From 259393612cebb66a13501883cb4a8f394834be0b Mon Sep 17 00:00:00 2001
From: Cole Robinson
Date: Nov 16 2014 01:39:24 +0000
Subject: Update to qemu-2.2.0-rc1
---
diff --git a/0001-loader-Add-load_image_gzipped-function.patch b/0001-loader-Add-load_image_gzipped-function.patch
deleted file mode 100644
index a442e24..0000000
--- a/0001-loader-Add-load_image_gzipped-function.patch
+++ /dev/null
@@ -1,95 +0,0 @@ -From: "Richard W.M. Jones" -Date: Tue, 19 Aug 2014 18:56:28 +0100 -Subject: [PATCH] loader: Add load_image_gzipped function. -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -As the name suggests this lets you load a ROM/disk image that is -gzipped. It is uncompressed before storing it in guest memory. - -Signed-off-by: Richard W.M. Jones -Reviewed-by: Alex Bennée -Reviewed-by: Peter Crosthwaite -Reviewed-by: Alex Bennée -Message-id: 1407831259-2115-2-git-send-email-rjones@redhat.com -[PMM: removed stray space before ')'] -Signed-off-by: Peter Maydell - -(cherry picked from commit 235e74afcb85285a8e35e75f0cb6e6811267bb75) ---- - hw/core/loader.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ - include/hw/loader.h | 1 + - 2 files changed, 49 insertions(+) - -diff --git a/hw/core/loader.c b/hw/core/loader.c -index 2bf6b8f..0fde699 100644 ---- a/hw/core/loader.c -+++ b/hw/core/loader.c -@@ -577,6 +577,54 @@ int load_ramdisk(const char *filename, hwaddr addr, uint64_t max_sz) - return load_uboot_image(filename, NULL, &addr, NULL, IH_TYPE_RAMDISK); - } - -+/* This simply prevents g_malloc in the function below from allocating -+ * a huge amount of memory, by placing a limit on the maximum -+ * uncompressed image size that load_image_gzipped will read. -+ */ -+#define LOAD_IMAGE_MAX_GUNZIP_BYTES (256 << 20) -+ -+/* Load a gzip-compressed kernel. */ -+int load_image_gzipped(const char *filename, hwaddr addr, uint64_t max_sz) -+{ -+ uint8_t *compressed_data = NULL; -+ uint8_t *data = NULL; -+ gsize len; -+ ssize_t bytes; -+ int ret = -1; -+ -+ if (!g_file_get_contents(filename, (char **) &compressed_data, &len, -+ NULL)) { -+ goto out; -+ } -+ -+ /* Is it a gzip-compressed file? 
*/ -+ if (len < 2 || -+ compressed_data[0] != 0x1f || -+ compressed_data[1] != 0x8b) { -+ goto out; -+ } -+ -+ if (max_sz > LOAD_IMAGE_MAX_GUNZIP_BYTES) { -+ max_sz = LOAD_IMAGE_MAX_GUNZIP_BYTES; -+ } -+ -+ data = g_malloc(max_sz); -+ bytes = gunzip(data, max_sz, compressed_data, len); -+ if (bytes < 0) { -+ fprintf(stderr, "%s: unable to decompress gzipped kernel file\n", -+ filename); -+ goto out; -+ } -+ -+ rom_add_blob_fixed(filename, data, bytes, addr); -+ ret = bytes; -+ -+ out: -+ g_free(compressed_data); -+ g_free(data); -+ return ret; -+} -+ - /* - * Functions for reboot-persistent memory regions. - * - used for vga bios and option roms. -diff --git a/include/hw/loader.h b/include/hw/loader.h -index 796cbf9..00c9117 100644 ---- a/include/hw/loader.h -+++ b/include/hw/loader.h -@@ -15,6 +15,7 @@ int get_image_size(const char *filename); - int load_image(const char *filename, uint8_t *addr); /* deprecated */ - int load_image_targphys(const char *filename, hwaddr, - uint64_t max_sz); -+int load_image_gzipped(const char *filename, hwaddr addr, uint64_t max_sz); - - #define ELF_LOAD_FAILED -1 - #define ELF_LOAD_NOT_ELF -2 diff --git a/0002-aarch64-Allow-kernel-option-to-take-a-gzip-compresse.patch b/0002-aarch64-Allow-kernel-option-to-take-a-gzip-compresse.patch deleted file mode 100644 index 3f3f637..0000000 --- a/0002-aarch64-Allow-kernel-option-to-take-a-gzip-compresse.patch +++ /dev/null 
@@ -1,53 +0,0 @@ -From: "Richard W.M. Jones" -Date: Tue, 19 Aug 2014 18:56:28 +0100 -Subject: [PATCH] aarch64: Allow -kernel option to take a gzip-compressed - kernel. -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -On aarch64 it is the bootloader's job to uncompress the kernel. UEFI -and u-boot bootloaders do this automatically when the kernel is -gzip-compressed. - -However the qemu -kernel option does not do this. The following -command does not work: - - qemu-system-aarch64 [...] -kernel /boot/vmlinuz - -because it tries to execute the gzip-compressed data. - -This commit lets gzip-compressed kernels be uncompressed -transparently. - -Currently this is only done when emulating aarch64. - -Signed-off-by: Richard W.M. Jones -Reviewed-by: Alex Bennée -Reviewed-by: Peter Crosthwaite -Reviewed-by: Alex Bennée -Message-id: 1407831259-2115-3-git-send-email-rjones@redhat.com -Signed-off-by: Peter Maydell -(cherry picked from commit 6f5d3cbe8892367026526a7deed0ceecc700a7ad) ---- - hw/arm/boot.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/hw/arm/boot.c b/hw/arm/boot.c -index 3d1f4a2..b7d60aa 100644 ---- a/hw/arm/boot.c -+++ b/hw/arm/boot.c -@@ -510,6 +510,13 @@ void arm_load_kernel(ARMCPU *cpu, struct arm_boot_info *info) - kernel_size = load_uimage(info->kernel_filename, &entry, NULL, - &is_linux); - } -+ /* On aarch64, it's the bootloader's job to uncompress the kernel. */ -+ if (arm_feature(&cpu->env, ARM_FEATURE_AARCH64) && kernel_size < 0) { -+ entry = info->loader_start + kernel_load_offset; -+ kernel_size = load_image_gzipped(info->kernel_filename, entry, -+ info->ram_size - kernel_load_offset); -+ is_linux = 1; -+ } - if (kernel_size < 0) { - entry = info->loader_start + kernel_load_offset; - kernel_size = load_image_targphys(info->kernel_filename, entry, 
diff --git a/0003-block.curl-adding-timeout-option.patch b/0003-block.curl-adding-timeout-option.patch
deleted file mode 100644
index b003edf..0000000
--- a/0003-block.curl-adding-timeout-option.patch
+++ /dev/null
@@ -1,112 +0,0 @@ -From: Daniel Henrique Barboza -Date: Wed, 13 Aug 2014 12:44:27 -0300 -Subject: [PATCH] block.curl: adding 'timeout' option - -The curl hardcoded timeout (5 seconds) sometimes is not long -enough depending on the remote server configuration and network -traffic. The user should be able to set how much long he is -willing to wait for the connection. - -Adding a new option to set this timeout gives the user this -flexibility. The previous default timeout of 5 seconds will be -used if this option is not present. - -Reviewed-by: Fam Zheng -Signed-off-by: Daniel Henrique Barboza -Reviewed-by: Benoit Canet -Tested-by: Richard W.M. Jones -Signed-off-by: Stefan Hajnoczi -(cherry picked from commit 212aefaa53d142baa9a22f5aadd2e72eb916c0c0) ---- - block/curl.c | 13 ++++++++++++- - qemu-options.hx | 10 ++++++++-- - 2 files changed, 20 insertions(+), 3 deletions(-) - -diff --git a/block/curl.c b/block/curl.c -index 79ff2f1..6f45547 100644 ---- a/block/curl.c -+++ b/block/curl.c -@@ -63,6 +63,7 @@ static CURLMcode __curl_multi_socket_action(CURLM *multi_handle, - #define CURL_NUM_ACB 8 - #define SECTOR_SIZE 512 - #define READ_AHEAD_DEFAULT (256 * 1024) -+#define CURL_TIMEOUT_DEFAULT 5 - - #define FIND_RET_NONE 0 - #define FIND_RET_OK 1 -@@ -71,6 +72,7 @@ static CURLMcode __curl_multi_socket_action(CURLM *multi_handle, - #define CURL_BLOCK_OPT_URL "url" - #define CURL_BLOCK_OPT_READAHEAD "readahead" - #define CURL_BLOCK_OPT_SSLVERIFY "sslverify" -+#define CURL_BLOCK_OPT_TIMEOUT "timeout" - - struct BDRVCURLState; - -@@ -109,6 +111,7 @@ typedef struct BDRVCURLState { - char *url; - size_t readahead_size; - bool sslverify; -+ int timeout; - bool accept_range; - AioContext *aio_context; - } BDRVCURLState; -@@ -382,7 +385,7 @@ static CURLState *curl_init_state(BDRVCURLState *s) - curl_easy_setopt(state->curl, CURLOPT_URL, s->url); - curl_easy_setopt(state->curl, CURLOPT_SSL_VERIFYPEER, - (long) s->sslverify); -- curl_easy_setopt(state->curl, CURLOPT_TIMEOUT, 5); -+ 
curl_easy_setopt(state->curl, CURLOPT_TIMEOUT, s->timeout); - curl_easy_setopt(state->curl, CURLOPT_WRITEFUNCTION, - (void *)curl_read_cb); - curl_easy_setopt(state->curl, CURLOPT_WRITEDATA, (void *)state); -@@ -489,6 +492,11 @@ static QemuOptsList runtime_opts = { - .type = QEMU_OPT_BOOL, - .help = "Verify SSL certificate" - }, -+ { -+ .name = CURL_BLOCK_OPT_TIMEOUT, -+ .type = QEMU_OPT_NUMBER, -+ .help = "Curl timeout" -+ }, - { /* end of list */ } - }, - }; -@@ -525,6 +533,9 @@ static int curl_open(BlockDriverState *bs, QDict *options, int flags, - goto out_noclean; - } - -+ s->timeout = qemu_opt_get_number(opts, CURL_BLOCK_OPT_TIMEOUT, -+ CURL_TIMEOUT_DEFAULT); -+ - s->sslverify = qemu_opt_get_bool(opts, CURL_BLOCK_OPT_SSLVERIFY, true); - - file = qemu_opt_get(opts, CURL_BLOCK_OPT_URL); -diff --git a/qemu-options.hx b/qemu-options.hx -index 1549625..dcb008b 100644 ---- a/qemu-options.hx -+++ b/qemu-options.hx -@@ -2351,6 +2351,11 @@ multiple of 512 bytes. It defaults to 256k. - @item sslverify - Whether to verify the remote server's certificate when connecting over SSL. It - can have the value 'on' or 'off'. It defaults to 'on'. -+ -+@item timeout -+Set the timeout in seconds of the CURL connection. This timeout is the time -+that CURL waits for a response from the remote server to get the size of the -+image to be downloaded. If not set, the default timeout of 5 seconds is used. - @end table - - Note that when passing options to qemu explicitly, @option{driver} is the value -@@ -2372,9 +2377,10 @@ qemu-system-x86_64 -drive file=/tmp/Fedora-x86_64-20-20131211.1-sda.qcow2,copy-o - @end example - - Example: boot from an image stored on a VMware vSphere server with a self-signed --certificate using a local overlay for writes and a readahead of 64k -+certificate using a local overlay for writes, a readahead of 64k and a timeout -+of 10 seconds. 
- @example --qemu-img create -f qcow2 -o backing_file='json:@{"file.driver":"https",, "file.url":"https://user:password@@vsphere.example.com/folder/test/test-flat.vmdk?dcPath=Datacenter&dsName=datastore1",, "file.sslverify":"off",, "file.readahead":"64k"@}' /tmp/test.qcow2 -+qemu-img create -f qcow2 -o backing_file='json:@{"file.driver":"https",, "file.url":"https://user:password@@vsphere.example.com/folder/test/test-flat.vmdk?dcPath=Datacenter&dsName=datastore1",, "file.sslverify":"off",, "file.readahead":"64k",, "file.timeout":10@}' /tmp/test.qcow2 - - qemu-system-x86_64 -drive file=/tmp/test.qcow2 - @end example diff --git a/0004-curl-Allow-a-cookie-or-cookies-to-be-sent-with-http-.patch b/0004-curl-Allow-a-cookie-or-cookies-to-be-sent-with-http-.patch deleted file mode 100644 index e58b6e4..0000000 --- a/0004-curl-Allow-a-cookie-or-cookies-to-be-sent-with-http-.patch +++ /dev/null 
@@ -1,123 +0,0 @@ -From: "Richard W.M. Jones" -Date: Fri, 29 Aug 2014 16:03:12 +0100 -Subject: [PATCH] curl: Allow a cookie or cookies to be sent with http/https - requests. - -In order to access VMware ESX efficiently, we need to send a session -cookie. This patch is very simple and just allows you to send that -session cookie. It punts on the question of how you get the session -cookie in the first place, but in practice you can just run a `curl' -command against the server and extract the cookie that way. - -To use it, add file.cookie to the curl URL. For example: - -$ qemu-img info 'json: { - "file.driver":"https", - "file.url":"https://vcenter/folder/Windows%202003/Windows%202003-flat.vmdk?dcPath=Datacenter&dsName=datastore1", - "file.sslverify":"off", - "file.cookie":"vmware_soap_session=\"52a01262-bf93-ccce-d379-8dabb3e55560\""}' -image: [...] -file format: raw -virtual size: 8.0G (8589934592 bytes) -disk size: unavailable - -Signed-off-by: Richard W.M. Jones -Signed-off-by: Stefan Hajnoczi -(cherry picked from commit a94f83d94fdf907680f068f1be7ad13d1f697067) ---- - block/curl.c | 16 ++++++++++++++++ - qemu-options.hx | 5 +++++ - 2 files changed, 21 insertions(+) - -diff --git a/block/curl.c b/block/curl.c -index 6f45547..537e257 100644 ---- a/block/curl.c -+++ b/block/curl.c -@@ -73,6 +73,7 @@ static CURLMcode __curl_multi_socket_action(CURLM *multi_handle, - #define CURL_BLOCK_OPT_READAHEAD "readahead" - #define CURL_BLOCK_OPT_SSLVERIFY "sslverify" - #define CURL_BLOCK_OPT_TIMEOUT "timeout" -+#define CURL_BLOCK_OPT_COOKIE "cookie" - - struct BDRVCURLState; - -@@ -112,6 +113,7 @@ typedef struct BDRVCURLState { - size_t readahead_size; - bool sslverify; - int timeout; -+ char *cookie; - bool accept_range; - AioContext *aio_context; - } BDRVCURLState; -@@ -385,6 +387,9 @@ static CURLState *curl_init_state(BDRVCURLState *s) - curl_easy_setopt(state->curl, CURLOPT_URL, s->url); - curl_easy_setopt(state->curl, CURLOPT_SSL_VERIFYPEER, - (long) s->sslverify); -+ 
if (s->cookie) { -+ curl_easy_setopt(state->curl, CURLOPT_COOKIE, s->cookie); -+ } - curl_easy_setopt(state->curl, CURLOPT_TIMEOUT, s->timeout); - curl_easy_setopt(state->curl, CURLOPT_WRITEFUNCTION, - (void *)curl_read_cb); -@@ -497,6 +502,11 @@ static QemuOptsList runtime_opts = { - .type = QEMU_OPT_NUMBER, - .help = "Curl timeout" - }, -+ { -+ .name = CURL_BLOCK_OPT_COOKIE, -+ .type = QEMU_OPT_STRING, -+ .help = "Pass the cookie or list of cookies with each request" -+ }, - { /* end of list */ } - }, - }; -@@ -509,6 +519,7 @@ static int curl_open(BlockDriverState *bs, QDict *options, int flags, - QemuOpts *opts; - Error *local_err = NULL; - const char *file; -+ const char *cookie; - double d; - - static int inited = 0; -@@ -538,6 +549,9 @@ static int curl_open(BlockDriverState *bs, QDict *options, int flags, - - s->sslverify = qemu_opt_get_bool(opts, CURL_BLOCK_OPT_SSLVERIFY, true); - -+ cookie = qemu_opt_get(opts, CURL_BLOCK_OPT_COOKIE); -+ s->cookie = g_strdup(cookie); -+ - file = qemu_opt_get(opts, CURL_BLOCK_OPT_URL); - if (file == NULL) { - error_setg(errp, "curl block driver requires an 'url' option"); -@@ -593,6 +607,7 @@ out: - curl_easy_cleanup(state->curl); - state->curl = NULL; - out_noclean: -+ g_free(s->cookie); - g_free(s->url); - qemu_opts_del(opts); - return -EINVAL; -@@ -689,6 +704,7 @@ static void curl_close(BlockDriverState *bs) - DPRINTF("CURL: Close\n"); - curl_detach_aio_context(bs); - -+ g_free(s->cookie); - g_free(s->url); - } - -diff --git a/qemu-options.hx b/qemu-options.hx -index dcb008b..53b6171 100644 ---- a/qemu-options.hx -+++ b/qemu-options.hx -@@ -2352,6 +2352,11 @@ multiple of 512 bytes. It defaults to 256k. - Whether to verify the remote server's certificate when connecting over SSL. It - can have the value 'on' or 'off'. It defaults to 'on'. - -+@item cookie -+Send this cookie (it can also be a list of cookies separated by ';') with -+each outgoing request. 
Only supported when using protocols such as HTTP -+which support cookies, otherwise ignored. -+ - @item timeout - Set the timeout in seconds of the CURL connection. This timeout is the time - that CURL waits for a response from the remote server to get the size of the diff --git a/0005-curl-Don-t-deref-NULL-pointer-in-call-to-aio_poll.patch b/0005-curl-Don-t-deref-NULL-pointer-in-call-to-aio_poll.patch deleted file mode 100644 index b00a751..0000000 --- a/0005-curl-Don-t-deref-NULL-pointer-in-call-to-aio_poll.patch +++ /dev/null 
@@ -1,76 +0,0 @@ -From: "Richard W.M. Jones" -Date: Thu, 28 Aug 2014 09:04:21 +0100 -Subject: [PATCH] curl: Don't deref NULL pointer in call to aio_poll. -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -In commit 63f0f45f2e89b60ff8245fec81328ddfde42a303 the following -mechanical change was made: - - if (!state) { -- qemu_aio_wait(); -+ aio_poll(state->s->aio_context, true); - } - -The new code now checks if state is NULL and then dereferences it -('state->s') which is obviously incorrect. - -This commit replaces state->s->aio_context with -bdrv_get_aio_context(bs), fixing this problem. The two other hunks -are concerned with getting the BlockDriverState pointer bs to where it -is needed. - -The original bug causes a segfault when using libguestfs to access a -VMware vCenter Server and doing any kind of complex read-heavy -operations. With this commit the segfault goes away. - -Signed-off-by: Richard W.M. Jones -Reviewed-by: Paolo Bonzini -Reviewed-by: Benoît Canet -Signed-off-by: Stefan Hajnoczi -(cherry picked from commit a2f468e48f8b6559ec9123e94948bc373b788941) ---- - block/curl.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/block/curl.c b/block/curl.c -index 537e257..d28b701 100644 ---- a/block/curl.c -+++ b/block/curl.c -@@ -357,7 +357,7 @@ static void curl_multi_timeout_do(void *arg) - #endif - } - --static CURLState *curl_init_state(BDRVCURLState *s) -+static CURLState *curl_init_state(BlockDriverState *bs, BDRVCURLState *s) - { - CURLState *state = NULL; - int i, j; -@@ -375,7 +375,7 @@ static CURLState *curl_init_state(BDRVCURLState *s) - break; - } - if (!state) { -- aio_poll(state->s->aio_context, true); -+ aio_poll(bdrv_get_aio_context(bs), true); - } - } while(!state); - -@@ -566,7 +566,7 @@ static int curl_open(BlockDriverState *bs, QDict *options, int flags, - DPRINTF("CURL: Opening %s\n", file); - s->aio_context = bdrv_get_aio_context(bs); - s->url = g_strdup(file); -- 
state = curl_init_state(s); -+ state = curl_init_state(bs, s); - if (!state) - goto out_noclean; - -@@ -651,7 +651,7 @@ static void curl_readv_bh_cb(void *p) - } - - // No cache found, so let's start a new request -- state = curl_init_state(s); -+ state = curl_init_state(acb->common.bs, s); - if (!state) { - acb->common.cb(acb->common.opaque, -EIO); - qemu_aio_release(acb); diff --git a/0006-virtio-pci-enable-bus-master-for-old-guests.patch b/0006-virtio-pci-enable-bus-master-for-old-guests.patch deleted file mode 100644 index 24f54e8..0000000 --- a/0006-virtio-pci-enable-bus-master-for-old-guests.patch +++ /dev/null 
@@ -1,43 +0,0 @@ -From: "Michael S. Tsirkin" -Date: Thu, 11 Sep 2014 18:45:33 +0200 -Subject: [PATCH] virtio-pci: enable bus master for old guests - -commit cc943c36faa192cd4b32af8fe5edb31894017d35 - pci: Use bus master address space for delivering MSI/MSI-X messages -breaks virtio-net for rhel6.[56] x86 guests because they don't -enable bus mastering for virtio PCI devices. For the same reason, -rhel6.[56] ppc64 guests cannot boot on a virtio-blk disk anymore. - -Old guests forgot to enable bus mastering, enable it automatically on -DRIVER (guests use some devices before DRIVER_OK). - -Reported-by: Greg Kurz -Reviewed-by: Greg Kurz -Tested-by: Greg Kurz -Signed-off-by: Michael S. Tsirkin -(cherry picked from commit e43c0b2ea5574efb0bedebf6a7d05916eefeba52) ---- - hw/virtio/virtio-pci.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/hw/virtio/virtio-pci.c b/hw/virtio/virtio-pci.c -index 3007319..58ebbcf 100644 ---- a/hw/virtio/virtio-pci.c -+++ b/hw/virtio/virtio-pci.c -@@ -314,6 +314,16 @@ static void virtio_ioport_write(void *opaque, uint32_t addr, uint32_t val) - msix_unuse_all_vectors(&proxy->pci_dev); - } - -+ /* Linux before 2.6.34 drives the device without enabling -+ the PCI device bus master bit. Enable it automatically -+ for the guest. This is a PCI spec violation but so is -+ initiating DMA with bus master bit clear. */ -+ if (val == (VIRTIO_CONFIG_S_ACKNOWLEDGE | VIRTIO_CONFIG_S_DRIVER)) { -+ pci_default_write_config(&proxy->pci_dev, PCI_COMMAND, -+ proxy->pci_dev.config[PCI_COMMAND] | -+ PCI_COMMAND_MASTER, 1); -+ } -+ - /* Linux before 2.6.34 sets the device as OK without enabling - the PCI device bus master bit. In this case we need to disable - some safety checks. */ diff --git a/0007-virtio-pci-fix-migration-for-pci-bus-master.patch b/0007-virtio-pci-fix-migration-for-pci-bus-master.patch deleted file mode 100644 index 80e9c2e..0000000 --- a/0007-virtio-pci-fix-migration-for-pci-bus-master.patch +++ /dev/null 
@@ -1,116 +0,0 @@ -From: "Michael S. Tsirkin" -Date: Thu, 11 Sep 2014 18:34:29 +0300 -Subject: [PATCH] virtio-pci: fix migration for pci bus master - -Current support for bus master (clearing OK bit) -together with the need to support guests which do not -enable PCI bus mastering, leads to extra state in -VIRTIO_PCI_FLAG_BUS_MASTER_BUG bit, which isn't robust -in case of cross-version migration for the case when -guests use the device before setting DRIVER_OK. - -Rip out VIRTIO_PCI_FLAG_BUS_MASTER_BUG and implement a simpler -work-around: treat clearing of PCI_COMMAND as a virtio reset. Old -guests never touch this bit so they will work. - -As reset clears device status, DRIVER and MASTER bits are -now in sync, so we can fix up cross-version migration simply -by synchronising them, without need to detect a buggy guest -explicitly. - -Drop tracking VIRTIO_PCI_FLAG_BUS_MASTER_BUG completely. - -As reset makes the device quiescent, in the future we'll be able to drop -checking OK bit in a bunch of places. - -Cc: Jason Wang -Cc: Greg Kurz -Signed-off-by: Michael S. Tsirkin -(cherry picked from commit 4d43d3f3c8147ade184df9a1e9e82826edd39e19) ---- - hw/virtio/virtio-pci.c | 39 ++++++++++++++++++++------------------- - 1 file changed, 20 insertions(+), 19 deletions(-) - -diff --git a/hw/virtio/virtio-pci.c b/hw/virtio/virtio-pci.c -index 58ebbcf..c19c4d6 100644 ---- a/hw/virtio/virtio-pci.c -+++ b/hw/virtio/virtio-pci.c -@@ -86,9 +86,6 @@ - * 12 is historical, and due to x86 page size. */ - #define VIRTIO_PCI_QUEUE_ADDR_SHIFT 12 - --/* Flags track per-device state like workarounds for quirks in older guests. 
*/ --#define VIRTIO_PCI_FLAG_BUS_MASTER_BUG (1 << 0) -- - static void virtio_pci_bus_new(VirtioBusState *bus, size_t bus_size, - VirtIOPCIProxy *dev); - -@@ -323,14 +320,6 @@ static void virtio_ioport_write(void *opaque, uint32_t addr, uint32_t val) - proxy->pci_dev.config[PCI_COMMAND] | - PCI_COMMAND_MASTER, 1); - } -- -- /* Linux before 2.6.34 sets the device as OK without enabling -- the PCI device bus master bit. In this case we need to disable -- some safety checks. */ -- if ((val & VIRTIO_CONFIG_S_DRIVER_OK) && -- !(proxy->pci_dev.config[PCI_COMMAND] & PCI_COMMAND_MASTER)) { -- proxy->flags |= VIRTIO_PCI_FLAG_BUS_MASTER_BUG; -- } - break; - case VIRTIO_MSI_CONFIG_VECTOR: - msix_vector_unuse(&proxy->pci_dev, vdev->config_vector); -@@ -480,13 +469,18 @@ static void virtio_write_config(PCIDevice *pci_dev, uint32_t address, - VirtIOPCIProxy *proxy = DO_UPCAST(VirtIOPCIProxy, pci_dev, pci_dev); - VirtIODevice *vdev = virtio_bus_get_device(&proxy->bus); - -+ uint8_t cmd = proxy->pci_dev.config[PCI_COMMAND]; -+ - pci_default_write_config(pci_dev, address, val, len); - - if (range_covers_byte(address, len, PCI_COMMAND) && - !(pci_dev->config[PCI_COMMAND] & PCI_COMMAND_MASTER) && -- !(proxy->flags & VIRTIO_PCI_FLAG_BUS_MASTER_BUG)) { -+ (cmd & PCI_COMMAND_MASTER)) { -+ /* Bus driver disables bus mastering - make it act -+ * as a kind of reset to render the device quiescent. */ - virtio_pci_stop_ioeventfd(proxy); -- virtio_set_status(vdev, vdev->status & ~VIRTIO_CONFIG_S_DRIVER_OK); -+ virtio_reset(vdev); -+ msix_unuse_all_vectors(&proxy->pci_dev); - } - } - -@@ -895,11 +889,19 @@ static void virtio_pci_vmstate_change(DeviceState *d, bool running) - VirtIODevice *vdev = virtio_bus_get_device(&proxy->bus); - - if (running) { -- /* Try to find out if the guest has bus master disabled, but is -- in ready state. Then we have a buggy guest OS. 
*/ -- if ((vdev->status & VIRTIO_CONFIG_S_DRIVER_OK) && -- !(proxy->pci_dev.config[PCI_COMMAND] & PCI_COMMAND_MASTER)) { -- proxy->flags |= VIRTIO_PCI_FLAG_BUS_MASTER_BUG; -+ /* Linux before 2.6.34 drives the device without enabling -+ the PCI device bus master bit. Enable it automatically -+ for the guest. This is a PCI spec violation but so is -+ initiating DMA with bus master bit clear. -+ Note: this only makes a difference when migrating -+ across QEMU versions from an old QEMU, as for new QEMU -+ bus master and driver bits are always in sync. -+ TODO: consider enabling conditionally for compat machine types. */ -+ if (vdev->status & (VIRTIO_CONFIG_S_ACKNOWLEDGE | -+ VIRTIO_CONFIG_S_DRIVER)) { -+ pci_default_write_config(&proxy->pci_dev, PCI_COMMAND, -+ proxy->pci_dev.config[PCI_COMMAND] | -+ PCI_COMMAND_MASTER, 1); - } - virtio_pci_start_ioeventfd(proxy); - } else { -@@ -1043,7 +1045,6 @@ static void virtio_pci_reset(DeviceState *qdev) - virtio_pci_stop_ioeventfd(proxy); - virtio_bus_reset(bus); - msix_unuse_all_vectors(&proxy->pci_dev); -- proxy->flags &= ~VIRTIO_PCI_FLAG_BUS_MASTER_BUG; - } - - static Property virtio_pci_properties[] = { diff --git a/0008-Revert-virtio-pci-fix-migration-for-pci-bus-master.patch b/0008-Revert-virtio-pci-fix-migration-for-pci-bus-master.patch deleted file mode 100644 index 8aa58fe..0000000 --- a/0008-Revert-virtio-pci-fix-migration-for-pci-bus-master.patch +++ /dev/null 
@@ -1,97 +0,0 @@ -From: "Michael S. Tsirkin" -Date: Mon, 29 Sep 2014 11:27:32 +0300 -Subject: [PATCH] Revert "virtio-pci: fix migration for pci bus master" - -This reverts commit 4d43d3f3c8147ade184df9a1e9e82826edd39e19. - -Reported to break PPC guests. - -Signed-off-by: Michael S. Tsirkin -(cherry picked from commit 45363e46aeebfc99753389649eac7c7fc22bfe52) ---- - hw/virtio/virtio-pci.c | 39 +++++++++++++++++++-------------------- - 1 file changed, 19 insertions(+), 20 deletions(-) - -diff --git a/hw/virtio/virtio-pci.c b/hw/virtio/virtio-pci.c -index c19c4d6..58ebbcf 100644 ---- a/hw/virtio/virtio-pci.c -+++ b/hw/virtio/virtio-pci.c -@@ -86,6 +86,9 @@ - * 12 is historical, and due to x86 page size. */ - #define VIRTIO_PCI_QUEUE_ADDR_SHIFT 12 - -+/* Flags track per-device state like workarounds for quirks in older guests. */ -+#define VIRTIO_PCI_FLAG_BUS_MASTER_BUG (1 << 0) -+ - static void virtio_pci_bus_new(VirtioBusState *bus, size_t bus_size, - VirtIOPCIProxy *dev); - -@@ -320,6 +323,14 @@ static void virtio_ioport_write(void *opaque, uint32_t addr, uint32_t val) - proxy->pci_dev.config[PCI_COMMAND] | - PCI_COMMAND_MASTER, 1); - } -+ -+ /* Linux before 2.6.34 sets the device as OK without enabling -+ the PCI device bus master bit. In this case we need to disable -+ some safety checks. 
*/ -+ if ((val & VIRTIO_CONFIG_S_DRIVER_OK) && -+ !(proxy->pci_dev.config[PCI_COMMAND] & PCI_COMMAND_MASTER)) { -+ proxy->flags |= VIRTIO_PCI_FLAG_BUS_MASTER_BUG; -+ } - break; - case VIRTIO_MSI_CONFIG_VECTOR: - msix_vector_unuse(&proxy->pci_dev, vdev->config_vector); -@@ -469,18 +480,13 @@ static void virtio_write_config(PCIDevice *pci_dev, uint32_t address, - VirtIOPCIProxy *proxy = DO_UPCAST(VirtIOPCIProxy, pci_dev, pci_dev); - VirtIODevice *vdev = virtio_bus_get_device(&proxy->bus); - -- uint8_t cmd = proxy->pci_dev.config[PCI_COMMAND]; -- - pci_default_write_config(pci_dev, address, val, len); - - if (range_covers_byte(address, len, PCI_COMMAND) && - !(pci_dev->config[PCI_COMMAND] & PCI_COMMAND_MASTER) && -- (cmd & PCI_COMMAND_MASTER)) { -- /* Bus driver disables bus mastering - make it act -- * as a kind of reset to render the device quiescent. */ -+ !(proxy->flags & VIRTIO_PCI_FLAG_BUS_MASTER_BUG)) { - virtio_pci_stop_ioeventfd(proxy); -- virtio_reset(vdev); -- msix_unuse_all_vectors(&proxy->pci_dev); -+ virtio_set_status(vdev, vdev->status & ~VIRTIO_CONFIG_S_DRIVER_OK); - } - } - -@@ -889,19 +895,11 @@ static void virtio_pci_vmstate_change(DeviceState *d, bool running) - VirtIODevice *vdev = virtio_bus_get_device(&proxy->bus); - - if (running) { -- /* Linux before 2.6.34 drives the device without enabling -- the PCI device bus master bit. Enable it automatically -- for the guest. This is a PCI spec violation but so is -- initiating DMA with bus master bit clear. -- Note: this only makes a difference when migrating -- across QEMU versions from an old QEMU, as for new QEMU -- bus master and driver bits are always in sync. -- TODO: consider enabling conditionally for compat machine types. 
*/ -- if (vdev->status & (VIRTIO_CONFIG_S_ACKNOWLEDGE | -- VIRTIO_CONFIG_S_DRIVER)) { -- pci_default_write_config(&proxy->pci_dev, PCI_COMMAND, -- proxy->pci_dev.config[PCI_COMMAND] | -- PCI_COMMAND_MASTER, 1); -+ /* Try to find out if the guest has bus master disabled, but is -+ in ready state. Then we have a buggy guest OS. */ -+ if ((vdev->status & VIRTIO_CONFIG_S_DRIVER_OK) && -+ !(proxy->pci_dev.config[PCI_COMMAND] & PCI_COMMAND_MASTER)) { -+ proxy->flags |= VIRTIO_PCI_FLAG_BUS_MASTER_BUG; - } - virtio_pci_start_ioeventfd(proxy); - } else { -@@ -1045,6 +1043,7 @@ static void virtio_pci_reset(DeviceState *qdev) - virtio_pci_stop_ioeventfd(proxy); - virtio_bus_reset(bus); - msix_unuse_all_vectors(&proxy->pci_dev); -+ proxy->flags &= ~VIRTIO_PCI_FLAG_BUS_MASTER_BUG; - } - - static Property virtio_pci_properties[] = { diff --git a/0009-vnc-sanitize-bits_per_pixel-from-the-client.patch b/0009-vnc-sanitize-bits_per_pixel-from-the-client.patch deleted file mode 100644 index a6caa18..0000000 --- a/0009-vnc-sanitize-bits_per_pixel-from-the-client.patch +++ /dev/null 
@@ -1,45 +0,0 @@ -From: Petr Matousek -Date: Mon, 27 Oct 2014 12:41:44 +0100 -Subject: [PATCH] vnc: sanitize bits_per_pixel from the client - -bits_per_pixel that are less than 8 could result in accessing -non-initialized buffers later in the code due to the expectation -that bytes_per_pixel value that is used to initialize these buffers is -never zero. - -To fix this check that bits_per_pixel from the client is one of the -values that the rfb protocol specification allows. - -This is CVE-2014-7815. - -Signed-off-by: Petr Matousek - -[ kraxel: apply codestyle fix ] - -Signed-off-by: Gerd Hoffmann -(cherry picked from commit e6908bfe8e07f2b452e78e677da1b45b1c0f6829) ---- - ui/vnc.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/ui/vnc.c b/ui/vnc.c -index f8d9b7d..87e34ae 100644 ---- a/ui/vnc.c -+++ b/ui/vnc.c -@@ -2026,6 +2026,16 @@ static void set_pixel_format(VncState *vs, - return; - } - -+ switch (bits_per_pixel) { -+ case 8: -+ case 16: -+ case 32: -+ break; -+ default: -+ vnc_client_error(vs); -+ return; -+ } -+ - vs->client_pf.rmax = red_max; - vs->client_pf.rbits = hweight_long(red_max); - vs->client_pf.rshift = red_shift; diff --git a/0010-vmware-vga-CVE-2014-3689-turn-off-hw-accel.patch b/0010-vmware-vga-CVE-2014-3689-turn-off-hw-accel.patch deleted file mode 100644 index 31915be..0000000 --- a/0010-vmware-vga-CVE-2014-3689-turn-off-hw-accel.patch +++ /dev/null 
@@ -1,34 +0,0 @@ -From: Gerd Hoffmann -Date: Wed, 29 Oct 2014 12:56:06 +0100 -Subject: [PATCH] vmware-vga: CVE-2014-3689: turn off hw accel - -Quick & easy stopgap for CVE-2014-3689: We just compile out the -hardware acceleration functions which lack sanity checks. Thankfully -we have capability bits for them (SVGA_CAP_RECT_COPY and -SVGA_CAP_RECT_FILL), so guests should deal just fine, in theory. - -Subsequent patches will add the missing checks and re-enable the -hardware acceleration emulation. - -Cc: qemu-stable@nongnu.org -Signed-off-by: Gerd Hoffmann -Reviewed-by: Don Koch ---- - hw/display/vmware_vga.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c -index 591b645..4a4229b 100644 ---- a/hw/display/vmware_vga.c -+++ b/hw/display/vmware_vga.c -@@ -29,8 +29,10 @@ - #include "hw/pci/pci.h" - - #undef VERBOSE -+#if 0 - #define HW_RECT_ACCEL - #define HW_FILL_ACCEL -+#endif - #define HW_MOUSE_ACCEL - - #include "vga_int.h" diff --git a/0011-vmware-vga-add-vmsvga_verify_rect.patch b/0011-vmware-vga-add-vmsvga_verify_rect.patch deleted file mode 100644 index a48878c..0000000 --- a/0011-vmware-vga-add-vmsvga_verify_rect.patch +++ /dev/null 
@@ -1,79 +0,0 @@
-From: Gerd Hoffmann
-Date: Wed, 29 Oct 2014 12:56:07 +0100
-Subject: [PATCH] vmware-vga: add vmsvga_verify_rect
-
-Add verification function for rectangles, returning
-true if verification passes and false otherwise.
-
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Gerd Hoffmann
-Reviewed-by: Don Koch
----
- hw/display/vmware_vga.c | 53 ++++++++++++++++++++++++++++++++++++++++++++++++-
- 1 file changed, 52 insertions(+), 1 deletion(-)
-
-diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
-index 4a4229b..f0e487f 100644
---- a/hw/display/vmware_vga.c
-+++ b/hw/display/vmware_vga.c
-@@ -294,8 +294,59 @@ enum {
- SVGA_CURSOR_ON_RESTORE_TO_FB = 3,
- };
-
-+static inline bool vmsvga_verify_rect(DisplaySurface *surface,
-+ const char *name,
-+ int x, int y, int w, int h)
-+{
-+ if (x < 0) {
-+ fprintf(stderr, "%s: x was < 0 (%d)\n", name, x);
-+ return false;
-+ }
-+ if (x > SVGA_MAX_WIDTH) {
-+ fprintf(stderr, "%s: x was > %d (%d)\n", name, SVGA_MAX_WIDTH, x);
-+ return false;
-+ }
-+ if (w < 0) {
-+ fprintf(stderr, "%s: w was < 0 (%d)\n", name, w);
-+ return false;
-+ }
-+ if (w > SVGA_MAX_WIDTH) {
-+ fprintf(stderr, "%s: w was > %d (%d)\n", name, SVGA_MAX_WIDTH, w);
-+ return false;
-+ }
-+ if (x + w > surface_width(surface)) {
-+ fprintf(stderr, "%s: width was > %d (x: %d, w: %d)\n",
-+ name, surface_width(surface), x, w);
-+ return false;
-+ }
-+
-+ if (y < 0) {
-+ fprintf(stderr, "%s: y was < 0 (%d)\n", name, y);
-+ return false;
-+ }
-+ if (y > SVGA_MAX_HEIGHT) {
-+ fprintf(stderr, "%s: y was > %d (%d)\n", name, SVGA_MAX_HEIGHT, y);
-+ return false;
-+ }
-+ if (h < 0) {
-+ fprintf(stderr, "%s: h was < 0 (%d)\n", name, h);
-+ return false;
-+ }
-+ if (h > SVGA_MAX_HEIGHT) {
-+ fprintf(stderr, "%s: h was > %d (%d)\n", name, SVGA_MAX_HEIGHT, h);
-+ return false;
-+ }
-+ if (y + h > surface_height(surface)) {
-+ fprintf(stderr, "%s: update height > %d (y: %d, h: %d)\n",
-+ name, surface_height(surface), y, h);
-+ return false;
-+ }
-+
-+ return true;
-+}
-+
- static inline void vmsvga_update_rect(struct vmsvga_state_s *s,
-- int x, int y, int w, int h)
-+ int x, int y, int w, int h)
- {
- DisplaySurface *surface = qemu_console_surface(s->vga.con);
- int line;
diff --git a/0012-vmware-vga-use-vmsvga_verify_rect-in-vmsvga_update_r.patch b/0012-vmware-vga-use-vmsvga_verify_rect-in-vmsvga_update_r.patch
deleted file mode 100644
index 0605011..0000000
--- a/0012-vmware-vga-use-vmsvga_verify_rect-in-vmsvga_update_r.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-From: Gerd Hoffmann
-Date: Wed, 29 Oct 2014 12:56:08 +0100
-Subject: [PATCH] vmware-vga: use vmsvga_verify_rect in vmsvga_update_rect
-
-Switch vmsvga_update_rect over to use vmsvga_verify_rect. Slight change
-in behavior: We don't try to automatically fixup rectangles any more.
-In case we find invalid update requests we'll do a full-screen update
-instead.
-
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Gerd Hoffmann
-Reviewed-by: Don Koch
----
- hw/display/vmware_vga.c | 32 ++++----------------------------
- 1 file changed, 4 insertions(+), 28 deletions(-)
-
-diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
-index f0e487f..718746e 100644
---- a/hw/display/vmware_vga.c
-+++ b/hw/display/vmware_vga.c
-@@ -356,36 +356,12 @@ static inline void vmsvga_update_rect(struct vmsvga_state_s *s,
- uint8_t *src;
- uint8_t *dst;
-
-- if (x < 0) {
-- fprintf(stderr, "%s: update x was < 0 (%d)\n", __func__, x);
-- w += x;
-+ if (!vmsvga_verify_rect(surface, __func__, x, y, w, h)) {
-+ /* go for a fullscreen update as fallback */
- x = 0;
-- }
-- if (w < 0) {
-- fprintf(stderr, "%s: update w was < 0 (%d)\n", __func__, w);
-- w = 0;
-- }
-- if (x + w > surface_width(surface)) {
-- fprintf(stderr, "%s: update width too large x: %d, w: %d\n",
-- __func__, x, w);
-- x = MIN(x, surface_width(surface));
-- w = surface_width(surface) - x;
-- }
--
-- if (y < 0) {
-- fprintf(stderr, "%s: update y was < 0 (%d)\n", __func__, y);
-- h += y;
- y = 0;
-- }
-- if (h < 0) {
-- fprintf(stderr, "%s: update h was < 0 (%d)\n", __func__, h);
-- h = 0;
-- }
-- if (y + h > surface_height(surface)) {
-- fprintf(stderr, "%s: update height too large y: %d, h: %d\n",
-- __func__, y, h);
-- y = MIN(y, surface_height(surface));
-- h = surface_height(surface) - y;
-+ w = surface_width(surface);
-+ h = surface_height(surface);
- }
-
- bypl = surface_stride(surface);
diff --git a/0013-vmware-vga-use-vmsvga_verify_rect-in-vmsvga_copy_rec.patch b/0013-vmware-vga-use-vmsvga_verify_rect-in-vmsvga_copy_rec.patch
deleted file mode 100644
index a101aca..0000000
--- a/0013-vmware-vga-use-vmsvga_verify_rect-in-vmsvga_copy_rec.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-From: Gerd Hoffmann
-Date: Wed, 29 Oct 2014 12:56:09 +0100
-Subject: [PATCH] vmware-vga: use vmsvga_verify_rect in vmsvga_copy_rect
-
-Add verification to vmsvga_copy_rect, re-enable HW_RECT_ACCEL.
-
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Gerd Hoffmann
-Reviewed-by: Don Koch
----
- hw/display/vmware_vga.c | 20 ++++++++++++++------
- 1 file changed, 14 insertions(+), 6 deletions(-)
-
-diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
-index 718746e..c2e0a43 100644
---- a/hw/display/vmware_vga.c
-+++ b/hw/display/vmware_vga.c
-@@ -29,8 +29,8 @@
- #include "hw/pci/pci.h"
-
- #undef VERBOSE
--#if 0
- #define HW_RECT_ACCEL
-+#if 0
- #define HW_FILL_ACCEL
- #endif
- #define HW_MOUSE_ACCEL
-@@ -406,7 +406,7 @@ static inline void vmsvga_update_rect_flush(struct vmsvga_state_s *s)
- }
-
- #ifdef HW_RECT_ACCEL
--static inline void vmsvga_copy_rect(struct vmsvga_state_s *s,
-+static inline int vmsvga_copy_rect(struct vmsvga_state_s *s,
- int x0, int y0, int x1, int y1, int w, int h)
- {
- DisplaySurface *surface = qemu_console_surface(s->vga.con);
-@@ -417,6 +417,13 @@ static inline void vmsvga_copy_rect(struct vmsvga_state_s *s,
- int line = h;
- uint8_t *ptr[2];
-
-+ if (!vmsvga_verify_rect(surface, "vmsvga_copy_rect/src", x0, y0, w, h)) {
-+ return -1;
-+ }
-+ if (!vmsvga_verify_rect(surface, "vmsvga_copy_rect/dst", x1, y1, w, h)) {
-+ return -1;
-+ }
-+
- if (y1 > y0) {
- ptr[0] = vram + bypp * x0 + bypl * (y0 + h - 1);
- ptr[1] = vram + bypp * x1 + bypl * (y1 + h - 1);
-@@ -432,6 +439,7 @@ static inline void vmsvga_copy_rect(struct vmsvga_state_s *s,
- }
-
- vmsvga_update_rect_delayed(s, x1, y1, w, h);
-+ return 0;
- }
- #endif
-
-@@ -625,12 +633,12 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
- width = vmsvga_fifo_read(s);
- height = vmsvga_fifo_read(s);
- #ifdef HW_RECT_ACCEL
-- vmsvga_copy_rect(s, x, y, dx, dy, width, height);
-- break;
--#else
-+ if (vmsvga_copy_rect(s, x, y, dx, dy, width, height) == 0) {
-+ break;
-+ }
-+#endif
- args = 0;
- goto badcmd;
--#endif
-
- case SVGA_CMD_DEFINE_CURSOR:
- len -= 8;
diff --git a/0014-vmware-vga-use-vmsvga_verify_rect-in-vmsvga_fill_rec.patch b/0014-vmware-vga-use-vmsvga_verify_rect-in-vmsvga_fill_rec.patch
deleted file mode 100644
index efd5ae3..0000000
--- a/0014-vmware-vga-use-vmsvga_verify_rect-in-vmsvga_fill_rec.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-From: Gerd Hoffmann
-Date: Wed, 29 Oct 2014 12:56:10 +0100
-Subject: [PATCH] vmware-vga: use vmsvga_verify_rect in vmsvga_fill_rect
-
-Add verification to vmsvga_fill_rect, re-enable HW_FILL_ACCEL.
-
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Gerd Hoffmann
-Reviewed-by: Don Koch
----
- hw/display/vmware_vga.c | 17 ++++++++++-------
- 1 file changed, 10 insertions(+), 7 deletions(-)
-
-diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
-index c2e0a43..d44e3e8 100644
---- a/hw/display/vmware_vga.c
-+++ b/hw/display/vmware_vga.c
-@@ -30,9 +30,7 @@
-
- #undef VERBOSE
- #define HW_RECT_ACCEL
--#if 0
- #define HW_FILL_ACCEL
--#endif
- #define HW_MOUSE_ACCEL
-
- #include "vga_int.h"
-@@ -444,7 +442,7 @@ static inline int vmsvga_copy_rect(struct vmsvga_state_s *s,
- #endif
-
- #ifdef HW_FILL_ACCEL
--static inline void vmsvga_fill_rect(struct vmsvga_state_s *s,
-+static inline int vmsvga_fill_rect(struct vmsvga_state_s *s,
- uint32_t c, int x, int y, int w, int h)
- {
- DisplaySurface *surface = qemu_console_surface(s->vga.con);
-@@ -457,6 +455,10 @@ static inline void vmsvga_fill_rect(struct vmsvga_state_s *s,
- uint8_t *src;
- uint8_t col[4];
-
-+ if (!vmsvga_verify_rect(surface, __func__, x, y, w, h)) {
-+ return -1;
-+ }
-+
- col[0] = c;
- col[1] = c >> 8;
- col[2] = c >> 16;
-@@ -481,6 +483,7 @@ static inline void vmsvga_fill_rect(struct vmsvga_state_s *s,
- }
-
- vmsvga_update_rect_delayed(s, x, y, w, h);
-+ return 0;
- }
- #endif
-
-@@ -613,12 +616,12 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
- width = vmsvga_fifo_read(s);
- height = vmsvga_fifo_read(s);
- #ifdef HW_FILL_ACCEL
-- vmsvga_fill_rect(s, colour, x, y, width, height);
-- break;
--#else
-+ if (vmsvga_fill_rect(s, colour, x, y, width, height) == 0) {
-+ break;
-+ }
-+#endif
- args = 0;
- goto badcmd;
--#endif
-
- case SVGA_CMD_RECT_COPY:
- len -= 7;
diff --git a/qemu.spec b/qemu.spec
index 89d34f3..792c069 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -135,6 +135,7 @@ %global system_unicore32 system-unicore32 %global system_moxie system-moxie %global system_aarch64 system-aarch64 +%global system_tricore system-tricore %endif # libfdt is only needed to build ARM, aarch64, Microblaze or PPC emulators @@ -151,8 +152,8 @@ Summary: QEMU is a FAST! processor emulator Name: qemu -Version: 2.1.2 -Release: 6%{?dist} +Version: 2.2.0 +Release: 0.1.rc1%{?dist} Epoch: 2 License: GPLv2+ and LGPLv2+ and BSD Group: Development/Tools @@ -167,7 +168,7 @@ ExclusiveArch: %{kvm_archs} %define _smp_mflags %{nil} %endif -Source0: http://wiki.qemu-project.org/download/%{name}-%{version}.tar.bz2 +Source0: http://wiki.qemu-project.org/download/%{name}-%{version}-rc1.tar.bz2 Source1: qemu.binfmt 
@@ -192,29 +193,6 @@ Source12: bridge.conf # qemu-kvm back compat wrapper Source13: qemu-kvm.sh -# Allow aarch64 to boot compressed kernel -Patch0001: 0001-loader-Add-load_image_gzipped-function.patch -Patch0002: 0002-aarch64-Allow-kernel-option-to-take-a-gzip-compresse.patch -# Fix crash in curl driver -Patch0003: 0003-block.curl-adding-timeout-option.patch -Patch0004: 0004-curl-Allow-a-cookie-or-cookies-to-be-sent-with-http-.patch -Patch0005: 0005-curl-Don-t-deref-NULL-pointer-in-call-to-aio_poll.patch -# Fix crash on migration/snapshot (bz #1144490) -Patch0006: 0006-virtio-pci-enable-bus-master-for-old-guests.patch -Patch0007: 0007-virtio-pci-fix-migration-for-pci-bus-master.patch -# Fix PPC virtio regression (bz #1144490) -Patch0008: 0008-Revert-virtio-pci-fix-migration-for-pci-bus-master.patch -# CVE-2014-7815 vnc: insufficient bits_per_pixel from the client -# sanitization (bz #1157647, bz #1157641) -Patch0009: 0009-vnc-sanitize-bits_per_pixel-from-the-client.patch -# CVE-2014-3689 vmware_vga: insufficient parameter validation in -# rectangle functions (bz #1153038, bz #1153035) -Patch0010: 0010-vmware-vga-CVE-2014-3689-turn-off-hw-accel.patch -Patch0011: 0011-vmware-vga-add-vmsvga_verify_rect.patch -Patch0012: 0012-vmware-vga-use-vmsvga_verify_rect-in-vmsvga_update_r.patch -Patch0013: 0013-vmware-vga-use-vmsvga_verify_rect-in-vmsvga_copy_rec.patch -Patch0014: 0014-vmware-vga-use-vmsvga_verify_rect-in-vmsvga_fill_rec.patch - BuildRequires: SDL2-devel BuildRequires: zlib-devel BuildRequires: which @@ -368,6 +346,9 @@ Requires: %{name}-%{system_moxie} = %{epoch}:%{version}-%{release} %if 0%{?system_aarch64:1} Requires: %{name}-%{system_aarch64} = %{epoch}:%{version}-%{release} %endif +%if 0%{?system_tricore:1} +Requires: %{name}-%{system_tricore} = %{epoch}:%{version}-%{release} +%endif %if %{without separate_kvm} Requires: %{name}-img = %{epoch}:%{version}-%{release} %else 
@@ -700,6 +681,18 @@ emulation speed by using dynamic translation. This package provides the system emulator for AArch64. %endif +%if 0%{?system_tricore:1} +%package %{system_tricore} +Summary: QEMU system emulator for tricore +Group: Development/Tools +Requires: %{name}-common = %{epoch}:%{version}-%{release} +%description %{system_tricore} +QEMU is a generic and open source processor emulator which achieves a good +emulation speed by using dynamic translation. + +This package provides the system emulator for Tricore. +%endif + %ifarch %{kvm_archs} %package kvm-tools @@ -738,31 +731,7 @@ CAC emulation development files. %prep -%setup -q - -# Allow aarch64 to boot compressed kernel -%patch0001 -p1 -%patch0002 -p1 -# Fix crash in curl driver -%patch0003 -p1 -%patch0004 -p1 -%patch0005 -p1 -# Fix crash on migration/snapshot (bz #1144490) -%patch0006 -p1 -%patch0007 -p1 -# Fix PPC virtio regression (bz #1144490) -%patch0008 -p1 -# CVE-2014-7815 vnc: insufficient bits_per_pixel from the client -# sanitization (bz #1157647, bz #1157641) -%patch0009 -p1 -# CVE-2014-3689 vmware_vga: insufficient parameter validation in -# rectangle functions (bz #1153038, bz #1153035) -%patch0010 -p1 -%patch0011 -p1 -%patch0012 -p1 -%patch0013 -p1 -%patch0014 -p1 - +%setup -q -n qemu-2.2.0-rc1 %build %if %{with kvmonly} @@ -774,6 +743,7 @@ microblazeel-softmmu mips-softmmu mipsel-softmmu mips64-softmmu \ mips64el-softmmu or32-softmmu ppc-softmmu ppcemb-softmmu ppc64-softmmu \ s390x-softmmu sh4-softmmu sh4eb-softmmu sparc-softmmu sparc64-softmmu \ xtensa-softmmu xtensaeb-softmmu unicore32-softmmu moxie-softmmu \ +tricore-softmmu \ i386-linux-user x86_64-linux-user aarch64-linux-user alpha-linux-user \ arm-linux-user armeb-linux-user cris-linux-user m68k-linux-user \ microblaze-linux-user microblazeel-linux-user mips-linux-user \ 
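Review bot: The `%prep` hunk (`@@ -738,31 +731,7 @@`) stops applying patches 0009 through 0014, which carried the fixes for CVE-2014-7815 (vnc bits_per_pixel) and CVE-2014-3689 (vmware_vga rectangle checks), and nothing in the commit records that the 2.2.0-rc1 tarball already contains them. They are presumably dropped because upstream now carries them, but that is inferred from the rebase; the deleted vnc patch names upstream commit e6908bfe8e07f2b452e78e677da1b45b1c0f6829, which can be checked against the rc1 tag, and the vmware_vga series should be checked the same way. Once confirmed, record it in the new changelog entry, for example `- Drop CVE-2014-7815 and CVE-2014-3689 patches, included upstream in 2.2.0-rc1`, so that anyone auditing the package history can see the fixes were not lost. Separately, `%setup -q -n qemu-2.2.0-rc1` hardcodes the version; `%setup -q -n qemu-%{version}-rc1` would follow the next bump.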
@@ -1191,6 +1161,7 @@ getent passwd qemu >/dev/null || \ %{_datadir}/%{name}/qemu-icon.bmp %{_datadir}/%{name}/qemu_logo_no_text.svg %{_datadir}/%{name}/keymaps/ +%{_datadir}/%{name}/trace-events %{_mandir}/man1/qemu.1* %{_mandir}/man1/virtfs-proxy-helper.1* %{_bindir}/virtfs-proxy-helper 
@@ -1250,34 +1221,21 @@ getent passwd qemu >/dev/null || \ %{_bindir}/qemu-sparc32plus %{_bindir}/qemu-sparc64 %{_bindir}/qemu-unicore32 -%{_datadir}/systemtap/tapset/qemu-i386.stp -%{_datadir}/systemtap/tapset/qemu-x86_64.stp -%{_datadir}/systemtap/tapset/qemu-aarch64.stp -%{_datadir}/systemtap/tapset/qemu-alpha.stp -%{_datadir}/systemtap/tapset/qemu-arm.stp -%{_datadir}/systemtap/tapset/qemu-armeb.stp -%{_datadir}/systemtap/tapset/qemu-cris.stp -%{_datadir}/systemtap/tapset/qemu-m68k.stp -%{_datadir}/systemtap/tapset/qemu-microblaze.stp -%{_datadir}/systemtap/tapset/qemu-microblazeel.stp -%{_datadir}/systemtap/tapset/qemu-mips.stp -%{_datadir}/systemtap/tapset/qemu-mipsel.stp -%{_datadir}/systemtap/tapset/qemu-mips64.stp -%{_datadir}/systemtap/tapset/qemu-mips64el.stp -%{_datadir}/systemtap/tapset/qemu-mipsn32.stp -%{_datadir}/systemtap/tapset/qemu-mipsn32el.stp -%{_datadir}/systemtap/tapset/qemu-or32.stp -%{_datadir}/systemtap/tapset/qemu-ppc.stp -%{_datadir}/systemtap/tapset/qemu-ppc64.stp -%{_datadir}/systemtap/tapset/qemu-ppc64abi32.stp -%{_datadir}/systemtap/tapset/qemu-ppc64le.stp -%{_datadir}/systemtap/tapset/qemu-s390x.stp -%{_datadir}/systemtap/tapset/qemu-sh4.stp -%{_datadir}/systemtap/tapset/qemu-sh4eb.stp -%{_datadir}/systemtap/tapset/qemu-sparc.stp -%{_datadir}/systemtap/tapset/qemu-sparc32plus.stp -%{_datadir}/systemtap/tapset/qemu-sparc64.stp -%{_datadir}/systemtap/tapset/qemu-unicore32.stp +%{_datadir}/systemtap/tapset/qemu-i386*.stp +%{_datadir}/systemtap/tapset/qemu-x86_64*.stp +%{_datadir}/systemtap/tapset/qemu-aarch64*.stp +%{_datadir}/systemtap/tapset/qemu-alpha*.stp +%{_datadir}/systemtap/tapset/qemu-arm*.stp +%{_datadir}/systemtap/tapset/qemu-cris*.stp +%{_datadir}/systemtap/tapset/qemu-m68k*.stp +%{_datadir}/systemtap/tapset/qemu-microblaze*.stp +%{_datadir}/systemtap/tapset/qemu-mips*.stp +%{_datadir}/systemtap/tapset/qemu-or32*.stp +%{_datadir}/systemtap/tapset/qemu-ppc*.stp +%{_datadir}/systemtap/tapset/qemu-s390x*.stp 
+%{_datadir}/systemtap/tapset/qemu-sh4*.stp +%{_datadir}/systemtap/tapset/qemu-sparc*.stp +%{_datadir}/systemtap/tapset/qemu-unicore32*.stp %endif %if 0%{?system_x86:1} @@ -1286,8 +1244,8 @@ getent passwd qemu >/dev/null || \ %if %{without kvmonly} %{_bindir}/qemu-system-i386 %{_bindir}/qemu-system-x86_64 -%{_datadir}/systemtap/tapset/qemu-system-i386.stp -%{_datadir}/systemtap/tapset/qemu-system-x86_64.stp +%{_datadir}/systemtap/tapset/qemu-system-i386*.stp +%{_datadir}/systemtap/tapset/qemu-system-x86_64*.stp %{_mandir}/man1/qemu-system-i386.1* %{_mandir}/man1/qemu-system-x86_64.1* %endif @@ -1333,7 +1291,7 @@ getent passwd qemu >/dev/null || \ %files %{system_alpha} %defattr(-,root,root) %{_bindir}/qemu-system-alpha -%{_datadir}/systemtap/tapset/qemu-system-alpha.stp +%{_datadir}/systemtap/tapset/qemu-system-alpha*.stp %{_mandir}/man1/qemu-system-alpha.1* %{_datadir}/%{name}/palcode-clipper %endif @@ -1342,7 +1300,7 @@ getent passwd qemu >/dev/null || \ %files %{system_arm} %defattr(-,root,root) %{_bindir}/qemu-system-arm -%{_datadir}/systemtap/tapset/qemu-system-arm.stp +%{_datadir}/systemtap/tapset/qemu-system-arm*.stp %{_mandir}/man1/qemu-system-arm.1* %if %{without separate_kvm} %ifarch armv7hl @@ -1360,10 +1318,7 @@ getent passwd qemu >/dev/null || \ %{_bindir}/qemu-system-mipsel %{_bindir}/qemu-system-mips64 %{_bindir}/qemu-system-mips64el -%{_datadir}/systemtap/tapset/qemu-system-mips.stp -%{_datadir}/systemtap/tapset/qemu-system-mipsel.stp -%{_datadir}/systemtap/tapset/qemu-system-mips64el.stp -%{_datadir}/systemtap/tapset/qemu-system-mips64.stp +%{_datadir}/systemtap/tapset/qemu-system-mips*.stp %{_mandir}/man1/qemu-system-mips.1* %{_mandir}/man1/qemu-system-mipsel.1* %{_mandir}/man1/qemu-system-mips64el.1* 
@@ -1374,7 +1329,7 @@ getent passwd qemu >/dev/null || \ %files %{system_cris} %defattr(-,root,root) %{_bindir}/qemu-system-cris -%{_datadir}/systemtap/tapset/qemu-system-cris.stp +%{_datadir}/systemtap/tapset/qemu-system-cris*.stp %{_mandir}/man1/qemu-system-cris.1* %endif @@ -1382,7 +1337,7 @@ getent passwd qemu >/dev/null || \ %files %{system_lm32} %defattr(-,root,root) %{_bindir}/qemu-system-lm32 -%{_datadir}/systemtap/tapset/qemu-system-lm32.stp +%{_datadir}/systemtap/tapset/qemu-system-lm32*.stp %{_mandir}/man1/qemu-system-lm32.1* %endif @@ -1390,7 +1345,7 @@ getent passwd qemu >/dev/null || \ %files %{system_m68k} %defattr(-,root,root) %{_bindir}/qemu-system-m68k -%{_datadir}/systemtap/tapset/qemu-system-m68k.stp +%{_datadir}/systemtap/tapset/qemu-system-m68k*.stp %{_mandir}/man1/qemu-system-m68k.1* %endif @@ -1399,8 +1354,7 @@ getent passwd qemu >/dev/null || \ %defattr(-,root,root) %{_bindir}/qemu-system-microblaze %{_bindir}/qemu-system-microblazeel -%{_datadir}/systemtap/tapset/qemu-system-microblaze.stp -%{_datadir}/systemtap/tapset/qemu-system-microblazeel.stp +%{_datadir}/systemtap/tapset/qemu-system-microblaze*.stp %{_mandir}/man1/qemu-system-microblaze.1* %{_mandir}/man1/qemu-system-microblazeel.1* %{_datadir}/%{name}/petalogix*.dtb @@ -1410,7 +1364,7 @@ getent passwd qemu >/dev/null || \ %files %{system_or32} %defattr(-,root,root) %{_bindir}/qemu-system-or32 -%{_datadir}/systemtap/tapset/qemu-system-or32.stp +%{_datadir}/systemtap/tapset/qemu-system-or32*.stp %{_mandir}/man1/qemu-system-or32.1* %endif @@ -1418,7 +1372,7 @@ getent passwd qemu >/dev/null || \ %files %{system_s390x} %defattr(-,root,root) %{_bindir}/qemu-system-s390x -%{_datadir}/systemtap/tapset/qemu-system-s390x.stp +%{_datadir}/systemtap/tapset/qemu-system-s390x*.stp %{_mandir}/man1/qemu-system-s390x.1* %{_datadir}/%{name}/s390-zipl.rom %{_datadir}/%{name}/s390-ccw.img 
@@ -1433,8 +1387,7 @@ getent passwd qemu >/dev/null || \ %defattr(-,root,root) %{_bindir}/qemu-system-sh4 %{_bindir}/qemu-system-sh4eb -%{_datadir}/systemtap/tapset/qemu-system-sh4.stp -%{_datadir}/systemtap/tapset/qemu-system-sh4eb.stp +%{_datadir}/systemtap/tapset/qemu-system-sh4*.stp %{_mandir}/man1/qemu-system-sh4.1* %{_mandir}/man1/qemu-system-sh4eb.1* %endif @@ -1444,8 +1397,7 @@ getent passwd qemu >/dev/null || \ %defattr(-,root,root) %{_bindir}/qemu-system-sparc %{_bindir}/qemu-system-sparc64 -%{_datadir}/systemtap/tapset/qemu-system-sparc.stp -%{_datadir}/systemtap/tapset/qemu-system-sparc64.stp +%{_datadir}/systemtap/tapset/qemu-system-sparc*.stp %{_mandir}/man1/qemu-system-sparc.1* %{_mandir}/man1/qemu-system-sparc64.1* %{_datadir}/%{name}/QEMU,tcx.bin @@ -1459,9 +1411,9 @@ getent passwd qemu >/dev/null || \ %{_bindir}/qemu-system-ppc %{_bindir}/qemu-system-ppc64 %{_bindir}/qemu-system-ppcemb -%{_datadir}/systemtap/tapset/qemu-system-ppc.stp -%{_datadir}/systemtap/tapset/qemu-system-ppc64.stp -%{_datadir}/systemtap/tapset/qemu-system-ppcemb.stp +%{_datadir}/systemtap/tapset/qemu-system-ppc*.stp +%{_datadir}/systemtap/tapset/qemu-system-ppc64*.stp +%{_datadir}/systemtap/tapset/qemu-system-ppcemb*.stp %{_mandir}/man1/qemu-system-ppc.1* %{_mandir}/man1/qemu-system-ppc64.1* %{_mandir}/man1/qemu-system-ppcemb.1* @@ -1480,7 +1432,7 @@ getent passwd qemu >/dev/null || \ %files %{system_unicore32} %defattr(-,root,root) %{_bindir}/qemu-system-unicore32 -%{_datadir}/systemtap/tapset/qemu-system-unicore32.stp +%{_datadir}/systemtap/tapset/qemu-system-unicore32*.stp %{_mandir}/man1/qemu-system-unicore32.1* %endif 
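Review bot: In the ppc file list (`@@ -1459,9 +1411,9 @@`) the new `qemu-system-ppc*.stp` glob already matches the ppc64 and ppcemb tapsets, so the following `qemu-system-ppc64*.stp` and `qemu-system-ppcemb*.stp` entries list the same files a second time, and rpmbuild will likely warn about files listed twice. Keep only `%{_datadir}/systemtap/tapset/qemu-system-ppc*.stp`, which is how the mips, sh4 and sparc hunks in this commit collapse their variants into one glob. The enclosing `%files` section starts and ends outside the hunk.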
@@ -1489,8 +1441,7 @@ getent passwd qemu >/dev/null || \ %defattr(-,root,root) %{_bindir}/qemu-system-xtensa %{_bindir}/qemu-system-xtensaeb -%{_datadir}/systemtap/tapset/qemu-system-xtensa.stp -%{_datadir}/systemtap/tapset/qemu-system-xtensaeb.stp +%{_datadir}/systemtap/tapset/qemu-system-xtensa*.stp %{_mandir}/man1/qemu-system-xtensa.1* %{_mandir}/man1/qemu-system-xtensaeb.1* %endif @@ -1499,7 +1450,7 @@ getent passwd qemu >/dev/null || \ %files %{system_moxie} %defattr(-,root,root) %{_bindir}/qemu-system-moxie -%{_datadir}/systemtap/tapset/qemu-system-moxie.stp +%{_datadir}/systemtap/tapset/qemu-system-moxie*.stp %{_mandir}/man1/qemu-system-moxie.1* %endif @@ -1507,7 +1458,7 @@ getent passwd qemu >/dev/null || \ %files %{system_aarch64} %defattr(-,root,root) %{_bindir}/qemu-system-aarch64 -%{_datadir}/systemtap/tapset/qemu-system-aarch64.stp +%{_datadir}/systemtap/tapset/qemu-system-aarch64*.stp %{_mandir}/man1/qemu-system-aarch64.1* %ifarch aarch64 %{?kvm_files:} @@ -1515,6 +1466,14 @@ getent passwd qemu >/dev/null || \ %endif %endif +%if 0%{?system_tricore:1} +%files %{system_tricore} +%defattr(-,root,root) +%{_bindir}/qemu-system-tricore +%{_datadir}/systemtap/tapset/qemu-system-tricore*.stp +%{_mandir}/man1/qemu-system-tricore.1* +%endif + %if %{without separate_kvm} %files img %defattr(-,root,root) @@ -1541,6 +1500,9 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Sat Nov 15 2014 Cole Robinson - 2:2.2.0-0.1.rc1 +- Update to qemu-2.2.0-rc1 + * Wed Oct 29 2014 Cole Robinson - 2:2.1.2-6 - CVE-2014-7815 vnc: insufficient bits_per_pixel from the client sanitization (bz #1157647, bz #1157641) diff --git a/sources b/sources index 33b62c2..eff7bc0 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -0ff197c4ed4b695620bc4734e77c888f qemu-2.1.2.tar.bz2 +2da53c1c44ee769f9827f68e2412c9c5 qemu-2.2.0-rc1.tar.bz2