Compare commits
247 Commits
Author | SHA1 | Date |
---|---|---|
Cole Robinson | 646ce0f5b5 | |
Cole Robinson | 4b48a789ef | |
Cole Robinson | 108c22f518 | |
Paolo Bonzini | f0d2afbe43 | |
Daniel P. Berrangé | fd795fc4d0 | |
Daniel P. Berrangé | 9d15b88230 | |
Daniel P. Berrangé | e837494495 | |
Cole Robinson | 5ff8af4aaa | |
Daniel P. Berrangé | 0b61e57fbe | |
Adam Williamson | 3f5e1104a8 | |
Cole Robinson | 5bc1125531 | |
Cole Robinson | 28222ce611 | |
Daniel P. Berrangé | 581fcfe335 | |
Daniel P. Berrangé | 9fb824102c | |
Daniel P. Berrangé | 357c686a3e | |
Daniel P. Berrangé | 65b2a489f4 | |
Daniel P. Berrangé | 744e70f72e | |
Cole Robinson | cd21b7f45d | |
Cole Robinson | efaa1cda68 | |
Cole Robinson | 748c8c3268 | |
Daniel P. Berrangé | d9af2bbdff | |
Daniel P. Berrangé | f2839fea71 | |
Daniel P. Berrangé | af50bf7b78 | |
Daniel P. Berrangé | 13e7c30edf | |
Daniel P. Berrangé | 4e321e2f5c | |
Daniel P. Berrangé | 458e07e8d7 | |
Daniel P. Berrangé | 3c0f9e810a | |
Daniel P. Berrangé | dc03f389d3 | |
Cole Robinson | 3927dda118 | |
Tom Stellard | 3fa99d6aac | |
Cole Robinson | 9b60ebfd67 | |
Cole Robinson | 2b132a41aa | |
Cole Robinson | a840dd697e | |
Cole Robinson | 884b734123 | |
Cole Robinson | b35e952c0c | |
Cole Robinson | 25b0302679 | |
Cole Robinson | a90ffcbc2c | |
Merlin Mathesius | e84a93a247 | |
Cole Robinson | d20fa70a4e | |
Cole Robinson | c9c298d7a8 | |
Cole Robinson | f4bee9e135 | |
Daniel P. Berrangé | 7ffd7f7fdf | |
Richard W.M. Jones | bdc5a0bca1 | |
Richard W.M. Jones | 4269c70e28 | |
Kevin Fenzi | 0133142152 | |
Cole Robinson | 3da886a924 | |
Cole Robinson | 8c45437b3a | |
Cole Robinson | 9f833efd2d | |
Cole Robinson | fa1d6ea0cd | |
Cole Robinson | 7e9fe41b78 | |
Cole Robinson | 76b4bc9d96 | |
Cole Robinson | 9f8e48750c | |
Adam Williamson | e2b4e80d3c | |
Cole Robinson | e1b832b513 | |
Cole Robinson | 17655806bf | |
Cole Robinson | dd41f1a7ca | |
Cole Robinson | 8833af8dcd | |
Fabiano Fidêncio | 492d6c1fff | |
Cole Robinson | 377bb253e3 | |
Cole Robinson | 023288b71a | |
Cole Robinson | 1d442bb612 | |
Richard W.M. Jones | b98348b411 | |
Mohan Boddu | ba6f50c7d7 | |
Cole Robinson | 57a3231073 | |
Cole Robinson | 46ea403d2f | |
Daniel P. Berrangé | e6e2c63c09 | |
Cole Robinson | 1d0e437ac8 | |
Cole Robinson | 6732563c65 | |
Cole Robinson | 46eefb217c | |
Cole Robinson | ff9bb15b16 | |
Cole Robinson | 993f4157b6 | |
Cole Robinson | 41cffcfad7 | |
Cole Robinson | b4072bd645 | |
Cole Robinson | fddfbd9637 | |
Thierry Vignaud | 16769836d7 | |
Cole Robinson | 0038f84388 | |
Cole Robinson | 8e6758e973 | |
Cole Robinson | fe24ece8af | |
Cole Robinson | f4c127bbc1 | |
Cole Robinson | 918c70b1aa | |
Cole Robinson | 964eff6ae8 | |
Cole Robinson | 481596d7a6 | |
Leigh Scott | c36918674f | |
Cole Robinson | 9db63cb5df | |
Cole Robinson | 5084436959 | |
Cole Robinson | 70269497f2 | |
Cole Robinson | 2a7146a2ca | |
Cole Robinson | 70b6670bdf | |
Cole Robinson | 28828da2e3 | |
Cole Robinson | e4599b5e27 | |
Cole Robinson | bd59499379 | |
Cole Robinson | 6acd45ea32 | |
Cole Robinson | e0a72f8f2d | |
Cole Robinson | 160bf4b4d5 | |
Kevin Fenzi | 8e85e5e9aa | |
Cole Robinson | 419868beaf | |
Cole Robinson | e5504b6ad4 | |
Cole Robinson | 40fbd86194 | |
Cole Robinson | 8a7ac9c97e | |
David Abdurachmanov | 29c3523ef3 | |
Cole Robinson | 17efd80578 | |
Daniel P. Berrangé | 70ef327d5f | |
Daniel P. Berrangé | af6274808b | |
Cole Robinson | c67ebc8192 | |
Cole Robinson | cdc7e4ca72 | |
Cole Robinson | e14a8ce4ef | |
Richard W.M. Jones | 09f7c02959 | |
Cole Robinson | 4266c9b33e | |
Cole Robinson | c9654a07d8 | |
Adam Williamson | fd86380c5b | |
Adam Williamson | 1515438fd3 | |
Cole Robinson | e3d6ad24ae | |
Thierry Vignaud | 9687314304 | |
Cole Robinson | 7da5fc303e | |
Cole Robinson | f3518876c6 | |
Cole Robinson | d3ff788791 | |
Daniel P. Berrangé | 941a4c0548 | |
Daniel P. Berrangé | e1923c9eb5 | |
Daniel P. Berrangé | a60ad61787 | |
Daniel P. Berrangé | f1fa58e582 | |
Daniel P. Berrangé | e24cbbb32e | |
Cole Robinson | de10d8e08e | |
Cole Robinson | 2679bc30fc | |
Fedora Release Engineering | 8e22bbd1e0 | |
Richard W.M. Jones | f1ea04bd67 | |
Richard W.M. Jones | e0155fb5be | |
Richard W.M. Jones | 8433925433 | |
Adam Williamson | 61ad1f41fd | |
Cole Robinson | 5704646898 | |
Daniel P. Berrangé | a4b3db7151 | |
Cole Robinson | 0af132aa98 | |
Cole Robinson | 007776f3e4 | |
Cole Robinson | e4323bc8b2 | |
Cole Robinson | a6f68877d0 | |
Cole Robinson | 91efacc572 | |
Cole Robinson | 748bb2f566 | |
Cole Robinson | c90305980d | |
Daniel P. Berrangé | 13b2fd93a9 | |
Cole Robinson | e4ec8b672d | |
Cole Robinson | 5bdb061bca | |
Cole Robinson | d4c4507533 | |
Peter Robinson | b12f5aef3a | |
Daniel P. Berrangé | b91dae7a8f | |
Cole Robinson | 330481bc1c | |
Cole Robinson | 97eed6b145 | |
Richard W.M. Jones | 6dab4a0cbd | |
Cole Robinson | 7b9b67b1ec | |
Cole Robinson | 0d2d5cc76d | |
Cole Robinson | 80404b03be | |
Cole Robinson | a28cfa8216 | |
Cole Robinson | e9e03fcd1c | |
Cole Robinson | 6269069f27 | |
Cole Robinson | 3930e8ff37 | |
Cole Robinson | 3758f8a137 | |
Cole Robinson | e13261f947 | |
Cole Robinson | 3c6a0ca337 | |
Daniel P. Berrangé | 55054b88c9 | |
Cole Robinson | 6b1a7d80a5 | |
Cole Robinson | a7e2480deb | |
Daniel P. Berrangé | 29249a79a8 | |
Daniel P. Berrangé | 52904050aa | |
Daniel P. Berrangé | 603dd9e50a | |
Daniel P. Berrangé | 28d4d1f5e7 | |
Daniel P. Berrangé | 34056732a5 | |
Daniel P. Berrangé | 1d16c17085 | |
Fedora Release Engineering | 8253c01b09 | |
Daniel P. Berrange | ec520ba35e | |
Daniel P. Berrange | 167a6b72c2 | |
Adam Williamson | f81be8f026 | |
Cole Robinson | f95699bf90 | |
Cole Robinson | 90a3c96cff | |
Cole Robinson | a76e086590 | |
Paolo Bonzini | e978b4fe84 | |
Paolo Bonzini | bfe7b8124e | |
Cole Robinson | 700f126a07 | |
Cole Robinson | 2a2b49f85b | |
Cole Robinson | 59eb7ad892 | |
Paolo Bonzini | b0a7742ccd | |
Daniel P. Berrange | 8699737f6d | |
Daniel P. Berrange | ac5e33cbfe | |
Daniel P. Berrange | a8c6008b7d | |
Daniel P. Berrange | 9acefb8589 | |
Paolo Bonzini | 4b7bd99c46 | |
Paolo Bonzini | fd8ba3896b | |
Paolo Bonzini | 0fb2b27d3a | |
Paolo Bonzini | 0945e0bba3 | |
Nathaniel McCallum | 98b428ff80 | |
Cole Robinson | 0b42e7fc18 | |
Nathaniel McCallum | 3b6c813012 | |
Cole Robinson | 45cb87a59c | |
Cole Robinson | 5264c6a895 | |
Adam Williamson | c2f33c885f | |
Cole Robinson | c333713fea | |
Cole Robinson | 14cfc78b3c | |
Cole Robinson | 0323a03914 | |
Cole Robinson | 1a4355e536 | |
Florian Weimer | 26c1ceeaa3 | |
Daniel P. Berrange | 6e16c07206 | |
Daniel P. Berrange | a3b9d99ab2 | |
Daniel P. Berrange | a949744f38 | |
Daniel P. Berrange | 20b2275a19 | |
Nathaniel McCallum | 22c2909bc1 | |
Nathaniel McCallum | f73c470a02 | |
Daniel P. Berrange | 1e96c68c3d | |
Nathaniel McCallum | cf6afbb855 | |
Daniel P. Berrange | 895ba8da7d | |
Cole Robinson | 335584f502 | |
Richard W.M. Jones | 5eae33f189 | |
Cole Robinson | faa9df96ad | |
Cole Robinson | 33f79e5eb1 | |
Cole Robinson | 514d6bc543 | |
Richard W.M. Jones | 5dd6a73c80 | |
Cole Robinson | 74c0a82292 | |
Cole Robinson | 0db3257f1a | |
Cole Robinson | 996634350a | |
Cole Robinson | 1db5811d26 | |
Cole Robinson | 1c7073d8dd | |
Daniel P. Berrange | 6a041ef569 | |
Fedora Release Engineering | c1f9c0e4d7 | |
Cole Robinson | 8b317f0917 | |
Cole Robinson | 50bb158a7a | |
Daniel P. Berrange | 8288677cfa | |
Cole Robinson | 9074eea4bb | |
Cole Robinson | 17a6dacdca | |
Cole Robinson | 84eeb10ee8 | |
Cole Robinson | 151958b44b | |
Cole Robinson | 3bbbcdcb07 | |
Cole Robinson | 6f55752c5f | |
Paolo Bonzini | b68b5fed43 | |
Nathaniel McCallum | 0583426e3d | |
Richard W.M. Jones | 820948cb49 | |
Richard W.M. Jones | ecbe006bda | |
Cole Robinson | 8a588691e2 | |
Bastien Nocera | b8878c0ca6 | |
Cole Robinson | cf816402f7 | |
Cole Robinson | d19693d908 | |
Cole Robinson | 8dd6b5e9c8 | |
Cole Robinson | 3a13ddd514 | |
Hans de Goede | a2729a240b | |
Michal Toman | 504e25420b | |
Cole Robinson | 57dbb7a5be | |
Cole Robinson | 435be3635e | |
Cole Robinson | 94ddf1cc6a | |
Daniel P. Berrange | d52607ebe6 | |
Cole Robinson | 4ff778e7b3 | |
Cole Robinson | ef34be9e72 | |
Richard W.M. Jones | 84e6ecadd9 |
|
@ -1,4 +1,4 @@
|
|||
/.build*.log
|
||||
/x86_64/
|
||||
/*.src.rpm
|
||||
/qemu-*.tar.bz2
|
||||
/qemu-*.tar.xz
|
||||
|
|
|
@ -1,23 +0,0 @@
|
|||
From: Pavel Grunt <pgrunt@redhat.com>
|
||||
Date: Fri, 11 Mar 2016 14:40:59 +0100
|
||||
Subject: [PATCH] spice: F24 spice has backported gl support
|
||||
|
||||
Not for upstream, this just adjusts the version check to work with
|
||||
f24 backported spice gl support
|
||||
---
|
||||
include/ui/spice-display.h | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/include/ui/spice-display.h b/include/ui/spice-display.h
|
||||
index 30ccfe3..00e4a0b 100644
|
||||
--- a/include/ui/spice-display.h
|
||||
+++ b/include/ui/spice-display.h
|
||||
@@ -25,7 +25,7 @@
|
||||
#include "sysemu/sysemu.h"
|
||||
|
||||
#if defined(CONFIG_OPENGL_DMABUF)
|
||||
-# if SPICE_SERVER_VERSION >= 0x000d01 /* release 0.13.1 */
|
||||
+# if SPICE_SERVER_VERSION >= 0x000c07 /* release 0.12.7 */
|
||||
# define HAVE_SPICE_GL 1
|
||||
# include "ui/egl-helpers.h"
|
||||
# include "ui/egl-context.h"
|
|
@ -1,33 +0,0 @@
|
|||
From: Cole Robinson <crobinso@redhat.com>
|
||||
Date: Thu, 5 May 2016 19:39:38 -0400
|
||||
Subject: [PATCH] ui: gtk: fix crash when terminal inner-border is NULL
|
||||
|
||||
VTE terminal inner-border can be NULL. The vte-0.36 (API 2.90)
|
||||
code checks for the condition too so I assume it's not just a bug
|
||||
|
||||
Fixes a crash on Fedora 24 with gtk 3.20
|
||||
---
|
||||
ui/gtk.c | 10 ++++++----
|
||||
1 file changed, 6 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/ui/gtk.c b/ui/gtk.c
|
||||
index f372a6d..9876d89 100644
|
||||
--- a/ui/gtk.c
|
||||
+++ b/ui/gtk.c
|
||||
@@ -340,10 +340,12 @@ static void gd_update_geometry_hints(VirtualConsole *vc)
|
||||
geo.min_height = geo.height_inc * VC_TERM_Y_MIN;
|
||||
mask |= GDK_HINT_MIN_SIZE;
|
||||
gtk_widget_style_get(vc->vte.terminal, "inner-border", &ib, NULL);
|
||||
- geo.base_width += ib->left + ib->right;
|
||||
- geo.base_height += ib->top + ib->bottom;
|
||||
- geo.min_width += ib->left + ib->right;
|
||||
- geo.min_height += ib->top + ib->bottom;
|
||||
+ if (ib) {
|
||||
+ geo.base_width += ib->left + ib->right;
|
||||
+ geo.base_height += ib->top + ib->bottom;
|
||||
+ geo.min_width += ib->left + ib->right;
|
||||
+ geo.min_height += ib->top + ib->bottom;
|
||||
+ }
|
||||
geo_widget = vc->vte.terminal;
|
||||
#endif
|
||||
}
|
|
@ -1,48 +0,0 @@
|
|||
From: Cole Robinson <crobinso@redhat.com>
|
||||
Date: Fri, 6 May 2016 12:36:46 -0400
|
||||
Subject: [PATCH] ui: sdl2: Release grab before opening console window
|
||||
|
||||
sdl 2.0.4 currently has a bug which causes our UI shortcuts to fire
|
||||
rapidly in succession:
|
||||
|
||||
https://bugzilla.libsdl.org/show_bug.cgi?id=3287
|
||||
|
||||
It's a toss up whether ctrl+alt+f or ctrl+alt+2 will fire an
|
||||
odd or even number of times, thus determining whether the action
|
||||
succeeds or fails.
