Hi everyone, The following new patches are queued for QEMU stable v1.7.2:
https://github.com/mdroth/qemu/commits/stable-1.7-staging The release is planned for 2014-07-21: http://wiki.qemu.org/Planning/1.7 Please respond here or CC qemu-sta...@nongnu.org on any patches you think should be included in the release. Testing/feedback is greatly appreciated. As you maybe have noticed, the 1.7.2 stable release is late by almost an entire release cycle. There were some important fixes planned for 1.7.2 however, so hopefully better late than never. Due to the delay the patch queue for this release is quite a bit longer than usual, so anyone interested in this release is highly encouraged to review/test. 2.0.1 has similarly slipped by half a release cycle, so 2.0.1 will be going out during the originally planned date release date for 2.0.2, and is the only planned stable release for the 2.0 series: http://wiki.qemu.org/Planning/2.0 My apologies for the delays. For 2.1.x, we should be back on track for the normal stable release schedule (2.1.1 midway through 2.2 development, and 2.1.2 roughly coinciding with 2.2 release). Thanks! ---------------------------------------------------------------- Alexander Graf (3): kvmclock: Ensure time in migration never goes backward KVM: Fix GSI number space limit virtio-serial: don't migrate the config space Alexey Kardashevskiy (1): spapr_pci: Fix number of returned vectors in ibm, change-msi Andreas Färber (2): sdhci: Fix misuse of qemu_free_irqs() hw: Fix qemu_allocate_irqs() leaks Benoît Canet (2): ide: Correct improper smart self test counter reset in ide core. block: Prevent coroutine stack overflow when recursing in bdrv_open_backing_file. ChenLiang (1): migration: remove duplicate code Cornelia Huck (1): s390x/css: handle emw correctly for tsch Cédric Le Goater (1): virtio-net: byteswap virtio-net header David Hildenbrand (1): s390x: empty function stubs in preparation for __KVM_HAVE_GUEST_DEBUG Dmitry Fleytman (4): vmxnet3: validate interrupt indices coming from guest vmxnet3: validate queues configuration coming from guest vmxnet3: validate interrupt indices read on migration vmxnet3: validate queues configuration read on migration Dr. David Alan Gilbert (1): Fix vmstate_info_int32_le comparison/assign Edgar E. Iglesias (1): target-arm: Make vbar_write 64bit friendly on 32bit hosts Eduardo Habkost (1): target-i386: Filter FEAT_7_0_EBX TCG features too Fam Zheng (2): scsi: Change scsi sense buf size to 252 curl: check data size before memcpy to local buffer. (CVE-2014-0144) Gal Hammer (1): char: restore read callback on a reattached (hotplug) chardev Gonglei (1): qga: Fix handle fd leak in acquire_privilege() Hani Benhabiles (5): usb: Fix usb-bt-dongle initialization. nbd: Don't export a block device with no medium. nbd: Don't validate from and len in NBD_CMD_DISC. nbd: Close socket on negotiation failure. nbd: Shutdown socket before closing. Hannes Reinecke (1): megasas: Implement LD_LIST_QUERY Hu Tao (1): qcow2: fix offset overflow in qcow2_alloc_clusters_at() Jeff Cody (3): vpc/vhd: add bounds check for max_table_entries and block_size (CVE-2014-0144) vdi: add bounds checks for blocks_in_image and disk_size header fields (CVE-2014-0144) vhdx: Bounds checking for block_size and logical_sector_size (CVE-2014-0148) Kevin Wolf (35): qcow2: Flush metadata during read-only reopen block: Use BDRV_O_NO_BACKING where appropriate qemu-iotests: Support for bochs format bochs: Unify header structs and make them QEMU_PACKED bochs: Use unsigned variables for offsets and sizes (CVE-2014-0147) bochs: Check catalog_size header field (CVE-2014-0143) bochs: Check extent_size header field (CVE-2014-0142) bochs: Fix bitmap offset calculation vpc: Validate block size (CVE-2014-0142) qcow2: Check header_length (CVE-2014-0144) qcow2: Check backing_file_offset (CVE-2014-0144) qcow2: Check refcount table size (CVE-2014-0144) qcow2: Validate refcount table offset qcow2: Validate snapshot table offset/size (CVE-2014-0144) qcow2: Validate active L1 table offset and size (CVE-2014-0144) qcow2: Fix backing file name length check qcow2: Zero-initialise first cluster for new images qcow2: Don't rely on free_cluster_index in alloc_refcount_block() (CVE-2014-0147) qcow2: Avoid integer overflow in get_refcount (CVE-2014-0143) qcow2: Check new refcount table size on growth qcow2: Fix types in qcow2_alloc_clusters and alloc_clusters_noref qcow2: Protect against some integer overflows in bdrv_check qcow2: Fix new L1 table size check (CVE-2014-0143) block: Limit request size (CVE-2014-0143) qcow2: Fix NULL dereference in qcow2_open() error path (CVE-2014-0146) qcow2: Fix copy_sectors() with VM state qcow2: Fix L1 allocation size in qcow2_snapshot_load_tmp() (CVE-2014-0145) qcow2: Check maximum L1 size in qcow2_snapshot_load_tmp() (CVE-2014-0143) parallels: Fix catalog size integer overflow (CVE-2014-0143) parallels: Sanity check for s->tracks (CVE-2014-0142) qcow1: Make padding in the header explicit qcow1: Check maximum cluster size qcow1: Validate L2 table size (CVE-2014-0222) qcow1: Validate image size (CVE-2014-0223) qcow1: Stricter backing file length check Le Tan (1): pci: assign devfn to pci_dev before calling pci_device_iommu_address_space() Marcelo Tosatti (1): kvmclock: Ensure proper env->tsc value for kvmclock_current_nsec calculation Markus Armbruster (10): scsi-bus: Fix transfer length for VERIFY with BYTCHK=11b virtio-scsi: Plug memory leak on virtio_scsi_push_event() error path blockdev: Plug memory leak in blockdev_init() blockdev: Plug memory leak in drive_init() block/qapi: Plug memory leak in dump_qobject() case QTYPE_QERROR block/vvfat: Plug memory leak in check_directory_consistency() block/vvfat: Plug memory leak in read_directory() block/sheepdog: Plug memory leak in sd_snapshot_create() qemu-img: Plug memory leak in convert command vnc: Fix tight_detect_smooth_image() for lossless case Max Filippov (1): target-xtensa: fix cross-page jumps/calls at the end of TB Max Reitz (1): block-commit: speed is an optional parameter Michael R. Hines (1): rdma: bug fixes Michael Roth (3): virtio: avoid buffer overrun on incoming migration openpic: avoid buffer overrun on incoming migration qapi: zero-initialize all QMP command parameters Michael S. Tsirkin (27): acpi: fix tables for no-hpet configuration vmstate: reduce code duplication vmstate: add VMS_MUST_EXIST vmstate: add VMSTATE_VALIDATE virtio-net: fix buffer overflow on invalid state load virtio-net: out-of-bounds buffer write on invalid state load virtio-net: out-of-bounds buffer write on load virtio: out-of-bounds buffer write on invalid state load ahci: fix buffer overrun on invalid state load hpet: fix buffer overrun on invalid state load hw/pci/pcie_aer.c: fix buffer overruns on invalid state load pl022: fix buffer overun on invalid state load vmstate: fix buffer overflow in target-arm/machine.c virtio: validate num_sg when mapping pxa2xx: avoid buffer overrun on incoming migration ssi-sd: fix buffer overrun on invalid state load ssd0323: fix buffer overun on invalid state load tsc210x: fix buffer overrun on invalid state load zaurus: fix buffer overrun on invalid state load virtio-scsi: fix buffer overrun on invalid state load vmstate: s/VMSTATE_INT32_LE/VMSTATE_INT32_POSITIVE_LE/ usb: sanity check setup_index+setup_len in post_load virtio: validate config_len on load stellaris_enet: block migration pci-assign: limit # of msix vectors virtio: allow mapping up to max queue size vhost: fix resource leak in error handling Michael Tokarev (1): po/Makefile: fix $SRC_PATH reference Paolo Bonzini (2): mirror: fix throttling delay calculation target-i386: fix set of registers zeroed on reset Peter Crosthwaite (1): arm: translate.c: Fix smlald Instruction Peter Lieven (2): block/iscsi: fix deadlock on scsi check condition migration: catch unknown flags in ram_load Peter Maydell (9): hw/net/stellaris_enet: Restructure tx_fifo code to avoid buffer overrun hw/net/stellaris_enet: Correct handling of packet padding savevm: Ignore minimum_version_id_old if there is no load_state_old linux-user/elfload.c: Fix incorrect ARM HWCAP bits linux-user/elfload.c: Update ARM HWCAP bits linux-user/elfload.c: Fix A64 code which was incorrectly acting like A32 linux-user: Don't overrun guest buffer in sched_getaffinity target-arm: Fix errors in writes to generic timer control registers coroutine-win32.c: Add noinline attribute to work around gcc bug Richard Henderson (3): target-i386: Fix CC_OP_CLR vs PF target-i386: Fix ucomis and comis memory access tcg-i386: Fix win64 qemu store Stefan Fritsch (1): virtio-net: Do not filter VLANs without F_CTRL_VLAN Stefan Hajnoczi (18): qom: Avoid leaking str and bool properties on failure tap: avoid deadlocking rx mirror: fix early wake from sleep due to aio qemu-iotests: add ./check -cloop support qemu-iotests: add cloop input validation tests block/cloop: validate block_size header field (CVE-2014-0144) block/cloop: prevent offsets_size integer overflow (CVE-2014-0143) block/cloop: refuse images with huge offsets arrays (CVE-2014-0144) block/cloop: refuse images with bogus offsets (CVE-2014-0144) block/cloop: fix offsets[] size off-by-one dmg: coding style and indentation cleanup dmg: prevent out-of-bounds array access on terminator dmg: drop broken bdrv_pread() loop dmg: use appropriate types when reading chunks dmg: sanitize chunk length and sectorcount (CVE-2014-0145) dmg: use uint64_t consistently for sectors and lengths dmg: prevent chunk buffer overflow (CVE-2014-0145) aio: fix qemu_bh_schedule() bh->ctx race condition Stefan Weil (3): tests: Fix 'make test' for i686 hosts (build regression) configure: Don't use __int128_t for clang versions before 3.2 cputlb: Fix regression with TCG interpreter (bug 1310324) Thomas Huth (2): s390x/virtio-hcall: Add range check for hypervisor call s390x/helper: Added format control bit to MMU translation Ulrich Obergfell (1): scsi-disk: fix bug in scsi_block_new_request() introduced by commit 137745c arch_init.c | 96 ++++---- async.c | 14 +- block.c | 40 ++-- block/bochs.c | 109 +++++---- block/cloop.c | 81 ++++++- block/curl.c | 5 + block/dmg.c | 275 +++++++++++++--------- block/iscsi.c | 5 +- block/mirror.c | 37 +-- block/parallels.c | 14 +- block/qapi.c | 1 + block/qcow.c | 43 +++- block/qcow2-cluster.c | 11 +- block/qcow2-refcount.c | 119 ++++++---- block/qcow2-snapshot.c | 35 +-- block/qcow2.c | 198 ++++++++++++---- block/qcow2.h | 48 +++- block/sheepdog.c | 4 +- block/vdi.c | 31 ++- block/vhdx.c | 12 +- block/vmdk.c | 2 +- block/vpc.c | 32 ++- block/vvfat.c | 6 +- blockdev-nbd.c | 9 +- blockdev.c | 11 +- configure | 5 + coroutine-win32.c | 13 +- cputlb.c | 6 +- docs/migration.txt | 12 +- hw/arm/omap1.c | 14 +- hw/arm/omap2.c | 2 +- hw/arm/pxa2xx.c | 12 +- hw/arm/spitz.c | 4 +- hw/arm/z2.c | 2 +- hw/char/virtio-serial-bus.c | 16 +- hw/core/irq.c | 4 +- hw/display/ssd0323.c | 24 ++ hw/dma/omap_dma.c | 4 +- hw/gpio/zaurus.c | 10 + hw/i386/acpi-build.c | 7 +- hw/i386/kvm/clock.c | 52 ++++ hw/i386/kvm/pci-assign.c | 12 +- hw/ide/ahci.c | 2 +- hw/ide/core.c | 2 +- hw/ide/microdrive.c | 2 +- hw/input/tsc210x.c | 12 + hw/intc/openpic.c | 16 +- hw/misc/cbus.c | 6 +- hw/net/stellaris_enet.c | 23 +- hw/net/virtio-net.c | 43 +++- hw/net/vmxnet3.c | 58 ++++- hw/pci/pci.c | 6 +- hw/pci/pcie_aer.c | 10 +- hw/pcmcia/pxa2xx.c | 2 +- hw/ppc/spapr_pci.c | 16 ++ hw/s390x/css.c | 24 +- hw/s390x/s390-virtio-hcall.c | 11 +- hw/scsi/megasas.c | 17 ++ hw/scsi/mfi.h | 9 + hw/scsi/scsi-bus.c | 2 +- hw/scsi/scsi-disk.c | 2 +- hw/scsi/scsi-generic.c | 2 - hw/scsi/spapr_vscsi.c | 1 - hw/scsi/virtio-scsi.c | 12 +- hw/sd/omap_mmc.c | 2 +- hw/sd/sdhci.c | 8 +- hw/sd/ssi-sd.c | 9 + hw/sh4/sh7750.c | 3 +- hw/ssi/pl022.c | 14 ++ hw/timer/hpet.c | 13 + hw/timer/omap_gptimer.c | 4 +- hw/usb/bus.c | 4 +- hw/usb/dev-bluetooth.c | 24 +- hw/virtio/vhost.c | 10 +- hw/virtio/virtio.c | 25 +- include/hw/scsi/scsi.h | 2 +- include/hw/virtio/virtio-net.h | 4 +- include/migration/vmstate.h | 11 +- kvm-all.c | 2 +- linux-user/elfload.c | 115 +++++++-- linux-user/syscall.c | 16 ++ migration-rdma.c | 20 +- migration.c | 2 +- nbd.c | 7 +- net/tap.c | 7 +- po/Makefile | 4 +- qemu-char.c | 17 +- qemu-img.c | 2 +- qemu-nbd.c | 5 +- qga/commands-win32.c | 6 +- qom/object.c | 14 +- savevm.c | 136 ++++++----- scripts/qapi-commands.py | 2 +- target-arm/helper.c | 8 +- target-arm/machine.c | 2 +- target-arm/translate.c | 34 ++- target-i386/cc_helper.c | 2 +- target-i386/cpu.c | 5 +- target-i386/cpu.h | 4 +- target-i386/translate.c | 46 +++- target-s390x/cpu.h | 4 + target-s390x/helper.c | 70 ++++-- target-s390x/kvm.c | 28 +++ target-xtensa/translate.c | 4 +- tcg/i386/tcg-target.c | 3 +- tests/qemu-iotests/026.out | 6 +- tests/qemu-iotests/029 | 40 +++- tests/qemu-iotests/029.out | 17 ++ tests/qemu-iotests/039 | 20 ++ tests/qemu-iotests/039.out | 11 + tests/qemu-iotests/044.out | 2 +- tests/qemu-iotests/075 | 106 +++++++++ tests/qemu-iotests/075.out | 38 +++ tests/qemu-iotests/076 | 76 ++++++ tests/qemu-iotests/076.out | 18 ++ tests/qemu-iotests/078 | 87 +++++++ tests/qemu-iotests/078.out | 26 ++ tests/qemu-iotests/080 | 180 ++++++++++++++ tests/qemu-iotests/080.out | 83 +++++++ tests/qemu-iotests/088 | 64 +++++ tests/qemu-iotests/088.out | 17 ++ tests/qemu-iotests/092 | 98 ++++++++ tests/qemu-iotests/092.out | 38 +++ tests/qemu-iotests/common | 21 ++ tests/qemu-iotests/common.rc | 3 + tests/qemu-iotests/group | 6 + tests/qemu-iotests/sample_images/empty.bochs.bz2 | Bin 0 -> 118 bytes tests/qemu-iotests/sample_images/fake.parallels.bz2 | Bin 0 -> 141 bytes .../sample_images/simple-pattern.cloop.bz2 | Bin 0 -> 488 bytes tests/tcg/test_path.c | 13 +- trace-events | 3 +- ui/vnc-enc-tight.c | 2 +- 132 files changed, 2692 insertions(+), 696 deletions(-) create mode 100755 tests/qemu-iotests/075 create mode 100644 tests/qemu-iotests/075.out create mode 100755 tests/qemu-iotests/076 create mode 100644 tests/qemu-iotests/076.out create mode 100755 tests/qemu-iotests/078 create mode 100644 tests/qemu-iotests/078.out create mode 100755 tests/qemu-iotests/080 create mode 100644 tests/qemu-iotests/080.out create mode 100755 tests/qemu-iotests/088 create mode 100644 tests/qemu-iotests/088.out create mode 100755 tests/qemu-iotests/092 create mode 100644 tests/qemu-iotests/092.out create mode 100644 tests/qemu-iotests/sample_images/empty.bochs.bz2 create mode 100644 tests/qemu-iotests/sample_images/fake.parallels.bz2 create mode 100644 tests/qemu-iotests/sample_images/simple-pattern.cloop.bz2
