Hi everyone, I am pleased to announce that the QEMU v4.2.1 stable release is now available:
You can grab the tarball from our download page here:

  https://www.qemu.org/download/#source

v4.2.1 is now tagged in the official qemu.git repository, and the stable-4.2 branch has been updated accordingly:

  https://git.qemu.org/?p=qemu.git;a=shortlog;h=refs/heads/stable-4.2

This update contains general fixes for various architectures/subsystems, including CVE fixes for slirp (CVE-2020-1983), NBD (CVE-2020-10761), iscsi (CVE-2020-1711), ati-vga (CVE-2020-13800, CVE-2020-11869), and es1370 (CVE-2020-13361). Please see the changelog for additional details and update accordingly.

Thank you to everyone involved!

CHANGELOG:

6cdf8c4efa: Update version for 4.2.1 release (Michael Roth)
4a0db6ba7d: iotests/283: Use consistent size for source and target (Kevin Wolf)
0664ffac4b: Fix tulip breakage (Helge Deller)
27f56b9aa2: tcg/mips: mips sync* encode error (lixinyu)
97701bc03e: target/xtensa: fix pasto in pfwait.r opcode name (Max Filippov)
ecdb0d5651: vpc: Don't round up already aligned BAT sizes (Kevin Wolf)
9c2e242077: spapr: Fix failure path for attempting to hot unplug PCI bridges (David Gibson)
fb6a24fb1d: net: tulip: check frame size and r/w data length (Prasad J Pandit)
60c21aa017: sheepdog: Consistently set bdrv_has_zero_init_truncate (Eric Blake)
5eca12bbad: qcow2: List autoclear bit names in header (Eric Blake)
1c8d9fb334: migration/ram: fix use after free of local_err (Vladimir Sementsov-Ogievskiy)
09397e9657: migration/colo: fix use after free of local_err (Vladimir Sementsov-Ogievskiy)
674d382225: hmp/vnc: Fix info vnc list leak (Dr. David Alan Gilbert)
5ff78dc9bc: block: bdrv_set_backing_bs: fix use-after-free (Vladimir Sementsov-Ogievskiy)
47e0fa7479: block: Avoid memleak on qcow2 image info failure (Eric Blake)
745859d5bf: ppc/ppc405_boards: Remove unnecessary NULL check (Philippe Mathieu-Daudé)
c6decabc4a: iotests: Fix nonportable use of od --endian (Eric Blake)
580c08b326: pc-bios: s390x: Save iplb location in lowcore (Janosch Frank)
9dd68ac26b: hw/arm/cubieboard: use ARM Cortex-A8 as the default CPU in machine definition (Niek Linnenbank)
4e258da94a: vhost-user-blk: delete virtioqueues in unrealize to fix memleaks (Pan Nengyuan)
e08de99abe: virtio-crypto: do delete ctrl_vq in virtio_crypto_device_unrealize (Pan Nengyuan)
5e063a5846: virtio-pmem: do delete rq_vq in virtio_pmem_unrealize (Pan Nengyuan)
1509a13240: target/arm: Correct definition of PMCRDP (Peter Maydell)
0b487ea664: block: Fix VM size field width in snapshot dump (Max Reitz)
3dd28c8ecc: block: fix crash on zero-length unaligned write and read (Vladimir Sementsov-Ogievskiy)
ee9f37f3e5: target/arm/monitor: query-cpu-model-expansion crashed qemu when using machine type none (Liang Yan)
8952da32c3: iotests: add test for backup-top failure on permission activation (Vladimir Sementsov-Ogievskiy)
e92b21ffc4: block/backup-top: fix failure path (Vladimir Sementsov-Ogievskiy)
a967e75f3a: block: fix memleaks in bdrv_refresh_filename (Pan Nengyuan)
aacf6bfb7e: target/arm: fix TCG leak for fcvt half->double (Alex Bennée)
4b34c6d724: audio/oss: fix buffer pos calculation (Gerd Hoffmann)
9adb6569bf: hw/intc/arm_gicv3_kvm: Stop wrongly programming GICR_PENDBASER.PTZ bit (Zenghui Yu)
