Rebase to qemu-2.8.0-rc2
This commit is contained in:
parent
3bbbcdcb07
commit
151958b44b
|
@ -1,5 +1,7 @@
|
|||
From d1fd2760ce6025f55b7c71ca303d49afbf17ad8e Mon Sep 17 00:00:00 2001
|
||||
Message-Id: <d1fd2760ce6025f55b7c71ca303d49afbf17ad8e.1480901031.git.crobinso@redhat.com>
|
||||
From: Christophe Fergeau <cfergeau@redhat.com>
|
||||
Date: Fri, 14 Oct 2016 14:22:36 +0200
|
||||
Date: Fri, 28 Oct 2016 16:48:40 +0200
|
||||
Subject: [PATCH] qxl: Only emit QXL_INTERRUPT_CLIENT_MONITORS_CONFIG on config
|
||||
changes
|
||||
|
||||
|
@ -23,29 +25,34 @@ This causes https://bugzilla.redhat.com/show_bug.cgi?id=1266484
|
|||
This commit makes sure that we only emit
|
||||
QXL_INTERRUPT_CLIENT_MONITORS_CONFIG when there are actual configuration
|
||||
changes the guest should act on.
|
||||
|
||||
Signed-off-by: Christophe Fergeau <cfergeau@redhat.com>
|
||||
Signed-off-by: Cole Robinson <crobinso@redhat.com>
|
||||
---
|
||||
hw/display/qxl.c | 20 +++++++++++++++++++-
|
||||
1 file changed, 19 insertions(+), 1 deletion(-)
|
||||
hw/display/qxl.c | 37 ++++++++++++++++++++++++++++++++++++-
|
||||
1 file changed, 36 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/display/qxl.c b/hw/display/qxl.c
|
||||
index 0e2682d..56759f8 100644
|
||||
index 0e2682d..62d0c80 100644
|
||||
--- a/hw/display/qxl.c
|
||||
+++ b/hw/display/qxl.c
|
||||
@@ -1000,6 +1000,7 @@ static int interface_client_monitors_config(QXLInstance *sin,
|
||||
QXLRom *rom = memory_region_get_ram_ptr(&qxl->rom_bar);
|
||||
int i;
|
||||
unsigned max_outputs = ARRAY_SIZE(rom->client_monitors_config.heads);
|
||||
+ bool config_changed = false;
|
||||
@@ -992,6 +992,34 @@ static uint32_t qxl_crc32(const uint8_t *p, unsigned len)
|
||||
return crc32(0xffffffff, p, len) ^ 0xffffffff;
|
||||
}
|
||||
|
||||
if (qxl->revision < 4) {
|
||||
trace_qxl_client_monitors_config_unsupported_by_device(qxl->id,
|
||||
@@ -1030,6 +1031,21 @@ static int interface_client_monitors_config(QXLInstance *sin,
|
||||
}
|
||||
#endif
|
||||
|
||||
+ if (rom->client_monitors_config.count != MIN(monitors_config->num_of_monitors, max_outputs)) {
|
||||
+ config_changed = true;
|
||||
+static bool qxl_rom_monitors_config_changed(QXLRom *rom,
|
||||
+ VDAgentMonitorsConfig *monitors_config,
|
||||
+ unsigned int max_outputs)
|
||||
+{
|
||||
+ int i;
|
||||
+ unsigned int monitors_count;
|
||||
+
|
||||
+ monitors_count = MIN(monitors_config->num_of_monitors, max_outputs);
|
||||
+
|
||||
+ if (rom->client_monitors_config.count != monitors_count) {
|
||||
+ return true;
|
||||
+ }
|
||||
+
|
||||
+ for (i = 0 ; i < rom->client_monitors_config.count ; ++i) {
|
||||
+ VDAgentMonConfig *monitor = &monitors_config->monitors[i];
|
||||
+ QXLURect *rect = &rom->client_monitors_config.heads[i];
|
||||
|
@ -54,14 +61,36 @@ index 0e2682d..56759f8 100644
|
|||
+ (rect->top != monitor->y) ||
|
||||
+ (rect->right != monitor->x + monitor->width) ||
|
||||
+ (rect->bottom != monitor->y + monitor->height)) {
|
||||
+ config_changed = true;
|
||||
+ return true;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ return false;
|
||||
+}
|
||||
+
|
||||
/* called from main context only */
|
||||
static int interface_client_monitors_config(QXLInstance *sin,
|
||||
VDAgentMonitorsConfig *monitors_config)
|
||||
@@ -1000,6 +1028,7 @@ static int interface_client_monitors_config(QXLInstance *sin,
|
||||
QXLRom *rom = memory_region_get_ram_ptr(&qxl->rom_bar);
|
||||
int i;
|
||||
unsigned max_outputs = ARRAY_SIZE(rom->client_monitors_config.heads);
|
||||
+ bool config_changed = false;
|
||||
|
||||
if (qxl->revision < 4) {
|
||||
trace_qxl_client_monitors_config_unsupported_by_device(qxl->id,
|
||||
@@ -1030,6 +1059,10 @@ static int interface_client_monitors_config(QXLInstance *sin,
|
||||
}
|
||||
#endif
|
||||
|
||||
+ config_changed = qxl_rom_monitors_config_changed(rom,
|
||||
+ monitors_config,
|
||||
+ max_outputs);
|
||||
+
|
||||
memset(&rom->client_monitors_config, 0,
|
||||
sizeof(rom->client_monitors_config));
|
||||
rom->client_monitors_config.count = monitors_config->num_of_monitors;
|
||||
@@ -1059,7 +1075,9 @@ static int interface_client_monitors_config(QXLInstance *sin,
|
||||
@@ -1059,7 +1092,9 @@ static int interface_client_monitors_config(QXLInstance *sin,
|
||||
trace_qxl_interrupt_client_monitors_config(qxl->id,
|
||||
rom->client_monitors_config.count,
|
||||
rom->client_monitors_config.heads);
|
||||
|
@ -72,3 +101,6 @@ index 0e2682d..56759f8 100644
|
|||
return 1;
|
||||
}
|
||||
|
||||
--
|
||||
2.9.3
|
||||
|
|
@ -1,82 +0,0 @@
|
|||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Wed, 31 Aug 2016 12:19:29 +0530
|
||||
Subject: [PATCH] vmw_pvscsi: check page count while initialising descriptor
|
||||
rings
|
||||
|
||||
Vmware Paravirtual SCSI emulation uses command descriptors to
|
||||
process SCSI commands. These descriptors come with their ring
|
||||
buffers. A guest could set the page count for these rings to
|
||||
an arbitrary value, leading to infinite loop or OOB access.
