From 46f3a5c2766eeb5f78d4539b12fc327e852d7cb7 Mon Sep 17 00:00:00 2001 From: Cole Robinson Date: Sep 26 2014 14:26:35 +0000 Subject: Rebased to version 2.1.2 CVE-2014-3640 qemu: slirp: NULL pointer (bz #1144821, bz #1144818) --- diff --git a/0001-loader-Add-load_image_gzipped-function.patch b/0001-loader-Add-load_image_gzipped-function.patch index 4358d91..a08a9cb 100644 --- a/0001-loader-Add-load_image_gzipped-function.patch +++ b/0001-loader-Add-load_image_gzipped-function.patch @@ -1,4 +1,4 @@ -From 031f135c71ab705914f378d19067d1f1f25e744f Mon Sep 17 00:00:00 2001 +From 6665e04d68d58a93d75a51a0840534f3a0ad2402 Mon Sep 17 00:00:00 2001 From: "Richard W.M. Jones" Date: Tue, 19 Aug 2014 18:56:28 +0100 Subject: [PATCH] loader: Add load_image_gzipped function. diff --git a/0002-aarch64-Allow-kernel-option-to-take-a-gzip-compresse.patch b/0002-aarch64-Allow-kernel-option-to-take-a-gzip-compresse.patch index 1702946..fbb3e38 100644 --- a/0002-aarch64-Allow-kernel-option-to-take-a-gzip-compresse.patch +++ b/0002-aarch64-Allow-kernel-option-to-take-a-gzip-compresse.patch @@ -1,4 +1,4 @@ -From 0f688b169496a2f85fe092eae3f385511946bf3f Mon Sep 17 00:00:00 2001 +From f06e2812a6813c8c93fee50bd8beb5ae5d8cb871 Mon Sep 17 00:00:00 2001 From: "Richard W.M. Jones" Date: Tue, 19 Aug 2014 18:56:28 +0100 Subject: [PATCH] aarch64: Allow -kernel option to take a gzip-compressed diff --git a/0003-block.curl-adding-timeout-option.patch b/0003-block.curl-adding-timeout-option.patch index 1cfbc69..82b144e 100644 --- a/0003-block.curl-adding-timeout-option.patch +++ b/0003-block.curl-adding-timeout-option.patch @@ -1,4 +1,4 @@ -From 04ca8ab4dfca981ab0f1f6744286e8a84e0fccca Mon Sep 17 00:00:00 2001 +From 5331434dbb2a1959a8a8d153fd4553ae434cc464 Mon Sep 17 00:00:00 2001 From: Daniel Henrique Barboza Date: Wed, 13 Aug 2014 12:44:27 -0300 Subject: [PATCH] block.curl: adding 'timeout' option diff --git a/0004-curl-Allow-a-cookie-or-cookies-to-be-sent-with-http-.patch b/0004-curl-Allow-a-cookie-or-cookies-to-be-sent-with-http-.patch index 345b94d..9cf999a 100644 --- a/0004-curl-Allow-a-cookie-or-cookies-to-be-sent-with-http-.patch +++ b/0004-curl-Allow-a-cookie-or-cookies-to-be-sent-with-http-.patch @@ -1,4 +1,4 @@ -From dde3e0ef0b9f2ffd68b6bd348ccb46d8fb35f84c Mon Sep 17 00:00:00 2001 +From 4b3a1a47188c5df308d51048a8a0de630c45d12c Mon Sep 17 00:00:00 2001 From: "Richard W.M. Jones" Date: Fri, 29 Aug 2014 16:03:12 +0100 Subject: [PATCH] curl: Allow a cookie or cookies to be sent with http/https diff --git a/0005-curl-Don-t-deref-NULL-pointer-in-call-to-aio_poll.patch b/0005-curl-Don-t-deref-NULL-pointer-in-call-to-aio_poll.patch index 594dc3f..ded64ae 100644 --- a/0005-curl-Don-t-deref-NULL-pointer-in-call-to-aio_poll.patch +++ b/0005-curl-Don-t-deref-NULL-pointer-in-call-to-aio_poll.patch @@ -1,4 +1,4 @@ -From 1ea3e3a38b5bdb144a7206654c51f8f4768077f3 Mon Sep 17 00:00:00 2001 +From a1fd2da51b26f549d63000d3a81fbb70d7c40f4e Mon Sep 17 00:00:00 2001 From: "Richard W.M. Jones" Date: Thu, 28 Aug 2014 09:04:21 +0100 