diff --git a/0001-qxl-Only-emit-QXL_INTERRUPT_CLIENT_MONITORS_CONFIG-o.patch b/0001-qxl-Only-emit-QXL_INTERRUPT_CLIENT_MONITORS_CONFIG-o.patch new file mode 100644 index 0000000..9b0faa5 --- /dev/null +++ b/0001-qxl-Only-emit-QXL_INTERRUPT_CLIENT_MONITORS_CONFIG-o.patch @@ -0,0 +1,106 @@ +From d1fd2760ce6025f55b7c71ca303d49afbf17ad8e Mon Sep 17 00:00:00 2001 +Message-Id: +From: Christophe Fergeau +Date: Fri, 28 Oct 2016 16:48:40 +0200 +Subject: [PATCH] qxl: Only emit QXL_INTERRUPT_CLIENT_MONITORS_CONFIG on config + changes + +Currently if the client keeps sending the same monitor config to +QEMU/spice-server, QEMU will always raise +a QXL_INTERRUPT_CLIENT_MONITORS_CONFIG regardless of whether there was a +change or not. +Guest-side (with fedora 25), the kernel QXL KMS driver will also forward the +event to user-space without checking if there were actual changes. +Next in line are gnome-shell/mutter (on a default f25 install), which +will try to reconfigure everything without checking if there is anything +to do. +Where this gets ugly is that when applying the resolution changes, +gnome-shell/mutter will call drmModeRmFB, drmModeAddFB, and +drmModeSetCrtc, which will cause the primary surface to be destroyed and +recreated by the QXL KMS driver. This in turn will cause the client to +resend a client monitors config message, which will cause QEMU to reemit +an interrupt with an unchanged monitors configuration, ... +This causes https://bugzilla.redhat.com/show_bug.cgi?id=1266484 + +This commit makes sure that we only emit +QXL_INTERRUPT_CLIENT_MONITORS_CONFIG when there are actual configuration +changes the guest should act on. + +Signed-off-by: Christophe Fergeau +Signed-off-by: Cole Robinson +--- + hw/display/qxl.c | 37 ++++++++++++++++++++++++++++++++++++- + 1 file changed, 36 insertions(+), 1 deletion(-) + +diff --git a/hw/display/qxl.c b/hw/display/qxl.c +index 0e2682d..62d0c80 100644 +--- a/hw/display/qxl.c ++++ b/hw/display/qxl.c +@@ -992,6 +992,34 @@ static uint32_t qxl_crc32(const uint8_t *p, unsigned len) + return crc32(0xffffffff, p, len) ^ 0xffffffff; + } + ++static bool qxl_rom_monitors_config_changed(QXLRom *rom, ++ VDAgentMonitorsConfig *monitors_config, ++ unsigned int max_outputs) ++{ ++ int i; ++ unsigned int monitors_count; ++ ++ monitors_count = MIN(monitors_config->num_of_monitors, max_outputs); ++ ++ if (rom->client_monitors_config.count != monitors_count) { ++ return true; ++ } ++ ++ for (i = 0 ; i < rom->client_monitors_config.count ; ++i) { ++ VDAgentMonConfig *monitor = &monitors_config->monitors[i]; ++ QXLURect *rect = &rom->client_monitors_config.heads[i]; ++ /* monitor->depth ignored */ ++ if ((rect->left != monitor->x) || ++ (rect->top != monitor->y) || ++ (rect->right != monitor->x + monitor->width) || ++ (rect->bottom != monitor->y + monitor->height)) { ++ return true; ++ } ++ } ++ ++ return false; ++} ++ + /* called from main context only */ + static int interface_client_monitors_config(QXLInstance *sin, + VDAgentMonitorsConfig *monitors_config) +@@ -1000,6 +1028,7 @@ static int interface_client_monitors_config(QXLInstance *sin, + QXLRom *rom = memory_region_get_ram_ptr(&qxl->rom_bar); + int i; + unsigned max_outputs = ARRAY_SIZE(rom->client_monitors_config.heads); ++ bool config_changed = false; + + if (qxl->revision < 4) { + trace_qxl_client_monitors_config_unsupported_by_device(qxl->id, +@@ -1030,6 +1059,10 @@ static int interface_client_monitors_config(QXLInstance *sin, + } + #endif + ++ config_changed = qxl_rom_monitors_config_changed(rom, ++ monitors_config, ++ max_outputs); ++ + memset(&rom->client_monitors_config, 0, + sizeof(rom->client_monitors_config)); + rom->client_monitors_config.count = monitors_config->num_of_monitors; +@@ -1059,7 +1092,9 @@ static int interface_client_monitors_config(QXLInstance *sin, + trace_qxl_interrupt_client_monitors_config(qxl->id, + rom->client_monitors_config.count, + rom->client_monitors_config.heads); +- qxl_send_events(qxl, QXL_INTERRUPT_CLIENT_MONITORS_CONFIG); ++ if (config_changed) { ++ qxl_send_events(qxl, QXL_INTERRUPT_CLIENT_MONITORS_CONFIG); ++ } + return 1; + } + +-- +2.9.3 + diff --git a/0001-vmw_pvscsi-check-page-count-while-initialising-descr.patch b/0001-vmw_pvscsi-check-page-count-while-initialising-descr.patch deleted file mode 100644 index 57b7b9b..0000000 --- a/0001-vmw_pvscsi-check-page-count-while-initialising-descr.patch +++ /dev/null @@ -1,82 +0,0 @@ -From: Prasad J Pandit -Date: Wed, 31 Aug 2016 12:19:29 +0530 -Subject: [PATCH] vmw_pvscsi: check page count while initialising descriptor - rings - -Vmware Paravirtual SCSI emulation uses command descriptors to -process SCSI commands. These descriptors come with their ring -buffers. A guest could set the page count for these rings to -an arbitrary value, leading to infinite loop or OOB access. -Add check to avoid it. - -Reported-by: Tom Victor -Signed-off-by: Prasad J Pandit -Message-Id: <1472626169-12989-1-git-send-email-ppandit@redhat.com> -Cc: qemu-stable@nongnu.org -Signed-off-by: Paolo Bonzini -(cherry picked from commit 