|
||||
Add check to avoid it.
|
||||
|
||||
Reported-by: Tom Victor <vv474172261@gmail.com>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-Id: <1472626169-12989-1-git-send-email-ppandit@redhat.com>
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit 7f61f4690dd153be98900a2a508b88989e692753)
|
||||
---
|
||||
hw/scsi/vmw_pvscsi.c | 19 +++++++++----------
|
||||
1 file changed, 9 insertions(+), 10 deletions(-)
|
||||
|
||||
diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
|
||||
index 5116f4a..4245c15 100644
|
||||
--- a/hw/scsi/vmw_pvscsi.c
|
||||
+++ b/hw/scsi/vmw_pvscsi.c
|
||||
@@ -152,7 +152,7 @@ pvscsi_log2(uint32_t input)
|
||||
return log;
|
||||
}
|
||||
|
||||
-static int
|
||||
+static void
|
||||
pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
|
||||
{
|
||||
int i;
|
||||
@@ -160,10 +160,6 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
|
||||
uint32_t req_ring_size, cmp_ring_size;
|
||||
m->rs_pa = ri->ringsStatePPN << VMW_PAGE_SHIFT;
|
||||
|
||||
- if ((ri->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)
|
||||
- || (ri->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)) {
|
||||
- return -1;
|
||||
- }
|
||||
req_ring_size = ri->reqRingNumPages * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE;
|
||||
cmp_ring_size = ri->cmpRingNumPages * PVSCSI_MAX_NUM_CMP_ENTRIES_PER_PAGE;
|
||||
txr_len_log2 = pvscsi_log2(req_ring_size - 1);
|
||||
@@ -195,8 +191,6 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
|
||||
|
||||
/* Flush ring state page changes */
|
||||
smp_wmb();
|
||||
-
|
||||
- return 0;
|
||||
}
|
||||
|
||||
static int
|
||||
@@ -746,7 +740,7 @@ pvscsi_dbg_dump_tx_rings_config(PVSCSICmdDescSetupRings *rc)
|
||||
|
||||
trace_pvscsi_tx_rings_num_pages("Confirm Ring", rc->cmpRingNumPages);
|
||||
for (i = 0; i < rc->cmpRingNumPages; i++) {
|
||||
- trace_pvscsi_tx_rings_ppn("Confirm Ring", rc->reqRingPPNs[i]);
|
||||
+ trace_pvscsi_tx_rings_ppn("Confirm Ring", rc->cmpRingPPNs[i]);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -779,11 +773,16 @@ pvscsi_on_cmd_setup_rings(PVSCSIState *s)
|
||||
|
||||
trace_pvscsi_on_cmd_arrived("PVSCSI_CMD_SETUP_RINGS");
|
||||
|
||||
- pvscsi_dbg_dump_tx_rings_config(rc);
|
||||
- if (pvscsi_ring_init_data(&s->rings, rc) < 0) {
|
||||
+ if (!rc->reqRingNumPages
|
||||
+ || rc->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES
|
||||
+ || !rc->cmpRingNumPages
|
||||
+ || rc->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES) {
|
||||
return PVSCSI_COMMAND_PROCESSING_FAILED;
|
||||
}
|
||||
|
||||
+ pvscsi_dbg_dump_tx_rings_config(rc);
|
||||
+ pvscsi_ring_init_data(&s->rings, rc);
|
||||
+
|
||||
s->rings_info_valid = TRUE;
|
||||
return PVSCSI_COMMAND_PROCESSING_SUCCEEDED;
|
||||
}
|
|
@ -1,61 +0,0 @@
|
|||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Tue, 6 Sep 2016 02:20:43 +0530
|
||||
Subject: [PATCH] scsi: pvscsi: limit loop to fetch SG list
|
||||
|
||||
In PVSCSI paravirtual SCSI bus, pvscsi_convert_sglist can take a very
|
||||
long time or go into an infinite loop due to two different bugs:
|
||||
|
||||
1) the request descriptor data length is defined to be 64 bit. While
|
||||
building SG list from a request descriptor, it gets truncated to 32bit
|
||||
in routine 'pvscsi_convert_sglist'. This could lead to an infinite loop
|
||||
situation large 'dataLen' values when data_length is cast to uint32_t and
|
||||
chunk_size becomes always zero. Fix this by removing the incorrect cast.
|
||||
|
||||
2) pvscsi_get_next_sg_elem can be called arbitrarily many times if the
|
||||
element has a zero length. Get out of the loop early when this happens,
|
||||
by introducing an upper limit on the number of SG list elements.
|
||||
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-Id: <1473108643-12983-1-git-send-email-ppandit@redhat.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit 49adc5d3f8c6bb75e55ebfeab109c5c37dea65e8)
|
||||
---
|
||||
hw/scsi/vmw_pvscsi.c | 11 ++++++-----
|
||||
1 file changed, 6 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
|
||||
index 4245c15..babac5a 100644
|
||||
--- a/hw/scsi/vmw_pvscsi.c
|
||||
+++ b/hw/scsi/vmw_pvscsi.c
|
||||
@@ -40,6 +40,8 @@
|
||||
#define PVSCSI_MAX_DEVS (64)
|
||||
#define PVSCSI_MSIX_NUM_VECTORS (1)
|
||||
|
||||
+#define PVSCSI_MAX_SG_ELEM 2048
|
||||
+
|
||||
#define PVSCSI_MAX_CMD_DATA_WORDS \
|
||||
(sizeof(PVSCSICmdDescSetupRings)/sizeof(uint32_t))
|
||||
|
||||
@@ -628,17 +630,16 @@ pvscsi_queue_pending_descriptor(PVSCSIState *s, SCSIDevice **d,
|
||||
static void
|
||||
pvscsi_convert_sglist(PVSCSIRequest *r)
|
||||
{
|
||||
- int chunk_size;
|
||||
+ uint32_t chunk_size, elmcnt = 0;
|
||||
uint64_t data_length = r->req.dataLen;
|
||||
PVSCSISGState sg = r->sg;
|
||||
- while (data_length) {
|
||||
- while (!sg.resid) {
|
||||
+ while (data_length && elmcnt < PVSCSI_MAX_SG_ELEM) {
|
||||
+ while (!sg.resid && elmcnt++ < PVSCSI_MAX_SG_ELEM) {
|
||||
pvscsi_get_next_sg_elem(&sg);
|
||||
trace_pvscsi_convert_sglist(r->req.context, r->sg.dataAddr,
|
||||
r->sg.resid);
|
||||
}
|
||||
- assert(data_length > 0);
|
||||
- chunk_size = MIN((unsigned) data_length, sg.resid);
|
||||
+ chunk_size = MIN(data_length, sg.resid);
|
||||
if (chunk_size) {
|
||||
qemu_sglist_add(&r->sgl, sg.dataAddr, chunk_size);
|
||||
}
|
|
@ -1,35 +0,0 @@
|
|||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Wed, 14 Sep 2016 15:09:12 +0530
|
||||
Subject: [PATCH] scsi: pvscsi: limit process IO loop to ring size
|
||||
|
||||
Vmware Paravirtual SCSI emulator while processing IO requests
|
||||
could run into an infinite loop if 'pvscsi_ring_pop_req_descr'
|
||||
always returned positive value. Limit IO loop to the ring size.
