On 03/20/17 17:57, Michael S. Tsirkin wrote:
> On Mon, Mar 20, 2017 at 05:39:18PM +0100, Laszlo Ersek wrote:
>> On 03/20/17 17:26, Michael S. Tsirkin wrote:
>>> On Mon, Mar 20, 2017 at 05:22:16PM +0100, Laszlo Ersek wrote:
On 03/20/17 16:13, Laszlo Ersek wrote:
> On 03/20/17 15:16, Michael
V2 changes are documented per patch.
Cc: "Michael S. Tsirkin"
Cc: Ben Warren
Cc: Igor Mammedov
Cc: Paolo Bonzini
Laszlo Ersek (2):
hw/acpi/vmgenid: prevent device realization on pre-2.5 machine types
hw/acpi/vmgenid: prevent more than one vmgenid device
include/hw/acpi/vmgenid.h | 2 ++
The WRITE_POINTER linker/loader command that underlies VMGENID depends on
commit baf2d5bfbac0 ("fw-cfg: support writeable blobs", 2017-01-12), which
in turn depends on fw_cfg DMA.
DMA for fw_cfg is enabled in 2.5+ machine types only (see commit
e6915b5f3a87, "fw_cfg: unbreak migration compatibilit
A system with multiple VMGENID devices is undefined in the VMGENID spec by
omission.
Cc: "Michael S. Tsirkin"
Cc: Ben Warren
Cc: Igor Mammedov
Cc: Paolo Bonzini
Signed-off-by: Laszlo Ersek
---
Notes:
v2:
- use find_vmgenid_dev() rather than open-code
object_resolve_path_type()
On 20 March 2017 at 16:04, Paolo Bonzini wrote:
> The following changes since commit ebedf0f9cd46b617df331eecc857c379d574ac62:
>
> nios2: iic: Convert CPU prop to qom link (2017-03-18 18:22:54 +)
>
> are available in the git repository at:
>
> git://github.com/bonzini/qemu.git tags/for-ups
On 20/03/2017 18:01, Markus Armbruster wrote:
> Peter Maydell writes:
>
>> On 20 March 2017 at 16:29, Markus Armbruster wrote:
>>> Peter Maydell writes:
I have some comments which feel kind of nit-picky, but since this
is a public-facing HMP API I think they need attention since we
Change malloc/strdup/free to g_malloc/g_strdup/g_free in
util/envlist.c.
Remove NULL checks for pointers returned from g_malloc and g_strdup
as they exit in case of failure. Also, update calls to envlist_create
to reflect this.
Free array and array contents returned by envlist_to_environ using
g_
This patch adds a command-line option (-xen-domid-restrict) which will
use the new libxendevicemodel API to restrict devicemodel operations to
the specified domid.
This patch also adds a tracepoint to allow successful enabling of the
restriction to be monitored.
Signed-off-by: Paul Durrant
---
C
On Mon, Mar 20, 2017 at 5:32 PM, Saurav Sachidanand wrote:
> Change malloc/strdup/free to g_malloc/g_strdup/g_free in
> util/envlist.c.
>
> Remove NULL checks for pointers returned from g_malloc and g_strdup
> as they exit in case of failure. Also, update calls to envlist_create
> to reflect this.
Change malloc/strdup/free to g_malloc/g_strdup/g_free in
util/envlist.c.
Remove NULL checks for pointers returned from g_malloc and g_strdup
as they exit in case of failure. Also, update calls to envlist_create
to reflect this.
Free array and array contents returned by envlist_to_environ using
g_
From: "Dr. David Alan Gilbert"
A bit more consistent and it removes one of the less necessary uses
of cur_mon.
Signed-off-by: Dr. David Alan Gilbert
---
include/sysemu/sysemu.h | 2 +-
migration/savevm.c | 31 ++-
replay/replay-snapshot.c | 6 --
3 file
From: "Dr. David Alan Gilbert"
I found myself trying to understand cur_mon and found a bunch
of uses that could easily be replaced by error_report or Error **.
