diff --git a/0001-spice-F24-spice-has-backported-gl-support.patch b/0001-spice-F24-spice-has-backported-gl-support.patch
deleted file mode 100644
index 0895003..0000000
--- a/0001-spice-F24-spice-has-backported-gl-support.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-From: Pavel Grunt <pgrunt@redhat.com>
-Date: Fri, 11 Mar 2016 14:40:59 +0100
-Subject: [PATCH] spice: F24 spice has backported gl support
-
-Not for upstream, this just adjusts the version check to work with
-f24 backported spice gl support
----
- include/ui/spice-display.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/include/ui/spice-display.h b/include/ui/spice-display.h
-index 30ccfe3..00e4a0b 100644
---- a/include/ui/spice-display.h
-+++ b/include/ui/spice-display.h
-@@ -25,7 +25,7 @@
- #include "sysemu/sysemu.h"
-
- #if defined(CONFIG_OPENGL_DMABUF)
--# if SPICE_SERVER_VERSION >= 0x000d01 /* release 0.13.1 */
-+# if SPICE_SERVER_VERSION >= 0x000c07 /* release 0.12.7 */
- # define HAVE_SPICE_GL 1
- # include "ui/egl-helpers.h"
- # include "ui/egl-context.h"
diff --git a/0002-ui-gtk-fix-crash-when-terminal-inner-border-is-NULL.patch b/0002-ui-gtk-fix-crash-when-terminal-inner-border-is-NULL.patch
deleted file mode 100644
index e78c973..0000000
--- a/0002-ui-gtk-fix-crash-when-terminal-inner-border-is-NULL.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From: Cole Robinson <crobinso@redhat.com>
-Date: Thu, 5 May 2016 19:39:38 -0400
-Subject: [PATCH] ui: gtk: fix crash when terminal inner-border is NULL
-
-VTE terminal inner-border can be NULL. The vte-0.36 (API 2.90)
-code checks for the condition too so I assume it's not just a bug
-
-Fixes a crash on Fedora 24 with gtk 3.20
----
- ui/gtk.c | 10 ++++++----
- 1 file changed, 6 insertions(+), 4 deletions(-)
-
-diff --git a/ui/gtk.c b/ui/gtk.c
-index f372a6d..9876d89 100644
---- a/ui/gtk.c
-+++ b/ui/gtk.c
-@@ -340,10 +340,12 @@ static void gd_update_geometry_hints(VirtualConsole *vc)
- geo.min_height = geo.height_inc * VC_TERM_Y_MIN;
- mask |= GDK_HINT_MIN_SIZE;
- gtk_widget_style_get(vc->vte.terminal, "inner-border", &ib, NULL);
-- geo.base_width += ib->left + ib->right;
-- geo.base_height += ib->top + ib->bottom;
-- geo.min_width += ib->left + ib->right;
-- geo.min_height += ib->top + ib->bottom;
-+ if (ib) {
-+ geo.base_width += ib->left + ib->right;
-+ geo.base_height += ib->top + ib->bottom;
-+ geo.min_width += ib->left + ib->right;
-+ geo.min_height += ib->top + ib->bottom;
-+ }
- geo_widget = vc->vte.terminal;
- #endif
- }
diff --git a/0003-ui-sdl2-Release-grab-before-opening-console-window.patch b/0003-ui-sdl2-Release-grab-before-opening-console-window.patch
deleted file mode 100644
index 2f86e27..0000000
--- a/0003-ui-sdl2-Release-grab-before-opening-console-window.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From: Cole Robinson <crobinso@redhat.com>
-Date: Fri, 6 May 2016 12:36:46 -0400
-Subject: [PATCH] ui: sdl2: Release grab before opening console window
-
-sdl 2.0.4 currently has a bug which causes our UI shortcuts to fire
-rapidly in succession:
-
- https://bugzilla.libsdl.org/show_bug.cgi?id=3287
-
-It's a toss up whether ctrl+alt+f or ctrl+alt+2 will fire an
-odd or even number of times, thus determining whether the action
-succeeds or fails.
-
-Opening monitor/serial windows is doubly broken, since it will often
-lock the UI trying to grab the pointer:
-
- 0x00007fffef3720a5 in SDL_Delay_REAL () at /lib64/libSDL2-2.0.so.0
- 0x00007fffef3688ba in X11_SetWindowGrab () at /lib64/libSDL2-2.0.so.0
- 0x00007fffef2f2da7 in SDL_SendWindowEvent () at /lib64/libSDL2-2.0.so.0
- 0x00007fffef2f080b in SDL_SetKeyboardFocus () at /lib64/libSDL2-2.0.so.0
- 0x00007fffef35d784 in X11_DispatchFocusIn.isra.8 () at /lib64/libSDL2-2.0.so.0
- 0x00007fffef35dbce in X11_DispatchEvent () at /lib64/libSDL2-2.0.so.0
- 0x00007fffef35ee4a in X11_PumpEvents () at /lib64/libSDL2-2.0.so.0
- 0x00007fffef2eea6a in SDL_PumpEvents_REAL () at /lib64/libSDL2-2.0.so.0
- 0x00007fffef2eeab5 in SDL_WaitEventTimeout_REAL () at /lib64/libSDL2-2.0.so.0
- 0x000055555597eed0 in sdl2_poll_events (scon=0x55555876f928) at ui/sdl2.c:593
-
-We can work around that hang by ungrabbing the pointer before launching
-a new window. This roughly matches what our sdl1 code does
----
- ui/sdl2.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/ui/sdl2.c b/ui/sdl2.c
-index d042442..909038f 100644
---- a/ui/sdl2.c
-+++ b/ui/sdl2.c
-@@ -357,6 +357,10 @@ static void handle_keydown(SDL_Event *ev)
- case SDL_SCANCODE_7:
- case SDL_SCANCODE_8:
- case SDL_SCANCODE_9:
-+ if (gui_grab) {
-+ sdl_grab_end(scon);
-+ }
-+
- win = ev->key.keysym.scancode - SDL_SCANCODE_1;
- if (win < sdl2_num_outputs) {
- sdl2_console[win].hidden = !sdl2_console[win].hidden;
diff --git a/0004-ui-spice-Exit-if-gl-on-EGL-init-fails.patch b/0004-ui-spice-Exit-if-gl-on-EGL-init-fails.patch
deleted file mode 100644
index b51d5b6..0000000
--- a/0004-ui-spice-Exit-if-gl-on-EGL-init-fails.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From: Cole Robinson <crobinso@redhat.com>
-Date: Wed, 18 May 2016 11:44:33 -0400
-Subject: [PATCH] ui: spice: Exit if gl=on EGL init fails
-
-The user explicitly requested spice GL, so if we know it isn't
-going to work we should exit
-
-Signed-off-by: Cole Robinson <crobinso@redhat.com>
----
- ui/spice-core.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/ui/spice-core.c b/ui/spice-core.c
-index 61db3c1..da05054 100644
---- a/ui/spice-core.c
-+++ b/ui/spice-core.c
-@@ -833,9 +833,11 @@ void qemu_spice_init(void)
- "incompatible with -spice port/tls-port");
- exit(1);
- }
-- if (egl_rendernode_init() == 0) {
-- display_opengl = 1;
-+ if (egl_rendernode_init() != 0) {
-+ error_report("Failed to initialize EGL render node for SPICE GL");
-+ exit(1);
- }
-+ display_opengl = 1;
- }
- #endif
- }
diff --git a/0005-spice-gl-add-use-qemu_spice_gl_monitor_config.patch b/0005-spice-gl-add-use-qemu_spice_gl_monitor_config.patch
deleted file mode 100644
index a7f68c4..0000000
--- a/0005-spice-gl-add-use-qemu_spice_gl_monitor_config.patch
+++ /dev/null
@@ -1,83 +0,0 @@
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Wed, 3 Feb 2016 13:55:00 +0100
-Subject: [PATCH] spice/gl: add & use qemu_spice_gl_monitor_config
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-(cherry picked from commit 39414ef4e93db9041e463a097084a407d0d374f0)
----
- include/ui/spice-display.h | 1 +
- ui/spice-display.c | 30 ++++++++++++++++++++++++++++++
- 2 files changed, 31 insertions(+)
-
-diff --git a/include/ui/spice-display.h b/include/ui/spice-display.h
-index 00e4a0b..3c679e8 100644
---- a/include/ui/spice-display.h
-+++ b/include/ui/spice-display.h
-@@ -71,6 +71,7 @@ typedef struct QXLCookie {
- QXLRect area;
- int redraw;
- } render;
-+ void *data;
- } u;
- } QXLCookie;
-
-diff --git a/ui/spice-display.c b/ui/spice-display.c
-index 242ab5f..2a77a54 100644
---- a/ui/spice-display.c
-+++ b/ui/spice-display.c
-@@ -660,6 +660,11 @@ static void interface_async_complete(QXLInstance *sin, uint64_t cookie_token)
- qemu_bh_schedule(ssd->gl_unblock_bh);
- break;
- }
-+ case QXL_COOKIE_TYPE_IO:
-+ if (cookie->io == QXL_IO_MONITORS_CONFIG_ASYNC) {
-+ g_free(cookie->u.data);
-+ }
-+ break;
- #endif
- default:
- /* should never be called, used in qxl native mode only */
-@@ -795,6 +800,29 @@ static const DisplayChangeListenerOps display_listener_ops = {
-
- #ifdef HAVE_SPICE_GL
-
-+static void qemu_spice_gl_monitor_config(SimpleSpiceDisplay *ssd,
-+ int x, int y, int w, int h)
-+{
-+ QXLMonitorsConfig *config;
-+ QXLCookie *cookie;
-+
-+ config = g_malloc0(sizeof(QXLMonitorsConfig) + sizeof(QXLHead));
-+ config->count = 1;
-+ config->max_allowed = 1;
-+ config->heads[0].x = x;
-+ config->heads[0].y = y;
-+ config->heads[0].width = w;
-+ config->heads[0].height = h;
-+ cookie = qxl_cookie_new(QXL_COOKIE_TYPE_IO,
-+ QXL_IO_MONITORS_CONFIG_ASYNC);
-+ cookie->u.data = config;
-+
-+ spice_qxl_monitors_config_async(&ssd->qxl,
-+ (uintptr_t)config,
-+ MEMSLOT_GROUP_HOST,
-+ (uintptr_t)cookie);
-+}
-+
- static void qemu_spice_gl_block(SimpleSpiceDisplay *ssd, bool block)
- {
- uint64_t timeout;
-@@ -858,6 +886,8 @@ static void qemu_spice_gl_scanout(DisplayChangeListener *dcl,
- surface_width(ssd->ds),
- surface_height(ssd->ds),
- stride, fourcc, y_0_top);
-+
-+ qemu_spice_gl_monitor_config(ssd, x, y, w, h);
- }
-
- static void qemu_spice_gl_update(DisplayChangeListener *dcl,
diff --git a/0006-i386-kvmvapic-initialise-imm32-variable.patch b/0006-i386-kvmvapic-initialise-imm32-variable.patch
deleted file mode 100644
index 67175b2..0000000
--- a/0006-i386-kvmvapic-initialise-imm32-variable.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Thu, 7 Apr 2016 12:50:08 +0530
-Subject: [PATCH] i386: kvmvapic: initialise imm32 variable
-
-When processing Task Priorty Register(TPR) access, it could leak
-automatic stack variable 'imm32' in patch_instruction().
