* [gentoo-commits] repo/gentoo:master commit in: app-emulation/qemu/files/
@ 2018-03-30 2:54 Aaron Bauman
0 siblings, 0 replies; 21+ messages in thread
From: Aaron Bauman @ 2018-03-30 2:54 UTC (permalink / raw
To: gentoo-commits
commit: 1e4aab7cf6539ac16335dfde1d83cd17ae2d1072
Author: Michael Mair-Keimberger <m.mairkeimberger <AT> gmail <DOT> com>
AuthorDate: Wed Mar 28 20:30:24 2018 +0000
Commit: Aaron Bauman <bman <AT> gentoo <DOT> org>
CommitDate: Fri Mar 30 02:37:44 2018 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1e4aab7c
app-emulation/qemu: remove unused patch
Closes: https://github.com/gentoo/gentoo/pull/7686
.../qemu/files/qemu-2.11.9999-cflags.patch | 24 ----------------------
1 file changed, 24 deletions(-)
diff --git a/app-emulation/qemu/files/qemu-2.11.9999-cflags.patch b/app-emulation/qemu/files/qemu-2.11.9999-cflags.patch
deleted file mode 100644
index 8d7c387851a..00000000000
--- a/app-emulation/qemu/files/qemu-2.11.9999-cflags.patch
+++ /dev/null
@@ -1,24 +0,0 @@
---- a/configure 2018-02-01 22:51:53.068467555 +0000
-+++ b/configure 2018-02-01 22:52:23.965041387 +0000
-@@ -5212,21 +5212,12 @@ fi
- if test "$gcov" = "yes" ; then
- CFLAGS="-fprofile-arcs -ftest-coverage -g $CFLAGS"
- LDFLAGS="-fprofile-arcs -ftest-coverage $LDFLAGS"
--elif test "$fortify_source" = "yes" ; then
-- CFLAGS="-O2 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 $CFLAGS"
- elif test "$debug" = "yes"; then
-- if compile_prog "-Og" ""; then
-- CFLAGS="-Og $CFLAGS"
-- elif compile_prog "-O1" ""; then
-- CFLAGS="-O1 $CFLAGS"
-- fi
- # Workaround GCC false-positive Wuninitialized bugs with Og or O1:
- # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=24639
- if cc_has_warning_flag "-Wno-maybe-uninitialized"; then
- CFLAGS="-Wno-maybe-uninitialized $CFLAGS"
- fi
--else
-- CFLAGS="-O2 $CFLAGS"
- fi
-
- ##########################################
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: app-emulation/qemu/files/
@ 2024-08-20 8:01 Joonas Niilola
0 siblings, 0 replies; 21+ messages in thread
From: Joonas Niilola @ 2024-08-20 8:01 UTC (permalink / raw
To: gentoo-commits
commit: 90ea995dd8a8427bade0a55798cc97ee92990d42
Author: Michael Mair-Keimberger <mmk <AT> levelnine <DOT> at>
AuthorDate: Mon Jul 22 16:38:46 2024 +0000
Commit: Joonas Niilola <juippis <AT> gentoo <DOT> org>
CommitDate: Tue Aug 20 08:01:34 2024 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=90ea995d
app-emulation/qemu: remove unused patch
Signed-off-by: Michael Mair-Keimberger <mmk <AT> levelnine.at>
Signed-off-by: Joonas Niilola <juippis <AT> gentoo.org>
| 137 ---------------------
1 file changed, 137 deletions(-)
diff --git a/app-emulation/qemu/files/qemu-7.2.0-linux-headers-6.2-glibc-2.36.patch b/app-emulation/qemu/files/qemu-7.2.0-linux-headers-6.2-glibc-2.36.patch
deleted file mode 100644
index 2a58ca1ad735..000000000000
--- a/app-emulation/qemu/files/qemu-7.2.0-linux-headers-6.2-glibc-2.36.patch
+++ /dev/null
@@ -1,137 +0,0 @@
-https://bugs.gentoo.org/895662
-https://gitlab.com/qemu-project/qemu/-/commit/9f0246539ae84a5e21efd1cc4516fc343f08115a
-https://gitlab.com/qemu-project/qemu/-/commit/6003159ce18faad4e1bc7bf9c85669019cd4950e
-
-From 9f0246539ae84a5e21efd1cc4516fc343f08115a Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
-Date: Tue, 10 Jan 2023 12:49:00 -0500
-Subject: [PATCH] Revert "linux-user: add more compat ioctl definitions"
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This reverts commit c5495f4ecb0cdaaf2e9dddeb48f1689cdb520ca0.
-
-glibc has fixed (in 2.36.9000-40-g774058d729) the problem
-that caused a clash when both sys/mount.h annd linux/mount.h
-are included, and backported this to the 2.36 stable release
-too:
-
- https://sourceware.org/glibc/wiki/Release/2.36#Usage_of_.3Clinux.2Fmount.h.3E_and_.3Csys.2Fmount.h.3E
-
-It is saner for QEMU to remove the workaround it applied for
-glibc 2.36 and expect distros to ship the 2.36 maint release
-with the fix. This avoids needing to add a further workaround
-to QEMU to deal with the fact that linux/brtfs.h now also pulls
-in linux/mount.h via linux/fs.h since Linux 6.1
-
-Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
-Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Message-Id: <20230110174901.2580297-2-berrange@redhat.com>
-Signed-off-by: Laurent Vivier <laurent@vivier.eu>
---- a/linux-user/syscall.c
-+++ b/linux-user/syscall.c
-@@ -111,31 +111,6 @@
- #define FS_IOC32_SETFLAGS _IOW('f', 2, int)
- #define FS_IOC32_GETVERSION _IOR('v', 1, int)
- #define FS_IOC32_SETVERSION _IOW('v', 2, int)
--
--#define BLKGETSIZE64 _IOR(0x12,114,size_t)
--#define BLKDISCARD _IO(0x12,119)
--#define BLKIOMIN _IO(0x12,120)
--#define BLKIOOPT _IO(0x12,121)
--#define BLKALIGNOFF _IO(0x12,122)
--#define BLKPBSZGET _IO(0x12,123)
--#define BLKDISCARDZEROES _IO(0x12,124)
--#define BLKSECDISCARD _IO(0x12,125)
--#define BLKROTATIONAL _IO(0x12,126)
--#define BLKZEROOUT _IO(0x12,127)
--
--#define FIBMAP _IO(0x00,1)
--#define FIGETBSZ _IO(0x00,2)
--
--struct file_clone_range {
-- __s64 src_fd;
-- __u64 src_offset;
-- __u64 src_length;
-- __u64 dest_offset;
--};
--
--#define FICLONE _IOW(0x94, 9, int)
--#define FICLONERANGE _IOW(0x94, 13, struct file_clone_range)
--
- #else
- #include <linux/fs.h>
- #endif
---
-GitLab
-
-From 6003159ce18faad4e1bc7bf9c85669019cd4950e Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
-Date: Tue, 10 Jan 2023 12:49:01 -0500
-Subject: [PATCH] Revert "linux-user: fix compat with glibc >= 2.36
- sys/mount.h"
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This reverts commit 3cd3df2a9584e6f753bb62a0028bd67124ab5532.
-
-glibc has fixed (in 2.36.9000-40-g774058d729) the problem
-that caused a clash when both sys/mount.h annd linux/mount.h
-are included, and backported this to the 2.36 stable release
-too:
-
- https://sourceware.org/glibc/wiki/Release/2.36#Usage_of_.3Clinux.2Fmount.h.3E_and_.3Csys.2Fmount.h.3E
-
-It is saner for QEMU to remove the workaround it applied for
-glibc 2.36 and expect distros to ship the 2.36 maint release
-with the fix. This avoids needing to add a further workaround
-to QEMU to deal with the fact that linux/brtfs.h now also pulls
-in linux/mount.h via linux/fs.h since Linux 6.1
-
-Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
-Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Message-Id: <20230110174901.2580297-3-berrange@redhat.com>
-Signed-off-by: Laurent Vivier <laurent@vivier.eu>
---- a/linux-user/syscall.c
-+++ b/linux-user/syscall.c
-@@ -95,25 +95,7 @@
- #include <linux/soundcard.h>
- #include <linux/kd.h>
- #include <linux/mtio.h>
--
--#ifdef HAVE_SYS_MOUNT_FSCONFIG
--/*
-- * glibc >= 2.36 linux/mount.h conflicts with sys/mount.h,
-- * which in turn prevents use of linux/fs.h. So we have to
-- * define the constants ourselves for now.
-- */
--#define FS_IOC_GETFLAGS _IOR('f', 1, long)
--#define FS_IOC_SETFLAGS _IOW('f', 2, long)
--#define FS_IOC_GETVERSION _IOR('v', 1, long)
--#define FS_IOC_SETVERSION _IOW('v', 2, long)
--#define FS_IOC_FIEMAP _IOWR('f', 11, struct fiemap)
--#define FS_IOC32_GETFLAGS _IOR('f', 1, int)
--#define FS_IOC32_SETFLAGS _IOW('f', 2, int)
--#define FS_IOC32_GETVERSION _IOR('v', 1, int)
--#define FS_IOC32_SETVERSION _IOW('v', 2, int)
--#else
- #include <linux/fs.h>
--#endif
- #include <linux/fd.h>
- #if defined(CONFIG_FIEMAP)
- #include <linux/fiemap.h>
---- a/meson.build
-+++ b/meson.build
-@@ -2046,8 +2046,6 @@ config_host_data.set('HAVE_OPTRESET',
- cc.has_header_symbol('getopt.h', 'optreset'))
- config_host_data.set('HAVE_IPPROTO_MPTCP',
- cc.has_header_symbol('netinet/in.h', 'IPPROTO_MPTCP'))
--config_host_data.set('HAVE_SYS_MOUNT_FSCONFIG',
-- cc.has_header_symbol('sys/mount.h', 'FSCONFIG_SET_FLAG'))
-
- # has_member
- config_host_data.set('HAVE_SIGEV_NOTIFY_THREAD_ID',
---
-GitLab
^ permalink raw reply related [flat|nested] 21+ messages in thread* [gentoo-commits] repo/gentoo:master commit in: app-emulation/qemu/files/
@ 2023-11-20 20:20 Ulrich Müller
0 siblings, 0 replies; 21+ messages in thread
From: Ulrich Müller @ 2023-11-20 20:20 UTC (permalink / raw
To: gentoo-commits
commit: 467b4eb965534778ef9bc685ffe8038940d6b232
Author: Michael Mair-Keimberger <mmk <AT> levelnine <DOT> at>
AuthorDate: Tue Nov 7 18:00:41 2023 +0000
Commit: Ulrich Müller <ulm <AT> gentoo <DOT> org>
CommitDate: Mon Nov 20 20:19:54 2023 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=467b4eb9
app-emulation/qemu: remove unused patch
Signed-off-by: Michael Mair-Keimberger <mmk <AT> levelnine.at>
Signed-off-by: Ulrich Müller <ulm <AT> gentoo.org>
.../qemu/files/qemu-7.2.0-tcg-curl-ssl.patch | 182 ---------------------
1 file changed, 182 deletions(-)
diff --git a/app-emulation/qemu/files/qemu-7.2.0-tcg-curl-ssl.patch b/app-emulation/qemu/files/qemu-7.2.0-tcg-curl-ssl.patch
deleted file mode 100644
index 2b0a9f630371..000000000000
--- a/app-emulation/qemu/files/qemu-7.2.0-tcg-curl-ssl.patch
+++ /dev/null
@@ -1,182 +0,0 @@
-https://bugs.gentoo.org/895746#c3
-https://gitlab.com/qemu-project/qemu/-/issues/1471
-https://gitlab.com/qemu-project/qemu/-/commit/60c7dd22e1383754d5f150bc9f7c2785c662a7b6
-
-From 60c7dd22e1383754d5f150bc9f7c2785c662a7b6 Mon Sep 17 00:00:00 2001
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Tue, 31 Jan 2023 09:48:03 +0100
-Subject: [PATCH] target/i386: fix ADOX followed by ADCX
-
-When ADCX is followed by ADOX or vice versa, the second instruction's
-carry comes from EFLAGS and the condition codes use the CC_OP_ADCOX
-operation. Retrieving the carry from EFLAGS is handled by this bit
-of gen_ADCOX:
-
- tcg_gen_extract_tl(carry_in, cpu_cc_src,
- ctz32(cc_op == CC_OP_ADCX ? CC_C : CC_O), 1);
-
-Unfortunately, in this case cc_op has been overwritten by the previous
-"if" statement to CC_OP_ADCOX. This works by chance when the first
-instruction is ADCX; however, if the first instruction is ADOX,
-ADCX will incorrectly take its carry from OF instead of CF.
-
-Fix by moving the computation of the new cc_op at the end of the function.
-The included exhaustive test case fails without this patch and passes
-afterwards.
-
-Because ADCX/ADOX need not be invoked through the VEX prefix, this
-regression bisects to commit 16fc5726a6e2 ("target/i386: reimplement
-0x0f 0x38, add AVX", 2022-10-18). However, the mistake happened a
-little earlier, when BMI instructions were rewritten using the new
-decoder framework.
-
-Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1471
-Reported-by: Paul Jolly <https://gitlab.com/myitcv>
-Fixes: 1d0b926150e5 ("target/i386: move scalar 0F 38 and 0F 3A instruction to new decoder", 2022-10-18)
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---- a/target/i386/tcg/emit.c.inc
-+++ b/target/i386/tcg/emit.c.inc
-@@ -1015,6 +1015,7 @@ VSIB_AVX(VPGATHERQ, vpgatherq)
-
- static void gen_ADCOX(DisasContext *s, CPUX86State *env, MemOp ot, int cc_op)
- {
-+ int opposite_cc_op;
- TCGv carry_in = NULL;
- TCGv carry_out = (cc_op == CC_OP_ADCX ? cpu_cc_dst : cpu_cc_src2);
- TCGv zero;
-@@ -1022,14 +1023,8 @@ static void gen_ADCOX(DisasContext *s, CPUX86State *env, MemOp ot, int cc_op)
- if (cc_op == s->cc_op || s->cc_op == CC_OP_ADCOX) {
- /* Re-use the carry-out from a previous round. */
- carry_in = carry_out;
-- cc_op = s->cc_op;
-- } else if (s->cc_op == CC_OP_ADCX || s->cc_op == CC_OP_ADOX) {
-- /* Merge with the carry-out from the opposite instruction. */
-- cc_op = CC_OP_ADCOX;
-- }
--
-- /* If we don't have a carry-in, get it out of EFLAGS. */
-- if (!carry_in) {
-+ } else {
-+ /* We don't have a carry-in, get it out of EFLAGS. */
- if (s->cc_op != CC_OP_ADCX && s->cc_op != CC_OP_ADOX) {
- gen_compute_eflags(s);
- }
-@@ -1053,7 +1048,14 @@ static void gen_ADCOX(DisasContext *s, CPUX86State *env, MemOp ot, int cc_op)
- tcg_gen_add2_tl(s->T0, carry_out, s->T0, carry_out, s->T1, zero);
- break;
- }
-- set_cc_op(s, cc_op);
-+
-+ opposite_cc_op = cc_op == CC_OP_ADCX ? CC_OP_ADOX : CC_OP_ADCX;
-+ if (s->cc_op == CC_OP_ADCOX || s->cc_op == opposite_cc_op) {
-+ /* Merge with the carry-out from the opposite instruction. */
-+ set_cc_op(s, CC_OP_ADCOX);
-+ } else {
-+ set_cc_op(s, cc_op);
-+ }
- }
-
- static void gen_ADCX(DisasContext *s, CPUX86State *env, X86DecodedInsn *decode)
---- a/tests/tcg/i386/Makefile.target
-+++ b/tests/tcg/i386/Makefile.target
-@@ -14,7 +14,7 @@ config-cc.mak: Makefile
- I386_SRCS=$(notdir $(wildcard $(I386_SRC)/*.c))
- ALL_X86_TESTS=$(I386_SRCS:.c=)
- SKIP_I386_TESTS=test-i386-ssse3 test-avx test-3dnow test-mmx
--X86_64_TESTS:=$(filter test-i386-bmi2 $(SKIP_I386_TESTS), $(ALL_X86_TESTS))
-+X86_64_TESTS:=$(filter test-i386-adcox test-i386-bmi2 $(SKIP_I386_TESTS), $(ALL_X86_TESTS))
-
- test-i386-sse-exceptions: CFLAGS += -msse4.1 -mfpmath=sse
- run-test-i386-sse-exceptions: QEMU_OPTS += -cpu max
-@@ -28,6 +28,10 @@ test-i386-bmi2: CFLAGS=-O2
- run-test-i386-bmi2: QEMU_OPTS += -cpu max
- run-plugin-test-i386-bmi2-%: QEMU_OPTS += -cpu max
-
-+test-i386-adcox: CFLAGS=-O2
-+run-test-i386-adcox: QEMU_OPTS += -cpu max
-+run-plugin-test-i386-adcox-%: QEMU_OPTS += -cpu max
-+
- #
- # hello-i386 is a barebones app
- #
---- /dev/null
-+++ b/tests/tcg/i386/test-i386-adcox.c
-@@ -0,0 +1,75 @@
-+/* See if various BMI2 instructions give expected results */
-+#include <assert.h>
-+#include <stdint.h>
-+#include <stdio.h>
-+
-+#define CC_C 1
-+#define CC_O (1 << 11)
-+
-+#ifdef __x86_64__
-+#define REG uint64_t
-+#else
-+#define REG uint32_t
-+#endif
-+
-+void test_adox_adcx(uint32_t in_c, uint32_t in_o, REG adcx_operand, REG adox_operand)
-+{
-+ REG flags;
-+ REG out_adcx, out_adox;
-+
-+ asm("pushf; pop %0" : "=r"(flags));
-+ flags &= ~(CC_C | CC_O);
-+ flags |= (in_c ? CC_C : 0);
-+ flags |= (in_o ? CC_O : 0);
-+
-+ out_adcx = adcx_operand;
-+ out_adox = adox_operand;
-+ asm("push %0; popf;"
-+ "adox %3, %2;"
-+ "adcx %3, %1;"
-+ "pushf; pop %0"
-+ : "+r" (flags), "+r" (out_adcx), "+r" (out_adox)
-+ : "r" ((REG)-1), "0" (flags), "1" (out_adcx), "2" (out_adox));
-+
-+ assert(out_adcx == in_c + adcx_operand - 1);
-+ assert(out_adox == in_o + adox_operand - 1);
-+ assert(!!(flags & CC_C) == (in_c || adcx_operand));
-+ assert(!!(flags & CC_O) == (in_o || adox_operand));
-+}
-+
-+void test_adcx_adox(uint32_t in_c, uint32_t in_o, REG adcx_operand, REG adox_operand)
-+{
-+ REG flags;
-+ REG out_adcx, out_adox;
-+
-+ asm("pushf; pop %0" : "=r"(flags));
-+ flags &= ~(CC_C | CC_O);
-+ flags |= (in_c ? CC_C : 0);
-+ flags |= (in_o ? CC_O : 0);
-+
-+ out_adcx = adcx_operand;
-+ out_adox = adox_operand;
-+ asm("push %0; popf;"
-+ "adcx %3, %1;"
-+ "adox %3, %2;"
-+ "pushf; pop %0"
-+ : "+r" (flags), "+r" (out_adcx), "+r" (out_adox)
-+ : "r" ((REG)-1), "0" (flags), "1" (out_adcx), "2" (out_adox));
-+
-+ assert(out_adcx == in_c + adcx_operand - 1);
-+ assert(out_adox == in_o + adox_operand - 1);
-+ assert(!!(flags & CC_C) == (in_c || adcx_operand));
-+ assert(!!(flags & CC_O) == (in_o || adox_operand));
-+}
-+
-+int main(int argc, char *argv[]) {
-+ /* try all combinations of input CF, input OF, CF from op1+op2, OF from op2+op1 */
-+ int i;
-+ for (i = 0; i <= 15; i++) {
-+ printf("%d\n", i);
-+ test_adcx_adox(!!(i & 1), !!(i & 2), !!(i & 4), !!(i & 8));
-+ test_adox_adcx(!!(i & 1), !!(i & 2), !!(i & 4), !!(i & 8));
-+ }
-+ return 0;
-+}
-+
---
-GitLab
^ permalink raw reply related [flat|nested] 21+ messages in thread* [gentoo-commits] repo/gentoo:master commit in: app-emulation/qemu/files/
@ 2023-10-22 16:33 Joonas Niilola
0 siblings, 0 replies; 21+ messages in thread
From: Joonas Niilola @ 2023-10-22 16:33 UTC (permalink / raw
To: gentoo-commits
commit: 196685c68adecedeb3c335e551924cab4aee55ea
Author: Michael Mair-Keimberger <mmk <AT> levelnine <DOT> at>
AuthorDate: Sun Oct 22 08:35:37 2023 +0000
Commit: Joonas Niilola <juippis <AT> gentoo <DOT> org>
CommitDate: Sun Oct 22 16:32:11 2023 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=196685c6
app-emulation/qemu: remove unused patches
Signed-off-by: Michael Mair-Keimberger <mmk <AT> levelnine.at>
Closes: https://github.com/gentoo/gentoo/pull/33451
Signed-off-by: Joonas Niilola <juippis <AT> gentoo.org>
.../qemu/files/qemu-7.2.3-CVE-2023-2861.patch | 162 --------------------
.../qemu/files/qemu-8.0.2-CVE-2023-2861.patch | 167 ---------------------
2 files changed, 329 deletions(-)
diff --git a/app-emulation/qemu/files/qemu-7.2.3-CVE-2023-2861.patch b/app-emulation/qemu/files/qemu-7.2.3-CVE-2023-2861.patch
deleted file mode 100644
index 9a9c11a41d66..000000000000
--- a/app-emulation/qemu/files/qemu-7.2.3-CVE-2023-2861.patch
+++ /dev/null
@@ -1,162 +0,0 @@
-https://bugs.gentoo.org/909542
-https://gitlab.com/qemu-project/qemu/-/commit/10fad73a2bf1c76c8aa9d6322755e5f877d83ce5
-
-From 10fad73a2bf1c76c8aa9d6322755e5f877d83ce5 Mon Sep 17 00:00:00 2001
-From: Christian Schoenebeck <qemu_oss@crudebyte.com>
-Date: Wed, 7 Jun 2023 18:29:33 +0200
-Subject: [PATCH] 9pfs: prevent opening special files (CVE-2023-2861)
-
-The 9p protocol does not specifically define how server shall behave when
-client tries to open a special file, however from security POV it does
-make sense for 9p server to prohibit opening any special file on host side
-in general. A sane Linux 9p client for instance would never attempt to
-open a special file on host side, it would always handle those exclusively
-on its guest side. A malicious client however could potentially escape
-from the exported 9p tree by creating and opening a device file on host
-side.
-
-With QEMU this could only be exploited in the following unsafe setups:
-
- - Running QEMU binary as root AND 9p 'local' fs driver AND 'passthrough'
- security model.
-
-or
-
- - Using 9p 'proxy' fs driver (which is running its helper daemon as
- root).
-
-These setups were already discouraged for safety reasons before,
-however for obvious reasons we are now tightening behaviour on this.
-
-Fixes: CVE-2023-2861
-Reported-by: Yanwu Shen <ywsPlz@gmail.com>
-Reported-by: Jietao Xiao <shawtao1125@gmail.com>
-Reported-by: Jinku Li <jkli@xidian.edu.cn>
-Reported-by: Wenbo Shen <shenwenbo@zju.edu.cn>
-Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
-Reviewed-by: Greg Kurz <groug@kaod.org>
-Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
-Message-Id: <E1q6w7r-0000Q0-NM@lizzy.crudebyte.com>
-(cherry picked from commit f6b0de53fb87ddefed348a39284c8e2f28dc4eda)
-Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
-(Mjt: drop adding qemu_fstat wrapper for 7.2 where wrappers aren't used)
---- a/fsdev/virtfs-proxy-helper.c
-+++ b/fsdev/virtfs-proxy-helper.c
-@@ -26,6 +26,7 @@
- #include "qemu/xattr.h"
- #include "9p-iov-marshal.h"
- #include "hw/9pfs/9p-proxy.h"
-+#include "hw/9pfs/9p-util.h"
- #include "fsdev/9p-iov-marshal.h"
-
- #define PROGNAME "virtfs-proxy-helper"
-@@ -338,6 +339,28 @@ static void resetugid(int suid, int sgid)
- }
- }
-
-+/*
-+ * Open regular file or directory. Attempts to open any special file are
-+ * rejected.
-+ *
-+ * returns file descriptor or -1 on error
-+ */
-+static int open_regular(const char *pathname, int flags, mode_t mode)
-+{
-+ int fd;
-+
-+ fd = open(pathname, flags, mode);
-+ if (fd < 0) {
-+ return fd;
-+ }
-+
-+ if (close_if_special_file(fd) < 0) {
-+ return -1;
-+ }
-+
-+ return fd;
-+}
-+
- /*
- * send response in two parts
- * 1) ProxyHeader
-@@ -682,7 +705,7 @@ static int do_create(struct iovec *iovec)
- if (ret < 0) {
- goto unmarshal_err_out;
- }
-- ret = open(path.data, flags, mode);
-+ ret = open_regular(path.data, flags, mode);
- if (ret < 0) {
- ret = -errno;
- }
-@@ -707,7 +730,7 @@ static int do_open(struct iovec *iovec)
- if (ret < 0) {
- goto err_out;
- }
-- ret = open(path.data, flags);
-+ ret = open_regular(path.data, flags, 0);
- if (ret < 0) {
- ret = -errno;
- }
---- a/hw/9pfs/9p-util.h
-+++ b/hw/9pfs/9p-util.h
-@@ -13,6 +13,8 @@
- #ifndef QEMU_9P_UTIL_H
- #define QEMU_9P_UTIL_H
-
-+#include "qemu/error-report.h"
-+
- #ifdef O_PATH
- #define O_PATH_9P_UTIL O_PATH
- #else
-@@ -112,6 +114,38 @@ static inline void close_preserve_errno(int fd)
- errno = serrno;
- }
-
-+/**
-+ * close_if_special_file() - Close @fd if neither regular file nor directory.
-+ *
-+ * @fd: file descriptor of open file
-+ * Return: 0 on regular file or directory, -1 otherwise
-+ *
-+ * CVE-2023-2861: Prohibit opening any special file directly on host
-+ * (especially device files), as a compromised client could potentially gain
-+ * access outside exported tree under certain, unsafe setups. We expect
-+ * client to handle I/O on special files exclusively on guest side.
-+ */
-+static inline int close_if_special_file(int fd)
-+{
-+ struct stat stbuf;
-+
-+ if (fstat(fd, &stbuf) < 0) {
-+ close_preserve_errno(fd);
-+ return -1;
-+ }
-+ if (!S_ISREG(stbuf.st_mode) && !S_ISDIR(stbuf.st_mode)) {
-+ error_report_once(
-+ "9p: broken or compromised client detected; attempt to open "
-+ "special file (i.e. neither regular file, nor directory)"
-+ );
-+ close(fd);
-+ errno = ENXIO;
-+ return -1;
-+ }
-+
-+ return 0;
-+}
-+
- static inline int openat_dir(int dirfd, const char *name)
- {
- return openat(dirfd, name,
-@@ -146,6 +180,10 @@ again:
- return -1;
- }
-
-+ if (close_if_special_file(fd) < 0) {
-+ return -1;
-+ }
-+
- serrno = errno;
- /* O_NONBLOCK was only needed to open the file. Let's drop it. We don't
- * do that with O_PATH since fcntl(F_SETFL) isn't supported, and openat()
---
-GitLab
diff --git a/app-emulation/qemu/files/qemu-8.0.2-CVE-2023-2861.patch b/app-emulation/qemu/files/qemu-8.0.2-CVE-2023-2861.patch
deleted file mode 100644
index 75fa534b4f1c..000000000000
--- a/app-emulation/qemu/files/qemu-8.0.2-CVE-2023-2861.patch
+++ /dev/null
@@ -1,167 +0,0 @@
-https://bugs.gentoo.org/909542
-https://gitlab.com/qemu-project/qemu/-/commit/b9d2887be4e616cdaeedd0b7456bfaa71ee798af
-
-From b9d2887be4e616cdaeedd0b7456bfaa71ee798af Mon Sep 17 00:00:00 2001
-From: Christian Schoenebeck <qemu_oss@crudebyte.com>
-Date: Wed, 7 Jun 2023 18:29:33 +0200
-Subject: [PATCH] 9pfs: prevent opening special files (CVE-2023-2861)
-
-The 9p protocol does not specifically define how server shall behave when
-client tries to open a special file, however from security POV it does
-make sense for 9p server to prohibit opening any special file on host side
-in general. A sane Linux 9p client for instance would never attempt to
-open a special file on host side, it would always handle those exclusively
-on its guest side. A malicious client however could potentially escape
-from the exported 9p tree by creating and opening a device file on host
-side.
-
-With QEMU this could only be exploited in the following unsafe setups:
-
- - Running QEMU binary as root AND 9p 'local' fs driver AND 'passthrough'
- security model.
-
-or
-
- - Using 9p 'proxy' fs driver (which is running its helper daemon as
- root).
-
-These setups were already discouraged for safety reasons before,
-however for obvious reasons we are now tightening behaviour on this.
-
-Fixes: CVE-2023-2861
-Reported-by: Yanwu Shen <ywsPlz@gmail.com>
-Reported-by: Jietao Xiao <shawtao1125@gmail.com>
-Reported-by: Jinku Li <jkli@xidian.edu.cn>
-Reported-by: Wenbo Shen <shenwenbo@zju.edu.cn>
-Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
-Reviewed-by: Greg Kurz <groug@kaod.org>
-Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
-Message-Id: <E1q6w7r-0000Q0-NM@lizzy.crudebyte.com>
-(cherry picked from commit f6b0de53fb87ddefed348a39284c8e2f28dc4eda)
-Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
---- a/fsdev/virtfs-proxy-helper.c
-+++ b/fsdev/virtfs-proxy-helper.c
-@@ -26,6 +26,7 @@
- #include "qemu/xattr.h"
- #include "9p-iov-marshal.h"
- #include "hw/9pfs/9p-proxy.h"
-+#include "hw/9pfs/9p-util.h"
- #include "fsdev/9p-iov-marshal.h"
-
- #define PROGNAME "virtfs-proxy-helper"
-@@ -338,6 +339,28 @@ static void resetugid(int suid, int sgid)
- }
- }
-
-+/*
-+ * Open regular file or directory. Attempts to open any special file are
-+ * rejected.
-+ *
-+ * returns file descriptor or -1 on error
-+ */
-+static int open_regular(const char *pathname, int flags, mode_t mode)
-+{
-+ int fd;
-+
-+ fd = open(pathname, flags, mode);
-+ if (fd < 0) {
-+ return fd;
-+ }
-+
-+ if (close_if_special_file(fd) < 0) {
-+ return -1;
-+ }
-+
-+ return fd;
-+}
-+
- /*
- * send response in two parts
- * 1) ProxyHeader
-@@ -682,7 +705,7 @@ static int do_create(struct iovec *iovec)
- if (ret < 0) {
- goto unmarshal_err_out;
- }
-- ret = open(path.data, flags, mode);
-+ ret = open_regular(path.data, flags, mode);
- if (ret < 0) {
- ret = -errno;
- }
-@@ -707,7 +730,7 @@ static int do_open(struct iovec *iovec)
- if (ret < 0) {
- goto err_out;
- }
-- ret = open(path.data, flags);
-+ ret = open_regular(path.data, flags, 0);
- if (ret < 0) {
- ret = -errno;
- }
---- a/hw/9pfs/9p-util.h
-+++ b/hw/9pfs/9p-util.h
-@@ -13,6 +13,8 @@
- #ifndef QEMU_9P_UTIL_H
- #define QEMU_9P_UTIL_H
-
-+#include "qemu/error-report.h"
-+
- #ifdef O_PATH
- #define O_PATH_9P_UTIL O_PATH
- #else
-@@ -95,6 +97,7 @@ static inline int errno_to_dotl(int err) {
- #endif
-
- #define qemu_openat openat
-+#define qemu_fstat fstat
- #define qemu_fstatat fstatat
- #define qemu_mkdirat mkdirat
- #define qemu_renameat renameat
-@@ -108,6 +111,38 @@ static inline void close_preserve_errno(int fd)
- errno = serrno;
- }
-
-+/**
-+ * close_if_special_file() - Close @fd if neither regular file nor directory.
-+ *
-+ * @fd: file descriptor of open file
-+ * Return: 0 on regular file or directory, -1 otherwise
-+ *
-+ * CVE-2023-2861: Prohibit opening any special file directly on host
-+ * (especially device files), as a compromised client could potentially gain
-+ * access outside exported tree under certain, unsafe setups. We expect
-+ * client to handle I/O on special files exclusively on guest side.
-+ */
-+static inline int close_if_special_file(int fd)
-+{
-+ struct stat stbuf;
-+
-+ if (qemu_fstat(fd, &stbuf) < 0) {
-+ close_preserve_errno(fd);
-+ return -1;
-+ }
-+ if (!S_ISREG(stbuf.st_mode) && !S_ISDIR(stbuf.st_mode)) {
-+ error_report_once(
-+ "9p: broken or compromised client detected; attempt to open "
-+ "special file (i.e. neither regular file, nor directory)"
-+ );
-+ close(fd);
-+ errno = ENXIO;
-+ return -1;
-+ }
-+
-+ return 0;
-+}
-+
- static inline int openat_dir(int dirfd, const char *name)
- {
- return qemu_openat(dirfd, name,
-@@ -142,6 +177,10 @@ again:
- return -1;
- }
-
-+ if (close_if_special_file(fd) < 0) {
-+ return -1;
-+ }
-+
- serrno = errno;
- /* O_NONBLOCK was only needed to open the file. Let's drop it. We don't
- * do that with O_PATH since fcntl(F_SETFL) isn't supported, and openat()
^ permalink raw reply related [flat|nested] 21+ messages in thread* [gentoo-commits] repo/gentoo:master commit in: app-emulation/qemu/files/
@ 2023-02-22 11:32 Sam James
0 siblings, 0 replies; 21+ messages in thread
From: Sam James @ 2023-02-22 11:32 UTC (permalink / raw
To: gentoo-commits
commit: 5b8aab265a7189016df100a2551f9c72055e8cd7
Author: Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Wed Feb 22 11:28:44 2023 +0000
Commit: Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Wed Feb 22 11:32:27 2023 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5b8aab26
app-emulation/qemu: add additional glibc-2.36/linux-headers-6.2 patch
Closes: https://bugs.gentoo.org/895662
Closes: https://bugs.gentoo.org/895746
Signed-off-by: Sam James <sam <AT> gentoo.org>
| 71 ++++++++++++++++++++++
1 file changed, 71 insertions(+)
--git a/app-emulation/qemu/files/qemu-7.2.0-linux-headers-6.2-glibc-2.36.patch b/app-emulation/qemu/files/qemu-7.2.0-linux-headers-6.2-glibc-2.36.patch
index 856997886cc9..2a58ca1ad735 100644
--- a/app-emulation/qemu/files/qemu-7.2.0-linux-headers-6.2-glibc-2.36.patch
+++ b/app-emulation/qemu/files/qemu-7.2.0-linux-headers-6.2-glibc-2.36.patch
@@ -1,5 +1,6 @@
https://bugs.gentoo.org/895662
https://gitlab.com/qemu-project/qemu/-/commit/9f0246539ae84a5e21efd1cc4516fc343f08115a
+https://gitlab.com/qemu-project/qemu/-/commit/6003159ce18faad4e1bc7bf9c85669019cd4950e
From 9f0246539ae84a5e21efd1cc4516fc343f08115a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
@@ -64,3 +65,73 @@ Signed-off-by: Laurent Vivier <laurent@vivier.eu>
#endif
--
GitLab
+
+From 6003159ce18faad4e1bc7bf9c85669019cd4950e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Tue, 10 Jan 2023 12:49:01 -0500
+Subject: [PATCH] Revert "linux-user: fix compat with glibc >= 2.36
+ sys/mount.h"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This reverts commit 3cd3df2a9584e6f753bb62a0028bd67124ab5532.