Dave
Dr. David Alan Gilbert (2):
save_vmstate: Convert to Error** from Monitor *
wavcapture: Convert to error_report
audio/wavcap
From: "Dr. David Alan Gilbert"
Kill off a pile of monitor_printf's and cur_mon usage.
The only one left in wavcapture.c is the info case.
Signed-off-by: Dr. David Alan Gilbert
---
audio/wavcapture.c | 39 +--
1 file changed, 17 insertions(+), 22 deletions(-)
I stumbled across this bug:
https://bugs.launchpad.net/ubuntu/+source/linux-rt/+bug/367671
I'm not sure if that bug relates to this one, but after disabling realtime
scheduling, pulseaudio does not crash anymore.
However, the lag when starting the VM got significantly worse, the system is
pretty
Made functions *_exit in hw/ return void instead of int (they returned 0 all
the time) and removed related return value checks
Signed-off-by: Anton Volkov
---
hw/audio/hda-codec.c | 3 +--
hw/audio/intel-hda.c | 3 +--
hw/audio/intel-hda.h | 2 +-
hw/char/
"Dr. David Alan Gilbert (git)" wrote:
> From: "Dr. David Alan Gilbert"
>
> A bit more consistent and it removes one of the less necessary uses
> of cur_mon.
>
> Signed-off-by: Dr. David Alan Gilbert
Reviewed-by: Juan Quintela
> @@ -2094,16 +2094,17 @@ int save_vmstate(Monitor *mon, const cha
Use the new type in virtio-9p-device.
Signed-off-by: Stefano Stabellini
Reviewed-by: Greg Kurz
Reviewed-by: Philippe Mathieu-Daudé
CC: anthony.per...@citrix.com
CC: jgr...@suse.com
CC: Aneesh Kumar K.V
CC: Greg Kurz
---
hw/9pfs/9p.h | 6 ++
hw/9pfs/virtio-9p-device.c | 6 +-
Introduce the Xen 9pfs backend: add struct XenDevOps to register as a
Xen backend and add struct V9fsTransport to register as v9fs transport.
All functions are empty stubs for now.
Signed-off-by: Stefano Stabellini
Reviewed-by: Greg Kurz
CC: anthony.per...@citrix.com
CC: jgr...@suse.com
CC: Ane
Implement xen_9pfs_init_in/out_iov_from_pdu and
xen_9pfs_pdu_vmarshal/vunmarshall by creating new sg pointing to the
data on the ring.
This is safe as we only handle one request per ring at any given time.
Signed-off-by: Stefano Stabellini
CC: anthony.per...@citrix.com
CC: jgr...@suse.com
CC: An
Do not use the ring.h header installed on the system. Instead, import
the header into the QEMU codebase. This avoids problems when QEMU is
built against a Xen version too old to provide all the ring macros.
Signed-off-by: Stefano Stabellini
Reviewed-by: Greg Kurz
CC: anthony.per...@citrix.com
CC
Hi all,
This patch series implements a new transport for 9pfs, aimed at Xen
systems.
The transport is based on a traditional Xen frontend and backend drivers
pair. This patch series implements the backend, which typically runs in
Dom0. I sent another series to implement the frontend in Linux
(htt
Upon receiving an event channel notification from the frontend, schedule
the bottom half. From the bottom half, read one request from the ring,
create a pdu and call pdu_submit to handle it.
For now, only handle one request per ring at a time.
Signed-off-by: Stefano Stabellini
CC: anthony.per...
Write the limits of the backend to xenstore. Connect to the frontend.
Upon connection, allocate the rings according to the protocol
specification.
Initialize a QEMUBH to schedule work upon receiving an event channel
notification from the frontend.
Signed-off-by: Stefano Stabellini
CC: anthony.pe
Once a request is completed, xen_9pfs_push_and_notify gets called. In
xen_9pfs_push_and_notify, update the indexes (data has already been
copied to the sg by the common code) and send a notification to the
frontend.
