https://github.com/qemu/qemu
- HEAD
- refs/heads/block
- refs/heads/coverity
- refs/heads/master
- refs/heads/stable-0.10
- refs/heads/stable-0.11
- refs/heads/stable-0.12
- refs/heads/stable-0.13
- refs/heads/stable-0.14
- refs/heads/stable-0.15
- refs/heads/stable-1.0
- refs/heads/stable-1.1
- refs/heads/stable-1.2
- refs/heads/stable-1.3
- refs/heads/stable-1.4
- refs/heads/stable-1.5
- refs/heads/stable-1.6
- refs/heads/stable-1.7
- refs/heads/stable-2.0
- refs/heads/stable-2.1
- refs/heads/stable-2.10
- refs/heads/stable-2.11
- refs/heads/stable-2.12
- refs/heads/stable-2.2
- refs/heads/stable-2.3
- refs/heads/stable-2.4
- refs/heads/stable-2.5
- refs/heads/stable-2.6
- refs/heads/stable-2.7
- refs/heads/stable-2.8
- refs/heads/stable-2.9
- refs/heads/stable-3.0
- refs/heads/stable-3.1
- refs/heads/stable-4.0
- refs/heads/stable-4.1
- refs/heads/stable-4.2
- refs/heads/stable-5.0
- refs/heads/stable-6.0
- refs/heads/stable-6.0-staging
- refs/heads/stable-6.1
- refs/heads/stable-7.2
- refs/heads/stable-7.2-staging
- refs/heads/stable-8.0
- refs/heads/stable-8.0-staging
- refs/heads/stable-8.1
- refs/heads/stable-8.2
- refs/heads/stable-9.0
- refs/heads/staging
- refs/heads/staging-0.0
- refs/heads/staging-7.2
- refs/heads/staging-8.0
- refs/heads/staging-8.1
- refs/heads/staging-8.2
- refs/heads/staging-9.0
- refs/heads/staging-mjt-test
- refs/heads/stsquad-hotfix
- refs/notes/commits
- refs/remotes/github/master
- refs/remotes/github/stable-0.10
- refs/remotes/github/stable-0.11
- refs/remotes/github/stable-0.12
- refs/remotes/github/stable-0.13
- refs/remotes/github/stable-0.14
- refs/remotes/github/stable-0.15
- refs/remotes/github/stable-1.0
- refs/remotes/github/stable-1.1
- refs/remotes/github/stable-1.2
- refs/remotes/github/stable-1.3
- refs/remotes/github/stable-1.4
- refs/remotes/github/stable-1.5
- refs/remotes/github/stable-1.6
- refs/remotes/github/stable-1.7
- refs/remotes/github/stable-2.0
- refs/remotes/github/stable-2.1
- refs/remotes/github/stable-2.10
- refs/remotes/github/stable-2.11
- refs/remotes/github/stable-2.12
- refs/remotes/github/stable-2.2
- refs/remotes/github/stable-2.3
- refs/remotes/github/stable-2.4
- refs/remotes/github/stable-2.5
- refs/remotes/github/stable-2.6
- refs/remotes/github/stable-2.7
- refs/remotes/github/stable-2.8
- refs/remotes/github/stable-2.9
- refs/remotes/github/stable-3.0
- refs/remotes/github/stable-3.1
- refs/remotes/github/stable-4.0
- refs/remotes/github/stable-4.1
- refs/remotes/github/stable-4.2
- refs/remotes/github/stable-5.0
- refs/remotes/github/staging
- refs/tags/initial
- refs/tags/release_0_10_0
- refs/tags/release_0_10_1
- refs/tags/release_0_10_2
- refs/tags/release_0_5_1
- refs/tags/release_0_6_0
- refs/tags/release_0_6_1
- refs/tags/release_0_7_0
- refs/tags/release_0_7_1
- refs/tags/release_0_8_1
- refs/tags/release_0_8_2
- refs/tags/release_0_9_0
- refs/tags/release_0_9_1
- refs/tags/v0.1.0
- refs/tags/v0.1.1
- refs/tags/v0.1.3
- refs/tags/v0.1.4
- refs/tags/v0.1.5
- refs/tags/v0.1.6
- refs/tags/v0.10.0
- refs/tags/v0.10.1
- refs/tags/v0.10.2
- refs/tags/v0.10.3
- refs/tags/v0.10.4
- refs/tags/v0.10.5
- refs/tags/v0.10.6
- refs/tags/v0.11.0
- refs/tags/v0.11.0-rc0
- refs/tags/v0.11.0-rc1
- refs/tags/v0.11.0-rc2
- refs/tags/v0.11.1
- refs/tags/v0.12.0
- refs/tags/v0.12.0-rc0
- refs/tags/v0.12.0-rc1
- refs/tags/v0.12.0-rc2
- refs/tags/v0.12.1
- refs/tags/v0.12.2
- refs/tags/v0.12.3
- refs/tags/v0.12.4
- refs/tags/v0.12.5
- refs/tags/v0.13.0
- refs/tags/v0.13.0-rc0
- refs/tags/v0.13.0-rc1
- refs/tags/v0.13.0-rc2
- refs/tags/v0.13.0-rc3
- refs/tags/v0.14.0
- refs/tags/v0.14.0-rc0
- refs/tags/v0.14.0-rc1
- refs/tags/v0.14.0-rc2
- refs/tags/v0.15.0
- refs/tags/v0.15.0-rc0
- refs/tags/v0.15.0-rc1
- refs/tags/v0.15.0-rc2
- refs/tags/v0.15.1
- refs/tags/v0.2.0
- refs/tags/v0.3.0
- refs/tags/v0.4.0
- refs/tags/v0.4.1
- refs/tags/v0.4.2
- refs/tags/v0.4.3
- refs/tags/v0.4.4
- refs/tags/v0.5.0
- refs/tags/v0.5.1
- refs/tags/v0.6.0
- refs/tags/v0.6.1
- refs/tags/v0.7.0
- refs/tags/v0.7.1
- refs/tags/v0.8.1
- refs/tags/v0.8.2
- refs/tags/v0.9.0
- refs/tags/v0.9.1
- refs/tags/v1.0-rc0
- refs/tags/v1.0-rc1
- refs/tags/v1.0-rc2
- refs/tags/v1.0-rc3
- refs/tags/v1.0.1
- refs/tags/v1.1-rc0
- refs/tags/v1.1-rc1
- refs/tags/v1.1-rc2
- refs/tags/v1.1.0
- refs/tags/v1.1.0-rc2
- refs/tags/v1.1.0-rc3
- refs/tags/v1.1.0-rc4
- refs/tags/v1.1.1
- refs/tags/v1.1.2
- refs/tags/v1.2.0-rc0
- refs/tags/v1.2.1
- refs/tags/v1.2.2
- refs/tags/v1.3.0
- refs/tags/v1.3.0-rc0
- refs/tags/v1.3.0-rc1
- refs/tags/v1.3.0-rc2
- refs/tags/v1.3.1
- refs/tags/v1.4.1
- refs/tags/v1.4.2
- refs/tags/v1.5.0
- refs/tags/v1.5.0-rc0
- refs/tags/v1.5.0-rc1
- refs/tags/v1.5.0-rc2
- refs/tags/v1.5.0-rc3
- refs/tags/v1.5.1
- refs/tags/v1.5.2
- refs/tags/v1.5.3
- refs/tags/v1.6.0
- refs/tags/v1.6.0-rc0
- refs/tags/v1.6.0-rc1
- refs/tags/v1.6.0-rc2
- refs/tags/v1.6.0-rc3
- refs/tags/v1.6.1
- refs/tags/v1.6.2
- refs/tags/v1.7.0
- refs/tags/v1.7.0-rc0
- refs/tags/v1.7.0-rc1
- refs/tags/v1.7.0-rc2
- refs/tags/v1.7.1
- refs/tags/v1.7.2
- refs/tags/v2.0.1
- refs/tags/v2.0.2
- v9.1.0-rc0
- v9.0.2
- v9.0.1
- v9.0.0-rc4
- v9.0.0-rc3
- v9.0.0-rc2
- v9.0.0-rc1
- v9.0.0-rc0
- v9.0.0
- v8.2.6
- v8.2.5
- v8.2.4
- v8.2.3
- v8.2.2
- v8.2.1
- v8.2.0-rc4
- v8.2.0-rc3
- v8.2.0-rc2
- v8.2.0-rc1
- v8.2.0-rc0
- v8.2.0
- v8.1.5
- v8.1.4
- v8.1.3
- v8.1.2
- v8.1.1
- v8.1.0-rc4
- v8.1.0-rc3
- v8.1.0-rc2
- v8.1.0-rc1
- v8.1.0-rc0
- v8.1.0
- v8.0.5
- v8.0.4
- v8.0.3
- v8.0.2
- v8.0.1
- v8.0.0-rc4
- v8.0.0-rc3
- v8.0.0-rc2
- v8.0.0-rc1
- v8.0.0-rc0
- v8.0.0
- v7.2.9
- v7.2.8
- v7.2.7
- v7.2.6
- v7.2.5
- v7.2.4
- v7.2.3
- v7.2.2
- v7.2.13
- v7.2.12
- v7.2.11
- v7.2.10
- v7.2.1
- v7.2.0-rc4
- v7.2.0-rc3
- v7.2.0-rc2
- v7.2.0-rc1
- v7.2.0-rc0
- v7.2.0
- v7.1.0-rc4
- v7.1.0-rc3
- v7.1.0-rc2
- v7.1.0-rc1
- v7.1.0-rc0
- v7.1.0
- v7.0.0-rc4
- v7.0.0-rc3
- v7.0.0-rc2
- v7.0.0-rc1
- v7.0.0-rc0
- v7.0.0
- v6.2.0-rc4
- v6.2.0-rc3
- v6.2.0-rc2
- v6.2.0-rc1
- v6.2.0-rc0
- v6.2.0
- v6.1.1
- v6.1.0-rc4
- v6.1.0-rc3
- v6.1.0-rc2
- v6.1.0-rc1
- v6.1.0-rc0
- v6.1.0
- v6.0.1
- v6.0.0-rc5
- v6.0.0-rc4
- v6.0.0-rc3
- v6.0.0-rc2
- v6.0.0-rc1
- v6.0.0-rc0
- v6.0.0
- v5.2.0-rc4
- v5.2.0-rc3
- v5.2.0-rc2
- v5.2.0-rc1
- v5.2.0-rc0
- v5.2.0
- v5.1.0-rc3
- v5.1.0-rc2
- v5.1.0-rc1
- v5.1.0-rc0
- v5.1.0
- v5.0.1
- v5.0.0-rc4
- v5.0.0-rc3
- v5.0.0-rc2
- v5.0.0-rc1
- v5.0.0-rc0
- v5.0.0
- v4.2.1
- v4.2.0-rc5
- v4.2.0-rc4
- v4.2.0-rc3
- v4.2.0-rc2
- v4.2.0-rc1
- v4.2.0-rc0
- v4.2.0
- v4.1.1
- v4.1.0-rc5
- v4.1.0-rc4
- v4.1.0-rc3
- v4.1.0-rc2
- v4.1.0-rc1
- v4.1.0-rc0
- v4.1.0
- v4.0.1
- v4.0.0-rc4
- v4.0.0-rc3
- v4.0.0-rc2
- v4.0.0-rc1
- v4.0.0-rc0
- v4.0.0
- v3.1.1.1
- v3.1.1
- v3.1.0-rc5
- v3.1.0-rc4
- v3.1.0-rc3
- v3.1.0-rc2
- v3.1.0-rc1
- v3.1.0-rc0
- v3.1.0
- v3.0.1
- v3.0.0-rc4
- v3.0.0-rc3
- v3.0.0-rc2
- v3.0.0-rc1
- v3.0.0-rc0
- v3.0.0
- v2.9.1
- v2.9.0-rc5
- v2.9.0-rc4
- v2.9.0-rc3
- v2.9.0-rc2
- v2.9.0-rc1
- v2.9.0-rc0
- v2.9.0
- v2.8.1.1
- v2.8.1
- v2.8.0-rc4
- v2.8.0-rc3
- v2.8.0-rc2
- v2.8.0-rc1
- v2.8.0-rc0
- v2.8.0
- v2.7.1
- v2.7.0-rc5
- v2.7.0-rc4
- v2.7.0-rc3
- v2.7.0-rc2
- v2.7.0-rc1
- v2.7.0-rc0
- v2.7.0
- v2.6.2
- v2.6.1
- v2.6.0-rc5
- v2.6.0-rc4
- v2.6.0-rc3
- v2.6.0-rc2
- v2.6.0-rc1
- v2.6.0-rc0
- v2.6.0
- v2.5.1.1
- v2.5.1
- v2.5.0-rc4
- v2.5.0-rc3
- v2.5.0-rc2
- v2.5.0-rc1
- v2.5.0-rc0
- v2.5.0
- v2.4.1
- v2.4.0.1
- v2.4.0-rc4
- v2.4.0-rc3
- v2.4.0-rc2
- v2.4.0-rc1
- v2.4.0-rc0
- v2.4.0
- v2.3.1
- v2.3.0-rc4
- v2.3.0-rc3
- v2.3.0-rc2
- v2.3.0-rc1
- v2.3.0-rc0
- v2.3.0
- v2.2.1
- v2.2.0-rc5
- v2.2.0-rc4
- v2.2.0-rc3
- v2.2.0-rc2
- v2.2.0-rc1
- v2.2.0-rc0
- v2.2.0
- v2.12.1
- v2.12.0-rc4
- v2.12.0-rc3
- v2.12.0-rc2
- v2.12.0-rc1
- v2.12.0-rc0
- v2.12.0
- v2.11.2
- v2.11.1
- v2.11.0-rc5
- v2.11.0-rc4
- v2.11.0-rc3
- v2.11.0-rc2
- v2.11.0-rc1
- v2.11.0-rc0
- v2.11.0
- v2.10.2
- v2.10.1
- v2.10.0-rc4
- v2.10.0-rc3
- v2.10.0-rc2
- v2.10.0-rc1
- v2.10.0-rc0
- v2.10.0
- v2.1.3
- v2.1.2
- v2.1.1
- v2.1.0-rc5
- v2.1.0-rc4
- v2.1.0-rc3
- v2.1.0-rc2
- v2.1.0-rc1
- v2.1.0-rc0
- v2.1.0
- v2.0.0-rc3
- v2.0.0-rc2
- v2.0.0-rc1
- v2.0.0-rc0
- v2.0.0
- v1.4.0-rc2
- v1.4.0-rc1
- v1.4.0-rc0
- v1.4.0
- v1.2.0-rc3
- v1.2.0-rc2
- v1.2.0-rc1
- v1.2.0
- v1.0-rc4
- v1.0
- v0.14.1
- trivial-patches-pull-request
Take a new snapshot of a software origin
If the archived software origin currently browsed is not synchronized with its upstream version (for instance when new commits have been issued), you can explicitly request Software Heritage to take a new snapshot of it.
Use the form below to proceed. Once a request has been submitted and accepted, it will be processed as soon as possible. You can then check its processing state by visiting this dedicated page.
Processing "take a new snapshot" request ...
Permalinks
To reference or cite the objects present in the Software Heritage archive, permalinks based on SoftWare Hash IDentifiers (SWHIDs) must be used.
Select below a type of object currently browsed in order to display its associated SWHID and permalink.
| Revision | Author | Date | Message | Commit Date |
|---|---|---|---|---|
| dfa83a6 | Michael Roth | 10 August 2015, 21:09:34 UTC | Update version for 2.3.1 release | 10 August 2015, 21:09:34 UTC |
| 35a616e | Paolo Bonzini | 21 July 2015, 07:25:54 UTC | qemu-char: handle EINTR for TCP character devices Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> (cherry picked from commit 9172f428afc1461b1d9b33ebca3a679b9adf7c3a) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | 10 August 2015, 20:31:16 UTC |
| 35c30d3 | Stefan Hajnoczi | 15 July 2015, 16:39:29 UTC | rtl8139: check TCP Data Offset field (CVE-2015-5165) The TCP Data Offset field contains the length of the header. Make sure it is valid and does not exceed the IP data length. Reported-by: 朱东海(启路) <donghai.zdh@alibaba-inc.com> Reviewed-by: Jason Wang <jasowang@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> (cherry picked from commit 8357946b15f0a31f73dd691b7da95f29318ed310) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | 04 August 2015, 17:34:00 UTC |
