diff --git a/.gitignore b/.gitignore
index 6e4afb7..49cf2a1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -29,3 +29,4 @@ qemu-kvm-0.13.0-25fdf4a.tar.gz
 /qemu-2.0.0-rc0.tar.bz2
 /qemu-2.0.0-rc3.tar.bz2
 /qemu-2.0.0.tar.bz2
+/qemu-2.1.0-rc0.tar.bz2
diff --git a/0001-Change-gtk-quit-accelerator-to-ctrl-shift-q-bz-10623.patch b/0001-Change-gtk-quit-accelerator-to-ctrl-shift-q-bz-10623.patch
deleted file mode 100644
index 3fc7beb..0000000
--- a/0001-Change-gtk-quit-accelerator-to-ctrl-shift-q-bz-10623.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 9d8e4e500dca987531be3666422f17c9486940b2 Mon Sep 17 00:00:00 2001
-From: Cole Robinson <crobinso@redhat.com>
-Date: Wed, 19 Mar 2014 14:57:27 -0400
-Subject: [PATCH] Change gtk quit accelerator to ctrl+shift+q (bz 1062393)
-
-Similar patches queued for 2.1
----
- ui/gtk.c | 7 +++----
- 1 file changed, 3 insertions(+), 4 deletions(-)
-
-diff --git a/ui/gtk.c b/ui/gtk.c
-index 00fbbcc..264326a 100644
---- a/ui/gtk.c
-+++ b/ui/gtk.c
-@@ -1351,7 +1351,6 @@ static GtkWidget *gd_create_menu_machine(GtkDisplayState *s, GtkAccelGroup *acce
- {
-     GtkWidget *machine_menu;
-     GtkWidget *separator;
--    GtkStockItem item;
- 
-     machine_menu = gtk_menu_new();
-     gtk_menu_set_accel_group(GTK_MENU(machine_menu), accel_group);
-@@ -1371,11 +1370,11 @@ static GtkWidget *gd_create_menu_machine(GtkDisplayState *s, GtkAccelGroup *acce
-     separator = gtk_separator_menu_item_new();
-     gtk_menu_shell_append(GTK_MENU_SHELL(machine_menu), separator);
- 
--    s->quit_item = gtk_image_menu_item_new_from_stock(GTK_STOCK_QUIT, NULL);
--    gtk_stock_lookup(GTK_STOCK_QUIT, &item);
-+    s->quit_item = gtk_menu_item_new_with_mnemonic(_("_Quit"));
-     gtk_menu_item_set_accel_path(GTK_MENU_ITEM(s->quit_item),
-                                  "<QEMU>/Machine/Quit");
--    gtk_accel_map_add_entry("<QEMU>/Machine/Quit", item.keyval, item.modifier);
-+    gtk_accel_map_add_entry("<QEMU>/Machine/Quit",
-+                            GDK_KEY_q, HOTKEY_MODIFIERS);
-     gtk_menu_shell_append(GTK_MENU_SHELL(machine_menu), s->quit_item);
- 
-     return machine_menu;
diff --git a/0002-vmstate-add-VMS_MUST_EXIST.patch b/0002-vmstate-add-VMS_MUST_EXIST.patch
deleted file mode 100644
index 073abd8..0000000
--- a/0002-vmstate-add-VMS_MUST_EXIST.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From 105071cc70a454680e6bf11e2d9d7b73c7ce7491 Mon Sep 17 00:00:00 2001
-From: "Michael S. Tsirkin" <mst@redhat.com>
-Date: Thu, 3 Apr 2014 19:50:31 +0300
-Subject: [PATCH] vmstate: add VMS_MUST_EXIST
-
-Can be used to verify a required field exists or validate
-state in some other way.
-
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
-Signed-off-by: Juan Quintela <quintela@redhat.com>
-(cherry picked from commit 5bf81c8d63db0216a4d29dc87f9ce530bb791dd1)
----
- include/migration/vmstate.h |  1 +
- vmstate.c                   | 10 ++++++++++
- 2 files changed, 11 insertions(+)
-
-diff --git a/include/migration/vmstate.h b/include/migration/vmstate.h
-index e7e1705..de970ab 100644
---- a/include/migration/vmstate.h
-+++ b/include/migration/vmstate.h
-@@ -100,6 +100,7 @@ enum VMStateFlags {
-     VMS_MULTIPLY         = 0x200,  /* multiply "size" field by field_size */
-     VMS_VARRAY_UINT8     = 0x400,  /* Array with size in uint8_t field*/
-     VMS_VARRAY_UINT32    = 0x800,  /* Array with size in uint32_t field*/
-+    VMS_MUST_EXIST       = 0x1000, /* Field must exist in input */
- };
- 
- typedef struct {
-diff --git a/vmstate.c b/vmstate.c
-index b689f2f..d856319 100644
---- a/vmstate.c
-+++ b/vmstate.c
-@@ -78,6 +78,10 @@ int vmstate_load_state(QEMUFile *f, const VMStateDescription *vmsd,
-                     return ret;
-                 }
-             }
-+        } else if (field->flags & VMS_MUST_EXIST) {
-+            fprintf(stderr, "Input validation failed: %s/%s\n",
-+                    vmsd->name, field->name);
-+            return -1;
-         }
-         field++;
-     }
-@@ -138,6 +142,12 @@ void vmstate_save_state(QEMUFile *f, const VMStateDescription *vmsd,
-                     field->info->put(f, addr, size);
-                 }
-             }
-+        } else {
-+            if (field->flags & VMS_MUST_EXIST) {
-+                fprintf(stderr, "Output state validation failed: %s/%s\n",
-+                        vmsd->name, field->name);
-+                assert(!(field->flags & VMS_MUST_EXIST));
-+            }
-         }
-         field++;
-     }
diff --git a/0003-vmstate-add-VMSTATE_VALIDATE.patch b/0003-vmstate-add-VMSTATE_VALIDATE.patch
deleted file mode 100644
index 775a9ab..0000000
--- a/0003-vmstate-add-VMSTATE_VALIDATE.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From d9e0cb134eefe5104b404b91eaf969a2cd74bd9f Mon Sep 17 00:00:00 2001
-From: "Michael S. Tsirkin" <mst@redhat.com>
-Date: Thu, 3 Apr 2014 19:50:35 +0300
-Subject: [PATCH] vmstate: add VMSTATE_VALIDATE
-
-Validate state using VMS_ARRAY with num = 0 and VMS_MUST_EXIST
-
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Juan Quintela <quintela@redhat.com>
-(cherry picked from commit 4082f0889ba04678fc14816c53e1b9251ea9207e)
----
- include/migration/vmstate.h | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/include/migration/vmstate.h b/include/migration/vmstate.h
-index de970ab..5b71370 100644
---- a/include/migration/vmstate.h
-+++ b/include/migration/vmstate.h
-@@ -204,6 +204,14 @@ extern const VMStateInfo vmstate_info_bitmap;
-     .offset       = vmstate_offset_value(_state, _field, _type),     \
- }
- 
-+/* Validate state using a boolean predicate. */
-+#define VMSTATE_VALIDATE(_name, _test) { \
-+    .name         = (_name),                                         \
-+    .field_exists = (_test),                                         \
-+    .flags        = VMS_ARRAY | VMS_MUST_EXIST,                      \
-+    .num          = 0, /* 0 elements: no data, only run _test */     \
-+}
-+
- #define VMSTATE_POINTER(_field, _state, _version, _info, _type) {    \
-     .name       = (stringify(_field)),                               \
-     .version_id = (_version),                                        \
diff --git a/0004-virtio-net-fix-buffer-overflow-on-invalid-state-load.patch b/0004-virtio-net-fix-buffer-overflow-on-invalid-state-load.patch
deleted file mode 100644
index 1b315c5..0000000
--- a/0004-virtio-net-fix-buffer-overflow-on-invalid-state-load.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From ea96c6a9c91da1923aa922a781fd7abbf9f51b6c Mon Sep 17 00:00:00 2001
-From: "Michael S. Tsirkin" <mst@redhat.com>
-Date: Thu, 3 Apr 2014 19:50:39 +0300
-Subject: [PATCH] virtio-net: fix buffer overflow on invalid state load
-
-CVE-2013-4148 QEMU 1.0 integer conversion in
-virtio_net_load()@hw/net/virtio-net.c
-
-Deals with loading a corrupted savevm image.
-
->         n->mac_table.in_use = qemu_get_be32(f);
-
-in_use is int so it can get negative when assigned 32bit unsigned value.
-
->         /* MAC_TABLE_ENTRIES may be different from the saved image */
->         if (n->mac_table.in_use <= MAC_TABLE_ENTRIES) {
-
-passing this check ^^^
-
->             qemu_get_buffer(f, n->mac_table.macs,
->                             n->mac_table.in_use * ETH_ALEN);
-
-with good in_use value, "n->mac_table.in_use * ETH_ALEN" can get
-positive and bigger than mac_table.macs. For example 0x81000000
-satisfies this condition when ETH_ALEN is 6.
-
-Fix it by making the value unsigned.
-For consistency, change first_multi as well.
-
-Note: all call sites were audited to confirm that
-making them unsigned didn't cause any issues:
-it turns out we actually never do math on them,
-so it's easy to validate because both values are
-always <= MAC_TABLE_ENTRIES.
-
-Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-Reviewed-by: Laszlo Ersek <lersek@redhat.com>
-Signed-off-by: Juan Quintela <quintela@redhat.com>
-(cherry picked from commit 71f7fe48e10a8437c9d42d859389f37157f59980)
----
- include/hw/virtio/virtio-net.h | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/include/hw/virtio/virtio-net.h b/include/hw/virtio/virtio-net.h
-index df60f16..4b32440 100644
---- a/include/hw/virtio/virtio-net.h
-+++ b/include/hw/virtio/virtio-net.h
-@@ -176,8 +176,8 @@ typedef struct VirtIONet {
-     uint8_t nobcast;
-     uint8_t vhost_started;
-     struct {
--        int in_use;
--        int first_multi;
-+        uint32_t in_use;
-+        uint32_t first_multi;
-         uint8_t multi_overflow;
-         uint8_t uni_overflow;
-         uint8_t *macs;
diff --git a/0005-virtio-net-out-of-bounds-buffer-write-on-invalid-sta.patch b/0005-virtio-net-out-of-bounds-buffer-write-on-invalid-sta.patch
deleted file mode 100644
index 3648d73..0000000
--- a/0005-virtio-net-out-of-bounds-buffer-write-on-invalid-sta.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From 9229c44bfa3549085ac68265d9be95a8552c4fa4 Mon Sep 17 00:00:00 2001
-From: "Michael S. Tsirkin" <mst@redhat.com>
-Date: Thu, 3 Apr 2014 19:50:56 +0300
-Subject: [PATCH] virtio-net: out-of-bounds buffer write on invalid state load
-
-CVE-2013-4150 QEMU 1.5.0 out-of-bounds buffer write in
-virtio_net_load()@hw/net/virtio-net.c
-
-This code is in hw/net/virtio-net.c:
-
-    if (n->max_queues > 1) {
-        if (n->max_queues != qemu_get_be16(f)) {
-            error_report("virtio-net: different max_queues ");
-            return -1;
-        }
-
-        n->curr_queues = qemu_get_be16(f);
-        for (i = 1; i < n->curr_queues; i++) {
-            n->vqs[i].tx_waiting = qemu_get_be32(f);
-        }
-    }
-
-Number of vqs is max_queues, so if we get invalid input here,
-for example if max_queues = 2, curr_queues = 3, we get
-write beyond end of the buffer, with data that comes from
-wire.
-
-This might be used to corrupt qemu memory in hard to predict ways.
-Since we have lots of function pointers around, RCE might be possible.
-
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-Acked-by: Jason Wang <jasowang@redhat.com>
-Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-Signed-off-by: Juan Quintela <quintela@redhat.com>
-(cherry picked from commit eea750a5623ddac7a61982eec8f1c93481857578)
----
- hw/net/virtio-net.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
-index 33bd233..0a8cb40 100644
---- a/hw/net/virtio-net.c
-+++ b/hw/net/virtio-net.c
-@@ -1407,6 +1407,11 @@ static int virtio_net_load(QEMUFile *f, void *opaque, int version_id)
-         }
- 
-         n->curr_queues = qemu_get_be16(f);
-+        if (n->curr_queues > n->max_queues) {
-+            error_report("virtio-net: curr_queues %x > max_queues %x",
-+                         n->curr_queues, n->max_queues);
-+            return -1;
-+        }
-         for (i = 1; i < n->curr_queues; i++) {
-             n->vqs[i].tx_waiting = qemu_get_be32(f);
-         }
diff --git a/0006-virtio-out-of-bounds-buffer-write-on-invalid-state-l.patch b/0006-virtio-out-of-bounds-buffer-write-on-invalid-state-l.patch
deleted file mode 100644
index c47af93..0000000
--- a/0006-virtio-out-of-bounds-buffer-write-on-invalid-state-l.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From 23f0db5c309893195025bc75402f3f9e1b4de743 Mon Sep 17 00:00:00 2001
-From: "Michael S. Tsirkin" <mst@redhat.com>
-Date: Thu, 3 Apr 2014 19:51:14 +0300
-Subject: [PATCH] virtio: out-of-bounds buffer write on invalid state load
-
-CVE-2013-4151 QEMU 1.0 out-of-bounds buffer write in
-virtio_load@hw/virtio/virtio.c
-
-So we have this code since way back when:
-
-    num = qemu_get_be32(f);
-
-    for (i = 0; i < num; i++) {
-        vdev->vq[i].vring.num = qemu_get_be32(f);
-
-array of vqs has size VIRTIO_PCI_QUEUE_MAX, so
-on invalid input this will write beyond end of buffer.
-
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-Signed-off-by: Juan Quintela <quintela@redhat.com>
-(cherry picked from commit cc45995294b92d95319b4782750a3580cabdbc0c)
----
- hw/virtio/virtio.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
-index aeabf3a..05f05e7 100644
---- a/hw/virtio/virtio.c
-+++ b/hw/virtio/virtio.c
-@@ -891,7 +891,8 @@ int virtio_set_features(VirtIODevice *vdev, uint32_t val)
- 
- int virtio_load(VirtIODevice *vdev, QEMUFile *f)
- {
--    int num, i, ret;
-+    int i, ret;
-+    uint32_t num;
-     uint32_t features;
-     uint32_t supported_features;
-     BusState *qbus = qdev_get_parent_bus(DEVICE(vdev));
-@@ -919,6 +920,11 @@ int virtio_load(VirtIODevice *vdev, QEMUFile *f)
- 
-     num = qemu_get_be32(f);
- 
-+    if (num > VIRTIO_PCI_QUEUE_MAX) {
-+        error_report("Invalid number of PCI queues: 0x%x", num);
-+        return -1;
-+    }
-+
-     for (i = 0; i < num; i++) {
-         vdev->vq[i].vring.num = qemu_get_be32(f);
-         if (k->has_variable_vring_alignment) {
diff --git a/0007-ahci-fix-buffer-overrun-on-invalid-state-load.patch b/0007-ahci-fix-buffer-overrun-on-invalid-state-load.patch
deleted file mode 100644
index 07a379c..0000000
--- a/0007-ahci-fix-buffer-overrun-on-invalid-state-load.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 95fa012ed61e1e8b88d701b8f75b38dc5edb16e2 Mon Sep 17 00:00:00 2001
-From: "Michael S. Tsirkin" <mst@redhat.com>
-Date: Thu, 3 Apr 2014 19:51:18 +0300
-Subject: [PATCH] ahci: fix buffer overrun on invalid state load
-
-CVE-2013-4526
-
-Within hw/ide/ahci.c, VARRAY refers to ports which is also loaded.  So
-we use the old version of ports to read the array but then allow any
-value for ports.  This can cause the code to overflow.
-
-There's no reason to migrate ports - it never changes.
-So just make sure it matches.
-
-Reported-by: Anthony Liguori <anthony@codemonkey.ws>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Juan Quintela <quintela@redhat.com>
-(cherry picked from commit ae2158ad6ce0845b2fae2a22aa7f19c0d7a71ce5)
----
- hw/ide/ahci.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
-index bfe633f..457a7a1 100644
---- a/hw/ide/ahci.c
-+++ b/hw/ide/ahci.c
-@@ -1293,7 +1293,7 @@ const VMStateDescription vmstate_ahci = {
-         VMSTATE_UINT32(control_regs.impl, AHCIState),
-         VMSTATE_UINT32(control_regs.version, AHCIState),
-         VMSTATE_UINT32(idp_index, AHCIState),
--        VMSTATE_INT32(ports, AHCIState),
-+        VMSTATE_INT32_EQUAL(ports, AHCIState),
-         VMSTATE_END_OF_LIST()
-     },
- };
diff --git a/0008-hpet-fix-buffer-overrun-on-invalid-state-load.patch b/0008-hpet-fix-buffer-overrun-on-invalid-state-load.patch
deleted file mode 100644
index fa1c624..0000000
--- a/0008-hpet-fix-buffer-overrun-on-invalid-state-load.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From 5e0e0a12887c9e70356c23d20b08b08eabd4a6df Mon Sep 17 00:00:00 2001
-From: "Michael S. Tsirkin" <mst@redhat.com>
-Date: Thu, 3 Apr 2014 19:51:23 +0300
-Subject: [PATCH] hpet: fix buffer overrun on invalid state load
-
-CVE-2013-4527 hw/timer/hpet.c buffer overrun
-
-hpet is a VARRAY with a uint8 size but static array of 32
-
-To fix, make sure num_timers is valid using VMSTATE_VALID hook.
-
-Reported-by: Anthony Liguori <anthony@codemonkey.ws>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
-Signed-off-by: Juan Quintela <quintela@redhat.com>
-(cherry picked from commit 3f1c49e2136fa08ab1ef3183fd55def308829584)
----
- hw/timer/hpet.c | 13 +++++++++++++
- 1 file changed, 13 insertions(+)
-
-diff --git a/hw/timer/hpet.c b/hw/timer/hpet.c
-index e15d6bc..2792f89 100644
---- a/hw/timer/hpet.c
-+++ b/hw/timer/hpet.c
-@@ -239,6 +239,18 @@ static int hpet_pre_load(void *opaque)
-     return 0;
- }
- 
-+static bool hpet_validate_num_timers(void *opaque, int version_id)
-+{
-+    HPETState *s = opaque;
-+
-+    if (s->num_timers < HPET_MIN_TIMERS) {
-+        return false;
-+    } else if (s->num_timers > HPET_MAX_TIMERS) {
-+        return false;
-+    }
-+    return true;
-+}
-+
- static int hpet_post_load(void *opaque, int version_id)
- {
-     HPETState *s = opaque;
-@@ -307,6 +319,7 @@ static const VMStateDescription vmstate_hpet = {
-         VMSTATE_UINT64(isr, HPETState),
-         VMSTATE_UINT64(hpet_counter, HPETState),
-         VMSTATE_UINT8_V(num_timers, HPETState, 2),
-+        VMSTATE_VALIDATE("num_timers in range", hpet_validate_num_timers),
-         VMSTATE_STRUCT_VARRAY_UINT8(timer, HPETState, num_timers, 0,
-                                     vmstate_hpet_timer, HPETTimer),
-         VMSTATE_END_OF_LIST()
diff --git a/0009-hw-pci-pcie_aer.c-fix-buffer-overruns-on-invalid-sta.patch b/0009-hw-pci-pcie_aer.c-fix-buffer-overruns-on-invalid-sta.patch
deleted file mode 100644
index 5b22295..0000000
--- a/0009-hw-pci-pcie_aer.c-fix-buffer-overruns-on-invalid-sta.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From b6f53085cc618bc7e58be702afacad1b5dcae5ba Mon Sep 17 00:00:00 2001
-From: "Michael S. Tsirkin" <mst@redhat.com>
-Date: Thu, 3 Apr 2014 19:51:31 +0300
-Subject: [PATCH] hw/pci/pcie_aer.c: fix buffer overruns on invalid state load
-
-4) CVE-2013-4529
-hw/pci/pcie_aer.c    pcie aer log can overrun the buffer if log_num is
-                     too large
-
-There are two issues in this file:
-1. log_max from remote can be larger than on local
-then buffer will overrun with data coming from state file.
-2. log_num can be larger then we get data corruption
-again with an overflow but not adversary controlled.
-
-Fix both issues.
-
-Reported-by: Anthony Liguori <anthony@codemonkey.ws>
-Reported-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
-Signed-off-by: Juan Quintela <quintela@redhat.com>
-(cherry picked from commit 5f691ff91d323b6f97c6600405a7f9dc115a0ad1)
----
- hw/pci/pcie_aer.c | 10 +++++++++-
- 1 file changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/hw/pci/pcie_aer.c b/hw/pci/pcie_aer.c
-index 991502e..535be2c 100644
---- a/hw/pci/pcie_aer.c
-+++ b/hw/pci/pcie_aer.c
-@@ -795,6 +795,13 @@ static const VMStateDescription vmstate_pcie_aer_err = {
-     }
- };
- 
-+static bool pcie_aer_state_log_num_valid(void *opaque, int version_id)
-+{
-+    PCIEAERLog *s = opaque;
-+
-+    return s->log_num <= s->log_max;
-+}
-+
- const VMStateDescription vmstate_pcie_aer_log = {
-     .name = "PCIE_AER_ERROR_LOG",
-     .version_id = 1,
-@@ -802,7 +809,8 @@ const VMStateDescription vmstate_pcie_aer_log = {
-     .minimum_version_id_old = 1,
-     .fields     = (VMStateField[]) {
-         VMSTATE_UINT16(log_num, PCIEAERLog),
--        VMSTATE_UINT16(log_max, PCIEAERLog),
-+        VMSTATE_UINT16_EQUAL(log_max, PCIEAERLog),
-+        VMSTATE_VALIDATE("log_num <= log_max", pcie_aer_state_log_num_valid),
-         VMSTATE_STRUCT_VARRAY_POINTER_UINT16(log, PCIEAERLog, log_num,
-                               vmstate_pcie_aer_err, PCIEAERErr),
-         VMSTATE_END_OF_LIST()
diff --git a/0010-pl022-fix-buffer-overun-on-invalid-state-load.patch b/0010-pl022-fix-buffer-overun-on-invalid-state-load.patch
deleted file mode 100644
index f48fa74..0000000
--- a/0010-pl022-fix-buffer-overun-on-invalid-state-load.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 872fc04ecd90e0ca4d8ac4565b3a9f246c070873 Mon Sep 17 00:00:00 2001
-From: "Michael S. Tsirkin" <mst@redhat.com>
-Date: Thu, 3 Apr 2014 19:51:35 +0300
-Subject: [PATCH] pl022: fix buffer overun on invalid state load
-
-CVE-2013-4530
-
-pl022.c did not bounds check tx_fifo_head and
-rx_fifo_head after loading them from file and
-before they are used to dereference array.
-
-Reported-by: Michael S. Tsirkin <mst@redhat.com
-Reported-by: Anthony Liguori <anthony@codemonkey.ws>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Juan Quintela <quintela@redhat.com>
-(cherry picked from commit d8d0a0bc7e194300e53a346d25fe5724fd588387)
----
- hw/ssi/pl022.c | 14 ++++++++++++++
- 1 file changed, 14 insertions(+)
-
-diff --git a/hw/ssi/pl022.c b/hw/ssi/pl022.c
-index fd479ef..b19bc71 100644
---- a/hw/ssi/pl022.c
-+++ b/hw/ssi/pl022.c
-@@ -240,11 +240,25 @@ static const MemoryRegionOps pl022_ops = {
-     .endianness = DEVICE_NATIVE_ENDIAN,
- };
- 
-+static int pl022_post_load(void *opaque, int version_id)
-+{
-+    PL022State *s = opaque;
-+
-+    if (s->tx_fifo_head < 0 ||
-+        s->tx_fifo_head >= ARRAY_SIZE(s->tx_fifo) ||
-+        s->rx_fifo_head < 0 ||
-+        s->rx_fifo_head >= ARRAY_SIZE(s->rx_fifo)) {
-+        return -1;
-+    }
-+    return 0;
-+}
-+
- static const VMStateDescription vmstate_pl022 = {
-     .name = "pl022_ssp",
-     .version_id = 1,
-     .minimum_version_id = 1,
-     .minimum_version_id_old = 1,
-+    .post_load = pl022_post_load,
-     .fields      = (VMStateField[]) {
-         VMSTATE_UINT32(cr0, PL022State),
-         VMSTATE_UINT32(cr1, PL022State),
diff --git a/0011-vmstate-fix-buffer-overflow-in-target-arm-machine.c.patch b/0011-vmstate-fix-buffer-overflow-in-target-arm-machine.c.patch
deleted file mode 100644
index 46a77b0..0000000
--- a/0011-vmstate-fix-buffer-overflow-in-target-arm-machine.c.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From acf45756e165664f6d70025c02ddca563adee496 Mon Sep 17 00:00:00 2001
-From: "Michael S. Tsirkin" <mst@redhat.com>
-Date: Thu, 3 Apr 2014 19:51:42 +0300
-Subject: [PATCH] vmstate: fix buffer overflow in target-arm/machine.c
-
-CVE-2013-4531
-
-cpreg_vmstate_indexes is a VARRAY_INT32. A negative value for
-cpreg_vmstate_array_len will cause a buffer overflow.
-
-VMSTATE_INT32_LE was supposed to protect against this
-but doesn't because it doesn't validate that input is
-non-negative.
-
-Fix this macro to valide the value appropriately.
-
-The only other user of VMSTATE_INT32_LE doesn't
-ever use negative numbers so it doesn't care.
-
-Reported-by: Anthony Liguori <anthony@codemonkey.ws>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Juan Quintela <quintela@redhat.com>
-(cherry picked from commit d2ef4b61fe6d33d2a5dcf100a9b9440de341ad62)
----
- vmstate.c | 7 ++++---
- 1 file changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/vmstate.c b/vmstate.c
-index d856319..105f184 100644
---- a/vmstate.c
-+++ b/vmstate.c
-@@ -333,8 +333,9 @@ const VMStateInfo vmstate_info_int32_equal = {
-     .put  = put_int32,
- };
- 
--/* 32 bit int. Check that the received value is less than or equal to
--   the one in the field */
-+/* 32 bit int. Check that the received value is non-negative
-+ * and less than or equal to the one in the field.
-+ */
- 
- static int get_int32_le(QEMUFile *f, void *pv, size_t size)
- {
-@@ -342,7 +343,7 @@ static int get_int32_le(QEMUFile *f, void *pv, size_t size)
-     int32_t loaded;
-     qemu_get_sbe32s(f, &loaded);
- 
--    if (loaded <= *cur) {
-+    if (loaded >= 0 && loaded <= *cur) {
-         *cur = loaded;
-         return 0;
-     }
diff --git a/0012-virtio-avoid-buffer-overrun-on-incoming-migration.patch b/0012-virtio-avoid-buffer-overrun-on-incoming-migration.patch
deleted file mode 100644
index 69bdf95..0000000
--- a/0012-virtio-avoid-buffer-overrun-on-incoming-migration.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 9b5cc034e1ed5b2ebc133029d4f865f186c6b895 Mon Sep 17 00:00:00 2001
-From: Michael Roth <mdroth@linux.vnet.ibm.com>
-Date: Thu, 3 Apr 2014 19:51:46 +0300
-Subject: [PATCH] virtio: avoid buffer overrun on incoming migration
-
-CVE-2013-6399
-
-vdev->queue_sel is read from the wire, and later used in the
-emulation code as an index into vdev->vq[]. If the value of
-vdev->queue_sel exceeds the length of vdev->vq[], currently
-allocated to be VIRTIO_PCI_QUEUE_MAX elements, subsequent PIO
-operations such as VIRTIO_PCI_QUEUE_PFN can be used to overrun
-the buffer with arbitrary data originating from the source.
-
-Fix this by failing migration if the value from the wire exceeds
-VIRTIO_PCI_QUEUE_MAX.
-
-Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Juan Quintela <quintela@redhat.com>
-(cherry picked from commit 4b53c2c72cb5541cf394033b528a6fe2a86c0ac1)
----
- hw/virtio/virtio.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
-index 05f05e7..0072542 100644
---- a/hw/virtio/virtio.c
-+++ b/hw/virtio/virtio.c
-@@ -907,6 +907,9 @@ int virtio_load(VirtIODevice *vdev, QEMUFile *f)
-     qemu_get_8s(f, &vdev->status);
-     qemu_get_8s(f, &vdev->isr);
-     qemu_get_be16s(f, &vdev->queue_sel);
-+    if (vdev->queue_sel >= VIRTIO_PCI_QUEUE_MAX) {
-+        return -1;
-+    }
-     qemu_get_be32s(f, &features);
- 
-     if (virtio_set_features(vdev, features) < 0) {
diff --git a/0013-virtio-validate-num_sg-when-mapping.patch b/0013-virtio-validate-num_sg-when-mapping.patch
deleted file mode 100644
index 91de06c..0000000
--- a/0013-virtio-validate-num_sg-when-mapping.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From f1344659fd93ea0dfb9d8d1af25993e57584c773 Mon Sep 17 00:00:00 2001
-From: "Michael S. Tsirkin" <mst@redhat.com>
-Date: Thu, 3 Apr 2014 19:51:53 +0300
-Subject: [PATCH] virtio: validate num_sg when mapping
-
-CVE-2013-4535
-CVE-2013-4536
-
-Both virtio-block and virtio-serial read,
-VirtQueueElements are read in as buffers, and passed to
-virtqueue_map_sg(), where num_sg is taken from the wire and can force
-writes to indicies beyond VIRTQUEUE_MAX_SIZE.
-
-To fix, validate num_sg.
-
-Reported-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-Cc: Amit Shah <amit.shah@redhat.com>
-Signed-off-by: Juan Quintela <quintela@redhat.com>
-(cherry picked from commit 36cf2a37132c7f01fa9adb5f95f5312b27742fd4)
----
- hw/virtio/virtio.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
-index 0072542..a70169a 100644
---- a/hw/virtio/virtio.c
-+++ b/hw/virtio/virtio.c
-@@ -430,6 +430,12 @@ void virtqueue_map_sg(struct iovec *sg, hwaddr *addr,
-     unsigned int i;
-     hwaddr len;
- 
-+    if (num_sg >= VIRTQUEUE_MAX_SIZE) {
-+        error_report("virtio: map attempt out of bounds: %zd > %d",
-+                     num_sg, VIRTQUEUE_MAX_SIZE);
-+        exit(1);
-+    }
-+
-     for (i = 0; i < num_sg; i++) {
-         len = sg[i].iov_len;
-         sg[i].iov_base = cpu_physical_memory_map(addr[i], &len, is_write);
diff --git a/0014-pxa2xx-avoid-buffer-overrun-on-incoming-migration.patch b/0014-pxa2xx-avoid-buffer-overrun-on-incoming-migration.patch
deleted file mode 100644
index 94d2d4d..0000000
--- a/0014-pxa2xx-avoid-buffer-overrun-on-incoming-migration.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From 43b30dec4d07aa81ff5f2dc3b0a064fa589fd3af Mon Sep 17 00:00:00 2001
-From: "Michael S. Tsirkin" <mst@redhat.com>
-Date: Thu, 3 Apr 2014 19:51:57 +0300
-Subject: [PATCH] pxa2xx: avoid buffer overrun on incoming migration
-
-CVE-2013-4533
-
-s->rx_level is read from the wire and used to determine how many bytes
-to subsequently read into s->rx_fifo[]. If s->rx_level exceeds the
-length of s->rx_fifo[] the buffer can be overrun with arbitrary data
-from the wire.
-
-Fix this by validating rx_level against the size of s->rx_fifo.
-
-Cc: Don Koch <dkoch@verizon.com>
-Reported-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Don Koch <dkoch@verizon.com>
-Signed-off-by: Juan Quintela <quintela@redhat.com>
-(cherry picked from commit caa881abe0e01f9931125a0977ec33c5343e4aa7)
----
- hw/arm/pxa2xx.c | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/hw/arm/pxa2xx.c b/hw/arm/pxa2xx.c
-index 0429148..e0cd847 100644
---- a/hw/arm/pxa2xx.c
-+++ b/hw/arm/pxa2xx.c
-@@ -732,7 +732,7 @@ static void pxa2xx_ssp_save(QEMUFile *f, void *opaque)
- static int pxa2xx_ssp_load(QEMUFile *f, void *opaque, int version_id)
- {
-     PXA2xxSSPState *s = (PXA2xxSSPState *) opaque;
--    int i;
-+    int i, v;
- 
-     s->enable = qemu_get_be32(f);
- 
-@@ -746,7 +746,11 @@ static int pxa2xx_ssp_load(QEMUFile *f, void *opaque, int version_id)
-     qemu_get_8s(f, &s->ssrsa);
-     qemu_get_8s(f, &s->ssacd);
- 
--    s->rx_level = qemu_get_byte(f);
-+    v = qemu_get_byte(f);
-+    if (v < 0 || v > ARRAY_SIZE(s->rx_fifo)) {
-+        return -EINVAL;
-+    }
-+    s->rx_level = v;
-     s->rx_start = 0;
-     for (i = 0; i < s->rx_level; i ++)
-         s->rx_fifo[i] = qemu_get_byte(f);
diff --git a/0015-ssd0323-fix-buffer-overun-on-invalid-state-load.patch b/0015-ssd0323-fix-buffer-overun-on-invalid-state-load.patch
deleted file mode 100644
index c0bc8e9..0000000
--- a/0015-ssd0323-fix-buffer-overun-on-invalid-state-load.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-From 0cbd8c5754d6f56b53717e92353772777a799b87 Mon Sep 17 00:00:00 2001
-From: "Michael S. Tsirkin" <mst@redhat.com>
-Date: Thu, 3 Apr 2014 19:52:05 +0300
-Subject: [PATCH] ssd0323: fix buffer overun on invalid state load
-
-CVE-2013-4538
-
-s->cmd_len used as index in ssd0323_transfer() to store 32-bit field.
-Possible this field might then be supplied by guest to overwrite a
-return addr somewhere. Same for row/col fields, which are indicies into
-framebuffer array.
-
-To fix validate after load.
-
-Additionally, validate that the row/col_start/end are within bounds;
-otherwise the guest can provoke an overrun by either setting the _end
-field so large that the row++ increments just walk off the end of the
-array, or by setting the _start value to something bogus and then
-letting the "we hit end of row" logic reset row to row_start.
-
-For completeness, validate mode as well.
-
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Juan Quintela <quintela@redhat.com>
-(cherry picked from commit ead7a57df37d2187813a121308213f41591bd811)
----
- hw/display/ssd0323.c | 24 ++++++++++++++++++++++++
- 1 file changed, 24 insertions(+)
-
-diff --git a/hw/display/ssd0323.c b/hw/display/ssd0323.c
-index 971152e..9727007 100644
---- a/hw/display/ssd0323.c
-+++ b/hw/display/ssd0323.c
-@@ -312,18 +312,42 @@ static int ssd0323_load(QEMUFile *f, void *opaque, int version_id)
-         return -EINVAL;
- 
-     s->cmd_len = qemu_get_be32(f);
-+    if (s->cmd_len < 0 || s->cmd_len > ARRAY_SIZE(s->cmd_data)) {
-+        return -EINVAL;
-+    }
-     s->cmd = qemu_get_be32(f);
-     for (i = 0; i < 8; i++)
-         s->cmd_data[i] = qemu_get_be32(f);
-     s->row = qemu_get_be32(f);
-+    if (s->row < 0 || s->row >= 80) {
-+        return -EINVAL;
-+    }
-     s->row_start = qemu_get_be32(f);
-+    if (s->row_start < 0 || s->row_start >= 80) {
-+        return -EINVAL;
-+    }
-     s->row_end = qemu_get_be32(f);
-+    if (s->row_end < 0 || s->row_end >= 80) {
-+        return -EINVAL;
-+    }
-     s->col = qemu_get_be32(f);
-+    if (s->col < 0 || s->col >= 64) {
-+        return -EINVAL;
-+    }
-     s->col_start = qemu_get_be32(f);
-+    if (s->col_start < 0 || s->col_start >= 64) {
-+        return -EINVAL;
-+    }
-     s->col_end = qemu_get_be32(f);
-+    if (s->col_end < 0 || s->col_end >= 64) {
-+        return -EINVAL;
-+    }
-     s->redraw = qemu_get_be32(f);
-     s->remap = qemu_get_be32(f);
-     s->mode = qemu_get_be32(f);
-+    if (s->mode != SSD0323_CMD && s->mode != SSD0323_DATA) {
-+        return -EINVAL;
-+    }
-     qemu_get_buffer(f, s->framebuffer, sizeof(s->framebuffer));
- 
-     ss->cs = qemu_get_be32(f);
diff --git a/0016-tsc210x-fix-buffer-overrun-on-invalid-state-load.patch b/0016-tsc210x-fix-buffer-overrun-on-invalid-state-load.patch
deleted file mode 100644
index 33fc0c7..0000000
--- a/0016-tsc210x-fix-buffer-overrun-on-invalid-state-load.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 984fcc9ad2abc4429422c045d68e17f1eb1fa4b2 Mon Sep 17 00:00:00 2001
-From: "Michael S. Tsirkin" <mst@redhat.com>
-Date: Thu, 3 Apr 2014 19:52:09 +0300
-Subject: [PATCH] tsc210x: fix buffer overrun on invalid state load
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-CVE-2013-4539
-
-s->precision, nextprecision, function and nextfunction
-come from wire and are used
-as idx into resolution[] in TSC_CUT_RESOLUTION.
-
-Validate after load to avoid buffer overrun.
-
-Cc: Andreas Färber <afaerber@suse.de>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Juan Quintela <quintela@redhat.com>
-(cherry picked from commit 5193be3be35f29a35bc465036cd64ad60d43385f)
----
- hw/input/tsc210x.c | 12 ++++++++++++
- 1 file changed, 12 insertions(+)
-
-diff --git a/hw/input/tsc210x.c b/hw/input/tsc210x.c
-index 485c9e5..aa5b688 100644
---- a/hw/input/tsc210x.c
-+++ b/hw/input/tsc210x.c
-@@ -1070,9 +1070,21 @@ static int tsc210x_load(QEMUFile *f, void *opaque, int version_id)
-     s->enabled = qemu_get_byte(f);
-     s->host_mode = qemu_get_byte(f);
-     s->function = qemu_get_byte(f);
-+    if (s->function < 0 || s->function >= ARRAY_SIZE(mode_regs)) {
-+        return -EINVAL;
-+    }
-     s->nextfunction = qemu_get_byte(f);
-+    if (s->nextfunction < 0 || s->nextfunction >= ARRAY_SIZE(mode_regs)) {
-+        return -EINVAL;
-+    }
-     s->precision = qemu_get_byte(f);
-+    if (s->precision < 0 || s->precision >= ARRAY_SIZE(resolution)) {
-+        return -EINVAL;
-+    }
-     s->nextprecision = qemu_get_byte(f);
-+    if (s->nextprecision < 0 || s->nextprecision >= ARRAY_SIZE(resolution)) {
-+        return -EINVAL;
-+    }
-     s->filter = qemu_get_byte(f);
-     s->pin_func = qemu_get_byte(f);
-     s->ref = qemu_get_byte(f);
diff --git a/0017-zaurus-fix-buffer-overrun-on-invalid-state-load.patch b/0017-zaurus-fix-buffer-overrun-on-invalid-state-load.patch
deleted file mode 100644
index 9b442d4..0000000
--- a/0017-zaurus-fix-buffer-overrun-on-invalid-state-load.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From 985b046012f258fd5a2164fb85e9d792f574697c Mon Sep 17 00:00:00 2001
-From: "Michael S. Tsirkin" <mst@redhat.com>
-Date: Thu, 3 Apr 2014 19:52:13 +0300
-Subject: [PATCH] zaurus: fix buffer overrun on invalid state load
-
-CVE-2013-4540
-
-Within scoop_gpio_handler_update, if prev_level has a high bit set, then
-we get bit > 16 and that causes a buffer overrun.
-
-Since prev_level comes from wire indirectly, this can
-happen on invalid state load.
-
-Similarly for gpio_level and gpio_dir.
-
-To fix, limit to 16 bit.
-
-Reported-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
-Signed-off-by: Juan Quintela <quintela@redhat.com>
-(cherry picked from commit 52f91c3723932f8340fe36c8ec8b18a757c37b2b)
----
- hw/gpio/zaurus.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/hw/gpio/zaurus.c b/hw/gpio/zaurus.c
-index dc79a8b..8e2ce04 100644
---- a/hw/gpio/zaurus.c
-+++ b/hw/gpio/zaurus.c
-@@ -203,6 +203,15 @@ static bool is_version_0 (void *opaque, int version_id)
-     return version_id == 0;
- }
- 
-+static bool vmstate_scoop_validate(void *opaque, int version_id)
-+{
-+    ScoopInfo *s = opaque;
-+
-+    return !(s->prev_level & 0xffff0000) &&
-+        !(s->gpio_level & 0xffff0000) &&
-+        !(s->gpio_dir & 0xffff0000);
-+}
-+
- static const VMStateDescription vmstate_scoop_regs = {
-     .name = "scoop",
-     .version_id = 1,
-@@ -215,6 +224,7 @@ static const VMStateDescription vmstate_scoop_regs = {
-         VMSTATE_UINT32(gpio_level, ScoopInfo),
-         VMSTATE_UINT32(gpio_dir, ScoopInfo),
-         VMSTATE_UINT32(prev_level, ScoopInfo),
-+        VMSTATE_VALIDATE("irq levels are 16 bit", vmstate_scoop_validate),
-         VMSTATE_UINT16(mcr, ScoopInfo),
-         VMSTATE_UINT16(cdr, ScoopInfo),
-         VMSTATE_UINT16(ccr, ScoopInfo),
diff --git a/0018-virtio-scsi-fix-buffer-overrun-on-invalid-state-load.patch b/0018-virtio-scsi-fix-buffer-overrun-on-invalid-state-load.patch
deleted file mode 100644
index 6c8218d..0000000
--- a/0018-virtio-scsi-fix-buffer-overrun-on-invalid-state-load.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-From 579bb2000dbcd8a415660e76d31f521d87ac1302 Mon Sep 17 00:00:00 2001
-From: "Michael S. Tsirkin" <mst@redhat.com>
-Date: Thu, 3 Apr 2014 19:52:17 +0300
-Subject: [PATCH] virtio-scsi: fix buffer overrun on invalid state load
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-CVE-2013-4542
-
-hw/scsi/scsi-bus.c invokes load_request.
-
- virtio_scsi_load_request does:
-    qemu_get_buffer(f, (unsigned char *)&req->elem, sizeof(req->elem));
-
-this probably can make elem invalid, for example,
-make in_num or out_num huge, then:
-
-    virtio_scsi_parse_req(s, vs->cmd_vqs[n], req);
-
-will do:
-
-    if (req->elem.out_num > 1) {
-        qemu_sgl_init_external(req, &req->elem.out_sg[1],
-                               &req->elem.out_addr[1],
-                               req->elem.out_num - 1);
-    } else {
-        qemu_sgl_init_external(req, &req->elem.in_sg[1],
-                               &req->elem.in_addr[1],
-                               req->elem.in_num - 1);
-    }
-
-and this will access out of array bounds.
-
-Note: this adds security checks within assert calls since
-SCSIBusInfo's load_request cannot fail.
-For now simply disable builds with NDEBUG - there seems
-to be little value in supporting these.
-
-Cc: Andreas Färber <afaerber@suse.de>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Juan Quintela <quintela@redhat.com>
-(cherry picked from commit 3c3ce981423e0d6c18af82ee62f1850c2cda5976)
----
- hw/scsi/virtio-scsi.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c
-index b0d7517..1752193 100644
---- a/hw/scsi/virtio-scsi.c
-+++ b/hw/scsi/virtio-scsi.c
-@@ -147,6 +147,15 @@ static void *virtio_scsi_load_request(QEMUFile *f, SCSIRequest *sreq)
-     qemu_get_be32s(f, &n);
-     assert(n < vs->conf.num_queues);
-     qemu_get_buffer(f, (unsigned char *)&req->elem, sizeof(req->elem));
-+    /* TODO: add a way for SCSIBusInfo's load_request to fail,
-+     * and fail migration instead of asserting here.
-+     * When we do, we might be able to re-enable NDEBUG below.
-+     */
-+#ifdef NDEBUG
-+#error building with NDEBUG is not supported
-+#endif
-+    assert(req->elem.in_num <= ARRAY_SIZE(req->elem.in_sg));
-+    assert(req->elem.out_num <= ARRAY_SIZE(req->elem.out_sg));
-     virtio_scsi_parse_req(s, vs->cmd_vqs[n], req);
- 
-     scsi_req_ref(sreq);
diff --git a/0019-vmstate-s-VMSTATE_INT32_LE-VMSTATE_INT32_POSITIVE_LE.patch b/0019-vmstate-s-VMSTATE_INT32_LE-VMSTATE_INT32_POSITIVE_LE.patch
deleted file mode 100644
index 8b93785..0000000
--- a/0019-vmstate-s-VMSTATE_INT32_LE-VMSTATE_INT32_POSITIVE_LE.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From 83bb87c00e9970a1771ddcad3fd99091f5b2719c Mon Sep 17 00:00:00 2001
-From: "Michael S. Tsirkin" <mst@redhat.com>
-Date: Thu, 3 Apr 2014 19:52:21 +0300
-Subject: [PATCH] vmstate: s/VMSTATE_INT32_LE/VMSTATE_INT32_POSITIVE_LE/
-
-As the macro verifies the value is positive, rename it
-to make the function clearer.
-
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Juan Quintela <quintela@redhat.com>
-(cherry picked from commit 3476436a44c29725efef0cabf5b3ea4e70054d57)
----
- hw/pci/pci.c                | 4 ++--
- include/migration/vmstate.h | 2 +-
- target-arm/machine.c        | 2 +-
- 3 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/hw/pci/pci.c b/hw/pci/pci.c
-index 2a9f08e..517ff2a 100644
---- a/hw/pci/pci.c
-+++ b/hw/pci/pci.c
-@@ -475,7 +475,7 @@ const VMStateDescription vmstate_pci_device = {
-     .minimum_version_id = 1,
-     .minimum_version_id_old = 1,
-     .fields      = (VMStateField []) {
--        VMSTATE_INT32_LE(version_id, PCIDevice),
-+        VMSTATE_INT32_POSITIVE_LE(version_id, PCIDevice),
-         VMSTATE_BUFFER_UNSAFE_INFO(config, PCIDevice, 0,
-                                    vmstate_info_pci_config,
-                                    PCI_CONFIG_SPACE_SIZE),
-@@ -492,7 +492,7 @@ const VMStateDescription vmstate_pcie_device = {
-     .minimum_version_id = 1,
-     .minimum_version_id_old = 1,
-     .fields      = (VMStateField []) {
--        VMSTATE_INT32_LE(version_id, PCIDevice),
-+        VMSTATE_INT32_POSITIVE_LE(version_id, PCIDevice),
-         VMSTATE_BUFFER_UNSAFE_INFO(config, PCIDevice, 0,
-                                    vmstate_info_pci_config,
-                                    PCIE_CONFIG_SPACE_SIZE),
-diff --git a/include/migration/vmstate.h b/include/migration/vmstate.h
-index 5b71370..7e45048 100644
---- a/include/migration/vmstate.h
-+++ b/include/migration/vmstate.h
-@@ -601,7 +601,7 @@ extern const VMStateInfo vmstate_info_bitmap;
- #define VMSTATE_UINT64_EQUAL(_f, _s)                                  \
-     VMSTATE_UINT64_EQUAL_V(_f, _s, 0)
- 
--#define VMSTATE_INT32_LE(_f, _s)                                   \
-+#define VMSTATE_INT32_POSITIVE_LE(_f, _s)                             \
-     VMSTATE_SINGLE(_f, _s, 0, vmstate_info_int32_le, int32_t)
- 
- #define VMSTATE_UINT8_TEST(_f, _s, _t)                               \
-diff --git a/target-arm/machine.c b/target-arm/machine.c
-index 7ced87a..5746ffd 100644
---- a/target-arm/machine.c
-+++ b/target-arm/machine.c
-@@ -246,7 +246,7 @@ const VMStateDescription vmstate_arm_cpu = {
-         /* The length-check must come before the arrays to avoid
-          * incoming data possibly overflowing the array.
-          */
--        VMSTATE_INT32_LE(cpreg_vmstate_array_len, ARMCPU),
-+        VMSTATE_INT32_POSITIVE_LE(cpreg_vmstate_array_len, ARMCPU),
-         VMSTATE_VARRAY_INT32(cpreg_vmstate_indexes, ARMCPU,
-                              cpreg_vmstate_array_len,
-                              0, vmstate_info_uint64, uint64_t),
diff --git a/0020-usb-sanity-check-setup_index-setup_len-in-post_load.patch b/0020-usb-sanity-check-setup_index-setup_len-in-post_load.patch
deleted file mode 100644
index 824140c..0000000
--- a/0020-usb-sanity-check-setup_index-setup_len-in-post_load.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From a608c9c4150820ec64f5f25f6ebe244906c015da Mon Sep 17 00:00:00 2001
-From: "Michael S. Tsirkin" <mst@redhat.com>
-Date: Thu, 3 Apr 2014 19:52:25 +0300
-Subject: [PATCH] usb: sanity check setup_index+setup_len in post_load
-
-CVE-2013-4541
-
-s->setup_len and s->setup_index are fed into usb_packet_copy as
-size/offset into s->data_buf, it's possible for invalid state to exploit
-this to load arbitrary data.
-
-setup_len and setup_index should be checked to make sure
-they are not negative.
-
-Cc: Gerd Hoffmann <kraxel@redhat.com>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
-Signed-off-by: Juan Quintela <quintela@redhat.com>
-(cherry picked from commit 9f8e9895c504149d7048e9fc5eb5cbb34b16e49a)
----
- hw/usb/bus.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/hw/usb/bus.c b/hw/usb/bus.c
-index fe70429..e48b19f 100644
---- a/hw/usb/bus.c
-+++ b/hw/usb/bus.c
-@@ -49,7 +49,9 @@ static int usb_device_post_load(void *opaque, int version_id)
-     } else {
-         dev->attached = 1;
-     }
--    if (dev->setup_index >= sizeof(dev->data_buf) ||
-+    if (dev->setup_index < 0 ||
-+        dev->setup_len < 0 ||
-+        dev->setup_index >= sizeof(dev->data_buf) ||
-         dev->setup_len >= sizeof(dev->data_buf)) {
-         return -EINVAL;
-     }
diff --git a/0021-ssi-sd-fix-buffer-overrun-on-invalid-state-load.patch b/0021-ssi-sd-fix-buffer-overrun-on-invalid-state-load.patch
deleted file mode 100644
index ac1e790..0000000
--- a/0021-ssi-sd-fix-buffer-overrun-on-invalid-state-load.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From d2c50b94a808f06d778746aec63ce2cb4eb1222f Mon Sep 17 00:00:00 2001
-From: "Michael S. Tsirkin" <mst@redhat.com>
-Date: Mon, 28 Apr 2014 16:08:14 +0300
-Subject: [PATCH] ssi-sd: fix buffer overrun on invalid state load
-
-CVE-2013-4537
-
-s->arglen is taken from wire and used as idx
-in ssi_sd_transfer().
-
-Validate it before access.
-
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Juan Quintela <quintela@redhat.com>
-(cherry picked from commit a9c380db3b8c6af19546a68145c8d1438a09c92b)
----
- hw/sd/ssi-sd.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/hw/sd/ssi-sd.c b/hw/sd/ssi-sd.c
-index 3273c8a..b012e57 100644
---- a/hw/sd/ssi-sd.c
-+++ b/hw/sd/ssi-sd.c
-@@ -230,8 +230,17 @@ static int ssi_sd_load(QEMUFile *f, void *opaque, int version_id)
-     for (i = 0; i < 5; i++)
-         s->response[i] = qemu_get_be32(f);
-     s->arglen = qemu_get_be32(f);
-+    if (s->mode == SSI_SD_CMDARG &&
-+        (s->arglen < 0 || s->arglen >= ARRAY_SIZE(s->cmdarg))) {
-+        return -EINVAL;
-+    }
-     s->response_pos = qemu_get_be32(f);
-     s->stopping = qemu_get_be32(f);
-+    if (s->mode == SSI_SD_RESPONSE &&
-+        (s->response_pos < 0 || s->response_pos >= ARRAY_SIZE(s->response) ||
-+        (!s->stopping && s->arglen > ARRAY_SIZE(s->response)))) {
-+        return -EINVAL;
-+    }
- 
-     ss->cs = qemu_get_be32(f);
- 
diff --git a/0022-openpic-avoid-buffer-overrun-on-incoming-migration.patch b/0022-openpic-avoid-buffer-overrun-on-incoming-migration.patch
deleted file mode 100644
index b9404dc..0000000
--- a/0022-openpic-avoid-buffer-overrun-on-incoming-migration.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-From 70488d5f1746b720bc141ea6b9850585e9c42121 Mon Sep 17 00:00:00 2001
-From: Michael Roth <mdroth@linux.vnet.ibm.com>
-Date: Mon, 28 Apr 2014 16:08:17 +0300
-Subject: [PATCH] openpic: avoid buffer overrun on incoming migration
-
-CVE-2013-4534
-
-opp->nb_cpus is read from the wire and used to determine how many
-IRQDest elements to read into opp->dst[]. If the value exceeds the
-length of opp->dst[], MAX_CPU, opp->dst[] can be overrun with arbitrary
-data from the wire.
-
-Fix this by failing migration if the value read from the wire exceeds
-MAX_CPU.
-
-Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-Reviewed-by: Alexander Graf <agraf@suse.de>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Juan Quintela <quintela@redhat.com>
-(cherry picked from commit 73d963c0a75cb99c6aaa3f6f25e427aa0b35a02e)
----
- hw/intc/openpic.c | 16 ++++++++++++++--
- 1 file changed, 14 insertions(+), 2 deletions(-)
-
-diff --git a/hw/intc/openpic.c b/hw/intc/openpic.c
-index be76fbd..17136c9 100644
---- a/hw/intc/openpic.c
-+++ b/hw/intc/openpic.c
-@@ -41,6 +41,7 @@
- #include "hw/sysbus.h"
- #include "hw/pci/msi.h"
- #include "qemu/bitops.h"
-+#include "qapi/qmp/qerror.h"
- 
- //#define DEBUG_OPENPIC
- 
-@@ -1416,7 +1417,7 @@ static void openpic_load_IRQ_queue(QEMUFile* f, IRQQueue *q)
- static int openpic_load(QEMUFile* f, void *opaque, int version_id)
- {
-     OpenPICState *opp = (OpenPICState *)opaque;
--    unsigned int i;
-+    unsigned int i, nb_cpus;
- 
-     if (version_id != 1) {
-         return -EINVAL;
-@@ -1428,7 +1429,11 @@ static int openpic_load(QEMUFile* f, void *opaque, int version_id)
-     qemu_get_be32s(f, &opp->spve);
-     qemu_get_be32s(f, &opp->tfrr);
- 
--    qemu_get_be32s(f, &opp->nb_cpus);
-+    qemu_get_be32s(f, &nb_cpus);
-+    if (opp->nb_cpus != nb_cpus) {
-+        return -EINVAL;
-+    }
-+    assert(nb_cpus > 0 && nb_cpus <= MAX_CPU);
- 
-     for (i = 0; i < opp->nb_cpus; i++) {
-         qemu_get_sbe32s(f, &opp->dst[i].ctpr);
-@@ -1567,6 +1572,13 @@ static void openpic_realize(DeviceState *dev, Error **errp)
-         {NULL}
-     };
- 
-+    if (opp->nb_cpus > MAX_CPU) {
-+        error_set(errp, QERR_PROPERTY_VALUE_OUT_OF_RANGE,
-+                  TYPE_OPENPIC, "nb_cpus", (uint64_t)opp->nb_cpus,
-+                  (uint64_t)0, (uint64_t)MAX_CPU);
-+        return;
-+    }
-+
-     switch (opp->model) {
-     case OPENPIC_MODEL_FSL_MPIC_20:
-     default:
diff --git a/0023-virtio-net-out-of-bounds-buffer-write-on-load.patch b/0023-virtio-net-out-of-bounds-buffer-write-on-load.patch
deleted file mode 100644
index cf100f3..0000000
--- a/0023-virtio-net-out-of-bounds-buffer-write-on-load.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From 1a29e58f9f23846d0e105a3157629786fc624f65 Mon Sep 17 00:00:00 2001
-From: "Michael S. Tsirkin" <mst@redhat.com>
-Date: Mon, 28 Apr 2014 16:08:21 +0300
-Subject: [PATCH] virtio-net: out-of-bounds buffer write on load
-
-CVE-2013-4149 QEMU 1.3.0 out-of-bounds buffer write in
-virtio_net_load()@hw/net/virtio-net.c
-
->         } else if (n->mac_table.in_use) {
->             uint8_t *buf = g_malloc0(n->mac_table.in_use);
-
-We are allocating buffer of size n->mac_table.in_use
-
->             qemu_get_buffer(f, buf, n->mac_table.in_use * ETH_ALEN);
-
-and read to the n->mac_table.in_use size buffer n->mac_table.in_use *
-ETH_ALEN bytes, corrupting memory.
-
-If adversary controls state then memory written there is controlled
-by adversary.
-
-Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Juan Quintela <quintela@redhat.com>
-(cherry picked from commit 98f93ddd84800f207889491e0b5d851386b459cf)
----
- hw/net/virtio-net.c | 15 +++++++++++----
- 1 file changed, 11 insertions(+), 4 deletions(-)
-
-diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
-index 0a8cb40..940a7cf 100644
---- a/hw/net/virtio-net.c
-+++ b/hw/net/virtio-net.c
-@@ -1362,10 +1362,17 @@ static int virtio_net_load(QEMUFile *f, void *opaque, int version_id)
-         if (n->mac_table.in_use <= MAC_TABLE_ENTRIES) {
-             qemu_get_buffer(f, n->mac_table.macs,
-                             n->mac_table.in_use * ETH_ALEN);
--        } else if (n->mac_table.in_use) {
--            uint8_t *buf = g_malloc0(n->mac_table.in_use);
--            qemu_get_buffer(f, buf, n->mac_table.in_use * ETH_ALEN);
--            g_free(buf);
-+        } else {
-+            int64_t i;
-+
-+            /* Overflow detected - can happen if source has a larger MAC table.
-+             * We simply set overflow flag so there's no need to maintain the
-+             * table of addresses, discard them all.
-+             * Note: 64 bit math to avoid integer overflow.
-+             */
-+            for (i = 0; i < (int64_t)n->mac_table.in_use * ETH_ALEN; ++i) {
-+                qemu_get_byte(f);
-+            }
-             n->mac_table.multi_overflow = n->mac_table.uni_overflow = 1;
-             n->mac_table.in_use = 0;
-         }
diff --git a/0024-virtio-validate-config_len-on-load.patch b/0024-virtio-validate-config_len-on-load.patch
deleted file mode 100644
index 9e6dde4..0000000
--- a/0024-virtio-validate-config_len-on-load.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From 94998eaa5ef06ba17ad12976ac84801033a28582 Mon Sep 17 00:00:00 2001
-From: "Michael S. Tsirkin" <mst@redhat.com>
-Date: Mon, 28 Apr 2014 16:08:23 +0300
-Subject: [PATCH] virtio: validate config_len on load
-
-Malformed input can have config_len in migration stream
-exceed the array size allocated on destination, the
-result will be heap overflow.
-
-To fix, that config_len matches on both sides.
-
-CVE-2014-0182
-
-Reported-by: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Juan Quintela <quintela@redhat.com>
-
---
-
-v2: use %ix and %zx to print config_len values
-Signed-off-by: Juan Quintela <quintela@redhat.com>
-(cherry picked from commit a890a2f9137ac3cf5b607649e66a6f3a5512d8dc)
----
- hw/virtio/virtio.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
-index a70169a..7f4e7ec 100644
---- a/hw/virtio/virtio.c
-+++ b/hw/virtio/virtio.c
-@@ -898,6 +898,7 @@ int virtio_set_features(VirtIODevice *vdev, uint32_t val)
- int virtio_load(VirtIODevice *vdev, QEMUFile *f)
- {
-     int i, ret;
-+    int32_t config_len;
-     uint32_t num;
-     uint32_t features;
-     uint32_t supported_features;
-@@ -924,7 +925,12 @@ int virtio_load(VirtIODevice *vdev, QEMUFile *f)
-                      features, supported_features);
-         return -1;
-     }
--    vdev->config_len = qemu_get_be32(f);
-+    config_len = qemu_get_be32(f);
-+    if (config_len != vdev->config_len) {
-+        error_report("Unexpected config length 0x%x. Expected 0x%zx",
-+                     config_len, vdev->config_len);
-+        return -1;
-+    }
-     qemu_get_buffer(f, vdev->config, vdev->config_len);
- 
-     num = qemu_get_be32(f);
diff --git a/0101-qcow1-Make-padding-in-the-header-explicit.patch b/0101-qcow1-Make-padding-in-the-header-explicit.patch
deleted file mode 100644
index 723cc80..0000000
--- a/0101-qcow1-Make-padding-in-the-header-explicit.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 709786ed4fa98cd281beaac3c6770292bd045a30 Mon Sep 17 00:00:00 2001
-From: Kevin Wolf <kwolf@redhat.com>
-Date: Wed, 7 May 2014 16:56:10 +0200
-Subject: [PATCH] qcow1: Make padding in the header explicit
-
-We were relying on all compilers inserting the same padding in the
-header struct that is used for the on-disk format. Let's not do that.
-Mark the struct as packed and insert an explicit padding field for
-compatibility.
-
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Kevin Wolf <kwolf@redhat.com>
-Reviewed-by: Benoit Canet <benoit@irqsave.net>
-(cherry picked from commit ea54feff58efedc809641474b25a3130309678e7)
----
- block/qcow.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/block/qcow.c b/block/qcow.c
-index d5a7d5f..9018f44 100644
---- a/block/qcow.c
-+++ b/block/qcow.c
-@@ -48,9 +48,10 @@ typedef struct QCowHeader {
-     uint64_t size; /* in bytes */
-     uint8_t cluster_bits;
-     uint8_t l2_bits;
-+    uint16_t padding;
-     uint32_t crypt_method;
-     uint64_t l1_table_offset;
--} QCowHeader;
-+} QEMU_PACKED QCowHeader;
- 
- #define L2_CACHE_SIZE 16
- 
diff --git a/0102-qcow1-Check-maximum-cluster-size.patch b/0102-qcow1-Check-maximum-cluster-size.patch
deleted file mode 100644
index 071bd79..0000000
--- a/0102-qcow1-Check-maximum-cluster-size.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 6893e96e6b58d809a08c6491f76df221fd1a6473 Mon Sep 17 00:00:00 2001
-From: Kevin Wolf <kwolf@redhat.com>
-Date: Wed, 7 May 2014 17:30:30 +0200
-Subject: [PATCH] qcow1: Check maximum cluster size
-
-Huge values for header.cluster_bits cause unbounded allocations (e.g.
-for s->cluster_cache) and crash qemu this way. Less huge values may
-survive those allocations, but can cause integer overflows later on.
-
-The only cluster sizes that qemu can create are 4k (for standalone
-images) and 512 (for images with backing files), so we can limit it
-to 64k.
-
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Kevin Wolf <kwolf@redhat.com>
-Reviewed-by: Benoit Canet <benoit@irqsave.net>
-(cherry picked from commit 7159a45b2bf2dcb9f49f1e27d1d3d135a0247a2f)
-
-Conflicts:
-	tests/qemu-iotests/group
----
- block/qcow.c | 10 ++++++++--
- 1 file changed, 8 insertions(+), 2 deletions(-)
-
-diff --git a/block/qcow.c b/block/qcow.c
-index 9018f44..26bb923 100644
---- a/block/qcow.c
-+++ b/block/qcow.c
-@@ -127,11 +127,17 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags,
-         goto fail;
-     }
- 
--    if (header.size <= 1 || header.cluster_bits < 9) {
--        error_setg(errp, "invalid value in qcow header");
-+    if (header.size <= 1) {
-+        error_setg(errp, "Image size is too small (must be at least 2 bytes)");
-         ret = -EINVAL;
-         goto fail;
-     }
-+    if (header.cluster_bits < 9 || header.cluster_bits > 16) {
-+        error_setg(errp, "Cluster size must be between 512 and 64k");
-+        ret = -EINVAL;
-+        goto fail;
-+    }
-+
-     if (header.crypt_method > QCOW_CRYPT_AES) {
-         error_setg(errp, "invalid encryption method in qcow header");
-         ret = -EINVAL;
diff --git a/0103-qcow1-Validate-L2-table-size-CVE-2014-0222.patch b/0103-qcow1-Validate-L2-table-size-CVE-2014-0222.patch
deleted file mode 100644
index db3b686..0000000
--- a/0103-qcow1-Validate-L2-table-size-CVE-2014-0222.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 71ae37ec9806ab76afcdb40cf5f080af378848ac Mon Sep 17 00:00:00 2001
-From: Kevin Wolf <kwolf@redhat.com>
-Date: Thu, 15 May 2014 16:10:11 +0200
-Subject: [PATCH] qcow1: Validate L2 table size (CVE-2014-0222)
-
-Too large L2 table sizes cause unbounded allocations. Images actually
-created by qemu-img only have 512 byte or 4k L2 tables.
-
-To keep things consistent with cluster sizes, allow ranges between 512
-bytes and 64k (in fact, down to 1 entry = 8 bytes is technically
-working, but L2 table sizes smaller than a cluster don't make a lot of
-sense).
-
-This also means that the number of bytes on the virtual disk that are
-described by the same L2 table is limited to at most 8k * 64k or 2^29,
-preventively avoiding any integer overflows.
-
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Kevin Wolf <kwolf@redhat.com>
-Reviewed-by: Benoit Canet <benoit@irqsave.net>
-(cherry picked from commit 42eb58179b3b215bb507da3262b682b8a2ec10b5)
-
-Conflicts:
-	tests/qemu-iotests/092
-	tests/qemu-iotests/092.out
----
- block/qcow.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/block/qcow.c b/block/qcow.c
-index 26bb923..8718ca5 100644
---- a/block/qcow.c
-+++ b/block/qcow.c
-@@ -138,6 +138,14 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags,
-         goto fail;
-     }
- 
-+    /* l2_bits specifies number of entries; storing a uint64_t in each entry,
-+     * so bytes = num_entries << 3. */
-+    if (header.l2_bits < 9 - 3 || header.l2_bits > 16 - 3) {
-+        error_setg(errp, "L2 table size must be between 512 and 64k");
-+        ret = -EINVAL;
-+        goto fail;
-+    }
-+
-     if (header.crypt_method > QCOW_CRYPT_AES) {
-         error_setg(errp, "invalid encryption method in qcow header");
-         ret = -EINVAL;
diff --git a/0104-qcow1-Validate-image-size-CVE-2014-0223.patch b/0104-qcow1-Validate-image-size-CVE-2014-0223.patch
deleted file mode 100644
index 547362a..0000000
--- a/0104-qcow1-Validate-image-size-CVE-2014-0223.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From 92e1dd206a3bb8ddbea0ece22bc05e9446a69436 Mon Sep 17 00:00:00 2001
-From: Kevin Wolf <kwolf@redhat.com>
-Date: Thu, 8 May 2014 13:08:20 +0200
-Subject: [PATCH] qcow1: Validate image size (CVE-2014-0223)
-
-A huge image size could cause s->l1_size to overflow. Make sure that
-images never require a L1 table larger than what fits in s->l1_size.
-
-This cannot only cause unbounded allocations, but also the allocation of
-a too small L1 table, resulting in out-of-bounds array accesses (both
-reads and writes).
-
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Kevin Wolf <kwolf@redhat.com>
-(cherry picked from commit 46485de0cb357b57373e1ca895adedf1f3ed46ec)
-
-Conflicts:
-	tests/qemu-iotests/092
-	tests/qemu-iotests/092.out
----
- block/qcow.c | 16 ++++++++++++++--
- 1 file changed, 14 insertions(+), 2 deletions(-)
-
-diff --git a/block/qcow.c b/block/qcow.c
-index 8718ca5..f9cb009 100644
---- a/block/qcow.c
-+++ b/block/qcow.c
-@@ -61,7 +61,7 @@ typedef struct BDRVQcowState {
-     int cluster_sectors;
-     int l2_bits;
-     int l2_size;
--    int l1_size;
-+    unsigned int l1_size;
-     uint64_t cluster_offset_mask;
-     uint64_t l1_table_offset;
-     uint64_t *l1_table;
-@@ -165,7 +165,19 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags,
- 
-     /* read the level 1 table */
-     shift = s->cluster_bits + s->l2_bits;
--    s->l1_size = (header.size + (1LL << shift) - 1) >> shift;
-+    if (header.size > UINT64_MAX - (1LL << shift)) {
-+        error_setg(errp, "Image too large");
-+        ret = -EINVAL;
-+        goto fail;
-+    } else {
-+        uint64_t l1_size = (header.size + (1LL << shift) - 1) >> shift;
-+        if (l1_size > INT_MAX / sizeof(uint64_t)) {
-+            error_setg(errp, "Image too large");
-+            ret = -EINVAL;
-+            goto fail;
-+        }
-+        s->l1_size = l1_size;
-+    }
- 
-     s->l1_table_offset = header.l1_table_offset;
-     s->l1_table = g_malloc(s->l1_size * sizeof(uint64_t));
diff --git a/0105-qcow1-Stricter-backing-file-length-check.patch b/0105-qcow1-Stricter-backing-file-length-check.patch
deleted file mode 100644
index 60894ed..0000000
--- a/0105-qcow1-Stricter-backing-file-length-check.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From deaa4693c8533862fdda9bf584c24d4f2ef50029 Mon Sep 17 00:00:00 2001
-From: Kevin Wolf <kwolf@redhat.com>
-Date: Thu, 8 May 2014 13:35:09 +0200
-Subject: [PATCH] qcow1: Stricter backing file length check
-
-Like qcow2 since commit 6d33e8e7, error out on invalid lengths instead
-of silently truncating them to 1023.
-
-Also don't rely on bdrv_pread() catching integer overflows that make len
-negative, but use unsigned variables in the first place.
-
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Kevin Wolf <kwolf@redhat.com>
-Reviewed-by: Benoit Canet <benoit@irqsave.net>
-(cherry picked from commit d66e5cee002c471b78139228a4e7012736b375f9)
-
-Conflicts:
-	tests/qemu-iotests/092
-	tests/qemu-iotests/092.out
----
- block/qcow.c | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/block/qcow.c b/block/qcow.c
-index f9cb009..c0a3b89 100644
---- a/block/qcow.c
-+++ b/block/qcow.c
-@@ -97,7 +97,8 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags,
-                      Error **errp)
- {
-     BDRVQcowState *s = bs->opaque;
--    int len, i, shift, ret;
-+    unsigned int len, i, shift;
-+    int ret;
-     QCowHeader header;
- 
-     ret = bdrv_pread(bs->file, 0, &header, sizeof(header));
-@@ -201,7 +202,9 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags,
-     if (header.backing_file_offset != 0) {
-         len = header.backing_file_size;
-         if (len > 1023) {
--            len = 1023;
-+            error_setg(errp, "Backing file name too long");
-+            ret = -EINVAL;
-+            goto fail;
-         }
-         ret = bdrv_pread(bs->file, header.backing_file_offset,
-                    bs->backing_file, len);
diff --git a/0106-usb-fix-up-post-load-checks.patch b/0106-usb-fix-up-post-load-checks.patch
deleted file mode 100644
index 3f0c217..0000000
--- a/0106-usb-fix-up-post-load-checks.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 40e49e4fab60b3b323263f06b7a8385fa9b62e89 Mon Sep 17 00:00:00 2001
-From: "Michael S. Tsirkin" <mst@redhat.com>
-Date: Tue, 13 May 2014 12:33:16 +0300
-Subject: [PATCH] usb: fix up post load checks
-
-Correct post load checks:
-1. dev->setup_len == sizeof(dev->data_buf)
-    seems fine, no need to fail migration
-2. When state is DATA, passing index > len
-   will cause memcpy with negative length,
-   resulting in heap overflow
-
-First of the issues was reported by dgilbert.
-
-Reported-by: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Juan Quintela <quintela@redhat.com>
-(cherry picked from commit 719ffe1f5f72b1c7ace4afe9ba2815bcb53a829e)
----
- hw/usb/bus.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/hw/usb/bus.c b/hw/usb/bus.c
-index e48b19f..ff1dfe6 100644
---- a/hw/usb/bus.c
-+++ b/hw/usb/bus.c
-@@ -51,8 +51,8 @@ static int usb_device_post_load(void *opaque, int version_id)
-     }
-     if (dev->setup_index < 0 ||
-         dev->setup_len < 0 ||
--        dev->setup_index >= sizeof(dev->data_buf) ||
--        dev->setup_len >= sizeof(dev->data_buf)) {
-+        dev->setup_index > dev->setup_len ||
-+        dev->setup_len > sizeof(dev->data_buf)) {
-         return -EINVAL;
-     }
-     return 0;
diff --git a/0107-trace-add-pid-field-to-simpletrace-record.patch b/0107-trace-add-pid-field-to-simpletrace-record.patch
deleted file mode 100644
index e8dc6f6..0000000
--- a/0107-trace-add-pid-field-to-simpletrace-record.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-From 32f3e4afa3c9e67c6448b2f3e3aefc4d7cf5a0d3 Mon Sep 17 00:00:00 2001
-From: Stefan Hajnoczi <stefanha@redhat.com>
-Date: Wed, 7 May 2014 19:24:10 +0200
-Subject: [PATCH] trace: add pid field to simpletrace record
-
-It is useful to know the QEMU process ID when working with traces from
-multiple VMs.  Although the trace filename may contain the pid, tools
-that aggregate traces or even trace globally need somewhere to record
-the pid.
-
-There is a reserved field in the trace event header struct that we can
-use.
-
-It is not necessary to bump the simpletrace file format version number
-because it has already been incremented for the QEMU 2.1 release cycle
-in commit "trace: [simple] Bump up log version number".
-
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
-(cherry picked from commit 26896cbf353e3017f76da8193074839b6e875250)
----
- trace/simple.c | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/trace/simple.c b/trace/simple.c
-index aaa010e..1584bf7 100644
---- a/trace/simple.c
-+++ b/trace/simple.c
-@@ -75,6 +75,7 @@ uint8_t trace_buf[TRACE_BUF_LEN];
- static volatile gint trace_idx;
- static unsigned int writeout_idx;
- static volatile gint dropped_events;
-+static uint32_t trace_pid;
- static FILE *trace_fp;
- static char *trace_file_name;
- 
-@@ -83,7 +84,7 @@ typedef struct {
-     uint64_t event; /*   TraceEventID */
-     uint64_t timestamp_ns;
-     uint32_t length;   /*    in bytes */
--    uint32_t reserved; /*    unused */
-+    uint32_t pid;
-     uint64_t arguments[];
- } TraceRecord;
- 
-@@ -190,7 +191,7 @@ static gpointer writeout_thread(gpointer opaque)
-             dropped.rec.event = DROPPED_EVENT_ID,
-             dropped.rec.timestamp_ns = get_clock();
-             dropped.rec.length = sizeof(TraceRecord) + sizeof(uint64_t),
--            dropped.rec.reserved = 0;
-+            dropped.rec.pid = trace_pid;
-             do {
-                 dropped_count = g_atomic_int_get(&dropped_events);
-             } while (!g_atomic_int_compare_and_exchange(&dropped_events,
-@@ -249,6 +250,7 @@ int trace_record_start(TraceBufferRecord *rec, TraceEventID event, size_t datasi
-     rec_off = write_to_buffer(rec_off, &event_u64, sizeof(event_u64));
-     rec_off = write_to_buffer(rec_off, &timestamp_ns, sizeof(timestamp_ns));
-     rec_off = write_to_buffer(rec_off, &rec_len, sizeof(rec_len));
-+    rec_off = write_to_buffer(rec_off, &trace_pid, sizeof(trace_pid));
- 
-     rec->tbuf_idx = idx;
-     rec->rec_off  = (idx + sizeof(TraceRecord)) % TRACE_BUF_LEN;
-@@ -414,6 +416,8 @@ bool trace_backend_init(const char *events, const char *file)
- {
-     GThread *thread;
- 
-+    trace_pid = getpid();
-+
- #if !GLIB_CHECK_VERSION(2, 31, 0)
-     trace_available_cond = g_cond_new();
-     trace_empty_cond = g_cond_new();
diff --git a/0108-simpletrace-add-support-for-trace-record-pid-field.patch b/0108-simpletrace-add-support-for-trace-record-pid-field.patch
deleted file mode 100644
index 6a270fa..0000000
--- a/0108-simpletrace-add-support-for-trace-record-pid-field.patch
+++ /dev/null
@@ -1,100 +0,0 @@
-From 012d97190b01b0726c47aa46d723b81fa4d193d4 Mon Sep 17 00:00:00 2001
-From: Stefan Hajnoczi <stefanha@redhat.com>
-Date: Wed, 7 May 2014 19:24:11 +0200
-Subject: [PATCH] simpletrace: add support for trace record pid field
-
-Extract the pid field from the trace record and print it.
-
-Change the trace record tuple from:
-  (event_num, timestamp, arg1, ..., arg6)
-to:
-  (event_num, timestamp, pid, arg1, ..., arg6)
-
-Trace event methods now support 3 prototypes:
-1. <event-name>(arg1, arg2, arg3)
-2. <event-name>(timestamp, arg1, arg2, arg3)
-3. <event-name>(timestamp, pid, arg1, arg2, arg3)
-
-Existing script continue to work without changes, they only know about
-prototypes 1 and 2.
-
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
-(cherry picked from commit 80ff35cd3ff451e8f200413ddf27816058630c1f)
----
- scripts/simpletrace.py | 26 +++++++++++++++-----------
- 1 file changed, 15 insertions(+), 11 deletions(-)
-
-diff --git a/scripts/simpletrace.py b/scripts/simpletrace.py
-index 8bbcb42..e1b97d4 100755
---- a/scripts/simpletrace.py
-+++ b/scripts/simpletrace.py
-@@ -31,10 +31,10 @@ def read_header(fobj, hfmt):
-     return struct.unpack(hfmt, hdr)
- 
- def get_record(edict, rechdr, fobj):
--    """Deserialize a trace record from a file into a tuple (event_num, timestamp, arg1, ..., arg6)."""
-+    """Deserialize a trace record from a file into a tuple (event_num, timestamp, pid, arg1, ..., arg6)."""
-     if rechdr is None:
-         return None
--    rec = (rechdr[0], rechdr[1])
-+    rec = (rechdr[0], rechdr[1], rechdr[3])
-     if rechdr[0] != dropped_event_id:
-         event_id = rechdr[0]
-         event = edict[event_id]
-@@ -54,12 +54,12 @@ def get_record(edict, rechdr, fobj):
- 
- 
- def read_record(edict, fobj):
--    """Deserialize a trace record from a file into a tuple (event_num, timestamp, arg1, ..., arg6)."""
-+    """Deserialize a trace record from a file into a tuple (event_num, timestamp, pid, arg1, ..., arg6)."""
-     rechdr = read_header(fobj, rec_header_fmt)
-     return get_record(edict, rechdr, fobj) # return tuple of record elements
- 
- def read_trace_file(edict, fobj):
--    """Deserialize trace records from a file, yielding record tuples (event_num, timestamp, arg1, ..., arg6)."""
-+    """Deserialize trace records from a file, yielding record tuples (event_num, timestamp, pid, arg1, ..., arg6)."""
-     header = read_header(fobj, log_header_fmt)
-     if header is None or \
-        header[0] != header_event_id or \
-@@ -131,10 +131,13 @@ def process(events, log, analyzer):
-         fn_argcount = len(inspect.getargspec(fn)[0]) - 1
-         if fn_argcount == event_argcount + 1:
-             # Include timestamp as first argument
--            return lambda _, rec: fn(*rec[1:2 + event_argcount])
-+            return lambda _, rec: fn(*((rec[1:2],) + rec[3:3 + event_argcount]))
-+        elif fn_argcount == event_argcount + 2:
-+            # Include timestamp and pid
-+            return lambda _, rec: fn(*rec[1:3 + event_argcount])
-         else:
--            # Just arguments, no timestamp
--            return lambda _, rec: fn(*rec[2:2 + event_argcount])
-+            # Just arguments, no timestamp or pid
-+            return lambda _, rec: fn(*rec[3:3 + event_argcount])
- 
-     analyzer.begin()
-     fn_cache = {}
-@@ -166,19 +169,20 @@ if __name__ == '__main__':
-             self.last_timestamp = None
- 
-         def catchall(self, event, rec):
--            i = 1
-             timestamp = rec[1]
-             if self.last_timestamp is None:
-                 self.last_timestamp = timestamp
-             delta_ns = timestamp - self.last_timestamp
-             self.last_timestamp = timestamp
- 
--            fields = [event.name, '%0.3f' % (delta_ns / 1000.0)]
-+            fields = [event.name, '%0.3f' % (delta_ns / 1000.0),
-+                      'pid=%d' % rec[2]]
-+            i = 3
-             for type, name in event.args:
-                 if is_string(type):
--                    fields.append('%s=%s' % (name, rec[i + 1]))
-+                    fields.append('%s=%s' % (name, rec[i]))
-                 else:
--                    fields.append('%s=0x%x' % (name, rec[i + 1]))
-+                    fields.append('%s=0x%x' % (name, rec[i]))
-                 i += 1
-             print ' '.join(fields)
- 
diff --git a/0109-trace-Replace-error-with-warning-if-event-is-not-def.patch b/0109-trace-Replace-error-with-warning-if-event-is-not-def.patch
deleted file mode 100644
index 273bf8c..0000000
--- a/0109-trace-Replace-error-with-warning-if-event-is-not-def.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 2e6870993d226dd8af3e2db502e8e183ee63d66a Mon Sep 17 00:00:00 2001
-From: Alexey Kardashevskiy <aik@ozlabs.ru>
-Date: Wed, 21 May 2014 18:16:01 +1000
-Subject: [PATCH] trace: Replace error with warning if event is not defined
-
-At the moment QEMU exits if trace point is not defined which makes
-a developer life harder if he has to switch between branches with
-different traces implemented.
-
-This replaces error+exit wit WARNING if the tracepoint does not exist or
-not traceable.
-
-Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
-(cherry picked from commit 82432638ebeedda8a2e18838b6fbef4b14a94f31)
----
- trace/control.c | 14 +++++++-------
- 1 file changed, 7 insertions(+), 7 deletions(-)
-
-diff --git a/trace/control.c b/trace/control.c
-index 49f61e1..4aa02cf 100644
---- a/trace/control.c
-+++ b/trace/control.c
-@@ -112,15 +112,15 @@ void trace_backend_init_events(const char *fname)
-                 TraceEvent *ev = trace_event_name(line_ptr);
-                 if (ev == NULL) {
-                     fprintf(stderr,
--                            "error: trace event '%s' does not exist\n", line_ptr);
--                    exit(1);
--                }
--                if (!trace_event_get_state_static(ev)) {
-+                            "WARNING: trace event '%s' does not exist\n",
-+                            line_ptr);
-+                } else if (!trace_event_get_state_static(ev)) {
-                     fprintf(stderr,
--                            "error: trace event '%s' is not traceable\n", line_ptr);
--                    exit(1);
-+                            "WARNING: trace event '%s' is not traceable\n",
-+                            line_ptr);
-+                } else {
-+                    trace_event_set_state_dynamic(ev, enable);
-                 }
--                trace_event_set_state_dynamic(ev, enable);
-             }
-         }
-     }
diff --git a/0110-do-not-call-g_thread_init-for-glib-2.31.patch b/0110-do-not-call-g_thread_init-for-glib-2.31.patch
deleted file mode 100644
index 30675c4..0000000
--- a/0110-do-not-call-g_thread_init-for-glib-2.31.patch
+++ /dev/null
@@ -1,78 +0,0 @@
-From 6b1371a666af982f2d6c0b7dba98c425ea56d3dd Mon Sep 17 00:00:00 2001
-From: Michael Tokarev <mjt@tls.msk.ru>
-Date: Fri, 2 May 2014 18:35:55 +0400
-Subject: [PATCH] do not call g_thread_init() for glib >= 2.31
-
-glib >= 2.31 always enables thread support and g_thread_supported()
-is #defined to 1, there's no need to call g_thread_init() anymore,
-and it definitely does not need to report error which never happens.
-Keep code for old < 2.31 glibc anyway for now, just #ifdef it
-differently.
-
-Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
-Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
-Cc: qemu-trivial@nongnu.org
-(cherry picked from commit f33cc84dd4af7776309d118412df008ec4108a57)
----
- coroutine-gthread.c |  7 ++-----
- util/osdep.c        | 21 +++++++++------------
- 2 files changed, 11 insertions(+), 17 deletions(-)
-
-diff --git a/coroutine-gthread.c b/coroutine-gthread.c
-index d3e5b99..a61efe0 100644
---- a/coroutine-gthread.c
-+++ b/coroutine-gthread.c
-@@ -115,14 +115,11 @@ static inline GThread *create_thread(GThreadFunc func, gpointer data)
- 
- static void __attribute__((constructor)) coroutine_init(void)
- {
--    if (!g_thread_supported()) {
- #if !GLIB_CHECK_VERSION(2, 31, 0)
-+    if (!g_thread_supported()) {
-         g_thread_init(NULL);
--#else
--        fprintf(stderr, "glib threading failed to initialize.\n");
--        exit(1);
--#endif
-     }
-+#endif
- 
-     init_coroutine_cond();
- }
-diff --git a/util/osdep.c b/util/osdep.c
-index a9029f8..b2bd154 100644
---- a/util/osdep.c
-+++ b/util/osdep.c
-@@ -436,23 +436,20 @@ int socket_init(void)
-     return 0;
- }
- 
--/* Ensure that glib is running in multi-threaded mode */
-+#if !GLIB_CHECK_VERSION(2, 31, 0)
-+/* Ensure that glib is running in multi-threaded mode
-+ * Old versions of glib require explicit initialization.  Failure to do
-+ * this results in the single-threaded code paths being taken inside
-+ * glib.  For example, the g_slice allocator will not be thread-safe
-+ * and cause crashes.
-+ */
- static void __attribute__((constructor)) thread_init(void)
- {
-     if (!g_thread_supported()) {
--#if !GLIB_CHECK_VERSION(2, 31, 0)
--        /* Old versions of glib require explicit initialization.  Failure to do
--         * this results in the single-threaded code paths being taken inside
--         * glib.  For example, the g_slice allocator will not be thread-safe
--         * and cause crashes.
--         */
--        g_thread_init(NULL);
--#else
--        fprintf(stderr, "glib threading failed to initialize.\n");
--        exit(1);
--#endif
-+       g_thread_init(NULL);
-     }
- }
-+#endif
- 
- #ifndef CONFIG_IOVEC
- /* helper function for iov_send_recv() */
diff --git a/0111-glib-move-g_poll-replacement-into-glib-compat.h.patch b/0111-glib-move-g_poll-replacement-into-glib-compat.h.patch
deleted file mode 100644
index 70117f9..0000000
--- a/0111-glib-move-g_poll-replacement-into-glib-compat.h.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From 6c1369c499e74fccbbfb97b3ec3e5da59d382031 Mon Sep 17 00:00:00 2001
-From: Stefan Hajnoczi <stefanha@redhat.com>
-Date: Fri, 2 May 2014 18:35:56 +0400
-Subject: [PATCH] glib: move g_poll() replacement into glib-compat.h
-
-We have a dedicated header file for wrappers to smooth over glib version
-differences.  Move the g_poll() definition into glib-compat.h for
-consistency.
-
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
-Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
-Cc: qemu-trivial@nongnu.org
-(cherry picked from commit f95c967a7950797109d2a96fcfa2e3a2899f2c99)
----
- include/glib-compat.h | 12 ++++++++++++
- include/qemu-common.h | 12 ------------
- 2 files changed, 12 insertions(+), 12 deletions(-)
-
-diff --git a/include/glib-compat.h b/include/glib-compat.h
-index 8aa77af..8d25900 100644
---- a/include/glib-compat.h
-+++ b/include/glib-compat.h
-@@ -24,4 +24,16 @@ static inline guint g_timeout_add_seconds(guint interval, GSourceFunc function,
- }
- #endif
- 
-+#if !GLIB_CHECK_VERSION(2, 20, 0)
-+/*
-+ * Glib before 2.20.0 doesn't implement g_poll, so wrap it to compile properly
-+ * on older systems.
-+ */
-+static inline gint g_poll(GPollFD *fds, guint nfds, gint timeout)
-+{
-+    GMainContext *ctx = g_main_context_default();
-+    return g_main_context_get_poll_func(ctx)(fds, nfds, timeout);
-+}
-+#endif
-+
- #endif
-diff --git a/include/qemu-common.h b/include/qemu-common.h
-index a998e8d..3f3fd60 100644
---- a/include/qemu-common.h
-+++ b/include/qemu-common.h
-@@ -124,18 +124,6 @@ int qemu_main(int argc, char **argv, char **envp);
- void qemu_get_timedate(struct tm *tm, int offset);
- int qemu_timedate_diff(struct tm *tm);
- 
--#if !GLIB_CHECK_VERSION(2, 20, 0)
--/*
-- * Glib before 2.20.0 doesn't implement g_poll, so wrap it to compile properly
-- * on older systems.
-- */
--static inline gint g_poll(GPollFD *fds, guint nfds, gint timeout)
--{
--    GMainContext *ctx = g_main_context_default();
--    return g_main_context_get_poll_func(ctx)(fds, nfds, timeout);
--}
--#endif
--
- /**
-  * is_help_option:
-  * @s: string to test
diff --git a/0112-glib-fix-g_poll-early-timeout-on-windows.patch b/0112-glib-fix-g_poll-early-timeout-on-windows.patch
deleted file mode 100644
index 00bfd53..0000000
--- a/0112-glib-fix-g_poll-early-timeout-on-windows.patch
+++ /dev/null
@@ -1,171 +0,0 @@
-From 488f948b9f89a0dd90ed465f5d692230af2ecb05 Mon Sep 17 00:00:00 2001
-From: Sangho Park <sangho1206.park@samsung.com>
-Date: Thu, 8 May 2014 12:47:10 +0400
-Subject: [PATCH] glib: fix g_poll early timeout on windows
-
-g_poll has a problem on Windows when using
-timeouts < 10ms, in glib/gpoll.c:
-
-/* If not, and we have a significant timeout, poll again with
- * timeout then. Note that this will return indication for only
- * one event, or only for messages. We ignore timeouts less than
- * ten milliseconds as they are mostly pointless on Windows, the
- * MsgWaitForMultipleObjectsEx() call will timeout right away
- * anyway.
- */
-if (retval == 0 && (timeout == INFINITE || timeout >= 10))
-  retval = poll_rest (poll_msgs, handles, nhandles, fds, nfds, timeout);
-
-so whenever g_poll is called with timeout < 10ms it does
-a quick poll instead of wait, this causes significant performance
-degradation of QEMU, thus we should use WaitForMultipleObjectsEx
-directly
-
-Signed-off-by: Stanislav Vorobiov <s.vorobiov@samsung.com>
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
-(cherry picked from commit 5a007547df76446ab891df93ebc55749716609bf)
----
- include/glib-compat.h |   9 +++-
- util/oslib-win32.c    | 112 ++++++++++++++++++++++++++++++++++++++++++++++++++
- 2 files changed, 120 insertions(+), 1 deletion(-)
-
-diff --git a/include/glib-compat.h b/include/glib-compat.h
-index 8d25900..1280fb2 100644
---- a/include/glib-compat.h
-+++ b/include/glib-compat.h
-@@ -24,7 +24,14 @@ static inline guint g_timeout_add_seconds(guint interval, GSourceFunc function,
- }
- #endif
- 
--#if !GLIB_CHECK_VERSION(2, 20, 0)
-+#ifdef _WIN32
-+/*
-+ * g_poll has a problem on Windows when using
-+ * timeouts < 10ms, so use wrapper.
-+ */
-+#define g_poll(fds, nfds, timeout) g_poll_fixed(fds, nfds, timeout)
-+gint g_poll_fixed(GPollFD *fds, guint nfds, gint timeout);
-+#elif !GLIB_CHECK_VERSION(2, 20, 0)
- /*
-  * Glib before 2.20.0 doesn't implement g_poll, so wrap it to compile properly
-  * on older systems.
-diff --git a/util/oslib-win32.c b/util/oslib-win32.c
-index 93f7d35..69552f7 100644
---- a/util/oslib-win32.c
-+++ b/util/oslib-win32.c
-@@ -238,3 +238,115 @@ char *qemu_get_exec_dir(void)
- {
-     return g_strdup(exec_dir);
- }
-+
-+/*
-+ * g_poll has a problem on Windows when using
-+ * timeouts < 10ms, in glib/gpoll.c:
-+ *
-+ * // If not, and we have a significant timeout, poll again with
-+ * // timeout then. Note that this will return indication for only
-+ * // one event, or only for messages. We ignore timeouts less than
-+ * // ten milliseconds as they are mostly pointless on Windows, the
-+ * // MsgWaitForMultipleObjectsEx() call will timeout right away
-+ * // anyway.
-+ *
-+ * if (retval == 0 && (timeout == INFINITE || timeout >= 10))
-+ *   retval = poll_rest (poll_msgs, handles, nhandles, fds, nfds, timeout);
-+ *
-+ * So whenever g_poll is called with timeout < 10ms it does
-+ * a quick poll instead of wait, this causes significant performance
-+ * degradation of QEMU, thus we should use WaitForMultipleObjectsEx
-+ * directly
-+ */
-+gint g_poll_fixed(GPollFD *fds, guint nfds, gint timeout)
-+{
-+    guint i;
-+    HANDLE handles[MAXIMUM_WAIT_OBJECTS];
-+    gint nhandles = 0;
-+    int num_completed = 0;
-+
-+    for (i = 0; i < nfds; i++) {
-+        gint j;
-+
-+        if (fds[i].fd <= 0) {
-+            continue;
-+        }
-+
-+        /* don't add same handle several times
-+         */
-+        for (j = 0; j < nhandles; j++) {
-+            if (handles[j] == (HANDLE)fds[i].fd) {
-+                break;
-+            }
-+        }
-+
-+        if (j == nhandles) {
-+            if (nhandles == MAXIMUM_WAIT_OBJECTS) {
-+                fprintf(stderr, "Too many handles to wait for!\n");
-+                break;
-+            } else {
-+                handles[nhandles++] = (HANDLE)fds[i].fd;
-+            }
-+        }
-+    }
-+
-+    for (i = 0; i < nfds; ++i) {
-+        fds[i].revents = 0;
-+    }
-+
-+    if (timeout == -1) {
-+        timeout = INFINITE;
-+    }
-+
-+    if (nhandles == 0) {
-+        if (timeout == INFINITE) {
-+            return -1;
-+        } else {
-+            SleepEx(timeout, TRUE);
-+            return 0;
-+        }
-+    }
-+
-+    while (1) {
-+        DWORD res;
-+        gint j;
-+
-+        res = WaitForMultipleObjectsEx(nhandles, handles, FALSE,
-+            timeout, TRUE);
-+
-+        if (res == WAIT_FAILED) {
-+            for (i = 0; i < nfds; ++i) {
-+                fds[i].revents = 0;
-+            }
-+
-+            return -1;
-+        } else if ((res == WAIT_TIMEOUT) || (res == WAIT_IO_COMPLETION) ||
-+                   ((int)res < (int)WAIT_OBJECT_0) ||
-+                   (res >= (WAIT_OBJECT_0 + nhandles))) {
-+            break;
-+        }
-+
-+        for (i = 0; i < nfds; ++i) {
-+            if (handles[res - WAIT_OBJECT_0] == (HANDLE)fds[i].fd) {
-+                fds[i].revents = fds[i].events;
-+            }
-+        }
-+
-+        ++num_completed;
-+
-+        if (nhandles <= 1) {
-+            break;
-+        }
-+
-+        /* poll the rest of the handles
-+         */
-+        for (j = res - WAIT_OBJECT_0 + 1; j < nhandles; j++) {
-+            handles[j - 1] = handles[j];
-+        }
-+        --nhandles;
-+
-+        timeout = 0;
-+    }
-+
-+    return num_completed;
-+}
diff --git a/0113-glib-compat.h-add-new-thread-API-emulation-on-top-of.patch b/0113-glib-compat.h-add-new-thread-API-emulation-on-top-of.patch
deleted file mode 100644
index f79651f..0000000
--- a/0113-glib-compat.h-add-new-thread-API-emulation-on-top-of.patch
+++ /dev/null
@@ -1,350 +0,0 @@
-From 57a1d211179279727d5afa21a7feba2d249d6867 Mon Sep 17 00:00:00 2001
-From: Michael Tokarev <mjt@tls.msk.ru>
-Date: Thu, 8 May 2014 12:30:46 +0400
-Subject: [PATCH] glib-compat.h: add new thread API emulation on top of
- pre-2.31 API
-
-Thread API changed in glib-2.31 significantly.  Before that version,
-conditionals and mutexes were only allocated dynamically, using
-_new()/_free() interface.  in 2.31 and up, they're allocated statically
-as regular variables, and old interface is deprecated.
-
-(Note: glib docs says the new interface is available since version
-2.32, but it was actually introduced in version 2.31).
-
-Create the new interface using old primitives, by providing non-opaque
-definitions of the base types (GCond and GMutex) using GOnces.
-
-Replace #ifdeffery around GCond and GMutex in trace/simple.c and
-coroutine-gthread.c too because it does not work anymore with the new
-glib-compat.h.
-
-Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
-Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
-[Use GOnce to support lazy initialization; introduce CompatGMutex
- and CompatGCond.  - Paolo]
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-
-(cherry picked from commit 86946a2d835614050b90bc8e5c82982fe45deff2)
----
- coroutine-gthread.c   |  29 ++++--------
- include/glib-compat.h | 119 ++++++++++++++++++++++++++++++++++++++++++++++++++
- trace/simple.c        |  50 +++++----------------
- 3 files changed, 138 insertions(+), 60 deletions(-)
-
-diff --git a/coroutine-gthread.c b/coroutine-gthread.c
-index a61efe0..6bd6d6b 100644
---- a/coroutine-gthread.c
-+++ b/coroutine-gthread.c
-@@ -30,20 +30,14 @@ typedef struct {
-     CoroutineAction action;
- } CoroutineGThread;
- 
--static GStaticMutex coroutine_lock = G_STATIC_MUTEX_INIT;
-+static CompatGMutex coroutine_lock;
-+static CompatGCond coroutine_cond;
- 
- /* GLib 2.31 and beyond deprecated various parts of the thread API,
-  * but the new interfaces are not available in older GLib versions
-  * so we have to cope with both.
-  */
- #if GLIB_CHECK_VERSION(2, 31, 0)
--/* Default zero-initialisation is sufficient for 2.31+ GCond */
--static GCond the_coroutine_cond;
--static GCond *coroutine_cond = &the_coroutine_cond;
--static inline void init_coroutine_cond(void)
--{
--}
--
- /* Awkwardly, the GPrivate API doesn't provide a way to update the
-  * GDestroyNotify handler for the coroutine key dynamically. So instead
-  * we track whether or not the CoroutineGThread should be freed on
-@@ -84,11 +78,6 @@ static inline GThread *create_thread(GThreadFunc func, gpointer data)
- #else
- 
- /* Handle older GLib versions */
--static GCond *coroutine_cond;
--static inline void init_coroutine_cond(void)
--{
--    coroutine_cond = g_cond_new();
--}
- 
- static GStaticPrivate coroutine_key = G_STATIC_PRIVATE_INIT;
- 
-@@ -120,22 +109,20 @@ static void __attribute__((constructor)) coroutine_init(void)
-         g_thread_init(NULL);
-     }
- #endif
--
--    init_coroutine_cond();
- }
- 
- static void coroutine_wait_runnable_locked(CoroutineGThread *co)
- {
-     while (!co->runnable) {
--        g_cond_wait(coroutine_cond, g_static_mutex_get_mutex(&coroutine_lock));
-+        g_cond_wait(&coroutine_cond, &coroutine_lock);
-     }
- }
- 
- static void coroutine_wait_runnable(CoroutineGThread *co)
- {
--    g_static_mutex_lock(&coroutine_lock);
-+    g_mutex_lock(&coroutine_lock);
-     coroutine_wait_runnable_locked(co);
--    g_static_mutex_unlock(&coroutine_lock);
-+    g_mutex_unlock(&coroutine_lock);
- }
- 
- static gpointer coroutine_thread(gpointer opaque)
-@@ -177,17 +164,17 @@ CoroutineAction qemu_coroutine_switch(Coroutine *from_,
-     CoroutineGThread *from = DO_UPCAST(CoroutineGThread, base, from_);
-     CoroutineGThread *to = DO_UPCAST(CoroutineGThread, base, to_);
- 
--    g_static_mutex_lock(&coroutine_lock);
-+    g_mutex_lock(&coroutine_lock);
-     from->runnable = false;
-     from->action = action;
-     to->runnable = true;
-     to->action = action;
--    g_cond_broadcast(coroutine_cond);
-+    g_cond_broadcast(&coroutine_cond);
- 
-     if (action != COROUTINE_TERMINATE) {
-         coroutine_wait_runnable_locked(from);
-     }
--    g_static_mutex_unlock(&coroutine_lock);
-+    g_mutex_unlock(&coroutine_lock);
-     return from->action;
- }
- 
-diff --git a/include/glib-compat.h b/include/glib-compat.h
-index 1280fb2..4ae0671 100644
---- a/include/glib-compat.h
-+++ b/include/glib-compat.h
-@@ -5,6 +5,8 @@
-  *
-  * Authors:
-  *  Anthony Liguori   <aliguori@us.ibm.com>
-+ *  Michael Tokarev   <mjt@tls.msk.ru>
-+ *  Paolo Bonzini     <pbonzini@redhat.com>
-  *
-  * This work is licensed under the terms of the GNU GPL, version 2 or later.
-  * See the COPYING file in the top-level directory.
-@@ -43,4 +45,121 @@ static inline gint g_poll(GPollFD *fds, guint nfds, gint timeout)
- }
- #endif
- 
-+#if !GLIB_CHECK_VERSION(2, 31, 0)
-+/* before glib-2.31, GMutex and GCond was dynamic-only (there was a separate
-+ * GStaticMutex, but it didn't work with condition variables).
-+ *
-+ * Our implementation uses GOnce to fake a static implementation that does
-+ * not require separate initialization.
-+ * We need to rename the types to avoid passing our CompatGMutex/CompatGCond
-+ * by mistake to a function that expects GMutex/GCond.  However, for ease
-+ * of use we keep the GLib function names.  GLib uses macros for the
-+ * implementation, we use inline functions instead and undefine the macros.
-+ */
-+
-+typedef struct CompatGMutex {
-+    GOnce once;
-+} CompatGMutex;
-+
-+typedef struct CompatGCond {
-+    GOnce once;
-+} CompatGCond;
-+
-+static inline gpointer do_g_mutex_new(gpointer unused)
-+{
-+    return (gpointer) g_mutex_new();
-+}
-+
-+static inline void g_mutex_init(CompatGMutex *mutex)
-+{
-+    mutex->once = (GOnce) G_ONCE_INIT;
-+}
-+
-+static inline void g_mutex_clear(CompatGMutex *mutex)
-+{
-+    assert(mutex->once.status != G_ONCE_STATUS_PROGRESS);
-+    if (mutex->once.retval) {
-+        g_mutex_free((GMutex *) mutex->once.retval);
-+    }
-+    mutex->once = (GOnce) G_ONCE_INIT;
-+}
-+
-+static inline void (g_mutex_lock)(CompatGMutex *mutex)
-+{
-+    g_once(&mutex->once, do_g_mutex_new, NULL);
-+    g_mutex_lock((GMutex *) mutex->once.retval);
-+}
-+#undef g_mutex_lock
-+
-+static inline gboolean (g_mutex_trylock)(CompatGMutex *mutex)
-+{
-+    g_once(&mutex->once, do_g_mutex_new, NULL);
-+    return g_mutex_trylock((GMutex *) mutex->once.retval);
-+}
-+#undef g_mutex_trylock
-+
-+
-+static inline void (g_mutex_unlock)(CompatGMutex *mutex)
-+{
-+    g_mutex_unlock((GMutex *) mutex->once.retval);
-+}
-+#undef g_mutex_unlock
-+
-+static inline gpointer do_g_cond_new(gpointer unused)
-+{
-+    return (gpointer) g_cond_new();
-+}
-+
-+static inline void g_cond_init(CompatGCond *cond)
-+{
-+    cond->once = (GOnce) G_ONCE_INIT;
-+}
-+
-+static inline void g_cond_clear(CompatGCond *cond)
-+{
-+    assert(cond->once.status != G_ONCE_STATUS_PROGRESS);
-+    if (cond->once.retval) {
-+        g_cond_free((GCond *) cond->once.retval);
-+    }
-+    cond->once = (GOnce) G_ONCE_INIT;
-+}
-+
-+static inline void (g_cond_wait)(CompatGCond *cond, CompatGMutex *mutex)
-+{
-+    assert(mutex->once.status != G_ONCE_STATUS_PROGRESS);
-+    g_once(&cond->once, do_g_cond_new, NULL);
-+    g_cond_wait((GCond *) cond->once.retval, (GMutex *) mutex->once.retval);
-+}
-+#undef g_cond_wait
-+
-+static inline void (g_cond_broadcast)(CompatGCond *cond)
-+{
-+    g_once(&cond->once, do_g_cond_new, NULL);
-+    g_cond_broadcast((GCond *) cond->once.retval);
-+}
-+#undef g_cond_broadcast
-+
-+static inline void (g_cond_signal)(CompatGCond *cond)
-+{
-+    g_once(&cond->once, do_g_cond_new, NULL);
-+    g_cond_signal((GCond *) cond->once.retval);
-+}
-+#undef g_cond_signal
-+
-+
-+/* before 2.31 there was no g_thread_new() */
-+static inline GThread *g_thread_new(const char *name,
-+                                    GThreadFunc func, gpointer data)
-+{
-+    GThread *thread = g_thread_create(func, data, TRUE, NULL);
-+    if (!thread) {
-+        g_error("creating thread");
-+    }
-+    return thread;
-+}
-+#else
-+#define CompatGMutex GMutex
-+#define CompatGCond GCond
-+#endif /* glib 2.31 */
-+
- #endif
-diff --git a/trace/simple.c b/trace/simple.c
-index 1584bf7..8fc96fe 100644
---- a/trace/simple.c
-+++ b/trace/simple.c
-@@ -40,28 +40,9 @@
-  * Trace records are written out by a dedicated thread.  The thread waits for
-  * records to become available, writes them out, and then waits again.
-  */
--#if GLIB_CHECK_VERSION(2, 32, 0)
--static GMutex trace_lock;
--#define lock_trace_lock() g_mutex_lock(&trace_lock)
--#define unlock_trace_lock() g_mutex_unlock(&trace_lock)
--#define get_trace_lock_mutex() (&trace_lock)
--#else
--static GStaticMutex trace_lock = G_STATIC_MUTEX_INIT;
--#define lock_trace_lock() g_static_mutex_lock(&trace_lock)
--#define unlock_trace_lock() g_static_mutex_unlock(&trace_lock)
--#define get_trace_lock_mutex() g_static_mutex_get_mutex(&trace_lock)
--#endif
--
--/* g_cond_new() was deprecated in glib 2.31 but we still need to support it */
--#if GLIB_CHECK_VERSION(2, 31, 0)
--static GCond the_trace_available_cond;
--static GCond the_trace_empty_cond;
--static GCond *trace_available_cond = &the_trace_available_cond;
--static GCond *trace_empty_cond = &the_trace_empty_cond;
--#else
--static GCond *trace_available_cond;
--static GCond *trace_empty_cond;
--#endif
-+static CompatGMutex trace_lock;
-+static CompatGCond trace_available_cond;
-+static CompatGCond trace_empty_cond;
- 
- static bool trace_available;
- static bool trace_writeout_enabled;
-@@ -151,26 +132,26 @@ static bool get_trace_record(unsigned int idx, TraceRecord **recordptr)
-  */
- static void flush_trace_file(bool wait)
- {
--    lock_trace_lock();
-+    g_mutex_lock(&trace_lock);
-     trace_available = true;
--    g_cond_signal(trace_available_cond);
-+    g_cond_signal(&trace_available_cond);
- 
-     if (wait) {
--        g_cond_wait(trace_empty_cond, get_trace_lock_mutex());
-+        g_cond_wait(&trace_empty_cond, &trace_lock);
-     }
- 
--    unlock_trace_lock();
-+    g_mutex_unlock(&trace_lock);
- }
- 
- static void wait_for_trace_records_available(void)
- {
--    lock_trace_lock();
-+    g_mutex_lock(&trace_lock);
-     while (!(trace_available && trace_writeout_enabled)) {
--        g_cond_signal(trace_empty_cond);
--        g_cond_wait(trace_available_cond, get_trace_lock_mutex());
-+        g_cond_signal(&trace_empty_cond);
-+        g_cond_wait(&trace_available_cond, &trace_lock);
-     }
-     trace_available = false;
--    unlock_trace_lock();
-+    g_mutex_unlock(&trace_lock);
- }
- 
- static gpointer writeout_thread(gpointer opaque)
-@@ -399,11 +380,7 @@ static GThread *trace_thread_create(GThreadFunc fn)
-     pthread_sigmask(SIG_SETMASK, &set, &oldset);
- #endif
- 
--#if GLIB_CHECK_VERSION(2, 31, 0)
-     thread = g_thread_new("trace-thread", fn, NULL);
--#else
--    thread = g_thread_create(fn, NULL, FALSE, NULL);
--#endif
- 
- #ifndef _WIN32
-     pthread_sigmask(SIG_SETMASK, &oldset, NULL);
-@@ -418,11 +395,6 @@ bool trace_backend_init(const char *events, const char *file)
- 
-     trace_pid = getpid();
- 
--#if !GLIB_CHECK_VERSION(2, 31, 0)
--    trace_available_cond = g_cond_new();
--    trace_empty_cond = g_cond_new();
--#endif
--
-     thread = trace_thread_create(writeout_thread);
-     if (!thread) {
-         fprintf(stderr, "warning: unable to initialize simple trace backend\n");
diff --git a/0114-libcacard-replace-pstrcpy-with-memcpy.patch b/0114-libcacard-replace-pstrcpy-with-memcpy.patch
deleted file mode 100644
index 25ec2dd..0000000
--- a/0114-libcacard-replace-pstrcpy-with-memcpy.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From c916d06403eec41a92eabf52b31102d3b7068da8 Mon Sep 17 00:00:00 2001
-From: Michael Tokarev <mjt@tls.msk.ru>
-Date: Fri, 2 May 2014 18:35:59 +0400
-Subject: [PATCH] libcacard: replace pstrcpy() with memcpy()
-
-Commit 2e679780ae86c6ca8 replaced strncpy() with pstrcpy()
-in one place in libcacard.  This is a qemu-specific function,
-while libcacard is a stand-alone library (or tries to be).
-But since we know the exact length of the string to copy,
-and know that it definitely will fit in the destination
-buffer, use memcpy() instead, and null-terminate the string
-after that.
-
-An alternative is to use g_strlcpy() or strncpy(), but memcpy()
-is more than adequate in this place.
-
-Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
-Cc: qemu-trivial@nongnu.org
-Cc: Alon Levy <alevy@redhat.com>
-(cherry picked from commit a22f8f38942623dc473bf5ced5b4117b8bdf4821)
----
- libcacard/vcard_emul_nss.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/libcacard/vcard_emul_nss.c b/libcacard/vcard_emul_nss.c
-index ee2dfae..e2b196d 100644
---- a/libcacard/vcard_emul_nss.c
-+++ b/libcacard/vcard_emul_nss.c
-@@ -1162,7 +1162,8 @@ vcard_emul_options(const char *args)
-             NEXT_TOKEN(vname)
-             NEXT_TOKEN(type_params)
-             type_params_length = MIN(type_params_length, sizeof(type_str)-1);
--            pstrcpy(type_str, type_params_length, type_params);
-+            memcpy(type_str, type_params, type_params_length);
-+            type_str[type_params_length] = '\0';
-             type = vcard_emul_type_from_string(type_str);
- 
-             NEXT_TOKEN(type_params)
diff --git a/0115-libcacard-g_malloc-cleanups.patch b/0115-libcacard-g_malloc-cleanups.patch
deleted file mode 100644
index 5b2d98d..0000000
--- a/0115-libcacard-g_malloc-cleanups.patch
+++ /dev/null
@@ -1,236 +0,0 @@
-From 118436ff47d7269f4bf3e3c1cd83df4b44b7d5c2 Mon Sep 17 00:00:00 2001
-From: Michael Tokarev <mjt@tls.msk.ru>
-Date: Thu, 8 May 2014 19:51:01 +0400
-Subject: [PATCH] libcacard: g_malloc cleanups
-
-This patch replaces g_malloc() in libcacard into g_new()
-or g_new0() where appropriate (removing some init-to-zero
-surrounding code), g_malloc+memcpy into g_memdup() and the
-like.
-
-Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
-Reviewed-by: Alon Levy <alevy@redhat.com>
-(cherry picked from commit 78a4b8d2051bff8e8794e9419b7925122212b096)
----
- libcacard/cac.c            | 11 +++--------
- libcacard/card_7816.c      | 11 +++++------
- libcacard/event.c          |  2 +-
- libcacard/vcard.c          | 22 +++++-----------------
- libcacard/vcard_emul_nss.c | 12 ++++++------
- libcacard/vreader.c        | 11 +++--------
- 6 files changed, 23 insertions(+), 46 deletions(-)
-
-diff --git a/libcacard/cac.c b/libcacard/cac.c
-index 74ef3e3..122129e 100644
---- a/libcacard/cac.c
-+++ b/libcacard/cac.c
-@@ -310,16 +310,11 @@ static VCardAppletPrivate *
- cac_new_pki_applet_private(const unsigned char *cert,
-                            int cert_len, VCardKey *key)
- {
--    CACPKIAppletData *pki_applet_data = NULL;
--    VCardAppletPrivate *applet_private = NULL;
--    applet_private = (VCardAppletPrivate *)g_malloc(sizeof(VCardAppletPrivate));
-+    CACPKIAppletData *pki_applet_data;
-+    VCardAppletPrivate *applet_private;
- 
-+    applet_private = g_new0(VCardAppletPrivate, 1);
-     pki_applet_data = &(applet_private->u.pki_data);
--    pki_applet_data->cert_buffer = NULL;
--    pki_applet_data->cert_buffer_len = 0;
--    pki_applet_data->sign_buffer = NULL;
--    pki_applet_data->sign_buffer_len = 0;
--    pki_applet_data->key = NULL;
-     pki_applet_data->cert = (unsigned char *)g_malloc(cert_len+1);
-     /*
-      * if we want to support compression, then we simply change the 0 to a 1
-diff --git a/libcacard/card_7816.c b/libcacard/card_7816.c
-index c28bb60..bca8c4a 100644
---- a/libcacard/card_7816.c
-+++ b/libcacard/card_7816.c
-@@ -51,7 +51,7 @@ vcard_response_new_data(unsigned char *buf, int len)
- {
-     VCardResponse *new_response;
- 
--    new_response = (VCardResponse *)g_malloc(sizeof(VCardResponse));
-+    new_response = g_new(VCardResponse, 1);
-     new_response->b_data = g_malloc(len + 2);
-     memcpy(new_response->b_data, buf, len);
-     new_response->b_total_len = len+2;
-@@ -132,7 +132,7 @@ vcard_response_new_status(vcard_7816_status_t status)
- {
-     VCardResponse *new_response;
- 
--    new_response = (VCardResponse *)g_malloc(sizeof(VCardResponse));
-+    new_response = g_new(VCardResponse, 1);
-     new_response->b_data = &new_response->b_sw1;
-     new_response->b_len = 0;
-     new_response->b_total_len = 2;
-@@ -149,7 +149,7 @@ vcard_response_new_status_bytes(unsigned char sw1, unsigned char sw2)
- {
-     VCardResponse *new_response;
- 
--    new_response = (VCardResponse *)g_malloc(sizeof(VCardResponse));
-+    new_response = g_new(VCardResponse, 1);
-     new_response->b_data = &new_response->b_sw1;
-     new_response->b_len = 0;
-     new_response->b_total_len = 2;
-@@ -336,9 +336,8 @@ vcard_apdu_new(unsigned char *raw_apdu, int len, vcard_7816_status_t *status)
-         return NULL;
-     }
- 
--    new_apdu = (VCardAPDU *)g_malloc(sizeof(VCardAPDU));
--    new_apdu->a_data = g_malloc(len);
--    memcpy(new_apdu->a_data, raw_apdu, len);
-+    new_apdu = g_new(VCardAPDU, 1);
-+    new_apdu->a_data = g_memdup(raw_apdu, len);
-     new_apdu->a_len = len;
-     *status = vcard_apdu_set_class(new_apdu);
-     if (*status != VCARD7816_STATUS_SUCCESS) {
-diff --git a/libcacard/event.c b/libcacard/event.c
-index 2d7500f..a2e6c7d 100644
---- a/libcacard/event.c
-+++ b/libcacard/event.c
-@@ -17,7 +17,7 @@ vevent_new(VEventType type, VReader *reader, VCard *card)
- {
-     VEvent *new_vevent;
- 
--    new_vevent = (VEvent *)g_malloc(sizeof(VEvent));
-+    new_vevent = g_new(VEvent, 1);
-     new_vevent->next = NULL;
-     new_vevent->type = type;
-     new_vevent->reader = vreader_reference(reader);
-diff --git a/libcacard/vcard.c b/libcacard/vcard.c
-index 539177b..227e477 100644
---- a/libcacard/vcard.c
-+++ b/libcacard/vcard.c
-@@ -37,9 +37,8 @@ vcard_buffer_response_new(unsigned char *buffer, int size)
- {
-     VCardBufferResponse *new_buffer;
- 
--    new_buffer = (VCardBufferResponse *)g_malloc(sizeof(VCardBufferResponse));
--    new_buffer->buffer = (unsigned char *)g_malloc(size);
--    memcpy(new_buffer->buffer, buffer, size);
-+    new_buffer = g_new(VCardBufferResponse, 1);
-+    new_buffer->buffer = (unsigned char *)g_memdup(buffer, size);
-     new_buffer->buffer_len = size;
-     new_buffer->current = new_buffer->buffer;
-     new_buffer->len = size;
-@@ -102,15 +101,11 @@ vcard_new_applet(VCardProcessAPDU applet_process_function,
- {
-     VCardApplet *applet;
- 
--    applet = (VCardApplet *)g_malloc(sizeof(VCardApplet));
--    applet->next = NULL;
--    applet->applet_private = NULL;
--    applet->applet_private_free = NULL;
-+    applet = g_new0(VCardApplet, 1);
-     applet->process_apdu = applet_process_function;
-     applet->reset_applet = applet_reset_function;
- 
--    applet->aid = g_malloc(aid_len);
--    memcpy(applet->aid, aid, aid_len);
-+    applet->aid = g_memdup(aid, aid_len);
-     applet->aid_len = aid_len;
-     return applet;
- }
-@@ -149,18 +144,11 @@ VCard *
- vcard_new(VCardEmul *private, VCardEmulFree private_free)
- {
-     VCard *new_card;
--    int i;
- 
--    new_card = (VCard *)g_malloc(sizeof(VCard));
--    new_card->applet_list = NULL;
--    for (i = 0; i < MAX_CHANNEL; i++) {
--        new_card->current_applet[i] = NULL;
--    }
--    new_card->vcard_buffer_response = NULL;
-+    new_card = g_new0(VCard, 1);
-     new_card->type = VCARD_VM;
-     new_card->vcard_private = private;
-     new_card->vcard_private_free = private_free;
--    new_card->vcard_get_atr = NULL;
-     new_card->reference_count = 1;
-     return new_card;
- }
-diff --git a/libcacard/vcard_emul_nss.c b/libcacard/vcard_emul_nss.c
-index e2b196d..75b9d79 100644
---- a/libcacard/vcard_emul_nss.c
-+++ b/libcacard/vcard_emul_nss.c
-@@ -94,9 +94,9 @@ static void
- vcard_emul_alloc_arrays(unsigned char ***certsp, int **cert_lenp,
-                         VCardKey ***keysp, int cert_count)
- {
--    *certsp = (unsigned char **)g_malloc(sizeof(unsigned char *)*cert_count);
--    *cert_lenp = (int *)g_malloc(sizeof(int)*cert_count);
--    *keysp = (VCardKey **)g_malloc(sizeof(VCardKey *)*cert_count);
-+    *certsp = g_new(unsigned char *, cert_count);
-+    *cert_lenp = g_new(int, cert_count);
-+    *keysp = g_new(VCardKey *, cert_count);
- }
- 
- /*
-@@ -139,7 +139,7 @@ vcard_emul_make_key(PK11SlotInfo *slot, CERTCertificate *cert)
- {
-     VCardKey *key;
- 
--    key = (VCardKey *)g_malloc(sizeof(VCardKey));
-+    key = g_new(VCardKey, 1);
-     key->slot = PK11_ReferenceSlot(slot);
-     key->cert = CERT_DupCertificate(cert);
-     /* NOTE: if we aren't logged into the token, this could return NULL */
-@@ -449,7 +449,7 @@ vreader_emul_new(PK11SlotInfo *slot, VCardEmulType type, const char *params)
- {
-     VReaderEmul *new_reader_emul;
- 
--    new_reader_emul = (VReaderEmul *)g_malloc(sizeof(VReaderEmul));
-+    new_reader_emul = g_new(VReaderEmul, 1);
- 
-     new_reader_emul->slot = PK11_ReferenceSlot(slot);
-     new_reader_emul->default_type = type;
-@@ -1189,7 +1189,7 @@ vcard_emul_options(const char *args)
-                 g_strndup(type_params, type_params_length);
-             count = count_tokens(args, ',', ')') + 1;
-             vreaderOpt->cert_count = count;
--            vreaderOpt->cert_name = (char **)g_malloc(count*sizeof(char *));
-+            vreaderOpt->cert_name = g_new(char *, count);
-             for (i = 0; i < count; i++) {
-                 const char *cert = args;
-                 args = strpbrk(args, ",)");
-diff --git a/libcacard/vreader.c b/libcacard/vreader.c
-index 5793d73..215a2f6 100644
---- a/libcacard/vreader.c
-+++ b/libcacard/vreader.c
-@@ -115,7 +115,7 @@ vreader_new(const char *name, VReaderEmul *private,
- {
-     VReader *reader;
- 
--    reader = (VReader *)g_malloc(sizeof(VReader));
-+    reader = g_new(VReader, 1);
-     qemu_mutex_init(&reader->lock);
-     reader->reference_count = 1;
-     reader->name = g_strdup(name);
-@@ -312,10 +312,7 @@ vreader_list_entry_new(VReader *reader)
- {
-     VReaderListEntry *new_reader_list_entry;
- 
--    new_reader_list_entry = (VReaderListEntry *)
--                               g_malloc(sizeof(VReaderListEntry));
--    new_reader_list_entry->next = NULL;
--    new_reader_list_entry->prev = NULL;
-+    new_reader_list_entry = g_new0(VReaderListEntry, 1);
-     new_reader_list_entry->reader = vreader_reference(reader);
-     return new_reader_list_entry;
- }
-@@ -336,9 +333,7 @@ vreader_list_new(void)
- {
-     VReaderList *new_reader_list;
- 
--    new_reader_list = (VReaderList *)g_malloc(sizeof(VReaderList));
--    new_reader_list->head = NULL;
--    new_reader_list->tail = NULL;
-+    new_reader_list = g_new0(VReaderList, 1);
-     return new_reader_list;
- }
- 
diff --git a/0116-vscclient-use-glib-thread-primitives-not-qemu.patch b/0116-vscclient-use-glib-thread-primitives-not-qemu.patch
deleted file mode 100644
index 018f9e6..0000000
--- a/0116-vscclient-use-glib-thread-primitives-not-qemu.patch
+++ /dev/null
@@ -1,218 +0,0 @@
-From 4a609afa4206d7af9fe2c8dcfbe7850509701aff Mon Sep 17 00:00:00 2001
-From: Michael Tokarev <mjt@tls.msk.ru>
-Date: Thu, 8 May 2014 12:30:47 +0400
-Subject: [PATCH] vscclient: use glib thread primitives not qemu
-
-Use glib-provided thread primitives in vscclient instead of
-qemu ones, and do not use qemu sockets in there (open-code
-call to WSAStartup() for windows to initialize things).
-
-This way, vscclient becomes more stand-alone, independent on
-qemu internals.
-
-Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
-Reviewed-by: Alon Levy <alevy@redhat.com>
-Tested-by: Alon Levy <alevy@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit 2a0c46da967e5dc8cfe73b1b6fe7a1600c04f461)
----
- libcacard/vscclient.c | 70 +++++++++++++++++++++++++++------------------------
- 1 file changed, 37 insertions(+), 33 deletions(-)
-
-diff --git a/libcacard/vscclient.c b/libcacard/vscclient.c
-index 3477ab3..598206b 100644
---- a/libcacard/vscclient.c
-+++ b/libcacard/vscclient.c
-@@ -12,12 +12,10 @@
- 
- #ifndef _WIN32
- #include <netdb.h>
-+#define closesocket(x) close(x)
- #endif
--#include <glib.h>
- 
- #include "qemu-common.h"
--#include "qemu/thread.h"
--#include "qemu/sockets.h"
- 
- #include "vscard_common.h"
- 
-@@ -54,7 +52,7 @@ print_usage(void) {
- 
- static GIOChannel *channel_socket;
- static GByteArray *socket_to_send;
--static QemuMutex socket_to_send_lock;
-+static CompatGMutex socket_to_send_lock;
- static guint socket_tag;
- 
- static void
-@@ -103,7 +101,7 @@ send_msg(
- ) {
-     VSCMsgHeader mhHeader;
- 
--    qemu_mutex_lock(&socket_to_send_lock);
-+    g_mutex_lock(&socket_to_send_lock);
- 
-     if (verbose > 10) {
-         printf("sending type=%d id=%u, len =%u (0x%x)\n",
-@@ -117,18 +115,18 @@ send_msg(
-     g_byte_array_append(socket_to_send, (guint8 *)msg, length);
-     g_idle_add(socket_prepare_sending, NULL);
- 
--    qemu_mutex_unlock(&socket_to_send_lock);
-+    g_mutex_unlock(&socket_to_send_lock);
- 
-     return 0;
- }
- 
- static VReader *pending_reader;
--static QemuMutex pending_reader_lock;
--static QemuCond pending_reader_condition;
-+static CompatGMutex pending_reader_lock;
-+static CompatGCond pending_reader_condition;
- 
- #define MAX_ATR_LEN 40
--static void *
--event_thread(void *arg)
-+static gpointer
-+event_thread(gpointer arg)
- {
-     unsigned char atr[MAX_ATR_LEN];
-     int atr_len = MAX_ATR_LEN;
-@@ -149,20 +147,20 @@ event_thread(void *arg)
-             /* ignore events from readers qemu has rejected */
-             /* if qemu is still deciding on this reader, wait to see if need to
-              * forward this event */
--            qemu_mutex_lock(&pending_reader_lock);
-+            g_mutex_lock(&pending_reader_lock);
-             if (!pending_reader || (pending_reader != event->reader)) {
-                 /* wasn't for a pending reader, this reader has already been
-                  * rejected by qemu */
--                qemu_mutex_unlock(&pending_reader_lock);
-+                g_mutex_unlock(&pending_reader_lock);
-                 vevent_delete(event);
-                 continue;
-             }
-             /* this reader hasn't been told its status from qemu yet, wait for
-              * that status */
-             while (pending_reader != NULL) {
--                qemu_cond_wait(&pending_reader_condition, &pending_reader_lock);
-+                g_cond_wait(&pending_reader_condition, &pending_reader_lock);
-             }
--            qemu_mutex_unlock(&pending_reader_lock);
-+            g_mutex_unlock(&pending_reader_lock);
-             /* now recheck the id */
-             reader_id = vreader_get_id(event->reader);
-             if (reader_id == VSCARD_UNDEFINED_READER_ID) {
-@@ -178,12 +176,12 @@ event_thread(void *arg)
-             /* wait until qemu has responded to our first reader insert
-              * before we send a second. That way we won't confuse the responses
-              * */
--            qemu_mutex_lock(&pending_reader_lock);
-+            g_mutex_lock(&pending_reader_lock);
-             while (pending_reader != NULL) {
--                qemu_cond_wait(&pending_reader_condition, &pending_reader_lock);
-+                g_cond_wait(&pending_reader_condition, &pending_reader_lock);
-             }
-             pending_reader = vreader_reference(event->reader);
--            qemu_mutex_unlock(&pending_reader_lock);
-+            g_mutex_unlock(&pending_reader_lock);
-             reader_name = vreader_get_name(event->reader);
-             if (verbose > 10) {
-                 printf(" READER INSERT: %s\n", reader_name);
-@@ -246,7 +244,6 @@ on_host_init(VSCMsgHeader *mhHeader, VSCMsgInit *incoming)
-     int num_capabilities =
-         1 + ((mhHeader->length - sizeof(VSCMsgInit)) / sizeof(uint32_t));
-     int i;
--    QemuThread thread_id;
- 
-     incoming->version = ntohl(incoming->version);
-     if (incoming->version != VSCARD_VERSION) {
-@@ -269,7 +266,7 @@ on_host_init(VSCMsgHeader *mhHeader, VSCMsgInit *incoming)
-     send_msg(VSC_ReaderRemove, VSCARD_MINIMAL_READER_ID, NULL, 0);
-     /* launch the event_thread. This will trigger reader adds for all the
-      * existing readers */
--    qemu_thread_create(&thread_id, "vsc/event", event_thread, NULL, 0);
-+    g_thread_new("vsc/event", event_thread, NULL);
-     return 0;
- }
- 
-@@ -379,26 +376,26 @@ do_socket_read(GIOChannel *source,
-         case VSC_Error:
-             error_msg = (VSCMsgError *) pbSendBuffer;
-             if (error_msg->code == VSC_SUCCESS) {
--                qemu_mutex_lock(&pending_reader_lock);
-+                g_mutex_lock(&pending_reader_lock);
-                 if (pending_reader) {
-                     vreader_set_id(pending_reader, mhHeader.reader_id);
-                     vreader_free(pending_reader);
-                     pending_reader = NULL;
--                    qemu_cond_signal(&pending_reader_condition);
-+                    g_cond_signal(&pending_reader_condition);
-                 }
--                qemu_mutex_unlock(&pending_reader_lock);
-+                g_mutex_unlock(&pending_reader_lock);
-                 break;
-             }
-             printf("warning: qemu refused to add reader\n");
-             if (error_msg->code == VSC_CANNOT_ADD_MORE_READERS) {
-                 /* clear pending reader, qemu can't handle any more */
--                qemu_mutex_lock(&pending_reader_lock);
-+                g_mutex_lock(&pending_reader_lock);
-                 if (pending_reader) {
-                     pending_reader = NULL;
-                     /* make sure the event loop doesn't hang */
--                    qemu_cond_signal(&pending_reader_condition);
-+                    g_cond_signal(&pending_reader_condition);
-                 }
--                qemu_mutex_unlock(&pending_reader_lock);
-+                g_mutex_unlock(&pending_reader_lock);
-             }
-             break;
-         case VSC_Init:
-@@ -602,7 +599,7 @@ connect_to_qemu(
-     struct addrinfo *server;
-     int ret, sock;
- 
--    sock = qemu_socket(AF_INET, SOCK_STREAM, 0);
-+    sock = socket(AF_INET, SOCK_STREAM, 0);
-     if (sock < 0) {
-         /* Error */
-         fprintf(stderr, "Error opening socket!\n");
-@@ -655,8 +652,20 @@ main(
-     int cert_count = 0;
-     int c, sock;
- 
--    if (socket_init() != 0)
-+#ifdef _WIN32
-+    WSADATA Data;
-+
-+    if (WSAStartup(MAKEWORD(2, 2), &Data) != 0) {
-+        c = WSAGetLastError();
-+        fprintf(stderr, "WSAStartup: %d\n", c);
-         return 1;
-+    }
-+#endif
-+#if !GLIB_CHECK_VERSION(2, 31, 0)
-+    if (!g_thread_supported()) {
-+         g_thread_init(NULL);
-+    }
-+#endif
- 
-     while ((c = getopt(argc, argv, "c:e:pd:")) != -1) {
-         switch (c) {
-@@ -723,13 +732,8 @@ main(
-     }
- 
-     socket_to_send = g_byte_array_new();
--    qemu_mutex_init(&socket_to_send_lock);
--    qemu_mutex_init(&pending_reader_lock);
--    qemu_cond_init(&pending_reader_condition);
--
-     vcard_emul_init(command_line_options);
--
--    loop = g_main_loop_new(NULL, true);
-+    loop = g_main_loop_new(NULL, TRUE);
- 
-     printf("> ");
-     fflush(stdout);
diff --git a/0117-libcacard-replace-qemu-thread-primitives-with-glib-o.patch b/0117-libcacard-replace-qemu-thread-primitives-with-glib-o.patch
deleted file mode 100644
index 72fc8ac..0000000
--- a/0117-libcacard-replace-qemu-thread-primitives-with-glib-o.patch
+++ /dev/null
@@ -1,204 +0,0 @@
-From 95d830ad782262bac47e4cc368e8dff108b789f1 Mon Sep 17 00:00:00 2001
-From: Michael Tokarev <mjt@tls.msk.ru>
-Date: Thu, 8 May 2014 12:30:48 +0400
-Subject: [PATCH] libcacard: replace qemu thread primitives with glib ones
-
-Replace QemuMutex with GMutex and QemuCond with GCond
-(with corresponding function changes), to make libcacard
-independent of qemu internal functions.
-
-After this step, none of libcacard internals use any
-qemu-provided symbols.  Maybe it's a good idea to
-stop including qemu-common.h internally too.
-
-Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
-Reviewed-by: Alon Levy <alevy@redhat.com>
-Tested-by: Alon Levy <alevy@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit fd25c0e6dd1ed2aa932fa7ef814b32457bf270fd)
----
- libcacard/Makefile  |  8 +-------
- libcacard/event.c   | 23 ++++++++++-------------
- libcacard/vreader.c | 18 ++++++++----------
- 3 files changed, 19 insertions(+), 30 deletions(-)
-
-diff --git a/libcacard/Makefile b/libcacard/Makefile
-index 6b06448..89a5942 100644
---- a/libcacard/Makefile
-+++ b/libcacard/Makefile
-@@ -3,13 +3,7 @@ libcacard_includedir=$(includedir)/cacard
- TOOLS += vscclient$(EXESUF)
- 
- # objects linked into a shared library, built with libtool with -fPIC if required
--libcacard-obj-y = $(stub-obj-y) $(libcacard-y)
--libcacard-obj-y += util/osdep.o util/cutils.o util/qemu-timer-common.o
--libcacard-obj-y += util/error.o util/qemu-error.o
--libcacard-obj-$(CONFIG_WIN32) += util/oslib-win32.o util/qemu-thread-win32.o
--libcacard-obj-$(CONFIG_POSIX) += util/oslib-posix.o util/qemu-thread-posix.o
--libcacard-obj-y += $(filter trace/%, $(util-obj-y))
--
-+libcacard-obj-y = $(libcacard-y)
- libcacard-lobj-y=$(patsubst %.o,%.lo,$(libcacard-obj-y))
- 
- # libtool will build the .o files, too
-diff --git a/libcacard/event.c b/libcacard/event.c
-index a2e6c7d..4c551e4 100644
---- a/libcacard/event.c
-+++ b/libcacard/event.c
-@@ -6,7 +6,6 @@
-  */
- 
- #include "qemu-common.h"
--#include "qemu/thread.h"
- 
- #include "vcard.h"
- #include "vreader.h"
-@@ -43,13 +42,11 @@ vevent_delete(VEvent *vevent)
- 
- static VEvent *vevent_queue_head;
- static VEvent *vevent_queue_tail;
--static QemuMutex vevent_queue_lock;
--static QemuCond vevent_queue_condition;
-+static CompatGMutex vevent_queue_lock;
-+static CompatGCond vevent_queue_condition;
- 
- void vevent_queue_init(void)
- {
--    qemu_mutex_init(&vevent_queue_lock);
--    qemu_cond_init(&vevent_queue_condition);
-     vevent_queue_head = vevent_queue_tail = NULL;
- }
- 
-@@ -57,7 +54,7 @@ void
- vevent_queue_vevent(VEvent *vevent)
- {
-     vevent->next = NULL;
--    qemu_mutex_lock(&vevent_queue_lock);
-+    g_mutex_lock(&vevent_queue_lock);
-     if (vevent_queue_head) {
-         assert(vevent_queue_tail);
-         vevent_queue_tail->next = vevent;
-@@ -65,8 +62,8 @@ vevent_queue_vevent(VEvent *vevent)
-         vevent_queue_head = vevent;
-     }
-     vevent_queue_tail = vevent;
--    qemu_cond_signal(&vevent_queue_condition);
--    qemu_mutex_unlock(&vevent_queue_lock);
-+    g_cond_signal(&vevent_queue_condition);
-+    g_mutex_unlock(&vevent_queue_lock);
- }
- 
- /* must have lock */
-@@ -86,11 +83,11 @@ VEvent *vevent_wait_next_vevent(void)
- {
-     VEvent *vevent;
- 
--    qemu_mutex_lock(&vevent_queue_lock);
-+    g_mutex_lock(&vevent_queue_lock);
-     while ((vevent = vevent_dequeue_vevent()) == NULL) {
--        qemu_cond_wait(&vevent_queue_condition, &vevent_queue_lock);
-+        g_cond_wait(&vevent_queue_condition, &vevent_queue_lock);
-     }
--    qemu_mutex_unlock(&vevent_queue_lock);
-+    g_mutex_unlock(&vevent_queue_lock);
-     return vevent;
- }
- 
-@@ -98,9 +95,9 @@ VEvent *vevent_get_next_vevent(void)
- {
-     VEvent *vevent;
- 
--    qemu_mutex_lock(&vevent_queue_lock);
-+    g_mutex_lock(&vevent_queue_lock);
-     vevent = vevent_dequeue_vevent();
--    qemu_mutex_unlock(&vevent_queue_lock);
-+    g_mutex_unlock(&vevent_queue_lock);
-     return vevent;
- }
- 
-diff --git a/libcacard/vreader.c b/libcacard/vreader.c
-index 215a2f6..75b5b28 100644
---- a/libcacard/vreader.c
-+++ b/libcacard/vreader.c
-@@ -9,10 +9,8 @@
- #undef G_LOG_DOMAIN
- #endif
- #define G_LOG_DOMAIN "libcacard"
--#include <glib.h>
- 
- #include "qemu-common.h"
--#include "qemu/thread.h"
- 
- #include "vcard.h"
- #include "vcard_emul.h"
-@@ -28,7 +26,7 @@ struct VReaderStruct {
-     VCard *card;
-     char *name;
-     vreader_id_t id;
--    QemuMutex lock;
-+    CompatGMutex lock;
-     VReaderEmul  *reader_private;
-     VReaderEmulFree reader_private_free;
- };
-@@ -97,13 +95,13 @@ apdu_ins_to_string(int ins)
- static inline void
- vreader_lock(VReader *reader)
- {
--    qemu_mutex_lock(&reader->lock);
-+    g_mutex_lock(&reader->lock);
- }
- 
- static inline void
- vreader_unlock(VReader *reader)
- {
--    qemu_mutex_unlock(&reader->lock);
-+    g_mutex_unlock(&reader->lock);
- }
- 
- /*
-@@ -116,7 +114,7 @@ vreader_new(const char *name, VReaderEmul *private,
-     VReader *reader;
- 
-     reader = g_new(VReader, 1);
--    qemu_mutex_init(&reader->lock);
-+    g_mutex_init(&reader->lock);
-     reader->reference_count = 1;
-     reader->name = g_strdup(name);
-     reader->card = NULL;
-@@ -152,6 +150,7 @@ vreader_free(VReader *reader)
-         return;
-     }
-     vreader_unlock(reader);
-+    g_mutex_clear(&reader->lock);
-     if (reader->card) {
-         vcard_free(reader->card);
-     }
-@@ -408,25 +407,24 @@ vreader_dequeue(VReaderList *list, VReaderListEntry *entry)
- }
- 
- static VReaderList *vreader_list;
--static QemuMutex vreader_list_mutex;
-+static CompatGMutex vreader_list_mutex;
- 
- static void
- vreader_list_init(void)
- {
-     vreader_list = vreader_list_new();
--    qemu_mutex_init(&vreader_list_mutex);
- }
- 
- static void
- vreader_list_lock(void)
- {
--    qemu_mutex_lock(&vreader_list_mutex);
-+    g_mutex_lock(&vreader_list_mutex);
- }
- 
- static void
- vreader_list_unlock(void)
- {
--    qemu_mutex_unlock(&vreader_list_mutex);
-+    g_mutex_unlock(&vreader_list_mutex);
- }
- 
- static VReaderList *
diff --git a/qemu.spec b/qemu.spec
index 2b1d1f2..c3b1d54 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -154,11 +154,10 @@
 %define with_xen 1
 %endif
 
-
 Summary: QEMU is a FAST! processor emulator
 Name: qemu
-Version: 2.0.0
-Release: 7%{?dist}
+Version: 2.1.0
+Release: 0.1.rc0%{?dist}
 Epoch: 2
 License: GPLv2+ and LGPLv2+ and BSD
 Group: Development/Tools
@@ -173,7 +172,8 @@ ExclusiveArch: %{kvm_archs}
 %define _smp_mflags %{nil}
 %endif
 
-Source0: http://wiki.qemu-project.org/download/%{name}-%{version}.tar.bz2
+#Source0: http://wiki.qemu-project.org/download/%{name}-%{version}.tar.bz2
+Source0: http://wiki.qemu-project.org/download/%{name}-%{version}-rc0.tar.bz2
 
 Source1: qemu.binfmt
 
@@ -198,57 +198,6 @@ Source12: bridge.conf
 # qemu-kvm back compat wrapper
 Source13: qemu-kvm.sh
 
-# Change gtk quit accelerator to ctrl+shift+q (bz #1062393)
-# Patches queued for 2.1
-Patch0001: 0001-Change-gtk-quit-accelerator-to-ctrl-shift-q-bz-10623.patch
-# Migration CVEs: CVE-2014-0182 etc.
-Patch0002: 0002-vmstate-add-VMS_MUST_EXIST.patch
-Patch0003: 0003-vmstate-add-VMSTATE_VALIDATE.patch
-Patch0004: 0004-virtio-net-fix-buffer-overflow-on-invalid-state-load.patch
-Patch0005: 0005-virtio-net-out-of-bounds-buffer-write-on-invalid-sta.patch
-Patch0006: 0006-virtio-out-of-bounds-buffer-write-on-invalid-state-l.patch
-Patch0007: 0007-ahci-fix-buffer-overrun-on-invalid-state-load.patch
-Patch0008: 0008-hpet-fix-buffer-overrun-on-invalid-state-load.patch
-Patch0009: 0009-hw-pci-pcie_aer.c-fix-buffer-overruns-on-invalid-sta.patch
-Patch0010: 0010-pl022-fix-buffer-overun-on-invalid-state-load.patch
-Patch0011: 0011-vmstate-fix-buffer-overflow-in-target-arm-machine.c.patch
-Patch0012: 0012-virtio-avoid-buffer-overrun-on-incoming-migration.patch
-Patch0013: 0013-virtio-validate-num_sg-when-mapping.patch
-Patch0014: 0014-pxa2xx-avoid-buffer-overrun-on-incoming-migration.patch
-Patch0015: 0015-ssd0323-fix-buffer-overun-on-invalid-state-load.patch
-Patch0016: 0016-tsc210x-fix-buffer-overrun-on-invalid-state-load.patch
-Patch0017: 0017-zaurus-fix-buffer-overrun-on-invalid-state-load.patch
-Patch0018: 0018-virtio-scsi-fix-buffer-overrun-on-invalid-state-load.patch
-Patch0019: 0019-vmstate-s-VMSTATE_INT32_LE-VMSTATE_INT32_POSITIVE_LE.patch
-Patch0020: 0020-usb-sanity-check-setup_index-setup_len-in-post_load.patch
-Patch0021: 0021-ssi-sd-fix-buffer-overrun-on-invalid-state-load.patch
-Patch0022: 0022-openpic-avoid-buffer-overrun-on-incoming-migration.patch
-Patch0023: 0023-virtio-net-out-of-bounds-buffer-write-on-load.patch
-Patch0024: 0024-virtio-validate-config_len-on-load.patch
-
-# QCOW1 validation CVEs: CVE-2014-0222, CVE-2014-0223 (bz #1097232, bz
-# #1097238, bz #1097222, bz #1097216)
-Patch0101: 0101-qcow1-Make-padding-in-the-header-explicit.patch
-Patch0102: 0102-qcow1-Check-maximum-cluster-size.patch
-Patch0103: 0103-qcow1-Validate-L2-table-size-CVE-2014-0222.patch
-Patch0104: 0104-qcow1-Validate-image-size-CVE-2014-0223.patch
-Patch0105: 0105-qcow1-Stricter-backing-file-length-check.patch
-# CVE-2014-3461: Issues in USB post load checks (bz #1097260, bz
-# #1096821)
-Patch0106: 0106-usb-fix-up-post-load-checks.patch
-# Don't use libtool on dtrace, fixes rawhide build (bz #1106968)
-Patch0107: 0107-trace-add-pid-field-to-simpletrace-record.patch
-Patch0108: 0108-simpletrace-add-support-for-trace-record-pid-field.patch
-Patch0109: 0109-trace-Replace-error-with-warning-if-event-is-not-def.patch
-Patch0110: 0110-do-not-call-g_thread_init-for-glib-2.31.patch
-Patch0111: 0111-glib-move-g_poll-replacement-into-glib-compat.h.patch
-Patch0112: 0112-glib-fix-g_poll-early-timeout-on-windows.patch
-Patch0113: 0113-glib-compat.h-add-new-thread-API-emulation-on-top-of.patch
-Patch0114: 0114-libcacard-replace-pstrcpy-with-memcpy.patch
-Patch0115: 0115-libcacard-g_malloc-cleanups.patch
-Patch0116: 0116-vscclient-use-glib-thread-primitives-not-qemu.patch
-Patch0117: 0117-libcacard-replace-qemu-thread-primitives-with-glib-o.patch
-
 BuildRequires: SDL-devel
 BuildRequires: zlib-devel
 BuildRequires: which
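Review bot: The changelog entry added in the last hunk (`- Update to qemu 2.1-rc0`) does not record that this hunk and the matching %prep hunk drop the CVE backports (the CVE-2014-0182 migration series, the qcow1 CVE-2014-0222/CVE-2014-0223 patches and the USB CVE-2014-3461 fix), so a reader of the package history cannot tell whether those fixes are now carried by the upstream tarball or were lost. The libcacard/glib patches visibly carry "cherry picked from" trailers, but the CVE patches' upstream status is not shown anywhere in the diff, so I would confirm each one is in 2.1-rc0 before merging. I would add a second changelog line such as `- Drop patches merged upstream in 2.1 (migration CVE-2014-0182 series, qcow1 CVE-2014-0222/0223, USB CVE-2014-3461, gtk quit accelerator, glib/libcacard cleanups)`.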
@@ -343,7 +292,10 @@ BuildRequires: iasl
 %if %{with_xen}
 BuildRequires: xen-devel
 %endif
-
+%ifarch %{ix86} x86_64
+# memdev hostmem backend added in 2.1
+Requires: numactl-devel
+%endif
 
 %if 0%{?user:1}
 Requires: %{name}-%{user} = %{epoch}:%{version}-%{release}
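Review bot: `Requires: numactl-devel` is a runtime dependency on a -devel package, which looks unintended: the comment `memdev hostmem backend added in 2.1` describes a build-time feature, and the new block sits in the BuildRequires list next to `BuildRequires: xen-devel`. If the intent is to let configure detect libnuma, this should read `BuildRequires: numactl-devel`; if a runtime dependency on libnuma is really needed, the shared library's automatic dependency should cover it without the -devel package. The blank line dropped before `%ifarch` is harmless but separates this block from the following `%if 0%{?user:1}` stanza less clearly than before.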
@@ -768,58 +720,7 @@ CAC emulation development files.
 
 
 %prep
-%setup -q
-
-# Change gtk quit accelerator to ctrl+shift+q (bz #1062393)
-# Patches queued for 2.1
-%patch0001 -p1
-# Migration CVEs: CVE-2014-0182 etc.
-%patch0002 -p1
-%patch0003 -p1
-%patch0004 -p1
-%patch0005 -p1
-%patch0006 -p1
-%patch0007 -p1
-%patch0008 -p1
-%patch0009 -p1
-%patch0010 -p1
-%patch0011 -p1
-%patch0012 -p1
-%patch0013 -p1
-%patch0014 -p1
-%patch0015 -p1
-%patch0016 -p1
-%patch0017 -p1
-%patch0018 -p1
-%patch0019 -p1
-%patch0020 -p1
-%patch0021 -p1
-%patch0022 -p1
-%patch0023 -p1
-%patch0024 -p1
-
-# QCOW1 validation CVEs: CVE-2014-0222, CVE-2014-0223 (bz #1097232, bz
-# #1097238, bz #1097222, bz #1097216)
-%patch0101 -p1
-%patch0102 -p1
-%patch0103 -p1
-%patch0104 -p1
-%patch0105 -p1
-# CVE-2014-3461: Issues in USB post load checks (bz #1097260, bz
-# #1096821)
-%patch0106 -p1
-# Don't use libtool on dtrace, fixes rawhide build (bz #1106968)
-%patch0107 -p1
-%patch0108 -p1
-%patch0109 -p1
-%patch0110 -p1
-%patch0111 -p1
-%patch0112 -p1
-%patch0113 -p1
-%patch0114 -p1
-%patch0115 -p1
-%patch0116 -p1
-%patch0117 -p1
+%setup -q -n %{name}-%{version}-rc0
 
 
 %build
@@ -837,7 +738,7 @@ arm-linux-user armeb-linux-user cris-linux-user m68k-linux-user \
 microblaze-linux-user microblazeel-linux-user mips-linux-user \
 mipsel-linux-user mips64-linux-user mips64el-linux-user \
 mipsn32-linux-user mipsn32el-linux-user \
-or32-linux-user ppc-linux-user ppc64-linux-user \
+or32-linux-user ppc-linux-user ppc64-linux-user ppc64le-linux-user \
 ppc64abi32-linux-user s390x-linux-user sh4-linux-user sh4eb-linux-user \
 sparc-linux-user sparc64-linux-user sparc32plus-linux-user \
 unicore32-linux-user"
@@ -858,6 +759,10 @@ buildldflags="VL_LDFLAGS=-Wl,--build-id"
 sed -i.debug 's/"-g $CFLAGS"/"$CFLAGS"/g' configure
 %endif
 
+
+# As of qemu 2.1, --enable-trace-backends supports multiple backends,
+# but there's a performance impact for non-dtrace so we don't use them
+
 ./configure \
     --prefix=%{_prefix} \
     --libdir=%{_libdir} \
@@ -873,7 +778,6 @@ sed -i.debug 's/"-g $CFLAGS"/"$CFLAGS"/g' configure
     --audio-drv-list=pa,sdl,alsa,oss \
     --enable-trace-backend=dtrace \
     --enable-kvm \
-    --enable-tpm \
 %if %{with_xen}
     --enable-xen \
 %else
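Review bot: Removing `--enable-tpm` here and `--enable-quorum` in the next hunk is not explained by the commit or the changelog, so a reader cannot tell whether TPM passthrough and the quorum block driver are still built or were deliberately dropped. Presumably 2.1's configure enables these by default or no longer accepts the flags — please confirm against the 2.1-rc0 configure script and record it, for example with a comment above the configure call: `# --enable-tpm / --enable-quorum dropped: enabled by default in 2.1`. If either feature is in fact no longer built, that is a user-visible change and belongs in the changelog entry.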
@@ -903,7 +807,6 @@ sed -i.debug 's/"-g $CFLAGS"/"$CFLAGS"/g' configure
 %ifarch s390
     --enable-tcg-interpreter \
 %endif
-    --enable-quorum \
     "$@"
 
 echo "config-host.mak contents:"
@@ -1291,6 +1194,7 @@ getent passwd qemu >/dev/null || \
 %{_bindir}/qemu-ppc
 %{_bindir}/qemu-ppc64
 %{_bindir}/qemu-ppc64abi32
+%{_bindir}/qemu-ppc64le
 %{_bindir}/qemu-s390x
 %{_bindir}/qemu-sh4
 %{_bindir}/qemu-sh4eb
@@ -1318,6 +1222,7 @@ getent passwd qemu >/dev/null || \
 %{_datadir}/systemtap/tapset/qemu-ppc.stp
 %{_datadir}/systemtap/tapset/qemu-ppc64.stp
 %{_datadir}/systemtap/tapset/qemu-ppc64abi32.stp
+%{_datadir}/systemtap/tapset/qemu-ppc64le.stp
 %{_datadir}/systemtap/tapset/qemu-s390x.stp
 %{_datadir}/systemtap/tapset/qemu-sh4.stp
 %{_datadir}/systemtap/tapset/qemu-sh4eb.stp
@@ -1587,6 +1492,9 @@ getent passwd qemu >/dev/null || \
 %endif
 
 %changelog
+* Fri Jul 04 2014 Cole Robinson <crobinso@redhat.com> - 2:2.1.0-0.1.rc0
+- Update to qemu 2.1-rc0
+
 * Sun Jun 15 2014 Cole Robinson <crobinso@redhat.com> - 2:2.0.0-7
 - Don't use libtool on dtrace, fixes rawhide build (bz #1106968)
 
diff --git a/sources b/sources
index 134a333..c68d8e8 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-2790f44fd76da5de5024b4aafeb594c2  qemu-2.0.0.tar.bz2
+b8e7af12112d4859ea30196975b1fd57  qemu-2.1.0-rc0.tar.bz2