Subject: [PATCH] curl: Don't deref NULL pointer in call to aio_poll. diff --git a/0006-virtio-net-drop-assert-on-vm-stop.patch b/0006-virtio-net-drop-assert-on-vm-stop.patch deleted file mode 100644 index 920bc13..0000000 --- a/0006-virtio-net-drop-assert-on-vm-stop.patch +++ /dev/null @@ -1,30 +0,0 @@ -From b6bb785977e725e1a0f3ed203f5ffe3def56e03f Mon Sep 17 00:00:00 2001 -From: "Michael S. Tsirkin" -Date: Thu, 11 Sep 2014 18:32:51 +0300 -Subject: [PATCH] virtio-net: drop assert on vm stop - -On vm stop, vm_running state set to stopped -before device is notified, so callbacks can get envoked with -vm_running = false; and this is not an error. - -Cc: qemu-stable@nongnu.org -Acked-by: Jason Wang -Signed-off-by: Michael S. Tsirkin -(cherry picked from commit 131c5221fe25a9547c4a388a3d26ff7fd14843e5) ---- - hw/net/virtio-net.c | 2 -- - 1 file changed, 2 deletions(-) - -diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c -index 826a2a5..2040eac 100644 ---- a/hw/net/virtio-net.c -+++ b/hw/net/virtio-net.c -@@ -1125,8 +1125,6 @@ static int32_t virtio_net_flush_tx(VirtIONetQueue *q) - return num_packets; - } - -- assert(vdev->vm_running); -- - if (q->async_tx.elem.out_num) { - virtio_queue_set_notification(q->tx_vq, 0); - return num_packets; diff --git a/0006-virtio-pci-enable-bus-master-for-old-guests.patch b/0006-virtio-pci-enable-bus-master-for-old-guests.patch new file mode 100644 index 0000000..9a203f8 --- /dev/null +++ b/0006-virtio-pci-enable-bus-master-for-old-guests.patch @@ -0,0 +1,44 @@ +From a9862ff2c205aa289b62abcb7ddd03c7630f5c7a Mon Sep 17 00:00:00 2001 +From: "Michael S. Tsirkin" +Date: Thu, 11 Sep 2014 18:45:33 +0200 +Subject: [PATCH] virtio-pci: enable bus master for old guests + +commit cc943c36faa192cd4b32af8fe5edb31894017d35 + pci: Use bus master address space for delivering MSI/MSI-X messages +breaks virtio-net for rhel6.[56] x86 guests because they don't +enable bus mastering for virtio PCI devices. For the same reason, +rhel6.[56] ppc64 guests cannot boot on a virtio-blk disk anymore. + +Old guests forgot to enable bus mastering, enable it automatically on +DRIVER (guests use some devices before DRIVER_OK). + +Reported-by: Greg Kurz +Reviewed-by: Greg Kurz +Tested-by: Greg Kurz +Signed-off-by: Michael S. Tsirkin +(cherry picked from commit e43c0b2ea5574efb0bedebf6a7d05916eefeba52) +--- + hw/virtio/virtio-pci.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/hw/virtio/virtio-pci.c b/hw/virtio/virtio-pci.c +index 3007319..58ebbcf 100644 +--- a/hw/virtio/virtio-pci.c ++++ b/hw/virtio/virtio-pci.c +@@ -314,6 +314,16 @@ static void virtio_ioport_write(void *opaque, uint32_t addr, uint32_t val) + msix_unuse_all_vectors(&proxy->pci_dev); + } + ++ /* Linux before 2.6.34 drives the device without enabling ++ the PCI device bus master bit. Enable it automatically ++ for the guest. This is a PCI spec violation but so is ++ initiating DMA with bus master bit clear. */ ++ if (val == (VIRTIO_CONFIG_S_ACKNOWLEDGE | VIRTIO_CONFIG_S_DRIVER)) { ++ pci_default_write_config(&proxy->pci_dev, PCI_COMMAND, ++ proxy->pci_dev.config[PCI_COMMAND] | ++ PCI_COMMAND_MASTER, 1); ++ } ++ + /* Linux before 2.6.34 sets the device as OK without enabling + the PCI device bus master bit. In this case we need to disable + some safety checks. */ diff --git a/0007-Revert-virtio-don-t-call-device-on-vm_running.patch b/0007-Revert-virtio-don-t-call-device-on-vm_running.patch deleted file mode 100644 index 1d60661..0000000 --- a/0007-Revert-virtio-don-t-call-device-on-vm_running.patch +++ /dev/null @@ -1,53 +0,0 @@ -From 6b448e66c6e2e993b2c5666cbc0747e6405e80fa Mon Sep 17 00:00:00 2001 -From: "Michael S. Tsirkin" -Date: Thu, 11 Sep 2014 18:42:02 +0300 -Subject: [PATCH] Revert "virtio: don't call device on !vm_running" - -This reverts commit a1bc7b827e422e1ff065640d8ec5347c4aadfcd8. - virtio: don't call device on !vm_running -It turns out that virtio net assumes that vm_running -is updated before device status callback in many places, -so this change leads to asserts. -Previous commit fixes the root issue that motivated -a1bc7b827e422e1ff065640d8ec5347c4aadfcd8 differently, -so there's no longer a need for this change. - -In the future, we might be able to drop checking vm_running -completely, and check vm state directly. - -Reported-by: Dietmar Maurer -Cc: qemu-stable@nongnu.org -Acked-by: Jason Wang -Signed-off-by: Michael S. Tsirkin -(cherry picked from commit 9e8e8c48653471fa5fed447e388fdef57d4f6998) ---- - hw/virtio/virtio.c | 9 +-------- - 1 file changed, 1 insertion(+), 8 deletions(-) - -diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c -index ac22238..5c98180 100644 ---- a/hw/virtio/virtio.c -+++ b/hw/virtio/virtio.c -@@ -1108,10 +1108,7 @@ static void virtio_vmstate_change(void *opaque, int running, RunState state) - BusState *qbus = qdev_get_parent_bus(DEVICE(vdev)); - VirtioBusClass *k = VIRTIO_BUS_GET_CLASS(qbus); - bool backend_run = running && (vdev->status & VIRTIO_CONFIG_S_DRIVER_OK); -- -- if (running) { -- vdev->vm_running = running; -- } -+ vdev->vm_running = running; - - if (backend_run) { - virtio_set_status(vdev, vdev->status); -@@ -1124,10 +1121,6 @@ static void virtio_vmstate_change(void *opaque, int running, RunState state) - if (!backend_run) { - virtio_set_status(vdev, vdev->status); - } -- -- if (!running) { -- vdev->vm_running = running; -- } - } - - void virtio_init(VirtIODevice *vdev, const char *name, diff --git a/0007-virtio-pci-fix-migration-for-pci-bus-master.patch b/0007-virtio-pci-fix-migration-for-pci-bus-master.patch new file mode 100644 index 0000000..5d37121 --- /dev/null +++ b/0007-virtio-pci-fix-migration-for-pci-bus-master.patch @@ -0,0 +1,117 @@ +From 2c8d6826ebaf1bf846edd213f8fe8f95c0c300cb Mon Sep 17 00:00:00 2001 +From: "Michael S. Tsirkin" +Date: Thu, 11 Sep 2014 18:34:29 +0300 +Subject: [PATCH] virtio-pci: fix migration for pci bus master + +Current support for bus master (clearing OK bit) +together with the need to support guests which do not +enable PCI bus mastering, leads to extra state in +VIRTIO_PCI_FLAG_BUS_MASTER_BUG