[pve-devel] [PATCH kvm] update to 2.5.1

Wolfgang Bumiller w.bumiller at proxmox.com
Fri Apr 1 09:56:26 CEST 2016


And removing the now unnecessary patches.
---
NOTES:
  * Should we also bump KVMVER in the Makefile?
  * Should we replace the tar+exclude command with this?
    $ git archive --format=tar --prefix=qemu-kvm/ v2.5.1 | gzip > ${KVMSRC}


 Makefile                                           |   2 +-
 ...8558-ehci_make_idt_processing_more_robust.patch |  49 -------
 ...CVE-2015-8613-scsi-initialize-info-object.patch |  31 ----
 .../extra/CVE-2015-8619-hmp-sendkey-oob-fix.patch  | 116 ---------------
 .../CVE-2015-8701-net-rocker-off-by-one.patch      |  47 ------
 .../CVE-2015-8743-ne2000-ioport-bounds-check.patch |  48 -------
 ...-1922-i386-avoid-null-pointer-dereference.patch |  64 ---------
 ...E-2016-1981-e1000-eliminate-infinite-loop.patch |  98 -------------
 .../extra/CVE-2016-2197-ahci-null-pointer.patch    |  55 -------
 ...check-USB-configuration-descriptor-object.patch |  33 -----
 ...-2016-2538-usb-check-RNDIS-message-length.patch | 111 --------------
 ...e2000-check-ring-buffer-control-registers.patch |  37 -----
 ...2016-2857-net-check-packet-payload-length.patch |  47 ------
 ...g-unbreak-migration-compatibility-for-2.4.patch | 159 ---------------------
 .../extra/vmxnet3-host-memory-leakage.patch        |  91 ------------
 debian/patches/series                              |  14 --
 16 files changed, 1 insertion(+), 1001 deletions(-)
 delete mode 100644 debian/patches/extra/CVE-2015-8558-ehci_make_idt_processing_more_robust.patch
 delete mode 100644 debian/patches/extra/CVE-2015-8613-scsi-initialize-info-object.patch
 delete mode 100644 debian/patches/extra/CVE-2015-8619-hmp-sendkey-oob-fix.patch
 delete mode 100644 debian/patches/extra/CVE-2015-8701-net-rocker-off-by-one.patch
 delete mode 100644 debian/patches/extra/CVE-2015-8743-ne2000-ioport-bounds-check.patch
 delete mode 100644 debian/patches/extra/CVE-2016-1922-i386-avoid-null-pointer-dereference.patch
 delete mode 100644 debian/patches/extra/CVE-2016-1981-e1000-eliminate-infinite-loop.patch
 delete mode 100644 debian/patches/extra/CVE-2016-2197-ahci-null-pointer.patch
 delete mode 100644 debian/patches/extra/CVE-2016-2392-check-USB-configuration-descriptor-object.patch
 delete mode 100644 debian/patches/extra/CVE-2016-2538-usb-check-RNDIS-message-length.patch
 delete mode 100644 debian/patches/extra/CVE-2016-2841-net-ne2000-check-ring-buffer-control-registers.patch
 delete mode 100644 debian/patches/extra/CVE-2016-2857-net-check-packet-payload-length.patch
 delete mode 100644 debian/patches/extra/fw_cfg-unbreak-migration-compatibility-for-2.4.patch
 delete mode 100644 debian/patches/extra/vmxnet3-host-memory-leakage.patch

diff --git a/Makefile b/Makefile
index d9951b3..154a765 100644
--- a/Makefile
+++ b/Makefile
@@ -24,7 +24,7 @@ download:
 	#git clone git://git.qemu-project.org/qemu.git -b stable-2.4 ${KVMDIR} 
 	git clone git://git.qemu-project.org/qemu.git ${KVMDIR}
 	# see https://bugs.launchpad.net/qemu/+bug/1488363?comments=all
-	cd ${KVMDIR}; git checkout v2.5.0; git revert --no-edit b8eb5512fd8a115f164edbbe897cdf8884920ccb
+	cd ${KVMDIR}; git checkout v2.5.1; git revert --no-edit b8eb5512fd8a115f164edbbe897cdf8884920ccb
 	tar czf ${KVMSRC} --exclude CVS --exclude .git --exclude .svn ${KVMDIR}
 
 ${DEBS} kvm: ${KVMSRC}
diff --git a/debian/patches/extra/CVE-2015-8558-ehci_make_idt_processing_more_robust.patch b/debian/patches/extra/CVE-2015-8558-ehci_make_idt_processing_more_robust.patch
deleted file mode 100644
index 743b68d..0000000
--- a/debian/patches/extra/CVE-2015-8558-ehci_make_idt_processing_more_robust.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From: Gerd Hoffmann
-Subject: [Qemu-devel] [PULL 5/5] ehci: make idt processing more robust
-
-Make ehci_process_itd return an error in case we didn't do any actual
-iso transfer because we've found no active transaction.  That'll avoid
-ehci happily run in circles forever if the guest builds a loop out of
-idts.