|
||||
|
||||
Opening monitor/serial windows is doubly broken, since it will often
|
||||
lock the UI trying to grab the pointer:
|
||||
|
||||
0x00007fffef3720a5 in SDL_Delay_REAL () at /lib64/libSDL2-2.0.so.0
|
||||
0x00007fffef3688ba in X11_SetWindowGrab () at /lib64/libSDL2-2.0.so.0
|
||||
0x00007fffef2f2da7 in SDL_SendWindowEvent () at /lib64/libSDL2-2.0.so.0
|
||||
0x00007fffef2f080b in SDL_SetKeyboardFocus () at /lib64/libSDL2-2.0.so.0
|
||||
0x00007fffef35d784 in X11_DispatchFocusIn.isra.8 () at /lib64/libSDL2-2.0.so.0
|
||||
0x00007fffef35dbce in X11_DispatchEvent () at /lib64/libSDL2-2.0.so.0
|
||||
0x00007fffef35ee4a in X11_PumpEvents () at /lib64/libSDL2-2.0.so.0
|
||||
0x00007fffef2eea6a in SDL_PumpEvents_REAL () at /lib64/libSDL2-2.0.so.0
|
||||
0x00007fffef2eeab5 in SDL_WaitEventTimeout_REAL () at /lib64/libSDL2-2.0.so.0
|
||||
0x000055555597eed0 in sdl2_poll_events (scon=0x55555876f928) at ui/sdl2.c:593
|
||||
|
||||
We can work around that hang by ungrabbing the pointer before launching
|
||||
a new window. This roughly matches what our sdl1 code does
|
||||
---
|
||||
ui/sdl2.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/ui/sdl2.c b/ui/sdl2.c
|
||||
index d042442..909038f 100644
|
||||
--- a/ui/sdl2.c
|
||||
+++ b/ui/sdl2.c
|
||||
@@ -357,6 +357,10 @@ static void handle_keydown(SDL_Event *ev)
|
||||
case SDL_SCANCODE_7:
|
||||
case SDL_SCANCODE_8:
|
||||
case SDL_SCANCODE_9:
|
||||
+ if (gui_grab) {
|
||||
+ sdl_grab_end(scon);
|
||||
+ }
|
||||
+
|
||||
win = ev->key.keysym.scancode - SDL_SCANCODE_1;
|
||||
if (win < sdl2_num_outputs) {
|
||||
sdl2_console[win].hidden = !sdl2_console[win].hidden;
|
|
@ -1,30 +0,0 @@
|
|||
From: Cole Robinson <crobinso@redhat.com>
|
||||
Date: Wed, 18 May 2016 11:44:33 -0400
|
||||
Subject: [PATCH] ui: spice: Exit if gl=on EGL init fails
|
||||
|
||||
The user explicitly requested spice GL, so if we know it isn't
|
||||
going to work we should exit
|
||||
|
||||
Signed-off-by: Cole Robinson <crobinso@redhat.com>
|
||||
---
|
||||
ui/spice-core.c | 6 ++++--
|
||||
1 file changed, 4 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/ui/spice-core.c b/ui/spice-core.c
|
||||
index 61db3c1..da05054 100644
|
||||
--- a/ui/spice-core.c
|
||||
+++ b/ui/spice-core.c
|
||||
@@ -833,9 +833,11 @@ void qemu_spice_init(void)
|
||||
"incompatible with -spice port/tls-port");
|
||||
exit(1);
|
||||
}
|
||||
- if (egl_rendernode_init() == 0) {
|
||||
- display_opengl = 1;
|
||||
+ if (egl_rendernode_init() != 0) {
|
||||
+ error_report("Failed to initialize EGL render node for SPICE GL");
|
||||
+ exit(1);
|
||||
}
|
||||
+ display_opengl = 1;
|
||||
}
|
||||
#endif
|
||||
}
|
|
@ -1,83 +0,0 @@
|
|||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Wed, 3 Feb 2016 13:55:00 +0100
|
||||
Subject: [PATCH] spice/gl: add & use qemu_spice_gl_monitor_config
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
||||
(cherry picked from commit 39414ef4e93db9041e463a097084a407d0d374f0)
|
||||
---
|
||||
include/ui/spice-display.h | 1 +
|
||||
ui/spice-display.c | 30 ++++++++++++++++++++++++++++++
|
||||
2 files changed, 31 insertions(+)
|
||||
|
||||
diff --git a/include/ui/spice-display.h b/include/ui/spice-display.h
|
||||
index 00e4a0b..3c679e8 100644
|
||||
--- a/include/ui/spice-display.h
|
||||
+++ b/include/ui/spice-display.h
|
||||
@@ -71,6 +71,7 @@ typedef struct QXLCookie {
|
||||
QXLRect area;
|
||||
int redraw;
|
||||
} render;
|
||||
+ void *data;
|
||||
} u;
|
||||
} QXLCookie;
|
||||
|
||||
diff --git a/ui/spice-display.c b/ui/spice-display.c
|
||||
index 242ab5f..2a77a54 100644
|
||||
--- a/ui/spice-display.c
|
||||
+++ b/ui/spice-display.c
|
||||
@@ -660,6 +660,11 @@ static void interface_async_complete(QXLInstance *sin, uint64_t cookie_token)
|
||||
qemu_bh_schedule(ssd->gl_unblock_bh);
|
||||
break;
|
||||
}
|
||||
+ case QXL_COOKIE_TYPE_IO:
|
||||
+ if (cookie->io == QXL_IO_MONITORS_CONFIG_ASYNC) {
|
||||
+ g_free(cookie->u.data);
|
||||
+ }
|
||||
+ break;
|
||||
#endif
|
||||
default:
|
||||
/* should never be called, used in qxl native mode only */
|
||||
@@ -795,6 +800,29 @@ static const DisplayChangeListenerOps display_listener_ops = {
|
||||
|
||||
#ifdef HAVE_SPICE_GL
|
||||
|
||||
+static void qemu_spice_gl_monitor_config(SimpleSpiceDisplay *ssd,
|
||||
+ int x, int y, int w, int h)
|
||||
+{
|
||||
+ QXLMonitorsConfig *config;
|
||||
+ QXLCookie *cookie;
|
||||
+
|
||||
+ config = g_malloc0(sizeof(QXLMonitorsConfig) + sizeof(QXLHead));
|
||||
+ config->count = 1;
|
||||
+ config->max_allowed = 1;
|
||||
+ config->heads[0].x = x;
|
||||
+ config->heads[0].y = y;
|
||||
+ config->heads[0].width = w;
|
||||
+ config->heads[0].height = h;
|
||||
+ cookie = qxl_cookie_new(QXL_COOKIE_TYPE_IO,
|
||||
+ QXL_IO_MONITORS_CONFIG_ASYNC);
|
||||
+ cookie->u.data = config;
|
||||
+
|
||||
+ spice_qxl_monitors_config_async(&ssd->qxl,
|
||||
+ (uintptr_t)config,
|
||||
+ MEMSLOT_GROUP_HOST,
|
||||
+ (uintptr_t)cookie);
|
||||
+}
|
||||
+
|
||||
static void qemu_spice_gl_block(SimpleSpiceDisplay *ssd, bool block)
|
||||
{
|
||||
uint64_t timeout;
|
||||
@@ -858,6 +886,8 @@ static void qemu_spice_gl_scanout(DisplayChangeListener *dcl,
|
||||
surface_width(ssd->ds),
|
||||
surface_height(ssd->ds),
|
||||
stride, fourcc, y_0_top);
|
||||
+
|
||||
+ qemu_spice_gl_monitor_config(ssd, x, y, w, h);
|
||||
}
|
||||
|
||||
static void qemu_spice_gl_update(DisplayChangeListener *dcl,
|
|
@ -1,32 +0,0 @@
|
|||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Thu, 7 Apr 2016 12:50:08 +0530
|
||||
Subject: [PATCH] i386: kvmvapic: initialise imm32 variable
|
||||
|
||||
When processing Task Priorty Register(TPR) access, it could leak
|
||||
automatic stack variable 'imm32' in patch_instruction().
|
||||
Initialise the variable to avoid it.
|
||||
|
||||
Reported by: Donghai Zdh <donghai.zdh@alibaba-inc.com>
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-Id: <1460013608-16670-1-git-send-email-ppandit@redhat.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
|
||||
(cherry picked from commit 691a02e2ce0c413236a78dee6f2651c937b09fb0)
|
||||
---
|
||||
hw/i386/kvmvapic.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/i386/kvmvapic.c b/hw/i386/kvmvapic.c
|
||||
index c69f374..ff1e31a 100644
|
||||
--- a/hw/i386/kvmvapic.c
|
||||
+++ b/hw/i386/kvmvapic.c
|
||||
@@ -394,7 +394,7 @@ static void patch_instruction(VAPICROMState *s, X86CPU *cpu, target_ulong ip)
|
||||
CPUX86State *env = &cpu->env;
|
||||
VAPICHandlers *handlers;
|
||||
uint8_t opcode[2];
|
||||
- uint32_t imm32;
|
||||
+ uint32_t imm32 = 0;
|
||||
target_ulong current_pc = 0;
|
||||
target_ulong current_cs_base = 0;
|
||||
int current_flags = 0;
|
|
@ -1,39 +0,0 @@
|
|||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Thu, 19 May 2016 16:09:30 +0530
|
||||
Subject: [PATCH] esp: check command buffer length before write(CVE-2016-4439)
|
||||
|
||||
The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte
|
||||
FIFO buffer. It is used to handle command and data transfer. While
|
||||
writing to this command buffer 's->cmdbuf[TI_BUFSZ=16]', a check
|
||||
was missing to validate input length. Add check to avoid OOB write
|
||||
access.
|
||||
|
||||
Fixes CVE-2016-4439.