bit, which isn't robust +in case of cross-version migration for the case when +guests use the device before setting DRIVER_OK. + +Rip out VIRTIO_PCI_FLAG_BUS_MASTER_BUG and implement a simpler +work-around: treat clearing of PCI_COMMAND as a virtio reset. Old +guests never touch this bit so they will work. + +As reset clears device status, DRIVER and MASTER bits are +now in sync, so we can fix up cross-version migration simply +by synchronising them, without need to detect a buggy guest +explicitly. + +Drop tracking VIRTIO_PCI_FLAG_BUS_MASTER_BUG completely. + +As reset makes the device quiescent, in the future we'll be able to drop +checking OK bit in a bunch of places. + +Cc: Jason Wang +Cc: Greg Kurz +Signed-off-by: Michael S. Tsirkin +(cherry picked from commit 4d43d3f3c8147ade184df9a1e9e82826edd39e19) +--- + hw/virtio/virtio-pci.c | 39 ++++++++++++++++++++------------------- + 1 file changed, 20 insertions(+), 19 deletions(-) + +diff --git a/hw/virtio/virtio-pci.c b/hw/virtio/virtio-pci.c +index 58ebbcf..c19c4d6 100644 +--- a/hw/virtio/virtio-pci.c ++++ b/hw/virtio/virtio-pci.c +@@ -86,9 +86,6 @@ + * 12 is historical, and due to x86 page size. */ + #define VIRTIO_PCI_QUEUE_ADDR_SHIFT 12 + +-/* Flags track per-device state like workarounds for quirks in older guests. */ +-#define VIRTIO_PCI_FLAG_BUS_MASTER_BUG (1 << 0) +- + static void virtio_pci_bus_new(VirtioBusState *bus, size_t bus_size, + VirtIOPCIProxy *dev); + +@@ -323,14 +320,6 @@ static void virtio_ioport_write(void *opaque, uint32_t addr, uint32_t val) + proxy->pci_dev.config[PCI_COMMAND] | + PCI_COMMAND_MASTER, 1); + } +- +- /* Linux before 2.6.34 sets the device as OK without enabling +- the PCI device bus master bit. In this case we need to disable +- some safety checks. */ +- if ((val & VIRTIO_CONFIG_S_DRIVER_OK) && +- !(proxy->pci_dev.config[PCI_COMMAND] & PCI_COMMAND_MASTER)) { +- proxy->flags |= VIRTIO_PCI_FLAG_BUS_MASTER_BUG; +- } + break; + case VIRTIO_MSI_CONFIG_VECTOR: + msix_vector_unuse(&proxy->pci_dev, vdev->config_vector); +@@ -480,13 +469,18 @@ static void virtio_write_config(PCIDevice *pci_dev, uint32_t address, + VirtIOPCIProxy *proxy = DO_UPCAST(VirtIOPCIProxy, pci_dev, pci_dev); + VirtIODevice *vdev = virtio_bus_get_device(&proxy->bus); + ++ uint8_t cmd = proxy->pci_dev.config[PCI_COMMAND]; ++ + pci_default_write_config(pci_dev, address, val, len); + + if (range_covers_byte(address, len, PCI_COMMAND) && + !(pci_dev->config[PCI_COMMAND] & PCI_COMMAND_MASTER) && +- !(proxy->flags & VIRTIO_PCI_FLAG_BUS_MASTER_BUG)) { ++ (cmd & PCI_COMMAND_MASTER)) { ++ /* Bus driver disables bus mastering - make it act ++ * as a kind of reset to render the device quiescent. */ + virtio_pci_stop_ioeventfd(proxy); +- virtio_set_status(vdev, vdev->status & ~VIRTIO_CONFIG_S_DRIVER_OK); ++ virtio_reset(vdev); ++ msix_unuse_all_vectors(&proxy->pci_dev); + } + } + +@@ -895,11 +889,19 @@ static void virtio_pci_vmstate_change(DeviceState *d, bool running) + VirtIODevice *vdev = virtio_bus_get_device(&proxy->bus); + + if (running) { +- /* Try to find out if the guest has bus master disabled, but is +- in ready state. Then we have a buggy guest OS. */ +- if ((vdev->status & VIRTIO_CONFIG_S_DRIVER_OK) && +- !