Hi everyone, I am pleased to announce that the QEMU v2.9.1 stable release is now available:
http://wiki.qemu.org/download/qemu-2.9.1.tar.xz
http://wiki.qemu.org/download/qemu-2.9.1.tar.xz.sig

v2.9.1 is now tagged in the official qemu.git repository, and the stable-2.9 branch has been updated accordingly:

http://git.qemu.org/?p=qemu.git;a=shortlog;h=refs/heads/stable-2.9

This update contains security fixes addressing a possible guest privilege escalation when using virtfs/9pfs (CVE-2017-7493) and hardening against possible guest-induced host memory exhaustion via audio/input emulation (CVE-2017-8309 / CVE-2017-8379). There's also a pretty broad range of general fixes. Please see the changelog for additional details and update accordingly.

Thank you to everyone involved!

CHANGELOG:

4cd4265: Update version for 2.9.1 release (Michael Roth)
c24c591: virtfs: error out gracefully when mandatory suboptions are missing (Greg Kurz)
2d1bbf5: target/arm: Fix aa64 ldp register writeback (Richard Henderson)
30b76b2: exec: Add lock parameter to qemu_ram_ptr_length (Anthony PERARD)
2f64063: xen/mapcache: store dma information in revmapcache entries for debugging (Stefano Stabellini)
15d8f91: exec: use qemu_ram_ptr_length to access guest ram (Prasad J Pandit)
f9c313f: xhci: only update dequeue ptr on completed transfers (Gerd Hoffmann)
5320675: vl.c/exit: pause cpus before closing block devices (Dr. David Alan Gilbert)
167e764: PPC: E500: update u-boot to match shipped binary (Michael Roth)
e22e199: s390-ccw: Fix alignment for CCW1 (Farhan Ali)
5035184: vnc: Set default kbd delay to 10ms (Alexander Graf)
20920f4: qemu-nbd: Ignore SIGPIPE (Max Reitz)
4e6889b: usb-redir: fix stack overflow in usbredir_log_data (Gerd Hoffmann)
244a3ef: megasas: do not read SCSI req parameters more than once from frame (Paolo Bonzini)
578fb50: megasas: do not read command more than once from frame (Paolo Bonzini)
50b9353: megasas: do not read DCMD opcode more than once from frame (Paolo Bonzini)
d016071: megasas: do not read iovec count more than once from frame (Paolo Bonzini)
20fd62d: megasas: do not read sense length more than once from frame (Paolo Bonzini)
7442018: 9pfs: local: forbid client access to metadata (CVE-2017-7493) (Greg Kurz)
0f590e79: scsi: avoid an off-by-one error in megasas_mmio_write (Prasad J Pandit)
3c69132: audio: release capture buffers (Gerd Hoffmann)
40a7d47: vmw_pvscsi: check message ring page count at initialisation (P J P)
9b9b442: hw/ppc/spapr_iommu: Fix crash when removing the "spapr-tce-table" device (Thomas Huth)
980e826: hw/ppc/spapr_rtc: Mark the RTC device with user_creatable = false (Thomas Huth)
aab0023: qdev: Replace cannot_instantiate_with_device_add_yet with !user_creatable (Eduardo Habkost)
cfc65be: fix qemu-system-unicore32 crashing when calling without -kernel (Eduardo Otubo)
ac0038f: hw/s390x/ipl: Fix crash with virtio-scsi-pci device (Thomas Huth)
62708c7: slirp: fix clearing ifq_so from pending packets (Samuel Thibault)
746e1fd: slirp: tftp, copy sockaddr_size (Marc-André Lureau)
e8679f5: monitor: Check whether TCG is enabled before running the "info jit" code (Thomas Huth)
c152efc: target-s390x: Mask the SIGP order_code to 8bit. (Philipp Kern)
077a67e: 9pfs: local: fix fchmodat_nofollow() limitations (Greg Kurz)
f4f3529: block/nfs: fix mutex assertion in nfs_file_close() (Jeff Cody)
5f7f7e4: hw/i386: allow SHPC for Q35 machine (Aleksandr Bezzubikov)
de9b672: cpu: don't allow negative core id (Laurent Vivier)
a0ddbcf: block: Skip implicit nodes in query-block/blockstats (Kevin Wolf)
d445e0a: qemu-iotests: Test automatic commit job cancel on hot unplug (Kevin Wolf)
ad480ab: input: Decrement queue count on kbd delay (Alexander Graf)
f8d050a: input: limit kbd queue depth (Gerd Hoffmann)
9527514: virtio-net: fix offload ctrl endian (Jason Wang)
2a7526b: spapr: fix memory leak in spapr_core_pre_plug() (Greg Kurz)
2e40aad: commit: Add NULL check for overlay_bs (Kevin Wolf)
70da03f: virtio-scsi: finalize IOMMU support (Jason Wang)
19284a0: spapr: fix migration to pseries machine < 2.8 (Laurent Vivier)
0060a3e: hid: Reset kbd modifiers on reset (Alexander Graf)
e0398cc: 9pfs: local: remove: use correct path component (Bruce Rogers)
438cd1e: block: Do not strcmp() with NULL uri->scheme (Max Reitz)
40ed5cd: nbd: fix NBD over TLS (Paolo Bonzini)
2182791: blkverify: Catch bs->exact_filename overflow (Max Reitz)
1828d47: blkdebug: Catch bs->exact_filename overflow (Max Reitz)