-Initialise the variable to avoid it.
-
-Reported by: Donghai Zdh <donghai.zdh@alibaba-inc.com>
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Message-Id: <1460013608-16670-1-git-send-email-ppandit@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-
-(cherry picked from commit 691a02e2ce0c413236a78dee6f2651c937b09fb0)
----
- hw/i386/kvmvapic.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/i386/kvmvapic.c b/hw/i386/kvmvapic.c
-index c69f374..ff1e31a 100644
---- a/hw/i386/kvmvapic.c
-+++ b/hw/i386/kvmvapic.c
-@@ -394,7 +394,7 @@ static void patch_instruction(VAPICROMState *s, X86CPU *cpu, target_ulong ip)
- CPUX86State *env = &cpu->env;
- VAPICHandlers *handlers;
- uint8_t opcode[2];
-- uint32_t imm32;
-+ uint32_t imm32 = 0;
- target_ulong current_pc = 0;
- target_ulong current_cs_base = 0;
- int current_flags = 0;
diff --git a/0007-esp-check-command-buffer-length-before-write-CVE-201.patch b/0007-esp-check-command-buffer-length-before-write-CVE-201.patch
deleted file mode 100644
index c4dc4ca..0000000
--- a/0007-esp-check-command-buffer-length-before-write-CVE-201.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Thu, 19 May 2016 16:09:30 +0530
-Subject: [PATCH] esp: check command buffer length before write(CVE-2016-4439)
-
-The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte
-FIFO buffer. It is used to handle command and data transfer. While
-writing to this command buffer 's->cmdbuf[TI_BUFSZ=16]', a check
-was missing to validate input length. Add check to avoid OOB write
-access.
-
-Fixes CVE-2016-4439.
-
-Reported-by: Li Qiang <liqiang6-s@360.cn>
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Message-Id: <1463654371-11169-2-git-send-email-ppandit@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit c98c6c105f66f05aa0b7c1d2a4a3f716450907ef)
----
- hw/scsi/esp.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
-index 8961be2..01497e6 100644
---- a/hw/scsi/esp.c
-+++ b/hw/scsi/esp.c
-@@ -448,7 +448,11 @@ void esp_reg_write(ESPState *s, uint32_t saddr, uint64_t val)
- break;
- case ESP_FIFO:
- if (s->do_cmd) {
-- s->cmdbuf[s->cmdlen++] = val & 0xff;
-+ if (s->cmdlen < TI_BUFSZ) {
-+ s->cmdbuf[s->cmdlen++] = val & 0xff;
-+ } else {
-+ trace_esp_error_fifo_overrun();
-+ }
- } else if (s->ti_size == TI_BUFSZ - 1) {
- trace_esp_error_fifo_overrun();
- } else {
diff --git a/0008-esp-check-dma-length-before-reading-scsi-command-CVE.patch b/0008-esp-check-dma-length-before-reading-scsi-command-CVE.patch
deleted file mode 100644
index a9ffaee..0000000
--- a/0008-esp-check-dma-length-before-reading-scsi-command-CVE.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Thu, 19 May 2016 16:09:31 +0530
-Subject: [PATCH] esp: check dma length before reading scsi
- command(CVE-2016-4441)
-
-The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte
-FIFO buffer. It is used to handle command and data transfer.
-Routine get_cmd() uses DMA to read scsi commands into this buffer.
-Add check to validate DMA length against buffer size to avoid any
-overrun.
-
-Fixes CVE-2016-4441.
-
-Reported-by: Li Qiang <liqiang6-s@360.cn>
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Message-Id: <1463654371-11169-3-git-send-email-ppandit@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit 6c1fef6b59563cc415f21e03f81539ed4b33ad90)
----
- hw/scsi/esp.c | 11 +++++++----
- 1 file changed, 7 insertions(+), 4 deletions(-)
-
-diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
-index 01497e6..591c817 100644
---- a/hw/scsi/esp.c
-+++ b/hw/scsi/esp.c
-@@ -82,7 +82,7 @@ void esp_request_cancelled(SCSIRequest *req)
- }
- }
-
--static uint32_t get_cmd(ESPState *s, uint8_t *buf)
-+static uint32_t get_cmd(ESPState *s, uint8_t *buf, uint8_t buflen)
- {
- uint32_t dmalen;
- int target;
-@@ -92,6 +92,9 @@ static uint32_t get_cmd(ESPState *s, uint8_t *buf)
- dmalen = s->rregs[ESP_TCLO];
- dmalen |= s->rregs[ESP_TCMID] << 8;
- dmalen |= s->rregs[ESP_TCHI] << 16;
-+ if (dmalen > buflen) {
-+ return 0;
-+ }
- s->dma_memory_read(s->dma_opaque, buf, dmalen);
- } else {
- dmalen = s->ti_size;
-@@ -166,7 +169,7 @@ static void handle_satn(ESPState *s)
- s->dma_cb = handle_satn;
- return;
- }
-- len = get_cmd(s, buf);
-+ len = get_cmd(s, buf, sizeof(buf));
- if (len)
- do_cmd(s, buf);
- }
-@@ -180,7 +183,7 @@ static void handle_s_without_atn(ESPState *s)
- s->dma_cb = handle_s_without_atn;
- return;
- }
-- len = get_cmd(s, buf);
-+ len = get_cmd(s, buf, sizeof(buf));
- if (len) {
- do_busid_cmd(s, buf, 0);
- }
-@@ -192,7 +195,7 @@ static void handle_satn_stop(ESPState *s)
- s->dma_cb = handle_satn_stop;
- return;
- }
-- s->cmdlen = get_cmd(s, s->cmdbuf);
-+ s->cmdlen = get_cmd(s, s->cmdbuf, sizeof(s->cmdbuf));
- if (s->cmdlen) {
- trace_esp_handle_satn_stop(s->cmdlen);
- s->do_cmd = 1;
diff --git a/0009-vga-add-sr_vbe-register-set.patch b/0009-vga-add-sr_vbe-register-set.patch
deleted file mode 100644
index 8494fc8..0000000
--- a/0009-vga-add-sr_vbe-register-set.patch
+++ /dev/null
@@ -1,233 +0,0 @@
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Tue, 17 May 2016 10:54:54 +0200
-Subject: [PATCH] vga: add sr_vbe register set
-
-Commit "fd3c136 vga: make sure vga register setup for vbe stays intact
-(CVE-2016-3712)." causes a regression. The win7 installer is unhappy
-because it can't freely modify vga registers any more while in vbe mode.
-
-This patch introduces a new sr_vbe register set. The vbe_update_vgaregs
-will fill sr_vbe[] instead of sr[]. Normal vga register reads and
-writes go to sr[]. Any sr register read access happens through a new
-sr() helper function which will read from sr_vbe[] with vbe active and
-from sr[] otherwise.
-
-This way we can allow guests update sr[] registers as they want, without
-allowing them disrupt vbe video modes that way.