b1b362aa8e: tpm-ppi: page-align PPI RAM (Marc-André Lureau)
dc6bdba433: block/backup: fix memory leak in bdrv_backup_top_append() (Eiichi Tsukata)
bc509b2a5b: s390x: adapter routes error handling (Cornelia Huck)
cd8ecfb19c: target/i386: kvm: initialize feature MSRs very early (Paolo Bonzini)
abf9ffa7b3: target/arm: Fix PAuth sbox functions (Vincent Dehors)
c44015c50c: m68k: Fix regression causing Single-Step via GDB/RSP to not single step (Laurent Vivier)
b5ba361d8f: Revert "vnc: allow fall back to RAW encoding" (Gerd Hoffmann)
52771abbfa: migration: Rate limit inside host pages (Dr. David Alan Gilbert)
d306348fd6: runstate: ignore finishmigrate -> prelaunch transition (Laurent Vivier)
f3ef98874e: target/arm: Return correct IL bit in merge_syn_data_abort (Jeff Kubascik)
e8a286010c: migration-test: ppc64: fix FORTH test program (Laurent Vivier)
9a30621d3d: blkdebug: Allow taking/unsharing permissions (Max Reitz)
0972fbf353: block: Add bdrv_qapi_perm_to_blk_perm() (Max Reitz)
9b59fdf478: hw/arm/smmuv3: Report F_STE_FETCH fault address in correct word position (Simon Veith)
ec3bd881e2: hw/arm/smmuv3: Use correct bit positions in EVT_SET_ADDR2 macro (Simon Veith)
65fad28d85: hw/arm/smmuv3: Align stream table base address to table size (Simon Veith)
256ecc06eb: hw/arm/smmuv3: Check stream IDs against actual table LOG2SIZE (Simon Veith)
606a6bf788: hw/arm/smmuv3: Correct SMMU_BASE_ADDR_MASK value (Simon Veith)
e8ae3a4e2b: hw/arm/smmuv3: Apply address mask to linear strtab base address (Simon Veith)
7e1bc51f3f: display/bochs-display: fix memory leak (Cameron Esfahani)
8d151ab5c2: vhost-user-gpu: Drop trailing json comma (Cole Robinson)
6772bba8a4: iotests: Fix IMGOPTSSYNTAX for nbd (Max Reitz)
45b65bf8df: Fix double free issue in qemu_set_log_filename(). (Robert Foley)
aea7a50fb5: Revert "qemu-options.hx: Update for reboot-timeout parameter" (Han Han)
2f7597fbc2: iotests/026: Move v3-exclusive test to new file (Max Reitz)
f127d16397: dp8393x: Mask EOL bit from descriptor addresses, take 2 (Finn Thain)
862240852b: slirp: update to fix CVE-2020-1983 (Marc-André Lureau)
1343d33371: kvm: Reallocate dirty_bmap when we change a slot (Dr. David Alan Gilbert)
c436692c6a: es1370: check total frame count against current frame (Prasad J Pandit)
69a6048e1e: ati-vga: check mm_index before recursive call (CVE-2020-13800) (Prasad J Pandit)
01392ae31a: ati-vga: Fix checks in ati_2d_blt() to avoid crash (BALATON Zoltan)
4e98c388d6: iscsi: Cap block count from GET LBA STATUS (CVE-2020-1711) (Felipe Franciosi)
54bcaf08d6: target/i386: do not set unsupported VMX secondary execution controls (Vitaly Kuznetsov)
e727aa1a7b: target/riscv: update mstatus.SD when FS is set dirty (ShihPo Hung)
690e3004ae: target/riscv: fsd/fsw doesn't dirty FP state (ShihPo Hung)
a918ea2ec3: target/riscv: Fix tb->flags FS status (ShihPo Hung)
c1cad76dcd: riscv: Set xPIE to 1 after xRET (Yiting Wang)
a6e44eee6c: riscv/sifive_u: fix a memory leak in soc_realize() (Pan Nengyuan)
3729ff3032: tests: fix modules-test 'duplicate test case' error (Cole Robinson)
2367c7235b: xen/9pfs: yield when there isn't enough room on the ring (Stefano Stabellini)
0c6499ff2b: 9pfs: include linux/limits.h for XATTR_SIZE_MAX (Dan Robertson)
17216bc044: 9pfs: local: ignore O_NOATIME if we don't have permissions (Omar Sandoval)