| f4c861f | Stefan Hajnoczi | 15 July 2015, 16:36:15 UTC | rtl8139: skip offload on short TCP header (CVE-2015-5165) TCP Large Segment Offload accesses the TCP header in the packet. If the packet is too short we must not attempt to access header fields: tcp_header *p_tcp_hdr = (tcp_header*)(eth_payload_data + hlen); int tcp_hlen = TCP_HEADER_DATA_OFFSET(p_tcp_hdr); Reported-by: 朱东海(启路) <donghai.zdh@alibaba-inc.com> Reviewed-by: Jason Wang <jasowang@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> (cherry picked from commit 4240be45632db7831129f124bcf53c1223825b0f) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | 04 August 2015, 17:33:54 UTC |
| b7a197c | Stefan Hajnoczi | 15 July 2015, 16:34:40 UTC | rtl8139: check IP Total Length field (CVE-2015-5165) The IP Total Length field includes the IP header and data. Make sure it is valid and does not exceed the Ethernet payload size. Reported-by: 朱东海(启路) <donghai.zdh@alibaba-inc.com> Reviewed-by: Jason Wang <jasowang@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> (cherry picked from commit c6296ea88df040054ccd781f3945fe103f8c7c17) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | 04 August 2015, 17:33:48 UTC |
| 8561109 | Stefan Hajnoczi | 15 July 2015, 16:32:32 UTC | rtl8139: check IP Header Length field (CVE-2015-5165) The IP Header Length field was only checked in the IP checksum case, but is used in other cases too. Reported-by: 朱东海(启路) <donghai.zdh@alibaba-inc.com> Reviewed-by: Jason Wang <jasowang@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> (cherry picked from commit 03247d43c577dfea8181cd40177ad5ba77c8db76) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | 04 August 2015, 17:33:42 UTC |
| ce4f451 | Stefan Hajnoczi | 15 July 2015, 13:30:37 UTC | rtl8139: skip offload on short Ethernet/IP header (CVE-2015-5165) Transmit offload features access Ethernet and IP headers the packet. If the packet is too short we must not attempt to access header fields: int proto = be16_to_cpu(*(uint16_t *)(saved_buffer + 12)); ... eth_payload_data = saved_buffer + ETH_HLEN; ... ip = (ip_header*)eth_payload_data; if (IP_HEADER_VERSION(ip) != IP_HEADER_VERSION_4) { Reported-by: 朱东海(启路) <donghai.zdh@alibaba-inc.com> Reviewed-by: Jason Wang <jasowang@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> (cherry picked from commit e1c120a9c54872f8a538ff9129d928de4e865cbd) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | 04 August 2015, 17:33:36 UTC |
| 6722c12 | Stefan Hajnoczi | 15 July 2015, 16:17:28 UTC | rtl8139: drop tautologous if (ip) {...} statement (CVE-2015-5165) The previous patch stopped using the ip pointer as an indicator that the IP header is present. When we reach the if (ip) {...} statement we know ip is always non-NULL. Remove the if statement to reduce nesting. Reported-by: 朱东海(启路) <donghai.zdh@alibaba-inc.com> Reviewed-by: Jason Wang <jasowang@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> (cherry picked from commit d6812d60e7932de3cd0f602c0ee63dd3d09f1847) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | 04 August 2015, 17:33:30 UTC |
| 8dd45dc | Stefan Hajnoczi | 15 July 2015, 16:13:32 UTC | rtl8139: avoid nested ifs in IP header parsing (CVE-2015-5165) Transmit offload needs to parse packet headers. If header fields have unexpected values the offload processing is skipped. The code currently uses nested ifs because there is relatively little input validation. The next patches will add missing input validation and a goto label is more appropriate to avoid deep if statement nesting. Reported-by: 朱东海(启路) <donghai.zdh@alibaba-inc.com> Reviewed-by: Jason Wang <jasowang@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> (cherry picked from commit 39b8e7dcaf04cbdb926b478f825b160d852752b5) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | 04 August 2015, 17:32:40 UTC |
| e750591 | Aurelien Jarno | 31 July 2015, 14:38:25 UTC | tcg/mips: fix add2 The add2 code in the tcg_out_addsub2 function doesn't take into account the case where rl == al == bl. In that case we can't compute the carry after the addition. As it corresponds to a multiplication by 2, the carry bit is the bit 31. While this is a corner case, this prevents x86-64 guests to boot on a MIPS host. Cc: qemu-stable@nongnu.org Reviewed-by: Richard Henderson <rth@twiddle.net> Signed-off-by: Aurelien Jarno <aurelien@aurel32.net> (cherry picked from commit c99d69694af4ed15b33e3f7c2e3ef6972c14358d) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | 04 August 2015, 17:30:37 UTC |
| f9c0ae2 | Aurelien Jarno | 30 July 2015, 21:39:34 UTC | tcg/mips: fix TLB loading for BE host with 32-bit guests For 32-bit guest, we load a 32-bit address from the TLB, so there is no need to compensate for the low or high part. This fixes 32-bit guests on big-endian hosts. Cc: qemu-stable@nongnu.org Reviewed-by: Richard Henderson <rth@twiddle.net> Signed-off-by: Aurelien Jarno <aurelien@aurel32.net> (cherry picked from commit e72c4fb81db52be881c9356f1c60e0a7817d2d32) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | 04 August 2015, 17:30:20 UTC |
| c8bd74d | Stefano Stabellini | 03 August 2015, 13:56:57 UTC | Fix release_drive on unplugged devices (pci_piix3_xen_ide_unplug) pci_piix3_xen_ide_unplug should completely unhook the unplugged IDEDevice from the corresponding BlockBackend, otherwise the next call to release_drive will try to detach the drive again. Suggested-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> (cherry picked from commit 6cd387833d05e8ad31829d97e474dc420625aed9) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | 04 August 2015, 17:25:11 UTC |
| d155769 | Kevin Wolf | 27 July 2015, 03:42:53 UTC | ide: Clear DRQ after handling all expected accesses This is additional hardening against an end_transfer_func that fails to clear the DRQ status bit. The bit must be unset as soon as the PIO transfer has completed, so it's better to do this in a central place instead of duplicating the code in all commands (and forgetting it in some). Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: John Snow <jsnow@redhat.com> (cherry picked from commit cb72cba83021fa42719e73a5249c12096a4d1cfc) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | 30 July 2015, 03:19:55 UTC |
| 86d6fe4 | Kevin Wolf | 27 July 2015, 03:42:53 UTC | ide/atapi: Fix START STOP UNIT command completion The command must be completed on all code paths. START STOP UNIT with pwrcnd set should succeed without doing anything. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: John Snow <jsnow@redhat.com> (cherry picked from commit 03441c3a4a42beb25460dd11592539030337d0f8) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | 30 July 2015, 03:19:39 UTC |
| 9634e45 | Kevin Wolf | 27 July 2015, 03:42:53 UTC | ide: Check array bounds before writing to io_buffer (CVE-2015-5154) If the end_transfer_func of a command is called because enough data has been read or written for the current PIO transfer, and it fails to correctly call the command completion functions, the DRQ bit in the status register and s->end_transfer_func may remain set. This allows the guest to access further bytes in s->io_buffer beyond s->data_end, and eventually overflowing the io_buffer. One case where this currently happens is emulation of the ATAPI command START STOP UNIT. This patch fixes the problem by adding explicit array bounds checks before accessing the buffer instead of relying on end_transfer_func to function correctly. Cc: qemu-stable@nongnu.org Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: John Snow <jsnow@redhat.com> (cherry picked from commit d2ff85854512574e7209f295e87b0835d5b032c6) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | 30 July 2015, 03:19:29 UTC |
| 0dc545e | Jeff Cody | 24 July 2015, 14:26:52 UTC | block: qemu-iotests - add check for multiplication overflow in vpc This checks that VPC is able to successfully fail (without segfault) on an image file with a max_table_entries that exceeds 0x40000000. This table entry is within the valid range for VPC (although too large for this sample image). Cc: qemu-stable@nongnu.org Signed-off-by: Jeff Cody <jcody@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> (cherry picked from commit 77c102c26ead946fe7589d4bddcdfa5cb431ebfe) Conflicts: tests/qemu-iotests/group * removed context dependency on iotest not present in 2.3.0 group file Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | 30 July 2015, 03:18:23 UTC |
| 358f0ee | Jeff Cody | 24 July 2015, 14:26:51 UTC | block: vpc - prevent overflow if max_table_entries >= 0x40000000 When we allocate the pagetable based on max_table_entries, we multiply the max table entry value by 4 to accomodate a table of 32-bit integers. However, max_table_entries is a uint32_t, and the VPC driver accepts ranges for that entry over 0x40000000. So during this allocation: s->pagetable = qemu_try_blockalign(bs->file, s->max_table_entries * 4); The size arg overflows, allocating significantly less memory than expected. Since qemu_try_blockalign() size argument is size_t, cast the multiplication correctly to prevent overflow. The value of "max_table_entries * 4" is used elsewhere in the code as well, so store the correct value for use in all those cases. We also check the Max Tables Entries value, to make sure that it is < SIZE_MAX / 4, so we know the pagetable size will fit in size_t. Cc: qemu-stable@nongnu.org Reported-by: Richard W.M. Jones <rjones@redhat.com> Signed-off-by: Jeff Cody <jcody@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> (cherry picked from commit b15deac79530d818092cb49a8021bcce83d71b5b) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | 30 July 2015, 03:16:01 UTC |
| 961c74a | Paolo Bonzini | 21 July 2015, 06:59:39 UTC | scsi: fix buffer overflow in scsi_req_parse_cdb (CVE-2015-5158) This is a guest-triggerable buffer overflow present in QEMU 2.2.0 and newer. scsi_cdb_length returns -1 as an error value, but the caller does not check it. Luckily, the massive overflow means that QEMU will just SIGSEGV, making the impact much smaller. Reported-by: Zhu Donghai (朱东海) <donghai.zdh@alibaba-inc.com> Fixes: 1894df02811f6b79ea3ffbf1084599d96f316173 Reviewed-by: Fam Zheng <famz@redhat.com> Cc: qemu-stable@nongnu.org Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> (cherry picked from commit c170aad8b057223b1139d72e5ce7acceafab4fa9) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | 30 July 2015, 03:13:25 UTC |