|
||||
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-Id: <1463654371-11169-2-git-send-email-ppandit@redhat.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit c98c6c105f66f05aa0b7c1d2a4a3f716450907ef)
|
||||
---
|
||||
hw/scsi/esp.c | 6 +++++-
|
||||
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
|
||||
index 8961be2..01497e6 100644
|
||||
--- a/hw/scsi/esp.c
|
||||
+++ b/hw/scsi/esp.c
|
||||
@@ -448,7 +448,11 @@ void esp_reg_write(ESPState *s, uint32_t saddr, uint64_t val)
|
||||
break;
|
||||
case ESP_FIFO:
|
||||
if (s->do_cmd) {
|
||||
- s->cmdbuf[s->cmdlen++] = val & 0xff;
|
||||
+ if (s->cmdlen < TI_BUFSZ) {
|
||||
+ s->cmdbuf[s->cmdlen++] = val & 0xff;
|
||||
+ } else {
|
||||
+ trace_esp_error_fifo_overrun();
|
||||
+ }
|
||||
} else if (s->ti_size == TI_BUFSZ - 1) {
|
||||
trace_esp_error_fifo_overrun();
|
||||
} else {
|
|
@ -1,73 +0,0 @@
|
|||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Thu, 19 May 2016 16:09:31 +0530
|
||||
Subject: [PATCH] esp: check dma length before reading scsi
|
||||
command(CVE-2016-4441)
|
||||
|
||||
The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte
|
||||
FIFO buffer. It is used to handle command and data transfer.
|
||||
Routine get_cmd() uses DMA to read scsi commands into this buffer.
|
||||
Add check to validate DMA length against buffer size to avoid any
|
||||
overrun.
|
||||
|
||||
Fixes CVE-2016-4441.
|
||||
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-Id: <1463654371-11169-3-git-send-email-ppandit@redhat.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit 6c1fef6b59563cc415f21e03f81539ed4b33ad90)
|
||||
---
|
||||
hw/scsi/esp.c | 11 +++++++----
|
||||
1 file changed, 7 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
|
||||
index 01497e6..591c817 100644
|
||||
--- a/hw/scsi/esp.c
|
||||
+++ b/hw/scsi/esp.c
|
||||
@@ -82,7 +82,7 @@ void esp_request_cancelled(SCSIRequest *req)
|
||||
}
|
||||
}
|
||||
|
||||
-static uint32_t get_cmd(ESPState *s, uint8_t *buf)
|
||||
+static uint32_t get_cmd(ESPState *s, uint8_t *buf, uint8_t buflen)
|
||||
{
|
||||
uint32_t dmalen;
|
||||
int target;
|
||||
@@ -92,6 +92,9 @@ static uint32_t get_cmd(ESPState *s, uint8_t *buf)
|
||||
dmalen = s->rregs[ESP_TCLO];
|
||||
dmalen |= s->rregs[ESP_TCMID] << 8;
|
||||
dmalen |= s->rregs[ESP_TCHI] << 16;
|
||||
+ if (dmalen > buflen) {
|
||||
+ return 0;
|
||||
+ }
|
||||
s->dma_memory_read(s->dma_opaque, buf, dmalen);
|
||||
} else {
|
||||
dmalen = s->ti_size;
|
||||
@@ -166,7 +169,7 @@ static void handle_satn(ESPState *s)
|
||||
s->dma_cb = handle_satn;
|
||||
return;
|
||||
}
|
||||
- len = get_cmd(s, buf);
|
||||
+ len = get_cmd(s, buf, sizeof(buf));
|
||||
if (len)
|
||||
do_cmd(s, buf);
|
||||
}
|
||||
@@ -180,7 +183,7 @@ static void handle_s_without_atn(ESPState *s)
|
||||
s->dma_cb = handle_s_without_atn;
|
||||
return;
|
||||
}
|
||||
- len = get_cmd(s, buf);
|
||||
+ len = get_cmd(s, buf, sizeof(buf));
|
||||
if (len) {
|
||||
do_busid_cmd(s, buf, 0);
|
||||
}
|
||||
@@ -192,7 +195,7 @@ static void handle_satn_stop(ESPState *s)
|
||||
s->dma_cb = handle_satn_stop;
|
||||
return;
|
||||
}
|
||||
- s->cmdlen = get_cmd(s, s->cmdbuf);
|
||||
+ s->cmdlen = get_cmd(s, s->cmdbuf, sizeof(s->cmdbuf));
|
||||
if (s->cmdlen) {
|
||||
trace_esp_handle_satn_stop(s->cmdlen);
|
||||
s->do_cmd = 1;
|
|
@ -1,233 +0,0 @@
|
|||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Tue, 17 May 2016 10:54:54 +0200
|
||||
Subject: [PATCH] vga: add sr_vbe register set
|
||||
|
||||
Commit "fd3c136 vga: make sure vga register setup for vbe stays intact
|
||||
(CVE-2016-3712)." causes a regression. The win7 installer is unhappy
|
||||
because it can't freely modify vga registers any more while in vbe mode.
|
||||
|
||||
This patch introduces a new sr_vbe register set. The vbe_update_vgaregs
|
||||
will fill sr_vbe[] instead of sr[]. Normal vga register reads and
|
||||
writes go to sr[]. Any sr register read access happens through a new
|
||||
sr() helper function which will read from sr_vbe[] with vbe active and
|
||||
from sr[] otherwise.
|
||||
|
||||
This way we can allow guests update sr[] registers as they want, without
|
||||
allowing them disrupt vbe video modes that way.
|
||||
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Reported-by: Thomas Lamprecht <thomas@lamprecht.org>
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Message-id: 1463475294-14119-1-git-send-email-kraxel@redhat.com
|
||||
(cherry picked from commit 94ef4f337fb614f18b765a8e0e878a4c23cdedcd)
|
||||
---
|
||||
hw/display/vga.c | 50 ++++++++++++++++++++++++++++----------------------
|
||||
hw/display/vga_int.h | 1 +
|
||||
2 files changed, 29 insertions(+), 22 deletions(-)
|
||||
|
||||
diff --git a/hw/display/vga.c b/hw/display/vga.c
|
||||
index 4a55ec6..9ebc54f 100644
|
||||
--- a/hw/display/vga.c
|
||||
+++ b/hw/display/vga.c
|
||||
@@ -149,6 +149,11 @@ static inline bool vbe_enabled(VGACommonState *s)
|
||||
return s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED;
|
||||
}
|
||||
|
||||
+static inline uint8_t sr(VGACommonState *s, int idx)
|
||||
+{
|
||||
+ return vbe_enabled(s) ? s->sr_vbe[idx] : s->sr[idx];
|
||||
+}
|
||||
+
|
||||
static void vga_update_memory_access(VGACommonState *s)
|
||||
{
|
||||
hwaddr base, offset, size;
|
||||
@@ -163,8 +168,8 @@ static void vga_update_memory_access(VGACommonState *s)
|
||||
s->has_chain4_alias = false;
|
||||
s->plane_updated = 0xf;
|
||||
}
|
||||
- if ((s->sr[VGA_SEQ_PLANE_WRITE] & VGA_SR02_ALL_PLANES) ==
|
||||
- VGA_SR02_ALL_PLANES && s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) {
|
||||
+ if ((sr(s, VGA_SEQ_PLANE_WRITE) & VGA_SR02_ALL_PLANES) ==
|
||||
+ VGA_SR02_ALL_PLANES && sr(s, VGA_SEQ_MEMORY_MODE) & VGA_SR04_CHN_4M) {
|
||||
offset = 0;
|
||||
switch ((s->gr[VGA_GFX_MISC] >> 2) & 3) {
|
||||
case 0:
|
||||
@@ -234,7 +239,7 @@ static void vga_precise_update_retrace_info(VGACommonState *s)
|
||||
((s->cr[VGA_CRTC_OVERFLOW] >> 6) & 2)) << 8);
|
||||
vretr_end_line = s->cr[VGA_CRTC_V_SYNC_END] & 0xf;
|
||||
|
||||
- clocking_mode = (s->sr[VGA_SEQ_CLOCK_MODE] >> 3) & 1;
|
||||
+ clocking_mode = (sr(s, VGA_SEQ_CLOCK_MODE) >> 3) & 1;
|
||||
clock_sel = (s->msr >> 2) & 3;
|
||||
dots = (s->msr & 1) ? 8 : 9;
|
||||
|
||||
@@ -486,7 +491,6 @@ void vga_ioport_write(void *opaque, uint32_t addr, uint32_t val)
|
||||
printf("vga: write SR%x = 0x%02x\n", s->sr_index, val);
|
||||
#endif
|
||||
s->sr[s->sr_index] = val & sr_mask[s->sr_index];
|
||||
- vbe_update_vgaregs(s);
|
||||
if (s->sr_index == VGA_SEQ_CLOCK_MODE) {
|
||||
s->update_retrace_info(s);
|
||||
}
|
||||
@@ -680,13 +684,13 @@ static void vbe_update_vgaregs(VGACommonState *s)
|
||||
|
||||
if (s->vbe_regs[VBE_DISPI_INDEX_BPP] == 4) {
|
||||
shift_control = 0;
|
||||
- s->sr[VGA_SEQ_CLOCK_MODE] &= ~8; /* no double line */
|
||||
+ s->sr_vbe[VGA_SEQ_CLOCK_MODE] &= ~8; /* no double line */
|
||||
} else {
|
||||
shift_control = 2;
|
||||
/* set chain 4 mode */
|
||||
- s->sr[VGA_SEQ_MEMORY_MODE] |= VGA_SR04_CHN_4M;
|
||||
+ s->sr_vbe[VGA_SEQ_MEMORY_MODE] |= VGA_SR04_CHN_4M;
|
||||
/* activate all planes */
|
||||
- s->sr[VGA_SEQ_PLANE_WRITE] |= VGA_SR02_ALL_PLANES;
|
||||
+ s->sr_vbe[VGA_SEQ_PLANE_WRITE] |= VGA_SR02_ALL_PLANES;
|
||||
}
|
||||
s->gr[VGA_GFX_MODE] = (s->gr[VGA_GFX_MODE] & ~0x60) |
|
||||
(shift_control << 5);
|
||||
@@ -836,7 +840,7 @@ uint32_t vga_mem_readb(VGACommonState *s, hwaddr addr)
|
||||
break;
|
||||
}
|
||||
|
||||
- if (s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) {
|
||||
+ if (sr(s, VGA_SEQ_MEMORY_MODE) & VGA_SR04_CHN_4M) {
|
||||
/* chain 4 mode : simplest access */
|
||||
assert(addr < s->vram_size);
|
||||
ret = s->vram_ptr[addr];
|
||||
@@ -904,11 +908,11 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val)
|
||||
break;
|
||||
}
|
||||
|
||||
- if (s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) {
|
||||
+ if (sr(s, VGA_SEQ_MEMORY_MODE) & VGA_SR04_CHN_4M) {
|
||||
/* chain 4 mode : simplest access */
|
||||
plane = addr & 3;
|
||||
mask = (1 << plane);
|
||||
- if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) {
|
||||
+ if (sr(s, VGA_SEQ_PLANE_WRITE) & mask) {
|
||||
assert(addr < s->vram_size);
|
||||
s->vram_ptr[addr] = val;
|
||||
#ifdef DEBUG_VGA_MEM
|
||||
@@ -921,7 +925,7 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val)
|
||||
/* odd/even mode (aka text mode mapping) */
|
||||
plane = (s->gr[VGA_GFX_PLANE_READ] & 2) | (addr & 1);
|
||||
mask = (1 << plane);
|
||||
- if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) {
|
||||
+ if (sr(s, VGA_SEQ_PLANE_WRITE) & mask) {
|
||||
addr = ((addr & ~1) << 1) | plane;
|
||||
if (addr >= s->vram_size) {
|
||||
return;
|
||||
@@ -996,7 +1000,7 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val)
|
||||
|
||||
do_write:
|
||||
/* mask data according to sr[2] */
|
||||
- mask = s->sr[VGA_SEQ_PLANE_WRITE];
|
||||
+ mask = sr(s, VGA_SEQ_PLANE_WRITE);
|
||||
s->plane_updated |= mask; /* only used to detect font change */
|
||||
write_mask = mask16[mask];
|
||||
if (addr * sizeof(uint32_t) >= s->vram_size) {
|
||||
@@ -1152,10 +1156,10 @@ static void vga_get_text_resolution(VGACommonState *s, int *pwidth, int *pheight
|
||||
/* total width & height */
|
||||
cheight = (s->cr[VGA_CRTC_MAX_SCAN] & 0x1f) + 1;
|
||||
cwidth = 8;
|
||||
- if (!(s->sr[VGA_SEQ_CLOCK_MODE] & VGA_SR01_CHAR_CLK_8DOTS)) {
|
||||
+ if (!(sr(s, VGA_SEQ_CLOCK_MODE) & VGA_SR01_CHAR_CLK_8DOTS)) {
|
||||
cwidth = 9;
|
||||
}
|
||||
- if (s->sr[VGA_SEQ_CLOCK_MODE] & 0x08) {
|
||||
+ if (sr(s, VGA_SEQ_CLOCK_MODE) & 0x08) {
|
||||
cwidth = 16; /* NOTE: no 18 pixel wide */
|
||||
}
|
||||
width = (s->cr[VGA_CRTC_H_DISP] + 1);
|
||||
@@ -1197,7 +1201,7 @@ static void vga_draw_text(VGACommonState *s, int full_update)
|
||||
int64_t now = qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL);
|
||||
|
||||
/* compute font data address (in plane 2) */