410252fc5b: 9p/proxy: Fix export_flags (Greg Kurz)
603cda272d: virtio-9p-device: fix memleak in virtio_9p_device_unrealize (Pan Nengyuan)
03afe9c035: 9p: local: always return -1 on error in local_unlinkat_common (Daniel Henrique Barboza)
18f6b13e08: 9pfs: local: Fix possible memory leak in local_link() (Jiajun Chen)
6c75ddf4a9: block: Call attention to truncation of long NBD exports (Eric Blake)
d6d45d9ed1: virtio-balloon: unref the iothread when unrealizing (David Hildenbrand)
2a7c80d82e: virtio-balloon: fix free page hinting check on unrealize (David Hildenbrand)
e27f334fdc: virtio-balloon: fix free page hinting without an iothread (David Hildenbrand)
0c1d805360: nbd/server: Avoid long error message assertions CVE-2020-10761 (Eric Blake)
252d614ea2: net: Do not include a newline in the id of -nic devices (Thomas Huth)
dad6d5e7e6: 9p: Lock directory streams with a CoMutex (Greg Kurz)
ad56aecb21: qemu-nbd: Close inherited stderr (Raphael Pour)
d5691a6373: target/arm: Clear tail in gvec_fmul_idx_*, gvec_fmla_idx_* (Richard Henderson)
34c78a4100: hostmem: don't use mbind() if host-nodes is empty (Igor Mammedov)
8d127b4be7: target/ppc: Fix mtmsr(d) L=1 variant that loses interrupts (Nicholas Piggin)
ea1518bb5e: vhost-user-gpu: Release memory returned by vu_queue_pop() with free() (Philippe Mathieu-Daudé)
c5feb39219: xen-block: Fix double qlist remove and request leak (Anthony PERARD)
25fcaed9a3: dump: Fix writing of ELF section (Peter Maydell)
aabd9ddd2d: tcg/i386: Fix INDEX_op_dup2_vec (Richard Henderson)
33be7aa9b6: hw/i386/amd_iommu.c: Fix corruption of log events passed to guest (Peter Maydell)
8f5728cb97: qemu-ga: document vsock-listen in the man page (Stefan Hajnoczi)
e3531619f1: qga: Fix undefined C behavior (Eric Blake)
4996bd7161: qga-win: prevent crash when executing guest-file-read with large count (Basil Salman)
3c3e1653c5: qga-win: Handle VSS_E_PROVIDER_ALREADY_REGISTERED error (Sameeh Jubran)
7cc217b30d: qga: Installer: Wait for installation to finish (Basil Salman)
219362f965: compat: disable edid on correct virtio-gpu device (Cornelia Huck)
8fc4aa4822: block/io: fix bdrv_co_do_copy_on_readv (Vladimir Sementsov-Ogievskiy)
4a9486a02d: target/ppc: Fix rlwinm on ppc64 (Vitaly Chikunov)
c44c4f7229: block/block-copy: fix progress calculation (Vladimir Sementsov-Ogievskiy)
a0dc4d2495: job: refactor progress to separate object (Vladimir Sementsov-Ogievskiy)
e0ccde3887: block/qcow2-threads: fix qcow2_decompress (Vladimir Sementsov-Ogievskiy)
4a1c5955e7: scsi/qemu-pr-helper: Fix out-of-bounds access to trnptid_list[] (Christophe de Dinechin)
2dc540e40d: virtio: gracefully handle invalid region caches (Stefan Hajnoczi)
4540aa4a8d: iotests/026: Test EIO on allocation in a data-file (Max Reitz)
30aa0ea6c5: iotests/026: Test EIO on preallocated zero cluster (Max Reitz)
382b9f09bd: qcow2: Fix alloc_cluster_abort() for pre-existing clusters (Max Reitz)
373fd948ab: iotests: Test copy offloading with external data file (Kevin Wolf)
ab7f6eaa5b: qcow2: Fix qcow2_alloc_cluster_abort() for external data file (Kevin Wolf)
f9854de0d8: qcow2: update_refcount(): Reset old_table_index after qcow2_cache_put() (Kevin Wolf)
e49ae74a24: tcg: save vaddr temp for plugin usage (Alex Bennée)