7f61f4690dd153be98900a2a508b88989e692753) ---- - hw/scsi/vmw_pvscsi.c | 19 +++++++++---------- - 1 file changed, 9 insertions(+), 10 deletions(-) - -diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c -index 5116f4a..4245c15 100644 ---- a/hw/scsi/vmw_pvscsi.c -+++ b/hw/scsi/vmw_pvscsi.c -@@ -152,7 +152,7 @@ pvscsi_log2(uint32_t input) - return log; - } - --static int -+static void - pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri) - { - int i; -@@ -160,10 +160,6 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri) - uint32_t req_ring_size, cmp_ring_size; - m->rs_pa = ri->ringsStatePPN << VMW_PAGE_SHIFT; - -- if ((ri->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES) -- || (ri->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)) { -- return -1; -- } - req_ring_size = ri->reqRingNumPages * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE; - cmp_ring_size = ri->cmpRingNumPages * PVSCSI_MAX_NUM_CMP_ENTRIES_PER_PAGE; - txr_len_log2 = pvscsi_log2(req_ring_size - 1); -@@ -195,8 +191,6 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri) - - /* Flush ring state page changes */ - smp_wmb(); -- -- return 0; - } - - static int -@@ -746,7 +740,7 @@ pvscsi_dbg_dump_tx_rings_config(PVSCSICmdDescSetupRings *rc) - - trace_pvscsi_tx_rings_num_pages("Confirm Ring", rc->cmpRingNumPages); - for (i = 0; i < rc->cmpRingNumPages; i++) { -- trace_pvscsi_tx_rings_ppn("Confirm Ring", rc->reqRingPPNs[i]); -+ trace_pvscsi_tx_rings_ppn("Confirm Ring", rc->cmpRingPPNs[i]); - } - } - -@@ -779,11 +773,16 @@ pvscsi_on_cmd_setup_rings(PVSCSIState *s) - - trace_pvscsi_on_cmd_arrived("PVSCSI_CMD_SETUP_RINGS"); - -- pvscsi_dbg_dump_tx_rings_config(rc); -- if (pvscsi_ring_init_data(&s->rings, rc) < 0) { -+ if (!rc->reqRingNumPages -+ || rc->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES -+ || !rc->cmpRingNumPages -+ || rc->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES) { - return PVSCSI_COMMAND_PROCESSING_FAILED; - } - -+ pvscsi_dbg_dump_tx_rings_config(rc); -+ pvscsi_ring_init_data(&s->rings, rc); -+ - s->rings_info_valid = TRUE; - return PVSCSI_COMMAND_PROCESSING_SUCCEEDED; - } diff --git a/0002-scsi-pvscsi-limit-loop-to-fetch-SG-list.patch b/0002-scsi-pvscsi-limit-loop-to-fetch-SG-list.patch deleted file mode 100644 index 89ae98d..0000000 --- a/0002-scsi-pvscsi-limit-loop-to-fetch-SG-list.patch +++ /dev/null @@ -1,61 +0,0 @@ -From: Prasad J Pandit -Date: Tue, 6 Sep 2016 02:20:43 +0530 -Subject: [PATCH] scsi: pvscsi: limit loop to fetch SG list - -In PVSCSI paravirtual SCSI bus, pvscsi_convert_sglist can take a very -long time or go into an infinite loop due to two different bugs: - -1) the request descriptor data length is defined to be 64 bit. While -building SG list from a request descriptor, it gets truncated to 32bit -in routine 'pvscsi_convert_sglist'. This could lead to an infinite loop -situation large 'dataLen' values when data_length is cast to uint32_t and -chunk_size becomes always zero. Fix this by removing the incorrect cast. - -2) pvscsi_get_next_sg_elem can be called arbitrarily many times if the -element has a zero length. Get out of the loop early when this happens, -by introducing an upper limit on the number of SG list elements. - -Reported-by: Li Qiang -Signed-off-by: Prasad J Pandit -Message-Id: <1473108643-12983-1-git-send-email-ppandit@redhat.com> -Signed-off-by: Paolo Bonzini -(cherry picked from commit 49adc5d3f8c6bb75e55ebfeab109c5c37dea65e8) ---- - hw/scsi/vmw_pvscsi.c | 11 ++++++----- - 1 file changed, 6 insertions(+), 5 deletions(-) - -diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c -index 4245c15..babac5a 100644 ---- a/hw/scsi/vmw_pvscsi.c -+++ b/hw/scsi/vmw_pvscsi.c -@@ -40,6 +40,8 @@ - #define PVSCSI_MAX_DEVS (64) - #define PVSCSI_MSIX_NUM_VECTORS (1) - -+#define PVSCSI_MAX_SG_ELEM 2048 -+ - #define PVSCSI_MAX_CMD_DATA_WORDS \ - (sizeof(PVSCSICmdDescSetupRings)/sizeof(uint32_t)) - -@@ -628,17 +630,16 @@ pvscsi_queue_pending_descriptor(PVSCSIState *s, SCSIDevice **d, - static void - pvscsi_convert_sglist(PVSCSIRequest *r) - { -- int chunk_size; -+ uint32_t chunk_size, elmcnt = 0; - uint64_t data_length = r->req.dataLen; - PVSCSISGState sg = r->sg; -- while (data_length) { -- while (!sg.resid) { -+ while (data_length && elmcnt < PVSCSI_MAX_SG_ELEM) { -+ while (!sg.resid && elmcnt++ < PVSCSI_MAX_SG_ELEM) { - pvscsi_get_next_sg_elem(&sg); - trace_pvscsi_convert_sglist(r->req.context, r->sg.dataAddr, - r->sg.resid); - } -- assert(data_length > 0); -- chunk_size = MIN((unsigned) data_length, sg.resid); -+ chunk_size = MIN(data_length, sg.resid); - if (chunk_size) { - qemu_sglist_add(&r->sgl, sg.dataAddr, chunk_size); - } diff --git a/0003-scsi-pvscsi-limit-process-IO-loop-to-ring-size.patch b/0003-scsi-pvscsi-limit-process-IO-loop-to-ring-size.patch deleted file mode 100644 index 9280e15..0000000 --- a/0003-scsi-pvscsi-limit-process-IO-loop-to-ring-size.patch +++ /dev/null @@ -1,35 +0,0 @@ -From: Prasad J Pandit -Date: Wed, 14 Sep 2016 15:09:12 +0530 -Subject: [PATCH] scsi: pvscsi: limit process IO loop to ring size - -Vmware Paravirtual SCSI emulator while processing IO requests -could run into an infinite loop if 'pvscsi_ring_pop_req_descr' -always returned positive value. Limit IO loop to the ring size. - -Cc: qemu-stable@nongnu.org -Reported-by: Li Qiang -Signed-off-by: Prasad J Pandit -Message-Id: <1473845952-30785-1-git-send-email-ppandit@redhat.com> -Signed-off-by: Paolo Bonzini -(cherry picked from commit d251157ac1928191af851d199a9ff255d330bec9) ---- - hw/scsi/vmw_pvscsi.