|
||||
- v = s->sr[VGA_SEQ_CHARACTER_MAP];
|
||||
+ v = sr(s, VGA_SEQ_CHARACTER_MAP);
|
||||
offset = (((v >> 4) & 1) | ((v << 1) & 6)) * 8192 * 4 + 2;
|
||||
if (offset != s->font_offsets[0]) {
|
||||
s->font_offsets[0] = offset;
|
||||
@@ -1506,11 +1510,11 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
|
||||
}
|
||||
|
||||
if (shift_control == 0) {
|
||||
- if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) {
|
||||
+ if (sr(s, VGA_SEQ_CLOCK_MODE) & 8) {
|
||||
disp_width <<= 1;
|
||||
}
|
||||
} else if (shift_control == 1) {
|
||||
- if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) {
|
||||
+ if (sr(s, VGA_SEQ_CLOCK_MODE) & 8) {
|
||||
disp_width <<= 1;
|
||||
}
|
||||
}
|
||||
@@ -1574,7 +1578,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
|
||||
|
||||
if (shift_control == 0) {
|
||||
full_update |= update_palette16(s);
|
||||
- if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) {
|
||||
+ if (sr(s, VGA_SEQ_CLOCK_MODE) & 8) {
|
||||
v = VGA_DRAW_LINE4D2;
|
||||
} else {
|
||||
v = VGA_DRAW_LINE4;
|
||||
@@ -1582,7 +1586,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
|
||||
bits = 4;
|
||||
} else if (shift_control == 1) {
|
||||
full_update |= update_palette16(s);
|
||||
- if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) {
|
||||
+ if (sr(s, VGA_SEQ_CLOCK_MODE) & 8) {
|
||||
v = VGA_DRAW_LINE2D2;
|
||||
} else {
|
||||
v = VGA_DRAW_LINE2;
|
||||
@@ -1629,7 +1633,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
|
||||
#if 0
|
||||
printf("w=%d h=%d v=%d line_offset=%d cr[0x09]=0x%02x cr[0x17]=0x%02x linecmp=%d sr[0x01]=0x%02x\n",
|
||||
width, height, v, line_offset, s->cr[9], s->cr[VGA_CRTC_MODE],
|
||||
- s->line_compare, s->sr[VGA_SEQ_CLOCK_MODE]);
|
||||
+ s->line_compare, sr(s, VGA_SEQ_CLOCK_MODE));
|
||||
#endif
|
||||
addr1 = (s->start_addr * 4);
|
||||
bwidth = (width * bits + 7) / 8;
|
||||
@@ -1781,6 +1785,7 @@ void vga_common_reset(VGACommonState *s)
|
||||
{
|
||||
s->sr_index = 0;
|
||||
memset(s->sr, '\0', sizeof(s->sr));
|
||||
+ memset(s->sr_vbe, '\0', sizeof(s->sr_vbe));
|
||||
s->gr_index = 0;
|
||||
memset(s->gr, '\0', sizeof(s->gr));
|
||||
s->ar_index = 0;
|
||||
@@ -1883,10 +1888,10 @@ static void vga_update_text(void *opaque, console_ch_t *chardata)
|
||||
/* total width & height */
|
||||
cheight = (s->cr[VGA_CRTC_MAX_SCAN] & 0x1f) + 1;
|
||||
cw = 8;
|
||||
- if (!(s->sr[VGA_SEQ_CLOCK_MODE] & VGA_SR01_CHAR_CLK_8DOTS)) {
|
||||
+ if (!(sr(s, VGA_SEQ_CLOCK_MODE) & VGA_SR01_CHAR_CLK_8DOTS)) {
|
||||
cw = 9;
|
||||
}
|
||||
- if (s->sr[VGA_SEQ_CLOCK_MODE] & 0x08) {
|
||||
+ if (sr(s, VGA_SEQ_CLOCK_MODE) & 0x08) {
|
||||
cw = 16; /* NOTE: no 18 pixel wide */
|
||||
}
|
||||
width = (s->cr[VGA_CRTC_H_DISP] + 1);
|
||||
@@ -2053,6 +2058,7 @@ static int vga_common_post_load(void *opaque, int version_id)
|
||||
|
||||
/* force refresh */
|
||||
s->graphic_mode = -1;
|
||||
+ vbe_update_vgaregs(s);
|
||||
return 0;
|
||||
}
|
||||
|
||||
diff --git a/hw/display/vga_int.h b/hw/display/vga_int.h
|
||||
index bdb43a5..3ce5544 100644
|
||||
--- a/hw/display/vga_int.h
|
||||
+++ b/hw/display/vga_int.h
|
||||
@@ -98,6 +98,7 @@ typedef struct VGACommonState {
|
||||
MemoryRegion chain4_alias;
|
||||
uint8_t sr_index;
|
||||
uint8_t sr[256];
|
||||
+ uint8_t sr_vbe[256];
|
||||
uint8_t gr_index;
|
||||
uint8_t gr[256];
|
||||
uint8_t ar_index;
|
|
@ -1,35 +0,0 @@
|
|||
From: Cole Robinson <crobinso@redhat.com>
|
||||
Date: Thu, 26 May 2016 09:55:21 -0400
|
||||
Subject: [PATCH] hw/arm/virt: Reject gic-version=host for non-KVM
|
||||
|
||||
If you try to gic-version=host with TCG on a KVM aarch64 host,
|
||||
qemu segfaults, since host requires KVM APIs.
|
||||
|
||||
Explicitly reject gic-version=host if KVM is not enabled
|
||||
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=1339977
|
||||
(cherry picked from commit b1b3b0dd143b7995a7f4062966b80a2cf3e3c71e)
|
||||
---
|
||||
hw/arm/virt.c | 6 +++++-
|
||||
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/arm/virt.c b/hw/arm/virt.c
|
||||
index 56d35c7..a535285 100644
|
||||
--- a/hw/arm/virt.c
|
||||
+++ b/hw/arm/virt.c
|
||||
@@ -1114,10 +1114,14 @@ static void machvirt_init(MachineState *machine)
|
||||
* KVM is not available yet
|
||||
*/
|
||||
if (!gic_version) {
|
||||
+ if (!kvm_enabled()) {
|
||||
+ error_report("gic-version=host requires KVM");
|
||||
+ exit(1);
|
||||
+ }
|
||||
+
|
||||
gic_version = kvm_arm_vgic_probe();
|
||||
if (!gic_version) {
|
||||
error_report("Unable to determine GIC version supported by host");
|
||||
- error_printf("KVM acceleration is probably not supported\n");
|
||||
exit(1);
|
||||
}
|
||||
}
|
|
@ -1,32 +0,0 @@
|
|||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Thu, 7 Apr 2016 15:56:02 +0530
|
||||
Subject: [PATCH] net: mipsnet: check packet length against buffer
|
||||
|
||||
When receiving packets over MIPSnet network device, it uses
|
||||
receive buffer of size 1514 bytes. In case the controller
|
||||
accepts large(MTU) packets, it could lead to memory corruption.
|
||||
Add check to avoid it.
|
||||
|
||||
Reported by: Oleksandr Bazhaniuk <oleksandr.bazhaniuk@intel.com>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
||||
|
||||
(cherry picked from commit 3af9187fc6caaf415ab9c0c6d92c9678f65cb17f)
|
||||
---
|
||||
hw/net/mipsnet.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/hw/net/mipsnet.c b/hw/net/mipsnet.c
|
||||
index 740cd98..cf8b823 100644
|
||||
--- a/hw/net/mipsnet.c
|
||||
+++ b/hw/net/mipsnet.c
|
||||
@@ -83,6 +83,9 @@ static ssize_t mipsnet_receive(NetClientState *nc, const uint8_t *buf, size_t si
|
||||
if (!mipsnet_can_receive(nc))
|
||||
return 0;
|
||||
|
||||
+ if (size >= sizeof(s->rx_buffer)) {
|
||||
+ return 0;
|
||||
+ }
|
||||
s->busy = 1;
|
||||
|
||||
/* Just accept everything. */
|
|
@ -1,100 +0,0 @@
|
|||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Mon, 23 May 2016 16:18:05 +0530
|
||||
Subject: [PATCH] scsi: pvscsi: check command descriptor ring buffer size
|
||||
(CVE-2016-4952)
|
||||
|
||||
Vmware Paravirtual SCSI emulation uses command descriptors to
|
||||
process SCSI commands. These descriptors come with their ring
|
||||
buffers. A guest could set the ring buffer size to an arbitrary
|
||||
value leading to OOB access issue. Add check to avoid it.
|
||||
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Message-Id: <1464000485-27041-1-git-send-email-ppandit@redhat.com>
|
||||
Reviewed-by: Shmulik Ladkani <shmulik.ladkani@ravellosystems.com>
|
||||
Reviewed-by: Dmitry Fleytman <dmitry@daynix.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit 3e831b40e015ba34dfb55ff11f767001839425ff)
|
||||
---
|
||||
hw/scsi/vmw_pvscsi.c | 24 ++++++++++++++++++++----
|
||||
1 file changed, 20 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
|
||||
index e690b4e..e1d6d06 100644
|
||||
--- a/hw/scsi/vmw_pvscsi.c
|
||||
+++ b/hw/scsi/vmw_pvscsi.c
|
||||
@@ -153,7 +153,7 @@ pvscsi_log2(uint32_t input)
|
||||
return log;
|
||||
}
|
||||
|
||||
-static void
|
||||
+static int
|
||||
pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
|
||||
{
|
||||
int i;
|
||||
@@ -161,6 +161,10 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
|
||||
uint32_t req_ring_size, cmp_ring_size;
|
||||
m->rs_pa = ri->ringsStatePPN << VMW_PAGE_SHIFT;
|
||||
|
||||
+ if ((ri->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)
|
||||
+ || (ri->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)) {
|
||||
+ return -1;
|
||||
+ }
|
||||
req_ring_size = ri->reqRingNumPages * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE;
|
||||
cmp_ring_size = ri->cmpRingNumPages * PVSCSI_MAX_NUM_CMP_ENTRIES_PER_PAGE;
|
||||
txr_len_log2 = pvscsi_log2(req_ring_size - 1);
|
||||
@@ -192,15 +196,20 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
|
||||
|
||||
/* Flush ring state page changes */
|
||||
smp_wmb();
|
||||
+
|
||||
+ return 0;
|
||||
}
|
||||
|
||||
-static void
|
||||
+static int
|
||||
pvscsi_ring_init_msg(PVSCSIRingInfo *m, PVSCSICmdDescSetupMsgRing *ri)
|
||||
{
|
||||
int i;
|
||||
uint32_t len_log2;
|
||||
uint32_t ring_size;
|
||||
|
||||
+ if (ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) {
|
||||
+ return -1;
|
||||
+ }
|
||||
ring_size = ri->numPages * PVSCSI_MAX_NUM_MSG_ENTRIES_PER_PAGE;
|
||||
len_log2 = pvscsi_log2(ring_size - 1);
|
||||
|
||||
@@ -220,6 +229,8 @@ pvscsi_ring_init_msg(PVSCSIRingInfo *m, PVSCSICmdDescSetupMsgRing *ri)
|
||||
|
||||
/* Flush ring state page changes */
|
||||
smp_wmb();
|
||||
+
|
||||
+ return 0;
|
||||
}
|
||||
|
||||
static void
|
||||
@@ -770,7 +781,10 @@ pvscsi_on_cmd_setup_rings(PVSCSIState *s)
|
||||
trace_pvscsi_on_cmd_arrived("PVSCSI_CMD_SETUP_RINGS");
|
||||
|
||||
pvscsi_dbg_dump_tx_rings_config(rc);
|
||||
- pvscsi_ring_init_data(&s->rings, rc);
|
||||
+ if (pvscsi_ring_init_data(&s->rings, rc) < 0) {
|
||||
+ return PVSCSI_COMMAND_PROCESSING_FAILED;
|
||||
+ }
|
||||
+
|
||||
s->rings_info_valid = TRUE;
|
||||
return PVSCSI_COMMAND_PROCESSING_SUCCEEDED;
|
||||
}
|
||||
@@ -850,7 +864,9 @@ pvscsi_on_cmd_setup_msg_ring(PVSCSIState *s)
|
||||
}
|
||||
|
||||
if (s->rings_info_valid) {
|
||||
- pvscsi_ring_init_msg(&s->rings, rc);
|
||||
+ if (pvscsi_ring_init_msg(&s->rings, rc) < 0) {
|
||||
+ return PVSCSI_COMMAND_PROCESSING_FAILED;
|
||||
+ }
|
||||
s->msg_ring_info_valid = TRUE;
|
||||
}
|
||||
return sizeof(PVSCSICmdDescSetupMsgRing) / sizeof(uint32_t);
|
|
@ -1,46 +0,0 @@
|
|||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Tue, 24 May 2016 13:37:44 +0530
|
||||
Subject: [PATCH] scsi: mptsas: infinite loop while fetching requests
|
||||
|
||||
The LSI SAS1068 Host Bus Adapter emulator in Qemu, periodically
|
||||
looks for requests and fetches them. A loop doing that in
|
||||
mptsas_fetch_requests() could run infinitely if 's->state' was
|
||||
not operational. Move check to avoid such a loop.
