From 20c0da0067c56f83fc34e5057af2ab1c89269b25 Mon Sep 17 00:00:00 2001
From: Cole Robinson
Date: Tue, 29 May 2012 09:47:40 -0400
Subject: [PATCH 1/7] CVE-2012-0029 e1000 buffer overflow (bz 783984, bz 772075) virtio-blk: refuse SG_IO requests with scsi=off (bz 826042)
---
 qemu-CVE-2012-0029.patch | 20 ++++
 ..._refuse_SG_IO_requests_with_scsi_off.patch | 111 ++++++++++++++++++
 qemu.spec | 12 +-
 3 files changed, 142 insertions(+), 1 deletion(-)
 create mode 100644 qemu-CVE-2012-0029.patch
 create mode 100644 qemu-virtio-blk_refuse_SG_IO_requests_with_scsi_off.patch
diff --git a/qemu-CVE-2012-0029.patch b/qemu-CVE-2012-0029.patch
new file mode 100644
index 0000000..d0c66b5
--- /dev/null
+++ b/qemu-CVE-2012-0029.patch
@@ -0,0 +1,20 @@
+diff -rup qemu-kvm-0.15.1/hw/e1000.c me/hw/e1000.c
+--- qemu-kvm-0.15.1/hw/e1000.c 2011-10-19 09:54:48.000000000 -0400
++++ me/hw/e1000.c 2012-05-29 09:28:15.832104874 -0400
+@@ -472,6 +472,8 @@ process_tx_desc(E1000State *s, struct e1
+ bytes = split_size;
+ if (tp->size + bytes > msh)
+ bytes = msh - tp->size;
++
++ bytes = MIN(sizeof(tp->data) - tp->size, bytes);
+ cpu_physical_memory_read(addr, tp->data + tp->size, bytes);
+ if ((sz = tp->size + bytes) >= hdr && tp->size < hdr)
+ memmove(tp->header, tp->data, hdr);
+@@ -487,6 +489,7 @@ process_tx_desc(E1000State *s, struct e1
+ // context descriptor TSE is not set, while data descriptor TSE is set
+ DBGOUT(TXERR, "TCP segmentaion Error\n");
+ } else {
++ split_size = MIN(sizeof(tp->data) - tp->size, split_size);
+ cpu_physical_memory_read(addr, tp->data + tp->size, split_size);
+ tp->size += split_size;
+ }
diff --git a/qemu-virtio-blk_refuse_SG_IO_requests_with_scsi_off.patch b/qemu-virtio-blk_refuse_SG_IO_requests_with_scsi_off.patch
new file mode 100644
index 0000000..277e740
--- /dev/null
+++ b/qemu-virtio-blk_refuse_SG_IO_requests_with_scsi_off.patch
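Review bot: An oversized frame is silently truncated rather than rejected after the two new MIN() clamps in process_tx_desc: nothing records that `bytes` or `split_size` was cut short, and the descriptor keeps being processed with a partial payload, so at minimum the non-TSE branch deserves a `DBGOUT(TXERR, "tx data exceeds tp->data, truncating\n");` beside the clamp, and dropping the frame instead would be the safer choice (process_tx_desc starts and ends outside the hunk, so the right bail-out form is not visible here). The patch file itself is a hand-made `diff -rup` against a local `me/` tree with no preamble; a two-line header naming the CVE and the upstream change it mirrors would let the next rebase tell when it is superseded — the PATCH 5/7 diffstat further down deletes a 0026-e1000-bounds-packet-size-against-buffer-size.patch that looks like the upstream form of this same fix. The arithmetic `sizeof(tp->data) - tp->size` only stays non-negative if tp->size can never exceed the array size, which depends on the E1000State layout not shown in the hunk; worth confirming in hw/e1000.c rather than assuming.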
@@ -0,0 +1,111 @@ +From qemu-stable-bounces+jmforbes=linuxtx.org@nongnu.org Wed Jan 11 03:51:20 2012 +Return-Path: +Received: from citysiren.linuxtx.org (localhost [127.0.0.1]) + by citysiren.linuxtx.org (8.14.4/8.14.4) with ESMTP id q0B9pIjw017454 + for ; Wed, 11 Jan 2012 03:51:20 -0600 +Delivered-To: jmforbes@linuxtx.org +Received: from gmail-pop.l.google.com [74.125.81.108] + by citysiren.linuxtx.org with POP3 (fetchmail-6.3.20) + for (single-drop); Wed, 11 Jan 2012 03:51:20 -0600 (CST) +Received: by 10.180.102.100 with SMTP id fn4cs34060wib; + Wed, 11 Jan 2012 01:48:56 -0800 (PST) +Received: by 10.224.182.2 with SMTP id ca2mr28967033qab.57.1326275334564; + Wed, 11 Jan 2012 01:48:54 -0800 (PST) +Received: from lists.gnu.org (lists.gnu.org. [140.186.70.17]) + by mx.google.com with ESMTPS id gc3si782557qab.44.2012.01.11.01.48.54 + (version=TLSv1/SSLv3 cipher=OTHER); + Wed, 11 Jan 2012 01:48:54 -0800 (PST) +Received-SPF: pass (google.com: domain of qemu-stable-bounces+jmforbes=linuxtx.org@nongnu.org designates 140.186.70.17 as permitted sender) client-ip=140.186.70.17; +Authentication-Results: mx.google.com; spf=pass (google.com: domain of qemu-stable-bounces+jmforbes=linuxtx.org@nongnu.org designates 140.186.70.17 as permitted sender) smtp.mail=qemu-stable-bounces+jmforbes=linuxtx.org@nongnu.org +Received: from localhost ([::1]:48473 helo=lists.gnu.org) + by lists.gnu.org with esmtp (Exim 4.71) + (envelope-from ) + id 1Rkund-0003iT-UQ + for jmforbes@linuxtx.org; Wed, 11 Jan 2012 04:48:53 -0500 +Received: from eggs.gnu.org ([140.186.70.92]:40037) + by lists.gnu.org with esmtp (Exim 4.71) + (envelope-from ) id 1RkunV-0003fY-Vl + for qemu-stable@nongnu.org; Wed, 11 Jan 2012 04:48:53 -0500 +Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) + (envelope-from ) id 1RkunQ-0004zL-Nl + for qemu-stable@nongnu.org; Wed, 11 Jan 2012 04:48:45 -0500 +Received: from mx1.redhat.com ([209.132.183.28]:23781) + by eggs.gnu.org with esmtp (Exim 4.71) + 
(envelope-from ) id 1RkunQ-0004vY-3c + for qemu-stable@nongnu.org; Wed, 11 Jan 2012 04:48:40 -0500 +Received: from int-mx11.intmail.prod.int.phx2.redhat.com + (int-mx11.intmail.prod.int.phx2.redhat.com [10.5.11.24]) + by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id q0B9mcYI005348 + (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) + for ; Wed, 11 Jan 2012 04:48:38 -0500 +Received: from yakj.usersys.redhat.com (ovpn-112-23.ams2.redhat.com + [10.36.112.23]) + by int-mx11.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP + id q0B9magG031084 + for ; Wed, 11 Jan 2012 04:48:37 -0500 +From: Paolo Bonzini +To: qemu-stable@nongnu.org +Date: Wed, 11 Jan 2012 10:48:33 +0100 +Message-Id: <1326275313-15635-1-git-send-email-pbonzini@redhat.com> +X-Scanned-By: MIMEDefang 2.68 on 10.5.11.24 +X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6 (newer, 3) +X-Received-From: 209.132.183.28 +Subject: [Qemu-stable] [PATCH] virtio-blk: refuse SG_IO requests with + scsi=off +X-BeenThere: qemu-stable@nongnu.org +X-Mailman-Version: 2.1.14 +Precedence: list +List-Id: +List-Unsubscribe: , + +List-Archive: +List-Post: +List-Help: +List-Subscribe: , + +Errors-To: qemu-stable-bounces+jmforbes=linuxtx.org@nongnu.org +Sender: qemu-stable-bounces+jmforbes=linuxtx.org@nongnu.org +X-UID: 32 +Status: RO +Content-Length: 1003 +Lines: 38 + +QEMU does have a "scsi" option (to be used like -device +virtio-blk-pci,drive=foo,scsi=off). However, it only +masks the feature bit, and does not reject the command +if a malicious guest disregards the feature bits and +issues a request. + +Without this patch, using scsi=off does not protect you +from CVE-2011-4127. 
+ +Signed-off-by: Paolo Bonzini +--- + hw/virtio-blk.c | 6 ++++++ + 1 files changed, 6 insertions(+), 0 deletions(-) + +diff --git a/hw/virtio-blk.c b/hw/virtio-blk.c +index b70d116..6cd3164 100644 +--- a/hw/virtio-blk.c ++++ b/hw/virtio-blk.c +@@ -153,6 +153,12 @@ static void virtio_blk_handle_scsi(VirtIOBlockReq *req) + int status; + int i; + ++ if ((req->dev->vdev.guest_features & (1 << VIRTIO_BLK_F_SCSI)) == 0) { ++ virtio_blk_req_complete(req, VIRTIO_BLK_S_UNSUPP); ++ g_free(req); ++ return; ++ } ++ + /* + * We require at least one output segment each for the virtio_blk_outhdr + * and the SCSI command block. +-- +1.7.7.1 + + + + + + diff --git a/qemu.spec b/qemu.spec index 6224bfe..0dc6eef 100644 --- a/qemu.spec +++ b/qemu.spec @@ -1,7 +1,7 @@ Summary: QEMU is a FAST! processor emulator Name: qemu Version: 0.15.1 -Release: 4%{?dist} +Release: 5%{?dist} # Epoch because we pushed a qemu-1.0 package Epoch: 2 License: GPLv2+ and LGPLv2+ and BSD @@ -82,6 +82,10 @@ Patch100: qemu-Allow-to-leave-type-on-default-in-machine.patch # Upstream patches from 1.0 Patch101: 0101-usb-hub-dont_trigger_assert_on_packet_completion.patch +# CVE-2012-0029 e1000 buffer overflow (bz 783984, bz 772075) +Patch102: %{name}-CVE-2012-0029.patch +# virtio-blk: refuse SG_IO requests with scsi=off (bz 826042) +Patch103: %{name}-virtio-blk_refuse_SG_IO_requests_with_scsi_off.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: SDL-devel zlib-devel which texi2html gnutls-devel cyrus-sasl-devel @@ -335,6 +339,8 @@ such as kvm_stat. %patch100 -p1 %patch101 -p1 +%patch102 -p1 +%patch103 -p1 %build # By default we build everything, but allow x86 to build a minimal version 
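Review bot: The new gate at the top of virtio_blk_handle_scsi tests `req->dev->vdev.guest_features`, which is the feature word the guest wrote back, so it only closes the hole if the transport masks that word against the host-offered features before storing it; if hw/virtio-pci.c in 0.15.1 stores the guest's value unmasked (not visible here — please check), a guest that acks VIRTIO_BLK_F_SCSI despite scsi=off still reaches the SG_IO path and the commit message's "does not protect you from CVE-2011-4127" is only partly addressed. Checking the host-offered features (what the device advertises after the scsi property is applied) rather than the guest's acknowledgement would not depend on transport behaviour. Completing with VIRTIO_BLK_S_UNSUPP and freeing `req` is the right failure mode for a request the device never offered. virtio_blk_handle_scsi starts and ends outside the hunk, so the subsequent segment validation it skips past is not visible here.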
@@ -715,6 +721,10 @@ fi %{_mandir}/man1/qemu-img.1* %changelog +* Tue May 29 2012 Cole Robinson - 0.15.1-5 +- CVE-2012-0029 e1000 buffer overflow (bz 783984, bz 772075) +- virtio-blk: refuse SG_IO requests with scsi=off (bz 826042) + * Mon Jan 30 2012 Justin M. Forbes - 2:0.15.1-4 - Add vhost-net to kvm.modules - Fix USB passthrough assert on packet completion (#769625) From 2dedc013fc0bc6a9aff998bae9920fbc1efd28d0 Mon Sep 17 00:00:00 2001 From: Cole Robinson Date: Tue, 29 May 2012 10:25:50 -0400 Subject: [PATCH 2/7] CVE-2011-1750 virtio-blk: heap buffer overflow (bz 698906, bz 698911) CVE-2011-2527 set groups properly for -runas (bz 720773, bz 720784) CVE-2012-0029 e1000 buffer overflow (bz 783984, bz 772075) virtio-blk: refuse SG_IO requests with scsi=off (bz 770135) --- qemu-CVE-2011-1750.patch | 44 +++++++ qemu-CVE-2011-2527.patch | 41 +++++++ qemu-CVE-2012-0029.patch | 20 ++++ ..._refuse_SG_IO_requests_with_scsi_off.patch | 111 ++++++++++++++++++ qemu.spec | 20 +++- 5 files changed, 235 insertions(+), 1 deletion(-) create mode 100644 qemu-CVE-2011-1750.patch create mode 100644 qemu-CVE-2011-2527.patch create mode 100644 qemu-CVE-2012-0029.patch create mode 100644 qemu-virtio-blk_refuse_SG_IO_requests_with_scsi_off.patch diff --git a/qemu-CVE-2011-1750.patch b/qemu-CVE-2011-1750.patch new file mode 100644 index 0000000..4f0ea2f --- /dev/null +++ b/qemu-CVE-2011-1750.patch @@ -0,0 +1,44 @@ +commit 52c050236eaa4f0b5e1d160cd66dc18106445c4d +Author: Christoph Hellwig +Date: Wed Apr 6 20:28:34 2011 +0200 + + virtio-blk: fail unaligned requests + + Like all block drivers virtio-blk should not allow small than block size + granularity access. But given that the protocol specifies a + byte unit length field we currently accept such requests, which cause + qemu to abort() in lower layers. Add checks to the main read and + write handlers to catch them early. + + Reported-by: Conor Murphy + Tested-by: Conor Murphy + 
Signed-off-by: Christoph Hellwig + Reviewed-by: Stefan Hajnoczi + Signed-off-by: Kevin Wolf + +diff --git a/hw/virtio-blk.c b/hw/virtio-blk.c +index b14fb99..91e0394 100644 +--- a/hw/virtio-blk.c ++++ b/hw/virtio-blk.c +@@ -290,6 +290,10 @@ static void virtio_blk_handle_write(VirtIOBlockReq *req, MultiReqBuffer *mrb) + virtio_blk_rw_complete(req, -EIO); + return; + } ++ if (req->qiov.size % req->dev->conf->logical_block_size) { ++ virtio_blk_rw_complete(req, -EIO); ++ return; ++ } + + if (mrb->num_writes == 32) { + virtio_submit_multiwrite(req->dev->bs, mrb); +@@ -317,6 +321,10 @@ static void virtio_blk_handle_read(VirtIOBlockReq *req) + virtio_blk_rw_complete(req, -EIO); + return; + } ++ if (req->qiov.size % req->dev->conf->logical_block_size) { ++ virtio_blk_rw_complete(req, -EIO); ++ return; ++ } + + acb = bdrv_aio_readv(req->dev->bs, sector, &req->qiov, + req->qiov.size / BDRV_SECTOR_SIZE, diff --git a/qemu-CVE-2011-2527.patch b/qemu-CVE-2011-2527.patch new file mode 100644 index 0000000..0ccf3cc --- /dev/null +++ b/qemu-CVE-2011-2527.patch @@ -0,0 +1,41 @@ +commit cc4662f9642995c78bed587707eeb9ad8500035b +Author: Stefan Hajnoczi +Date: Sat Jul 9 10:22:07 2011 +0100 + + os-posix: set groups properly for -runas + + Andrew Griffiths reports that -runas does not set supplementary group + IDs. This means that gid 0 (root) is not dropped when switching to an + unprivileged user. + + Add an initgroups(3) call to use the -runas user's /etc/groups + membership to update the supplementary group IDs. + + Signed-off-by: Stefan Hajnoczi + Acked-by: Chris Wright + 
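Review bot: The added length checks in virtio_blk_handle_write and virtio_blk_handle_read compute `req->qiov.size % req->dev->conf->logical_block_size`, and a zero there would fault in the request path; the value presumably comes from the block-property default (512) but nothing in the hunk pins that, so a comment such as `/* logical_block_size is never 0: enforced by the block properties */` or a sanity check at device init is worth adding. The two checks only validate the byte length; the preceding `virtio_blk_rw_complete(req, -EIO); return; }` context looks like the sector-alignment test, and since this is being applied to a 0.14.0 tree it is worth confirming that test exists in both functions there. The identical four-line guard in two places could be one `static` helper, e.g. `static bool virtio_blk_req_len_aligned(VirtIOBlockReq *req)`. Both functions start and end outside the hunk.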
Signed-off-by: Blue Swirl
+
+diff --git a/os-posix.c b/os-posix.c
+index 7dfb278..6f8d488 100644
+--- a/os-posix.c
++++ b/os-posix.c
+@@ -31,6 +31,7 @@
+ /*needed for MAP_POPULATE before including qemu-options.h */
+ #include
+ #include
++#include
+ #include
+
+ /* Needed early for CONFIG_BSD etc. */
+@@ -199,6 +200,11 @@ static void change_process_uid(void)
+ fprintf(stderr, "Failed to setgid(%d)\n", user_pwd->pw_gid);
+ exit(1);
+ }
++ if (initgroups(user_pwd->pw_name, user_pwd->pw_gid) < 0) {
++ fprintf(stderr, "Failed to initgroups(\"%s\", %d)\n",
++ user_pwd->pw_name, user_pwd->pw_gid);
++ exit(1);
++ }
+ if (setuid(user_pwd->pw_uid) < 0) {
+ fprintf(stderr, "Failed to setuid(%d)\n", user_pwd->pw_uid);
+ exit(1);
diff --git a/qemu-CVE-2012-0029.patch b/qemu-CVE-2012-0029.patch
new file mode 100644
index 0000000..d0c66b5
--- /dev/null
+++ b/qemu-CVE-2012-0029.patch
@@ -0,0 +1,20 @@
+diff -rup qemu-kvm-0.15.1/hw/e1000.c me/hw/e1000.c
+--- qemu-kvm-0.15.1/hw/e1000.c 2011-10-19 09:54:48.000000000 -0400
++++ me/hw/e1000.c 2012-05-29 09:28:15.832104874 -0400
+@@ -472,6 +472,8 @@ process_tx_desc(E1000State *s, struct e1
+ bytes = split_size;
+ if (tp->size + bytes > msh)
+ bytes = msh - tp->size;
++
++ bytes = MIN(sizeof(tp->data) - tp->size, bytes);
+ cpu_physical_memory_read(addr, tp->data + tp->size, bytes);
+ if ((sz = tp->size + bytes) >= hdr && tp->size < hdr)
+ memmove(tp->header, tp->data, hdr);
+@@ -487,6 +489,7 @@ process_tx_desc(E1000State *s, struct e1
+ // context descriptor TSE is not set, while data descriptor TSE is set
+ DBGOUT(TXERR, "TCP segmentaion Error\n");
+ } else {
++ split_size = MIN(sizeof(tp->data) - tp->size, split_size);
+ cpu_physical_memory_read(addr, tp->data + tp->size, split_size);
+ tp->size += split_size;
+ }
diff --git a/qemu-virtio-blk_refuse_SG_IO_requests_with_scsi_off.patch b/qemu-virtio-blk_refuse_SG_IO_requests_with_scsi_off.patch
new file mode 100644
index 0000000..cf7f04b
--- /dev/null
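Review bot: `initgroups()` resolves supplementary groups through the group database, so if change_process_uid() runs after change_root() in the startup sequence — the order is not visible in this hunk, please check os_setup_post — the lookup happens inside the `-chroot` directory and the new branch will exit(1) unless the chroot carries its own group database, turning a previously working `-chroot ... -runas ...` command line into a startup failure. Computing the group list before the chroot, or documenting the requirement in the package notes, would avoid surprising operators. The order setgid() → initgroups() → setuid() is itself correct, since initgroups needs privilege that setuid() drops. The new messages print gid_t with `%d` like the existing setgid line; `(int)user_pwd->pw_gid` would keep -Wformat quiet where gid_t is unsigned. change_process_uid() starts outside the hunk.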
+++ b/qemu-virtio-blk_refuse_SG_IO_requests_with_scsi_off.patch 
@@ -0,0 +1,111 @@ +From qemu-stable-bounces+jmforbes=linuxtx.org@nongnu.org Wed Jan 11 03:51:20 2012 +Return-Path: +Received: from citysiren.linuxtx.org (localhost [127.0.0.1]) + by citysiren.linuxtx.org (8.14.4/8.14.4) with ESMTP id q0B9pIjw017454 + for ; Wed, 11 Jan 2012 03:51:20 -0600 +Delivered-To: jmforbes@linuxtx.org +Received: from gmail-pop.l.google.com [74.125.81.108] + by citysiren.linuxtx.org with POP3 (fetchmail-6.3.20) + for (single-drop); Wed, 11 Jan 2012 03:51:20 -0600 (CST) +Received: by 10.180.102.100 with SMTP id fn4cs34060wib; + Wed, 11 Jan 2012 01:48:56 -0800 (PST) +Received: by 10.224.182.2 with SMTP id ca2mr28967033qab.57.1326275334564; + Wed, 11 Jan 2012 01:48:54 -0800 (PST) +Received: from lists.gnu.org (lists.gnu.org. [140.186.70.17]) + by mx.google.com with ESMTPS id gc3si782557qab.44.2012.01.11.01.48.54 + (version=TLSv1/SSLv3 cipher=OTHER); + Wed, 11 Jan 2012 01:48:54 -0800 (PST) +Received-SPF: pass (google.com: domain of qemu-stable-bounces+jmforbes=linuxtx.org@nongnu.org designates 140.186.70.17 as permitted sender) client-ip=140.186.70.17; +Authentication-Results: mx.google.com; spf=pass (google.com: domain of qemu-stable-bounces+jmforbes=linuxtx.org@nongnu.org designates 140.186.70.17 as permitted sender) smtp.mail=qemu-stable-bounces+jmforbes=linuxtx.org@nongnu.org +Received: from localhost ([::1]:48473 helo=lists.gnu.org) + by lists.gnu.org with esmtp (Exim 4.71) + (envelope-from ) + id 1Rkund-0003iT-UQ + for jmforbes@linuxtx.org; Wed, 11 Jan 2012 04:48:53 -0500 +Received: from eggs.gnu.org ([140.186.70.92]:40037) + by lists.gnu.org with esmtp (Exim 4.71) + (envelope-from ) id 1RkunV-0003fY-Vl + for qemu-stable@nongnu.org; Wed, 11 Jan 2012 04:48:53 -0500 +Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) + (envelope-from ) id 1RkunQ-0004zL-Nl + for qemu-stable@nongnu.org; Wed, 11 Jan 2012 04:48:45 -0500 +Received: from mx1.redhat.com ([209.132.183.28]:23781) + by eggs.gnu.org with esmtp (Exim 4.71) + 
(envelope-from ) id 1RkunQ-0004vY-3c + for qemu-stable@nongnu.org; Wed, 11 Jan 2012 04:48:40 -0500 +Received: from int-mx11.intmail.prod.int.phx2.redhat.com + (int-mx11.intmail.prod.int.phx2.redhat.com [10.5.11.24]) + by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id q0B9mcYI005348 + (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) + for ; Wed, 11 Jan 2012 04:48:38 -0500 +Received: from yakj.usersys.redhat.com (ovpn-112-23.ams2.redhat.com + [10.36.112.23]) + by int-mx11.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP + id q0B9magG031084 + for ; Wed, 11 Jan 2012 04:48:37 -0500 +From: Paolo Bonzini +To: qemu-stable@nongnu.org +Date: Wed, 11 Jan 2012 10:48:33 +0100 +Message-Id: <1326275313-15635-1-git-send-email-pbonzini@redhat.com> +X-Scanned-By: MIMEDefang 2.68 on 10.5.11.24 +X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6 (newer, 3) +X-Received-From: 209.132.183.28 +Subject: [Qemu-stable] [PATCH] virtio-blk: refuse SG_IO requests with + scsi=off +X-BeenThere: qemu-stable@nongnu.org +X-Mailman-Version: 2.1.14 +Precedence: list +List-Id: +List-Unsubscribe: , + +List-Archive: +List-Post: +List-Help: +List-Subscribe: , + +Errors-To: qemu-stable-bounces+jmforbes=linuxtx.org@nongnu.org +Sender: qemu-stable-bounces+jmforbes=linuxtx.org@nongnu.org +X-UID: 32 +Status: RO +Content-Length: 1003 +Lines: 38 + +QEMU does have a "scsi" option (to be used like -device +virtio-blk-pci,drive=foo,scsi=off). However, it only +masks the feature bit, and does not reject the command +if a malicious guest disregards the feature bits and +issues a request. + +Without this patch, using scsi=off does not protect you +from CVE-2011-4127. 
+ +Signed-off-by: Paolo Bonzini +--- + hw/virtio-blk.c | 6 ++++++ + 1 files changed, 6 insertions(+), 0 deletions(-) + +diff --git a/hw/virtio-blk.c b/hw/virtio-blk.c +index b70d116..6cd3164 100644 +--- a/hw/virtio-blk.c ++++ b/hw/virtio-blk.c +@@ -153,6 +153,12 @@ static void virtio_blk_handle_scsi(VirtIOBlockReq *req) + int status; + int i; + ++ if ((req->dev->vdev.guest_features & (1 << VIRTIO_BLK_F_SCSI)) == 0) { ++ virtio_blk_req_complete(req, VIRTIO_BLK_S_UNSUPP); ++ qemu_free(req); ++ return; ++ } ++ + /* + * We require at least one output segment each for the virtio_blk_outhdr + * and the SCSI command block. +-- +1.7.7.1 + + + + + + diff --git a/qemu.spec b/qemu.spec index 432daa7..cfb4500 100644 --- a/qemu.spec +++ b/qemu.spec @@ -1,7 +1,7 @@ Summary: QEMU is a FAST! processor emulator Name: qemu Version: 0.14.0 -Release: 8%{?dist} +Release: 9%{?dist} # Epoch because we pushed a qemu-1.0 package Epoch: 2 License: GPLv2+ and LGPLv2+ and BSD @@ -60,6 +60,14 @@ Patch34: 0015-chardev-Allow-frontends-to-notify-backends-of-guest-.patch Patch35: 0016-virtio-console-notify-backend-of-guest-open-close.patch Patch36: 0017-spice-chardev-listen-to-frontend-guest-open-close.patch Patch37: 0018-spice-qemu-char-Fix-flow-control-in-client-guest-dir.patch +# CVE-2011-1750 virtio-blk: heap buffer overflow (bz 698906, bz 698911) +Patch38: %{name}-CVE-2011-1750.patch +# CVE-2011-2527 set groups properly for -runas (bz 720773, bz 720784) +Patch39: %{name}-CVE-2011-2527.patch +# CVE-2012-0029 e1000 buffer overflow (bz 783984, bz 772075) +Patch40: %{name}-CVE-2012-0029.patch +# virtio-blk: refuse SG_IO requests with scsi=off (bz 770135) +Patch41: %{name}-virtio-blk_refuse_SG_IO_requests_with_scsi_off.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) 
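Review bot: Roughly sixty lines of this committed patch file are the mbox envelope of the mail it was saved from — Received: chains naming Red Hat-internal hosts and RFC1918 addresses (10.5.11.24, 10.36.112.23), the recipient's mailbox, List-*, X-UID and Status headers — none of which belongs to the change and some of which the package has no reason to publish; trim it to the From:/Date:/Subject: lines plus the body, and drop the run of empty `+` lines after the `-- 1.7.7.1` trailer. A one-line note that this copy uses `qemu_free(req)` because the 0.14.0 tree predates the glib switch (the 0.15.1 copy in PATCH 1/7 uses `g_free(req)`) would stop a future sync between branches from "fixing" it the wrong way. As in the 0.15.1 copy, the check relies on `vdev.guest_features` reflecting only host-offered bits, which depends on transport code outside this hunk.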
@@ -257,6 +265,10 @@ such as kvm_stat. %patch35 -p1 %patch36 -p1 %patch37 -p1 +%patch38 -p1 +%patch39 -p1 +%patch40 -p1 +%patch41 -p1 %build # By default we build everything, but allow x86 to build a minimal version @@ -561,6 +573,12 @@ fi %{_mandir}/man1/qemu-img.1* %changelog +* Tue May 29 2012 Cole Robinson - 0.14.0-9 +- CVE-2011-1750 virtio-blk: heap buffer overflow (bz 698906, bz 698911) +- CVE-2011-2527 set groups properly for -runas (bz 720773, bz 720784) +- CVE-2012-0029 e1000 buffer overflow (bz 783984, bz 772075) +- virtio-blk: refuse SG_IO requests with scsi=off (bz 770135) + * Wed Jun 22 2011 Richard W.M. Jones - 2:0.14.0-8 - Add BR libattr-devel. This caused the -fstype option to be disabled. https://www.redhat.com/archives/libvir-list/2011-June/thread.html#01017 From 9e4ae06b20e9a6461797ec19286e6a8b69c17f01 Mon Sep 17 00:00:00 2001 From: Cole Robinson Date: Wed, 18 Jul 2012 18:01:46 -0400 Subject: [PATCH 3/7] Fix fedora guest hang with virtio console (bz 837925) --- qemu-virtio-console-unconnected-pty.patch | 47 +++++++++++++++++++++++ qemu.spec | 8 +++- 2 files changed, 54 insertions(+), 1 deletion(-) create mode 100644 qemu-virtio-console-unconnected-pty.patch diff --git a/qemu-virtio-console-unconnected-pty.patch b/qemu-virtio-console-unconnected-pty.patch new file mode 100644 index 0000000..7b95b82 --- /dev/null +++ b/qemu-virtio-console-unconnected-pty.patch 
@@ -0,0 +1,47 @@ +commit ed8e5a85a1741147ce06932b478a509ce3407061 +Author: Christian Borntraeger +Date: Thu Dec 29 13:47:43 2011 +0100 + + virtio-console: Fix failure on unconnected pty + + when I tried qemu with -virtio-console pty the guest hangs and attaching + on /dev/pts/ does not return anything if the attachment is too late. + + This results in pty_chr_write() returning 0, which causes the port to + get throttled. This results in the guest getting frozen as the + guest->host virtio_console writes don't return until the host releases + the vq element back to the guest. + + For the virtio-serial use case we don't want to lose data but for the + console case we better drop data instead of "killing" the guest + console. If we get chardev->frontend notification and a better behaving + virtio-console we can revert this fix. + + Signed-off-by: Christian Borntraeger + Signed-off-by: Amit Shah + +diff --git a/hw/virtio-serial-bus.c b/hw/virtio-serial-bus.c +index fe0233f..3a9004a 100644 +--- a/hw/virtio-serial-bus.c ++++ b/hw/virtio-serial-bus.c +@@ -163,7 +163,19 @@ static void do_flush_queued_data(VirtIOSerialPort *port, VirtQueue *vq, + abort(); + } + if (ret == -EAGAIN || (ret >= 0 && ret < buf_size)) { +- virtio_serial_throttle_port(port, true); ++ /* ++ * this is a temporary check until chardevs can signal to ++ * frontends that they are writable again. This prevents ++ * the console from going into throttled mode (forever) ++ * if virtio-console is connected to a pty without a ++ * listener. Otherwise the guest spins forever. ++ * We can revert this if ++ * 1: chardevs can notify frondends ++ * 2: the guest driver does not spin in these cases ++ */ ++ if (!info->is_console) { ++ virtio_serial_throttle_port(port, true); ++ } + port->iov_idx = i; + if (ret > 0) { + port->iov_offset += ret; diff --git a/qemu.spec b/qemu.spec index 909e2ce..5ac9289 100644 --- a/qemu.spec +++ b/qemu.spec 
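Review bot: For console ports the new `if (!info->is_console)` branch in do_flush_queued_data makes guest output disappear silently whenever the host pty has no reader — the commit text says so — and nothing at the drop site records that bytes were discarded, which matters to anyone using the virtio console as a crash-forensics or audit channel; the spec's `# Fix fedora guest hang with virtio console (bz 837925)` line deserves a companion `# NOTE: console output is dropped, not throttled, while the host pty has no reader`. A trace point or one-time warning where the element is consumed would make the loss diagnosable. `frondends` in the new comment is a typo for `frontends` (upstream text, but cheap to fix in the carried copy). The function starts and ends outside the hunk, so the path that actually releases the element when throttling is skipped is not visible here.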
@@ -38,7 +38,7 @@ Summary: QEMU is a FAST! processor emulator Name: qemu Version: 1.0 -Release: 17%{?dist} +Release: 18%{?dist} # Epoch because we pushed a qemu-1.0 package Epoch: 2 License: GPLv2+ and LGPLv2+ and BSD @@ -207,6 +207,8 @@ Patch506: 0506-audio-spice-add-support-for-volume-control.patch Patch507: 0507-Do-not-use-pa_simple-PulseAudio-API.patch Patch508: 0508-configure-pa_simple-is-not-needed-anymore.patch Patch509: 0509-Allow-controlling-volume-with-PulseAudio-backend.patch +# Fix fedora guest hang with virtio console (bz 837925) +Patch510: %{name}-virtio-console-unconnected-pty.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: SDL-devel zlib-devel which texi2html gnutls-devel cyrus-sasl-devel @@ -578,6 +580,7 @@ such as kvm_stat. %patch507 -p1 %patch508 -p1 %patch509 -p1 +%patch510 -p1 %build @@ -1009,6 +1012,9 @@ fi %{_mandir}/man1/qemu-img.1* %changelog +* Wed Jul 18 2012 Cole Robinson - 1.0-18 +- Fix fedora guest hang with virtio console (bz 837925) + * Mon Apr 23 2012 Paolo Bonzini - 2:1.0-17 - Fix install failure due to set -e (rhbz #815272) From d2798f56e798e54b277181703dc828554c311e28 Mon Sep 17 00:00:00 2001 From: Cole Robinson Date: Wed, 18 Jul 2012 18:05:00 -0400 Subject: [PATCH 4/7] Fix fedora guest hang with virtio console (bz 837925) --- qemu-virtio-console-unconnected-pty.patch | 47 +++++++++++++++++++++++ qemu.spec | 8 +++- 2 files changed, 54 insertions(+), 1 deletion(-) create mode 100644 qemu-virtio-console-unconnected-pty.patch diff --git a/qemu-virtio-console-unconnected-pty.patch b/qemu-virtio-console-unconnected-pty.patch new file mode 100644 index 0000000..7b95b82 --- /dev/null +++ b/qemu-virtio-console-unconnected-pty.patch 
@@ -0,0 +1,47 @@ +commit ed8e5a85a1741147ce06932b478a509ce3407061 +Author: Christian Borntraeger +Date: Thu Dec 29 13:47:43 2011 +0100 + + virtio-console: Fix failure on unconnected pty + + when I tried qemu with -virtio-console pty the guest hangs and attaching + on /dev/pts/ does not return anything if the attachment is too late. + + This results in pty_chr_write() returning 0, which causes the port to + get throttled. This results in the guest getting frozen as the + guest->host virtio_console writes don't return until the host releases + the vq element back to the guest. + + For the virtio-serial use case we don't want to lose data but for the + console case we better drop data instead of "killing" the guest + console. If we get chardev->frontend notification and a better behaving + virtio-console we can revert this fix. + + Signed-off-by: Christian Borntraeger + Signed-off-by: Amit Shah + +diff --git a/hw/virtio-serial-bus.c b/hw/virtio-serial-bus.c +index fe0233f..3a9004a 100644 +--- a/hw/virtio-serial-bus.c ++++ b/hw/virtio-serial-bus.c +@@ -163,7 +163,19 @@ static void do_flush_queued_data(VirtIOSerialPort *port, VirtQueue *vq, + abort(); + } + if (ret == -EAGAIN || (ret >= 0 && ret < buf_size)) { +- virtio_serial_throttle_port(port, true); ++ /* ++ * this is a temporary check until chardevs can signal to ++ * frontends that they are writable again. This prevents ++ * the console from going into throttled mode (forever) ++ * if virtio-console is connected to a pty without a ++ * listener. Otherwise the guest spins forever. ++ * We can revert this if ++ * 1: chardevs can notify frondends ++ * 2: the guest driver does not spin in these cases ++ */ ++ if (!info->is_console) { ++ virtio_serial_throttle_port(port, true); ++ } + port->iov_idx = i; + if (ret > 0) { + port->iov_offset += ret; diff --git a/qemu.spec b/qemu.spec index 0dc6eef..1cb916c 100644 --- a/qemu.spec +++ b/qemu.spec 
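Review bot: This cherry-pick was generated against a 1.0-era hw/virtio-serial-bus.c (blob fe0233f..3a9004a) and is applied unchanged to 0.15.1 here; the new `if (!info->is_console)` depends on a local `info` already being in scope at that point of do_flush_queued_data, which the hunk does not show and an older tree may not have, so a failed scratch build is the only thing that would catch it — please confirm it compiles on 0.15.1. If `info` is absent there, the port's device info has to be fetched at the top of the function first; verify the exact accessor against the 0.15.1 source rather than copying from 1.0. The function starts and ends outside the hunk.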
@@ -1,7 +1,7 @@ Summary: QEMU is a FAST! processor emulator Name: qemu Version: 0.15.1 -Release: 5%{?dist} +Release: 6%{?dist} # Epoch because we pushed a qemu-1.0 package Epoch: 2 License: GPLv2+ and LGPLv2+ and BSD @@ -86,6 +86,8 @@ Patch101: 0101-usb-hub-dont_trigger_assert_on_packet_completion.patch Patch102: %{name}-CVE-2012-0029.patch # virtio-blk: refuse SG_IO requests with scsi=off (bz 826042) Patch103: %{name}-virtio-blk_refuse_SG_IO_requests_with_scsi_off.patch +# Fix fedora guest hang with virtio console (bz 837925) +Patch104: %{name}-virtio-console-unconnected-pty.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: SDL-devel zlib-devel which texi2html gnutls-devel cyrus-sasl-devel @@ -341,6 +343,7 @@ such as kvm_stat. %patch101 -p1 %patch102 -p1 %patch103 -p1 +%patch104 -p1 %build # By default we build everything, but allow x86 to build a minimal version @@ -721,6 +724,9 @@ fi %{_mandir}/man1/qemu-img.1* %changelog +* Wed Jul 18 2012 Cole Robinson - 0.15.1-6 +- Fix fedora guest hang with virtio console (bz 837925) + * Tue May 29 2012 Cole Robinson - 0.15.1-5 - CVE-2012-0029 e1000 buffer overflow (bz 783984, bz 772075) - virtio-blk: refuse SG_IO requests with scsi=off (bz 826042) From 8452a895336f4bed5c81e8a8467e504f2d00ec75 Mon Sep 17 00:00:00 2001 
From: Cole Robinson Date: Sun, 29 Jul 2012 20:57:27 -0400 Subject: [PATCH 5/7] Fix systemtap tapsets (bz 831763) Fix VNC audio tunnelling (bz 840653) CVE-2012-2652: Possible symlink attacks with -snapshot (bz 825697, bz 824919) Don't renable ksm on update (bz 815156) Bump usbredir dep (bz 812097) Fix RPM install error on non-virt machines (bz 660629) Obsolete openbios to fix upgrade dependency issues (bz 694802) --- .gitignore | 1 + ...ession-i8259-interrupts-did-not-work.patch | 132 -------- ...ge-memory-access-to-RAM-MemoryRegion.patch | 134 -------- ...Improve-portability-to-older-systems.patch | 101 ------ ...ation-blockers-to-prevent-live-migra.patch | 171 ---------- ...s-Reset-server-state-during-TVERSION.patch | 64 ---- ....reset-callback-for-virtio-9p-pci-de.patch | 57 ---- ...correct-file-descriptor-in-Fsdriver-.patch | 210 ------------ ...iovec-manipulation-with-QEMUIOVector.patch | 305 ------------------ ...correct-signed-type-for-different-va.patch | 133 -------- ...86-fix-cmpxchg-instruction-emulation.patch | 54 ---- ...-build-by-default-PIE-read-only-relo.patch | 31 -- ...Handle-conditional-stores-on-CRISv10.patch | 155 --------- 0013-pc-add-pc-0.15.patch | 40 --- ...idx-compatibility-for-virtio-devices.patch | 87 ----- ...-device-description-with-multiple-co.patch | 56 ---- 0016-usb-storage-cancel-I-O-on-reset.patch | 40 --- ...properly-release-port-on-unplug-exit.patch | 111 ------- ...bp-incorrectly-updated-near-page-end.patch | 40 --- ...4-ignore-ocbp-and-ocbwb-instructions.patch | 47 --- ...-PPC-Fix-linker-scripts-on-ppc-hosts.patch | 74 ----- ...revent-double-free-or-use-after-free.patch | 34 -- ...-per-thread-free-pool-to-a-global-po.patch | 115 ------- ...ase-Fix-for-undersized-backing-files.patch | 86 ----- ...Add-qemu-img-t-parameter-in-man-page.patch | 82 ----- ...-out-parameter-in-qemu_rbd_snap_list.patch | 39 --- ...unds-packet-size-against-buffer-size.patch | 37 --- Fix_save-restore_of_in-kernel_i8259.patch | 87 ----- 
...-to-leave-type-on-default-in-machine.patch | 14 - qemu-fix-non-PCI-target-build.patch | 53 --- qemu-fix-systemtap.patch | 16 + qemu-fix-vnc-audio.patch | 20 ++ qemu-snapshot-symlink-attack.patch | 93 ++++++ qemu-vhost-fix-dirty-page-handling.patch | 31 -- qemu.spec | 136 ++++---- sources | 2 +- ..._refuse_SG_IO_requests_with_scsi_off.patch | 111 ------- 37 files changed, 187 insertions(+), 2812 deletions(-) delete mode 100644 0001-malta-Fix-regression-i8259-interrupts-did-not-work.patch delete mode 100644 0002-exec.c-Fix-subpage-memory-access-to-RAM-MemoryRegion.patch delete mode 100644 0003-hw-9pfs-Improve-portability-to-older-systems.patch delete mode 100644 0004-hw-9pfs-use-migration-blockers-to-prevent-live-migra.patch delete mode 100644 0005-hw-9pfs-Reset-server-state-during-TVERSION.patch delete mode 100644 0006-hw-9pfs-Add-qdev.reset-callback-for-virtio-9p-pci-de.patch delete mode 100644 0007-hw-9pfs-Use-the-correct-file-descriptor-in-Fsdriver-.patch delete mode 100644 0008-hw-9pfs-replace-iovec-manipulation-with-QEMUIOVector.patch delete mode 100644 0009-hw-9pfs-Use-the-correct-signed-type-for-different-va.patch delete mode 100644 0010-target-i386-fix-cmpxchg-instruction-emulation.patch delete mode 100644 0011-configure-Enable-build-by-default-PIE-read-only-relo.patch delete mode 100644 0012-cris-Handle-conditional-stores-on-CRISv10.patch delete mode 100644 0013-pc-add-pc-0.15.patch delete mode 100644 0014-pc-fix-event_idx-compatibility-for-virtio-devices.patch delete mode 100644 0015-Fix-parse-of-usb-device-description-with-multiple-co.patch delete mode 100644 0016-usb-storage-cancel-I-O-on-reset.patch delete mode 100644 0017-usb-host-properly-release-port-on-unplug-exit.patch delete mode 100644 0018-usb-ohci-td.cbp-incorrectly-updated-near-page-end.patch delete mode 100644 0019-target-sh4-ignore-ocbp-and-ocbwb-instructions.patch delete mode 100644 0020-PPC-Fix-linker-scripts-on-ppc-hosts.patch delete mode 100644 
0021-qiov-prevent-double-free-or-use-after-free.patch
delete mode 100644 0022-coroutine-switch-per-thread-free-pool-to-a-global-po.patch
delete mode 100644 0023-qemu-img-rebase-Fix-for-undersized-backing-files.patch
delete mode 100644 0024-Documentation-Add-qemu-img-t-parameter-in-man-page.patch
delete mode 100644 0025-rbd-always-set-out-parameter-in-qemu_rbd_snap_list.patch
delete mode 100644 0026-e1000-bounds-packet-size-against-buffer-size.patch
delete mode 100644 Fix_save-restore_of_in-kernel_i8259.patch
delete mode 100644 qemu-Allow-to-leave-type-on-default-in-machine.patch
delete mode 100644 qemu-fix-non-PCI-target-build.patch
create mode 100644 qemu-fix-systemtap.patch
create mode 100644 qemu-fix-vnc-audio.patch
create mode 100644 qemu-snapshot-symlink-attack.patch
delete mode 100644 qemu-vhost-fix-dirty-page-handling.patch
delete mode 100644 virtio-blk_refuse_SG_IO_requests_with_scsi_off.patch
diff --git a/.gitignore b/.gitignore
index b5d4127..57c025a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -10,3 +10,4 @@ qemu-kvm-0.13.0-25fdf4a.tar.gz
 /qemu-kvm-0.15.0-0af4922.tar.gz
 /qemu-kvm-0.15.0.tar.gz
 /qemu-kvm-0.15.1.tar.gz
+/qemu-kvm-1.0.1.tar.gz
diff --git a/0001-malta-Fix-regression-i8259-interrupts-did-not-work.patch b/0001-malta-Fix-regression-i8259-interrupts-did-not-work.patch
deleted file mode 100644
index a57f4ec..0000000
--- a/0001-malta-Fix-regression-i8259-interrupts-did-not-work.patch
+++ /dev/null
@@ -1,132 +0,0 @@ -From 0b23c5d40ea933cfece3b4f69427f79c8a23256d Mon Sep 17 00:00:00 2001 -From: Stefan Weil -Date: Tue, 29 Nov 2011 06:34:48 +0100 -Subject: [PATCH 01/25] malta: Fix regression (i8259 interrupts did not work) - -Commit 5632ae46d5bda798e971dae48ebb318ac2c3686a passes the address -of i8259 to qemu_irq_proxy. i8259 is an auto variable with undefined -value outside of mips_malta_init. - -This made the interrupt proxy unusable: either QEMU crashes, or -the interrupt handler was not called. - -Ethernet for example no longer worked with MIPS Malta. - -v2: -While v1 used a static variable for i8259, this patch introduces -a qdev for the malta machine. i8259 is now part of the device status. -This is a minimal qdev implementation to keep the patch small. - -Signed-off-by: Stefan Weil -Signed-off-by: Aurelien Jarno -(cherry picked from commit e9b40fd34ceb23461083d505a444a389c094455b) ---- - hw/mips_malta.c | 39 +++++++++++++++++++++++++++++++++++---- - 1 files changed, 35 insertions(+), 4 deletions(-) - -diff --git a/hw/mips_malta.c b/hw/mips_malta.c -index bb49749..941b9bd 100644 ---- a/hw/mips_malta.c -+++ b/hw/mips_malta.c -@@ -47,6 +47,7 @@ - #include "mc146818rtc.h" - #include "blockdev.h" - #include "exec-memory.h" -+#include "sysbus.h" /* SysBusDevice */ - - //#define DEBUG_BOARD_INIT - -@@ -72,6 +73,11 @@ typedef struct { - SerialState *uart; - } MaltaFPGAState; - -+typedef struct { -+ SysBusDevice busdev; -+ qemu_irq *i8259; -+} MaltaState; -+ - static ISADevice *pit; - - static struct _loaderparams { -@@ -775,7 +781,7 @@ void mips_malta_init (ram_addr_t ram_size, - int64_t kernel_entry; - PCIBus *pci_bus; - CPUState *env; -- qemu_irq *i8259 = NULL, *isa_irq; -+ qemu_irq *isa_irq; - qemu_irq *cpu_exit_irq; - int piix4_devfn; - i2c_bus *smbus; -@@ -787,6 +793,11 @@ void mips_malta_init (ram_addr_t ram_size, - int fl_sectors = 0; - int be; - -+ DeviceState *dev = qdev_create(NULL, "mips-malta"); -+ MaltaState *s = DO_UPCAST(MaltaState, busdev.qdev, 
dev); -+ -+ qdev_init_nofail(dev); -+ - /* Make sure the first 3 serial ports are associated with a device. */ - for(i = 0; i < 3; i++) { - if (!serial_hds[i]) { -@@ -932,7 +943,7 @@ void mips_malta_init (ram_addr_t ram_size, - * qemu_irq_proxy() adds an extra bit of indirection, allowing us - * to resolve the isa_irq -> i8259 dependency after i8259 is initialized. - */ -- isa_irq = qemu_irq_proxy(&i8259, 16); -+ isa_irq = qemu_irq_proxy(&s->i8259, 16); - - /* Northbridge */ - pci_bus = gt64120_register(isa_irq); -@@ -944,9 +955,9 @@ void mips_malta_init (ram_addr_t ram_size, - - /* Interrupt controller */ - /* The 8259 is attached to the MIPS CPU INT0 pin, ie interrupt 2 */ -- i8259 = i8259_init(env->irq[2]); -+ s->i8259 = i8259_init(env->irq[2]); - -- isa_bus_irqs(i8259); -+ isa_bus_irqs(s->i8259); - pci_piix4_ide_init(pci_bus, hd, piix4_devfn + 1); - usb_uhci_piix4_init(pci_bus, piix4_devfn + 2); - smbus = piix4_pm_init(pci_bus, piix4_devfn + 3, 0x1100, isa_get_irq(9), -@@ -990,6 +1001,20 @@ void mips_malta_init (ram_addr_t ram_size, - } - } - -+static int mips_malta_sysbus_device_init(SysBusDevice *sysbusdev) -+{ -+ return 0; -+} -+ -+static SysBusDeviceInfo mips_malta_device = { -+ .init = mips_malta_sysbus_device_init, -+ .qdev.name = "mips-malta", -+ .qdev.size = sizeof(MaltaState), -+ .qdev.props = (Property[]) { -+ DEFINE_PROP_END_OF_LIST(), -+ } -+}; -+ - static QEMUMachine mips_malta_machine = { - .name = "malta", - .desc = "MIPS Malta Core LV", -@@ -998,9 +1023,15 @@ static QEMUMachine mips_malta_machine = { - .is_default = 1, - }; - -+static void mips_malta_device_init(void) -+{ -+ sysbus_register_withprop(&mips_malta_device); -+} -+ - static void mips_malta_machine_init(void) - { - qemu_register_machine(&mips_malta_machine); - } - -+device_init(mips_malta_device_init); - machine_init(mips_malta_machine_init); --- -1.7.7.5 - 
diff --git a/0002-exec.c-Fix-subpage-memory-access-to-RAM-MemoryRegion.patch b/0002-exec.c-Fix-subpage-memory-access-to-RAM-MemoryRegion.patch
deleted file mode 100644
index e49a049..0000000
--- a/0002-exec.c-Fix-subpage-memory-access-to-RAM-MemoryRegion.patch
+++ /dev/null
@@ -1,134 +0,0 @@ -From 2061800b85ddcc9b34b5ccbfaa87f7e8b94626a6 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Andreas=20F=C3=A4rber?= -Date: Wed, 30 Nov 2011 16:26:21 +0100 -Subject: [PATCH 02/25] exec.c: Fix subpage memory access to RAM MemoryRegion -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Commit 95c318f5e1f88d7e5bcc6deac17330fd4806a2d3 (Fix segfault in mmio -subpage handling code.) prevented a segfault by making all subpage -registrations over an existing memory page perform an unassigned access. -Symptoms were writes not taking effect and reads returning zero. - -Very small page sizes are not currently supported either, -so subpage memory areas cannot fully be avoided. - -Therefore change the previous fix to use a new IO_MEM_SUBPAGE_RAM -instead of IO_MEM_UNASSIGNED. Suggested by Avi. - -Reviewed-by: Avi Kivity -Signed-off-by: Andreas Färber -Cc: Avi Kivity -Cc: Gleb Natapov -Signed-off-by: Anthony Liguori ---- - cpu-common.h | 1 + - exec.c | 65 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++- - 2 files changed, 64 insertions(+), 2 deletions(-) - -diff --git a/cpu-common.h b/cpu-common.h -index c9878ba..3f45428 100644 ---- a/cpu-common.h -+++ b/cpu-common.h -@@ -172,6 +172,7 @@ void cpu_physical_memory_write_rom(target_phys_addr_t addr, - #define IO_MEM_ROM (1 << IO_MEM_SHIFT) /* hardcoded offset */ - #define IO_MEM_UNASSIGNED (2 << IO_MEM_SHIFT) - #define IO_MEM_NOTDIRTY (3 << IO_MEM_SHIFT) -+#define IO_MEM_SUBPAGE_RAM (4 << IO_MEM_SHIFT) - - /* Acts like a ROM when read and like a device when written. 
*/ - #define IO_MEM_ROMD (1) -diff --git a/exec.c b/exec.c -index 6b92198..6c206ff 100644 ---- a/exec.c -+++ b/exec.c -@@ -3570,6 +3570,63 @@ static CPUWriteMemoryFunc * const subpage_write[] = { - &subpage_writel, - }; - -+static uint32_t subpage_ram_readb(void *opaque, target_phys_addr_t addr) -+{ -+ ram_addr_t raddr = addr; -+ void *ptr = qemu_get_ram_ptr(raddr); -+ return ldub_p(ptr); -+} -+ -+static void subpage_ram_writeb(void *opaque, target_phys_addr_t addr, -+ uint32_t value) -+{ -+ ram_addr_t raddr = addr; -+ void *ptr = qemu_get_ram_ptr(raddr); -+ stb_p(ptr, value); -+} -+ -+static uint32_t subpage_ram_readw(void *opaque, target_phys_addr_t addr) -+{ -+ ram_addr_t raddr = addr; -+ void *ptr = qemu_get_ram_ptr(raddr); -+ return lduw_p(ptr); -+} -+ -+static void subpage_ram_writew(void *opaque, target_phys_addr_t addr, -+ uint32_t value) -+{ -+ ram_addr_t raddr = addr; -+ void *ptr = qemu_get_ram_ptr(raddr); -+ stw_p(ptr, value); -+} -+ -+static uint32_t subpage_ram_readl(void *opaque, target_phys_addr_t addr) -+{ -+ ram_addr_t raddr = addr; -+ void *ptr = qemu_get_ram_ptr(raddr); -+ return ldl_p(ptr); -+} -+ -+static void subpage_ram_writel(void *opaque, target_phys_addr_t addr, -+ uint32_t value) -+{ -+ ram_addr_t raddr = addr; -+ void *ptr = qemu_get_ram_ptr(raddr); -+ stl_p(ptr, value); -+} -+ -+static CPUReadMemoryFunc * const subpage_ram_read[] = { -+ &subpage_ram_readb, -+ &subpage_ram_readw, -+ &subpage_ram_readl, -+}; -+ -+static CPUWriteMemoryFunc * const subpage_ram_write[] = { -+ &subpage_ram_writeb, -+ &subpage_ram_writew, -+ &subpage_ram_writel, -+}; -+ - static int subpage_register (subpage_t *mmio, uint32_t start, uint32_t end, - ram_addr_t memory, ram_addr_t region_offset) - { -@@ -3583,8 +3640,9 @@ static int subpage_register (subpage_t *mmio, uint32_t start, uint32_t end, - printf("%s: %p start %08x end %08x idx %08x eidx %08x mem %ld\n", __func__, - mmio, start, end, idx, eidx, memory); - #endif -- if ((memory & ~TARGET_PAGE_MASK) == 
IO_MEM_RAM) -- memory = IO_MEM_UNASSIGNED; -+ if ((memory & ~TARGET_PAGE_MASK) == IO_MEM_RAM) { -+ memory = IO_MEM_SUBPAGE_RAM; -+ } - memory = (memory >> IO_MEM_SHIFT) & (IO_MEM_NB_ENTRIES - 1); - for (; idx <= eidx; idx++) { - mmio->sub_io_index[idx] = memory; -@@ -3817,6 +3875,9 @@ static void io_mem_init(void) - cpu_register_io_memory_fixed(IO_MEM_NOTDIRTY, error_mem_read, - notdirty_mem_write, NULL, - DEVICE_NATIVE_ENDIAN); -+ cpu_register_io_memory_fixed(IO_MEM_SUBPAGE_RAM, subpage_ram_read, -+ subpage_ram_write, NULL, -+ DEVICE_NATIVE_ENDIAN); - for (i=0; i<5; i++) - io_mem_used[i] = 1; - --- -1.7.7.5 - diff --git a/0003-hw-9pfs-Improve-portability-to-older-systems.patch b/0003-hw-9pfs-Improve-portability-to-older-systems.patch deleted file mode 100644 index 4e91a9f..0000000 --- a/0003-hw-9pfs-Improve-portability-to-older-systems.patch +++ /dev/null 
@@ -1,101 +0,0 @@ -From f03969b952bc2aaf9f4445b6da28aebb0a9abde5 Mon Sep 17 00:00:00 2001 -From: "Aneesh Kumar K.V" -Date: Sun, 4 Dec 2011 22:35:27 +0530 -Subject: [PATCH 03/25] hw/9pfs: Improve portability to older systems - -handle fs driver require a set of newly added syscalls. Don't -Compile handle FS driver if those syscalls are not available. -Instead of adding #ifdef for all those syscalls we check for -open by handle syscall. If that is available then rest of the -syscalls used by the driver should be available. - -Signed-off-by: Aneesh Kumar K.V ---- - Makefile.objs | 4 ++-- - fsdev/qemu-fsdev.c | 2 ++ - hw/9pfs/virtio-9p-handle.c | 33 --------------------------------- - 3 files changed, 4 insertions(+), 35 deletions(-) - -diff --git a/Makefile.objs b/Makefile.objs -index d7a6539..3a699ee 100644 ---- a/Makefile.objs -+++ b/Makefile.objs -@@ -310,8 +310,8 @@ hw-obj-$(CONFIG_SOUND) += $(sound-obj-y) - 9pfs-nested-$(CONFIG_VIRTFS) += virtio-9p-local.o virtio-9p-xattr.o - 9pfs-nested-$(CONFIG_VIRTFS) += virtio-9p-xattr-user.o virtio-9p-posix-acl.o - 9pfs-nested-$(CONFIG_VIRTFS) += virtio-9p-coth.o cofs.o codir.o cofile.o --9pfs-nested-$(CONFIG_VIRTFS) += coxattr.o virtio-9p-handle.o --9pfs-nested-$(CONFIG_VIRTFS) += virtio-9p-synth.o -+9pfs-nested-$(CONFIG_VIRTFS) += coxattr.o virtio-9p-synth.o -+9pfs-nested-$(CONFIG_OPEN_BY_HANDLE) += virtio-9p-handle.o - - hw-obj-$(CONFIG_REALLY_VIRTFS) += $(addprefix 9pfs/, $(9pfs-nested-y)) - $(addprefix 9pfs/, $(9pfs-nested-y)): QEMU_CFLAGS+=$(GLIB_CFLAGS) -diff --git a/fsdev/qemu-fsdev.c b/fsdev/qemu-fsdev.c -index 7fd2aa7..6684f7e 100644 ---- a/fsdev/qemu-fsdev.c -+++ b/fsdev/qemu-fsdev.c -@@ -23,7 +23,9 @@ static QTAILQ_HEAD(FsDriverEntry_head, FsDriverListEntry) fsdriver_entries = - - static FsDriverTable FsDrivers[] = { - { .name = "local", .ops = &local_ops}, -+#ifdef CONFIG_OPEN_BY_HANDLE - { .name = "handle", .ops = &handle_ops}, -+#endif - { .name = "synth", .ops = &synth_ops}, - }; - -diff --git 
a/hw/9pfs/virtio-9p-handle.c b/hw/9pfs/virtio-9p-handle.c -index 7644ae5..a62f690 100644 ---- a/hw/9pfs/virtio-9p-handle.c -+++ b/hw/9pfs/virtio-9p-handle.c -@@ -45,7 +45,6 @@ struct handle_data { - int handle_bytes; - }; - --#ifdef CONFIG_OPEN_BY_HANDLE - static inline int name_to_handle(int dirfd, const char *name, - struct file_handle *fh, int *mnt_id, int flags) - { -@@ -56,38 +55,6 @@ static inline int open_by_handle(int mountfd, const char *fh, int flags) - { - return open_by_handle_at(mountfd, (struct file_handle *)fh, flags); - } --#else -- --struct rpl_file_handle { -- unsigned int handle_bytes; -- int handle_type; -- unsigned char handle[0]; --}; --#define file_handle rpl_file_handle -- --#ifndef AT_REMOVEDIR --#define AT_REMOVEDIR 0x200 --#endif --#ifndef AT_EMPTY_PATH --#define AT_EMPTY_PATH 0x1000 /* Allow empty relative pathname */ --#endif --#ifndef O_PATH --#define O_PATH 010000000 --#endif -- --static inline int name_to_handle(int dirfd, const char *name, -- struct file_handle *fh, int *mnt_id, int flags) --{ -- errno = ENOSYS; -- return -1; --} -- --static inline int open_by_handle(int mountfd, const char *fh, int flags) --{ -- errno = ENOSYS; -- return -1; --} --#endif - - static int handle_update_file_cred(int dirfd, const char *name, FsCred *credp) - { --- -1.7.7.5 - diff --git a/0004-hw-9pfs-use-migration-blockers-to-prevent-live-migra.patch b/0004-hw-9pfs-use-migration-blockers-to-prevent-live-migra.patch deleted file mode 100644 index a63b9e1..0000000 --- a/0004-hw-9pfs-use-migration-blockers-to-prevent-live-migra.patch +++ /dev/null 
@@ -1,171 +0,0 @@ -From 77a02621812952acfde887244f6f480de1b51f95 Mon Sep 17 00:00:00 2001 -From: "Aneesh Kumar K.V" -Date: Sun, 4 Dec 2011 22:35:28 +0530 -Subject: [PATCH 04/25] hw/9pfs: use migration blockers to prevent live - migration when virtfs export path is mounted - -Now when you try to migrate with VirtFS export path mounted, you get a proper QMP error: - -(qemu) migrate tcp:localhost:4444 -Migration is disabled when VirtFS export path '/tmp/' is mounted in the guest using mount_tag 'v_tmp' -(qemu) - -Signed-off-by: Aneesh Kumar K.V ---- - hw/9pfs/virtio-9p-device.c | 22 +++++++++++----------- - hw/9pfs/virtio-9p.c | 19 +++++++++++++++++++ - hw/9pfs/virtio-9p.h | 5 +++-- - qerror.c | 5 +++++ - qerror.h | 3 +++ - 5 files changed, 41 insertions(+), 13 deletions(-) - -diff --git a/hw/9pfs/virtio-9p-device.c b/hw/9pfs/virtio-9p-device.c -index bba4c54..c9bca8b 100644 ---- a/hw/9pfs/virtio-9p-device.c -+++ b/hw/9pfs/virtio-9p-device.c -@@ -33,13 +33,15 @@ static V9fsState *to_virtio_9p(VirtIODevice *vdev) - - static void virtio_9p_get_config(VirtIODevice *vdev, uint8_t *config) - { -+ int len; - struct virtio_9p_config *cfg; - V9fsState *s = to_virtio_9p(vdev); - -- cfg = g_malloc0(sizeof(struct virtio_9p_config) + -- s->tag_len); -- stw_raw(&cfg->tag_len, s->tag_len); -- memcpy(cfg->tag, s->tag, s->tag_len); -+ len = strlen(s->tag); -+ cfg = g_malloc0(sizeof(struct virtio_9p_config) + len); -+ stw_raw(&cfg->tag_len, len); -+ /* We don't copy the terminating null to config space */ -+ memcpy(cfg->tag, s->tag, len); - memcpy(config, cfg, s->config_size); - g_free(cfg); - } -@@ -96,20 +98,18 @@ VirtIODevice *virtio_9p_init(DeviceState *dev, V9fsConf *conf) - } - - len = strlen(conf->tag); -- if (len > MAX_TAG_LEN) { -+ if (len > MAX_TAG_LEN - 1) { - fprintf(stderr, "mount tag '%s' (%d bytes) is longer than " -- "maximum (%d bytes)", conf->tag, len, MAX_TAG_LEN); -+ "maximum (%d bytes)", conf->tag, len, MAX_TAG_LEN - 1); - exit(1); - } -- /* s->tag is non-NULL 
terminated string */ -- s->tag = g_malloc(len); -- memcpy(s->tag, conf->tag, len); -- s->tag_len = len; -+ -+ s->tag = strdup(conf->tag); - s->ctx.uid = -1; - - s->ops = fse->ops; - s->vdev.get_features = virtio_9p_get_features; -- s->config_size = sizeof(struct virtio_9p_config) + s->tag_len; -+ s->config_size = sizeof(struct virtio_9p_config) + len; - s->vdev.get_config = virtio_9p_get_config; - s->fid_list = NULL; - qemu_co_rwlock_init(&s->rename_lock); -diff --git a/hw/9pfs/virtio-9p.c b/hw/9pfs/virtio-9p.c -index 1b2fc5d..32b98dd 100644 ---- a/hw/9pfs/virtio-9p.c -+++ b/hw/9pfs/virtio-9p.c -@@ -23,6 +23,7 @@ - #include "virtio-9p-xattr.h" - #include "virtio-9p-coth.h" - #include "trace.h" -+#include "migration.h" - - int open_fd_hw; - int total_open_fd; -@@ -373,6 +374,19 @@ static void put_fid(V9fsPDU *pdu, V9fsFidState *fidp) - * Don't free the fid if it is in reclaim list - */ - if (!fidp->ref && fidp->clunked) { -+ if (fidp->fid == pdu->s->root_fid) { -+ /* -+ * if the clunked fid is root fid then we -+ * have unmounted the fs on the client side. -+ * delete the migration blocker. 
Ideally, this -+ * should be hooked to transport close notification -+ */ -+ if (pdu->s->migration_blocker) { -+ migrate_del_blocker(pdu->s->migration_blocker); -+ error_free(pdu->s->migration_blocker); -+ pdu->s->migration_blocker = NULL; -+ } -+ } - free_fid(pdu, fidp); - } - } -@@ -1235,6 +1249,11 @@ static void v9fs_attach(void *opaque) - err = offset; - trace_v9fs_attach_return(pdu->tag, pdu->id, - qid.type, qid.version, qid.path); -+ s->root_fid = fid; -+ /* disable migration */ -+ error_set(&s->migration_blocker, QERR_VIRTFS_FEATURE_BLOCKS_MIGRATION, -+ s->ctx.fs_root, s->tag); -+ migrate_add_blocker(s->migration_blocker); - out: - put_fid(pdu, fidp); - out_nofid: -diff --git a/hw/9pfs/virtio-9p.h b/hw/9pfs/virtio-9p.h -index 7f88356..8b612da 100644 ---- a/hw/9pfs/virtio-9p.h -+++ b/hw/9pfs/virtio-9p.h -@@ -246,8 +246,7 @@ typedef struct V9fsState - V9fsFidState *fid_list; - FileOperations *ops; - FsContext ctx; -- uint16_t tag_len; -- uint8_t *tag; -+ char *tag; - size_t config_size; - enum p9_proto_version proto_version; - int32_t msize; -@@ -256,6 +255,8 @@ typedef struct V9fsState - * on rename. 
- */ - CoRwlock rename_lock; -+ int32_t root_fid; -+ Error *migration_blocker; - } V9fsState; - - typedef struct V9fsStatState { -diff --git a/qerror.c b/qerror.c -index fdf62b9..25bc91e 100644 ---- a/qerror.c -+++ b/qerror.c -@@ -235,6 +235,11 @@ static const QErrorStringTable qerror_table[] = { - "supported by this qemu version: %(feature)", - }, - { -+ .error_fmt = QERR_VIRTFS_FEATURE_BLOCKS_MIGRATION, -+ .desc = "Migration is disabled when VirtFS export path '%(path)' " -+ "is mounted in the guest using mount_tag '%(tag)'", -+ }, -+ { - .error_fmt = QERR_VNC_SERVER_FAILED, - .desc = "Could not start VNC server on %(target)", - }, -diff --git a/qerror.h b/qerror.h -index 2d3d43b..6414cd9 100644 ---- a/qerror.h -+++ b/qerror.h -@@ -192,6 +192,9 @@ QError *qobject_to_qerror(const QObject *obj); - #define QERR_UNKNOWN_BLOCK_FORMAT_FEATURE \ - "{ 'class': 'UnknownBlockFormatFeature', 'data': { 'device': %s, 'format': %s, 'feature': %s } }" - -+#define QERR_VIRTFS_FEATURE_BLOCKS_MIGRATION \ -+ "{ 'class': 'VirtFSFeatureBlocksMigration', 'data': { 'path': %s, 'tag': %s } }" -+ - #define QERR_VNC_SERVER_FAILED \ - "{ 'class': 'VNCServerFailed', 'data': { 'target': %s } }" - --- -1.7.7.5 - diff --git a/0005-hw-9pfs-Reset-server-state-during-TVERSION.patch b/0005-hw-9pfs-Reset-server-state-during-TVERSION.patch deleted file mode 100644 index 585b7cc..0000000 --- a/0005-hw-9pfs-Reset-server-state-during-TVERSION.patch +++ /dev/null 
@@ -1,64 +0,0 @@ -From c554919f74e5a79f15360c4c2f417003477634cf Mon Sep 17 00:00:00 2001 -From: Deepak C Shetty -Date: Sun, 4 Dec 2011 22:35:28 +0530 -Subject: [PATCH 05/25] hw/9pfs: Reset server state during TVERSION - -As per the 9p rfc, during TVERSION its necessary to clean all the active -fids, so that we start the session from a clean state. Its also needed in -scenarios where the guest is booting off 9p, and boot fails, and client -restarts, without any knowledge of the past, it will issue a TVERSION again -so this ensures that we always start from a clean state. - -Signed-off-by: Deepak C Shetty -Signed-off-by: Aneesh Kumar K.V ---- - hw/9pfs/virtio-9p.c | 26 ++++++++++++++++++++++++++ - 1 files changed, 26 insertions(+), 0 deletions(-) - -diff --git a/hw/9pfs/virtio-9p.c b/hw/9pfs/virtio-9p.c -index 32b98dd..dd43209 100644 ---- a/hw/9pfs/virtio-9p.c -+++ b/hw/9pfs/virtio-9p.c -@@ -523,6 +523,30 @@ static int v9fs_mark_fids_unreclaim(V9fsPDU *pdu, V9fsPath *path) - return 0; - } - -+static void virtfs_reset(V9fsPDU *pdu) -+{ -+ V9fsState *s = pdu->s; -+ V9fsFidState *fidp = NULL; -+ -+ /* Free all fids */ -+ while (s->fid_list) { -+ fidp = s->fid_list; -+ s->fid_list = fidp->next; -+ -+ if (fidp->ref) { -+ fidp->clunked = 1; -+ } else { -+ free_fid(pdu, fidp); -+ } -+ } -+ if (fidp) { -+ /* One or more unclunked fids found... */ -+ error_report("9pfs:%s: One or more uncluncked fids " -+ "found during reset", __func__); -+ } -+ return; -+} -+ - #define P9_QID_TYPE_DIR 0x80 - #define P9_QID_TYPE_SYMLINK 0x02 - -@@ -1196,6 +1220,8 @@ static void v9fs_version(void *opaque) - pdu_unmarshal(pdu, offset, "ds", &s->msize, &version); - trace_v9fs_version(pdu->tag, pdu->id, s->msize, version.data); - -+ virtfs_reset(pdu); -+ - if (!strcmp(version.data, "9P2000.u")) { - s->proto_version = V9FS_PROTO_2000U; - } else if (!strcmp(version.data, "9P2000.L")) { --- -1.7.7.5 - 
diff --git a/0006-hw-9pfs-Add-qdev.reset-callback-for-virtio-9p-pci-de.patch b/0006-hw-9pfs-Add-qdev.reset-callback-for-virtio-9p-pci-de.patch
deleted file mode 100644
index aa49abb..0000000
--- a/0006-hw-9pfs-Add-qdev.reset-callback-for-virtio-9p-pci-de.patch
+++ /dev/null
@@ -1,57 +0,0 @@ -From 64dd41bc2de392fa018c5ce804cc451b83f18b94 Mon Sep 17 00:00:00 2001 -From: "Aneesh Kumar K.V" -Date: Sun, 4 Dec 2011 22:35:28 +0530 -Subject: [PATCH 06/25] hw/9pfs: Add qdev.reset callback for virtio-9p-pci - device - -Add the device reset callback - -Signed-off-by: Aneesh Kumar K.V ---- - hw/9pfs/virtio-9p-device.c | 3 ++- - hw/virtio-pci.c | 2 +- - hw/virtio-pci.h | 1 + - 3 files changed, 4 insertions(+), 2 deletions(-) - -diff --git a/hw/9pfs/virtio-9p-device.c b/hw/9pfs/virtio-9p-device.c -index c9bca8b..cd343e1 100644 ---- a/hw/9pfs/virtio-9p-device.c -+++ b/hw/9pfs/virtio-9p-device.c -@@ -176,7 +176,8 @@ static PCIDeviceInfo virtio_9p_info = { - DEFINE_PROP_STRING("mount_tag", VirtIOPCIProxy, fsconf.tag), - DEFINE_PROP_STRING("fsdev", VirtIOPCIProxy, fsconf.fsdev_id), - DEFINE_PROP_END_OF_LIST(), -- } -+ }, -+ .qdev.reset = virtio_pci_reset, - }; - - static void virtio_9p_register_devices(void) -diff --git a/hw/virtio-pci.c b/hw/virtio-pci.c -index 64c6a94..c665f5c 100644 ---- a/hw/virtio-pci.c -+++ b/hw/virtio-pci.c -@@ -266,7 +266,7 @@ static void virtio_pci_stop_ioeventfd(VirtIOPCIProxy *proxy) - proxy->ioeventfd_started = false; - } - --static void virtio_pci_reset(DeviceState *d) -+void virtio_pci_reset(DeviceState *d) - { - VirtIOPCIProxy *proxy = container_of(d, VirtIOPCIProxy, pci_dev.qdev); - virtio_pci_stop_ioeventfd(proxy); -diff --git a/hw/virtio-pci.h b/hw/virtio-pci.h -index f8404de..344c22b 100644 ---- a/hw/virtio-pci.h -+++ b/hw/virtio-pci.h -@@ -45,6 +45,7 @@ typedef struct { - } VirtIOPCIProxy; - - void virtio_init_pci(VirtIOPCIProxy *proxy, VirtIODevice *vdev); -+void virtio_pci_reset(DeviceState *d); - - /* Virtio ABI version, if we increment this, we break the guest driver. */ - #define VIRTIO_PCI_ABI_VERSION 0 --- -1.7.7.5 - diff --git a/0007-hw-9pfs-Use-the-correct-file-descriptor-in-Fsdriver-.patch b/0007-hw-9pfs-Use-the-correct-file-descriptor-in-Fsdriver-.patch deleted file mode 100644 index 446716c..0000000 
--- a/0007-hw-9pfs-Use-the-correct-file-descriptor-in-Fsdriver-.patch
+++ /dev/null
@@ -1,210 +0,0 @@ -From ed6857bf98e6c8b8080be208ffe15bb678591466 Mon Sep 17 00:00:00 2001 -From: "Aneesh Kumar K.V" -Date: Sun, 4 Dec 2011 22:35:28 +0530 -Subject: [PATCH 07/25] hw/9pfs: Use the correct file descriptor in Fsdriver - Callback - -Fsdriver callback that operate on file descriptor need to -differentiate between directory fd and file fd. - -Based on the original patch from Sassan Panahinejad - -Signed-off-by: Aneesh Kumar K.V ---- - fsdev/file-op-9p.h | 4 ++-- - hw/9pfs/cofile.c | 4 ++-- - hw/9pfs/virtio-9p-handle.c | 28 ++++++++++++++++++++++------ - hw/9pfs/virtio-9p-local.c | 36 ++++++++++++++++++++++++++---------- - hw/9pfs/virtio-9p-synth.c | 5 +++-- - 5 files changed, 55 insertions(+), 22 deletions(-) - -diff --git a/fsdev/file-op-9p.h b/fsdev/file-op-9p.h -index 1928da2..a85ecd3 100644 ---- a/fsdev/file-op-9p.h -+++ b/fsdev/file-op-9p.h -@@ -112,10 +112,10 @@ typedef struct FileOperations - ssize_t (*pwritev)(FsContext *, V9fsFidOpenState *, - const struct iovec *, int, off_t); - int (*mkdir)(FsContext *, V9fsPath *, const char *, FsCred *); -- int (*fstat)(FsContext *, V9fsFidOpenState *, struct stat *); -+ int (*fstat)(FsContext *, int, V9fsFidOpenState *, struct stat *); - int (*rename)(FsContext *, const char *, const char *); - int (*truncate)(FsContext *, V9fsPath *, off_t); -- int (*fsync)(FsContext *, V9fsFidOpenState *, int); -+ int (*fsync)(FsContext *, int, V9fsFidOpenState *, int); - int (*statfs)(FsContext *s, V9fsPath *path, struct statfs *stbuf); - ssize_t (*lgetxattr)(FsContext *, V9fsPath *, - const char *, void *, size_t); -diff --git a/hw/9pfs/cofile.c b/hw/9pfs/cofile.c -index 586b038..b15838c 100644 ---- a/hw/9pfs/cofile.c -+++ b/hw/9pfs/cofile.c -@@ -71,7 +71,7 @@ int v9fs_co_fstat(V9fsPDU *pdu, V9fsFidState *fidp, struct stat *stbuf) - } - v9fs_co_run_in_worker( - { -- err = s->ops->fstat(&s->ctx, &fidp->fs, stbuf); -+ err = s->ops->fstat(&s->ctx, fidp->fid_type, &fidp->fs, stbuf); - if (err < 0) { - err = -errno; - } -@@ 
-192,7 +192,7 @@ int v9fs_co_fsync(V9fsPDU *pdu, V9fsFidState *fidp, int datasync) - } - v9fs_co_run_in_worker( - { -- err = s->ops->fsync(&s->ctx, &fidp->fs, datasync); -+ err = s->ops->fsync(&s->ctx, fidp->fid_type, &fidp->fs, datasync); - if (err < 0) { - err = -errno; - } -diff --git a/hw/9pfs/virtio-9p-handle.c b/hw/9pfs/virtio-9p-handle.c -index a62f690..f97d898 100644 ---- a/hw/9pfs/virtio-9p-handle.c -+++ b/hw/9pfs/virtio-9p-handle.c -@@ -255,10 +255,17 @@ static int handle_mkdir(FsContext *fs_ctx, V9fsPath *dir_path, - return ret; - } - --static int handle_fstat(FsContext *fs_ctx, V9fsFidOpenState *fs, -- struct stat *stbuf) -+static int handle_fstat(FsContext *fs_ctx, int fid_type, -+ V9fsFidOpenState *fs, struct stat *stbuf) - { -- return fstat(fs->fd, stbuf); -+ int fd; -+ -+ if (fid_type == P9_FID_DIR) { -+ fd = dirfd(fs->dir); -+ } else { -+ fd = fs->fd; -+ } -+ return fstat(fd, stbuf); - } - - static int handle_open2(FsContext *fs_ctx, V9fsPath *dir_path, const char *name, -@@ -395,12 +402,21 @@ static int handle_remove(FsContext *ctx, const char *path) - return -1; - } - --static int handle_fsync(FsContext *ctx, V9fsFidOpenState *fs, int datasync) -+static int handle_fsync(FsContext *ctx, int fid_type, -+ V9fsFidOpenState *fs, int datasync) - { -+ int fd; -+ -+ if (fid_type == P9_FID_DIR) { -+ fd = dirfd(fs->dir); -+ } else { -+ fd = fs->fd; -+ } -+ - if (datasync) { -- return qemu_fdatasync(fs->fd); -+ return qemu_fdatasync(fd); - } else { -- return fsync(fs->fd); -+ return fsync(fd); - } - } - -diff --git a/hw/9pfs/virtio-9p-local.c b/hw/9pfs/virtio-9p-local.c -index 99ef0cd..371a94d 100644 ---- a/hw/9pfs/virtio-9p-local.c -+++ b/hw/9pfs/virtio-9p-local.c -@@ -366,11 +366,18 @@ out: - return err; - } - --static int local_fstat(FsContext *fs_ctx, -+static int local_fstat(FsContext *fs_ctx, int fid_type, - V9fsFidOpenState *fs, struct stat *stbuf) - { -- int err; -- err = fstat(fs->fd, stbuf); -+ int err, fd; -+ -+ if (fid_type == P9_FID_DIR) { -+ 
fd = dirfd(fs->dir); -+ } else { -+ fd = fs->fd; -+ } -+ -+ err = fstat(fd, stbuf); - if (err) { - return err; - } -@@ -381,19 +388,19 @@ static int local_fstat(FsContext *fs_ctx, - mode_t tmp_mode; - dev_t tmp_dev; - -- if (fgetxattr(fs->fd, "user.virtfs.uid", -+ if (fgetxattr(fd, "user.virtfs.uid", - &tmp_uid, sizeof(uid_t)) > 0) { - stbuf->st_uid = tmp_uid; - } -- if (fgetxattr(fs->fd, "user.virtfs.gid", -+ if (fgetxattr(fd, "user.virtfs.gid", - &tmp_gid, sizeof(gid_t)) > 0) { - stbuf->st_gid = tmp_gid; - } -- if (fgetxattr(fs->fd, "user.virtfs.mode", -+ if (fgetxattr(fd, "user.virtfs.mode", - &tmp_mode, sizeof(mode_t)) > 0) { - stbuf->st_mode = tmp_mode; - } -- if (fgetxattr(fs->fd, "user.virtfs.rdev", -+ if (fgetxattr(fd, "user.virtfs.rdev", - &tmp_dev, sizeof(dev_t)) > 0) { - stbuf->st_rdev = tmp_dev; - } -@@ -592,12 +599,21 @@ static int local_remove(FsContext *ctx, const char *path) - return remove(rpath(ctx, path, buffer)); - } - --static int local_fsync(FsContext *ctx, V9fsFidOpenState *fs, int datasync) -+static int local_fsync(FsContext *ctx, int fid_type, -+ V9fsFidOpenState *fs, int datasync) - { -+ int fd; -+ -+ if (fid_type == P9_FID_DIR) { -+ fd = dirfd(fs->dir); -+ } else { -+ fd = fs->fd; -+ } -+ - if (datasync) { -- return qemu_fdatasync(fs->fd); -+ return qemu_fdatasync(fd); - } else { -- return fsync(fs->fd); -+ return fsync(fd); - } - } - -diff --git a/hw/9pfs/virtio-9p-synth.c b/hw/9pfs/virtio-9p-synth.c -index f573616..92e0b09 100644 ---- a/hw/9pfs/virtio-9p-synth.c -+++ b/hw/9pfs/virtio-9p-synth.c -@@ -166,7 +166,7 @@ static int v9fs_synth_lstat(FsContext *fs_ctx, - return 0; - } - --static int v9fs_synth_fstat(FsContext *fs_ctx, -+static int v9fs_synth_fstat(FsContext *fs_ctx, int fid_type, - V9fsFidOpenState *fs, struct stat *stbuf) - { - V9fsSynthOpenState *synth_open = fs->private; -@@ -414,7 +414,8 @@ static int v9fs_synth_remove(FsContext *ctx, const char *path) - return -1; - } - --static int v9fs_synth_fsync(FsContext *ctx, 
V9fsFidOpenState *fs, int datasync) -+static int v9fs_synth_fsync(FsContext *ctx, int fid_type, -+ V9fsFidOpenState *fs, int datasync) - { - errno = ENOSYS; - return 0; --- -1.7.7.5 - diff --git a/0008-hw-9pfs-replace-iovec-manipulation-with-QEMUIOVector.patch b/0008-hw-9pfs-replace-iovec-manipulation-with-QEMUIOVector.patch deleted file mode 100644 index 95c3f05..0000000 --- a/0008-hw-9pfs-replace-iovec-manipulation-with-QEMUIOVector.patch +++ /dev/null 
@@ -1,305 +0,0 @@ -From 45d6cdff48356dc8974497ec0524f971b646dd70 Mon Sep 17 00:00:00 2001 -From: Stefan Hajnoczi -Date: Wed, 21 Dec 2011 12:37:22 +0530 -Subject: [PATCH 08/25] hw/9pfs: replace iovec manipulation with QEMUIOVector - -The v9fs_read() and v9fs_write() functions rely on iovec[] manipulation -code should be replaced with QEMUIOVector to avoid duplicating code. -In the future it may be possible to make the code even more concise by -using QEMUIOVector consistently across virtio and 9pfs. - -The "v" format specifier for pdu_marshal() and pdu_unmarshal() is -dropped since it does not actually pack/unpack anything. The specifier -was also not implemented to update the offset variable and could only be -used at the end of a format string, another sign that this shouldn't -really be a format specifier. Instead, see the new -v9fs_init_qiov_from_pdu() function. - -This change avoids a possible iovec[] buffer overflow when indirect -vrings are used since the number of vectors is now limited by the -underlying VirtQueueElement and cannot be out-of-bounds. 
- -Signed-off-by: Stefan Hajnoczi -Signed-off-by: Aneesh Kumar K.V ---- - hw/9pfs/virtio-9p.c | 162 +++++++++++++++++++-------------------------------- - 1 files changed, 60 insertions(+), 102 deletions(-) - -diff --git a/hw/9pfs/virtio-9p.c b/hw/9pfs/virtio-9p.c -index dd43209..c018916 100644 ---- a/hw/9pfs/virtio-9p.c -+++ b/hw/9pfs/virtio-9p.c -@@ -674,40 +674,6 @@ static size_t pdu_pack(V9fsPDU *pdu, size_t offset, const void *src, - offset, size, 1); - } - --static int pdu_copy_sg(V9fsPDU *pdu, size_t offset, int rx, struct iovec *sg) --{ -- size_t pos = 0; -- int i, j; -- struct iovec *src_sg; -- unsigned int num; -- -- if (rx) { -- src_sg = pdu->elem.in_sg; -- num = pdu->elem.in_num; -- } else { -- src_sg = pdu->elem.out_sg; -- num = pdu->elem.out_num; -- } -- -- j = 0; -- for (i = 0; i < num; i++) { -- if (offset <= pos) { -- sg[j].iov_base = src_sg[i].iov_base; -- sg[j].iov_len = src_sg[i].iov_len; -- j++; -- } else if (offset < (src_sg[i].iov_len + pos)) { -- sg[j].iov_base = src_sg[i].iov_base; -- sg[j].iov_len = src_sg[i].iov_len; -- sg[j].iov_base += (offset - pos); -- sg[j].iov_len -= (offset - pos); -- j++; -- } -- pos += src_sg[i].iov_len; -- } -- -- return j; --} -- - static size_t pdu_unmarshal(V9fsPDU *pdu, size_t offset, const char *fmt, ...) - { - size_t old_offset = offset; -@@ -743,12 +709,6 @@ static size_t pdu_unmarshal(V9fsPDU *pdu, size_t offset, const char *fmt, ...) - *valp = le64_to_cpu(val); - break; - } -- case 'v': { -- struct iovec *iov = va_arg(ap, struct iovec *); -- int *iovcnt = va_arg(ap, int *); -- *iovcnt = pdu_copy_sg(pdu, offset, 0, iov); -- break; -- } - case 's': { - V9fsString *str = va_arg(ap, V9fsString *); - offset += pdu_unmarshal(pdu, offset, "w", &str->size); -@@ -827,12 +787,6 @@ static size_t pdu_marshal(V9fsPDU *pdu, size_t offset, const char *fmt, ...) 
- offset += pdu_pack(pdu, offset, &val, sizeof(val)); - break; - } -- case 'v': { -- struct iovec *iov = va_arg(ap, struct iovec *); -- int *iovcnt = va_arg(ap, int *); -- *iovcnt = pdu_copy_sg(pdu, offset, 1, iov); -- break; -- } - case 's': { - V9fsString *str = va_arg(ap, V9fsString *); - offset += pdu_marshal(pdu, offset, "w", str->size); -@@ -1143,42 +1097,6 @@ static void stat_to_v9stat_dotl(V9fsState *s, const struct stat *stbuf, - stat_to_qid(stbuf, &v9lstat->qid); - } - --static struct iovec *adjust_sg(struct iovec *sg, int len, int *iovcnt) --{ -- while (len && *iovcnt) { -- if (len < sg->iov_len) { -- sg->iov_len -= len; -- sg->iov_base += len; -- len = 0; -- } else { -- len -= sg->iov_len; -- sg++; -- *iovcnt -= 1; -- } -- } -- -- return sg; --} -- --static struct iovec *cap_sg(struct iovec *sg, int cap, int *cnt) --{ -- int i; -- int total = 0; -- -- for (i = 0; i < *cnt; i++) { -- if ((total + sg[i].iov_len) > cap) { -- sg[i].iov_len -= ((total + sg[i].iov_len) - cap); -- i++; -- break; -- } -- total += sg[i].iov_len; -- } -- -- *cnt = i; -- -- return sg; --} -- - static void print_sg(struct iovec *sg, int cnt) - { - int i; -@@ -1861,6 +1779,38 @@ out: - return count; - } - -+/* -+ * Create a QEMUIOVector for a sub-region of PDU iovecs -+ * -+ * @qiov: uninitialized QEMUIOVector -+ * @skip: number of bytes to skip from beginning of PDU -+ * @size: number of bytes to include -+ * @is_write: true - write, false - read -+ * -+ * The resulting QEMUIOVector has heap-allocated iovecs and must be cleaned up -+ * with qemu_iovec_destroy(). 
-+ */ -+static void v9fs_init_qiov_from_pdu(QEMUIOVector *qiov, V9fsPDU *pdu, -+ uint64_t skip, size_t size, -+ bool is_write) -+{ -+ QEMUIOVector elem; -+ struct iovec *iov; -+ unsigned int niov; -+ -+ if (is_write) { -+ iov = pdu->elem.out_sg; -+ niov = pdu->elem.out_num; -+ } else { -+ iov = pdu->elem.in_sg; -+ niov = pdu->elem.in_num; -+ } -+ -+ qemu_iovec_init_external(&elem, iov, niov); -+ qemu_iovec_init(qiov, niov); -+ qemu_iovec_copy(qiov, &elem, skip, size); -+} -+ - static void v9fs_read(void *opaque) - { - int32_t fid; -@@ -1895,21 +1845,21 @@ static void v9fs_read(void *opaque) - err += pdu_marshal(pdu, offset, "d", count); - err += count; - } else if (fidp->fid_type == P9_FID_FILE) { -- int32_t cnt; -+ QEMUIOVector qiov_full; -+ QEMUIOVector qiov; - int32_t len; -- struct iovec *sg; -- struct iovec iov[128]; /* FIXME: bad, bad, bad */ - -- sg = iov; -- pdu_marshal(pdu, offset + 4, "v", sg, &cnt); -- sg = cap_sg(sg, max_count, &cnt); -+ v9fs_init_qiov_from_pdu(&qiov_full, pdu, offset + 4, max_count, false); -+ qemu_iovec_init(&qiov, qiov_full.niov); - do { -+ qemu_iovec_reset(&qiov); -+ qemu_iovec_copy(&qiov, &qiov_full, count, qiov_full.size - count); - if (0) { -- print_sg(sg, cnt); -+ print_sg(qiov.iov, qiov.niov); - } - /* Loop in case of EINTR */ - do { -- len = v9fs_co_preadv(pdu, fidp, sg, cnt, off); -+ len = v9fs_co_preadv(pdu, fidp, qiov.iov, qiov.niov, off); - if (len >= 0) { - off += len; - count += len; -@@ -1920,11 +1870,12 @@ static void v9fs_read(void *opaque) - err = len; - goto out; - } -- sg = adjust_sg(sg, len, &cnt); - } while (count < max_count && len > 0); - err = offset; - err += pdu_marshal(pdu, offset, "d", count); - err += count; -+ qemu_iovec_destroy(&qiov); -+ qemu_iovec_destroy(&qiov_full); - } else if (fidp->fid_type == P9_FID_XATTR) { - err = v9fs_xattr_read(s, pdu, fidp, off, max_count); - } else { -@@ -2095,7 +2046,6 @@ out: - - static void v9fs_write(void *opaque) - { -- int cnt; - ssize_t err; - int32_t fid; - int64_t 
off; -@@ -2104,13 +2054,14 @@ static void v9fs_write(void *opaque) - int32_t total = 0; - size_t offset = 7; - V9fsFidState *fidp; -- struct iovec iov[128]; /* FIXME: bad, bad, bad */ -- struct iovec *sg = iov; - V9fsPDU *pdu = opaque; - V9fsState *s = pdu->s; -+ QEMUIOVector qiov_full; -+ QEMUIOVector qiov; - -- pdu_unmarshal(pdu, offset, "dqdv", &fid, &off, &count, sg, &cnt); -- trace_v9fs_write(pdu->tag, pdu->id, fid, off, count, cnt); -+ offset += pdu_unmarshal(pdu, offset, "dqd", &fid, &off, &count); -+ v9fs_init_qiov_from_pdu(&qiov_full, pdu, offset, count, true); -+ trace_v9fs_write(pdu->tag, pdu->id, fid, off, count, qiov_full.niov); - - fidp = get_fid(pdu, fid); - if (fidp == NULL) { -@@ -2126,20 +2077,23 @@ static void v9fs_write(void *opaque) - /* - * setxattr operation - */ -- err = v9fs_xattr_write(s, pdu, fidp, off, count, sg, cnt); -+ err = v9fs_xattr_write(s, pdu, fidp, off, count, -+ qiov_full.iov, qiov_full.niov); - goto out; - } else { - err = -EINVAL; - goto out; - } -- sg = cap_sg(sg, count, &cnt); -+ qemu_iovec_init(&qiov, qiov_full.niov); - do { -+ qemu_iovec_reset(&qiov); -+ qemu_iovec_copy(&qiov, &qiov_full, total, qiov_full.size - total); - if (0) { -- print_sg(sg, cnt); -+ print_sg(qiov.iov, qiov.niov); - } - /* Loop in case of EINTR */ - do { -- len = v9fs_co_pwritev(pdu, fidp, sg, cnt, off); -+ len = v9fs_co_pwritev(pdu, fidp, qiov.iov, qiov.niov, off); - if (len >= 0) { - off += len; - total += len; -@@ -2148,16 +2102,20 @@ static void v9fs_write(void *opaque) - if (len < 0) { - /* IO error return the error */ - err = len; -- goto out; -+ goto out_qiov; - } -- sg = adjust_sg(sg, len, &cnt); - } while (total < count && len > 0); -+ -+ offset = 7; - offset += pdu_marshal(pdu, offset, "d", total); - err = offset; - trace_v9fs_write_return(pdu->tag, pdu->id, total, err); -+out_qiov: -+ qemu_iovec_destroy(&qiov); - out: - put_fid(pdu, fidp); - out_nofid: -+ qemu_iovec_destroy(&qiov_full); - complete_pdu(s, pdu, err); - } - --- -1.7.7.5 - 
diff --git a/0009-hw-9pfs-Use-the-correct-signed-type-for-different-va.patch b/0009-hw-9pfs-Use-the-correct-signed-type-for-different-va.patch
deleted file mode 100644
index c0b02f2..0000000
--- a/0009-hw-9pfs-Use-the-correct-signed-type-for-different-va.patch
+++ /dev/null
@@ -1,133 +0,0 @@ -From 3d3ec7b809b91f2a71fb78fc6b5b079963383243 Mon Sep 17 00:00:00 2001 -From: "Aneesh Kumar K.V" -Date: Wed, 21 Dec 2011 12:37:23 +0530 -Subject: [PATCH 09/25] hw/9pfs: Use the correct signed type for different - variables - -Signed-off-by: Aneesh Kumar K.V ---- - fsdev/file-op-9p.h | 2 +- - hw/9pfs/virtio-9p.c | 21 +++++++++++---------- - hw/9pfs/virtio-9p.h | 2 +- - trace-events | 8 ++++---- - 4 files changed, 17 insertions(+), 16 deletions(-) - -diff --git a/fsdev/file-op-9p.h b/fsdev/file-op-9p.h -index a85ecd3..c823fe0 100644 ---- a/fsdev/file-op-9p.h -+++ b/fsdev/file-op-9p.h -@@ -74,7 +74,7 @@ typedef struct FsContext - } FsContext; - - typedef struct V9fsPath { -- int16_t size; -+ uint16_t size; - char *data; - } V9fsPath; - -diff --git a/hw/9pfs/virtio-9p.c b/hw/9pfs/virtio-9p.c -index c018916..b3fc3d0 100644 ---- a/hw/9pfs/virtio-9p.c -+++ b/hw/9pfs/virtio-9p.c -@@ -1694,8 +1694,8 @@ out_nofid: - complete_pdu(s, pdu, err); - } - --static int v9fs_xattr_read(V9fsState *s, V9fsPDU *pdu, -- V9fsFidState *fidp, int64_t off, int32_t max_count) -+static int v9fs_xattr_read(V9fsState *s, V9fsPDU *pdu, V9fsFidState *fidp, -+ uint64_t off, uint32_t max_count) - { - size_t offset = 7; - int read_count; -@@ -1719,7 +1719,7 @@ static int v9fs_xattr_read(V9fsState *s, V9fsPDU *pdu, - } - - static int v9fs_do_readdir_with_stat(V9fsPDU *pdu, -- V9fsFidState *fidp, int32_t max_count) -+ V9fsFidState *fidp, uint32_t max_count) - { - V9fsPath path; - V9fsStat v9stat; -@@ -1814,11 +1814,11 @@ static void v9fs_init_qiov_from_pdu(QEMUIOVector *qiov, V9fsPDU *pdu, - static void v9fs_read(void *opaque) - { - int32_t fid; -- int64_t off; -+ uint64_t off; - ssize_t err = 0; - int32_t count = 0; - size_t offset = 7; -- int32_t max_count; -+ uint32_t max_count; - V9fsFidState *fidp; - V9fsPDU *pdu = opaque; - V9fsState *s = pdu->s; -@@ -1962,8 +1962,9 @@ static void v9fs_readdir(void *opaque) - V9fsFidState *fidp; - ssize_t retval = 0; - size_t offset = 7; -- 
int64_t initial_offset; -- int32_t count, max_count; -+ uint64_t initial_offset; -+ int32_t count; -+ uint32_t max_count; - V9fsPDU *pdu = opaque; - V9fsState *s = pdu->s; - -@@ -2001,7 +2002,7 @@ out_nofid: - } - - static int v9fs_xattr_write(V9fsState *s, V9fsPDU *pdu, V9fsFidState *fidp, -- int64_t off, int32_t count, -+ uint64_t off, uint32_t count, - struct iovec *sg, int cnt) - { - int i, to_copy; -@@ -2048,8 +2049,8 @@ static void v9fs_write(void *opaque) - { - ssize_t err; - int32_t fid; -- int64_t off; -- int32_t count; -+ uint64_t off; -+ uint32_t count; - int32_t len = 0; - int32_t total = 0; - size_t offset = 7; -diff --git a/hw/9pfs/virtio-9p.h b/hw/9pfs/virtio-9p.h -index 8b612da..19a797b 100644 ---- a/hw/9pfs/virtio-9p.h -+++ b/hw/9pfs/virtio-9p.h -@@ -156,7 +156,7 @@ typedef struct V9fsFidState V9fsFidState; - - typedef struct V9fsString - { -- int16_t size; -+ uint16_t size; - char *data; - } V9fsString; - -diff --git a/trace-events b/trace-events -index 962caca..e417897 100644 ---- a/trace-events -+++ b/trace-events -@@ -579,11 +579,11 @@ v9fs_lcreate(uint16_t tag, uint8_t id, int32_t dfid, int32_t flags, int32_t mode - v9fs_lcreate_return(uint16_t tag, uint8_t id, int8_t type, int32_t version, int64_t path, int32_t iounit) "tag %d id %d qid={type %d version %d path %"PRId64"} iounit %d" - v9fs_fsync(uint16_t tag, uint8_t id, int32_t fid, int datasync) "tag %d id %d fid %d datasync %d" - v9fs_clunk(uint16_t tag, uint8_t id, int32_t fid) "tag %d id %d fid %d" --v9fs_read(uint16_t tag, uint8_t id, int32_t fid, int64_t off, int32_t max_count) "tag %d id %d fid %d off %"PRId64" max_count %d" -+v9fs_read(uint16_t tag, uint8_t id, int32_t fid, uint64_t off, uint32_t max_count) "tag %d id %d fid %d off %"PRIu64" max_count %u" - v9fs_read_return(uint16_t tag, uint8_t id, int32_t count, ssize_t err) "tag %d id %d count %d err %zd" --v9fs_readdir(uint16_t tag, uint8_t id, int32_t fid, int64_t offset, int32_t max_count) "tag %d id %d fid %d offset %"PRId64" 
max_count %d" --v9fs_readdir_return(uint16_t tag, uint8_t id, int32_t count, ssize_t retval) "tag %d id %d count %d retval %zd" --v9fs_write(uint16_t tag, uint8_t id, int32_t fid, int64_t off, int32_t count, int cnt) "tag %d id %d fid %d off %"PRId64" count %d cnt %d" -+v9fs_readdir(uint16_t tag, uint8_t id, int32_t fid, uint64_t offset, uint32_t max_count) "tag %d id %d fid %d offset %"PRIu64" max_count %u" -+v9fs_readdir_return(uint16_t tag, uint8_t id, uint32_t count, ssize_t retval) "tag %d id %d count %u retval %zd" -+v9fs_write(uint16_t tag, uint8_t id, int32_t fid, uint64_t off, uint32_t count, int cnt) "tag %d id %d fid %d off %"PRIu64" count %u cnt %d" - v9fs_write_return(uint16_t tag, uint8_t id, int32_t total, ssize_t err) "tag %d id %d total %d err %zd" - v9fs_create(uint16_t tag, uint8_t id, int32_t fid, char* name, int32_t perm, int8_t mode) "tag %d id %d fid %d name %s perm %d mode %d" - v9fs_create_return(uint16_t tag, uint8_t id, int8_t type, int32_t version, int64_t path, int iounit) "tag %d id %d qid={type %d version %d path %"PRId64"} iounit %d" --- -1.7.7.5 - diff --git a/0010-target-i386-fix-cmpxchg-instruction-emulation.patch b/0010-target-i386-fix-cmpxchg-instruction-emulation.patch deleted file mode 100644 index a7276e2..0000000 --- a/0010-target-i386-fix-cmpxchg-instruction-emulation.patch +++ /dev/null 
@@ -1,54 +0,0 @@
-From abf80f880410ebbdd01a289c41c87153802fe900 Mon Sep 17 00:00:00 2001
-From: Andreas Gustafsson
-Date: Mon, 12 Dec 2011 00:46:32 +0400
-Subject: [PATCH 10/25] target-i386: fix cmpxchg instruction emulation
-
-When the i386 cmpxchg instruction is executed with a memory operand
-and the comparison result is "unequal", do the memory write before
-changing the accumulator instead of the other way around, because
-otherwise the new accumulator value will incorrectly be used in the
-comparison when the instruction is restarted after a page fault.
-
-This bug was originally reported on 2010-04-25 as
-https://bugs.launchpad.net/qemu/+bug/569760
-
-Signed-off-by: Andreas Gustafsson
----
- target-i386/translate.c | 11 +++++++----
- 1 files changed, 7 insertions(+), 4 deletions(-)
-
-diff --git a/target-i386/translate.c b/target-i386/translate.c
-index 1ef8d16..8321bf3 100644
---- a/target-i386/translate.c
-+++ b/target-i386/translate.c
-@@ -4870,20 +4870,23 @@ static target_ulong disas_insn(DisasContext *s, target_ulong pc_start)
- tcg_gen_sub_tl(t2, cpu_regs[R_EAX], t0);
- gen_extu(ot, t2);
- tcg_gen_brcondi_tl(TCG_COND_EQ, t2, 0, label1);
-+ label2 = gen_new_label();
- if (mod == 3) {
-- label2 = gen_new_label();
- gen_op_mov_reg_v(ot, R_EAX, t0);
- tcg_gen_br(label2);
- gen_set_label(label1);
- gen_op_mov_reg_v(ot, rm, t1);
-- gen_set_label(label2);
- } else {
-- tcg_gen_mov_tl(t1, t0);
-+ /* perform no-op store cycle like physical cpu; must be
-+ before changing accumulator to ensure idempotency if
-+ the store faults and the instruction is restarted */
-+ gen_op_st_v(ot + s->mem_index, t0, a0);
- gen_op_mov_reg_v(ot, R_EAX, t0);
-+ tcg_gen_br(label2);
- gen_set_label(label1);
-- /* always store */
- gen_op_st_v(ot + s->mem_index, t1, a0);
- }
-+ gen_set_label(label2);
- tcg_gen_mov_tl(cpu_cc_src, t0);
- tcg_gen_mov_tl(cpu_cc_dst, t2);
- s->cc_op = CC_OP_SUBB + ot;
----
-1.7.7.5
-
diff --git a/0011-configure-Enable-build-by-default-PIE-read-only-relo.patch b/0011-configure-Enable-build-by-default-PIE-read-only-relo.patch
deleted file mode 100644
index bd592c7..0000000
--- a/0011-configure-Enable-build-by-default-PIE-read-only-relo.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 6d450bfbc862d0dab0e8da10ae15698612800726 Mon Sep 17 00:00:00 2001
-From: Brad
-Date: Mon, 28 Nov 2011 19:53:49 -0500
-Subject: [PATCH 11/25] configure: Enable build by default PIE / read-only
- relocation sections on OpenBSD amd64/i386.
-
-Enable build by default PIE / read-only relocation sections for the QEMU
-binaries on OpenBSD amd64/i386.
-
-Signed-off-by: Brad Smith
-Signed-off-by: Blue Swirl
----
- configure | 2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
-
-diff --git a/configure b/configure
-index ac4840d..b113f60 100755
---- a/configure
-+++ b/configure
-@@ -1116,7 +1116,7 @@ fi
- 
- if test "$pie" = ""; then
- case "$cpu-$targetos" in
-- i386-Linux|x86_64-Linux)
-+ i386-Linux|x86_64-Linux|i386-OpenBSD|x86_64-OpenBSD)
- ;;
- *)
- pie="no"
----
-1.7.7.5
-
diff --git a/0012-cris-Handle-conditional-stores-on-CRISv10.patch b/0012-cris-Handle-conditional-stores-on-CRISv10.patch
deleted file mode 100644
index c824a09..0000000
--- a/0012-cris-Handle-conditional-stores-on-CRISv10.patch
+++ /dev/null
@@ -1,155 +0,0 @@ -From 3e8088148bb56b84a739c2ef3c63d89188a1ad8f Mon Sep 17 00:00:00 2001 -From: Stefan Sandstrom -Date: Mon, 12 Dec 2011 11:38:31 +0100 -Subject: [PATCH 12/25] cris: Handle conditional stores on CRISv10 - -Signed-off-by: Stefan Sandstrom -Signed-off-by: Edgar E. Iglesias ---- - target-cris/cpu.h | 2 + - target-cris/helper.c | 1 + - target-cris/translate_v10.c | 72 +++++++++++++++++++++++++++++++++++++++--- - 3 files changed, 69 insertions(+), 6 deletions(-) - -diff --git a/target-cris/cpu.h b/target-cris/cpu.h -index 8ae0ce3..453afbb 100644 ---- a/target-cris/cpu.h -+++ b/target-cris/cpu.h -@@ -67,6 +67,8 @@ - #define Q_FLAG 0x80000000 - #define M_FLAG 0x40000000 - #define PFIX_FLAG 0x800 /* CRISv10 Only. */ -+#define F_FLAG_V10 0x400 -+#define P_FLAG_V10 0x200 - #define S_FLAG 0x200 - #define R_FLAG 0x100 - #define P_FLAG 0x80 -diff --git a/target-cris/helper.c b/target-cris/helper.c -index 75f0035..5bc6d81 100644 ---- a/target-cris/helper.c -+++ b/target-cris/helper.c -@@ -157,6 +157,7 @@ static void do_interruptv10(CPUState *env) - /* Now that we are in kernel mode, load the handlers address. */ - env->pc = ldl_code(env->pregs[PR_EBP] + ex_vec * 4); - env->locked_irq = 1; -+ env->pregs[PR_CCS] |= F_FLAG_V10; /* set F. 
*/ - - qemu_log_mask(CPU_LOG_INT, "%s isr=%x vec=%x ccs=%x pid=%d erp=%x\n", - __func__, env->pc, ex_vec, -diff --git a/target-cris/translate_v10.c b/target-cris/translate_v10.c -index 637ac20..95053b6 100644 ---- a/target-cris/translate_v10.c -+++ b/target-cris/translate_v10.c -@@ -62,6 +62,65 @@ static inline void cris_illegal_insn(DisasContext *dc) - t_gen_raise_exception(EXCP_BREAK); - } - -+static void gen_store_v10_conditional(DisasContext *dc, TCGv addr, TCGv val, -+ unsigned int size, int mem_index) -+{ -+ int l1 = gen_new_label(); -+ TCGv taddr = tcg_temp_local_new(); -+ TCGv tval = tcg_temp_local_new(); -+ TCGv t1 = tcg_temp_local_new(); -+ dc->postinc = 0; -+ cris_evaluate_flags(dc); -+ -+ tcg_gen_mov_tl(taddr, addr); -+ tcg_gen_mov_tl(tval, val); -+ -+ /* Store only if F flag isn't set */ -+ tcg_gen_andi_tl(t1, cpu_PR[PR_CCS], F_FLAG_V10); -+ tcg_gen_brcondi_tl(TCG_COND_NE, t1, 0, l1); -+ if (size == 1) { -+ tcg_gen_qemu_st8(tval, taddr, mem_index); -+ } else if (size == 2) { -+ tcg_gen_qemu_st16(tval, taddr, mem_index); -+ } else { -+ tcg_gen_qemu_st32(tval, taddr, mem_index); -+ } -+ gen_set_label(l1); -+ tcg_gen_shri_tl(t1, t1, 1); /* shift F to P position */ -+ tcg_gen_or_tl(cpu_PR[PR_CCS], cpu_PR[PR_CCS], t1); /*P=F*/ -+ tcg_temp_free(t1); -+ tcg_temp_free(tval); -+ tcg_temp_free(taddr); -+} -+ -+static void gen_store_v10(DisasContext *dc, TCGv addr, TCGv val, -+ unsigned int size) -+{ -+ int mem_index = cpu_mmu_index(dc->env); -+ -+ /* If we get a fault on a delayslot we must keep the jmp state in -+ the cpu-state to be able to re-execute the jmp. */ -+ if (dc->delayed_branch == 1) { -+ cris_store_direct_jmp(dc); -+ } -+ -+ /* Conditional writes. We only support the kind were X is known -+ at translation time. 
*/ -+ if (dc->flagx_known && dc->flags_x) { -+ gen_store_v10_conditional(dc, addr, val, size, mem_index); -+ return; -+ } -+ -+ if (size == 1) { -+ tcg_gen_qemu_st8(val, addr, mem_index); -+ } else if (size == 2) { -+ tcg_gen_qemu_st16(val, addr, mem_index); -+ } else { -+ tcg_gen_qemu_st32(val, addr, mem_index); -+ } -+} -+ -+ - /* Prefix flag and register are used to handle the more complex - addressing modes. */ - static void cris_set_prefix(DisasContext *dc) -@@ -313,7 +372,8 @@ static unsigned int dec10_setclrf(DisasContext *dc) - if (set) { - tcg_gen_ori_tl(cpu_PR[PR_CCS], cpu_PR[PR_CCS], flags); - } else { -- tcg_gen_andi_tl(cpu_PR[PR_CCS], cpu_PR[PR_CCS], ~flags); -+ tcg_gen_andi_tl(cpu_PR[PR_CCS], cpu_PR[PR_CCS], -+ ~(flags|F_FLAG_V10|P_FLAG_V10)); - } - - dc->flags_uptodate = 1; -@@ -723,7 +783,7 @@ static unsigned int dec10_ind_move_r_m(DisasContext *dc, unsigned int size) - LOG_DIS("move.%d $r%d, [$r%d]\n", dc->size, dc->src, dc->dst); - addr = tcg_temp_new(); - crisv10_prepare_memaddr(dc, addr, size); -- gen_store(dc, addr, cpu_R[dc->dst], size); -+ gen_store_v10(dc, addr, cpu_R[dc->dst], size); - insn_len += crisv10_post_memaddr(dc, size); - - return insn_len; -@@ -767,10 +827,10 @@ static unsigned int dec10_ind_move_pr_m(DisasContext *dc) - t0 = tcg_temp_new(); - cris_evaluate_flags(dc); - tcg_gen_andi_tl(t0, cpu_PR[PR_CCS], ~PFIX_FLAG); -- gen_store(dc, addr, t0, size); -+ gen_store_v10(dc, addr, t0, size); - tcg_temp_free(t0); - } else { -- gen_store(dc, addr, cpu_PR[dc->dst], size); -+ gen_store_v10(dc, addr, cpu_PR[dc->dst], size); - } - t0 = tcg_temp_new(); - insn_len += crisv10_post_memaddr(dc, size); -@@ -793,9 +853,9 @@ static void dec10_movem_r_m(DisasContext *dc) - tcg_gen_mov_tl(t0, addr); - for (i = dc->dst; i >= 0; i--) { - if ((pfix && dc->mode == CRISV10_MODE_AUTOINC) && dc->src == i) { -- gen_store(dc, addr, t0, 4); -+ gen_store_v10(dc, addr, t0, 4); - } else { -- gen_store(dc, addr, cpu_R[i], 4); -+ gen_store_v10(dc, addr, cpu_R[i], 
4); - } - tcg_gen_addi_tl(addr, addr, 4); - } --- -1.7.7.5 - diff --git a/0013-pc-add-pc-0.15.patch b/0013-pc-add-pc-0.15.patch deleted file mode 100644 index f85b065..0000000 --- a/0013-pc-add-pc-0.15.patch +++ /dev/null @@ -1,40 +0,0 @@ -From a25808dc5baee83f36e0cdab998eb6c0024156fa Mon Sep 17 00:00:00 2001 -From: Anthony Liguori -Date: Sun, 18 Dec 2011 12:59:12 -0600 -Subject: [PATCH 13/25] pc: add pc-0.15 - -Signed-off-by: Anthony Liguori ---- - hw/pc_piix.c | 9 +++++++++ - 1 files changed, 9 insertions(+), 0 deletions(-) - -diff --git a/hw/pc_piix.c b/hw/pc_piix.c -index 970f43c..9093a28 100644 ---- a/hw/pc_piix.c -+++ b/hw/pc_piix.c -@@ -306,6 +306,14 @@ static QEMUMachine pc_machine_v1_0 = { - .is_default = 1, - }; - -+static QEMUMachine pc_machine_v0_15 = { -+ .name = "pc-0.15", -+ .desc = "Standard PC", -+ .init = pc_init_pci, -+ .max_cpus = 255, -+ .is_default = 1, -+}; -+ - static QEMUMachine pc_machine_v0_14 = { - .name = "pc-0.14", - .desc = "Standard PC", -@@ -557,6 +565,7 @@ static QEMUMachine xenfv_machine = { - static void pc_machine_init(void) - { - qemu_register_machine(&pc_machine_v1_0); -+ qemu_register_machine(&pc_machine_v0_15); - qemu_register_machine(&pc_machine_v0_14); - qemu_register_machine(&pc_machine_v0_13); - qemu_register_machine(&pc_machine_v0_12); --- -1.7.7.5 - diff --git a/0014-pc-fix-event_idx-compatibility-for-virtio-devices.patch b/0014-pc-fix-event_idx-compatibility-for-virtio-devices.patch deleted file mode 100644 index 121ec6c..0000000 --- a/0014-pc-fix-event_idx-compatibility-for-virtio-devices.patch +++ /dev/null 
@@ -1,87 +0,0 @@
-From 7e2191ae9898cc957a3d1991aff0e40f2e0f44a4 Mon Sep 17 00:00:00 2001
-From: Anthony Liguori
-Date: Sun, 18 Dec 2011 13:07:03 -0600
-Subject: [PATCH 14/25] pc: fix event_idx compatibility for virtio devices
-
-event_idx was introduced in 0.15 and must be disabled for all virtio-pci devices
-(including virtio-balloon-pci).
-
-Signed-off-by: Anthony Liguori
----
- hw/pc_piix.c | 32 ++++++++++++++++++++++++++++++++
- 1 files changed, 32 insertions(+), 0 deletions(-)
-
-diff --git a/hw/pc_piix.c b/hw/pc_piix.c
-index 9093a28..05000e3 100644
---- a/hw/pc_piix.c
-+++ b/hw/pc_piix.c
-@@ -328,6 +328,22 @@ static QEMUMachine pc_machine_v0_14 = {
- .driver = "qxl-vga",
- .property = "revision",
- .value = stringify(2),
-+ },{
-+ .driver = "virtio-blk-pci",
-+ .property = "event_idx",
-+ .value = "off",
-+ },{
-+ .driver = "virtio-serial-pci",
-+ .property = "event_idx",
-+ .value = "off",
-+ },{
-+ .driver = "virtio-net-pci",
-+ .property = "event_idx",
-+ .value = "off",
-+ },{
-+ .driver = "virtio-balloon-pci",
-+ .property = "event_idx",
-+ .value = "off",
- },
- { /* end of list */ }
- },
-@@ -368,6 +384,10 @@ static QEMUMachine pc_machine_v0_13 = {
- .property = "event_idx",
- .value = "off",
- },{
-+ .driver = "virtio-balloon-pci",
-+ .property = "event_idx",
-+ .value = "off",
-+ },{
- .driver = "AC97",
- .property = "use_broken_id",
- .value = stringify(1),
-@@ -415,6 +435,10 @@ static QEMUMachine pc_machine_v0_12 = {
- .property = "event_idx",
- .value = "off",
- },{
-+ .driver = "virtio-balloon-pci",
-+ .property = "event_idx",
-+ .value = "off",
-+ },{
- .driver = "AC97",
- .property = "use_broken_id",
- .value = stringify(1),
-@@ -470,6 +494,10 @@ static QEMUMachine pc_machine_v0_11 = {
- .property = "event_idx",
- .value = "off",
- },{
-+ .driver = "virtio-balloon-pci",
-+ .property = "event_idx",
-+ .value = "off",
-+ },{
- .driver = "AC97",
- .property = "use_broken_id",
- .value = stringify(1),
-@@ -537,6 +565,10 @@ static QEMUMachine pc_machine_v0_10 = {
- .property = "event_idx",
- .value = "off",
- },{
-+ .driver = "virtio-balloon-pci",
-+ .property = "event_idx",
-+ .value = "off",
-+ },{
- .driver = "AC97",
- .property = "use_broken_id",
- .value = stringify(1),
----
-1.7.7.5
-
diff --git a/0015-Fix-parse-of-usb-device-description-with-multiple-co.patch b/0015-Fix-parse-of-usb-device-description-with-multiple-co.patch
deleted file mode 100644
index efc5119..0000000
--- a/0015-Fix-parse-of-usb-device-description-with-multiple-co.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From 9b81fbdbb0cc930aacec343c6ab37adfd60c9e76 Mon Sep 17 00:00:00 2001
-From: "Cao,Bing Bu"
-Date: Tue, 13 Dec 2011 09:22:20 +0800
-Subject: [PATCH 15/25] Fix parse of usb device description with multiple
- configurations
-
-Changed From V1:
-Use DPRINTF instead of fprintf,because it is not an error.
-
-When testing ipod on QEMU by He Jie Xu,qemu made a assertion.
-We found that the ipod with 2 configurations,and the usb-linux did not parse the descriptor correctly.
-The descr_len returned is the total length of the all configurations,not one configuration.
-The older version will through the other configurations instead of skip,continue parsing the descriptor of interfaces/endpoints in other configurations,then went wrong.
-
-This patch will put the configuration descriptor parse in loop outside and dispel the other configurations not requested.
-
-Signed-off-by: Cao,Bing Bu
-Signed-off-by: Gerd Hoffmann
----
- usb-linux.c | 19 +++++++++++--------
- 1 files changed, 11 insertions(+), 8 deletions(-)
-
-diff --git a/usb-linux.c b/usb-linux.c
-index ab4c693..ed14bb1 100644
---- a/usb-linux.c
-+++ b/usb-linux.c
-@@ -1141,15 +1141,18 @@ static int usb_linux_update_endp_table(USBHostDevice *s)
- length = s->descr_len - 18;
- i = 0;
- 
-- if (descriptors[i + 1] != USB_DT_CONFIG ||
-- descriptors[i + 5] != s->configuration) {
-- fprintf(stderr, "invalid descriptor data - configuration %d\n",
-- s->configuration);
-- return 1;
-- }
-- i += descriptors[i];
--
- while (i < length) {
-+ if (descriptors[i + 1] != USB_DT_CONFIG) {
-+ fprintf(stderr, "invalid descriptor data\n");
-+ return 1;
-+ } else if (descriptors[i + 5] != s->configuration) {
-+ DPRINTF("not requested configuration %d\n", s->configuration);
-+ i += (descriptors[i + 3] << 8) + descriptors[i + 2];
-+ continue;
-+ }
-+
-+ i += descriptors[i];
-+
- if (descriptors[i + 1] != USB_DT_INTERFACE ||
- (descriptors[i + 1] == USB_DT_INTERFACE &&
- descriptors[i + 4] == 0)) {
----
-1.7.7.5
-
diff --git a/0016-usb-storage-cancel-I-O-on-reset.patch b/0016-usb-storage-cancel-I-O-on-reset.patch
deleted file mode 100644
index 5fdd63d..0000000
--- a/0016-usb-storage-cancel-I-O-on-reset.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From f63d074313c5df917535587b50802ece7beb6e45 Mon Sep 17 00:00:00 2001
-From: Gerd Hoffmann
-Date: Wed, 4 Jan 2012 18:13:54 +0100
-Subject: [PATCH 16/25] usb-storage: cancel I/O on reset
-
-When resetting the usb-storage device we'll have to carefully cancel
-and clear any requests which might be in flight, otherwise we'll confuse
-the state machine.
-
-Signed-off-by: Gerd Hoffmann
----
- hw/usb-msd.c | 12 ++++++++++++
- 1 files changed, 12 insertions(+), 0 deletions(-)
-
-diff --git a/hw/usb-msd.c b/hw/usb-msd.c
-index 4c06950..3147131 100644
---- a/hw/usb-msd.c
-+++ b/hw/usb-msd.c
-@@ -278,6 +278,18 @@ static void usb_msd_handle_reset(USBDevice *dev)
- MSDState *s = (MSDState *)dev;
- 
- DPRINTF("Reset\n");
-+ if (s->req) {
-+ scsi_req_cancel(s->req);
-+ }
-+ assert(s->req == NULL);
-+
-+ if (s->packet) {
-+ USBPacket *p = s->packet;
-+ s->packet = NULL;
-+ p->result = USB_RET_STALL;
-+ usb_packet_complete(dev, p);
-+ }
-+
- s->mode = USB_MSDM_CBW;
- }
- 
----
-1.7.7.5
-
diff --git a/0017-usb-host-properly-release-port-on-unplug-exit.patch b/0017-usb-host-properly-release-port-on-unplug-exit.patch
deleted file mode 100644
index 5804510..0000000
--- a/0017-usb-host-properly-release-port-on-unplug-exit.patch
+++ /dev/null
@@ -1,111 +0,0 @@ -From c936f649d4a6b87cabe809170874f6b560cc0524 Mon Sep 17 00:00:00 2001 -From: Gerd Hoffmann -Date: Thu, 5 Jan 2012 15:49:18 +0100 -Subject: [PATCH 17/25] usb-host: properly release port on unplug & exit - -Factor out port release into a separate function. Call release function -in exit notifier too. Add explicit call the USBDEVFS_RELEASE_PORT -ioctl, just closing the hub file handle seems not to be enougth. Make -sure we release the port before resetting the device, otherwise host -drivers will not re-attach. - -Signed-off-by: Gerd Hoffmann ---- - usb-linux.c | 28 ++++++++++++++++++++-------- - 1 files changed, 20 insertions(+), 8 deletions(-) - -diff --git a/usb-linux.c b/usb-linux.c -index ed14bb1..749ce71 100644 ---- a/usb-linux.c -+++ b/usb-linux.c -@@ -116,6 +116,7 @@ typedef struct USBHostDevice { - USBDevice dev; - int fd; - int hub_fd; -+ int hub_port; - - uint8_t descr[8192]; - int descr_len; -@@ -434,7 +435,7 @@ static int usb_host_claim_port(USBHostDevice *s) - { - #ifdef USBDEVFS_CLAIM_PORT - char *h, hub_name[64], line[1024]; -- int hub_addr, portnr, ret; -+ int hub_addr, ret; - - snprintf(hub_name, sizeof(hub_name), "%d-%s", - s->match.bus_num, s->match.port); -@@ -442,13 +443,13 @@ static int usb_host_claim_port(USBHostDevice *s) - /* try strip off last ".$portnr" to get hub */ - h = strrchr(hub_name, '.'); - if (h != NULL) { -- portnr = atoi(h+1); -+ s->hub_port = atoi(h+1); - *h = '\0'; - } else { - /* no dot in there -> it is the root hub */ - snprintf(hub_name, sizeof(hub_name), "usb%d", - s->match.bus_num); -- portnr = atoi(s->match.port); -+ s->hub_port = atoi(s->match.port); - } - - if (!usb_host_read_file(line, sizeof(line), "devnum", -@@ -469,20 +470,32 @@ static int usb_host_claim_port(USBHostDevice *s) - return -1; - } - -- ret = ioctl(s->hub_fd, USBDEVFS_CLAIM_PORT, &portnr); -+ ret = ioctl(s->hub_fd, USBDEVFS_CLAIM_PORT, &s->hub_port); - if (ret < 0) { - close(s->hub_fd); - s->hub_fd = -1; - return -1; - } - -- 
trace_usb_host_claim_port(s->match.bus_num, hub_addr, portnr); -+ trace_usb_host_claim_port(s->match.bus_num, hub_addr, s->hub_port); - return 0; - #else - return -1; - #endif - } - -+static void usb_host_release_port(USBHostDevice *s) -+{ -+ if (s->hub_fd == -1) { -+ return; -+ } -+#ifdef USBDEVFS_RELEASE_PORT -+ ioctl(s->hub_fd, USBDEVFS_RELEASE_PORT, &s->hub_port); -+#endif -+ close(s->hub_fd); -+ s->hub_fd = -1; -+} -+ - static int usb_host_disconnect_ifaces(USBHostDevice *dev, int nb_interfaces) - { - /* earlier Linux 2.4 do not support that */ -@@ -635,10 +648,8 @@ static void usb_host_handle_destroy(USBDevice *dev) - { - USBHostDevice *s = (USBHostDevice *)dev; - -+ usb_host_release_port(s); - usb_host_close(s); -- if (s->hub_fd != -1) { -- close(s->hub_fd); -- } - QTAILQ_REMOVE(&hostdevs, s, next); - qemu_remove_exit_notifier(&s->exit); - } -@@ -1402,6 +1413,7 @@ static void usb_host_exit_notifier(struct Notifier *n, void *data) - { - USBHostDevice *s = container_of(n, USBHostDevice, exit); - -+ usb_host_release_port(s); - if (s->fd != -1) { - usb_host_do_reset(s);; - } --- -1.7.7.5 - diff --git a/0018-usb-ohci-td.cbp-incorrectly-updated-near-page-end.patch b/0018-usb-ohci-td.cbp-incorrectly-updated-near-page-end.patch deleted file mode 100644 index bba083e..0000000 --- a/0018-usb-ohci-td.cbp-incorrectly-updated-near-page-end.patch +++ /dev/null 
@@ -1,40 +0,0 @@ -From 23201c64a789cf948fedcea221a4b6e197fcd628 Mon Sep 17 00:00:00 2001 -From: Andriy Gapon -Date: Thu, 22 Dec 2011 11:34:30 +0200 -Subject: [PATCH 18/25] usb-ohci: td.cbp incorrectly updated near page end - -The current code that updates the cbp value after a transfer looks like this: -td.cbp += ret; -if ((td.cbp & 0xfff) + ret > 0xfff) { - -because the 'ret' value is effectively added twice the check may fire too early -when the overflow hasn't happened yet. - -Below is one of the possible changes that correct the behavior: - -Signed-off-by: Gerd Hoffmann ---- - hw/usb-ohci.c | 6 +++--- - 1 files changed, 3 insertions(+), 3 deletions(-) - -diff --git a/hw/usb-ohci.c b/hw/usb-ohci.c -index c2981c5..c27014a 100644 ---- a/hw/usb-ohci.c -+++ b/hw/usb-ohci.c -@@ -1025,10 +1025,10 @@ static int ohci_service_td(OHCIState *ohci, struct ohci_ed *ed) - if (ret == len) { - td.cbp = 0; - } else { -- td.cbp += ret; - if ((td.cbp & 0xfff) + ret > 0xfff) { -- td.cbp &= 0xfff; -- td.cbp |= td.be & ~0xfff; -+ td.cbp = (td.be & ~0xfff) + ((td.cbp + ret) & 0xfff); -+ } else { -+ td.cbp += ret; - } - } - td.flags |= OHCI_TD_T1; --- -1.7.7.5 - diff --git a/0019-target-sh4-ignore-ocbp-and-ocbwb-instructions.patch b/0019-target-sh4-ignore-ocbp-and-ocbwb-instructions.patch deleted file mode 100644 index d3a4197..0000000 --- a/0019-target-sh4-ignore-ocbp-and-ocbwb-instructions.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -From 37769d27270eff15d878a1c7df23407fc5f09b7f Mon Sep 17 00:00:00 2001 -From: Aurelien Jarno -Date: Sat, 7 Jan 2012 15:20:12 +0100 -Subject: [PATCH 19/25] target-sh4: ignore ocbp and ocbwb instructions - -ocbp and ocbwb controls the writeback of a cache line to memory. They -are supposed to do nothing in case of a cache miss. Given QEMU only -partially emulate caches, it is safe to ignore these instructions. - -This fixes a kernel oops when trying to access an rtl8139 NIC with -recent versions. - -Signed-off-by: Aurelien Jarno -(cherry picked from commit 0cdb95549fedc73e13c147ab9dcabcc303426a07) ---- - target-sh4/translate.c | 14 +++----------- - 1 files changed, 3 insertions(+), 11 deletions(-) - -diff --git a/target-sh4/translate.c b/target-sh4/translate.c -index bad3577..e04a6e0 100644 ---- a/target-sh4/translate.c -+++ b/target-sh4/translate.c -@@ -1652,18 +1652,10 @@ static void _decode_opc(DisasContext * ctx) - } - return; - case 0x00a3: /* ocbp @Rn */ -- { -- TCGv dummy = tcg_temp_new(); -- tcg_gen_qemu_ld32s(dummy, REG(B11_8), ctx->memidx); -- tcg_temp_free(dummy); -- } -- return; - case 0x00b3: /* ocbwb @Rn */ -- { -- TCGv dummy = tcg_temp_new(); -- tcg_gen_qemu_ld32s(dummy, REG(B11_8), ctx->memidx); -- tcg_temp_free(dummy); -- } -+ /* These instructions are supposed to do nothing in case of -+ a cache miss. Given that we only partially emulate caches -+ it is safe to simply ignore them. */ - return; - case 0x0083: /* pref @Rn */ - return; --- -1.7.7.5 - diff --git a/0020-PPC-Fix-linker-scripts-on-ppc-hosts.patch b/0020-PPC-Fix-linker-scripts-on-ppc-hosts.patch deleted file mode 100644 index f6ce35a..0000000 --- a/0020-PPC-Fix-linker-scripts-on-ppc-hosts.patch +++ /dev/null 
@@ -1,74 +0,0 @@ -From fbcf305e5adc310e6383d4ec5e844f3f8d072116 Mon Sep 17 00:00:00 2001 -From: Alexander Graf -Date: Mon, 12 Dec 2011 22:36:01 +0100 -Subject: [PATCH 20/25] PPC: Fix linker scripts on ppc hosts - -When compiling qemu statically with multilib on PPC, we hit the -same issue that commit 845f2c2812d9ed24b36c02a3d06ee83aeafe8b49 -is fixing. Do the same here. - -Signed-off-by: Alexander Graf -Signed-off-by: Aurelien Jarno -(cherry picked from commit 665a04ae1cbfa8004a38cf0fe99ba799c978a1fe) ---- - ppc.ld | 16 ++++++++++++++-- - ppc64.ld | 16 ++++++++++++++-- - 2 files changed, 28 insertions(+), 4 deletions(-) - -diff --git a/ppc.ld b/ppc.ld -index 69aa3f2..2a0dcad 100644 ---- a/ppc.ld -+++ b/ppc.ld -@@ -49,8 +49,20 @@ SECTIONS - .rela.sbss2 : { *(.rela.sbss2 .rela.sbss2.* .rela.gnu.linkonce.sb2.*) } - .rel.bss : { *(.rel.bss .rel.bss.* .rel.gnu.linkonce.b.*) } - .rela.bss : { *(.rela.bss .rela.bss.* .rela.gnu.linkonce.b.*) } -- .rel.plt : { *(.rel.plt) } -- .rela.plt : { *(.rela.plt) } -+ .rel.plt : -+ { -+ *(.rel.plt) -+ PROVIDE (__rel_iplt_start = .); -+ *(.rel.iplt) -+ PROVIDE (__rel_iplt_end = .); -+ } -+ .rela.plt : -+ { -+ *(.rela.plt) -+ PROVIDE (__rela_iplt_start = .); -+ *(.rela.iplt) -+ PROVIDE (__rela_iplt_end = .); -+ } - .init : - { - KEEP (*(.init)) -diff --git a/ppc64.ld b/ppc64.ld -index 0a7c0dd..e2dafa0 100644 ---- a/ppc64.ld -+++ b/ppc64.ld -@@ -54,8 +54,20 @@ SECTIONS - *(.rela.sbss2 .rela.sbss2.* .rela.gnu.linkonce.sb2.*) - *(.rela.bss .rela.bss.* .rela.gnu.linkonce.b.*) - } -- .rel.plt : { *(.rel.plt) } -- .rela.plt : { *(.rela.plt) } -+ .rel.plt : -+ { -+ *(.rel.plt) -+ PROVIDE (__rel_iplt_start = .); -+ *(.rel.iplt) -+ PROVIDE (__rel_iplt_end = .); -+ } -+ .rela.plt : -+ { -+ *(.rela.plt) -+ PROVIDE (__rela_iplt_start = .); -+ *(.rela.iplt) -+ PROVIDE (__rela_iplt_end = .); -+ } - .rela.tocbss : { *(.rela.tocbss) } - .init : - { --- -1.7.7.5 - 
diff --git a/0021-qiov-prevent-double-free-or-use-after-free.patch b/0021-qiov-prevent-double-free-or-use-after-free.patch deleted file mode 100644 index 08e0e84..0000000 --- a/0021-qiov-prevent-double-free-or-use-after-free.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 6061f16a8a119a46e61f2ddbabdb58f83e8857f7 Mon Sep 17 00:00:00 2001 -From: Paolo Bonzini -Date: Fri, 25 Nov 2011 12:06:22 +0100 -Subject: [PATCH 21/25] qiov: prevent double free or use-after-free - -qemu_iovec_destroy does not clear the QEMUIOVector fully, and the data -could thus be used after free or freed again. While I do not know any -example in the tree, I observed this using virtio-scsi (and SCSI -scatter/gather) when canceling DMA requests. - -Signed-off-by: Paolo Bonzini -Signed-off-by: Kevin Wolf ---- - cutils.c | 3 +++ - 1 files changed, 3 insertions(+), 0 deletions(-) - -diff --git a/cutils.c b/cutils.c -index 6db6304..24b3fe3 100644 ---- a/cutils.c -+++ b/cutils.c -@@ -217,7 +217,10 @@ void qemu_iovec_destroy(QEMUIOVector *qiov) - { - assert(qiov->nalloc != -1); - -+ qemu_iovec_reset(qiov); - g_free(qiov->iov); -+ qiov->nalloc = 0; -+ qiov->iov = NULL; - } - - void qemu_iovec_reset(QEMUIOVector *qiov) --- -1.7.7.5 - diff --git a/0022-coroutine-switch-per-thread-free-pool-to-a-global-po.patch b/0022-coroutine-switch-per-thread-free-pool-to-a-global-po.patch deleted file mode 100644 index eebdfaa..0000000 --- a/0022-coroutine-switch-per-thread-free-pool-to-a-global-po.patch +++ /dev/null 
@@ -1,115 +0,0 @@ -From fe5c13ebf1161d0f324229cfb36cb5fb87ec6248 Mon Sep 17 00:00:00 2001 -From: Avi Kivity -Date: Mon, 5 Dec 2011 19:20:12 +0200 -Subject: [PATCH 22/25] coroutine: switch per-thread free pool to a global - pool - -ucontext-based coroutines use a free pool to reduce allocations and -deallocations of coroutine objects. The pool is per-thread, presumably -to improve locality. However, as coroutines are usually allocated in -a vcpu thread and freed in the I/O thread, the pool accounting gets -screwed up and we end allocating and freeing a coroutine for every I/O -request. This is expensive since large objects are allocated via the -kernel, and are not cached by the C runtime. - -Fix by switching to a global pool. This is safe since we're protected -by the global mutex. - -Signed-off-by: Avi Kivity -Signed-off-by: Kevin Wolf ---- - coroutine-ucontext.c | 30 ++++++++++++++++-------------- - 1 files changed, 16 insertions(+), 14 deletions(-) - -diff --git a/coroutine-ucontext.c b/coroutine-ucontext.c -index 2b8d3e9..3d01075 100644 ---- a/coroutine-ucontext.c -+++ b/coroutine-ucontext.c -@@ -35,6 +35,10 @@ enum { - POOL_MAX_SIZE = 64, - }; - -+/** Free list to speed up creation */ -+static QLIST_HEAD(, Coroutine) pool = QLIST_HEAD_INITIALIZER(pool); -+static unsigned int pool_size; -+ - typedef struct { - Coroutine base; - void *stack; -@@ -48,10 +52,6 @@ typedef struct { - /** Currently executing coroutine */ - Coroutine *current; - -- /** Free list to speed up creation */ -- QLIST_HEAD(, Coroutine) pool; -- unsigned int pool_size; -- - /** The default coroutine */ - CoroutineUContext leader; - } CoroutineThreadState; -@@ -75,7 +75,6 @@ static CoroutineThreadState *coroutine_get_thread_state(void) - if (!s) { - s = g_malloc0(sizeof(*s)); - s->current = &s->leader.base; -- QLIST_INIT(&s->pool); - pthread_setspecific(thread_state_key, s); - } - return s; -@@ -84,14 +83,19 @@ static CoroutineThreadState *coroutine_get_thread_state(void) - static void 
qemu_coroutine_thread_cleanup(void *opaque) - { - CoroutineThreadState *s = opaque; -+ -+ g_free(s); -+} -+ -+static void __attribute__((destructor)) coroutine_cleanup(void) -+{ - Coroutine *co; - Coroutine *tmp; - -- QLIST_FOREACH_SAFE(co, &s->pool, pool_next, tmp) { -+ QLIST_FOREACH_SAFE(co, &pool, pool_next, tmp) { - g_free(DO_UPCAST(CoroutineUContext, base, co)->stack); - g_free(co); - } -- g_free(s); - } - - static void __attribute__((constructor)) coroutine_init(void) -@@ -169,13 +173,12 @@ static Coroutine *coroutine_new(void) - - Coroutine *qemu_coroutine_new(void) - { -- CoroutineThreadState *s = coroutine_get_thread_state(); - Coroutine *co; - -- co = QLIST_FIRST(&s->pool); -+ co = QLIST_FIRST(&pool); - if (co) { - QLIST_REMOVE(co, pool_next); -- s->pool_size--; -+ pool_size--; - } else { - co = coroutine_new(); - } -@@ -184,13 +187,12 @@ Coroutine *qemu_coroutine_new(void) - - void qemu_coroutine_delete(Coroutine *co_) - { -- CoroutineThreadState *s = coroutine_get_thread_state(); - CoroutineUContext *co = DO_UPCAST(CoroutineUContext, base, co_); - -- if (s->pool_size < POOL_MAX_SIZE) { -- QLIST_INSERT_HEAD(&s->pool, &co->base, pool_next); -+ if (pool_size < POOL_MAX_SIZE) { -+ QLIST_INSERT_HEAD(&pool, &co->base, pool_next); - co->base.caller = NULL; -- s->pool_size++; -+ pool_size++; - return; - } - --- -1.7.7.5 - diff --git a/0023-qemu-img-rebase-Fix-for-undersized-backing-files.patch b/0023-qemu-img-rebase-Fix-for-undersized-backing-files.patch deleted file mode 100644 index 413ebd0..0000000 --- a/0023-qemu-img-rebase-Fix-for-undersized-backing-files.patch +++ /dev/null 
@@ -1,86 +0,0 @@ -From 5bb37d151b026759ee35f04212b11b4d625c7431 Mon Sep 17 00:00:00 2001 -From: Kevin Wolf -Date: Wed, 7 Dec 2011 12:42:10 +0100 -Subject: [PATCH 23/25] qemu-img rebase: Fix for undersized backing files - -Backing files may be smaller than the corresponding COW file. When -reading directly from the backing file, qemu-img rebase must consider -this and assume zero sectors after the end of backing files. - -Signed-off-by: Kevin Wolf -Reviewed-by: Stefan Hajnoczi ---- - qemu-img.c | 42 +++++++++++++++++++++++++++++++++--------- - 1 files changed, 33 insertions(+), 9 deletions(-) - -diff --git a/qemu-img.c b/qemu-img.c -index 8bdae66..01cc0d3 100644 ---- a/qemu-img.c -+++ b/qemu-img.c -@@ -1420,6 +1420,8 @@ static int img_rebase(int argc, char **argv) - */ - if (!unsafe) { - uint64_t num_sectors; -+ uint64_t old_backing_num_sectors; -+ uint64_t new_backing_num_sectors; - uint64_t sector; - int n; - uint8_t * buf_old; -@@ -1430,6 +1432,8 @@ static int img_rebase(int argc, char **argv) - buf_new = qemu_blockalign(bs, IO_BUF_SIZE); - - bdrv_get_geometry(bs, &num_sectors); -+ bdrv_get_geometry(bs_old_backing, &old_backing_num_sectors); -+ bdrv_get_geometry(bs_new_backing, &new_backing_num_sectors); - - local_progress = (float)100 / - (num_sectors / MIN(num_sectors, IO_BUF_SIZE / 512)); -@@ -1448,16 +1452,36 @@ static int img_rebase(int argc, char **argv) - continue; - } - -- /* Read old and new backing file */ -- ret = bdrv_read(bs_old_backing, sector, buf_old, n); -- if (ret < 0) { -- error_report("error while reading from old backing file"); -- goto out; -+ /* -+ * Read old and new backing file and take into consideration that -+ * backing files may be smaller than the COW image. 
-+ */ -+ if (sector >= old_backing_num_sectors) { -+ memset(buf_old, 0, n * BDRV_SECTOR_SIZE); -+ } else { -+ if (sector + n > old_backing_num_sectors) { -+ n = old_backing_num_sectors - sector; -+ } -+ -+ ret = bdrv_read(bs_old_backing, sector, buf_old, n); -+ if (ret < 0) { -+ error_report("error while reading from old backing file"); -+ goto out; -+ } - } -- ret = bdrv_read(bs_new_backing, sector, buf_new, n); -- if (ret < 0) { -- error_report("error while reading from new backing file"); -- goto out; -+ -+ if (sector >= new_backing_num_sectors) { -+ memset(buf_new, 0, n * BDRV_SECTOR_SIZE); -+ } else { -+ if (sector + n > new_backing_num_sectors) { -+ n = new_backing_num_sectors - sector; -+ } -+ -+ ret = bdrv_read(bs_new_backing, sector, buf_new, n); -+ if (ret < 0) { -+ error_report("error while reading from new backing file"); -+ goto out; -+ } - } - - /* If they differ, we need to write to the COW file */ --- -1.7.7.5 - diff --git a/0024-Documentation-Add-qemu-img-t-parameter-in-man-page.patch b/0024-Documentation-Add-qemu-img-t-parameter-in-man-page.patch deleted file mode 100644 index 6df771d..0000000 --- a/0024-Documentation-Add-qemu-img-t-parameter-in-man-page.patch +++ /dev/null 
@@ -1,82 +0,0 @@ -From 8afe984ef7aa25cb2f8af51da021fdc8a242884d Mon Sep 17 00:00:00 2001 -From: Kevin Wolf -Date: Wed, 7 Dec 2011 13:57:13 +0100 -Subject: [PATCH 24/25] Documentation: Add qemu-img -t parameter in man page - -Signed-off-by: Kevin Wolf -Reviewed-by: Stefan Hajnoczi ---- - qemu-img-cmds.hx | 6 +++--- - qemu-img.texi | 10 +++++++--- - 2 files changed, 10 insertions(+), 6 deletions(-) - -diff --git a/qemu-img-cmds.hx b/qemu-img-cmds.hx -index 4be00a5..49dce7c 100644 ---- a/qemu-img-cmds.hx -+++ b/qemu-img-cmds.hx -@@ -24,13 +24,13 @@ ETEXI - DEF("commit", img_commit, - "commit [-f fmt] [-t cache] filename") - STEXI --@item commit [-f @var{fmt}] @var(unknown) -+@item commit [-f @var{fmt}] [-t @var{cache}] @var(unknown) - ETEXI - - DEF("convert", img_convert, - "convert [-c] [-p] [-f fmt] [-t cache] [-O output_fmt] [-o options] [-s snapshot_name] [-S sparse_size] filename [filename2 [...]] output_filename") - STEXI --@item convert [-c] [-p] [-f @var{fmt}] [-O @var{output_fmt}] [-o @var{options}] [-s @var{snapshot_name}] [-S @var{sparse_size}] @var(unknown) [@var{filename2} [...]] @var{output_filename} -+@item convert [-c] [-p] [-f @var{fmt}] [-t @var{cache}] [-O @var{output_fmt}] [-o @var{options}] [-s @var{snapshot_name}] [-S @var{sparse_size}] @var(unknown) [@var{filename2} [...]] @var{output_filename} - ETEXI - - DEF("info", img_info, -@@ -48,7 +48,7 @@ ETEXI - DEF("rebase", img_rebase, - "rebase [-f fmt] [-t cache] [-p] [-u] -b backing_file [-F backing_fmt] filename") - STEXI --@item rebase [-f @var{fmt}] [-p] [-u] -b @var{backing_file} [-F @var{backing_fmt}] @var(unknown) -+@item rebase [-f @var{fmt}] [-t @var{cache}] [-p] [-u] -b @var{backing_file} [-F @var{backing_fmt}] @var(unknown) - ETEXI - - DEF("resize", img_resize, -diff --git a/qemu-img.texi b/qemu-img.texi -index 70fa321..b2ca3a5 100644 ---- a/qemu-img.texi -+++ b/qemu-img.texi -@@ -45,6 +45,10 @@ indicates the consecutive number of bytes that must contain only zeros - for qemu-img to 
create a sparse image during conversion. This value is rounded - down to the nearest 512 bytes. You may use the common size suffixes like - @code{k} for kilobytes. -+@item -t @var{cache} -+specifies the cache mode that should be used with the (destination) file. See -+the documentation of the emulator's @code{-drive cache=...} option for allowed -+values. - @end table - - Parameters to snapshot subcommand: -@@ -87,11 +91,11 @@ this case. @var{backing_file} will never be modified unless you use the - The size can also be specified using the @var{size} option with @code{-o}, - it doesn't need to be specified separately in this case. - --@item commit [-f @var{fmt}] @var(unknown) -+@item commit [-f @var{fmt}] [-t @var{cache}] @var(unknown) - - Commit the changes recorded in @var(unknown) in its base image. - --@item convert [-c] [-p] [-f @var{fmt}] [-O @var{output_fmt}] [-o @var{options}] [-s @var{snapshot_name}] [-S @var{sparse_size}] @var(unknown) [@var{filename2} [...]] @var{output_filename} -+@item convert [-c] [-p] [-f @var{fmt}] [-t @var{cache}] [-O @var{output_fmt}] [-o @var{options}] [-s @var{snapshot_name}] [-S @var{sparse_size}] @var(unknown) [@var{filename2} [...]] @var{output_filename} - - Convert the disk image @var(unknown) or a snapshot @var{snapshot_name} to disk image @var{output_filename} - using format @var{output_fmt}. It can be optionally compressed (@code{-c} -@@ -121,7 +125,7 @@ they are displayed too. - - List, apply, create or delete snapshots in image @var(unknown). - --@item rebase [-f @var{fmt}] [-p] [-u] -b @var{backing_file} [-F @var{backing_fmt}] @var(unknown) -+@item rebase [-f @var{fmt}] [-t @var{cache}] [-p] [-u] -b @var{backing_file} [-F @var{backing_fmt}] @var(unknown) - - Changes the backing file of an image. Only the formats @code{qcow2} and - @code{qed} support changing the backing file. --- -1.7.7.5 - 
diff --git a/0025-rbd-always-set-out-parameter-in-qemu_rbd_snap_list.patch b/0025-rbd-always-set-out-parameter-in-qemu_rbd_snap_list.patch deleted file mode 100644 index fb7010d..0000000 --- a/0025-rbd-always-set-out-parameter-in-qemu_rbd_snap_list.patch +++ /dev/null @@ -1,39 +0,0 @@ -From e47c212cb5af148ab6d9dcf49bc0e054fe9c2e1d Mon Sep 17 00:00:00 2001 -From: Josh Durgin -Date: Tue, 6 Dec 2011 17:05:10 -0800 -Subject: [PATCH 25/25] rbd: always set out parameter in qemu_rbd_snap_list - -The caller expects psn_tab to be NULL when there are no snapshots or -an error occurs. This results in calling g_free on an invalid address. - -Reported-by: Oliver Francke -Signed-off-by: Josh Durgin -Signed-off-by: Kevin Wolf ---- - block/rbd.c | 3 ++- - 1 files changed, 2 insertions(+), 1 deletions(-) - -diff --git a/block/rbd.c b/block/rbd.c -index 9088c52..54a6961 100644 ---- a/block/rbd.c -+++ b/block/rbd.c -@@ -808,7 +808,7 @@ static int qemu_rbd_snap_list(BlockDriverState *bs, - } while (snap_count == -ERANGE); - - if (snap_count <= 0) { -- return snap_count; -+ goto done; - } - - sn_tab = g_malloc0(snap_count * sizeof(QEMUSnapshotInfo)); -@@ -827,6 +827,7 @@ static int qemu_rbd_snap_list(BlockDriverState *bs, - } - rbd_snap_list_end(snaps); - -+ done: - *psn_tab = sn_tab; - return snap_count; - } --- -1.7.7.5 - diff --git a/0026-e1000-bounds-packet-size-against-buffer-size.patch b/0026-e1000-bounds-packet-size-against-buffer-size.patch deleted file mode 100644 index bd2bdc7..0000000 --- a/0026-e1000-bounds-packet-size-against-buffer-size.patch +++ /dev/null 
@@ -1,37 +0,0 @@ -From d0ed2d2e8e863a9a64c9fc9c08fa68bee546ad00 Mon Sep 17 00:00:00 2001 -From: Anthony Liguori -Date: Mon, 23 Jan 2012 07:30:43 -0600 -Subject: [PATCH 26/26] e1000: bounds packet size against buffer size - -Otherwise we can write beyond the buffer and corrupt memory. This is tracked -as CVE-2012-0029. - -Signed-off-by: Anthony Liguori ---- - hw/e1000.c | 3 +++ - 1 files changed, 3 insertions(+), 0 deletions(-) - -diff --git a/hw/e1000.c b/hw/e1000.c -index 986ed9c..e164d79 100644 ---- a/hw/e1000.c -+++ b/hw/e1000.c -@@ -466,6 +466,8 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp) - bytes = split_size; - if (tp->size + bytes > msh) - bytes = msh - tp->size; -+ -+ bytes = MIN(sizeof(tp->data) - tp->size, bytes); - pci_dma_read(&s->dev, addr, tp->data + tp->size, bytes); - if ((sz = tp->size + bytes) >= hdr && tp->size < hdr) - memmove(tp->header, tp->data, hdr); -@@ -481,6 +483,7 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp) - // context descriptor TSE is not set, while data descriptor TSE is set - DBGOUT(TXERR, "TCP segmentaion Error\n"); - } else { -+ split_size = MIN(sizeof(tp->data) - tp->size, split_size); - pci_dma_read(&s->dev, addr, tp->data + tp->size, split_size); - tp->size += split_size; - } --- -1.7.7.6 - diff --git a/Fix_save-restore_of_in-kernel_i8259.patch b/Fix_save-restore_of_in-kernel_i8259.patch deleted file mode 100644 index 15c772f..0000000 --- a/Fix_save-restore_of_in-kernel_i8259.patch +++ /dev/null 
@@ -1,87 +0,0 @@ -As the qemu-kvm version of the i8259 contains KVM bits, it still has to -be compiled per target. This unbreaks migration of the i8259. - -Signed-off-by: Jan Kiszka ---- - -Not sure if anyone bothers (no one should actually use qemu-kvm for -targets != x86), but let's avoid needless breakages of other targets -requiring the i8259. - - Makefile.objs | 2 +- - Makefile.target | 8 ++++---- - hw/i8259.c | 2 -- - 3 files changed, 5 insertions(+), 7 deletions(-) - -diff --git a/Makefile.objs b/Makefile.objs -index 13afd19..77237e1 100644 ---- a/Makefile.objs -+++ b/Makefile.objs -@@ -223,7 +223,7 @@ hw-obj-$(CONFIG_APPLESMC) += applesmc.o - hw-obj-$(CONFIG_SMARTCARD) += usb-ccid.o ccid-card-passthru.o - hw-obj-$(CONFIG_SMARTCARD_NSS) += ccid-card-emulated.o - hw-obj-$(CONFIG_USB_REDIR) += usb-redir.o --hw-obj-$(CONFIG_I8259) += i8259.o -+# hw-obj-$(CONFIG_I8259) += i8259.o - - # PPC devices - hw-obj-$(CONFIG_PREP_PCI) += prep_pci.o -diff --git a/Makefile.target b/Makefile.target -index 0b610ad..29eaa68 100644 ---- a/Makefile.target -+++ b/Makefile.target -@@ -236,7 +236,7 @@ obj-$(CONFIG_IVSHMEM) += ivshmem.o - - # Hardware support - obj-i386-y += vga.o --obj-i386-y += mc146818rtc.o pc.o -+obj-i386-y += mc146818rtc.o pc.o i8259.o - obj-i386-y += cirrus_vga.o sga.o apic.o ioapic.o piix_pci.o - obj-i386-y += vmport.o - obj-i386-y += device-hotplug.o pci-hotplug.o smbios.o wdt_ib700.o -@@ -255,7 +255,7 @@ obj-i386-$(CONFIG_KVM_DEVICE_ASSIGNMENT) += device-assignment.o - obj-ppc-y = ppc.o ppc_booke.o - obj-ppc-y += vga.o - # PREP target --obj-ppc-y += mc146818rtc.o -+obj-ppc-y += mc146818rtc.o i8259.o - obj-ppc-y += ppc_prep.o - # OldWorld PowerMac - obj-ppc-y += ppc_oldworld.o -@@ -311,7 +311,7 @@ obj-mips-y += acpi.o acpi_piix4.o - obj-mips-y += mips_addr.o mips_timer.o mips_int.o - obj-mips-y += vga.o - obj-mips-y += jazz_led.o --obj-mips-y += gt64xxx.o mc146818rtc.o -+obj-mips-y += gt64xxx.o mc146818rtc.o i8259.o - obj-mips-y += cirrus_vga.o - 
obj-mips-$(CONFIG_FULONG) += bonito.o vt82c686.o mips_fulong2e.o - -@@ -392,7 +392,7 @@ obj-m68k-y += m68k-semi.o dummy_m68k.o - - obj-s390x-y = s390-virtio-bus.o s390-virtio.o - --obj-alpha-y = mc146818rtc.o -+obj-alpha-y = mc146818rtc.o i8259.o - obj-alpha-y += vga.o cirrus_vga.o - obj-alpha-y += alpha_pci.o alpha_dp264.o alpha_typhoon.o - -diff --git a/hw/i8259.c b/hw/i8259.c -index fa63e83..a9ea9c9 100644 ---- a/hw/i8259.c -+++ b/hw/i8259.c -@@ -697,8 +697,6 @@ static int kvm_kernel_pic_load_from_user(PicState *s) - return 0; - } - --extern void apic_set_irq_delivered(void); -- - static void kvm_i8259_set_irq(void *opaque, int irq, int level) - { - int pic_ret; --- -1.7.3.4 --- -To unsubscribe from this list: send the line "unsubscribe kvm" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/qemu-Allow-to-leave-type-on-default-in-machine.patch b/qemu-Allow-to-leave-type-on-default-in-machine.patch deleted file mode 100644 index e4a8e6d..0000000 --- a/qemu-Allow-to-leave-type-on-default-in-machine.patch +++ /dev/null @@ -1,14 +0,0 @@ ---- qemu-kvm-0.15.0.old/vl.c 2011-08-09 13:40:29.000000000 +0100 -+++ qemu-kvm-0.15.0/vl.c 2011-08-18 16:38:51.487515037 +0100 -@@ -2718,7 +2718,10 @@ - fprintf(stderr, "parse error: %s\n", optarg); - exit(1); - } -- machine = machine_parse(qemu_opt_get(opts, "type")); -+ optarg = qemu_opt_get(opts, "type"); -+ if (optarg) { -+ machine = machine_parse(optarg); -+ } - break; - case QEMU_OPTION_no_kvm: - olist = qemu_find_opts("machine"); diff --git a/qemu-fix-non-PCI-target-build.patch b/qemu-fix-non-PCI-target-build.patch deleted file mode 100644 index b479efa..0000000 --- a/qemu-fix-non-PCI-target-build.patch +++ /dev/null 
@@ -1,53 +0,0 @@ -commit 1a8364456c2f3946b4feb8fc78eaf00d974f4c03 -Author: Jan Kiszka -Date: Wed Feb 23 09:28:53 2011 +0100 - - qemu-kvm: Fix non-PCI target build - - Replace obsolete qemu-kvm.h with kvm.h in pci.c and build that module - just like upstream does. This fixes non-x86 targets which have no PCI - support. - - Signed-off-by: Jan Kiszka - Signed-off-by: Avi Kivity - -diff --git a/Makefile.objs b/Makefile.objs -index f5702eb..3ec7121 100644 ---- a/Makefile.objs -+++ b/Makefile.objs -@@ -170,7 +170,7 @@ hw-obj-y = - hw-obj-y += loader.o - hw-obj-$(CONFIG_VIRTIO) += virtio.o virtio-console.o - hw-obj-y += fw_cfg.o --hw-obj-$(CONFIG_PCI) += pci_bridge.o -+hw-obj-$(CONFIG_PCI) += pci.o pci_bridge.o - hw-obj-$(CONFIG_PCI) += msix.o msi.o - hw-obj-$(CONFIG_PCI) += pci_host.o pcie_host.o - hw-obj-$(CONFIG_PCI) += ioh3420.o xio3130_upstream.o xio3130_downstream.o -diff --git a/Makefile.target b/Makefile.target -index 6e9a024..23367eb 100644 ---- a/Makefile.target -+++ b/Makefile.target -@@ -195,7 +195,7 @@ endif #CONFIG_BSD_USER - # System emulator target - ifdef CONFIG_SOFTMMU - --obj-y = arch_init.o cpus.o monitor.o pci.o machine.o gdbstub.o vl.o balloon.o -+obj-y = arch_init.o cpus.o monitor.o machine.o gdbstub.o vl.o balloon.o - # virtio has to be here due to weird dependency between PCI and virtio-net. - # need to fix this properly - obj-$(CONFIG_NO_PCI) += pci-stub.o -diff --git a/hw/pci.c b/hw/pci.c -index 0c44939..1f6cebe 100644 ---- a/hw/pci.c -+++ b/hw/pci.c -@@ -29,8 +29,8 @@ - #include "net.h" - #include "sysemu.h" - #include "loader.h" --#include "qemu-kvm.h" - #include "hw/pc.h" -+#include "kvm.h" - #include "device-assignment.h" - #include "qemu-objects.h" - #include "range.h" diff --git a/qemu-fix-systemtap.patch b/qemu-fix-systemtap.patch new file mode 100644 index 0000000..1ea1fc0 --- /dev/null +++ b/qemu-fix-systemtap.patch 
@@ -0,0 +1,16 @@
+diff -rup qemu-kvm-1.0.1/scripts/tracetool foo/scripts/tracetool
+--- qemu-kvm-1.0.1/scripts/tracetool 2012-04-16 22:15:17.000000000 -0400
++++ foo/scripts/tracetool 2012-07-29 20:46:52.628797169 -0400
+@@ -499,6 +499,12 @@ EOF
+ # 'limit' is a reserved keyword
+ if [ "$arg" = "limit" ]; then
+ arg="_limit"
++ if [ "$arg" = "in" ]; then
++ arg="_in"
++ if [ "$arg" = "next" ]; then
++ arg="_next"
++ if [ "$arg" = "self" ]; then
++ arg="_self"
+ fi
+ cat <
+Date: Mon Jul 16 18:08:36 2012 +0400
+
+ audio: Unbreak capturing in mixemu case
+
+ Signed-off-by: malc
+
+diff --git a/audio/audio.c b/audio/audio.c
+index 583ee51..1c77389 100644
+--- a/audio/audio.c
++++ b/audio/audio.c
+@@ -818,6 +818,7 @@ static int audio_attach_capture (HWVoiceOut *hw)
+ sw->active = hw->enabled;
+ sw->conv = noop_conv;
+ sw->ratio = ((int64_t) hw_cap->info.freq << 32) / sw->info.freq;
++ sw->vol = nominal_volume;
+ sw->rate = st_rate_start (sw->info.freq, hw_cap->info.freq);
+ if (!sw->rate) {
+ dolog ("Could not start rate conversion for `%s'\n", SW_NAME (sw));
diff --git a/qemu-snapshot-symlink-attack.patch b/qemu-snapshot-symlink-attack.patch
new file mode 100644
index 0000000..198c010
--- /dev/null
+++ b/qemu-snapshot-symlink-attack.patch
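Review bot: The three new tests `if [ "$arg" = "in" ]`, `"next"` and `"self"` in the tracetool hunk each open an `if` block, but the hunk adds no matching `fi` lines (its header counts six added lines and all six are visible), so the single `fi` in the trailing context closes only the innermost block and the script should fail to parse with an unexpected end of file; each test needs its own `fi`, or the four checks collapse into one `case "$arg" in limit|in|next|self) arg="_$arg" ;; esac`. The comment above them still reads `# 'limit' is a reserved keyword`; with four keywords handled it should say `# prefix arguments that collide with systemtap reserved keywords`. The tail of this hunk is cut off in this view, so if the patch file really does carry the extra `fi` lines somewhere the count in the header is what needs checking.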
@@ -0,0 +1,93 @@
+diff -rup qemu-kvm-1.0.1/block/vvfat.c foo/block/vvfat.c
+--- qemu-kvm-1.0.1/block/vvfat.c 2012-04-16 22:15:17.000000000 -0400
++++ foo/block/vvfat.c 2012-07-29 20:00:15.515321504 -0400
+@@ -2799,7 +2799,12 @@ static int enable_write_target(BDRVVVFAT
+ array_init(&(s->commits), sizeof(commit_t));
+ 
+ s->qcow_filename = g_malloc(1024);
+- get_tmp_filename(s->qcow_filename, 1024);
++ ret = get_tmp_filename(s->qcow_filename, 1024);
++ if (ret < 0) {
++ g_free(s->qcow_filename);
++ s->qcow_filename = NULL;
++ return ret;
++ }
+ 
+ bdrv_qcow = bdrv_find_format("qcow");
+ options = parse_option_parameters("", bdrv_qcow->create_options, NULL);
+diff -rup qemu-kvm-1.0.1/block.c foo/block.c
+--- qemu-kvm-1.0.1/block.c 2012-04-16 22:15:17.000000000 -0400
++++ foo/block.c 2012-07-29 20:00:15.513321760 -0400
+@@ -272,28 +272,36 @@ int bdrv_create_file(const char* filenam
+ return bdrv_create(drv, filename, options);
+ }
+ 
+-#ifdef _WIN32
+-void get_tmp_filename(char *filename, int size)
++/*
++ * Create a uniquely-named empty temporary file.
++ * Return 0 upon success, otherwise a negative errno value.
++ */
++int get_tmp_filename(char *filename, int size)
+ {
++#ifdef _WIN32
+ char temp_dir[MAX_PATH];
+-
+- GetTempPath(MAX_PATH, temp_dir);
+- GetTempFileName(temp_dir, "qem", 0, filename);
+-}
++ /* GetTempFileName requires that its output buffer (4th param)
++ have length MAX_PATH or greater. */
++ assert(size >= MAX_PATH);
++ return (GetTempPath(MAX_PATH, temp_dir)
++ && GetTempFileName(temp_dir, "qem", 0, filename)
++ ? 0 : -GetLastError());
+ #else
+-void get_tmp_filename(char *filename, int size)
+-{
+ int fd;
+ const char *tmpdir;
+- /* XXX: race condition possible */
+ tmpdir = getenv("TMPDIR");
+ if (!tmpdir)
+ tmpdir = "/tmp";
+- snprintf(filename, size, "%s/vl.XXXXXX", tmpdir);
++ if (snprintf(filename, size, "%s/vl.XXXXXX", tmpdir) >= size) {
++ return -EOVERFLOW;
++ }
+ fd = mkstemp(filename);
+- close(fd);
+-}
++ if (fd < 0 || close(fd)) {
++ return -errno;
++ }
++ return 0;
+ #endif
++}
+ 
+ /*
+ * Detect host devices. By convention, /dev/cdrom[N] is always
+@@ -601,7 +609,10 @@ int bdrv_open(BlockDriverState *bs, cons
+ 
+ bdrv_delete(bs1);
+ 
+- get_tmp_filename(tmp_filename, sizeof(tmp_filename));
++ ret = get_tmp_filename(tmp_filename, sizeof(tmp_filename));
++ if (ret < 0) {
++ return ret;
++ }
+ 
+ /* Real path is meaningless for protocols */
+ if (is_protocol)
+diff -rup qemu-kvm-1.0.1/block_int.h foo/block_int.h
+--- qemu-kvm-1.0.1/block_int.h 2012-04-16 22:15:17.000000000 -0400
++++ foo/block_int.h 2012-07-29 20:00:15.515321504 -0400
+@@ -238,7 +238,7 @@ struct BlockDriverAIOCB {
+ BlockDriverAIOCB *next;
+ };
+ 
+-void get_tmp_filename(char *filename, int size);
++int get_tmp_filename(char *filename, int size);
+ 
+ void *qemu_aio_get(AIOPool *pool, BlockDriverState *bs,
+ BlockDriverCompletionFunc *cb, void *opaque);
diff --git a/qemu-vhost-fix-dirty-page-handling.patch b/qemu-vhost-fix-dirty-page-handling.patch
deleted file mode 100644
index e3fabb7..0000000
--- a/qemu-vhost-fix-dirty-page-handling.patch
+++ /dev/null
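Review bot: In the `enable_write_target` hunk the new code assigns `ret = get_tmp_filename(s->qcow_filename, 1024);` and returns it, but no declaration of `ret` appears in any visible hunk of this patch; `enable_write_target` begins before the hunk, so confirm the function already has an `int ret;` or the backport will not compile. In the `block.c` hunk the new header comment promises "otherwise a negative errno value", yet the `_WIN32` branch returns `-GetLastError()`, a negated Win32 `DWORD` code that is not an errno, and `bdrv_open` now propagates that value unchanged to its callers; either map it (for example `? 0 : -EIO`) or amend the comment to `otherwise a negative errno value (a negated Win32 error code on _WIN32)`. The POSIX branch is the actual CVE-2012-2652 fix and looks right: the name is now reserved by `mkstemp()` (exclusive create, mode 0600) instead of merely predicted and handed to a later create, and the `>= size` check on `snprintf` correctly rejects a truncated path as `-EOVERFLOW` rather than letting a short name through.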
@@ -1,31 +0,0 @@ -vhost was passing a physical address to cpu_physical_memory_set_dirty, -which is wrong: we need to translate to ram address first. - -Signed-off-by: Michael S. Tsirkin - -Note: this lead to crashes during migration, so the patch -is needed on the stable branch too. - ---- - hw/vhost.c | 4 +++- - 1 files changed, 3 insertions(+), 1 deletions(-) - -diff --git a/hw/vhost.c b/hw/vhost.c -index aaa34e4..97a1299 100644 ---- a/hw/vhost.c -+++ b/hw/vhost.c -@@ -49,8 +49,10 @@ static void vhost_dev_sync_region(struct vhost_dev *dev, - log = __sync_fetch_and_and(from, 0); - while ((bit = sizeof(log) > sizeof(int) ? - ffsll(log) : ffs(log))) { -+ ram_addr_t ram_addr; - bit -= 1; -- cpu_physical_memory_set_dirty(addr + bit * VHOST_LOG_PAGE); -+ ram_addr = cpu_get_physical_page_desc(addr + bit * VHOST_LOG_PAGE); -+ cpu_physical_memory_set_dirty(ram_addr); - log &= ~(0x1ull << bit); - } - addr += VHOST_LOG_CHUNK; --- -1.7.3.2.91.g446ac - diff --git a/qemu.spec b/qemu.spec index 5ac9289..963c14b 100644 --- a/qemu.spec +++ b/qemu.spec @@ -37,9 +37,9 @@ Summary: QEMU is a FAST! processor emulator Name: qemu -Version: 1.0 -Release: 18%{?dist} -# Epoch because we pushed a qemu-1.0 package +Version: 1.0.1 +Release: 1%{?dist} +# Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped Epoch: 2 License: GPLv2+ and LGPLv2+ and BSD Group: Development/Tools 
@@ -75,35 +75,6 @@ Source9: ksmtuned.conf Source10: qemu-guest-agent.service Source11: 99-qemu-guest-agent.rules -# Patches queued for 1.0.1 stable -Patch01: 0001-malta-Fix-regression-i8259-interrupts-did-not-work.patch -Patch02: 0002-exec.c-Fix-subpage-memory-access-to-RAM-MemoryRegion.patch -Patch03: 0003-hw-9pfs-Improve-portability-to-older-systems.patch -Patch04: 0004-hw-9pfs-use-migration-blockers-to-prevent-live-migra.patch -Patch05: 0005-hw-9pfs-Reset-server-state-during-TVERSION.patch -Patch06: 0006-hw-9pfs-Add-qdev.reset-callback-for-virtio-9p-pci-de.patch -Patch07: 0007-hw-9pfs-Use-the-correct-file-descriptor-in-Fsdriver-.patch -Patch08: 0008-hw-9pfs-replace-iovec-manipulation-with-QEMUIOVector.patch -Patch09: 0009-hw-9pfs-Use-the-correct-signed-type-for-different-va.patch -Patch10: 0010-target-i386-fix-cmpxchg-instruction-emulation.patch -Patch11: 0011-configure-Enable-build-by-default-PIE-read-only-relo.patch -Patch12: 0012-cris-Handle-conditional-stores-on-CRISv10.patch -Patch13: 0013-pc-add-pc-0.15.patch -Patch14: 0014-pc-fix-event_idx-compatibility-for-virtio-devices.patch -Patch15: 0015-Fix-parse-of-usb-device-description-with-multiple-co.patch -Patch16: 0016-usb-storage-cancel-I-O-on-reset.patch -Patch17: 0017-usb-host-properly-release-port-on-unplug-exit.patch -Patch18: 0018-usb-ohci-td.cbp-incorrectly-updated-near-page-end.patch -Patch19: 0019-target-sh4-ignore-ocbp-and-ocbwb-instructions.patch -Patch20: 0020-PPC-Fix-linker-scripts-on-ppc-hosts.patch -Patch21: 0021-qiov-prevent-double-free-or-use-after-free.patch -Patch22: 0022-coroutine-switch-per-thread-free-pool-to-a-global-po.patch -Patch23: 0023-qemu-img-rebase-Fix-for-undersized-backing-files.patch -Patch24: 0024-Documentation-Add-qemu-img-t-parameter-in-man-page.patch -Patch25: 0025-rbd-always-set-out-parameter-in-qemu_rbd_snap_list.patch -Patch26: 0026-e1000-bounds-packet-size-against-buffer-size.patch -Patch27: virtio-blk_refuse_SG_IO_requests_with_scsi_off.patch - # USB-redir patches 
all upstream for 1.1 except for the chardev flowcontrol set Patch101: 0101-usb-redir-Clear-iso-irq-error-when-stopping-the-stre.patch Patch102: 0102-usb-redir-Dynamically-adjust-iso-buffering-size-base.patch @@ -154,7 +125,6 @@ Patch146: 0146-usb-redir-Not-finding-an-async-urb-id-is-not-an-erro.patch Patch147: 0147-usb-ehci-Ensure-frindex-writes-leave-a-valid-frindex.patch # General bug fixes -Patch201: Fix_save-restore_of_in-kernel_i8259.patch Patch202: qemu-virtio-9p-noatime.patch # Feature patches, should be in 1.1 before release @@ -209,6 +179,13 @@ Patch508: 0508-configure-pa_simple-is-not-needed-anymore.patch Patch509: 0509-Allow-controlling-volume-with-PulseAudio-backend.patch # Fix fedora guest hang with virtio console (bz 837925) Patch510: %{name}-virtio-console-unconnected-pty.patch +# Fix VNC audio tunnelling (bz 840653) +Patch511: %{name}-fix-vnc-audio.patch +# CVE-2012-2652: Possible symlink attacks with -snapshot (bz 825697, bz +# 824919) +Patch512: %{name}-snapshot-symlink-attack.patch +# Fix systemtap tapsets (bz 831763) +Patch513: %{name}-fix-systemtap.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: SDL-devel zlib-devel which texi2html gnutls-devel cyrus-sasl-devel @@ -218,7 +195,7 @@ BuildRequires: pciutils-devel BuildRequires: pulseaudio-libs-devel BuildRequires: ncurses-devel BuildRequires: libattr-devel -BuildRequires: usbredir-devel +BuildRequires: usbredir-devel >= 0.4.1 BuildRequires: texinfo %ifarch %{ix86} x86_64 BuildRequires: spice-protocol >= 0.8.1 @@ -267,6 +244,13 @@ Requires: %{name}-img = %{epoch}:%{version}-%{release} Obsoletes: %{name}-system-ppc Obsoletes: %{name}-system-sparc +# Needed for F14->F16+ upgrade +# https://bugzilla.redhat.com/show_bug.cgi?id=694802 +Obsoletes: openbios-common +Obsoletes: openbios-ppc +Obsoletes: openbios-sparc32 +Obsoletes: openbios-sparc64 + %define qemudocdir %{_docdir}/%{name}-%{version} %description 
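Review bot: Removing the whole "Patches queued for 1.0.1 stable" block assumes every one of those fixes shipped in the 1.0.1 tarball, and two of them are security fixes whose presence is worth confirming rather than assuming: Patch26 (0026-e1000-bounds-packet-size-against-buffer-size.patch, the CVE-2012-0029 fix) and Patch27 (virtio-blk_refuse_SG_IO_requests_with_scsi_off.patch, the scsi=off hardening the deleted patch file ties to CVE-2011-4127). The e1000 fix is re-added later in this series as 0204-e1000-bounds-packet-size-against-buffer-size.patch, which suggests at least that one was not in the release; the virtio-blk patch file is deleted in this same commit and does not reappear in the later diffstat, so hw/virtio-blk.c in qemu-kvm-1.0.1 should be checked for the VIRTIO_BLK_F_SCSI guard before the file goes. A one-line spec comment per dropped security patch, e.g. `# <dropped patch>: superseded by upstream commit <commit id> in 1.0.1`, would make that decision auditable from the spec alone.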
@@ -312,9 +296,9 @@ Group: Development/Tools Requires(post): /usr/bin/getent Requires(post): /usr/sbin/groupadd Requires(post): /usr/sbin/useradd -Requires(post): /sbin/chkconfig -Requires(preun): /sbin/service /sbin/chkconfig -Requires(postun): /sbin/service +Requires(post): systemd-units +Requires(preun): systemd-units +Requires(postun): systemd-units %description common QEMU is a generic and open source processor emulator which achieves a good emulation speed by using dynamic translation. @@ -362,9 +346,8 @@ fi Summary: QEMU user mode emulation of qemu targets Group: Development/Tools Requires: %{name}-common = %{epoch}:%{version}-%{release} -Requires(post): /sbin/chkconfig -Requires(preun): /sbin/service /sbin/chkconfig -Requires(postun): /sbin/service +Requires(post): systemd-units +Requires(postun): systemd-units %description user QEMU is a generic and open source processor emulator which achieves a good emulation speed by using dynamic translation. @@ -454,33 +437,6 @@ such as kvm_stat. %prep %setup -q -n qemu-kvm-%{version} -%patch01 -p1 -%patch02 -p1 -%patch03 -p1 -%patch04 -p1 -%patch05 -p1 -%patch06 -p1 -%patch07 -p1 -%patch08 -p1 -%patch09 -p1 -%patch10 -p1 -%patch11 -p1 -%patch12 -p1 -%patch13 -p1 -%patch14 -p1 -%patch15 -p1 -%patch16 -p1 -%patch17 -p1 -%patch18 -p1 -%patch19 -p1 -%patch20 -p1 -%patch21 -p1 -%patch22 -p1 -%patch23 -p1 -%patch24 -p1 -%patch25 -p1 -%patch26 -p1 -%patch27 -p1 %patch101 -p1 %patch102 -p1 @@ -530,7 +486,6 @@ such as kvm_stat. %patch146 -p1 %patch147 -p1 -%patch201 -p1 %patch202 -p1 %patch301 -p1 @@ -581,6 +536,9 @@ such as kvm_stat. %patch508 -p1 %patch509 -p1 %patch510 -p1 +%patch511 -p1 +%patch512 -p1 +%patch513 -p1 %build 
@@ -816,39 +774,47 @@ rm -rf $RPM_BUILD_ROOT %ifarch %{ix86} x86_64 # load kvm modules now, so we can make sure no reboot is needed. # If there's already a kvm module installed, we don't mess with it -sh %{_sysconfdir}/sysconfig/modules/kvm.modules +sh %{_sysconfdir}/sysconfig/modules/kvm.modules || : %endif %post common +if [ $1 -eq 1 ] ; then + # Initial installation + /bin/systemctl enable ksm.service >/dev/null 2>&1 || : + /bin/systemctl enable ksmtuned.service >/dev/null 2>&1 || : +fi + getent group kvm >/dev/null || groupadd -g 36 -r kvm getent group qemu >/dev/null || groupadd -g 107 -r qemu getent passwd qemu >/dev/null || \ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \ -c "qemu user" qemu -/bin/systemctl enable ksm.service -/bin/systemctl enable ksmtuned.service - %preun common -if [ $1 -eq 0 ]; then - /bin/systemctl --system stop ksmtuned.service &>/dev/null || : - /bin/systemctl --system stop ksm.service &>/dev/null || : - /bin/systemctl disable ksmtuned.service - /bin/systemctl disable ksm.service +if [ $1 -eq 0 ] ; then + # Package removal, not upgrade + /bin/systemctl --no-reload disable ksmtuned.service > /dev/null 2>&1 || : + /bin/systemctl --no-reload disable ksm.service > /dev/null 2>&1 || : + /bin/systemctl stop ksmtuned.service > /dev/null 2>&1 || : + /bin/systemctl stop ksm.service > /dev/null 2>&1 || : fi %postun common -if [ $1 -ge 1 ]; then - /bin/systemctl --system try-restart ksm.service &>/dev/null || : - /bin/systemctl --system try-restart ksmtuned.service &>/dev/null || : +/bin/systemctl daemon-reload >/dev/null 2>&1 || : +if [ $1 -ge 1 ] ; then + # Package upgrade, not uninstall + /bin/systemctl try-restart ksmtuned.service >/dev/null 2>&1 || : + /bin/systemctl try-restart ksm.service >/dev/null 2>&1 || : fi + %post user /bin/systemctl --system try-restart systemd-binfmt.service &>/dev/null || : %postun user /bin/systemctl --system try-restart systemd-binfmt.service &>/dev/null || : + %files %defattr(-,root,root) 
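Review bot: The rewritten `%post`/`%preun`/`%postun common` scriptlets redirect with `>/dev/null 2>&1` and drop `--system`, while the unchanged `%post user` and `%postun user` lines in the same hunk still use `--system` and the bash-only `&>/dev/null`, leaving two idioms side by side in one region. Since the hunk already touches these lines, bringing them in line keeps one style and removes a construct that a non-bash /bin/sh would parse as a background job followed by a redirect: `/bin/systemctl try-restart systemd-binfmt.service >/dev/null 2>&1 || :`. Under Fedora's bash-as-sh this is harmless today, so it is a consistency point rather than a functional one.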
@@ -1012,6 +978,16 @@ fi %{_mandir}/man1/qemu-img.1* %changelog +* Sun Jul 29 2012 Cole Robinson - 1.0.1-2 +- Fix VNC audio tunnelling (bz 840653) +- CVE-2012-2652: Possible symlink attacks with -snapshot (bz 825697, bz + 824919) +- Fix systemtap tapsets (bz 831763) +- Don't renable ksm on update (bz 815156) +- Bump usbredir dep (bz 812097) +- Fix RPM install error on non-virt machines (bz 660629) +- Obsolete openbios to fix upgrade dependency issues (bz 694802) + * Wed Jul 18 2012 Cole Robinson - 1.0-18 - Fix fedora guest hang with virtio console (bz 837925) diff --git a/sources b/sources index c8f2676..438e28c 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -00a825db46a70ba8ef9fc95da9cc7c1e qemu-kvm-1.0.tar.gz +f23711fb9f3c70f802829b109ba9aa27 qemu-kvm-1.0.1.tar.gz diff --git a/virtio-blk_refuse_SG_IO_requests_with_scsi_off.patch b/virtio-blk_refuse_SG_IO_requests_with_scsi_off.patch deleted file mode 100644 index 277e740..0000000 --- a/virtio-blk_refuse_SG_IO_requests_with_scsi_off.patch +++ /dev/null 
@@ -1,111 +0,0 @@ -From qemu-stable-bounces+jmforbes=linuxtx.org@nongnu.org Wed Jan 11 03:51:20 2012 -Return-Path: -Received: from citysiren.linuxtx.org (localhost [127.0.0.1]) - by citysiren.linuxtx.org (8.14.4/8.14.4) with ESMTP id q0B9pIjw017454 - for ; Wed, 11 Jan 2012 03:51:20 -0600 -Delivered-To: jmforbes@linuxtx.org -Received: from gmail-pop.l.google.com [74.125.81.108] - by citysiren.linuxtx.org with POP3 (fetchmail-6.3.20) - for (single-drop); Wed, 11 Jan 2012 03:51:20 -0600 (CST) -Received: by 10.180.102.100 with SMTP id fn4cs34060wib; - Wed, 11 Jan 2012 01:48:56 -0800 (PST) -Received: by 10.224.182.2 with SMTP id ca2mr28967033qab.57.1326275334564; - Wed, 11 Jan 2012 01:48:54 -0800 (PST) -Received: from lists.gnu.org (lists.gnu.org. [140.186.70.17]) - by mx.google.com with ESMTPS id gc3si782557qab.44.2012.01.11.01.48.54 - (version=TLSv1/SSLv3 cipher=OTHER); - Wed, 11 Jan 2012 01:48:54 -0800 (PST) -Received-SPF: pass (google.com: domain of qemu-stable-bounces+jmforbes=linuxtx.org@nongnu.org designates 140.186.70.17 as permitted sender) client-ip=140.186.70.17; -Authentication-Results: mx.google.com; spf=pass (google.com: domain of qemu-stable-bounces+jmforbes=linuxtx.org@nongnu.org designates 140.186.70.17 as permitted sender) smtp.mail=qemu-stable-bounces+jmforbes=linuxtx.org@nongnu.org -Received: from localhost ([::1]:48473 helo=lists.gnu.org) - by lists.gnu.org with esmtp (Exim 4.71) - (envelope-from ) - id 1Rkund-0003iT-UQ - for jmforbes@linuxtx.org; Wed, 11 Jan 2012 04:48:53 -0500 -Received: from eggs.gnu.org ([140.186.70.92]:40037) - by lists.gnu.org with esmtp (Exim 4.71) - (envelope-from ) id 1RkunV-0003fY-Vl - for qemu-stable@nongnu.org; Wed, 11 Jan 2012 04:48:53 -0500 -Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) - (envelope-from ) id 1RkunQ-0004zL-Nl - for qemu-stable@nongnu.org; Wed, 11 Jan 2012 04:48:45 -0500 -Received: from mx1.redhat.com ([209.132.183.28]:23781) - by eggs.gnu.org with esmtp (Exim 4.71) - 
(envelope-from ) id 1RkunQ-0004vY-3c - for qemu-stable@nongnu.org; Wed, 11 Jan 2012 04:48:40 -0500 -Received: from int-mx11.intmail.prod.int.phx2.redhat.com - (int-mx11.intmail.prod.int.phx2.redhat.com [10.5.11.24]) - by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id q0B9mcYI005348 - (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) - for ; Wed, 11 Jan 2012 04:48:38 -0500 -Received: from yakj.usersys.redhat.com (ovpn-112-23.ams2.redhat.com - [10.36.112.23]) - by int-mx11.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP - id q0B9magG031084 - for ; Wed, 11 Jan 2012 04:48:37 -0500 -From: Paolo Bonzini -To: qemu-stable@nongnu.org -Date: Wed, 11 Jan 2012 10:48:33 +0100 -Message-Id: <1326275313-15635-1-git-send-email-pbonzini@redhat.com> -X-Scanned-By: MIMEDefang 2.68 on 10.5.11.24 -X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6 (newer, 3) -X-Received-From: 209.132.183.28 -Subject: [Qemu-stable] [PATCH] virtio-blk: refuse SG_IO requests with - scsi=off -X-BeenThere: qemu-stable@nongnu.org -X-Mailman-Version: 2.1.14 -Precedence: list -List-Id: -List-Unsubscribe: , - -List-Archive: -List-Post: -List-Help: -List-Subscribe: , - -Errors-To: qemu-stable-bounces+jmforbes=linuxtx.org@nongnu.org -Sender: qemu-stable-bounces+jmforbes=linuxtx.org@nongnu.org -X-UID: 32 -Status: RO -Content-Length: 1003 -Lines: 38 - -QEMU does have a "scsi" option (to be used like -device -virtio-blk-pci,drive=foo,scsi=off). However, it only -masks the feature bit, and does not reject the command -if a malicious guest disregards the feature bits and -issues a request. - -Without this patch, using scsi=off does not protect you -from CVE-2011-4127. 
- -Signed-off-by: Paolo Bonzini ---- - hw/virtio-blk.c | 6 ++++++ - 1 files changed, 6 insertions(+), 0 deletions(-) - -diff --git a/hw/virtio-blk.c b/hw/virtio-blk.c -index b70d116..6cd3164 100644 ---- a/hw/virtio-blk.c -+++ b/hw/virtio-blk.c -@@ -153,6 +153,12 @@ static void virtio_blk_handle_scsi(VirtIOBlockReq *req) - int status; - int i; - -+ if ((req->dev->vdev.guest_features & (1 << VIRTIO_BLK_F_SCSI)) == 0) { -+ virtio_blk_req_complete(req, VIRTIO_BLK_S_UNSUPP); -+ g_free(req); -+ return; -+ } -+ - /* - * We require at least one output segment each for the virtio_blk_outhdr - * and the SCSI command block. --- -1.7.7.1 - - - - - - From 8e54b56c40f5ec63b746a29ce44259997b98690b Mon Sep 17 00:00:00 2001 From: Cole Robinson Date: Sun, 29 Jul 2012 21:14:20 -0400 Subject: [PATCH 6/7] Fix systemtap backport --- qemu-fix-systemtap.patch | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/qemu-fix-systemtap.patch b/qemu-fix-systemtap.patch index 1ea1fc0..3191eec 100644 --- a/qemu-fix-systemtap.patch +++ b/qemu-fix-systemtap.patch 
@@ -1,16 +1,19 @@ -diff -rup qemu-kvm-1.0.1/scripts/tracetool foo/scripts/tracetool +diff -rup qemu-kvm-1.0.1/scripts/tracetool z/scripts/tracetool --- qemu-kvm-1.0.1/scripts/tracetool 2012-04-16 22:15:17.000000000 -0400 -+++ foo/scripts/tracetool 2012-07-29 20:46:52.628797169 -0400 -@@ -499,6 +499,12 @@ EOF - # 'limit' is a reserved keyword ++++ z/scripts/tracetool 2012-07-29 21:10:51.326868987 -0400 +@@ -500,6 +500,15 @@ EOF if [ "$arg" = "limit" ]; then arg="_limit" + fi + if [ "$arg" = "in" ]; then + arg="_in" ++ fi + if [ "$arg" = "next" ]; then + arg="_next" ++ fi + if [ "$arg" = "self" ]; then + arg="_self" - fi ++ fi cat < Date: Sun, 29 Jul 2012 21:15:19 -0400 Subject: [PATCH 7/7] CVE-2012-2652: Possible symlink attacks with -snapshot (bz 825697, bz 824919) Fix systemtap tapsets (bz 831763) Fix qmp response race caused by spice server bug (bz 744015) Fix text mode screendumps (bz 819155) Don't renable ksm on update (bz 815156) Fix RPM install error on non-virt machines (bz 660629) Obsolete openbios to fix upgrade dependency issues (bz 694802) --- ...overrun-in-handling-of-VSC_ATR-messa.patch | 42 ++++ 0201-qdev-Reset-hot-plugged-devices.patch | 39 ++++ ...MII-status-register-for-link-up-down.patch | 147 +++++++++++++ ...-Don-t-set-the-Capabilities-List-bit.patch | 43 ++++ ...unds-packet-size-against-buffer-size.patch | 45 ++++ ...-t-pass-NULL-pointer-to-SYS_signalfd.patch | 49 +++++ ...ring-kvm_flush_coalesced_mmio_buffer.patch | 60 ++++++ ...id-returns-garbage-if-p_name-is-NULL.patch | 36 ++++ 0208-block-Fix-bdrv_open-use-after-free.patch | 43 ++++ ...ff-by-one-error-in-array-index-check.patch | 34 +++ ...Fix-use-after-free-in-qemu_acl_reset.patch | 52 +++++ ...gration-flush-migration-data-to-disk.patch | 71 ++++++ 0212-Fix-X86-CPU-topology-in-KVM-mode.patch | 55 +++++ ...-missing-break-to-fix-buffer-overrun.patch | 37 ++++ ...-don-t-override-the-pci-subsystem-id.patch | 119 ++++++++++ ...-vvfat-Fix-potential-buffer-overflow.patch | 36 ++++ 
...on-t-use-depricated-gnutls-functions.patch | 116 ++++++++++ ...ment-a-flush-function-on-the-fd-hand.patch | 76 +++++++ ...output-and-input-streams-RHBZ-740493.patch | 51 +++++ ...utput-and-input-stream-states-RHBZ-7.patch | 172 +++++++++++++++ ...about-discarded-no-longer-allocated-.patch | 108 ++++++++++ 0221-vmdk-Improve-error-handling.patch | 79 +++++++ ...k-set-bs-read_only-before-.bdrv_open.patch | 52 +++++ ...nsole-Fix-rendering-of-VGA-underline.patch | 64 ++++++ ...itialization-of-the-Dynamic-Disk-Hea.patch | 48 +++++ ...bdrv_write_compressed-error-handling.patch | 93 ++++++++ ...itialize-across-bdrv_close-bdrv_open.patch | 55 +++++ 0227-qxl-stride-fixup.patch | 111 ++++++++++ 0228-vmdk-Fix-possible-segfaults.patch | 55 +++++ 0229-pc-Fix-floppy-drives-with-if-none.patch | 204 ++++++++++++++++++ ...Have-a-ram_addr_t-of-uint64-with-Xen.patch | 97 +++++++++ 0231-Error-check-find_ram_offset.patch | 58 +++++ 0232-pc-add-pc-0.15.patch | 73 +++++++ ...idx-compatibility-for-virtio-devices.patch | 95 ++++++++ ...e-call-to-oslib-posix.c-qemu_vmalloc.patch | 37 ++++ ...gn-properly-for-transparent-hugepage.patch | 61 ++++++ ...-checksum-back-to-footer-after-check.patch | 41 ++++ ...-bt-host-add-missing-break-statement.patch | 36 ++++ 0238-ds1338-Add-missing-break-statement.patch | 39 ++++ ...nused-parts-when-allocating-a-new-bl.patch | 70 ++++++ qemu-fix-non-PCI-target-build.patch | 53 ----- qemu-fix-systemtap.patch | 19 ++ qemu-fix-text-mode-screendumps.patch | 31 +++ qemu-snapshot-symlink-attack.patch | 93 ++++++++ qemu-spice-server-threading.patch | 73 +++++++ qemu-vhost-fix-dirty-page-handling.patch | 31 --- qemu.spec | 165 +++++++++++--- 47 files changed, 3153 insertions(+), 111 deletions(-) create mode 100644 0200-ccid-Fix-buffer-overrun-in-handling-of-VSC_ATR-messa.patch create mode 100644 0201-qdev-Reset-hot-plugged-devices.patch create mode 100644 0202-e1000-use-MII-status-register-for-link-up-down.patch create mode 100644 
0203-e1000-Don-t-set-the-Capabilities-List-bit.patch create mode 100644 0204-e1000-bounds-packet-size-against-buffer-size.patch create mode 100644 0205-compatfd.c-Don-t-pass-NULL-pointer-to-SYS_signalfd.patch create mode 100644 0206-kvm-avoid-reentring-kvm_flush_coalesced_mmio_buffer.patch create mode 100644 0207-vmdk-vmdk_read_cid-returns-garbage-if-p_name-is-NULL.patch create mode 100644 0208-block-Fix-bdrv_open-use-after-free.patch create mode 100644 0209-ide-Fix-off-by-one-error-in-array-index-check.patch create mode 100644 0210-acl-Fix-use-after-free-in-qemu_acl_reset.patch create mode 100644 0211-migration-flush-migration-data-to-disk.patch create mode 100644 0212-Fix-X86-CPU-topology-in-KVM-mode.patch create mode 100644 0213-hw-lan9118.c-Add-missing-break-to-fix-buffer-overrun.patch create mode 100644 0214-ac97-don-t-override-the-pci-subsystem-id.patch create mode 100644 0215-vvfat-Fix-potential-buffer-overflow.patch create mode 100644 0216-vns-tls-don-t-use-depricated-gnutls-functions.patch create mode 100644 0217-block-curl-Implement-a-flush-function-on-the-fd-hand.patch create mode 100644 0218-hda-do-not-mix-output-and-input-streams-RHBZ-740493.patch create mode 100644 0219-hda-do-not-mix-output-and-input-stream-states-RHBZ-7.patch create mode 100644 0220-Teach-block-vdi-about-discarded-no-longer-allocated-.patch create mode 100644 0221-vmdk-Improve-error-handling.patch create mode 100644 0222-block-set-bs-read_only-before-.bdrv_open.patch create mode 100644 0223-console-Fix-rendering-of-VGA-underline.patch create mode 100644 0224-block-Fix-vpc-initialization-of-the-Dynamic-Disk-Hea.patch create mode 100644 0225-qcow-Fix-bdrv_write_compressed-error-handling.patch create mode 100644 0226-block-reinitialize-across-bdrv_close-bdrv_open.patch create mode 100644 0227-qxl-stride-fixup.patch create mode 100644 0228-vmdk-Fix-possible-segfaults.patch create mode 100644 0229-pc-Fix-floppy-drives-with-if-none.patch create mode 100644 
0230-cpu-common-Have-a-ram_addr_t-of-uint64-with-Xen.patch create mode 100644 0231-Error-check-find_ram_offset.patch create mode 100644 0232-pc-add-pc-0.15.patch create mode 100644 0233-pc-fix-event_idx-compatibility-for-virtio-devices.patch create mode 100644 0234-Add-missing-trace-call-to-oslib-posix.c-qemu_vmalloc.patch create mode 100644 0235-qemu_vmalloc-align-properly-for-transparent-hugepage.patch create mode 100644 0236-block-vpc-write-checksum-back-to-footer-after-check.patch create mode 100644 0237-bt-host-add-missing-break-statement.patch create mode 100644 0238-ds1338-Add-missing-break-statement.patch create mode 100644 0239-block-vdi-Zero-unused-parts-when-allocating-a-new-bl.patch delete mode 100644 qemu-fix-non-PCI-target-build.patch create mode 100644 qemu-fix-systemtap.patch create mode 100644 qemu-fix-text-mode-screendumps.patch create mode 100644 qemu-snapshot-symlink-attack.patch create mode 100644 qemu-spice-server-threading.patch delete mode 100644 qemu-vhost-fix-dirty-page-handling.patch diff --git a/0200-ccid-Fix-buffer-overrun-in-handling-of-VSC_ATR-messa.patch b/0200-ccid-Fix-buffer-overrun-in-handling-of-VSC_ATR-messa.patch new file mode 100644 index 0000000..6a8d715 --- /dev/null +++ b/0200-ccid-Fix-buffer-overrun-in-handling-of-VSC_ATR-messa.patch 
@@ -0,0 +1,42 @@ +From 792733e8aa8565a0b49c80539d0bc7a0ac19aaff Mon Sep 17 00:00:00 2001 +From: Markus Armbruster +Date: Mon, 28 Nov 2011 20:27:37 +0100 +Subject: [PATCH] ccid: Fix buffer overrun in handling of VSC_ATR message +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +ATR size exceeding the limit is diagnosed, but then we merrily use it +anyway, overrunning card->atr[]. + +The message is read from a character device. Obvious security +implications unless the other end of the character device is trusted. + +Spotted by Coverity. CVE-2011-4111. + +Signed-off-by: Markus Armbruster +Signed-off-by: Anthony Liguori +(cherry picked from commit 7e62255a4b3e0e2ab84a3ec7398640e8ed58620a) + +Signed-off-by: Bruce Rogers +[AF: Fixes BNC#731086.] +Signed-off-by: Andreas Färber +--- + hw/ccid-card-passthru.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/hw/ccid-card-passthru.c b/hw/ccid-card-passthru.c +index 28eb9d1..0505663 100644 +--- a/hw/ccid-card-passthru.c ++++ b/hw/ccid-card-passthru.c +@@ -150,6 +150,7 @@ static void ccid_card_vscard_handle_message(PassthruState *card, + error_report("ATR size exceeds spec, ignoring"); + ccid_card_vscard_send_error(card, scr_msg_header->reader_id, + VSC_GENERAL_ERROR); ++ break; + } + memcpy(card->atr, data, scr_msg_header->length); + card->atr_length = scr_msg_header->length; +-- +1.7.11.2 + diff --git a/0201-qdev-Reset-hot-plugged-devices.patch b/0201-qdev-Reset-hot-plugged-devices.patch new file mode 100644 index 0000000..36d506e --- /dev/null +++ b/0201-qdev-Reset-hot-plugged-devices.patch 
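Review bot: The added `break;` only covers the path where the preceding `if` fired, and the bound that `if` tests is outside the hunk; the fix is complete only if that comparison is against a value no larger than `sizeof(card->atr)`, because `memcpy(card->atr, data, scr_msg_header->length)` is otherwise still reachable with a length the check let through. The enclosing switch (or loop) and the function start outside the hunk, so this cannot be confirmed from the patch itself. As the commit message says the message arrives over a character device, `scr_msg_header->length` is untrusted input; a comment above the memcpy such as `/* length was checked against the ATR limit above; oversized messages break out before this point */` would record the invariant for the next reader.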
@@ -0,0 +1,39 @@ +From c09233797d29cc18bc7d304ceeb8bef72f3acefb Mon Sep 17 00:00:00 2001 +From: Jan Kiszka +Date: Sun, 24 Jul 2011 19:38:36 +0200 +Subject: [PATCH] qdev: Reset hot-plugged devices +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Device models rely on the core invoking their reset handlers after init. +We do this in the cold-plug case, but so far we miss this step after +hot-plug. + +Signed-off-by: Jan Kiszka +Signed-off-by: Anthony Liguori +(cherry picked from commit 5ab28c8340f683121c081a181adfd9f72ab85cba) + +[AF: Fixes BNC#722958 / LTC#75394.] +Signed-off-by: Andreas Färber +--- + hw/qdev.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/hw/qdev.c b/hw/qdev.c +index a0fcd06..b4ea8e1 100644 +--- a/hw/qdev.c ++++ b/hw/qdev.c +@@ -289,6 +289,9 @@ int qdev_init(DeviceState *dev) + dev->alias_required_for_version); + } + dev->state = DEV_STATE_INITIALIZED; ++ if (dev->hotplugged && dev->info->reset) { ++ dev->info->reset(dev); ++ } + return 0; + } + +-- +1.7.11.2 + diff --git a/0202-e1000-use-MII-status-register-for-link-up-down.patch b/0202-e1000-use-MII-status-register-for-link-up-down.patch new file mode 100644 index 0000000..3f60fb3 --- /dev/null +++ b/0202-e1000-use-MII-status-register-for-link-up-down.patch 
@@ -0,0 +1,147 @@ +From 461473595d1dd1131cb060c460c87ca7b652939e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= +Date: Wed, 17 Aug 2011 11:03:14 +0200 +Subject: [PATCH] e1000: use MII status register for link up/down +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Some guests will use the standard MII status register +to verify link state. They will not notice link changes +unless this register is updated. + +Verified with Linux 3.0 and Windows XP guests. + +Without this patch, ethtool will report speed and duplex as +unknown when the link is down, but still report the link as +up. This is because the Linux e1000 driver checks the +mac_reg[STATUS] register link state before it checks speed +and duplex, but uses the phy_reg[PHY_STATUS] register for +the actual link state check. Fix by updating both registers +on link state changes. + +Linux guest before: + + (qemu) set_link e1000.0 off + + kvm-sid:~# ethtool eth0 + Settings for eth0: + Supported ports: [ TP ] + Supported link modes: 10baseT/Half 10baseT/Full + 100baseT/Half 100baseT/Full + 1000baseT/Full + Supports auto-negotiation: Yes + Advertised link modes: 10baseT/Half 10baseT/Full + 100baseT/Half 100baseT/Full + 1000baseT/Full + Advertised pause frame use: No + Advertised auto-negotiation: Yes + Speed: Unknown! + Duplex: Unknown! 
(255) + Port: Twisted Pair + PHYAD: 0 + Transceiver: internal + Auto-negotiation: on + MDI-X: Unknown + Supports Wake-on: umbg + Wake-on: d + Current message level: 0x00000007 (7) + drv probe link + Link detected: yes + + (qemu) set_link e1000.0 on + +Linux guest after: + + (qemu) set_link e1000.0 off + [ 63.384221] e1000: eth0 NIC Link is Down + + kvm-sid:~# ethtool eth0 + Settings for eth0: + Supported ports: [ TP ] + Supported link modes: 10baseT/Half 10baseT/Full + 100baseT/Half 100baseT/Full + 1000baseT/Full + Supports auto-negotiation: Yes + Advertised link modes: 10baseT/Half 10baseT/Full + 100baseT/Half 100baseT/Full + 1000baseT/Full + Advertised pause frame use: No + Advertised auto-negotiation: Yes + Speed: Unknown! + Duplex: Unknown! (255) + Port: Twisted Pair + PHYAD: 0 + Transceiver: internal + Auto-negotiation: on + MDI-X: Unknown + Supports Wake-on: umbg + Wake-on: d + Current message level: 0x00000007 (7) + drv probe link + Link detected: no + + (qemu) set_link e1000.0 on + [ 84.304582] e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX + +Signed-off-by: Bjørn Mork +Signed-off-by: Anthony Liguori +(cherry picked from commit d4044c2a6b9ba4a00dd653f515a4b0ebfcb7e125) + +Signed-off-by: Andreas Färber +--- + hw/e1000.c | 7 +++++-- + hw/e1000_hw.h | 17 +++++++++++++++++ + 2 files changed, 22 insertions(+), 2 deletions(-) + +diff --git a/hw/e1000.c b/hw/e1000.c +index 96d84f9..e4d9ab5 100644 +--- a/hw/e1000.c ++++ b/hw/e1000.c +@@ -624,10 +624,13 @@ e1000_set_link_status(VLANClientState *nc) + E1000State *s = DO_UPCAST(NICState, nc, nc)->opaque; + uint32_t old_status = s->mac_reg[STATUS]; + +- if (nc->link_down) ++ if (nc->link_down) { + s->mac_reg[STATUS] &= ~E1000_STATUS_LU; +- else ++ s->phy_reg[PHY_STATUS] &= ~MII_SR_LINK_STATUS; ++ } else { + s->mac_reg[STATUS] |= E1000_STATUS_LU; ++ s->phy_reg[PHY_STATUS] |= MII_SR_LINK_STATUS; ++ } + + if (s->mac_reg[STATUS] != old_status) + set_ics(s, 0, E1000_ICR_LSC); +diff --git a/hw/e1000_hw.h 
b/hw/e1000_hw.h +index 9bd8a4b..2e341ac 100644 +--- a/hw/e1000_hw.h ++++ b/hw/e1000_hw.h +@@ -349,6 +349,23 @@ + #define M88E1000_PHY_VCO_REG_BIT8 0x100 /* Bits 8 & 11 are adjusted for */ + #define M88E1000_PHY_VCO_REG_BIT11 0x800 /* improved BER performance */ + ++/* PHY Status Register */ ++#define MII_SR_EXTENDED_CAPS 0x0001 /* Extended register capabilities */ ++#define MII_SR_JABBER_DETECT 0x0002 /* Jabber Detected */ ++#define MII_SR_LINK_STATUS 0x0004 /* Link Status 1 = link */ ++#define MII_SR_AUTONEG_CAPS 0x0008 /* Auto Neg Capable */ ++#define MII_SR_REMOTE_FAULT 0x0010 /* Remote Fault Detect */ ++#define MII_SR_AUTONEG_COMPLETE 0x0020 /* Auto Neg Complete */ ++#define MII_SR_PREAMBLE_SUPPRESS 0x0040 /* Preamble may be suppressed */ ++#define MII_SR_EXTENDED_STATUS 0x0100 /* Ext. status info in Reg 0x0F */ ++#define MII_SR_100T2_HD_CAPS 0x0200 /* 100T2 Half Duplex Capable */ ++#define MII_SR_100T2_FD_CAPS 0x0400 /* 100T2 Full Duplex Capable */ ++#define MII_SR_10T_HD_CAPS 0x0800 /* 10T Half Duplex Capable */ ++#define MII_SR_10T_FD_CAPS 0x1000 /* 10T Full Duplex Capable */ ++#define MII_SR_100X_HD_CAPS 0x2000 /* 100X Half Duplex Capable */ ++#define MII_SR_100X_FD_CAPS 0x4000 /* 100X Full Duplex Capable */ ++#define MII_SR_100T4_CAPS 0x8000 /* 100T4 Capable */ ++ + /* Interrupt Cause Read */ + #define E1000_ICR_TXDW 0x00000001 /* Transmit desc written back */ + #define E1000_ICR_TXQE 0x00000002 /* Transmit Queue empty */ +-- +1.7.11.2 + diff --git a/0203-e1000-Don-t-set-the-Capabilities-List-bit.patch b/0203-e1000-Don-t-set-the-Capabilities-List-bit.patch new file mode 100644 index 0000000..6c174ec --- /dev/null +++ b/0203-e1000-Don-t-set-the-Capabilities-List-bit.patch 
@@ -0,0 +1,43 @@ +From fe7f7d7ae7114fb220ed258e249f9a63834f6fa6 Mon Sep 17 00:00:00 2001 +From: dann frazier +Date: Wed, 21 Sep 2011 14:06:25 -0600 +Subject: [PATCH] e1000: Don't set the Capabilities List bit +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[Originally sent to qemu-kvm list, but I was redirected here] + +The Capabilities Pointer is NULL, so this bit shouldn't be set. The state of +this bit doesn't appear to change any behavior on Linux/Windows versions we've +tested, but it does cause Windows' PCI/PCI Express Compliance Test to balk. + +I happen to have a physical 82540EM controller, and it also sets the +Capabilities Bit, but it actually has items on the capabilities list to go +with it :) + +Signed-off-by: dann frazier +Signed-off-by: Anthony Liguori +(cherry picked from commit dd8e93799f13ef82d83c185b8e71e049452f7d40) + +Signed-off-by: Andreas Färber +--- + hw/e1000.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/hw/e1000.c b/hw/e1000.c +index e4d9ab5..7971457 100644 +--- a/hw/e1000.c ++++ b/hw/e1000.c +@@ -1167,8 +1167,6 @@ static int pci_e1000_init(PCIDevice *pci_dev) + + pci_conf = d->dev.config; + +- /* TODO: we have no capabilities, so why is this bit set? */ +- pci_set_word(pci_conf + PCI_STATUS, PCI_STATUS_CAP_LIST); + /* TODO: RST# value should be 0, PCI spec 6.2.4 */ + pci_conf[PCI_CACHE_LINE_SIZE] = 0x10; + +-- +1.7.11.2 + diff --git a/0204-e1000-bounds-packet-size-against-buffer-size.patch b/0204-e1000-bounds-packet-size-against-buffer-size.patch new file mode 100644 index 0000000..f616bf7 --- /dev/null +++ b/0204-e1000-bounds-packet-size-against-buffer-size.patch 
@@ -0,0 +1,45 @@ +From 078c531e6b57f36359b74ea6c136c2ea1b5a9891 Mon Sep 17 00:00:00 2001 +From: Anthony Liguori +Date: Mon, 23 Jan 2012 07:30:43 -0600 +Subject: [PATCH] e1000: bounds packet size against buffer size +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Otherwise we can write beyond the buffer and corrupt memory. This is tracked +as CVE-2012-0029. + +Signed-off-by: Anthony Liguori +(cherry picked from commit 65f82df0d7a71ce1b10cd4c5ab08888d176ac840) + +Signed-off-by: Bruce Rogers +[AF: stable-0.15 does not have pci_dma_read(). Fixes BNC#740165.] +Signed-off-by: Andreas Färber +--- + hw/e1000.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/hw/e1000.c b/hw/e1000.c +index 7971457..c91790b 100644 +--- a/hw/e1000.c ++++ b/hw/e1000.c +@@ -472,6 +472,8 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp) + bytes = split_size; + if (tp->size + bytes > msh) + bytes = msh - tp->size; ++ ++ bytes = MIN(sizeof(tp->data) - tp->size, bytes); + cpu_physical_memory_read(addr, tp->data + tp->size, bytes); + if ((sz = tp->size + bytes) >= hdr && tp->size < hdr) + memmove(tp->header, tp->data, hdr); +@@ -487,6 +489,7 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp) + // context descriptor TSE is not set, while data descriptor TSE is set + DBGOUT(TXERR, "TCP segmentaion Error\n"); + } else { ++ split_size = MIN(sizeof(tp->data) - tp->size, split_size); + cpu_physical_memory_read(addr, tp->data + tp->size, split_size); + tp->size += split_size; + } +-- +1.7.11.2 + diff --git a/0205-compatfd.c-Don-t-pass-NULL-pointer-to-SYS_signalfd.patch b/0205-compatfd.c-Don-t-pass-NULL-pointer-to-SYS_signalfd.patch new file mode 100644 index 0000000..1c3b7ea --- /dev/null +++ b/0205-compatfd.c-Don-t-pass-NULL-pointer-to-SYS_signalfd.patch 
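Review bot: The two new `MIN(sizeof(tp->data) - tp->size, ...)` clamps silently truncate the descriptor's data when it would overrun `tp->data`, so a guest presenting oversized frames leaves no trace in the logs; emitting `DBGOUT(TXERR, "tx data exceeds buffer, truncating\n");` when the clamp actually reduces the value would make the condition observable in the same way the TSE mismatch just above already is. The subtraction `sizeof(tp->data) - tp->size` also assumes `tp->size` never exceeds `sizeof(tp->data)`; that holds if these two reads are the only places that advance it, which the hunk cannot show since process_tx_desc begins and ends outside it. A short comment on the first clamp, e.g. `/* never read past the end of tp->data regardless of what the descriptor claims */`, would state the intent of both lines.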
@@ -0,0 +1,49 @@ +From 89409a7eee1d25a91c31402fdb35d8554e3a99d0 Mon Sep 17 00:00:00 2001 +From: Peter Maydell +Date: Thu, 13 Oct 2011 18:45:37 +0100 +Subject: [PATCH] compatfd.c: Don't pass NULL pointer to SYS_signalfd +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Don't pass a NULL pointer in to SYS_signalfd in qemu_signalfd_available(): +this isn't valid and Valgrind complains about it. + +Signed-off-by: Peter Maydell +Reviewed-by: Stefan Hajnoczi +Signed-off-by: Andrzej Zaborowski +(cherry picked from commit 7f84c1272b601be88daeb828ec1890890c7aae25) + +Signed-off-by: Bruce Rogers +Signed-off-by: Andreas Färber +--- + compatfd.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/compatfd.c b/compatfd.c +index 31654c6..02306a4 100644 +--- a/compatfd.c ++++ b/compatfd.c +@@ -119,9 +119,17 @@ int qemu_signalfd(const sigset_t *mask) + bool qemu_signalfd_available(void) + { + #ifdef CONFIG_SIGNALFD ++ sigset_t mask; ++ int fd; ++ bool ok; ++ sigemptyset(&mask); + errno = 0; +- syscall(SYS_signalfd, -1, NULL, _NSIG / 8); +- return errno != ENOSYS; ++ fd = syscall(SYS_signalfd, -1, &mask, _NSIG / 8); ++ ok = (errno != ENOSYS); ++ if (fd >= 0) { ++ close(fd); ++ } ++ return ok; + #else + return false; + #endif +-- +1.7.11.2 + diff --git a/0206-kvm-avoid-reentring-kvm_flush_coalesced_mmio_buffer.patch b/0206-kvm-avoid-reentring-kvm_flush_coalesced_mmio_buffer.patch new file mode 100644 index 0000000..cfe02b4 --- /dev/null +++ b/0206-kvm-avoid-reentring-kvm_flush_coalesced_mmio_buffer.patch 
@@ -0,0 +1,60 @@ +From 479c2a6a296d4fafc713746bf96127c1b20c381e Mon Sep 17 00:00:00 2001 +From: Avi Kivity +Date: Tue, 18 Oct 2011 19:43:12 +0200 +Subject: [PATCH] kvm: avoid reentring kvm_flush_coalesced_mmio_buffer() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +mmio callbacks invoked by kvm_flush_coalesced_mmio_buffer() may +themselves indirectly call kvm_flush_coalesced_mmio_buffer(). +Prevent reentering the function by checking a flag that indicates +we're processing coalesced mmio requests. + +Signed-off-by: Avi Kivity +(cherry picked from commit 1cae88b9f4121c9af0bf677435c6129e643280fd) + +Signed-off-by: Bruce Rogers +Signed-off-by: Andreas Färber +--- + kvm-all.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/kvm-all.c b/kvm-all.c +index cbc2532..26621d0 100644 +--- a/kvm-all.c ++++ b/kvm-all.c +@@ -64,6 +64,7 @@ struct KVMState + int vmfd; + int coalesced_mmio; + struct kvm_coalesced_mmio_ring *coalesced_mmio_ring; ++ bool coalesced_flush_in_progress; + int broken_set_mem_region; + int migration_log; + int vcpu_events; +@@ -876,6 +877,13 @@ static int kvm_handle_internal_error(CPUState *env, struct kvm_run *run) + void kvm_flush_coalesced_mmio_buffer(void) + { + KVMState *s = kvm_state; ++ ++ if (s->coalesced_flush_in_progress) { ++ return; ++ } ++ ++ s->coalesced_flush_in_progress = true; ++ + if (s->coalesced_mmio_ring) { + struct kvm_coalesced_mmio_ring *ring = s->coalesced_mmio_ring; + while (ring->first != ring->last) { +@@ -888,6 +896,8 @@ void kvm_flush_coalesced_mmio_buffer(void) + ring->first = (ring->first + 1) % KVM_COALESCED_MMIO_MAX; + } + } ++ ++ s->coalesced_flush_in_progress = false; + } + + static void do_kvm_cpu_synchronize_state(void *_env) +-- +1.7.11.2 + diff --git a/0207-vmdk-vmdk_read_cid-returns-garbage-if-p_name-is-NULL.patch b/0207-vmdk-vmdk_read_cid-returns-garbage-if-p_name-is-NULL.patch new file mode 100644 index 0000000..7f6b622 --- /dev/null 
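Review bot: The new `coalesced_flush_in_progress` member carries no comment and the hunk never initialises it; the early return relies on it being false when KVMState is created, which presumably comes from a zeroing allocator in the init path (not visible here) — worth confirming, because a stale true would silently drop every later flush. Suggest documenting it in struct KVMState: `bool coalesced_flush_in_progress; /* set while draining coalesced_mmio_ring: mmio callbacks may re-enter kvm_flush_coalesced_mmio_buffer() */`. The reset to false sits after the `if (s->coalesced_mmio_ring)` block, so any early return added inside the drain loop later must also clear it.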
+++ b/0207-vmdk-vmdk_read_cid-returns-garbage-if-p_name-is-NULL.patch
@@ -0,0 +1,36 @@
+From 1b09be835d853b8fd591e1f5de29ae20ed405722 Mon Sep 17 00:00:00 2001
+From: Pavel Borzenkov
+Date: Tue, 18 Oct 2011 21:19:03 +0400
+Subject: [PATCH] vmdk: vmdk_read_cid returns garbage if p_name is NULL
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Spotted by Clang Analyzer
+
+Signed-off-by: Pavel Borzenkov
+Signed-off-by: Stefan Hajnoczi
+(cherry picked from commit 8379e46d1fd681b8aa4714382e2cdab05e5d0575)
+
+Signed-off-by: Bruce Rogers
+Signed-off-by: Andreas Färber
+---
+ block/vmdk.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/block/vmdk.c b/block/vmdk.c
+index 37478d2..b5caa40 100644
+--- a/block/vmdk.c
++++ b/block/vmdk.c
+@@ -177,7 +177,7 @@ static void vmdk_free_extents(BlockDriverState *bs)
+ static uint32_t vmdk_read_cid(BlockDriverState *bs, int parent)
+ {
+ char desc[DESC_SIZE];
+- uint32_t cid;
++ uint32_t cid = 0xffffffff;
+ const char *p_name, *cid_str;
+ size_t cid_str_size;
+ BDRVVmdkState *s = bs->opaque;
+--
+1.7.11.2
+
diff --git a/0208-block-Fix-bdrv_open-use-after-free.patch b/0208-block-Fix-bdrv_open-use-after-free.patch
new file mode 100644
index 0000000..ff9c621
--- /dev/null
+++ b/0208-block-Fix-bdrv_open-use-after-free.patch
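Review bot: `0xffffffff` now serves both as the value returned when no CID line is found and as a value a descriptor could legitimately contain, and nothing in the hunk says which meaning callers should assume; the rest of vmdk_read_cid is outside the hunk. A short comment on the initialiser would record the contract, e.g. `uint32_t cid = 0xffffffff; /* returned when the descriptor has no (parent)CID entry — confirm callers treat it as "no CID" */`. If the callers already compare against a named constant, using that constant here instead of the literal would keep them in sync.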
@@ -0,0 +1,43 @@ +From 72e8677ee72152245f5dc222a85f83a6a382efe8 Mon Sep 17 00:00:00 2001 +From: Kevin Wolf +Date: Wed, 26 Oct 2011 11:03:01 +0200 +Subject: [PATCH] block: Fix bdrv_open use after free +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +tmp_filename was used outside the block it was defined in, i.e. after it went +out of scope. Move its declaration to the top level. + +Signed-off-by: Kevin Wolf +(cherry picked from commit 2b5728164fcf5211bbae8d3c2fc6df62dd6b2295) + +Signed-off-by: Bruce Rogers +Signed-off-by: Andreas Färber +--- + block.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/block.c b/block.c +index 9549b9e..4ebb18b 100644 +--- a/block.c ++++ b/block.c +@@ -526,6 +526,7 @@ int bdrv_open(BlockDriverState *bs, const char *filename, int flags, + BlockDriver *drv) + { + int ret; ++ char tmp_filename[PATH_MAX]; + + if (flags & BDRV_O_SNAPSHOT) { + BlockDriverState *bs1; +@@ -533,7 +534,6 @@ int bdrv_open(BlockDriverState *bs, const char *filename, int flags, + int is_protocol = 0; + BlockDriver *bdrv_qcow2; + QEMUOptionParameter *options; +- char tmp_filename[PATH_MAX]; + char backing_filename[PATH_MAX]; + + /* if snapshot, we create a temporary backing file and open it +-- +1.7.11.2 + diff --git a/0209-ide-Fix-off-by-one-error-in-array-index-check.patch b/0209-ide-Fix-off-by-one-error-in-array-index-check.patch new file mode 100644 index 0000000..282d5a5 --- /dev/null +++ b/0209-ide-Fix-off-by-one-error-in-array-index-check.patch 
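Review bot: Hoisting `tmp_filename` to function scope fixes the dangling use but leaves it uninitialised on the non-snapshot path; whether every later read of it is still guarded by `flags & BDRV_O_SNAPSHOT` is outside the hunk and worth checking, since a stray read would now return stack garbage rather than a dead frame. Initialising it as `char tmp_filename[PATH_MAX] = "";` is cheap and turns such a read into a benign empty string. bdrv_open continues outside the hunk.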
@@ -0,0 +1,34 @@
+From 99f6b4ed1c345b144b0f052974cb470036418020 Mon Sep 17 00:00:00 2001
+From: Kevin Wolf
+Date: Wed, 26 Oct 2011 11:52:47 +0200
+Subject: [PATCH] ide: Fix off-by-one error in array index check
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Kevin Wolf
+Reviewed-by: Paolo Bonzini
+(cherry picked from commit fb60105d4942a26f571b1be92a8b9e7528d0c4d8)
+
+Signed-off-by: Bruce Rogers
+Signed-off-by: Andreas Färber
+---
+ hw/ide/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/ide/core.c b/hw/ide/core.c
+index d145b19..9bc446e 100644
+--- a/hw/ide/core.c
++++ b/hw/ide/core.c
+@@ -1933,7 +1933,7 @@ static int ide_drive_pio_post_load(void *opaque, int version_id)
+ {
+ IDEState *s = opaque;
+
+- if (s->end_transfer_fn_idx > ARRAY_SIZE(transfer_end_table)) {
++ if (s->end_transfer_fn_idx >= ARRAY_SIZE(transfer_end_table)) {
+ return -EINVAL;
+ }
+ s->end_transfer_func = transfer_end_table[s->end_transfer_fn_idx];
+--
+1.7.11.2
+
diff --git a/0210-acl-Fix-use-after-free-in-qemu_acl_reset.patch b/0210-acl-Fix-use-after-free-in-qemu_acl_reset.patch
new file mode 100644
index 0000000..e86dd11
--- /dev/null
+++ b/0210-acl-Fix-use-after-free-in-qemu_acl_reset.patch
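Review bot: The corrected check validates a value that arrives from the migration stream, and its safety against negative values depends on the declared type of `end_transfer_fn_idx`, which is outside the hunk: if it is a signed `int`, comparing it with the `size_t` result of `ARRAY_SIZE()` converts it to unsigned, so negatives are rejected as huge indices — correct, but only through an implicit conversion. Make the intent explicit so a future type change cannot reopen the hole, e.g. `if (s->end_transfer_fn_idx < 0 || s->end_transfer_fn_idx >= ARRAY_SIZE(transfer_end_table)) {` when the field is signed (or a cast to `unsigned`), with a one-line comment that the index is untrusted post_load input.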
@@ -0,0 +1,52 @@ +From fa9ad46e1a4b3707a465bccf6f4431db7a647a08 Mon Sep 17 00:00:00 2001 +From: Markus Armbruster +Date: Fri, 28 Oct 2011 17:07:02 +0200 +Subject: [PATCH] acl: Fix use after free in qemu_acl_reset() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Reproducer: + + $ MALLOC_PERTURB_=234 qemu-system-x86_64 -vnc :0,acl,sasl [...] + QEMU 0.15.50 monitor - type 'help' for more information + (qemu) acl_add vnc.username fred allow + acl: added rule at position 1 + (qemu) acl_reset vnc.username + Segmentation fault (core dumped) + +Spotted by Coverity. + +Signed-off-by: Markus Armbruster +Signed-off-by: Stefan Hajnoczi +(cherry picked from commit 0ce6a434176e274a7e86bcaa268542c5cc402696) + +Signed-off-by: Bruce Rogers +Signed-off-by: Andreas Färber +--- + acl.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/acl.c b/acl.c +index 82c2704..cae059f 100644 +--- a/acl.c ++++ b/acl.c +@@ -95,13 +95,13 @@ int qemu_acl_party_is_allowed(qemu_acl *acl, + + void qemu_acl_reset(qemu_acl *acl) + { +- qemu_acl_entry *entry; ++ qemu_acl_entry *entry, *next_entry; + + /* Put back to deny by default, so there is no window + * of "open access" while the user re-initializes the + * access control list */ + acl->defaultDeny = 1; +- QTAILQ_FOREACH(entry, &acl->entries, next) { ++ QTAILQ_FOREACH_SAFE(entry, &acl->entries, next, next_entry) { + QTAILQ_REMOVE(&acl->entries, entry, next); + free(entry->match); + free(entry); +-- +1.7.11.2 + diff --git a/0211-migration-flush-migration-data-to-disk.patch b/0211-migration-flush-migration-data-to-disk.patch new file mode 100644 index 0000000..41a628d --- /dev/null +++ b/0211-migration-flush-migration-data-to-disk.patch 
@@ -0,0 +1,71 @@ +From 06400ebc136bf44f1fa423159fae9cc9a4f6839d Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Thu, 27 Oct 2011 09:12:04 +0200 +Subject: [PATCH] migration: flush migration data to disk. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This patch increases robustness when migrating to a file with +two little changes: + + (1) Before closing the migration file handle checks if it happens to be + a regular file and if so it issues a fsync. This way the data is + flushed to disk before qemu sends the migration completed event. + (2) It adds error checking. In case either fsync or close syscall + fails pass up the error (and fail migration). + +[ v2: return -errno instead of -1 ] + +Cc: Juan Quintela +Cc: Jiri Denemark +Signed-off-by: Gerd Hoffmann +Signed-off-by: Anthony Liguori +(cherry picked from commit aab2293687ee54a409f3fb53a1ab3595b595e0fb) + +Signed-off-by: Bruce Rogers +Signed-off-by: Andreas Färber +--- + migration-fd.c | 23 ++++++++++++++++++++++- + 1 file changed, 22 insertions(+), 1 deletion(-) + +diff --git a/migration-fd.c b/migration-fd.c +index 66d51c1..f986bdf 100644 +--- a/migration-fd.c ++++ b/migration-fd.c +@@ -42,10 +42,31 @@ static int fd_write(FdMigrationState *s, const void * buf, size_t size) + + static int fd_close(FdMigrationState *s) + { ++ struct stat st; ++ int ret; ++ + DPRINTF("fd_close\n"); + if (s->fd != -1) { +- close(s->fd); ++ ret = fstat(s->fd, &st); ++ if (ret == 0 && S_ISREG(st.st_mode)) { ++ /* ++ * If the file handle is a regular file make sure the ++ * data is flushed to disk before signaling success. ++ */ ++ ret = fsync(s->fd); ++ if (ret != 0) { ++ ret = -errno; ++ perror("migration-fd: fsync"); ++ return ret; ++ } ++ } ++ ret = close(s->fd); + s->fd = -1; ++ if (ret != 0) { ++ ret = -errno; ++ perror("migration-fd: close"); ++ return ret; ++ } + } + return 0; + } +-- +1.7.11.2 + 
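Review bot: On the fsync failure path the function returns without closing `s->fd` and without resetting it to -1, so a failed flush leaks the descriptor and leaves the state pointing at an fd that a later fd_close() would try to close again; the close-failure path below gets this right by clearing `s->fd` before testing `ret`. Release the descriptor before returning the fsync error, keeping `ret` as the value reported: `perror("migration-fd: fsync"); close(s->fd); s->fd = -1; return ret;`. Capturing `ret = -errno` before the `perror()` call is the right order and should stay that way.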
diff --git a/0212-Fix-X86-CPU-topology-in-KVM-mode.patch b/0212-Fix-X86-CPU-topology-in-KVM-mode.patch new file mode 100644 index 0000000..444b80a --- /dev/null +++ b/0212-Fix-X86-CPU-topology-in-KVM-mode.patch 
@@ -0,0 +1,55 @@ +From 7a890dc5d4e79e4ced03aa9d3665c9a1df3e448e Mon Sep 17 00:00:00 2001 +From: Bharata B Rao +Date: Wed, 2 Nov 2011 14:16:08 +0530 +Subject: [PATCH] Fix X86 CPU topology in KVM mode +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +apic id returned to guest kernel in ebx for cpuid(function=1) depends on +CPUX86State->cpuid_apic_id which gets populated after the cpuid information +is cached in the host kernel. This results in broken CPU topology in guest. + +Fix this by setting cpuid_apic_id before cpuid information is passed to +the host kernel. This is done by moving the setting of cpuid_apic_id +to cpu_x86_init() where it will work for both KVM as well as TCG modes. + +Acked-by: Jan Kiszka +Signed-off-by: Bharata B Rao +Signed-off-by: Anthony Liguori +(cherry picked from commit f2209eb854a016eabc444b45f6d6b1636949141f) + +Signed-off-by: Bruce Rogers +Signed-off-by: Andreas Färber +--- + hw/pc.c | 1 - + target-i386/helper.c | 1 + + 2 files changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/pc.c b/hw/pc.c +index a3e8539..14ce684 100644 +--- a/hw/pc.c ++++ b/hw/pc.c +@@ -931,7 +931,6 @@ static CPUState *pc_new_cpu(const char *cpu_model) + exit(1); + } + if ((env->cpuid_features & CPUID_APIC) || smp_cpus > 1) { +- env->cpuid_apic_id = env->cpu_index; + env->apic_state = apic_init(env, env->cpuid_apic_id); + } + qemu_register_reset(pc_cpu_reset, env); +diff --git a/target-i386/helper.c b/target-i386/helper.c +index e9be104..829c1da 100644 +--- a/target-i386/helper.c ++++ b/target-i386/helper.c +@@ -1258,6 +1258,7 @@ CPUX86State *cpu_x86_init(const char *cpu_model) + cpu_x86_close(env); + return NULL; + } ++ env->cpuid_apic_id = env->cpu_index; + mce_init(env); + + qemu_init_vcpu(env); +-- +1.7.11.2 + diff --git a/0213-hw-lan9118.c-Add-missing-break-to-fix-buffer-overrun.patch b/0213-hw-lan9118.c-Add-missing-break-to-fix-buffer-overrun.patch new file mode 100644 index 0000000..2523e90 --- /dev/null 
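Review bot: `env->cpuid_apic_id = env->cpu_index;` now runs unconditionally in cpu_x86_init, whereas the removed pc_new_cpu line ran only under `(env->cpuid_features & CPUID_APIC) || smp_cpus > 1`; the ordering constraint that motivates the move is stated only in the commit message, not in the code. Add a comment on the new line, e.g. `/* must precede qemu_init_vcpu(): the cpuid data cached by the host kernel takes the apic id from here */`, so the assignment is not moved below `qemu_init_vcpu(env);` again. Both enclosing functions continue outside the hunks.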
+++ b/0213-hw-lan9118.c-Add-missing-break-to-fix-buffer-overrun.patch
@@ -0,0 +1,37 @@
+From e9552556f514b334b78ed56e32b4af366b429a0b Mon Sep 17 00:00:00 2001
+From: Peter Maydell
+Date: Wed, 9 Nov 2011 18:59:54 +0000
+Subject: [PATCH] hw/lan9118.c: Add missing 'break' to fix buffer overrun
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Add a missing 'break' statement to fix a buffer overrun when
+executing the EEPROM write-all command. Spotted by Coverity
+(see bug 887883).
+
+Signed-off-by: Peter Maydell
+Signed-off-by: Stefan Hajnoczi
+(cherry picked from commit 0e3b800e71cb7759d099eabbd8ad4c4fe848e381)
+
+Signed-off-by: Bruce Rogers
+Signed-off-by: Andreas Färber
+---
+ hw/lan9118.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/lan9118.c b/hw/lan9118.c
+index 73a8661..494b11d 100644
+--- a/hw/lan9118.c
++++ b/hw/lan9118.c
+@@ -863,6 +863,7 @@ static void lan9118_eeprom_cmd(lan9118_state *s, int cmd, int addr)
+ } else {
+ DPRINTF("EEPROM Write All (ignored)\n");
+ }
++ break;
+ case 5: /* ERASE */
+ if (s->eeprom_writable) {
+ s->eeprom[addr] = 0xff;
+--
+1.7.11.2
+
diff --git a/0214-ac97-don-t-override-the-pci-subsystem-id.patch b/0214-ac97-don-t-override-the-pci-subsystem-id.patch
new file mode 100644
index 0000000..f42640e
--- /dev/null
+++ b/0214-ac97-don-t-override-the-pci-subsystem-id.patch
@@ -0,0 +1,119 @@ +From 498a3d8b7d28b8c114d65d9db5ccf3e96e2458f1 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Mon, 7 Nov 2011 16:33:09 +0100 +Subject: [PATCH] ac97: don't override the pci subsystem id +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This patch removes the code lines which set the subsystem id for the +emulated ac97 card to 8086:0000. Due to the device id being zero the +subsystem id isn't vaild anyway. With the patch applied the sound card +gets the default qemu subsystem id (1af4:1100) instead. + +[ v2: old & broken id is maintained for -M pc-$oldqemuversion ] + +Cc: Takashi Iwai +Signed-off-by: Gerd Hoffmann +Signed-off-by: Anthony Liguori +(cherry picked from commit 25a21c94c0055e078acb7f7455e66c8a15f32385) + +Signed-off-by: Bruce Rogers +Signed-off-by: Andreas Färber +--- + hw/ac97.c | 16 +++++++++++----- + hw/pc_piix.c | 16 ++++++++++++++++ + 2 files changed, 27 insertions(+), 5 deletions(-) + +diff --git a/hw/ac97.c b/hw/ac97.c +index 0b59896..a039481 100644 +--- a/hw/ac97.c ++++ b/hw/ac97.c +@@ -149,6 +149,7 @@ typedef struct AC97BusMasterRegs { + typedef struct AC97LinkState { + PCIDevice dev; + QEMUSoundCard card; ++ uint32_t use_broken_id; + uint32_t glob_cnt; + uint32_t glob_sta; + uint32_t cas; +@@ -1301,11 +1302,12 @@ static int ac97_initfn (PCIDevice *dev) + c[PCI_BASE_ADDRESS_0 + 6] = 0x00; + c[PCI_BASE_ADDRESS_0 + 7] = 0x00; + +- c[PCI_SUBSYSTEM_VENDOR_ID] = 0x86; /* svid subsystem vendor id rwo */ +- c[PCI_SUBSYSTEM_VENDOR_ID + 1] = 0x80; +- +- c[PCI_SUBSYSTEM_ID] = 0x00; /* sid subsystem id rwo */ +- c[PCI_SUBSYSTEM_ID + 1] = 0x00; ++ if (s->use_broken_id) { ++ c[PCI_SUBSYSTEM_VENDOR_ID] = 0x86; ++ c[PCI_SUBSYSTEM_VENDOR_ID + 1] = 0x80; ++ c[PCI_SUBSYSTEM_ID] = 0x00; ++ c[PCI_SUBSYSTEM_ID + 1] = 0x00; ++ } + + c[PCI_INTERRUPT_LINE] = 0x00; /* intr_ln interrupt line rw */ + /* TODO: RST# value should be 0. 
*/ +@@ -1336,6 +1338,10 @@ static PCIDeviceInfo ac97_info = { + .device_id = PCI_DEVICE_ID_INTEL_82801AA_5, + .revision = 0x01, + .class_id = PCI_CLASS_MULTIMEDIA_AUDIO, ++ .qdev.props = (Property[]) { ++ DEFINE_PROP_UINT32("use_broken_id", AC97LinkState, use_broken_id, 0), ++ DEFINE_PROP_END_OF_LIST(), ++ } + }; + + static void ac97_register (void) +diff --git a/hw/pc_piix.c b/hw/pc_piix.c +index c5c16b4..31552fd 100644 +--- a/hw/pc_piix.c ++++ b/hw/pc_piix.c +@@ -300,6 +300,10 @@ static QEMUMachine pc_machine_v0_13 = { + .driver = "virtio-net-pci", + .property = "event_idx", + .value = "off", ++ },{ ++ .driver = "AC97", ++ .property = "use_broken_id", ++ .value = stringify(1), + }, + { /* end of list */ } + }, +@@ -343,6 +347,10 @@ static QEMUMachine pc_machine_v0_12 = { + .driver = "virtio-net-pci", + .property = "event_idx", + .value = "off", ++ },{ ++ .driver = "AC97", ++ .property = "use_broken_id", ++ .value = stringify(1), + }, + { /* end of list */ } + } +@@ -394,6 +402,10 @@ static QEMUMachine pc_machine_v0_11 = { + .driver = "virtio-net-pci", + .property = "event_idx", + .value = "off", ++ },{ ++ .driver = "AC97", ++ .property = "use_broken_id", ++ .value = stringify(1), + }, + { /* end of list */ } + } +@@ -457,6 +469,10 @@ static QEMUMachine pc_machine_v0_10 = { + .driver = "virtio-net-pci", + .property = "event_idx", + .value = "off", ++ },{ ++ .driver = "AC97", ++ .property = "use_broken_id", ++ .value = stringify(1), + }, + { /* end of list */ } + }, +-- +1.7.11.2 + diff --git a/0215-vvfat-Fix-potential-buffer-overflow.patch b/0215-vvfat-Fix-potential-buffer-overflow.patch new file mode 100644 index 0000000..4f9d07c --- /dev/null +++ b/0215-vvfat-Fix-potential-buffer-overflow.patch 
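Review bot: `use_broken_id` is a compat knob whose meaning — keep the old 8086:0000 subsystem id for pre-0.15 machine types — lives only in the commit message; in the struct and in ac97_initfn a reader sees a bare flag that writes four config bytes. A comment on the field, `uint32_t use_broken_id; /* compat: emit the invalid 8086:0000 subsystem id that older machine types exposed instead of the qemu default */`, and the same one-liner above `if (s->use_broken_id) {` would carry that into the code. The four identical entries in pc_piix.c follow the existing compat-property pattern and need no change. ac97_initfn starts and ends outside the hunk.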
@@ -0,0 +1,36 @@
+From f03f1fc43b30c377a553daf7709e1f0f392a532b Mon Sep 17 00:00:00 2001
+From: Kevin Wolf
+Date: Wed, 1 Jun 2011 10:57:00 +0200
+Subject: [PATCH] vvfat: Fix potential buffer overflow
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+path2[PATH_MAX] can be used for the null termination, so make the array big
+enough to allow this.
+
+Signed-off-by: Kevin Wolf
+(cherry picked from commit 0d460d6f414e02805cbc348404db03b2b7907360)
+
+Signed-off-by: Bruce Rogers
+Signed-off-by: Andreas Färber
+---
+ block/vvfat.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/block/vvfat.c b/block/vvfat.c
+index fe568fe..98b58f0 100644
+--- a/block/vvfat.c
++++ b/block/vvfat.c
+@@ -1741,7 +1741,7 @@ static int check_directory_consistency(BDRVVVFATState *s,
+
+ long_file_name lfn;
+ int path_len = strlen(path);
+- char path2[PATH_MAX];
++ char path2[PATH_MAX + 1];
+
+ assert(path_len < PATH_MAX); /* len was tested before! */
+ pstrcpy(path2, sizeof(path2), path);
+--
+1.7.11.2
+
diff --git a/0216-vns-tls-don-t-use-depricated-gnutls-functions.patch b/0216-vns-tls-don-t-use-depricated-gnutls-functions.patch
new file mode 100644
index 0000000..a47ad72
--- /dev/null
+++ b/0216-vns-tls-don-t-use-depricated-gnutls-functions.patch
@@ -0,0 +1,116 @@ +From 5a32540f7b39f0b1224c3d6f1d12b6d4e358fe0a Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Wed, 7 Sep 2011 17:52:10 +0200 +Subject: [PATCH] vns/tls: don't use depricated gnutls functions +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Avoid using deprecated gnutls functions with recent gnutls versions. +Fixes build failure on Fedora 16. Keep the old way for compatibility +with old installations such as RHEL-5 (gnutls 1.4.x). + +Based on a patch from Raghavendra D Prabhu + +Signed-off-by: Gerd Hoffmann +Signed-off-by: Anthony Liguori +(cherry picked from commit f40d55081667a716312b9a8b6e13835c4074f56b) + +Signed-off-by: Bruce Rogers +Signed-off-by: Andreas Färber +--- + ui/vnc-tls.c | 68 +++++++++++++++++++++++++++++++++++++++++++----------------- + 1 file changed, 49 insertions(+), 19 deletions(-) + +diff --git a/ui/vnc-tls.c b/ui/vnc-tls.c +index 31f1467..f5ed306 100644 +--- a/ui/vnc-tls.c ++++ b/ui/vnc-tls.c +@@ -283,13 +283,57 @@ int vnc_tls_validate_certificate(struct VncState *vs) + return 0; + } + ++#if defined(GNUTLS_VERSION_NUMBER) && \ ++ GNUTLS_VERSION_NUMBER >= 0x020200 /* 2.2.0 */ ++ ++static int vnc_set_gnutls_priority(gnutls_session_t s, int x509) ++{ ++ const char *priority = x509 ? "NORMAL" : "NORMAL:+ANON-DH"; ++ int rc; ++ ++ rc = gnutls_priority_set_direct(s, priority, NULL); ++ if (rc != GNUTLS_E_SUCCESS) { ++ return -1; ++ } ++ return 0; ++} ++ ++#else ++ ++static int vnc_set_gnutls_priority(gnutls_session_t s, int x509) ++{ ++ static const int cert_types[] = { GNUTLS_CRT_X509, 0 }; ++ static const int protocols[] = { ++ GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0 ++ }; ++ static const int kx_anon[] = { GNUTLS_KX_ANON_DH, 0 }; ++ static const int kx_x509[] = { ++ GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA, ++ GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0 ++ }; ++ int rc; ++ ++ rc = gnutls_kx_set_priority(s, x509 ? 
kx_x509 : kx_anon); ++ if (rc != GNUTLS_E_SUCCESS) { ++ return -1; ++ } ++ ++ rc = gnutls_certificate_type_set_priority(s, cert_types); ++ if (rc != GNUTLS_E_SUCCESS) { ++ return -1; ++ } ++ ++ rc = gnutls_protocol_set_priority(s, protocols); ++ if (rc != GNUTLS_E_SUCCESS) { ++ return -1; ++ } ++ return 0; ++} ++ ++#endif + + int vnc_tls_client_setup(struct VncState *vs, + int needX509Creds) { +- static const int cert_type_priority[] = { GNUTLS_CRT_X509, 0 }; +- static const int protocol_priority[]= { GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0 }; +- static const int kx_anon[] = {GNUTLS_KX_ANON_DH, 0}; +- static const int kx_x509[] = {GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA, GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0}; + + VNC_DEBUG("Do TLS setup\n"); + if (vnc_tls_initialize() < 0) { +@@ -310,21 +354,7 @@ int vnc_tls_client_setup(struct VncState *vs, + return -1; + } + +- if (gnutls_kx_set_priority(vs->tls.session, needX509Creds ? kx_x509 : kx_anon) < 0) { +- gnutls_deinit(vs->tls.session); +- vs->tls.session = NULL; +- vnc_client_error(vs); +- return -1; +- } +- +- if (gnutls_certificate_type_set_priority(vs->tls.session, cert_type_priority) < 0) { +- gnutls_deinit(vs->tls.session); +- vs->tls.session = NULL; +- vnc_client_error(vs); +- return -1; +- } +- +- if (gnutls_protocol_set_priority(vs->tls.session, protocol_priority) < 0) { ++ if (vnc_set_gnutls_priority(vs->tls.session, needX509Creds) < 0) { + gnutls_deinit(vs->tls.session); + vs->tls.session = NULL; + vnc_client_error(vs); +-- +1.7.11.2 + diff --git a/0217-block-curl-Implement-a-flush-function-on-the-fd-hand.patch b/0217-block-curl-Implement-a-flush-function-on-the-fd-hand.patch new file mode 100644 index 0000000..581f5fe --- /dev/null +++ b/0217-block-curl-Implement-a-flush-function-on-the-fd-hand.patch 
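Review bot: The two `vnc_set_gnutls_priority` variants do not negotiate the same protocol set: the legacy branch pins `GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3`, while the 2.2+ branch delegates to the library's `"NORMAL"` string, so what a given build accepts now depends on the gnutls version it was compiled against, and only the old branch still lists SSL3 explicitly. That is a reasonable trade, but it should be stated at the `#if`, e.g. `/* gnutls >= 2.2: let the library default ("NORMAL") choose protocols and ciphers; the explicit lists below exist only for old gnutls */`. Separately, `gnutls_priority_set_direct(s, priority, NULL)` discards the error position; passing a `const char *err` and logging it through VNC_DEBUG on failure would make a rejected priority string diagnosable instead of a bare -1. vnc_tls_client_setup continues outside the hunk.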
@@ -0,0 +1,76 @@ +From 84be2986f687b998f583b27d8b3e068e87032418 Mon Sep 17 00:00:00 2001 +From: Nick Thomas +Date: Wed, 21 Sep 2011 11:55:49 +0100 +Subject: [PATCH] block/curl: Implement a flush function on the fd handlers +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Nick Thomas +Signed-off-by: Kevin Wolf +(cherry picked from commit c84dcdc1d6583ebe5841907c99d95deb8c40a6e0) + +Signed-off-by: Bruce Rogers +Signed-off-by: Andreas Färber +--- + block/curl.c | 26 ++++++++++++++++++++++---- + 1 file changed, 22 insertions(+), 4 deletions(-) + +diff --git a/block/curl.c b/block/curl.c +index 407f095..6cf6a70 100644 +--- a/block/curl.c ++++ b/block/curl.c +@@ -76,6 +76,7 @@ typedef struct BDRVCURLState { + + static void curl_clean_state(CURLState *s); + static void curl_multi_do(void *arg); ++static int curl_aio_flush(void *opaque); + + static int curl_sock_cb(CURL *curl, curl_socket_t fd, int action, + void *s, void *sp) +@@ -83,14 +84,16 @@ static int curl_sock_cb(CURL *curl, curl_socket_t fd, int action, + DPRINTF("CURL (AIO): Sock action %d on fd %d\n", action, fd); + switch (action) { + case CURL_POLL_IN: +- qemu_aio_set_fd_handler(fd, curl_multi_do, NULL, NULL, NULL, s); ++ qemu_aio_set_fd_handler(fd, curl_multi_do, NULL, curl_aio_flush, ++ NULL, s); + break; + case CURL_POLL_OUT: +- qemu_aio_set_fd_handler(fd, NULL, curl_multi_do, NULL, NULL, s); ++ qemu_aio_set_fd_handler(fd, NULL, curl_multi_do, curl_aio_flush, ++ NULL, s); + break; + case CURL_POLL_INOUT: +- qemu_aio_set_fd_handler(fd, curl_multi_do, +- curl_multi_do, NULL, NULL, s); ++ qemu_aio_set_fd_handler(fd, curl_multi_do, curl_multi_do, ++ curl_aio_flush, NULL, s); + break; + case CURL_POLL_REMOVE: + qemu_aio_set_fd_handler(fd, NULL, NULL, NULL, NULL, NULL); +@@ -394,6 +397,21 @@ out_noclean: + return -EINVAL; + } + ++static int curl_aio_flush(void *opaque) ++{ ++ BDRVCURLState *s = opaque; ++ int i, j; ++ ++ for (i=0; i < CURL_NUM_STATES; 
i++) { ++ for(j=0; j < CURL_NUM_ACB; j++) { ++ if (s->states[i].acb[j]) { ++ return 1; ++ } ++ } ++ } ++ return 0; ++} ++ + static void curl_aio_cancel(BlockDriverAIOCB *blockacb) + { + // Do we have to implement canceling? Seems to work without... +-- +1.7.11.2 + diff --git a/0218-hda-do-not-mix-output-and-input-streams-RHBZ-740493.patch b/0218-hda-do-not-mix-output-and-input-streams-RHBZ-740493.patch new file mode 100644 index 0000000..a4f5088 --- /dev/null +++ b/0218-hda-do-not-mix-output-and-input-streams-RHBZ-740493.patch 
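Review bot: `curl_aio_flush` has no comment, and its contract — return non-zero while any `acb` slot is occupied — is only recoverable from the way it is wired into `qemu_aio_set_fd_handler` in curl_sock_cb; that it keeps the aio layer polling the curl fds is inferred here and should be confirmed against the handler's documented meaning. Suggest a header comment: `/* aio flush callback: non-zero while any request is still in flight in any state */`. Style: the two loops are written `for (i=0; ...)` and `for(j=0; ...)`; match the surrounding file's `for (` spacing.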
@@ -0,0 +1,51 @@ +From 05a5f7c79ad8dc4887e7cd60c2572121b51adce7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= +Date: Tue, 25 Oct 2011 16:53:00 +0200 +Subject: [PATCH] hda: do not mix output and input streams, RHBZ #740493 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Windows 7 may use the same stream number for input and output. +That will result in lot of garbage on playback. + +The hardcoded value of 4 needs to be in sync with GCAP streams +description and IN/OUT registers. + +Signed-off-by: Marc-Andr? Lureau +Signed-off-by: malc +(cherry picked from commit 36ac4ad3d054a7b4962a6393630a73591cfa9558) + +Signed-off-by: Bruce Rogers +Signed-off-by: Andreas Färber +--- + hw/intel-hda.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/hw/intel-hda.c b/hw/intel-hda.c +index 5a2bc3a..7d02558 100644 +--- a/hw/intel-hda.c ++++ b/hw/intel-hda.c +@@ -389,14 +389,15 @@ static bool intel_hda_xfer(HDACodecDevice *dev, uint32_t stnr, bool output, + { + HDACodecBus *bus = DO_UPCAST(HDACodecBus, qbus, dev->qdev.parent_bus); + IntelHDAState *d = container_of(bus, IntelHDAState, codecs); +- IntelHDAStream *st = NULL; + target_phys_addr_t addr; + uint32_t s, copy, left; ++ IntelHDAStream *st; + bool irq = false; + +- for (s = 0; s < ARRAY_SIZE(d->st); s++) { +- if (stnr == ((d->st[s].ctl >> 20) & 0x0f)) { +- st = d->st + s; ++ st = output ? d->st + 4 : d->st; ++ for (s = 0; s < 4; s++) { ++ if (stnr == ((st[s].ctl >> 20) & 0x0f)) { ++ st = st + s; + break; + } + } +-- +1.7.11.2 + diff --git a/0219-hda-do-not-mix-output-and-input-stream-states-RHBZ-7.patch b/0219-hda-do-not-mix-output-and-input-stream-states-RHBZ-7.patch new file mode 100644 index 0000000..062496e --- /dev/null +++ b/0219-hda-do-not-mix-output-and-input-stream-states-RHBZ-7.patch 
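Review bot: After the rewrite `st` is never NULL: it is pre-set to `d->st` or `d->st + 4` before the loop and only advanced on a match, so a stream number that matches none of the four entries leaves `st` pointing at the first stream of the group instead of signalling "not found". The removed `IntelHDAStream *st = NULL;` initialiser strongly suggests a NULL test follows the loop (outside the hunk); that test can no longer fire, and an unmatched `stnr` would silently transfer data through stream 0 or 4. Test the loop counter instead, `if (s == 4) { return false; }` in place of the NULL check, or keep a separate found flag. The literal `4` appears twice and, per the commit message, must stay in sync with GCAP; a named constant would bind them.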
@@ -0,0 +1,172 @@ +From 51a747e171a66d0dc1e4b47c0238fb2e7fa6b118 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= +Date: Tue, 25 Oct 2011 16:53:01 +0200 +Subject: [PATCH] hda: do not mix output and input stream states, RHBZ #740493 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Windows 7 may use the same stream number for input and output. +Current code will confuse streams. + +Changes since v1: +- keep running_compat[] for migration version 1 +- add running_real[] for migration version 2 + +Signed-off-by: Marc-Andr? Lureau +Signed-off-by: malc +(cherry picked from commit ba43d28916c4f51c19bd7366089155ce81bee058) + +Signed-off-by: Bruce Rogers +Signed-off-by: Andreas Färber +--- + hw/hda-audio.c | 26 +++++++++++++++++++------- + hw/intel-hda.c | 9 +++++---- + hw/intel-hda.h | 2 +- + 3 files changed, 25 insertions(+), 12 deletions(-) + +diff --git a/hw/hda-audio.c b/hw/hda-audio.c +index c699d6f..9b089e6 100644 +--- a/hw/hda-audio.c ++++ b/hw/hda-audio.c +@@ -466,7 +466,8 @@ struct HDAAudioState { + QEMUSoundCard card; + const desc_codec *desc; + HDAAudioStream st[4]; +- bool running[16]; ++ bool running_compat[16]; ++ bool running_real[2 * 16]; + + /* properties */ + uint32_t debug; +@@ -663,7 +664,7 @@ static void hda_audio_command(HDACodecDevice *hda, uint32_t nid, uint32_t data) + st->channel = payload & 0x0f; + dprint(a, 2, "%s: stream %d, channel %d\n", + st->node->name, st->stream, st->channel); +- hda_audio_set_running(st, a->running[st->stream]); ++ hda_audio_set_running(st, a->running_real[st->output * 16 + st->stream]); + hda_codec_response(hda, true, 0); + break; + case AC_VERB_GET_CONV: +@@ -746,16 +747,20 @@ fail: + hda_codec_response(hda, true, 0); + } + +-static void hda_audio_stream(HDACodecDevice *hda, uint32_t stnr, bool running) ++static void hda_audio_stream(HDACodecDevice *hda, uint32_t stnr, bool running, bool output) + { + HDAAudioState *a = DO_UPCAST(HDAAudioState, hda, 
hda); + int s; + +- a->running[stnr] = running; ++ a->running_compat[stnr] = running; ++ a->running_real[output * 16 + stnr] = running; + for (s = 0; s < ARRAY_SIZE(a->st); s++) { + if (a->st[s].node == NULL) { + continue; + } ++ if (a->st[s].output != output) { ++ continue; ++ } + if (a->st[s].stream != stnr) { + continue; + } +@@ -837,6 +842,12 @@ static int hda_audio_post_load(void *opaque, int version) + int i; + + dprint(a, 1, "%s\n", __FUNCTION__); ++ if (version == 1) { ++ /* assume running_compat[] is for output streams */ ++ for (i = 0; i < ARRAY_SIZE(a->running_compat); i++) ++ a->running_real[16 + i] = a->running_compat[i]; ++ } ++ + for (i = 0; i < ARRAY_SIZE(a->st); i++) { + st = a->st + i; + if (st->node == NULL) +@@ -844,7 +855,7 @@ static int hda_audio_post_load(void *opaque, int version) + hda_codec_parse_fmt(st->format, &st->as); + hda_audio_setup(st); + hda_audio_set_amp(st); +- hda_audio_set_running(st, a->running[st->stream]); ++ hda_audio_set_running(st, a->running_real[st->output * 16 + st->stream]); + } + return 0; + } +@@ -868,13 +879,14 @@ static const VMStateDescription vmstate_hda_audio_stream = { + + static const VMStateDescription vmstate_hda_audio = { + .name = "hda-audio", +- .version_id = 1, ++ .version_id = 2, + .post_load = hda_audio_post_load, + .fields = (VMStateField []) { + VMSTATE_STRUCT_ARRAY(st, HDAAudioState, 4, 0, + vmstate_hda_audio_stream, + HDAAudioStream), +- VMSTATE_BOOL_ARRAY(running, HDAAudioState, 16), ++ VMSTATE_BOOL_ARRAY(running_compat, HDAAudioState, 16), ++ VMSTATE_BOOL_ARRAY_V(running_real, HDAAudioState, 2 * 16, 2), + VMSTATE_END_OF_LIST() + } + }; +diff --git a/hw/intel-hda.c b/hw/intel-hda.c +index 7d02558..904e4fc 100644 +--- a/hw/intel-hda.c ++++ b/hw/intel-hda.c +@@ -485,7 +485,7 @@ static void intel_hda_parse_bdl(IntelHDAState *d, IntelHDAStream *st) + st->bp = 0; + } + +-static void intel_hda_notify_codecs(IntelHDAState *d, uint32_t stream, bool running) ++static void 
intel_hda_notify_codecs(IntelHDAState *d, uint32_t stream, bool running, bool output) + { + DeviceState *qdev; + HDACodecDevice *cdev; +@@ -493,7 +493,7 @@ static void intel_hda_notify_codecs(IntelHDAState *d, uint32_t stream, bool runn + QLIST_FOREACH(qdev, &d->codecs.qbus.children, sibling) { + cdev = DO_UPCAST(HDACodecDevice, qdev, qdev); + if (cdev->info->stream) { +- cdev->info->stream(cdev, stream, running); ++ cdev->info->stream(cdev, stream, running, output); + } + } + } +@@ -567,6 +567,7 @@ static void intel_hda_set_ics(IntelHDAState *d, const IntelHDAReg *reg, uint32_t + + static void intel_hda_set_st_ctl(IntelHDAState *d, const IntelHDAReg *reg, uint32_t old) + { ++ bool output = reg->stream >= 4; + IntelHDAStream *st = d->st + reg->stream; + + if (st->ctl & 0x01) { +@@ -582,11 +583,11 @@ static void intel_hda_set_st_ctl(IntelHDAState *d, const IntelHDAReg *reg, uint3 + dprint(d, 1, "st #%d: start %d (ring buf %d bytes)\n", + reg->stream, stnr, st->cbl); + intel_hda_parse_bdl(d, st); +- intel_hda_notify_codecs(d, stnr, true); ++ intel_hda_notify_codecs(d, stnr, true, output); + } else { + /* stop */ + dprint(d, 1, "st #%d: stop %d\n", reg->stream, stnr); +- intel_hda_notify_codecs(d, stnr, false); ++ intel_hda_notify_codecs(d, stnr, false, output); + } + } + intel_hda_update_irq(d); +diff --git a/hw/intel-hda.h b/hw/intel-hda.h +index 4e44e38..65fd2a8 100644 +--- a/hw/intel-hda.h ++++ b/hw/intel-hda.h +@@ -34,7 +34,7 @@ struct HDACodecDeviceInfo { + int (*init)(HDACodecDevice *dev); + int (*exit)(HDACodecDevice *dev); + void (*command)(HDACodecDevice *dev, uint32_t nid, uint32_t data); +- void (*stream)(HDACodecDevice *dev, uint32_t stnr, bool running); ++ void (*stream)(HDACodecDevice *dev, uint32_t stnr, bool running, bool output); + }; + + void hda_codec_bus_init(DeviceState *dev, HDACodecBus *bus, +-- +1.7.11.2 + 
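Review bot: The index `output * 16 + stnr` used in hda_audio_stream, hda_audio_command and hda_audio_post_load writes into the 32-entry `running_real[]` with no bound on `stnr`, and the only thing keeping it below 16 is that the caller in intel-hda.c derives it from a masked 4-bit register field, which is not visible in this hunk and is not stated in hda-audio.c. That invariant is now load-bearing across two files; name it where the array is declared, e.g. `bool running_real[2 * 16]; /* [output][stnr]; stnr is a 4-bit stream tag, see intel_hda_set_st_ctl() */`. The literal 4 in `bool output = reg->stream >= 4;` and the 16 in the index expression are the same hardware split as the `d->st + 4` in the previous patch; a pair of named constants would keep the three places from drifting.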
diff --git a/0220-Teach-block-vdi-about-discarded-no-longer-allocated-.patch b/0220-Teach-block-vdi-about-discarded-no-longer-allocated-.patch new file mode 100644 index 0000000..e51c539 --- /dev/null +++ b/0220-Teach-block-vdi-about-discarded-no-longer-allocated-.patch 
@@ -0,0 +1,108 @@ +From 5621e2027384a35494508f3bc01a758bc2ac076b Mon Sep 17 00:00:00 2001 +From: Eric Sunshine +Date: Wed, 26 Oct 2011 15:51:18 -0400 +Subject: [PATCH] Teach block/vdi about "discarded" (no longer allocated) + blocks +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +An entry in the VDI block map will hold an offset to the actual block if +the block is allocated, or one of two specially-interpreted values if +not allocated. Using VirtualBox terminology, value VDI_IMAGE_BLOCK_FREE +(0xffffffff) represents a never-allocated block (semantically arbitrary +content). VDI_IMAGE_BLOCK_ZERO (0xfffffffe) represents a "discarded" +block (semantically zero-filled). block/vdi knows only about +VDI_IMAGE_BLOCK_FREE. Teach it about VDI_IMAGE_BLOCK_ZERO. + +Signed-off-by: Eric Sunshine +Signed-off-by: Kevin Wolf +(cherry picked from commit c794b4e0fd9ef8d72b068614dcdb2418c105d5cc) + +Signed-off-by: Bruce Rogers +Signed-off-by: Andreas Färber +--- + block/vdi.c | 23 ++++++++++++++--------- + 1 file changed, 14 insertions(+), 9 deletions(-) + +diff --git a/block/vdi.c b/block/vdi.c +index 261cf9b..1be0cdc 100644 +--- a/block/vdi.c ++++ b/block/vdi.c +@@ -114,8 +114,13 @@ void uuid_unparse(const uuid_t uu, char *out); + */ + #define VDI_TEXT "<<< QEMU VM Virtual Disk Image >>>\n" + +-/* Unallocated blocks use this index (no need to convert endianness). */ +-#define VDI_UNALLOCATED UINT32_MAX ++/* A never-allocated block; semantically arbitrary content. */ ++#define VDI_UNALLOCATED 0xffffffffU ++ ++/* A discarded (no longer allocated) block; semantically zero-filled. */ ++#define VDI_DISCARDED 0xfffffffeU ++ ++#define VDI_IS_ALLOCATED(X) ((X) < VDI_DISCARDED) + + #if !defined(CONFIG_UUID) + void uuid_generate(uuid_t out) +@@ -307,10 +312,10 @@ static int vdi_check(BlockDriverState *bs, BdrvCheckResult *res) + /* Check block map and value of blocks_allocated. 
*/ + for (block = 0; block < s->header.blocks_in_image; block++) { + uint32_t bmap_entry = le32_to_cpu(s->bmap[block]); +- if (bmap_entry != VDI_UNALLOCATED) { ++ if (VDI_IS_ALLOCATED(bmap_entry)) { + if (bmap_entry < s->header.blocks_in_image) { + blocks_allocated++; +- if (bmap[bmap_entry] == VDI_UNALLOCATED) { ++ if (!VDI_IS_ALLOCATED(bmap[bmap_entry])) { + bmap[bmap_entry] = bmap_entry; + } else { + fprintf(stderr, "ERROR: block index %" PRIu32 +@@ -472,7 +477,7 @@ static int vdi_is_allocated(BlockDriverState *bs, int64_t sector_num, + n_sectors = nb_sectors; + } + *pnum = n_sectors; +- return bmap_entry != VDI_UNALLOCATED; ++ return VDI_IS_ALLOCATED(bmap_entry); + } + + static void vdi_aio_cancel(BlockDriverAIOCB *blockacb) +@@ -603,7 +608,7 @@ static void vdi_aio_read_cb(void *opaque, int ret) + /* prepare next AIO request */ + acb->n_sectors = n_sectors; + bmap_entry = le32_to_cpu(s->bmap[block_index]); +- if (bmap_entry == VDI_UNALLOCATED) { ++ if (!VDI_IS_ALLOCATED(bmap_entry)) { + /* Block not allocated, return zeros, no need to wait. */ + memset(acb->buf, 0, n_sectors * SECTOR_SIZE); + ret = vdi_schedule_bh(vdi_aio_rw_bh, acb); +@@ -685,7 +690,7 @@ static void vdi_aio_write_cb(void *opaque, int ret) + if (acb->header_modified) { + VdiHeader *header = acb->block_buffer; + logout("now writing modified header\n"); +- assert(acb->bmap_first != VDI_UNALLOCATED); ++ assert(VDI_IS_ALLOCATED(acb->bmap_first)); + *header = s->header; + vdi_header_to_le(header); + acb->header_modified = 0; +@@ -699,7 +704,7 @@ static void vdi_aio_write_cb(void *opaque, int ret) + goto done; + } + return; +- } else if (acb->bmap_first != VDI_UNALLOCATED) { ++ } else if (VDI_IS_ALLOCATED(acb->bmap_first)) { + /* One or more new blocks were allocated. 
*/ + uint64_t offset; + uint32_t bmap_first; +@@ -749,7 +754,7 @@ static void vdi_aio_write_cb(void *opaque, int ret) + /* prepare next AIO request */ + acb->n_sectors = n_sectors; + bmap_entry = le32_to_cpu(s->bmap[block_index]); +- if (bmap_entry == VDI_UNALLOCATED) { ++ if (!VDI_IS_ALLOCATED(bmap_entry)) { + /* Allocate new block and write to it. */ + uint64_t offset; + uint8_t *block; +-- +1.7.11.2 + diff --git a/0221-vmdk-Improve-error-handling.patch b/0221-vmdk-Improve-error-handling.patch new file mode 100644 index 0000000..ca8d29f --- /dev/null +++ b/0221-vmdk-Improve-error-handling.patch 
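Review bot: VDI_IS_ALLOCATED() accepts every map value below 0xfffffffe, including indices at or beyond `blocks_in_image`; vdi_check keeps its explicit `bmap_entry < s->header.blocks_in_image` guard, but vdi_aio_read_cb and vdi_aio_write_cb only test the macro before taking the allocated-block path, whose offset computation is outside this hunk. If those paths do not separately range-check `bmap_entry`, a crafted block map can address storage past the end of the image file, so this is worth confirming rather than assuming. Make the contract explicit at the macro: `/* "allocated" only means the entry is a block index; callers must still check it against blocks_in_image */`.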
@@ -0,0 +1,79 @@ +From 2139ef7f75ff63904fac6b451c8a89e4b0c72448 Mon Sep 17 00:00:00 2001 +From: Kevin Wolf +Date: Wed, 26 Oct 2011 12:25:25 +0200 +Subject: [PATCH] vmdk: Improve error handling +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Return the right error values in some more places. + +Signed-off-by: Kevin Wolf +(cherry picked from commit 99f1835d9bc744f98370254600530e66f32e6d81) + +Signed-off-by: Bruce Rogers +Signed-off-by: Andreas Färber +--- + block/vmdk.c | 21 +++++++++++++++------ + 1 file changed, 15 insertions(+), 6 deletions(-) + +diff --git a/block/vmdk.c b/block/vmdk.c +index b5caa40..8284747 100644 +--- a/block/vmdk.c ++++ b/block/vmdk.c +@@ -181,8 +181,10 @@ static uint32_t vmdk_read_cid(BlockDriverState *bs, int parent) + const char *p_name, *cid_str; + size_t cid_str_size; + BDRVVmdkState *s = bs->opaque; ++ int ret; + +- if (bdrv_pread(bs->file, s->desc_offset, desc, DESC_SIZE) != DESC_SIZE) { ++ ret = bdrv_pread(bs->file, s->desc_offset, desc, DESC_SIZE); ++ if (ret < 0) { + return 0; + } + +@@ -208,10 +210,12 @@ static int vmdk_write_cid(BlockDriverState *bs, uint32_t cid) + char desc[DESC_SIZE], tmp_desc[DESC_SIZE]; + char *p_name, *tmp_str; + BDRVVmdkState *s = bs->opaque; ++ int ret; + + memset(desc, 0, sizeof(desc)); +- if (bdrv_pread(bs->file, s->desc_offset, desc, DESC_SIZE) != DESC_SIZE) { +- return -EIO; ++ ret = bdrv_pread(bs->file, s->desc_offset, desc, DESC_SIZE); ++ if (ret < 0) { ++ return ret; + } + + tmp_str = strstr(desc, "parentCID"); +@@ -223,9 +227,11 @@ static int vmdk_write_cid(BlockDriverState *bs, uint32_t cid) + pstrcat(desc, sizeof(desc), tmp_desc); + } + +- if (bdrv_pwrite_sync(bs->file, s->desc_offset, desc, DESC_SIZE) < 0) { +- return -EIO; ++ ret = bdrv_pwrite_sync(bs->file, s->desc_offset, desc, DESC_SIZE); ++ if (ret < 0) { ++ return ret; + } ++ + return 0; + } + +@@ -906,7 +912,10 @@ static int vmdk_write(BlockDriverState *bs, int64_t sector_num, + /* update 
CID on the first write every time the virtual disk is + * opened */ + if (!s->cid_updated) { +- vmdk_write_cid(bs, time(NULL)); ++ ret = vmdk_write_cid(bs, time(NULL)); ++ if (ret < 0) { ++ return ret; ++ } + s->cid_updated = true; + } + } +-- +1.7.11.2 + diff --git a/0222-block-set-bs-read_only-before-.bdrv_open.patch b/0222-block-set-bs-read_only-before-.bdrv_open.patch new file mode 100644 index 0000000..72c03cc --- /dev/null +++ b/0222-block-set-bs-read_only-before-.bdrv_open.patch 
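Review bot: In vmdk_read_cid the replaced test accepts a short read (`ret >= 0` but `ret < DESC_SIZE`) that the old `!= DESC_SIZE` comparison rejected, and the local `desc` buffer is not initialised in the visible lines, so the strstr() that follows could scan uninitialised stack bytes if bdrv_pread() can return a short count in this tree (I cannot tell from the hunk). Unlike vmdk_write_cid, vmdk_read_cid also still collapses every failure into a return of 0, which callers cannot distinguish from a genuine CID of 0, so the "right error value" goal of the patch does not reach that function. At minimum keep the stricter check there, `if (ret < 0 || ret != DESC_SIZE) { return 0; }`, and note in a comment that 0 doubles as the error value.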
@@ -0,0 +1,52 @@ +From b461a24186f05d7adec265bd34f348f7b8f9569b Mon Sep 17 00:00:00 2001 +From: Stefan Hajnoczi +Date: Thu, 27 Oct 2011 10:54:27 +0100 +Subject: [PATCH] block: set bs->read_only before .bdrv_open() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Several block drivers set bs->read_only in .bdrv_open() but +block.c:bdrv_open_common() clobbers its value. Additionally, QED uses +bdrv_is_read_only() in .bdrv_open() to decide whether to perform +consistency checks. + +The correct ordering is to initialize bs->read_only from the open flags +before calling .bdrv_open(). This way block drivers can override it if +necessary and can use bdrv_is_read_only() in .bdrv_open(). + +Signed-off-by: Stefan Hajnoczi +Signed-off-by: Kevin Wolf +(cherry picked from commit e7c637967e6aad195b5f30cfd995913c9e0b4666) + +Signed-off-by: Bruce Rogers +Signed-off-by: Andreas Färber +--- + block.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/block.c b/block.c +index 4ebb18b..8d77746 100644 +--- a/block.c ++++ b/block.c +@@ -455,6 +455,8 @@ static int bdrv_open_common(BlockDriverState *bs, const char *filename, + open_flags |= BDRV_O_RDWR; + } + ++ bs->keep_read_only = bs->read_only = !(open_flags & BDRV_O_RDWR); ++ + /* Open the image, either directly or using a protocol */ + if (drv->bdrv_file_open) { + ret = drv->bdrv_file_open(bs, filename, open_flags); +@@ -469,8 +471,6 @@ static int bdrv_open_common(BlockDriverState *bs, const char *filename, + goto free_and_fail; + } + +- bs->keep_read_only = bs->read_only = !(open_flags & BDRV_O_RDWR); +- + ret = refresh_total_sectors(bs, bs->total_sectors); + if (ret < 0) { + goto free_and_fail; +-- +1.7.11.2 + diff --git a/0223-console-Fix-rendering-of-VGA-underline.patch b/0223-console-Fix-rendering-of-VGA-underline.patch new file mode 100644 index 0000000..a271442 --- /dev/null +++ b/0223-console-Fix-rendering-of-VGA-underline.patch 
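Review bot: The moved assignment carries no comment, and the reason it must precede the driver open (drivers may set `bs->read_only` from .bdrv_open(), and QED calls bdrv_is_read_only() there) lives only in the commit message, which is where the next refactor will not look; add above the new line `/* Set before .bdrv_open(): drivers may override read_only there and may query bdrv_is_read_only() while opening. */`. Note that `keep_read_only` is fixed from the open flags at the same moment, so a driver that forces `read_only` during open does not change `keep_read_only`; whether later reopen paths rely on the two agreeing is outside this hunk and worth a look. The rest of bdrv_open_common lies outside the hunk.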
@@ -0,0 +1,64 @@ +From 1add57cd4c48d9eb6517f685f67480b4f4f3f13b Mon Sep 17 00:00:00 2001 +From: Markus Armbruster +Date: Fri, 4 Nov 2011 10:38:29 +0100 +Subject: [PATCH] console: Fix rendering of VGA underline +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +vga_putcharxy()'s underline code sets font_data to 0xffff instead of +0xff. vga_putcharxy() then reads dmask16[0xffff >> 4] and +dmask4[0xffff >> 6]. In practice, these out-of-bounds subscripts +"only" put a few crap bits into the display surface. + +For 32 bit pixels, there's no array access. font_data's extra bits go +straight into the display surface. + +Broken when commit 6d6f7c28 implemented underline. + +Spotted by Coverity. + +Signed-off-by: Markus Armbruster +Signed-off-by: Anthony Liguori +(cherry picked from commit 439229c7cb97f6c4cddd3965c3e9d2b8319fe83c) + +Signed-off-by: Bruce Rogers +Signed-off-by: Andreas Färber +--- + console.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/console.c b/console.c +index 242086c..07c82b8 100644 +--- a/console.c ++++ b/console.c +@@ -461,7 +461,7 @@ static void vga_putcharxy(DisplayState *ds, int x, int y, int ch, + font_data = *font_ptr++; + if (t_attrib->uline + && ((i == FONT_HEIGHT - 2) || (i == FONT_HEIGHT - 3))) { +- font_data = 0xFFFF; ++ font_data = 0xFF; + } + ((uint32_t *)d)[0] = (dmask16[(font_data >> 4)] & xorcol) ^ bgcol; + ((uint32_t *)d)[1] = (dmask16[(font_data >> 0) & 0xf] & xorcol) ^ bgcol; +@@ -474,7 +474,7 @@ static void vga_putcharxy(DisplayState *ds, int x, int y, int ch, + font_data = *font_ptr++; + if (t_attrib->uline + && ((i == FONT_HEIGHT - 2) || (i == FONT_HEIGHT - 3))) { +- font_data = 0xFFFF; ++ font_data = 0xFF; + } + ((uint32_t *)d)[0] = (dmask4[(font_data >> 6)] & xorcol) ^ bgcol; + ((uint32_t *)d)[1] = (dmask4[(font_data >> 4) & 3] & xorcol) ^ bgcol; +@@ -487,7 +487,7 @@ static void vga_putcharxy(DisplayState *ds, int x, int y, int ch, + for(i = 0; i < 
FONT_HEIGHT; i++) { + font_data = *font_ptr++; + if (t_attrib->uline && ((i == FONT_HEIGHT - 2) || (i == FONT_HEIGHT - 3))) { +- font_data = 0xFFFF; ++ font_data = 0xFF; + } + ((uint32_t *)d)[0] = (-((font_data >> 7)) & xorcol) ^ bgcol; + ((uint32_t *)d)[1] = (-((font_data >> 6) & 1) & xorcol) ^ bgcol; +-- +1.7.11.2 + diff --git a/0224-block-Fix-vpc-initialization-of-the-Dynamic-Disk-Hea.patch b/0224-block-Fix-vpc-initialization-of-the-Dynamic-Disk-Hea.patch new file mode 100644 index 0000000..addd077 --- /dev/null +++ b/0224-block-Fix-vpc-initialization-of-the-Dynamic-Disk-Hea.patch 
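Review bot: The underline test `t_attrib->uline && ((i == FONT_HEIGHT - 2) || (i == FONT_HEIGHT - 3))` together with the `font_data = 0xFF` override is now repeated verbatim in all three per-depth loops of vga_putcharxy, which is exactly how the 0xFFFF typo reached all three; computing it once per row in a small static helper that takes `t_attrib` and `i` would make the next such fix a one-line change. The value 0xFF is what closes the out-of-bounds read, since `font_data >> 4` then stays within dmask16[16] and `font_data >> 6` within dmask4[4]; a one-line comment at the first occurrence, `/* must stay 8-bit: indexes dmask16/dmask4 below */`, would stop it regressing. The enclosing function continues outside the hunk.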
@@ -0,0 +1,48 @@ +From 69a9776f3e8a4ff5311f78cc63e52ea436dd9cbe Mon Sep 17 00:00:00 2001 +From: Charles Arnold +Date: Wed, 9 Nov 2011 09:32:25 -0700 +Subject: [PATCH] block: Fix vpc initialization of the Dynamic Disk Header +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The Data Offset field in the Dynamic Disk Header is an 8 byte field. +Although the specification (2006-10-11) gives an example of initializing +only the first 4 bytes, images generated by Microsoft on Windows initialize +all 8 bytes. + +Failure to initialize all 8 bytes results in errors from utilities +like Citrix's vhd-util which checks specifically for the proper Data +Offset field initialization. + +Signed-off-by: Charles Arnold +Reviewed-by: Andreas Färber +Signed-off-by: Kevin Wolf +(cherry picked from commit 78439f6af1caa3e8bdafc9fc2d62aeefa53ed63a) + +Signed-off-by: Bruce Rogers +Signed-off-by: Andreas Färber +--- + block/vpc.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/block/vpc.c b/block/vpc.c +index 56865da..ac33e15 100644 +--- a/block/vpc.c ++++ b/block/vpc.c +@@ -587,7 +587,11 @@ static int vpc_create(const char *filename, QEMUOptionParameter *options) + + memcpy(dyndisk_header->magic, "cxsparse", 8); + +- dyndisk_header->data_offset = be64_to_cpu(0xFFFFFFFF); ++ /* ++ * Note: The spec is actually wrong here for data_offset, it says ++ * 0xFFFFFFFF, but MS tools expect all 64 bits to be set. ++ */ ++ dyndisk_header->data_offset = be64_to_cpu(0xFFFFFFFFFFFFFFFFULL); + dyndisk_header->table_offset = be64_to_cpu(3 * 512); + dyndisk_header->version = be32_to_cpu(0x00010000); + dyndisk_header->block_size = be32_to_cpu(block_size); +-- +1.7.11.2 + diff --git a/0225-qcow-Fix-bdrv_write_compressed-error-handling.patch b/0225-qcow-Fix-bdrv_write_compressed-error-handling.patch new file mode 100644 index 0000000..da5de39 --- /dev/null +++ b/0225-qcow-Fix-bdrv_write_compressed-error-handling.patch 
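Review bot: The new line converts a host constant for on-disk storage with `be64_to_cpu()`, following the neighbouring lines; the direction is cpu-to-disk, so `cpu_to_be64(0xFFFFFFFFFFFFFFFFULL)` is the accurate spelling (both are the same byte swap, so behaviour is unchanged, but the misnamed direction misleads readers of the header layout code). The comment could also name what the field is and why the spec is overridden: `/* Data Offset: the 2006-10-11 spec shows 0xFFFFFFFF, but MS-generated images and vhd-util expect all 64 bits set. */`.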
@@ -0,0 +1,93 @@ +From 5202e9d55b745eddde9ba6bd08af32fcae347e93 Mon Sep 17 00:00:00 2001 +From: Kevin Wolf +Date: Wed, 26 Oct 2011 11:21:50 +0200 +Subject: [PATCH] qcow: Fix bdrv_write_compressed error handling +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Kevin Wolf +Reviewed-by: Paolo Bonzini +(cherry picked from commit 64ebe71aa0e498d24e8c02b133192142fce3a0d0) + +Signed-off-by: Bruce Rogers +[AF: backported] +Signed-off-by: Andreas Färber +--- + block/qcow.c | 30 +++++++++++++++++++----------- + 1 file changed, 19 insertions(+), 11 deletions(-) + +diff --git a/block/qcow.c b/block/qcow.c +index 227b104..115b820 100644 +--- a/block/qcow.c ++++ b/block/qcow.c +@@ -926,8 +926,6 @@ static int qcow_write_compressed(BlockDriverState *bs, int64_t sector_num, + return -EINVAL; + + out_buf = qemu_malloc(s->cluster_size + (s->cluster_size / 1000) + 128); +- if (!out_buf) +- return -1; + + /* best compression, small window, no zlib header */ + memset(&strm, 0, sizeof(strm)); +@@ -935,8 +933,8 @@ static int qcow_write_compressed(BlockDriverState *bs, int64_t sector_num, + Z_DEFLATED, -12, + 9, Z_DEFAULT_STRATEGY); + if (ret != 0) { +- qemu_free(out_buf); +- return -1; ++ ret = -EINVAL; ++ goto fail; + } + + strm.avail_in = s->cluster_size; +@@ -946,9 +944,9 @@ static int qcow_write_compressed(BlockDriverState *bs, int64_t sector_num, + + ret = deflate(&strm, Z_FINISH); + if (ret != Z_STREAM_END && ret != Z_OK) { +- qemu_free(out_buf); + deflateEnd(&strm); +- return -1; ++ ret = -EINVAL; ++ goto fail; + } + out_len = strm.next_out - out_buf; + +@@ -956,19 +954,29 @@ static int qcow_write_compressed(BlockDriverState *bs, int64_t sector_num, + + if (ret != Z_STREAM_END || out_len >= s->cluster_size) { + /* could not compress: write normal cluster */ +- bdrv_write(bs, sector_num, buf, s->cluster_sectors); ++ ret = bdrv_write(bs, sector_num, buf, s->cluster_sectors); ++ if (ret < 0) { ++ goto fail; ++ } + } else { 
+ cluster_offset = get_cluster_offset(bs, sector_num << 9, 2, + out_len, 0, 0); ++ if (cluster_offset == 0) { ++ ret = -EIO; ++ goto fail; ++ } ++ + cluster_offset &= s->cluster_offset_mask; +- if (bdrv_pwrite(bs->file, cluster_offset, out_buf, out_len) != out_len) { +- qemu_free(out_buf); +- return -1; ++ ret = bdrv_pwrite(bs->file, cluster_offset, out_buf, out_len); ++ if (ret < 0) { ++ goto fail; + } + } + ++ ret = 0; ++fail: + qemu_free(out_buf); +- return 0; ++ return ret; + } + + static int qcow_flush(BlockDriverState *bs) +-- +1.7.11.2 + diff --git a/0226-block-reinitialize-across-bdrv_close-bdrv_open.patch b/0226-block-reinitialize-across-bdrv_close-bdrv_open.patch new file mode 100644 index 0000000..7cca69c --- /dev/null +++ b/0226-block-reinitialize-across-bdrv_close-bdrv_open.patch 
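Review bot: The new `cluster_offset == 0` test maps an allocation failure to -EIO without saying where the 0 comes from, and the get_cluster_offset() contract is not visible here; add `/* get_cluster_offset() returns 0 when it could not allocate a cluster */` above the check so the sentinel is not mistaken for a valid offset 0. The deflateInit2() and deflate() failures are both folded into -EINVAL, discarding the zlib status that the old `return -1` also lost; that is acceptable for callers but worth a short comment that zlib failures are reported as invalid input. The `fail:` label frees `out_buf` on every path, which removes the duplicated cleanup the old code carried.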
@@ -0,0 +1,55 @@ +From 2432c8cf0a61be64094dae724638a9a081ee4bf9 Mon Sep 17 00:00:00 2001 +From: Stefan Hajnoczi +Date: Thu, 27 Oct 2011 10:54:28 +0100 +Subject: [PATCH] block: reinitialize across bdrv_close()/bdrv_open() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Several BlockDriverState fields are not being reinitialized across +bdrv_close()/bdrv_open(). Make sure they are reset to their default +values. + +Signed-off-by: Stefan Hajnoczi +Signed-off-by: Kevin Wolf +(cherry picked from commit 03f541bd6eacdc6c2893f72b975257c89cab2b74) + +Signed-off-by: Bruce Rogers +[AF: backported] +Signed-off-by: Andreas Färber +--- + block.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/block.c b/block.c +index 8d77746..1d6d26b 100644 +--- a/block.c ++++ b/block.c +@@ -426,11 +426,14 @@ static int bdrv_open_common(BlockDriverState *bs, const char *filename, + bs->total_sectors = 0; + bs->encrypted = 0; + bs->valid_key = 0; ++ bs->sg = 0; + bs->open_flags = flags; ++ bs->growable = 0; + /* buffer_alignment defaulted to 512, drivers can change this value */ + bs->buffer_alignment = 512; + + pstrcpy(bs->filename, sizeof(bs->filename), filename); ++ bs->backing_file[0] = '\0'; + + if (use_bdrv_whitelist && !bdrv_is_whitelisted(drv)) { + return -ENOTSUP; +@@ -439,8 +442,7 @@ static int bdrv_open_common(BlockDriverState *bs, const char *filename, + bs->drv = drv; + bs->opaque = qemu_mallocz(drv->instance_size); + +- if (flags & BDRV_O_CACHE_WB) +- bs->enable_write_cache = 1; ++ bs->enable_write_cache = !!(flags & BDRV_O_CACHE_WB); + + /* + * Clear flags that are internal to the block layer before opening the +-- +1.7.11.2 + diff --git a/0227-qxl-stride-fixup.patch b/0227-qxl-stride-fixup.patch new file mode 100644 index 0000000..1c3d936 --- /dev/null +++ b/0227-qxl-stride-fixup.patch 
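Review bot: The added resets of `bs->sg`, `bs->growable` and `bs->backing_file[0]` do not say why these fields, and only these, are cleared ahead of `drv->bdrv_open`; a comment such as `/* Reset per-open state that .bdrv_open() may set; anything not reset here survives a bdrv_close()/bdrv_open() cycle. */` would guide future additions. If this tree's BlockDriverState also carries a `backing_format[]` array, it is not cleared alongside `backing_file` and would carry a stale value into the next open; the struct is outside this hunk, so check it. The `!!` form for `enable_write_cache` is the right fix, since the old conditional left a stale 1 in place when reopening without BDRV_O_CACHE_WB.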
@@ -0,0 +1,111 @@ +From a3cc0cf8b185043fbd1f9b893c1c20f90efb1d06 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Fri, 21 Oct 2011 15:59:07 +0200 +Subject: [PATCH] qxl: stride fixup +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +spice uses negative stride value to signal the bitmap is upside down. +The qxl renderer (used for scl, vnc and screenshots) wants a positive +value because it is easier to work with. The positive value is then +stored in the very same variable, which has the drawback that the +upside-down test works only once. Fix by using two variables. + +Signed-off-by: Gerd Hoffmann +(cherry picked from commit 0e2487bd6f56445b43307536a465ee2ba810aed9) + +Signed-off-by: Bruce Rogers +[AF: backported] +Signed-off-by: Andreas Färber +--- + hw/qxl-render.c | 23 ++++++++++++----------- + hw/qxl.h | 3 ++- + 2 files changed, 14 insertions(+), 12 deletions(-) + +diff --git a/hw/qxl-render.c b/hw/qxl-render.c +index 1316066..104d79b 100644 +--- a/hw/qxl-render.c ++++ b/hw/qxl-render.c +@@ -28,16 +28,16 @@ static void qxl_flip(PCIQXLDevice *qxl, QXLRect *rect) + int len, i; + + src += (qxl->guest_primary.surface.height - rect->top - 1) * +- qxl->guest_primary.stride; +- dst += rect->top * qxl->guest_primary.stride; ++ qxl->guest_primary.abs_stride; ++ dst += rect->top * qxl->guest_primary.abs_stride; + src += rect->left * qxl->guest_primary.bytes_pp; + dst += rect->left * qxl->guest_primary.bytes_pp; + len = (rect->right - rect->left) * qxl->guest_primary.bytes_pp; + + for (i = rect->top; i < rect->bottom; i++) { + memcpy(dst, src, len); +- dst += qxl->guest_primary.stride; +- src -= qxl->guest_primary.stride; ++ dst += qxl->guest_primary.abs_stride; ++ src -= qxl->guest_primary.abs_stride; + } + } + +@@ -45,7 +45,8 @@ void qxl_render_resize(PCIQXLDevice *qxl) + { + QXLSurfaceCreate *sc = &qxl->guest_primary.surface; + +- qxl->guest_primary.stride = sc->stride; ++ qxl->guest_primary.qxl_stride = sc->stride; ++ 
qxl->guest_primary.abs_stride = abs(sc->stride); + qxl->guest_primary.resized++; + switch (sc->format) { + case SPICE_SURFACE_FMT_16_555: +@@ -87,11 +88,11 @@ void qxl_render_update(PCIQXLDevice *qxl) + qemu_free_displaysurface(vga->ds); + + qxl->guest_primary.data = qemu_get_ram_ptr(qxl->vga.vram_offset); +- if (qxl->guest_primary.stride < 0) { ++ if (qxl->guest_primary.qxl_stride < 0) { + /* spice surface is upside down -> need extra buffer to flip */ +- qxl->guest_primary.stride = -qxl->guest_primary.stride; +- qxl->guest_primary.flipped = qemu_malloc(qxl->guest_primary.surface.width * +- qxl->guest_primary.stride); ++ qxl->guest_primary.flipped = ++ qemu_malloc(qxl->guest_primary.surface.width * ++ qxl->guest_primary.abs_stride); + ptr = qxl->guest_primary.flipped; + } else { + ptr = qxl->guest_primary.data; +@@ -100,7 +101,7 @@ void qxl_render_update(PCIQXLDevice *qxl) + __FUNCTION__, + qxl->guest_primary.surface.width, + qxl->guest_primary.surface.height, +- qxl->guest_primary.stride, ++ qxl->guest_primary.qxl_stride, + qxl->guest_primary.bytes_pp, + qxl->guest_primary.bits_pp, + qxl->guest_primary.flipped ? "yes" : "no"); +@@ -108,7 +109,7 @@ void qxl_render_update(PCIQXLDevice *qxl) + qemu_create_displaysurface_from(qxl->guest_primary.surface.width, + qxl->guest_primary.surface.height, + qxl->guest_primary.bits_pp, +- qxl->guest_primary.stride, ++ qxl->guest_primary.abs_stride, + ptr); + dpy_resize(vga->ds); + } +diff --git a/hw/qxl.h b/hw/qxl.h +index f6c450d..c05998a 100644 +--- a/hw/qxl.h ++++ b/hw/qxl.h +@@ -42,7 +42,8 @@ typedef struct PCIQXLDevice { + QXLSurfaceCreate surface; + uint32_t commands; + uint32_t resized; +- int32_t stride; ++ int32_t qxl_stride; ++ uint32_t abs_stride; + uint32_t bits_pp; + uint32_t bytes_pp; + uint8_t *data, *flipped; +-- +1.7.11.2 + diff --git a/0228-vmdk-Fix-possible-segfaults.patch b/0228-vmdk-Fix-possible-segfaults.patch new file mode 100644 index 0000000..c722c6c --- /dev/null 
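Review bot: `abs(sc->stride)` on the guest-supplied surface stride is undefined for INT32_MIN and the result is then stored in a uint32, and in qxl_render_update the flip buffer is sized `surface.width * abs_stride` although qxl_flip writes rows `rect->top` through `rect->bottom` at `abs_stride` bytes each, which is a height-based size; both factors are guest-controlled 32-bit values with no overflow check before qemu_malloc(). If height exceeds width the flip loop writes past the allocation, unless width, height and stride are validated at surface creation, which is outside this hunk. Compute the magnitude without abs(), `sc->stride < 0 ? 0u - (uint32_t)sc->stride : (uint32_t)sc->stride`, and size the buffer as `qemu_malloc((size_t)qxl->guest_primary.surface.height * qxl->guest_primary.abs_stride)` after rejecting a height times stride that exceeds the VRAM region.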
+++ b/0228-vmdk-Fix-possible-segfaults.patch @@ -0,0 +1,55 @@ +From f51851ea928882bd3d49cbb6d953723294239d8a Mon Sep 17 00:00:00 2001 +From: Kevin Wolf +Date: Wed, 26 Oct 2011 12:25:52 +0200 +Subject: [PATCH] vmdk: Fix possible segfaults +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Data we read from the disk isn't necessarily null terminated and may not +contain the string we're looking for. The code needs to be a bit more careful +here. + +Signed-off-by: Kevin Wolf +(cherry picked from commit 93897b9fd43548e9c15cf8bece2d9e5174b01fc7) + +Signed-off-by: Bruce Rogers +Signed-off-by: Andreas Färber +--- + block/vmdk.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/block/vmdk.c b/block/vmdk.c +index 8284747..f4fce08 100644 +--- a/block/vmdk.c ++++ b/block/vmdk.c +@@ -196,6 +196,7 @@ static uint32_t vmdk_read_cid(BlockDriverState *bs, int parent) + cid_str_size = sizeof("CID"); + } + ++ desc[DESC_SIZE - 1] = '\0'; + p_name = strstr(desc, cid_str); + if (p_name != NULL) { + p_name += cid_str_size; +@@ -212,13 +213,17 @@ static int vmdk_write_cid(BlockDriverState *bs, uint32_t cid) + BDRVVmdkState *s = bs->opaque; + int ret; + +- memset(desc, 0, sizeof(desc)); + ret = bdrv_pread(bs->file, s->desc_offset, desc, DESC_SIZE); + if (ret < 0) { + return ret; + } + ++ desc[DESC_SIZE - 1] = '\0'; + tmp_str = strstr(desc, "parentCID"); ++ if (tmp_str == NULL) { ++ return -EINVAL; ++ } ++ + pstrcpy(tmp_desc, sizeof(tmp_desc), tmp_str); + p_name = strstr(desc, "CID"); + if (p_name != NULL) { +-- +1.7.11.2 + diff --git a/0229-pc-Fix-floppy-drives-with-if-none.patch b/0229-pc-Fix-floppy-drives-with-if-none.patch new file mode 100644 index 0000000..1d40a24 --- /dev/null +++ b/0229-pc-Fix-floppy-drives-with-if-none.patch 
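Review bot: The terminator added in vmdk_read_cid makes the strstr() safe, but the `p_name += cid_str_size;` that follows can still step past the buffer: when `cid_str` matches in the last bytes of `desc`, `p_name + cid_str_size` lands at or beyond `desc + DESC_SIZE`, and the number parse that presumably follows (outside the hunk) reads off the end of the stack buffer. Guard the match: `if (p_name != NULL && p_name + cid_str_size < desc + DESC_SIZE) {`. In vmdk_write_cid the removed memset also means that if bdrv_pread() can return fewer than DESC_SIZE bytes (the `ret < 0` check above accepts that) the bytes between the data and the new terminator are uninitialised; keeping `memset(desc, 0, sizeof(desc));` before the read is cheap insurance.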
@@ -0,0 +1,204 @@ +From 03ff3683be1e3a4e9644150b7f12f046374dcbcd Mon Sep 17 00:00:00 2001 +From: Kevin Wolf +Date: Thu, 20 Oct 2011 16:37:26 +0200 +Subject: [PATCH] pc: Fix floppy drives with if=none +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Commit 63ffb564 broke floppy devices specified on the command line like +-drive file=...,if=none,id=floppy -global isa-fdc.driveA=floppy because it +relies on drive_get() which works only with -fda/-drive if=floppy. + +This patch resembles what we're already doing for IDE, i.e. remember the floppy +device that was created and use that to extract the BlockDriverStates where +needed. + +Signed-off-by: Kevin Wolf +Reviewed-by: Markus Armbruster +(cherry picked from commit 34d4260e1846d69d7241f690534e3dd4b3e6fd5b) + +[BR: bnc#733777] +Signed-off-by: Bruce Rogers +[AF: backported] +Signed-off-by: Andreas Färber +--- + hw/fdc.c | 12 ++++++++++++ + hw/fdc.h | 9 +++++++-- + hw/pc.c | 25 ++++++++++++++----------- + hw/pc.h | 3 ++- + hw/pc_piix.c | 5 +++-- + 5 files changed, 38 insertions(+), 16 deletions(-) + +diff --git a/hw/fdc.c b/hw/fdc.c +index 9fdbc75..cf675ce 100644 +--- a/hw/fdc.c ++++ b/hw/fdc.c +@@ -1911,6 +1911,18 @@ static int sun4m_fdc_init1(SysBusDevice *dev) + return fdctrl_init_common(fdctrl); + } + ++void fdc_get_bs(BlockDriverState *bs[], ISADevice *dev) ++{ ++ FDCtrlISABus *isa = DO_UPCAST(FDCtrlISABus, busdev, dev); ++ FDCtrl *fdctrl = &isa->state; ++ int i; ++ ++ for (i = 0; i < MAX_FD; i++) { ++ bs[i] = fdctrl->drives[i].bs; ++ } ++} ++ ++ + static const VMStateDescription vmstate_isa_fdc ={ + .name = "fdc", + .version_id = 2, +diff --git a/hw/fdc.h b/hw/fdc.h +index 09f73c6..506feb6 100644 +--- a/hw/fdc.h ++++ b/hw/fdc.h +@@ -7,14 +7,15 @@ + /* fdc.c */ + #define MAX_FD 2 + +-static inline void fdctrl_init_isa(DriveInfo **fds) ++static inline ISADevice *fdctrl_init_isa(DriveInfo **fds) + { + ISADevice *dev; + + dev = isa_try_create("isa-fdc"); + if (!dev) { +- 
return; ++ return NULL; + } ++ + if (fds[0]) { + qdev_prop_set_drive_nofail(&dev->qdev, "driveA", fds[0]->bdrv); + } +@@ -22,10 +23,14 @@ static inline void fdctrl_init_isa(DriveInfo **fds) + qdev_prop_set_drive_nofail(&dev->qdev, "driveB", fds[1]->bdrv); + } + qdev_init_nofail(&dev->qdev); ++ ++ return dev; + } + + void fdctrl_init_sysbus(qemu_irq irq, int dma_chann, + target_phys_addr_t mmio_base, DriveInfo **fds); + void sun4m_fdctrl_init(qemu_irq irq, target_phys_addr_t io_base, + DriveInfo **fds, qemu_irq *fdc_tc); ++void fdc_get_bs(BlockDriverState *bs[], ISADevice *dev); ++ + #endif +diff --git a/hw/pc.c b/hw/pc.c +index 14ce684..1d2b61e 100644 +--- a/hw/pc.c ++++ b/hw/pc.c +@@ -333,12 +333,12 @@ static void pc_cmos_init_late(void *opaque) + + void pc_cmos_init(ram_addr_t ram_size, ram_addr_t above_4g_mem_size, + const char *boot_device, +- BusState *idebus0, BusState *idebus1, ++ ISADevice *floppy, BusState *idebus0, BusState *idebus1, + ISADevice *s) + { + int val, nb, nb_heads, max_track, last_sect, i; + FDriveType fd_type[2]; +- DriveInfo *fd[2]; ++ BlockDriverState *fd[MAX_FD]; + static pc_cmos_init_late_arg arg; + + /* various important CMOS locations needed by PC/Bochs bios */ +@@ -380,14 +380,16 @@ void pc_cmos_init(ram_addr_t ram_size, ram_addr_t above_4g_mem_size, + } + + /* floppy type */ +- for (i = 0; i < 2; i++) { +- fd[i] = drive_get(IF_FLOPPY, 0, i); +- if (fd[i] && bdrv_is_inserted(fd[i]->bdrv)) { +- bdrv_get_floppy_geometry_hint(fd[i]->bdrv, &nb_heads, &max_track, +- &last_sect, FDRIVE_DRV_NONE, +- &fd_type[i]); +- } else { +- fd_type[i] = FDRIVE_DRV_NONE; ++ if (floppy) { ++ fdc_get_bs(fd, floppy); ++ for (i = 0; i < 2; i++) { ++ if (fd[i] && bdrv_is_inserted(fd[i])) { ++ bdrv_get_floppy_geometry_hint(fd[i], &nb_heads, &max_track, ++ &last_sect, FDRIVE_DRV_NONE, ++ &fd_type[i]); ++ } else { ++ fd_type[i] = FDRIVE_DRV_NONE; ++ } + } + } + val = (cmos_get_fd_drive_type(fd_type[0]) << 4) | +@@ -1091,6 +1093,7 @@ static void 
cpu_request_exit(void *opaque, int irq, int level) + + void pc_basic_device_init(qemu_irq *isa_irq, + ISADevice **rtc_state, ++ ISADevice **floppy, + bool no_vmport) + { + int i; +@@ -1155,7 +1158,7 @@ void pc_basic_device_init(qemu_irq *isa_irq, + for(i = 0; i < MAX_FD; i++) { + fd[i] = drive_get(IF_FLOPPY, 0, i); + } +- fdctrl_init_isa(fd); ++ *floppy = fdctrl_init_isa(fd); + } + + void pc_pci_device_init(PCIBus *pci_bus) +diff --git a/hw/pc.h b/hw/pc.h +index 6d5730b..24b7fe2 100644 +--- a/hw/pc.h ++++ b/hw/pc.h +@@ -138,11 +138,12 @@ qemu_irq *pc_allocate_cpu_irq(void); + void pc_vga_init(PCIBus *pci_bus); + void pc_basic_device_init(qemu_irq *isa_irq, + ISADevice **rtc_state, ++ ISADevice **floppy, + bool no_vmport); + void pc_init_ne2k_isa(NICInfo *nd); + void pc_cmos_init(ram_addr_t ram_size, ram_addr_t above_4g_mem_size, + const char *boot_device, +- BusState *ide0, BusState *ide1, ++ ISADevice *floppy, BusState *ide0, BusState *ide1, + ISADevice *s); + void pc_pci_device_init(PCIBus *pci_bus); + +diff --git a/hw/pc_piix.c b/hw/pc_piix.c +index 31552fd..b8e0841 100644 +--- a/hw/pc_piix.c ++++ b/hw/pc_piix.c +@@ -89,6 +89,7 @@ static void pc_init1(ram_addr_t ram_size, + DriveInfo *hd[MAX_IDE_BUS * MAX_IDE_DEVS]; + BusState *idebus[MAX_IDE_BUS]; + ISADevice *rtc_state; ++ ISADevice *floppy; + + pc_cpus_init(cpu_model); + +@@ -141,7 +142,7 @@ static void pc_init1(ram_addr_t ram_size, + } + + /* init basic PC hardware */ +- pc_basic_device_init(isa_irq, &rtc_state, xen_enabled()); ++ pc_basic_device_init(isa_irq, &rtc_state, &floppy, xen_enabled()); + + for(i = 0; i < nb_nics; i++) { + NICInfo *nd = &nd_table[i]; +@@ -170,7 +171,7 @@ static void pc_init1(ram_addr_t ram_size, + audio_init(isa_irq, pci_enabled ? 
pci_bus : NULL); + + pc_cmos_init(below_4g_mem_size, above_4g_mem_size, boot_device, +- idebus[0], idebus[1], rtc_state); ++ floppy, idebus[0], idebus[1], rtc_state); + + if (pci_enabled && usb_enabled) { + usb_uhci_piix3_init(pci_bus, piix3_devfn + 2); +-- +1.7.11.2 + diff --git a/0230-cpu-common-Have-a-ram_addr_t-of-uint64-with-Xen.patch b/0230-cpu-common-Have-a-ram_addr_t-of-uint64-with-Xen.patch new file mode 100644 index 0000000..1fe3b1e --- /dev/null +++ b/0230-cpu-common-Have-a-ram_addr_t-of-uint64-with-Xen.patch 
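Review bot: In pc_cmos_init, `FDriveType fd_type[2];` is now only filled inside `if (floppy)`, so when fdctrl_init_isa() returns NULL (the new `return NULL;` when isa_try_create fails) the `val = (cmos_get_fd_drive_type(fd_type[0]) << 4) |` line at the end of that hunk reads two uninitialised values. The old loop always assigned both entries; restoring that guarantee takes one change to the declaration, `FDriveType fd_type[2] = { FDRIVE_DRV_NONE, FDRIVE_DRV_NONE };`. For consistency with fdc_get_bs(), which fills `MAX_FD` entries into `fd[MAX_FD]`, the new loop should also bound on `MAX_FD` rather than the literal 2. pc_cmos_init and pc_basic_device_init both continue outside their hunks.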
@@ -0,0 +1,97 @@ +From 7baf1e0bf54096eceb4c4553c9212599454cd83d Mon Sep 17 00:00:00 2001 +From: Anthony PERARD +Date: Wed, 20 Jul 2011 08:17:42 +0000 +Subject: [PATCH] cpu-common: Have a ram_addr_t of uint64 with Xen. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +In Xen case, memory can be bigger than the host memory. that mean a +32bits host (and QEMU) should be able to handle a RAM address of 64bits. + +Signed-off-by: Anthony PERARD +Signed-off-by: Alexander Graf +(cherry picked from commit f15fbc4bd1a24bd1477a846e63e62c6d435912f8) + +Signed-off-by: Andreas Färber +--- + cpu-common.h | 8 ++++++++ + exec.c | 9 +++++---- + xen-all.c | 2 +- + 3 files changed, 14 insertions(+), 5 deletions(-) + +diff --git a/cpu-common.h b/cpu-common.h +index 44b04b3..0700101 100644 +--- a/cpu-common.h ++++ b/cpu-common.h +@@ -27,7 +27,15 @@ enum device_endian { + }; + + /* address in the RAM (different from a physical address) */ ++#if defined(CONFIG_XEN_BACKEND) && TARGET_PHYS_ADDR_BITS == 64 ++typedef uint64_t ram_addr_t; ++# define RAM_ADDR_MAX UINT64_MAX ++# define RAM_ADDR_FMT "%" PRIx64 ++#else + typedef unsigned long ram_addr_t; ++# define RAM_ADDR_MAX ULONG_MAX ++# define RAM_ADDR_FMT "%lx" ++#endif + + /* memory API */ + +diff --git a/exec.c b/exec.c +index 2160ded..6fb589b 100644 +--- a/exec.c ++++ b/exec.c +@@ -2863,13 +2863,13 @@ static void *file_ram_alloc(RAMBlock *block, + static ram_addr_t find_ram_offset(ram_addr_t size) + { + RAMBlock *block, *next_block; +- ram_addr_t offset = 0, mingap = ULONG_MAX; ++ ram_addr_t offset = 0, mingap = RAM_ADDR_MAX; + + if (QLIST_EMPTY(&ram_list.blocks)) + return 0; + + QLIST_FOREACH(block, &ram_list.blocks, next) { +- ram_addr_t end, next = ULONG_MAX; ++ ram_addr_t end, next = RAM_ADDR_MAX; + + end = block->offset + block->length; + +@@ -3081,7 +3081,8 @@ void qemu_ram_remap(ram_addr_t addr, ram_addr_t length) + #endif + } + if (area != vaddr) { +- fprintf(stderr, "Could not remap 
addr: %lx@%lx\n", ++ fprintf(stderr, "Could not remap addr: " ++ RAM_ADDR_FMT "@" RAM_ADDR_FMT "\n", + length, addr); + exit(1); + } +@@ -4052,7 +4053,7 @@ void *cpu_physical_memory_map(target_phys_addr_t addr, + target_phys_addr_t page; + unsigned long pd; + PhysPageDesc *p; +- ram_addr_t raddr = ULONG_MAX; ++ ram_addr_t raddr = RAM_ADDR_MAX; + ram_addr_t rlen; + void *ret; + +diff --git a/xen-all.c b/xen-all.c +index 167bed6..8f2556a 100644 +--- a/xen-all.c ++++ b/xen-all.c +@@ -184,7 +184,7 @@ void xen_ram_alloc(ram_addr_t ram_addr, ram_addr_t size) + } + + if (xc_domain_populate_physmap_exact(xen_xc, xen_domid, nr_pfn, 0, 0, pfn_list)) { +- hw_error("xen: failed to populate ram at %lx", ram_addr); ++ hw_error("xen: failed to populate ram at " RAM_ADDR_FMT, ram_addr); + } + + qemu_free(pfn_list); +-- +1.7.11.2 + diff --git a/0231-Error-check-find_ram_offset.patch b/0231-Error-check-find_ram_offset.patch new file mode 100644 index 0000000..e4b3497 --- /dev/null +++ b/0231-Error-check-find_ram_offset.patch 
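Review bot: The new `#if defined(CONFIG_XEN_BACKEND) && TARGET_PHYS_ADDR_BITS == 64` silently selects the `unsigned long` branch if TARGET_PHYS_ADDR_BITS is not defined at that point in cpu-common.h, because an undefined macro evaluates to 0 inside `#if`; a preceding `#if !defined(TARGET_PHYS_ADDR_BITS)` / `#error` pair would turn that into a build failure instead of a wrong-sized ram_addr_t on a 32-bit Xen host. The patch converts the three `%lx` users it touches, but on such a host any other format string that still prints a ram_addr_t with `%lx` becomes a type-mismatched printf, so a tree-wide check of ram_addr_t arguments to `%lx` is warranted before this is merged. `RAM_ADDR_FMT` expands to `PRIx64`, which needs <inttypes.h> in scope wherever cpu-common.h is included; whether that holds is not visible here.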
@@ -0,0 +1,58 @@ +From 75f2b558df8c3ccd8b980eedf2f4aef8b217587e Mon Sep 17 00:00:00 2001 +From: Alex Williamson +Date: Mon, 31 Oct 2011 08:54:09 -0600 +Subject: [PATCH] Error check find_ram_offset +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Spotted via code review, we initialize offset to 0 to avoid a +compiler warning, but in the unlikely case that offset is +never set to something else, we should abort instead of return +a value that will almost certainly cause problems. + +Signed-off-by: Alex Williamson +Signed-off-by: Anthony Liguori +(cherry picked from commit 3e837b2c05bc63fe2226baf3c29923d5a688593f) + +Signed-off-by: Bruce Rogers +Signed-off-by: Andreas Färber +--- + exec.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/exec.c b/exec.c +index 6fb589b..537a49f 100644 +--- a/exec.c ++++ b/exec.c +@@ -2863,7 +2863,7 @@ static void *file_ram_alloc(RAMBlock *block, + static ram_addr_t find_ram_offset(ram_addr_t size) + { + RAMBlock *block, *next_block; +- ram_addr_t offset = 0, mingap = RAM_ADDR_MAX; ++ ram_addr_t offset = RAM_ADDR_MAX, mingap = RAM_ADDR_MAX; + + if (QLIST_EMPTY(&ram_list.blocks)) + return 0; +@@ -2879,10 +2879,17 @@ static ram_addr_t find_ram_offset(ram_addr_t size) + } + } + if (next - end >= size && next - end < mingap) { +- offset = end; ++ offset = end; + mingap = next - end; + } + } ++ ++ if (offset == RAM_ADDR_MAX) { ++ fprintf(stderr, "Failed to find gap of requested size: %" PRIu64 "\n", ++ (uint64_t)size); ++ abort(); ++ } ++ + return offset; + } + +-- +1.7.11.2 + diff --git a/0232-pc-add-pc-0.15.patch b/0232-pc-add-pc-0.15.patch new file mode 100644 index 0000000..aaefe27 --- /dev/null +++ b/0232-pc-add-pc-0.15.patch 
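Review bot: The `offset = end;` line is removed and re-added with no visible difference, which looks like an indentation-only fix folded into a functional change; keeping whitespace-only edits out of a cherry-picked fix makes the backport easier to verify against the upstream commit it names. The abort() is the right call for an allocator that cannot satisfy a request, but a one-line comment above the check, `/* no gap large enough: a bogus offset would corrupt ram_list, so fail loudly */`, records in the code why this is fatal rather than an error return. find_ram_offset is shown in full apart from the elided middle of its loop.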
@@ -0,0 +1,73 @@ +From 60d8ce5610a8b24ff298d6cb3d9abbd2e6f046bd Mon Sep 17 00:00:00 2001 +From: Anthony Liguori +Date: Sun, 18 Dec 2011 12:59:12 -0600 +Subject: [PATCH] pc: add pc-0.15 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Anthony Liguori +(cherry picked from commit ce01a508e8053350544c88ba68a3f90c44b6bb93) + +[BR: bnc#741460] +Signed-off-by: Bruce Rogers +[AF: backported] +Signed-off-by: Andreas Färber +--- + hw/pc_piix.c | 26 +++++++++++++++++++++++--- + 1 file changed, 23 insertions(+), 3 deletions(-) + +diff --git a/hw/pc_piix.c b/hw/pc_piix.c +index b8e0841..20bac9d 100644 +--- a/hw/pc_piix.c ++++ b/hw/pc_piix.c +@@ -258,8 +258,8 @@ static void pc_xen_hvm_init(ram_addr_t ram_size, + } + #endif + +-static QEMUMachine pc_machine = { +- .name = "pc-0.14", ++static QEMUMachine pc_machine_v0_15 = { ++ .name = "pc-0.15", + .alias = "pc", + .desc = "Standard PC", + .init = pc_init_pci, +@@ -267,6 +267,25 @@ static QEMUMachine pc_machine = { + .is_default = 1, + }; + ++static QEMUMachine pc_machine_v0_14 = { ++ .name = "pc-0.14", ++ .desc = "Standard PC", ++ .init = pc_init_pci, ++ .max_cpus = 255, ++ .compat_props = (GlobalProperty[]) { ++ { ++ .driver = "qxl", ++ .property = "revision", ++ .value = stringify(2), ++ },{ ++ .driver = "qxl-vga", ++ .property = "revision", ++ .value = stringify(2), ++ }, ++ { /* end of list */ } ++ }, ++}; ++ + static QEMUMachine pc_machine_v0_13 = { + .name = "pc-0.13", + .desc = "Standard PC", +@@ -498,7 +517,8 @@ static QEMUMachine xenfv_machine = { + + static void pc_machine_init(void) + { +- qemu_register_machine(&pc_machine); ++ qemu_register_machine(&pc_machine_v0_15); ++ qemu_register_machine(&pc_machine_v0_14); + qemu_register_machine(&pc_machine_v0_13); + qemu_register_machine(&pc_machine_v0_12); + qemu_register_machine(&pc_machine_v0_11); +-- +1.7.11.2 + 
diff --git a/0233-pc-fix-event_idx-compatibility-for-virtio-devices.patch b/0233-pc-fix-event_idx-compatibility-for-virtio-devices.patch new file mode 100644 index 0000000..7ad890a --- /dev/null +++ b/0233-pc-fix-event_idx-compatibility-for-virtio-devices.patch 
@@ -0,0 +1,95 @@ +From 3cc7ef743b3f04ff986c820f67444d2dec946167 Mon Sep 17 00:00:00 2001 +From: Anthony Liguori +Date: Sun, 18 Dec 2011 13:07:03 -0600 +Subject: [PATCH] pc: fix event_idx compatibility for virtio devices +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +event_idx was introduced in 0.15 and must be disabled for all virtio-pci devices +(including virtio-balloon-pci). + +Signed-off-by: Anthony Liguori +(cherry picked from commit ea830ebb74461c5ad6d199857fb000d2e0284c69) + +[BR: bnc#741460] +Signed-off-by: Bruce Rogers +Signed-off-by: Andreas Färber +--- + hw/pc_piix.c | 32 ++++++++++++++++++++++++++++++++ + 1 file changed, 32 insertions(+) + +diff --git a/hw/pc_piix.c b/hw/pc_piix.c +index 20bac9d..b179465 100644 +--- a/hw/pc_piix.c ++++ b/hw/pc_piix.c +@@ -281,6 +281,22 @@ static QEMUMachine pc_machine_v0_14 = { + .driver = "qxl-vga", + .property = "revision", + .value = stringify(2), ++ },{ ++ .driver = "virtio-blk-pci", ++ .property = "event_idx", ++ .value = "off", ++ },{ ++ .driver = "virtio-serial-pci", ++ .property = "event_idx", ++ .value = "off", ++ },{ ++ .driver = "virtio-net-pci", ++ .property = "event_idx", ++ .value = "off", ++ },{ ++ .driver = "virtio-balloon-pci", ++ .property = "event_idx", ++ .value = "off", + }, + { /* end of list */ } + }, +@@ -321,6 +337,10 @@ static QEMUMachine pc_machine_v0_13 = { + .property = "event_idx", + .value = "off", + },{ ++ .driver = "virtio-balloon-pci", ++ .property = "event_idx", ++ .value = "off", ++ },{ + .driver = "AC97", + .property = "use_broken_id", + .value = stringify(1), +@@ -368,6 +388,10 @@ static QEMUMachine pc_machine_v0_12 = { + .property = "event_idx", + .value = "off", + },{ ++ .driver = "virtio-balloon-pci", ++ .property = "event_idx", ++ .value = "off", ++ },{ + .driver = "AC97", + .property = "use_broken_id", + .value = stringify(1), +@@ -423,6 +447,10 @@ static QEMUMachine pc_machine_v0_11 = { + .property = "event_idx", + .value = 
"off", + },{ ++ .driver = "virtio-balloon-pci", ++ .property = "event_idx", ++ .value = "off", ++ },{ + .driver = "AC97", + .property = "use_broken_id", + .value = stringify(1), +@@ -490,6 +518,10 @@ static QEMUMachine pc_machine_v0_10 = { + .property = "event_idx", + .value = "off", + },{ ++ .driver = "virtio-balloon-pci", ++ .property = "event_idx", ++ .value = "off", ++ },{ + .driver = "AC97", + .property = "use_broken_id", + .value = stringify(1), +-- +1.7.11.2 + diff --git a/0234-Add-missing-trace-call-to-oslib-posix.c-qemu_vmalloc.patch b/0234-Add-missing-trace-call-to-oslib-posix.c-qemu_vmalloc.patch new file mode 100644 index 0000000..2585cb5 --- /dev/null +++ b/0234-Add-missing-trace-call-to-oslib-posix.c-qemu_vmalloc.patch @@ -0,0 +1,37 @@ +From 601465e71b720e1e54911bbd67e2d02cd4904f0d Mon Sep 17 00:00:00 2001 +From: Jes Sorensen +Date: Mon, 25 Jul 2011 17:13:36 +0200 +Subject: [PATCH] Add missing trace call to oslib-posix.c:qemu_vmalloc() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Acked-by: Stefan Hajnoczi +Signed-off-by: Jes Sorensen +Signed-off-by: Anthony Liguori +(cherry picked from commit c7f4111a06208b46c6d05934d2a1e5cfbebc0180) + +Signed-off-by: Andreas Färber +--- + oslib-posix.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/oslib-posix.c b/oslib-posix.c +index 3a18e86..196099c 100644 +--- a/oslib-posix.c ++++ b/oslib-posix.c +@@ -79,7 +79,10 @@ void *qemu_memalign(size_t alignment, size_t size) + /* alloc shared memory pages */ + void *qemu_vmalloc(size_t size) + { +- return qemu_memalign(getpagesize(), size); ++ void *ptr; ++ ptr = qemu_memalign(getpagesize(), size); ++ trace_qemu_vmalloc(size, ptr); ++ return ptr; + } + + void qemu_vfree(void *ptr) +-- +1.7.11.2 + diff --git a/0235-qemu_vmalloc-align-properly-for-transparent-hugepage.patch b/0235-qemu_vmalloc-align-properly-for-transparent-hugepage.patch new file mode 100644 index 0000000..bb9cde2 --- /dev/null 
+++ b/0235-qemu_vmalloc-align-properly-for-transparent-hugepage.patch @@ -0,0 +1,61 @@ +From d12ac10d3ce10d3e1c9b23aeca397caa74be49d3 Mon Sep 17 00:00:00 2001 +From: Avi Kivity +Date: Mon, 5 Sep 2011 11:07:05 +0300 +Subject: [PATCH] qemu_vmalloc: align properly for transparent hugepages and + KVM +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +To make good use of transparent hugepages, KVM requires that guest-physical +and host-virtual addresses share the low 21 bits (as opposed to just the low +12 bits normally required). + +Adjust qemu_vmalloc() to honor that requirement. Ignore it for small regions +to avoid fragmentation. + +Signed-off-by: Avi Kivity +Signed-off-by: Anthony Liguori +(cherry picked from commit 36b586284e678da28df3af9fd0907d2b16f9311c) + +Signed-off-by: Bruce Rogers +Signed-off-by: Andreas Färber +--- + oslib-posix.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/oslib-posix.c b/oslib-posix.c +index 196099c..a304fb0 100644 +--- a/oslib-posix.c ++++ b/oslib-posix.c +@@ -35,6 +35,13 @@ + extern int daemon(int, int); + #endif + ++#if defined(__linux__) && defined(__x86_64__) ++ /* Use 2MB alignment so transparent hugepages can be used by KVM */ ++# define QEMU_VMALLOC_ALIGN (512 * 4096) ++#else ++# define QEMU_VMALLOC_ALIGN getpagesize() ++#endif ++ + #include "config-host.h" + #include "sysemu.h" + #include "trace.h" +@@ -80,7 +87,12 @@ void *qemu_memalign(size_t alignment, size_t size) + void *qemu_vmalloc(size_t size) + { + void *ptr; +- ptr = qemu_memalign(getpagesize(), size); ++ size_t align = QEMU_VMALLOC_ALIGN; ++ ++ if (size < align) { ++ align = getpagesize(); ++ } ++ ptr = qemu_memalign(align, size); + trace_qemu_vmalloc(size, ptr); + return ptr; + } +-- +1.7.11.2 + diff --git a/0236-block-vpc-write-checksum-back-to-footer-after-check.patch b/0236-block-vpc-write-checksum-back-to-footer-after-check.patch new file mode 100644 index 0000000..f35383d 
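Review bot: `QEMU_VMALLOC_ALIGN` is defined as `(512 * 4096)` while the comment and the commit message talk about 2MB and the low 21 bits; spelling it `(2 * 1024 * 1024)` makes the constant match its own documentation. On the `#else` branch the macro expands to a `getpagesize()` call, so `size_t align = QEMU_VMALLOC_ALIGN;` is a function call on non-x86_64 hosts even though it reads like a constant — a short comment on the `#else` definition, `/* expands to a call: page size is only known at run time */`, avoids surprising the next reader. qemu_vmalloc is shown in full.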
--- /dev/null +++ b/0236-block-vpc-write-checksum-back-to-footer-after-check.patch @@ -0,0 +1,41 @@ +From add89f969fc86f3b3223c4283ee49fcb507b8f81 Mon Sep 17 00:00:00 2001 +From: Zhang Shengju +Date: Tue, 13 Mar 2012 22:38:13 +0800 +Subject: [PATCH] block/vpc: write checksum back to footer after check +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +After validation check, the 'checksum' is not written back +to footer, which leave it with zero. + +This results in errors while loadding it under Microsoft's +Hyper-V environment, and also errors from utilities like +Citrix's vhd-util. + +Signed-off-by: Zhang Shengju +Signed-off-by: Kevin Wolf +(cherry picked from commit c088b691363070d151f80cc1fde4b7c151bdfe8f) + +Signed-off-by: Andreas Färber +--- + block/vpc.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/block/vpc.c b/block/vpc.c +index ac33e15..55201e2 100644 +--- a/block/vpc.c ++++ b/block/vpc.c +@@ -170,6 +170,9 @@ static int vpc_open(BlockDriverState *bs, int flags) + fprintf(stderr, "block-vpc: The header checksum of '%s' is " + "incorrect.\n", bs->filename); + ++ /* Write 'checksum' back to footer, or else will leave it with zero. */ ++ footer->checksum = be32_to_cpu(checksum); ++ + // The visible size of a image in Virtual PC depends on the geometry + // rather than on the size stored in the footer (the size in the footer + // is too large usually) +-- +1.7.11.2 + diff --git a/0237-bt-host-add-missing-break-statement.patch b/0237-bt-host-add-missing-break-statement.patch new file mode 100644 index 0000000..8f72237 --- /dev/null +++ b/0237-bt-host-add-missing-break-statement.patch 
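Review bot: `footer->checksum = be32_to_cpu(checksum);` converts in the wrong direction for storing into an on-disk big-endian field; `footer->checksum = cpu_to_be32(checksum);` is the documented direction, even though both produce the same bytes for a 32-bit value on every host. The assignment is also unconditional, so an image whose footer just failed the check above is silently given the recomputed checksum in memory; if that footer is ever written back the evidence of corruption is lost, which deserves either a comment stating that this is intended or a condition on the check having passed (whether the footer is written back is not visible here). vpc_open starts and ends outside the hunk.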
@@ -0,0 +1,36 @@ +From 557393c06af445a23f65667d16d1ff43b5d7ae6d Mon Sep 17 00:00:00 2001 +From: Stefan Hajnoczi +Date: Thu, 12 Jan 2012 14:17:04 +0000 +Subject: [PATCH] bt-host: add missing break statement +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The switch statement in bt_host_read() is missing a break in one case. +Andrzej Zaborowski confirmed that this is +not an intentional fall-through. + +Reviewed-by: Stefan Weil +Signed-off-by: Stefan Hajnoczi +(cherry picked from commit f7253270fc66a60e4faf639a3c4ce0b352553b24) + +Signed-off-by: Andreas Färber +--- + bt-host.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/bt-host.c b/bt-host.c +index 095254d..df59494 100644 +--- a/bt-host.c ++++ b/bt-host.c +@@ -130,6 +130,7 @@ static void bt_host_read(void *opaque) + pktlen = MIN(pkt[2] + 3, s->len); + s->len -= pktlen; + pkt += pktlen; ++ break; + + default: + bad_pkt: +-- +1.7.11.2 + diff --git a/0238-ds1338-Add-missing-break-statement.patch b/0238-ds1338-Add-missing-break-statement.patch new file mode 100644 index 0000000..f4529e9 --- /dev/null +++ b/0238-ds1338-Add-missing-break-statement.patch 
@@ -0,0 +1,39 @@ +From 1c363aca36c5f53cb04d04fa1ee9a442dd5dbad4 Mon Sep 17 00:00:00 2001 +From: Stefan Weil +Date: Sat, 25 Feb 2012 14:50:25 +0100 +Subject: [PATCH] ds1338: Add missing break statement +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Without the break statement, case 5 sets month and year from the same +data. This does not look correct. + +The missing break was reported by splint. + +Signed-off-by: Stefan Weil +Reviewed-by: Peter Maydell +Reviewed-by: Andreas Färber +Signed-off-by: Stefan Hajnoczi +(cherry picked from commit fbac6a7d35d119a52606c175aface9bcec805f09) + +Signed-off-by: Andreas Färber +--- + hw/ds1338.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/hw/ds1338.c b/hw/ds1338.c +index 3522af5..964d2f7 100644 +--- a/hw/ds1338.c ++++ b/hw/ds1338.c +@@ -97,6 +97,7 @@ static int ds1338_send(i2c_slave *i2c, uint8_t data) + break; + case 5: + s->now.tm_mon = from_bcd(data & 0x1f) - 1; ++ break; + case 6: + s->now.tm_year = from_bcd(data) + 100; + break; +-- +1.7.11.2 + diff --git a/0239-block-vdi-Zero-unused-parts-when-allocating-a-new-bl.patch b/0239-block-vdi-Zero-unused-parts-when-allocating-a-new-bl.patch new file mode 100644 index 0000000..c396ce6 --- /dev/null +++ b/0239-block-vdi-Zero-unused-parts-when-allocating-a-new-bl.patch 
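Review bot: With the break in place, `s->now.tm_mon = from_bcd(data & 0x1f) - 1;` still stores a value derived from a guest-written I2C byte without a range check; BCD inputs such as 0x00 or 0x13–0x19 put tm_mon outside 0..11, and that struct tm is later consumed by whatever time conversion uses s->now. Clamping or ignoring out-of-range months here, e.g. `if (tm_mon < 0 || tm_mon > 11) break;` after computing into a local, keeps a misbehaving guest from producing an invalid struct tm; the other date fields in this switch presumably deserve the same treatment but are outside the hunk. ds1338_send starts and ends outside the hunk.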
@@ -0,0 +1,70 @@ +From e246af75817264aa340cc4e8bb42c17a2d48cbb7 Mon Sep 17 00:00:00 2001 +From: Stefan Weil +Date: Sat, 21 Jan 2012 13:54:24 +0100 +Subject: [PATCH] block/vdi: Zero unused parts when allocating a new block + (fix #919242) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The new block was filled with zero when it was allocated by g_malloc0, +but when it was reused later and only partially used, data from the +previously allocated block were still present and written to the new +block. + +This caused the problems reported by bug #919242 +(https://bugs.launchpad.net/qemu/+bug/919242). + +Now the unused parts of the new block which are before and after the data +are always filled with zero, so it is no longer necessary to zero the whole +block with g_malloc0. + +I also updated the copyright comment. + +Signed-off-by: Stefan Weil +Signed-off-by: Kevin Wolf +(cherry picked from commit 641543b76b82a8b361482b727e08de0c8ec093b0) + +[AF: g_malloc() -> qemu_malloc()] +Signed-off-by: Andreas Färber +--- + block/vdi.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/block/vdi.c b/block/vdi.c +index 1be0cdc..07413af 100644 +--- a/block/vdi.c ++++ b/block/vdi.c +@@ -1,7 +1,7 @@ + /* + * Block driver for the Virtual Disk Image (VDI) format + * +- * Copyright (c) 2009 Stefan Weil ++ * Copyright (c) 2009, 2012 Stefan Weil + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by +@@ -765,15 +765,19 @@ static void vdi_aio_write_cb(void *opaque, int ret) + (uint64_t)bmap_entry * s->block_sectors; + block = acb->block_buffer; + if (block == NULL) { +- block = qemu_mallocz(s->block_size); ++ block = qemu_malloc(s->block_size); + acb->block_buffer = block; + acb->bmap_first = block_index; + assert(!acb->header_modified); + acb->header_modified = 1; + } + acb->bmap_last = block_index; ++ /* Copy data to be 
written to new block and zero unused parts. */ ++ memset(block, 0, sector_in_block * SECTOR_SIZE); + memcpy(block + sector_in_block * SECTOR_SIZE, + acb->buf, n_sectors * SECTOR_SIZE); ++ memset(block + (sector_in_block + n_sectors) * SECTOR_SIZE, 0, ++ (s->block_sectors - n_sectors - sector_in_block) * SECTOR_SIZE); + acb->hd_iov.iov_base = (void *)block; + acb->hd_iov.iov_len = s->block_size; + qemu_iovec_init_external(&acb->hd_qiov, &acb->hd_iov, 1); +-- +1.7.11.2 + diff --git a/qemu-fix-non-PCI-target-build.patch b/qemu-fix-non-PCI-target-build.patch deleted file mode 100644 index b479efa..0000000 --- a/qemu-fix-non-PCI-target-build.patch +++ /dev/null @@ -1,53 +0,0 @@ -commit 1a8364456c2f3946b4feb8fc78eaf00d974f4c03 -Author: Jan Kiszka -Date: Wed Feb 23 09:28:53 2011 +0100 - - qemu-kvm: Fix non-PCI target build - - Replace obsolete qemu-kvm.h with kvm.h in pci.c and build that module - just like upstream does. This fixes non-x86 targets which have no PCI - support. - - Signed-off-by: Jan Kiszka - 
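Review bot: The trailing `memset(block + (sector_in_block + n_sectors) * SECTOR_SIZE, 0, (s->block_sectors - n_sectors - sector_in_block) * SECTOR_SIZE);` relies on `sector_in_block + n_sectors <= s->block_sectors`; if that ever fails, the subtraction goes negative or wraps (depending on the field types, which are not visible) and memset writes past the end of the block buffer. Since `block` now comes from `qemu_malloc` instead of `qemu_mallocz`, the two memsets are the only thing keeping previously written data out of the new block, so pinning the invariant with `assert(sector_in_block + n_sectors <= s->block_sectors);` before them is cheap insurance. Whether the caller enforces this is not visible in the hunk, and vdi_aio_write_cb starts outside it.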
Signed-off-by: Avi Kivity - -diff --git a/Makefile.objs b/Makefile.objs -index f5702eb..3ec7121 100644 ---- a/Makefile.objs -+++ b/Makefile.objs -@@ -170,7 +170,7 @@ hw-obj-y = - hw-obj-y += loader.o - hw-obj-$(CONFIG_VIRTIO) += virtio.o virtio-console.o - hw-obj-y += fw_cfg.o --hw-obj-$(CONFIG_PCI) += pci_bridge.o -+hw-obj-$(CONFIG_PCI) += pci.o pci_bridge.o - hw-obj-$(CONFIG_PCI) += msix.o msi.o - hw-obj-$(CONFIG_PCI) += pci_host.o pcie_host.o - hw-obj-$(CONFIG_PCI) += ioh3420.o xio3130_upstream.o xio3130_downstream.o -diff --git a/Makefile.target b/Makefile.target -index 6e9a024..23367eb 100644 ---- a/Makefile.target -+++ b/Makefile.target -@@ -195,7 +195,7 @@ endif #CONFIG_BSD_USER - # System emulator target - ifdef CONFIG_SOFTMMU - --obj-y = arch_init.o cpus.o monitor.o pci.o machine.o gdbstub.o vl.o balloon.o -+obj-y = arch_init.o cpus.o monitor.o machine.o gdbstub.o vl.o balloon.o - # virtio has to be here due to weird dependency between PCI and virtio-net. - # need to fix this properly - obj-$(CONFIG_NO_PCI) += pci-stub.o -diff --git a/hw/pci.c b/hw/pci.c -index 0c44939..1f6cebe 100644 ---- a/hw/pci.c -+++ b/hw/pci.c -@@ -29,8 +29,8 @@ - #include "net.h" - #include "sysemu.h" - #include "loader.h" --#include "qemu-kvm.h" - #include "hw/pc.h" -+#include "kvm.h" - #include "device-assignment.h" - #include "qemu-objects.h" - #include "range.h" diff --git a/qemu-fix-systemtap.patch b/qemu-fix-systemtap.patch new file mode 100644 index 0000000..3191eec --- /dev/null +++ b/qemu-fix-systemtap.patch 
@@ -0,0 +1,19 @@ +diff -rup qemu-kvm-1.0.1/scripts/tracetool z/scripts/tracetool +--- qemu-kvm-1.0.1/scripts/tracetool 2012-04-16 22:15:17.000000000 -0400 ++++ z/scripts/tracetool 2012-07-29 21:10:51.326868987 -0400 +@@ -500,6 +500,15 @@ EOF + if [ "$arg" = "limit" ]; then + arg="_limit" + fi ++ if [ "$arg" = "in" ]; then ++ arg="_in" ++ fi ++ if [ "$arg" = "next" ]; then ++ arg="_next" ++ fi ++ if [ "$arg" = "self" ]; then ++ arg="_self" ++ fi + cat <surface); +- screen_dump_filename = NULL; + } + } + +@@ -2408,8 +2407,8 @@ static void vga_screen_dump(void *opaque + if (!screen_dump_dcl) + screen_dump_dcl = vga_screen_dump_init(s->ds); + +- screen_dump_filename = (char *)filename; ++ screen_dump_filename = filename; + vga_invalidate_display(s); + vga_hw_update(); ++ screen_dump_filename = NULL; + } +- diff --git a/qemu-snapshot-symlink-attack.patch b/qemu-snapshot-symlink-attack.patch new file mode 100644 index 0000000..e6b1ae6 --- /dev/null +++ b/qemu-snapshot-symlink-attack.patch 
@@ -0,0 +1,93 @@ +diff -rup qemu-kvm-0.15.1/block/vvfat.c frob/block/vvfat.c +--- qemu-kvm-0.15.1/block/vvfat.c 2012-07-29 20:56:28.318227757 -0400 ++++ frob/block/vvfat.c 2012-07-29 20:59:15.537859208 -0400 +@@ -2795,7 +2795,12 @@ static int enable_write_target(BDRVVVFAT + array_init(&(s->commits), sizeof(commit_t)); + + s->qcow_filename = qemu_malloc(1024); +- get_tmp_filename(s->qcow_filename, 1024); ++ ret = get_tmp_filename(s->qcow_filename, 1024); ++ if (ret < 0) { ++ free(s->qcow_filename); ++ s->qcow_filename = NULL; ++ return ret; ++ } + + bdrv_qcow = bdrv_find_format("qcow"); + options = parse_option_parameters("", bdrv_qcow->create_options, NULL); +diff -rup qemu-kvm-0.15.1/block.c frob/block.c +--- qemu-kvm-0.15.1/block.c 2012-07-29 20:56:28.367221495 -0400 ++++ frob/block.c 2012-07-29 20:58:24.931326050 -0400 +@@ -254,28 +254,36 @@ int bdrv_create_file(const char* filenam + return bdrv_create(drv, filename, options); + } + +-#ifdef _WIN32 +-void get_tmp_filename(char *filename, int size) ++/* ++ * Create a uniquely-named empty temporary file. ++ * Return 0 upon success, otherwise a negative errno value. ++ */ ++int get_tmp_filename(char *filename, int size) + { ++#ifdef _WIN32 + char temp_dir[MAX_PATH]; +- +- GetTempPath(MAX_PATH, temp_dir); +- GetTempFileName(temp_dir, "qem", 0, filename); +-} ++ /* GetTempFileName requires that its output buffer (4th param) ++ have length MAX_PATH or greater. */ ++ assert(size >= MAX_PATH); ++ return (GetTempPath(MAX_PATH, temp_dir) ++ && GetTempFileName(temp_dir, "qem", 0, filename) ++ ? 
0 : -GetLastError()); + #else +-void get_tmp_filename(char *filename, int size) +-{ + int fd; + const char *tmpdir; +- /* XXX: race condition possible */ + tmpdir = getenv("TMPDIR"); + if (!tmpdir) + tmpdir = "/tmp"; +- snprintf(filename, size, "%s/vl.XXXXXX", tmpdir); ++ if (snprintf(filename, size, "%s/vl.XXXXXX", tmpdir) >= size) { ++ return -EOVERFLOW; ++ } + fd = mkstemp(filename); +- close(fd); +-} ++ if (fd < 0 || close(fd)) { ++ return -errno; ++ } ++ return 0; + #endif ++} + + /* + * Detect host devices. By convention, /dev/cdrom[N] is always +@@ -555,7 +563,10 @@ int bdrv_open(BlockDriverState *bs, cons + + bdrv_delete(bs1); + +- get_tmp_filename(tmp_filename, sizeof(tmp_filename)); ++ ret = get_tmp_filename(tmp_filename, sizeof(tmp_filename)); ++ if (ret < 0) { ++ return ret; ++ } + + /* Real path is meaningless for protocols */ + if (is_protocol) +diff -rup qemu-kvm-0.15.1/block_int.h frob/block_int.h +--- qemu-kvm-0.15.1/block_int.h 2011-10-19 09:54:48.000000000 -0400 ++++ frob/block_int.h 2012-07-29 20:58:24.932325925 -0400 +@@ -216,7 +216,7 @@ struct BlockDriverAIOCB { + BlockDriverAIOCB *next; + }; + +-void get_tmp_filename(char *filename, int size); ++int get_tmp_filename(char *filename, int size); + + void *qemu_aio_get(AIOPool *pool, BlockDriverState *bs, + BlockDriverCompletionFunc *cb, void *opaque); diff --git a/qemu-spice-server-threading.patch b/qemu-spice-server-threading.patch new file mode 100644 index 0000000..c8ba0a3 --- /dev/null +++ b/qemu-spice-server-threading.patch 
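Review bot: In enable_write_target the new error path calls `free(s->qcow_filename);` on memory obtained from `qemu_malloc()` two lines above; use `qemu_free(s->qcow_filename);` so allocator and deallocator match. The Win32 branch of get_tmp_filename returns `-GetLastError()`, a Win32 error code rather than the negative errno value the new header comment promises, so a caller that maps the result through strerror() will print nonsense there; the POSIX branch also leaves the temp file behind when `close(fd)` fails, which an `unlink(filename);` on that path would fix. Whether `ret` is already declared in enable_write_target is not visible, as that function starts outside the hunk.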
@@ -0,0 +1,73 @@
+commit 22b626e28e9895cc65c1e2023323bda5138716dc
+Author: Gerd Hoffmann
+Date: Fri Sep 2 15:03:28 2011 +0200
+
+ spice: workaround a spice server bug.
+
+ spice server might call the channel_event callback from spice server
+ thread context. Detect that and aquire iothread lock if needed,
+
+diff --git a/ui/spice-core.c b/ui/spice-core.c
+index dba11f0..3cbc721 100644
+--- a/ui/spice-core.c
++++ b/ui/spice-core.c
+@@ -19,6 +19,7 @@
+ #include
+
+ #include
++#include
+
+ #include "qemu-common.h"
+ #include "qemu-spice.h"
+@@ -44,6 +45,8 @@ static char *auth_passwd;
+ static time_t auth_expires = TIME_MAX;
+ int using_spice = 0;
+
++static pthread_t me;
++
+ struct SpiceTimer {
+ QEMUTimer *timer;
+ QTAILQ_ENTRY(SpiceTimer) next;
+@@ -217,6 +220,20 @@ static void channel_event(int event, SpiceChannelEventInfo *info)
+ QDict *server, *client;
+ QObject *data;
+
++ /*
++ * Spice server might have called us from spice worker thread
++ * context (happens on display channel disconnects). Spice should
++ * not do that. It isn't that easy to fix it in spice and even
++ * when it is fixed we still should cover the already released
++ * spice versions. So detect that we've been called from another
++ * thread and grab the iothread lock if so before calling qemu
++ * functions.
++ */
++ bool need_lock = !pthread_equal(me, pthread_self());
++ if (need_lock) {
++ qemu_mutex_lock_iothread();
++ }
++
+ client = qdict_new();
+ add_addr_info(client, &info->paddr, info->plen);
+
+@@ -236,6 +253,10 @@ static void channel_event(int event, SpiceChannelEventInfo *info)
+ QOBJECT(client), QOBJECT(server));
+ monitor_protocol_event(qevent[event], data);
+ qobject_decref(data);
++
++ if (need_lock) {
++ qemu_mutex_unlock_iothread();
++ }
+ }
+
+ #else /* SPICE_INTERFACE_CORE_MINOR >= 3 */
+@@ -482,7 +503,9 @@ void qemu_spice_init(void)
+ spice_image_compression_t compression;
+ spice_wan_compression_t wan_compr;
+
+- if (!opts) {
++ me = pthread_self();
++
++ if (!opts) {
+ return;
+ }
+ port = qemu_opt_get_number(opts, "port", 0);
diff --git a/qemu-vhost-fix-dirty-page-handling.patch b/qemu-vhost-fix-dirty-page-handling.patch
deleted file mode 100644
index e3fabb7..0000000
--- a/qemu-vhost-fix-dirty-page-handling.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-vhost was passing a physical address to cpu_physical_memory_set_dirty,
-which is wrong: we need to translate to ram address first.
-
-Signed-off-by: Michael S. Tsirkin
-
-Note: this lead to crashes during migration, so the patch
-is needed on the stable branch too.
-
----
- hw/vhost.c | 4 +++-
- 1 files changed, 3 insertions(+), 1 deletions(-)
-
-diff --git a/hw/vhost.c b/hw/vhost.c
-index aaa34e4..97a1299 100644
---- a/hw/vhost.c
--+++ b/hw/vhost.c
-@@ -49,8 +49,10 @@ static void vhost_dev_sync_region(struct vhost_dev *dev,
- log = __sync_fetch_and_and(from, 0);
- while ((bit = sizeof(log) > sizeof(int) ?
- ffsll(log) : ffs(log))) {
-+ ram_addr_t ram_addr;
- bit -= 1;
-- cpu_physical_memory_set_dirty(addr + bit * VHOST_LOG_PAGE);
-+ ram_addr = cpu_get_physical_page_desc(addr + bit * VHOST_LOG_PAGE);
-+ cpu_physical_memory_set_dirty(ram_addr);
- log &= ~(0x1ull << bit);
- }
- addr += VHOST_LOG_CHUNK;
---
-1.7.3.2.91.g446ac
-
diff --git a/qemu.spec b/qemu.spec
index 1cb916c..86918a3 100644
--- a/qemu.spec
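Review bot: `me` is assigned only at the top of qemu_spice_init, yet channel_event compares it with `pthread_equal()` on every call, so a callback arriving before initialisation (or on a build where spice is initialised off the iothread) would compare against a zero-initialised `pthread_t`, for which POSIX gives `pthread_equal()` no defined result; a comment at the declaration stating the invariant, `/* thread that ran qemu_spice_init(); assumed to be the iothread, which already holds the global lock when spice calls back */`, would make the assumption checkable. The `need_lock` test also presumes the calling thread never already holds the iothread lock, since `qemu_mutex_lock_iothread()` is, as far as visible here, a plain non-recursive lock; if this tree's qemu-thread wrappers provide a thread-identity check, using them would avoid a raw pthread dependency in ui code. channel_event's body continues outside the hunk.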
+++ b/qemu.spec
@@ -1,8 +1,8 @@
Summary: QEMU is a FAST! processor emulator
Name: qemu
Version: 0.15.1
-Release: 6%{?dist}
-# Epoch because we pushed a qemu-1.0 package
+Release: 7%{?dist}
+# Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
Epoch: 2
License: GPLv2+ and LGPLv2+ and BSD
Group: Development/Tools
@@ -89,6 +89,51 @@ Patch103: %{name}-virtio-blk_refuse_SG_IO_requests_with_scsi_off.patch
# Fix fedora guest hang with virtio console (bz 837925)
Patch104: %{name}-virtio-console-unconnected-pty.patch
+# Patches from 0.15 stable
+Patch200: 0200-ccid-Fix-buffer-overrun-in-handling-of-VSC_ATR-messa.patch
+Patch201: 0201-qdev-Reset-hot-plugged-devices.patch
+Patch202: 0202-e1000-use-MII-status-register-for-link-up-down.patch
+Patch203: 0203-e1000-Don-t-set-the-Capabilities-List-bit.patch
+Patch205: 0205-compatfd.c-Don-t-pass-NULL-pointer-to-SYS_signalfd.patch
+Patch206: 0206-kvm-avoid-reentring-kvm_flush_coalesced_mmio_buffer.patch
+Patch207: 0207-vmdk-vmdk_read_cid-returns-garbage-if-p_name-is-NULL.patch
+Patch208: 0208-block-Fix-bdrv_open-use-after-free.patch
+Patch209: 0209-ide-Fix-off-by-one-error-in-array-index-check.patch
+Patch210: 0210-acl-Fix-use-after-free-in-qemu_acl_reset.patch
+Patch211: 0211-migration-flush-migration-data-to-disk.patch
+Patch212: 0212-Fix-X86-CPU-topology-in-KVM-mode.patch
+Patch213: 0213-hw-lan9118.c-Add-missing-break-to-fix-buffer-overrun.patch
+Patch214: 0214-ac97-don-t-override-the-pci-subsystem-id.patch
+Patch215: 0215-vvfat-Fix-potential-buffer-overflow.patch
+Patch216: 0216-vns-tls-don-t-use-depricated-gnutls-functions.patch
+Patch217: 0217-block-curl-Implement-a-flush-function-on-the-fd-hand.patch
+Patch218: 0218-hda-do-not-mix-output-and-input-streams-RHBZ-740493.patch
+Patch219: 0219-hda-do-not-mix-output-and-input-stream-states-RHBZ-7.patch
+Patch220: 0220-Teach-block-vdi-about-discarded-no-longer-allocated-.patch
+Patch221: 0221-vmdk-Improve-error-handling.patch
+Patch222: 0222-block-set-bs-read_only-before-.bdrv_open.patch
+Patch223: 0223-console-Fix-rendering-of-VGA-underline.patch
+Patch224: 0224-block-Fix-vpc-initialization-of-the-Dynamic-Disk-Hea.patch
+Patch225: 0225-qcow-Fix-bdrv_write_compressed-error-handling.patch
+Patch226: 0226-block-reinitialize-across-bdrv_close-bdrv_open.patch
+Patch227: 0227-qxl-stride-fixup.patch
+Patch228: 0228-vmdk-Fix-possible-segfaults.patch
+Patch230: 0230-cpu-common-Have-a-ram_addr_t-of-uint64-with-Xen.patch
+Patch231: 0231-Error-check-find_ram_offset.patch
+Patch236: 0236-block-vpc-write-checksum-back-to-footer-after-check.patch
+Patch237: 0237-bt-host-add-missing-break-statement.patch
+Patch238: 0238-ds1338-Add-missing-break-statement.patch
+Patch239: 0239-block-vdi-Zero-unused-parts-when-allocating-a-new-bl.patch
+# CVE-2012-2652: Possible symlink attacks with -snapshot (bz 825697, bz
+# 824919)
+Patch240: %{name}-snapshot-symlink-attack.patch
+# Fix systemtap tapsets (bz 831763)
+Patch241: %{name}-fix-systemtap.patch
+# Fix qmp response race caused by spice server bug (bz 744015)
+Patch242: %{name}-spice-server-threading.patch
+# Fix text mode screendumps (bz 819155)
+Patch243: %{name}-fix-text-mode-screendumps.patch
+
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: SDL-devel zlib-devel which texi2html gnutls-devel cyrus-sasl-devel
BuildRequires: libaio-devel
@@ -122,6 +167,13 @@ Requires: %{name}-img = %{epoch}:%{version}-%{release}
Obsoletes: %{name}-system-ppc
Obsoletes: %{name}-system-sparc
+# Needed for F14->F16+ upgrade
+# https://bugzilla.redhat.com/show_bug.cgi?id=694802
+Obsoletes: openbios-common
+Obsoletes: openbios-ppc
+Obsoletes: openbios-sparc32
+Obsoletes: openbios-sparc64
+
%define qemudocdir %{_docdir}/%{name}-%{version}
%description
@@ -161,9 +213,9 @@ Group: Development/Tools
Requires(post): /usr/bin/getent
Requires(post): /usr/sbin/groupadd
Requires(post): /usr/sbin/useradd
-Requires(post): /sbin/chkconfig
-Requires(preun): /sbin/service /sbin/chkconfig
-Requires(postun): /sbin/service
+Requires(post): systemd-units
+Requires(preun): systemd-units
+Requires(postun): systemd-units
%description common
QEMU is a generic and open source processor emulator which achieves a good
emulation speed by using dynamic translation.
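Review bot: The stable backport list skips 0204, 0229 and 0232–0235, and nothing says whether those were dropped on purpose (already carried as a Patch1xx entry, not applicable to this build, failed to apply) or overlooked, so the next maintainer has to re-audit the 0.15 stable branch; a one-line comment next to the gap, `# 0204, 0229, 0232-0235 intentionally omitted: <reason>`, would settle it. The CVE-2012-2652 comment above Patch240 is also the only place the fix is tied to that identifier, since the patch file added earlier in this commit starts straight at `diff -rup` with no description, so the identifier and bug numbers belong in the patch header as well.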
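Review bot: The four new `Obsoletes: openbios-*` lines are unversioned, so they obsolete every future build of those packages rather than only the F14-era ones the comment targets, and the names cannot be reintroduced without editing this spec; Fedora's guidelines ask for a versioned bound, e.g. `Obsoletes: openbios-common < <last-shipped-EVR>`, with the value taken from the last build that shipped. The bug URL in the comment already records the why; the version bound is what is missing.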
@@ -211,9 +263,8 @@ fi
Summary: QEMU user mode emulation of qemu targets
Group: Development/Tools
Requires: %{name}-common = %{epoch}:%{version}-%{release}
-Requires(post): /sbin/chkconfig
-Requires(preun): /sbin/service /sbin/chkconfig
-Requires(postun): /sbin/service
+Requires(post): systemd-units
+Requires(postun): systemd-units
%description user
QEMU is a generic and open source processor emulator which achieves a good
emulation speed by using dynamic translation.
@@ -228,6 +279,7 @@ Provides: kvm = 85
Obsoletes: kvm < 85
Requires: vgabios >= 0.6c-2
Requires: seabios-bin >= 0.6.0-2
+Requires: sgabios-bin
Requires: /usr/share/gpxe/8086100e.rom
Requires: /usr/share/gpxe/rtl8029.rom
Requires: /usr/share/gpxe/pcnet32.rom
@@ -345,6 +397,45 @@ such as kvm_stat.
%patch103 -p1
%patch104 -p1
+%patch200 -p1
+%patch201 -p1
+%patch202 -p1
+%patch203 -p1
+%patch205 -p1
+%patch206 -p1
+%patch207 -p1
+%patch208 -p1
+%patch209 -p1
+%patch210 -p1
+%patch211 -p1
+%patch212 -p1
+%patch213 -p1
+%patch214 -p1
+%patch215 -p1
+%patch216 -p1
+%patch217 -p1
+%patch218 -p1
+%patch219 -p1
+%patch220 -p1
+%patch221 -p1
+%patch222 -p1
+%patch223 -p1
+%patch224 -p1
+%patch225 -p1
+%patch226 -p1
+%patch227 -p1
+%patch228 -p1
+%patch230 -p1
+%patch231 -p1
+%patch236 -p1
+%patch237 -p1
+%patch238 -p1
+%patch239 -p1
+%patch240 -p1
+%patch241 -p1
+%patch242 -p1
+%patch243 -p1
+
%build
# By default we build everything, but allow x86 to build a minimal version
# with only similar arch target support
@@ -498,6 +589,7 @@ ln -s ../vgabios/VGABIOS-lgpl-latest.cirrus.bin %{buildroot}/%{_datadir}/%{name}
ln -s ../vgabios/VGABIOS-lgpl-latest.qxl.bin %{buildroot}/%{_datadir}/%{name}/vgabios-qxl.bin
ln -s ../vgabios/VGABIOS-lgpl-latest.stdvga.bin %{buildroot}/%{_datadir}/%{name}/vgabios-stdvga.bin
ln -s ../vgabios/VGABIOS-lgpl-latest.vmware.bin %{buildroot}/%{_datadir}/%{name}/vgabios-vmware.bin
+ln -s ../sgabios/sgabios.bin %{buildroot}/%{_datadir}/%{name}/sgabios.bin
ln -s ../seabios/bios.bin %{buildroot}/%{_datadir}/%{name}/bios.bin
mkdir -p $RPM_BUILD_ROOT%{_exec_prefix}/lib/binfmt.d
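Review bot: The new `ln -s ../sgabios/sgabios.bin` target is never verified at build time, since sgabios-bin appears in `Requires:` (the hunk at +279) but not in any BuildRequires visible here, so the package will silently ship a dangling link if the sgabios-bin file layout ever changes; the neighbouring seabios and vgabios links follow the same pattern, so this is consistent with the file, but a comment, `# target provided by sgabios-bin at runtime (see Requires)`, would tie the two hunks together. If sgabios-bin is in fact listed in a BuildRequires line outside this chunk, the comment can say that instead.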
@@ -540,41 +632,47 @@ rm -rf $RPM_BUILD_ROOT
%ifarch %{ix86} x86_64
# load kvm modules now, so we can make sure no reboot is needed.
# If there's already a kvm module installed, we don't mess with it
-sh %{_sysconfdir}/sysconfig/modules/kvm.modules
+sh %{_sysconfdir}/sysconfig/modules/kvm.modules || :
%endif
%post common
if [ $1 -eq 1 ] ; then
- getent group kvm >/dev/null || groupadd -g 36 -r kvm
- getent group qemu >/dev/null || groupadd -g 107 -r qemu
- getent passwd qemu >/dev/null || \
- useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
- -c "qemu user" qemu
-
- /bin/systemctl enable ksm.service
- /bin/systemctl enable ksmtuned.service
+ # Initial installation
+ /bin/systemctl enable ksm.service >/dev/null 2>&1 || :
+ /bin/systemctl enable ksmtuned.service >/dev/null 2>&1 || :
fi
+getent group kvm >/dev/null || groupadd -g 36 -r kvm
+getent group qemu >/dev/null || groupadd -g 107 -r qemu
+getent passwd qemu >/dev/null || \
+ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
+ -c "qemu user" qemu
+
%preun common
-if [ $1 -eq 0 ]; then
- /bin/systemctl --system stop ksmtuned.service &>/dev/null || :
- /bin/systemctl --system stop ksm.service &>/dev/null || :
- /bin/systemctl disable ksmtuned.service
- /bin/systemctl disable ksm.service
+if [ $1 -eq 0 ] ; then
+ # Package removal, not upgrade
+ /bin/systemctl --no-reload disable ksmtuned.service > /dev/null 2>&1 || :
+ /bin/systemctl --no-reload disable ksm.service > /dev/null 2>&1 || :
+ /bin/systemctl stop ksmtuned.service > /dev/null 2>&1 || :
+ /bin/systemctl stop ksm.service > /dev/null 2>&1 || :
fi
%postun common
-if [ $1 -ge 1 ]; then
- /bin/systemctl --system try-restart ksm.service &>/dev/null || :
- /bin/systemctl --system try-restart ksmtuned.service &>/dev/null || :
+/bin/systemctl daemon-reload >/dev/null 2>&1 || :
+if [ $1 -ge 1 ] ; then
+ # Package upgrade, not uninstall
+ /bin/systemctl try-restart ksmtuned.service >/dev/null 2>&1 || :
+ /bin/systemctl try-restart ksm.service >/dev/null 2>&1 || :
fi
+
%post user
/bin/systemctl --system try-restart systemd-binfmt.service &>/dev/null || :
%postun user
/bin/systemctl --system try-restart systemd-binfmt.service &>/dev/null || :
+
%files
%defattr(-,root,root)
@@ -648,6 +746,7 @@ fi
%{_bindir}/qemu
%{_bindir}/qemu-system-x86_64
%{_datadir}/%{name}/bios.bin
+%{_datadir}/%{name}/sgabios.bin
%{_datadir}/%{name}/linuxboot.bin
%{_datadir}/%{name}/multiboot.bin
%{_datadir}/%{name}/mpc8544ds.dtb
@@ -724,6 +823,18 @@ fi
%{_mandir}/man1/qemu-img.1*
%changelog
+* Sun Jul 29 2012 Cole Robinson - 0.15.1-7
+- Pull patches from 0.15 stable
+- CVE-2012-2652: Possible symlink attacks with -snapshot (bz 825697, bz
+ 824919)
+- Fix systemtap tapsets (bz 831763)
+- Fix qmp response race caused by spice server bug (bz 744015)
+- Fix text mode screendumps (bz 819155)
+- Don't renable ksm on update (bz 815156)
+- Fix RPM install error on non-virt machines (bz 660629)
+- Obsolete openbios to fix upgrade dependency issues (bz 694802)
+- Fix sgabios integration (bz 791344)
+
* Wed Jul 18 2012 Cole Robinson - 0.15.1-6
- Fix fedora guest hang with virtio console (bz 837925)
@@ -734,7 +845,7 @@ fi
* Mon Jan 30 2012 Justin M. Forbes - 2:0.15.1-4
- Add vhost-net to kvm.modules
- Fix USB passthrough assert on packet completion (#769625)
-
+
* Thu Jan 5 2012 Christophe Fergeau - 2:0.15.1-3.1
- Backport patches from qemu 1.0 to fix floppy drives (#753863)
@@ -749,7 +860,7 @@ fi
- Require seabios-bin >= 0.6.0-2 (#741992)
- Replace init scripts with systemd units (#741920)
- Update to 0.15.1 stable upstream
-
+
* Fri Oct 21 2011 Paul Moore
- Enable full relro and PIE (rhbz #738812)
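Review bot: Account creation now runs in `%post common` on every install and upgrade, which is idempotent thanks to the `getent ... ||` guards, but Fedora's guidelines put user/group creation in `%pre` so that files listed in `%files` can already be owned by the `qemu` user when they are unpacked; if nothing in this package is owned by qemu the placement is harmless, otherwise the block should move to a `%pre common` scriptlet with the same lines. The `|| :` appended to `sh ... kvm.modules` makes a module-load failure non-fatal on hosts without virtualisation support, which matches the bz 660629 changelog entry, but it also hides genuine failures, so a comment, `# non-fatal: host may lack virtualisation support (bz 660629)`, should record the intent. The rewritten common scriptlets drop `--system` and redirect with `>/dev/null 2>&1` while the unchanged `%post user`/`%postun user` lines keep `--system ... &>/dev/null`; aligning the two styles would make the file consistent.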