Schedule the bottom-half to check if we already have any other requests
pending.
Signed-off-by: Stefano Stabellini
Reviewed-by: Greg Kurz
CC: anthony.per...@citrix.com
CC: jgr...@suse.com
CC: Aneesh Kumar K.V
CC: Greg Kurz
---
hw/9pfs/Makefile.objs| 1 +
hw/xen/xen_backend.c | 3 +++
include/hw/xen/xen_backend.h | 3 +++
3 files changed, 7 insertions(+)
di
On OpenBSD none of the ioctls probe_logical_blocksize() tries
exist, so the variable sector_size is unused. Refactor the
code to avoid this (and reduce the duplicated code).
Signed-off-by: Peter Maydell
---
The alternative would be to move the variable so it was
local to a code block inside each
On Mon, Mar 20, 2017 at 03:12:44PM +0100, Laurent Vivier wrote:
> Since commit 224245b ("spapr: Add LMB DR connectors"), NUMA node
> memory size must be aligned to 256MB (SPAPR_MEMORY_BLOCK_SIZE).
>
> But when "-numa" option is provided without "mem" parameter,
> the memory is equally divided betw
"Dr. David Alan Gilbert" wrote:
> * Juan Quintela (quint...@redhat.com) wrote:
>> last_seen_block, last_sent_block, last_offset, last_version and
>> ram_bulk_stage are globals that are really related together.
>>
>> Signed-off-by: Juan Quintela
>> ---
>> migration/ram.c | 136
>> ++
"Dr. David Alan Gilbert" wrote:
> * Juan Quintela (quint...@redhat.com) wrote:
>> We need to add a parameter to several functions to make this work.
>>
>> Signed-off-by: Juan Quintela
[...]
> Is that undoing false spaces from the previous patch?
Yes O:-)
>
> anyway,
> Reviewed-by: Dr. David
On 03/20/2017 11:13 AM, Markus Armbruster wrote:
> Markus Armbruster (2):
> qapi: Fix string input visitor regression for empty lists
> Revert "hostmem: fix QEMU crash by 'info memdev'"
Reviewed-by: Eric Blake
>
> backends/hostmem.c| 22 --
> qapi/string
On Fri, Mar 17, 2017 at 07:29:14PM +0800, Lan Tianyu wrote:
> From: Chao Gao
>
> xen-viommu will be a sysbus device and the device model will
> be enabled via "-device" parameter.
>
> Signed-off-by: Chao Gao
> Signed-off-by: Lan Tianyu
I'm worried about the bugs we may expose by accepting all
On 03/20/2017 07:55 AM, Markus Armbruster wrote:
> We have a negative test case for a list index with leading zero. Add
> positive ones.
>
> Tweak the test case for list index greater or equal the number of
> elements: test "equal" instead of "greater" to guard against
> off-by-one mistakes.
>
>
On 03/20/2017 07:55 AM, Markus Armbruster wrote:
> Signed-off-by: Markus Armbruster
> ---
> util/keyval.c | 47 +++
> 1 file changed, 31 insertions(+), 16 deletions(-)
>
Reviewed-by: Eric Blake
--
Eric Blake eblake redhat com+1-919-301-3266
L
On 03/20/2017 07:55 AM, Markus Armbruster wrote:
> Signed-off-by: Markus Armbruster
> ---
> tests/Makefile.include | 2 +-
> tests/test-keyval.c| 53
> ++
> 2 files changed, 54 insertions(+), 1 deletion(-)
>
Reviewed-by: Eric Blake
--
Eri
On 03/20/2017 07:55 AM, Markus Armbruster wrote:
> Signed-off-by: Markus Armbruster
> ---
> util/keyval.c | 10 ++
> 1 file changed, 10 insertions(+)
>
> diff --git a/util/keyval.c b/util/keyval.c
> index 46cd540..93d5db6 100644
> --- a/util/keyval.c
> +++ b/util/keyval.c
> @@ -61,6 +61,
On 03/20/2017 07:55 AM, Markus Armbruster wrote:
> Signed-off-by: Markus Armbruster
> ---
> MAINTAINERS | 11 +++
> 1 file changed, 11 insertions(+)
Reviewed-by: Eric Blake
By the way, where do we stand on the idea of having checkpatch.pl reject
patches that introduce new files without
Quoting Paolo Bonzini (2017-02-28 07:21:32)
> Commit ad07cd6 ("virtio-scsi: always use dataplane path if ioeventfd is
> active", 2016-10-30) and 9ffe337 ("virtio-blk: always use dataplane
> path if ioeventfd is active", 2016-10-30) broke the virtio 1.0
> indirect access registers.