|
||||
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Message-Id: <1464077264-25473-1-git-send-email-ppandit@redhat.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit 06630554ccbdd25780aa03c3548aaff1eb56dffd)
|
||||
---
|
||||
hw/scsi/mptsas.c | 9 ++++-----
|
||||
1 file changed, 4 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c
|
||||
index 499c146..be88e16 100644
|
||||
--- a/hw/scsi/mptsas.c
|
||||
+++ b/hw/scsi/mptsas.c
|
||||
@@ -754,11 +754,6 @@ static void mptsas_fetch_request(MPTSASState *s)
|
||||
hwaddr addr;
|
||||
int size;
|
||||
|
||||
- if (s->state != MPI_IOC_STATE_OPERATIONAL) {
|
||||
- mptsas_set_fault(s, MPI_IOCSTATUS_INVALID_STATE);
|
||||
- return;
|
||||
- }
|
||||
-
|
||||
/* Read the message header from the guest first. */
|
||||
addr = s->host_mfa_high_addr | MPTSAS_FIFO_GET(s, request_post);
|
||||
pci_dma_read(pci, addr, req, sizeof(hdr));
|
||||
@@ -789,6 +784,10 @@ static void mptsas_fetch_requests(void *opaque)
|
||||
{
|
||||
MPTSASState *s = opaque;
|
||||
|
||||
+ if (s->state != MPI_IOC_STATE_OPERATIONAL) {
|
||||
+ mptsas_set_fault(s, MPI_IOCSTATUS_INVALID_STATE);
|
||||
+ return;
|
||||
+ }
|
||||
while (!MPTSAS_FIFO_EMPTY(s, request_post)) {
|
||||
mptsas_fetch_request(s);
|
||||
}
|
|
@ -1,31 +0,0 @@
|
|||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Wed, 25 May 2016 16:01:29 +0530
|
||||
Subject: [PATCH] scsi: megasas: use appropriate property buffer size
|
||||
|
||||
When setting MegaRAID SAS controller properties via MegaRAID
|
||||
Firmware Interface(MFI) commands, a user supplied size parameter
|
||||
is used to set property value. Use appropriate size value to avoid
|
||||
OOB access issues.
|
||||
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-Id: <1464172291-2856-2-git-send-email-ppandit@redhat.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit 1b85898025c4cd95dce673d15e67e60e98e91731)
|
||||
---
|
||||
hw/scsi/megasas.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
|
||||
index a63a581..dcbd3e1 100644
|
||||
--- a/hw/scsi/megasas.c
|
||||
+++ b/hw/scsi/megasas.c
|
||||
@@ -1446,7 +1446,7 @@ static int megasas_dcmd_set_properties(MegasasState *s, MegasasCmd *cmd)
|
||||
dcmd_size);
|
||||
return MFI_STAT_INVALID_PARAMETER;
|
||||
}
|
||||
- dma_buf_write((uint8_t *)&info, cmd->iov_size, &cmd->qsg);
|
||||
+ dma_buf_write((uint8_t *)&info, dcmd_size, &cmd->qsg);
|
||||
trace_megasas_dcmd_unsupported(cmd->index, cmd->iov_size);
|
||||
return MFI_STAT_OK;
|
||||
}
|
|
@ -1,31 +0,0 @@
|
|||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Wed, 25 May 2016 17:41:44 +0530
|
||||
Subject: [PATCH] scsi: megasas: initialise local configuration data buffer
|
||||
|
||||
When reading MegaRAID SAS controller configuration via MegaRAID
|
||||
Firmware Interface(MFI) commands, routine megasas_dcmd_cfg_read
|
||||
uses an uninitialised local data buffer. Initialise this buffer
|
||||
to avoid stack information leakage.
|
||||
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-Id: <1464178304-12831-1-git-send-email-ppandit@redhat.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit d37af740730dbbb93960cd318e040372d04d6dcf)
|
||||
---
|
||||
hw/scsi/megasas.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
|
||||
index dcbd3e1..bf642d4 100644
|
||||
--- a/hw/scsi/megasas.c
|
||||
+++ b/hw/scsi/megasas.c
|
||||
@@ -1293,7 +1293,7 @@ static int megasas_dcmd_ld_get_info(MegasasState *s, MegasasCmd *cmd)
|
||||
|
||||
static int megasas_dcmd_cfg_read(MegasasState *s, MegasasCmd *cmd)
|
||||
{
|
||||
- uint8_t data[4096];
|
||||
+ uint8_t data[4096] = { 0 };
|
||||
struct mfi_config_data *info;
|
||||
int num_pd_disks = 0, array_offset, ld_offset;
|
||||
BusChild *kid;
|
|
@ -1,33 +0,0 @@
|
|||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Wed, 25 May 2016 17:55:10 +0530
|
||||
Subject: [PATCH] scsi: megasas: check 'read_queue_head' index value
|
||||
|
||||
While doing MegaRAID SAS controller command frame lookup, routine
|
||||
'megasas_lookup_frame' uses 'read_queue_head' value as an index
|
||||
into 'frames[MEGASAS_MAX_FRAMES=2048]' array. Limit its value
|
||||
within array bounds to avoid any OOB access.
|
||||
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-Id: <1464179110-18593-1-git-send-email-ppandit@redhat.com>
|
||||
Reviewed-by: Alexander Graf <agraf@suse.de>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit b60bdd1f1ee1616b7a9aeeffb4088e1ce2710fb2)
|
||||
---
|
||||
hw/scsi/megasas.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
|
||||
index bf642d4..cc66d36 100644
|
||||
--- a/hw/scsi/megasas.c
|
||||
+++ b/hw/scsi/megasas.c
|
||||
@@ -650,7 +650,9 @@ static int megasas_init_firmware(MegasasState *s, MegasasCmd *cmd)
|
||||
pa_hi = le32_to_cpu(initq->pi_addr_hi);
|
||||
s->producer_pa = ((uint64_t) pa_hi << 32) | pa_lo;
|
||||
s->reply_queue_head = ldl_le_pci_dma(pcid, s->producer_pa);
|
||||
+ s->reply_queue_head %= MEGASAS_MAX_FRAMES;
|
||||
s->reply_queue_tail = ldl_le_pci_dma(pcid, s->consumer_pa);
|
||||
+ s->reply_queue_tail %= MEGASAS_MAX_FRAMES;
|
||||
flags = le32_to_cpu(initq->flags);
|
||||
if (flags & MFI_QUEUE_FLAG_CONTEXT64) {
|
||||
s->flags |= MEGASAS_MASK_USE_QUEUE64;
|
|
@ -1,70 +0,0 @@
|
|||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Mon, 30 May 2016 09:09:18 +0200
|
||||
Subject: [PATCH] vmsvga: move fifo sanity checks to vmsvga_fifo_length
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Sanity checks are applied when the fifo is enabled by the guest
|
||||
(SVGA_REG_CONFIG_DONE write). Which doesn't help much if the guest
|
||||
changes the fifo registers afterwards. Move the checks to
|
||||
vmsvga_fifo_length so they are done each time qemu is about to read
|
||||
from the fifo.
|
||||
|
||||
Fixes: CVE-2016-4454
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Cc: P J P <ppandit@redhat.com>
|
||||
Reported-by: 李强 <liqiang6-s@360.cn>
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Message-id: 1464592161-18348-2-git-send-email-kraxel@redhat.com
|
||||
(cherry picked from commit 521360267876d3b6518b328051a2e56bca55bef8)
|
||||
---
|
||||
hw/display/vmware_vga.c | 28 +++++++++++++++-------------
|
||||
1 file changed, 15 insertions(+), 13 deletions(-)
|
||||
|
||||
diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
|
||||
index 0c63fa8..63a7c05 100644
|
||||
--- a/hw/display/vmware_vga.c
|
||||
+++ b/hw/display/vmware_vga.c
|
||||
@@ -555,6 +555,21 @@ static inline int vmsvga_fifo_length(struct vmsvga_state_s *s)
|
||||
if (!s->config || !s->enable) {
|
||||
return 0;
|
||||
}
|
||||
+
|
||||
+ /* Check range and alignment. */
|
||||
+ if ((CMD(min) | CMD(max) | CMD(next_cmd) | CMD(stop)) & 3) {
|
||||
+ return 0;
|
||||
+ }
|
||||
+ if (CMD(min) < (uint8_t *) s->cmd->fifo - (uint8_t *) s->fifo) {
|
||||
+ return 0;
|
||||
+ }
|
||||
+ if (CMD(max) > SVGA_FIFO_SIZE) {
|
||||
+ return 0;
|
||||
+ }
|
||||
+ if (CMD(max) < CMD(min) + 10 * 1024) {
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
num = CMD(next_cmd) - CMD(stop);
|
||||
if (num < 0) {
|
||||
num += CMD(max) - CMD(min);
|
||||
@@ -1005,19 +1020,6 @@ static void vmsvga_value_write(void *opaque, uint32_t address, uint32_t value)
|
||||
case SVGA_REG_CONFIG_DONE:
|
||||
if (value) {
|
||||
s->fifo = (uint32_t *) s->fifo_ptr;
|
||||
- /* Check range and alignment. */
|
||||
- if ((CMD(min) | CMD(max) | CMD(next_cmd) | CMD(stop)) & 3) {
|
||||
- break;
|
||||
- }
|
||||
- if (CMD(min) < (uint8_t *) s->cmd->fifo - (uint8_t *) s->fifo) {
|
||||
- break;
|
||||
- }
|
||||
- if (CMD(max) > SVGA_FIFO_SIZE) {
|
||||
- break;
|
||||
- }
|
||||
- if (CMD(max) < CMD(min) + 10 * 1024) {
|
||||
- break;
|
||||
- }
|
||||
vga_dirty_log_stop(&s->vga);
|
||||
}
|
||||
s->config = !!value;
|
|
@ -1,36 +0,0 @@
|
|||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Mon, 30 May 2016 09:09:19 +0200
|
||||
Subject: [PATCH] vmsvga: add more fifo checks
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Make sure all fifo ptrs are within range.
|
||||
|
||||
Fixes: CVE-2016-4454
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Cc: P J P <ppandit@redhat.com>
|
||||
Reported-by: 李强 <liqiang6-s@360.cn>
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Message-id: 1464592161-18348-3-git-send-email-kraxel@redhat.com
|
||||
(cherry picked from commit c2e3c54d3960bc53bfa3a5ce7ea7a050b9be267e)
|
||||
---
|
||||
hw/display/vmware_vga.c | 5 ++++-
|
||||
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
|
||||
index 63a7c05..a26e62e 100644
|
||||
--- a/hw/display/vmware_vga.c
|
||||
+++ b/hw/display/vmware_vga.c
|
||||
@@ -563,7 +563,10 @@ static inline int vmsvga_fifo_length(struct vmsvga_state_s *s)
|
||||
if (CMD(min) < (uint8_t *) s->cmd->fifo - (uint8_t *) s->fifo) {
|
||||
return 0;
|
||||
}
|
||||
- if (CMD(max) > SVGA_FIFO_SIZE) {
|
||||
+ if (CMD(max) > SVGA_FIFO_SIZE ||
|
||||
+ CMD(min) >= SVGA_FIFO_SIZE ||
|
||||
+ CMD(stop) >= SVGA_FIFO_SIZE ||
|
||||
+ CMD(next_cmd) >= SVGA_FIFO_SIZE) {
|
||||
return 0;
|
||||
}
|
||||
if (CMD(max) < CMD(min) + 10 * 1024) {
|
|
@ -1,143 +0,0 @@
|
|||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Mon, 30 May 2016 09:09:20 +0200
|
||||
Subject: [PATCH] vmsvga: shadow fifo registers
|
||||
|
||||
The fifo is normal ram. So kvm vcpu threads and qemu iothread can
|
||||
access the fifo in parallel without syncronization. Which in turn
|
||||
implies we can't use the fifo pointers in-place because the guest
|
||||
can try changing them underneath us. So add shadows for them, to
|
||||
make sure the guest can't modify them after we've applied sanity
|
||||
checks.