-
-This is CVE-2015-8558.
-
-Cc: qemu-stable at nongnu.org
-Reported-by: Qinghao Tang <luodalongde at gmail.com>
-Tested-by: P J P <ppandit at redhat.com>
-Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
----
- hw/usb/hcd-ehci.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
-index 4e2161b..d07f228 100644
---- a/hw/usb/hcd-ehci.c
-+++ b/hw/usb/hcd-ehci.c
-@@ -1389,7 +1389,7 @@ static int ehci_process_itd(EHCIState *ehci,
- {
-     USBDevice *dev;
-     USBEndpoint *ep;
--    uint32_t i, len, pid, dir, devaddr, endp;
-+    uint32_t i, len, pid, dir, devaddr, endp, xfers = 0;
-     uint32_t pg, off, ptr1, ptr2, max, mult;
- 
-     ehci->periodic_sched_active = PERIODIC_ACTIVE;
-@@ -1479,9 +1479,10 @@ static int ehci_process_itd(EHCIState *ehci,
-                 ehci_raise_irq(ehci, USBSTS_INT);
-             }
-             itd->transact[i] &= ~ITD_XACT_ACTIVE;
-+            xfers++;
-         }
-     }
--    return 0;
-+    return xfers ? 0 : -1;
- }
- 
- 
--- 
-1.8.3.1
-
-
-
-
diff --git a/debian/patches/extra/CVE-2015-8613-scsi-initialize-info-object.patch b/debian/patches/extra/CVE-2015-8613-scsi-initialize-info-object.patch
deleted file mode 100644
index ee0f36d..0000000
--- a/debian/patches/extra/CVE-2015-8613-scsi-initialize-info-object.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 5823b4a214ede884f4ba597fdd629862620e0f92 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp at fedoraproject.org>
-Date: Mon, 21 Dec 2015 14:48:18 +0530
-Subject: [PATCH] scsi: initialise info object with appropriate size
-
-While processing controller 'CTRL_GET_INFO' command, the routine
-'megasas_ctrl_get_info' overflows the '&info' object size. Use its
-appropriate size to null initialise it.
-
-Reported-by: Qinghao Tang <luodalongde at gmail.com>
-Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
----
-  hw/scsi/megasas.c | 2 +-
-  1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
-index d7dc667..576f56c 100644
---- a/hw/scsi/megasas.c
-+++ b/hw/scsi/megasas.c
-@@ -718,7 +718,7 @@ static int megasas_ctrl_get_info(MegasasState *s, MegasasCmd *cmd)
-     BusChild *kid;
-     int num_pd_disks = 0;
- 
--    memset(&info, 0x0, cmd->iov_size);
-+    memset(&info, 0x0, dcmd_size);
-     if (cmd->iov_size < dcmd_size) {
-         trace_megasas_dcmd_invalid_xfer_len(cmd->index, cmd->iov_size,
-                                             dcmd_size);
--- 
-2.4.3
-===
diff --git a/debian/patches/extra/CVE-2015-8619-hmp-sendkey-oob-fix.patch b/debian/patches/extra/CVE-2015-8619-hmp-sendkey-oob-fix.patch
deleted file mode 100644
index 86e26db..0000000
--- a/debian/patches/extra/CVE-2015-8619-hmp-sendkey-oob-fix.patch
+++ /dev/null
@@ -1,116 +0,0 @@
-From 136dd5ac96fc21654a31aff7fa88b86570c8fc72 Mon Sep 17 00:00:00 2001
-From: Wolfgang Bumiller <w.bumiller at proxmox.com>
-Date: Wed, 13 Jan 2016 08:46:31 +0100
-Subject: [PATCH] hmp: fix sendkey out of bounds write (CVE-2015-8619)
-
-When processing 'sendkey' command, hmp_sendkey routine null
-terminates the 'keyname_buf' array. This results in an OOB
-write issue, if 'keyname_len' was to fall outside of
-'keyname_buf' array.
