Stable 2.5 - boot HP Firmware Images of Router and Switches #40
Commits on Mar 15, 2016
-
ehci: make idt processing more robust
Make ehci_process_itd return an error in case we didn't do any actual iso transfer because we've found no active transaction. That'll avoid ehci happily running in circles forever if the guest builds a loop out of idts.

This is CVE-2015-8558.

Cc: qemu-stable@nongnu.org
Reported-by: Qinghao Tang <luodalongde@gmail.com>
Tested-by: P J P <ppandit@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 156a2e4)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Commit 0d33580
-
net: vmxnet3: avoid memory leakage in activate_device
Vmxnet3 device emulator does not check if the device is active before activating it, also it did not free the transmit & receive buffers while deactivating the device, thus resulting in memory leakage on the host. This patch fixes both these issues to avoid host memory leakage.

Reported-by: Qinghao Tang <luodalongde@gmail.com>
Reviewed-by: Dmitry Fleytman <dmitry@daynix.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Cc: qemu-stable@nongnu.org
Signed-off-by: Jason Wang <jasowang@redhat.com>
(cherry picked from commit aa4a3dc)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Commit 42ae4a3
-
target-ppc: kvm: fix floating point registers sync on little-endian hosts
On VSX capable CPUs, the 32 FP registers are mapped to the high-bits of the 32 first VSX registers. So if you have:

VSR31 = (uint128) 0x0102030405060708090a0b0c0d0e0f00

then

FPR31 = (uint64) 0x0102030405060708

The kernel stores the VSX registers in the fp_state struct following the host endian element ordering.

On big-endian:

fp_state.fpr[31][0] = 0x0102030405060708
fp_state.fpr[31][1] = 0x090a0b0c0d0e0f00

On little-endian:

fp_state.fpr[31][0] = 0x090a0b0c0d0e0f00
fp_state.fpr[31][1] = 0x0102030405060708

The KVM_GET_ONE_REG and KVM_SET_ONE_REG ioctls preserve this ordering, but QEMU considers it as big-endian and always copies element [0] to the fpr[] array and element [1] to the vsr[] array. This does not work with little-endian hosts, and you will get:

(qemu) p $f31
0x90a0b0c0d0e0f00

instead of:

(qemu) p $f31
0x102030405060708

This patch fixes the element ordering for little-endian hosts.

Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
(cherry picked from commit 3a4b791)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Commit d4aed70
-
configure: Fix shell syntax to placate OpenBSD's pdksh
Unfortunately the OpenBSD pdksh does not like brackets inside the right part of a ${variable+word} parameter expansion:

$ echo "${a+($b)}"
ksh: ${a+($b)}": bad substitution

though both bash and dash accept them. In any case this line was causing odd output in the case where nettle is not present:

nettle no ()

(because if nettle is not present then $nettle will be "no", not a null string or unset). Rewrite it to just use an if.

This bug was originally introduced in becaeb7 and was present in the 2.4.0 release.

Fixes: https://bugs.launchpad.net/qemu/+bug/1525682
Reported-by: Dmitrij D. Czarkoff
Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Eric Blake <eblake@redhat.com>
Message-id: 1450105357-8516-1-git-send-email-peter.maydell@linaro.org
(cherry picked from commit 18f4988)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Commit 52a7b27
-
xen/blkif: Avoid double access to src->nr_segments
src is stored in shared memory and src->nr_segments is dereferenced twice at the end of the function. If a compiler decides to compile this into two separate memory accesses then the size limitation could be bypassed.

Fix it by removing the double access to src->nr_segments.

This is part of XSA-155.

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
(cherry picked from commit f9e98e5)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Commit 4d59e78
-
xenfb: avoid reading twice the same fields from the shared page
Reading twice the same field could give the guest an attack of opportunity. In the case of event->type, gcc could compile the switch statement into a jump table, effectively ending up reading the type field multiple times.

This is part of XSA-155.

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
(cherry picked from commit 7ea11bf)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Commit ff083d3
-
virtio-9p: use accessor to get thread_pool
The aio_context_new() function does not allocate a thread pool. This is deferred to the first call to the aio_get_thread_pool() accessor. It is hence forbidden to access the thread_pool field directly, as it may be NULL. The accessor *must* be used always.

Fixes: ebac120
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Tested-by: Michael Tokarev <mjt@tls.msk.ru>
Cc: qemu-stable@nongnu.org
Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
(cherry picked from commit 4b3a4f2)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Commit 4588b0d
-
scsi: initialise info object with appropriate size
While processing controller 'CTRL_GET_INFO' command, the routine 'megasas_ctrl_get_info' overflows the '&info' object size. Use its appropriate size to null initialise it.

Reported-by: Qinghao Tang <luodalongde@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <alpine.LFD.2.20.1512211501420.22471@wniryva>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: P J P <ppandit@redhat.com>
(cherry picked from commit 36fef36)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Commit 16a2875
-
Commit 3e96d5d
-
ivshmem: remove redundant assignment, fix crash with msi=off
Commit 702a8d1
-
net: rocker: fix an incorrect array bounds check
While processing transmit (tx) descriptors in 'tx_consume' routine the switch emulator suffers from an off-by-one error, if a descriptor was to have more than allowed (ROCKER_TX_FRAGS_MAX=16) fragments. Fix an incorrect bounds check to avoid it.

Reported-by: Qinghao Tang <luodalongde@gmail.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Jason Wang <jasowang@redhat.com>
(cherry picked from commit 007cd22)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Commit 7a2c1c8
Commits on Mar 17, 2016
-
Pull out the check whether a block device has a tray from blk_dev_is_tray_open() into its own function so both attributes (whether there is a tray vs. whether that tray is open) can be queried independently.

Cc: qemu-stable <qemu-stable@nongnu.org>
Signed-off-by: Max Reitz <mreitz@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Alberto Garcia <berto@igalia.com>
Message-id: 1454096953-31773-2-git-send-email-mreitz@redhat.com
(cherry picked from commit 8f3a73b)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Commit e1a8a09
-
blockdev: Fix 'change' for slot devices
'change' and related operations did not work when used on guest devices featuring removable media but no actual tray, because blk_dev_is_tray_open() always returned false for them and the blockdev-{insert,remove}-medium commands required it to return true.

Fix this by making blockdev-{insert,remove}-medium work on tray-less devices. Also, blockdev-{open,close}-tray are now explicitly no-ops when invoked on such devices, and blk_dev_change_media_cb() is instead called by blockdev-{insert,remove}-medium (for tray-less devices only).

Reported-by: Peter Maydell <peter.maydell@linaro.org>
Cc: qemu-stable <qemu-stable@nongnu.org>
Signed-off-by: Max Reitz <mreitz@redhat.com>
Reviewed-by: Alberto Garcia <berto@igalia.com>
Message-id: 1454096953-31773-3-git-send-email-mreitz@redhat.com
Reviewed-by: Eric Blake <eblake@redhat.com>
(cherry picked from commit 12c7ec8)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Commit 6a49a71
-
net/dump: fix nfds->filename leak
Cc: Jason Wang <jasowang@redhat.com>
Signed-off-by: Li Zhijian <lizhijian@cn.fujitsu.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Jason Wang <jasowang@redhat.com>
(cherry picked from commit b50c7d4)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Commit abda95c
-
net/filter: fix nf->netdev_id leak
Cc: Jason Wang <jasowang@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Li Zhijian <lizhijian@cn.fujitsu.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
(cherry picked from commit 671f66f)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Commit aaa5271
-
net: ne2000: check ring buffer control registers
Ne2000 NIC uses a ring buffer of NE2000_MEM_SIZE(49152) bytes to process network packets. Registers PSTART & PSTOP define ring buffer size & location. Setting these registers to invalid values could lead to an infinite loop or OOB r/w access issues. Add check to avoid it.

Reported-by: Yang Hongke <yanghongke@huawei.com>
Tested-by: Yang Hongke <yanghongke@huawei.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Jason Wang <jasowang@redhat.com>
(cherry picked from commit 415ab35)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Commit fe90bdc
-
net: set endianness on all backend devices
commit 5be7d9f
    vhost-net: tell tap backend about the vnet endianness

makes vhost net set the endianness of the device, but only for the first device. In case of multiqueue, we have multiple devices...

This patch sets the endianness for all the devices of the interface.

Signed-off-by: Laurent Vivier <lvivier@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Reviewed-by: Jason Wang <jasowang@redhat.com>
(cherry picked from commit a407644)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Commit 9849b19
-
After clearing the status register we also have to update the irq line status. Otherwise an irq which happens to be pending at reset time causes an interrupt storm. And the guest can't stop as the status register doesn't indicate any pending interrupt.

Both NetBSD and FreeBSD hang on shutdown because of that.

Cc: qemu-stable@nongnu.org
Reported-by: Andrey Korolyov <andrey@xdel.ru>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1453203884-4125-1-git-send-email-kraxel@redhat.com
(cherry picked from commit 5a86607)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Commit 3ede27d
-
block/raw-posix: avoid bogus fixup for cylinders on DASD disks
Large volume DASD that have > 64k cylinders do claim to have 0xFFFE cylinders as special value in the old 16 bit field. We want to pass this "token" along to the guest, instead of calculating the real number. Otherwise qemu might fail with "cyls must be between 1 and 65535".

Cc: qemu-stable@nongnu.org
Acked-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 972b543)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Commit 643c8d8
-
s390x/ioinst: set type and len for SEI response
If no event information is pending, the return code is set to 0x0005 and the length of the response is set to 8 bytes.

Signed-off-by: Pierre Morel <pmorel@linux.vnet.ibm.com>
Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Reviewed-by: Song Shan Gong <gongss@linux.vnet.ibm.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
(cherry picked from commit f70202b)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Commit d983923
-
s390x/css: fix control flags during csch
From the beginning, css support contained an error in csch handling: instead of setting the clear bit in the function control bits twice, we need to set the clear pending bit in the activity control bits. Let's fix this.

Cc: qemu-stable@nongnu.org
Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Signed-off-by: Halil Pasic <pasic@linux.vnet.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
(cherry picked from commit 4c6bf79)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Commit 091af18
-
fw_cfg: avoid calculating invalid current entry pointer
When calculating a pointer to the currently selected fw_cfg item, the following is used:

FWCfgEntry *e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK];

When s->cur_entry is FW_CFG_INVALID, we are calculating the address of a non-existent element in s->entries[arch][...], which is undefined. This patch ensures the resulting entry pointer is set to NULL whenever s->cur_entry is FW_CFG_INVALID.

Reported-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Gabriel Somlo <somlo@cmu.edu>
Message-id: 1446733972-1602-5-git-send-email-somlo@cmu.edu
Cc: Marc Marí <markmb@redhat.com>
Signed-off-by: Gabriel Somlo <somlo@cmu.edu>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 66f8fd9)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Commit 020282d
-
cpus: use broadcast on qemu_pause_cond
Jiri saw a hang on pause_all_vcpus called from postcopy_start, where the cpus are all apparently stopped ('stopped' flag set) but pause_all_vcpus is still stuck on a cond_wait on qemu_paused_cond.

We suspect this is happening if a qmp_stop is called at about the same time as the postcopy code calls that pause_all_vcpus; although they both should have the main lock held, Paolo spotted the cond_wait unlocks the global lock so perhaps they both could end up waiting at the same time?

Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Reported-by: Jiri Denemark <jdenemar@redhat.com>
Message-Id: <1453716498-27238-1-git-send-email-dgilbert@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 96bce68)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Commit 225d50f
-
qmp: Fix reference-counting of qnull on empty output visit
Commit 6c2f9a1 ensured that we would not return NULL when the caller used an output visitor but had nothing to visit. But in doing so, it added a FIXME about a reference count leak that could abort qemu in the (unlikely) case of SIZE_MAX such visits (more plausible on 32-bit). (Although that commit suggested we might fix it in time for 2.5, we ran out of time; fortunately, it is unlikely enough to bite that it was not worth worrying about during the 2.5 release.)

This fixes things by documenting the internal contracts, and explaining why the internal function can return NULL and only the public facing interface needs to worry about qnull(), thus avoiding over-referencing the qnull_ global object.

It does not, however, fix the stupidity of the stack mixing up two separate pieces of information; add a FIXME to explain that issue, which will be fixed shortly in a future patch.

Signed-off-by: Eric Blake <eblake@redhat.com>
Cc: qemu-stable@nongnu.org
Message-Id: <1454075341-13658-25-git-send-email-eblake@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
(cherry picked from commit a861564)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Commit a38a283
-
block: set device_list.tqe_prev to NULL on BDS removal
This fixes a regression introduced with commit 3f09bfb.

Multiple bugs arise in conjunction with live snapshots and mirroring operations (which include active layer commit).

After a live snapshot occurs, the active layer and the base layer both have a non-NULL tqe_prev field in the device_list, although the base node's tqe_prev field points to a NULL entry. This non-NULL tqe_prev field occurs after the bdrv_append() in the external snapshot calls change_parent_backing_link().

In change_parent_backing_link(), when the previous active layer is removed from device_list, the device_list.tqe_prev pointer is not set to NULL.

The operating scheme in the block layer is to indicate that a BDS belongs in the bdrv_states device_list iff the device_list.tqe_prev pointer is non-NULL.

This patch does two things:

1.) Introduces a new block layer helper bdrv_device_remove() to remove a BDS from the device_list, and
2.) uses that new API, which also fixes the regression once used in change_parent_backing_link().

Signed-off-by: Jeff Cody <jcody@redhat.com>
Message-id: 0cd51e11c0666c04ddb7c05293fe94afeb551e89.1454376655.git.jcody@redhat.com
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Max Reitz <mreitz@redhat.com>
(cherry picked from commit f8aa905)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Commit a375e0b
-
block: qemu-iotests - add test for snapshot, commit, snapshot bug
Signed-off-by: Jeff Cody <jcody@redhat.com>
Message-id: 2dbc05efba2f683cb3aaf71aaa9b776ebf7ec57c.1454376655.git.jcody@redhat.com
Reviewed-by: Max Reitz <mreitz@redhat.com>
[Moved test number from 143 to 144]
Signed-off-by: Max Reitz <mreitz@redhat.com>
(cherry picked from commit 8983b67)

Conflicts:
    tests/qemu-iotests/group

* removed context dependencies on newer test groups

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Commit 4853a5a
-
e1000: eliminate infinite loops on out-of-bounds transfer start
The start_xmit() and e1000_receive_iov() functions implement DMA transfers iterating over a set of descriptors that the guest's e1000 driver prepares:

- the TDLEN and RDLEN registers store the total size of the descriptor area,

- while the TDH and RDH registers store the offset (in whole tx / rx descriptors) into the area where the transfer is supposed to start.

Each time a descriptor is processed, the TDH and RDH register is bumped (as appropriate for the transfer direction).

QEMU already contains logic to deal with bogus transfers submitted by the guest:

- Normally, the transmit case wants to increase TDH from its initial value to TDT. (TDT is allowed to be numerically smaller than the initial TDH value; wrapping at or above TDLEN bytes to zero is normal.)

  The failsafe that QEMU currently has here is a check against reaching the original TDH value again -- a complete wraparound, which should never happen.

- In the receive case RDH is increased from its initial value until "total_size" bytes have been received; preferably in a single step, or in "s->rxbuf_size" byte steps, if the latter is smaller. However, null RX descriptors are skipped without receiving data, while RDH is incremented just the same. QEMU tries to prevent an infinite loop (processing only null RX descriptors) by detecting whether RDH assumes its original value during the loop. (Again, wrapping from RDLEN to 0 is normal.)

What both directions miss is that the guest could program TDLEN and RDLEN so low, and the initial TDH and RDH so high, that these registers will immediately be truncated to zero, and then never reassume their initial values in the loop -- a full wraparound will never occur.

The condition that expresses this is:

  xdh_start >= s->mac_reg[XDLEN] / sizeof(desc)

i.e., TDH or RDH start out after the last whole rx or tx descriptor that fits into the TDLEN or RDLEN sized area.

This condition could be checked before we enter the loops, but pci_dma_read() / pci_dma_write() knows how to fill in buffers safely for bogus DMA addresses, so we just extend the existing failsafes with the above condition.

This is CVE-2016-1981.

Cc: "Michael S. Tsirkin" <mst@redhat.com>
Cc: Petr Matousek <pmatouse@redhat.com>
Cc: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Cc: Prasad Pandit <ppandit@redhat.com>
Cc: Michael Roth <mdroth@linux.vnet.ibm.com>
Cc: Jason Wang <jasowang@redhat.com>
Cc: qemu-stable@nongnu.org
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1296044
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
(cherry picked from commit dd793a7)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
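As an added illustration that is not part of the commit or of QEMU's code, the following C model walks a transmit-descriptor ring the way the message above describes and contrasts the original wraparound failsafe with the extra start condition; DESC_SIZE, TxRing, XmitResult and simulate_xmit() are constructed here, and the sample rings are made up.

```c
/* Added example, not code from the commit or from QEMU: a small model of
 * the e1000 transmit-descriptor loop contrasting the original wraparound
 * failsafe with the extra start condition the commit message derives.
 * DESC_SIZE, TxRing, XmitResult and simulate_xmit() are constructed here. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define DESC_SIZE 16u     /* a legacy e1000 tx descriptor is 16 bytes */
#define MAX_ITER  100000u /* simulation guard so a runaway loop still ends */

typedef struct {
    uint32_t tdlen; /* size of the descriptor area in bytes */
    uint32_t tdh;   /* head: next descriptor to process (descriptor index) */
    uint32_t tdt;   /* tail: where the guest says the work ends */
} TxRing;

typedef struct {
    uint32_t processed;  /* descriptors handled before the loop ended */
    bool runaway;        /* hit MAX_ITER: the loop would never terminate */
    bool start_rejected; /* the extra condition refused the transfer */
} XmitResult;

/* Walk the ring from TDH to TDT the way start_xmit() does. With
 * strict == false only the original failsafe is active (stop on a full
 * wraparound back to the initial TDH); with strict == true the commit's
 * condition xdh_start >= XDLEN / sizeof(desc) is checked as well. */
static XmitResult simulate_xmit(TxRing r, bool strict)
{
    XmitResult res = {0, false, false};
    uint32_t ndesc = r.tdlen / DESC_SIZE; /* whole descriptors that fit */
    uint32_t tdh_start = r.tdh;

    /* TDH already lies past the last whole descriptor: the first bump
     * truncates it to zero and it can never reassume its initial value,
     * so the wraparound failsafe below would never fire. */
    if (strict && tdh_start >= ndesc) {
        res.start_rejected = true;
        return res;
    }

    while (r.tdh != r.tdt) {
        if (res.processed >= MAX_ITER) { /* simulation guard only */
            res.runaway = true;
            break;
        }
        res.processed++; /* "transmit" the descriptor at TDH */

        /* Bump TDH; wrapping at or above TDLEN bytes to zero is normal. */
        if ((uint64_t)++r.tdh * DESC_SIZE >= r.tdlen) {
            r.tdh = 0;
        }
        /* Original failsafe: reaching the initial TDH again means a
         * complete wraparound, which should never happen. */
        if (r.tdh == tdh_start) {
            break;
        }
    }
    return res;
}

int main(void)
{
    /* Constructed sample rings: a sane one, and a bogus one whose TDLEN
     * holds only two descriptors while TDH starts at index 5. */
    TxRing sane = {256, 14, 2};
    TxRing bogus = {32, 5, 4};
    XmitResult a = simulate_xmit(sane, true);
    XmitResult b = simulate_xmit(bogus, false);
    XmitResult c = simulate_xmit(bogus, true);

    printf("sane ring: processed %u descriptors\n", a.processed);
    printf("bogus ring, old failsafe only: runaway=%d\n", b.runaway);
    printf("bogus ring, with new condition: start_rejected=%d\n",
           c.start_rejected);
    return 0;
}
```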
Commit cb873ea
-
spapr: skip configuration section during migration of older machines
Since QEMU 2.4, we have a configuration section in the migration stream. This must be skipped for older machines, like it is already done for x86.

This patch fixes the migration of pseries-2.3 from/to QEMU 2.3, but it breaks migration of the same machine from/to QEMU 2.4/2.4.1/2.5. We do that anyway because QEMU 2.3 is likely to be more widely deployed than newer QEMU versions.

Fixes: 61964c2
Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
Reviewed-by: Laurent Vivier <lvivier@redhat.com>
Reviewed-by: Juan Quintela <quintela@redhat.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
(cherry picked from commit 09b5e30)

Conflicts:
    hw/ppc/spapr.c

* remove dep on 5013c54

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Commit c06f342
-
hw/virtio: fix double use of a virtio flag
Commits 1811e64 and a6df8ad use the same virtio feature bit 4 for different features. Fix it by using different bits.

Reported-by: Laurent Vivier <lvivier@redhat.com>
Tested-by: Laurent Vivier <lvivier@redhat.com>
Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
(cherry picked from commit 631a438)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Commit 6b62303
-
hw/virtio: group virtio flags into an enum
Minimizes the possibility to assign the same bit to different features.

Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Laurent Vivier <lvivier@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
(cherry picked from commit fc1769b)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Commit c5c9841
-
fw_cfg: unbreak migration compatibility for 2.4 and earlier machines
When I reviewed Marc's fw_cfg DMA patches, I completely missed that the way we set dma_enabled would break migration. Gerd explained the right way (see reference below): dma_enabled should be set to true by default, and only true->false transitions should be possible:

- when the user requests that with -global fw_cfg_mem.dma_enabled=off or -global fw_cfg_io.dma_enabled=off as appropriate for the platform,

- when HW_COMPAT_2_4 dictates it,

- when board code initializes fw_cfg without requesting DMA support.

Cc: Marc Marí <markmb@redhat.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Alexandre DERUMIER <aderumier@odiso.com>
Cc: qemu-stable@nongnu.org
Ref: http://thread.gmane.org/gmane.comp.emulators.qemu/390272/focus=391042
Ref: https://bugs.launchpad.net/qemu/+bug/1536487
Suggested-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Message-id: 1455823860-22268-1-git-send-email-lersek@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit e6915b5)

Conflicts:
    include/hw/compat.h

* remove cosmetic dep on c9c0afb

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Commit 3092979
-
vhost-user: don't merge regions with different fds
vhost currently merges regions with contiguous virtual and physical addresses. This breaks for vhost-user since that also needs fds to match. Add a vhost_ops entry to compare the fds for vhost-user only.

Cc: qemu-stable@nongnu.org
Cc: Victor Kaplansky <victork@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit ffe42cc)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Commit 9ae0217
-
target-arm: Make reserved ranges in ID_AA64* spaces RAZ, not UNDEF
The v8 ARM ARM defines that unused spaces in the ID_AA64* system register ranges are Reserved and must RAZ, rather than being UNDEF. Implement this.

In particular, ARM v8.2 adds a new feature register ID_AA64MMFR2, and newer versions of the Linux kernel will attempt to read this, which causes them not to boot up on versions of QEMU missing this fix.

Since the encoding .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 2, .opc2 = 6 is actually defined in ARMv8 (as ID_MMFR4), we give it an entry in the ARMCPU struct so CPUs can override it, though since none do this too will just RAZ.

Cc: qemu-stable@nongnu.org
Reported-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1455890863-11203-1-git-send-email-peter.maydell@linaro.org
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Tested-by: Alex Bennée <alex.bennee@linaro.org>
(cherry picked from commit e20d84c)

Conflicts:
    target-arm/helper.c

* remove context dep on 4054bfa

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Commit cab1cc7
-
quorum: Fix crash in quorum_aio_cb()
quorum_aio_cb() emits the QUORUM_REPORT_BAD event if there's an I/O error in a Quorum child. However sacb->aiocb must be correctly initialized for this to happen. read_quorum_children() and read_fifo_child() are not doing this, which results in a QEMU crash.

Signed-off-by: Alberto Garcia <berto@igalia.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Message-id: 8138570d071ba7e25db3736979234a1fd71dbd05.1457610443.git.berto@igalia.com
Signed-off-by: Max Reitz <mreitz@redhat.com>
(cherry picked from commit b9c600d)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Commit 4b0b1ec
-
vl.c: Fix regression in machine error message
Commit e1ce0c3 (vl.c: fix regression when reading machine type from config file) fixed the error message when the machine type was supplied inside the config file. However now the option name is not displayed correctly if the error happens when the machine is specified at command line.

Running

  ./x86_64-softmmu/qemu-system-x86_64 -M q35-1.5 -redir tcp:8022::22

will result in the error message:

  qemu-system-x86_64: -redir tcp:8022::22: unsupported machine type
  Use -machine help to list supported machines

Fixed it by restoring the error location and also extracted the code dealing with machine options into a separate function.

Reported-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
Reviewed-by: Eduardo Habkost <ehabkost@redhat.com>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
Message-Id: <1455303747-19776-2-git-send-email-ehabkost@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
(cherry picked from commit 34f405a)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Commit bad094d
Commits on Mar 22, 2016
-
migration: allow machine to enforce configuration section migration
Migration of pseries-2.3 doesn't have configuration section. Unfortunately, QEMU 2.4/2.4.1/2.5 are buggy and always stream and expect the configuration section, and break migration both ways.

This patch introduces a property which allows to enforce a configuration section for machines who don't have one.

It can be set at startup:

  -machine enforce-config-section=on

or later from the QEMU monitor:

  qom-set /machine enforce-config-section on

It is up to the tooling to set or unset this property according to the version of the QEMU at the other end of the pipe.

Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
Reviewed-by: Laurent Vivier <lvivier@redhat.com>
Reviewed-by: Juan Quintela <quintela@redhat.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
(cherry picked from commit 902c053)

Conflicts:
    qemu-options.hx

* removed context dependency on 87252e1
* added to provide 2.5<->2.5.1 migration compat option for pseries-2.3 machines

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Configuration menu - View commit details
-
Copy full SHA for a2ae168 - Browse repository at this point
Copy the full SHA a2ae168View commit details -
ahci: Do not unmap NULL addresses
Definitely don't try to unmap a garbage address.

Reported-by: Zuozhi fzz <zuozhi.fzz@alibaba-inc.com>
Signed-off-by: John Snow <jsnow@redhat.com>
Message-id: 1454103689-13042-2-git-send-email-jsnow@redhat.com
(cherry picked from commit 99b4cb7)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Commit: aaf4fb6
hmp: fix sendkey out of bounds write (CVE-2015-8619)
When processing 'sendkey' command, hmp_sendkey routine null terminates the 'keyname_buf' array. This results in an OOB write issue, if 'keyname_len' was to fall outside of 'keyname_buf' array.

Since the keyname's length is known the keyname_buf can be removed altogether by adding a length parameter to index_from_key() and using it for the error output as well.

Reported-by: Ling Liu <liuling-it@360.cn>
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Message-Id: <20160113080958.GA18934@olga>
[Comparison with "<" dumbed down, test for junk after strtoul() tweaked]
Signed-off-by: Markus Armbruster <armbru@redhat.com>
(cherry picked from commit 64ffbe0)
Conflicts:
    hmp.c
* removed dependency on 7fb1cf1
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Commit: 24fe899
i386: avoid null pointer dereference
Hello,

A null pointer dereference issue was reported by Mr Ling Liu, CC'd here. It occurs while doing I/O port write operations via hmp interface. In that, 'current_cpu' remains null as it is not called from cpu_exec loop, which results in the said issue.

Below is a proposed (tested) patch to fix this issue; Does it look okay?

===

From ae88a4947fab9a148cd794f8ad2d812e7f5a1d0f Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Fri, 18 Dec 2015 11:16:07 +0530
Subject: [PATCH] i386: avoid null pointer dereference

When I/O port write operation is called from hmp interface, 'current_cpu' remains null, as it is not called from cpu_exec() loop. This leads to a null pointer dereference in vapic_write routine. Add check to avoid it.

Reported-by: Ling Liu <liuling-it@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <alpine.LFD.2.20.1512181129320.9805@wniryva>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: P J P <ppandit@redhat.com>
(cherry picked from commit 4c1396c)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Commit: b47809c
ide: ahci: reset ncq object to unused on error
When processing NCQ commands, AHCI device emulation prepares a NCQ transfer object; To which an aio control block(aiocb) object is assigned in 'execute_ncq_command'. In case, when the NCQ command is invalid, the 'aiocb' object is not assigned, and NCQ transfer object is left as 'used'. This leads to a use after free kind of error in 'bdrv_aio_cancel_async' via 'ahci_reset_port'. Reset NCQ transfer object to 'unused' to avoid it.

[Maintainer edit: s/ACHI/AHCI/ in the commit message. --js]

Reported-by: Qinghao Tang <luodalongde@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: John Snow <jsnow@redhat.com>
Message-id: 1452282511-4116-1-git-send-email-ppandit@redhat.com
Signed-off-by: John Snow <jsnow@redhat.com>
(cherry picked from commit 4ab0359)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Commit: 4f046a6
net: check packet payload length
While computing IP checksum, 'net_checksum_calculate' reads payload length from the packet. It could exceed the given 'data' buffer size. Add a check to avoid it.

Reported-by: Liu Ling <liuling-it@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Jason Wang <jasowang@redhat.com>
(cherry picked from commit 362786f)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Commit: d0ee85b
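The bug class in the commit above is a length field taken from attacker-controlled packet bytes and used to bound a read over a host buffer of a different size. The following is an added illustration, not QEMU's net_checksum_calculate(): a toy IPv4/UDP checksum routine that reads Total Length from the header, with the pre-fix behaviour (trust the header) next to the fixed one (reject a datagram that does not fit the buffer actually handed in). The packet bytes are constructed for the example; the function names are mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IP_HDR_MIN  20
#define UDP_HDR_LEN 8
#define PROTO_UDP   17

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Ones'-complement partial sum over n bytes; an odd trailing byte is padded. */
static uint32_t sum16(const uint8_t *p, size_t n, uint32_t acc)
{
    while (n > 1) { acc += rd16(p); p += 2; n -= 2; }
    if (n) acc += (uint32_t)p[0] << 8;
    return acc;
}

static uint16_t fold(uint32_t acc)
{
    while (acc >> 16) acc = (acc & 0xffffu) + (acc >> 16);
    return (uint16_t)acc;
}

/* Number of bytes after the IP header the checksum loop will walk.
 * trust_header=1 reproduces the pre-fix behaviour: the Total Length field in
 * the packet decides, even when it exceeds the buffer (a host OOB read).
 * trust_header=0 is the fixed behaviour: -1 unless the datagram fits in size. */
static long payload_span(const uint8_t *data, size_t size, int trust_header)
{
    if (size < IP_HDR_MIN) return -1;
    size_t ihl = (size_t)(data[0] & 0x0f) * 4u;
    size_t total = rd16(data + 2);
    if (ihl < IP_HDR_MIN || total < ihl) return -1;
    if (!trust_header && total > size) return -1;      /* the added check */
    return (long)(total - ihl);
}

/* Pseudo-header + UDP header + payload; skip_csum leaves out the UDP checksum
 * field itself, which is what a computation (not a verification) needs. */
static uint32_t udp_sum(const uint8_t *data, size_t ihl, size_t span, int skip_csum)
{
    uint32_t acc = sum16(data + 12, 8, 0);               /* source + destination */
    acc += PROTO_UDP + (uint32_t)span;                   /* zero byte, protocol, UDP length */
    if (skip_csum) {
        acc = sum16(data + ihl, 6, acc);
        acc = sum16(data + ihl + 8, span - 8, acc);
    } else {
        acc = sum16(data + ihl, span, acc);
    }
    return acc;
}

/* Computes the UDP checksum of data[0..size). Returns 0 and stores it, or -1
 * when the header lengths do not fit the buffer. */
static int udp_checksum(const uint8_t *data, size_t size, uint16_t *out)
{
    long span = payload_span(data, size, 0);
    if (span < UDP_HDR_LEN || data[9] != PROTO_UDP) return -1;
    size_t ihl = (size_t)(data[0] & 0x0f) * 4u;
    uint16_t c = (uint16_t)~fold(udp_sum(data, ihl, (size_t)span, 1));
    *out = c ? c : 0xffff;                               /* RFC 768: 0 means "none" */
    return 0;
}

/* With the checksum in place the folded sum over everything must be 0xffff. */
static int udp_checksum_ok(const uint8_t *data, size_t size)
{
    long span = payload_span(data, size, 0);
    if (span < UDP_HDR_LEN || data[9] != PROTO_UDP) return 0;
    size_t ihl = (size_t)(data[0] & 0x0f) * 4u;
    return fold(udp_sum(data, ihl, (size_t)span, 0)) == 0xffff;
}

/* Constructed 28-byte IPv4+UDP datagram, 10.0.0.1:12345 -> 10.0.0.2:53, no payload. */
static const uint8_t sample_pkt[28] = {
    0x45, 0x00, 0x00, 0x1c, 0x00, 0x01, 0x00, 0x00, 0x40, 0x11, 0x00, 0x00,
    10, 0, 0, 1, 10, 0, 0, 2,
    0x30, 0x39, 0x00, 0x35, 0x00, 0x08, 0x00, 0x00,
};

/* Compute, store in the UDP checksum field, verify. Returns 1 on success. */
static int demo_roundtrip(void)
{
    uint8_t pkt[sizeof sample_pkt];
    uint16_t c;
    memcpy(pkt, sample_pkt, sizeof pkt);
    if (udp_checksum(pkt, sizeof pkt, &c) != 0) return 0;
    wr16(pkt + 26, c);
    return udp_checksum_ok(pkt, sizeof pkt);
}

/* The guest sets Total Length to 1500 while the buffer holds 28 bytes. */
static long demo_lying_header(int trust_header)
{
    uint8_t pkt[sizeof sample_pkt];
    memcpy(pkt, sample_pkt, sizeof pkt);
    wr16(pkt + 2, 1500);
    return payload_span(pkt, sizeof pkt, trust_header);
}

int main(void)
{
    printf("roundtrip=%d  pre-fix walks %ld bytes  fixed returns %ld\n",
           demo_roundtrip(), demo_lying_header(1), demo_lying_header(0));
    return 0;
}
```

The point of the span function is that the only trustworthy bound is the size of the buffer the caller owns; every length read out of the packet has to be checked against it before it drives a loop.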
net: ne2000: fix bounds check in ioport operations
While doing ioport r/w operations, ne2000 device emulation suffers from OOB r/w errors. Update respective array bounds check to avoid OOB access.

Reported-by: Ling Liu <liuling-it@360.cn>
Cc: qemu-stable@nongnu.org
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Jason Wang <jasowang@redhat.com>
(cherry picked from commit aa7f996)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Commit: 38e0921
usb: check page select value while processing iTD
While processing isochronous transfer descriptors(iTD), the page select(PG) field value could lead to an OOB read access. Add check to avoid it.

Reported-by: Qinghao Tang <luodalongde@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-id: 1453233406-12165-1-git-send-email-ppandit@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 49d925c)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Commit: 4dcd2f1
usb: check RNDIS buffer offsets & length
When processing remote NDIS control message packets, the USB Net device emulator uses a fixed length(4096) data buffer. The incoming informationBufferOffset & Length combination could overflow and cross that range. Check control message buffer offsets and length to avoid it.

Reported-by: Qinghao Tang <luodalongde@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-id: 1455648821-17340-3-git-send-email-ppandit@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit fe3c546)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Commit: e3a2cdf
usb: check RNDIS message length
When processing remote NDIS control message packets, the USB Net device emulator uses a fixed length(4096) data buffer. The incoming packet length could exceed this limit. Add a check to avoid it.

Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-id: 1455648821-17340-2-git-send-email-ppandit@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 64c9bc1)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Commit: 9bddb45
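The two RNDIS commits above ("check RNDIS buffer offsets & length" and "check RNDIS message length") are the two halves of one validation: the message must fit the fixed 4096-byte buffer, and the information buffer named by an (offset, length) pair must fit the message. The code below is an added example, not QEMU's usb-net code, modelling that validation. It assumes offsets are relative to the start of the message (a simplification of the RNDIS layout) and uses constructed message bytes; the naive check is written to show how a 32-bit offset+length sum wraps.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define RNDIS_CTRL_BUF 4096u

/* Pre-fix shape of the check: a 32-bit offset+length sum that can wrap, and no
 * comparison of the message length against the buffer. Returns 1 if accepted. */
static int rndis_infobuf_accept_naive(uint32_t msg_len, uint32_t off, uint32_t len)
{
    (void)msg_len;                               /* never looked at */
    return (off + len) <= RNDIS_CTRL_BUF;        /* off=0xfffffff0, len=0x20 sums to 0x10 */
}

/* Hardened: bound the message by the buffer, then the information buffer by
 * the message, using subtraction so no intermediate value can overflow. */
static int rndis_infobuf_accept(uint32_t msg_len, uint32_t off, uint32_t len)
{
    if (msg_len > RNDIS_CTRL_BUF) return 0;      /* "check RNDIS message length" */
    if (off > msg_len) return 0;                 /* "check RNDIS buffer offsets & length" */
    if (len > msg_len - off) return 0;
    return 1;
}

/* Copies the information buffer out of a control message after the hardened
 * check. Returns the byte count, or -1 if the message was rejected. */
static long rndis_copy_infobuf(const uint8_t *msg, uint32_t msg_len,
                               uint32_t off, uint32_t len,
                               uint8_t *dst, size_t dst_len)
{
    if (!rndis_infobuf_accept(msg_len, off, len) || len > dst_len) return -1;
    memcpy(dst, msg + off, len);
    return (long)len;
}

/* Constructed 64-byte message carrying a 16-byte information buffer at offset
 * 24. Returns the number of bytes copied when the copy matches, else -1. */
static long demo_copy(void)
{
    uint8_t msg[64];
    uint8_t out[64];
    for (size_t i = 0; i < sizeof msg; i++) msg[i] = (uint8_t)i;
    long n = rndis_copy_infobuf(msg, (uint32_t)sizeof msg, 24, 16, out, sizeof out);
    if (n != 16 || memcmp(out, msg + 24, 16) != 0) return -1;
    return n;
}

int main(void)
{
    printf("naive accepts wrapped offset: %d, hardened: %d\n",
           rndis_infobuf_accept_naive(64, 0xfffffff0u, 0x20),
           rndis_infobuf_accept(64, 0xfffffff0u, 0x20));
    printf("copy demo: %ld bytes\n", demo_copy());
    return 0;
}
```

The ordering matters: the message-length check has to come first, because `msg_len - off` is only a safe bound once `msg_len` itself is known to be inside the buffer and `off` inside `msg_len`.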
usb: check USB configuration descriptor object
When processing remote NDIS control message packets, the USB Net device emulator checks to see if the USB configuration descriptor object is of RNDIS type(2). But it does not check if it is null, which leads to a null dereference error. Add check to avoid it.

Reported-by: Qinghao Tang <luodalongde@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-id: 1455188480-14688-1-git-send-email-ppandit@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 80eecda)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Commit: 80b6e57
vmdk: Create streamOptimized as version 3
VMware products accept only version 3 for streamOptimized, let's bump the version.

Reported-by: Radoslav Gerganov <rgerganov@vmware.com>
Signed-off-by: Fam Zheng <famz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit d62d9dc)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Commit: acea76c
vmdk: Fix converting to streamOptimized
Commit d62d9dc lifted streamOptimized images' version to 3, but we now refuse to open version 3 images read-write. We need to make streamOptimized an exception to allow converting to it.

This fixes the accidentally broken iotests case 059 for the same reason.

Signed-off-by: Fam Zheng <famz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Max Reitz <mreitz@redhat.com>
(cherry picked from commit 3db1d98)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Commit: 078de11
hyperv: cpu hotplug fix with HyperV enabled
With Hyper-V enabled CPU hotplug stops working. The CPU appears in device manager on Windows but does not appear in performance monitor and control panel.

The root of the problem is the following. Windows checks HV_X64_CPU_DYNAMIC_PARTITIONING_AVAILABLE bit in CPUID. The presence of this bit is enough to cure the situation.

The bit should be set when CPU hotplug is allowed for HyperV VM. The check that hot_add_cpu callback is defined is enough from the protocol point of view. Though this callback is defined almost always thus there is no need to export that knowledge in the other way.

Signed-off-by: Denis V. Lunev <den@openvz.org>
Reviewed-by: Roman Kagan <rkagan@virtuozzo.com>
CC: Paolo Bonzini <pbonzini@redhat.com>
CC: Richard Henderson <rth@twiddle.net>
CC: Eduardo Habkost <ehabkost@redhat.com>
CC: "Andreas Färber" <afaerber@suse.de>
Reviewed-by: Eduardo Habkost <ehabkost@redhat.com>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
(cherry picked from commit 4467c6c)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Commit: 5f409b1
Commits on Mar 29, 2016
Update version for 2.5.1 release
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Commit: a58047f
Commits on May 9, 2016
vga: fix banked access bounds checking (CVE-2016-3710)
vga allows banked access to video memory using the window at 0xa00000 and it supports different access modes with different address calculations.

The VBE bochs extensions support banked access too, using the VBE_DISPI_INDEX_BANK register.

The code tries to take the different address calculations into account and applies different limits to VBE_DISPI_INDEX_BANK depending on the current access mode.

Which is probably effective in stopping misprogramming by accident. But from a security point of view completely useless as an attacker can easily change access modes after setting the bank register.

Drop the bogus check, add range checks to vga_mem_{readb,writeb} instead.

Fixes: CVE-2016-3710
Reported-by: Qinghao Tang <luodalongde@gmail.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Commit: 4f0323d
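The design lesson in the CVE-2016-3710 message is where a range check lives: validating the bank register at the moment it is written, against the access mode current at that moment, proves nothing about the address computed later under a different mode. The block below is an added model of that argument, not QEMU's vga code. VRAM size, bank size and the "planar addressing multiplies the offset by four" rule are assumptions of the model chosen to reproduce the shape of the problem, and the function names are mine. It runs the same guest sequence under both policies: the old one (check when the bank is written) and the fixed one (check in the memory access path).

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define VRAM_SIZE  (64u * 1024u)
#define BANK_SIZE  (16u * 1024u)

enum { CHECK_AT_BANK_WRITE = 0, CHECK_AT_ACCESS = 1 };

typedef struct {
    uint8_t  vram[VRAM_SIZE];
    uint32_t bank;      /* stands in for VBE_DISPI_INDEX_BANK */
    int      planar;    /* 0: linear byte addressing, 1: planar, address << 2 */
    int      policy;
} vga_model;

static void vga_init(vga_model *s, int policy)
{
    memset(s, 0, sizeof(*s));
    s->policy = policy;
}

/* Largest bank whose whole window still lies inside VRAM for a given mode. */
static uint32_t max_bank_for_mode(int planar)
{
    uint32_t window = planar ? BANK_SIZE * 4u : BANK_SIZE;
    return VRAM_SIZE / window - 1u;            /* linear: 3, planar: 0 */
}

/* Bank register write. The old policy validates here, against whatever mode is
 * current at that moment; the new policy stores the value unconditionally. */
static int vbe_write_bank(vga_model *s, uint32_t val)
{
    if (s->policy == CHECK_AT_BANK_WRITE && val > max_bank_for_mode(s->planar)) {
        return -1;
    }
    s->bank = val;
    return 0;
}

static void vga_set_planar(vga_model *s, int planar) { s->planar = planar; }

static uint32_t vga_phys_addr(const vga_model *s, uint32_t offset)
{
    uint32_t addr = s->bank * BANK_SIZE + (offset & (BANK_SIZE - 1u));
    return s->planar ? addr << 2 : addr;      /* plane 0 of the planar layout */
}

/* Byte write through the banked window. Returns the VRAM index written, -1 if
 * the access-time check rejected it, or -2 when the old policy would have
 * written outside VRAM (the model reports instead of corrupting memory). */
static long vga_mem_writeb(vga_model *s, uint32_t offset, uint8_t val)
{
    uint32_t addr = vga_phys_addr(s, offset);
    if (addr >= VRAM_SIZE) {
        return s->policy == CHECK_AT_ACCESS ? -1 : -2;
    }
    s->vram[addr] = val;
    return (long)addr;
}

/* The sequence from the commit message: program the bank while in the mode
 * where it passes the check, switch modes, then touch memory. */
static long vga_bank_then_switch(int policy)
{
    vga_model s;
    vga_init(&s, policy);
    vga_set_planar(&s, 0);
    if (vbe_write_bank(&s, max_bank_for_mode(0)) != 0) return -3;   /* bank 3 accepted */
    vga_set_planar(&s, 1);          /* now the same bank means (3 * 16 KiB) << 2 */
    return vga_mem_writeb(&s, 0, 0x41);
}

/* Ordinary accesses under the access-time check, for comparison. */
static long vga_write_at(int planar, uint32_t bank, uint32_t offset)
{
    vga_model s;
    vga_init(&s, CHECK_AT_ACCESS);
    vga_set_planar(&s, planar);
    vbe_write_bank(&s, bank);
    return vga_mem_writeb(&s, offset, 0x41);
}

int main(void)
{
    printf("check at bank write: %ld (-2 = would write out of bounds)\n",
           vga_bank_then_switch(CHECK_AT_BANK_WRITE));
    printf("check at access:     %ld (-1 = rejected)\n",
           vga_bank_then_switch(CHECK_AT_ACCESS));
    return 0;
}
```

The same rule generalises beyond VGA: when several guest-writable registers feed one address computation, the only check that cannot be raced or reordered around is the one applied to the final computed address.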
Makes code a bit easier to read.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Commit: 46aff2c
vga: factor out vga register setup
When enabling vbe mode qemu will setup a bunch of vga registers to make sure the vga emulation operates in correct mode for a linear framebuffer. Move that code to a separate function so we can call it from other places too.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Commit: 2f2f74e
vga: update vga register setup on vbe changes
Call the new vbe_update_vgaregs() function on vbe configuration changes, to make sure vga registers are up-to-date.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Commit: a6e5e5d
vga: make sure vga register setup for vbe stays intact (CVE-2016-3712).
Call vbe_update_vgaregs() when the guest touches GFX, SEQ or CRT registers, to make sure the vga registers will always have the values needed by vbe mode. This makes sure the sanity checks applied by vbe_fixup_regs() are effective.

Without this guests can muck with shift_control, can turn on planar vga modes or text mode emulation while VBE is active, making qemu take code paths meant for CGA compatibility, but with the very large display widths and heights settable using VBE registers. Which is good for one or another buffer overflow. Not that critical as they typically read overflows happening somewhere in the display code. So guests can DoS by crashing qemu with a segfault, but it is probably not possible to break out of the VM.

Fixes: CVE-2016-3712
Reported-by: Zuozhi Fzz <zuozhi.fzz@alibaba-inc.com>
Reported-by: P J P <ppandit@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Commit: 44b86aa
ehci: apply limit to iTD/sidt descriptors
Commit "156a2e4 ehci: make idt processing more robust" tries to avoid a DoS by the guest (create a circular iTD queue and let qemu ehci emulation run in circles forever). Unfortunately this has two problems: First it misses the case of siTDs, and second it reportedly breaks FreeBSD.

So let's go for a different approach: just count the number of iTDs and siTDs we have seen per frame and apply a limit. That should really catch all cases now.

Reported-by: 杜少博 <dushaobo@360.cn>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 1ae3f2f)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Commit: 706bab6
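The commit above replaces a heuristic (stop when an iTD has no active transaction) with a budget: count every periodic descriptor touched in a frame, iTD and siTD alike, and give up on the frame once the count passes a cap, so guest-built cycles cost a bounded amount of work. The following is an added toy model of that walk, not QEMU's hcd-ehci.c: descriptors live in an array and link by index, the terminate bit is a sentinel value, and the cap of 32 is an assumption of the example rather than the project's constant.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define LINK_TERMINATE          0xffffffffu   /* stands in for the T bit */
#define MAX_PERIODIC_PER_FRAME  32            /* assumed cap, not the project's value */

enum desc_type { DESC_ITD, DESC_SITD };

typedef struct {
    enum desc_type type;
    uint32_t next;            /* index of the next descriptor, or LINK_TERMINATE */
} periodic_desc;

typedef struct {
    uint32_t itds, sitds;     /* descriptors of each kind handled this frame */
    int aborted;              /* 1 when the per-frame cap stopped the walk */
} frame_stats;

static frame_stats g_last;    /* stats of the most recent frame, for inspection */

/* Walks the chain starting at head. Returns the number of descriptors handled,
 * or -1 when a link points outside guest memory (n entries). */
static long ehci_process_frame(const periodic_desc *mem, size_t n, uint32_t head)
{
    uint32_t cur = head;
    long seen = 0;
    g_last.itds = g_last.sitds = 0;
    g_last.aborted = 0;

    while (cur != LINK_TERMINATE) {
        if (cur >= n) return -1;                  /* bogus pointer from the guest */
        if (seen >= MAX_PERIODIC_PER_FRAME) {      /* the per-frame limit */
            g_last.aborted = 1;
            break;
        }
        if (mem[cur].type == DESC_ITD) g_last.itds++; else g_last.sitds++;
        seen++;
        cur = mem[cur].next;
    }
    return seen;
}

/* Well-formed frame: iTD -> siTD -> iTD -> end. */
static long demo_linear(void)
{
    static const periodic_desc mem[3] = {
        { DESC_ITD, 1 }, { DESC_SITD, 2 }, { DESC_ITD, LINK_TERMINATE },
    };
    return ehci_process_frame(mem, 3, 0);
}

/* Hostile frame: a two-entry cycle through an iTD and an siTD, the shape the
 * commit says an iTD-only check misses. */
static long demo_cycle(void)
{
    static const periodic_desc mem[2] = { { DESC_ITD, 1 }, { DESC_SITD, 0 } };
    return ehci_process_frame(mem, 2, 0);
}

/* A link pointing past the end of guest memory. */
static long demo_bad_link(void)
{
    static const periodic_desc mem[2] = { { DESC_ITD, 7 }, { DESC_SITD, LINK_TERMINATE } };
    return ehci_process_frame(mem, 2, 0);
}

int main(void)
{
    printf("linear: %ld descriptors\n", demo_linear());
    printf("cycle:  %ld descriptors, aborted=%d\n", demo_cycle(), g_last.aborted);
    printf("bad link: %ld\n", demo_bad_link());
    return 0;
}
```

A counter is preferable to cycle detection here because it also bounds long but acyclic chains, and it does not depend on any property of the descriptor contents that a guest could arrange to satisfy.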
Commit: 0bcdb63
cadence_uart: bounds check write offset
cadence_uart_init() initializes an I/O memory region of size 0x1000 bytes. However in uart_write(), the 'offset' parameter (offset within region) is divided by 4 and then used to index the array 'r' of size CADENCE_UART_R_MAX which is much smaller: (0x48/4). If 'offset>>=2' exceeds CADENCE_UART_R_MAX, this will cause an out-of-bounds memory write where the offset and the value are controlled by guest.

This will corrupt QEMU memory, in most situations this causes the vm to crash.

Fix by checking the offset against the array size.

Cc: qemu-stable@nongnu.org
Reported-by: 李强 <liqiang6-s@360.cn>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Alistair Francis <alistair.francis@xilinx.com>
Message-id: 20160418100735.GA517@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
(cherry picked from commit 5eb0b19)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Commit: 5b7236f
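The cadence_uart commit describes a size mismatch that recurs across MMIO device models: the memory region registered with the bus is 0x1000 bytes, but the register file it is backed by is 0x48 bytes, and the index is derived from the offset without checking the smaller bound. The following is an added model of that mismatch, not QEMU's cadence_uart.c, with the unchecked write and the checked write side by side. The slots past the register file stand in for whatever follows the device state in host memory; the test value and function names are assumptions of the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define UART_REGION_SIZE 0x1000u
#define UART_R_MAX       (0x48u / 4u)            /* 18 registers */
#define UART_SLOTS       (UART_REGION_SIZE / 4u)  /* 1024 addressable words */

typedef struct {
    /* Slots [0, UART_R_MAX) model the register array r[]; slots beyond it
     * stand in for whatever follows the device state in host memory. */
    uint32_t mem[UART_SLOTS];
} uart_model;

static void uart_init(uart_model *s) { memset(s, 0, sizeof(*s)); }

/* Pre-fix: the index comes from the offset and is bounded only by the region
 * size (which the memory subsystem guarantees), not by the array. Returns the
 * slot written, or -1 if the offset is not even inside the region. */
static long uart_write_unchecked(uart_model *s, uint64_t offset, uint32_t value)
{
    if (offset >= UART_REGION_SIZE) return -1;    /* the bus would not deliver this */
    offset >>= 2;
    s->mem[offset] = value;                       /* offset may be >= UART_R_MAX */
    return (long)offset;
}

/* Fixed: reject offsets beyond the register file before indexing. */
static long uart_write_checked(uart_model *s, uint64_t offset, uint32_t value)
{
    if (offset >= UART_REGION_SIZE) return -1;
    offset >>= 2;
    if (offset >= UART_R_MAX) return -1;          /* the added bounds check */
    s->mem[offset] = value;
    return (long)offset;
}

/* Replays one guest write against a fresh model and reports what ended up in
 * the slot the offset maps to (0 means the write was dropped). */
static uint32_t slot_after_write(int checked, uint64_t offset)
{
    uart_model s;
    uart_init(&s);
    if (offset >= UART_REGION_SIZE) return 0;
    if (checked) uart_write_checked(&s, offset, 0x41414141u);
    else         uart_write_unchecked(&s, offset, 0x41414141u);
    return s.mem[offset >> 2];
}

/* Return code of the checked write for a given offset, on a fresh model. */
static long checked_rc(uint64_t offset)
{
    uart_model s;
    uart_init(&s);
    return uart_write_checked(&s, offset, 0x41414141u);
}

int main(void)
{
    printf("offset 0x100 unchecked: slot 64 holds %#x (past r[%u])\n",
           slot_after_write(0, 0x100), (unsigned)UART_R_MAX);
    printf("offset 0x100 checked:   slot 64 holds %#x\n", slot_after_write(1, 0x100));
    return 0;
}
```

When reviewing a device model, compare the size passed to the region registration with the size of every array indexed by the offset; if they differ, the write handler needs its own check, because the bus only enforces the larger one.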
Update version for 2.5.1.1 release
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Commit: db51dfc