>
> The indirect
"Dr. David Alan Gilbert" wrote:
> * Juan Quintela (quint...@redhat.com) wrote:
>> Once there, rename the type to be shorter.
>>
>> Signed-off-by: Juan Quintela
>> ---
>> migration/ram.c | 79
>> ++---
>> 1 file changed, 42 insertions(+), 37 d
"Dr. David Alan Gilbert" wrote:
> * Juan Quintela (quint...@redhat.com) wrote:
>> It was on MigrationState when it is only used inside ram.c for
>> postcopy. Problem is that we need to access it without being able to
>> pass it RAMState directly.
>>
>> Signed-off-by: Juan Quintela
>> ---
>> in
Quoting Markus Armbruster (2017-03-20 11:13:43)
> Visiting a list when input is the empty string should result in an
> empty list, not an error. Noticed when commit 3d089ce belatedly added
> tests, but simply accepted as weird then. It's actually a regression:
> broken in commit 74f24cb, v2.7.0.
Quoting Markus Armbruster (2017-03-20 11:13:44)
> This reverts commit 1454d33f0507cb54d62ed80f494884157c9e7130.
>
> The string input visitor regression fixed in the previous commit made
> visit_type_uint16List() fail on empty input. query_memdev() calls it
> via object_property_get_uint16List().
On 03/21/2017 01:34 AM, Alex Bennée wrote:
This was an oversight when the rest of cputlb was being updated. As
before it falls back to the non-atomic version when the host can't
support wider-than-bus atomics.
Signed-off-by: Alex Bennée
---
cputlb.c | 8
1 file changed, 8 insertions(+
On 03/21/2017 01:34 AM, Alex Bennée wrote:
When "tcg: enable thread-per-vCPU" (commit 3725794) was merged the
lifetime of current_cpu was changed. Previously a broken linux-user
call might abort() which can eventually escalate into a SIGSEGV which
would then crash qemu as it attempted to deref a
On Fri, Mar 17, 2017 at 12:27 PM, Paolo Bonzini wrote:
> And this is a fix, but I have no idea why/how it works and what else it
> may break.
>
> Patches 1 and 2 are pretty obvious and would be the first step towards
> eliminating aio_disable/enable_external altogether.
>
> However I got patch 3 m
On 03/16/2017 03:42 AM, Chao Fan wrote:
> The number of dirty pages is output in 'pages' in the command
> 'info migrate', so add page-size to calculate the number of dirty
> pages in bytes.
>
> Signed-off-by: Chao Fan
> Signed-off-by: Li Zhijian
> ---
> +++ b/qapi-schema.json
> @@ -575,6 +575,9
** Changed in: qemu
Status: New => Fix Committed
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1663287
Title:
Illegal delay slot code causes abort on mips64
Status in QEMU:
Fix Committed
Thanks for reporting this issue.
In fact, branches in a delay slot are "undefined" in the pre-Release 6
architecture.
MIPS architecture release 6 defines to signal Reserved Instruction exceptions
for such cases.
However as it was undefined, it is better to signal RI and carry on rather than
stopp
Setting status to "Fix released" according to comment #5 (if there is
something left to do for libvirt, please consult their bugtracker
instead)
** Changed in: qemu
Status: Confirmed => Fix Released
From: Greg Kurz
The local_lremovexattr() callback is vulnerable to symlink attacks because
it calls lremovexattr() which follows symbolic links in all path elements
but the rightmost one.