+
+glibc has fixed (in 2.36.9000-40-g774058d729) the problem
+that caused a clash when both sys/mount.h annd linux/mount.h
+are included, and backported this to the 2.36 stable release
+too:
+
+ https://sourceware.org/glibc/wiki/Release/2.36#Usage_of_.3Clinux.2Fmount.h.3E_and_.3Csys.2Fmount.h.3E
+
+It is saner for QEMU to remove the workaround it applied for
+glibc 2.36 and expect distros to ship the 2.36 maint release
+with the fix. This avoids needing to add a further workaround
+to QEMU to deal with the fact that linux/brtfs.h now also pulls
+in linux/mount.h via linux/fs.h since Linux 6.1
+
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20230110174901.2580297-3-berrange@redhat.com>
+Signed-off-by: Laurent Vivier <laurent@vivier.eu>
+--- a/linux-user/syscall.c
++++ b/linux-user/syscall.c
+@@ -95,25 +95,7 @@
+ #include <linux/soundcard.h>
+ #include <linux/kd.h>
+ #include <linux/mtio.h>
+-
+-#ifdef HAVE_SYS_MOUNT_FSCONFIG
+-/*
+- * glibc >= 2.36 linux/mount.h conflicts with sys/mount.h,
+- * which in turn prevents use of linux/fs.h. So we have to
+- * define the constants ourselves for now.
+- */
+-#define FS_IOC_GETFLAGS _IOR('f', 1, long)
+-#define FS_IOC_SETFLAGS _IOW('f', 2, long)
+-#define FS_IOC_GETVERSION _IOR('v', 1, long)
+-#define FS_IOC_SETVERSION _IOW('v', 2, long)
+-#define FS_IOC_FIEMAP _IOWR('f', 11, struct fiemap)
+-#define FS_IOC32_GETFLAGS _IOR('f', 1, int)
+-#define FS_IOC32_SETFLAGS _IOW('f', 2, int)
+-#define FS_IOC32_GETVERSION _IOR('v', 1, int)
+-#define FS_IOC32_SETVERSION _IOW('v', 2, int)
+-#else
+ #include <linux/fs.h>
+-#endif
+ #include <linux/fd.h>
+ #if defined(CONFIG_FIEMAP)
+ #include <linux/fiemap.h>
+--- a/meson.build
++++ b/meson.build
+@@ -2046,8 +2046,6 @@ config_host_data.set('HAVE_OPTRESET',
+ cc.has_header_symbol('getopt.h', 'optreset'))
+ config_host_data.set('HAVE_IPPROTO_MPTCP',
+ cc.has_header_symbol('netinet/in.h', 'IPPROTO_MPTCP'))
+-config_host_data.set('HAVE_SYS_MOUNT_FSCONFIG',
+- cc.has_header_symbol('sys/mount.h', 'FSCONFIG_SET_FLAG'))
+
+ # has_member
+ config_host_data.set('HAVE_SIGEV_NOTIFY_THREAD_ID',
+--
+GitLab
^ permalink raw reply related [flat|nested] 21+ messages in thread* [gentoo-commits] repo/gentoo:master commit in: app-emulation/qemu/files/
@ 2022-01-12 8:38 Matthias Maier
0 siblings, 0 replies; 21+ messages in thread
From: Matthias Maier @ 2022-01-12 8:38 UTC (permalink / raw
To: gentoo-commits
commit: ff74b177a7355f83d0356c8853703959d8a9d470
Author: Matthias Maier <tamiko <AT> gentoo <DOT> org>
AuthorDate: Wed Jan 12 08:31:54 2022 +0000
Commit: Matthias Maier <tamiko <AT> gentoo <DOT> org>
CommitDate: Wed Jan 12 08:38:48 2022 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ff74b177
app-emulation/qemu: fix build for USE=-caps
Package-Manager: Portage-3.0.30, Repoman-3.0.3
Signed-off-by: Matthias Maier <tamiko <AT> gentoo.org>
.../qemu/files/qemu-6.2.0-also-build-virtfs-proxy-helper.patch | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/app-emulation/qemu/files/qemu-6.2.0-also-build-virtfs-proxy-helper.patch b/app-emulation/qemu/files/qemu-6.2.0-also-build-virtfs-proxy-helper.patch
index b6af46552fe5..af220802069c 100644
--- a/app-emulation/qemu/files/qemu-6.2.0-also-build-virtfs-proxy-helper.patch
+++ b/app-emulation/qemu/files/qemu-6.2.0-also-build-virtfs-proxy-helper.patch
@@ -23,7 +23,9 @@ index fbe856700..d6918b04c 100644
libcap_ng.found())
-have_virtfs_proxy_helper = have_virtfs and have_tools
-+have_virtfs_proxy_helper = have_tools
++have_virtfs_proxy_helper = have_tools and libcap_ng.found()
+
+
if get_option('virtfs').enabled()
if not have_virtfs
^ permalink raw reply related [flat|nested] 21+ messages in thread* [gentoo-commits] repo/gentoo:master commit in: app-emulation/qemu/files/
@ 2022-01-10 21:02 John Helmert III
0 siblings, 0 replies; 21+ messages in thread
From: John Helmert III @ 2022-01-10 21:02 UTC (permalink / raw
To: gentoo-commits
commit: 52a126660cdd959d861b7be8336a5b28acb5b1d2
Author: Michael Mair-Keimberger <mmk <AT> levelnine <DOT> at>
AuthorDate: Mon Jan 10 16:57:21 2022 +0000
Commit: John Helmert III <ajak <AT> gentoo <DOT> org>
CommitDate: Mon Jan 10 21:02:25 2022 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=52a12666
app-emulation/qemu: remove unused patches
Package-Manager: Portage-3.0.30, Repoman-3.0.3
Signed-off-by: Michael Mair-Keimberger <mmk <AT> levelnine.at>
Closes: https://github.com/gentoo/gentoo/pull/23727
Signed-off-by: John Helmert III <ajak <AT> gentoo.org>
.../qemu/files/qemu-6.1.0-automagic-libbpf.patch | 21 ----
.../qemu/files/qemu-6.1.0-data-corruption.patch | 114 ---------------------
.../files/qemu-6.1.0-fix-unix-socket-copy.patch | 76 --------------
3 files changed, 211 deletions(-)
diff --git a/app-emulation/qemu/files/qemu-6.1.0-automagic-libbpf.patch b/app-emulation/qemu/files/qemu-6.1.0-automagic-libbpf.patch
deleted file mode 100644
index d067650dc8fa..000000000000
--- a/app-emulation/qemu/files/qemu-6.1.0-automagic-libbpf.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-commit 080832e4f4801a28bd1170c49e61f6a0f5f05d03
-Author: Paolo Bonzini <pbonzini@redhat.com>
-Date: Tue Sep 7 12:45:12 2021 +0200
-
- ebpf: only include in system emulators
-
- eBPF files are being included in user emulators, which is useless and
- also breaks compilation because ebpf/trace-events is only processed
- if a system emulator is included in the build.
-
- Resolves: https://gitlab.com/qemu-project/qemu/-/issues/566
- Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
- Signed-off-by: Jason Wang <jasowang@redhat.com>
-
-diff --git a/ebpf/meson.build b/ebpf/meson.build
-index 9cd0635370..2dd0fd8948 100644
---- a/ebpf/meson.build
-+++ b/ebpf/meson.build
-@@ -1 +1 @@
--common_ss.add(when: libbpf, if_true: files('ebpf_rss.c'), if_false: files('ebpf_rss-stub.c'))
-+softmmu_ss.add(when: libbpf, if_true: files('ebpf_rss.c'), if_false: files('ebpf_rss-stub.c'))
diff --git a/app-emulation/qemu/files/qemu-6.1.0-data-corruption.patch b/app-emulation/qemu/files/qemu-6.1.0-data-corruption.patch
deleted file mode 100644
index 25c788426a9c..000000000000
--- a/app-emulation/qemu/files/qemu-6.1.0-data-corruption.patch
+++ /dev/null
@@ -1,114 +0,0 @@
-commit cc071629539dc1f303175a7e2d4ab854c0a8b20f
-Author: Paolo Bonzini <pbonzini@redhat.com>
-Date: Thu Sep 23 09:04:36 2021 -0400
-
- block: introduce max_hw_iov for use in scsi-generic
-
- Linux limits the size of iovecs to 1024 (UIO_MAXIOV in the kernel
- sources, IOV_MAX in POSIX). Because of this, on some host adapters
- requests with many iovecs are rejected with -EINVAL by the
- io_submit() or readv()/writev() system calls.
-
- In fact, the same limit applies to SG_IO as well. To fix both the
- EINVAL and the possible performance issues from using fewer iovecs
- than allowed by Linux (some HBAs have max_segments as low as 128),
- introduce a separate entry in BlockLimits to hold the max_segments
- value from sysfs. This new limit is used only for SG_IO and clamped
- to bs->bl.max_iov anyway, just like max_hw_transfer is clamped to
- bs->bl.max_transfer.
-
- Reported-by: Halil Pasic <pasic@linux.ibm.com>
- Cc: Hanna Reitz <hreitz@redhat.com>
- Cc: Kevin Wolf <kwolf@redhat.com>
- Cc: qemu-block@nongnu.org
- Cc: qemu-stable@nongnu.org
- Fixes: 18473467d5 ("file-posix: try BLKSECTGET on block devices too, do not round to power of 2", 2021-06-25)
- Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
- Message-Id: <20210923130436.1187591-1-pbonzini@redhat.com>
- Signed-off-by: Kevin Wolf <kwolf@redhat.com>
-
-diff --git a/block/block-backend.c b/block/block-backend.c
-index 6140d133e2..ba2b5ebb10 100644
---- a/block/block-backend.c
-+++ b/block/block-backend.c
-@@ -1986,6 +1986,12 @@ uint32_t blk_get_max_transfer(BlockBackend *blk)
- return ROUND_DOWN(max, blk_get_request_alignment(blk));
- }
-
-+int blk_get_max_hw_iov(BlockBackend *blk)
-+{
-+ return MIN_NON_ZERO(blk->root->bs->bl.max_hw_iov,
-+ blk->root->bs->bl.max_iov);
-+}
-+
- int blk_get_max_iov(BlockBackend *blk)
- {
- return blk->root->bs->bl.max_iov;
-diff --git a/block/file-posix.c b/block/file-posix.c
-index c62e42743d..53be0bdc1b 100644
---- a/block/file-posix.c
-+++ b/block/file-posix.c
-@@ -1273,7 +1273,7 @@ static void raw_refresh_limits(BlockDriverState *bs, Error **errp)
-
- ret = hdev_get_max_segments(s->fd, &st);
- if (ret > 0) {
-- bs->bl.max_iov = ret;
-+ bs->bl.max_hw_iov = ret;
- }
- }
- }
-diff --git a/block/io.c b/block/io.c
-index 18d345a87a..bb0a254def 100644
---- a/block/io.c
-+++ b/block/io.c
-@@ -136,6 +136,7 @@ static void bdrv_merge_limits(BlockLimits *dst, const BlockLimits *src)
- dst->min_mem_alignment = MAX(dst->min_mem_alignment,
- src->min_mem_alignment);
- dst->max_iov = MIN_NON_ZERO(dst->max_iov, src->max_iov);
-+ dst->max_hw_iov = MIN_NON_ZERO(dst->max_hw_iov, src->max_hw_iov);
- }
-
- typedef struct BdrvRefreshLimitsState {
-diff --git a/hw/scsi/scsi-generic.c b/hw/scsi/scsi-generic.c
-index 665baf900e..0306ccc7b1 100644
---- a/hw/scsi/scsi-generic.c
-+++ b/hw/scsi/scsi-generic.c
-@@ -180,7 +180,7 @@ static int scsi_handle_inquiry_reply(SCSIGenericReq *r, SCSIDevice *s, int len)
- page = r->req.cmd.buf[2];
- if (page == 0xb0) {
- uint64_t max_transfer = blk_get_max_hw_transfer(s->conf.blk);
-- uint32_t max_iov = blk_get_max_iov(s->conf.blk);
-+ uint32_t max_iov = blk_get_max_hw_iov(s->conf.blk);
-
- assert(max_transfer);
- max_transfer = MIN_NON_ZERO(max_transfer, max_iov * qemu_real_host_page_size)
-diff --git a/include/block/block_int.h b/include/block/block_int.h
-index ffe86068d4..f4c75e8ba9 100644
---- a/include/block/block_int.h
-+++ b/include/block/block_int.h
-@@ -718,6 +718,13 @@ typedef struct BlockLimits {
- */
- uint64_t max_hw_transfer;
-
-+ /* Maximal number of scatter/gather elements allowed by the hardware.
-+ * Applies whenever transfers to the device bypass the kernel I/O
-+ * scheduler, for example with SG_IO. If larger than max_iov
-+ * or if zero, blk_get_max_hw_iov will fall back to max_iov.
-+ */
-+ int max_hw_iov;
-+
- /* memory alignment, in bytes so that no bounce buffer is needed */
- size_t min_mem_alignment;
-
-diff --git a/include/sysemu/block-backend.h b/include/sysemu/block-backend.h
-index 29d4fdbf63..82bae55161 100644
---- a/include/sysemu/block-backend.h
-+++ b/include/sysemu/block-backend.h
-@@ -211,6 +211,7 @@ uint32_t blk_get_request_alignment(BlockBackend *blk);
- uint32_t blk_get_max_transfer(BlockBackend *blk);
- uint64_t blk_get_max_hw_transfer(BlockBackend *blk);
- int blk_get_max_iov(BlockBackend *blk);
-+int blk_get_max_hw_iov(BlockBackend *blk);
- void blk_set_guest_block_size(BlockBackend *blk, int align);
- void *blk_try_blockalign(BlockBackend *blk, size_t size);
- void *blk_blockalign(BlockBackend *blk, size_t size);
diff --git a/app-emulation/qemu/files/qemu-6.1.0-fix-unix-socket-copy.patch b/app-emulation/qemu/files/qemu-6.1.0-fix-unix-socket-copy.patch
deleted file mode 100644
index 7701b26b4f9a..000000000000
--- a/app-emulation/qemu/files/qemu-6.1.0-fix-unix-socket-copy.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-commit 118d527f2e4baec5fe8060b22a6212468b8e4d3f
-Author: Michael Tokarev <mjt@tls.msk.ru>
-Date: Wed Sep 1 16:16:24 2021 +0300
-
- qemu-sockets: fix unix socket path copy (again)
-
- Commit 4cfd970ec188558daa6214f26203fe553fb1e01f added an
- assert which ensures the path within an address of a unix
- socket returned from the kernel is at least one byte and
- does not exceed sun_path buffer. Both of this constraints
- are wrong:
-
- A unix socket can be unnamed, in this case the path is
- completely empty (not even \0)
-
- And some implementations (notable linux) can add extra
- trailing byte (\0) _after_ the sun_path buffer if we
- passed buffer larger than it (and we do).
-
- So remove the assertion (since it causes real-life breakage)
- but at the same time fix the usage of sun_path. Namely,
- we should not access sun_path[0] if kernel did not return
- it at all (this is the case for unnamed sockets),
- and use the returned salen when copyig actual path as an
- upper constraint for the amount of bytes to copy - this
- will ensure we wont exceed the information provided by
- the kernel, regardless whenever there is a trailing \0
- or not. This also helps with unnamed sockets.
-
- Note the case of abstract socket, the sun_path is actually
- a blob and can contain \0 characters, - it should not be
- passed to g_strndup and the like, it should be accessed by
- memcpy-like functions.
-
- Fixes: 4cfd970ec188558daa6214f26203fe553fb1e01f
- Fixes: http://bugs.debian.org/993145
- Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
- Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
- Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
- CC: qemu-stable@nongnu.org
-
-diff --git a/util/qemu-sockets.c b/util/qemu-sockets.c
-index f2f3676d1f..c5043999e9 100644
---- a/util/qemu-sockets.c
-+++ b/util/qemu-sockets.c
-@@ -1345,25 +1345,22 @@ socket_sockaddr_to_address_unix(struct sockaddr_storage *sa,
- SocketAddress *addr;
- struct sockaddr_un *su = (struct sockaddr_un *)sa;
-
-- assert(salen >= sizeof(su->sun_family) + 1 &&
-- salen <= sizeof(struct sockaddr_un));
--
- addr = g_new0(SocketAddress, 1);
- addr->type = SOCKET_ADDRESS_TYPE_UNIX;
-+ salen -= offsetof(struct sockaddr_un, sun_path);
- #ifdef CONFIG_LINUX
-- if (!su->sun_path[0]) {
-+ if (salen > 0 && !su->sun_path[0]) {
- /* Linux abstract socket */
-- addr->u.q_unix.path = g_strndup(su->sun_path + 1,
-- salen - sizeof(su->sun_family) - 1);
-+ addr->u.q_unix.path = g_strndup(su->sun_path + 1, salen - 1);
- addr->u.q_unix.has_abstract = true;
- addr->u.q_unix.abstract = true;
- addr->u.q_unix.has_tight = true;
-- addr->u.q_unix.tight = salen < sizeof(*su);
-+ addr->u.q_unix.tight = salen < sizeof(su->sun_path);
- return addr;
- }
- #endif
-
-- addr->u.q_unix.path = g_strndup(su->sun_path, sizeof(su->sun_path));
-+ addr->u.q_unix.path = g_strndup(su->sun_path, salen);
- return addr;
- }
- #endif /* WIN32 */
^ permalink raw reply related [flat|nested] 21+ messages in thread* [gentoo-commits] repo/gentoo:master commit in: app-emulation/qemu/files/
@ 2022-01-06 19:08 John Helmert III
0 siblings, 0 replies; 21+ messages in thread
From: John Helmert III @ 2022-01-06 19:08 UTC (permalink / raw
To: gentoo-commits
commit: b748f4135c3eb91e47f9cf914b9dc620d3aaa8d6
Author: John Helmert III <ajak <AT> gentoo <DOT> org>
AuthorDate: Thu Jan 6 19:03:29 2022 +0000
Commit: John Helmert III <ajak <AT> gentoo <DOT> org>
CommitDate: Thu Jan 6 19:07:30 2022 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b748f413
app-emulation/qemu: add links to patch sources, upstream issue, gentoo bug in SLIC patch
Signed-off-by: John Helmert III <ajak <AT> gentoo.org>
app-emulation/qemu/files/qemu-6.2.0-user-SLIC-crash.patch | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/app-emulation/qemu/files/qemu-6.2.0-user-SLIC-crash.patch b/app-emulation/qemu/files/qemu-6.2.0-user-SLIC-crash.patch
index 7d22feeade2a..76809782b5f7 100644
--- a/app-emulation/qemu/files/qemu-6.2.0-user-SLIC-crash.patch
+++ b/app-emulation/qemu/files/qemu-6.2.0-user-SLIC-crash.patch
@@ -1,3 +1,8 @@
+Gentoo bug: https://bugs.gentoo.org/830170
+Upstream bug: https://gitlab.com/qemu-project/qemu/-/issues/786
+Patches taken from
+https://lore.kernel.org/qemu-devel/20211227193120.1084176-1-imammedo@redhat.com/
+
commit dce6c86f54eab61028e110497c222e73381379df
Author: Igor Mammedov <imammedo@redhat.com>
Date: Mon Dec 27 14:31:17 2021 -0500
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: app-emulation/qemu/files/
@ 2021-06-16 20:59 Sergei Trofimovich
0 siblings, 0 replies; 21+ messages in thread
From: Sergei Trofimovich @ 2021-06-16 20:59 UTC (permalink / raw
To: gentoo-commits
commit: 78479bf6a6ccc2fac8954951cdc6e655a949d6d3
Author: Michael Mair-Keimberger <mmk <AT> levelnine <DOT> at>
AuthorDate: Wed Jun 16 18:14:21 2021 +0000
Commit: Sergei Trofimovich <slyfox <AT> gentoo <DOT> org>
CommitDate: Wed Jun 16 20:59:13 2021 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=78479bf6
app-emulation/qemu: remove unused patches
Package-Manager: Portage-3.0.19, Repoman-3.0.3
Signed-off-by: Michael Mair-Keimberger <mmk <AT> levelnine.at>
Closes: https://github.com/gentoo/gentoo/pull/21269
Signed-off-by: Sergei Trofimovich <slyfox <AT> gentoo.org>
app-emulation/qemu/files/65-kvm.rules-r1 | 2 -
.../qemu/files/qemu-5.2.0-fix-firmware-path.patch | 16 -----
.../qemu/files/qemu-5.2.0-no-pie-ld.patch | 73 ----------------------
3 files changed, 91 deletions(-)
diff --git a/app-emulation/qemu/files/65-kvm.rules-r1 b/app-emulation/qemu/files/65-kvm.rules-r1
deleted file mode 100644
index ab3776ac29e..00000000000
--- a/app-emulation/qemu/files/65-kvm.rules-r1
+++ /dev/null
@@ -1,2 +0,0 @@
-KERNEL=="kvm", GROUP="kvm", MODE="0660"
-KERNEL=="vhost-net", GROUP="kvm", MODE="0660", OPTIONS+="static_node=vhost-net"
diff --git a/app-emulation/qemu/files/qemu-5.2.0-fix-firmware-path.patch b/app-emulation/qemu/files/qemu-5.2.0-fix-firmware-path.patch
deleted file mode 100644
index 53969833795..00000000000
--- a/app-emulation/qemu/files/qemu-5.2.0-fix-firmware-path.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-Se absolute filename in files like
- /usr/share/qemu/firmware/50-edk2-x86_64-secure.json
-
-Bug: https://bugs.gentoo.org/766743
-Patch-by: Jannik Glückert
---- a/pc-bios/descriptors/meson.build
-+++ b/pc-bios/descriptors/meson.build
-@@ -8,7 +8,7 @@ foreach f: [
- ]
- configure_file(input: files(f),
- output: f,
-- configuration: {'DATADIR': qemu_datadir},
-+ configuration: {'DATADIR': get_option('prefix') / qemu_datadir},
- install: get_option('install_blobs'),
- install_dir: qemu_datadir / 'firmware')
- endforeach
diff --git a/app-emulation/qemu/files/qemu-5.2.0-no-pie-ld.patch b/app-emulation/qemu/files/qemu-5.2.0-no-pie-ld.patch
deleted file mode 100644
index f47a58790cc..00000000000
--- a/app-emulation/qemu/files/qemu-5.2.0-no-pie-ld.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From bbd2d5a8120771ec59b86a80a1f51884e0a26e53 Mon Sep 17 00:00:00 2001
-From: Christian Ehrhardt <christian.ehrhardt@canonical.com>
-Date: Mon, 14 Dec 2020 16:09:38 +0100
-Subject: [PATCH] build: -no-pie is no functional linker flag
-
-Recent binutils changes dropping unsupported options [1] caused a build
-issue in regard to the optionroms.
-
- ld -m elf_i386 -T /<<PKGBUILDDIR>>/pc-bios/optionrom//flat.lds -no-pie \
- -s -o multiboot.img multiboot.o
- ld.bfd: Error: unable to disambiguate: -no-pie (did you mean --no-pie ?)
-
-This isn't really a regression in ld.bfd, filing the bug upstream
-revealed that this never worked as a ld flag [2] - in fact it seems we
-were by accident setting --nmagic).
-
-Since it never had the wanted effect this usage of LDFLAGS_NOPIE, should be
-droppable without any effect. This also is the only use-case of LDFLAGS_NOPIE
-in .mak, therefore we can also remove it from being added there.
-
-[1]: https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=983d925d
-[2]: https://sourceware.org/bugzilla/show_bug.cgi?id=27050#c5
-
-Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
-Message-Id: <20201214150938.1297512-1-christian.ehrhardt@canonical.com>
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
----
- configure | 3 ---
- pc-bios/optionrom/Makefile | 1 -
- 2 files changed, 4 deletions(-)
-
---- a/configure
-+++ b/configure
-@@ -2137,7 +2137,6 @@ EOF
- # Check we support --no-pie first; we will need this for building ROMs.
- if compile_prog "-Werror -fno-pie" "-no-pie"; then
- CFLAGS_NOPIE="-fno-pie"
-- LDFLAGS_NOPIE="-no-pie"
- fi
-
- if test "$static" = "yes"; then
-@@ -2153,7 +2152,6 @@ if test "$static" = "yes"; then
- fi
- elif test "$pie" = "no"; then
- CONFIGURE_CFLAGS="$CFLAGS_NOPIE $CONFIGURE_CFLAGS"
-- CONFIGURE_LDFLAGS="$LDFLAGS_NOPIE $CONFIGURE_LDFLAGS"
- elif compile_prog "-Werror -fPIE -DPIE" "-pie"; then
- CONFIGURE_CFLAGS="-fPIE -DPIE $CONFIGURE_CFLAGS"
- CONFIGURE_LDFLAGS="-pie $CONFIGURE_LDFLAGS"
-@@ -6714,7 +6712,6 @@ echo "QEMU_CXXFLAGS=$QEMU_CXXFLAGS" >> $config_host_mak
- echo "GLIB_CFLAGS=$glib_cflags" >> $config_host_mak
- echo "GLIB_LIBS=$glib_libs" >> $config_host_mak
- echo "QEMU_LDFLAGS=$QEMU_LDFLAGS" >> $config_host_mak
--echo "LDFLAGS_NOPIE=$LDFLAGS_NOPIE" >> $config_host_mak
- echo "LD_I386_EMULATION=$ld_i386_emulation" >> $config_host_mak
- echo "EXESUF=$EXESUF" >> $config_host_mak
- echo "HOST_DSOSUF=$HOST_DSOSUF" >> $config_host_mak
-diff --git a/pc-bios/optionrom/Makefile b/pc-bios/optionrom/Makefile
-index 084fc10f05..30771f8d17 100644
---- a/pc-bios/optionrom/Makefile
-+++ b/pc-bios/optionrom/Makefile
-@@ -41,7 +41,6 @@ override CFLAGS += $(call cc-option, $(Wa)-32)
-
- LD_I386_EMULATION ?= elf_i386
- override LDFLAGS = -m $(LD_I386_EMULATION) -T $(SRC_DIR)/flat.lds
--override LDFLAGS += $(LDFLAGS_NOPIE)
-
- all: multiboot.bin linuxboot.bin linuxboot_dma.bin kvmvapic.bin pvh.bin
-
---
-2.30.0
-
^ permalink raw reply related [flat|nested] 21+ messages in thread* [gentoo-commits] repo/gentoo:master commit in: app-emulation/qemu/files/
@ 2021-03-14 18:53 Conrad Kostecki
0 siblings, 0 replies; 21+ messages in thread
From: Conrad Kostecki @ 2021-03-14 18:53 UTC (permalink / raw
To: gentoo-commits
commit: f309e47704c04a153a328c9ad7c07547db51b5a6
Author: Michael Mair-Keimberger <mmk <AT> levelnine <DOT> at>
AuthorDate: Sun Mar 14 16:45:36 2021 +0000
Commit: Conrad Kostecki <conikost <AT> gentoo <DOT> org>
CommitDate: Sun Mar 14 18:51:54 2021 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f309e477
app-emulation/qemu: remove unused patches
Closes: https://github.com/gentoo/gentoo/pull/19927
Package-Manager: Portage-3.0.17, Repoman-3.0.2
Signed-off-by: Michael Mair-Keimberger <mmk <AT> levelnine.at>
Signed-off-by: Conrad Kostecki <conikost <AT> gentoo.org>
.../qemu/files/qemu-4.0.0-mkdir_systemtap.patch | 12 ---
app-emulation/qemu/files/qemu-4.2.0-cflags.patch | 16 ----
.../qemu-5.1.0-pixman-for-vhost-user-gpu.patch | 62 ---------------
...qemu-5.1.0-usb-host-workaround-libusb-bug.patch | 82 --------------------
.../files/qemu-5.1.0-usb-oob-CVE-2020-14364.patch | 90 ----------------------
5 files changed, 262 deletions(-)
diff --git a/app-emulation/qemu/files/qemu-4.0.0-mkdir_systemtap.patch b/app-emulation/qemu/files/qemu-4.0.0-mkdir_systemtap.patch
deleted file mode 100644
index 95ccdd7a4b1..00000000000
--- a/app-emulation/qemu/files/qemu-4.0.0-mkdir_systemtap.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff --git a/Makefile b/Makefile
-index 04a0d450..e0013a59 100644
---- a/Makefile
-+++ b/Makefile
-@@ -803,6 +802,7 @@
- $(call install-prog,$(HELPERS-y),$(DESTDIR)$(libexecdir))
- endif
- ifdef CONFIG_TRACE_SYSTEMTAP
-+ mkdir -p $(DESTDIR)$(bindir)
- $(INSTALL_PROG) "scripts/qemu-trace-stap" $(DESTDIR)$(bindir)
- endif
- ifneq ($(BLOBS),)
diff --git a/app-emulation/qemu/files/qemu-4.2.0-cflags.patch b/app-emulation/qemu/files/qemu-4.2.0-cflags.patch
deleted file mode 100644
index 101926589a6..00000000000
--- a/app-emulation/qemu/files/qemu-4.2.0-cflags.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-diff --git i/configure w/configure
-index a72a5def57..546d757603 100755
---- i/configure
-+++ w/configure
-@@ -6093,10 +6093,6 @@ write_c_skeleton
- if test "$gcov" = "yes" ; then
- QEMU_CFLAGS="-fprofile-arcs -ftest-coverage -g $QEMU_CFLAGS"
- QEMU_LDFLAGS="-fprofile-arcs -ftest-coverage $QEMU_LDFLAGS"
--elif test "$fortify_source" = "yes" ; then
-- CFLAGS="-O2 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 $CFLAGS"
--elif test "$debug" = "no"; then
-- CFLAGS="-O2 $CFLAGS"
- fi
-
- if test "$have_asan" = "yes"; then
-
diff --git a/app-emulation/qemu/files/qemu-5.1.0-pixman-for-vhost-user-gpu.patch b/app-emulation/qemu/files/qemu-5.1.0-pixman-for-vhost-user-gpu.patch
deleted file mode 100644
index 4eb644fde54..00000000000
--- a/app-emulation/qemu/files/qemu-5.1.0-pixman-for-vhost-user-gpu.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-https://bugs.gentoo.org/735146
-
-From 4fd46e6cdd976f4aecdc3fbbad728e00a7bc4ee0 Mon Sep 17 00:00:00 2001
-From: Rafael Kitover <rkitover@gmail.com>
-Date: Thu, 13 Aug 2020 20:19:24 +0000
-Subject: [PATCH] configure: Require pixman for vhost-user-gpu.
-
-Use the test from Makefile to check if vhost-user-gpu is being built,
-and if so require pixman.
-
-Signed-off-by: Rafael Kitover <rkitover@gmail.com>
----
- configure | 28 ++++++++++++++--------------
- 1 file changed, 14 insertions(+), 14 deletions(-)
-
---- a/configure
-+++ b/configure
-@@ -4062,20 +4062,6 @@ if test "$modules" = yes; then
- fi
- fi
-
--##########################################
--# pixman support probe
--
--if test "$softmmu" = "no"; then
-- pixman_cflags=
-- pixman_libs=
--elif $pkg_config --atleast-version=0.21.8 pixman-1 > /dev/null 2>&1; then
-- pixman_cflags=$($pkg_config --cflags pixman-1)
-- pixman_libs=$($pkg_config --libs pixman-1)
--else
-- error_exit "pixman >= 0.21.8 not present." \
-- "Please install the pixman devel package."
--fi
--
- ##########################################
- # libmpathpersist probe
-
-@@ -4491,6 +4477,20 @@ if test "$opengl" = "yes" && test "$have_x11" = "yes"; then
- done
- fi
-
-+##########################################
-+# pixman support probe
-+
-+if test "$softmmu" = "no" && ! test "${linux} ${virglrenderer} ${gbm} ${want_tools}" = "yes yes yes yes"; then
-+ pixman_cflags=
-+ pixman_libs=
-+elif $pkg_config --atleast-version=0.21.8 pixman-1 > /dev/null 2>&1; then
-+ pixman_cflags=$($pkg_config --cflags pixman-1)
-+ pixman_libs=$($pkg_config --libs pixman-1)
-+else
-+ error_exit "pixman >= 0.21.8 not present." \
-+ "Please install the pixman devel package."
-+fi
-+
- ##########################################
- # libxml2 probe
- if test "$libxml2" != "no" ; then
---
-2.28.0
-
diff --git a/app-emulation/qemu/files/qemu-5.1.0-usb-host-workaround-libusb-bug.patch b/app-emulation/qemu/files/qemu-5.1.0-usb-host-workaround-libusb-bug.patch
deleted file mode 100644
index 34a50a9bfb5..00000000000
--- a/app-emulation/qemu/files/qemu-5.1.0-usb-host-workaround-libusb-bug.patch
+++ /dev/null
@@ -1,82 +0,0 @@
-From 202d69a715a4b1824dcd7ec1683d027ed2bae6d3 Mon Sep 17 00:00:00 2001
-Message-Id: <202d69a715a4b1824dcd7ec1683d027ed2bae6d3.1606202550.git.mprivozn@redhat.com>
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Mon, 24 Aug 2020 13:00:57 +0200
-Subject: [PATCH] usb-host: workaround libusb bug
-
-libusb_get_device_speed() does not work for
-libusb_wrap_sys_device() devices in v1.0.23.