| 98fe91e | Alex Williamson | 22 July 2015, 20:56:01 UTC | vfio/pci: Fix bootindex bootindex was incorrectly changed to a device Property during the platform code split, resulting in it no longer working. Remove it. Signed-off-by: Alex Williamson <alex.williamson@redhat.com> Cc: qemu-stable@nongnu.org # v2.3+ (cherry picked from commit 759b484c5d7f92bd01f98797c07e8543ee187888) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | 30 July 2015, 03:12:30 UTC |
| 46addaa | Jason Wang | 17 July 2015, 07:19:18 UTC | virtio-net: unbreak any layout Commit 032a74a1c0fcdd5fd1c69e56126b4c857ee36611 ("virtio-net: byteswap virtio-net header") breaks any layout by requiring out_sg[0].iov_len >= n->guest_hdr_len. Fixing this by copying header to temporary buffer if swap is needed, and then use this buffer as part of out_sg. Fixes 032a74a1c0fcdd5fd1c69e56126b4c857ee36611 ("virtio-net: byteswap virtio-net header") Cc: qemu-stable@nongnu.org Cc: clg@fr.ibm.com Signed-off-by: Jason Wang <jasowang@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> (cherry picked from commit feb93f361739071778ca2d23df3876db399548f7) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | 30 July 2015, 03:10:36 UTC |
| 5a45687 | Alex Williamson | 22 July 2015, 20:56:01 UTC | vfio/pci: Fix RTL8168 NIC quirks The RTL8168 quirk correctly describes using bit 31 as a signal to mark a latch/completion, but the code mistakenly uses bit 28. This causes the Realtek driver to spin on this register for quite a while, 20k cycles on Windows 7 v7.092 driver. Then it gets frustrated and tries to set the bit itself and spins for another 20k cycles. For some this still results in a working driver, for others not. About the only thing the code really does in its current form is protect the guest from sneaking in writes to the real hardware MSI-X table. The fix is obviously to use bit 31 as we document that we should. The other problem doesn't seem to affect current drivers as nobody seems to use these window registers for writes to the MSI-X table, but we need to use the stored data when a write is triggered, not the value of the current write, which only provides the offset. Note that only the Windows drivers from Realtek seem to use these registers, the Microsoft drivers provided with Windows 8.1 do not access them, nor do Linux in-kernel drivers. Link: https://bugs.launchpad.net/qemu/+bug/1384892 Signed-off-by: Alex Williamson <alex.williamson@redhat.com> Cc: qemu-stable@nongnu.org # v2.1+ (cherry picked from commit 69970fcef937bddd7f745efe39501c7716fdfe56) Conflicts: hw/vfio/pci.c * removed dependency on 3b643495 Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | 30 July 2015, 03:07:43 UTC |
| 87740ce | James Hogan | 24 April 2015, 10:26:53 UTC | mips/kvm: Sign extend registers written to KVM In case we're running on a 64-bit host, be sure to sign extend the general purpose registers and hi/lo/pc before writing them to KVM, so as to take advantage of MIPS32/MIPS64 compatibility. Signed-off-by: James Hogan <james.hogan@imgtec.com> Cc: Paolo Bonzini <pbonzini@redhat.com> Cc: Leon Alrae <leon.alrae@imgtec.com> Cc: Aurelien Jarno <aurelien@aurel32.net> Cc: kvm@vger.kernel.org Cc: qemu-stable@nongnu.org Message-Id: <1429871214-23514-3-git-send-email-james.hogan@imgtec.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> (cherry picked from commit 02dae26ac4ceb1e82c432cfca4d9b65ae82343c6) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | 30 July 2015, 03:00:11 UTC |
| 8df2a9a | James Hogan | 24 April 2015, 10:26:52 UTC | mips/kvm: Fix Big endian 32-bit register access Fix access to 32-bit registers on big endian targets. The pointer passed to the kernel must be for the actual 32-bit value, not a temporary 64-bit value, otherwise on big endian systems the kernel will only interpret the upper half. Signed-off-by: James Hogan <james.hogan@imgtec.com> Cc: Paolo Bonzini <pbonzini@redhat.com> Cc: Leon Alrae <leon.alrae@imgtec.com> Cc: Aurelien Jarno <aurelien@aurel32.net> Cc: kvm@vger.kernel.org Cc: qemu-stable@nongnu.org Message-Id: <1429871214-23514-2-git-send-email-james.hogan@imgtec.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> (cherry picked from commit f8b3e48b2d269551cd40f94770dc20da2f402325) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | 30 July 2015, 03:00:07 UTC |
| c5c71e8 | Fam Zheng | 06 July 2015, 04:24:44 UTC | block: Initialize local_err in bdrv_append_temp_snapshot Cc: qemu-stable@nongnu.org Signed-off-by: Fam Zheng <famz@redhat.com> Message-id: 1436156684-16526-1-git-send-email-famz@redhat.com Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> (cherry picked from commit c2e0dbbfd7265eb9a7170ab195d8f9f8a1cbd1af) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | 30 July 2015, 02:56:40 UTC |
| 2060efa | 马文霜 | 01 July 2015, 13:41:41 UTC | Fix irq route entries exceeding KVM_MAX_IRQ_ROUTES Last month, we experienced several guests crash(6cores-8cores), qemu logs display the following messages: qemu-system-x86_64: /build/qemu-2.1.2/kvm-all.c:976: kvm_irqchip_commit_routes: Assertion `ret == 0' failed. After analysis and verification, we can confirm it's irq-balance daemon(in guest) leads to the assertion failure. Start a 8 core guest with two disks, execute the following scripts will reproduce the BUG quickly: irq_affinity.sh ======================================================================== vda_irq_num=25 vdb_irq_num=27 while [ 1 ] do for irq in {1,2,4,8,10,20,40,80} do echo $irq > /proc/irq/$vda_irq_num/smp_affinity echo $irq > /proc/irq/$vdb_irq_num/smp_affinity dd if=/dev/vda of=/dev/zero bs=4K count=100 iflag=direct dd if=/dev/vdb of=/dev/zero bs=4K count=100 iflag=direct done done ======================================================================== QEMU setup static irq route entries in kvm_pc_setup_irq_routing(), PIC and IOAPIC share the first 15 GSI numbers, take up 23 GSI numbers, but take up 38 irq route entries. When change irq smp_affinity in guest, a dynamic route entry may be setup, the current logic is: if allocate GSI number succeeds, a new route entry can be added. The available dynamic GSI numbers is 1021(KVM_MAX_IRQ_ROUTES-23), but available irq route entries is only 986(KVM_MAX_IRQ_ROUTES-38), GSI numbers greater than route entries. irq-balance's behavior will eventually leads to total irq route entries exceed KVM_MAX_IRQ_ROUTES, ioctl(KVM_SET_GSI_ROUTING) fail and kvm_irqchip_commit_routes() trigger assertion failure. This patch fix the BUG. Signed-off-by: Wenshuang Ma <kevinnma@tencent.com> Cc: qemu-stable@nongnu.org Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> (cherry picked from commit bdf026317daa3b9dfa281f29e96fbb6fd48394c8) Conflicts: kvm-all.c * remove context dependency on bd2a8884 Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | 30 July 2015, 02:54:31 UTC |
| 8d64975 | Michael Roth | 02 July 2015, 20:46:14 UTC | target-ppc: fix hugepage support when using memory-backend-file Current PPC code relies on -mem-path being used in order for hugepage support to be detected. With the introduction of MemoryBackendFile we can now handle this via: -object memory-file-backend,mem-path=...,id=hugemem0 \ -numa node,id=mem0,memdev=hugemem0 Management tools like libvirt treat the 2 approaches as interchangeable in some cases, which can lead to user-visible regressions even for previously supported guest configurations. Fix these by also iterating through any configured memory backends that may be backed by hugepages. Since the old code assumed hugepages always backed the entirety of guest memory, play it safe an pick the minimum across the max pages sizes for all backends, even ones that aren't backed by hugepages. Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> Reviewed-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Alexander Graf <agraf@suse.de> (cherry picked from commit 2d103aae876518a91636ad6f4a4d866269c0d953) Conflicts: target-ppc/kvm.c *remove context dependency on header includes not in 2.3.0 Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | 30 July 2015, 02:50:55 UTC |
| 9b4420a | David Gibson | 02 July 2015, 06:23:24 UTC | spapr_vty: lookup should only return valid VTY objects If a guest passes the reg property of a valid VIO object that is not a VTY to either H_GET_TERM_CHAR or H_PUT_TERM_CHAR, QEMU hits a dynamic cast assertion and aborts. PAPR+ says "Hypervisor checks the termno parameter for validity against the Vterm IOA unit addresses assigned to the partition, else return H_Parameter." This patch adds a type check to ensure vty_lookup() either returns a pointer to a valid VTY object or NULL. H_GET_TERM_CHAR and H_PUT_TERM_CHAR will now return H_PARAMETER to the guest instead of crashing. The patch has no effect on the reg == 0 hack used to implement the RTAS call display-character. Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com> Signed-off-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Alexander Graf <agraf@suse.de> (cherry picked from commit 0f888bfaddfc5f55b0d82cde2e1164658a672375) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | 30 July 2015, 02:48:27 UTC |
| 99c3468 | Christian Borntraeger | 18 June 2015, 14:37:39 UTC | s390x/ipl: Fix boot if no bootindex was specified commit fa92e218df1d ("s390x/ipl: avoid sign extension") introduced a regression: qemu-system-s390x -drive file=image.qcow,format=qcow2 does not boot, the bios states "No virtio-blk device found!" adding bootindex=1 does boot. The reason is that the uint32_t as return value will not do the right thing for the return -1 (default without bootindex). The bios itself, will interpret a 64bit -1 as autodetect (but it will interpret 32bit -1 as ccw device address ff.ff.ffff) Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com> Cc: Paolo Bonzini <pbonzini@redhat.com> Cc: Cornelia Huck <cornelia.huck@de.ibm.com> Cc: qemu-stable@nongnu.org # v2.3.0 Tested-by: Aurelien Jarno <aurelien@aurel32.net> Reviewed-by: Aurelien Jarno <aurelien@aurel32.net> Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com> (cherry picked from commit 6efd2c2a125b4369b8def585b0dac35c849b5eb3) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | 30 July 2015, 02:47:15 UTC |
| 1c17e8c | Peter Lieven | 26 June 2015, 11:14:01 UTC | block/nfs: limit maximum readahead size to 1MB a malicious caller could otherwise specify a very large value via the URI and force libnfs to allocate a large amount of memory for the readahead buffer. Cc: qemu-stable@nongnu.org Signed-off-by: Peter Lieven <pl@kamp.de> Message-id: 1435317241-25585-1-git-send-email-pl@kamp.de Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> (cherry picked from commit 29c838cdc96c4d117f00c75bbcb941e1be9590fb) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | 30 July 2015, 02:46:36 UTC |