This patch introduces a helper to emulate the non-existing fremovexattrat()
function: it is implemented with
Hi everyone,
The following new patches are queued for QEMU stable v2.8.1:
https://github.com/mdroth/qemu/commits/stable-2.8-staging
The release is planned for 2017-03-30:
http://wiki.qemu.org/Planning/2.8
Please respond here or CC qemu-sta...@nongnu.org on any patches you
think should be i
From: Greg Kurz
The local_unlinkat() callback is vulnerable to symlink attacks because it
calls remove() which follows symbolic links in all path elements but the
rightmost one.
This patch converts local_unlinkat() to rely on opendir_nofollow() and
unlinkat() instead.
Most of the code is moved
From: Greg Kurz
The local_statfs() callback is vulnerable to symlink attacks because it
calls statfs() which follows symbolic links in all path elements.
This patch converts local_statfs() to rely on open_nofollow() and fstatfs()
instead.
This partly fixes CVE-2016-9602.
Signed-off-by: Greg Ku
From: Greg Kurz
The local_lsetxattr() callback is vulnerable to symlink attacks because
it calls lsetxattr() which follows symbolic links in all path elements but
the rightmost one.
This patch introduces a helper to emulate the non-existing fsetxattrat()
function: it is implemented with /proc/se
From: Greg Kurz
The local_utimensat() callback is vulnerable to symlink attacks because it
calls qemu_utimens()->utimensat(AT_SYMLINK_NOFOLLOW) which follows symbolic
links in all path elements but the rightmost one or qemu_utimens()->utimes()
which follows symbolic links for all path elements.
From: Greg Kurz
When using the mapped-file security model, we also have to create a link
for the metadata file if it exists. In case of failure, we should rollback.
That's what this patch does.
Signed-off-by: Greg Kurz
Reviewed-by: Stefan Hajnoczi
(cherry picked from commit 6dd4b1f1d026e478d9
From: Greg Kurz
The local_renameat() callback is currently a wrapper around local_rename()
which is vulnerable to symlink attacks.
This patch rewrites local_renameat() to have its own implementation, based
on local_opendir_nofollow() and renameat().
This partly fixes CVE-2016-9602.
Signed-off-
From: Greg Kurz
The local_readlink() callback is vulnerable to symlink attacks because it
calls:
(1) open(O_NOFOLLOW) which follows symbolic links for all path elements but
the rightmost one
(2) readlink() which follows symbolic links for all path elements but the
rightmost one
This pat
From: Greg Kurz
The local_truncate() callback is vulnerable to symlink attacks because
it calls truncate() which follows symbolic links in all path elements.
This patch converts local_truncate() to rely on open_nofollow() and
ftruncate() instead.
This partly fixes CVE-2016-9602.
Signed-off-by:
From: Greg Kurz
The local_symlink() callback is vulnerable to symlink attacks because it
calls:
(1) symlink() which follows symbolic links for all path elements but the
rightmost one
(2) open(O_NOFOLLOW) which follows symbolic links for all path elements but
the rightmost one
(3) local_s
From: Greg Kurz
The local_chmod() callback is vulnerable to symlink attacks because it
calls:
(1) chmod() which follows symbolic links for all path elements
(2) local_set_xattr()->setxattr() which follows symbolic links for all
path elements
(3) local_set_mapped_file_attr() which calls in tu
From: Greg Kurz
The local_remove() callback is vulnerable to symlink attacks because it
calls:
(1) lstat() which follows symbolic links in all path elements but the
rightmost one
(2) remove() which follows symbolic links in all path elements but the
rightmost one
This patch converts loc
From: Greg Kurz
These functions are always called indirectly. It really doesn't make sense
for them to sit in a header file.