(proxy->pci_dev.config[PCI_COMMAND] & PCI_COMMAND_MASTER)) { +- proxy->flags |= VIRTIO_PCI_FLAG_BUS_MASTER_BUG; ++ /* Linux before 2.6.34 drives the device without enabling ++ the PCI device bus master bit. Enable it automatically ++ for the guest. This is a PCI spec violation but so is ++ initiating DMA with bus master bit clear. ++ Note: this only makes a difference when migrating ++ across QEMU versions from an old QEMU, as for new QEMU ++ bus master and driver bits are always in sync. ++ TODO: consider enabling conditionally for compat machine types. */ ++ if (vdev->status & (VIRTIO_CONFIG_S_ACKNOWLEDGE | ++ VIRTIO_CONFIG_S_DRIVER)) { ++ pci_default_write_config(&proxy->pci_dev, PCI_COMMAND, ++ proxy->pci_dev.config[PCI_COMMAND] | ++ PCI_COMMAND_MASTER, 1); + } + virtio_pci_start_ioeventfd(proxy); + } else { +@@ -1043,7 +1045,6 @@ static void virtio_pci_reset(DeviceState *qdev) + virtio_pci_stop_ioeventfd(proxy); + virtio_bus_reset(bus); + msix_unuse_all_vectors(&proxy->pci_dev); +- proxy->flags &= ~VIRTIO_PCI_FLAG_BUS_MASTER_BUG; + } + + static Property virtio_pci_properties[] = { diff --git a/0008-virtio-pci-enable-bus-master-for-old-guests.patch b/0008-virtio-pci-enable-bus-master-for-old-guests.patch deleted file mode 100644 index 5c163ab..0000000 --- a/0008-virtio-pci-enable-bus-master-for-old-guests.patch +++ /dev/null @@ -1,44 +0,0 @@ -From b8ecf2e833811f9fce6bcf3a87ca52fb490e2f13 Mon Sep 17 00:00:00 2001 -From: "Michael S. Tsirkin" -Date: Thu, 11 Sep 2014 18:45:33 +0200 -Subject: [PATCH] virtio-pci: enable bus master for old guests - -commit cc943c36faa192cd4b32af8fe5edb31894017d35 - pci: Use bus master address space for delivering MSI/MSI-X messages -breaks virtio-net for rhel6.[56] x86 guests because they don't -enable bus mastering for virtio PCI devices. For the same reason, -rhel6.[56] ppc64 guests cannot boot on a virtio-blk disk anymore. - -Old guests forgot to enable bus mastering, enable it automatically on -DRIVER (guests use some devices before DRIVER_OK). - -Reported-by: Greg Kurz -Reviewed-by: Greg Kurz -Tested-by: Greg Kurz -Signed-off-by: Michael S. Tsirkin -(cherry picked from commit e43c0b2ea5574efb0bedebf6a7d05916eefeba52) ---- - hw/virtio/virtio-pci.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/hw/virtio/virtio-pci.c b/hw/virtio/virtio-pci.c -index 3007319..58ebbcf 100644 ---- a/hw/virtio/virtio-pci.c -+++ b/hw/virtio/virtio-pci.c -@@ -314,6 +314,16 @@ static void virtio_ioport_write(void *opaque, uint32_t addr, uint32_t val) - msix_unuse_all_vectors(&proxy->pci_dev); - } - -+ /* Linux before 2.6.34 drives the device without enabling -+ the PCI device bus master bit. Enable it automatically -+ for the guest. This is a PCI spec violation but so is -+ initiating DMA with bus master bit clear. */ -+ if (val == (VIRTIO_CONFIG_S_ACKNOWLEDGE | VIRTIO_CONFIG_S_DRIVER)) { -+ pci_default_write_config(&proxy->pci_dev, PCI_COMMAND, -+ proxy->pci_dev.config[PCI_COMMAND] | -+ PCI_COMMAND_MASTER, 1); -+ } -+ - /* Linux before 2.6.34 sets the device as OK without enabling - the PCI device bus master bit. In this case we need to disable - some safety checks. */ diff --git a/0009-virtio-pci-fix-migration-for-pci-bus-master.patch b/0009-virtio-pci-fix-migration-for-pci-bus-master.patch deleted file mode 100644 index 5784067..0000000 --- a/0009-virtio-pci-fix-migration-for-pci-bus-master.patch +++ /dev/null @@ -1,117 +0,0 @@ -From 53db3d7b0836c13268f141bb46653a7898011d1e Mon Sep 17 00:00:00 2001 -From: "Michael S. Tsirkin" -Date: Thu, 11 Sep 2014 18:34:29 +0300 -Subject: [PATCH] virtio-pci: fix migration for pci bus master - -Current support for bus master (clearing OK bit) -together with the need to support guests which do not -enable PCI bus mastering, leads to extra state in -VIRTIO_PCI_FLAG_BUS_MASTER_BUG bit, which isn't robust -in case of cross-version migration for the case when -guests use the device before setting DRIVER_OK. - -Rip out VIRTIO_PCI_FLAG_BUS_MASTER_BUG and implement a simpler -work-around: treat clearing of PCI_COMMAND as a virtio reset. Old -guests never touch this bit so they will work. - -As reset clears device status, DRIVER and MASTER bits are -now in sync, so we can fix up cross-version migration simply -by synchronising them, without need to detect a buggy guest -explicitly. - -Drop tracking VIRTIO_PCI_FLAG_BUS_MASTER_BUG completely. - -As reset makes the device quiescent, in the future we'll be able to drop -checking OK bit in a bunch of places. - -Cc: Jason Wang -Cc: Greg Kurz -Signed-off-by: Michael S. Tsirkin -(cherry picked from commit 4d43d3f3c8147ade184df9a1e9e82826edd39e19) ---- - hw/virtio/virtio-pci.c | 39 ++++++++++++++++++++------------------- - 1 file changed, 20 insertions(+), 19 deletions(-) - -diff --git a/hw/virtio/virtio-pci.c b/hw/virtio/virtio-pci.c -index 58ebbcf..c19c4d6 100644 ---- a/hw/virtio/virtio-pci.c -+++ b/hw/virtio/virtio-pci.c -@@ -86,9 +86,6 @@ - * 12 is historical, and due to x86 page size. */ - #define VIRTIO_PCI_QUEUE_ADDR_SHIFT 12 - --/* Flags track per-device state like workarounds for quirks in older guests. */ --#define VIRTIO_PCI_FLAG_BUS_MASTER_BUG (1 << 0) -- - static void virtio_pci_bus_new(VirtioBusState *bus, size_t bus_size, - VirtIOPCIProxy *dev); - -@@ -323,14 +320,6 @@ static void virtio_ioport_write(void *opaque, uint32_t addr, uint32_t val) - proxy->pci_dev.config[PCI_COMMAND] | - PCI_COMMAND_MASTER, 1); - } -- -- /* Linux before 2.6.34 sets the device as OK without enabling -- the PCI device bus master bit. In this case we need to disable -- some safety checks. */ -- if ((val & VIRTIO_CONFIG_S_DRIVER_OK) && -- !