-
-Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1871090
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Message-id: 20200824110057.32089-1-kraxel@redhat.com
-Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
----
- hw/usb/host-libusb.c | 37 ++++++++++++++++++++++++++++++++++++-
- 1 file changed, 36 insertions(+), 1 deletion(-)
-
-diff --git a/hw/usb/host-libusb.c b/hw/usb/host-libusb.c
-index c474551d84..08604f787f 100644
---- a/hw/usb/host-libusb.c
-+++ b/hw/usb/host-libusb.c
-@@ -39,6 +39,11 @@
- #endif
- #include <libusb.h>
-
-+#ifdef CONFIG_LINUX
-+#include <sys/ioctl.h>
-+#include <linux/usbdevice_fs.h>
-+#endif
-+
- #include "qapi/error.h"
- #include "migration/vmstate.h"
- #include "monitor/monitor.h"
-@@ -885,6 +890,7 @@ static void usb_host_ep_update(USBHostDevice *s)
- static int usb_host_open(USBHostDevice *s, libusb_device *dev, int hostfd)
- {
- USBDevice *udev = USB_DEVICE(s);
-+ int libusb_speed;
- int bus_num = 0;
- int addr = 0;
- int rc;
-@@ -935,7 +941,36 @@ static int usb_host_open(USBHostDevice *s, libusb_device *dev, int hostfd)
- usb_ep_init(udev);
- usb_host_ep_update(s);
-
-- udev->speed = speed_map[libusb_get_device_speed(dev)];
-+ libusb_speed = libusb_get_device_speed(dev);
-+#ifdef CONFIG_LINUX
-+ if (hostfd && libusb_speed == 0) {
-+ /*
-+ * Workaround libusb bug: libusb_get_device_speed() does not
-+ * work for libusb_wrap_sys_device() devices in v1.0.23.
-+ *
-+ * Speeds are defined in linux/usb/ch9.h, file not included
-+ * due to name conflicts.
-+ */
-+ int rc = ioctl(hostfd, USBDEVFS_GET_SPEED, NULL);
-+ switch (rc) {
-+ case 1: /* low */
-+ libusb_speed = LIBUSB_SPEED_LOW;
-+ break;
-+ case 2: /* full */
-+ libusb_speed = LIBUSB_SPEED_FULL;
-+ break;
-+ case 3: /* high */
-+ case 4: /* wireless */
-+ libusb_speed = LIBUSB_SPEED_HIGH;
-+ break;
-+ case 5: /* super */
-+ case 6: /* super plus */
-+ libusb_speed = LIBUSB_SPEED_SUPER;
-+ break;
-+ }
-+ }
-+#endif
-+ udev->speed = speed_map[libusb_speed];
- usb_host_speed_compat(s);
-
- if (s->ddesc.iProduct) {
---
-2.26.2
-
diff --git a/app-emulation/qemu/files/qemu-5.1.0-usb-oob-CVE-2020-14364.patch b/app-emulation/qemu/files/qemu-5.1.0-usb-oob-CVE-2020-14364.patch
deleted file mode 100644
index d1d23ec6f0e..00000000000
--- a/app-emulation/qemu/files/qemu-5.1.0-usb-oob-CVE-2020-14364.patch
+++ /dev/null
@@ -1,90 +0,0 @@
-https://bugs.gentoo.org/743649
-
-From b946434f2659a182afc17e155be6791ebfb302eb Mon Sep 17 00:00:00 2001
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Tue, 25 Aug 2020 07:36:36 +0200
-Subject: [PATCH] usb: fix setup_len init (CVE-2020-14364)
-
-Store calculated setup_len in a local variable, verify it, and only
-write it to the struct (USBDevice->setup_len) in case it passed the
-sanity checks.
-
-This prevents other code (do_token_{in,out} functions specifically)
-from working with invalid USBDevice->setup_len values and overrunning
-the USBDevice->setup_buf[] buffer.
-
-Fixes: CVE-2020-14364
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Tested-by: Gonglei <arei.gonglei@huawei.com>
-Reviewed-by: Li Qiang <liq3ea@gmail.com>
-Message-id: 20200825053636.29648-1-kraxel@redhat.com
----
- hw/usb/core.c | 16 ++++++++++------
- 1 file changed, 10 insertions(+), 6 deletions(-)
-
-diff --git a/hw/usb/core.c b/hw/usb/core.c
-index 5abd128b6b..5234dcc73f 100644
---- a/hw/usb/core.c
-+++ b/hw/usb/core.c
-@@ -129,6 +129,7 @@ void usb_wakeup(USBEndpoint *ep, unsigned int stream)
- static void do_token_setup(USBDevice *s, USBPacket *p)
- {
- int request, value, index;
-+ unsigned int setup_len;
-
- if (p->iov.size != 8) {
- p->status = USB_RET_STALL;
-@@ -138,14 +139,15 @@ static void do_token_setup(USBDevice *s, USBPacket *p)
- usb_packet_copy(p, s->setup_buf, p->iov.size);
- s->setup_index = 0;
- p->actual_length = 0;
-- s->setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
-- if (s->setup_len > sizeof(s->data_buf)) {
-+ setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
-+ if (setup_len > sizeof(s->data_buf)) {
- fprintf(stderr,
- "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",
-- s->setup_len, sizeof(s->data_buf));
-+ setup_len, sizeof(s->data_buf));
- p->status = USB_RET_STALL;
- return;
- }
-+ s->setup_len = setup_len;
-
- request = (s->setup_buf[0] << 8) | s->setup_buf[1];
- value = (s->setup_buf[3] << 8) | s->setup_buf[2];
-@@ -259,26 +261,28 @@ static void do_token_out(USBDevice *s, USBPacket *p)
- static void do_parameter(USBDevice *s, USBPacket *p)
- {
- int i, request, value, index;
-+ unsigned int setup_len;
-
- for (i = 0; i < 8; i++) {
- s->setup_buf[i] = p->parameter >> (i*8);
- }
-
- s->setup_state = SETUP_STATE_PARAM;
-- s->setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
- s->setup_index = 0;
-
- request = (s->setup_buf[0] << 8) | s->setup_buf[1];
- value = (s->setup_buf[3] << 8) | s->setup_buf[2];
- index = (s->setup_buf[5] << 8) | s->setup_buf[4];
-
-- if (s->setup_len > sizeof(s->data_buf)) {
-+ setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
-+ if (setup_len > sizeof(s->data_buf)) {
- fprintf(stderr,
- "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",
-- s->setup_len, sizeof(s->data_buf));
-+ setup_len, sizeof(s->data_buf));
- p->status = USB_RET_STALL;
- return;
- }
-+ s->setup_len = setup_len;
-
- if (p->pid == USB_TOKEN_OUT) {
- usb_packet_copy(p, s->data_buf, s->setup_len);
---
-2.28.0
-
^ permalink raw reply related [flat|nested] 21+ messages in thread* [gentoo-commits] repo/gentoo:master commit in: app-emulation/qemu/files/
@ 2020-09-21 21:48 Conrad Kostecki
0 siblings, 0 replies; 21+ messages in thread
From: Conrad Kostecki @ 2020-09-21 21:48 UTC (permalink / raw
To: gentoo-commits
commit: 5015b08faf87a9906d4bcf8ac8a92804fe95cc7c
Author: Michael Mair-Keimberger <m.mairkeimberger <AT> gmail <DOT> com>
AuthorDate: Mon Sep 21 18:41:00 2020 +0000
Commit: Conrad Kostecki <conikost <AT> gentoo <DOT> org>
CommitDate: Mon Sep 21 21:48:32 2020 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5015b08f
app-emulation/qemu: remove unused patches
Closes: https://github.com/gentoo/gentoo/pull/17629
Package-Manager: Portage-3.0.7, Repoman-3.0.1
Signed-off-by: Michael Mair-Keimberger <m.mairkeimberger <AT> gmail.com>
Signed-off-by: Conrad Kostecki <conikost <AT> gentoo.org>
.../qemu/files/qemu-5.0.0-epoll-strace.patch | 50 ----------------------
.../qemu-5.0.0-ipv6-slirp-CVE-2020-10756.patch | 35 ---------------
2 files changed, 85 deletions(-)
diff --git a/app-emulation/qemu/files/qemu-5.0.0-epoll-strace.patch b/app-emulation/qemu/files/qemu-5.0.0-epoll-strace.patch
deleted file mode 100644
index c0f9a2e008d..00000000000
--- a/app-emulation/qemu/files/qemu-5.0.0-epoll-strace.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-https://lists.nongnu.org/archive/html/qemu-devel/2020-04/msg02643.html
-
-From 6bce23d8daf96a7faa9288e7414948cda31ddaa2 Mon Sep 17 00:00:00 2001
-From: Sergei Trofimovich <slyfox@gentoo.org>
-Date: Thu, 16 Apr 2020 18:55:49 +0100
-Subject: [PATCH] linux-user/strace.list: fix epoll_create{,1} -strace output
-
-Fix syscall name and parameters priinter.
-
-Before the change:
-
-```
-$ alpha-linux-user/qemu-alpha -strace -L /usr/alpha-unknown-linux-gnu/ /tmp/a
-...
-1274697 %s(%d)(2097152,274903156744,274903156760,274905840712,274877908880,274903235616) = 3
-1274697 exit_group(0)
-```
-
-After the change:
-
-```
-$ alpha-linux-user/qemu-alpha -strace -L /usr/alpha-unknown-linux-gnu/ /tmp/a
-...
-1273719 epoll_create1(2097152) = 3
-1273719 exit_group(0)
-```
-
-Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
----
- linux-user/strace.list | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
---- a/linux-user/strace.list
-+++ b/linux-user/strace.list
-@@ -125,10 +125,10 @@
- { TARGET_NR_dup3, "dup3" , "%s(%d,%d,%d)", NULL, NULL },
- #endif
- #ifdef TARGET_NR_epoll_create
--{ TARGET_NR_epoll_create, "%s(%d)", NULL, NULL, NULL },
-+{ TARGET_NR_epoll_create, "epoll_create", "%s(%d)", NULL, NULL },
- #endif
- #ifdef TARGET_NR_epoll_create1
--{ TARGET_NR_epoll_create1, "%s(%d)", NULL, NULL, NULL },
-+{ TARGET_NR_epoll_create1, "epoll_create1", "%s(%d)", NULL, NULL },
- #endif
- #ifdef TARGET_NR_epoll_ctl
- { TARGET_NR_epoll_ctl, "epoll_ctl" , NULL, NULL, NULL },
---
-2.26.2
-
diff --git a/app-emulation/qemu/files/qemu-5.0.0-ipv6-slirp-CVE-2020-10756.patch b/app-emulation/qemu/files/qemu-5.0.0-ipv6-slirp-CVE-2020-10756.patch
deleted file mode 100644
index d1d3c49a58f..00000000000
--- a/app-emulation/qemu/files/qemu-5.0.0-ipv6-slirp-CVE-2020-10756.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-https://gitlab.freedesktop.org/slirp/libslirp/-/commit/c7ede54cbd2e2b25385325600958ba0124e31cc0
-https://bugzilla.redhat.com/show_bug.cgi?id=1835986
-https://bugs.gentoo.org/731992
-
-From c7ede54cbd2e2b25385325600958ba0124e31cc0 Mon Sep 17 00:00:00 2001
-From: Ralf Haferkamp <rhafer@suse.com>
-Date: Fri, 3 Jul 2020 14:51:16 +0200
-Subject: [PATCH] Drop bogus IPv6 messages
-
-Drop IPv6 message shorter than what's mentioned in the payload
-length header (+ the size of the IPv6 header). They're invalid an could
-lead to data leakage in icmp6_send_echoreply().
----
- src/ip6_input.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
---- a/slirp/src/ip6_input.c
-+++ b/slirp/src/ip6_input.c
-@@ -49,6 +49,13 @@ void ip6_input(struct mbuf *m)
- goto bad;
- }
-
-+ // Check if the message size is big enough to hold what's
-+ // set in the payload length header. If not this is an invalid
-+ // packet
-+ if (m->m_len < ntohs(ip6->ip_pl) + sizeof(struct ip6)) {
-+ goto bad;
-+ }
-+
- /* check ip_ttl for a correct ICMP reply */
- if (ip6->ip_hl == 0) {
- icmp6_send_error(m, ICMP6_TIMXCEED, ICMP6_TIMXCEED_INTRANS);
---
-GitLab
-
^ permalink raw reply related [flat|nested] 21+ messages in thread* [gentoo-commits] repo/gentoo:master commit in: app-emulation/qemu/files/
@ 2020-07-06 18:40 Sergei Trofimovich
0 siblings, 0 replies; 21+ messages in thread
From: Sergei Trofimovich @ 2020-07-06 18:40 UTC (permalink / raw
To: gentoo-commits
commit: dbfbd2a380ece3ff78b93dde0da2c086e542bdd6
Author: Michael Mair-Keimberger <m.mairkeimberger <AT> gmail <DOT> com>
AuthorDate: Mon Jul 6 17:22:38 2020 +0000
Commit: Sergei Trofimovich <slyfox <AT> gentoo <DOT> org>
CommitDate: Mon Jul 6 18:40:29 2020 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dbfbd2a3
app-emulation/qemu: remove unused patches
Package-Manager: Portage-2.3.103, Repoman-2.3.23
Signed-off-by: Michael Mair-Keimberger <m.mairkeimberger <AT> gmail.com>
Closes: https://github.com/gentoo/gentoo/pull/16612
Signed-off-by: Sergei Trofimovich <slyfox <AT> gentoo.org>
app-emulation/qemu/files/qemu-2.5.0-cflags.patch | 13 ---
.../qemu/files/qemu-4.2.0-ati-vga-crash.patch | 94 ----------------------
2 files changed, 107 deletions(-)
diff --git a/app-emulation/qemu/files/qemu-2.5.0-cflags.patch b/app-emulation/qemu/files/qemu-2.5.0-cflags.patch
deleted file mode 100644
index 173394fd02f..00000000000
--- a/app-emulation/qemu/files/qemu-2.5.0-cflags.patch
+++ /dev/null
@@ -1,13 +0,0 @@
---- a/configure
-+++ b/configure
-@@ -4468,10 +4468,6 @@ fi
- if test "$gcov" = "yes" ; then
- CFLAGS="-fprofile-arcs -ftest-coverage -g $CFLAGS"
- LDFLAGS="-fprofile-arcs -ftest-coverage $LDFLAGS"
--elif test "$fortify_source" = "yes" ; then
-- CFLAGS="-O2 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 $CFLAGS"
--elif test "$debug" = "no"; then
-- CFLAGS="-O2 $CFLAGS"
- fi
-
- ##########################################
diff --git a/app-emulation/qemu/files/qemu-4.2.0-ati-vga-crash.patch b/app-emulation/qemu/files/qemu-4.2.0-ati-vga-crash.patch
deleted file mode 100644
index 5f442f0fd07..00000000000
--- a/app-emulation/qemu/files/qemu-4.2.0-ati-vga-crash.patch
+++ /dev/null
@@ -1,94 +0,0 @@
-https://bugs.gentoo.org/719266
-
-From ac2071c3791b67fc7af78b8ceb320c01ca1b5df7 Mon Sep 17 00:00:00 2001
-From: BALATON Zoltan <balaton@eik.bme.hu>
-Date: Mon, 6 Apr 2020 22:34:26 +0200
-Subject: [PATCH] ati-vga: Fix checks in ati_2d_blt() to avoid crash
-
-In some corner cases (that never happen during normal operation but a
-malicious guest could program wrong values) pixman functions were
-called with parameters that result in a crash. Fix this and add more
-checks to disallow such cases.
-
-Reported-by: Ziming Zhang <ezrakiez@gmail.com>
-Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
-Message-id: 20200406204029.19559747D5D@zero.eik.bme.hu
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- hw/display/ati_2d.c | 37 ++++++++++++++++++++++++++-----------
- 1 file changed, 26 insertions(+), 11 deletions(-)
-
---- a/hw/display/ati_2d.c
-+++ b/hw/display/ati_2d.c
-@@ -53,12 +53,20 @@ void ati_2d_blt(ATIVGAState *s)
- s->vga.vbe_start_addr, surface_data(ds), surface_stride(ds),
- surface_bits_per_pixel(ds),
- (s->regs.dp_mix & GMC_ROP3_MASK) >> 16);
-- int dst_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ?
-- s->regs.dst_x : s->regs.dst_x + 1 - s->regs.dst_width);
-- int dst_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ?
-- s->regs.dst_y : s->regs.dst_y + 1 - s->regs.dst_height);
-+ unsigned dst_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ?
-+ s->regs.dst_x : s->regs.dst_x + 1 - s->regs.dst_width);
-+ unsigned dst_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ?
-+ s->regs.dst_y : s->regs.dst_y + 1 - s->regs.dst_height);
- int bpp = ati_bpp_from_datatype(s);
-+ if (!bpp) {
-+ qemu_log_mask(LOG_GUEST_ERROR, "Invalid bpp\n");
-+ return;
-+ }
- int dst_stride = DEFAULT_CNTL ? s->regs.dst_pitch : s->regs.default_pitch;
-+ if (!dst_stride) {
-+ qemu_log_mask(LOG_GUEST_ERROR, "Zero dest pitch\n");
-+ return;
-+ }
- uint8_t *dst_bits = s->vga.vram_ptr + (DEFAULT_CNTL ?
- s->regs.dst_offset : s->regs.default_offset);
-
-@@ -82,12 +90,16 @@ void ati_2d_blt(ATIVGAState *s)
- switch (s->regs.dp_mix & GMC_ROP3_MASK) {
- case ROP3_SRCCOPY:
- {
-- int src_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ?
-- s->regs.src_x : s->regs.src_x + 1 - s->regs.dst_width);
-- int src_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ?
-- s->regs.src_y : s->regs.src_y + 1 - s->regs.dst_height);
-+ unsigned src_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ?
-+ s->regs.src_x : s->regs.src_x + 1 - s->regs.dst_width);
-+ unsigned src_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ?
-+ s->regs.src_y : s->regs.src_y + 1 - s->regs.dst_height);
- int src_stride = DEFAULT_CNTL ?
- s->regs.src_pitch : s->regs.default_pitch;
-+ if (!src_stride) {
-+ qemu_log_mask(LOG_GUEST_ERROR, "Zero source pitch\n");
-+ return;
-+ }
- uint8_t *src_bits = s->vga.vram_ptr + (DEFAULT_CNTL ?
- s->regs.src_offset : s->regs.default_offset);
-
-@@ -137,8 +149,10 @@ void ati_2d_blt(ATIVGAState *s)
- dst_y * surface_stride(ds),
- s->regs.dst_height * surface_stride(ds));
- }
-- s->regs.dst_x += s->regs.dst_width;
-- s->regs.dst_y += s->regs.dst_height;
-+ s->regs.dst_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ?
-+ dst_x + s->regs.dst_width : dst_x);
-+ s->regs.dst_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ?
-+ dst_y + s->regs.dst_height : dst_y);
- break;
- }
- case ROP3_PATCOPY:
-@@ -179,7 +193,8 @@ void ati_2d_blt(ATIVGAState *s)
- dst_y * surface_stride(ds),
- s->regs.dst_height * surface_stride(ds));
- }
-- s->regs.dst_y += s->regs.dst_height;
-+ s->regs.dst_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ?
-+ dst_y + s->regs.dst_height : dst_y);
- break;
- }
- default:
---
-2.26.2
-
^ permalink raw reply related [flat|nested] 21+ messages in thread* [gentoo-commits] repo/gentoo:master commit in: app-emulation/qemu/files/
@ 2020-04-18 21:31 Sergei Trofimovich
0 siblings, 0 replies; 21+ messages in thread
From: Sergei Trofimovich @ 2020-04-18 21:31 UTC (permalink / raw
To: gentoo-commits
commit: 97b0f769363b5056565b24f10b28192e7b613689
Author: Michael Mair-Keimberger <m.mairkeimberger <AT> gmail <DOT> com>
AuthorDate: Sat Apr 18 16:49:33 2020 +0000
Commit: Sergei Trofimovich <slyfox <AT> gentoo <DOT> org>
CommitDate: Sat Apr 18 21:31:52 2020 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=97b0f769
app-emulation/qemu: remove unused patches
Package-Manager: Portage-2.3.99, Repoman-2.3.22
Signed-off-by: Michael Mair-Keimberger <m.mairkeimberger <AT> gmail.com>
Closes: https://github.com/gentoo/gentoo/pull/15392
Signed-off-by: Sergei Trofimovich <slyfox <AT> gentoo.org>
.../qemu/files/qemu-3.1.0-md-clear-md-no.patch | 61 ----
.../files/qemu-4.0.0-fix_infiniband_include.patch | 12 -
| 334 ---------------------
.../qemu/files/qemu-4.0.0-pc-q35-4.0.patch | 135 ---------
.../qemu/files/qemu-4.0.0-xkbcommon.patch | 38 ---
5 files changed, 580 deletions(-)
diff --git a/app-emulation/qemu/files/qemu-3.1.0-md-clear-md-no.patch b/app-emulation/qemu/files/qemu-3.1.0-md-clear-md-no.patch
deleted file mode 100644
index a7b3e8cb8f2..00000000000
--- a/app-emulation/qemu/files/qemu-3.1.0-md-clear-md-no.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-From 0fb766134bd97ead71646e13349f93769e536ed9 Mon Sep 17 00:00:00 2001
-From: Matthias Maier <tamiko@43-1.org>
-Date: Fri, 17 May 2019 02:21:10 -0500
-Subject: [PATCH] Define md-clear bit, expose md-no CPUID
-
-Fixes for CVE-2018-121{26|27|30}, CVE-2019-11091
-
-See related fixes for Ubuntu:
- https://launchpad.net/ubuntu/+source/qemu/1:3.1+dfsg-2ubuntu3.1
----
- target/i386/cpu.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/target/i386/cpu.c b/target/i386/cpu.c
-index d6bb57d2..331a364a 100644
---- a/target/i386/cpu.c
-+++ b/target/i386/cpu.c
-@@ -1076,7 +1076,7 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
- .feat_names = {
- NULL, NULL, "avx512-4vnniw", "avx512-4fmaps",
- NULL, NULL, NULL, NULL,
-- NULL, NULL, NULL, NULL,
-+ NULL, NULL, "md-clear", NULL,
- NULL, NULL, NULL, NULL,
- NULL, NULL, NULL, NULL,
- NULL, NULL, NULL, NULL,
-@@ -1183,7 +1183,7 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
- .type = MSR_FEATURE_WORD,
- .feat_names = {
- "rdctl-no", "ibrs-all", "rsba", "skip-l1dfl-vmentry",
-- "ssb-no", NULL, NULL, NULL,
-+ "ssb-no", "mds-no", NULL, NULL,
- NULL, NULL, NULL, NULL,
- NULL, NULL, NULL, NULL,
- NULL, NULL, NULL, NULL,
-diff --git a/target/i386/cpu.h b/target/i386/cpu.h
-index 83fb5225..d0bab4d7 100644
---- a/target/i386/cpu.h
-+++ b/target/i386/cpu.h
-@@ -694,6 +694,7 @@ typedef uint32_t FeatureWordArray[FEATURE_WORDS];
-
- #define CPUID_7_0_EDX_AVX512_4VNNIW (1U << 2) /* AVX512 Neural Network Instructions */
- #define CPUID_7_0_EDX_AVX512_4FMAPS (1U << 3) /* AVX512 Multiply Accumulation Single Precision */
-+#define CPUID_7_0_EDX_MD_CLEAR (1U << 10) /* Microarchitectural Data Clear */
- #define CPUID_7_0_EDX_SPEC_CTRL (1U << 26) /* Speculation Control */
- #define CPUID_7_0_EDX_ARCH_CAPABILITIES (1U << 29) /*Arch Capabilities*/
- #define CPUID_7_0_EDX_SPEC_CTRL_SSBD (1U << 31) /* Speculative Store Bypass Disable */
-diff --git a/target/i386/hvf/x86_cpuid.c b/target/i386/hvf/x86_cpuid.c
-index 4d957fe8..b453552f 100644
---- a/target/i386/hvf/x86_cpuid.c
-+++ b/target/i386/hvf/x86_cpuid.c
-@@ -90,7 +90,8 @@ uint32_t hvf_get_supported_cpuid(uint32_t func, uint32_t idx,
- }
-
- ecx &= CPUID_7_0_ECX_AVX512BMI | CPUID_7_0_ECX_AVX512_VPOPCNTDQ;
-- edx &= CPUID_7_0_EDX_AVX512_4VNNIW | CPUID_7_0_EDX_AVX512_4FMAPS;
-+ edx &= CPUID_7_0_EDX_AVX512_4VNNIW | CPUID_7_0_EDX_AVX512_4FMAPS | \
-+ CPUID_7_0_EDX_MD_CLEAR;
- } else {
- ebx = 0;
- ecx = 0;
diff --git a/app-emulation/qemu/files/qemu-4.0.0-fix_infiniband_include.patch b/app-emulation/qemu/files/qemu-4.0.0-fix_infiniband_include.patch
deleted file mode 100644
index 2778cc8f4f2..00000000000
--- a/app-emulation/qemu/files/qemu-4.0.0-fix_infiniband_include.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff --git a/hw/rdma/rdma_backend.c b/hw/rdma/rdma_backend.c
-index d1660b64..86715bfd 100644
---- a/hw/rdma/rdma_backend.c
-+++ b/hw/rdma/rdma_backend.c
-@@ -21,7 +21,6 @@
- #include "qapi/qapi-events-rdma.h"
-
- #include <infiniband/verbs.h>
--#include <infiniband/umad_types.h>
- #include <infiniband/umad.h>
- #include <rdma/rdma_user_cm.h>
-
diff --git a/app-emulation/qemu/files/qemu-4.0.0-linux-headers-5.2.patch b/app-emulation/qemu/files/qemu-4.0.0-linux-headers-5.2.patch
deleted file mode 100644
index 43be8629dfa..00000000000
--- a/app-emulation/qemu/files/qemu-4.0.0-linux-headers-5.2.patch
+++ /dev/null
@@ -1,334 +0,0 @@
-From 6d5d5dde9adb5acb32e6b8e3dfbf47fff0f308d2 Mon Sep 17 00:00:00 2001
-From: =?utf8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
-Date: Thu, 18 Jul 2019 15:06:41 +0200
-Subject: [PATCH] linux-user: fix to handle variably sized SIOCGSTAMP with new
- kernels
-MIME-Version: 1.0
-Content-Type: text/plain; charset=utf8
-Content-Transfer-Encoding: 8bit
-
-The SIOCGSTAMP symbol was previously defined in the
-asm-generic/sockios.h header file. QEMU sees that header
-indirectly via sys/socket.h
-
-In linux kernel commit 0768e17073dc527ccd18ed5f96ce85f9985e9115
-the asm-generic/sockios.h header no longer defines SIOCGSTAMP.
-Instead it provides only SIOCGSTAMP_OLD, which only uses a
-32-bit time_t on 32-bit architectures.
-
-The linux/sockios.h header then defines SIOCGSTAMP using
-either SIOCGSTAMP_OLD or SIOCGSTAMP_NEW as appropriate. If
-SIOCGSTAMP_NEW is used, then the tv_sec field is 64-bit even
-on 32-bit architectures
-
-To cope with this we must now convert the old and new type from
-the target to the host one.
-
-Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
-Signed-off-by: Laurent Vivier <laurent@vivier.eu>
-Reviewed-by: Arnd Bergmann <arnd@arndb.de>
-Message-Id: <20190718130641.15294-1-laurent@vivier.eu>
-Signed-off-by: Laurent Vivier <laurent@vivier.eu>
----
- linux-user/ioctls.h | 21 ++++++-
- linux-user/syscall.c | 140 ++++++++++++++++++++++++++++++++++++---------
- linux-user/syscall_defs.h | 30 +++++++++-
- linux-user/syscall_types.h | 6 --
- 4 files changed, 159 insertions(+), 38 deletions(-)
-
-diff --git a/linux-user/ioctls.h b/linux-user/ioctls.h
-index ae895162..e6a27ad9 100644
---- a/linux-user/ioctls.h
-+++ b/linux-user/ioctls.h
-@@ -219,8 +219,25 @@
- IOCTL(SIOCGRARP, IOC_R, MK_PTR(MK_STRUCT(STRUCT_arpreq)))
- IOCTL(SIOCGIWNAME, IOC_W | IOC_R, MK_PTR(MK_STRUCT(STRUCT_char_ifreq)))
- IOCTL(SIOCGPGRP, IOC_R, MK_PTR(TYPE_INT)) /* pid_t */
-- IOCTL(SIOCGSTAMP, IOC_R, MK_PTR(MK_STRUCT(STRUCT_timeval)))
-- IOCTL(SIOCGSTAMPNS, IOC_R, MK_PTR(MK_STRUCT(STRUCT_timespec)))
-+
-+ /*
-+ * We can't use IOCTL_SPECIAL() because it will set
-+ * host_cmd to XXX_OLD and XXX_NEW and these macros
-+ * are not defined with kernel prior to 5.2.
-+ * We must set host_cmd to the same value as in target_cmd
-+ * otherwise the consistency check in syscall_init()
-+ * will trigger an error.
-+ * host_cmd is ignored by the do_ioctl_XXX() helpers.