-
-Since the keyname's length is known the keyname_buf can be
-removed altogether by adding a length parameter to
-index_from_key() and using it for the error output as well.
-
-Reported-by: Ling Liu <liuling-it at 360.cn>
-Signed-off-by: Wolfgang Bumiller <w.bumiller at proxmox.com>
----
- hmp.c                | 17 +++++++----------
- include/ui/console.h |  2 +-
- ui/input-legacy.c    |  5 +++--
- 3 files changed, 11 insertions(+), 13 deletions(-)
-
-diff --git a/hmp.c b/hmp.c
-index c2b2c16..066ccf8 100644
---- a/hmp.c
-+++ b/hmp.c
-@@ -1742,21 +1742,18 @@ void hmp_sendkey(Monitor *mon, const QDict *qdict)
-     int has_hold_time = qdict_haskey(qdict, "hold-time");
-     int hold_time = qdict_get_try_int(qdict, "hold-time", -1);
-     Error *err = NULL;
--    char keyname_buf[16];
-     char *separator;
-     int keyname_len;
- 
-     while (1) {
-         separator = strchr(keys, '-');
-         keyname_len = separator ? separator - keys : strlen(keys);
--        pstrcpy(keyname_buf, sizeof(keyname_buf), keys);
- 
-         /* Be compatible with old interface, convert user inputted "<" */
--        if (!strncmp(keyname_buf, "<", 1) && keyname_len == 1) {
--            pstrcpy(keyname_buf, sizeof(keyname_buf), "less");
-+        if (!strncmp(keys, "<", 1) && keyname_len == 1) {
-+            keys = "less";
-             keyname_len = 4;
-         }
--        keyname_buf[keyname_len] = 0;
- 
-         keylist = g_malloc0(sizeof(*keylist));
-         keylist->value = g_malloc0(sizeof(*keylist->value));
-@@ -1769,16 +1766,16 @@ void hmp_sendkey(Monitor *mon, const QDict *qdict)
-         }
-         tmp = keylist;
- 
--        if (strstart(keyname_buf, "0x", NULL)) {
-+        if (strstart(keys, "0x", NULL)) {
-             char *endp;
--            int value = strtoul(keyname_buf, &endp, 0);
--            if (*endp != '\0') {
-+            int value = strtoul(keys, &endp, 0);
-+            if (*endp != '\0' && *endp != '-') {
-                 goto err_out;
-             }
-             keylist->value->type = KEY_VALUE_KIND_NUMBER;
-             keylist->value->u.number = value;
-         } else {
--            int idx = index_from_key(keyname_buf);
-+            int idx = index_from_key(keys, keyname_len);
-             if (idx == Q_KEY_CODE_MAX) {
-                 goto err_out;
-             }
-@@ -1800,7 +1797,7 @@ out:
-     return;
- 
- err_out:
--    monitor_printf(mon, "invalid parameter: %s\n", keyname_buf);
-+    monitor_printf(mon, "invalid parameter: %.*s\n", keyname_len, keys);
-     goto out;
- }
- 
-diff --git a/include/ui/console.h b/include/ui/console.h
-index adac36d..116bc2b 100644
---- a/include/ui/console.h
-+++ b/include/ui/console.h
-@@ -448,7 +448,7 @@ static inline int vnc_display_pw_expire(const char *id, time_t expires)
- void curses_display_init(DisplayState *ds, int full_screen);
- 
- /* input.c */
--int index_from_key(const char *key);
-+int index_from_key(const char *key, size_t key_length);
- 
- /* gtk.c */
- void early_gtk_display_init(int opengl);
-diff --git a/ui/input-legacy.c b/ui/input-legacy.c
-index 35dfc27..3454055 100644
---- a/ui/input-legacy.c
-+++ b/ui/input-legacy.c
