@ -25,7 +25,7 @@ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
1 file changed, 6 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
|
||||
index 4245c15..babac5a 100644
|
||||
index 4d94b363a9..a5ce7dea8e 100644
|
||||
--- a/hw/scsi/vmw_pvscsi.c
|
||||
+++ b/hw/scsi/vmw_pvscsi.c
|
||||
@@ -40,6 +40,8 @@
|
||||
@ -37,7 +37,7 @@ index 4245c15..babac5a 100644
|
||||
#define PVSCSI_MAX_CMD_DATA_WORDS \
|
||||
(sizeof(PVSCSICmdDescSetupRings)/sizeof(uint32_t))
|
||||
|
||||
@@ -628,17 +630,16 @@ pvscsi_queue_pending_descriptor(PVSCSIState *s, SCSIDevice **d,
|
||||
@@ -631,17 +633,16 @@ pvscsi_queue_pending_descriptor(PVSCSIState *s, SCSIDevice **d,
|
||||
static void
|
||||
pvscsi_convert_sglist(PVSCSIRequest *r)
|
||||
{
|
@ -1,82 +0,0 @@
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Wed, 31 Aug 2016 12:19:29 +0530
|
||||
Subject: [PATCH] vmw_pvscsi: check page count while initialising descriptor
|
||||
rings
|
||||
|
||||
Vmware Paravirtual SCSI emulation uses command descriptors to
|
||||
process SCSI commands. These descriptors come with their ring
|
||||
buffers. A guest could set the page count for these rings to
|
||||
an arbitrary value, leading to infinite loop or OOB access.
|
||||
Add check to avoid it.
|
||||
|
||||
Reported-by: Tom Victor <vv474172261@gmail.com>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-Id: <1472626169-12989-1-git-send-email-ppandit@redhat.com>
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit 7f61f4690dd153be98900a2a508b88989e692753)
|
||||
---
|
||||
hw/scsi/vmw_pvscsi.c | 19 +++++++++----------
|
||||
1 file changed, 9 insertions(+), 10 deletions(-)
|
||||
|
||||
diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
|
||||
index 5116f4a..4245c15 100644
|
||||
--- a/hw/scsi/vmw_pvscsi.c
|
||||
+++ b/hw/scsi/vmw_pvscsi.c
|
||||
@@ -152,7 +152,7 @@ pvscsi_log2(uint32_t input)
|
||||
return log;
|
||||
}
|
||||
|
||||
-static int
|
||||
+static void
|
||||
pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
|
||||
{
|
||||
int i;
|
||||
@@ -160,10 +160,6 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
|
||||
uint32_t req_ring_size, cmp_ring_size;
|
||||
m->rs_pa = ri->ringsStatePPN << VMW_PAGE_SHIFT;
|
||||
|
||||
- if ((ri->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)
|
||||
- || (ri->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)) {
|
||||
- return -1;
|
||||
- }
|
||||
req_ring_size = ri->reqRingNumPages * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE;
|
||||
cmp_ring_size = ri->cmpRingNumPages * PVSCSI_MAX_NUM_CMP_ENTRIES_PER_PAGE;
|
||||
txr_len_log2 = pvscsi_log2(req_ring_size - 1);
|
||||
@@ -195,8 +191,6 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
|
||||
|
||||
/* Flush ring state page changes */
|
||||
smp_wmb();
|
||||
-
|
||||
- return 0;
|
||||
}
|
||||
|
||||
static int
|
||||
@@ -746,7 +740,7 @@ pvscsi_dbg_dump_tx_rings_config(PVSCSICmdDescSetupRings *rc)
|
||||
|
||||
trace_pvscsi_tx_rings_num_pages("Confirm Ring", rc->cmpRingNumPages);
|
||||
for (i = 0; i < rc->cmpRingNumPages; i++) {
|
||||
- trace_pvscsi_tx_rings_ppn("Confirm Ring", rc->reqRingPPNs[i]);
|
||||
+ trace_pvscsi_tx_rings_ppn("Confirm Ring", rc->cmpRingPPNs[i]);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -779,11 +773,16 @@ pvscsi_on_cmd_setup_rings(PVSCSIState *s)
|
||||
|
||||
trace_pvscsi_on_cmd_arrived("PVSCSI_CMD_SETUP_RINGS");
|
||||
|
||||
- pvscsi_dbg_dump_tx_rings_config(rc);
|
||||
- if (pvscsi_ring_init_data(&s->rings, rc) < 0) {
|
||||
+ if (!rc->reqRingNumPages
|
||||
+ || rc->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES
|
||||
+ || !rc->cmpRingNumPages
|
||||
+ || rc->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES) {
|
||||
return PVSCSI_COMMAND_PROCESSING_FAILED;
|
||||
}
|
||||
|
||||
+ pvscsi_dbg_dump_tx_rings_config(rc);
|
||||
+ pvscsi_ring_init_data(&s->rings, rc);
|
||||
+
|
||||
s->rings_info_valid = TRUE;
|
||||
return PVSCSI_COMMAND_PROCESSING_SUCCEEDED;
|
||||
}
|
@ -18,7 +18,7 @@ Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
1 file changed, 7 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
|
||||
index e51a05e..6599cf0 100644
|
||||
index e51a05ea7e..6599cf078d 100644
|
||||
--- a/hw/display/vmware_vga.c
|
||||
+++ b/hw/display/vmware_vga.c
|
||||
@@ -676,11 +676,13 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
|
@ -1,35 +0,0 @@
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Wed, 14 Sep 2016 15:09:12 +0530
|
||||
Subject: [PATCH] scsi: pvscsi: limit process IO loop to ring size
|
||||
|
||||
Vmware Paravirtual SCSI emulator while processing IO requests
|
||||
could run into an infinite loop if 'pvscsi_ring_pop_req_descr'
|
||||
always returned positive value. Limit IO loop to the ring size.
|
||||
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-Id: <1473845952-30785-1-git-send-email-ppandit@redhat.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit d251157ac1928191af851d199a9ff255d330bec9)
|
||||
---
|
||||
hw/scsi/vmw_pvscsi.c | 5 ++++-
|
||||
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
|
||||
index babac5a..a5ce7de 100644
|
||||
--- a/hw/scsi/vmw_pvscsi.c
|
||||
+++ b/hw/scsi/vmw_pvscsi.c
|
||||
@@ -247,8 +247,11 @@ static hwaddr
|
||||
pvscsi_ring_pop_req_descr(PVSCSIRingInfo *mgr)
|
||||
{
|
||||
uint32_t ready_ptr = RS_GET_FIELD(mgr, reqProdIdx);
|
||||
+ uint32_t ring_size = PVSCSI_MAX_NUM_PAGES_REQ_RING
|
||||
+ * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE;
|
||||
|
||||
- if (ready_ptr != mgr->consumed_ptr) {
|
||||
+ if (ready_ptr != mgr->consumed_ptr
|
||||
+ && ready_ptr - mgr->consumed_ptr < ring_size) {
|
||||
uint32_t next_ready_ptr =
|
||||
mgr->consumed_ptr++ & mgr->txr_len_mask;
|
||||
uint32_t next_ready_page =
|
@ -14,7 +14,7 @@ Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
1 file changed, 1 insertion(+), 2 deletions(-)
|
||||
|
||||
diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
|
||||
index 188f954..281a2a5 100644
|
||||
index 188f95416a..281a2a59f0 100644
|
||||
--- a/hw/usb/hcd-xhci.c
|
||||
+++ b/hw/usb/hcd-xhci.c
|
||||
@@ -3709,8 +3709,7 @@ static void usb_xhci_exit(PCIDevice *dev)
|
@ -18,7 +18,7 @@ Reviewed-by: Laszlo Ersek <lersek@redhat.com>
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
|
||||
index 74c085c..eabe573 100644
|
||||
index f31140aba4..58edd9952a 100644
|
||||
--- a/hw/virtio/virtio.c
|
||||
+++ b/hw/virtio/virtio.c
|
||||
@@ -473,6 +473,11 @@ static void virtqueue_map_desc(unsigned int *p_num_sg, hwaddr *addr, struct iove
|
@ -18,7 +18,7 @@ Signed-off-by: Jason Wang <jasowang@redhat.com>
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/hw/net/mcf_fec.c b/hw/net/mcf_fec.c
|
||||
index 0ee8ad9..d31fea1 100644
|
||||
index 0ee8ad9d66..d31fea1f18 100644
|
||||
--- a/hw/net/mcf_fec.c
|
||||
+++ b/hw/net/mcf_fec.c
|
||||
@@ -23,6 +23,7 @@ do { printf("mcf_fec: " fmt , ## __VA_ARGS__); } while (0)
|
@ -1,33 +0,0 @@
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Wed, 31 Aug 2016 17:36:07 +0530
|
||||
Subject: [PATCH] scsi: mptconfig: fix an assert expression
|
||||
|
||||
When LSI SAS1068 Host Bus emulator builds configuration page
|
||||
headers, mptsas_config_pack() should assert that the size
|
||||
fits in a byte. However, the size is expressed in 32-bit
|
||||
units, so up to 1020 bytes fit. The assertion was only
|
||||
allowing replies up to 252 bytes, so fix it.
|
||||
|
||||
Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-Id: <1472645167-30765-2-git-send-email-ppandit@redhat.com>
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit cf2bce203a45d7437029d108357fb23fea0967b6)
|
||||
---
|
||||
hw/scsi/mptconfig.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/scsi/mptconfig.c b/hw/scsi/mptconfig.c
|
||||
index 7071854..3e4f400 100644
|
||||
--- a/hw/scsi/mptconfig.c
|
||||
+++ b/hw/scsi/mptconfig.c
|
||||
@@ -158,7 +158,7 @@ static size_t mptsas_config_pack(uint8_t **data, const char *fmt, ...)
|
||||
va_end(ap);
|
||||
|
||||
if (data) {
|
||||
- assert(ret < 256 && (ret % 4) == 0);
|
||||
+ assert(ret / 4 < 256 && (ret % 4) == 0);
|
||||
stb_p(*data + 1, ret / 4);
|
||||
}
|
||||
return ret;
|
@ -1,37 +0,0 @@
|
||||
From: Paolo Bonzini <pbonzini@redhat.com>
|
||||
Date: Mon, 29 Aug 2016 11:35:37 +0200
|
||||
Subject: [PATCH] scsi: mptconfig: fix misuse of MPTSAS_CONFIG_PACK
|
||||
|
||||
These issues cause respectively a QEMU crash and a leak of 2 bytes of
|
||||
stack. They were discovered by VictorV of 360 Marvel Team.
|
||||
|
||||
Reported-by: Tom Victor <i-tangtianwen@360.cm>
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit 65a8e1f6413a0f6f79894da710b5d6d43361d27d)
|
||||
---
|
||||
hw/scsi/mptconfig.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/hw/scsi/mptconfig.c b/hw/scsi/mptconfig.c
|
||||
index 3e4f400..87a416a 100644
|
||||
--- a/hw/scsi/mptconfig.c
|
||||
+++ b/hw/scsi/mptconfig.c
|
||||
@@ -203,7 +203,7 @@ size_t mptsas_config_manufacturing_1(MPTSASState *s, uint8_t **data, int address
|
||||
{
|
||||
/* VPD - all zeros */
|
||||
return MPTSAS_CONFIG_PACK(1, MPI_CONFIG_PAGETYPE_MANUFACTURING, 0x00,
|
||||
- "s256");
|
||||
+ "*s256");
|
||||
}
|
||||
|
||||
static
|
||||
@@ -328,7 +328,7 @@ size_t mptsas_config_ioc_0(MPTSASState *s, uint8_t **data, int address)
|
||||
return MPTSAS_CONFIG_PACK(0, MPI_CONFIG_PAGETYPE_IOC, 0x01,
|
||||
"*l*lwwb*b*b*blww",
|
||||
pcic->vendor_id, pcic->device_id, pcic->revision,
|
||||
- pcic->subsystem_vendor_id,
|
||||
+ pcic->class_id, pcic->subsystem_vendor_id,
|
||||
pcic->subsystem_id);
|
||||
}
|
||||
|
@ -15,7 +15,7 @@ Message-id: 1476096382-7981-1-git-send-email-kraxel@redhat.com
|
||||
1 file changed, 10 insertions(+)
|
||||
|
||||
diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
|
||||
index 281a2a5..8a9a31a 100644
|
||||
index 281a2a59f0..8a9a31a2f7 100644
|
||||
--- a/hw/usb/hcd-xhci.c
|
||||
+++ b/hw/usb/hcd-xhci.c
|
||||
@@ -54,6 +54,8 @@
|
@ -16,7 +16,7 @@ Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
|
||||
index b093db7..f4ece9a 100644
|
||||
index b093db729c..f4ece9abed 100644
|
||||
--- a/hw/usb/hcd-ehci.c
|
||||
+++ b/hw/usb/hcd-ehci.c
|
||||
@@ -1426,6 +1426,7 @@ static int ehci_process_itd(EHCIState *ehci,
|
@ -1,32 +0,0 @@
|
||||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Mon, 12 Sep 2016 18:14:11 +0530
|
||||
Subject: [PATCH] scsi: mptsas: use g_new0 to allocate MPTSASRequest object
|
||||
|
||||
When processing IO request in mptsas, it uses g_new to allocate
|
||||
a 'req' object. If an error occurs before 'req->sreq' is
|
||||
allocated, It could lead to an OOB write in mptsas_free_request
|
||||
function. Use g_new0 to avoid it.
|
||||
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-Id: <1473684251-17476-1-git-send-email-ppandit@redhat.com>
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit 670e56d3ed2918b3861d9216f2c0540d9e9ae0d5)
|
||||
---
|
||||
hw/scsi/mptsas.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c
|
||||
index 0e0a22f..eaae1bb 100644
|
||||
--- a/hw/scsi/mptsas.c
|
||||
+++ b/hw/scsi/mptsas.c
|
||||
@@ -304,7 +304,7 @@ static int mptsas_process_scsi_io_request(MPTSASState *s,
|
||||
goto bad;
|
||||
}
|
||||
|
||||
- req = g_new(MPTSASRequest, 1);
|
||||
+ req = g_new0(MPTSASRequest, 1);
|
||||
QTAILQ_INSERT_TAIL(&s->pending, req, next);
|
||||
req->scsi_io = *scsi_io;
|
||||
req->dev = s;
|
@ -19,7 +19,7 @@ Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
1 file changed, 7 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
|
||||
index 444672a..d4ca026 100644
|
||||
index 444672a000..d4ca026f00 100644
|
||||
--- a/hw/usb/redirect.c
|
||||
+++ b/hw/usb/redirect.c
|
||||
@@ -2036,18 +2036,22 @@ static void usbredir_interrupt_packet(void *priv, uint64_t id,
|
@ -1,5 +1,5 @@
|
||||
From: Christophe Fergeau <cfergeau@redhat.com>
|
||||
Date: Fri, 14 Oct 2016 14:22:36 +0200
|
||||
Date: Fri, 28 Oct 2016 16:48:40 +0200
|
||||
Subject: [PATCH] qxl: Only emit QXL_INTERRUPT_CLIENT_MONITORS_CONFIG on config
|
||||
changes
|
||||
|
||||
@ -23,29 +23,36 @@ This causes https://bugzilla.redhat.com/show_bug.cgi?id=1266484
|
||||
This commit makes sure that we only emit
|
||||
QXL_INTERRUPT_CLIENT_MONITORS_CONFIG when there are actual configuration
|
||||
changes the guest should act on.
|
||||
|
||||
Signed-off-by: Christophe Fergeau <cfergeau@redhat.com>
|
||||
Message-id: 20161028144840.18326-1-cfergeau@redhat.com
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit 6c7565028c272c4c6f2a83c3a90b044eeaf2804a)
|
||||
---
|
||||
hw/display/qxl.c | 20 +++++++++++++++++++-
|
||||
1 file changed, 19 insertions(+), 1 deletion(-)
|
||||
hw/display/qxl.c | 37 ++++++++++++++++++++++++++++++++++++-
|
||||
1 file changed, 36 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/display/qxl.c b/hw/display/qxl.c
|
||||
index 0e2682d..56759f8 100644
|
||||
index 0e2682d28b..62d0c80dcf 100644
|
||||
--- a/hw/display/qxl.c
|
||||
+++ b/hw/display/qxl.c
|
||||
@@ -1000,6 +1000,7 @@ static int interface_client_monitors_config(QXLInstance *sin,
|
||||
QXLRom *rom = memory_region_get_ram_ptr(&qxl->rom_bar);
|
||||
int i;
|
||||
unsigned max_outputs = ARRAY_SIZE(rom->client_monitors_config.heads);
|
||||
+ bool config_changed = false;
|
||||
@@ -992,6 +992,34 @@ static uint32_t qxl_crc32(const uint8_t *p, unsigned len)
|
||||
return crc32(0xffffffff, p, len) ^ 0xffffffff;
|
||||
}
|
||||
|
||||
if (qxl->revision < 4) {
|
||||
trace_qxl_client_monitors_config_unsupported_by_device(qxl->id,
|
||||
@@ -1030,6 +1031,21 @@ static int interface_client_monitors_config(QXLInstance *sin,
|
||||
}
|
||||
#endif
|
||||
|
||||
+ if (rom->client_monitors_config.count != MIN(monitors_config->num_of_monitors, max_outputs)) {
|
||||
+ config_changed = true;
|
||||
+static bool qxl_rom_monitors_config_changed(QXLRom *rom,
|
||||
+ VDAgentMonitorsConfig *monitors_config,
|
||||
+ unsigned int max_outputs)
|
||||
+{
|
||||
+ int i;
|
||||
+ unsigned int monitors_count;
|
||||
+
|
||||
+ monitors_count = MIN(monitors_config->num_of_monitors, max_outputs);
|
||||
+
|
||||
+ if (rom->client_monitors_config.count != monitors_count) {
|
||||
+ return true;
|
||||
+ }
|
||||
+
|
||||
+ for (i = 0 ; i < rom->client_monitors_config.count ; ++i) {
|
||||
+ VDAgentMonConfig *monitor = &monitors_config->monitors[i];
|
||||
+ QXLURect *rect = &rom->client_monitors_config.heads[i];
|
||||
@ -54,14 +61,36 @@ index 0e2682d..56759f8 100644
|
||||
+ (rect->top != monitor->y) ||
|
||||
+ (rect->right != monitor->x + monitor->width) ||
|
||||
+ (rect->bottom != monitor->y + monitor->height)) {
|
||||
+ config_changed = true;
|
||||
+ return true;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ return false;
|
||||
+}
|
||||
+
|
||||
/* called from main context only */
|
||||
static int interface_client_monitors_config(QXLInstance *sin,
|
||||
VDAgentMonitorsConfig *monitors_config)
|
||||
@@ -1000,6 +1028,7 @@ static int interface_client_monitors_config(QXLInstance *sin,
|
||||
QXLRom *rom = memory_region_get_ram_ptr(&qxl->rom_bar);
|
||||
int i;
|
||||
unsigned max_outputs = ARRAY_SIZE(rom->client_monitors_config.heads);
|
||||
+ bool config_changed = false;
|
||||
|
||||
if (qxl->revision < 4) {
|
||||
trace_qxl_client_monitors_config_unsupported_by_device(qxl->id,
|
||||
@@ -1030,6 +1059,10 @@ static int interface_client_monitors_config(QXLInstance *sin,
|
||||
}
|
||||
#endif
|
||||
|
||||
+ config_changed = qxl_rom_monitors_config_changed(rom,
|
||||
+ monitors_config,
|
||||
+ max_outputs);
|
||||
+
|
||||
memset(&rom->client_monitors_config, 0,
|
||||
sizeof(rom->client_monitors_config));
|
||||
rom->client_monitors_config.count = monitors_config->num_of_monitors;
|
||||
@@ -1059,7 +1075,9 @@ static int interface_client_monitors_config(QXLInstance *sin,
|
||||
@@ -1059,7 +1092,9 @@ static int interface_client_monitors_config(QXLInstance *sin,
|
||||
trace_qxl_interrupt_client_monitors_config(qxl->id,
|
||||
rom->client_monitors_config.count,
|
||||
rom->client_monitors_config.heads);
|
0010-ui-use-evdev-keymap-when-running-under-wayland.patch
@ -0,0 +1,53 @@
|
||||
From: "Daniel P. Berrange" <berrange@redhat.com>
|
||||
Date: Thu, 1 Dec 2016 09:41:17 +0000
|
||||
Subject: [PATCH] ui: use evdev keymap when running under wayland
|
||||
|
||||
Wayland always uses evdev as its input source, so QEMU
|
||||
can use the existing evdev keymap data
|
||||
|
||||
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
|
||||
---
|
||||
include/ui/gtk.h | 4 ++++
|
||||
ui/gtk.c | 7 +++++++
|
||||
2 files changed, 11 insertions(+)
|
||||
|
||||
diff --git a/include/ui/gtk.h b/include/ui/gtk.h
|
||||
index 42ca0fea8b..b3b50059c7 100644
|
||||
--- a/include/ui/gtk.h
|
||||
+++ b/include/ui/gtk.h
|
||||
@@ -18,6 +18,10 @@
|
||||
#include <X11/XKBlib.h>
|
||||
#endif
|
||||
|
||||
+#ifdef GDK_WINDOWING_WAYLAND
|
||||
+#include <gdk/gdkwayland.h>
|
||||
+#endif
|
||||
+
|
||||
#if defined(CONFIG_OPENGL)
|
||||
#include "ui/egl-helpers.h"
|
||||
#include "ui/egl-context.h"
|
||||
diff --git a/ui/gtk.c b/ui/gtk.c
|
||||
index 21ae4cbccc..c641e49033 100644
|
||||
--- a/ui/gtk.c
|
||||
+++ b/ui/gtk.c
|
||||
@@ -90,6 +90,9 @@
|
||||
#ifndef GDK_IS_X11_DISPLAY
|
||||
#define GDK_IS_X11_DISPLAY(dpy) (dpy == dpy)
|
||||
#endif
|
||||
+#ifndef GDK_IS_WAYLAND_DISPLAY
|
||||
+#define GDK_IS_WAYLAND_DISPLAY(dpy) (dpy == dpy)
|
||||
+#endif
|
||||
#ifndef GDK_IS_WIN32_DISPLAY
|
||||
#define GDK_IS_WIN32_DISPLAY(dpy) (dpy == dpy)
|
||||
#endif
|
||||
@@ -1034,6 +1037,10 @@ static int gd_map_keycode(GtkDisplayState *s, GdkDisplay *dpy, int gdk_keycode)
|
||||
qemu_keycode = translate_xfree86_keycode(gdk_keycode - 97);
|
||||
}
|
||||
#endif
|
||||
+#ifdef GDK_WINDOWING_WAYLAND
|
||||
+ } else if (GDK_IS_WAYLAND_DISPLAY(dpy) && gdk_keycode < 158) {
|
||||
+ qemu_keycode = translate_evdev_keycode(gdk_keycode - 97);
|
||||
+#endif
|
||||
} else if (gdk_keycode == 208) { /* Hiragana_Katakana */
|
||||
qemu_keycode = 0x70;
|
||||
} else if (gdk_keycode == 211) { /* backslash */
|
0011-net-vmxnet-initialise-local-tx-descriptor.patch
@ -0,0 +1,30 @@
|
||||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Thu, 11 Aug 2016 00:42:20 +0530
|
||||
Subject: [PATCH] net: vmxnet: initialise local tx descriptor
|
||||
|
||||
In Vmxnet3 device emulator while processing transmit(tx) queue,
|
||||
when it reaches end of packet, it calls vmxnet3_complete_packet.
|
||||
In that local 'txcq_descr' object is not initialised, which could
|
||||
leak host memory bytes a guest.
|
||||
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Reviewed-by: Dmitry Fleytman <dmitry@daynix.com>
|
||||
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
||||
(cherry picked from commit fdda170e50b8af062cf5741e12c4fb5e57a2eacf)
|
||||
---
|
||||
hw/net/vmxnet3.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
|
||||
index 90f6943668..92f6af9620 100644
|
||||
--- a/hw/net/vmxnet3.c
|
||||
+++ b/hw/net/vmxnet3.c
|
||||
@@ -531,6 +531,7 @@ static void vmxnet3_complete_packet(VMXNET3State *s, int qidx, uint32_t tx_ridx)
|
||||
|
||||
VMXNET3_RING_DUMP(VMW_RIPRN, "TXC", qidx, &s->txq_descr[qidx].comp_ring);
|
||||
|
||||
+ memset(&txcq_descr, 0, sizeof(txcq_descr));
|
||||
txcq_descr.txdIdx = tx_ridx;
|
||||
txcq_descr.gen = vmxnet3_ring_curr_gen(&s->txq_descr[qidx].comp_ring);
|
||||
|
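Review bot: `memset(&txcq_descr, 0, sizeof(txcq_descr))` is the right tool here rather than a `= {0}` initializer at the declaration, because an initializer leaves padding bytes unspecified while this descriptor is copied out to guest memory; that reasoning should be written down so a later cleanup does not "simplify" it away, e.g. `/* Zero the whole descriptor, padding included: it is written to guest memory below. */`. The declaration of txcq_descr and the write to the completion ring are both outside this hunk, so I cannot confirm nothing reads the struct before the memset, but with the memset placed ahead of the first field assignment that looks fine. vmxnet3_complete_packet begins and ends outside the hunk.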
0012-net-pcnet-check-rx-tx-descriptor-ring-length.patch
@ -0,0 +1,34 @@
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Fri, 30 Sep 2016 00:27:33 +0530
|
||||
Subject: [PATCH] net: pcnet: check rx/tx descriptor ring length
|
||||
|
||||
The AMD PC-Net II emulator has set of control and status(CSR)
|
||||
registers. Of these, CSR76 and CSR78 hold receive and transmit
|
||||
descriptor ring length respectively. This ring length could range
|
||||
from 1 to 65535. Setting ring length to zero leads to an infinite
|
||||
loop in pcnet_rdra_addr() or pcnet_transmit(). Add check to avoid it.
|
||||
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
||||
(cherry picked from commit 34e29ce754c02bb6b3bdd244fbb85033460feaff)
|
||||
---
|
||||
hw/net/pcnet.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
|
||||
index 198a01f92d..3078de8aba 100644
|
||||
--- a/hw/net/pcnet.c
|
||||
+++ b/hw/net/pcnet.c
|
||||
@@ -1429,8 +1429,11 @@ static void pcnet_csr_writew(PCNetState *s, uint32_t rap, uint32_t new_value)
|
||||
case 47: /* POLLINT */
|
||||
case 72:
|
||||
case 74:
|
||||
+ break;
|
||||
case 76: /* RCVRL */
|
||||
case 78: /* XMTRL */
|
||||
+ val = (val > 0) ? val : 512;
|
||||
+ break;
|
||||
case 112:
|
||||
if (CSR_STOP(s) || CSR_SPND(s))
|
||||
break;
|
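Review bot: The two added `break;` lines change more than the zero-length clamp: before this patch `case 47` through `case 78` fell straight through to the `CSR_STOP(s) || CSR_SPND(s)` gate under `case 112` at the bottom of the hunk, so writes to POLLINT, CSR72/74 and the two ring lengths were only committed while the controller was stopped or suspended, whereas now they land unconditionally. If dropping that gate is intended it belongs in the commit message; if not, the clamp can be applied on the way through by ordering the cases so that RCVRL/XMTRL fall into the gated group, as below. The `return` that presumably follows the gate's `break;` and the `s->csr[rap] = val` write-back it protects are outside the hunk. Whether a live ring-length change is harmful to pcnet_rdra_addr() I cannot tell from here; keeping the original gate is simply the conservative choice.

```c
    case 76: /* RCVRL */
    case 78: /* XMTRL */
        val = (val > 0) ? val : 512;   /* a zero length would loop forever in pcnet_rdra_addr() */
        /* fall through */
    case 47: /* POLLINT */
    case 72:
    case 74:
    case 112:
        if (CSR_STOP(s) || CSR_SPND(s))
            break;
        /* … unchanged: return while running, remaining cases … */
```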
@ -0,0 +1,32 @@
|
||||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Sun, 18 Sep 2016 19:07:11 -0700
|
||||
Subject: [PATCH] virtio-gpu: fix memory leak in virtio_gpu_resource_create_2d
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
In virtio gpu resource create dispatch, if the pixman format is zero
|
||||
it doesn't free the resource object allocated previously. Thus leading
|
||||
a host memory leak issue. This patch avoid this.
|
||||
|
||||
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
||||
Message-id: 57df486e.8379240a.c3620.ff81@mx.google.com
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit cb3a0522b694cc5bb6424497b3f828ccd28fd1dd)
|
||||
---
|
||||
hw/display/virtio-gpu.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
|
||||
index 7fe6ed8bf0..5b6d17be00 100644
|
||||
--- a/hw/display/virtio-gpu.c
|
||||
+++ b/hw/display/virtio-gpu.c
|
||||
@@ -333,6 +333,7 @@ static void virtio_gpu_resource_create_2d(VirtIOGPU *g,
|
||||
qemu_log_mask(LOG_GUEST_ERROR,
|
||||
"%s: host couldn't handle guest format %d\n",
|
||||
__func__, c2d.format);
|
||||
+ g_free(res);
|
||||
cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER;
|
||||
return;
|
||||
}
|
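Review bot: `g_free(res)` is a complete fix only if nothing has been attached to `res` before this format check — no insertion into the resource list and no pixman image; as far as I recall both happen after this point upstream, but the allocation and the later steps are outside the hunk, so confirm on the rebased tree. The parallel failure path just below, where `pixman_image_create_bits()` returns NULL, needs the same release; if it already has one, a single `goto` cleanup label shared by both would make ownership explicit and stop the next error branch from reintroducing the leak. virtio_gpu_resource_create_2d begins and ends outside the hunk.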
0014-9pfs-fix-potential-host-memory-leak-in-v9fs_read.patch
@ -0,0 +1,36 @@
|
||||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Mon, 17 Oct 2016 14:13:58 +0200
|
||||
Subject: [PATCH] 9pfs: fix potential host memory leak in v9fs_read
|
||||
|
||||
In 9pfs read dispatch function, it doesn't free two QEMUIOVector
|
||||
object thus causing potential memory leak. This patch avoid this.
|
||||
|
||||
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Greg Kurz <groug@kaod.org>
|
||||
(cherry picked from commit e95c9a493a5a8d6f969e86c9f19f80ffe6587e19)
|
||||
---
|
||||
hw/9pfs/9p.c | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
|
||||
index 91a497079a..1a9ec7ede9 100644
|
||||
--- a/hw/9pfs/9p.c
|
||||
+++ b/hw/9pfs/9p.c
|
||||
@@ -1813,14 +1813,15 @@ static void v9fs_read(void *opaque)
|
||||
if (len < 0) {
|
||||
/* IO error return the error */
|
||||
err = len;
|
||||
- goto out;
|
||||
+ goto out_free_iovec;
|
||||
}
|
||||
} while (count < max_count && len > 0);
|
||||
err = pdu_marshal(pdu, offset, "d", count);
|
||||
if (err < 0) {
|
||||
- goto out;
|
||||
+ goto out_free_iovec;
|
||||
}
|
||||
err += offset + count;
|
||||
+out_free_iovec:
|
||||
qemu_iovec_destroy(&qiov);
|
||||
qemu_iovec_destroy(&qiov_full);
|
||||
} else if (fidp->fid_type == P9_FID_XATTR) {
|
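Review bot: The new `out_free_iovec:` label sits inside the `P9_FID_FILE` branch and relies on nothing between it and the branch's tail touching `err`; a comment on the label would pin that contract, e.g. `out_free_iovec: /* qiov and qiov_full are live from their init above; every exit of this branch after that point must come through here */`. Any `goto out` that remains before the two `qemu_iovec_init()` calls, which are above the hunk, must stay as `goto out`, since destroying an uninitialised QEMUIOVector would be its own bug — worth a quick check that both converted jumps are after the init. v9fs_read begins and ends outside the hunk.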
@ -1,54 +0,0 @@
|
||||
From: Thomas Huth <thuth@redhat.com>
|
||||
Date: Wed, 21 Sep 2016 11:42:15 +0200
|
||||
Subject: [PATCH] ppc/kvm: Mark 64kB page size support as disabled if not
|
||||
available
|
||||
|
||||
QEMU currently refuses to start with KVM-PR and only prints out
|
||||
|
||||
qemu: fatal: Unknown MMU model 851972
|
||||
|
||||
when being started there. This is because commit 4322e8ced5aaac719
|
||||
("ppc: Fix 64K pages support in full emulation") introduced a new
|
||||
POWERPC_MMU_64K bit to indicate support for this page size, but
|
||||
it never gets cleared on KVM-PR if the host kernel does not support
|
||||
this. Thus we've got to turn off this bit in the mmu_model for KVM-PR.
|
||||
|
||||
Signed-off-by: Thomas Huth <thuth@redhat.com>
|
||||
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
|
||||
(cherry picked from commit 0d594f5565837fe2886a8aa307ef8abb65eab8f7)
|
||||
---
|
||||
target-ppc/kvm.c | 7 +++++++
|
||||
1 file changed, 7 insertions(+)
|
||||
|
||||
diff --git a/target-ppc/kvm.c b/target-ppc/kvm.c
|
||||
index dcb68b9..6bdc804 100644
|
||||
--- a/target-ppc/kvm.c
|
||||
+++ b/target-ppc/kvm.c
|
||||
@@ -427,6 +427,7 @@ static void kvm_fixup_page_sizes(PowerPCCPU *cpu)
|
||||
CPUPPCState *env = &cpu->env;
|
||||
long rampagesize;
|
||||
int iq, ik, jq, jk;
|
||||
+ bool has_64k_pages = false;
|
||||
|
||||
/* We only handle page sizes for 64-bit server guests for now */
|
||||
if (!(env->mmu_model & POWERPC_MMU_64)) {
|
||||
@@ -470,6 +471,9 @@ static void kvm_fixup_page_sizes(PowerPCCPU *cpu)
|
||||
ksps->enc[jk].page_shift)) {
|
||||
continue;
|
||||
}
|
||||
+ if (ksps->enc[jk].page_shift == 16) {
|
||||
+ has_64k_pages = true;
|
||||
+ }
|
||||
qsps->enc[jq].page_shift = ksps->enc[jk].page_shift;
|
||||
qsps->enc[jq].pte_enc = ksps->enc[jk].pte_enc;
|
||||
if (++jq >= PPC_PAGE_SIZES_MAX_SZ) {
|
||||
@@ -484,6 +488,9 @@ static void kvm_fixup_page_sizes(PowerPCCPU *cpu)
|
||||
if (!(smmu_info.flags & KVM_PPC_1T_SEGMENTS)) {
|
||||
env->mmu_model &= ~POWERPC_MMU_1TSEG;
|
||||
}
|
||||
+ if (!has_64k_pages) {
|
||||
+ env->mmu_model &= ~POWERPC_MMU_64K;
|
||||
+ }
|
||||
}
|
||||
#else /* defined (TARGET_PPC64) */
|
||||
|
@ -0,0 +1,56 @@
|
||||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Mon, 17 Oct 2016 14:13:58 +0200
|
||||
Subject: [PATCH] 9pfs: allocate space for guest originated empty strings
|
||||
|
||||
If a guest sends an empty string paramater to any 9P operation, the current
|
||||
code unmarshals it into a V9fsString equal to { .size = 0, .data = NULL }.
|
||||
|
||||
This is unfortunate because it can cause NULL pointer dereference to happen
|
||||
at various locations in the 9pfs code. And we don't want to check str->data
|
||||
everywhere we pass it to strcmp() or any other function which expects a
|
||||
dereferenceable pointer.
|
||||
|
||||
This patch enforces the allocation of genuine C empty strings instead, so
|
||||
callers don't have to bother.
|
||||
|
||||
Out of all v9fs_iov_vunmarshal() users, only v9fs_xattrwalk() checks if
|
||||
the returned string is empty. It now uses v9fs_string_size() since
|
||||
name.data cannot be NULL anymore.
|
||||
|
||||
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||
[groug, rewritten title and changelog,
|
||||
fix empty string check in v9fs_xattrwalk()]
|
||||
Signed-off-by: Greg Kurz <groug@kaod.org>
|
||||
|
||||
(cherry picked from commit ba42ebb863ab7d40adc79298422ed9596df8f73a)
|
||||
---
|
||||
fsdev/9p-iov-marshal.c | 2 +-
|
||||
hw/9pfs/9p.c | 2 +-
|
||||
2 files changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/fsdev/9p-iov-marshal.c b/fsdev/9p-iov-marshal.c
|
||||
index 663cad5429..1d16f8df4b 100644
|
||||
--- a/fsdev/9p-iov-marshal.c
|
||||
+++ b/fsdev/9p-iov-marshal.c
|
||||
@@ -125,7 +125,7 @@ ssize_t v9fs_iov_vunmarshal(struct iovec *out_sg, int out_num, size_t offset,
|
||||
str->data = g_malloc(str->size + 1);
|
||||
copied = v9fs_unpack(str->data, out_sg, out_num, offset,
|
||||
str->size);
|
||||
- if (copied > 0) {
|
||||
+ if (copied >= 0) {
|
||||
str->data[str->size] = 0;
|
||||
} else {
|
||||
v9fs_string_free(str);
|
||||
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
|
||||
index 1a9ec7ede9..2b161ed6c0 100644
|
||||
--- a/hw/9pfs/9p.c
|
||||
+++ b/hw/9pfs/9p.c
|
||||
@@ -3162,7 +3162,7 @@ static void v9fs_xattrwalk(void *opaque)
|
||||
goto out;
|
||||
}
|
||||
v9fs_path_copy(&xattr_fidp->path, &file_fidp->path);
|
||||
- if (name.data == NULL) {
|
||||
+ if (!v9fs_string_size(&name)) {
|
||||
/*
|
||||
* listxattr request. Get the size first
|
||||
*/
|
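Review bot: The `copied >= 0` change establishes a contract that deserves a comment at the allocation: `/* Always produce a NUL-terminated C string, even for size 0, so callers can hand str->data to strcmp() & co. without a NULL check. */`. Note what the terminator does not guarantee: the bytes come from the guest, so `strlen(str->data)` can still be shorter than `str->size` if the guest embeds a NUL, and callers that treat the two as interchangeable need their own check — unchanged by this patch, but worth keeping in mind next to the new `v9fs_string_size()` test in v9fs_xattrwalk. Both enclosing functions begin and end outside the hunk.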
0016-net-rocker-set-limit-to-DMA-buffer-size.patch
@ -0,0 +1,33 @@
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Wed, 12 Oct 2016 14:40:55 +0530
|
||||
Subject: [PATCH] net: rocker: set limit to DMA buffer size
|
||||
|
||||
Rocker network switch emulator has test registers to help debug
|
||||
DMA operations. While testing host DMA access, a buffer address
|
||||
is written to register 'TEST_DMA_ADDR' and its size is written to
|
||||
register 'TEST_DMA_SIZE'. When performing TEST_DMA_CTRL_INVERT
|
||||
test, if DMA buffer size was greater than 'INT_MAX', it leads to
|
||||
an invalid buffer access. Limit the DMA buffer size to avoid it.
|
||||
|
||||
Reported-by: Huawei PSIRT <psirt@huawei.com>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Reviewed-by: Jiri Pirko <jiri@mellanox.com>
|
||||
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
||||
(cherry picked from commit 8caed3d564672e8bc6d2e4c6a35228afd01f4723)
|
||||
---
|
||||
hw/net/rocker/rocker.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/net/rocker/rocker.c b/hw/net/rocker/rocker.c
|
||||
index 30f2ce417b..e9d215aa4d 100644
|
||||
--- a/hw/net/rocker/rocker.c
|
||||
+++ b/hw/net/rocker/rocker.c
|
||||
@@ -860,7 +860,7 @@ static void rocker_io_writel(void *opaque, hwaddr addr, uint32_t val)
|
||||
rocker_msix_irq(r, val);
|
||||
break;
|
||||
case ROCKER_TEST_DMA_SIZE:
|
||||
- r->test_dma_size = val;
|
||||
+ r->test_dma_size = val & 0xFFFF;
|
||||
break;
|
||||
case ROCKER_TEST_DMA_ADDR + 4:
|
||||
r->test_dma_addr = ((uint64_t)val) << 32 | r->lower32;
|
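Review bot: `val & 0xFFFF` caps the size but silently rewrites out-of-range values (0x10000 becomes 0, 0x12345 becomes 0x2345) instead of rejecting them, which hides guest bugs and lets a zero-sized test DMA reach the consumer; an explicit bound with a guest-error log is clearer (assuming qemu/log.h is already included): `if (val > 0xFFFF) { qemu_log_mask(LOG_GUEST_ERROR, "rocker: TEST_DMA_SIZE 0x%x out of range\n", val); break; }` followed by the original `r->test_dma_size = val;`. The mask is a magic number as well; a `ROCKER_TEST_DMA_SIZE_MAX` define next to the register definitions would name it. The code that allocates and fills the test buffer is outside the hunk, so I cannot confirm how it treats a size of 0 after masking — worth checking. rocker_io_writel begins and ends outside the hunk.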
0017-char-serial-check-divider-value-against-baud-base.patch
@ -0,0 +1,34 @@
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Wed, 12 Oct 2016 11:28:08 +0530
|
||||
Subject: [PATCH] char: serial: check divider value against baud base
|
||||
|
||||
16550A UART device uses an oscillator to generate frequencies
|
||||
(baud base), which decide communication speed. This speed could
|
||||
be changed by dividing it by a divider. If the divider is
|
||||
greater than the baud base, speed is set to zero, leading to a
|
||||
divide by zero error. Add check to avoid it.
|
||||
|
||||
Reported-by: Huawei PSIRT <psirt@huawei.com>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-Id: <1476251888-20238-1-git-send-email-ppandit@redhat.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit 3592fe0c919cf27a81d8e9f9b4f269553418bb01)
|
||||
---
|
||||
hw/char/serial.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/char/serial.c b/hw/char/serial.c
|
||||
index 3442f47d36..eec72b7b9e 100644
|
||||
--- a/hw/char/serial.c
|
||||
+++ b/hw/char/serial.c
|
||||
@@ -153,8 +153,9 @@ static void serial_update_parameters(SerialState *s)
|
||||
int speed, parity, data_bits, stop_bits, frame_size;
|
||||
QEMUSerialSetParams ssp;
|
||||
|
||||
- if (s->divider == 0)
|
||||
+ if (s->divider == 0 || s->divider > s->baudbase) {
|
||||
return;
|
||||
+ }
|
||||
|
||||
/* Start bit. */
|
||||
frame_size = 1;
|
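Review bot: The new guard in serial_update_parameters returns silently when `s->divider > s->baudbase`, leaving whatever parameters were previously programmed in effect, and the hunk does not say why that comparison is the right bound. A comment on the condition would make it self-explaining, e.g. `/* divider > baudbase would give speed 0 and a divide-by-zero below */`. The function's body continues past the hunk, so whether any caller expects an update to always take effect cannot be checked here.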
@ -0,0 +1,35 @@
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Thu, 20 Oct 2016 13:10:24 +0530
|
||||
Subject: [PATCH] audio: intel-hda: check stream entry count during transfer
|
||||
|
||||
Intel HDA emulator uses stream of buffers during DMA data
|
||||
transfers. Each entry has buffer length and buffer pointer
|
||||
position, which are used to derive bytes to 'copy'. If this
|
||||
length and buffer pointer were to be same, 'copy' could be
|
||||
set to zero(0), leading to an infinite loop. Add check to
|
||||
avoid it.
|
||||
|
||||
Reported-by: Huawei PSIRT <psirt@huawei.com>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
|
||||
Message-id: 1476949224-6865-1-git-send-email-ppandit@redhat.com
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit 0c0fc2b5fd534786051889459848764edd798050)
|
||||
---
|
||||
hw/audio/intel-hda.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c
|
||||
index cd95340cd9..537face94d 100644
|
||||
--- a/hw/audio/intel-hda.c
|
||||
+++ b/hw/audio/intel-hda.c
|
||||
@@ -416,7 +416,8 @@ static bool intel_hda_xfer(HDACodecDevice *dev, uint32_t stnr, bool output,
|
||||
}
|
||||
|
||||
left = len;
|
||||
- while (left > 0) {
|
||||
+ s = st->bentries;
|
||||
+ while (left > 0 && s-- > 0) {
|
||||
copy = left;
|
||||
if (copy > st->bsize - st->lpib)
|
||||
copy = st->bsize - st->lpib;
|
@ -0,0 +1,48 @@
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Mon, 24 Oct 2016 16:26:54 +0100
|
||||
Subject: [PATCH] timer: a9gtimer: remove loop to auto-increment comparator
|
||||
|
||||
ARM A9MP processor has a peripheral timer with an auto-increment
|
||||
register, which holds an increment step value. A user could set
|
||||
this value to zero. When auto-increment control bit is enabled,
|
||||
it leads to an infinite loop in 'a9_gtimer_update' while
|
||||
updating comparator value. Remove this loop incrementing the
|
||||
comparator value.
|
||||
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-id: 1476733226-11635-1-git-send-email-ppandit@redhat.com
|
||||
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
|
||||
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
|
||||
(cherry picked from commit 6be8f5e2626e102433e569d9cece2120baf0c879)
|
||||
---
|
||||
hw/timer/a9gtimer.c | 14 +++++++-------
|
||||
1 file changed, 7 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/hw/timer/a9gtimer.c b/hw/timer/a9gtimer.c
|
||||
index 772f85f5fd..ce1dc63911 100644
|
||||
--- a/hw/timer/a9gtimer.c
|
||||
+++ b/hw/timer/a9gtimer.c
|
||||
@@ -82,15 +82,15 @@ static void a9_gtimer_update(A9GTimerState *s, bool sync)
|
||||
if ((s->control & R_CONTROL_TIMER_ENABLE) &&
|
||||
(gtb->control & R_CONTROL_COMP_ENABLE)) {
|
||||
/* R2p0+, where the compare function is >= */
|
||||
- while (gtb->compare < update.new) {
|
||||
+ if (gtb->compare < update.new) {
|
||||
DB_PRINT("Compare event happened for CPU %d\n", i);
|
||||
gtb->status = 1;
|
||||
- if (gtb->control & R_CONTROL_AUTO_INCREMENT) {
|
||||
- DB_PRINT("Auto incrementing timer compare by %" PRId32 "\n",
|
||||
- gtb->inc);
|
||||
- gtb->compare += gtb->inc;
|
||||
- } else {
|
||||
- break;
|
||||
+ if (gtb->control & R_CONTROL_AUTO_INCREMENT && gtb->inc) {
|
||||
+ uint64_t inc =
|
||||
+ QEMU_ALIGN_UP(update.new - gtb->compare, gtb->inc);
|
||||
+ DB_PRINT("Auto incrementing timer compare by %"
|
||||
+ PRId64 "\n", inc);
|
||||
+ gtb->compare += inc;
|
||||
}
|
||||
}
|
||||
cdiff = (int64_t)gtb->compare - (int64_t)update.new + 1;
|
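Review bot: The added `DB_PRINT("Auto incrementing timer compare by %" PRId64 "\n", inc)` in a9_gtimer_update prints a `uint64_t` with a signed conversion; the format should be `PRIu64` so it matches the argument type. The condition `gtb->control & R_CONTROL_AUTO_INCREMENT && gtb->inc` relies on `&` binding tighter than `&&`; writing it as `if ((gtb->control & R_CONTROL_AUTO_INCREMENT) && gtb->inc) {` reads as intended and avoids the -Wparentheses warning. a9_gtimer_update's body starts and ends outside the hunk.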
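--- a/0020-net-eepro100-fix-memory-leak-in-device-uninit.patch
+++ b/0020-net-eepro100-fix-memory-leak-in-device-uninit.patch
@@ -0,0 +1,27 @@
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Sat, 8 Oct 2016 05:07:25 -0700
+Subject: [PATCH] net: eepro100: fix memory leak in device uninit
+
+The exit dispatch of eepro100 network card device doesn't free
+the 's->vmstate' field which was allocated in device realize thus
+leading a host memory leak. This patch avoid this.
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+(cherry picked from commit 2634ab7fe29b3f75d0865b719caf8f310d634aae)
+---
+hw/net/eepro100.c | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/hw/net/eepro100.c b/hw/net/eepro100.c
+index bab4dbfc98..4bf71f2d85 100644
+--- a/hw/net/eepro100.c
++++ b/hw/net/eepro100.c
+@@ -1843,6 +1843,7 @@ static void pci_nic_uninit(PCIDevice *pci_dev)
+EEPRO100State *s = DO_UPCAST(EEPRO100State, dev, pci_dev);
+
+vmstate_unregister(&pci_dev->qdev, s->vmstate, s);
++ g_free(s->vmstate);
+eeprom93xx_free(&pci_dev->qdev, s->eeprom);
+qemu_del_nic(s->nic);
+}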
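--- a/0021-9pfs-fix-information-leak-in-xattr-read.patch
+++ b/0021-9pfs-fix-information-leak-in-xattr-read.patch
@@ -0,0 +1,29 @@
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Mon, 17 Oct 2016 14:13:58 +0200
+Subject: [PATCH] 9pfs: fix information leak in xattr read
+
+9pfs uses g_malloc() to allocate the xattr memory space, if the guest
+reads this memory before writing to it, this will leak host heap memory
+to the guest. This patch avoid this.
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+Reviewed-by: Greg Kurz <groug@kaod.org>
+Signed-off-by: Greg Kurz <groug@kaod.org>
+(cherry picked from commit eb687602853b4ae656e9236ee4222609f3a6887d)
+---
+hw/9pfs/9p.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index 2b161ed6c0..0c0645fe9a 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -3270,7 +3270,7 @@ static void v9fs_xattrcreate(void *opaque)
+xattr_fidp->fs.xattr.flags = flags;
+v9fs_string_init(&xattr_fidp->fs.xattr.name);
+v9fs_string_copy(&xattr_fidp->fs.xattr.name, &name);
+- xattr_fidp->fs.xattr.value = g_malloc(size);
++ xattr_fidp->fs.xattr.value = g_malloc0(size);
+err = offset;
+put_fid(pdu, file_fidp);
+out_nofid: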
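Review bot: The switch to `g_malloc0(size)` in v9fs_xattrcreate leaves no trace of why zeroing is required, so a later cleanup could turn it back into `g_malloc` without noticing the read-before-write exposure the message describes. A comment on the allocation would pin it: `/* zeroed: the guest may read the value back before it has written it */`. The hunk does not show where `size` is bounded before it reaches the allocator; if that check lives earlier in v9fs_xattrcreate it is worth referencing in the same comment, since g_malloc0 aborts rather than returning NULL on failure. The function's body starts outside the hunk.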
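--- a/0022-9pfs-fix-memory-leak-in-v9fs_xattrcreate.patch
+++ b/0022-9pfs-fix-memory-leak-in-v9fs_xattrcreate.patch
@@ -0,0 +1,32 @@
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Mon, 17 Oct 2016 14:13:58 +0200
+Subject: [PATCH] 9pfs: fix memory leak in v9fs_xattrcreate
+
+The 'fs.xattr.value' field in V9fsFidState object doesn't consider the
+situation that this field has been allocated previously. Every time, it
+will be allocated directly. This leads to a host memory leak issue if
+the client sends another Txattrcreate message with the same fid number
+before the fid from the previous time got clunked.
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+Reviewed-by: Greg Kurz <groug@kaod.org>
+[groug, updated the changelog to indicate how the leak can occur]
+Signed-off-by: Greg Kurz <groug@kaod.org>
+
+(cherry picked from commit ff55e94d23ae94c8628b0115320157c763eb3e06)
+---
+hw/9pfs/9p.c | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index 0c0645fe9a..54554bac51 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -3270,6 +3270,7 @@ static void v9fs_xattrcreate(void *opaque)
+xattr_fidp->fs.xattr.flags = flags;
+v9fs_string_init(&xattr_fidp->fs.xattr.name);
+v9fs_string_copy(&xattr_fidp->fs.xattr.name, &name);
++ g_free(xattr_fidp->fs.xattr.value);
+xattr_fidp->fs.xattr.value = g_malloc0(size);
+err = offset;
+put_fid(pdu, file_fidp);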
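--- a/0023-9pfs-add-xattrwalk_fid-field-in-V9fsXattr-struct.patch
+++ b/0023-9pfs-add-xattrwalk_fid-field-in-V9fsXattr-struct.patch
@@ -0,0 +1,70 @@
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Tue, 1 Nov 2016 12:00:40 +0100
+Subject: [PATCH] 9pfs: add xattrwalk_fid field in V9fsXattr struct
+
+Currently, 9pfs sets the 'copied_len' field in V9fsXattr
+to -1 to tag xattr walk fid. As the 'copied_len' is also
+used to account for copied bytes, this may make confusion. This patch
+add a bool 'xattrwalk_fid' to tag the xattr walk fid.
+
+Suggested-by: Greg Kurz <groug@kaod.org>
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+Reviewed-by: Greg Kurz <groug@kaod.org>
+Signed-off-by: Greg Kurz <groug@kaod.org>
+(cherry picked from commit dd28fbbc2edc0822965d402d927ce646326d6954)
+---
+hw/9pfs/9p.c | 7 ++++---
+hw/9pfs/9p.h | 1 +
+2 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index 54554bac51..ad57123aaf 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -310,7 +310,7 @@ static int v9fs_xattr_fid_clunk(V9fsPDU *pdu, V9fsFidState *fidp)
+{
+int retval = 0;
+
+- if (fidp->fs.xattr.copied_len == -1) {
++ if (fidp->fs.xattr.xattrwalk_fid) {
+/* getxattr/listxattr fid */
+goto free_value;
+}
+@@ -3177,7 +3177,7 @@ static void v9fs_xattrwalk(void *opaque)
+*/
+xattr_fidp->fs.xattr.len = size;
+xattr_fidp->fid_type = P9_FID_XATTR;
+- xattr_fidp->fs.xattr.copied_len = -1;
++ xattr_fidp->fs.xattr.xattrwalk_fid = true;
+if (size) {
+xattr_fidp->fs.xattr.value = g_malloc(size);
+err = v9fs_co_llistxattr(pdu, &xattr_fidp->path,
+@@ -3210,7 +3210,7 @@ static void v9fs_xattrwalk(void *opaque)
+*/
+xattr_fidp->fs.xattr.len = size;
+xattr_fidp->fid_type = P9_FID_XATTR;
+- xattr_fidp->fs.xattr.copied_len = -1;
++ xattr_fidp->fs.xattr.xattrwalk_fid = true;
+if (size) {
+xattr_fidp->fs.xattr.value = g_malloc(size);
+err = v9fs_co_lgetxattr(pdu, &xattr_fidp->path,
+@@ -3266,6 +3266,7 @@ static void v9fs_xattrcreate(void *opaque)
+xattr_fidp = file_fidp;
+xattr_fidp->fid_type = P9_FID_XATTR;
+xattr_fidp->fs.xattr.copied_len = 0;
++ xattr_fidp->fs.xattr.xattrwalk_fid = false;
+xattr_fidp->fs.xattr.len = size;
+xattr_fidp->fs.xattr.flags = flags;
+v9fs_string_init(&xattr_fidp->fs.xattr.name);
+diff --git a/hw/9pfs/9p.h b/hw/9pfs/9p.h
+index a38603398e..699235d81c 100644
+--- a/hw/9pfs/9p.h
++++ b/hw/9pfs/9p.h
+@@ -164,6 +164,7 @@ typedef struct V9fsXattr
+void *value;
+V9fsString name;
+int flags;
++ bool xattrwalk_fid;
+} V9fsXattr;
+
+typedef struct V9fsDir {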
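Review bot: The new `bool xattrwalk_fid` member of V9fsXattr in 9p.h is added without a comment, and the two lines it replaces in v9fs_xattrwalk no longer initialise `copied_len` at all; whether `copied_len` is otherwise initialised for walk fids before the read path consumes it is not visible in these hunks and is worth confirming. A field comment would pin the meaning for the next reader: `bool xattrwalk_fid; /* set by Txattrwalk (getxattr/listxattr fid), cleared by Txattrcreate */`. Both v9fs_xattrwalk hunks and the v9fs_xattrcreate hunk cut through the middle of their functions.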
@ -0,0 +1,44 @@
|
||||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Tue, 1 Nov 2016 12:00:40 +0100
|
||||
Subject: [PATCH] 9pfs: convert 'len/copied_len' field in V9fsXattr to the type
|
||||
of uint64_t
|
||||
|
||||
The 'len' in V9fsXattr comes from the 'size' argument in setxattr()
|
||||
function in guest. The setxattr() function's declaration is this:
|
||||
|
||||
int setxattr(const char *path, const char *name,
|
||||
const void *value, size_t size, int flags);
|
||||
|
||||
and 'size' is treated as u64 in linux kernel client code:
|
||||
|
||||
int p9_client_xattrcreate(struct p9_fid *fid, const char *name,
|
||||
u64 attr_size, int flags)
|
||||
|
||||
So the 'len' should have an type of 'uint64_t'.
|
||||
The 'copied_len' in V9fsXattr is used to account for copied bytes, it
|
||||
should also have an type of 'uint64_t'.
|
||||
|
||||
Suggested-by: Greg Kurz <groug@kaod.org>
|
||||
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Reviewed-by: Greg Kurz <groug@kaod.org>
|
||||
Signed-off-by: Greg Kurz <groug@kaod.org>
|
||||
(cherry picked from commit 8495f9ad26d398f01e208a53f1a5152483a16084)
|
||||
---
|
||||
hw/9pfs/9p.h | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/hw/9pfs/9p.h b/hw/9pfs/9p.h
|
||||
index 699235d81c..2067863100 100644
|
||||
--- a/hw/9pfs/9p.h
|
||||
+++ b/hw/9pfs/9p.h
|
||||
@@ -159,8 +159,8 @@ typedef struct V9fsConf
|
||||
|
||||
typedef struct V9fsXattr
|
||||
{
|
||||
- int64_t copied_len;
|
||||
- int64_t len;
|
||||
+ uint64_t copied_len;
|
||||
+ uint64_t len;
|
||||
void *value;
|
||||
V9fsString name;
|
||||
int flags;
|
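Review bot: Changing `copied_len` and `len` in V9fsXattr from `int64_t` to `uint64_t` turns every comparison or subtraction on those fields in 9p.c into unsigned arithmetic, and this patch touches only the header; any `len - off` style check that relied on a negative result changes meaning silently until the consumers are adjusted to match. A comment on the field would record the contract the new type expresses, e.g. `uint64_t len; /* size declared by Txattrcreate; guest-supplied, compare before subtracting */`. Only the `copied_len` through `flags` members of the struct are visible here.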
@ -0,0 +1,89 @@
|
||||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Tue, 1 Nov 2016 12:00:40 +0100
|
||||
Subject: [PATCH] 9pfs: fix integer overflow issue in xattr read/write
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The v9fs_xattr_read() and v9fs_xattr_write() are passed a guest
|
||||
originated offset: they must ensure this offset does not go beyond
|
||||
the size of the extended attribute that was set in v9fs_xattrcreate().
|
||||
Unfortunately, the current code implement these checks with unsafe
|
||||
calculations on 32 and 64 bit values, which may allow a malicious
|
||||
guest to cause OOB access anyway.
|
||||
|
||||
Fix this by comparing the offset and the xattr size, which are
|
||||
both uint64_t, before trying to compute the effective number of bytes
|
||||
to read or write.
|
||||
|
||||
Suggested-by: Greg Kurz <groug@kaod.org>
|
||||
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Reviewed-by: Greg Kurz <groug@kaod.org>
|
||||
Reviewed-By: Guido Günther <agx@sigxcpu.org>
|
||||
Signed-off-by: Greg Kurz <groug@kaod.org>
|
||||
(cherry picked from commit 7e55d65c56a03dcd2c5d7c49d37c5a74b55d4bd6)
|
||||
---
|
||||
hw/9pfs/9p.c | 32 ++++++++++++--------------------
|
||||
1 file changed, 12 insertions(+), 20 deletions(-)
|
||||
|
||||
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
|
||||
index ad57123aaf..9c18322945 100644
|
||||
--- a/hw/9pfs/9p.c
|
||||
+++ b/hw/9pfs/9p.c
|
||||
@@ -1629,20 +1629,17 @@ static int v9fs_xattr_read(V9fsState *s, V9fsPDU *pdu, V9fsFidState *fidp,
|
||||
{
|
||||
ssize_t err;
|
||||
size_t offset = 7;
|
||||
- int read_count;
|
||||
- int64_t xattr_len;
|
||||
+ uint64_t read_count;
|
||||
V9fsVirtioState *v = container_of(s, V9fsVirtioState, state);
|
||||
VirtQueueElement *elem = v->elems[pdu->idx];
|
||||
|
||||
- xattr_len = fidp->fs.xattr.len;
|
||||
- read_count = xattr_len - off;
|
||||
+ if (fidp->fs.xattr.len < off) {
|
||||
+ read_count = 0;
|
||||
+ } else {
|
||||
+ read_count = fidp->fs.xattr.len - off;
|
||||
+ }
|
||||
if (read_count > max_count) {
|
||||
read_count = max_count;
|
||||
- } else if (read_count < 0) {
|
||||
- /*
|
||||
- * read beyond XATTR value
|
||||
- */
|
||||
- read_count = 0;
|
||||
}
|
||||
err = pdu_marshal(pdu, offset, "d", read_count);
|
||||
if (err < 0) {
|
||||
@@ -1970,23 +1967,18 @@ static int v9fs_xattr_write(V9fsState *s, V9fsPDU *pdu, V9fsFidState *fidp,
|
||||
{
|
||||
int i, to_copy;
|
||||
ssize_t err = 0;
|
||||
- int write_count;
|
||||
- int64_t xattr_len;
|
||||
+ uint64_t write_count;
|
||||
size_t offset = 7;
|
||||
|
||||
|
||||
- xattr_len = fidp->fs.xattr.len;
|
||||
- write_count = xattr_len - off;
|
||||
- if (write_count > count) {
|
||||
- write_count = count;
|
||||
- } else if (write_count < 0) {
|
||||
- /*
|
||||
- * write beyond XATTR value len specified in
|
||||
- * xattrcreate
|
||||
- */
|
||||
+ if (fidp->fs.xattr.len < off) {
|
||||
err = -ENOSPC;
|
||||
goto out;
|
||||
}
|
||||
+ write_count = fidp->fs.xattr.len - off;
|
||||
+ if (write_count > count) {
|
||||
+ write_count = count;
|
||||
+ }
|
||||
err = pdu_marshal(pdu, offset, "d", write_count);
|
||||
if (err < 0) {
|
||||
return err;
|
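Review bot: In the v9fs_xattr_write hunk, `write_count` is now `uint64_t` while `to_copy` at `int i, to_copy;` stays `int`; any comparison or assignment between the two in the loop that follows (outside the hunk) still mixes signed and unsigned widths, which is the class of problem this patch sets out to remove. Widening `to_copy` in the same change, or a comment stating that `write_count` is already clamped to `count` before it reaches that loop, would close the gap. The same question applies to v9fs_xattr_read, where `read_count` is marshalled with `"d"` after being clamped to `max_count`, whose type is not visible here. Both functions continue past their hunks.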
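--- a/0026-9pfs-fix-memory-leak-in-v9fs_link.patch
+++ b/0026-9pfs-fix-memory-leak-in-v9fs_link.patch
@@ -0,0 +1,30 @@
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Mon, 17 Oct 2016 14:13:58 +0200
+Subject: [PATCH] 9pfs: fix memory leak in v9fs_link
+
+The v9fs_link() function keeps a reference on the source fid object. This
+causes a memory leak since the reference never goes down to 0. This patch
+fixes the issue.
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+Reviewed-by: Greg Kurz <groug@kaod.org>
+[groug, rephrased the changelog]
+Signed-off-by: Greg Kurz <groug@kaod.org>
+
+(cherry picked from commit 4c1586787ff43c9acd18a56c12d720e3e6be9f7c)
+---
+hw/9pfs/9p.c | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index 9c18322945..a4ee24fe74 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -2396,6 +2396,7 @@ static void v9fs_link(void *opaque)
+if (!err) {
+err = offset;
+}
++ put_fid(pdu, oldfidp);
+out:
+put_fid(pdu, dfidp);
+out_nofid: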
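Review bot: The added `put_fid(pdu, oldfidp)` sits just above the `out:` label, so it only runs on the path that falls through the end of v9fs_link; any `goto out` taken after `oldfidp` was acquired but before this line would still skip the release. The start of the function, where `oldfidp` is obtained and the earlier error exits live, is outside the hunk, so this needs checking there; if such an exit exists the release belongs at a label every one of those paths reaches. Otherwise a short comment, `/* balances the get_fid() on oldfidp above */`, would document the pairing.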
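--- a/0027-9pfs-fix-memory-leak-in-v9fs_write.patch
+++ b/0027-9pfs-fix-memory-leak-in-v9fs_write.patch
@@ -0,0 +1,31 @@
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Mon, 17 Oct 2016 14:13:58 +0200
+Subject: [PATCH] 9pfs: fix memory leak in v9fs_write
+
+If an error occurs when marshalling the transfer length to the guest, the
+v9fs_write() function doesn't free an IO vector, thus leading to a memory
+leak. This patch fixes the issue.
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+Reviewed-by: Greg Kurz <groug@kaod.org>
+[groug, rephrased the changelog]
+Signed-off-by: Greg Kurz <groug@kaod.org>
+
+(cherry picked from commit fdfcc9aeea1492f4b819a24c94dfb678145b1bf9)
+---
+hw/9pfs/9p.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index a4ee24fe74..03a5a35ea4 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -2073,7 +2073,7 @@ static void v9fs_write(void *opaque)
+offset = 7;
+err = pdu_marshal(pdu, offset, "d", total);
+if (err < 0) {
+- goto out;
++ goto out_qiov;
+}
+err += offset;
+trace_v9fs_write_return(pdu->tag, pdu->id, total, err);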
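--- a/0028-xen-fix-ioreq-handling.patch
+++ b/0028-xen-fix-ioreq-handling.patch
@@ -0,0 +1,71 @@
+From: Jan Beulich <JBeulich@suse.com>
+Date: Tue, 22 Nov 2016 05:56:51 -0700
+Subject: [PATCH] xen: fix ioreq handling
+
+Avoid double fetches and bounds check size to avoid overflowing
+internal variables.
+
+This is CVE-2016-9381 / XSA-197.
+
+Reported-by: yanghongke <yanghongke@huawei.com>
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
+Signed-off-by: Stefano Stabellini <sstabellini@kernel.org>
+(cherry picked from commit b85f9dfdb156ae2a2a52f39a36e9f1f270614cd2)
+---
+xen-hvm.c | 16 +++++++++++++++-
+1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/xen-hvm.c b/xen-hvm.c
+index 2f348edf86..097007d3ed 100644
+--- a/xen-hvm.c
++++ b/xen-hvm.c
+@@ -810,6 +810,10 @@ static void cpu_ioreq_pio(ioreq_t *req)
+trace_cpu_ioreq_pio(req, req->dir, req->df, req->data_is_ptr, req->addr,
+req->data, req->count, req->size);
+
++ if (req->size > sizeof(uint32_t)) {
++ hw_error("PIO: bad size (%u)", req->size);
++ }
++
+if (req->dir == IOREQ_READ) {
+if (!req->data_is_ptr) {
+req->data = do_inp(req->addr, req->size);
+@@ -846,6 +850,10 @@ static void cpu_ioreq_move(ioreq_t *req)
+trace_cpu_ioreq_move(req, req->dir, req->df, req->data_is_ptr, req->addr,
+req->data, req->count, req->size);
+
++ if (req->size > sizeof(req->data)) {
++ hw_error("MMIO: bad size (%u)", req->size);
++ }
++
+if (!req->data_is_ptr) {
+if (req->dir == IOREQ_READ) {
+for (i = 0; i < req->count; i++) {
+@@ -1010,11 +1018,13 @@ static int handle_buffered_iopage(XenIOState *state)
+req.df = 1;
+req.type = buf_req->type;
+req.data_is_ptr = 0;
++ xen_rmb();
+qw = (req.size == 8);
+if (qw) {
+buf_req = &buf_page->buf_ioreq[(rdptr + 1) %
+IOREQ_BUFFER_SLOT_NUM];
+req.data |= ((uint64_t)buf_req->data) << 32;
++ xen_rmb();
+}
+
+handle_ioreq(state, &req);
+@@ -1045,7 +1055,11 @@ static void cpu_handle_ioreq(void *opaque)
+
+handle_buffered_iopage(state);
+if (req) {
+- handle_ioreq(state, req);
++ ioreq_t copy = *req;
++
++ xen_rmb();
++ handle_ioreq(state, ©);
++ req->data = copy.data;
+
+if (req->state != STATE_IOREQ_INPROCESS) {
+fprintf(stderr, "Badness in I/O request ... not in service?!: "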
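Review bot: In the cpu_handle_ioreq hunk, after `handle_ioreq(state, &copy)` the code writes `req->data = copy.data` back and then tests `req->state` from the shared page again; re-reading `state` is presumably intentional because it is the guest/host handshake field, but nothing says so, and a reader will see it as exactly the double fetch the patch is removing. A comment on that test would settle it: `/* state is the handshake field and is intentionally read from the shared page, not the copy */`. The `©` on the `handle_ioreq(state, …)` line is the HTML entity `&copy;` as rendered by the page; the source reads `&copy`. cpu_handle_ioreq's body starts and ends outside the hunk.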
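--- a/0029-display-cirrus-check-vga-bits-per-pixel-bpp-value.patch
+++ b/0029-display-cirrus-check-vga-bits-per-pixel-bpp-value.patch
@@ -0,0 +1,73 @@
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Tue, 18 Oct 2016 13:15:17 +0530
+Subject: [PATCH] display: cirrus: check vga bits per pixel(bpp) value
+
+In Cirrus CLGD 54xx VGA Emulator, if cirrus graphics mode is VGA,
+'cirrus_get_bpp' returns zero(0), which could lead to a divide
+by zero error in while copying pixel data. The same could occur
+via blit pitch values. Add check to avoid it.
+
+Reported-by: Huawei PSIRT <psirt@huawei.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-id: 1476776717-24807-1-git-send-email-ppandit@redhat.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit 4299b90e9ba9ce5ca9024572804ba751aa1a7e70)
+---
+hw/display/cirrus_vga.c | 14 ++++++++++----
+1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
+index 3d712d592f..bdb092ee9d 100644
+--- a/hw/display/cirrus_vga.c
++++ b/hw/display/cirrus_vga.c
+@@ -272,6 +272,9 @@ static void cirrus_update_memory_access(CirrusVGAState *s);
+static bool blit_region_is_unsafe(struct CirrusVGAState *s,
+int32_t pitch, int32_t addr)
+{
++ if (!pitch) {
++ return true;
++ }
+if (pitch < 0) {
+int64_t min = addr
++ ((int64_t)s->cirrus_blt_height-1) * pitch;
+@@ -715,7 +718,7 @@ static int cirrus_bitblt_videotovideo_patterncopy(CirrusVGAState * s)
+s->cirrus_addr_mask));
+}
+
+-static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
++static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
+{
+int sx = 0, sy = 0;
+int dx = 0, dy = 0;
+@@ -729,6 +732,9 @@ static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
+int width, height;
+
+depth = s->vga.get_bpp(&s->vga) / 8;
++ if (!depth) {
++ return 0;
++ }
+s->vga.get_resolution(&s->vga, &width, &height);
+
+/* extra x, y */
+@@ -783,6 +789,8 @@ static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
+cirrus_invalidate_region(s, s->cirrus_blt_dstaddr,
+s->cirrus_blt_dstpitch, s->cirrus_blt_width,
+s->cirrus_blt_height);
++
++ return 1;
+}
+
+static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
+@@ -790,11 +798,9 @@ static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
+if (blit_is_unsafe(s))
+return 0;
+
+- cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr,
++ return cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr,
+s->cirrus_blt_srcaddr - s->vga.start_addr,
+s->cirrus_blt_width, s->cirrus_blt_height);
+-
+- return 1;
+}
+
+/***************************************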
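Review bot: `cirrus_do_copy` now returns `int`, but neither the new `return 0` after the `depth` check nor the `return 1` at the end says what the value means, and `cirrus_bitblt_videotovideo_copy` forwards it straight to its own caller. A header comment would fix the contract: `/* Returns 1 if the blit was performed, 0 if it was skipped (bpp 0 in VGA mode). */`. The new `if (!pitch) return true;` in blit_region_is_unsafe refuses a zero pitch unconditionally; if a single-line blit with pitch 0 is legal for this device that case is now rejected too, and the commit message does not say either way. All three functions continue outside their hunks.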
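--- a/0030-net-mcf-check-receive-buffer-size-register-value.patch
+++ b/0030-net-mcf-check-receive-buffer-size-register-value.patch
@@ -0,0 +1,31 @@
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Tue, 29 Nov 2016 00:38:39 +0530
+Subject: [PATCH] net: mcf: check receive buffer size register value
+
+ColdFire Fast Ethernet Controller uses a receive buffer size
+register(EMRBR) to hold maximum size of all receive buffers.
+It is set by a user before any operation. If it was set to be
+zero, ColdFire emulator would go into an infinite loop while
+receiving data in mcf_fec_receive. Add check to avoid it.
+
+Reported-by: Wjjzhang <wjjzhang@tencent.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+(cherry picked from commit 77d54985b85a0cb760330ec2bd92505e0a2a97a9)
+---
+hw/net/mcf_fec.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/mcf_fec.c b/hw/net/mcf_fec.c
+index d31fea1f18..3d4b3b3b39 100644
+--- a/hw/net/mcf_fec.c
++++ b/hw/net/mcf_fec.c
+@@ -393,7 +393,7 @@ static void mcf_fec_write(void *opaque, hwaddr addr,
+s->tx_descriptor = s->etdsr;
+break;
+case 0x188:
+- s->emrbr = value & 0x7f0;
++ s->emrbr = value > 0 ? value & 0x7F0 : 0x7F0;
+break;
+default:
+hw_error("mcf_fec_write Bad address 0x%x\n", (int)addr);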
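Review bot: The new `value > 0 ? value & 0x7F0 : 0x7F0` in mcf_fec_write tests the unmasked register value, so a non-zero write whose masked result is zero (any value with bits 4–10 clear, e.g. 0x8 or 0x800) still stores `emrbr = 0`, which is the state the commit sets out to prevent. The check belongs on the masked value: `s->emrbr = (value & 0x7F0) ? (value & 0x7F0) : 0x7F0;`. A comment saying that the fallback is the register's full-size default would also help, since 0x7F0 appears twice with no name. mcf_fec_write's body starts and ends outside the hunk.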
@ -0,0 +1,34 @@
|
||||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Tue, 1 Nov 2016 02:53:11 -0700
|
||||
Subject: [PATCH] virtio-gpu: fix information leak in getting capset info
|
||||
dispatch
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
In virgl_cmd_get_capset_info dispatch function, the 'resp' hasn't
|
||||
been full initialized before writing to the guest. This will leak
|
||||
the 'resp.padding' and 'resp.hdr.padding' fieds to the guest. This
|
||||
patch fix this issue.
|
||||
|
||||
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Message-id: 5818661e.0860240a.77264.7a56@mx.google.com
|
||||
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit 42a8dadc74f8982fc269e54e3c5627b54d9f83d8)
|
||||
---
|
||||
hw/display/virtio-gpu-3d.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
|
||||
index 758d33a09d..23f39de94d 100644
|
||||
--- a/hw/display/virtio-gpu-3d.c
|
||||
+++ b/hw/display/virtio-gpu-3d.c
|
||||
@@ -347,6 +347,7 @@ static void virgl_cmd_get_capset_info(VirtIOGPU *g,
|
||||
|
||||
VIRTIO_GPU_FILL_CMD(info);
|
||||
|
||||
+ memset(&resp, 0, sizeof(resp));
|
||||
if (info.capset_index == 0) {
|
||||
resp.capset_id = VIRTIO_GPU_CAPSET_VIRGL;
|
||||
virgl_renderer_get_cap_set(resp.capset_id,
|
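Review bot: The `memset(&resp, 0, sizeof(resp))` in virgl_cmd_get_capset_info is the right tool here rather than a `= {0}` initialiser at the declaration, because the message names padding fields and a brace initialiser does not guarantee the values of padding bytes, while memset does; that reasoning is not written down and a later tidy-up could swap it. A comment on the memset would preserve it: `/* memset, not = {0}: named fields and padding bytes both reach the guest */`. The declaration of `resp` and the rest of the function are outside the hunk.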
@ -0,0 +1,33 @@
|
||||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Tue, 1 Nov 2016 04:06:58 -0700
|
||||
Subject: [PATCH] virtio-gpu: fix memory leak in update_cursor_data_virgl
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
In update_cursor_data_virgl function, if the 'width'/ 'height'
|
||||
is not equal to current cursor's width/height it will return
|
||||
without free the 'data' allocated previously. This will lead
|
||||
a memory leak issue. This patch fix this issue.
|
||||
|
||||
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Message-id: 58187760.41d71c0a.cca75.4cb9@mx.google.com
|
||||
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit 2d1cd6c7a91a4beb99a0c3a21be529222a708545)
|
||||
---
|
||||
hw/display/virtio-gpu.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
|
||||
index 5b6d17be00..41f80965a6 100644
|
||||
--- a/hw/display/virtio-gpu.c
|
||||
+++ b/hw/display/virtio-gpu.c
|
||||
@@ -84,6 +84,7 @@ static void update_cursor_data_virgl(VirtIOGPU *g,
|
||||
|
||||
if (width != s->current_cursor->width ||
|
||||
height != s->current_cursor->height) {
|
||||
+ free(data);
|
||||
return;
|
||||
}
|
||||
|
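Review bot: The added `free(data)` in update_cursor_data_virgl uses the C library free where QEMU code generally pairs allocations with g_free; that is correct only if `data` comes from a plain `malloc`, presumably inside virglrenderer, and the allocation is not visible in the hunk. A comment would stop a well-meaning conversion to g_free: `free(data); /* malloc'd by virglrenderer, not g_malloc */`. The function's body starts and ends outside the hunk.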
@ -0,0 +1,51 @@
|
||||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Mon, 7 Nov 2016 21:57:46 -0800
|
||||
Subject: [PATCH] usbredir: free vm_change_state_handler in usbredir destroy
|
||||
dispatch
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
In usbredir destroy dispatch function, it doesn't free the vm change
|
||||
state handler once registered in usbredir_realize function. This will
|
||||
lead a memory leak issue. This patch avoid this.
|
||||
|
||||
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
||||
Message-id: 58216976.d0236b0a.77b99.bcd6@mx.google.com
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit 07b026fd82d6cf11baf7d7c603c4f5f6070b35bf)
|
||||
---
|
||||
hw/usb/redirect.c | 5 ++++-
|
||||
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
|
||||
index d4ca026f00..d064961203 100644
|
||||
--- a/hw/usb/redirect.c
|
||||
+++ b/hw/usb/redirect.c
|
||||
@@ -132,6 +132,7 @@ struct USBRedirDevice {
|
||||
struct usbredirfilter_rule *filter_rules;
|
||||
int filter_rules_count;
|
||||
int compatible_speedmask;
|
||||
+ VMChangeStateEntry *vmstate;
|
||||
};
|
||||
|
||||
#define TYPE_USB_REDIR "usb-redir"
|
||||
@@ -1409,7 +1410,8 @@ static void usbredir_realize(USBDevice *udev, Error **errp)
|
||||
qemu_chr_add_handlers(dev->cs, usbredir_chardev_can_read,
|
||||
usbredir_chardev_read, usbredir_chardev_event, dev);
|
||||
|
||||
- qemu_add_vm_change_state_handler(usbredir_vm_state_change, dev);
|
||||
+ dev->vmstate =
|
||||
+ qemu_add_vm_change_state_handler(usbredir_vm_state_change, dev);
|
||||
}
|
||||
|
||||
static void usbredir_cleanup_device_queues(USBRedirDevice *dev)
|
||||
@@ -1446,6 +1448,7 @@ static void usbredir_handle_destroy(USBDevice *udev)
|
||||
}
|
||||
|
||||
free(dev->filter_rules);
|
||||
+ qemu_del_vm_change_state_handler(dev->vmstate);
|
||||
}
|
||||
|
||||
static int usbredir_check_filter(USBRedirDevice *dev)
|
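Review bot: `usbredir_handle_destroy` now calls `qemu_del_vm_change_state_handler(dev->vmstate)` unconditionally, yet the only assignment to the new `vmstate` field is the last statement of `usbredir_realize`; if realize can fail before that line and destroy still runs (not visible here), the field holds whatever the object allocation left there — presumably NULL, but that is an assumption to confirm. A guard `if (dev->vmstate) { qemu_del_vm_change_state_handler(dev->vmstate); }` keeps the teardown safe whatever realize reached, and `dev->vmstate = NULL;` after it makes a repeated destroy harmless. Both enclosing functions start outside the hunks.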
28
0034-usb-ehci-fix-memory-leak-in-ehci_init_transfer.patch
@ -0,0 +1,28 @@
|
||||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Tue, 8 Nov 2016 04:11:10 -0800
|
||||
Subject: [PATCH] usb: ehci: fix memory leak in ehci_init_transfer
|
||||
|
||||
In ehci_init_transfer function, if the 'cpage' is bigger than 4,
|
||||
it doesn't free the 'p->sgl' once allocated previously thus leading
|
||||
a memory leak issue. This patch avoid this.
|
||||
|
||||
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Message-id: 5821c0f4.091c6b0a.e0c92.e811@mx.google.com
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit 791f97758e223de3290592d169f8e6339c281714)
|
||||
---
|
||||
hw/usb/hcd-ehci.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
|
||||
index f4ece9abed..7622a3ae72 100644
|
||||
--- a/hw/usb/hcd-ehci.c
|
||||
+++ b/hw/usb/hcd-ehci.c
|
||||
@@ -1190,6 +1190,7 @@ static int ehci_init_transfer(EHCIPacket *p)
|
||||
while (bytes > 0) {
|
||||
if (cpage > 4) {
|
||||
fprintf(stderr, "cpage out of range (%d)\n", cpage);
|
||||
+ qemu_sglist_destroy(&p->sgl);
|
||||
return -1;
|
||||
}
|
||||
|
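Review bot: The added `qemu_sglist_destroy(&p->sgl)` closes this exit, but the `cpage > 4` condition it sits under is guest-controlled and is still reported with `fprintf(stderr, ...)`, which a guest can trigger without limit; `qemu_log_mask(LOG_GUEST_ERROR, "ehci: cpage out of range (%d)\n", cpage);` keeps the diagnostic under the guest-error log mask instead of unconditional stderr output. If the `while (bytes > 0)` body has any other early return after `p->sgl` is initialised, it needs the same cleanup; the function starts and ends outside the hunk.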
@ -0,0 +1,40 @@
|
||||
From: Li Qiang <liq3ea@gmail.com>
|
||||
Date: Wed, 23 Nov 2016 13:53:34 +0100
|
||||
Subject: [PATCH] 9pfs: adjust the order of resource cleanup in device
|
||||
unrealize
|
||||
|
||||
Unrealize should undo things that were set during realize in
|
||||
reverse order. So should do in the error path in realize.
|
||||
|
||||
Signed-off-by: Li Qiang <liq3ea@gmail.com>
|
||||
Reviewed-by: Greg Kurz <groug@kaod.org>
|
||||
Signed-off-by: Greg Kurz <groug@kaod.org>
|
||||
(cherry picked from commit 4774718e5c194026ba5ee7a28d9be49be3080e42)
|
||||
---
|
||||
hw/9pfs/9p.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
|
||||
index 03a5a35ea4..1b7dd8437c 100644
|
||||
--- a/hw/9pfs/9p.c
|
||||
+++ b/hw/9pfs/9p.c
|
||||
@@ -3492,8 +3492,8 @@ int v9fs_device_realize_common(V9fsState *s, Error **errp)
|
||||
rc = 0;
|
||||
out:
|
||||
if (rc) {
|
||||
- g_free(s->ctx.fs_root);
|
||||
g_free(s->tag);
|
||||
+ g_free(s->ctx.fs_root);
|
||||
v9fs_path_free(&path);
|
||||
}
|
||||
return rc;
|
||||
@@ -3501,8 +3501,8 @@ out:
|
||||
|
||||
void v9fs_device_unrealize_common(V9fsState *s, Error **errp)
|
||||
{
|
||||
- g_free(s->ctx.fs_root);
|
||||
g_free(s->tag);
|
||||
+ g_free(s->ctx.fs_root);
|
||||
}
|
||||
|
||||
static void __attribute__((__constructor__)) v9fs_set_fd_limit(void)
|
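Review bot: After this reorder the error path of `v9fs_device_realize_common` and the body of `v9fs_device_unrealize_common` are the same two frees written twice, which is exactly how the original ordering came to differ between them. A small helper, `static void v9fs_device_cleanup(V9fsState *s)` containing `g_free(s->tag); g_free(s->ctx.fs_root);`, called from both places would keep the two sequences in step as more teardown is added. `v9fs_device_realize_common` begins outside the first hunk.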
53
0036-9pfs-add-cleanup-operation-in-FileOperations.patch
@ -0,0 +1,53 @@
|
||||
From: Li Qiang <liq3ea@gmail.com>
|
||||
Date: Wed, 23 Nov 2016 13:53:34 +0100
|
||||
Subject: [PATCH] 9pfs: add cleanup operation in FileOperations
|
||||
|
||||
Currently, the backend of VirtFS doesn't have a cleanup
|
||||
function. This will lead resource leak issues if the backed
|
||||
driver allocates resources. This patch addresses this issue.
|
||||
|
||||
Signed-off-by: Li Qiang <liq3ea@gmail.com>
|
||||
Reviewed-by: Greg Kurz <groug@kaod.org>
|
||||
Signed-off-by: Greg Kurz <groug@kaod.org>
|
||||
(cherry picked from commit 702dbcc274e2ca43be20ba64c758c0ca57dab91d)
|
||||
---
|
||||
fsdev/file-op-9p.h | 1 +
|
||||
hw/9pfs/9p.c | 6 ++++++
|
||||
2 files changed, 7 insertions(+)
|
||||
|
||||
diff --git a/fsdev/file-op-9p.h b/fsdev/file-op-9p.h
|
||||
index 6db9feac8f..a56dc8488d 100644
|
||||
--- a/fsdev/file-op-9p.h
|
||||
+++ b/fsdev/file-op-9p.h
|
||||
@@ -100,6 +100,7 @@ struct FileOperations
|
||||
{
|
||||
int (*parse_opts)(QemuOpts *, struct FsDriverEntry *);
|
||||
int (*init)(struct FsContext *);
|
||||
+ void (*cleanup)(struct FsContext *);
|
||||
int (*lstat)(FsContext *, V9fsPath *, struct stat *);
|
||||
ssize_t (*readlink)(FsContext *, V9fsPath *, char *, size_t);
|
||||
int (*chmod)(FsContext *, V9fsPath *, FsCred *);
|
||||
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
|
||||
index 1b7dd8437c..641a348234 100644
|
||||
--- a/hw/9pfs/9p.c
|
||||
+++ b/hw/9pfs/9p.c
|
||||
@@ -3492,6 +3492,9 @@ int v9fs_device_realize_common(V9fsState *s, Error **errp)
|
||||
rc = 0;
|
||||
out:
|
||||
if (rc) {
|
||||
+ if (s->ops->cleanup && s->ctx.private) {
|
||||
+ s->ops->cleanup(&s->ctx);
|
||||
+ }
|
||||
g_free(s->tag);
|
||||
g_free(s->ctx.fs_root);
|
||||
v9fs_path_free(&path);
|
||||
@@ -3501,6 +3504,9 @@ out:
|
||||
|
||||
void v9fs_device_unrealize_common(V9fsState *s, Error **errp)
|
||||
{
|
||||
+ if (s->ops->cleanup) {
|
||||
+ s->ops->cleanup(&s->ctx);
|
||||
+ }
|
||||
g_free(s->tag);
|
||||
g_free(s->ctx.fs_root);
|
||||
}
|
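Review bot: The new `cleanup` member of `struct FileOperations` has no comment, and the two call sites disagree on its contract: the realize error path invokes it only when `s->ctx.private` is set, while `v9fs_device_unrealize_common` invokes it whenever the callback exists. A comment on the header line, `/* Release everything init() allocated; may be called with ctx->private == NULL if init() failed. */`, would fix which side owns that check, after which the two `if` conditions should read the same. A backend that allocates in `init` but supplies no `cleanup` still leaks silently, which is worth stating in the same comment.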
@ -0,0 +1,44 @@
|
||||
From: Li Qiang <liq3ea@gmail.com>
|
||||
Date: Wed, 23 Nov 2016 13:53:34 +0100
|
||||
Subject: [PATCH] 9pfs: add cleanup operation for handle backend driver
|
||||
|
||||
In the init operation of handle backend dirver, it allocates a
|
||||
handle_data struct and opens a mount file. We should free these
|
||||
resources when the 9pfs device is unrealized. This is what this
|
||||
patch does.
|
||||
|
||||
Signed-off-by: Li Qiang <liq3ea@gmail.com>
|
||||
Reviewed-by: Greg Kurz <groug@kaod.org>
|
||||
Signed-off-by: Greg Kurz <groug@kaod.org>
|
||||
(cherry picked from commit 971f406b77a6eb84e0ad27dcc416b663765aee30)
|
||||
---
|
||||
hw/9pfs/9p-handle.c | 9 +++++++++
|
||||
1 file changed, 9 insertions(+)
|
||||
|
||||
diff --git a/hw/9pfs/9p-handle.c b/hw/9pfs/9p-handle.c
|
||||
index 3d77594f92..1687661bc9 100644
|
||||
--- a/hw/9pfs/9p-handle.c
|
||||
+++ b/hw/9pfs/9p-handle.c
|
||||
@@ -649,6 +649,14 @@ out:
|
||||
return ret;
|
||||
}
|
||||
|
||||
+static void handle_cleanup(FsContext *ctx)
|
||||
+{
|
||||
+ struct handle_data *data = ctx->private;
|
||||
+
|
||||
+ close(data->mountfd);
|
||||
+ g_free(data);
|
||||
+}
|
||||
+
|
||||
static int handle_parse_opts(QemuOpts *opts, struct FsDriverEntry *fse)
|
||||
{
|
||||
const char *sec_model = qemu_opt_get(opts, "security_model");
|
||||
@@ -671,6 +679,7 @@ static int handle_parse_opts(QemuOpts *opts, struct FsDriverEntry *fse)
|
||||
FileOperations handle_ops = {
|
||||
.parse_opts = handle_parse_opts,
|
||||
.init = handle_init,
|
||||
+ .cleanup = handle_cleanup,
|
||||
.lstat = handle_lstat,
|
||||
.readlink = handle_readlink,
|
||||
.close = handle_close,
|
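Review bot: `handle_cleanup` frees `data` but leaves `ctx->private` pointing at the freed struct, and the generic 9p.c code added earlier in this series decides whether to call cleanup by testing `s->ctx.private`, so a second cleanup call would be a double free. Finishing the function with `ctx->private = NULL;` closes that window. `close(data->mountfd)` is unchecked, which is usual in teardown, but if `handle_init` can fail after allocating `data` and before opening the mount fd, the value may be -1 — confirm against `handle_init`, which is outside the hunk.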
@ -0,0 +1,44 @@
|
||||
From: Li Qiang <liq3ea@gmail.com>
|
||||
Date: Wed, 23 Nov 2016 13:53:34 +0100
|
||||
Subject: [PATCH] 9pfs: add cleanup operation for proxy backend driver
|
||||
|
||||
In the init operation of proxy backend dirver, it allocates a
|
||||
V9fsProxy struct and some other resources. We should free these
|
||||
resources when the 9pfs device is unrealized. This is what this
|
||||
patch does.
|
||||
|
||||
Signed-off-by: Li Qiang <liq3ea@gmail.com>
|
||||
Reviewed-by: Greg Kurz <groug@kaod.org>
|
||||
Signed-off-by: Greg Kurz <groug@kaod.org>
|
||||
(cherry picked from commit 898ae90a44551d25b8e956fd87372d303c82fe68)
|
||||
---
|
||||
hw/9pfs/9p-proxy.c | 13 +++++++++++++
|
||||
1 file changed, 13 insertions(+)
|
||||
|
||||
diff --git a/hw/9pfs/9p-proxy.c b/hw/9pfs/9p-proxy.c
|
||||
index f265501eac..336e9fef84 100644
|
||||
--- a/hw/9pfs/9p-proxy.c
|
||||
+++ b/hw/9pfs/9p-proxy.c
|
||||
@@ -1179,9 +1179,22 @@ static int proxy_init(FsContext *ctx)
|
||||
return 0;
|
||||
}
|
||||
|
||||
+static void proxy_cleanup(FsContext *ctx)
|
||||
+{
|
||||
+ V9fsProxy *proxy = ctx->private;
|
||||
+
|
||||
+ g_free(proxy->out_iovec.iov_base);
|
||||
+ g_free(proxy->in_iovec.iov_base);
|
||||
+ if (ctx->export_flags & V9FS_PROXY_SOCK_NAME) {
|
||||
+ close(proxy->sockfd);
|
||||
+ }
|
||||
+ g_free(proxy);
|
||||
+}
|
||||
+
|
||||
FileOperations proxy_ops = {
|
||||
.parse_opts = proxy_parse_opts,
|
||||
.init = proxy_init,
|
||||
+ .cleanup = proxy_cleanup,
|
||||
.lstat = proxy_lstat,
|
||||
.readlink = proxy_readlink,
|
||||
.close = proxy_close,
|
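Review bot: `proxy_cleanup` dereferences `ctx->private` without a NULL check, although `v9fs_device_unrealize_common` in this series calls `cleanup` whenever the callback exists rather than only when `ctx->private` is set. A guard at the top, `if (!proxy) { return; }`, together with `ctx->private = NULL;` at the end, makes the function safe to call on any state and harmless if called twice. If `proxy_init` sets up anything beyond the two iovec buffers and the socket — a mutex, for instance — it belongs here as well; `proxy_init` is outside the hunk, so confirm.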
29
0039-9pfs-fix-crash-when-fsdev-is-missing.patch
@ -0,0 +1,29 @@
|
||||
From: Greg Kurz <groug@kaod.org>
|
||||
Date: Tue, 3 Jan 2017 17:28:44 +0100
|
||||
Subject: [PATCH] 9pfs: fix crash when fsdev is missing
|
||||
|
||||
If the user passes -device virtio-9p without the corresponding -fsdev, QEMU
|
||||
dereferences a NULL pointer and crashes.
|
||||
|
||||
This is a 2.8 regression introduced by commit 702dbcc274e2c.
|
||||
|
||||
Signed-off-by: Greg Kurz <groug@kaod.org>
|
||||
Reviewed-by: Li Qiang <liq3ea@gmail.com>
|
||||
(cherry picked from commit f2b58c43758efc61e2a49b899f5e58848489d0dc)
|
||||
---
|
||||
hw/9pfs/9p.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
|
||||
index 641a348234..9a89f75d90 100644
|
||||
--- a/hw/9pfs/9p.c
|
||||
+++ b/hw/9pfs/9p.c
|
||||
@@ -3492,7 +3492,7 @@ int v9fs_device_realize_common(V9fsState *s, Error **errp)
|
||||
rc = 0;
|
||||
out:
|
||||
if (rc) {
|
||||
- if (s->ops->cleanup && s->ctx.private) {
|
||||
+ if (s->ops && s->ops->cleanup && s->ctx.private) {
|
||||
s->ops->cleanup(&s->ctx);
|
||||
}
|
||||
g_free(s->tag);
|
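Review bot: The added `s->ops &&` guard covers only the realize error path; `v9fs_device_unrealize_common`, introduced in the earlier 9p.c hunk of this series, still reads `s->ops->cleanup` unguarded. Whether unrealize can run for a device whose realize failed is not visible here: if it can, `if (s->ops && s->ops->cleanup)` there closes the same NULL dereference, and if it cannot, a one-line comment at that site saying `s->ops` is non-NULL after a successful realize saves the next reader the same question.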
@ -0,0 +1,37 @@
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Wed, 14 Dec 2016 12:31:56 +0530
|
||||
Subject: [PATCH] display: virtio-gpu-3d: check virgl capabilities max_size
|
||||
|
||||
Virtio GPU device while processing 'VIRTIO_GPU_CMD_GET_CAPSET'
|
||||
command, retrieves the maximum capabilities size to fill in the
|
||||
response object. It continues to fill in capabilities even if
|
||||
retrieved 'max_size' is zero(0), thus resulting in OOB access.
|
||||
Add check to avoid it.
|
||||
|
||||
Reported-by: Zhenhao Hong <zhenhaohong@gmail.com>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-id: 20161214070156.23368-1-ppandit@redhat.com
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit abd7f08b2353f43274b785db8c7224f082ef4d31)
|
||||
---
|
||||
hw/display/virtio-gpu-3d.c | 6 +++++-
|
||||
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
|
||||
index 23f39de94d..e29f099bd5 100644
|
||||
--- a/hw/display/virtio-gpu-3d.c
|
||||
+++ b/hw/display/virtio-gpu-3d.c
|
||||
@@ -371,8 +371,12 @@ static void virgl_cmd_get_capset(VirtIOGPU *g,
|
||||
|
||||
virgl_renderer_get_cap_set(gc.capset_id, &max_ver,
|
||||
&max_size);
|
||||
- resp = g_malloc(sizeof(*resp) + max_size);
|
||||
+ if (!max_size) {
|
||||
+ cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER;
|
||||
+ return;
|
||||
+ }
|
||||
|
||||
+ resp = g_malloc(sizeof(*resp) + max_size);
|
||||
resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
|
||||
virgl_renderer_fill_caps(gc.capset_id,
|
||||
gc.capset_version,
|
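Review bot: The `!max_size` rejection relies on `virgl_renderer_get_cap_set` writing `max_size` for an unknown `capset_id`; the declaration of `max_size` is outside the hunk, and if it is left uninitialised a renderer that does not touch it on error would pass the check with a stale value. Initialising at declaration, `uint32_t max_size = 0;`, makes the guard independent of the renderer's error behaviour. The rejected command is silent toward the host; a trace point or `qemu_log_mask(LOG_GUEST_ERROR, ...)` here would make a driver that probes capsets observable during triage.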
@ -0,0 +1,37 @@
|
||||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Tue, 1 Nov 2016 05:37:57 -0700
|
||||
Subject: [PATCH] virtio-gpu: fix information leak in capset get dispatch
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
In virgl_cmd_get_capset function, it uses g_malloc to allocate
|
||||
a response struct to the guest. As the 'resp'struct hasn't been full
|
||||
initialized it will lead the 'resp->padding' field to the guest.
|
||||
Use g_malloc0 to avoid this.
|
||||
|
||||
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
||||
Message-id: 58188cae.4a6ec20a.3d2d1.aff2@mx.google.com
|
||||
|
||||
[ kraxel: resolved conflict ]
|
||||
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit 85d9d044471f93c48c5c396f7e217b4ef12f69f8)
|
||||
---
|
||||
hw/display/virtio-gpu-3d.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
|
||||
index e29f099bd5..cdd03a47bd 100644
|
||||
--- a/hw/display/virtio-gpu-3d.c
|
||||
+++ b/hw/display/virtio-gpu-3d.c
|
||||
@@ -376,7 +376,7 @@ static void virgl_cmd_get_capset(VirtIOGPU *g,
|
||||
return;
|
||||
}
|
||||
|
||||
- resp = g_malloc(sizeof(*resp) + max_size);
|
||||
+ resp = g_malloc0(sizeof(*resp) + max_size);
|
||||
resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
|
||||
virgl_renderer_fill_caps(gc.capset_id,
|
||||
gc.capset_version,
|
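Review bot: The switch to `g_malloc0` carries no comment, and the reason is not evident from the line itself: `resp` is copied back to the guest, so any byte the code never writes (the `padding` field named in the description) is disclosed. A comment above the allocation, `/* zeroed: the whole struct, padding included, is returned to the guest */`, keeps a future cleanup from reverting this to `g_malloc`.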
@ -0,0 +1,41 @@
|
||||
From: Li Qiang <liq3ea@gmail.com>
|
||||
Date: Mon, 28 Nov 2016 21:29:25 -0500
|
||||
Subject: [PATCH] virtio-gpu: call cleanup mapping function in resource destroy
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
If the guest destroy the resource before detach banking, the 'iov'
|
||||
and 'addrs' field in resource is not freed thus leading memory
|
||||
leak issue. This patch avoid this.
|
||||
|
||||
Signed-off-by: Li Qiang <liq3ea@gmail.com>
|
||||
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
||||
Message-id: 1480386565-10077-1-git-send-email-liq3ea@gmail.com
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit b8e23926c568f2e963af39028b71c472e3023793)
|
||||
---
|
||||
hw/display/virtio-gpu.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
|
||||
index 41f80965a6..8903dee4f5 100644
|
||||
--- a/hw/display/virtio-gpu.c
|
||||
+++ b/hw/display/virtio-gpu.c
|
||||
@@ -28,6 +28,8 @@
|
||||
static struct virtio_gpu_simple_resource*
|
||||
virtio_gpu_find_resource(VirtIOGPU *g, uint32_t resource_id);
|
||||
|
||||
+static void virtio_gpu_cleanup_mapping(struct virtio_gpu_simple_resource *res);
|
||||
+
|
||||
#ifdef CONFIG_VIRGL
|
||||
#include <virglrenderer.h>
|
||||
#define VIRGL(_g, _virgl, _simple, ...) \
|
||||
@@ -359,6 +361,7 @@ static void virtio_gpu_resource_destroy(VirtIOGPU *g,
|
||||
struct virtio_gpu_simple_resource *res)
|
||||
{
|
||||
pixman_image_unref(res->image);
|
||||
+ virtio_gpu_cleanup_mapping(res);
|
||||
QTAILQ_REMOVE(&g->reslist, res, next);
|
||||
g_free(res);
|
||||
}
|
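Review bot: The forward declaration `static void virtio_gpu_cleanup_mapping(struct virtio_gpu_simple_resource *res);` exists only because `virtio_gpu_resource_destroy` now calls a function defined later in the file; moving that definition above its first use would drop the prototype and remove the chance of the two signatures drifting apart. If the definition order is deliberate, a short comment next to the prototype saying so would stop the next reader from moving it.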
61
0043-net-imx-limit-buffer-descriptor-count.patch
@ -0,0 +1,61 @@
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Thu, 2 Feb 2017 16:16:24 +0530
|
||||
Subject: [PATCH] net: imx: limit buffer descriptor count
|
||||
|
||||
i.MX Fast Ethernet Controller uses buffer descriptors to manage
|
||||
data flow to/fro receive & transmit queues. While transmitting
|
||||
packets, it could continue to read buffer descriptors if a buffer
|
||||
descriptor has length of zero and has crafted values in bd.flags.
|
||||
Set an upper limit to number of buffer descriptors.
|
||||
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
||||
(cherry picked from commit 81f17e0d435c3db3a3e67e0d32ebf9c98973211f)
|
||||
---
|
||||
hw/net/imx_fec.c | 10 ++++++----
|
||||
1 file changed, 6 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c
|
||||
index 1c415ab3b1..6b42c10d96 100644
|
||||
--- a/hw/net/imx_fec.c
|
||||
+++ b/hw/net/imx_fec.c
|
||||
@@ -55,6 +55,8 @@
|
||||
} \
|
||||
} while (0)
|
||||
|
||||
+#define IMX_MAX_DESC 1024
|
||||
+
|
||||
static const char *imx_default_reg_name(IMXFECState *s, uint32_t index)
|
||||
{
|
||||
static char tmp[20];
|
||||
@@ -402,12 +404,12 @@ static void imx_eth_update(IMXFECState *s)
|
||||
|
||||
static void imx_fec_do_tx(IMXFECState *s)
|
||||
{
|
||||
- int frame_size = 0;
|
||||
+ int frame_size = 0, descnt = 0;
|
||||
uint8_t frame[ENET_MAX_FRAME_SIZE];
|
||||
uint8_t *ptr = frame;
|
||||
uint32_t addr = s->tx_descriptor;
|
||||
|
||||
- while (1) {
|
||||
+ while (descnt++ < IMX_MAX_DESC) {
|
||||
IMXFECBufDesc bd;
|
||||
int len;
|
||||
|
||||
@@ -453,12 +455,12 @@ static void imx_fec_do_tx(IMXFECState *s)
|
||||
|
||||
static void imx_enet_do_tx(IMXFECState *s)
|
||||
{
|
||||
- int frame_size = 0;
|
||||
+ int frame_size = 0, descnt = 0;
|
||||
uint8_t frame[ENET_MAX_FRAME_SIZE];
|
||||
uint8_t *ptr = frame;
|
||||
uint32_t addr = s->tx_descriptor;
|
||||
|
||||
- while (1) {
|
||||
+ while (descnt++ < IMX_MAX_DESC) {
|
||||
IMXENETBufDesc bd;
|
||||
int len;
|
||||
|
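Review bot: When `descnt++ < IMX_MAX_DESC` ends the loop in `imx_fec_do_tx` and `imx_enet_do_tx`, the exit is silent and looks like an ordinary end of the descriptor ring, so a guest that hits the cap cannot be told apart from a well-behaved one in the logs. A `qemu_log_mask(LOG_GUEST_ERROR, ...)` after the loop when `descnt > IMX_MAX_DESC` would make the condition visible; the loop bodies and their normal exits are outside the hunks. `#define IMX_MAX_DESC 1024` also deserves a comment saying where 1024 comes from — a ring-size bound or simply a value large enough for any sane ring — now that it is a behaviour limit.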
49
0044-audio-ac97-add-exit-function.patch
@ -0,0 +1,49 @@
|
||||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Wed, 14 Dec 2016 18:30:21 -0800
|
||||
Subject: [PATCH] audio: ac97: add exit function
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Currently the ac97 device emulation doesn't have a exit function,
|
||||
hot unplug this device will leak some memory. Add a exit function to
|
||||
avoid this.
|
||||
|
||||
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
||||
Message-id: 58520052.4825ed0a.27a71.6cae@mx.google.com
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit 12351a91da97b414eec8cdb09f1d9f41e535a401)
|
||||
---
|
||||
hw/audio/ac97.c | 11 +++++++++++
|
||||
1 file changed, 11 insertions(+)
|
||||
|
||||
diff --git a/hw/audio/ac97.c b/hw/audio/ac97.c
|
||||
index cbd959e0bd..c30657501c 100644
|
||||
--- a/hw/audio/ac97.c
|
||||
+++ b/hw/audio/ac97.c
|
||||
@@ -1387,6 +1387,16 @@ static void ac97_realize(PCIDevice *dev, Error **errp)
|
||||
ac97_on_reset (&s->dev.qdev);
|
||||
}
|
||||
|
||||
+static void ac97_exit(PCIDevice *dev)
|
||||
+{
|
||||
+ AC97LinkState *s = DO_UPCAST(AC97LinkState, dev, dev);
|
||||
+
|
||||
+ AUD_close_in(&s->card, s->voice_pi);
|
||||
+ AUD_close_out(&s->card, s->voice_po);
|
||||
+ AUD_close_in(&s->card, s->voice_mc);
|
||||
+ AUD_remove_card(&s->card);
|
||||
+}
|
||||
+
|
||||
static int ac97_init (PCIBus *bus)
|
||||
{
|
||||
pci_create_simple (bus, -1, "AC97");
|
||||
@@ -1404,6 +1414,7 @@ static void ac97_class_init (ObjectClass *klass, void *data)
|
||||
PCIDeviceClass *k = PCI_DEVICE_CLASS (klass);
|
||||
|
||||
k->realize = ac97_realize;
|
||||
+ k->exit = ac97_exit;
|
||||
k->vendor_id = PCI_VENDOR_ID_INTEL;
|
||||
k->device_id = PCI_DEVICE_ID_INTEL_82801AA_5;
|
||||
k->revision = 0x01;
|
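Review bot: `ac97_exit` has no comment tying it to `ac97_realize`, which is where a reader has to look to confirm that `voice_pi`, `voice_po` and `voice_mc` are always opened and that `AUD_close_in`/`AUD_close_out` tolerate a voice that never was; both are outside the hunk. A header comment, `/* Undo ac97_realize: close the three voices, then drop the card. */`, plus `s->voice_pi = s->voice_po = s->voice_mc = NULL;` after the closes, would document the ordering and keep a later reset or repeated exit from touching freed voices.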
52
0045-audio-es1370-add-exit-function.patch
@ -0,0 +1,52 @@
|
||||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Wed, 14 Dec 2016 18:32:22 -0800
|
||||
Subject: [PATCH] audio: es1370: add exit function
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Currently the es1370 device emulation doesn't have a exit function,
|
||||
hot unplug this device will leak some memory. Add a exit function to
|
||||
avoid this.
|
||||
|
||||
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
||||
Message-id: 585200c9.a968ca0a.1ab80.4c98@mx.google.com
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit 069eb7b2b8fc47c7cb52e5a4af23ea98d939e3da)
|
||||
---
|
||||
hw/audio/es1370.c | 14 ++++++++++++++
|
||||
1 file changed, 14 insertions(+)
|
||||
|
||||
diff --git a/hw/audio/es1370.c b/hw/audio/es1370.c
|
||||
index 8449b5f436..883ec69b30 100644
|
||||
--- a/hw/audio/es1370.c
|
||||
+++ b/hw/audio/es1370.c
|
||||
@@ -1041,6 +1041,19 @@ static void es1370_realize(PCIDevice *dev, Error **errp)
|
||||
es1370_reset (s);
|
||||
}
|
||||
|
||||
+static void es1370_exit(PCIDevice *dev)
|
||||
+{
|
||||
+ ES1370State *s = ES1370(dev);
|
||||
+ int i;
|
||||
+
|
||||
+ for (i = 0; i < 2; ++i) {
|
||||
+ AUD_close_out(&s->card, s->dac_voice[i]);
|
||||
+ }
|
||||
+
|
||||
+ AUD_close_in(&s->card, s->adc_voice);
|
||||
+ AUD_remove_card(&s->card);
|
||||
+}
|
||||
+
|
||||
static int es1370_init (PCIBus *bus)
|
||||
{
|
||||
pci_create_simple (bus, -1, TYPE_ES1370);
|
||||
@@ -1053,6 +1066,7 @@ static void es1370_class_init (ObjectClass *klass, void *data)
|
||||
PCIDeviceClass *k = PCI_DEVICE_CLASS (klass);
|
||||
|
||||
k->realize = es1370_realize;
|
||||
+ k->exit = es1370_exit;
|
||||
k->vendor_id = PCI_VENDOR_ID_ENSONIQ;
|
||||
k->device_id = PCI_DEVICE_ID_ENSONIQ_ES1370;
|
||||
k->class_id = PCI_CLASS_MULTIMEDIA_AUDIO;
|
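Review bot: The `for (i = 0; i < 2; ++i)` loop in `es1370_exit` hard-codes the size of `s->dac_voice`; `for (i = 0; i < ARRAY_SIZE(s->dac_voice); ++i)` ties the bound to the array and matches how the rest of QEMU walks fixed arrays. As with the sibling ac97 change, a one-line comment saying the function reverses `es1370_realize` (outside the hunk) documents why the voices are closed before `AUD_remove_card`.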
43
0046-watchdog-6300esb-add-exit-function.patch
@ -0,0 +1,43 @@
|
||||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Mon, 28 Nov 2016 17:49:04 -0800
|
||||
Subject: [PATCH] watchdog: 6300esb: add exit function
|
||||
|
||||
When the Intel 6300ESB watchdog is hot unplug. The timer allocated
|
||||
in realize isn't freed thus leaking memory leak. This patch avoid
|
||||
this through adding the exit function.
|
||||
|
||||
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Message-Id: <583cde9c.3223ed0a.7f0c2.886e@mx.google.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit eb7a20a3616085d46aa6b4b4224e15587ec67e6e)
|
||||
---
|
||||
hw/watchdog/wdt_i6300esb.c | 9 +++++++++
|
||||
1 file changed, 9 insertions(+)
|
||||
|
||||
diff --git a/hw/watchdog/wdt_i6300esb.c b/hw/watchdog/wdt_i6300esb.c
|
||||
index a83d951213..49b3cd188a 100644
|
||||
--- a/hw/watchdog/wdt_i6300esb.c
|
||||
+++ b/hw/watchdog/wdt_i6300esb.c
|
||||
@@ -428,6 +428,14 @@ static void i6300esb_realize(PCIDevice *dev, Error **errp)
|
||||
/* qemu_register_coalesced_mmio (addr, 0x10); ? */
|
||||
}
|
||||
|
||||
+static void i6300esb_exit(PCIDevice *dev)
|
||||
+{
|
||||
+ I6300State *d = WATCHDOG_I6300ESB_DEVICE(dev);
|
||||
+
|
||||
+ timer_del(d->timer);
|
||||
+ timer_free(d->timer);
|
||||
+}
|
||||
+
|
||||
static WatchdogTimerModel model = {
|
||||
.wdt_name = "i6300esb",
|
||||
.wdt_description = "Intel 6300ESB",
|
||||
@@ -441,6 +449,7 @@ static void i6300esb_class_init(ObjectClass *klass, void *data)
|
||||
k->config_read = i6300esb_config_read;
|
||||
k->config_write = i6300esb_config_write;
|
||||
k->realize = i6300esb_realize;
|
||||
+ k->exit = i6300esb_exit;
|
||||
k->vendor_id = PCI_VENDOR_ID_INTEL;
|
||||
k->device_id = PCI_DEVICE_ID_INTEL_ESB_9;
|
||||
k->class_id = PCI_CLASS_SYSTEM_OTHER;
|
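Review bot: `i6300esb_exit` frees `d->timer` but leaves the pointer dangling; adding `d->timer = NULL;` after `timer_free` is cheap and keeps any later access — a reset or config write overlapping hot-unplug, if that is possible here — from touching freed memory. The hunk does not show whether `i6300esb_realize` allocates anything besides the timer; if it does, the exit function should release that too, in reverse order.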
@ -0,0 +1,38 @@
|
||||
From: Li Qiang <liq3ea@gmail.com>
|
||||
Date: Thu, 29 Dec 2016 03:11:26 -0500
|
||||
Subject: [PATCH] virtio-gpu-3d: fix memory leak in resource attach backing
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
If the virgl_renderer_resource_attach_iov function fails the
|
||||
'res_iovs' will be leaked. Add check of the return value to
|
||||
free the 'res_iovs' when failing.
|
||||
|
||||
Signed-off-by: Li Qiang <liq3ea@gmail.com>
|
||||
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
||||
Message-id: 1482999086-59795-1-git-send-email-liq3ea@gmail.com
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit 33243031dad02d161225ba99d782616da133f689)
|
||||
---
|
||||
hw/display/virtio-gpu-3d.c | 7 +++++--
|
||||
1 file changed, 5 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
|
||||
index cdd03a47bd..f96a0c2e59 100644
|
||||
--- a/hw/display/virtio-gpu-3d.c
|
||||
+++ b/hw/display/virtio-gpu-3d.c
|
||||
@@ -291,8 +291,11 @@ static void virgl_resource_attach_backing(VirtIOGPU *g,
|
||||
return;
|
||||
}
|
||||
|
||||
- virgl_renderer_resource_attach_iov(att_rb.resource_id,
|
||||
- res_iovs, att_rb.nr_entries);
|
||||
+ ret = virgl_renderer_resource_attach_iov(att_rb.resource_id,
|
||||
+ res_iovs, att_rb.nr_entries);
|
||||
+
|
||||
+ if (ret != 0)
|
||||
+ virtio_gpu_cleanup_mapping_iov(res_iovs, att_rb.nr_entries);
|
||||
}
|
||||
|
||||
static void virgl_resource_detach_backing(VirtIOGPU *g,
|
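Review bot: On `ret != 0` the new code frees `res_iovs` but leaves `cmd->error` unset, so the guest is told the attach succeeded although the renderer rejected it; setting `cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;` next to the cleanup reports the failure. The `if` also lacks braces, which the project's style requires: `if (ret != 0) { virtio_gpu_cleanup_mapping_iov(res_iovs, att_rb.nr_entries); cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC; }`. The declaration of `ret` is outside the hunk.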
@ -0,0 +1,32 @@
|
||||
From: Li Qiang <liq3ea@gmail.com>
|
||||
Date: Thu, 29 Dec 2016 04:28:41 -0500
|
||||
Subject: [PATCH] virtio-gpu: fix memory leak in resource attach backing
|
||||
|
||||
In the resource attach backing function, everytime it will
|
||||
allocate 'res->iov' thus can leading a memory leak. This
|
||||
patch avoid this.
|
||||
|
||||
Signed-off-by: Li Qiang <liq3ea@gmail.com>
|
||||
Message-id: 1483003721-65360-1-git-send-email-liq3ea@gmail.com
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit 204f01b30975923c64006f8067f0937b91eea68b)
|
||||
---
|
||||
hw/display/virtio-gpu.c | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
|
||||
index 8903dee4f5..cadd7d899d 100644
|
||||
--- a/hw/display/virtio-gpu.c
|
||||
+++ b/hw/display/virtio-gpu.c
|
||||
@@ -708,6 +708,11 @@ virtio_gpu_resource_attach_backing(VirtIOGPU *g,
|
||||
return;
|
||||
}
|
||||
|
||||
+ if (res->iov) {
|
||||
+ cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
ret = virtio_gpu_create_mapping_iov(&ab, cmd, &res->addrs, &res->iov);
|
||||
if (ret != 0) {
|
||||
cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;
|
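Review bot: The `if (res->iov)` rejection has no comment, and its reason — a second ATTACH_BACKING without an intervening DETACH would orphan the existing `iov`/`addrs` allocation — is not visible at the call site; `/* already backed: a second attach would leak the current iov/addrs */` above the check records it. The rejection is silent on the host side, so a trace point or `qemu_log_mask(LOG_GUEST_ERROR, ...)` would help tell a buggy driver from a deliberate probe. `virtio_gpu_resource_attach_backing` starts outside the hunk.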
34
0049-sd-sdhci-check-data-length-during-dma_memory_read.patch
@ -0,0 +1,34 @@
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Tue, 7 Feb 2017 18:29:59 +0000
|
||||
Subject: [PATCH] sd: sdhci: check data length during dma_memory_read
|
||||
|
||||
While doing multi block SDMA transfer in routine
|
||||
'sdhci_sdma_transfer_multi_blocks', the 's->fifo_buffer' starting
|
||||
index 'begin' and data length 's->data_count' could end up to be same.
|
||||
This could lead to an OOB access issue. Correct transfer data length
|
||||
to avoid it.
|
||||
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Reported-by: Jiang Xin <jiangxin1@huawei.com>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
|
||||
Message-id: 20170130064736.9236-1-ppandit@redhat.com
|
||||
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
|
||||
(cherry picked from commit 42922105beb14c2fc58185ea022b9f72fb5465e9)
|
||||
---
|
||||
hw/sd/sdhci.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
|
||||
index 01fbf228be..5bd5ab6319 100644
|
||||
--- a/hw/sd/sdhci.c
|
||||
+++ b/hw/sd/sdhci.c
|
||||
@@ -536,7 +536,7 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
|
||||
boundary_count -= block_size - begin;
|
||||
}
|
||||
dma_memory_read(&address_space_memory, s->sdmasysad,
|
||||
- &s->fifo_buffer[begin], s->data_count);
|
||||
+ &s->fifo_buffer[begin], s->data_count - begin);
|
||||
s->sdmasysad += s->data_count - begin;
|
||||
if (s->data_count == block_size) {
|
||||
for (n = 0; n < block_size; n++) {
|
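Review bot: `s->data_count - begin` is only right when `begin <= s->data_count`; both operands are established before the hunk (the `boundary_count` branch above shows `begin` being adjusted), and if guest-written registers can break that relation and the operands are unsigned, the subtraction wraps to a huge length handed to `dma_memory_read`. An explicit `assert(begin <= s->data_count)` or an early bail-out immediately before the call makes the assumption visible; the rest of `sdhci_sdma_transfer_multi_blocks` is outside the hunk.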
61
0050-megasas-fix-guest-triggered-memory-leak.patch
@ -0,0 +1,61 @@
|
||||
From: Paolo Bonzini <pbonzini@redhat.com>
|
||||
Date: Mon, 2 Jan 2017 11:03:33 +0100
|
||||
Subject: [PATCH] megasas: fix guest-triggered memory leak
|
||||
|
||||
If the guest sets the sglist size to a value >=2GB, megasas_handle_dcmd
|
||||
will return MFI_STAT_MEMORY_NOT_AVAILABLE without freeing the memory.
|
||||
Avoid this by returning only the status from map_dcmd, and loading
|
||||
cmd->iov_size in the caller.
|
||||
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit 765a707000e838c30b18d712fe6cb3dd8e0435f3)
|
||||
---
|
||||
hw/scsi/megasas.c | 11 ++++++-----
|
||||
1 file changed, 6 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
|
||||
index 52a41239cf..ebf03022ed 100644
|
||||
--- a/hw/scsi/megasas.c
|
||||
+++ b/hw/scsi/megasas.c
|
||||
@@ -672,14 +672,14 @@ static int megasas_map_dcmd(MegasasState *s, MegasasCmd *cmd)
|
||||
trace_megasas_dcmd_invalid_sge(cmd->index,
|
||||
cmd->frame->header.sge_count);
|
||||
cmd->iov_size = 0;
|
||||
- return -1;
|
||||
+ return -EINVAL;
|
||||
}
|
||||
iov_pa = megasas_sgl_get_addr(cmd, &cmd->frame->dcmd.sgl);
|
||||
iov_size = megasas_sgl_get_len(cmd, &cmd->frame->dcmd.sgl);
|
||||
pci_dma_sglist_init(&cmd->qsg, PCI_DEVICE(s), 1);
|
||||
qemu_sglist_add(&cmd->qsg, iov_pa, iov_size);
|
||||
cmd->iov_size = iov_size;
|
||||
- return cmd->iov_size;
|
||||
+ return 0;
|
||||
}
|
||||
|
||||
static void megasas_finish_dcmd(MegasasCmd *cmd, uint32_t iov_size)
|
||||
@@ -1552,19 +1552,20 @@ static const struct dcmd_cmd_tbl_t {
|
||||
|
||||
static int megasas_handle_dcmd(MegasasState *s, MegasasCmd *cmd)
|
||||
{
|
||||
- int opcode, len;
|
||||
+ int opcode;
|
||||
int retval = 0;
|
||||
+ size_t len;
|
||||
const struct dcmd_cmd_tbl_t *cmdptr = dcmd_cmd_tbl;
|
||||
|
||||
opcode = le32_to_cpu(cmd->frame->dcmd.opcode);
|
||||
trace_megasas_handle_dcmd(cmd->index, opcode);
|
||||
- len = megasas_map_dcmd(s, cmd);
|
||||
- if (len < 0) {
|
||||
+ if (megasas_map_dcmd(s, cmd) < 0) {
|
||||
return MFI_STAT_MEMORY_NOT_AVAILABLE;
|
||||
}
|
||||
while (cmdptr->opcode != -1 && cmdptr->opcode != opcode) {
|
||||
cmdptr++;
|
||||
}
|
||||
+ len = cmd->iov_size;
|
||||
if (cmdptr->opcode == -1) {
|
||||
trace_megasas_dcmd_unhandled(cmd->index, opcode, len);
|
||||
retval = megasas_dcmd_dummy(s, cmd);
|
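Review bot: `len` in `megasas_handle_dcmd` is now `size_t` but is still passed to `trace_megasas_dcmd_unhandled(cmd->index, opcode, len)`; whether that trace event's format string expects a size_t is not visible here and is worth checking, since a mismatch is a `-Wformat` issue. Separately, `megasas_map_dcmd` now returns `-EINVAL` for a bad `sge_count` while the caller maps every negative result to `MFI_STAT_MEMORY_NOT_AVAILABLE`; if the firmware interface defines a distinct invalid-parameter status, returning it for the `-EINVAL` case would give the guest driver an accurate error. Both functions start outside the hunks.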
@ -0,0 +1,45 @@
|
||||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Mon, 23 Jan 2017 11:26:50 +0100
|
||||
Subject: [PATCH] virtio-gpu: fix resource leak in virgl_cmd_resource_unref
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
When the guest sends VIRTIO_GPU_CMD_RESOURCE_UNREF without detaching the
|
||||
backing storage beforehand (VIRTIO_GPU_CMD_RESOURCE_DETACH_BACKING)
|
||||
we'll leak memory.
|
||||
|
||||
This patch fixes it for 3d mode, simliar to the 2d mode fix in commit
|
||||
"b8e2392 virtio-gpu: call cleanup mapping function in resource destroy".
|
||||
|
||||
Reported-by: 李强 <liqiang6-s@360.cn>
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Message-id: 1485167210-4757-1-git-send-email-kraxel@redhat.com
|
||||
(cherry picked from commit 5e8e3c4c75c199aa1017db816fca02be2a9f8798)
|
||||
---
|
||||
hw/display/virtio-gpu-3d.c | 8 ++++++++
|
||||
1 file changed, 8 insertions(+)
|
||||
|
||||
diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
|
||||
index f96a0c2e59..ecb09d17a1 100644
|
||||
--- a/hw/display/virtio-gpu-3d.c
|
||||
+++ b/hw/display/virtio-gpu-3d.c
|
||||
@@ -77,10 +77,18 @@ static void virgl_cmd_resource_unref(VirtIOGPU *g,
|
||||
struct virtio_gpu_ctrl_command *cmd)
|
||||
{
|
||||
struct virtio_gpu_resource_unref unref;
|
||||
+ struct iovec *res_iovs = NULL;
|
||||
+ int num_iovs = 0;
|
||||
|
||||
VIRTIO_GPU_FILL_CMD(unref);
|
||||
trace_virtio_gpu_cmd_res_unref(unref.resource_id);
|
||||
|
||||
+ virgl_renderer_resource_detach_iov(unref.resource_id,
|
||||
+ &res_iovs,
|
||||
+ &num_iovs);
|
||||
+ if (res_iovs != NULL && num_iovs != 0) {
|
||||
+ virtio_gpu_cleanup_mapping_iov(res_iovs, num_iovs);
|
||||
+ }
|
||||
virgl_renderer_resource_unref(unref.resource_id);
|
||||
}
|
||||
|
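Review bot: The condition `res_iovs != NULL && num_iovs != 0` means an array returned with zero entries is never passed to `virtio_gpu_cleanup_mapping_iov` and so is never freed; whether `virgl_renderer_resource_detach_iov` can return that combination is a renderer contract not visible here. If it can, `if (res_iovs != NULL)` alone is the safer test; if it cannot, a short comment above the `if` saying so explains the double check to the next reader.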
32
0052-usb-ccid-check-ccid-apdu-length.patch
@ -0,0 +1,32 @@
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Fri, 3 Feb 2017 00:52:28 +0530
|
||||
Subject: [PATCH] usb: ccid: check ccid apdu length
|
||||
|
||||
CCID device emulator uses Application Protocol Data Units(APDU)
|
||||
to exchange command and responses to and from the host.
|
||||
The length in these units couldn't be greater than 65536. Add
|
||||
check to ensure the same. It'd also avoid potential integer
|
||||
overflow in emulated_apdu_from_guest.
|
||||
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-id: 20170202192228.10847-1-ppandit@redhat.com
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit c7dfbf322595ded4e70b626bf83158a9f3807c6a)
|
||||
---
|
||||
hw/usb/dev-smartcard-reader.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/usb/dev-smartcard-reader.c b/hw/usb/dev-smartcard-reader.c
|
||||
index af4b851356..fc32b00363 100644
|
||||
--- a/hw/usb/dev-smartcard-reader.c
|
||||
+++ b/hw/usb/dev-smartcard-reader.c
|
||||
@@ -967,7 +967,7 @@ static void ccid_on_apdu_from_guest(USBCCIDState *s, CCID_XferBlock *recv)
|
||||
DPRINTF(s, 1, "%s: seq %d, len %d\n", __func__,
|
||||
recv->hdr.bSeq, len);
|
||||
ccid_add_pending_answer(s, (CCID_Header *)recv);
|
||||
- if (s->card) {
|
||||
+ if (s->card && len <= BULK_OUT_DATA_SIZE) {
|
||||
ccid_card_apdu_from_guest(s->card, recv->abData, len);
|
||||
} else {
|
||||
DPRINTF(s, D_WARN, "warning: discarded apdu\n");
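Review bot: The new bound `len <= BULK_OUT_DATA_SIZE` is measured against the whole bulk-out buffer, but `recv->abData` starts after the CCID header inside that same buffer, so a `len` near the limit can still read header-size bytes past its end; if `recv` aliases the `bulk_out_data` buffer (not visible here) the bound should be `len <= BULK_OUT_DATA_SIZE - offsetof(CCID_XferBlock, abData)`. A tighter and more meaningful bound is the number of bytes actually received for this message (accumulated bulk-out position minus the header), because `dwLength` is guest-controlled and may claim more than was sent, handing stale buffer contents to the card backend. Note also that `ccid_add_pending_answer()` on the line above has already queued an answer before the check runs, so a rejected APDU still consumes a pending-answer slot. `ccid_on_apdu_from_guest` starts outside the hunk.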
|
@ -0,0 +1,51 @@
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Tue, 28 Feb 2017 12:08:14 +0000
|
||||
Subject: [PATCH] sd: sdhci: check transfer mode register in multi block
|
||||
transfer
|
||||
|
||||
In the SDHCI protocol, the transfer mode register value
|
||||
is used during multi block transfer to check if block count
|
||||
register is enabled and should be updated. Transfer mode
|
||||
register could be set such that, block count register would
|
||||
not be updated, thus leading to an infinite loop. Add check
|
||||
to avoid it.
|
||||
|
||||
Reported-by: Wjjzhang <wjjzhang@tencent.com>
|
||||
Reported-by: Jiang Xin <jiangxin1@huawei.com>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-id: 20170214185225.7994-3-ppandit@redhat.com
|
||||
Reviewed-by: Alistair Francis <alistair.francis@xilinx.com>
|
||||
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
|
||||
(cherry picked from commit 6e86d90352adf6cb08295255220295cf23c4286e)
|
||||
---
|
||||
hw/sd/sdhci.c | 10 +++++-----
|
||||
1 file changed, 5 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
|
||||
index 5bd5ab6319..a9c744b50a 100644
|
||||
--- a/hw/sd/sdhci.c
|
||||
+++ b/hw/sd/sdhci.c
|
||||
@@ -486,6 +486,11 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
|
||||
uint32_t boundary_chk = 1 << (((s->blksize & 0xf000) >> 12) + 12);
|
||||
uint32_t boundary_count = boundary_chk - (s->sdmasysad % boundary_chk);
|
||||
|
||||
+ if (!(s->trnmod & SDHC_TRNS_BLK_CNT_EN) || !s->blkcnt) {
|
||||
+ qemu_log_mask(LOG_UNIMP, "infinite transfer is not supported\n");
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
/* XXX: Some sd/mmc drivers (for example, u-boot-slp) do not account for
|
||||
* possible stop at page boundary if initial address is not page aligned,
|
||||
* allow them to work properly */
|
||||
@@ -797,11 +802,6 @@ static void sdhci_data_transfer(void *opaque)
|
||||
if (s->trnmod & SDHC_TRNS_DMA) {
|
||||
switch (SDHC_DMA_TYPE(s->hostctl)) {
|
||||
case SDHC_CTRL_SDMA:
|
||||
- if ((s->trnmod & SDHC_TRNS_MULTI) &&
|
||||
- (!(s->trnmod & SDHC_TRNS_BLK_CNT_EN) || s->blkcnt == 0)) {
|
||||
- break;
|
||||
- }
|
||||
-
|
||||
if ((s->blkcnt == 1) || !(s->trnmod & SDHC_TRNS_MULTI)) {
|
||||
sdhci_sdma_transfer_single_block(s);
|
||||
} else {
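Review bot: The new early return in `sdhci_sdma_transfer_multi_blocks` folds two different situations into one `LOG_UNIMP` message: a cleared `SDHC_TRNS_BLK_CNT_EN` is the host-controller spec's infinite-transfer mode (genuinely unimplemented), whereas a zero `blkcnt` with the count enabled is a guest programming error and should be reported as `LOG_GUEST_ERROR` so it is not filed as missing emulation. The return also leaves whatever transfer-in-progress state the caller set untouched, so the guest sees a stalled transfer rather than an error completion; a short comment stating that this is intended would help. Suggested split: `if (!(s->trnmod & SDHC_TRNS_BLK_CNT_EN)) { qemu_log_mask(LOG_UNIMP, "infinite transfer is not supported\n"); return; }` followed by `if (!s->blkcnt) { qemu_log_mask(LOG_GUEST_ERROR, "multi-block transfer with zero block count\n"); return; }`. Both functions touched begin outside their hunks.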
|
125
0054-eth-Extend-vlan-stripping-functions.patch
Normal file
125
0054-eth-Extend-vlan-stripping-functions.patch
Normal file
@ -0,0 +1,125 @@
|
||||
From: Dmitry Fleytman <dmitry@daynix.com>
|
||||
Date: Thu, 16 Feb 2017 14:29:32 +0200
|
||||
Subject: [PATCH] eth: Extend vlan stripping functions
|
||||
|
||||
Make VLAN stripping functions return number of bytes
|
||||
copied to given Ethernet header buffer.
|
||||
|
||||
This information should be used to re-compose
|
||||
packet IOV after VLAN stripping.
|
||||
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Signed-off-by: Dmitry Fleytman <dmitry@daynix.com>
|
||||
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
||||
(cherry picked from commit 566342c3125ac2e73abd36c650222318164517ed)
|
||||
---
|
||||
include/net/eth.h | 4 ++--
|
||||
net/eth.c | 25 ++++++++++++++-----------
|
||||
2 files changed, 16 insertions(+), 13 deletions(-)
|
||||
|
||||
diff --git a/include/net/eth.h b/include/net/eth.h
|
||||
index 2013175857..afeb45be34 100644
|
||||
--- a/include/net/eth.h
|
||||
+++ b/include/net/eth.h
|
||||
@@ -331,12 +331,12 @@ eth_get_pkt_tci(const void *p)
|
||||
}
|
||||
}
|
||||
|
||||
-bool
|
||||
+size_t
|
||||
eth_strip_vlan(const struct iovec *iov, int iovcnt, size_t iovoff,
|
||||
uint8_t *new_ehdr_buf,
|
||||
uint16_t *payload_offset, uint16_t *tci);
|
||||
|
||||
-bool
|
||||
+size_t
|
||||
eth_strip_vlan_ex(const struct iovec *iov, int iovcnt, size_t iovoff,
|
||||
uint16_t vet, uint8_t *new_ehdr_buf,
|
||||
uint16_t *payload_offset, uint16_t *tci);
|
||||
diff --git a/net/eth.c b/net/eth.c
|
||||
index df81efb676..5b9ba26a56 100644
|
||||
--- a/net/eth.c
|
||||
+++ b/net/eth.c
|
||||
@@ -232,7 +232,7 @@ void eth_get_protocols(const struct iovec *iov, int iovcnt,
|
||||
}
|
||||
}
|
||||
|
||||
-bool
|
||||
+size_t
|
||||
eth_strip_vlan(const struct iovec *iov, int iovcnt, size_t iovoff,
|
||||
uint8_t *new_ehdr_buf,
|
||||
uint16_t *payload_offset, uint16_t *tci)
|
||||
@@ -244,7 +244,7 @@ eth_strip_vlan(const struct iovec *iov, int iovcnt, size_t iovoff,
|
||||
new_ehdr, sizeof(*new_ehdr));
|
||||
|
||||
if (copied < sizeof(*new_ehdr)) {
|
||||
- return false;
|
||||
+ return 0;
|
||||
}
|
||||
|
||||
switch (be16_to_cpu(new_ehdr->h_proto)) {
|
||||
@@ -254,7 +254,7 @@ eth_strip_vlan(const struct iovec *iov, int iovcnt, size_t iovoff,
|
||||
&vlan_hdr, sizeof(vlan_hdr));
|
||||
|
||||
if (copied < sizeof(vlan_hdr)) {
|
||||
- return false;
|
||||
+ return 0;
|
||||
}
|
||||
|
||||
new_ehdr->h_proto = vlan_hdr.h_proto;
|
||||
@@ -268,18 +268,21 @@ eth_strip_vlan(const struct iovec *iov, int iovcnt, size_t iovoff,
|
||||
PKT_GET_VLAN_HDR(new_ehdr), sizeof(vlan_hdr));
|
||||
|
||||
if (copied < sizeof(vlan_hdr)) {
|
||||
- return false;
|
||||
+ return 0;
|
||||
}
|
||||
|
||||
*payload_offset += sizeof(vlan_hdr);
|
||||
+
|
||||
+ return sizeof(struct eth_header) + sizeof(struct vlan_header);
|
||||
+ } else {
|
||||
+ return sizeof(struct eth_header);
|
||||
}
|
||||
- return true;
|
||||
default:
|
||||
- return false;
|
||||
+ return 0;
|
||||
}
|
||||
}
|
||||
|
||||
-bool
|
||||
+size_t
|
||||
eth_strip_vlan_ex(const struct iovec *iov, int iovcnt, size_t iovoff,
|
||||
uint16_t vet, uint8_t *new_ehdr_buf,
|
||||
uint16_t *payload_offset, uint16_t *tci)
|
||||
@@ -291,7 +294,7 @@ eth_strip_vlan_ex(const struct iovec *iov, int iovcnt, size_t iovoff,
|
||||
new_ehdr, sizeof(*new_ehdr));
|
||||
|
||||
if (copied < sizeof(*new_ehdr)) {
|
||||
- return false;
|
||||
+ return 0;
|
||||
}
|
||||
|
||||
if (be16_to_cpu(new_ehdr->h_proto) == vet) {
|
||||
@@ -299,17 +302,17 @@ eth_strip_vlan_ex(const struct iovec *iov, int iovcnt, size_t iovoff,
|
||||
&vlan_hdr, sizeof(vlan_hdr));
|
||||
|
||||
if (copied < sizeof(vlan_hdr)) {
|
||||
- return false;
|
||||
+ return 0;
|
||||
}
|
||||
|
||||
new_ehdr->h_proto = vlan_hdr.h_proto;
|
||||
|
||||
*tci = be16_to_cpu(vlan_hdr.h_tci);
|
||||
*payload_offset = iovoff + sizeof(*new_ehdr) + sizeof(vlan_hdr);
|
||||
- return true;
|
||||
+ return sizeof(struct eth_header);
|
||||
}
|
||||
|
||||
- return false;
|
||||
+ return 0;
|
||||
}
|
||||
|
||||
void
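Review bot: The prototypes in `include/net/eth.h` change return type but nothing documents the new contract, which is subtle: `eth_strip_vlan` can now write `sizeof(struct eth_header) + sizeof(struct vlan_header)` bytes into `new_ehdr_buf` (the double-tagged branch copies the second VLAN header to `PKT_GET_VLAN_HDR(new_ehdr)` and returns that larger size), while `eth_strip_vlan_ex` writes at most `sizeof(struct eth_header)`, and both return 0 on any short copy. A caller sizing `new_ehdr_buf` as a bare `struct eth_header` will overflow, so each declaration should state the maximum bytes written and what the return value means. For example above `eth_strip_vlan`: `/* Returns the number of bytes written to new_ehdr_buf (0 = nothing stripped or short packet). The buffer must hold sizeof(struct eth_header) + sizeof(struct vlan_header). */`.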
|
117
0055-NetRxPkt-Fix-memory-corruption-on-VLAN-header-stripp.patch
Normal file
117
0055-NetRxPkt-Fix-memory-corruption-on-VLAN-header-stripp.patch
Normal file
@ -0,0 +1,117 @@
|
||||
From: Dmitry Fleytman <dmitry@daynix.com>
|
||||
Date: Thu, 16 Feb 2017 14:29:33 +0200
|
||||
Subject: [PATCH] NetRxPkt: Fix memory corruption on VLAN header stripping
|
||||
|
||||
This patch fixed a problem that was introduced in commit eb700029.
|
||||
|
||||
When net_rx_pkt_attach_iovec() calls eth_strip_vlan()
|
||||
this can result in pkt->ehdr_buf being overflowed, because
|
||||
ehdr_buf is only sizeof(struct eth_header) bytes large
|
||||
but eth_strip_vlan() can write
|
||||
sizeof(struct eth_header) + sizeof(struct vlan_header)
|
||||
bytes into it.
|
||||
|
||||
Devices affected by this problem: vmxnet3.
|
||||
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Reported-by: Peter Maydell <peter.maydell@linaro.org>
|
||||
Signed-off-by: Dmitry Fleytman <dmitry@daynix.com>
|
||||
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
||||
(cherry picked from commit df8bf7a7fe75eb5d5caffa55f5cd4292b757aea6)
|
||||
---
|
||||
hw/net/net_rx_pkt.c | 34 +++++++++++++++++-----------------
|
||||
1 file changed, 17 insertions(+), 17 deletions(-)
|
||||
|
||||
diff --git a/hw/net/net_rx_pkt.c b/hw/net/net_rx_pkt.c
|
||||
index 1019b50c18..7c0beace9e 100644
|
||||
--- a/hw/net/net_rx_pkt.c
|
||||
+++ b/hw/net/net_rx_pkt.c
|
||||
@@ -23,13 +23,13 @@
|
||||
|
||||
struct NetRxPkt {
|
||||
struct virtio_net_hdr virt_hdr;
|
||||
- uint8_t ehdr_buf[sizeof(struct eth_header)];
|
||||
+ uint8_t ehdr_buf[sizeof(struct eth_header) + sizeof(struct vlan_header)];
|
||||
struct iovec *vec;
|
||||
uint16_t vec_len_total;
|
||||
uint16_t vec_len;
|
||||
uint32_t tot_len;
|
||||
uint16_t tci;
|
||||
- bool vlan_stripped;
|
||||
+ size_t ehdr_buf_len;
|
||||
bool has_virt_hdr;
|
||||
eth_pkt_types_e packet_type;
|
||||
|
||||
@@ -88,15 +88,13 @@ net_rx_pkt_pull_data(struct NetRxPkt *pkt,
|
||||
const struct iovec *iov, int iovcnt,
|
||||
size_t ploff)
|
||||
{
|
||||
- if (pkt->vlan_stripped) {
|
||||
+ if (pkt->ehdr_buf_len) {
|
||||
net_rx_pkt_iovec_realloc(pkt, iovcnt + 1);
|
||||
|
||||
pkt->vec[0].iov_base = pkt->ehdr_buf;
|
||||
- pkt->vec[0].iov_len = sizeof(pkt->ehdr_buf);
|
||||
-
|
||||
- pkt->tot_len =
|
||||
- iov_size(iov, iovcnt) - ploff + sizeof(struct eth_header);
|
||||
+ pkt->vec[0].iov_len = pkt->ehdr_buf_len;
|
||||
|
||||
+ pkt->tot_len = iov_size(iov, iovcnt) - ploff + pkt->ehdr_buf_len;
|
||||
pkt->vec_len = iov_copy(pkt->vec + 1, pkt->vec_len_total - 1,
|
||||
iov, iovcnt, ploff, pkt->tot_len);
|
||||
} else {
|
||||
@@ -123,11 +121,12 @@ void net_rx_pkt_attach_iovec(struct NetRxPkt *pkt,
|
||||
uint16_t tci = 0;
|
||||
uint16_t ploff = iovoff;
|
||||
assert(pkt);
|
||||
- pkt->vlan_stripped = false;
|
||||
|
||||
if (strip_vlan) {
|
||||
- pkt->vlan_stripped = eth_strip_vlan(iov, iovcnt, iovoff, pkt->ehdr_buf,
|
||||
- &ploff, &tci);
|
||||
+ pkt->ehdr_buf_len = eth_strip_vlan(iov, iovcnt, iovoff, pkt->ehdr_buf,
|
||||
+ &ploff, &tci);
|
||||
+ } else {
|
||||
+ pkt->ehdr_buf_len = 0;
|
||||
}
|
||||
|
||||
pkt->tci = tci;
|
||||
@@ -143,12 +142,13 @@ void net_rx_pkt_attach_iovec_ex(struct NetRxPkt *pkt,
|
||||
uint16_t tci = 0;
|
||||
uint16_t ploff = iovoff;
|
||||
assert(pkt);
|
||||
- pkt->vlan_stripped = false;
|
||||
|
||||
if (strip_vlan) {
|
||||
- pkt->vlan_stripped = eth_strip_vlan_ex(iov, iovcnt, iovoff, vet,
|
||||
- pkt->ehdr_buf,
|
||||
- &ploff, &tci);
|
||||
+ pkt->ehdr_buf_len = eth_strip_vlan_ex(iov, iovcnt, iovoff, vet,
|
||||
+ pkt->ehdr_buf,
|
||||
+ &ploff, &tci);
|
||||
+ } else {
|
||||
+ pkt->ehdr_buf_len = 0;
|
||||
}
|
||||
|
||||
pkt->tci = tci;
|
||||
@@ -162,8 +162,8 @@ void net_rx_pkt_dump(struct NetRxPkt *pkt)
|
||||
NetRxPkt *pkt = (NetRxPkt *)pkt;
|
||||
assert(pkt);
|
||||
|
||||
- printf("RX PKT: tot_len: %d, vlan_stripped: %d, vlan_tag: %d\n",
|
||||
- pkt->tot_len, pkt->vlan_stripped, pkt->tci);
|
||||
+ printf("RX PKT: tot_len: %d, ehdr_buf_len: %lu, vlan_tag: %d\n",
|
||||
+ pkt->tot_len, pkt->ehdr_buf_len, pkt->tci);
|
||||
#endif
|
||||
}
|
||||
|
||||
@@ -426,7 +426,7 @@ bool net_rx_pkt_is_vlan_stripped(struct NetRxPkt *pkt)
|
||||
{
|
||||
assert(pkt);
|
||||
|
||||
- return pkt->vlan_stripped;
|
||||
+ return pkt->ehdr_buf_len ? true : false;
|
||||
}
|
||||
|
||||
bool net_rx_pkt_has_virt_hdr(struct NetRxPkt *pkt)
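Review bot: The `printf` in `net_rx_pkt_dump` formats the new `size_t ehdr_buf_len` with `%lu`, which only matches where `unsigned long` is 64-bit; on 32-bit hosts and Windows LLP64 it is a format/argument mismatch (undefined behaviour, and `-Wformat` warns). Use `%zu`: `printf("RX PKT: tot_len: %d, ehdr_buf_len: %zu, vlan_tag: %d\n",`. The enclosing conditional (only its `#endif` is visible) keeps this off by default, so it is latent rather than shipped, but it will bite the first person who enables the debug output. Separately, `tot_len` is `uint32_t` while `iov_size()` returns `size_t`, so the assignment in `net_rx_pkt_pull_data` truncates silently for an oversized iov; unlikely for a frame, but worth a comment or assert.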
|
@ -0,0 +1,30 @@
|
||||
From: Dmitry Fleytman <dmitry@daynix.com>
|
||||
Date: Thu, 16 Feb 2017 14:29:34 +0200
|
||||
Subject: [PATCH] NetRxPkt: Do not try to pull more data than present
|
||||
|
||||
In case of VLAN stripping, ETH header put into a
|
||||
separate buffer, therefore amont of data copied
|
||||
from original IOV should be smaller.
|
||||
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Signed-off-by: Dmitry Fleytman <dmitry@daynix.com>
|
||||
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
||||
(cherry picked from commit d5e772146d2bbc92e5126c145eddef3b2843d026)
|
||||
---
|
||||
hw/net/net_rx_pkt.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/net/net_rx_pkt.c b/hw/net/net_rx_pkt.c
|
||||
index 7c0beace9e..d38babec88 100644
|
||||
--- a/hw/net/net_rx_pkt.c
|
||||
+++ b/hw/net/net_rx_pkt.c
|
||||
@@ -96,7 +96,8 @@ net_rx_pkt_pull_data(struct NetRxPkt *pkt,
|
||||
|
||||
pkt->tot_len = iov_size(iov, iovcnt) - ploff + pkt->ehdr_buf_len;
|
||||
pkt->vec_len = iov_copy(pkt->vec + 1, pkt->vec_len_total - 1,
|
||||
- iov, iovcnt, ploff, pkt->tot_len);
|
||||
+ iov, iovcnt, ploff,
|
||||
+ pkt->tot_len - pkt->ehdr_buf_len);
|
||||
} else {
|
||||
net_rx_pkt_iovec_realloc(pkt, iovcnt);
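Review bot: The new `iov_copy` length `pkt->tot_len - pkt->ehdr_buf_len` merely recovers the `iov_size(iov, iovcnt) - ploff` computed on the line above it, so the intent (copy only the payload, the header already lives in `ehdr_buf`) is hidden behind arithmetic on two fields; compute it once as `size_t payload_len = iov_size(iov, iovcnt) - ploff;` and use it for both `tot_len` and the copy length. A comment would also help: `/* vec[0] already holds the stripped Ethernet header, so pull only the payload */`. If `ploff` could exceed `iov_size()` the subtraction would wrap; the strip functions appear to guarantee it cannot, but that guarantee lives outside this hunk.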
|
||||
|
@ -0,0 +1,34 @@
|
||||
From: Dmitry Fleytman <dmitry@daynix.com>
|
||||
Date: Thu, 16 Feb 2017 14:29:35 +0200
|
||||
Subject: [PATCH] NetRxPkt: Account buffer with ETH header in IOV length
|
||||
|
||||
In case of VLAN stripping ETH header is stored in a
|
||||
separate chunk and length of IOV should take this into
|
||||
account.
|
||||
|
||||
This patch fixes checksum validation for RX packets
|
||||
with VLAN header.
|
||||
|
||||
Devices affected by this problem: e1000e and vmxnet3.
|
||||
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Signed-off-by: Dmitry Fleytman <dmitry@daynix.com>
|
||||
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
||||
(cherry picked from commit c5d083c561a4f5297cc2e44a2f3cef3324d77a88)
|
||||
---
|
||||
hw/net/net_rx_pkt.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/net/net_rx_pkt.c b/hw/net/net_rx_pkt.c
|
||||
index d38babec88..c7ae33d0d3 100644
|
||||
--- a/hw/net/net_rx_pkt.c
|
||||
+++ b/hw/net/net_rx_pkt.c
|
||||
@@ -97,7 +97,7 @@ net_rx_pkt_pull_data(struct NetRxPkt *pkt,
|
||||
pkt->tot_len = iov_size(iov, iovcnt) - ploff + pkt->ehdr_buf_len;
|
||||
pkt->vec_len = iov_copy(pkt->vec + 1, pkt->vec_len_total - 1,
|
||||
iov, iovcnt, ploff,
|
||||
- pkt->tot_len - pkt->ehdr_buf_len);
|
||||
+ pkt->tot_len - pkt->ehdr_buf_len) + 1;
|
||||
} else {
|
||||
net_rx_pkt_iovec_realloc(pkt, iovcnt);
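Review bot: The trailing `+ 1` on the `iov_copy` result has no explanation in the code even though it changes what every consumer of `vec_len` sees, so the next reader is likely to "fix" it; add on that line `/* +1: vec[0] is the ehdr_buf chunk holding the stripped Ethernet header */`. The increment stays within the array because `net_rx_pkt_iovec_realloc(pkt, iovcnt + 1)` above sized it and `iov_copy` is limited to `vec_len_total - 1`, so `vec_len <= vec_len_total`. `net_rx_pkt_pull_data` begins outside the hunk.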
|
||||
|
49
0058-usb-ohci-limit-the-number-of-link-eds.patch
Normal file
49
0058-usb-ohci-limit-the-number-of-link-eds.patch
Normal file
@ -0,0 +1,49 @@
|
||||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Tue, 7 Feb 2017 02:23:33 -0800
|
||||
Subject: [PATCH] usb: ohci: limit the number of link eds
|
||||
|
||||
The guest may builds an infinite loop with link eds. This patch
|
||||
limit the number of linked ed to avoid this.
|
||||
|
||||
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Message-id: 5899a02e.45ca240a.6c373.93c1@mx.google.com
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit 95ed56939eb2eaa4e2f349fe6dcd13ca4edfd8fb)
|
||||
---
|
||||
hw/usb/hcd-ohci.c | 9 ++++++++-
|
||||
1 file changed, 8 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c
|
||||
index fa5703832c..48307febd3 100644
|
||||
--- a/hw/usb/hcd-ohci.c
|
||||
+++ b/hw/usb/hcd-ohci.c
|
||||
@@ -42,6 +42,8 @@
|
||||
|
||||
#define OHCI_MAX_PORTS 15
|
||||
|
||||
+#define ED_LINK_LIMIT 4
|
||||
+
|
||||
static int64_t usb_frame_time;
|
||||
static int64_t usb_bit_time;
|
||||
|
||||
@@ -1184,7 +1186,7 @@ static int ohci_service_ed_list(OHCIState *ohci, uint32_t head, int completion)
|
||||
uint32_t next_ed;
|
||||
uint32_t cur;
|
||||
int active;
|
||||
-
|
||||
+ uint32_t link_cnt = 0;
|
||||
active = 0;
|
||||
|
||||
if (head == 0)
|
||||
@@ -1199,6 +1201,11 @@ static int ohci_service_ed_list(OHCIState *ohci, uint32_t head, int completion)
|
||||
|
||||
next_ed = ed.next & OHCI_DPTR_MASK;
|
||||
|
||||
+ if (++link_cnt > ED_LINK_LIMIT) {
|
||||
+ ohci_die(ohci);
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
if ((ed.head & OHCI_ED_H) || (ed.flags & OHCI_ED_K)) {
|
||||
uint32_t addr;
|
||||
/* Cancel pending packets for ED that have been paused. */
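Review bot: `ED_LINK_LIMIT 4` is a very low ceiling for a per-list ED walk: the control and bulk lists typically carry one ED per active endpoint, so a guest with a few attached devices can legitimately exceed four, and the penalty here is `ohci_die()`, which takes the whole controller down for a well-behaved guest. A limit closer to what a 1 ms frame can realistically service (tens of EDs) plus a `qemu_log_mask(LOG_GUEST_ERROR, ...)` before dying would be safer for real workloads while still bounding the loop. The constant also deserves a comment stating what it bounds: `/* max EDs followed per list; a longer chain is treated as a guest-built loop */`. `ohci_service_ed_list` continues outside the hunk.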
|
@ -0,0 +1,69 @@
|
||||
From: Bruce Rogers <brogers@suse.com>
|
||||
Date: Mon, 9 Jan 2017 13:35:20 -0700
|
||||
Subject: [PATCH] display: cirrus: ignore source pitch value as needed in
|
||||
blit_is_unsafe
|
||||
|
||||
Commit 4299b90 added a check which is too broad, given that the source
|
||||
pitch value is not required to be initialized for solid fill operations.
|
||||
This patch refines the blit_is_unsafe() check to ignore source pitch in
|
||||
that case. After applying the above commit as a security patch, we
|
||||
noticed the SLES 11 SP4 guest gui failed to initialize properly.
|
||||
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
Message-id: 20170109203520.5619-1-brogers@suse.com
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit 913a87885f589d263e682c2eb6637c6e14538061)
|
||||
---
|
||||
hw/display/cirrus_vga.c | 11 +++++++----
|
||||
1 file changed, 7 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
|
||||
index bdb092ee9d..379910db2d 100644
|
||||
--- a/hw/display/cirrus_vga.c
|
||||
+++ b/hw/display/cirrus_vga.c
|
||||
@@ -294,7 +294,7 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
|
||||
return false;
|
||||
}
|
||||
|
||||
-static bool blit_is_unsafe(struct CirrusVGAState *s)
|
||||
+static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only)
|
||||
{
|
||||
/* should be the case, see cirrus_bitblt_start */
|
||||
assert(s->cirrus_blt_width > 0);
|
||||
@@ -308,6 +308,9 @@ static bool blit_is_unsafe(struct CirrusVGAState *s)
|
||||
s->cirrus_blt_dstaddr & s->cirrus_addr_mask)) {
|
||||
return true;
|
||||
}
|
||||
+ if (dst_only) {
|
||||
+ return false;
|
||||
+ }
|
||||
if (blit_region_is_unsafe(s, s->cirrus_blt_srcpitch,
|
||||
s->cirrus_blt_srcaddr & s->cirrus_addr_mask)) {
|
||||
return true;
|
||||
@@ -673,7 +676,7 @@ static int cirrus_bitblt_common_patterncopy(CirrusVGAState * s,
|
||||
|
||||
dst = s->vga.vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask);
|
||||
|
||||
- if (blit_is_unsafe(s))
|
||||
+ if (blit_is_unsafe(s, false))
|
||||
return 0;
|
||||
|
||||
(*s->cirrus_rop) (s, dst, src,
|
||||
@@ -691,7 +694,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop)
|
||||
{
|
||||
cirrus_fill_t rop_func;
|
||||
|
||||
- if (blit_is_unsafe(s)) {
|
||||
+ if (blit_is_unsafe(s, true)) {
|
||||
return 0;
|
||||
}
|
||||
rop_func = cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1];
|
||||
@@ -795,7 +798,7 @@ static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
|
||||
|
||||
static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
|
||||
{
|
||||
- if (blit_is_unsafe(s))
|
||||
+ if (blit_is_unsafe(s, false))
|
||||
return 0;
|
||||
|
||||
return cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr,
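Review bot: The new `bool dst_only` parameter makes every call site read as `blit_is_unsafe(s, false)` or `blit_is_unsafe(s, true)`, which says nothing about why the source check is skipped, and the function has no header comment explaining that a solid fill reads no VRAM source and so its `cirrus_blt_srcpitch`/`srcaddr` may be left uninitialized by the guest (the commit message says this, the code does not). Add above the definition: `/* dst_only: skip the source-region check; solid fills read no VRAM source, so srcpitch/srcaddr may be stale. */`. `blit_is_unsafe` continues into the second hunk of this file.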
|
@ -0,0 +1,47 @@
|
||||
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
|
||||
Date: Wed, 25 Jan 2017 14:48:57 +0100
|
||||
Subject: [PATCH] cirrus: handle negative pitch in cirrus_invalidate_region()
|
||||
|
||||
cirrus_invalidate_region() calls memory_region_set_dirty()
|
||||
on a per-line basis, always ranging from off_begin to
|
||||
off_begin+bytesperline. With a negative pitch off_begin
|
||||
marks the top most used address and thus we need to do an
|
||||
initial shift backwards by a line for negative pitches of
|
||||
backward blits, otherwise the first iteration covers the
|
||||
line going from the start offset forwards instead of
|
||||
backwards.
|
||||
Additionally since the start address is inclusive, if we
|
||||
shift by a full `bytesperline` we move to the first address
|
||||
*not* included in the blit, so we only shift by one less
|
||||
than bytesperline.
|
||||
|
||||
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
|
||||
Message-id: 1485352137-29367-1-git-send-email-w.bumiller@proxmox.com
|
||||
|
||||
[ kraxel: codestyle fixes ]
|
||||
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit f153b563f8cf121aebf5a2fff5f0110faf58ccb3)
|
||||
---
|
||||
hw/display/cirrus_vga.c | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
|
||||
index 379910db2d..0f05e4596e 100644
|
||||
--- a/hw/display/cirrus_vga.c
|
||||
+++ b/hw/display/cirrus_vga.c
|
||||
@@ -661,9 +661,14 @@ static void cirrus_invalidate_region(CirrusVGAState * s, int off_begin,
|
||||
int off_cur;
|
||||
int off_cur_end;
|
||||
|
||||
+ if (off_pitch < 0) {
|
||||
+ off_begin -= bytesperline - 1;
|
||||
+ }
|
||||
+
|
||||
for (y = 0; y < lines; y++) {
|
||||
off_cur = off_begin;
|
||||
off_cur_end = (off_cur + bytesperline) & s->cirrus_addr_mask;
|
||||
+ assert(off_cur_end >= off_cur);
|
||||
memory_region_set_dirty(&s->vga.vram, off_cur, off_cur_end - off_cur);
|
||||
off_begin += off_pitch;
|
||||
}
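Review bot: The new `assert(off_cur_end >= off_cur)` compares a masked end against an unmasked start: `off_cur_end` is ANDed with `cirrus_addr_mask` but `off_cur = off_begin` is not, so a line whose `off_begin + bytesperline` wraps past the mask (a blit ending at the top of VRAM), or an `off_begin` pushed below zero by the new `off_begin -= bytesperline - 1` shift, trips the assert and aborts QEMU; since these values derive from guest-programmed blit registers, that is a guest-reachable crash unless `blit_is_unsafe()` (outside this hunk) is guaranteed to have rejected every such blit. Mask the start the same way, `off_cur = off_begin & s->cirrus_addr_mask;`, and handle a wrapped line by clamping `off_cur_end` to the mask bound (or skipping the line) rather than asserting. All three parameters are plain `int`, so a negative `off_begin` is representable and is not caught by the mask alone.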
|
@ -0,0 +1,99 @@
|
||||
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
|
||||
Date: Tue, 24 Jan 2017 16:35:38 +0100
|
||||
Subject: [PATCH] cirrus: allow zero source pitch in pattern fill rops
|
||||
|
||||
The rops used by cirrus_bitblt_common_patterncopy only use
|
||||
the destination pitch, so the source pitch shoul allowed to
|
||||
be zero and the blit with used for the range check around the
|
||||
source address.
|
||||
|
||||
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
|
||||
Message-id: 1485272138-23249-1-git-send-email-w.bumiller@proxmox.com
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit 5858dd1801883309bdd208d72ddb81c4e9fee30c)
|
||||
---
|
||||
hw/display/cirrus_vga.c | 27 +++++++++++++++++++--------
|
||||
1 file changed, 19 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
|
||||
index 0f05e4596e..98f089e4e9 100644
|
||||
--- a/hw/display/cirrus_vga.c
|
||||
+++ b/hw/display/cirrus_vga.c
|
||||
@@ -272,9 +272,6 @@ static void cirrus_update_memory_access(CirrusVGAState *s);
|
||||
static bool blit_region_is_unsafe(struct CirrusVGAState *s,
|
||||
int32_t pitch, int32_t addr)
|
||||
{
|
||||
- if (!pitch) {
|
||||
- return true;
|
||||
- }
|
||||
if (pitch < 0) {
|
||||
int64_t min = addr
|
||||
+ ((int64_t)s->cirrus_blt_height-1) * pitch;
|
||||
@@ -294,8 +291,11 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
|
||||
return false;
|
||||
}
|
||||
|
||||
-static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only)
|
||||
+static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only,
|
||||
+ bool zero_src_pitch_ok)
|
||||
{
|
||||
+ int32_t check_pitch;
|
||||
+
|
||||
/* should be the case, see cirrus_bitblt_start */
|
||||
assert(s->cirrus_blt_width > 0);
|
||||
assert(s->cirrus_blt_height > 0);
|
||||
@@ -304,6 +304,10 @@ static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only)
|
||||
return true;
|
||||
}
|
||||
|
||||
+ if (!s->cirrus_blt_dstpitch) {
|
||||
+ return true;
|
||||
+ }
|
||||
+
|
||||
if (blit_region_is_unsafe(s, s->cirrus_blt_dstpitch,
|
||||
s->cirrus_blt_dstaddr & s->cirrus_addr_mask)) {
|
||||
return true;
|
||||
@@ -311,7 +315,13 @@ static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only)
|
||||
if (dst_only) {
|
||||
return false;
|
||||
}
|
||||
- if (blit_region_is_unsafe(s, s->cirrus_blt_srcpitch,
|
||||
+
|
||||
+ check_pitch = s->cirrus_blt_srcpitch;
|
||||
+ if (!zero_src_pitch_ok && !check_pitch) {
|
||||
+ check_pitch = s->cirrus_blt_width;
|
||||
+ }
|
||||
+
|
||||
+ if (blit_region_is_unsafe(s, check_pitch,
|
||||
s->cirrus_blt_srcaddr & s->cirrus_addr_mask)) {
|
||||
return true;
|
||||
}
|
||||
@@ -681,8 +691,9 @@ static int cirrus_bitblt_common_patterncopy(CirrusVGAState * s,
|
||||
|
||||
dst = s->vga.vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask);
|
||||
|
||||
- if (blit_is_unsafe(s, false))
|
||||
+ if (blit_is_unsafe(s, false, true)) {
|
||||
return 0;
|
||||
+ }
|
||||
|
||||
(*s->cirrus_rop) (s, dst, src,
|
||||
s->cirrus_blt_dstpitch, 0,
|
||||
@@ -699,7 +710,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop)
|
||||
{
|
||||
cirrus_fill_t rop_func;
|
||||
|
||||
- if (blit_is_unsafe(s, true)) {
|
||||
+ if (blit_is_unsafe(s, true, true)) {
|
||||
return 0;
|
||||
}
|
||||
rop_func = cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1];
|
||||
@@ -803,7 +814,7 @@ static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
|
||||
|
||||
static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
|
||||
{
|
||||
- if (blit_is_unsafe(s, false))
|
||||
+ if (blit_is_unsafe(s, false, false))
|
||||
return 0;
|
||||
|
||||
return cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr,
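Review bot: `blit_is_unsafe` now takes two positional booleans and its call sites read `blit_is_unsafe(s, false, true)`, `(s, true, true)` and `(s, false, false)`, which cannot be understood without the definition; either document both flags above the function or replace them with named flags (`BLIT_CHECK_SRC`, `BLIT_ALLOW_ZERO_SRC_PITCH`) combined into one `unsigned flags` argument. Substituting `cirrus_blt_width` for a zero source pitch in the video-to-video case is conservative (it checks a height x width region for a source that actually re-reads a single line), which is the safe direction, but a comment saying so stops someone "tightening" it later: `/* zero pitch re-reads one line; checking width*height over-approximates, deliberately */`. `blit_is_unsafe` itself begins in an earlier hunk of this file.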
|
101
0062-cirrus-fix-blit-address-mask-handling.patch
Normal file
101
0062-cirrus-fix-blit-address-mask-handling.patch
Normal file
@ -0,0 +1,101 @@
|
||||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Wed, 25 Jan 2017 11:09:56 +0100
|
||||
Subject: [PATCH] cirrus: fix blit address mask handling
|
||||
|
||||
Apply the cirrus_addr_mask to cirrus_blt_dstaddr and cirrus_blt_srcaddr
|
||||
right after assigning them, in cirrus_bitblt_start(), instead of having
|
||||
this all over the place in the cirrus code, and missing a few places.
|
||||
|
||||
Reported-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Message-id: 1485338996-17095-1-git-send-email-kraxel@redhat.com
|
||||
(cherry picked from commit 60cd23e85151525ab26591394c4e7e06fa07d216)
|
||||
---
|
||||
hw/display/cirrus_vga.c | 25 ++++++++++++-------------
|
||||
1 file changed, 12 insertions(+), 13 deletions(-)
|
||||
|
||||
diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
|
||||
index 98f089e4e9..7db6409dc5 100644
|
||||
--- a/hw/display/cirrus_vga.c
|
||||
+++ b/hw/display/cirrus_vga.c
|
||||
@@ -309,7 +309,7 @@ static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only,
|
||||
}
|
||||
|
||||
if (blit_region_is_unsafe(s, s->cirrus_blt_dstpitch,
|
||||
- s->cirrus_blt_dstaddr & s->cirrus_addr_mask)) {
|
||||
+ s->cirrus_blt_dstaddr)) {
|
||||
return true;
|
||||
}
|
||||
if (dst_only) {
|
||||
@@ -322,7 +322,7 @@ static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only,
|
||||
}
|
||||
|
||||
if (blit_region_is_unsafe(s, check_pitch,
|
||||
- s->cirrus_blt_srcaddr & s->cirrus_addr_mask)) {
|
||||
+ s->cirrus_blt_srcaddr)) {
|
||||
return true;
|
||||
}
|
||||
|
||||
@@ -689,7 +689,7 @@ static int cirrus_bitblt_common_patterncopy(CirrusVGAState * s,
|
||||
{
|
||||
uint8_t *dst;
|
||||
|
||||
- dst = s->vga.vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask);
|
||||
+ dst = s->vga.vram_ptr + s->cirrus_blt_dstaddr;
|
||||
|
||||
if (blit_is_unsafe(s, false, true)) {
|
||||
return 0;
|
||||
@@ -714,7 +714,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop)
|
||||
return 0;
|
||||
}
|
||||
rop_func = cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1];
|
||||
- rop_func(s, s->vga.vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask),
|
||||
+ rop_func(s, s->vga.vram_ptr + s->cirrus_blt_dstaddr,
|
||||
s->cirrus_blt_dstpitch,
|
||||
s->cirrus_blt_width, s->cirrus_blt_height);
|
||||
cirrus_invalidate_region(s, s->cirrus_blt_dstaddr,
|
||||
@@ -732,9 +732,8 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop)
|
||||
|
||||
static int cirrus_bitblt_videotovideo_patterncopy(CirrusVGAState * s)
|
||||
{
|
||||
- return cirrus_bitblt_common_patterncopy(s,
|
||||
- s->vga.vram_ptr + ((s->cirrus_blt_srcaddr & ~7) &
|
||||
- s->cirrus_addr_mask));
|
||||
+ return cirrus_bitblt_common_patterncopy(s, s->vga.vram_ptr +
|
||||
+ (s->cirrus_blt_srcaddr & ~7));
|
||||
}
|
||||
|
||||
static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
|
||||
@@ -788,10 +787,8 @@ static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
|
||||
if (notify)
|
||||
graphic_hw_update(s->vga.con);
|
||||
|
||||
- (*s->cirrus_rop) (s, s->vga.vram_ptr +
|
||||
- (s->cirrus_blt_dstaddr & s->cirrus_addr_mask),
|
||||
- s->vga.vram_ptr +
|
||||
- (s->cirrus_blt_srcaddr & s->cirrus_addr_mask),
|
||||
+ (*s->cirrus_rop) (s, s->vga.vram_ptr + s->cirrus_blt_dstaddr,
|
||||
+ s->vga.vram_ptr + s->cirrus_blt_srcaddr,
|
||||
s->cirrus_blt_dstpitch, s->cirrus_blt_srcpitch,
|
||||
s->cirrus_blt_width, s->cirrus_blt_height);
|
||||
|
||||
@@ -842,8 +839,7 @@ static void cirrus_bitblt_cputovideo_next(CirrusVGAState * s)
|
||||
} else {
|
||||
/* at least one scan line */
|
||||
do {
|
||||
- (*s->cirrus_rop)(s, s->vga.vram_ptr +
|
||||
- (s->cirrus_blt_dstaddr & s->cirrus_addr_mask),
|
||||
+ (*s->cirrus_rop)(s, s->vga.vram_ptr + s->cirrus_blt_dstaddr,
|
||||
s->cirrus_bltbuf, 0, 0, s->cirrus_blt_width, 1);
|
||||
cirrus_invalidate_region(s, s->cirrus_blt_dstaddr, 0,
|
||||
s->cirrus_blt_width, 1);
|
||||
@@ -962,6 +958,9 @@ static void cirrus_bitblt_start(CirrusVGAState * s)
|
||||
s->cirrus_blt_modeext = s->vga.gr[0x33];
|
||||
blt_rop = s->vga.gr[0x32];
|
||||
|
||||
+ s->cirrus_blt_dstaddr &= s->cirrus_addr_mask;
|
||||
+ s->cirrus_blt_srcaddr &= s->cirrus_addr_mask;
|
||||
+
|
||||
#ifdef DEBUG_BITBLT
|
||||
printf("rop=0x%02x mode=0x%02x modeext=0x%02x w=%d h=%d dpitch=%d spitch=%d daddr=0x%08x saddr=0x%08x writemask=0x%02x\n",
|
||||
blt_rop,
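Review bot: Masking `cirrus_blt_dstaddr`/`srcaddr` once in `cirrus_bitblt_start` is a cleaner model, but it quietly changes the invariant the rest of the file depends on: every later `s->vga.vram_ptr + s->cirrus_blt_dstaddr` (for example the `cirrus_bitblt_cputovideo_next` rop call shown) is now bounded only by `blit_region_is_unsafe()` having covered the full `height * pitch` footprint, and if that path advances `cirrus_blt_dstaddr` per scanline (the loop body is outside this hunk) those advanced values are never masked again. A comment at the new mask site should pin this down: `/* Masked once here; later uses are unmasked and rely on blit_is_unsafe() bounding the whole region. */`. Clearing the low bits with `& ~7` in `cirrus_bitblt_videotovideo_patterncopy` after the mask is fine, since it can only lower the address.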
|
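--- a/0063-cirrus-fix-oob-access-issue-CVE-2017-2615.patch
+++ b/0063-cirrus-fix-oob-access-issue-CVE-2017-2615.patch
@@ -0,0 +1,45 @@
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Wed, 1 Feb 2017 09:35:01 +0100
+Subject: [PATCH] cirrus: fix oob access issue (CVE-2017-2615)
+
+When doing bitblt copy in backward mode, we should minus the
+blt width first just like the adding in the forward mode. This
+can avoid the oob access of the front of vga's vram.
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+
+{ kraxel: with backward blits (negative pitch) addr is the topmost
+address, so check it as-is against vram size ]
+
+Cc: qemu-stable@nongnu.org
+Cc: P J P <ppandit@redhat.com>
+Cc: Laszlo Ersek <lersek@redhat.com>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106)
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: 1485938101-26602-1-git-send-email-kraxel@redhat.com
+Reviewed-by: Laszlo Ersek <lersek@redhat.com>
+(cherry picked from commit 62d4c6bd5263bb8413a06c80144fc678df6dfb64)
+---
+hw/display/cirrus_vga.c | 7 +++----
+1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
+index 7db6409dc5..16f27e8ac5 100644
+--- a/hw/display/cirrus_vga.c
++++ b/hw/display/cirrus_vga.c
+@@ -274,10 +274,9 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
+{
+if (pitch < 0) {
+int64_t min = addr
+- + ((int64_t)s->cirrus_blt_height-1) * pitch;
+- int32_t max = addr
+- + s->cirrus_blt_width;
+- if (min < 0 || max > s->vga.vram_size) {
++ + ((int64_t)s->cirrus_blt_height - 1) * pitch
++ - s->cirrus_blt_width;
++ if (min < -1 || addr >= s->vga.vram_size) {
+return true;
+}
+} else {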
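Review bot: The negative-pitch branch of blit_region_is_unsafe now tests `min < -1` without saying what `min` is, and the -1 reads like an off-by-one unless the reader works out that `min` is one byte below the lowest address a backward blit touches (the last row starts at `addr + (height-1)*pitch` and the rop walks `width` bytes downward from there). A comment such as `/* backward blit: addr is the highest byte touched, min is one below the lowest */` above the test would keep the next maintainer from "fixing" it to `min < 0`. The `addr >= s->vga.vram_size` comparison mixes a signed addr with what is presumably an unsigned vram_size; that works in the safe direction here (a negative addr promotes to a huge value and is rejected) but deserves the same note. blit_region_is_unsafe begins and ends outside this hunk.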
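--- a/0064-cirrus-fix-patterncopy-checks.patch
+++ b/0064-cirrus-fix-patterncopy-checks.patch
@@ -0,0 +1,101 @@
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Thu, 9 Feb 2017 14:02:20 +0100
+Subject: [PATCH] cirrus: fix patterncopy checks
+
+The blit_region_is_unsafe checks don't work correctly for the
+patterncopy source. It's a fixed-sized region, which doesn't
+depend on cirrus_blt_{width,height}. So go do the check in
+cirrus_bitblt_common_patterncopy instead, then tell blit_is_unsafe that
+it doesn't need to verify the source. Also handle the case where we
+blit from cirrus_bitbuf correctly.
+
+This patch replaces 5858dd1801883309bdd208d72ddb81c4e9fee30c.
+
+Security impact: I think for the most part error on the safe side this
+time, refusing blits which should have been allowed.
+
+Only exception is placing the blit source at the end of the video ram,
+so cirrus_blt_srcaddr + 256 goes beyond the end of video memory. But
+even in that case I'm not fully sure this actually allows read access to
+host memory. To trick the commit 5858dd18 security checks one has to
+pick very small cirrus_blt_{width,height} values, which in turn implies
+only a fraction of the blit source will actually be used.
+
+Cc: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Cc: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Reviewed-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Reviewed-by: Laurent Vivier <lvivier@redhat.com>
+Message-id: 1486645341-5010-1-git-send-email-kraxel@redhat.com
+(cherry picked from commit 95280c31cda79bb1d0968afc7b19a220b3a9d986)
+---
+hw/display/cirrus_vga.c | 36 ++++++++++++++++++++++++++++++------
+1 file changed, 30 insertions(+), 6 deletions(-)
+
+diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
+index 16f27e8ac5..6bd13fc78f 100644
+--- a/hw/display/cirrus_vga.c
++++ b/hw/display/cirrus_vga.c
+@@ -683,14 +683,39 @@ static void cirrus_invalidate_region(CirrusVGAState * s, int off_begin,
+}
+}
+
+-static int cirrus_bitblt_common_patterncopy(CirrusVGAState * s,
+- const uint8_t * src)
++static int cirrus_bitblt_common_patterncopy(CirrusVGAState *s, bool videosrc)
+{
++ uint32_t patternsize;
+uint8_t *dst;
++ uint8_t *src;
+
+dst = s->vga.vram_ptr + s->cirrus_blt_dstaddr;
+
+- if (blit_is_unsafe(s, false, true)) {
++ if (videosrc) {
++ switch (s->vga.get_bpp(&s->vga)) {
++ case 8:
++ patternsize = 64;
++ break;
++ case 15:
++ case 16:
++ patternsize = 128;
++ break;
++ case 24:
++ case 32:
++ default:
++ patternsize = 256;
++ break;
++ }
++ s->cirrus_blt_srcaddr &= ~(patternsize - 1);
++ if (s->cirrus_blt_srcaddr + patternsize > s->vga.vram_size) {
++ return 0;
++ }
++ src = s->vga.vram_ptr + s->cirrus_blt_srcaddr;
++ } else {
++ src = s->cirrus_bltbuf;
++ }
++
++ if (blit_is_unsafe(s, true, true)) {
+return 0;
+}
+
+@@ -731,8 +756,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop)
+
+static int cirrus_bitblt_videotovideo_patterncopy(CirrusVGAState * s)
+{
+- return cirrus_bitblt_common_patterncopy(s, s->vga.vram_ptr +
+- (s->cirrus_blt_srcaddr & ~7));
++ return cirrus_bitblt_common_patterncopy(s, true);
+}
+
+static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
+@@ -831,7 +855,7 @@ static void cirrus_bitblt_cputovideo_next(CirrusVGAState * s)
+
+if (s->cirrus_srccounter > 0) {
+if (s->cirrus_blt_mode & CIRRUS_BLTMODE_PATTERNCOPY) {
+- cirrus_bitblt_common_patterncopy(s, s->cirrus_bltbuf);
++ cirrus_bitblt_common_patterncopy(s, false);
+the_end:
+s->cirrus_srccounter = 0;
+cirrus_bitblt_reset(s);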
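Review bot: The patternsize table in cirrus_bitblt_common_patterncopy carries no explanation of where 64/128/256 come from, and the `&= ~(patternsize - 1)` alignment only works because every value is a power of two; a comment such as `/* 8x8 pattern: 64 pixels times bytes per pixel, rounded up to a power of two so the mask below aligns srcaddr */` would record both facts (the 24bpp case landing on 256 rather than 192 is exactly what a reader will otherwise "correct"). The `s->cirrus_blt_srcaddr + patternsize > s->vga.vram_size` test can only be free of wrap-around if srcaddr was already masked with cirrus_addr_mask in cirrus_bitblt_start, as the earlier patch on this page does; that dependency is worth a one-line note next to the check. The function continues past the end of the first hunk.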
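--- a/0065-Revert-cirrus-allow-zero-source-pitch-in-pattern-fil.patch
+++ b/0065-Revert-cirrus-allow-zero-source-pitch-in-pattern-fil.patch
@@ -0,0 +1,100 @@
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Thu, 9 Feb 2017 14:02:21 +0100
+Subject: [PATCH] Revert "cirrus: allow zero source pitch in pattern fill rops"
+
+This reverts commit 5858dd1801883309bdd208d72ddb81c4e9fee30c.
+
+Conflicts:
+hw/display/cirrus_vga.c
+
+Cc: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Cc: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Reviewed-by: Laurent Vivier <lvivier@redhat.com>
+Message-id: 1486645341-5010-2-git-send-email-kraxel@redhat.com
+(cherry picked from commit 12e97ec39931e5321645fd483ab761319d48bf16)
+---
+hw/display/cirrus_vga.c | 26 ++++++++------------------
+1 file changed, 8 insertions(+), 18 deletions(-)
+
+diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
+index 6bd13fc78f..0e47cf85ad 100644
+--- a/hw/display/cirrus_vga.c
++++ b/hw/display/cirrus_vga.c
+@@ -272,6 +272,9 @@ static void cirrus_update_memory_access(CirrusVGAState *s);
+static bool blit_region_is_unsafe(struct CirrusVGAState *s,
+int32_t pitch, int32_t addr)
+{
++ if (!pitch) {
++ return true;
++ }
+if (pitch < 0) {
+int64_t min = addr
++ ((int64_t)s->cirrus_blt_height - 1) * pitch
+@@ -290,11 +293,8 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
+return false;
+}
+
+-static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only,
+- bool zero_src_pitch_ok)
++static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only)
+{
+- int32_t check_pitch;
+-
+/* should be the case, see cirrus_bitblt_start */
+assert(s->cirrus_blt_width > 0);
+assert(s->cirrus_blt_height > 0);
+@@ -303,10 +303,6 @@ static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only,
+return true;
+}
+
+- if (!s->cirrus_blt_dstpitch) {
+- return true;
+- }
+-
+if (blit_region_is_unsafe(s, s->cirrus_blt_dstpitch,
+s->cirrus_blt_dstaddr)) {
+return true;
+@@ -314,13 +310,7 @@ static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only,
+if (dst_only) {
+return false;
+}
+-
+- check_pitch = s->cirrus_blt_srcpitch;
+- if (!zero_src_pitch_ok && !check_pitch) {
+- check_pitch = s->cirrus_blt_width;
+- }
+-
+- if (blit_region_is_unsafe(s, check_pitch,
++ if (blit_region_is_unsafe(s, s->cirrus_blt_srcpitch,
+s->cirrus_blt_srcaddr)) {
+return true;
+}
+@@ -715,7 +705,7 @@ static int cirrus_bitblt_common_patterncopy(CirrusVGAState *s, bool videosrc)
+src = s->cirrus_bltbuf;
+}
+
+- if (blit_is_unsafe(s, true, true)) {
++ if (blit_is_unsafe(s, true)) {
+return 0;
+}
+
+@@ -734,7 +724,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop)
+{
+cirrus_fill_t rop_func;
+
+- if (blit_is_unsafe(s, true, true)) {
++ if (blit_is_unsafe(s, true)) {
+return 0;
+}
+rop_func = cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1];
+@@ -834,7 +824,7 @@ static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
+
+static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
+{
+- if (blit_is_unsafe(s, false, false))
++ if (blit_is_unsafe(s, false))
+return 0;
+
+return cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr,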
@ -0,0 +1,46 @@
|
||||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Wed, 8 Feb 2017 11:18:36 +0100
|
||||
Subject: [PATCH] cirrus: add blit_is_unsafe call to cirrus_bitblt_cputovideo
|
||||
(CVE-2017-2620)
|
||||
|
||||
CIRRUS_BLTMODE_MEMSYSSRC blits do NOT check blit destination
|
||||
and blit width, at all. Oops. Fix it.
|
||||
|
||||
Security impact: high.
|
||||
|
||||
The missing blit destination check allows to write to host memory.
|
||||
Basically same as CVE-2014-8106 for the other blit variants.
|
||||
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit 92f2b88cea48c6aeba8de568a45f2ed958f3c298)
|
||||
---
|
||||
hw/display/cirrus_vga.c | 8 ++++++++
|
||||
1 file changed, 8 insertions(+)
|
||||
|
||||
diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
|
||||
index 0e47cf85ad..a093dc8b16 100644
|
||||
--- a/hw/display/cirrus_vga.c
|
||||
+++ b/hw/display/cirrus_vga.c
|
||||
@@ -899,6 +899,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s)
|
||||
{
|
||||
int w;
|
||||
|
||||
+ if (blit_is_unsafe(s, true)) {
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
s->cirrus_blt_mode &= ~CIRRUS_BLTMODE_MEMSYSSRC;
|
||||
s->cirrus_srcptr = &s->cirrus_bltbuf[0];
|
||||
s->cirrus_srcptr_end = &s->cirrus_bltbuf[0];
|
||||
@@ -924,6 +928,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s)
|
||||
}
|
||||
s->cirrus_srccounter = s->cirrus_blt_srcpitch * s->cirrus_blt_height;
|
||||
}
|
||||
+
|
||||
+ /* the blit_is_unsafe call above should catch this */
|
||||
+ assert(s->cirrus_blt_srcpitch <= CIRRUS_BLTBUFSIZE);
|
||||
+
|
||||
s->cirrus_srcptr = s->cirrus_bltbuf;
|
||||
s->cirrus_srcptr_end = s->cirrus_bltbuf + s->cirrus_blt_srcpitch;
|
||||
cirrus_update_memory_access(s);
|
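Review bot: `assert(s->cirrus_blt_srcpitch <= CIRRUS_BLTBUFSIZE)` guards a value derived from guest-written blitter registers, so if the reasoning in the comment above it is ever wrong the outcome is a guest-triggerable abort of the whole VM rather than a rejected blit. The derivation of cirrus_blt_srcpitch sits between the two hunks and is not visible here, and whether blit_is_unsafe bounds srcpitch itself (rather than width) is not shown in this series either, so an explicit bail-out `if (s->cirrus_blt_srcpitch > CIRRUS_BLTBUFSIZE) { return 0; }` would fail closed instead of crashing. Returning 0 right after blit_is_unsafe also leaves cirrus_blt_mode and the srcptr fields untouched; that is presumably what callers expect for "no blit started", but the contract is outside this hunk. cirrus_bitblt_cputovideo continues between and after the hunks.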
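--- a/0067-egl-helpers-Support-newer-MESA-versions.patch
+++ b/0067-egl-helpers-Support-newer-MESA-versions.patch
@@ -0,0 +1,33 @@
+From: Frediano Ziglio <fziglio@redhat.com>
+Date: Mon, 20 Feb 2017 09:50:55 +0000
+Subject: [PATCH] egl-helpers: Support newer MESA versions
+
+According to
+https://www.khronos.org/registry/EGL/extensions/MESA/EGL_MESA_platform_gbm.txt
+if MESA_platform_gbm is supported display should be initialized
+from a GBM handle using eglGetPlatformDisplayEXT.
+
+Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
+Message-id: 20170220095055.4234-1-fziglio@redhat.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit 0ea1523fb6703aa0dcd65e66b59e96fec028e60a)
+---
+ui/egl-helpers.c | 4 ++++
+1 file changed, 4 insertions(+)
+
+diff --git a/ui/egl-helpers.c b/ui/egl-helpers.c
+index 79cee0503a..d8d57c4bbe 100644
+--- a/ui/egl-helpers.c
++++ b/ui/egl-helpers.c
+@@ -203,7 +203,11 @@ int qemu_egl_init_dpy(EGLNativeDisplayType dpy, bool gles, bool debug)
+}
+
+egl_dbg("eglGetDisplay (dpy %p) ...\n", dpy);
++#ifdef EGL_MESA_platform_gbm
++ qemu_egl_display = eglGetPlatformDisplayEXT(EGL_PLATFORM_GBM_MESA, dpy, NULL);
++#else
+qemu_egl_display = eglGetDisplay(dpy);
++#endif
+if (qemu_egl_display == EGL_NO_DISPLAY) {
+error_report("egl: eglGetDisplay failed");
+return -1;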
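Review bot: The `#ifdef EGL_MESA_platform_gbm` branch only tests that the build-time header defines the MESA platform constant, not that the EGL implementation loaded at runtime supports the extension; when it does not, eglGetPlatformDisplayEXT yields EGL_NO_DISPLAY and the existing check then fails display init outright instead of trying `eglGetDisplay(dpy)` as the old code did. Falling back to the legacy call when the platform call returns EGL_NO_DISPLAY keeps older drivers working, and the `egl: eglGetDisplay failed` message should name the call that actually failed on the new path. qemu_egl_init_dpy begins and ends outside this hunk.
```c
#ifdef EGL_MESA_platform_gbm
    qemu_egl_display = eglGetPlatformDisplayEXT(EGL_PLATFORM_GBM_MESA, dpy, NULL);
    if (qemu_egl_display == EGL_NO_DISPLAY) {
        /* runtime EGL lacks the MESA gbm platform: fall back to the legacy entry point */
        qemu_egl_display = eglGetDisplay(dpy);
    }
#else
    qemu_egl_display = eglGetDisplay(dpy);
#endif
/* … unchanged: EGL_NO_DISPLAY error check … */
```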
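--- a/0068-char-drop-data-written-to-a-disconnected-pty.patch
+++ b/0068-char-drop-data-written-to-a-disconnected-pty.patch
@@ -0,0 +1,32 @@
+From: Ed Swierk <eswierk@skyportsystems.com>
+Date: Tue, 31 Jan 2017 05:45:29 -0800
+Subject: [PATCH] char: drop data written to a disconnected pty
+
+When a serial port writes data to a pty that's disconnected, drop the
+data and return the length dropped. This avoids triggering pointless
+retries in callers like the 16550A serial_xmit(), and causes
+qemu_chr_fe_write() to write all data to the log file, rather than
+logging only while a pty client like virsh console happens to be
+connected.
+
+Signed-off-by: Ed Swierk <eswierk@skyportsystems.com>
+Message-Id: <1485870329-79428-1-git-send-email-eswierk@skyportsystems.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 1c64fdbc8177058802df205f5d7cd65edafa59a8)
+---
+qemu-char.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/qemu-char.c b/qemu-char.c
+index 90e96271dd..4ec9ae5b94 100644
+--- a/qemu-char.c
++++ b/qemu-char.c
+@@ -1328,7 +1328,7 @@ static int pty_chr_write(CharDriverState *chr, const uint8_t *buf, int len)
+/* guest sends data, check for (re-)connect */
+pty_chr_update_read_handler_locked(chr);
+if (!s->connected) {
+- return 0;
++ return len;
+}
+}
+return io_channel_send(s->ioc, buf, len);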
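Review bot: `return len;` on the disconnected path silently claims the data was written, and a reader of pty_chr_write alone cannot tell this is deliberate rather than a copy-paste of the success case; a comment such as `/* nobody listening: drop the data but report it written so callers (e.g. serial_xmit) do not retry */` next to it would keep the reasoning from the commit message with the code. It also means callers can no longer detect a disconnected pty from the return value, which is the intended trade-off but worth stating where the value is produced. pty_chr_write begins outside the hunk.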
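--- a/0069-dma-rc4030-limit-interval-timer-reload-value.patch
+++ b/0069-dma-rc4030-limit-interval-timer-reload-value.patch
@@ -0,0 +1,35 @@
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Wed, 12 Oct 2016 18:07:41 +0530
+Subject: [PATCH] dma: rc4030: limit interval timer reload value
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The JAZZ RC4030 chipset emulator has a periodic timer and
+associated interval reload register. The reload value is used
+as divider when computing timer's next tick value. If reload
+value is large, it could lead to divide by zero error. Limit
+the interval reload value to avoid it.
+
+Reported-by: Huawei PSIRT <psirt@huawei.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Tested-by: Hervé Poussineau <hpoussin@reactos.org>
+Signed-off-by: Yongbok Kim <yongbok.kim@imgtec.com>
+(cherry picked from commit c0a3172fa6bbddcc73192f2a2c48d0bf3a7ba61c)
+---
+hw/dma/rc4030.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/dma/rc4030.c b/hw/dma/rc4030.c
+index 2f2576fafb..c1b4997c73 100644
+--- a/hw/dma/rc4030.c
++++ b/hw/dma/rc4030.c
+@@ -460,7 +460,7 @@ static void rc4030_write(void *opaque, hwaddr addr, uint64_t data,
+break;
+/* Interval timer reload */
+case 0x0228:
+- s->itr = val;
++ s->itr = val & 0x01FF;
+qemu_irq_lower(s->timer_irq);
+set_next_tick(s);
+break;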
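Review bot: `s->itr = val & 0x01FF;` introduces a 9-bit mask with no comment, so a reader cannot tell whether 511 is the width of the hardware reload register or an arbitrary bound chosen only to keep the divisor in set_next_tick non-zero. Suggest `/* reload register is 9 bits wide; masking also keeps set_next_tick's divisor non-zero */`, adjusted to whichever justification the RC4030 documentation actually supports. Silently truncating an out-of-range write rather than ignoring it is a behavioural choice the same comment should state. rc4030_write's body continues outside this hunk.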
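--- a/0070-slirp-Make-RA-build-more-flexible.patch
+++ b/0070-slirp-Make-RA-build-more-flexible.patch
@@ -0,0 +1,88 @@
+From: Samuel Thibault <samuel.thibault@ens-lyon.org>
+Date: Sun, 26 Mar 2017 20:28:11 +0200
+Subject: [PATCH] slirp: Make RA build more flexible
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Do not hardcode the RA size at all, use a pl_size variable which
+accounts the accumulated size, and fill rip->ip_pl at the end.
+
+This will allow to make some blocks optional.
+
+Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+(cherry picked from commit e42f869b5118fa9ac64dcea624276204567fc581)
+---
+slirp/ip6_icmp.c | 24 +++++++++---------------
+1 file changed, 9 insertions(+), 15 deletions(-)
+
+diff --git a/slirp/ip6_icmp.c b/slirp/ip6_icmp.c
+index 6d18e28985..3f7438996f 100644
+--- a/slirp/ip6_icmp.c
++++ b/slirp/ip6_icmp.c
+@@ -143,17 +143,10 @@ void ndp_send_ra(Slirp *slirp)
+/* Build IPv6 packet */
+struct mbuf *t = m_get(slirp);
+struct ip6 *rip = mtod(t, struct ip6 *);
++ size_t pl_size = 0;
+rip->ip_src = (struct in6_addr)LINKLOCAL_ADDR;
+rip->ip_dst = (struct in6_addr)ALLNODES_MULTICAST;
+rip->ip_nh = IPPROTO_ICMPV6;
+- rip->ip_pl = htons(ICMP6_NDP_RA_MINLEN
+- + NDPOPT_LINKLAYER_LEN
+- + NDPOPT_PREFIXINFO_LEN
+-#ifndef _WIN32
+- + NDPOPT_RDNSS_LEN
+-#endif
+- );
+- t->m_len = sizeof(struct ip6) + ntohs(rip->ip_pl);
+
+/* Build ICMPv6 packet */
+t->m_data += sizeof(struct ip6);
+@@ -171,6 +164,7 @@ void ndp_send_ra(Slirp *slirp)
+ricmp->icmp6_nra.reach_time = htonl(NDP_AdvReachableTime);
+ricmp->icmp6_nra.retrans_time = htonl(NDP_AdvRetransTime);
+t->m_data += ICMP6_NDP_RA_MINLEN;
++ pl_size += ICMP6_NDP_RA_MINLEN;
+
+/* Source link-layer address (NDP option) */
+struct ndpopt *opt = mtod(t, struct ndpopt *);
+@@ -178,6 +172,7 @@ void ndp_send_ra(Slirp *slirp)
+opt->ndpopt_len = NDPOPT_LINKLAYER_LEN / 8;
+in6_compute_ethaddr(rip->ip_src, opt->ndpopt_linklayer);
+t->m_data += NDPOPT_LINKLAYER_LEN;
++ pl_size += NDPOPT_LINKLAYER_LEN;
+
+/* Prefix information (NDP option) */
+struct ndpopt *opt2 = mtod(t, struct ndpopt *);
+@@ -192,6 +187,7 @@ void ndp_send_ra(Slirp *slirp)
+opt2->ndpopt_prefixinfo.reserved2 = 0;
+opt2->ndpopt_prefixinfo.prefix = slirp->vprefix_addr6;
+t->m_data += NDPOPT_PREFIXINFO_LEN;
++ pl_size += NDPOPT_PREFIXINFO_LEN;
+
+#ifndef _WIN32
+/* Prefix information (NDP option) */
+@@ -203,16 +199,14 @@ void ndp_send_ra(Slirp *slirp)
+opt3->ndpopt_rdnss.lifetime = htonl(2 * NDP_MaxRtrAdvInterval);
+opt3->ndpopt_rdnss.addr = slirp->vnameserver_addr6;
+t->m_data += NDPOPT_RDNSS_LEN;
++ pl_size += NDPOPT_RDNSS_LEN;
+#endif
+
++ rip->ip_pl = htons(pl_size);
++ t->m_data -= sizeof(struct ip6) + pl_size;
++ t->m_len = sizeof(struct ip6) + pl_size;
++
+/* ICMPv6 Checksum */
+-#ifndef _WIN32
+- t->m_data -= NDPOPT_RDNSS_LEN;
+-#endif
+- t->m_data -= NDPOPT_PREFIXINFO_LEN;
+- t->m_data -= NDPOPT_LINKLAYER_LEN;
+- t->m_data -= ICMP6_NDP_RA_MINLEN;
+- t->m_data -= sizeof(struct ip6);
+ricmp->icmp6_cksum = ip6_cksum(t);
+
+ip6_output(NULL, t, 0);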
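Review bot: The pair `t->m_data += N; pl_size += N;` now appears four times in ndp_send_ra, and the two can silently drift apart if a later option is added with only one of them, which would leave ip_pl shorter than the bytes actually written into the mbuf. A small static helper such as `static void ra_advance(struct mbuf *t, size_t *pl_size, size_t n) { t->m_data += n; *pl_size += n; }` called at each step would tie them together. `htons(pl_size)` also narrows a size_t to 16 bits implicitly; an explicit `(uint16_t)` cast with a comment that an RA is far below 64 KiB makes that deliberate. The function begins and ends outside these hunks.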
@ -0,0 +1,65 @@
|
||||
From: Samuel Thibault <samuel.thibault@ens-lyon.org>
|
||||
Date: Sun, 26 Mar 2017 20:46:34 +0200
|
||||
Subject: [PATCH] slirp: Send RDNSS in RA only if host has an IPv6 DNS server
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Previously we would always send an RDNSS option in the RA, making the guest
|
||||
try to resolve DNS through IPv6, even if the host does not actually have
|
||||
and IPv6 DNS server available.
|
||||
|
||||
This makes the RDNSS option enabled only when an IPv6 DNS server is
|
||||
available.
|
||||
|
||||
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
|
||||
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
|
||||
(cherry picked from commit a2f80fdfc683019901cdf4c0863a5920c0ca7245)
|
||||
---
|
||||
slirp/ip6_icmp.c | 25 ++++++++++++++-----------
|
||||
1 file changed, 14 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/slirp/ip6_icmp.c b/slirp/ip6_icmp.c
|
||||
index 3f7438996f..4c71f4c2fc 100644
|
||||
--- a/slirp/ip6_icmp.c
|
||||
+++ b/slirp/ip6_icmp.c
|
||||
@@ -144,6 +144,9 @@ void ndp_send_ra(Slirp *slirp)
|
||||
struct mbuf *t = m_get(slirp);
|
||||
struct ip6 *rip = mtod(t, struct ip6 *);
|
||||
size_t pl_size = 0;
|
||||
+ struct in6_addr addr;
|
||||
+ uint32_t scope_id;
|
||||
+
|
||||
rip->ip_src = (struct in6_addr)LINKLOCAL_ADDR;
|
||||
rip->ip_dst = (struct in6_addr)ALLNODES_MULTICAST;
|
||||
rip->ip_nh = IPPROTO_ICMPV6;
|
||||
@@ -189,18 +192,18 @@ void ndp_send_ra(Slirp *slirp)
|
||||
t->m_data += NDPOPT_PREFIXINFO_LEN;
|
||||
pl_size += NDPOPT_PREFIXINFO_LEN;
|
||||
|
||||
-#ifndef _WIN32
|
||||
/* Prefix information (NDP option) */
|
||||
- /* disabled for windows for now, until get_dns6_addr is implemented */
|
||||
- struct ndpopt *opt3 = mtod(t, struct ndpopt *);
|
||||
- opt3->ndpopt_type = NDPOPT_RDNSS;
|
||||
- opt3->ndpopt_len = NDPOPT_RDNSS_LEN / 8;
|
||||
- opt3->ndpopt_rdnss.reserved = 0;
|
||||
- opt3->ndpopt_rdnss.lifetime = htonl(2 * NDP_MaxRtrAdvInterval);
|
||||
- opt3->ndpopt_rdnss.addr = slirp->vnameserver_addr6;
|
||||
- t->m_data += NDPOPT_RDNSS_LEN;
|
||||
- pl_size += NDPOPT_RDNSS_LEN;
|
||||
-#endif
|
||||
+ if (get_dns6_addr(&addr, &scope_id) >= 0) {
|
||||
+ /* Host system does have an IPv6 DNS server, announce our proxy. */
|
||||
+ struct ndpopt *opt3 = mtod(t, struct ndpopt *);
|
||||
+ opt3->ndpopt_type = NDPOPT_RDNSS;
|
||||
+ opt3->ndpopt_len = NDPOPT_RDNSS_LEN / 8;
|
||||
+ opt3->ndpopt_rdnss.reserved = 0;
|
||||
+ opt3->ndpopt_rdnss.lifetime = htonl(2 * NDP_MaxRtrAdvInterval);
|
||||
+ opt3->ndpopt_rdnss.addr = slirp->vnameserver_addr6;
|
||||
+ t->m_data += NDPOPT_RDNSS_LEN;
|
||||
+ pl_size += NDPOPT_RDNSS_LEN;
|
||||
+ }
|
||||
|
||||
rip->ip_pl = htons(pl_size);
|
||||
t->m_data -= sizeof(struct ip6) + pl_size;
|
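Review bot: Dropping the `#ifndef _WIN32` guard means `get_dns6_addr(&addr, &scope_id)` is now compiled unconditionally, while the comment this hunk removes (`disabled for windows for now, until get_dns6_addr is implemented`) says the function did not exist on Windows; unless a Windows implementation or stub landed in a change not on this page, this breaks the Windows build. `addr` and `scope_id` are only probed and never used — the announced address stays `slirp->vnameserver_addr6` — so a comment such as `/* only checking that the host has an IPv6 resolver; we announce our own proxy address */` would stop readers from assuming an assignment is missing. ndp_send_ra continues past the end of the second hunk.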
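--- a/0072-qxl-clear-guest_cursor-on-QXL_CURSOR_HIDE.patch
+++ b/0072-qxl-clear-guest_cursor-on-QXL_CURSOR_HIDE.patch
@@ -0,0 +1,37 @@
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 6 Mar 2017 09:31:51 +0100
+Subject: [PATCH] qxl: clear guest_cursor on QXL_CURSOR_HIDE
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Make sure we don't leave guest_cursor pointing into nowhere. This might
+lead to (rare) live migration failures, due to target trying to restore
+the cursor from the stale pointer.
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1421788
+Reported-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-id: 1488789111-27340-1-git-send-email-kraxel@redhat.com
+(cherry picked from commit dbb5fb8d3519130559b10fa4e1395e4486c633f8)
+---
+hw/display/qxl.c | 5 +++++
+1 file changed, 5 insertions(+)
+
+diff --git a/hw/display/qxl.c b/hw/display/qxl.c
+index 62d0c80dcf..e09ce10660 100644
+--- a/hw/display/qxl.c
++++ b/hw/display/qxl.c
+@@ -478,6 +478,11 @@ static int qxl_track_command(PCIQXLDevice *qxl, struct QXLCommandExt *ext)
+qxl->guest_cursor = ext->cmd.data;
+qemu_mutex_unlock(&qxl->track_lock);
+}
++ if (cmd->type == QXL_CURSOR_HIDE) {
++ qemu_mutex_lock(&qxl->track_lock);
++ qxl->guest_cursor = 0;
++ qemu_mutex_unlock(&qxl->track_lock);
++ }
+break;
+}
+}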
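Review bot: The new QXL_CURSOR_HIDE block takes and releases track_lock independently of the preceding block that sets guest_cursor, so one switch case now has two separate critical sections on the same lock; folding both into a single locked region (`lock; if (set) guest_cursor = ext->cmd.data; else if (hide) guest_cursor = 0; unlock`) would be simpler, though the opening condition of the first block lies outside this hunk and is not visible here. `qxl->guest_cursor = 0;` clears what is presumably a guest address the migration target later dereferences; a comment such as `/* no cursor to restore after migration */` would tie it to the bug being fixed. qxl_track_command continues outside the hunk.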
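--- a/0073-serial-fix-memory-leak-in-serial-exit.patch
+++ b/0073-serial-fix-memory-leak-in-serial-exit.patch
@@ -0,0 +1,37 @@
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Wed, 4 Jan 2017 00:43:16 -0800
+Subject: [PATCH] serial: fix memory leak in serial exit
+
+The serial_exit_core function doesn't free some resources.
+This can lead memory leak when hotplug and unplug. This
+patch avoid this.
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+Message-Id: <586cb5ab.f31d9d0a.38ac3.acf2@mx.google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 8409dc884a201bf74b30a9d232b6bbdd00cb7e2b)
+---
+hw/char/serial.c | 10 ++++++++++
+1 file changed, 10 insertions(+)
+
+diff --git a/hw/char/serial.c b/hw/char/serial.c
+index eec72b7b9e..455119f3d7 100644
+--- a/hw/char/serial.c
++++ b/hw/char/serial.c
+@@ -904,6 +904,16 @@ void serial_realize_core(SerialState *s, Error **errp)
+void serial_exit_core(SerialState *s)
+{
+qemu_chr_add_handlers(s->chr, NULL, NULL, NULL, NULL);
++
++ timer_del(s->modem_status_poll);
++ timer_free(s->modem_status_poll);
++
++ timer_del(s->fifo_timeout_timer);
++ timer_free(s->fifo_timeout_timer);
++
++ fifo8_destroy(&s->recv_fifo);
++ fifo8_destroy(&s->xmit_fifo);
++
+qemu_unregister_reset(serial_reset, s);
+}
+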
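Review bot: The order in serial_exit_core matters and is undocumented: the chardev handlers are detached first, each timer is deleted before the FIFOs its callback may touch are destroyed, and only then is the reset handler unregistered; a comment such as `/* detach the chardev and stop the timers before freeing the FIFOs their callbacks use */` above the new block would keep a later edit from reordering it. After timer_free the `modem_status_poll` and `fifo_timeout_timer` pointers are left dangling in SerialState; if the state object can outlive this call or the exit path can run twice, setting them to NULL afterwards turns a repeated exit into a no-op rather than a double free.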
@ -0,0 +1,48 @@
|
||||
From: hangaohuai <hangaohuai@huawei.com>
|
||||
Date: Tue, 14 Mar 2017 14:39:19 +0800
|
||||
Subject: [PATCH] fix :cirrus_vga fix OOB read case qemu Segmentation fault
|
||||
|
||||
check the validity of parameters in cirrus_bitblt_rop_fwd_transp_xxx
|
||||
and cirrus_bitblt_rop_fwd_xxx to avoid the OOB read which causes qemu Segmentation fault.
|
||||
|
||||
After the fix, we will touch the assert in
|
||||
cirrus_invalidate_region:
|
||||
assert(off_cur_end >= off_cur);
|
||||
|
||||
Signed-off-by: fangying <fangying1@huawei.com>
|
||||
Signed-off-by: hangaohuai <hangaohuai@huawei.com>
|
||||
Message-id: 20170314063919.16200-1-hangaohuai@huawei.com
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit 215902d7b6fb50c6fc216fc74f770858278ed904)
|
||||
---
|
||||
hw/display/cirrus_vga_rop.h | 10 ++++++++++
|
||||
1 file changed, 10 insertions(+)
|
||||
|
||||
diff --git a/hw/display/cirrus_vga_rop.h b/hw/display/cirrus_vga_rop.h
|
||||
index 0925a009fe..b7447f8733 100644
|
||||
--- a/hw/display/cirrus_vga_rop.h
|
||||
+++ b/hw/display/cirrus_vga_rop.h
|
||||
@@ -97,6 +97,11 @@ glue(glue(cirrus_bitblt_rop_fwd_transp_, ROP_NAME),_8)(CirrusVGAState *s,
|
||||
uint8_t p;
|
||||
dstpitch -= bltwidth;
|
||||
srcpitch -= bltwidth;
|
||||
+
|
||||
+ if (bltheight > 1 && (dstpitch < 0 || srcpitch < 0)) {
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
for (y = 0; y < bltheight; y++) {
|
||||
for (x = 0; x < bltwidth; x++) {
|
||||
p = *dst;
|
||||
@@ -143,6 +148,11 @@ glue(glue(cirrus_bitblt_rop_fwd_transp_, ROP_NAME),_16)(CirrusVGAState *s,
|
||||
uint8_t p1, p2;
|
||||
dstpitch -= bltwidth;
|
||||
srcpitch -= bltwidth;
|
||||
+
|
||||
+ if (bltheight > 1 && (dstpitch < 0 || srcpitch < 0)) {
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
for (y = 0; y < bltheight; y++) {
|
||||
for (x = 0; x < bltwidth; x+=2) {
|
||||
p1 = *dst;
|
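Review bot: The commit message says the check was added to both cirrus_bitblt_rop_fwd_transp_xxx and cirrus_bitblt_rop_fwd_xxx, but the diffstat shows only 10 insertions and both hunks sit in the `_transp_` 8- and 16-bit variants, so either the message overstates the change or the plain forward rops were left unguarded; that mismatch should be resolved before this is relied on as the fix. The guard `if (bltheight > 1 && (dstpitch < 0 || srcpitch < 0)) { return; }` is duplicated verbatim in each template instantiation and returns without invalidating anything, so a one-line comment stating why a single-row blit is exempt (the pitch is never applied when height is 1) and why rejection is silent would help. Both functions continue outside their hunks.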
269
0075-cirrus-vnc-zap-bitblit-support-from-console-code.patch
Normal file
269
0075-cirrus-vnc-zap-bitblit-support-from-console-code.patch
Normal file
@ -0,0 +1,269 @@
|
||||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Tue, 14 Mar 2017 13:26:59 +0100
|
||||
Subject: [PATCH] cirrus/vnc: zap bitblit support from console code.
|
||||
|
||||
There is a special code path (dpy_gfx_copy) to allow graphic emulation
|
||||
notify user interface code about bitblit operations carryed out by
|
||||
guests. It is supported by cirrus and vnc server. The intended purpose
|
||||
is to optimize display scrolls and just send over the scroll op instead
|
||||
of a full display update.
|
||||
|
||||
This is rarely used these days though because modern guests simply don't
|
||||
use the cirrus blitter any more. Any linux guest using the cirrus drm
|
||||
driver doesn't. Any windows guest newer than winxp doesn't ship with a
|
||||
cirrus driver any more and thus uses the cirrus as simple framebuffer.
|
||||
|
||||
So this code tends to bitrot and bugs can go unnoticed for a long time.
|
||||
See for example commit "3e10c3e vnc: fix qemu crash because of SIGSEGV"
|
||||
which fixes a bug lingering in the code for almost a year, added by
|
||||
commit "c7628bf vnc: only alloc server surface with clients connected".
|
||||
|
||||
Also the vnc server will throttle the frame rate in case it figures the
|
||||
network can't keep up (send buffers are full). This doesn't work with
|
||||
dpy_gfx_copy, for any copy operation sent to the vnc client we have to
|
||||
send all outstanding updates beforehand, otherwise the vnc client might
|
||||
run the client side blit on outdated data and thereby corrupt the
|
||||
display. So this dpy_gfx_copy "optimization" might even make things
|
||||
worse on slow network links.
|
||||
|
||||
Lets kill it once for all.
|
||||
|
||||
Oh, and one more reason: Turns out (after writing the patch) we have a
|
||||
security bug in that code path ...
|
||||
|
||||
Fixes: CVE-2016-9603
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Message-id: 1489494419-14340-1-git-send-email-kraxel@redhat.com
|
||||
(cherry picked from commit 50628d3479e4f9aa97e323506856e394fe7ad7a6)
|
||||
---
|
||||
hw/display/cirrus_vga.c | 12 ++----
|
||||
include/ui/console.h | 7 ----
|
||||
ui/console.c | 28 --------------
|
||||
ui/vnc.c | 100 ------------------------------------------------
|
||||
4 files changed, 3 insertions(+), 144 deletions(-)
|
||||
|
||||
diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
|
||||
index a093dc8b16..2ef2884823 100644
|
||||
--- a/hw/display/cirrus_vga.c
|
||||
+++ b/hw/display/cirrus_vga.c
|
||||
@@ -795,21 +795,15 @@ static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
|
||||
}
|
||||
}
|
||||
|
||||
- /* we have to flush all pending changes so that the copy
|
||||
- is generated at the appropriate moment in time */
|
||||
- if (notify)
|
||||
- graphic_hw_update(s->vga.con);
|
||||
-
|
||||
(*s->cirrus_rop) (s, s->vga.vram_ptr + s->cirrus_blt_dstaddr,
|
||||
s->vga.vram_ptr + s->cirrus_blt_srcaddr,
|
||||
s->cirrus_blt_dstpitch, s->cirrus_blt_srcpitch,
|
||||
s->cirrus_blt_width, s->cirrus_blt_height);
|
||||
|
||||
if (notify) {
|
||||
- qemu_console_copy(s->vga.con,
|
||||
- sx, sy, dx, dy,
|
||||
- s->cirrus_blt_width / depth,
|
||||
- s->cirrus_blt_height);
|
||||
+ dpy_gfx_update(s->vga.con, dx, dy,
|
||||
+ s->cirrus_blt_width / depth,
|
||||
+ s->cirrus_blt_height);
|
||||
}
|
||||
|
||||
/* we don't have to notify the display that this portion has
|
||||
diff --git a/include/ui/console.h b/include/ui/console.h
|
||||
index 2703a3aa5a..67927ed851 100644
|
||||
--- a/include/ui/console.h
|
||||
+++ b/include/ui/console.h
|
||||
@@ -189,9 +189,6 @@ typedef struct DisplayChangeListenerOps {
|
||||
int x, int y, int w, int h);
|
||||
void (*dpy_gfx_switch)(DisplayChangeListener *dcl,
|
||||
struct DisplaySurface *new_surface);
|
||||
- void (*dpy_gfx_copy)(DisplayChangeListener *dcl,
|
||||
- int src_x, int src_y,
|
||||
- int dst_x, int dst_y, int w, int h);
|
||||
bool (*dpy_gfx_check_format)(DisplayChangeListener *dcl,
|
||||
pixman_format_code_t format);
|
||||
|
||||
@@ -273,8 +270,6 @@ int dpy_set_ui_info(QemuConsole *con, QemuUIInfo *info);
|
||||
void dpy_gfx_update(QemuConsole *con, int x, int y, int w, int h);
|
||||
void dpy_gfx_replace_surface(QemuConsole *con,
|
||||
DisplaySurface *surface);
|
||||
-void dpy_gfx_copy(QemuConsole *con, int src_x, int src_y,
|
||||
- int dst_x, int dst_y, int w, int h);
|
||||
void dpy_text_cursor(QemuConsole *con, int x, int y);
|
||||
void dpy_text_update(QemuConsole *con, int x, int y, int w, int h);
|
||||
void dpy_text_resize(QemuConsole *con, int w, int h);
|
||||
@@ -398,8 +393,6 @@ void text_consoles_set_display(DisplayState *ds);
|
||||
void console_select(unsigned int index);
|
||||
void console_color_init(DisplayState *ds);
|
||||
void qemu_console_resize(QemuConsole *con, int width, int height);
|
||||
-void qemu_console_copy(QemuConsole *con, int src_x, int src_y,
|
||||
- int dst_x, int dst_y, int w, int h);
|
||||
DisplaySurface *qemu_console_surface(QemuConsole *con);
|
||||
|
||||
/* console-gl.c */
|
||||
diff --git a/ui/console.c b/ui/console.c
|
||||
index c24bfe422d..ece0c04ddf 100644
|
||||
--- a/ui/console.c
|
||||
+++ b/ui/console.c
|
||||
@@ -1558,27 +1558,6 @@ static void dpy_refresh(DisplayState *s)
|
||||
}
|
||||
}
|
||||
|
||||
-void dpy_gfx_copy(QemuConsole *con, int src_x, int src_y,
|
||||
- int dst_x, int dst_y, int w, int h)
|
||||
-{
|
||||
- DisplayState *s = con->ds;
|
||||
- DisplayChangeListener *dcl;
|
||||
-
|
||||
- if (!qemu_console_is_visible(con)) {
|
||||
- return;
|
||||
- }
|
||||
- QLIST_FOREACH(dcl, &s->listeners, next) {
|
||||
- if (con != (dcl->con ? dcl->con : active_console)) {
|
||||
- continue;
|
||||
- }
|
||||
- if (dcl->ops->dpy_gfx_copy) {
|
||||
- dcl->ops->dpy_gfx_copy(dcl, src_x, src_y, dst_x, dst_y, w, h);
|
||||
- } else { /* TODO */
|
||||
- dcl->ops->dpy_gfx_update(dcl, dst_x, dst_y, w, h);
|
||||
- }
|
||||
- }
|
||||
-}
|
||||
-
|
||||
void dpy_text_cursor(QemuConsole *con, int x, int y)
|
||||
{
|
||||
DisplayState *s = con->ds;
|
||||
@@ -2104,13 +2083,6 @@ void qemu_console_resize(QemuConsole *s, int width, int height)
|
||||
dpy_gfx_replace_surface(s, surface);
|
||||
}
|
||||
|
||||
-void qemu_console_copy(QemuConsole *con, int src_x, int src_y,
|
||||
- int dst_x, int dst_y, int w, int h)
|
||||
-{
|
||||
- assert(con->console_type == GRAPHIC_CONSOLE);
|
||||
- dpy_gfx_copy(con, src_x, src_y, dst_x, dst_y, w, h);
|
||||
-}
|
||||
-
|
||||
DisplaySurface *qemu_console_surface(QemuConsole *console)
|
||||
{
|
||||
return console->surface;
|
||||
diff --git a/ui/vnc.c b/ui/vnc.c
|
||||
index 76a3273e0b..b45bb2c4b8 100644
|
||||
--- a/ui/vnc.c
|
||||
+++ b/ui/vnc.c
|
||||
@@ -872,105 +872,6 @@ int vnc_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
|
||||
return n;
|
||||
}
|
||||
|
||||
-static void vnc_copy(VncState *vs, int src_x, int src_y, int dst_x, int dst_y, int w, int h)
|
||||
-{
|
||||
- /* send bitblit op to the vnc client */
|
||||
- vnc_lock_output(vs);
|
||||
- vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
|
||||
- vnc_write_u8(vs, 0);
|
||||
- vnc_write_u16(vs, 1); /* number of rects */
|
||||
- vnc_framebuffer_update(vs, dst_x, dst_y, w, h, VNC_ENCODING_COPYRECT);
|
||||
- vnc_write_u16(vs, src_x);
|
||||
- vnc_write_u16(vs, src_y);
|
||||
- vnc_unlock_output(vs);
|
||||
- vnc_flush(vs);
|
||||
-}
|
||||
-
|
||||
-static void vnc_dpy_copy(DisplayChangeListener *dcl,
|
||||
- int src_x, int src_y,
|
||||
- int dst_x, int dst_y, int w, int h)
|
||||
-{
|
||||
- VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
|
||||
- VncState *vs, *vn;
|
||||
- uint8_t *src_row;
|
||||
- uint8_t *dst_row;
|
||||
- int i, x, y, pitch, inc, w_lim, s;
|
||||
- int cmp_bytes;
|
||||
-
|
||||
- if (!vd->server) {
|
||||
- /* no client connected */
|
||||
- return;
|
||||
- }
|
||||
-
|
||||
- vnc_refresh_server_surface(vd);
|
||||
- QTAILQ_FOREACH_SAFE(vs, &vd->clients, next, vn) {
|
||||
- if (vnc_has_feature(vs, VNC_FEATURE_COPYRECT)) {
|
||||
- vs->force_update = 1;
|
||||
- vnc_update_client(vs, 1, true);
|
||||
- /* vs might be free()ed here */
|
||||
- }
|
||||
- }
|
||||
-
|
||||
- if (!vd->server) {
|
||||
- /* no client connected */
|
||||
- return;
|
||||
- }
|
||||
- /* do bitblit op on the local surface too */
|
||||
- pitch = vnc_server_fb_stride(vd);
|
||||
- src_row = vnc_server_fb_ptr(vd, src_x, src_y);
|
||||
- dst_row = vnc_server_fb_ptr(vd, dst_x, dst_y);
|
||||
- y = dst_y;
|
||||
- inc = 1;
|
||||
- if (dst_y > src_y) {
|
||||
- /* copy backwards */
|
||||
- src_row += pitch * (h-1);
|
||||
- dst_row += pitch * (h-1);
|
||||
- pitch = -pitch;
|
||||
- y = dst_y + h - 1;
|
||||
- inc = -1;
|
||||
- }
|
||||
- w_lim = w - (VNC_DIRTY_PIXELS_PER_BIT - (dst_x % VNC_DIRTY_PIXELS_PER_BIT));
|
||||
- if (w_lim < 0) {
|
||||
- w_lim = w;
|
||||
- } else {
|
||||
- w_lim = w - (w_lim % VNC_DIRTY_PIXELS_PER_BIT);
|
||||
- }
|
||||
- for (i = 0; i < h; i++) {
|
||||
- for (x = 0; x <= w_lim;
|
||||
- x += s, src_row += cmp_bytes, dst_row += cmp_bytes) {
|
||||
- if (x == w_lim) {
|
||||
- if ((s = w - w_lim) == 0)
|
||||
- break;
|
||||
- } else if (!x) {
|
||||
- s = (VNC_DIRTY_PIXELS_PER_BIT -
|
||||
- (dst_x % VNC_DIRTY_PIXELS_PER_BIT));
|
||||
- s = MIN(s, w_lim);
|
||||
- } else {
|
||||
- s = VNC_DIRTY_PIXELS_PER_BIT;
|
||||
- }
|
||||
- cmp_bytes = s * VNC_SERVER_FB_BYTES;
|
||||
- if (memcmp(src_row, dst_row, cmp_bytes) == 0)
|
||||
- continue;
|
||||
- memmove(dst_row, src_row, cmp_bytes);
|
||||
- QTAILQ_FOREACH(vs, &vd->clients, next) {
|
||||
- if (!vnc_has_feature(vs, VNC_FEATURE_COPYRECT)) {
|
||||
- set_bit(((x + dst_x) / VNC_DIRTY_PIXELS_PER_BIT),
|
||||
- vs->dirty[y]);
|
||||
- }
|
||||
- }
|
||||
- }
|
||||
- src_row += pitch - w * VNC_SERVER_FB_BYTES;
|
||||
- dst_row += pitch - w * VNC_SERVER_FB_BYTES;
|
||||
- y += inc;
|
||||
- }
|
||||
-
|
||||
- QTAILQ_FOREACH(vs, &vd->clients, next) {
|
||||
- if (vnc_has_feature(vs, VNC_FEATURE_COPYRECT)) {
|
||||
- vnc_copy(vs, src_x, src_y, dst_x, dst_y, w, h);
|
||||
- }
|
||||
- }
|
||||
-}
|
||||
-
|
||||
static void vnc_mouse_set(DisplayChangeListener *dcl,
|
||||
int x, int y, int visible)
|
||||
{
|
||||
@@ -3123,7 +3024,6 @@ static gboolean vnc_listen_io(QIOChannel *ioc,
|
||||
static const DisplayChangeListenerOps dcl_ops = {
|
||||
.dpy_name = "vnc",
|
||||
.dpy_refresh = vnc_refresh,
|
||||
- .dpy_gfx_copy = vnc_dpy_copy,
|
||||
.dpy_gfx_update = vnc_dpy_update,
|
||||
.dpy_gfx_switch = vnc_dpy_switch,
|
||||
.dpy_gfx_check_format = qemu_pixman_check_format,
|
46
0076-9pfs-fix-file-descriptor-leak.patch
Normal file
@ -0,0 +1,46 @@
|
||||
From: Li Qiang <liq3ea@gmail.com>
|
||||
Date: Mon, 27 Mar 2017 21:13:19 +0200
|
||||
Subject: [PATCH] 9pfs: fix file descriptor leak
|
||||
|
||||
The v9fs_create() and v9fs_lcreate() functions are used to create a file
|
||||
on the backend and to associate it to a fid. The fid shouldn't be already
|
||||
in-use, otherwise both functions may silently leak a file descriptor or
|
||||
allocated memory. The current code doesn't check that.
|
||||
|
||||
This patch ensures that the fid isn't already associated to anything
|
||||
before using it.
|
||||
|
||||
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||
(reworded the changelog, Greg Kurz)
|
||||
Signed-off-by: Greg Kurz <groug@kaod.org>
|
||||
(cherry picked from commit d63fb193e71644a073b77ff5ac6f1216f2f6cf6e)
|
||||
---
|
||||
hw/9pfs/9p.c | 8 ++++++++
|
||||
1 file changed, 8 insertions(+)
|
||||
|
||||
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
|
||||
index 9a89f75d90..9d6b2caf1b 100644
|
||||
--- a/hw/9pfs/9p.c
|
||||
+++ b/hw/9pfs/9p.c
|
||||
@@ -1530,6 +1530,10 @@ static void v9fs_lcreate(void *opaque)
|
||||
err = -ENOENT;
|
||||
goto out_nofid;
|
||||
}
|
||||
+ if (fidp->fid_type != P9_FID_NONE) {
|
||||
+ err = -EINVAL;
|
||||
+ goto out;
|
||||
+ }
|
||||
|
||||
flags = get_dotl_openflags(pdu->s, flags);
|
||||
err = v9fs_co_open2(pdu, fidp, &name, gid,
|
||||
@@ -2127,6 +2131,10 @@ static void v9fs_create(void *opaque)
|
||||
err = -EINVAL;
|
||||
goto out_nofid;
|
||||
}
|
||||
+ if (fidp->fid_type != P9_FID_NONE) {
|
||||
+ err = -EINVAL;
|
||||
+ goto out;
|
||||
+ }
|
||||
if (perm & P9_STAT_MODE_DIR) {
|
||||
err = v9fs_co_mkdir(pdu, fidp, &name, perm & 0777,
|
||||
fidp->uid, -1, &stbuf);
|
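Review bot: The new fid_type guard in v9fs_lcreate carries no comment saying why a fid that is not P9_FID_NONE has to be rejected, and the identical guard in v9fs_create (second hunk) has the same gap; a one-line comment would keep a later refactor from moving or relaxing it, e.g. `/* fid already bound to an open file/dir: reusing it would orphan the backend fd */`. Both guards jump to `out` rather than `out_nofid`, which looks right if fidp was already looked up above the hunk, but the lookup and the `out:` cleanup are outside the visible lines, so that should be confirmed. Both enclosing functions start and end outside these hunks.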
37
0077-cirrus-fix-cirrus_invalidate_region.patch
Normal file
@ -0,0 +1,37 @@
|
||||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Wed, 15 Mar 2017 13:06:46 +0100
|
||||
Subject: [PATCH] cirrus: fix cirrus_invalidate_region
|
||||
|
||||
off_cur_end is exclusive, so off_cur_end == cirrus_addr_mask is valid.
|
||||
Fix calculation to make sure to allow that, otherwise the assert added
|
||||
by commit f153b563f8cf121aebf5a2fff5f0110faf58ccb3 can trigger for valid
|
||||
blits.
|
||||
|
||||
Test case: boot windows nt 4.0
|
||||
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Message-id: 1489579606-26020-1-git-send-email-kraxel@redhat.com
|
||||
(cherry picked from commit e048dac616748273c2153490e9fdf1da242f0cad)
|
||||
---
|
||||
hw/display/cirrus_vga.c | 6 +++---
|
||||
1 file changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
|
||||
index 2ef2884823..444335f7c1 100644
|
||||
--- a/hw/display/cirrus_vga.c
|
||||
+++ b/hw/display/cirrus_vga.c
|
||||
@@ -665,11 +665,11 @@ static void cirrus_invalidate_region(CirrusVGAState * s, int off_begin,
|
||||
}
|
||||
|
||||
for (y = 0; y < lines; y++) {
|
||||
- off_cur = off_begin;
|
||||
- off_cur_end = (off_cur + bytesperline) & s->cirrus_addr_mask;
|
||||
+ off_cur = off_begin;
|
||||
+ off_cur_end = ((off_cur + bytesperline - 1) & s->cirrus_addr_mask) + 1;
|
||||
assert(off_cur_end >= off_cur);
|
||||
memory_region_set_dirty(&s->vga.vram, off_cur, off_cur_end - off_cur);
|
||||
- off_begin += off_pitch;
|
||||
+ off_begin += off_pitch;
|
||||
}
|
||||
}
|
||||
|
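Review bot: The new `off_cur_end` expression still wraps to a small value when `off_cur + bytesperline - 1` exceeds `cirrus_addr_mask`, so the assert on the following line, not the arithmetic, is what catches a scanline that crosses the end of VRAM; a comment would make that contract visible, e.g. `/* off_cur_end is exclusive; a line that would wrap past cirrus_addr_mask is expected to be rejected before we get here, which the assert re-checks */`. Whether the callers (blit_is_unsafe() appears elsewhere in this series) actually guarantee that cannot be verified from this hunk. cirrus_invalidate_region starts outside the hunk.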
616
0078-cirrus-stop-passing-around-dst-pointers-in-the-blitt.patch
Normal file
@ -0,0 +1,616 @@
|
||||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Wed, 15 Mar 2017 11:47:52 +0100
|
||||
Subject: [PATCH] cirrus: stop passing around dst pointers in the blitter
|
||||
|
||||
Instead pass around the address (aka offset into vga memory). Calculate
|
||||
the pointer in the rop_* functions, after applying the mask to the
|
||||
address, to make sure the address stays within the valid range.
|
||||
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Message-id: 1489574872-8679-1-git-send-email-kraxel@redhat.com
|
||||
(cherry picked from commit 026aeffcb4752054830ba203020ed6eb05bcaba8)
|
||||
---
|
||||
hw/display/cirrus_vga.c | 20 +++---
|
||||
hw/display/cirrus_vga_rop.h | 161 +++++++++++++++++++++++++------------------
|
||||
hw/display/cirrus_vga_rop2.h | 97 +++++++++++++-------------
|
||||
3 files changed, 153 insertions(+), 125 deletions(-)
|
||||
|
||||
diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
|
||||
index 444335f7c1..f1952a00a8 100644
|
||||
--- a/hw/display/cirrus_vga.c
|
||||
+++ b/hw/display/cirrus_vga.c
|
||||
@@ -177,11 +177,12 @@
|
||||
|
||||
struct CirrusVGAState;
|
||||
typedef void (*cirrus_bitblt_rop_t) (struct CirrusVGAState *s,
|
||||
- uint8_t * dst, const uint8_t * src,
|
||||
+ uint32_t dstaddr, const uint8_t *src,
|
||||
int dstpitch, int srcpitch,
|
||||
int bltwidth, int bltheight);
|
||||
typedef void (*cirrus_fill_t)(struct CirrusVGAState *s,
|
||||
- uint8_t *dst, int dst_pitch, int width, int height);
|
||||
+ uint32_t dstaddr, int dst_pitch,
|
||||
+ int width, int height);
|
||||
|
||||
typedef struct CirrusVGAState {
|
||||
VGACommonState vga;
|
||||
@@ -319,14 +320,14 @@ static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only)
|
||||
}
|
||||
|
||||
static void cirrus_bitblt_rop_nop(CirrusVGAState *s,
|
||||
- uint8_t *dst,const uint8_t *src,
|
||||
+ uint32_t dstaddr, const uint8_t *src,
|
||||
int dstpitch,int srcpitch,
|
||||
int bltwidth,int bltheight)
|
||||
{
|
||||
}
|
||||
|
||||
static void cirrus_bitblt_fill_nop(CirrusVGAState *s,
|
||||
- uint8_t *dst,
|
||||
+ uint32_t dstaddr,
|
||||
int dstpitch, int bltwidth,int bltheight)
|
||||
{
|
||||
}
|
||||
@@ -676,11 +677,8 @@ static void cirrus_invalidate_region(CirrusVGAState * s, int off_begin,
|
||||
static int cirrus_bitblt_common_patterncopy(CirrusVGAState *s, bool videosrc)
|
||||
{
|
||||
uint32_t patternsize;
|
||||
- uint8_t *dst;
|
||||
uint8_t *src;
|
||||
|
||||
- dst = s->vga.vram_ptr + s->cirrus_blt_dstaddr;
|
||||
-
|
||||
if (videosrc) {
|
||||
switch (s->vga.get_bpp(&s->vga)) {
|
||||
case 8:
|
||||
@@ -709,7 +707,7 @@ static int cirrus_bitblt_common_patterncopy(CirrusVGAState *s, bool videosrc)
|
||||
return 0;
|
||||
}
|
||||
|
||||
- (*s->cirrus_rop) (s, dst, src,
|
||||
+ (*s->cirrus_rop) (s, s->cirrus_blt_dstaddr, src,
|
||||
s->cirrus_blt_dstpitch, 0,
|
||||
s->cirrus_blt_width, s->cirrus_blt_height);
|
||||
cirrus_invalidate_region(s, s->cirrus_blt_dstaddr,
|
||||
@@ -728,7 +726,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop)
|
||||
return 0;
|
||||
}
|
||||
rop_func = cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1];
|
||||
- rop_func(s, s->vga.vram_ptr + s->cirrus_blt_dstaddr,
|
||||
+ rop_func(s, s->cirrus_blt_dstaddr,
|
||||
s->cirrus_blt_dstpitch,
|
||||
s->cirrus_blt_width, s->cirrus_blt_height);
|
||||
cirrus_invalidate_region(s, s->cirrus_blt_dstaddr,
|
||||
@@ -795,7 +793,7 @@ static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
|
||||
}
|
||||
}
|
||||
|
||||
- (*s->cirrus_rop) (s, s->vga.vram_ptr + s->cirrus_blt_dstaddr,
|
||||
+ (*s->cirrus_rop) (s, s->cirrus_blt_dstaddr,
|
||||
s->vga.vram_ptr + s->cirrus_blt_srcaddr,
|
||||
s->cirrus_blt_dstpitch, s->cirrus_blt_srcpitch,
|
||||
s->cirrus_blt_width, s->cirrus_blt_height);
|
||||
@@ -846,7 +844,7 @@ static void cirrus_bitblt_cputovideo_next(CirrusVGAState * s)
|
||||
} else {
|
||||
/* at least one scan line */
|
||||
do {
|
||||
- (*s->cirrus_rop)(s, s->vga.vram_ptr + s->cirrus_blt_dstaddr,
|
||||
+ (*s->cirrus_rop)(s, s->cirrus_blt_dstaddr,
|
||||
s->cirrus_bltbuf, 0, 0, s->cirrus_blt_width, 1);
|
||||
cirrus_invalidate_region(s, s->cirrus_blt_dstaddr, 0,
|
||||
s->cirrus_blt_width, 1);
|
||||
diff --git a/hw/display/cirrus_vga_rop.h b/hw/display/cirrus_vga_rop.h
|
||||
index b7447f8733..1aa778d3e8 100644
|
||||
--- a/hw/display/cirrus_vga_rop.h
|
||||
+++ b/hw/display/cirrus_vga_rop.h
|
||||
@@ -22,31 +22,65 @@
|
||||
* THE SOFTWARE.
|
||||
*/
|
||||
|
||||
-static inline void glue(rop_8_,ROP_NAME)(uint8_t *dst, uint8_t src)
|
||||
+static inline void glue(rop_8_, ROP_NAME)(CirrusVGAState *s,
|
||||
+ uint32_t dstaddr, uint8_t src)
|
||||
{
|
||||
+ uint8_t *dst = &s->vga.vram_ptr[dstaddr & s->cirrus_addr_mask];
|
||||
*dst = ROP_FN(*dst, src);
|
||||
}
|
||||
|
||||
-static inline void glue(rop_16_,ROP_NAME)(uint16_t *dst, uint16_t src)
|
||||
+static inline void glue(rop_tr_8_, ROP_NAME)(CirrusVGAState *s,
|
||||
+ uint32_t dstaddr, uint8_t src,
|
||||
+ uint8_t transp)
|
||||
{
|
||||
+ uint8_t *dst = &s->vga.vram_ptr[dstaddr & s->cirrus_addr_mask];
|
||||
+ uint8_t pixel = ROP_FN(*dst, src);
|
||||
+ if (pixel != transp) {
|
||||
+ *dst = pixel;
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+static inline void glue(rop_16_, ROP_NAME)(CirrusVGAState *s,
|
||||
+ uint32_t dstaddr, uint16_t src)
|
||||
+{
|
||||
+ uint16_t *dst = (uint16_t *)
|
||||
+ (&s->vga.vram_ptr[dstaddr & s->cirrus_addr_mask & ~1]);
|
||||
*dst = ROP_FN(*dst, src);
|
||||
}
|
||||
|
||||
-static inline void glue(rop_32_,ROP_NAME)(uint32_t *dst, uint32_t src)
|
||||
+static inline void glue(rop_tr_16_, ROP_NAME)(CirrusVGAState *s,
|
||||
+ uint32_t dstaddr, uint16_t src,
|
||||
+ uint16_t transp)
|
||||
+{
|
||||
+ uint16_t *dst = (uint16_t *)
|
||||
+ (&s->vga.vram_ptr[dstaddr & s->cirrus_addr_mask & ~1]);
|
||||
+ uint16_t pixel = ROP_FN(*dst, src);
|
||||
+ if (pixel != transp) {
|
||||
+ *dst = pixel;
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+static inline void glue(rop_32_, ROP_NAME)(CirrusVGAState *s,
|
||||
+ uint32_t dstaddr, uint32_t src)
|
||||
{
|
||||
+ uint32_t *dst = (uint32_t *)
|
||||
+ (&s->vga.vram_ptr[dstaddr & s->cirrus_addr_mask & ~3]);
|
||||
*dst = ROP_FN(*dst, src);
|
||||
}
|
||||
|
||||
-#define ROP_OP(d, s) glue(rop_8_,ROP_NAME)(d, s)
|
||||
-#define ROP_OP_16(d, s) glue(rop_16_,ROP_NAME)(d, s)
|
||||
-#define ROP_OP_32(d, s) glue(rop_32_,ROP_NAME)(d, s)
|
||||
+#define ROP_OP(st, d, s) glue(rop_8_, ROP_NAME)(st, d, s)
|
||||
+#define ROP_OP_TR(st, d, s, t) glue(rop_tr_8_, ROP_NAME)(st, d, s, t)
|
||||
+#define ROP_OP_16(st, d, s) glue(rop_16_, ROP_NAME)(st, d, s)
|
||||
+#define ROP_OP_TR_16(st, d, s, t) glue(rop_tr_16_, ROP_NAME)(st, d, s, t)
|
||||
+#define ROP_OP_32(st, d, s) glue(rop_32_, ROP_NAME)(st, d, s)
|
||||
#undef ROP_FN
|
||||
|
||||
static void
|
||||
glue(cirrus_bitblt_rop_fwd_, ROP_NAME)(CirrusVGAState *s,
|
||||
- uint8_t *dst,const uint8_t *src,
|
||||
- int dstpitch,int srcpitch,
|
||||
- int bltwidth,int bltheight)
|
||||
+ uint32_t dstaddr,
|
||||
+ const uint8_t *src,
|
||||
+ int dstpitch, int srcpitch,
|
||||
+ int bltwidth, int bltheight)
|
||||
{
|
||||
int x,y;
|
||||
dstpitch -= bltwidth;
|
||||
@@ -58,43 +92,47 @@ glue(cirrus_bitblt_rop_fwd_, ROP_NAME)(CirrusVGAState *s,
|
||||
|
||||
for (y = 0; y < bltheight; y++) {
|
||||
for (x = 0; x < bltwidth; x++) {
|
||||
- ROP_OP(dst, *src);
|
||||
- dst++;
|
||||
+ ROP_OP(s, dstaddr, *src);
|
||||
+ dstaddr++;
|
||||
src++;
|
||||
}
|
||||
- dst += dstpitch;
|
||||
+ dstaddr += dstpitch;
|
||||
src += srcpitch;
|
||||
}
|
||||
}
|
||||
|
||||
static void
|
||||
glue(cirrus_bitblt_rop_bkwd_, ROP_NAME)(CirrusVGAState *s,
|
||||
- uint8_t *dst,const uint8_t *src,
|
||||
- int dstpitch,int srcpitch,
|
||||
- int bltwidth,int bltheight)
|
||||
+ uint32_t dstaddr,
|
||||
+ const uint8_t *src,
|
||||
+ int dstpitch, int srcpitch,
|
||||
+ int bltwidth, int bltheight)
|
||||
{
|
||||
int x,y;
|
||||
dstpitch += bltwidth;
|
||||
srcpitch += bltwidth;
|
||||
for (y = 0; y < bltheight; y++) {
|
||||
for (x = 0; x < bltwidth; x++) {
|
||||
- ROP_OP(dst, *src);
|
||||
- dst--;
|
||||
+ ROP_OP(s, dstaddr, *src);
|
||||
+ dstaddr--;
|
||||
src--;
|
||||
}
|
||||
- dst += dstpitch;
|
||||
+ dstaddr += dstpitch;
|
||||
src += srcpitch;
|
||||
}
|
||||
}
|
||||
|
||||
static void
|
||||
glue(glue(cirrus_bitblt_rop_fwd_transp_, ROP_NAME),_8)(CirrusVGAState *s,
|
||||
- uint8_t *dst,const uint8_t *src,
|
||||
- int dstpitch,int srcpitch,
|
||||
- int bltwidth,int bltheight)
|
||||
+ uint32_t dstaddr,
|
||||
+ const uint8_t *src,
|
||||
+ int dstpitch,
|
||||
+ int srcpitch,
|
||||
+ int bltwidth,
|
||||
+ int bltheight)
|
||||
{
|
||||
int x,y;
|
||||
- uint8_t p;
|
||||
+ uint8_t transp = s->vga.gr[0x34];
|
||||
dstpitch -= bltwidth;
|
||||
srcpitch -= bltwidth;
|
||||
|
||||
@@ -104,48 +142,50 @@ glue(glue(cirrus_bitblt_rop_fwd_transp_, ROP_NAME),_8)(CirrusVGAState *s,
|
||||
|
||||
for (y = 0; y < bltheight; y++) {
|
||||
for (x = 0; x < bltwidth; x++) {
|
||||
- p = *dst;
|
||||
- ROP_OP(&p, *src);
|
||||
- if (p != s->vga.gr[0x34]) *dst = p;
|
||||
- dst++;
|
||||
+ ROP_OP_TR(s, dstaddr, *src, transp);
|
||||
+ dstaddr++;
|
||||
src++;
|
||||
}
|
||||
- dst += dstpitch;
|
||||
+ dstaddr += dstpitch;
|
||||
src += srcpitch;
|
||||
}
|
||||
}
|
||||
|
||||
static void
|
||||
glue(glue(cirrus_bitblt_rop_bkwd_transp_, ROP_NAME),_8)(CirrusVGAState *s,
|
||||
- uint8_t *dst,const uint8_t *src,
|
||||
- int dstpitch,int srcpitch,
|
||||
- int bltwidth,int bltheight)
|
||||
+ uint32_t dstaddr,
|
||||
+ const uint8_t *src,
|
||||
+ int dstpitch,
|
||||
+ int srcpitch,
|
||||
+ int bltwidth,
|
||||
+ int bltheight)
|
||||
{
|
||||
int x,y;
|
||||
- uint8_t p;
|
||||
+ uint8_t transp = s->vga.gr[0x34];
|
||||
dstpitch += bltwidth;
|
||||
srcpitch += bltwidth;
|
||||
for (y = 0; y < bltheight; y++) {
|
||||
for (x = 0; x < bltwidth; x++) {
|
||||
- p = *dst;
|
||||
- ROP_OP(&p, *src);
|
||||
- if (p != s->vga.gr[0x34]) *dst = p;
|
||||
- dst--;
|
||||
+ ROP_OP_TR(s, dstaddr, *src, transp);
|
||||
+ dstaddr--;
|
||||
src--;
|
||||
}
|
||||
- dst += dstpitch;
|
||||
+ dstaddr += dstpitch;
|
||||
src += srcpitch;
|
||||
}
|
||||
}
|
||||
|
||||
static void
|
||||
glue(glue(cirrus_bitblt_rop_fwd_transp_, ROP_NAME),_16)(CirrusVGAState *s,
|
||||
- uint8_t *dst,const uint8_t *src,
|
||||
- int dstpitch,int srcpitch,
|
||||
- int bltwidth,int bltheight)
|
||||
+ uint32_t dstaddr,
|
||||
+ const uint8_t *src,
|
||||
+ int dstpitch,
|
||||
+ int srcpitch,
|
||||
+ int bltwidth,
|
||||
+ int bltheight)
|
||||
{
|
||||
int x,y;
|
||||
- uint8_t p1, p2;
|
||||
+ uint16_t transp = s->vga.gr[0x34] | (uint16_t)s->vga.gr[0x35] << 8;
|
||||
dstpitch -= bltwidth;
|
||||
srcpitch -= bltwidth;
|
||||
|
||||
@@ -155,46 +195,35 @@ glue(glue(cirrus_bitblt_rop_fwd_transp_, ROP_NAME),_16)(CirrusVGAState *s,
|
||||
|
||||
for (y = 0; y < bltheight; y++) {
|
||||
for (x = 0; x < bltwidth; x+=2) {
|
||||
- p1 = *dst;
|
||||
- p2 = *(dst+1);
|
||||
- ROP_OP(&p1, *src);
|
||||
- ROP_OP(&p2, *(src + 1));
|
||||
- if ((p1 != s->vga.gr[0x34]) || (p2 != s->vga.gr[0x35])) {
|
||||
- *dst = p1;
|
||||
- *(dst+1) = p2;
|
||||
- }
|
||||
- dst+=2;
|
||||
- src+=2;
|
||||
+ ROP_OP_TR_16(s, dstaddr, *(uint16_t *)src, transp);
|
||||
+ dstaddr += 2;
|
||||
+ src += 2;
|
||||
}
|
||||
- dst += dstpitch;
|
||||
+ dstaddr += dstpitch;
|
||||
src += srcpitch;
|
||||
}
|
||||
}
|
||||
|
||||
static void
|
||||
glue(glue(cirrus_bitblt_rop_bkwd_transp_, ROP_NAME),_16)(CirrusVGAState *s,
|
||||
- uint8_t *dst,const uint8_t *src,
|
||||
- int dstpitch,int srcpitch,
|
||||
- int bltwidth,int bltheight)
|
||||
+ uint32_t dstaddr,
|
||||
+ const uint8_t *src,
|
||||
+ int dstpitch,
|
||||
+ int srcpitch,
|
||||
+ int bltwidth,
|
||||
+ int bltheight)
|
||||
{
|
||||
int x,y;
|
||||
- uint8_t p1, p2;
|
||||
+ uint16_t transp = s->vga.gr[0x34] | (uint16_t)s->vga.gr[0x35] << 8;
|
||||
dstpitch += bltwidth;
|
||||
srcpitch += bltwidth;
|
||||
for (y = 0; y < bltheight; y++) {
|
||||
for (x = 0; x < bltwidth; x+=2) {
|
||||
- p1 = *(dst-1);
|
||||
- p2 = *dst;
|
||||
- ROP_OP(&p1, *(src - 1));
|
||||
- ROP_OP(&p2, *src);
|
||||
- if ((p1 != s->vga.gr[0x34]) || (p2 != s->vga.gr[0x35])) {
|
||||
- *(dst-1) = p1;
|
||||
- *dst = p2;
|
||||
- }
|
||||
- dst-=2;
|
||||
- src-=2;
|
||||
+ ROP_OP_TR_16(s, dstaddr, *(uint16_t *)src, transp);
|
||||
+ dstaddr -= 2;
|
||||
+ src -= 2;
|
||||
}
|
||||
- dst += dstpitch;
|
||||
+ dstaddr += dstpitch;
|
||||
src += srcpitch;
|
||||
}
|
||||
}
|
||||
diff --git a/hw/display/cirrus_vga_rop2.h b/hw/display/cirrus_vga_rop2.h
|
||||
index d28bcc6f25..bc92f0e0e7 100644
|
||||
--- a/hw/display/cirrus_vga_rop2.h
|
||||
+++ b/hw/display/cirrus_vga_rop2.h
|
||||
@@ -23,27 +23,29 @@
|
||||
*/
|
||||
|
||||
#if DEPTH == 8
|
||||
-#define PUTPIXEL() ROP_OP(&d[0], col)
|
||||
+#define PUTPIXEL(s, a, c) ROP_OP(s, a, c)
|
||||
#elif DEPTH == 16
|
||||
-#define PUTPIXEL() ROP_OP_16((uint16_t *)&d[0], col)
|
||||
+#define PUTPIXEL(s, a, c) ROP_OP_16(s, a, c)
|
||||
#elif DEPTH == 24
|
||||
-#define PUTPIXEL() ROP_OP(&d[0], col); \
|
||||
- ROP_OP(&d[1], (col >> 8)); \
|
||||
- ROP_OP(&d[2], (col >> 16))
|
||||
+#define PUTPIXEL(s, a, c) do { \
|
||||
+ ROP_OP(s, a, c); \
|
||||
+ ROP_OP(s, a + 1, (col >> 8)); \
|
||||
+ ROP_OP(s, a + 2, (col >> 16)); \
|
||||
+ } while (0)
|
||||
#elif DEPTH == 32
|
||||
-#define PUTPIXEL() ROP_OP_32(((uint32_t *)&d[0]), col)
|
||||
+#define PUTPIXEL(s, a, c) ROP_OP_32(s, a, c)
|
||||
#else
|
||||
#error unsupported DEPTH
|
||||
#endif
|
||||
|
||||
static void
|
||||
glue(glue(glue(cirrus_patternfill_, ROP_NAME), _),DEPTH)
|
||||
- (CirrusVGAState * s, uint8_t * dst,
|
||||
- const uint8_t * src,
|
||||
+ (CirrusVGAState *s, uint32_t dstaddr,
|
||||
+ const uint8_t *src,
|
||||
int dstpitch, int srcpitch,
|
||||
int bltwidth, int bltheight)
|
||||
{
|
||||
- uint8_t *d;
|
||||
+ uint32_t addr;
|
||||
int x, y, pattern_y, pattern_pitch, pattern_x;
|
||||
unsigned int col;
|
||||
const uint8_t *src1;
|
||||
@@ -63,7 +65,7 @@ glue(glue(glue(cirrus_patternfill_, ROP_NAME), _),DEPTH)
|
||||
pattern_y = s->cirrus_blt_srcaddr & 7;
|
||||
for(y = 0; y < bltheight; y++) {
|
||||
pattern_x = skipleft;
|
||||
- d = dst + skipleft;
|
||||
+ addr = dstaddr + skipleft;
|
||||
src1 = src + pattern_y * pattern_pitch;
|
||||
for (x = skipleft; x < bltwidth; x += (DEPTH / 8)) {
|
||||
#if DEPTH == 8
|
||||
@@ -82,23 +84,23 @@ glue(glue(glue(cirrus_patternfill_, ROP_NAME), _),DEPTH)
|
||||
col = ((uint32_t *)(src1 + pattern_x))[0];
|
||||
pattern_x = (pattern_x + 4) & 31;
|
||||
#endif
|
||||
- PUTPIXEL();
|
||||
- d += (DEPTH / 8);
|
||||
+ PUTPIXEL(s, addr, col);
|
||||
+ addr += (DEPTH / 8);
|
||||
}
|
||||
pattern_y = (pattern_y + 1) & 7;
|
||||
- dst += dstpitch;
|
||||
+ dstaddr += dstpitch;
|
||||
}
|
||||
}
|
||||
|
||||
/* NOTE: srcpitch is ignored */
|
||||
static void
|
||||
glue(glue(glue(cirrus_colorexpand_transp_, ROP_NAME), _),DEPTH)
|
||||
- (CirrusVGAState * s, uint8_t * dst,
|
||||
- const uint8_t * src,
|
||||
+ (CirrusVGAState *s, uint32_t dstaddr,
|
||||
+ const uint8_t *src,
|
||||
int dstpitch, int srcpitch,
|
||||
int bltwidth, int bltheight)
|
||||
{
|
||||
- uint8_t *d;
|
||||
+ uint32_t addr;
|
||||
int x, y;
|
||||
unsigned bits, bits_xor;
|
||||
unsigned int col;
|
||||
@@ -123,7 +125,7 @@ glue(glue(glue(cirrus_colorexpand_transp_, ROP_NAME), _),DEPTH)
|
||||
for(y = 0; y < bltheight; y++) {
|
||||
bitmask = 0x80 >> srcskipleft;
|
||||
bits = *src++ ^ bits_xor;
|
||||
- d = dst + dstskipleft;
|
||||
+ addr = dstaddr + dstskipleft;
|
||||
for (x = dstskipleft; x < bltwidth; x += (DEPTH / 8)) {
|
||||
if ((bitmask & 0xff) == 0) {
|
||||
bitmask = 0x80;
|
||||
@@ -131,24 +133,24 @@ glue(glue(glue(cirrus_colorexpand_transp_, ROP_NAME), _),DEPTH)
|
||||
}
|
||||
index = (bits & bitmask);
|
||||
if (index) {
|
||||
- PUTPIXEL();
|
||||
+ PUTPIXEL(s, addr, col);
|
||||
}
|
||||
- d += (DEPTH / 8);
|
||||
+ addr += (DEPTH / 8);
|
||||
bitmask >>= 1;
|
||||
}
|
||||
- dst += dstpitch;
|
||||
+ dstaddr += dstpitch;
|
||||
}
|
||||
}
|
||||
|
||||
static void
|
||||
glue(glue(glue(cirrus_colorexpand_, ROP_NAME), _),DEPTH)
|
||||
- (CirrusVGAState * s, uint8_t * dst,
|
||||
- const uint8_t * src,
|
||||
+ (CirrusVGAState *s, uint32_t dstaddr,
|
||||
+ const uint8_t *src,
|
||||
int dstpitch, int srcpitch,
|
||||
int bltwidth, int bltheight)
|
||||
{
|
||||
uint32_t colors[2];
|
||||
- uint8_t *d;
|
||||
+ uint32_t addr;
|
||||
int x, y;
|
||||
unsigned bits;
|
||||
unsigned int col;
|
||||
@@ -161,29 +163,29 @@ glue(glue(glue(cirrus_colorexpand_, ROP_NAME), _),DEPTH)
|
||||
for(y = 0; y < bltheight; y++) {
|
||||
bitmask = 0x80 >> srcskipleft;
|
||||
bits = *src++;
|
||||
- d = dst + dstskipleft;
|
||||
+ addr = dstaddr + dstskipleft;
|
||||
for (x = dstskipleft; x < bltwidth; x += (DEPTH / 8)) {
|
||||
if ((bitmask & 0xff) == 0) {
|
||||
bitmask = 0x80;
|
||||
bits = *src++;
|
||||
}
|
||||
col = colors[!!(bits & bitmask)];
|
||||
- PUTPIXEL();
|
||||
- d += (DEPTH / 8);
|
||||
+ PUTPIXEL(s, addr, col);
|
||||
+ addr += (DEPTH / 8);
|
||||
bitmask >>= 1;
|
||||
}
|
||||
- dst += dstpitch;
|
||||
+ dstaddr += dstpitch;
|
||||
}
|
||||
}
|
||||
|
||||
static void
|
||||
glue(glue(glue(cirrus_colorexpand_pattern_transp_, ROP_NAME), _),DEPTH)
|
||||
- (CirrusVGAState * s, uint8_t * dst,
|
||||
- const uint8_t * src,
|
||||
+ (CirrusVGAState *s, uint32_t dstaddr,
|
||||
+ const uint8_t *src,
|
||||
int dstpitch, int srcpitch,
|
||||
int bltwidth, int bltheight)
|
||||
{
|
||||
- uint8_t *d;
|
||||
+ uint32_t addr;
|
||||
int x, y, bitpos, pattern_y;
|
||||
unsigned int bits, bits_xor;
|
||||
unsigned int col;
|
||||
@@ -207,28 +209,28 @@ glue(glue(glue(cirrus_colorexpand_pattern_transp_, ROP_NAME), _),DEPTH)
|
||||
for(y = 0; y < bltheight; y++) {
|
||||
bits = src[pattern_y] ^ bits_xor;
|
||||
bitpos = 7 - srcskipleft;
|
||||
- d = dst + dstskipleft;
|
||||
+ addr = dstaddr + dstskipleft;
|
||||
for (x = dstskipleft; x < bltwidth; x += (DEPTH / 8)) {
|
||||
if ((bits >> bitpos) & 1) {
|
||||
- PUTPIXEL();
|
||||
+ PUTPIXEL(s, addr, col);
|
||||
}
|
||||
- d += (DEPTH / 8);
|
||||
+ addr += (DEPTH / 8);
|
||||
bitpos = (bitpos - 1) & 7;
|
||||
}
|
||||
pattern_y = (pattern_y + 1) & 7;
|
||||
- dst += dstpitch;
|
||||
+ dstaddr += dstpitch;
|
||||
}
|
||||
}
|
||||
|
||||
static void
|
||||
glue(glue(glue(cirrus_colorexpand_pattern_, ROP_NAME), _),DEPTH)
|
||||
- (CirrusVGAState * s, uint8_t * dst,
|
||||
- const uint8_t * src,
|
||||
+ (CirrusVGAState *s, uint32_t dstaddr,
|
||||
+ const uint8_t *src,
|
||||
int dstpitch, int srcpitch,
|
||||
int bltwidth, int bltheight)
|
||||
{
|
||||
uint32_t colors[2];
|
||||
- uint8_t *d;
|
||||
+ uint32_t addr;
|
||||
int x, y, bitpos, pattern_y;
|
||||
unsigned int bits;
|
||||
unsigned int col;
|
||||
@@ -242,38 +244,37 @@ glue(glue(glue(cirrus_colorexpand_pattern_, ROP_NAME), _),DEPTH)
|
||||
for(y = 0; y < bltheight; y++) {
|
||||
bits = src[pattern_y];
|
||||
bitpos = 7 - srcskipleft;
|
||||
- d = dst + dstskipleft;
|
||||
+ addr = dstaddr + dstskipleft;
|
||||
for (x = dstskipleft; x < bltwidth; x += (DEPTH / 8)) {
|
||||
col = colors[(bits >> bitpos) & 1];
|
||||
- PUTPIXEL();
|
||||
- d += (DEPTH / 8);
|
||||
+ PUTPIXEL(s, addr, col);
|
||||
+ addr += (DEPTH / 8);
|
||||
bitpos = (bitpos - 1) & 7;
|
||||
}
|
||||
pattern_y = (pattern_y + 1) & 7;
|
||||
- dst += dstpitch;
|
||||
+ dstaddr += dstpitch;
|
||||
}
|
||||
}
|
||||
|
||||
static void
|
||||
glue(glue(glue(cirrus_fill_, ROP_NAME), _),DEPTH)
|
||||
(CirrusVGAState *s,
|
||||
- uint8_t *dst, int dst_pitch,
|
||||
+ uint32_t dstaddr, int dst_pitch,
|
||||
int width, int height)
|
||||
{
|
||||
- uint8_t *d, *d1;
|
||||
+ uint32_t addr;
|
||||
uint32_t col;
|
||||
int x, y;
|
||||
|
||||
col = s->cirrus_blt_fgcol;
|
||||
|
||||
- d1 = dst;
|
||||
for(y = 0; y < height; y++) {
|
||||
- d = d1;
|
||||
+ addr = dstaddr;
|
||||
for(x = 0; x < width; x += (DEPTH / 8)) {
|
||||
- PUTPIXEL();
|
||||
- d += (DEPTH / 8);
|
||||
+ PUTPIXEL(s, addr, col);
|
||||
+ addr += (DEPTH / 8);
|
||||
}
|
||||
- d1 += dst_pitch;
|
||||
+ dstaddr += dst_pitch;
|
||||
}
|
||||
}
|
||||
|
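Review bot: The DEPTH == 24 PUTPIXEL in cirrus_vga_rop2.h takes the colour as parameter `c` but its second and third ROP_OP still read the caller's local `col`, so the macro only works because every call site happens to pass `col`; the two lines should be `ROP_OP(s, a + 1, (c) >> 8);` and `ROP_OP(s, a + 2, (c) >> 16);`. Separately, in cirrus_bitblt_rop_bkwd_transp_*_16 the old code read the source pixel as the byte pair `*(src - 1)`, `*src`, while the new `*(uint16_t *)src` reads `src[0..1]`; the destination side is aligned with `& ~1` inside rop_tr_16 but the source is not, so for a backward blit whose src points at the last byte of a pixel the source read appears shifted by one byte — worth confirming against the follow-up src-pointer patch. The `*(uint16_t *)src` cast also performs a possibly unaligned 16-bit load through a uint8_t buffer; assembling the value from two byte loads would avoid that.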
441
0079-cirrus-stop-passing-around-src-pointers-in-the-blitt.patch
Normal file
@ -0,0 +1,441 @@
|
||||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Wed, 15 Mar 2017 14:28:07 +0100
|
||||
Subject: [PATCH] cirrus: stop passing around src pointers in the blitter
|
||||
|
||||
Does basically the same as "cirrus: stop passing around dst pointers in
|
||||
the blitter", just for the src pointer instead of the dst pointer.
|
||||
|
||||
For the src we have to care about cputovideo blits though and fetch the
|
||||
data from s->cirrus_bltbuf instead of vga memory. The cirrus_src*()
|
||||
helper functions handle that.
|
||||
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Message-id: 1489584487-3489-1-git-send-email-kraxel@redhat.com
|
||||
(cherry picked from commit ffaf857778286ca54e3804432a2369a279e73aa7)
|
||||
---
|
||||
hw/display/cirrus_vga.c | 61 +++++++++++++++++++++++++++++++++++---------
|
||||
hw/display/cirrus_vga_rop.h | 48 +++++++++++++++++-----------------
|
||||
hw/display/cirrus_vga_rop2.h | 38 ++++++++++++++-------------
|
||||
3 files changed, 93 insertions(+), 54 deletions(-)
|
||||
|
||||
diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
|
||||
index f1952a00a8..9274c25f46 100644
|
||||
--- a/hw/display/cirrus_vga.c
|
||||
+++ b/hw/display/cirrus_vga.c
|
||||
@@ -177,7 +177,7 @@
|
||||
|
||||
struct CirrusVGAState;
|
||||
typedef void (*cirrus_bitblt_rop_t) (struct CirrusVGAState *s,
|
||||
- uint32_t dstaddr, const uint8_t *src,
|
||||
+ uint32_t dstaddr, uint32_t srcaddr,
|
||||
int dstpitch, int srcpitch,
|
||||
int bltwidth, int bltheight);
|
||||
typedef void (*cirrus_fill_t)(struct CirrusVGAState *s,
|
||||
@@ -320,7 +320,7 @@ static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only)
|
||||
}
|
||||
|
||||
static void cirrus_bitblt_rop_nop(CirrusVGAState *s,
|
||||
- uint32_t dstaddr, const uint8_t *src,
|
||||
+ uint32_t dstaddr, uint32_t srcaddr,
|
||||
int dstpitch,int srcpitch,
|
||||
int bltwidth,int bltheight)
|
||||
{
|
||||
@@ -332,6 +332,45 @@ static void cirrus_bitblt_fill_nop(CirrusVGAState *s,
|
||||
{
|
||||
}
|
||||
|
||||
+static inline uint8_t cirrus_src(CirrusVGAState *s, uint32_t srcaddr)
|
||||
+{
|
||||
+ if (s->cirrus_srccounter) {
|
||||
+ /* cputovideo */
|
||||
+ return s->cirrus_bltbuf[srcaddr & (CIRRUS_BLTBUFSIZE - 1)];
|
||||
+ } else {
|
||||
+ /* videotovideo */
|
||||
+ return s->vga.vram_ptr[srcaddr & s->cirrus_addr_mask];
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+static inline uint16_t cirrus_src16(CirrusVGAState *s, uint32_t srcaddr)
|
||||
+{
|
||||
+ uint16_t *src;
|
||||
+
|
||||
+ if (s->cirrus_srccounter) {
|
||||
+ /* cputovideo */
|
||||
+ src = (void *)&s->cirrus_bltbuf[srcaddr & (CIRRUS_BLTBUFSIZE - 1) & ~1];
|
||||
+ } else {
|
||||
+ /* videotovideo */
|
||||
+ src = (void *)&s->vga.vram_ptr[srcaddr & s->cirrus_addr_mask & ~1];
|
||||
+ }
|
||||
+ return *src;
|
||||
+}
|
||||
+
|
||||
+static inline uint32_t cirrus_src32(CirrusVGAState *s, uint32_t srcaddr)
|
||||
+{
|
||||
+ uint32_t *src;
|
||||
+
|
||||
+ if (s->cirrus_srccounter) {
|
||||
+ /* cputovideo */
|
||||
+ src = (void *)&s->cirrus_bltbuf[srcaddr & (CIRRUS_BLTBUFSIZE - 1) & ~3];
|
||||
+ } else {
|
||||
+ /* videotovideo */
|
||||
+ src = (void *)&s->vga.vram_ptr[srcaddr & s->cirrus_addr_mask & ~3];
|
||||
+ }
|
||||
+ return *src;
|
||||
+}
|
||||
+
|
||||
#define ROP_NAME 0
|
||||
#define ROP_FN(d, s) 0
|
||||
#include "cirrus_vga_rop.h"
|
||||
@@ -674,10 +713,10 @@ static void cirrus_invalidate_region(CirrusVGAState * s, int off_begin,
|
||||
}
|
||||
}
|
||||
|
||||
-static int cirrus_bitblt_common_patterncopy(CirrusVGAState *s, bool videosrc)
|
||||
+static int cirrus_bitblt_common_patterncopy(CirrusVGAState *s)
|
||||
{
|
||||
uint32_t patternsize;
|
||||
- uint8_t *src;
|
||||
+ bool videosrc = !s->cirrus_srccounter;
|
||||
|
||||
if (videosrc) {
|
||||
switch (s->vga.get_bpp(&s->vga)) {
|
||||
@@ -698,16 +737,14 @@ static int cirrus_bitblt_common_patterncopy(CirrusVGAState *s, bool videosrc)
|
||||
if (s->cirrus_blt_srcaddr + patternsize > s->vga.vram_size) {
|
||||
return 0;
|
||||
}
|
||||
- src = s->vga.vram_ptr + s->cirrus_blt_srcaddr;
|
||||
- } else {
|
||||
- src = s->cirrus_bltbuf;
|
||||
}
|
||||
|
||||
if (blit_is_unsafe(s, true)) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
- (*s->cirrus_rop) (s, s->cirrus_blt_dstaddr, src,
|
||||
+ (*s->cirrus_rop) (s, s->cirrus_blt_dstaddr,
|
||||
+ videosrc ? s->cirrus_blt_srcaddr : 0,
|
||||
s->cirrus_blt_dstpitch, 0,
|
||||
s->cirrus_blt_width, s->cirrus_blt_height);
|
||||
cirrus_invalidate_region(s, s->cirrus_blt_dstaddr,
|
||||
@@ -744,7 +781,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop)
|
||||
|
||||
static int cirrus_bitblt_videotovideo_patterncopy(CirrusVGAState * s)
|
||||
{
|
||||
- return cirrus_bitblt_common_patterncopy(s, true);
|
||||
+ return cirrus_bitblt_common_patterncopy(s);
|
||||
}
|
||||
|
||||
static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
|
||||
@@ -794,7 +831,7 @@ static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
|
||||
}
|
||||
|
||||
(*s->cirrus_rop) (s, s->cirrus_blt_dstaddr,
|
||||
- s->vga.vram_ptr + s->cirrus_blt_srcaddr,
|
||||
+ s->cirrus_blt_srcaddr,
|
||||
s->cirrus_blt_dstpitch, s->cirrus_blt_srcpitch,
|
||||
s->cirrus_blt_width, s->cirrus_blt_height);
|
||||
|
||||
@@ -837,7 +874,7 @@ static void cirrus_bitblt_cputovideo_next(CirrusVGAState * s)
|
||||
|
||||
if (s->cirrus_srccounter > 0) {
|
||||
if (s->cirrus_blt_mode & CIRRUS_BLTMODE_PATTERNCOPY) {
|
||||
- cirrus_bitblt_common_patterncopy(s, false);
|
||||
+ cirrus_bitblt_common_patterncopy(s);
|
||||
the_end:
|
||||
s->cirrus_srccounter = 0;
|
||||
cirrus_bitblt_reset(s);
|
||||
@@ -845,7 +882,7 @@ static void cirrus_bitblt_cputovideo_next(CirrusVGAState * s)
|
||||
/* at least one scan line */
|
||||
do {
|
||||
(*s->cirrus_rop)(s, s->cirrus_blt_dstaddr,
|
||||
- s->cirrus_bltbuf, 0, 0, s->cirrus_blt_width, 1);
|
||||
+ 0, 0, 0, s->cirrus_blt_width, 1);
|
||||
cirrus_invalidate_region(s, s->cirrus_blt_dstaddr, 0,
|
||||
s->cirrus_blt_width, 1);
|
||||
s->cirrus_blt_dstaddr += s->cirrus_blt_dstpitch;
|
||||
diff --git a/hw/display/cirrus_vga_rop.h b/hw/display/cirrus_vga_rop.h
|
||||
index 1aa778d3e8..c61a677353 100644
|
||||
--- a/hw/display/cirrus_vga_rop.h
|
||||
+++ b/hw/display/cirrus_vga_rop.h
|
||||
@@ -78,7 +78,7 @@ static inline void glue(rop_32_, ROP_NAME)(CirrusVGAState *s,
|
||||
static void
|
||||
glue(cirrus_bitblt_rop_fwd_, ROP_NAME)(CirrusVGAState *s,
|
||||
uint32_t dstaddr,
|
||||
- const uint8_t *src,
|
||||
+ uint32_t srcaddr,
|
||||
int dstpitch, int srcpitch,
|
||||
int bltwidth, int bltheight)
|
||||
{
|
||||
@@ -92,19 +92,19 @@ glue(cirrus_bitblt_rop_fwd_, ROP_NAME)(CirrusVGAState *s,
|
||||
|
||||
for (y = 0; y < bltheight; y++) {
|
||||
for (x = 0; x < bltwidth; x++) {
|
||||
- ROP_OP(s, dstaddr, *src);
|
||||
+ ROP_OP(s, dstaddr, cirrus_src(s, srcaddr));
|
||||
dstaddr++;
|
||||
- src++;
|
||||
+ srcaddr++;
|
||||
}
|
||||
dstaddr += dstpitch;
|
||||
- src += srcpitch;
|
||||
+ srcaddr += srcpitch;
|
||||
}
|
||||
}
|
||||
|
||||
static void
|
||||
glue(cirrus_bitblt_rop_bkwd_, ROP_NAME)(CirrusVGAState *s,
|
||||
uint32_t dstaddr,
|
||||
- const uint8_t *src,
|
||||
+ uint32_t srcaddr,
|
||||
int dstpitch, int srcpitch,
|
||||
int bltwidth, int bltheight)
|
||||
{
|
||||
@@ -113,19 +113,19 @@ glue(cirrus_bitblt_rop_bkwd_, ROP_NAME)(CirrusVGAState *s,
|
||||
srcpitch += bltwidth;
|
||||
for (y = 0; y < bltheight; y++) {
|
||||
for (x = 0; x < bltwidth; x++) {
|
||||
- ROP_OP(s, dstaddr, *src);
|
||||
+ ROP_OP(s, dstaddr, cirrus_src(s, srcaddr));
|
||||
dstaddr--;
|
||||
- src--;
|
||||
+ srcaddr--;
|
||||
}
|
||||
dstaddr += dstpitch;
|
||||
- src += srcpitch;
|
||||
+ srcaddr += srcpitch;
|
||||
}
|
||||
}
|
||||
|
||||
static void
|
||||
glue(glue(cirrus_bitblt_rop_fwd_transp_, ROP_NAME),_8)(CirrusVGAState *s,
|
||||
uint32_t dstaddr,
|
||||
- const uint8_t *src,
|
||||
+ uint32_t srcaddr,
|
||||
int dstpitch,
|
||||
int srcpitch,
|
||||
int bltwidth,
|
||||
@@ -142,19 +142,19 @@ glue(glue(cirrus_bitblt_rop_fwd_transp_, ROP_NAME),_8)(CirrusVGAState *s,
|
||||
|
||||
for (y = 0; y < bltheight; y++) {
|
||||
for (x = 0; x < bltwidth; x++) {
|
||||
- ROP_OP_TR(s, dstaddr, *src, transp);
|
||||
+ ROP_OP_TR(s, dstaddr, cirrus_src(s, srcaddr), transp);
|
||||
dstaddr++;
|
||||
- src++;
|
||||
+ srcaddr++;
|
||||
}
|
||||
dstaddr += dstpitch;
|
||||
- src += srcpitch;
|
||||
+ srcaddr += srcpitch;
|
||||
}
|
||||
}
|
||||
|
||||
static void
|
||||
glue(glue(cirrus_bitblt_rop_bkwd_transp_, ROP_NAME),_8)(CirrusVGAState *s,
|
||||
uint32_t dstaddr,
|
||||
- const uint8_t *src,
|
||||
+ uint32_t srcaddr,
|
||||
int dstpitch,
|
||||
int srcpitch,
|
||||
int bltwidth,
|
||||
@@ -166,19 +166,19 @@ glue(glue(cirrus_bitblt_rop_bkwd_transp_, ROP_NAME),_8)(CirrusVGAState *s,
|
||||
srcpitch += bltwidth;
|
||||
for (y = 0; y < bltheight; y++) {
|
||||
for (x = 0; x < bltwidth; x++) {
|
||||
- ROP_OP_TR(s, dstaddr, *src, transp);
|
||||
+ ROP_OP_TR(s, dstaddr, cirrus_src(s, srcaddr), transp);
|
||||
dstaddr--;
|
||||
- src--;
|
||||
+ srcaddr--;
|
||||
}
|
||||
dstaddr += dstpitch;
|
||||
- src += srcpitch;
|
||||
+ srcaddr += srcpitch;
|
||||
}
|
||||
}
|
||||
|
||||
static void
|
||||
glue(glue(cirrus_bitblt_rop_fwd_transp_, ROP_NAME),_16)(CirrusVGAState *s,
|
||||
uint32_t dstaddr,
|
||||
- const uint8_t *src,
|
||||
+ uint32_t srcaddr,
|
||||
int dstpitch,
|
||||
int srcpitch,
|
||||
int bltwidth,
|
||||
@@ -195,19 +195,19 @@ glue(glue(cirrus_bitblt_rop_fwd_transp_, ROP_NAME),_16)(CirrusVGAState *s,
|
||||
|
||||
for (y = 0; y < bltheight; y++) {
|
||||
for (x = 0; x < bltwidth; x+=2) {
|
||||
- ROP_OP_TR_16(s, dstaddr, *(uint16_t *)src, transp);
|
||||
+ ROP_OP_TR_16(s, dstaddr, cirrus_src16(s, srcaddr), transp);
|
||||
dstaddr += 2;
|
||||
- src += 2;
|
||||
+ srcaddr += 2;
|
||||
}
|
||||
dstaddr += dstpitch;
|
||||
- src += srcpitch;
|
||||
+ srcaddr += srcpitch;
|
||||
}
|
||||
}
|
||||
|
||||
static void
|
||||
glue(glue(cirrus_bitblt_rop_bkwd_transp_, ROP_NAME),_16)(CirrusVGAState *s,
|
||||
uint32_t dstaddr,
|
||||
- const uint8_t *src,
|
||||
+ uint32_t srcaddr,
|
||||
int dstpitch,
|
||||
int srcpitch,
|
||||
int bltwidth,
|
||||
@@ -219,12 +219,12 @@ glue(glue(cirrus_bitblt_rop_bkwd_transp_, ROP_NAME),_16)(CirrusVGAState *s,
|
||||
srcpitch += bltwidth;
|
||||
for (y = 0; y < bltheight; y++) {
|
||||
for (x = 0; x < bltwidth; x+=2) {
|
||||
- ROP_OP_TR_16(s, dstaddr, *(uint16_t *)src, transp);
|
||||
+ ROP_OP_TR_16(s, dstaddr, cirrus_src16(s, srcaddr), transp);
|
||||
dstaddr -= 2;
|
||||
- src -= 2;
|
||||
+ srcaddr -= 2;
|
||||
}
|
||||
dstaddr += dstpitch;
|
||||
- src += srcpitch;
|
||||
+ srcaddr += srcpitch;
|
||||
}
|
||||
}
|
||||
|
||||
diff --git a/hw/display/cirrus_vga_rop2.h b/hw/display/cirrus_vga_rop2.h
|
||||
index bc92f0e0e7..b86bcd6e09 100644
|
||||
--- a/hw/display/cirrus_vga_rop2.h
|
||||
+++ b/hw/display/cirrus_vga_rop2.h
|
||||
@@ -41,14 +41,14 @@
|
||||
static void
|
||||
glue(glue(glue(cirrus_patternfill_, ROP_NAME), _),DEPTH)
|
||||
(CirrusVGAState *s, uint32_t dstaddr,
|
||||
- const uint8_t *src,
|
||||
+ uint32_t srcaddr,
|
||||
int dstpitch, int srcpitch,
|
||||
int bltwidth, int bltheight)
|
||||
{
|
||||
uint32_t addr;
|
||||
int x, y, pattern_y, pattern_pitch, pattern_x;
|
||||
unsigned int col;
|
||||
- const uint8_t *src1;
|
||||
+ uint32_t src1addr;
|
||||
#if DEPTH == 24
|
||||
int skipleft = s->vga.gr[0x2f] & 0x1f;
|
||||
#else
|
||||
@@ -66,22 +66,24 @@ glue(glue(glue(cirrus_patternfill_, ROP_NAME), _),DEPTH)
|
||||
for(y = 0; y < bltheight; y++) {
|
||||
pattern_x = skipleft;
|
||||
addr = dstaddr + skipleft;
|
||||
- src1 = src + pattern_y * pattern_pitch;
|
||||
+ src1addr = srcaddr + pattern_y * pattern_pitch;
|
||||
for (x = skipleft; x < bltwidth; x += (DEPTH / 8)) {
|
||||
#if DEPTH == 8
|
||||
- col = src1[pattern_x];
|
||||
+ col = cirrus_src(s, src1addr + pattern_x);
|
||||
pattern_x = (pattern_x + 1) & 7;
|
||||
#elif DEPTH == 16
|
||||
- col = ((uint16_t *)(src1 + pattern_x))[0];
|
||||
+ col = cirrus_src16(s, src1addr + pattern_x);
|
||||
pattern_x = (pattern_x + 2) & 15;
|
||||
#elif DEPTH == 24
|
||||
{
|
||||
- const uint8_t *src2 = src1 + pattern_x * 3;
|
||||
- col = src2[0] | (src2[1] << 8) | (src2[2] << 16);
|
||||
+ uint32_t src2addr = src1addr + pattern_x * 3;
|
||||
+ col = cirrus_src(s, src2addr) |
|
||||
+ (cirrus_src(s, src2addr + 1) << 8) |
|
||||
+ (cirrus_src(s, src2addr + 2) << 16);
|
||||
pattern_x = (pattern_x + 1) & 7;
|
||||
}
|
||||
#else
|
||||
- col = ((uint32_t *)(src1 + pattern_x))[0];
|
||||
+ col = cirrus_src32(s, src1addr + pattern_x);
|
||||
pattern_x = (pattern_x + 4) & 31;
|
||||
#endif
|
||||
PUTPIXEL(s, addr, col);
|
||||
@@ -96,7 +98,7 @@ glue(glue(glue(cirrus_patternfill_, ROP_NAME), _),DEPTH)
|
||||
static void
|
||||
glue(glue(glue(cirrus_colorexpand_transp_, ROP_NAME), _),DEPTH)
|
||||
(CirrusVGAState *s, uint32_t dstaddr,
|
||||
- const uint8_t *src,
|
||||
+ uint32_t srcaddr,
|
||||
int dstpitch, int srcpitch,
|
||||
int bltwidth, int bltheight)
|
||||
{
|
||||
@@ -124,12 +126,12 @@ glue(glue(glue(cirrus_colorexpand_transp_, ROP_NAME), _),DEPTH)
|
||||
|
||||
for(y = 0; y < bltheight; y++) {
|
||||
bitmask = 0x80 >> srcskipleft;
|
||||
- bits = *src++ ^ bits_xor;
|
||||
+ bits = cirrus_src(s, srcaddr++) ^ bits_xor;
|
||||
addr = dstaddr + dstskipleft;
|
||||
for (x = dstskipleft; x < bltwidth; x += (DEPTH / 8)) {
|
||||
if ((bitmask & 0xff) == 0) {
|
||||
bitmask = 0x80;
|
||||
- bits = *src++ ^ bits_xor;
|
||||
+ bits = cirrus_src(s, srcaddr++) ^ bits_xor;
|
||||
}
|
||||
index = (bits & bitmask);
|
||||
if (index) {
|
||||
@@ -145,7 +147,7 @@ glue(glue(glue(cirrus_colorexpand_transp_, ROP_NAME), _),DEPTH)
|
||||
static void
|
||||
glue(glue(glue(cirrus_colorexpand_, ROP_NAME), _),DEPTH)
|
||||
(CirrusVGAState *s, uint32_t dstaddr,
|
||||
- const uint8_t *src,
|
||||
+ uint32_t srcaddr,
|
||||
int dstpitch, int srcpitch,
|
||||
int bltwidth, int bltheight)
|
||||
{
|
||||
@@ -162,12 +164,12 @@ glue(glue(glue(cirrus_colorexpand_, ROP_NAME), _),DEPTH)
|
||||
colors[1] = s->cirrus_blt_fgcol;
|
||||
for(y = 0; y < bltheight; y++) {
|
||||
bitmask = 0x80 >> srcskipleft;
|
||||
- bits = *src++;
|
||||
+ bits = cirrus_src(s, srcaddr++);
|
||||
addr = dstaddr + dstskipleft;
|
||||
for (x = dstskipleft; x < bltwidth; x += (DEPTH / 8)) {
|
||||
if ((bitmask & 0xff) == 0) {
|
||||
bitmask = 0x80;
|
||||
- bits = *src++;
|
||||
+ bits = cirrus_src(s, srcaddr++);
|
||||
}
|
||||
col = colors[!!(bits & bitmask)];
|
||||
PUTPIXEL(s, addr, col);
|
||||
@@ -181,7 +183,7 @@ glue(glue(glue(cirrus_colorexpand_, ROP_NAME), _),DEPTH)
|
||||
static void
|
||||
glue(glue(glue(cirrus_colorexpand_pattern_transp_, ROP_NAME), _),DEPTH)
|
||||
(CirrusVGAState *s, uint32_t dstaddr,
|
||||
- const uint8_t *src,
|
||||
+ uint32_t srcaddr,
|
||||
int dstpitch, int srcpitch,
|
||||
int bltwidth, int bltheight)
|
||||
{
|
||||
@@ -207,7 +209,7 @@ glue(glue(glue(cirrus_colorexpand_pattern_transp_, ROP_NAME), _),DEPTH)
|
||||
pattern_y = s->cirrus_blt_srcaddr & 7;
|
||||
|
||||
for(y = 0; y < bltheight; y++) {
|
||||
- bits = src[pattern_y] ^ bits_xor;
|
||||
+ bits = cirrus_src(s, srcaddr + pattern_y) ^ bits_xor;
|
||||
bitpos = 7 - srcskipleft;
|
||||
addr = dstaddr + dstskipleft;
|
||||
for (x = dstskipleft; x < bltwidth; x += (DEPTH / 8)) {
|
||||
@@ -225,7 +227,7 @@ glue(glue(glue(cirrus_colorexpand_pattern_transp_, ROP_NAME), _),DEPTH)
|
||||
static void
|
||||
glue(glue(glue(cirrus_colorexpand_pattern_, ROP_NAME), _),DEPTH)
|
||||
(CirrusVGAState *s, uint32_t dstaddr,
|
||||
- const uint8_t *src,
|
||||
+ uint32_t srcaddr,
|
||||
int dstpitch, int srcpitch,
|
||||
int bltwidth, int bltheight)
|
||||
{
|
||||
@@ -242,7 +244,7 @@ glue(glue(glue(cirrus_colorexpand_pattern_, ROP_NAME), _),DEPTH)
|
||||
pattern_y = s->cirrus_blt_srcaddr & 7;
|
||||
|
||||
for(y = 0; y < bltheight; y++) {
|
||||
- bits = src[pattern_y];
|
||||
+ bits = cirrus_src(s, srcaddr + pattern_y);
|
||||
bitpos = 7 - srcskipleft;
|
||||
addr = dstaddr + dstskipleft;
|
||||
for (x = dstskipleft; x < bltwidth; x += (DEPTH / 8)) {
|
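Review bot: `cirrus_src16()` and `cirrus_src32()` silently round the address down (`& ~1`, `& ~3`) before dereferencing, so a caller that arrives with a mis-aligned `srcaddr` gets a neighbouring pair returned instead of a detectable error; the backward 16-bit loops in the cirrus_vga_rop.h hunk at `@@ -219,12 +219,12 @@` are exactly such callers, and the next patch in this series ("cirrus: fix off-by-one in cirrus_bitblt_rop_bkwd_transp_*_16") has to repair them, which argues for fixing the callers in the same change as the helpers. The helpers are also the security-relevant part of the commit: every guest-programmed source address is now masked to the buffer (`CIRRUS_BLTBUFSIZE - 1` or `cirrus_addr_mask`) instead of being turned into a raw pointer, and that contract deserves a comment above `cirrus_src()`: `/* Fetch blitter source data: cputovideo blits (cirrus_srccounter != 0) read the staging buffer, everything else reads VRAM; the masks keep the index inside the buffer whatever address the guest supplied. */`. The `(void *)` casts in the 16/32-bit helpers read host-endian values straight out of a `uint8_t` array, as the old `*(uint16_t *)src` did; if the project's unaligned-load helpers are available in this file they would state that intent better than the cast.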
@ -0,0 +1,34 @@
|
||||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Fri, 17 Mar 2017 08:21:36 +0100
|
||||
Subject: [PATCH] cirrus: fix off-by-one in cirrus_bitblt_rop_bkwd_transp_*_16
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The switch from pointers to addresses (commit
|
||||
026aeffcb4752054830ba203020ed6eb05bcaba8 and
|
||||
ffaf857778286ca54e3804432a2369a279e73aa7) added
|
||||
a off-by-one bug to 16bit backward blits. Fix.
|
||||
|
||||
Reported-by: 李强 <liqiang6-s@360.cn>
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Reviewed-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Message-id: 1489735296-19047-1-git-send-email-kraxel@redhat.com
|
||||
(cherry picked from commit f019722cbbb45aea153294fc8921fcc96a4d3fa2)
|
||||
---
|
||||
hw/display/cirrus_vga_rop.h | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/display/cirrus_vga_rop.h b/hw/display/cirrus_vga_rop.h
|
||||
index c61a677353..0841b9efa9 100644
|
||||
--- a/hw/display/cirrus_vga_rop.h
|
||||
+++ b/hw/display/cirrus_vga_rop.h
|
||||
@@ -219,7 +219,7 @@ glue(glue(cirrus_bitblt_rop_bkwd_transp_, ROP_NAME),_16)(CirrusVGAState *s,
|
||||
srcpitch += bltwidth;
|
||||
for (y = 0; y < bltheight; y++) {
|
||||
for (x = 0; x < bltwidth; x+=2) {
|
||||
- ROP_OP_TR_16(s, dstaddr, cirrus_src16(s, srcaddr), transp);
|
||||
+ ROP_OP_TR_16(s, dstaddr - 1, cirrus_src16(s, srcaddr - 1), transp);
|
||||
dstaddr -= 2;
|
||||
srcaddr -= 2;
|
||||
}
|
@ -0,0 +1,30 @@
|
||||
From: P J P <ppandit@redhat.com>
|
||||
Date: Tue, 25 Apr 2017 18:36:23 +0530
|
||||
Subject: [PATCH] vmw_pvscsi: check message ring page count at initialisation
|
||||
|
||||
A guest could set the message ring page count to zero, resulting in
|
||||
infinite loop. Add check to avoid it.
|
||||
|
||||
Reported-by: YY Z <bigbird475958471@gmail.com>
|
||||
Signed-off-by: P J P <ppandit@redhat.com>
|
||||
Message-Id: <20170425130623.3649-1-ppandit@redhat.com>
|
||||
Reviewed-by: Dmitry Fleytman <dmitry@daynix.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit f68826989cd4d1217797251339579c57b3c0934e)
|
||||
---
|
||||
hw/scsi/vmw_pvscsi.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
|
||||
index a5ce7dea8e..44141322de 100644
|
||||
--- a/hw/scsi/vmw_pvscsi.c
|
||||
+++ b/hw/scsi/vmw_pvscsi.c
|
||||
@@ -202,7 +202,7 @@ pvscsi_ring_init_msg(PVSCSIRingInfo *m, PVSCSICmdDescSetupMsgRing *ri)
|
||||
uint32_t len_log2;
|
||||
uint32_t ring_size;
|
||||
|
||||
- if (ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) {
|
||||
+ if (!ri->numPages || ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) {
|
||||
return -1;
|
||||
}
|
||||
ring_size = ri->numPages * PVSCSI_MAX_NUM_MSG_ENTRIES_PER_PAGE;
|
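--- a/0082-audio-release-capture-buffers.patch
+++ b/0082-audio-release-capture-buffers.patch
@@ -0,0 +1,35 @@
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Fri, 28 Apr 2017 09:56:12 +0200
+Subject: [PATCH] audio: release capture buffers
+
+AUD_add_capture() allocates two buffers which are never released.
+Add the missing calls to AUD_del_capture().
+
+Impact: Allows vnc clients to exhaust host memory by repeatedly
+starting and stopping audio capture.
+
+Fixes: CVE-2017-8309
+Cc: P J P <ppandit@redhat.com>
+Cc: Huawei PSIRT <PSIRT@huawei.com>
+Reported-by: "Jiangxin (hunter, SCC)" <jiangxin1@huawei.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-id: 20170428075612.9997-1-kraxel@redhat.com
+(cherry picked from commit 3268a845f41253fb55852a8429c32b50f36f349a)
+---
+audio/audio.c | 2 ++
+1 file changed, 2 insertions(+)
+
+diff --git a/audio/audio.c b/audio/audio.c
+index c845a44f0a..adede3c9ef 100644
+--- a/audio/audio.c
++++ b/audio/audio.c
+@@ -2023,6 +2023,8 @@ void AUD_del_capture (CaptureVoiceOut *cap, void *cb_opaque)
+sw = sw1;
+}
+QLIST_REMOVE (cap, entries);
++ g_free (cap->hw.mix_buf);
++ g_free (cap->buf);
+g_free (cap);
+}
+return;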
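Review bot: The two new `g_free()` calls release buffers whose ownership is not stated anywhere near them, and the rest of `AUD_del_capture()` (its other exit paths included) lies outside the hunk, so a reader cannot tell from this spot whether this is the only place a capture voice is destroyed. A one-line comment above the added lines would tie the fix to its cause: `/* release the two buffers AUD_add_capture() allocated for this voice */`. The ordering is right as written: both members are freed before `g_free (cap)` takes the containing object.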
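--- a/0083-input-limit-kbd-queue-depth.patch
+++ b/0083-input-limit-kbd-queue-depth.patch
@@ -0,0 +1,87 @@
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Fri, 28 Apr 2017 10:42:37 +0200
+Subject: [PATCH] input: limit kbd queue depth
+
+Apply a limit to the number of items we accept into the keyboard queue.
+
+Impact: Without this limit vnc clients can exhaust host memory by
+sending keyboard events faster than qemu feeds them to the guest.
+
+Fixes: CVE-2017-8379
+Cc: P J P <ppandit@redhat.com>
+Cc: Huawei PSIRT <PSIRT@huawei.com>
+Reported-by: jiangxin1@huawei.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: 20170428084237.23960-1-kraxel@redhat.com
+(cherry picked from commit fa18f36a461984eae50ab957e47ec78dae3c14fc)
+---
+ui/input.c | 14 +++++++++++---
+1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/ui/input.c b/ui/input.c
+index ed88cda6d6..fb1f404095 100644
+--- a/ui/input.c
++++ b/ui/input.c
+@@ -41,6 +41,8 @@ static QTAILQ_HEAD(QemuInputEventQueueHead, QemuInputEventQueue) kbd_queue =
+QTAILQ_HEAD_INITIALIZER(kbd_queue);
+static QEMUTimer *kbd_timer;
+static uint32_t kbd_default_delay_ms = 10;
++static uint32_t queue_count;
++static uint32_t queue_limit = 1024;
+
+QemuInputHandlerState *qemu_input_handler_register(DeviceState *dev,
+QemuInputHandler *handler)
+@@ -268,6 +270,7 @@ static void qemu_input_queue_process(void *opaque)
+break;
+}
+QTAILQ_REMOVE(queue, item, node);
++ queue_count--;
+g_free(item);
+}
+}
+@@ -282,6 +285,7 @@ static void qemu_input_queue_delay(struct QemuInputEventQueueHead *queue,
+item->delay_ms = delay_ms;
+item->timer = timer;
+QTAILQ_INSERT_TAIL(queue, item, node);
++ queue_count++;
+
+if (start_timer) {
+timer_mod(item->timer, qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL)
+@@ -298,6 +302,7 @@ static void qemu_input_queue_event(struct QemuInputEventQueueHead *queue,
+item->src = src;
+item->evt = evt;
+QTAILQ_INSERT_TAIL(queue, item, node);
++ queue_count++;
+}
+
+static void qemu_input_queue_sync(struct QemuInputEventQueueHead *queue)
+@@ -306,6 +311,7 @@ static void qemu_input_queue_sync(struct QemuInputEventQueueHead *queue)
+
+item->type = QEMU_INPUT_QUEUE_SYNC;
+QTAILQ_INSERT_TAIL(queue, item, node);
++ queue_count++;
+}
+
+void qemu_input_event_send_impl(QemuConsole *src, InputEvent *evt)
+@@ -381,7 +387,7 @@ void qemu_input_event_send_key(QemuConsole *src, KeyValue *key, bool down)
+qemu_input_event_send(src, evt);
+qemu_input_event_sync();
+qapi_free_InputEvent(evt);
+- } else {
++ } else if (queue_count < queue_limit) {
+qemu_input_queue_event(&kbd_queue, src, evt);
+qemu_input_queue_sync(&kbd_queue);
+}
+@@ -409,8 +415,10 @@ void qemu_input_event_send_key_delay(uint32_t delay_ms)
+kbd_timer = timer_new_ms(QEMU_CLOCK_VIRTUAL, qemu_input_queue_process,
+&kbd_queue);
+}
+- qemu_input_queue_delay(&kbd_queue, kbd_timer,
+- delay_ms ? delay_ms : kbd_default_delay_ms);
++ if (queue_count < queue_limit) {
++ qemu_input_queue_delay(&kbd_queue, kbd_timer,
++ delay_ms ? delay_ms : kbd_default_delay_ms);
++ }
+}
+
+InputEvent *qemu_input_event_new_btn(InputButton btn, bool down)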
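Review bot: In the `@@ -381,7 +387,7 @@` hunk the new `else if (queue_count < queue_limit)` creates a third path on which nobody owns `evt`: the first branch frees it after sending and the queue branch hands it to the queue, but when the queue is full the event is neither queued nor freed, so — assuming `evt` is allocated by this function, as the `qapi_free_InputEvent(evt)` in the first branch suggests — every dropped event leaks, which partly undoes the memory-exhaustion fix. Adding `} else { qapi_free_InputEvent(evt); }` closes that path. Dropping at the limit also discards key-up events, so a client that reaches the cap can leave keys held down in the guest; that is a defensible trade-off but belongs in a comment next to the new globals, e.g. `/* cap on queued kbd events; events past the cap are dropped, not delayed (CVE-2017-8379) */`. `queue_count` is a single global although the queue helpers take a `queue` parameter, which is fine while `kbd_queue` is the only queue but is worth stating in the same comment.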
@ -0,0 +1,42 @@
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Mon, 24 Apr 2017 17:36:34 +0530
|
||||
Subject: [PATCH] scsi: avoid an off-by-one error in megasas_mmio_write
|
||||
|
||||
While reading magic sequence(MFI_SEQ) in megasas_mmio_write,
|
||||
an off-by-one error could occur as 's->adp_reset' index is not
|
||||
reset after reading the last sequence.
|
||||
|
||||
Reported-by: YY Z <bigbird475958471@gmail.com>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-Id: <20170424120634.12268-1-ppandit@redhat.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit 24dfa9fa2f90a95ac33c7372de4f4f2c8a2c141f)
|
||||
---
|
||||
hw/scsi/megasas.c | 10 +++++-----
|
||||
1 file changed, 5 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
|
||||
index ebf03022ed..efcbaa9c8d 100644
|
||||
--- a/hw/scsi/megasas.c
|
||||
+++ b/hw/scsi/megasas.c
|
||||
@@ -2132,15 +2132,15 @@ static void megasas_mmio_write(void *opaque, hwaddr addr,
|
||||
case MFI_SEQ:
|
||||
trace_megasas_mmio_writel("MFI_SEQ", val);
|
||||
/* Magic sequence to start ADP reset */
|
||||
- if (adp_reset_seq[s->adp_reset] == val) {
|
||||
- s->adp_reset++;
|
||||
+ if (adp_reset_seq[s->adp_reset++] == val) {
|
||||
+ if (s->adp_reset == 6) {
|
||||
+ s->adp_reset = 0;
|
||||
+ s->diag = MFI_DIAG_WRITE_ENABLE;
|
||||
+ }
|
||||
} else {
|
||||
s->adp_reset = 0;
|
||||
s->diag = 0;
|
||||
}
|
||||
- if (s->adp_reset == 6) {
|
||||
- s->diag = MFI_DIAG_WRITE_ENABLE;
|
||||
- }
|
||||
break;
|
||||
case MFI_DIAG:
|
||||
trace_megasas_mmio_writel("MFI_DIAG", val);
|
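--- a/0085-virtio-gpu-fix-memory-leak-in-set-scanout.patch
+++ b/0085-virtio-gpu-fix-memory-leak-in-set-scanout.patch
@@ -0,0 +1,33 @@
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Sat, 21 Jan 2017 23:42:33 -0800
+Subject: [PATCH] virtio-gpu: fix memory leak in set scanout
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+In virtio_gpu_set_scanout function, when creating the 'rect'
+its refcount is set to 2, by pixman_image_create_bits and
+qemu_create_displaysurface_pixman function. This can lead
+a memory leak issues. This patch avoid this issue.
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-id: 5884626f.5b2f6b0a.1bfff.3037@mx.google.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit dd248ed7e204ee8a1873914e02b8b526e8f1b80d)
+---
+hw/display/virtio-gpu.c | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
+index cadd7d899d..7c8fda1733 100644
+--- a/hw/display/virtio-gpu.c
++++ b/hw/display/virtio-gpu.c
+@@ -602,6 +602,7 @@ static void virtio_gpu_set_scanout(VirtIOGPU *g,
+cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;
+return;
+}
++ pixman_image_unref(rect);
+dpy_gfx_replace_surface(g->scanout[ss.scanout_id].con, scanout->ds);
+}
+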
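Review bot: The new `pixman_image_unref(rect)` drops the creation reference only on the success path; the `return` two lines above it, after `cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC`, still exits with that reference held, so if `rect` is created before that check (the function body starts outside the hunk, so this is inferred from the commit message) the error path keeps the very leak being fixed. Releasing our reference before the check, or adding an unref in front of the `return`, makes ownership uniform: the display surface then holds the only remaining reference on every path. A comment at the unref would spare the next reader the refcount arithmetic: `/* qemu_create_displaysurface_pixman() took its own reference; drop ours */`.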
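--- a/0086-net-e1000e-fix-an-infinite-loop-issue.patch
+++ b/0086-net-e1000e-fix-an-infinite-loop-issue.patch
@@ -0,0 +1,41 @@
+From: Li Qiang <liq3ea@gmail.com>
+Date: Thu, 9 Feb 2017 18:19:19 -0800
+Subject: [PATCH] net: e1000e: fix an infinite loop issue
+
+This issue is like the issue in e1000 network card addressed in
+this commit:
+e1000: eliminate infinite loops on out-of-bounds transfer start.
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+Reviewed-by: Dmitry Fleytman <dmitry@daynix.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+(cherry picked from commit 4154c7e03fa55b4cf52509a83d50d6c09d743b77)
+---
+hw/net/e1000e_core.c | 7 ++++++-
+1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/hw/net/e1000e_core.c b/hw/net/e1000e_core.c
+index badb1feb7d..718154bc56 100644
+--- a/hw/net/e1000e_core.c
++++ b/hw/net/e1000e_core.c
+@@ -806,7 +806,8 @@ typedef struct E1000E_RingInfo_st {
+static inline bool
+e1000e_ring_empty(E1000ECore *core, const E1000E_RingInfo *r)
+{
+- return core->mac[r->dh] == core->mac[r->dt];
++ return core->mac[r->dh] == core->mac[r->dt] ||
++ core->mac[r->dt] >= core->mac[r->dlen] / E1000_RING_DESC_LEN;
+}
+
+static inline uint64_t
+@@ -1522,6 +1523,10 @@ e1000e_write_packet_to_guest(E1000ECore *core, struct NetRxPkt *pkt,
+desc_size = core->rx_desc_buf_size;
+}
+
++ if (e1000e_ring_empty(core, rxi)) {
++ return;
++ }
++
+base = e1000e_ring_head_descr(core, rxi);
+
+pci_dma_read(d, base, &desc, core->rx_desc_len);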
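Review bot: The new bound in `e1000e_ring_empty()` checks only the tail register against `dlen / E1000_RING_DESC_LEN`; the head register `mac[r->dh]` stays unconstrained, so a head programmed past the ring end together with an in-range tail is still reported as non-empty and `e1000e_ring_head_descr()` (outside the hunk) would then address a descriptor outside the ring. Whether a matching head check is needed depends on how the head is advanced and wrapped elsewhere in the file, which this diff does not show, so it is worth confirming against the e1000 change the message cites. The name no longer describes the contract: a comment such as `/* A tail beyond the ring length counts as empty so descriptor walks cannot spin or read past the ring */` above the `return` would explain why a range error is folded into "empty". When `mac[r->dlen]` is zero the division yields 0 and every tail is treated as empty, which is the safe direction.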
@ -0,0 +1,28 @@
|
||||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Tue, 7 Feb 2017 03:15:03 -0800
|
||||
Subject: [PATCH] usb: ohci: fix error return code in servicing iso td
|
||||
|
||||
It should return 1 if an error occurs when reading iso td.
|
||||
This will avoid an infinite loop issue in ohci_service_ed_list.
|
||||
|
||||
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Message-id: 5899ac3e.1033240a.944d5.9a2d@mx.google.com
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit 26f670a244982335cc08943fb1ec099a2c81e42d)
|
||||
---
|
||||
hw/usb/hcd-ohci.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c
|
||||
index 48307febd3..27130fe08f 100644
|
||||
--- a/hw/usb/hcd-ohci.c
|
||||
+++ b/hw/usb/hcd-ohci.c
|
||||
@@ -727,7 +727,7 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed,
|
||||
if (ohci_read_iso_td(ohci, addr, &iso_td)) {
|
||||
trace_usb_ohci_iso_td_read_failed(addr);
|
||||
ohci_die(ohci);
|
||||
- return 0;
|
||||
+ return 1;
|
||||
}
|
||||
|
||||
starting_frame = OHCI_BM(iso_td.flags, TD_SF);
|
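--- a/0088-usb-ehci-fix-memory-leak-in-ehci.patch
+++ b/0088-usb-ehci-fix-memory-leak-in-ehci.patch
@@ -0,0 +1,75 @@
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Tue, 7 Feb 2017 18:42:55 -0800
+Subject: [PATCH] usb: ehci: fix memory leak in ehci
+
+In usb_ehci_init function, it initializes 's->ipacket', but there
+is no corresponding function to free this. As the ehci can be hotplug
+and unplug, this will leak host memory leak. In order to make the
+hierarchy clean, we should add a ehci pci finalize function, then call
+the clean function in ehci device.
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+Message-id: 589a85b8.3c2b9d0a.b8e6.1434@mx.google.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit d710e1e7bd3d5bfc26b631f02ae87901ebe646b0)
+---
+hw/usb/hcd-ehci-pci.c | 9 +++++++++
+hw/usb/hcd-ehci.c | 5 +++++
+hw/usb/hcd-ehci.h | 1 +
+3 files changed, 15 insertions(+)
+
+diff --git a/hw/usb/hcd-ehci-pci.c b/hw/usb/hcd-ehci-pci.c
+index 56577051e2..6dedcb8989 100644
+--- a/hw/usb/hcd-ehci-pci.c
++++ b/hw/usb/hcd-ehci-pci.c
+@@ -89,6 +89,14 @@ static void usb_ehci_pci_init(Object *obj)
+usb_ehci_init(s, DEVICE(obj));
+}
+
++static void usb_ehci_pci_finalize(Object *obj)
++{
++ EHCIPCIState *i = PCI_EHCI(obj);
++ EHCIState *s = &i->ehci;
++
++ usb_ehci_finalize(s);
++}
++
+static void usb_ehci_pci_exit(PCIDevice *dev)
+{
+EHCIPCIState *i = PCI_EHCI(dev);
+@@ -159,6 +167,7 @@ static const TypeInfo ehci_pci_type_info = {
+.parent = TYPE_PCI_DEVICE,
+.instance_size = sizeof(EHCIPCIState),
+.instance_init = usb_ehci_pci_init,
++ .instance_finalize = usb_ehci_pci_finalize,
+.abstract = true,
+.class_init = ehci_class_init,
+};
+diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
+index 7622a3ae72..50ef817f93 100644
+--- a/hw/usb/hcd-ehci.c
++++ b/hw/usb/hcd-ehci.c
+@@ -2545,6 +2545,11 @@ void usb_ehci_init(EHCIState *s, DeviceState *dev)
+&s->mem_ports);
+}
+
++void usb_ehci_finalize(EHCIState *s)
++{
++ usb_packet_cleanup(&s->ipacket);
++}
++
+/*
+* vim: expandtab ts=4
+*/
+diff --git a/hw/usb/hcd-ehci.h b/hw/usb/hcd-ehci.h
+index 3fd7038658..938d8aa284 100644
+--- a/hw/usb/hcd-ehci.h
++++ b/hw/usb/hcd-ehci.h
+@@ -323,6 +323,7 @@ struct EHCIState {
+extern const VMStateDescription vmstate_ehci;
+
+void usb_ehci_init(EHCIState *s, DeviceState *dev);
++void usb_ehci_finalize(EHCIState *s);
+void usb_ehci_realize(EHCIState *s, DeviceState *dev, Error **errp);
+void usb_ehci_unrealize(EHCIState *s, DeviceState *dev, Error **errp);
+void ehci_reset(void *opaque);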
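Review bot: Only the PCI front-end gains an `instance_finalize` that calls `usb_ehci_finalize()`; the diffstat touches hcd-ehci-pci.c, hcd-ehci.c and hcd-ehci.h alone, so any other front-end that also calls `usb_ehci_init()` (the sysbus variant, if it does) keeps leaking `s->ipacket` on unplug and needs the same hook. The new public function is undocumented; above its prototype in hcd-ehci.h: `/* Release what usb_ehci_init() acquired; front-ends call this from their instance_finalize. */`. Finalize runs at object destruction rather than at unrealize, so `ipacket` must already be idle by then; a sentence on that ordering in the same comment would save the next reader from checking `usb_ehci_unrealize()`.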
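--- a/0089-usb-redir-fix-stack-overflow-in-usbredir_log_data.patch
+++ b/0089-usb-redir-fix-stack-overflow-in-usbredir_log_data.patch
@@ -0,0 +1,47 @@
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Tue, 9 May 2017 13:01:28 +0200
+Subject: [PATCH] usb-redir: fix stack overflow in usbredir_log_data
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Don't reinvent a broken wheel, just use the hexdump function we have.
+
+Impact: low, broken code doesn't run unless you have debug logging
+enabled.
+
+Reported-by: 李强 <liqiang6-s@360.cn>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: 20170509110128.27261-1-kraxel@redhat.com
+(cherry picked from commit bd4a683505b27adc1ac809f71e918e58573d851d)
+---
+hw/usb/redirect.c | 13 +------------
+1 file changed, 1 insertion(+), 12 deletions(-)
+
+diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
+index d064961203..94249ec0b5 100644
+--- a/hw/usb/redirect.c
++++ b/hw/usb/redirect.c
+@@ -229,21 +229,10 @@ static void usbredir_log(void *priv, int level, const char *msg)
+static void usbredir_log_data(USBRedirDevice *dev, const char *desc,
+const uint8_t *data, int len)
+{
+- int i, j, n;
+-
+if (dev->debug < usbredirparser_debug_data) {
+return;
+}
+-
+- for (i = 0; i < len; i += j) {
+- char buf[128];
+-
+- n = sprintf(buf, "%s", desc);
+- for (j = 0; j < 8 && i + j < len; j++) {
+- n += sprintf(buf + n, " %02X", data[i + j]);
+- }
+- error_report("%s", buf);
+- }
++ qemu_hexdump((char *)data, stderr, desc, len);
+}
+
+/*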
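Review bot: The replacement call at the end of the hunk casts `data` to `(char *)`, dropping the `const` qualifier although nothing writes through the buffer; if qemu_hexdump takes a `const char *` buffer, as its signature appears to, `(const char *)data` is sufficient and keeps the compiler's const checking. `len` is also a signed `int` while the hexdump length parameter is presumably `size_t`, so a negative value from a caller would be converted to a very large length; a `if (len < 0) return;` guard ahead of the call, or changing the parameter to `size_t`, would make the debug path robust (usbredir_log_data's callers are outside this hunk). The output now goes straight to `stderr` instead of through `error_report()`, so it bypasses QEMU's error-reporting path; that is acceptable for debug-only data but deserves a one-line comment such as `/* debug-only: raw hexdump to stderr, bypasses error_report() */`.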
45
qemu.binfmt
@ -1,22 +1,23 @@
:qemu-alpha:M::\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x26\x90:\xff\xff\xff\xff\xff\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-alpha:
:qemu-armeb:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x28:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-armeb:
:qemu-arm:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x28\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-arm:
:qemu-cris:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x4c\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-cris:
:qemu-i386:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x03\x00:\xff\xff\xff\xff\xff\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-i386:
:qemu-i486:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x06\x00:\xff\xff\xff\xff\xff\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-i386:
:qemu-m68k:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x04:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-m68k:
:qemu-microblazeel:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\xab\xba:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-microblazeel:
:qemu-microblaze:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\xba\xab:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-microblaze:
:qemu-mips64el:M::\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xfe\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-mips64el:
:qemu-mips64:M::\x7fELF\x02\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08:\xff\xff\xff\xff\xff\xff\xff\x00\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-mips64:
:qemu-mipsel:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xfe\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-mipsel:
:qemu-mips:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08:\xff\xff\xff\xff\xff\xff\xff\x00\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-mips:
:qemu-ppc64abi32:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x15:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-ppc64abi32:
:qemu-ppc64:M::\x7fELF\x02\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x15:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-ppc64:
:qemu-ppc:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x14:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-ppc:
:qemu-s390x:M::\x7fELF\x02\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x16:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-s390x:
:qemu-sh4eb:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x2a:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-sh4eb:
:qemu-sh4:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x2a\x00:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-sh4:
:qemu-sparc32plus:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x12:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-sparc32plus:
:qemu-sparc64:M::\x7fELF\x02\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x2b:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-sparc64:
:qemu-sparc:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x02:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-sparc:
:qemu-aarch64:M::\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\xb7\x00:\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfe\xff\xff\xff:/usr/bin/qemu-aarch64:
:qemu-alpha:M::\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x26\x90:\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfe\xff\xff\xff:/usr/bin/qemu-alpha:
:qemu-armeb:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x28:\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe\xff\xff:/usr/bin/qemu-armeb:
:qemu-arm:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x28\x00:\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfe\xff\xff\xff:/usr/bin/qemu-arm:
:qemu-cris:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x4c\x00:\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfe\xff\xff\xff:/usr/bin/qemu-cris:
:qemu-i386:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x03\x00:\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfe\xff\xff\xff:/usr/bin/qemu-i386:
:qemu-i486:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x06\x00:\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfe\xff\xff\xff:/usr/bin/qemu-i386:
:qemu-m68k:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x04:\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe\xff\xff:/usr/bin/qemu-m68k:
:qemu-microblazeel:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\xab\xba:\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfe\xff\xff\xff:/usr/bin/qemu-microblazeel:
:qemu-microblaze:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\xba\xab:\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe\xff\xff:/usr/bin/qemu-microblaze:
:qemu-mips64el:M::\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08\x00:\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfe\xff\xff\xff:/usr/bin/qemu-mips64el:
:qemu-mips64:M::\x7fELF\x02\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08:\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe\xff\xff:/usr/bin/qemu-mips64:
:qemu-mipsel:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08\x00:\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfe\xff\xff\xff:/usr/bin/qemu-mipsel:
:qemu-mips:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08:\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe\xff\xff:/usr/bin/qemu-mips:
:qemu-ppc64abi32:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x15:\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe\xff\xff:/usr/bin/qemu-ppc64abi32:
:qemu-ppc64:M::\x7fELF\x02\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x15:\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe\xff\xff:/usr/bin/qemu-ppc64:
:qemu-ppc:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x14:\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe\xff\xff:/usr/bin/qemu-ppc:
:qemu-s390x:M::\x7fELF\x02\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x16:\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe\xff\xff:/usr/bin/qemu-s390x:
:qemu-sh4eb:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x2a:\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe\xff\xff:/usr/bin/qemu-sh4eb:
:qemu-sh4:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x2a\x00:\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfe\xff\xff\xff:/usr/bin/qemu-sh4:
:qemu-sparc32plus:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x12:\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe\xff\xff:/usr/bin/qemu-sparc32plus:
:qemu-sparc64:M::\x7fELF\x02\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x2b:\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe\xff\xff:/usr/bin/qemu-sparc64:
:qemu-sparc:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x02:\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe\xff\xff:/usr/bin/qemu-sparc:
361
qemu.spec
@ -67,7 +67,7 @@
Summary: QEMU is a FAST! processor emulator
|
||||
Name: qemu
|
||||
Version: 2.7.0
|
||||
Version: 2.7.1
|
||||
Release: 7%{?rcrel}%{?dist}
|
||||
Epoch: 2
|
||||
License: GPLv2+ and LGPLv2+ and BSD
|
||||
@ -102,40 +102,195 @@ Source21: 50-kvm-s390x.conf
|
||||
# /etc/security/limits.d/95-kvm-ppc64-memlock.conf
|
||||
Source22: 95-kvm-ppc64-memlock.conf
|
||||
|
||||
# CVE-2016-7155: pvscsi: OOB read and infinite loop (bz #1373463)
|
||||
Patch0001: 0001-vmw_pvscsi-check-page-count-while-initialising-descr.patch
|
||||
# CVE-2016-7156: pvscsi: infinite loop when building SG list (bz #1373480)
|
||||
Patch0002: 0002-scsi-pvscsi-limit-loop-to-fetch-SG-list.patch
|
||||
# CVE-2016-7156: pvscsi: infinite loop when processing IO requests (bz
|
||||
# #1373480)
|
||||
Patch0003: 0003-scsi-pvscsi-limit-process-IO-loop-to-ring-size.patch
|
||||
Patch0001: 0001-scsi-pvscsi-limit-loop-to-fetch-SG-list.patch
|
||||
# CVE-2016-7170: vmware_vga: OOB stack memory access (bz #1374709)
|
||||
Patch0004: 0004-vmsvga-correct-bitmap-and-pixmap-size-checks.patch
|
||||
# CVE-2016-7157: mptsas: invalid memory access (bz #1373505)
|
||||
Patch0005: 0005-scsi-mptconfig-fix-an-assert-expression.patch
|
||||
Patch0006: 0006-scsi-mptconfig-fix-misuse-of-MPTSAS_CONFIG_PACK.patch
|
||||
Patch0002: 0002-vmsvga-correct-bitmap-and-pixmap-size-checks.patch
|
||||
# CVE-2016-7466: usb: xhci memory leakage during device unplug (bz #1377838)
|
||||
Patch0007: 0007-usb-xhci-fix-memory-leak-in-usb_xhci_exit.patch
|
||||
# CVE-2016-7423: scsi: mptsas: OOB access (bz #1376777)
|
||||
Patch0008: 0008-scsi-mptsas-use-g_new0-to-allocate-MPTSASRequest-obj.patch
|
||||
Patch0003: 0003-usb-xhci-fix-memory-leak-in-usb_xhci_exit.patch
|
||||
# CVE-2016-7422: virtio: null pointer dereference (bz #1376756)
|
||||
Patch0009: 0009-virtio-add-check-for-descriptor-s-mapped-address.patch
|
||||
Patch0004: 0004-virtio-add-check-for-descriptor-s-mapped-address.patch
|
||||
# CVE-2016-7908: net: Infinite loop in mcf_fec_do_tx (bz #1381193)
|
||||
Patch0010: 0010-net-mcf-limit-buffer-descriptor-count.patch
|
||||
Patch0005: 0005-net-mcf-limit-buffer-descriptor-count.patch
|
||||
# CVE-2016-8576: usb: xHCI: infinite loop vulnerability (bz #1382322)
|
||||
Patch0011: 0011-xhci-limit-the-number-of-link-trbs-we-are-willing-to.patch
|
||||
Patch0006: 0006-xhci-limit-the-number-of-link-trbs-we-are-willing-to.patch
|
||||
# CVE-2016-7995: usb: hcd-ehci: memory leak (bz #1382669)
|
||||
Patch0012: 0012-usb-ehci-fix-memory-leak-in-ehci_process_itd.patch
|
||||
Patch0007: 0007-usb-ehci-fix-memory-leak-in-ehci_process_itd.patch
|
||||
# Fix interrupt endpoints not working with network/spice USB redirection on
|
||||
# guest with an emulated xhci controller (bz #1382331)
|
||||
Patch0013: 0013-usb-redir-allocate-buffers-before-waking-up-the-host.patch
|
||||
# Fix nested PPC 'Unknown MMU model' error (bz #1374749)
|
||||
Patch0014: 0014-ppc-kvm-Mark-64kB-page-size-support-as-disabled-if-n.patch
|
||||
Patch0008: 0008-usb-redir-allocate-buffers-before-waking-up-the-host.patch
|
||||
# Fix flickering display with boxes + wayland VM (bz #1266484)
|
||||
Patch0015: 0015-qxl-Only-emit-QXL_INTERRUPT_CLIENT_MONITORS_CONFIG-o.patch
|
||||
Patch0009: 0009-qxl-Only-emit-QXL_INTERRUPT_CLIENT_MONITORS_CONFIG-o.patch
|
||||
# Fix keyboard issues with -ui gtk + host wayland (bz #1401211)
|
||||
# Posted but not yet applied upstream
|
||||
Patch0010: 0010-ui-use-evdev-keymap-when-running-under-wayland.patch
|
||||
# CVE-2016-6836: vmxnet: Information leakage in vmxnet3_complete_packet (bz
|
||||
# #1366370)
|
||||
Patch0011: 0011-net-vmxnet-initialise-local-tx-descriptor.patch
|
||||
# CVE-2016-7909: pcnet: Infinite loop in pcnet_rdra_addr (bz #1381196)
|
||||
Patch0012: 0012-net-pcnet-check-rx-tx-descriptor-ring-length.patch
|
||||
# CVE-2016-7994: virtio-gpu: memory leak in resource_create_2d (bz #1382667)
|
||||
Patch0013: 0013-virtio-gpu-fix-memory-leak-in-virtio_gpu_resource_cr.patch
|
||||
# CVE-2016-8577: 9pfs: host memory leakage in v9fs_read (bz #1383286)
|
||||
Patch0014: 0014-9pfs-fix-potential-host-memory-leak-in-v9fs_read.patch
|
||||
# CVE-2016-8578: 9pfs: potential NULL dereferencein 9pfs routines (bz
|
||||
# #1383292)
|
||||
Patch0015: 0015-9pfs-allocate-space-for-guest-originated-empty-strin.patch
|
||||
# CVE-2016-8668: OOB buffer access in rocker switch emulation (bz #1384898)
|
||||
Patch0016: 0016-net-rocker-set-limit-to-DMA-buffer-size.patch
|
||||
# CVE-2016-8669: divide by zero error in serial_update_parameters (bz
|
||||
# #1384911)
|
||||
Patch0017: 0017-char-serial-check-divider-value-against-baud-base.patch
|
||||
# CVE-2016-8909: intel-hda: infinite loop in dma buffer stream (bz #1388053)
|
||||
Patch0018: 0018-audio-intel-hda-check-stream-entry-count-during-tran.patch
|
||||
# Infinite loop vulnerability in a9_gtimer_update (bz #1388300)
|
||||
Patch0019: 0019-timer-a9gtimer-remove-loop-to-auto-increment-compara.patch
|
||||
# CVE-2016-9101: eepro100: memory leakage at device unplug (bz #1389539)
|
||||
Patch0020: 0020-net-eepro100-fix-memory-leak-in-device-uninit.patch
|
||||
# CVE-2016-9103: 9pfs: information leakage via xattr (bz #1389643)
|
||||
Patch0021: 0021-9pfs-fix-information-leak-in-xattr-read.patch
|
||||
# CVE-2016-9102: 9pfs: memory leakage when creating extended attribute (bz
|
||||
# #1389551)
|
||||
Patch0022: 0022-9pfs-fix-memory-leak-in-v9fs_xattrcreate.patch
|
||||
# CVE-2016-9104: 9pfs: integer overflow leading to OOB access (bz #1389687)
|
||||
Patch0023: 0023-9pfs-add-xattrwalk_fid-field-in-V9fsXattr-struct.patch
|
||||
Patch0024: 0024-9pfs-convert-len-copied_len-field-in-V9fsXattr-to-th.patch
|
||||
Patch0025: 0025-9pfs-fix-integer-overflow-issue-in-xattr-read-write.patch
|
||||
# CVE-2016-9105: 9pfs: memory leakage in v9fs_link (bz #1389704)
|
||||
Patch0026: 0026-9pfs-fix-memory-leak-in-v9fs_link.patch
|
||||
# CVE-2016-9106: 9pfs: memory leakage in v9fs_write (bz #1389713)
|
||||
Patch0027: 0027-9pfs-fix-memory-leak-in-v9fs_write.patch
|
||||
# CVE-2016-9381: xen: incautious about shared ring processing (bz #1397385)
|
||||
Patch0028: 0028-xen-fix-ioreq-handling.patch
|
||||
# CVE-2016-9921: Divide by zero vulnerability in cirrus_do_copy (bz
|
||||
# #1399054)
|
||||
Patch0029: 0029-display-cirrus-check-vga-bits-per-pixel-bpp-value.patch
|
||||
# CVE-2016-9776: infinite loop while receiving data in mcf_fec_receive (bz
|
||||
# #1400830)
|
||||
Patch0030: 0030-net-mcf-check-receive-buffer-size-register-value.patch
|
||||
# CVE-2016-9845: information leakage in virgl_cmd_get_capset_info (bz
|
||||
# #1402247)
|
||||
Patch0031: 0031-virtio-gpu-fix-information-leak-in-getting-capset-in.patch
|
||||
# CVE-2016-9846: virtio-gpu: memory leakage while updating cursor data (bz
|
||||
# #1402258)
|
||||
Patch0032: 0032-virtio-gpu-fix-memory-leak-in-update_cursor_data_vir.patch
|
||||
# CVE-2016-9907: usbredir: memory leakage when destroying redirector (bz
|
||||
# #1402266)
|
||||
Patch0033: 0033-usbredir-free-vm_change_state_handler-in-usbredir-de.patch
|
||||
# CVE-2016-9911: usb: ehci: memory leakage in ehci_init_transfer (bz
|
||||
# #1402273)
|
||||
Patch0034: 0034-usb-ehci-fix-memory-leak-in-ehci_init_transfer.patch
|
||||
# CVE-2016-9913: 9pfs: memory leakage via proxy/handle callbacks (bz
|
||||
# #1402277)
|
||||
Patch0035: 0035-9pfs-adjust-the-order-of-resource-cleanup-in-device-.patch
|
||||
Patch0036: 0036-9pfs-add-cleanup-operation-in-FileOperations.patch
|
||||
Patch0037: 0037-9pfs-add-cleanup-operation-for-handle-backend-driver.patch
|
||||
Patch0038: 0038-9pfs-add-cleanup-operation-for-proxy-backend-driver.patch
|
||||
Patch0039: 0039-9pfs-fix-crash-when-fsdev-is-missing.patch
|
||||
# CVE-2016-10028: virtio-gpu-3d: OOB access while reading virgl capabilities
|
||||
# (bz #1406368)
|
||||
Patch0040: 0040-display-virtio-gpu-3d-check-virgl-capabilities-max_s.patch
|
||||
# CVE-2016-9908: virtio-gpu: information leakage in virgl_cmd_get_capset (bz
|
||||
# #1402263)
|
||||
Patch0041: 0041-virtio-gpu-fix-information-leak-in-capset-get-dispat.patch
|
||||
# CVE-2016-9912: virtio-gpu: memory leakage when destroying gpu resource (bz
|
||||
# #1402285)
|
||||
Patch0042: 0042-virtio-gpu-call-cleanup-mapping-function-in-resource.patch
|
||||
# CVE-2016-7907: net: imx: infinite loop (bz #1381182)
|
||||
Patch0043: 0043-net-imx-limit-buffer-descriptor-count.patch
|
||||
# CVE-2017-5525: audio: memory leakage in ac97 (bz #1414110)
|
||||
Patch0044: 0044-audio-ac97-add-exit-function.patch
|
||||
# CVE-2017-5526: audio: memory leakage in es1370 (bz #1414210)
|
||||
Patch0045: 0045-audio-es1370-add-exit-function.patch
|
||||
# CVE-2016-10155 watchdog: memory leakage in i6300esb (bz #1415200)
|
||||
Patch0046: 0046-watchdog-6300esb-add-exit-function.patch
|
||||
# CVE-2017-5552: virtio-gpu-3d: memory leakage (bz #1415283)
|
||||
Patch0047: 0047-virtio-gpu-3d-fix-memory-leak-in-resource-attach-bac.patch
|
||||
# CVE-2017-5578: virtio-gpu: memory leakage (bz #1415797)
|
||||
Patch0048: 0048-virtio-gpu-fix-memory-leak-in-resource-attach-backin.patch
|
||||
# CVE-2017-5667: sd: sdhci OOB access during multi block transfer (bz
|
||||
# #1417560)
|
||||
Patch0049: 0049-sd-sdhci-check-data-length-during-dma_memory_read.patch
|
||||
# CVE-2017-5856: scsi: megasas: memory leakage (bz #1418344)
|
||||
Patch0050: 0050-megasas-fix-guest-triggered-memory-leak.patch
|
||||
# CVE-2017-5857: virtio-gpu-3d: host memory leakage in
|
||||
# virgl_cmd_resource_unref (bz #1418383)
|
||||
Patch0051: 0051-virtio-gpu-fix-resource-leak-in-virgl_cmd_resource_u.patch
|
||||
# CVE-2017-5898: usb: integer overflow in emulated_apdu_from_guest (bz
|
||||
# #1419700)
|
||||
Patch0052: 0052-usb-ccid-check-ccid-apdu-length.patch
|
||||
# CVE-2017-5987: sd: infinite loop issue in multi block transfers (bz
|
||||
# #1422001)
|
||||
Patch0053: 0053-sd-sdhci-check-transfer-mode-register-in-multi-block.patch
|
||||
# CVE-2017-6058: vmxnet3: OOB access when doing vlan stripping (bz #1423359)
|
||||
Patch0054: 0054-eth-Extend-vlan-stripping-functions.patch
|
||||
Patch0055: 0055-NetRxPkt-Fix-memory-corruption-on-VLAN-header-stripp.patch
|
||||
Patch0056: 0056-NetRxPkt-Do-not-try-to-pull-more-data-than-present.patch
|
||||
Patch0057: 0057-NetRxPkt-Account-buffer-with-ETH-header-in-IOV-lengt.patch
|
||||
# CVE-2017-6505: usb: an infinite loop issue in ohci_service_ed_list (bz
|
||||
# #1429434)
|
||||
Patch0058: 0058-usb-ohci-limit-the-number-of-link-eds.patch
|
||||
# CVE-2017-2615: cirrus: oob access while doing bitblt copy backward (bz
|
||||
# #1418206)
|
||||
Patch0059: 0059-display-cirrus-ignore-source-pitch-value-as-needed-i.patch
|
||||
Patch0060: 0060-cirrus-handle-negative-pitch-in-cirrus_invalidate_re.patch
|
||||
Patch0061: 0061-cirrus-allow-zero-source-pitch-in-pattern-fill-rops.patch
|
||||
Patch0062: 0062-cirrus-fix-blit-address-mask-handling.patch
|
||||
Patch0063: 0063-cirrus-fix-oob-access-issue-CVE-2017-2615.patch
|
||||
# CVE-2017-2620: cirrus: potential arbitrary code execution (bz #1425419)
|
||||
Patch0064: 0064-cirrus-fix-patterncopy-checks.patch
|
||||
Patch0065: 0065-Revert-cirrus-allow-zero-source-pitch-in-pattern-fil.patch
|
||||
Patch0066: 0066-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch
|
||||
# Fix spice GL with new mesa/libglvnd (bz #1431905)
|
||||
Patch0067: 0067-egl-helpers-Support-newer-MESA-versions.patch
|
||||
# chardev data is dropped when host side closed (bz #1352977)
|
||||
Patch0068: 0068-char-drop-data-written-to-a-disconnected-pty.patch
|
||||
# CVE-2016-8667: dma: divide by zero error in set_next_tick (bz #1384876)
|
||||
Patch0069: 0069-dma-rc4030-limit-interval-timer-reload-value.patch
|
||||
# IPv6 DNS problems in qemu user networking (bz #1401165)
|
||||
Patch0070: 0070-slirp-Make-RA-build-more-flexible.patch
|
||||
Patch0071: 0071-slirp-Send-RDNSS-in-RA-only-if-host-has-an-IPv6-DNS-.patch
|
||||
# Fix crash in qxl memslot_get_virt (bz #1405847)
|
||||
Patch0072: 0072-qxl-clear-guest_cursor-on-QXL_CURSOR_HIDE.patch
|
||||
# CVE-2017-5579: serial: fix memory leak in serial exit (bz #1416161)
|
||||
Patch0073: 0073-serial-fix-memory-leak-in-serial-exit.patch
|
||||
# CVE-2017-7718: cirrus: OOB read access issue (bz #1443443)
|
||||
Patch0074: 0074-fix-cirrus_vga-fix-OOB-read-case-qemu-Segmentation-f.patch
|
||||
# CVE-2016-9603: cirrus: heap buffer overflow via vnc connection (bz
|
||||
# #1432040)
|
||||
Patch0075: 0075-cirrus-vnc-zap-bitblit-support-from-console-code.patch
|
||||
# CVE-2017-7377: 9pfs: fix file descriptor leak (bz #1437872)
|
||||
Patch0076: 0076-9pfs-fix-file-descriptor-leak.patch
|
||||
# CVE-2017-7980: cirrus: OOB r/w access issues in bitblt (bz #1444372)
|
||||
Patch0077: 0077-cirrus-fix-cirrus_invalidate_region.patch
|
||||
Patch0078: 0078-cirrus-stop-passing-around-dst-pointers-in-the-blitt.patch
|
||||
Patch0079: 0079-cirrus-stop-passing-around-src-pointers-in-the-blitt.patch
|
||||
Patch0080: 0080-cirrus-fix-off-by-one-in-cirrus_bitblt_rop_bkwd_tran.patch
|
||||
# CVE-2017-8112: vmw_pvscsi: infinite loop in pvscsi_log2 (bz #1445622)
|
||||
Patch0081: 0081-vmw_pvscsi-check-message-ring-page-count-at-initiali.patch
|
||||
# CVE-2017-8309: audio: host memory lekage via capture buffer (bz #1446520)
|
||||
Patch0082: 0082-audio-release-capture-buffers.patch
|
||||
# CVE-2017-8379: input: host memory lekage via keyboard events (bz #1446560)
|
||||
Patch0083: 0083-input-limit-kbd-queue-depth.patch
|
||||
# CVE-2017-8380: scsi: megasas: out-of-bounds read in megasas_mmio_write (bz
|
||||
# #1446578)
|
||||
Patch0084: 0084-scsi-avoid-an-off-by-one-error-in-megasas_mmio_write.patch
|
||||
# CVE-2017-9060: virtio-gpu: host memory leakage in Virtio GPU device (bz
|
||||
# #1452598)
|
||||
Patch0085: 0085-virtio-gpu-fix-memory-leak-in-set-scanout.patch
|
||||
# CVE-2017-9310: net: infinite loop in e1000e NIC emulation (bz #1452623)
|
||||
Patch0086: 0086-net-e1000e-fix-an-infinite-loop-issue.patch
|
||||
# CVE-2017-9330: usb: ohci: infinite loop due to incorrect return value (bz
|
||||
# #1457699)
|
||||
Patch0087: 0087-usb-ohci-fix-error-return-code-in-servicing-iso-td.patch
|
||||
# CVE-2017-9374: usb: ehci host memory leakage during hotunplug (bz
|
||||
# #1459137)
|
||||
Patch0088: 0088-usb-ehci-fix-memory-leak-in-ehci.patch
|
||||
# CVE-2017-10806: usb-redirect: stack buffer overflow in debug logging (bz
|
||||
# #1468497)
|
||||
Patch0089: 0089-usb-redir-fix-stack-overflow-in-usbredir_log_data.patch
|
||||
|
||||
# documentation deps
|
||||
BuildRequires: texi2html
|
||||
BuildRequires: texinfo
|
||||
# For /usr/bin/pod2man
|
||||
BuildRequires: perl-podlators
|
||||
@ -291,6 +446,8 @@ As QEMU requires no host kernel patches to run, it is safe and easy to use.
|
||||
%package common
|
||||
Summary: QEMU common files needed by all QEMU targets
|
||||
Group: Development/Tools
|
||||
Requires: ipxe-roms-qemu
|
||||
Requires: seavgabios-bin
|
||||
Requires(post): /usr/bin/getent
|
||||
Requires(post): /usr/sbin/groupadd
|
||||
Requires(post): /usr/sbin/useradd
|
||||
@ -421,12 +578,10 @@ Group: Development/Tools
|
||||
Requires: %{name}-common = %{epoch}:%{version}-%{release}
|
||||
Provides: kvm = 85
|
||||
Obsoletes: kvm < 85
|
||||
Requires: seavgabios-bin
|
||||
# virtio-blk booting is broken for Windows guests
|
||||
# if you mix seabios 1.7.4 and qemu 2.1.x
|
||||
Requires: seabios-bin >= 1.7.5
|
||||
Requires: sgabios-bin
|
||||
Requires: ipxe-roms-qemu
|
||||
%if 0%{?have_edk2:1}
|
||||
Requires: edk2-ovmf
|
||||
%endif
|
||||
@ -1002,6 +1157,9 @@ for i in dummy \
|
||||
%ifnarch alpha
|
||||
qemu-alpha \
|
||||
%endif
|
||||
%ifnarch aarch64
|
||||
qemu-aarch64 \
|
||||
%endif
|
||||
%ifnarch %{arm}
|
||||
qemu-arm \
|
||||
%endif
|
||||
@ -1181,6 +1339,28 @@ getent passwd qemu >/dev/null || \
|
||||
%{_datadir}/%{name}/qemu_logo_no_text.svg
|
||||
%{_datadir}/%{name}/keymaps/
|
||||
%{_datadir}/%{name}/trace-events-all
|
||||
%{_datadir}/%{name}/vgabios.bin
|
||||
%{_datadir}/%{name}/vgabios-cirrus.bin
|
||||
%{_datadir}/%{name}/vgabios-qxl.bin
|
||||
%{_datadir}/%{name}/vgabios-stdvga.bin
|
||||
%{_datadir}/%{name}/vgabios-vmware.bin
|
||||
%{_datadir}/%{name}/vgabios-virtio.bin
|
||||
%{_datadir}/%{name}/pxe-e1000.rom
|
||||
%{_datadir}/%{name}/efi-e1000.rom
|
||||
%{_datadir}/%{name}/pxe-e1000e.rom
|
||||
%{_datadir}/%{name}/efi-e1000e.rom
|
||||
%{_datadir}/%{name}/pxe-eepro100.rom
|
||||
%{_datadir}/%{name}/efi-eepro100.rom
|
||||
%{_datadir}/%{name}/pxe-ne2k_pci.rom
|
||||
%{_datadir}/%{name}/efi-ne2k_pci.rom
|
||||
%{_datadir}/%{name}/pxe-pcnet.rom
|
||||
%{_datadir}/%{name}/efi-pcnet.rom
|
||||
%{_datadir}/%{name}/pxe-rtl8139.rom
|
||||
%{_datadir}/%{name}/efi-rtl8139.rom
|
||||
%{_datadir}/%{name}/pxe-virtio.rom
|
||||
%{_datadir}/%{name}/efi-virtio.rom
|
||||
%{_datadir}/%{name}/pxe-vmxnet3.rom
|
||||
%{_datadir}/%{name}/efi-vmxnet3.rom
|
||||
%{_mandir}/man1/qemu.1*
|
||||
%{_mandir}/man1/virtfs-proxy-helper.1*
|
||||
%{_bindir}/virtfs-proxy-helper
|
||||
@ -1430,28 +1610,6 @@ getent passwd qemu >/dev/null || \
|
||||
%{_datadir}/%{name}/linuxboot_dma.bin
|
||||
%{_datadir}/%{name}/multiboot.bin
|
||||
%{_datadir}/%{name}/kvmvapic.bin
|
||||
%{_datadir}/%{name}/vgabios.bin
|
||||
%{_datadir}/%{name}/vgabios-cirrus.bin
|
||||
%{_datadir}/%{name}/vgabios-qxl.bin
|
||||
%{_datadir}/%{name}/vgabios-stdvga.bin
|
||||
%{_datadir}/%{name}/vgabios-vmware.bin
|
||||
%{_datadir}/%{name}/vgabios-virtio.bin
|
||||
%{_datadir}/%{name}/pxe-e1000.rom
|
||||
%{_datadir}/%{name}/efi-e1000.rom
|
||||
%{_datadir}/%{name}/pxe-e1000e.rom
|
||||
%{_datadir}/%{name}/efi-e1000e.rom
|
||||
%{_datadir}/%{name}/pxe-eepro100.rom
|
||||
%{_datadir}/%{name}/efi-eepro100.rom
|
||||
%{_datadir}/%{name}/pxe-ne2k_pci.rom
|
||||
%{_datadir}/%{name}/efi-ne2k_pci.rom
|
||||
%{_datadir}/%{name}/pxe-pcnet.rom
|
||||
%{_datadir}/%{name}/efi-pcnet.rom
|
||||
%{_datadir}/%{name}/pxe-rtl8139.rom
|
||||
%{_datadir}/%{name}/efi-rtl8139.rom
|
||||
%{_datadir}/%{name}/pxe-virtio.rom
|
||||
%{_datadir}/%{name}/efi-virtio.rom
|
||||
%{_datadir}/%{name}/pxe-vmxnet3.rom
|
||||
%{_datadir}/%{name}/efi-vmxnet3.rom
|
||||
%ifarch %{ix86} x86_64
|
||||
%{?kvm_files:}
|
||||
%endif
|
||||
@ -1604,6 +1762,115 @@ getent passwd qemu >/dev/null || \
|
||||
|
||||
|
||||
%changelog
|
||||
* Wed Jul 12 2017 Cole Robinson <crobinso@redhat.com> - 2:2.7.1-7
|
||||
- CVE-2017-7718: cirrus: OOB read access issue (bz #1443443)
|
||||
- CVE-2016-9603: cirrus: heap buffer overflow via vnc connection (bz
|
||||
#1432040)
|
||||
- CVE-2017-7377: 9pfs: fix file descriptor leak (bz #1437872)
|
||||
- CVE-2017-7980: cirrus: OOB r/w access issues in bitblt (bz #1444372)
|
||||
- CVE-2017-8112: vmw_pvscsi: infinite loop in pvscsi_log2 (bz #1445622)
|
||||
- CVE-2017-8309: audio: host memory lekage via capture buffer (bz #1446520)
|
||||
- CVE-2017-8379: input: host memory lekage via keyboard events (bz #1446560)
|
||||
- CVE-2017-8380: scsi: megasas: out-of-bounds read in megasas_mmio_write (bz
|
||||
#1446578)
|
||||
- CVE-2017-9060: virtio-gpu: host memory leakage in Virtio GPU device (bz
|
||||
#1452598)
|
||||
- CVE-2017-9310: net: infinite loop in e1000e NIC emulation (bz #1452623)
|
||||
- CVE-2017-9330: usb: ohci: infinite loop due to incorrect return value (bz
|
||||
#1457699)
|
||||
- CVE-2017-9374: usb: ehci host memory leakage during hotunplug (bz
|
||||
#1459137)
|
||||
- CVE-2017-10806: usb-redirect: stack buffer overflow in debug logging (bz
|
||||
#1468497)
|
||||
|
||||
* Thu Apr 13 2017 Cole Robinson <crobinso@redhat.com> - 2:2.7.1-6
|
||||
- chardev data is dropped when host side closed (bz #1352977)
|
||||
- CVE-2016-8667: dma: divide by zero error in set_next_tick (bz #1384876)
|
||||
- IPv6 DNS problems in qemu user networking (bz #1401165)
|
||||
- Fix crash in qxl memslot_get_virt (bz #1405847)
|
||||
- CVE-2017-5579: serial: fix memory leak in serial exit (bz #1416161)
|
||||
- spec: Pull in ipxe/vgabios links via -common package (bz #1431403)
|
||||
- Clean up binfmt.d configuration files (bz #1394859)
|
||||
|
||||
* Tue Apr 4 2017 Paolo Bonzini <pbonzini@redhat.com> - 2:2.7.1-5
|
||||
* Workaround hangs with recent glib (bz #1435432, gnome.org bz #761102)
|
||||
|
||||
* Wed Mar 15 2017 Cole Robinson <crobinso@redhat.com> - 2:2.7.1-4
|
||||
- CVE-2016-7907: net: imx: infinite loop (bz #1381182)
|
||||
- CVE-2017-5525: audio: memory leakage in ac97 (bz #1414110)
|
||||
- CVE-2017-5526: audio: memory leakage in es1370 (bz #1414210)
|
||||
- CVE-2016-10155 watchdog: memory leakage in i6300esb (bz #1415200)
|
||||
- CVE-2017-5552: virtio-gpu-3d: memory leakage (bz #1415283)
|
||||
- CVE-2017-5578: virtio-gpu: memory leakage (bz #1415797)
|
||||
- CVE-2017-5667: sd: sdhci OOB access during multi block transfer (bz
|
||||
#1417560)
|
||||
- CVE-2017-5856: scsi: megasas: memory leakage (bz #1418344)
|
||||
- CVE-2017-5857: virtio-gpu-3d: host memory leakage in
|
||||
virgl_cmd_resource_unref (bz #1418383)
|
||||
- CVE-2017-5898: usb: integer overflow in emulated_apdu_from_guest (bz
|
||||
#1419700)
|
||||
- CVE-2017-5987: sd: infinite loop issue in multi block transfers (bz
|
||||
#1422001)
|
||||
- CVE-2017-6058: vmxnet3: OOB access when doing vlan stripping (bz #1423359)
|
||||
- CVE-2017-6505: usb: an infinite loop issue in ohci_service_ed_list (bz
|
||||
#1429434)
|
||||
- CVE-2017-2615: cirrus: oob access while doing bitblt copy backward (bz
|
||||
#1418206)
|
||||
- CVE-2017-2620: cirrus: potential arbitrary code execution (bz #1425419)
|
||||
- Fix spice GL with new mesa/libglvnd (bz #1431905)
|
||||
|
||||
* Tue Feb 21 2017 Daniel Berrange <berrange@redhat.com> - 2:2.7.1-3
|
||||
- Drop texi2html BR, since QEMU switched to using makeinfo back in 2010
|
||||
|
||||
* Mon Jan 16 2017 Cole Robinson <crobinso@redhat.com> - 2:2.7.1-2
|
||||
- CVE-2016-6836: vmxnet: Information leakage in vmxnet3_complete_packet (bz
|
||||
#1366370)
|
||||
- CVE-2016-7909: pcnet: Infinite loop in pcnet_rdra_addr (bz #1381196)
|
||||
- CVE-2016-7994: virtio-gpu: memory leak in resource_create_2d (bz #1382667)
|
||||
- CVE-2016-8577: 9pfs: host memory leakage in v9fs_read (bz #1383286)
|
||||
- CVE-2016-8578: 9pfs: potential NULL dereferencein 9pfs routines (bz
|
||||
#1383292)
|
||||
- CVE-2016-8668: OOB buffer access in rocker switch emulation (bz #1384898)
|
||||
- CVE-2016-8669: divide by zero error in serial_update_parameters (bz
|
||||
#1384911)
|
||||
- CVE-2016-8909: intel-hda: infinite loop in dma buffer stream (bz #1388053)
|
||||
- Infinite loop vulnerability in a9_gtimer_update (bz #1388300)
|
||||
- CVE-2016-9101: eepro100: memory leakage at device unplug (bz #1389539)
|
||||
- CVE-2016-9103: 9pfs: information leakage via xattr (bz #1389643)
|
||||
- CVE-2016-9102: 9pfs: memory leakage when creating extended attribute (bz
|
||||
#1389551)
|
||||
- CVE-2016-9104: 9pfs: integer overflow leading to OOB access (bz #1389687)
|
||||
- CVE-2016-9105: 9pfs: memory leakage in v9fs_link (bz #1389704)
|
||||
- CVE-2016-9106: 9pfs: memory leakage in v9fs_write (bz #1389713)
|
||||
- CVE-2016-9381: xen: incautious about shared ring processing (bz #1397385)
|
||||
- CVE-2016-9921: Divide by zero vulnerability in cirrus_do_copy (bz
|
||||
#1399054)
|
||||
- CVE-2016-9776: infinite loop while receiving data in mcf_fec_receive (bz
|
||||
#1400830)
|
||||
- CVE-2016-9845: information leakage in virgl_cmd_get_capset_info (bz
|
||||
#1402247)
|
||||
- CVE-2016-9846: virtio-gpu: memory leakage while updating cursor data (bz
|
||||
#1402258)
|
||||
- CVE-2016-9907: usbredir: memory leakage when destroying redirector (bz
|
||||
#1402266)
|
||||
- CVE-2016-9911: usb: ehci: memory leakage in ehci_init_transfer (bz
|
||||
#1402273)
|
||||
- CVE-2016-9913: 9pfs: memory leakage via proxy/handle callbacks (bz
|
||||
#1402277)
|
||||
- CVE-2016-10028: virtio-gpu-3d: OOB access while reading virgl capabilities
|
||||
(bz #1406368)
|
||||
- CVE-2016-9908: virtio-gpu: information leakage in virgl_cmd_get_capset (bz
|
||||
#1402263)
|
||||
- CVE-2016-9912: virtio-gpu: memory leakage when destroying gpu resource (bz
|
||||
#1402285)
|
||||
|
||||
* Mon Jan 09 2017 Cole Robinson <crobinso@redhat.com> - 2:2.7.1-1
|
||||
- Update to qemu 2.7.1
|
||||
|
||||
* Mon Dec 12 2016 Cole Robinson <crobinso@redhat.com> - 2:2.7.0-8
|
||||
- Fix sending of data with -net socket (bz #1391497)
|
||||
- Fix keyboard issues with -ui gtk + host wayland (bz #1401211)
|
||||
|
||||
* Tue Oct 25 2016 Cole Robinson <crobinso@redhat.com> - 2:2.7.0-7
|
||||
- Fix PPC64 build with memlock file (bz #1387601)
|
||||
|
||||
|