-
-Cc: qemu-stable@nongnu.org
-Reported-by: Thomas Lamprecht <thomas@lamprecht.org>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Message-id: 1463475294-14119-1-git-send-email-kraxel@redhat.com
-(cherry picked from commit 94ef4f337fb614f18b765a8e0e878a4c23cdedcd)
----
- hw/display/vga.c | 50 ++++++++++++++++++++++++++++----------------------
- hw/display/vga_int.h | 1 +
- 2 files changed, 29 insertions(+), 22 deletions(-)
-
-diff --git a/hw/display/vga.c b/hw/display/vga.c
-index 4a55ec6..9ebc54f 100644
---- a/hw/display/vga.c
-+++ b/hw/display/vga.c
-@@ -149,6 +149,11 @@ static inline bool vbe_enabled(VGACommonState *s)
- return s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED;
- }
-
-+static inline uint8_t sr(VGACommonState *s, int idx)
-+{
-+ return vbe_enabled(s) ? s->sr_vbe[idx] : s->sr[idx];
-+}
-+
- static void vga_update_memory_access(VGACommonState *s)
- {
- hwaddr base, offset, size;
-@@ -163,8 +168,8 @@ static void vga_update_memory_access(VGACommonState *s)
- s->has_chain4_alias = false;
- s->plane_updated = 0xf;
- }
-- if ((s->sr[VGA_SEQ_PLANE_WRITE] & VGA_SR02_ALL_PLANES) ==
-- VGA_SR02_ALL_PLANES && s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) {
-+ if ((sr(s, VGA_SEQ_PLANE_WRITE) & VGA_SR02_ALL_PLANES) ==
-+ VGA_SR02_ALL_PLANES && sr(s, VGA_SEQ_MEMORY_MODE) & VGA_SR04_CHN_4M) {
- offset = 0;
- switch ((s->gr[VGA_GFX_MISC] >> 2) & 3) {
- case 0:
-@@ -234,7 +239,7 @@ static void vga_precise_update_retrace_info(VGACommonState *s)
- ((s->cr[VGA_CRTC_OVERFLOW] >> 6) & 2)) << 8);
- vretr_end_line = s->cr[VGA_CRTC_V_SYNC_END] & 0xf;
-
-- clocking_mode = (s->sr[VGA_SEQ_CLOCK_MODE] >> 3) & 1;
-+ clocking_mode = (sr(s, VGA_SEQ_CLOCK_MODE) >> 3) & 1;
- clock_sel = (s->msr >> 2) & 3;
- dots = (s->msr & 1) ? 8 : 9;
-
-@@ -486,7 +491,6 @@ void vga_ioport_write(void *opaque, uint32_t addr, uint32_t val)
- printf("vga: write SR%x = 0x%02x\n", s->sr_index, val);
- #endif
- s->sr[s->sr_index] = val & sr_mask[s->sr_index];
-- vbe_update_vgaregs(s);
- if (s->sr_index == VGA_SEQ_CLOCK_MODE) {
- s->update_retrace_info(s);
- }
-@@ -680,13 +684,13 @@ static void vbe_update_vgaregs(VGACommonState *s)
-
- if (s->vbe_regs[VBE_DISPI_INDEX_BPP] == 4) {
- shift_control = 0;
-- s->sr[VGA_SEQ_CLOCK_MODE] &= ~8; /* no double line */
-+ s->sr_vbe[VGA_SEQ_CLOCK_MODE] &= ~8; /* no double line */
- } else {
- shift_control = 2;
- /* set chain 4 mode */
-- s->sr[VGA_SEQ_MEMORY_MODE] |= VGA_SR04_CHN_4M;
-+ s->sr_vbe[VGA_SEQ_MEMORY_MODE] |= VGA_SR04_CHN_4M;
- /* activate all planes */
-- s->sr[VGA_SEQ_PLANE_WRITE] |= VGA_SR02_ALL_PLANES;
-+ s->sr_vbe[VGA_SEQ_PLANE_WRITE] |= VGA_SR02_ALL_PLANES;
- }
- s->gr[VGA_GFX_MODE] = (s->gr[VGA_GFX_MODE] & ~0x60) |
- (shift_control << 5);
-@@ -836,7 +840,7 @@ uint32_t vga_mem_readb(VGACommonState *s, hwaddr addr)
- break;
- }
-
-- if (s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) {
-+ if (sr(s, VGA_SEQ_MEMORY_MODE) & VGA_SR04_CHN_4M) {
- /* chain 4 mode : simplest access */
- assert(addr < s->vram_size);
- ret = s->vram_ptr[addr];
-@@ -904,11 +908,11 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val)
- break;
- }
-
-- if (s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) {
-+ if (sr(s, VGA_SEQ_MEMORY_MODE) & VGA_SR04_CHN_4M) {
- /* chain 4 mode : simplest access */
- plane = addr & 3;
- mask = (1 << plane);
-- if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) {
-+ if (sr(s, VGA_SEQ_PLANE_WRITE) & mask) {
- assert(addr < s->vram_size);
- s->vram_ptr[addr] = val;
- #ifdef DEBUG_VGA_MEM
-@@ -921,7 +925,7 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val)
- /* odd/even mode (aka text mode mapping) */
- plane = (s->gr[VGA_GFX_PLANE_READ] & 2) | (addr & 1);
- mask = (1 << plane);
-- if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) {
-+ if (sr(s, VGA_SEQ_PLANE_WRITE) & mask) {
- addr = ((addr & ~1) << 1) | plane;
- if (addr >= s->vram_size) {
- return;
-@@ -996,7 +1000,7 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val)
-
- do_write:
- /* mask data according to sr[2] */
-- mask = s->sr[VGA_SEQ_PLANE_WRITE];
-+ mask = sr(s, VGA_SEQ_PLANE_WRITE);
- s->plane_updated |= mask; /* only used to detect font change */
- write_mask = mask16[mask];
- if (addr * sizeof(uint32_t) >= s->vram_size) {
-@@ -1152,10 +1156,10 @@ static void vga_get_text_resolution(VGACommonState *s, int *pwidth, int *pheight
- /* total width & height */
- cheight = (s->cr[VGA_CRTC_MAX_SCAN] & 0x1f) + 1;
- cwidth = 8;
-- if (!(s->sr[VGA_SEQ_CLOCK_MODE] & VGA_SR01_CHAR_CLK_8DOTS)) {
-+ if (!(sr(s, VGA_SEQ_CLOCK_MODE) & VGA_SR01_CHAR_CLK_8DOTS)) {
- cwidth = 9;
- }
-- if (s->sr[VGA_SEQ_CLOCK_MODE] & 0x08) {
-+ if (sr(s, VGA_SEQ_CLOCK_MODE) & 0x08) {
- cwidth = 16; /* NOTE: no 18 pixel wide */
- }
- width = (s->cr[VGA_CRTC_H_DISP] + 1);
-@@ -1197,7 +1201,7 @@ static void vga_draw_text(VGACommonState *s, int full_update)
- int64_t now = qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL);
-
- /* compute font data address (in plane 2) */
-- v = s->sr[VGA_SEQ_CHARACTER_MAP];
-+ v = sr(s, VGA_SEQ_CHARACTER_MAP);
- offset = (((v >> 4) & 1) | ((v << 1) & 6)) * 8192 * 4 + 2;
- if (offset != s->font_offsets[0]) {
- s->font_offsets[0] = offset;
-@@ -1506,11 +1510,11 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
- }
-
- if (shift_control == 0) {
-- if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) {
-+ if (sr(s, VGA_SEQ_CLOCK_MODE) & 8) {
- disp_width <<= 1;
- }
- } else if (shift_control == 1) {
-- if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) {
-+ if (sr(s, VGA_SEQ_CLOCK_MODE) & 8) {
- disp_width <<= 1;
- }
- }
-@@ -1574,7 +1578,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
-
- if (shift_control == 0) {
- full_update |= update_palette16(s);
-- if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) {
-+ if (sr(s, VGA_SEQ_CLOCK_MODE) & 8) {
- v = VGA_DRAW_LINE4D2;
- } else {
- v = VGA_DRAW_LINE4;
-@@ -1582,7 +1586,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
- bits = 4;
- } else if (shift_control == 1) {
- full_update |= update_palette16(s);
-- if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) {
-+ if (sr(s, VGA_SEQ_CLOCK_MODE) & 8) {
- v = VGA_DRAW_LINE2D2;
- } else {
- v = VGA_DRAW_LINE2;
-@@ -1629,7 +1633,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
- #if 0
- printf("w=%d h=%d v=%d line_offset=%d cr[0x09]=0x%02x cr[0x17]=0x%02x linecmp=%d sr[0x01]=0x%02x\n",
- width, height, v, line_offset, s->cr[9], s->cr[VGA_CRTC_MODE],
-- s->line_compare, s->sr[VGA_SEQ_CLOCK_MODE]);
-+ s->line_compare, sr(s, VGA_SEQ_CLOCK_MODE));
- #endif
- addr1 = (s->start_addr * 4);
- bwidth = (width * bits + 7) / 8;
-@@ -1781,6 +1785,7 @@ void vga_common_reset(VGACommonState *s)
- {
- s->sr_index = 0;
- memset(s->sr, '\0', sizeof(s->sr));
-+ memset(s->sr_vbe, '\0', sizeof(s->sr_vbe));
- s->gr_index = 0;
- memset(s->gr, '\0', sizeof(s->gr));
- s->ar_index = 0;
-@@ -1883,10 +1888,10 @@ static void vga_update_text(void *opaque, console_ch_t *chardata)
- /* total width & height */
- cheight = (s->cr[VGA_CRTC_MAX_SCAN] & 0x1f) + 1;
- cw = 8;
-- if (!(s->sr[VGA_SEQ_CLOCK_MODE] & VGA_SR01_CHAR_CLK_8DOTS)) {
-+ if (!(sr(s, VGA_SEQ_CLOCK_MODE) & VGA_SR01_CHAR_CLK_8DOTS)) {
- cw = 9;
- }
-- if (s->sr[VGA_SEQ_CLOCK_MODE] & 0x08) {
-+ if (sr(s, VGA_SEQ_CLOCK_MODE) & 0x08) {
- cw = 16; /* NOTE: no 18 pixel wide */
- }
- width = (s->cr[VGA_CRTC_H_DISP] + 1);
-@@ -2053,6 +2058,7 @@ static int vga_common_post_load(void *opaque, int version_id)
-
- /* force refresh */
- s->graphic_mode = -1;
-+ vbe_update_vgaregs(s);
- return 0;
- }
-
-diff --git a/hw/display/vga_int.h b/hw/display/vga_int.h
-index bdb43a5..3ce5544 100644
---- a/hw/display/vga_int.h
-+++ b/hw/display/vga_int.h
-@@ -98,6 +98,7 @@ typedef struct VGACommonState {
- MemoryRegion chain4_alias;
- uint8_t sr_index;
- uint8_t sr[256];
-+ uint8_t sr_vbe[256];
- uint8_t gr_index;
- uint8_t gr[256];
- uint8_t ar_index;
diff --git a/0010-hw-arm-virt-Reject-gic-version-host-for-non-KVM.patch b/0010-hw-arm-virt-Reject-gic-version-host-for-non-KVM.patch
deleted file mode 100644
index 0663a06..0000000
--- a/0010-hw-arm-virt-Reject-gic-version-host-for-non-KVM.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From: Cole Robinson <crobinso@redhat.com>
-Date: Thu, 26 May 2016 09:55:21 -0400
-Subject: [PATCH] hw/arm/virt: Reject gic-version=host for non-KVM
-
-If you try to gic-version=host with TCG on a KVM aarch64 host,
-qemu segfaults, since host requires KVM APIs.
-
-Explicitly reject gic-version=host if KVM is not enabled
-
-https://bugzilla.redhat.com/show_bug.cgi?id=1339977
-(cherry picked from commit b1b3b0dd143b7995a7f4062966b80a2cf3e3c71e)
----
- hw/arm/virt.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/hw/arm/virt.c b/hw/arm/virt.c
-index 56d35c7..a535285 100644
---- a/hw/arm/virt.c
-+++ b/hw/arm/virt.c
-@@ -1114,10 +1114,14 @@ static void machvirt_init(MachineState *machine)
- * KVM is not available yet
- */
- if (!gic_version) {
-+ if (!kvm_enabled()) {
-+ error_report("gic-version=host requires KVM");
-+ exit(1);
-+ }
-+
- gic_version = kvm_arm_vgic_probe();
- if (!gic_version) {
- error_report("Unable to determine GIC version supported by host");
-- error_printf("KVM acceleration is probably not supported\n");
- exit(1);
- }
- }
diff --git a/0011-net-mipsnet-check-packet-length-against-buffer.patch b/0011-net-mipsnet-check-packet-length-against-buffer.patch
deleted file mode 100644
index 3e2aac7..0000000
--- a/0011-net-mipsnet-check-packet-length-against-buffer.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Thu, 7 Apr 2016 15:56:02 +0530
-Subject: [PATCH] net: mipsnet: check packet length against buffer
-
-When receiving packets over MIPSnet network device, it uses
-receive buffer of size 1514 bytes. In case the controller
-accepts large(MTU) packets, it could lead to memory corruption.