0319118bcf: plugins/core: add missing break in cb_to_tcg_flags (Emilio G. Cota)
2a7569e751: s390/sclp: improve special wait psw logic (Christian Borntraeger)
3e1d95301e: dp8393x: Don't stop reception upon RBE interrupt assertion (Finn Thain)
735cd8ddab: dp8393x: Don't reset Silicon Revision register (Finn Thain)
1190026fe4: dp8393x: Always update RRA pointers and sequence numbers (Finn Thain)
8d61b1e2c4: dp8393x: Clear descriptor in_use field to release packet (Finn Thain)
cbc8277051: dp8393x: Pad frames to word or long word boundary (Finn Thain)
e7cad754fd: dp8393x: Use long-word-aligned RRA pointers in 32-bit mode (Finn Thain)
d50aa8acbc: dp8393x: Don't clobber packet checksum (Finn Thain)
3a8068f4eb: dp8393x: Implement packet size limit and RBAE interrupt (Finn Thain)
5f08c382ca: dp8393x: Clear RRRA command register bit only when appropriate (Finn Thain)
edd67a61f4: dp8393x: Update LLFA and CRDA registers from rx descriptor (Finn Thain)
153c3320e7: dp8393x: Have dp8393x_receive() return the packet size (Finn Thain)
bf3f12ac8c: dp8393x: Clean up endianness hacks (Finn Thain)
956e1b2d97: dp8393x: Always use 32-bit accesses (Finn Thain)
eb54a2f9ce: dp8393x: Mask EOL bit from descriptor addresses (Finn Thain)
fa446ae444: qcow2-bitmaps: fix qcow2_can_store_new_dirty_bitmap (Vladimir Sementsov-Ogievskiy)
3fb2521040: vfio/pci: Don't remove irqchip notifier if not registered (Peter Xu)
742195db17: intel_iommu: add present bit check for pasid table entries (Liu Yi L)
98c74fe49a: intel_iommu: a fix to vtd_find_as_from_bus_num() (Liu Yi L)
7042922dd7: virtio-net: delete also control queue when TX/RX deleted (Yuri Benditovich)
a474197f11: virtio: reset region cache when on queue deletion (Yuri Benditovich)
a843731d7f: virtio: make virtio_delete_queue idempotent (Michael S. Tsirkin)
d5a5d43e27: virtio: add ability to delete vq through a pointer (Michael S. Tsirkin)
0253531824: virtio-mmio: update queue size on guest write (Denis Plotnikov)
2f4affb721: virtio: update queue size on guest write (Michael S. Tsirkin)
77d9c84d9f: target/arm: Set ISSIs16Bit in make_issinfo (Richard Henderson)
4412cb3bca: ide: Fix incorrect handling of some PRDTs in ide_dma_cb() (Alexander Popov)
3a94a8b7fd: tests/ide-test: Create a single unit-test covering more PRDT cases (Alexander Popov)
0cfa46da8f: hw/i386/pc: fix regression in parsing vga cmdline parameter (Peter Wu)
ba6a94e64e: arm/arm-powerctl: rebuild hflags after setting CP15 bits in arm_set_cpu_on() (Niek Linnenbank)
a5f815514a: arm/arm-powerctl: set NSACR.{CP11, CP10} bits in arm_set_cpu_on() (Niek Linnenbank)
2215837fe2: backup-top: Begin drain earlier (Max Reitz)
cbdfd3865b: numa: properly check if numa is supported (Igor Mammedov)
89eebb016d: numa: remove not needed check (Igor Mammedov)
def30090ad: virtio-blk: fix out-of-bounds access to bitmap in notify_guest_bh (Li Hangjing)
52a02834e0: block: Activate recursively even for already active nodes (Kevin Wolf)
da0948d13c: target/arm: ensure we use current exception state after SCR update (Alex Bennée)
d636d64b35: qapi: better document NVMe blockdev @device parameter (Daniel P. Berrangé)
bed590f2b8: i386: Resolve CPU models to v1 by default (Eduardo Habkost)
a115daadf6: block/nbd: fix memory leak in nbd_open() (Pan Nengyuan)
85df33073a: block/nbd: extract the common cleanup code (Pan Nengyuan)