diff --git a/.gitignore b/.gitignore index de2ae9c..6e1a277 100644 --- a/.gitignore +++ b/.gitignore @@ -8,3 +8,4 @@ /qemu-2.9.0-rc3.tar.xz /qemu-2.9.0-rc4.tar.xz /qemu-2.9.0.tar.xz +/qemu-2.10.0-rc1.tar.xz diff --git a/0001-vmw_pvscsi-check-message-ring-page-count-at-initiali.patch b/0001-vmw_pvscsi-check-message-ring-page-count-at-initiali.patch deleted file mode 100644 index a005b86..0000000 --- a/0001-vmw_pvscsi-check-message-ring-page-count-at-initiali.patch +++ /dev/null @@ -1,30 +0,0 @@ -From: P J P -Date: Tue, 25 Apr 2017 18:36:23 +0530 -Subject: [PATCH] vmw_pvscsi: check message ring page count at initialisation - -A guest could set the message ring page count to zero, resulting in -infinite loop. Add check to avoid it. - -Reported-by: YY Z -Signed-off-by: P J P -Message-Id: <20170425130623.3649-1-ppandit@redhat.com> -Reviewed-by: Dmitry Fleytman -Signed-off-by: Paolo Bonzini -(cherry picked from commit f68826989cd4d1217797251339579c57b3c0934e) ---- - hw/scsi/vmw_pvscsi.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c -index 75575461e2..4a106da856 100644 ---- a/hw/scsi/vmw_pvscsi.c -+++ b/hw/scsi/vmw_pvscsi.c -@@ -202,7 +202,7 @@ pvscsi_ring_init_msg(PVSCSIRingInfo *m, PVSCSICmdDescSetupMsgRing *ri) - uint32_t len_log2; - uint32_t ring_size; - -- if (ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) { -+ if (!ri->numPages || ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) { - return -1; - } - ring_size = ri->numPages * PVSCSI_MAX_NUM_MSG_ENTRIES_PER_PAGE; diff --git a/0001-xen-make-use-of-xen_xc-implicit-in-xen_common.h-inli.patch b/0001-xen-make-use-of-xen_xc-implicit-in-xen_common.h-inli.patch deleted file mode 100644 index dc179b9..0000000 --- a/0001-xen-make-use-of-xen_xc-implicit-in-xen_common.h-inli.patch +++ /dev/null 
@@ -1,454 +0,0 @@ -From a3dfd0460492f404228335278c2a4b2afd95c2f4 Mon Sep 17 00:00:00 2001 -From: Paul Durrant -Date: Tue, 7 Mar 2017 10:55:30 +0000 -Subject: [PATCH 1/6] xen: make use of xen_xc implicit in xen_common.h inlines - -Doing this will make the transition to using the new libxendevicemodel -interface less intrusive on the callers of these functions, since using -the new library will require a change of handle. - -NOTE: The patch also moves the 'externs' for xen_xc and xen_fmem from - xen_backend.h to xen_common.h, and the declarations from - xen_backend.c to xen-common.c, which is where they belong. - -Signed-off-by: Paul Durrant -Reviewed-by: Anthony Perard -Reviewed-by: Stefano Stabellini -(cherry picked from commit 260cabed718c4d3137553a4a98de268b0fb166b7) ---- - hw/xen/xen_backend.c | 2 - - include/hw/xen/xen_backend.h | 2 - - include/hw/xen/xen_common.h | 90 +++++++++++++++++++++++--------------------- - xen-common.c | 3 ++ - xen-hvm.c | 20 +++++----- - 5 files changed, 60 insertions(+), 57 deletions(-) - -diff --git a/hw/xen/xen_backend.c b/hw/xen/xen_backend.c -index 6c21c37d68..d34c49e152 100644 ---- a/hw/xen/xen_backend.c -+++ b/hw/xen/xen_backend.c -@@ -43,8 +43,6 @@ BusState *xen_sysbus; - /* ------------------------------------------------------------- */ - - /* public */ --xc_interface *xen_xc = NULL; --xenforeignmemory_handle *xen_fmem = NULL; - struct xs_handle *xenstore = NULL; - const char *xen_protocol; - -diff --git a/include/hw/xen/xen_backend.h b/include/hw/xen/xen_backend.h -index 4f4799a610..30811a1e5d 100644 ---- a/include/hw/xen/xen_backend.h -+++ b/include/hw/xen/xen_backend.h -@@ -14,8 +14,6 @@ - OBJECT_CHECK(XenDevice, (obj), TYPE_XENBACKEND) - - /* variables */ --extern xc_interface *xen_xc; --extern xenforeignmemory_handle *xen_fmem; - extern struct xs_handle *xenstore; - extern const char *xen_protocol; - extern DeviceState *xen_sysdev; -diff --git a/include/hw/xen/xen_common.h b/include/hw/xen/xen_common.h -index 
dce76ee162..1e08b98617 100644 ---- a/include/hw/xen/xen_common.h -+++ b/include/hw/xen/xen_common.h -@@ -20,6 +20,8 @@ - #include "qemu/queue.h" - #include "hw/xen/trace.h" - -+extern xc_interface *xen_xc; -+ - /* - * We don't support Xen prior to 4.2.0. - */ -@@ -73,6 +75,8 @@ static inline void *xenforeignmemory_map(xc_interface *h, uint32_t dom, - - #endif - -+extern xenforeignmemory_handle *xen_fmem; -+ - void destroy_hvm_domain(bool reboot); - - /* shutdown/destroy current domain because of an error */ -@@ -107,8 +111,7 @@ static inline int xen_get_vmport_regs_pfn(xc_interface *xc, domid_t dom, - - #endif - --static inline int xen_get_default_ioreq_server_info(xc_interface *xc, -- domid_t dom, -+static inline int xen_get_default_ioreq_server_info(domid_t dom, - xen_pfn_t *ioreq_pfn, - xen_pfn_t *bufioreq_pfn, - evtchn_port_t -@@ -117,7 +120,7 @@ static inline int xen_get_default_ioreq_server_info(xc_interface *xc, - unsigned long param; - int rc; - -- rc = xc_get_hvm_param(xc, dom, HVM_PARAM_IOREQ_PFN, ¶m); -+ rc = xc_get_hvm_param(xen_xc, dom, HVM_PARAM_IOREQ_PFN, ¶m); - if (rc < 0) { - fprintf(stderr, "failed to get HVM_PARAM_IOREQ_PFN\n"); - return -1; -@@ -125,7 +128,7 @@ static inline int xen_get_default_ioreq_server_info(xc_interface *xc, - - *ioreq_pfn = param; - -- rc = xc_get_hvm_param(xc, dom, HVM_PARAM_BUFIOREQ_PFN, ¶m); -+ rc = xc_get_hvm_param(xen_xc, dom, HVM_PARAM_BUFIOREQ_PFN, ¶m); - if (rc < 0) { - fprintf(stderr, "failed to get HVM_PARAM_BUFIOREQ_PFN\n"); - return -1; -@@ -133,7 +136,7 @@ static inline int xen_get_default_ioreq_server_info(xc_interface *xc, - - *bufioreq_pfn = param; - -- rc = xc_get_hvm_param(xc, dom, HVM_PARAM_BUFIOREQ_EVTCHN, -+ rc = xc_get_hvm_param(xen_xc, dom, HVM_PARAM_BUFIOREQ_EVTCHN, - ¶m); - if (rc < 0) { - fprintf(stderr, "failed to get HVM_PARAM_BUFIOREQ_EVTCHN\n"); -@@ -156,63 +159,64 @@ static inline int xen_get_default_ioreq_server_info(xc_interface *xc, - - typedef uint16_t ioservid_t; - --static inline void 
xen_map_memory_section(xc_interface *xc, domid_t dom, -+static inline void xen_map_memory_section(domid_t dom, - ioservid_t ioservid, - MemoryRegionSection *section) - { - } - --static inline void xen_unmap_memory_section(xc_interface *xc, domid_t dom, -+static inline void xen_unmap_memory_section(domid_t dom, - ioservid_t ioservid, - MemoryRegionSection *section) - { - } - --static inline void xen_map_io_section(xc_interface *xc, domid_t dom, -+static inline void xen_map_io_section(domid_t dom, - ioservid_t ioservid, - MemoryRegionSection *section) - { - } - --static inline void xen_unmap_io_section(xc_interface *xc, domid_t dom, -+static inline void xen_unmap_io_section(domid_t dom, - ioservid_t ioservid, - MemoryRegionSection *section) - { - } - --static inline void xen_map_pcidev(xc_interface *xc, domid_t dom, -+static inline void xen_map_pcidev(domid_t dom, - ioservid_t ioservid, - PCIDevice *pci_dev) - { - } - --static inline void xen_unmap_pcidev(xc_interface *xc, domid_t dom, -+static inline void xen_unmap_pcidev(domid_t dom, - ioservid_t ioservid, - PCIDevice *pci_dev) - { - } - --static inline void xen_create_ioreq_server(xc_interface *xc, domid_t dom, -+static inline void xen_create_ioreq_server(domid_t dom, - ioservid_t *ioservid) - { - } - --static inline void xen_destroy_ioreq_server(xc_interface *xc, domid_t dom, -+static inline void xen_destroy_ioreq_server(domid_t dom, - ioservid_t ioservid) - { - } - --static inline int xen_get_ioreq_server_info(xc_interface *xc, domid_t dom, -+static inline int xen_get_ioreq_server_info(domid_t dom, - ioservid_t ioservid, - xen_pfn_t *ioreq_pfn, - xen_pfn_t *bufioreq_pfn, - evtchn_port_t *bufioreq_evtchn) - { -- return xen_get_default_ioreq_server_info(xc, dom, ioreq_pfn, bufioreq_pfn, -+ return xen_get_default_ioreq_server_info(dom, ioreq_pfn, -+ bufioreq_pfn, - bufioreq_evtchn); - } - --static inline int xen_set_ioreq_server_state(xc_interface *xc, domid_t dom, -+static inline int 
xen_set_ioreq_server_state(domid_t dom, - ioservid_t ioservid, - bool enable) - { -@@ -224,7 +228,7 @@ static inline int xen_set_ioreq_server_state(xc_interface *xc, domid_t dom, - - static bool use_default_ioreq_server; - --static inline void xen_map_memory_section(xc_interface *xc, domid_t dom, -+static inline void xen_map_memory_section(domid_t dom, - ioservid_t ioservid, - MemoryRegionSection *section) - { -@@ -237,11 +241,11 @@ static inline void xen_map_memory_section(xc_interface *xc, domid_t dom, - } - - trace_xen_map_mmio_range(ioservid, start_addr, end_addr); -- xc_hvm_map_io_range_to_ioreq_server(xc, dom, ioservid, 1, -+ xc_hvm_map_io_range_to_ioreq_server(xen_xc, dom, ioservid, 1, - start_addr, end_addr); - } - --static inline void xen_unmap_memory_section(xc_interface *xc, domid_t dom, -+static inline void xen_unmap_memory_section(domid_t dom, - ioservid_t ioservid, - MemoryRegionSection *section) - { -@@ -253,13 +257,12 @@ static inline void xen_unmap_memory_section(xc_interface *xc, domid_t dom, - return; - } - -- - trace_xen_unmap_mmio_range(ioservid, start_addr, end_addr); -- xc_hvm_unmap_io_range_from_ioreq_server(xc, dom, ioservid, 1, -- start_addr, end_addr); -+ xc_hvm_unmap_io_range_from_ioreq_server(xen_xc, dom, ioservid, -+ 1, start_addr, end_addr); - } - --static inline void xen_map_io_section(xc_interface *xc, domid_t dom, -+static inline void xen_map_io_section(domid_t dom, - ioservid_t ioservid, - MemoryRegionSection *section) - { -@@ -271,13 +274,12 @@ static inline void xen_map_io_section(xc_interface *xc, domid_t dom, - return; - } - -- - trace_xen_map_portio_range(ioservid, start_addr, end_addr); -- xc_hvm_map_io_range_to_ioreq_server(xc, dom, ioservid, 0, -+ xc_hvm_map_io_range_to_ioreq_server(xen_xc, dom, ioservid, 0, - start_addr, end_addr); - } - --static inline void xen_unmap_io_section(xc_interface *xc, domid_t dom, -+static inline void xen_unmap_io_section(domid_t dom, - ioservid_t ioservid, - MemoryRegionSection *section) - { 
-@@ -290,11 +292,11 @@ static inline void xen_unmap_io_section(xc_interface *xc, domid_t dom, - } - - trace_xen_unmap_portio_range(ioservid, start_addr, end_addr); -- xc_hvm_unmap_io_range_from_ioreq_server(xc, dom, ioservid, 0, -- start_addr, end_addr); -+ xc_hvm_unmap_io_range_from_ioreq_server(xen_xc, dom, ioservid, -+ 0, start_addr, end_addr); - } - --static inline void xen_map_pcidev(xc_interface *xc, domid_t dom, -+static inline void xen_map_pcidev(domid_t dom, - ioservid_t ioservid, - PCIDevice *pci_dev) - { -@@ -304,13 +306,13 @@ static inline void xen_map_pcidev(xc_interface *xc, domid_t dom, - - trace_xen_map_pcidev(ioservid, pci_bus_num(pci_dev->bus), - PCI_SLOT(pci_dev->devfn), PCI_FUNC(pci_dev->devfn)); -- xc_hvm_map_pcidev_to_ioreq_server(xc, dom, ioservid, -- 0, pci_bus_num(pci_dev->bus), -+ xc_hvm_map_pcidev_to_ioreq_server(xen_xc, dom, ioservid, 0, -+ pci_bus_num(pci_dev->bus), - PCI_SLOT(pci_dev->devfn), - PCI_FUNC(pci_dev->devfn)); - } - --static inline void xen_unmap_pcidev(xc_interface *xc, domid_t dom, -+static inline void xen_unmap_pcidev(domid_t dom, - ioservid_t ioservid, - PCIDevice *pci_dev) - { -@@ -320,16 +322,17 @@ static inline void xen_unmap_pcidev(xc_interface *xc, domid_t dom, - - trace_xen_unmap_pcidev(ioservid, pci_bus_num(pci_dev->bus), - PCI_SLOT(pci_dev->devfn), PCI_FUNC(pci_dev->devfn)); -- xc_hvm_unmap_pcidev_from_ioreq_server(xc, dom, ioservid, -- 0, pci_bus_num(pci_dev->bus), -+ xc_hvm_unmap_pcidev_from_ioreq_server(xen_xc, dom, ioservid, 0, -+ pci_bus_num(pci_dev->bus), - PCI_SLOT(pci_dev->devfn), - PCI_FUNC(pci_dev->devfn)); - } - --static inline void xen_create_ioreq_server(xc_interface *xc, domid_t dom, -+static inline void xen_create_ioreq_server(domid_t dom, - ioservid_t *ioservid) - { -- int rc = xc_hvm_create_ioreq_server(xc, dom, HVM_IOREQSRV_BUFIOREQ_ATOMIC, -+ int rc = xc_hvm_create_ioreq_server(xen_xc, dom, -+ HVM_IOREQSRV_BUFIOREQ_ATOMIC, - ioservid); - - if (rc == 0) { -@@ -342,7 +345,7 @@ static inline void 
xen_create_ioreq_server(xc_interface *xc, domid_t dom, - trace_xen_default_ioreq_server(); - } - --static inline void xen_destroy_ioreq_server(xc_interface *xc, domid_t dom, -+static inline void xen_destroy_ioreq_server(domid_t dom, - ioservid_t ioservid) - { - if (use_default_ioreq_server) { -@@ -350,27 +353,27 @@ static inline void xen_destroy_ioreq_server(xc_interface *xc, domid_t dom, - } - - trace_xen_ioreq_server_destroy(ioservid); -- xc_hvm_destroy_ioreq_server(xc, dom, ioservid); -+ xc_hvm_destroy_ioreq_server(xen_xc, dom, ioservid); - } - --static inline int xen_get_ioreq_server_info(xc_interface *xc, domid_t dom, -+static inline int xen_get_ioreq_server_info(domid_t dom, - ioservid_t ioservid, - xen_pfn_t *ioreq_pfn, - xen_pfn_t *bufioreq_pfn, - evtchn_port_t *bufioreq_evtchn) - { - if (use_default_ioreq_server) { -- return xen_get_default_ioreq_server_info(xc, dom, ioreq_pfn, -+ return xen_get_default_ioreq_server_info(dom, ioreq_pfn, - bufioreq_pfn, - bufioreq_evtchn); - } - -- return xc_hvm_get_ioreq_server_info(xc, dom, ioservid, -+ return xc_hvm_get_ioreq_server_info(xen_xc, dom, ioservid, - ioreq_pfn, bufioreq_pfn, - bufioreq_evtchn); - } - --static inline int xen_set_ioreq_server_state(xc_interface *xc, domid_t dom, -+static inline int xen_set_ioreq_server_state(domid_t dom, - ioservid_t ioservid, - bool enable) - { -@@ -379,7 +382,8 @@ static inline int xen_set_ioreq_server_state(xc_interface *xc, domid_t dom, - } - - trace_xen_ioreq_server_state(ioservid, enable); -- return xc_hvm_set_ioreq_server_state(xc, dom, ioservid, enable); -+ return xc_hvm_set_ioreq_server_state(xen_xc, dom, ioservid, -+ enable); - } - - #endif -diff --git a/xen-common.c b/xen-common.c -index fd2c92847e..703e7a5861 100644 ---- a/xen-common.c -+++ b/xen-common.c -@@ -25,6 +25,9 @@ - do { } while (0) - #endif - -+xc_interface *xen_xc; -+xenforeignmemory_handle *xen_fmem; -+ - static int store_dev_info(int domid, Chardev *cs, const char *string) - { - struct xs_handle *xs = 
NULL; -diff --git a/xen-hvm.c b/xen-hvm.c -index 5043beb98f..dbb8c66dd3 100644 ---- a/xen-hvm.c -+++ b/xen-hvm.c -@@ -454,10 +454,10 @@ static void xen_set_memory(struct MemoryListener *listener, - return; - } else { - if (add) { -- xen_map_memory_section(xen_xc, xen_domid, state->ioservid, -+ xen_map_memory_section(xen_domid, state->ioservid, - section); - } else { -- xen_unmap_memory_section(xen_xc, xen_domid, state->ioservid, -+ xen_unmap_memory_section(xen_domid, state->ioservid, - section); - } - } -@@ -521,7 +521,7 @@ static void xen_io_add(MemoryListener *listener, - - memory_region_ref(mr); - -- xen_map_io_section(xen_xc, xen_domid, state->ioservid, section); -+ xen_map_io_section(xen_domid, state->ioservid, section); - } - - static void xen_io_del(MemoryListener *listener, -@@ -534,7 +534,7 @@ static void xen_io_del(MemoryListener *listener, - return; - } - -- xen_unmap_io_section(xen_xc, xen_domid, state->ioservid, section); -+ xen_unmap_io_section(xen_domid, state->ioservid, section); - - memory_region_unref(mr); - } -@@ -547,7 +547,7 @@ static void xen_device_realize(DeviceListener *listener, - if (object_dynamic_cast(OBJECT(dev), TYPE_PCI_DEVICE)) { - PCIDevice *pci_dev = PCI_DEVICE(dev); - -- xen_map_pcidev(xen_xc, xen_domid, state->ioservid, pci_dev); -+ xen_map_pcidev(xen_domid, state->ioservid, pci_dev); - } - } - -@@ -559,7 +559,7 @@ static void xen_device_unrealize(DeviceListener *listener, - if (object_dynamic_cast(OBJECT(dev), TYPE_PCI_DEVICE)) { - PCIDevice *pci_dev = PCI_DEVICE(dev); - -- xen_unmap_pcidev(xen_xc, xen_domid, state->ioservid, pci_dev); -+ xen_unmap_pcidev(xen_domid, state->ioservid, pci_dev); - } - } - -@@ -1139,7 +1139,7 @@ static void xen_hvm_change_state_handler(void *opaque, int running, - xen_main_loop_prepare(state); - } - -- xen_set_ioreq_server_state(xen_xc, xen_domid, -+ xen_set_ioreq_server_state(xen_domid, - state->ioservid, - (rstate == RUN_STATE_RUNNING)); - } -@@ -1227,7 +1227,7 @@ void xen_hvm_init(PCMachineState 
*pcms, MemoryRegion **ram_memory) - goto err; - } - -- xen_create_ioreq_server(xen_xc, xen_domid, &state->ioservid); -+ xen_create_ioreq_server(xen_domid, &state->ioservid); - - state->exit.notify = xen_exit_notifier; - qemu_add_exit_notifier(&state->exit); -@@ -1238,7 +1238,7 @@ void xen_hvm_init(PCMachineState *pcms, MemoryRegion **ram_memory) - state->wakeup.notify = xen_wakeup_notifier; - qemu_register_wakeup_notifier(&state->wakeup); - -- rc = xen_get_ioreq_server_info(xen_xc, xen_domid, state->ioservid, -+ rc = xen_get_ioreq_server_info(xen_domid, state->ioservid, - &ioreq_pfn, &bufioreq_pfn, - &bufioreq_evtchn); - if (rc < 0) { -@@ -1288,7 +1288,7 @@ void xen_hvm_init(PCMachineState *pcms, MemoryRegion **ram_memory) - /* Note: cpus is empty at this point in init */ - state->cpu_by_vcpu_id = g_malloc0(max_cpus * sizeof(CPUState *)); - -- rc = xen_set_ioreq_server_state(xen_xc, xen_domid, state->ioservid, true); -+ rc = xen_set_ioreq_server_state(xen_domid, state->ioservid, true); - if (rc < 0) { - error_report("failed to enable ioreq server info: error %d handle=%p", - errno, xen_xc); --- -2.13.0 - diff --git a/0002-audio-release-capture-buffers.patch b/0002-audio-release-capture-buffers.patch deleted file mode 100644 index 143defb..0000000 --- a/0002-audio-release-capture-buffers.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -From: Gerd Hoffmann -Date: Fri, 28 Apr 2017 09:56:12 +0200 -Subject: [PATCH] audio: release capture buffers - -AUD_add_capture() allocates two buffers which are never released. -Add the missing calls to AUD_del_capture(). - -Impact: Allows vnc clients to exhaust host memory by repeatedly -starting and stopping audio capture. - -Fixes: CVE-2017-8309 -Cc: P J P -Cc: Huawei PSIRT -Reported-by: "Jiangxin (hunter, SCC)" -Signed-off-by: Gerd Hoffmann -Reviewed-by: Prasad J Pandit -Message-id: 20170428075612.9997-1-kraxel@redhat.com -(cherry picked from commit 3268a845f41253fb55852a8429c32b50f36f349a) ---- - audio/audio.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/audio/audio.c b/audio/audio.c -index c8898d8422..beafed209b 100644 ---- a/audio/audio.c -+++ b/audio/audio.c -@@ -2028,6 +2028,8 @@ void AUD_del_capture (CaptureVoiceOut *cap, void *cb_opaque) - sw = sw1; - } - QLIST_REMOVE (cap, entries); -+ g_free (cap->hw.mix_buf); -+ g_free (cap->buf); - g_free (cap); - } - return; diff --git a/0002-xen-rename-xen_modified_memory-to-xen_hvm_modified_m.patch b/0002-xen-rename-xen_modified_memory-to-xen_hvm_modified_m.patch deleted file mode 100644 index b23b2db..0000000 --- a/0002-xen-rename-xen_modified_memory-to-xen_hvm_modified_m.patch +++ /dev/null 
@@ -1,83 +0,0 @@ -From 0f6878d5529718216809846dd05b988134cb32d8 Mon Sep 17 00:00:00 2001 -From: Paul Durrant -Date: Tue, 7 Mar 2017 10:55:31 +0000 -Subject: [PATCH 2/6] xen: rename xen_modified_memory() to - xen_hvm_modified_memory() - -This patch is a purely cosmetic change that avoids a name collision in -a subsequent patch. - -Signed-off-by: Paul Durrant -Reviewed-by: Anthony Perard -Reviewed-by: Stefano Stabellini ---- - include/exec/ram_addr.h | 4 ++-- - include/hw/xen/xen.h | 2 +- - xen-hvm-stub.c | 2 +- - xen-hvm.c | 2 +- - 4 files changed, 5 insertions(+), 5 deletions(-) - -diff --git a/include/exec/ram_addr.h b/include/exec/ram_addr.h -index b05dc84ab9..29647303b0 100644 ---- a/include/exec/ram_addr.h -+++ b/include/exec/ram_addr.h -@@ -260,7 +260,7 @@ static inline void cpu_physical_memory_set_dirty_range(ram_addr_t start, - - rcu_read_unlock(); - -- xen_modified_memory(start, length); -+ xen_hvm_modified_memory(start, length); - } - - #if !defined(_WIN32) -@@ -314,7 +314,7 @@ static inline void cpu_physical_memory_set_dirty_lebitmap(unsigned long *bitmap, - - rcu_read_unlock(); - -- xen_modified_memory(start, pages << TARGET_PAGE_BITS); -+ xen_hvm_modified_memory(start, pages << TARGET_PAGE_BITS); - } else { - uint8_t clients = tcg_enabled() ? 
DIRTY_CLIENTS_ALL : DIRTY_CLIENTS_NOCODE; - /* -diff --git a/include/hw/xen/xen.h b/include/hw/xen/xen.h -index 09c2ce5170..2b1733b747 100644 ---- a/include/hw/xen/xen.h -+++ b/include/hw/xen/xen.h -@@ -43,7 +43,7 @@ void xen_hvm_init(PCMachineState *pcms, MemoryRegion **ram_memory); - - void xen_ram_alloc(ram_addr_t ram_addr, ram_addr_t size, - struct MemoryRegion *mr, Error **errp); --void xen_modified_memory(ram_addr_t start, ram_addr_t length); -+void xen_hvm_modified_memory(ram_addr_t start, ram_addr_t length); - - void xen_register_framebuffer(struct MemoryRegion *mr); - -diff --git a/xen-hvm-stub.c b/xen-hvm-stub.c -index c5003251cb..3ca6c51b21 100644 ---- a/xen-hvm-stub.c -+++ b/xen-hvm-stub.c -@@ -50,7 +50,7 @@ void xen_register_framebuffer(MemoryRegion *mr) - { - } - --void xen_modified_memory(ram_addr_t start, ram_addr_t length) -+void xen_hvm_modified_memory(ram_addr_t start, ram_addr_t length) - { - } - -diff --git a/xen-hvm.c b/xen-hvm.c -index dbb8c66dd3..edf4983702 100644 ---- a/xen-hvm.c -+++ b/xen-hvm.c -@@ -1391,7 +1391,7 @@ void xen_shutdown_fatal_error(const char *fmt, ...) - qemu_system_shutdown_request(); - } - --void xen_modified_memory(ram_addr_t start, ram_addr_t length) -+void xen_hvm_modified_memory(ram_addr_t start, ram_addr_t length) - { - if (unlikely(xen_in_migration)) { - int rc; --- -2.13.0 - diff --git a/0003-input-limit-kbd-queue-depth.patch b/0003-input-limit-kbd-queue-depth.patch deleted file mode 100644 index ca9e610..0000000 --- a/0003-input-limit-kbd-queue-depth.patch +++ /dev/null 
@@ -1,87 +0,0 @@ -From: Gerd Hoffmann -Date: Fri, 28 Apr 2017 10:42:37 +0200 -Subject: [PATCH] input: limit kbd queue depth - -Apply a limit to the number of items we accept into the keyboard queue. - -Impact: Without this limit vnc clients can exhaust host memory by -sending keyboard events faster than qemu feeds them to the guest. - -Fixes: CVE-2017-8379 -Cc: P J P -Cc: Huawei PSIRT -Reported-by: jiangxin1@huawei.com -Signed-off-by: Gerd Hoffmann -Message-id: 20170428084237.23960-1-kraxel@redhat.com -(cherry picked from commit fa18f36a461984eae50ab957e47ec78dae3c14fc) ---- - ui/input.c | 14 +++++++++++--- - 1 file changed, 11 insertions(+), 3 deletions(-) - -diff --git a/ui/input.c b/ui/input.c -index ed88cda6d6..fb1f404095 100644 ---- a/ui/input.c -+++ b/ui/input.c -@@ -41,6 +41,8 @@ static QTAILQ_HEAD(QemuInputEventQueueHead, QemuInputEventQueue) kbd_queue = - QTAILQ_HEAD_INITIALIZER(kbd_queue); - static QEMUTimer *kbd_timer; - static uint32_t kbd_default_delay_ms = 10; -+static uint32_t queue_count; -+static uint32_t queue_limit = 1024; - - QemuInputHandlerState *qemu_input_handler_register(DeviceState *dev, - QemuInputHandler *handler) -@@ -268,6 +270,7 @@ static void qemu_input_queue_process(void *opaque) - break; - } - QTAILQ_REMOVE(queue, item, node); -+ queue_count--; - g_free(item); - } - } -@@ -282,6 +285,7 @@ static void qemu_input_queue_delay(struct QemuInputEventQueueHead *queue, - item->delay_ms = delay_ms; - item->timer = timer; - QTAILQ_INSERT_TAIL(queue, item, node); -+ queue_count++; - - if (start_timer) { - timer_mod(item->timer, qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL) -@@ -298,6 +302,7 @@ static void qemu_input_queue_event(struct QemuInputEventQueueHead *queue, - item->src = src; - item->evt = evt; - QTAILQ_INSERT_TAIL(queue, item, node); -+ queue_count++; - } - - static void qemu_input_queue_sync(struct QemuInputEventQueueHead *queue) -@@ -306,6 +311,7 @@ static void qemu_input_queue_sync(struct QemuInputEventQueueHead *queue) - - item->type = 
QEMU_INPUT_QUEUE_SYNC; - QTAILQ_INSERT_TAIL(queue, item, node); -+ queue_count++; - } - - void qemu_input_event_send_impl(QemuConsole *src, InputEvent *evt) -@@ -381,7 +387,7 @@ void qemu_input_event_send_key(QemuConsole *src, KeyValue *key, bool down) - qemu_input_event_send(src, evt); - qemu_input_event_sync(); - qapi_free_InputEvent(evt); -- } else { -+ } else if (queue_count < queue_limit) { - qemu_input_queue_event(&kbd_queue, src, evt); - qemu_input_queue_sync(&kbd_queue); - } -@@ -409,8 +415,10 @@ void qemu_input_event_send_key_delay(uint32_t delay_ms) - kbd_timer = timer_new_ms(QEMU_CLOCK_VIRTUAL, qemu_input_queue_process, - &kbd_queue); - } -- qemu_input_queue_delay(&kbd_queue, kbd_timer, -- delay_ms ? delay_ms : kbd_default_delay_ms); -+ if (queue_count < queue_limit) { -+ qemu_input_queue_delay(&kbd_queue, kbd_timer, -+ delay_ms ? delay_ms : kbd_default_delay_ms); -+ } - } - - InputEvent *qemu_input_event_new_btn(InputButton btn, bool down) diff --git a/0003-xen-create-wrappers-for-all-other-uses-of-xc_hvm_XXX.patch b/0003-xen-create-wrappers-for-all-other-uses-of-xc_hvm_XXX.patch deleted file mode 100644 index a63777a..0000000 --- a/0003-xen-create-wrappers-for-all-other-uses-of-xc_hvm_XXX.patch +++ /dev/null 
@@ -1,179 +0,0 @@ -From 8a69b7e617ce170295aaff4616713c11ef2d998c Mon Sep 17 00:00:00 2001 -From: Paul Durrant -Date: Tue, 7 Mar 2017 10:55:32 +0000 -Subject: [PATCH 3/6] xen: create wrappers for all other uses of xc_hvm_XXX() - functions - -This patch creates inline wrapper functions in xen_common.h for all open -coded calls to xc_hvm_XXX() functions outside of xen_common.h so that use -of xen_xc can be made implicit. This again is in preparation for the move -to using libxendevicemodel. - -Signed-off-by: Paul Durrant -Reviewed-by: Anthony Perard -Reviewed-by: Stefano Stabellini -(cherry picked from commit 8f25e7544150abd4bfd4ef35fe152c049b5ea5e7) ---- - hw/i386/xen/xen_platform.c | 2 +- - include/hw/xen/xen_common.h | 44 ++++++++++++++++++++++++++++++++++++++++++++ - xen-hvm.c | 27 +++++++++++++-------------- - 3 files changed, 58 insertions(+), 15 deletions(-) - -diff --git a/hw/i386/xen/xen_platform.c b/hw/i386/xen/xen_platform.c -index 6010f35266..1419fc96d2 100644 ---- a/hw/i386/xen/xen_platform.c -+++ b/hw/i386/xen/xen_platform.c -@@ -195,7 +195,7 @@ static void platform_fixed_ioport_writeb(void *opaque, uint32_t addr, uint32_t v - case 0: /* Platform flags */ { - hvmmem_type_t mem_type = (val & PFFLAG_ROM_LOCK) ? - HVMMEM_ram_ro : HVMMEM_ram_rw; -- if (xc_hvm_set_mem_type(xen_xc, xen_domid, mem_type, 0xc0, 0x40)) { -+ if (xen_set_mem_type(xen_domid, mem_type, 0xc0, 0x40)) { - DPRINTF("unable to change ro/rw state of ROM memory area!\n"); - } else { - s->flags = val & PFFLAG_ROM_LOCK; -diff --git a/include/hw/xen/xen_common.h b/include/hw/xen/xen_common.h -index 1e08b98617..31cf25f846 100644 ---- a/include/hw/xen/xen_common.h -+++ b/include/hw/xen/xen_common.h -@@ -26,6 +26,50 @@ extern xc_interface *xen_xc; - * We don't support Xen prior to 4.2.0. 
- */ - -+static inline int xen_set_mem_type(domid_t domid, hvmmem_type_t type, -+ uint64_t first_pfn, uint32_t nr) -+{ -+ return xc_hvm_set_mem_type(xen_xc, domid, type, first_pfn, nr); -+} -+ -+static inline int xen_set_pci_intx_level(domid_t domid, uint16_t segment, -+ uint8_t bus, uint8_t device, -+ uint8_t intx, unsigned int level) -+{ -+ return xc_hvm_set_pci_intx_level(xen_xc, domid, segment, bus, device, -+ intx, level); -+} -+ -+static inline int xen_set_pci_link_route(domid_t domid, uint8_t link, -+ uint8_t irq) -+{ -+ return xc_hvm_set_pci_link_route(xen_xc, domid, link, irq); -+} -+ -+static inline int xen_inject_msi(domid_t domid, uint64_t msi_addr, -+ uint32_t msi_data) -+{ -+ return xc_hvm_inject_msi(xen_xc, domid, msi_addr, msi_data); -+} -+ -+static inline int xen_set_isa_irq_level(domid_t domid, uint8_t irq, -+ unsigned int level) -+{ -+ return xc_hvm_set_isa_irq_level(xen_xc, domid, irq, level); -+} -+ -+static inline int xen_track_dirty_vram(domid_t domid, uint64_t first_pfn, -+ uint32_t nr, unsigned long *bitmap) -+{ -+ return xc_hvm_track_dirty_vram(xen_xc, domid, first_pfn, nr, bitmap); -+} -+ -+static inline int xen_modified_memory(domid_t domid, uint64_t first_pfn, -+ uint32_t nr) -+{ -+ return xc_hvm_modified_memory(xen_xc, domid, first_pfn, nr); -+} -+ - /* Xen 4.2 through 4.6 */ - #if CONFIG_XEN_CTRL_INTERFACE_VERSION < 471 - -diff --git a/xen-hvm.c b/xen-hvm.c -index edf4983702..4b928cfb30 100644 ---- a/xen-hvm.c -+++ b/xen-hvm.c -@@ -125,8 +125,8 @@ int xen_pci_slot_get_pirq(PCIDevice *pci_dev, int irq_num) - - void xen_piix3_set_irq(void *opaque, int irq_num, int level) - { -- xc_hvm_set_pci_intx_level(xen_xc, xen_domid, 0, 0, irq_num >> 2, -- irq_num & 3, level); -+ xen_set_pci_intx_level(xen_domid, 0, 0, irq_num >> 2, -+ irq_num & 3, level); - } - - void xen_piix_pci_write_config_client(uint32_t address, uint32_t val, int len) -@@ -141,7 +141,7 @@ void xen_piix_pci_write_config_client(uint32_t address, uint32_t val, int len) - } - v 
&= 0xf; - if (((address + i) >= 0x60) && ((address + i) <= 0x63)) { -- xc_hvm_set_pci_link_route(xen_xc, xen_domid, address + i - 0x60, v); -+ xen_set_pci_link_route(xen_domid, address + i - 0x60, v); - } - } - } -@@ -156,7 +156,7 @@ int xen_is_pirq_msi(uint32_t msi_data) - - void xen_hvm_inject_msi(uint64_t addr, uint32_t data) - { -- xc_hvm_inject_msi(xen_xc, xen_domid, addr, data); -+ xen_inject_msi(xen_domid, addr, data); - } - - static void xen_suspend_notifier(Notifier *notifier, void *data) -@@ -168,7 +168,7 @@ static void xen_suspend_notifier(Notifier *notifier, void *data) - - static void xen_set_irq(void *opaque, int irq, int level) - { -- xc_hvm_set_isa_irq_level(xen_xc, xen_domid, irq, level); -+ xen_set_isa_irq_level(xen_domid, irq, level); - } - - qemu_irq *xen_interrupt_controller_init(void) -@@ -481,10 +481,10 @@ static void xen_set_memory(struct MemoryListener *listener, - section->mr, section->offset_within_region); - } else { - mem_type = HVMMEM_ram_ro; -- if (xc_hvm_set_mem_type(xen_xc, xen_domid, mem_type, -- start_addr >> TARGET_PAGE_BITS, -- size >> TARGET_PAGE_BITS)) { -- DPRINTF("xc_hvm_set_mem_type error, addr: "TARGET_FMT_plx"\n", -+ if (xen_set_mem_type(xen_domid, mem_type, -+ start_addr >> TARGET_PAGE_BITS, -+ size >> TARGET_PAGE_BITS)) { -+ DPRINTF("xen_set_mem_type error, addr: "TARGET_FMT_plx"\n", - start_addr); - } - } -@@ -586,9 +586,8 @@ static void xen_sync_dirty_bitmap(XenIOState *state, - return; - } - -- rc = xc_hvm_track_dirty_vram(xen_xc, xen_domid, -- start_addr >> TARGET_PAGE_BITS, npages, -- bitmap); -+ rc = xen_track_dirty_vram(xen_domid, start_addr >> TARGET_PAGE_BITS, -+ npages, bitmap); - if (rc < 0) { - #ifndef ENODATA - #define ENODATA ENOENT -@@ -634,7 +633,7 @@ static void xen_log_stop(MemoryListener *listener, MemoryRegionSection *section, - if (old & ~new & (1 << DIRTY_MEMORY_VGA)) { - state->log_for_dirtybit = NULL; - /* Disable dirty bit tracking */ -- xc_hvm_track_dirty_vram(xen_xc, xen_domid, 0, 0, NULL); -+ 
xen_track_dirty_vram(xen_domid, 0, 0, NULL); - } - } - -@@ -1403,7 +1402,7 @@ void xen_hvm_modified_memory(ram_addr_t start, ram_addr_t length) - start_pfn = start >> TARGET_PAGE_BITS; - nb_pages = ((start + length + TARGET_PAGE_SIZE - 1) >> TARGET_PAGE_BITS) - - start_pfn; -- rc = xc_hvm_modified_memory(xen_xc, xen_domid, start_pfn, nb_pages); -+ rc = xen_modified_memory(xen_domid, start_pfn, nb_pages); - if (rc) { - fprintf(stderr, - "%s failed for "RAM_ADDR_FMT" ("RAM_ADDR_FMT"): %i, %s\n", --- -2.13.0 - diff --git a/0004-configure-detect-presence-of-libxendevicemodel.patch b/0004-configure-detect-presence-of-libxendevicemodel.patch deleted file mode 100644 index de3b6e6..0000000 --- a/0004-configure-detect-presence-of-libxendevicemodel.patch +++ /dev/null 
@@ -1,60 +0,0 @@ -From 85f61ad8c70b51e541745503d650d0e628809c17 Mon Sep 17 00:00:00 2001 -From: Paul Durrant -Date: Tue, 7 Mar 2017 10:55:33 +0000 -Subject: [PATCH 4/6] configure: detect presence of libxendevicemodel - -This patch adds code in configure to set CONFIG_XEN_CTRL_INTERFACE_VERSION -to a new value of 490 if libxendevicemodel is present in the build -environment. - -Signed-off-by: Paul Durrant -Signed-off-by: Stefano Stabellini -Reviewed-by: Anthony Perard -Reviewed-by: Stefano Stabellini -(cherry picked from commit da8090ccb7735aed5a46ce27dfbe8486cfce61f5) ---- - configure | 21 ++++++++++++++++++++- - 1 file changed, 20 insertions(+), 1 deletion(-) - -diff --git a/configure b/configure -index be4d326ae0..092cb7359d 100755 ---- a/configure -+++ b/configure -@@ -1989,7 +1989,7 @@ fi - - if test "$xen" != "no" ; then - xen_libs="-lxenstore -lxenctrl -lxenguest" -- xen_stable_libs="-lxenforeignmemory -lxengnttab -lxenevtchn" -+ xen_stable_libs="-lxencall -lxenforeignmemory -lxengnttab -lxenevtchn" - - # First we test whether Xen headers and libraries are available. - # If no, we are done and there is no Xen support. -@@ -2012,6 +2012,25 @@ EOF - # Xen unstable - elif - cat > $TMPC < -+int main(void) { -+ xendevicemodel_handle *xd; -+ -+ xd = xendevicemodel_open(0, 0); -+ xendevicemodel_close(xd); -+ -+ return 0; -+} -+EOF -+ compile_prog "" "$xen_libs -lxendevicemodel $xen_stable_libs" -+ then -+ xen_stable_libs="-lxendevicemodel $xen_stable_libs" -+ xen_ctrl_version=490 -+ xen=yes -+ elif -+ cat > $TMPC < -Date: Mon, 24 Apr 2017 17:36:34 +0530 -Subject: [PATCH] scsi: avoid an off-by-one error in megasas_mmio_write - -While reading magic sequence(MFI_SEQ) in megasas_mmio_write, -an off-by-one error could occur as 's->adp_reset' index is not -reset after reading the last sequence. 
- -Reported-by: YY Z -Signed-off-by: Prasad J Pandit -Message-Id: <20170424120634.12268-1-ppandit@redhat.com> -Signed-off-by: Paolo Bonzini -(cherry picked from commit 24dfa9fa2f90a95ac33c7372de4f4f2c8a2c141f) ---- - hw/scsi/megasas.c | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c -index 84b8caf901..804122ab05 100644 ---- a/hw/scsi/megasas.c -+++ b/hw/scsi/megasas.c -@@ -2138,15 +2138,15 @@ static void megasas_mmio_write(void *opaque, hwaddr addr, - case MFI_SEQ: - trace_megasas_mmio_writel("MFI_SEQ", val); - /* Magic sequence to start ADP reset */ -- if (adp_reset_seq[s->adp_reset] == val) { -- s->adp_reset++; -+ if (adp_reset_seq[s->adp_reset++] == val) { -+ if (s->adp_reset == 6) { -+ s->adp_reset = 0; -+ s->diag = MFI_DIAG_WRITE_ENABLE; -+ } - } else { - s->adp_reset = 0; - s->diag = 0; - } -- if (s->adp_reset == 6) { -- s->diag = MFI_DIAG_WRITE_ENABLE; -- } - break; - case MFI_DIAG: - trace_megasas_mmio_writel("MFI_DIAG", val); diff --git a/0005-9pfs-local-forbid-client-access-to-metadata-CVE-2017.patch b/0005-9pfs-local-forbid-client-access-to-metadata-CVE-2017.patch deleted file mode 100644 index c8af0b5..0000000 --- a/0005-9pfs-local-forbid-client-access-to-metadata-CVE-2017.patch +++ /dev/null 
@@ -1,171 +0,0 @@ -From: Greg Kurz -Date: Fri, 5 May 2017 14:48:08 +0200 -Subject: [PATCH] 9pfs: local: forbid client access to metadata (CVE-2017-7493) - -When using the mapped-file security mode, we shouldn't let the client mess -with the metadata. The current code already tries to hide the metadata dir -from the client by skipping it in local_readdir(). But the client can still -access or modify it through several other operations. This can be used to -escalate privileges in the guest. - -Affected backend operations are: -- local_mknod() -- local_mkdir() -- local_open2() -- local_symlink() -- local_link() -- local_unlinkat() -- local_renameat() -- local_rename() -- local_name_to_path() - -Other operations are safe because they are only passed a fid path, which -is computed internally in local_name_to_path(). - -This patch converts all the functions listed above to fail and return -EINVAL when being passed the name of the metadata dir. This may look -like a poor choice for errno, but there's no such thing as an illegal -path name on Linux and I could not think of anything better. - -This fixes CVE-2017-7493. 
- -Reported-by: Leo Gaspard -Signed-off-by: Greg Kurz -Reviewed-by: Eric Blake -(cherry picked from commit 7a95434e0ca8a037fd8aa1a2e2461f92585eb77b) ---- - hw/9pfs/9p-local.c | 58 ++++++++++++++++++++++++++++++++++++++++++++++++++++-- - 1 file changed, 56 insertions(+), 2 deletions(-) - -diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c -index f3ebca4f7a..a2486566af 100644 ---- a/hw/9pfs/9p-local.c -+++ b/hw/9pfs/9p-local.c -@@ -452,6 +452,11 @@ static off_t local_telldir(FsContext *ctx, V9fsFidOpenState *fs) - return telldir(fs->dir.stream); - } - -+static bool local_is_mapped_file_metadata(FsContext *fs_ctx, const char *name) -+{ -+ return !strcmp(name, VIRTFS_META_DIR); -+} -+ - static struct dirent *local_readdir(FsContext *ctx, V9fsFidOpenState *fs) - { - struct dirent *entry; -@@ -465,8 +470,8 @@ again: - if (ctx->export_flags & V9FS_SM_MAPPED) { - entry->d_type = DT_UNKNOWN; - } else if (ctx->export_flags & V9FS_SM_MAPPED_FILE) { -- if (!strcmp(entry->d_name, VIRTFS_META_DIR)) { -- /* skp the meta data directory */ -+ if (local_is_mapped_file_metadata(ctx, entry->d_name)) { -+ /* skip the meta data directory */ - goto again; - } - entry->d_type = DT_UNKNOWN; -@@ -559,6 +564,12 @@ static int local_mknod(FsContext *fs_ctx, V9fsPath *dir_path, - int err = -1; - int dirfd; - -+ if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE && -+ local_is_mapped_file_metadata(fs_ctx, name)) { -+ errno = EINVAL; -+ return -1; -+ } -+ - dirfd = local_opendir_nofollow(fs_ctx, dir_path->data); - if (dirfd == -1) { - return -1; -@@ -605,6 +616,12 @@ static int local_mkdir(FsContext *fs_ctx, V9fsPath *dir_path, - int err = -1; - int dirfd; - -+ if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE && -+ local_is_mapped_file_metadata(fs_ctx, name)) { -+ errno = EINVAL; -+ return -1; -+ } -+ - dirfd = local_opendir_nofollow(fs_ctx, dir_path->data); - if (dirfd == -1) { - return -1; -@@ -694,6 +711,12 @@ static int local_open2(FsContext *fs_ctx, V9fsPath *dir_path, const char *name, - int 
err = -1; - int dirfd; - -+ if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE && -+ local_is_mapped_file_metadata(fs_ctx, name)) { -+ errno = EINVAL; -+ return -1; -+ } -+ - /* - * Mark all the open to not follow symlinks - */ -@@ -752,6 +775,12 @@ static int local_symlink(FsContext *fs_ctx, const char *oldpath, - int err = -1; - int dirfd; - -+ if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE && -+ local_is_mapped_file_metadata(fs_ctx, name)) { -+ errno = EINVAL; -+ return -1; -+ } -+ - dirfd = local_opendir_nofollow(fs_ctx, dir_path->data); - if (dirfd == -1) { - return -1; -@@ -826,6 +855,12 @@ static int local_link(FsContext *ctx, V9fsPath *oldpath, - int ret = -1; - int odirfd, ndirfd; - -+ if (ctx->export_flags & V9FS_SM_MAPPED_FILE && -+ local_is_mapped_file_metadata(ctx, name)) { -+ errno = EINVAL; -+ return -1; -+ } -+ - odirfd = local_opendir_nofollow(ctx, odirpath); - if (odirfd == -1) { - goto out; -@@ -1096,6 +1131,12 @@ static int local_lremovexattr(FsContext *ctx, V9fsPath *fs_path, - static int local_name_to_path(FsContext *ctx, V9fsPath *dir_path, - const char *name, V9fsPath *target) - { -+ if (ctx->export_flags & V9FS_SM_MAPPED_FILE && -+ local_is_mapped_file_metadata(ctx, name)) { -+ errno = EINVAL; -+ return -1; -+ } -+ - if (dir_path) { - v9fs_path_sprintf(target, "%s/%s", dir_path->data, name); - } else if (strcmp(name, "/")) { -@@ -1116,6 +1157,13 @@ static int local_renameat(FsContext *ctx, V9fsPath *olddir, - int ret; - int odirfd, ndirfd; - -+ if (ctx->export_flags & V9FS_SM_MAPPED_FILE && -+ (local_is_mapped_file_metadata(ctx, old_name) || -+ local_is_mapped_file_metadata(ctx, new_name))) { -+ errno = EINVAL; -+ return -1; -+ } -+ - odirfd = local_opendir_nofollow(ctx, olddir->data); - if (odirfd == -1) { - return -1; -@@ -1206,6 +1254,12 @@ static int local_unlinkat(FsContext *ctx, V9fsPath *dir, - int ret; - int dirfd; - -+ if (ctx->export_flags & V9FS_SM_MAPPED_FILE && -+ local_is_mapped_file_metadata(ctx, name)) { -+ errno = EINVAL; -+ 
return -1; -+ } -+ - dirfd = local_opendir_nofollow(ctx, dir->data); - if (dirfd == -1) { - return -1; diff --git a/0005-xen-use-libxendevicemodel-when-available.patch b/0005-xen-use-libxendevicemodel-when-available.patch deleted file mode 100644 index 72121f3..0000000 --- a/0005-xen-use-libxendevicemodel-when-available.patch +++ /dev/null 
@@ -1,371 +0,0 @@ -From c4fa82c4d243730daccdf5b6668fb8e559460a76 Mon Sep 17 00:00:00 2001 -From: Paul Durrant -Date: Tue, 7 Mar 2017 10:55:34 +0000 -Subject: [PATCH 5/6] xen: use libxendevicemodel when available - -This patch modifies the wrapper functions in xen_common.h to use the -new xendevicemodel interface if it is available along with compatibility -code to use the old libxenctrl interface if it is not. - -Signed-off-by: Paul Durrant -Signed-off-by: Stefano Stabellini -Reviewed-by: Anthony Perard -Reviewed-by: Stefano Stabellini -(cherry picked from commit d655f34e6d6a68f64e885fa85295e0c7a31ce846) ---- - include/hw/xen/xen_common.h | 203 +++++++++++++++++++++++++++++++++++++------- - xen-common.c | 8 ++ - 2 files changed, 178 insertions(+), 33 deletions(-) - -diff --git a/include/hw/xen/xen_common.h b/include/hw/xen/xen_common.h -index 31cf25f846..b1f5f53e35 100644 ---- a/include/hw/xen/xen_common.h -+++ b/include/hw/xen/xen_common.h -@@ -26,48 +26,184 @@ extern xc_interface *xen_xc; - * We don't support Xen prior to 4.2.0. 
- */ - -+#if CONFIG_XEN_CTRL_INTERFACE_VERSION < 490 -+ -+typedef xc_interface xendevicemodel_handle; -+ -+static inline xendevicemodel_handle *xendevicemodel_open( -+ struct xentoollog_logger *logger, unsigned int open_flags) -+{ -+ return xen_xc; -+} -+ -+#if CONFIG_XEN_CTRL_INTERFACE_VERSION >= 450 -+ -+static inline int xendevicemodel_create_ioreq_server( -+ xendevicemodel_handle *dmod, domid_t domid, int handle_bufioreq, -+ ioservid_t *id) -+{ -+ return xc_hvm_create_ioreq_server(dmod, domid, handle_bufioreq, -+ id); -+} -+ -+static inline int xendevicemodel_get_ioreq_server_info( -+ xendevicemodel_handle *dmod, domid_t domid, ioservid_t id, -+ xen_pfn_t *ioreq_pfn, xen_pfn_t *bufioreq_pfn, -+ evtchn_port_t *bufioreq_port) -+{ -+ return xc_hvm_get_ioreq_server_info(dmod, domid, id, ioreq_pfn, -+ bufioreq_pfn, bufioreq_port); -+} -+ -+static inline int xendevicemodel_map_io_range_to_ioreq_server( -+ xendevicemodel_handle *dmod, domid_t domid, ioservid_t id, int is_mmio, -+ uint64_t start, uint64_t end) -+{ -+ return xc_hvm_map_io_range_to_ioreq_server(dmod, domid, id, is_mmio, -+ start, end); -+} -+ -+static inline int xendevicemodel_unmap_io_range_from_ioreq_server( -+ xendevicemodel_handle *dmod, domid_t domid, ioservid_t id, int is_mmio, -+ uint64_t start, uint64_t end) -+{ -+ return xc_hvm_unmap_io_range_from_ioreq_server(dmod, domid, id, is_mmio, -+ start, end); -+} -+ -+static inline int xendevicemodel_map_pcidev_to_ioreq_server( -+ xendevicemodel_handle *dmod, domid_t domid, ioservid_t id, -+ uint16_t segment, uint8_t bus, uint8_t device, uint8_t function) -+{ -+ return xc_hvm_map_pcidev_to_ioreq_server(dmod, domid, id, segment, -+ bus, device, function); -+} -+ -+static inline int xendevicemodel_unmap_pcidev_from_ioreq_server( -+ xendevicemodel_handle *dmod, domid_t domid, ioservid_t id, -+ uint16_t segment, uint8_t bus, uint8_t device, uint8_t function) -+{ -+ return xc_hvm_unmap_pcidev_from_ioreq_server(dmod, domid, id, segment, -+ bus, device, 
function); -+} -+ -+static inline int xendevicemodel_destroy_ioreq_server( -+ xendevicemodel_handle *dmod, domid_t domid, ioservid_t id) -+{ -+ return xc_hvm_destroy_ioreq_server(dmod, domid, id); -+} -+ -+static inline int xendevicemodel_set_ioreq_server_state( -+ xendevicemodel_handle *dmod, domid_t domid, ioservid_t id, int enabled) -+{ -+ return xc_hvm_set_ioreq_server_state(dmod, domid, id, enabled); -+} -+ -+#endif /* CONFIG_XEN_CTRL_INTERFACE_VERSION >= 450 */ -+ -+static inline int xendevicemodel_set_pci_intx_level( -+ xendevicemodel_handle *dmod, domid_t domid, uint16_t segment, -+ uint8_t bus, uint8_t device, uint8_t intx, unsigned int level) -+{ -+ return xc_hvm_set_pci_intx_level(dmod, domid, segment, bus, device, -+ intx, level); -+} -+ -+static inline int xendevicemodel_set_isa_irq_level( -+ xendevicemodel_handle *dmod, domid_t domid, uint8_t irq, -+ unsigned int level) -+{ -+ return xc_hvm_set_isa_irq_level(dmod, domid, irq, level); -+} -+ -+static inline int xendevicemodel_set_pci_link_route( -+ xendevicemodel_handle *dmod, domid_t domid, uint8_t link, uint8_t irq) -+{ -+ return xc_hvm_set_pci_link_route(dmod, domid, link, irq); -+} -+ -+static inline int xendevicemodel_inject_msi( -+ xendevicemodel_handle *dmod, domid_t domid, uint64_t msi_addr, -+ uint32_t msi_data) -+{ -+ return xc_hvm_inject_msi(dmod, domid, msi_addr, msi_data); -+} -+ -+static inline int xendevicemodel_track_dirty_vram( -+ xendevicemodel_handle *dmod, domid_t domid, uint64_t first_pfn, -+ uint32_t nr, unsigned long *dirty_bitmap) -+{ -+ return xc_hvm_track_dirty_vram(dmod, domid, first_pfn, nr, -+ dirty_bitmap); -+} -+ -+static inline int xendevicemodel_modified_memory( -+ xendevicemodel_handle *dmod, domid_t domid, uint64_t first_pfn, -+ uint32_t nr) -+{ -+ return xc_hvm_modified_memory(dmod, domid, first_pfn, nr); -+} -+ -+static inline int xendevicemodel_set_mem_type( -+ xendevicemodel_handle *dmod, domid_t domid, hvmmem_type_t mem_type, -+ uint64_t first_pfn, uint32_t nr) 
-+{ -+ return xc_hvm_set_mem_type(dmod, domid, mem_type, first_pfn, nr); -+} -+ -+#else /* CONFIG_XEN_CTRL_INTERFACE_VERSION >= 490 */ -+ -+#undef XC_WANT_COMPAT_DEVICEMODEL_API -+#include -+ -+#endif -+ -+extern xendevicemodel_handle *xen_dmod; -+ - static inline int xen_set_mem_type(domid_t domid, hvmmem_type_t type, - uint64_t first_pfn, uint32_t nr) - { -- return xc_hvm_set_mem_type(xen_xc, domid, type, first_pfn, nr); -+ return xendevicemodel_set_mem_type(xen_dmod, domid, type, first_pfn, -+ nr); - } - - static inline int xen_set_pci_intx_level(domid_t domid, uint16_t segment, - uint8_t bus, uint8_t device, - uint8_t intx, unsigned int level) - { -- return xc_hvm_set_pci_intx_level(xen_xc, domid, segment, bus, device, -- intx, level); -+ return xendevicemodel_set_pci_intx_level(xen_dmod, domid, segment, bus, -+ device, intx, level); - } - - static inline int xen_set_pci_link_route(domid_t domid, uint8_t link, - uint8_t irq) - { -- return xc_hvm_set_pci_link_route(xen_xc, domid, link, irq); -+ return xendevicemodel_set_pci_link_route(xen_dmod, domid, link, irq); - } - - static inline int xen_inject_msi(domid_t domid, uint64_t msi_addr, - uint32_t msi_data) - { -- return xc_hvm_inject_msi(xen_xc, domid, msi_addr, msi_data); -+ return xendevicemodel_inject_msi(xen_dmod, domid, msi_addr, msi_data); - } - - static inline int xen_set_isa_irq_level(domid_t domid, uint8_t irq, - unsigned int level) - { -- return xc_hvm_set_isa_irq_level(xen_xc, domid, irq, level); -+ return xendevicemodel_set_isa_irq_level(xen_dmod, domid, irq, level); - } - - static inline int xen_track_dirty_vram(domid_t domid, uint64_t first_pfn, - uint32_t nr, unsigned long *bitmap) - { -- return xc_hvm_track_dirty_vram(xen_xc, domid, first_pfn, nr, bitmap); -+ return xendevicemodel_track_dirty_vram(xen_dmod, domid, first_pfn, nr, -+ bitmap); - } - - static inline int xen_modified_memory(domid_t domid, uint64_t first_pfn, - uint32_t nr) - { -- return xc_hvm_modified_memory(xen_xc, domid, 
first_pfn, nr); -+ return xendevicemodel_modified_memory(xen_dmod, domid, first_pfn, nr); - } - - /* Xen 4.2 through 4.6 */ -@@ -97,6 +233,7 @@ typedef xc_gnttab xengnttab_handle; - xc_gnttab_map_domain_grant_refs(h, c, d, r, p) - - #define xenforeignmemory_open(l, f) xen_xc -+#define xenforeignmemory_close(h) - - static inline void *xenforeignmemory_map(xc_interface *h, uint32_t dom, - int prot, size_t pages, -@@ -285,8 +422,8 @@ static inline void xen_map_memory_section(domid_t dom, - } - - trace_xen_map_mmio_range(ioservid, start_addr, end_addr); -- xc_hvm_map_io_range_to_ioreq_server(xen_xc, dom, ioservid, 1, -- start_addr, end_addr); -+ xendevicemodel_map_io_range_to_ioreq_server(xen_dmod, dom, ioservid, 1, -+ start_addr, end_addr); - } - - static inline void xen_unmap_memory_section(domid_t dom, -@@ -302,8 +439,8 @@ static inline void xen_unmap_memory_section(domid_t dom, - } - - trace_xen_unmap_mmio_range(ioservid, start_addr, end_addr); -- xc_hvm_unmap_io_range_from_ioreq_server(xen_xc, dom, ioservid, -- 1, start_addr, end_addr); -+ xendevicemodel_unmap_io_range_from_ioreq_server(xen_dmod, dom, ioservid, -+ 1, start_addr, end_addr); - } - - static inline void xen_map_io_section(domid_t dom, -@@ -319,8 +456,8 @@ static inline void xen_map_io_section(domid_t dom, - } - - trace_xen_map_portio_range(ioservid, start_addr, end_addr); -- xc_hvm_map_io_range_to_ioreq_server(xen_xc, dom, ioservid, 0, -- start_addr, end_addr); -+ xendevicemodel_map_io_range_to_ioreq_server(xen_dmod, dom, ioservid, 0, -+ start_addr, end_addr); - } - - static inline void xen_unmap_io_section(domid_t dom, -@@ -336,8 +473,8 @@ static inline void xen_unmap_io_section(domid_t dom, - } - - trace_xen_unmap_portio_range(ioservid, start_addr, end_addr); -- xc_hvm_unmap_io_range_from_ioreq_server(xen_xc, dom, ioservid, -- 0, start_addr, end_addr); -+ xendevicemodel_unmap_io_range_from_ioreq_server(xen_dmod, dom, ioservid, -+ 0, start_addr, end_addr); - } - - static inline void 
xen_map_pcidev(domid_t dom, -@@ -350,10 +487,10 @@ static inline void xen_map_pcidev(domid_t dom, - - trace_xen_map_pcidev(ioservid, pci_bus_num(pci_dev->bus), - PCI_SLOT(pci_dev->devfn), PCI_FUNC(pci_dev->devfn)); -- xc_hvm_map_pcidev_to_ioreq_server(xen_xc, dom, ioservid, 0, -- pci_bus_num(pci_dev->bus), -- PCI_SLOT(pci_dev->devfn), -- PCI_FUNC(pci_dev->devfn)); -+ xendevicemodel_map_pcidev_to_ioreq_server(xen_dmod, dom, ioservid, 0, -+ pci_bus_num(pci_dev->bus), -+ PCI_SLOT(pci_dev->devfn), -+ PCI_FUNC(pci_dev->devfn)); - } - - static inline void xen_unmap_pcidev(domid_t dom, -@@ -366,18 +503,18 @@ static inline void xen_unmap_pcidev(domid_t dom, - - trace_xen_unmap_pcidev(ioservid, pci_bus_num(pci_dev->bus), - PCI_SLOT(pci_dev->devfn), PCI_FUNC(pci_dev->devfn)); -- xc_hvm_unmap_pcidev_from_ioreq_server(xen_xc, dom, ioservid, 0, -- pci_bus_num(pci_dev->bus), -- PCI_SLOT(pci_dev->devfn), -- PCI_FUNC(pci_dev->devfn)); -+ xendevicemodel_unmap_pcidev_from_ioreq_server(xen_dmod, dom, ioservid, 0, -+ pci_bus_num(pci_dev->bus), -+ PCI_SLOT(pci_dev->devfn), -+ PCI_FUNC(pci_dev->devfn)); - } - - static inline void xen_create_ioreq_server(domid_t dom, - ioservid_t *ioservid) - { -- int rc = xc_hvm_create_ioreq_server(xen_xc, dom, -- HVM_IOREQSRV_BUFIOREQ_ATOMIC, -- ioservid); -+ int rc = xendevicemodel_create_ioreq_server(xen_dmod, dom, -+ HVM_IOREQSRV_BUFIOREQ_ATOMIC, -+ ioservid); - - if (rc == 0) { - trace_xen_ioreq_server_create(*ioservid); -@@ -397,7 +534,7 @@ static inline void xen_destroy_ioreq_server(domid_t dom, - } - - trace_xen_ioreq_server_destroy(ioservid); -- xc_hvm_destroy_ioreq_server(xen_xc, dom, ioservid); -+ xendevicemodel_destroy_ioreq_server(xen_dmod, dom, ioservid); - } - - static inline int xen_get_ioreq_server_info(domid_t dom, -@@ -412,9 +549,9 @@ static inline int xen_get_ioreq_server_info(domid_t dom, - bufioreq_evtchn); - } - -- return xc_hvm_get_ioreq_server_info(xen_xc, dom, ioservid, -- ioreq_pfn, bufioreq_pfn, -- bufioreq_evtchn); -+ return 
xendevicemodel_get_ioreq_server_info(xen_dmod, dom, ioservid, -+ ioreq_pfn, bufioreq_pfn, -+ bufioreq_evtchn); - } - - static inline int xen_set_ioreq_server_state(domid_t dom, -@@ -426,8 +563,8 @@ static inline int xen_set_ioreq_server_state(domid_t dom, - } - - trace_xen_ioreq_server_state(ioservid, enable); -- return xc_hvm_set_ioreq_server_state(xen_xc, dom, ioservid, -- enable); -+ return xendevicemodel_set_ioreq_server_state(xen_dmod, dom, ioservid, -+ enable); - } - - #endif -diff --git a/xen-common.c b/xen-common.c -index 703e7a5861..ae76150e8a 100644 ---- a/xen-common.c -+++ b/xen-common.c -@@ -27,6 +27,7 @@ - - xc_interface *xen_xc; - xenforeignmemory_handle *xen_fmem; -+xendevicemodel_handle *xen_dmod; - - static int store_dev_info(int domid, Chardev *cs, const char *string) - { -@@ -128,6 +129,13 @@ static int xen_init(MachineState *ms) - xc_interface_close(xen_xc); - return -1; - } -+ xen_dmod = xendevicemodel_open(0, 0); -+ if (xen_dmod == NULL) { -+ xen_pv_printf(NULL, 0, "can't open xen devicemodel interface\n"); -+ xenforeignmemory_close(xen_fmem); -+ xc_interface_close(xen_xc); -+ return -1; -+ } - qemu_add_vm_change_state_handler(xen_change_state_handler, NULL); - - global_state_set_optional(); --- -2.13.0 - diff --git a/0006-megasas-do-not-read-sense-length-more-than-once-from.patch b/0006-megasas-do-not-read-sense-length-more-than-once-from.patch deleted file mode 100644 index b2a2e6d..0000000 --- a/0006-megasas-do-not-read-sense-length-more-than-once-from.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -From: Paolo Bonzini -Date: Thu, 1 Jun 2017 17:18:39 +0200 -Subject: [PATCH] megasas: do not read sense length more than once from frame - -Avoid TOC-TOU bugs depending on how the compiler behaves. - -Signed-off-by: Paolo Bonzini -(cherry picked from commit 134550bf81a026e18cf58b81e2c2cceaf516f92e) ---- - hw/scsi/megasas.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c -index 804122ab05..1888118e5f 100644 ---- a/hw/scsi/megasas.c -+++ b/hw/scsi/megasas.c -@@ -309,9 +309,11 @@ static int megasas_build_sense(MegasasCmd *cmd, uint8_t *sense_ptr, - PCIDevice *pcid = PCI_DEVICE(cmd->state); - uint32_t pa_hi = 0, pa_lo; - hwaddr pa; -+ int frame_sense_len; - -- if (sense_len > cmd->frame->header.sense_len) { -- sense_len = cmd->frame->header.sense_len; -+ frame_sense_len = cmd->frame->header.sense_len; -+ if (sense_len > frame_sense_len) { -+ sense_len = frame_sense_len; - } - if (sense_len) { - pa_lo = le32_to_cpu(cmd->frame->pass.sense_addr_lo); diff --git a/0006-xen-use-5-digit-xen-versions.patch b/0006-xen-use-5-digit-xen-versions.patch deleted file mode 100644 index 4a63356..0000000 --- a/0006-xen-use-5-digit-xen-versions.patch +++ /dev/null 
@@ -1,217 +0,0 @@ -From 490e4b67768f167736c0a1084a5d6917431c783e Mon Sep 17 00:00:00 2001 -From: Juergen Gross -Date: Thu, 16 Mar 2017 15:19:52 +0100 -Subject: [PATCH 6/6] xen: use 5 digit xen versions - -Today qemu is using e.g. the value 480 for Xen version 4.8.0. As some -Xen version tests are using ">" relations this scheme will lead to -problems when Xen version 4.10.0 is being reached. - -Instead of the 3 digit schem use a 5 digit scheme (e.g. 40800 for -version 4.8.0). - -Signed-off-by: Juergen Gross -Signed-off-by: Stefano Stabellini -Reviewed-by: Stefano Stabellini -(cherry picked from commit f1167ee684279bffabe7bb3ab23eff87577fe427) ---- - configure | 16 ++++++++-------- - hw/block/xen_disk.c | 2 +- - include/hw/xen/xen_common.h | 22 +++++++++++----------- - 3 files changed, 20 insertions(+), 20 deletions(-) - -diff --git a/configure b/configure -index 092cb7359d..d5ee30aad8 100755 ---- a/configure -+++ b/configure -@@ -2027,7 +2027,7 @@ EOF - compile_prog "" "$xen_libs -lxendevicemodel $xen_stable_libs" - then - xen_stable_libs="-lxendevicemodel $xen_stable_libs" -- xen_ctrl_version=490 -+ xen_ctrl_version=40900 - xen=yes - elif - cat > $TMPC < $TMPC < $TMPC <= 480 -+#if CONFIG_XEN_CTRL_INTERFACE_VERSION >= 40800 - - static void ioreq_free_copy_buffers(struct ioreq *ioreq) - { -diff --git a/include/hw/xen/xen_common.h b/include/hw/xen/xen_common.h -index b1f5f53e35..fa990a07c0 100644 ---- a/include/hw/xen/xen_common.h -+++ b/include/hw/xen/xen_common.h -@@ -26,7 +26,7 @@ extern xc_interface *xen_xc; - * We don't support Xen prior to 4.2.0. 
- */ - --#if CONFIG_XEN_CTRL_INTERFACE_VERSION < 490 -+#if CONFIG_XEN_CTRL_INTERFACE_VERSION < 40900 - - typedef xc_interface xendevicemodel_handle; - -@@ -36,7 +36,7 @@ static inline xendevicemodel_handle *xendevicemodel_open( - return xen_xc; - } - --#if CONFIG_XEN_CTRL_INTERFACE_VERSION >= 450 -+#if CONFIG_XEN_CTRL_INTERFACE_VERSION >= 40500 - - static inline int xendevicemodel_create_ioreq_server( - xendevicemodel_handle *dmod, domid_t domid, int handle_bufioreq, -@@ -99,7 +99,7 @@ static inline int xendevicemodel_set_ioreq_server_state( - return xc_hvm_set_ioreq_server_state(dmod, domid, id, enabled); - } - --#endif /* CONFIG_XEN_CTRL_INTERFACE_VERSION >= 450 */ -+#endif /* CONFIG_XEN_CTRL_INTERFACE_VERSION >= 40500 */ - - static inline int xendevicemodel_set_pci_intx_level( - xendevicemodel_handle *dmod, domid_t domid, uint16_t segment, -@@ -151,7 +151,7 @@ static inline int xendevicemodel_set_mem_type( - return xc_hvm_set_mem_type(dmod, domid, mem_type, first_pfn, nr); - } - --#else /* CONFIG_XEN_CTRL_INTERFACE_VERSION >= 490 */ -+#else /* CONFIG_XEN_CTRL_INTERFACE_VERSION >= 40900 */ - - #undef XC_WANT_COMPAT_DEVICEMODEL_API - #include -@@ -207,7 +207,7 @@ static inline int xen_modified_memory(domid_t domid, uint64_t first_pfn, - } - - /* Xen 4.2 through 4.6 */ --#if CONFIG_XEN_CTRL_INTERFACE_VERSION < 471 -+#if CONFIG_XEN_CTRL_INTERFACE_VERSION < 40701 - - typedef xc_interface xenforeignmemory_handle; - typedef xc_evtchn xenevtchn_handle; -@@ -248,7 +248,7 @@ static inline void *xenforeignmemory_map(xc_interface *h, uint32_t dom, - - #define xenforeignmemory_unmap(h, p, s) munmap(p, s * XC_PAGE_SIZE) - --#else /* CONFIG_XEN_CTRL_INTERFACE_VERSION >= 471 */ -+#else /* CONFIG_XEN_CTRL_INTERFACE_VERSION >= 40701 */ - - #include - #include -@@ -284,7 +284,7 @@ static inline int xen_get_vmport_regs_pfn(xc_interface *xc, domid_t dom, - #endif - - /* Xen before 4.6 */ --#if CONFIG_XEN_CTRL_INTERFACE_VERSION < 460 -+#if CONFIG_XEN_CTRL_INTERFACE_VERSION < 40600 - 
- #ifndef HVM_IOREQSRV_BUFIOREQ_ATOMIC - #define HVM_IOREQSRV_BUFIOREQ_ATOMIC 2 -@@ -330,7 +330,7 @@ static inline int xen_get_default_ioreq_server_info(domid_t dom, - } - - /* Xen before 4.5 */ --#if CONFIG_XEN_CTRL_INTERFACE_VERSION < 450 -+#if CONFIG_XEN_CTRL_INTERFACE_VERSION < 40500 - - #ifndef HVM_PARAM_BUFIOREQ_EVTCHN - #define HVM_PARAM_BUFIOREQ_EVTCHN 26 -@@ -569,7 +569,7 @@ static inline int xen_set_ioreq_server_state(domid_t dom, - - #endif - --#if CONFIG_XEN_CTRL_INTERFACE_VERSION < 460 -+#if CONFIG_XEN_CTRL_INTERFACE_VERSION < 40600 - static inline int xen_xc_domain_add_to_physmap(xc_interface *xch, uint32_t domid, - unsigned int space, - unsigned long idx, -@@ -592,7 +592,7 @@ static inline int xen_xc_domain_add_to_physmap(xc_interface *xch, uint32_t domid - #endif - - #ifdef CONFIG_XEN_PV_DOMAIN_BUILD --#if CONFIG_XEN_CTRL_INTERFACE_VERSION < 470 -+#if CONFIG_XEN_CTRL_INTERFACE_VERSION < 40700 - static inline int xen_domain_create(xc_interface *xc, uint32_t ssidref, - xen_domain_handle_t handle, uint32_t flags, - uint32_t *pdomid) -@@ -611,7 +611,7 @@ static inline int xen_domain_create(xc_interface *xc, uint32_t ssidref, - - /* Xen before 4.8 */ - --#if CONFIG_XEN_CTRL_INTERFACE_VERSION < 480 -+#if CONFIG_XEN_CTRL_INTERFACE_VERSION < 40800 - - - typedef void *xengnttab_grant_copy_segment_t; --- -2.13.0 - diff --git a/0007-megasas-do-not-read-iovec-count-more-than-once-from-.patch b/0007-megasas-do-not-read-iovec-count-more-than-once-from-.patch deleted file mode 100644 index 62eda4d..0000000 --- a/0007-megasas-do-not-read-iovec-count-more-than-once-from-.patch +++ /dev/null 
@@ -1,37 +0,0 @@ -From: Paolo Bonzini -Date: Thu, 1 Jun 2017 17:18:57 +0200 -Subject: [PATCH] megasas: do not read iovec count more than once from frame - -Avoid TOC-TOU bugs depending on how the compiler behaves. - -Signed-off-by: Paolo Bonzini -(cherry picked from commit 24c0c77af515acbf0f9705e8096f33ef24d37430) ---- - hw/scsi/megasas.c | 9 +++++---- - 1 file changed, 5 insertions(+), 4 deletions(-) - -diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c -index 1888118e5f..c353118882 100644 ---- a/hw/scsi/megasas.c -+++ b/hw/scsi/megasas.c -@@ -675,15 +675,16 @@ out: - static int megasas_map_dcmd(MegasasState *s, MegasasCmd *cmd) - { - dma_addr_t iov_pa, iov_size; -+ int iov_count; - - cmd->flags = le16_to_cpu(cmd->frame->header.flags); -- if (!cmd->frame->header.sge_count) { -+ iov_count = cmd->frame->header.sge_count; -+ if (!iov_count) { - trace_megasas_dcmd_zero_sge(cmd->index); - cmd->iov_size = 0; - return 0; -- } else if (cmd->frame->header.sge_count > 1) { -- trace_megasas_dcmd_invalid_sge(cmd->index, -- cmd->frame->header.sge_count); -+ } else if (iov_count > 1) { -+ trace_megasas_dcmd_invalid_sge(cmd->index, iov_count); - cmd->iov_size = 0; - return -EINVAL; - } diff --git a/0008-megasas-do-not-read-DCMD-opcode-more-than-once-from-.patch b/0008-megasas-do-not-read-DCMD-opcode-more-than-once-from-.patch deleted file mode 100644 index 816b86b..0000000 --- a/0008-megasas-do-not-read-DCMD-opcode-more-than-once-from-.patch +++ /dev/null 
@@ -1,111 +0,0 @@ -From: Paolo Bonzini -Date: Thu, 1 Jun 2017 17:18:23 +0200 -Subject: [PATCH] megasas: do not read DCMD opcode more than once from frame - -Avoid TOC-TOU bugs by storing the DCMD opcode in the MegasasCmd - -Signed-off-by: Paolo Bonzini -(cherry picked from commit 5104fac8539eaf155fc6de93e164be43e1e62242) ---- - hw/scsi/megasas.c | 25 +++++++++++-------------- - 1 file changed, 11 insertions(+), 14 deletions(-) - -diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c -index c353118882..a3f75c1650 100644 ---- a/hw/scsi/megasas.c -+++ b/hw/scsi/megasas.c -@@ -63,6 +63,7 @@ typedef struct MegasasCmd { - - hwaddr pa; - hwaddr pa_size; -+ uint32_t dcmd_opcode; - union mfi_frame *frame; - SCSIRequest *req; - QEMUSGList qsg; -@@ -513,6 +514,7 @@ static MegasasCmd *megasas_enqueue_frame(MegasasState *s, - cmd->context &= (uint64_t)0xFFFFFFFF; - } - cmd->count = count; -+ cmd->dcmd_opcode = -1; - s->busy++; - - if (s->consumer_pa) { -@@ -1562,22 +1564,21 @@ static const struct dcmd_cmd_tbl_t { - - static int megasas_handle_dcmd(MegasasState *s, MegasasCmd *cmd) - { -- int opcode; - int retval = 0; - size_t len; - const struct dcmd_cmd_tbl_t *cmdptr = dcmd_cmd_tbl; - -- opcode = le32_to_cpu(cmd->frame->dcmd.opcode); -- trace_megasas_handle_dcmd(cmd->index, opcode); -+ cmd->dcmd_opcode = le32_to_cpu(cmd->frame->dcmd.opcode); -+ trace_megasas_handle_dcmd(cmd->index, cmd->dcmd_opcode); - if (megasas_map_dcmd(s, cmd) < 0) { - return MFI_STAT_MEMORY_NOT_AVAILABLE; - } -- while (cmdptr->opcode != -1 && cmdptr->opcode != opcode) { -+ while (cmdptr->opcode != -1 && cmdptr->opcode != cmd->dcmd_opcode) { - cmdptr++; - } - len = cmd->iov_size; - if (cmdptr->opcode == -1) { -- trace_megasas_dcmd_unhandled(cmd->index, opcode, len); -+ trace_megasas_dcmd_unhandled(cmd->index, cmd->dcmd_opcode, len); - retval = megasas_dcmd_dummy(s, cmd); - } else { - trace_megasas_dcmd_enter(cmd->index, cmdptr->desc, len); -@@ -1592,13 +1593,11 @@ static int megasas_handle_dcmd(MegasasState 
*s, MegasasCmd *cmd) - static int megasas_finish_internal_dcmd(MegasasCmd *cmd, - SCSIRequest *req) - { -- int opcode; - int retval = MFI_STAT_OK; - int lun = req->lun; - -- opcode = le32_to_cpu(cmd->frame->dcmd.opcode); -- trace_megasas_dcmd_internal_finish(cmd->index, opcode, lun); -- switch (opcode) { -+ trace_megasas_dcmd_internal_finish(cmd->index, cmd->dcmd_opcode, lun); -+ switch (cmd->dcmd_opcode) { - case MFI_DCMD_PD_GET_INFO: - retval = megasas_pd_get_info_submit(req->dev, lun, cmd); - break; -@@ -1606,7 +1605,7 @@ static int megasas_finish_internal_dcmd(MegasasCmd *cmd, - retval = megasas_ld_get_info_submit(req->dev, lun, cmd); - break; - default: -- trace_megasas_dcmd_internal_invalid(cmd->index, opcode); -+ trace_megasas_dcmd_internal_invalid(cmd->index, cmd->dcmd_opcode); - retval = MFI_STAT_INVALID_DCMD; - break; - } -@@ -1827,7 +1826,6 @@ static void megasas_xfer_complete(SCSIRequest *req, uint32_t len) - { - MegasasCmd *cmd = req->hba_private; - uint8_t *buf; -- uint32_t opcode; - - trace_megasas_io_complete(cmd->index, len); - -@@ -1837,8 +1835,7 @@ static void megasas_xfer_complete(SCSIRequest *req, uint32_t len) - } - - buf = scsi_req_get_buf(req); -- opcode = le32_to_cpu(cmd->frame->dcmd.opcode); -- if (opcode == MFI_DCMD_PD_GET_INFO && cmd->iov_buf) { -+ if (cmd->dcmd_opcode == MFI_DCMD_PD_GET_INFO && cmd->iov_buf) { - struct mfi_pd_info *info = cmd->iov_buf; - - if (info->inquiry_data[0] == 0x7f) { -@@ -1849,7 +1846,7 @@ static void megasas_xfer_complete(SCSIRequest *req, uint32_t len) - memcpy(info->vpd_page83, buf, len); - } - scsi_req_continue(req); -- } else if (opcode == MFI_DCMD_LD_GET_INFO) { -+ } else if (cmd->dcmd_opcode == MFI_DCMD_LD_GET_INFO) { - struct mfi_ld_info *info = cmd->iov_buf; - - if (cmd->iov_buf) { diff --git a/0009-megasas-do-not-read-command-more-than-once-from-fram.patch b/0009-megasas-do-not-read-command-more-than-once-from-fram.patch deleted file mode 100644 index 82e7e25..0000000 
--- a/0009-megasas-do-not-read-command-more-than-once-from-fram.patch +++ /dev/null 
@@ -1,218 +0,0 @@ -From: Paolo Bonzini -Date: Thu, 1 Jun 2017 17:23:13 +0200 -Subject: [PATCH] megasas: do not read command more than once from frame - -Avoid TOC-TOU bugs by passing the frame_cmd down, and checking -cmd->dcmd_opcode instead of cmd->frame->header.frame_cmd. - -Signed-off-by: Paolo Bonzini -(cherry picked from commit 36c327a69d723571f02a7691631667cdb1865ee1) ---- - hw/scsi/megasas.c | 60 +++++++++++++++++++++++-------------------------------- - 1 file changed, 25 insertions(+), 35 deletions(-) - -diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c -index a3f75c1650..38e0a2f5ef 100644 ---- a/hw/scsi/megasas.c -+++ b/hw/scsi/megasas.c -@@ -1591,12 +1591,13 @@ static int megasas_handle_dcmd(MegasasState *s, MegasasCmd *cmd) - } - - static int megasas_finish_internal_dcmd(MegasasCmd *cmd, -- SCSIRequest *req) -+ SCSIRequest *req, size_t resid) - { - int retval = MFI_STAT_OK; - int lun = req->lun; - - trace_megasas_dcmd_internal_finish(cmd->index, cmd->dcmd_opcode, lun); -+ cmd->iov_size -= resid; - switch (cmd->dcmd_opcode) { - case MFI_DCMD_PD_GET_INFO: - retval = megasas_pd_get_info_submit(req->dev, lun, cmd); -@@ -1649,11 +1650,12 @@ static int megasas_enqueue_req(MegasasCmd *cmd, bool is_write) - } - - static int megasas_handle_scsi(MegasasState *s, MegasasCmd *cmd, -- bool is_logical) -+ int frame_cmd) - { - uint8_t *cdb; - bool is_write; - struct SCSIDevice *sdev = NULL; -+ bool is_logical = (frame_cmd == MFI_CMD_LD_SCSI_IO); - - cdb = cmd->frame->pass.cdb; - -@@ -1661,7 +1663,7 @@ static int megasas_handle_scsi(MegasasState *s, MegasasCmd *cmd, - if (cmd->frame->header.target_id >= MFI_MAX_LD || - cmd->frame->header.lun_id != 0) { - trace_megasas_scsi_target_not_present( -- mfi_frame_desc[cmd->frame->header.frame_cmd], is_logical, -+ mfi_frame_desc[frame_cmd], is_logical, - cmd->frame->header.target_id, cmd->frame->header.lun_id); - return MFI_STAT_DEVICE_NOT_FOUND; - } -@@ -1671,19 +1673,20 @@ static int megasas_handle_scsi(MegasasState *s, 
MegasasCmd *cmd, - - cmd->iov_size = le32_to_cpu(cmd->frame->header.data_len); - trace_megasas_handle_scsi(mfi_frame_desc[cmd->frame->header.frame_cmd], -- is_logical, cmd->frame->header.target_id, -+ trace_megasas_handle_scsi(mfi_frame_desc[frame_cmd], is_logical, -+ cmd->frame->header.target_id, - cmd->frame->header.lun_id, sdev, cmd->iov_size); - - if (!sdev || (megasas_is_jbod(s) && is_logical)) { - trace_megasas_scsi_target_not_present( -- mfi_frame_desc[cmd->frame->header.frame_cmd], is_logical, -+ mfi_frame_desc[frame_cmd], is_logical, - cmd->frame->header.target_id, cmd->frame->header.lun_id); - return MFI_STAT_DEVICE_NOT_FOUND; - } - - if (cmd->frame->header.cdb_len > 16) { - trace_megasas_scsi_invalid_cdb_len( -- mfi_frame_desc[cmd->frame->header.frame_cmd], is_logical, -+ mfi_frame_desc[frame_cmd], is_logical, - cmd->frame->header.target_id, cmd->frame->header.lun_id, - cmd->frame->header.cdb_len); - megasas_write_sense(cmd, SENSE_CODE(INVALID_OPCODE)); -@@ -1703,7 +1706,7 @@ static int megasas_handle_scsi(MegasasState *s, MegasasCmd *cmd, - cmd->frame->header.lun_id, cdb, cmd); - if (!cmd->req) { - trace_megasas_scsi_req_alloc_failed( -- mfi_frame_desc[cmd->frame->header.frame_cmd], -+ mfi_frame_desc[frame_cmd], - cmd->frame->header.target_id, cmd->frame->header.lun_id); - megasas_write_sense(cmd, SENSE_CODE(NO_SENSE)); - cmd->frame->header.scsi_status = BUSY; -@@ -1725,11 +1728,11 @@ static int megasas_handle_scsi(MegasasState *s, MegasasCmd *cmd, - return MFI_STAT_INVALID_STATUS; - } - --static int megasas_handle_io(MegasasState *s, MegasasCmd *cmd) -+static int megasas_handle_io(MegasasState *s, MegasasCmd *cmd, int frame_cmd) - { - uint32_t lba_count, lba_start_hi, lba_start_lo; - uint64_t lba_start; -- bool is_write = (cmd->frame->header.frame_cmd == MFI_CMD_LD_WRITE); -+ bool is_write = (frame_cmd == MFI_CMD_LD_WRITE); - uint8_t cdb[16]; - int len; - struct SCSIDevice *sdev = NULL; -@@ -1746,20 +1749,20 @@ static int megasas_handle_io(MegasasState 
*s, MegasasCmd *cmd) - } - - trace_megasas_handle_io(cmd->index, -- mfi_frame_desc[cmd->frame->header.frame_cmd], -+ mfi_frame_desc[frame_cmd], - cmd->frame->header.target_id, - cmd->frame->header.lun_id, - (unsigned long)lba_start, (unsigned long)lba_count); - if (!sdev) { - trace_megasas_io_target_not_present(cmd->index, -- mfi_frame_desc[cmd->frame->header.frame_cmd], -+ mfi_frame_desc[frame_cmd], - cmd->frame->header.target_id, cmd->frame->header.lun_id); - return MFI_STAT_DEVICE_NOT_FOUND; - } - - if (cmd->frame->header.cdb_len > 16) { - trace_megasas_scsi_invalid_cdb_len( -- mfi_frame_desc[cmd->frame->header.frame_cmd], 1, -+ mfi_frame_desc[frame_cmd], 1, - cmd->frame->header.target_id, cmd->frame->header.lun_id, - cmd->frame->header.cdb_len); - megasas_write_sense(cmd, SENSE_CODE(INVALID_OPCODE)); -@@ -1781,7 +1784,7 @@ static int megasas_handle_io(MegasasState *s, MegasasCmd *cmd) - cmd->frame->header.lun_id, cdb, cmd); - if (!cmd->req) { - trace_megasas_scsi_req_alloc_failed( -- mfi_frame_desc[cmd->frame->header.frame_cmd], -+ mfi_frame_desc[frame_cmd], - cmd->frame->header.target_id, cmd->frame->header.lun_id); - megasas_write_sense(cmd, SENSE_CODE(NO_SENSE)); - cmd->frame->header.scsi_status = BUSY; -@@ -1799,23 +1802,11 @@ static int megasas_handle_io(MegasasState *s, MegasasCmd *cmd) - return MFI_STAT_INVALID_STATUS; - } - --static int megasas_finish_internal_command(MegasasCmd *cmd, -- SCSIRequest *req, size_t resid) --{ -- int retval = MFI_STAT_INVALID_CMD; -- -- if (cmd->frame->header.frame_cmd == MFI_CMD_DCMD) { -- cmd->iov_size -= resid; -- retval = megasas_finish_internal_dcmd(cmd, req); -- } -- return retval; --} -- - static QEMUSGList *megasas_get_sg_list(SCSIRequest *req) - { - MegasasCmd *cmd = req->hba_private; - -- if (cmd->frame->header.frame_cmd == MFI_CMD_DCMD) { -+ if (cmd->dcmd_opcode != -1) { - return NULL; - } else { - return &cmd->qsg; -@@ -1829,7 +1820,7 @@ static void megasas_xfer_complete(SCSIRequest *req, uint32_t len) - - 
trace_megasas_io_complete(cmd->index, len); - -- if (cmd->frame->header.frame_cmd != MFI_CMD_DCMD) { -+ if (cmd->dcmd_opcode != -1) { - scsi_req_continue(req); - return; - } -@@ -1872,7 +1863,7 @@ static void megasas_command_complete(SCSIRequest *req, uint32_t status, - /* - * Internal command complete - */ -- cmd_status = megasas_finish_internal_command(cmd, req, resid); -+ cmd_status = megasas_finish_internal_dcmd(cmd, req, resid); - if (cmd_status == MFI_STAT_INVALID_STATUS) { - return; - } -@@ -1943,6 +1934,7 @@ static void megasas_handle_frame(MegasasState *s, uint64_t frame_addr, - { - uint8_t frame_status = MFI_STAT_INVALID_CMD; - uint64_t frame_context; -+ int frame_cmd; - MegasasCmd *cmd; - - /* -@@ -1961,7 +1953,8 @@ static void megasas_handle_frame(MegasasState *s, uint64_t frame_addr, - s->event_count++; - return; - } -- switch (cmd->frame->header.frame_cmd) { -+ frame_cmd = cmd->frame->header.frame_cmd; -+ switch (frame_cmd) { - case MFI_CMD_INIT: - frame_status = megasas_init_firmware(s, cmd); - break; -@@ -1972,18 +1965,15 @@ static void megasas_handle_frame(MegasasState *s, uint64_t frame_addr, - frame_status = megasas_handle_abort(s, cmd); - break; - case MFI_CMD_PD_SCSI_IO: -- frame_status = megasas_handle_scsi(s, cmd, 0); -- break; - case MFI_CMD_LD_SCSI_IO: -- frame_status = megasas_handle_scsi(s, cmd, 1); -+ frame_status = megasas_handle_scsi(s, cmd, frame_cmd); - break; - case MFI_CMD_LD_READ: - case MFI_CMD_LD_WRITE: -- frame_status = megasas_handle_io(s, cmd); -+ frame_status = megasas_handle_io(s, cmd, frame_cmd); - break; - default: -- trace_megasas_unhandled_frame_cmd(cmd->index, -- cmd->frame->header.frame_cmd); -+ trace_megasas_unhandled_frame_cmd(cmd->index, frame_cmd); - s->event_count++; - break; - } diff --git a/0010-megasas-do-not-read-SCSI-req-parameters-more-than-on.patch b/0010-megasas-do-not-read-SCSI-req-parameters-more-than-on.patch deleted file mode 100644 index b3a606c..0000000 
--- a/0010-megasas-do-not-read-SCSI-req-parameters-more-than-on.patch +++ /dev/null 
@@ -1,145 +0,0 @@ -From: Paolo Bonzini -Date: Thu, 1 Jun 2017 17:25:03 +0200 -Subject: [PATCH] megasas: do not read SCSI req parameters more than once from - frame - -Signed-off-by: Paolo Bonzini -(cherry picked from commit b356807fcdfc45583c437f761fc579ab2a8eab11) ---- - hw/scsi/megasas.c | 60 ++++++++++++++++++++++++------------------------------- - 1 file changed, 26 insertions(+), 34 deletions(-) - -diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c -index 38e0a2f5ef..135662df31 100644 ---- a/hw/scsi/megasas.c -+++ b/hw/scsi/megasas.c -@@ -1653,42 +1653,39 @@ static int megasas_handle_scsi(MegasasState *s, MegasasCmd *cmd, - int frame_cmd) - { - uint8_t *cdb; -+ int target_id, lun_id, cdb_len; - bool is_write; - struct SCSIDevice *sdev = NULL; - bool is_logical = (frame_cmd == MFI_CMD_LD_SCSI_IO); - - cdb = cmd->frame->pass.cdb; -+ target_id = cmd->frame->header.target_id; -+ lun_id = cmd->frame->header.lun_id; -+ cdb_len = cmd->frame->header.cdb_len; - - if (is_logical) { -- if (cmd->frame->header.target_id >= MFI_MAX_LD || -- cmd->frame->header.lun_id != 0) { -+ if (target_id >= MFI_MAX_LD || lun_id != 0) { - trace_megasas_scsi_target_not_present( -- mfi_frame_desc[frame_cmd], is_logical, -- cmd->frame->header.target_id, cmd->frame->header.lun_id); -+ mfi_frame_desc[frame_cmd], is_logical, target_id, lun_id); - return MFI_STAT_DEVICE_NOT_FOUND; - } - } -- sdev = scsi_device_find(&s->bus, 0, cmd->frame->header.target_id, -- cmd->frame->header.lun_id); -+ sdev = scsi_device_find(&s->bus, 0, target_id, lun_id); - - cmd->iov_size = le32_to_cpu(cmd->frame->header.data_len); -- trace_megasas_handle_scsi(mfi_frame_desc[cmd->frame->header.frame_cmd], - trace_megasas_handle_scsi(mfi_frame_desc[frame_cmd], is_logical, -- cmd->frame->header.target_id, -- cmd->frame->header.lun_id, sdev, cmd->iov_size); -+ target_id, lun_id, sdev, cmd->iov_size); - - if (!sdev || (megasas_is_jbod(s) && is_logical)) { - trace_megasas_scsi_target_not_present( -- mfi_frame_desc[frame_cmd], 
is_logical, -- cmd->frame->header.target_id, cmd->frame->header.lun_id); -+ mfi_frame_desc[frame_cmd], is_logical, target_id, lun_id); - return MFI_STAT_DEVICE_NOT_FOUND; - } - -- if (cmd->frame->header.cdb_len > 16) { -+ if (cdb_len > 16) { - trace_megasas_scsi_invalid_cdb_len( - mfi_frame_desc[frame_cmd], is_logical, -- cmd->frame->header.target_id, cmd->frame->header.lun_id, -- cmd->frame->header.cdb_len); -+ target_id, lun_id, cdb_len); - megasas_write_sense(cmd, SENSE_CODE(INVALID_OPCODE)); - cmd->frame->header.scsi_status = CHECK_CONDITION; - s->event_count++; -@@ -1702,12 +1699,10 @@ static int megasas_handle_scsi(MegasasState *s, MegasasCmd *cmd, - return MFI_STAT_SCSI_DONE_WITH_ERROR; - } - -- cmd->req = scsi_req_new(sdev, cmd->index, -- cmd->frame->header.lun_id, cdb, cmd); -+ cmd->req = scsi_req_new(sdev, cmd->index, lun_id, cdb, cmd); - if (!cmd->req) { - trace_megasas_scsi_req_alloc_failed( -- mfi_frame_desc[frame_cmd], -- cmd->frame->header.target_id, cmd->frame->header.lun_id); -+ mfi_frame_desc[frame_cmd], target_id, lun_id); - megasas_write_sense(cmd, SENSE_CODE(NO_SENSE)); - cmd->frame->header.scsi_status = BUSY; - s->event_count++; -@@ -1736,35 +1731,33 @@ static int megasas_handle_io(MegasasState *s, MegasasCmd *cmd, int frame_cmd) - uint8_t cdb[16]; - int len; - struct SCSIDevice *sdev = NULL; -+ int target_id, lun_id, cdb_len; - - lba_count = le32_to_cpu(cmd->frame->io.header.data_len); - lba_start_lo = le32_to_cpu(cmd->frame->io.lba_lo); - lba_start_hi = le32_to_cpu(cmd->frame->io.lba_hi); - lba_start = ((uint64_t)lba_start_hi << 32) | lba_start_lo; - -- if (cmd->frame->header.target_id < MFI_MAX_LD && -- cmd->frame->header.lun_id == 0) { -- sdev = scsi_device_find(&s->bus, 0, cmd->frame->header.target_id, -- cmd->frame->header.lun_id); -+ target_id = cmd->frame->header.target_id; -+ lun_id = cmd->frame->header.lun_id; -+ cdb_len = cmd->frame->header.cdb_len; -+ -+ if (target_id < MFI_MAX_LD && lun_id == 0) { -+ sdev = 
scsi_device_find(&s->bus, 0, target_id, lun_id); - } - - trace_megasas_handle_io(cmd->index, -- mfi_frame_desc[frame_cmd], -- cmd->frame->header.target_id, -- cmd->frame->header.lun_id, -+ mfi_frame_desc[frame_cmd], target_id, lun_id, - (unsigned long)lba_start, (unsigned long)lba_count); - if (!sdev) { - trace_megasas_io_target_not_present(cmd->index, -- mfi_frame_desc[frame_cmd], -- cmd->frame->header.target_id, cmd->frame->header.lun_id); -+ mfi_frame_desc[frame_cmd], target_id, lun_id); - return MFI_STAT_DEVICE_NOT_FOUND; - } - -- if (cmd->frame->header.cdb_len > 16) { -+ if (cdb_len > 16) { - trace_megasas_scsi_invalid_cdb_len( -- mfi_frame_desc[frame_cmd], 1, -- cmd->frame->header.target_id, cmd->frame->header.lun_id, -- cmd->frame->header.cdb_len); -+ mfi_frame_desc[frame_cmd], 1, target_id, lun_id, cdb_len); - megasas_write_sense(cmd, SENSE_CODE(INVALID_OPCODE)); - cmd->frame->header.scsi_status = CHECK_CONDITION; - s->event_count++; -@@ -1781,11 +1774,10 @@ static int megasas_handle_io(MegasasState *s, MegasasCmd *cmd, int frame_cmd) - - megasas_encode_lba(cdb, lba_start, lba_count, is_write); - cmd->req = scsi_req_new(sdev, cmd->index, -- cmd->frame->header.lun_id, cdb, cmd); -+ lun_id, cdb, cmd); - if (!cmd->req) { - trace_megasas_scsi_req_alloc_failed( -- mfi_frame_desc[frame_cmd], -- cmd->frame->header.target_id, cmd->frame->header.lun_id); -+ mfi_frame_desc[frame_cmd], target_id, lun_id); - megasas_write_sense(cmd, SENSE_CODE(NO_SENSE)); - cmd->frame->header.scsi_status = BUSY; - s->event_count++; diff --git a/0011-megasas-always-store-SCSIRequest-into-MegasasCmd.patch b/0011-megasas-always-store-SCSIRequest-into-MegasasCmd.patch deleted file mode 100644 index 3a74932..0000000 --- a/0011-megasas-always-store-SCSIRequest-into-MegasasCmd.patch +++ /dev/null 
@@ -1,122 +0,0 @@ -From: Paolo Bonzini -Date: Thu, 1 Jun 2017 17:26:14 +0200 -Subject: [PATCH] megasas: always store SCSIRequest* into MegasasCmd - -This ensures that the request is unref'ed properly, and avoids a -segmentation fault in the new qtest testcase that is added. -This is CVE-2017-9503. - -Reported-by: Zhangyanyu -Signed-off-by: Paolo Bonzini -(cherry picked from commit 87e459a810d7b1ec1638085b5a80ea3d9b43119a) ---- - hw/scsi/megasas.c | 31 ++++++++++++++++--------------- - 1 file changed, 16 insertions(+), 15 deletions(-) - -diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c -index 135662df31..734fdaef90 100644 ---- a/hw/scsi/megasas.c -+++ b/hw/scsi/megasas.c -@@ -609,6 +609,9 @@ static void megasas_reset_frames(MegasasState *s) - static void megasas_abort_command(MegasasCmd *cmd) - { - /* Never abort internal commands. */ -+ if (cmd->dcmd_opcode != -1) { -+ return; -+ } - if (cmd->req != NULL) { - scsi_req_cancel(cmd->req); - } -@@ -1017,7 +1020,6 @@ static int megasas_pd_get_info_submit(SCSIDevice *sdev, int lun, - uint64_t pd_size; - uint16_t pd_id = ((sdev->id & 0xFF) << 8) | (lun & 0xFF); - uint8_t cmdbuf[6]; -- SCSIRequest *req; - size_t len, resid; - - if (!cmd->iov_buf) { -@@ -1026,8 +1028,8 @@ static int megasas_pd_get_info_submit(SCSIDevice *sdev, int lun, - info->inquiry_data[0] = 0x7f; /* Force PQual 0x3, PType 0x1f */ - info->vpd_page83[0] = 0x7f; - megasas_setup_inquiry(cmdbuf, 0, sizeof(info->inquiry_data)); -- req = scsi_req_new(sdev, cmd->index, lun, cmdbuf, cmd); -- if (!req) { -+ cmd->req = scsi_req_new(sdev, cmd->index, lun, cmdbuf, cmd); -+ if (!cmd->req) { - trace_megasas_dcmd_req_alloc_failed(cmd->index, - "PD get info std inquiry"); - g_free(cmd->iov_buf); -@@ -1036,26 +1038,26 @@ static int megasas_pd_get_info_submit(SCSIDevice *sdev, int lun, - } - trace_megasas_dcmd_internal_submit(cmd->index, - "PD get info std inquiry", lun); -- len = scsi_req_enqueue(req); -+ len = scsi_req_enqueue(cmd->req); - if (len > 0) { - 
cmd->iov_size = len; -- scsi_req_continue(req); -+ scsi_req_continue(cmd->req); - } - return MFI_STAT_INVALID_STATUS; - } else if (info->inquiry_data[0] != 0x7f && info->vpd_page83[0] == 0x7f) { - megasas_setup_inquiry(cmdbuf, 0x83, sizeof(info->vpd_page83)); -- req = scsi_req_new(sdev, cmd->index, lun, cmdbuf, cmd); -- if (!req) { -+ cmd->req = scsi_req_new(sdev, cmd->index, lun, cmdbuf, cmd); -+ if (!cmd->req) { - trace_megasas_dcmd_req_alloc_failed(cmd->index, - "PD get info vpd inquiry"); - return MFI_STAT_FLASH_ALLOC_FAIL; - } - trace_megasas_dcmd_internal_submit(cmd->index, - "PD get info vpd inquiry", lun); -- len = scsi_req_enqueue(req); -+ len = scsi_req_enqueue(cmd->req); - if (len > 0) { - cmd->iov_size = len; -- scsi_req_continue(req); -+ scsi_req_continue(cmd->req); - } - return MFI_STAT_INVALID_STATUS; - } -@@ -1217,7 +1219,6 @@ static int megasas_ld_get_info_submit(SCSIDevice *sdev, int lun, - struct mfi_ld_info *info = cmd->iov_buf; - size_t dcmd_size = sizeof(struct mfi_ld_info); - uint8_t cdb[6]; -- SCSIRequest *req; - ssize_t len, resid; - uint16_t sdev_id = ((sdev->id & 0xFF) << 8) | (lun & 0xFF); - uint64_t ld_size; -@@ -1226,8 +1227,8 @@ static int megasas_ld_get_info_submit(SCSIDevice *sdev, int lun, - cmd->iov_buf = g_malloc0(dcmd_size); - info = cmd->iov_buf; - megasas_setup_inquiry(cdb, 0x83, sizeof(info->vpd_page83)); -- req = scsi_req_new(sdev, cmd->index, lun, cdb, cmd); -- if (!req) { -+ cmd->req = scsi_req_new(sdev, cmd->index, lun, cdb, cmd); -+ if (!cmd->req) { - trace_megasas_dcmd_req_alloc_failed(cmd->index, - "LD get info vpd inquiry"); - g_free(cmd->iov_buf); -@@ -1236,10 +1237,10 @@ static int megasas_ld_get_info_submit(SCSIDevice *sdev, int lun, - } - trace_megasas_dcmd_internal_submit(cmd->index, - "LD get info vpd inquiry", lun); -- len = scsi_req_enqueue(req); -+ len = scsi_req_enqueue(cmd->req); - if (len > 0) { - cmd->iov_size = len; -- scsi_req_continue(req); -+ scsi_req_continue(cmd->req); - } - return 
MFI_STAT_INVALID_STATUS; - } -@@ -1851,7 +1852,7 @@ static void megasas_command_complete(SCSIRequest *req, uint32_t status, - return; - } - -- if (cmd->req == NULL) { -+ if (cmd->dcmd_opcode != -1) { - /* - * Internal command complete - */ diff --git a/0101-usb-redir-fix-stack-overflow-in-usbredir_log_data.patch b/0101-usb-redir-fix-stack-overflow-in-usbredir_log_data.patch deleted file mode 100644 index 5101ab0..0000000 --- a/0101-usb-redir-fix-stack-overflow-in-usbredir_log_data.patch +++ /dev/null @@ -1,47 +0,0 @@ -From: Gerd Hoffmann -Date: Tue, 9 May 2017 13:01:28 +0200 -Subject: [PATCH] usb-redir: fix stack overflow in usbredir_log_data -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Don't reinvent a broken wheel, just use the hexdump function we have. - -Impact: low, broken code doesn't run unless you have debug logging -enabled. - -Reported-by: 李强 -Signed-off-by: Gerd Hoffmann -Message-id: 20170509110128.27261-1-kraxel@redhat.com -(cherry picked from commit bd4a683505b27adc1ac809f71e918e58573d851d) ---- - hw/usb/redirect.c | 13 +------------ - 1 file changed, 1 insertion(+), 12 deletions(-) - -diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c -index 0efe62f725..eb70dc7218 100644 ---- a/hw/usb/redirect.c -+++ b/hw/usb/redirect.c -@@ -229,21 +229,10 @@ static void usbredir_log(void *priv, int level, const char *msg) - static void usbredir_log_data(USBRedirDevice *dev, const char *desc, - const uint8_t *data, int len) - { -- int i, j, n; -- - if (dev->debug < usbredirparser_debug_data) { - return; - } -- -- for (i = 0; i < len; i += j) { -- char buf[128]; -- -- n = sprintf(buf, "%s", desc); -- for (j = 0; j < 8 && i + j < len; j++) { -- n += sprintf(buf + n, " %02X", data[i + j]); -- } -- error_report("%s", buf); -- } -+ qemu_hexdump((char *)data, stderr, desc, len); - } - - /* 
diff --git a/0102-nbd-Fully-initialize-client-in-case-of-failed-negoti.patch b/0102-nbd-Fully-initialize-client-in-case-of-failed-negoti.patch deleted file mode 100644 index 3ec2c28..0000000 --- a/0102-nbd-Fully-initialize-client-in-case-of-failed-negoti.patch +++ /dev/null 
@@ -1,77 +0,0 @@ -From: Eric Blake -Date: Fri, 26 May 2017 22:04:21 -0500 -Subject: [PATCH] nbd: Fully initialize client in case of failed negotiation - -If a non-NBD client connects to qemu-nbd, we would end up with -a SIGSEGV in nbd_client_put() because we were trying to -unregister the client's association to the export, even though -we skipped inserting the client into that list. Easy trigger -in two terminals: - -$ qemu-nbd -p 30001 --format=raw file -$ nmap 127.0.0.1 -p 30001 - -nmap claims that it thinks it connected to a pago-services1 -server (which probably means nmap could be updated to learn the -NBD protocol and give a more accurate diagnosis of the open -port - but that's not our problem), then terminates immediately, -so our call to nbd_negotiate() fails. The fix is to reorder -nbd_co_client_start() to ensure that all initialization occurs -before we ever try talking to a client in nbd_negotiate(), so -that the teardown sequence on negotiation failure doesn't fault -while dereferencing a half-initialized object. - -While debugging this, I also noticed that nbd_update_server_watch() -called by nbd_client_closed() was still adding a channel to accept -the next client, even when the state was no longer RUNNING. That -is fixed by making nbd_can_accept() pay attention to the current -state. 
- -Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1451614 - -Signed-off-by: Eric Blake -Message-Id: <20170527030421.28366-1-eblake@redhat.com> -Signed-off-by: Paolo Bonzini -(cherry picked from commit df8ad9f128c15aa0a0ebc7b24e9a22c9775b67af) ---- - nbd/server.c | 8 +++----- - qemu-nbd.c | 2 +- - 2 files changed, 4 insertions(+), 6 deletions(-) - -diff --git a/nbd/server.c b/nbd/server.c -index 924a1fe2db..edfda84d43 100644 ---- a/nbd/server.c -+++ b/nbd/server.c -@@ -1376,16 +1376,14 @@ static coroutine_fn void nbd_co_client_start(void *opaque) - - if (exp) { - nbd_export_get(exp); -+ QTAILQ_INSERT_TAIL(&exp->clients, client, next); - } -+ qemu_co_mutex_init(&client->send_lock); -+ - if (nbd_negotiate(data)) { - client_close(client); - goto out; - } -- qemu_co_mutex_init(&client->send_lock); -- -- if (exp) { -- QTAILQ_INSERT_TAIL(&exp->clients, client, next); -- } - - nbd_client_receive_next_request(client); - -diff --git a/qemu-nbd.c b/qemu-nbd.c -index e080fb7c75..b44764eb87 100644 ---- a/qemu-nbd.c -+++ b/qemu-nbd.c -@@ -324,7 +324,7 @@ out: - - static int nbd_can_accept(void) - { -- return nb_fds < shared; -+ return state == RUNNING && nb_fds < shared; - } - - static void nbd_export_closed(NBDExport *exp) diff --git a/0103-nbd-Fix-regression-on-resiliency-to-port-scan.patch b/0103-nbd-Fix-regression-on-resiliency-to-port-scan.patch deleted file mode 100644 index 9d6eb73..0000000 --- a/0103-nbd-Fix-regression-on-resiliency-to-port-scan.patch +++ /dev/null 
@@ -1,194 +0,0 @@ -From: Eric Blake -Date: Thu, 8 Jun 2017 17:26:17 -0500 -Subject: [PATCH] nbd: Fix regression on resiliency to port scan - -Back in qemu 2.5, qemu-nbd was immune to port probes (a transient -server would not quit, regardless of how many probe connections -came and went, until a connection actually negotiated). But we -broke that in commit ee7d7aa when removing the return value to -nbd_client_new(), although that patch also introduced a bug causing -an assertion failure on a client that fails negotiation. We then -made it worse during refactoring in commit 1a6245a (a segfault -before we could even assert); the (masked) assertion was cleaned -up in d3780c2 (still in 2.6), and just recently we finally fixed -the segfault ("nbd: Fully intialize client in case of failed -negotiation"). But that still means that ever since we added -TLS support to qemu-nbd, we have been vulnerable to an ill-timed -port-scan being able to cause a denial of service by taking down -qemu-nbd before a real client has a chance to connect. - -Since negotiation is now handled asynchronously via coroutines, -we no longer have a synchronous point of return by re-adding a -return value to nbd_client_new(). So this patch instead wires -things up to pass the negotiation status through the close_fn -callback function. - -Simple test across two terminals: -$ qemu-nbd -f raw -p 30001 file -$ nmap 127.0.0.1 -p 30001 && \ - qemu-io -c 'r 0 512' -f raw nbd://localhost:30001 - -Note that this patch does not change what constitutes successful -negotiation (thus, a client must enter transmission phase before -that client can be considered as a reason to terminate the server -when the connection ends). Perhaps we may want to tweak things -in a later patch to also treat a client that uses NBD_OPT_ABORT -as being a 'successful' negotiation (the client correctly talked -the NBD protocol, and informed us it was not going to use our -export after all), but that's a discussion for another day. 
- -Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1451614 - -Signed-off-by: Eric Blake -Message-Id: <20170608222617.20376-1-eblake@redhat.com> -Signed-off-by: Paolo Bonzini -(cherry picked from commit 0c9390d978cbf61e8f16c9f580fa96b305c43568) ---- - blockdev-nbd.c | 6 +++++- - include/block/nbd.h | 2 +- - nbd/server.c | 24 +++++++++++++++--------- - qemu-nbd.c | 4 ++-- - 4 files changed, 23 insertions(+), 13 deletions(-) - -diff --git a/blockdev-nbd.c b/blockdev-nbd.c -index 8a11807df3..8d7284ac56 100644 ---- a/blockdev-nbd.c -+++ b/blockdev-nbd.c -@@ -27,6 +27,10 @@ typedef struct NBDServerData { - - static NBDServerData *nbd_server; - -+static void nbd_blockdev_client_closed(NBDClient *client, bool ignored) -+{ -+ nbd_client_put(client); -+} - - static gboolean nbd_accept(QIOChannel *ioc, GIOCondition condition, - gpointer opaque) -@@ -46,7 +50,7 @@ static gboolean nbd_accept(QIOChannel *ioc, GIOCondition condition, - qio_channel_set_name(QIO_CHANNEL(cioc), "nbd-server"); - nbd_client_new(NULL, cioc, - nbd_server->tlscreds, NULL, -- nbd_client_put); -+ nbd_blockdev_client_closed); - object_unref(OBJECT(cioc)); - return TRUE; - } -diff --git a/include/block/nbd.h b/include/block/nbd.h -index 3e373f0498..b69c30d063 100644 ---- a/include/block/nbd.h -+++ b/include/block/nbd.h -@@ -160,7 +160,7 @@ void nbd_client_new(NBDExport *exp, - QIOChannelSocket *sioc, - QCryptoTLSCreds *tlscreds, - const char *tlsaclname, -- void (*close)(NBDClient *)); -+ void (*close_fn)(NBDClient *, bool)); - void nbd_client_get(NBDClient *client); - void nbd_client_put(NBDClient *client); - -diff --git a/nbd/server.c b/nbd/server.c -index edfda84d43..a98bb21a0a 100644 ---- a/nbd/server.c -+++ b/nbd/server.c -@@ -81,7 +81,7 @@ static QTAILQ_HEAD(, NBDExport) exports = QTAILQ_HEAD_INITIALIZER(exports); - - struct NBDClient { - int refcount; -- void (*close)(NBDClient *client); -+ void (*close_fn)(NBDClient *client, bool negotiated); - - bool no_zeroes; - NBDExport *exp; -@@ -796,7 +796,7 
@@ void nbd_client_put(NBDClient *client) - } - } - --static void client_close(NBDClient *client) -+static void client_close(NBDClient *client, bool negotiated) - { - if (client->closing) { - return; -@@ -811,8 +811,8 @@ static void client_close(NBDClient *client) - NULL); - - /* Also tell the client, so that they release their reference. */ -- if (client->close) { -- client->close(client); -+ if (client->close_fn) { -+ client->close_fn(client, negotiated); - } - } - -@@ -993,7 +993,7 @@ void nbd_export_close(NBDExport *exp) - - nbd_export_get(exp); - QTAILQ_FOREACH_SAFE(client, &exp->clients, next, next) { -- client_close(client); -+ client_close(client, true); - } - nbd_export_set_name(exp, NULL); - nbd_export_set_description(exp, NULL); -@@ -1355,7 +1355,7 @@ done: - - out: - nbd_request_put(req); -- client_close(client); -+ client_close(client, true); - nbd_client_put(client); - } - -@@ -1381,7 +1381,7 @@ static coroutine_fn void nbd_co_client_start(void *opaque) - qemu_co_mutex_init(&client->send_lock); - - if (nbd_negotiate(data)) { -- client_close(client); -+ client_close(client, false); - goto out; - } - -@@ -1391,11 +1391,17 @@ out: - g_free(data); - } - -+/* -+ * Create a new client listener on the given export @exp, using the -+ * given channel @sioc. Begin servicing it in a coroutine. When the -+ * connection closes, call @close_fn with an indication of whether the -+ * client completed negotiation. 
-+ */ - void nbd_client_new(NBDExport *exp, - QIOChannelSocket *sioc, - QCryptoTLSCreds *tlscreds, - const char *tlsaclname, -- void (*close_fn)(NBDClient *)) -+ void (*close_fn)(NBDClient *, bool)) - { - NBDClient *client; - NBDClientNewData *data = g_new(NBDClientNewData, 1); -@@ -1412,7 +1418,7 @@ void nbd_client_new(NBDExport *exp, - object_ref(OBJECT(client->sioc)); - client->ioc = QIO_CHANNEL(sioc); - object_ref(OBJECT(client->ioc)); -- client->close = close_fn; -+ client->close_fn = close_fn; - - data->client = client; - data->co = qemu_coroutine_create(nbd_co_client_start, data); -diff --git a/qemu-nbd.c b/qemu-nbd.c -index b44764eb87..483dd77a77 100644 ---- a/qemu-nbd.c -+++ b/qemu-nbd.c -@@ -335,10 +335,10 @@ static void nbd_export_closed(NBDExport *exp) - - static void nbd_update_server_watch(void); - --static void nbd_client_closed(NBDClient *client) -+static void nbd_client_closed(NBDClient *client, bool negotiated) - { - nb_fds--; -- if (nb_fds == 0 && !persistent && state == RUNNING) { -+ if (negotiated && nb_fds == 0 && !persistent && state == RUNNING) { - state = TERMINATE; - } - nbd_update_server_watch(); diff --git a/0104-qemu-nbd-Ignore-SIGPIPE.patch b/0104-qemu-nbd-Ignore-SIGPIPE.patch deleted file mode 100644 index 40b5737..0000000 --- a/0104-qemu-nbd-Ignore-SIGPIPE.patch +++ /dev/null 
@@ -1,44 +0,0 @@ -From: Max Reitz -Date: Sun, 11 Jun 2017 14:37:14 +0200 -Subject: [PATCH] qemu-nbd: Ignore SIGPIPE - -qemu proper has done so for 13 years -(8a7ddc38a60648257dc0645ab4a05b33d6040063), qemu-img and qemu-io have -done so for four years (526eda14a68d5b3596be715505289b541288ef2a). -Ignoring this signal is especially important in qemu-nbd because -otherwise a client can easily take down the qemu-nbd server by dropping -the connection when the server wants to send something, for example: - -$ qemu-nbd -x foo -f raw -t null-co:// & -[1] 12726 -$ qemu-io -c quit nbd://localhost/bar -can't open device nbd://localhost/bar: No export with name 'bar' available -[1] + 12726 broken pipe qemu-nbd -x foo -f raw -t null-co:// - -In this case, the client sends an NBD_OPT_ABORT and closes the -connection (because it is not required to wait for a reply), but the -server replies with an NBD_REP_ACK (because it is required to reply). - -Signed-off-by: Max Reitz -Message-Id: <20170611123714.31292-1-mreitz@redhat.com> -Signed-off-by: Paolo Bonzini -(cherry picked from commit 041e32b8d9d076980b4e35317c0339e57ab888f1) ---- - qemu-nbd.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/qemu-nbd.c b/qemu-nbd.c -index 483dd77a77..5deb37e03e 100644 ---- a/qemu-nbd.c -+++ b/qemu-nbd.c -@@ -581,6 +581,10 @@ int main(int argc, char **argv) - sa_sigterm.sa_handler = termsig_handler; - sigaction(SIGTERM, &sa_sigterm, NULL); - -+#ifdef CONFIG_POSIX -+ signal(SIGPIPE, SIG_IGN); -+#endif -+ - module_call_init(MODULE_INIT_TRACE); - qcrypto_init(&error_fatal); - diff --git a/0200-Update-references-of-struct-ucontext-to-ucontext_t.patch b/0200-Update-references-of-struct-ucontext-to-ucontext_t.patch deleted file mode 100644 index 0bbc2a0..0000000 --- a/0200-Update-references-of-struct-ucontext-to-ucontext_t.patch +++ /dev/null 
@@ -1,267 +0,0 @@
-From 4eea6d48daa1d1f7dda3e1458b992302c1dd040e Mon Sep 17 00:00:00 2001
-From: Nathaniel McCallum
-Date: Tue, 18 Jul 2017 18:19:38 -0400
-Subject: [PATCH] Update references of "struct ucontext" to "ucontext_t"
-
-Glibc used to have:
-
- typedef struct ucontext { ... } ucontext_t;
-
-Glibc now has:
-
- typedef struct ucontext_t { ... } ucontext_t;
-
-However, Qemu used "struct ucontext" in declarations. This is a
-private name and compatiblity cannot be guaranteed. This patch
-updates Qemu to only use the standardized type name.
-
-Signed-off-by: Nathaniel McCallum
----
- linux-user/host/aarch64/hostdep.h | 2 +-
- linux-user/host/arm/hostdep.h | 2 +-
- linux-user/host/i386/hostdep.h | 2 +-
- linux-user/host/ppc64/hostdep.h | 2 +-
- linux-user/host/s390x/hostdep.h | 2 +-
- linux-user/host/x86_64/hostdep.h | 2 +-
- linux-user/signal.c | 10 +++++-----
- tests/tcg/test-i386.c | 4 ++--
- user-exec.c | 18 +++++++++---------
- 9 files changed, 22 insertions(+), 22 deletions(-)
-
-diff --git a/linux-user/host/aarch64/hostdep.h b/linux-user/host/aarch64/hostdep.h
-index 64f75cef49..a8d41a21ad 100644
---- a/linux-user/host/aarch64/hostdep.h
-+++ b/linux-user/host/aarch64/hostdep.h
-@@ -24,7 +24,7 @@ extern char safe_syscall_end[];
- /* Adjust the signal context to rewind out of safe-syscall if we're in it */
- static inline void rewind_if_in_safe_syscall(void *puc)
- {
-- struct ucontext *uc = puc;
-+ ucontext_t *uc = puc;
- __u64 *pcreg = &uc->uc_mcontext.pc;
-
- if (*pcreg > (uintptr_t)safe_syscall_start
-diff --git a/linux-user/host/arm/hostdep.h b/linux-user/host/arm/hostdep.h
-index 5c1ae60120..9276fe6ceb 100644
---- a/linux-user/host/arm/hostdep.h
-+++ b/linux-user/host/arm/hostdep.h
-@@ -24,7 +24,7 @@ extern char safe_syscall_end[];
- /* Adjust the signal context to rewind out of safe-syscall if we're in it */
- static inline void rewind_if_in_safe_syscall(void *puc)
- {
-- struct ucontext *uc = puc;
-+ ucontext_t *uc = puc;
- unsigned long *pcreg = &uc->uc_mcontext.arm_pc;
-
- if (*pcreg > (uintptr_t)safe_syscall_start
-diff --git a/linux-user/host/i386/hostdep.h b/linux-user/host/i386/hostdep.h
-index d834bd80ea..073be74d87 100644
---- a/linux-user/host/i386/hostdep.h
-+++ b/linux-user/host/i386/hostdep.h
-@@ -24,7 +24,7 @@ extern char safe_syscall_end[];
- /* Adjust the signal context to rewind out of safe-syscall if we're in it */
- static inline void rewind_if_in_safe_syscall(void *puc)
- {
-- struct ucontext *uc = puc;
-+ ucontext_t *uc = puc;
- greg_t *pcreg = &uc->uc_mcontext.gregs[REG_EIP];
-
- if (*pcreg > (uintptr_t)safe_syscall_start
-diff --git a/linux-user/host/ppc64/hostdep.h b/linux-user/host/ppc64/hostdep.h
-index 0b0f5f7821..98979ad917 100644
---- a/linux-user/host/ppc64/hostdep.h
-+++ b/linux-user/host/ppc64/hostdep.h
-@@ -24,7 +24,7 @@ extern char safe_syscall_end[];
- /* Adjust the signal context to rewind out of safe-syscall if we're in it */
- static inline void rewind_if_in_safe_syscall(void *puc)
- {
-- struct ucontext *uc = puc;
-+ ucontext_t *uc = puc;
- unsigned long *pcreg = &uc->uc_mcontext.gp_regs[PT_NIP];
-
- if (*pcreg > (uintptr_t)safe_syscall_start
-diff --git a/linux-user/host/s390x/hostdep.h b/linux-user/host/s390x/hostdep.h
-index 6f9da9c608..4f0171f36f 100644
---- a/linux-user/host/s390x/hostdep.h
-+++ b/linux-user/host/s390x/hostdep.h
-@@ -24,7 +24,7 @@ extern char safe_syscall_end[];
- /* Adjust the signal context to rewind out of safe-syscall if we're in it */
- static inline void rewind_if_in_safe_syscall(void *puc)
- {
-- struct ucontext *uc = puc;
-+ ucontext_t *uc = puc;
- unsigned long *pcreg = &uc->uc_mcontext.psw.addr;
-
- if (*pcreg > (uintptr_t)safe_syscall_start
-diff --git a/linux-user/host/x86_64/hostdep.h b/linux-user/host/x86_64/hostdep.h
-index 3b4259633e..a4fefb5114 100644
---- a/linux-user/host/x86_64/hostdep.h
-+++ b/linux-user/host/x86_64/hostdep.h
-@@ -24,7 +24,7 @@ extern char safe_syscall_end[];
- /* Adjust the signal context to rewind out of safe-syscall if we're in it */
- static inline void rewind_if_in_safe_syscall(void *puc)
- {
-- struct ucontext *uc = puc;
-+ ucontext_t *uc = puc;
- greg_t *pcreg = &uc->uc_mcontext.gregs[REG_RIP];
-
- if (*pcreg > (uintptr_t)safe_syscall_start
-diff --git a/linux-user/signal.c b/linux-user/signal.c
-index 3d18d1b3ee..2c55a4f600 100644
---- a/linux-user/signal.c
-+++ b/linux-user/signal.c
-@@ -3346,7 +3346,7 @@ static void setup_rt_frame(int sig, struct target_sigaction *ka,
- *
- * a0 = signal number
- * a1 = pointer to siginfo_t
-- * a2 = pointer to struct ucontext
-+ * a2 = pointer to ucontext_t
- *
- * $25 and PC point to the signal handler, $29 points to the
- * struct sigframe.
-@@ -3733,7 +3733,7 @@ struct target_signal_frame {
-
- struct rt_signal_frame {
- siginfo_t info;
-- struct ucontext uc;
-+ ucontext_t uc;
- uint32_t tramp[2];
- };
-
-@@ -3949,7 +3949,7 @@ struct rt_signal_frame {
- siginfo_t *pinfo;
- void *puc;
- siginfo_t info;
-- struct ucontext uc;
-+ ucontext_t uc;
- uint16_t retcode[4]; /* Trampoline code. */
- };
-
-@@ -4484,7 +4484,7 @@ static void setup_rt_frame(int sig, struct target_sigaction *ka,
- tswap_siginfo(&frame->info, info);
- }
-
-- /*err |= __clear_user(&frame->uc, offsetof(struct ucontext, uc_mcontext));*/
-+ /*err |= __clear_user(&frame->uc, offsetof(ucontext_t, uc_mcontext));*/
- __put_user(0, &frame->uc.tuc_flags);
- __put_user(0, &frame->uc.tuc_link);
- __put_user(target_sigaltstack_used.ss_sp,
-@@ -4976,7 +4976,7 @@ enum {
-
- struct target_ucontext {
- target_ulong tuc_flags;
-- target_ulong tuc_link; /* struct ucontext __user * */
-+ target_ulong tuc_link; /* ucontext_t __user * */
- struct target_sigaltstack tuc_stack;
- #if !defined(TARGET_PPC64)
- int32_t tuc_pad[7];
-diff --git a/tests/tcg/test-i386.c b/tests/tcg/test-i386.c
-index 0f7b943b0c..9599204895 100644
---- a/tests/tcg/test-i386.c
-+++ b/tests/tcg/test-i386.c
-@@ -1720,7 +1720,7 @@ int tab[2];
-
- void sig_handler(int sig, siginfo_t *info, void *puc)
- {
-- struct ucontext *uc = puc;
-+ ucontext_t *uc = puc;
-
- printf("si_signo=%d si_errno=%d si_code=%d",
- info->si_signo, info->si_errno, info->si_code);
-@@ -1912,7 +1912,7 @@ void test_exceptions(void)
- /* specific precise single step test */
- void sig_trap_handler(int sig, siginfo_t *info, void *puc)
- {
-- struct ucontext *uc = puc;
-+ ucontext_t *uc = puc;
- printf("EIP=" FMTLX "\n", (long)uc->uc_mcontext.gregs[REG_EIP]);
- }
-
-diff --git a/user-exec.c b/user-exec.c
-index a8f95fa1e1..2a975eaf69 100644
---- a/user-exec.c
-+++ b/user-exec.c
-@@ -167,7 +167,7 @@ int cpu_signal_handler(int host_signum, void *pinfo,
- #elif defined(__OpenBSD__)
- struct sigcontext *uc = puc;
- #else
-- struct ucontext *uc = puc;
-+ ucontext_t *uc = puc;
- #endif
- unsigned long pc;
- int trapno;
-@@ -222,7 +222,7 @@ int cpu_signal_handler(int host_signum, void *pinfo,
- #elif defined(__OpenBSD__)
- struct sigcontext *uc = puc;
- #else
-- struct ucontext *uc = puc;
-+ ucontext_t *uc = puc;
- #endif
-
- pc = PC_sig(uc);
-@@ -289,7 +289,7 @@ int cpu_signal_handler(int host_signum, void *pinfo,
- #if defined(__FreeBSD__) || defined(__FreeBSD_kernel__)
- ucontext_t *uc = puc;
- #else
-- struct ucontext *uc = puc;
-+ ucontext_t *uc = puc;
- #endif
- unsigned long pc;
- int is_write;
-@@ -316,7 +316,7 @@ int cpu_signal_handler(int host_signum, void *pinfo,
- void *puc)
- {
- siginfo_t *info = pinfo;
-- struct ucontext *uc = puc;
-+ ucontext_t *uc = puc;
- uint32_t *pc = uc->uc_mcontext.sc_pc;
- uint32_t insn = *pc;
- int is_write = 0;
-@@ -414,7 +414,7 @@ int cpu_signal_handler(int host_signum, void *pinfo,
- #if defined(__NetBSD__)
- ucontext_t *uc = puc;
- #else
-- struct ucontext *uc = puc;
-+ ucontext_t *uc = puc;
- #endif
- unsigned long pc;
- int is_write;
-@@ -441,7 +441,7 @@ int cpu_signal_handler(int host_signum, void *pinfo,
- int cpu_signal_handler(int host_signum, void *pinfo, void *puc)
- {
- siginfo_t *info = pinfo;
-- struct ucontext *uc = puc;
-+ ucontext_t *uc = puc;
- uintptr_t pc = uc->uc_mcontext.pc;
- uint32_t insn = *(uint32_t *)pc;
- bool is_write;
-@@ -474,7 +474,7 @@ int cpu_signal_handler(int host_signum, void *pinfo, void *puc)
- int cpu_signal_handler(int host_signum, void *pinfo, void *puc)
- {
- siginfo_t *info = pinfo;
-- struct ucontext *uc = puc;
-+ ucontext_t *uc = puc;
- unsigned long ip;
- int is_write = 0;
-
-@@ -505,7 +505,7 @@ int cpu_signal_handler(int host_signum, void *pinfo,
- void *puc)
- {
- siginfo_t *info = pinfo;
-- struct ucontext *uc = puc;
-+ ucontext_t *uc = puc;
- unsigned long pc;
- uint16_t *pinsn;
- int is_write = 0;
-@@ -558,7 +558,7 @@ int cpu_signal_handler(int host_signum, void *pinfo,
- void *puc)
- {
- siginfo_t *info = pinfo;
-- struct ucontext *uc = puc;
-+ ucontext_t *uc = puc;
- greg_t pc = uc->uc_mcontext.pc;
- int is_write;
-
----
-2.13.3
-
diff --git a/qemu.spec b/qemu.spec
index 0aa90e3..65cfad1 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -97,17 +97,17 @@ Requires: %{name}-block-ssh = %{epoch}:%{version}-%{release}
%undefine _hardened_build
# Release candidate version tracking
-#global rcver rc4
-#if 0%{?rcver:1}
-#global rcrel .%{rcver}
-#global rcstr -%{rcver}
-#endif
+%global rcver rc1
+%if 0%{?rcver:1}
+%global rcrel .%{rcver}
+%global rcstr -%{rcver}
+%endif
Summary: QEMU is a FAST! processor emulator
Name: qemu
-Version: 2.9.0
-Release: 9%{?rcrel}%{?dist}
+Version: 2.10.0
+Release: 0.1%{?rcrel}%{?dist}
Epoch: 2
License: GPLv2+ and LGPLv2+ and BSD
Group: Development/Tools
@@ -141,47 +141,6 @@ Source21: 50-kvm-s390x.conf
# /etc/security/limits.d/95-kvm-ppc64-memlock.conf
Source22: 95-kvm-ppc64-memlock.conf
-# CVE-2017-8112: vmw_pvscsi: infinite loop in pvscsi_log2 (bz #1445622)
-Patch0001: 0001-vmw_pvscsi-check-message-ring-page-count-at-initiali.patch
-# CVE-2017-8309: audio: host memory lekage via capture buffer (bz #1446520)
-Patch0002: 0002-audio-release-capture-buffers.patch
-# CVE-2017-8379: input: host memory lekage via keyboard events (bz #1446560)
-Patch0003: 0003-input-limit-kbd-queue-depth.patch
-# CVE-2017-8380: scsi: megasas: out-of-bounds read in megasas_mmio_write (bz
-# #1446578)
-Patch0004: 0004-scsi-avoid-an-off-by-one-error-in-megasas_mmio_write.patch
-# CVE-2017-7493: 9pfs: guest privilege escalation in virtfs mapped-file mode
-# (bz #1451711)
-Patch0005: 0005-9pfs-local-forbid-client-access-to-metadata-CVE-2017.patch
-# CVE-2017-9503: megasas: null pointer dereference while processing megasas
-# command (bz #1459478)
-Patch0006: 0006-megasas-do-not-read-sense-length-more-than-once-from.patch
-Patch0007: 0007-megasas-do-not-read-iovec-count-more-than-once-from-.patch
-Patch0008: 0008-megasas-do-not-read-DCMD-opcode-more-than-once-from-.patch
-Patch0009: 0009-megasas-do-not-read-command-more-than-once-from-fram.patch
-Patch0010: 0010-megasas-do-not-read-SCSI-req-parameters-more-than-on.patch
-Patch0011: 0011-megasas-always-store-SCSIRequest-into-MegasasCmd.patch
-
-# CVE-2017-10806: usb-redirect: stack buffer overflow in debug logging (bz
-# #1468497)
-Patch0101: 0101-usb-redir-fix-stack-overflow-in-usbredir_log_data.patch
-# CVE-2017-9524: nbd: segfault due to client non-negotiation (bz #1460172)
-Patch0102: 0102-nbd-Fully-initialize-client-in-case-of-failed-negoti.patch
-Patch0103: 0103-nbd-Fix-regression-on-resiliency-to-port-scan.patch
-# CVE-2017-10664: qemu-nbd: server breaks with SIGPIPE upon client abort (bz
-# #1466192)
-Patch0104: 0104-qemu-nbd-Ignore-SIGPIPE.patch
-
-# Build fix; https://lists.gnu.org/archive/html/qemu-devel/2017-07/msg06005.html
-Patch0200: 0200-Update-references-of-struct-ucontext-to-ucontext_t.patch
-
-Patch1001: 0001-xen-make-use-of-xen_xc-implicit-in-xen_common.h-inli.patch
-Patch1002: 0002-xen-rename-xen_modified_memory-to-xen_hvm_modified_m.patch
-Patch1003: 0003-xen-create-wrappers-for-all-other-uses-of-xc_hvm_XXX.patch
-Patch1004: 0004-configure-detect-presence-of-libxendevicemodel.patch
-Patch1005: 0005-xen-use-libxendevicemodel-when-available.patch
-Patch1006: 0006-xen-use-5-digit-xen-versions.patch
-
# documentation deps
BuildRequires: texinfo
# For /usr/bin/pod2man
@@ -1952,6 +1911,7 @@ getent passwd qemu >/dev/null || \
%{_datadir}/systemtap/tapset/qemu-system-s390x*.stp
%{_mandir}/man1/qemu-system-s390x.1*
%{_datadir}/%{name}/s390-ccw.img
+%{_datadir}/%{name}/s390-netboot.img
%ifarch s390x
%{?kvm_files:}
%{_sysconfdir}/sysctl.d/50-kvm-s390x.conf
@@ -1995,6 +1955,7 @@ getent passwd qemu >/dev/null || \
%{_mandir}/man1/qemu-system-ppcemb.1*
%{_datadir}/%{name}/bamboo.dtb
%{_datadir}/%{name}/ppc_rom.bin
+%{_datadir}/%{name}/qemu_vga.ndrv
%{_datadir}/%{name}/skiboot.lid
%{_datadir}/%{name}/spapr-rtas.bin
%{_datadir}/%{name}/u-boot.e500
@@ -2064,6 +2025,9 @@ getent passwd qemu >/dev/null || \
%changelog
+* Thu Aug 03 2017 Cole Robinson - 2:2.10.0-0.1-rc1
+- Rebase to 2.10.0-rc1
+
* Sun Jul 30 2017 Florian Weimer - 2:2.9.0-9 - Rebuild with binutils fix for ppc64le (#1475636)
diff --git a/sources b/sources
index 2d417b0..afee1c6 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (qemu-2.9.0.tar.xz) = a5259b888ac336db559f4483a9c50ad434fb82aedce37d9be957e79f696736509af1841489ee10e7362ef1506f3a04786c483a2e37d342b2bec46f0a726fb60f
+SHA512 (qemu-2.10.0-rc1.tar.xz) = 9776e2605e8d7aa8393fed0ccb4e349b325c45fddc636dab43598654437624edcdfdebabc26459506da7833f0b41a8c4cbd610c488a8fc0038e42354f891a19a
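Review bot: Dropping Patch0001 through Patch1006 in this hunk assumes every one of those backports is already in the 2.10.0-rc1 tarball, but neither the hunk nor the new changelog entry (`- Rebase to 2.10.0-rc1`) records that this was checked. The comments being removed here are the only place the spec ties the build to CVE-2017-8112, -8309, -8379, -8380, -7493, -9503, -10806, -9524 and -10664, so after this commit a reader cannot tell whether those fixes are carried by the rebase or silently lost. The deleted 0104 patch file records an upstream cherry-pick id, which makes its inclusion in rc1 plausible, whereas Patch0200 is justified only by a mailing-list link and its presence in rc1 is not evidenced on this page. I would extend the changelog entry with a line such as `- Drop CVE-2017-8112/8309/8379/8380/7493/9503/10806/9524/10664 and ucontext_t build-fix patches, now upstream in 2.10.0-rc1` after confirming each against the new tarball.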