(proxy->pci_dev.config[PCI_COMMAND] & PCI_COMMAND_MASTER)) { -- proxy->flags |= VIRTIO_PCI_FLAG_BUS_MASTER_BUG; -- } - break; - case VIRTIO_MSI_CONFIG_VECTOR: - msix_vector_unuse(&proxy->pci_dev, vdev->config_vector); -@@ -480,13 +469,18 @@ static void virtio_write_config(PCIDevice *pci_dev, uint32_t address, - VirtIOPCIProxy *proxy = DO_UPCAST(VirtIOPCIProxy, pci_dev, pci_dev); - VirtIODevice *vdev = virtio_bus_get_device(&proxy->bus); - -+ uint8_t cmd = proxy->pci_dev.config[PCI_COMMAND]; -+ - pci_default_write_config(pci_dev, address, val, len); - - if (range_covers_byte(address, len, PCI_COMMAND) && - !(pci_dev->config[PCI_COMMAND] & PCI_COMMAND_MASTER) && -- !(proxy->flags & VIRTIO_PCI_FLAG_BUS_MASTER_BUG)) { -+ (cmd & PCI_COMMAND_MASTER)) { -+ /* Bus driver disables bus mastering - make it act -+ * as a kind of reset to render the device quiescent. */ - virtio_pci_stop_ioeventfd(proxy); -- virtio_set_status(vdev, vdev->status & ~VIRTIO_CONFIG_S_DRIVER_OK); -+ virtio_reset(vdev); -+ msix_unuse_all_vectors(&proxy->pci_dev); - } - } - -@@ -895,11 +889,19 @@ static void virtio_pci_vmstate_change(DeviceState *d, bool running) - VirtIODevice *vdev = virtio_bus_get_device(&proxy->bus); - - if (running) { -- /* Try to find out if the guest has bus master disabled, but is -- in ready state. Then we have a buggy guest OS. */ -- if ((vdev->status & VIRTIO_CONFIG_S_DRIVER_OK) && -- !(proxy->pci_dev.config[PCI_COMMAND] & PCI_COMMAND_MASTER)) { -- proxy->flags |= VIRTIO_PCI_FLAG_BUS_MASTER_BUG; -+ /* Linux before 2.6.34 drives the device without enabling -+ the PCI device bus master bit. Enable it automatically -+ for the guest. This is a PCI spec violation but so is -+ initiating DMA with bus master bit clear. -+ Note: this only makes a difference when migrating -+ across QEMU versions from an old QEMU, as for new QEMU -+ bus master and driver bits are always in sync. -+ TODO: consider enabling conditionally for compat machine types. */ -+ if (vdev->status & (VIRTIO_CONFIG_S_ACKNOWLEDGE | -+ VIRTIO_CONFIG_S_DRIVER)) { -+ pci_default_write_config(&proxy->pci_dev, PCI_COMMAND, -+ proxy->pci_dev.config[PCI_COMMAND] | -+ PCI_COMMAND_MASTER, 1); - } - virtio_pci_start_ioeventfd(proxy); - } else { -@@ -1043,7 +1045,6 @@ static void virtio_pci_reset(DeviceState *qdev) - virtio_pci_stop_ioeventfd(proxy); - virtio_bus_reset(bus); - msix_unuse_all_vectors(&proxy->pci_dev); -- proxy->flags &= ~VIRTIO_PCI_FLAG_BUS_MASTER_BUG; - } - - static Property virtio_pci_properties[] = { diff --git a/0010-pc-leave-more-space-for-BIOS-allocations.patch b/0010-pc-leave-more-space-for-BIOS-allocations.patch deleted file mode 100644 index 75e3314..0000000 --- a/0010-pc-leave-more-space-for-BIOS-allocations.patch +++ /dev/null @@ -1,47 +0,0 @@ -From beb8650b34906da8f87e07238ab33aa8ffc54a67 Mon Sep 17 00:00:00 2001 -From: "Michael S. Tsirkin" -Date: Thu, 18 Sep 2014 16:32:07 +0300 -Subject: [PATCH] pc: leave more space for BIOS allocations - -Since QEMU 2.1, we are allocating more space for ACPI tables, so no -space is left after initrd for the BIOS to allocate memory. - -Besides ACPI tables, there are a few other uses of high memory in -SeaBIOS: SMBIOS tables and USB drivers use it in particular. These uses -allocate a very small amount of memory. Malloc metadata also lives -there. So we