-Add check to avoid it.
-
-Reported by: Oleksandr Bazhaniuk <oleksandr.bazhaniuk@intel.com>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Signed-off-by: Jason Wang <jasowang@redhat.com>
-
-(cherry picked from commit 3af9187fc6caaf415ab9c0c6d92c9678f65cb17f)
----
- hw/net/mipsnet.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/hw/net/mipsnet.c b/hw/net/mipsnet.c
-index 740cd98..cf8b823 100644
---- a/hw/net/mipsnet.c
-+++ b/hw/net/mipsnet.c
-@@ -83,6 +83,9 @@ static ssize_t mipsnet_receive(NetClientState *nc, const uint8_t *buf, size_t si
- if (!mipsnet_can_receive(nc))
- return 0;
-
-+ if (size >= sizeof(s->rx_buffer)) {
-+ return 0;
-+ }
- s->busy = 1;
-
- /* Just accept everything. */
diff --git a/0012-scsi-pvscsi-check-command-descriptor-ring-buffer-siz.patch b/0012-scsi-pvscsi-check-command-descriptor-ring-buffer-siz.patch
deleted file mode 100644
index 9e4c4d7..0000000
--- a/0012-scsi-pvscsi-check-command-descriptor-ring-buffer-siz.patch
+++ /dev/null
@@ -1,100 +0,0 @@
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Mon, 23 May 2016 16:18:05 +0530
-Subject: [PATCH] scsi: pvscsi: check command descriptor ring buffer size
- (CVE-2016-4952)
-
-Vmware Paravirtual SCSI emulation uses command descriptors to
-process SCSI commands. These descriptors come with their ring
-buffers. A guest could set the ring buffer size to an arbitrary
-value leading to OOB access issue. Add check to avoid it.
-
-Reported-by: Li Qiang <liqiang6-s@360.cn>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Cc: qemu-stable@nongnu.org
-Message-Id: <1464000485-27041-1-git-send-email-ppandit@redhat.com>
-Reviewed-by: Shmulik Ladkani <shmulik.ladkani@ravellosystems.com>
-Reviewed-by: Dmitry Fleytman <dmitry@daynix.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit 3e831b40e015ba34dfb55ff11f767001839425ff)
----
- hw/scsi/vmw_pvscsi.c | 24 ++++++++++++++++++++----
- 1 file changed, 20 insertions(+), 4 deletions(-)
-
-diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
-index e690b4e..e1d6d06 100644
---- a/hw/scsi/vmw_pvscsi.c
-+++ b/hw/scsi/vmw_pvscsi.c
-@@ -153,7 +153,7 @@ pvscsi_log2(uint32_t input)
- return log;
- }
-
--static void
-+static int
- pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
- {
- int i;
-@@ -161,6 +161,10 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
- uint32_t req_ring_size, cmp_ring_size;
- m->rs_pa = ri->ringsStatePPN << VMW_PAGE_SHIFT;
-
-+ if ((ri->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)
-+ || (ri->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)) {
-+ return -1;
-+ }
- req_ring_size = ri->reqRingNumPages * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE;
- cmp_ring_size = ri->cmpRingNumPages * PVSCSI_MAX_NUM_CMP_ENTRIES_PER_PAGE;
- txr_len_log2 = pvscsi_log2(req_ring_size - 1);
-@@ -192,15 +196,20 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
-
- /* Flush ring state page changes */
- smp_wmb();
-+
-+ return 0;
- }
-
--static void
-+static int
- pvscsi_ring_init_msg(PVSCSIRingInfo *m, PVSCSICmdDescSetupMsgRing *ri)
- {
- int i;
- uint32_t len_log2;
- uint32_t ring_size;
-
-+ if (ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) {
-+ return -1;
-+ }
- ring_size = ri->numPages * PVSCSI_MAX_NUM_MSG_ENTRIES_PER_PAGE;
- len_log2 = pvscsi_log2(ring_size - 1);
-
-@@ -220,6 +229,8 @@ pvscsi_ring_init_msg(PVSCSIRingInfo *m, PVSCSICmdDescSetupMsgRing *ri)
-
- /* Flush ring state page changes */
- smp_wmb();
-+
-+ return 0;
- }
-
- static void
-@@ -770,7 +781,10 @@ pvscsi_on_cmd_setup_rings(PVSCSIState *s)
- trace_pvscsi_on_cmd_arrived("PVSCSI_CMD_SETUP_RINGS");
-
- pvscsi_dbg_dump_tx_rings_config(rc);
-- pvscsi_ring_init_data(&s->rings, rc);
-+ if (pvscsi_ring_init_data(&s->rings, rc) < 0) {
-+ return PVSCSI_COMMAND_PROCESSING_FAILED;
-+ }
-+
- s->rings_info_valid = TRUE;
- return PVSCSI_COMMAND_PROCESSING_SUCCEEDED;
- }
-@@ -850,7 +864,9 @@ pvscsi_on_cmd_setup_msg_ring(PVSCSIState *s)
- }
-
- if (s->rings_info_valid) {
-- pvscsi_ring_init_msg(&s->rings, rc);
-+ if (pvscsi_ring_init_msg(&s->rings, rc) < 0) {
-+ return PVSCSI_COMMAND_PROCESSING_FAILED;
-+ }
- s->msg_ring_info_valid = TRUE;
- }
- return sizeof(PVSCSICmdDescSetupMsgRing) / sizeof(uint32_t);
diff --git a/0013-scsi-mptsas-infinite-loop-while-fetching-requests.patch b/0013-scsi-mptsas-infinite-loop-while-fetching-requests.patch
deleted file mode 100644
index 40d736d..0000000
--- a/0013-scsi-mptsas-infinite-loop-while-fetching-requests.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Tue, 24 May 2016 13:37:44 +0530
-Subject: [PATCH] scsi: mptsas: infinite loop while fetching requests
-
-The LSI SAS1068 Host Bus Adapter emulator in Qemu, periodically
-looks for requests and fetches them. A loop doing that in
-mptsas_fetch_requests() could run infinitely if 's->state' was
-not operational. Move check to avoid such a loop.
-
-Reported-by: Li Qiang <liqiang6-s@360.cn>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Cc: qemu-stable@nongnu.org
-Message-Id: <1464077264-25473-1-git-send-email-ppandit@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit 06630554ccbdd25780aa03c3548aaff1eb56dffd)
----
- hw/scsi/mptsas.c | 9 ++++-----
- 1 file changed, 4 insertions(+), 5 deletions(-)
-
-diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c
-index 499c146..be88e16 100644
---- a/hw/scsi/mptsas.c
-+++ b/hw/scsi/mptsas.c
-@@ -754,11 +754,6 @@ static void mptsas_fetch_request(MPTSASState *s)
- hwaddr addr;
- int size;
-
-- if (s->state != MPI_IOC_STATE_OPERATIONAL) {
-- mptsas_set_fault(s, MPI_IOCSTATUS_INVALID_STATE);
-- return;
-- }
--
- /* Read the message header from the guest first. */
- addr = s->host_mfa_high_addr | MPTSAS_FIFO_GET(s, request_post);
- pci_dma_read(pci, addr, req, sizeof(hdr));
-@@ -789,6 +784,10 @@ static void mptsas_fetch_requests(void *opaque)
- {
- MPTSASState *s = opaque;
-
-+ if (s->state != MPI_IOC_STATE_OPERATIONAL) {
-+ mptsas_set_fault(s, MPI_IOCSTATUS_INVALID_STATE);
-+ return;
-+ }
- while (!MPTSAS_FIFO_EMPTY(s, request_post)) {
- mptsas_fetch_request(s);
- }
diff --git a/0014-scsi-megasas-use-appropriate-property-buffer-size.patch b/0014-scsi-megasas-use-appropriate-property-buffer-size.patch
deleted file mode 100644
index b38c361..0000000
--- a/0014-scsi-megasas-use-appropriate-property-buffer-size.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Wed, 25 May 2016 16:01:29 +0530
-Subject: [PATCH] scsi: megasas: use appropriate property buffer size
-
-When setting MegaRAID SAS controller properties via MegaRAID
-Firmware Interface(MFI) commands, a user supplied size parameter
-is used to set property value. Use appropriate size value to avoid
-OOB access issues.
-
-Reported-by: Li Qiang <liqiang6-s@360.cn>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Message-Id: <1464172291-2856-2-git-send-email-ppandit@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit 1b85898025c4cd95dce673d15e67e60e98e91731)
----
- hw/scsi/megasas.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
-index a63a581..dcbd3e1 100644
---- a/hw/scsi/megasas.c
-+++ b/hw/scsi/megasas.c
-@@ -1446,7 +1446,7 @@ static int megasas_dcmd_set_properties(MegasasState *s, MegasasCmd *cmd)
- dcmd_size);
- return MFI_STAT_INVALID_PARAMETER;
- }
-- dma_buf_write((uint8_t *)&info, cmd->iov_size, &cmd->qsg);
-+ dma_buf_write((uint8_t *)&info, dcmd_size, &cmd->qsg);
- trace_megasas_dcmd_unsupported(cmd->index, cmd->iov_size);
- return MFI_STAT_OK;
- }
diff --git a/0015-scsi-megasas-initialise-local-configuration-data-buf.patch b/0015-scsi-megasas-initialise-local-configuration-data-buf.patch
deleted file mode 100644
index fb33b43..0000000
--- a/0015-scsi-megasas-initialise-local-configuration-data-buf.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Wed, 25 May 2016 17:41:44 +0530
-Subject: [PATCH] scsi: megasas: initialise local configuration data buffer
-
-When reading MegaRAID SAS controller configuration via MegaRAID
-Firmware Interface(MFI) commands, routine megasas_dcmd_cfg_read
-uses an uninitialised local data buffer. Initialise this buffer
-to avoid stack information leakage.
