CVE-2012-2652: Possible symlink attacks with -snapshot (bz 825697, bz 824919)

Fix systemtap tapsets (bz 831763)
Fix qmp response race caused by spice server bug (bz 744015)
Fix text mode screendumps (bz 819155)
Don't re-enable ksm on update (bz 815156)
Fix RPM install error on non-virt machines (bz 660629)
Obsolete openbios to fix upgrade dependency issues (bz 694802)
This commit is contained in:
Cole Robinson 2012-07-29 21:15:19 -04:00
parent d2798f56e7
commit cd9d161514
47 changed files with 3153 additions and 111 deletions

@ -0,0 +1,42 @@
From 792733e8aa8565a0b49c80539d0bc7a0ac19aaff Mon Sep 17 00:00:00 2001
From: Markus Armbruster <armbru@redhat.com>
Date: Mon, 28 Nov 2011 20:27:37 +0100
Subject: [PATCH] ccid: Fix buffer overrun in handling of VSC_ATR message
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
ATR size exceeding the limit is diagnosed, but then we merrily use it
anyway, overrunning card->atr[].
The message is read from a character device. Obvious security
implications unless the other end of the character device is trusted.
Spotted by Coverity. CVE-2011-4111.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 7e62255a4b3e0e2ab84a3ec7398640e8ed58620a)
Signed-off-by: Bruce Rogers <brogers@suse.com>
[AF: Fixes BNC#731086.]
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
hw/ccid-card-passthru.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/hw/ccid-card-passthru.c b/hw/ccid-card-passthru.c
index 28eb9d1..0505663 100644
--- a/hw/ccid-card-passthru.c
+++ b/hw/ccid-card-passthru.c
@@ -150,6 +150,7 @@ static void ccid_card_vscard_handle_message(PassthruState *card,
error_report("ATR size exceeds spec, ignoring");
ccid_card_vscard_send_error(card, scr_msg_header->reader_id,
VSC_GENERAL_ERROR);
+ break;
}
memcpy(card->atr, data, scr_msg_header->length);
card->atr_length = scr_msg_header->length;
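Review bot: The added `break` is the right fix, since without it control fell through to the `memcpy` with the oversized length. Two follow-ups worth considering: `memcpy(card->atr, data, scr_msg_header->length)` still takes the length straight from the character-device message, so an explicit clamp such as `MIN(scr_msg_header->length, sizeof(card->atr))` at the copy site would make the bound self-evident rather than depending on the earlier check; and since the commit message notes this is untrusted input (CVE-2011-4111), a rate-limited log of the rejected length alongside the existing error_report would help when triaging a misbehaving peer.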
--
1.7.11.2

@ -0,0 +1,39 @@
From c09233797d29cc18bc7d304ceeb8bef72f3acefb Mon Sep 17 00:00:00 2001
From: Jan Kiszka <jan.kiszka@siemens.com>
Date: Sun, 24 Jul 2011 19:38:36 +0200
Subject: [PATCH] qdev: Reset hot-plugged devices
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Device models rely on the core invoking their reset handlers after init.
We do this in the cold-plug case, but so far we miss this step after
hot-plug.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 5ab28c8340f683121c081a181adfd9f72ab85cba)
[AF: Fixes BNC#722958 / LTC#75394.]
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
hw/qdev.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/hw/qdev.c b/hw/qdev.c
index a0fcd06..b4ea8e1 100644
--- a/hw/qdev.c
+++ b/hw/qdev.c
@@ -289,6 +289,9 @@ int qdev_init(DeviceState *dev)
dev->alias_required_for_version);
}
dev->state = DEV_STATE_INITIALIZED;
+ if (dev->hotplugged && dev->info->reset) {
+ dev->info->reset(dev);
+ }
return 0;
}
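Review bot: The hot-plug reset now runs synchronously inside qdev_init, right after the state is set to DEV_STATE_INITIALIZED, whereas cold-plugged devices get their reset handler from the system-wide reset later; a short comment at the `if (dev->hotplugged && dev->info->reset)` line explaining that difference would save the next reader from wondering why hot-plugged devices are treated specially. The NULL check on dev->info->reset is needed because not every device model registers one.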
--
1.7.11.2

@ -0,0 +1,147 @@
From 461473595d1dd1131cb060c460c87ca7b652939e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn@mork.no>
Date: Wed, 17 Aug 2011 11:03:14 +0200
Subject: [PATCH] e1000: use MII status register for link up/down
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Some guests will use the standard MII status register
to verify link state. They will not notice link changes
unless this register is updated.
Verified with Linux 3.0 and Windows XP guests.
Without this patch, ethtool will report speed and duplex as
unknown when the link is down, but still report the link as
up. This is because the Linux e1000 driver checks the
mac_reg[STATUS] register link state before it checks speed
and duplex, but uses the phy_reg[PHY_STATUS] register for
the actual link state check. Fix by updating both registers
on link state changes.
Linux guest before:
(qemu) set_link e1000.0 off
kvm-sid:~# ethtool eth0
Settings for eth0:
Supported ports: [ TP ]
Supported link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Full
Supports auto-negotiation: Yes
Advertised link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Full
Advertised pause frame use: No
Advertised auto-negotiation: Yes
Speed: Unknown!
Duplex: Unknown! (255)
Port: Twisted Pair
PHYAD: 0
Transceiver: internal
Auto-negotiation: on
MDI-X: Unknown
Supports Wake-on: umbg
Wake-on: d
Current message level: 0x00000007 (7)
drv probe link
Link detected: yes
(qemu) set_link e1000.0 on
Linux guest after:
(qemu) set_link e1000.0 off
[ 63.384221] e1000: eth0 NIC Link is Down
kvm-sid:~# ethtool eth0
Settings for eth0:
Supported ports: [ TP ]
Supported link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Full
Supports auto-negotiation: Yes
Advertised link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Full
Advertised pause frame use: No
Advertised auto-negotiation: Yes
Speed: Unknown!
Duplex: Unknown! (255)
Port: Twisted Pair
PHYAD: 0
Transceiver: internal
Auto-negotiation: on
MDI-X: Unknown
Supports Wake-on: umbg
Wake-on: d
Current message level: 0x00000007 (7)
drv probe link
Link detected: no
(qemu) set_link e1000.0 on
[ 84.304582] e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit d4044c2a6b9ba4a00dd653f515a4b0ebfcb7e125)
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
hw/e1000.c | 7 +++++--
hw/e1000_hw.h | 17 +++++++++++++++++
2 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/hw/e1000.c b/hw/e1000.c
index 96d84f9..e4d9ab5 100644
--- a/hw/e1000.c
+++ b/hw/e1000.c
@@ -624,10 +624,13 @@ e1000_set_link_status(VLANClientState *nc)
E1000State *s = DO_UPCAST(NICState, nc, nc)->opaque;
uint32_t old_status = s->mac_reg[STATUS];
- if (nc->link_down)
+ if (nc->link_down) {
s->mac_reg[STATUS] &= ~E1000_STATUS_LU;
- else
+ s->phy_reg[PHY_STATUS] &= ~MII_SR_LINK_STATUS;
+ } else {
s->mac_reg[STATUS] |= E1000_STATUS_LU;
+ s->phy_reg[PHY_STATUS] |= MII_SR_LINK_STATUS;
+ }
if (s->mac_reg[STATUS] != old_status)
set_ics(s, 0, E1000_ICR_LSC);
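Review bot: The link-change interrupt is still keyed only on `s->mac_reg[STATUS] != old_status`, which is fine here because both registers are updated together, but nothing outside this function resynchronises PHY_STATUS with STATUS. A guest migrated in from a build without this patch could carry a phy_reg[PHY_STATUS] whose MII_SR_LINK_STATUS bit does not match the MAC link state until the next set_link event; if that matters for the deployment, consider also fixing it up in the device's post_load.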
diff --git a/hw/e1000_hw.h b/hw/e1000_hw.h
index 9bd8a4b..2e341ac 100644
--- a/hw/e1000_hw.h
+++ b/hw/e1000_hw.h
@@ -349,6 +349,23 @@
#define M88E1000_PHY_VCO_REG_BIT8 0x100 /* Bits 8 & 11 are adjusted for */
#define M88E1000_PHY_VCO_REG_BIT11 0x800 /* improved BER performance */
+/* PHY Status Register */
+#define MII_SR_EXTENDED_CAPS 0x0001 /* Extended register capabilities */
+#define MII_SR_JABBER_DETECT 0x0002 /* Jabber Detected */
+#define MII_SR_LINK_STATUS 0x0004 /* Link Status 1 = link */
+#define MII_SR_AUTONEG_CAPS 0x0008 /* Auto Neg Capable */
+#define MII_SR_REMOTE_FAULT 0x0010 /* Remote Fault Detect */
+#define MII_SR_AUTONEG_COMPLETE 0x0020 /* Auto Neg Complete */
+#define MII_SR_PREAMBLE_SUPPRESS 0x0040 /* Preamble may be suppressed */
+#define MII_SR_EXTENDED_STATUS 0x0100 /* Ext. status info in Reg 0x0F */
+#define MII_SR_100T2_HD_CAPS 0x0200 /* 100T2 Half Duplex Capable */
+#define MII_SR_100T2_FD_CAPS 0x0400 /* 100T2 Full Duplex Capable */
+#define MII_SR_10T_HD_CAPS 0x0800 /* 10T Half Duplex Capable */
+#define MII_SR_10T_FD_CAPS 0x1000 /* 10T Full Duplex Capable */
+#define MII_SR_100X_HD_CAPS 0x2000 /* 100X Half Duplex Capable */
+#define MII_SR_100X_FD_CAPS 0x4000 /* 100X Full Duplex Capable */
+#define MII_SR_100T4_CAPS 0x8000 /* 100T4 Capable */
+
/* Interrupt Cause Read */
#define E1000_ICR_TXDW 0x00000001 /* Transmit desc written back */
#define E1000_ICR_TXQE 0x00000002 /* Transmit Queue empty */
--
1.7.11.2

@ -0,0 +1,43 @@
From fe7f7d7ae7114fb220ed258e249f9a63834f6fa6 Mon Sep 17 00:00:00 2001
From: dann frazier <dann.frazier@canonical.com>
Date: Wed, 21 Sep 2011 14:06:25 -0600
Subject: [PATCH] e1000: Don't set the Capabilities List bit
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
[Originally sent to qemu-kvm list, but I was redirected here]
The Capabilities Pointer is NULL, so this bit shouldn't be set. The state of
this bit doesn't appear to change any behavior on Linux/Windows versions we've
tested, but it does cause Windows' PCI/PCI Express Compliance Test to balk.
I happen to have a physical 82540EM controller, and it also sets the
Capabilities Bit, but it actually has items on the capabilities list to go
with it :)
Signed-off-by: dann frazier <dann.frazier@canonical.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit dd8e93799f13ef82d83c185b8e71e049452f7d40)
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
hw/e1000.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/hw/e1000.c b/hw/e1000.c
index e4d9ab5..7971457 100644
--- a/hw/e1000.c
+++ b/hw/e1000.c
@@ -1167,8 +1167,6 @@ static int pci_e1000_init(PCIDevice *pci_dev)
pci_conf = d->dev.config;
- /* TODO: we have no capabilities, so why is this bit set? */
- pci_set_word(pci_conf + PCI_STATUS, PCI_STATUS_CAP_LIST);
/* TODO: RST# value should be 0, PCI spec 6.2.4 */
pci_conf[PCI_CACHE_LINE_SIZE] = 0x10;
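Review bot: This alters guest-visible PCI config space (the PCI_STATUS capabilities-list bit) without a machine-type compat property, unlike the ac97 subsystem-id patch later in this series, which keeps the old value for older `-M pc-*` machine types. The commit message reports no observable behaviour change on the tested Linux and Windows guests, so that is probably acceptable, but the trade-off deserves a sentence in the commit message. The remaining `/* TODO: RST# value should be 0 */` is unrelated and correctly left alone.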
--
1.7.11.2

@ -0,0 +1,45 @@
From 078c531e6b57f36359b74ea6c136c2ea1b5a9891 Mon Sep 17 00:00:00 2001
From: Anthony Liguori <aliguori@us.ibm.com>
Date: Mon, 23 Jan 2012 07:30:43 -0600
Subject: [PATCH] e1000: bounds packet size against buffer size
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Otherwise we can write beyond the buffer and corrupt memory. This is tracked
as CVE-2012-0029.
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 65f82df0d7a71ce1b10cd4c5ab08888d176ac840)
Signed-off-by: Bruce Rogers <brogers@suse.com>
[AF: stable-0.15 does not have pci_dma_read(). Fixes BNC#740165.]
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
hw/e1000.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/hw/e1000.c b/hw/e1000.c
index 7971457..c91790b 100644
--- a/hw/e1000.c
+++ b/hw/e1000.c
@@ -472,6 +472,8 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
bytes = split_size;
if (tp->size + bytes > msh)
bytes = msh - tp->size;
+
+ bytes = MIN(sizeof(tp->data) - tp->size, bytes);
cpu_physical_memory_read(addr, tp->data + tp->size, bytes);
if ((sz = tp->size + bytes) >= hdr && tp->size < hdr)
memmove(tp->header, tp->data, hdr);
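Review bot: The clamp `bytes = MIN(sizeof(tp->data) - tp->size, bytes)` stops the write past tp->data, but it truncates silently: a descriptor chain that exceeds the buffer is now sent as a shorter frame rather than rejected. Logging through DBGOUT(TXERR, ...) when the clamp actually changes `bytes`, or dropping the packet, would make a misbehaving guest driver visible instead of producing a corrupt frame. Also worth confirming in review: `hdr` in `memmove(tp->header, tp->data, hdr)` is bounded against sizeof(tp->header) where it is taken from the context descriptor, since this hunk does not check it.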
@@ -487,6 +489,7 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
// context descriptor TSE is not set, while data descriptor TSE is set
DBGOUT(TXERR, "TCP segmentaion Error\n");
} else {
+ split_size = MIN(sizeof(tp->data) - tp->size, split_size);
cpu_physical_memory_read(addr, tp->data + tp->size, split_size);
tp->size += split_size;
}
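Review bot: Same clamp pattern as the previous hunk. Because `sizeof(tp->data) - tp->size` is an unsigned expression, the invariant that tp->size never exceeds sizeof(tp->data) must hold everywhere tp->size is advanced, otherwise MIN would receive a wrapped, huge value; a comment stating that invariant, or a small helper shared by both sites, would make this explicit.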
--
1.7.11.2

@ -0,0 +1,49 @@
From 89409a7eee1d25a91c31402fdb35d8554e3a99d0 Mon Sep 17 00:00:00 2001
From: Peter Maydell <peter.maydell@linaro.org>
Date: Thu, 13 Oct 2011 18:45:37 +0100
Subject: [PATCH] compatfd.c: Don't pass NULL pointer to SYS_signalfd
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Don't pass a NULL pointer in to SYS_signalfd in qemu_signalfd_available():
this isn't valid and Valgrind complains about it.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
Signed-off-by: Andrzej Zaborowski <andrew.zaborowski@intel.com>
(cherry picked from commit 7f84c1272b601be88daeb828ec1890890c7aae25)
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
compatfd.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/compatfd.c b/compatfd.c
index 31654c6..02306a4 100644
--- a/compatfd.c
+++ b/compatfd.c
@@ -119,9 +119,17 @@ int qemu_signalfd(const sigset_t *mask)
bool qemu_signalfd_available(void)
{
#ifdef CONFIG_SIGNALFD
+ sigset_t mask;
+ int fd;
+ bool ok;
+ sigemptyset(&mask);
errno = 0;
- syscall(SYS_signalfd, -1, NULL, _NSIG / 8);
- return errno != ENOSYS;
+ fd = syscall(SYS_signalfd, -1, &mask, _NSIG / 8);
+ ok = (errno != ENOSYS);
+ if (fd >= 0) {
+ close(fd);
+ }
+ return ok;
#else
return false;
#endif
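Review bot: Capturing `ok` before the close() is correct, since close() can overwrite errno. One readability point: `errno != ENOSYS` is evaluated even when the syscall succeeded (errno stays 0 because it was cleared first), so `ok = (fd >= 0 || errno != ENOSYS)` states the intent more directly. Passing a real empty sigset instead of NULL also means the probe can now succeed and create a descriptor, hence the new close; the old code never needed one because the NULL argument always failed.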
--
1.7.11.2

@ -0,0 +1,60 @@
From 479c2a6a296d4fafc713746bf96127c1b20c381e Mon Sep 17 00:00:00 2001
From: Avi Kivity <avi@redhat.com>
Date: Tue, 18 Oct 2011 19:43:12 +0200
Subject: [PATCH] kvm: avoid reentring kvm_flush_coalesced_mmio_buffer()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
mmio callbacks invoked by kvm_flush_coalesced_mmio_buffer() may
themselves indirectly call kvm_flush_coalesced_mmio_buffer().
Prevent reentering the function by checking a flag that indicates
we're processing coalesced mmio requests.
Signed-off-by: Avi Kivity <avi@redhat.com>
(cherry picked from commit 1cae88b9f4121c9af0bf677435c6129e643280fd)
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
kvm-all.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/kvm-all.c b/kvm-all.c
index cbc2532..26621d0 100644
--- a/kvm-all.c
+++ b/kvm-all.c
@@ -64,6 +64,7 @@ struct KVMState
int vmfd;
int coalesced_mmio;
struct kvm_coalesced_mmio_ring *coalesced_mmio_ring;
+ bool coalesced_flush_in_progress;
int broken_set_mem_region;
int migration_log;
int vcpu_events;
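Review bot: The new `coalesced_flush_in_progress` flag must start out false; confirm KVMState is allocated with a zeroing allocator (or initialise the field explicitly in kvm_init), since this hunk adds no initialiser.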
@@ -876,6 +877,13 @@ static int kvm_handle_internal_error(CPUState *env, struct kvm_run *run)
void kvm_flush_coalesced_mmio_buffer(void)
{
KVMState *s = kvm_state;
+
+ if (s->coalesced_flush_in_progress) {
+ return;
+ }
+
+ s->coalesced_flush_in_progress = true;
+
if (s->coalesced_mmio_ring) {
struct kvm_coalesced_mmio_ring *ring = s->coalesced_mmio_ring;
while (ring->first != ring->last) {
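Review bot: The early return is safe rather than lossy because the outer invocation is still inside the `while (ring->first != ring->last)` loop and will drain whatever the reentrant caller expected to be flushed; a one-line comment at the `return` saying so would stop a future reader from "fixing" it into a deferred flush. The flag is cleared at the end of the function and there is no early-exit path between set and clear in the visible code, but any `return` added inside the loop later must clear it too.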
@@ -888,6 +896,8 @@ void kvm_flush_coalesced_mmio_buffer(void)
ring->first = (ring->first + 1) % KVM_COALESCED_MMIO_MAX;
}
}
+
+ s->coalesced_flush_in_progress = false;
}
static void do_kvm_cpu_synchronize_state(void *_env)
--
1.7.11.2

@ -0,0 +1,36 @@
From 1b09be835d853b8fd591e1f5de29ae20ed405722 Mon Sep 17 00:00:00 2001
From: Pavel Borzenkov <pavel.borzenkov@gmail.com>
Date: Tue, 18 Oct 2011 21:19:03 +0400
Subject: [PATCH] vmdk: vmdk_read_cid returns garbage if p_name is NULL
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Spotted by Clang Analyzer
Signed-off-by: Pavel Borzenkov <pavel.borzenkov@gmail.com>
Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
(cherry picked from commit 8379e46d1fd681b8aa4714382e2cdab05e5d0575)
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
block/vmdk.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/block/vmdk.c b/block/vmdk.c
index 37478d2..b5caa40 100644
--- a/block/vmdk.c
+++ b/block/vmdk.c
@@ -177,7 +177,7 @@ static void vmdk_free_extents(BlockDriverState *bs)
static uint32_t vmdk_read_cid(BlockDriverState *bs, int parent)
{
char desc[DESC_SIZE];
- uint32_t cid;
+ uint32_t cid = 0xffffffff;
const char *p_name, *cid_str;
size_t cid_str_size;
BDRVVmdkState *s = bs->opaque;
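Review bot: Initialising `cid` to 0xffffffff fixes the uninitialised return on the p_name == NULL path, but the sentinel is implicit; a comment stating that 0xffffffff means "no CID found", so that callers comparing parent and child CIDs see a mismatch rather than a chance match, would document the contract. Check that the callers treat that value as an error rather than as a legitimate CID.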
--
1.7.11.2

@ -0,0 +1,43 @@
From 72e8677ee72152245f5dc222a85f83a6a382efe8 Mon Sep 17 00:00:00 2001
From: Kevin Wolf <kwolf@redhat.com>
Date: Wed, 26 Oct 2011 11:03:01 +0200
Subject: [PATCH] block: Fix bdrv_open use after free
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
tmp_filename was used outside the block it was defined in, i.e. after it went
out of scope. Move its declaration to the top level.
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 2b5728164fcf5211bbae8d3c2fc6df62dd6b2295)
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
block.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/block.c b/block.c
index 9549b9e..4ebb18b 100644
--- a/block.c
+++ b/block.c
@@ -526,6 +526,7 @@ int bdrv_open(BlockDriverState *bs, const char *filename, int flags,
BlockDriver *drv)
{
int ret;
+ char tmp_filename[PATH_MAX];
if (flags & BDRV_O_SNAPSHOT) {
BlockDriverState *bs1;
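Review bot: Hoisting `tmp_filename` to function scope fixes the dangling use after the `if (flags & BDRV_O_SNAPSHOT)` block ends. It is now uninitialised on the non-snapshot path, so any later read of it must still be guarded by the same flag; it also keeps PATH_MAX bytes on the stack for every bdrv_open call, which is acceptable here but worth a comment.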
@@ -533,7 +534,6 @@ int bdrv_open(BlockDriverState *bs, const char *filename, int flags,
int is_protocol = 0;
BlockDriver *bdrv_qcow2;
QEMUOptionParameter *options;
- char tmp_filename[PATH_MAX];
char backing_filename[PATH_MAX];
/* if snapshot, we create a temporary backing file and open it
--
1.7.11.2

@ -0,0 +1,34 @@
From 99f6b4ed1c345b144b0f052974cb470036418020 Mon Sep 17 00:00:00 2001
From: Kevin Wolf <kwolf@redhat.com>
Date: Wed, 26 Oct 2011 11:52:47 +0200
Subject: [PATCH] ide: Fix off-by-one error in array index check
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit fb60105d4942a26f571b1be92a8b9e7528d0c4d8)
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
hw/ide/core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/ide/core.c b/hw/ide/core.c
index d145b19..9bc446e 100644
--- a/hw/ide/core.c
+++ b/hw/ide/core.c
@@ -1933,7 +1933,7 @@ static int ide_drive_pio_post_load(void *opaque, int version_id)
{
IDEState *s = opaque;
- if (s->end_transfer_fn_idx > ARRAY_SIZE(transfer_end_table)) {
+ if (s->end_transfer_fn_idx >= ARRAY_SIZE(transfer_end_table)) {
return -EINVAL;
}
s->end_transfer_func = transfer_end_table[s->end_transfer_fn_idx];
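Review bot: `>=` is the correct bound since valid indices run from 0 to ARRAY_SIZE(transfer_end_table) - 1. This check runs in post_load on data from the migration stream, so it is the only thing between a malformed stream and an out-of-bounds function-pointer read; if `end_transfer_fn_idx` is a signed int, the comparison against ARRAY_SIZE (a size_t) promotes it to unsigned and so rejects negative values as well, but that is subtle enough to deserve a comment or an explicit `< 0` check.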
--
1.7.11.2

@ -0,0 +1,52 @@
From fa9ad46e1a4b3707a465bccf6f4431db7a647a08 Mon Sep 17 00:00:00 2001
From: Markus Armbruster <armbru@redhat.com>
Date: Fri, 28 Oct 2011 17:07:02 +0200
Subject: [PATCH] acl: Fix use after free in qemu_acl_reset()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reproducer:
$ MALLOC_PERTURB_=234 qemu-system-x86_64 -vnc :0,acl,sasl [...]
QEMU 0.15.50 monitor - type 'help' for more information
(qemu) acl_add vnc.username fred allow
acl: added rule at position 1
(qemu) acl_reset vnc.username
Segmentation fault (core dumped)
Spotted by Coverity.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
(cherry picked from commit 0ce6a434176e274a7e86bcaa268542c5cc402696)
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
acl.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/acl.c b/acl.c
index 82c2704..cae059f 100644
--- a/acl.c
+++ b/acl.c
@@ -95,13 +95,13 @@ int qemu_acl_party_is_allowed(qemu_acl *acl,
void qemu_acl_reset(qemu_acl *acl)
{
- qemu_acl_entry *entry;
+ qemu_acl_entry *entry, *next_entry;
/* Put back to deny by default, so there is no window
* of "open access" while the user re-initializes the
* access control list */
acl->defaultDeny = 1;
- QTAILQ_FOREACH(entry, &acl->entries, next) {
+ QTAILQ_FOREACH_SAFE(entry, &acl->entries, next, next_entry) {
QTAILQ_REMOVE(&acl->entries, entry, next);
free(entry->match);
free(entry);
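Review bot: QTAILQ_FOREACH_SAFE is required here because QTAILQ_REMOVE followed by free(entry) would otherwise have the loop read `entry->next` from freed memory on the next iteration, which is exactly what the MALLOC_PERTURB_ reproducer exposes. Worth confirming that any entry counter kept on the acl struct is also reset to zero after the loop, since the hunk only shows the list being emptied.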
--
1.7.11.2

@ -0,0 +1,71 @@
From 06400ebc136bf44f1fa423159fae9cc9a4f6839d Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Thu, 27 Oct 2011 09:12:04 +0200
Subject: [PATCH] migration: flush migration data to disk.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This patch increases robustness when migrating to a file with
two little changes:
(1) Before closing the migration file handle checks if it happens to be
a regular file and if so it issues a fsync. This way the data is
flushed to disk before qemu sends the migration completed event.
(2) It adds error checking. In case either fsync or close syscall
fails pass up the error (and fail migration).
[ v2: return -errno instead of -1 ]
Cc: Juan Quintela <quintela@redhat.com>
Cc: Jiri Denemark <jdenemar@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit aab2293687ee54a409f3fb53a1ab3595b595e0fb)
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
migration-fd.c | 23 ++++++++++++++++++++++-
1 file changed, 22 insertions(+), 1 deletion(-)
diff --git a/migration-fd.c b/migration-fd.c
index 66d51c1..f986bdf 100644
--- a/migration-fd.c
+++ b/migration-fd.c
@@ -42,10 +42,31 @@ static int fd_write(FdMigrationState *s, const void * buf, size_t size)
static int fd_close(FdMigrationState *s)
{
+ struct stat st;
+ int ret;
+
DPRINTF("fd_close\n");
if (s->fd != -1) {
- close(s->fd);
+ ret = fstat(s->fd, &st);
+ if (ret == 0 && S_ISREG(st.st_mode)) {
+ /*
+ * If the file handle is a regular file make sure the
+ * data is flushed to disk before signaling success.
+ */
+ ret = fsync(s->fd);
+ if (ret != 0) {
+ ret = -errno;
+ perror("migration-fd: fsync");
+ return ret;
+ }
+ }
+ ret = close(s->fd);
s->fd = -1;
+ if (ret != 0) {
+ ret = -errno;
+ perror("migration-fd: close");
+ return ret;
+ }
}
return 0;
}
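Review bot: On the fsync() failure path the function returns before close(), leaving `s->fd` open and still set; unless the caller closes it itself, the descriptor leaks, and a repeated fd_close would fsync again. Closing the fd and setting s->fd = -1 before returning the saved -errno would keep the error reported without the leak. `perror` after `ret = -errno` is fine since the assignment does not touch errno, but calling perror first avoids the question.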
--
1.7.11.2

@ -0,0 +1,55 @@
From 7a890dc5d4e79e4ced03aa9d3665c9a1df3e448e Mon Sep 17 00:00:00 2001
From: Bharata B Rao <bharata.rao@gmail.com>
Date: Wed, 2 Nov 2011 14:16:08 +0530
Subject: [PATCH] Fix X86 CPU topology in KVM mode
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
apic id returned to guest kernel in ebx for cpuid(function=1) depends on
CPUX86State->cpuid_apic_id which gets populated after the cpuid information
is cached in the host kernel. This results in broken CPU topology in guest.
Fix this by setting cpuid_apic_id before cpuid information is passed to
the host kernel. This is done by moving the setting of cpuid_apic_id
to cpu_x86_init() where it will work for both KVM as well as TCG modes.
Acked-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Bharata B Rao <bharata.rao@gmail.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit f2209eb854a016eabc444b45f6d6b1636949141f)
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
hw/pc.c | 1 -
target-i386/helper.c | 1 +
2 files changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/pc.c b/hw/pc.c
index a3e8539..14ce684 100644
--- a/hw/pc.c
+++ b/hw/pc.c
@@ -931,7 +931,6 @@ static CPUState *pc_new_cpu(const char *cpu_model)
exit(1);
}
if ((env->cpuid_features & CPUID_APIC) || smp_cpus > 1) {
- env->cpuid_apic_id = env->cpu_index;
env->apic_state = apic_init(env, env->cpuid_apic_id);
}
qemu_register_reset(pc_cpu_reset, env);
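Review bot: After this removal apic_init relies on env->cpuid_apic_id having already been set in cpu_x86_init; that holds as long as pc_new_cpu only reaches this point via cpu_init()/cpu_x86_init, so a brief comment saying where the id now comes from would keep someone from reintroducing the assignment here.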
diff --git a/target-i386/helper.c b/target-i386/helper.c
index e9be104..829c1da 100644
--- a/target-i386/helper.c
+++ b/target-i386/helper.c
@@ -1258,6 +1258,7 @@ CPUX86State *cpu_x86_init(const char *cpu_model)
cpu_x86_close(env);
return NULL;
}
+ env->cpuid_apic_id = env->cpu_index;
mce_init(env);
qemu_init_vcpu(env);
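Review bot: Setting cpuid_apic_id before qemu_init_vcpu is the ordering that matters, because for KVM the CPUID table is handed to the kernel from qemu_init_vcpu; the commit message explains this but the code does not, so a one-line comment above the assignment would help.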
--
1.7.11.2

@ -0,0 +1,37 @@
From e9552556f514b334b78ed56e32b4af366b429a0b Mon Sep 17 00:00:00 2001
From: Peter Maydell <peter.maydell@linaro.org>
Date: Wed, 9 Nov 2011 18:59:54 +0000
Subject: [PATCH] hw/lan9118.c: Add missing 'break' to fix buffer overrun
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Add a missing 'break' statement to fix a buffer overrun when
executing the EEPROM write-all command. Spotted by Coverity
(see bug 887883).
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
(cherry picked from commit 0e3b800e71cb7759d099eabbd8ad4c4fe848e381)
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
hw/lan9118.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/hw/lan9118.c b/hw/lan9118.c
index 73a8661..494b11d 100644
--- a/hw/lan9118.c
+++ b/hw/lan9118.c
@@ -863,6 +863,7 @@ static void lan9118_eeprom_cmd(lan9118_state *s, int cmd, int addr)
} else {
DPRINTF("EEPROM Write All (ignored)\n");
}
+ break;
case 5: /* ERASE */
if (s->eeprom_writable) {
s->eeprom[addr] = 0xff;
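Review bot: The missing `break` meant the write-all command fell through into the ERASE case; the fix is correct. It is worth confirming that `addr` is masked to the EEPROM size before lan9118_eeprom_cmd is called, since `s->eeprom[addr] = 0xff` in the ERASE case uses it directly and that is the index the fall-through was reaching.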
--
1.7.11.2

@ -0,0 +1,119 @@
From 498a3d8b7d28b8c114d65d9db5ccf3e96e2458f1 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Mon, 7 Nov 2011 16:33:09 +0100
Subject: [PATCH] ac97: don't override the pci subsystem id
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This patch removes the code lines which set the subsystem id for the
emulated ac97 card to 8086:0000. Due to the device id being zero the
subsystem id isn't valid anyway. With the patch applied the sound card
gets the default qemu subsystem id (1af4:1100) instead.
[ v2: old & broken id is maintained for -M pc-$oldqemuversion ]
Cc: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 25a21c94c0055e078acb7f7455e66c8a15f32385)
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
hw/ac97.c | 16 +++++++++++-----
hw/pc_piix.c | 16 ++++++++++++++++
2 files changed, 27 insertions(+), 5 deletions(-)
diff --git a/hw/ac97.c b/hw/ac97.c
index 0b59896..a039481 100644
--- a/hw/ac97.c
+++ b/hw/ac97.c
@@ -149,6 +149,7 @@ typedef struct AC97BusMasterRegs {
typedef struct AC97LinkState {
PCIDevice dev;
QEMUSoundCard card;
+ uint32_t use_broken_id;
uint32_t glob_cnt;
uint32_t glob_sta;
uint32_t cas;
@@ -1301,11 +1302,12 @@ static int ac97_initfn (PCIDevice *dev)
c[PCI_BASE_ADDRESS_0 + 6] = 0x00;
c[PCI_BASE_ADDRESS_0 + 7] = 0x00;
- c[PCI_SUBSYSTEM_VENDOR_ID] = 0x86; /* svid subsystem vendor id rwo */
- c[PCI_SUBSYSTEM_VENDOR_ID + 1] = 0x80;
-
- c[PCI_SUBSYSTEM_ID] = 0x00; /* sid subsystem id rwo */
- c[PCI_SUBSYSTEM_ID + 1] = 0x00;
+ if (s->use_broken_id) {
+ c[PCI_SUBSYSTEM_VENDOR_ID] = 0x86;
+ c[PCI_SUBSYSTEM_VENDOR_ID + 1] = 0x80;
+ c[PCI_SUBSYSTEM_ID] = 0x00;
+ c[PCI_SUBSYSTEM_ID + 1] = 0x00;
+ }
c[PCI_INTERRUPT_LINE] = 0x00; /* intr_ln interrupt line rw */
/* TODO: RST# value should be 0. */
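Review bot: With use_broken_id at its default of 0 the subsystem vendor/device bytes are simply not written here, so the device keeps whatever the PCI core initialises (1af4:1100 according to the commit message); a comment on the `if (s->use_broken_id)` block should say so, since a reader might otherwise assume the fields are left as zero.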
@@ -1336,6 +1338,10 @@ static PCIDeviceInfo ac97_info = {
.device_id = PCI_DEVICE_ID_INTEL_82801AA_5,
.revision = 0x01,
.class_id = PCI_CLASS_MULTIMEDIA_AUDIO,
+ .qdev.props = (Property[]) {
+ DEFINE_PROP_UINT32("use_broken_id", AC97LinkState, use_broken_id, 0),
+ DEFINE_PROP_END_OF_LIST(),
+ }
};
static void ac97_register (void)
diff --git a/hw/pc_piix.c b/hw/pc_piix.c
index c5c16b4..31552fd 100644
--- a/hw/pc_piix.c
+++ b/hw/pc_piix.c
@@ -300,6 +300,10 @@ static QEMUMachine pc_machine_v0_13 = {
.driver = "virtio-net-pci",
.property = "event_idx",
.value = "off",
+ },{
+ .driver = "AC97",
+ .property = "use_broken_id",
+ .value = stringify(1),
},
{ /* end of list */ }
},
@@ -343,6 +347,10 @@ static QEMUMachine pc_machine_v0_12 = {
.driver = "virtio-net-pci",
.property = "event_idx",
.value = "off",
+ },{
+ .driver = "AC97",
+ .property = "use_broken_id",
+ .value = stringify(1),
},
{ /* end of list */ }
}
@@ -394,6 +402,10 @@ static QEMUMachine pc_machine_v0_11 = {
.driver = "virtio-net-pci",
.property = "event_idx",
.value = "off",
+ },{
+ .driver = "AC97",
+ .property = "use_broken_id",
+ .value = stringify(1),
},
{ /* end of list */ }
}
@@ -457,6 +469,10 @@ static QEMUMachine pc_machine_v0_10 = {
.driver = "virtio-net-pci",
.property = "event_idx",
.value = "off",
+ },{
+ .driver = "AC97",
+ .property = "use_broken_id",
+ .value = stringify(1),
},
{ /* end of list */ }
},
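Review bot: The four pc_piix.c hunks are identical and only cover pc-0.13 through pc-0.10. This is a backport into a 0.15-based tree, so the pc-0.14 and pc-0.15 machine types in this tree also shipped with the 8086:0000 subsystem id; unless they are covered elsewhere, guests on those machine types will see the id change after the upgrade, which is exactly what the compat property is meant to avoid. Please check whether the same `use_broken_id` entry is needed for those machine definitions too.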
--
1.7.11.2

@ -0,0 +1,36 @@
From f03f1fc43b30c377a553daf7709e1f0f392a532b Mon Sep 17 00:00:00 2001
From: Kevin Wolf <kwolf@redhat.com>
Date: Wed, 1 Jun 2011 10:57:00 +0200
Subject: [PATCH] vvfat: Fix potential buffer overflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
path2[PATH_MAX] can be used for the null termination, so make the array big
enough to allow this.
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 0d460d6f414e02805cbc348404db03b2b7907360)
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
block/vvfat.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/block/vvfat.c b/block/vvfat.c
index fe568fe..98b58f0 100644
--- a/block/vvfat.c
+++ b/block/vvfat.c
@@ -1741,7 +1741,7 @@ static int check_directory_consistency(BDRVVVFATState *s,
long_file_name lfn;
int path_len = strlen(path);
- char path2[PATH_MAX];
+ char path2[PATH_MAX + 1];
assert(path_len < PATH_MAX); /* len was tested before! */
pstrcpy(path2, sizeof(path2), path);
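Review bot: Enlarging the buffer removes the one-byte overflow, and with `assert(path_len < PATH_MAX)` plus pstrcpy using sizeof(path2) the copy is bounded. Note that PATH_MAX by definition already counts the terminating NUL, so a path that needs path2[PATH_MAX] is longer than the system limit and will be rejected by later filesystem calls anyway; a comment stating that the extra byte exists only so the concatenation cannot overrun would explain the unusual `PATH_MAX + 1` size.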
--
1.7.11.2

@ -0,0 +1,116 @@
From 5a32540f7b39f0b1224c3d6f1d12b6d4e358fe0a Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Wed, 7 Sep 2011 17:52:10 +0200
Subject: [PATCH] vnc/tls: don't use deprecated gnutls functions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Avoid using deprecated gnutls functions with recent gnutls versions.
Fixes build failure on Fedora 16. Keep the old way for compatibility
with old installations such as RHEL-5 (gnutls 1.4.x).
Based on a patch from Raghavendra D Prabhu <raghu.prabhu13@gmail.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit f40d55081667a716312b9a8b6e13835c4074f56b)
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
ui/vnc-tls.c | 68 +++++++++++++++++++++++++++++++++++++++++++-----------------
1 file changed, 49 insertions(+), 19 deletions(-)
diff --git a/ui/vnc-tls.c b/ui/vnc-tls.c
index 31f1467..f5ed306 100644
--- a/ui/vnc-tls.c
+++ b/ui/vnc-tls.c
@@ -283,13 +283,57 @@ int vnc_tls_validate_certificate(struct VncState *vs)
return 0;
}
+#if defined(GNUTLS_VERSION_NUMBER) && \
+ GNUTLS_VERSION_NUMBER >= 0x020200 /* 2.2.0 */
+
+static int vnc_set_gnutls_priority(gnutls_session_t s, int x509)
+{
+ const char *priority = x509 ? "NORMAL" : "NORMAL:+ANON-DH";
+ int rc;
+
+ rc = gnutls_priority_set_direct(s, priority, NULL);
+ if (rc != GNUTLS_E_SUCCESS) {
+ return -1;
+ }
+ return 0;
+}
+
+#else
+
+static int vnc_set_gnutls_priority(gnutls_session_t s, int x509)
+{
+ static const int cert_types[] = { GNUTLS_CRT_X509, 0 };
+ static const int protocols[] = {
+ GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0
+ };
+ static const int kx_anon[] = { GNUTLS_KX_ANON_DH, 0 };
+ static const int kx_x509[] = {
+ GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA,
+ GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0
+ };
+ int rc;
+
+ rc = gnutls_kx_set_priority(s, x509 ? kx_x509 : kx_anon);
+ if (rc != GNUTLS_E_SUCCESS) {
+ return -1;
+ }
+
+ rc = gnutls_certificate_type_set_priority(s, cert_types);
+ if (rc != GNUTLS_E_SUCCESS) {
+ return -1;
+ }
+
+ rc = gnutls_protocol_set_priority(s, protocols);
+ if (rc != GNUTLS_E_SUCCESS) {
+ return -1;
+ }
+ return 0;
+}
+
+#endif
int vnc_tls_client_setup(struct VncState *vs,
int needX509Creds) {
- static const int cert_type_priority[] = { GNUTLS_CRT_X509, 0 };
- static const int protocol_priority[]= { GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0 };
- static const int kx_anon[] = {GNUTLS_KX_ANON_DH, 0};
- static const int kx_x509[] = {GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA, GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0};
VNC_DEBUG("Do TLS setup\n");
if (vnc_tls_initialize() < 0) {
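Review bot: Both branches keep SSL 3.0 enabled: the legacy branch lists GNUTLS_SSL3 explicitly in `protocols`, and the "NORMAL" priority string of gnutls releases from that era included SSL 3.0 by default. Since this configures the server side of the VNC TLS session, restricting the priority to TLS only (for example "NORMAL:-VERS-SSL3.0" on the new branch and dropping GNUTLS_SSL3 on the old one) would be a sensible hardening, best done as a separate patch since this one is a build fix. The "+ANON-DH" path is intentionally unauthenticated for the non-x509 VNC auth types; the function should state that in a comment.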
@@ -310,21 +354,7 @@ int vnc_tls_client_setup(struct VncState *vs,
return -1;
}
- if (gnutls_kx_set_priority(vs->tls.session, needX509Creds ? kx_x509 : kx_anon) < 0) {
- gnutls_deinit(vs->tls.session);
- vs->tls.session = NULL;
- vnc_client_error(vs);
- return -1;
- }
-
- if (gnutls_certificate_type_set_priority(vs->tls.session, cert_type_priority) < 0) {
- gnutls_deinit(vs->tls.session);
- vs->tls.session = NULL;
- vnc_client_error(vs);
- return -1;
- }
-
- if (gnutls_protocol_set_priority(vs->tls.session, protocol_priority) < 0) {
+ if (vnc_set_gnutls_priority(vs->tls.session, needX509Creds) < 0) {
gnutls_deinit(vs->tls.session);
vs->tls.session = NULL;
vnc_client_error(vs);
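Review bot: collapsing the three priority calls into one `vnc_set_gnutls_priority` call loses the information of which step failed, and the helper discards `rc` on every error path. Suggest emitting `VNC_DEBUG("TLS priority setup failed: %s\n", gnutls_strerror(rc));` inside the helper before each `return -1;`, so the failure stays diagnosable from the VNC debug log.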
--
1.7.11.2



@ -0,0 +1,76 @@
From 84be2986f687b998f583b27d8b3e068e87032418 Mon Sep 17 00:00:00 2001
From: Nick Thomas <nick@bytemark.co.uk>
Date: Wed, 21 Sep 2011 11:55:49 +0100
Subject: [PATCH] block/curl: Implement a flush function on the fd handlers
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Nick Thomas <nick@bytemark.co.uk>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit c84dcdc1d6583ebe5841907c99d95deb8c40a6e0)
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
block/curl.c | 26 ++++++++++++++++++++++----
1 file changed, 22 insertions(+), 4 deletions(-)
diff --git a/block/curl.c b/block/curl.c
index 407f095..6cf6a70 100644
--- a/block/curl.c
+++ b/block/curl.c
@@ -76,6 +76,7 @@ typedef struct BDRVCURLState {
static void curl_clean_state(CURLState *s);
static void curl_multi_do(void *arg);
+static int curl_aio_flush(void *opaque);
static int curl_sock_cb(CURL *curl, curl_socket_t fd, int action,
void *s, void *sp)
@@ -83,14 +84,16 @@ static int curl_sock_cb(CURL *curl, curl_socket_t fd, int action,
DPRINTF("CURL (AIO): Sock action %d on fd %d\n", action, fd);
switch (action) {
case CURL_POLL_IN:
- qemu_aio_set_fd_handler(fd, curl_multi_do, NULL, NULL, NULL, s);
+ qemu_aio_set_fd_handler(fd, curl_multi_do, NULL, curl_aio_flush,
+ NULL, s);
break;
case CURL_POLL_OUT:
- qemu_aio_set_fd_handler(fd, NULL, curl_multi_do, NULL, NULL, s);
+ qemu_aio_set_fd_handler(fd, NULL, curl_multi_do, curl_aio_flush,
+ NULL, s);
break;
case CURL_POLL_INOUT:
- qemu_aio_set_fd_handler(fd, curl_multi_do,
- curl_multi_do, NULL, NULL, s);
+ qemu_aio_set_fd_handler(fd, curl_multi_do, curl_multi_do,
+ curl_aio_flush, NULL, s);
break;
case CURL_POLL_REMOVE:
qemu_aio_set_fd_handler(fd, NULL, NULL, NULL, NULL, NULL);
@@ -394,6 +397,21 @@ out_noclean:
return -EINVAL;
}
+static int curl_aio_flush(void *opaque)
+{
+ BDRVCURLState *s = opaque;
+ int i, j;
+
+ for (i=0; i < CURL_NUM_STATES; i++) {
+ for(j=0; j < CURL_NUM_ACB; j++) {
+ if (s->states[i].acb[j]) {
+ return 1;
+ }
+ }
+ }
+ return 0;
+}
+
static void curl_aio_cancel(BlockDriverAIOCB *blockacb)
{
// Do we have to implement canceling? Seems to work without...
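Review bot: style in `curl_aio_flush`: `for (i=0; ...)` and `for(j=0; ...)` should be `for (i = 0; i < CURL_NUM_STATES; i++)` and `for (j = 0; j < CURL_NUM_ACB; j++)` to match the QEMU coding style of the surrounding code. The logic itself (report pending work as soon as any `acb[j]` is non-NULL) is fine.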
--
1.7.11.2


@ -0,0 +1,51 @@
From 05a5f7c79ad8dc4887e7cd60c2572121b51adce7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@gmail.com>
Date: Tue, 25 Oct 2011 16:53:00 +0200
Subject: [PATCH] hda: do not mix output and input streams, RHBZ #740493
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Windows 7 may use the same stream number for input and output.
That will result in a lot of garbage on playback.
The hardcoded value of 4 needs to be in sync with GCAP streams
description and IN/OUT registers.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: malc <av1474@comtv.ru>
(cherry picked from commit 36ac4ad3d054a7b4962a6393630a73591cfa9558)
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
hw/intel-hda.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/hw/intel-hda.c b/hw/intel-hda.c
index 5a2bc3a..7d02558 100644
--- a/hw/intel-hda.c
+++ b/hw/intel-hda.c
@@ -389,14 +389,15 @@ static bool intel_hda_xfer(HDACodecDevice *dev, uint32_t stnr, bool output,
{
HDACodecBus *bus = DO_UPCAST(HDACodecBus, qbus, dev->qdev.parent_bus);
IntelHDAState *d = container_of(bus, IntelHDAState, codecs);
- IntelHDAStream *st = NULL;
target_phys_addr_t addr;
uint32_t s, copy, left;
+ IntelHDAStream *st;
bool irq = false;
- for (s = 0; s < ARRAY_SIZE(d->st); s++) {
- if (stnr == ((d->st[s].ctl >> 20) & 0x0f)) {
- st = d->st + s;
+ st = output ? d->st + 4 : d->st;
+ for (s = 0; s < 4; s++) {
+ if (stnr == ((st[s].ctl >> 20) & 0x0f)) {
+ st = st + s;
break;
}
}
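Review bot: the removed `IntelHDAStream *st = NULL;` initialiser was the "no stream matched" sentinel; after this hunk `st` points at `d->st` or `d->st + 4` when the loop finds no stream numbered `stnr`, so any `st == NULL` test following the loop can no longer fire and the function would operate on stream 0 (or 4). Add an explicit `if (s == 4) { return false; }` after the loop, or show the follow-up check in the same function, before merging.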
--
1.7.11.2


@ -0,0 +1,172 @@
From 51a747e171a66d0dc1e4b47c0238fb2e7fa6b118 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@gmail.com>
Date: Tue, 25 Oct 2011 16:53:01 +0200
Subject: [PATCH] hda: do not mix output and input stream states, RHBZ #740493
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Windows 7 may use the same stream number for input and output.
Current code will confuse streams.
Changes since v1:
- keep running_compat[] for migration version 1
- add running_real[] for migration version 2
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: malc <av1474@comtv.ru>
(cherry picked from commit ba43d28916c4f51c19bd7366089155ce81bee058)
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
hw/hda-audio.c | 26 +++++++++++++++++++-------
hw/intel-hda.c | 9 +++++----
hw/intel-hda.h | 2 +-
3 files changed, 25 insertions(+), 12 deletions(-)
diff --git a/hw/hda-audio.c b/hw/hda-audio.c
index c699d6f..9b089e6 100644
--- a/hw/hda-audio.c
+++ b/hw/hda-audio.c
@@ -466,7 +466,8 @@ struct HDAAudioState {
QEMUSoundCard card;
const desc_codec *desc;
HDAAudioStream st[4];
- bool running[16];
+ bool running_compat[16];
+ bool running_real[2 * 16];
/* properties */
uint32_t debug;
@@ -663,7 +664,7 @@ static void hda_audio_command(HDACodecDevice *hda, uint32_t nid, uint32_t data)
st->channel = payload & 0x0f;
dprint(a, 2, "%s: stream %d, channel %d\n",
st->node->name, st->stream, st->channel);
- hda_audio_set_running(st, a->running[st->stream]);
+ hda_audio_set_running(st, a->running_real[st->output * 16 + st->stream]);
hda_codec_response(hda, true, 0);
break;
case AC_VERB_GET_CONV:
@@ -746,16 +747,20 @@ fail:
hda_codec_response(hda, true, 0);
}
-static void hda_audio_stream(HDACodecDevice *hda, uint32_t stnr, bool running)
+static void hda_audio_stream(HDACodecDevice *hda, uint32_t stnr, bool running, bool output)
{
HDAAudioState *a = DO_UPCAST(HDAAudioState, hda, hda);
int s;
- a->running[stnr] = running;
+ a->running_compat[stnr] = running;
+ a->running_real[output * 16 + stnr] = running;
for (s = 0; s < ARRAY_SIZE(a->st); s++) {
if (a->st[s].node == NULL) {
continue;
}
+ if (a->st[s].output != output) {
+ continue;
+ }
if (a->st[s].stream != stnr) {
continue;
}
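Review bot: `a->running_real[output * 16 + stnr]` relies on `stnr < 16`; that holds for callers that derive the number from `(ctl >> 20) & 0x0f` as hw/intel-hda.c does, but `hda_audio_stream` is a bus callback and performs no range check of its own. Either `assert(stnr < 16)` here or state the contract in a comment on the `stream` callback in hw/intel-hda.h.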
@@ -837,6 +842,12 @@ static int hda_audio_post_load(void *opaque, int version)
int i;
dprint(a, 1, "%s\n", __FUNCTION__);
+ if (version == 1) {
+ /* assume running_compat[] is for output streams */
+ for (i = 0; i < ARRAY_SIZE(a->running_compat); i++)
+ a->running_real[16 + i] = a->running_compat[i];
+ }
+
for (i = 0; i < ARRAY_SIZE(a->st); i++) {
st = a->st + i;
if (st->node == NULL)
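Review bot: the version-1 compatibility loop `for (i = 0; ...) a->running_real[16 + i] = a->running_compat[i];` omits the braces the QEMU coding style requires and, as the comment says, assumes every pre-v2 flag belonged to an output stream; wrap the body in braces and mention in the commit message that input-stream flags from a version-1 migration stream are not restored by this path.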
@@ -844,7 +855,7 @@ static int hda_audio_post_load(void *opaque, int version)
hda_codec_parse_fmt(st->format, &st->as);
hda_audio_setup(st);
hda_audio_set_amp(st);
- hda_audio_set_running(st, a->running[st->stream]);
+ hda_audio_set_running(st, a->running_real[st->output * 16 + st->stream]);
}
return 0;
}
@@ -868,13 +879,14 @@ static const VMStateDescription vmstate_hda_audio_stream = {
static const VMStateDescription vmstate_hda_audio = {
.name = "hda-audio",
- .version_id = 1,
+ .version_id = 2,
.post_load = hda_audio_post_load,
.fields = (VMStateField []) {
VMSTATE_STRUCT_ARRAY(st, HDAAudioState, 4, 0,
vmstate_hda_audio_stream,
HDAAudioStream),
- VMSTATE_BOOL_ARRAY(running, HDAAudioState, 16),
+ VMSTATE_BOOL_ARRAY(running_compat, HDAAudioState, 16),
+ VMSTATE_BOOL_ARRAY_V(running_real, HDAAudioState, 2 * 16, 2),
VMSTATE_END_OF_LIST()
}
};
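Review bot: `.version_id` is bumped to 2 and `running_real` is tagged `VMSTATE_BOOL_ARRAY_V(..., 2)`, but the hunk does not show `.minimum_version_id`; for the `version == 1` branch in `hda_audio_post_load` ever to run, `minimum_version_id` (and `minimum_version_id_old`, if present) must stay at 1. Please confirm that in the full struct, otherwise version-1 streams are rejected before post_load is reached.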
diff --git a/hw/intel-hda.c b/hw/intel-hda.c
index 7d02558..904e4fc 100644
--- a/hw/intel-hda.c
+++ b/hw/intel-hda.c
@@ -485,7 +485,7 @@ static void intel_hda_parse_bdl(IntelHDAState *d, IntelHDAStream *st)
st->bp = 0;
}
-static void intel_hda_notify_codecs(IntelHDAState *d, uint32_t stream, bool running)
+static void intel_hda_notify_codecs(IntelHDAState *d, uint32_t stream, bool running, bool output)
{
DeviceState *qdev;
HDACodecDevice *cdev;
@@ -493,7 +493,7 @@ static void intel_hda_notify_codecs(IntelHDAState *d, uint32_t stream, bool runn
QLIST_FOREACH(qdev, &d->codecs.qbus.children, sibling) {
cdev = DO_UPCAST(HDACodecDevice, qdev, qdev);
if (cdev->info->stream) {
- cdev->info->stream(cdev, stream, running);
+ cdev->info->stream(cdev, stream, running, output);
}
}
}
@@ -567,6 +567,7 @@ static void intel_hda_set_ics(IntelHDAState *d, const IntelHDAReg *reg, uint32_t
static void intel_hda_set_st_ctl(IntelHDAState *d, const IntelHDAReg *reg, uint32_t old)
{
+ bool output = reg->stream >= 4;
IntelHDAStream *st = d->st + reg->stream;
if (st->ctl & 0x01) {
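Review bot: `bool output = reg->stream >= 4;` hard-codes the split between input and output streams, the same `4` the previous patch introduced in `intel_hda_xfer` and whose commit message says must agree with GCAP and the IN/OUT register layout; define it once (a named constant next to the stream array) and use it in both places so the two cannot drift.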
@@ -582,11 +583,11 @@ static void intel_hda_set_st_ctl(IntelHDAState *d, const IntelHDAReg *reg, uint3
dprint(d, 1, "st #%d: start %d (ring buf %d bytes)\n",
reg->stream, stnr, st->cbl);
intel_hda_parse_bdl(d, st);
- intel_hda_notify_codecs(d, stnr, true);
+ intel_hda_notify_codecs(d, stnr, true, output);
} else {
/* stop */
dprint(d, 1, "st #%d: stop %d\n", reg->stream, stnr);
- intel_hda_notify_codecs(d, stnr, false);
+ intel_hda_notify_codecs(d, stnr, false, output);
}
}
intel_hda_update_irq(d);
diff --git a/hw/intel-hda.h b/hw/intel-hda.h
index 4e44e38..65fd2a8 100644
--- a/hw/intel-hda.h
+++ b/hw/intel-hda.h
@@ -34,7 +34,7 @@ struct HDACodecDeviceInfo {
int (*init)(HDACodecDevice *dev);
int (*exit)(HDACodecDevice *dev);
void (*command)(HDACodecDevice *dev, uint32_t nid, uint32_t data);
- void (*stream)(HDACodecDevice *dev, uint32_t stnr, bool running);
+ void (*stream)(HDACodecDevice *dev, uint32_t stnr, bool running, bool output);
};
void hda_codec_bus_init(DeviceState *dev, HDACodecBus *bus,
--
1.7.11.2


@ -0,0 +1,108 @@
From 5621e2027384a35494508f3bc01a758bc2ac076b Mon Sep 17 00:00:00 2001
From: Eric Sunshine <sunshine@sunshineco.com>
Date: Wed, 26 Oct 2011 15:51:18 -0400
Subject: [PATCH] Teach block/vdi about "discarded" (no longer allocated)
blocks
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
An entry in the VDI block map will hold an offset to the actual block if
the block is allocated, or one of two specially-interpreted values if
not allocated. Using VirtualBox terminology, value VDI_IMAGE_BLOCK_FREE
(0xffffffff) represents a never-allocated block (semantically arbitrary
content). VDI_IMAGE_BLOCK_ZERO (0xfffffffe) represents a "discarded"
block (semantically zero-filled). block/vdi knows only about
VDI_IMAGE_BLOCK_FREE. Teach it about VDI_IMAGE_BLOCK_ZERO.
Signed-off-by: Eric Sunshine <sunshine@sunshineco.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit c794b4e0fd9ef8d72b068614dcdb2418c105d5cc)
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
block/vdi.c | 23 ++++++++++++++---------
1 file changed, 14 insertions(+), 9 deletions(-)
diff --git a/block/vdi.c b/block/vdi.c
index 261cf9b..1be0cdc 100644
--- a/block/vdi.c
+++ b/block/vdi.c
@@ -114,8 +114,13 @@ void uuid_unparse(const uuid_t uu, char *out);
*/
#define VDI_TEXT "<<< QEMU VM Virtual Disk Image >>>\n"
-/* Unallocated blocks use this index (no need to convert endianness). */
-#define VDI_UNALLOCATED UINT32_MAX
+/* A never-allocated block; semantically arbitrary content. */
+#define VDI_UNALLOCATED 0xffffffffU
+
+/* A discarded (no longer allocated) block; semantically zero-filled. */
+#define VDI_DISCARDED 0xfffffffeU
+
+#define VDI_IS_ALLOCATED(X) ((X) < VDI_DISCARDED)
#if !defined(CONFIG_UUID)
void uuid_generate(uuid_t out)
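Review bot: the dropped comment `(no need to convert endianness)` documented a real invariant: `UINT32_MAX` reads the same in either byte order, but `VDI_DISCARDED` (0xfffffffe) does not, so `VDI_IS_ALLOCATED()` is only correct on values that have been through `le32_to_cpu()`. Say so in the macro's comment; the `s->bmap[]` call sites in this patch do convert, but `bmap[bmap_entry]` in `vdi_check` is a separate array whose byte order the hunk does not show.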
@@ -307,10 +312,10 @@ static int vdi_check(BlockDriverState *bs, BdrvCheckResult *res)
/* Check block map and value of blocks_allocated. */
for (block = 0; block < s->header.blocks_in_image; block++) {
uint32_t bmap_entry = le32_to_cpu(s->bmap[block]);
- if (bmap_entry != VDI_UNALLOCATED) {
+ if (VDI_IS_ALLOCATED(bmap_entry)) {
if (bmap_entry < s->header.blocks_in_image) {
blocks_allocated++;
- if (bmap[bmap_entry] == VDI_UNALLOCATED) {
+ if (!VDI_IS_ALLOCATED(bmap[bmap_entry])) {
bmap[bmap_entry] = bmap_entry;
} else {
fprintf(stderr, "ERROR: block index %" PRIu32
@@ -472,7 +477,7 @@ static int vdi_is_allocated(BlockDriverState *bs, int64_t sector_num,
n_sectors = nb_sectors;
}
*pnum = n_sectors;
- return bmap_entry != VDI_UNALLOCATED;
+ return VDI_IS_ALLOCATED(bmap_entry);
}
static void vdi_aio_cancel(BlockDriverAIOCB *blockacb)
@@ -603,7 +608,7 @@ static void vdi_aio_read_cb(void *opaque, int ret)
/* prepare next AIO request */
acb->n_sectors = n_sectors;
bmap_entry = le32_to_cpu(s->bmap[block_index]);
- if (bmap_entry == VDI_UNALLOCATED) {
+ if (!VDI_IS_ALLOCATED(bmap_entry)) {
/* Block not allocated, return zeros, no need to wait. */
memset(acb->buf, 0, n_sectors * SECTOR_SIZE);
ret = vdi_schedule_bh(vdi_aio_rw_bh, acb);
@@ -685,7 +690,7 @@ static void vdi_aio_write_cb(void *opaque, int ret)
if (acb->header_modified) {
VdiHeader *header = acb->block_buffer;
logout("now writing modified header\n");
- assert(acb->bmap_first != VDI_UNALLOCATED);
+ assert(VDI_IS_ALLOCATED(acb->bmap_first));
*header = s->header;
vdi_header_to_le(header);
acb->header_modified = 0;
@@ -699,7 +704,7 @@ static void vdi_aio_write_cb(void *opaque, int ret)
goto done;
}
return;
- } else if (acb->bmap_first != VDI_UNALLOCATED) {
+ } else if (VDI_IS_ALLOCATED(acb->bmap_first)) {
/* One or more new blocks were allocated. */
uint64_t offset;
uint32_t bmap_first;
@@ -749,7 +754,7 @@ static void vdi_aio_write_cb(void *opaque, int ret)
/* prepare next AIO request */
acb->n_sectors = n_sectors;
bmap_entry = le32_to_cpu(s->bmap[block_index]);
- if (bmap_entry == VDI_UNALLOCATED) {
+ if (!VDI_IS_ALLOCATED(bmap_entry)) {
/* Allocate new block and write to it. */
uint64_t offset;
uint8_t *block;
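Review bot: a write to a block whose map entry is `VDI_DISCARDED` now takes the "Allocate new block and write to it" path, which is right, but the block's prior semantic content is zero rather than arbitrary; confirm that the newly allocated block is zero-filled around a partial-block write (the hunk shows only the branch condition), otherwise a discarded block could come back with stale data from the region the new block lands in.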
--
1.7.11.2


@ -0,0 +1,79 @@
From 2139ef7f75ff63904fac6b451c8a89e4b0c72448 Mon Sep 17 00:00:00 2001
From: Kevin Wolf <kwolf@redhat.com>
Date: Wed, 26 Oct 2011 12:25:25 +0200
Subject: [PATCH] vmdk: Improve error handling
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Return the right error values in some more places.
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 99f1835d9bc744f98370254600530e66f32e6d81)
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
block/vmdk.c | 21 +++++++++++++++------
1 file changed, 15 insertions(+), 6 deletions(-)
diff --git a/block/vmdk.c b/block/vmdk.c
index b5caa40..8284747 100644
--- a/block/vmdk.c
+++ b/block/vmdk.c
@@ -181,8 +181,10 @@ static uint32_t vmdk_read_cid(BlockDriverState *bs, int parent)
const char *p_name, *cid_str;
size_t cid_str_size;
BDRVVmdkState *s = bs->opaque;
+ int ret;
- if (bdrv_pread(bs->file, s->desc_offset, desc, DESC_SIZE) != DESC_SIZE) {
+ ret = bdrv_pread(bs->file, s->desc_offset, desc, DESC_SIZE);
+ if (ret < 0) {
return 0;
}
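Review bot: replacing `!= DESC_SIZE` with `ret < 0` changes the handling of a short read: a positive return smaller than `DESC_SIZE` used to be treated as failure and now leaves part of `desc` unfilled while parsing proceeds. If `bdrv_pread` guarantees either a full read or a negative errno, note that in a comment; if not, keep the length check as well. The same applies to the `vmdk_write_cid` hunk below.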
@@ -208,10 +210,12 @@ static int vmdk_write_cid(BlockDriverState *bs, uint32_t cid)
char desc[DESC_SIZE], tmp_desc[DESC_SIZE];
char *p_name, *tmp_str;
BDRVVmdkState *s = bs->opaque;
+ int ret;
memset(desc, 0, sizeof(desc));
- if (bdrv_pread(bs->file, s->desc_offset, desc, DESC_SIZE) != DESC_SIZE) {
- return -EIO;
+ ret = bdrv_pread(bs->file, s->desc_offset, desc, DESC_SIZE);
+ if (ret < 0) {
+ return ret;
}
tmp_str = strstr(desc, "parentCID");
@@ -223,9 +227,11 @@ static int vmdk_write_cid(BlockDriverState *bs, uint32_t cid)
pstrcat(desc, sizeof(desc), tmp_desc);
}
- if (bdrv_pwrite_sync(bs->file, s->desc_offset, desc, DESC_SIZE) < 0) {
- return -EIO;
+ ret = bdrv_pwrite_sync(bs->file, s->desc_offset, desc, DESC_SIZE);
+ if (ret < 0) {
+ return ret;
}
+
return 0;
}
@@ -906,7 +912,10 @@ static int vmdk_write(BlockDriverState *bs, int64_t sector_num,
/* update CID on the first write every time the virtual disk is
* opened */
if (!s->cid_updated) {
- vmdk_write_cid(bs, time(NULL));
+ ret = vmdk_write_cid(bs, time(NULL));
+ if (ret < 0) {
+ return ret;
+ }
s->cid_updated = true;
}
}
--
1.7.11.2


@ -0,0 +1,52 @@
From b461a24186f05d7adec265bd34f348f7b8f9569b Mon Sep 17 00:00:00 2001
From: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
Date: Thu, 27 Oct 2011 10:54:27 +0100
Subject: [PATCH] block: set bs->read_only before .bdrv_open()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Several block drivers set bs->read_only in .bdrv_open() but
block.c:bdrv_open_common() clobbers its value. Additionally, QED uses
bdrv_is_read_only() in .bdrv_open() to decide whether to perform
consistency checks.
The correct ordering is to initialize bs->read_only from the open flags
before calling .bdrv_open(). This way block drivers can override it if
necessary and can use bdrv_is_read_only() in .bdrv_open().
Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit e7c637967e6aad195b5f30cfd995913c9e0b4666)
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
block.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/block.c b/block.c
index 4ebb18b..8d77746 100644
--- a/block.c
+++ b/block.c
@@ -455,6 +455,8 @@ static int bdrv_open_common(BlockDriverState *bs, const char *filename,
open_flags |= BDRV_O_RDWR;
}
+ bs->keep_read_only = bs->read_only = !(open_flags & BDRV_O_RDWR);
+
/* Open the image, either directly or using a protocol */
if (drv->bdrv_file_open) {
ret = drv->bdrv_file_open(bs, filename, open_flags);
@@ -469,8 +471,6 @@ static int bdrv_open_common(BlockDriverState *bs, const char *filename,
goto free_and_fail;
}
- bs->keep_read_only = bs->read_only = !(open_flags & BDRV_O_RDWR);
-
ret = refresh_total_sectors(bs, bs->total_sectors);
if (ret < 0) {
goto free_and_fail;
--
1.7.11.2


@ -0,0 +1,64 @@
From 1add57cd4c48d9eb6517f685f67480b4f4f3f13b Mon Sep 17 00:00:00 2001
From: Markus Armbruster <armbru@redhat.com>
Date: Fri, 4 Nov 2011 10:38:29 +0100
Subject: [PATCH] console: Fix rendering of VGA underline
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
vga_putcharxy()'s underline code sets font_data to 0xffff instead of
0xff. vga_putcharxy() then reads dmask16[0xffff >> 4] and
dmask4[0xffff >> 6]. In practice, these out-of-bounds subscripts
"only" put a few crap bits into the display surface.
For 32 bit pixels, there's no array access. font_data's extra bits go
straight into the display surface.
Broken when commit 6d6f7c28 implemented underline.
Spotted by Coverity.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 439229c7cb97f6c4cddd3965c3e9d2b8319fe83c)
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
console.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/console.c b/console.c
index 242086c..07c82b8 100644
--- a/console.c
+++ b/console.c
@@ -461,7 +461,7 @@ static void vga_putcharxy(DisplayState *ds, int x, int y, int ch,
font_data = *font_ptr++;
if (t_attrib->uline
&& ((i == FONT_HEIGHT - 2) || (i == FONT_HEIGHT - 3))) {
- font_data = 0xFFFF;
+ font_data = 0xFF;
}
((uint32_t *)d)[0] = (dmask16[(font_data >> 4)] & xorcol) ^ bgcol;
((uint32_t *)d)[1] = (dmask16[(font_data >> 0) & 0xf] & xorcol) ^ bgcol;
@@ -474,7 +474,7 @@ static void vga_putcharxy(DisplayState *ds, int x, int y, int ch,
font_data = *font_ptr++;
if (t_attrib->uline
&& ((i == FONT_HEIGHT - 2) || (i == FONT_HEIGHT - 3))) {
- font_data = 0xFFFF;
+ font_data = 0xFF;
}
((uint32_t *)d)[0] = (dmask4[(font_data >> 6)] & xorcol) ^ bgcol;
((uint32_t *)d)[1] = (dmask4[(font_data >> 4) & 3] & xorcol) ^ bgcol;
@@ -487,7 +487,7 @@ static void vga_putcharxy(DisplayState *ds, int x, int y, int ch,
for(i = 0; i < FONT_HEIGHT; i++) {
font_data = *font_ptr++;
if (t_attrib->uline && ((i == FONT_HEIGHT - 2) || (i == FONT_HEIGHT - 3))) {
- font_data = 0xFFFF;
+ font_data = 0xFF;
}
((uint32_t *)d)[0] = (-((font_data >> 7)) & xorcol) ^ bgcol;
((uint32_t *)d)[1] = (-((font_data >> 6) & 1) & xorcol) ^ bgcol;
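Review bot: the identical underline test and assignment now appear three times (once per pixel-depth loop) and the bug had to be fixed in all three; factor the `font_data` selection into a small static helper taking `t_attrib->uline`, `i` and the font byte, so the next change to underline rendering is a one-line edit rather than three.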
--
1.7.11.2


@ -0,0 +1,48 @@
From 69a9776f3e8a4ff5311f78cc63e52ea436dd9cbe Mon Sep 17 00:00:00 2001
From: Charles Arnold <carnold@suse.com>
Date: Wed, 9 Nov 2011 09:32:25 -0700
Subject: [PATCH] block: Fix vpc initialization of the Dynamic Disk Header
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The Data Offset field in the Dynamic Disk Header is an 8 byte field.
Although the specification (2006-10-11) gives an example of initializing
only the first 4 bytes, images generated by Microsoft on Windows initialize
all 8 bytes.
Failure to initialize all 8 bytes results in errors from utilities
like Citrix's vhd-util which checks specifically for the proper Data
Offset field initialization.
Signed-off-by: Charles Arnold <carnold@suse.com>
Reviewed-by: Andreas Färber <afaerber@suse.de>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 78439f6af1caa3e8bdafc9fc2d62aeefa53ed63a)
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
block/vpc.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/block/vpc.c b/block/vpc.c
index 56865da..ac33e15 100644
--- a/block/vpc.c
+++ b/block/vpc.c
@@ -587,7 +587,11 @@ static int vpc_create(const char *filename, QEMUOptionParameter *options)
memcpy(dyndisk_header->magic, "cxsparse", 8);
- dyndisk_header->data_offset = be64_to_cpu(0xFFFFFFFF);
+ /*
+ * Note: The spec is actually wrong here for data_offset, it says
+ * 0xFFFFFFFF, but MS tools expect all 64 bits to be set.
+ */
+ dyndisk_header->data_offset = be64_to_cpu(0xFFFFFFFFFFFFFFFFULL);
dyndisk_header->table_offset = be64_to_cpu(3 * 512);
dyndisk_header->version = be32_to_cpu(0x00010000);
dyndisk_header->block_size = be32_to_cpu(block_size);
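Review bot: `be64_to_cpu(0xFFFFFFFFFFFFFFFFULL)` is harmless (an all-ones value is byte-order invariant, and the swap is its own inverse), but the conversion direction is backwards for a field being written to disk: this is host-to-big-endian, i.e. `cpu_to_be64()`. The neighbouring `table_offset`, `version` and `block_size` lines carry the same nit, so either fix the whole block or keep it consistent; the new comment is a good place to mention it.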
--
1.7.11.2


@ -0,0 +1,93 @@
From 5202e9d55b745eddde9ba6bd08af32fcae347e93 Mon Sep 17 00:00:00 2001
From: Kevin Wolf <kwolf@redhat.com>
Date: Wed, 26 Oct 2011 11:21:50 +0200
Subject: [PATCH] qcow: Fix bdrv_write_compressed error handling
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 64ebe71aa0e498d24e8c02b133192142fce3a0d0)
Signed-off-by: Bruce Rogers <brogers@suse.com>
[AF: backported]
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
block/qcow.c | 30 +++++++++++++++++++-----------
1 file changed, 19 insertions(+), 11 deletions(-)
diff --git a/block/qcow.c b/block/qcow.c
index 227b104..115b820 100644
--- a/block/qcow.c
+++ b/block/qcow.c
@@ -926,8 +926,6 @@ static int qcow_write_compressed(BlockDriverState *bs, int64_t sector_num,
return -EINVAL;
out_buf = qemu_malloc(s->cluster_size + (s->cluster_size / 1000) + 128);
- if (!out_buf)
- return -1;
/* best compression, small window, no zlib header */
memset(&strm, 0, sizeof(strm));
@@ -935,8 +933,8 @@ static int qcow_write_compressed(BlockDriverState *bs, int64_t sector_num,
Z_DEFLATED, -12,
9, Z_DEFAULT_STRATEGY);
if (ret != 0) {
- qemu_free(out_buf);
- return -1;
+ ret = -EINVAL;
+ goto fail;
}
strm.avail_in = s->cluster_size;
@@ -946,9 +944,9 @@ static int qcow_write_compressed(BlockDriverState *bs, int64_t sector_num,
ret = deflate(&strm, Z_FINISH);
if (ret != Z_STREAM_END && ret != Z_OK) {
- qemu_free(out_buf);
deflateEnd(&strm);
- return -1;
+ ret = -EINVAL;
+ goto fail;
}
out_len = strm.next_out - out_buf;
@@ -956,19 +954,29 @@ static int qcow_write_compressed(BlockDriverState *bs, int64_t sector_num,
if (ret != Z_STREAM_END || out_len >= s->cluster_size) {
/* could not compress: write normal cluster */
- bdrv_write(bs, sector_num, buf, s->cluster_sectors);
+ ret = bdrv_write(bs, sector_num, buf, s->cluster_sectors);
+ if (ret < 0) {
+ goto fail;
+ }
} else {
cluster_offset = get_cluster_offset(bs, sector_num << 9, 2,
out_len, 0, 0);
+ if (cluster_offset == 0) {
+ ret = -EIO;
+ goto fail;
+ }
+
cluster_offset &= s->cluster_offset_mask;
- if (bdrv_pwrite(bs->file, cluster_offset, out_buf, out_len) != out_len) {
- qemu_free(out_buf);
- return -1;
+ ret = bdrv_pwrite(bs->file, cluster_offset, out_buf, out_len);
+ if (ret < 0) {
+ goto fail;
}
}
+ ret = 0;
+fail:
qemu_free(out_buf);
- return 0;
+ return ret;
}
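Review bot: `ret` now carries two different kinds of value in this function: zlib status codes (`ret != Z_STREAM_END` at the top of the hunk) and errno-style results from `bdrv_write`/`bdrv_pwrite`; a separate variable for the zlib results would keep the `fail:` path unambiguous. Also, `bdrv_pwrite` returns the byte count on success, so the removed `!= out_len` check caught short writes while `ret < 0` does not; if short writes cannot happen, say so, otherwise keep the length check.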
static int qcow_flush(BlockDriverState *bs)
--
1.7.11.2


@ -0,0 +1,55 @@
From 2432c8cf0a61be64094dae724638a9a081ee4bf9 Mon Sep 17 00:00:00 2001
From: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
Date: Thu, 27 Oct 2011 10:54:28 +0100
Subject: [PATCH] block: reinitialize across bdrv_close()/bdrv_open()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Several BlockDriverState fields are not being reinitialized across
bdrv_close()/bdrv_open(). Make sure they are reset to their default
values.
Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 03f541bd6eacdc6c2893f72b975257c89cab2b74)
Signed-off-by: Bruce Rogers <brogers@suse.com>
[AF: backported]
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
block.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/block.c b/block.c
index 8d77746..1d6d26b 100644
--- a/block.c
+++ b/block.c
@@ -426,11 +426,14 @@ static int bdrv_open_common(BlockDriverState *bs, const char *filename,
bs->total_sectors = 0;
bs->encrypted = 0;
bs->valid_key = 0;
+ bs->sg = 0;
bs->open_flags = flags;
+ bs->growable = 0;
/* buffer_alignment defaulted to 512, drivers can change this value */
bs->buffer_alignment = 512;
pstrcpy(bs->filename, sizeof(bs->filename), filename);
+ bs->backing_file[0] = '\0';
if (use_bdrv_whitelist && !bdrv_is_whitelisted(drv)) {
return -ENOTSUP;
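Review bot: the reset list in `bdrv_open_common` (`sg`, `growable`, `backing_file[0]`, and `enable_write_cache` in the next hunk) is maintained by hand, and this is the second patch in the series touching it; add a comment marking it as the one place where per-open state is reset, or move the resets into `bdrv_close()` so a BlockDriverState is in a known state whether or not it is reopened.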
@@ -439,8 +442,7 @@ static int bdrv_open_common(BlockDriverState *bs, const char *filename,
bs->drv = drv;
bs->opaque = qemu_mallocz(drv->instance_size);
- if (flags & BDRV_O_CACHE_WB)
- bs->enable_write_cache = 1;
+ bs->enable_write_cache = !!(flags & BDRV_O_CACHE_WB);
/*
* Clear flags that are internal to the block layer before opening the
--
1.7.11.2

0227-qxl-stride-fixup.patch

@ -0,0 +1,111 @@
From a3cc0cf8b185043fbd1f9b893c1c20f90efb1d06 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Fri, 21 Oct 2011 15:59:07 +0200
Subject: [PATCH] qxl: stride fixup
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
spice uses negative stride value to signal the bitmap is upside down.
The qxl renderer (used for scl, vnc and screenshots) wants a positive
value because it is easier to work with. The positive value is then
stored in the very same variable, which has the drawback that the
upside-down test works only once. Fix by using two variables.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 0e2487bd6f56445b43307536a465ee2ba810aed9)
Signed-off-by: Bruce Rogers <brogers@suse.com>
[AF: backported]
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
hw/qxl-render.c | 23 ++++++++++++-----------
hw/qxl.h | 3 ++-
2 files changed, 14 insertions(+), 12 deletions(-)
diff --git a/hw/qxl-render.c b/hw/qxl-render.c
index 1316066..104d79b 100644
--- a/hw/qxl-render.c
+++ b/hw/qxl-render.c
@@ -28,16 +28,16 @@ static void qxl_flip(PCIQXLDevice *qxl, QXLRect *rect)
int len, i;
src += (qxl->guest_primary.surface.height - rect->top - 1) *
- qxl->guest_primary.stride;
- dst += rect->top * qxl->guest_primary.stride;
+ qxl->guest_primary.abs_stride;
+ dst += rect->top * qxl->guest_primary.abs_stride;
src += rect->left * qxl->guest_primary.bytes_pp;
dst += rect->left * qxl->guest_primary.bytes_pp;
len = (rect->right - rect->left) * qxl->guest_primary.bytes_pp;
for (i = rect->top; i < rect->bottom; i++) {
memcpy(dst, src, len);
- dst += qxl->guest_primary.stride;
- src -= qxl->guest_primary.stride;
+ dst += qxl->guest_primary.abs_stride;
+ src -= qxl->guest_primary.abs_stride;
}
}
@@ -45,7 +45,8 @@ void qxl_render_resize(PCIQXLDevice *qxl)
{
QXLSurfaceCreate *sc = &qxl->guest_primary.surface;
- qxl->guest_primary.stride = sc->stride;
+ qxl->guest_primary.qxl_stride = sc->stride;
+ qxl->guest_primary.abs_stride = abs(sc->stride);
qxl->guest_primary.resized++;
switch (sc->format) {
case SPICE_SURFACE_FMT_16_555:
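Review bot: `abs(sc->stride)` is applied to a value taken from the guest-supplied `QXLSurfaceCreate`, and `abs()` on `INT32_MIN` is undefined behaviour in C. Since `abs_stride` is `uint32_t` anyway, compute it as `sc->stride < 0 ? -(uint32_t)sc->stride : (uint32_t)sc->stride`, and consider validating it against `surface.width * bytes_pp` (both used in `qxl_render_update`) before it is used to size buffers.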
@@ -87,11 +88,11 @@ void qxl_render_update(PCIQXLDevice *qxl)
qemu_free_displaysurface(vga->ds);
qxl->guest_primary.data = qemu_get_ram_ptr(qxl->vga.vram_offset);
- if (qxl->guest_primary.stride < 0) {
+ if (qxl->guest_primary.qxl_stride < 0) {
/* spice surface is upside down -> need extra buffer to flip */
- qxl->guest_primary.stride = -qxl->guest_primary.stride;
- qxl->guest_primary.flipped = qemu_malloc(qxl->guest_primary.surface.width *
- qxl->guest_primary.stride);
+ qxl->guest_primary.flipped =
+ qemu_malloc(qxl->guest_primary.surface.width *
+ qxl->guest_primary.abs_stride);
ptr = qxl->guest_primary.flipped;
} else {
ptr = qxl->guest_primary.data;
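Review bot: the flip buffer is allocated as `surface.width * abs_stride`, but `abs_stride` is already a full row in bytes and `qxl_flip` walks rows from `rect->top` to `rect->bottom` stepping by `abs_stride`, so the buffer needs `surface.height * abs_stride` bytes. This is pre-existing (the removed lines had `width * stride` too), but since the line is being rewritten, please check which dimension is intended: with width smaller than height the copy in `qxl_flip` runs past the allocation.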
@@ -100,7 +101,7 @@ void qxl_render_update(PCIQXLDevice *qxl)
__FUNCTION__,
qxl->guest_primary.surface.width,
qxl->guest_primary.surface.height,
- qxl->guest_primary.stride,
+ qxl->guest_primary.qxl_stride,
qxl->guest_primary.bytes_pp,
qxl->guest_primary.bits_pp,
qxl->guest_primary.flipped ? "yes" : "no");
@@ -108,7 +109,7 @@ void qxl_render_update(PCIQXLDevice *qxl)
qemu_create_displaysurface_from(qxl->guest_primary.surface.width,
qxl->guest_primary.surface.height,
qxl->guest_primary.bits_pp,
- qxl->guest_primary.stride,
+ qxl->guest_primary.abs_stride,
ptr);
dpy_resize(vga->ds);
}
diff --git a/hw/qxl.h b/hw/qxl.h
index f6c450d..c05998a 100644
--- a/hw/qxl.h
+++ b/hw/qxl.h
@@ -42,7 +42,8 @@ typedef struct PCIQXLDevice {
QXLSurfaceCreate surface;
uint32_t commands;
uint32_t resized;
- int32_t stride;
+ int32_t qxl_stride;
+ uint32_t abs_stride;
uint32_t bits_pp;
uint32_t bytes_pp;
uint8_t *data, *flipped;
--
1.7.11.2


@ -0,0 +1,55 @@
From f51851ea928882bd3d49cbb6d953723294239d8a Mon Sep 17 00:00:00 2001
From: Kevin Wolf <kwolf@redhat.com>
Date: Wed, 26 Oct 2011 12:25:52 +0200
Subject: [PATCH] vmdk: Fix possible segfaults
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Data we read from the disk isn't necessarily null terminated and may not
contain the string we're looking for. The code needs to be a bit more careful
here.
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 93897b9fd43548e9c15cf8bece2d9e5174b01fc7)
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
block/vmdk.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/block/vmdk.c b/block/vmdk.c
index 8284747..f4fce08 100644
--- a/block/vmdk.c
+++ b/block/vmdk.c
@@ -196,6 +196,7 @@ static uint32_t vmdk_read_cid(BlockDriverState *bs, int parent)
cid_str_size = sizeof("CID");
}
+ desc[DESC_SIZE - 1] = '\0';
p_name = strstr(desc, cid_str);
if (p_name != NULL) {
p_name += cid_str_size;
@@ -212,13 +213,17 @@ static int vmdk_write_cid(BlockDriverState *bs, uint32_t cid)
BDRVVmdkState *s = bs->opaque;
int ret;
- memset(desc, 0, sizeof(desc));
ret = bdrv_pread(bs->file, s->desc_offset, desc, DESC_SIZE);
if (ret < 0) {
return ret;
}
+ desc[DESC_SIZE - 1] = '\0';
tmp_str = strstr(desc, "parentCID");
+ if (tmp_str == NULL) {
+ return -EINVAL;
+ }
+
pstrcpy(tmp_desc, sizeof(tmp_desc), tmp_str);
p_name = strstr(desc, "CID");
if (p_name != NULL) {
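Review bot: dropping `memset(desc, 0, sizeof(desc));` is safe only if `bdrv_pread` fills all `DESC_SIZE` bytes on success; `desc[DESC_SIZE - 1] = '\0'` terminates the buffer but initialises nothing before it, so a short read would leave uninitialised bytes for `strstr` to scan. Keep the memset (it is cheap) or document the full-read guarantee; the `-EINVAL` return for a missing `parentCID` is the right fix for the crash.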
--
1.7.11.2


@ -0,0 +1,204 @@
From 03ff3683be1e3a4e9644150b7f12f046374dcbcd Mon Sep 17 00:00:00 2001
From: Kevin Wolf <kwolf@redhat.com>
Date: Thu, 20 Oct 2011 16:37:26 +0200
Subject: [PATCH] pc: Fix floppy drives with if=none
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Commit 63ffb564 broke floppy devices specified on the command line like
-drive file=...,if=none,id=floppy -global isa-fdc.driveA=floppy because it
relies on drive_get() which works only with -fda/-drive if=floppy.
This patch resembles what we're already doing for IDE, i.e. remember the floppy
device that was created and use that to extract the BlockDriverStates where
needed.
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
(cherry picked from commit 34d4260e1846d69d7241f690534e3dd4b3e6fd5b)
[BR: bnc#733777]
Signed-off-by: Bruce Rogers <brogers@suse.com>
[AF: backported]
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
hw/fdc.c | 12 ++++++++++++
hw/fdc.h | 9 +++++++--
hw/pc.c | 25 ++++++++++++++-----------
hw/pc.h | 3 ++-
hw/pc_piix.c | 5 +++--
5 files changed, 38 insertions(+), 16 deletions(-)
diff --git a/hw/fdc.c b/hw/fdc.c
index 9fdbc75..cf675ce 100644
--- a/hw/fdc.c
+++ b/hw/fdc.c
@@ -1911,6 +1911,18 @@ static int sun4m_fdc_init1(SysBusDevice *dev)
return fdctrl_init_common(fdctrl);
}
+void fdc_get_bs(BlockDriverState *bs[], ISADevice *dev)
+{
+ FDCtrlISABus *isa = DO_UPCAST(FDCtrlISABus, busdev, dev);
+ FDCtrl *fdctrl = &isa->state;
+ int i;
+
+ for (i = 0; i < MAX_FD; i++) {
+ bs[i] = fdctrl->drives[i].bs;
+ }
+}
+
+
static const VMStateDescription vmstate_isa_fdc ={
.name = "fdc",
.version_id = 2,
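Review bot: Two consecutive blank `+` lines precede vmstate_isa_fdc; one is enough. fdc_get_bs() dereferences dev without a NULL check, which is fine only because pc_cmos_init() guards the call with `if (floppy)`; an `assert(dev)` or a short comment on the function would record that contract for other callers.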
diff --git a/hw/fdc.h b/hw/fdc.h
index 09f73c6..506feb6 100644
--- a/hw/fdc.h
+++ b/hw/fdc.h
@@ -7,14 +7,15 @@
/* fdc.c */
#define MAX_FD 2
-static inline void fdctrl_init_isa(DriveInfo **fds)
+static inline ISADevice *fdctrl_init_isa(DriveInfo **fds)
{
ISADevice *dev;
dev = isa_try_create("isa-fdc");
if (!dev) {
- return;
+ return NULL;
}
+
if (fds[0]) {
qdev_prop_set_drive_nofail(&dev->qdev, "driveA", fds[0]->bdrv);
}
@@ -22,10 +23,14 @@ static inline void fdctrl_init_isa(DriveInfo **fds)
qdev_prop_set_drive_nofail(&dev->qdev, "driveB", fds[1]->bdrv);
}
qdev_init_nofail(&dev->qdev);
+
+ return dev;
}
void fdctrl_init_sysbus(qemu_irq irq, int dma_chann,
target_phys_addr_t mmio_base, DriveInfo **fds);
void sun4m_fdctrl_init(qemu_irq irq, target_phys_addr_t io_base,
DriveInfo **fds, qemu_irq *fdc_tc);
+void fdc_get_bs(BlockDriverState *bs[], ISADevice *dev);
+
#endif
diff --git a/hw/pc.c b/hw/pc.c
index 14ce684..1d2b61e 100644
--- a/hw/pc.c
+++ b/hw/pc.c
@@ -333,12 +333,12 @@ static void pc_cmos_init_late(void *opaque)
void pc_cmos_init(ram_addr_t ram_size, ram_addr_t above_4g_mem_size,
const char *boot_device,
- BusState *idebus0, BusState *idebus1,
+ ISADevice *floppy, BusState *idebus0, BusState *idebus1,
ISADevice *s)
{
int val, nb, nb_heads, max_track, last_sect, i;
FDriveType fd_type[2];
- DriveInfo *fd[2];
+ BlockDriverState *fd[MAX_FD];
static pc_cmos_init_late_arg arg;
/* various important CMOS locations needed by PC/Bochs bios */
@@ -380,14 +380,16 @@ void pc_cmos_init(ram_addr_t ram_size, ram_addr_t above_4g_mem_size,
}
/* floppy type */
- for (i = 0; i < 2; i++) {
- fd[i] = drive_get(IF_FLOPPY, 0, i);
- if (fd[i] && bdrv_is_inserted(fd[i]->bdrv)) {
- bdrv_get_floppy_geometry_hint(fd[i]->bdrv, &nb_heads, &max_track,
- &last_sect, FDRIVE_DRV_NONE,
- &fd_type[i]);
- } else {
- fd_type[i] = FDRIVE_DRV_NONE;
+ if (floppy) {
+ fdc_get_bs(fd, floppy);
+ for (i = 0; i < 2; i++) {
+ if (fd[i] && bdrv_is_inserted(fd[i])) {
+ bdrv_get_floppy_geometry_hint(fd[i], &nb_heads, &max_track,
+ &last_sect, FDRIVE_DRV_NONE,
+ &fd_type[i]);
+ } else {
+ fd_type[i] = FDRIVE_DRV_NONE;
+ }
}
}
val = (cmos_get_fd_drive_type(fd_type[0]) << 4) |
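Review bot: fd_type[] is now left uninitialized when floppy is NULL. The old loop set `fd_type[i] = FDRIVE_DRV_NONE` in its else branch for every i, but the new loop only runs inside `if (floppy)`, so when fdctrl_init_isa() returned NULL (isa_try_create() failure) the `cmos_get_fd_drive_type(fd_type[0])` call below reads garbage. Initialize the array at its declaration, e.g. `FDriveType fd_type[2] = { FDRIVE_DRV_NONE, FDRIVE_DRV_NONE };`, or add an else branch. Also, `fd` is now sized MAX_FD while the loop still uses the literal 2; use MAX_FD in both places.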
@@ -1091,6 +1093,7 @@ static void cpu_request_exit(void *opaque, int irq, int level)
void pc_basic_device_init(qemu_irq *isa_irq,
ISADevice **rtc_state,
+ ISADevice **floppy,
bool no_vmport)
{
int i;
@@ -1155,7 +1158,7 @@ void pc_basic_device_init(qemu_irq *isa_irq,
for(i = 0; i < MAX_FD; i++) {
fd[i] = drive_get(IF_FLOPPY, 0, i);
}
- fdctrl_init_isa(fd);
+ *floppy = fdctrl_init_isa(fd);
}
void pc_pci_device_init(PCIBus *pci_bus)
diff --git a/hw/pc.h b/hw/pc.h
index 6d5730b..24b7fe2 100644
--- a/hw/pc.h
+++ b/hw/pc.h
@@ -138,11 +138,12 @@ qemu_irq *pc_allocate_cpu_irq(void);
void pc_vga_init(PCIBus *pci_bus);
void pc_basic_device_init(qemu_irq *isa_irq,
ISADevice **rtc_state,
+ ISADevice **floppy,
bool no_vmport);
void pc_init_ne2k_isa(NICInfo *nd);
void pc_cmos_init(ram_addr_t ram_size, ram_addr_t above_4g_mem_size,
const char *boot_device,
- BusState *ide0, BusState *ide1,
+ ISADevice *floppy, BusState *ide0, BusState *ide1,
ISADevice *s);
void pc_pci_device_init(PCIBus *pci_bus);
diff --git a/hw/pc_piix.c b/hw/pc_piix.c
index 31552fd..b8e0841 100644
--- a/hw/pc_piix.c
+++ b/hw/pc_piix.c
@@ -89,6 +89,7 @@ static void pc_init1(ram_addr_t ram_size,
DriveInfo *hd[MAX_IDE_BUS * MAX_IDE_DEVS];
BusState *idebus[MAX_IDE_BUS];
ISADevice *rtc_state;
+ ISADevice *floppy;
pc_cpus_init(cpu_model);
@@ -141,7 +142,7 @@ static void pc_init1(ram_addr_t ram_size,
}
/* init basic PC hardware */
- pc_basic_device_init(isa_irq, &rtc_state, xen_enabled());
+ pc_basic_device_init(isa_irq, &rtc_state, &floppy, xen_enabled());
for(i = 0; i < nb_nics; i++) {
NICInfo *nd = &nd_table[i];
@@ -170,7 +171,7 @@ static void pc_init1(ram_addr_t ram_size,
audio_init(isa_irq, pci_enabled ? pci_bus : NULL);
pc_cmos_init(below_4g_mem_size, above_4g_mem_size, boot_device,
- idebus[0], idebus[1], rtc_state);
+ floppy, idebus[0], idebus[1], rtc_state);
if (pci_enabled && usb_enabled) {
usb_uhci_piix3_init(pci_bus, piix3_devfn + 2);
--
1.7.11.2


@ -0,0 +1,97 @@
From 7baf1e0bf54096eceb4c4553c9212599454cd83d Mon Sep 17 00:00:00 2001
From: Anthony PERARD <anthony.perard@citrix.com>
Date: Wed, 20 Jul 2011 08:17:42 +0000
Subject: [PATCH] cpu-common: Have a ram_addr_t of uint64 with Xen.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
In the Xen case, memory can be bigger than the host memory. That means a
32-bit host (and QEMU) should be able to handle a RAM address of 64 bits.
Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
Signed-off-by: Alexander Graf <agraf@suse.de>
(cherry picked from commit f15fbc4bd1a24bd1477a846e63e62c6d435912f8)
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
cpu-common.h | 8 ++++++++
exec.c | 9 +++++----
xen-all.c | 2 +-
3 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/cpu-common.h b/cpu-common.h
index 44b04b3..0700101 100644
--- a/cpu-common.h
+++ b/cpu-common.h
@@ -27,7 +27,15 @@ enum device_endian {
};
/* address in the RAM (different from a physical address) */
+#if defined(CONFIG_XEN_BACKEND) && TARGET_PHYS_ADDR_BITS == 64
+typedef uint64_t ram_addr_t;
+# define RAM_ADDR_MAX UINT64_MAX
+# define RAM_ADDR_FMT "%" PRIx64
+#else
typedef unsigned long ram_addr_t;
+# define RAM_ADDR_MAX ULONG_MAX
+# define RAM_ADDR_FMT "%lx"
+#endif
/* memory API */
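Review bot: The new macros rely on UINT64_MAX and PRIx64 (<stdint.h>/<inttypes.h>) and on ULONG_MAX (<limits.h>); confirm cpu-common.h or what it includes pulls those in before this block. More importantly, on a 32-bit Xen host ram_addr_t becomes 64-bit while any remaining "%lx" user of a ram_addr_t is now a format mismatch; this patch converts three sites (two in exec.c, one in xen-all.c), so the remaining ram_addr_t format strings should be grepped and switched to RAM_ADDR_FMT in the same series.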
diff --git a/exec.c b/exec.c
index 2160ded..6fb589b 100644
--- a/exec.c
+++ b/exec.c
@@ -2863,13 +2863,13 @@ static void *file_ram_alloc(RAMBlock *block,
static ram_addr_t find_ram_offset(ram_addr_t size)
{
RAMBlock *block, *next_block;
- ram_addr_t offset = 0, mingap = ULONG_MAX;
+ ram_addr_t offset = 0, mingap = RAM_ADDR_MAX;
if (QLIST_EMPTY(&ram_list.blocks))
return 0;
QLIST_FOREACH(block, &ram_list.blocks, next) {
- ram_addr_t end, next = ULONG_MAX;
+ ram_addr_t end, next = RAM_ADDR_MAX;
end = block->offset + block->length;
@@ -3081,7 +3081,8 @@ void qemu_ram_remap(ram_addr_t addr, ram_addr_t length)
#endif
}
if (area != vaddr) {
- fprintf(stderr, "Could not remap addr: %lx@%lx\n",
+ fprintf(stderr, "Could not remap addr: "
+ RAM_ADDR_FMT "@" RAM_ADDR_FMT "\n",
length, addr);
exit(1);
}
@@ -4052,7 +4053,7 @@ void *cpu_physical_memory_map(target_phys_addr_t addr,
target_phys_addr_t page;
unsigned long pd;
PhysPageDesc *p;
- ram_addr_t raddr = ULONG_MAX;
+ ram_addr_t raddr = RAM_ADDR_MAX;
ram_addr_t rlen;
void *ret;
diff --git a/xen-all.c b/xen-all.c
index 167bed6..8f2556a 100644
--- a/xen-all.c
+++ b/xen-all.c
@@ -184,7 +184,7 @@ void xen_ram_alloc(ram_addr_t ram_addr, ram_addr_t size)
}
if (xc_domain_populate_physmap_exact(xen_xc, xen_domid, nr_pfn, 0, 0, pfn_list)) {
- hw_error("xen: failed to populate ram at %lx", ram_addr);
+ hw_error("xen: failed to populate ram at " RAM_ADDR_FMT, ram_addr);
}
qemu_free(pfn_list);
--
1.7.11.2


@ -0,0 +1,58 @@
From 75f2b558df8c3ccd8b980eedf2f4aef8b217587e Mon Sep 17 00:00:00 2001
From: Alex Williamson <alex.williamson@redhat.com>
Date: Mon, 31 Oct 2011 08:54:09 -0600
Subject: [PATCH] Error check find_ram_offset
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Spotted via code review, we initialize offset to 0 to avoid a
compiler warning, but in the unlikely case that offset is
never set to something else, we should abort instead of returning
a value that will almost certainly cause problems.
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 3e837b2c05bc63fe2226baf3c29923d5a688593f)
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
exec.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/exec.c b/exec.c
index 6fb589b..537a49f 100644
--- a/exec.c
+++ b/exec.c
@@ -2863,7 +2863,7 @@ static void *file_ram_alloc(RAMBlock *block,
static ram_addr_t find_ram_offset(ram_addr_t size)
{
RAMBlock *block, *next_block;
- ram_addr_t offset = 0, mingap = RAM_ADDR_MAX;
+ ram_addr_t offset = RAM_ADDR_MAX, mingap = RAM_ADDR_MAX;
if (QLIST_EMPTY(&ram_list.blocks))
return 0;
@@ -2879,10 +2879,17 @@ static ram_addr_t find_ram_offset(ram_addr_t size)
}
}
if (next - end >= size && next - end < mingap) {
- offset = end;
+ offset = end;
mingap = next - end;
}
}
+
+ if (offset == RAM_ADDR_MAX) {
+ fprintf(stderr, "Failed to find gap of requested size: %" PRIu64 "\n",
+ (uint64_t)size);
+ abort();
+ }
+
return offset;
}
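Review bot: The `- offset = end;` / `+ offset = end;` pair is a whitespace-only change unrelated to the error check; drop it or mention it in the commit message. The sentinel works because find_ram_offset() returns 0 early on an empty list, so RAM_ADDR_MAX can never be a legitimate result; a one-line comment above `if (offset == RAM_ADDR_MAX)` saying so would make the abort() path self-explanatory.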
--
1.7.11.2

0232-pc-add-pc-0.15.patch Normal file

@ -0,0 +1,73 @@
From 60d8ce5610a8b24ff298d6cb3d9abbd2e6f046bd Mon Sep 17 00:00:00 2001
From: Anthony Liguori <aliguori@us.ibm.com>
Date: Sun, 18 Dec 2011 12:59:12 -0600
Subject: [PATCH] pc: add pc-0.15
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit ce01a508e8053350544c88ba68a3f90c44b6bb93)
[BR: bnc#741460]
Signed-off-by: Bruce Rogers <brogers@suse.com>
[AF: backported]
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
hw/pc_piix.c | 26 +++++++++++++++++++++++---
1 file changed, 23 insertions(+), 3 deletions(-)
diff --git a/hw/pc_piix.c b/hw/pc_piix.c
index b8e0841..20bac9d 100644
--- a/hw/pc_piix.c
+++ b/hw/pc_piix.c
@@ -258,8 +258,8 @@ static void pc_xen_hvm_init(ram_addr_t ram_size,
}
#endif
-static QEMUMachine pc_machine = {
- .name = "pc-0.14",
+static QEMUMachine pc_machine_v0_15 = {
+ .name = "pc-0.15",
.alias = "pc",
.desc = "Standard PC",
.init = pc_init_pci,
@@ -267,6 +267,25 @@ static QEMUMachine pc_machine = {
.is_default = 1,
};
+static QEMUMachine pc_machine_v0_14 = {
+ .name = "pc-0.14",
+ .desc = "Standard PC",
+ .init = pc_init_pci,
+ .max_cpus = 255,
+ .compat_props = (GlobalProperty[]) {
+ {
+ .driver = "qxl",
+ .property = "revision",
+ .value = stringify(2),
+ },{
+ .driver = "qxl-vga",
+ .property = "revision",
+ .value = stringify(2),
+ },
+ { /* end of list */ }
+ },
+};
+
static QEMUMachine pc_machine_v0_13 = {
.name = "pc-0.13",
.desc = "Standard PC",
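Review bot: pc_machine_v0_14's compat_props only pin the qxl/qxl-vga revision, but the 0.14 machine needs an entry for every guest-visible default that changed in 0.15; the following patch on this page adds the virtio event_idx entries for exactly this reason, so the two should be squashed or this commit should say it is incomplete on its own. `.alias = "pc"` and `.is_default` correctly stay on pc-0.15 only.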
@@ -498,7 +517,8 @@ static QEMUMachine xenfv_machine = {
static void pc_machine_init(void)
{
- qemu_register_machine(&pc_machine);
+ qemu_register_machine(&pc_machine_v0_15);
+ qemu_register_machine(&pc_machine_v0_14);
qemu_register_machine(&pc_machine_v0_13);
qemu_register_machine(&pc_machine_v0_12);
qemu_register_machine(&pc_machine_v0_11);
--
1.7.11.2


@ -0,0 +1,95 @@
From 3cc7ef743b3f04ff986c820f67444d2dec946167 Mon Sep 17 00:00:00 2001
From: Anthony Liguori <aliguori@us.ibm.com>
Date: Sun, 18 Dec 2011 13:07:03 -0600
Subject: [PATCH] pc: fix event_idx compatibility for virtio devices
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
event_idx was introduced in 0.15 and must be disabled for all virtio-pci devices
(including virtio-balloon-pci).
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit ea830ebb74461c5ad6d199857fb000d2e0284c69)
[BR: bnc#741460]
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
hw/pc_piix.c | 32 ++++++++++++++++++++++++++++++++
1 file changed, 32 insertions(+)
diff --git a/hw/pc_piix.c b/hw/pc_piix.c
index 20bac9d..b179465 100644
--- a/hw/pc_piix.c
+++ b/hw/pc_piix.c
@@ -281,6 +281,22 @@ static QEMUMachine pc_machine_v0_14 = {
.driver = "qxl-vga",
.property = "revision",
.value = stringify(2),
+ },{
+ .driver = "virtio-blk-pci",
+ .property = "event_idx",
+ .value = "off",
+ },{
+ .driver = "virtio-serial-pci",
+ .property = "event_idx",
+ .value = "off",
+ },{
+ .driver = "virtio-net-pci",
+ .property = "event_idx",
+ .value = "off",
+ },{
+ .driver = "virtio-balloon-pci",
+ .property = "event_idx",
+ .value = "off",
},
{ /* end of list */ }
},
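Review bot: The same four-line `event_idx` = "off" entry is repeated verbatim across five machine definitions (pc-0.14 down to pc-0.10); factoring it into a macro shared by the machines would keep them from drifting, as they evidently did for virtio-balloon-pci, which the pc-0.13 to pc-0.10 hunks below each have to patch up individually.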
@@ -321,6 +337,10 @@ static QEMUMachine pc_machine_v0_13 = {
.property = "event_idx",
.value = "off",
},{
+ .driver = "virtio-balloon-pci",
+ .property = "event_idx",
+ .value = "off",
+ },{
.driver = "AC97",
.property = "use_broken_id",
.value = stringify(1),
@@ -368,6 +388,10 @@ static QEMUMachine pc_machine_v0_12 = {
.property = "event_idx",
.value = "off",
},{
+ .driver = "virtio-balloon-pci",
+ .property = "event_idx",
+ .value = "off",
+ },{
.driver = "AC97",
.property = "use_broken_id",
.value = stringify(1),
@@ -423,6 +447,10 @@ static QEMUMachine pc_machine_v0_11 = {
.property = "event_idx",
.value = "off",
},{
+ .driver = "virtio-balloon-pci",
+ .property = "event_idx",
+ .value = "off",
+ },{
.driver = "AC97",
.property = "use_broken_id",
.value = stringify(1),
@@ -490,6 +518,10 @@ static QEMUMachine pc_machine_v0_10 = {
.property = "event_idx",
.value = "off",
},{
+ .driver = "virtio-balloon-pci",
+ .property = "event_idx",
+ .value = "off",
+ },{
.driver = "AC97",
.property = "use_broken_id",
.value = stringify(1),
--
1.7.11.2


@ -0,0 +1,37 @@
From 601465e71b720e1e54911bbd67e2d02cd4904f0d Mon Sep 17 00:00:00 2001
From: Jes Sorensen <Jes.Sorensen@redhat.com>
Date: Mon, 25 Jul 2011 17:13:36 +0200
Subject: [PATCH] Add missing trace call to oslib-posix.c:qemu_vmalloc()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Acked-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
Signed-off-by: Jes Sorensen <Jes.Sorensen@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit c7f4111a06208b46c6d05934d2a1e5cfbebc0180)
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
oslib-posix.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/oslib-posix.c b/oslib-posix.c
index 3a18e86..196099c 100644
--- a/oslib-posix.c
+++ b/oslib-posix.c
@@ -79,7 +79,10 @@ void *qemu_memalign(size_t alignment, size_t size)
/* alloc shared memory pages */
void *qemu_vmalloc(size_t size)
{
- return qemu_memalign(getpagesize(), size);
+ void *ptr;
+ ptr = qemu_memalign(getpagesize(), size);
+ trace_qemu_vmalloc(size, ptr);
+ return ptr;
}
void qemu_vfree(void *ptr)
--
1.7.11.2


@ -0,0 +1,61 @@
From d12ac10d3ce10d3e1c9b23aeca397caa74be49d3 Mon Sep 17 00:00:00 2001
From: Avi Kivity <avi@redhat.com>
Date: Mon, 5 Sep 2011 11:07:05 +0300
Subject: [PATCH] qemu_vmalloc: align properly for transparent hugepages and
KVM
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
To make good use of transparent hugepages, KVM requires that guest-physical
and host-virtual addresses share the low 21 bits (as opposed to just the low
12 bits normally required).
Adjust qemu_vmalloc() to honor that requirement. Ignore it for small regions
to avoid fragmentation.
Signed-off-by: Avi Kivity <avi@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 36b586284e678da28df3af9fd0907d2b16f9311c)
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
oslib-posix.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/oslib-posix.c b/oslib-posix.c
index 196099c..a304fb0 100644
--- a/oslib-posix.c
+++ b/oslib-posix.c
@@ -35,6 +35,13 @@
extern int daemon(int, int);
#endif
+#if defined(__linux__) && defined(__x86_64__)
+ /* Use 2MB alignment so transparent hugepages can be used by KVM */
+# define QEMU_VMALLOC_ALIGN (512 * 4096)
+#else
+# define QEMU_VMALLOC_ALIGN getpagesize()
+#endif
+
#include "config-host.h"
#include "sysemu.h"
#include "trace.h"
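Review bot: QEMU_VMALLOC_ALIGN is defined above the `#include "config-host.h"` line rather than after the includes, where a reader looks for it; the block also hard-codes the x86-64 huge page size as `512 * 4096`, which deserves a named constant or a "2 MiB" comment, since that number is what the commit message's "low 21 bits" refers to. The getpagesize() fallback is a function call hidden in a macro; that is fine here because it is evaluated once per allocation.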
@@ -80,7 +87,12 @@ void *qemu_memalign(size_t alignment, size_t size)
void *qemu_vmalloc(size_t size)
{
void *ptr;
- ptr = qemu_memalign(getpagesize(), size);
+ size_t align = QEMU_VMALLOC_ALIGN;
+
+ if (size < align) {
+ align = getpagesize();
+ }
+ ptr = qemu_memalign(align, size);
trace_qemu_vmalloc(size, ptr);
return ptr;
}
--
1.7.11.2


@ -0,0 +1,41 @@
From add89f969fc86f3b3223c4283ee49fcb507b8f81 Mon Sep 17 00:00:00 2001
From: Zhang Shengju <zhangsju@gmail.com>
Date: Tue, 13 Mar 2012 22:38:13 +0800
Subject: [PATCH] block/vpc: write checksum back to footer after check
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
After the validation check, the 'checksum' is not written back
to the footer, which leaves it at zero.
This results in errors while loading it under Microsoft's
Hyper-V environment, and also errors from utilities like
Citrix's vhd-util.
Signed-off-by: Zhang Shengju <sean_zhang@trendmicro.com.cn>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit c088b691363070d151f80cc1fde4b7c151bdfe8f)
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
block/vpc.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/block/vpc.c b/block/vpc.c
index ac33e15..55201e2 100644
--- a/block/vpc.c
+++ b/block/vpc.c
@@ -170,6 +170,9 @@ static int vpc_open(BlockDriverState *bs, int flags)
fprintf(stderr, "block-vpc: The header checksum of '%s' is "
"incorrect.\n", bs->filename);
+ /* Write 'checksum' back to footer, or else will leave it with zero. */
+ footer->checksum = be32_to_cpu(checksum);
+
// The visible size of a image in Virtual PC depends on the geometry
// rather than on the size stored in the footer (the size in the footer
// is too large usually)
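Review bot: The store should be `footer->checksum = cpu_to_be32(checksum);`, since checksum is the host-order value recovered from the footer being written back into the big-endian footer field. be32_to_cpu() and cpu_to_be32() are both a 32-bit byte swap on little-endian hosts and the identity on big-endian ones, so the result is identical, but the direction as written is misleading. The comment would also read better as "otherwise it is left at zero".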
--
1.7.11.2


@ -0,0 +1,36 @@
From 557393c06af445a23f65667d16d1ff43b5d7ae6d Mon Sep 17 00:00:00 2001
From: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
Date: Thu, 12 Jan 2012 14:17:04 +0000
Subject: [PATCH] bt-host: add missing break statement
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The switch statement in bt_host_read() is missing a break in one case.
Andrzej Zaborowski <andrew.zaborowski@intel.com> confirmed that this is
not an intentional fall-through.
Reviewed-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
(cherry picked from commit f7253270fc66a60e4faf639a3c4ce0b352553b24)
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
bt-host.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/bt-host.c b/bt-host.c
index 095254d..df59494 100644
--- a/bt-host.c
+++ b/bt-host.c
@@ -130,6 +130,7 @@ static void bt_host_read(void *opaque)
pktlen = MIN(pkt[2] + 3, s->len);
s->len -= pktlen;
pkt += pktlen;
+ break;
default:
bad_pkt:
--
1.7.11.2


@ -0,0 +1,39 @@
From 1c363aca36c5f53cb04d04fa1ee9a442dd5dbad4 Mon Sep 17 00:00:00 2001
From: Stefan Weil <sw@weilnetz.de>
Date: Sat, 25 Feb 2012 14:50:25 +0100
Subject: [PATCH] ds1338: Add missing break statement
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Without the break statement, case 5 sets month and year from the same
data. This does not look correct.
The missing break was reported by splint.
Signed-off-by: Stefan Weil <sw@weilnetz.de>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Andreas Färber <afaerber@suse.de>
Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
(cherry picked from commit fbac6a7d35d119a52606c175aface9bcec805f09)
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
hw/ds1338.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/hw/ds1338.c b/hw/ds1338.c
index 3522af5..964d2f7 100644
--- a/hw/ds1338.c
+++ b/hw/ds1338.c
@@ -97,6 +97,7 @@ static int ds1338_send(i2c_slave *i2c, uint8_t data)
break;
case 5:
s->now.tm_mon = from_bcd(data & 0x1f) - 1;
+ break;
case 6:
s->now.tm_year = from_bcd(data) + 100;
break;
--
1.7.11.2


@ -0,0 +1,70 @@
From e246af75817264aa340cc4e8bb42c17a2d48cbb7 Mon Sep 17 00:00:00 2001
From: Stefan Weil <sw@weilnetz.de>
Date: Sat, 21 Jan 2012 13:54:24 +0100
Subject: [PATCH] block/vdi: Zero unused parts when allocating a new block
(fix #919242)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The new block was filled with zero when it was allocated by g_malloc0,
but when it was reused later and only partially used, data from the
previously allocated block were still present and written to the new
block.
This caused the problems reported by bug #919242
(https://bugs.launchpad.net/qemu/+bug/919242).
Now the unused parts of the new block which are before and after the data
are always filled with zero, so it is no longer necessary to zero the whole
block with g_malloc0.
I also updated the copyright comment.
Signed-off-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 641543b76b82a8b361482b727e08de0c8ec093b0)
[AF: g_malloc() -> qemu_malloc()]
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
block/vdi.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/block/vdi.c b/block/vdi.c
index 1be0cdc..07413af 100644
--- a/block/vdi.c
+++ b/block/vdi.c
@@ -1,7 +1,7 @@
/*
* Block driver for the Virtual Disk Image (VDI) format
*
- * Copyright (c) 2009 Stefan Weil
+ * Copyright (c) 2009, 2012 Stefan Weil
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@@ -765,15 +765,19 @@ static void vdi_aio_write_cb(void *opaque, int ret)
(uint64_t)bmap_entry * s->block_sectors;
block = acb->block_buffer;
if (block == NULL) {
- block = qemu_mallocz(s->block_size);
+ block = qemu_malloc(s->block_size);
acb->block_buffer = block;
acb->bmap_first = block_index;
assert(!acb->header_modified);
acb->header_modified = 1;
}
acb->bmap_last = block_index;
+ /* Copy data to be written to new block and zero unused parts. */
+ memset(block, 0, sector_in_block * SECTOR_SIZE);
memcpy(block + sector_in_block * SECTOR_SIZE,
acb->buf, n_sectors * SECTOR_SIZE);
+ memset(block + (sector_in_block + n_sectors) * SECTOR_SIZE, 0,
+ (s->block_sectors - n_sectors - sector_in_block) * SECTOR_SIZE);
acb->hd_iov.iov_base = (void *)block;
acb->hd_iov.iov_len = s->block_size;
qemu_iovec_init_external(&acb->hd_qiov, &acb->hd_iov, 1);
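Review bot: The trailing memset length `(s->block_sectors - n_sectors - sector_in_block) * SECTOR_SIZE` silently underflows if sector_in_block + n_sectors ever exceeds s->block_sectors, turning the zeroing into a huge memset past the buffer; an `assert(sector_in_block + n_sectors <= s->block_sectors)` before the two memsets would document the invariant the caller must maintain. With qemu_mallocz() replaced by qemu_malloc(), these two memsets plus the memcpy are the only thing keeping stale heap contents out of the image, so every path that reuses acb->block_buffer must pass through this code; a comment saying so would be useful.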
--
1.7.11.2


@ -1,53 +0,0 @@
commit 1a8364456c2f3946b4feb8fc78eaf00d974f4c03
Author: Jan Kiszka <jan.kiszka@siemens.com>
Date: Wed Feb 23 09:28:53 2011 +0100
qemu-kvm: Fix non-PCI target build
Replace obsolete qemu-kvm.h with kvm.h in pci.c and build that module
just like upstream does. This fixes non-x86 targets which have no PCI
support.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Avi Kivity <avi@redhat.com>
diff --git a/Makefile.objs b/Makefile.objs
index f5702eb..3ec7121 100644
--- a/Makefile.objs
+++ b/Makefile.objs
@@ -170,7 +170,7 @@ hw-obj-y =
hw-obj-y += loader.o
hw-obj-$(CONFIG_VIRTIO) += virtio.o virtio-console.o
hw-obj-y += fw_cfg.o
-hw-obj-$(CONFIG_PCI) += pci_bridge.o
+hw-obj-$(CONFIG_PCI) += pci.o pci_bridge.o
hw-obj-$(CONFIG_PCI) += msix.o msi.o
hw-obj-$(CONFIG_PCI) += pci_host.o pcie_host.o
hw-obj-$(CONFIG_PCI) += ioh3420.o xio3130_upstream.o xio3130_downstream.o
diff --git a/Makefile.target b/Makefile.target
index 6e9a024..23367eb 100644
--- a/Makefile.target
+++ b/Makefile.target
@@ -195,7 +195,7 @@ endif #CONFIG_BSD_USER
# System emulator target
ifdef CONFIG_SOFTMMU
-obj-y = arch_init.o cpus.o monitor.o pci.o machine.o gdbstub.o vl.o balloon.o
+obj-y = arch_init.o cpus.o monitor.o machine.o gdbstub.o vl.o balloon.o
# virtio has to be here due to weird dependency between PCI and virtio-net.
# need to fix this properly
obj-$(CONFIG_NO_PCI) += pci-stub.o
diff --git a/hw/pci.c b/hw/pci.c
index 0c44939..1f6cebe 100644
--- a/hw/pci.c
+++ b/hw/pci.c
@@ -29,8 +29,8 @@
#include "net.h"
#include "sysemu.h"
#include "loader.h"
-#include "qemu-kvm.h"
#include "hw/pc.h"
+#include "kvm.h"
#include "device-assignment.h"
#include "qemu-objects.h"
#include "range.h"

qemu-fix-systemtap.patch Normal file

@ -0,0 +1,19 @@
diff -rup qemu-kvm-1.0.1/scripts/tracetool z/scripts/tracetool
--- qemu-kvm-1.0.1/scripts/tracetool 2012-04-16 22:15:17.000000000 -0400
+++ z/scripts/tracetool 2012-07-29 21:10:51.326868987 -0400
@@ -500,6 +500,15 @@ EOF
if [ "$arg" = "limit" ]; then
arg="_limit"
fi
+ if [ "$arg" = "in" ]; then
+ arg="_in"
+ fi
+ if [ "$arg" = "next" ]; then
+ arg="_next"
+ fi
+ if [ "$arg" = "self" ]; then
+ arg="_self"
+ fi
cat <<EOF
$arg = \$arg$i;
EOF
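Review bot: Four identical `if [ "$arg" = ... ]; then arg="_..."; fi` blocks would read better as a single `case "$arg" in in|limit|next|self) arg="_$arg" ;; esac`, which also makes it obvious that the list is the set of SystemTap reserved words being escaped; a comment naming that reason would help the next person who hits another keyword.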


@ -0,0 +1,31 @@
diff -rup qemu-kvm-0.15.1/hw/vga.c frob/hw/vga.c
--- qemu-kvm-0.15.1/hw/vga.c 2011-10-19 09:54:48.000000000 -0400
+++ frob/hw/vga.c 2012-07-29 21:00:27.389677588 -0400
@@ -149,7 +149,7 @@ static uint16_t expand2[256];
static uint8_t expand4to8[16];
static void vga_screen_dump(void *opaque, const char *filename);
-static char *screen_dump_filename;
+static const char *screen_dump_filename;
static DisplayChangeListener *screen_dump_dcl;
static void vga_dumb_update_retrace_info(VGACommonState *s)
@@ -2330,7 +2330,6 @@ static void vga_save_dpy_update(DisplayS
{
if (screen_dump_filename) {
ppm_save(screen_dump_filename, ds->surface);
- screen_dump_filename = NULL;
}
}
@@ -2408,8 +2407,8 @@ static void vga_screen_dump(void *opaque
if (!screen_dump_dcl)
screen_dump_dcl = vga_screen_dump_init(s->ds);
- screen_dump_filename = (char *)filename;
+ screen_dump_filename = filename;
vga_invalidate_display(s);
vga_hw_update();
+ screen_dump_filename = NULL;
}
-
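Review bot: Moving `screen_dump_filename = NULL` out of vga_save_dpy_update() to after vga_hw_update() means ppm_save() now runs on every dpy_update callback during the update rather than only the first, so a multi-region update rewrites the file several times and the last call wins; that is presumably the intent (the first-call-only path was what text mode never reached), and a comment in vga_save_dpy_update() saying so would stop someone from "optimizing" the NULL assignment back in. Clearing the pointer after vga_hw_update() also keeps the now-const pointer from dangling past the caller's filename buffer. The trailing `-` line only removes a blank line at end of file.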


@ -0,0 +1,93 @@
diff -rup qemu-kvm-0.15.1/block/vvfat.c frob/block/vvfat.c
--- qemu-kvm-0.15.1/block/vvfat.c 2012-07-29 20:56:28.318227757 -0400
+++ frob/block/vvfat.c 2012-07-29 20:59:15.537859208 -0400
@@ -2795,7 +2795,12 @@ static int enable_write_target(BDRVVVFAT
array_init(&(s->commits), sizeof(commit_t));
s->qcow_filename = qemu_malloc(1024);
- get_tmp_filename(s->qcow_filename, 1024);
+ ret = get_tmp_filename(s->qcow_filename, 1024);
+ if (ret < 0) {
+ free(s->qcow_filename);
+ s->qcow_filename = NULL;
+ return ret;
+ }
bdrv_qcow = bdrv_find_format("qcow");
options = parse_option_parameters("", bdrv_qcow->create_options, NULL);
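Review bot: s->qcow_filename is allocated with qemu_malloc() two lines above, so the error path should release it with qemu_free() rather than free(); mixing the two is harmless in this tree but defeats the allocator wrappers. The hunk also assumes an `int ret` already exists in enable_write_target(); if it does not, it needs declaring.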
diff -rup qemu-kvm-0.15.1/block.c frob/block.c
--- qemu-kvm-0.15.1/block.c 2012-07-29 20:56:28.367221495 -0400
+++ frob/block.c 2012-07-29 20:58:24.931326050 -0400
@@ -254,28 +254,36 @@ int bdrv_create_file(const char* filenam
return bdrv_create(drv, filename, options);
}
-#ifdef _WIN32
-void get_tmp_filename(char *filename, int size)
+/*
+ * Create a uniquely-named empty temporary file.
+ * Return 0 upon success, otherwise a negative errno value.
+ */
+int get_tmp_filename(char *filename, int size)
{
+#ifdef _WIN32
char temp_dir[MAX_PATH];
-
- GetTempPath(MAX_PATH, temp_dir);
- GetTempFileName(temp_dir, "qem", 0, filename);
-}
+ /* GetTempFileName requires that its output buffer (4th param)
+ have length MAX_PATH or greater. */
+ assert(size >= MAX_PATH);
+ return (GetTempPath(MAX_PATH, temp_dir)
+ && GetTempFileName(temp_dir, "qem", 0, filename)
+ ? 0 : -GetLastError());
#else
-void get_tmp_filename(char *filename, int size)
-{
int fd;
const char *tmpdir;
- /* XXX: race condition possible */
tmpdir = getenv("TMPDIR");
if (!tmpdir)
tmpdir = "/tmp";
- snprintf(filename, size, "%s/vl.XXXXXX", tmpdir);
+ if (snprintf(filename, size, "%s/vl.XXXXXX", tmpdir) >= size) {
+ return -EOVERFLOW;
+ }
fd = mkstemp(filename);
- close(fd);
-}
+ if (fd < 0 || close(fd)) {
+ return -errno;
+ }
+ return 0;
#endif
+}
/*
* Detect host devices. By convention, /dev/cdrom[N] is always
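Review bot: The POSIX branch is the actual security fix: the old code ignored mkstemp()'s return value and closed fd unconditionally, so on failure the caller went on to open the literal, predictable `$TMPDIR/vl.XXXXXX` path; now both a truncated snprintf() and an mkstemp() failure are reported and the caller bails out (see the bdrv_open() hunk below). Two smaller points: `-GetLastError()` on Windows is a Win32 error code, not an errno, so the documented "negative errno value" contract does not hold there and a caller printing strerror(-ret) will be misleading; and when close() fails the already-created temp file is left behind, so an unlink(filename) on that path would be cleaner.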
@@ -555,7 +563,10 @@ int bdrv_open(BlockDriverState *bs, cons
bdrv_delete(bs1);
- get_tmp_filename(tmp_filename, sizeof(tmp_filename));
+ ret = get_tmp_filename(tmp_filename, sizeof(tmp_filename));
+ if (ret < 0) {
+ return ret;
+ }
/* Real path is meaningless for protocols */
if (is_protocol)
diff -rup qemu-kvm-0.15.1/block_int.h frob/block_int.h
--- qemu-kvm-0.15.1/block_int.h 2011-10-19 09:54:48.000000000 -0400
+++ frob/block_int.h 2012-07-29 20:58:24.932325925 -0400
@@ -216,7 +216,7 @@ struct BlockDriverAIOCB {
BlockDriverAIOCB *next;
};
-void get_tmp_filename(char *filename, int size);
+int get_tmp_filename(char *filename, int size);
void *qemu_aio_get(AIOPool *pool, BlockDriverState *bs,
BlockDriverCompletionFunc *cb, void *opaque);


@ -0,0 +1,73 @@
commit 22b626e28e9895cc65c1e2023323bda5138716dc
Author: Gerd Hoffmann <kraxel@redhat.com>
Date: Fri Sep 2 15:03:28 2011 +0200
spice: workaround a spice server bug.
spice server might call the channel_event callback from spice server
thread context. Detect that and acquire the iothread lock if needed.
diff --git a/ui/spice-core.c b/ui/spice-core.c
index dba11f0..3cbc721 100644
--- a/ui/spice-core.c
+++ b/ui/spice-core.c
@@ -19,6 +19,7 @@
#include <spice-experimental.h>
#include <netdb.h>
+#include <pthread.h>
#include "qemu-common.h"
#include "qemu-spice.h"
@@ -44,6 +45,8 @@ static char *auth_passwd;
static time_t auth_expires = TIME_MAX;
int using_spice = 0;
+static pthread_t me;
+
struct SpiceTimer {
QEMUTimer *timer;
QTAILQ_ENTRY(SpiceTimer) next;
@@ -217,6 +220,20 @@ static void channel_event(int event, SpiceChannelEventInfo *info)
QDict *server, *client;
QObject *data;
+ /*
+ * Spice server might have called us from spice worker thread
+ * context (happens on display channel disconnects). Spice should
+ * not do that. It isn't that easy to fix it in spice and even
+ * when it is fixed we still should cover the already released
+ * spice versions. So detect that we've been called from another
+ * thread and grab the iothread lock if so before calling qemu
+ * functions.
+ */
+ bool need_lock = !pthread_equal(me, pthread_self());
+ if (need_lock) {
+ qemu_mutex_lock_iothread();
+ }
+
client = qdict_new();
add_addr_info(client, &info->paddr, info->plen);
@@ -236,6 +253,10 @@ static void channel_event(int event, SpiceChannelEventInfo *info)
QOBJECT(client), QOBJECT(server));
monitor_protocol_event(qevent[event], data);
qobject_decref(data);
+
+ if (need_lock) {
+ qemu_mutex_unlock_iothread();
+ }
}
#else /* SPICE_INTERFACE_CORE_MINOR >= 3 */
@@ -482,7 +503,9 @@ void qemu_spice_init(void)
spice_image_compression_t compression;
spice_wan_compression_t wan_compr;
- if (!opts) {
+ me = pthread_self();
+
+ if (!opts) {
return;
}
port = qemu_opt_get_number(opts, "port", 0);
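Review bot: Recording `me = pthread_self()` in qemu_spice_init() makes the need_lock test in channel_event() depend on that function running on the iothread; that holds today, but a comment (or an assertion that the iothread lock is held at this point) would make the assumption explicit, since a channel_event delivered from the recorded thread deliberately skips the lock and would deadlock on the non-recursive mutex if the assumption ever broke. Setting `me` before the `if (!opts)` return is correct, so it is initialized even when spice is not configured.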


@ -1,31 +0,0 @@
vhost was passing a physical address to cpu_physical_memory_set_dirty,
which is wrong: we need to translate to ram address first.
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Note: this led to crashes during migration, so the patch
is needed on the stable branch too.
---
hw/vhost.c | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)
diff --git a/hw/vhost.c b/hw/vhost.c
index aaa34e4..97a1299 100644
--- a/hw/vhost.c
+++ b/hw/vhost.c
@@ -49,8 +49,10 @@ static void vhost_dev_sync_region(struct vhost_dev *dev,
log = __sync_fetch_and_and(from, 0);
while ((bit = sizeof(log) > sizeof(int) ?
ffsll(log) : ffs(log))) {
+ ram_addr_t ram_addr;
bit -= 1;
- cpu_physical_memory_set_dirty(addr + bit * VHOST_LOG_PAGE);
+ ram_addr = cpu_get_physical_page_desc(addr + bit * VHOST_LOG_PAGE);
+ cpu_physical_memory_set_dirty(ram_addr);
log &= ~(0x1ull << bit);
}
addr += VHOST_LOG_CHUNK;
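Review bot: the value returned by cpu_get_physical_page_desc() is passed straight to cpu_physical_memory_set_dirty() without checking that the guest-physical page is actually backed by RAM; for an unbacked or I/O page the descriptor is an I/O memory type, not a RAM offset, and the dirty-bitmap index derived from it is meaningless. The regions vhost logs are guest RAM, so this holds in practice, but a comment stating that assumption (or a check of the descriptor's type bits before marking the page dirty) would make the invariant explicit. Note also that this commit deletes the patch file entirely (the `-1,31 +0,0` header) rather than moving it into the Patch2xx stable series; confirm that the translated-address fix is already present in the 0.15.1 base or in one of the remaining patches before dropping it, since no vhost patch appears in the new list.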
--
1.7.3.2.91.g446ac

qemu.spec

@ -1,8 +1,8 @@
Summary: QEMU is a FAST! processor emulator
Name: qemu
Version: 0.15.1
Release: 6%{?dist}
# Epoch because we pushed a qemu-1.0 package
Release: 7%{?dist}
# Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
Epoch: 2
License: GPLv2+ and LGPLv2+ and BSD
Group: Development/Tools
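Review bot: the Release bump to `7%{?dist}` is correct for this update, but the reworded comment `# Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped` could state the rule instead of hedging with "AIUI": rpm compares Epoch before Version, so once `Epoch: 2` has shipped, removing it would make every future epoch-less build sort below 2:0.15.1-7 and never be offered as an upgrade. One sentence to that effect saves the next maintainer a lookup.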
@ -89,6 +89,51 @@ Patch103: %{name}-virtio-blk_refuse_SG_IO_requests_with_scsi_off.patch
# Fix fedora guest hang with virtio console (bz 837925)
Patch104: %{name}-virtio-console-unconnected-pty.patch
# Patches from 0.15 stable
Patch200: 0200-ccid-Fix-buffer-overrun-in-handling-of-VSC_ATR-messa.patch
Patch201: 0201-qdev-Reset-hot-plugged-devices.patch
Patch202: 0202-e1000-use-MII-status-register-for-link-up-down.patch
Patch203: 0203-e1000-Don-t-set-the-Capabilities-List-bit.patch
Patch205: 0205-compatfd.c-Don-t-pass-NULL-pointer-to-SYS_signalfd.patch
Patch206: 0206-kvm-avoid-reentring-kvm_flush_coalesced_mmio_buffer.patch
Patch207: 0207-vmdk-vmdk_read_cid-returns-garbage-if-p_name-is-NULL.patch
Patch208: 0208-block-Fix-bdrv_open-use-after-free.patch
Patch209: 0209-ide-Fix-off-by-one-error-in-array-index-check.patch
Patch210: 0210-acl-Fix-use-after-free-in-qemu_acl_reset.patch
Patch211: 0211-migration-flush-migration-data-to-disk.patch
Patch212: 0212-Fix-X86-CPU-topology-in-KVM-mode.patch
Patch213: 0213-hw-lan9118.c-Add-missing-break-to-fix-buffer-overrun.patch
Patch214: 0214-ac97-don-t-override-the-pci-subsystem-id.patch
Patch215: 0215-vvfat-Fix-potential-buffer-overflow.patch
Patch216: 0216-vns-tls-don-t-use-depricated-gnutls-functions.patch
Patch217: 0217-block-curl-Implement-a-flush-function-on-the-fd-hand.patch
Patch218: 0218-hda-do-not-mix-output-and-input-streams-RHBZ-740493.patch
Patch219: 0219-hda-do-not-mix-output-and-input-stream-states-RHBZ-7.patch
Patch220: 0220-Teach-block-vdi-about-discarded-no-longer-allocated-.patch
Patch221: 0221-vmdk-Improve-error-handling.patch
Patch222: 0222-block-set-bs-read_only-before-.bdrv_open.patch
Patch223: 0223-console-Fix-rendering-of-VGA-underline.patch
Patch224: 0224-block-Fix-vpc-initialization-of-the-Dynamic-Disk-Hea.patch
Patch225: 0225-qcow-Fix-bdrv_write_compressed-error-handling.patch
Patch226: 0226-block-reinitialize-across-bdrv_close-bdrv_open.patch
Patch227: 0227-qxl-stride-fixup.patch
Patch228: 0228-vmdk-Fix-possible-segfaults.patch
Patch230: 0230-cpu-common-Have-a-ram_addr_t-of-uint64-with-Xen.patch
Patch231: 0231-Error-check-find_ram_offset.patch
Patch236: 0236-block-vpc-write-checksum-back-to-footer-after-check.patch
Patch237: 0237-bt-host-add-missing-break-statement.patch
Patch238: 0238-ds1338-Add-missing-break-statement.patch
Patch239: 0239-block-vdi-Zero-unused-parts-when-allocating-a-new-bl.patch
# CVE-2012-2652: Possible symlink attacks with -snapshot (bz 825697, bz
# 824919)
Patch240: %{name}-snapshot-symlink-attack.patch
# Fix systemtap tapsets (bz 831763)
Patch241: %{name}-fix-systemtap.patch
# Fix qmp response race caused by spice server bug (bz 744015)
Patch242: %{name}-spice-server-threading.patch
# Fix text mode screendumps (bz 819155)
Patch243: %{name}-fix-text-mode-screendumps.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: SDL-devel zlib-devel which texi2html gnutls-devel cyrus-sasl-devel
BuildRequires: libaio-devel
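Review bot: the Patch2xx sequence skips 204, 229 and 232 to 235 without explanation; if those 0.15-stable commits were intentionally left out (already in the tree, not applicable to this build, or superseded), say so in the `# Patches from 0.15 stable` comment so the gaps are not mistaken for omissions. Several of the pulled patches are memory-safety fixes rather than functional ones (Patch200, the ccid VSC_ATR buffer overrun, is CVE-2011-4111; Patch213 lan9118 buffer overrun; Patch215 vvfat buffer overflow); tagging those with their CVE or bug ids the way Patch240 is tagged with CVE-2012-2652 would make security triage of this build far easier.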
@ -122,6 +167,13 @@ Requires: %{name}-img = %{epoch}:%{version}-%{release}
Obsoletes: %{name}-system-ppc
Obsoletes: %{name}-system-sparc
# Needed for F14->F16+ upgrade
# https://bugzilla.redhat.com/show_bug.cgi?id=694802
Obsoletes: openbios-common
Obsoletes: openbios-ppc
Obsoletes: openbios-sparc32
Obsoletes: openbios-sparc64
%define qemudocdir %{_docdir}/%{name}-%{version}
%description
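Review bot: the four `Obsoletes: openbios-*` lines are unversioned, so every future openbios package of any version will be treated as replaced by this package and the Obsoletes can never be retired cleanly; Fedora packaging guidelines ask for a bounded form such as `Obsoletes: openbios-ppc < <last shipped EVR>` (fill in the real last openbios version), plus a matching `Provides:` only if qemu genuinely ships the same files. The bz 694802 comment explains the why; the version bound would complete it.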
@ -161,9 +213,9 @@ Group: Development/Tools
Requires(post): /usr/bin/getent
Requires(post): /usr/sbin/groupadd
Requires(post): /usr/sbin/useradd
Requires(post): /sbin/chkconfig
Requires(preun): /sbin/service /sbin/chkconfig
Requires(postun): /sbin/service
Requires(post): systemd-units
Requires(preun): systemd-units
Requires(postun): systemd-units
%description common
QEMU is a generic and open source processor emulator which achieves a good
emulation speed by using dynamic translation.
@ -211,9 +263,8 @@ fi
Summary: QEMU user mode emulation of qemu targets
Group: Development/Tools
Requires: %{name}-common = %{epoch}:%{version}-%{release}
Requires(post): /sbin/chkconfig
Requires(preun): /sbin/service /sbin/chkconfig
Requires(postun): /sbin/service
Requires(post): systemd-units
Requires(postun): systemd-units
%description user
QEMU is a generic and open source processor emulator which achieves a good
emulation speed by using dynamic translation.
@ -228,6 +279,7 @@ Provides: kvm = 85
Obsoletes: kvm < 85
Requires: vgabios >= 0.6c-2
Requires: seabios-bin >= 0.6.0-2
Requires: sgabios-bin
Requires: /usr/share/gpxe/8086100e.rom
Requires: /usr/share/gpxe/rtl8029.rom
Requires: /usr/share/gpxe/pcnet32.rom
@ -345,6 +397,45 @@ such as kvm_stat.
%patch103 -p1
%patch104 -p1
%patch200 -p1
%patch201 -p1
%patch202 -p1
%patch203 -p1
%patch205 -p1
%patch206 -p1
%patch207 -p1
%patch208 -p1
%patch209 -p1
%patch210 -p1
%patch211 -p1
%patch212 -p1
%patch213 -p1
%patch214 -p1
%patch215 -p1
%patch216 -p1
%patch217 -p1
%patch218 -p1
%patch219 -p1
%patch220 -p1
%patch221 -p1
%patch222 -p1
%patch223 -p1
%patch224 -p1
%patch225 -p1
%patch226 -p1
%patch227 -p1
%patch228 -p1
%patch230 -p1
%patch231 -p1
%patch236 -p1
%patch237 -p1
%patch238 -p1
%patch239 -p1
%patch240 -p1
%patch241 -p1
%patch242 -p1
%patch243 -p1
%build
# By default we build everything, but allow x86 to build a minimal version
# with only similar arch target support
@ -498,6 +589,7 @@ ln -s ../vgabios/VGABIOS-lgpl-latest.cirrus.bin %{buildroot}/%{_datadir}/%{name}
ln -s ../vgabios/VGABIOS-lgpl-latest.qxl.bin %{buildroot}/%{_datadir}/%{name}/vgabios-qxl.bin
ln -s ../vgabios/VGABIOS-lgpl-latest.stdvga.bin %{buildroot}/%{_datadir}/%{name}/vgabios-stdvga.bin
ln -s ../vgabios/VGABIOS-lgpl-latest.vmware.bin %{buildroot}/%{_datadir}/%{name}/vgabios-vmware.bin
ln -s ../sgabios/sgabios.bin %{buildroot}/%{_datadir}/%{name}/sgabios.bin
ln -s ../seabios/bios.bin %{buildroot}/%{_datadir}/%{name}/bios.bin
mkdir -p $RPM_BUILD_ROOT%{_exec_prefix}/lib/binfmt.d
@ -540,41 +632,47 @@ rm -rf $RPM_BUILD_ROOT
%ifarch %{ix86} x86_64
# load kvm modules now, so we can make sure no reboot is needed.
# If there's already a kvm module installed, we don't mess with it
sh %{_sysconfdir}/sysconfig/modules/kvm.modules
sh %{_sysconfdir}/sysconfig/modules/kvm.modules || :
%endif
%post common
if [ $1 -eq 1 ] ; then
getent group kvm >/dev/null || groupadd -g 36 -r kvm
getent group qemu >/dev/null || groupadd -g 107 -r qemu
getent passwd qemu >/dev/null || \
useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
-c "qemu user" qemu
/bin/systemctl enable ksm.service
/bin/systemctl enable ksmtuned.service
# Initial installation
/bin/systemctl enable ksm.service >/dev/null 2>&1 || :
/bin/systemctl enable ksmtuned.service >/dev/null 2>&1 || :
fi
getent group kvm >/dev/null || groupadd -g 36 -r kvm
getent group qemu >/dev/null || groupadd -g 107 -r qemu
getent passwd qemu >/dev/null || \
useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
-c "qemu user" qemu
%preun common
if [ $1 -eq 0 ]; then
/bin/systemctl --system stop ksmtuned.service &>/dev/null || :
/bin/systemctl --system stop ksm.service &>/dev/null || :
/bin/systemctl disable ksmtuned.service
/bin/systemctl disable ksm.service
if [ $1 -eq 0 ] ; then
# Package removal, not upgrade
/bin/systemctl --no-reload disable ksmtuned.service > /dev/null 2>&1 || :
/bin/systemctl --no-reload disable ksm.service > /dev/null 2>&1 || :
/bin/systemctl stop ksmtuned.service > /dev/null 2>&1 || :
/bin/systemctl stop ksm.service > /dev/null 2>&1 || :
fi
%postun common
if [ $1 -ge 1 ]; then
/bin/systemctl --system try-restart ksm.service &>/dev/null || :
/bin/systemctl --system try-restart ksmtuned.service &>/dev/null || :
/bin/systemctl daemon-reload >/dev/null 2>&1 || :
if [ $1 -ge 1 ] ; then
# Package upgrade, not uninstall
/bin/systemctl try-restart ksmtuned.service >/dev/null 2>&1 || :
/bin/systemctl try-restart ksm.service >/dev/null 2>&1 || :
fi
%post user
/bin/systemctl --system try-restart systemd-binfmt.service &>/dev/null || :
%postun user
/bin/systemctl --system try-restart systemd-binfmt.service &>/dev/null || :
%files
%defattr(-,root,root)
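Review bot: in %post common the `getent passwd qemu >/dev/null || useradd -r -u 107 -g qemu -G kvm ...` chain is now the last command of the scriptlet, so on a host where uid 107 or gid 36/107 is already taken, useradd or groupadd fails and the whole %post exits non-zero at install time; follow the Fedora users-and-groups pattern and end the scriptlet with `exit 0` (or append `|| :` to each of the getent lines) so an account clash is logged rather than fatal. Moving the account creation out of the `$1 -eq 1` block so it also runs on upgrades is a good change, as is `|| :` on `sh %{_sysconfdir}/sysconfig/modules/kvm.modules`, which is what stops installation from failing on machines where the kvm module cannot load, and limiting the `systemctl enable ksm*.service` calls to initial installation matches the bz 815156 intent. Minor: %post user and %postun user still use the old `--system ... &>/dev/null` spelling while the ksm lines were converted to `>/dev/null 2>&1 || :`; make them consistent.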
@ -648,6 +746,7 @@ fi
%{_bindir}/qemu
%{_bindir}/qemu-system-x86_64
%{_datadir}/%{name}/bios.bin
%{_datadir}/%{name}/sgabios.bin
%{_datadir}/%{name}/linuxboot.bin
%{_datadir}/%{name}/multiboot.bin
%{_datadir}/%{name}/mpc8544ds.dtb
@ -724,6 +823,18 @@ fi
%{_mandir}/man1/qemu-img.1*
%changelog
* Sun Jul 29 2012 Cole Robinson <crobinso@redhat.com> - 0.15.1-7
- Pull patches from 0.15 stable
- CVE-2012-2652: Possible symlink attacks with -snapshot (bz 825697, bz
824919)
- Fix systemtap tapsets (bz 831763)
- Fix qmp response race caused by spice server bug (bz 744015)
- Fix text mode screendumps (bz 819155)
- Don't renable ksm on update (bz 815156)
- Fix RPM install error on non-virt machines (bz 660629)
- Obsolete openbios to fix upgrade dependency issues (bz 694802)
- Fix sgabios integration (bz 791344)
* Wed Jul 18 2012 Cole Robinson <crobinso@redhat.com> - 0.15.1-6
- Fix fedora guest hang with virtio console (bz 837925)
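Review bot: the new changelog entry is headed `0.15.1-7` while the older entries use the full `2:0.15.1-4` form including the Epoch; for consistency with them (and with tooling that matches changelog headers against the package EVR) write `2:0.15.1-7`, and the 0.15.1-6 entry has the same issue. The entry names the CVE-2012-2652 symlink fix but folds the ccid VSC_ATR buffer overrun (CVE-2011-4111, pulled in as Patch200) into "Pull patches from 0.15 stable"; since that is also a security fix, list it explicitly so it is visible to security tracking.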
@ -734,7 +845,7 @@ fi
* Mon Jan 30 2012 Justin M. Forbes <jforbes@redhat.com> - 2:0.15.1-4
- Add vhost-net to kvm.modules
- Fix USB passthrough assert on packet completion (#769625)
-
* Thu Jan 5 2012 Christophe Fergeau <cfergeau@redhat.com> - 2:0.15.1-3.1
- Backport patches from qemu 1.0 to fix floppy drives (#753863)
@ -749,7 +860,7 @@ fi
- Require seabios-bin >= 0.6.0-2 (#741992)
- Replace init scripts with systemd units (#741920)
- Update to 0.15.1 stable upstream
* Fri Oct 21 2011 Paul Moore <pmoore@redhat.com>
- Enable full relro and PIE (rhbz #738812)