Signed-off-by: Greg Kurz
Reviewed-by: Stefan Hajnoczi
(cherry picked from commit 56fc494bdcba35d74da27e1d34dbb6db6fa7bd67)
Signed-off-by: Greg Kurz
Signed-off-by: Micha
From: Greg Kurz
We should pass O_NOFOLLOW otherwise openat() will follow symlinks and make
QEMU vulnerable.
While here, we also fix local_unlinkat_common() to use openat_dir() for
the same reasons (it was a leftover in the original patchset actually).
This fixes CVE-2016-9602.
Signed-off-by: G
From: Greg Kurz
The local_mknod() callback is vulnerable to symlink attacks because it
calls:
(1) mknod() which follows symbolic links for all path elements but the
rightmost one
(2) local_set_xattr()->setxattr() which follows symbolic links for all
path elements
(3) local_set_mapped_fil
From: Greg Kurz
The local_rename() callback is vulnerable to symlink attacks because it
uses rename() which follows symbolic links in all path elements but the
rightmost one.
This patch simply transforms local_rename() into a wrapper around
local_renameat() which is symlink-attack safe.
This pa
From: Greg Kurz
Coverity issue CID1371731
Signed-off-by: Greg Kurz
Reviewed-by: Daniel P. Berrange
Reviewed-by: Philippe Mathieu-Daudé
(cherry picked from commit faab207f115cf9738f110cb088ab35a4b7aef73a)
Signed-off-by: Greg Kurz
Signed-off-by: Michael Roth
---
hw/9pfs/9p-local.c | 1 +
1 f
From: Hervé Poussineau
This patch fixes a segfault at QEMU startup, introduced in
a08156321ab9a7d2fed9ee77dbfeea2a61ffd153.
gd_vc_find_current() returns NULL, which is dereferenced without checking it.
While at it, disable the whole 'View' menu if no console exists.
Reproducer: qemu-system-i386
From: Greg Kurz
The local_lstat() callback is vulnerable to symlink attacks because it
calls:
(1) lstat() which follows symbolic links in all path elements but the
rightmost one
(2) getxattr() which follows symbolic links in all path elements
(3) local_mapped_file_attr()->local_fopen()->open
From: Greg Kurz
The local_open2() callback is vulnerable to symlink attacks because it
calls:
(1) open() which follows symbolic links for all path elements but the
rightmost one
(2) local_set_xattr()->setxattr() which follows symbolic links for all
path elements
(3) local_set_mapped_file
From: Greg Kurz
When O_PATH is used with O_DIRECTORY, it only acts as an optimization: the
openat() syscall simply finds the name in the VFS, and doesn't trigger the
underlying filesystem.
On systems that don't define O_PATH, because they have glibc version 2.13
or older for example, we can safe
From: Roman Kapl
rcu_read_unlock was not called if the address_space_access_valid result is
negative.
This caused (at least) a problem when qemu on PPC/E500+TAP failed to terminate
properly and instead got stuck in a deadlock.
Signed-off-by: Roman Kapl
Message-Id: <20170109110921.4931-1-...@sy
From: Greg Kurz
The local_link() callback is vulnerable to symlink attacks because it calls:
(1) link() which follows symbolic links for all path elements but the
rightmost one
(2) local_create_mapped_attr_dir()->mkdir() which follows symbolic links
for all path elements but the rightmos
From: Eduardo Habkost
Original problem description by Greg Kurz:
> Since commit "9a4c0e220d8a hw/virtio-pci: fix virtio
> behaviour", passing -device virtio-blk-pci.disable-modern=off
> has no effect on 2.6 machine types because the internal
> virtio-pci.disable-modern=on compat property always
From: "Michael S. Tsirkin"
PCI Express downstream slot has a single PCI slot
behind it, using PCI_DEVFN(PCI_SLOT(devfn), 0)
does not give you function 0 in cases such as ARI
as well as some error cases.