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c -index babac5a..a5ce7de 100644 ---- a/hw/scsi/vmw_pvscsi.c -+++ b/hw/scsi/vmw_pvscsi.c -@@ -247,8 +247,11 @@ static hwaddr - pvscsi_ring_pop_req_descr(PVSCSIRingInfo *mgr) - { - uint32_t ready_ptr = RS_GET_FIELD(mgr, reqProdIdx); -+ uint32_t ring_size = PVSCSI_MAX_NUM_PAGES_REQ_RING -+ * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE; - -- if (ready_ptr != mgr->consumed_ptr) { -+ if (ready_ptr != mgr->consumed_ptr -+ && ready_ptr - mgr->consumed_ptr < ring_size) { - uint32_t next_ready_ptr = - mgr->consumed_ptr++ & mgr->txr_len_mask; - uint32_t next_ready_page = diff --git a/0004-vmsvga-correct-bitmap-and-pixmap-size-checks.patch b/0004-vmsvga-correct-bitmap-and-pixmap-size-checks.patch deleted file mode 100644 index 91a9b52..0000000 --- a/0004-vmsvga-correct-bitmap-and-pixmap-size-checks.patch +++ /dev/null @@ -1,42 +0,0 @@ -From: Prasad J Pandit -Date: Thu, 8 Sep 2016 18:15:54 +0530 -Subject: [PATCH] vmsvga: correct bitmap and pixmap size checks - -When processing svga command DEFINE_CURSOR in vmsvga_fifo_run, -the computed BITMAP and PIXMAP size are checked against the -'cursor.mask[]' and 'cursor.image[]' array sizes in bytes. -Correct these checks to avoid OOB memory access. - -Reported-by: Qinghao Tang -Reported-by: Li Qiang -Signed-off-by: Prasad J Pandit -Message-id: 1473338754-15430-1-git-send-email-ppandit@redhat.com -Signed-off-by: Gerd Hoffmann -(cherry picked from commit 167d97a3def77ee2dbf6e908b0ecbfe2103977db) ---- - hw/display/vmware_vga.c | 12 +++++++----- - 1 file changed, 7 insertions(+), 5 deletions(-) - -diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c -index e51a05e..6599cf0 100644 ---- a/hw/display/vmware_vga.c -+++ b/hw/display/vmware_vga.c -@@ -676,11 +676,13 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s) - cursor.bpp = vmsvga_fifo_read(s); - - args = SVGA_BITMAP_SIZE(x, y) + SVGA_PIXMAP_SIZE(x, y, cursor.bpp); -- if (cursor.width > 256 || -- cursor.height > 256 || -- cursor.bpp > 32 || -- SVGA_BITMAP_SIZE(x, y) > sizeof cursor.mask || -- SVGA_PIXMAP_SIZE(x, y, cursor.bpp) > sizeof cursor.image) { -+ if (cursor.width > 256 -+ || cursor.height > 256 -+ || cursor.bpp > 32 -+ || SVGA_BITMAP_SIZE(x, y) -+ > sizeof(cursor.mask) / sizeof(cursor.mask[0]) -+ || SVGA_PIXMAP_SIZE(x, y, cursor.bpp) -+ > sizeof(cursor.image) / sizeof(cursor.image[0])) { - goto badcmd; - } - diff --git a/0005-scsi-mptconfig-fix-an-assert-expression.patch b/0005-scsi-mptconfig-fix-an-assert-expression.patch deleted file mode 100644 index 75ba430..0000000 --- a/0005-scsi-mptconfig-fix-an-assert-expression.patch +++ /dev/null @@ -1,33 +0,0 @@ -From: Prasad J Pandit -Date: Wed, 31 Aug 2016 17:36:07 +0530 -Subject: [PATCH] scsi: mptconfig: fix an assert expression - -When LSI SAS1068 Host Bus emulator builds configuration page -headers, mptsas_config_pack() should assert that the size -fits in a byte. However, the size is expressed in 32-bit -units, so up to 1020 bytes fit. The assertion was only -allowing replies up to 252 bytes, so fix it. - -Suggested-by: Paolo Bonzini -Signed-off-by: Prasad J Pandit -Message-Id: <1472645167-30765-2-git-send-email-ppandit@redhat.com> -Cc: qemu-stable@nongnu.org -Signed-off-by: Paolo Bonzini -(cherry picked from commit cf2bce203a45d7437029d108357fb23fea0967b6) ---- - hw/scsi/mptconfig.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hw/scsi/mptconfig.c b/hw/scsi/mptconfig.c -index 7071854..3e4f400 100644 ---- a/hw/scsi/mptconfig.c -+++ b/hw/scsi/mptconfig.c -@@ -158,7 +158,7 @@ static size_t mptsas_config_pack(uint8_t **data, const char *fmt, ...) - va_end(ap); - - if (data) { -- assert(ret < 256 && (ret % 4) == 0); -+ assert(ret / 4 < 256 && (ret % 4) == 0); - stb_p(*data + 1, ret / 4); - } - return ret; diff --git a/0006-scsi-mptconfig-fix-misuse-of-MPTSAS_CONFIG_PACK.patch b/0006-scsi-mptconfig-fix-misuse-of-MPTSAS_CONFIG_PACK.patch deleted file mode 100644 index 8be70e0..0000000 --- a/0006-scsi-mptconfig-fix-misuse-of-MPTSAS_CONFIG_PACK.patch +++ /dev/null @@ -1,37 +0,0 @@ -From: Paolo Bonzini -Date: Mon, 29 Aug 2016 11:35:37 +0200 -Subject: [PATCH] scsi: mptconfig: fix misuse of MPTSAS_CONFIG_PACK - -These issues cause respectively a QEMU crash and a leak of 2 bytes of -stack. They were discovered by VictorV of 360 Marvel Team. - -Reported-by: Tom Victor -Cc: qemu-stable@nongnu.org -Signed-off-by: Paolo Bonzini -(cherry picked from commit 65a8e1f6413a0f6f79894da710b5d6d43361d27d) ---- - hw/scsi/mptconfig.