| ffd060d | John Snow | 17 April 2015, 23:50:06 UTC | iotests: add QMP event waiting queue A filter is added to allow callers to request very specific events to be pulled from the event queue, while leaving undesired events still in the stream. This allows us to poll for completion data for multiple asynchronous events in any arbitrary order. A new timeout context is added to the qmp pull_event method's wait parameter to allow tests to fail if they do not complete within some expected period of time. Also fixed is a bug in qmp.pull_event where we try to retrieve an event from an empty list if we attempt to retrieve an event with wait=False but no events have occurred. Signed-off-by: John Snow <jsnow@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Message-id: 1429314609-29776-19-git-send-email-jsnow@redhat.com Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> (cherry picked from commit 7898f74e78a5900fc079868e255b65d807fa8a8f) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | 30 July 2015, 02:46:08 UTC |
| e4fb4be | Fam Zheng | 08 June 2015, 05:56:14 UTC | iotests: Use event_wait in wait_ready Only poll the specific type of event we are interested in, to avoid stealing events that should be consumed by someone else. Suggested-by: John Snow <jsnow@redhat.com> Signed-off-by: Fam Zheng <famz@redhat.com> Reviewed-by: John Snow <jsnow@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> (cherry picked from commit d7b25297920d18fa2a2cde1ed21fde38a88c935f) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | 30 July 2015, 02:46:08 UTC |
| edc0a65 | Fam Zheng | 08 June 2015, 05:56:13 UTC | qemu-iotests: Add test case for mirror with unmap This checks that the discard on mirror source that effectively zeroes data is also reflected by the data of target. Signed-off-by: Fam Zheng <famz@redhat.com> Reviewed-by: John Snow <jsnow@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> (cherry picked from commit c615091793f53ff33b8f6c1b1ba711cf7c93e97b) Conflicts: tests/qemu-iotests/group *remove context dependencies on newer block tests Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | 30 July 2015, 02:46:07 UTC |
| c62f6c8 | Fam Zheng | 08 June 2015, 05:56:12 UTC | qemu-iotests: Make block job methods common Signed-off-by: Fam Zheng <famz@redhat.com> Reviewed-by: John Snow <jsnow@redhat.com> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> (cherry picked from commit 866323f39d5c7bb053f5e5bf753908ad9f5abec7) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | 30 July 2015, 02:46:07 UTC |
| 3d8b7ae | Fam Zheng | 08 June 2015, 05:56:10 UTC | block: Fix dirty bitmap in bdrv_co_discard Unsetting dirty globally with discard is not very correct. The discard may zero out sectors (depending on can_write_zeroes_with_unmap), we should replicate this change to destination side to make sure that the guest sees the same data. Calling bdrv_reset_dirty also troubles mirror job because the hbitmap iterator doesn't expect unsetting of bits after current position. So let's do it the opposite way which fixes both problems: set the dirty bits if we are to discard it. Reported-by: wangxiaolong@ucloud.cn Signed-off-by: Fam Zheng <famz@redhat.com> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> (cherry picked from commit 508249952c0ea7472c62e17bf8132295dab4912d) Conflicts: block/io.c * applied manually to avoid dependency on 61007b316 * squashed in 6e82e4b bdrv_reset_dirty() is static in 2.3.0 and becomes unused as of this patch Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | 30 July 2015, 02:46:07 UTC |
| 27ed14c | Fam Zheng | 08 June 2015, 05:56:09 UTC | mirror: Do zero write on target if sectors not allocated If guest discards a source cluster, mirroring with bdrv_aio_readv is overkill. Some protocols do zero upon discard, where it's best to use bdrv_aio_write_zeroes, otherwise, bdrv_aio_discard will be enough. Signed-off-by: Fam Zheng <famz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> (cherry picked from commit dcfb3beb5130694b76b57de109619fcbf9c7e5b5) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | 30 July 2015, 02:46:07 UTC |
| 6a45a1b | Fam Zheng | 08 June 2015, 05:56:08 UTC | qmp: Add optional bool "unmap" to drive-mirror If specified as "true", it allows discarding on target sectors where source is not allocated. Signed-off-by: Fam Zheng <famz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> (cherry picked from commit 0fc9f8ea2800b76eaea20a8a3a91fbeeb4bfa81b) * added to maintain any interdependencies between patches in the set. not intended as a new feature for 2.3.1, though it's there for anyone interested Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | 30 July 2015, 02:43:36 UTC |
| 6cacd26 | Fam Zheng | 08 June 2015, 05:56:07 UTC | block: Add bdrv_get_block_status_above Like bdrv_is_allocated_above, this function follows the backing chain until seeing BDRV_BLOCK_ALLOCATED. Base is not included. Reimplement bdrv_is_allocated on top. [Initialized bdrv_co_get_block_status_above() ret to 0 to silence mingw64 compiler warning about the unitialized variable. assert(bs != base) prevents that case but I suppose the program could be compiled with -DNDEBUG. --Stefan] Signed-off-by: Fam Zheng <famz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> (cherry picked from commit ba3f0e2545c365ebe1dbddb0e53058710d41881e) Conflicts: block/io.c * applied manually to avoid dependency on 61007b316 Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | 30 July 2015, 01:37:30 UTC |
| e8248a5 | Cornelia Huck | 23 June 2015, 13:46:31 UTC | virtio-ccw: complete handling of guest-initiated resets For a guest-initiated reset, we need to not only reset the virtio device, but also reset the VirtioCcwDevice into a clean state. This includes resetting the indicators, or else a guest will not be able to e.g. switch from classic interrupts to adapter interrupts. Split off this routine into a new function virtio_ccw_reset_virtio() to make the distinction between resetting the virtio-related devices and the base subchannel device clear. CC: qemu-stable@nongnu.org Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com> Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com> (cherry picked from commit fa8b0ca5d1b69975b715a259d3586cadf7a5280f) Conflicts: hw/s390x/virtio-ccw.c *removed context dependency on 0b352fd Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | 29 July 2015, 23:50:08 UTC |
| 81cb0a5 | Jason Wang | 29 May 2015, 06:13:14 UTC | vhost: correctly pass error to caller in vhost_dev_enable_notifiers() We override the error value r in fail_vq, this will cause the caller can't detect the failure which may cause the caller may disable the notifiers twice if vhost is failed to start. Fix this by using another variable to keep track the return value of set_host_notifier(). Fixes b0b3db79559e57db340b292621c397e7a6cdbdc5 ("vhost-net: cleanup host notifiers at last step") Cc: qemu-stable@nongnu.org Cc: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Jason Wang <jasowang@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> (cherry picked from commit 16617e36b02ebdc83f215d89db9ac00f7d6d6d83) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | 29 July 2015, 23:44:36 UTC |
| 6130c46 | Laszlo Ersek | 17 June 2015, 12:45:03 UTC | hw/core: rebase sysbus_get_fw_dev_path() to g_strdup_printf() This is done mainly for improving readability, and in preparation for the next patch, but Markus pointed out another bonus for the string being returned: "No arbitrary length limit. Before the patch, it's 39 characters, and the code breaks catastrophically when qdev_fw_name() is longer: the second snprintf() is called with its first argument pointing beyond path[], and its second argument underflowing to a huge size." Cc: qemu-stable@nongnu.org Signed-off-by: Laszlo Ersek <lersek@redhat.com> Tested-by: Marcel Apfelbaum <marcel@redhat.com> Reviewed-by: Marcel Apfelbaum <marcel@redhat.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> (cherry picked from commit 5ba03e2dd785362026917e4cc8a1fd2c64e8e62c) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | 29 July 2015, 23:41:25 UTC |
| 49ef542 | Petr Matousek | 17 June 2015, 10:46:11 UTC | i8254: fix out-of-bounds memory access in pit_ioport_read() Due converting PIO to the new memory read/write api we no longer provide separate I/O region lenghts for read and write operations. As a result, reading from PIT Mode/Command register will end with accessing pit->channels with invalid index. Fix this by ignoring read from the Mode/Command register. This is CVE-2015-3214. Reported-by: Matt Tait <matttait@google.com> Fixes: 0505bcdec8228d8de39ab1a02644e71999e7c052 Cc: qemu-stable@nongnu.org Signed-off-by: Petr Matousek <pmatouse@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> (cherry picked from commit d4862a87e31a51de9eb260f25c9e99a75efe3235) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | 29 July 2015, 23:40:21 UTC |
| c270245 | Gerd Hoffmann | 09 June 2015, 19:08:47 UTC | spice-display: fix segfault in qemu_spice_create_update Although it is pretty unusual the stride for the guest image and the mirror image maintained by spice-display can be different. So use separate variables for them. https://bugzilla.redhat.com/show_bug.cgi?id=1163047 Cc: qemu-stable@nongnu.org Reported-by: perrier vincent <clownix@clownix.net> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> (cherry picked from commit c6e484707f28b3e115e64122a0570f6b3c585489) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | 29 July 2015, 23:34:12 UTC |
| 9272707 | Alberto Garcia | 08 June 2015, 09:12:15 UTC | sdl2: fix crash in handle_windowevent() when restoring the screen size The Ctrl-Alt-u keyboard shortcut restores the screen to its original size. In the SDL2 UI this is done by destroying the window and creating a new one. The old window emits SDL_WINDOWEVENT_HIDDEN when it's destroyed, but trying to call SDL_GetWindowFromID() from that event's window ID returns a null pointer. handle_windowevent() assumes that the pointer is never null so it results in a crash. Cc: qemu-stable@nongnu.org Signed-off-by: Alberto Garcia <berto@igalia.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> (cherry picked from commit 08d49df0dbaacc220a099dbfb644e1dc0eda57be) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | 29 July 2015, 23:33:50 UTC |