|
||||
|
||||
Fixes: CVE-2016-4454
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Cc: P J P <ppandit@redhat.com>
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Message-id: 1464592161-18348-4-git-send-email-kraxel@redhat.com
|
||||
(cherry picked from commit 7e486f7577764a07aa35588e119903c80a5c30a2)
|
||||
---
|
||||
hw/display/vmware_vga.c | 57 ++++++++++++++++++++++++-------------------------
|
||||
1 file changed, 28 insertions(+), 29 deletions(-)
|
||||
|
||||
diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
|
||||
index a26e62e..de2567b 100644
|
||||
--- a/hw/display/vmware_vga.c
|
||||
+++ b/hw/display/vmware_vga.c
|
||||
@@ -66,17 +66,11 @@ struct vmsvga_state_s {
|
||||
uint8_t *fifo_ptr;
|
||||
unsigned int fifo_size;
|
||||
|
||||
- union {
|
||||
- uint32_t *fifo;
|
||||
- struct QEMU_PACKED {
|
||||
- uint32_t min;
|
||||
- uint32_t max;
|
||||
- uint32_t next_cmd;
|
||||
- uint32_t stop;
|
||||
- /* Add registers here when adding capabilities. */
|
||||
- uint32_t fifo[0];
|
||||
- } *cmd;
|
||||
- };
|
||||
+ uint32_t *fifo;
|
||||
+ uint32_t fifo_min;
|
||||
+ uint32_t fifo_max;
|
||||
+ uint32_t fifo_next;
|
||||
+ uint32_t fifo_stop;
|
||||
|
||||
#define REDRAW_FIFO_LEN 512
|
||||
struct vmsvga_rect_s {
|
||||
@@ -198,7 +192,7 @@ enum {
|
||||
*/
|
||||
SVGA_FIFO_MIN = 0,
|
||||
SVGA_FIFO_MAX, /* The distance from MIN to MAX must be at least 10K */
|
||||
- SVGA_FIFO_NEXT_CMD,
|
||||
+ SVGA_FIFO_NEXT,
|
||||
SVGA_FIFO_STOP,
|
||||
|
||||
/*
|
||||
@@ -546,8 +540,6 @@ static inline void vmsvga_cursor_define(struct vmsvga_state_s *s,
|
||||
}
|
||||
#endif
|
||||
|
||||
-#define CMD(f) le32_to_cpu(s->cmd->f)
|
||||
-
|
||||
static inline int vmsvga_fifo_length(struct vmsvga_state_s *s)
|
||||
{
|
||||
int num;
|
||||
@@ -556,38 +548,44 @@ static inline int vmsvga_fifo_length(struct vmsvga_state_s *s)
|
||||
return 0;
|
||||
}
|
||||
|
||||
+ s->fifo_min = le32_to_cpu(s->fifo[SVGA_FIFO_MIN]);
|
||||
+ s->fifo_max = le32_to_cpu(s->fifo[SVGA_FIFO_MAX]);
|
||||
+ s->fifo_next = le32_to_cpu(s->fifo[SVGA_FIFO_NEXT]);
|
||||
+ s->fifo_stop = le32_to_cpu(s->fifo[SVGA_FIFO_STOP]);
|
||||
+
|
||||
/* Check range and alignment. */
|
||||
- if ((CMD(min) | CMD(max) | CMD(next_cmd) | CMD(stop)) & 3) {
|
||||
+ if ((s->fifo_min | s->fifo_max | s->fifo_next | s->fifo_stop) & 3) {
|
||||
return 0;
|
||||
}
|
||||
- if (CMD(min) < (uint8_t *) s->cmd->fifo - (uint8_t *) s->fifo) {
|
||||
+ if (s->fifo_min < sizeof(uint32_t) * 4) {
|
||||
return 0;
|
||||
}
|
||||
- if (CMD(max) > SVGA_FIFO_SIZE ||
|
||||
- CMD(min) >= SVGA_FIFO_SIZE ||
|
||||
- CMD(stop) >= SVGA_FIFO_SIZE ||
|
||||
- CMD(next_cmd) >= SVGA_FIFO_SIZE) {
|
||||
+ if (s->fifo_max > SVGA_FIFO_SIZE ||
|
||||
+ s->fifo_min >= SVGA_FIFO_SIZE ||
|
||||
+ s->fifo_stop >= SVGA_FIFO_SIZE ||
|
||||
+ s->fifo_next >= SVGA_FIFO_SIZE) {
|
||||
return 0;
|
||||
}
|
||||
- if (CMD(max) < CMD(min) + 10 * 1024) {
|
||||
+ if (s->fifo_max < s->fifo_min + 10 * 1024) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
- num = CMD(next_cmd) - CMD(stop);
|
||||
+ num = s->fifo_next - s->fifo_stop;
|
||||
if (num < 0) {
|
||||
- num += CMD(max) - CMD(min);
|
||||
+ num += s->fifo_max - s->fifo_min;
|
||||
}
|
||||
return num >> 2;
|
||||
}
|
||||
|
||||
static inline uint32_t vmsvga_fifo_read_raw(struct vmsvga_state_s *s)
|
||||
{
|
||||
- uint32_t cmd = s->fifo[CMD(stop) >> 2];
|
||||
+ uint32_t cmd = s->fifo[s->fifo_stop >> 2];
|
||||
|
||||
- s->cmd->stop = cpu_to_le32(CMD(stop) + 4);
|
||||
- if (CMD(stop) >= CMD(max)) {
|
||||
- s->cmd->stop = s->cmd->min;
|
||||
+ s->fifo_stop += 4;
|
||||
+ if (s->fifo_stop >= s->fifo_max) {
|
||||
+ s->fifo_stop = s->fifo_min;
|
||||
}
|
||||
+ s->fifo[SVGA_FIFO_STOP] = cpu_to_le32(s->fifo_stop);
|
||||
return cmd;
|
||||
}
|
||||
|
||||
@@ -607,7 +605,7 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
|
||||
len = vmsvga_fifo_length(s);
|
||||
while (len > 0) {
|
||||
/* May need to go back to the start of the command if incomplete */
|
||||
- cmd_start = s->cmd->stop;
|
||||
+ cmd_start = s->fifo_stop;
|
||||
|
||||
switch (cmd = vmsvga_fifo_read(s)) {
|
||||
case SVGA_CMD_UPDATE:
|
||||
@@ -766,7 +764,8 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
|
||||
break;
|
||||
|
||||
rewind:
|
||||
- s->cmd->stop = cmd_start;
|
||||
+ s->fifo_stop = cmd_start;
|
||||
+ s->fifo[SVGA_FIFO_STOP] = cpu_to_le32(s->fifo_stop);
|
||||
break;
|
||||
}
|
||||
}
|
|
@ -1,42 +0,0 @@
|
|||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Mon, 30 May 2016 09:09:21 +0200
|
||||
Subject: [PATCH] vmsvga: don't process more than 1024 fifo commands at once
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
vmsvga_fifo_run is called in regular intervals (on each display update)
|
||||
and will resume where it left off. So we can simply exit the loop,
|
||||
without having to worry about how processing will continue.
|
||||
|
||||
Fixes: CVE-2016-4453
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Cc: P J P <ppandit@redhat.com>
|
||||
Reported-by: 李强 <liqiang6-s@360.cn>
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Message-id: 1464592161-18348-5-git-send-email-kraxel@redhat.com
|
||||
(cherry picked from commit 4e68a0ee17dad7b8d870df0081d4ab2e079016c2)
|
||||
---
|
||||
hw/display/vmware_vga.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
|
||||
index de2567b..e51a05e 100644
|
||||
--- a/hw/display/vmware_vga.c
|
||||
+++ b/hw/display/vmware_vga.c
|
||||
@@ -597,13 +597,13 @@ static inline uint32_t vmsvga_fifo_read(struct vmsvga_state_s *s)
|
||||
static void vmsvga_fifo_run(struct vmsvga_state_s *s)
|
||||
{
|
||||
uint32_t cmd, colour;
|
||||
- int args, len;
|
||||
+ int args, len, maxloop = 1024;
|
||||
int x, y, dx, dy, width, height;
|
||||
struct vmsvga_cursor_definition_s cursor;
|
||||
uint32_t cmd_start;
|
||||
|
||||
len = vmsvga_fifo_length(s);
|
||||
- while (len > 0) {
|
||||
+ while (len > 0 && --maxloop > 0) {
|
||||
/* May need to go back to the start of the command if incomplete */
|
||||
cmd_start = s->fifo_stop;
|
||||
|
|
@ -1,34 +0,0 @@
|
|||
From: Peter Lieven <pl@kamp.de>
|
||||
Date: Tue, 24 May 2016 10:59:28 +0200
|
||||
Subject: [PATCH] block/iscsi: avoid potential overflow of acb->task->cdb
|
||||
|
||||
at least in the path via virtio-blk the maximum size is not
|
||||
restricted.
|
||||
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Signed-off-by: Peter Lieven <pl@kamp.de>
|
||||
Message-Id: <1464080368-29584-1-git-send-email-pl@kamp.de>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit a6b3167fa0e825aebb5a7cd8b437b6d41584a196)
|
||||
---
|
||||
block/iscsi.c | 7 +++++++
|
||||
1 file changed, 7 insertions(+)
|
||||
|
||||
diff --git a/block/iscsi.c b/block/iscsi.c
|
||||
index 302baf8..172e6cf 100644
|
||||
--- a/block/iscsi.c
|
||||
+++ b/block/iscsi.c
|
||||
@@ -837,6 +837,13 @@ static BlockAIOCB *iscsi_aio_ioctl(BlockDriverState *bs,
|
||||
return &acb->common;
|
||||
}
|
||||
|
||||
+ if (acb->ioh->cmd_len > SCSI_CDB_MAX_SIZE) {
|
||||
+ error_report("iSCSI: ioctl error CDB exceeds max size (%d > %d)",
|
||||
+ acb->ioh->cmd_len, SCSI_CDB_MAX_SIZE);
|
||||
+ qemu_aio_unref(acb);
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
acb->task = malloc(sizeof(struct scsi_task));
|
||||
if (acb->task == NULL) {
|
||||
error_report("iSCSI: Failed to allocate task for scsi command. %s",
|
|
@ -1,33 +0,0 @@
|
|||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Tue, 31 May 2016 23:23:27 +0530
|
||||
Subject: [PATCH] scsi: esp: check buffer length before reading scsi command
|
||||
|
||||
The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte
|
||||
FIFO buffer. It is used to handle command and data transfer.
|
||||
Routine get_cmd() in non-DMA mode, uses 'ti_size' to read scsi
|
||||
command into a buffer. Add check to validate command length against
|
||||
buffer size to avoid any overrun.
|
||||
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-Id: <1464717207-7549-1-git-send-email-ppandit@redhat.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit d3cdc49138c30be1d3c2f83d18f85d9fdee95f1a)
|
||||
---
|
||||
hw/scsi/esp.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
|
||||
index 591c817..c2f6f8f 100644
|
||||
--- a/hw/scsi/esp.c
|
||||
+++ b/hw/scsi/esp.c
|
||||
@@ -98,6 +98,9 @@ static uint32_t get_cmd(ESPState *s, uint8_t *buf, uint8_t buflen)
|
||||
s->dma_memory_read(s->dma_opaque, buf, dmalen);
|
||||
} else {
|
||||
dmalen = s->ti_size;
|
||||
+ if (dmalen > TI_BUFSZ) {
|
||||
+ return 0;
|
||||
+ }
|
||||
memcpy(buf, s->ti_buf, dmalen);
|
||||
buf[0] = buf[2] >> 5;
|
||||
}
|
|
@ -1,26 +0,0 @@
|
|||
From: Paolo Bonzini <pbonzini@redhat.com>
|
||||
Date: Tue, 14 Jun 2016 15:10:24 +0200
|
||||
Subject: [PATCH] scsi: esp: respect FIFO invariant after message phase
|
||||
|
||||
The FIFO contains two bytes; hence the write ptr should be two bytes ahead
|
||||
of the read pointer.
|
||||
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit d020aa504cec8f525b55ba2ef982c09dc847c72e)
|
||||
---
|
||||
hw/scsi/esp.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
|
||||
index c2f6f8f..6407844 100644
|
||||
--- a/hw/scsi/esp.c
|
||||
+++ b/hw/scsi/esp.c
|
||||
@@ -222,7 +222,7 @@ static void write_response(ESPState *s)
|
||||
} else {
|
||||
s->ti_size = 2;
|
||||
s->ti_rptr = 0;
|
||||
- s->ti_wptr = 0;
|
||||
+ s->ti_wptr = 2;
|
||||
s->rregs[ESP_RFLAGS] = 2;
|
||||
}
|
||||
esp_raise_irq(s);
|
|
@ -1,76 +0,0 @@
|
|||
From: Paolo Bonzini <pbonzini@redhat.com>
|
||||
Date: Wed, 15 Jun 2016 14:29:33 +0200
|
||||
Subject: [PATCH] scsi: esp: clean up handle_ti/esp_do_dma if s->do_cmd
|
||||
|
||||
Avoid duplicated code between esp_do_dma and handle_ti. esp_do_dma
|
||||
has the same code that handle_ti contains after the call to esp_do_dma;
|
||||
but the code in handle_ti is never reached because it is in an "else if".
|
||||
Remove the else and also the pointless return.
|
||||
|
||||
esp_do_dma also has a partially dead assignment of the to_device
|
||||
variable. Sink it to the point where it's actually used.
|
||||
|
||||
Finally, assert that the other caller of esp_do_dma (esp_transfer_data)
|
||||
only transfers data and not a command. This is true because get_cmd
|
||||
cancels the old request synchronously before its caller handle_satn_stop
|
||||
sets do_cmd to 1.