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/hw/scsi/mptconfig.c b/hw/scsi/mptconfig.c -index 3e4f400..87a416a 100644 ---- a/hw/scsi/mptconfig.c -+++ b/hw/scsi/mptconfig.c -@@ -203,7 +203,7 @@ size_t mptsas_config_manufacturing_1(MPTSASState *s, uint8_t **data, int address - { - /* VPD - all zeros */ - return MPTSAS_CONFIG_PACK(1, MPI_CONFIG_PAGETYPE_MANUFACTURING, 0x00, -- "s256"); -+ "*s256"); - } - - static -@@ -328,7 +328,7 @@ size_t mptsas_config_ioc_0(MPTSASState *s, uint8_t **data, int address) - return MPTSAS_CONFIG_PACK(0, MPI_CONFIG_PAGETYPE_IOC, 0x01, - "*l*lwwb*b*b*blww", - pcic->vendor_id, pcic->device_id, pcic->revision, -- pcic->subsystem_vendor_id, -+ pcic->class_id, pcic->subsystem_vendor_id, - pcic->subsystem_id); - } - diff --git a/0007-usb-xhci-fix-memory-leak-in-usb_xhci_exit.patch b/0007-usb-xhci-fix-memory-leak-in-usb_xhci_exit.patch deleted file mode 100644 index d47fccf..0000000 --- a/0007-usb-xhci-fix-memory-leak-in-usb_xhci_exit.patch +++ /dev/null @@ -1,29 +0,0 @@ -From: Li Qiang -Date: Tue, 13 Sep 2016 03:20:03 -0700 -Subject: [PATCH] usb:xhci:fix memory leak in usb_xhci_exit - -If the xhci uses msix, it doesn't free the corresponding -memory, thus leading a memory leak. This patch avoid this. - -Signed-off-by: Li Qiang -Message-id: 57d7d2e0.d4301c0a.d13e9.9a55@mx.google.com -Signed-off-by: Gerd Hoffmann -(cherry picked from commit b53dd4495ced2432a0b652ea895e651d07336f7e) ---- - hw/usb/hcd-xhci.c | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c -index 188f954..281a2a5 100644 ---- a/hw/usb/hcd-xhci.c -+++ b/hw/usb/hcd-xhci.c -@@ -3709,8 +3709,7 @@ static void usb_xhci_exit(PCIDevice *dev) - /* destroy msix memory region */ - if (dev->msix_table && dev->msix_pba - && dev->msix_entry_used) { -- memory_region_del_subregion(&xhci->mem, &dev->msix_table_mmio); -- memory_region_del_subregion(&xhci->mem, &dev->msix_pba_mmio); -+ msix_uninit(dev, &xhci->mem, &xhci->mem); - } - - usb_bus_release(&xhci->bus); diff --git a/0008-scsi-mptsas-use-g_new0-to-allocate-MPTSASRequest-obj.patch b/0008-scsi-mptsas-use-g_new0-to-allocate-MPTSASRequest-obj.patch deleted file mode 100644 index 41c48b3..0000000 --- a/0008-scsi-mptsas-use-g_new0-to-allocate-MPTSASRequest-obj.patch +++ /dev/null @@ -1,32 +0,0 @@ -From: Li Qiang -Date: Mon, 12 Sep 2016 18:14:11 +0530 -Subject: [PATCH] scsi: mptsas: use g_new0 to allocate MPTSASRequest object - -When processing IO request in mptsas, it uses g_new to allocate -a 'req' object. If an error occurs before 'req->sreq' is -allocated, It could lead to an OOB write in mptsas_free_request -function. Use g_new0 to avoid it. - -Reported-by: Li Qiang -Signed-off-by: Prasad J Pandit -Message-Id: <1473684251-17476-1-git-send-email-ppandit@redhat.com> -Cc: qemu-stable@nongnu.org -Signed-off-by: Paolo Bonzini -(cherry picked from commit 670e56d3ed2918b3861d9216f2c0540d9e9ae0d5) ---- - hw/scsi/mptsas.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c -index 0e0a22f..eaae1bb 100644 ---- a/hw/scsi/mptsas.c -+++ b/hw/scsi/mptsas.c -@@ -304,7 +304,7 @@ static int mptsas_process_scsi_io_request(MPTSASState *s, - goto bad; - } - -- req = g_new(MPTSASRequest, 1); -+ req = g_new0(MPTSASRequest, 1); - QTAILQ_INSERT_TAIL(&s->pending, req, next); - req->scsi_io = *scsi_io; - req->dev = s; diff --git a/0009-virtio-add-check-for-descriptor-s-mapped-address.patch b/0009-virtio-add-check-for-descriptor-s-mapped-address.patch deleted file mode 100644 index d663896..0000000 --- a/0009-virtio-add-check-for-descriptor-s-mapped-address.patch +++ /dev/null @@ -1,35 +0,0 @@ -From: Prasad J Pandit -Date: Mon, 19 Sep 2016 23:55:45 +0530 -Subject: [PATCH] virtio: add check for descriptor's mapped address - -virtio back end uses set of buffers to facilitate I/O operations. -If its size is too large, 'cpu_physical_memory_map' could return -a null address. This would result in a null dereference while -un-mapping descriptors. Add check to avoid it. - -Reported-by: Qinghao Tang -Signed-off-by: Prasad J Pandit -Reviewed-by: Michael S. Tsirkin -Signed-off-by: Michael S. Tsirkin -Reviewed-by: Laszlo Ersek -(cherry picked from commit 973e7170dddefb491a48df5cba33b2ae151013a0) ---- - hw/virtio/virtio.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c -index 74c085c..eabe573 100644 ---- a/hw/virtio/virtio.c -+++ b/hw/virtio/virtio.c -@@ -473,6 +473,11 @@ static void virtqueue_map_desc(unsigned int *p_num_sg, hwaddr *addr, struct iove - } - - iov[num_sg].iov_base = cpu_physical_memory_map(pa, &len, is_write); -+ if (!iov[num_sg].iov_base) { -+ error_report("virtio: bogus descriptor or out of resources"); -+ exit(1); -+ } -+ - iov[num_sg].iov_len = len; - addr[num_sg] = pa; - diff --git a/0010-net-mcf-limit-buffer-descriptor-count.patch b/0010-net-mcf-limit-buffer-descriptor-count.patch deleted file mode 100644 index ae05c63..0000000 --- a/0010-net-mcf-limit-buffer-descriptor-count.patch +++ /dev/null @@ -1,49 +0,0 @@ -From: Prasad J Pandit -Date: Thu, 22 Sep 2016 16:02:37 +0530 -Subject: [PATCH] net: mcf: limit buffer descriptor count - -ColdFire Fast Ethernet Controller uses buffer descriptors to manage -data flow to/fro receive & transmit queues. While transmitting -packets, it could continue to read buffer descriptors if a buffer -descriptor has length of zero and has crafted values in bd.flags. -Set upper limit to number of buffer descriptors. - -Reported-by: Li Qiang -Signed-off-by: Prasad J Pandit -Reviewed-by: Paolo Bonzini -Signed-off-by: Jason Wang -(cherry picked from commit 070c4b92b8cd5390889716677a0b92444d6e087a) ---- - hw/net/mcf_fec.