This is exactly what we are hitting:
$ qemu-system-x86_64 -machine q35 -readconfig docs/q3
From: Greg Kurz
The local_chown() callback is vulnerable to symlink attacks because it
calls:
(1) lchown() which follows symbolic links for all path elements but the
rightmost one
(2) local_set_xattr()->setxattr() which follows symbolic links for all
path elements
(3) local_set_mapped_fi
From: Richard Henderson
When al == xzr, we cannot use addi/subi because that encodes xsp.
Force a zero into the temp register for that (rare) case.
Signed-off-by: Richard Henderson
Message-Id: <20161207180727.6286-2-...@twiddle.net>
(cherry picked from commit b1eb20da625897244e9621dabcf63d899de
From: "Dr. David Alan Gilbert"
A broken guest can specify physical addresses that correspond
to any memory region, but it shouldn't be able to change ROM.
Signed-off-by: Dr. David Alan Gilbert
Cc: qemu-sta...@nongnu.org
Acked-by: Paolo Bonzini
Reviewed-by: Michael S. Tsirkin
Signed-off-by: Mi
From: Paolo Bonzini
The direction is wrong; scsi_block_is_passthrough returns
false for commands that *can* use sglists.
Reported-by: Zhang Qian
Fixes: 8fdc7839e40f43a426bc7e858cf1dbfe315a3804
Cc: qemu-sta...@nongnu.org
Signed-off-by: Paolo Bonzini
(cherry picked from commit 1f8af0d186abf9ef77
From: Bruce Rogers
Commit 4299b90 added a check which is too broad, given that the source
pitch value is not required to be initialized for solid fill operations.
This patch refines the blit_is_unsafe() check to ignore source pitch in
that case. After applying the above commit as a security patch
From: Greg Kurz
The name argument can never be an empty string, and dirfd always points to
the containing directory of the file name. AT_EMPTY_PATH is hence useless
here. Also it breaks build with glibc version 2.13 and older.
It is actually an oversight of a previous tentative patch to implement
From: Greg Kurz
The local_mkdir() callback is vulnerable to symlink attacks because it
calls:
(1) mkdir() which follows symbolic links for all path elements but the
rightmost one
(2) local_set_xattr()->setxattr() which follows symbolic links for all
path elements
(3) local_set_mapped_fil
From: Thomas Huth
If the buffer is not big enough, snprintf() does not return the number
of bytes that have been written to the buffer, but the number of bytes
that would be needed for writing the whole string. By using this value
for the following vnc_write() calls, we send some junk at the end
From: Greg Kurz
When using the passthrough security mode, symbolic links created by the
guest are actual symbolic links on the host file system.
Since the resolution of symbolic links during path walk is supposed to
occur on the client side, the server should hence never receive any path
pointin
From: Greg Kurz
This was spotted by Coverity as a fd leak. This is certainly true, but also
local_remove() would always return without doing anything, unless the fd is
zero, which is very unlikely.
(Coverity issue CID1371732)
Signed-off-by: Greg Kurz
Reviewed-by: Eric Blake
(cherry picked fro
From: Igor Mammedov
'hotplugged' property is meant to be used on the migration side when migrating
a source with hotplugged devices.
However, though it is not exactly correct usage of the 'hotplugged' property,
it's possible to set the generic hotplugged property for a CPU using
-cpu foo,hotplugged=on
or
-global fo
From: Li Qiang
When doing bitblt copy in backward mode, we should subtract the
blt width first, just like the adding in the forward mode. This
can avoid the oob access of the front of vga's vram.
Signed-off-by: Li Qiang
{ kraxel: with backward blits (negative pitch) addr is the topmost
a
From: Halil Pasic
Correct recalculation of vq->inuse after migration for the corner case
where the avail_idx has already wrapped but used_idx not yet.
Also change the type of the VirtQueue.inuse to unsigned int. This is
done to be consistent with other members representing sizes (VRing.num),
and
From: Caoxinhua
QEMU will crash with the following backtrace if the newly created thread exited
before we call qemu_thread_set_name() for it.