need _some_ extra padding there to avoid initrd breakage, -but not much. - -John Snow found a case where RHEL5 was broken by the recent change to -ACPI_TABLE_SIZE; in his case 4KB of extra padding are fine, but just to -be safe I am adding 32KB, which is roughly the same amount of padding -that was left by QEMU 2.0 and earlier. - -Move initrd to leave some space for the BIOS. - -Cc: qemu-stable@nongnu.org -Signed-off-by: Paolo Bonzini -Reported-by: John Snow -Signed-off-by: Michael S. Tsirkin -(cherry picked from commit 438f92ee9f6a4f78f8adcc399809e252b6da72a2) ---- - hw/i386/pc.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/hw/i386/pc.c b/hw/i386/pc.c -index 97932a6..ef9fad8 100644 ---- a/hw/i386/pc.c -+++ b/hw/i386/pc.c -@@ -72,8 +72,10 @@ - #define DPRINTF(fmt, ...) - #endif - --/* Leave a chunk of memory at the top of RAM for the BIOS ACPI tables. */ --unsigned acpi_data_size = 0x20000; -+/* Leave a chunk of memory at the top of RAM for the BIOS ACPI tables -+ * (128K) and other BIOS datastructures (less than 4K reported to be used at -+ * the moment, 32K should be enough for a while). */ -+unsigned acpi_data_size = 0x20000 + 0x8000; - void pc_set_legacy_acpi_data_size(void) - { - acpi_data_size = 0x10000; diff --git a/qemu.spec b/qemu.spec index c6ccc85..1f992d5 100644 --- a/qemu.spec +++ b/qemu.spec @@ -151,8 +151,8 @@ Summary: QEMU is a FAST! processor emulator Name: qemu -Version: 2.1.1 -Release: 2%{?dist} +Version: 2.1.2 +Release: 1%{?dist} Epoch: 2 License: GPLv2+ and LGPLv2+ and BSD Group: Development/Tools @@ -200,11 +200,8 @@ Patch0003: 0003-block.curl-adding-timeout-option.patch Patch0004: 0004-curl-Allow-a-cookie-or-cookies-to-be-sent-with-http-.patch Patch0005: 0005-curl-Don-t-deref-NULL-pointer-in-call-to-aio_poll.patch # Fix crash on migration/snapshot (bz #1144490) -Patch0006: 0006-virtio-net-drop-assert-on-vm-stop.patch -Patch0007: 0007-Revert-virtio-don-t-call-device-on-vm_running.patch -Patch0008: 0008-virtio-pci-enable-bus-master-for-old-guests.patch -Patch0009: 0009-virtio-pci-fix-migration-for-pci-bus-master.patch -Patch0010: 0010-pc-leave-more-space-for-BIOS-allocations.patch +Patch0006: 0006-virtio-pci-enable-bus-master-for-old-guests.patch +Patch0007: 0007-virtio-pci-fix-migration-for-pci-bus-master.patch BuildRequires: SDL2-devel BuildRequires: zlib-devel @@ -740,9 +737,6 @@ CAC emulation development files. # Fix crash on migration/snapshot (bz #1144490) %patch0006 -p1 %patch0007 -p1 -%patch0008 -p1 -%patch0009 -p1 -%patch0010 -p1 %build @@ -1522,6 +1516,10 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Fri Sep 26 2014 Cole Robinson - 2:2.1.2-1 +- Rebased to version 2.1.2 +- CVE-2014-3640 qemu: slirp: NULL pointer (bz #1144821, bz #1144818) + * Sun Sep 21 2014 Cole Robinson - 2:2.1.1-2 - Fix crash on migration/snapshot (bz #1144490) diff --git a/sources b/sources index bb54534..33b62c2 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -78b1b51bfa2eee424e1bfdf3b66daa64 qemu-2.1.1.tar.bz2 +0ff197c4ed4b695620bc4734e77c888f qemu-2.1.2.tar.bz2