-+ * FIXME: create a macro to define this kind of entry
-+ */
-+ { TARGET_SIOCGSTAMP_OLD, TARGET_SIOCGSTAMP_OLD,
-+ "SIOCGSTAMP_OLD", IOC_R, do_ioctl_SIOCGSTAMP },
-+ { TARGET_SIOCGSTAMPNS_OLD, TARGET_SIOCGSTAMPNS_OLD,
-+ "SIOCGSTAMPNS_OLD", IOC_R, do_ioctl_SIOCGSTAMPNS },
-+ { TARGET_SIOCGSTAMP_NEW, TARGET_SIOCGSTAMP_NEW,
-+ "SIOCGSTAMP_NEW", IOC_R, do_ioctl_SIOCGSTAMP },
-+ { TARGET_SIOCGSTAMPNS_NEW, TARGET_SIOCGSTAMPNS_NEW,
-+ "SIOCGSTAMPNS_NEW", IOC_R, do_ioctl_SIOCGSTAMPNS },
-
- IOCTL(RNDGETENTCNT, IOC_R, MK_PTR(TYPE_INT))
- IOCTL(RNDADDTOENTCNT, IOC_W, MK_PTR(TYPE_INT))
-diff --git a/linux-user/syscall.c b/linux-user/syscall.c
-index 96cd4bf8..6df480e1 100644
---- a/linux-user/syscall.c
-+++ b/linux-user/syscall.c
-@@ -37,6 +37,7 @@
- #include <sched.h>
- #include <sys/timex.h>
- #include <sys/socket.h>
-+#include <linux/sockios.h>
- #include <sys/un.h>
- #include <sys/uio.h>
- #include <poll.h>
-@@ -1139,8 +1140,9 @@ static inline abi_long copy_from_user_timeval(struct timeval *tv,
- {
- struct target_timeval *target_tv;
-
-- if (!lock_user_struct(VERIFY_READ, target_tv, target_tv_addr, 1))
-+ if (!lock_user_struct(VERIFY_READ, target_tv, target_tv_addr, 1)) {
- return -TARGET_EFAULT;
-+ }
-
- __get_user(tv->tv_sec, &target_tv->tv_sec);
- __get_user(tv->tv_usec, &target_tv->tv_usec);
-@@ -1155,8 +1157,26 @@ static inline abi_long copy_to_user_timeval(abi_ulong target_tv_addr,
- {
- struct target_timeval *target_tv;
-
-- if (!lock_user_struct(VERIFY_WRITE, target_tv, target_tv_addr, 0))
-+ if (!lock_user_struct(VERIFY_WRITE, target_tv, target_tv_addr, 0)) {
-+ return -TARGET_EFAULT;
-+ }
-+
-+ __put_user(tv->tv_sec, &target_tv->tv_sec);
-+ __put_user(tv->tv_usec, &target_tv->tv_usec);
-+
-+ unlock_user_struct(target_tv, target_tv_addr, 1);
-+
-+ return 0;
-+}
-+
-+static inline abi_long copy_to_user_timeval64(abi_ulong target_tv_addr,
-+ const struct timeval *tv)
-+{
-+ struct target__kernel_sock_timeval *target_tv;
-+
-+ if (!lock_user_struct(VERIFY_WRITE, target_tv, target_tv_addr, 0)) {
- return -TARGET_EFAULT;
-+ }
-
- __put_user(tv->tv_sec, &target_tv->tv_sec);
- __put_user(tv->tv_usec, &target_tv->tv_usec);
-@@ -1166,6 +1186,48 @@ static inline abi_long copy_to_user_timeval(abi_ulong target_tv_addr,
- return 0;
- }
-
-+static inline abi_long target_to_host_timespec(struct timespec *host_ts,
-+ abi_ulong target_addr)
-+{
-+ struct target_timespec *target_ts;
-+
-+ if (!lock_user_struct(VERIFY_READ, target_ts, target_addr, 1)) {
-+ return -TARGET_EFAULT;
-+ }
-+ __get_user(host_ts->tv_sec, &target_ts->tv_sec);
-+ __get_user(host_ts->tv_nsec, &target_ts->tv_nsec);
-+ unlock_user_struct(target_ts, target_addr, 0);
-+ return 0;
-+}
-+
-+static inline abi_long host_to_target_timespec(abi_ulong target_addr,
-+ struct timespec *host_ts)
-+{
-+ struct target_timespec *target_ts;
-+
-+ if (!lock_user_struct(VERIFY_WRITE, target_ts, target_addr, 0)) {
-+ return -TARGET_EFAULT;
-+ }
-+ __put_user(host_ts->tv_sec, &target_ts->tv_sec);
-+ __put_user(host_ts->tv_nsec, &target_ts->tv_nsec);
-+ unlock_user_struct(target_ts, target_addr, 1);
-+ return 0;
-+}
-+
-+static inline abi_long host_to_target_timespec64(abi_ulong target_addr,
-+ struct timespec *host_ts)
-+{
-+ struct target__kernel_timespec *target_ts;
-+
-+ if (!lock_user_struct(VERIFY_WRITE, target_ts, target_addr, 0)) {
-+ return -TARGET_EFAULT;
-+ }
-+ __put_user(host_ts->tv_sec, &target_ts->tv_sec);
-+ __put_user(host_ts->tv_nsec, &target_ts->tv_nsec);
-+ unlock_user_struct(target_ts, target_addr, 1);
-+ return 0;
-+}
-+
- static inline abi_long copy_from_user_timezone(struct timezone *tz,
- abi_ulong target_tz_addr)
- {
-@@ -4790,6 +4852,54 @@ static abi_long do_ioctl_kdsigaccept(const IOCTLEntry *ie, uint8_t *buf_temp,
- return get_errno(safe_ioctl(fd, ie->host_cmd, sig));
- }
-
-+static abi_long do_ioctl_SIOCGSTAMP(const IOCTLEntry *ie, uint8_t *buf_temp,
-+ int fd, int cmd, abi_long arg)
-+{
-+ struct timeval tv;
-+ abi_long ret;
-+
-+ ret = get_errno(safe_ioctl(fd, SIOCGSTAMP, &tv));
-+ if (is_error(ret)) {
-+ return ret;
-+ }
-+
-+ if (cmd == (int)TARGET_SIOCGSTAMP_OLD) {
-+ if (copy_to_user_timeval(arg, &tv)) {
-+ return -TARGET_EFAULT;
-+ }
-+ } else {
-+ if (copy_to_user_timeval64(arg, &tv)) {
-+ return -TARGET_EFAULT;
-+ }
-+ }
-+
-+ return ret;
-+}
-+
-+static abi_long do_ioctl_SIOCGSTAMPNS(const IOCTLEntry *ie, uint8_t *buf_temp,
-+ int fd, int cmd, abi_long arg)
-+{
-+ struct timespec ts;
-+ abi_long ret;
-+
-+ ret = get_errno(safe_ioctl(fd, SIOCGSTAMPNS, &ts));
-+ if (is_error(ret)) {
-+ return ret;
-+ }
-+
-+ if (cmd == (int)TARGET_SIOCGSTAMPNS_OLD) {
-+ if (host_to_target_timespec(arg, &ts)) {
-+ return -TARGET_EFAULT;
-+ }
-+ } else{
-+ if (host_to_target_timespec64(arg, &ts)) {
-+ return -TARGET_EFAULT;
-+ }
-+ }
-+
-+ return ret;
-+}
-+
- #ifdef TIOCGPTPEER
- static abi_long do_ioctl_tiocgptpeer(const IOCTLEntry *ie, uint8_t *buf_temp,
- int fd, int cmd, abi_long arg)
-@@ -6160,32 +6270,6 @@ static inline abi_long target_ftruncate64(void *cpu_env, abi_long arg1,
- }
- #endif
-
--static inline abi_long target_to_host_timespec(struct timespec *host_ts,
-- abi_ulong target_addr)
--{
-- struct target_timespec *target_ts;
--
-- if (!lock_user_struct(VERIFY_READ, target_ts, target_addr, 1))
-- return -TARGET_EFAULT;
-- __get_user(host_ts->tv_sec, &target_ts->tv_sec);
-- __get_user(host_ts->tv_nsec, &target_ts->tv_nsec);
-- unlock_user_struct(target_ts, target_addr, 0);
-- return 0;
--}
--
--static inline abi_long host_to_target_timespec(abi_ulong target_addr,
-- struct timespec *host_ts)
--{
-- struct target_timespec *target_ts;
--
-- if (!lock_user_struct(VERIFY_WRITE, target_ts, target_addr, 0))
-- return -TARGET_EFAULT;
-- __put_user(host_ts->tv_sec, &target_ts->tv_sec);
-- __put_user(host_ts->tv_nsec, &target_ts->tv_nsec);
-- unlock_user_struct(target_ts, target_addr, 1);
-- return 0;
--}
--
- static inline abi_long target_to_host_itimerspec(struct itimerspec *host_itspec,
- abi_ulong target_addr)
- {
-diff --git a/linux-user/syscall_defs.h b/linux-user/syscall_defs.h
-index 12c84071..cfb3eeec 100644
---- a/linux-user/syscall_defs.h
-+++ b/linux-user/syscall_defs.h
-@@ -208,16 +208,34 @@ struct target_linger {
- abi_int l_linger; /* How long to linger for */
- };
-
-+#if defined(TARGET_SPARC64) && !defined(TARGET_ABI32)
-+struct target_timeval {
-+ abi_long tv_sec;
-+ abi_int tv_usec;
-+};
-+#define target__kernel_sock_timeval target_timeval
-+#else
- struct target_timeval {
- abi_long tv_sec;
- abi_long tv_usec;
- };
-
-+struct target__kernel_sock_timeval {
-+ abi_llong tv_sec;
-+ abi_llong tv_usec;
-+};
-+#endif
-+
- struct target_timespec {
- abi_long tv_sec;
- abi_long tv_nsec;
- };
-
-+struct target__kernel_timespec {
-+ abi_llong tv_sec;
-+ abi_llong tv_nsec;
-+};
-+
- struct target_timezone {
- abi_int tz_minuteswest;
- abi_int tz_dsttime;
-@@ -743,8 +761,17 @@ struct target_pollfd {
- #define TARGET_SIOCATMARK 0x8905
- #define TARGET_SIOCGPGRP 0x8904
- #endif
--#define TARGET_SIOCGSTAMP 0x8906 /* Get stamp (timeval) */
--#define TARGET_SIOCGSTAMPNS 0x8907 /* Get stamp (timespec) */
-+
-+#if defined(TARGET_SH4)
-+#define TARGET_SIOCGSTAMP_OLD TARGET_IOR('s', 100, struct target_timeval)
-+#define TARGET_SIOCGSTAMPNS_OLD TARGET_IOR('s', 101, struct target_timespec)
-+#else
-+#define TARGET_SIOCGSTAMP_OLD 0x8906
-+#define TARGET_SIOCGSTAMPNS_OLD 0x8907
-+#endif
-+
-+#define TARGET_SIOCGSTAMP_NEW TARGET_IOR(0x89, 0x06, abi_llong[2])
-+#define TARGET_SIOCGSTAMPNS_NEW TARGET_IOR(0x89, 0x07, abi_llong[2])
-
- /* Networking ioctls */
- #define TARGET_SIOCADDRT 0x890B /* add routing table entry */
-diff --git a/linux-user/syscall_types.h b/linux-user/syscall_types.h
-index b98a23b0..4e369838 100644
---- a/linux-user/syscall_types.h
-+++ b/linux-user/syscall_types.h
-@@ -14,12 +14,6 @@ STRUCT(serial_icounter_struct,
- STRUCT(sockaddr,
- TYPE_SHORT, MK_ARRAY(TYPE_CHAR, 14))
-
--STRUCT(timeval,
-- MK_ARRAY(TYPE_LONG, 2))
--
--STRUCT(timespec,
-- MK_ARRAY(TYPE_LONG, 2))
--
- STRUCT(rtentry,
- TYPE_ULONG, MK_STRUCT(STRUCT_sockaddr), MK_STRUCT(STRUCT_sockaddr), MK_STRUCT(STRUCT_sockaddr),
- TYPE_SHORT, TYPE_SHORT, TYPE_ULONG, TYPE_PTRVOID, TYPE_SHORT, TYPE_PTRVOID,
diff --git a/app-emulation/qemu/files/qemu-4.0.0-pc-q35-4.0.patch b/app-emulation/qemu/files/qemu-4.0.0-pc-q35-4.0.patch
deleted file mode 100644
index ebabc0c4c29..00000000000
--- a/app-emulation/qemu/files/qemu-4.0.0-pc-q35-4.0.patch
+++ /dev/null
@@ -1,135 +0,0 @@
-Backport of QEMU v4.1 commit for stable v4.0.1 release
-
-commit c87759ce876a7a0b17c2bf4f0b964bd51f0ee871
-Author: Alex Williamson <address@hidden>
-Date: Tue May 14 14:14:41 2019 -0600
-
- q35: Revert to kernel irqchip
-
- Commit b2fc91db8447 ("q35: set split kernel irqchip as default") changed
- the default for the pc-q35-4.0 machine type to use split irqchip, which
- turned out to have disasterous effects on vfio-pci INTx support. KVM
- resampling irqfds are registered for handling these interrupts, but
- these are non-functional in split irqchip mode. We can't simply test
- for split irqchip in QEMU as userspace handling of this interrupt is a
- significant performance regression versus KVM handling (GeForce GPUs
- assigned to Windows VMs are non-functional without forcing MSI mode or
- re-enabling kernel irqchip).
-
- The resolution is to revert the change in default irqchip mode in the
- pc-q35-4.1 machine and create a pc-q35-4.0.1 machine for the 4.0-stable
- branch. The qemu-q35-4.0 machine type should not be used in vfio-pci
- configurations for devices requiring legacy INTx support without
- explicitly modifying the VM configuration to use kernel irqchip.
-
-Link: https://bugs.launchpad.net/qemu/+bug/1826422
-Fixes: b2fc91db8447 ("q35: set split kernel irqchip as default")
-Cc: address@hidden
-Reviewed-by: Peter Xu <address@hidden>
-Signed-off-by: Alex Williamson <address@hidden>
----
-
-Same code as v1, just updating the commit log as a formal backport of
-the merged 4.1 commit.
-
- hw/core/machine.c | 3 +++
- hw/i386/pc.c | 3 +++
- hw/i386/pc_q35.c | 16 ++++++++++++++--
- include/hw/boards.h | 3 +++
- include/hw/i386/pc.h | 3 +++
- 5 files changed, 26 insertions(+), 2 deletions(-)
-
-diff --git a/hw/core/machine.c b/hw/core/machine.c
-index 743fef28982c..5d046a43e3d2 100644
---- a/hw/core/machine.c
-+++ b/hw/core/machine.c
-@@ -24,6 +24,9 @@
- #include "hw/pci/pci.h"
- #include "hw/mem/nvdimm.h"
-
-+GlobalProperty hw_compat_4_0[] = {};
-+const size_t hw_compat_4_0_len = G_N_ELEMENTS(hw_compat_4_0);
-+
- GlobalProperty hw_compat_3_1[] = {
- { "pcie-root-port", "x-speed", "2_5" },
- { "pcie-root-port", "x-width", "1" },
-diff --git a/hw/i386/pc.c b/hw/i386/pc.c
-index f2c15bf1f2c3..d98b737b8f3b 100644
---- a/hw/i386/pc.c
-+++ b/hw/i386/pc.c
-@@ -115,6 +115,9 @@ struct hpet_fw_config hpet_cfg = {.count = UINT8_MAX};
- /* Physical Address of PVH entry point read from kernel ELF NOTE */
- static size_t pvh_start_addr;
-
-+GlobalProperty pc_compat_4_0[] = {};
-+const size_t pc_compat_4_0_len = G_N_ELEMENTS(pc_compat_4_0);
-+
- GlobalProperty pc_compat_3_1[] = {
- { "intel-iommu", "dma-drain", "off" },
- { "Opteron_G3" "-" TYPE_X86_CPU, "rdtscp", "off" },
-diff --git a/hw/i386/pc_q35.c b/hw/i386/pc_q35.c
-index 372c6b73bebd..45cc29d1adb7 100644
---- a/hw/i386/pc_q35.c
-+++ b/hw/i386/pc_q35.c
-@@ -357,7 +357,7 @@ static void pc_q35_machine_options(MachineClass *m)
- m->units_per_default_bus = 1;
- m->default_machine_opts = "firmware=bios-256k.bin";
- m->default_display = "std";
-- m->default_kernel_irqchip_split = true;
-+ m->default_kernel_irqchip_split = false;
- m->no_floppy = 1;
- machine_class_allow_dynamic_sysbus_dev(m, TYPE_AMD_IOMMU_DEVICE);
- machine_class_allow_dynamic_sysbus_dev(m, TYPE_INTEL_IOMMU_DEVICE);
-@@ -365,12 +365,24 @@ static void pc_q35_machine_options(MachineClass *m)
- m->max_cpus = 288;
- }
-
--static void pc_q35_4_0_machine_options(MachineClass *m)
-+static void pc_q35_4_0_1_machine_options(MachineClass *m)
- {
- pc_q35_machine_options(m);
- m->alias = "q35";
- }
-
-+DEFINE_Q35_MACHINE(v4_0_1, "pc-q35-4.0.1", NULL,
-+ pc_q35_4_0_1_machine_options);
-+
-+static void pc_q35_4_0_machine_options(MachineClass *m)
-+{
-+ pc_q35_4_0_1_machine_options(m);
-+ m->default_kernel_irqchip_split = true;
-+ m->alias = NULL;
-+ compat_props_add(m->compat_props, hw_compat_4_0, hw_compat_4_0_len);
-+ compat_props_add(m->compat_props, pc_compat_4_0, pc_compat_4_0_len);
-+}
-+
- DEFINE_Q35_MACHINE(v4_0, "pc-q35-4.0", NULL,
- pc_q35_4_0_machine_options);
-
-diff --git a/include/hw/boards.h b/include/hw/boards.h
-index e231860666a1..fe1885cbffa0 100644
---- a/include/hw/boards.h
-+++ b/include/hw/boards.h
-@@ -293,6 +293,9 @@ struct MachineState {
- } \
- type_init(machine_initfn##_register_types)
-
-+extern GlobalProperty hw_compat_4_0[];
-+extern const size_t hw_compat_4_0_len;
-+
- extern GlobalProperty hw_compat_3_1[];
- extern const size_t hw_compat_3_1_len;
-
-diff --git a/include/hw/i386/pc.h b/include/hw/i386/pc.h
-index ca65ef18afb4..43df7230a22b 100644
---- a/include/hw/i386/pc.h
-+++ b/include/hw/i386/pc.h
-@@ -293,6 +293,9 @@ int e820_add_entry(uint64_t, uint64_t, uint32_t);
- int e820_get_num_entries(void);
- bool e820_get_entry(int, uint32_t, uint64_t *, uint64_t *);
-
-+extern GlobalProperty pc_compat_4_0[];
-+extern const size_t pc_compat_4_0_len;
-+
- extern GlobalProperty pc_compat_3_1[];
- extern const size_t pc_compat_3_1_len;
diff --git a/app-emulation/qemu/files/qemu-4.0.0-xkbcommon.patch b/app-emulation/qemu/files/qemu-4.0.0-xkbcommon.patch
deleted file mode 100644
index 3d9a5163ecf..00000000000
--- a/app-emulation/qemu/files/qemu-4.0.0-xkbcommon.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From cef396dc0b11a09ede85b275ed1ceee71b60a4b3 Mon Sep 17 00:00:00 2001
-From: James Le Cuirot <chewi@gentoo.org>
-Date: Sat, 14 Sep 2019 15:47:20 +0100
-Subject: [PATCH] configure: Add xkbcommon configure options
-
-This dependency is currently "automagic", which is bad for distributions.
-
-Signed-off-by: James Le Cuirot <chewi@gentoo.org>
----
- configure | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/configure b/configure
-index 30aad233d1..30544f52e6 100755
---- a/configure
-+++ b/configure
-@@ -1521,6 +1521,10 @@ for opt do
- ;;
- --disable-libpmem) libpmem=no
- ;;
-+ --enable-xkbcommon) xkbcommon=yes
-+ ;;
-+ --disable-xkbcommon) xkbcommon=no
-+ ;;
- *)
- echo "ERROR: unknown option $opt"
- echo "Try '$0 --help' for more information"
-@@ -1804,6 +1808,7 @@ disabled with --disable-FEATURE, default is enabled if available:
- capstone capstone disassembler support
- debug-mutex mutex debugging support
- libpmem libpmem support
-+ xkbcommon xkbcommon support
-
- NOTE: The object files are built at the place where configure is launched
- EOF
---
-2.23.0
-
^ permalink raw reply related [flat|nested] 21+ messages in thread* [gentoo-commits] repo/gentoo:master commit in: app-emulation/qemu/files/
@ 2019-05-20 16:27 Matthias Maier
0 siblings, 0 replies; 21+ messages in thread
From: Matthias Maier @ 2019-05-20 16:27 UTC (permalink / raw
To: gentoo-commits
commit: cbedf5e1f9b2591cdd337a5fa915d76210e96cdf
Author: Matthias Maier <tamiko <AT> gentoo <DOT> org>
AuthorDate: Mon May 20 16:27:04 2019 +0000
Commit: Matthias Maier <tamiko <AT> gentoo <DOT> org>
CommitDate: Mon May 20 16:27:28 2019 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cbedf5e1
app-emulation/qemu: fix systemtap patch
Thanks to hangglider <AT> gmx.de for pointing this out!
Closes: https://bugs.gentoo.org/686370
Package-Manager: Portage-2.3.66, Repoman-2.3.12
Signed-off-by: Matthias Maier <tamiko <AT> gentoo.org>
app-emulation/qemu/files/qemu-4.0.0-mkdir_systemtap.patch | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/app-emulation/qemu/files/qemu-4.0.0-mkdir_systemtap.patch b/app-emulation/qemu/files/qemu-4.0.0-mkdir_systemtap.patch
index abfcbd1b9af..95ccdd7a4b1 100644
--- a/app-emulation/qemu/files/qemu-4.0.0-mkdir_systemtap.patch
+++ b/app-emulation/qemu/files/qemu-4.0.0-mkdir_systemtap.patch
@@ -2,11 +2,11 @@ diff --git a/Makefile b/Makefile
index 04a0d450..e0013a59 100644
--- a/Makefile
+++ b/Makefile
-@@ -760,6 +760,7 @@ ifneq ($(TOOLS),)
- $(INSTALL_DATA) qemu-nbd.8 "$(DESTDIR)$(mandir)/man8"
+@@ -803,6 +802,7 @@
+ $(call install-prog,$(HELPERS-y),$(DESTDIR)$(libexecdir))
endif
ifdef CONFIG_TRACE_SYSTEMTAP
+ mkdir -p $(DESTDIR)$(bindir)
- $(INSTALL_DATA) scripts/qemu-trace-stap.1 "$(DESTDIR)$(mandir)/man1"
+ $(INSTALL_PROG) "scripts/qemu-trace-stap" $(DESTDIR)$(bindir)
endif
- ifneq (,$(findstring qemu-ga,$(TOOLS)))
+ ifneq ($(BLOBS),)
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: app-emulation/qemu/files/
@ 2018-03-27 15:44 Matthias Maier
0 siblings, 0 replies; 21+ messages in thread
From: Matthias Maier @ 2018-03-27 15:44 UTC (permalink / raw
To: gentoo-commits
commit: 190b1a61ae287c47f2bcd4bee4cb620d6facaecd
Author: Matthias Maier <tamiko <AT> gentoo <DOT> org>
AuthorDate: Tue Mar 27 14:57:10 2018 +0000
Commit: Matthias Maier <tamiko <AT> gentoo <DOT> org>
CommitDate: Tue Mar 27 15:44:04 2018 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=190b1a61
app-emulation/qemu: drop obsolete file
Package-Manager: Portage-2.3.24, Repoman-2.3.6
app-emulation/qemu/files/65-kvm.rules | 1 -
1 file changed, 1 deletion(-)
diff --git a/app-emulation/qemu/files/65-kvm.rules b/app-emulation/qemu/files/65-kvm.rules
deleted file mode 100644
index c2f7317aacc..00000000000
--- a/app-emulation/qemu/files/65-kvm.rules
+++ /dev/null
@@ -1 +0,0 @@
-KERNEL=="kvm", GROUP="kvm", MODE="0660"
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: app-emulation/qemu/files/
@ 2017-12-06 12:42 Michael Palimaka
0 siblings, 0 replies; 21+ messages in thread
From: Michael Palimaka @ 2017-12-06 12:42 UTC (permalink / raw
To: gentoo-commits
commit: b4f56dd13d25045c4e6fdb245c41e0858e770a3c
Author: Michael Mair-Keimberger <m.mairkeimberger <AT> gmail <DOT> com>
AuthorDate: Sun Dec 3 12:35:00 2017 +0000
Commit: Michael Palimaka <kensington <AT> gentoo <DOT> org>
CommitDate: Wed Dec 6 12:41:52 2017 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b4f56dd1
app-emulation/qemu: remove unused file
Closes: https://github.com/gentoo/gentoo/pull/6419
app-emulation/qemu/files/qemu-binfmt.initd-r1 | 138 --------------------------
1 file changed, 138 deletions(-)
diff --git a/app-emulation/qemu/files/qemu-binfmt.initd-r1 b/app-emulation/qemu/files/qemu-binfmt.initd-r1
deleted file mode 100644
index fe62a2a211e..00000000000
--- a/app-emulation/qemu/files/qemu-binfmt.initd-r1
+++ /dev/null
@@ -1,138 +0,0 @@
-#!/sbin/openrc-run
-# Copyright 1999-2016 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-# enable automatic i386/ARM/M68K/MIPS/SPARC/PPC/s390 program execution by the kernel
-
-# Defaulting to OC should be safe because it comes down to:
-# - do we trust the interp itself to not be malicious? yes; we built it.
-# - do we trust the programs we're running? ish; same permission as native
-# binaries apply. so if user can do bad stuff natively, cross isn't worse.
-: ${QEMU_BINFMT_FLAGS:=OC}
-
-depend() {
- after procfs
-}
-
-start() {
- ebegin "Registering qemu-user binaries (flags: ${QEMU_BINFMT_FLAGS})"
-
- if [ ! -d /proc/sys/fs/binfmt_misc ] ; then
- modprobe -q binfmt_misc
- fi
-
- if [ ! -d /proc/sys/fs/binfmt_misc ] ; then
- eend $? "You need support for 'misc binaries' in your kernel!" || return
- fi
-
- if [ ! -f /proc/sys/fs/binfmt_misc/register ] ; then
- mount -t binfmt_misc binfmt_misc /proc/sys/fs/binfmt_misc >/dev/null 2>&1
- eend $? || return
- fi
-
- # probe cpu type
- cpu=`uname -m`
- case "$cpu" in
- i386|i486|i586|i686|i86pc|BePC|x86_64)
- cpu="i386"
- ;;
- m68k)
- cpu="m68k"
- ;;
- mips*)
- cpu="mips"
- ;;
- "Power Macintosh"|ppc|ppc64)
- cpu="ppc"
- ;;
- armv[4-9]*)
- cpu="arm"
- ;;
- sparc*)
- cpu="sparc"
- ;;
- esac
-
- # register the interpreter for each cpu except for the native one
- if [ $cpu != "i386" -a -x "/usr/bin/qemu-i386" ] ; then
- echo ':i386:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x03\x00:\xff\xff\xff\xff\xff\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-i386:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
- echo ':i486:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x06\x00:\xff\xff\xff\xff\xff\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-i386:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
- fi
- if [ $cpu != "alpha" -a -x "/usr/bin/qemu-alpha" ] ; then
- echo ':alpha:M::\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x26\x90:\xff\xff\xff\xff\xff\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-alpha:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
- fi
- if [ $cpu != "arm" -a -x "/usr/bin/qemu-arm" ] ; then
- echo ':arm:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x28\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\x00\xff\xfe\xff\xff\xff:/usr/bin/qemu-arm:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
- fi
- if [ $cpu != "arm" -a -x "/usr/bin/qemu-armeb" ] ; then
- echo ':armeb:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x28:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-armeb:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
- fi
- if [ $cpu != "aarch64" -a -x "/usr/bin/qemu-aarch64" ] ; then
- echo ':aarch64:M::\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\xb7\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-aarch64:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
- fi
- if [ $cpu != "sparc" -a -x "/usr/bin/qemu-sparc" ] ; then
- echo ':sparc:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x02:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-sparc:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
- fi
- if [ $cpu != "ppc" -a -x "/usr/bin/qemu-ppc" ] ; then
- echo ':ppc:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x14:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-ppc:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
- fi
- if [ $cpu != "m68k" -a -x "/usr/bin/qemu-m68k" ] ; then
- #echo 'Please check cpu value and header information for m68k!'
- echo ':m68k:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x08:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-m68k:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
- fi
- if [ $cpu != "mips" -a -x "/usr/bin/qemu-mips" ] ; then
- # FIXME: We could use the other endianness on a MIPS host.
- echo ':mips:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-mips:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
- fi
- if [ $cpu != "mips" -a -x "/usr/bin/qemu-mipsel" ] ; then
- echo ':mipsel:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-mipsel:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
- fi
- if [ $cpu != "mips" -a -x "/usr/bin/qemu-mipsn32" ] ; then
- echo ':mipsn32:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-mipsn32:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
- fi
- if [ $cpu != "mips" -a -x "/usr/bin/qemu-mipsn32el" ] ; then
- echo ':mipsn32el:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-mipsn32el:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
- fi
- if [ $cpu != "mips" -a -x "/usr/bin/qemu-mips64" ] ; then
- echo ':mips64:M::\x7fELF\x02\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-mips64:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
- fi
- if [ $cpu != "mips" -a -x "/usr/bin/qemu-mips64el" ] ; then
- echo ':mips64el:M::\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-mips64el:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
- fi
- if [ $cpu != "sh" -a -x "/usr/bin/qemu-sh4" ] ; then
- echo ':sh4:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x2a\x00:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-sh4:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
- fi
- if [ $cpu != "sh" -a -x "/usr/bin/qemu-sh4eb" ] ; then
- echo ':sh4eb:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x2a:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-sh4eb:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
- fi
- if [ $cpu != "s390x" -a -x "/usr/bin/qemu-s390x" ] ; then
- echo ':s390x:M::\x7fELF\x02\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x16:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-s390x:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
- fi
- eend $?
-}
-
-stop() {
- ebegin "Unregistering qemu-user binaries"
- local arches
-
- arches="${arches} i386 i486"
- arches="${arches} alpha"
- arches="${arches} arm armeb"
- arches="${arches} aarch64"
- arches="${arches} sparc"
- arches="${arches} ppc"
- arches="${arches} m68k"
- arches="${arches} mips mipsel mipsn32 mipsn32el mips64 mips64el"
- arches="${arches} sh4 sh4eb"
- arches="${arches} s390x"
-
- for a in ${arches}; do
- if [ -f /proc/sys/fs/binfmt_misc/$a ] ; then
- echo '-1' > /proc/sys/fs/binfmt_misc/$a
- fi
- done
-
- eend $?
-}
-
-# vim: ts=4 :
^ permalink raw reply related [flat|nested] 21+ messages in thread* [gentoo-commits] repo/gentoo:master commit in: app-emulation/qemu/files/
@ 2017-11-12 20:22 Matthias Maier
0 siblings, 0 replies; 21+ messages in thread
From: Matthias Maier @ 2017-11-12 20:22 UTC (permalink / raw
To: gentoo-commits
commit: 71ba961e21b1493ae7b335a6e2fa5a6669baf64c
Author: Matthias Maier <tamiko <AT> gentoo <DOT> org>
AuthorDate: Sun Nov 12 20:01:23 2017 +0000
Commit: Matthias Maier <tamiko <AT> gentoo <DOT> org>
CommitDate: Sun Nov 12 20:21:51 2017 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=71ba961e
app-emulation/qemu: drop obsolete patches
Package-Manager: Portage-2.3.8, Repoman-2.3.4
.../qemu/files/qemu-2.9.0-CVE-2017-10664.patch | 47 -----
.../qemu/files/qemu-2.9.0-CVE-2017-10806.patch | 50 ------
.../qemu/files/qemu-2.9.0-CVE-2017-11334.patch | 40 -----
.../qemu/files/qemu-2.9.0-CVE-2017-11434.patch | 29 ---
.../qemu/files/qemu-2.9.0-CVE-2017-7493.patch | 174 ------------------
.../qemu/files/qemu-2.9.0-CVE-2017-8112.patch | 22 ---
.../qemu/files/qemu-2.9.0-CVE-2017-8309.patch | 22 ---
.../qemu/files/qemu-2.9.0-CVE-2017-8379.patch | 76 --------
.../qemu/files/qemu-2.9.0-CVE-2017-8380.patch | 34 ----
.../qemu/files/qemu-2.9.0-CVE-2017-9503-1.patch | 122 -------------
.../qemu/files/qemu-2.9.0-CVE-2017-9503-2.patch | 114 ------------
.../qemu/files/qemu-2.9.0-CVE-2017-9524-1.patch | 80 ---------
.../qemu/files/qemu-2.9.0-CVE-2017-9524-2.patch | 197 ---------------------
13 files changed, 1007 deletions(-)
diff --git a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-10664.patch b/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-10664.patch
deleted file mode 100644
index 7db06929cf2..00000000000
--- a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-10664.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 041e32b8d9d076980b4e35317c0339e57ab888f1 Mon Sep 17 00:00:00 2001
-From: Max Reitz <mreitz@redhat.com>
-Date: Sun, 11 Jun 2017 14:37:14 +0200
-Subject: [PATCH] qemu-nbd: Ignore SIGPIPE
-
-qemu proper has done so for 13 years
-(8a7ddc38a60648257dc0645ab4a05b33d6040063), qemu-img and qemu-io have
-done so for four years (526eda14a68d5b3596be715505289b541288ef2a).
-Ignoring this signal is especially important in qemu-nbd because
-otherwise a client can easily take down the qemu-nbd server by dropping
-the connection when the server wants to send something, for example:
-
-$ qemu-nbd -x foo -f raw -t null-co:// &
-[1] 12726
-$ qemu-io -c quit nbd://localhost/bar
-can't open device nbd://localhost/bar: No export with name 'bar' available
-[1] + 12726 broken pipe qemu-nbd -x foo -f raw -t null-co://
-
-In this case, the client sends an NBD_OPT_ABORT and closes the
-connection (because it is not required to wait for a reply), but the
-server replies with an NBD_REP_ACK (because it is required to reply).
-
-Signed-off-by: Max Reitz <mreitz@redhat.com>
-Message-Id: <20170611123714.31292-1-mreitz@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
----
- qemu-nbd.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/qemu-nbd.c b/qemu-nbd.c
-index 9464a0461c..4dd3fd4732 100644
---- a/qemu-nbd.c
-+++ b/qemu-nbd.c
-@@ -581,6 +581,10 @@ int main(int argc, char **argv)
- sa_sigterm.sa_handler = termsig_handler;
- sigaction(SIGTERM, &sa_sigterm, NULL);
-
-+#ifdef CONFIG_POSIX
-+ signal(SIGPIPE, SIG_IGN);
-+#endif
-+
- module_call_init(MODULE_INIT_TRACE);
- qcrypto_init(&error_fatal);
-
---
-2.13.0
-
diff --git a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-10806.patch b/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-10806.patch
deleted file mode 100644
index 0074f5f8c77..00000000000
--- a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-10806.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From bd4a683505b27adc1ac809f71e918e58573d851d Mon Sep 17 00:00:00 2001
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Tue, 9 May 2017 13:01:28 +0200
-Subject: [PATCH] usb-redir: fix stack overflow in usbredir_log_data
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Don't reinvent a broken wheel, just use the hexdump function we have.
-
-Impact: low, broken code doesn't run unless you have debug logging
-enabled.
-
-Reported-by: 李强 <liqiang6-s@360.cn>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Message-id: 20170509110128.27261-1-kraxel@redhat.com
----
- hw/usb/redirect.c | 13 +------------
- 1 file changed, 1 insertion(+), 12 deletions(-)
-
-diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
-index b001a27f05..ad5ef783a6 100644
---- a/hw/usb/redirect.c
-+++ b/hw/usb/redirect.c
-@@ -229,21 +229,10 @@ static void usbredir_log(void *priv, int level, const char *msg)
- static void usbredir_log_data(USBRedirDevice *dev, const char *desc,
- const uint8_t *data, int len)
- {
-- int i, j, n;
--
- if (dev->debug < usbredirparser_debug_data) {
- return;
- }
--
-- for (i = 0; i < len; i += j) {
-- char buf[128];
--
-- n = sprintf(buf, "%s", desc);
-- for (j = 0; j < 8 && i + j < len; j++) {
-- n += sprintf(buf + n, " %02X", data[i + j]);
-- }
-- error_report("%s", buf);
-- }
-+ qemu_hexdump((char *)data, stderr, desc, len);
- }
-
- /*
---
-2.13.0
-
diff --git a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-11334.patch b/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-11334.patch
deleted file mode 100644
index bfe4c7d89f2..00000000000
--- a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-11334.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-[Qemu-devel] [PULL 21/41] exec: use qemu_ram_ptr_length to access guest
-From: Prasad J Pandit <address@hidden>
-
-When accessing guest's ram block during DMA operation, use
-'qemu_ram_ptr_length' to get ram block pointer. It ensures
-that DMA operation of given length is possible; And avoids
-any OOB memory access situations.
-
-Reported-by: Alex <address@hidden>
-Signed-off-by: Prasad J Pandit <address@hidden>
-Message-Id: <address@hidden>
-Signed-off-by: Paolo Bonzini <address@hidden>
----
- exec.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/exec.c b/exec.c
-index a083ff8..ad103ce 100644
---- a/exec.c
-+++ b/exec.c
-@@ -2929,7 +2929,7 @@ static MemTxResult address_space_write_continue(AddressSpace *as, hwaddr addr,
- }
- } else {
- /* RAM case */
-- ptr = qemu_map_ram_ptr(mr->ram_block, addr1);
-+ ptr = qemu_ram_ptr_length(mr->ram_block, addr1, &l);
- memcpy(ptr, buf, l);
- invalidate_and_set_dirty(mr, addr1, l);
- }
-@@ -3020,7 +3020,7 @@ MemTxResult address_space_read_continue(AddressSpace *as, hwaddr addr,
- }
- } else {
- /* RAM case */
-- ptr = qemu_map_ram_ptr(mr->ram_block, addr1);
-+ ptr = qemu_ram_ptr_length(mr->ram_block, addr1, &l);
- memcpy(buf, ptr, l);
- }
-
---
-1.8.3.1
diff --git a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-11434.patch b/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-11434.patch
deleted file mode 100644
index 5d32067c7a0..00000000000
--- a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-11434.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-[Qemu-devel] [PATCH] slirp: check len against dhcp options array end
-From: Prasad J Pandit <address@hidden>
-
-While parsing dhcp options string in 'dhcp_decode', if an options'
-length 'len' appeared towards the end of 'bp_vend' array, ensuing
-read could lead to an OOB memory access issue. Add check to avoid it.
-
-Reported-by: Reno Robert <address@hidden>
-Signed-off-by: Prasad J Pandit <address@hidden>
----
- slirp/bootp.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/slirp/bootp.c b/slirp/bootp.c
-index 5a4646c..5dd1a41 100644
---- a/slirp/bootp.c
-+++ b/slirp/bootp.c
-@@ -123,6 +123,9 @@ static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type,
- if (p >= p_end)
- break;
- len = *p++;
-+ if (p + len > p_end) {
-+ break;
-+ }
- DPRINTF("dhcp: tag=%d len=%d\n", tag, len);
-
- switch(tag) {
---
-2.9.4
diff --git a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-7493.patch b/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-7493.patch
deleted file mode 100644
index 346e7713f74..00000000000
--- a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-7493.patch
+++ /dev/null
@@ -1,174 +0,0 @@
-From 7a95434e0ca8a037fd8aa1a2e2461f92585eb77b Mon Sep 17 00:00:00 2001
-From: Greg Kurz <groug@kaod.org>
-Date: Fri, 5 May 2017 14:48:08 +0200
-Subject: [PATCH] 9pfs: local: forbid client access to metadata (CVE-2017-7493)
-
-When using the mapped-file security mode, we shouldn't let the client mess
-with the metadata. The current code already tries to hide the metadata dir
-from the client by skipping it in local_readdir(). But the client can still
-access or modify it through several other operations. This can be used to
-escalate privileges in the guest.
-
-Affected backend operations are:
-- local_mknod()
-- local_mkdir()
-- local_open2()
-- local_symlink()
-- local_link()
-- local_unlinkat()
-- local_renameat()
-- local_rename()
-- local_name_to_path()
-
-Other operations are safe because they are only passed a fid path, which
-is computed internally in local_name_to_path().
-
-This patch converts all the functions listed above to fail and return
-EINVAL when being passed the name of the metadata dir. This may look
-like a poor choice for errno, but there's no such thing as an illegal
-path name on Linux and I could not think of anything better.
-
-This fixes CVE-2017-7493.