|
||||
|
||||
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit 7f0b6e114ae4e142e2b3dfc9fac138f4a30edc4f)
|
||||
---
|
||||
hw/scsi/esp.c | 11 ++++-------
|
||||
1 file changed, 4 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
|
||||
index 6407844..68d3e4d 100644
|
||||
--- a/hw/scsi/esp.c
|
||||
+++ b/hw/scsi/esp.c
|
||||
@@ -245,15 +245,10 @@ static void esp_do_dma(ESPState *s)
|
||||
uint32_t len;
|
||||
int to_device;
|
||||
|
||||
- to_device = (s->ti_size < 0);
|
||||
len = s->dma_left;
|
||||
if (s->do_cmd) {
|
||||
trace_esp_do_dma(s->cmdlen, len);
|
||||
s->dma_memory_read(s->dma_opaque, &s->cmdbuf[s->cmdlen], len);
|
||||
- s->ti_size = 0;
|
||||
- s->cmdlen = 0;
|
||||
- s->do_cmd = 0;
|
||||
- do_cmd(s, s->cmdbuf);
|
||||
return;
|
||||
}
|
||||
if (s->async_len == 0) {
|
||||
@@ -263,6 +258,7 @@ static void esp_do_dma(ESPState *s)
|
||||
if (len > s->async_len) {
|
||||
len = s->async_len;
|
||||
}
|
||||
+ to_device = (s->ti_size < 0);
|
||||
if (to_device) {
|
||||
s->dma_memory_read(s->dma_opaque, s->async_buf, len);
|
||||
} else {
|
||||
@@ -318,6 +314,7 @@ void esp_transfer_data(SCSIRequest *req, uint32_t len)
|
||||
{
|
||||
ESPState *s = req->hba_private;
|
||||
|
||||
+ assert(!s->do_cmd);
|
||||
trace_esp_transfer_data(s->dma_left, s->ti_size);
|
||||
s->async_len = len;
|
||||
s->async_buf = scsi_req_get_buf(req);
|
||||
@@ -358,13 +355,13 @@ static void handle_ti(ESPState *s)
|
||||
s->dma_left = minlen;
|
||||
s->rregs[ESP_RSTAT] &= ~STAT_TC;
|
||||
esp_do_dma(s);
|
||||
- } else if (s->do_cmd) {
|
||||
+ }
|
||||
+ if (s->do_cmd) {
|
||||
trace_esp_handle_ti_cmd(s->cmdlen);
|
||||
s->ti_size = 0;
|
||||
s->cmdlen = 0;
|
||||
s->do_cmd = 0;
|
||||
do_cmd(s, s->cmdbuf);
|
||||
- return;
|
||||
}
|
||||
}
|
||||
|
|
@ -1,70 +0,0 @@
|
|||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Thu, 16 Jun 2016 00:22:35 +0200
|
||||
Subject: [PATCH] scsi: esp: make cmdbuf big enough for maximum CDB size
|
||||
|
||||
While doing DMA read into ESP command buffer 's->cmdbuf', it could
|
||||
write past the 's->cmdbuf' area, if it was transferring more than 16
|
||||
bytes. Increase the command buffer size to 32, which is maximum when
|
||||
's->do_cmd' is set, and add a check on 'len' to avoid OOB access.
|
||||
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit 926cde5f3e4d2504ed161ed0cb771ac7cad6fd11)
|
||||
---
|
||||
hw/scsi/esp.c | 6 ++++--
|
||||
include/hw/scsi/esp.h | 3 ++-
|
||||
2 files changed, 6 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
|
||||
index 68d3e4d..b4601ad 100644
|
||||
--- a/hw/scsi/esp.c
|
||||
+++ b/hw/scsi/esp.c
|
||||
@@ -248,6 +248,8 @@ static void esp_do_dma(ESPState *s)
|
||||
len = s->dma_left;
|
||||
if (s->do_cmd) {
|
||||
trace_esp_do_dma(s->cmdlen, len);
|
||||
+ assert (s->cmdlen <= sizeof(s->cmdbuf) &&
|
||||
+ len <= sizeof(s->cmdbuf) - s->cmdlen);
|
||||
s->dma_memory_read(s->dma_opaque, &s->cmdbuf[s->cmdlen], len);
|
||||
return;
|
||||
}
|
||||
@@ -345,7 +347,7 @@ static void handle_ti(ESPState *s)
|
||||
s->dma_counter = dmalen;
|
||||
|
||||
if (s->do_cmd)
|
||||
- minlen = (dmalen < 32) ? dmalen : 32;
|
||||
+ minlen = (dmalen < ESP_CMDBUF_SZ) ? dmalen : ESP_CMDBUF_SZ;
|
||||
else if (s->ti_size < 0)
|
||||
minlen = (dmalen < -s->ti_size) ? dmalen : -s->ti_size;
|
||||
else
|
||||
@@ -451,7 +453,7 @@ void esp_reg_write(ESPState *s, uint32_t saddr, uint64_t val)
|
||||
break;
|
||||
case ESP_FIFO:
|
||||
if (s->do_cmd) {
|
||||
- if (s->cmdlen < TI_BUFSZ) {
|
||||
+ if (s->cmdlen < ESP_CMDBUF_SZ) {
|
||||
s->cmdbuf[s->cmdlen++] = val & 0xff;
|
||||
} else {
|
||||
trace_esp_error_fifo_overrun();
|
||||
diff --git a/include/hw/scsi/esp.h b/include/hw/scsi/esp.h
|
||||
index 6c79527..d2c4886 100644
|
||||
--- a/include/hw/scsi/esp.h
|
||||
+++ b/include/hw/scsi/esp.h
|
||||
@@ -14,6 +14,7 @@ void esp_init(hwaddr espaddr, int it_shift,
|
||||
|
||||
#define ESP_REGS 16
|
||||
#define TI_BUFSZ 16
|
||||
+#define ESP_CMDBUF_SZ 32
|
||||
|
||||
typedef struct ESPState ESPState;
|
||||
|
||||
@@ -31,7 +32,7 @@ struct ESPState {
|
||||
SCSIBus bus;
|
||||
SCSIDevice *current_dev;
|
||||
SCSIRequest *current_req;
|
||||
- uint8_t cmdbuf[TI_BUFSZ];
|
||||
+ uint8_t cmdbuf[ESP_CMDBUF_SZ];
|
||||
uint32_t cmdlen;
|
||||
uint32_t do_cmd;
|
||||
|
|
@ -1,29 +0,0 @@
|
|||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Tue, 7 Jun 2016 16:44:03 +0530
|
||||
Subject: [PATCH] scsi: megasas: null terminate bios version buffer
|
||||
|
||||
While reading information via 'megasas_ctrl_get_info' routine,
|
||||
a local bios version buffer isn't null terminated. Add the
|
||||
terminating null byte to avoid any OOB access.
|
||||
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit 844864fbae66935951529408831c2f22367a57b6)
|
||||
---
|
||||
hw/scsi/megasas.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
|
||||
index cc66d36..a9ffc32 100644
|
||||
--- a/hw/scsi/megasas.c
|
||||
+++ b/hw/scsi/megasas.c
|
||||
@@ -773,6 +773,7 @@ static int megasas_ctrl_get_info(MegasasState *s, MegasasCmd *cmd)
|
||||
|
||||
ptr = memory_region_get_ram_ptr(&pci_dev->rom);
|
||||
memcpy(biosver, ptr + 0x41, 31);
|
||||
+ biosver[31] = 0;
|
||||
memcpy(info.image_component[1].name, "BIOS", 4);
|
||||
memcpy(info.image_component[1].version, biosver,
|
||||
strlen((const char *)biosver));
|
|
@ -1,26 +0,0 @@
|
|||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Wed, 1 Jun 2016 16:08:36 +0200
|
||||
Subject: [PATCH] sdl2: skip init without outputs
|
||||
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Tested-by: Cole Robinson <crobinso@redhat.com>
|
||||
Message-id: 1464790116-32405-1-git-send-email-kraxel@redhat.com
|
||||
(cherry picked from commit 8efa5f29f83816ae34f428143de49acbaacccb24)
|
||||
---
|
||||
ui/sdl2.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/ui/sdl2.c b/ui/sdl2.c
|
||||
index 909038f..30d2a3c 100644
|
||||
--- a/ui/sdl2.c
|
||||
+++ b/ui/sdl2.c
|
||||
@@ -794,6 +794,9 @@ void sdl_display_init(DisplayState *ds, int full_screen, int no_frame)
|
||||
}
|
||||
}
|
||||
sdl2_num_outputs = i;
|
||||
+ if (sdl2_num_outputs == 0) {
|
||||
+ return;
|
||||
+ }
|
||||
sdl2_console = g_new0(struct sdl2_console, sdl2_num_outputs);
|
||||
for (i = 0; i < sdl2_num_outputs; i++) {
|
||||
QemuConsole *con = qemu_console_lookup_by_index(i);
|
|
@ -1,3 +0,0 @@
|
|||
# KVM S390 VM creation fails without this set
|
||||
# https://www.mail-archive.com/kvm@vger.kernel.org/msg115576.html
|
||||
vm.allocate_pgste = 1
|
|
@ -1 +0,0 @@
|
|||
KERNEL=="kvm", GROUP="kvm", MODE="0666"
|
|
@ -0,0 +1,12 @@
|
|||
# The KVM HV implementation on Power can require a significant amount
|
||||
# of unswappable memory (about half of which also needs to be host
|
||||
# physically contiguous) to hold the guest's Hash Page Table (HPT) -
|
||||
# roughly 1/64th of the guest's RAM size, minimum 16MiB.
|
||||
#
|
||||
# These limits allow unprivileged users to start smallish VMs, such as
|
||||
# those used by libguestfs.
|
||||
#
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1293024
|
||||
#
|
||||
* hard memlock 65536
|
||||
* soft memlock 65536
|
14
ksm.service
14
ksm.service
|
@ -1,14 +0,0 @@
|
|||
[Unit]
|
||||
Description=Kernel Samepage Merging
|
||||
ConditionPathExists=/sys/kernel/mm/ksm
|
||||
ConditionVirtualization=no
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
RemainAfterExit=yes
|
||||
EnvironmentFile=-/etc/sysconfig/ksm
|
||||
ExecStart=/usr/libexec/ksmctl start
|
||||
ExecStop=/usr/libexec/ksmctl stop
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
|
@ -1,4 +0,0 @@
|
|||
# The maximum number of unswappable kernel pages
|
||||
# which may be allocated by ksm (0 for unlimited)
|
||||
# If unset, defaults to half of total memory
|
||||
# KSM_MAX_KERNEL_PAGES=
|
77
ksmctl.c
77
ksmctl.c
|
@ -1,77 +0,0 @@
|
|||
/* Start/stop KSM, for systemd.
|
||||
* Copyright (C) 2009, 2011 Red Hat, Inc.
|
||||
* Written by Paolo Bonzini <pbonzini@redhat.com>.
|
||||
* Based on the original sysvinit script by Dan Kenigsberg <danken@redhat.com>
|
||||
* This file is distributed under the GNU General Public License, version 2
|
||||
* or later. */
|
||||
|
||||
#include <unistd.h>
|
||||
#include <stdio.h>
|
||||
#include <limits.h>
|
||||
#include <stdint.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
|
||||
#define KSM_MAX_KERNEL_PAGES_FILE "/sys/kernel/mm/ksm/max_kernel_pages"
|
||||
#define KSM_RUN_FILE "/sys/kernel/mm/ksm/run"
|
||||
|
||||
char *program_name;
|
||||
|
||||
int usage(void)
|
||||
{
|
||||
fprintf(stderr, "Usage: %s {start|stop}\n", program_name);
|
||||
return 1;
|
||||
}
|
||||
|
||||
int write_value(uint64_t value, char *filename)
|
||||
{
|
||||
FILE *fp;
|
||||
if (!(fp = fopen(filename, "w")) ||
|
||||
fprintf(fp, "%llu\n", (unsigned long long) value) == EOF ||
|
||||
fflush(fp) == EOF ||
|
||||
fclose(fp) == EOF)
|
||||
return 1;
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
uint64_t ksm_max_kernel_pages()
|
||||
{
|
||||
char *var = getenv("KSM_MAX_KERNEL_PAGES");
|
||||
char *endptr;
|
||||
uint64_t value;
|
||||
if (var && *var) {
|
||||
value = strtoll(var, &endptr, 0);
|
||||
if (value < LLONG_MAX && !*endptr)
|
||||
return value;
|
||||
}
|
||||
/* Unless KSM_MAX_KERNEL_PAGES is set, let KSM munch up to half of
|
||||
* total memory. */
|
||||
return sysconf(_SC_PHYS_PAGES) / 2;
|
||||
}
|
||||
|
||||
int start(void)
|
||||
{
|
||||
if (access(KSM_MAX_KERNEL_PAGES_FILE, R_OK) >= 0)
|
||||
write_value(ksm_max_kernel_pages(), KSM_MAX_KERNEL_PAGES_FILE);
|
||||
return write_value(1, KSM_RUN_FILE);
|
||||
}
|
||||
|
||||
int stop(void)
|
||||
{
|
||||
return write_value(0, KSM_RUN_FILE);
|
||||
}
|
||||
|
||||
int main(int argc, char **argv)
|
||||
{
|
||||
program_name = argv[0];
|
||||
if (argc < 2) {
|
||||
return usage();
|
||||
} else if (!strcmp(argv[1], "start")) {
|
||||
return start();
|
||||
} else if (!strcmp(argv[1], "stop")) {
|
||||
return stop();
|
||||
} else {
|
||||
return usage();
|
||||
}
|
||||
}
|
139
ksmtuned
139
ksmtuned
|
@ -1,139 +0,0 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# Copyright 2009 Red Hat, Inc. and/or its affiliates.