-
-Reported-by: Li Qiang <liqiang6-s@360.cn>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Message-Id: <1464178304-12831-1-git-send-email-ppandit@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit d37af740730dbbb93960cd318e040372d04d6dcf)
----
- hw/scsi/megasas.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
-index dcbd3e1..bf642d4 100644
---- a/hw/scsi/megasas.c
-+++ b/hw/scsi/megasas.c
-@@ -1293,7 +1293,7 @@ static int megasas_dcmd_ld_get_info(MegasasState *s, MegasasCmd *cmd)
-
- static int megasas_dcmd_cfg_read(MegasasState *s, MegasasCmd *cmd)
- {
-- uint8_t data[4096];
-+ uint8_t data[4096] = { 0 };
- struct mfi_config_data *info;
- int num_pd_disks = 0, array_offset, ld_offset;
- BusChild *kid;
diff --git a/0016-scsi-megasas-check-read_queue_head-index-value.patch b/0016-scsi-megasas-check-read_queue_head-index-value.patch
deleted file mode 100644
index 6dae842..0000000
--- a/0016-scsi-megasas-check-read_queue_head-index-value.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Wed, 25 May 2016 17:55:10 +0530
-Subject: [PATCH] scsi: megasas: check 'read_queue_head' index value
-
-While doing MegaRAID SAS controller command frame lookup, routine
-'megasas_lookup_frame' uses 'read_queue_head' value as an index
-into 'frames[MEGASAS_MAX_FRAMES=2048]' array. Limit its value
-within array bounds to avoid any OOB access.
-
-Reported-by: Li Qiang <liqiang6-s@360.cn>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Message-Id: <1464179110-18593-1-git-send-email-ppandit@redhat.com>
-Reviewed-by: Alexander Graf <agraf@suse.de>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit b60bdd1f1ee1616b7a9aeeffb4088e1ce2710fb2)
----
- hw/scsi/megasas.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
-index bf642d4..cc66d36 100644
---- a/hw/scsi/megasas.c
-+++ b/hw/scsi/megasas.c
-@@ -650,7 +650,9 @@ static int megasas_init_firmware(MegasasState *s, MegasasCmd *cmd)
- pa_hi = le32_to_cpu(initq->pi_addr_hi);
- s->producer_pa = ((uint64_t) pa_hi << 32) | pa_lo;
- s->reply_queue_head = ldl_le_pci_dma(pcid, s->producer_pa);
-+ s->reply_queue_head %= MEGASAS_MAX_FRAMES;
- s->reply_queue_tail = ldl_le_pci_dma(pcid, s->consumer_pa);
-+ s->reply_queue_tail %= MEGASAS_MAX_FRAMES;
- flags = le32_to_cpu(initq->flags);
- if (flags & MFI_QUEUE_FLAG_CONTEXT64) {
- s->flags |= MEGASAS_MASK_USE_QUEUE64;
diff --git a/0017-vmsvga-move-fifo-sanity-checks-to-vmsvga_fifo_length.patch b/0017-vmsvga-move-fifo-sanity-checks-to-vmsvga_fifo_length.patch
deleted file mode 100644
index d200db7..0000000
--- a/0017-vmsvga-move-fifo-sanity-checks-to-vmsvga_fifo_length.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Mon, 30 May 2016 09:09:18 +0200
-Subject: [PATCH] vmsvga: move fifo sanity checks to vmsvga_fifo_length
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Sanity checks are applied when the fifo is enabled by the guest
-(SVGA_REG_CONFIG_DONE write). Which doesn't help much if the guest
-changes the fifo registers afterwards. Move the checks to
-vmsvga_fifo_length so they are done each time qemu is about to read
-from the fifo.
-
-Fixes: CVE-2016-4454
-Cc: qemu-stable@nongnu.org
-Cc: P J P <ppandit@redhat.com>
-Reported-by: 李强 <liqiang6-s@360.cn>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Message-id: 1464592161-18348-2-git-send-email-kraxel@redhat.com
-(cherry picked from commit 521360267876d3b6518b328051a2e56bca55bef8)
----
- hw/display/vmware_vga.c | 28 +++++++++++++++-------------
- 1 file changed, 15 insertions(+), 13 deletions(-)
-
-diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
-index 0c63fa8..63a7c05 100644
---- a/hw/display/vmware_vga.c
-+++ b/hw/display/vmware_vga.c
-@@ -555,6 +555,21 @@ static inline int vmsvga_fifo_length(struct vmsvga_state_s *s)
- if (!s->config || !s->enable) {
- return 0;
- }
-+
-+ /* Check range and alignment. */
-+ if ((CMD(min) | CMD(max) | CMD(next_cmd) | CMD(stop)) & 3) {
-+ return 0;
-+ }
-+ if (CMD(min) < (uint8_t *) s->cmd->fifo - (uint8_t *) s->fifo) {
-+ return 0;
-+ }
-+ if (CMD(max) > SVGA_FIFO_SIZE) {
-+ return 0;
-+ }
-+ if (CMD(max) < CMD(min) + 10 * 1024) {
-+ return 0;
-+ }
-+
- num = CMD(next_cmd) - CMD(stop);
- if (num < 0) {
- num += CMD(max) - CMD(min);
-@@ -1005,19 +1020,6 @@ static void vmsvga_value_write(void *opaque, uint32_t address, uint32_t value)
- case SVGA_REG_CONFIG_DONE:
- if (value) {
- s->fifo = (uint32_t *) s->fifo_ptr;
-- /* Check range and alignment. */
-- if ((CMD(min) | CMD(max) | CMD(next_cmd) | CMD(stop)) & 3) {
-- break;
-- }
-- if (CMD(min) < (uint8_t *) s->cmd->fifo - (uint8_t *) s->fifo) {
-- break;
-- }
-- if (CMD(max) > SVGA_FIFO_SIZE) {
-- break;
-- }
-- if (CMD(max) < CMD(min) + 10 * 1024) {
-- break;
-- }
- vga_dirty_log_stop(&s->vga);
- }
- s->config = !!value;
diff --git a/0018-vmsvga-add-more-fifo-checks.patch b/0018-vmsvga-add-more-fifo-checks.patch
deleted file mode 100644
index 16ef5f0..0000000
--- a/0018-vmsvga-add-more-fifo-checks.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Mon, 30 May 2016 09:09:19 +0200
-Subject: [PATCH] vmsvga: add more fifo checks
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Make sure all fifo ptrs are within range.
-
-Fixes: CVE-2016-4454
-Cc: qemu-stable@nongnu.org
-Cc: P J P <ppandit@redhat.com>
-Reported-by: 李强 <liqiang6-s@360.cn>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Message-id: 1464592161-18348-3-git-send-email-kraxel@redhat.com
-(cherry picked from commit c2e3c54d3960bc53bfa3a5ce7ea7a050b9be267e)
----
- hw/display/vmware_vga.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
-index 63a7c05..a26e62e 100644
---- a/hw/display/vmware_vga.c
-+++ b/hw/display/vmware_vga.c
-@@ -563,7 +563,10 @@ static inline int vmsvga_fifo_length(struct vmsvga_state_s *s)
- if (CMD(min) < (uint8_t *) s->cmd->fifo - (uint8_t *) s->fifo) {
- return 0;
- }
-- if (CMD(max) > SVGA_FIFO_SIZE) {
-+ if (CMD(max) > SVGA_FIFO_SIZE ||
-+ CMD(min) >= SVGA_FIFO_SIZE ||
-+ CMD(stop) >= SVGA_FIFO_SIZE ||
-+ CMD(next_cmd) >= SVGA_FIFO_SIZE) {
- return 0;
- }
- if (CMD(max) < CMD(min) + 10 * 1024) {
diff --git a/0019-vmsvga-shadow-fifo-registers.patch b/0019-vmsvga-shadow-fifo-registers.patch
deleted file mode 100644
index 54b6416..0000000
--- a/0019-vmsvga-shadow-fifo-registers.patch
+++ /dev/null
@@ -1,143 +0,0 @@
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Mon, 30 May 2016 09:09:20 +0200
-Subject: [PATCH] vmsvga: shadow fifo registers
-
-The fifo is normal ram. So kvm vcpu threads and qemu iothread can
-access the fifo in parallel without syncronization. Which in turn
-implies we can't use the fifo pointers in-place because the guest
-can try changing them underneath us. So add shadows for them, to
-make sure the guest can't modify them after we've applied sanity
-checks.