-
-Reported-by: Leo Gaspard <leo@gaspard.io>
-Signed-off-by: Greg Kurz <groug@kaod.org>
-Reviewed-by: Eric Blake <eblake@redhat.com>
----
- hw/9pfs/9p-local.c | 58 ++++++++++++++++++++++++++++++++++++++++++++++++++++--
- 1 file changed, 56 insertions(+), 2 deletions(-)
-
-diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c
-index f3ebca4f7a..a2486566af 100644
---- a/hw/9pfs/9p-local.c
-+++ b/hw/9pfs/9p-local.c
-@@ -452,6 +452,11 @@ static off_t local_telldir(FsContext *ctx, V9fsFidOpenState *fs)
- return telldir(fs->dir.stream);
- }
-
-+static bool local_is_mapped_file_metadata(FsContext *fs_ctx, const char *name)
-+{
-+ return !strcmp(name, VIRTFS_META_DIR);
-+}
-+
- static struct dirent *local_readdir(FsContext *ctx, V9fsFidOpenState *fs)
- {
- struct dirent *entry;
-@@ -465,8 +470,8 @@ again:
- if (ctx->export_flags & V9FS_SM_MAPPED) {
- entry->d_type = DT_UNKNOWN;
- } else if (ctx->export_flags & V9FS_SM_MAPPED_FILE) {
-- if (!strcmp(entry->d_name, VIRTFS_META_DIR)) {
-- /* skp the meta data directory */
-+ if (local_is_mapped_file_metadata(ctx, entry->d_name)) {
-+ /* skip the meta data directory */
- goto again;
- }
- entry->d_type = DT_UNKNOWN;
-@@ -559,6 +564,12 @@ static int local_mknod(FsContext *fs_ctx, V9fsPath *dir_path,
- int err = -1;
- int dirfd;
-
-+ if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE &&
-+ local_is_mapped_file_metadata(fs_ctx, name)) {
-+ errno = EINVAL;
-+ return -1;
-+ }
-+
- dirfd = local_opendir_nofollow(fs_ctx, dir_path->data);
- if (dirfd == -1) {
- return -1;
-@@ -605,6 +616,12 @@ static int local_mkdir(FsContext *fs_ctx, V9fsPath *dir_path,
- int err = -1;
- int dirfd;
-
-+ if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE &&
-+ local_is_mapped_file_metadata(fs_ctx, name)) {
-+ errno = EINVAL;
-+ return -1;
-+ }
-+
- dirfd = local_opendir_nofollow(fs_ctx, dir_path->data);
- if (dirfd == -1) {
- return -1;
-@@ -694,6 +711,12 @@ static int local_open2(FsContext *fs_ctx, V9fsPath *dir_path, const char *name,
- int err = -1;
- int dirfd;
-
-+ if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE &&
-+ local_is_mapped_file_metadata(fs_ctx, name)) {
-+ errno = EINVAL;
-+ return -1;
-+ }
-+
- /*
- * Mark all the open to not follow symlinks
- */
-@@ -752,6 +775,12 @@ static int local_symlink(FsContext *fs_ctx, const char *oldpath,
- int err = -1;
- int dirfd;
-
-+ if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE &&
-+ local_is_mapped_file_metadata(fs_ctx, name)) {
-+ errno = EINVAL;
-+ return -1;
-+ }
-+
- dirfd = local_opendir_nofollow(fs_ctx, dir_path->data);
- if (dirfd == -1) {
- return -1;
-@@ -826,6 +855,12 @@ static int local_link(FsContext *ctx, V9fsPath *oldpath,
- int ret = -1;
- int odirfd, ndirfd;
-
-+ if (ctx->export_flags & V9FS_SM_MAPPED_FILE &&
-+ local_is_mapped_file_metadata(ctx, name)) {
-+ errno = EINVAL;
-+ return -1;
-+ }
-+
- odirfd = local_opendir_nofollow(ctx, odirpath);
- if (odirfd == -1) {
- goto out;
-@@ -1096,6 +1131,12 @@ static int local_lremovexattr(FsContext *ctx, V9fsPath *fs_path,
- static int local_name_to_path(FsContext *ctx, V9fsPath *dir_path,
- const char *name, V9fsPath *target)
- {
-+ if (ctx->export_flags & V9FS_SM_MAPPED_FILE &&
-+ local_is_mapped_file_metadata(ctx, name)) {
-+ errno = EINVAL;
-+ return -1;
-+ }
-+
- if (dir_path) {
- v9fs_path_sprintf(target, "%s/%s", dir_path->data, name);
- } else if (strcmp(name, "/")) {
-@@ -1116,6 +1157,13 @@ static int local_renameat(FsContext *ctx, V9fsPath *olddir,
- int ret;
- int odirfd, ndirfd;
-
-+ if (ctx->export_flags & V9FS_SM_MAPPED_FILE &&
-+ (local_is_mapped_file_metadata(ctx, old_name) ||
-+ local_is_mapped_file_metadata(ctx, new_name))) {
-+ errno = EINVAL;
-+ return -1;
-+ }
-+
- odirfd = local_opendir_nofollow(ctx, olddir->data);
- if (odirfd == -1) {
- return -1;
-@@ -1206,6 +1254,12 @@ static int local_unlinkat(FsContext *ctx, V9fsPath *dir,
- int ret;
- int dirfd;
-
-+ if (ctx->export_flags & V9FS_SM_MAPPED_FILE &&
-+ local_is_mapped_file_metadata(ctx, name)) {
-+ errno = EINVAL;
-+ return -1;
-+ }
-+
- dirfd = local_opendir_nofollow(ctx, dir->data);
- if (dirfd == -1) {
- return -1;
---
-2.13.0
-
diff --git a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-8112.patch b/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-8112.patch
deleted file mode 100644
index 31fb69bf897..00000000000
--- a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-8112.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-CVE-2017-8112
-
-https://lists.gnu.org/archive/html/qemu-devel/2017-04/msg04494.html
----
- hw/scsi/vmw_pvscsi.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
-index 7557546..4a106da 100644
---- a/hw/scsi/vmw_pvscsi.c
-+++ b/hw/scsi/vmw_pvscsi.c
-@@ -202,7 +202,7 @@ pvscsi_ring_init_msg(PVSCSIRingInfo *m, PVSCSICmdDescSetupMsgRing *ri)
- uint32_t len_log2;
- uint32_t ring_size;
-
-- if (ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) {
-+ if (!ri->numPages || ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) {
- return -1;
- }
- ring_size = ri->numPages * PVSCSI_MAX_NUM_MSG_ENTRIES_PER_PAGE;
---
-2.9.3
diff --git a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-8309.patch b/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-8309.patch
deleted file mode 100644
index 4f7f870210c..00000000000
--- a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-8309.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-bug #616870
-
-https://lists.gnu.org/archive/html/qemu-devel/2017-04/msg05587.html
----
- audio/audio.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/audio/audio.c b/audio/audio.c
-index c8898d8422..beafed209b 100644
---- a/audio/audio.c
-+++ b/audio/audio.c
-@@ -2028,6 +2028,8 @@ void AUD_del_capture (CaptureVoiceOut *cap, void *cb_opaque)
- sw = sw1;
- }
- QLIST_REMOVE (cap, entries);
-+ g_free (cap->hw.mix_buf);
-+ g_free (cap->buf);
- g_free (cap);
- }
- return;
---
-2.9.3
diff --git a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-8379.patch b/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-8379.patch
deleted file mode 100644
index 0a34dae671c..00000000000
--- a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-8379.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-bug #616872
-
-https://lists.gnu.org/archive/html/qemu-devel/2017-04/msg05599.html
----
- ui/input.c | 14 +++++++++++---
- 1 file changed, 11 insertions(+), 3 deletions(-)
-
-diff --git a/ui/input.c b/ui/input.c
-index ed88cda6d6..fb1f404095 100644
---- a/ui/input.c
-+++ b/ui/input.c
-@@ -41,6 +41,8 @@ static QTAILQ_HEAD(QemuInputEventQueueHead, QemuInputEventQueue) kbd_queue =
- QTAILQ_HEAD_INITIALIZER(kbd_queue);
- static QEMUTimer *kbd_timer;
- static uint32_t kbd_default_delay_ms = 10;
-+static uint32_t queue_count;
-+static uint32_t queue_limit = 1024;
-
- QemuInputHandlerState *qemu_input_handler_register(DeviceState *dev,
- QemuInputHandler *handler)
-@@ -268,6 +270,7 @@ static void qemu_input_queue_process(void *opaque)
- break;
- }
- QTAILQ_REMOVE(queue, item, node);
-+ queue_count--;
- g_free(item);
- }
- }
-@@ -282,6 +285,7 @@ static void qemu_input_queue_delay(struct QemuInputEventQueueHead *queue,
- item->delay_ms = delay_ms;
- item->timer = timer;
- QTAILQ_INSERT_TAIL(queue, item, node);
-+ queue_count++;
-
- if (start_timer) {
- timer_mod(item->timer, qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL)
-@@ -298,6 +302,7 @@ static void qemu_input_queue_event(struct QemuInputEventQueueHead *queue,
- item->src = src;
- item->evt = evt;
- QTAILQ_INSERT_TAIL(queue, item, node);
-+ queue_count++;
- }
-
- static void qemu_input_queue_sync(struct QemuInputEventQueueHead *queue)
-@@ -306,6 +311,7 @@ static void qemu_input_queue_sync(struct QemuInputEventQueueHead *queue)
-
- item->type = QEMU_INPUT_QUEUE_SYNC;
- QTAILQ_INSERT_TAIL(queue, item, node);
-+ queue_count++;
- }
-
- void qemu_input_event_send_impl(QemuConsole *src, InputEvent *evt)
-@@ -381,7 +387,7 @@ void qemu_input_event_send_key(QemuConsole *src, KeyValue *key, bool down)
- qemu_input_event_send(src, evt);
- qemu_input_event_sync();
- qapi_free_InputEvent(evt);
-- } else {
-+ } else if (queue_count < queue_limit) {
- qemu_input_queue_event(&kbd_queue, src, evt);
- qemu_input_queue_sync(&kbd_queue);
- }
-@@ -409,8 +415,10 @@ void qemu_input_event_send_key_delay(uint32_t delay_ms)
- kbd_timer = timer_new_ms(QEMU_CLOCK_VIRTUAL, qemu_input_queue_process,
- &kbd_queue);
- }
-- qemu_input_queue_delay(&kbd_queue, kbd_timer,
-- delay_ms ? delay_ms : kbd_default_delay_ms);
-+ if (queue_count < queue_limit) {
-+ qemu_input_queue_delay(&kbd_queue, kbd_timer,
-+ delay_ms ? delay_ms : kbd_default_delay_ms);
-+ }
- }
-
- InputEvent *qemu_input_event_new_btn(InputButton btn, bool down)
---
-2.9.3
diff --git a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-8380.patch b/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-8380.patch
deleted file mode 100644
index 08911dd0bfb..00000000000
--- a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-8380.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-bug #616874
-
-https://lists.gnu.org/archive/html/qemu-devel/2017-04/msg04147.html
----
- hw/scsi/megasas.c | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
-index 84b8caf..804122a 100644
---- a/hw/scsi/megasas.c
-+++ b/hw/scsi/megasas.c
-@@ -2138,15 +2138,15 @@ static void megasas_mmio_write(void *opaque, hwaddr addr,
- case MFI_SEQ:
- trace_megasas_mmio_writel("MFI_SEQ", val);
- /* Magic sequence to start ADP reset */
-- if (adp_reset_seq[s->adp_reset] == val) {
-- s->adp_reset++;
-+ if (adp_reset_seq[s->adp_reset++] == val) {
-+ if (s->adp_reset == 6) {
-+ s->adp_reset = 0;
-+ s->diag = MFI_DIAG_WRITE_ENABLE;
-+ }
- } else {
- s->adp_reset = 0;
- s->diag = 0;
- }
-- if (s->adp_reset == 6) {
-- s->diag = MFI_DIAG_WRITE_ENABLE;
-- }
- break;
- case MFI_DIAG:
- trace_megasas_mmio_writel("MFI_DIAG", val);
---
-2.9.3
diff --git a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-9503-1.patch b/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-9503-1.patch
deleted file mode 100644
index 01c81d10ec0..00000000000
--- a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-9503-1.patch
+++ /dev/null
@@ -1,122 +0,0 @@
-From 87e459a810d7b1ec1638085b5a80ea3d9b43119a Mon Sep 17 00:00:00 2001
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Thu, 1 Jun 2017 17:26:14 +0200
-Subject: [PATCH] megasas: always store SCSIRequest* into MegasasCmd
-
-This ensures that the request is unref'ed properly, and avoids a
-segmentation fault in the new qtest testcase that is added.
-This is CVE-2017-9503.
-
-Reported-by: Zhangyanyu <zyy4013@stu.ouc.edu.cn>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
----
- hw/scsi/megasas.c | 31 ++++++++++++++++---------------
- 2 files changed, 51 insertions(+), 15 deletions(-)
-
-diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
-index 135662df31..734fdaef90 100644
---- a/hw/scsi/megasas.c
-+++ b/hw/scsi/megasas.c
-@@ -609,6 +609,9 @@ static void megasas_reset_frames(MegasasState *s)
- static void megasas_abort_command(MegasasCmd *cmd)
- {
- /* Never abort internal commands. */
-+ if (cmd->dcmd_opcode != -1) {
-+ return;
-+ }
- if (cmd->req != NULL) {
- scsi_req_cancel(cmd->req);
- }
-@@ -1017,7 +1020,6 @@ static int megasas_pd_get_info_submit(SCSIDevice *sdev, int lun,
- uint64_t pd_size;
- uint16_t pd_id = ((sdev->id & 0xFF) << 8) | (lun & 0xFF);
- uint8_t cmdbuf[6];
-- SCSIRequest *req;
- size_t len, resid;
-
- if (!cmd->iov_buf) {
-@@ -1026,8 +1028,8 @@ static int megasas_pd_get_info_submit(SCSIDevice *sdev, int lun,
- info->inquiry_data[0] = 0x7f; /* Force PQual 0x3, PType 0x1f */
- info->vpd_page83[0] = 0x7f;
- megasas_setup_inquiry(cmdbuf, 0, sizeof(info->inquiry_data));
-- req = scsi_req_new(sdev, cmd->index, lun, cmdbuf, cmd);
-- if (!req) {
-+ cmd->req = scsi_req_new(sdev, cmd->index, lun, cmdbuf, cmd);
-+ if (!cmd->req) {
- trace_megasas_dcmd_req_alloc_failed(cmd->index,
- "PD get info std inquiry");
- g_free(cmd->iov_buf);
-@@ -1036,26 +1038,26 @@ static int megasas_pd_get_info_submit(SCSIDevice *sdev, int lun,
- }
- trace_megasas_dcmd_internal_submit(cmd->index,
- "PD get info std inquiry", lun);
-- len = scsi_req_enqueue(req);
-+ len = scsi_req_enqueue(cmd->req);
- if (len > 0) {
- cmd->iov_size = len;
-- scsi_req_continue(req);
-+ scsi_req_continue(cmd->req);
- }
- return MFI_STAT_INVALID_STATUS;
- } else if (info->inquiry_data[0] != 0x7f && info->vpd_page83[0] == 0x7f) {
- megasas_setup_inquiry(cmdbuf, 0x83, sizeof(info->vpd_page83));
-- req = scsi_req_new(sdev, cmd->index, lun, cmdbuf, cmd);
-- if (!req) {
-+ cmd->req = scsi_req_new(sdev, cmd->index, lun, cmdbuf, cmd);
-+ if (!cmd->req) {
- trace_megasas_dcmd_req_alloc_failed(cmd->index,
- "PD get info vpd inquiry");
- return MFI_STAT_FLASH_ALLOC_FAIL;
- }
- trace_megasas_dcmd_internal_submit(cmd->index,
- "PD get info vpd inquiry", lun);
-- len = scsi_req_enqueue(req);
-+ len = scsi_req_enqueue(cmd->req);
- if (len > 0) {
- cmd->iov_size = len;
-- scsi_req_continue(req);
-+ scsi_req_continue(cmd->req);
- }
- return MFI_STAT_INVALID_STATUS;
- }
-@@ -1217,7 +1219,6 @@ static int megasas_ld_get_info_submit(SCSIDevice *sdev, int lun,
- struct mfi_ld_info *info = cmd->iov_buf;
- size_t dcmd_size = sizeof(struct mfi_ld_info);
- uint8_t cdb[6];
-- SCSIRequest *req;
- ssize_t len, resid;
- uint16_t sdev_id = ((sdev->id & 0xFF) << 8) | (lun & 0xFF);
- uint64_t ld_size;
-@@ -1226,8 +1227,8 @@ static int megasas_ld_get_info_submit(SCSIDevice *sdev, int lun,
- cmd->iov_buf = g_malloc0(dcmd_size);
- info = cmd->iov_buf;
- megasas_setup_inquiry(cdb, 0x83, sizeof(info->vpd_page83));
-- req = scsi_req_new(sdev, cmd->index, lun, cdb, cmd);
-- if (!req) {
-+ cmd->req = scsi_req_new(sdev, cmd->index, lun, cdb, cmd);
-+ if (!cmd->req) {
- trace_megasas_dcmd_req_alloc_failed(cmd->index,
- "LD get info vpd inquiry");
- g_free(cmd->iov_buf);
-@@ -1236,10 +1237,10 @@ static int megasas_ld_get_info_submit(SCSIDevice *sdev, int lun,
- }
- trace_megasas_dcmd_internal_submit(cmd->index,
- "LD get info vpd inquiry", lun);
-- len = scsi_req_enqueue(req);
-+ len = scsi_req_enqueue(cmd->req);
- if (len > 0) {
- cmd->iov_size = len;
-- scsi_req_continue(req);
-+ scsi_req_continue(cmd->req);
- }
- return MFI_STAT_INVALID_STATUS;
- }
-@@ -1851,7 +1852,7 @@ static void megasas_command_complete(SCSIRequest *req, uint32_t status,
- return;
- }
-
-- if (cmd->req == NULL) {
-+ if (cmd->dcmd_opcode != -1) {
- /*
- * Internal command complete
- */
diff --git a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-9503-2.patch b/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-9503-2.patch
deleted file mode 100644
index 74725a92736..00000000000
--- a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-9503-2.patch
+++ /dev/null
@@ -1,114 +0,0 @@
-From 5104fac8539eaf155fc6de93e164be43e1e62242 Mon Sep 17 00:00:00 2001
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Thu, 1 Jun 2017 17:18:23 +0200
-Subject: [PATCH] megasas: do not read DCMD opcode more than once from frame
-
-Avoid TOC-TOU bugs by storing the DCMD opcode in the MegasasCmd
-
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
----
- hw/scsi/megasas.c | 25 +++++++++++--------------
- 1 file changed, 11 insertions(+), 14 deletions(-)
-
-diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
-index c353118882..a3f75c1650 100644
---- a/hw/scsi/megasas.c
-+++ b/hw/scsi/megasas.c
-@@ -63,6 +63,7 @@ typedef struct MegasasCmd {
-
- hwaddr pa;
- hwaddr pa_size;
-+ uint32_t dcmd_opcode;
- union mfi_frame *frame;
- SCSIRequest *req;
- QEMUSGList qsg;
-@@ -513,6 +514,7 @@ static MegasasCmd *megasas_enqueue_frame(MegasasState *s,
- cmd->context &= (uint64_t)0xFFFFFFFF;
- }
- cmd->count = count;
-+ cmd->dcmd_opcode = -1;
- s->busy++;
-
- if (s->consumer_pa) {
-@@ -1562,22 +1564,21 @@ static const struct dcmd_cmd_tbl_t {
-
- static int megasas_handle_dcmd(MegasasState *s, MegasasCmd *cmd)
- {
-- int opcode;
- int retval = 0;
- size_t len;
- const struct dcmd_cmd_tbl_t *cmdptr = dcmd_cmd_tbl;
-
-- opcode = le32_to_cpu(cmd->frame->dcmd.opcode);
-- trace_megasas_handle_dcmd(cmd->index, opcode);
-+ cmd->dcmd_opcode = le32_to_cpu(cmd->frame->dcmd.opcode);
-+ trace_megasas_handle_dcmd(cmd->index, cmd->dcmd_opcode);
- if (megasas_map_dcmd(s, cmd) < 0) {
- return MFI_STAT_MEMORY_NOT_AVAILABLE;
- }
-- while (cmdptr->opcode != -1 && cmdptr->opcode != opcode) {
-+ while (cmdptr->opcode != -1 && cmdptr->opcode != cmd->dcmd_opcode) {
- cmdptr++;
- }
- len = cmd->iov_size;
- if (cmdptr->opcode == -1) {
-- trace_megasas_dcmd_unhandled(cmd->index, opcode, len);
-+ trace_megasas_dcmd_unhandled(cmd->index, cmd->dcmd_opcode, len);
- retval = megasas_dcmd_dummy(s, cmd);
- } else {
- trace_megasas_dcmd_enter(cmd->index, cmdptr->desc, len);
-@@ -1592,13 +1593,11 @@ static int megasas_handle_dcmd(MegasasState *s, MegasasCmd *cmd)
- static int megasas_finish_internal_dcmd(MegasasCmd *cmd,
- SCSIRequest *req)
- {
-- int opcode;
- int retval = MFI_STAT_OK;
- int lun = req->lun;
-
-- opcode = le32_to_cpu(cmd->frame->dcmd.opcode);
-- trace_megasas_dcmd_internal_finish(cmd->index, opcode, lun);
-- switch (opcode) {
-+ trace_megasas_dcmd_internal_finish(cmd->index, cmd->dcmd_opcode, lun);
-+ switch (cmd->dcmd_opcode) {
- case MFI_DCMD_PD_GET_INFO:
- retval = megasas_pd_get_info_submit(req->dev, lun, cmd);
- break;
-@@ -1606,7 +1605,7 @@ static int megasas_finish_internal_dcmd(MegasasCmd *cmd,
- retval = megasas_ld_get_info_submit(req->dev, lun, cmd);
- break;
- default:
-- trace_megasas_dcmd_internal_invalid(cmd->index, opcode);
-+ trace_megasas_dcmd_internal_invalid(cmd->index, cmd->dcmd_opcode);
- retval = MFI_STAT_INVALID_DCMD;
- break;
- }
-@@ -1827,7 +1826,6 @@ static void megasas_xfer_complete(SCSIRequest *req, uint32_t len)
- {
- MegasasCmd *cmd = req->hba_private;
- uint8_t *buf;
-- uint32_t opcode;
-
- trace_megasas_io_complete(cmd->index, len);
-
-@@ -1837,8 +1835,7 @@ static void megasas_xfer_complete(SCSIRequest *req, uint32_t len)
- }
-
- buf = scsi_req_get_buf(req);
-- opcode = le32_to_cpu(cmd->frame->dcmd.opcode);
-- if (opcode == MFI_DCMD_PD_GET_INFO && cmd->iov_buf) {
-+ if (cmd->dcmd_opcode == MFI_DCMD_PD_GET_INFO && cmd->iov_buf) {
- struct mfi_pd_info *info = cmd->iov_buf;
-
- if (info->inquiry_data[0] == 0x7f) {
-@@ -1849,7 +1846,7 @@ static void megasas_xfer_complete(SCSIRequest *req, uint32_t len)
- memcpy(info->vpd_page83, buf, len);
- }
- scsi_req_continue(req);
-- } else if (opcode == MFI_DCMD_LD_GET_INFO) {
-+ } else if (cmd->dcmd_opcode == MFI_DCMD_LD_GET_INFO) {
- struct mfi_ld_info *info = cmd->iov_buf;
-
- if (cmd->iov_buf) {
---
-2.13.0
-
diff --git a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-9524-1.patch b/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-9524-1.patch
deleted file mode 100644
index 9d77193b1f6..00000000000
--- a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-9524-1.patch
+++ /dev/null
@@ -1,80 +0,0 @@
-From df8ad9f128c15aa0a0ebc7b24e9a22c9775b67af Mon Sep 17 00:00:00 2001
-From: Eric Blake <eblake@redhat.com>
-Date: Fri, 26 May 2017 22:04:21 -0500
-Subject: [PATCH] nbd: Fully initialize client in case of failed negotiation
-
-If a non-NBD client connects to qemu-nbd, we would end up with
-a SIGSEGV in nbd_client_put() because we were trying to
-unregister the client's association to the export, even though
-we skipped inserting the client into that list. Easy trigger
-in two terminals:
-
-$ qemu-nbd -p 30001 --format=raw file
-$ nmap 127.0.0.1 -p 30001
-
-nmap claims that it thinks it connected to a pago-services1
-server (which probably means nmap could be updated to learn the
-NBD protocol and give a more accurate diagnosis of the open
-port - but that's not our problem), then terminates immediately,
-so our call to nbd_negotiate() fails. The fix is to reorder
-nbd_co_client_start() to ensure that all initialization occurs
-before we ever try talking to a client in nbd_negotiate(), so
-that the teardown sequence on negotiation failure doesn't fault
-while dereferencing a half-initialized object.
-
-While debugging this, I also noticed that nbd_update_server_watch()
-called by nbd_client_closed() was still adding a channel to accept
-the next client, even when the state was no longer RUNNING. That
-is fixed by making nbd_can_accept() pay attention to the current
-state.
-
-Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1451614
-
-Signed-off-by: Eric Blake <eblake@redhat.com>
-Message-Id: <20170527030421.28366-1-eblake@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
----
- nbd/server.c | 8 +++-----
- qemu-nbd.c | 2 +-
- 2 files changed, 4 insertions(+), 6 deletions(-)
-
-diff --git a/nbd/server.c b/nbd/server.c
-index ee59e5d234..49b55f6ede 100644
---- a/nbd/server.c
-+++ b/nbd/server.c
-@@ -1358,16 +1358,14 @@ static coroutine_fn void nbd_co_client_start(void *opaque)
-
- if (exp) {
- nbd_export_get(exp);
-+ QTAILQ_INSERT_TAIL(&exp->clients, client, next);
- }
-+ qemu_co_mutex_init(&client->send_lock);
-+
- if (nbd_negotiate(data)) {
- client_close(client);
- goto out;
- }
-- qemu_co_mutex_init(&client->send_lock);
--
-- if (exp) {
-- QTAILQ_INSERT_TAIL(&exp->clients, client, next);
-- }
-
- nbd_client_receive_next_request(client);
-
-diff --git a/qemu-nbd.c b/qemu-nbd.c
-index f60842fd86..651f85ecc1 100644
---- a/qemu-nbd.c
-+++ b/qemu-nbd.c
-@@ -325,7 +325,7 @@ out:
-
- static int nbd_can_accept(void)
- {
-- return nb_fds < shared;
-+ return state == RUNNING && nb_fds < shared;
- }
-
- static void nbd_export_closed(NBDExport *exp)
---
-2.13.0
-
diff --git a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-9524-2.patch b/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-9524-2.patch
deleted file mode 100644
index e6934b379a2..00000000000
--- a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-9524-2.patch
+++ /dev/null
@@ -1,197 +0,0 @@
-From 0c9390d978cbf61e8f16c9f580fa96b305c43568 Mon Sep 17 00:00:00 2001
-From: Eric Blake <eblake@redhat.com>
-Date: Thu, 8 Jun 2017 17:26:17 -0500
-Subject: [PATCH] nbd: Fix regression on resiliency to port scan
-
-Back in qemu 2.5, qemu-nbd was immune to port probes (a transient
-server would not quit, regardless of how many probe connections
-came and went, until a connection actually negotiated). But we
-broke that in commit ee7d7aa when removing the return value to
-nbd_client_new(), although that patch also introduced a bug causing
-an assertion failure on a client that fails negotiation. We then
-made it worse during refactoring in commit 1a6245a (a segfault
-before we could even assert); the (masked) assertion was cleaned
-up in d3780c2 (still in 2.6), and just recently we finally fixed
-the segfault ("nbd: Fully intialize client in case of failed
-negotiation"). But that still means that ever since we added
-TLS support to qemu-nbd, we have been vulnerable to an ill-timed
-port-scan being able to cause a denial of service by taking down
-qemu-nbd before a real client has a chance to connect.
-
-Since negotiation is now handled asynchronously via coroutines,
-we no longer have a synchronous point of return by re-adding a
-return value to nbd_client_new(). So this patch instead wires
-things up to pass the negotiation status through the close_fn
-callback function.
-
-Simple test across two terminals:
-$ qemu-nbd -f raw -p 30001 file
-$ nmap 127.0.0.1 -p 30001 && \
- qemu-io -c 'r 0 512' -f raw nbd://localhost:30001
-
-Note that this patch does not change what constitutes successful
-negotiation (thus, a client must enter transmission phase before
-that client can be considered as a reason to terminate the server
-when the connection ends). Perhaps we may want to tweak things
-in a later patch to also treat a client that uses NBD_OPT_ABORT
-as being a 'successful' negotiation (the client correctly talked
-the NBD protocol, and informed us it was not going to use our
-export after all), but that's a discussion for another day.
-
-Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1451614
-
-Signed-off-by: Eric Blake <eblake@redhat.com>
-Message-Id: <20170608222617.20376-1-eblake@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
----
- blockdev-nbd.c | 6 +++++-
- include/block/nbd.h | 2 +-
- nbd/server.c | 24 +++++++++++++++---------
- qemu-nbd.c | 4 ++--
- 4 files changed, 23 insertions(+), 13 deletions(-)
-
-diff --git a/blockdev-nbd.c b/blockdev-nbd.c
-index dd0860f4a6..28f551a7b0 100644
---- a/blockdev-nbd.c
-+++ b/blockdev-nbd.c
-@@ -27,6 +27,10 @@ typedef struct NBDServerData {
-
- static NBDServerData *nbd_server;
-
-+static void nbd_blockdev_client_closed(NBDClient *client, bool ignored)
-+{
-+ nbd_client_put(client);
-+}
-
- static gboolean nbd_accept(QIOChannel *ioc, GIOCondition condition,
- gpointer opaque)
-@@ -46,7 +50,7 @@ static gboolean nbd_accept(QIOChannel *ioc, GIOCondition condition,
- qio_channel_set_name(QIO_CHANNEL(cioc), "nbd-server");
- nbd_client_new(NULL, cioc,
- nbd_server->tlscreds, NULL,
-- nbd_client_put);
-+ nbd_blockdev_client_closed);
- object_unref(OBJECT(cioc));
- return TRUE;
- }
-diff --git a/include/block/nbd.h b/include/block/nbd.h
-index 416257abca..8fa5ce51f3 100644
---- a/include/block/nbd.h
-+++ b/include/block/nbd.h
-@@ -162,7 +162,7 @@ void nbd_client_new(NBDExport *exp,
- QIOChannelSocket *sioc,
- QCryptoTLSCreds *tlscreds,
- const char *tlsaclname,
-- void (*close)(NBDClient *));
-+ void (*close_fn)(NBDClient *, bool));
- void nbd_client_get(NBDClient *client);
- void nbd_client_put(NBDClient *client);
-
-diff --git a/nbd/server.c b/nbd/server.c
-index 49b55f6ede..f2b1aa47ce 100644
---- a/nbd/server.c
-+++ b/nbd/server.c
-@@ -81,7 +81,7 @@ static QTAILQ_HEAD(, NBDExport) exports = QTAILQ_HEAD_INITIALIZER(exports);
-
- struct NBDClient {
- int refcount;
-- void (*close)(NBDClient *client);
-+ void (*close_fn)(NBDClient *client, bool negotiated);
-
- bool no_zeroes;
- NBDExport *exp;
-@@ -778,7 +778,7 @@ void nbd_client_put(NBDClient *client)
- }
- }
-
--static void client_close(NBDClient *client)
-+static void client_close(NBDClient *client, bool negotiated)
- {
- if (client->closing) {
- return;
-@@ -793,8 +793,8 @@ static void client_close(NBDClient *client)
- NULL);
-
- /* Also tell the client, so that they release their reference. */
-- if (client->close) {
-- client->close(client);
-+ if (client->close_fn) {
-+ client->close_fn(client, negotiated);
- }
- }
-
-@@ -975,7 +975,7 @@ void nbd_export_close(NBDExport *exp)
-
- nbd_export_get(exp);
- QTAILQ_FOREACH_SAFE(client, &exp->clients, next, next) {
-- client_close(client);
-+ client_close(client, true);
- }
- nbd_export_set_name(exp, NULL);
- nbd_export_set_description(exp, NULL);
-@@ -1337,7 +1337,7 @@ done:
-
- out:
- nbd_request_put(req);
-- client_close(client);
-+ client_close(client, true);
- nbd_client_put(client);
- }
-
-@@ -1363,7 +1363,7 @@ static coroutine_fn void nbd_co_client_start(void *opaque)
- qemu_co_mutex_init(&client->send_lock);
-
- if (nbd_negotiate(data)) {
-- client_close(client);
-+ client_close(client, false);
- goto out;
- }
-
-@@ -1373,11 +1373,17 @@ out:
- g_free(data);
- }
-
-+/*
-+ * Create a new client listener on the given export @exp, using the
-+ * given channel @sioc. Begin servicing it in a coroutine. When the
-+ * connection closes, call @close_fn with an indication of whether the
-+ * client completed negotiation.