| c759f1a | Fam Zheng | 04 June 2015, 06:02:57 UTC | vmdk: Use vmdk_find_index_in_cluster everywhere Signed-off-by: Fam Zheng <famz@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> (cherry picked from commit 90df601f06de14f062d2e8dc1bc57f0decf86fd1) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | 29 July 2015, 23:33:01 UTC |
| 714b544 | Fam Zheng | 04 June 2015, 06:02:56 UTC | vmdk: Fix index_in_cluster calculation in vmdk_co_get_block_status It has the similar issue with b1649fae49a8. Since the calculation is repeated for a few times already, introduce a function so it can be reused. Signed-off-by: Fam Zheng <famz@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> (cherry picked from commit 61f0ed1d54601b91b8195c1a30d7046f83283b40) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | 29 July 2015, 23:32:49 UTC |
| e7e0838 | Max Reitz | 01 June 2015, 16:09:18 UTC | iotests: qcow2 COW with minimal L2 cache size This adds a test case to test 103 for performing a COW operation in a qcow2 image using an L2 cache with minimal size (which should be at least two clusters so the COW can access both source and destination simultaneously). Signed-off-by: Max Reitz <mreitz@redhat.com> Reviewed-by: Alberto Garcia <berto@igalia.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> (cherry picked from commit a4291eafc597c0944057930acf3e51d899f79c2e) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | 29 July 2015, 23:27:34 UTC |
| c631ee6 | Max Reitz | 01 June 2015, 16:09:17 UTC | qcow2: Set MIN_L2_CACHE_SIZE to 2 The L2 cache must cover at least two L2 tables, because during COW two L2 tables are accessed simultaneously. Reported-by: Alexander Graf <agraf@suse.de> Cc: qemu-stable <qemu-stable@nongnu.org> Signed-off-by: Max Reitz <mreitz@redhat.com> Tested-by: Alexander Graf <agraf@suse.de> Reviewed-by: Alberto Garcia <berto@igalia.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> (cherry picked from commit 57e216695948a79d9ced82fc217a37cce70fd986) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | 29 July 2015, 23:26:34 UTC |
| b153c8d | Gerd Hoffmann | 26 May 2015, 11:12:54 UTC | kbd: add brazil kbd keys to x11 evdev map This patch adds the two extra brazilian keys to the evdev keymap for X11. This patch gets the two keys going with the vnc, gtk and sdl1 UIs. The SDL2 library complains it doesn't know these keys, so the SDL2 library must be fixed before we can update ui/sdl2-keymap.h Cc: qemu-stable@nongnu.org Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Daniel P. Berrange <berrange@redhat.com> Reviewed-by: Michael Tokarev <mjt@tls.msk.ru> (cherry picked from commit 33aa30cafcce053b833f9fe09fbb88e2f54b93aa) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | 29 July 2015, 23:25:10 UTC |
| f450482 | Gerd Hoffmann | 26 May 2015, 08:39:10 UTC | kbd: add brazil kbd keys to qemu The brazilian computer keyboard layout has two extra keys (compared to the usual 105-key intl ps/2 keyboard). This patch makes these two keys known to qemu. For historic reasons qemu has two ways to specify a key: A QKeyCode (name-based) or a number (ps/2 scancode based). Therefore we have to update multiple places to make new keys known to qemu: (1) The QKeyCode definition in qapi-schema.json (2) The QKeyCode <-> number mapping table in ui/input-keymap.c This patch does just that. With this patch applied you can send those two keys to the guest using the send-key monitor command. Cc: qemu-stable@nongnu.org Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Daniel P. Berrange <berrange@redhat.com> Reviewed-by: Michael Tokarev <mjt@tls.msk.ru> (cherry picked from commit b771f470f3e2f99f585eaae68147f0c849fd1f8d) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | 29 July 2015, 23:25:03 UTC |
| ae0fa48 | Justin Ossevoort | 11 May 2015, 06:58:44 UTC | qga/commands-posix: Fix bug in guest-fstrim The FITRIM ioctl updates the fstrim_range structure it receives. This way the caller can determine how many bytes were trimmed. The guest-fstrim logic reuses the same fstrim_range for each filesystem, effectively limiting each filesystem to trim at most as much as the previous was able to trim. If a previous filesystem would have trimmed 0 bytes, than the next filesystem would report an error 'Invalid argument' because a FITRIM request with length 0 is not valid. This change resets the fstrim_range structure for each filesystem. Signed-off-by: Justin Ossevoort <justin@quarantainenet.nl> Reviewed-by: Thomas Huth <thuth@redhat.com> Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> (cherry picked from commit 73a652a1b08445e8d91e50cdbb2da50e571c61b3) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | 29 July 2015, 23:24:00 UTC |
| bb3a1da | Shannon Zhao | 25 May 2015, 07:14:37 UTC | hw/acpi/aml-build: Fix memory leak Signed-off-by: Shannon Zhao <zhaoshenglong@huawei.com> Signed-off-by: Shannon Zhao <shannon.zhao@linaro.org> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Igor Mammedov <imammedo@redhat.com> (cherry picked from commit afcf905cff7971324c2706600ead35a1f41f417a) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | 29 July 2015, 23:21:41 UTC |
| b48a391 | Fam Zheng | 13 May 2015, 13:12:01 UTC | qemu-iotests: Test unaligned sub-block zero write Test zero write in byte range 512~1024 for 4k alignment. Signed-off-by: Fam Zheng <famz@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Message-id: 1431522721-3266-4-git-send-email-famz@redhat.com Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> (cherry picked from commit ab53c44718305d3fde3d9d2251889f1cab694be2) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | 29 July 2015, 23:18:59 UTC |
| cc883fe | Fam Zheng | 13 May 2015, 13:12:00 UTC | block: Fix NULL deference for unaligned write if qiov is NULL For zero write, callers pass in NULL qiov (qemu-io "write -z" or scsi-disk "write same"). Commit fc3959e466 fixed bdrv_co_write_zeroes which is the common case for this bug, but it still exists in bdrv_aio_write_zeroes. A simpler fix would be in bdrv_co_do_pwritev which is the NULL dereference point and covers both cases. So don't access it in bdrv_co_do_pwritev in this case, use three aligned writes. [Initialize ret to 0 in bdrv_co_do_zero_pwritev() to avoid uninitialized variable warning with gcc 4.9.2. --Stefan] Signed-off-by: Fam Zheng <famz@redhat.com> Message-id: 1431522721-3266-3-git-send-email-famz@redhat.com Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> (cherry picked from commit 9eeb6dd1b27bd57eb4e3869290e87feac8e8b226) Conflicts: block/io.c * moved hunks into corresponding location in block.c due to lack of 61007b316 in v2.3.0 Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | 29 July 2015, 23:15:27 UTC |
| 4072585 | Michael Roth | 29 July 2015, 22:05:56 UTC | Revert "block: Fix unaligned zero write" This reverts commit fc3959e4669a1c2149b91ccb05101cfc7ae1fc05. From upstream commit d01c07f: This reverts commit fc3959e4669a1c2149b91ccb05101cfc7ae1fc05. The core write code already handles the case, so remove this duplication. Because commit 61007b316 moved the touched code from block.c to block/io.c, the change is manually reverted. Signed-off-by: Fam Zheng <famz@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> v2.3.0 does not contain 61007b316 so we can revert the change directly. Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | 29 July 2015, 22:05:56 UTC |
| 959fad0 | Petr Matousek | 06 May 2015, 07:48:59 UTC | fdc: force the fifo access to be in bounds of the allocated buffer During processing of certain commands such as FD_CMD_READ_ID and FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could get out of bounds leading to memory corruption with values coming from the guest. Fix this by making sure that the index is always bounded by the allocated memory. This is CVE-2015-3456. Signed-off-by: Petr Matousek <pmatouse@redhat.com> Reviewed-by: John Snow <jsnow@redhat.com> Signed-off-by: John Snow <jsnow@redhat.com> (cherry picked from commit e907746266721f305d67bc0718795fedee2e824c) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | 28 July 2015, 23:26:06 UTC |
| a4bb522 | Peter Maydell | 29 May 2015, 10:29:00 UTC | target-arm: Avoid buffer overrun on UNPREDICTABLE ldrd/strd A LDRD or STRD where rd is not an even number is UNPREDICTABLE. We were letting this fall through, which is OK unless rd is 15, in which case we would attempt to do a load_reg or store_reg to a nonexistent r16 for the second half of the double-word. Catch the odd-numbered-rd cases and UNDEF them instead. To do this we rearrange the structure of the code a little so we can put the UNDEF catches at the top before we've allocated TCG temporaries. Cc: qemu-stable@nongnu.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Message-id: 1431348973-21315-1-git-send-email-peter.maydell@linaro.org (cherry picked from commit 3960c336ad96c2183549c8bf32bbff93ecda7ea4) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | 28 July 2015, 23:23:18 UTC |
| cf6c213 | Jason Wang | 23 April 2015, 06:21:34 UTC | virtio-net: fix the upper bound when trying to delete queues Virtqueue were indexed from zero, so don't delete virtqueue whose index is n->max_queues * 2 + 1. Cc: Michael S. Tsirkin <mst@redhat.com> Cc: qemu-stable <qemu-stable@nongnu.org> Signed-off-by: Jason Wang <jasowang@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> (cherry picked from commit 27a46dcf5038e20451101ed2d5414aebf3846e27) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | 28 July 2015, 23:22:35 UTC |