-
-Fixes: CVE-2016-4454
-Cc: qemu-stable@nongnu.org
-Cc: P J P <ppandit@redhat.com>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Message-id: 1464592161-18348-4-git-send-email-kraxel@redhat.com
-(cherry picked from commit 7e486f7577764a07aa35588e119903c80a5c30a2)
----
- hw/display/vmware_vga.c | 57 ++++++++++++++++++++++++-------------------------
- 1 file changed, 28 insertions(+), 29 deletions(-)
-
-diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
-index a26e62e..de2567b 100644
---- a/hw/display/vmware_vga.c
-+++ b/hw/display/vmware_vga.c
-@@ -66,17 +66,11 @@ struct vmsvga_state_s {
- uint8_t *fifo_ptr;
- unsigned int fifo_size;
-
-- union {
-- uint32_t *fifo;
-- struct QEMU_PACKED {
-- uint32_t min;
-- uint32_t max;
-- uint32_t next_cmd;
-- uint32_t stop;
-- /* Add registers here when adding capabilities. */
-- uint32_t fifo[0];
-- } *cmd;
-- };
-+ uint32_t *fifo;
-+ uint32_t fifo_min;
-+ uint32_t fifo_max;
-+ uint32_t fifo_next;
-+ uint32_t fifo_stop;
-
- #define REDRAW_FIFO_LEN 512
- struct vmsvga_rect_s {
-@@ -198,7 +192,7 @@ enum {
- */
- SVGA_FIFO_MIN = 0,
- SVGA_FIFO_MAX, /* The distance from MIN to MAX must be at least 10K */
-- SVGA_FIFO_NEXT_CMD,
-+ SVGA_FIFO_NEXT,
- SVGA_FIFO_STOP,
-
- /*
-@@ -546,8 +540,6 @@ static inline void vmsvga_cursor_define(struct vmsvga_state_s *s,
- }
- #endif
-
--#define CMD(f) le32_to_cpu(s->cmd->f)
--
- static inline int vmsvga_fifo_length(struct vmsvga_state_s *s)
- {
- int num;
-@@ -556,38 +548,44 @@ static inline int vmsvga_fifo_length(struct vmsvga_state_s *s)
- return 0;
- }
-
-+ s->fifo_min = le32_to_cpu(s->fifo[SVGA_FIFO_MIN]);
-+ s->fifo_max = le32_to_cpu(s->fifo[SVGA_FIFO_MAX]);
-+ s->fifo_next = le32_to_cpu(s->fifo[SVGA_FIFO_NEXT]);
-+ s->fifo_stop = le32_to_cpu(s->fifo[SVGA_FIFO_STOP]);
-+
- /* Check range and alignment. */
-- if ((CMD(min) | CMD(max) | CMD(next_cmd) | CMD(stop)) & 3) {
-+ if ((s->fifo_min | s->fifo_max | s->fifo_next | s->fifo_stop) & 3) {
- return 0;
- }
-- if (CMD(min) < (uint8_t *) s->cmd->fifo - (uint8_t *) s->fifo) {
-+ if (s->fifo_min < sizeof(uint32_t) * 4) {
- return 0;
- }
-- if (CMD(max) > SVGA_FIFO_SIZE ||
-- CMD(min) >= SVGA_FIFO_SIZE ||
-- CMD(stop) >= SVGA_FIFO_SIZE ||
-- CMD(next_cmd) >= SVGA_FIFO_SIZE) {
-+ if (s->fifo_max > SVGA_FIFO_SIZE ||
-+ s->fifo_min >= SVGA_FIFO_SIZE ||
-+ s->fifo_stop >= SVGA_FIFO_SIZE ||
-+ s->fifo_next >= SVGA_FIFO_SIZE) {
- return 0;
- }
-- if (CMD(max) < CMD(min) + 10 * 1024) {
-+ if (s->fifo_max < s->fifo_min + 10 * 1024) {
- return 0;
- }
-
-- num = CMD(next_cmd) - CMD(stop);
-+ num = s->fifo_next - s->fifo_stop;
- if (num < 0) {
-- num += CMD(max) - CMD(min);
-+ num += s->fifo_max - s->fifo_min;
- }
- return num >> 2;
- }
-
- static inline uint32_t vmsvga_fifo_read_raw(struct vmsvga_state_s *s)
- {
-- uint32_t cmd = s->fifo[CMD(stop) >> 2];
-+ uint32_t cmd = s->fifo[s->fifo_stop >> 2];
-
-- s->cmd->stop = cpu_to_le32(CMD(stop) + 4);
-- if (CMD(stop) >= CMD(max)) {
-- s->cmd->stop = s->cmd->min;
-+ s->fifo_stop += 4;
-+ if (s->fifo_stop >= s->fifo_max) {
-+ s->fifo_stop = s->fifo_min;
- }
-+ s->fifo[SVGA_FIFO_STOP] = cpu_to_le32(s->fifo_stop);
- return cmd;
- }
-
-@@ -607,7 +605,7 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
- len = vmsvga_fifo_length(s);
- while (len > 0) {
- /* May need to go back to the start of the command if incomplete */
-- cmd_start = s->cmd->stop;
-+ cmd_start = s->fifo_stop;
-
- switch (cmd = vmsvga_fifo_read(s)) {
- case SVGA_CMD_UPDATE:
-@@ -766,7 +764,8 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
- break;
-
- rewind:
-- s->cmd->stop = cmd_start;
-+ s->fifo_stop = cmd_start;
-+ s->fifo[SVGA_FIFO_STOP] = cpu_to_le32(s->fifo_stop);
- break;
- }
- }
diff --git a/0020-vmsvga-don-t-process-more-than-1024-fifo-commands-at.patch b/0020-vmsvga-don-t-process-more-than-1024-fifo-commands-at.patch
deleted file mode 100644
index 37dd5e6..0000000
--- a/0020-vmsvga-don-t-process-more-than-1024-fifo-commands-at.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Mon, 30 May 2016 09:09:21 +0200
-Subject: [PATCH] vmsvga: don't process more than 1024 fifo commands at once
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-vmsvga_fifo_run is called in regular intervals (on each display update)
-and will resume where it left off. So we can simply exit the loop,
-without having to worry about how processing will continue.
-
-Fixes: CVE-2016-4453
-Cc: qemu-stable@nongnu.org
-Cc: P J P <ppandit@redhat.com>
-Reported-by: 李强 <liqiang6-s@360.cn>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Message-id: 1464592161-18348-5-git-send-email-kraxel@redhat.com
-(cherry picked from commit 4e68a0ee17dad7b8d870df0081d4ab2e079016c2)
----
- hw/display/vmware_vga.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
-index de2567b..e51a05e 100644
---- a/hw/display/vmware_vga.c
-+++ b/hw/display/vmware_vga.c
-@@ -597,13 +597,13 @@ static inline uint32_t vmsvga_fifo_read(struct vmsvga_state_s *s)
- static void vmsvga_fifo_run(struct vmsvga_state_s *s)
- {
- uint32_t cmd, colour;
-- int args, len;
-+ int args, len, maxloop = 1024;
- int x, y, dx, dy, width, height;
- struct vmsvga_cursor_definition_s cursor;
- uint32_t cmd_start;
-
- len = vmsvga_fifo_length(s);
-- while (len > 0) {
-+ while (len > 0 && --maxloop > 0) {
- /* May need to go back to the start of the command if incomplete */
- cmd_start = s->fifo_stop;
-
diff --git a/0021-block-iscsi-avoid-potential-overflow-of-acb-task-cdb.patch b/0021-block-iscsi-avoid-potential-overflow-of-acb-task-cdb.patch
deleted file mode 100644
index 80c8c37..0000000
--- a/0021-block-iscsi-avoid-potential-overflow-of-acb-task-cdb.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From: Peter Lieven <pl@kamp.de>
-Date: Tue, 24 May 2016 10:59:28 +0200
-Subject: [PATCH] block/iscsi: avoid potential overflow of acb->task->cdb
-
-at least in the path via virtio-blk the maximum size is not
-restricted.
-
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Peter Lieven <pl@kamp.de>
-Message-Id: <1464080368-29584-1-git-send-email-pl@kamp.de>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit a6b3167fa0e825aebb5a7cd8b437b6d41584a196)
----
- block/iscsi.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/block/iscsi.c b/block/iscsi.c
-index 302baf8..172e6cf 100644
---- a/block/iscsi.c
-+++ b/block/iscsi.c
-@@ -837,6 +837,13 @@ static BlockAIOCB *iscsi_aio_ioctl(BlockDriverState *bs,
- return &acb->common;
- }
-
-+ if (acb->ioh->cmd_len > SCSI_CDB_MAX_SIZE) {
-+ error_report("iSCSI: ioctl error CDB exceeds max size (%d > %d)",
-+ acb->ioh->cmd_len, SCSI_CDB_MAX_SIZE);
-+ qemu_aio_unref(acb);
-+ return NULL;
-+ }
-+
- acb->task = malloc(sizeof(struct scsi_task));
- if (acb->task == NULL) {
- error_report("iSCSI: Failed to allocate task for scsi command. %s",
diff --git a/0022-scsi-esp-check-buffer-length-before-reading-scsi-com.patch b/0022-scsi-esp-check-buffer-length-before-reading-scsi-com.patch
deleted file mode 100644
index eba1a41..0000000
--- a/0022-scsi-esp-check-buffer-length-before-reading-scsi-com.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Tue, 31 May 2016 23:23:27 +0530
-Subject: [PATCH] scsi: esp: check buffer length before reading scsi command
-
-The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte
-FIFO buffer. It is used to handle command and data transfer.
-Routine get_cmd() in non-DMA mode, uses 'ti_size' to read scsi
-command into a buffer. Add check to validate command length against
-buffer size to avoid any overrun.
-
-Reported-by: Li Qiang <liqiang6-s@360.cn>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Message-Id: <1464717207-7549-1-git-send-email-ppandit@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit d3cdc49138c30be1d3c2f83d18f85d9fdee95f1a)
----
- hw/scsi/esp.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
-index 591c817..c2f6f8f 100644
---- a/hw/scsi/esp.c
-+++ b/hw/scsi/esp.c
-@@ -98,6 +98,9 @@ static uint32_t get_cmd(ESPState *s, uint8_t *buf, uint8_t buflen)
- s->dma_memory_read(s->dma_opaque, buf, dmalen);
- } else {
- dmalen = s->ti_size;
-+ if (dmalen > TI_BUFSZ) {
-+ return 0;
-+ }
- memcpy(buf, s->ti_buf, dmalen);
- buf[0] = buf[2] >> 5;
- }
diff --git a/0023-scsi-esp-respect-FIFO-invariant-after-message-phase.patch b/0023-scsi-esp-respect-FIFO-invariant-after-message-phase.patch
deleted file mode 100644
index bd8f5da..0000000
--- a/0023-scsi-esp-respect-FIFO-invariant-after-message-phase.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Tue, 14 Jun 2016 15:10:24 +0200
-Subject: [PATCH] scsi: esp: respect FIFO invariant after message phase
-
-The FIFO contains two bytes; hence the write ptr should be two bytes ahead
-of the read pointer.
-
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit d020aa504cec8f525b55ba2ef982c09dc847c72e)
----
- hw/scsi/esp.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
-index c2f6f8f..6407844 100644
---- a/hw/scsi/esp.c
-+++ b/hw/scsi/esp.c
-@@ -222,7 +222,7 @@ static void write_response(ESPState *s)
- } else {
- s->ti_size = 2;
- s->ti_rptr = 0;
-- s->ti_wptr = 0;
-+ s->ti_wptr = 2;
- s->rregs[ESP_RFLAGS] = 2;
- }
- esp_raise_irq(s);
diff --git a/0024-scsi-esp-clean-up-handle_ti-esp_do_dma-if-s-do_cmd.patch b/0024-scsi-esp-clean-up-handle_ti-esp_do_dma-if-s-do_cmd.patch
deleted file mode 100644
index e88d722..0000000
--- a/0024-scsi-esp-clean-up-handle_ti-esp_do_dma-if-s-do_cmd.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Wed, 15 Jun 2016 14:29:33 +0200
-Subject: [PATCH] scsi: esp: clean up handle_ti/esp_do_dma if s->do_cmd
-
-Avoid duplicated code between esp_do_dma and handle_ti. esp_do_dma
-has the same code that handle_ti contains after the call to esp_do_dma;
-but the code in handle_ti is never reached because it is in an "else if".
-Remove the else and also the pointless return.
-
-esp_do_dma also has a partially dead assignment of the to_device
-variable. Sink it to the point where it's actually used.
-
-Finally, assert that the other caller of esp_do_dma (esp_transfer_data)
-only transfers data and not a command. This is true because get_cmd
-cancels the old request synchronously before its caller handle_satn_stop
-sets do_cmd to 1.
-
-Reviewed-by: Laszlo Ersek <lersek@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit 7f0b6e114ae4e142e2b3dfc9fac138f4a30edc4f)
----
- hw/scsi/esp.c | 11 ++++-------
- 1 file changed, 4 insertions(+), 7 deletions(-)
-
-diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
-index 6407844..68d3e4d 100644
---- a/hw/scsi/esp.c
-+++ b/hw/scsi/esp.c
-@@ -245,15 +245,10 @@ static void esp_do_dma(ESPState *s)
- uint32_t len;
- int to_device;
-
-- to_device = (s->ti_size < 0);
- len = s->dma_left;
- if (s->do_cmd) {
- trace_esp_do_dma(s->cmdlen, len);
- s->dma_memory_read(s->dma_opaque, &s->cmdbuf[s->cmdlen], len);
-- s->ti_size = 0;
-- s->cmdlen = 0;
-- s->do_cmd = 0;
-- do_cmd(s, s->cmdbuf);
- return;
- }
- if (s->async_len == 0) {
-@@ -263,6 +258,7 @@ static void esp_do_dma(ESPState *s)
- if (len > s->async_len) {
- len = s->async_len;
- }
-+ to_device = (s->ti_size < 0);
- if (to_device) {
- s->dma_memory_read(s->dma_opaque, s->async_buf, len);
- } else {
-@@ -318,6 +314,7 @@ void esp_transfer_data(SCSIRequest *req, uint32_t len)
- {
- ESPState *s = req->hba_private;
-
-+ assert(!s->do_cmd);
- trace_esp_transfer_data(s->dma_left, s->ti_size);
- s->async_len = len;
- s->async_buf = scsi_req_get_buf(req);
-@@ -358,13 +355,13 @@ static void handle_ti(ESPState *s)
- s->dma_left = minlen;
- s->rregs[ESP_RSTAT] &= ~STAT_TC;
- esp_do_dma(s);
-- } else if (s->do_cmd) {
-+ }
-+ if (s->do_cmd) {
- trace_esp_handle_ti_cmd(s->cmdlen);
- s->ti_size = 0;
- s->cmdlen = 0;
- s->do_cmd = 0;
- do_cmd(s, s->cmdbuf);
-- return;
- }
- }
-
diff --git a/0025-scsi-esp-make-cmdbuf-big-enough-for-maximum-CDB-size.patch b/0025-scsi-esp-make-cmdbuf-big-enough-for-maximum-CDB-size.patch
deleted file mode 100644
index e999e83..0000000
--- a/0025-scsi-esp-make-cmdbuf-big-enough-for-maximum-CDB-size.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Thu, 16 Jun 2016 00:22:35 +0200
-Subject: [PATCH] scsi: esp: make cmdbuf big enough for maximum CDB size
-
-While doing DMA read into ESP command buffer 's->cmdbuf', it could
-write past the 's->cmdbuf' area, if it was transferring more than 16
-bytes. Increase the command buffer size to 32, which is maximum when
-'s->do_cmd' is set, and add a check on 'len' to avoid OOB access.
-
-Reported-by: Li Qiang <liqiang6-s@360.cn>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit 926cde5f3e4d2504ed161ed0cb771ac7cad6fd11)
----
- hw/scsi/esp.c | 6 ++++--
- include/hw/scsi/esp.h | 3 ++-
- 2 files changed, 6 insertions(+), 3 deletions(-)
-
-diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
-index 68d3e4d..b4601ad 100644
---- a/hw/scsi/esp.c
-+++ b/hw/scsi/esp.c
-@@ -248,6 +248,8 @@ static void esp_do_dma(ESPState *s)
- len = s->dma_left;
- if (s->do_cmd) {
- trace_esp_do_dma(s->cmdlen, len);
-+ assert (s->cmdlen <= sizeof(s->cmdbuf) &&
-+ len <= sizeof(s->cmdbuf) - s->cmdlen);
- s->dma_memory_read(s->dma_opaque, &s->cmdbuf[s->cmdlen], len);
- return;
- }
-@@ -345,7 +347,7 @@ static void handle_ti(ESPState *s)
- s->dma_counter = dmalen;
-
- if (s->do_cmd)
-- minlen = (dmalen < 32) ? dmalen : 32;
-+ minlen = (dmalen < ESP_CMDBUF_SZ) ? dmalen : ESP_CMDBUF_SZ;
- else if (s->ti_size < 0)
- minlen = (dmalen < -s->ti_size) ? dmalen : -s->ti_size;
- else
-@@ -451,7 +453,7 @@ void esp_reg_write(ESPState *s, uint32_t saddr, uint64_t val)
- break;
- case ESP_FIFO:
- if (s->do_cmd) {
-- if (s->cmdlen < TI_BUFSZ) {
-+ if (s->cmdlen < ESP_CMDBUF_SZ) {
- s->cmdbuf[s->cmdlen++] = val & 0xff;
- } else {
- trace_esp_error_fifo_overrun();
-diff --git a/include/hw/scsi/esp.h b/include/hw/scsi/esp.h
-index 6c79527..d2c4886 100644
---- a/include/hw/scsi/esp.h
-+++ b/include/hw/scsi/esp.h
-@@ -14,6 +14,7 @@ void esp_init(hwaddr espaddr, int it_shift,
-
- #define ESP_REGS 16
- #define TI_BUFSZ 16
-+#define ESP_CMDBUF_SZ 32
-
- typedef struct ESPState ESPState;
-
-@@ -31,7 +32,7 @@ struct ESPState {
- SCSIBus bus;
- SCSIDevice *current_dev;
- SCSIRequest *current_req;
-- uint8_t cmdbuf[TI_BUFSZ];
-+ uint8_t cmdbuf[ESP_CMDBUF_SZ];
- uint32_t cmdlen;
- uint32_t do_cmd;
-
diff --git a/0026-scsi-megasas-null-terminate-bios-version-buffer.patch b/0026-scsi-megasas-null-terminate-bios-version-buffer.patch
deleted file mode 100644
index 9a2f6f3..0000000
--- a/0026-scsi-megasas-null-terminate-bios-version-buffer.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Tue, 7 Jun 2016 16:44:03 +0530
-Subject: [PATCH] scsi: megasas: null terminate bios version buffer
-
-While reading information via 'megasas_ctrl_get_info' routine,
-a local bios version buffer isn't null terminated. Add the
-terminating null byte to avoid any OOB access.
-
-Reported-by: Li Qiang <liqiang6-s@360.cn>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit 844864fbae66935951529408831c2f22367a57b6)
----
- hw/scsi/megasas.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
-index cc66d36..a9ffc32 100644
---- a/hw/scsi/megasas.c
-+++ b/hw/scsi/megasas.c
-@@ -773,6 +773,7 @@ static int megasas_ctrl_get_info(MegasasState *s, MegasasCmd *cmd)
-
- ptr = memory_region_get_ram_ptr(&pci_dev->rom);
- memcpy(biosver, ptr + 0x41, 31);
-+ biosver[31] = 0;
- memcpy(info.image_component[1].name, "BIOS", 4);
- memcpy(info.image_component[1].version, biosver,
- strlen((const char *)biosver));
diff --git a/0027-sdl2-skip-init-without-outputs.patch b/0027-sdl2-skip-init-without-outputs.patch
deleted file mode 100644
index 17c7b15..0000000
--- a/0027-sdl2-skip-init-without-outputs.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Wed, 1 Jun 2016 16:08:36 +0200
-Subject: [PATCH] sdl2: skip init without outputs
-
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Tested-by: Cole Robinson <crobinso@redhat.com>
-Message-id: 1464790116-32405-1-git-send-email-kraxel@redhat.com
-(cherry picked from commit 8efa5f29f83816ae34f428143de49acbaacccb24)
----
- ui/sdl2.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/ui/sdl2.c b/ui/sdl2.c
-index 909038f..30d2a3c 100644
---- a/ui/sdl2.c
-+++ b/ui/sdl2.c
-@@ -794,6 +794,9 @@ void sdl_display_init(DisplayState *ds, int full_screen, int no_frame)
- }
- }
- sdl2_num_outputs = i;
-+ if (sdl2_num_outputs == 0) {
-+ return;
-+ }
- sdl2_console = g_new0(struct sdl2_console, sdl2_num_outputs);
- for (i = 0; i < sdl2_num_outputs; i++) {
- QemuConsole *con = qemu_console_lookup_by_index(i);
diff --git a/for-2.7-virtio-gpu-fix-missing-log.h-include-file.patch b/for-2.7-virtio-gpu-fix-missing-log.h-include-file.patch
new file mode 100644
index 0000000..46367ab
--- /dev/null
+++ b/for-2.7-virtio-gpu-fix-missing-log.h-include-file.patch
@@ -0,0 +1,12 @@
+diff --git a/include/hw/virtio/virtio-gpu.h b/include/hw/virtio/virtio-gpu.h
+index e4f424a..20d1cd6 100644
+--- a/include/hw/virtio/virtio-gpu.h
++++ b/include/hw/virtio/virtio-gpu.h
+@@ -19,6 +19,7 @@
+ #include "ui/console.h"
+ #include "hw/virtio/virtio.h"
+ #include "hw/pci/pci.h"
++#include "qemu/log.h"
+
+ #include "standard-headers/linux/virtio_gpu.h"
+ #define TYPE_VIRTIO_GPU "virtio-gpu-device"
diff --git a/qemu.spec b/qemu.spec
index 45d56c6..b919992 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -50,7 +50,7 @@
%undefine _hardened_build
# Release candidate version tracking
-# global rcver rc5
+%global rcver rc2
%if 0%{?rcver:1}