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/hw/net/mcf_fec.c b/hw/net/mcf_fec.c -index 0ee8ad9..d31fea1 100644 ---- a/hw/net/mcf_fec.c -+++ b/hw/net/mcf_fec.c -@@ -23,6 +23,7 @@ do { printf("mcf_fec: " fmt , ## __VA_ARGS__); } while (0) - #define DPRINTF(fmt, ...) do {} while(0) - #endif - -+#define FEC_MAX_DESC 1024 - #define FEC_MAX_FRAME_SIZE 2032 - - typedef struct { -@@ -149,7 +150,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s) - uint32_t addr; - mcf_fec_bd bd; - int frame_size; -- int len; -+ int len, descnt = 0; - uint8_t frame[FEC_MAX_FRAME_SIZE]; - uint8_t *ptr; - -@@ -157,7 +158,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s) - ptr = frame; - frame_size = 0; - addr = s->tx_descriptor; -- while (1) { -+ while (descnt++ < FEC_MAX_DESC) { - mcf_fec_read_bd(&bd, addr); - DPRINTF("tx_bd %x flags %04x len %d data %08x\n", - addr, bd.flags, bd.length, bd.data); diff --git a/0011-xhci-limit-the-number-of-link-trbs-we-are-willing-to.patch b/0011-xhci-limit-the-number-of-link-trbs-we-are-willing-to.patch deleted file mode 100644 index 03b7429..0000000 --- a/0011-xhci-limit-the-number-of-link-trbs-we-are-willing-to.patch +++ /dev/null @@ -1,65 +0,0 @@ -From: Gerd Hoffmann -Date: Mon, 10 Oct 2016 12:46:22 +0200 -Subject: [PATCH] xhci: limit the number of link trbs we are willing to process - -Needed to avoid we run in circles forever in case the guest builds -an endless loop with link trbs. - -Reported-by: Li Qiang -Tested-by: P J P -Signed-off-by: Gerd Hoffmann -Message-id: 1476096382-7981-1-git-send-email-kraxel@redhat.com -(cherry picked from commit 05f43d44e4bc26611ce25fd7d726e483f73363ce) ---- - hw/usb/hcd-xhci.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c -index 281a2a5..8a9a31a 100644 ---- a/hw/usb/hcd-xhci.c -+++ b/hw/usb/hcd-xhci.c -@@ -54,6 +54,8 @@ - * to the specs when it gets them */ - #define ER_FULL_HACK - -+#define TRB_LINK_LIMIT 4 -+ - #define LEN_CAP 0x40 - #define LEN_OPER (0x400 + 0x10 * MAXPORTS) - #define LEN_RUNTIME ((MAXINTRS + 1) * 0x20) -@@ -1000,6 +1002,7 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb, - dma_addr_t *addr) - { - PCIDevice *pci_dev = PCI_DEVICE(xhci); -+ uint32_t link_cnt = 0; - - while (1) { - TRBType type; -@@ -1026,6 +1029,9 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb, - ring->dequeue += TRB_SIZE; - return type; - } else { -+ if (++link_cnt > TRB_LINK_LIMIT) { -+ return 0; -+ } - ring->dequeue = xhci_mask64(trb->parameter); - if (trb->control & TRB_LK_TC) { - ring->ccs = !ring->ccs; -@@ -1043,6 +1049,7 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring) - bool ccs = ring->ccs; - /* hack to bundle together the two/three TDs that make a setup transfer */ - bool control_td_set = 0; -+ uint32_t link_cnt = 0; - - while (1) { - TRBType type; -@@ -1058,6 +1065,9 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring) - type = TRB_TYPE(trb); - - if (type == TR_LINK) { -+ if (++link_cnt > TRB_LINK_LIMIT) { -+ return -length; -+ } - dequeue = xhci_mask64(trb.parameter); - if (trb.control & TRB_LK_TC) { - ccs = !ccs; diff --git a/0012-usb-ehci-fix-memory-leak-in-ehci_process_itd.patch b/0012-usb-ehci-fix-memory-leak-in-ehci_process_itd.patch deleted file mode 100644 index e7c7aa3..0000000 --- a/0012-usb-ehci-fix-memory-leak-in-ehci_process_itd.patch +++ /dev/null @@ -1,29 +0,0 @@ -From: Li Qiang -Date: Sun, 18 Sep 2016 19:48:35 -0700 -Subject: [PATCH] usb: ehci: fix memory leak in ehci_process_itd - -While processing isochronous transfer descriptors(iTD), if the page -select(PG) field value is out of bands it will return. In this -situation the ehci's sg list is not freed thus leading to a memory -leak issue. This patch avoid this. - -Signed-off-by: Li Qiang -Reviewed-by: Thomas Huth -Signed-off-by: Michael Tokarev -(cherry picked from commit b16c129daf0fed91febbb88de23dae8271c8898a) ---- - hw/usb/hcd-ehci.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c -index b093db7..f4ece9a 100644 ---- a/hw/usb/hcd-ehci.c -+++ b/hw/usb/hcd-ehci.c -@@ -1426,6 +1426,7 @@ static int ehci_process_itd(EHCIState *ehci, - if (off + len > 4096) { - /* transfer crosses page border */ - if (pg == 6) { -+ qemu_sglist_destroy(&ehci->isgl); - return -1; /* avoid page pg + 1 */ - } - ptr2 = (itd->bufptr[pg + 1] & ITD_BUFPTR_MASK); diff --git a/0013-usb-redir-allocate-buffers-before-waking-up-the-host.patch b/0013-usb-redir-allocate-buffers-before-waking-up-the-host.patch deleted file mode 100644 index 521e879..0000000 --- a/0013-usb-redir-allocate-buffers-before-waking-up-the-host.patch +++ /dev/null @@ -1,50 +0,0 @@ -From: Hans de Goede -Date: Mon, 10 Oct 2016 12:45:13 +0200 -Subject: [PATCH] usb-redir: allocate buffers before waking up the host adapter - -Needed to make sure usb redirection is prepared to actually