Update to qemu 2.7.1
parent
6438461c91
commit
633dc2ad9f
|
@ -25,7 +25,7 @@ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||||
1 file changed, 6 insertions(+), 5 deletions(-)
|
1 file changed, 6 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
|
diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
|
||||||
index 4245c15..babac5a 100644
|
index 4d94b36..a5ce7de 100644
|
||||||
--- a/hw/scsi/vmw_pvscsi.c
|
--- a/hw/scsi/vmw_pvscsi.c
|
||||||
+++ b/hw/scsi/vmw_pvscsi.c
|
+++ b/hw/scsi/vmw_pvscsi.c
|
||||||
@@ -40,6 +40,8 @@
|
@@ -40,6 +40,8 @@
|
||||||
|
@ -37,7 +37,7 @@ index 4245c15..babac5a 100644
|
||||||
#define PVSCSI_MAX_CMD_DATA_WORDS \
|
#define PVSCSI_MAX_CMD_DATA_WORDS \
|
||||||
(sizeof(PVSCSICmdDescSetupRings)/sizeof(uint32_t))
|
(sizeof(PVSCSICmdDescSetupRings)/sizeof(uint32_t))
|
||||||
|
|
||||||
@@ -628,17 +630,16 @@ pvscsi_queue_pending_descriptor(PVSCSIState *s, SCSIDevice **d,
|
@@ -631,17 +633,16 @@ pvscsi_queue_pending_descriptor(PVSCSIState *s, SCSIDevice **d,
|
||||||
static void
|
static void
|
||||||
pvscsi_convert_sglist(PVSCSIRequest *r)
|
pvscsi_convert_sglist(PVSCSIRequest *r)
|
||||||
{
|
{
|
|
@ -1,82 +0,0 @@
|
||||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
|
||||||
Date: Wed, 31 Aug 2016 12:19:29 +0530
|
|
||||||
Subject: [PATCH] vmw_pvscsi: check page count while initialising descriptor
|
|
||||||
rings
|
|
||||||
|
|
||||||
Vmware Paravirtual SCSI emulation uses command descriptors to
|
|
||||||
process SCSI commands. These descriptors come with their ring
|
|
||||||
buffers. A guest could set the page count for these rings to
|
|
||||||
an arbitrary value, leading to infinite loop or OOB access.
|
|
||||||
Add check to avoid it.
|
|
||||||
|
|
||||||
Reported-by: Tom Victor <vv474172261@gmail.com>
|
|
||||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
|
||||||
Message-Id: <1472626169-12989-1-git-send-email-ppandit@redhat.com>
|
|
||||||
Cc: qemu-stable@nongnu.org
|
|
||||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
|
||||||
(cherry picked from commit 7f61f4690dd153be98900a2a508b88989e692753)
|
|
||||||
---
|
|
||||||
hw/scsi/vmw_pvscsi.c | 19 +++++++++----------
|
|
||||||
1 file changed, 9 insertions(+), 10 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
|
|
||||||
index 5116f4a..4245c15 100644
|
|
||||||
--- a/hw/scsi/vmw_pvscsi.c
|
|
||||||
+++ b/hw/scsi/vmw_pvscsi.c
|
|
||||||
@@ -152,7 +152,7 @@ pvscsi_log2(uint32_t input)
|
|
||||||
return log;
|
|
||||||
}
|
|
||||||
|
|
||||||
-static int
|
|
||||||
+static void
|
|
||||||
pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
|
|
||||||
{
|
|
||||||
int i;
|
|
||||||
@@ -160,10 +160,6 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
|
|
||||||
uint32_t req_ring_size, cmp_ring_size;
|
|
||||||
m->rs_pa = ri->ringsStatePPN << VMW_PAGE_SHIFT;
|
|
||||||
|
|
||||||
- if ((ri->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)
|
|
||||||
- || (ri->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)) {
|
|
||||||
- return -1;
|
|
||||||
- }
|
|
||||||
req_ring_size = ri->reqRingNumPages * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE;
|
|
||||||
cmp_ring_size = ri->cmpRingNumPages * PVSCSI_MAX_NUM_CMP_ENTRIES_PER_PAGE;
|
|
||||||
txr_len_log2 = pvscsi_log2(req_ring_size - 1);
|
|
||||||
@@ -195,8 +191,6 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
|
|
||||||
|
|
||||||
/* Flush ring state page changes */
|
|
||||||
smp_wmb();
|
|
||||||
-
|
|
||||||
- return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
static int
|
|
||||||
@@ -746,7 +740,7 @@ pvscsi_dbg_dump_tx_rings_config(PVSCSICmdDescSetupRings *rc)
|
|
||||||
|
|
||||||
trace_pvscsi_tx_rings_num_pages("Confirm Ring", rc->cmpRingNumPages);
|
|
||||||
for (i = 0; i < rc->cmpRingNumPages; i++) {
|
|
||||||
- trace_pvscsi_tx_rings_ppn("Confirm Ring", rc->reqRingPPNs[i]);
|
|
||||||
+ trace_pvscsi_tx_rings_ppn("Confirm Ring", rc->cmpRingPPNs[i]);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -779,11 +773,16 @@ pvscsi_on_cmd_setup_rings(PVSCSIState *s)
|
|
||||||
|
|
||||||
trace_pvscsi_on_cmd_arrived("PVSCSI_CMD_SETUP_RINGS");
|
|
||||||
|
|
||||||
- pvscsi_dbg_dump_tx_rings_config(rc);
|
|
||||||
- if (pvscsi_ring_init_data(&s->rings, rc) < 0) {
|
|
||||||
+ if (!rc->reqRingNumPages
|
|
||||||
+ || rc->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES
|
|
||||||
+ || !rc->cmpRingNumPages
|
|
||||||
+ || rc->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES) {
|
|
||||||
return PVSCSI_COMMAND_PROCESSING_FAILED;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ pvscsi_dbg_dump_tx_rings_config(rc);
|
|
||||||
+ pvscsi_ring_init_data(&s->rings, rc);
|
|
||||||
+
|
|
||||||
s->rings_info_valid = TRUE;
|
|
||||||
return PVSCSI_COMMAND_PROCESSING_SUCCEEDED;
|
|
||||||
}
|
|
|
@ -1,35 +0,0 @@
|
||||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
|
||||||
Date: Wed, 14 Sep 2016 15:09:12 +0530
|
|
||||||
Subject: [PATCH] scsi: pvscsi: limit process IO loop to ring size
|
|
||||||
|
|
||||||
Vmware Paravirtual SCSI emulator while processing IO requests
|
|
||||||
could run into an infinite loop if 'pvscsi_ring_pop_req_descr'
|
|
||||||
always returned positive value. Limit IO loop to the ring size.
|
|
||||||
|
|
||||||
Cc: qemu-stable@nongnu.org
|
|
||||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
|
||||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
|
||||||
Message-Id: <1473845952-30785-1-git-send-email-ppandit@redhat.com>
|
|
||||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
|
||||||
(cherry picked from commit d251157ac1928191af851d199a9ff255d330bec9)
|
|
||||||
---
|
|
||||||
hw/scsi/vmw_pvscsi.c | 5 ++++-
|
|
||||||
1 file changed, 4 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
|
|
||||||
index babac5a..a5ce7de 100644
|
|
||||||
--- a/hw/scsi/vmw_pvscsi.c
|
|
||||||
+++ b/hw/scsi/vmw_pvscsi.c
|
|
||||||
@@ -247,8 +247,11 @@ static hwaddr
|
|
||||||
pvscsi_ring_pop_req_descr(PVSCSIRingInfo *mgr)
|
|
||||||
{
|
|
||||||
uint32_t ready_ptr = RS_GET_FIELD(mgr, reqProdIdx);
|
|
||||||
+ uint32_t ring_size = PVSCSI_MAX_NUM_PAGES_REQ_RING
|
|
||||||
+ * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE;
|
|
||||||
|
|
||||||
- if (ready_ptr != mgr->consumed_ptr) {
|
|
||||||
+ if (ready_ptr != mgr->consumed_ptr
|
|
||||||
+ && ready_ptr - mgr->consumed_ptr < ring_size) {
|
|
||||||
uint32_t next_ready_ptr =
|
|
||||||
mgr->consumed_ptr++ & mgr->txr_len_mask;
|
|
||||||
uint32_t next_ready_page =
|
|
|
@ -18,7 +18,7 @@ Reviewed-by: Laszlo Ersek <lersek@redhat.com>
|
||||||
1 file changed, 5 insertions(+)
|
1 file changed, 5 insertions(+)
|
||||||
|
|
||||||
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
|
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
|
||||||
index 74c085c..eabe573 100644
|
index f31140a..58edd99 100644
|
||||||
--- a/hw/virtio/virtio.c
|
--- a/hw/virtio/virtio.c
|
||||||
+++ b/hw/virtio/virtio.c
|
+++ b/hw/virtio/virtio.c
|
||||||
@@ -473,6 +473,11 @@ static void virtqueue_map_desc(unsigned int *p_num_sg, hwaddr *addr, struct iove
|
@@ -473,6 +473,11 @@ static void virtqueue_map_desc(unsigned int *p_num_sg, hwaddr *addr, struct iove
|
|
@ -1,33 +0,0 @@
|
||||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
|
||||||
Date: Wed, 31 Aug 2016 17:36:07 +0530
|
|
||||||
Subject: [PATCH] scsi: mptconfig: fix an assert expression
|
|
||||||
|
|
||||||
When LSI SAS1068 Host Bus emulator builds configuration page
|
|
||||||
headers, mptsas_config_pack() should assert that the size
|
|
||||||
fits in a byte. However, the size is expressed in 32-bit
|
|
||||||
units, so up to 1020 bytes fit. The assertion was only
|
|
||||||
allowing replies up to 252 bytes, so fix it.
|
|
||||||
|
|
||||||
Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
|
|
||||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
|
||||||
Message-Id: <1472645167-30765-2-git-send-email-ppandit@redhat.com>
|
|
||||||
Cc: qemu-stable@nongnu.org
|
|
||||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
|
||||||
(cherry picked from commit cf2bce203a45d7437029d108357fb23fea0967b6)
|
|
||||||
---
|
|
||||||
hw/scsi/mptconfig.c | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/hw/scsi/mptconfig.c b/hw/scsi/mptconfig.c
|
|
||||||
index 7071854..3e4f400 100644
|
|
||||||
--- a/hw/scsi/mptconfig.c
|
|
||||||
+++ b/hw/scsi/mptconfig.c
|
|
||||||
@@ -158,7 +158,7 @@ static size_t mptsas_config_pack(uint8_t **data, const char *fmt, ...)
|
|
||||||
va_end(ap);
|
|
||||||
|
|
||||||
if (data) {
|
|
||||||
- assert(ret < 256 && (ret % 4) == 0);
|
|
||||||
+ assert(ret / 4 < 256 && (ret % 4) == 0);
|
|
||||||
stb_p(*data + 1, ret / 4);
|
|
||||||
}
|
|
||||||
return ret;
|
|
|
@ -1,37 +0,0 @@
|
||||||
From: Paolo Bonzini <pbonzini@redhat.com>
|
|
||||||
Date: Mon, 29 Aug 2016 11:35:37 +0200
|
|
||||||
Subject: [PATCH] scsi: mptconfig: fix misuse of MPTSAS_CONFIG_PACK
|
|
||||||
|
|
||||||
These issues cause respectively a QEMU crash and a leak of 2 bytes of
|
|
||||||
stack. They were discovered by VictorV of 360 Marvel Team.
|
|
||||||
|
|
||||||
Reported-by: Tom Victor <i-tangtianwen@360.cm>
|
|
||||||
Cc: qemu-stable@nongnu.org
|
|
||||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
|
||||||
(cherry picked from commit 65a8e1f6413a0f6f79894da710b5d6d43361d27d)
|
|
||||||
---
|
|
||||||
hw/scsi/mptconfig.c | 4 ++--
|
|
||||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/hw/scsi/mptconfig.c b/hw/scsi/mptconfig.c
|
|
||||||
index 3e4f400..87a416a 100644
|
|
||||||
--- a/hw/scsi/mptconfig.c
|
|
||||||
+++ b/hw/scsi/mptconfig.c
|
|
||||||
@@ -203,7 +203,7 @@ size_t mptsas_config_manufacturing_1(MPTSASState *s, uint8_t **data, int address
|
|
||||||
{
|
|
||||||
/* VPD - all zeros */
|
|
||||||
return MPTSAS_CONFIG_PACK(1, MPI_CONFIG_PAGETYPE_MANUFACTURING, 0x00,
|
|
||||||
- "s256");
|
|
||||||
+ "*s256");
|
|
||||||
}
|
|
||||||
|
|
||||||
static
|
|
||||||
@@ -328,7 +328,7 @@ size_t mptsas_config_ioc_0(MPTSASState *s, uint8_t **data, int address)
|
|
||||||
return MPTSAS_CONFIG_PACK(0, MPI_CONFIG_PAGETYPE_IOC, 0x01,
|
|
||||||
"*l*lwwb*b*b*blww",
|
|
||||||
pcic->vendor_id, pcic->device_id, pcic->revision,
|
|
||||||
- pcic->subsystem_vendor_id,
|
|
||||||
+ pcic->class_id, pcic->subsystem_vendor_id,
|
|
||||||
pcic->subsystem_id);
|
|
||||||
}
|
|
||||||
|
|
|
@ -1,32 +0,0 @@
|
||||||
From: Li Qiang <liqiang6-s@360.cn>
|
|
||||||
Date: Mon, 12 Sep 2016 18:14:11 +0530
|
|
||||||
Subject: [PATCH] scsi: mptsas: use g_new0 to allocate MPTSASRequest object
|
|
||||||
|
|
||||||
When processing IO request in mptsas, it uses g_new to allocate
|
|
||||||
a 'req' object. If an error occurs before 'req->sreq' is
|
|
||||||
allocated, It could lead to an OOB write in mptsas_free_request
|
|
||||||
function. Use g_new0 to avoid it.
|
|
||||||
|
|
||||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
|
||||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
|
||||||
Message-Id: <1473684251-17476-1-git-send-email-ppandit@redhat.com>
|
|
||||||
Cc: qemu-stable@nongnu.org
|
|
||||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
|
||||||
(cherry picked from commit 670e56d3ed2918b3861d9216f2c0540d9e9ae0d5)
|
|
||||||
---
|
|
||||||
hw/scsi/mptsas.c | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c
|
|
||||||
index 0e0a22f..eaae1bb 100644
|
|
||||||
--- a/hw/scsi/mptsas.c
|
|
||||||
+++ b/hw/scsi/mptsas.c
|
|
||||||
@@ -304,7 +304,7 @@ static int mptsas_process_scsi_io_request(MPTSASState *s,
|
|
||||||
goto bad;
|
|
||||||
}
|
|
||||||
|
|
||||||
- req = g_new(MPTSASRequest, 1);
|
|
||||||
+ req = g_new0(MPTSASRequest, 1);
|
|
||||||
QTAILQ_INSERT_TAIL(&s->pending, req, next);
|
|
||||||
req->scsi_io = *scsi_io;
|
|
||||||
req->dev = s;
|
|
|
@ -27,7 +27,7 @@ index 42ca0fe..b3b5005 100644
|
||||||
#include "ui/egl-helpers.h"
|
#include "ui/egl-helpers.h"
|
||||||
#include "ui/egl-context.h"
|
#include "ui/egl-context.h"
|
||||||
diff --git a/ui/gtk.c b/ui/gtk.c
|
diff --git a/ui/gtk.c b/ui/gtk.c
|
||||||
index 58d20ee..e8cf785 100644
|
index 21ae4cb..c641e49 100644
|
||||||
--- a/ui/gtk.c
|
--- a/ui/gtk.c
|
||||||
+++ b/ui/gtk.c
|
+++ b/ui/gtk.c
|
||||||
@@ -90,6 +90,9 @@
|
@@ -90,6 +90,9 @@
|
|
@ -1,54 +0,0 @@
|
||||||
From: Thomas Huth <thuth@redhat.com>
|
|
||||||
Date: Wed, 21 Sep 2016 11:42:15 +0200
|
|
||||||
Subject: [PATCH] ppc/kvm: Mark 64kB page size support as disabled if not
|
|
||||||
available
|
|
||||||
|
|
||||||
QEMU currently refuses to start with KVM-PR and only prints out
|
|
||||||
|
|
||||||
qemu: fatal: Unknown MMU model 851972
|
|
||||||
|
|
||||||
when being started there. This is because commit 4322e8ced5aaac719
|
|
||||||
("ppc: Fix 64K pages support in full emulation") introduced a new
|
|
||||||
POWERPC_MMU_64K bit to indicate support for this page size, but
|
|
||||||
it never gets cleared on KVM-PR if the host kernel does not support
|
|
||||||
this. Thus we've got to turn off this bit in the mmu_model for KVM-PR.
|
|
||||||
|
|
||||||
Signed-off-by: Thomas Huth <thuth@redhat.com>
|
|
||||||
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
|
|
||||||
(cherry picked from commit 0d594f5565837fe2886a8aa307ef8abb65eab8f7)
|
|
||||||
---
|
|
||||||
target-ppc/kvm.c | 7 +++++++
|
|
||||||
1 file changed, 7 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/target-ppc/kvm.c b/target-ppc/kvm.c
|
|
||||||
index dcb68b9..6bdc804 100644
|
|
||||||
--- a/target-ppc/kvm.c
|
|
||||||
+++ b/target-ppc/kvm.c
|
|
||||||
@@ -427,6 +427,7 @@ static void kvm_fixup_page_sizes(PowerPCCPU *cpu)
|
|
||||||
CPUPPCState *env = &cpu->env;
|
|
||||||
long rampagesize;
|
|
||||||
int iq, ik, jq, jk;
|
|
||||||
+ bool has_64k_pages = false;
|
|
||||||
|
|
||||||
/* We only handle page sizes for 64-bit server guests for now */
|
|
||||||
if (!(env->mmu_model & POWERPC_MMU_64)) {
|
|
||||||
@@ -470,6 +471,9 @@ static void kvm_fixup_page_sizes(PowerPCCPU *cpu)
|
|
||||||
ksps->enc[jk].page_shift)) {
|
|
||||||
continue;
|
|
||||||
}
|
|
||||||
+ if (ksps->enc[jk].page_shift == 16) {
|
|
||||||
+ has_64k_pages = true;
|
|
||||||
+ }
|
|
||||||
qsps->enc[jq].page_shift = ksps->enc[jk].page_shift;
|
|
||||||
qsps->enc[jq].pte_enc = ksps->enc[jk].pte_enc;
|
|
||||||
if (++jq >= PPC_PAGE_SIZES_MAX_SZ) {
|
|
||||||
@@ -484,6 +488,9 @@ static void kvm_fixup_page_sizes(PowerPCCPU *cpu)
|
|
||||||
if (!(smmu_info.flags & KVM_PPC_1T_SEGMENTS)) {
|
|
||||||
env->mmu_model &= ~POWERPC_MMU_1TSEG;
|
|
||||||
}
|
|
||||||
+ if (!has_64k_pages) {
|
|
||||||
+ env->mmu_model &= ~POWERPC_MMU_64K;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
#else /* defined (TARGET_PPC64) */
|
|
||||||
|
|
|
@ -1,72 +0,0 @@
|
||||||
From: "Daniel P. Berrange" <berrange@redhat.com>
|
|
||||||
Date: Fri, 4 Nov 2016 15:46:33 +0000
|
|
||||||
Subject: [PATCH] net: fix sending of data with -net socket, listen backend
|
|
||||||
|
|
||||||
The use of -net socket,listen was broken in the following
|
|
||||||
commit
|
|
||||||
|
|
||||||
commit 16a3df403b10c4ac347159e39005fd520b2648bb
|
|
||||||
Author: Zhang Chen <zhangchen.fnst@cn.fujitsu.com>
|
|
||||||
Date: Fri May 13 15:35:19 2016 +0800
|
|
||||||
|
|
||||||
net/net: Add SocketReadState for reuse codes
|
|
||||||
|
|
||||||
This function is from net/socket.c, move it to net.c and net.h.
|
|
||||||
Add SocketReadState to make others reuse net_fill_rstate().
|
|
||||||
suggestion from jason.
|
|
||||||
|
|
||||||
This refactored the state out of NetSocketState into a
|
|
||||||
separate SocketReadState. This refactoring requires
|
|
||||||
that a callback is provided to be triggered upon
|
|
||||||
completion of a packet receive from the guest.
|
|
||||||
|
|
||||||
The patch only registered this callback in the codepaths
|
|
||||||
hit by -net socket,connect, not -net socket,listen. So
|
|
||||||
as a result packets sent by the guest in the latter case
|
|
||||||
get dropped on the floor.
|
|
||||||
|
|
||||||
This bug is hidden because net_fill_rstate() silently
|
|
||||||
does nothing if the callback is not set.
|
|
||||||
|
|
||||||
This patch adds in the middle callback registration
|
|
||||||
and also adds an assert so that QEMU aborts if there
|
|
||||||
are any other codepaths hit which are missing the
|
|
||||||
callback.
|
|
||||||
|
|
||||||
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
|
|
||||||
Reviewed-by: Zhang Chen <zhangchen.fnst@cn.fujitsu.com>
|
|
||||||
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
|
||||||
(cherry picked from commit e79cd4068063ea2859199002a049010a11202939)
|
|
||||||
---
|
|
||||||
net/net.c | 5 ++---
|
|
||||||
net/socket.c | 1 +
|
|
||||||
2 files changed, 3 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/net/net.c b/net/net.c
|
|
||||||
index d51cb29..19b4d9e 100644
|
|
||||||
--- a/net/net.c
|
|
||||||
+++ b/net/net.c
|
|
||||||
@@ -1648,9 +1648,8 @@ int net_fill_rstate(SocketReadState *rs, const uint8_t *buf, int size)
|
|
||||||
if (rs->index >= rs->packet_len) {
|
|
||||||
rs->index = 0;
|
|
||||||
rs->state = 0;
|
|
||||||
- if (rs->finalize) {
|
|
||||||
- rs->finalize(rs);
|
|
||||||
- }
|
|
||||||
+ assert(rs->finalize);
|
|
||||||
+ rs->finalize(rs);
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
diff --git a/net/socket.c b/net/socket.c
|
|
||||||
index 3f98eef..dcae1ae 100644
|
|
||||||
--- a/net/socket.c
|
|
||||||
+++ b/net/socket.c
|
|
||||||
@@ -522,6 +522,7 @@ static int net_socket_listen_init(NetClientState *peer,
|
|
||||||
s->fd = -1;
|
|
||||||
s->listen_fd = fd;
|
|
||||||
s->nc.link_down = true;
|
|
||||||
+ net_socket_rs_init(&s->rs, net_socket_rs_finalize);
|
|
||||||
|
|
||||||
qemu_set_fd_handler(s->listen_fd, net_socket_accept, NULL, s);
|
|
||||||
return 0;
|
|
41
qemu.spec
41
qemu.spec
|
@ -67,8 +67,8 @@
|
||||||
|
|
||||||
Summary: QEMU is a FAST! processor emulator
|
Summary: QEMU is a FAST! processor emulator
|
||||||
Name: qemu
|
Name: qemu
|
||||||
Version: 2.7.0
|
Version: 2.7.1
|
||||||
Release: 8%{?rcrel}%{?dist}
|
Release: 1%{?rcrel}%{?dist}
|
||||||
Epoch: 2
|
Epoch: 2
|
||||||
License: GPLv2+ and LGPLv2+ and BSD
|
License: GPLv2+ and LGPLv2+ and BSD
|
||||||
Group: Development/Tools
|
Group: Development/Tools
|
||||||
|
@ -102,42 +102,28 @@ Source21: 50-kvm-s390x.conf
|
||||||
# /etc/security/limits.d/95-kvm-ppc64-memlock.conf
|
# /etc/security/limits.d/95-kvm-ppc64-memlock.conf
|
||||||
Source22: 95-kvm-ppc64-memlock.conf
|
Source22: 95-kvm-ppc64-memlock.conf
|
||||||
|
|
||||||
# CVE-2016-7155: pvscsi: OOB read and infinite loop (bz #1373463)
|
|
||||||
Patch0001: 0001-vmw_pvscsi-check-page-count-while-initialising-descr.patch
|
|
||||||
# CVE-2016-7156: pvscsi: infinite loop when building SG list (bz #1373480)
|
# CVE-2016-7156: pvscsi: infinite loop when building SG list (bz #1373480)
|
||||||
Patch0002: 0002-scsi-pvscsi-limit-loop-to-fetch-SG-list.patch
|
Patch0001: 0001-scsi-pvscsi-limit-loop-to-fetch-SG-list.patch
|
||||||
# CVE-2016-7156: pvscsi: infinite loop when processing IO requests (bz
|
|
||||||
# #1373480)
|
|
||||||
Patch0003: 0003-scsi-pvscsi-limit-process-IO-loop-to-ring-size.patch
|
|
||||||
# CVE-2016-7170: vmware_vga: OOB stack memory access (bz #1374709)
|
# CVE-2016-7170: vmware_vga: OOB stack memory access (bz #1374709)
|
||||||
Patch0004: 0004-vmsvga-correct-bitmap-and-pixmap-size-checks.patch
|
Patch0002: 0002-vmsvga-correct-bitmap-and-pixmap-size-checks.patch
|
||||||
# CVE-2016-7157: mptsas: invalid memory access (bz #1373505)
|
|
||||||
Patch0005: 0005-scsi-mptconfig-fix-an-assert-expression.patch
|
|
||||||
Patch0006: 0006-scsi-mptconfig-fix-misuse-of-MPTSAS_CONFIG_PACK.patch
|
|
||||||
# CVE-2016-7466: usb: xhci memory leakage during device unplug (bz #1377838)
|
# CVE-2016-7466: usb: xhci memory leakage during device unplug (bz #1377838)
|
||||||
Patch0007: 0007-usb-xhci-fix-memory-leak-in-usb_xhci_exit.patch
|
Patch0003: 0003-usb-xhci-fix-memory-leak-in-usb_xhci_exit.patch
|
||||||
# CVE-2016-7423: scsi: mptsas: OOB access (bz #1376777)
|
|
||||||
Patch0008: 0008-scsi-mptsas-use-g_new0-to-allocate-MPTSASRequest-obj.patch
|
|
||||||
# CVE-2016-7422: virtio: null pointer dereference (bz #1376756)
|
# CVE-2016-7422: virtio: null pointer dereference (bz #1376756)
|
||||||
Patch0009: 0009-virtio-add-check-for-descriptor-s-mapped-address.patch
|
Patch0004: 0004-virtio-add-check-for-descriptor-s-mapped-address.patch
|
||||||
# CVE-2016-7908: net: Infinite loop in mcf_fec_do_tx (bz #1381193)
|
# CVE-2016-7908: net: Infinite loop in mcf_fec_do_tx (bz #1381193)
|
||||||
Patch0010: 0010-net-mcf-limit-buffer-descriptor-count.patch
|
Patch0005: 0005-net-mcf-limit-buffer-descriptor-count.patch
|
||||||
# CVE-2016-8576: usb: xHCI: infinite loop vulnerability (bz #1382322)
|
# CVE-2016-8576: usb: xHCI: infinite loop vulnerability (bz #1382322)
|
||||||
Patch0011: 0011-xhci-limit-the-number-of-link-trbs-we-are-willing-to.patch
|
Patch0006: 0006-xhci-limit-the-number-of-link-trbs-we-are-willing-to.patch
|
||||||
# CVE-2016-7995: usb: hcd-ehci: memory leak (bz #1382669)
|
# CVE-2016-7995: usb: hcd-ehci: memory leak (bz #1382669)
|
||||||
Patch0012: 0012-usb-ehci-fix-memory-leak-in-ehci_process_itd.patch
|
Patch0007: 0007-usb-ehci-fix-memory-leak-in-ehci_process_itd.patch
|
||||||
# Fix interrupt endpoints not working with network/spice USB redirection on
|
# Fix interrupt endpoints not working with network/spice USB redirection on
|
||||||
# guest with an emulated xhci controller (bz #1382331)
|
# guest with an emulated xhci controller (bz #1382331)
|
||||||
Patch0013: 0013-usb-redir-allocate-buffers-before-waking-up-the-host.patch
|
Patch0008: 0008-usb-redir-allocate-buffers-before-waking-up-the-host.patch
|
||||||
# Fix nested PPC 'Unknown MMU model' error (bz #1374749)
|
|
||||||
Patch0014: 0014-ppc-kvm-Mark-64kB-page-size-support-as-disabled-if-n.patch
|
|
||||||
# Fix flickering display with boxes + wayland VM (bz #1266484)
|
# Fix flickering display with boxes + wayland VM (bz #1266484)
|
||||||
Patch0015: 0015-qxl-Only-emit-QXL_INTERRUPT_CLIENT_MONITORS_CONFIG-o.patch
|
Patch0009: 0009-qxl-Only-emit-QXL_INTERRUPT_CLIENT_MONITORS_CONFIG-o.patch
|
||||||
# Fix sending of data with -net socket (bz #1391497)
|
|
||||||
Patch0016: 0016-net-fix-sending-of-data-with-net-socket-listen-backe.patch
|
|
||||||
# Fix keyboard issues with -ui gtk + host wayland (bz #1401211)
|
# Fix keyboard issues with -ui gtk + host wayland (bz #1401211)
|
||||||
# Posted but not yet applied upstream
|
# Posted but not yet applied upstream
|
||||||
Patch0017: 0017-ui-use-evdev-keymap-when-running-under-wayland.patch
|
Patch0010: 0010-ui-use-evdev-keymap-when-running-under-wayland.patch
|
||||||
|
|
||||||
# documentation deps
|
# documentation deps
|
||||||
BuildRequires: texi2html
|
BuildRequires: texi2html
|
||||||
|
@ -1609,6 +1595,9 @@ getent passwd qemu >/dev/null || \
|
||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Jan 09 2017 Cole Robinson <crobinso@redhat.com> - 2:2.7.1-1
|
||||||
|
- Update to qemu 2.7.1
|
||||||
|
|
||||||
* Mon Dec 12 2016 Cole Robinson <crobinso@redhat.com> - 2:2.7.0-8
|
* Mon Dec 12 2016 Cole Robinson <crobinso@redhat.com> - 2:2.7.0-8
|
||||||
- Fix sending of data with -net socket (bz #1391497)
|
- Fix sending of data with -net socket (bz #1391497)
|
||||||
- Fix keyboard issues with -ui gtk + host wayland (bz #1401211)
|
- Fix keyboard issues with -ui gtk + host wayland (bz #1401211)
|
||||||
|
|
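Review bot: The new `%changelog` entry says only `- Update to qemu 2.7.1`, while the patch list in this section drops the patches tagged CVE-2016-7155, CVE-2016-7157 and CVE-2016-7423 together with their comment lines, so the patch list no longer points to those fixes. Presumably they are dropped because the 2.7.1 tarball already contains them; each deleted patch file carries a `(cherry picked from commit …)` trailer that can be checked against the 2.7.1 tag to confirm this. I would add a changelog line such as `- Drop CVE-2016-7155, CVE-2016-7157 and CVE-2016-7423 patches, included in 2.7.1` so that changelog-based CVE audits of the package still find them. Of the two patches commented as CVE-2016-7156, only `0003-scsi-pvscsi-limit-process-IO-loop-to-ring-size.patch` is dropped, so the remaining `# CVE-2016-7156` comment now covers only the part of that fix still carried as a patch, which is worth stating in the same changelog line.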