-@@ -57,12 +57,13 @@ struct QEMUPutLEDEntry {
- static QTAILQ_HEAD(, QEMUPutLEDEntry) led_handlers =
-     QTAILQ_HEAD_INITIALIZER(led_handlers);
- 
--int index_from_key(const char *key)
-+int index_from_key(const char *key, size_t key_length)
- {
-     int i;
- 
-     for (i = 0; QKeyCode_lookup[i] != NULL; i++) {
--        if (!strcmp(key, QKeyCode_lookup[i])) {
-+        if (!strncmp(key, QKeyCode_lookup[i], key_length) &&
-+            !QKeyCode_lookup[i][key_length]) {
-             break;
-         }
-     }
--- 
-2.1.4
-
diff --git a/debian/patches/extra/CVE-2015-8701-net-rocker-off-by-one.patch b/debian/patches/extra/CVE-2015-8701-net-rocker-off-by-one.patch
deleted file mode 100644
index 7b17355..0000000
--- a/debian/patches/extra/CVE-2015-8701-net-rocker-off-by-one.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 60e8fd72b0faaf940e220a0514001b86b7149e09 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp at fedoraproject.org>
-Date: Mon, 28 Dec 2015 16:24:08 +0530
-Subject: [PATCH] net: rocker: fix an incorrect array bounds check
-
-While processing transmit(tx) descriptors in 'tx_consume' routine
-the switch emulator suffers from an off-by-one error, if a
-descriptor was to have more than allowed(ROCKER_TX_FRAGS_MAX=16)
-fragments. Fix an incorrect bounds check to avoid it.
-
-Reported-by: Qinghao Tang <luodalongde at gmail.com>
-Cc: qemu-stable at nongnu.org
-Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
-Signed-off-by: Jason Wang <jasowang at redhat.com>
----
- hw/net/rocker/rocker.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/hw/net/rocker/rocker.c b/hw/net/rocker/rocker.c
-index c57f1a6..2e77e50 100644
---- a/hw/net/rocker/rocker.c
-+++ b/hw/net/rocker/rocker.c
-@@ -232,6 +232,9 @@ static int tx_consume(Rocker *r, DescInfo *info)
-         frag_addr = rocker_tlv_get_le64(tlvs[ROCKER_TLV_TX_FRAG_ATTR_ADDR]);
-         frag_len = rocker_tlv_get_le16(tlvs[ROCKER_TLV_TX_FRAG_ATTR_LEN]);
- 
-+        if (iovcnt >= ROCKER_TX_FRAGS_MAX) {
-+            goto err_too_many_frags;
-+        }
-         iov[iovcnt].iov_len = frag_len;
-         iov[iovcnt].iov_base = g_malloc(frag_len);
-         if (!iov[iovcnt].iov_base) {
-@@ -244,10 +247,7 @@ static int tx_consume(Rocker *r, DescInfo *info)
-             err = -ROCKER_ENXIO;
-             goto err_bad_io;
-         }
--
--        if (++iovcnt > ROCKER_TX_FRAGS_MAX) {
--            goto err_too_many_frags;
--        }
-+        iovcnt++;
-     }
- 
-     if (iovcnt) {
--- 
-2.1.4
-
diff --git a/debian/patches/extra/CVE-2015-8743-ne2000-ioport-bounds-check.patch b/debian/patches/extra/CVE-2015-8743-ne2000-ioport-bounds-check.patch
deleted file mode 100644
index 5b34ecf..0000000
--- a/debian/patches/extra/CVE-2015-8743-ne2000-ioport-bounds-check.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From ab216355b6d509dce42fda4391f61b49df2ddc93 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp at fedoraproject.org>
-Date: Thu, 31 Dec 2015 17:05:27 +0530
-Subject: [PATCH] net: ne2000: fix bounds check in ioport operations
-
-While doing ioport r/w operations, ne2000 device emulation suffers
-from OOB r/w errors. Update respective array bounds check to avoid
-OOB access.