|
||||
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-Id: <1473845952-30785-1-git-send-email-ppandit@redhat.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit d251157ac1928191af851d199a9ff255d330bec9)
|
||||
---
|
||||
hw/scsi/vmw_pvscsi.c | 5 ++++-
|
||||
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
|
||||
index babac5a..a5ce7de 100644
|
||||
--- a/hw/scsi/vmw_pvscsi.c
|
||||
+++ b/hw/scsi/vmw_pvscsi.c
|
||||
@@ -247,8 +247,11 @@ static hwaddr
|
||||
pvscsi_ring_pop_req_descr(PVSCSIRingInfo *mgr)
|
||||
{
|
||||
uint32_t ready_ptr = RS_GET_FIELD(mgr, reqProdIdx);
|
||||
+ uint32_t ring_size = PVSCSI_MAX_NUM_PAGES_REQ_RING
|
||||
+ * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE;
|
||||
|
||||
- if (ready_ptr != mgr->consumed_ptr) {
|
||||
+ if (ready_ptr != mgr->consumed_ptr
|
||||
+ && ready_ptr - mgr->consumed_ptr < ring_size) {
|
||||
uint32_t next_ready_ptr =
|
||||
mgr->consumed_ptr++ & mgr->txr_len_mask;
|
||||
uint32_t next_ready_page =
|
|
@ -1,42 +0,0 @@
|
|||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Thu, 8 Sep 2016 18:15:54 +0530
|
||||
Subject: [PATCH] vmsvga: correct bitmap and pixmap size checks
|
||||
|
||||
When processing svga command DEFINE_CURSOR in vmsvga_fifo_run,
|
||||
the computed BITMAP and PIXMAP size are checked against the
|
||||
'cursor.mask[]' and 'cursor.image[]' array sizes in bytes.
|
||||
Correct these checks to avoid OOB memory access.
|
||||
|
||||
Reported-by: Qinghao Tang <luodalongde@gmail.com>
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-id: 1473338754-15430-1-git-send-email-ppandit@redhat.com
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit 167d97a3def77ee2dbf6e908b0ecbfe2103977db)
|
||||
---
|
||||
hw/display/vmware_vga.c | 12 +++++++-----
|
||||
1 file changed, 7 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
|
||||
index e51a05e..6599cf0 100644
|
||||
--- a/hw/display/vmware_vga.c
|
||||
+++ b/hw/display/vmware_vga.c
|
||||
@@ -676,11 +676,13 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
|
||||
cursor.bpp = vmsvga_fifo_read(s);
|
||||
|
||||
args = SVGA_BITMAP_SIZE(x, y) + SVGA_PIXMAP_SIZE(x, y, cursor.bpp);
|
||||
- if (cursor.width > 256 ||
|
||||
- cursor.height > 256 ||
|
||||
- cursor.bpp > 32 ||
|
||||
- SVGA_BITMAP_SIZE(x, y) > sizeof cursor.mask ||
|
||||
- SVGA_PIXMAP_SIZE(x, y, cursor.bpp) > sizeof cursor.image) {
|
||||
+ if (cursor.width > 256
|
||||
+ || cursor.height > 256
|
||||
+ || cursor.bpp > 32
|
||||
+ || SVGA_BITMAP_SIZE(x, y)
|
||||
+ > sizeof(cursor.mask) / sizeof(cursor.mask[0])
|
||||
+ || SVGA_PIXMAP_SIZE(x, y, cursor.bpp)
|
||||
+ > sizeof(cursor.image) / sizeof(cursor.image[0])) {
|
||||
goto badcmd;
|
||||
}
|
||||
|
|
@ -1,33 +0,0 @@
|
|||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Wed, 31 Aug 2016 17:36:07 +0530
|
||||
Subject: [PATCH] scsi: mptconfig: fix an assert expression
|
||||
|
||||
When LSI SAS1068 Host Bus emulator builds configuration page
|
||||
headers, mptsas_config_pack() should assert that the size
|
||||
fits in a byte. However, the size is expressed in 32-bit
|
||||
units, so up to 1020 bytes fit. The assertion was only
|
||||
allowing replies up to 252 bytes, so fix it.
|
||||
|
||||
Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-Id: <1472645167-30765-2-git-send-email-ppandit@redhat.com>
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit cf2bce203a45d7437029d108357fb23fea0967b6)
|
||||
---
|
||||
hw/scsi/mptconfig.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/scsi/mptconfig.c b/hw/scsi/mptconfig.c
|
||||
index 7071854..3e4f400 100644
|
||||
--- a/hw/scsi/mptconfig.c
|
||||
+++ b/hw/scsi/mptconfig.c
|
||||
@@ -158,7 +158,7 @@ static size_t mptsas_config_pack(uint8_t **data, const char *fmt, ...)
|
||||
va_end(ap);
|
||||
|
||||
if (data) {
|
||||
- assert(ret < 256 && (ret % 4) == 0);
|
||||
+ assert(ret / 4 < 256 && (ret % 4) == 0);
|
||||
stb_p(*data + 1, ret / 4);
|
||||
}
|
||||
return ret;
|
|
@ -1,37 +0,0 @@
|
|||
From: Paolo Bonzini <pbonzini@redhat.com>
|
||||
Date: Mon, 29 Aug 2016 11:35:37 +0200
|
||||
Subject: [PATCH] scsi: mptconfig: fix misuse of MPTSAS_CONFIG_PACK
|
||||
|
||||
These issues cause respectively a QEMU crash and a leak of 2 bytes of
|
||||
stack. They were discovered by VictorV of 360 Marvel Team.