-+ */
- void nbd_client_new(NBDExport *exp,
- QIOChannelSocket *sioc,
- QCryptoTLSCreds *tlscreds,
- const char *tlsaclname,
-- void (*close_fn)(NBDClient *))
-+ void (*close_fn)(NBDClient *, bool))
- {
- NBDClient *client;
- NBDClientNewData *data = g_new(NBDClientNewData, 1);
-@@ -1394,7 +1400,7 @@ void nbd_client_new(NBDExport *exp,
- object_ref(OBJECT(client->sioc));
- client->ioc = QIO_CHANNEL(sioc);
- object_ref(OBJECT(client->ioc));
-- client->close = close_fn;
-+ client->close_fn = close_fn;
-
- data->client = client;
- data->co = qemu_coroutine_create(nbd_co_client_start, data);
-diff --git a/qemu-nbd.c b/qemu-nbd.c
-index 651f85ecc1..9464a0461c 100644
---- a/qemu-nbd.c
-+++ b/qemu-nbd.c
-@@ -336,10 +336,10 @@ static void nbd_export_closed(NBDExport *exp)
-
- static void nbd_update_server_watch(void);
-
--static void nbd_client_closed(NBDClient *client)
-+static void nbd_client_closed(NBDClient *client, bool negotiated)
- {
- nb_fds--;
-- if (nb_fds == 0 && !persistent && state == RUNNING) {
-+ if (negotiated && nb_fds == 0 && !persistent && state == RUNNING) {
- state = TERMINATE;
- }
- nbd_update_server_watch();
---
-2.13.0
-
^ permalink raw reply related [flat|nested] 21+ messages in thread* [gentoo-commits] repo/gentoo:master commit in: app-emulation/qemu/files/
@ 2017-07-26 19:37 Matthias Maier
0 siblings, 0 replies; 21+ messages in thread
From: Matthias Maier @ 2017-07-26 19:37 UTC (permalink / raw
To: gentoo-commits
commit: 07b6f997d19ce19197604ffc7b123497d635405c
Author: Matthias Maier <tamiko <AT> gentoo <DOT> org>
AuthorDate: Wed Jul 26 19:06:15 2017 +0000
Commit: Matthias Maier <tamiko <AT> gentoo <DOT> org>
CommitDate: Wed Jul 26 19:37:32 2017 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=07b6f997
app-emulation/qemu: Bugfix: Fix patch file
Package-Manager: Portage-2.3.6, Repoman-2.3.3
.../qemu/files/qemu-2.9.0-CVE-2017-7539.patch | 22 +++++++++++-----------
1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-7539.patch b/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-7539.patch
index 3af16977b93..ee77a59373e 100644
--- a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-7539.patch
+++ b/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-7539.patch
@@ -375,25 +375,25 @@ index 924a1fe..a1f106b 100644
magic = cpu_to_be64(NBD_REP_MAGIC);
- if (nbd_negotiate_write(ioc, &magic, sizeof(magic)) != sizeof(magic)) {
-+ if (nbd_write(ioc, &magic, sizeof(magic), NULL) < 0) {
++ if (write_sync(ioc, &magic, sizeof(magic), NULL) < 0) {
LOG("write failed (rep magic)");
return -EINVAL;
}
opt = cpu_to_be32(opt);
- if (nbd_negotiate_write(ioc, &opt, sizeof(opt)) != sizeof(opt)) {
-+ if (nbd_write(ioc, &opt, sizeof(opt), NULL) < 0) {
++ if (write_sync(ioc, &opt, sizeof(opt), NULL) < 0) {
LOG("write failed (rep opt)");
return -EINVAL;
}
type = cpu_to_be32(type);
- if (nbd_negotiate_write(ioc, &type, sizeof(type)) != sizeof(type)) {
-+ if (nbd_write(ioc, &type, sizeof(type), NULL) < 0) {
++ if (write_sync(ioc, &type, sizeof(type), NULL) < 0) {
LOG("write failed (rep type)");
return -EINVAL;
}
len = cpu_to_be32(len);
- if (nbd_negotiate_write(ioc, &len, sizeof(len)) != sizeof(len)) {
-+ if (nbd_write(ioc, &len, sizeof(len), NULL) < 0) {
++ if (write_sync(ioc, &len, sizeof(len), NULL) < 0) {
LOG("write failed (rep data length)");
return -EINVAL;
}
@@ -402,7 +402,7 @@ index 924a1fe..a1f106b 100644
goto out;
}
- if (nbd_negotiate_write(ioc, msg, len) != len) {
-+ if (nbd_write(ioc, msg, len, NULL) < 0) {
++ if (write_sync(ioc, msg, len, NULL) < 0) {
LOG("write failed (error message)");
ret = -EIO;
} else {
@@ -411,17 +411,17 @@ index 924a1fe..a1f106b 100644
len = cpu_to_be32(name_len);
- if (nbd_negotiate_write(ioc, &len, sizeof(len)) != sizeof(len)) {
-+ if (nbd_write(ioc, &len, sizeof(len), NULL) < 0) {
++ if (write_sync(ioc, &len, sizeof(len), NULL) < 0) {
LOG("write failed (name length)");
return -EINVAL;
}
- if (nbd_negotiate_write(ioc, name, name_len) != name_len) {
-+ if (nbd_write(ioc, name, name_len, NULL) < 0) {
++ if (write_sync(ioc, name, name_len, NULL) < 0) {
LOG("write failed (name buffer)");
return -EINVAL;
}
- if (nbd_negotiate_write(ioc, desc, desc_len) != desc_len) {
-+ if (nbd_write(ioc, desc, desc_len, NULL) < 0) {
++ if (write_sync(ioc, desc, desc_len, NULL) < 0) {
LOG("write failed (description buffer)");
return -EINVAL;
}
@@ -524,13 +524,13 @@ index 924a1fe..a1f106b 100644
goto fail;
}
- if (nbd_negotiate_write(client->ioc, buf, sizeof(buf)) != sizeof(buf)) {
-+ if (nbd_write(client->ioc, buf, sizeof(buf), NULL) < 0) {
++ if (write_sync(client->ioc, buf, sizeof(buf), NULL) < 0) {
LOG("write failed");
goto fail;
}
} else {
- if (nbd_negotiate_write(client->ioc, buf, 18) != 18) {
-+ if (nbd_write(client->ioc, buf, 18, NULL) < 0) {
++ if (write_sync(client->ioc, buf, 18, NULL) < 0) {
LOG("write failed");
goto fail;
}
@@ -539,7 +539,7 @@ index 924a1fe..a1f106b 100644
stw_be_p(buf + 26, client->exp->nbdflags | myflags);
len = client->no_zeroes ? 10 : sizeof(buf) - 18;
- if (nbd_negotiate_write(client->ioc, buf + 18, len) != len) {
-+ if (nbd_write(client->ioc, buf + 18, len, NULL) < 0) {
++ if (write_sync(client->ioc, buf + 18, len, NULL) < 0) {
LOG("write failed");
goto fail;
}
^ permalink raw reply related [flat|nested] 21+ messages in thread* [gentoo-commits] repo/gentoo:master commit in: app-emulation/qemu/files/
@ 2017-07-26 17:15 Matthias Maier
0 siblings, 0 replies; 21+ messages in thread
From: Matthias Maier @ 2017-07-26 17:15 UTC (permalink / raw
To: gentoo-commits
commit: 4716c9ae8666e4cfc6eff46960f7bff8f4f3d708
Author: Matthias Maier <tamiko <AT> gentoo <DOT> org>
AuthorDate: Wed Jul 26 17:14:28 2017 +0000
Commit: Matthias Maier <tamiko <AT> gentoo <DOT> org>
CommitDate: Wed Jul 26 17:14:53 2017 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4716c9ae
app-emulation/qemu: drop old patch files
Package-Manager: Portage-2.3.6, Repoman-2.3.3
.../qemu/files/qemu-2.7.0-CVE-2016-8669-1.patch | 32 ------
.../qemu/files/qemu-2.8.0-CVE-2016-10028.patch | 40 --------
.../qemu/files/qemu-2.8.0-CVE-2016-10155.patch | 46 ---------
.../qemu/files/qemu-2.8.0-CVE-2016-9908.patch | 35 -------
.../qemu/files/qemu-2.8.0-CVE-2016-9912.patch | 38 -------
.../qemu/files/qemu-2.8.0-CVE-2017-2615.patch | 48 ---------
.../qemu/files/qemu-2.8.0-CVE-2017-2620.patch | 56 -----------
.../qemu/files/qemu-2.8.0-CVE-2017-2630.patch | 22 ----
.../qemu/files/qemu-2.8.0-CVE-2017-5525-1.patch | 52 ----------
.../qemu/files/qemu-2.8.0-CVE-2017-5525-2.patch | 55 ----------
.../qemu/files/qemu-2.8.0-CVE-2017-5552.patch | 41 --------
.../qemu/files/qemu-2.8.0-CVE-2017-5578.patch | 35 -------
.../qemu/files/qemu-2.8.0-CVE-2017-5579.patch | 40 --------
.../qemu/files/qemu-2.8.0-CVE-2017-5667.patch | 37 -------
.../qemu/files/qemu-2.8.0-CVE-2017-5856.patch | 64 ------------
.../qemu/files/qemu-2.8.0-CVE-2017-5857.patch | 38 -------
.../qemu/files/qemu-2.8.0-CVE-2017-5898.patch | 35 -------
.../qemu/files/qemu-2.8.0-CVE-2017-5931.patch | 46 ---------
.../qemu/files/qemu-2.8.0-CVE-2017-5973.patch | 87 ----------------
.../qemu/files/qemu-2.8.0-CVE-2017-5987.patch | 50 ---------
.../qemu/files/qemu-2.8.0-CVE-2017-6058.patch | 112 ---------------------
.../qemu/files/qemu-2.8.0-CVE-2017-6505.patch | 52 ----------
.../qemu/files/qemu-2.8.0-CVE-2017-7377.patch | 49 ---------
.../qemu/files/qemu-2.8.1-CVE-2017-7471.patch | 64 ------------
.../qemu/files/qemu-2.8.1-CVE-2017-8086.patch | 28 ------
25 files changed, 1202 deletions(-)
diff --git a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8669-1.patch b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8669-1.patch
deleted file mode 100644
index cea8efc0686..00000000000
--- a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8669-1.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-http://bugs.gentoo.org/597108
-https://lists.gnu.org/archive/html/qemu-devel/2016-10/msg02577.html
-
-From: Prasad J Pandit <address@hidden>
-
-The JAZZ RC4030 chipset emulator has a periodic timer and
-associated interval reload register. The reload value is used
-as divider when computing timer's next tick value. If reload
-value is large, it could lead to divide by zero error. Limit
-the interval reload value to avoid it.
-
-Reported-by: Huawei PSIRT <address@hidden>
-Signed-off-by: Prasad J Pandit <address@hidden>
----
- hw/dma/rc4030.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/dma/rc4030.c b/hw/dma/rc4030.c
-index 2f2576f..c1b4997 100644
---- a/hw/dma/rc4030.c
-+++ b/hw/dma/rc4030.c
-@@ -460,7 +460,7 @@ static void rc4030_write(void *opaque, hwaddr addr, uint64_t data,
- break;
- /* Interval timer reload */
- case 0x0228:
-- s->itr = val;
-+ s->itr = val & 0x01FF;
- qemu_irq_lower(s->timer_irq);
- set_next_tick(s);
- break;
---
-2.5.5
diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-10028.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-10028.patch
deleted file mode 100644
index 466c819e78a..00000000000
--- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-10028.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-https://lists.gnu.org/archive/html/qemu-devel/2016-12/msg01903.html
-https://bugs.gentoo.org/603444
-
-From: P J P
-Subject: [Qemu-devel] [PATCH] display: virtio-gpu-3d: check virgl capabilities max_size
-Date: Wed, 14 Dec 2016 12:31:56 +0530
-From: Prasad J Pandit <address@hidden>
-
-Virtio GPU device while processing 'VIRTIO_GPU_CMD_GET_CAPSET'
-command, retrieves the maximum capabilities size to fill in the
-response object. It continues to fill in capabilities even if
-retrieved 'max_size' is zero(0), thus resulting in OOB access.
-Add check to avoid it.
-
-Reported-by: Zhenhao Hong <address@hidden>
-Signed-off-by: Prasad J Pandit <address@hidden>
----
- hw/display/virtio-gpu-3d.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
-index 758d33a..6ceeba3 100644
---- a/hw/display/virtio-gpu-3d.c
-+++ b/hw/display/virtio-gpu-3d.c
-@@ -370,8 +370,12 @@ static void virgl_cmd_get_capset(VirtIOGPU *g,
-
- virgl_renderer_get_cap_set(gc.capset_id, &max_ver,
- &max_size);
-+ if (!max_size) {
-+ cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER;
-+ return;
-+ }
-+
- resp = g_malloc0(sizeof(*resp) + max_size);
--
- resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
- virgl_renderer_fill_caps(gc.capset_id,
- gc.capset_version,
---
-2.9.3
diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-10155.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-10155.patch
deleted file mode 100644
index c486295d06f..00000000000
--- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-10155.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From eb7a20a3616085d46aa6b4b4224e15587ec67e6e Mon Sep 17 00:00:00 2001
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Mon, 28 Nov 2016 17:49:04 -0800
-Subject: [PATCH] watchdog: 6300esb: add exit function
-
-When the Intel 6300ESB watchdog is hot unplug. The timer allocated
-in realize isn't freed thus leaking memory leak. This patch avoid
-this through adding the exit function.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-Message-Id: <583cde9c.3223ed0a.7f0c2.886e@mx.google.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
----
- hw/watchdog/wdt_i6300esb.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/hw/watchdog/wdt_i6300esb.c b/hw/watchdog/wdt_i6300esb.c
-index a83d951..49b3cd1 100644
---- a/hw/watchdog/wdt_i6300esb.c
-+++ b/hw/watchdog/wdt_i6300esb.c
-@@ -428,6 +428,14 @@ static void i6300esb_realize(PCIDevice *dev, Error **errp)
- /* qemu_register_coalesced_mmio (addr, 0x10); ? */
- }
-
-+static void i6300esb_exit(PCIDevice *dev)
-+{
-+ I6300State *d = WATCHDOG_I6300ESB_DEVICE(dev);
-+
-+ timer_del(d->timer);
-+ timer_free(d->timer);
-+}
-+
- static WatchdogTimerModel model = {
- .wdt_name = "i6300esb",
- .wdt_description = "Intel 6300ESB",
-@@ -441,6 +449,7 @@ static void i6300esb_class_init(ObjectClass *klass, void *data)
- k->config_read = i6300esb_config_read;
- k->config_write = i6300esb_config_write;
- k->realize = i6300esb_realize;
-+ k->exit = i6300esb_exit;
- k->vendor_id = PCI_VENDOR_ID_INTEL;
- k->device_id = PCI_DEVICE_ID_INTEL_ESB_9;
- k->class_id = PCI_CLASS_SYSTEM_OTHER;
---
-2.10.2
-
diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-9908.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-9908.patch
deleted file mode 100644
index 841de65d48c..00000000000
--- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-9908.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-https://lists.gnu.org/archive/html/qemu-devel/2016-11/msg00059.html
-https://bugs.gentoo.org/601826
-
-From: Li Qiang
-Subject: [Qemu-devel] [PATCH] virtio-gpu: fix information leak in capset get dispatch
-Date: Tue, 1 Nov 2016 05:37:57 -0700
-From: Li Qiang <address@hidden>
-
-In virgl_cmd_get_capset function, it uses g_malloc to allocate
-a response struct to the guest. As the 'resp'struct hasn't been full
-initialized it will lead the 'resp->padding' field to the guest.
-Use g_malloc0 to avoid this.
-
-Signed-off-by: Li Qiang <address@hidden>
----
- hw/display/virtio-gpu-3d.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
-index 23f39de..d98b140 100644
---- a/hw/display/virtio-gpu-3d.c
-+++ b/hw/display/virtio-gpu-3d.c
-@@ -371,7 +371,7 @@ static void virgl_cmd_get_capset(VirtIOGPU *g,
-
- virgl_renderer_get_cap_set(gc.capset_id, &max_ver,
- &max_size);
-- resp = g_malloc(sizeof(*resp) + max_size);
-+ resp = g_malloc0(sizeof(*resp) + max_size);
-
- resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
- virgl_renderer_fill_caps(gc.capset_id,
---
-1.8.3.1
-
-
diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-9912.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-9912.patch
deleted file mode 100644
index 55963f70b98..00000000000
--- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-9912.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-https://lists.gnu.org/archive/html/qemu-devel/2016-11/msg05043.html
-https://bugs.gentoo.org/602630
-
-From: Li Qiang
-Subject: [Qemu-devel] [PATCH] virtio-gpu: call cleanup mapping function in resource destroy
-Date: Mon, 28 Nov 2016 21:29:25 -0500
-If the guest destroy the resource before detach banking, the 'iov'
-and 'addrs' field in resource is not freed thus leading memory
-leak issue. This patch avoid this.
-
-Signed-off-by: Li Qiang <address@hidden>
----
- hw/display/virtio-gpu.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
-index 60bce94..98dadf2 100644
---- a/hw/display/virtio-gpu.c
-+++ b/hw/display/virtio-gpu.c
-@@ -28,6 +28,8 @@
- static struct virtio_gpu_simple_resource*
- virtio_gpu_find_resource(VirtIOGPU *g, uint32_t resource_id);
-
-+static void virtio_gpu_cleanup_mapping(struct virtio_gpu_simple_resource *res);
-+
- #ifdef CONFIG_VIRGL
- #include <virglrenderer.h>
- #define VIRGL(_g, _virgl, _simple, ...) \
-@@ -358,6 +360,7 @@ static void virtio_gpu_resource_destroy(VirtIOGPU *g,
- struct virtio_gpu_simple_resource *res)
- {
- pixman_image_unref(res->image);
-+ virtio_gpu_cleanup_mapping(res);
- QTAILQ_REMOVE(&g->reslist, res, next);
- g_free(res);
- }
---
-1.8.3.1
diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-2615.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-2615.patch
deleted file mode 100644
index f0bba801657..00000000000
--- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-2615.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 62d4c6bd5263bb8413a06c80144fc678df6dfb64 Mon Sep 17 00:00:00 2001
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Wed, 1 Feb 2017 09:35:01 +0100
-Subject: [PATCH] cirrus: fix oob access issue (CVE-2017-2615)
-
-When doing bitblt copy in backward mode, we should minus the
-blt width first just like the adding in the forward mode. This
-can avoid the oob access of the front of vga's vram.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-
-{ kraxel: with backward blits (negative pitch) addr is the topmost
- address, so check it as-is against vram size ]
-
-Cc: qemu-stable@nongnu.org
-Cc: P J P <ppandit@redhat.com>
-Cc: Laszlo Ersek <lersek@redhat.com>
-Cc: Paolo Bonzini <pbonzini@redhat.com>
-Cc: Wolfgang Bumiller <w.bumiller@proxmox.com>
-Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106)
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Message-id: 1485938101-26602-1-git-send-email-kraxel@redhat.com
-Reviewed-by: Laszlo Ersek <lersek@redhat.com>
----
- hw/display/cirrus_vga.c | 7 +++----
- 1 file changed, 3 insertions(+), 4 deletions(-)
-
-diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
-index 7db6409..16f27e8 100644
---- a/hw/display/cirrus_vga.c
-+++ b/hw/display/cirrus_vga.c
-@@ -274,10 +274,9 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
- {
- if (pitch < 0) {
- int64_t min = addr
-- + ((int64_t)s->cirrus_blt_height-1) * pitch;
-- int32_t max = addr
-- + s->cirrus_blt_width;
-- if (min < 0 || max > s->vga.vram_size) {
-+ + ((int64_t)s->cirrus_blt_height - 1) * pitch
-+ - s->cirrus_blt_width;
-+ if (min < -1 || addr >= s->vga.vram_size) {
- return true;
- }
- } else {
---
-2.10.2
-
diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-2620.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-2620.patch
deleted file mode 100644
index e2a98012d7c..00000000000
--- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-2620.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From: Gerd Hoffmann <kraxel@redhat.com>
-Subject: [PATCH 3/3] cirrus: add blit_is_unsafe call to cirrus_bitblt_cputovideo
-
-CIRRUS_BLTMODE_MEMSYSSRC blits do NOT check blit destination
-and blit width, at all. Oops. Fix it.
-
-Security impact: high.
-
-The missing blit destination check allows to write to host memory.
-Basically same as CVE-2014-8106 for the other blit variants.
-
-The missing blit width check allows to overflow cirrus_bltbuf,
-with the attractive target cirrus_srcptr (current cirrus_bltbuf write
-position) being located right after cirrus_bltbuf in CirrusVGAState.
-
-Due to cirrus emulation writing cirrus_bltbuf bytewise the attacker
-hasn't full control over cirrus_srcptr though, only one byte can be
-changed. Once the first byte has been modified further writes land
-elsewhere.
-
-[ This is CVE-2017-2620 / XSA-209 - Ian Jackson ]
-
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- hw/display/cirrus_vga.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
-index 0e47cf8..a093dc8 100644
---- a/hw/display/cirrus_vga.c
-+++ b/hw/display/cirrus_vga.c
-@@ -899,6 +899,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s)
- {
- int w;
-
-+ if (blit_is_unsafe(s)) {
-+ return 0;
-+ }
-+
- s->cirrus_blt_mode &= ~CIRRUS_BLTMODE_MEMSYSSRC;
- s->cirrus_srcptr = &s->cirrus_bltbuf[0];
- s->cirrus_srcptr_end = &s->cirrus_bltbuf[0];
-@@ -924,6 +928,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s)
- }
- s->cirrus_srccounter = s->cirrus_blt_srcpitch * s->cirrus_blt_height;
- }
-+
-+ /* the blit_is_unsafe call above should catch this */
-+ assert(s->cirrus_blt_srcpitch <= CIRRUS_BLTBUFSIZE);
-+
- s->cirrus_srcptr = s->cirrus_bltbuf;
- s->cirrus_srcptr_end = s->cirrus_bltbuf + s->cirrus_blt_srcpitch;
- cirrus_update_memory_access(s);
---
-1.8.3.1
-
diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-2630.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-2630.patch
deleted file mode 100644
index 034b322de5f..00000000000
--- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-2630.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-Comparison symbol is misused. It may lead to memory corruption.
-
-Signed-off-by: Vladimir Sementsov-Ogievskiy <address@hidden>
----
- nbd/client.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/nbd/client.c b/nbd/client.c
-index 6caf6bda6d..351731bc63 100644
---- a/nbd/client.c
-+++ b/nbd/client.c
-@@ -94,7 +94,7 @@ static ssize_t drop_sync(QIOChannel *ioc, size_t size)
- char small[1024];
- char *buffer;
-
-- buffer = sizeof(small) < size ? small : g_malloc(MIN(65536, size));
-+ buffer = sizeof(small) > size ? small : g_malloc(MIN(65536, size));
- while (size > 0) {
- ssize_t count = read_sync(ioc, buffer, MIN(65536, size));
-
---
-2.11.0
diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5525-1.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5525-1.patch
deleted file mode 100644
index 24411b4dca3..00000000000
--- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5525-1.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From 12351a91da97b414eec8cdb09f1d9f41e535a401 Mon Sep 17 00:00:00 2001
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Wed, 14 Dec 2016 18:30:21 -0800
-Subject: [PATCH] audio: ac97: add exit function
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Currently the ac97 device emulation doesn't have a exit function,
-hot unplug this device will leak some memory. Add a exit function to
-avoid this.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Message-id: 58520052.4825ed0a.27a71.6cae@mx.google.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- hw/audio/ac97.c | 11 +++++++++++
- 1 file changed, 11 insertions(+)
-
-diff --git a/hw/audio/ac97.c b/hw/audio/ac97.c
-index cbd959e..c306575 100644
---- a/hw/audio/ac97.c
-+++ b/hw/audio/ac97.c
-@@ -1387,6 +1387,16 @@ static void ac97_realize(PCIDevice *dev, Error **errp)
- ac97_on_reset (&s->dev.qdev);
- }
-
-+static void ac97_exit(PCIDevice *dev)
-+{
-+ AC97LinkState *s = DO_UPCAST(AC97LinkState, dev, dev);
-+
-+ AUD_close_in(&s->card, s->voice_pi);
-+ AUD_close_out(&s->card, s->voice_po);
-+ AUD_close_in(&s->card, s->voice_mc);
-+ AUD_remove_card(&s->card);
-+}
-+
- static int ac97_init (PCIBus *bus)
- {
- pci_create_simple (bus, -1, "AC97");
-@@ -1404,6 +1414,7 @@ static void ac97_class_init (ObjectClass *klass, void *data)
- PCIDeviceClass *k = PCI_DEVICE_CLASS (klass);
-
- k->realize = ac97_realize;
-+ k->exit = ac97_exit;
- k->vendor_id = PCI_VENDOR_ID_INTEL;
- k->device_id = PCI_DEVICE_ID_INTEL_82801AA_5;
- k->revision = 0x01;
---
-2.10.2
-
diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5525-2.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5525-2.patch
deleted file mode 100644
index 6bbac580c3c..00000000000
--- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5525-2.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From 069eb7b2b8fc47c7cb52e5a4af23ea98d939e3da Mon Sep 17 00:00:00 2001
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Wed, 14 Dec 2016 18:32:22 -0800
-Subject: [PATCH] audio: es1370: add exit function
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Currently the es1370 device emulation doesn't have a exit function,
-hot unplug this device will leak some memory. Add a exit function to
-avoid this.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Message-id: 585200c9.a968ca0a.1ab80.4c98@mx.google.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- hw/audio/es1370.c | 14 ++++++++++++++
- 1 file changed, 14 insertions(+)
-
-diff --git a/hw/audio/es1370.c b/hw/audio/es1370.c
-index 8449b5f..883ec69 100644
---- a/hw/audio/es1370.c
-+++ b/hw/audio/es1370.c
-@@ -1041,6 +1041,19 @@ static void es1370_realize(PCIDevice *dev, Error **errp)
- es1370_reset (s);
- }
-
-+static void es1370_exit(PCIDevice *dev)
-+{
-+ ES1370State *s = ES1370(dev);
-+ int i;
-+
-+ for (i = 0; i < 2; ++i) {
-+ AUD_close_out(&s->card, s->dac_voice[i]);
-+ }
-+
-+ AUD_close_in(&s->card, s->adc_voice);
-+ AUD_remove_card(&s->card);
-+}
-+
- static int es1370_init (PCIBus *bus)
- {
- pci_create_simple (bus, -1, TYPE_ES1370);
-@@ -1053,6 +1066,7 @@ static void es1370_class_init (ObjectClass *klass, void *data)
- PCIDeviceClass *k = PCI_DEVICE_CLASS (klass);
-
- k->realize = es1370_realize;
-+ k->exit = es1370_exit;
- k->vendor_id = PCI_VENDOR_ID_ENSONIQ;
- k->device_id = PCI_DEVICE_ID_ENSONIQ_ES1370;
- k->class_id = PCI_CLASS_MULTIMEDIA_AUDIO;
---
-2.10.2
-
diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5552.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5552.patch
deleted file mode 100644
index 9475f3fd2a2..00000000000
--- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5552.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 33243031dad02d161225ba99d782616da133f689 Mon Sep 17 00:00:00 2001
-From: Li Qiang <liq3ea@gmail.com>
-Date: Thu, 29 Dec 2016 03:11:26 -0500
-Subject: [PATCH] virtio-gpu-3d: fix memory leak in resource attach backing
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-If the virgl_renderer_resource_attach_iov function fails the
-'res_iovs' will be leaked. Add check of the return value to
-free the 'res_iovs' when failing.
-
-Signed-off-by: Li Qiang <liq3ea@gmail.com>
-Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Message-id: 1482999086-59795-1-git-send-email-liq3ea@gmail.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- hw/display/virtio-gpu-3d.c | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
-index e29f099..b13ced3 100644
---- a/hw/display/virtio-gpu-3d.c
-+++ b/hw/display/virtio-gpu-3d.c
-@@ -291,8 +291,11 @@ static void virgl_resource_attach_backing(VirtIOGPU *g,
- return;
- }
-
-- virgl_renderer_resource_attach_iov(att_rb.resource_id,
-- res_iovs, att_rb.nr_entries);
-+ ret = virgl_renderer_resource_attach_iov(att_rb.resource_id,
-+ res_iovs, att_rb.nr_entries);
-+
-+ if (ret != 0)
-+ virtio_gpu_cleanup_mapping_iov(res_iovs, att_rb.nr_entries);
- }
-
- static void virgl_resource_detach_backing(VirtIOGPU *g,
---
-2.10.2
-
diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5578.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5578.patch
deleted file mode 100644
index f93d1e7f9e9..00000000000
--- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5578.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 204f01b30975923c64006f8067f0937b91eea68b Mon Sep 17 00:00:00 2001
-From: Li Qiang <liq3ea@gmail.com>
-Date: Thu, 29 Dec 2016 04:28:41 -0500
-Subject: [PATCH] virtio-gpu: fix memory leak in resource attach backing
-
-In the resource attach backing function, everytime it will
-allocate 'res->iov' thus can leading a memory leak. This
-patch avoid this.
-
-Signed-off-by: Li Qiang <liq3ea@gmail.com>
-Message-id: 1483003721-65360-1-git-send-email-liq3ea@gmail.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- hw/display/virtio-gpu.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
-index 6a26258..ca88cf4 100644
---- a/hw/display/virtio-gpu.c
-+++ b/hw/display/virtio-gpu.c
-@@ -714,6 +714,11 @@ virtio_gpu_resource_attach_backing(VirtIOGPU *g,
- return;
- }
-
-+ if (res->iov) {
-+ cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;
-+ return;
-+ }
-+
- ret = virtio_gpu_create_mapping_iov(&ab, cmd, &res->addrs, &res->iov);
- if (ret != 0) {
- cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;
---
-2.10.2
-
diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5579.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5579.patch
deleted file mode 100644
index e4572a8d571..00000000000
--- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5579.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 8409dc884a201bf74b30a9d232b6bbdd00cb7e2b Mon Sep 17 00:00:00 2001
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Wed, 4 Jan 2017 00:43:16 -0800
-Subject: [PATCH] serial: fix memory leak in serial exit
-
-The serial_exit_core function doesn't free some resources.
-This can lead memory leak when hotplug and unplug. This
-patch avoid this.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-Message-Id: <586cb5ab.f31d9d0a.38ac3.acf2@mx.google.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
----
- hw/char/serial.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/hw/char/serial.c b/hw/char/serial.c
-index ffbacd8..67b18ed 100644
---- a/hw/char/serial.c
-+++ b/hw/char/serial.c
-@@ -906,6 +906,16 @@ void serial_realize_core(SerialState *s, Error **errp)
- void serial_exit_core(SerialState *s)
- {
- qemu_chr_fe_deinit(&s->chr);
-+
-+ timer_del(s->modem_status_poll);
-+ timer_free(s->modem_status_poll);
-+
-+ timer_del(s->fifo_timeout_timer);
-+ timer_free(s->fifo_timeout_timer);
-+
-+ fifo8_destroy(&s->recv_fifo);
-+ fifo8_destroy(&s->xmit_fifo);
-+
- qemu_unregister_reset(serial_reset, s);
- }
-
---
-2.10.2
-
diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5667.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5667.patch
deleted file mode 100644
index 93e9c9406c4..00000000000
--- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5667.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 42922105beb14c2fc58185ea022b9f72fb5465e9 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Tue, 7 Feb 2017 18:29:59 +0000
-Subject: [PATCH] sd: sdhci: check data length during dma_memory_read
-
-While doing multi block SDMA transfer in routine
-'sdhci_sdma_transfer_multi_blocks', the 's->fifo_buffer' starting
-index 'begin' and data length 's->data_count' could end up to be same.
-This could lead to an OOB access issue. Correct transfer data length
-to avoid it.
-
-Cc: qemu-stable@nongnu.org
-Reported-by: Jiang Xin <jiangxin1@huawei.com>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 20170130064736.9236-1-ppandit@redhat.com
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/sd/sdhci.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
-index 01fbf22..5bd5ab6 100644
---- a/hw/sd/sdhci.c
-+++ b/hw/sd/sdhci.c
-@@ -536,7 +536,7 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
- boundary_count -= block_size - begin;
- }
- dma_memory_read(&address_space_memory, s->sdmasysad,
-- &s->fifo_buffer[begin], s->data_count);
-+ &s->fifo_buffer[begin], s->data_count - begin);
- s->sdmasysad += s->data_count - begin;
- if (s->data_count == block_size) {
- for (n = 0; n < block_size; n++) {
---
-2.10.2
-
diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5856.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5856.patch
deleted file mode 100644
index 2ebd49fa54d..00000000000
--- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5856.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From 765a707000e838c30b18d712fe6cb3dd8e0435f3 Mon Sep 17 00:00:00 2001
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Mon, 2 Jan 2017 11:03:33 +0100
-Subject: [PATCH] megasas: fix guest-triggered memory leak
-
-If the guest sets the sglist size to a value >=2GB, megasas_handle_dcmd
-will return MFI_STAT_MEMORY_NOT_AVAILABLE without freeing the memory.
-Avoid this by returning only the status from map_dcmd, and loading
-cmd->iov_size in the caller.
-
-Reported-by: Li Qiang <liqiang6-s@360.cn>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
----
- hw/scsi/megasas.c | 11 ++++++-----
- 1 file changed, 6 insertions(+), 5 deletions(-)
-
-diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
-index 67fc1e7..6233865 100644
---- a/hw/scsi/megasas.c
-+++ b/hw/scsi/megasas.c
-@@ -683,14 +683,14 @@ static int megasas_map_dcmd(MegasasState *s, MegasasCmd *cmd)
- trace_megasas_dcmd_invalid_sge(cmd->index,
- cmd->frame->header.sge_count);
- cmd->iov_size = 0;
-- return -1;
-+ return -EINVAL;
- }
- iov_pa = megasas_sgl_get_addr(cmd, &cmd->frame->dcmd.sgl);
- iov_size = megasas_sgl_get_len(cmd, &cmd->frame->dcmd.sgl);
- pci_dma_sglist_init(&cmd->qsg, PCI_DEVICE(s), 1);
- qemu_sglist_add(&cmd->qsg, iov_pa, iov_size);
- cmd->iov_size = iov_size;
-- return cmd->iov_size;
-+ return 0;
- }
-
- static void megasas_finish_dcmd(MegasasCmd *cmd, uint32_t iov_size)
-@@ -1559,19 +1559,20 @@ static const struct dcmd_cmd_tbl_t {
-
- static int megasas_handle_dcmd(MegasasState *s, MegasasCmd *cmd)
- {
-- int opcode, len;
-+ int opcode;
- int retval = 0;
-+ size_t len;
- const struct dcmd_cmd_tbl_t *cmdptr = dcmd_cmd_tbl;
-
- opcode = le32_to_cpu(cmd->frame->dcmd.opcode);
- trace_megasas_handle_dcmd(cmd->index, opcode);
-- len = megasas_map_dcmd(s, cmd);
-- if (len < 0) {
-+ if (megasas_map_dcmd(s, cmd) < 0) {
- return MFI_STAT_MEMORY_NOT_AVAILABLE;
- }
- while (cmdptr->opcode != -1 && cmdptr->opcode != opcode) {
- cmdptr++;
- }
-+ len = cmd->iov_size;
- if (cmdptr->opcode == -1) {
- trace_megasas_dcmd_unhandled(cmd->index, opcode, len);
- retval = megasas_dcmd_dummy(s, cmd);
---
-2.10.2
-
diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5857.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5857.patch
deleted file mode 100644
index 664a669ffaa..00000000000
--- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5857.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-When the guest sends VIRTIO_GPU_CMD_RESOURCE_UNREF without detaching the
-backing storage beforehand (VIRTIO_GPU_CMD_RESOURCE_DETACH_BACKING)
-we'll leak memory.
-
-This patch fixes it for 3d mode, simliar to the 2d mode fix in commit
-"b8e2392 virtio-gpu: call cleanup mapping function in resource destroy".
-
-Reported-by: 李强 <address@hidden>
-Signed-off-by: Gerd Hoffmann <address@hidden>
----
- hw/display/virtio-gpu-3d.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
-index f96a0c2..ecb09d1 100644
---- a/hw/display/virtio-gpu-3d.c
-+++ b/hw/display/virtio-gpu-3d.c
-@@ -77,10 +77,18 @@ static void virgl_cmd_resource_unref(VirtIOGPU *g,
- struct virtio_gpu_ctrl_command *cmd)
- {
- struct virtio_gpu_resource_unref unref;
-+ struct iovec *res_iovs = NULL;
-+ int num_iovs = 0;
-
- VIRTIO_GPU_FILL_CMD(unref);
- trace_virtio_gpu_cmd_res_unref(unref.resource_id);
-
-+ virgl_renderer_resource_detach_iov(unref.resource_id,
-+ &res_iovs,
-+ &num_iovs);
-+ if (res_iovs != NULL && num_iovs != 0) {
-+ virtio_gpu_cleanup_mapping_iov(res_iovs, num_iovs);
-+ }
- virgl_renderer_resource_unref(unref.resource_id);
- }
-
---
-1.8.3.1
diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5898.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5898.patch
deleted file mode 100644
index 9f94477a46b..00000000000
--- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5898.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From c7dfbf322595ded4e70b626bf83158a9f3807c6a Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Fri, 3 Feb 2017 00:52:28 +0530
-Subject: [PATCH] usb: ccid: check ccid apdu length
-
-CCID device emulator uses Application Protocol Data Units(APDU)
-to exchange command and responses to and from the host.
