From ad339ad3392d442830ea44a1a7dfbf92b13b8a1f Mon Sep 17 00:00:00 2001
From: Cole Robinson
Date: Jul 04 2014 19:08:59 +0000
Subject: Update to qemu 2.1-rc0
---
diff --git a/.gitignore b/.gitignore
index 6e4afb7..49cf2a1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -29,3 +29,4 @@ qemu-kvm-0.13.0-25fdf4a.tar.gz
 /qemu-2.0.0-rc0.tar.bz2
 /qemu-2.0.0-rc3.tar.bz2
 /qemu-2.0.0.tar.bz2
+/qemu-2.1.0-rc0.tar.bz2
diff --git a/0001-Change-gtk-quit-accelerator-to-ctrl-shift-q-bz-10623.patch b/0001-Change-gtk-quit-accelerator-to-ctrl-shift-q-bz-10623.patch
deleted file mode 100644
index 3fc7beb..0000000
--- a/0001-Change-gtk-quit-accelerator-to-ctrl-shift-q-bz-10623.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 9d8e4e500dca987531be3666422f17c9486940b2 Mon Sep 17 00:00:00 2001
-From: Cole Robinson
-Date: Wed, 19 Mar 2014 14:57:27 -0400
-Subject: [PATCH] Change gtk quit accelerator to ctrl+shift+q (bz 1062393)
-
-Similar patches queued for 2.1
----
- ui/gtk.c | 7 +++----
- 1 file changed, 3 insertions(+), 4 deletions(-)
-
-diff --git a/ui/gtk.c b/ui/gtk.c
-index 00fbbcc..264326a 100644
---- a/ui/gtk.c
-+++ b/ui/gtk.c
-@@ -1351,7 +1351,6 @@ static GtkWidget *gd_create_menu_machine(GtkDisplayState *s, GtkAccelGroup *acce
- {
- GtkWidget *machine_menu;
- GtkWidget *separator;
-- GtkStockItem item;
- 
- machine_menu = gtk_menu_new();
- gtk_menu_set_accel_group(GTK_MENU(machine_menu), accel_group);
-@@ -1371,11 +1370,11 @@ static GtkWidget *gd_create_menu_machine(GtkDisplayState *s, GtkAccelGroup *acce
- separator = gtk_separator_menu_item_new();
- gtk_menu_shell_append(GTK_MENU_SHELL(machine_menu), separator);
- 
-- s->quit_item = gtk_image_menu_item_new_from_stock(GTK_STOCK_QUIT, NULL);
-- gtk_stock_lookup(GTK_STOCK_QUIT, &item);
-+ s->quit_item = gtk_menu_item_new_with_mnemonic(_("_Quit"));
- gtk_menu_item_set_accel_path(GTK_MENU_ITEM(s->quit_item),
- "/Machine/Quit");
-- gtk_accel_map_add_entry("/Machine/Quit", item.keyval, item.modifier);
-+ gtk_accel_map_add_entry("/Machine/Quit",
-+ GDK_KEY_q, HOTKEY_MODIFIERS);
- gtk_menu_shell_append(GTK_MENU_SHELL(machine_menu), s->quit_item);
- 
- return machine_menu;
diff --git a/0002-vmstate-add-VMS_MUST_EXIST.patch b/0002-vmstate-add-VMS_MUST_EXIST.patch
deleted file mode 100644
index 073abd8..0000000
--- a/0002-vmstate-add-VMS_MUST_EXIST.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From 105071cc70a454680e6bf11e2d9d7b73c7ce7491 Mon Sep 17 00:00:00 2001
-From: "Michael S. Tsirkin"
-Date: Thu, 3 Apr 2014 19:50:31 +0300
-Subject: [PATCH] vmstate: add VMS_MUST_EXIST
-
-Can be used to verify a required field exists or validate
-state in some other way.
-
-Signed-off-by: Michael S. Tsirkin
-Reviewed-by: Dr. David Alan Gilbert
-Signed-off-by: Juan Quintela
-(cherry picked from commit 5bf81c8d63db0216a4d29dc87f9ce530bb791dd1)
----
- include/migration/vmstate.h | 1 +
- vmstate.c | 10 ++++++++++
- 2 files changed, 11 insertions(+)
-
-diff --git a/include/migration/vmstate.h b/include/migration/vmstate.h
-index e7e1705..de970ab 100644
---- a/include/migration/vmstate.h
-+++ b/include/migration/vmstate.h
-@@ -100,6 +100,7 @@ enum VMStateFlags {
- VMS_MULTIPLY = 0x200, /* multiply "size" field by field_size */
- VMS_VARRAY_UINT8 = 0x400, /* Array with size in uint8_t field*/
- VMS_VARRAY_UINT32 = 0x800, /* Array with size in uint32_t field*/
-+ VMS_MUST_EXIST = 0x1000, /* Field must exist in input */
- };
- 
- typedef struct {
-diff --git a/vmstate.c b/vmstate.c
-index b689f2f..d856319 100644
---- a/vmstate.c
-+++ b/vmstate.c
-@@ -78,6 +78,10 @@ int vmstate_load_state(QEMUFile *f, const VMStateDescription *vmsd,
- return ret;
- }
- }
-+ } else if (field->flags & VMS_MUST_EXIST) {
-+ fprintf(stderr, "Input validation failed: %s/%s\n",
-+ vmsd->name, field->name);
-+ return -1;
- }
- field++;
- }
-@@ -138,6 +142,12 @@ void vmstate_save_state(QEMUFile *f, const VMStateDescription *vmsd,
- field->info->put(f, addr, size);
- }
- }
-+ } else {
-+ if (field->flags & VMS_MUST_EXIST) {
-+ fprintf(stderr, "Output state validation failed: %s/%s\n",
-+ vmsd->name, field->name);
-+ assert(!(field->flags & VMS_MUST_EXIST));
-+ }
- }
- field++;
- }
diff --git a/0003-vmstate-add-VMSTATE_VALIDATE.patch b/0003-vmstate-add-VMSTATE_VALIDATE.patch
deleted file mode 100644
index 775a9ab..0000000
--- a/0003-vmstate-add-VMSTATE_VALIDATE.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From d9e0cb134eefe5104b404b91eaf969a2cd74bd9f Mon Sep 17 00:00:00 2001
-From: "Michael S. Tsirkin"
-Date: Thu, 3 Apr 2014 19:50:35 +0300
-Subject: [PATCH] vmstate: add VMSTATE_VALIDATE
-
-Validate state using VMS_ARRAY with num = 0 and VMS_MUST_EXIST
-
-Signed-off-by: Michael S. Tsirkin
-Signed-off-by: Juan Quintela
-(cherry picked from commit 4082f0889ba04678fc14816c53e1b9251ea9207e)
----
- include/migration/vmstate.h | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/include/migration/vmstate.h b/include/migration/vmstate.h
-index de970ab..5b71370 100644
---- a/include/migration/vmstate.h
-+++ b/include/migration/vmstate.h
-@@ -204,6 +204,14 @@ extern const VMStateInfo vmstate_info_bitmap;
- .offset = vmstate_offset_value(_state, _field, _type), \
- }
- 
-+/* Validate state using a boolean predicate. */
-+#define VMSTATE_VALIDATE(_name, _test) { \
-+ .name = (_name), \
-+ .field_exists = (_test), \
-+ .flags = VMS_ARRAY | VMS_MUST_EXIST, \
-+ .num = 0, /* 0 elements: no data, only run _test */ \
-+}
-+
- #define VMSTATE_POINTER(_field, _state, _version, _info, _type) { \
- .name = (stringify(_field)), \
- .version_id = (_version), \
diff --git a/0004-virtio-net-fix-buffer-overflow-on-invalid-state-load.patch b/0004-virtio-net-fix-buffer-overflow-on-invalid-state-load.patch
deleted file mode 100644
index 1b315c5..0000000
--- a/0004-virtio-net-fix-buffer-overflow-on-invalid-state-load.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From ea96c6a9c91da1923aa922a781fd7abbf9f51b6c Mon Sep 17 00:00:00 2001
-From: "Michael S. Tsirkin"
-Date: Thu, 3 Apr 2014 19:50:39 +0300
-Subject: [PATCH] virtio-net: fix buffer overflow on invalid state load
-
-CVE-2013-4148 QEMU 1.0 integer conversion in
-virtio_net_load()@hw/net/virtio-net.c
-
-Deals with loading a corrupted savevm image.
-
-> n->mac_table.in_use = qemu_get_be32(f);
-
-in_use is int so it can get negative when assigned 32bit unsigned value.
-
-> /* MAC_TABLE_ENTRIES may be different from the saved image */
-> if (n->mac_table.in_use <= MAC_TABLE_ENTRIES) {
-
-passing this check ^^^
-
-> qemu_get_buffer(f, n->mac_table.macs,
-> n->mac_table.in_use * ETH_ALEN);
-
-with good in_use value, "n->mac_table.in_use * ETH_ALEN" can get
-positive and bigger than mac_table.macs. For example 0x81000000
-satisfies this condition when ETH_ALEN is 6.
-
-Fix it by making the value unsigned.
-For consistency, change first_multi as well.
-
-Note: all call sites were audited to confirm that
-making them unsigned didn't cause any issues:
-it turns out we actually never do math on them,
-so it's easy to validate because both values are
-always <= MAC_TABLE_ENTRIES.
-
-Reviewed-by: Michael Roth
-Signed-off-by: Michael S. Tsirkin
-Reviewed-by: Laszlo Ersek
-Signed-off-by: Juan Quintela
-(cherry picked from commit 71f7fe48e10a8437c9d42d859389f37157f59980)
----
- include/hw/virtio/virtio-net.h | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/include/hw/virtio/virtio-net.h b/include/hw/virtio/virtio-net.h
-index df60f16..4b32440 100644
---- a/include/hw/virtio/virtio-net.h
-+++ b/include/hw/virtio/virtio-net.h
-@@ -176,8 +176,8 @@ typedef struct VirtIONet {
- uint8_t nobcast;
- uint8_t vhost_started;
- struct {
-- int in_use;
-- int first_multi;
-+ uint32_t in_use;
-+ uint32_t first_multi;
- uint8_t multi_overflow;
- uint8_t uni_overflow;
- uint8_t *macs;
diff --git a/0005-virtio-net-out-of-bounds-buffer-write-on-invalid-sta.patch b/0005-virtio-net-out-of-bounds-buffer-write-on-invalid-sta.patch
deleted file mode 100644
index 3648d73..0000000
--- a/0005-virtio-net-out-of-bounds-buffer-write-on-invalid-sta.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From 9229c44bfa3549085ac68265d9be95a8552c4fa4 Mon Sep 17 00:00:00 2001
-From: "Michael S. Tsirkin"
-Date: Thu, 3 Apr 2014 19:50:56 +0300
-Subject: [PATCH] virtio-net: out-of-bounds buffer write on invalid state load
-
-CVE-2013-4150 QEMU 1.5.0 out-of-bounds buffer write in
-virtio_net_load()@hw/net/virtio-net.c
-
-This code is in hw/net/virtio-net.c:
-
- if (n->max_queues > 1) {
- if (n->max_queues != qemu_get_be16(f)) {
- error_report("virtio-net: different max_queues ");
- return -1;
- }
-
- n->curr_queues = qemu_get_be16(f);
- for (i = 1; i < n->curr_queues; i++) {
- n->vqs[i].tx_waiting = qemu_get_be32(f);
- }
- }
-
-Number of vqs is max_queues, so if we get invalid input here,
-for example if max_queues = 2, curr_queues = 3, we get
-write beyond end of the buffer, with data that comes from
-wire.
-
-This might be used to corrupt qemu memory in hard to predict ways.
-Since we have lots of function pointers around, RCE might be possible.
-
-Signed-off-by: Michael S. Tsirkin
-Acked-by: Jason Wang
-Reviewed-by: Michael Roth
-Signed-off-by: Juan Quintela
-(cherry picked from commit eea750a5623ddac7a61982eec8f1c93481857578)
----
- hw/net/virtio-net.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
-index 33bd233..0a8cb40 100644
---- a/hw/net/virtio-net.c
-+++ b/hw/net/virtio-net.c
-@@ -1407,6 +1407,11 @@ static int virtio_net_load(QEMUFile *f, void *opaque, int version_id)
- }
- 
- n->curr_queues = qemu_get_be16(f);
-+ if (n->curr_queues > n->max_queues) {
-+ error_report("virtio-net: curr_queues %x > max_queues %x",
-+ n->curr_queues, n->max_queues);
-+ return -1;
-+ }
- for (i = 1; i < n->curr_queues; i++) {
- n->vqs[i].tx_waiting = qemu_get_be32(f);
- }
diff --git a/0006-virtio-out-of-bounds-buffer-write-on-invalid-state-l.patch b/0006-virtio-out-of-bounds-buffer-write-on-invalid-state-l.patch
deleted file mode 100644
index c47af93..0000000
--- a/0006-virtio-out-of-bounds-buffer-write-on-invalid-state-l.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From 23f0db5c309893195025bc75402f3f9e1b4de743 Mon Sep 17 00:00:00 2001
-From: "Michael S. Tsirkin"
-Date: Thu, 3 Apr 2014 19:51:14 +0300
-Subject: [PATCH] virtio: out-of-bounds buffer write on invalid state load
-
-CVE-2013-4151 QEMU 1.0 out-of-bounds buffer write in
-virtio_load@hw/virtio/virtio.c
-
-So we have this code since way back when:
-
- num = qemu_get_be32(f);
-
- for (i = 0; i < num; i++) {
- vdev->vq[i].vring.num = qemu_get_be32(f);
-
-array of vqs has size VIRTIO_PCI_QUEUE_MAX, so
-on invalid input this will write beyond end of buffer.
-
-Signed-off-by: Michael S. Tsirkin
-Reviewed-by: Michael Roth
-Signed-off-by: Juan Quintela
-(cherry picked from commit cc45995294b92d95319b4782750a3580cabdbc0c)
----
- hw/virtio/virtio.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
-index aeabf3a..05f05e7 100644
---- a/hw/virtio/virtio.c
-+++ b/hw/virtio/virtio.c
-@@ -891,7 +891,8 @@ int virtio_set_features(VirtIODevice *vdev, uint32_t val)
- 
- int virtio_load(VirtIODevice *vdev, QEMUFile *f)
- {
-- int num, i, ret;
-+ int i, ret;
-+ uint32_t num;
- uint32_t features;
- uint32_t supported_features;
- BusState *qbus = qdev_get_parent_bus(DEVICE(vdev));
-@@ -919,6 +920,11 @@ int virtio_load(VirtIODevice *vdev, QEMUFile *f)
- 
- num = qemu_get_be32(f);
- 
-+ if (num > VIRTIO_PCI_QUEUE_MAX) {
-+ error_report("Invalid number of PCI queues: 0x%x", num);
-+ return -1;
-+ }
-+
- for (i = 0; i < num; i++) {
- vdev->vq[i].vring.num = qemu_get_be32(f);
- if (k->has_variable_vring_alignment) {
diff --git a/0007-ahci-fix-buffer-overrun-on-invalid-state-load.patch b/0007-ahci-fix-buffer-overrun-on-invalid-state-load.patch
deleted file mode 100644
index 07a379c..0000000
--- a/0007-ahci-fix-buffer-overrun-on-invalid-state-load.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 95fa012ed61e1e8b88d701b8f75b38dc5edb16e2 Mon Sep 17 00:00:00 2001
-From: "Michael S. Tsirkin"
-Date: Thu, 3 Apr 2014 19:51:18 +0300
-Subject: [PATCH] ahci: fix buffer overrun on invalid state load
-
-CVE-2013-4526
-
-Within hw/ide/ahci.c, VARRAY refers to ports which is also loaded. So
-we use the old version of ports to read the array but then allow any
-value for ports. This can cause the code to overflow.
-
-There's no reason to migrate ports - it never changes.
-So just make sure it matches.
-
-Reported-by: Anthony Liguori
-Signed-off-by: Michael S. Tsirkin
-Reviewed-by: Peter Maydell
-Signed-off-by: Juan Quintela
-(cherry picked from commit ae2158ad6ce0845b2fae2a22aa7f19c0d7a71ce5)
----
- hw/ide/ahci.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
-index bfe633f..457a7a1 100644
---- a/hw/ide/ahci.c
-+++ b/hw/ide/ahci.c
-@@ -1293,7 +1293,7 @@ const VMStateDescription vmstate_ahci = {
- VMSTATE_UINT32(control_regs.impl, AHCIState),
- VMSTATE_UINT32(control_regs.version, AHCIState),
- VMSTATE_UINT32(idp_index, AHCIState),
-- VMSTATE_INT32(ports, AHCIState),
-+ VMSTATE_INT32_EQUAL(ports, AHCIState),
- VMSTATE_END_OF_LIST()
- },
- };
diff --git a/0008-hpet-fix-buffer-overrun-on-invalid-state-load.patch b/0008-hpet-fix-buffer-overrun-on-invalid-state-load.patch
deleted file mode 100644
index fa1c624..0000000
--- a/0008-hpet-fix-buffer-overrun-on-invalid-state-load.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From 5e0e0a12887c9e70356c23d20b08b08eabd4a6df Mon Sep 17 00:00:00 2001
-From: "Michael S. Tsirkin"
-Date: Thu, 3 Apr 2014 19:51:23 +0300
-Subject: [PATCH] hpet: fix buffer overrun on invalid state load
-
-CVE-2013-4527 hw/timer/hpet.c buffer overrun
-
-hpet is a VARRAY with a uint8 size but static array of 32
-
-To fix, make sure num_timers is valid using VMSTATE_VALID hook.
-
-Reported-by: Anthony Liguori
-Signed-off-by: Michael S. Tsirkin
-Reviewed-by: Dr. David Alan Gilbert
-Signed-off-by: Juan Quintela
-(cherry picked from commit 3f1c49e2136fa08ab1ef3183fd55def308829584)
----
- hw/timer/hpet.c | 13 +++++++++++++
- 1 file changed, 13 insertions(+)
-
-diff --git a/hw/timer/hpet.c b/hw/timer/hpet.c
-index e15d6bc..2792f89 100644
---- a/hw/timer/hpet.c
-+++ b/hw/timer/hpet.c
-@@ -239,6 +239,18 @@ static int hpet_pre_load(void *opaque)
- return 0;
- }
- 
-+static bool hpet_validate_num_timers(void *opaque, int version_id)
-+{
-+ HPETState *s = opaque;
-+
-+ if (s->num_timers < HPET_MIN_TIMERS) {
-+ return false;
-+ } else if (s->num_timers > HPET_MAX_TIMERS) {
-+ return false;
-+ }
-+ return true;
-+}
-+
- static int hpet_post_load(void *opaque, int version_id)
- {
- HPETState *s = opaque;
-@@ -307,6 +319,7 @@ static const VMStateDescription vmstate_hpet = {
- VMSTATE_UINT64(isr, HPETState),
- VMSTATE_UINT64(hpet_counter, HPETState),
- VMSTATE_UINT8_V(num_timers, HPETState, 2),
-+ VMSTATE_VALIDATE("num_timers in range", hpet_validate_num_timers),
- VMSTATE_STRUCT_VARRAY_UINT8(timer, HPETState, num_timers, 0,
- vmstate_hpet_timer, HPETTimer),
- VMSTATE_END_OF_LIST()
diff --git a/0009-hw-pci-pcie_aer.c-fix-buffer-overruns-on-invalid-sta.patch b/0009-hw-pci-pcie_aer.c-fix-buffer-overruns-on-invalid-sta.patch
deleted file mode 100644
index 5b22295..0000000
--- a/0009-hw-pci-pcie_aer.c-fix-buffer-overruns-on-invalid-sta.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From b6f53085cc618bc7e58be702afacad1b5dcae5ba Mon Sep 17 00:00:00 2001
-From: "Michael S. Tsirkin"
-Date: Thu, 3 Apr 2014 19:51:31 +0300
-Subject: [PATCH] hw/pci/pcie_aer.c: fix buffer overruns on invalid state load
-
-4) CVE-2013-4529
-hw/pci/pcie_aer.c pcie aer log can overrun the buffer if log_num is
- too large
-
-There are two issues in this file:
-1. log_max from remote can be larger than on local
-then buffer will overrun with data coming from state file.
-2. log_num can be larger then we get data corruption
-again with an overflow but not adversary controlled.
-
-Fix both issues.
-
-Reported-by: Anthony Liguori
-Reported-by: Michael S. Tsirkin
-Signed-off-by: Michael S. Tsirkin
-Reviewed-by: Dr. David Alan Gilbert
-Signed-off-by: Juan Quintela
-(cherry picked from commit 5f691ff91d323b6f97c6600405a7f9dc115a0ad1)
----
- hw/pci/pcie_aer.c | 10 +++++++++-
- 1 file changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/hw/pci/pcie_aer.c b/hw/pci/pcie_aer.c
-index 991502e..535be2c 100644
---- a/hw/pci/pcie_aer.c
-+++ b/hw/pci/pcie_aer.c
-@@ -795,6 +795,13 @@ static const VMStateDescription vmstate_pcie_aer_err = {
- }
- };
- 
-+static bool pcie_aer_state_log_num_valid(void *opaque, int version_id)
-+{
-+ PCIEAERLog *s = opaque;
-+
-+ return s->log_num <= s->log_max;
-+}
-+
- const VMStateDescription vmstate_pcie_aer_log = {
- .name = "PCIE_AER_ERROR_LOG",
- .version_id = 1,
-@@ -802,7 +809,8 @@ const VMStateDescription vmstate_pcie_aer_log = {
- .minimum_version_id_old = 1,
- .fields = (VMStateField[]) {
- VMSTATE_UINT16(log_num, PCIEAERLog),
-- VMSTATE_UINT16(log_max, PCIEAERLog),
-+ VMSTATE_UINT16_EQUAL(log_max, PCIEAERLog),
-+ VMSTATE_VALIDATE("log_num <= log_max", pcie_aer_state_log_num_valid),
- VMSTATE_STRUCT_VARRAY_POINTER_UINT16(log, PCIEAERLog, log_num,
- vmstate_pcie_aer_err, PCIEAERErr),
- VMSTATE_END_OF_LIST()
diff --git a/0010-pl022-fix-buffer-overun-on-invalid-state-load.patch b/0010-pl022-fix-buffer-overun-on-invalid-state-load.patch
deleted file mode 100644
index f48fa74..0000000
--- a/0010-pl022-fix-buffer-overun-on-invalid-state-load.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 872fc04ecd90e0ca4d8ac4565b3a9f246c070873 Mon Sep 17 00:00:00 2001
-From: "Michael S. Tsirkin"
-Date: Thu, 3 Apr 2014 19:51:35 +0300
-Subject: [PATCH] pl022: fix buffer overun on invalid state load
-
-CVE-2013-4530
-
-pl022.c did not bounds check tx_fifo_head and
-rx_fifo_head after loading them from file and
-before they are used to dereference array.
-
-Reported-by: Michael S. Tsirkin
-Signed-off-by: Michael S. Tsirkin
-Signed-off-by: Juan Quintela
-(cherry picked from commit d8d0a0bc7e194300e53a346d25fe5724fd588387)
----
- hw/ssi/pl022.c | 14 ++++++++++++++
- 1 file changed, 14 insertions(+)
-
-diff --git a/hw/ssi/pl022.c b/hw/ssi/pl022.c
-index fd479ef..b19bc71 100644
---- a/hw/ssi/pl022.c
-+++ b/hw/ssi/pl022.c
-@@ -240,11 +240,25 @@ static const MemoryRegionOps pl022_ops = {
- .endianness = DEVICE_NATIVE_ENDIAN,
- };
- 
-+static int pl022_post_load(void *opaque, int version_id)
-+{
-+ PL022State *s = opaque;
-+
-+ if (s->tx_fifo_head < 0 ||
-+ s->tx_fifo_head >= ARRAY_SIZE(s->tx_fifo) ||
-+ s->rx_fifo_head < 0 ||
-+ s->rx_fifo_head >= ARRAY_SIZE(s->rx_fifo)) {
-+ return -1;
-+ }
-+ return 0;
-+}
-+
- static const VMStateDescription vmstate_pl022 = {
- .name = "pl022_ssp",
- .version_id = 1,
- .minimum_version_id = 1,
- .minimum_version_id_old = 1,
-+ .post_load = pl022_post_load,
- .fields = (VMStateField[]) {
- VMSTATE_UINT32(cr0, PL022State),
- VMSTATE_UINT32(cr1, PL022State),
diff --git a/0011-vmstate-fix-buffer-overflow-in-target-arm-machine.c.patch b/0011-vmstate-fix-buffer-overflow-in-target-arm-machine.c.patch
deleted file mode 100644
index 46a77b0..0000000
--- a/0011-vmstate-fix-buffer-overflow-in-target-arm-machine.c.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From acf45756e165664f6d70025c02ddca563adee496 Mon Sep 17 00:00:00 2001
-From: "Michael S. Tsirkin"
-Date: Thu, 3 Apr 2014 19:51:42 +0300
-Subject: [PATCH] vmstate: fix buffer overflow in target-arm/machine.c
-
-CVE-2013-4531
-
-cpreg_vmstate_indexes is a VARRAY_INT32. A negative value for
-cpreg_vmstate_array_len will cause a buffer overflow.
-
-VMSTATE_INT32_LE was supposed to protect against this
-but doesn't because it doesn't validate that input is
-non-negative.
-
-Fix this macro to valide the value appropriately.
-
-The only other user of VMSTATE_INT32_LE doesn't
-ever use negative numbers so it doesn't care.
-
-Reported-by: Anthony Liguori
-Signed-off-by: Michael S. Tsirkin
-Signed-off-by: Juan Quintela
-(cherry picked from commit d2ef4b61fe6d33d2a5dcf100a9b9440de341ad62)
----
- vmstate.c | 7 ++++---
- 1 file changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/vmstate.c b/vmstate.c
-index d856319..105f184 100644
---- a/vmstate.c
-+++ b/vmstate.c
-@@ -333,8 +333,9 @@ const VMStateInfo vmstate_info_int32_equal = {
- .put = put_int32,
- };
- 
--/* 32 bit int. Check that the received value is less than or equal to
-- the one in the field */
-+/* 32 bit int. Check that the received value is non-negative
-+ * and less than or equal to the one in the field.
-+ */
- 
- static int get_int32_le(QEMUFile *f, void *pv, size_t size)
- {
-@@ -342,7 +343,7 @@ static int get_int32_le(QEMUFile *f, void *pv, size_t size)
- int32_t loaded;
- qemu_get_sbe32s(f, &loaded);
- 
-- if (loaded <= *cur) {
-+ if (loaded >= 0 && loaded <= *cur) {
- *cur = loaded;
- return 0;
- }
diff --git a/0012-virtio-avoid-buffer-overrun-on-incoming-migration.patch b/0012-virtio-avoid-buffer-overrun-on-incoming-migration.patch
deleted file mode 100644
index 69bdf95..0000000
--- a/0012-virtio-avoid-buffer-overrun-on-incoming-migration.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 9b5cc034e1ed5b2ebc133029d4f865f186c6b895 Mon Sep 17 00:00:00 2001
-From: Michael Roth
-Date: Thu, 3 Apr 2014 19:51:46 +0300
-Subject: [PATCH] virtio: avoid buffer overrun on incoming migration
-
-CVE-2013-6399
-
-vdev->queue_sel is read from the wire, and later used in the
-emulation code as an index into vdev->vq[]. If the value of
-vdev->queue_sel exceeds the length of vdev->vq[], currently
-allocated to be VIRTIO_PCI_QUEUE_MAX elements, subsequent PIO
-operations such as VIRTIO_PCI_QUEUE_PFN can be used to overrun
-the buffer with arbitrary data originating from the source.
-
-Fix this by failing migration if the value from the wire exceeds
-VIRTIO_PCI_QUEUE_MAX.
-
-Signed-off-by: Michael Roth
-Signed-off-by: Michael S. Tsirkin
-Reviewed-by: Peter Maydell
-Signed-off-by: Juan Quintela
-(cherry picked from commit 4b53c2c72cb5541cf394033b528a6fe2a86c0ac1)
----
- hw/virtio/virtio.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
-index 05f05e7..0072542 100644
---- a/hw/virtio/virtio.c
-+++ b/hw/virtio/virtio.c
-@@ -907,6 +907,9 @@ int virtio_load(VirtIODevice *vdev, QEMUFile *f)
- qemu_get_8s(f, &vdev->status);
- qemu_get_8s(f, &vdev->isr);
- qemu_get_be16s(f, &vdev->queue_sel);
-+ if (vdev->queue_sel >= VIRTIO_PCI_QUEUE_MAX) {
-+ return -1;
-+ }
- qemu_get_be32s(f, &features);
- 
- if (virtio_set_features(vdev, features) < 0) {
diff --git a/0013-virtio-validate-num_sg-when-mapping.patch b/0013-virtio-validate-num_sg-when-mapping.patch
deleted file mode 100644
index 91de06c..0000000
--- a/0013-virtio-validate-num_sg-when-mapping.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From f1344659fd93ea0dfb9d8d1af25993e57584c773 Mon Sep 17 00:00:00 2001
-From: "Michael S. Tsirkin"
-Date: Thu, 3 Apr 2014 19:51:53 +0300
-Subject: [PATCH] virtio: validate num_sg when mapping
-
-CVE-2013-4535
-CVE-2013-4536
-
-Both virtio-block and virtio-serial read,
-VirtQueueElements are read in as buffers, and passed to
-virtqueue_map_sg(), where num_sg is taken from the wire and can force
-writes to indicies beyond VIRTQUEUE_MAX_SIZE.
-
-To fix, validate num_sg.
-
-Reported-by: Michael Roth
-Signed-off-by: Michael S. Tsirkin
-Cc: Amit Shah
-Signed-off-by: Juan Quintela
-(cherry picked from commit 36cf2a37132c7f01fa9adb5f95f5312b27742fd4)
----
- hw/virtio/virtio.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
-index 0072542..a70169a 100644
---- a/hw/virtio/virtio.c
-+++ b/hw/virtio/virtio.c
-@@ -430,6 +430,12 @@ void virtqueue_map_sg(struct iovec *sg, hwaddr *addr,
- unsigned int i;
- hwaddr len;
- 
-+ if (num_sg >= VIRTQUEUE_MAX_SIZE) {
-+ error_report("virtio: map attempt out of bounds: %zd > %d",
-+ num_sg, VIRTQUEUE_MAX_SIZE);
-+ exit(1);
-+ }
-+
- for (i = 0; i < num_sg; i++) {
- len = sg[i].iov_len;
- sg[i].iov_base = cpu_physical_memory_map(addr[i], &len, is_write);
diff --git a/0014-pxa2xx-avoid-buffer-overrun-on-incoming-migration.patch b/0014-pxa2xx-avoid-buffer-overrun-on-incoming-migration.patch
deleted file mode 100644
index 94d2d4d..0000000
--- a/0014-pxa2xx-avoid-buffer-overrun-on-incoming-migration.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From 43b30dec4d07aa81ff5f2dc3b0a064fa589fd3af Mon Sep 17 00:00:00 2001
-From: "Michael S. Tsirkin"
-Date: Thu, 3 Apr 2014 19:51:57 +0300
-Subject: [PATCH] pxa2xx: avoid buffer overrun on incoming migration
-
-CVE-2013-4533
-
-s->rx_level is read from the wire and used to determine how many bytes
-to subsequently read into s->rx_fifo[]. If s->rx_level exceeds the
-length of s->rx_fifo[] the buffer can be overrun with arbitrary data
-from the wire.
-
-Fix this by validating rx_level against the size of s->rx_fifo.
-
-Cc: Don Koch
-Reported-by: Michael Roth
-Signed-off-by: Michael S. Tsirkin
-Reviewed-by: Peter Maydell
-Reviewed-by: Don Koch
-Signed-off-by: Juan Quintela
-(cherry picked from commit caa881abe0e01f9931125a0977ec33c5343e4aa7)
----
- hw/arm/pxa2xx.c | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/hw/arm/pxa2xx.c b/hw/arm/pxa2xx.c
-index 0429148..e0cd847 100644
---- a/hw/arm/pxa2xx.c
-+++ b/hw/arm/pxa2xx.c
-@@ -732,7 +732,7 @@ static void pxa2xx_ssp_save(QEMUFile *f, void *opaque)
- static int pxa2xx_ssp_load(QEMUFile *f, void *opaque, int version_id)
- {
- PXA2xxSSPState *s = (PXA2xxSSPState *) opaque;
-- int i;
-+ int i, v;
- 
- s->enable = qemu_get_be32(f);
- 
-@@ -746,7 +746,11 @@ static int pxa2xx_ssp_load(QEMUFile *f, void *opaque, int version_id)
- qemu_get_8s(f, &s->ssrsa);
- qemu_get_8s(f, &s->ssacd);
- 
-- s->rx_level = qemu_get_byte(f);
-+ v = qemu_get_byte(f);
-+ if (v < 0 || v > ARRAY_SIZE(s->rx_fifo)) {
-+ return -EINVAL;
-+ }
-+ s->rx_level = v;
- s->rx_start = 0;
- for (i = 0; i < s->rx_level; i ++)
- s->rx_fifo[i] = qemu_get_byte(f);
diff --git a/0015-ssd0323-fix-buffer-overun-on-invalid-state-load.patch b/0015-ssd0323-fix-buffer-overun-on-invalid-state-load.patch
deleted file mode 100644
index c0bc8e9..0000000
--- a/0015-ssd0323-fix-buffer-overun-on-invalid-state-load.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-From 0cbd8c5754d6f56b53717e92353772777a799b87 Mon Sep 17 00:00:00 2001
-From: "Michael S. Tsirkin"
-Date: Thu, 3 Apr 2014 19:52:05 +0300
-Subject: [PATCH] ssd0323: fix buffer overun on invalid state load
-
-CVE-2013-4538
-
-s->cmd_len used as index in ssd0323_transfer() to store 32-bit field.
-Possible this field might then be supplied by guest to overwrite a
-return addr somewhere. Same for row/col fields, which are indicies into
-framebuffer array.
-
-To fix validate after load.
-
-Additionally, validate that the row/col_start/end are within bounds;
-otherwise the guest can provoke an overrun by either setting the _end
-field so large that the row++ increments just walk off the end of the
-array, or by setting the _start value to something bogus and then
-letting the "we hit end of row" logic reset row to row_start.
-
-For completeness, validate mode as well.
-
-Signed-off-by: Michael S. Tsirkin
-Reviewed-by: Peter Maydell
-Signed-off-by: Juan Quintela
-(cherry picked from commit ead7a57df37d2187813a121308213f41591bd811)
----
- hw/display/ssd0323.c | 24 ++++++++++++++++++++++++
- 1 file changed, 24 insertions(+)
-
-diff --git a/hw/display/ssd0323.c b/hw/display/ssd0323.c
-index 971152e..9727007 100644
---- a/hw/display/ssd0323.c
-+++ b/hw/display/ssd0323.c
-@@ -312,18 +312,42 @@ static int ssd0323_load(QEMUFile *f, void *opaque, int version_id)
- return -EINVAL;
- 
- s->cmd_len = qemu_get_be32(f);
-+ if (s->cmd_len < 0 || s->cmd_len > ARRAY_SIZE(s->cmd_data)) {
-+ return -EINVAL;
-+ }
- s->cmd = qemu_get_be32(f);
- for (i = 0; i < 8; i++)
- s->cmd_data[i] = qemu_get_be32(f);
- s->row = qemu_get_be32(f);
-+ if (s->row < 0 || s->row >= 80) {
-+ return -EINVAL;
-+ }
- s->row_start = qemu_get_be32(f);
-+ if (s->row_start < 0 || s->row_start >= 80) {
-+ return -EINVAL;
-+ }
- s->row_end = qemu_get_be32(f);
-+ if (s->row_end < 0 || s->row_end >= 80) {
-+ return -EINVAL;
-+ }
- s->col = qemu_get_be32(f);
-+ if (s->col < 0 || s->col >= 64) {
-+ return
-EINVAL;
-+ }
- s->col_start = qemu_get_be32(f);
-+ if (s->col_start < 0 || s->col_start >= 64) {
-+ return -EINVAL;
-+ }
- s->col_end = qemu_get_be32(f);
-+ if (s->col_end < 0 || s->col_end >= 64) {
-+ return -EINVAL;
-+ }
- s->redraw = qemu_get_be32(f);
- s->remap = qemu_get_be32(f);
- s->mode = qemu_get_be32(f);
-+ if (s->mode != SSD0323_CMD && s->mode != SSD0323_DATA) {
-+ return -EINVAL;
-+ }
- qemu_get_buffer(f, s->framebuffer, sizeof(s->framebuffer));
- 
- ss->cs = qemu_get_be32(f);
diff --git a/0016-tsc210x-fix-buffer-overrun-on-invalid-state-load.patch b/0016-tsc210x-fix-buffer-overrun-on-invalid-state-load.patch
deleted file mode 100644
index 33fc0c7..0000000
--- a/0016-tsc210x-fix-buffer-overrun-on-invalid-state-load.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 984fcc9ad2abc4429422c045d68e17f1eb1fa4b2 Mon Sep 17 00:00:00 2001
-From: "Michael S. Tsirkin"
-Date: Thu, 3 Apr 2014 19:52:09 +0300
-Subject: [PATCH] tsc210x: fix buffer overrun on invalid state load
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-CVE-2013-4539
-
-s->precision, nextprecision, function and nextfunction
-come from wire and are used
-as idx into resolution[] in TSC_CUT_RESOLUTION.
-
-Validate after load to avoid buffer overrun.
-
-Cc: Andreas Färber
-Signed-off-by: Michael S. Tsirkin
-Signed-off-by: Juan Quintela
-(cherry picked from commit 5193be3be35f29a35bc465036cd64ad60d43385f)
----
- hw/input/tsc210x.c | 12 ++++++++++++
- 1 file changed, 12 insertions(+)
-
-diff --git a/hw/input/tsc210x.c b/hw/input/tsc210x.c
-index 485c9e5..aa5b688 100644
---- a/hw/input/tsc210x.c
-+++ b/hw/input/tsc210x.c
-@@ -1070,9 +1070,21 @@ static int tsc210x_load(QEMUFile *f, void *opaque, int version_id)
- s->enabled = qemu_get_byte(f);
- s->host_mode = qemu_get_byte(f);
- s->function = qemu_get_byte(f);
-+ if (s->function < 0 || s->function >= ARRAY_SIZE(mode_regs)) {
-+ return -EINVAL;
-+ }
- s->nextfunction = qemu_get_byte(f);
-+ if (s->nextfunction < 0 || s->nextfunction >= ARRAY_SIZE(mode_regs)) {
-+ return -EINVAL;
-+ }
- s->precision = qemu_get_byte(f);
-+ if (s->precision < 0 || s->precision >= ARRAY_SIZE(resolution)) {
-+ return -EINVAL;
-+ }
- s->nextprecision = qemu_get_byte(f);
-+ if (s->nextprecision < 0 || s->nextprecision >= ARRAY_SIZE(resolution)) {
-+ return -EINVAL;
-+ }
- s->filter = qemu_get_byte(f);
- s->pin_func = qemu_get_byte(f);
- s->ref = qemu_get_byte(f);
diff --git a/0017-zaurus-fix-buffer-overrun-on-invalid-state-load.patch b/0017-zaurus-fix-buffer-overrun-on-invalid-state-load.patch
deleted file mode 100644
index 9b442d4..0000000
--- a/0017-zaurus-fix-buffer-overrun-on-invalid-state-load.patch
+++ /dev/null
@@ -1,54 +0,0 @@ -From 985b046012f258fd5a2164fb85e9d792f574697c Mon Sep 17 00:00:00 2001 -From: "Michael S. Tsirkin" -Date: Thu, 3 Apr 2014 19:52:13 +0300 -Subject: [PATCH] zaurus: fix buffer overrun on invalid state load - -CVE-2013-4540 - -Within scoop_gpio_handler_update, if prev_level has a high bit set, then -we get bit > 16 and that causes a buffer overrun. - -Since prev_level comes from wire indirectly, this can -happen on invalid state load. - -Similarly for gpio_level and gpio_dir. - -To fix, limit to 16 bit. - -Reported-by: Michael S. Tsirkin -Signed-off-by: Michael S. Tsirkin -Reviewed-by: Dr. David Alan Gilbert -Signed-off-by: Juan Quintela -(cherry picked from commit 52f91c3723932f8340fe36c8ec8b18a757c37b2b) ---- - hw/gpio/zaurus.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/hw/gpio/zaurus.c b/hw/gpio/zaurus.c -index dc79a8b..8e2ce04 100644 ---- a/hw/gpio/zaurus.c -+++ b/hw/gpio/zaurus.c -@@ -203,6 +203,15 @@ static bool is_version_0 (void *opaque, int version_id) - return version_id == 0; - } - -+static bool vmstate_scoop_validate(void *opaque, int version_id) -+{ -+ ScoopInfo *s = opaque; -+ -+ return !(s->prev_level & 0xffff0000) && -+ !(s->gpio_level & 0xffff0000) && -+ !(s->gpio_dir & 0xffff0000); -+} -+ - static const VMStateDescription vmstate_scoop_regs = { - .name = "scoop", - .version_id = 1, -@@ -215,6 +224,7 @@ static const VMStateDescription vmstate_scoop_regs = { - VMSTATE_UINT32(gpio_level, ScoopInfo), - VMSTATE_UINT32(gpio_dir, ScoopInfo), - VMSTATE_UINT32(prev_level, ScoopInfo), -+ VMSTATE_VALIDATE("irq levels are 16 bit", vmstate_scoop_validate), - VMSTATE_UINT16(mcr, ScoopInfo), - VMSTATE_UINT16(cdr, ScoopInfo), - VMSTATE_UINT16(ccr, ScoopInfo), diff --git a/0018-virtio-scsi-fix-buffer-overrun-on-invalid-state-load.patch b/0018-virtio-scsi-fix-buffer-overrun-on-invalid-state-load.patch deleted file mode 100644 index 6c8218d..0000000 
--- a/0018-virtio-scsi-fix-buffer-overrun-on-invalid-state-load.patch
+++ /dev/null
@@ -1,67 +0,0 @@ -From 579bb2000dbcd8a415660e76d31f521d87ac1302 Mon Sep 17 00:00:00 2001 -From: "Michael S. Tsirkin" -Date: Thu, 3 Apr 2014 19:52:17 +0300 -Subject: [PATCH] virtio-scsi: fix buffer overrun on invalid state load -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -CVE-2013-4542 - -hw/scsi/scsi-bus.c invokes load_request. - - virtio_scsi_load_request does: - qemu_get_buffer(f, (unsigned char *)&req->elem, sizeof(req->elem)); - -this probably can make elem invalid, for example, -make in_num or out_num huge, then: - - virtio_scsi_parse_req(s, vs->cmd_vqs[n], req); - -will do: - - if (req->elem.out_num > 1) { - qemu_sgl_init_external(req, &req->elem.out_sg[1], - &req->elem.out_addr[1], - req->elem.out_num - 1); - } else { - qemu_sgl_init_external(req, &req->elem.in_sg[1], - &req->elem.in_addr[1], - req->elem.in_num - 1); - } - -and this will access out of array bounds. - -Note: this adds security checks within assert calls since -SCSIBusInfo's load_request cannot fail. -For now simply disable builds with NDEBUG - there seems -to be little value in supporting these. - -Cc: Andreas Färber -Signed-off-by: Michael S. Tsirkin -Signed-off-by: Juan Quintela -(cherry picked from commit 3c3ce981423e0d6c18af82ee62f1850c2cda5976) ---- - hw/scsi/virtio-scsi.c | 9 +++++++++ - 1 file changed, 9 insertions(+) - -diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c -index b0d7517..1752193 100644 ---- a/hw/scsi/virtio-scsi.c -+++ b/hw/scsi/virtio-scsi.c -@@ -147,6 +147,15 @@ static void *virtio_scsi_load_request(QEMUFile *f, SCSIRequest *sreq) - qemu_get_be32s(f, &n); - assert(n < vs->conf.num_queues); - qemu_get_buffer(f, (unsigned char *)&req->elem, sizeof(req->elem)); -+ /* TODO: add a way for SCSIBusInfo's load_request to fail, -+ * and fail migration instead of asserting here. -+ * When we do, we might be able to re-enable NDEBUG below. 
-+ */ -+#ifdef NDEBUG -+#error building with NDEBUG is not supported -+#endif -+ assert(req->elem.in_num <= ARRAY_SIZE(req->elem.in_sg)); -+ assert(req->elem.out_num <= ARRAY_SIZE(req->elem.out_sg)); - virtio_scsi_parse_req(s, vs->cmd_vqs[n], req); - - scsi_req_ref(sreq); diff --git a/0019-vmstate-s-VMSTATE_INT32_LE-VMSTATE_INT32_POSITIVE_LE.patch b/0019-vmstate-s-VMSTATE_INT32_LE-VMSTATE_INT32_POSITIVE_LE.patch deleted file mode 100644 index 8b93785..0000000 --- a/0019-vmstate-s-VMSTATE_INT32_LE-VMSTATE_INT32_POSITIVE_LE.patch +++ /dev/null 
@@ -1,65 +0,0 @@ -From 83bb87c00e9970a1771ddcad3fd99091f5b2719c Mon Sep 17 00:00:00 2001 -From: "Michael S. Tsirkin" -Date: Thu, 3 Apr 2014 19:52:21 +0300 -Subject: [PATCH] vmstate: s/VMSTATE_INT32_LE/VMSTATE_INT32_POSITIVE_LE/ - -As the macro verifies the value is positive, rename it -to make the function clearer. - -Signed-off-by: Michael S. Tsirkin -Signed-off-by: Juan Quintela -(cherry picked from commit 3476436a44c29725efef0cabf5b3ea4e70054d57) ---- - hw/pci/pci.c | 4 ++-- - include/migration/vmstate.h | 2 +- - target-arm/machine.c | 2 +- - 3 files changed, 4 insertions(+), 4 deletions(-) - -diff --git a/hw/pci/pci.c b/hw/pci/pci.c -index 2a9f08e..517ff2a 100644 ---- a/hw/pci/pci.c -+++ b/hw/pci/pci.c -@@ -475,7 +475,7 @@ const VMStateDescription vmstate_pci_device = { - .minimum_version_id = 1, - .minimum_version_id_old = 1, - .fields = (VMStateField []) { -- VMSTATE_INT32_LE(version_id, PCIDevice), -+ VMSTATE_INT32_POSITIVE_LE(version_id, PCIDevice), - VMSTATE_BUFFER_UNSAFE_INFO(config, PCIDevice, 0, - vmstate_info_pci_config, - PCI_CONFIG_SPACE_SIZE), -@@ -492,7 +492,7 @@ const VMStateDescription vmstate_pcie_device = { - .minimum_version_id = 1, - .minimum_version_id_old = 1, - .fields = (VMStateField []) { -- VMSTATE_INT32_LE(version_id, PCIDevice), -+ VMSTATE_INT32_POSITIVE_LE(version_id, PCIDevice), - VMSTATE_BUFFER_UNSAFE_INFO(config, PCIDevice, 0, - vmstate_info_pci_config, - PCIE_CONFIG_SPACE_SIZE), -diff --git a/include/migration/vmstate.h b/include/migration/vmstate.h -index 5b71370..7e45048 100644 ---- a/include/migration/vmstate.h -+++ b/include/migration/vmstate.h -@@ -601,7 +601,7 @@ extern const VMStateInfo vmstate_info_bitmap; - #define VMSTATE_UINT64_EQUAL(_f, _s) \ - VMSTATE_UINT64_EQUAL_V(_f, _s, 0) - --#define VMSTATE_INT32_LE(_f, _s) \ -+#define VMSTATE_INT32_POSITIVE_LE(_f, _s) \ - VMSTATE_SINGLE(_f, _s, 0, vmstate_info_int32_le, int32_t) - - #define VMSTATE_UINT8_TEST(_f, _s, _t) \ -diff --git a/target-arm/machine.c 
b/target-arm/machine.c -index 7ced87a..5746ffd 100644 ---- a/target-arm/machine.c -+++ b/target-arm/machine.c -@@ -246,7 +246,7 @@ const VMStateDescription vmstate_arm_cpu = { - /* The length-check must come before the arrays to avoid - * incoming data possibly overflowing the array. - */ -- VMSTATE_INT32_LE(cpreg_vmstate_array_len, ARMCPU), -+ VMSTATE_INT32_POSITIVE_LE(cpreg_vmstate_array_len, ARMCPU), - VMSTATE_VARRAY_INT32(cpreg_vmstate_indexes, ARMCPU, - cpreg_vmstate_array_len, - 0, vmstate_info_uint64, uint64_t), diff --git a/0020-usb-sanity-check-setup_index-setup_len-in-post_load.patch b/0020-usb-sanity-check-setup_index-setup_len-in-post_load.patch deleted file mode 100644 index 824140c..0000000 --- a/0020-usb-sanity-check-setup_index-setup_len-in-post_load.patch +++ /dev/null 
@@ -1,38 +0,0 @@ -From a608c9c4150820ec64f5f25f6ebe244906c015da Mon Sep 17 00:00:00 2001 -From: "Michael S. Tsirkin" -Date: Thu, 3 Apr 2014 19:52:25 +0300 -Subject: [PATCH] usb: sanity check setup_index+setup_len in post_load - -CVE-2013-4541 - -s->setup_len and s->setup_index are fed into usb_packet_copy as -size/offset into s->data_buf, it's possible for invalid state to exploit -this to load arbitrary data. - -setup_len and setup_index should be checked to make sure -they are not negative. - -Cc: Gerd Hoffmann -Signed-off-by: Michael S. Tsirkin -Reviewed-by: Gerd Hoffmann -Signed-off-by: Juan Quintela -(cherry picked from commit 9f8e9895c504149d7048e9fc5eb5cbb34b16e49a) ---- - hw/usb/bus.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/hw/usb/bus.c b/hw/usb/bus.c -index fe70429..e48b19f 100644 ---- a/hw/usb/bus.c -+++ b/hw/usb/bus.c -@@ -49,7 +49,9 @@ static int usb_device_post_load(void *opaque, int version_id) - } else { - dev->attached = 1; - } -- if (dev->setup_index >= sizeof(dev->data_buf) || -+ if (dev->setup_index < 0 || -+ dev->setup_len < 0 || -+ dev->setup_index >= sizeof(dev->data_buf) || - dev->setup_len >= sizeof(dev->data_buf)) { - return -EINVAL; - } diff --git a/0021-ssi-sd-fix-buffer-overrun-on-invalid-state-load.patch b/0021-ssi-sd-fix-buffer-overrun-on-invalid-state-load.patch deleted file mode 100644 index ac1e790..0000000 --- a/0021-ssi-sd-fix-buffer-overrun-on-invalid-state-load.patch +++ /dev/null 
@@ -1,41 +0,0 @@ -From d2c50b94a808f06d778746aec63ce2cb4eb1222f Mon Sep 17 00:00:00 2001 -From: "Michael S. Tsirkin" -Date: Mon, 28 Apr 2014 16:08:14 +0300 -Subject: [PATCH] ssi-sd: fix buffer overrun on invalid state load - -CVE-2013-4537 - -s->arglen is taken from wire and used as idx -in ssi_sd_transfer(). - -Validate it before access. - -Signed-off-by: Michael S. Tsirkin -Signed-off-by: Juan Quintela -(cherry picked from commit a9c380db3b8c6af19546a68145c8d1438a09c92b) ---- - hw/sd/ssi-sd.c | 9 +++++++++ - 1 file changed, 9 insertions(+) - -diff --git a/hw/sd/ssi-sd.c b/hw/sd/ssi-sd.c -index 3273c8a..b012e57 100644 ---- a/hw/sd/ssi-sd.c -+++ b/hw/sd/ssi-sd.c -@@ -230,8 +230,17 @@ static int ssi_sd_load(QEMUFile *f, void *opaque, int version_id) - for (i = 0; i < 5; i++) - s->response[i] = qemu_get_be32(f); - s->arglen = qemu_get_be32(f); -+ if (s->mode == SSI_SD_CMDARG && -+ (s->arglen < 0 || s->arglen >= ARRAY_SIZE(s->cmdarg))) { -+ return -EINVAL; -+ } - s->response_pos = qemu_get_be32(f); - s->stopping = qemu_get_be32(f); -+ if (s->mode == SSI_SD_RESPONSE && -+ (s->response_pos < 0 || s->response_pos >= ARRAY_SIZE(s->response) || -+ (!s->stopping && s->arglen > ARRAY_SIZE(s->response)))) { -+ return -EINVAL; -+ } - - ss->cs = qemu_get_be32(f); - diff --git a/0022-openpic-avoid-buffer-overrun-on-incoming-migration.patch b/0022-openpic-avoid-buffer-overrun-on-incoming-migration.patch deleted file mode 100644 index b9404dc..0000000 --- a/0022-openpic-avoid-buffer-overrun-on-incoming-migration.patch +++ /dev/null 
@@ -1,72 +0,0 @@ -From 70488d5f1746b720bc141ea6b9850585e9c42121 Mon Sep 17 00:00:00 2001 -From: Michael Roth -Date: Mon, 28 Apr 2014 16:08:17 +0300 -Subject: [PATCH] openpic: avoid buffer overrun on incoming migration - -CVE-2013-4534 - -opp->nb_cpus is read from the wire and used to determine how many -IRQDest elements to read into opp->dst[]. If the value exceeds the -length of opp->dst[], MAX_CPU, opp->dst[] can be overrun with arbitrary -data from the wire. - -Fix this by failing migration if the value read from the wire exceeds -MAX_CPU. - -Signed-off-by: Michael Roth -Reviewed-by: Alexander Graf -Signed-off-by: Michael S. Tsirkin -Signed-off-by: Juan Quintela -(cherry picked from commit 73d963c0a75cb99c6aaa3f6f25e427aa0b35a02e) ---- - hw/intc/openpic.c | 16 ++++++++++++++-- - 1 file changed, 14 insertions(+), 2 deletions(-) - -diff --git a/hw/intc/openpic.c b/hw/intc/openpic.c -index be76fbd..17136c9 100644 ---- a/hw/intc/openpic.c -+++ b/hw/intc/openpic.c -@@ -41,6 +41,7 @@ - #include "hw/sysbus.h" - #include "hw/pci/msi.h" - #include "qemu/bitops.h" -+#include "qapi/qmp/qerror.h" - - //#define DEBUG_OPENPIC - -@@ -1416,7 +1417,7 @@ static void openpic_load_IRQ_queue(QEMUFile* f, IRQQueue *q) - static int openpic_load(QEMUFile* f, void *opaque, int version_id) - { - OpenPICState *opp = (OpenPICState *)opaque; -- unsigned int i; -+ unsigned int i, nb_cpus; - - if (version_id != 1) { - return -EINVAL; -@@ -1428,7 +1429,11 @@ static int openpic_load(QEMUFile* f, void *opaque, int version_id) - qemu_get_be32s(f, &opp->spve); - qemu_get_be32s(f, &opp->tfrr); - -- qemu_get_be32s(f, &opp->nb_cpus); -+ qemu_get_be32s(f, &nb_cpus); -+ if (opp->nb_cpus != nb_cpus) { -+ return -EINVAL; -+ } -+ assert(nb_cpus > 0 && nb_cpus <= MAX_CPU); - - for (i = 0; i < opp->nb_cpus; i++) { - qemu_get_sbe32s(f, &opp->dst[i].ctpr); -@@ -1567,6 +1572,13 @@ static void openpic_realize(DeviceState *dev, Error **errp) - {NULL} - }; - -+ if (opp->nb_cpus > MAX_CPU) { -+ error_set(errp, 
QERR_PROPERTY_VALUE_OUT_OF_RANGE, -+ TYPE_OPENPIC, "nb_cpus", (uint64_t)opp->nb_cpus, -+ (uint64_t)0, (uint64_t)MAX_CPU); -+ return; -+ } -+ - switch (opp->model) { - case OPENPIC_MODEL_FSL_MPIC_20: - default: diff --git a/0023-virtio-net-out-of-bounds-buffer-write-on-load.patch b/0023-virtio-net-out-of-bounds-buffer-write-on-load.patch deleted file mode 100644 index cf100f3..0000000 --- a/0023-virtio-net-out-of-bounds-buffer-write-on-load.patch +++ /dev/null 
@@ -1,55 +0,0 @@ -From 1a29e58f9f23846d0e105a3157629786fc624f65 Mon Sep 17 00:00:00 2001 -From: "Michael S. Tsirkin" -Date: Mon, 28 Apr 2014 16:08:21 +0300 -Subject: [PATCH] virtio-net: out-of-bounds buffer write on load - -CVE-2013-4149 QEMU 1.3.0 out-of-bounds buffer write in -virtio_net_load()@hw/net/virtio-net.c - -> } else if (n->mac_table.in_use) { -> uint8_t *buf = g_malloc0(n->mac_table.in_use); - -We are allocating buffer of size n->mac_table.in_use - -> qemu_get_buffer(f, buf, n->mac_table.in_use * ETH_ALEN); - -and read to the n->mac_table.in_use size buffer n->mac_table.in_use * -ETH_ALEN bytes, corrupting memory. - -If adversary controls state then memory written there is controlled -by adversary. - -Reviewed-by: Michael Roth -Signed-off-by: Michael S. Tsirkin -Signed-off-by: Juan Quintela -(cherry picked from commit 98f93ddd84800f207889491e0b5d851386b459cf) ---- - hw/net/virtio-net.c | 15 +++++++++++---- - 1 file changed, 11 insertions(+), 4 deletions(-) - -diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c -index 0a8cb40..940a7cf 100644 ---- a/hw/net/virtio-net.c -+++ b/hw/net/virtio-net.c -@@ -1362,10 +1362,17 @@ static int virtio_net_load(QEMUFile *f, void *opaque, int version_id) - if (n->mac_table.in_use <= MAC_TABLE_ENTRIES) { - qemu_get_buffer(f, n->mac_table.macs, - n->mac_table.in_use * ETH_ALEN); -- } else if (n->mac_table.in_use) { -- uint8_t *buf = g_malloc0(n->mac_table.in_use); -- qemu_get_buffer(f, buf, n->mac_table.in_use * ETH_ALEN); -- g_free(buf); -+ } else { -+ int64_t i; -+ -+ /* Overflow detected - can happen if source has a larger MAC table. -+ * We simply set overflow flag so there's no need to maintain the -+ * table of addresses, discard them all. -+ * Note: 64 bit math to avoid integer overflow. -+ */ -+ for (i = 0; i < (int64_t)n->mac_table.in_use * ETH_ALEN; ++i) { -+ qemu_get_byte(f); -+ } - n->mac_table.multi_overflow = n->mac_table.uni_overflow = 1; - n->mac_table.in_use = 0; - } 
diff --git a/0024-virtio-validate-config_len-on-load.patch b/0024-virtio-validate-config_len-on-load.patch deleted file mode 100644 index 9e6dde4..0000000 --- a/0024-virtio-validate-config_len-on-load.patch +++ /dev/null @@ -1,52 +0,0 @@ -From 94998eaa5ef06ba17ad12976ac84801033a28582 Mon Sep 17 00:00:00 2001 -From: "Michael S. Tsirkin" -Date: Mon, 28 Apr 2014 16:08:23 +0300 -Subject: [PATCH] virtio: validate config_len on load - -Malformed input can have config_len in migration stream -exceed the array size allocated on destination, the -result will be heap overflow. - -To fix, that config_len matches on both sides. - -CVE-2014-0182 - -Reported-by: "Dr. David Alan Gilbert" -Signed-off-by: Michael S. Tsirkin -Signed-off-by: Juan Quintela - --- - -v2: use %ix and %zx to print config_len values -Signed-off-by: Juan Quintela -(cherry picked from commit a890a2f9137ac3cf5b607649e66a6f3a5512d8dc) ---- - hw/virtio/virtio.c | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c -index a70169a..7f4e7ec 100644 ---- a/hw/virtio/virtio.c -+++ b/hw/virtio/virtio.c -@@ -898,6 +898,7 @@ int virtio_set_features(VirtIODevice *vdev, uint32_t val) - int virtio_load(VirtIODevice *vdev, QEMUFile *f) - { - int i, ret; -+ int32_t config_len; - uint32_t num; - uint32_t features; - uint32_t supported_features; -@@ -924,7 +925,12 @@ int virtio_load(VirtIODevice *vdev, QEMUFile *f) - features, supported_features); - return -1; - } -- vdev->config_len = qemu_get_be32(f); -+ config_len = qemu_get_be32(f); -+ if (config_len != vdev->config_len) { -+ error_report("Unexpected config length 0x%x. Expected 0x%zx", -+ config_len, vdev->config_len); -+ return -1; -+ } - qemu_get_buffer(f, vdev->config, vdev->config_len); - - num = qemu_get_be32(f); diff --git a/0101-qcow1-Make-padding-in-the-header-explicit.patch b/0101-qcow1-Make-padding-in-the-header-explicit.patch deleted file mode 100644 index 723cc80..0000000 
--- a/0101-qcow1-Make-padding-in-the-header-explicit.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 709786ed4fa98cd281beaac3c6770292bd045a30 Mon Sep 17 00:00:00 2001 -From: Kevin Wolf -Date: Wed, 7 May 2014 16:56:10 +0200 -Subject: [PATCH] qcow1: Make padding in the header explicit - -We were relying on all compilers inserting the same padding in the -header struct that is used for the on-disk format. Let's not do that. -Mark the struct as packed and insert an explicit padding field for -compatibility. - -Cc: qemu-stable@nongnu.org -Signed-off-by: Kevin Wolf -Reviewed-by: Benoit Canet -(cherry picked from commit ea54feff58efedc809641474b25a3130309678e7) ---- - block/qcow.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/block/qcow.c b/block/qcow.c -index d5a7d5f..9018f44 100644 ---- a/block/qcow.c -+++ b/block/qcow.c -@@ -48,9 +48,10 @@ typedef struct QCowHeader { - uint64_t size; /* in bytes */ - uint8_t cluster_bits; - uint8_t l2_bits; -+ uint16_t padding; - uint32_t crypt_method; - uint64_t l1_table_offset; --} QCowHeader; -+} QEMU_PACKED QCowHeader; - - #define L2_CACHE_SIZE 16 - diff --git a/0102-qcow1-Check-maximum-cluster-size.patch b/0102-qcow1-Check-maximum-cluster-size.patch deleted file mode 100644 index 071bd79..0000000 --- a/0102-qcow1-Check-maximum-cluster-size.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -From 6893e96e6b58d809a08c6491f76df221fd1a6473 Mon Sep 17 00:00:00 2001 -From: Kevin Wolf -Date: Wed, 7 May 2014 17:30:30 +0200 -Subject: [PATCH] qcow1: Check maximum cluster size - -Huge values for header.cluster_bits cause unbounded allocations (e.g. -for s->cluster_cache) and crash qemu this way. Less huge values may -survive those allocations, but can cause integer overflows later on. - -The only cluster sizes that qemu can create are 4k (for standalone -images) and 512 (for images with backing files), so we can limit it -to 64k. - -Cc: qemu-stable@nongnu.org -Signed-off-by: Kevin Wolf -Reviewed-by: Benoit Canet -(cherry picked from commit 7159a45b2bf2dcb9f49f1e27d1d3d135a0247a2f) - -Conflicts: - tests/qemu-iotests/group ---- - block/qcow.c | 10 ++++++++-- - 1 file changed, 8 insertions(+), 2 deletions(-) - -diff --git a/block/qcow.c b/block/qcow.c -index 9018f44..26bb923 100644 ---- a/block/qcow.c -+++ b/block/qcow.c -@@ -127,11 +127,17 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags, - goto fail; - } - -- if (header.size <= 1 || header.cluster_bits < 9) { -- error_setg(errp, "invalid value in qcow header"); -+ if (header.size <= 1) { -+ error_setg(errp, "Image size is too small (must be at least 2 bytes)"); - ret = -EINVAL; - goto fail; - } -+ if (header.cluster_bits < 9 || header.cluster_bits > 16) { -+ error_setg(errp, "Cluster size must be between 512 and 64k"); -+ ret = -EINVAL; -+ goto fail; -+ } -+ - if (header.crypt_method > QCOW_CRYPT_AES) { - error_setg(errp, "invalid encryption method in qcow header"); - ret = -EINVAL; diff --git a/0103-qcow1-Validate-L2-table-size-CVE-2014-0222.patch b/0103-qcow1-Validate-L2-table-size-CVE-2014-0222.patch deleted file mode 100644 index db3b686..0000000 --- a/0103-qcow1-Validate-L2-table-size-CVE-2014-0222.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -From 71ae37ec9806ab76afcdb40cf5f080af378848ac Mon Sep 17 00:00:00 2001 -From: Kevin Wolf -Date: Thu, 15 May 2014 16:10:11 +0200 -Subject: [PATCH] qcow1: Validate L2 table size (CVE-2014-0222) - -Too large L2 table sizes cause unbounded allocations. Images actually -created by qemu-img only have 512 byte or 4k L2 tables. - -To keep things consistent with cluster sizes, allow ranges between 512 -bytes and 64k (in fact, down to 1 entry = 8 bytes is technically -working, but L2 table sizes smaller than a cluster don't make a lot of -sense). - -This also means that the number of bytes on the virtual disk that are -described by the same L2 table is limited to at most 8k * 64k or 2^29, -preventively avoiding any integer overflows. - -Cc: qemu-stable@nongnu.org -Signed-off-by: Kevin Wolf -Reviewed-by: Benoit Canet -(cherry picked from commit 42eb58179b3b215bb507da3262b682b8a2ec10b5) - -Conflicts: - tests/qemu-iotests/092 - tests/qemu-iotests/092.out ---- - block/qcow.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/block/qcow.c b/block/qcow.c -index 26bb923..8718ca5 100644 ---- a/block/qcow.c -+++ b/block/qcow.c -@@ -138,6 +138,14 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags, - goto fail; - } - -+ /* l2_bits specifies number of entries; storing a uint64_t in each entry, -+ * so bytes = num_entries << 3. */ -+ if (header.l2_bits < 9 - 3 || header.l2_bits > 16 - 3) { -+ error_setg(errp, "L2 table size must be between 512 and 64k"); -+ ret = -EINVAL; -+ goto fail; -+ } -+ - if (header.crypt_method > QCOW_CRYPT_AES) { - error_setg(errp, "invalid encryption method in qcow header"); - ret = -EINVAL; diff --git a/0104-qcow1-Validate-image-size-CVE-2014-0223.patch b/0104-qcow1-Validate-image-size-CVE-2014-0223.patch deleted file mode 100644 index 547362a..0000000 --- a/0104-qcow1-Validate-image-size-CVE-2014-0223.patch +++ /dev/null 
@@ -1,57 +0,0 @@ -From 92e1dd206a3bb8ddbea0ece22bc05e9446a69436 Mon Sep 17 00:00:00 2001 -From: Kevin Wolf -Date: Thu, 8 May 2014 13:08:20 +0200 -Subject: [PATCH] qcow1: Validate image size (CVE-2014-0223) - -A huge image size could cause s->l1_size to overflow. Make sure that -images never require a L1 table larger than what fits in s->l1_size. - -This cannot only cause unbounded allocations, but also the allocation of -a too small L1 table, resulting in out-of-bounds array accesses (both -reads and writes). - -Cc: qemu-stable@nongnu.org -Signed-off-by: Kevin Wolf -(cherry picked from commit 46485de0cb357b57373e1ca895adedf1f3ed46ec) - -Conflicts: - tests/qemu-iotests/092 - tests/qemu-iotests/092.out ---- - block/qcow.c | 16 ++++++++++++++-- - 1 file changed, 14 insertions(+), 2 deletions(-) - -diff --git a/block/qcow.c b/block/qcow.c -index 8718ca5..f9cb009 100644 ---- a/block/qcow.c -+++ b/block/qcow.c -@@ -61,7 +61,7 @@ typedef struct BDRVQcowState { - int cluster_sectors; - int l2_bits; - int l2_size; -- int l1_size; -+ unsigned int l1_size; - uint64_t cluster_offset_mask; - uint64_t l1_table_offset; - uint64_t *l1_table; -@@ -165,7 +165,19 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags, - - /* read the level 1 table */ - shift = s->cluster_bits + s->l2_bits; -- s->l1_size = (header.size + (1LL << shift) - 1) >> shift; -+ if (header.size > UINT64_MAX - (1LL << shift)) { -+ error_setg(errp, "Image too large"); -+ ret = -EINVAL; -+ goto fail; -+ } else { -+ uint64_t l1_size = (header.size + (1LL << shift) - 1) >> shift; -+ if (l1_size > INT_MAX / sizeof(uint64_t)) { -+ error_setg(errp, "Image too large"); -+ ret = -EINVAL; -+ goto fail; -+ } -+ s->l1_size = l1_size; -+ } - - s->l1_table_offset = header.l1_table_offset; - s->l1_table = g_malloc(s->l1_size * sizeof(uint64_t)); diff --git a/0105-qcow1-Stricter-backing-file-length-check.patch b/0105-qcow1-Stricter-backing-file-length-check.patch deleted file mode 100644 index 60894ed..0000000 
--- a/0105-qcow1-Stricter-backing-file-length-check.patch +++ /dev/null @@ -1,48 +0,0 @@ -From deaa4693c8533862fdda9bf584c24d4f2ef50029 Mon Sep 17 00:00:00 2001 -From: Kevin Wolf -Date: Thu, 8 May 2014 13:35:09 +0200 -Subject: [PATCH] qcow1: Stricter backing file length check - -Like qcow2 since commit 6d33e8e7, error out on invalid lengths instead -of silently truncating them to 1023. - -Also don't rely on bdrv_pread() catching integer overflows that make len -negative, but use unsigned variables in the first place. - -Cc: qemu-stable@nongnu.org -Signed-off-by: Kevin Wolf -Reviewed-by: Benoit Canet -(cherry picked from commit d66e5cee002c471b78139228a4e7012736b375f9) - -Conflicts: - tests/qemu-iotests/092 - tests/qemu-iotests/092.out ---- - block/qcow.c | 7 +++++-- - 1 file changed, 5 insertions(+), 2 deletions(-) - -diff --git a/block/qcow.c b/block/qcow.c -index f9cb009..c0a3b89 100644 ---- a/block/qcow.c -+++ b/block/qcow.c -@@ -97,7 +97,8 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags, - Error **errp) - { - BDRVQcowState *s = bs->opaque; -- int len, i, shift, ret; -+ unsigned int len, i, shift; -+ int ret; - QCowHeader header; - - ret = bdrv_pread(bs->file, 0, &header, sizeof(header)); -@@ -201,7 +202,9 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags, - if (header.backing_file_offset != 0) { - len = header.backing_file_size; - if (len > 1023) { -- len = 1023; -+ error_setg(errp, "Backing file name too long"); -+ ret = -EINVAL; -+ goto fail; - } - ret = bdrv_pread(bs->file, header.backing_file_offset, - bs->backing_file, len); diff --git a/0106-usb-fix-up-post-load-checks.patch b/0106-usb-fix-up-post-load-checks.patch deleted file mode 100644 index 3f0c217..0000000 --- a/0106-usb-fix-up-post-load-checks.patch +++ /dev/null 
@@ -1,37 +0,0 @@ -From 40e49e4fab60b3b323263f06b7a8385fa9b62e89 Mon Sep 17 00:00:00 2001 -From: "Michael S. Tsirkin" -Date: Tue, 13 May 2014 12:33:16 +0300 -Subject: [PATCH] usb: fix up post load checks - -Correct post load checks: -1. dev->setup_len == sizeof(dev->data_buf) - seems fine, no need to fail migration -2. When state is DATA, passing index > len - will cause memcpy with negative length, - resulting in heap overflow - -First of the issues was reported by dgilbert. - -Reported-by: "Dr. David Alan Gilbert" -Signed-off-by: Michael S. Tsirkin -Signed-off-by: Juan Quintela -(cherry picked from commit 719ffe1f5f72b1c7ace4afe9ba2815bcb53a829e) ---- - hw/usb/bus.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/hw/usb/bus.c b/hw/usb/bus.c -index e48b19f..ff1dfe6 100644 ---- a/hw/usb/bus.c -+++ b/hw/usb/bus.c -@@ -51,8 +51,8 @@ static int usb_device_post_load(void *opaque, int version_id) - } - if (dev->setup_index < 0 || - dev->setup_len < 0 || -- dev->setup_index >= sizeof(dev->data_buf) || -- dev->setup_len >= sizeof(dev->data_buf)) { -+ dev->setup_index > dev->setup_len || -+ dev->setup_len > sizeof(dev->data_buf)) { - return -EINVAL; - } - return 0; diff --git a/0107-trace-add-pid-field-to-simpletrace-record.patch b/0107-trace-add-pid-field-to-simpletrace-record.patch deleted file mode 100644 index e8dc6f6..0000000 --- a/0107-trace-add-pid-field-to-simpletrace-record.patch +++ /dev/null 
@@ -1,70 +0,0 @@ -From 32f3e4afa3c9e67c6448b2f3e3aefc4d7cf5a0d3 Mon Sep 17 00:00:00 2001 -From: Stefan Hajnoczi -Date: Wed, 7 May 2014 19:24:10 +0200 -Subject: [PATCH] trace: add pid field to simpletrace record - -It is useful to know the QEMU process ID when working with traces from -multiple VMs. Although the trace filename may contain the pid, tools -that aggregate traces or even trace globally need somewhere to record -the pid. - -There is a reserved field in the trace event header struct that we can -use. - -It is not necessary to bump the simpletrace file format version number -because it has already been incremented for the QEMU 2.1 release cycle -in commit "trace: [simple] Bump up log version number". - -Signed-off-by: Stefan Hajnoczi -(cherry picked from commit 26896cbf353e3017f76da8193074839b6e875250) ---- - trace/simple.c | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - -diff --git a/trace/simple.c b/trace/simple.c -index aaa010e..1584bf7 100644 ---- a/trace/simple.c -+++ b/trace/simple.c -@@ -75,6 +75,7 @@ uint8_t trace_buf[TRACE_BUF_LEN]; - static volatile gint trace_idx; - static unsigned int writeout_idx; - static volatile gint dropped_events; -+static uint32_t trace_pid; - static FILE *trace_fp; - static char *trace_file_name; - -@@ -83,7 +84,7 @@ typedef struct { - uint64_t event; /* TraceEventID */ - uint64_t timestamp_ns; - uint32_t length; /* in bytes */ -- uint32_t reserved; /* unused */ -+ uint32_t pid; - uint64_t arguments[]; - } TraceRecord; - -@@ -190,7 +191,7 @@ static gpointer writeout_thread(gpointer opaque) - dropped.rec.event = DROPPED_EVENT_ID, - dropped.rec.timestamp_ns = get_clock(); - dropped.rec.length = sizeof(TraceRecord) + sizeof(uint64_t), -- dropped.rec.reserved = 0; -+ dropped.rec.pid = trace_pid; - do { - dropped_count = g_atomic_int_get(&dropped_events); - } while (!g_atomic_int_compare_and_exchange(&dropped_events, -@@ -249,6 +250,7 @@ int trace_record_start(TraceBufferRecord *rec, TraceEventID event, 
size_t datasi - rec_off = write_to_buffer(rec_off, &event_u64, sizeof(event_u64)); - rec_off = write_to_buffer(rec_off, ×tamp_ns, sizeof(timestamp_ns)); - rec_off = write_to_buffer(rec_off, &rec_len, sizeof(rec_len)); -+ rec_off = write_to_buffer(rec_off, &trace_pid, sizeof(trace_pid)); - - rec->tbuf_idx = idx; - rec->rec_off = (idx + sizeof(TraceRecord)) % TRACE_BUF_LEN; -@@ -414,6 +416,8 @@ bool trace_backend_init(const char *events, const char *file) - { - GThread *thread; - -+ trace_pid = getpid(); -+ - #if !GLIB_CHECK_VERSION(2, 31, 0) - trace_available_cond = g_cond_new(); - trace_empty_cond = g_cond_new(); diff --git a/0108-simpletrace-add-support-for-trace-record-pid-field.patch b/0108-simpletrace-add-support-for-trace-record-pid-field.patch deleted file mode 100644 index 6a270fa..0000000 --- a/0108-simpletrace-add-support-for-trace-record-pid-field.patch +++ /dev/null 
@@ -1,100 +0,0 @@ -From 012d97190b01b0726c47aa46d723b81fa4d193d4 Mon Sep 17 00:00:00 2001 -From: Stefan Hajnoczi -Date: Wed, 7 May 2014 19:24:11 +0200 -Subject: [PATCH] simpletrace: add support for trace record pid field - -Extract the pid field from the trace record and print it. - -Change the trace record tuple from: - (event_num, timestamp, arg1, ..., arg6) -to: - (event_num, timestamp, pid, arg1, ..., arg6) - -Trace event methods now support 3 prototypes: -1. (arg1, arg2, arg3) -2. (timestamp, arg1, arg2, arg3) -3. (timestamp, pid, arg1, arg2, arg3) - -Existing script continue to work without changes, they only know about -prototypes 1 and 2. - -Signed-off-by: Stefan Hajnoczi -(cherry picked from commit 80ff35cd3ff451e8f200413ddf27816058630c1f) ---- - scripts/simpletrace.py | 26 +++++++++++++++----------- - 1 file changed, 15 insertions(+), 11 deletions(-) - -diff --git a/scripts/simpletrace.py b/scripts/simpletrace.py -index 8bbcb42..e1b97d4 100755 ---- a/scripts/simpletrace.py -+++ b/scripts/simpletrace.py -@@ -31,10 +31,10 @@ def read_header(fobj, hfmt): - return struct.unpack(hfmt, hdr) - - def get_record(edict, rechdr, fobj): -- """Deserialize a trace record from a file into a tuple (event_num, timestamp, arg1, ..., arg6).""" -+ """Deserialize a trace record from a file into a tuple (event_num, timestamp, pid, arg1, ..., arg6).""" - if rechdr is None: - return None -- rec = (rechdr[0], rechdr[1]) -+ rec = (rechdr[0], rechdr[1], rechdr[3]) - if rechdr[0] != dropped_event_id: - event_id = rechdr[0] - event = edict[event_id] -@@ -54,12 +54,12 @@ def get_record(edict, rechdr, fobj): - - - def read_record(edict, fobj): -- """Deserialize a trace record from a file into a tuple (event_num, timestamp, arg1, ..., arg6).""" -+ """Deserialize a trace record from a file into a tuple (event_num, timestamp, pid, arg1, ..., arg6).""" - rechdr = read_header(fobj, rec_header_fmt) - return get_record(edict, rechdr, fobj) # return tuple of record elements - - def 
read_trace_file(edict, fobj): -- """Deserialize trace records from a file, yielding record tuples (event_num, timestamp, arg1, ..., arg6).""" -+ """Deserialize trace records from a file, yielding record tuples (event_num, timestamp, pid, arg1, ..., arg6).""" - header = read_header(fobj, log_header_fmt) - if header is None or \ - header[0] != header_event_id or \ -@@ -131,10 +131,13 @@ def process(events, log, analyzer): - fn_argcount = len(inspect.getargspec(fn)[0]) - 1 - if fn_argcount == event_argcount + 1: - # Include timestamp as first argument -- return lambda _, rec: fn(*rec[1:2 + event_argcount]) -+ return lambda _, rec: fn(*((rec[1:2],) + rec[3:3 + event_argcount])) -+ elif fn_argcount == event_argcount + 2: -+ # Include timestamp and pid -+ return lambda _, rec: fn(*rec[1:3 + event_argcount]) - else: -- # Just arguments, no timestamp -- return lambda _, rec: fn(*rec[2:2 + event_argcount]) -+ # Just arguments, no timestamp or pid -+ return lambda _, rec: fn(*rec[3:3 + event_argcount]) - - analyzer.begin() - fn_cache = {} -@@ -166,19 +169,20 @@ if __name__ == '__main__': - self.last_timestamp = None - - def catchall(self, event, rec): -- i = 1 - timestamp = rec[1] - if self.last_timestamp is None: - self.last_timestamp = timestamp - delta_ns = timestamp - self.last_timestamp - self.last_timestamp = timestamp - -- fields = [event.name, '%0.3f' % (delta_ns / 1000.0)] -+ fields = [event.name, '%0.3f' % (delta_ns / 1000.0), -+ 'pid=%d' % rec[2]] -+ i = 3 - for type, name in event.args: - if is_string(type): -- fields.append('%s=%s' % (name, rec[i + 1])) -+ fields.append('%s=%s' % (name, rec[i])) - else: -- fields.append('%s=0x%x' % (name, rec[i + 1])) -+ fields.append('%s=0x%x' % (name, rec[i])) - i += 1 - print ' '.join(fields) - diff --git a/0109-trace-Replace-error-with-warning-if-event-is-not-def.patch b/0109-trace-Replace-error-with-warning-if-event-is-not-def.patch deleted file mode 100644 index 273bf8c..0000000 
--- a/0109-trace-Replace-error-with-warning-if-event-is-not-def.patch +++ /dev/null @@ -1,46 +0,0 @@ -From 2e6870993d226dd8af3e2db502e8e183ee63d66a Mon Sep 17 00:00:00 2001 -From: Alexey Kardashevskiy -Date: Wed, 21 May 2014 18:16:01 +1000 -Subject: [PATCH] trace: Replace error with warning if event is not defined - -At the moment QEMU exits if trace point is not defined which makes -a developer life harder if he has to switch between branches with -different traces implemented. - -This replaces error+exit wit WARNING if the tracepoint does not exist or -not traceable. - -Signed-off-by: Alexey Kardashevskiy -Signed-off-by: Stefan Hajnoczi -(cherry picked from commit 82432638ebeedda8a2e18838b6fbef4b14a94f31) ---- - trace/control.c | 14 +++++++------- - 1 file changed, 7 insertions(+), 7 deletions(-) - -diff --git a/trace/control.c b/trace/control.c -index 49f61e1..4aa02cf 100644 ---- a/trace/control.c -+++ b/trace/control.c -@@ -112,15 +112,15 @@ void trace_backend_init_events(const char *fname) - TraceEvent *ev = trace_event_name(line_ptr); - if (ev == NULL) { - fprintf(stderr, -- "error: trace event '%s' does not exist\n", line_ptr); -- exit(1); -- } -- if (!trace_event_get_state_static(ev)) { -+ "WARNING: trace event '%s' does not exist\n", -+ line_ptr); -+ } else if (!trace_event_get_state_static(ev)) { - fprintf(stderr, -- "error: trace event '%s' is not traceable\n", line_ptr); -- exit(1); -+ "WARNING: trace event '%s' is not traceable\n", -+ line_ptr); -+ } else { -+ trace_event_set_state_dynamic(ev, enable); - } -- trace_event_set_state_dynamic(ev, enable); - } - } - } diff --git a/0110-do-not-call-g_thread_init-for-glib-2.31.patch b/0110-do-not-call-g_thread_init-for-glib-2.31.patch deleted file mode 100644 index 30675c4..0000000 --- a/0110-do-not-call-g_thread_init-for-glib-2.31.patch +++ /dev/null 
@@ -1,78 +0,0 @@
-From 6b1371a666af982f2d6c0b7dba98c425ea56d3dd Mon Sep 17 00:00:00 2001
-From: Michael Tokarev
-Date: Fri, 2 May 2014 18:35:55 +0400
-Subject: [PATCH] do not call g_thread_init() for glib >= 2.31
-
-glib >= 2.31 always enables thread support and g_thread_supported()
-is #defined to 1, there's no need to call g_thread_init() anymore,
-and it definitely does not need to report error which never happens.
-Keep code for old < 2.31 glibc anyway for now, just #ifdef it
-differently.
-
-Signed-off-by: Michael Tokarev
-Reviewed-by: Stefan Hajnoczi
-Cc: qemu-trivial@nongnu.org
-(cherry picked from commit f33cc84dd4af7776309d118412df008ec4108a57)
----
- coroutine-gthread.c | 7 ++-----
- util/osdep.c | 21 +++++++++------------
- 2 files changed, 11 insertions(+), 17 deletions(-)
-
-diff --git a/coroutine-gthread.c b/coroutine-gthread.c
-index d3e5b99..a61efe0 100644
---- a/coroutine-gthread.c
-+++ b/coroutine-gthread.c
-@@ -115,14 +115,11 @@ static inline GThread *create_thread(GThreadFunc func, gpointer data)
-
- static void __attribute__((constructor)) coroutine_init(void)
- {
-- if (!g_thread_supported()) {
- #if !GLIB_CHECK_VERSION(2, 31, 0)
-+ if (!g_thread_supported()) {
- g_thread_init(NULL);
--#else
-- fprintf(stderr, "glib threading failed to initialize.\n");
-- exit(1);
--#endif
- }
-+#endif
-
- init_coroutine_cond();
- }
-diff --git a/util/osdep.c b/util/osdep.c
-index a9029f8..b2bd154 100644
---- a/util/osdep.c
-+++ b/util/osdep.c
-@@ -436,23 +436,20 @@ int socket_init(void)
- return 0;
- }
-
--/* Ensure that glib is running in multi-threaded mode */
-+#if !GLIB_CHECK_VERSION(2, 31, 0)
-+/* Ensure that glib is running in multi-threaded mode
-+ * Old versions of glib require explicit initialization. Failure to do
-+ * this results in the single-threaded code paths being taken inside
-+ * glib. For example, the g_slice allocator will not be thread-safe
-+ * and cause crashes.
-+ */
- static void __attribute__((constructor)) thread_init(void)
- {
- if (!g_thread_supported()) {
--#if !GLIB_CHECK_VERSION(2, 31, 0)
-- /* Old versions of glib require explicit initialization. Failure to do
-- * this results in the single-threaded code paths being taken inside
-- * glib. For example, the g_slice allocator will not be thread-safe
-- * and cause crashes.
-- */
-- g_thread_init(NULL);
--#else
-- fprintf(stderr, "glib threading failed to initialize.\n");
-- exit(1);
--#endif
-+ g_thread_init(NULL);
- }
- }
-+#endif
-
- #ifndef CONFIG_IOVEC
- /* helper function for iov_send_recv() */
diff --git a/0111-glib-move-g_poll-replacement-into-glib-compat.h.patch b/0111-glib-move-g_poll-replacement-into-glib-compat.h.patch
deleted file mode 100644
index 70117f9..0000000
--- a/0111-glib-move-g_poll-replacement-into-glib-compat.h.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From 6c1369c499e74fccbbfb97b3ec3e5da59d382031 Mon Sep 17 00:00:00 2001
-From: Stefan Hajnoczi
-Date: Fri, 2 May 2014 18:35:56 +0400
-Subject: [PATCH] glib: move g_poll() replacement into glib-compat.h
-
-We have a dedicated header file for wrappers to smooth over glib version
-differences. Move the g_poll() definition into glib-compat.h for
-consistency.
-
-Signed-off-by: Stefan Hajnoczi
-Signed-off-by: Michael Tokarev
-Cc: qemu-trivial@nongnu.org
-(cherry picked from commit f95c967a7950797109d2a96fcfa2e3a2899f2c99)
----
- include/glib-compat.h | 12 ++++++++++++
- include/qemu-common.h | 12 ------------
- 2 files changed, 12 insertions(+), 12 deletions(-)
-
-diff --git a/include/glib-compat.h b/include/glib-compat.h
-index 8aa77af..8d25900 100644
---- a/include/glib-compat.h
-+++ b/include/glib-compat.h
-@@ -24,4 +24,16 @@ static inline guint g_timeout_add_seconds(guint interval, GSourceFunc function,
- }
- #endif
-
-+#if !GLIB_CHECK_VERSION(2, 20, 0)
-+/*
-+ * Glib before 2.20.0 doesn't implement g_poll, so wrap it to compile properly
-+ * on older systems.
-+ */
-+static inline gint g_poll(GPollFD *fds, guint nfds, gint timeout)
-+{
-+ GMainContext *ctx = g_main_context_default();
-+ return g_main_context_get_poll_func(ctx)(fds, nfds, timeout);
-+}
-+#endif
-+
- #endif
-diff --git a/include/qemu-common.h b/include/qemu-common.h
-index a998e8d..3f3fd60 100644
---- a/include/qemu-common.h
-+++ b/include/qemu-common.h
-@@ -124,18 +124,6 @@ int qemu_main(int argc, char **argv, char **envp);
- void qemu_get_timedate(struct tm *tm, int offset);
- int qemu_timedate_diff(struct tm *tm);
-
--#if !GLIB_CHECK_VERSION(2, 20, 0)
--/*
-- * Glib before 2.20.0 doesn't implement g_poll, so wrap it to compile properly
-- * on older systems.
-- */
--static inline gint g_poll(GPollFD *fds, guint nfds, gint timeout)
--{
-- GMainContext *ctx = g_main_context_default();
-- return g_main_context_get_poll_func(ctx)(fds, nfds, timeout);
--}
--#endif
--
- /**
- * is_help_option:
- * @s: string to test
diff --git a/0112-glib-fix-g_poll-early-timeout-on-windows.patch b/0112-glib-fix-g_poll-early-timeout-on-windows.patch
deleted file mode 100644
index 00bfd53..0000000
--- a/0112-glib-fix-g_poll-early-timeout-on-windows.patch
+++ /dev/null
@@ -1,171 +0,0 @@ -From 488f948b9f89a0dd90ed465f5d692230af2ecb05 Mon Sep 17 00:00:00 2001 -From: Sangho Park -Date: Thu, 8 May 2014 12:47:10 +0400 -Subject: [PATCH] glib: fix g_poll early timeout on windows - -g_poll has a problem on Windows when using -timeouts < 10ms, in glib/gpoll.c: - -/* If not, and we have a significant timeout, poll again with - * timeout then. Note that this will return indication for only - * one event, or only for messages. We ignore timeouts less than - * ten milliseconds as they are mostly pointless on Windows, the - * MsgWaitForMultipleObjectsEx() call will timeout right away - * anyway. - */ -if (retval == 0 && (timeout == INFINITE || timeout >= 10)) - retval = poll_rest (poll_msgs, handles, nhandles, fds, nfds, timeout); - -so whenever g_poll is called with timeout < 10ms it does -a quick poll instead of wait, this causes significant performance -degradation of QEMU, thus we should use WaitForMultipleObjectsEx -directly - -Signed-off-by: Stanislav Vorobiov -Signed-off-by: Stefan Hajnoczi -(cherry picked from commit 5a007547df76446ab891df93ebc55749716609bf) ---- - include/glib-compat.h | 9 +++- - util/oslib-win32.c | 112 ++++++++++++++++++++++++++++++++++++++++++++++++++ - 2 files changed, 120 insertions(+), 1 deletion(-) - -diff --git a/include/glib-compat.h b/include/glib-compat.h -index 8d25900..1280fb2 100644 ---- a/include/glib-compat.h -+++ b/include/glib-compat.h -@@ -24,7 +24,14 @@ static inline guint g_timeout_add_seconds(guint interval, GSourceFunc function, - } - #endif - --#if !GLIB_CHECK_VERSION(2, 20, 0) -+#ifdef _WIN32 -+/* -+ * g_poll has a problem on Windows when using -+ * timeouts < 10ms, so use wrapper. -+ */ -+#define g_poll(fds, nfds, timeout) g_poll_fixed(fds, nfds, timeout) -+gint g_poll_fixed(GPollFD *fds, guint nfds, gint timeout); -+#elif !GLIB_CHECK_VERSION(2, 20, 0) - /* - * Glib before 2.20.0 doesn't implement g_poll, so wrap it to compile properly - * on older systems. 
-diff --git a/util/oslib-win32.c b/util/oslib-win32.c -index 93f7d35..69552f7 100644 ---- a/util/oslib-win32.c -+++ b/util/oslib-win32.c -@@ -238,3 +238,115 @@ char *qemu_get_exec_dir(void) - { - return g_strdup(exec_dir); - } -+ -+/* -+ * g_poll has a problem on Windows when using -+ * timeouts < 10ms, in glib/gpoll.c: -+ * -+ * // If not, and we have a significant timeout, poll again with -+ * // timeout then. Note that this will return indication for only -+ * // one event, or only for messages. We ignore timeouts less than -+ * // ten milliseconds as they are mostly pointless on Windows, the -+ * // MsgWaitForMultipleObjectsEx() call will timeout right away -+ * // anyway. -+ * -+ * if (retval == 0 && (timeout == INFINITE || timeout >= 10)) -+ * retval = poll_rest (poll_msgs, handles, nhandles, fds, nfds, timeout); -+ * -+ * So whenever g_poll is called with timeout < 10ms it does -+ * a quick poll instead of wait, this causes significant performance -+ * degradation of QEMU, thus we should use WaitForMultipleObjectsEx -+ * directly -+ */ -+gint g_poll_fixed(GPollFD *fds, guint nfds, gint timeout) -+{ -+ guint i; -+ HANDLE handles[MAXIMUM_WAIT_OBJECTS]; -+ gint nhandles = 0; -+ int num_completed = 0; -+ -+ for (i = 0; i < nfds; i++) { -+ gint j; -+ -+ if (fds[i].fd <= 0) { -+ continue; -+ } -+ -+ /* don't add same handle several times -+ */ -+ for (j = 0; j < nhandles; j++) { -+ if (handles[j] == (HANDLE)fds[i].fd) { -+ break; -+ } -+ } -+ -+ if (j == nhandles) { -+ if (nhandles == MAXIMUM_WAIT_OBJECTS) { -+ fprintf(stderr, "Too many handles to wait for!\n"); -+ break; -+ } else { -+ handles[nhandles++] = (HANDLE)fds[i].fd; -+ } -+ } -+ } -+ -+ for (i = 0; i < nfds; ++i) { -+ fds[i].revents = 0; -+ } -+ -+ if (timeout == -1) { -+ timeout = INFINITE; -+ } -+ -+ if (nhandles == 0) { -+ if (timeout == INFINITE) { -+ return -1; -+ } else { -+ SleepEx(timeout, TRUE); -+ return 0; -+ } -+ } -+ -+ while (1) { -+ DWORD res; -+ gint j; -+ -+ res = 
WaitForMultipleObjectsEx(nhandles, handles, FALSE, -+ timeout, TRUE); -+ -+ if (res == WAIT_FAILED) { -+ for (i = 0; i < nfds; ++i) { -+ fds[i].revents = 0; -+ } -+ -+ return -1; -+ } else if ((res == WAIT_TIMEOUT) || (res == WAIT_IO_COMPLETION) || -+ ((int)res < (int)WAIT_OBJECT_0) || -+ (res >= (WAIT_OBJECT_0 + nhandles))) { -+ break; -+ } -+ -+ for (i = 0; i < nfds; ++i) { -+ if (handles[res - WAIT_OBJECT_0] == (HANDLE)fds[i].fd) { -+ fds[i].revents = fds[i].events; -+ } -+ } -+ -+ ++num_completed; -+ -+ if (nhandles <= 1) { -+ break; -+ } -+ -+ /* poll the rest of the handles -+ */ -+ for (j = res - WAIT_OBJECT_0 + 1; j < nhandles; j++) { -+ handles[j - 1] = handles[j]; -+ } -+ --nhandles; -+ -+ timeout = 0; -+ } -+ -+ return num_completed; -+} diff --git a/0113-glib-compat.h-add-new-thread-API-emulation-on-top-of.patch b/0113-glib-compat.h-add-new-thread-API-emulation-on-top-of.patch deleted file mode 100644 index f79651f..0000000 --- a/0113-glib-compat.h-add-new-thread-API-emulation-on-top-of.patch +++ /dev/null 
@@ -1,350 +0,0 @@ -From 57a1d211179279727d5afa21a7feba2d249d6867 Mon Sep 17 00:00:00 2001 -From: Michael Tokarev -Date: Thu, 8 May 2014 12:30:46 +0400 -Subject: [PATCH] glib-compat.h: add new thread API emulation on top of - pre-2.31 API - -Thread API changed in glib-2.31 significantly. Before that version, -conditionals and mutexes were only allocated dynamically, using -_new()/_free() interface. in 2.31 and up, they're allocated statically -as regular variables, and old interface is deprecated. - -(Note: glib docs says the new interface is available since version -2.32, but it was actually introduced in version 2.31). - -Create the new interface using old primitives, by providing non-opaque -definitions of the base types (GCond and GMutex) using GOnces. - -Replace #ifdeffery around GCond and GMutex in trace/simple.c and -coroutine-gthread.c too because it does not work anymore with the new -glib-compat.h. - -Signed-off-by: Michael Tokarev -Reviewed-by: Stefan Hajnoczi -[Use GOnce to support lazy initialization; introduce CompatGMutex - and CompatGCond. - Paolo] -Signed-off-by: Paolo Bonzini - -(cherry picked from commit 86946a2d835614050b90bc8e5c82982fe45deff2) ---- - coroutine-gthread.c | 29 ++++-------- - include/glib-compat.h | 119 ++++++++++++++++++++++++++++++++++++++++++++++++++ - trace/simple.c | 50 +++++---------------- - 3 files changed, 138 insertions(+), 60 deletions(-) - -diff --git a/coroutine-gthread.c b/coroutine-gthread.c -index a61efe0..6bd6d6b 100644 ---- a/coroutine-gthread.c -+++ b/coroutine-gthread.c -@@ -30,20 +30,14 @@ typedef struct { - CoroutineAction action; - } CoroutineGThread; - --static GStaticMutex coroutine_lock = G_STATIC_MUTEX_INIT; -+static CompatGMutex coroutine_lock; -+static CompatGCond coroutine_cond; - - /* GLib 2.31 and beyond deprecated various parts of the thread API, - * but the new interfaces are not available in older GLib versions - * so we have to cope with both. 
- */ - #if GLIB_CHECK_VERSION(2, 31, 0) --/* Default zero-initialisation is sufficient for 2.31+ GCond */ --static GCond the_coroutine_cond; --static GCond *coroutine_cond = &the_coroutine_cond; --static inline void init_coroutine_cond(void) --{ --} -- - /* Awkwardly, the GPrivate API doesn't provide a way to update the - * GDestroyNotify handler for the coroutine key dynamically. So instead - * we track whether or not the CoroutineGThread should be freed on -@@ -84,11 +78,6 @@ static inline GThread *create_thread(GThreadFunc func, gpointer data) - #else - - /* Handle older GLib versions */ --static GCond *coroutine_cond; --static inline void init_coroutine_cond(void) --{ -- coroutine_cond = g_cond_new(); --} - - static GStaticPrivate coroutine_key = G_STATIC_PRIVATE_INIT; - -@@ -120,22 +109,20 @@ static void __attribute__((constructor)) coroutine_init(void) - g_thread_init(NULL); - } - #endif -- -- init_coroutine_cond(); - } - - static void coroutine_wait_runnable_locked(CoroutineGThread *co) - { - while (!co->runnable) { -- g_cond_wait(coroutine_cond, g_static_mutex_get_mutex(&coroutine_lock)); -+ g_cond_wait(&coroutine_cond, &coroutine_lock); - } - } - - static void coroutine_wait_runnable(CoroutineGThread *co) - { -- g_static_mutex_lock(&coroutine_lock); -+ g_mutex_lock(&coroutine_lock); - coroutine_wait_runnable_locked(co); -- g_static_mutex_unlock(&coroutine_lock); -+ g_mutex_unlock(&coroutine_lock); - } - - static gpointer coroutine_thread(gpointer opaque) -@@ -177,17 +164,17 @@ CoroutineAction qemu_coroutine_switch(Coroutine *from_, - CoroutineGThread *from = DO_UPCAST(CoroutineGThread, base, from_); - CoroutineGThread *to = DO_UPCAST(CoroutineGThread, base, to_); - -- g_static_mutex_lock(&coroutine_lock); -+ g_mutex_lock(&coroutine_lock); - from->runnable = false; - from->action = action; - to->runnable = true; - to->action = action; -- g_cond_broadcast(coroutine_cond); -+ g_cond_broadcast(&coroutine_cond); - - if (action != COROUTINE_TERMINATE) { - 
coroutine_wait_runnable_locked(from); - } -- g_static_mutex_unlock(&coroutine_lock); -+ g_mutex_unlock(&coroutine_lock); - return from->action; - } - -diff --git a/include/glib-compat.h b/include/glib-compat.h -index 1280fb2..4ae0671 100644 ---- a/include/glib-compat.h -+++ b/include/glib-compat.h -@@ -5,6 +5,8 @@ - * - * Authors: - * Anthony Liguori -+ * Michael Tokarev -+ * Paolo Bonzini - * - * This work is licensed under the terms of the GNU GPL, version 2 or later. - * See the COPYING file in the top-level directory. -@@ -43,4 +45,121 @@ static inline gint g_poll(GPollFD *fds, guint nfds, gint timeout) - } - #endif - -+#if !GLIB_CHECK_VERSION(2, 31, 0) -+/* before glib-2.31, GMutex and GCond was dynamic-only (there was a separate -+ * GStaticMutex, but it didn't work with condition variables). -+ * -+ * Our implementation uses GOnce to fake a static implementation that does -+ * not require separate initialization. -+ * We need to rename the types to avoid passing our CompatGMutex/CompatGCond -+ * by mistake to a function that expects GMutex/GCond. However, for ease -+ * of use we keep the GLib function names. GLib uses macros for the -+ * implementation, we use inline functions instead and undefine the macros. 
-+ */ -+ -+typedef struct CompatGMutex { -+ GOnce once; -+} CompatGMutex; -+ -+typedef struct CompatGCond { -+ GOnce once; -+} CompatGCond; -+ -+static inline gpointer do_g_mutex_new(gpointer unused) -+{ -+ return (gpointer) g_mutex_new(); -+} -+ -+static inline void g_mutex_init(CompatGMutex *mutex) -+{ -+ mutex->once = (GOnce) G_ONCE_INIT; -+} -+ -+static inline void g_mutex_clear(CompatGMutex *mutex) -+{ -+ assert(mutex->once.status != G_ONCE_STATUS_PROGRESS); -+ if (mutex->once.retval) { -+ g_mutex_free((GMutex *) mutex->once.retval); -+ } -+ mutex->once = (GOnce) G_ONCE_INIT; -+} -+ -+static inline void (g_mutex_lock)(CompatGMutex *mutex) -+{ -+ g_once(&mutex->once, do_g_mutex_new, NULL); -+ g_mutex_lock((GMutex *) mutex->once.retval); -+} -+#undef g_mutex_lock -+ -+static inline gboolean (g_mutex_trylock)(CompatGMutex *mutex) -+{ -+ g_once(&mutex->once, do_g_mutex_new, NULL); -+ return g_mutex_trylock((GMutex *) mutex->once.retval); -+} -+#undef g_mutex_trylock -+ -+ -+static inline void (g_mutex_unlock)(CompatGMutex *mutex) -+{ -+ g_mutex_unlock((GMutex *) mutex->once.retval); -+} -+#undef g_mutex_unlock -+ -+static inline gpointer do_g_cond_new(gpointer unused) -+{ -+ return (gpointer) g_cond_new(); -+} -+ -+static inline void g_cond_init(CompatGCond *cond) -+{ -+ cond->once = (GOnce) G_ONCE_INIT; -+} -+ -+static inline void g_cond_clear(CompatGCond *cond) -+{ -+ assert(cond->once.status != G_ONCE_STATUS_PROGRESS); -+ if (cond->once.retval) { -+ g_cond_free((GCond *) cond->once.retval); -+ } -+ cond->once = (GOnce) G_ONCE_INIT; -+} -+ -+static inline void (g_cond_wait)(CompatGCond *cond, CompatGMutex *mutex) -+{ -+ assert(mutex->once.status != G_ONCE_STATUS_PROGRESS); -+ g_once(&cond->once, do_g_cond_new, NULL); -+ g_cond_wait((GCond *) cond->once.retval, (GMutex *) mutex->once.retval); -+} -+#undef g_cond_wait -+ -+static inline void (g_cond_broadcast)(CompatGCond *cond) -+{ -+ g_once(&cond->once, do_g_cond_new, NULL); -+ g_cond_broadcast((GCond *) 
cond->once.retval); -+} -+#undef g_cond_broadcast -+ -+static inline void (g_cond_signal)(CompatGCond *cond) -+{ -+ g_once(&cond->once, do_g_cond_new, NULL); -+ g_cond_signal((GCond *) cond->once.retval); -+} -+#undef g_cond_signal -+ -+ -+/* before 2.31 there was no g_thread_new() */ -+static inline GThread *g_thread_new(const char *name, -+ GThreadFunc func, gpointer data) -+{ -+ GThread *thread = g_thread_create(func, data, TRUE, NULL); -+ if (!thread) { -+ g_error("creating thread"); -+ } -+ return thread; -+} -+#else -+#define CompatGMutex GMutex -+#define CompatGCond GCond -+#endif /* glib 2.31 */ -+ - #endif -diff --git a/trace/simple.c b/trace/simple.c -index 1584bf7..8fc96fe 100644 ---- a/trace/simple.c -+++ b/trace/simple.c -@@ -40,28 +40,9 @@ - * Trace records are written out by a dedicated thread. The thread waits for - * records to become available, writes them out, and then waits again. - */ --#if GLIB_CHECK_VERSION(2, 32, 0) --static GMutex trace_lock; --#define lock_trace_lock() g_mutex_lock(&trace_lock) --#define unlock_trace_lock() g_mutex_unlock(&trace_lock) --#define get_trace_lock_mutex() (&trace_lock) --#else --static GStaticMutex trace_lock = G_STATIC_MUTEX_INIT; --#define lock_trace_lock() g_static_mutex_lock(&trace_lock) --#define unlock_trace_lock() g_static_mutex_unlock(&trace_lock) --#define get_trace_lock_mutex() g_static_mutex_get_mutex(&trace_lock) --#endif -- --/* g_cond_new() was deprecated in glib 2.31 but we still need to support it */ --#if GLIB_CHECK_VERSION(2, 31, 0) --static GCond the_trace_available_cond; --static GCond the_trace_empty_cond; --static GCond *trace_available_cond = &the_trace_available_cond; --static GCond *trace_empty_cond = &the_trace_empty_cond; --#else --static GCond *trace_available_cond; --static GCond *trace_empty_cond; --#endif -+static CompatGMutex trace_lock; -+static CompatGCond trace_available_cond; -+static CompatGCond trace_empty_cond; - - static bool trace_available; - static bool 
trace_writeout_enabled; -@@ -151,26 +132,26 @@ static bool get_trace_record(unsigned int idx, TraceRecord **recordptr) - */ - static void flush_trace_file(bool wait) - { -- lock_trace_lock(); -+ g_mutex_lock(&trace_lock); - trace_available = true; -- g_cond_signal(trace_available_cond); -+ g_cond_signal(&trace_available_cond); - - if (wait) { -- g_cond_wait(trace_empty_cond, get_trace_lock_mutex()); -+ g_cond_wait(&trace_empty_cond, &trace_lock); - } - -- unlock_trace_lock(); -+ g_mutex_unlock(&trace_lock); - } - - static void wait_for_trace_records_available(void) - { -- lock_trace_lock(); -+ g_mutex_lock(&trace_lock); - while (!(trace_available && trace_writeout_enabled)) { -- g_cond_signal(trace_empty_cond); -- g_cond_wait(trace_available_cond, get_trace_lock_mutex()); -+ g_cond_signal(&trace_empty_cond); -+ g_cond_wait(&trace_available_cond, &trace_lock); - } - trace_available = false; -- unlock_trace_lock(); -+ g_mutex_unlock(&trace_lock); - } - - static gpointer writeout_thread(gpointer opaque) -@@ -399,11 +380,7 @@ static GThread *trace_thread_create(GThreadFunc fn) - pthread_sigmask(SIG_SETMASK, &set, &oldset); - #endif - --#if GLIB_CHECK_VERSION(2, 31, 0) - thread = g_thread_new("trace-thread", fn, NULL); --#else -- thread = g_thread_create(fn, NULL, FALSE, NULL); --#endif - - #ifndef _WIN32 - pthread_sigmask(SIG_SETMASK, &oldset, NULL); -@@ -418,11 +395,6 @@ bool trace_backend_init(const char *events, const char *file) - - trace_pid = getpid(); - --#if !GLIB_CHECK_VERSION(2, 31, 0) -- trace_available_cond = g_cond_new(); -- trace_empty_cond = g_cond_new(); --#endif -- - thread = trace_thread_create(writeout_thread); - if (!thread) { - fprintf(stderr, "warning: unable to initialize simple trace backend\n"); diff --git a/0114-libcacard-replace-pstrcpy-with-memcpy.patch b/0114-libcacard-replace-pstrcpy-with-memcpy.patch deleted file mode 100644 index 25ec2dd..0000000 --- a/0114-libcacard-replace-pstrcpy-with-memcpy.patch +++ /dev/null 
@@ -1,38 +0,0 @@
-From c916d06403eec41a92eabf52b31102d3b7068da8 Mon Sep 17 00:00:00 2001
-From: Michael Tokarev
-Date: Fri, 2 May 2014 18:35:59 +0400
-Subject: [PATCH] libcacard: replace pstrcpy() with memcpy()
-
-Commit 2e679780ae86c6ca8 replaced strncpy() with pstrcpy()
-in one place in libcacard. This is a qemu-specific function,
-while libcacard is a stand-alone library (or tries to be).
-But since we know the exact length of the string to copy,
-and know that it definitely will fit in the destination
-buffer, use memcpy() instead, and null-terminate the string
-after that.
-
-An alternative is to use g_strlcpy() or strncpy(), but memcpy()
-is more than adequate in this place.
-
-Signed-off-by: Michael Tokarev
-Cc: qemu-trivial@nongnu.org
-Cc: Alon Levy
-(cherry picked from commit a22f8f38942623dc473bf5ced5b4117b8bdf4821)
----
- libcacard/vcard_emul_nss.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/libcacard/vcard_emul_nss.c b/libcacard/vcard_emul_nss.c
-index ee2dfae..e2b196d 100644
---- a/libcacard/vcard_emul_nss.c
-+++ b/libcacard/vcard_emul_nss.c
-@@ -1162,7 +1162,8 @@ vcard_emul_options(const char *args)
- NEXT_TOKEN(vname)
- NEXT_TOKEN(type_params)
- type_params_length = MIN(type_params_length, sizeof(type_str)-1);
-- pstrcpy(type_str, type_params_length, type_params);
-+ memcpy(type_str, type_params, type_params_length);
-+ type_str[type_params_length] = '\0';
- type = vcard_emul_type_from_string(type_str);
-
- NEXT_TOKEN(type_params)
diff --git a/0115-libcacard-g_malloc-cleanups.patch b/0115-libcacard-g_malloc-cleanups.patch
deleted file mode 100644
index 5b2d98d..0000000
--- a/0115-libcacard-g_malloc-cleanups.patch
+++ /dev/null
@@ -1,236 +0,0 @@ -From 118436ff47d7269f4bf3e3c1cd83df4b44b7d5c2 Mon Sep 17 00:00:00 2001 -From: Michael Tokarev -Date: Thu, 8 May 2014 19:51:01 +0400 -Subject: [PATCH] libcacard: g_malloc cleanups - -This patch replaces g_malloc() in libcacard into g_new() -or g_new0() where appropriate (removing some init-to-zero -surrounding code), g_malloc+memcpy into g_memdup() and the -like. - -Signed-off-by: Michael Tokarev -Reviewed-by: Alon Levy -(cherry picked from commit 78a4b8d2051bff8e8794e9419b7925122212b096) ---- - libcacard/cac.c | 11 +++-------- - libcacard/card_7816.c | 11 +++++------ - libcacard/event.c | 2 +- - libcacard/vcard.c | 22 +++++----------------- - libcacard/vcard_emul_nss.c | 12 ++++++------ - libcacard/vreader.c | 11 +++-------- - 6 files changed, 23 insertions(+), 46 deletions(-) - -diff --git a/libcacard/cac.c b/libcacard/cac.c -index 74ef3e3..122129e 100644 ---- a/libcacard/cac.c -+++ b/libcacard/cac.c -@@ -310,16 +310,11 @@ static VCardAppletPrivate * - cac_new_pki_applet_private(const unsigned char *cert, - int cert_len, VCardKey *key) - { -- CACPKIAppletData *pki_applet_data = NULL; -- VCardAppletPrivate *applet_private = NULL; -- applet_private = (VCardAppletPrivate *)g_malloc(sizeof(VCardAppletPrivate)); -+ CACPKIAppletData *pki_applet_data; -+ VCardAppletPrivate *applet_private; - -+ applet_private = g_new0(VCardAppletPrivate, 1); - pki_applet_data = &(applet_private->u.pki_data); -- pki_applet_data->cert_buffer = NULL; -- pki_applet_data->cert_buffer_len = 0; -- pki_applet_data->sign_buffer = NULL; -- pki_applet_data->sign_buffer_len = 0; -- pki_applet_data->key = NULL; - pki_applet_data->cert = (unsigned char *)g_malloc(cert_len+1); - /* - * if we want to support compression, then we simply change the 0 to a 1 -diff --git a/libcacard/card_7816.c b/libcacard/card_7816.c -index c28bb60..bca8c4a 100644 ---- a/libcacard/card_7816.c -+++ b/libcacard/card_7816.c -@@ -51,7 +51,7 @@ vcard_response_new_data(unsigned char *buf, int len) - { - 
VCardResponse *new_response; - -- new_response = (VCardResponse *)g_malloc(sizeof(VCardResponse)); -+ new_response = g_new(VCardResponse, 1); - new_response->b_data = g_malloc(len + 2); - memcpy(new_response->b_data, buf, len); - new_response->b_total_len = len+2; -@@ -132,7 +132,7 @@ vcard_response_new_status(vcard_7816_status_t status) - { - VCardResponse *new_response; - -- new_response = (VCardResponse *)g_malloc(sizeof(VCardResponse)); -+ new_response = g_new(VCardResponse, 1); - new_response->b_data = &new_response->b_sw1; - new_response->b_len = 0; - new_response->b_total_len = 2; -@@ -149,7 +149,7 @@ vcard_response_new_status_bytes(unsigned char sw1, unsigned char sw2) - { - VCardResponse *new_response; - -- new_response = (VCardResponse *)g_malloc(sizeof(VCardResponse)); -+ new_response = g_new(VCardResponse, 1); - new_response->b_data = &new_response->b_sw1; - new_response->b_len = 0; - new_response->b_total_len = 2; -@@ -336,9 +336,8 @@ vcard_apdu_new(unsigned char *raw_apdu, int len, vcard_7816_status_t *status) - return NULL; - } - -- new_apdu = (VCardAPDU *)g_malloc(sizeof(VCardAPDU)); -- new_apdu->a_data = g_malloc(len); -- memcpy(new_apdu->a_data, raw_apdu, len); -+ new_apdu = g_new(VCardAPDU, 1); -+ new_apdu->a_data = g_memdup(raw_apdu, len); - new_apdu->a_len = len; - *status = vcard_apdu_set_class(new_apdu); - if (*status != VCARD7816_STATUS_SUCCESS) { -diff --git a/libcacard/event.c b/libcacard/event.c -index 2d7500f..a2e6c7d 100644 ---- a/libcacard/event.c -+++ b/libcacard/event.c -@@ -17,7 +17,7 @@ vevent_new(VEventType type, VReader *reader, VCard *card) - { - VEvent *new_vevent; - -- new_vevent = (VEvent *)g_malloc(sizeof(VEvent)); -+ new_vevent = g_new(VEvent, 1); - new_vevent->next = NULL; - new_vevent->type = type; - new_vevent->reader = vreader_reference(reader); -diff --git a/libcacard/vcard.c b/libcacard/vcard.c -index 539177b..227e477 100644 ---- a/libcacard/vcard.c -+++ b/libcacard/vcard.c -@@ -37,9 +37,8 @@ 
vcard_buffer_response_new(unsigned char *buffer, int size) - { - VCardBufferResponse *new_buffer; - -- new_buffer = (VCardBufferResponse *)g_malloc(sizeof(VCardBufferResponse)); -- new_buffer->buffer = (unsigned char *)g_malloc(size); -- memcpy(new_buffer->buffer, buffer, size); -+ new_buffer = g_new(VCardBufferResponse, 1); -+ new_buffer->buffer = (unsigned char *)g_memdup(buffer, size); - new_buffer->buffer_len = size; - new_buffer->current = new_buffer->buffer; - new_buffer->len = size; -@@ -102,15 +101,11 @@ vcard_new_applet(VCardProcessAPDU applet_process_function, - { - VCardApplet *applet; - -- applet = (VCardApplet *)g_malloc(sizeof(VCardApplet)); -- applet->next = NULL; -- applet->applet_private = NULL; -- applet->applet_private_free = NULL; -+ applet = g_new0(VCardApplet, 1); - applet->process_apdu = applet_process_function; - applet->reset_applet = applet_reset_function; - -- applet->aid = g_malloc(aid_len); -- memcpy(applet->aid, aid, aid_len); -+ applet->aid = g_memdup(aid, aid_len); - applet->aid_len = aid_len; - return applet; - } -@@ -149,18 +144,11 @@ VCard * - vcard_new(VCardEmul *private, VCardEmulFree private_free) - { - VCard *new_card; -- int i; - -- new_card = (VCard *)g_malloc(sizeof(VCard)); -- new_card->applet_list = NULL; -- for (i = 0; i < MAX_CHANNEL; i++) { -- new_card->current_applet[i] = NULL; -- } -- new_card->vcard_buffer_response = NULL; -+ new_card = g_new0(VCard, 1); - new_card->type = VCARD_VM; - new_card->vcard_private = private; - new_card->vcard_private_free = private_free; -- new_card->vcard_get_atr = NULL; - new_card->reference_count = 1; - return new_card; - } -diff --git a/libcacard/vcard_emul_nss.c b/libcacard/vcard_emul_nss.c -index e2b196d..75b9d79 100644 ---- a/libcacard/vcard_emul_nss.c -+++ b/libcacard/vcard_emul_nss.c -@@ -94,9 +94,9 @@ static void - vcard_emul_alloc_arrays(unsigned char ***certsp, int **cert_lenp, - VCardKey ***keysp, int cert_count) - { -- *certsp = (unsigned char **)g_malloc(sizeof(unsigned 
char *)*cert_count); -- *cert_lenp = (int *)g_malloc(sizeof(int)*cert_count); -- *keysp = (VCardKey **)g_malloc(sizeof(VCardKey *)*cert_count); -+ *certsp = g_new(unsigned char *, cert_count); -+ *cert_lenp = g_new(int, cert_count); -+ *keysp = g_new(VCardKey *, cert_count); - } - - /* -@@ -139,7 +139,7 @@ vcard_emul_make_key(PK11SlotInfo *slot, CERTCertificate *cert) - { - VCardKey *key; - -- key = (VCardKey *)g_malloc(sizeof(VCardKey)); -+ key = g_new(VCardKey, 1); - key->slot = PK11_ReferenceSlot(slot); - key->cert = CERT_DupCertificate(cert); - /* NOTE: if we aren't logged into the token, this could return NULL */ -@@ -449,7 +449,7 @@ vreader_emul_new(PK11SlotInfo *slot, VCardEmulType type, const char *params) - { - VReaderEmul *new_reader_emul; - -- new_reader_emul = (VReaderEmul *)g_malloc(sizeof(VReaderEmul)); -+ new_reader_emul = g_new(VReaderEmul, 1); - - new_reader_emul->slot = PK11_ReferenceSlot(slot); - new_reader_emul->default_type = type; -@@ -1189,7 +1189,7 @@ vcard_emul_options(const char *args) - g_strndup(type_params, type_params_length); - count = count_tokens(args, ',', ')') + 1; - vreaderOpt->cert_count = count; -- vreaderOpt->cert_name = (char **)g_malloc(count*sizeof(char *)); -+ vreaderOpt->cert_name = g_new(char *, count); - for (i = 0; i < count; i++) { - const char *cert = args; - args = strpbrk(args, ",)"); -diff --git a/libcacard/vreader.c b/libcacard/vreader.c -index 5793d73..215a2f6 100644 ---- a/libcacard/vreader.c -+++ b/libcacard/vreader.c -@@ -115,7 +115,7 @@ vreader_new(const char *name, VReaderEmul *private, - { - VReader *reader; - -- reader = (VReader *)g_malloc(sizeof(VReader)); -+ reader = g_new(VReader, 1); - qemu_mutex_init(&reader->lock); - reader->reference_count = 1; - reader->name = g_strdup(name); -@@ -312,10 +312,7 @@ vreader_list_entry_new(VReader *reader) - { - VReaderListEntry *new_reader_list_entry; - -- new_reader_list_entry = (VReaderListEntry *) -- g_malloc(sizeof(VReaderListEntry)); -- 
new_reader_list_entry->next = NULL; -- new_reader_list_entry->prev = NULL; -+ new_reader_list_entry = g_new0(VReaderListEntry, 1); - new_reader_list_entry->reader = vreader_reference(reader); - return new_reader_list_entry; - } -@@ -336,9 +333,7 @@ vreader_list_new(void) - { - VReaderList *new_reader_list; - -- new_reader_list = (VReaderList *)g_malloc(sizeof(VReaderList)); -- new_reader_list->head = NULL; -- new_reader_list->tail = NULL; -+ new_reader_list = g_new0(VReaderList, 1); - return new_reader_list; - } - diff --git a/0116-vscclient-use-glib-thread-primitives-not-qemu.patch b/0116-vscclient-use-glib-thread-primitives-not-qemu.patch deleted file mode 100644 index 018f9e6..0000000 --- a/0116-vscclient-use-glib-thread-primitives-not-qemu.patch +++ /dev/null 
@@ -1,218 +0,0 @@ -From 4a609afa4206d7af9fe2c8dcfbe7850509701aff Mon Sep 17 00:00:00 2001 -From: Michael Tokarev -Date: Thu, 8 May 2014 12:30:47 +0400 -Subject: [PATCH] vscclient: use glib thread primitives not qemu - -Use glib-provided thread primitives in vscclient instead of -qemu ones, and do not use qemu sockets in there (open-code -call to WSAStartup() for windows to initialize things). - -This way, vscclient becomes more stand-alone, independent on -qemu internals. - -Signed-off-by: Michael Tokarev -Reviewed-by: Alon Levy -Tested-by: Alon Levy -Signed-off-by: Paolo Bonzini -(cherry picked from commit 2a0c46da967e5dc8cfe73b1b6fe7a1600c04f461) ---- - libcacard/vscclient.c | 70 +++++++++++++++++++++++++++------------------------ - 1 file changed, 37 insertions(+), 33 deletions(-) - -diff --git a/libcacard/vscclient.c b/libcacard/vscclient.c -index 3477ab3..598206b 100644 ---- a/libcacard/vscclient.c -+++ b/libcacard/vscclient.c -@@ -12,12 +12,10 @@ - - #ifndef _WIN32 - #include -+#define closesocket(x) close(x) - #endif --#include - - #include "qemu-common.h" --#include "qemu/thread.h" --#include "qemu/sockets.h" - - #include "vscard_common.h" - -@@ -54,7 +52,7 @@ print_usage(void) { - - static GIOChannel *channel_socket; - static GByteArray *socket_to_send; --static QemuMutex socket_to_send_lock; -+static CompatGMutex socket_to_send_lock; - static guint socket_tag; - - static void -@@ -103,7 +101,7 @@ send_msg( - ) { - VSCMsgHeader mhHeader; - -- qemu_mutex_lock(&socket_to_send_lock); -+ g_mutex_lock(&socket_to_send_lock); - - if (verbose > 10) { - printf("sending type=%d id=%u, len =%u (0x%x)\n", -@@ -117,18 +115,18 @@ send_msg( - g_byte_array_append(socket_to_send, (guint8 *)msg, length); - g_idle_add(socket_prepare_sending, NULL); - -- qemu_mutex_unlock(&socket_to_send_lock); -+ g_mutex_unlock(&socket_to_send_lock); - - return 0; - } - - static VReader *pending_reader; --static QemuMutex pending_reader_lock; --static QemuCond pending_reader_condition; 
-+static CompatGMutex pending_reader_lock; -+static CompatGCond pending_reader_condition; - - #define MAX_ATR_LEN 40 --static void * --event_thread(void *arg) -+static gpointer -+event_thread(gpointer arg) - { - unsigned char atr[MAX_ATR_LEN]; - int atr_len = MAX_ATR_LEN; -@@ -149,20 +147,20 @@ event_thread(void *arg) - /* ignore events from readers qemu has rejected */ - /* if qemu is still deciding on this reader, wait to see if need to - * forward this event */ -- qemu_mutex_lock(&pending_reader_lock); -+ g_mutex_lock(&pending_reader_lock); - if (!pending_reader || (pending_reader != event->reader)) { - /* wasn't for a pending reader, this reader has already been - * rejected by qemu */ -- qemu_mutex_unlock(&pending_reader_lock); -+ g_mutex_unlock(&pending_reader_lock); - vevent_delete(event); - continue; - } - /* this reader hasn't been told its status from qemu yet, wait for - * that status */ - while (pending_reader != NULL) { -- qemu_cond_wait(&pending_reader_condition, &pending_reader_lock); -+ g_cond_wait(&pending_reader_condition, &pending_reader_lock); - } -- qemu_mutex_unlock(&pending_reader_lock); -+ g_mutex_unlock(&pending_reader_lock); - /* now recheck the id */ - reader_id = vreader_get_id(event->reader); - if (reader_id == VSCARD_UNDEFINED_READER_ID) { -@@ -178,12 +176,12 @@ event_thread(void *arg) - /* wait until qemu has responded to our first reader insert - * before we send a second. 
That way we won't confuse the responses - * */ -- qemu_mutex_lock(&pending_reader_lock); -+ g_mutex_lock(&pending_reader_lock); - while (pending_reader != NULL) { -- qemu_cond_wait(&pending_reader_condition, &pending_reader_lock); -+ g_cond_wait(&pending_reader_condition, &pending_reader_lock); - } - pending_reader = vreader_reference(event->reader); -- qemu_mutex_unlock(&pending_reader_lock); -+ g_mutex_unlock(&pending_reader_lock); - reader_name = vreader_get_name(event->reader); - if (verbose > 10) { - printf(" READER INSERT: %s\n", reader_name); -@@ -246,7 +244,6 @@ on_host_init(VSCMsgHeader *mhHeader, VSCMsgInit *incoming) - int num_capabilities = - 1 + ((mhHeader->length - sizeof(VSCMsgInit)) / sizeof(uint32_t)); - int i; -- QemuThread thread_id; - - incoming->version = ntohl(incoming->version); - if (incoming->version != VSCARD_VERSION) { -@@ -269,7 +266,7 @@ on_host_init(VSCMsgHeader *mhHeader, VSCMsgInit *incoming) - send_msg(VSC_ReaderRemove, VSCARD_MINIMAL_READER_ID, NULL, 0); - /* launch the event_thread. 
This will trigger reader adds for all the - * existing readers */ -- qemu_thread_create(&thread_id, "vsc/event", event_thread, NULL, 0); -+ g_thread_new("vsc/event", event_thread, NULL); - return 0; - } - -@@ -379,26 +376,26 @@ do_socket_read(GIOChannel *source, - case VSC_Error: - error_msg = (VSCMsgError *) pbSendBuffer; - if (error_msg->code == VSC_SUCCESS) { -- qemu_mutex_lock(&pending_reader_lock); -+ g_mutex_lock(&pending_reader_lock); - if (pending_reader) { - vreader_set_id(pending_reader, mhHeader.reader_id); - vreader_free(pending_reader); - pending_reader = NULL; -- qemu_cond_signal(&pending_reader_condition); -+ g_cond_signal(&pending_reader_condition); - } -- qemu_mutex_unlock(&pending_reader_lock); -+ g_mutex_unlock(&pending_reader_lock); - break; - } - printf("warning: qemu refused to add reader\n"); - if (error_msg->code == VSC_CANNOT_ADD_MORE_READERS) { - /* clear pending reader, qemu can't handle any more */ -- qemu_mutex_lock(&pending_reader_lock); -+ g_mutex_lock(&pending_reader_lock); - if (pending_reader) { - pending_reader = NULL; - /* make sure the event loop doesn't hang */ -- qemu_cond_signal(&pending_reader_condition); -+ g_cond_signal(&pending_reader_condition); - } -- qemu_mutex_unlock(&pending_reader_lock); -+ g_mutex_unlock(&pending_reader_lock); - } - break; - case VSC_Init: -@@ -602,7 +599,7 @@ connect_to_qemu( - struct addrinfo *server; - int ret, sock; - -- sock = qemu_socket(AF_INET, SOCK_STREAM, 0); -+ sock = socket(AF_INET, SOCK_STREAM, 0); - if (sock < 0) { - /* Error */ - fprintf(stderr, "Error opening socket!\n"); -@@ -655,8 +652,20 @@ main( - int cert_count = 0; - int c, sock; - -- if (socket_init() != 0) -+#ifdef _WIN32 -+ WSADATA Data; -+ -+ if (WSAStartup(MAKEWORD(2, 2), &Data) != 0) { -+ c = WSAGetLastError(); -+ fprintf(stderr, "WSAStartup: %d\n", c); - return 1; -+ } -+#endif -+#if !GLIB_CHECK_VERSION(2, 31, 0) -+ if (!g_thread_supported()) { -+ g_thread_init(NULL); -+ } -+#endif - - while ((c = getopt(argc, argv, 
"c:e:pd:")) != -1) { - switch (c) { -@@ -723,13 +732,8 @@ main( - } - - socket_to_send = g_byte_array_new(); -- qemu_mutex_init(&socket_to_send_lock); -- qemu_mutex_init(&pending_reader_lock); -- qemu_cond_init(&pending_reader_condition); -- - vcard_emul_init(command_line_options); -- -- loop = g_main_loop_new(NULL, true); -+ loop = g_main_loop_new(NULL, TRUE); - - printf("> "); - fflush(stdout); diff --git a/0117-libcacard-replace-qemu-thread-primitives-with-glib-o.patch b/0117-libcacard-replace-qemu-thread-primitives-with-glib-o.patch deleted file mode 100644 index 72fc8ac..0000000 --- a/0117-libcacard-replace-qemu-thread-primitives-with-glib-o.patch +++ /dev/null 
@@ -1,204 +0,0 @@ -From 95d830ad782262bac47e4cc368e8dff108b789f1 Mon Sep 17 00:00:00 2001 -From: Michael Tokarev -Date: Thu, 8 May 2014 12:30:48 +0400 -Subject: [PATCH] libcacard: replace qemu thread primitives with glib ones - -Replace QemuMutex with GMutex and QemuCond with GCond -(with corresponding function changes), to make libcacard -independent of qemu internal functions. - -After this step, none of libcacard internals use any -qemu-provided symbols. Maybe it's a good idea to -stop including qemu-common.h internally too. - -Signed-off-by: Michael Tokarev -Reviewed-by: Alon Levy -Tested-by: Alon Levy -Signed-off-by: Paolo Bonzini -(cherry picked from commit fd25c0e6dd1ed2aa932fa7ef814b32457bf270fd) ---- - libcacard/Makefile | 8 +------- - libcacard/event.c | 23 ++++++++++------------- - libcacard/vreader.c | 18 ++++++++---------- - 3 files changed, 19 insertions(+), 30 deletions(-) - -diff --git a/libcacard/Makefile b/libcacard/Makefile -index 6b06448..89a5942 100644 ---- a/libcacard/Makefile -+++ b/libcacard/Makefile -@@ -3,13 +3,7 @@ libcacard_includedir=$(includedir)/cacard - TOOLS += vscclient$(EXESUF) - - # objects linked into a shared library, built with libtool with -fPIC if required --libcacard-obj-y = $(stub-obj-y) $(libcacard-y) --libcacard-obj-y += util/osdep.o util/cutils.o util/qemu-timer-common.o --libcacard-obj-y += util/error.o util/qemu-error.o --libcacard-obj-$(CONFIG_WIN32) += util/oslib-win32.o util/qemu-thread-win32.o --libcacard-obj-$(CONFIG_POSIX) += util/oslib-posix.o util/qemu-thread-posix.o --libcacard-obj-y += $(filter trace/%, $(util-obj-y)) -- -+libcacard-obj-y = $(libcacard-y) - libcacard-lobj-y=$(patsubst %.o,%.lo,$(libcacard-obj-y)) - - # libtool will build the .o files, too -diff --git a/libcacard/event.c b/libcacard/event.c -index a2e6c7d..4c551e4 100644 ---- a/libcacard/event.c -+++ b/libcacard/event.c -@@ -6,7 +6,6 @@ - */ - - #include "qemu-common.h" --#include "qemu/thread.h" - - #include "vcard.h" - #include "vreader.h" 
-@@ -43,13 +42,11 @@ vevent_delete(VEvent *vevent) - - static VEvent *vevent_queue_head; - static VEvent *vevent_queue_tail; --static QemuMutex vevent_queue_lock; --static QemuCond vevent_queue_condition; -+static CompatGMutex vevent_queue_lock; -+static CompatGCond vevent_queue_condition; - - void vevent_queue_init(void) - { -- qemu_mutex_init(&vevent_queue_lock); -- qemu_cond_init(&vevent_queue_condition); - vevent_queue_head = vevent_queue_tail = NULL; - } - -@@ -57,7 +54,7 @@ void - vevent_queue_vevent(VEvent *vevent) - { - vevent->next = NULL; -- qemu_mutex_lock(&vevent_queue_lock); -+ g_mutex_lock(&vevent_queue_lock); - if (vevent_queue_head) { - assert(vevent_queue_tail); - vevent_queue_tail->next = vevent; -@@ -65,8 +62,8 @@ vevent_queue_vevent(VEvent *vevent) - vevent_queue_head = vevent; - } - vevent_queue_tail = vevent; -- qemu_cond_signal(&vevent_queue_condition); -- qemu_mutex_unlock(&vevent_queue_lock); -+ g_cond_signal(&vevent_queue_condition); -+ g_mutex_unlock(&vevent_queue_lock); - } - - /* must have lock */ -@@ -86,11 +83,11 @@ VEvent *vevent_wait_next_vevent(void) - { - VEvent *vevent; - -- qemu_mutex_lock(&vevent_queue_lock); -+ g_mutex_lock(&vevent_queue_lock); - while ((vevent = vevent_dequeue_vevent()) == NULL) { -- qemu_cond_wait(&vevent_queue_condition, &vevent_queue_lock); -+ g_cond_wait(&vevent_queue_condition, &vevent_queue_lock); - } -- qemu_mutex_unlock(&vevent_queue_lock); -+ g_mutex_unlock(&vevent_queue_lock); - return vevent; - } - -@@ -98,9 +95,9 @@ VEvent *vevent_get_next_vevent(void) - { - VEvent *vevent; - -- qemu_mutex_lock(&vevent_queue_lock); -+ g_mutex_lock(&vevent_queue_lock); - vevent = vevent_dequeue_vevent(); -- qemu_mutex_unlock(&vevent_queue_lock); -+ g_mutex_unlock(&vevent_queue_lock); - return vevent; - } - -diff --git a/libcacard/vreader.c b/libcacard/vreader.c -index 215a2f6..75b5b28 100644 ---- a/libcacard/vreader.c -+++ b/libcacard/vreader.c -@@ -9,10 +9,8 @@ - #undef G_LOG_DOMAIN - #endif - #define G_LOG_DOMAIN 
"libcacard" --#include - - #include "qemu-common.h" --#include "qemu/thread.h" - - #include "vcard.h" - #include "vcard_emul.h" -@@ -28,7 +26,7 @@ struct VReaderStruct { - VCard *card; - char *name; - vreader_id_t id; -- QemuMutex lock; -+ CompatGMutex lock; - VReaderEmul *reader_private; - VReaderEmulFree reader_private_free; - }; -@@ -97,13 +95,13 @@ apdu_ins_to_string(int ins) - static inline void - vreader_lock(VReader *reader) - { -- qemu_mutex_lock(&reader->lock); -+ g_mutex_lock(&reader->lock); - } - - static inline void - vreader_unlock(VReader *reader) - { -- qemu_mutex_unlock(&reader->lock); -+ g_mutex_unlock(&reader->lock); - } - - /* -@@ -116,7 +114,7 @@ vreader_new(const char *name, VReaderEmul *private, - VReader *reader; - - reader = g_new(VReader, 1); -- qemu_mutex_init(&reader->lock); -+ g_mutex_init(&reader->lock); - reader->reference_count = 1; - reader->name = g_strdup(name); - reader->card = NULL; -@@ -152,6 +150,7 @@ vreader_free(VReader *reader) - return; - } - vreader_unlock(reader); -+ g_mutex_clear(&reader->lock); - if (reader->card) { - vcard_free(reader->card); - } -@@ -408,25 +407,24 @@ vreader_dequeue(VReaderList *list, VReaderListEntry *entry) - } - - static VReaderList *vreader_list; --static QemuMutex vreader_list_mutex; -+static CompatGMutex vreader_list_mutex; - - static void - vreader_list_init(void) - { - vreader_list = vreader_list_new(); -- qemu_mutex_init(&vreader_list_mutex); - } - - static void - vreader_list_lock(void) - { -- qemu_mutex_lock(&vreader_list_mutex); -+ g_mutex_lock(&vreader_list_mutex); - } - - static void - vreader_list_unlock(void) - { -- qemu_mutex_unlock(&vreader_list_mutex); -+ g_mutex_unlock(&vreader_list_mutex); - } - - static VReaderList * diff --git a/qemu.spec b/qemu.spec index 2b1d1f2..c3b1d54 100644 --- a/qemu.spec +++ b/qemu.spec 
@@ -154,11 +154,10 @@ %define with_xen 1 %endif - Summary: QEMU is a FAST! processor emulator Name: qemu -Version: 2.0.0 -Release: 7%{?dist} +Version: 2.1.0 +Release: 0.1.rc0%{?dist} Epoch: 2 License: GPLv2+ and LGPLv2+ and BSD Group: Development/Tools @@ -173,7 +172,8 @@ ExclusiveArch: %{kvm_archs} %define _smp_mflags %{nil} %endif -Source0: http://wiki.qemu-project.org/download/%{name}-%{version}.tar.bz2 +#Source0: http://wiki.qemu-project.org/download/%{name}-%{version}.tar.bz2 +Source0: http://wiki.qemu-project.org/download/%{name}-%{version}-rc0.tar.bz2 Source1: qemu.binfmt 
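Review bot: The old `Source0:` line is kept as a commented-out `#Source0:` rather than deleted, which leaves dead text with no hint of why two spellings exist. Either drop it or turn it into a directive for the next update, e.g. `# Pre-release tarball; restore %{name}-%{version}.tar.bz2 at 2.1.0 GA`, so whoever rebases to the final release knows what to put back.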
@@ -198,57 +198,6 @@ Source12: bridge.conf # qemu-kvm back compat wrapper Source13: qemu-kvm.sh -# Change gtk quit accelerator to ctrl+shift+q (bz #1062393) -# Patches queued for 2.1 -Patch0001: 0001-Change-gtk-quit-accelerator-to-ctrl-shift-q-bz-10623.patch -# Migration CVEs: CVE-2014-0182 etc. -Patch0002: 0002-vmstate-add-VMS_MUST_EXIST.patch -Patch0003: 0003-vmstate-add-VMSTATE_VALIDATE.patch -Patch0004: 0004-virtio-net-fix-buffer-overflow-on-invalid-state-load.patch -Patch0005: 0005-virtio-net-out-of-bounds-buffer-write-on-invalid-sta.patch -Patch0006: 0006-virtio-out-of-bounds-buffer-write-on-invalid-state-l.patch -Patch0007: 0007-ahci-fix-buffer-overrun-on-invalid-state-load.patch -Patch0008: 0008-hpet-fix-buffer-overrun-on-invalid-state-load.patch -Patch0009: 0009-hw-pci-pcie_aer.c-fix-buffer-overruns-on-invalid-sta.patch -Patch0010: 0010-pl022-fix-buffer-overun-on-invalid-state-load.patch -Patch0011: 0011-vmstate-fix-buffer-overflow-in-target-arm-machine.c.patch -Patch0012: 0012-virtio-avoid-buffer-overrun-on-incoming-migration.patch -Patch0013: 0013-virtio-validate-num_sg-when-mapping.patch -Patch0014: 0014-pxa2xx-avoid-buffer-overrun-on-incoming-migration.patch -Patch0015: 0015-ssd0323-fix-buffer-overun-on-invalid-state-load.patch -Patch0016: 0016-tsc210x-fix-buffer-overrun-on-invalid-state-load.patch -Patch0017: 0017-zaurus-fix-buffer-overrun-on-invalid-state-load.patch -Patch0018: 0018-virtio-scsi-fix-buffer-overrun-on-invalid-state-load.patch -Patch0019: 0019-vmstate-s-VMSTATE_INT32_LE-VMSTATE_INT32_POSITIVE_LE.patch -Patch0020: 0020-usb-sanity-check-setup_index-setup_len-in-post_load.patch -Patch0021: 0021-ssi-sd-fix-buffer-overrun-on-invalid-state-load.patch -Patch0022: 0022-openpic-avoid-buffer-overrun-on-incoming-migration.patch -Patch0023: 0023-virtio-net-out-of-bounds-buffer-write-on-load.patch -Patch0024: 0024-virtio-validate-config_len-on-load.patch - -# QCOW1 validation CVEs: CVE-2014-0222, CVE-2014-0223 (bz #1097232, bz -# #1097238, bz 
#1097222, bz #1097216) -Patch0101: 0101-qcow1-Make-padding-in-the-header-explicit.patch -Patch0102: 0102-qcow1-Check-maximum-cluster-size.patch -Patch0103: 0103-qcow1-Validate-L2-table-size-CVE-2014-0222.patch -Patch0104: 0104-qcow1-Validate-image-size-CVE-2014-0223.patch -Patch0105: 0105-qcow1-Stricter-backing-file-length-check.patch -# CVE-2014-3461: Issues in USB post load checks (bz #1097260, bz -# #1096821) -Patch0106: 0106-usb-fix-up-post-load-checks.patch -# Don't use libtool on dtrace, fixes rawhide build (bz #1106968) -Patch0107: 0107-trace-add-pid-field-to-simpletrace-record.patch -Patch0108: 0108-simpletrace-add-support-for-trace-record-pid-field.patch -Patch0109: 0109-trace-Replace-error-with-warning-if-event-is-not-def.patch -Patch0110: 0110-do-not-call-g_thread_init-for-glib-2.31.patch -Patch0111: 0111-glib-move-g_poll-replacement-into-glib-compat.h.patch -Patch0112: 0112-glib-fix-g_poll-early-timeout-on-windows.patch -Patch0113: 0113-glib-compat.h-add-new-thread-API-emulation-on-top-of.patch -Patch0114: 0114-libcacard-replace-pstrcpy-with-memcpy.patch -Patch0115: 0115-libcacard-g_malloc-cleanups.patch -Patch0116: 0116-vscclient-use-glib-thread-primitives-not-qemu.patch -Patch0117: 0117-libcacard-replace-qemu-thread-primitives-with-glib-o.patch - BuildRequires: SDL-devel BuildRequires: zlib-devel BuildRequires: which @@ -343,7 +292,10 @@ BuildRequires: iasl %if %{with_xen} BuildRequires: xen-devel %endif - +%ifarch %{ix86} x86_64 +# memdev hostmem backend added in 2.1 +Requires: numactl-devel +%endif %if 0%{?user:1} Requires: %{name}-%{user} = %{epoch}:%{version}-%{release} 
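Review bot: The Patch0002–Patch0024 and Patch0101–Patch0106 lines removed here carried the CVE-2014-0182, CVE-2014-0222, CVE-2014-0223 and CVE-2014-3461 backports, and neither this hunk nor the changelog entry records that the 2.1.0-rc0 tarball already contains the upstream versions of those fixes. Dropping a security backport during a rebase is only correct if the new base has it, so the changelog should state that explicitly, e.g. `- Drop migration/qcow1/usb CVE backports, all merged upstream before 2.1-rc0`, after checking each one against the rc0 tree. The same applies to the matching `%patch` lines removed in the `%prep` hunk and to Patch0107–Patch0117 (dtrace/libtool and libcacard changes), which are presumably upstream as well but are dropped without a note.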
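Review bot: `Requires: numactl-devel` in the added `%ifarch` block makes the installed package pull development headers in at runtime, while the hostmem backend only needs the headers at build time and the library at run time. The shared-library dependency is generated automatically from what the binary links against, so this line should be `BuildRequires: numactl-devel`, grouped with the other BuildRequires a few lines above, and the `Requires:` dropped. This appears to be the main package preamble, whose start is outside the hunk.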
@@ -768,58 +720,7 @@ CAC emulation development files. %prep -%setup -q - -# Change gtk quit accelerator to ctrl+shift+q (bz #1062393) -# Patches queued for 2.1 -%patch0001 -p1 -# Migration CVEs: CVE-2014-0182 etc. -%patch0002 -p1 -%patch0003 -p1 -%patch0004 -p1 -%patch0005 -p1 -%patch0006 -p1 -%patch0007 -p1 -%patch0008 -p1 -%patch0009 -p1 -%patch0010 -p1 -%patch0011 -p1 -%patch0012 -p1 -%patch0013 -p1 -%patch0014 -p1 -%patch0015 -p1 -%patch0016 -p1 -%patch0017 -p1 -%patch0018 -p1 -%patch0019 -p1 -%patch0020 -p1 -%patch0021 -p1 -%patch0022 -p1 -%patch0023 -p1 -%patch0024 -p1 - -# QCOW1 validation CVEs: CVE-2014-0222, CVE-2014-0223 (bz #1097232, bz -# #1097238, bz #1097222, bz #1097216) -%patch0101 -p1 -%patch0102 -p1 -%patch0103 -p1 -%patch0104 -p1 -%patch0105 -p1 -# CVE-2014-3461: Issues in USB post load checks (bz #1097260, bz -# #1096821) -%patch0106 -p1 -# Don't use libtool on dtrace, fixes rawhide build (bz #1106968) -%patch0107 -p1 -%patch0108 -p1 -%patch0109 -p1 -%patch0110 -p1 -%patch0111 -p1 -%patch0112 -p1 -%patch0113 -p1 -%patch0114 -p1 -%patch0115 -p1 -%patch0116 -p1 -%patch0117 -p1 +%setup -q -n %{name}-%{version}-rc0 %build @@ -837,7 +738,7 @@ arm-linux-user armeb-linux-user cris-linux-user m68k-linux-user \ microblaze-linux-user microblazeel-linux-user mips-linux-user \ mipsel-linux-user mips64-linux-user mips64el-linux-user \ mipsn32-linux-user mipsn32el-linux-user \ -or32-linux-user ppc-linux-user ppc64-linux-user \ +or32-linux-user ppc-linux-user ppc64-linux-user ppc64le-linux-user \ ppc64abi32-linux-user s390x-linux-user sh4-linux-user sh4eb-linux-user \ sparc-linux-user sparc64-linux-user sparc32plus-linux-user \ unicore32-linux-user" 
@@ -858,6 +759,10 @@ buildldflags="VL_LDFLAGS=-Wl,--build-id" sed -i.debug 's/"-g $CFLAGS"/"$CFLAGS"/g' configure %endif + +# As of qemu 2.1, --enable-trace-backends supports multiple backends, +# but there's a performance impact for non-dtrace so we don't use them + ./configure \ --prefix=%{_prefix} \ --libdir=%{_libdir} \ @@ -873,7 +778,6 @@ sed -i.debug 's/"-g $CFLAGS"/"$CFLAGS"/g' configure --audio-drv-list=pa,sdl,alsa,oss \ --enable-trace-backend=dtrace \ --enable-kvm \ - --enable-tpm \ %if %{with_xen} --enable-xen \ %else @@ -903,7 +807,6 @@ sed -i.debug 's/"-g $CFLAGS"/"$CFLAGS"/g' configure %ifarch s390 --enable-tcg-interpreter \ %endif - --enable-quorum \ "$@" echo "config-host.mak contents:" @@ -1291,6 +1194,7 @@ getent passwd qemu >/dev/null || \ %{_bindir}/qemu-ppc %{_bindir}/qemu-ppc64 %{_bindir}/qemu-ppc64abi32 +%{_bindir}/qemu-ppc64le %{_bindir}/qemu-s390x %{_bindir}/qemu-sh4 %{_bindir}/qemu-sh4eb @@ -1318,6 +1222,7 @@ getent passwd qemu >/dev/null || \ %{_datadir}/systemtap/tapset/qemu-ppc.stp %{_datadir}/systemtap/tapset/qemu-ppc64.stp %{_datadir}/systemtap/tapset/qemu-ppc64abi32.stp +%{_datadir}/systemtap/tapset/qemu-ppc64le.stp %{_datadir}/systemtap/tapset/qemu-s390x.stp %{_datadir}/systemtap/tapset/qemu-sh4.stp %{_datadir}/systemtap/tapset/qemu-sh4eb.stp @@ -1587,6 +1492,9 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Fri Jul 04 2014 Cole Robinson - 2:2.1.0-0.1.rc0 +- Update to qemu 2.1-rc0 + * Sun Jun 15 2014 Cole Robinson - 2:2.0.0-7 - Don't use libtool on dtrace, fixes rawhide build (bz #1106968) diff --git a/sources b/sources index 134a333..c68d8e8 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -2790f44fd76da5de5024b4aafeb594c2 qemu-2.0.0.tar.bz2 +b8e7af12112d4859ea30196975b1fd57 qemu-2.1.0-rc0.tar.bz2
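Review bot: The comment added above `./configure` talks about `--enable-trace-backends` (plural), but the invocation below still passes `--enable-trace-backend=dtrace`, so the comment documents an option the build does not use. If 2.1's configure still accepts the singular spelling as an alias this only misleads the reader; if it does not, the tracing backend selection is silently lost. Either change the flag to `--enable-trace-backends=dtrace` or reword the comment to say the singular form is kept deliberately. The configure argument list continues in the following hunks, outside this one.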
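Review bot: `--enable-tpm` is removed from the configure arguments without any mention in the commit message or changelog, and the same is true of `--enable-quorum` in the `@@ -903,7 +807,6 @@` hunk below. If the switches were dropped because 2.1's configure enables these features by default, the changelog should say so; if they were dropped because the switches no longer exist, the build log should be checked to confirm TPM passthrough and the quorum block driver are still compiled in, since both would otherwise disappear from the package silently. A one-line `# TPM and quorum are enabled by default in 2.1; no explicit switch needed` above the remaining flags would record the decision. The argument list starts and ends outside this hunk.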