|
||||
|
||||
Reported-by: Tom Victor <i-tangtianwen@360.cm>
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit 65a8e1f6413a0f6f79894da710b5d6d43361d27d)
|
||||
---
|
||||
hw/scsi/mptconfig.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/hw/scsi/mptconfig.c b/hw/scsi/mptconfig.c
|
||||
index 3e4f400..87a416a 100644
|
||||
--- a/hw/scsi/mptconfig.c
|
||||
+++ b/hw/scsi/mptconfig.c
|
||||
@@ -203,7 +203,7 @@ size_t mptsas_config_manufacturing_1(MPTSASState *s, uint8_t **data, int address
|
||||
{
|
||||
/* VPD - all zeros */
|
||||
return MPTSAS_CONFIG_PACK(1, MPI_CONFIG_PAGETYPE_MANUFACTURING, 0x00,
|
||||
- "s256");
|
||||
+ "*s256");
|
||||
}
|
||||
|
||||
static
|
||||
@@ -328,7 +328,7 @@ size_t mptsas_config_ioc_0(MPTSASState *s, uint8_t **data, int address)
|
||||
return MPTSAS_CONFIG_PACK(0, MPI_CONFIG_PAGETYPE_IOC, 0x01,
|
||||
"*l*lwwb*b*b*blww",
|
||||
pcic->vendor_id, pcic->device_id, pcic->revision,
|
||||
- pcic->subsystem_vendor_id,
|
||||
+ pcic->class_id, pcic->subsystem_vendor_id,
|
||||
pcic->subsystem_id);
|
||||
}
|
||||
|
|
@ -1,29 +0,0 @@
|
|||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Tue, 13 Sep 2016 03:20:03 -0700
|
||||
Subject: [PATCH] usb:xhci:fix memory leak in usb_xhci_exit
|
||||
|
||||
If the xhci uses msix, it doesn't free the corresponding
|
||||
memory, thus leading a memory leak. This patch avoid this.
|
||||
|
||||
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Message-id: 57d7d2e0.d4301c0a.d13e9.9a55@mx.google.com
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit b53dd4495ced2432a0b652ea895e651d07336f7e)
|
||||
---
|
||||
hw/usb/hcd-xhci.c | 3 +--
|
||||
1 file changed, 1 insertion(+), 2 deletions(-)
|
||||
|
||||
diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
|
||||
index 188f954..281a2a5 100644
|
||||
--- a/hw/usb/hcd-xhci.c
|
||||
+++ b/hw/usb/hcd-xhci.c
|
||||
@@ -3709,8 +3709,7 @@ static void usb_xhci_exit(PCIDevice *dev)
|
||||
/* destroy msix memory region */
|
||||
if (dev->msix_table && dev->msix_pba
|
||||
&& dev->msix_entry_used) {
|
||||
- memory_region_del_subregion(&xhci->mem, &dev->msix_table_mmio);
|
||||
- memory_region_del_subregion(&xhci->mem, &dev->msix_pba_mmio);
|
||||
+ msix_uninit(dev, &xhci->mem, &xhci->mem);
|
||||
}
|
||||
|
||||
usb_bus_release(&xhci->bus);
|
|
@ -1,32 +0,0 @@
|
|||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Mon, 12 Sep 2016 18:14:11 +0530
|
||||
Subject: [PATCH] scsi: mptsas: use g_new0 to allocate MPTSASRequest object
|
||||
|
||||
When processing IO request in mptsas, it uses g_new to allocate
|
||||
a 'req' object. If an error occurs before 'req->sreq' is
|
||||
allocated, It could lead to an OOB write in mptsas_free_request
|
||||
function. Use g_new0 to avoid it.
|
||||
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-Id: <1473684251-17476-1-git-send-email-ppandit@redhat.com>
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit 670e56d3ed2918b3861d9216f2c0540d9e9ae0d5)
|
||||
---
|
||||
hw/scsi/mptsas.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c
|
||||
index 0e0a22f..eaae1bb 100644
|
||||
--- a/hw/scsi/mptsas.c
|
||||
+++ b/hw/scsi/mptsas.c
|
||||
@@ -304,7 +304,7 @@ static int mptsas_process_scsi_io_request(MPTSASState *s,
|
||||
goto bad;
|
||||
}
|
||||
|
||||
- req = g_new(MPTSASRequest, 1);
|
||||
+ req = g_new0(MPTSASRequest, 1);
|
||||
QTAILQ_INSERT_TAIL(&s->pending, req, next);
|
||||
req->scsi_io = *scsi_io;
|
||||
req->dev = s;
|
|
@ -1,35 +0,0 @@
|
|||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Mon, 19 Sep 2016 23:55:45 +0530
|
||||
Subject: [PATCH] virtio: add check for descriptor's mapped address
|
||||
|
||||
virtio back end uses set of buffers to facilitate I/O operations.
|
||||
If its size is too large, 'cpu_physical_memory_map' could return
|
||||
a null address. This would result in a null dereference while
|
||||
un-mapping descriptors. Add check to avoid it.
|
||||
|
||||
Reported-by: Qinghao Tang <luodalongde@gmail.com>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
|
||||
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
|
||||
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
|
||||
(cherry picked from commit 973e7170dddefb491a48df5cba33b2ae151013a0)
|
||||
---
|
||||
hw/virtio/virtio.c | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
|
||||
index 74c085c..eabe573 100644
|
||||
--- a/hw/virtio/virtio.c
|
||||
+++ b/hw/virtio/virtio.c
|
||||
@@ -473,6 +473,11 @@ static void virtqueue_map_desc(unsigned int *p_num_sg, hwaddr *addr, struct iove
|
||||
}
|
||||
|
||||
iov[num_sg].iov_base = cpu_physical_memory_map(pa, &len, is_write);
|
||||
+ if (!iov[num_sg].iov_base) {
|
||||
+ error_report("virtio: bogus descriptor or out of resources");
|
||||
+ exit(1);
|
||||
+ }
|
||||
+
|
||||
iov[num_sg].iov_len = len;
|
||||
addr[num_sg] = pa;
|
||||
|
|
@ -1,49 +0,0 @@
|
|||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Thu, 22 Sep 2016 16:02:37 +0530
|
||||
Subject: [PATCH] net: mcf: limit buffer descriptor count
|
||||
|
||||
ColdFire Fast Ethernet Controller uses buffer descriptors to manage
|
||||
data flow to/fro receive & transmit queues. While transmitting
|
||||
packets, it could continue to read buffer descriptors if a buffer
|
||||
descriptor has length of zero and has crafted values in bd.flags.
|
||||
Set upper limit to number of buffer descriptors.