-The length in these units couldn't be greater than 65536. Add
-check to ensure the same. It'd also avoid potential integer
-overflow in emulated_apdu_from_guest.
-
-Reported-by: Li Qiang <liqiang6-s@360.cn>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Message-id: 20170202192228.10847-1-ppandit@redhat.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- hw/usb/dev-smartcard-reader.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/usb/dev-smartcard-reader.c b/hw/usb/dev-smartcard-reader.c
-index 89e11b6..1325ea1 100644
---- a/hw/usb/dev-smartcard-reader.c
-+++ b/hw/usb/dev-smartcard-reader.c
-@@ -967,7 +967,7 @@ static void ccid_on_apdu_from_guest(USBCCIDState *s, CCID_XferBlock *recv)
- DPRINTF(s, 1, "%s: seq %d, len %d\n", __func__,
- recv->hdr.bSeq, len);
- ccid_add_pending_answer(s, (CCID_Header *)recv);
-- if (s->card) {
-+ if (s->card && len <= BULK_OUT_DATA_SIZE) {
- ccid_card_apdu_from_guest(s->card, recv->abData, len);
- } else {
- DPRINTF(s, D_WARN, "warning: discarded apdu\n");
---
-2.10.2
-
diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5931.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5931.patch
deleted file mode 100644
index f24d557c96d..00000000000
--- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5931.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From a08aaff811fb194950f79711d2afe5a892ae03a4 Mon Sep 17 00:00:00 2001
-From: Gonglei <arei.gonglei@huawei.com>
-Date: Tue, 3 Jan 2017 14:50:03 +0800
-Subject: [PATCH] virtio-crypto: fix possible integer and heap overflow
-
-Because the 'size_t' type is 4 bytes in 32-bit platform, which
-is the same with 'int'. It's easy to make 'max_len' to zero when
-integer overflow and then cause heap overflow if 'max_len' is zero.
-
-Using uint_64 instead of size_t to avoid the integer overflow.
-
-Cc: qemu-stable@nongnu.org
-Reported-by: Li Qiang <liqiang6-s@360.cn>
-Signed-off-by: Gonglei <arei.gonglei@huawei.com>
-Tested-by: Li Qiang <liqiang6-s@360.cn>
-Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
----
- hw/virtio/virtio-crypto.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c
-index 2f2467e..c23e1ad 100644
---- a/hw/virtio/virtio-crypto.c
-+++ b/hw/virtio/virtio-crypto.c
-@@ -416,7 +416,7 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev,
- uint32_t hash_start_src_offset = 0, len_to_hash = 0;
- uint32_t cipher_start_src_offset = 0, len_to_cipher = 0;
-
-- size_t max_len, curr_size = 0;
-+ uint64_t max_len, curr_size = 0;
- size_t s;
-
- /* Plain cipher */
-@@ -441,7 +441,7 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev,
- return NULL;
- }
-
-- max_len = iv_len + aad_len + src_len + dst_len + hash_result_len;
-+ max_len = (uint64_t)iv_len + aad_len + src_len + dst_len + hash_result_len;
- if (unlikely(max_len > vcrypto->conf.max_size)) {
- virtio_error(vdev, "virtio-crypto too big length");
- return NULL;
---
-2.10.2
-
diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5973.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5973.patch
deleted file mode 100644
index 50ff3c99792..00000000000
--- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5973.patch
+++ /dev/null
@@ -1,87 +0,0 @@
-Limits should be big enough that normal guest should not hit it.
-Add a tracepoint to log them, just in case. Also, while being
-at it, log the existing link trb limit too.
-
-Reported-by: 李强 <address@hidden>
-Signed-off-by: Gerd Hoffmann <address@hidden>
----
- hw/usb/hcd-xhci.c | 15 ++++++++++++++-
- hw/usb/trace-events | 1 +
- 2 files changed, 15 insertions(+), 1 deletion(-)
-
-diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
-index fbf8a8b..28dd2f2 100644
---- a/hw/usb/hcd-xhci.c
-+++ b/hw/usb/hcd-xhci.c
-@@ -51,6 +51,8 @@
- #define EV_QUEUE (((3 * 24) + 16) * MAXSLOTS)
-
- #define TRB_LINK_LIMIT 4
-+#define COMMAND_LIMIT 256
-+#define TRANSFER_LIMIT 256
-
- #define LEN_CAP 0x40
- #define LEN_OPER (0x400 + 0x10 * MAXPORTS)
-@@ -943,6 +945,7 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb,
- return type;
- } else {
- if (++link_cnt > TRB_LINK_LIMIT) {
-+ trace_usb_xhci_enforced_limit("trb-link");
- return 0;
- }
- ring->dequeue = xhci_mask64(trb->parameter);
-@@ -2060,6 +2063,7 @@ static void xhci_kick_epctx(XHCIEPContext *epctx, unsigned int streamid)
- XHCIRing *ring;
- USBEndpoint *ep = NULL;
- uint64_t mfindex;
-+ unsigned int count = 0;
- int length;
- int i;
-
-@@ -2172,6 +2176,10 @@ static void xhci_kick_epctx(XHCIEPContext *epctx, unsigned int streamid)
- epctx->retry = xfer;
- break;
- }
-+ if (count++ > TRANSFER_LIMIT) {
-+ trace_usb_xhci_enforced_limit("transfers");
-+ break;
-+ }
- }
- epctx->kick_active--;
-
-@@ -2618,7 +2626,7 @@ static void xhci_process_commands(XHCIState *xhci)
- TRBType type;
- XHCIEvent event = {ER_COMMAND_COMPLETE, CC_SUCCESS};
- dma_addr_t addr;
-- unsigned int i, slotid = 0;
-+ unsigned int i, slotid = 0, count = 0;
-
- DPRINTF("xhci_process_commands()\n");
- if (!xhci_running(xhci)) {
-@@ -2735,6 +2743,11 @@ static void xhci_process_commands(XHCIState *xhci)
- }
- event.slotid = slotid;
- xhci_event(xhci, &event, 0);
-+
-+ if (count++ > COMMAND_LIMIT) {
-+ trace_usb_xhci_enforced_limit("commands");
-+ return;
-+ }
- }
- }
-
-diff --git a/hw/usb/trace-events b/hw/usb/trace-events
-index fdd1d29..0c323d4 100644
---- a/hw/usb/trace-events
-+++ b/hw/usb/trace-events
-@@ -174,6 +174,7 @@ usb_xhci_xfer_retry(void *xfer) "%p"
- usb_xhci_xfer_success(void *xfer, uint32_t bytes) "%p: len %d"
- usb_xhci_xfer_error(void *xfer, uint32_t ret) "%p: ret %d"
- usb_xhci_unimplemented(const char *item, int nr) "%s (0x%x)"
-+usb_xhci_enforced_limit(const char *item) "%s"
-
- # hw/usb/desc.c
- usb_desc_device(int addr, int len, int ret) "dev %d query device, len %d, ret %d"
---
-1.8.3.1
-
diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5987.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5987.patch
deleted file mode 100644
index bfde2e9d4b7..00000000000
--- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5987.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From: Prasad J Pandit <address@hidden>
-
-In the SDHCI protocol, the transfer mode register value
-is used during multi block transfer to check if block count
-register is enabled and should be updated. Transfer mode
-register could be set such that, block count register would
-not be updated, thus leading to an infinite loop. Add check
-to avoid it.
-
-Reported-by: Wjjzhang <address@hidden>
-Reported-by: Jiang Xin <address@hidden>
-Signed-off-by: Prasad J Pandit <address@hidden>
----
- hw/sd/sdhci.c | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
-Update: use qemu_log_mask(LOG_UNIMP, ...)
- -> https://lists.gnu.org/archive/html/qemu-devel/2017-02/msg02354.html
-
-diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
-index 5bd5ab6..a9c744b 100644
---- a/hw/sd/sdhci.c
-+++ b/hw/sd/sdhci.c
-@@ -486,6 +486,11 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
- uint32_t boundary_chk = 1 << (((s->blksize & 0xf000) >> 12) + 12);
- uint32_t boundary_count = boundary_chk - (s->sdmasysad % boundary_chk);
-
-+ if (!(s->trnmod & SDHC_TRNS_BLK_CNT_EN) || !s->blkcnt) {
-+ qemu_log_mask(LOG_UNIMP, "infinite transfer is not supported\n");
-+ return;
-+ }
-+
- /* XXX: Some sd/mmc drivers (for example, u-boot-slp) do not account for
- * possible stop at page boundary if initial address is not page aligned,
- * allow them to work properly */
-@@ -797,11 +802,6 @@ static void sdhci_data_transfer(void *opaque)
- if (s->trnmod & SDHC_TRNS_DMA) {
- switch (SDHC_DMA_TYPE(s->hostctl)) {
- case SDHC_CTRL_SDMA:
-- if ((s->trnmod & SDHC_TRNS_MULTI) &&
-- (!(s->trnmod & SDHC_TRNS_BLK_CNT_EN) || s->blkcnt == 0)) {
-- break;
-- }
--
- if ((s->blkcnt == 1) || !(s->trnmod & SDHC_TRNS_MULTI)) {
- sdhci_sdma_transfer_single_block(s);
- } else {
---
-2.9.3
-
diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-6058.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-6058.patch
deleted file mode 100644
index 666c18ccea1..00000000000
--- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-6058.patch
+++ /dev/null
@@ -1,112 +0,0 @@
-This patch fixed a problem that was introduced in commit eb700029.
-
-When net_rx_pkt_attach_iovec() calls eth_strip_vlan()
-this can result in pkt->ehdr_buf being overflowed, because
-ehdr_buf is only sizeof(struct eth_header) bytes large
-but eth_strip_vlan() can write
-sizeof(struct eth_header) + sizeof(struct vlan_header)
-bytes into it.
-
-Devices affected by this problem: vmxnet3.
-
-Reported-by: Peter Maydell <address@hidden>
-Signed-off-by: Dmitry Fleytman <address@hidden>
----
- hw/net/net_rx_pkt.c | 34 +++++++++++++++++-----------------
- 1 file changed, 17 insertions(+), 17 deletions(-)
-
-diff --git a/hw/net/net_rx_pkt.c b/hw/net/net_rx_pkt.c
-index 1019b50..7c0beac 100644
---- a/hw/net/net_rx_pkt.c
-+++ b/hw/net/net_rx_pkt.c
-@@ -23,13 +23,13 @@
-
- struct NetRxPkt {
- struct virtio_net_hdr virt_hdr;
-- uint8_t ehdr_buf[sizeof(struct eth_header)];
-+ uint8_t ehdr_buf[sizeof(struct eth_header) + sizeof(struct vlan_header)];
- struct iovec *vec;
- uint16_t vec_len_total;
- uint16_t vec_len;
- uint32_t tot_len;
- uint16_t tci;
-- bool vlan_stripped;
-+ size_t ehdr_buf_len;
- bool has_virt_hdr;
- eth_pkt_types_e packet_type;
-
-@@ -88,15 +88,13 @@ net_rx_pkt_pull_data(struct NetRxPkt *pkt,
- const struct iovec *iov, int iovcnt,
- size_t ploff)
- {
-- if (pkt->vlan_stripped) {
-+ if (pkt->ehdr_buf_len) {
- net_rx_pkt_iovec_realloc(pkt, iovcnt + 1);
-
- pkt->vec[0].iov_base = pkt->ehdr_buf;
-- pkt->vec[0].iov_len = sizeof(pkt->ehdr_buf);
--
-- pkt->tot_len =
-- iov_size(iov, iovcnt) - ploff + sizeof(struct eth_header);
-+ pkt->vec[0].iov_len = pkt->ehdr_buf_len;
-
-+ pkt->tot_len = iov_size(iov, iovcnt) - ploff + pkt->ehdr_buf_len;
- pkt->vec_len = iov_copy(pkt->vec + 1, pkt->vec_len_total - 1,
- iov, iovcnt, ploff, pkt->tot_len);
- } else {
-@@ -123,11 +121,12 @@ void net_rx_pkt_attach_iovec(struct NetRxPkt *pkt,
- uint16_t tci = 0;
- uint16_t ploff = iovoff;
- assert(pkt);
-- pkt->vlan_stripped = false;
-
- if (strip_vlan) {
-- pkt->vlan_stripped = eth_strip_vlan(iov, iovcnt, iovoff, pkt->ehdr_buf,
-- &ploff, &tci);
-+ pkt->ehdr_buf_len = eth_strip_vlan(iov, iovcnt, iovoff, pkt->ehdr_buf,
-+ &ploff, &tci);
-+ } else {
-+ pkt->ehdr_buf_len = 0;
- }
-
- pkt->tci = tci;
-@@ -143,12 +142,13 @@ void net_rx_pkt_attach_iovec_ex(struct NetRxPkt *pkt,
- uint16_t tci = 0;
- uint16_t ploff = iovoff;
- assert(pkt);
-- pkt->vlan_stripped = false;
-
- if (strip_vlan) {
-- pkt->vlan_stripped = eth_strip_vlan_ex(iov, iovcnt, iovoff, vet,
-- pkt->ehdr_buf,
-- &ploff, &tci);
-+ pkt->ehdr_buf_len = eth_strip_vlan_ex(iov, iovcnt, iovoff, vet,
-+ pkt->ehdr_buf,
-+ &ploff, &tci);
-+ } else {
-+ pkt->ehdr_buf_len = 0;
- }
-
- pkt->tci = tci;
-@@ -162,8 +162,8 @@ void net_rx_pkt_dump(struct NetRxPkt *pkt)
- NetRxPkt *pkt = (NetRxPkt *)pkt;
- assert(pkt);
-
-- printf("RX PKT: tot_len: %d, vlan_stripped: %d, vlan_tag: %d\n",
-- pkt->tot_len, pkt->vlan_stripped, pkt->tci);
-+ printf("RX PKT: tot_len: %d, ehdr_buf_len: %lu, vlan_tag: %d\n",
-+ pkt->tot_len, pkt->ehdr_buf_len, pkt->tci);
- #endif
- }
-
-@@ -426,7 +426,7 @@ bool net_rx_pkt_is_vlan_stripped(struct NetRxPkt *pkt)
- {
- assert(pkt);
-
-- return pkt->vlan_stripped;
-+ return pkt->ehdr_buf_len ? true : false;
- }
-
- bool net_rx_pkt_has_virt_hdr(struct NetRxPkt *pkt)
---
-2.7.4
diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-6505.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-6505.patch
deleted file mode 100644
index a15aa96bd56..00000000000
--- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-6505.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From 95ed56939eb2eaa4e2f349fe6dcd13ca4edfd8fb Mon Sep 17 00:00:00 2001
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Tue, 7 Feb 2017 02:23:33 -0800
-Subject: [PATCH] usb: ohci: limit the number of link eds
-
-The guest may builds an infinite loop with link eds. This patch
-limit the number of linked ed to avoid this.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-Message-id: 5899a02e.45ca240a.6c373.93c1@mx.google.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- hw/usb/hcd-ohci.c | 9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c
-index 2cba3e3..21c93e0 100644
---- a/hw/usb/hcd-ohci.c
-+++ b/hw/usb/hcd-ohci.c
-@@ -42,6 +42,8 @@
-
- #define OHCI_MAX_PORTS 15
-
-+#define ED_LINK_LIMIT 4
-+
- static int64_t usb_frame_time;
- static int64_t usb_bit_time;
-
-@@ -1184,7 +1186,7 @@ static int ohci_service_ed_list(OHCIState *ohci, uint32_t head, int completion)
- uint32_t next_ed;
- uint32_t cur;
- int active;
--
-+ uint32_t link_cnt = 0;
- active = 0;
-
- if (head == 0)
-@@ -1199,6 +1201,11 @@ static int ohci_service_ed_list(OHCIState *ohci, uint32_t head, int completion)
-
- next_ed = ed.next & OHCI_DPTR_MASK;
-
-+ if (++link_cnt > ED_LINK_LIMIT) {
-+ ohci_die(ohci);
-+ return 0;
-+ }
-+
- if ((ed.head & OHCI_ED_H) || (ed.flags & OHCI_ED_K)) {
- uint32_t addr;
- /* Cancel pending packets for ED that have been paused. */
---
-2.10.2
-
diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-7377.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-7377.patch
deleted file mode 100644
index f2d317c3c94..00000000000
--- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-7377.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From d63fb193e71644a073b77ff5ac6f1216f2f6cf6e Mon Sep 17 00:00:00 2001
-From: Li Qiang <liq3ea@gmail.com>
-Date: Mon, 27 Mar 2017 21:13:19 +0200
-Subject: [PATCH] 9pfs: fix file descriptor leak
-
-The v9fs_create() and v9fs_lcreate() functions are used to create a file
-on the backend and to associate it to a fid. The fid shouldn't be already
-in-use, otherwise both functions may silently leak a file descriptor or
-allocated memory. The current code doesn't check that.
-
-This patch ensures that the fid isn't already associated to anything
-before using it.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-(reworded the changelog, Greg Kurz)
-Signed-off-by: Greg Kurz <groug@kaod.org>
----
- hw/9pfs/9p.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
-index b8c0b99..48babce 100644
---- a/hw/9pfs/9p.c
-+++ b/hw/9pfs/9p.c
-@@ -1550,6 +1550,10 @@ static void coroutine_fn v9fs_lcreate(void *opaque)
- err = -ENOENT;
- goto out_nofid;
- }
-+ if (fidp->fid_type != P9_FID_NONE) {
-+ err = -EINVAL;
-+ goto out;
-+ }
-
- flags = get_dotl_openflags(pdu->s, flags);
- err = v9fs_co_open2(pdu, fidp, &name, gid,
-@@ -2153,6 +2157,10 @@ static void coroutine_fn v9fs_create(void *opaque)
- err = -EINVAL;
- goto out_nofid;
- }
-+ if (fidp->fid_type != P9_FID_NONE) {
-+ err = -EINVAL;
-+ goto out;
-+ }
- if (perm & P9_STAT_MODE_DIR) {
- err = v9fs_co_mkdir(pdu, fidp, &name, perm & 0777,
- fidp->uid, -1, &stbuf);
---
-2.10.2
-
diff --git a/app-emulation/qemu/files/qemu-2.8.1-CVE-2017-7471.patch b/app-emulation/qemu/files/qemu-2.8.1-CVE-2017-7471.patch
deleted file mode 100644
index c5366f5758e..00000000000
--- a/app-emulation/qemu/files/qemu-2.8.1-CVE-2017-7471.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From 9c6b899f7a46893ab3b671e341a2234e9c0c060e Mon Sep 17 00:00:00 2001
-From: Greg Kurz <groug@kaod.org>
-Date: Mon, 17 Apr 2017 10:53:23 +0200
-Subject: [PATCH] 9pfs: local: set the path of the export root to "."
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The local backend was recently converted to using "at*()" syscalls in order
-to ensure all accesses happen below the shared directory. This requires that
-we only pass relative paths, otherwise the dirfd argument to the "at*()"
-syscalls is ignored and the path is treated as an absolute path in the host.
-This is actually the case for paths in all fids, with the notable exception
-of the root fid, whose path is "/". This causes the following backend ops to
-act on the "/" directory of the host instead of the virtfs shared directory
-when the export root is involved:
-- lstat
-- chmod
-- chown
-- utimensat
-
-ie, chmod /9p_mount_point in the guest will be converted to chmod / in the
-host for example. This could cause security issues with a privileged QEMU.
-
-All "*at()" syscalls are being passed an open file descriptor. In the case
-of the export root, this file descriptor points to the path in the host that
-was passed to -fsdev.
-
-The fix is thus as simple as changing the path of the export root fid to be
-"." instead of "/".
-
-This is CVE-2017-7471.
-
-Cc: qemu-stable@nongnu.org
-Reported-by: Léo Gaspard <leo@gaspard.io>
-Signed-off-by: Greg Kurz <groug@kaod.org>
-Reviewed-by: Eric Blake <eblake@redhat.com>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/9pfs/9p-local.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c
-index 45e9a1f..f3ebca4 100644
---- a/hw/9pfs/9p-local.c
-+++ b/hw/9pfs/9p-local.c
-@@ -1098,8 +1098,13 @@ static int local_name_to_path(FsContext *ctx, V9fsPath *dir_path,
- {
- if (dir_path) {
- v9fs_path_sprintf(target, "%s/%s", dir_path->data, name);
-- } else {
-+ } else if (strcmp(name, "/")) {
- v9fs_path_sprintf(target, "%s", name);
-+ } else {
-+ /* We want the path of the export root to be relative, otherwise
-+ * "*at()" syscalls would treat it as "/" in the host.
-+ */
-+ v9fs_path_sprintf(target, "%s", ".");
- }
- return 0;
- }
---
-2.10.2
-
diff --git a/app-emulation/qemu/files/qemu-2.8.1-CVE-2017-8086.patch b/app-emulation/qemu/files/qemu-2.8.1-CVE-2017-8086.patch
deleted file mode 100644
index eac72f3dcb5..00000000000
--- a/app-emulation/qemu/files/qemu-2.8.1-CVE-2017-8086.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From 4ffcdef4277a91af15a3c09f7d16af072c29f3f2 Mon Sep 17 00:00:00 2001
-From: Li Qiang <liq3ea@gmail.com>
-Date: Fri, 7 Apr 2017 03:48:52 -0700
-Subject: [PATCH] 9pfs: xattr: fix memory leak in v9fs_list_xattr
-
-Free 'orig_value' in error path.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-Signed-off-by: Greg Kurz <groug@kaod.org>
----
- hw/9pfs/9p-xattr.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/hw/9pfs/9p-xattr.c b/hw/9pfs/9p-xattr.c
-index eec160b..d05c1a1 100644
---- a/hw/9pfs/9p-xattr.c
-+++ b/hw/9pfs/9p-xattr.c
-@@ -108,6 +108,7 @@ ssize_t v9fs_list_xattr(FsContext *ctx, const char *path,
- g_free(name);
- close_preserve_errno(dirfd);
- if (xattr_len < 0) {
-+ g_free(orig_value);
- return -1;
- }
-
---
-2.10.2
-
^ permalink raw reply related [flat|nested] 21+ messages in thread* [gentoo-commits] repo/gentoo:master commit in: app-emulation/qemu/files/
@ 2016-09-05 5:30 Matthias Maier
0 siblings, 0 replies; 21+ messages in thread
From: Matthias Maier @ 2016-09-05 5:30 UTC (permalink / raw
To: gentoo-commits
commit: 6ac7a9b9a00ee2c1afb780ffcafc8e66ce1b59d9
Author: Matthias Maier <tamiko <AT> gentoo <DOT> org>
AuthorDate: Mon Sep 5 05:00:00 2016 +0000
Commit: Matthias Maier <tamiko <AT> gentoo <DOT> org>
CommitDate: Mon Sep 5 05:30:00 2016 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6ac7a9b9
app-emulation/qemu: drop obsolete patches
Package-Manager: portage-2.2.28
.../qemu/files/qemu-2.5.0-9pfs-segfault.patch | 34 ------
.../qemu/files/qemu-2.5.0-CVE-2015-8567.patch | 95 ----------------
.../qemu/files/qemu-2.5.0-CVE-2015-8613.patch | 35 ------
.../qemu/files/qemu-2.5.0-CVE-2015-8619.patch | 121 ---------------------
.../qemu/files/qemu-2.5.0-CVE-2015-8701.patch | 49 ---------
.../qemu/files/qemu-2.5.0-CVE-2015-8743.patch | 50 ---------
.../qemu/files/qemu-2.5.0-CVE-2016-1568.patch | 41 -------
.../qemu/files/qemu-2.5.0-CVE-2016-1714.patch | 58 ----------
.../qemu/files/qemu-2.5.0-CVE-2016-1922.patch | 65 -----------
.../qemu/files/qemu-2.5.0-CVE-2016-1981.patch | 98 -----------------
.../qemu/files/qemu-2.5.0-CVE-2016-2197.patch | 43 --------
.../qemu/files/qemu-2.5.0-CVE-2016-2392.patch | 35 ------
.../qemu/files/qemu-2.5.0-ne2000-reg-check.patch | 37 -------
.../qemu/files/qemu-2.5.0-usb-ehci-oob.patch | 52 ---------
.../files/qemu-2.5.0-usb-ndis-int-overflow.patch | 59 ----------
.../qemu/files/qemu-2.6.0-crypto-static.patch | 60 ----------
.../qemu/files/qemu-2.6.0-glib-size_t.patch | 11 --
17 files changed, 943 deletions(-)
diff --git a/app-emulation/qemu/files/qemu-2.5.0-9pfs-segfault.patch b/app-emulation/qemu/files/qemu-2.5.0-9pfs-segfault.patch
deleted file mode 100644
index 0e27684..00000000
--- a/app-emulation/qemu/files/qemu-2.5.0-9pfs-segfault.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 4b3a4f2d458ca5a7c6c16ac36a8d9ac22cc253d6 Mon Sep 17 00:00:00 2001
-From: Greg Kurz <gkurz@linux.vnet.ibm.com>
-Date: Wed, 23 Dec 2015 10:56:58 +0100
-Subject: [PATCH] virtio-9p: use accessor to get thread_pool
-
-The aio_context_new() function does not allocate a thread pool. This is
-deferred to the first call to the aio_get_thread_pool() accessor. It is
-hence forbidden to access the thread_pool field directly, as it may be
-NULL. The accessor *must* be used always.
-
-Fixes: ebac1202c95a4f1b76b6ef3f0f63926fa76e753e
-Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
-Tested-by: Michael Tokarev <mjt@tls.msk.ru>
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
----
- hw/9pfs/virtio-9p-coth.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/9pfs/virtio-9p-coth.c b/hw/9pfs/virtio-9p-coth.c
-index fb6e8f8..ab9425c 100644
---- a/hw/9pfs/virtio-9p-coth.c
-+++ b/hw/9pfs/virtio-9p-coth.c
-@@ -36,6 +36,6 @@ static int coroutine_enter_func(void *arg)
- void co_run_in_worker_bh(void *opaque)
- {
- Coroutine *co = opaque;
-- thread_pool_submit_aio(qemu_get_aio_context()->thread_pool,
-+ thread_pool_submit_aio(aio_get_thread_pool(qemu_get_aio_context()),
- coroutine_enter_func, co, coroutine_enter_cb, co);
- }
---
-2.7.4
-
diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8567.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8567.patch
deleted file mode 100644
index e196043..00000000
--- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8567.patch
+++ /dev/null
@@ -1,95 +0,0 @@
-https://bugs.gentoo.org/567868
-
-From aa4a3dce1c88ed51b616806b8214b7c8428b7470 Mon Sep 17 00:00:00 2001
-From: P J P <ppandit@redhat.com>
-Date: Tue, 15 Dec 2015 12:27:54 +0530
-Subject: [PATCH] net: vmxnet3: avoid memory leakage in activate_device
-
-Vmxnet3 device emulator does not check if the device is active
-before activating it, also it did not free the transmit & receive
-buffers while deactivating the device, thus resulting in memory
-leakage on the host. This patch fixes both these issues to avoid
-host memory leakage.
-
-Reported-by: Qinghao Tang <luodalongde@gmail.com>
-Reviewed-by: Dmitry Fleytman <dmitry@daynix.com>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Jason Wang <jasowang@redhat.com>
----
- hw/net/vmxnet3.c | 24 ++++++++++++++++--------
- 1 file changed, 16 insertions(+), 8 deletions(-)
-
-diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
-index a5dd79a..9c1adfc 100644
---- a/hw/net/vmxnet3.c
-+++ b/hw/net/vmxnet3.c
-@@ -1194,8 +1194,13 @@ static void vmxnet3_reset_mac(VMXNET3State *s)
-
- static void vmxnet3_deactivate_device(VMXNET3State *s)
- {
-- VMW_CBPRN("Deactivating vmxnet3...");
-- s->device_active = false;
-+ if (s->device_active) {
-+ VMW_CBPRN("Deactivating vmxnet3...");
-+ vmxnet_tx_pkt_reset(s->tx_pkt);
-+ vmxnet_tx_pkt_uninit(s->tx_pkt);
-+ vmxnet_rx_pkt_uninit(s->rx_pkt);
-+ s->device_active = false;
-+ }
- }
-
- static void vmxnet3_reset(VMXNET3State *s)
-@@ -1204,7 +1209,6 @@ static void vmxnet3_reset(VMXNET3State *s)
-
- vmxnet3_deactivate_device(s);
- vmxnet3_reset_interrupt_states(s);
-- vmxnet_tx_pkt_reset(s->tx_pkt);
- s->drv_shmem = 0;
- s->tx_sop = true;
- s->skip_current_tx_pkt = false;
-@@ -1431,6 +1435,12 @@ static void vmxnet3_activate_device(VMXNET3State *s)
- return;
- }
-
-+ /* Verify if device is active */
-+ if (s->device_active) {
-+ VMW_CFPRN("Vmxnet3 device is active");
-+ return;
-+ }
-+
- vmxnet3_adjust_by_guest_type(s);
- vmxnet3_update_features(s);
- vmxnet3_update_pm_state(s);
-@@ -1627,7 +1637,7 @@ static void vmxnet3_handle_command(VMXNET3State *s, uint64_t cmd)
- break;
-
- case VMXNET3_CMD_QUIESCE_DEV:
-- VMW_CBPRN("Set: VMXNET3_CMD_QUIESCE_DEV - pause the device");
-+ VMW_CBPRN("Set: VMXNET3_CMD_QUIESCE_DEV - deactivate the device");
- vmxnet3_deactivate_device(s);
- break;
-
-@@ -1741,7 +1751,7 @@ vmxnet3_io_bar1_write(void *opaque,
- * shared address only after we get the high part
- */
- if (val == 0) {
-- s->device_active = false;
-+ vmxnet3_deactivate_device(s);
- }
- s->temp_shared_guest_driver_memory = val;
- s->drv_shmem = 0;
-@@ -2021,9 +2031,7 @@ static bool vmxnet3_peer_has_vnet_hdr(VMXNET3State *s)
- static void vmxnet3_net_uninit(VMXNET3State *s)
- {
- g_free(s->mcast_list);
-- vmxnet_tx_pkt_reset(s->tx_pkt);
-- vmxnet_tx_pkt_uninit(s->tx_pkt);
-- vmxnet_rx_pkt_uninit(s->rx_pkt);
-+ vmxnet3_deactivate_device(s);
- qemu_del_nic(s->nic);
- }
-
---
-2.6.2
-
diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8613.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8613.patch
deleted file mode 100644
index 61a52ee..00000000
--- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8613.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 36fef36b91f7ec0435215860f1458b5342ce2811 Mon Sep 17 00:00:00 2001
-From: P J P <ppandit@redhat.com>
-Date: Mon, 21 Dec 2015 15:13:13 +0530
-Subject: [PATCH] scsi: initialise info object with appropriate size
-
-While processing controller 'CTRL_GET_INFO' command, the routine
-'megasas_ctrl_get_info' overflows the '&info' object size. Use its
-appropriate size to null initialise it.
-
-Reported-by: Qinghao Tang <luodalongde@gmail.com>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Message-Id: <alpine.LFD.2.20.1512211501420.22471@wniryva>
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: P J P <ppandit@redhat.com>
----
- hw/scsi/megasas.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
-index d7dc667..576f56c 100644
---- a/hw/scsi/megasas.c
-+++ b/hw/scsi/megasas.c
-@@ -718,7 +718,7 @@ static int megasas_ctrl_get_info(MegasasState *s, MegasasCmd *cmd)
- BusChild *kid;
- int num_pd_disks = 0;
-
-- memset(&info, 0x0, cmd->iov_size);
-+ memset(&info, 0x0, dcmd_size);
- if (cmd->iov_size < dcmd_size) {
- trace_megasas_dcmd_invalid_xfer_len(cmd->index, cmd->iov_size,
- dcmd_size);
---
-2.7.4
-
diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8619.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8619.patch
deleted file mode 100644
index be67336..00000000
--- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8619.patch
+++ /dev/null
@@ -1,121 +0,0 @@
-From 64ffbe04eaafebf4045a3ace52a360c14959d196 Mon Sep 17 00:00:00 2001
-From: Wolfgang Bumiller <w.bumiller@proxmox.com>
-Date: Wed, 13 Jan 2016 09:09:58 +0100
-Subject: [PATCH] hmp: fix sendkey out of bounds write (CVE-2015-8619)
-
-When processing 'sendkey' command, hmp_sendkey routine null
-terminates the 'keyname_buf' array. This results in an OOB
-write issue, if 'keyname_len' was to fall outside of
-'keyname_buf' array.
-
-Since the keyname's length is known the keyname_buf can be
-removed altogether by adding a length parameter to
-index_from_key() and using it for the error output as well.
-
-Reported-by: Ling Liu <liuling-it@360.cn>
-Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
-Message-Id: <20160113080958.GA18934@olga>
-[Comparison with "<" dumbed down, test for junk after strtoul()
-tweaked]
-Signed-off-by: Markus Armbruster <armbru@redhat.com>
----
- hmp.c | 18 ++++++++----------
- include/ui/console.h | 2 +-
- ui/input-legacy.c | 5 +++--
- 3 files changed, 12 insertions(+), 13 deletions(-)
-
-diff --git a/hmp.c b/hmp.c
-index 54f2620..9c571f5 100644
---- a/hmp.c
-+++ b/hmp.c
-@@ -1731,21 +1731,18 @@ void hmp_sendkey(Monitor *mon, const QDict *qdict)
- int has_hold_time = qdict_haskey(qdict, "hold-time");
- int hold_time = qdict_get_try_int(qdict, "hold-time", -1);
- Error *err = NULL;
-- char keyname_buf[16];
- char *separator;
- int keyname_len;
-
- while (1) {
- separator = strchr(keys, '-');
- keyname_len = separator ? separator - keys : strlen(keys);
-- pstrcpy(keyname_buf, sizeof(keyname_buf), keys);
-
- /* Be compatible with old interface, convert user inputted "<" */
-- if (!strncmp(keyname_buf, "<", 1) && keyname_len == 1) {
-- pstrcpy(keyname_buf, sizeof(keyname_buf), "less");
-+ if (keys[0] == '<' && keyname_len == 1) {
-+ keys = "less";
- keyname_len = 4;
- }
-- keyname_buf[keyname_len] = 0;
-
- keylist = g_malloc0(sizeof(*keylist));
- keylist->value = g_malloc0(sizeof(*keylist->value));
-@@ -1758,16 +1755,17 @@ void hmp_sendkey(Monitor *mon, const QDict *qdict)
- }
- tmp = keylist;
-
-- if (strstart(keyname_buf, "0x", NULL)) {
-+ if (strstart(keys, "0x", NULL)) {
- char *endp;
-- int value = strtoul(keyname_buf, &endp, 0);
-- if (*endp != '\0') {
-+ int value = strtoul(keys, &endp, 0);
-+ assert(endp <= keys + keyname_len);
-+ if (endp != keys + keyname_len) {
- goto err_out;
- }
- keylist->value->type = KEY_VALUE_KIND_NUMBER;
- keylist->value->u.number = value;
- } else {
-- int idx = index_from_key(keyname_buf);
-+ int idx = index_from_key(keys, keyname_len);
- if (idx == Q_KEY_CODE_MAX) {
- goto err_out;
- }
-@@ -1789,7 +1787,7 @@ out:
- return;
-
- err_out:
-- monitor_printf(mon, "invalid parameter: %s\n", keyname_buf);
-+ monitor_printf(mon, "invalid parameter: %.*s\n", keyname_len, keys);
- goto out;
- }
-
-diff --git a/include/ui/console.h b/include/ui/console.h
-index adac36d..116bc2b 100644
---- a/include/ui/console.h
-+++ b/include/ui/console.h
-@@ -448,7 +448,7 @@ static inline int vnc_display_pw_expire(const char *id, time_t expires)
- void curses_display_init(DisplayState *ds, int full_screen);
-
- /* input.c */
--int index_from_key(const char *key);
-+int index_from_key(const char *key, size_t key_length);
-
- /* gtk.c */
- void early_gtk_display_init(int opengl);
-diff --git a/ui/input-legacy.c b/ui/input-legacy.c
-index 35dfc27..3454055 100644
---- a/ui/input-legacy.c
-+++ b/ui/input-legacy.c
-@@ -57,12 +57,13 @@ struct QEMUPutLEDEntry {
- static QTAILQ_HEAD(, QEMUPutLEDEntry) led_handlers =
- QTAILQ_HEAD_INITIALIZER(led_handlers);
-
--int index_from_key(const char *key)
-+int index_from_key(const char *key, size_t key_length)
- {
- int i;
-
- for (i = 0; QKeyCode_lookup[i] != NULL; i++) {
-- if (!strcmp(key, QKeyCode_lookup[i])) {
-+ if (!strncmp(key, QKeyCode_lookup[i], key_length) &&
-+ !QKeyCode_lookup[i][key_length]) {
- break;
- }
- }
---
-2.7.4
-
diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8701.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8701.patch
deleted file mode 100644
index 0dab1c3..00000000
--- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8701.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-https://bugs.gentoo.org/570110
-
-From 007cd223de527b5f41278f2d886c1a4beb3e67aa Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Mon, 28 Dec 2015 16:24:08 +0530
-Subject: [PATCH] net: rocker: fix an incorrect array bounds check
-
-While processing transmit(tx) descriptors in 'tx_consume' routine
-the switch emulator suffers from an off-by-one error, if a
-descriptor was to have more than allowed(ROCKER_TX_FRAGS_MAX=16)
-fragments. Fix an incorrect bounds check to avoid it.