| cf32978 | Michal Kazior | 29 April 2015, 11:34:59 UTC | usb: fix usb-net segfault The dev->config pointer isn't set until guest system initializes usb devices (via usb_desc_set_config). However qemu networking can go through some motions prior to that, e.g.: #0 is_rndis (s=0x555557261970) at hw/usb/dev-network.c:653 #1 0x000055555585f723 in usbnet_can_receive (nc=0x55555641e820) at hw/usb/dev-network.c:1315 #2 0x000055555587635e in qemu_can_send_packet (sender=0x5555572660a0) at net/net.c:470 #3 0x0000555555878e34 in net_hub_port_can_receive (nc=0x5555562d7800) at net/hub.c:101 #4 0x000055555587635e in qemu_can_send_packet (sender=0x5555562d7980) at net/net.c:470 #5 0x000055555587dbca in tap_can_send (opaque=0x5555562d7980) at net/tap.c:172 The command to reproduce most reliably was: qemu-system-i386 -usb -device usb-net,vlan=0 -net tap,vlan=0 This wasn't strictly a problem with tap. Other networking endpoints (vde, user) could trigger this problem as well. Fixes: https://bugs.launchpad.net/qemu/+bug/1050823 Cc: qemu-stable@nongnu.org Signed-off-by: Michal Kazior <michal.kazior@tieto.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> (cherry picked from commit 278412d0e710e2e848c6e510f8308e5b1ed4d03e) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | 28 July 2015, 23:20:04 UTC |
| ad9c167 | Kevin Wolf | 06 May 2015, 11:21:51 UTC | qcow2: Flush pending discards before allocating cluster Before a freed cluster can be reused, pending discards for this cluster must be processed. The original assumption was that this was not a problem because discards are only cached during discard/write zeroes operations, which are synchronous so that no concurrent write requests can cause cluster allocations. However, the discard/write zeroes operation itself can allocate a new L2 table (and it has to in order to put zero flags there), so make sure we can cope with the situation. This fixes https://bugs.launchpad.net/bugs/1349972. Cc: qemu-stable@nongnu.org Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> (cherry picked from commit ecbda7a22576591a84f44de1be0150faf6001f1c) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | 28 July 2015, 23:19:33 UTC |
| d8e231f | Fam Zheng | 05 May 2015, 09:28:13 UTC | vmdk: Fix overflow if l1_size is 0x20000000 Richard Jones caught this bug with afl fuzzer. In fact, that's the only possible value to overflow (extent->l1_size = 0x20000000) l1_size: l1_size = extent->l1_size * sizeof(long) => 0x80000000; g_try_malloc returns NULL because l1_size is interpreted as negative during type casting from 'int' to 'gsize', which yields a enormous value. Hence, by coincidence, we get a "not too bad" behavior: qemu-img: Could not open '/tmp/afl6.img': Could not open '/tmp/afl6.img': Cannot allocate memory Values larger than 0x20000000 will be refused by the validation in vmdk_add_extent. Values smaller than 0x20000000 will not overflow l1_size. Cc: qemu-stable@nongnu.org Reported-by: Richard W.M. Jones <rjones@redhat.com> Signed-off-by: Fam Zheng <famz@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Tested-by: Richard W.M. Jones <rjones@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> (cherry picked from commit 13c4941cdd8685d28c7e3a09e393a5579b58db46) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | 28 July 2015, 23:19:02 UTC |
| 53cd79c | Fam Zheng | 06 May 2015, 12:23:46 UTC | vmdk: Fix next_cluster_sector for compressed write This fixes the bug introduced by commit c6ac36e (vmdk: Optimize cluster allocation). Sometimes, write_len could be larger than cluster size, because it contains both data and marker. We must advance next_cluster_sector in this case, otherwise the image gets corrupted. Cc: qemu-stable@nongnu.org Reported-by: Antoni Villalonga <qemu-list@friki.cat> Signed-off-by: Fam Zheng <famz@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> (cherry picked from commit 5e82a31eb967db135fc4e688b134fb0972d62de3) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | 28 July 2015, 23:18:27 UTC |
| 3dd15f3 | Bogdan Purcareata | 03 April 2015, 11:01:54 UTC | nbd/trivial: fix type cast for ioctl This fixes ioctl behavior on powerpc e6500 platforms with 64bit kernel and 32bit userspace. The current type cast has no effect there and the value passed to the kernel is still 0. Probably an issue related to the compiler, since I'm assuming the same configuration works on a similar setup on x86. Also ensure consistency with previous type cast in TRACE message. Signed-off-by: Bogdan Purcareata <bogdan.purcareata@freescale.com> Message-Id: <1428058914-32050-1-git-send-email-bogdan.purcareata@freescale.com> Cc: qemu-stable@nongnu.org [Fix parens as noticed by Michael. - Paolo] Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> (cherry picked from commit d064d9f381b00538e41f14104b88a1ae85d78865) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | 28 July 2015, 23:14:07 UTC |
| 4c59860 | Ján Tomko | 27 April 2015, 15:03:14 UTC | Strip brackets from vnc host Commit v2.2.0-1530-ge556032 vnc: switch to inet_listen_opts bypassed the use of inet_parse in inet_listen, making literal IPv6 addresses enclosed in brackets fail: qemu-kvm: -vnc [::1]:0: Failed to start VNC server on `(null)': address resolution failed for [::1]:5900: Name or service not known Strip the brackets to make it work again. Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> (cherry picked from commit 274c3b52e10466a4771d591f6298ef61e8354ce0) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | 28 July 2015, 23:13:19 UTC |
| b575af0 | Peter Lieven | 16 April 2015, 14:08:25 UTC | block/iscsi: do not forget to logout from target We actually were always impolitely dropping the connection and not cleanly logging out. CC: qemu-stable@nongnu.org Signed-off-by: Peter Lieven <pl@kamp.de> Message-id: 1429193313-4263-2-git-send-email-pl@kamp.de Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> (cherry picked from commit 20474e9aa040b9a255c63127f1eb873c29c54f68) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | 28 July 2015, 23:08:49 UTC |
| d3b5978 | Stefan Hajnoczi | 23 March 2015, 15:29:23 UTC | bt-sdp: fix broken uuids power-of-2 calculation The binary search in sdp_uuid_match() only works when the number of elements to search is a power of two. lo = record->uuid; hi = record->uuids; while (hi >>= 1) if (lo[hi] <= val) lo += hi; return *lo == val; I noticed that the record->uuids calculation in sdp_service_record_build() was suspect: record->uuids = 1 << ffs(record->uuids - 1); Unlike most ffs(val) - 1 users, the expression is ffs(val - 1)! Actually ffs() is the wrong function to use for power-of-2. Use pow2ceil() to achieve the correct effect. Now the record->uuid[] array is sized correctly and the binary search in sdp_uuid_match() should work. I'm not sure how to run/test this code. Cc: Andrzej Zaborowski <balrog@zabor.org> Cc: qemu-stable@nongnu.org Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Message-id: 1427124571-28598-2-git-send-email-stefanha@redhat.com Signed-off-by: Kevin Wolf <kwolf@redhat.com> (cherry picked from commit 588ef9d411339012fc3c94bfad8911e9d0a517a2) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | 28 July 2015, 22:46:44 UTC |
| e5b3a24 | Peter Maydell | 24 April 2015, 14:05:06 UTC | Update version for v2.3.0 release Signed-off-by: Peter Maydell <peter.maydell@linaro.org> | 24 April 2015, 14:05:06 UTC |
| f2a5810 | Peter Maydell | 20 April 2015, 16:13:16 UTC | Update version for v2.3.0-rc4 release Signed-off-by: Peter Maydell <peter.maydell@linaro.org> | 20 April 2015, 16:13:16 UTC |
| e05ca82 | Michael S. Tsirkin | 17 April 2015, 15:13:24 UTC | vhost: fix log base address VHOST_SET_LOG_BASE got an incorrect address, causing migration errors and potentially even memory corruption. Reported-by: Wen Congyang <wency@cn.fujitsu.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Amos Kong <akong@redhat.com> Message-id: 1429283565-32265-1-git-send-email-mst@redhat.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org> | 20 April 2015, 08:27:01 UTC |
| 638b836 | Alberto Garcia | 17 April 2015, 12:44:48 UTC | hmp: fix crash in 'info block -n -v' The image field in BlockDeviceInfo should never be null, however bdrv_block_device_info() is not filling it in. This makes the 'info block -n -v' command crash QEMU. The proper solution is probably to move the relevant code from bdrv_query_info() to bdrv_block_device_info(), but since we're too close to the release for that this simpler workaround solves the crash. Signed-off-by: Alberto Garcia <berto@igalia.com> Message-id: 1429274688-8115-1-git-send-email-berto@igalia.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org> | 17 April 2015, 13:27:42 UTC |
| 87a8adc | Peter Maydell | 17 April 2015, 11:54:46 UTC | Merge remote-tracking branch 'remotes/lalrae/tags/mips-20150417-2' into staging MIPS patches 2015-04-17 Changes: * fix broken fulong2e # gpg: Signature made Fri Apr 17 12:14:37 2015 BST using RSA key ID 0B29DA6B # gpg: Can't check signature: public key not found * remotes/lalrae/tags/mips-20150417-2: mips: fix broken fulong2e machine Signed-off-by: Peter Maydell <peter.maydell@linaro.org> | 17 April 2015, 11:54:46 UTC |
| b6df74c | Peter Maydell | 17 April 2015, 11:37:38 UTC | Merge remote-tracking branch 'remotes/kraxel/tags/pull-fwcfg-20150414-1' into staging fw_cfg: add documentation file (docs/specs/fw_cfg.txt) # gpg: Signature made Tue Apr 14 12:22:20 2015 BST using RSA key ID D3E87138 # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>" # gpg: aka "Gerd Hoffmann <gerd@kraxel.org>" # gpg: aka "Gerd Hoffmann (private) <kraxel@gmail.com>" * remotes/kraxel/tags/pull-fwcfg-20150414-1: fw_cfg: add documentation file (docs/specs/fw_cfg.txt) Signed-off-by: Peter Maydell <peter.maydell@linaro.org> | 17 April 2015, 11:37:38 UTC |
| 0ca4f94 | Paolo Bonzini | 16 April 2015, 20:11:23 UTC | mips: fix broken fulong2e machine After commit 5312bd8 the bonito_readl() and bonito_writel() have been accessing incorrect addresses. Consequently QEMU is crashing when trying to boot Linux kernel on fulong2e machine. Cc: qemu-stable@nongnu.org Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Leon Alrae <leon.alrae@imgtec.com> | 17 April 2015, 11:11:48 UTC |
| 993ebe4 | Mark Cave-Ayland | 17 April 2015, 07:16:49 UTC | target-ppc: don't invalidate msr MSR_HVB bit in cpu_post_load The invalidation code introduced in commit 2360b works by inverting most bits of env->msr to ensure that hreg_store_msr() will forcibly update the CPU env state to reflect the new msr value post-migration. Unfortunately hreg_store_msr() is called with alter_hv set to 0 which preserves the MSR_HVB state from the CPU env which is now the opposite value to what it should be. Ensure that we don't invalidate the msr MSR_HVB bit during cpu_post_load so that the correct value is restored. This fixes suspend/resume for PPC64. Reported-by: Stefan Berger <stefanb@linux.vnet.ibm.com> Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> Reviewed-by: Alexander Graf <agraf@suse.de> Message-id: 1429255009-12751-1-git-send-email-mark.cave-ayland@ilande.co.uk Signed-off-by: Peter Maydell <peter.maydell@linaro.org> | 17 April 2015, 10:44:01 UTC |