-
-Reported-by: Ling Liu <liuling-it at 360.cn>
-Cc: qemu-stable at nongnu.org
-Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
-Signed-off-by: Jason Wang <jasowang at redhat.com>
----
- hw/net/ne2000.c | 10 ++++++----
- 1 file changed, 6 insertions(+), 4 deletions(-)
-
-diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
-index 010f9ef..a3dffff 100644
---- a/hw/net/ne2000.c
-+++ b/hw/net/ne2000.c
-@@ -467,8 +467,9 @@ static inline void ne2000_mem_writel(NE2000State *s, uint32_t addr,
-                                      uint32_t val)
- {
-     addr &= ~1; /* XXX: check exact behaviour if not even */
--    if (addr < 32 ||
--        (addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE)) {
-+    if (addr < 32
-+        || (addr >= NE2000_PMEM_START
-+            && addr + sizeof(uint32_t) <= NE2000_MEM_SIZE)) {
-         stl_le_p(s->mem + addr, val);
-     }
- }
-@@ -497,8 +498,9 @@ static inline uint32_t ne2000_mem_readw(NE2000State *s, uint32_t addr)
- static inline uint32_t ne2000_mem_readl(NE2000State *s, uint32_t addr)
- {
-     addr &= ~1; /* XXX: check exact behaviour if not even */
--    if (addr < 32 ||
--        (addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE)) {
-+    if (addr < 32
-+        || (addr >= NE2000_PMEM_START
-+            && addr + sizeof(uint32_t) <= NE2000_MEM_SIZE)) {
-         return ldl_le_p(s->mem + addr);
-     } else {
-         return 0xffffffff;
--- 
-2.1.4
-
diff --git a/debian/patches/extra/CVE-2016-1922-i386-avoid-null-pointer-dereference.patch b/debian/patches/extra/CVE-2016-1922-i386-avoid-null-pointer-dereference.patch
deleted file mode 100644
index e294b22..0000000
--- a/debian/patches/extra/CVE-2016-1922-i386-avoid-null-pointer-dereference.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From 47568e18c6599962f711bc2ae3cc45fe6900130d Mon Sep 17 00:00:00 2001
-From: P J P <ppandit at redhat.com>
-Date: Fri, 18 Dec 2015 11:35:07 +0530
-Subject: [PATCH] i386: avoid null pointer dereference
-
-    Hello,
-
-A null pointer dereference issue was reported by Mr Ling Liu, CC'd here. It
-occurs while doing I/O port write operations via hmp interface. In that,
-'current_cpu' remains null as it is not called from cpu_exec loop, which
-results in the said issue.
-
-Below is a proposed (tested)patch to fix this issue; Does it look okay?
-
-===
-From ae88a4947fab9a148cd794f8ad2d812e7f5a1d0f Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp at fedoraproject.org>
-Date: Fri, 18 Dec 2015 11:16:07 +0530
-Subject: [PATCH] i386: avoid null pointer dereference
-
-When I/O port write operation is called from hmp interface,
-'current_cpu' remains null, as it is not called from cpu_exec()
-loop. This leads to a null pointer dereference in vapic_write
-routine. Add check to avoid it.
