diff --git a/0001-scsi-pvscsi-limit-loop-to-fetch-SG-list.patch b/0001-scsi-pvscsi-limit-loop-to-fetch-SG-list.patch
index 9556181..36eea3a 100644
--- a/0001-scsi-pvscsi-limit-loop-to-fetch-SG-list.patch
+++ b/0001-scsi-pvscsi-limit-loop-to-fetch-SG-list.patch
@@ -25,7 +25,7 @@ Signed-off-by: Paolo Bonzini
 1 file changed, 6 insertions(+), 5 deletions(-)
 
 diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
-index 4d94b36..a5ce7de 100644
+index 4d94b363a9..a5ce7dea8e 100644
 --- a/hw/scsi/vmw_pvscsi.c
 +++ b/hw/scsi/vmw_pvscsi.c
 @@ -40,6 +40,8 @@
diff --git a/0002-vmsvga-correct-bitmap-and-pixmap-size-checks.patch b/0002-vmsvga-correct-bitmap-and-pixmap-size-checks.patch
index 91a9b52..29cdccf 100644
--- a/0002-vmsvga-correct-bitmap-and-pixmap-size-checks.patch
+++ b/0002-vmsvga-correct-bitmap-and-pixmap-size-checks.patch
@@ -18,7 +18,7 @@ Signed-off-by: Gerd Hoffmann
 1 file changed, 7 insertions(+), 5 deletions(-)
 
 diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
-index e51a05e..6599cf0 100644
+index e51a05ea7e..6599cf078d 100644
 --- a/hw/display/vmware_vga.c
 +++ b/hw/display/vmware_vga.c
 @@ -676,11 +676,13 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
diff --git a/0003-usb-xhci-fix-memory-leak-in-usb_xhci_exit.patch b/0003-usb-xhci-fix-memory-leak-in-usb_xhci_exit.patch
index d47fccf..51e2945 100644
--- a/0003-usb-xhci-fix-memory-leak-in-usb_xhci_exit.patch
+++ b/0003-usb-xhci-fix-memory-leak-in-usb_xhci_exit.patch
@@ -14,7 +14,7 @@ Signed-off-by: Gerd Hoffmann
 1 file changed, 1 insertion(+), 2 deletions(-)
 
 diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
-index 188f954..281a2a5 100644
+index 188f95416a..281a2a59f0 100644
 --- a/hw/usb/hcd-xhci.c
 +++ b/hw/usb/hcd-xhci.c
 @@ -3709,8 +3709,7 @@ static void usb_xhci_exit(PCIDevice *dev)
diff --git a/0004-virtio-add-check-for-descriptor-s-mapped-address.patch b/0004-virtio-add-check-for-descriptor-s-mapped-address.patch
index 000d28e..c90cb25 100644
--- a/0004-virtio-add-check-for-descriptor-s-mapped-address.patch
+++ b/0004-virtio-add-check-for-descriptor-s-mapped-address.patch
@@ -18,7 +18,7 @@ Reviewed-by: Laszlo Ersek
 1 file changed, 5 insertions(+)
 
 diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
-index f31140a..58edd99 100644
+index f31140aba4..58edd9952a 100644
 --- a/hw/virtio/virtio.c
 +++ b/hw/virtio/virtio.c
 @@ -473,6 +473,11 @@ static void virtqueue_map_desc(unsigned int *p_num_sg, hwaddr *addr, struct iove
diff --git a/0005-net-mcf-limit-buffer-descriptor-count.patch b/0005-net-mcf-limit-buffer-descriptor-count.patch
index ae05c63..47e620e 100644
--- a/0005-net-mcf-limit-buffer-descriptor-count.patch
+++ b/0005-net-mcf-limit-buffer-descriptor-count.patch
@@ -18,7 +18,7 @@ Signed-off-by: Jason Wang
 1 file changed, 3 insertions(+), 2 deletions(-)
 
 diff --git a/hw/net/mcf_fec.c b/hw/net/mcf_fec.c
-index 0ee8ad9..d31fea1 100644
+index 0ee8ad9d66..d31fea1f18 100644
 --- a/hw/net/mcf_fec.c
 +++ b/hw/net/mcf_fec.c
 @@ -23,6 +23,7 @@ do { printf("mcf_fec: " fmt , ## __VA_ARGS__); } while (0)
diff --git a/0006-xhci-limit-the-number-of-link-trbs-we-are-willing-to.patch b/0006-xhci-limit-the-number-of-link-trbs-we-are-willing-to.patch
index 03b7429..196f1bf 100644
--- a/0006-xhci-limit-the-number-of-link-trbs-we-are-willing-to.patch
+++ b/0006-xhci-limit-the-number-of-link-trbs-we-are-willing-to.patch
@@ -15,7 +15,7 @@ Message-id: 1476096382-7981-1-git-send-email-kraxel@redhat.com
 1 file changed, 10 insertions(+)
 
 diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
-index 281a2a5..8a9a31a 100644
+index 281a2a59f0..8a9a31a2f7 100644
 --- a/hw/usb/hcd-xhci.c
 +++ b/hw/usb/hcd-xhci.c
 @@ -54,6 +54,8 @@
diff --git a/0007-usb-ehci-fix-memory-leak-in-ehci_process_itd.patch b/0007-usb-ehci-fix-memory-leak-in-ehci_process_itd.patch
index e7c7aa3..ba5d595 100644
--- a/0007-usb-ehci-fix-memory-leak-in-ehci_process_itd.patch
+++ b/0007-usb-ehci-fix-memory-leak-in-ehci_process_itd.patch
@@ -16,7 +16,7 @@ Signed-off-by: Michael Tokarev
 1 file changed, 1 insertion(+)
 
 diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
-index b093db7..f4ece9a 100644
+index b093db729c..f4ece9abed 100644
 --- a/hw/usb/hcd-ehci.c
 +++ b/hw/usb/hcd-ehci.c
 @@ -1426,6 +1426,7 @@ static int ehci_process_itd(EHCIState *ehci,
diff --git a/0008-usb-redir-allocate-buffers-before-waking-up-the-host.patch b/0008-usb-redir-allocate-buffers-before-waking-up-the-host.patch
index 521e879..0f233b9 100644
--- a/0008-usb-redir-allocate-buffers-before-waking-up-the-host.patch
+++ b/0008-usb-redir-allocate-buffers-before-waking-up-the-host.patch
@@ -19,7 +19,7 @@ Signed-off-by: Gerd Hoffmann
 1 file changed, 7 insertions(+), 3 deletions(-)
 
 diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
-index 444672a..d4ca026 100644
+index 444672a000..d4ca026f00 100644
 --- a/hw/usb/redirect.c
 +++ b/hw/usb/redirect.c
 @@ -2036,18 +2036,22 @@ static void usbredir_interrupt_packet(void *priv, uint64_t id,
diff --git a/0009-qxl-Only-emit-QXL_INTERRUPT_CLIENT_MONITORS_CONFIG-o.patch b/0009-qxl-Only-emit-QXL_INTERRUPT_CLIENT_MONITORS_CONFIG-o.patch
index 5855a66..dc8e845 100644
--- a/0009-qxl-Only-emit-QXL_INTERRUPT_CLIENT_MONITORS_CONFIG-o.patch
+++ b/0009-qxl-Only-emit-QXL_INTERRUPT_CLIENT_MONITORS_CONFIG-o.patch
@@ -33,7 +33,7 @@ Signed-off-by: Gerd Hoffmann
 1 file changed, 36 insertions(+), 1 deletion(-)
 
 diff --git a/hw/display/qxl.c b/hw/display/qxl.c
-index 0e2682d..62d0c80 100644
+index 0e2682d28b..62d0c80dcf 100644
 --- a/hw/display/qxl.c
 +++ b/hw/display/qxl.c
 @@ -992,6 +992,34 @@ static uint32_t qxl_crc32(const uint8_t *p, unsigned len)
diff --git a/0010-ui-use-evdev-keymap-when-running-under-wayland.patch b/0010-ui-use-evdev-keymap-when-running-under-wayland.patch
index 9ef77df..b45c9f1 100644
--- a/0010-ui-use-evdev-keymap-when-running-under-wayland.patch
+++ b/0010-ui-use-evdev-keymap-when-running-under-wayland.patch
@@ -12,7 +12,7 @@ Signed-off-by: Daniel P. Berrange
 2 files changed, 11 insertions(+)
 
 diff --git a/include/ui/gtk.h b/include/ui/gtk.h
-index 42ca0fe..b3b5005 100644
+index 42ca0fea8b..b3b50059c7 100644
 --- a/include/ui/gtk.h
 +++ b/include/ui/gtk.h
 @@ -18,6 +18,10 @@
@@ -27,7 +27,7 @@ index 42ca0fe..b3b5005 100644
 #include "ui/egl-helpers.h"
 #include "ui/egl-context.h"
 diff --git a/ui/gtk.c b/ui/gtk.c
-index 21ae4cb..c641e49 100644
+index 21ae4cbccc..c641e49033 100644
 --- a/ui/gtk.c
 +++ b/ui/gtk.c
 @@ -90,6 +90,9 @@
diff --git a/0011-net-vmxnet-initialise-local-tx-descriptor.patch b/0011-net-vmxnet-initialise-local-tx-descriptor.patch
index 666dcf4..2b1fbdc 100644
--- a/0011-net-vmxnet-initialise-local-tx-descriptor.patch
+++ b/0011-net-vmxnet-initialise-local-tx-descriptor.patch
@@ -17,7 +17,7 @@ Signed-off-by: Jason Wang
 1 file changed, 1 insertion(+)
 
 diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
-index 90f6943..92f6af9 100644
+index 90f6943668..92f6af9620 100644
 --- a/hw/net/vmxnet3.c
 +++ b/hw/net/vmxnet3.c
 @@ -531,6 +531,7 @@ static void vmxnet3_complete_packet(VMXNET3State *s, int qidx, uint32_t tx_ridx)
diff --git a/0012-net-pcnet-check-rx-tx-descriptor-ring-length.patch b/0012-net-pcnet-check-rx-tx-descriptor-ring-length.patch
index 3589e7b..1aee90e 100644
--- a/0012-net-pcnet-check-rx-tx-descriptor-ring-length.patch
+++ b/0012-net-pcnet-check-rx-tx-descriptor-ring-length.patch
@@ -17,7 +17,7 @@ Signed-off-by: Jason Wang
 1 file changed, 3 insertions(+)
 
 diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
-index 198a01f..3078de8 100644
+index 198a01f92d..3078de8aba 100644
 --- a/hw/net/pcnet.c
 +++ b/hw/net/pcnet.c
 @@ -1429,8 +1429,11 @@ static void pcnet_csr_writew(PCNetState *s, uint32_t rap, uint32_t new_value)
diff --git a/0013-virtio-gpu-fix-memory-leak-in-virtio_gpu_resource_cr.patch b/0013-virtio-gpu-fix-memory-leak-in-virtio_gpu_resource_cr.patch
index 5657112..6ac1115 100644
--- a/0013-virtio-gpu-fix-memory-leak-in-virtio_gpu_resource_cr.patch
+++ b/0013-virtio-gpu-fix-memory-leak-in-virtio_gpu_resource_cr.patch
@@ -19,7 +19,7 @@ Signed-off-by: Gerd Hoffmann
 1 file changed, 1 insertion(+)
 
 diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
-index 7fe6ed8..5b6d17b 100644
+index 7fe6ed8bf0..5b6d17be00 100644
 --- a/hw/display/virtio-gpu.c
 +++ b/hw/display/virtio-gpu.c
 @@ -333,6 +333,7 @@ static void virtio_gpu_resource_create_2d(VirtIOGPU *g,
diff --git a/0014-9pfs-fix-potential-host-memory-leak-in-v9fs_read.patch b/0014-9pfs-fix-potential-host-memory-leak-in-v9fs_read.patch
index 3661095..4dd0bad 100644
--- a/0014-9pfs-fix-potential-host-memory-leak-in-v9fs_read.patch
+++ b/0014-9pfs-fix-potential-host-memory-leak-in-v9fs_read.patch
@@ -13,7 +13,7 @@ Signed-off-by: Greg Kurz
 1 file changed, 3 insertions(+), 2 deletions(-)
 
 diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
-index 91a4970..1a9ec7e 100644
+index 91a497079a..1a9ec7ede9 100644
 --- a/hw/9pfs/9p.c
 +++ b/hw/9pfs/9p.c
 @@ -1813,14 +1813,15 @@ static void v9fs_read(void *opaque)
diff --git a/0015-9pfs-allocate-space-for-guest-originated-empty-strin.patch b/0015-9pfs-allocate-space-for-guest-originated-empty-strin.patch
index 0a52067..b9dce90 100644
--- a/0015-9pfs-allocate-space-for-guest-originated-empty-strin.patch
+++ b/0015-9pfs-allocate-space-for-guest-originated-empty-strin.patch
@@ -29,7 +29,7 @@ Signed-off-by: Greg Kurz
 2 files changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/fsdev/9p-iov-marshal.c b/fsdev/9p-iov-marshal.c
-index 663cad5..1d16f8d 100644
+index 663cad5429..1d16f8df4b 100644
 --- a/fsdev/9p-iov-marshal.c
 +++ b/fsdev/9p-iov-marshal.c
 @@ -125,7 +125,7 @@ ssize_t v9fs_iov_vunmarshal(struct iovec *out_sg, int out_num, size_t offset,
@@ -42,7 +42,7 @@ index 663cad5..1d16f8d 100644
 } else {
 v9fs_string_free(str);
 diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
-index 1a9ec7e..2b161ed 100644
+index 1a9ec7ede9..2b161ed6c0 100644
 --- a/hw/9pfs/9p.c
 +++ b/hw/9pfs/9p.c
 @@ -3162,7 +3162,7 @@ static void v9fs_xattrwalk(void *opaque)
diff --git a/0016-net-rocker-set-limit-to-DMA-buffer-size.patch b/0016-net-rocker-set-limit-to-DMA-buffer-size.patch
index 3973667..f6db3ef 100644
--- a/0016-net-rocker-set-limit-to-DMA-buffer-size.patch
+++ b/0016-net-rocker-set-limit-to-DMA-buffer-size.patch
@@ -19,7 +19,7 @@ Signed-off-by: Jason Wang
 1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/hw/net/rocker/rocker.c b/hw/net/rocker/rocker.c
-index 30f2ce4..e9d215a 100644
+index 30f2ce417b..e9d215aa4d 100644
 --- a/hw/net/rocker/rocker.c
 +++ b/hw/net/rocker/rocker.c
 @@ -860,7 +860,7 @@ static void rocker_io_writel(void *opaque, hwaddr addr, uint32_t val)
diff --git a/0017-char-serial-check-divider-value-against-baud-base.patch b/0017-char-serial-check-divider-value-against-baud-base.patch
index 0ddfddf..8582c2c 100644
--- a/0017-char-serial-check-divider-value-against-baud-base.patch
+++ b/0017-char-serial-check-divider-value-against-baud-base.patch
@@ -18,7 +18,7 @@ Signed-off-by: Paolo Bonzini
 1 file changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/hw/char/serial.c b/hw/char/serial.c
-index 3442f47..eec72b7 100644
+index 3442f47d36..eec72b7b9e 100644
 --- a/hw/char/serial.c
 +++ b/hw/char/serial.c
 @@ -153,8 +153,9 @@ static void serial_update_parameters(SerialState *s)
diff --git a/0018-audio-intel-hda-check-stream-entry-count-during-tran.patch b/0018-audio-intel-hda-check-stream-entry-count-during-tran.patch
index 76d0ec3..df955cb 100644
--- a/0018-audio-intel-hda-check-stream-entry-count-during-tran.patch
+++ b/0018-audio-intel-hda-check-stream-entry-count-during-tran.patch
@@ -20,7 +20,7 @@ Signed-off-by: Gerd Hoffmann
 1 file changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c
-index cd95340..537face 100644
+index cd95340cd9..537face94d 100644
 --- a/hw/audio/intel-hda.c
 +++ b/hw/audio/intel-hda.c
 @@ -416,7 +416,8 @@ static bool intel_hda_xfer(HDACodecDevice *dev, uint32_t stnr, bool output,
diff --git a/0019-timer-a9gtimer-remove-loop-to-auto-increment-compara.patch b/0019-timer-a9gtimer-remove-loop-to-auto-increment-compara.patch
index c30352c..2ec5c4f 100644
--- a/0019-timer-a9gtimer-remove-loop-to-auto-increment-compara.patch
+++ b/0019-timer-a9gtimer-remove-loop-to-auto-increment-compara.patch
@@ -20,7 +20,7 @@ Signed-off-by: Peter Maydell
 1 file changed, 7 insertions(+), 7 deletions(-)
 
 diff --git a/hw/timer/a9gtimer.c b/hw/timer/a9gtimer.c
-index 772f85f..ce1dc63 100644
+index 772f85f5fd..ce1dc63911 100644
 --- a/hw/timer/a9gtimer.c
 +++ b/hw/timer/a9gtimer.c
 @@ -82,15 +82,15 @@ static void a9_gtimer_update(A9GTimerState *s, bool sync)
diff --git a/0020-net-eepro100-fix-memory-leak-in-device-uninit.patch b/0020-net-eepro100-fix-memory-leak-in-device-uninit.patch
index ac45dc1..57ea8bf 100644
--- a/0020-net-eepro100-fix-memory-leak-in-device-uninit.patch
+++ b/0020-net-eepro100-fix-memory-leak-in-device-uninit.patch
@@ -14,7 +14,7 @@ Signed-off-by: Jason Wang
 1 file changed, 1 insertion(+)
 
 diff --git a/hw/net/eepro100.c b/hw/net/eepro100.c
-index bab4dbf..4bf71f2 100644
+index bab4dbfc98..4bf71f2d85 100644
 --- a/hw/net/eepro100.c
 +++ b/hw/net/eepro100.c
 @@ -1843,6 +1843,7 @@ static void pci_nic_uninit(PCIDevice *pci_dev)
diff --git a/0021-9pfs-fix-information-leak-in-xattr-read.patch b/0021-9pfs-fix-information-leak-in-xattr-read.patch
index 4ea15fd..9646dda 100644
--- a/0021-9pfs-fix-information-leak-in-xattr-read.patch
+++ b/0021-9pfs-fix-information-leak-in-xattr-read.patch
@@ -15,7 +15,7 @@ Signed-off-by: Greg Kurz
 1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
-index 2b161ed..0c0645f 100644
+index 2b161ed6c0..0c0645fe9a 100644
 --- a/hw/9pfs/9p.c
 +++ b/hw/9pfs/9p.c
 @@ -3270,7 +3270,7 @@ static void v9fs_xattrcreate(void *opaque)
diff --git a/0022-9pfs-fix-memory-leak-in-v9fs_xattrcreate.patch b/0022-9pfs-fix-memory-leak-in-v9fs_xattrcreate.patch
index 96ac1c1..71dca4f 100644
--- a/0022-9pfs-fix-memory-leak-in-v9fs_xattrcreate.patch
+++ b/0022-9pfs-fix-memory-leak-in-v9fs_xattrcreate.patch
@@ -19,7 +19,7 @@ Signed-off-by: Greg Kurz
 1 file changed, 1 insertion(+)
 
 diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
-index 0c0645f..54554ba 100644
+index 0c0645fe9a..54554bac51 100644
 --- a/hw/9pfs/9p.c
 +++ b/hw/9pfs/9p.c
 @@ -3270,6 +3270,7 @@ static void v9fs_xattrcreate(void *opaque)
diff --git a/0023-9pfs-add-xattrwalk_fid-field-in-V9fsXattr-struct.patch b/0023-9pfs-add-xattrwalk_fid-field-in-V9fsXattr-struct.patch
index a86560d..ed120f0 100644
--- a/0023-9pfs-add-xattrwalk_fid-field-in-V9fsXattr-struct.patch
+++ b/0023-9pfs-add-xattrwalk_fid-field-in-V9fsXattr-struct.patch
@@ -18,7 +18,7 @@ Signed-off-by: Greg Kurz
 2 files changed, 5 insertions(+), 3 deletions(-)
 
 diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
-index 54554ba..ad57123 100644
+index 54554bac51..ad57123aaf 100644
 --- a/hw/9pfs/9p.c
 +++ b/hw/9pfs/9p.c
 @@ -310,7 +310,7 @@ static int v9fs_xattr_fid_clunk(V9fsPDU *pdu, V9fsFidState *fidp)
@@ -57,7 +57,7 @@ index 54554ba..ad57123 100644
 xattr_fidp->fs.xattr.flags = flags;
 v9fs_string_init(&xattr_fidp->fs.xattr.name);
 diff --git a/hw/9pfs/9p.h b/hw/9pfs/9p.h
-index a386033..699235d 100644
+index a38603398e..699235d81c 100644
 --- a/hw/9pfs/9p.h
 +++ b/hw/9pfs/9p.h
 @@ -164,6 +164,7 @@ typedef struct V9fsXattr
diff --git a/0024-9pfs-convert-len-copied_len-field-in-V9fsXattr-to-th.patch b/0024-9pfs-convert-len-copied_len-field-in-V9fsXattr-to-th.patch
index f6a5af4..b604ab8 100644
--- a/0024-9pfs-convert-len-copied_len-field-in-V9fsXattr-to-th.patch
+++ b/0024-9pfs-convert-len-copied_len-field-in-V9fsXattr-to-th.patch
@@ -28,7 +28,7 @@ Signed-off-by: Greg Kurz
 1 file changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/hw/9pfs/9p.h b/hw/9pfs/9p.h
-index 699235d..2067863 100644
+index 699235d81c..2067863100 100644
 --- a/hw/9pfs/9p.h
 +++ b/hw/9pfs/9p.h
 @@ -159,8 +159,8 @@ typedef struct V9fsConf
diff --git a/0025-9pfs-fix-integer-overflow-issue-in-xattr-read-write.patch b/0025-9pfs-fix-integer-overflow-issue-in-xattr-read-write.patch
index caac5a8..55ebef3 100644
--- a/0025-9pfs-fix-integer-overflow-issue-in-xattr-read-write.patch
+++ b/0025-9pfs-fix-integer-overflow-issue-in-xattr-read-write.patch
@@ -27,7 +27,7 @@ Signed-off-by: Greg Kurz
 1 file changed, 12 insertions(+), 20 deletions(-)
 
 diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
-index ad57123..9c18322 100644
+index ad57123aaf..9c18322945 100644
 --- a/hw/9pfs/9p.c
 +++ b/hw/9pfs/9p.c
 @@ -1629,20 +1629,17 @@ static int v9fs_xattr_read(V9fsState *s, V9fsPDU *pdu, V9fsFidState *fidp,
diff --git a/0026-9pfs-fix-memory-leak-in-v9fs_link.patch b/0026-9pfs-fix-memory-leak-in-v9fs_link.patch
index ed43e9f..57628f1 100644
--- a/0026-9pfs-fix-memory-leak-in-v9fs_link.patch
+++ b/0026-9pfs-fix-memory-leak-in-v9fs_link.patch
@@ -17,7 +17,7 @@ Signed-off-by: Greg Kurz
 1 file changed, 1 insertion(+)
 
 diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
-index 9c18322..a4ee24f 100644
+index 9c18322945..a4ee24fe74 100644
 --- a/hw/9pfs/9p.c
 +++ b/hw/9pfs/9p.c
 @@ -2396,6 +2396,7 @@ static void v9fs_link(void *opaque)
diff --git a/0027-9pfs-fix-memory-leak-in-v9fs_write.patch b/0027-9pfs-fix-memory-leak-in-v9fs_write.patch
index 144590f..42d84dc 100644
--- a/0027-9pfs-fix-memory-leak-in-v9fs_write.patch
+++ b/0027-9pfs-fix-memory-leak-in-v9fs_write.patch
@@ -17,7 +17,7 @@ Signed-off-by: Greg Kurz
 1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
-index a4ee24f..03a5a35 100644
+index a4ee24fe74..03a5a35ea4 100644
 --- a/hw/9pfs/9p.c
 +++ b/hw/9pfs/9p.c
 @@ -2073,7 +2073,7 @@ static void v9fs_write(void *opaque)
diff --git a/0028-xen-fix-ioreq-handling.patch b/0028-xen-fix-ioreq-handling.patch
index 5632b2c..ccdff3a 100644
--- a/0028-xen-fix-ioreq-handling.patch
+++ b/0028-xen-fix-ioreq-handling.patch
@@ -17,7 +17,7 @@ Signed-off-by: Stefano Stabellini
 1 file changed, 15 insertions(+), 1 deletion(-)
 
 diff --git a/xen-hvm.c b/xen-hvm.c
-index 2f348ed..097007d 100644
+index 2f348edf86..097007d3ed 100644
 --- a/xen-hvm.c
 +++ b/xen-hvm.c
 @@ -810,6 +810,10 @@ static void cpu_ioreq_pio(ioreq_t *req)
diff --git a/0029-display-cirrus-check-vga-bits-per-pixel-bpp-value.patch b/0029-display-cirrus-check-vga-bits-per-pixel-bpp-value.patch
index 37cb998..da6c192 100644
--- a/0029-display-cirrus-check-vga-bits-per-pixel-bpp-value.patch
+++ b/0029-display-cirrus-check-vga-bits-per-pixel-bpp-value.patch
@@ -17,7 +17,7 @@ Signed-off-by: Gerd Hoffmann
 1 file changed, 10 insertions(+), 4 deletions(-)
 
 diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
-index 3d712d5..bdb092e 100644
+index 3d712d592f..bdb092ee9d 100644
 --- a/hw/display/cirrus_vga.c
 +++ b/hw/display/cirrus_vga.c
 @@ -272,6 +272,9 @@ static void cirrus_update_memory_access(CirrusVGAState *s);
diff --git a/0030-net-mcf-check-receive-buffer-size-register-value.patch b/0030-net-mcf-check-receive-buffer-size-register-value.patch
index 4d29214..642ff9e 100644
--- a/0030-net-mcf-check-receive-buffer-size-register-value.patch
+++ b/0030-net-mcf-check-receive-buffer-size-register-value.patch
@@ -17,7 +17,7 @@ Signed-off-by: Jason Wang
 1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/hw/net/mcf_fec.c b/hw/net/mcf_fec.c
-index d31fea1..3d4b3b3 100644
+index d31fea1f18..3d4b3b3b39 100644
 --- a/hw/net/mcf_fec.c
 +++ b/hw/net/mcf_fec.c
 @@ -393,7 +393,7 @@ static void mcf_fec_write(void *opaque, hwaddr addr,
diff --git a/0031-virtio-gpu-fix-information-leak-in-getting-capset-in.patch b/0031-virtio-gpu-fix-information-leak-in-getting-capset-in.patch
index 4b93002..20662c8 100644
--- a/0031-virtio-gpu-fix-information-leak-in-getting-capset-in.patch
+++ b/0031-virtio-gpu-fix-information-leak-in-getting-capset-in.patch
@@ -21,7 +21,7 @@ Signed-off-by: Gerd Hoffmann
 1 file changed, 1 insertion(+)
 
 diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
-index 758d33a..23f39de 100644
+index 758d33a09d..23f39de94d 100644
 --- a/hw/display/virtio-gpu-3d.c
 +++ b/hw/display/virtio-gpu-3d.c
 @@ -347,6 +347,7 @@ static void virgl_cmd_get_capset_info(VirtIOGPU *g,
diff --git a/0032-virtio-gpu-fix-memory-leak-in-update_cursor_data_vir.patch b/0032-virtio-gpu-fix-memory-leak-in-update_cursor_data_vir.patch
index bf9c8ff..4319f05 100644
--- a/0032-virtio-gpu-fix-memory-leak-in-update_cursor_data_vir.patch
+++ b/0032-virtio-gpu-fix-memory-leak-in-update_cursor_data_vir.patch
@@ -20,7 +20,7 @@ Signed-off-by: Gerd Hoffmann
 1 file changed, 1 insertion(+)
 
 diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
-index 5b6d17b..41f8096 100644
+index 5b6d17be00..41f80965a6 100644
 --- a/hw/display/virtio-gpu.c
 +++ b/hw/display/virtio-gpu.c
 @@ -84,6 +84,7 @@ static void update_cursor_data_virgl(VirtIOGPU *g,
diff --git a/0033-usbredir-free-vm_change_state_handler-in-usbredir-de.patch b/0033-usbredir-free-vm_change_state_handler-in-usbredir-de.patch
index f8c0aee..2c9519e 100644
--- a/0033-usbredir-free-vm_change_state_handler-in-usbredir-de.patch
+++ b/0033-usbredir-free-vm_change_state_handler-in-usbredir-de.patch
@@ -20,7 +20,7 @@ Signed-off-by: Gerd Hoffmann
 1 file changed, 4 insertions(+), 1 deletion(-)
 
 diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
-index d4ca026..d064961 100644
+index d4ca026f00..d064961203 100644
 --- a/hw/usb/redirect.c
 +++ b/hw/usb/redirect.c
 @@ -132,6 +132,7 @@ struct USBRedirDevice {
diff --git a/0034-usb-ehci-fix-memory-leak-in-ehci_init_transfer.patch b/0034-usb-ehci-fix-memory-leak-in-ehci_init_transfer.patch
index 51be7c4..4222846 100644
--- a/0034-usb-ehci-fix-memory-leak-in-ehci_init_transfer.patch
+++ b/0034-usb-ehci-fix-memory-leak-in-ehci_init_transfer.patch
@@ -15,7 +15,7 @@ Signed-off-by: Gerd Hoffmann
 1 file changed, 1 insertion(+)
 
 diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
-index f4ece9a..7622a3a 100644
+index f4ece9abed..7622a3ae72 100644
 --- a/hw/usb/hcd-ehci.c
 +++ b/hw/usb/hcd-ehci.c
 @@ -1190,6 +1190,7 @@ static int ehci_init_transfer(EHCIPacket *p)
diff --git a/0035-9pfs-adjust-the-order-of-resource-cleanup-in-device-.patch b/0035-9pfs-adjust-the-order-of-resource-cleanup-in-device-.patch
index 529d748..6a16fa8 100644
--- a/0035-9pfs-adjust-the-order-of-resource-cleanup-in-device-.patch
+++ b/0035-9pfs-adjust-the-order-of-resource-cleanup-in-device-.patch
@@ -15,7 +15,7 @@ Signed-off-by: Greg Kurz
 1 file changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
-index 03a5a35..1b7dd84 100644
+index 03a5a35ea4..1b7dd8437c 100644
 --- a/hw/9pfs/9p.c
 +++ b/hw/9pfs/9p.c
 @@ -3492,8 +3492,8 @@ int v9fs_device_realize_common(V9fsState *s, Error **errp)
diff --git a/0036-9pfs-add-cleanup-operation-in-FileOperations.patch b/0036-9pfs-add-cleanup-operation-in-FileOperations.patch
index d6fb0d9..45344d9 100644
--- a/0036-9pfs-add-cleanup-operation-in-FileOperations.patch
+++ b/0036-9pfs-add-cleanup-operation-in-FileOperations.patch
@@ -16,7 +16,7 @@ Signed-off-by: Greg Kurz
 2 files changed, 7 insertions(+)
 
 diff --git a/fsdev/file-op-9p.h b/fsdev/file-op-9p.h
-index 6db9fea..a56dc84 100644
+index 6db9feac8f..a56dc8488d 100644
 --- a/fsdev/file-op-9p.h
 +++ b/fsdev/file-op-9p.h
 @@ -100,6 +100,7 @@ struct FileOperations
@@ -28,7 +28,7 @@ index 6db9fea..a56dc84 100644
 ssize_t (*readlink)(FsContext *, V9fsPath *, char *, size_t);
 int (*chmod)(FsContext *, V9fsPath *, FsCred *);
 diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
-index 1b7dd84..641a348 100644
+index 1b7dd8437c..641a348234 100644
 --- a/hw/9pfs/9p.c
 +++ b/hw/9pfs/9p.c
 @@ -3492,6 +3492,9 @@ int v9fs_device_realize_common(V9fsState *s, Error **errp)
diff --git a/0037-9pfs-add-cleanup-operation-for-handle-backend-driver.patch b/0037-9pfs-add-cleanup-operation-for-handle-backend-driver.patch
index ec8a434..f9b02d4 100644
--- a/0037-9pfs-add-cleanup-operation-for-handle-backend-driver.patch
+++ b/0037-9pfs-add-cleanup-operation-for-handle-backend-driver.patch
@@ -16,7 +16,7 @@ Signed-off-by: Greg Kurz
 1 file changed, 9 insertions(+)
 
 diff --git a/hw/9pfs/9p-handle.c b/hw/9pfs/9p-handle.c
-index 3d77594..1687661 100644
+index 3d77594f92..1687661bc9 100644
 --- a/hw/9pfs/9p-handle.c
 +++ b/hw/9pfs/9p-handle.c
 @@ -649,6 +649,14 @@ out:
diff --git a/0038-9pfs-add-cleanup-operation-for-proxy-backend-driver.patch b/0038-9pfs-add-cleanup-operation-for-proxy-backend-driver.patch
index 15c5e23..70430ab 100644
--- a/0038-9pfs-add-cleanup-operation-for-proxy-backend-driver.patch
+++ b/0038-9pfs-add-cleanup-operation-for-proxy-backend-driver.patch
@@ -16,7 +16,7 @@ Signed-off-by: Greg Kurz
 1 file changed, 13 insertions(+)
 
 diff --git a/hw/9pfs/9p-proxy.c b/hw/9pfs/9p-proxy.c
-index f265501..336e9fe 100644
+index f265501eac..336e9fef84 100644
 --- a/hw/9pfs/9p-proxy.c
 +++ b/hw/9pfs/9p-proxy.c
 @@ -1179,9 +1179,22 @@ static int proxy_init(FsContext *ctx)
diff --git a/0039-9pfs-fix-crash-when-fsdev-is-missing.patch b/0039-9pfs-fix-crash-when-fsdev-is-missing.patch
index 435d3a2..fee546c 100644
--- a/0039-9pfs-fix-crash-when-fsdev-is-missing.patch
+++ b/0039-9pfs-fix-crash-when-fsdev-is-missing.patch
@@ -15,7 +15,7 @@ Reviewed-by: Li Qiang
 1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
-index 641a348..9a89f75 100644
+index 641a348234..9a89f75d90 100644
 --- a/hw/9pfs/9p.c
 +++ b/hw/9pfs/9p.c
 @@ -3492,7 +3492,7 @@ int v9fs_device_realize_common(V9fsState *s, Error **errp)
diff --git a/0040-display-virtio-gpu-3d-check-virgl-capabilities-max_s.patch b/0040-display-virtio-gpu-3d-check-virgl-capabilities-max_s.patch
index 1ec3b9d..6214171 100644
--- a/0040-display-virtio-gpu-3d-check-virgl-capabilities-max_s.patch
+++ b/0040-display-virtio-gpu-3d-check-virgl-capabilities-max_s.patch
@@ -18,7 +18,7 @@ Signed-off-by: Gerd Hoffmann
 1 file changed, 5 insertions(+), 1 deletion(-)
 
 diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
-index 23f39de..e29f099 100644
+index 23f39de94d..e29f099bd5 100644
 --- a/hw/display/virtio-gpu-3d.c
 +++ b/hw/display/virtio-gpu-3d.c
 @@ -371,8 +371,12 @@ static void virgl_cmd_get_capset(VirtIOGPU *g,
diff --git a/0041-virtio-gpu-fix-information-leak-in-capset-get-dispat.patch b/0041-virtio-gpu-fix-information-leak-in-capset-get-dispat.patch
index af097fc..8120e86 100644
--- a/0041-virtio-gpu-fix-information-leak-in-capset-get-dispat.patch
+++ b/0041-virtio-gpu-fix-information-leak-in-capset-get-dispat.patch
@@ -23,7 +23,7 @@ Signed-off-by: Gerd Hoffmann
 1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
-index e29f099..cdd03a4 100644
+index e29f099bd5..cdd03a47bd 100644
 --- a/hw/display/virtio-gpu-3d.c
 +++ b/hw/display/virtio-gpu-3d.c
 @@ -376,7 +376,7 @@ static void virgl_cmd_get_capset(VirtIOGPU *g,
diff --git a/0042-virtio-gpu-call-cleanup-mapping-function-in-resource.patch b/0042-virtio-gpu-call-cleanup-mapping-function-in-resource.patch
index 37ab67b..56661f1 100644
--- a/0042-virtio-gpu-call-cleanup-mapping-function-in-resource.patch
+++ b/0042-virtio-gpu-call-cleanup-mapping-function-in-resource.patch
@@ -19,7 +19,7 @@ Signed-off-by: Gerd Hoffmann
 1 file changed, 3 insertions(+)
 
 diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
-index 41f8096..8903dee 100644
+index 41f80965a6..8903dee4f5 100644
 --- a/hw/display/virtio-gpu.c
 +++ b/hw/display/virtio-gpu.c
 @@ -28,6 +28,8 @@
diff --git a/0043-net-imx-limit-buffer-descriptor-count.patch b/0043-net-imx-limit-buffer-descriptor-count.patch
index 6bc6247..d85ccf1 100644
--- a/0043-net-imx-limit-buffer-descriptor-count.patch
+++ b/0043-net-imx-limit-buffer-descriptor-count.patch
@@ -17,7 +17,7 @@ Signed-off-by: Jason Wang
 1 file changed, 6 insertions(+), 4 deletions(-)
 
 diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c
-index 1c415ab..6b42c10 100644
+index 1c415ab3b1..6b42c10d96 100644
 --- a/hw/net/imx_fec.c
 +++ b/hw/net/imx_fec.c
 @@ -55,6 +55,8 @@
diff --git a/0044-audio-ac97-add-exit-function.patch b/0044-audio-ac97-add-exit-function.patch
index 4402949..21ef3d0 100644
--- a/0044-audio-ac97-add-exit-function.patch
+++ b/0044-audio-ac97-add-exit-function.patch
@@ -19,7 +19,7 @@ Signed-off-by: Gerd Hoffmann
 1 file changed, 11 insertions(+)
 
 diff --git a/hw/audio/ac97.c b/hw/audio/ac97.c
-index cbd959e..c306575 100644
+index cbd959e0bd..c30657501c 100644
 --- a/hw/audio/ac97.c
 +++ b/hw/audio/ac97.c
 @@ -1387,6 +1387,16 @@ static void ac97_realize(PCIDevice *dev, Error **errp)
diff --git a/0045-audio-es1370-add-exit-function.patch b/0045-audio-es1370-add-exit-function.patch
index e289745..1540ab2 100644
--- a/0045-audio-es1370-add-exit-function.patch
+++ b/0045-audio-es1370-add-exit-function.patch
@@ -19,7 +19,7 @@ Signed-off-by: Gerd Hoffmann
 1 file changed, 14 insertions(+)
 
 diff --git a/hw/audio/es1370.c b/hw/audio/es1370.c
-index 8449b5f..883ec69 100644
+index 8449b5f436..883ec69b30 100644
 --- a/hw/audio/es1370.c
 +++ b/hw/audio/es1370.c
 @@ -1041,6 +1041,19 @@ static void es1370_realize(PCIDevice *dev, Error **errp)
diff --git a/0046-watchdog-6300esb-add-exit-function.patch b/0046-watchdog-6300esb-add-exit-function.patch
index 6c7404b..0f6d81d 100644
--- a/0046-watchdog-6300esb-add-exit-function.patch
+++ b/0046-watchdog-6300esb-add-exit-function.patch
@@ -15,7 +15,7 @@ Signed-off-by: Paolo Bonzini
 1 file changed, 9 insertions(+)
 
 diff --git a/hw/watchdog/wdt_i6300esb.c b/hw/watchdog/wdt_i6300esb.c
-index a83d951..49b3cd1 100644
+index a83d951213..49b3cd188a 100644
 --- a/hw/watchdog/wdt_i6300esb.c
 +++ b/hw/watchdog/wdt_i6300esb.c
 @@ -428,6 +428,14 @@ static void i6300esb_realize(PCIDevice *dev, Error **errp)
diff --git a/0047-virtio-gpu-3d-fix-memory-leak-in-resource-attach-bac.patch b/0047-virtio-gpu-3d-fix-memory-leak-in-resource-attach-bac.patch
index 7e8375c..ee22353 100644
--- a/0047-virtio-gpu-3d-fix-memory-leak-in-resource-attach-bac.patch
+++ b/0047-virtio-gpu-3d-fix-memory-leak-in-resource-attach-bac.patch
@@ -19,7 +19,7 @@ Signed-off-by: Gerd Hoffmann
 1 file changed, 5 insertions(+), 2 deletions(-)
 
 diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
-index cdd03a4..f96a0c2 100644
+index cdd03a47bd..f96a0c2e59 100644
 --- a/hw/display/virtio-gpu-3d.c
 +++ b/hw/display/virtio-gpu-3d.c
 @@ -291,8 +291,11 @@ static void virgl_resource_attach_backing(VirtIOGPU *g,
diff --git a/0048-virtio-gpu-fix-memory-leak-in-resource-attach-backin.patch b/0048-virtio-gpu-fix-memory-leak-in-resource-attach-backin.patch
index af6bd7e..ea139fa 100644
--- a/0048-virtio-gpu-fix-memory-leak-in-resource-attach-backin.patch
+++ b/0048-virtio-gpu-fix-memory-leak-in-resource-attach-backin.patch
@@ -15,7 +15,7 @@ Signed-off-by: Gerd Hoffmann
 1 file changed, 5 insertions(+)
 
 diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
-index 8903dee..cadd7d8 100644
+index 8903dee4f5..cadd7d899d 100644
 --- a/hw/display/virtio-gpu.c
 +++ b/hw/display/virtio-gpu.c
 @@ -708,6 +708,11 @@ virtio_gpu_resource_attach_backing(VirtIOGPU *g,
diff --git a/0049-sd-sdhci-check-data-length-during-dma_memory_read.patch b/0049-sd-sdhci-check-data-length-during-dma_memory_read.patch
index 6f6288c..a811a06 100644
--- a/0049-sd-sdhci-check-data-length-during-dma_memory_read.patch
+++ b/0049-sd-sdhci-check-data-length-during-dma_memory_read.patch
@@ -20,7 +20,7 @@ Signed-off-by: Peter Maydell
 1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
-index 01fbf22..5bd5ab6 100644
+index 01fbf228be..5bd5ab6319 100644
 --- a/hw/sd/sdhci.c
 +++ b/hw/sd/sdhci.c
 @@ -536,7 +536,7 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
diff --git a/0050-megasas-fix-guest-triggered-memory-leak.patch b/0050-megasas-fix-guest-triggered-memory-leak.patch
index 321f2ac..b79a853 100644
--- a/0050-megasas-fix-guest-triggered-memory-leak.patch
+++ b/0050-megasas-fix-guest-triggered-memory-leak.patch
@@ -15,7 +15,7 @@ Signed-off-by: Paolo Bonzini
 1 file changed, 6 insertions(+), 5 deletions(-)
 
 diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
-index 52a4123..ebf0302 100644
+index 52a41239cf..ebf03022ed 100644
 --- a/hw/scsi/megasas.c
 +++ b/hw/scsi/megasas.c
 @@ -672,14 +672,14 @@ static int megasas_map_dcmd(MegasasState *s, MegasasCmd *cmd)
diff --git a/0051-virtio-gpu-fix-resource-leak-in-virgl_cmd_resource_u.patch b/0051-virtio-gpu-fix-resource-leak-in-virgl_cmd_resource_u.patch
index 7fabe5f..544ce2f 100644
--- a/0051-virtio-gpu-fix-resource-leak-in-virgl_cmd_resource_u.patch
+++ b/0051-virtio-gpu-fix-resource-leak-in-virgl_cmd_resource_u.patch
@@ -21,7 +21,7 @@ Message-id: 1485167210-4757-1-git-send-email-kraxel@redhat.com
 1 file changed, 8 insertions(+)
 
 diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
-index f96a0c2..ecb09d1 100644
+index f96a0c2e59..ecb09d17a1 100644
 --- a/hw/display/virtio-gpu-3d.c
 +++ b/hw/display/virtio-gpu-3d.c
 @@ -77,10 +77,18 @@ static void virgl_cmd_resource_unref(VirtIOGPU *g,
diff --git a/0052-usb-ccid-check-ccid-apdu-length.patch b/0052-usb-ccid-check-ccid-apdu-length.patch
index 5c35157..5d00676 100644
--- a/0052-usb-ccid-check-ccid-apdu-length.patch
+++ b/0052-usb-ccid-check-ccid-apdu-length.patch
@@ -18,7 +18,7 @@ Signed-off-by: Gerd Hoffmann
 1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/hw/usb/dev-smartcard-reader.c b/hw/usb/dev-smartcard-reader.c
-index af4b851..fc32b00 100644
+index af4b851356..fc32b00363 100644
 --- a/hw/usb/dev-smartcard-reader.c
 +++ b/hw/usb/dev-smartcard-reader.c
 @@ -967,7 +967,7 @@ static void ccid_on_apdu_from_guest(USBCCIDState *s, CCID_XferBlock *recv)
diff --git a/0053-sd-sdhci-check-transfer-mode-register-in-multi-block.patch b/0053-sd-sdhci-check-transfer-mode-register-in-multi-block.patch
index 0075866..cd0d00a 100644
--- a/0053-sd-sdhci-check-transfer-mode-register-in-multi-block.patch
+++ b/0053-sd-sdhci-check-transfer-mode-register-in-multi-block.patch
@@ -22,7 +22,7 @@ Signed-off-by: Peter Maydell
  1 file changed, 5 insertions(+), 5 deletions(-)
 
 diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
-index 5bd5ab6..a9c744b 100644
+index 5bd5ab6319..a9c744b50a 100644
 --- a/hw/sd/sdhci.c
 +++ b/hw/sd/sdhci.c
 @@ -486,6 +486,11 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
diff --git a/0054-eth-Extend-vlan-stripping-functions.patch b/0054-eth-Extend-vlan-stripping-functions.patch
index f1a7d19..cd4510a 100644
--- a/0054-eth-Extend-vlan-stripping-functions.patch
+++ b/0054-eth-Extend-vlan-stripping-functions.patch
@@ -18,7 +18,7 @@ Signed-off-by: Jason Wang
  2 files changed, 16 insertions(+), 13 deletions(-)
 
 diff --git a/include/net/eth.h b/include/net/eth.h
-index 2013175..afeb45b 100644
+index 2013175857..afeb45be34 100644
 --- a/include/net/eth.h
 +++ b/include/net/eth.h
 @@ -331,12 +331,12 @@ eth_get_pkt_tci(const void *p)
@@ -37,7 +37,7 @@ index 2013175..afeb45b 100644
  uint16_t vet, uint8_t *new_ehdr_buf,
  uint16_t *payload_offset, uint16_t *tci);
 diff --git a/net/eth.c b/net/eth.c
-index df81efb..5b9ba26 100644
+index df81efb676..5b9ba26a56 100644
 --- a/net/eth.c
 +++ b/net/eth.c
 @@ -232,7 +232,7 @@ void eth_get_protocols(const struct iovec *iov, int iovcnt,
diff --git a/0055-NetRxPkt-Fix-memory-corruption-on-VLAN-header-stripp.patch b/0055-NetRxPkt-Fix-memory-corruption-on-VLAN-header-stripp.patch
index b39a35c..fd53048 100644
--- a/0055-NetRxPkt-Fix-memory-corruption-on-VLAN-header-stripp.patch
+++ b/0055-NetRxPkt-Fix-memory-corruption-on-VLAN-header-stripp.patch
@@ -23,7 +23,7 @@ Signed-off-by: Jason Wang
  1 file changed, 17 insertions(+), 17 deletions(-)
 diff --git a/hw/net/net_rx_pkt.c b/hw/net/net_rx_pkt.c
-index 1019b50..7c0beac 100644
+index 1019b50c18..7c0beace9e 100644
 --- a/hw/net/net_rx_pkt.c
 +++ b/hw/net/net_rx_pkt.c
 @@ -23,13 +23,13 @@
diff --git a/0056-NetRxPkt-Do-not-try-to-pull-more-data-than-present.patch b/0056-NetRxPkt-Do-not-try-to-pull-more-data-than-present.patch
index 7fab4e9..8156a1a 100644
--- a/0056-NetRxPkt-Do-not-try-to-pull-more-data-than-present.patch
+++ b/0056-NetRxPkt-Do-not-try-to-pull-more-data-than-present.patch
@@ -15,7 +15,7 @@ Signed-off-by: Jason Wang
  1 file changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/hw/net/net_rx_pkt.c b/hw/net/net_rx_pkt.c
-index 7c0beac..d38babe 100644
+index 7c0beace9e..d38babec88 100644
 --- a/hw/net/net_rx_pkt.c
 +++ b/hw/net/net_rx_pkt.c
 @@ -96,7 +96,8 @@ net_rx_pkt_pull_data(struct NetRxPkt *pkt,
diff --git a/0057-NetRxPkt-Account-buffer-with-ETH-header-in-IOV-lengt.patch b/0057-NetRxPkt-Account-buffer-with-ETH-header-in-IOV-lengt.patch
index be60e14..a8ea02d 100644
--- a/0057-NetRxPkt-Account-buffer-with-ETH-header-in-IOV-lengt.patch
+++ b/0057-NetRxPkt-Account-buffer-with-ETH-header-in-IOV-lengt.patch
@@ -20,7 +20,7 @@ Signed-off-by: Jason Wang
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/hw/net/net_rx_pkt.c b/hw/net/net_rx_pkt.c
-index d38babe..c7ae33d 100644
+index d38babec88..c7ae33d0d3 100644
 --- a/hw/net/net_rx_pkt.c
 +++ b/hw/net/net_rx_pkt.c
 @@ -97,7 +97,7 @@ net_rx_pkt_pull_data(struct NetRxPkt *pkt,
diff --git a/0058-usb-ohci-limit-the-number-of-link-eds.patch b/0058-usb-ohci-limit-the-number-of-link-eds.patch
index 01fe007..60d743c 100644
--- a/0058-usb-ohci-limit-the-number-of-link-eds.patch
+++ b/0058-usb-ohci-limit-the-number-of-link-eds.patch
@@ -14,7 +14,7 @@ Signed-off-by: Gerd Hoffmann
  1 file changed, 8 insertions(+), 1 deletion(-)
 
 diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c
-index fa57038..48307fe 100644
+index fa5703832c..48307febd3 100644
 --- a/hw/usb/hcd-ohci.c
 +++ b/hw/usb/hcd-ohci.c
 @@ -42,6 +42,8 @@
diff --git a/0059-display-cirrus-ignore-source-pitch-value-as-needed-i.patch b/0059-display-cirrus-ignore-source-pitch-value-as-needed-i.patch
index a28cb02..9232138 100644
--- a/0059-display-cirrus-ignore-source-pitch-value-as-needed-i.patch
+++ b/0059-display-cirrus-ignore-source-pitch-value-as-needed-i.patch
@@ -18,7 +18,7 @@ Signed-off-by: Gerd Hoffmann
  1 file changed, 7 insertions(+), 4 deletions(-)
 
 diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
-index bdb092e..379910d 100644
+index bdb092ee9d..379910db2d 100644
 --- a/hw/display/cirrus_vga.c
 +++ b/hw/display/cirrus_vga.c
 @@ -294,7 +294,7 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
diff --git a/0060-cirrus-handle-negative-pitch-in-cirrus_invalidate_re.patch b/0060-cirrus-handle-negative-pitch-in-cirrus_invalidate_re.patch
index d69a28b..7f7dc55 100644
--- a/0060-cirrus-handle-negative-pitch-in-cirrus_invalidate_re.patch
+++ b/0060-cirrus-handle-negative-pitch-in-cirrus_invalidate_re.patch
@@ -27,7 +27,7 @@ Signed-off-by: Gerd Hoffmann
  1 file changed, 5 insertions(+)
 
 diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
-index 379910d..0f05e45 100644
+index 379910db2d..0f05e4596e 100644
 --- a/hw/display/cirrus_vga.c
 +++ b/hw/display/cirrus_vga.c
 @@ -661,9 +661,14 @@ static void cirrus_invalidate_region(CirrusVGAState * s, int off_begin,
diff --git a/0061-cirrus-allow-zero-source-pitch-in-pattern-fill-rops.patch b/0061-cirrus-allow-zero-source-pitch-in-pattern-fill-rops.patch
index 63e32a1..930ccde 100644
--- a/0061-cirrus-allow-zero-source-pitch-in-pattern-fill-rops.patch
+++ b/0061-cirrus-allow-zero-source-pitch-in-pattern-fill-rops.patch
@@ -16,7 +16,7 @@ Signed-off-by: Gerd Hoffmann
  1 file changed, 19 insertions(+), 8 deletions(-)
 
 diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
-index 0f05e45..98f089e 100644
+index 0f05e4596e..98f089e4e9 100644
 --- a/hw/display/cirrus_vga.c
 +++ b/hw/display/cirrus_vga.c
 @@ -272,9 +272,6 @@ static void cirrus_update_memory_access(CirrusVGAState *s);
diff --git a/0062-cirrus-fix-blit-address-mask-handling.patch b/0062-cirrus-fix-blit-address-mask-handling.patch
index 9acb06c..2d26ce5 100644
--- a/0062-cirrus-fix-blit-address-mask-handling.patch
+++ b/0062-cirrus-fix-blit-address-mask-handling.patch
@@ -15,7 +15,7 @@ Message-id: 1485338996-17095-1-git-send-email-kraxel@redhat.com
  1 file changed, 12 insertions(+), 13 deletions(-)
 
 diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
-index 98f089e..7db6409 100644
+index 98f089e4e9..7db6409dc5 100644
 --- a/hw/display/cirrus_vga.c
 +++ b/hw/display/cirrus_vga.c
 @@ -309,7 +309,7 @@ static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only,
diff --git a/0063-cirrus-fix-oob-access-issue-CVE-2017-2615.patch b/0063-cirrus-fix-oob-access-issue-CVE-2017-2615.patch
index 1bc7215..3723f4f 100644
--- a/0063-cirrus-fix-oob-access-issue-CVE-2017-2615.patch
+++ b/0063-cirrus-fix-oob-access-issue-CVE-2017-2615.patch
@@ -26,7 +26,7 @@ Reviewed-by: Laszlo Ersek
  1 file changed, 3 insertions(+), 4 deletions(-)
 
 diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
-index 7db6409..16f27e8 100644
+index 7db6409dc5..16f27e8ac5 100644
 --- a/hw/display/cirrus_vga.c
 +++ b/hw/display/cirrus_vga.c
 @@ -274,10 +274,9 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
diff --git a/0064-cirrus-fix-patterncopy-checks.patch b/0064-cirrus-fix-patterncopy-checks.patch
index 9c9f151..f380cea 100644
--- a/0064-cirrus-fix-patterncopy-checks.patch
+++ b/0064-cirrus-fix-patterncopy-checks.patch
@@ -34,7 +34,7 @@ Message-id: 1486645341-5010-1-git-send-email-kraxel@redhat.com
  1 file changed, 30 insertions(+), 6 deletions(-)
 
 diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
-index 16f27e8..6bd13fc 100644
+index 16f27e8ac5..6bd13fc78f 100644
 --- a/hw/display/cirrus_vga.c
 +++ b/hw/display/cirrus_vga.c
 @@ -683,14 +683,39 @@ static void cirrus_invalidate_region(CirrusVGAState * s, int off_begin,
diff --git a/0065-Revert-cirrus-allow-zero-source-pitch-in-pattern-fil.patch b/0065-Revert-cirrus-allow-zero-source-pitch-in-pattern-fil.patch
index 70d1439..bcb8554 100644
--- a/0065-Revert-cirrus-allow-zero-source-pitch-in-pattern-fil.patch
+++ b/0065-Revert-cirrus-allow-zero-source-pitch-in-pattern-fil.patch
@@ -19,7 +19,7 @@ Message-id: 1486645341-5010-2-git-send-email-kraxel@redhat.com
  1 file changed, 8 insertions(+), 18 deletions(-)
 
 diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
-index 6bd13fc..0e47cf8 100644
+index 6bd13fc78f..0e47cf85ad 100644
 --- a/hw/display/cirrus_vga.c
 +++ b/hw/display/cirrus_vga.c
 @@ -272,6 +272,9 @@ static void cirrus_update_memory_access(CirrusVGAState *s);
diff --git a/0066-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch b/0066-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch
index 96766e6..1aad869 100644
--- a/0066-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch
+++ b/0066-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch
@@ -19,7 +19,7 @@ Signed-off-by: Gerd Hoffmann
  1 file changed, 8 insertions(+)
 
 diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
-index 0e47cf8..a093dc8 100644
+index 0e47cf85ad..a093dc8b16 100644
 --- a/hw/display/cirrus_vga.c
 +++ b/hw/display/cirrus_vga.c
 @@ -899,6 +899,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s)
diff --git a/0067-egl-helpers-Support-newer-MESA-versions.patch b/0067-egl-helpers-Support-newer-MESA-versions.patch
index 71b85e3..9eb1f89 100644
--- a/0067-egl-helpers-Support-newer-MESA-versions.patch
+++ b/0067-egl-helpers-Support-newer-MESA-versions.patch
@@ -16,7 +16,7 @@ Signed-off-by: Gerd Hoffmann
  1 file changed, 4 insertions(+)
 
 diff --git a/ui/egl-helpers.c b/ui/egl-helpers.c
-index 79cee05..d8d57c4 100644
+index 79cee0503a..d8d57c4bbe 100644
 --- a/ui/egl-helpers.c
 +++ b/ui/egl-helpers.c
 @@ -203,7 +203,11 @@ int qemu_egl_init_dpy(EGLNativeDisplayType dpy, bool gles, bool debug)
diff --git a/0068-char-drop-data-written-to-a-disconnected-pty.patch b/0068-char-drop-data-written-to-a-disconnected-pty.patch
index af447a5..98e219f 100644
--- a/0068-char-drop-data-written-to-a-disconnected-pty.patch
+++ b/0068-char-drop-data-written-to-a-disconnected-pty.patch
@@ -18,7 +18,7 @@ Signed-off-by: Paolo Bonzini
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/qemu-char.c b/qemu-char.c
-index 90e9627..4ec9ae5 100644
+index 90e96271dd..4ec9ae5b94 100644
 --- a/qemu-char.c
 +++ b/qemu-char.c
 @@ -1328,7 +1328,7 @@ static int pty_chr_write(CharDriverState *chr, const uint8_t *buf, int len)
diff --git a/0069-dma-rc4030-limit-interval-timer-reload-value.patch b/0069-dma-rc4030-limit-interval-timer-reload-value.patch
index a71d4df..73ca298 100644
--- a/0069-dma-rc4030-limit-interval-timer-reload-value.patch
+++ b/0069-dma-rc4030-limit-interval-timer-reload-value.patch
@@ -21,7 +21,7 @@ Signed-off-by: Yongbok Kim
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/hw/dma/rc4030.c b/hw/dma/rc4030.c
-index 2f2576f..c1b4997 100644
+index 2f2576fafb..c1b4997c73 100644
 --- a/hw/dma/rc4030.c
 +++ b/hw/dma/rc4030.c
 @@ -460,7 +460,7 @@ static void rc4030_write(void *opaque, hwaddr addr, uint64_t data,
diff --git a/0070-slirp-Make-RA-build-more-flexible.patch b/0070-slirp-Make-RA-build-more-flexible.patch
index 9a486ef..c555bdd 100644
--- a/0070-slirp-Make-RA-build-more-flexible.patch
+++ b/0070-slirp-Make-RA-build-more-flexible.patch
@@ -18,7 +18,7 @@ Reviewed-by: Philippe Mathieu-Daudé
  1 file changed, 9 insertions(+), 15 deletions(-)
 
 diff --git a/slirp/ip6_icmp.c b/slirp/ip6_icmp.c
-index 6d18e28..3f74389 100644
+index 6d18e28985..3f7438996f 100644
 --- a/slirp/ip6_icmp.c
 +++ b/slirp/ip6_icmp.c
 @@ -143,17 +143,10 @@ void ndp_send_ra(Slirp *slirp)
diff --git a/0071-slirp-Send-RDNSS-in-RA-only-if-host-has-an-IPv6-DNS-.patch b/0071-slirp-Send-RDNSS-in-RA-only-if-host-has-an-IPv6-DNS-.patch
index 4ac0b15..1a5fecb 100644
--- a/0071-slirp-Send-RDNSS-in-RA-only-if-host-has-an-IPv6-DNS-.patch
+++ b/0071-slirp-Send-RDNSS-in-RA-only-if-host-has-an-IPv6-DNS-.patch
@@ -20,7 +20,7 @@ Reviewed-by: Philippe Mathieu-Daudé
  1 file changed, 14 insertions(+), 11 deletions(-)
 
 diff --git a/slirp/ip6_icmp.c b/slirp/ip6_icmp.c
-index 3f74389..4c71f4c 100644
+index 3f7438996f..4c71f4c2fc 100644
 --- a/slirp/ip6_icmp.c
 +++ b/slirp/ip6_icmp.c
 @@ -144,6 +144,9 @@ void ndp_send_ra(Slirp *slirp)
diff --git a/0072-qxl-clear-guest_cursor-on-QXL_CURSOR_HIDE.patch b/0072-qxl-clear-guest_cursor-on-QXL_CURSOR_HIDE.patch
index 5a7df4f..a554ace 100644
--- a/0072-qxl-clear-guest_cursor-on-QXL_CURSOR_HIDE.patch
+++ b/0072-qxl-clear-guest_cursor-on-QXL_CURSOR_HIDE.patch
@@ -20,7 +20,7 @@ Message-id: 1488789111-27340-1-git-send-email-kraxel@redhat.com
  1 file changed, 5 insertions(+)
 
 diff --git a/hw/display/qxl.c b/hw/display/qxl.c
-index 62d0c80..e09ce10 100644
+index 62d0c80dcf..e09ce10660 100644
 --- a/hw/display/qxl.c
 +++ b/hw/display/qxl.c
 @@ -478,6 +478,11 @@ static int qxl_track_command(PCIQXLDevice *qxl, struct QXLCommandExt *ext)
diff --git a/0073-serial-fix-memory-leak-in-serial-exit.patch b/0073-serial-fix-memory-leak-in-serial-exit.patch
index 8985f37..bb36f2a 100644
--- a/0073-serial-fix-memory-leak-in-serial-exit.patch
+++ b/0073-serial-fix-memory-leak-in-serial-exit.patch
@@ -15,7 +15,7 @@ Signed-off-by: Paolo Bonzini
  1 file changed, 10 insertions(+)
 
 diff --git a/hw/char/serial.c b/hw/char/serial.c
-index eec72b7..455119f 100644
+index eec72b7b9e..455119f3d7 100644
 --- a/hw/char/serial.c
 +++ b/hw/char/serial.c
 @@ -904,6 +904,16 @@ void serial_realize_core(SerialState *s, Error **errp)
diff --git a/0074-fix-cirrus_vga-fix-OOB-read-case-qemu-Segmentation-f.patch b/0074-fix-cirrus_vga-fix-OOB-read-case-qemu-Segmentation-f.patch
new file mode 100644
index 0000000..49dff5c
--- /dev/null
+++ b/0074-fix-cirrus_vga-fix-OOB-read-case-qemu-Segmentation-f.patch
@@ -0,0 +1,48 @@
+From: hangaohuai
+Date: Tue, 14 Mar 2017 14:39:19 +0800
+Subject: [PATCH] fix :cirrus_vga fix OOB read case qemu Segmentation fault
+
+check the validity of parameters in cirrus_bitblt_rop_fwd_transp_xxx
+and cirrus_bitblt_rop_fwd_xxx to avoid the OOB read which causes qemu Segmentation fault.
+
+After the fix, we will touch the assert in
+cirrus_invalidate_region:
+assert(off_cur_end >= off_cur);
+
+Signed-off-by: fangying
+Signed-off-by: hangaohuai
+Message-id: 20170314063919.16200-1-hangaohuai@huawei.com
+Signed-off-by: Gerd Hoffmann
+(cherry picked from commit 215902d7b6fb50c6fc216fc74f770858278ed904)
+---
+ hw/display/cirrus_vga_rop.h | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/hw/display/cirrus_vga_rop.h b/hw/display/cirrus_vga_rop.h
+index 0925a009fe..b7447f8733 100644
+--- a/hw/display/cirrus_vga_rop.h
++++ b/hw/display/cirrus_vga_rop.h
+@@ -97,6 +97,11 @@ glue(glue(cirrus_bitblt_rop_fwd_transp_, ROP_NAME),_8)(CirrusVGAState *s,
+ uint8_t p;
+ dstpitch -= bltwidth;
+ srcpitch -= bltwidth;
++
++ if (bltheight > 1 && (dstpitch < 0 || srcpitch < 0)) {
++ return;
++ }
++
+ for (y = 0; y < bltheight; y++) {
+ for (x = 0; x < bltwidth; x++) {
+ p = *dst;
+@@ -143,6 +148,11 @@ glue(glue(cirrus_bitblt_rop_fwd_transp_, ROP_NAME),_16)(CirrusVGAState *s,
+ uint8_t p1, p2;
+ dstpitch -= bltwidth;
+ srcpitch -= bltwidth;
++
++ if (bltheight > 1 && (dstpitch < 0 || srcpitch < 0)) {
++ return;
++ }
++
+ for (y = 0; y < bltheight; y++) {
+ for (x = 0; x < bltwidth; x+=2) {
+ p1 = *dst;
diff --git a/0075-cirrus-vnc-zap-bitblit-support-from-console-code.patch b/0075-cirrus-vnc-zap-bitblit-support-from-console-code.patch
new file mode 100644
index 0000000..32edd9f
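Review bot: The patch description claims the guard was added to cirrus_bitblt_rop_fwd_xxx as well, but the two hunks only touch the `_transp_` `_8` and `_16` variants and the header reports a single 10-line change to cirrus_vga_rop.h, so either the description should be narrowed to the transparent blitters or the plain forward rop needs the same check if it does not already carry one (the prologue of that function is visible in the 0078 patch further down, but the lines between `srcpitch -= bltwidth;` and the row loop are not). The condition itself deserves a why-comment, because `dstpitch < 0` is only meaningful after the `-= bltwidth` adjustment two lines above it: `/* pitches were already reduced by bltwidth: a negative value means the next row starts inside or before the current one, so a multi-row blit would read outside the blit region; refuse it */`. Both enclosing functions continue outside the hunk.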
--- /dev/null
+++ b/0075-cirrus-vnc-zap-bitblit-support-from-console-code.patch
@@ -0,0 +1,269 @@ +From: Gerd Hoffmann +Date: Tue, 14 Mar 2017 13:26:59 +0100 +Subject: [PATCH] cirrus/vnc: zap bitblit support from console code. + +There is a special code path (dpy_gfx_copy) to allow graphic emulation +notify user interface code about bitblit operations carryed out by +guests. It is supported by cirrus and vnc server. The intended purpose +is to optimize display scrolls and just send over the scroll op instead +of a full display update. + +This is rarely used these days though because modern guests simply don't +use the cirrus blitter any more. Any linux guest using the cirrus drm +driver doesn't. Any windows guest newer than winxp doesn't ship with a +cirrus driver any more and thus uses the cirrus as simple framebuffer. + +So this code tends to bitrot and bugs can go unnoticed for a long time. +See for example commit "3e10c3e vnc: fix qemu crash because of SIGSEGV" +which fixes a bug lingering in the code for almost a year, added by +commit "c7628bf vnc: only alloc server surface with clients connected". + +Also the vnc server will throttle the frame rate in case it figures the +network can't keep up (send buffers are full). This doesn't work with +dpy_gfx_copy, for any copy operation sent to the vnc client we have to +send all outstanding updates beforehand, otherwise the vnc client might +run the client side blit on outdated data and thereby corrupt the +display. So this dpy_gfx_copy "optimization" might even make things +worse on slow network links. + +Lets kill it once for all. + +Oh, and one more reason: Turns out (after writing the patch) we have a +security bug in that code path ... 
+ +Fixes: CVE-2016-9603 +Signed-off-by: Gerd Hoffmann +Message-id: 1489494419-14340-1-git-send-email-kraxel@redhat.com +(cherry picked from commit 50628d3479e4f9aa97e323506856e394fe7ad7a6) +--- + hw/display/cirrus_vga.c | 12 ++---- + include/ui/console.h | 7 ---- + ui/console.c | 28 -------------- + ui/vnc.c | 100 ------------------------------------------------ + 4 files changed, 3 insertions(+), 144 deletions(-) + +diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c +index a093dc8b16..2ef2884823 100644 +--- a/hw/display/cirrus_vga.c ++++ b/hw/display/cirrus_vga.c +@@ -795,21 +795,15 @@ static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h) + } + } + +- /* we have to flush all pending changes so that the copy +- is generated at the appropriate moment in time */ +- if (notify) +- graphic_hw_update(s->vga.con); +- + (*s->cirrus_rop) (s, s->vga.vram_ptr + s->cirrus_blt_dstaddr, + s->vga.vram_ptr + s->cirrus_blt_srcaddr, + s->cirrus_blt_dstpitch, s->cirrus_blt_srcpitch, + s->cirrus_blt_width, s->cirrus_blt_height); + + if (notify) { +- qemu_console_copy(s->vga.con, +- sx, sy, dx, dy, +- s->cirrus_blt_width / depth, +- s->cirrus_blt_height); ++ dpy_gfx_update(s->vga.con, dx, dy, ++ s->cirrus_blt_width / depth, ++ s->cirrus_blt_height); + } + + /* we don't have to notify the display that this portion has +diff --git a/include/ui/console.h b/include/ui/console.h +index 2703a3aa5a..67927ed851 100644 +--- a/include/ui/console.h ++++ b/include/ui/console.h +@@ -189,9 +189,6 @@ typedef struct DisplayChangeListenerOps { + int x, int y, int w, int h); + void (*dpy_gfx_switch)(DisplayChangeListener *dcl, + struct DisplaySurface *new_surface); +- void (*dpy_gfx_copy)(DisplayChangeListener *dcl, +- int src_x, int src_y, +- int dst_x, int dst_y, int w, int h); + bool (*dpy_gfx_check_format)(DisplayChangeListener *dcl, + pixman_format_code_t format); + +@@ -273,8 +270,6 @@ int dpy_set_ui_info(QemuConsole *con, QemuUIInfo *info); + void 
dpy_gfx_update(QemuConsole *con, int x, int y, int w, int h); + void dpy_gfx_replace_surface(QemuConsole *con, + DisplaySurface *surface); +-void dpy_gfx_copy(QemuConsole *con, int src_x, int src_y, +- int dst_x, int dst_y, int w, int h); + void dpy_text_cursor(QemuConsole *con, int x, int y); + void dpy_text_update(QemuConsole *con, int x, int y, int w, int h); + void dpy_text_resize(QemuConsole *con, int w, int h); +@@ -398,8 +393,6 @@ void text_consoles_set_display(DisplayState *ds); + void console_select(unsigned int index); + void console_color_init(DisplayState *ds); + void qemu_console_resize(QemuConsole *con, int width, int height); +-void qemu_console_copy(QemuConsole *con, int src_x, int src_y, +- int dst_x, int dst_y, int w, int h); + DisplaySurface *qemu_console_surface(QemuConsole *con); + + /* console-gl.c */ +diff --git a/ui/console.c b/ui/console.c +index c24bfe422d..ece0c04ddf 100644 +--- a/ui/console.c ++++ b/ui/console.c +@@ -1558,27 +1558,6 @@ static void dpy_refresh(DisplayState *s) + } + } + +-void dpy_gfx_copy(QemuConsole *con, int src_x, int src_y, +- int dst_x, int dst_y, int w, int h) +-{ +- DisplayState *s = con->ds; +- DisplayChangeListener *dcl; +- +- if (!qemu_console_is_visible(con)) { +- return; +- } +- QLIST_FOREACH(dcl, &s->listeners, next) { +- if (con != (dcl->con ? 
dcl->con : active_console)) { +- continue; +- } +- if (dcl->ops->dpy_gfx_copy) { +- dcl->ops->dpy_gfx_copy(dcl, src_x, src_y, dst_x, dst_y, w, h); +- } else { /* TODO */ +- dcl->ops->dpy_gfx_update(dcl, dst_x, dst_y, w, h); +- } +- } +-} +- + void dpy_text_cursor(QemuConsole *con, int x, int y) + { + DisplayState *s = con->ds; +@@ -2104,13 +2083,6 @@ void qemu_console_resize(QemuConsole *s, int width, int height) + dpy_gfx_replace_surface(s, surface); + } + +-void qemu_console_copy(QemuConsole *con, int src_x, int src_y, +- int dst_x, int dst_y, int w, int h) +-{ +- assert(con->console_type == GRAPHIC_CONSOLE); +- dpy_gfx_copy(con, src_x, src_y, dst_x, dst_y, w, h); +-} +- + DisplaySurface *qemu_console_surface(QemuConsole *console) + { + return console->surface; +diff --git a/ui/vnc.c b/ui/vnc.c +index 76a3273e0b..b45bb2c4b8 100644 +--- a/ui/vnc.c ++++ b/ui/vnc.c +@@ -872,105 +872,6 @@ int vnc_send_framebuffer_update(VncState *vs, int x, int y, int w, int h) + return n; + } + +-static void vnc_copy(VncState *vs, int src_x, int src_y, int dst_x, int dst_y, int w, int h) +-{ +- /* send bitblit op to the vnc client */ +- vnc_lock_output(vs); +- vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE); +- vnc_write_u8(vs, 0); +- vnc_write_u16(vs, 1); /* number of rects */ +- vnc_framebuffer_update(vs, dst_x, dst_y, w, h, VNC_ENCODING_COPYRECT); +- vnc_write_u16(vs, src_x); +- vnc_write_u16(vs, src_y); +- vnc_unlock_output(vs); +- vnc_flush(vs); +-} +- +-static void vnc_dpy_copy(DisplayChangeListener *dcl, +- int src_x, int src_y, +- int dst_x, int dst_y, int w, int h) +-{ +- VncDisplay *vd = container_of(dcl, VncDisplay, dcl); +- VncState *vs, *vn; +- uint8_t *src_row; +- uint8_t *dst_row; +- int i, x, y, pitch, inc, w_lim, s; +- int cmp_bytes; +- +- if (!vd->server) { +- /* no client connected */ +- return; +- } +- +- vnc_refresh_server_surface(vd); +- QTAILQ_FOREACH_SAFE(vs, &vd->clients, next, vn) { +- if (vnc_has_feature(vs, VNC_FEATURE_COPYRECT)) { +- vs->force_update 
= 1; +- vnc_update_client(vs, 1, true); +- /* vs might be free()ed here */ +- } +- } +- +- if (!vd->server) { +- /* no client connected */ +- return; +- } +- /* do bitblit op on the local surface too */ +- pitch = vnc_server_fb_stride(vd); +- src_row = vnc_server_fb_ptr(vd, src_x, src_y); +- dst_row = vnc_server_fb_ptr(vd, dst_x, dst_y); +- y = dst_y; +- inc = 1; +- if (dst_y > src_y) { +- /* copy backwards */ +- src_row += pitch * (h-1); +- dst_row += pitch * (h-1); +- pitch = -pitch; +- y = dst_y + h - 1; +- inc = -1; +- } +- w_lim = w - (VNC_DIRTY_PIXELS_PER_BIT - (dst_x % VNC_DIRTY_PIXELS_PER_BIT)); +- if (w_lim < 0) { +- w_lim = w; +- } else { +- w_lim = w - (w_lim % VNC_DIRTY_PIXELS_PER_BIT); +- } +- for (i = 0; i < h; i++) { +- for (x = 0; x <= w_lim; +- x += s, src_row += cmp_bytes, dst_row += cmp_bytes) { +- if (x == w_lim) { +- if ((s = w - w_lim) == 0) +- break; +- } else if (!x) { +- s = (VNC_DIRTY_PIXELS_PER_BIT - +- (dst_x % VNC_DIRTY_PIXELS_PER_BIT)); +- s = MIN(s, w_lim); +- } else { +- s = VNC_DIRTY_PIXELS_PER_BIT; +- } +- cmp_bytes = s * VNC_SERVER_FB_BYTES; +- if (memcmp(src_row, dst_row, cmp_bytes) == 0) +- continue; +- memmove(dst_row, src_row, cmp_bytes); +- QTAILQ_FOREACH(vs, &vd->clients, next) { +- if (!vnc_has_feature(vs, VNC_FEATURE_COPYRECT)) { +- set_bit(((x + dst_x) / VNC_DIRTY_PIXELS_PER_BIT), +- vs->dirty[y]); +- } +- } +- } +- src_row += pitch - w * VNC_SERVER_FB_BYTES; +- dst_row += pitch - w * VNC_SERVER_FB_BYTES; +- y += inc; +- } +- +- QTAILQ_FOREACH(vs, &vd->clients, next) { +- if (vnc_has_feature(vs, VNC_FEATURE_COPYRECT)) { +- vnc_copy(vs, src_x, src_y, dst_x, dst_y, w, h); +- } +- } +-} +- + static void vnc_mouse_set(DisplayChangeListener *dcl, + int x, int y, int visible) + { +@@ -3123,7 +3024,6 @@ static gboolean vnc_listen_io(QIOChannel *ioc, + static const DisplayChangeListenerOps dcl_ops = { + .dpy_name = "vnc", + .dpy_refresh = vnc_refresh, +- .dpy_gfx_copy = vnc_dpy_copy, + .dpy_gfx_update = vnc_dpy_update, + 
.dpy_gfx_switch = vnc_dpy_switch,
+ .dpy_gfx_check_format = qemu_pixman_check_format,
diff --git a/0076-9pfs-fix-file-descriptor-leak.patch b/0076-9pfs-fix-file-descriptor-leak.patch
new file mode 100644
index 0000000..049fb4a
--- /dev/null
+++ b/0076-9pfs-fix-file-descriptor-leak.patch
@@ -0,0 +1,46 @@
+From: Li Qiang
+Date: Mon, 27 Mar 2017 21:13:19 +0200
+Subject: [PATCH] 9pfs: fix file descriptor leak
+
+The v9fs_create() and v9fs_lcreate() functions are used to create a file
+on the backend and to associate it to a fid. The fid shouldn't be already
+in-use, otherwise both functions may silently leak a file descriptor or
+allocated memory. The current code doesn't check that.
+
+This patch ensures that the fid isn't already associated to anything
+before using it.
+
+Signed-off-by: Li Qiang
+(reworded the changelog, Greg Kurz)
+Signed-off-by: Greg Kurz
+(cherry picked from commit d63fb193e71644a073b77ff5ac6f1216f2f6cf6e)
+---
+ hw/9pfs/9p.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index 9a89f75d90..9d6b2caf1b 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -1530,6 +1530,10 @@ static void v9fs_lcreate(void *opaque)
+ err = -ENOENT;
+ goto out_nofid;
+ }
++ if (fidp->fid_type != P9_FID_NONE) {
++ err = -EINVAL;
++ goto out;
++ }
+
+ flags = get_dotl_openflags(pdu->s, flags);
+ err = v9fs_co_open2(pdu, fidp, &name, gid,
+@@ -2127,6 +2131,10 @@ static void v9fs_create(void *opaque)
+ err = -EINVAL;
+ goto out_nofid;
+ }
++ if (fidp->fid_type != P9_FID_NONE) {
++ err = -EINVAL;
++ goto out;
++ }
+ if (perm & P9_STAT_MODE_DIR) {
+ err = v9fs_co_mkdir(pdu, fidp, &name, perm & 0777,
+ fidp->uid, -1, &stbuf);
diff --git a/0077-cirrus-fix-cirrus_invalidate_region.patch b/0077-cirrus-fix-cirrus_invalidate_region.patch
new file mode 100644
index 0000000..eef552f
--- /dev/null
+++ b/0077-cirrus-fix-cirrus_invalidate_region.patch
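Review bot: Dropping the `dpy_gfx_copy` member from `DisplayChangeListenerOps` in include/ui/console.h is an interface change that this backport follows up only in ui/vnc.c; any other listener in this tree that still assigns `.dpy_gfx_copy` would fail to compile, and since the diffstat lists no other UI file, a build with every configured UI backend is the only way to confirm none does. In cirrus_do_copy the new `dpy_gfx_update(s->vga.con, dx, dy, ...)` keeps the old `if (notify)` gate while the rop call above it runs unconditionally, which matches the description, but the removed `graphic_hw_update(s->vga.con)` flush is now only safe because no client-side copy is emitted any more, and that reasoning should be recorded at the block: `/* no dpy_gfx_copy any more: just mark the destination rectangle dirty */`. cirrus_do_copy starts and ends outside the hunk.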
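Review bot: The new `fidp->fid_type != P9_FID_NONE` rejections in v9fs_lcreate and v9fs_create jump to `out` while the neighbouring "fid not found" path uses `out_nofid`; that is correct only if `out` releases the reference presumably taken on fidp a few lines earlier, and both labels are outside the hunk, so this should be confirmed against the backported 9p.c. The check would also benefit from a one-line comment so its purpose survives later edits: `/* a fid already bound to an open file or directory must not be reused: the old fd/handle would be leaked when it is overwritten */`. Returning -EINVAL in both functions is consistent with the existing invalid-name path visible in v9fs_create.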
@@ -0,0 +1,37 @@
+From: Gerd Hoffmann
+Date: Wed, 15 Mar 2017 13:06:46 +0100
+Subject: [PATCH] cirrus: fix cirrus_invalidate_region
+
+off_cur_end is exclusive, so off_cur_end == cirrus_addr_mask is valid.
+Fix calculation to make sure to allow that, otherwise the assert added
+by commit f153b563f8cf121aebf5a2fff5f0110faf58ccb3 can trigger for valid
+blits.
+
+Test case: boot windows nt 4.0
+
+Signed-off-by: Gerd Hoffmann
+Message-id: 1489579606-26020-1-git-send-email-kraxel@redhat.com
+(cherry picked from commit e048dac616748273c2153490e9fdf1da242f0cad)
+---
+ hw/display/cirrus_vga.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
+index 2ef2884823..444335f7c1 100644
+--- a/hw/display/cirrus_vga.c
++++ b/hw/display/cirrus_vga.c
+@@ -665,11 +665,11 @@ static void cirrus_invalidate_region(CirrusVGAState * s, int off_begin,
+ }
+
+ for (y = 0; y < lines; y++) {
+- off_cur = off_begin;
+- off_cur_end = (off_cur + bytesperline) & s->cirrus_addr_mask;
++ off_cur = off_begin;
++ off_cur_end = ((off_cur + bytesperline - 1) & s->cirrus_addr_mask) + 1;
+ assert(off_cur_end >= off_cur);
+ memory_region_set_dirty(&s->vga.vram, off_cur, off_cur_end - off_cur);
+- off_begin += off_pitch;
++ off_begin += off_pitch;
+ }
+ }
+
diff --git a/0078-cirrus-stop-passing-around-dst-pointers-in-the-blitt.patch b/0078-cirrus-stop-passing-around-dst-pointers-in-the-blitt.patch
new file mode 100644
index 0000000..05f08c2
--- /dev/null
+++ b/0078-cirrus-stop-passing-around-dst-pointers-in-the-blitt.patch
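Review bot: The `-`/`+` pairs for `off_cur = off_begin;` and `off_begin += off_pitch;` in this hunk are identical apart from whitespace, so a re-indentation is mixed into a one-line functional fix; separating it, or at least saying so in the patch header, would make the backport easier to check against the cherry-picked upstream commit. The `assert(off_cur_end >= off_cur)` that the patch keeps is reachable from guest-programmed blits (the description says it fired on a Windows NT boot), and the new code masks `off_cur_end` but still takes `off_cur` from `off_begin` unmasked, so a region that wraps past `cirrus_addr_mask` would abort the whole VM rather than be clipped; whether the callers guarantee `off_begin` is already within the mask is not visible here. If they do not, a guest-facing early return is the safer failure mode, e.g. `if (off_cur_end < off_cur) { return; }` in place of the assert. cirrus_invalidate_region starts outside the hunk.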
@@ -0,0 +1,616 @@ +From: Gerd Hoffmann +Date: Wed, 15 Mar 2017 11:47:52 +0100 +Subject: [PATCH] cirrus: stop passing around dst pointers in the blitter + +Instead pass around the address (aka offset into vga memory). Calculate +the pointer in the rop_* functions, after applying the mask to the +address, to make sure the address stays within the valid range. + +Signed-off-by: Gerd Hoffmann +Message-id: 1489574872-8679-1-git-send-email-kraxel@redhat.com +(cherry picked from commit 026aeffcb4752054830ba203020ed6eb05bcaba8) +--- + hw/display/cirrus_vga.c | 20 +++--- + hw/display/cirrus_vga_rop.h | 161 +++++++++++++++++++++++++------------------ + hw/display/cirrus_vga_rop2.h | 97 +++++++++++++------------- + 3 files changed, 153 insertions(+), 125 deletions(-) + +diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c +index 444335f7c1..f1952a00a8 100644 +--- a/hw/display/cirrus_vga.c ++++ b/hw/display/cirrus_vga.c +@@ -177,11 +177,12 @@ + + struct CirrusVGAState; + typedef void (*cirrus_bitblt_rop_t) (struct CirrusVGAState *s, +- uint8_t * dst, const uint8_t * src, ++ uint32_t dstaddr, const uint8_t *src, + int dstpitch, int srcpitch, + int bltwidth, int bltheight); + typedef void (*cirrus_fill_t)(struct CirrusVGAState *s, +- uint8_t *dst, int dst_pitch, int width, int height); ++ uint32_t dstaddr, int dst_pitch, ++ int width, int height); + + typedef struct CirrusVGAState { + VGACommonState vga; +@@ -319,14 +320,14 @@ static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only) + } + + static void cirrus_bitblt_rop_nop(CirrusVGAState *s, +- uint8_t *dst,const uint8_t *src, ++ uint32_t dstaddr, const uint8_t *src, + int dstpitch,int srcpitch, + int bltwidth,int bltheight) + { + } + + static void cirrus_bitblt_fill_nop(CirrusVGAState *s, +- uint8_t *dst, ++ uint32_t dstaddr, + int dstpitch, int bltwidth,int bltheight) + { + } +@@ -676,11 +677,8 @@ static void cirrus_invalidate_region(CirrusVGAState * s, int off_begin, + static int 
cirrus_bitblt_common_patterncopy(CirrusVGAState *s, bool videosrc) + { + uint32_t patternsize; +- uint8_t *dst; + uint8_t *src; + +- dst = s->vga.vram_ptr + s->cirrus_blt_dstaddr; +- + if (videosrc) { + switch (s->vga.get_bpp(&s->vga)) { + case 8: +@@ -709,7 +707,7 @@ static int cirrus_bitblt_common_patterncopy(CirrusVGAState *s, bool videosrc) + return 0; + } + +- (*s->cirrus_rop) (s, dst, src, ++ (*s->cirrus_rop) (s, s->cirrus_blt_dstaddr, src, + s->cirrus_blt_dstpitch, 0, + s->cirrus_blt_width, s->cirrus_blt_height); + cirrus_invalidate_region(s, s->cirrus_blt_dstaddr, +@@ -728,7 +726,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop) + return 0; + } + rop_func = cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1]; +- rop_func(s, s->vga.vram_ptr + s->cirrus_blt_dstaddr, ++ rop_func(s, s->cirrus_blt_dstaddr, + s->cirrus_blt_dstpitch, + s->cirrus_blt_width, s->cirrus_blt_height); + cirrus_invalidate_region(s, s->cirrus_blt_dstaddr, +@@ -795,7 +793,7 @@ static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h) + } + } + +- (*s->cirrus_rop) (s, s->vga.vram_ptr + s->cirrus_blt_dstaddr, ++ (*s->cirrus_rop) (s, s->cirrus_blt_dstaddr, + s->vga.vram_ptr + s->cirrus_blt_srcaddr, + s->cirrus_blt_dstpitch, s->cirrus_blt_srcpitch, + s->cirrus_blt_width, s->cirrus_blt_height); +@@ -846,7 +844,7 @@ static void cirrus_bitblt_cputovideo_next(CirrusVGAState * s) + } else { + /* at least one scan line */ + do { +- (*s->cirrus_rop)(s, s->vga.vram_ptr + s->cirrus_blt_dstaddr, ++ (*s->cirrus_rop)(s, s->cirrus_blt_dstaddr, + s->cirrus_bltbuf, 0, 0, s->cirrus_blt_width, 1); + cirrus_invalidate_region(s, s->cirrus_blt_dstaddr, 0, + s->cirrus_blt_width, 1); +diff --git a/hw/display/cirrus_vga_rop.h b/hw/display/cirrus_vga_rop.h +index b7447f8733..1aa778d3e8 100644 +--- a/hw/display/cirrus_vga_rop.h ++++ b/hw/display/cirrus_vga_rop.h +@@ -22,31 +22,65 @@ + * THE SOFTWARE. 
+ */ + +-static inline void glue(rop_8_,ROP_NAME)(uint8_t *dst, uint8_t src) ++static inline void glue(rop_8_, ROP_NAME)(CirrusVGAState *s, ++ uint32_t dstaddr, uint8_t src) + { ++ uint8_t *dst = &s->vga.vram_ptr[dstaddr & s->cirrus_addr_mask]; + *dst = ROP_FN(*dst, src); + } + +-static inline void glue(rop_16_,ROP_NAME)(uint16_t *dst, uint16_t src) ++static inline void glue(rop_tr_8_, ROP_NAME)(CirrusVGAState *s, ++ uint32_t dstaddr, uint8_t src, ++ uint8_t transp) + { ++ uint8_t *dst = &s->vga.vram_ptr[dstaddr & s->cirrus_addr_mask]; ++ uint8_t pixel = ROP_FN(*dst, src); ++ if (pixel != transp) { ++ *dst = pixel; ++ } ++} ++ ++static inline void glue(rop_16_, ROP_NAME)(CirrusVGAState *s, ++ uint32_t dstaddr, uint16_t src) ++{ ++ uint16_t *dst = (uint16_t *) ++ (&s->vga.vram_ptr[dstaddr & s->cirrus_addr_mask & ~1]); + *dst = ROP_FN(*dst, src); + } + +-static inline void glue(rop_32_,ROP_NAME)(uint32_t *dst, uint32_t src) ++static inline void glue(rop_tr_16_, ROP_NAME)(CirrusVGAState *s, ++ uint32_t dstaddr, uint16_t src, ++ uint16_t transp) ++{ ++ uint16_t *dst = (uint16_t *) ++ (&s->vga.vram_ptr[dstaddr & s->cirrus_addr_mask & ~1]); ++ uint16_t pixel = ROP_FN(*dst, src); ++ if (pixel != transp) { ++ *dst = pixel; ++ } ++} ++ ++static inline void glue(rop_32_, ROP_NAME)(CirrusVGAState *s, ++ uint32_t dstaddr, uint32_t src) + { ++ uint32_t *dst = (uint32_t *) ++ (&s->vga.vram_ptr[dstaddr & s->cirrus_addr_mask & ~3]); + *dst = ROP_FN(*dst, src); + } + +-#define ROP_OP(d, s) glue(rop_8_,ROP_NAME)(d, s) +-#define ROP_OP_16(d, s) glue(rop_16_,ROP_NAME)(d, s) +-#define ROP_OP_32(d, s) glue(rop_32_,ROP_NAME)(d, s) ++#define ROP_OP(st, d, s) glue(rop_8_, ROP_NAME)(st, d, s) ++#define ROP_OP_TR(st, d, s, t) glue(rop_tr_8_, ROP_NAME)(st, d, s, t) ++#define ROP_OP_16(st, d, s) glue(rop_16_, ROP_NAME)(st, d, s) ++#define ROP_OP_TR_16(st, d, s, t) glue(rop_tr_16_, ROP_NAME)(st, d, s, t) ++#define ROP_OP_32(st, d, s) glue(rop_32_, ROP_NAME)(st, d, s) + #undef ROP_FN + + static 
void + glue(cirrus_bitblt_rop_fwd_, ROP_NAME)(CirrusVGAState *s, +- uint8_t *dst,const uint8_t *src, +- int dstpitch,int srcpitch, +- int bltwidth,int bltheight) ++ uint32_t dstaddr, ++ const uint8_t *src, ++ int dstpitch, int srcpitch, ++ int bltwidth, int bltheight) + { + int x,y; + dstpitch -= bltwidth; +@@ -58,43 +92,47 @@ glue(cirrus_bitblt_rop_fwd_, ROP_NAME)(CirrusVGAState *s, + + for (y = 0; y < bltheight; y++) { + for (x = 0; x < bltwidth; x++) { +- ROP_OP(dst, *src); +- dst++; ++ ROP_OP(s, dstaddr, *src); ++ dstaddr++; + src++; + } +- dst += dstpitch; ++ dstaddr += dstpitch; + src += srcpitch; + } + } + + static void + glue(cirrus_bitblt_rop_bkwd_, ROP_NAME)(CirrusVGAState *s, +- uint8_t *dst,const uint8_t *src, +- int dstpitch,int srcpitch, +- int bltwidth,int bltheight) ++ uint32_t dstaddr, ++ const uint8_t *src, ++ int dstpitch, int srcpitch, ++ int bltwidth, int bltheight) + { + int x,y; + dstpitch += bltwidth; + srcpitch += bltwidth; + for (y = 0; y < bltheight; y++) { + for (x = 0; x < bltwidth; x++) { +- ROP_OP(dst, *src); +- dst--; ++ ROP_OP(s, dstaddr, *src); ++ dstaddr--; + src--; + } +- dst += dstpitch; ++ dstaddr += dstpitch; + src += srcpitch; + } + } + + static void + glue(glue(cirrus_bitblt_rop_fwd_transp_, ROP_NAME),_8)(CirrusVGAState *s, +- uint8_t *dst,const uint8_t *src, +- int dstpitch,int srcpitch, +- int bltwidth,int bltheight) ++ uint32_t dstaddr, ++ const uint8_t *src, ++ int dstpitch, ++ int srcpitch, ++ int bltwidth, ++ int bltheight) + { + int x,y; +- uint8_t p; ++ uint8_t transp = s->vga.gr[0x34]; + dstpitch -= bltwidth; + srcpitch -= bltwidth; + +@@ -104,48 +142,50 @@ glue(glue(cirrus_bitblt_rop_fwd_transp_, ROP_NAME),_8)(CirrusVGAState *s, + + for (y = 0; y < bltheight; y++) { + for (x = 0; x < bltwidth; x++) { +- p = *dst; +- ROP_OP(&p, *src); +- if (p != s->vga.gr[0x34]) *dst = p; +- dst++; ++ ROP_OP_TR(s, dstaddr, *src, transp); ++ dstaddr++; + src++; + } +- dst += dstpitch; ++ dstaddr += dstpitch; + src += srcpitch; + } + 
} + + static void + glue(glue(cirrus_bitblt_rop_bkwd_transp_, ROP_NAME),_8)(CirrusVGAState *s, +- uint8_t *dst,const uint8_t *src, +- int dstpitch,int srcpitch, +- int bltwidth,int bltheight) ++ uint32_t dstaddr, ++ const uint8_t *src, ++ int dstpitch, ++ int srcpitch, ++ int bltwidth, ++ int bltheight) + { + int x,y; +- uint8_t p; ++ uint8_t transp = s->vga.gr[0x34]; + dstpitch += bltwidth; + srcpitch += bltwidth; + for (y = 0; y < bltheight; y++) { + for (x = 0; x < bltwidth; x++) { +- p = *dst; +- ROP_OP(&p, *src); +- if (p != s->vga.gr[0x34]) *dst = p; +- dst--; ++ ROP_OP_TR(s, dstaddr, *src, transp); ++ dstaddr--; + src--; + } +- dst += dstpitch; ++ dstaddr += dstpitch; + src += srcpitch; + } + } + + static void + glue(glue(cirrus_bitblt_rop_fwd_transp_, ROP_NAME),_16)(CirrusVGAState *s, +- uint8_t *dst,const uint8_t *src, +- int dstpitch,int srcpitch, +- int bltwidth,int bltheight) ++ uint32_t dstaddr, ++ const uint8_t *src, ++ int dstpitch, ++ int srcpitch, ++ int bltwidth, ++ int bltheight) + { + int x,y; +- uint8_t p1, p2; ++ uint16_t transp = s->vga.gr[0x34] | (uint16_t)s->vga.gr[0x35] << 8; + dstpitch -= bltwidth; + srcpitch -= bltwidth; + +@@ -155,46 +195,35 @@ glue(glue(cirrus_bitblt_rop_fwd_transp_, ROP_NAME),_16)(CirrusVGAState *s, + + for (y = 0; y < bltheight; y++) { + for (x = 0; x < bltwidth; x+=2) { +- p1 = *dst; +- p2 = *(dst+1); +- ROP_OP(&p1, *src); +- ROP_OP(&p2, *(src + 1)); +- if ((p1 != s->vga.gr[0x34]) || (p2 != s->vga.gr[0x35])) { +- *dst = p1; +- *(dst+1) = p2; +- } +- dst+=2; +- src+=2; ++ ROP_OP_TR_16(s, dstaddr, *(uint16_t *)src, transp); ++ dstaddr += 2; ++ src += 2; + } +- dst += dstpitch; ++ dstaddr += dstpitch; + src += srcpitch; + } + } + + static void + glue(glue(cirrus_bitblt_rop_bkwd_transp_, ROP_NAME),_16)(CirrusVGAState *s, +- uint8_t *dst,const uint8_t *src, +- int dstpitch,int srcpitch, +- int bltwidth,int bltheight) ++ uint32_t dstaddr, ++ const uint8_t *src, ++ int dstpitch, ++ int srcpitch, ++ int bltwidth, ++ int 
bltheight) + { + int x,y; +- uint8_t p1, p2; ++ uint16_t transp = s->vga.gr[0x34] | (uint16_t)s->vga.gr[0x35] << 8; + dstpitch += bltwidth; + srcpitch += bltwidth; + for (y = 0; y < bltheight; y++) { + for (x = 0; x < bltwidth; x+=2) { +- p1 = *(dst-1); +- p2 = *dst; +- ROP_OP(&p1, *(src - 1)); +- ROP_OP(&p2, *src); +- if ((p1 != s->vga.gr[0x34]) || (p2 != s->vga.gr[0x35])) { +- *(dst-1) = p1; +- *dst = p2; +- } +- dst-=2; +- src-=2; ++ ROP_OP_TR_16(s, dstaddr, *(uint16_t *)src, transp); ++ dstaddr -= 2; ++ src -= 2; + } +- dst += dstpitch; ++ dstaddr += dstpitch; + src += srcpitch; + } + } +diff --git a/hw/display/cirrus_vga_rop2.h b/hw/display/cirrus_vga_rop2.h +index d28bcc6f25..bc92f0e0e7 100644 +--- a/hw/display/cirrus_vga_rop2.h ++++ b/hw/display/cirrus_vga_rop2.h +@@ -23,27 +23,29 @@ + */ + + #if DEPTH == 8 +-#define PUTPIXEL() ROP_OP(&d[0], col) ++#define PUTPIXEL(s, a, c) ROP_OP(s, a, c) + #elif DEPTH == 16 +-#define PUTPIXEL() ROP_OP_16((uint16_t *)&d[0], col) ++#define PUTPIXEL(s, a, c) ROP_OP_16(s, a, c) + #elif DEPTH == 24 +-#define PUTPIXEL() ROP_OP(&d[0], col); \ +- ROP_OP(&d[1], (col >> 8)); \ +- ROP_OP(&d[2], (col >> 16)) ++#define PUTPIXEL(s, a, c) do { \ ++ ROP_OP(s, a, c); \ ++ ROP_OP(s, a + 1, (col >> 8)); \ ++ ROP_OP(s, a + 2, (col >> 16)); \ ++ } while (0) + #elif DEPTH == 32 +-#define PUTPIXEL() ROP_OP_32(((uint32_t *)&d[0]), col) ++#define PUTPIXEL(s, a, c) ROP_OP_32(s, a, c) + #else + #error unsupported DEPTH + #endif + + static void + glue(glue(glue(cirrus_patternfill_, ROP_NAME), _),DEPTH) +- (CirrusVGAState * s, uint8_t * dst, +- const uint8_t * src, ++ (CirrusVGAState *s, uint32_t dstaddr, ++ const uint8_t *src, + int dstpitch, int srcpitch, + int bltwidth, int bltheight) + { +- uint8_t *d; ++ uint32_t addr; + int x, y, pattern_y, pattern_pitch, pattern_x; + unsigned int col; + const uint8_t *src1; +@@ -63,7 +65,7 @@ glue(glue(glue(cirrus_patternfill_, ROP_NAME), _),DEPTH) + pattern_y = s->cirrus_blt_srcaddr & 7; + for(y = 0; y < 
bltheight; y++) { + pattern_x = skipleft; +- d = dst + skipleft; ++ addr = dstaddr + skipleft; + src1 = src + pattern_y * pattern_pitch; + for (x = skipleft; x < bltwidth; x += (DEPTH / 8)) { + #if DEPTH == 8 +@@ -82,23 +84,23 @@ glue(glue(glue(cirrus_patternfill_, ROP_NAME), _),DEPTH) + col = ((uint32_t *)(src1 + pattern_x))[0]; + pattern_x = (pattern_x + 4) & 31; + #endif +- PUTPIXEL(); +- d += (DEPTH / 8); ++ PUTPIXEL(s, addr, col); ++ addr += (DEPTH / 8); + } + pattern_y = (pattern_y + 1) & 7; +- dst += dstpitch; ++ dstaddr += dstpitch; + } + } + + /* NOTE: srcpitch is ignored */ + static void + glue(glue(glue(cirrus_colorexpand_transp_, ROP_NAME), _),DEPTH) +- (CirrusVGAState * s, uint8_t * dst, +- const uint8_t * src, ++ (CirrusVGAState *s, uint32_t dstaddr, ++ const uint8_t *src, + int dstpitch, int srcpitch, + int bltwidth, int bltheight) + { +- uint8_t *d; ++ uint32_t addr; + int x, y; + unsigned bits, bits_xor; + unsigned int col; +@@ -123,7 +125,7 @@ glue(glue(glue(cirrus_colorexpand_transp_, ROP_NAME), _),DEPTH) + for(y = 0; y < bltheight; y++) { + bitmask = 0x80 >> srcskipleft; + bits = *src++ ^ bits_xor; +- d = dst + dstskipleft; ++ addr = dstaddr + dstskipleft; + for (x = dstskipleft; x < bltwidth; x += (DEPTH / 8)) { + if ((bitmask & 0xff) == 0) { + bitmask = 0x80; +@@ -131,24 +133,24 @@ glue(glue(glue(cirrus_colorexpand_transp_, ROP_NAME), _),DEPTH) + } + index = (bits & bitmask); + if (index) { +- PUTPIXEL(); ++ PUTPIXEL(s, addr, col); + } +- d += (DEPTH / 8); ++ addr += (DEPTH / 8); + bitmask >>= 1; + } +- dst += dstpitch; ++ dstaddr += dstpitch; + } + } + + static void + glue(glue(glue(cirrus_colorexpand_, ROP_NAME), _),DEPTH) +- (CirrusVGAState * s, uint8_t * dst, +- const uint8_t * src, ++ (CirrusVGAState *s, uint32_t dstaddr, ++ const uint8_t *src, + int dstpitch, int srcpitch, + int bltwidth, int bltheight) + { + uint32_t colors[2]; +- uint8_t *d; ++ uint32_t addr; + int x, y; + unsigned bits; + unsigned int col; +@@ -161,29 +163,29 @@ 
glue(glue(glue(cirrus_colorexpand_, ROP_NAME), _),DEPTH) + for(y = 0; y < bltheight; y++) { + bitmask = 0x80 >> srcskipleft; + bits = *src++; +- d = dst + dstskipleft; ++ addr = dstaddr + dstskipleft; + for (x = dstskipleft; x < bltwidth; x += (DEPTH / 8)) { + if ((bitmask & 0xff) == 0) { + bitmask = 0x80; + bits = *src++; + } + col = colors[!!(bits & bitmask)]; +- PUTPIXEL(); +- d += (DEPTH / 8); ++ PUTPIXEL(s, addr, col); ++ addr += (DEPTH / 8); + bitmask >>= 1; + } +- dst += dstpitch; ++ dstaddr += dstpitch; + } + } + + static void + glue(glue(glue(cirrus_colorexpand_pattern_transp_, ROP_NAME), _),DEPTH) +- (CirrusVGAState * s, uint8_t * dst, +- const uint8_t * src, ++ (CirrusVGAState *s, uint32_t dstaddr, ++ const uint8_t *src, + int dstpitch, int srcpitch, + int bltwidth, int bltheight) + { +- uint8_t *d; ++ uint32_t addr; + int x, y, bitpos, pattern_y; + unsigned int bits, bits_xor; + unsigned int col; +@@ -207,28 +209,28 @@ glue(glue(glue(cirrus_colorexpand_pattern_transp_, ROP_NAME), _),DEPTH) + for(y = 0; y < bltheight; y++) { + bits = src[pattern_y] ^ bits_xor; + bitpos = 7 - srcskipleft; +- d = dst + dstskipleft; ++ addr = dstaddr + dstskipleft; + for (x = dstskipleft; x < bltwidth; x += (DEPTH / 8)) { + if ((bits >> bitpos) & 1) { +- PUTPIXEL(); ++ PUTPIXEL(s, addr, col); + } +- d += (DEPTH / 8); ++ addr += (DEPTH / 8); + bitpos = (bitpos - 1) & 7; + } + pattern_y = (pattern_y + 1) & 7; +- dst += dstpitch; ++ dstaddr += dstpitch; + } + } + + static void + glue(glue(glue(cirrus_colorexpand_pattern_, ROP_NAME), _),DEPTH) +- (CirrusVGAState * s, uint8_t * dst, +- const uint8_t * src, ++ (CirrusVGAState *s, uint32_t dstaddr, ++ const uint8_t *src, + int dstpitch, int srcpitch, + int bltwidth, int bltheight) + { + uint32_t colors[2]; +- uint8_t *d; ++ uint32_t addr; + int x, y, bitpos, pattern_y; + unsigned int bits; + unsigned int col; +@@ -242,38 +244,37 @@ glue(glue(glue(cirrus_colorexpand_pattern_, ROP_NAME), _),DEPTH) + for(y = 0; y < bltheight; y++) { 
+ bits = src[pattern_y]; + bitpos = 7 - srcskipleft; +- d = dst + dstskipleft; ++ addr = dstaddr + dstskipleft; + for (x = dstskipleft; x < bltwidth; x += (DEPTH / 8)) { + col = colors[(bits >> bitpos) & 1]; +- PUTPIXEL(); +- d += (DEPTH / 8); ++ PUTPIXEL(s, addr, col); ++ addr += (DEPTH / 8); + bitpos = (bitpos - 1) & 7; + } + pattern_y = (pattern_y + 1) & 7; +- dst += dstpitch; ++ dstaddr += dstpitch; + } + } + + static void + glue(glue(glue(cirrus_fill_, ROP_NAME), _),DEPTH) + (CirrusVGAState *s, +- uint8_t *dst, int dst_pitch, ++ uint32_t dstaddr, int dst_pitch, + int width, int height) + { +- uint8_t *d, *d1; ++ uint32_t addr; + uint32_t col; + int x, y; + + col = s->cirrus_blt_fgcol; + +- d1 = dst; + for(y = 0; y < height; y++) { +- d = d1; ++ addr = dstaddr; + for(x = 0; x < width; x += (DEPTH / 8)) { +- PUTPIXEL(); +- d += (DEPTH / 8); ++ PUTPIXEL(s, addr, col); ++ addr += (DEPTH / 8); + } +- d1 += dst_pitch; ++ dstaddr += dst_pitch; + } + } + diff --git a/0079-cirrus-stop-passing-around-src-pointers-in-the-blitt.patch b/0079-cirrus-stop-passing-around-src-pointers-in-the-blitt.patch new file mode 100644 index 0000000..491b651 --- /dev/null +++ b/0079-cirrus-stop-passing-around-src-pointers-in-the-blitt.patch 
@@ -0,0 +1,441 @@ +From: Gerd Hoffmann +Date: Wed, 15 Mar 2017 14:28:07 +0100 +Subject: [PATCH] cirrus: stop passing around src pointers in the blitter + +Does basically the same as "cirrus: stop passing around dst pointers in +the blitter", just for the src pointer instead of the dst pointer. + +For the src we have to care about cputovideo blits though and fetch the +data from s->cirrus_bltbuf instead of vga memory. The cirrus_src*() +helper functions handle that. + +Signed-off-by: Gerd Hoffmann +Message-id: 1489584487-3489-1-git-send-email-kraxel@redhat.com +(cherry picked from commit ffaf857778286ca54e3804432a2369a279e73aa7) +--- + hw/display/cirrus_vga.c | 61 +++++++++++++++++++++++++++++++++++--------- + hw/display/cirrus_vga_rop.h | 48 +++++++++++++++++----------------- + hw/display/cirrus_vga_rop2.h | 38 ++++++++++++++------------- + 3 files changed, 93 insertions(+), 54 deletions(-) + +diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c +index f1952a00a8..9274c25f46 100644 +--- a/hw/display/cirrus_vga.c ++++ b/hw/display/cirrus_vga.c +@@ -177,7 +177,7 @@ + + struct CirrusVGAState; + typedef void (*cirrus_bitblt_rop_t) (struct CirrusVGAState *s, +- uint32_t dstaddr, const uint8_t *src, ++ uint32_t dstaddr, uint32_t srcaddr, + int dstpitch, int srcpitch, + int bltwidth, int bltheight); + typedef void (*cirrus_fill_t)(struct CirrusVGAState *s, +@@ -320,7 +320,7 @@ static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only) + } + + static void cirrus_bitblt_rop_nop(CirrusVGAState *s, +- uint32_t dstaddr, const uint8_t *src, ++ uint32_t dstaddr, uint32_t srcaddr, + int dstpitch,int srcpitch, + int bltwidth,int bltheight) + { +@@ -332,6 +332,45 @@ static void cirrus_bitblt_fill_nop(CirrusVGAState *s, + { + } + ++static inline uint8_t cirrus_src(CirrusVGAState *s, uint32_t srcaddr) ++{ ++ if (s->cirrus_srccounter) { ++ /* cputovideo */ ++ return s->cirrus_bltbuf[srcaddr & (CIRRUS_BLTBUFSIZE - 1)]; ++ } else { ++ /* videotovideo */ ++ return 
s->vga.vram_ptr[srcaddr & s->cirrus_addr_mask]; ++ } ++} ++ ++static inline uint16_t cirrus_src16(CirrusVGAState *s, uint32_t srcaddr) ++{ ++ uint16_t *src; ++ ++ if (s->cirrus_srccounter) { ++ /* cputovideo */ ++ src = (void *)&s->cirrus_bltbuf[srcaddr & (CIRRUS_BLTBUFSIZE - 1) & ~1]; ++ } else { ++ /* videotovideo */ ++ src = (void *)&s->vga.vram_ptr[srcaddr & s->cirrus_addr_mask & ~1]; ++ } ++ return *src; ++} ++ ++static inline uint32_t cirrus_src32(CirrusVGAState *s, uint32_t srcaddr) ++{ ++ uint32_t *src; ++ ++ if (s->cirrus_srccounter) { ++ /* cputovideo */ ++ src = (void *)&s->cirrus_bltbuf[srcaddr & (CIRRUS_BLTBUFSIZE - 1) & ~3]; ++ } else { ++ /* videotovideo */ ++ src = (void *)&s->vga.vram_ptr[srcaddr & s->cirrus_addr_mask & ~3]; ++ } ++ return *src; ++} ++ + #define ROP_NAME 0 + #define ROP_FN(d, s) 0 + #include "cirrus_vga_rop.h" +@@ -674,10 +713,10 @@ static void cirrus_invalidate_region(CirrusVGAState * s, int off_begin, + } + } + +-static int cirrus_bitblt_common_patterncopy(CirrusVGAState *s, bool videosrc) ++static int cirrus_bitblt_common_patterncopy(CirrusVGAState *s) + { + uint32_t patternsize; +- uint8_t *src; ++ bool videosrc = !s->cirrus_srccounter; + + if (videosrc) { + switch (s->vga.get_bpp(&s->vga)) { +@@ -698,16 +737,14 @@ static int cirrus_bitblt_common_patterncopy(CirrusVGAState *s, bool videosrc) + if (s->cirrus_blt_srcaddr + patternsize > s->vga.vram_size) { + return 0; + } +- src = s->vga.vram_ptr + s->cirrus_blt_srcaddr; +- } else { +- src = s->cirrus_bltbuf; + } + + if (blit_is_unsafe(s, true)) { + return 0; + } + +- (*s->cirrus_rop) (s, s->cirrus_blt_dstaddr, src, ++ (*s->cirrus_rop) (s, s->cirrus_blt_dstaddr, ++ videosrc ? 
s->cirrus_blt_srcaddr : 0, + s->cirrus_blt_dstpitch, 0, + s->cirrus_blt_width, s->cirrus_blt_height); + cirrus_invalidate_region(s, s->cirrus_blt_dstaddr, +@@ -744,7 +781,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop) + + static int cirrus_bitblt_videotovideo_patterncopy(CirrusVGAState * s) + { +- return cirrus_bitblt_common_patterncopy(s, true); ++ return cirrus_bitblt_common_patterncopy(s); + } + + static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h) +@@ -794,7 +831,7 @@ static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h) + } + + (*s->cirrus_rop) (s, s->cirrus_blt_dstaddr, +- s->vga.vram_ptr + s->cirrus_blt_srcaddr, ++ s->cirrus_blt_srcaddr, + s->cirrus_blt_dstpitch, s->cirrus_blt_srcpitch, + s->cirrus_blt_width, s->cirrus_blt_height); + +@@ -837,7 +874,7 @@ static void cirrus_bitblt_cputovideo_next(CirrusVGAState * s) + + if (s->cirrus_srccounter > 0) { + if (s->cirrus_blt_mode & CIRRUS_BLTMODE_PATTERNCOPY) { +- cirrus_bitblt_common_patterncopy(s, false); ++ cirrus_bitblt_common_patterncopy(s); + the_end: + s->cirrus_srccounter = 0; + cirrus_bitblt_reset(s); +@@ -845,7 +882,7 @@ static void cirrus_bitblt_cputovideo_next(CirrusVGAState * s) + /* at least one scan line */ + do { + (*s->cirrus_rop)(s, s->cirrus_blt_dstaddr, +- s->cirrus_bltbuf, 0, 0, s->cirrus_blt_width, 1); ++ 0, 0, 0, s->cirrus_blt_width, 1); + cirrus_invalidate_region(s, s->cirrus_blt_dstaddr, 0, + s->cirrus_blt_width, 1); + s->cirrus_blt_dstaddr += s->cirrus_blt_dstpitch; +diff --git a/hw/display/cirrus_vga_rop.h b/hw/display/cirrus_vga_rop.h +index 1aa778d3e8..c61a677353 100644 +--- a/hw/display/cirrus_vga_rop.h ++++ b/hw/display/cirrus_vga_rop.h +@@ -78,7 +78,7 @@ static inline void glue(rop_32_, ROP_NAME)(CirrusVGAState *s, + static void + glue(cirrus_bitblt_rop_fwd_, ROP_NAME)(CirrusVGAState *s, + uint32_t dstaddr, +- const uint8_t *src, ++ uint32_t srcaddr, + int dstpitch, int srcpitch, + int bltwidth, int bltheight) 
+ { +@@ -92,19 +92,19 @@ glue(cirrus_bitblt_rop_fwd_, ROP_NAME)(CirrusVGAState *s, + + for (y = 0; y < bltheight; y++) { + for (x = 0; x < bltwidth; x++) { +- ROP_OP(s, dstaddr, *src); ++ ROP_OP(s, dstaddr, cirrus_src(s, srcaddr)); + dstaddr++; +- src++; ++ srcaddr++; + } + dstaddr += dstpitch; +- src += srcpitch; ++ srcaddr += srcpitch; + } + } + + static void + glue(cirrus_bitblt_rop_bkwd_, ROP_NAME)(CirrusVGAState *s, + uint32_t dstaddr, +- const uint8_t *src, ++ uint32_t srcaddr, + int dstpitch, int srcpitch, + int bltwidth, int bltheight) + { +@@ -113,19 +113,19 @@ glue(cirrus_bitblt_rop_bkwd_, ROP_NAME)(CirrusVGAState *s, + srcpitch += bltwidth; + for (y = 0; y < bltheight; y++) { + for (x = 0; x < bltwidth; x++) { +- ROP_OP(s, dstaddr, *src); ++ ROP_OP(s, dstaddr, cirrus_src(s, srcaddr)); + dstaddr--; +- src--; ++ srcaddr--; + } + dstaddr += dstpitch; +- src += srcpitch; ++ srcaddr += srcpitch; + } + } + + static void + glue(glue(cirrus_bitblt_rop_fwd_transp_, ROP_NAME),_8)(CirrusVGAState *s, + uint32_t dstaddr, +- const uint8_t *src, ++ uint32_t srcaddr, + int dstpitch, + int srcpitch, + int bltwidth, +@@ -142,19 +142,19 @@ glue(glue(cirrus_bitblt_rop_fwd_transp_, ROP_NAME),_8)(CirrusVGAState *s, + + for (y = 0; y < bltheight; y++) { + for (x = 0; x < bltwidth; x++) { +- ROP_OP_TR(s, dstaddr, *src, transp); ++ ROP_OP_TR(s, dstaddr, cirrus_src(s, srcaddr), transp); + dstaddr++; +- src++; ++ srcaddr++; + } + dstaddr += dstpitch; +- src += srcpitch; ++ srcaddr += srcpitch; + } + } + + static void + glue(glue(cirrus_bitblt_rop_bkwd_transp_, ROP_NAME),_8)(CirrusVGAState *s, + uint32_t dstaddr, +- const uint8_t *src, ++ uint32_t srcaddr, + int dstpitch, + int srcpitch, + int bltwidth, +@@ -166,19 +166,19 @@ glue(glue(cirrus_bitblt_rop_bkwd_transp_, ROP_NAME),_8)(CirrusVGAState *s, + srcpitch += bltwidth; + for (y = 0; y < bltheight; y++) { + for (x = 0; x < bltwidth; x++) { +- ROP_OP_TR(s, dstaddr, *src, transp); ++ ROP_OP_TR(s, dstaddr, cirrus_src(s, srcaddr), 
transp); + dstaddr--; +- src--; ++ srcaddr--; + } + dstaddr += dstpitch; +- src += srcpitch; ++ srcaddr += srcpitch; + } + } + + static void + glue(glue(cirrus_bitblt_rop_fwd_transp_, ROP_NAME),_16)(CirrusVGAState *s, + uint32_t dstaddr, +- const uint8_t *src, ++ uint32_t srcaddr, + int dstpitch, + int srcpitch, + int bltwidth, +@@ -195,19 +195,19 @@ glue(glue(cirrus_bitblt_rop_fwd_transp_, ROP_NAME),_16)(CirrusVGAState *s, + + for (y = 0; y < bltheight; y++) { + for (x = 0; x < bltwidth; x+=2) { +- ROP_OP_TR_16(s, dstaddr, *(uint16_t *)src, transp); ++ ROP_OP_TR_16(s, dstaddr, cirrus_src16(s, srcaddr), transp); + dstaddr += 2; +- src += 2; ++ srcaddr += 2; + } + dstaddr += dstpitch; +- src += srcpitch; ++ srcaddr += srcpitch; + } + } + + static void + glue(glue(cirrus_bitblt_rop_bkwd_transp_, ROP_NAME),_16)(CirrusVGAState *s, + uint32_t dstaddr, +- const uint8_t *src, ++ uint32_t srcaddr, + int dstpitch, + int srcpitch, + int bltwidth, +@@ -219,12 +219,12 @@ glue(glue(cirrus_bitblt_rop_bkwd_transp_, ROP_NAME),_16)(CirrusVGAState *s, + srcpitch += bltwidth; + for (y = 0; y < bltheight; y++) { + for (x = 0; x < bltwidth; x+=2) { +- ROP_OP_TR_16(s, dstaddr, *(uint16_t *)src, transp); ++ ROP_OP_TR_16(s, dstaddr, cirrus_src16(s, srcaddr), transp); + dstaddr -= 2; +- src -= 2; ++ srcaddr -= 2; + } + dstaddr += dstpitch; +- src += srcpitch; ++ srcaddr += srcpitch; + } + } + +diff --git a/hw/display/cirrus_vga_rop2.h b/hw/display/cirrus_vga_rop2.h +index bc92f0e0e7..b86bcd6e09 100644 +--- a/hw/display/cirrus_vga_rop2.h ++++ b/hw/display/cirrus_vga_rop2.h +@@ -41,14 +41,14 @@ + static void + glue(glue(glue(cirrus_patternfill_, ROP_NAME), _),DEPTH) + (CirrusVGAState *s, uint32_t dstaddr, +- const uint8_t *src, ++ uint32_t srcaddr, + int dstpitch, int srcpitch, + int bltwidth, int bltheight) + { + uint32_t addr; + int x, y, pattern_y, pattern_pitch, pattern_x; + unsigned int col; +- const uint8_t *src1; ++ uint32_t src1addr; + #if DEPTH == 24 + int skipleft = s->vga.gr[0x2f] 
& 0x1f; + #else +@@ -66,22 +66,24 @@ glue(glue(glue(cirrus_patternfill_, ROP_NAME), _),DEPTH) + for(y = 0; y < bltheight; y++) { + pattern_x = skipleft; + addr = dstaddr + skipleft; +- src1 = src + pattern_y * pattern_pitch; ++ src1addr = srcaddr + pattern_y * pattern_pitch; + for (x = skipleft; x < bltwidth; x += (DEPTH / 8)) { + #if DEPTH == 8 +- col = src1[pattern_x]; ++ col = cirrus_src(s, src1addr + pattern_x); + pattern_x = (pattern_x + 1) & 7; + #elif DEPTH == 16 +- col = ((uint16_t *)(src1 + pattern_x))[0]; ++ col = cirrus_src16(s, src1addr + pattern_x); + pattern_x = (pattern_x + 2) & 15; + #elif DEPTH == 24 + { +- const uint8_t *src2 = src1 + pattern_x * 3; +- col = src2[0] | (src2[1] << 8) | (src2[2] << 16); ++ uint32_t src2addr = src1addr + pattern_x * 3; ++ col = cirrus_src(s, src2addr) | ++ (cirrus_src(s, src2addr + 1) << 8) | ++ (cirrus_src(s, src2addr + 2) << 16); + pattern_x = (pattern_x + 1) & 7; + } + #else +- col = ((uint32_t *)(src1 + pattern_x))[0]; ++ col = cirrus_src32(s, src1addr + pattern_x); + pattern_x = (pattern_x + 4) & 31; + #endif + PUTPIXEL(s, addr, col); +@@ -96,7 +98,7 @@ glue(glue(glue(cirrus_patternfill_, ROP_NAME), _),DEPTH) + static void + glue(glue(glue(cirrus_colorexpand_transp_, ROP_NAME), _),DEPTH) + (CirrusVGAState *s, uint32_t dstaddr, +- const uint8_t *src, ++ uint32_t srcaddr, + int dstpitch, int srcpitch, + int bltwidth, int bltheight) + { +@@ -124,12 +126,12 @@ glue(glue(glue(cirrus_colorexpand_transp_, ROP_NAME), _),DEPTH) + + for(y = 0; y < bltheight; y++) { + bitmask = 0x80 >> srcskipleft; +- bits = *src++ ^ bits_xor; ++ bits = cirrus_src(s, srcaddr++) ^ bits_xor; + addr = dstaddr + dstskipleft; + for (x = dstskipleft; x < bltwidth; x += (DEPTH / 8)) { + if ((bitmask & 0xff) == 0) { + bitmask = 0x80; +- bits = *src++ ^ bits_xor; ++ bits = cirrus_src(s, srcaddr++) ^ bits_xor; + } + index = (bits & bitmask); + if (index) { +@@ -145,7 +147,7 @@ glue(glue(glue(cirrus_colorexpand_transp_, ROP_NAME), _),DEPTH) + static 
void + glue(glue(glue(cirrus_colorexpand_, ROP_NAME), _),DEPTH) + (CirrusVGAState *s, uint32_t dstaddr, +- const uint8_t *src, ++ uint32_t srcaddr, + int dstpitch, int srcpitch, + int bltwidth, int bltheight) + { +@@ -162,12 +164,12 @@ glue(glue(glue(cirrus_colorexpand_, ROP_NAME), _),DEPTH) + colors[1] = s->cirrus_blt_fgcol; + for(y = 0; y < bltheight; y++) { + bitmask = 0x80 >> srcskipleft; +- bits = *src++; ++ bits = cirrus_src(s, srcaddr++); + addr = dstaddr + dstskipleft; + for (x = dstskipleft; x < bltwidth; x += (DEPTH / 8)) { + if ((bitmask & 0xff) == 0) { + bitmask = 0x80; +- bits = *src++; ++ bits = cirrus_src(s, srcaddr++); + } + col = colors[!!(bits & bitmask)]; + PUTPIXEL(s, addr, col); +@@ -181,7 +183,7 @@ glue(glue(glue(cirrus_colorexpand_, ROP_NAME), _),DEPTH) + static void + glue(glue(glue(cirrus_colorexpand_pattern_transp_, ROP_NAME), _),DEPTH) + (CirrusVGAState *s, uint32_t dstaddr, +- const uint8_t *src, ++ uint32_t srcaddr, + int dstpitch, int srcpitch, + int bltwidth, int bltheight) + { +@@ -207,7 +209,7 @@ glue(glue(glue(cirrus_colorexpand_pattern_transp_, ROP_NAME), _),DEPTH) + pattern_y = s->cirrus_blt_srcaddr & 7; + + for(y = 0; y < bltheight; y++) { +- bits = src[pattern_y] ^ bits_xor; ++ bits = cirrus_src(s, srcaddr + pattern_y) ^ bits_xor; + bitpos = 7 - srcskipleft; + addr = dstaddr + dstskipleft; + for (x = dstskipleft; x < bltwidth; x += (DEPTH / 8)) { +@@ -225,7 +227,7 @@ glue(glue(glue(cirrus_colorexpand_pattern_transp_, ROP_NAME), _),DEPTH) + static void + glue(glue(glue(cirrus_colorexpand_pattern_, ROP_NAME), _),DEPTH) + (CirrusVGAState *s, uint32_t dstaddr, +- const uint8_t *src, ++ uint32_t srcaddr, + int dstpitch, int srcpitch, + int bltwidth, int bltheight) + { +@@ -242,7 +244,7 @@ glue(glue(glue(cirrus_colorexpand_pattern_, ROP_NAME), _),DEPTH) + pattern_y = s->cirrus_blt_srcaddr & 7; + + for(y = 0; y < bltheight; y++) { +- bits = src[pattern_y]; ++ bits = cirrus_src(s, srcaddr + pattern_y); + bitpos = 7 - srcskipleft; + 
addr = dstaddr + dstskipleft; + for (x = dstskipleft; x < bltwidth; x += (DEPTH / 8)) { diff --git a/0080-cirrus-fix-off-by-one-in-cirrus_bitblt_rop_bkwd_tran.patch b/0080-cirrus-fix-off-by-one-in-cirrus_bitblt_rop_bkwd_tran.patch new file mode 100644 index 0000000..e65aaed --- /dev/null +++ b/0080-cirrus-fix-off-by-one-in-cirrus_bitblt_rop_bkwd_tran.patch @@ -0,0 +1,34 @@ +From: Gerd Hoffmann +Date: Fri, 17 Mar 2017 08:21:36 +0100 +Subject: [PATCH] cirrus: fix off-by-one in cirrus_bitblt_rop_bkwd_transp_*_16 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The switch from pointers to addresses (commit +026aeffcb4752054830ba203020ed6eb05bcaba8 and +ffaf857778286ca54e3804432a2369a279e73aa7) added +a off-by-one bug to 16bit backward blits. Fix. + +Reported-by: 李强 +Signed-off-by: Gerd Hoffmann +Reviewed-by: Li Qiang +Message-id: 1489735296-19047-1-git-send-email-kraxel@redhat.com +(cherry picked from commit f019722cbbb45aea153294fc8921fcc96a4d3fa2) +--- + hw/display/cirrus_vga_rop.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/display/cirrus_vga_rop.h b/hw/display/cirrus_vga_rop.h +index c61a677353..0841b9efa9 100644 +--- a/hw/display/cirrus_vga_rop.h ++++ b/hw/display/cirrus_vga_rop.h +@@ -219,7 +219,7 @@ glue(glue(cirrus_bitblt_rop_bkwd_transp_, ROP_NAME),_16)(CirrusVGAState *s, + srcpitch += bltwidth; + for (y = 0; y < bltheight; y++) { + for (x = 0; x < bltwidth; x+=2) { +- ROP_OP_TR_16(s, dstaddr, cirrus_src16(s, srcaddr), transp); ++ ROP_OP_TR_16(s, dstaddr - 1, cirrus_src16(s, srcaddr - 1), transp); + dstaddr -= 2; + srcaddr -= 2; + } diff --git a/0081-vmw_pvscsi-check-message-ring-page-count-at-initiali.patch b/0081-vmw_pvscsi-check-message-ring-page-count-at-initiali.patch new file mode 100644 index 0000000..405959a --- /dev/null +++ b/0081-vmw_pvscsi-check-message-ring-page-count-at-initiali.patch 
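Review bot: `cirrus_src()`, `cirrus_src16()` and `cirrus_src32()` pick the source buffer from `s->cirrus_srccounter`, so the meaning of a caller's `srcaddr` (offset into `cirrus_bltbuf` or VRAM address) now depends on global blit state rather than on an argument, and nothing in the hunk says so. A header comment on the helpers would fix that, e.g. `/* srcaddr indexes cirrus_bltbuf while a cputovideo transfer is pending (cirrus_srccounter != 0), otherwise VRAM; both paths mask the address, so callers need no range check */`. With that masking, the remaining `s->cirrus_blt_srcaddr + patternsize > s->vga.vram_size` test in cirrus_bitblt_common_patterncopy appears to reject patterns that would wrap past the end of VRAM rather than to guard memory, which deserves a one-line comment so it is not removed as redundant. The 16/32-bit helpers read through a `uint16_t *`/`uint32_t *` punned onto a byte buffer; QEMU's `lduw_p()`/`ldl_p()` would express the same host-endian load without the cast.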
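Review bot: The `- 1` on both addresses restores the pointer version's `*(dst-1)`, `*dst` pair only when `dstaddr` and `srcaddr` point at the high byte of the last 16-bit pixel: `rop_tr_16_*` and `cirrus_src16()` align with `& ~1`, so for an even address the adjusted value selects the pair one byte lower than the old code read. If odd addresses are guaranteed here, a short comment saves the next reader re-deriving it, e.g. `/* backward blits address the last byte of a pixel; step back to its first byte before the & ~1 alignment */`. The enclosing function starts and ends outside the hunk.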
@@ -0,0 +1,30 @@ +From: P J P +Date: Tue, 25 Apr 2017 18:36:23 +0530 +Subject: [PATCH] vmw_pvscsi: check message ring page count at initialisation + +A guest could set the message ring page count to zero, resulting in +infinite loop. Add check to avoid it. + +Reported-by: YY Z +Signed-off-by: P J P +Message-Id: <20170425130623.3649-1-ppandit@redhat.com> +Reviewed-by: Dmitry Fleytman +Signed-off-by: Paolo Bonzini +(cherry picked from commit f68826989cd4d1217797251339579c57b3c0934e) +--- + hw/scsi/vmw_pvscsi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c +index a5ce7dea8e..44141322de 100644 +--- a/hw/scsi/vmw_pvscsi.c ++++ b/hw/scsi/vmw_pvscsi.c +@@ -202,7 +202,7 @@ pvscsi_ring_init_msg(PVSCSIRingInfo *m, PVSCSICmdDescSetupMsgRing *ri) + uint32_t len_log2; + uint32_t ring_size; + +- if (ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) { ++ if (!ri->numPages || ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) { + return -1; + } + ring_size = ri->numPages * PVSCSI_MAX_NUM_MSG_ENTRIES_PER_PAGE; diff --git a/0082-audio-release-capture-buffers.patch b/0082-audio-release-capture-buffers.patch new file mode 100644 index 0000000..5ee6593 --- /dev/null +++ b/0082-audio-release-capture-buffers.patch 
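Review bot: The new `!ri->numPages` test gives no hint of why zero is rejected; the commit message says a zero page count makes a later size computation loop forever, but that loop is outside the hunk and the condition reads like an ordinary range check. A comment on the line above would carry that reasoning, e.g. `/* 0 pages would give an empty ring and an unterminated size loop below */`. The request and completion ring setup presumably has an equivalent page-count check; if it does not, the same guard applies there. `pvscsi_ring_init_msg` continues outside the hunk.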
@@ -0,0 +1,35 @@ +From: Gerd Hoffmann +Date: Fri, 28 Apr 2017 09:56:12 +0200 +Subject: [PATCH] audio: release capture buffers + +AUD_add_capture() allocates two buffers which are never released. +Add the missing calls to AUD_del_capture(). + +Impact: Allows vnc clients to exhaust host memory by repeatedly +starting and stopping audio capture. + +Fixes: CVE-2017-8309 +Cc: P J P +Cc: Huawei PSIRT +Reported-by: "Jiangxin (hunter, SCC)" +Signed-off-by: Gerd Hoffmann +Reviewed-by: Prasad J Pandit +Message-id: 20170428075612.9997-1-kraxel@redhat.com +(cherry picked from commit 3268a845f41253fb55852a8429c32b50f36f349a) +--- + audio/audio.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/audio/audio.c b/audio/audio.c +index c845a44f0a..adede3c9ef 100644 +--- a/audio/audio.c ++++ b/audio/audio.c +@@ -2023,6 +2023,8 @@ void AUD_del_capture (CaptureVoiceOut *cap, void *cb_opaque) + sw = sw1; + } + QLIST_REMOVE (cap, entries); ++ g_free (cap->hw.mix_buf); ++ g_free (cap->buf); + g_free (cap); + } + return; diff --git a/0083-input-limit-kbd-queue-depth.patch b/0083-input-limit-kbd-queue-depth.patch new file mode 100644 index 0000000..ca9e610 --- /dev/null +++ b/0083-input-limit-kbd-queue-depth.patch 
@@ -0,0 +1,87 @@ +From: Gerd Hoffmann +Date: Fri, 28 Apr 2017 10:42:37 +0200 +Subject: [PATCH] input: limit kbd queue depth + +Apply a limit to the number of items we accept into the keyboard queue. + +Impact: Without this limit vnc clients can exhaust host memory by +sending keyboard events faster than qemu feeds them to the guest. + +Fixes: CVE-2017-8379 +Cc: P J P +Cc: Huawei PSIRT +Reported-by: jiangxin1@huawei.com +Signed-off-by: Gerd Hoffmann +Message-id: 20170428084237.23960-1-kraxel@redhat.com +(cherry picked from commit fa18f36a461984eae50ab957e47ec78dae3c14fc) +--- + ui/input.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/ui/input.c b/ui/input.c +index ed88cda6d6..fb1f404095 100644 +--- a/ui/input.c ++++ b/ui/input.c +@@ -41,6 +41,8 @@ static QTAILQ_HEAD(QemuInputEventQueueHead, QemuInputEventQueue) kbd_queue = + QTAILQ_HEAD_INITIALIZER(kbd_queue); + static QEMUTimer *kbd_timer; + static uint32_t kbd_default_delay_ms = 10; ++static uint32_t queue_count; ++static uint32_t queue_limit = 1024; + + QemuInputHandlerState *qemu_input_handler_register(DeviceState *dev, + QemuInputHandler *handler) +@@ -268,6 +270,7 @@ static void qemu_input_queue_process(void *opaque) + break; + } + QTAILQ_REMOVE(queue, item, node); ++ queue_count--; + g_free(item); + } + } +@@ -282,6 +285,7 @@ static void qemu_input_queue_delay(struct QemuInputEventQueueHead *queue, + item->delay_ms = delay_ms; + item->timer = timer; + QTAILQ_INSERT_TAIL(queue, item, node); ++ queue_count++; + + if (start_timer) { + timer_mod(item->timer, qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL) +@@ -298,6 +302,7 @@ static void qemu_input_queue_event(struct QemuInputEventQueueHead *queue, + item->src = src; + item->evt = evt; + QTAILQ_INSERT_TAIL(queue, item, node); ++ queue_count++; + } + + static void qemu_input_queue_sync(struct QemuInputEventQueueHead *queue) +@@ -306,6 +311,7 @@ static void qemu_input_queue_sync(struct QemuInputEventQueueHead *queue) + + item->type = 
QEMU_INPUT_QUEUE_SYNC; + QTAILQ_INSERT_TAIL(queue, item, node); ++ queue_count++; + } + + void qemu_input_event_send_impl(QemuConsole *src, InputEvent *evt) +@@ -381,7 +387,7 @@ void qemu_input_event_send_key(QemuConsole *src, KeyValue *key, bool down) + qemu_input_event_send(src, evt); + qemu_input_event_sync(); + qapi_free_InputEvent(evt); +- } else { ++ } else if (queue_count < queue_limit) { + qemu_input_queue_event(&kbd_queue, src, evt); + qemu_input_queue_sync(&kbd_queue); + } +@@ -409,8 +415,10 @@ void qemu_input_event_send_key_delay(uint32_t delay_ms) + kbd_timer = timer_new_ms(QEMU_CLOCK_VIRTUAL, qemu_input_queue_process, + &kbd_queue); + } +- qemu_input_queue_delay(&kbd_queue, kbd_timer, +- delay_ms ? delay_ms : kbd_default_delay_ms); ++ if (queue_count < queue_limit) { ++ qemu_input_queue_delay(&kbd_queue, kbd_timer, ++ delay_ms ? delay_ms : kbd_default_delay_ms); ++ } + } + + InputEvent *qemu_input_event_new_btn(InputButton btn, bool down) diff --git a/0084-scsi-avoid-an-off-by-one-error-in-megasas_mmio_write.patch b/0084-scsi-avoid-an-off-by-one-error-in-megasas_mmio_write.patch new file mode 100644 index 0000000..5b20930 --- /dev/null +++ b/0084-scsi-avoid-an-off-by-one-error-in-megasas_mmio_write.patch 
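Review bot: When the queue is full, `qemu_input_event_send_key` now falls off the new `else if` without releasing `evt`: the immediate path calls `qapi_free_InputEvent(evt)` after sending and the queued path hands `evt` to the queue item, but the dropped path does neither, so every event rejected by the limit leaks an InputEvent. Add a final branch, `} else { qapi_free_InputEvent(evt); }`. Silently dropping key events may also leave a key held down in the guest when the dropped event is a release; that trade-off is worth a comment next to `queue_limit`. The second `queue_count < queue_limit` guard in `qemu_input_event_send_key_delay` only skips a delay marker and needs no free.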
@@ -0,0 +1,42 @@ +From: Prasad J Pandit +Date: Mon, 24 Apr 2017 17:36:34 +0530 +Subject: [PATCH] scsi: avoid an off-by-one error in megasas_mmio_write + +While reading magic sequence(MFI_SEQ) in megasas_mmio_write, +an off-by-one error could occur as 's->adp_reset' index is not +reset after reading the last sequence. + +Reported-by: YY Z +Signed-off-by: Prasad J Pandit +Message-Id: <20170424120634.12268-1-ppandit@redhat.com> +Signed-off-by: Paolo Bonzini +(cherry picked from commit 24dfa9fa2f90a95ac33c7372de4f4f2c8a2c141f) +--- + hw/scsi/megasas.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c +index ebf03022ed..efcbaa9c8d 100644 +--- a/hw/scsi/megasas.c ++++ b/hw/scsi/megasas.c +@@ -2132,15 +2132,15 @@ static void megasas_mmio_write(void *opaque, hwaddr addr, + case MFI_SEQ: + trace_megasas_mmio_writel("MFI_SEQ", val); + /* Magic sequence to start ADP reset */ +- if (adp_reset_seq[s->adp_reset] == val) { +- s->adp_reset++; ++ if (adp_reset_seq[s->adp_reset++] == val) { ++ if (s->adp_reset == 6) { ++ s->adp_reset = 0; ++ s->diag = MFI_DIAG_WRITE_ENABLE; ++ } + } else { + s->adp_reset = 0; + s->diag = 0; + } +- if (s->adp_reset == 6) { +- s->diag = MFI_DIAG_WRITE_ENABLE; +- } + break; + case MFI_DIAG: + trace_megasas_mmio_writel("MFI_DIAG", val); diff --git a/0085-virtio-gpu-fix-memory-leak-in-set-scanout.patch b/0085-virtio-gpu-fix-memory-leak-in-set-scanout.patch new file mode 100644 index 0000000..5921c98 --- /dev/null +++ b/0085-virtio-gpu-fix-memory-leak-in-set-scanout.patch 
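Review bot: The rewritten MFI_SEQ handling in megasas_mmio_write hard-codes the sequence length as `if (s->adp_reset == 6) {`, and the safety of the post-increment index in `adp_reset_seq[s->adp_reset++]` depends on that constant matching the table size exactly. Writing it as `if (s->adp_reset == ARRAY_SIZE(adp_reset_seq)) {` ties the bound to the table so a later edit to the sequence cannot reintroduce the out-of-bounds read this patch removes (adp_reset_seq is defined outside the hunk; this assumes it is an array rather than a pointer). A short comment above the inner check, e.g. `/* full sequence matched: enable diag writes and restart matching */`, would also make the two reset-to-zero paths easier to follow. megasas_mmio_write begins and ends outside the hunk.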
@@ -0,0 +1,33 @@ +From: Li Qiang +Date: Sat, 21 Jan 2017 23:42:33 -0800 +Subject: [PATCH] virtio-gpu: fix memory leak in set scanout +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +In virtio_gpu_set_scanout function, when creating the 'rect' +its refcount is set to 2, by pixman_image_create_bits and +qemu_create_displaysurface_pixman function. This can lead +a memory leak issues. This patch avoid this issue. + +Signed-off-by: Li Qiang +Reviewed-by: Marc-André Lureau +Message-id: 5884626f.5b2f6b0a.1bfff.3037@mx.google.com +Signed-off-by: Gerd Hoffmann +(cherry picked from commit dd248ed7e204ee8a1873914e02b8b526e8f1b80d) +--- + hw/display/virtio-gpu.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c +index cadd7d899d..7c8fda1733 100644 +--- a/hw/display/virtio-gpu.c ++++ b/hw/display/virtio-gpu.c +@@ -602,6 +602,7 @@ static void virtio_gpu_set_scanout(VirtIOGPU *g, + cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC; + return; + } ++ pixman_image_unref(rect); + dpy_gfx_replace_surface(g->scanout[ss.scanout_id].con, scanout->ds); + } + diff --git a/0086-net-e1000e-fix-an-infinite-loop-issue.patch b/0086-net-e1000e-fix-an-infinite-loop-issue.patch new file mode 100644 index 0000000..f61ac06 --- /dev/null +++ b/0086-net-e1000e-fix-an-infinite-loop-issue.patch 
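Review bot: The added `pixman_image_unref(rect);` runs only on the success path; the `return;` two lines above, taken when `scanout->ds` is NULL, still leaves `rect` holding the reference that pixman_image_create_bits gave it. If that error path is reachable, the leak described in the commit message persists there, so the drop should also precede the early return (`pixman_image_unref(rect);` directly before `return;`), or the unref could move ahead of the `if (!scanout->ds)` check if the surface takes its own reference only on success — which is right depends on qemu_create_displaysurface_pixman, outside the hunk. A one-line comment on the new unref, such as `/* the display surface now holds its own reference */`, would record why dropping it here is safe. virtio_gpu_set_scanout begins outside the hunk.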
@@ -0,0 +1,41 @@ +From: Li Qiang +Date: Thu, 9 Feb 2017 18:19:19 -0800 +Subject: [PATCH] net: e1000e: fix an infinite loop issue + +This issue is like the issue in e1000 network card addressed in +this commit: +e1000: eliminate infinite loops on out-of-bounds transfer start. + +Signed-off-by: Li Qiang +Reviewed-by: Dmitry Fleytman +Signed-off-by: Jason Wang +(cherry picked from commit 4154c7e03fa55b4cf52509a83d50d6c09d743b77) +--- + hw/net/e1000e_core.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/hw/net/e1000e_core.c b/hw/net/e1000e_core.c +index badb1feb7d..718154bc56 100644 +--- a/hw/net/e1000e_core.c ++++ b/hw/net/e1000e_core.c +@@ -806,7 +806,8 @@ typedef struct E1000E_RingInfo_st { + static inline bool + e1000e_ring_empty(E1000ECore *core, const E1000E_RingInfo *r) + { +- return core->mac[r->dh] == core->mac[r->dt]; ++ return core->mac[r->dh] == core->mac[r->dt] || ++ core->mac[r->dt] >= core->mac[r->dlen] / E1000_RING_DESC_LEN; + } + + static inline uint64_t +@@ -1522,6 +1523,10 @@ e1000e_write_packet_to_guest(E1000ECore *core, struct NetRxPkt *pkt, + desc_size = core->rx_desc_buf_size; + } + ++ if (e1000e_ring_empty(core, rxi)) { ++ return; ++ } ++ + base = e1000e_ring_head_descr(core, rxi); + + pci_dma_read(d, base, &desc, core->rx_desc_len); diff --git a/0087-usb-ohci-fix-error-return-code-in-servicing-iso-td.patch b/0087-usb-ohci-fix-error-return-code-in-servicing-iso-td.patch new file mode 100644 index 0000000..ff3b000 --- /dev/null +++ b/0087-usb-ohci-fix-error-return-code-in-servicing-iso-td.patch 
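Review bot: The clause added to e1000e_ring_empty, `core->mac[r->dt] >= core->mac[r->dlen] / E1000_RING_DESC_LEN`, carries no explanation of why a tail index past the end of the ring is reported as "empty"; the commit message only refers to a sibling e1000 change. Presumably the head can never advance to such a tail, so a comment like `/* A tail outside the ring can never be reached by the head: report the ring as drained instead of looping on it */` would give the next reader the reasoning the predicate encodes. The second hunk, which adds the `if (e1000e_ring_empty(core, rxi)) { return; }` guard in e1000e_write_packet_to_guest, relies on exactly that property; that function begins and ends outside the hunk.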
@@ -0,0 +1,28 @@ +From: Li Qiang +Date: Tue, 7 Feb 2017 03:15:03 -0800 +Subject: [PATCH] usb: ohci: fix error return code in servicing iso td + +It should return 1 if an error occurs when reading iso td. +This will avoid an infinite loop issue in ohci_service_ed_list. + +Signed-off-by: Li Qiang +Message-id: 5899ac3e.1033240a.944d5.9a2d@mx.google.com +Signed-off-by: Gerd Hoffmann +(cherry picked from commit 26f670a244982335cc08943fb1ec099a2c81e42d) +--- + hw/usb/hcd-ohci.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c +index 48307febd3..27130fe08f 100644 +--- a/hw/usb/hcd-ohci.c ++++ b/hw/usb/hcd-ohci.c +@@ -727,7 +727,7 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed, + if (ohci_read_iso_td(ohci, addr, &iso_td)) { + trace_usb_ohci_iso_td_read_failed(addr); + ohci_die(ohci); +- return 0; ++ return 1; + } + + starting_frame = OHCI_BM(iso_td.flags, TD_SF); diff --git a/0088-usb-ehci-fix-memory-leak-in-ehci.patch b/0088-usb-ehci-fix-memory-leak-in-ehci.patch new file mode 100644 index 0000000..cb4ab83 --- /dev/null +++ b/0088-usb-ehci-fix-memory-leak-in-ehci.patch 
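Review bot: The change from `return 0;` to `return 1;` after `ohci_die(ohci);` in ohci_service_iso_td relies on a return-value convention that is spelled out only in the commit message, not in the code. A comment at the return, e.g. `return 1; /* non-zero: stop the ED list walk in ohci_service_ed_list */`, would record why a failed TD read must not look like a normal completion, since the loop that interprets the value is not in this patch. ohci_service_iso_td's signature and the rest of its body lie outside the hunk.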
@@ -0,0 +1,75 @@ +From: Li Qiang +Date: Tue, 7 Feb 2017 18:42:55 -0800 +Subject: [PATCH] usb: ehci: fix memory leak in ehci + +In usb_ehci_init function, it initializes 's->ipacket', but there +is no corresponding function to free this. As the ehci can be hotplug +and unplug, this will leak host memory leak. In order to make the +hierarchy clean, we should add a ehci pci finalize function, then call +the clean function in ehci device. + +Signed-off-by: Li Qiang +Message-id: 589a85b8.3c2b9d0a.b8e6.1434@mx.google.com +Signed-off-by: Gerd Hoffmann +(cherry picked from commit d710e1e7bd3d5bfc26b631f02ae87901ebe646b0) +--- + hw/usb/hcd-ehci-pci.c | 9 +++++++++ + hw/usb/hcd-ehci.c | 5 +++++ + hw/usb/hcd-ehci.h | 1 + + 3 files changed, 15 insertions(+) + +diff --git a/hw/usb/hcd-ehci-pci.c b/hw/usb/hcd-ehci-pci.c +index 56577051e2..6dedcb8989 100644 +--- a/hw/usb/hcd-ehci-pci.c ++++ b/hw/usb/hcd-ehci-pci.c +@@ -89,6 +89,14 @@ static void usb_ehci_pci_init(Object *obj) + usb_ehci_init(s, DEVICE(obj)); + } + ++static void usb_ehci_pci_finalize(Object *obj) ++{ ++ EHCIPCIState *i = PCI_EHCI(obj); ++ EHCIState *s = &i->ehci; ++ ++ usb_ehci_finalize(s); ++} ++ + static void usb_ehci_pci_exit(PCIDevice *dev) + { + EHCIPCIState *i = PCI_EHCI(dev); +@@ -159,6 +167,7 @@ static const TypeInfo ehci_pci_type_info = { + .parent = TYPE_PCI_DEVICE, + .instance_size = sizeof(EHCIPCIState), + .instance_init = usb_ehci_pci_init, ++ .instance_finalize = usb_ehci_pci_finalize, + .abstract = true, + .class_init = ehci_class_init, + }; +diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c +index 7622a3ae72..50ef817f93 100644 +--- a/hw/usb/hcd-ehci.c ++++ b/hw/usb/hcd-ehci.c +@@ -2545,6 +2545,11 @@ void usb_ehci_init(EHCIState *s, DeviceState *dev) + &s->mem_ports); + } + ++void usb_ehci_finalize(EHCIState *s) ++{ ++ usb_packet_cleanup(&s->ipacket); ++} ++ + /* + * vim: expandtab ts=4 + */ +diff --git a/hw/usb/hcd-ehci.h b/hw/usb/hcd-ehci.h +index 3fd7038658..938d8aa284 100644 +--- 
a/hw/usb/hcd-ehci.h ++++ b/hw/usb/hcd-ehci.h +@@ -323,6 +323,7 @@ struct EHCIState { + extern const VMStateDescription vmstate_ehci; + + void usb_ehci_init(EHCIState *s, DeviceState *dev); ++void usb_ehci_finalize(EHCIState *s); + void usb_ehci_realize(EHCIState *s, DeviceState *dev, Error **errp); + void usb_ehci_unrealize(EHCIState *s, DeviceState *dev, Error **errp); + void ehci_reset(void *opaque); diff --git a/0089-usb-redir-fix-stack-overflow-in-usbredir_log_data.patch b/0089-usb-redir-fix-stack-overflow-in-usbredir_log_data.patch new file mode 100644 index 0000000..f78e6c6 --- /dev/null +++ b/0089-usb-redir-fix-stack-overflow-in-usbredir_log_data.patch 
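Review bot: The new usb_ehci_finalize is wired in only through `.instance_finalize = usb_ehci_pci_finalize,` on ehci_pci_type_info, so any other EHCI front end that calls usb_ehci_init (a sysbus variant, if this tree has one) still never releases `s->ipacket` and keeps the leak this patch fixes. Mirroring usb_ehci_pci_finalize there, or at least stating in hcd-ehci.h that every usb_ehci_init caller must pair it with usb_ehci_finalize, would close that gap. The new prototype `void usb_ehci_finalize(EHCIState *s);` would also benefit from a one-line comment such as `/* Releases what usb_ehci_init set up; call from the owning object's instance_finalize */`. The hunks here touch type tables and helpers whose surrounding definitions lie outside the patch.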
@@ -0,0 +1,47 @@ +From: Gerd Hoffmann +Date: Tue, 9 May 2017 13:01:28 +0200 +Subject: [PATCH] usb-redir: fix stack overflow in usbredir_log_data +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Don't reinvent a broken wheel, just use the hexdump function we have. + +Impact: low, broken code doesn't run unless you have debug logging +enabled. + +Reported-by: 李强 +Signed-off-by: Gerd Hoffmann +Message-id: 20170509110128.27261-1-kraxel@redhat.com +(cherry picked from commit bd4a683505b27adc1ac809f71e918e58573d851d) +--- + hw/usb/redirect.c | 13 +------------ + 1 file changed, 1 insertion(+), 12 deletions(-) + +diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c +index d064961203..94249ec0b5 100644 +--- a/hw/usb/redirect.c ++++ b/hw/usb/redirect.c +@@ -229,21 +229,10 @@ static void usbredir_log(void *priv, int level, const char *msg) + static void usbredir_log_data(USBRedirDevice *dev, const char *desc, + const uint8_t *data, int len) + { +- int i, j, n; +- + if (dev->debug < usbredirparser_debug_data) { + return; + } +- +- for (i = 0; i < len; i += j) { +- char buf[128]; +- +- n = sprintf(buf, "%s", desc); +- for (j = 0; j < 8 && i + j < len; j++) { +- n += sprintf(buf + n, " %02X", data[i + j]); +- } +- error_report("%s", buf); +- } ++ qemu_hexdump((char *)data, stderr, desc, len); + } + + /* diff --git a/qemu.spec b/qemu.spec index 1a2c55b..8f70765 100644 --- a/qemu.spec +++ b/qemu.spec @@ -68,7 +68,7 @@ Summary: QEMU is a FAST! processor emulator Name: qemu Version: 2.7.1 -Release: 6%{?rcrel}%{?dist} +Release: 7%{?rcrel}%{?dist} Epoch: 2 License: GPLv2+ and LGPLv2+ and BSD Group: Development/Tools 
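Review bot: The replacement call `qemu_hexdump((char *)data, stderr, desc, len);` in usbredir_log_data casts away the const that the `const uint8_t *data` parameter declares; `(const char *)data` is sufficient for a read-only dump and keeps the compiler able to flag an accidental write. `len` is an int handed to what is presumably a size_t length, so a negative value would be treated as an enormous buffer; if callers are trusted to pass non-negative lengths, an `assert(len >= 0);` or a comment documenting that precondition would record it. The new code also writes straight to stderr where the removed loop went through error_report, which is worth a note if log routing matters for this device.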
@@ -254,6 +254,41 @@ Patch0071: 0071-slirp-Send-RDNSS-in-RA-only-if-host-has-an-IPv6-DNS-.patch Patch0072: 0072-qxl-clear-guest_cursor-on-QXL_CURSOR_HIDE.patch # CVE-2017-5579: serial: fix memory leak in serial exit (bz #1416161) Patch0073: 0073-serial-fix-memory-leak-in-serial-exit.patch +# CVE-2017-7718: cirrus: OOB read access issue (bz #1443443) +Patch0074: 0074-fix-cirrus_vga-fix-OOB-read-case-qemu-Segmentation-f.patch +# CVE-2016-9603: cirrus: heap buffer overflow via vnc connection (bz +# #1432040) +Patch0075: 0075-cirrus-vnc-zap-bitblit-support-from-console-code.patch +# CVE-2017-7377: 9pfs: fix file descriptor leak (bz #1437872) +Patch0076: 0076-9pfs-fix-file-descriptor-leak.patch +# CVE-2017-7980: cirrus: OOB r/w access issues in bitblt (bz #1444372) +Patch0077: 0077-cirrus-fix-cirrus_invalidate_region.patch +Patch0078: 0078-cirrus-stop-passing-around-dst-pointers-in-the-blitt.patch +Patch0079: 0079-cirrus-stop-passing-around-src-pointers-in-the-blitt.patch +Patch0080: 0080-cirrus-fix-off-by-one-in-cirrus_bitblt_rop_bkwd_tran.patch +# CVE-2017-8112: vmw_pvscsi: infinite loop in pvscsi_log2 (bz #1445622) +Patch0081: 0081-vmw_pvscsi-check-message-ring-page-count-at-initiali.patch +# CVE-2017-8309: audio: host memory lekage via capture buffer (bz #1446520) +Patch0082: 0082-audio-release-capture-buffers.patch +# CVE-2017-8379: input: host memory lekage via keyboard events (bz #1446560) +Patch0083: 0083-input-limit-kbd-queue-depth.patch +# CVE-2017-8380: scsi: megasas: out-of-bounds read in megasas_mmio_write (bz +# #1446578) +Patch0084: 0084-scsi-avoid-an-off-by-one-error-in-megasas_mmio_write.patch +# CVE-2017-9060: virtio-gpu: host memory leakage in Virtio GPU device (bz +# #1452598) +Patch0085: 0085-virtio-gpu-fix-memory-leak-in-set-scanout.patch +# CVE-2017-9310: net: infinite loop in e1000e NIC emulation (bz #1452623) +Patch0086: 0086-net-e1000e-fix-an-infinite-loop-issue.patch +# CVE-2017-9330: usb: ohci: infinite loop due to incorrect return value (bz 
+# #1457699) +Patch0087: 0087-usb-ohci-fix-error-return-code-in-servicing-iso-td.patch +# CVE-2017-9374: usb: ehci host memory leakage during hotunplug (bz +# #1459137) +Patch0088: 0088-usb-ehci-fix-memory-leak-in-ehci.patch +# CVE-2017-10806: usb-redirect: stack buffer overflow in debug logging (bz +# #1468497) +Patch0089: 0089-usb-redir-fix-stack-overflow-in-usbredir_log_data.patch # documentation deps BuildRequires: texinfo @@ -1727,6 +1762,27 @@ getent passwd qemu >/dev/null || \ %changelog +* Wed Jul 12 2017 Cole Robinson - 2:2.7.1-7 +- CVE-2017-7718: cirrus: OOB read access issue (bz #1443443) +- CVE-2016-9603: cirrus: heap buffer overflow via vnc connection (bz + #1432040) +- CVE-2017-7377: 9pfs: fix file descriptor leak (bz #1437872) +- CVE-2017-7980: cirrus: OOB r/w access issues in bitblt (bz #1444372) +- CVE-2017-8112: vmw_pvscsi: infinite loop in pvscsi_log2 (bz #1445622) +- CVE-2017-8309: audio: host memory lekage via capture buffer (bz #1446520) +- CVE-2017-8379: input: host memory lekage via keyboard events (bz #1446560) +- CVE-2017-8380: scsi: megasas: out-of-bounds read in megasas_mmio_write (bz + #1446578) +- CVE-2017-9060: virtio-gpu: host memory leakage in Virtio GPU device (bz + #1452598) +- CVE-2017-9310: net: infinite loop in e1000e NIC emulation (bz #1452623) +- CVE-2017-9330: usb: ohci: infinite loop due to incorrect return value (bz + #1457699) +- CVE-2017-9374: usb: ehci host memory leakage during hotunplug (bz + #1459137) +- CVE-2017-10806: usb-redirect: stack buffer overflow in debug logging (bz + #1468497) + * Thu Apr 13 2017 Cole Robinson - 2:2.7.1-6 - chardev data is dropped when host side closed (bz #1352977) - CVE-2016-8667: dma: divide by zero error in set_next_tick (bz #1384876)