|
||||
# Released under the GPL
|
||||
#
|
||||
# Author: Dan Kenigsberg <danken@redhat.com>
|
||||
#
|
||||
# ksmtuned - a simple script that controls whether (and with what vigor) ksm
|
||||
# should search for duplicated pages.
|
||||
#
|
||||
# starts ksm when memory commited to qemu processes exceeds a threshold, and
|
||||
# make ksm work harder and harder untill memory load falls below that
|
||||
# threshold.
|
||||
#
|
||||
# send SIGUSR1 to this process right after a new qemu process is started, or
|
||||
# following its death, to retune ksm accordingly
|
||||
#
|
||||
# needs testing and ironing. contact danken@redhat.com if something breaks.
|
||||
|
||||
if [ -f /etc/ksmtuned.conf ]; then
|
||||
. /etc/ksmtuned.conf
|
||||
fi
|
||||
|
||||
debug() {
|
||||
if [ -n "$DEBUG" ]; then
|
||||
s="`/bin/date`: $*"
|
||||
[ -n "$LOGFILE" ] && echo "$s" >> "$LOGFILE" || echo "$s"
|
||||
fi
|
||||
}
|
||||
|
||||
|
||||
KSM_MONITOR_INTERVAL=${KSM_MONITOR_INTERVAL:-60}
|
||||
KSM_NPAGES_BOOST=${KSM_NPAGES_BOOST:-300}
|
||||
KSM_NPAGES_DECAY=${KSM_NPAGES_DECAY:--50}
|
||||
|
||||
KSM_NPAGES_MIN=${KSM_NPAGES_MIN:-64}
|
||||
KSM_NPAGES_MAX=${KSM_NPAGES_MAX:-1250}
|
||||
# millisecond sleep between ksm scans for 16Gb server. Smaller servers sleep
|
||||
# more, bigger sleep less.
|
||||
KSM_SLEEP_MSEC=${KSM_SLEEP_MSEC:-10}
|
||||
|
||||
KSM_THRES_COEF=${KSM_THRES_COEF:-20}
|
||||
KSM_THRES_CONST=${KSM_THRES_CONST:-2048}
|
||||
|
||||
total=`awk '/^MemTotal:/ {print $2}' /proc/meminfo`
|
||||
debug total $total
|
||||
|
||||
npages=0
|
||||
sleep=$[KSM_SLEEP_MSEC * 16 * 1024 * 1024 / total]
|
||||
[ $sleep -le 10 ] && sleep=10
|
||||
debug sleep $sleep
|
||||
thres=$[total * KSM_THRES_COEF / 100]
|
||||
if [ $KSM_THRES_CONST -gt $thres ]; then
|
||||
thres=$KSM_THRES_CONST
|
||||
fi
|
||||
debug thres $thres
|
||||
|
||||
KSMCTL () {
|
||||
case x$1 in
|
||||
xstop)
|
||||
echo 0 > /sys/kernel/mm/ksm/run
|
||||
;;
|
||||
xstart)
|
||||
echo $2 > /sys/kernel/mm/ksm/pages_to_scan
|
||||
echo $3 > /sys/kernel/mm/ksm/sleep_millisecs
|
||||
echo 1 > /sys/kernel/mm/ksm/run
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
committed_memory () {
|
||||
# calculate how much memory is committed to running qemu processes
|
||||
local pidlist
|
||||
pidlist=$(pgrep -d ' ' -- '^qemu(-(kvm|system-.+)|:.{1,11})$')
|
||||
if [ -n "$pidlist" ]; then
|
||||
ps -p "$pidlist" -o rsz=
|
||||
fi | awk '{ sum += $1 }; END { print 0+sum }'
|
||||
}
|
||||
|
||||
free_memory () {
|
||||
awk '/^(MemFree|Buffers|Cached):/ {free += $2}; END {print free}' \
|
||||
/proc/meminfo
|
||||
}
|
||||
|
||||
increase_npages() {
|
||||
local delta
|
||||
delta=${1:-0}
|
||||
npages=$[npages + delta]
|
||||
if [ $npages -lt $KSM_NPAGES_MIN ]; then
|
||||
npages=$KSM_NPAGES_MIN
|
||||
elif [ $npages -gt $KSM_NPAGES_MAX ]; then
|
||||
npages=$KSM_NPAGES_MAX
|
||||
fi
|
||||
echo $npages
|
||||
}
|
||||
|
||||
|
||||
adjust () {
|
||||
local free committed
|
||||
free=`free_memory`
|
||||
committed=`committed_memory`
|
||||
debug committed $committed free $free
|
||||
if [ $[committed + thres] -lt $total -a $free -gt $thres ]; then
|
||||
KSMCTL stop
|
||||
debug "$[committed + thres] < $total and free > $thres, stop ksm"
|
||||
return 1
|
||||
fi
|
||||
debug "$[committed + thres] > $total, start ksm"
|
||||
if [ $free -lt $thres ]; then
|
||||
npages=`increase_npages $KSM_NPAGES_BOOST`
|
||||
debug "$free < $thres, boost"
|
||||
else
|
||||
npages=`increase_npages $KSM_NPAGES_DECAY`
|
||||
debug "$free > $thres, decay"
|
||||
fi
|
||||
KSMCTL start $npages $sleep
|
||||
debug "KSMCTL start $npages $sleep"
|
||||
return 0
|
||||
}
|
||||
|
||||
function nothing () {
|
||||
:
|
||||
}
|
||||
|
||||
loop () {
|
||||
trap nothing SIGUSR1
|
||||
while true
|
||||
do
|
||||
sleep $KSM_MONITOR_INTERVAL &
|
||||
wait $!
|
||||
adjust
|
||||
done
|
||||
}
|
||||
|
||||
PIDFILE=${PIDFILE-/var/run/ksmtune.pid}
|
||||
if touch "$PIDFILE"; then
|
||||
loop &
|
||||
echo $! > "$PIDFILE"
|
||||
fi
|
|
@ -1,21 +0,0 @@
|
|||
# Configuration file for ksmtuned.
|
||||
|
||||
# How long ksmtuned should sleep between tuning adjustments
|
||||
# KSM_MONITOR_INTERVAL=60
|
||||
|
||||
# Millisecond sleep between ksm scans for 16Gb server.
|
||||
# Smaller servers sleep more, bigger sleep less.
|
||||
# KSM_SLEEP_MSEC=10
|
||||
|
||||
# KSM_NPAGES_BOOST=300
|
||||
# KSM_NPAGES_DECAY=-50
|
||||
# KSM_NPAGES_MIN=64
|
||||
# KSM_NPAGES_MAX=1250
|
||||
|
||||
# KSM_THRES_COEF=20
|
||||
# KSM_THRES_CONST=2048
|
||||
|
||||
# uncomment the following if you want ksmtuned debug info
|
||||
|
||||
# LOGFILE=/var/log/ksmtuned
|
||||
# DEBUG=1
|
|
@ -1,13 +0,0 @@
|
|||
[Unit]
|
||||
Description=Kernel Samepage Merging (KSM) Tuning Daemon
|
||||
After=ksm.service
|
||||
Requires=ksm.service
|
||||
ConditionVirtualization=no
|
||||
|
||||
[Service]
|
||||
ExecStart=/usr/sbin/ksmtuned
|
||||
ExecReload=/bin/kill -USR1 $MAINPID
|
||||
Type=forking
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
18
kvm.modules
18
kvm.modules
|
@ -1,18 +0,0 @@
|
|||
#!/bin/sh
|
||||
|
||||
case $(uname -m) in
|
||||
ppc64)
|
||||
grep OPAL /proc/cpuinfo >/dev/null 2>&1 && opal=1
|
||||
|
||||
modprobe -b kvm >/dev/null 2>&1
|
||||
modprobe -b kvm-pr >/dev/null 2>&1 && kvm=1
|
||||
if [ "$opal" ]; then
|
||||
modprobe -b kvm-hv >/dev/null 2>&1
|
||||
fi
|
||||
;;
|
||||
s390x)
|
||||
modprobe -b kvm >/dev/null 2>&1 && kvm=1
|
||||
;;
|
||||
esac
|
||||
|
||||
exit 0
|
|
@ -0,0 +1,19 @@
|
|||
# This is a systemd environment file, not a shell script.
|
||||
# It provides settings for "/lib/systemd/system/qemu-guest-agent.service".
|
||||
|
||||
# Comma-separated blacklist of RPCs to disable, or empty list to enable all.
|
||||
#
|
||||
# You can get the list of RPC commands using "qemu-ga --blacklist='?'".
|
||||
# There should be no spaces between commas and commands in the blacklist.
|
||||
#BLACKLIST_RPC=guest-file-open,guest-file-close,guest-file-read,guest-file-write,guest-file-seek,guest-file-flush,guest-exec,guest-exec-status
|
||||
|
||||
# Fsfreeze hook script specification.
|
||||
#
|
||||
# FSFREEZE_HOOK_PATHNAME=/dev/null : disables the feature.
|
||||
#
|
||||
# FSFREEZE_HOOK_PATHNAME=/path/to/executable : enables the feature with the
|
||||
# specified binary or shell script.
|
||||
#
|
||||
# FSFREEZE_HOOK_PATHNAME= : enables the feature with the
|
||||
# default value (invoke "qemu-ga --help" to interrogate).
|
||||
FSFREEZE_HOOK_PATHNAME=/etc/qemu-ga/fsfreeze-hook
|
|
@ -1,11 +1,19 @@
|
|||
[Unit]
|
||||
Description=QEMU Guest Agent
|
||||
BindTo=dev-virtio\x2dports-org.qemu.guest_agent.0.device
|
||||
BindsTo=dev-virtio\x2dports-org.qemu.guest_agent.0.device
|
||||
After=dev-virtio\x2dports-org.qemu.guest_agent.0.device
|
||||
IgnoreOnIsolate=True
|
||||
|
||||
[Service]
|
||||
ExecStart=-/usr/bin/qemu-ga
|
||||
UMask=0077
|
||||
EnvironmentFile=/etc/sysconfig/qemu-ga
|
||||
ExecStart=/usr/bin/qemu-ga \
|
||||
--method=virtio-serial \
|
||||
--path=/dev/virtio-ports/org.qemu.guest_agent.0 \
|
||||
--blacklist=${BLACKLIST_RPC} \
|
||||
-F${FSFREEZE_HOOK_PATHNAME}
|
||||
Restart=always
|
||||
RestartSec=0
|
||||
|
||||
[Install]
|
||||
WantedBy=dev-virtio\x2dports-org.qemu.guest_agent.0.device
|
||||
|
|
22
qemu.binfmt
22
qemu.binfmt
|
@ -1,22 +0,0 @@
|
|||
:qemu-alpha:M::\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x26\x90:\xff\xff\xff\xff\xff\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-alpha:
|
||||
:qemu-armeb:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x28:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-armeb:
|
||||
:qemu-arm:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x28\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-arm:
|
||||
:qemu-cris:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x4c\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-cris:
|
||||
:qemu-i386:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x03\x00:\xff\xff\xff\xff\xff\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-i386:
|
||||
:qemu-i486:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x06\x00:\xff\xff\xff\xff\xff\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-i386:
|
||||
:qemu-m68k:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x04:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-m68k:
|
||||
:qemu-microblazeel:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\xab\xba:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-microblazeel:
|
||||
:qemu-microblaze:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\xba\xab:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-microblaze:
|
||||
:qemu-mips64el:M::\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xfe\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-mips64el:
|
||||
:qemu-mips64:M::\x7fELF\x02\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08:\xff\xff\xff\xff\xff\xff\xff\x00\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-mips64:
|
||||
:qemu-mipsel:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xfe\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-mipsel:
|
||||
:qemu-mips:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08:\xff\xff\xff\xff\xff\xff\xff\x00\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-mips:
|
||||
:qemu-ppc64abi32:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x15:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-ppc64abi32:
|
||||
:qemu-ppc64:M::\x7fELF\x02\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x15:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-ppc64:
|
||||
:qemu-ppc:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x14:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-ppc:
|
||||
:qemu-s390x:M::\x7fELF\x02\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x16:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-s390x:
|
||||
:qemu-sh4eb:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x2a:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-sh4eb:
|
||||
:qemu-sh4:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x2a\x00:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-sh4:
|
||||
:qemu-sparc32plus:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x12:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-sparc32plus:
|
||||
:qemu-sparc64:M::\x7fELF\x02\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x2b:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-sparc64:
|
||||
:qemu-sparc:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x02:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-sparc:
|
Loading…
Reference in New Issue