-
-Reported-by: Ling Liu <liuling-it at 360.cn>
-Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
-Message-Id: <alpine.LFD.2.20.1512181129320.9805 at wniryva>
-Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
----
- hw/i386/kvmvapic.c | 15 ++++++++++-----
- 1 file changed, 10 insertions(+), 5 deletions(-)
-
-diff --git a/hw/i386/kvmvapic.c b/hw/i386/kvmvapic.c
-index c6d34b2..f0922da 100644
---- a/hw/i386/kvmvapic.c
-+++ b/hw/i386/kvmvapic.c
-@@ -634,13 +634,18 @@ static int vapic_prepare(VAPICROMState *s)
- static void vapic_write(void *opaque, hwaddr addr, uint64_t data,
-                         unsigned int size)
- {
--    CPUState *cs = current_cpu;
--    X86CPU *cpu = X86_CPU(cs);
--    CPUX86State *env = &cpu->env;
--    hwaddr rom_paddr;
-     VAPICROMState *s = opaque;
-+    X86CPU *cpu;
-+    CPUX86State *env;
-+    hwaddr rom_paddr;
- 
--    cpu_synchronize_state(cs);
-+    if (!current_cpu) {
-+        return;
-+    }
-+
-+    cpu_synchronize_state(current_cpu);
-+    cpu = X86_CPU(current_cpu);
-+    env = &cpu->env;
- 
-     /*
-      * The VAPIC supports two PIO-based hypercalls, both via port 0x7E.
--- 
-2.1.4
-
diff --git a/debian/patches/extra/CVE-2016-1981-e1000-eliminate-infinite-loop.patch b/debian/patches/extra/CVE-2016-1981-e1000-eliminate-infinite-loop.patch
deleted file mode 100644
index baf86bf..0000000
--- a/debian/patches/extra/CVE-2016-1981-e1000-eliminate-infinite-loop.patch
+++ /dev/null
@@ -1,98 +0,0 @@
-From e55bfae32b6e3ea1e9a8a318e1b9e76acbcdd50b Mon Sep 17 00:00:00 2001
-From: Laszlo Ersek <lersek at redhat.com>
-Date: Tue, 19 Jan 2016 14:17:20 +0100
-Subject: [PATCH] e1000: eliminate infinite loops on out-of-bounds transfer
- start
-
-The start_xmit() and e1000_receive_iov() functions implement DMA transfers
-iterating over a set of descriptors that the guest's e1000 driver
-prepares:
-
-- the TDLEN and RDLEN registers store the total size of the descriptor
-  area,
-
-- while the TDH and RDH registers store the offset (in whole tx / rx
-  descriptors) into the area where the transfer is supposed to start.
-
-Each time a descriptor is processed, the TDH and RDH register is bumped
-(as appropriate for the transfer direction).
-
-QEMU already contains logic to deal with bogus transfers submitted by the
-guest:
-
-- Normally, the transmit case wants to increase TDH from its initial value
-  to TDT. (TDT is allowed to be numerically smaller than the initial TDH
-  value; wrapping at or above TDLEN bytes to zero is normal.) The failsafe
-  that QEMU currently has here is a check against reaching the original
-  TDH value again -- a complete wraparound, which should never happen.
-
-- In the receive case RDH is increased from its initial value until
-  "total_size" bytes have been received; preferably in a single step, or
-  in "s->rxbuf_size" byte steps, if the latter is smaller. However, null
-  RX descriptors are skipped without receiving data, while RDH is
-  incremented just the same. QEMU tries to prevent an infinite loop
-  (processing only null RX descriptors) by detecting whether RDH assumes
-  its original value during the loop. (Again, wrapping from RDLEN to 0 is
-  normal.)
-
-What both directions miss is that the guest could program TDLEN and RDLEN
-so low, and the initial TDH and RDH so high, that these registers will
-immediately be truncated to zero, and then never reassume their initial
-values in the loop -- a full wraparound will never occur.
-
-The condition that expresses this is:
-
-  xdh_start >= s->mac_reg[XDLEN] / sizeof(desc)
-
-i.e., TDH or RDH start out after the last whole rx or tx descriptor that
-fits into the TDLEN or RDLEN sized area.
-
-This condition could be checked before we enter the loops, but
-pci_dma_read() / pci_dma_write() knows how to fill in buffers safely for
-bogus DMA addresses, so we just extend the existing failsafes with the
-above condition.
-
-This is CVE-2016-1981.