handle the -callback from the usb host adapter. Without this interrupt endpoints -don't work on xhci. - -Note: On ehci the usb_wakeup() call only schedules a BH for the actual -work, which hides this bug because the allocation happens before ehci -calls back even without this patch. - -Signed-off-by: Hans de Goede -Message-id: 1476096313-7730-1-git-send-email-kraxel@redhat.com -Signed-off-by: Gerd Hoffmann -(cherry picked from commit d5c42857d6b0c35028897df8dfc3749eba6f6de3) ---- - hw/usb/redirect.c | 10 +++++++--- - 1 file changed, 7 insertions(+), 3 deletions(-) - -diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c -index 444672a..d4ca026 100644 ---- a/hw/usb/redirect.c -+++ b/hw/usb/redirect.c -@@ -2036,18 +2036,22 @@ static void usbredir_interrupt_packet(void *priv, uint64_t id, - } - - if (ep & USB_DIR_IN) { -+ bool q_was_empty; -+ - if (dev->endpoint[EP2I(ep)].interrupt_started == 0) { - DPRINTF("received int packet while not started ep %02X\n", ep); - free(data); - return; - } - -- if (QTAILQ_EMPTY(&dev->endpoint[EP2I(ep)].bufpq)) { -- usb_wakeup(usb_ep_get(&dev->dev, USB_TOKEN_IN, ep & 0x0f), 0); -- } -+ q_was_empty = QTAILQ_EMPTY(&dev->endpoint[EP2I(ep)].bufpq); - - /* bufp_alloc also adds the packet to the ep queue */ - bufp_alloc(dev, data, data_len, interrupt_packet->status, ep, data); -+ -+ if (q_was_empty) { -+ usb_wakeup(usb_ep_get(&dev->dev, USB_TOKEN_IN, ep & 0x0f), 0); -+ } - } else { - /* - * We report output interrupt packets as completed directly upon diff --git a/0014-ppc-kvm-Mark-64kB-page-size-support-as-disabled-if-n.patch b/0014-ppc-kvm-Mark-64kB-page-size-support-as-disabled-if-n.patch deleted file mode 100644 index 183d1fe..0000000 --- a/0014-ppc-kvm-Mark-64kB-page-size-support-as-disabled-if-n.patch +++ /dev/null @@ -1,54 +0,0 @@ -From: Thomas Huth -Date: Wed, 21 Sep 2016 11:42:15 +0200 -Subject: [PATCH] ppc/kvm: Mark 64kB page size support as disabled if not - available - -QEMU currently refuses to start with KVM-PR and only prints out - - qemu: fatal: Unknown MMU model 851972 - -when being started there. This is because commit 4322e8ced5aaac719 -("ppc: Fix 64K pages support in full emulation") introduced a new -POWERPC_MMU_64K bit to indicate support for this page size, but -it never gets cleared on KVM-PR if the host kernel does not support -this. Thus we've got to turn off this bit in the mmu_model for KVM-PR. - -Signed-off-by: Thomas Huth -Signed-off-by: David Gibson -(cherry picked from commit 0d594f5565837fe2886a8aa307ef8abb65eab8f7) ---- - target-ppc/kvm.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/target-ppc/kvm.c b/target-ppc/kvm.c -index dcb68b9..6bdc804 100644 ---- a/target-ppc/kvm.c -+++ b/target-ppc/kvm.c -@@ -427,6 +427,7 @@ static void kvm_fixup_page_sizes(PowerPCCPU *cpu) - CPUPPCState *env = &cpu->env; - long rampagesize; - int iq, ik, jq, jk; -+ bool has_64k_pages = false; - - /* We only handle page sizes for 64-bit server guests for now */ - if (!(env->mmu_model & POWERPC_MMU_64)) { -@@ -470,6 +471,9 @@ static void kvm_fixup_page_sizes(PowerPCCPU *cpu) - ksps->enc[jk].page_shift)) { - continue; - } -+ if (ksps->enc[jk].page_shift == 16) { -+ has_64k_pages = true; -+ } - qsps->enc[jq].page_shift = ksps->enc[jk].page_shift; - qsps->enc[jq].pte_enc = ksps->enc[jk].pte_enc; - if (++jq >= PPC_PAGE_SIZES_MAX_SZ) { -@@ -484,6 +488,9 @@ static void kvm_fixup_page_sizes(PowerPCCPU *cpu) - if (!(smmu_info.flags & KVM_PPC_1T_SEGMENTS)) { - env->mmu_model &= ~POWERPC_MMU_1TSEG; - } -+ if (!has_64k_pages) { -+ env->mmu_model &= ~POWERPC_MMU_64K; -+ } - } - #else /* defined (TARGET_PPC64) */ - diff --git a/0015-qxl-Only-emit-QXL_INTERRUPT_CLIENT_MONITORS_CONFIG-o.patch b/0015-qxl-Only-emit-QXL_INTERRUPT_CLIENT_MONITORS_CONFIG-o.patch deleted file mode 100644 index 874e14f..0000000 --- a/0015-qxl-Only-emit-QXL_INTERRUPT_CLIENT_MONITORS_CONFIG-o.patch +++ /dev/null @@ -1,74 +0,0 @@ -From: Christophe Fergeau -Date: Fri, 14 Oct 2016 14:22:36 +0200 -Subject: [PATCH] qxl: Only emit QXL_INTERRUPT_CLIENT_MONITORS_CONFIG on config - changes - -Currently if the client keeps sending the same monitor config to -QEMU/spice-server, QEMU will always raise -a QXL_INTERRUPT_CLIENT_MONITORS_CONFIG regardless of whether there was a -change or not. -Guest-side (with fedora 25), the kernel QXL KMS driver will also forward the -event to user-space without checking if there were actual changes. -Next in line are gnome-shell/mutter (on a default f25 install), which -will try to reconfigure everything without checking if there is anything -to do. -Where this gets ugly is that when applying the resolution changes, -gnome-shell/mutter will call drmModeRmFB, drmModeAddFB, and -drmModeSetCrtc, which will cause the primary surface to be destroyed and -recreated by the QXL KMS driver. This in turn will cause the client to -resend a client monitors config message, which will cause QEMU to reemit -an interrupt with an unchanged monitors configuration, ... -This causes https://bugzilla.redhat.com/show_bug.cgi?id=1266484 - -This commit makes sure that we only emit -QXL_INTERRUPT_CLIENT_MONITORS_CONFIG