(gdb) bt
#0 0x7f9a68b095d7 in __GI_raise (sig=sig@entry=6) at
../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1 0x7f9a68b0acc8 in __GI_abort () at
From: Greg Kurz
Now that all the callbacks have been converted to use "at" syscalls, we
can drop this code.
Signed-off-by: Greg Kurz
Reviewed-by: Stefan Hajnoczi
(cherry picked from commit c23d5f1d5bc0e23aeb845b1af8f996f16783ce98)
Signed-off-by: Greg Kurz
Signed-off-by: Michael Roth
---
hw/
From: Greg Kurz
If these functions fail, they should not change *fs. Let's use local
variables to fix this.
Signed-off-by: Greg Kurz
Reviewed-by: Stefan Hajnoczi
(cherry picked from commit 21328e1e57f526e3f0c2fcd00f10c8aa6e7bc07f)
Signed-off-by: Greg Kurz
Signed-off-by: Michael Roth
---
hw/
From: "Michael S. Tsirkin"
Coverity reports that ARRAY_SIZE(elem->out_sg) (and all the others too)
is wrong because elem->out_sg is a pointer.
However, the check is not in the right place and the max_size argument
of virtqueue_map_iovec can be removed. The check on in_num/out_num
should be move
From: Greg Kurz
If this function fails, it should not modify *ctx.
Signed-off-by: Greg Kurz
Reviewed-by: Stefan Hajnoczi
(cherry picked from commit 00c90bd1c2ff6aabb9ca948a254ba044a403e399)
Signed-off-by: Greg Kurz
Signed-off-by: Michael Roth
---
hw/9pfs/9p-local.c | 37 +++-
From: Peter Xu
Split irqchip works based on the fact that we kept the first 24 gsi
routing entries inside KVM for userspace ioapic's use. When the system
boots, we'll reserve these MSI routing entries beforehand. However,
after migration, we forgot to re-configure it on the destination
side. The r
From: Greg Kurz
If we cannot open the given path, we can return right away instead of
passing -1 to fstatfs() and close(). This will make Coverity happy.
(Coverity issue CID1371729)
Signed-off-by: Greg Kurz
Reviewed-by: Daniel P. Berrange
Reviewed-by: Eric Blake
Reviewed-by: Philippe Mathieu
From: Peter Lieven
parse_uint_full wants to put the parsed value into the
variable passed via its second argument which is NULL.
Fixes: 94d6a7a76e9df9919629428f6c598e2b97d9426c
Cc: qemu-sta...@nongnu.org
Signed-off-by: Peter Lieven
Reviewed-by: Eric Blake
Message-id: 1485942829-10756-2-git-sen
From: Christian Borntraeger
Right now we reset all devices before we reset the cmma states. This
can result in the host kernel discarding guest pages that were
previously in the unused state but already contain a bios or a -kernel
file before the cmma reset has finished. This race results in ra
From: Marc-André Lureau
CharDriverState.be should be updated to point to the current
associated backend.
Fix the regression introduced in the "mux" chardev from commit
a4afa548fc6dd9842ed86639b4d37d4d1c4ad480.
https://bugs.launchpad.net/bugs/1654137
Signed-off-by: Marc-André Lureau
Message-Id
From: Peter Lieven
commit 94d6a7a accidentally left the naming of runtime opts and QAPI
scheme inconsistent. As one consequence passing of parameters in the
URI is broken. Sync the naming of the runtime opts to the QAPI
scheme.
Please note that this is technically backwards incompatible with the
From: Ladi Prosek
The AHCI emulation code supports 64-bit addressing and should advertise this
fact in the Host Capabilities register. Both Linux and Windows drivers test
this bit to decide if the upper 32 bits of various registers may be written
to, and at least some versions of Windows have a b
From: Greg Kurz
If the user passes -device virtio-9p without the corresponding -fsdev, QEMU
dereferences a NULL pointer and crashes.
This is a 2.8 regression introduced by commit 702dbcc274e2c.
Signed-off-by: Greg Kurz
Reviewed-by: Li Qiang
(cherry picked from commit f2b58c43758efc61e2a49b899