1dd3ba3: commit: Fix completion with extra reference (Kevin Wolf)
ecc7a24: nbd: Fix regression on resiliency to port scan (Eric Blake)
ec49c8a: nbd: Fully initialize client in case of failed negotiation (Eric Blake)
f28b890: commit: Fix use after free in completion (Kevin Wolf)
bace1f9: target/xtensa: handle unknown registers in gdbstub (Max Filippov)
3b2f3a4: spapr: fix memory leak in spapr_memory_pre_plug() (Greg Kurz)
7f4c9f5: spapr: add pre_plug function for memory (Laurent Vivier)
592ee40: target/ppc: fix memory leak in kvmppc_is_mem_backend_page_size_ok() (Greg Kurz)
917a5b9: target/ppc: pass const string to kvmppc_is_mem_backend_page_size_ok() (Greg Kurz)
2401d8a: pc: Use "min-[x]level" on compat_props (Eduardo Habkost)
1775fe6: monitor: fix object_del for command-line-created objects (Michael Roth)
b0a3ead: tests: check-qom-proplist: add checks for cmdline-created objects (Michael Roth)
3b428e9: linuxboot_dma: compile for i486 (Paolo Bonzini)
11bac2f: virtio-serial-bus: Unset hotplug handler when unrealize (Ladi Prosek)
0ebbef1: mirror: Drop permissions on s->target on completion (Kevin Wolf)
64945cb: block: Guarantee that *file is set on bdrv_get_block_status() (Eric Blake)
6a3f9c5: block: Simplify BDRV_BLOCK_RAW recursion (Eric Blake)
3f3fe28: tests: Add coverage for recent block geometry fixes (Eric Blake)
48f2dc0: blkdebug: Add ability to override unmap geometries (Eric Blake)
3ae7400: blkdebug: Simplify override logic (Eric Blake)
577cf9e: blkdebug: Add pass-through write_zero and discard support (Eric Blake)
138cf63: blkdebug: Refactor error injection (Eric Blake)
a1a3d60: blkdebug: Sanity check block layer guarantees (Eric Blake)
0b18554: virtio-net: fix wild pointer when remove virtio-net queues (Yunjian Wang)
f367637: s390x/css: catch section mismatch on load (Halil Pasic)
4921c57: e1000e: Fix ICR "Other" causes clear logic (Sameeh Jubran)
952cc38: virtio-scsi: Unset hotplug handler when unrealize (Fam Zheng)
c6b510d: virtio: allow broken device to notify guest (Greg Kurz)
636eacb: vvfat: fix qemu-img map and qemu-img convert (Hervé Poussineau)
c60a8ed: stream: fix crash in stream_start() when block_job_create() fails (Alberto Garcia)
c79bef6: curl: avoid recursive locking of BDRVCURLState mutex (Paolo Bonzini)
4b519b9: curl: never invoke callbacks with s->mutex held (Paolo Bonzini)
f00c08c: curl: strengthen assertion in curl_clean_state (Paolo Bonzini)
d81db0b: target/xtensa: fix return value of read/write simcalls (Max Filippov)
e442253: target/xtensa: fix mapping direction in read/write simcalls (Max Filippov)
af8ca55: blockdev: use drained_begin/end for qmp_block_resize (John Snow)
5797a36: block: Add errp to b{lk,drv}_truncate() (Max Reitz)
73aa7ad: block/vhdx: Make vhdx_create() always set errp (Max Reitz)
d8cddcc: qemu-img: wait for convert coroutines to complete (Anton Nefedov)
ce11924: aio: add missing aio_notify() to aio_enable_external() (Stefan Hajnoczi)
0e727a2: hw/virtio: fix vhost user fails to startup when MQ (Zhiyong Yang)
d2fcb92: block: Reuse bs as backing hd for drive-backup sync=none (Fam Zheng)
e59084b: qobject: Use simpler QDict/QList scalar insertion macros (Eric Blake)
1eaf431: s390x: Drop useless casts (Eric Blake)
396474a: qobject: Add helper macros for common scalar insertions (Eric Blake)
3f308bf: qobject: Drop useless QObject casts (Eric Blake)
2104724: coccinelle: Add script to remove useless QObject casts (Eric Blake)
785d9ab: 9pfs: local: fix unlink of alien files in mapped-file mode (Greg Kurz)
45b3eac: replication: Make --disable-replication compile again (Markus Armbruster)
c64d184: ACPI: don't call acpi_pcihp_device_plug_cb on xen (Bruce Rogers)
c1059a3: block: Do not unref bs->file on error in BD's open (Max Reitz)
0b906e4: pci: deassert intx when pci device unrealize (Herongguang (Stephen))
181e005: migration: setup bi-directional I/O channel for exec: protocol (Daniel P. Berrange)
b8420f7: iotests/051: Add test for empty filename (Max Reitz)
bd1039b: block: An empty filename counts as no filename (Max Reitz)
bc70597: qemu-img/convert: Move bs_n > 1 && -B check down (Max Reitz)
a1c850f: qemu-img/convert: Use @opts for one thing only (Max Reitz)
c37a62b: qemu-img/convert: Always set ret < 0 on error (Max Reitz)
4aa16db: dirty-bitmap: Report BlockDirtyInfo.count in bytes, as documented (Eric Blake)
27dd31f: qga-win: Enable 'can-offline' field in 'guest-get-vcpus' reply (Sameeh Jubran)