when there are actual configuration -changes the guest should act on. ---- - hw/display/qxl.c | 20 +++++++++++++++++++- - 1 file changed, 19 insertions(+), 1 deletion(-) - -diff --git a/hw/display/qxl.c b/hw/display/qxl.c -index 0e2682d..56759f8 100644 ---- a/hw/display/qxl.c -+++ b/hw/display/qxl.c -@@ -1000,6 +1000,7 @@ static int interface_client_monitors_config(QXLInstance *sin, - QXLRom *rom = memory_region_get_ram_ptr(&qxl->rom_bar); - int i; - unsigned max_outputs = ARRAY_SIZE(rom->client_monitors_config.heads); -+ bool config_changed = false; - - if (qxl->revision < 4) { - trace_qxl_client_monitors_config_unsupported_by_device(qxl->id, -@@ -1030,6 +1031,21 @@ static int interface_client_monitors_config(QXLInstance *sin, - } - #endif - -+ if (rom->client_monitors_config.count != MIN(monitors_config->num_of_monitors, max_outputs)) { -+ config_changed = true; -+ } -+ for (i = 0 ; i < rom->client_monitors_config.count ; ++i) { -+ VDAgentMonConfig *monitor = &monitors_config->monitors[i]; -+ QXLURect *rect = &rom->client_monitors_config.heads[i]; -+ /* monitor->depth ignored */ -+ if ((rect->left != monitor->x) || -+ (rect->top != monitor->y) || -+ (rect->right != monitor->x + monitor->width) || -+ (rect->bottom != monitor->y + monitor->height)) { -+ config_changed = true; -+ } -+ } -+ - memset(&rom->client_monitors_config, 0, - sizeof(rom->client_monitors_config)); - rom->client_monitors_config.count = monitors_config->num_of_monitors; -@@ -1059,7 +1075,9 @@ static int interface_client_monitors_config(QXLInstance *sin, - trace_qxl_interrupt_client_monitors_config(qxl->id, - rom->client_monitors_config.count, - rom->client_monitors_config.heads); -- qxl_send_events(qxl, QXL_INTERRUPT_CLIENT_MONITORS_CONFIG); -+ if (config_changed) { -+ qxl_send_events(qxl, QXL_INTERRUPT_CLIENT_MONITORS_CONFIG); -+ } - return 1; - } - diff --git a/qemu.spec b/qemu.spec index 6763c88..543880e 100644 --- a/qemu.spec +++ b/qemu.spec @@ -73,6 +73,7 @@ Requires: %{name}-block-curl = %{epoch}:%{version}-%{release} \ Requires: %{name}-block-dmg = %{epoch}:%{version}-%{release} \ Requires: %{name}-block-gluster = %{epoch}:%{version}-%{release} \ Requires: %{name}-block-iscsi = %{epoch}:%{version}-%{release} \ +Requires: %{name}-block-nfs = %{epoch}:%{version}-%{release} \ Requires: %{name}-block-rbd = %{epoch}:%{version}-%{release} \ Requires: %{name}-block-ssh = %{epoch}:%{version}-%{release} @@ -81,7 +82,7 @@ Requires: %{name}-block-ssh = %{epoch}:%{version}-%{release} %undefine _hardened_build # Release candidate version tracking -# global rcver rc3 +%global rcver rc2 %if 0%{?rcver:1} %global rcrel .%{rcver} %global rcstr -%{rcver} @@ -90,8 +91,8 @@ Requires: %{name}-block-ssh = %{epoch}:%{version}-%{release} Summary: QEMU is a FAST! processor emulator Name: qemu -Version: 2.7.0 -Release: 10%{?rcrel}%{?dist} +Version: 2.8.0 +Release: 0.1%{?rcrel}%{?dist} Epoch: 2 License: GPLv2+ and LGPLv2+ and BSD Group: Development/Tools @@ -125,37 +126,9 @@ Source21: 50-kvm-s390x.conf # /etc/security/limits.d/95-kvm-ppc64-memlock.conf Source22: 95-kvm-ppc64-memlock.conf -# CVE-2016-7155: pvscsi: OOB read and infinite loop (bz #1373463) -Patch0001: 0001-vmw_pvscsi-check-page-count-while-initialising-descr.patch -# CVE-2016-7156: pvscsi: infinite loop when building SG list (bz #1373480) -Patch0002: 0002-scsi-pvscsi-limit-loop-to-fetch-SG-list.patch -# CVE-2016-7156: pvscsi: infinite loop when processing IO requests (bz -# #1373480) -Patch0003: 0003-scsi-pvscsi-limit-process-IO-loop-to-ring-size.patch -# CVE-2016-7170: vmware_vga: OOB stack memory access (bz #1374709) -Patch0004: 0004-vmsvga-correct-bitmap-and-pixmap-size-checks.patch -# CVE-2016-7157: mptsas: invalid memory access (bz #1373505) -Patch0005: 0005-scsi-mptconfig-fix-an-assert-expression.patch -Patch0006: 0006-scsi-mptconfig-fix-misuse-of-MPTSAS_CONFIG_PACK.patch -# CVE-2016-7466: usb: xhci memory leakage during device unplug (bz #1377838) -Patch0007: 0007-usb-xhci-fix-memory-leak-in-usb_xhci_exit.patch -# CVE-2016-7423: scsi: mptsas: OOB access (bz #1376777) -Patch0008: 0008-scsi-mptsas-use-g_new0-to-allocate-MPTSASRequest-obj.patch -# CVE-2016-7422: virtio: null pointer dereference (bz #1376756) -Patch0009: 0009-virtio-add-check-for-descriptor-s-mapped-address.patch -# CVE-2016-7908: net: Infinite loop in mcf_fec_do_tx (bz #1381193) -Patch0010: 0010-net-mcf-limit-buffer-descriptor-count.patch -# CVE-2016-8576: usb: xHCI: infinite loop vulnerability (bz #1382322) -Patch0011: 0011-xhci-limit-the-number-of-link-trbs-we-are-willing-to.patch -# CVE-2016-7995: usb: hcd-ehci: memory leak (bz #1382669) -Patch0012: 0012-usb-ehci-fix-memory-leak-in-ehci_process_itd.patch -# Fix interrupt endpoints not working with network/spice USB redirection on -# guest with an emulated xhci controller (bz #1382331) -Patch0013: 0013-usb-redir-allocate-buffers-before-waking-up-the-host.patch -# Fix nested PPC 'Unknown MMU model' error (bz #1374749) -Patch0014: 0014-ppc-kvm-Mark-64kB-page-size-support-as-disabled-if-n.patch -# Fix flickering display with boxes + wayland VM (bz #1266484) -Patch0015: 0015-qxl-Only-emit-QXL_INTERRUPT_CLIENT_MONITORS_CONFIG-o.patch +# Fix flickering display with boxes + wayland VM (bz #1392239) +# Posted, but not yet upstream +Patch0001: 0001-qxl-Only-emit-QXL_INTERRUPT_CLIENT_MONITORS_CONFIG-o.patch # documentation deps BuildRequires: texi2html @@ -418,6 +391,17 @@ This package provides the additional iSCSI block driver for QEMU. Install this package if you want to access iSCSI volumes. +%package block-nfs +Summary: QEMU NFS block driver +Group: Development/Tools +Requires: %{name}-common%{?