|
||||
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
||||
(cherry picked from commit 070c4b92b8cd5390889716677a0b92444d6e087a)
|
||||
---
|
||||
hw/net/mcf_fec.c | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/hw/net/mcf_fec.c b/hw/net/mcf_fec.c
|
||||
index 0ee8ad9..d31fea1 100644
|
||||
--- a/hw/net/mcf_fec.c
|
||||
+++ b/hw/net/mcf_fec.c
|
||||
@@ -23,6 +23,7 @@ do { printf("mcf_fec: " fmt , ## __VA_ARGS__); } while (0)
|
||||
#define DPRINTF(fmt, ...) do {} while(0)
|
||||
#endif
|
||||
|
||||
+#define FEC_MAX_DESC 1024
|
||||
#define FEC_MAX_FRAME_SIZE 2032
|
||||
|
||||
typedef struct {
|
||||
@@ -149,7 +150,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s)
|
||||
uint32_t addr;
|
||||
mcf_fec_bd bd;
|
||||
int frame_size;
|
||||
- int len;
|
||||
+ int len, descnt = 0;
|
||||
uint8_t frame[FEC_MAX_FRAME_SIZE];
|
||||
uint8_t *ptr;
|
||||
|
||||
@@ -157,7 +158,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s)
|
||||
ptr = frame;
|
||||
frame_size = 0;
|
||||
addr = s->tx_descriptor;
|
||||
- while (1) {
|
||||
+ while (descnt++ < FEC_MAX_DESC) {
|
||||
mcf_fec_read_bd(&bd, addr);
|
||||
DPRINTF("tx_bd %x flags %04x len %d data %08x\n",
|
||||
addr, bd.flags, bd.length, bd.data);
|
|
@ -1,65 +0,0 @@
|
|||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Mon, 10 Oct 2016 12:46:22 +0200
|
||||
Subject: [PATCH] xhci: limit the number of link trbs we are willing to process
|
||||
|
||||
Needed to avoid we run in circles forever in case the guest builds
|
||||
an endless loop with link trbs.
|
||||
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Tested-by: P J P <ppandit@redhat.com>
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Message-id: 1476096382-7981-1-git-send-email-kraxel@redhat.com
|
||||
(cherry picked from commit 05f43d44e4bc26611ce25fd7d726e483f73363ce)
|
||||
---
|
||||
hw/usb/hcd-xhci.c | 10 ++++++++++
|
||||
1 file changed, 10 insertions(+)
|
||||
|
||||
diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
|
||||
index 281a2a5..8a9a31a 100644
|
||||
--- a/hw/usb/hcd-xhci.c
|
||||
+++ b/hw/usb/hcd-xhci.c
|
||||
@@ -54,6 +54,8 @@
|
||||
* to the specs when it gets them */
|
||||
#define ER_FULL_HACK
|
||||
|
||||
+#define TRB_LINK_LIMIT 4
|
||||
+
|
||||
#define LEN_CAP 0x40
|
||||
#define LEN_OPER (0x400 + 0x10 * MAXPORTS)
|
||||
#define LEN_RUNTIME ((MAXINTRS + 1) * 0x20)
|
||||
@@ -1000,6 +1002,7 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb,
|
||||
dma_addr_t *addr)
|
||||
{
|
||||
PCIDevice *pci_dev = PCI_DEVICE(xhci);
|
||||
+ uint32_t link_cnt = 0;
|
||||
|
||||
while (1) {
|
||||
TRBType type;
|
||||
@@ -1026,6 +1029,9 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb,
|
||||
ring->dequeue += TRB_SIZE;
|
||||
return type;
|
||||
} else {
|
||||
+ if (++link_cnt > TRB_LINK_LIMIT) {
|
||||
+ return 0;
|
||||
+ }
|
||||
ring->dequeue = xhci_mask64(trb->parameter);
|
||||
if (trb->control & TRB_LK_TC) {
|
||||
ring->ccs = !ring->ccs;
|
||||
@@ -1043,6 +1049,7 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring)
|
||||
bool ccs = ring->ccs;
|
||||
/* hack to bundle together the two/three TDs that make a setup transfer */
|
||||
bool control_td_set = 0;
|
||||
+ uint32_t link_cnt = 0;
|
||||
|
||||
while (1) {
|
||||
TRBType type;
|
||||
@@ -1058,6 +1065,9 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring)
|
||||
type = TRB_TYPE(trb);
|
||||
|
||||
if (type == TR_LINK) {
|
||||
+ if (++link_cnt > TRB_LINK_LIMIT) {
|
||||
+ return -length;
|
||||
+ }
|
||||
dequeue = xhci_mask64(trb.parameter);
|
||||
if (trb.control & TRB_LK_TC) {
|
||||
ccs = !ccs;
|
|
@ -1,29 +0,0 @@
|
|||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Sun, 18 Sep 2016 19:48:35 -0700
|
||||
Subject: [PATCH] usb: ehci: fix memory leak in ehci_process_itd
|
||||
|
||||
While processing isochronous transfer descriptors(iTD), if the page
|
||||
select(PG) field value is out of bands it will return. In this
|
||||
situation the ehci's sg list is not freed thus leading to a memory
|
||||
leak issue. This patch avoid this.
|
||||
|
||||
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Reviewed-by: Thomas Huth <thuth@redhat.com>
|
||||
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
|
||||
(cherry picked from commit b16c129daf0fed91febbb88de23dae8271c8898a)
|
||||
---
|
||||
hw/usb/hcd-ehci.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
|
||||
index b093db7..f4ece9a 100644
|
||||
--- a/hw/usb/hcd-ehci.c
|
||||
+++ b/hw/usb/hcd-ehci.c
|
||||
@@ -1426,6 +1426,7 @@ static int ehci_process_itd(EHCIState *ehci,
|
||||
if (off + len > 4096) {
|
||||
/* transfer crosses page border */
|
||||
if (pg == 6) {
|
||||
+ qemu_sglist_destroy(&ehci->isgl);
|
||||
return -1; /* avoid page pg + 1 */
|
||||
}
|
||||
ptr2 = (itd->bufptr[pg + 1] & ITD_BUFPTR_MASK);
|
|
@ -1,50 +0,0 @@
|
|||
From: Hans de Goede <hdegoede@redhat.com>
|
||||
Date: Mon, 10 Oct 2016 12:45:13 +0200
|
||||
Subject: [PATCH] usb-redir: allocate buffers before waking up the host adapter
|
||||
|
||||
Needed to make sure usb redirection is prepared to actually handle the
|
||||
callback from the usb host adapter. Without this interrupt endpoints
|
||||
don't work on xhci.
|
||||
|
||||
Note: On ehci the usb_wakeup() call only schedules a BH for the actual
|
||||
work, which hides this bug because the allocation happens before ehci
|
||||
calls back even without this patch.
|
||||
|
||||
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
|
||||
Message-id: 1476096313-7730-1-git-send-email-kraxel@redhat.com
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit d5c42857d6b0c35028897df8dfc3749eba6f6de3)
|
||||
---
|
||||
hw/usb/redirect.c | 10 +++++++---
|
||||
1 file changed, 7 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
|
||||
index 444672a..d4ca026 100644
|
||||
--- a/hw/usb/redirect.c
|
||||
+++ b/hw/usb/redirect.c
|
||||
@@ -2036,18 +2036,22 @@ static void usbredir_interrupt_packet(void *priv, uint64_t id,
|
||||
}
|
||||
|
||||
if (ep & USB_DIR_IN) {
|
||||
+ bool q_was_empty;
|
||||
+
|
||||
if (dev->endpoint[EP2I(ep)].interrupt_started == 0) {
|
||||
DPRINTF("received int packet while not started ep %02X\n", ep);
|
||||
free(data);
|
||||
return;
|
||||
}
|
||||
|
||||
- if (QTAILQ_EMPTY(&dev->endpoint[EP2I(ep)].bufpq)) {
|
||||
- usb_wakeup(usb_ep_get(&dev->dev, USB_TOKEN_IN, ep & 0x0f), 0);
|
||||
- }
|
||||
+ q_was_empty = QTAILQ_EMPTY(&dev->endpoint[EP2I(ep)].bufpq);
|
||||
|
||||
/* bufp_alloc also adds the packet to the ep queue */
|
||||
bufp_alloc(dev, data, data_len, interrupt_packet->status, ep, data);
|
||||
+
|
||||
+ if (q_was_empty) {
|
||||
+ usb_wakeup(usb_ep_get(&dev->dev, USB_TOKEN_IN, ep & 0x0f), 0);
|
||||
+ }
|
||||
} else {
|
||||
/*
|
||||
* We report output interrupt packets as completed directly upon
|
|
@ -1,54 +0,0 @@
|
|||
From: Thomas Huth <thuth@redhat.com>
|
||||
Date: Wed, 21 Sep 2016 11:42:15 +0200
|
||||
Subject: [PATCH] ppc/kvm: Mark 64kB page size support as disabled if not
|
||||
available
|
||||
|
||||
QEMU currently refuses to start with KVM-PR and only prints out
|
||||
|
||||
qemu: fatal: Unknown MMU model 851972
|
||||
|
||||
when being started there. This is because commit 4322e8ced5aaac719
|
||||
("ppc: Fix 64K pages support in full emulation") introduced a new
|
||||
POWERPC_MMU_64K bit to indicate support for this page size, but
|
||||
it never gets cleared on KVM-PR if the host kernel does not support
|
||||
this. Thus we've got to turn off this bit in the mmu_model for KVM-PR.
|
||||
|
||||
Signed-off-by: Thomas Huth <thuth@redhat.com>
|
||||
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
|
||||
(cherry picked from commit 0d594f5565837fe2886a8aa307ef8abb65eab8f7)
|
||||
---
|
||||
target-ppc/kvm.c | 7 +++++++
|
||||
1 file changed, 7 insertions(+)
|
||||
|
||||
diff --git a/target-ppc/kvm.c b/target-ppc/kvm.c
|
||||
index dcb68b9..6bdc804 100644
|
||||
--- a/target-ppc/kvm.c
|
||||
+++ b/target-ppc/kvm.c
|
||||
@@ -427,6 +427,7 @@ static void kvm_fixup_page_sizes(PowerPCCPU *cpu)
|
||||
CPUPPCState *env = &cpu->env;
|
||||
long rampagesize;
|
||||
int iq, ik, jq, jk;
|
||||
+ bool has_64k_pages = false;
|
||||
|
||||
/* We only handle page sizes for 64-bit server guests for now */
|
||||
if (!(env->mmu_model & POWERPC_MMU_64)) {
|
||||
@@ -470,6 +471,9 @@ static void kvm_fixup_page_sizes(PowerPCCPU *cpu)
|
||||
ksps->enc[jk].page_shift)) {
|
||||
continue;
|
||||
}
|
||||
+ if (ksps->enc[jk].page_shift == 16) {
|
||||
+ has_64k_pages = true;
|
||||
+ }
|
||||
qsps->enc[jq].page_shift = ksps->enc[jk].page_shift;
|
||||
qsps->enc[jq].pte_enc = ksps->enc[jk].pte_enc;
|
||||
if (++jq >= PPC_PAGE_SIZES_MAX_SZ) {
|
||||
@@ -484,6 +488,9 @@ static void kvm_fixup_page_sizes(PowerPCCPU *cpu)
|
||||
if (!(smmu_info.flags & KVM_PPC_1T_SEGMENTS)) {
|
||||
env->mmu_model &= ~POWERPC_MMU_1TSEG;
|
||||
}
|
||||
+ if (!has_64k_pages) {
|
||||
+ env->mmu_model &= ~POWERPC_MMU_64K;
|
||||
+ }
|
||||
}
|
||||
#else /* defined (TARGET_PPC64) */
|
||||
|
80
qemu.spec
80
qemu.spec
|
@ -73,6 +73,7 @@ Requires: %{name}-block-curl = %{epoch}:%{version}-%{release} \
|
|||
Requires: %{name}-block-dmg = %{epoch}:%{version}-%{release} \
|
||||
Requires: %{name}-block-gluster = %{epoch}:%{version}-%{release} \
|
||||
Requires: %{name}-block-iscsi = %{epoch}:%{version}-%{release} \
|
||||
Requires: %{name}-block-nfs = %{epoch}:%{version}-%{release} \
|
||||
Requires: %{name}-block-rbd = %{epoch}:%{version}-%{release} \
|
||||
Requires: %{name}-block-ssh = %{epoch}:%{version}-%{release}
|
||||
|
||||
|
@ -81,7 +82,7 @@ Requires: %{name}-block-ssh = %{epoch}:%{version}-%{release}
|
|||
%undefine _hardened_build
|
||||
|
||||
# Release candidate version tracking
|
||||
# global rcver rc3
|
||||
%global rcver rc2
|
||||
%if 0%{?rcver:1}
|
||||
%global rcrel .%{rcver}
|
||||
%global rcstr -%{rcver}
|
||||
|
@ -90,8 +91,8 @@ Requires: %{name}-block-ssh = %{epoch}:%{version}-%{release}
|
|||
|
||||
Summary: QEMU is a FAST! processor emulator
|
||||
Name: qemu
|
||||
Version: 2.7.0
|
||||
Release: 10%{?rcrel}%{?dist}
|
||||
Version: 2.8.0
|
||||
Release: 0.1%{?rcrel}%{?dist}
|
||||
Epoch: 2
|
||||
License: GPLv2+ and LGPLv2+ and BSD
|
||||
Group: Development/Tools
|
||||
|
@ -125,37 +126,9 @@ Source21: 50-kvm-s390x.conf
|
|||
# /etc/security/limits.d/95-kvm-ppc64-memlock.conf
|
||||
Source22: 95-kvm-ppc64-memlock.conf
|
||||
|
||||
# CVE-2016-7155: pvscsi: OOB read and infinite loop (bz #1373463)
|
||||
Patch0001: 0001-vmw_pvscsi-check-page-count-while-initialising-descr.patch
|
||||
# CVE-2016-7156: pvscsi: infinite loop when building SG list (bz #1373480)
|
||||
Patch0002: 0002-scsi-pvscsi-limit-loop-to-fetch-SG-list.patch
|
||||
# CVE-2016-7156: pvscsi: infinite loop when processing IO requests (bz
|
||||
# #1373480)
|
||||
Patch0003: 0003-scsi-pvscsi-limit-process-IO-loop-to-ring-size.patch
|
||||
# CVE-2016-7170: vmware_vga: OOB stack memory access (bz #1374709)
|
||||
Patch0004: 0004-vmsvga-correct-bitmap-and-pixmap-size-checks.patch
|
||||
# CVE-2016-7157: mptsas: invalid memory access (bz #1373505)
|
||||
Patch0005: 0005-scsi-mptconfig-fix-an-assert-expression.patch
|
||||
Patch0006: 0006-scsi-mptconfig-fix-misuse-of-MPTSAS_CONFIG_PACK.patch
|
||||
# CVE-2016-7466: usb: xhci memory leakage during device unplug (bz #1377838)
|
||||
Patch0007: 0007-usb-xhci-fix-memory-leak-in-usb_xhci_exit.patch
|
||||
# CVE-2016-7423: scsi: mptsas: OOB access (bz #1376777)
|
||||
Patch0008: 0008-scsi-mptsas-use-g_new0-to-allocate-MPTSASRequest-obj.patch
|
||||
# CVE-2016-7422: virtio: null pointer dereference (bz #1376756)
|
||||
Patch0009: 0009-virtio-add-check-for-descriptor-s-mapped-address.patch
|
||||
# CVE-2016-7908: net: Infinite loop in mcf_fec_do_tx (bz #1381193)
|
||||
Patch0010: 0010-net-mcf-limit-buffer-descriptor-count.patch
|
||||
# CVE-2016-8576: usb: xHCI: infinite loop vulnerability (bz #1382322)
|
||||
Patch0011: 0011-xhci-limit-the-number-of-link-trbs-we-are-willing-to.patch
|
||||
# CVE-2016-7995: usb: hcd-ehci: memory leak (bz #1382669)
|
||||
Patch0012: 0012-usb-ehci-fix-memory-leak-in-ehci_process_itd.patch
|
||||
# Fix interrupt endpoints not working with network/spice USB redirection on
|
||||
# guest with an emulated xhci controller (bz #1382331)
|
||||
Patch0013: 0013-usb-redir-allocate-buffers-before-waking-up-the-host.patch
|
||||
# Fix nested PPC 'Unknown MMU model' error (bz #1374749)
|
||||
Patch0014: 0014-ppc-kvm-Mark-64kB-page-size-support-as-disabled-if-n.patch
|
||||
# Fix flickering display with boxes + wayland VM (bz #1266484)
|
||||
Patch0015: 0015-qxl-Only-emit-QXL_INTERRUPT_CLIENT_MONITORS_CONFIG-o.patch
|
||||
# Fix flickering display with boxes + wayland VM (bz #1392239)
|
||||
# Posted, but not yet upstream
|
||||
Patch0001: 0001-qxl-Only-emit-QXL_INTERRUPT_CLIENT_MONITORS_CONFIG-o.patch
|
||||
|
||||
# documentation deps
|
||||
BuildRequires: texi2html
|
||||
|
@ -418,6 +391,17 @@ This package provides the additional iSCSI block driver for QEMU.
|
|||
Install this package if you want to access iSCSI volumes.
|
||||
|
||||
|
||||
%package block-nfs
|
||||
Summary: QEMU NFS block driver
|
||||
Group: Development/Tools
|
||||
Requires: %{name}-common%{?_isa} = %{epoch}:%{version}-%{release}
|
||||
|
||||
%description block-nfs
|
||||
This package provides the additional NFS block driver for QEMU.
|
||||
|
||||
Install this package if you want to access remote NFS storage.
|
||||
|
||||
|
||||
%package block-rbd
|
||||
Summary: QEMU Ceph/RBD block driver
|
||||
Group: Development/Tools
|
||||
|
@ -1039,7 +1023,6 @@ user_arch="\
|
|||
sparc \
|
||||
sparc32plus \
|
||||
sparc64 \
|
||||
unicore32 \
|
||||
x86_64"
|
||||
|
||||
dynamic_targets=
|
||||
|
@ -1155,7 +1138,6 @@ pushd build-static
|
|||
--disable-nettle \
|
||||
--disable-cap-ng \
|
||||
--disable-brlapi \
|
||||
--disable-uuid \
|
||||
--disable-libnfs \
|
||||
%ifarch s390 %{mips64}
|
||||
--enable-tcg-interpreter \
|
||||
|
@ -1266,14 +1248,9 @@ rm -rf %{buildroot}%{_datadir}/%{name}/vgabios*bin
|
|||
# Provided by package seabios
|
||||
rm -rf %{buildroot}%{_datadir}/%{name}/bios.bin
|
||||
rm -rf %{buildroot}%{_datadir}/%{name}/bios-256k.bin
|
||||
rm -rf %{buildroot}%{_datadir}/%{name}/acpi-dsdt.aml
|
||||
rm -rf %{buildroot}%{_datadir}/%{name}/q35-acpi-dsdt.aml
|
||||
# Provided by package sgabios
|
||||
rm -rf %{buildroot}%{_datadir}/%{name}/sgabios.bin
|
||||
|
||||
# the pxe gpxe images will be symlinks to the images on
|
||||
# /usr/share/ipxe, as QEMU doesn't know how to look
|
||||
# for other paths, yet.
|
||||
pxe_link() {
|
||||
ln -s ../ipxe/$2.rom %{buildroot}%{_datadir}/%{name}/pxe-$1.rom
|
||||
ln -s ../ipxe.efi/$2.rom %{buildroot}%{_datadir}/%{name}/efi-$1.rom
|
||||
|
@ -1300,8 +1277,6 @@ rom_link ../seavgabios/vgabios-vmware.bin vgabios-vmware.bin
|
|||
rom_link ../seavgabios/vgabios-virtio.bin vgabios-virtio.bin
|
||||
rom_link ../seabios/bios.bin bios.bin
|
||||
rom_link ../seabios/bios-256k.bin bios-256k.bin
|
||||
rom_link ../seabios/acpi-dsdt.aml acpi-dsdt.aml
|
||||
rom_link ../seabios/q35-acpi-dsdt.aml q35-acpi-dsdt.aml
|
||||
rom_link ../sgabios/sgabios.bin sgabios.bin
|
||||
|
||||
# Install binfmt
|
||||
|
@ -1479,7 +1454,6 @@ getent passwd qemu >/dev/null || \
|
|||
%doc %{qemudocdir}/Changelog
|
||||
%doc %{qemudocdir}/README
|
||||
%doc %{qemudocdir}/qemu-doc.html
|
||||
%doc %{qemudocdir}/qemu-tech.html
|
||||
%doc %{qemudocdir}/qmp-commands.txt
|
||||
%doc %{qemudocdir}/COPYING
|
||||
%doc %{qemudocdir}/COPYING.LIB
|
||||
|
@ -1510,7 +1484,6 @@ getent passwd qemu >/dev/null || \
|
|||
|
||||
|
||||
%files guest-agent
|
||||
%doc COPYING README
|
||||
%{_bindir}/qemu-ga
|
||||
%{_mandir}/man8/qemu-ga.8*
|
||||
%{_unitdir}/qemu-guest-agent.service
|
||||
|
@ -1530,7 +1503,7 @@ getent passwd qemu >/dev/null || \
|
|||
|
||||
|
||||
%files block-dmg
|
||||
%{_libdir}/qemu/block-dmg.so
|
||||
%{_libdir}/qemu/block-dmg-bz2.so
|
||||
|
||||
|
||||
%files block-gluster
|
||||
|
@ -1541,6 +1514,10 @@ getent passwd qemu >/dev/null || \
|
|||
%{_libdir}/qemu/block-iscsi.so
|
||||
|
||||
|
||||
%files block-nfs
|
||||
%{_libdir}/qemu/block-nfs.so
|
||||
|
||||
|
||||
%files block-rbd
|
||||
%{_libdir}/qemu/block-rbd.so
|
||||
|
||||
|
@ -1591,7 +1568,6 @@ getent passwd qemu >/dev/null || \
|
|||
%{_bindir}/qemu-sparc
|
||||
%{_bindir}/qemu-sparc32plus
|
||||
%{_bindir}/qemu-sparc64
|
||||
%{_bindir}/qemu-unicore32
|
||||
|
||||
%{_datadir}/systemtap/tapset/qemu-i386.stp
|
||||
%{_datadir}/systemtap/tapset/qemu-i386-simpletrace.stp
|
||||
|
@ -1647,8 +1623,6 @@ getent passwd qemu >/dev/null || \
|
|||
%{_datadir}/systemtap/tapset/qemu-sparc32plus-simpletrace.stp
|
||||
%{_datadir}/systemtap/tapset/qemu-sparc64.stp
|
||||
%{_datadir}/systemtap/tapset/qemu-sparc64-simpletrace.stp
|
||||
%{_datadir}/systemtap/tapset/qemu-unicore32.stp
|
||||
%{_datadir}/systemtap/tapset/qemu-unicore32-simpletrace.stp
|
||||
|
||||
%files user-binfmt
|
||||
%{_exec_prefix}/lib/binfmt.d/qemu-*-dynamic.conf
|
||||
|
@ -1683,7 +1657,6 @@ getent passwd qemu >/dev/null || \
|
|||
%{_bindir}/qemu-sparc-static
|
||||
%{_bindir}/qemu-sparc32plus-static
|
||||
%{_bindir}/qemu-sparc64-static
|
||||
%{_bindir}/qemu-unicore32-static
|
||||
|
||||
%{_datadir}/systemtap/tapset/qemu-i386-static.stp
|
||||
%{_datadir}/systemtap/tapset/qemu-i386-simpletrace-static.stp
|
||||
|
@ -1739,8 +1712,6 @@ getent passwd qemu >/dev/null || \
|
|||
%{_datadir}/systemtap/tapset/qemu-sparc32plus-simpletrace-static.stp
|
||||
%{_datadir}/systemtap/tapset/qemu-sparc64-static.stp
|
||||
%{_datadir}/systemtap/tapset/qemu-sparc64-simpletrace-static.stp
|
||||
%{_datadir}/systemtap/tapset/qemu-unicore32-static.stp
|
||||
%{_datadir}/systemtap/tapset/qemu-unicore32-simpletrace-static.stp
|
||||
%endif
|
||||
|
||||
|
||||
|
@ -1761,7 +1732,6 @@ getent passwd qemu >/dev/null || \
|
|||
%endif
|
||||
|
||||
%{_datadir}/%{name}/acpi-dsdt.aml
|
||||
%{_datadir}/%{name}/q35-acpi-dsdt.aml
|
||||
%{_datadir}/%{name}/bios.bin
|
||||
%{_datadir}/%{name}/bios-256k.bin
|
||||
%{_datadir}/%{name}/sgabios.bin
|
||||
|
@ -1935,6 +1905,7 @@ getent passwd qemu >/dev/null || \
|
|||
%{_mandir}/man1/qemu-system-ppcemb.1*
|
||||
%{_datadir}/%{name}/bamboo.dtb
|
||||
%{_datadir}/%{name}/ppc_rom.bin
|
||||
%{_datadir}/%{name}/skiboot.lid
|
||||
%{_datadir}/%{name}/spapr-rtas.bin
|
||||
%{_datadir}/%{name}/u-boot.e500
|
||||
%ifarch %{power64}
|
||||
|
@ -1994,6 +1965,9 @@ getent passwd qemu >/dev/null || \
|
|||
|
||||
|
||||
%changelog
|
||||
* Mon Dec 05 2016 Cole Robinson <crobinso@redhat.com> - 2:2.8.0-0.1-rc2
|
||||
- Rebase to qemu-2.8.0-rc2
|
||||
|
||||
* Mon Nov 28 2016 Paolo Bonzini <pbonzini@redhat.com> - 2:2.7.0-10
|
||||
- Do not build aarch64 with -fPIC anymore (rhbz 1232499)
|
||||
|
||||
|
|
Loading…
Reference in New Issue