https://github.com/qemu/qemu

Revision  Message  Commit Date
db51dfc Update version for 2.5.1.1 release Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> 09 May 2016, 16:55:58 UTC
5b7236f cadence_uart: bounds check write offset cadence_uart_init() initializes an I/O memory region of size 0x1000 bytes. However in uart_write(), the 'offset' parameter (offset within region) is divided by 4 and then used to index the array 'r' of size CADENCE_UART_R_MAX which is much smaller: (0x48/4). If 'offset>>=2' exceeds CADENCE_UART_R_MAX, this will cause an out-of-bounds memory write where the offset and the value are controlled by the guest. This will corrupt QEMU memory; in most situations this causes the VM to crash. Fix by checking the offset against the array size. Cc: qemu-stable@nongnu.org Reported-by: 李强 <liqiang6-s@360.cn> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Alistair Francis <alistair.francis@xilinx.com> Message-id: 20160418100735.GA517@redhat.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org> (cherry picked from commit 5eb0b194e9b01ba0f3613e6ddc2cb9f63ce96ae5) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> 09 May 2016, 16:55:58 UTC
0bcdb63 Revert "ehci: make idt processing more robust" This reverts commit 156a2e4dbffa85997636a7a39ef12da6f1b40254. Breaks FreeBSD. Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> (cherry picked from commit a49923d2837d20510d645d3758f1ad87c32d0730) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> 09 May 2016, 03:37:18 UTC
706bab6 ehci: apply limit to iTD/sidt descriptors Commit "156a2e4 ehci: make idt processing more robust" tries to avoid a DoS by the guest (create a circular iTD queue and let qemu ehci emulation run in circles forever). Unfortunately this has two problems: First it misses the case of siTDs, and second it reportedly breaks FreeBSD. So let's go for a different approach: just count the number of iTDs and siTDs we have seen per frame and apply a limit. That should really catch all cases now. Reported-by: 杜少博 <dushaobo@360.cn> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> (cherry picked from commit 1ae3f2f178087711f9591350abad133525ba93f2) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> 09 May 2016, 03:37:09 UTC
44b86aa vga: make sure vga register setup for vbe stays intact (CVE-2016-3712). Call vbe_update_vgaregs() when the guest touches GFX, SEQ or CRT registers, to make sure the vga registers will always have the values needed by vbe mode. This makes sure the sanity checks applied by vbe_fixup_regs() are effective. Without this guests can muck with shift_control, can turn on planar vga modes or text mode emulation while VBE is active, making qemu take code paths meant for CGA compatibility, but with the very large display widths and heights settable using VBE registers. Which is good for one or another buffer overflow. Not that critical as they are typically read overflows happening somewhere in the display code. So guests can DoS by crashing qemu with a segfault, but it is probably not possible to break out of the VM. Fixes: CVE-2016-3712 Reported-by: Zuozhi Fzz <zuozhi.fzz@alibaba-inc.com> Reported-by: P J P <ppandit@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> 09 May 2016, 01:56:43 UTC
a6e5e5d vga: update vga register setup on vbe changes Call the new vbe_update_vgaregs() function on vbe configuration changes, to make sure vga registers are up-to-date. Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> 09 May 2016, 01:56:40 UTC
2f2f74e vga: factor out vga register setup When enabling vbe mode qemu will setup a bunch of vga registers to make sure the vga emulation operates in correct mode for a linear framebuffer. Move that code to a separate function so we can call it from other places too. Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> 09 May 2016, 01:56:38 UTC
46aff2c vga: add vbe_enabled() helper Makes code a bit easier to read. Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> 09 May 2016, 01:56:34 UTC
4f0323d vga: fix banked access bounds checking (CVE-2016-3710) vga allows banked access to video memory using the window at 0xa00000 and it supports different access modes with different address calculations. The VBE bochs extensions support banked access too, using the VBE_DISPI_INDEX_BANK register. The code tries to take the different address calculations into account and applies different limits to VBE_DISPI_INDEX_BANK depending on the current access mode. Which is probably effective in stopping misprogramming by accident. But from a security point of view completely useless as an attacker can easily change access modes after setting the bank register. Drop the bogus check, add range checks to vga_mem_{readb,writeb} instead. Fixes: CVE-2016-3710 Reported-by: Qinghao Tang <luodalongde@gmail.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> 09 May 2016, 01:56:30 UTC
a58047f Update version for 2.5.1 release Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> 29 March 2016, 20:47:56 UTC
5f409b1 hyperv: cpu hotplug fix with HyperV enabled With Hyper-V enabled CPU hotplug stops working. The CPU appears in device manager on Windows but does not appear in performance monitor and control panel. The root of the problem is the following. Windows checks HV_X64_CPU_DYNAMIC_PARTITIONING_AVAILABLE bit in CPUID. The presence of this bit is enough to cure the situation. The bit should be set when CPU hotplug is allowed for HyperV VM. The check that hot_add_cpu callback is defined is enough from the protocol point of view. Though this callback is defined almost always thus there is no need to export that knowledge in the other way. Signed-off-by: Denis V. Lunev <den@openvz.org> Reviewed-by: Roman Kagan <rkagan@virtuozzo.com> CC: Paolo Bonzini <pbonzini@redhat.com> CC: Richard Henderson <rth@twiddle.net> CC: Eduardo Habkost <ehabkost@redhat.com> CC: "Andreas Färber" <afaerber@suse.de> Reviewed-by: Eduardo Habkost <ehabkost@redhat.com> Signed-off-by: Eduardo Habkost <ehabkost@redhat.com> (cherry picked from commit 4467c6c118b85133846785f517e5733112e811b4) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> 22 March 2016, 23:02:30 UTC
078de11 vmdk: Fix converting to streamOptimized Commit d62d9dc4b8 lifted streamOptimized images' version to 3, but we now refuse to open version 3 images read-write. We need to make streamOptimized an exception to allow converting to it. This fixes the accidentally broken iotests case 059 for the same reason. Signed-off-by: Fam Zheng <famz@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Max Reitz <mreitz@redhat.com> (cherry picked from commit 3db1d98a20262228373bb973ca62b1ab64b29af4) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> 22 March 2016, 22:41:10 UTC
acea76c vmdk: Create streamOptimized as version 3 VMware products accept only version 3 for streamOptimized, let's bump the version. Reported-by: Radoslav Gerganov <rgerganov@vmware.com> Signed-off-by: Fam Zheng <famz@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> (cherry picked from commit d62d9dc4b814950dcc8bd261a3e2e9300d9065e6) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> 22 March 2016, 22:41:04 UTC
80b6e57 usb: check USB configuration descriptor object When processing remote NDIS control message packets, the USB Net device emulator checks to see if the USB configuration descriptor object is of RNDIS type (2). But it does not check if it is null, which leads to a null dereference error. Add check to avoid it. Reported-by: Qinghao Tang <luodalongde@gmail.com> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Message-id: 1455188480-14688-1-git-send-email-ppandit@redhat.com Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> (cherry picked from commit 80eecda8e5d09c442c24307f340840a5b70ea3b9) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> 22 March 2016, 22:40:56 UTC
9bddb45 usb: check RNDIS message length When processing remote NDIS control message packets, the USB Net device emulator uses a fixed length (4096) data buffer. The incoming packet length could exceed this limit. Add a check to avoid it. Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Message-id: 1455648821-17340-2-git-send-email-ppandit@redhat.com Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> (cherry picked from commit 64c9bc181fc78275596649f591302d72df2d3071) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> 22 March 2016, 22:40:52 UTC
e3a2cdf usb: check RNDIS buffer offsets & length When processing remote NDIS control message packets, the USB Net device emulator uses a fixed length (4096) data buffer. The incoming informationBufferOffset & Length combination could overflow and cross that range. Check control message buffer offsets and length to avoid it. Reported-by: Qinghao Tang <luodalongde@gmail.com> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Message-id: 1455648821-17340-3-git-send-email-ppandit@redhat.com Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> (cherry picked from commit fe3c546c5ff2a6210f9a4d8561cc64051ca8603e) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> 22 March 2016, 22:40:46 UTC
4dcd2f1 usb: check page select value while processing iTD While processing isochronous transfer descriptors (iTD), the page select (PG) field value could lead to an OOB read access. Add check to avoid it. Reported-by: Qinghao Tang <luodalongde@gmail.com> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Message-id: 1453233406-12165-1-git-send-email-ppandit@redhat.com Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> (cherry picked from commit 49d925ce50383a286278143c05511d30ec41a36e) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> 22 March 2016, 22:40:40 UTC
38e0921 net: ne2000: fix bounds check in ioport operations While doing ioport r/w operations, ne2000 device emulation suffers from OOB r/w errors. Update respective array bounds check to avoid OOB access. Reported-by: Ling Liu <liuling-it@360.cn> Cc: qemu-stable@nongnu.org Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Signed-off-by: Jason Wang <jasowang@redhat.com> (cherry picked from commit aa7f9966dfdff500bbbf1956d9e115b1fa8987a6) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> 22 March 2016, 22:40:34 UTC
d0ee85b net: check packet payload length While computing IP checksum, 'net_checksum_calculate' reads payload length from the packet. It could exceed the given 'data' buffer size. Add a check to avoid it. Reported-by: Liu Ling <liuling-it@360.cn> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Signed-off-by: Jason Wang <jasowang@redhat.com> (cherry picked from commit 362786f14a753d8a5256ef97d7c10ed576d6572b) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> 22 March 2016, 22:40:27 UTC
4f046a6 ide: ahci: reset ncq object to unused on error When processing NCQ commands, AHCI device emulation prepares a NCQ transfer object, to which an aio control block (aiocb) object is assigned in 'execute_ncq_command'. In case the NCQ command is invalid, the 'aiocb' object is not assigned, and NCQ transfer object is left as 'used'. This leads to a use after free kind of error in 'bdrv_aio_cancel_async' via 'ahci_reset_port'. Reset NCQ transfer object to 'unused' to avoid it. [Maintainer edit: s/ACHI/AHCI/ in the commit message. --js] Reported-by: Qinghao Tang <luodalongde@gmail.com> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Reviewed-by: John Snow <jsnow@redhat.com> Message-id: 1452282511-4116-1-git-send-email-ppandit@redhat.com Signed-off-by: John Snow <jsnow@redhat.com> (cherry picked from commit 4ab0359a8ae182a7ac5c99609667273167703fab) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> 22 March 2016, 22:40:20 UTC
b47809c i386: avoid null pointer dereference Hello, A null pointer dereference issue was reported by Mr Ling Liu, CC'd here. It occurs while doing I/O port write operations via hmp interface. In that, 'current_cpu' remains null as it is not called from cpu_exec loop, which results in the said issue. Below is a proposed (tested) patch to fix this issue; Does it look okay? === From ae88a4947fab9a148cd794f8ad2d812e7f5a1d0f Mon Sep 17 00:00:00 2001 From: Prasad J Pandit <pjp@fedoraproject.org> Date: Fri, 18 Dec 2015 11:16:07 +0530 Subject: [PATCH] i386: avoid null pointer dereference When I/O port write operation is called from hmp interface, 'current_cpu' remains null, as it is not called from cpu_exec() loop. This leads to a null pointer dereference in vapic_write routine. Add check to avoid it. Reported-by: Ling Liu <liuling-it@360.cn> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Message-Id: <alpine.LFD.2.20.1512181129320.9805@wniryva> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: P J P <ppandit@redhat.com> (cherry picked from commit 4c1396cb576c9b14425558b73de1584c7a9735d7) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> 22 March 2016, 22:39:27 UTC
24fe899 hmp: fix sendkey out of bounds write (CVE-2015-8619) When processing 'sendkey' command, hmp_sendkey routine null terminates the 'keyname_buf' array. This results in an OOB write issue, if 'keyname_len' was to fall outside of 'keyname_buf' array. Since the keyname's length is known the keyname_buf can be removed altogether by adding a length parameter to index_from_key() and using it for the error output as well. Reported-by: Ling Liu <liuling-it@360.cn> Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> Message-Id: <20160113080958.GA18934@olga> [Comparison with "<" dumbed down, test for junk after strtoul() tweaked] Signed-off-by: Markus Armbruster <armbru@redhat.com> (cherry picked from commit 64ffbe04eaafebf4045a3ace52a360c14959d196) Conflicts: hmp.c *removed dependency on 7fb1cf16 Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> 22 March 2016, 22:38:16 UTC
aaf4fb6 ahci: Do not unmap NULL addresses Definitely don't try to unmap a garbage address. Reported-by: Zuozhi fzz <zuozhi.fzz@alibaba-inc.com> Signed-off-by: John Snow <jsnow@redhat.com> Message-id: 1454103689-13042-2-git-send-email-jsnow@redhat.com (cherry picked from commit 99b4cb71069f109b79b27bc629fc0cf0886dbc4b) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> 22 March 2016, 22:35:36 UTC
a2ae168 migration: allow machine to enforce configuration section migration Migration of pseries-2.3 doesn't have a configuration section. Unfortunately, QEMU 2.4/2.4.1/2.5 are buggy and always stream and expect the configuration section, and break migration both ways. This patch introduces a property which allows to enforce a configuration section for machines that don't have one. It can be set at startup: -machine enforce-config-section=on or later from the QEMU monitor: qom-set /machine enforce-config-section on It is up to the tooling to set or unset this property according to the version of the QEMU at the other end of the pipe. Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com> Reviewed-by: Laurent Vivier <lvivier@redhat.com> Reviewed-by: Juan Quintela <quintela@redhat.com> Signed-off-by: David Gibson <david@gibson.dropbear.id.au> (cherry picked from commit 902c053d834e3b802ec736f170edf226d4a841ff) Conflicts: qemu-options.hx * removed context dependency on 87252e1b * added to provide 2.5<->2.5.1 migration compat option for pseries-2.3 machines Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> 22 March 2016, 22:20:12 UTC
bad094d vl.c: Fix regression in machine error message Commit e1ce0c3cb (vl.c: fix regression when reading machine type from config file) fixed the error message when the machine type was supplied inside the config file. However now the option name is not displayed correctly if the error happens when the machine is specified at command line. Running ./x86_64-softmmu/qemu-system-x86_64 -M q35-1.5 -redir tcp:8022::22 will result in the error message: qemu-system-x86_64: -redir tcp:8022::22: unsupported machine type Use -machine help to list supported machines Fixed it by restoring the error location and also extracted the code dealing with machine options into a separate function. Reported-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com> Signed-off-by: Marcel Apfelbaum <marcel@redhat.com> Reviewed-by: Eduardo Habkost <ehabkost@redhat.com> Signed-off-by: Eduardo Habkost <ehabkost@redhat.com> Message-Id: <1455303747-19776-2-git-send-email-ehabkost@redhat.com> Signed-off-by: Markus Armbruster <armbru@redhat.com> (cherry picked from commit 34f405ae6d5c4170b192a12b2e654a2aea0c3b50) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> 17 March 2016, 23:21:32 UTC
4b0b1ec quorum: Fix crash in quorum_aio_cb() quorum_aio_cb() emits the QUORUM_REPORT_BAD event if there's an I/O error in a Quorum child. However sacb->aiocb must be correctly initialized for this to happen. read_quorum_children() and read_fifo_child() are not doing this, which results in a QEMU crash. Signed-off-by: Alberto Garcia <berto@igalia.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Message-id: 8138570d071ba7e25db3736979234a1fd71dbd05.1457610443.git.berto@igalia.com Signed-off-by: Max Reitz <mreitz@redhat.com> (cherry picked from commit b9c600d20716b3d942cb07188ff998fb236a8365) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> 17 March 2016, 23:18:19 UTC
cab1cc7 target-arm: Make reserved ranges in ID_AA64* spaces RAZ, not UNDEF The v8 ARM ARM defines that unused spaces in the ID_AA64* system register ranges are Reserved and must RAZ, rather than being UNDEF. Implement this. In particular, ARM v8.2 adds a new feature register ID_AA64MMFR2, and newer versions of the Linux kernel will attempt to read this, which causes them not to boot up on versions of QEMU missing this fix. Since the encoding .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 2, .opc2 = 6 is actually defined in ARMv8 (as ID_MMFR4), we give it an entry in the ARMCPU struct so CPUs can override it, though since none do this too will just RAZ. Cc: qemu-stable@nongnu.org Reported-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Message-id: 1455890863-11203-1-git-send-email-peter.maydell@linaro.org Reviewed-by: Alex Bennée <alex.bennee@linaro.org> Tested-by: Alex Bennée <alex.bennee@linaro.org> (cherry picked from commit e20d84c1407d43d5a2e2ac95dbb46db3b0af8f9f) Conflicts: target-arm/helper.c * remove context dep on 4054bfa9 Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> 17 March 2016, 22:48:45 UTC
9ae0217 vhost-user: don't merge regions with different fds vhost currently merges regions with contiguous virtual and physical addresses. This breaks for vhost-user since that also needs fds to match. Add a vhost_ops entry to compare the fds for vhost-user only. Cc: qemu-stable@nongnu.org Cc: Victor Kaplansky <victork@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> (cherry picked from commit ffe42cc14c770549abc7995a90cf53bca3659b7f) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> 17 March 2016, 22:36:07 UTC
3092979 fw_cfg: unbreak migration compatibility for 2.4 and earlier machines When I reviewed Marc's fw_cfg DMA patches, I completely missed that the way we set dma_enabled would break migration. Gerd explained the right way (see reference below): dma_enabled should be set to true by default, and only true->false transitions should be possible: - when the user requests that with -global fw_cfg_mem.dma_enabled=off or -global fw_cfg_io.dma_enabled=off as appropriate for the platform, - when HW_COMPAT_2_4 dictates it, - when board code initializes fw_cfg without requesting DMA support. Cc: Marc Marí <markmb@redhat.com> Cc: Gerd Hoffmann <kraxel@redhat.com> Cc: Alexandre DERUMIER <aderumier@odiso.com> Cc: qemu-stable@nongnu.org Ref: http://thread.gmane.org/gmane.comp.emulators.qemu/390272/focus=391042 Ref: https://bugs.launchpad.net/qemu/+bug/1536487 Suggested-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Laszlo Ersek <lersek@redhat.com> Message-id: 1455823860-22268-1-git-send-email-lersek@redhat.com Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> (cherry picked from commit e6915b5f3a874a467a9a65f7ec1d6ef8d251a51a) Conflicts: include/hw/compat.h * remove cosmetic dep on c9c0afbb Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> 17 March 2016, 22:33:59 UTC
c5c9841 hw/virtio: group virtio flags into an enum Minimizes the possibility to assign the same bit to different features. Signed-off-by: Marcel Apfelbaum <marcel@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Laurent Vivier <lvivier@redhat.com> Acked-by: Jason Wang <jasowang@redhat.com> (cherry picked from commit fc1769b758a5b6167bb9cdb4e10369a49b4fa930) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> 17 March 2016, 22:25:13 UTC
6b62303 hw/virtio: fix double use of a virtio flag Commits 1811e64c and a6df8adf use the same virtio feature bit 4 for different features. Fix it by using different bits. Reported-by: Laurent Vivier <lvivier@redhat.com> Tested-by: Laurent Vivier <lvivier@redhat.com> Signed-off-by: Marcel Apfelbaum <marcel@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Acked-by: Jason Wang <jasowang@redhat.com> (cherry picked from commit 631a4387554d53a0d19dd7973851ed760a5bff97) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> 17 March 2016, 22:24:57 UTC
c06f342 spapr: skip configuration section during migration of older machines Since QEMU 2.4, we have a configuration section in the migration stream. This must be skipped for older machines, like it is already done for x86. This patch fixes the migration of pseries-2.3 from/to QEMU 2.3, but it breaks migration of the same machine from/to QEMU 2.4/2.4.1/2.5. We do that anyway because QEMU 2.3 is likely to be more widely deployed than newer QEMU versions. Fixes: 61964c23e5ddd5a33f15699e45ce126f879e3e33 Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com> Reviewed-by: Laurent Vivier <lvivier@redhat.com> Reviewed-by: Juan Quintela <quintela@redhat.com> Signed-off-by: David Gibson <david@gibson.dropbear.id.au> (cherry picked from commit 09b5e30da5b19f44768a5429f603caaede216757) Conflicts: hw/ppc/spapr.c *remove dep on 5013c5474 Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> 17 March 2016, 22:17:33 UTC
cb873ea e1000: eliminate infinite loops on out-of-bounds transfer start The start_xmit() and e1000_receive_iov() functions implement DMA transfers iterating over a set of descriptors that the guest's e1000 driver prepares: - the TDLEN and RDLEN registers store the total size of the descriptor area, - while the TDH and RDH registers store the offset (in whole tx / rx descriptors) into the area where the transfer is supposed to start. Each time a descriptor is processed, the TDH and RDH register is bumped (as appropriate for the transfer direction). QEMU already contains logic to deal with bogus transfers submitted by the guest: - Normally, the transmit case wants to increase TDH from its initial value to TDT. (TDT is allowed to be numerically smaller than the initial TDH value; wrapping at or above TDLEN bytes to zero is normal.) The failsafe that QEMU currently has here is a check against reaching the original TDH value again -- a complete wraparound, which should never happen. - In the receive case RDH is increased from its initial value until "total_size" bytes have been received; preferably in a single step, or in "s->rxbuf_size" byte steps, if the latter is smaller. However, null RX descriptors are skipped without receiving data, while RDH is incremented just the same. QEMU tries to prevent an infinite loop (processing only null RX descriptors) by detecting whether RDH assumes its original value during the loop. (Again, wrapping from RDLEN to 0 is normal.) What both directions miss is that the guest could program TDLEN and RDLEN so low, and the initial TDH and RDH so high, that these registers will immediately be truncated to zero, and then never reassume their initial values in the loop -- a full wraparound will never occur. The condition that expresses this is: xdh_start >= s->mac_reg[XDLEN] / sizeof(desc) i.e., TDH or RDH start out after the last whole rx or tx descriptor that fits into the TDLEN or RDLEN sized area. This condition could be checked before we enter the loops, but pci_dma_read() / pci_dma_write() knows how to fill in buffers safely for bogus DMA addresses, so we just extend the existing failsafes with the above condition. This is CVE-2016-1981. Cc: "Michael S. Tsirkin" <mst@redhat.com> Cc: Petr Matousek <pmatouse@redhat.com> Cc: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Cc: Prasad Pandit <ppandit@redhat.com> Cc: Michael Roth <mdroth@linux.vnet.ibm.com> Cc: Jason Wang <jasowang@redhat.com> Cc: qemu-stable@nongnu.org RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1296044 Signed-off-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Jason Wang <jasowang@redhat.com> Signed-off-by: Jason Wang <jasowang@redhat.com> (cherry picked from commit dd793a74882477ca38d49e191110c17dfee51dcc) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> 17 March 2016, 21:55:27 UTC
4853a5a block: qemu-iotests - add test for snapshot, commit, snapshot bug Signed-off-by: Jeff Cody <jcody@redhat.com> Message-id: 2dbc05efba2f683cb3aaf71aaa9b776ebf7ec57c.1454376655.git.jcody@redhat.com Reviewed-by: Max Reitz <mreitz@redhat.com> [Moved test number from 143 to 144] Signed-off-by: Max Reitz <mreitz@redhat.com> (cherry picked from commit 8983b670f62ab5e5e8dd2690bf8304123651bfe5) Conflicts: tests/qemu-iotests/group *removed context dependencies on newer test groups Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> 17 March 2016, 21:53:35 UTC
a375e0b block: set device_list.tqe_prev to NULL on BDS removal This fixes a regression introduced with commit 3f09bfbc7. Multiple bugs arise in conjunction with live snapshots and mirroring operations (which include active layer commit). After a live snapshot occurs, the active layer and the base layer both have a non-NULL tqe_prev field in the device_list, although the base node's tqe_prev field points to a NULL entry. This non-NULL tqe_prev field occurs after the bdrv_append() in the external snapshot calls change_parent_backing_link(). In change_parent_backing_link(), when the previous active layer is removed from device_list, the device_list.tqe_prev pointer is not set to NULL. The operating scheme in the block layer is to indicate that a BDS belongs in the bdrv_states device_list iff the device_list.tqe_prev pointer is non-NULL. This patch does two things: 1.) Introduces a new block layer helper bdrv_device_remove() to remove a BDS from the device_list, and 2.) uses that new API, which also fixes the regression once used in change_parent_backing_link(). Signed-off-by: Jeff Cody <jcody@redhat.com> Message-id: 0cd51e11c0666c04ddb7c05293fe94afeb551e89.1454376655.git.jcody@redhat.com Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Max Reitz <mreitz@redhat.com> (cherry picked from commit f8aa905a4fec89863c82de4186352447d851871e) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> 17 March 2016, 21:51:48 UTC
a38a283 qmp: Fix reference-counting of qnull on empty output visit Commit 6c2f9a15 ensured that we would not return NULL when the caller used an output visitor but had nothing to visit. But in doing so, it added a FIXME about a reference count leak that could abort qemu in the (unlikely) case of SIZE_MAX such visits (more plausible on 32-bit). (Although that commit suggested we might fix it in time for 2.5, we ran out of time; fortunately, it is unlikely enough to bite that it was not worth worrying about during the 2.5 release.) This fixes things by documenting the internal contracts, and explaining why the internal function can return NULL and only the public facing interface needs to worry about qnull(), thus avoiding over-referencing the qnull_ global object. It does not, however, fix the stupidity of the stack mixing up two separate pieces of information; add a FIXME to explain that issue, which will be fixed shortly in a future patch. Signed-off-by: Eric Blake <eblake@redhat.com> Cc: qemu-stable@nongnu.org Message-Id: <1454075341-13658-25-git-send-email-eblake@redhat.com> Signed-off-by: Markus Armbruster <armbru@redhat.com> (cherry picked from commit a86156401559cb4401cf9ecc704faeab6fc8bb19) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> 17 March 2016, 21:50:34 UTC
225d50f cpus: use broadcast on qemu_pause_cond Jiri saw a hang on pause_all_vcpus called from postcopy_start, where the cpus are all apparently stopped ('stopped' flag set) but pause_all_vcpus is still stuck on a cond_wait on qemu_paused_cond. We suspect this is happening if a qmp_stop is called at about the same time as the postcopy code calls that pause_all_vcpus; although they both should have the main lock held, Paolo spotted the cond_wait unlocks the global lock so perhaps they both could end up waiting at the same time? Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Reported-by: Jiri Denemark <jdenemar@redhat.com> Message-Id: <1453716498-27238-1-git-send-email-dgilbert@redhat.com> Cc: qemu-stable@nongnu.org Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> (cherry picked from commit 96bce6831bd19b61e965384427741d805c7234c3) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> 17 March 2016, 21:47:04 UTC
020282d fw_cfg: avoid calculating invalid current entry pointer When calculating a pointer to the currently selected fw_cfg item, the following is used: FWCfgEntry *e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK]; When s->cur_entry is FW_CFG_INVALID, we are calculating the address of a non-existent element in s->entries[arch][...], which is undefined. This patch ensures the resulting entry pointer is set to NULL whenever s->cur_entry is FW_CFG_INVALID. Reported-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com> Signed-off-by: Gabriel Somlo <somlo@cmu.edu> Message-id: 1446733972-1602-5-git-send-email-somlo@cmu.edu Cc: Marc Marí <markmb@redhat.com> Signed-off-by: Gabriel Somlo <somlo@cmu.edu> Reviewed-by: Laszlo Ersek <lersek@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> (cherry picked from commit 66f8fd9dda312191b78d2a2ba2848bcee76127a2) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> 17 March 2016, 21:45:24 UTC
091af18 s390x/css: fix control flags during csch From the beginning, css support contained an error in csch handling: instead of setting the clear bit in the function control bits twice, we need to set the clear pending bit in the activity control bits. Let's fix this. Cc: qemu-stable@nongnu.org Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com> Signed-off-by: Halil Pasic <pasic@linux.vnet.ibm.com> Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com> (cherry picked from commit 4c6bf79a222934ac9ff0e45fc98ea1c986ed5c67) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> 17 March 2016, 21:42:26 UTC
d983923 s390x/ioinst: set type and len for SEI response If no event information is pending, the return code is set to 0x0005 and the length of the response is set to 8 bytes. Signed-off-by: Pierre Morel <pmorel@linux.vnet.ibm.com> Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com> Reviewed-by: Song Shan Gong <gongss@linux.vnet.ibm.com> Cc: qemu-stable@nongnu.org Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com> (cherry picked from commit f70202be535b5601fd02c725dc1d74f3bfc5039c) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> 17 March 2016, 21:42:13 UTC
643c8d8 block/raw-posix: avoid bogus fixup for cylinders on DASD disks Large volume DASD that have > 64k cylinders do claim to have 0xFFFE cylinders as a special value in the old 16 bit field. We want to pass this "token" along to the guest, instead of calculating the real number. Otherwise qemu might fail with "cyls must be between 1 and 65535". Cc: qemu-stable@nongnu.org Acked-by: Cornelia Huck <cornelia.huck@de.ibm.com> Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> (cherry picked from commit 972b543c6b63579aee590b738d21af09f01569f7) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> 17 March 2016, 21:41:43 UTC
3ede27d ehci: update irq on reset After clearing the status register we also have to update the irq line status. Otherwise an irq which happens to be pending at reset time causes an interrupt storm. And the guest can't stop as the status register doesn't indicate any pending interrupt. Both NetBSD and FreeBSD hang on shutdown because of that. Cc: qemu-stable@nongnu.org Reported-by: Andrey Korolyov <andrey@xdel.ru> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Message-id: 1453203884-4125-1-git-send-email-kraxel@redhat.com (cherry picked from commit 5a8660741a8aa19fbf8a5e8a2b3aac88664f4e66) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> 17 March 2016, 21:41:14 UTC
9849b19 net: set endianness on all backend devices commit 5be7d9f1b1452613b95c6ba70b8d7ad3d0797991 vhost-net: tell tap backend about the vnet endianness makes vhost net set the endianness of the device, but only for the first device. In case of multiqueue, we have multiple devices... This patch sets the endianness for all the devices of the interface. Signed-off-by: Laurent Vivier <lvivier@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Greg Kurz <gkurz@linux.vnet.ibm.com> Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com> Reviewed-by: Jason Wang <jasowang@redhat.com> (cherry picked from commit a407644079c8639002e7ea635d851953b10a38c3) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> 17 March 2016, 21:36:19 UTC
fe90bdc net: ne2000: check ring buffer control registers The Ne2000 NIC uses a ring buffer of NE2000_MEM_SIZE (49152) bytes to process network packets. Registers PSTART & PSTOP define ring buffer size & location. Setting these registers to invalid values could lead to an infinite loop or OOB r/w access issues. Add a check to avoid it. Reported-by: Yang Hongke <yanghongke@huawei.com> Tested-by: Yang Hongke <yanghongke@huawei.com> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Signed-off-by: Jason Wang <jasowang@redhat.com> (cherry picked from commit 415ab35a441eca767d033a2702223e785b9d5190) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> 17 March 2016, 21:34:56 UTC
aaa5271 net/filter: fix nf->netdev_id leak Cc: Jason Wang <jasowang@redhat.com> Cc: qemu-stable@nongnu.org Signed-off-by: Li Zhijian <lizhijian@cn.fujitsu.com> Signed-off-by: Jason Wang <jasowang@redhat.com> (cherry picked from commit 671f66f87fbf6cc6a3879f3055f16347b1db91e9) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> 17 March 2016, 21:34:23 UTC
abda95c net/dump: fix nfds->filename leak Cc: Jason Wang <jasowang@redhat.com> Signed-off-by: Li Zhijian <lizhijian@cn.fujitsu.com> Cc: qemu-stable@nongnu.org Signed-off-by: Jason Wang <jasowang@redhat.com> (cherry picked from commit b50c7d452f5aef52cc9e7461f215cab87c3f3b03) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> 17 March 2016, 21:34:15 UTC
6a49a71 blockdev: Fix 'change' for slot devices 'change' and related operations did not work when used on guest devices featuring removable media but no actual tray, because blk_dev_is_tray_open() always returned false for them and the blockdev-{insert,remove}-medium commands required it to return true. Fix this by making blockdev-{insert,remove}-medium work on tray-less devices. Also, blockdev-{open,close}-tray are now explicitly no-ops when invoked on such devices, and blk_dev_change_media_cb() is instead called by blockdev-{insert,remove}-medium (for tray-less devices only). Reported-by: Peter Maydell <peter.maydell@linaro.org> Cc: qemu-stable <qemu-stable@nongnu.org> Signed-off-by: Max Reitz <mreitz@redhat.com> Reviewed-by: Alberto Garcia <berto@igalia.com> Message-id: 1454096953-31773-3-git-send-email-mreitz@redhat.com Reviewed-by: Eric Blake <eblake@redhat.com> (cherry picked from commit 12c7ec87a7d88919b23736176eba3118d1521372) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> 17 March 2016, 21:23:54 UTC
e1a8a09 block: Add blk_dev_has_tray() Pull out the check whether a block device has a tray from blk_dev_is_tray_open() into its own function so both attributes (whether there is a tray vs. whether that tray is open) can be queried independently. Cc: qemu-stable <qemu-stable@nongnu.org> Signed-off-by: Max Reitz <mreitz@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Reviewed-by: Alberto Garcia <berto@igalia.com> Message-id: 1454096953-31773-2-git-send-email-mreitz@redhat.com (cherry picked from commit 8f3a73bc57ea83e5b3930d14fc596ea51859987a) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> 17 March 2016, 21:23:28 UTC
7a2c1c8 net: rocker: fix an incorrect array bounds check While processing transmit(tx) descriptors in 'tx_consume' routine the switch emulator suffers from an off-by-one error, if a descriptor was to have more than allowed (ROCKER_TX_FRAGS_MAX=16) fragments. Fix an incorrect bounds check to avoid it. Reported-by: Qinghao Tang <luodalongde@gmail.com> Cc: qemu-stable@nongnu.org Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Signed-off-by: Jason Wang <jasowang@redhat.com> (cherry picked from commit 007cd223de527b5f41278f2d886c1a4beb3e67aa) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> 15 March 2016, 17:39:32 UTC
702a8d1 ivshmem: remove redundant assignment, fix crash with msi=off Fix crash when msi=false introduced in 660c97ee (msi_vectors is NULL in this case) Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> (cherry picked from commit 47213eb1104709bf238c8d16db20aa47d37b1c59) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> 15 March 2016, 17:35:51 UTC
3e96d5d ivshmem: no need for opaque argument Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> (cherry picked from commit 2c64846972897fc3aec4072f849fae2b00322f8b) *context dependency for 47213eb Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> 15 March 2016, 17:35:25 UTC
16a2875 scsi: initialise info object with appropriate size While processing controller 'CTRL_GET_INFO' command, the routine 'megasas_ctrl_get_info' overflows the '&info' object size. Use its appropriate size to null initialise it. Reported-by: Qinghao Tang <luodalongde@gmail.com> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Message-Id: <alpine.LFD.2.20.1512211501420.22471@wniryva> Cc: qemu-stable@nongnu.org Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: P J P <ppandit@redhat.com> (cherry picked from commit 36fef36b91f7ec0435215860f1458b5342ce2811) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> 15 March 2016, 17:21:11 UTC
4588b0d virtio-9p: use accessor to get thread_pool The aio_context_new() function does not allocate a thread pool. This is deferred to the first call to the aio_get_thread_pool() accessor. It is hence forbidden to access the thread_pool field directly, as it may be NULL. The accessor *must* be used always. Fixes: ebac1202c95a4f1b76b6ef3f0f63926fa76e753e Reviewed-by: Michael Tokarev <mjt@tls.msk.ru> Tested-by: Michael Tokarev <mjt@tls.msk.ru> Cc: qemu-stable@nongnu.org Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com> (cherry picked from commit 4b3a4f2d458ca5a7c6c16ac36a8d9ac22cc253d6) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> 15 March 2016, 17:20:55 UTC
ff083d3 xenfb: avoid reading twice the same fields from the shared page Reading twice the same field could give the guest an attack of opportunity. In the case of event->type, gcc could compile the switch statement into a jump table, effectively ending up reading the type field multiple times. This is part of XSA-155. Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> (cherry picked from commit 7ea11bf376aea4bf8340eb363de9777c7f93e556) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> 15 March 2016, 17:20:35 UTC
4d59e78 xen/blkif: Avoid double access to src->nr_segments src is stored in shared memory and src->nr_segments is dereferenced twice at the end of the function. If a compiler decides to compile this into two separate memory accesses then the size limitation could be bypassed. Fix it by removing the double access to src->nr_segments. This is part of XSA-155. Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> (cherry picked from commit f9e98e5d7a67367b862941e339a98b8322fa0cea) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> 15 March 2016, 17:20:17 UTC
52a7b27 configure: Fix shell syntax to placate OpenBSD's pdksh Unfortunately the OpenBSD pdksh does not like brackets inside the right part of a ${variable+word} parameter expansion: $ echo "${a+($b)}" ksh: ${a+($b)}": bad substitution though both bash and dash accept them. In any case this line was causing odd output in the case where nettle is not present: nettle no () (because if nettle is not present then $nettle will be "no", not a null string or unset). Rewrite it to just use an if. This bug was originally introduced in becaeb726 and was present in the 2.4.0 release. Fixes: https://bugs.launchpad.net/qemu/+bug/1525682 Reported-by: Dmitrij D. Czarkoff Cc: qemu-stable@nongnu.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Eric Blake <eblake@redhat.com> Message-id: 1450105357-8516-1-git-send-email-peter.maydell@linaro.org (cherry picked from commit 18f49881cf8359e89396aac12f5d3cf3f8a632ba) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> 15 March 2016, 17:19:47 UTC
d4aed70 target-ppc: kvm: fix floating point registers sync on little-endian hosts On VSX capable CPUs, the 32 FP registers are mapped to the high-bits of the 32 first VSX registers. So if you have: VSR31 = (uint128) 0x0102030405060708090a0b0c0d0e0f00 then FPR31 = (uint64) 0x0102030405060708 The kernel stores the VSX registers in the fp_state struct following the host endian element ordering. On big-endian: fp_state.fpr[31][0] = 0x0102030405060708 fp_state.fpr[31][1] = 0x090a0b0c0d0e0f00 On little-endian: fp_state.fpr[31][0] = 0x090a0b0c0d0e0f00 fp_state.fpr[31][1] = 0x0102030405060708 The KVM_GET_ONE_REG and KVM_SET_ONE_REG ioctls preserve this ordering, but QEMU considers it as big-endian and always copies element [0] to the fpr[] array and element [1] to the vsr[] array. This does not work with little-endian hosts, and you will get: (qemu) p $f31 0x90a0b0c0d0e0f00 instead of: (qemu) p $f31 0x102030405060708 This patch fixes the element ordering for little-endian hosts. Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com> Signed-off-by: David Gibson <david@gibson.dropbear.id.au> (cherry picked from commit 3a4b791b4c13e02537a5cc572fa3de70bc5f68da) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> 15 March 2016, 17:10:47 UTC
42ae4a3 net: vmxnet3: avoid memory leakage in activate_device The Vmxnet3 device emulator does not check if the device is active before activating it; also, it did not free the transmit & receive buffers while deactivating the device, thus resulting in memory leakage on the host. This patch fixes both these issues to avoid host memory leakage. Reported-by: Qinghao Tang <luodalongde@gmail.com> Reviewed-by: Dmitry Fleytman <dmitry@daynix.com> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Cc: qemu-stable@nongnu.org Signed-off-by: Jason Wang <jasowang@redhat.com> (cherry picked from commit aa4a3dce1c88ed51b616806b8214b7c8428b7470) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> 15 March 2016, 17:08:24 UTC
0d33580 ehci: make idt processing more robust Make ehci_process_itd return an error in case we didn't do any actual iso transfer because we've found no active transaction. That'll avoid ehci happily running in circles forever if the guest builds a loop out of idts. This is CVE-2015-8558. Cc: qemu-stable@nongnu.org Reported-by: Qinghao Tang <luodalongde@gmail.com> Tested-by: P J P <ppandit@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> (cherry picked from commit 156a2e4dbffa85997636a7a39ef12da6f1b40254) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> 15 March 2016, 17:07:11 UTC
a8c40fa Update version for v2.5.0 release Signed-off-by: Peter Maydell <peter.maydell@linaro.org> 16 December 2015, 16:10:14 UTC
f05b42d Update version for v2.5.0-rc4 release Signed-off-by: Peter Maydell <peter.maydell@linaro.org> 11 December 2015, 16:37:55 UTC
6e0abc2 blockdev: Mark {insert, remove}-medium experimental While in the long term we want throttling to be its own block filter BDS, in the short term we want it to be part of the BB instead of a BDS; even in the long term we may want legacy throttling to be automatically tied to the BB. blockdev-insert-medium and blockdev-remove-medium do not retain throttling information in the BB (deliberately so). Therefore, using them means tying this information to a BDS, which would break the model described above. (The same applies to other flags such as detect_zeroes.) We probably want to move this information to the BB or its own filter BDS before blockdev-{insert,remove}-medium can be considered completely stable. Therefore, mark these functions experimental for the time being. Suggested-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Max Reitz <mreitz@redhat.com> Acked-by: Markus Armbruster <armbru@redhat.com> Acked-by: Kevin Wolf <kwolf@redhat.com> Message-id: 1449847385-13986-2-git-send-email-mreitz@redhat.com Reviewed-by: Eric Blake <eblake@redhat.com> [PMM: fixed format nit (underlining) in qmp-commands.hx] Signed-off-by: Peter Maydell <peter.maydell@linaro.org> 11 December 2015, 15:39:29 UTC
3fd3c4b Fix xbzrle vs last_sent_block update My fix (84e7b80a) replaced the last_sent_block update that I'd removed earlier; however it was too aggressive in the xbzrle case. save_xbzrle_page might return '0' to mean that the page didn't need sending since it was the same as the last sent version; in this case we can't update 'last_sent_block' since we didn't actually send it. Symptom: 'Illegal RAM offset 1018000' as we try and send a page to the wrong RAMBlock; potentially that could be a data corruption if you were really unlucky. Fixes: 84e7b80a05c0c44b90533c6cd2f1db5c932ccf77 Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Reviewed-by: Juan Quintela <quintela@redhat.com> Message-id: 1449765106-6528-1-git-send-email-dgilbert@redhat.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org> 11 December 2015, 12:51:27 UTC
b969526 Update language files for QEMU 2.5.0 Update translation files (change created via 'make -C po update'). Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Stefan Weil <sw@weilnetz.de> Message-id: 1449754467-3496-1-git-send-email-peter.maydell@linaro.org 10 December 2015, 13:50:45 UTC
bd4e097 sparc: allow CASA with ASI 0xa from user space LEON3 allows the CASA instruction to be used from user space if the ASI is set to 0xa (user data). Signed-off-by: Alex Zuepke <azu@sysgo.de> Reviewed-by: Richard Henderson <rth@twiddle.net> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> 10 December 2015, 11:19:18 UTC
a3154cc MAINTAINERS: add maintainer to virtio-9p As suggested by Paolo, I add myself as maintainer for virtio-9p. Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com> Acked-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com> Message-id: 20151130154016.20108.79073.stgit@bahia.huguette.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org> 10 December 2015, 11:17:25 UTC
6cecf09 virtio-9p-device: add minimal unrealize handler Since commit 4652f1640e029e1f2433fa77ba6af285 "virtio-9p: add savevm handlers", if the user hot-unplugs a quiescent 9p device and live migrates, the source QEMU crashes before migration completion... This happens because virtio-9p devices have a realize handler which calls virtio_init() and register_savevm(). Both calls store pointers to the device internals, that get dereferenced during migration even if the device got unplugged. This patch simply adds an unrealize handler to perform minimal cleanup and avoid the crash. Hot unplug of non-quiescent 9p devices is still not supported in QEMU, and not supported by linux guests either. Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Message-id: 20151208155457.27775.69441.stgit@bahia.huguette.org [PMM: rewrapped long lines in commit message] Signed-off-by: Peter Maydell <peter.maydell@linaro.org> 10 December 2015, 10:46:22 UTC
c3626ca Update version for v2.5.0-rc3 release Signed-off-by: Peter Maydell <peter.maydell@linaro.org> 07 December 2015, 17:47:40 UTC
ba306c7 sd: Mark brittle abuse of blk_attach_dev() FIXME blk_attach_dev() fails here only when we're working for device "sdhci-pci" (which already attached the backend), and then we don't want to attach a second time. If we ever create another failure mode, we're setting up ourselves to using the same backend from multiple frontends, which is likely to end in tears. Can't clean this up this close to the release, so mark it FIXME. Signed-off-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Message-id: 1449503710-3707-3-git-send-email-armbru@redhat.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org> 07 December 2015, 17:13:10 UTC
79f2170 sdhci: Sanitize "sdhci-pci" properties for future qomification We currently fuse controller and card into a single device model, but we intend qomify things properly and separate the two. The properties that really belong to the card would then have to somehow pass-through to the card's properties. To avoid that complication, either mark them experimental or drop them. Properties "capareg", "maxcurr" and the usual PCI device properties belong to the controller. Property "drive" belongs to the card; rename it to "x-drive". Properties "logical_block_size", "physical_block_size", "min_io_size", "opt_io_size", "discard_granularity" belong to the card, but have no effect; drop them. Signed-off-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Message-id: 1449503710-3707-2-git-send-email-armbru@redhat.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org> 07 December 2015, 17:13:10 UTC
a616fb7 virtio-blk: Drop x-data-plane option The official way of enabling dataplane is through the "iothread" property that references an iothread object created by "-object iothread". Since the old "x-data-plane=on" way now even crashes, it's probably easier to just drop it: $ qemu-system-x86_64 -drive file=null-co://,id=d0,if=none \ -device virtio-blk-pci,drive=d0,x-data-plane=on ERROR:/home/fam/work/qemu/qom/object.c:1515: object_get_canonical_path_component: assertion failed: (obj->parent != NULL) Aborted Signed-off-by: Fam Zheng <famz@redhat.com> Message-id: 1449485967-19240-1-git-send-email-famz@redhat.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org> 07 December 2015, 16:47:16 UTC
8494297 Merge remote-tracking branch 'remotes/jasowang/tags/net-pull-request' into staging # gpg: Signature made Mon 07 Dec 2015 14:06:07 GMT using RSA key ID 398D6211 # gpg: Good signature from "Jason Wang (Jason Wang on RedHat) <jasowang@redhat.com>" # gpg: WARNING: This key is not certified with sufficiently trusted signatures! # gpg: It is not certain that the signature belongs to the owner. # Primary key fingerprint: 215D 46F4 8246 689E C77F 3562 EF04 965B 398D 6211 * remotes/jasowang/tags/net-pull-request: lan9118: log and ignore access to invalid registers, rather than aborting lan9118: fix emulation of MAC address loaded bit in E2P_CMD register vmxnet3: silence warning pcnet: fix rx buffer overflow(CVE-2015-7512) net: pcnet: add check to validate receive data size(CVE-2015-7504) e1000: fix hang of win2k12 shutdown with flood ping Signed-off-by: Peter Maydell <peter.maydell@linaro.org> 07 December 2015, 14:18:31 UTC
52b4bb7 lan9118: log and ignore access to invalid registers, rather than aborting With this change, access to invalid/unimplemented device registers are logged as a "guest error" rather than aborting qemu with hw_error. This enables drivers for similar devices (e.g. SMSC 9221), by simply ignoring the unimplemented writes. It's also closer to what real hardware does. Signed-off-by: Andrew Baumann <Andrew.Baumann@microsoft.com> Signed-off-by: Jason Wang <jasowang@redhat.com> 07 December 2015, 13:43:48 UTC
12fdd92 lan9118: fix emulation of MAC address loaded bit in E2P_CMD register There appears to have been a longstanding typo in the implementation of the "MAC address loaded" bit in the E2P_CMD (EEPROM command) register. The code was using 0x10, but the controller spec says it should be bit 8 (0x100). Signed-off-by: Andrew Baumann <Andrew.Baumann@microsoft.com> Signed-off-by: Jason Wang <jasowang@redhat.com> 07 December 2015, 13:43:48 UTC
6a9c647 vmxnet3: silence warning vmxnet3 always produces a warning under qtest. This is not a user error, don't warn. Suggested-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Jason Wang <jasowang@redhat.com> 07 December 2015, 13:43:48 UTC
8b98a2f pcnet: fix rx buffer overflow (CVE-2015-7512) Backends could provide a packet whose length is greater than buffer size. Check for this and truncate the packet to avoid rx buffer overflow in this case. Cc: Prasad J Pandit <pjp@fedoraproject.org> Cc: qemu-stable@nongnu.org Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Jason Wang <jasowang@redhat.com> 07 December 2015, 13:43:48 UTC
837f21a net: pcnet: add check to validate receive data size (CVE-2015-7504) In loopback mode, pcnet_receive routine appends CRC code to the receive buffer. If the data size given is the same as the buffer size, the appended CRC code overwrites 4 bytes after s->buffer. Added a check to avoid that. Reported by: Qinghao Tang <luodalongde@gmail.com> Cc: qemu-stable@nongnu.org Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Signed-off-by: Jason Wang <jasowang@redhat.com> 07 December 2015, 13:43:48 UTC
9596ef7 e1000: fix hang of win2k12 shutdown with flood ping e1000 driver in Win2k12 is really well rotten. It 100% hangs on shutdown of UP VM under flood ping. The guest checks card state and reinjects itself interrupt in a loop. This is fatal for UP machine. There is no good way to fix this misbehavior but to kludge it. The emulation has interrupt throttling register aka ITR which limits interrupt rate and allows the guest to proceed this phase. There is no problem with this kludge for Linux guests - it adjusts the value of it itself. On the other hand according to the initial research in commit e9845f0985f088dd01790f4821026df0afba5795 Author: Vincenzo Maffione <v.maffione@gmail.com> Date: Fri Aug 2 18:30:52 2013 +0200 e1000: add interrupt mitigation support ... Interrupt mitigation boosts performance when the guest suffers from a high interrupt rate (i.e. receiving short UDP packets at high packet rate). For some numerical results see the following link http://info.iet.unipi.it/~luigi/papers/20130520-rizzo-vm.pdf this should also boost performance a bit. See https://bugzilla.redhat.com/show_bug.cgi?id=874406 for additional details. Signed-off-by: Denis V. Lunev <den@openvz.org> CC: Vincenzo Maffione <v.maffione@gmail.com> CC: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Jason Wang <jasowang@redhat.com> 07 December 2015, 13:43:43 UTC
a5582ea Merge remote-tracking branch 'remotes/afaerber/tags/qom-devices-for-peter' into staging QOM infrastructure fixes and device conversions * Documentation update * qom-test and related fixes # gpg: Signature made Fri 04 Dec 2015 17:54:55 GMT using RSA key ID 3E7E013F # gpg: Good signature from "Andreas Färber <afaerber@suse.de>" # gpg: aka "Andreas Färber <afaerber@suse.com>" * remotes/afaerber/tags/qom-devices-for-peter: qom-test: Fix qmp() leaks tests: Use proper functions types instead of void (*fn) qom: Update documentation comment of struct Object tests: Fix check-report-qtest-% target Signed-off-by: Peter Maydell <peter.maydell@linaro.org> 04 December 2015, 18:11:40 UTC
0d2cd78 qom-test: Fix qmp() leaks Before this patch ASAN reported: SUMMARY: AddressSanitizer: 677165875 byte(s) leaked in 1272437 allocation(s) After this patch: SUMMARY: AddressSanitizer: 465 byte(s) leaked in 32 allocation(s) Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-Id: <1448551895-871-1-git-send-email-marcandre.lureau@redhat.com> [Straightforwardly rebased onto the previous patch] Signed-off-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Andreas Färber <afaerber@suse.de> 04 December 2015, 17:29:31 UTC
041088c tests: Use proper functions types instead of void (*fn) We have several function parameters declared as void (*fn). This is just a stupid way to write void *, and the only purpose writing it like that could serve is obscuring the sin of bypassing the type system without need. The original sin is commit 49ee359: its qtest_add_func() is a wrapper for g_test_add_func(). Fix the parameter type to match g_test_add_func()'s. This uncovers type errors in ide-test.c; fix them. Commit 7949c0e faithfully repeated the sin for qtest_add_data_func(). Fix it the same way, along with a harmless type error uncovered in vhost-user-test.c. Commit 063c23d repeated it for qtest_add_abrt_handler(). The screwy parameter gets assigned to GHook member func, so change its type to match. Requires wrapping kill_qemu() to keep the type checker happy. Signed-off-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> [AF/armbru: Inline GTestFunc/GTestDataFunc typedef for old GLib] Signed-off-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Andreas Färber <afaerber@suse.de> 04 December 2015, 17:25:42 UTC
61e3aa2 Merge remote-tracking branch 'remotes/mjt/tags/pull-trivial-patches-2015-12-04' into staging trivial patches for 2015-12-04 # gpg: Signature made Fri 04 Dec 2015 06:40:23 GMT using RSA key ID A4C3D7DB # gpg: Good signature from "Michael Tokarev <mjt@tls.msk.ru>" # gpg: aka "Michael Tokarev <mjt@corpit.ru>" # gpg: aka "Michael Tokarev <mjt@debian.org>" * remotes/mjt/tags/pull-trivial-patches-2015-12-04: bt: check struct sizes typedefs: Put them back into alphabetical order scsi: remove scsi_req_free prototype gt64xxx: fix decoding of ISD register configure: use appropriate code fragment for -fstack-protector checks crypto: avoid two coverity false positive error reports configure: Diagnose broken linkers directly bt: avoid unintended sign extension util/id: fully allocate names table Signed-off-by: Peter Maydell <peter.maydell@linaro.org> 04 December 2015, 10:55:03 UTC
f33d046 Merge remote-tracking branch 'remotes/dgibson/tags/ppc-for-2.5-20151204' into staging ppc patch queue for 2.5 2015-12-04 This contains some last minute QOM behaviour fixes from Markus Armbruster. # gpg: Signature made Fri 04 Dec 2015 06:43:54 GMT using RSA key ID 20D9B392 # gpg: Good signature from "David Gibson <david@gibson.dropbear.id.au>" # gpg: aka "David Gibson (Red Hat) <dgibson@redhat.com>" # gpg: aka "David Gibson (ozlabs.org) <dgibson@ozlabs.org>" # gpg: WARNING: This key is not certified with sufficiently trusted signatures! # gpg: It is not certain that the signature belongs to the owner. # Primary key fingerprint: 75F4 6586 AE61 A66C C44E 87DC 6C38 CACA 20D9 B392 * remotes/dgibson/tags/ppc-for-2.5-20151204: spapr_drc: Change value of property "fdt" from null back to {} spapr_drc: Make device "spapr-dr-connector" unavailable with -device spapr_drc: Handle visitor errors properly Signed-off-by: Peter Maydell <peter.maydell@linaro.org> 04 December 2015, 09:49:28 UTC
9847574 bt: check struct sizes See http://permalink.gmane.org/gmane.linux.bluez.kernel/36505. For historical reasons these do not use sizeof, and Coverity caught a mistake in EVT_ENCRYPT_CHANGE_SIZE. In addition: - remove status from create_conn_cancel_cp; the "status" field is only in rp structs. Note that this means that the OCF_CREATE_CONN_CANCEL could never have worked (it would have failed the LENGTH_CHECK), but I am keeping it anyway. - OCF_READ_LINK_QUALITY similarly could never have worked, but I am fixing read_link_quality_cp anyway. - fix inquiry_info which is shorter by one: the kernel has a struct that is 14 byte long, but not counting the initial num_responses byte which the kernel parses separately; - remove extended_inquiry_info altogether, since it's not used and unlike the other inquiry structs does not have the initial num_responses byte. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 04 December 2015, 06:39:55 UTC
2988cbe typedefs: Put them back into alphabetical order "Please keep this list in alphabetical order" has been more honoured in the breach than in the observance. Clean up. While there, drop a redundant struct declaration. Signed-off-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 04 December 2015, 06:39:55 UTC
8ea9900 scsi: remove scsi_req_free prototype Function has been deleted in ad2d30f79d3b0812f02c741be2189796b788d6d7. Signed-off-by: Hervé Poussineau <hpoussin@reactos.org> Reviewed-by: Fam Zheng <famz@redhat.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 04 December 2015, 06:39:55 UTC
63fc737 gt64xxx: fix decoding of ISD register The GT64xxx's internal registers can be placed above the first 4 GiB in the address space, but not above the first 64 GiB. Correctly cast the register to a 64-bit integer, and mask away bits above bit 35. Datasheet at http://pdf.datasheetarchive.com/datasheetsmain/Datasheets-33/DSA-655889.pdf (bug reported by Coverity). Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 04 December 2015, 06:39:55 UTC
fccd35a configure: use appropriate code fragment for -fstack-protector checks The check for stack-protector support consisted in compiling and linking the test program below (output by function write_c_skeleton()) with the compiler flag -fstack-protector-strong first and then with -fstack-protector-all if the first one failed to work: int main(void) { return 0; } This caused false positives when using certain toolchains in which the compiler accepted -fstack-protector-strong but no support was provided by the C library, since for this stack-protector variant the compiler emits canary code only for functions that meet specific conditions (local arrays, memory references to local variables, etc.) and the code fragment under test included none of them (hence no stack protection code generated, no link failure). This fix changes the test program used for -fstack-protector checks to include a function that meets conditions which cause the compiler to generate canary code in all variants. Signed-off-by: Rodrigo Rebello <rprebello@gmail.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 04 December 2015, 06:39:55 UTC
0e1d024 crypto: avoid two coverity false positive error reports In qcrypto_tls_creds_get_path() coverity complains that we are checking '*creds' for NULL, despite having dereferenced it previously. This is a harmless bug due to the fact that the trace call was too early. Moving it after the cleanup gets the desired semantics. In qcrypto_tls_creds_check_cert_key_purpose() coverity complains that we're passing a pointer to a previously free'd buffer into gnutls_x509_crt_get_key_purpose_oid() This is harmless because we're passing a size == 0, so gnutls won't access the buffer, but rather just report what size it needs to be. We can avoid it though by explicitly setting the buffer to NULL after free'ing it. Signed-off-by: Daniel P. Berrange <berrange@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 04 December 2015, 06:39:55 UTC
0ef74c7 configure: Diagnose broken linkers directly Currently if the user's compiler works for creating .o files but their linker is broken such that compiling an executable from a C file does not work, we will report a misleading error message about the compiler not supporting __thread (since that happens to be the first test we run which requires a working linker). Explicitly check that compile_prog works as well as compile_object, so that people whose toolchain setup is broken get a more helpful error message. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 04 December 2015, 06:39:55 UTC
e0df8f1 bt: avoid unintended sign extension In the case of a 4-byte length, shifting a value by 24 may cause an unintended sign extension when converting from int to size_t. Use a uint32_t variable instead. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 04 December 2015, 06:39:55 UTC
624533e util/id: fully allocate names table Trivial: this array should be allocated to have ID_MAX entries always. Otherwise if someone were to forget to expand this table, the assertion in the id generator won't actually trigger; it will read junk data. Signed-off-by: John Snow <jsnow@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Reviewed-by: Jeff Cody <jcody@redhat.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 04 December 2015, 06:39:55 UTC
ab8bf1d spapr_drc: Change value of property "fdt" from null back to {} prop_get_fdt() misuses the visitor API: when fdt is null, it doesn't visit anything. object_property_get_qobject() happily object_property_get_qobject(). Amazingly, the latter survives the misuse. Turns out we've papered over it long before prop_get_fdt() existed, in commit 1d10b44. However, commit 6c2f9a1 changed how we paper over it, and as a side effect changed qom-get's value from {} to null. Change it right back by fixing the visitor misuse. Signed-off-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: David Gibson <david@gibson.dropbear.id.au> 04 December 2015, 05:50:59 UTC
c401ae8 spapr_drc: Make device "spapr-dr-connector" unavailable with -device It should only be created via spapr_dr_connector_new(). Attempting to create it with -device crashes. Signed-off-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: David Gibson <david@gibson.dropbear.id.au> 03 December 2015, 23:56:29 UTC
c75304a spapr_drc: Handle visitor errors properly Since prop_get_fdt() is only used with QmpOutputVisitor, errors shouldn't actually happen, so this is only a latent bug. Signed-off-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: David Gibson <david@gibson.dropbear.id.au> 03 December 2015, 23:56:29 UTC
70ae0b6 qom: Update documentation comment of struct Object It doesn't have "GSList *interfaces" anymore, drop the paragraph. Signed-off-by: Cao jin <caoj.fnst@cn.fujitsu.com> Signed-off-by: Andreas Färber <afaerber@suse.de> 03 December 2015, 19:10:22 UTC
b5e62af tests: Fix check-report-qtest-% target Commit e253c28 ("tests: Fix how qom-test is run") introduced $(qtest-generic-y) and used it for check-qtest-% target, but did not update check-report-qtest-%. This causes check-report-qtest-aarch64.xml target to fail with a gtester usage error for lack of test arguments. Fix this by adding $(qtest-generic-y) in check-report-qtest-%. Also add it in check-clean target, spotted by Markus. Reviewed-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Andreas Färber <afaerber@suse.de> 03 December 2015, 19:07:05 UTC
4c65fed ui: vnc: avoid floating point exception While sending 'SetPixelFormat' messages to a VNC server, the client could set the 'red-max', 'green-max' and 'blue-max' values to be zero. This leads to a floating point exception in write_png_palette while doing frame buffer updates. Reported-by: Lian Yihan <lianyihan@360.cn> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Reviewed-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> 03 December 2015, 13:34:50 UTC
efdeb96 Merge remote-tracking branch 'remotes/stefanha/tags/block-pull-request' into staging # gpg: Signature made Thu 03 Dec 2015 04:59:48 GMT using RSA key ID 81AB73C8 # gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>" # gpg: aka "Stefan Hajnoczi <stefanha@gmail.com>" * remotes/stefanha/tags/block-pull-request: iotests: Add regression test case for write notifier assertion failure iotests: Add "add_drive_raw" method block: Don't wait serialising for non-COR read requests iothread: include id in thread name Signed-off-by: Peter Maydell <peter.maydell@linaro.org> 03 December 2015, 11:08:43 UTC
eab0ebc Merge remote-tracking branch 'remotes/juanquintela/tags/migration/20151203' into staging migration/next for 20151203 # gpg: Signature made Wed 02 Dec 2015 23:19:10 GMT using RSA key ID 5872D723 # gpg: Good signature from "Juan Quintela <quintela@redhat.com>" # gpg: aka "Juan Quintela <quintela@trasno.org>" * remotes/juanquintela/tags/migration/20151203: migration: do floating-point division migration: Clean up use of g_poll() in socket_writev_buffer() Signed-off-by: Peter Maydell <peter.maydell@linaro.org> 03 December 2015, 10:43:43 UTC