%global rcrel .%{rcver}
%global rcstr -%{rcver}
@@ -59,8 +59,8 @@
Summary: QEMU is a FAST! processor emulator
Name: qemu
-Version: 2.6.0
-Release: 6%{?rcrel}%{?dist}
+Version: 2.7.0
+Release: 0.1%{?rcrel}%{?dist}
Epoch: 2
License: GPLv2+ and LGPLv2+ and BSD
Group: Development/Tools
@@ -92,58 +92,8 @@ Source20: kvm.conf
# /etc/sysctl.d/50-kvm-s390x.conf
Source21: 50-kvm-s390x.conf
-# Adjust spice gl version check to expect F24 backported version
-# Not for upstream, f24 only
-Patch0001: 0001-spice-F24-spice-has-backported-gl-support.patch
-# Fix gtk UI crash when switching to monitor (bz #1333424)
-Patch0002: 0002-ui-gtk-fix-crash-when-terminal-inner-border-is-NULL.patch
-# Fix sdl2 UI lockup lockup when switching to monitor
-Patch0003: 0003-ui-sdl2-Release-grab-before-opening-console-window.patch
-# Explicitly error if spice GL setup fails
-Patch0004: 0004-ui-spice-Exit-if-gl-on-EGL-init-fails.patch
-# Fix monitor resizing with virgl (bz #1337564)
-Patch0005: 0005-spice-gl-add-use-qemu_spice_gl_monitor_config.patch
-# CVE-2016-4020: memory leak in kvmvapic.c (bz #1326904)
-Patch0006: 0006-i386-kvmvapic-initialise-imm32-variable.patch
-# CVE-2016-4439: scsi: esb: OOB write #1 (bz #1337503)
-Patch0007: 0007-esp-check-command-buffer-length-before-write-CVE-201.patch
-# CVE-2016-4441: scsi: esb: OOB write #2 (bz #1337506)
-Patch0008: 0008-esp-check-dma-length-before-reading-scsi-command-CVE.patch
-# Fix regression installing windows 7 with qxl/vga (bz #1339267)
-Patch0009: 0009-vga-add-sr_vbe-register-set.patch
-# Fix crash with aarch64 gic-version=host and accel=tcg (bz #1339977)
-Patch0010: 0010-hw-arm-virt-Reject-gic-version-host-for-non-KVM.patch
-# CVE-2016-4002: net: buffer overflow in MIPSnet (bz #1326083)
-Patch0011: 0011-net-mipsnet-check-packet-length-against-buffer.patch
-# CVE-2016-4952 scsi: pvscsi: out-of-bounds access issue
-Patch0012: 0012-scsi-pvscsi-check-command-descriptor-ring-buffer-siz.patch
-# CVE-2016-4964: scsi: mptsas infinite loop (bz #1339157)
-Patch0013: 0013-scsi-mptsas-infinite-loop-while-fetching-requests.patch
-# CVE-2016-5106: scsi: megasas: out-of-bounds write (bz #1339581)
-Patch0014: 0014-scsi-megasas-use-appropriate-property-buffer-size.patch
-# CVE-2016-5105: scsi: megasas: stack information leakage (bz #1339585)
-Patch0015: 0015-scsi-megasas-initialise-local-configuration-data-buf.patch
-# CVE-2016-5107: scsi: megasas: out-of-bounds read (bz #1339573)
-Patch0016: 0016-scsi-megasas-check-read_queue_head-index-value.patch
-# CVE-2016-4454: display: vmsvga: out-of-bounds read (bz #1340740)
-Patch0017: 0017-vmsvga-move-fifo-sanity-checks-to-vmsvga_fifo_length.patch
-Patch0018: 0018-vmsvga-add-more-fifo-checks.patch
-Patch0019: 0019-vmsvga-shadow-fifo-registers.patch
-# CVE-2016-4453: display: vmsvga: infinite loop (bz #1340744)
-Patch0020: 0020-vmsvga-don-t-process-more-than-1024-fifo-commands-at.patch
-# CVE-2016-5126: block: iscsi: buffer overflow (bz #1340925)
-Patch0021: 0021-block-iscsi-avoid-potential-overflow-of-acb-task-cdb.patch
-# CVE-2016-5238: scsi: esp: OOB write (bz #1341932)
-Patch0022: 0022-scsi-esp-check-buffer-length-before-reading-scsi-com.patch
-Patch0023: 0023-scsi-esp-respect-FIFO-invariant-after-message-phase.patch
-Patch0024: 0024-scsi-esp-clean-up-handle_ti-esp_do_dma-if-s-do_cmd.patch
-# CVE-2016-5338: scsi: esp: OOB r/w access (bz #1343325)
-Patch0025: 0025-scsi-esp-make-cmdbuf-big-enough-for-maximum-CDB-size.patch
-# CVE-2016-5337: scsi: megasas: information leakage (bz #1343910)
-Patch0026: 0026-scsi-megasas-null-terminate-bios-version-buffer.patch
-# Fix crash with -nodefaults -sdl (bz #1340931)
-Patch0027: 0027-sdl2-skip-init-without-outputs.patch
-
+# Build fix, posted upstream
+Patch0001: for-2.7-virtio-gpu-fix-missing-log.h-include-file.patch
# documentation deps
BuildRequires: texi2html
@@ -371,15 +321,6 @@ Requires: qemu-%{kvm_package} = %{epoch}:%{version}-%{release}
This is a meta-package that provides a qemu-system-<arch> package for native
architectures where kvm can be enabled. For example, in an x86 system, this
will install qemu-system-x86
-
-
-%package kvm-tools
-Summary: KVM debugging and diagnostics tools
-Group: Development/Tools
-
-%description kvm-tools
-This package contains some diagnostics and debugging tools for KVM,
-such as kvm_stat.
%endif
@@ -783,6 +724,7 @@ pushd build-dynamic
--localstatedir=%{_localstatedir} \
--libexecdir=%{_libexecdir} \
--with-pkgversion=%{name}-%{version}-%{release} \
+ --tls-priority=@QEMU,SYSTEM \
--disable-strip \
%ifnarch aarch64
--extra-ldflags="$extraldflags -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -pie -Wl,-z,relro -Wl,-z,now" \
@@ -906,7 +848,6 @@ install -m 0644 %{_sourcedir}/50-kvm-s390x.conf %{buildroot}%{_sysconfdir}/sysct
# Install kvm specific bits
%if %{have_kvm}
mkdir -p %{buildroot}%{_bindir}/
-install -m 0755 scripts/kvm/kvm_stat %{buildroot}%{_bindir}/
install -m 0644 %{_sourcedir}/80-kvm.rules %{buildroot}%{_udevdir}
%endif
@@ -984,6 +925,9 @@ pxe_link ne2k_pci 10ec8029
pxe_link pcnet 10222000
pxe_link rtl8139 10ec8139
pxe_link virtio 1af41000
+pxe_link eepro100 80861209
+pxe_link e1000e 808610d3
+pxe_link vmxnet3 15ad07b0
rom_link() {
ln -s $1 %{buildroot}%{_datadir}/%{name}/$2
@@ -1079,6 +1023,7 @@ done
%global archs_skip_tests s390
%global archs_ignore_test_failures 0
+pushd build-dynamic
%ifnarch %{archs_skip_tests}
# Check the binary runs (see eg RHBZ#998722).
@@ -1108,6 +1053,7 @@ hostqemu=x86_64-softmmu/qemu-system-x86_64
if test -f "$hostqemu"; then qemu-sanity-check --qemu=$hostqemu ||: ; fi
%endif # archs_skip_tests
+popd
%if %{have_kvm}
@@ -1179,7 +1125,7 @@ getent passwd qemu >/dev/null || \
%{_datadir}/%{name}/qemu-icon.bmp
%{_datadir}/%{name}/qemu_logo_no_text.svg
%{_datadir}/%{name}/keymaps/
-%{_datadir}/%{name}/trace-events
+%{_datadir}/%{name}/trace-events-all
%{_mandir}/man1/qemu.1*
%{_mandir}/man1/virtfs-proxy-helper.1*
%{_bindir}/virtfs-proxy-helper
@@ -1223,9 +1169,6 @@ getent passwd qemu >/dev/null || \
%if %{have_kvm}
%files kvm
# Deliberately empty
-
-%files kvm-tools
-%{_bindir}/kvm_stat
%endif
@@ -1429,6 +1372,7 @@ getent passwd qemu >/dev/null || \
%{_datadir}/%{name}/bios-256k.bin
%{_datadir}/%{name}/sgabios.bin
%{_datadir}/%{name}/linuxboot.bin
+%{_datadir}/%{name}/linuxboot_dma.bin
%{_datadir}/%{name}/multiboot.bin
%{_datadir}/%{name}/kvmvapic.bin
%{_datadir}/%{name}/vgabios.bin
@@ -1439,14 +1383,20 @@ getent passwd qemu >/dev/null || \
%{_datadir}/%{name}/vgabios-virtio.bin
%{_datadir}/%{name}/pxe-e1000.rom
%{_datadir}/%{name}/efi-e1000.rom
-%{_datadir}/%{name}/pxe-virtio.rom
-%{_datadir}/%{name}/efi-virtio.rom
+%{_datadir}/%{name}/pxe-e1000e.rom
+%{_datadir}/%{name}/efi-e1000e.rom
+%{_datadir}/%{name}/pxe-eepro100.rom
+%{_datadir}/%{name}/efi-eepro100.rom
+%{_datadir}/%{name}/pxe-ne2k_pci.rom
+%{_datadir}/%{name}/efi-ne2k_pci.rom
%{_datadir}/%{name}/pxe-pcnet.rom
%{_datadir}/%{name}/efi-pcnet.rom
%{_datadir}/%{name}/pxe-rtl8139.rom
%{_datadir}/%{name}/efi-rtl8139.rom
-%{_datadir}/%{name}/pxe-ne2k_pci.rom
-%{_datadir}/%{name}/efi-ne2k_pci.rom
+%{_datadir}/%{name}/pxe-virtio.rom
+%{_datadir}/%{name}/efi-virtio.rom
+%{_datadir}/%{name}/pxe-vmxnet3.rom
+%{_datadir}/%{name}/efi-vmxnet3.rom
%ifarch %{ix86} x86_64
%{?kvm_files:}
%endif
@@ -1595,6 +1545,9 @@ getent passwd qemu >/dev/null || \
%changelog
+* Wed Aug 03 2016 Cole Robinson <crobinso@redhat.com> - 2:2.7.0-0.1.rc2
+- Rebase to qemu 2.7.0-rc2
+
* Sat Jul 23 2016 Richard W.M. Jones <rjones@redhat.com> - 2:2.6.0-6
- Rebuild to attempt to fix '2:qemu-system-xtensa-2.6.0-5.fc25.x86_64 requires libxenctrl.so.4.6()(64bit)'