| 6cec43e | Gabriel L. Somlo | 09 April 2015, 14:40:01 UTC | fw_cfg: add documentation file (docs/specs/fw_cfg.txt) This document covers the guest-side hardware interface, as well as the host-side programming API of QEMU's firmware configuration (fw_cfg) device. Signed-off-by: Jordan Justen <jordan.l.justen@intel.com> Signed-off-by: Gabriel Somlo <somlo@cmu.edu> Reviewed-by: Laszlo Ersek <lersek@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> | 14 April 2015, 11:21:08 UTC |
| b8df920 | Peter Maydell | 13 April 2015, 16:35:44 UTC | Update version for v2.3.0-rc3 release Signed-off-by: Peter Maydell <peter.maydell@linaro.org> | 13 April 2015, 16:35:44 UTC |
| ae6e8ef | Peter Maydell | 10 April 2015, 12:58:01 UTC | Revert seccomp tests that allow it to be used on non-x86 architectures Unfortunately it turns out that libseccomp 2.2 still does not work correctly on non-x86 architectures; return to the previous configure setup of insisting on libseccomp 2.1 or better and i386/x86_64 and disabling seccomp support in all other situations. This reverts the two commits: * "seccomp: libseccomp version varying according to arch" (commit 896848f0d3e2393905845ef2b244bb2601f9df0c) * "seccomp: update libseccomp version and remove arch restriction" (commit 8e27fc200457e3f2473d0069263774d4ba17bd85) Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Message-id: 1428670681-23032-1-git-send-email-peter.maydell@linaro.org | 13 April 2015, 11:28:48 UTC |
| 4d0ecde | Thomas Huth | 09 April 2015, 13:32:45 UTC | pci: Fix crash with illegal "-net nic, model=xxx" option Current QEMU crashes when specifying an illegal model with the "-net nic,model=xxx" option, e.g.: $ qemu-system-x86_64 -net nic,model=n/a qemu-system-x86_64: Unsupported NIC model: n/a Program received signal SIGSEGV, Segmentation fault. The gdb backtrace looks like this: 0x0000555555965fe0 in error_get_pretty (err=0x0) at util/error.c:152 152 return err->msg; (gdb) bt 0 0x0000555555965fe0 in error_get_pretty (err=0x0) at util/error.c:152 1 0x0000555555965ffd in error_report_err (err=0x0) at util/error.c:157 2 0x0000555555809c90 in pci_nic_init_nofail (nd=0x555555e49860 <nd_table>, rootbus=0x5555564409b0, default_model=0x55555598c37b "e1000", default_devaddr=0x0) at hw/pci/pci.c:1663 3 0x0000555555691e42 in pc_nic_init (isa_bus=0x555556f71900, pci_bus=0x5555564409b0) at hw/i386/pc.c:1506 4 0x000055555569396b in pc_init1 (machine=0x5555562abbf0, pci_enabled=1, kvmclock_enabled=1) at hw/i386/pc_piix.c:248 5 0x0000555555693d27 in pc_init_pci (machine=0x5555562abbf0) at hw/i386/pc_piix.c:310 6 0x000055555572ddf5 in main (argc=3, argv=0x7fffffffe018, envp=0x7fffffffe038) at vl.c:4226 The problem is that pci_nic_init_nofail() does not check whether the err parameter from pci_nic_init has been set up and thus passes a NULL pointer to error_report_err(). Fix it by correctly checking the err parameter. Signed-off-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Jason Wang <jasowang@redhat.com> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> | 13 April 2015, 11:11:44 UTC |
| 342b071 | Andreas Färber | 10 April 2015, 14:37:56 UTC | stm32f205: Fix SoC type name The type name for the SoC device, unlike those of its sub-devices, did not follow the QOM naming conventions. While the usage is internal only, this is exposed through QMP and HMP, so fix it before release. Cc: Alistair Francis <alistair.francis@xilinx.com> Signed-off-by: Andreas Färber <afaerber@suse.de> Reviewed-by: Alistair Francis <alistair@alistair23.me> Message-id: 1428676676-23056-1-git-send-email-afaerber@suse.de Signed-off-by: Peter Maydell <peter.maydell@linaro.org> | 13 April 2015, 10:37:10 UTC |
| c0c8584 | Dirk Müller | 04 April 2015, 12:15:10 UTC | cris: memory: Replace memory_region_init_ram with memory_region_allocate_system_memory Commit 0b183fc871:"memory: move mem_path handling to memory_region_allocate_system_memory" split memory_region_init_ram and memory_region_init_ram_from_file. Also it moved mem-path handling a step up from memory_region_init_ram to memory_region_allocate_system_memory. Therefore for any board that uses memory_region_init_ram directly, -mem-path is not supported. Fix this by replacing memory_region_init_ram with memory_region_allocate_system_memory. Tested-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> Cc: Edgar E. Iglesias <edgar.iglesias@gmail.com> Signed-off-by: Dirk Mueller <dmueller@suse.com> Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> | 11 April 2015, 10:03:57 UTC |
| 58c24a4 | Dirk Müller | 04 April 2015, 12:14:14 UTC | alpha: memory: Replace memory_region_init_ram with memory_region_allocate_system_memory Commit 0b183fc871:"memory: move mem_path handling to memory_region_allocate_system_memory" split memory_region_init_ram and memory_region_init_ram_from_file. Also it moved mem-path handling a step up from memory_region_init_ram to memory_region_allocate_system_memory. Therefore for any board that uses memory_region_init_ram directly, -mem-path is not supported. Fix this by replacing memory_region_init_ram with memory_region_allocate_system_memory. Cc: Richard Henderson <rth@twiddle.net> Signed-off-by: Dirk Mueller <dmueller@suse.com> Acked-by: Richard Henderson <rth@twiddle.net> Message-id: CAL5wTH64_ykF17cw2T1Axq8P3vCWm=6WbUJ3qJrLF-u+-MmzUw@mail.gmail.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org> | 10 April 2015, 13:15:18 UTC |
| b7ccb83 | Dirk Müller | 04 April 2015, 12:16:18 UTC | lm32: memory: Replace memory_region_init_ram with memory_region_allocate_system_memory Commit 0b183fc871:"memory: move mem_path handling to memory_region_allocate_system_memory" split memory_region_init_ram and memory_region_init_ram_from_file. Also it moved mem-path handling a step up from memory_region_init_ram to memory_region_allocate_system_memory. Therefore for any board that uses memory_region_init_ram directly, -mem-path is not supported. Fix this by replacing memory_region_init_ram with memory_region_allocate_system_memory. Cc: Michael Walle <michael@walle.cc> Signed-off-by: Dirk Mueller <dmueller@suse.com> Acked-by: Michael Walle <michael@walle.cc> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> | 10 April 2015, 13:12:20 UTC |
| 81b23ef | Jan Beulich | 31 March 2015, 14:18:03 UTC | xen: limit guest control of PCI command register Otherwise the guest can abuse that control to cause e.g. PCIe Unsupported Request responses (by disabling memory and/or I/O decoding and subsequently causing [CPU side] accesses to the respective address ranges), which (depending on system configuration) may be fatal to the host. This is CVE-2015-2756 / XSA-126. Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com> Message-id: alpine.DEB.2.02.1503311510300.7690@kaball.uk.xensource.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org> | 09 April 2015, 22:37:21 UTC |
| 6a460ed | Stefan Hajnoczi | 09 April 2015, 13:52:18 UTC | configure: disable Archipelago by default and warn about libxseg GPLv3 license libxseg has changed license to GPLv3. QEMU includes GPL "v2 only" code which is not compatible with GPLv3. This means the resulting binaries may not be redistributable! Disable Archipelago (libxseg) by default to prevent accidental license violations. Also warn if linking against libxseg is enabled to remind the user. Note that this commit does not constitute any advice about software licensing. If you have doubts you should consult a lawyer. Cc: Chrysostomos Nanakos <cnanakos@grnet.gr> Suggested-by: Kevin Wolf <kwolf@redhat.com> Reported-by: Andreas Färber <afaerber@suse.de> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Andreas Färber <afaerber@suse.de> Message-id: 1428587538-8765-1-git-send-email-stefanha@redhat.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org> | 09 April 2015, 20:43:15 UTC |
| a6f2cb0 | Peter Maydell | 09 April 2015, 11:05:00 UTC | Merge remote-tracking branch 'remotes/stefanha/tags/block-pull-request' into staging # gpg: Signature made Thu Apr 9 10:55:11 2015 BST using RSA key ID 81AB73C8 # gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>" # gpg: aka "Stefan Hajnoczi <stefanha@gmail.com>" * remotes/stefanha/tags/block-pull-request: block/iscsi: handle zero events from iscsi_which_events aio: strengthen memory barriers for bottom half scheduling virtio-blk: correctly dirty guest memory qcow2: Fix header update with overridden backing file Signed-off-by: Peter Maydell <peter.maydell@linaro.org> | 09 April 2015, 11:05:00 UTC |
| cf811ff | Peter Maydell | 08 April 2015, 19:57:09 UTC | tcg/tcg-op.c: Fix ld/st of 64 bit values on 32-bit bigendian hosts Commit 951c6300f7 out-of-lined the 32-bit-host versions of tcg_gen_{ld,st}_i64, but in the process it inadvertently changed an #ifdef HOST_WORDS_BIGENDIAN to #ifdef TCG_TARGET_WORDS_BIGENDIAN. Since the latter doesn't get defined anywhere this meant we always took the "LE host" codepath, and stored the two halves of the value in the wrong order on BE hosts. This typically breaks any 64-bit guest on a 32-bit BE host completely, and will have possibly more subtle effects even for 32-bit guests. Switch the ifdef back to HOST_WORDS_BIGENDIAN. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <rth@twiddle.net> Tested-by: Andreas Färber <afaerber@suse.de> Message-id: 1428523029-13620-1-git-send-email-peter.maydell@linaro.org | 09 April 2015, 09:51:10 UTC |
| 05b685f | Peter Lieven | 07 April 2015, 20:08:15 UTC | block/iscsi: handle zero events from iscsi_which_events newer libiscsi versions may return zero events from iscsi_which_events. In this case iscsi_service will return immediately without any progress. To avoid busy waiting for iscsi_which_events to change we deregister all read and write handlers in this case and schedule a timer to periodically check iscsi_which_events for changed events. Next libiscsi version will introduce async reconnects and zero events are returned while libiscsi is waiting for a reconnect retry. Signed-off-by: Peter Lieven <pl@kamp.de> Message-id: 1428437295-29577-1-git-send-email-pl@kamp.de Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> | 09 April 2015, 09:31:45 UTC |