_isa} = %{epoch}:%{version}-%{release} + +%description block-nfs +This package provides the additional NFS block driver for QEMU. + +Install this package if you want to access remote NFS storage. + + %package block-rbd Summary: QEMU Ceph/RBD block driver Group: Development/Tools @@ -1039,7 +1023,6 @@ user_arch="\ sparc \ sparc32plus \ sparc64 \ - unicore32 \ x86_64" dynamic_targets= @@ -1155,7 +1138,6 @@ pushd build-static --disable-nettle \ --disable-cap-ng \ --disable-brlapi \ - --disable-uuid \ --disable-libnfs \ %ifarch s390 %{mips64} --enable-tcg-interpreter \ @@ -1266,14 +1248,9 @@ rm -rf %{buildroot}%{_datadir}/%{name}/vgabios*bin # Provided by package seabios rm -rf %{buildroot}%{_datadir}/%{name}/bios.bin rm -rf %{buildroot}%{_datadir}/%{name}/bios-256k.bin -rm -rf %{buildroot}%{_datadir}/%{name}/acpi-dsdt.aml -rm -rf %{buildroot}%{_datadir}/%{name}/q35-acpi-dsdt.aml # Provided by package sgabios rm -rf %{buildroot}%{_datadir}/%{name}/sgabios.bin -# the pxe gpxe images will be symlinks to the images on -# /usr/share/ipxe, as QEMU doesn't know how to look -# for other paths, yet. pxe_link() { ln -s ../ipxe/$2.rom %{buildroot}%{_datadir}/%{name}/pxe-$1.rom ln -s ../ipxe.efi/$2.rom %{buildroot}%{_datadir}/%{name}/efi-$1.rom @@ -1300,8 +1277,6 @@ rom_link ../seavgabios/vgabios-vmware.bin vgabios-vmware.bin rom_link ../seavgabios/vgabios-virtio.bin vgabios-virtio.bin rom_link ../seabios/bios.bin bios.bin rom_link ../seabios/bios-256k.bin bios-256k.bin -rom_link ../seabios/acpi-dsdt.aml acpi-dsdt.aml -rom_link ../seabios/q35-acpi-dsdt.aml q35-acpi-dsdt.aml rom_link ../sgabios/sgabios.bin sgabios.bin # Install binfmt @@ -1479,7 +1454,6 @@ getent passwd qemu >/dev/null || \ %doc %{qemudocdir}/Changelog %doc %{qemudocdir}/README %doc %{qemudocdir}/qemu-doc.html -%doc %{qemudocdir}/qemu-tech.html %doc %{qemudocdir}/qmp-commands.txt %doc %{qemudocdir}/COPYING %doc %{qemudocdir}/COPYING.LIB @@ -1510,7 +1484,6 @@ getent passwd qemu >/dev/null || \ %files guest-agent -%doc COPYING README %{_bindir}/qemu-ga %{_mandir}/man8/qemu-ga.8* %{_unitdir}/qemu-guest-agent.service @@ -1530,7 +1503,7 @@ getent passwd qemu >/dev/null || \ %files block-dmg -%{_libdir}/qemu/block-dmg.so +%{_libdir}/qemu/block-dmg-bz2.so %files block-gluster @@ -1541,6 +1514,10 @@ getent passwd qemu >/dev/null || \ %{_libdir}/qemu/block-iscsi.so +%files block-nfs +%{_libdir}/qemu/block-nfs.so + + %files block-rbd %{_libdir}/qemu/block-rbd.so @@ -1591,7 +1568,6 @@ getent passwd qemu >/dev/null || \ %{_bindir}/qemu-sparc %{_bindir}/qemu-sparc32plus %{_bindir}/qemu-sparc64 -%{_bindir}/qemu-unicore32 %{_datadir}/systemtap/tapset/qemu-i386.stp %{_datadir}/systemtap/tapset/qemu-i386-simpletrace.stp @@ -1647,8 +1623,6 @@ getent passwd qemu >/dev/null || \ %{_datadir}/systemtap/tapset/qemu-sparc32plus-simpletrace.stp %{_datadir}/systemtap/tapset/qemu-sparc64.stp %{_datadir}/systemtap/tapset/qemu-sparc64-simpletrace.stp -%{_datadir}/systemtap/tapset/qemu-unicore32.stp -%{_datadir}/systemtap/tapset/qemu-unicore32-simpletrace.stp %files user-binfmt %{_exec_prefix}/lib/binfmt.d/qemu-*-dynamic.conf @@ -1683,7 +1657,6 @@ getent passwd qemu >/dev/null || \ %{_bindir}/qemu-sparc-static %{_bindir}/qemu-sparc32plus-static %{_bindir}/qemu-sparc64-static -%{_bindir}/qemu-unicore32-static %{_datadir}/systemtap/tapset/qemu-i386-static.stp %{_datadir}/systemtap/tapset/qemu-i386-simpletrace-static.stp @@ -1739,8 +1712,6 @@ getent passwd qemu >/dev/null || \ %{_datadir}/systemtap/tapset/qemu-sparc32plus-simpletrace-static.stp %{_datadir}/systemtap/tapset/qemu-sparc64-static.stp %{_datadir}/systemtap/tapset/qemu-sparc64-simpletrace-static.stp -%{_datadir}/systemtap/tapset/qemu-unicore32-static.stp -%{_datadir}/systemtap/tapset/qemu-unicore32-simpletrace-static.stp %endif @@ -1761,7 +1732,6 @@ getent passwd qemu >/dev/null || \ %endif %{_datadir}/%{name}/acpi-dsdt.aml -%{_datadir}/%{name}/q35-acpi-dsdt.aml %{_datadir}/%{name}/bios.bin %{_datadir}/%{name}/bios-256k.bin %{_datadir}/%{name}/sgabios.bin @@ -1935,6 +1905,7 @@ getent passwd qemu >/dev/null || \ %{_mandir}/man1/qemu-system-ppcemb.1* %{_datadir}/%{name}/bamboo.dtb %{_datadir}/%{name}/ppc_rom.bin +%{_datadir}/%{name}/skiboot.lid %{_datadir}/%{name}/spapr-rtas.bin %{_datadir}/%{name}/u-boot.e500 %ifarch %{power64} @@ -1994,6 +1965,9 @@ getent passwd qemu >/dev/null || \ %changelog +* Mon Dec 05 2016 Cole Robinson - 2:2.8.0-0.1-rc2 +- Rebase to qemu-2.8.0-rc2 + * Mon Nov 28 2016 Paolo Bonzini - 2:2.7.0-10 - Do not build aarch64 with -fPIC anymore (rhbz 1232499)