diff --git a/0200-ccid-Fix-buffer-overrun-in-handling-of-VSC_ATR-messa.patch b/0200-ccid-Fix-buffer-overrun-in-handling-of-VSC_ATR-messa.patch
new file mode 100644
index 0000000..6a8d715
--- /dev/null
+++ b/0200-ccid-Fix-buffer-overrun-in-handling-of-VSC_ATR-messa.patch
@@ -0,0 +1,42 @@
+From 792733e8aa8565a0b49c80539d0bc7a0ac19aaff Mon Sep 17 00:00:00 2001
+From: Markus Armbruster
+Date: Mon, 28 Nov 2011 20:27:37 +0100
+Subject: [PATCH] ccid: Fix buffer overrun in handling of VSC_ATR message
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+ATR size exceeding the limit is diagnosed, but then we merrily use it
+anyway, overrunning card->atr[].
+
+The message is read from a character device. Obvious security
+implications unless the other end of the character device is trusted.
+
+Spotted by Coverity. CVE-2011-4111.
+
+Signed-off-by: Markus Armbruster
+Signed-off-by: Anthony Liguori
+(cherry picked from commit 7e62255a4b3e0e2ab84a3ec7398640e8ed58620a)
+
+Signed-off-by: Bruce Rogers
+[AF: Fixes BNC#731086.]
+Signed-off-by: Andreas Färber
+---
+ hw/ccid-card-passthru.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/ccid-card-passthru.c b/hw/ccid-card-passthru.c
+index 28eb9d1..0505663 100644
+--- a/hw/ccid-card-passthru.c
++++ b/hw/ccid-card-passthru.c
+@@ -150,6 +150,7 @@ static void ccid_card_vscard_handle_message(PassthruState *card,
+ error_report("ATR size exceeds spec, ignoring");
+ ccid_card_vscard_send_error(card, scr_msg_header->reader_id,
+ VSC_GENERAL_ERROR);
++ break;
+ }
+ memcpy(card->atr, data, scr_msg_header->length);
+ card->atr_length = scr_msg_header->length;
+--
+1.7.11.2
+
diff --git a/0201-qdev-Reset-hot-plugged-devices.patch b/0201-qdev-Reset-hot-plugged-devices.patch
new file mode 100644
index 0000000..36d506e
--- /dev/null
+++ b/0201-qdev-Reset-hot-plugged-devices.patch
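Review bot: The added `break` keeps the oversized ATR away from the `memcpy`, but the bound that `scr_msg_header->length` was compared against is not in the hunk, so a reviewer cannot confirm here that the limit equals `sizeof(card->atr)`. A comment on the copy, e.g. `/* length was bounded against sizeof(card->atr) above */`, would make the invariant the error path now protects explicit at the point of use. ccid_card_vscard_handle_message starts before the hunk and continues after it.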
@@ -0,0 +1,39 @@
+From c09233797d29cc18bc7d304ceeb8bef72f3acefb Mon Sep 17 00:00:00 2001
+From: Jan Kiszka
+Date: Sun, 24 Jul 2011 19:38:36 +0200
+Subject: [PATCH] qdev: Reset hot-plugged devices
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Device models rely on the core invoking their reset handlers after init.
+We do this in the cold-plug case, but so far we miss this step after
+hot-plug.
+
+Signed-off-by: Jan Kiszka
+Signed-off-by: Anthony Liguori
+(cherry picked from commit 5ab28c8340f683121c081a181adfd9f72ab85cba)
+
+[AF: Fixes BNC#722958 / LTC#75394.]
+Signed-off-by: Andreas Färber
+---
+ hw/qdev.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/hw/qdev.c b/hw/qdev.c
+index a0fcd06..b4ea8e1 100644
+--- a/hw/qdev.c
++++ b/hw/qdev.c
+@@ -289,6 +289,9 @@ int qdev_init(DeviceState *dev)
+ dev->alias_required_for_version);
+ }
+ dev->state = DEV_STATE_INITIALIZED;
++ if (dev->hotplugged && dev->info->reset) {
++ dev->info->reset(dev);
++ }
+ return 0;
+ }
+
+--
+1.7.11.2
+
diff --git a/0202-e1000-use-MII-status-register-for-link-up-down.patch b/0202-e1000-use-MII-status-register-for-link-up-down.patch
new file mode 100644
index 0000000..3f60fb3
--- /dev/null
+++ b/0202-e1000-use-MII-status-register-for-link-up-down.patch
@@ -0,0 +1,147 @@ +From 461473595d1dd1131cb060c460c87ca7b652939e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= +Date: Wed, 17 Aug 2011 11:03:14 +0200 +Subject: [PATCH] e1000: use MII status register for link up/down +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Some guests will use the standard MII status register +to verify link state. They will not notice link changes +unless this register is updated. + +Verified with Linux 3.0 and Windows XP guests. + +Without this patch, ethtool will report speed and duplex as +unknown when the link is down, but still report the link as +up. This is because the Linux e1000 driver checks the +mac_reg[STATUS] register link state before it checks speed +and duplex, but uses the phy_reg[PHY_STATUS] register for +the actual link state check. Fix by updating both registers +on link state changes. + +Linux guest before: + + (qemu) set_link e1000.0 off + + kvm-sid:~# ethtool eth0 + Settings for eth0: + Supported ports: [ TP ] + Supported link modes: 10baseT/Half 10baseT/Full + 100baseT/Half 100baseT/Full + 1000baseT/Full + Supports auto-negotiation: Yes + Advertised link modes: 10baseT/Half 10baseT/Full + 100baseT/Half 100baseT/Full + 1000baseT/Full + Advertised pause frame use: No + Advertised auto-negotiation: Yes + Speed: Unknown! + Duplex: Unknown! 
(255) + Port: Twisted Pair + PHYAD: 0 + Transceiver: internal + Auto-negotiation: on + MDI-X: Unknown + Supports Wake-on: umbg + Wake-on: d + Current message level: 0x00000007 (7) + drv probe link + Link detected: yes + + (qemu) set_link e1000.0 on + +Linux guest after: + + (qemu) set_link e1000.0 off + [ 63.384221] e1000: eth0 NIC Link is Down + + kvm-sid:~# ethtool eth0 + Settings for eth0: + Supported ports: [ TP ] + Supported link modes: 10baseT/Half 10baseT/Full + 100baseT/Half 100baseT/Full + 1000baseT/Full + Supports auto-negotiation: Yes + Advertised link modes: 10baseT/Half 10baseT/Full + 100baseT/Half 100baseT/Full + 1000baseT/Full + Advertised pause frame use: No + Advertised auto-negotiation: Yes + Speed: Unknown! + Duplex: Unknown! (255) + Port: Twisted Pair + PHYAD: 0 + Transceiver: internal + Auto-negotiation: on + MDI-X: Unknown + Supports Wake-on: umbg + Wake-on: d + Current message level: 0x00000007 (7) + drv probe link + Link detected: no + + (qemu) set_link e1000.0 on + [ 84.304582] e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX + +Signed-off-by: Bjørn Mork +Signed-off-by: Anthony Liguori +(cherry picked from commit d4044c2a6b9ba4a00dd653f515a4b0ebfcb7e125) + +Signed-off-by: Andreas Färber +--- + hw/e1000.c | 7 +++++-- + hw/e1000_hw.h | 17 +++++++++++++++++ + 2 files changed, 22 insertions(+), 2 deletions(-) + +diff --git a/hw/e1000.c b/hw/e1000.c +index 96d84f9..e4d9ab5 100644 +--- a/hw/e1000.c ++++ b/hw/e1000.c +@@ -624,10 +624,13 @@ e1000_set_link_status(VLANClientState *nc) + E1000State *s = DO_UPCAST(NICState, nc, nc)->opaque; + uint32_t old_status = s->mac_reg[STATUS]; + +- if (nc->link_down) ++ if (nc->link_down) { + s->mac_reg[STATUS] &= ~E1000_STATUS_LU; +- else ++ s->phy_reg[PHY_STATUS] &= ~MII_SR_LINK_STATUS; ++ } else { + s->mac_reg[STATUS] |= E1000_STATUS_LU; ++ s->phy_reg[PHY_STATUS] |= MII_SR_LINK_STATUS; ++ } + + if (s->mac_reg[STATUS] != old_status) + set_ics(s, 0, E1000_ICR_LSC); +diff --git a/hw/e1000_hw.h 
b/hw/e1000_hw.h +index 9bd8a4b..2e341ac 100644 +--- a/hw/e1000_hw.h ++++ b/hw/e1000_hw.h +@@ -349,6 +349,23 @@ + #define M88E1000_PHY_VCO_REG_BIT8 0x100 /* Bits 8 & 11 are adjusted for */ + #define M88E1000_PHY_VCO_REG_BIT11 0x800 /* improved BER performance */ + ++/* PHY Status Register */ ++#define MII_SR_EXTENDED_CAPS 0x0001 /* Extended register capabilities */ ++#define MII_SR_JABBER_DETECT 0x0002 /* Jabber Detected */ ++#define MII_SR_LINK_STATUS 0x0004 /* Link Status 1 = link */ ++#define MII_SR_AUTONEG_CAPS 0x0008 /* Auto Neg Capable */ ++#define MII_SR_REMOTE_FAULT 0x0010 /* Remote Fault Detect */ ++#define MII_SR_AUTONEG_COMPLETE 0x0020 /* Auto Neg Complete */ ++#define MII_SR_PREAMBLE_SUPPRESS 0x0040 /* Preamble may be suppressed */ ++#define MII_SR_EXTENDED_STATUS 0x0100 /* Ext. status info in Reg 0x0F */ ++#define MII_SR_100T2_HD_CAPS 0x0200 /* 100T2 Half Duplex Capable */ ++#define MII_SR_100T2_FD_CAPS 0x0400 /* 100T2 Full Duplex Capable */ ++#define MII_SR_10T_HD_CAPS 0x0800 /* 10T Half Duplex Capable */ ++#define MII_SR_10T_FD_CAPS 0x1000 /* 10T Full Duplex Capable */ ++#define MII_SR_100X_HD_CAPS 0x2000 /* 100X Half Duplex Capable */ ++#define MII_SR_100X_FD_CAPS 0x4000 /* 100X Full Duplex Capable */ ++#define MII_SR_100T4_CAPS 0x8000 /* 100T4 Capable */ ++ + /* Interrupt Cause Read */ + #define E1000_ICR_TXDW 0x00000001 /* Transmit desc written back */ + #define E1000_ICR_TXQE 0x00000002 /* Transmit Queue empty */ +-- +1.7.11.2 + diff --git a/0203-e1000-Don-t-set-the-Capabilities-List-bit.patch b/0203-e1000-Don-t-set-the-Capabilities-List-bit.patch new file mode 100644 index 0000000..6c174ec --- /dev/null +++ b/0203-e1000-Don-t-set-the-Capabilities-List-bit.patch 
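Review bot: e1000_set_link_status now mirrors the link bit into `s->phy_reg[PHY_STATUS]`, but the hunk only covers set_link transitions; whether PHY_STATUS is re-initialised on device reset or carried across migration is not visible here, so a link that is down when the guest resets the NIC could keep a stale MII bit. Worth confirming against the reset and vmstate paths before merging. A short comment on the new lines, e.g. `/* keep the MII status register in step with STATUS.LU: some guests poll the PHY instead */`, would record why both registers are touched. e1000_set_link_status continues outside the hunk.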
@@ -0,0 +1,43 @@ +From fe7f7d7ae7114fb220ed258e249f9a63834f6fa6 Mon Sep 17 00:00:00 2001 +From: dann frazier +Date: Wed, 21 Sep 2011 14:06:25 -0600 +Subject: [PATCH] e1000: Don't set the Capabilities List bit +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[Originally sent to qemu-kvm list, but I was redirected here] + +The Capabilities Pointer is NULL, so this bit shouldn't be set. The state of +this bit doesn't appear to change any behavior on Linux/Windows versions we've +tested, but it does cause Windows' PCI/PCI Express Compliance Test to balk. + +I happen to have a physical 82540EM controller, and it also sets the +Capabilities Bit, but it actually has items on the capabilities list to go +with it :) + +Signed-off-by: dann frazier +Signed-off-by: Anthony Liguori +(cherry picked from commit dd8e93799f13ef82d83c185b8e71e049452f7d40) + +Signed-off-by: Andreas Färber +--- + hw/e1000.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/hw/e1000.c b/hw/e1000.c +index e4d9ab5..7971457 100644 +--- a/hw/e1000.c ++++ b/hw/e1000.c +@@ -1167,8 +1167,6 @@ static int pci_e1000_init(PCIDevice *pci_dev) + + pci_conf = d->dev.config; + +- /* TODO: we have no capabilities, so why is this bit set? */ +- pci_set_word(pci_conf + PCI_STATUS, PCI_STATUS_CAP_LIST); + /* TODO: RST# value should be 0, PCI spec 6.2.4 */ + pci_conf[PCI_CACHE_LINE_SIZE] = 0x10; + +-- +1.7.11.2 + diff --git a/0204-e1000-bounds-packet-size-against-buffer-size.patch b/0204-e1000-bounds-packet-size-against-buffer-size.patch new file mode 100644 index 0000000..f616bf7 --- /dev/null +++ b/0204-e1000-bounds-packet-size-against-buffer-size.patch 
@@ -0,0 +1,45 @@
+From 078c531e6b57f36359b74ea6c136c2ea1b5a9891 Mon Sep 17 00:00:00 2001
+From: Anthony Liguori
+Date: Mon, 23 Jan 2012 07:30:43 -0600
+Subject: [PATCH] e1000: bounds packet size against buffer size
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Otherwise we can write beyond the buffer and corrupt memory. This is tracked
+as CVE-2012-0029.
+
+Signed-off-by: Anthony Liguori
+(cherry picked from commit 65f82df0d7a71ce1b10cd4c5ab08888d176ac840)
+
+Signed-off-by: Bruce Rogers
+[AF: stable-0.15 does not have pci_dma_read(). Fixes BNC#740165.]
+Signed-off-by: Andreas Färber
+---
+ hw/e1000.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/hw/e1000.c b/hw/e1000.c
+index 7971457..c91790b 100644
+--- a/hw/e1000.c
++++ b/hw/e1000.c
+@@ -472,6 +472,8 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
+ bytes = split_size;
+ if (tp->size + bytes > msh)
+ bytes = msh - tp->size;
++
++ bytes = MIN(sizeof(tp->data) - tp->size, bytes);
+ cpu_physical_memory_read(addr, tp->data + tp->size, bytes);
+ if ((sz = tp->size + bytes) >= hdr && tp->size < hdr)
+ memmove(tp->header, tp->data, hdr);
+@@ -487,6 +489,7 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
+ // context descriptor TSE is not set, while data descriptor TSE is set
+ DBGOUT(TXERR, "TCP segmentaion Error\n");
+ } else {
++ split_size = MIN(sizeof(tp->data) - tp->size, split_size);
+ cpu_physical_memory_read(addr, tp->data + tp->size, split_size);
+ tp->size += split_size;
+ }
+--
+1.7.11.2
+
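Review bot: Both new clamps in process_tx_desc compute `sizeof(tp->data) - tp->size` in unsigned arithmetic, so they only bound the copy while `tp->size <= sizeof(tp->data)` holds; if `tp->size` ever exceeded the buffer the subtraction would wrap and MIN would keep the unclamped length. The writes in these hunks maintain that invariant themselves, but it deserves a comment at the first clamp, e.g. `/* tp->size never exceeds sizeof(tp->data): every write below is clamped against it */`. The truncation is also silent; a `DBGOUT(TXERR, ...)` when the clamp actually shortens a copy would make an oversized descriptor visible in debug output instead of quietly producing a corrupt frame. process_tx_desc starts and ends outside the hunks.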
@@ -0,0 +1,49 @@ +From 89409a7eee1d25a91c31402fdb35d8554e3a99d0 Mon Sep 17 00:00:00 2001 +From: Peter Maydell +Date: Thu, 13 Oct 2011 18:45:37 +0100 +Subject: [PATCH] compatfd.c: Don't pass NULL pointer to SYS_signalfd +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Don't pass a NULL pointer in to SYS_signalfd in qemu_signalfd_available(): +this isn't valid and Valgrind complains about it. + +Signed-off-by: Peter Maydell +Reviewed-by: Stefan Hajnoczi +Signed-off-by: Andrzej Zaborowski +(cherry picked from commit 7f84c1272b601be88daeb828ec1890890c7aae25) + +Signed-off-by: Bruce Rogers +Signed-off-by: Andreas Färber +--- + compatfd.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/compatfd.c b/compatfd.c +index 31654c6..02306a4 100644 +--- a/compatfd.c ++++ b/compatfd.c +@@ -119,9 +119,17 @@ int qemu_signalfd(const sigset_t *mask) + bool qemu_signalfd_available(void) + { + #ifdef CONFIG_SIGNALFD ++ sigset_t mask; ++ int fd; ++ bool ok; ++ sigemptyset(&mask); + errno = 0; +- syscall(SYS_signalfd, -1, NULL, _NSIG / 8); +- return errno != ENOSYS; ++ fd = syscall(SYS_signalfd, -1, &mask, _NSIG / 8); ++ ok = (errno != ENOSYS); ++ if (fd >= 0) { ++ close(fd); ++ } ++ return ok; + #else + return false; + #endif +-- +1.7.11.2 + diff --git a/0206-kvm-avoid-reentring-kvm_flush_coalesced_mmio_buffer.patch b/0206-kvm-avoid-reentring-kvm_flush_coalesced_mmio_buffer.patch new file mode 100644 index 0000000..cfe02b4 --- /dev/null +++ b/0206-kvm-avoid-reentring-kvm_flush_coalesced_mmio_buffer.patch 
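Review bot: In qemu_signalfd_available the value of `ok` is captured before `close(fd)`, which is the right order because close() may overwrite errno, but nothing says so and a later cleanup could reorder the two lines. A one-line comment, `/* read errno before close() can clobber it */`, would pin that down. Minor: `syscall()` returns long and is stored in an `int fd`; harmless for a descriptor, but `long fd` would match the call's type. The function is fully inside the hunk.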
@@ -0,0 +1,60 @@ +From 479c2a6a296d4fafc713746bf96127c1b20c381e Mon Sep 17 00:00:00 2001 +From: Avi Kivity +Date: Tue, 18 Oct 2011 19:43:12 +0200 +Subject: [PATCH] kvm: avoid reentring kvm_flush_coalesced_mmio_buffer() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +mmio callbacks invoked by kvm_flush_coalesced_mmio_buffer() may +themselves indirectly call kvm_flush_coalesced_mmio_buffer(). +Prevent reentering the function by checking a flag that indicates +we're processing coalesced mmio requests. + +Signed-off-by: Avi Kivity +(cherry picked from commit 1cae88b9f4121c9af0bf677435c6129e643280fd) + +Signed-off-by: Bruce Rogers +Signed-off-by: Andreas Färber +--- + kvm-all.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/kvm-all.c b/kvm-all.c +index cbc2532..26621d0 100644 +--- a/kvm-all.c ++++ b/kvm-all.c +@@ -64,6 +64,7 @@ struct KVMState + int vmfd; + int coalesced_mmio; + struct kvm_coalesced_mmio_ring *coalesced_mmio_ring; ++ bool coalesced_flush_in_progress; + int broken_set_mem_region; + int migration_log; + int vcpu_events; +@@ -876,6 +877,13 @@ static int kvm_handle_internal_error(CPUState *env, struct kvm_run *run) + void kvm_flush_coalesced_mmio_buffer(void) + { + KVMState *s = kvm_state; ++ ++ if (s->coalesced_flush_in_progress) { ++ return; ++ } ++ ++ s->coalesced_flush_in_progress = true; ++ + if (s->coalesced_mmio_ring) { + struct kvm_coalesced_mmio_ring *ring = s->coalesced_mmio_ring; + while (ring->first != ring->last) { +@@ -888,6 +896,8 @@ void kvm_flush_coalesced_mmio_buffer(void) + ring->first = (ring->first + 1) % KVM_COALESCED_MMIO_MAX; + } + } ++ ++ s->coalesced_flush_in_progress = false; + } + + static void do_kvm_cpu_synchronize_state(void *_env) +-- +1.7.11.2 + diff --git a/0207-vmdk-vmdk_read_cid-returns-garbage-if-p_name-is-NULL.patch b/0207-vmdk-vmdk_read_cid-returns-garbage-if-p_name-is-NULL.patch new file mode 100644 index 0000000..7f6b622 --- /dev/null 
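Review bot: The early `return` in kvm_flush_coalesced_mmio_buffer silently drops a nested flush request without explaining why that is safe; it works only because the outer `while (ring->first != ring->last)` re-reads `ring->last` on each iteration, so entries coalesced during an mmio callback are still drained by the outer call. Suggest `/* nested call from an mmio handler: the outer loop re-reads ring->last and drains anything queued meanwhile */` above the return. `coalesced_flush_in_progress` is a plain bool, which presumes every caller runs under the same lock; that is likely true here but nothing in the hunk enforces or states it — confirm.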
+++ b/0207-vmdk-vmdk_read_cid-returns-garbage-if-p_name-is-NULL.patch
@@ -0,0 +1,36 @@
+From 1b09be835d853b8fd591e1f5de29ae20ed405722 Mon Sep 17 00:00:00 2001
+From: Pavel Borzenkov
+Date: Tue, 18 Oct 2011 21:19:03 +0400
+Subject: [PATCH] vmdk: vmdk_read_cid returns garbage if p_name is NULL
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Spotted by Clang Analyzer
+
+Signed-off-by: Pavel Borzenkov
+Signed-off-by: Stefan Hajnoczi
+(cherry picked from commit 8379e46d1fd681b8aa4714382e2cdab05e5d0575)
+
+Signed-off-by: Bruce Rogers
+Signed-off-by: Andreas Färber
+---
+ block/vmdk.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/block/vmdk.c b/block/vmdk.c
+index 37478d2..b5caa40 100644
+--- a/block/vmdk.c
++++ b/block/vmdk.c
+@@ -177,7 +177,7 @@ static void vmdk_free_extents(BlockDriverState *bs)
+ static uint32_t vmdk_read_cid(BlockDriverState *bs, int parent)
+ {
+ char desc[DESC_SIZE];
+- uint32_t cid;
++ uint32_t cid = 0xffffffff;
+ const char *p_name, *cid_str;
+ size_t cid_str_size;
+ BDRVVmdkState *s = bs->opaque;
+--
+1.7.11.2
+
diff --git a/0208-block-Fix-bdrv_open-use-after-free.patch b/0208-block-Fix-bdrv_open-use-after-free.patch
new file mode 100644
index 0000000..ff9c621
--- /dev/null
+++ b/0208-block-Fix-bdrv_open-use-after-free.patch
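Review bot: `0xffffffff` in vmdk_read_cid is a bare magic sentinel; whether it can collide with a CID value legitimately stored in the descriptor is not shown here, and the callers that compare the result are outside the hunk. Giving it a name (a `#define` next to DESC_SIZE) and a comment on the declaration saying it is what the caller receives when the requested key is absent would make the contract checkable where the value is consumed. The function body continues outside the hunk.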
@@ -0,0 +1,43 @@ +From 72e8677ee72152245f5dc222a85f83a6a382efe8 Mon Sep 17 00:00:00 2001 +From: Kevin Wolf +Date: Wed, 26 Oct 2011 11:03:01 +0200 +Subject: [PATCH] block: Fix bdrv_open use after free +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +tmp_filename was used outside the block it was defined in, i.e. after it went +out of scope. Move its declaration to the top level. + +Signed-off-by: Kevin Wolf +(cherry picked from commit 2b5728164fcf5211bbae8d3c2fc6df62dd6b2295) + +Signed-off-by: Bruce Rogers +Signed-off-by: Andreas Färber +--- + block.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/block.c b/block.c +index 9549b9e..4ebb18b 100644 +--- a/block.c ++++ b/block.c +@@ -526,6 +526,7 @@ int bdrv_open(BlockDriverState *bs, const char *filename, int flags, + BlockDriver *drv) + { + int ret; ++ char tmp_filename[PATH_MAX]; + + if (flags & BDRV_O_SNAPSHOT) { + BlockDriverState *bs1; +@@ -533,7 +534,6 @@ int bdrv_open(BlockDriverState *bs, const char *filename, int flags, + int is_protocol = 0; + BlockDriver *bdrv_qcow2; + QEMUOptionParameter *options; +- char tmp_filename[PATH_MAX]; + char backing_filename[PATH_MAX]; + + /* if snapshot, we create a temporary backing file and open it +-- +1.7.11.2 + diff --git a/0209-ide-Fix-off-by-one-error-in-array-index-check.patch b/0209-ide-Fix-off-by-one-error-in-array-index-check.patch new file mode 100644 index 0000000..282d5a5 --- /dev/null +++ b/0209-ide-Fix-off-by-one-error-in-array-index-check.patch 
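Review bot: Hoisting `char tmp_filename[PATH_MAX]` to function scope fixes the dangling reference, but it now costs PATH_MAX bytes of stack on every bdrv_open, including the common non-snapshot path; that is acceptable, but a comment such as `/* must outlive the BDRV_O_SNAPSHOT block: the path is used after it */` would stop the next tidy-up from moving it back into the block. The later use of tmp_filename is outside the hunk, so its lifetime requirement cannot be seen from here.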
@@ -0,0 +1,34 @@
+From 99f6b4ed1c345b144b0f052974cb470036418020 Mon Sep 17 00:00:00 2001
+From: Kevin Wolf
+Date: Wed, 26 Oct 2011 11:52:47 +0200
+Subject: [PATCH] ide: Fix off-by-one error in array index check
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Kevin Wolf
+Reviewed-by: Paolo Bonzini
+(cherry picked from commit fb60105d4942a26f571b1be92a8b9e7528d0c4d8)
+
+Signed-off-by: Bruce Rogers
+Signed-off-by: Andreas Färber
+---
+ hw/ide/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/ide/core.c b/hw/ide/core.c
+index d145b19..9bc446e 100644
+--- a/hw/ide/core.c
++++ b/hw/ide/core.c
+@@ -1933,7 +1933,7 @@ static int ide_drive_pio_post_load(void *opaque, int version_id)
+ {
+ IDEState *s = opaque;
+
+- if (s->end_transfer_fn_idx > ARRAY_SIZE(transfer_end_table)) {
++ if (s->end_transfer_fn_idx >= ARRAY_SIZE(transfer_end_table)) {
+ return -EINVAL;
+ }
+ s->end_transfer_func = transfer_end_table[s->end_transfer_fn_idx];
+--
+1.7.11.2
+
diff --git a/0210-acl-Fix-use-after-free-in-qemu_acl_reset.patch b/0210-acl-Fix-use-after-free-in-qemu_acl_reset.patch
new file mode 100644
index 0000000..e86dd11
--- /dev/null
+++ b/0210-acl-Fix-use-after-free-in-qemu_acl_reset.patch
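Review bot: The corrected `>=` is the right bound, but the check's robustness depends on the type of `end_transfer_fn_idx`, which is not in the hunk: if it is signed, a negative value from the migration stream is rejected only because the comparison against `ARRAY_SIZE()` promotes it to an unsigned huge value. That is the desired outcome but worth stating, e.g. `/* index comes from the migration stream; a negative value converts to a large unsigned and is rejected too */`, or declaring the field unsigned. ide_drive_pio_post_load continues outside the hunk.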
@@ -0,0 +1,52 @@ +From fa9ad46e1a4b3707a465bccf6f4431db7a647a08 Mon Sep 17 00:00:00 2001 +From: Markus Armbruster +Date: Fri, 28 Oct 2011 17:07:02 +0200 +Subject: [PATCH] acl: Fix use after free in qemu_acl_reset() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Reproducer: + + $ MALLOC_PERTURB_=234 qemu-system-x86_64 -vnc :0,acl,sasl [...] + QEMU 0.15.50 monitor - type 'help' for more information + (qemu) acl_add vnc.username fred allow + acl: added rule at position 1 + (qemu) acl_reset vnc.username + Segmentation fault (core dumped) + +Spotted by Coverity. + +Signed-off-by: Markus Armbruster +Signed-off-by: Stefan Hajnoczi +(cherry picked from commit 0ce6a434176e274a7e86bcaa268542c5cc402696) + +Signed-off-by: Bruce Rogers +Signed-off-by: Andreas Färber +--- + acl.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/acl.c b/acl.c +index 82c2704..cae059f 100644 +--- a/acl.c ++++ b/acl.c +@@ -95,13 +95,13 @@ int qemu_acl_party_is_allowed(qemu_acl *acl, + + void qemu_acl_reset(qemu_acl *acl) + { +- qemu_acl_entry *entry; ++ qemu_acl_entry *entry, *next_entry; + + /* Put back to deny by default, so there is no window + * of "open access" while the user re-initializes the + * access control list */ + acl->defaultDeny = 1; +- QTAILQ_FOREACH(entry, &acl->entries, next) { ++ QTAILQ_FOREACH_SAFE(entry, &acl->entries, next, next_entry) { + QTAILQ_REMOVE(&acl->entries, entry, next); + free(entry->match); + free(entry); +-- +1.7.11.2 + diff --git a/0211-migration-flush-migration-data-to-disk.patch b/0211-migration-flush-migration-data-to-disk.patch new file mode 100644 index 0000000..41a628d --- /dev/null +++ b/0211-migration-flush-migration-data-to-disk.patch 
@@ -0,0 +1,71 @@ +From 06400ebc136bf44f1fa423159fae9cc9a4f6839d Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Thu, 27 Oct 2011 09:12:04 +0200 +Subject: [PATCH] migration: flush migration data to disk. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This patch increases robustness when migrating to a file with +two little changes: + + (1) Before closing the migration file handle checks if it happens to be + a regular file and if so it issues a fsync. This way the data is + flushed to disk before qemu sends the migration completed event. + (2) It adds error checking. In case either fsync or close syscall + fails pass up the error (and fail migration). + +[ v2: return -errno instead of -1 ] + +Cc: Juan Quintela +Cc: Jiri Denemark +Signed-off-by: Gerd Hoffmann +Signed-off-by: Anthony Liguori +(cherry picked from commit aab2293687ee54a409f3fb53a1ab3595b595e0fb) + +Signed-off-by: Bruce Rogers +Signed-off-by: Andreas Färber +--- + migration-fd.c | 23 ++++++++++++++++++++++- + 1 file changed, 22 insertions(+), 1 deletion(-) + +diff --git a/migration-fd.c b/migration-fd.c +index 66d51c1..f986bdf 100644 +--- a/migration-fd.c ++++ b/migration-fd.c +@@ -42,10 +42,31 @@ static int fd_write(FdMigrationState *s, const void * buf, size_t size) + + static int fd_close(FdMigrationState *s) + { ++ struct stat st; ++ int ret; ++ + DPRINTF("fd_close\n"); + if (s->fd != -1) { +- close(s->fd); ++ ret = fstat(s->fd, &st); ++ if (ret == 0 && S_ISREG(st.st_mode)) { ++ /* ++ * If the file handle is a regular file make sure the ++ * data is flushed to disk before signaling success. ++ */ ++ ret = fsync(s->fd); ++ if (ret != 0) { ++ ret = -errno; ++ perror("migration-fd: fsync"); ++ return ret; ++ } ++ } ++ ret = close(s->fd); + s->fd = -1; ++ if (ret != 0) { ++ ret = -errno; ++ perror("migration-fd: close"); ++ return ret; ++ } + } + return 0; + } +-- +1.7.11.2 + 
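Review bot: When `fsync` fails, fd_close returns with `s->fd` still open and still recorded, so the descriptor leaks and a subsequent call would retry fsync on the same handle; the close should happen on every path, with the fsync error kept as the return value. Capturing `ret = -errno` before `perror` is correct, since perror itself may touch errno, and the rewrite below preserves that. fd_close is fully inside the hunk.
```c
static int fd_close(FdMigrationState *s)
{
    struct stat st;
    int ret = 0;

    DPRINTF("fd_close\n");
    if (s->fd != -1) {
        if (fstat(s->fd, &st) == 0 && S_ISREG(st.st_mode)) {
            /*
             * If the file handle is a regular file make sure the
             * data is flushed to disk before signaling success.
             */
            if (fsync(s->fd) != 0) {
                ret = -errno;
                perror("migration-fd: fsync");
            }
        }
        /* release the descriptor even if fsync failed; keep the first error */
        if (close(s->fd) != 0 && ret == 0) {
            ret = -errno;
            perror("migration-fd: close");
        }
        s->fd = -1;
    }
    return ret;
}
```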
diff --git a/0212-Fix-X86-CPU-topology-in-KVM-mode.patch b/0212-Fix-X86-CPU-topology-in-KVM-mode.patch new file mode 100644 index 0000000..444b80a --- /dev/null +++ b/0212-Fix-X86-CPU-topology-in-KVM-mode.patch 
@@ -0,0 +1,55 @@ +From 7a890dc5d4e79e4ced03aa9d3665c9a1df3e448e Mon Sep 17 00:00:00 2001 +From: Bharata B Rao +Date: Wed, 2 Nov 2011 14:16:08 +0530 +Subject: [PATCH] Fix X86 CPU topology in KVM mode +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +apic id returned to guest kernel in ebx for cpuid(function=1) depends on +CPUX86State->cpuid_apic_id which gets populated after the cpuid information +is cached in the host kernel. This results in broken CPU topology in guest. + +Fix this by setting cpuid_apic_id before cpuid information is passed to +the host kernel. This is done by moving the setting of cpuid_apic_id +to cpu_x86_init() where it will work for both KVM as well as TCG modes. + +Acked-by: Jan Kiszka +Signed-off-by: Bharata B Rao +Signed-off-by: Anthony Liguori +(cherry picked from commit f2209eb854a016eabc444b45f6d6b1636949141f) + +Signed-off-by: Bruce Rogers +Signed-off-by: Andreas Färber +--- + hw/pc.c | 1 - + target-i386/helper.c | 1 + + 2 files changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/pc.c b/hw/pc.c +index a3e8539..14ce684 100644 +--- a/hw/pc.c ++++ b/hw/pc.c +@@ -931,7 +931,6 @@ static CPUState *pc_new_cpu(const char *cpu_model) + exit(1); + } + if ((env->cpuid_features & CPUID_APIC) || smp_cpus > 1) { +- env->cpuid_apic_id = env->cpu_index; + env->apic_state = apic_init(env, env->cpuid_apic_id); + } + qemu_register_reset(pc_cpu_reset, env); +diff --git a/target-i386/helper.c b/target-i386/helper.c +index e9be104..829c1da 100644 +--- a/target-i386/helper.c ++++ b/target-i386/helper.c +@@ -1258,6 +1258,7 @@ CPUX86State *cpu_x86_init(const char *cpu_model) + cpu_x86_close(env); + return NULL; + } ++ env->cpuid_apic_id = env->cpu_index; + mce_init(env); + + qemu_init_vcpu(env); +-- +1.7.11.2 + diff --git a/0213-hw-lan9118.c-Add-missing-break-to-fix-buffer-overrun.patch b/0213-hw-lan9118.c-Add-missing-break-to-fix-buffer-overrun.patch new file mode 100644 index 0000000..2523e90 --- /dev/null 
+++ b/0213-hw-lan9118.c-Add-missing-break-to-fix-buffer-overrun.patch
@@ -0,0 +1,37 @@
+From e9552556f514b334b78ed56e32b4af366b429a0b Mon Sep 17 00:00:00 2001
+From: Peter Maydell
+Date: Wed, 9 Nov 2011 18:59:54 +0000
+Subject: [PATCH] hw/lan9118.c: Add missing 'break' to fix buffer overrun
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Add a missing 'break' statement to fix a buffer overrun when
+executing the EEPROM write-all command. Spotted by Coverity
+(see bug 887883).
+
+Signed-off-by: Peter Maydell
+Signed-off-by: Stefan Hajnoczi
+(cherry picked from commit 0e3b800e71cb7759d099eabbd8ad4c4fe848e381)
+
+Signed-off-by: Bruce Rogers
+Signed-off-by: Andreas Färber
+---
+ hw/lan9118.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/lan9118.c b/hw/lan9118.c
+index 73a8661..494b11d 100644
+--- a/hw/lan9118.c
++++ b/hw/lan9118.c
+@@ -863,6 +863,7 @@ static void lan9118_eeprom_cmd(lan9118_state *s, int cmd, int addr)
+ } else {
+ DPRINTF("EEPROM Write All (ignored)\n");
+ }
++ break;
+ case 5: /* ERASE */
+ if (s->eeprom_writable) {
+ s->eeprom[addr] = 0xff;
+--
+1.7.11.2
+
diff --git a/0214-ac97-don-t-override-the-pci-subsystem-id.patch b/0214-ac97-don-t-override-the-pci-subsystem-id.patch
new file mode 100644
index 0000000..f42640e
--- /dev/null
+++ b/0214-ac97-don-t-override-the-pci-subsystem-id.patch
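Review bot: The added `break` closes the fall-through from Write All into ERASE, but the ERASE case still indexes `s->eeprom[addr]` and whether `addr` is range-checked before lan9118_eeprom_cmd is reached is not visible in the hunk; since the command is presumably driven by guest register writes, that bound is the remaining thing to confirm. A comment on the case, e.g. `/* addr was masked to the EEPROM size by the caller */` (if that is true), would document it. lan9118_eeprom_cmd starts and ends outside the hunk.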
@@ -0,0 +1,119 @@ +From 498a3d8b7d28b8c114d65d9db5ccf3e96e2458f1 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Mon, 7 Nov 2011 16:33:09 +0100 +Subject: [PATCH] ac97: don't override the pci subsystem id +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This patch removes the code lines which set the subsystem id for the +emulated ac97 card to 8086:0000. Due to the device id being zero the +subsystem id isn't vaild anyway. With the patch applied the sound card +gets the default qemu subsystem id (1af4:1100) instead. + +[ v2: old & broken id is maintained for -M pc-$oldqemuversion ] + +Cc: Takashi Iwai +Signed-off-by: Gerd Hoffmann +Signed-off-by: Anthony Liguori +(cherry picked from commit 25a21c94c0055e078acb7f7455e66c8a15f32385) + +Signed-off-by: Bruce Rogers +Signed-off-by: Andreas Färber +--- + hw/ac97.c | 16 +++++++++++----- + hw/pc_piix.c | 16 ++++++++++++++++ + 2 files changed, 27 insertions(+), 5 deletions(-) + +diff --git a/hw/ac97.c b/hw/ac97.c +index 0b59896..a039481 100644 +--- a/hw/ac97.c ++++ b/hw/ac97.c +@@ -149,6 +149,7 @@ typedef struct AC97BusMasterRegs { + typedef struct AC97LinkState { + PCIDevice dev; + QEMUSoundCard card; ++ uint32_t use_broken_id; + uint32_t glob_cnt; + uint32_t glob_sta; + uint32_t cas; +@@ -1301,11 +1302,12 @@ static int ac97_initfn (PCIDevice *dev) + c[PCI_BASE_ADDRESS_0 + 6] = 0x00; + c[PCI_BASE_ADDRESS_0 + 7] = 0x00; + +- c[PCI_SUBSYSTEM_VENDOR_ID] = 0x86; /* svid subsystem vendor id rwo */ +- c[PCI_SUBSYSTEM_VENDOR_ID + 1] = 0x80; +- +- c[PCI_SUBSYSTEM_ID] = 0x00; /* sid subsystem id rwo */ +- c[PCI_SUBSYSTEM_ID + 1] = 0x00; ++ if (s->use_broken_id) { ++ c[PCI_SUBSYSTEM_VENDOR_ID] = 0x86; ++ c[PCI_SUBSYSTEM_VENDOR_ID + 1] = 0x80; ++ c[PCI_SUBSYSTEM_ID] = 0x00; ++ c[PCI_SUBSYSTEM_ID + 1] = 0x00; ++ } + + c[PCI_INTERRUPT_LINE] = 0x00; /* intr_ln interrupt line rw */ + /* TODO: RST# value should be 0. 
*/ +@@ -1336,6 +1338,10 @@ static PCIDeviceInfo ac97_info = { + .device_id = PCI_DEVICE_ID_INTEL_82801AA_5, + .revision = 0x01, + .class_id = PCI_CLASS_MULTIMEDIA_AUDIO, ++ .qdev.props = (Property[]) { ++ DEFINE_PROP_UINT32("use_broken_id", AC97LinkState, use_broken_id, 0), ++ DEFINE_PROP_END_OF_LIST(), ++ } + }; + + static void ac97_register (void) +diff --git a/hw/pc_piix.c b/hw/pc_piix.c +index c5c16b4..31552fd 100644 +--- a/hw/pc_piix.c ++++ b/hw/pc_piix.c +@@ -300,6 +300,10 @@ static QEMUMachine pc_machine_v0_13 = { + .driver = "virtio-net-pci", + .property = "event_idx", + .value = "off", ++ },{ ++ .driver = "AC97", ++ .property = "use_broken_id", ++ .value = stringify(1), + }, + { /* end of list */ } + }, +@@ -343,6 +347,10 @@ static QEMUMachine pc_machine_v0_12 = { + .driver = "virtio-net-pci", + .property = "event_idx", + .value = "off", ++ },{ ++ .driver = "AC97", ++ .property = "use_broken_id", ++ .value = stringify(1), + }, + { /* end of list */ } + } +@@ -394,6 +402,10 @@ static QEMUMachine pc_machine_v0_11 = { + .driver = "virtio-net-pci", + .property = "event_idx", + .value = "off", ++ },{ ++ .driver = "AC97", ++ .property = "use_broken_id", ++ .value = stringify(1), + }, + { /* end of list */ } + } +@@ -457,6 +469,10 @@ static QEMUMachine pc_machine_v0_10 = { + .driver = "virtio-net-pci", + .property = "event_idx", + .value = "off", ++ },{ ++ .driver = "AC97", ++ .property = "use_broken_id", ++ .value = stringify(1), + }, + { /* end of list */ } + }, +-- +1.7.11.2 + diff --git a/0215-vvfat-Fix-potential-buffer-overflow.patch b/0215-vvfat-Fix-potential-buffer-overflow.patch new file mode 100644 index 0000000..4f9d07c --- /dev/null +++ b/0215-vvfat-Fix-potential-buffer-overflow.patch 
@@ -0,0 +1,36 @@
+From f03f1fc43b30c377a553daf7709e1f0f392a532b Mon Sep 17 00:00:00 2001
+From: Kevin Wolf
+Date: Wed, 1 Jun 2011 10:57:00 +0200
+Subject: [PATCH] vvfat: Fix potential buffer overflow
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+path2[PATH_MAX] can be used for the null termination, so make the array big
+enough to allow this.
+
+Signed-off-by: Kevin Wolf
+(cherry picked from commit 0d460d6f414e02805cbc348404db03b2b7907360)
+
+Signed-off-by: Bruce Rogers
+Signed-off-by: Andreas Färber
+---
+ block/vvfat.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/block/vvfat.c b/block/vvfat.c
+index fe568fe..98b58f0 100644
+--- a/block/vvfat.c
++++ b/block/vvfat.c
+@@ -1741,7 +1741,7 @@ static int check_directory_consistency(BDRVVVFATState *s,
+
+ long_file_name lfn;
+ int path_len = strlen(path);
+- char path2[PATH_MAX];
++ char path2[PATH_MAX + 1];
+
+ assert(path_len < PATH_MAX); /* len was tested before! */
+ pstrcpy(path2, sizeof(path2), path);
+--
+1.7.11.2
+
diff --git a/0216-vns-tls-don-t-use-depricated-gnutls-functions.patch b/0216-vns-tls-don-t-use-depricated-gnutls-functions.patch
new file mode 100644
index 0000000..a47ad72
--- /dev/null
+++ b/0216-vns-tls-don-t-use-depricated-gnutls-functions.patch
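Review bot: The widened array makes `path2[PATH_MAX]` addressable, but the only bound on `path_len` visible in the hunk is `assert(path_len < PATH_MAX)`, which disappears under NDEBUG; `pstrcpy` bounds its own copy, so the question is whether the later write the commit message refers to (outside the hunk) relies on that assert. If it does, an explicit `if (path_len >= PATH_MAX) return -1;` ahead of the copy would hold in release builds as well, with the assert kept as documentation. check_directory_consistency continues outside the hunk.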
@@ -0,0 +1,116 @@ +From 5a32540f7b39f0b1224c3d6f1d12b6d4e358fe0a Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Wed, 7 Sep 2011 17:52:10 +0200 +Subject: [PATCH] vns/tls: don't use depricated gnutls functions +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Avoid using deprecated gnutls functions with recent gnutls versions. +Fixes build failure on Fedora 16. Keep the old way for compatibility +with old installations such as RHEL-5 (gnutls 1.4.x). + +Based on a patch from Raghavendra D Prabhu + +Signed-off-by: Gerd Hoffmann +Signed-off-by: Anthony Liguori +(cherry picked from commit f40d55081667a716312b9a8b6e13835c4074f56b) + +Signed-off-by: Bruce Rogers +Signed-off-by: Andreas Färber +--- + ui/vnc-tls.c | 68 +++++++++++++++++++++++++++++++++++++++++++----------------- + 1 file changed, 49 insertions(+), 19 deletions(-) + +diff --git a/ui/vnc-tls.c b/ui/vnc-tls.c +index 31f1467..f5ed306 100644 +--- a/ui/vnc-tls.c ++++ b/ui/vnc-tls.c +@@ -283,13 +283,57 @@ int vnc_tls_validate_certificate(struct VncState *vs) + return 0; + } + ++#if defined(GNUTLS_VERSION_NUMBER) && \ ++ GNUTLS_VERSION_NUMBER >= 0x020200 /* 2.2.0 */ ++ ++static int vnc_set_gnutls_priority(gnutls_session_t s, int x509) ++{ ++ const char *priority = x509 ? "NORMAL" : "NORMAL:+ANON-DH"; ++ int rc; ++ ++ rc = gnutls_priority_set_direct(s, priority, NULL); ++ if (rc != GNUTLS_E_SUCCESS) { ++ return -1; ++ } ++ return 0; ++} ++ ++#else ++ ++static int vnc_set_gnutls_priority(gnutls_session_t s, int x509) ++{ ++ static const int cert_types[] = { GNUTLS_CRT_X509, 0 }; ++ static const int protocols[] = { ++ GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0 ++ }; ++ static const int kx_anon[] = { GNUTLS_KX_ANON_DH, 0 }; ++ static const int kx_x509[] = { ++ GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA, ++ GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0 ++ }; ++ int rc; ++ ++ rc = gnutls_kx_set_priority(s, x509 ? 
kx_x509 : kx_anon); ++ if (rc != GNUTLS_E_SUCCESS) { ++ return -1; ++ } ++ ++ rc = gnutls_certificate_type_set_priority(s, cert_types); ++ if (rc != GNUTLS_E_SUCCESS) { ++ return -1; ++ } ++ ++ rc = gnutls_protocol_set_priority(s, protocols); ++ if (rc != GNUTLS_E_SUCCESS) { ++ return -1; ++ } ++ return 0; ++} ++ ++#endif + + int vnc_tls_client_setup(struct VncState *vs, + int needX509Creds) { +- static const int cert_type_priority[] = { GNUTLS_CRT_X509, 0 }; +- static const int protocol_priority[]= { GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0 }; +- static const int kx_anon[] = {GNUTLS_KX_ANON_DH, 0}; +- static const int kx_x509[] = {GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA, GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0}; + + VNC_DEBUG("Do TLS setup\n"); + if (vnc_tls_initialize() < 0) { +@@ -310,21 +354,7 @@ int vnc_tls_client_setup(struct VncState *vs, + return -1; + } + +- if (gnutls_kx_set_priority(vs->tls.session, needX509Creds ? kx_x509 : kx_anon) < 0) { +- gnutls_deinit(vs->tls.session); +- vs->tls.session = NULL; +- vnc_client_error(vs); +- return -1; +- } +- +- if (gnutls_certificate_type_set_priority(vs->tls.session, cert_type_priority) < 0) { +- gnutls_deinit(vs->tls.session); +- vs->tls.session = NULL; +- vnc_client_error(vs); +- return -1; +- } +- +- if (gnutls_protocol_set_priority(vs->tls.session, protocol_priority) < 0) { ++ if (vnc_set_gnutls_priority(vs->tls.session, needX509Creds) < 0) { + gnutls_deinit(vs->tls.session); + vs->tls.session = NULL; + vnc_client_error(vs); +-- +1.7.11.2 + diff --git a/0217-block-curl-Implement-a-flush-function-on-the-fd-hand.patch b/0217-block-curl-Implement-a-flush-function-on-the-fd-hand.patch new file mode 100644 index 0000000..581f5fe --- /dev/null +++ b/0217-block-curl-Implement-a-flush-function-on-the-fd-hand.patch 
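Review bot: In the gnutls >= 2.2.0 variant of vnc_set_gnutls_priority the err_pos argument of gnutls_priority_set_direct is passed as NULL and every failure collapses to -1, so a rejected priority string surfaces only as the generic vnc_client_error() in the caller; capturing the position makes a misconfigured or unexpectedly old gnutls diagnosable: `const char *err = NULL;` then `rc = gnutls_priority_set_direct(s, priority, &err);` and in the failure branch `VNC_DEBUG("gnutls rejected priority '%s' at '%s'\n", priority, err ? err : "?");`. The two `#if` branches are meant to express one policy, but only the legacy branch states it explicitly (it lists GNUTLS_SSL3 among the accepted protocols and restricts key exchange to a fixed set), whereas the new branch inherits whatever "NORMAL" means for the installed library; a comment above the `#if` saying that both implementations must accept the same protocol versions and key exchanges would keep them from drifting apart. vnc_tls_client_setup continues past the hunk, so I cannot see whether the remaining error paths were also unified.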
@@ -0,0 +1,76 @@ +From 84be2986f687b998f583b27d8b3e068e87032418 Mon Sep 17 00:00:00 2001 +From: Nick Thomas +Date: Wed, 21 Sep 2011 11:55:49 +0100 +Subject: [PATCH] block/curl: Implement a flush function on the fd handlers +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Nick Thomas +Signed-off-by: Kevin Wolf +(cherry picked from commit c84dcdc1d6583ebe5841907c99d95deb8c40a6e0) + +Signed-off-by: Bruce Rogers +Signed-off-by: Andreas Färber +--- + block/curl.c | 26 ++++++++++++++++++++++---- + 1 file changed, 22 insertions(+), 4 deletions(-) + +diff --git a/block/curl.c b/block/curl.c +index 407f095..6cf6a70 100644 +--- a/block/curl.c ++++ b/block/curl.c +@@ -76,6 +76,7 @@ typedef struct BDRVCURLState { + + static void curl_clean_state(CURLState *s); + static void curl_multi_do(void *arg); ++static int curl_aio_flush(void *opaque); + + static int curl_sock_cb(CURL *curl, curl_socket_t fd, int action, + void *s, void *sp) +@@ -83,14 +84,16 @@ static int curl_sock_cb(CURL *curl, curl_socket_t fd, int action, + DPRINTF("CURL (AIO): Sock action %d on fd %d\n", action, fd); + switch (action) { + case CURL_POLL_IN: +- qemu_aio_set_fd_handler(fd, curl_multi_do, NULL, NULL, NULL, s); ++ qemu_aio_set_fd_handler(fd, curl_multi_do, NULL, curl_aio_flush, ++ NULL, s); + break; + case CURL_POLL_OUT: +- qemu_aio_set_fd_handler(fd, NULL, curl_multi_do, NULL, NULL, s); ++ qemu_aio_set_fd_handler(fd, NULL, curl_multi_do, curl_aio_flush, ++ NULL, s); + break; + case CURL_POLL_INOUT: +- qemu_aio_set_fd_handler(fd, curl_multi_do, +- curl_multi_do, NULL, NULL, s); ++ qemu_aio_set_fd_handler(fd, curl_multi_do, curl_multi_do, ++ curl_aio_flush, NULL, s); + break; + case CURL_POLL_REMOVE: + qemu_aio_set_fd_handler(fd, NULL, NULL, NULL, NULL, NULL); +@@ -394,6 +397,21 @@ out_noclean: + return -EINVAL; + } + ++static int curl_aio_flush(void *opaque) ++{ ++ BDRVCURLState *s = opaque; ++ int i, j; ++ ++ for (i=0; i < CURL_NUM_STATES; 
i++) { ++ for(j=0; j < CURL_NUM_ACB; j++) { ++ if (s->states[i].acb[j]) { ++ return 1; ++ } ++ } ++ } ++ return 0; ++} ++ + static void curl_aio_cancel(BlockDriverAIOCB *blockacb) + { + // Do we have to implement canceling? Seems to work without... +-- +1.7.11.2 + diff --git a/0218-hda-do-not-mix-output-and-input-streams-RHBZ-740493.patch b/0218-hda-do-not-mix-output-and-input-streams-RHBZ-740493.patch new file mode 100644 index 0000000..a4f5088 --- /dev/null +++ b/0218-hda-do-not-mix-output-and-input-streams-RHBZ-740493.patch 
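Review bot: curl_aio_flush is added with no comment saying what its return value means to the AIO layer, and its two loop headers are formatted differently from each other (`for (i=0; ...` vs `for(j=0; ...`) and from the `for (s = 0; s < 4; s++)` spacing used in the rest of this series. I would add a header comment such as `/* Flush callback registered with qemu_aio_set_fd_handler(): returns non-zero while any ACB is still pending on this BDRVCURLState (presumably so the AIO loop keeps polling our sockets -- confirm against the handler contract). */` and normalise the loops to `for (i = 0; i < CURL_NUM_STATES; i++)` / `for (j = 0; j < CURL_NUM_ACB; j++)`. If `states` and `acb` are fixed-size arrays, `ARRAY_SIZE()` would tie the bounds to the declarations rather than to the two constants.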
@@ -0,0 +1,51 @@
+From 05a5f7c79ad8dc4887e7cd60c2572121b51adce7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?=
+Date: Tue, 25 Oct 2011 16:53:00 +0200
+Subject: [PATCH] hda: do not mix output and input streams, RHBZ #740493
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Windows 7 may use the same stream number for input and output.
+That will result in lot of garbage on playback.
+
+The hardcoded value of 4 needs to be in sync with GCAP streams
+description and IN/OUT registers.
+
+Signed-off-by: Marc-Andr? Lureau
+Signed-off-by: malc
+(cherry picked from commit 36ac4ad3d054a7b4962a6393630a73591cfa9558)
+
+Signed-off-by: Bruce Rogers
+Signed-off-by: Andreas Färber
+---
+ hw/intel-hda.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/hw/intel-hda.c b/hw/intel-hda.c
+index 5a2bc3a..7d02558 100644
+--- a/hw/intel-hda.c
++++ b/hw/intel-hda.c
+@@ -389,14 +389,15 @@ static bool intel_hda_xfer(HDACodecDevice *dev, uint32_t stnr, bool output,
+ {
+ HDACodecBus *bus = DO_UPCAST(HDACodecBus, qbus, dev->qdev.parent_bus);
+ IntelHDAState *d = container_of(bus, IntelHDAState, codecs);
+- IntelHDAStream *st = NULL;
+ target_phys_addr_t addr;
+ uint32_t s, copy, left;
++ IntelHDAStream *st;
+ bool irq = false;
+
+- for (s = 0; s < ARRAY_SIZE(d->st); s++) {
+- if (stnr == ((d->st[s].ctl >> 20) & 0x0f)) {
+- st = d->st + s;
++ st = output ? d->st + 4 : d->st;
++ for (s = 0; s < 4; s++) {
++ if (stnr == ((st[s].ctl >> 20) & 0x0f)) {
++ st = st + s;
+ break;
+ }
+ }
+--
+1.7.11.2
+
diff --git a/0219-hda-do-not-mix-output-and-input-stream-states-RHBZ-7.patch b/0219-hda-do-not-mix-output-and-input-stream-states-RHBZ-7.patch
new file mode 100644
index 0000000..062496e
--- /dev/null
+++ b/0219-hda-do-not-mix-output-and-input-stream-states-RHBZ-7.patch
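Review bot: After the new lookup loop in intel_hda_xfer, st can no longer be NULL: it starts as the base of the input or output half (`d->st` or `d->st + 4`) and only advances on a match, so if the continuation of the function (outside this hunk) still rejects unknown streams with the `if (st == NULL)` test that the removed `= NULL` initialiser implies, that guard is now dead and a guest-programmed stream number with no matching descriptor silently falls through to stream 0 or 4. The diffstat (5 insertions, 4 deletions) is fully consumed by the visible lines, so the guard was not updated by this commit. Replace it with a loop-exhaustion check: `if (s == 4) { return false; }`. The literal 4 also appears twice here and again as `reg->stream >= 4` in the following patch (0219); a named constant with a comment that it must stay in sync with the GCAP stream counts would keep the sites together.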
@@ -0,0 +1,172 @@ +From 51a747e171a66d0dc1e4b47c0238fb2e7fa6b118 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= +Date: Tue, 25 Oct 2011 16:53:01 +0200 +Subject: [PATCH] hda: do not mix output and input stream states, RHBZ #740493 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Windows 7 may use the same stream number for input and output. +Current code will confuse streams. + +Changes since v1: +- keep running_compat[] for migration version 1 +- add running_real[] for migration version 2 + +Signed-off-by: Marc-Andr? Lureau +Signed-off-by: malc +(cherry picked from commit ba43d28916c4f51c19bd7366089155ce81bee058) + +Signed-off-by: Bruce Rogers +Signed-off-by: Andreas Färber +--- + hw/hda-audio.c | 26 +++++++++++++++++++------- + hw/intel-hda.c | 9 +++++---- + hw/intel-hda.h | 2 +- + 3 files changed, 25 insertions(+), 12 deletions(-) + +diff --git a/hw/hda-audio.c b/hw/hda-audio.c +index c699d6f..9b089e6 100644 +--- a/hw/hda-audio.c ++++ b/hw/hda-audio.c +@@ -466,7 +466,8 @@ struct HDAAudioState { + QEMUSoundCard card; + const desc_codec *desc; + HDAAudioStream st[4]; +- bool running[16]; ++ bool running_compat[16]; ++ bool running_real[2 * 16]; + + /* properties */ + uint32_t debug; +@@ -663,7 +664,7 @@ static void hda_audio_command(HDACodecDevice *hda, uint32_t nid, uint32_t data) + st->channel = payload & 0x0f; + dprint(a, 2, "%s: stream %d, channel %d\n", + st->node->name, st->stream, st->channel); +- hda_audio_set_running(st, a->running[st->stream]); ++ hda_audio_set_running(st, a->running_real[st->output * 16 + st->stream]); + hda_codec_response(hda, true, 0); + break; + case AC_VERB_GET_CONV: +@@ -746,16 +747,20 @@ fail: + hda_codec_response(hda, true, 0); + } + +-static void hda_audio_stream(HDACodecDevice *hda, uint32_t stnr, bool running) ++static void hda_audio_stream(HDACodecDevice *hda, uint32_t stnr, bool running, bool output) + { + HDAAudioState *a = DO_UPCAST(HDAAudioState, hda, 
hda); + int s; + +- a->running[stnr] = running; ++ a->running_compat[stnr] = running; ++ a->running_real[output * 16 + stnr] = running; + for (s = 0; s < ARRAY_SIZE(a->st); s++) { + if (a->st[s].node == NULL) { + continue; + } ++ if (a->st[s].output != output) { ++ continue; ++ } + if (a->st[s].stream != stnr) { + continue; + } +@@ -837,6 +842,12 @@ static int hda_audio_post_load(void *opaque, int version) + int i; + + dprint(a, 1, "%s\n", __FUNCTION__); ++ if (version == 1) { ++ /* assume running_compat[] is for output streams */ ++ for (i = 0; i < ARRAY_SIZE(a->running_compat); i++) ++ a->running_real[16 + i] = a->running_compat[i]; ++ } ++ + for (i = 0; i < ARRAY_SIZE(a->st); i++) { + st = a->st + i; + if (st->node == NULL) +@@ -844,7 +855,7 @@ static int hda_audio_post_load(void *opaque, int version) + hda_codec_parse_fmt(st->format, &st->as); + hda_audio_setup(st); + hda_audio_set_amp(st); +- hda_audio_set_running(st, a->running[st->stream]); ++ hda_audio_set_running(st, a->running_real[st->output * 16 + st->stream]); + } + return 0; + } +@@ -868,13 +879,14 @@ static const VMStateDescription vmstate_hda_audio_stream = { + + static const VMStateDescription vmstate_hda_audio = { + .name = "hda-audio", +- .version_id = 1, ++ .version_id = 2, + .post_load = hda_audio_post_load, + .fields = (VMStateField []) { + VMSTATE_STRUCT_ARRAY(st, HDAAudioState, 4, 0, + vmstate_hda_audio_stream, + HDAAudioStream), +- VMSTATE_BOOL_ARRAY(running, HDAAudioState, 16), ++ VMSTATE_BOOL_ARRAY(running_compat, HDAAudioState, 16), ++ VMSTATE_BOOL_ARRAY_V(running_real, HDAAudioState, 2 * 16, 2), + VMSTATE_END_OF_LIST() + } + }; +diff --git a/hw/intel-hda.c b/hw/intel-hda.c +index 7d02558..904e4fc 100644 +--- a/hw/intel-hda.c ++++ b/hw/intel-hda.c +@@ -485,7 +485,7 @@ static void intel_hda_parse_bdl(IntelHDAState *d, IntelHDAStream *st) + st->bp = 0; + } + +-static void intel_hda_notify_codecs(IntelHDAState *d, uint32_t stream, bool running) ++static void 
intel_hda_notify_codecs(IntelHDAState *d, uint32_t stream, bool running, bool output) + { + DeviceState *qdev; + HDACodecDevice *cdev; +@@ -493,7 +493,7 @@ static void intel_hda_notify_codecs(IntelHDAState *d, uint32_t stream, bool runn + QLIST_FOREACH(qdev, &d->codecs.qbus.children, sibling) { + cdev = DO_UPCAST(HDACodecDevice, qdev, qdev); + if (cdev->info->stream) { +- cdev->info->stream(cdev, stream, running); ++ cdev->info->stream(cdev, stream, running, output); + } + } + } +@@ -567,6 +567,7 @@ static void intel_hda_set_ics(IntelHDAState *d, const IntelHDAReg *reg, uint32_t + + static void intel_hda_set_st_ctl(IntelHDAState *d, const IntelHDAReg *reg, uint32_t old) + { ++ bool output = reg->stream >= 4; + IntelHDAStream *st = d->st + reg->stream; + + if (st->ctl & 0x01) { +@@ -582,11 +583,11 @@ static void intel_hda_set_st_ctl(IntelHDAState *d, const IntelHDAReg *reg, uint3 + dprint(d, 1, "st #%d: start %d (ring buf %d bytes)\n", + reg->stream, stnr, st->cbl); + intel_hda_parse_bdl(d, st); +- intel_hda_notify_codecs(d, stnr, true); ++ intel_hda_notify_codecs(d, stnr, true, output); + } else { + /* stop */ + dprint(d, 1, "st #%d: stop %d\n", reg->stream, stnr); +- intel_hda_notify_codecs(d, stnr, false); ++ intel_hda_notify_codecs(d, stnr, false, output); + } + } + intel_hda_update_irq(d); +diff --git a/hw/intel-hda.h b/hw/intel-hda.h +index 4e44e38..65fd2a8 100644 +--- a/hw/intel-hda.h ++++ b/hw/intel-hda.h +@@ -34,7 +34,7 @@ struct HDACodecDeviceInfo { + int (*init)(HDACodecDevice *dev); + int (*exit)(HDACodecDevice *dev); + void (*command)(HDACodecDevice *dev, uint32_t nid, uint32_t data); +- void (*stream)(HDACodecDevice *dev, uint32_t stnr, bool running); ++ void (*stream)(HDACodecDevice *dev, uint32_t stnr, bool running, bool output); + }; + + void hda_codec_bus_init(DeviceState *dev, HDACodecBus *bus, +-- +1.7.11.2 + 
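Review bot: The version-1 compatibility loop added to hda_audio_post_load has an unbraced body (`for (i = 0; ...) a->running_real[16 + i] = a->running_compat[i];`), which QEMU's coding style forbids and which is fragile the moment a second statement is added; brace it. The per-direction stream count 16 is now written at five places in hda-audio.c (`2 * 16`, `output * 16 + st->stream`, `output * 16 + stnr`, `16 + i`), so a single `#define` or enum constant with a comment tying it to the 4-bit stream id (`payload & 0x0f`) would make the indexing self-explanatory. The comment "assume running_compat[] is for output streams" describes a guess about version-1 state; it would help to spell out the consequence, presumably that input streams running at save time come up stopped after a v1 migration, so readers know it is a deliberate trade-off.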
diff --git a/0220-Teach-block-vdi-about-discarded-no-longer-allocated-.patch b/0220-Teach-block-vdi-about-discarded-no-longer-allocated-.patch new file mode 100644 index 0000000..e51c539 --- /dev/null +++ b/0220-Teach-block-vdi-about-discarded-no-longer-allocated-.patch 
@@ -0,0 +1,108 @@ +From 5621e2027384a35494508f3bc01a758bc2ac076b Mon Sep 17 00:00:00 2001 +From: Eric Sunshine +Date: Wed, 26 Oct 2011 15:51:18 -0400 +Subject: [PATCH] Teach block/vdi about "discarded" (no longer allocated) + blocks +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +An entry in the VDI block map will hold an offset to the actual block if +the block is allocated, or one of two specially-interpreted values if +not allocated. Using VirtualBox terminology, value VDI_IMAGE_BLOCK_FREE +(0xffffffff) represents a never-allocated block (semantically arbitrary +content). VDI_IMAGE_BLOCK_ZERO (0xfffffffe) represents a "discarded" +block (semantically zero-filled). block/vdi knows only about +VDI_IMAGE_BLOCK_FREE. Teach it about VDI_IMAGE_BLOCK_ZERO. + +Signed-off-by: Eric Sunshine +Signed-off-by: Kevin Wolf +(cherry picked from commit c794b4e0fd9ef8d72b068614dcdb2418c105d5cc) + +Signed-off-by: Bruce Rogers +Signed-off-by: Andreas Färber +--- + block/vdi.c | 23 ++++++++++++++--------- + 1 file changed, 14 insertions(+), 9 deletions(-) + +diff --git a/block/vdi.c b/block/vdi.c +index 261cf9b..1be0cdc 100644 +--- a/block/vdi.c ++++ b/block/vdi.c +@@ -114,8 +114,13 @@ void uuid_unparse(const uuid_t uu, char *out); + */ + #define VDI_TEXT "<<< QEMU VM Virtual Disk Image >>>\n" + +-/* Unallocated blocks use this index (no need to convert endianness). */ +-#define VDI_UNALLOCATED UINT32_MAX ++/* A never-allocated block; semantically arbitrary content. */ ++#define VDI_UNALLOCATED 0xffffffffU ++ ++/* A discarded (no longer allocated) block; semantically zero-filled. */ ++#define VDI_DISCARDED 0xfffffffeU ++ ++#define VDI_IS_ALLOCATED(X) ((X) < VDI_DISCARDED) + + #if !defined(CONFIG_UUID) + void uuid_generate(uuid_t out) +@@ -307,10 +312,10 @@ static int vdi_check(BlockDriverState *bs, BdrvCheckResult *res) + /* Check block map and value of blocks_allocated. 
*/ + for (block = 0; block < s->header.blocks_in_image; block++) { + uint32_t bmap_entry = le32_to_cpu(s->bmap[block]); +- if (bmap_entry != VDI_UNALLOCATED) { ++ if (VDI_IS_ALLOCATED(bmap_entry)) { + if (bmap_entry < s->header.blocks_in_image) { + blocks_allocated++; +- if (bmap[bmap_entry] == VDI_UNALLOCATED) { ++ if (!VDI_IS_ALLOCATED(bmap[bmap_entry])) { + bmap[bmap_entry] = bmap_entry; + } else { + fprintf(stderr, "ERROR: block index %" PRIu32 +@@ -472,7 +477,7 @@ static int vdi_is_allocated(BlockDriverState *bs, int64_t sector_num, + n_sectors = nb_sectors; + } + *pnum = n_sectors; +- return bmap_entry != VDI_UNALLOCATED; ++ return VDI_IS_ALLOCATED(bmap_entry); + } + + static void vdi_aio_cancel(BlockDriverAIOCB *blockacb) +@@ -603,7 +608,7 @@ static void vdi_aio_read_cb(void *opaque, int ret) + /* prepare next AIO request */ + acb->n_sectors = n_sectors; + bmap_entry = le32_to_cpu(s->bmap[block_index]); +- if (bmap_entry == VDI_UNALLOCATED) { ++ if (!VDI_IS_ALLOCATED(bmap_entry)) { + /* Block not allocated, return zeros, no need to wait. */ + memset(acb->buf, 0, n_sectors * SECTOR_SIZE); + ret = vdi_schedule_bh(vdi_aio_rw_bh, acb); +@@ -685,7 +690,7 @@ static void vdi_aio_write_cb(void *opaque, int ret) + if (acb->header_modified) { + VdiHeader *header = acb->block_buffer; + logout("now writing modified header\n"); +- assert(acb->bmap_first != VDI_UNALLOCATED); ++ assert(VDI_IS_ALLOCATED(acb->bmap_first)); + *header = s->header; + vdi_header_to_le(header); + acb->header_modified = 0; +@@ -699,7 +704,7 @@ static void vdi_aio_write_cb(void *opaque, int ret) + goto done; + } + return; +- } else if (acb->bmap_first != VDI_UNALLOCATED) { ++ } else if (VDI_IS_ALLOCATED(acb->bmap_first)) { + /* One or more new blocks were allocated. 
*/ + uint64_t offset; + uint32_t bmap_first; +@@ -749,7 +754,7 @@ static void vdi_aio_write_cb(void *opaque, int ret) + /* prepare next AIO request */ + acb->n_sectors = n_sectors; + bmap_entry = le32_to_cpu(s->bmap[block_index]); +- if (bmap_entry == VDI_UNALLOCATED) { ++ if (!VDI_IS_ALLOCATED(bmap_entry)) { + /* Allocate new block and write to it. */ + uint64_t offset; + uint8_t *block; +-- +1.7.11.2 + diff --git a/0221-vmdk-Improve-error-handling.patch b/0221-vmdk-Improve-error-handling.patch new file mode 100644 index 0000000..ca8d29f --- /dev/null +++ b/0221-vmdk-Improve-error-handling.patch 
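Review bot: VDI_IS_ALLOCATED only excludes the two sentinel values, so a bmap entry anywhere in [blocks_in_image, 0xfffffffd] is still classified as allocated; vdi_check bounds it with `bmap_entry < s->header.blocks_in_image`, but the read and write callbacks in this hunk go on to use bmap_entry as a block index past the visible lines, so they must apply the same bound (or rely on validation at open) since the bmap is read from the image file — worth confirming. The read-path comment `/* Block not allocated, return zeros, no need to wait. */` now also covers discarded blocks and should say so: `/* Block never allocated or discarded: both read as zeros, no need to wait. */`. A one-line note on the macro that it relies on the two sentinels being the two largest uint32_t values would explain why a plain `<` is sufficient.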
@@ -0,0 +1,79 @@ +From 2139ef7f75ff63904fac6b451c8a89e4b0c72448 Mon Sep 17 00:00:00 2001 +From: Kevin Wolf +Date: Wed, 26 Oct 2011 12:25:25 +0200 +Subject: [PATCH] vmdk: Improve error handling +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Return the right error values in some more places. + +Signed-off-by: Kevin Wolf +(cherry picked from commit 99f1835d9bc744f98370254600530e66f32e6d81) + +Signed-off-by: Bruce Rogers +Signed-off-by: Andreas Färber +--- + block/vmdk.c | 21 +++++++++++++++------ + 1 file changed, 15 insertions(+), 6 deletions(-) + +diff --git a/block/vmdk.c b/block/vmdk.c +index b5caa40..8284747 100644 +--- a/block/vmdk.c ++++ b/block/vmdk.c +@@ -181,8 +181,10 @@ static uint32_t vmdk_read_cid(BlockDriverState *bs, int parent) + const char *p_name, *cid_str; + size_t cid_str_size; + BDRVVmdkState *s = bs->opaque; ++ int ret; + +- if (bdrv_pread(bs->file, s->desc_offset, desc, DESC_SIZE) != DESC_SIZE) { ++ ret = bdrv_pread(bs->file, s->desc_offset, desc, DESC_SIZE); ++ if (ret < 0) { + return 0; + } + +@@ -208,10 +210,12 @@ static int vmdk_write_cid(BlockDriverState *bs, uint32_t cid) + char desc[DESC_SIZE], tmp_desc[DESC_SIZE]; + char *p_name, *tmp_str; + BDRVVmdkState *s = bs->opaque; ++ int ret; + + memset(desc, 0, sizeof(desc)); +- if (bdrv_pread(bs->file, s->desc_offset, desc, DESC_SIZE) != DESC_SIZE) { +- return -EIO; ++ ret = bdrv_pread(bs->file, s->desc_offset, desc, DESC_SIZE); ++ if (ret < 0) { ++ return ret; + } + + tmp_str = strstr(desc, "parentCID"); +@@ -223,9 +227,11 @@ static int vmdk_write_cid(BlockDriverState *bs, uint32_t cid) + pstrcat(desc, sizeof(desc), tmp_desc); + } + +- if (bdrv_pwrite_sync(bs->file, s->desc_offset, desc, DESC_SIZE) < 0) { +- return -EIO; ++ ret = bdrv_pwrite_sync(bs->file, s->desc_offset, desc, DESC_SIZE); ++ if (ret < 0) { ++ return ret; + } ++ + return 0; + } + +@@ -906,7 +912,10 @@ static int vmdk_write(BlockDriverState *bs, int64_t sector_num, + /* update 
CID on the first write every time the virtual disk is + * opened */ + if (!s->cid_updated) { +- vmdk_write_cid(bs, time(NULL)); ++ ret = vmdk_write_cid(bs, time(NULL)); ++ if (ret < 0) { ++ return ret; ++ } + s->cid_updated = true; + } + } +-- +1.7.11.2 + diff --git a/0222-block-set-bs-read_only-before-.bdrv_open.patch b/0222-block-set-bs-read_only-before-.bdrv_open.patch new file mode 100644 index 0000000..72c03cc --- /dev/null +++ b/0222-block-set-bs-read_only-before-.bdrv_open.patch 
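Review bot: In vmdk_read_cid and vmdk_write_cid the read check changes from `!= DESC_SIZE` to `ret < 0`, so a short read (0 <= ret < DESC_SIZE) that used to be treated as failure now passes and a partially filled desc buffer is parsed; if bdrv_pread guarantees all-or-error, a comment saying so at the first site would settle it, otherwise use `if (ret != DESC_SIZE) { return ret < 0 ? ret : -EIO; }`. The same `!= out_len` to `< 0` relaxation is applied to the bdrv_pwrite in the qcow patch (0225, qcow_write_compressed) further down. In vmdk_read_cid the error is still mapped to `return 0`, so `ret` is used only for its sign; that is fine if 0 is the documented "no CID" value, but a comment would make the in-band sentinel explicit.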
@@ -0,0 +1,52 @@
+From b461a24186f05d7adec265bd34f348f7b8f9569b Mon Sep 17 00:00:00 2001
+From: Stefan Hajnoczi
+Date: Thu, 27 Oct 2011 10:54:27 +0100
+Subject: [PATCH] block: set bs->read_only before .bdrv_open()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Several block drivers set bs->read_only in .bdrv_open() but
+block.c:bdrv_open_common() clobbers its value. Additionally, QED uses
+bdrv_is_read_only() in .bdrv_open() to decide whether to perform
+consistency checks.
+
+The correct ordering is to initialize bs->read_only from the open flags
+before calling .bdrv_open(). This way block drivers can override it if
+necessary and can use bdrv_is_read_only() in .bdrv_open().
+
+Signed-off-by: Stefan Hajnoczi
+Signed-off-by: Kevin Wolf
+(cherry picked from commit e7c637967e6aad195b5f30cfd995913c9e0b4666)
+
+Signed-off-by: Bruce Rogers
+Signed-off-by: Andreas Färber
+---
+ block.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/block.c b/block.c
+index 4ebb18b..8d77746 100644
+--- a/block.c
++++ b/block.c
+@@ -455,6 +455,8 @@ static int bdrv_open_common(BlockDriverState *bs, const char *filename,
+ open_flags |= BDRV_O_RDWR;
+ }
+
++ bs->keep_read_only = bs->read_only = !(open_flags & BDRV_O_RDWR);
++
+ /* Open the image, either directly or using a protocol */
+ if (drv->bdrv_file_open) {
+ ret = drv->bdrv_file_open(bs, filename, open_flags);
+@@ -469,8 +471,6 @@ static int bdrv_open_common(BlockDriverState *bs, const char *filename,
+ goto free_and_fail;
+ }
+
+- bs->keep_read_only = bs->read_only = !(open_flags & BDRV_O_RDWR);
+-
+ ret = refresh_total_sectors(bs, bs->total_sectors);
+ if (ret < 0) {
+ goto free_and_fail;
+--
+1.7.11.2
+
diff --git a/0223-console-Fix-rendering-of-VGA-underline.patch b/0223-console-Fix-rendering-of-VGA-underline.patch
new file mode 100644
index 0000000..a271442
--- /dev/null
+++ b/0223-console-Fix-rendering-of-VGA-underline.patch
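Review bot: Hoisting `bs->keep_read_only = bs->read_only = !(open_flags & BDRV_O_RDWR);` above the driver open means a driver that tightens `bs->read_only` in .bdrv_open now leaves keep_read_only at the flag-derived value, so the two fields can disagree after a successful open; if keep_read_only is meant to record the caller's request rather than the effective mode that is the intended outcome, but nothing at the assignment says so. I would add `/* Derived from the open flags; drivers may set read_only in .bdrv_open(), keep_read_only keeps the caller's request. */` (assuming that is the intent — confirm against the users of keep_read_only, which are outside this hunk). The free_and_fail path now runs with read_only already set; as far as these lines show that is harmless.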
@@ -0,0 +1,64 @@ +From 1add57cd4c48d9eb6517f685f67480b4f4f3f13b Mon Sep 17 00:00:00 2001 +From: Markus Armbruster +Date: Fri, 4 Nov 2011 10:38:29 +0100 +Subject: [PATCH] console: Fix rendering of VGA underline +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +vga_putcharxy()'s underline code sets font_data to 0xffff instead of +0xff. vga_putcharxy() then reads dmask16[0xffff >> 4] and +dmask4[0xffff >> 6]. In practice, these out-of-bounds subscripts +"only" put a few crap bits into the display surface. + +For 32 bit pixels, there's no array access. font_data's extra bits go +straight into the display surface. + +Broken when commit 6d6f7c28 implemented underline. + +Spotted by Coverity. + +Signed-off-by: Markus Armbruster +Signed-off-by: Anthony Liguori +(cherry picked from commit 439229c7cb97f6c4cddd3965c3e9d2b8319fe83c) + +Signed-off-by: Bruce Rogers +Signed-off-by: Andreas Färber +--- + console.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/console.c b/console.c +index 242086c..07c82b8 100644 +--- a/console.c ++++ b/console.c +@@ -461,7 +461,7 @@ static void vga_putcharxy(DisplayState *ds, int x, int y, int ch, + font_data = *font_ptr++; + if (t_attrib->uline + && ((i == FONT_HEIGHT - 2) || (i == FONT_HEIGHT - 3))) { +- font_data = 0xFFFF; ++ font_data = 0xFF; + } + ((uint32_t *)d)[0] = (dmask16[(font_data >> 4)] & xorcol) ^ bgcol; + ((uint32_t *)d)[1] = (dmask16[(font_data >> 0) & 0xf] & xorcol) ^ bgcol; +@@ -474,7 +474,7 @@ static void vga_putcharxy(DisplayState *ds, int x, int y, int ch, + font_data = *font_ptr++; + if (t_attrib->uline + && ((i == FONT_HEIGHT - 2) || (i == FONT_HEIGHT - 3))) { +- font_data = 0xFFFF; ++ font_data = 0xFF; + } + ((uint32_t *)d)[0] = (dmask4[(font_data >> 6)] & xorcol) ^ bgcol; + ((uint32_t *)d)[1] = (dmask4[(font_data >> 4) & 3] & xorcol) ^ bgcol; +@@ -487,7 +487,7 @@ static void vga_putcharxy(DisplayState *ds, int x, int y, int ch, + for(i = 0; i < 
FONT_HEIGHT; i++) { + font_data = *font_ptr++; + if (t_attrib->uline && ((i == FONT_HEIGHT - 2) || (i == FONT_HEIGHT - 3))) { +- font_data = 0xFFFF; ++ font_data = 0xFF; + } + ((uint32_t *)d)[0] = (-((font_data >> 7)) & xorcol) ^ bgcol; + ((uint32_t *)d)[1] = (-((font_data >> 6) & 1) & xorcol) ^ bgcol; +-- +1.7.11.2 + diff --git a/0224-block-Fix-vpc-initialization-of-the-Dynamic-Disk-Hea.patch b/0224-block-Fix-vpc-initialization-of-the-Dynamic-Disk-Hea.patch new file mode 100644 index 0000000..addd077 --- /dev/null +++ b/0224-block-Fix-vpc-initialization-of-the-Dynamic-Disk-Hea.patch 
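Review bot: The three underline sites in vga_putcharxy now agree on `0xFF`, but nothing states why 8 bits is the right width, which is exactly how the commit says the 0xFFFF bug crept in; a comment at the first site such as `/* glyph rows are 8 pixels: 0xFF lights the whole row; anything wider indexes past dmask16[]/dmask4[] */` would prevent a repeat. The three identical `if (t_attrib->uline && ((i == FONT_HEIGHT - 2) || (i == FONT_HEIGHT - 3)))` tests could also be factored into one small static helper so a future change to the underline rows happens once, though that is beyond this fix.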
@@ -0,0 +1,48 @@
+From 69a9776f3e8a4ff5311f78cc63e52ea436dd9cbe Mon Sep 17 00:00:00 2001
+From: Charles Arnold
+Date: Wed, 9 Nov 2011 09:32:25 -0700
+Subject: [PATCH] block: Fix vpc initialization of the Dynamic Disk Header
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The Data Offset field in the Dynamic Disk Header is an 8 byte field.
+Although the specification (2006-10-11) gives an example of initializing
+only the first 4 bytes, images generated by Microsoft on Windows initialize
+all 8 bytes.
+
+Failure to initialize all 8 bytes results in errors from utilities
+like Citrix's vhd-util which checks specifically for the proper Data
+Offset field initialization.
+
+Signed-off-by: Charles Arnold
+Reviewed-by: Andreas Färber
+Signed-off-by: Kevin Wolf
+(cherry picked from commit 78439f6af1caa3e8bdafc9fc2d62aeefa53ed63a)
+
+Signed-off-by: Bruce Rogers
+Signed-off-by: Andreas Färber
+---
+ block/vpc.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/block/vpc.c b/block/vpc.c
+index 56865da..ac33e15 100644
+--- a/block/vpc.c
++++ b/block/vpc.c
+@@ -587,7 +587,11 @@ static int vpc_create(const char *filename, QEMUOptionParameter *options)
+
+ memcpy(dyndisk_header->magic, "cxsparse", 8);
+
+- dyndisk_header->data_offset = be64_to_cpu(0xFFFFFFFF);
++ /*
++ * Note: The spec is actually wrong here for data_offset, it says
++ * 0xFFFFFFFF, but MS tools expect all 64 bits to be set.
++ */
++ dyndisk_header->data_offset = be64_to_cpu(0xFFFFFFFFFFFFFFFFULL);
+ dyndisk_header->table_offset = be64_to_cpu(3 * 512);
+ dyndisk_header->version = be32_to_cpu(0x00010000);
+ dyndisk_header->block_size = be32_to_cpu(block_size);
+--
+1.7.11.2
+
diff --git a/0225-qcow-Fix-bdrv_write_compressed-error-handling.patch b/0225-qcow-Fix-bdrv_write_compressed-error-handling.patch
new file mode 100644
index 0000000..da5de39
--- /dev/null
+++ b/0225-qcow-Fix-bdrv_write_compressed-error-handling.patch
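Review bot: The new data_offset line keeps using `be64_to_cpu()` to produce an on-disk big-endian value, following the neighbouring table_offset/version/block_size lines; the swap is symmetric so the bytes come out right, but the conversion reads in the wrong direction and misleads anyone checking endianness handling. `dyndisk_header->data_offset = cpu_to_be64(0xFFFFFFFFFFFFFFFFULL);` (or `cpu_to_be64(~0ULL)`) says what is meant, and since the three existing lines share the habit, fixing all four in one follow-up is reasonable; at minimum the new line should not add another instance.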
@@ -0,0 +1,93 @@ +From 5202e9d55b745eddde9ba6bd08af32fcae347e93 Mon Sep 17 00:00:00 2001 +From: Kevin Wolf +Date: Wed, 26 Oct 2011 11:21:50 +0200 +Subject: [PATCH] qcow: Fix bdrv_write_compressed error handling +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Kevin Wolf +Reviewed-by: Paolo Bonzini +(cherry picked from commit 64ebe71aa0e498d24e8c02b133192142fce3a0d0) + +Signed-off-by: Bruce Rogers +[AF: backported] +Signed-off-by: Andreas Färber +--- + block/qcow.c | 30 +++++++++++++++++++----------- + 1 file changed, 19 insertions(+), 11 deletions(-) + +diff --git a/block/qcow.c b/block/qcow.c +index 227b104..115b820 100644 +--- a/block/qcow.c ++++ b/block/qcow.c +@@ -926,8 +926,6 @@ static int qcow_write_compressed(BlockDriverState *bs, int64_t sector_num, + return -EINVAL; + + out_buf = qemu_malloc(s->cluster_size + (s->cluster_size / 1000) + 128); +- if (!out_buf) +- return -1; + + /* best compression, small window, no zlib header */ + memset(&strm, 0, sizeof(strm)); +@@ -935,8 +933,8 @@ static int qcow_write_compressed(BlockDriverState *bs, int64_t sector_num, + Z_DEFLATED, -12, + 9, Z_DEFAULT_STRATEGY); + if (ret != 0) { +- qemu_free(out_buf); +- return -1; ++ ret = -EINVAL; ++ goto fail; + } + + strm.avail_in = s->cluster_size; +@@ -946,9 +944,9 @@ static int qcow_write_compressed(BlockDriverState *bs, int64_t sector_num, + + ret = deflate(&strm, Z_FINISH); + if (ret != Z_STREAM_END && ret != Z_OK) { +- qemu_free(out_buf); + deflateEnd(&strm); +- return -1; ++ ret = -EINVAL; ++ goto fail; + } + out_len = strm.next_out - out_buf; + +@@ -956,19 +954,29 @@ static int qcow_write_compressed(BlockDriverState *bs, int64_t sector_num, + + if (ret != Z_STREAM_END || out_len >= s->cluster_size) { + /* could not compress: write normal cluster */ +- bdrv_write(bs, sector_num, buf, s->cluster_sectors); ++ ret = bdrv_write(bs, sector_num, buf, s->cluster_sectors); ++ if (ret < 0) { ++ goto fail; ++ } + } else { 
+ cluster_offset = get_cluster_offset(bs, sector_num << 9, 2, + out_len, 0, 0); ++ if (cluster_offset == 0) { ++ ret = -EIO; ++ goto fail; ++ } ++ + cluster_offset &= s->cluster_offset_mask; +- if (bdrv_pwrite(bs->file, cluster_offset, out_buf, out_len) != out_len) { +- qemu_free(out_buf); +- return -1; ++ ret = bdrv_pwrite(bs->file, cluster_offset, out_buf, out_len); ++ if (ret < 0) { ++ goto fail; + } + } + ++ ret = 0; ++fail: + qemu_free(out_buf); +- return 0; ++ return ret; + } + + static int qcow_flush(BlockDriverState *bs) +-- +1.7.11.2 + diff --git a/0226-block-reinitialize-across-bdrv_close-bdrv_open.patch b/0226-block-reinitialize-across-bdrv_close-bdrv_open.patch new file mode 100644 index 0000000..7cca69c --- /dev/null +++ b/0226-block-reinitialize-across-bdrv_close-bdrv_open.patch 
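Review bot: The two zlib failure exits in qcow_write_compressed are deliberately asymmetric — `deflateEnd(&strm)` runs before `goto fail` when deflate() fails but not when deflateInit2() fails, and the success-path deflateEnd sits in the gap between the hunks — so `fail:` only frees out_buf; a comment at the label, `/* zlib stream already ended on every path that reaches here; only out_buf is ours */`, would stop a later reader from adding a second deflateEnd. Both zlib failures are mapped to -EINVAL, which tells the caller its arguments were invalid when the real failure is inside the compressor; -EIO would be more truthful, or at least a comment on the choice. The `cluster_offset == 0` test assumes get_cluster_offset() signals failure with 0, which is not visible here — worth confirming against its definition.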
@@ -0,0 +1,55 @@
+From 2432c8cf0a61be64094dae724638a9a081ee4bf9 Mon Sep 17 00:00:00 2001
+From: Stefan Hajnoczi
+Date: Thu, 27 Oct 2011 10:54:28 +0100
+Subject: [PATCH] block: reinitialize across bdrv_close()/bdrv_open()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Several BlockDriverState fields are not being reinitialized across
+bdrv_close()/bdrv_open(). Make sure they are reset to their default
+values.
+
+Signed-off-by: Stefan Hajnoczi
+Signed-off-by: Kevin Wolf
+(cherry picked from commit 03f541bd6eacdc6c2893f72b975257c89cab2b74)
+
+Signed-off-by: Bruce Rogers
+[AF: backported]
+Signed-off-by: Andreas Färber
+---
+ block.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/block.c b/block.c
+index 8d77746..1d6d26b 100644
+--- a/block.c
++++ b/block.c
+@@ -426,11 +426,14 @@ static int bdrv_open_common(BlockDriverState *bs, const char *filename,
+ bs->total_sectors = 0;
+ bs->encrypted = 0;
+ bs->valid_key = 0;
++ bs->sg = 0;
+ bs->open_flags = flags;
++ bs->growable = 0;
+ /* buffer_alignment defaulted to 512, drivers can change this value */
+ bs->buffer_alignment = 512;
+
+ pstrcpy(bs->filename, sizeof(bs->filename), filename);
++ bs->backing_file[0] = '\0';
+
+ if (use_bdrv_whitelist && !bdrv_is_whitelisted(drv)) {
+ return -ENOTSUP;
+@@ -439,8 +442,7 @@ static int bdrv_open_common(BlockDriverState *bs, const char *filename,
+ bs->drv = drv;
+ bs->opaque = qemu_mallocz(drv->instance_size);
+
+- if (flags & BDRV_O_CACHE_WB)
+- bs->enable_write_cache = 1;
++ bs->enable_write_cache = !!(flags & BDRV_O_CACHE_WB);
+
+ /*
+ * Clear flags that are internal to the block layer before opening the
+--
+1.7.11.2
+
diff --git a/0227-qxl-stride-fixup.patch b/0227-qxl-stride-fixup.patch
new file mode 100644
index 0000000..1c3d936
--- /dev/null
+++ b/0227-qxl-stride-fixup.patch
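Review bot: The per-open reset list in bdrv_open_common is maintained by hand (this patch extends total_sectors/encrypted/valid_key with sg, growable and backing_file), and nothing tells the next person who adds a BlockDriverState field that it must be cleared here as well; a comment at the top of the run, `/* Per-open state: bdrv_close() leaves these stale, so every field a driver or the block layer may set must be reset here before .bdrv_open() runs. */`, gives the rule a home. The `!!(flags & BDRV_O_CACHE_WB)` form is the right shape for the same reason — the old `if` only ever set the flag and never cleared a stale 1 — and a short comment to that effect would explain why it is not merely cosmetic.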
@@ -0,0 +1,111 @@ +From a3cc0cf8b185043fbd1f9b893c1c20f90efb1d06 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Fri, 21 Oct 2011 15:59:07 +0200 +Subject: [PATCH] qxl: stride fixup +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +spice uses negative stride value to signal the bitmap is upside down. +The qxl renderer (used for scl, vnc and screenshots) wants a positive +value because it is easier to work with. The positive value is then +stored in the very same variable, which has the drawback that the +upside-down test works only once. Fix by using two variables. + +Signed-off-by: Gerd Hoffmann +(cherry picked from commit 0e2487bd6f56445b43307536a465ee2ba810aed9) + +Signed-off-by: Bruce Rogers +[AF: backported] +Signed-off-by: Andreas Färber +--- + hw/qxl-render.c | 23 ++++++++++++----------- + hw/qxl.h | 3 ++- + 2 files changed, 14 insertions(+), 12 deletions(-) + +diff --git a/hw/qxl-render.c b/hw/qxl-render.c +index 1316066..104d79b 100644 +--- a/hw/qxl-render.c ++++ b/hw/qxl-render.c +@@ -28,16 +28,16 @@ static void qxl_flip(PCIQXLDevice *qxl, QXLRect *rect) + int len, i; + + src += (qxl->guest_primary.surface.height - rect->top - 1) * +- qxl->guest_primary.stride; +- dst += rect->top * qxl->guest_primary.stride; ++ qxl->guest_primary.abs_stride; ++ dst += rect->top * qxl->guest_primary.abs_stride; + src += rect->left * qxl->guest_primary.bytes_pp; + dst += rect->left * qxl->guest_primary.bytes_pp; + len = (rect->right - rect->left) * qxl->guest_primary.bytes_pp; + + for (i = rect->top; i < rect->bottom; i++) { + memcpy(dst, src, len); +- dst += qxl->guest_primary.stride; +- src -= qxl->guest_primary.stride; ++ dst += qxl->guest_primary.abs_stride; ++ src -= qxl->guest_primary.abs_stride; + } + } + +@@ -45,7 +45,8 @@ void qxl_render_resize(PCIQXLDevice *qxl) + { + QXLSurfaceCreate *sc = &qxl->guest_primary.surface; + +- qxl->guest_primary.stride = sc->stride; ++ qxl->guest_primary.qxl_stride = sc->stride; ++ 
qxl->guest_primary.abs_stride = abs(sc->stride); + qxl->guest_primary.resized++; + switch (sc->format) { + case SPICE_SURFACE_FMT_16_555: +@@ -87,11 +88,11 @@ void qxl_render_update(PCIQXLDevice *qxl) + qemu_free_displaysurface(vga->ds); + + qxl->guest_primary.data = qemu_get_ram_ptr(qxl->vga.vram_offset); +- if (qxl->guest_primary.stride < 0) { ++ if (qxl->guest_primary.qxl_stride < 0) { + /* spice surface is upside down -> need extra buffer to flip */ +- qxl->guest_primary.stride = -qxl->guest_primary.stride; +- qxl->guest_primary.flipped = qemu_malloc(qxl->guest_primary.surface.width * +- qxl->guest_primary.stride); ++ qxl->guest_primary.flipped = ++ qemu_malloc(qxl->guest_primary.surface.width * ++ qxl->guest_primary.abs_stride); + ptr = qxl->guest_primary.flipped; + } else { + ptr = qxl->guest_primary.data; +@@ -100,7 +101,7 @@ void qxl_render_update(PCIQXLDevice *qxl) + __FUNCTION__, + qxl->guest_primary.surface.width, + qxl->guest_primary.surface.height, +- qxl->guest_primary.stride, ++ qxl->guest_primary.qxl_stride, + qxl->guest_primary.bytes_pp, + qxl->guest_primary.bits_pp, + qxl->guest_primary.flipped ? "yes" : "no"); +@@ -108,7 +109,7 @@ void qxl_render_update(PCIQXLDevice *qxl) + qemu_create_displaysurface_from(qxl->guest_primary.surface.width, + qxl->guest_primary.surface.height, + qxl->guest_primary.bits_pp, +- qxl->guest_primary.stride, ++ qxl->guest_primary.abs_stride, + ptr); + dpy_resize(vga->ds); + } +diff --git a/hw/qxl.h b/hw/qxl.h +index f6c450d..c05998a 100644 +--- a/hw/qxl.h ++++ b/hw/qxl.h +@@ -42,7 +42,8 @@ typedef struct PCIQXLDevice { + QXLSurfaceCreate surface; + uint32_t commands; + uint32_t resized; +- int32_t stride; ++ int32_t qxl_stride; ++ uint32_t abs_stride; + uint32_t bits_pp; + uint32_t bytes_pp; + uint8_t *data, *flipped; +-- +1.7.11.2 + diff --git a/0228-vmdk-Fix-possible-segfaults.patch b/0228-vmdk-Fix-possible-segfaults.patch new file mode 100644 index 0000000..c722c6c --- /dev/null 
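Review bot: The flip buffer in qxl_render_update is still sized by `qxl->guest_primary.surface.width * qxl->guest_primary.abs_stride`, where abs_stride is a uint32_t per the qxl.h hunk; if width is a 32-bit field like the others here, the product is evaluated in 32 bits and a large width/stride pair wraps to a small allocation that the memcpy loop in qxl_flip then overruns, and if the surface parameters are guest-written, as the guest_primary name suggests, that is a guest-to-host memory corruption path the commit does not address. Compute the length in size_t and validate it before allocating, e.g. `size_t len = (size_t)qxl->guest_primary.surface.width * qxl->guest_primary.abs_stride;` checked against the VRAM region the surface lives in (its size is not visible here). `abs(sc->stride)` is also undefined for INT32_MIN; `sc->stride < 0 ? 0u - (uint32_t)sc->stride : (uint32_t)sc->stride` avoids it. qxl_render_update continues outside the hunk.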
+++ b/0228-vmdk-Fix-possible-segfaults.patch @@ -0,0 +1,55 @@ +From f51851ea928882bd3d49cbb6d953723294239d8a Mon Sep 17 00:00:00 2001 +From: Kevin Wolf +Date: Wed, 26 Oct 2011 12:25:52 +0200 +Subject: [PATCH] vmdk: Fix possible segfaults +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Data we read from the disk isn't necessarily null terminated and may not +contain the string we're looking for. The code needs to be a bit more careful +here. + +Signed-off-by: Kevin Wolf +(cherry picked from commit 93897b9fd43548e9c15cf8bece2d9e5174b01fc7) + +Signed-off-by: Bruce Rogers +Signed-off-by: Andreas Färber +--- + block/vmdk.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/block/vmdk.c b/block/vmdk.c +index 8284747..f4fce08 100644 +--- a/block/vmdk.c ++++ b/block/vmdk.c +@@ -196,6 +196,7 @@ static uint32_t vmdk_read_cid(BlockDriverState *bs, int parent) + cid_str_size = sizeof("CID"); + } + ++ desc[DESC_SIZE - 1] = '\0'; + p_name = strstr(desc, cid_str); + if (p_name != NULL) { + p_name += cid_str_size; +@@ -212,13 +213,17 @@ static int vmdk_write_cid(BlockDriverState *bs, uint32_t cid) + BDRVVmdkState *s = bs->opaque; + int ret; + +- memset(desc, 0, sizeof(desc)); + ret = bdrv_pread(bs->file, s->desc_offset, desc, DESC_SIZE); + if (ret < 0) { + return ret; + } + ++ desc[DESC_SIZE - 1] = '\0'; + tmp_str = strstr(desc, "parentCID"); ++ if (tmp_str == NULL) { ++ return -EINVAL; ++ } ++ + pstrcpy(tmp_desc, sizeof(tmp_desc), tmp_str); + p_name = strstr(desc, "CID"); + if (p_name != NULL) { +-- +1.7.11.2 + diff --git a/0229-pc-Fix-floppy-drives-with-if-none.patch b/0229-pc-Fix-floppy-drives-with-if-none.patch new file mode 100644 index 0000000..1d40a24 --- /dev/null +++ b/0229-pc-Fix-floppy-drives-with-if-none.patch 
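Review bot: Dropping the `memset(desc, 0, sizeof(desc))` in vmdk_write_cid means a short bdrv_pread (a non-negative return below DESC_SIZE, if bdrv_pread can return one) leaves whatever was on the stack between the read data and the new terminator, and `strstr(desc, "parentCID")` then matches against that garbage; the terminator prevents an overrun but not a wrong parse. Reject short reads, `if (ret < DESC_SIZE) { return -EINVAL; }`, or keep the memset alongside the terminator. The same single-terminator pattern is used in vmdk_read_cid, whose read precedes the hunk, so the same check applies there. Both functions start outside the hunk.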
@@ -0,0 +1,204 @@ +From 03ff3683be1e3a4e9644150b7f12f046374dcbcd Mon Sep 17 00:00:00 2001 +From: Kevin Wolf +Date: Thu, 20 Oct 2011 16:37:26 +0200 +Subject: [PATCH] pc: Fix floppy drives with if=none +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Commit 63ffb564 broke floppy devices specified on the command line like +-drive file=...,if=none,id=floppy -global isa-fdc.driveA=floppy because it +relies on drive_get() which works only with -fda/-drive if=floppy. + +This patch resembles what we're already doing for IDE, i.e. remember the floppy +device that was created and use that to extract the BlockDriverStates where +needed. + +Signed-off-by: Kevin Wolf +Reviewed-by: Markus Armbruster +(cherry picked from commit 34d4260e1846d69d7241f690534e3dd4b3e6fd5b) + +[BR: bnc#733777] +Signed-off-by: Bruce Rogers +[AF: backported] +Signed-off-by: Andreas Färber +--- + hw/fdc.c | 12 ++++++++++++ + hw/fdc.h | 9 +++++++-- + hw/pc.c | 25 ++++++++++++++----------- + hw/pc.h | 3 ++- + hw/pc_piix.c | 5 +++-- + 5 files changed, 38 insertions(+), 16 deletions(-) + +diff --git a/hw/fdc.c b/hw/fdc.c +index 9fdbc75..cf675ce 100644 +--- a/hw/fdc.c ++++ b/hw/fdc.c +@@ -1911,6 +1911,18 @@ static int sun4m_fdc_init1(SysBusDevice *dev) + return fdctrl_init_common(fdctrl); + } + ++void fdc_get_bs(BlockDriverState *bs[], ISADevice *dev) ++{ ++ FDCtrlISABus *isa = DO_UPCAST(FDCtrlISABus, busdev, dev); ++ FDCtrl *fdctrl = &isa->state; ++ int i; ++ ++ for (i = 0; i < MAX_FD; i++) { ++ bs[i] = fdctrl->drives[i].bs; ++ } ++} ++ ++ + static const VMStateDescription vmstate_isa_fdc ={ + .name = "fdc", + .version_id = 2, +diff --git a/hw/fdc.h b/hw/fdc.h +index 09f73c6..506feb6 100644 +--- a/hw/fdc.h ++++ b/hw/fdc.h +@@ -7,14 +7,15 @@ + /* fdc.c */ + #define MAX_FD 2 + +-static inline void fdctrl_init_isa(DriveInfo **fds) ++static inline ISADevice *fdctrl_init_isa(DriveInfo **fds) + { + ISADevice *dev; + + dev = isa_try_create("isa-fdc"); + if (!dev) { +- 
return; ++ return NULL; + } ++ + if (fds[0]) { + qdev_prop_set_drive_nofail(&dev->qdev, "driveA", fds[0]->bdrv); + } +@@ -22,10 +23,14 @@ static inline void fdctrl_init_isa(DriveInfo **fds) + qdev_prop_set_drive_nofail(&dev->qdev, "driveB", fds[1]->bdrv); + } + qdev_init_nofail(&dev->qdev); ++ ++ return dev; + } + + void fdctrl_init_sysbus(qemu_irq irq, int dma_chann, + target_phys_addr_t mmio_base, DriveInfo **fds); + void sun4m_fdctrl_init(qemu_irq irq, target_phys_addr_t io_base, + DriveInfo **fds, qemu_irq *fdc_tc); ++void fdc_get_bs(BlockDriverState *bs[], ISADevice *dev); ++ + #endif +diff --git a/hw/pc.c b/hw/pc.c +index 14ce684..1d2b61e 100644 +--- a/hw/pc.c ++++ b/hw/pc.c +@@ -333,12 +333,12 @@ static void pc_cmos_init_late(void *opaque) + + void pc_cmos_init(ram_addr_t ram_size, ram_addr_t above_4g_mem_size, + const char *boot_device, +- BusState *idebus0, BusState *idebus1, ++ ISADevice *floppy, BusState *idebus0, BusState *idebus1, + ISADevice *s) + { + int val, nb, nb_heads, max_track, last_sect, i; + FDriveType fd_type[2]; +- DriveInfo *fd[2]; ++ BlockDriverState *fd[MAX_FD]; + static pc_cmos_init_late_arg arg; + + /* various important CMOS locations needed by PC/Bochs bios */ +@@ -380,14 +380,16 @@ void pc_cmos_init(ram_addr_t ram_size, ram_addr_t above_4g_mem_size, + } + + /* floppy type */ +- for (i = 0; i < 2; i++) { +- fd[i] = drive_get(IF_FLOPPY, 0, i); +- if (fd[i] && bdrv_is_inserted(fd[i]->bdrv)) { +- bdrv_get_floppy_geometry_hint(fd[i]->bdrv, &nb_heads, &max_track, +- &last_sect, FDRIVE_DRV_NONE, +- &fd_type[i]); +- } else { +- fd_type[i] = FDRIVE_DRV_NONE; ++ if (floppy) { ++ fdc_get_bs(fd, floppy); ++ for (i = 0; i < 2; i++) { ++ if (fd[i] && bdrv_is_inserted(fd[i])) { ++ bdrv_get_floppy_geometry_hint(fd[i], &nb_heads, &max_track, ++ &last_sect, FDRIVE_DRV_NONE, ++ &fd_type[i]); ++ } else { ++ fd_type[i] = FDRIVE_DRV_NONE; ++ } + } + } + val = (cmos_get_fd_drive_type(fd_type[0]) << 4) | +@@ -1091,6 +1093,7 @@ static void 
cpu_request_exit(void *opaque, int irq, int level) + + void pc_basic_device_init(qemu_irq *isa_irq, + ISADevice **rtc_state, ++ ISADevice **floppy, + bool no_vmport) + { + int i; +@@ -1155,7 +1158,7 @@ void pc_basic_device_init(qemu_irq *isa_irq, + for(i = 0; i < MAX_FD; i++) { + fd[i] = drive_get(IF_FLOPPY, 0, i); + } +- fdctrl_init_isa(fd); ++ *floppy = fdctrl_init_isa(fd); + } + + void pc_pci_device_init(PCIBus *pci_bus) +diff --git a/hw/pc.h b/hw/pc.h +index 6d5730b..24b7fe2 100644 +--- a/hw/pc.h ++++ b/hw/pc.h +@@ -138,11 +138,12 @@ qemu_irq *pc_allocate_cpu_irq(void); + void pc_vga_init(PCIBus *pci_bus); + void pc_basic_device_init(qemu_irq *isa_irq, + ISADevice **rtc_state, ++ ISADevice **floppy, + bool no_vmport); + void pc_init_ne2k_isa(NICInfo *nd); + void pc_cmos_init(ram_addr_t ram_size, ram_addr_t above_4g_mem_size, + const char *boot_device, +- BusState *ide0, BusState *ide1, ++ ISADevice *floppy, BusState *ide0, BusState *ide1, + ISADevice *s); + void pc_pci_device_init(PCIBus *pci_bus); + +diff --git a/hw/pc_piix.c b/hw/pc_piix.c +index 31552fd..b8e0841 100644 +--- a/hw/pc_piix.c ++++ b/hw/pc_piix.c +@@ -89,6 +89,7 @@ static void pc_init1(ram_addr_t ram_size, + DriveInfo *hd[MAX_IDE_BUS * MAX_IDE_DEVS]; + BusState *idebus[MAX_IDE_BUS]; + ISADevice *rtc_state; ++ ISADevice *floppy; + + pc_cpus_init(cpu_model); + +@@ -141,7 +142,7 @@ static void pc_init1(ram_addr_t ram_size, + } + + /* init basic PC hardware */ +- pc_basic_device_init(isa_irq, &rtc_state, xen_enabled()); ++ pc_basic_device_init(isa_irq, &rtc_state, &floppy, xen_enabled()); + + for(i = 0; i < nb_nics; i++) { + NICInfo *nd = &nd_table[i]; +@@ -170,7 +171,7 @@ static void pc_init1(ram_addr_t ram_size, + audio_init(isa_irq, pci_enabled ? 
pci_bus : NULL); + + pc_cmos_init(below_4g_mem_size, above_4g_mem_size, boot_device, +- idebus[0], idebus[1], rtc_state); ++ floppy, idebus[0], idebus[1], rtc_state); + + if (pci_enabled && usb_enabled) { + usb_uhci_piix3_init(pci_bus, piix3_devfn + 2); +-- +1.7.11.2 + diff --git a/0230-cpu-common-Have-a-ram_addr_t-of-uint64-with-Xen.patch b/0230-cpu-common-Have-a-ram_addr_t-of-uint64-with-Xen.patch new file mode 100644 index 0000000..1fe3b1e --- /dev/null +++ b/0230-cpu-common-Have-a-ram_addr_t-of-uint64-with-Xen.patch 
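Review bot: In pc_cmos_init, `fd_type[0]` and `fd_type[1]` are now assigned only inside `if (floppy)`, so when fdctrl_init_isa returned NULL (isa_try_create failing, which the new return value exists to report) the `cmos_get_fd_drive_type(fd_type[0]) << 4` line reads uninitialized stack, whereas the old loop always fell into the FDRIVE_DRV_NONE branch. Initialise at the declaration, `FDriveType fd_type[2] = { FDRIVE_DRV_NONE, FDRIVE_DRV_NONE };`, or add an else branch. fdc_get_bs also carries no comment saying it writes exactly MAX_FD entries into the caller's array; suggest `/* Fill bs[0..MAX_FD-1] with the controller's drives; bs must hold MAX_FD entries. */` on the fdc.h declaration, and the loop in pc_cmos_init would then read better bounded by MAX_FD like the `fd[MAX_FD]` it indexes. pc_cmos_init's body continues outside the hunk.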
@@ -0,0 +1,97 @@ +From 7baf1e0bf54096eceb4c4553c9212599454cd83d Mon Sep 17 00:00:00 2001 +From: Anthony PERARD +Date: Wed, 20 Jul 2011 08:17:42 +0000 +Subject: [PATCH] cpu-common: Have a ram_addr_t of uint64 with Xen. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +In Xen case, memory can be bigger than the host memory. that mean a +32bits host (and QEMU) should be able to handle a RAM address of 64bits. + +Signed-off-by: Anthony PERARD +Signed-off-by: Alexander Graf +(cherry picked from commit f15fbc4bd1a24bd1477a846e63e62c6d435912f8) + +Signed-off-by: Andreas Färber +--- + cpu-common.h | 8 ++++++++ + exec.c | 9 +++++---- + xen-all.c | 2 +- + 3 files changed, 14 insertions(+), 5 deletions(-) + +diff --git a/cpu-common.h b/cpu-common.h +index 44b04b3..0700101 100644 +--- a/cpu-common.h ++++ b/cpu-common.h +@@ -27,7 +27,15 @@ enum device_endian { + }; + + /* address in the RAM (different from a physical address) */ ++#if defined(CONFIG_XEN_BACKEND) && TARGET_PHYS_ADDR_BITS == 64 ++typedef uint64_t ram_addr_t; ++# define RAM_ADDR_MAX UINT64_MAX ++# define RAM_ADDR_FMT "%" PRIx64 ++#else + typedef unsigned long ram_addr_t; ++# define RAM_ADDR_MAX ULONG_MAX ++# define RAM_ADDR_FMT "%lx" ++#endif + + /* memory API */ + +diff --git a/exec.c b/exec.c +index 2160ded..6fb589b 100644 +--- a/exec.c ++++ b/exec.c +@@ -2863,13 +2863,13 @@ static void *file_ram_alloc(RAMBlock *block, + static ram_addr_t find_ram_offset(ram_addr_t size) + { + RAMBlock *block, *next_block; +- ram_addr_t offset = 0, mingap = ULONG_MAX; ++ ram_addr_t offset = 0, mingap = RAM_ADDR_MAX; + + if (QLIST_EMPTY(&ram_list.blocks)) + return 0; + + QLIST_FOREACH(block, &ram_list.blocks, next) { +- ram_addr_t end, next = ULONG_MAX; ++ ram_addr_t end, next = RAM_ADDR_MAX; + + end = block->offset + block->length; + +@@ -3081,7 +3081,8 @@ void qemu_ram_remap(ram_addr_t addr, ram_addr_t length) + #endif + } + if (area != vaddr) { +- fprintf(stderr, "Could not remap 
addr: %lx@%lx\n", ++ fprintf(stderr, "Could not remap addr: " ++ RAM_ADDR_FMT "@" RAM_ADDR_FMT "\n", + length, addr); + exit(1); + } +@@ -4052,7 +4053,7 @@ void *cpu_physical_memory_map(target_phys_addr_t addr, + target_phys_addr_t page; + unsigned long pd; + PhysPageDesc *p; +- ram_addr_t raddr = ULONG_MAX; ++ ram_addr_t raddr = RAM_ADDR_MAX; + ram_addr_t rlen; + void *ret; + +diff --git a/xen-all.c b/xen-all.c +index 167bed6..8f2556a 100644 +--- a/xen-all.c ++++ b/xen-all.c +@@ -184,7 +184,7 @@ void xen_ram_alloc(ram_addr_t ram_addr, ram_addr_t size) + } + + if (xc_domain_populate_physmap_exact(xen_xc, xen_domid, nr_pfn, 0, 0, pfn_list)) { +- hw_error("xen: failed to populate ram at %lx", ram_addr); ++ hw_error("xen: failed to populate ram at " RAM_ADDR_FMT, ram_addr); + } + + qemu_free(pfn_list); +-- +1.7.11.2 + diff --git a/0231-Error-check-find_ram_offset.patch b/0231-Error-check-find_ram_offset.patch new file mode 100644 index 0000000..e4b3497 --- /dev/null +++ b/0231-Error-check-find_ram_offset.patch 
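Review bot: The new RAM_ADDR_MAX and RAM_ADDR_FMT definitions in cpu-common.h expand to UINT64_MAX, PRIx64 and ULONG_MAX, which come from <stdint.h>, <inttypes.h> and <limits.h>; none of those is included in the hunk, so the header now depends on its includers having pulled them in first (possibly already the case via an earlier include, which is not visible here). A one-line comment on the macros would help the next reader: `/* Use RAM_ADDR_MAX / RAM_ADDR_FMT instead of ULONG_MAX / "%lx" wherever a ram_addr_t is bounded or printed; its width now depends on the Xen build. */`.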
@@ -0,0 +1,58 @@ +From 75f2b558df8c3ccd8b980eedf2f4aef8b217587e Mon Sep 17 00:00:00 2001 +From: Alex Williamson +Date: Mon, 31 Oct 2011 08:54:09 -0600 +Subject: [PATCH] Error check find_ram_offset +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Spotted via code review, we initialize offset to 0 to avoid a +compiler warning, but in the unlikely case that offset is +never set to something else, we should abort instead of return +a value that will almost certainly cause problems. + +Signed-off-by: Alex Williamson +Signed-off-by: Anthony Liguori +(cherry picked from commit 3e837b2c05bc63fe2226baf3c29923d5a688593f) + +Signed-off-by: Bruce Rogers +Signed-off-by: Andreas Färber +--- + exec.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/exec.c b/exec.c +index 6fb589b..537a49f 100644 +--- a/exec.c ++++ b/exec.c +@@ -2863,7 +2863,7 @@ static void *file_ram_alloc(RAMBlock *block, + static ram_addr_t find_ram_offset(ram_addr_t size) + { + RAMBlock *block, *next_block; +- ram_addr_t offset = 0, mingap = RAM_ADDR_MAX; ++ ram_addr_t offset = RAM_ADDR_MAX, mingap = RAM_ADDR_MAX; + + if (QLIST_EMPTY(&ram_list.blocks)) + return 0; +@@ -2879,10 +2879,17 @@ static ram_addr_t find_ram_offset(ram_addr_t size) + } + } + if (next - end >= size && next - end < mingap) { +- offset = end; ++ offset = end; + mingap = next - end; + } + } ++ ++ if (offset == RAM_ADDR_MAX) { ++ fprintf(stderr, "Failed to find gap of requested size: %" PRIu64 "\n", ++ (uint64_t)size); ++ abort(); ++ } ++ + return offset; + } + +-- +1.7.11.2 + diff --git a/0232-pc-add-pc-0.15.patch b/0232-pc-add-pc-0.15.patch new file mode 100644 index 0000000..aaefe27 --- /dev/null +++ b/0232-pc-add-pc-0.15.patch 
@@ -0,0 +1,73 @@ +From 60d8ce5610a8b24ff298d6cb3d9abbd2e6f046bd Mon Sep 17 00:00:00 2001 +From: Anthony Liguori +Date: Sun, 18 Dec 2011 12:59:12 -0600 +Subject: [PATCH] pc: add pc-0.15 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Anthony Liguori +(cherry picked from commit ce01a508e8053350544c88ba68a3f90c44b6bb93) + +[BR: bnc#741460] +Signed-off-by: Bruce Rogers +[AF: backported] +Signed-off-by: Andreas Färber +--- + hw/pc_piix.c | 26 +++++++++++++++++++++++--- + 1 file changed, 23 insertions(+), 3 deletions(-) + +diff --git a/hw/pc_piix.c b/hw/pc_piix.c +index b8e0841..20bac9d 100644 +--- a/hw/pc_piix.c ++++ b/hw/pc_piix.c +@@ -258,8 +258,8 @@ static void pc_xen_hvm_init(ram_addr_t ram_size, + } + #endif + +-static QEMUMachine pc_machine = { +- .name = "pc-0.14", ++static QEMUMachine pc_machine_v0_15 = { ++ .name = "pc-0.15", + .alias = "pc", + .desc = "Standard PC", + .init = pc_init_pci, +@@ -267,6 +267,25 @@ static QEMUMachine pc_machine = { + .is_default = 1, + }; + ++static QEMUMachine pc_machine_v0_14 = { ++ .name = "pc-0.14", ++ .desc = "Standard PC", ++ .init = pc_init_pci, ++ .max_cpus = 255, ++ .compat_props = (GlobalProperty[]) { ++ { ++ .driver = "qxl", ++ .property = "revision", ++ .value = stringify(2), ++ },{ ++ .driver = "qxl-vga", ++ .property = "revision", ++ .value = stringify(2), ++ }, ++ { /* end of list */ } ++ }, ++}; ++ + static QEMUMachine pc_machine_v0_13 = { + .name = "pc-0.13", + .desc = "Standard PC", +@@ -498,7 +517,8 @@ static QEMUMachine xenfv_machine = { + + static void pc_machine_init(void) + { +- qemu_register_machine(&pc_machine); ++ qemu_register_machine(&pc_machine_v0_15); ++ qemu_register_machine(&pc_machine_v0_14); + qemu_register_machine(&pc_machine_v0_13); + qemu_register_machine(&pc_machine_v0_12); + qemu_register_machine(&pc_machine_v0_11); +-- +1.7.11.2 + 
diff --git a/0233-pc-fix-event_idx-compatibility-for-virtio-devices.patch b/0233-pc-fix-event_idx-compatibility-for-virtio-devices.patch new file mode 100644 index 0000000..7ad890a --- /dev/null +++ b/0233-pc-fix-event_idx-compatibility-for-virtio-devices.patch 
@@ -0,0 +1,95 @@ +From 3cc7ef743b3f04ff986c820f67444d2dec946167 Mon Sep 17 00:00:00 2001 +From: Anthony Liguori +Date: Sun, 18 Dec 2011 13:07:03 -0600 +Subject: [PATCH] pc: fix event_idx compatibility for virtio devices +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +event_idx was introduced in 0.15 and must be disabled for all virtio-pci devices +(including virtio-balloon-pci). + +Signed-off-by: Anthony Liguori +(cherry picked from commit ea830ebb74461c5ad6d199857fb000d2e0284c69) + +[BR: bnc#741460] +Signed-off-by: Bruce Rogers +Signed-off-by: Andreas Färber +--- + hw/pc_piix.c | 32 ++++++++++++++++++++++++++++++++ + 1 file changed, 32 insertions(+) + +diff --git a/hw/pc_piix.c b/hw/pc_piix.c +index 20bac9d..b179465 100644 +--- a/hw/pc_piix.c ++++ b/hw/pc_piix.c +@@ -281,6 +281,22 @@ static QEMUMachine pc_machine_v0_14 = { + .driver = "qxl-vga", + .property = "revision", + .value = stringify(2), ++ },{ ++ .driver = "virtio-blk-pci", ++ .property = "event_idx", ++ .value = "off", ++ },{ ++ .driver = "virtio-serial-pci", ++ .property = "event_idx", ++ .value = "off", ++ },{ ++ .driver = "virtio-net-pci", ++ .property = "event_idx", ++ .value = "off", ++ },{ ++ .driver = "virtio-balloon-pci", ++ .property = "event_idx", ++ .value = "off", + }, + { /* end of list */ } + }, +@@ -321,6 +337,10 @@ static QEMUMachine pc_machine_v0_13 = { + .property = "event_idx", + .value = "off", + },{ ++ .driver = "virtio-balloon-pci", ++ .property = "event_idx", ++ .value = "off", ++ },{ + .driver = "AC97", + .property = "use_broken_id", + .value = stringify(1), +@@ -368,6 +388,10 @@ static QEMUMachine pc_machine_v0_12 = { + .property = "event_idx", + .value = "off", + },{ ++ .driver = "virtio-balloon-pci", ++ .property = "event_idx", ++ .value = "off", ++ },{ + .driver = "AC97", + .property = "use_broken_id", + .value = stringify(1), +@@ -423,6 +447,10 @@ static QEMUMachine pc_machine_v0_11 = { + .property = "event_idx", + .value = 
"off", + },{ ++ .driver = "virtio-balloon-pci", ++ .property = "event_idx", ++ .value = "off", ++ },{ + .driver = "AC97", + .property = "use_broken_id", + .value = stringify(1), +@@ -490,6 +518,10 @@ static QEMUMachine pc_machine_v0_10 = { + .property = "event_idx", + .value = "off", + },{ ++ .driver = "virtio-balloon-pci", ++ .property = "event_idx", ++ .value = "off", ++ },{ + .driver = "AC97", + .property = "use_broken_id", + .value = stringify(1), +-- +1.7.11.2 + diff --git a/0234-Add-missing-trace-call-to-oslib-posix.c-qemu_vmalloc.patch b/0234-Add-missing-trace-call-to-oslib-posix.c-qemu_vmalloc.patch new file mode 100644 index 0000000..2585cb5 --- /dev/null +++ b/0234-Add-missing-trace-call-to-oslib-posix.c-qemu_vmalloc.patch @@ -0,0 +1,37 @@ +From 601465e71b720e1e54911bbd67e2d02cd4904f0d Mon Sep 17 00:00:00 2001 +From: Jes Sorensen +Date: Mon, 25 Jul 2011 17:13:36 +0200 +Subject: [PATCH] Add missing trace call to oslib-posix.c:qemu_vmalloc() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Acked-by: Stefan Hajnoczi +Signed-off-by: Jes Sorensen +Signed-off-by: Anthony Liguori +(cherry picked from commit c7f4111a06208b46c6d05934d2a1e5cfbebc0180) + +Signed-off-by: Andreas Färber +--- + oslib-posix.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/oslib-posix.c b/oslib-posix.c +index 3a18e86..196099c 100644 +--- a/oslib-posix.c ++++ b/oslib-posix.c +@@ -79,7 +79,10 @@ void *qemu_memalign(size_t alignment, size_t size) + /* alloc shared memory pages */ + void *qemu_vmalloc(size_t size) + { +- return qemu_memalign(getpagesize(), size); ++ void *ptr; ++ ptr = qemu_memalign(getpagesize(), size); ++ trace_qemu_vmalloc(size, ptr); ++ return ptr; + } + + void qemu_vfree(void *ptr) +-- +1.7.11.2 + diff --git a/0235-qemu_vmalloc-align-properly-for-transparent-hugepage.patch b/0235-qemu_vmalloc-align-properly-for-transparent-hugepage.patch new file mode 100644 index 0000000..bb9cde2 --- /dev/null 
+++ b/0235-qemu_vmalloc-align-properly-for-transparent-hugepage.patch @@ -0,0 +1,61 @@ +From d12ac10d3ce10d3e1c9b23aeca397caa74be49d3 Mon Sep 17 00:00:00 2001 +From: Avi Kivity +Date: Mon, 5 Sep 2011 11:07:05 +0300 +Subject: [PATCH] qemu_vmalloc: align properly for transparent hugepages and + KVM +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +To make good use of transparent hugepages, KVM requires that guest-physical +and host-virtual addresses share the low 21 bits (as opposed to just the low +12 bits normally required). + +Adjust qemu_vmalloc() to honor that requirement. Ignore it for small regions +to avoid fragmentation. + +Signed-off-by: Avi Kivity +Signed-off-by: Anthony Liguori +(cherry picked from commit 36b586284e678da28df3af9fd0907d2b16f9311c) + +Signed-off-by: Bruce Rogers +Signed-off-by: Andreas Färber +--- + oslib-posix.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/oslib-posix.c b/oslib-posix.c +index 196099c..a304fb0 100644 +--- a/oslib-posix.c ++++ b/oslib-posix.c +@@ -35,6 +35,13 @@ + extern int daemon(int, int); + #endif + ++#if defined(__linux__) && defined(__x86_64__) ++ /* Use 2MB alignment so transparent hugepages can be used by KVM */ ++# define QEMU_VMALLOC_ALIGN (512 * 4096) ++#else ++# define QEMU_VMALLOC_ALIGN getpagesize() ++#endif ++ + #include "config-host.h" + #include "sysemu.h" + #include "trace.h" +@@ -80,7 +87,12 @@ void *qemu_memalign(size_t alignment, size_t size) + void *qemu_vmalloc(size_t size) + { + void *ptr; +- ptr = qemu_memalign(getpagesize(), size); ++ size_t align = QEMU_VMALLOC_ALIGN; ++ ++ if (size < align) { ++ align = getpagesize(); ++ } ++ ptr = qemu_memalign(align, size); + trace_qemu_vmalloc(size, ptr); + return ptr; + } +-- +1.7.11.2 + diff --git a/0236-block-vpc-write-checksum-back-to-footer-after-check.patch b/0236-block-vpc-write-checksum-back-to-footer-after-check.patch new file mode 100644 index 0000000..f35383d 
--- /dev/null +++ b/0236-block-vpc-write-checksum-back-to-footer-after-check.patch @@ -0,0 +1,41 @@ +From add89f969fc86f3b3223c4283ee49fcb507b8f81 Mon Sep 17 00:00:00 2001 +From: Zhang Shengju +Date: Tue, 13 Mar 2012 22:38:13 +0800 +Subject: [PATCH] block/vpc: write checksum back to footer after check +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +After validation check, the 'checksum' is not written back +to footer, which leave it with zero. + +This results in errors while loadding it under Microsoft's +Hyper-V environment, and also errors from utilities like +Citrix's vhd-util. + +Signed-off-by: Zhang Shengju +Signed-off-by: Kevin Wolf +(cherry picked from commit c088b691363070d151f80cc1fde4b7c151bdfe8f) + +Signed-off-by: Andreas Färber +--- + block/vpc.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/block/vpc.c b/block/vpc.c +index ac33e15..55201e2 100644 +--- a/block/vpc.c ++++ b/block/vpc.c +@@ -170,6 +170,9 @@ static int vpc_open(BlockDriverState *bs, int flags) + fprintf(stderr, "block-vpc: The header checksum of '%s' is " + "incorrect.\n", bs->filename); + ++ /* Write 'checksum' back to footer, or else will leave it with zero. */ ++ footer->checksum = be32_to_cpu(checksum); ++ + // The visible size of a image in Virtual PC depends on the geometry + // rather than on the size stored in the footer (the size in the footer + // is too large usually) +-- +1.7.11.2 + diff --git a/0237-bt-host-add-missing-break-statement.patch b/0237-bt-host-add-missing-break-statement.patch new file mode 100644 index 0000000..8f72237 --- /dev/null +++ b/0237-bt-host-add-missing-break-statement.patch 
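Review bot: `footer->checksum = be32_to_cpu(checksum);` restores an on-disk big-endian field from a value that, judging by the comparison preceding the hunk, is presumably already in host order, so the conversion should read `cpu_to_be32(checksum)`; both are the same byte swap on every host, but the name documents the wrong direction. The write-back also sits after the mismatch `fprintf`, which only warns, so an image whose checksum failed verification gets the failing value written back rather than being rejected or recomputed; if that is intended, the comment should say so, e.g. `/* Restore the on-disk checksum field cleared for verification; a mismatch was only warned about above. */`. vpc_open continues outside the hunk in both directions.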
@@ -0,0 +1,36 @@ +From 557393c06af445a23f65667d16d1ff43b5d7ae6d Mon Sep 17 00:00:00 2001 +From: Stefan Hajnoczi +Date: Thu, 12 Jan 2012 14:17:04 +0000 +Subject: [PATCH] bt-host: add missing break statement +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The switch statement in bt_host_read() is missing a break in one case. +Andrzej Zaborowski confirmed that this is +not an intentional fall-through. + +Reviewed-by: Stefan Weil +Signed-off-by: Stefan Hajnoczi +(cherry picked from commit f7253270fc66a60e4faf639a3c4ce0b352553b24) + +Signed-off-by: Andreas Färber +--- + bt-host.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/bt-host.c b/bt-host.c +index 095254d..df59494 100644 +--- a/bt-host.c ++++ b/bt-host.c +@@ -130,6 +130,7 @@ static void bt_host_read(void *opaque) + pktlen = MIN(pkt[2] + 3, s->len); + s->len -= pktlen; + pkt += pktlen; ++ break; + + default: + bad_pkt: +-- +1.7.11.2 + diff --git a/0238-ds1338-Add-missing-break-statement.patch b/0238-ds1338-Add-missing-break-statement.patch new file mode 100644 index 0000000..f4529e9 --- /dev/null +++ b/0238-ds1338-Add-missing-break-statement.patch 
@@ -0,0 +1,39 @@ +From 1c363aca36c5f53cb04d04fa1ee9a442dd5dbad4 Mon Sep 17 00:00:00 2001 +From: Stefan Weil +Date: Sat, 25 Feb 2012 14:50:25 +0100 +Subject: [PATCH] ds1338: Add missing break statement +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Without the break statement, case 5 sets month and year from the same +data. This does not look correct. + +The missing break was reported by splint. + +Signed-off-by: Stefan Weil +Reviewed-by: Peter Maydell +Reviewed-by: Andreas Färber +Signed-off-by: Stefan Hajnoczi +(cherry picked from commit fbac6a7d35d119a52606c175aface9bcec805f09) + +Signed-off-by: Andreas Färber +--- + hw/ds1338.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/hw/ds1338.c b/hw/ds1338.c +index 3522af5..964d2f7 100644 +--- a/hw/ds1338.c ++++ b/hw/ds1338.c +@@ -97,6 +97,7 @@ static int ds1338_send(i2c_slave *i2c, uint8_t data) + break; + case 5: + s->now.tm_mon = from_bcd(data & 0x1f) - 1; ++ break; + case 6: + s->now.tm_year = from_bcd(data) + 100; + break; +-- +1.7.11.2 + diff --git a/0239-block-vdi-Zero-unused-parts-when-allocating-a-new-bl.patch b/0239-block-vdi-Zero-unused-parts-when-allocating-a-new-bl.patch new file mode 100644 index 0000000..c396ce6 --- /dev/null +++ b/0239-block-vdi-Zero-unused-parts-when-allocating-a-new-bl.patch 
@@ -0,0 +1,70 @@ +From e246af75817264aa340cc4e8bb42c17a2d48cbb7 Mon Sep 17 00:00:00 2001 +From: Stefan Weil +Date: Sat, 21 Jan 2012 13:54:24 +0100 +Subject: [PATCH] block/vdi: Zero unused parts when allocating a new block + (fix #919242) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The new block was filled with zero when it was allocated by g_malloc0, +but when it was reused later and only partially used, data from the +previously allocated block were still present and written to the new +block. + +This caused the problems reported by bug #919242 +(https://bugs.launchpad.net/qemu/+bug/919242). + +Now the unused parts of the new block which are before and after the data +are always filled with zero, so it is no longer necessary to zero the whole +block with g_malloc0. + +I also updated the copyright comment. + +Signed-off-by: Stefan Weil +Signed-off-by: Kevin Wolf +(cherry picked from commit 641543b76b82a8b361482b727e08de0c8ec093b0) + +[AF: g_malloc() -> qemu_malloc()] +Signed-off-by: Andreas Färber +--- + block/vdi.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/block/vdi.c b/block/vdi.c +index 1be0cdc..07413af 100644 +--- a/block/vdi.c ++++ b/block/vdi.c +@@ -1,7 +1,7 @@ + /* + * Block driver for the Virtual Disk Image (VDI) format + * +- * Copyright (c) 2009 Stefan Weil ++ * Copyright (c) 2009, 2012 Stefan Weil + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by +@@ -765,15 +765,19 @@ static void vdi_aio_write_cb(void *opaque, int ret) + (uint64_t)bmap_entry * s->block_sectors; + block = acb->block_buffer; + if (block == NULL) { +- block = qemu_mallocz(s->block_size); ++ block = qemu_malloc(s->block_size); + acb->block_buffer = block; + acb->bmap_first = block_index; + assert(!acb->header_modified); + acb->header_modified = 1; + } + acb->bmap_last = block_index; ++ /* Copy data to be 
written to new block and zero unused parts. */ ++ memset(block, 0, sector_in_block * SECTOR_SIZE); + memcpy(block + sector_in_block * SECTOR_SIZE, + acb->buf, n_sectors * SECTOR_SIZE); ++ memset(block + (sector_in_block + n_sectors) * SECTOR_SIZE, 0, ++ (s->block_sectors - n_sectors - sector_in_block) * SECTOR_SIZE); + acb->hd_iov.iov_base = (void *)block; + acb->hd_iov.iov_len = s->block_size; + qemu_iovec_init_external(&acb->hd_qiov, &acb->hd_iov, 1); +-- +1.7.11.2 + diff --git a/qemu-fix-non-PCI-target-build.patch b/qemu-fix-non-PCI-target-build.patch deleted file mode 100644 index b479efa..0000000 --- a/qemu-fix-non-PCI-target-build.patch +++ /dev/null @@ -1,53 +0,0 @@ -commit 1a8364456c2f3946b4feb8fc78eaf00d974f4c03 -Author: Jan Kiszka -Date: Wed Feb 23 09:28:53 2011 +0100 - - qemu-kvm: Fix non-PCI target build - - Replace obsolete qemu-kvm.h with kvm.h in pci.c and build that module - just like upstream does. This fixes non-x86 targets which have no PCI - support. - - Signed-off-by: Jan Kiszka - 
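Review bot: The trailing `memset` length `(s->block_sectors - n_sectors - sector_in_block) * SECTOR_SIZE` is only correct if `sector_in_block + n_sectors <= s->block_sectors`, which must hold for the write to fit the block but is established outside the hunk; if these are unsigned, a violation wraps into a huge memset rather than a visible failure. An `assert(sector_in_block + n_sectors <= s->block_sectors);` placed before the two memsets documents and enforces the precondition at the point the arithmetic depends on it. vdi_aio_write_cb continues outside the hunk.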
Signed-off-by: Avi Kivity - -diff --git a/Makefile.objs b/Makefile.objs -index f5702eb..3ec7121 100644 ---- a/Makefile.objs -+++ b/Makefile.objs -@@ -170,7 +170,7 @@ hw-obj-y = - hw-obj-y += loader.o - hw-obj-$(CONFIG_VIRTIO) += virtio.o virtio-console.o - hw-obj-y += fw_cfg.o --hw-obj-$(CONFIG_PCI) += pci_bridge.o -+hw-obj-$(CONFIG_PCI) += pci.o pci_bridge.o - hw-obj-$(CONFIG_PCI) += msix.o msi.o - hw-obj-$(CONFIG_PCI) += pci_host.o pcie_host.o - hw-obj-$(CONFIG_PCI) += ioh3420.o xio3130_upstream.o xio3130_downstream.o -diff --git a/Makefile.target b/Makefile.target -index 6e9a024..23367eb 100644 ---- a/Makefile.target -+++ b/Makefile.target -@@ -195,7 +195,7 @@ endif #CONFIG_BSD_USER - # System emulator target - ifdef CONFIG_SOFTMMU - --obj-y = arch_init.o cpus.o monitor.o pci.o machine.o gdbstub.o vl.o balloon.o -+obj-y = arch_init.o cpus.o monitor.o machine.o gdbstub.o vl.o balloon.o - # virtio has to be here due to weird dependency between PCI and virtio-net. - # need to fix this properly - obj-$(CONFIG_NO_PCI) += pci-stub.o -diff --git a/hw/pci.c b/hw/pci.c -index 0c44939..1f6cebe 100644 ---- a/hw/pci.c -+++ b/hw/pci.c -@@ -29,8 +29,8 @@ - #include "net.h" - #include "sysemu.h" - #include "loader.h" --#include "qemu-kvm.h" - #include "hw/pc.h" -+#include "kvm.h" - #include "device-assignment.h" - #include "qemu-objects.h" - #include "range.h" diff --git a/qemu-fix-systemtap.patch b/qemu-fix-systemtap.patch new file mode 100644 index 0000000..3191eec --- /dev/null +++ b/qemu-fix-systemtap.patch 
@@ -0,0 +1,19 @@ +diff -rup qemu-kvm-1.0.1/scripts/tracetool z/scripts/tracetool +--- qemu-kvm-1.0.1/scripts/tracetool 2012-04-16 22:15:17.000000000 -0400 ++++ z/scripts/tracetool 2012-07-29 21:10:51.326868987 -0400 +@@ -500,6 +500,15 @@ EOF + if [ "$arg" = "limit" ]; then + arg="_limit" + fi ++ if [ "$arg" = "in" ]; then ++ arg="_in" ++ fi ++ if [ "$arg" = "next" ]; then ++ arg="_next" ++ fi ++ if [ "$arg" = "self" ]; then ++ arg="_self" ++ fi + cat <surface); +- screen_dump_filename = NULL; + } + } + +@@ -2408,8 +2407,8 @@ static void vga_screen_dump(void *opaque + if (!screen_dump_dcl) + screen_dump_dcl = vga_screen_dump_init(s->ds); + +- screen_dump_filename = (char *)filename; ++ screen_dump_filename = filename; + vga_invalidate_display(s); + vga_hw_update(); ++ screen_dump_filename = NULL; + } +- diff --git a/qemu-snapshot-symlink-attack.patch b/qemu-snapshot-symlink-attack.patch new file mode 100644 index 0000000..e6b1ae6 --- /dev/null +++ b/qemu-snapshot-symlink-attack.patch 
@@ -0,0 +1,93 @@ +diff -rup qemu-kvm-0.15.1/block/vvfat.c frob/block/vvfat.c +--- qemu-kvm-0.15.1/block/vvfat.c 2012-07-29 20:56:28.318227757 -0400 ++++ frob/block/vvfat.c 2012-07-29 20:59:15.537859208 -0400 +@@ -2795,7 +2795,12 @@ static int enable_write_target(BDRVVVFAT + array_init(&(s->commits), sizeof(commit_t)); + + s->qcow_filename = qemu_malloc(1024); +- get_tmp_filename(s->qcow_filename, 1024); ++ ret = get_tmp_filename(s->qcow_filename, 1024); ++ if (ret < 0) { ++ free(s->qcow_filename); ++ s->qcow_filename = NULL; ++ return ret; ++ } + + bdrv_qcow = bdrv_find_format("qcow"); + options = parse_option_parameters("", bdrv_qcow->create_options, NULL); +diff -rup qemu-kvm-0.15.1/block.c frob/block.c +--- qemu-kvm-0.15.1/block.c 2012-07-29 20:56:28.367221495 -0400 ++++ frob/block.c 2012-07-29 20:58:24.931326050 -0400 +@@ -254,28 +254,36 @@ int bdrv_create_file(const char* filenam + return bdrv_create(drv, filename, options); + } + +-#ifdef _WIN32 +-void get_tmp_filename(char *filename, int size) ++/* ++ * Create a uniquely-named empty temporary file. ++ * Return 0 upon success, otherwise a negative errno value. ++ */ ++int get_tmp_filename(char *filename, int size) + { ++#ifdef _WIN32 + char temp_dir[MAX_PATH]; +- +- GetTempPath(MAX_PATH, temp_dir); +- GetTempFileName(temp_dir, "qem", 0, filename); +-} ++ /* GetTempFileName requires that its output buffer (4th param) ++ have length MAX_PATH or greater. */ ++ assert(size >= MAX_PATH); ++ return (GetTempPath(MAX_PATH, temp_dir) ++ && GetTempFileName(temp_dir, "qem", 0, filename) ++ ? 
0 : -GetLastError()); + #else +-void get_tmp_filename(char *filename, int size) +-{ + int fd; + const char *tmpdir; +- /* XXX: race condition possible */ + tmpdir = getenv("TMPDIR"); + if (!tmpdir) + tmpdir = "/tmp"; +- snprintf(filename, size, "%s/vl.XXXXXX", tmpdir); ++ if (snprintf(filename, size, "%s/vl.XXXXXX", tmpdir) >= size) { ++ return -EOVERFLOW; ++ } + fd = mkstemp(filename); +- close(fd); +-} ++ if (fd < 0 || close(fd)) { ++ return -errno; ++ } ++ return 0; + #endif ++} + + /* + * Detect host devices. By convention, /dev/cdrom[N] is always +@@ -555,7 +563,10 @@ int bdrv_open(BlockDriverState *bs, cons + + bdrv_delete(bs1); + +- get_tmp_filename(tmp_filename, sizeof(tmp_filename)); ++ ret = get_tmp_filename(tmp_filename, sizeof(tmp_filename)); ++ if (ret < 0) { ++ return ret; ++ } + + /* Real path is meaningless for protocols */ + if (is_protocol) +diff -rup qemu-kvm-0.15.1/block_int.h frob/block_int.h +--- qemu-kvm-0.15.1/block_int.h 2011-10-19 09:54:48.000000000 -0400 ++++ frob/block_int.h 2012-07-29 20:58:24.932325925 -0400 +@@ -216,7 +216,7 @@ struct BlockDriverAIOCB { + BlockDriverAIOCB *next; + }; + +-void get_tmp_filename(char *filename, int size); ++int get_tmp_filename(char *filename, int size); + + void *qemu_aio_get(AIOPool *pool, BlockDriverState *bs, + BlockDriverCompletionFunc *cb, void *opaque); diff --git a/qemu-spice-server-threading.patch b/qemu-spice-server-threading.patch new file mode 100644 index 0000000..c8ba0a3 --- /dev/null +++ b/qemu-spice-server-threading.patch 
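Review bot: In the new vvfat error path `s->qcow_filename` is allocated two lines earlier with `qemu_malloc()` but released with plain `free()`; the matching counterpart in this code base is `qemu_free(s->qcow_filename);`, which keeps allocator and release paired. In the POSIX branch of `get_tmp_filename()` only a `snprintf()` result `>= size` is treated as failure, so a negative return (encoding error) would still reach `mkstemp()` with a buffer whose contents are unspecified; `int len = snprintf(filename, size, "%s/vl.XXXXXX", tmpdir); if (len < 0 || len >= size) return -EOVERFLOW;` covers both cases. On the Windows branch `-GetLastError()` returns a negated Win32 error code rather than a negative errno, so `bdrv_open()` callers that map the result to errno text will get an unrelated value there — if that is accepted, a comment saying so next to the `return` would help. Whether `ret` is already declared in `enable_write_target()` cannot be seen from this hunk.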
@@ -0,0 +1,73 @@ +commit 22b626e28e9895cc65c1e2023323bda5138716dc +Author: Gerd Hoffmann +Date: Fri Sep 2 15:03:28 2011 +0200 + + spice: workaround a spice server bug. + + spice server might call the channel_event callback from spice server + thread context. Detect that and aquire iothread lock if needed, + +diff --git a/ui/spice-core.c b/ui/spice-core.c +index dba11f0..3cbc721 100644 +--- a/ui/spice-core.c ++++ b/ui/spice-core.c +@@ -19,6 +19,7 @@ + #include + + #include ++#include + + #include "qemu-common.h" + #include "qemu-spice.h" +@@ -44,6 +45,8 @@ static char *auth_passwd; + static time_t auth_expires = TIME_MAX; + int using_spice = 0; + ++static pthread_t me; ++ + struct SpiceTimer { + QEMUTimer *timer; + QTAILQ_ENTRY(SpiceTimer) next; +@@ -217,6 +220,20 @@ static void channel_event(int event, SpiceChannelEventInfo *info) + QDict *server, *client; + QObject *data; + ++ /* ++ * Spice server might have called us from spice worker thread ++ * context (happens on display channel disconnects). Spice should ++ * not do that. It isn't that easy to fix it in spice and even ++ * when it is fixed we still should cover the already released ++ * spice versions. So detect that we've been called from another ++ * thread and grab the iothread lock if so before calling qemu ++ * functions. 
++ */ ++ bool need_lock = !pthread_equal(me, pthread_self()); ++ if (need_lock) { ++ qemu_mutex_lock_iothread(); ++ } ++ + client = qdict_new(); + add_addr_info(client, &info->paddr, info->plen); + +@@ -236,6 +253,10 @@ static void channel_event(int event, SpiceChannelEventInfo *info) + QOBJECT(client), QOBJECT(server)); + monitor_protocol_event(qevent[event], data); + qobject_decref(data); ++ ++ if (need_lock) { ++ qemu_mutex_unlock_iothread(); ++ } + } + + #else /* SPICE_INTERFACE_CORE_MINOR >= 3 */ +@@ -482,7 +503,9 @@ void qemu_spice_init(void) + spice_image_compression_t compression; + spice_wan_compression_t wan_compr; + +- if (!opts) { ++ me = pthread_self(); ++ ++ if (!opts) { + return; + } + port = qemu_opt_get_number(opts, "port", 0); diff --git a/qemu-vhost-fix-dirty-page-handling.patch b/qemu-vhost-fix-dirty-page-handling.patch deleted file mode 100644 index e3fabb7..0000000 --- a/qemu-vhost-fix-dirty-page-handling.patch +++ /dev/null @@ -1,31 +0,0 @@ -vhost was passing a physical address to cpu_physical_memory_set_dirty, -which is wrong: we need to translate to ram address first. - -Signed-off-by: Michael S. Tsirkin - -Note: this lead to crashes during migration, so the patch -is needed on the stable branch too. - ---- - hw/vhost.c | 4 +++- - 1 files changed, 3 insertions(+), 1 deletions(-) - -diff --git a/hw/vhost.c b/hw/vhost.c -index aaa34e4..97a1299 100644 ---- a/hw/vhost.c -+++ b/hw/vhost.c -@@ -49,8 +49,10 @@ static void vhost_dev_sync_region(struct vhost_dev *dev, - log = __sync_fetch_and_and(from, 0); - while ((bit = sizeof(log) > sizeof(int) ? - ffsll(log) : ffs(log))) { -+ ram_addr_t ram_addr; - bit -= 1; -- cpu_physical_memory_set_dirty(addr + bit * VHOST_LOG_PAGE); -+ ram_addr = cpu_get_physical_page_desc(addr + bit * VHOST_LOG_PAGE); -+ cpu_physical_memory_set_dirty(ram_addr); - log &= ~(0x1ull << bit); - } - addr += VHOST_LOG_CHUNK; --- -1.7.3.2.91.g446ac - diff --git a/qemu.spec b/qemu.spec index 1cb916c..86918a3 100644 --- a/qemu.spec 
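Review bot: `channel_event()` acquires the iothread lock at the top and releases it only at the very end, so any early `return` in the elided middle of the function (old lines 226–236, not part of this patch) would leave `qemu_mutex_lock_iothread()` held from a spice worker thread; worth confirming none exists, or funnelling the function through a single exit that does the `need_lock` release. The file-scope `me` is an opaque name for a value written in `qemu_spice_init()` and read from a callback on another thread; `static pthread_t iothread;` with the comment `/* thread that ran qemu_spice_init(); channel_event() locks the iothread when called from any other thread */` would make the pairing obvious. Because the variable is only assigned in `qemu_spice_init()`, a callback arriving before that call would compare against a zeroed pthread_t and take the lock regardless of caller — presumably unreachable, but a note to that effect would save the next reader the check.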
+++ b/qemu.spec
@@ -1,8 +1,8 @@
Summary: QEMU is a FAST! processor emulator
Name: qemu
Version: 0.15.1
-Release: 6%{?dist}
-# Epoch because we pushed a qemu-1.0 package
+Release: 7%{?dist}
+# Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
Epoch: 2
License: GPLv2+ and LGPLv2+ and BSD
Group: Development/Tools
@@ -89,6 +89,51 @@ Patch103: %{name}-virtio-blk_refuse_SG_IO_requests_with_scsi_off.patch # Fix fedora guest hang with virtio console (bz 837925) Patch104: %{name}-virtio-console-unconnected-pty.patch +# Patches from 0.15 stable +Patch200: 0200-ccid-Fix-buffer-overrun-in-handling-of-VSC_ATR-messa.patch +Patch201: 0201-qdev-Reset-hot-plugged-devices.patch +Patch202: 0202-e1000-use-MII-status-register-for-link-up-down.patch +Patch203: 0203-e1000-Don-t-set-the-Capabilities-List-bit.patch +Patch205: 0205-compatfd.c-Don-t-pass-NULL-pointer-to-SYS_signalfd.patch +Patch206: 0206-kvm-avoid-reentring-kvm_flush_coalesced_mmio_buffer.patch +Patch207: 0207-vmdk-vmdk_read_cid-returns-garbage-if-p_name-is-NULL.patch +Patch208: 0208-block-Fix-bdrv_open-use-after-free.patch +Patch209: 0209-ide-Fix-off-by-one-error-in-array-index-check.patch +Patch210: 0210-acl-Fix-use-after-free-in-qemu_acl_reset.patch +Patch211: 0211-migration-flush-migration-data-to-disk.patch +Patch212: 0212-Fix-X86-CPU-topology-in-KVM-mode.patch +Patch213: 0213-hw-lan9118.c-Add-missing-break-to-fix-buffer-overrun.patch +Patch214: 0214-ac97-don-t-override-the-pci-subsystem-id.patch +Patch215: 0215-vvfat-Fix-potential-buffer-overflow.patch +Patch216: 0216-vns-tls-don-t-use-depricated-gnutls-functions.patch +Patch217: 0217-block-curl-Implement-a-flush-function-on-the-fd-hand.patch +Patch218: 0218-hda-do-not-mix-output-and-input-streams-RHBZ-740493.patch +Patch219: 0219-hda-do-not-mix-output-and-input-stream-states-RHBZ-7.patch +Patch220: 0220-Teach-block-vdi-about-discarded-no-longer-allocated-.patch +Patch221: 0221-vmdk-Improve-error-handling.patch +Patch222: 0222-block-set-bs-read_only-before-.bdrv_open.patch +Patch223: 0223-console-Fix-rendering-of-VGA-underline.patch +Patch224: 0224-block-Fix-vpc-initialization-of-the-Dynamic-Disk-Hea.patch +Patch225: 0225-qcow-Fix-bdrv_write_compressed-error-handling.patch +Patch226: 0226-block-reinitialize-across-bdrv_close-bdrv_open.patch +Patch227: 
0227-qxl-stride-fixup.patch +Patch228: 0228-vmdk-Fix-possible-segfaults.patch +Patch230: 0230-cpu-common-Have-a-ram_addr_t-of-uint64-with-Xen.patch +Patch231: 0231-Error-check-find_ram_offset.patch +Patch236: 0236-block-vpc-write-checksum-back-to-footer-after-check.patch +Patch237: 0237-bt-host-add-missing-break-statement.patch +Patch238: 0238-ds1338-Add-missing-break-statement.patch +Patch239: 0239-block-vdi-Zero-unused-parts-when-allocating-a-new-bl.patch +# CVE-2012-2652: Possible symlink attacks with -snapshot (bz 825697, bz +# 824919) +Patch240: %{name}-snapshot-symlink-attack.patch +# Fix systemtap tapsets (bz 831763) +Patch241: %{name}-fix-systemtap.patch +# Fix qmp response race caused by spice server bug (bz 744015) +Patch242: %{name}-spice-server-threading.patch +# Fix text mode screendumps (bz 819155) +Patch243: %{name}-fix-text-mode-screendumps.patch + BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: SDL-devel zlib-devel which texi2html gnutls-devel cyrus-sasl-devel BuildRequires: libaio-devel @@ -122,6 +167,13 @@ Requires: %{name}-img = %{epoch}:%{version}-%{release} Obsoletes: %{name}-system-ppc Obsoletes: %{name}-system-sparc +# Needed for F14->F16+ upgrade +# https://bugzilla.redhat.com/show_bug.cgi?id=694802 +Obsoletes: openbios-common +Obsoletes: openbios-ppc +Obsoletes: openbios-sparc32 +Obsoletes: openbios-sparc64 + %define qemudocdir %{_docdir}/%{name}-%{version} %description @@ -161,9 +213,9 @@ Group: Development/Tools Requires(post): /usr/bin/getent Requires(post): /usr/sbin/groupadd Requires(post): /usr/sbin/useradd -Requires(post): /sbin/chkconfig -Requires(preun): /sbin/service /sbin/chkconfig -Requires(postun): /sbin/service +Requires(post): systemd-units +Requires(preun): systemd-units +Requires(postun): systemd-units %description common QEMU is a generic and open source processor emulator which achieves a good emulation speed by using dynamic translation. 
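Review bot: The new `Patch2xx` block skips 204, 229 and 232–235 without saying why, and the `%patch` application list in the following hunk skips the same numbers; a reader cannot tell whether those stable patches were deliberately left out or dropped by mistake. Extending the existing comment, e.g. `# Patches from 0.15 stable (gaps: [REASON-PLACEHOLDER, e.g. already applied above / not applicable])`, would record the decision where the numbering is defined.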
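Review bot: The four new `Obsoletes: openbios-*` lines carry no version bound, so once installed this package will block any future openbios build as well as the old split packages; Fedora practice is a versioned obsolete such as `Obsoletes: openbios-ppc < [LAST-OPENBIOS-EVR-PLACEHOLDER]` (one per subpackage, using the last shipped release), plus a matching `Provides:` if this package really supplies what they did. The comment cites bz 694802 but not what replaced the openbios packages; one line of reason under `# Needed for F14->F16+ upgrade` would tell a later maintainer when these lines can be dropped.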
@@ -211,9 +263,8 @@ fi Summary: QEMU user mode emulation of qemu targets Group: Development/Tools Requires: %{name}-common = %{epoch}:%{version}-%{release} -Requires(post): /sbin/chkconfig -Requires(preun): /sbin/service /sbin/chkconfig -Requires(postun): /sbin/service +Requires(post): systemd-units +Requires(postun): systemd-units %description user QEMU is a generic and open source processor emulator which achieves a good emulation speed by using dynamic translation. @@ -228,6 +279,7 @@ Provides: kvm = 85 Obsoletes: kvm < 85 Requires: vgabios >= 0.6c-2 Requires: seabios-bin >= 0.6.0-2 +Requires: sgabios-bin Requires: /usr/share/gpxe/8086100e.rom Requires: /usr/share/gpxe/rtl8029.rom Requires: /usr/share/gpxe/pcnet32.rom @@ -345,6 +397,45 @@ such as kvm_stat. %patch103 -p1 %patch104 -p1 +%patch200 -p1 +%patch201 -p1 +%patch202 -p1 +%patch203 -p1 +%patch205 -p1 +%patch206 -p1 +%patch207 -p1 +%patch208 -p1 +%patch209 -p1 +%patch210 -p1 +%patch211 -p1 +%patch212 -p1 +%patch213 -p1 +%patch214 -p1 +%patch215 -p1 +%patch216 -p1 +%patch217 -p1 +%patch218 -p1 +%patch219 -p1 +%patch220 -p1 +%patch221 -p1 +%patch222 -p1 +%patch223 -p1 +%patch224 -p1 +%patch225 -p1 +%patch226 -p1 +%patch227 -p1 +%patch228 -p1 +%patch230 -p1 +%patch231 -p1 +%patch236 -p1 +%patch237 -p1 +%patch238 -p1 +%patch239 -p1 +%patch240 -p1 +%patch241 -p1 +%patch242 -p1 +%patch243 -p1 + %build # By default we build everything, but allow x86 to build a minimal version # with only similar arch target support 
@@ -498,6 +589,7 @@ ln -s ../vgabios/VGABIOS-lgpl-latest.cirrus.bin %{buildroot}/%{_datadir}/%{name} ln -s ../vgabios/VGABIOS-lgpl-latest.qxl.bin %{buildroot}/%{_datadir}/%{name}/vgabios-qxl.bin ln -s ../vgabios/VGABIOS-lgpl-latest.stdvga.bin %{buildroot}/%{_datadir}/%{name}/vgabios-stdvga.bin ln -s ../vgabios/VGABIOS-lgpl-latest.vmware.bin %{buildroot}/%{_datadir}/%{name}/vgabios-vmware.bin +ln -s ../sgabios/sgabios.bin %{buildroot}/%{_datadir}/%{name}/sgabios.bin ln -s ../seabios/bios.bin %{buildroot}/%{_datadir}/%{name}/bios.bin mkdir -p $RPM_BUILD_ROOT%{_exec_prefix}/lib/binfmt.d 
@@ -540,41 +632,47 @@ rm -rf $RPM_BUILD_ROOT %ifarch %{ix86} x86_64 # load kvm modules now, so we can make sure no reboot is needed. # If there's already a kvm module installed, we don't mess with it -sh %{_sysconfdir}/sysconfig/modules/kvm.modules +sh %{_sysconfdir}/sysconfig/modules/kvm.modules || : %endif %post common if [ $1 -eq 1 ] ; then - getent group kvm >/dev/null || groupadd -g 36 -r kvm - getent group qemu >/dev/null || groupadd -g 107 -r qemu - getent passwd qemu >/dev/null || \ - useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \ - -c "qemu user" qemu - - /bin/systemctl enable ksm.service - /bin/systemctl enable ksmtuned.service + # Initial installation + /bin/systemctl enable ksm.service >/dev/null 2>&1 || : + /bin/systemctl enable ksmtuned.service >/dev/null 2>&1 || : fi +getent group kvm >/dev/null || groupadd -g 36 -r kvm +getent group qemu >/dev/null || groupadd -g 107 -r qemu +getent passwd qemu >/dev/null || \ + useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \ + -c "qemu user" qemu + %preun common -if [ $1 -eq 0 ]; then - /bin/systemctl --system stop ksmtuned.service &>/dev/null || : - /bin/systemctl --system stop ksm.service &>/dev/null || : - /bin/systemctl disable ksmtuned.service - /bin/systemctl disable ksm.service +if [ $1 -eq 0 ] ; then + # Package removal, not upgrade + /bin/systemctl --no-reload disable ksmtuned.service > /dev/null 2>&1 || : + /bin/systemctl --no-reload disable ksm.service > /dev/null 2>&1 || : + /bin/systemctl stop ksmtuned.service > /dev/null 2>&1 || : + /bin/systemctl stop ksm.service > /dev/null 2>&1 || : fi %postun common -if [ $1 -ge 1 ]; then - /bin/systemctl --system try-restart ksm.service &>/dev/null || : - /bin/systemctl --system try-restart ksmtuned.service &>/dev/null || : +/bin/systemctl daemon-reload >/dev/null 2>&1 || : +if [ $1 -ge 1 ] ; then + # Package upgrade, not uninstall + /bin/systemctl try-restart ksmtuned.service >/dev/null 2>&1 || : + /bin/systemctl try-restart ksm.service 
>/dev/null 2>&1 || : fi + %post user /bin/systemctl --system try-restart systemd-binfmt.service &>/dev/null || : %postun user /bin/systemctl --system try-restart systemd-binfmt.service &>/dev/null || : + %files %defattr(-,root,root) @@ -648,6 +746,7 @@ fi %{_bindir}/qemu %{_bindir}/qemu-system-x86_64 %{_datadir}/%{name}/bios.bin +%{_datadir}/%{name}/sgabios.bin %{_datadir}/%{name}/linuxboot.bin %{_datadir}/%{name}/multiboot.bin %{_datadir}/%{name}/mpc8544ds.dtb @@ -724,6 +823,18 @@ fi %{_mandir}/man1/qemu-img.1* %changelog +* Sun Jul 29 2012 Cole Robinson - 0.15.1-7 +- Pull patches from 0.15 stable +- CVE-2012-2652: Possible symlink attacks with -snapshot (bz 825697, bz + 824919) +- Fix systemtap tapsets (bz 831763) +- Fix qmp response race caused by spice server bug (bz 744015) +- Fix text mode screendumps (bz 819155) +- Don't renable ksm on update (bz 815156) +- Fix RPM install error on non-virt machines (bz 660629) +- Obsolete openbios to fix upgrade dependency issues (bz 694802) +- Fix sgabios integration (bz 791344) + * Wed Jul 18 2012 Cole Robinson - 0.15.1-6 - Fix fedora guest hang with virtio console (bz 837925) @@ -734,7 +845,7 @@ fi * Mon Jan 30 2012 Justin M. Forbes - 2:0.15.1-4 - Add vhost-net to kvm.modules - Fix USB passthrough assert on packet completion (#769625) -- + * Thu Jan 5 2012 Christophe Fergeau - 2:0.15.1-3.1 - Backport patches from qemu 1.0 to fix floppy drives (#753863) @@ -749,7 +860,7 @@ fi - Require seabios-bin >= 0.6.0-2 (#741992) - Replace init scripts with systemd units (#741920) - Update to 0.15.1 stable upstream - + * Fri Oct 21 2011 Paul Moore - Enable full relro and PIE (rhbz #738812)
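Review bot: The `getent`/`groupadd`/`useradd` block was moved out of the `if [ $1 -eq 1 ]` guard in `%post common`, so it now runs on every upgrade as well as on first install; each command is protected by `getent`, so this is safe, but the motivation (presumably repairing installs where the qemu user was never created) is not stated — `# Always ensure the kvm/qemu group and user exist, not only on first install` above `getent group kvm` would record it. The `%post user` and `%postun user` scriptlets still use the bash-only `&>/dev/null` redirection while the rewritten `common` scriptlets use `>/dev/null 2>&1`; switching them to the portable form keeps the file consistent and avoids depending on the scriptlet shell. Unlike the `systemctl` calls, `useradd` has no `|| :`, so a failure there aborts the transaction — likely intended, but worth confirming given the changelog's install-error fix (bz 660629).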