| e8d3b1a | Paolo Bonzini | 07 April 2015, 15:16:19 UTC | aio: strengthen memory barriers for bottom half scheduling There are two problems with memory barriers in async.c. The fix is to use atomic_xchg in order to achieve sequential consistency between the scheduling of a bottom half and the corresponding execution. First, if bh->scheduled is already 1 in qemu_bh_schedule, QEMU does not execute a memory barrier to order any writes needed by the callback before the read of bh->scheduled. If the other side sees req->state as THREAD_ACTIVE, the callback is not invoked and you get deadlock. Second, the memory barrier in aio_bh_poll is too weak. Without this patch, it is possible that bh->scheduled = 0 is not "published" until after the callback has returned. Another thread wants to schedule the bottom half, but it sees bh->scheduled = 1 and does nothing. This causes a lost wakeup. The memory barrier should have been changed to smp_mb() in commit 924fe12 (aio: fix qemu_bh_schedule() bh->ctx race condition, 2014-06-03) together with qemu_bh_schedule()'s. Guess who reviewed that patch? Both of these involve a store and a load, so they are reproducible on x86_64 as well. It is however much easier on aarch64, where the libguestfs test suite triggers the bug fairly easily. Even there the failure can go away or appear depending on compiler optimization level, tracing options, or even kernel debugging options. Paul Leveille however reported how to trigger the problem within 15 minutes on x86_64 as well. His (untested) recipe, reproduced here for reference, is the following: 1) Qcow2 (or 3) is critical – raw files alone seem to avoid the problem. 2) Use “cache=directsync” rather than the default of “cache=none” to make it happen easier. 3) Use a server with a write-back RAID controller to allow for rapid IO rates. 4) Run a random-access load that (mostly) writes chunks to various files on the virtual block device. a. I use ‘diskload.exe c:25’, a Microsoft HCT load generator, on Windows VMs. b. Iometer can probably be configured to generate a similar load. 5) Run multiple VMs in parallel, against the same storage device, to shake the failure out sooner. 6) IvyBridge and Haswell processors for certain; not sure about others. A similar patch survived over 12 hours of testing, where an unpatched QEMU would fail within 15 minutes. This bug is, most likely, also the cause of failures in the libguestfs testsuite on AArch64. Thanks to Laszlo Ersek for initially reporting this bug, to Stefan Hajnoczi for suggesting closer examination of qemu_bh_schedule, and to Paul for providing test input and a prototype patch. Reported-by: Laszlo Ersek <lersek@redhat.com> Reported-by: Paul Leveille <Paul.Leveille@stratus.com> Reported-by: John Snow <jsnow@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Message-id: 1428419779-26062-1-git-send-email-pbonzini@redhat.com Suggested-by: Paul Leveille <Paul.Leveille@stratus.com> Suggested-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> | 09 April 2015, 09:29:29 UTC |
| c8623c0 | Dirk Müller | 04 April 2015, 12:24:38 UTC | arm: memory: Replace memory_region_init_ram with memory_region_allocate_system_memory Commit 0b183fc871:"memory: move mem_path handling to memory_region_allocate_system_memory" split memory_region_init_ram and memory_region_init_ram_from_file. Also it moved mem-path handling a step up from memory_region_init_ram to memory_region_allocate_system_memory. Therefore for any board that uses memory_region_init_ram directly, -mem-path is not supported. Fix this by replacing memory_region_init_ram with memory_region_allocate_system_memory. Signed-off-by: Dirk Mueller <dmueller@suse.com> Message-id: CAL5wTH4UHYKpJF=dLJfFzxpufjY189chnCow47-ySuLf8GLbug@mail.gmail.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org> | 08 April 2015, 16:30:36 UTC |
| 2a6cdd6 | Paolo Bonzini | 02 April 2015, 17:50:44 UTC | virtio-blk: correctly dirty guest memory After qemu_iovec_destroy, the QEMUIOVector's size is zeroed and the zero size ultimately is used to compute virtqueue_push's len argument. Therefore, reads from virtio-blk devices did not migrate their results correctly. (Writes were okay). Save the size in virtio_blk_handle_request, and use it when the request is completed. Based on a patch by Wen Congyang. Signed-off-by: Wen Congyang <wency@cn.fujitsu.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Tested-by: Li Zhijian <lizhijian@cn.fujitsu.com> Message-id: 1427997044-392-1-git-send-email-pbonzini@redhat.com Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> | 08 April 2015, 09:39:18 UTC |
| e4603fe | Kevin Wolf | 07 April 2015, 13:03:16 UTC | qcow2: Fix header update with overridden backing file In recent qemu versions, it is possible to override the backing file name and format that is stored in the image file with values given at runtime. In such cases, the temporary override could end up in the image header if the qcow2 header was updated, while obviously correct behaviour would be to leave the on-disk backing file path/format unchanged. Fix this and add a test case for it. Reported-by: Michael Tokarev <mjt@tls.msk.ru> Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Message-id: 1428411796-2852-1-git-send-email-kwolf@redhat.com Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> | 08 April 2015, 09:29:20 UTC |
| 5a24f20 | Peter Maydell | 07 April 2015, 13:33:46 UTC | Merge remote-tracking branch 'remotes/mjt/tags/pull-trivial-patches-2015-04-04' into staging trivial patches for 2015-04-04 # gpg: Signature made Sat Apr 4 08:07:49 2015 BST using RSA key ID A4C3D7DB # gpg: Good signature from "Michael Tokarev <mjt@tls.msk.ru>" # gpg: aka "Michael Tokarev <mjt@corpit.ru>" # gpg: aka "Michael Tokarev <mjt@debian.org>" * remotes/mjt/tags/pull-trivial-patches-2015-04-04: vhost: fix typo in vq_index description gitignore: Ignore more .pod files. target-tricore: Fix check which was always false target-i386: remove superfluous TARGET_HAS_SMC macro pcspk: Fix I/O port name Signed-off-by: Peter Maydell <peter.maydell@linaro.org> | 07 April 2015, 13:33:46 UTC |
| 9be6e69 | Greg Kurz | 26 March 2015, 11:10:29 UTC | vhost: fix typo in vq_index description Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com> Acked-by: Jason Wang <jasowang@redhat.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 04 April 2015, 06:48:19 UTC |
| 085feb6 | Eric Blake | 20 March 2015, 16:30:44 UTC | gitignore: Ignore more .pod files. kvm_stat.{1,pod} started showing up as untracked files in my directory, and I nearly accidentally merged them into a commit with my usual habit of 'git add .'. Rather than spelling out each such file, just ignore the entire pattern. Signed-off-by: Eric Blake <eblake@redhat.com> Reviewed-by: Stefan Weil <sw@weilnetz.de> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 04 April 2015, 06:45:59 UTC |
| 7b4b0b5 | Stefan Weil | 21 March 2015, 13:44:58 UTC | target-tricore: Fix check which was always false With a mask value of 0x00400000, the result will never be 1. This fixes a Coverity warning. Signed-off-by: Stefan Weil <sw@weilnetz.de> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 04 April 2015, 06:45:59 UTC |
| 9c04146 | Emilio G. Cota | 21 March 2015, 17:29:09 UTC | target-i386: remove superfluous TARGET_HAS_SMC macro Signed-off-by: Emilio G. Cota <cota@braap.org> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 04 April 2015, 06:45:59 UTC |
| ecf2e5a | Jan Kiszka | 19 March 2015, 12:08:40 UTC | pcspk: Fix I/O port name Probably a copy&paste bug. Fixing it helps identifying the device model behind port 0x61. Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com> Reviewed-by: Gonglei <arei.gonglei@huawei.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 04 April 2015, 06:45:59 UTC |
| f2155a0 | Peter Maydell | 02 April 2015, 17:02:02 UTC | Update version for v2.3.0-rc2 release Signed-off-by: Peter Maydell <peter.maydell@linaro.org> | 02 April 2015, 17:02:02 UTC |
| 14655e9 | Cornelia Huck | 02 April 2015, 15:17:45 UTC | glib-compat: fix problems with not-quite glib 2.22 Commit 89b516d8b9444ece8ccabb322a9389587c7a7b83 ("glib: add compatibility interface for g_get_monotonic_time()") aimed at making qemu build with old glib versions. At least SLES11SP3, however, contains a backport of g_get_monotonic_time() while keeping the reported glib version at 2.22. Let's work around this by a strategically placed #define. Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com> Message-id: 1427987865-433-2-git-send-email-cornelia.huck@de.ibm.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org> | 02 April 2015, 15:53:42 UTC |
| a8a7ef1 | Peter Maydell | 02 April 2015, 14:53:16 UTC | Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into staging Another round of small fixes. I am not including the virtio-blk fix, because Wen only posted a prototype and the changes I made were pretty large. It definitely needs another pair of eyes (but it is a 2.3 regression and a blocker). # gpg: Signature made Thu Apr 2 14:59:56 2015 BST using RSA key ID 78C7AE83 # gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>" # gpg: aka "Paolo Bonzini <pbonzini@redhat.com>" # gpg: WARNING: This key is not certified with sufficiently trusted signatures! # gpg: It is not certain that the signature belongs to the owner. # Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4 E2F7 7E15 100C CD36 69B1 # Subkey fingerprint: F133 3857 4B66 2389 866C 7682 BFFB D25F 78C7 AE83 * remotes/bonzini/tags/for-upstream: Use $(MAKE) for recursive make kvm-all: Sync dirty-bitmap from kvm before kvm destroy the corresponding dirty_bitmap util/qemu-config: fix regression of qmp_query_command_line_options target-i386: clear bsp bit when designating bsp qga: fitering out -fstack-protector-strong target-i386: save 64-bit CR3 in 64-bit SMM state save area Signed-off-by: Peter Maydell <peter.maydell@linaro.org> | 02 April 2015, 14:53:16 UTC |
| fb8597b | Ed Maste | 01 April 2015, 17:58:38 UTC | Use $(MAKE) for recursive make On BSDs "make" is typically BSD make, while "gmake" is GNU make. Signed-off-by: Ed Maste <emaste@freebsd.org> Message-Id: <1427911118-21905-1-git-send-email-emaste@freebsd.org> [Fix $(INSTALLER) too as reported by Fam Zheng. - Paolo] Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> | 02 April 2015, 13:58:39 UTC |