-
-Reported-by: Qinghao Tang <luodalongde@gmail.com>
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Signed-off-by: Jason Wang <jasowang@redhat.com>
----
- hw/net/rocker/rocker.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/hw/net/rocker/rocker.c b/hw/net/rocker/rocker.c
-index c57f1a6..2e77e50 100644
---- a/hw/net/rocker/rocker.c
-+++ b/hw/net/rocker/rocker.c
-@@ -232,6 +232,9 @@ static int tx_consume(Rocker *r, DescInfo *info)
- frag_addr = rocker_tlv_get_le64(tlvs[ROCKER_TLV_TX_FRAG_ATTR_ADDR]);
- frag_len = rocker_tlv_get_le16(tlvs[ROCKER_TLV_TX_FRAG_ATTR_LEN]);
-
-+ if (iovcnt >= ROCKER_TX_FRAGS_MAX) {
-+ goto err_too_many_frags;
-+ }
- iov[iovcnt].iov_len = frag_len;
- iov[iovcnt].iov_base = g_malloc(frag_len);
- if (!iov[iovcnt].iov_base) {
-@@ -244,10 +247,7 @@ static int tx_consume(Rocker *r, DescInfo *info)
- err = -ROCKER_ENXIO;
- goto err_bad_io;
- }
--
-- if (++iovcnt > ROCKER_TX_FRAGS_MAX) {
-- goto err_too_many_frags;
-- }
-+ iovcnt++;
- }
-
- if (iovcnt) {
---
-2.6.2
-
diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8743.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8743.patch
deleted file mode 100644
index b2bca56..00000000
--- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8743.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-https://bugs.gentoo.org/570988
-
-From aa7f9966dfdff500bbbf1956d9e115b1fa8987a6 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Thu, 31 Dec 2015 17:05:27 +0530
-Subject: [PATCH] net: ne2000: fix bounds check in ioport operations
-
-While doing ioport r/w operations, ne2000 device emulation suffers
-from OOB r/w errors. Update respective array bounds check to avoid
-OOB access.
-
-Reported-by: Ling Liu <liuling-it@360.cn>
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Signed-off-by: Jason Wang <jasowang@redhat.com>
----
- hw/net/ne2000.c | 10 ++++++----
- 1 file changed, 6 insertions(+), 4 deletions(-)
-
-diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
-index 010f9ef..a3dffff 100644
---- a/hw/net/ne2000.c
-+++ b/hw/net/ne2000.c
-@@ -467,8 +467,9 @@ static inline void ne2000_mem_writel(NE2000State *s, uint32_t addr,
- uint32_t val)
- {
- addr &= ~1; /* XXX: check exact behaviour if not even */
-- if (addr < 32 ||
-- (addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE)) {
-+ if (addr < 32
-+ || (addr >= NE2000_PMEM_START
-+ && addr + sizeof(uint32_t) <= NE2000_MEM_SIZE)) {
- stl_le_p(s->mem + addr, val);
- }
- }
-@@ -497,8 +498,9 @@ static inline uint32_t ne2000_mem_readw(NE2000State *s, uint32_t addr)
- static inline uint32_t ne2000_mem_readl(NE2000State *s, uint32_t addr)
- {
- addr &= ~1; /* XXX: check exact behaviour if not even */
-- if (addr < 32 ||
-- (addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE)) {
-+ if (addr < 32
-+ || (addr >= NE2000_PMEM_START
-+ && addr + sizeof(uint32_t) <= NE2000_MEM_SIZE)) {
- return ldl_le_p(s->mem + addr);
- } else {
- return 0xffffffff;
---
-2.6.2
-
diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1568.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1568.patch
deleted file mode 100644
index 4ce9a35..00000000
--- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1568.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-https://bugs.gentoo.org/571566
-
-From 4ab0359a8ae182a7ac5c99609667273167703fab Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Mon, 11 Jan 2016 14:10:42 -0500
-Subject: [PATCH] ide: ahci: reset ncq object to unused on error
-
-When processing NCQ commands, AHCI device emulation prepares a
-NCQ transfer object; To which an aio control block(aiocb) object
-is assigned in 'execute_ncq_command'. In case, when the NCQ
-command is invalid, the 'aiocb' object is not assigned, and NCQ
-transfer object is left as 'used'. This leads to a use after
-free kind of error in 'bdrv_aio_cancel_async' via 'ahci_reset_port'.
-Reset NCQ transfer object to 'unused' to avoid it.
-
-[Maintainer edit: s/ACHI/AHCI/ in the commit message. --js]
-
-Reported-by: Qinghao Tang <luodalongde@gmail.com>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Reviewed-by: John Snow <jsnow@redhat.com>
-Message-id: 1452282511-4116-1-git-send-email-ppandit@redhat.com
-Signed-off-by: John Snow <jsnow@redhat.com>
----
- hw/ide/ahci.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
-index dd1912e..17f1cbd 100644
---- a/hw/ide/ahci.c
-+++ b/hw/ide/ahci.c
-@@ -910,6 +910,7 @@ static void ncq_err(NCQTransferState *ncq_tfs)
- ide_state->error = ABRT_ERR;
- ide_state->status = READY_STAT | ERR_STAT;
- ncq_tfs->drive->port_regs.scr_err |= (1 << ncq_tfs->tag);
-+ ncq_tfs->used = 0;
- }
-
- static void ncq_finish(NCQTransferState *ncq_tfs)
---
-2.6.2
-
diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1714.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1714.patch
deleted file mode 100644
index 917fa2f..00000000
--- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1714.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From 66f8fd9dda312191b78d2a2ba2848bcee76127a2 Mon Sep 17 00:00:00 2001
-From: "Gabriel L. Somlo" <somlo@cmu.edu>
-Date: Thu, 5 Nov 2015 09:32:50 -0500
-Subject: [PATCH] fw_cfg: avoid calculating invalid current entry pointer
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-When calculating a pointer to the currently selected fw_cfg item, the
-following is used:
-
- FWCfgEntry *e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK];
-
-When s->cur_entry is FW_CFG_INVALID, we are calculating the address of
-a non-existent element in s->entries[arch][...], which is undefined.
-
-This patch ensures the resulting entry pointer is set to NULL whenever
-s->cur_entry is FW_CFG_INVALID.
-
-Reported-by: Laszlo Ersek <lersek@redhat.com>
-Reviewed-by: Laszlo Ersek <lersek@redhat.com>
-Signed-off-by: Gabriel Somlo <somlo@cmu.edu>
-Message-id: 1446733972-1602-5-git-send-email-somlo@cmu.edu
-Cc: Marc Marí <markmb@redhat.com>
-Signed-off-by: Gabriel Somlo <somlo@cmu.edu>
-Reviewed-by: Laszlo Ersek <lersek@redhat.com>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- hw/nvram/fw_cfg.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/hw/nvram/fw_cfg.c b/hw/nvram/fw_cfg.c
-index c2d3a0a..046fa74 100644
---- a/hw/nvram/fw_cfg.c
-+++ b/hw/nvram/fw_cfg.c
-@@ -277,7 +277,8 @@ static int fw_cfg_select(FWCfgState *s, uint16_t key)
- static uint8_t fw_cfg_read(FWCfgState *s)
- {
- int arch = !!(s->cur_entry & FW_CFG_ARCH_LOCAL);
-- FWCfgEntry *e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK];
-+ FWCfgEntry *e = (s->cur_entry == FW_CFG_INVALID) ? NULL :
-+ &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK];
- uint8_t ret;
-
- if (s->cur_entry == FW_CFG_INVALID || !e->data || s->cur_offset >= e->len)
-@@ -342,7 +343,8 @@ static void fw_cfg_dma_transfer(FWCfgState *s)
- }
-
- arch = !!(s->cur_entry & FW_CFG_ARCH_LOCAL);
-- e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK];
-+ e = (s->cur_entry == FW_CFG_INVALID) ? NULL :
-+ &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK];
-
- if (dma.control & FW_CFG_DMA_CTL_READ) {
- read = 1;
---
-2.7.4
-
diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1922.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1922.patch
deleted file mode 100644
index 23c2341..00000000
--- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1922.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From 4c1396cb576c9b14425558b73de1584c7a9735d7 Mon Sep 17 00:00:00 2001
-From: P J P <ppandit@redhat.com>
-Date: Fri, 18 Dec 2015 11:35:07 +0530
-Subject: [PATCH] i386: avoid null pointer dereference
-
- Hello,
-
-A null pointer dereference issue was reported by Mr Ling Liu, CC'd here. It
-occurs while doing I/O port write operations via hmp interface. In that,
-'current_cpu' remains null as it is not called from cpu_exec loop, which
-results in the said issue.
-
-Below is a proposed (tested)patch to fix this issue; Does it look okay?
-
-===
-From ae88a4947fab9a148cd794f8ad2d812e7f5a1d0f Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Fri, 18 Dec 2015 11:16:07 +0530
-Subject: [PATCH] i386: avoid null pointer dereference
-
-When I/O port write operation is called from hmp interface,
-'current_cpu' remains null, as it is not called from cpu_exec()
-loop. This leads to a null pointer dereference in vapic_write
-routine. Add check to avoid it.
-
-Reported-by: Ling Liu <liuling-it@360.cn>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Message-Id: <alpine.LFD.2.20.1512181129320.9805@wniryva>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: P J P <ppandit@redhat.com>
----
- hw/i386/kvmvapic.c | 15 ++++++++++-----
- 1 file changed, 10 insertions(+), 5 deletions(-)
-
-diff --git a/hw/i386/kvmvapic.c b/hw/i386/kvmvapic.c
-index c6d34b2..f0922da 100644
---- a/hw/i386/kvmvapic.c
-+++ b/hw/i386/kvmvapic.c
-@@ -634,13 +634,18 @@ static int vapic_prepare(VAPICROMState *s)
- static void vapic_write(void *opaque, hwaddr addr, uint64_t data,
- unsigned int size)
- {
-- CPUState *cs = current_cpu;
-- X86CPU *cpu = X86_CPU(cs);
-- CPUX86State *env = &cpu->env;
-- hwaddr rom_paddr;
- VAPICROMState *s = opaque;
-+ X86CPU *cpu;
-+ CPUX86State *env;
-+ hwaddr rom_paddr;
-
-- cpu_synchronize_state(cs);
-+ if (!current_cpu) {
-+ return;
-+ }
-+
-+ cpu_synchronize_state(current_cpu);
-+ cpu = X86_CPU(current_cpu);
-+ env = &cpu->env;
-
- /*
- * The VAPIC supports two PIO-based hypercalls, both via port 0x7E.
---
-2.7.4
-
diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1981.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1981.patch
deleted file mode 100644
index 2922193..00000000
--- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1981.patch
+++ /dev/null
@@ -1,98 +0,0 @@
-From dd793a74882477ca38d49e191110c17dfee51dcc Mon Sep 17 00:00:00 2001
-From: Laszlo Ersek <lersek@redhat.com>
-Date: Tue, 19 Jan 2016 14:17:20 +0100
-Subject: [PATCH] e1000: eliminate infinite loops on out-of-bounds transfer
- start
-
-The start_xmit() and e1000_receive_iov() functions implement DMA transfers
-iterating over a set of descriptors that the guest's e1000 driver
-prepares:
-
-- the TDLEN and RDLEN registers store the total size of the descriptor
- area,
-
-- while the TDH and RDH registers store the offset (in whole tx / rx
- descriptors) into the area where the transfer is supposed to start.
-
-Each time a descriptor is processed, the TDH and RDH register is bumped
-(as appropriate for the transfer direction).
-
-QEMU already contains logic to deal with bogus transfers submitted by the
-guest:
-
-- Normally, the transmit case wants to increase TDH from its initial value
- to TDT. (TDT is allowed to be numerically smaller than the initial TDH
- value; wrapping at or above TDLEN bytes to zero is normal.) The failsafe
- that QEMU currently has here is a check against reaching the original
- TDH value again -- a complete wraparound, which should never happen.
-
-- In the receive case RDH is increased from its initial value until
- "total_size" bytes have been received; preferably in a single step, or
- in "s->rxbuf_size" byte steps, if the latter is smaller. However, null
- RX descriptors are skipped without receiving data, while RDH is
- incremented just the same. QEMU tries to prevent an infinite loop
- (processing only null RX descriptors) by detecting whether RDH assumes
- its original value during the loop. (Again, wrapping from RDLEN to 0 is
- normal.)
-
-What both directions miss is that the guest could program TDLEN and RDLEN
-so low, and the initial TDH and RDH so high, that these registers will
-immediately be truncated to zero, and then never reassume their initial
-values in the loop -- a full wraparound will never occur.
-
-The condition that expresses this is:
-
- xdh_start >= s->mac_reg[XDLEN] / sizeof(desc)
-
-i.e., TDH or RDH start out after the last whole rx or tx descriptor that
-fits into the TDLEN or RDLEN sized area.
-
-This condition could be checked before we enter the loops, but
-pci_dma_read() / pci_dma_write() knows how to fill in buffers safely for
-bogus DMA addresses, so we just extend the existing failsafes with the
-above condition.
-
-This is CVE-2016-1981.
-
-Cc: "Michael S. Tsirkin" <mst@redhat.com>
-Cc: Petr Matousek <pmatouse@redhat.com>
-Cc: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
-Cc: Prasad Pandit <ppandit@redhat.com>
-Cc: Michael Roth <mdroth@linux.vnet.ibm.com>
-Cc: Jason Wang <jasowang@redhat.com>
-Cc: qemu-stable@nongnu.org
-RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1296044
-Signed-off-by: Laszlo Ersek <lersek@redhat.com>
-Reviewed-by: Jason Wang <jasowang@redhat.com>
-Signed-off-by: Jason Wang <jasowang@redhat.com>
----
- hw/net/e1000.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/hw/net/e1000.c b/hw/net/e1000.c
-index 4eda7a3..0387fa0 100644
---- a/hw/net/e1000.c
-+++ b/hw/net/e1000.c
-@@ -909,7 +909,8 @@ start_xmit(E1000State *s)
- * bogus values to TDT/TDLEN.
- * there's nothing too intelligent we could do about this.
- */
-- if (s->mac_reg[TDH] == tdh_start) {
-+ if (s->mac_reg[TDH] == tdh_start ||
-+ tdh_start >= s->mac_reg[TDLEN] / sizeof(desc)) {
- DBGOUT(TXERR, "TDH wraparound @%x, TDT %x, TDLEN %x\n",
- tdh_start, s->mac_reg[TDT], s->mac_reg[TDLEN]);
- break;
-@@ -1166,7 +1167,8 @@ e1000_receive_iov(NetClientState *nc, const struct iovec *iov, int iovcnt)
- if (++s->mac_reg[RDH] * sizeof(desc) >= s->mac_reg[RDLEN])
- s->mac_reg[RDH] = 0;
- /* see comment in start_xmit; same here */
-- if (s->mac_reg[RDH] == rdh_start) {
-+ if (s->mac_reg[RDH] == rdh_start ||
-+ rdh_start >= s->mac_reg[RDLEN] / sizeof(desc)) {
- DBGOUT(RXERR, "RDH wraparound @%x, RDT %x, RDLEN %x\n",
- rdh_start, s->mac_reg[RDT], s->mac_reg[RDLEN]);
- set_ics(s, 0, E1000_ICS_RXO);
---
-2.7.4
-
diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2197.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2197.patch
deleted file mode 100644
index 0ab7b02..00000000
--- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2197.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 99b4cb71069f109b79b27bc629fc0cf0886dbc4b Mon Sep 17 00:00:00 2001
-From: John Snow <jsnow@redhat.com>
-Date: Wed, 10 Feb 2016 13:29:40 -0500
-Subject: [PATCH] ahci: Do not unmap NULL addresses
-
-Definitely don't try to unmap a garbage address.
-
-Reported-by: Zuozhi fzz <zuozhi.fzz@alibaba-inc.com>
-Signed-off-by: John Snow <jsnow@redhat.com>
-Message-id: 1454103689-13042-2-git-send-email-jsnow@redhat.com
----
- hw/ide/ahci.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
-index 7e87b18..3a95dad 100644
---- a/hw/ide/ahci.c
-+++ b/hw/ide/ahci.c
-@@ -662,6 +662,10 @@ static bool ahci_map_fis_address(AHCIDevice *ad)
-
- static void ahci_unmap_fis_address(AHCIDevice *ad)
- {
-+ if (ad->res_fis == NULL) {
-+ DPRINTF(ad->port_no, "Attempt to unmap NULL FIS address\n");
-+ return;
-+ }
- dma_memory_unmap(ad->hba->as, ad->res_fis, 256,
- DMA_DIRECTION_FROM_DEVICE, 256);
- ad->res_fis = NULL;
-@@ -678,6 +682,10 @@ static bool ahci_map_clb_address(AHCIDevice *ad)
-
- static void ahci_unmap_clb_address(AHCIDevice *ad)
- {
-+ if (ad->lst == NULL) {
-+ DPRINTF(ad->port_no, "Attempt to unmap NULL CLB address\n");
-+ return;
-+ }
- dma_memory_unmap(ad->hba->as, ad->lst, 1024,
- DMA_DIRECTION_FROM_DEVICE, 1024);
- ad->lst = NULL;
---
-2.7.4
-
diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2392.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2392.patch
deleted file mode 100644
index e7aa5ca..00000000
--- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2392.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 80eecda8e5d09c442c24307f340840a5b70ea3b9 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Thu, 11 Feb 2016 16:31:20 +0530
-Subject: [PATCH] usb: check USB configuration descriptor object
-
-When processing remote NDIS control message packets, the USB Net
-device emulator checks to see if the USB configuration descriptor
-object is of RNDIS type(2). But it does not check if it is null,
-which leads to a null dereference error. Add check to avoid it.
-
-Reported-by: Qinghao Tang <luodalongde@gmail.com>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Message-id: 1455188480-14688-1-git-send-email-ppandit@redhat.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- hw/usb/dev-network.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/hw/usb/dev-network.c b/hw/usb/dev-network.c
-index 985a629..5dc4538 100644
---- a/hw/usb/dev-network.c
-+++ b/hw/usb/dev-network.c
-@@ -654,7 +654,8 @@ typedef struct USBNetState {
-
- static int is_rndis(USBNetState *s)
- {
-- return s->dev.config->bConfigurationValue == DEV_RNDIS_CONFIG_VALUE;
-+ return s->dev.config ?
-+ s->dev.config->bConfigurationValue == DEV_RNDIS_CONFIG_VALUE : 0;
- }
-
- static int ndis_query(USBNetState *s, uint32_t oid,
---
-2.7.4
-
diff --git a/app-emulation/qemu/files/qemu-2.5.0-ne2000-reg-check.patch b/app-emulation/qemu/files/qemu-2.5.0-ne2000-reg-check.patch
deleted file mode 100644
index 2874b75..00000000
--- a/app-emulation/qemu/files/qemu-2.5.0-ne2000-reg-check.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 415ab35a441eca767d033a2702223e785b9d5190 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Wed, 24 Feb 2016 11:41:33 +0530
-Subject: [PATCH] net: ne2000: check ring buffer control registers
-
-Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
-bytes to process network packets. Registers PSTART & PSTOP
-define ring buffer size & location. Setting these registers
-to invalid values could lead to infinite loop or OOB r/w
-access issues. Add check to avoid it.
-
-Reported-by: Yang Hongke <yanghongke@huawei.com>
-Tested-by: Yang Hongke <yanghongke@huawei.com>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Signed-off-by: Jason Wang <jasowang@redhat.com>
----
- hw/net/ne2000.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
-index e408083..f0feaf9 100644
---- a/hw/net/ne2000.c
-+++ b/hw/net/ne2000.c
-@@ -155,6 +155,10 @@ static int ne2000_buffer_full(NE2000State *s)
- {
- int avail, index, boundary;
-
-+ if (s->stop <= s->start) {
-+ return 1;
-+ }
-+
- index = s->curpag << 8;
- boundary = s->boundary << 8;
- if (index < boundary)
---
-2.7.4
-
diff --git a/app-emulation/qemu/files/qemu-2.5.0-usb-ehci-oob.patch b/app-emulation/qemu/files/qemu-2.5.0-usb-ehci-oob.patch
deleted file mode 100644
index 2ddca3e..00000000
--- a/app-emulation/qemu/files/qemu-2.5.0-usb-ehci-oob.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From 49d925ce50383a286278143c05511d30ec41a36e Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Wed, 20 Jan 2016 01:26:46 +0530
-Subject: [PATCH] usb: check page select value while processing iTD
-
-While processing isochronous transfer descriptors(iTD), the page
-select(PG) field value could lead to an OOB read access. Add
-check to avoid it.
-
-Reported-by: Qinghao Tang <luodalongde@gmail.com>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Message-id: 1453233406-12165-1-git-send-email-ppandit@redhat.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- hw/usb/hcd-ehci.c | 10 ++++++----
- 1 file changed, 6 insertions(+), 4 deletions(-)
-
-diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
-index ab00268..93601d9 100644
---- a/hw/usb/hcd-ehci.c
-+++ b/hw/usb/hcd-ehci.c
-@@ -1405,21 +1405,23 @@ static int ehci_process_itd(EHCIState *ehci,
- if (itd->transact[i] & ITD_XACT_ACTIVE) {
- pg = get_field(itd->transact[i], ITD_XACT_PGSEL);
- off = itd->transact[i] & ITD_XACT_OFFSET_MASK;
-- ptr1 = (itd->bufptr[pg] & ITD_BUFPTR_MASK);
-- ptr2 = (itd->bufptr[pg+1] & ITD_BUFPTR_MASK);
- len = get_field(itd->transact[i], ITD_XACT_LENGTH);
-
- if (len > max * mult) {
- len = max * mult;
- }
--
-- if (len > BUFF_SIZE) {
-+ if (len > BUFF_SIZE || pg > 6) {
- return -1;
- }
-
-+ ptr1 = (itd->bufptr[pg] & ITD_BUFPTR_MASK);
- qemu_sglist_init(&ehci->isgl, ehci->device, 2, ehci->as);
- if (off + len > 4096) {
- /* transfer crosses page border */
-+ if (pg == 6) {
-+ return -1; /* avoid page pg + 1 */
-+ }
-+ ptr2 = (itd->bufptr[pg + 1] & ITD_BUFPTR_MASK);
- uint32_t len2 = off + len - 4096;
- uint32_t len1 = len - len2;
- qemu_sglist_add(&ehci->isgl, ptr1 + off, len1);
---
-2.7.4
-
diff --git a/app-emulation/qemu/files/qemu-2.5.0-usb-ndis-int-overflow.patch b/app-emulation/qemu/files/qemu-2.5.0-usb-ndis-int-overflow.patch
deleted file mode 100644
index da643fd..00000000
--- a/app-emulation/qemu/files/qemu-2.5.0-usb-ndis-int-overflow.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From fe3c546c5ff2a6210f9a4d8561cc64051ca8603e Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Wed, 17 Feb 2016 00:23:41 +0530
-Subject: [PATCH] usb: check RNDIS buffer offsets & length
-
-When processing remote NDIS control message packets,
-the USB Net device emulator uses a fixed length(4096) data buffer.
-The incoming informationBufferOffset & Length combination could
-overflow and cross that range. Check control message buffer
-offsets and length to avoid it.
-
-Reported-by: Qinghao Tang <luodalongde@gmail.com>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Message-id: 1455648821-17340-3-git-send-email-ppandit@redhat.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- hw/usb/dev-network.c | 9 ++++++---
- 1 file changed, 6 insertions(+), 3 deletions(-)
-
-diff --git a/hw/usb/dev-network.c b/hw/usb/dev-network.c
-index 5dc4538..c6abd38 100644
---- a/hw/usb/dev-network.c
-+++ b/hw/usb/dev-network.c
-@@ -916,8 +916,9 @@ static int rndis_query_response(USBNetState *s,
-
- bufoffs = le32_to_cpu(buf->InformationBufferOffset) + 8;
- buflen = le32_to_cpu(buf->InformationBufferLength);
-- if (bufoffs + buflen > length)
-+ if (buflen > length || bufoffs >= length || bufoffs + buflen > length) {
- return USB_RET_STALL;
-+ }
-
- infobuflen = ndis_query(s, le32_to_cpu(buf->OID),
- bufoffs + (uint8_t *) buf, buflen, infobuf,
-@@ -962,8 +963,9 @@ static int rndis_set_response(USBNetState *s,
-
- bufoffs = le32_to_cpu(buf->InformationBufferOffset) + 8;
- buflen = le32_to_cpu(buf->InformationBufferLength);
-- if (bufoffs + buflen > length)
-+ if (buflen > length || bufoffs >= length || bufoffs + buflen > length) {
- return USB_RET_STALL;
-+ }
-
- ret = ndis_set(s, le32_to_cpu(buf->OID),
- bufoffs + (uint8_t *) buf, buflen);
-@@ -1213,8 +1215,9 @@ static void usb_net_handle_dataout(USBNetState *s, USBPacket *p)
- if (le32_to_cpu(msg->MessageType) == RNDIS_PACKET_MSG) {
- uint32_t offs = 8 + le32_to_cpu(msg->DataOffset);
- uint32_t size = le32_to_cpu(msg->DataLength);
-- if (offs + size <= len)
-+ if (offs < len && size < len && offs + size <= len) {
- qemu_send_packet(qemu_get_queue(s->nic), s->out_buf + offs, size);
-+ }
- }
- s->out_ptr -= len;
- memmove(s->out_buf, &s->out_buf[len], s->out_ptr);
---
-2.7.4
-
diff --git a/app-emulation/qemu/files/qemu-2.6.0-crypto-static.patch b/app-emulation/qemu/files/qemu-2.6.0-crypto-static.patch
deleted file mode 100644
index 4856373..00000000
--- a/app-emulation/qemu/files/qemu-2.6.0-crypto-static.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-https://lists.gnu.org/archive/html/qemu-devel/2016-06/msg01611.html
-
-From 6a2909cf98e892783b2502df6f7f4de46d13e42b Mon Sep 17 00:00:00 2001
-From: Mike Frysinger <vapier@chromium.org>
-Date: Mon, 6 Jun 2016 17:58:26 -0400
-Subject: [PATCH] crypto: aes: always rename internal symbols
-
-OpenSSL's libcrypto always defines AES symbols with the same names as
-qemu's local aes code. This is problematic when enabling at least curl
-as that frequently also uses libcrypto. It might not be noticed when
-running, but if you try to statically link, everything falls down.
-
-An example snippet:
- LINK qemu-nbd
-.../libcrypto.a(aes-x86_64.o): In function 'AES_encrypt':
-(.text+0x460): multiple definition of 'AES_encrypt'
-crypto/aes.o:aes.c:(.text+0x670): first defined here
-.../libcrypto.a(aes-x86_64.o): In function 'AES_decrypt':
-(.text+0x9f0): multiple definition of 'AES_decrypt'
-crypto/aes.o:aes.c:(.text+0xb30): first defined here
-.../libcrypto.a(aes-x86_64.o): In function 'AES_cbc_encrypt':
-(.text+0xf90): multiple definition of 'AES_cbc_encrypt'
-crypto/aes.o:aes.c:(.text+0xff0): first defined here
-collect2: error: ld returned 1 exit status
-.../qemu-2.6.0/rules.mak:105: recipe for target 'qemu-nbd' failed
-make: *** [qemu-nbd] Error 1
-
-The aes.h header has redefines already for FreeBSD, but go ahead and
-enable that for everyone since there's no real good reason to not use
-a namespace all the time.
-
-Signed-off-by: Mike Frysinger <vapier@chromium.org>
----
- include/crypto/aes.h | 5 ++---
- 1 file changed, 2 insertions(+), 3 deletions(-)
-
-diff --git a/include/crypto/aes.h b/include/crypto/aes.h
-index a006da2224a9..12fb321b89de 100644
---- a/include/crypto/aes.h
-+++ b/include/crypto/aes.h
-@@ -10,14 +10,13 @@ struct aes_key_st {
- };
- typedef struct aes_key_st AES_KEY;
-
--/* FreeBSD has its own AES_set_decrypt_key in -lcrypto, avoid conflicts */
--#ifdef __FreeBSD__
-+/* FreeBSD/OpenSSL have their own AES functions with the same names in -lcrypto
-+ * (which might be pulled in via curl), so redefine to avoid conflicts. */
- #define AES_set_encrypt_key QEMU_AES_set_encrypt_key
- #define AES_set_decrypt_key QEMU_AES_set_decrypt_key
- #define AES_encrypt QEMU_AES_encrypt
- #define AES_decrypt QEMU_AES_decrypt
- #define AES_cbc_encrypt QEMU_AES_cbc_encrypt
--#endif
-
- int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
- AES_KEY *key);
---
-2.8.2
-
diff --git a/app-emulation/qemu/files/qemu-2.6.0-glib-size_t.patch b/app-emulation/qemu/files/qemu-2.6.0-glib-size_t.patch
deleted file mode 100644
index 5fd678c..00000000
--- a/app-emulation/qemu/files/qemu-2.6.0-glib-size_t.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- a/configure 2016-08-07 15:50:20.386687733 +0200
-+++ b/configure 2016-08-07 15:53:55.489691690 +0200
-@@ -2967,7 +2967,7 @@
- }
- EOF
-
--if ! compile_prog "-Werror $CFLAGS" "$LIBS" ; then
-+if ! compile_prog "$CFLAGS" "$LIBS" ; then
- error_exit "sizeof(size_t) doesn't match GLIB_SIZEOF_SIZE_T."\
- "You probably need to set PKG_CONFIG_LIBDIR"\
- "to point to the right pkg-config files for your"\
^ permalink raw reply related [flat|nested] 21+ messages in thread* [gentoo-commits] repo/gentoo:master commit in: app-emulation/qemu/files/
@ 2016-08-15 20:36 Luca Barbato
0 siblings, 0 replies; 21+ messages in thread
From: Luca Barbato @ 2016-08-15 20:36 UTC (permalink / raw
To: gentoo-commits
commit: 7e098a5f99fd05748c2925a1811ac08cce82ae56
Author: Luca Barbato <lu_zero <AT> gentoo <DOT> org>
AuthorDate: Mon Aug 15 20:36:12 2016 +0000
Commit: Luca Barbato <lu_zero <AT> gentoo <DOT> org>
CommitDate: Mon Aug 15 20:36:12 2016 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7e098a5f
app-emulation/qemu: Update ppc magic mask
Unbreak using qemu-user with current stage3.
Package-Manager: portage-2.3.0
app-emulation/qemu/files/qemu-binfmt.initd-r1 | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/app-emulation/qemu/files/qemu-binfmt.initd-r1 b/app-emulation/qemu/files/qemu-binfmt.initd-r1
index 5ad0fc0..18adb65 100644
--- a/app-emulation/qemu/files/qemu-binfmt.initd-r1
+++ b/app-emulation/qemu/files/qemu-binfmt.initd-r1
@@ -1,5 +1,5 @@
#!/sbin/openrc-run
-# Copyright 1999-2014 Gentoo Foundation
+# Copyright 1999-2016 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Id$
@@ -75,7 +75,7 @@ start() {
echo ':sparc:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x02:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-sparc:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
fi
if [ $cpu != "ppc" -a -x "/usr/bin/qemu-ppc" ] ; then
- echo ':ppc:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x14:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-ppc:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
+ echo ':ppc:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x14:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-ppc:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
fi
if [ $cpu != "m68k" -a -x "/usr/bin/qemu-m68k" ] ; then
#echo 'Please check cpu value and header information for m68k!'
^ permalink raw reply related [flat|nested] 21+ messages in thread
end of thread, other threads:[~2024-08-20 8:01 UTC | newest]
Thread overview: 21+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2018-03-30 2:54 [gentoo-commits] repo/gentoo:master commit in: app-emulation/qemu/files/ Aaron Bauman
-- strict thread matches above, loose matches on Subject: below --
2024-08-20 8:01 Joonas Niilola
2023-11-20 20:20 Ulrich Müller
2023-10-22 16:33 Joonas Niilola
2023-02-22 11:32 Sam James
2022-01-12 8:38 Matthias Maier
2022-01-10 21:02 John Helmert III
2022-01-06 19:08 John Helmert III
2021-06-16 20:59 Sergei Trofimovich
2021-03-14 18:53 Conrad Kostecki
2020-09-21 21:48 Conrad Kostecki
2020-07-06 18:40 Sergei Trofimovich
2020-04-18 21:31 Sergei Trofimovich
2019-05-20 16:27 Matthias Maier
2018-03-27 15:44 Matthias Maier
2017-12-06 12:42 Michael Palimaka
2017-11-12 20:22 Matthias Maier
2017-07-26 19:37 Matthias Maier
2017-07-26 17:15 Matthias Maier
2016-09-05 5:30 Matthias Maier
2016-08-15 20:36 Luca Barbato
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox