Hello community,
here is the log from the commit of package xen for openSUSE:Factory checked in at 2016-02-25 21:55:47
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/xen (Old)
and /work/SRC/openSUSE:Factory/.xen.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "xen"
Changes:
--------
--- /work/SRC/openSUSE:Factory/xen/xen.changes 2016-02-07 09:22:41.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.xen.new/xen.changes 2016-02-25 22:02:13.000000000 +0100
@@ -1,0 +2,79 @@
+Thu Feb 11 09:29:01 MST 2016 - carnold@suse.com
+
+- Update to Xen Version 4.6.1
+ xen-4.6.1-testing-src.tar.bz2
+- Dropped patches now contained in tarball or unnecessary
+ xen-4.6.0-testing-src.tar.bz2
+ 5604f239-x86-PV-properly-populate-descriptor-tables.patch
+ 561bbc8b-VT-d-don-t-suppress-invalidation-address-write-when-it-is-zero.patch
+ 561d2046-VT-d-use-proper-error-codes-in-iommu_enable_x2apic_IR.patch
+ 561d20a0-x86-hide-MWAITX-from-PV-domains.patch
+ 561e3283-x86-NUMA-fix-SRAT-table-processor-entry-parsing-and-consumption.patch
+ 5632118e-arm-Support-hypercall_create_continuation-for-multicall.patch
+ 56321222-arm-rate-limit-logging-from-unimplemented-PHYSDEVOP-and-HVMOP.patch
+ 56321249-arm-handle-races-between-relinquish_memory-and-free_domheap_pages.patch
+ 5632127b-x86-guard-against-undue-super-page-PTE-creation.patch
+ 5632129c-free-domain-s-vcpu-array.patch
+ 563212c9-x86-PoD-Eager-sweep-for-zeroed-pages.patch
+ 563212e4-xenoprof-free-domain-s-vcpu-array.patch
+ 563212ff-x86-rate-limit-logging-in-do_xen-oprof-pmu-_op.patch
+ 56323737-libxl-adjust-PoD-target-by-memory-fudge-too.patch
+ 56377442-x86-PoD-Make-p2m_pod_empty_cache-restartable.patch
+ 5641ceec-x86-HVM-always-intercept-AC-and-DB.patch
+ 56549f24-x86-vPMU-document-as-unsupported.patch
+ 5677f350-x86-make-debug-output-consistent-in-hvm_set_callback_via.patch
+ xsa155-qemut-qdisk-double-access.patch
+ xsa155-qemut-xenfb.patch
+ xsa155-qemuu-qdisk-double-access.patch
+ xsa155-qemuu-xenfb.patch
+ xsa159.patch
+ xsa160.patch
+ xsa162-qemut.patch
+ xsa165.patch
+ xsa166.patch
+ xsa167.patch
+ xsa168.patch
+
+-------------------------------------------------------------------
+Fri Feb 5 08:51:16 MST 2016 - carnold@suse.com
+
+- bsc#965269 - VUL-1: CVE-2015-8619: xen: stack based OOB write in
+ hmp_sendkey routine
+ CVE-2015-8619-qemuu-stack-based-OOB-write-in-hmp_sendkey-routine.patch
+
+-------------------------------------------------------------------
+Thu Feb 4 09:26:34 MST 2016 - carnold@suse.com
+
+- bsc#965156 - VUL-0: CVE-2015-6855: xen: ide: divide by zero issue
+ CVE-2015-6855-qemuu-ide-divide-by-zero-issue.patch
+
+-------------------------------------------------------------------
+Wed Feb 3 10:47:41 MST 2016 - carnold@suse.com
+
+- bsc#964947 - VUL-0: CVE-2015-5278: xen: Infinite loop in
+ ne2000_receive() function
+ CVE-2015-5278-qemut-Infinite-loop-in-ne2000_receive-function.patch
+- bsc#956832 - VUL-0: CVE-2015-8345: xen: qemu: net: eepro100:
+ infinite loop in processing command block list
+ CVE-2015-8345-qemuu-eepro100-infinite-loop-fix.patch
+ CVE-2015-8345-qemut-eepro100-infinite-loop-fix.patch
+
+-------------------------------------------------------------------
+Tue Feb 2 08:45:07 MST 2016 - carnold@suse.com
+
+- bsc#964644 - VUL-0: CVE-2013-4533: xen pxa2xx: buffer overrun on
+ incoming migration
+ CVE-2013-4533-qemut-pxa2xx-buffer-overrun-on-incoming-migration.patch
+- bsc#964925 - VUL-0: CVE-2014-0222: xen: qcow1: validate L2 table
+ size to avoid integer overflows
+ CVE-2014-0222-blktap-qcow1-validate-l2-table-size.patch
+- Dropped CVE-2014-0222-qemuu-qcow1-validate-l2-table-size.patch
+
+-------------------------------------------------------------------
+Mon Feb 1 13:29:55 MST 2016 - carnold@suse.com
+
+- bsc#964415 - VUL-1: CVE-2016-2198: xen: usb: ehci null pointer
+ dereference in ehci_caps_write
+ CVE-2016-2198-qemuu-usb-ehci-null-pointer-dereference-in-ehci_caps_write.patch
+
+-------------------------------------------------------------------
Old:
----
5604f239-x86-PV-properly-populate-descriptor-tables.patch
561bbc8b-VT-d-don-t-suppress-invalidation-address-write-when-it-is-zero.patch
561d2046-VT-d-use-proper-error-codes-in-iommu_enable_x2apic_IR.patch
561d20a0-x86-hide-MWAITX-from-PV-domains.patch
561e3283-x86-NUMA-fix-SRAT-table-processor-entry-parsing-and-consumption.patch
5632118e-arm-Support-hypercall_create_continuation-for-multicall.patch
56321222-arm-rate-limit-logging-from-unimplemented-PHYSDEVOP-and-HVMOP.patch
56321249-arm-handle-races-between-relinquish_memory-and-free_domheap_pages.patch
5632127b-x86-guard-against-undue-super-page-PTE-creation.patch
5632129c-free-domain-s-vcpu-array.patch
563212c9-x86-PoD-Eager-sweep-for-zeroed-pages.patch
563212e4-xenoprof-free-domain-s-vcpu-array.patch
563212ff-x86-rate-limit-logging-in-do_xen-oprof-pmu-_op.patch
56323737-libxl-adjust-PoD-target-by-memory-fudge-too.patch
56377442-x86-PoD-Make-p2m_pod_empty_cache-restartable.patch
5641ceec-x86-HVM-always-intercept-AC-and-DB.patch
56549f24-x86-vPMU-document-as-unsupported.patch
5677f350-x86-make-debug-output-consistent-in-hvm_set_callback_via.patch
CVE-2014-0222-qemuu-qcow1-validate-l2-table-size.patch
xen-4.6.0-testing-src.tar.bz2
xsa155-qemut-qdisk-double-access.patch
xsa155-qemut-xenfb.patch
xsa155-qemuu-qdisk-double-access.patch
xsa155-qemuu-xenfb.patch
xsa159.patch
xsa160.patch
xsa162-qemut.patch
xsa165.patch
xsa166.patch
xsa167.patch
xsa168.patch
New:
----
CVE-2013-4533-qemut-pxa2xx-buffer-overrun-on-incoming-migration.patch
CVE-2014-0222-blktap-qcow1-validate-l2-table-size.patch
CVE-2015-5278-qemut-Infinite-loop-in-ne2000_receive-function.patch
CVE-2015-6855-qemuu-ide-divide-by-zero-issue.patch
CVE-2015-8619-qemuu-stack-based-OOB-write-in-hmp_sendkey-routine.patch
CVE-2016-2198-qemuu-usb-ehci-null-pointer-dereference-in-ehci_caps_write.patch
xen-4.6.1-testing-src.tar.bz2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ xen.spec ++++++
--- /var/tmp/diff_new_pack.77a1IC/_old 2016-02-25 22:02:25.000000000 +0100
+++ /var/tmp/diff_new_pack.77a1IC/_new 2016-02-25 22:02:25.000000000 +0100
@@ -1,7 +1,7 @@
#
# spec file for package xen
#
-# Copyright (c) 2016 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -15,12 +15,13 @@
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
+
# needssslcertforbuild
Name: xen
ExclusiveArch: %ix86 x86_64 %arm aarch64
%define changeset 31594
-%define xen_build_dir xen-4.6.0-testing
+%define xen_build_dir xen-4.6.1-testing
#
%define with_kmp 0
%define with_debug 0
@@ -162,12 +163,12 @@
%endif
%endif
-Version: 4.6.0_08
+Version: 4.6.1_01
Release: 0
Summary: Xen Virtualization: Hypervisor (aka VMM aka Microkernel)
License: GPL-2.0
Group: System/Kernel
-Source0: xen-4.6.0-testing-src.tar.bz2
+Source0: xen-4.6.1-testing-src.tar.bz2
Source1: stubdom.tar.bz2
Source2: qemu-xen-traditional-dir-remote.tar.bz2
Source3: qemu-xen-dir-remote.tar.bz2
@@ -203,43 +204,14 @@
Source99: baselibs.conf
# Upstream patches
Patch1: 55f7f9d2-libxl-slightly-refine-pci-assignable-add-remove-handling.patch
-Patch2: 5604f239-x86-PV-properly-populate-descriptor-tables.patch
-Patch3: 561bbc8b-VT-d-don-t-suppress-invalidation-address-write-when-it-is-zero.patch
-Patch4: 561d2046-VT-d-use-proper-error-codes-in-iommu_enable_x2apic_IR.patch
-Patch5: 561d20a0-x86-hide-MWAITX-from-PV-domains.patch
-Patch6: 561e3283-x86-NUMA-fix-SRAT-table-processor-entry-parsing-and-consumption.patch
-Patch7: 5628fc67-libxl-No-emulated-disk-driver-for-xvdX-disk.patch
-Patch8: 5632118e-arm-Support-hypercall_create_continuation-for-multicall.patch
-Patch9: 56321222-arm-rate-limit-logging-from-unimplemented-PHYSDEVOP-and-HVMOP.patch
-Patch10: 56321249-arm-handle-races-between-relinquish_memory-and-free_domheap_pages.patch
-Patch11: 5632127b-x86-guard-against-undue-super-page-PTE-creation.patch
-Patch12: 5632129c-free-domain-s-vcpu-array.patch
-Patch13: 563212c9-x86-PoD-Eager-sweep-for-zeroed-pages.patch
-Patch14: 563212e4-xenoprof-free-domain-s-vcpu-array.patch
-Patch15: 563212ff-x86-rate-limit-logging-in-do_xen-oprof-pmu-_op.patch
-Patch16: 56323737-libxl-adjust-PoD-target-by-memory-fudge-too.patch
-Patch17: 56377442-x86-PoD-Make-p2m_pod_empty_cache-restartable.patch
-Patch18: 5641ceec-x86-HVM-always-intercept-AC-and-DB.patch
-Patch19: 5644b756-x86-HVM-don-t-inject-DB-with-error-code.patch
-Patch20: 5649bcbe-libxl-relax-readonly-check-introduced-by-XSA-142-fix.patch
-Patch21: 56549f24-x86-vPMU-document-as-unsupported.patch
-Patch22: 5677f350-x86-make-debug-output-consistent-in-hvm_set_callback_via.patch
+Patch2: 5628fc67-libxl-No-emulated-disk-driver-for-xvdX-disk.patch
+Patch3: 5644b756-x86-HVM-don-t-inject-DB-with-error-code.patch
+Patch4: 5649bcbe-libxl-relax-readonly-check-introduced-by-XSA-142-fix.patch
Patch15501: xsa155-xen-0001-xen-Add-RING_COPY_REQUEST.patch
Patch15502: xsa155-xen-0002-blktap2-Use-RING_COPY_REQUEST.patch
Patch15503: xsa155-xen-0003-libvchan-Read-prod-cons-only-once.patch
-Patch15504: xsa155-qemuu-qdisk-double-access.patch
-Patch15505: xsa155-qemut-qdisk-double-access.patch
-Patch15506: xsa155-qemuu-xenfb.patch
-Patch15507: xsa155-qemut-xenfb.patch
-Patch159: xsa159.patch
-Patch160: xsa160.patch
-Patch16201: xsa162-qemuu.patch
-Patch16202: xsa162-qemut.patch
+Patch162: xsa162-qemuu.patch
Patch164: xsa164.patch
-Patch165: xsa165.patch
-Patch166: xsa166.patch
-Patch167: xsa167.patch
-Patch168: xsa168.patch
# Upstream qemu
Patch250: VNC-Support-for-ExtendedKeyEvent-client-message.patch
Patch251: 0001-net-move-the-tap-buffer-into-TAPState.patch
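Review bot: The entries dropped in this hunk include security patches for both qemu trees (`xsa155-qemut-*`, `xsa155-qemuu-*`, `xsa162-qemut.patch`, `xsa159.patch`, `xsa160.patch`, `xsa165.patch` to `xsa168.patch`), and the changelog covers them all with one line, "now contained in tarball or unnecessary". In the visible spec hunks only `Source0` changes, while the qemut patches target `qemu-xen-traditional-dir-remote`, which is built from `Source2`. The page does not show whether that tarball was refreshed, so each dropped XSA fix should be confirmed present in the sources actually built. A per-patch remark in xen.changes saying which patches were upstreamed and which were judged unnecessary would make that auditable. The matching `%patch` removals in the `@@ -551,40 +528,11 @@` hunk fall under the same point.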
@@ -252,7 +224,6 @@
Patch258: 0008-e1000-check-buffer-availability.patch
Patch259: CVE-2015-4037-qemuu-smb-config-dir-name.patch
Patch260: CVE-2015-4037-qemut-smb-config-dir-name.patch
-Patch261: CVE-2014-0222-qemuu-qcow1-validate-l2-table-size.patch
Patch262: CVE-2014-0222-qemut-qcow1-validate-l2-table-size.patch
Patch263: CVE-2015-8345-qemuu-eepro100-infinite-loop-fix.patch
Patch264: CVE-2015-8345-qemut-eepro100-infinite-loop-fix.patch
@@ -278,6 +249,11 @@
Patch284: CVE-2013-4539-qemut-tsc210x-fix-buffer-overrun-on-invalid-state-load.patch
Patch285: CVE-2016-1981-qemuu-e1000-eliminate-infinite-loops-on-out-of-bounds-transfer.patch
Patch286: CVE-2016-1981-qemut-e1000-eliminate-infinite-loops-on-out-of-bounds-transfer.patch
+Patch287: CVE-2016-2198-qemuu-usb-ehci-null-pointer-dereference-in-ehci_caps_write.patch
+Patch288: CVE-2013-4533-qemut-pxa2xx-buffer-overrun-on-incoming-migration.patch
+Patch289: CVE-2015-5278-qemut-Infinite-loop-in-ne2000_receive-function.patch
+Patch290: CVE-2015-6855-qemuu-ide-divide-by-zero-issue.patch
+Patch291: CVE-2015-8619-qemuu-stack-based-OOB-write-in-hmp_sendkey-routine.patch
# Our platform specific patches
Patch321: xen-destdir.patch
Patch322: vif-bridge-no-iptables.patch
@@ -332,6 +308,7 @@
Patch471: qemu-xen-enable-spice-support.patch
Patch472: tigervnc-long-press.patch
Patch473: xendomains-libvirtd-conflict.patch
+Patch474: CVE-2014-0222-blktap-qcow1-validate-l2-table-size.patch
# Hypervisor and PV driver Patches
Patch501: x86-ioapic-ack-default.patch
Patch502: x86-cpufreq-report.patch
@@ -551,40 +528,11 @@
%patch2 -p1
%patch3 -p1
%patch4 -p1
-%patch5 -p1
-%patch6 -p1
-%patch7 -p1
-%patch8 -p1
-%patch9 -p1
-%patch10 -p1
-%patch11 -p1
-%patch12 -p1
-%patch13 -p1
-%patch14 -p1
-%patch15 -p1
-%patch16 -p1
-%patch17 -p1
-%patch18 -p1
-%patch19 -p1
-%patch20 -p1
-%patch21 -p1
-%patch22 -p1
%patch15501 -p1
%patch15502 -p1
%patch15503 -p1
-%patch15504 -p1
-%patch15505 -p1
-%patch15506 -p1
-%patch15507 -p1
-%patch159 -p1
-%patch160 -p1
-%patch16201 -p1
-%patch16202 -p1
+%patch162 -p1
%patch164 -p1
-%patch165 -p1
-%patch166 -p1
-%patch167 -p1
-%patch168 -p1
# Upstream qemu patches
%patch250 -p1
%patch251 -p1
@@ -597,7 +545,6 @@
%patch258 -p1
%patch259 -p1
%patch260 -p1
-%patch261 -p1
%patch262 -p1
%patch263 -p1
%patch264 -p1
@@ -623,6 +570,11 @@
%patch284 -p1
%patch285 -p1
%patch286 -p1
+%patch287 -p1
+%patch288 -p1
+%patch289 -p1
+%patch290 -p1
+%patch291 -p1
# Our platform specific patches
%patch321 -p1
%patch322 -p1
@@ -677,6 +629,7 @@
%patch471 -p1
%patch472 -p1
%patch473 -p1
+%patch474 -p1
# Hypervisor and PV driver Patches
%patch501 -p1
%patch502 -p1
++++++ CVE-2013-4533-qemut-pxa2xx-buffer-overrun-on-incoming-migration.patch ++++++
References: bsc#964644 CVE-2013-4533
Subject: pxa2xx: avoid buffer overrun on incoming migration
From: Michael S. Tsirkin mst@redhat.com Thu Apr 3 19:51:57 2014 +0300
Date: Mon May 5 22:15:02 2014 +0200:
Git: caa881abe0e01f9931125a0977ec33c5343e4aa7
CVE-2013-4533
s->rx_level is read from the wire and used to determine how many bytes
to subsequently read into s->rx_fifo[]. If s->rx_level exceeds the
length of s->rx_fifo[] the buffer can be overrun with arbitrary data
from the wire.
Fix this by validating rx_level against the size of s->rx_fifo.
Cc: Don Koch
Reported-by: Michael Roth
Signed-off-by: Michael S. Tsirkin
Reviewed-by: Peter Maydell
Reviewed-by: Don Koch
Signed-off-by: Juan Quintela
Index: xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pxa2xx.c
===================================================================
--- xen-4.6.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/pxa2xx.c
+++ xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pxa2xx.c
@@ -847,7 +847,7 @@ static void pxa2xx_ssp_save(QEMUFile *f,
static int pxa2xx_ssp_load(QEMUFile *f, void *opaque, int version_id)
{
struct pxa2xx_ssp_s *s = (struct pxa2xx_ssp_s *) opaque;
- int i;
+ int i, v;
s->enable = qemu_get_be32(f);
@@ -861,7 +861,11 @@ static int pxa2xx_ssp_load(QEMUFile *f,
qemu_get_8s(f, &s->ssrsa);
qemu_get_8s(f, &s->ssacd);
- s->rx_level = qemu_get_byte(f);
+ v = qemu_get_byte(f);
+ if (v < 0 || v > ARRAY_SIZE(s->rx_fifo)) {
+ return -EINVAL;
+ }
+ s->rx_level = v;
s->rx_start = 0;
for (i = 0; i < s->rx_level; i ++)
s->rx_fifo[i] = qemu_get_byte(f);
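Review bot: The bound check `v > ARRAY_SIZE(s->rx_fifo)` compares a signed `int` with an unsigned size, and it is correct only because `v < 0` is tested first and short-circuits. Making the conversion explicit avoids a sign-compare warning and a regression if the conditions are ever reordered: `if (v < 0 || (size_t)v > ARRAY_SIZE(s->rx_fifo)) {`. A one-line comment such as `/* rx_level comes from the migration stream and bounds the rx_fifo[] reads below */` would record why the value is validated. pxa2xx_ssp_load continues past this hunk, so other fields read from the stream could not be checked here.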
++++++ CVE-2014-0222-blktap-qcow1-validate-l2-table-size.patch ++++++
References: bsc#964925
Subject: qcow1: Validate L2 table size (CVE-2014-0222)
From: Kevin Wolf kwolf@redhat.com Thu May 15 16:10:11 2014 +0200
Date: Mon May 19 11:36:49 2014 +0200:
Git: 42eb58179b3b215bb507da3262b682b8a2ec10b5
Too large L2 table sizes cause unbounded allocations. Images actually
created by qemu-img only have 512 byte or 4k L2 tables.
To keep things consistent with cluster sizes, allow ranges between 512
bytes and 64k (in fact, down to 1 entry = 8 bytes is technically
working, but L2 table sizes smaller than a cluster don't make a lot of
sense).
This also means that the number of bytes on the virtual disk that are
described by the same L2 table is limited to at most 8k * 64k or 2^29,
preventively avoiding any integer overflows.
Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf
Reviewed-by: Benoit Canet
Index: xen-4.6.0-testing/tools/blktap2/drivers/block-qcow.c
===================================================================
--- xen-4.6.0-testing.orig/tools/blktap2/drivers/block-qcow.c
+++ xen-4.6.0-testing/tools/blktap2/drivers/block-qcow.c
@@ -909,6 +909,10 @@ int tdqcow_open (td_driver_t *driver, co
if (header.size <= 1 || header.cluster_bits < 9)
goto fail;
+ /* l2_bits specifies number of entries; storing a uint64_t in each entry,
+ * so bytes = num_entries << 3. */
+ if (header.l2_bits < 9 - 3 || header.l2_bits > 16 - 3)
+ goto fail;
if (header.crypt_method > QCOW_CRYPT_AES)
goto fail;
s->crypt_method_header = header.crypt_method;
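Review bot: Only `l2_bits` gets an upper bound here; the context line above still accepts any `header.cluster_bits >= 9`, although the commit message argues from cluster sizes capped at 64k. tdqcow_open runs beyond this hunk, so a later check may exist, but if none does, the same image-controlled header can still drive oversized shifts and allocations through `cluster_bits`. Consider `if (header.size <= 1 || header.cluster_bits < 9 || header.cluster_bits > 16)` so both fields are validated together.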
++++++ CVE-2014-7815-qemut-vnc-sanitize-bits_per_pixel-from-the-client.patch ++++++
--- /var/tmp/diff_new_pack.77a1IC/_old 2016-02-25 22:02:25.000000000 +0100
+++ /var/tmp/diff_new_pack.77a1IC/_new 2016-02-25 22:02:25.000000000 +0100
@@ -21,11 +21,11 @@
Signed-off-by: Gerd Hoffmann
-Index: xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/vnc.c
+Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vnc.c
===================================================================
---- xen-4.6.0-testing.orig/tools/qemu-xen-traditional-dir-remote/vnc.c
-+++ xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/vnc.c
-@@ -1633,6 +1633,16 @@ static void set_pixel_format(VncState *v
+--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/vnc.c
++++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vnc.c
+@@ -1643,6 +1643,16 @@ static void set_pixel_format(VncState *v
return;
}
++++++ CVE-2015-5278-qemut-Infinite-loop-in-ne2000_receive-function.patch ++++++
References: bsc#964947 CVE-2015-5278
Subject: net: avoid infinite loop when receiving packets(CVE-2015-5278)
From: P J P pjp@fedoraproject.org Tue Sep 15 16:46:59 2015 +0530
Date: Tue Sep 15 12:51:14 2015 +0100:
Git: 737d2b3c41d59eb8f94ab7eb419b957938f24943
Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
bytes to process network packets. While receiving packets
via ne2000_receive() routine, a local 'index' variable
could exceed the ring buffer size, leading to an infinite
loop situation.
Reported-by: Qinghao Tang
Signed-off-by: P J P
Signed-off-by: Stefan Hajnoczi
Index: xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/ne2000.c
===================================================================
--- xen-4.6.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/ne2000.c
+++ xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/ne2000.c
@@ -328,7 +328,7 @@ static void ne2000_receive(void *opaque,
if (index <= s->stop)
avail = s->stop - index;
else
- avail = 0;
+ break;
len = size;
if (len > avail)
len = avail;
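Review bot: The new `break` leaves the copy loop once `index` is past `s->stop`, but nothing in the hunk says why that state is reachable or rejects it earlier. The description says `index` can exceed the ring buffer size, which suggests (not visible here) that the ring boundaries are guest-controlled; validating them before the loop would address the root cause rather than only the loop exit. At minimum the branch deserves a comment, e.g. `/* index beyond stop: inconsistent ring pointers, stop copying instead of spinning with avail == 0 */`. The loop header and the code after the loop are outside the hunk, so the post-loop bookkeeping for a partially copied packet should be confirmed separately.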
++++++ CVE-2015-6855-qemuu-ide-divide-by-zero-issue.patch ++++++
References: bsc#965156 CVE-2015-6855
Subject: ide: fix ATAPI command permissions
From: John Snow jsnow@redhat.com Thu Sep 17 14:17:05 2015 -0400
Date: Fri Sep 18 10:58:56 2015 -0400:
Git: d9033e1d3aa666c5071580617a57bd853c5d794a
We're a little too lenient with what we'll let an ATAPI drive handle.
Clamp down on the IDE command execution table to remove CD_OK permissions
from commands that are not and have never been ATAPI commands.
For ATAPI command validity, please see:
- ATA4 Section 6.5 ("PACKET Command feature set")
- ATA8/ACS Section 4.3 ("The PACKET feature set")
- ACS3 Section 4.3 ("The PACKET feature set")
ACS3 has a historical command validity table in Table B.4
("Historical Command Assignments") that can be referenced to find when
a command was introduced, deprecated, obsoleted, etc.
The only reference for ATAPI command validity is by checking that
version's PACKET feature set section.
ATAPI was introduced by T13 into ATA4, all commands retired prior to ATA4
therefore are assumed to have never been ATAPI commands.
Mandatory commands, as listed in ATA8-ACS3, are:
- DEVICE RESET
- EXECUTE DEVICE DIAGNOSTIC
- IDENTIFY DEVICE
- IDENTIFY PACKET DEVICE
- NOP
- PACKET
- READ SECTOR(S)
- SET FEATURES
Optional commands as listed in ATA8-ACS3, are:
- FLUSH CACHE
- READ LOG DMA EXT
- READ LOG EXT
- WRITE LOG DMA EXT
- WRITE LOG EXT
All other commands are illegal to send to an ATAPI device and should
be rejected by the device.
CD_OK removal justifications:
0x06 WIN_DSM Defined in ACS2. Not valid for ATAPI.
0x21 WIN_READ_ONCE Retired in ATA5. Not ATAPI in ATA4.
0x94 WIN_STANDBYNOW2 Retired in ATA4. Did not coexist with ATAPI.
0x95 WIN_IDLEIMMEDIATE2 Retired in ATA4. Did not coexist with ATAPI.
0x96 WIN_STANDBY2 Retired in ATA4. Did not coexist with ATAPI.
0x97 WIN_SETIDLE2 Retired in ATA4. Did not coexist with ATAPI.
0x98 WIN_CHECKPOWERMODE2 Retired in ATA4. Did not coexist with ATAPI.
0x99 WIN_SLEEPNOW2 Retired in ATA4. Did not coexist with ATAPI.
0xE0 WIN_STANDBYNOW1 Not part of ATAPI in ATA4, ACS or ACS3.
0xE1 WIN_IDLEIMMDIATE Not part of ATAPI in ATA4, ACS or ACS3.
0xE2 WIN_STANDBY Not part of ATAPI in ATA4, ACS or ACS3.
0xE3 WIN_SETIDLE1 Not part of ATAPI in ATA4, ACS or ACS3.
0xE4 WIN_CHECKPOWERMODE1 Not part of ATAPI in ATA4, ACS or ACS3.
0xE5 WIN_SLEEPNOW1 Not part of ATAPI in ATA4, ACS or ACS3.
0xF8 WIN_READ_NATIVE_MAX Obsoleted in ACS3. Not ATAPI in ATA4 or ACS.
This patch fixes a divide by zero fault that can be caused by sending
the WIN_READ_NATIVE_MAX command to an ATAPI drive, which causes it to
attempt to use zeroed CHS values to perform sector arithmetic.
Reported-by: Qinghao Tang
Signed-off-by: John Snow
Reviewed-by: Markus Armbruster
Message-id: 1441816082-21031-1-git-send-email-jsnow@redhat.com
CC: qemu-stable@nongnu.org
Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/ide/core.c
===================================================================
--- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/hw/ide/core.c
+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/ide/core.c
@@ -1739,11 +1739,11 @@ static const struct {
} ide_cmd_table[0x100] = {
/* NOP not implemented, mandatory for CD */
[CFA_REQ_EXT_ERROR_CODE] = { cmd_cfa_req_ext_error_code, CFA_OK },
- [WIN_DSM] = { cmd_data_set_management, ALL_OK },
+ [WIN_DSM] = { cmd_data_set_management, HD_CFA_OK },
[WIN_DEVICE_RESET] = { cmd_device_reset, CD_OK },
[WIN_RECAL] = { cmd_nop, HD_CFA_OK | SET_DSC},
[WIN_READ] = { cmd_read_pio, ALL_OK },
- [WIN_READ_ONCE] = { cmd_read_pio, ALL_OK },
+ [WIN_READ_ONCE] = { cmd_read_pio, HD_CFA_OK },
[WIN_READ_EXT] = { cmd_read_pio, HD_CFA_OK },
[WIN_READDMA_EXT] = { cmd_read_dma, HD_CFA_OK },
[WIN_READ_NATIVE_MAX_EXT] = { cmd_read_native_max, HD_CFA_OK | SET_DSC },
@@ -1762,12 +1762,12 @@ static const struct {
[CFA_TRANSLATE_SECTOR] = { cmd_cfa_translate_sector, CFA_OK },
[WIN_DIAGNOSE] = { cmd_exec_dev_diagnostic, ALL_OK },
[WIN_SPECIFY] = { cmd_nop, HD_CFA_OK | SET_DSC },
- [WIN_STANDBYNOW2] = { cmd_nop, ALL_OK },
- [WIN_IDLEIMMEDIATE2] = { cmd_nop, ALL_OK },
- [WIN_STANDBY2] = { cmd_nop, ALL_OK },
- [WIN_SETIDLE2] = { cmd_nop, ALL_OK },
- [WIN_CHECKPOWERMODE2] = { cmd_check_power_mode, ALL_OK | SET_DSC },
- [WIN_SLEEPNOW2] = { cmd_nop, ALL_OK },
+ [WIN_STANDBYNOW2] = { cmd_nop, HD_CFA_OK },
+ [WIN_IDLEIMMEDIATE2] = { cmd_nop, HD_CFA_OK },
+ [WIN_STANDBY2] = { cmd_nop, HD_CFA_OK },
+ [WIN_SETIDLE2] = { cmd_nop, HD_CFA_OK },
+ [WIN_CHECKPOWERMODE2] = { cmd_check_power_mode, HD_CFA_OK | SET_DSC },
+ [WIN_SLEEPNOW2] = { cmd_nop, HD_CFA_OK },
[WIN_PACKETCMD] = { cmd_packet, CD_OK },
[WIN_PIDENTIFY] = { cmd_identify_packet, CD_OK },
[WIN_SMART] = { cmd_smart, HD_CFA_OK | SET_DSC },
@@ -1781,19 +1781,19 @@ static const struct {
[WIN_WRITEDMA] = { cmd_write_dma, HD_CFA_OK },
[WIN_WRITEDMA_ONCE] = { cmd_write_dma, HD_CFA_OK },
[CFA_WRITE_MULTI_WO_ERASE] = { cmd_write_multiple, CFA_OK },
- [WIN_STANDBYNOW1] = { cmd_nop, ALL_OK },
- [WIN_IDLEIMMEDIATE] = { cmd_nop, ALL_OK },
- [WIN_STANDBY] = { cmd_nop, ALL_OK },
- [WIN_SETIDLE1] = { cmd_nop, ALL_OK },
- [WIN_CHECKPOWERMODE1] = { cmd_check_power_mode, ALL_OK | SET_DSC },
- [WIN_SLEEPNOW1] = { cmd_nop, ALL_OK },
+ [WIN_STANDBYNOW1] = { cmd_nop, HD_CFA_OK },
+ [WIN_IDLEIMMEDIATE] = { cmd_nop, HD_CFA_OK },
+ [WIN_STANDBY] = { cmd_nop, HD_CFA_OK },
+ [WIN_SETIDLE1] = { cmd_nop, HD_CFA_OK },
+ [WIN_CHECKPOWERMODE1] = { cmd_check_power_mode, HD_CFA_OK | SET_DSC },
+ [WIN_SLEEPNOW1] = { cmd_nop, HD_CFA_OK },
[WIN_FLUSH_CACHE] = { cmd_flush_cache, ALL_OK },
[WIN_FLUSH_CACHE_EXT] = { cmd_flush_cache, HD_CFA_OK },
[WIN_IDENTIFY] = { cmd_identify, ALL_OK },
[WIN_SETFEATURES] = { cmd_set_features, ALL_OK | SET_DSC },
[IBM_SENSE_CONDITION] = { cmd_ibm_sense_condition, CFA_OK | SET_DSC },
[CFA_WEAR_LEVEL] = { cmd_cfa_erase_sectors, HD_CFA_OK | SET_DSC },
- [WIN_READ_NATIVE_MAX] = { cmd_read_native_max, ALL_OK | SET_DSC },
+ [WIN_READ_NATIVE_MAX] = { cmd_read_native_max, HD_CFA_OK | SET_DSC },
};
static bool ide_cmd_permitted(IDEState *s, uint32_t cmd)
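Review bot: The divide-by-zero is closed only by removing CD permission from `WIN_READ_NATIVE_MAX` in this table; `cmd_read_native_max` itself is untouched. According to the description the handler does sector arithmetic on CHS values that can be zero, so a later table edit or another caller would reintroduce the fault. A guard in the handler that rejects the command when the geometry fields are zero would make the fix independent of the permission table; the handler is outside these hunks, so its current checks could not be verified. `WIN_READ_NATIVE_MAX_EXT` in the first hunk uses the same handler and already carries `HD_CFA_OK`.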
++++++ CVE-2015-8345-qemut-eepro100-infinite-loop-fix.patch ++++++
--- /var/tmp/diff_new_pack.77a1IC/_old 2016-02-25 22:02:25.000000000 +0100
+++ /var/tmp/diff_new_pack.77a1IC/_new 2016-02-25 22:02:25.000000000 +0100
@@ -1,34 +1,59 @@
References: bsc#956832 CVE-2015-8345
-From: Prasad J Pandit
-Date: Fri, 16 Oct 2015 11:33:27 +0530
-Subject: eepro100: prevent an infinite loop over same command block
+Subject: eepro100: Prevent two endless loops
+From: Stefan Weil sw@weilnetz.de Fri Nov 20 08:42:33 2015 +0100
+Date: Fri Nov 27 10:39:55 2015 +0800:
+Git: 00837731d254908a841d69298a4f9f077babaf24
-action_command() routine executes a chain of commands located
-in the Command Block List(CBL). Each Command Block(CB) has a
-link to the next CB in the list, given by 's->tx.link'.
-This is used in conjunction with the base address 's->cu_base'.
+http://lists.nongnu.org/archive/html/qemu-devel/2015-11/msg04592.html
+shows an example how an endless loop in function action_command can
+be achieved.
-An infinite loop unfolds if the 'link' to the next CB is
-same as the previous one, the loop ends up executing the same
-command over and over again.
+During my code review, I noticed a 2nd case which can result in an
+endless loop.
-Reported-by: Qinghao Tang
-Signed-off-by: Prasad J Pandit
----
- hw/net/eepro100.c | 2 ++
- 1 file changed, 2 insertions(+)
+Reported-by: Qinghao Tang
+Signed-off-by: Stefan Weil
+Signed-off-by: Jason Wang
Index: xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/eepro100.c
===================================================================
--- xen-4.6.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/eepro100.c
+++ xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/eepro100.c
-@@ -674,6 +674,8 @@ static void eepro100_cu_command(EEPRO100
- next_command:
- cb_address = s->cu_base + s->cu_offset;
- cpu_physical_memory_read(cb_address, (uint8_t *) & tx, sizeof(tx));
-+ if (tx.link == s->cu_offset)
+@@ -657,6 +657,10 @@ static void eepro100_cu_command(EEPRO100
+ {
+ eepro100_tx_t tx;
+ uint32_t cb_address;
++ /* The loop below won't stop if it gets special handcrafted data.
++ Therefore we limit the number of iterations. */
++ unsigned max_loop_count = 16;
++
+ switch (val) {
+ case CU_NOP:
+ /* No operation. */
+@@ -685,6 +689,13 @@ static void eepro100_cu_command(EEPRO100
+ bool bit_nc = ((command & 0x0010) != 0);
+ //~ bool bit_sf = ((command & 0x0008) != 0);
+ uint16_t cmd = command & 0x0007;
++
++ if (max_loop_count-- == 0) {
++ /* Prevent an endless loop. (see goto next_command) */
++ logout("loop in %s:%u\n", __FILE__, __LINE__);
+ break;
- uint16_t status = le16_to_cpu(tx.status);
- uint16_t command = le16_to_cpu(tx.command);
- logout
++ }
++
+ s->cu_offset = le32_to_cpu(tx.link);
+ switch (cmd) {
+ case CmdNOp:
+@@ -726,6 +737,11 @@ static void eepro100_cu_command(EEPRO100
+ uint32_t tx_buffer_address = ldl_phys(tbd_address);
+ uint16_t tx_buffer_size = lduw_phys(tbd_address + 4);
+ //~ uint16_t tx_buffer_el = lduw_phys(tbd_address + 6);
++ if (tx_buffer_size == 0) {
++ /* Prevent an endless loop. */
++ logout("loop in %s:%u\n", __FILE__, __LINE__);
++ break;
++ }
+ tbd_address += 8;
+ logout
+ ("TBD (simplified mode): buffer address 0x%08x, size 0x%04x\n",
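Review bot: The iteration cap `unsigned max_loop_count = 16;` is a bare constant with no stated relation to how many command blocks a well-behaved guest driver may chain. It appears in eepro100_cu_command here and in action_command in the qemuu variant of this patch. A longer chain is now cut off with only the `logout("loop in %s:%u\n", ...)` line, which gives file and line but not the offending command block. Consider a named constant with a comment on how the value was chosen, and add the current `cu_offset` to the message so the event can be triaged from logs. Both functions extend beyond the quoted hunks, so whether the CU state is left consistent after the `break` cannot be checked from this page.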
++++++ CVE-2015-8345-qemuu-eepro100-infinite-loop-fix.patch ++++++
--- /var/tmp/diff_new_pack.77a1IC/_old 2016-02-25 22:02:25.000000000 +0100
+++ /var/tmp/diff_new_pack.77a1IC/_new 2016-02-25 22:02:25.000000000 +0100
@@ -1,34 +1,59 @@
References: bsc#956832 CVE-2015-8345
-From: Prasad J Pandit
-Date: Fri, 16 Oct 2015 11:33:27 +0530
-Subject: eepro100: prevent an infinite loop over same command block
+Subject: eepro100: Prevent two endless loops
+From: Stefan Weil sw@weilnetz.de Fri Nov 20 08:42:33 2015 +0100
+Date: Fri Nov 27 10:39:55 2015 +0800:
+Git: 00837731d254908a841d69298a4f9f077babaf24
-action_command() routine executes a chain of commands located
-in the Command Block List(CBL). Each Command Block(CB) has a
-link to the next CB in the list, given by 's->tx.link'.
-This is used in conjunction with the base address 's->cu_base'.
+http://lists.nongnu.org/archive/html/qemu-devel/2015-11/msg04592.html
+shows an example how an endless loop in function action_command can
+be achieved.
-An infinite loop unfolds if the 'link' to the next CB is
-same as the previous one, the loop ends up executing the same
-command over and over again.
+During my code review, I noticed a 2nd case which can result in an
+endless loop.
-Reported-by: Qinghao Tang
-Signed-off-by: Prasad J Pandit
----
- hw/net/eepro100.c | 2 ++
- 1 file changed, 2 insertions(+)
+Reported-by: Qinghao Tang
+Signed-off-by: Stefan Weil
+Signed-off-by: Jason Wang
Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/net/eepro100.c
===================================================================
--- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/hw/net/eepro100.c
+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/net/eepro100.c
-@@ -863,6 +863,8 @@ static void action_command(EEPRO100State
- uint16_t ok_status = STATUS_OK;
- s->cb_address = s->cu_base + s->cu_offset;
- read_cb(s);
-+ if (s->tx.link == s->cu_offset)
+@@ -774,6 +774,11 @@ static void tx_command(EEPRO100State *s)
+ #if 0
+ uint16_t tx_buffer_el = lduw_le_pci_dma(&s->dev, tbd_address + 6);
+ #endif
++ if (tx_buffer_size == 0) {
++ /* Prevent an endless loop. */
++ logout("loop in %s:%u\n", __FILE__, __LINE__);
+ break;
- bit_el = ((s->tx.command & COMMAND_EL) != 0);
- bit_s = ((s->tx.command & COMMAND_S) != 0);
- bit_i = ((s->tx.command & COMMAND_I) != 0);
++ }
+ tbd_address += 8;
+ TRACE(RXTX, logout
+ ("TBD (simplified mode): buffer address 0x%08x, size 0x%04x\n",
+@@ -855,6 +860,10 @@ static void set_multicast_list(EEPRO100S
+
+ static void action_command(EEPRO100State *s)
+ {
++ /* The loop below won't stop if it gets special handcrafted data.
++ Therefore we limit the number of iterations. */
++ unsigned max_loop_count = 16;
++
+ for (;;) {
+ bool bit_el;
+ bool bit_s;
+@@ -870,6 +879,13 @@ static void action_command(EEPRO100State
+ #if 0
+ bool bit_sf = ((s->tx.command & COMMAND_SF) != 0);
+ #endif
++
++ if (max_loop_count-- == 0) {
++ /* Prevent an endless loop. */
++ logout("loop in %s:%u\n", __FILE__, __LINE__);
++ break;
++ }
++
+ s->cu_offset = s->tx.link;
+ TRACE(OTHER,
+ logout("val=(cu start), status=0x%04x, command=0x%04x, link=0x%08x\n",
++++++ CVE-2015-8504-qemut-vnc-avoid-floating-point-exception.patch ++++++
--- /var/tmp/diff_new_pack.77a1IC/_old 2016-02-25 22:02:25.000000000 +0100
+++ /var/tmp/diff_new_pack.77a1IC/_new 2016-02-25 22:02:25.000000000 +0100
@@ -1,10 +1,10 @@
References: bsc#958493 CVE-2015-8504
-Index: xen-4.5.2-testing/tools/qemu-xen-traditional-dir-remote/vnc.c
+Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vnc.c
===================================================================
---- xen-4.5.2-testing.orig/tools/qemu-xen-traditional-dir-remote/vnc.c
-+++ xen-4.5.2-testing/tools/qemu-xen-traditional-dir-remote/vnc.c
-@@ -1634,15 +1634,15 @@ static void set_pixel_format(VncState *v
+--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/vnc.c
++++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vnc.c
+@@ -1644,15 +1644,15 @@ static void set_pixel_format(VncState *v
}
vs->clientds = vs->serverds;
++++++ CVE-2015-8619-qemuu-stack-based-OOB-write-in-hmp_sendkey-routine.patch ++++++
References: bsc#965269 CVE-2015-8619
Subject: hmp: fix sendkey out of bounds write (CVE-2015-8619)
From: Wolfgang Bumiller w.bumiller@proxmox.com Wed Jan 13 09:09:58 2016 +0100
Date: Wed Feb 3 10:13:06 2016 +0100:
Git: 64ffbe04eaafebf4045a3ace52a360c14959d196
When processing 'sendkey' command, hmp_sendkey routine null
terminates the 'keyname_buf' array. This results in an OOB
write issue, if 'keyname_len' was to fall outside of
'keyname_buf' array.
Since the keyname's length is known the keyname_buf can be
removed altogether by adding a length parameter to
index_from_key() and using it for the error output as well.
Reported-by: Ling Liu
Signed-off-by: Wolfgang Bumiller
Message-Id: <20160113080958.GA18934@olga>
[Comparison with "<" dumbed down, test for junk after strtoul()
tweaked]
Signed-off-by: Markus Armbruster
Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/hmp.c
===================================================================
--- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/hmp.c
+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/hmp.c
@@ -1478,21 +1478,18 @@ void hmp_send_key(Monitor *mon, const QD
int has_hold_time = qdict_haskey(qdict, "hold-time");
int hold_time = qdict_get_try_int(qdict, "hold-time", -1);
Error *err = NULL;
- char keyname_buf[16];
char *separator;
int keyname_len;
while (1) {
separator = strchr(keys, '-');
keyname_len = separator ? separator - keys : strlen(keys);
- pstrcpy(keyname_buf, sizeof(keyname_buf), keys);
/* Be compatible with old interface, convert user inputted "<" */
- if (!strncmp(keyname_buf, "<", 1) && keyname_len == 1) {
- pstrcpy(keyname_buf, sizeof(keyname_buf), "less");
+ if (keys[0] == '<' && keyname_len == 1) {
+ keys = "less";
keyname_len = 4;
}
- keyname_buf[keyname_len] = 0;
keylist = g_malloc0(sizeof(*keylist));
keylist->value = g_malloc0(sizeof(*keylist->value));
@@ -1505,16 +1502,17 @@ void hmp_send_key(Monitor *mon, const QD
}
tmp = keylist;
- if (strstart(keyname_buf, "0x", NULL)) {
+ if (strstart(keys, "0x", NULL)) {
char *endp;
- int value = strtoul(keyname_buf, &endp, 0);
- if (*endp != '\0') {
+ int value = strtoul(keys, &endp, 0);
+ assert(endp <= keys + keyname_len);
+ if (endp != keys + keyname_len) {
goto err_out;
}
keylist->value->kind = KEY_VALUE_KIND_NUMBER;
keylist->value->number = value;
} else {
- int idx = index_from_key(keyname_buf);
+ int idx = index_from_key(keys, keyname_len);
if (idx == Q_KEY_CODE_MAX) {
goto err_out;
}
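Review bot: `int value = strtoul(keys, &endp, 0);` still narrows an unsigned long into an int with no range check, so a monitor-supplied number above INT_MAX (including the ULONG_MAX that strtoul returns on overflow) ends up stored as a truncated or negative key number. Keeping the result unsigned and rejecting it together with the junk test closes that: `unsigned long value = strtoul(keys, &endp, 0);` and `if (endp != keys + keyname_len || value > INT_MAX) {`. The `assert(endp <= keys + keyname_len)` holds only because strtoul stops at the '-' separator or the terminator, and a one-line comment saying so would help now that `keys` is no longer a private NUL-terminated copy. hmp_send_key starts and ends outside this hunk, so the type of `keylist->value->number` is not visible and the bound may need adjusting to it.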
@@ -1536,7 +1534,7 @@ out:
return;
err_out:
- monitor_printf(mon, "invalid parameter: %s\n", keyname_buf);
+ monitor_printf(mon, "invalid parameter: %.*s\n", keyname_len, keys);
goto out;
}
Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/include/ui/console.h
===================================================================
--- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/include/ui/console.h
+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/include/ui/console.h
@@ -349,7 +349,7 @@ static inline int vnc_display_pw_expire(
void curses_display_init(DisplayState *ds, int full_screen);
/* input.c */
-int index_from_key(const char *key);
+int index_from_key(const char *key, size_t key_length);
/* gtk.c */
void early_gtk_display_init(void);
Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/ui/input-legacy.c
===================================================================
--- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/ui/input-legacy.c
+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/ui/input-legacy.c
@@ -60,12 +60,13 @@ static QTAILQ_HEAD(, QEMUPutLEDEntry) le
static QTAILQ_HEAD(, QEMUPutMouseEntry) mouse_handlers =
QTAILQ_HEAD_INITIALIZER(mouse_handlers);
-int index_from_key(const char *key)
+int index_from_key(const char *key, size_t key_length)
{
int i;
for (i = 0; QKeyCode_lookup[i] != NULL; i++) {
- if (!strcmp(key, QKeyCode_lookup[i])) {
+ if (!strncmp(key, QKeyCode_lookup[i], key_length) &&
+ !QKeyCode_lookup[i][key_length]) {
break;
}
}
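Review bot: index_from_key() now has an unstated precondition that `key_length` does not exceed `strlen(key)`. If the key ended earlier, `strncmp` could still report a match against a short table entry, and `QKeyCode_lookup[i][key_length]` would then read past that entry's terminator. The caller in hmp.c satisfies this (the length comes from `strchr`/`strlen`, or is set to 4 for "less"), but neither the definition nor the prototype in include/ui/console.h says so. I would add a comment above the function, e.g. `/* key need not be NUL-terminated at key_length, but key_length must be <= strlen(key). */`. The function's return statement lies outside the hunk.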
++++++ CVE-2016-2198-qemuu-usb-ehci-null-pointer-dereference-in-ehci_caps_write.patch ++++++
References: bsc#964415 CVE-2016-2198
USB Ehci emulation supports host controller capability registers.
But its mmio '.write' function was missing, which led to a null
pointer dereference issue. Add a do nothing 'ehci_caps_write'
definition to avoid it; Do nothing because capability registers
are Read Only(RO).
Reported-by: Zuozhi Fzz
Signed-off-by: Prasad J Pandit
---
hw/usb/hcd-ehci.c | 6 ++++++
1 file changed, 6 insertions(+)
Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/usb/hcd-ehci.c
===================================================================
--- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/hw/usb/hcd-ehci.c
+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/usb/hcd-ehci.c
@@ -899,6 +899,11 @@ static uint64_t ehci_caps_read(void *ptr
return s->caps[addr];
}
+static void ehci_caps_write(void *ptr, hwaddr addr,
+ uint64_t val, unsigned size)
+{
+}
+
static uint64_t ehci_opreg_read(void *ptr, hwaddr addr,
unsigned size)
{
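Review bot: The empty body of `ehci_caps_write` gives no reason for discarding the write; that reason exists only in the patch description. A comment inside the body keeps it with the code: `/* Capability registers are read-only; guest writes are deliberately ignored. */`. It also tells a later reader that the handler exists so the `.write` slot of `ehci_mmio_caps_ops`, set in the next hunk, is never left NULL.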
@@ -2317,6 +2322,7 @@ static void ehci_frame_timer(void *opaqu
static const MemoryRegionOps ehci_mmio_caps_ops = {
.read = ehci_caps_read,
+ .write = ehci_caps_write,
.valid.min_access_size = 1,
.valid.max_access_size = 4,
.impl.min_access_size = 1,
++++++ VNC-Support-for-ExtendedKeyEvent-client-message.patch ++++++
--- /var/tmp/diff_new_pack.77a1IC/_old 2016-02-25 22:02:25.000000000 +0100
+++ /var/tmp/diff_new_pack.77a1IC/_new 2016-02-25 22:02:25.000000000 +0100
@@ -20,10 +20,10 @@
vnc.c | 59 ++++++++++++++++++++++++++++++++++++++++++++++++++---------
1 files changed, 50 insertions(+), 9 deletions(-)
-Index: xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/vnc.c
+Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vnc.c
===================================================================
---- xen-4.6.0-testing.orig/tools/qemu-xen-traditional-dir-remote/vnc.c
-+++ xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/vnc.c
+--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/vnc.c
++++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vnc.c
@@ -1285,35 +1285,22 @@ static void press_key_altgr_down(VncStat
}
}
@@ -115,7 +115,7 @@
case 0x574D5669:
vs->has_WMVi = 1;
default:
-@@ -1780,6 +1797,24 @@ static int protocol_client_msg(VncState
+@@ -1790,6 +1807,24 @@ static int protocol_client_msg(VncState
client_cut_text(vs, read_u32(data, 4), (char *)(data + 8));
break;
@@ -140,7 +140,7 @@
default:
printf("Msg: %d\n", data[0]);
vnc_client_error(vs);
-@@ -2451,10 +2486,11 @@ void vnc_display_init(DisplayState *ds)
+@@ -2461,10 +2496,11 @@ void vnc_display_init(DisplayState *ds)
vs->ds = ds;
++++++ bdrv_default_rwflag.patch ++++++
--- /var/tmp/diff_new_pack.77a1IC/_old 2016-02-25 22:02:25.000000000 +0100
+++ /var/tmp/diff_new_pack.77a1IC/_new 2016-02-25 22:02:25.000000000 +0100
@@ -1,11 +1,11 @@
Subject: modify default read/write flag in bdrv_init.
Signed-off by Chunyan Liu
-Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/vl.c
+Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vl.c
===================================================================
---- xen-4.2.0-testing.orig/tools/qemu-xen-traditional-dir-remote/vl.c
-+++ xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/vl.c
-@@ -2627,6 +2627,8 @@ int drive_init(struct drive_opt *arg, in
+--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/vl.c
++++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vl.c
+@@ -2626,6 +2626,8 @@ int drive_init(struct drive_opt *arg, in
strncpy(drives_table[nb_drives].serial, serial, sizeof(serial));
nb_drives++;
@@ -14,7 +14,7 @@
switch(type) {
case IF_IDE:
case IF_XEN:
-@@ -2640,6 +2642,7 @@ int drive_init(struct drive_opt *arg, in
+@@ -2639,6 +2641,7 @@ int drive_init(struct drive_opt *arg, in
break;
case MEDIA_CDROM:
bdrv_set_type_hint(bdrv, BDRV_TYPE_CDROM);
@@ -22,7 +22,7 @@
break;
}
break;
-@@ -2660,7 +2663,6 @@ int drive_init(struct drive_opt *arg, in
+@@ -2659,7 +2662,6 @@ int drive_init(struct drive_opt *arg, in
}
if (!file[0])
return -2;
++++++ ioemu-disable-emulated-ide-if-pv.patch ++++++
--- /var/tmp/diff_new_pack.77a1IC/_old 2016-02-25 22:02:25.000000000 +0100
+++ /var/tmp/diff_new_pack.77a1IC/_new 2016-02-25 22:02:25.000000000 +0100
@@ -1,7 +1,7 @@
-Index: xen-4.5.0-testing/tools/qemu-xen-traditional-dir-remote/qemu-xen.h
+Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/qemu-xen.h
===================================================================
---- xen-4.5.0-testing.orig/tools/qemu-xen-traditional-dir-remote/qemu-xen.h
-+++ xen-4.5.0-testing/tools/qemu-xen-traditional-dir-remote/qemu-xen.h
+--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/qemu-xen.h
++++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/qemu-xen.h
@@ -1,6 +1,8 @@
#ifndef QEMU_XEN_H
#define QEMU_XEN_H
@@ -20,11 +20,11 @@
int xenstore_parse_disable_pf_config(void);
int xenstore_fd(void);
void xenstore_process_event(void *opaque);
-Index: xen-4.5.0-testing/tools/qemu-xen-traditional-dir-remote/vl.c
+Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vl.c
===================================================================
---- xen-4.5.0-testing.orig/tools/qemu-xen-traditional-dir-remote/vl.c
-+++ xen-4.5.0-testing/tools/qemu-xen-traditional-dir-remote/vl.c
-@@ -5862,9 +5862,9 @@ int main(int argc, char **argv, char **e
+--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/vl.c
++++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vl.c
+@@ -5861,9 +5861,9 @@ int main(int argc, char **argv, char **e
if ((msg = xenbus_read(XBT_NIL, "domid", &domid_s)))
fprintf(stderr,"Can not read our own domid: %s\n", msg);
else
@@ -36,10 +36,10 @@
#endif /* CONFIG_STUBDOM */
}
-Index: xen-4.5.0-testing/tools/qemu-xen-traditional-dir-remote/xenstore.c
+Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/xenstore.c
===================================================================
---- xen-4.5.0-testing.orig/tools/qemu-xen-traditional-dir-remote/xenstore.c
-+++ xen-4.5.0-testing/tools/qemu-xen-traditional-dir-remote/xenstore.c
+--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/xenstore.c
++++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/xenstore.c
@@ -445,7 +445,7 @@ void xenstore_init(void)
}
}
++++++ ioemu-vnc-resize.patch ++++++
--- /var/tmp/diff_new_pack.77a1IC/_old 2016-02-25 22:02:25.000000000 +0100
+++ /var/tmp/diff_new_pack.77a1IC/_new 2016-02-25 22:02:25.000000000 +0100
@@ -1,8 +1,8 @@
-Index: xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/vnc.c
+Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vnc.c
===================================================================
---- xen-4.6.0-testing.orig/tools/qemu-xen-traditional-dir-remote/vnc.c
-+++ xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/vnc.c
-@@ -1761,6 +1761,25 @@ static int protocol_client_msg(VncState
+--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/vnc.c
++++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vnc.c
+@@ -1771,6 +1771,25 @@ static int protocol_client_msg(VncState
}
set_encodings(vs, (int32_t *)(data + 4), limit);
++++++ ioemu-watchdog-support.patch ++++++
--- /var/tmp/diff_new_pack.77a1IC/_old 2016-02-25 22:02:25.000000000 +0100
+++ /var/tmp/diff_new_pack.77a1IC/_new 2016-02-25 22:02:25.000000000 +0100
@@ -10,10 +10,10 @@
Signed-off-by: Richard W.M. Jones
Signed-off-by: Anthony Liguori
-Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/Makefile.target
+Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/Makefile.target
===================================================================
---- xen-4.2.0-testing.orig/tools/qemu-xen-traditional-dir-remote/Makefile.target
-+++ xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/Makefile.target
+--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/Makefile.target
++++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/Makefile.target
@@ -580,6 +580,10 @@ OBJS += e1000.o
# Serial mouse
OBJS += msmouse.o
@@ -25,10 +25,10 @@
ifeq ($(TARGET_BASE_ARCH), i386)
# Hardware support
ifdef CONFIG_AUDIO
-Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c
+Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c
===================================================================
---- xen-4.2.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/pc.c
-+++ xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c
+--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/pc.c
++++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c
@@ -41,6 +41,7 @@
#include "virtio-balloon.h"
#include "virtio-console.h"
@@ -37,7 +37,7 @@
#ifdef CONFIG_PASSTHROUGH
#include "pass-through.h"
-@@ -1050,6 +1051,8 @@ vga_bios_error:
+@@ -1047,6 +1048,8 @@ vga_bios_error:
}
}
@@ -46,10 +46,10 @@
for(i = 0; i < nb_nics; i++) {
NICInfo *nd = &nd_table[i];
-Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/watchdog.c
+Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/watchdog.c
===================================================================
--- /dev/null
-+++ xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/watchdog.c
++++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/watchdog.c
@@ -0,0 +1,136 @@
+/*
+ * Virtual hardware watchdog.
@@ -187,10 +187,10 @@
+ wdt_ib700_init();
+ wdt_i6300esb_init();
+}
-Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/watchdog.h
+Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/watchdog.h
===================================================================
--- /dev/null
-+++ xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/watchdog.h
++++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/watchdog.h
@@ -0,0 +1,65 @@
+/*
+ * Virtual hardware watchdog.
@@ -257,10 +257,10 @@
+extern void register_watchdogs(void);
+
+#endif /* QEMU_WATCHDOG_H */
-Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/wdt_i6300esb.c
+Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/wdt_i6300esb.c
===================================================================
--- /dev/null
-+++ xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/wdt_i6300esb.c
++++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/wdt_i6300esb.c
@@ -0,0 +1,470 @@
+/*
+ * Virtual hardware watchdog.
@@ -732,10 +732,10 @@
+{
+ watchdog_add_model(&model);
+}
-Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/wdt_ib700.c
+Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/wdt_ib700.c
===================================================================
--- /dev/null
-+++ xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/wdt_ib700.c
++++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/wdt_ib700.c
@@ -0,0 +1,112 @@
+/*
+ * Virtual hardware watchdog.
@@ -849,10 +849,10 @@
+ watchdog_add_model(&model);
+ timer = qemu_new_timer(vm_clock, ib700_timer_expired, NULL);
+}
-Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/monitor.c
+Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/monitor.c
===================================================================
---- xen-4.2.0-testing.orig/tools/qemu-xen-traditional-dir-remote/monitor.c
-+++ xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/monitor.c
+--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/monitor.c
++++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/monitor.c
@@ -26,6 +26,7 @@
#include "hw/pcmcia.h"
#include "hw/pc.h"
@@ -884,10 +884,10 @@
{ "cpu_set", "is", do_cpu_set_nr,
"cpu [online|offline]", "change cpu state" },
{ NULL, NULL, },
-Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/vl.c
+Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vl.c
===================================================================
---- xen-4.2.0-testing.orig/tools/qemu-xen-traditional-dir-remote/vl.c
-+++ xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/vl.c
+--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/vl.c
++++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vl.c
@@ -30,6 +30,7 @@
#include "hw/isa.h"
#include "hw/baum.h"
@@ -905,7 +905,7 @@
const char *option_rom[MAX_OPTION_ROMS];
int nb_option_roms;
int semihosting_enabled = 0;
-@@ -4177,6 +4180,10 @@ static void help(int exitcode)
+@@ -4176,6 +4179,10 @@ static void help(int exitcode)
"-startdate select initial date of the clock\n"
"-icount [N|auto]\n"
" enable virtual instruction counter with 2^N clock ticks per instruction\n"
@@ -916,7 +916,7 @@
"-echr chr set terminal escape character instead of ctrl-a\n"
"-virtioconsole c\n"
" set virtio console\n"
-@@ -4324,6 +4331,8 @@ enum {
+@@ -4323,6 +4330,8 @@ enum {
QEMU_OPTION_localtime,
QEMU_OPTION_startdate,
QEMU_OPTION_icount,
@@ -925,7 +925,7 @@
QEMU_OPTION_echr,
QEMU_OPTION_virtiocon,
QEMU_OPTION_show_cursor,
-@@ -4450,6 +4459,8 @@ static const QEMUOption qemu_options[] =
+@@ -4449,6 +4458,8 @@ static const QEMUOption qemu_options[] =
{ "localtime", 0, QEMU_OPTION_localtime },
{ "startdate", HAS_ARG, QEMU_OPTION_startdate },
{ "icount", HAS_ARG, QEMU_OPTION_icount },
@@ -934,7 +934,7 @@
{ "echr", HAS_ARG, QEMU_OPTION_echr },
{ "virtioconsole", HAS_ARG, QEMU_OPTION_virtiocon },
{ "show-cursor", 0, QEMU_OPTION_show_cursor },
-@@ -4951,6 +4962,8 @@ int main(int argc, char **argv, char **e
+@@ -4950,6 +4961,8 @@ int main(int argc, char **argv, char **e
tb_size = 0;
autostart= 1;
@@ -943,7 +943,7 @@
optind = 1;
for(;;) {
if (optind >= argc)
-@@ -5325,6 +5338,17 @@ int main(int argc, char **argv, char **e
+@@ -5324,6 +5337,17 @@ int main(int argc, char **argv, char **e
serial_devices[serial_device_index] = optarg;
serial_device_index++;
break;
++++++ kernel-boot-hvm.patch ++++++
--- /var/tmp/diff_new_pack.77a1IC/_old 2016-02-25 22:02:25.000000000 +0100
+++ /var/tmp/diff_new_pack.77a1IC/_new 2016-02-25 22:02:25.000000000 +0100
@@ -4,10 +4,10 @@
Signed-off-by: Chunyan Liu
-Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/block.c
+Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/block.c
===================================================================
---- xen-4.2.0-testing.orig/tools/qemu-xen-traditional-dir-remote/block.c
-+++ xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/block.c
+--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/block.c
++++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/block.c
@@ -596,6 +596,16 @@ int bdrv_read(BlockDriverState *bs, int6
if (bdrv_check_request(bs, sector_num, nb_sectors))
@@ -79,10 +79,10 @@
ret = drv->bdrv_aio_write(bs, sector_num, buf, nb_sectors, cb, opaque);
if (ret) {
-Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/block_int.h
+Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/block_int.h
===================================================================
---- xen-4.2.0-testing.orig/tools/qemu-xen-traditional-dir-remote/block_int.h
-+++ xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/block_int.h
+--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/block_int.h
++++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/block_int.h
@@ -122,6 +122,9 @@ struct BlockDriverState {
BlockDriver *drv; /* NULL means no media */
void *opaque;
@@ -93,11 +93,11 @@
char filename[1024];
char backing_file[1024]; /* if non zero, the image is a diff of
this file image */
-Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c
+Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c
===================================================================
---- xen-4.2.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/pc.c
-+++ xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c
-@@ -474,45 +474,28 @@ static void bochs_bios_init(void)
+--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/pc.c
++++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c
+@@ -473,45 +473,28 @@ static void bochs_bios_init(void)
/* Generate an initial boot sector which sets state and jump to
a specified vector */
@@ -110,7 +110,8 @@
+ uint8_t bootsect[512], *p;
int i;
+ int hda;
-+
+
+- memset(rom, 0, sizeof(rom));
+ hda = drive_get_index(IF_IDE, 0, 0);
+ if (hda == -1) {
+ fprintf(stderr, "A disk image must be given for 'hda' when booting "
@@ -119,8 +120,6 @@
+ }
+ memset(bootsect, 0, sizeof(bootsect));
-- memset(rom, 0, sizeof(rom));
--
- p = rom;
- /* Make sure we have an option rom signature */
- *p++ = 0x55;
@@ -161,7 +160,7 @@
*p++ = 0xfa; /* CLI */
*p++ = 0xfc; /* CLD */
-@@ -542,13 +525,7 @@ static void generate_bootsect(uint8_t *o
+@@ -541,13 +524,7 @@ static void generate_bootsect(uint8_t *o
*p++ = segs[1]; /* CS */
*p++ = segs[1] >> 8;
@@ -176,7 +175,7 @@
}
static long get_file_size(FILE *f)
-@@ -565,8 +542,7 @@ static long get_file_size(FILE *f)
+@@ -564,8 +541,7 @@ static long get_file_size(FILE *f)
return size;
}
@@ -186,7 +185,7 @@
const char *initrd_filename,
const char *kernel_cmdline)
{
-@@ -632,7 +608,9 @@ static void load_linux(uint8_t *option_r
+@@ -631,7 +607,9 @@ static void load_linux(uint8_t *option_r
/* Special pages are placed at end of low RAM: pick an arbitrary one and
* subtract a suitably large amount of padding (64kB) to skip BIOS data. */
@@ -197,7 +196,7 @@
end_low_ram = (end_low_ram << 12) - (64*1024);
/* highest address for loading the initrd */
-@@ -721,7 +699,7 @@ static void load_linux(uint8_t *option_r
+@@ -720,7 +698,7 @@ static void load_linux(uint8_t *option_r
memset(gpr, 0, sizeof gpr);
gpr[4] = cmdline_addr-real_addr-16; /* SP (-16 is paranoia) */
@@ -206,7 +205,7 @@
#endif
}
-@@ -932,14 +910,6 @@ vga_bios_error:
+@@ -930,14 +908,6 @@ vga_bios_error:
int size, offset;
offset = 0;
@@ -221,20 +220,20 @@
for (i = 0; i < nb_option_roms; i++) {
size = get_image_size(option_rom[i]);
-@@ -973,6 +943,9 @@ vga_bios_error:
+@@ -971,6 +941,9 @@ vga_bios_error:
bochs_bios_init();
+ if (linux_boot)
-+ load_linux(kernel_filename, initrd_filename, kernel_cmdline);
++ load_linux(kernel_filename, initrd_filename, kernel_cmdline);
+
- cpu_irq = qemu_allocate_irqs(pic_irq_request, NULL, 1);
- i8259 = i8259_init(cpu_irq[0]);
+ i8259 = i8259_init(NULL);
ferr_irq = i8259[13];
-Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/block.h
+
+Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/block.h
===================================================================
---- xen-4.2.0-testing.orig/tools/qemu-xen-traditional-dir-remote/block.h
-+++ xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/block.h
+--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/block.h
++++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/block.h
@@ -82,6 +82,7 @@ int64_t bdrv_getlength(BlockDriverState
void bdrv_get_geometry(BlockDriverState *bs, uint64_t *nb_sectors_ptr);
void bdrv_guess_geometry(BlockDriverState *bs, int *pcyls, int *pheads, int *psecs);
++++++ qemu-dm-segfault.patch ++++++
--- /var/tmp/diff_new_pack.77a1IC/_old 2016-02-25 22:02:25.000000000 +0100
+++ /var/tmp/diff_new_pack.77a1IC/_new 2016-02-25 22:02:25.000000000 +0100
@@ -1,8 +1,8 @@
-Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/ide.c
+Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/ide.c
===================================================================
---- xen-4.2.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/ide.c
-+++ xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/ide.c
-@@ -935,8 +935,9 @@ static inline void ide_dma_submit_check(
+--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/ide.c
++++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/ide.c
+@@ -937,8 +937,9 @@ static inline void ide_dma_submit_check(
static inline void ide_set_irq(IDEState *s)
{
@@ -14,24 +14,7 @@
if (!(s->cmd & IDE_CMD_DISABLE_IRQ)) {
if (bm) {
bm->status |= BM_STATUS_INT;
-@@ -1224,14 +1225,14 @@ static void ide_read_dma_cb(void *opaque
- int n;
- int64_t sector_num;
-
-+ if (!s || !s->bs) return; /* ouch! (see ide_flush_cb) */
-+
- if (ret < 0) {
- dma_buf_commit(s, 1);
- ide_dma_error(s);
- return;
- }
-
-- if (!s->bs) return; /* ouch! (see ide_flush_cb) */
--
- n = s->io_buffer_size >> 9;
- sector_num = ide_get_sector(s);
- if (n > 0) {
-@@ -1335,6 +1336,8 @@ static void ide_write_flush_cb(void *opa
+@@ -1338,6 +1339,8 @@ static void ide_write_flush_cb(void *opa
BMDMAState *bm = opaque;
IDEState *s = bm->ide_if;
@@ -40,23 +23,7 @@
if (ret != 0) {
ide_dma_error(s);
return;
-@@ -1366,13 +1369,13 @@ static void ide_write_dma_cb(void *opaqu
- int n;
- int64_t sector_num;
-
-+ if (!s || !s->bs) return; /* ouch! (see ide_flush_cb) */
-+
- if (ret < 0) {
- if (ide_handle_write_error(s, -ret, BM_STATUS_DMA_RETRY))
- return;
- }
-
-- if (!s->bs) return; /* ouch! (see ide_flush_cb) */
--
- n = s->io_buffer_size >> 9;
- sector_num = ide_get_sector(s);
- if (n > 0) {
-@@ -1429,7 +1432,7 @@ static void ide_flush_cb(void *opaque, i
+@@ -1432,7 +1435,7 @@ static void ide_flush_cb(void *opaque, i
{
IDEState *s = opaque;
@@ -65,7 +32,7 @@
if (ret) {
/* We are completely doomed. The IDE spec does not permit us
-@@ -1686,7 +1689,7 @@ static void ide_atapi_cmd_read_dma_cb(vo
+@@ -1689,7 +1692,7 @@ static void ide_atapi_cmd_read_dma_cb(vo
IDEState *s = bm->ide_if;
int data_offset, n;
@@ -74,7 +41,7 @@
if (ret < 0) {
ide_atapi_io_error(s, ret);
-@@ -2365,7 +2368,7 @@ static void cdrom_change_cb(void *opaque
+@@ -2368,7 +2371,7 @@ static void cdrom_change_cb(void *opaque
IDEState *s = opaque;
uint64_t nb_sectors;
++++++ qemu-security-etch1.patch ++++++
--- /var/tmp/diff_new_pack.77a1IC/_old 2016-02-25 22:02:25.000000000 +0100
+++ /var/tmp/diff_new_pack.77a1IC/_new 2016-02-25 22:02:25.000000000 +0100
@@ -1,7 +1,7 @@
-Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/ne2000.c
+Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/ne2000.c
===================================================================
---- xen-4.2.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/ne2000.c
-+++ xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/ne2000.c
+--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/ne2000.c
++++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/ne2000.c
@@ -218,7 +218,7 @@ static int ne2000_can_receive(void *opaq
NE2000State *s = opaque;
@@ -11,11 +11,11 @@
return !ne2000_buffer_full(s);
}
-Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c
+Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c
===================================================================
---- xen-4.2.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/pc.c
-+++ xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c
-@@ -413,7 +413,8 @@ static void bochs_bios_write(void *opaqu
+--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/pc.c
++++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c
+@@ -412,7 +412,8 @@ static void bochs_bios_write(void *opaqu
case 0x400:
case 0x401:
fprintf(stderr, "BIOS panic at rombios.c, line %d\n", val);
@@ -25,7 +25,7 @@
case 0x402:
case 0x403:
#ifdef DEBUG_BIOS
-@@ -436,8 +437,9 @@ static void bochs_bios_write(void *opaqu
+@@ -435,8 +436,9 @@ static void bochs_bios_write(void *opaqu
/* LGPL'ed VGA BIOS messages */
case 0x501:
case 0x502:
++++++ qemu-xen-dir-remote.tar.bz2 ++++++
/work/SRC/openSUSE:Factory/xen/qemu-xen-dir-remote.tar.bz2 /work/SRC/openSUSE:Factory/.xen.new/qemu-xen-dir-remote.tar.bz2 differ: char 11, line 1
++++++ qemu-xen-traditional-dir-remote.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tools/qemu-xen-traditional-dir-remote/block-cow.c new/tools/qemu-xen-traditional-dir-remote/block-cow.c
--- old/tools/qemu-xen-traditional-dir-remote/block-cow.c 2015-10-07 16:07:24.000000000 +0200
+++ new/tools/qemu-xen-traditional-dir-remote/block-cow.c 2016-02-11 16:59:53.000000000 +0100
@@ -224,7 +224,6 @@
fd = open(image_filename, O_RDONLY | O_BINARY);
if (fd < 0) {
- close(cow_fd);
goto mtime_fail;
}
if (fstat(fd, &st) != 0) {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tools/qemu-xen-traditional-dir-remote/block-nbd.c new/tools/qemu-xen-traditional-dir-remote/block-nbd.c
--- old/tools/qemu-xen-traditional-dir-remote/block-nbd.c 2015-10-07 16:07:24.000000000 +0200
+++ new/tools/qemu-xen-traditional-dir-remote/block-nbd.c 2016-02-11 16:59:53.000000000 +0100
@@ -88,7 +88,10 @@
ret = nbd_receive_negotiate(sock, &size, &blocksize);
if (ret == -1)
+ {
+ close(sock);
return -errno;
+ }
s->sock = sock;
s->size = size;
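Review bot: `close(sock)` runs before `return -errno;`, so the value returned can be whatever close() left in errno rather than the cause of the negotiate failure. Save it first: `int err = errno;`, `close(sock);`, `return -err;`. The block-raw-posix.c hunk has the same ordering problem, with `fprintf` and the added `qemu_free(s)` running between the failed `pipe()` and `return -errno;`. Both functions begin outside their hunks.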
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tools/qemu-xen-traditional-dir-remote/block-raw-posix.c new/tools/qemu-xen-traditional-dir-remote/block-raw-posix.c
--- old/tools/qemu-xen-traditional-dir-remote/block-raw-posix.c 2015-10-07 16:07:24.000000000 +0200
+++ new/tools/qemu-xen-traditional-dir-remote/block-raw-posix.c 2016-02-11 16:59:53.000000000 +0100
@@ -602,6 +602,7 @@
s->first_aio = NULL;
if (pipe(fds) == -1) {
fprintf(stderr, "failed to create pipe\n");
+ qemu_free(s);
return -errno;
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tools/qemu-xen-traditional-dir-remote/block-vvfat.c new/tools/qemu-xen-traditional-dir-remote/block-vvfat.c
--- old/tools/qemu-xen-traditional-dir-remote/block-vvfat.c 2015-10-07 16:07:24.000000000 +0200
+++ new/tools/qemu-xen-traditional-dir-remote/block-vvfat.c 2016-02-11 16:59:53.000000000 +0100
@@ -504,14 +504,21 @@
/* fat functions */
+static inline void fat_chksum_part(const char *name, size_t len, uint8_t *chksum)
+{
+ size_t i;
+
+ for(i = 0; i < len; i++)
+ *chksum = (((*chksum&0xfe) >> 1) | ((*chksum & 0x01) ? 0x80 : 0))
+ + (unsigned char)name[i];
+}
+
static inline uint8_t fat_chksum(const direntry_t* entry)
{
uint8_t chksum=0;
- int i;
- for(i=0;i<11;i++)
- chksum=(((chksum&0xfe)>>1)|((chksum&0x01)?0x80:0))
- +(unsigned char)entry->name[i];
+ fat_chksum_part(entry->name, ARRAY_SIZE(entry->name), &chksum);
+ fat_chksum_part(entry->extension, ARRAY_SIZE(entry->extension), &chksum);
return chksum;
}
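Review bot: `fat_chksum_part` is added without a comment, and the bit expression does not say what it computes. Suggest `/* Rotate *chksum right by one bit, then add the next byte, for each of the len bytes of name. */` above it. A line in `fat_chksum` should also note that name and extension are summed separately so each array is indexed only within its own size (the removed loop ran `i < 11` over `entry->name` alone). The helper takes `const char *` and casts every byte to `unsigned char`. If the direntry fields are declared as unsigned bytes (their declaration is not in this hunk), a `const uint8_t *` parameter would avoid both the cast and a pointer-sign warning.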
@@ -753,6 +760,7 @@
if (st.st_size > 0x7fffffff) {
fprintf(stderr, "File %s is larger than 2GB\n", buffer);
free(buffer);
+ closedir(dir);
return -2;
}
direntry->size=cpu_to_le32(S_ISDIR(st.st_mode)?0:st.st_size);
@@ -780,6 +788,8 @@
s->current_mapping->read_only =
(st.st_mode & (S_IWUSR | S_IWGRP | S_IWOTH)) == 0;
}
+ else
+ qemu_free(buffer);
}
closedir(dir);
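Review bot: The added `else` branch releases `buffer` with `qemu_free()`, while the error path in the previous hunk releases the same variable with `free()`. The allocation is not visible here, so I cannot tell which one matches, but the two paths should use the same call. The new branch is also unbraced after a braced `if`; `} else { qemu_free(buffer); }` would match the surrounding style and make the ownership hand-off to the mapping easier to see.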
@@ -1762,7 +1772,7 @@
if (s->used_clusters[cluster_num] & USED_ANY) {
fprintf(stderr, "cluster %d used more than once\n", (int)cluster_num);
- return 0;
+ goto fail;
}
s->used_clusters[cluster_num] = USED_DIRECTORY;
@@ -2222,11 +2232,15 @@
if (fd < 0) {
fprintf(stderr, "Could not open %s... (%s, %d)\n", mapping->path,
strerror(errno), errno);
+ qemu_free(cluster);
return fd;
}
if (offset > 0)
- if (lseek(fd, offset, SEEK_SET) != offset)
+ if (lseek(fd, offset, SEEK_SET) != offset) {
+ close(fd);
+ qemu_free(cluster);
return -3;
+ }
while (offset < size) {
uint32_t c1;
@@ -2242,11 +2256,17 @@
ret = vvfat_read(s->bs, cluster2sector(s, c),
(uint8_t*)cluster, (rest_size + 0x1ff) / 0x200);
- if (ret < 0)
+ if (ret < 0) {
+ close(fd);
+ qemu_free(cluster);
return ret;
+ }
- if (qemu_write_ok(fd, cluster, rest_size) < 0)
+ if (qemu_write_ok(fd, cluster, rest_size) < 0) {
+ close(fd);
+ qemu_free(cluster);
return -2;
+ }
offset += rest_size;
c = c1;
@@ -2254,6 +2274,7 @@
ftruncate(fd, size);
close(fd);
+ qemu_free(cluster);
return commit_mappings(s, first_cluster, dir_index);
}
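Review bot: `ftruncate(fd, size);` is still called with its result ignored, although this commit gives every other failure in the function a cleanup path. If the truncate fails, the file keeps its old length and `commit_mappings()` runs anyway. Check it and reuse the same cleanup, for example `if (ftruncate(fd, size) < 0) { close(fd); qemu_free(cluster); return -2; }`. The `-2` mirrors the write-failure path in the previous hunk; use whatever value the callers distinguish. The function starts outside this hunk.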
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tools/qemu-xen-traditional-dir-remote/console.c new/tools/qemu-xen-traditional-dir-remote/console.c
--- old/tools/qemu-xen-traditional-dir-remote/console.c 2015-10-07 16:07:24.000000000 +0200
+++ new/tools/qemu-xen-traditional-dir-remote/console.c 2016-02-11 16:59:53.000000000 +0100
@@ -421,7 +421,8 @@
{
uint8_t *d;
const uint8_t *font_ptr;
- unsigned int font_data, linesize, xorcol, bpp;
+ uint8_t font_data;
+ unsigned int linesize, xorcol, bpp;
int i;
unsigned int fgcol, bgcol;
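Review bot: The table indices in this function are now kept in range only by the declared width of `font_data`, and nothing at the declaration says so. The following hunks use `dmask16[(font_data >> 4)]` and `dmask4[(font_data >> 6)]` without a mask, which presumably stays inside those tables only while the value fits in 8 bits (the old `0xFFFF` in an `unsigned int` did not). A comment at the declaration would stop a later type change from reintroducing the problem, e.g. `uint8_t font_data; /* must stay 8 bits: shifted values index dmask16/dmask4 unmasked */`. The enclosing function begins and ends outside the hunk.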
@@ -450,7 +451,7 @@
font_data = *font_ptr++;
if (t_attrib->uline
&& ((i == FONT_HEIGHT - 2) || (i == FONT_HEIGHT - 3))) {
- font_data = 0xFFFF;
+ font_data = 0xFF;
}
((uint32_t *)d)[0] = (dmask16[(font_data >> 4)] & xorcol) ^ bgcol;
((uint32_t *)d)[1] = (dmask16[(font_data >> 0) & 0xf] & xorcol) ^ bgcol;
@@ -463,7 +464,7 @@
font_data = *font_ptr++;
if (t_attrib->uline
&& ((i == FONT_HEIGHT - 2) || (i == FONT_HEIGHT - 3))) {
- font_data = 0xFFFF;
+ font_data = 0xFF;
}
((uint32_t *)d)[0] = (dmask4[(font_data >> 6)] & xorcol) ^ bgcol;
((uint32_t *)d)[1] = (dmask4[(font_data >> 4) & 3] & xorcol) ^ bgcol;
@@ -476,7 +477,7 @@
for(i = 0; i < FONT_HEIGHT; i++) {
font_data = *font_ptr++;
if (t_attrib->uline && ((i == FONT_HEIGHT - 2) || (i == FONT_HEIGHT - 3))) {
- font_data = 0xFFFF;
+ font_data = 0xFF;
}
((uint32_t *)d)[0] = (-((font_data >> 7)) & xorcol) ^ bgcol;
((uint32_t *)d)[1] = (-((font_data >> 6) & 1) & xorcol) ^ bgcol;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tools/qemu-xen-traditional-dir-remote/dma-helpers.c new/tools/qemu-xen-traditional-dir-remote/dma-helpers.c
--- old/tools/qemu-xen-traditional-dir-remote/dma-helpers.c 2015-10-07 16:07:24.000000000 +0200
+++ new/tools/qemu-xen-traditional-dir-remote/dma-helpers.c 2016-02-11 16:59:53.000000000 +0100
@@ -50,8 +50,14 @@
target_phys_addr_t sg_cur_byte;
QEMUIOVector iov;
QEMUBH *bh;
+ int in_use;
} DMAAIOCB;
+static void dma_aio_cb_reset(DMAAIOCB *p)
+{
+ p->in_use = 0;
+}
+
static void dma_bdrv_cb(void *opaque, int ret);
static void reschedule_dma(void *opaque)
@@ -60,6 +66,10 @@
qemu_bh_delete(dbs->bh);
dbs->bh = NULL;
+
+ if (!dbs->in_use)
+ return;
+
dma_bdrv_cb(opaque, 0);
}
@@ -67,7 +77,8 @@
{
DMAAIOCB *dbs = (DMAAIOCB *)opaque;
- dbs->bh = qemu_bh_new(reschedule_dma, dbs);
+ if (!dbs->bh)
+ dbs->bh = qemu_bh_new(reschedule_dma, dbs);
qemu_bh_schedule(dbs->bh);
}
@@ -97,6 +108,7 @@
dbs->common.cb(dbs->common.opaque, ret);
qemu_iovec_destroy(&dbs->iov);
qemu_aio_release(dbs);
+ dma_aio_cb_reset(dbs);
return;
}
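Review bot: `dma_aio_cb_reset(dbs)` writes `dbs->in_use` after `qemu_aio_release(dbs)` has already handed the control block back. If release frees the object or returns it to a pool (its definition is outside this diff), that store lands in memory this path no longer owns. Clearing the flag first avoids the question: `dma_aio_cb_reset(dbs);` followed by `qemu_aio_release(dbs);`. The `in_use` test added to reschedule_dma likewise reads a block that may already have been released, so the scheme relies on released blocks staying valid, and a comment on the field should say so.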
@@ -129,6 +141,7 @@
if (!dbs->acb) {
dma_bdrv_unmap(dbs);
qemu_iovec_destroy(&dbs->iov);
+ dma_aio_cb_reset(dbs);
return;
}
}
@@ -148,6 +161,7 @@
dbs->sg_cur_byte = 0;
dbs->is_write = is_write;
dbs->bh = NULL;
+ dbs->in_use = 1;
qemu_iovec_init(&dbs->iov, sg->nsg);
dma_bdrv_cb(dbs, 0);
if (!dbs->acb) {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tools/qemu-xen-traditional-dir-remote/hw/cirrus_vga.c new/tools/qemu-xen-traditional-dir-remote/hw/cirrus_vga.c
--- old/tools/qemu-xen-traditional-dir-remote/hw/cirrus_vga.c 2015-10-07 16:07:24.000000000 +0200
+++ new/tools/qemu-xen-traditional-dir-remote/hw/cirrus_vga.c 2016-02-11 16:59:53.000000000 +0100
@@ -34,6 +34,8 @@
#include "qemu-xen.h"
#include "qemu-log.h"
+#include
+
/*
* TODO:
* - destination write mask support not complete (bits 5..7)
@@ -223,20 +225,6 @@
#define ABS(a) ((signed)(a) > 0 ? a : -a)
-#define BLTUNSAFE(s) \
- ( \
- ( /* check dst is within bounds */ \
- (s)->cirrus_blt_height * ABS((s)->cirrus_blt_dstpitch) \
- + ((s)->cirrus_blt_dstaddr & (s)->cirrus_addr_mask) > \
- (s)->vram_size \
- ) || \
- ( /* check src is within bounds */ \
- (s)->cirrus_blt_height * ABS((s)->cirrus_blt_srcpitch) \
- + ((s)->cirrus_blt_srcaddr & (s)->cirrus_addr_mask) > \
- (s)->vram_size \
- ) \
- )
-
struct CirrusVGAState;
typedef void (*cirrus_bitblt_rop_t) (struct CirrusVGAState *s,
uint8_t * dst, const uint8_t * src,
@@ -315,6 +303,50 @@
*
***************************************/
+static bool blit_region_is_unsafe(struct CirrusVGAState *s,
+ int32_t pitch, int32_t addr)
+{
+ if (pitch < 0) {
+ int64_t min = addr
+ + ((int64_t)s->cirrus_blt_height-1) * pitch;
+ int32_t max = addr
+ + s->cirrus_blt_width;
+ if (min < 0 || max >= s->vram_size) {
+ return true;
+ }
+ } else {
+ int64_t max = addr
+ + ((int64_t)s->cirrus_blt_height-1) * pitch
+ + s->cirrus_blt_width;
+ if (max >= s->vram_size) {
+ return true;
+ }
+ }
+ return false;
+}
+
+static bool blit_is_unsafe(struct CirrusVGAState *s)
+{
+ /* should be the case, see cirrus_bitblt_start */
+ assert(s->cirrus_blt_width > 0);
+ assert(s->cirrus_blt_height > 0);
+
+ if (s->cirrus_blt_width > CIRRUS_BLTBUFSIZE) {
+ return true;
+ }
+
+ if (blit_region_is_unsafe(s, s->cirrus_blt_dstpitch,
+ s->cirrus_blt_dstaddr & s->cirrus_addr_mask)) {
+ return true;
+ }
+ if (blit_region_is_unsafe(s, s->cirrus_blt_srcpitch,
+ s->cirrus_blt_srcaddr & s->cirrus_addr_mask)) {
+ return true;
+ }
+
+ return false;
+}
+
static void cirrus_bitblt_rop_nop(CirrusVGAState *s,
uint8_t *dst,const uint8_t *src,
int dstpitch,int srcpitch,
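Review bot: In the `pitch < 0` branch of blit_region_is_unsafe the lower bound `min` is computed from height and pitch only and leaves out cirrus_blt_width. If the backward ROP routines walk downwards from the start address within each row (they are outside this hunk, so this needs confirming), the lowest byte touched lies below `min`, and a blit could pass the check while still reaching before the start of VRAM. Subtracting the width, `+ ((int64_t)s->cirrus_blt_height-1) * pitch - s->cirrus_blt_width;`, and comparing `addr` itself against `s->vram_size` for the upper end would match that direction; the exact off-by-one should be checked against the ROP loops. Separately, the two `assert()` calls in blit_is_unsafe disappear under NDEBUG, so returning true for a zero width or height would keep the guard in release builds.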
@@ -676,7 +708,7 @@
dst = s->vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask);
- if (BLTUNSAFE(s))
+ if (blit_is_unsafe(s))
return 0;
(*s->cirrus_rop) (s, dst, src,
@@ -694,7 +726,7 @@
{
cirrus_fill_t rop_func;
- if (BLTUNSAFE(s))
+ if (blit_is_unsafe(s))
return 0;
rop_func = cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1];
rop_func(s, s->vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask),
@@ -722,45 +754,45 @@
static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
{
- int sx, sy;
- int dx, dy;
- int width, height;
- int depth;
+ int sx = 0, sy = 0;
+ int dx = 0, dy = 0;
+ int depth = 0;
int notify = 0;
- depth = s->get_bpp((VGAState *)s) / 8;
- s->get_resolution((VGAState *)s, &width, &height);
+ /* make sure to only copy if it's a plain copy ROP */
+ if (*s->cirrus_rop == cirrus_bitblt_rop_fwd_src ||
+ *s->cirrus_rop == cirrus_bitblt_rop_bkwd_src) {
+ int width, height;
+
+ depth = s->get_bpp((VGAState *)s) / 8;
+ s->get_resolution((VGAState *)s, &width, &height);
+
+ /* extra x, y */
+ sx = (src % ABS(s->cirrus_blt_srcpitch)) / depth;
+ sy = (src / ABS(s->cirrus_blt_srcpitch));
+ dx = (dst % ABS(s->cirrus_blt_dstpitch)) / depth;
+ dy = (dst / ABS(s->cirrus_blt_dstpitch));
+
+ /* normalize width */
+ w /= depth;
+
+ /* if we're doing a backward copy, we have to adjust
+ our x/y to be the upper left corner (instead of the lower
+ right corner) */
+ if (s->cirrus_blt_dstpitch < 0) {
+ sx -= (s->cirrus_blt_width / depth) - 1;
+ dx -= (s->cirrus_blt_width / depth) - 1;
+ sy -= s->cirrus_blt_height - 1;
+ dy -= s->cirrus_blt_height - 1;
+ }
- /* extra x, y */
- sx = (src % ABS(s->cirrus_blt_srcpitch)) / depth;
- sy = (src / ABS(s->cirrus_blt_srcpitch));
- dx = (dst % ABS(s->cirrus_blt_dstpitch)) / depth;
- dy = (dst / ABS(s->cirrus_blt_dstpitch));
-
- /* normalize width */
- w /= depth;
-
- /* if we're doing a backward copy, we have to adjust
- our x/y to be the upper left corner (instead of the lower
- right corner) */
- if (s->cirrus_blt_dstpitch < 0) {
- sx -= (s->cirrus_blt_width / depth) - 1;
- dx -= (s->cirrus_blt_width / depth) - 1;
- sy -= s->cirrus_blt_height - 1;
- dy -= s->cirrus_blt_height - 1;
- }
-
- /* are we in the visible portion of memory? */
- if (sx >= 0 && sy >= 0 && dx >= 0 && dy >= 0 &&
- (sx + w) <= width && (sy + h) <= height &&
- (dx + w) <= width && (dy + h) <= height) {
- notify = 1;
- }
-
- /* make to sure only copy if it's a plain copy ROP */
- if (*s->cirrus_rop != cirrus_bitblt_rop_fwd_src &&
- *s->cirrus_rop != cirrus_bitblt_rop_bkwd_src)
- notify = 0;
+ /* are we in the visible portion of memory? */
+ if (sx >= 0 && sy >= 0 && dx >= 0 && dy >= 0 &&
+ (sx + w) <= width && (sy + h) <= height &&
+ (dx + w) <= width && (dy + h) <= height) {
+ notify = 1;
+ }
+ }
/* we have to flush all pending changes so that the copy
is generated at the appropriate moment in time */
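Review bot: Inside the new plain-copy branch, `depth` is `s->get_bpp((VGAState *)s) / 8` and is then used as a divisor, as are `ABS(s->cirrus_blt_srcpitch)` and `ABS(s->cirrus_blt_dstpitch)`, with no check that any of them is non-zero. If get_bpp can report fewer than 8 bits per pixel, or a pitch register holds zero, the device model divides by zero. Wrapping the sx/sy/dx/dy computation and the visibility test in `if (depth > 0 && s->cirrus_blt_srcpitch != 0 && s->cirrus_blt_dstpitch != 0)` leaves `notify` at 0 in those cases and the copy itself unaffected. The function continues past the end of the hunk.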
@@ -790,7 +822,7 @@
static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
{
- if (BLTUNSAFE(s))
+ if (blit_is_unsafe(s))
return 0;
cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->start_addr,
@@ -2674,7 +2706,7 @@
static uint32_t vga_ioport_read(void *opaque, uint32_t addr)
{
CirrusVGAState *s = opaque;
- int val, index;
+ int val = 0xff, index;
/* check port range access depending on color/monochrome mode */
if ((addr >= 0x3b0 && addr <= 0x3bf && (s->msr & MSR_COLOR_EMULATION))
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tools/qemu-xen-traditional-dir-remote/hw/device-hotplug.c new/tools/qemu-xen-traditional-dir-remote/hw/device-hotplug.c
--- old/tools/qemu-xen-traditional-dir-remote/hw/device-hotplug.c 2015-10-07 16:07:24.000000000 +0200
+++ new/tools/qemu-xen-traditional-dir-remote/hw/device-hotplug.c 2016-02-11 16:59:53.000000000 +0100
@@ -34,7 +34,7 @@
int ret = -1;
drive_opt_idx = drive_add(NULL, "%s", opts);
- if (!drive_opt_idx)
+ if (drive_opt_idx < 0)
return ret;
drive_idx = drive_init(&drives_opt[drive_opt_idx], 0, current_machine);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tools/qemu-xen-traditional-dir-remote/hw/ide.c new/tools/qemu-xen-traditional-dir-remote/hw/ide.c
--- old/tools/qemu-xen-traditional-dir-remote/hw/ide.c 2015-10-07 16:07:24.000000000 +0200
+++ new/tools/qemu-xen-traditional-dir-remote/hw/ide.c 2016-02-11 16:59:53.000000000 +0100
@@ -919,8 +919,10 @@
}
}
+static void ide_dma_cancel(BMDMAState *bm);
static inline void ide_abort_command(IDEState *s)
{
+ if (s->bmdma) ide_dma_cancel(s->bmdma);
s->status = READY_STAT | ERR_STAT;
s->error = ABRT_ERR;
}
@@ -1098,6 +1100,7 @@
static void ide_dma_error(IDEState *s)
{
+ if (s->bmdma) ide_dma_cancel(s->bmdma);
ide_transfer_stop(s);
s->error = ABRT_ERR;
s->status = READY_STAT | ERR_STAT;
@@ -1230,7 +1233,7 @@
return;
}
- if (!s->bs) return; /* ouch! (see ide_flush_cb) */
+ if (!s || !s->bs) return; /* ouch! (see ide_dma_error & ide_flush_cb) */
n = s->io_buffer_size >> 9;
sector_num = ide_get_sector(s);
@@ -1371,7 +1374,7 @@
return;
}
- if (!s->bs) return; /* ouch! (see ide_flush_cb) */
+ if (!s || !s->bs) return; /* ouch! (see ide_dma_error & ide_flush_cb) */
n = s->io_buffer_size >> 9;
sector_num = ide_get_sector(s);
@@ -3673,7 +3676,6 @@
PCIIDEState *d;
uint8_t *pci_conf;
int i;
- qemu_irq *irq;
d = (PCIIDEState *)pci_register_device(bus, "CMD646 IDE",
sizeof(PCIIDEState),
@@ -3715,9 +3717,8 @@
for(i = 0; i < 4; i++)
d->ide_if[i].pci_dev = (PCIDevice *)d;
- irq = qemu_allocate_irqs(cmd646_set_irq, d, 2);
- ide_init2(&d->ide_if[0], hd_table[0], hd_table[1], irq[0]);
- ide_init2(&d->ide_if[2], hd_table[2], hd_table[3], irq[1]);
+ ide_init2(&d->ide_if[0], hd_table[0], hd_table[1], qemu_allocate_irq(cmd646_set_irq, d));
+ ide_init2(&d->ide_if[2], hd_table[2], hd_table[3], qemu_allocate_irq(cmd646_set_irq, d));
register_savevm("ide", 0, 3, pci_ide_save, pci_ide_load, d);
qemu_register_reset(cmd646_reset, d);
@@ -4790,7 +4791,7 @@
md->card.cis = dscm1xxxx_cis;
md->card.cis_len = sizeof(dscm1xxxx_cis);
- ide_init2(md->ide, bdrv, 0, qemu_allocate_irqs(md_set_irq, md, 1)[0]);
+ ide_init2(md->ide, bdrv, 0, qemu_allocate_irq(md_set_irq, md));
md->ide->is_cf = 1;
md->ide->mdata_size = METADATA_SIZE;
md->ide->mdata_storage = (uint8_t *) qemu_mallocz(METADATA_SIZE);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tools/qemu-xen-traditional-dir-remote/hw/irq.c new/tools/qemu-xen-traditional-dir-remote/hw/irq.c
--- old/tools/qemu-xen-traditional-dir-remote/hw/irq.c 2015-10-07 16:07:24.000000000 +0200
+++ new/tools/qemu-xen-traditional-dir-remote/hw/irq.c 2016-02-11 16:59:53.000000000 +0100
@@ -38,6 +38,22 @@
irq->handler(irq->opaque, irq->n, level);
}
+qemu_irq qemu_allocate_irq(qemu_irq_handler handler, void *opaque)
+{
+ struct IRQState *irq;
+
+ irq = (struct IRQState *)qemu_mallocz(sizeof(struct IRQState));
+ irq->handler = handler;
+ irq->opaque = opaque;
+ irq->n = 0;
+ return irq;
+}
+
+void qemu_free_irq(qemu_irq irq)
+{
+ qemu_free(irq);
+}
+
qemu_irq *qemu_allocate_irqs(qemu_irq_handler handler, void *opaque, int n)
{
qemu_irq *s;
@@ -73,5 +89,5 @@
{
/* The default state for IRQs is low, so raise the output now. */
qemu_irq_raise(irq);
- return qemu_allocate_irqs(qemu_notirq, irq, 1)[0];
+ return qemu_allocate_irq(qemu_notirq, irq);
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tools/qemu-xen-traditional-dir-remote/hw/irq.h new/tools/qemu-xen-traditional-dir-remote/hw/irq.h
--- old/tools/qemu-xen-traditional-dir-remote/hw/irq.h 2015-10-07 16:07:24.000000000 +0200
+++ new/tools/qemu-xen-traditional-dir-remote/hw/irq.h 2016-02-11 16:59:53.000000000 +0100
@@ -25,6 +25,10 @@
qemu_set_irq(irq, 0);
}
+/* Returns one IRQ. */
+qemu_irq qemu_allocate_irq(qemu_irq_handler handler, void *opaque);
+void qemu_free_irq(qemu_irq irq);
+
/* Returns an array of N IRQs. */
qemu_irq *qemu_allocate_irqs(qemu_irq_handler handler, void *opaque, int n);
void qemu_free_irqs(qemu_irq *s);
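Review bot: The comment `/* Returns one IRQ. */` does not say how the result is released, and the header now offers both qemu_free_irq() and qemu_free_irqs(). Suggest `/* Returns one IRQ; release it with qemu_free_irq(), not qemu_free_irqs(). */`. A matching line on qemu_free_irq() should state that it must not be applied to individual entries of an array from qemu_allocate_irqs(). That assumes the array form allocates its entries as one block, which the separate functions suggest but the hunks do not show.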
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tools/qemu-xen-traditional-dir-remote/hw/lm832x.c new/tools/qemu-xen-traditional-dir-remote/hw/lm832x.c
--- old/tools/qemu-xen-traditional-dir-remote/hw/lm832x.c 2015-10-07 16:07:24.000000000 +0200
+++ new/tools/qemu-xen-traditional-dir-remote/hw/lm832x.c 2016-02-11 16:59:53.000000000 +0100
@@ -439,8 +439,11 @@
qemu_put_byte(f, s->kbd.len);
qemu_put_buffer(f, s->kbd.fifo, sizeof(s->kbd.fifo));
- for (i = 0; i < sizeof(s->pwm.file); i ++)
+ for (i = 0; i < ARRAY_SIZE(s->pwm.file); i ++)
qemu_put_be16s(f, &s->pwm.file[i]);
+ /* Padding for compatibility with older records. */
+ for ( ; i < sizeof(s->pwm.file); i++)
+ qemu_put_be16s(f, 0);
qemu_put_8s(f, &s->pwm.faddr);
qemu_put_buffer(f, s->pwm.addr, sizeof(s->pwm.addr));
qemu_put_timer(f, s->pwm.tm[0]);
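Review bot: The padding loop calls `qemu_put_be16s(f, 0)`, but two lines earlier the same function is passed `&s->pwm.file[i]`, so it takes a pointer and the literal 0 is a null pointer. Assuming the helper reads through that pointer, the save path dereferences NULL as soon as the padding loop runs. The load side already uses the by-value form `qemu_get_be16(f)` for its padding, and the save side should mirror it with `qemu_put_be16(f, 0);`. The `uint16_t pad;` added to lm_kbd_load is not used by any line visible in these hunks and can probably be dropped.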
@@ -451,6 +454,7 @@
static int lm_kbd_load(QEMUFile *f, void *opaque, int version_id)
{
struct lm_kbd_s *s = (struct lm_kbd_s *) opaque;
+ uint16_t pad;
int i;
i2c_slave_load(f, &s->i2c);
@@ -475,8 +479,11 @@
s->kbd.len = qemu_get_byte(f);
qemu_get_buffer(f, s->kbd.fifo, sizeof(s->kbd.fifo));
- for (i = 0; i < sizeof(s->pwm.file); i ++)
+ for (i = 0; i < ARRAY_SIZE(s->pwm.file); i ++)
qemu_get_be16s(f, &s->pwm.file[i]);
+ /* Skip padding. */
+ for ( ; i < sizeof(s->pwm.file); i++)
+ qemu_get_be16(f);
qemu_get_8s(f, &s->pwm.faddr);
qemu_get_buffer(f, s->pwm.addr, sizeof(s->pwm.addr));
qemu_get_timer(f, s->pwm.tm[0]);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tools/qemu-xen-traditional-dir-remote/hw/msmouse.c new/tools/qemu-xen-traditional-dir-remote/hw/msmouse.c
--- old/tools/qemu-xen-traditional-dir-remote/hw/msmouse.c 2015-10-07 16:07:24.000000000 +0200
+++ new/tools/qemu-xen-traditional-dir-remote/hw/msmouse.c 2016-02-11 16:59:53.000000000 +0100
@@ -61,7 +61,6 @@
static void msmouse_chr_close (struct CharDriverState *chr)
{
- qemu_free (chr);
}
CharDriverState *qemu_chr_open_msmouse(void)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tools/qemu-xen-traditional-dir-remote/hw/pc.c new/tools/qemu-xen-traditional-dir-remote/hw/pc.c
--- old/tools/qemu-xen-traditional-dir-remote/hw/pc.c 2015-10-07 16:07:24.000000000 +0200
+++ new/tools/qemu-xen-traditional-dir-remote/hw/pc.c 2016-02-11 16:59:53.000000000 +0100
@@ -79,7 +79,6 @@
uint16_t protocol,
const uint8_t header[], int kernel_size,
target_phys_addr_t real_addr, int real_size);
-#define smbus_eeprom_device_init (void)
static void ioport80_write(void *opaque, uint32_t addr, uint32_t data)
{
@@ -802,7 +801,6 @@
PCIBus *pci_bus;
int piix3_devfn = -1;
CPUState *env;
- qemu_irq *cpu_irq;
qemu_irq *i8259;
int index;
BlockDriverState *hd[MAX_IDE_BUS * MAX_IDE_DEVS];
@@ -971,8 +969,7 @@
bochs_bios_init();
- cpu_irq = qemu_allocate_irqs(pic_irq_request, NULL, 1);
- i8259 = i8259_init(cpu_irq[0]);
+ i8259 = i8259_init(NULL);
ferr_irq = i8259[13];
if (pci_enabled) {
@@ -1135,17 +1132,8 @@
}
if (pci_enabled && acpi_enabled) {
- uint8_t *eeprom_buf = qemu_mallocz(8 * 256); /* XXX: make this persistent */
- i2c_bus *smbus;
-
/* TODO: Populate SPD eeprom data. */
- smbus = piix4_pm_init(pci_bus, piix3_devfn + 3, 0xb100, i8259[9]);
-
- if (smbus) {
- for (i = 0; i < 8; i++) {
- smbus_eeprom_device_init(smbus, 0x50 + i, eeprom_buf + (i * 256));
- }
- }
+ piix4_pm_init(pci_bus, piix3_devfn + 3, 0xb100, i8259[9]);
}
if (i440fx_state) {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tools/qemu-xen-traditional-dir-remote/hw/pcnet.c new/tools/qemu-xen-traditional-dir-remote/hw/pcnet.c
--- old/tools/qemu-xen-traditional-dir-remote/hw/pcnet.c 2015-10-07 16:07:24.000000000 +0200
+++ new/tools/qemu-xen-traditional-dir-remote/hw/pcnet.c 2016-02-11 16:59:53.000000000 +0100
@@ -1153,7 +1153,7 @@
uint32_t fcs = ~0;
uint8_t *p = src;
- while (p != &src[size-4])
+ while (p != &src[size])
CRC(fcs, *p++);
crc_err = (*(uint32_t *)p != htonl(fcs));
}
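Review bot: With the loop now running to `&src[size]`, the comparison `*(uint32_t *)p` reads four bytes starting at `src + size` through a cast pointer. Nothing in this hunk shows that the caller guarantees `size + 4` readable bytes, and p need not be 4-byte aligned for an arbitrary size. A comment stating the buffer contract would help. An alignment-safe read would be `uint32_t rx_fcs; memcpy(&rx_fcs, p, sizeof rx_fcs); crc_err = (rx_fcs != htonl(fcs));`. The enclosing function starts outside the hunk.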
@@ -1284,12 +1284,13 @@
bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
/* if multi-tmd packet outsizes s->buffer then skip it silently.
- Note: this is not what real hw does */
- if (s->xmit_pos + bcnt > sizeof(s->buffer)) {
- s->xmit_pos = -1;
- goto txdone;
+ * Note: this is not what real hw does.
+ * Last four bytes of s->buffer are used to store CRC FCS code.
+ */
+ if (s->xmit_pos + bcnt > sizeof(s->buffer) - 4) {
+ s->xmit_pos = -1;
+ goto txdone;
}
-
s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr),
s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s));
s->xmit_pos += bcnt;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tools/qemu-xen-traditional-dir-remote/hw/pt-msi.c new/tools/qemu-xen-traditional-dir-remote/hw/pt-msi.c
--- old/tools/qemu-xen-traditional-dir-remote/hw/pt-msi.c 2015-10-07 16:07:24.000000000 +0200
+++ new/tools/qemu-xen-traditional-dir-remote/hw/pt-msi.c 2016-02-11 16:59:53.000000000 +0100
@@ -440,6 +440,13 @@
return;
}
+ if ( addr - msix->mmio_base_addr >= msix->total_entries * 16 )
+ {
+ PT_LOG("Error: Out of bounds write to MSI-X table,"
+ " addr %016"PRIx64"\n", addr);
+ return;
+ }
+
entry_nr = (addr - msix->mmio_base_addr) / 16;
entry = &msix->msix_entry[entry_nr];
offset = ((addr - msix->mmio_base_addr) % 16) / 4;
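Review bot: The table-entry size `16` now appears in the new bound, the `entry_nr` division and the `offset` modulo, and the bound is only correct while all three agree. A single named constant for the entry size, used in all three places, would keep them from drifting apart. The check is also added only to this write path; the corresponding read handler is outside the hunk and needs the same bound if it indexes `msix->msix_entry` from a guest-supplied address in the same way.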
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tools/qemu-xen-traditional-dir-remote/hw/vga.c new/tools/qemu-xen-traditional-dir-remote/hw/vga.c
--- old/tools/qemu-xen-traditional-dir-remote/hw/vga.c 2015-10-07 16:07:24.000000000 +0200
+++ new/tools/qemu-xen-traditional-dir-remote/hw/vga.c 2016-02-11 16:59:53.000000000 +0100
@@ -521,6 +521,93 @@
}
#ifdef CONFIG_BOCHS_VBE
+/*
+ * Sanity check vbe register writes.
+ *
+ * As we don't have a way to signal errors to the guest in the bochs
+ * dispi interface we'll go adjust the registers to the closest valid
+ * value.
+ */
+static void vbe_fixup_regs(VGAState *s)
+{
+ uint16_t *r = s->vbe_regs;
+ uint32_t bits, linelength, maxy, offset;
+
+ if (!(r[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED)) {
+ /* vbe is turned off -- nothing to do */
+ return;
+ }
+
+ /* check depth */
+ switch (r[VBE_DISPI_INDEX_BPP]) {
+ case 4:
+ case 8:
+ case 16:
+ case 24:
+ case 32:
+ bits = r[VBE_DISPI_INDEX_BPP];
+ break;
+ case 15:
+ bits = 16;
+ break;
+ default:
+ bits = r[VBE_DISPI_INDEX_BPP] = 8;
+ break;
+ }
+
+ /* check width */
+ r[VBE_DISPI_INDEX_XRES] &= ~7u;
+ if (r[VBE_DISPI_INDEX_XRES] == 0) {
+ r[VBE_DISPI_INDEX_XRES] = 8;
+ }
+ if (r[VBE_DISPI_INDEX_XRES] > VBE_DISPI_MAX_XRES) {
+ r[VBE_DISPI_INDEX_XRES] = VBE_DISPI_MAX_XRES;
+ }
+ r[VBE_DISPI_INDEX_VIRT_WIDTH] &= ~7u;
+ if (r[VBE_DISPI_INDEX_VIRT_WIDTH] > VBE_DISPI_MAX_XRES) {
+ r[VBE_DISPI_INDEX_VIRT_WIDTH] = VBE_DISPI_MAX_XRES;
+ }
+ if (r[VBE_DISPI_INDEX_VIRT_WIDTH] < r[VBE_DISPI_INDEX_XRES]) {
+ r[VBE_DISPI_INDEX_VIRT_WIDTH] = r[VBE_DISPI_INDEX_XRES];
+ }
+
+ /* check height */
+ linelength = r[VBE_DISPI_INDEX_VIRT_WIDTH] * bits / 8;
+ maxy = s->vram_size / linelength;
+ if (r[VBE_DISPI_INDEX_YRES] == 0) {
+ r[VBE_DISPI_INDEX_YRES] = 1;
+ }
+ if (r[VBE_DISPI_INDEX_YRES] > VBE_DISPI_MAX_YRES) {
+ r[VBE_DISPI_INDEX_YRES] = VBE_DISPI_MAX_YRES;
+ }
+ if (r[VBE_DISPI_INDEX_YRES] > maxy) {
+ r[VBE_DISPI_INDEX_YRES] = maxy;
+ }
+
+ /* check offset */
+ if (r[VBE_DISPI_INDEX_X_OFFSET] > VBE_DISPI_MAX_XRES) {
+ r[VBE_DISPI_INDEX_X_OFFSET] = VBE_DISPI_MAX_XRES;
+ }
+ if (r[VBE_DISPI_INDEX_Y_OFFSET] > VBE_DISPI_MAX_YRES) {
+ r[VBE_DISPI_INDEX_Y_OFFSET] = VBE_DISPI_MAX_YRES;
+ }
+ offset = r[VBE_DISPI_INDEX_X_OFFSET] * bits / 8;
+ offset += r[VBE_DISPI_INDEX_Y_OFFSET] * linelength;
+ if (offset + r[VBE_DISPI_INDEX_YRES] * linelength > s->vram_size) {
+ r[VBE_DISPI_INDEX_Y_OFFSET] = 0;
+ offset = r[VBE_DISPI_INDEX_X_OFFSET] * bits / 8;
+ if (offset + r[VBE_DISPI_INDEX_YRES] * linelength > s->vram_size) {
+ r[VBE_DISPI_INDEX_X_OFFSET] = 0;
+ offset = 0;
+ }
+ }
+
+ /* update vga state */
+ r[VBE_DISPI_INDEX_VIRT_HEIGHT] = maxy;
+ s->vbe_line_offset = linelength;
+ s->vbe_start_addr = offset / 4;
+}
+
static uint32_t vbe_ioport_read_index(void *opaque, uint32_t addr)
{
VGAState *s = opaque;
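Review bot: At the end of vbe_fixup_regs, `r[VBE_DISPI_INDEX_VIRT_HEIGHT] = maxy;` stores a `uint32_t` into a `uint16_t` register without clamping. `maxy` is `s->vram_size / linelength`, and with a small width and depth that quotient can exceed 65535, so the guest would read back a truncated virtual height that no longer matches the limit the function actually enforced. Clamping on store, `r[VBE_DISPI_INDEX_VIRT_HEIGHT] = maxy > 0xffff ? 0xffff : maxy;`, keeps the reported value meaningful. The YRES assignment from `maxy` is not affected, because it only happens when YRES is already larger than `maxy`.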
@@ -588,22 +675,13 @@
}
break;
case VBE_DISPI_INDEX_XRES:
- if ((val <= VBE_DISPI_MAX_XRES) && ((val & 7) == 0)) {
- s->vbe_regs[s->vbe_index] = val;
- }
- break;
case VBE_DISPI_INDEX_YRES:
- if (val <= VBE_DISPI_MAX_YRES) {
- s->vbe_regs[s->vbe_index] = val;
- }
- break;
case VBE_DISPI_INDEX_BPP:
- if (val == 0)
- val = 8;
- if (val == 4 || val == 8 || val == 15 ||
- val == 16 || val == 24 || val == 32) {
- s->vbe_regs[s->vbe_index] = val;
- }
+ case VBE_DISPI_INDEX_VIRT_WIDTH:
+ case VBE_DISPI_INDEX_X_OFFSET:
+ case VBE_DISPI_INDEX_Y_OFFSET:
+ s->vbe_regs[s->vbe_index] = val;
+ vbe_fixup_regs(s);
break;
case VBE_DISPI_INDEX_BANK:
if (s->vbe_regs[VBE_DISPI_INDEX_BPP] == 4) {
@@ -623,19 +701,11 @@
set_vram_mapping(s, s->lfb_addr, s->lfb_end);
}
- s->vbe_regs[VBE_DISPI_INDEX_VIRT_WIDTH] =
- s->vbe_regs[VBE_DISPI_INDEX_XRES];
- s->vbe_regs[VBE_DISPI_INDEX_VIRT_HEIGHT] =
- s->vbe_regs[VBE_DISPI_INDEX_YRES];
+ s->vbe_regs[VBE_DISPI_INDEX_VIRT_WIDTH] = 0;
s->vbe_regs[VBE_DISPI_INDEX_X_OFFSET] = 0;
s->vbe_regs[VBE_DISPI_INDEX_Y_OFFSET] = 0;
-
- if (s->vbe_regs[VBE_DISPI_INDEX_BPP] == 4)
- s->vbe_line_offset = s->vbe_regs[VBE_DISPI_INDEX_XRES] >> 1;
- else
- s->vbe_line_offset = s->vbe_regs[VBE_DISPI_INDEX_XRES] *
- ((s->vbe_regs[VBE_DISPI_INDEX_BPP] + 7) >> 3);
- s->vbe_start_addr = 0;
+ s->vbe_regs[VBE_DISPI_INDEX_ENABLE] |= VBE_DISPI_ENABLED;
+ vbe_fixup_regs(s);
/* clear the screen (should be done in BIOS) */
if (!(val & VBE_DISPI_NOCLEARMEM)) {
@@ -677,40 +747,6 @@
s->dac_8bit = (val & VBE_DISPI_8BIT_DAC) > 0;
s->vbe_regs[s->vbe_index] = val;
break;
- case VBE_DISPI_INDEX_VIRT_WIDTH:
- {
- int w, h, line_offset;
-
- if (val < s->vbe_regs[VBE_DISPI_INDEX_XRES])
- return;
- w = val;
- if (s->vbe_regs[VBE_DISPI_INDEX_BPP] == 4)
- line_offset = w >> 1;
- else
- line_offset = w * ((s->vbe_regs[VBE_DISPI_INDEX_BPP] + 7) >> 3);
- h = s->vram_size / line_offset;
- /* XXX: support weird bochs semantics ? */
- if (h < s->vbe_regs[VBE_DISPI_INDEX_YRES])
- return;
- s->vbe_regs[VBE_DISPI_INDEX_VIRT_WIDTH] = w;
- s->vbe_regs[VBE_DISPI_INDEX_VIRT_HEIGHT] = h;
- s->vbe_line_offset = line_offset;
- }
- break;
- case VBE_DISPI_INDEX_X_OFFSET:
- case VBE_DISPI_INDEX_Y_OFFSET:
- {
- int x;
- s->vbe_regs[s->vbe_index] = val;
- s->vbe_start_addr = s->vbe_line_offset * s->vbe_regs[VBE_DISPI_INDEX_Y_OFFSET];
- x = s->vbe_regs[VBE_DISPI_INDEX_X_OFFSET];
- if (s->vbe_regs[VBE_DISPI_INDEX_BPP] == 4)
- s->vbe_start_addr += x >> 1;
- else
- s->vbe_start_addr += x * ((s->vbe_regs[VBE_DISPI_INDEX_BPP] + 7) >> 3);
- s->vbe_start_addr >>= 2;
- }
- break;
default:
break;
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tools/qemu-xen-traditional-dir-remote/hw/virtio-blk.c new/tools/qemu-xen-traditional-dir-remote/hw/virtio-blk.c
--- old/tools/qemu-xen-traditional-dir-remote/hw/virtio-blk.c 2015-10-07 16:07:24.000000000 +0200
+++ new/tools/qemu-xen-traditional-dir-remote/hw/virtio-blk.c 2016-02-11 16:59:53.000000000 +0100
@@ -252,6 +252,7 @@
stw_raw(&blkcfg.cylinders, cylinders);
blkcfg.heads = heads;
blkcfg.sectors = secs;
+ blkcfg.size_max = 0;
memcpy(config, &blkcfg, sizeof(blkcfg));
}
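Review bot: Setting `blkcfg.size_max = 0` initialises one more field, but the whole struct is then copied out with `memcpy(config, &blkcfg, sizeof(blkcfg))`. Any member or padding byte not assigned in this function therefore still carries stale stack contents into the config buffer, which is presumably readable by the guest. The declaration is outside the hunk. If it has no initialiser, a single `memset(&blkcfg, 0, sizeof(blkcfg));` before the first assignment covers size_max and everything else, and does not need revisiting when fields are added.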
@@ -287,7 +288,7 @@
VirtIOBlockReq *req = virtio_blk_alloc_request(s);
qemu_get_buffer(f, (unsigned char*)&req->elem, sizeof(req->elem));
req->next = s->rq;
- s->rq = req->next;
+ s->rq = req;
}
return 0;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tools/qemu-xen-traditional-dir-remote/hw/xen_blkif.h new/tools/qemu-xen-traditional-dir-remote/hw/xen_blkif.h
--- old/tools/qemu-xen-traditional-dir-remote/hw/xen_blkif.h 2015-10-07 16:07:24.000000000 +0200
+++ new/tools/qemu-xen-traditional-dir-remote/hw/xen_blkif.h 2016-02-11 16:59:53.000000000 +0100
@@ -79,8 +79,10 @@
dst->handle = src->handle;
dst->id = src->id;
dst->sector_number = src->sector_number;
- if (n > src->nr_segments)
- n = src->nr_segments;
+ /* prevent the compiler from optimizing the code and using src->nr_segments instead */
+ xen_mb();
+ if (n > dst->nr_segments)
+ n = dst->nr_segments;
for (i = 0; i < n; i++)
dst->seg[i] = src->seg[i];
}
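Review bot: The new comment says what the barrier does but not why re-reading `src->nr_segments` would be a problem, and that reason is the whole point of the change. Suggest wording along the lines of `/* src may be modified concurrently by the other end: bound the copy by the snapshot in dst, and fence so the compiler cannot reload src->nr_segments */`. This presumes src points into memory shared with the guest. The same comment applies to the identical hunk at -94, and the assignment of `dst->nr_segments` it relies on is outside both hunks.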
@@ -94,8 +96,10 @@
dst->handle = src->handle;
dst->id = src->id;
dst->sector_number = src->sector_number;
- if (n > src->nr_segments)
- n = src->nr_segments;
+ /* prevent the compiler from optimizing the code and using src->nr_segments instead */
+ xen_mb();
+ if (n > dst->nr_segments)
+ n = dst->nr_segments;
for (i = 0; i < n; i++)
dst->seg[i] = src->seg[i];
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tools/qemu-xen-traditional-dir-remote/hw/xenfb.c new/tools/qemu-xen-traditional-dir-remote/hw/xenfb.c
--- old/tools/qemu-xen-traditional-dir-remote/hw/xenfb.c 2015-10-07 16:07:24.000000000 +0200
+++ new/tools/qemu-xen-traditional-dir-remote/hw/xenfb.c 2016-02-11 16:59:53.000000000 +0100
@@ -827,18 +827,20 @@
static void xenfb_handle_events(struct XenFB *xenfb)
{
- uint32_t prod, cons;
+ uint32_t prod, cons, out_cons;
struct xenfb_page *page = xenfb->c.page;
prod = page->out_prod;
- if (prod == page->out_cons)
+ out_cons = page->out_cons;
+ if (prod == out_cons)
return;
xen_rmb(); /* ensure we see ring contents up to prod */
- for (cons = page->out_cons; cons != prod; cons++) {
+ for (cons = out_cons; cons != prod; cons++) {
union xenfb_out_event *event = &XENFB_OUT_RING_REF(page, cons);
+ uint8_t type = event->type;
int x, y, w, h;
- switch (event->type) {
+ switch (type) {
case XENFB_TYPE_UPDATE:
if (xenfb->up_count == UP_QUEUE)
xenfb->up_fullscreen = 1;
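Review bot: Only `out_cons` and `event->type` are snapshotted here, while `event` itself still points into the shared page. The case bodies are outside the hunk; if they read `event->update` fields directly, and especially if they do so more than once per field, those values can change between the bounds check and the use. Copying the whole entry to a local after the `xen_rmb()`, `union xenfb_out_event ev = XENFB_OUT_RING_REF(page, cons);`, and switching on `ev.type` gives every field the same single-read guarantee. It is also worth confirming that `prod - out_cons` is bounded by the ring size before the loop.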
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tools/qemu-xen-traditional-dir-remote/net.c new/tools/qemu-xen-traditional-dir-remote/net.c
--- old/tools/qemu-xen-traditional-dir-remote/net.c 2015-10-07 16:07:24.000000000 +0200
+++ new/tools/qemu-xen-traditional-dir-remote/net.c 2016-02-11 16:59:53.000000000 +0100
@@ -1049,8 +1049,10 @@
if (!setup_script || !strcmp(setup_script, "no"))
setup_script = "";
if (setup_script[0] != '\0') {
- if (launch_script(setup_script, ifname, script_arg, fd))
+ if (launch_script(setup_script, ifname, script_arg, fd)) {
+ close(fd);
return -1;
+ }
}
s = net_tap_fd_init(vlan, model, name, fd);
if (!s)
@@ -1314,9 +1316,11 @@
{
struct sockaddr_in saddr;
int newfd;
- socklen_t saddr_len;
+ socklen_t saddr_len = sizeof(saddr);
NetSocketState *s;
+ memset(&saddr, 0, sizeof(saddr));
+
/* fd passed: multicast: "learn" dgram_dst address from bound address and save it
* Because this may be "shared" socket from a "master" process, datagrams would be recv()
* by ONLY ONE process: we must "clone" this dgram socket --jjo
@@ -1458,6 +1462,7 @@
fd = socket(PF_INET, SOCK_STREAM, 0);
if (fd < 0) {
perror("socket");
+ qemu_free(s);
return -1;
}
socket_set_nonblock(fd);
@@ -1469,11 +1474,15 @@
ret = bind(fd, (struct sockaddr *)&saddr, sizeof(saddr));
if (ret < 0) {
perror("bind");
+ closesocket(fd);
+ qemu_free(s);
return -1;
}
ret = listen(fd, 0);
if (ret < 0) {
perror("listen");
+ closesocket(fd);
+ qemu_free(s);
return -1;
}
s->vlan = vlan;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tools/qemu-xen-traditional-dir-remote/qemu-char.c new/tools/qemu-xen-traditional-dir-remote/qemu-char.c
--- old/tools/qemu-xen-traditional-dir-remote/qemu-char.c 2015-10-07 16:07:24.000000000 +0200
+++ new/tools/qemu-xen-traditional-dir-remote/qemu-char.c 2016-02-11 16:59:53.000000000 +0100
@@ -932,6 +932,8 @@
s = qemu_mallocz(sizeof(PtyCharDriver));
if (openpty(&s->fd, &slave_fd, pty_name, NULL, NULL) < 0) {
+ qemu_free(s);
+ qemu_free(chr);
return NULL;
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tools/qemu-xen-traditional-dir-remote/readline.c new/tools/qemu-xen-traditional-dir-remote/readline.c
--- old/tools/qemu-xen-traditional-dir-remote/readline.c 2015-10-07 16:07:24.000000000 +0200
+++ new/tools/qemu-xen-traditional-dir-remote/readline.c 2016-02-11 16:59:53.000000000 +0100
@@ -267,7 +267,7 @@
new_entry = hist_entry;
/* Put this entry at the end of history */
memmove(&term_history[idx], &term_history[idx + 1],
- (TERM_MAX_CMDS - idx + 1) * sizeof(char *));
+ (TERM_MAX_CMDS - (idx + 1)) * sizeof(char *));
term_history[TERM_MAX_CMDS - 1] = NULL;
for (; idx < TERM_MAX_CMDS; idx++) {
if (term_history[idx] == NULL)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tools/qemu-xen-traditional-dir-remote/usb-linux.c new/tools/qemu-xen-traditional-dir-remote/usb-linux.c
--- old/tools/qemu-xen-traditional-dir-remote/usb-linux.c 2015-10-07 16:07:24.000000000 +0200
+++ new/tools/qemu-xen-traditional-dir-remote/usb-linux.c 2016-02-11 16:59:53.000000000 +0100
@@ -117,7 +117,7 @@
uint16_t offset;
uint8_t state;
struct usb_ctrlrequest req;
- uint8_t buffer[1024];
+ uint8_t buffer[2048];
};
typedef struct USBHostDevice {
@@ -554,6 +554,7 @@
struct usbdevfs_urb *urb;
AsyncURB *aurb;
int ret, value, index;
+ int buffer_len;
/*
* Process certain standard device requests.
@@ -582,6 +583,13 @@
/* The rest are asynchronous */
+ buffer_len = 8 + s->ctrl.len;
+ if (buffer_len > sizeof(s->ctrl.buffer)) {
+ fprintf(stderr, "husb: ctrl buffer too small (%d > %zu)\n",
+ buffer_len, sizeof(s->ctrl.buffer));
+ return USB_RET_STALL;
+ }
+
aurb = async_alloc();
aurb->hdev = s;
aurb->packet = p;
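Review bot: This length check sits on the path that submits the URB, so it bounds what the host kernel is asked to transfer. It does not show whether `s->ctrl.len` is also bounded where data-stage bytes are copied into `s->ctrl.buffer`. That copy is outside these hunks, and the limit belongs at the point where `ctrl.len` is first taken from the setup packet, so that no later user of the field can exceed the buffer. As a smaller point, `buffer_len` is an `int` compared against a `size_t`; declaring it `size_t` and printing it with `%zu` avoids the mixed-sign comparison.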
@@ -598,7 +606,7 @@
urb->endpoint = p->devep;
urb->buffer = &s->ctrl.req;
- urb->buffer_length = 8 + s->ctrl.len;
+ urb->buffer_length = buffer_len;
urb->usercontext = s;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tools/qemu-xen-traditional-dir-remote/vl.c new/tools/qemu-xen-traditional-dir-remote/vl.c
--- old/tools/qemu-xen-traditional-dir-remote/vl.c 2015-10-07 16:07:24.000000000 +0200
+++ new/tools/qemu-xen-traditional-dir-remote/vl.c 2016-02-11 16:59:53.000000000 +0100
@@ -1568,7 +1568,7 @@
static int dynticks_start_timer(struct qemu_alarm_timer *t)
{
- struct sigevent ev;
+ struct sigevent ev = { { 0 } };
timer_t host_timer;
struct sigaction act;
@@ -1578,7 +1578,6 @@
sigaction(SIGALRM, &act, NULL);
- ev.sigev_value.sival_int = 0;
ev.sigev_notify = SIGEV_SIGNAL;
ev.sigev_signo = SIGALRM;
@@ -5952,6 +5951,15 @@
}
}
+#ifdef CONFIG_PASSTHROUGH
+ for (i = 0; i < nb_pci_emulation; i++) {
+ if (pci_emulation_add(pci_emulation_config_text[i]) < 0) {
+ fprintf(stderr, "Warning: could not add PCI device %s\n",
+ pci_emulation_config_text[i]);
+ }
+ }
+#endif
+
machine->init(ram_size, vga_ram_size, boot_devices,
kernel_filename, kernel_cmdline, initrd_filename, cpu_model,
direct_pci);
@@ -6068,15 +6076,6 @@
}
}
-#ifdef CONFIG_PASSTHROUGH
- for (i = 0; i < nb_pci_emulation; i++) {
- if (pci_emulation_add(pci_emulation_config_text[i]) < 0) {
- fprintf(stderr, "Warning: could not add PCI device %s\n",
- pci_emulation_config_text[i]);
- }
- }
-#endif
-
for(i = 0; i < MAX_VIRTIO_CONSOLES; i++) {
const char *devname = virtio_consoles[i];
if (virtcon_hds[i] && devname) {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tools/qemu-xen-traditional-dir-remote/vnc.c new/tools/qemu-xen-traditional-dir-remote/vnc.c
--- old/tools/qemu-xen-traditional-dir-remote/vnc.c 2015-10-07 16:07:24.000000000 +0200
+++ new/tools/qemu-xen-traditional-dir-remote/vnc.c 2016-02-11 16:59:53.000000000 +0100
@@ -1616,6 +1616,16 @@
return;
}
+ switch (bits_per_pixel) {
+ case 8:
+ case 16:
+ case 32:
+ break;
+ default:
+ vnc_client_error(vs);
+ return;
+ }
+
vs->clientds = vs->serverds;
vs->clientds.pf.rmax = red_max;
count_bits(vs->clientds.pf.rbits, red_max);
++++++ seabios-dir-remote.tar.bz2 ++++++
++++++ stdvga-cache.patch ++++++
--- /var/tmp/diff_new_pack.77a1IC/_old 2016-02-25 22:02:28.000000000 +0100
+++ /var/tmp/diff_new_pack.77a1IC/_new 2016-02-25 22:02:28.000000000 +0100
@@ -1,8 +1,8 @@
-Index: xen-4.2.0-testing/xen/arch/x86/hvm/stdvga.c
+Index: xen-4.6.1-testing/xen/arch/x86/hvm/stdvga.c
===================================================================
---- xen-4.2.0-testing.orig/xen/arch/x86/hvm/stdvga.c
-+++ xen-4.2.0-testing/xen/arch/x86/hvm/stdvga.c
-@@ -135,7 +135,10 @@ static int stdvga_outb(uint64_t addr, ui
+--- xen-4.6.1-testing.orig/xen/arch/x86/hvm/stdvga.c
++++ xen-4.6.1-testing/xen/arch/x86/hvm/stdvga.c
+@@ -166,7 +166,10 @@ static int stdvga_outb(uint64_t addr, ui
/* When in standard vga mode, emulate here all writes to the vram buffer
* so we can immediately satisfy reads without waiting for qemu. */
++++++ xen-4.6.0-testing-src.tar.bz2 -> xen-4.6.1-testing-src.tar.bz2 ++++++
++++ 3184 lines of diff (skipped)
++++++ xen-hvm-default-bridge.patch ++++++
--- /var/tmp/diff_new_pack.77a1IC/_old 2016-02-25 22:02:30.000000000 +0100
+++ /var/tmp/diff_new_pack.77a1IC/_new 2016-02-25 22:02:30.000000000 +0100
@@ -1,7 +1,7 @@
-Index: xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/net.h
+Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/net.h
===================================================================
---- xen-4.6.0-testing.orig/tools/qemu-xen-traditional-dir-remote/net.h
-+++ xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/net.h
+--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/net.h
++++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/net.h
@@ -107,8 +107,8 @@ void net_host_device_add(const char *dev
void net_host_device_remove(int vlan_id, const char *device);
@@ -13,11 +13,11 @@
#endif
#ifdef __sun__
#define SMBD_COMMAND "/usr/sfw/sbin/smbd"
-Index: xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/net.c
+Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/net.c
===================================================================
---- xen-4.6.0-testing.orig/tools/qemu-xen-traditional-dir-remote/net.c
-+++ xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/net.c
-@@ -1765,9 +1765,10 @@ int net_client_init(const char *device,
+--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/net.c
++++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/net.c
+@@ -1774,9 +1774,10 @@ int net_client_init(const char *device,
}
if (get_param_value(script_arg, sizeof(script_arg), "scriptarg", p) == 0 &&
get_param_value(script_arg, sizeof(script_arg), "bridge", p) == 0) { /* deprecated; for xend compatibility */
@@ -30,10 +30,10 @@
}
} else
#endif
-Index: xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/i386-dm/qemu-ifup-Linux
+Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/i386-dm/qemu-ifup-Linux
===================================================================
---- xen-4.6.0-testing.orig/tools/qemu-xen-traditional-dir-remote/i386-dm/qemu-ifup-Linux
-+++ xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/i386-dm/qemu-ifup-Linux
+--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/i386-dm/qemu-ifup-Linux
++++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/i386-dm/qemu-ifup-Linux
@@ -1,36 +1,22 @@
#!/bin/sh
++++++ xsa164.patch ++++++
--- /var/tmp/diff_new_pack.77a1IC/_old 2016-02-25 22:02:30.000000000 +0100
+++ /var/tmp/diff_new_pack.77a1IC/_new 2016-02-25 22:02:30.000000000 +0100
@@ -17,11 +17,11 @@
Signed-off-by: Jan Beulich
-Index: xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pt-msi.c
+Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/pt-msi.c
===================================================================
---- xen-4.6.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/pt-msi.c
-+++ xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pt-msi.c
-@@ -440,6 +440,13 @@ static void pci_msix_writel(void *opaque
+--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/pt-msi.c
++++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/pt-msi.c
+@@ -447,6 +447,13 @@ static void pci_msix_writel(void *opaque
return;
}