-
-Cc: "Michael S. Tsirkin" <mst at redhat.com>
-Cc: Petr Matousek <pmatouse at redhat.com>
-Cc: Stefano Stabellini <stefano.stabellini at eu.citrix.com>
-Cc: Prasad Pandit <ppandit at redhat.com>
-Cc: Michael Roth <mdroth at linux.vnet.ibm.com>
-Cc: Jason Wang <jasowang at redhat.com>
-Cc: qemu-stable at nongnu.org
-RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1296044
-Signed-off-by: Laszlo Ersek <lersek at redhat.com>
-Reviewed-by: Jason Wang <jasowang at redhat.com>
-Signed-off-by: Jason Wang <jasowang at redhat.com>
----
- hw/net/e1000.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/hw/net/e1000.c b/hw/net/e1000.c
-index bec06e9..34d0823 100644
---- a/hw/net/e1000.c
-+++ b/hw/net/e1000.c
-@@ -908,7 +908,8 @@ start_xmit(E1000State *s)
-          * bogus values to TDT/TDLEN.
-          * there's nothing too intelligent we could do about this.
-          */
--        if (s->mac_reg[TDH] == tdh_start) {
-+        if (s->mac_reg[TDH] == tdh_start ||
-+            tdh_start >= s->mac_reg[TDLEN] / sizeof(desc)) {
-             DBGOUT(TXERR, "TDH wraparound @%x, TDT %x, TDLEN %x\n",
-                    tdh_start, s->mac_reg[TDT], s->mac_reg[TDLEN]);
-             break;
-@@ -1165,7 +1166,8 @@ e1000_receive_iov(NetClientState *nc, const struct iovec *iov, int iovcnt)
-         if (++s->mac_reg[RDH] * sizeof(desc) >= s->mac_reg[RDLEN])
-             s->mac_reg[RDH] = 0;
-         /* see comment in start_xmit; same here */
--        if (s->mac_reg[RDH] == rdh_start) {
-+        if (s->mac_reg[RDH] == rdh_start ||
-+            rdh_start >= s->mac_reg[RDLEN] / sizeof(desc)) {
-             DBGOUT(RXERR, "RDH wraparound @%x, RDT %x, RDLEN %x\n",
-                    rdh_start, s->mac_reg[RDT], s->mac_reg[RDLEN]);
-             set_ics(s, 0, E1000_ICS_RXO);
--- 
-2.1.4
-
diff --git a/debian/patches/extra/CVE-2016-2197-ahci-null-pointer.patch b/debian/patches/extra/CVE-2016-2197-ahci-null-pointer.patch
deleted file mode 100644
index 1a3da44..0000000
--- a/debian/patches/extra/CVE-2016-2197-ahci-null-pointer.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From 867dcfc8c153c463090b972c2afc7b90700bab91 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp at fedoraproject.org>
-Date: Fri, 29 Jan 2016 01:18:50 +0530
-Subject: [PATCH 2/2] ide: ahci: add check before calling dma_memory_unmap
-
-When IDE AHCI emulation uses Frame Information Structures(FIS)
-engine for data transfer, the mapped FIS buffer address is stored
-in a static 'bounce.buffer'. When a request is made to map another
-memory region, address_space_map() returns NULL because
-'bounce.buffer' is in_use. It leads to a null pointer dereference
-error while doing 'dma_memory_unmap'. Add a check to avoid it.
-
-Reported-by: Zuozhi fzz <zuozhi.fzz at alibaba-inc.com>
-Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
----
- hw/ide/ahci.c | 16 ++++++++++------
- 1 file changed, 10 insertions(+), 6 deletions(-)
-
-diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
-index dd1912e..ea351fe 100644
---- a/hw/ide/ahci.c
-+++ b/hw/ide/ahci.c
-@@ -661,9 +661,11 @@ static bool ahci_map_fis_address(AHCIDevice *ad)
- 
- static void ahci_unmap_fis_address(AHCIDevice *ad)
- {
--    dma_memory_unmap(ad->hba->as, ad->res_fis, 256,
--                     DMA_DIRECTION_FROM_DEVICE, 256);
--    ad->res_fis = NULL;
-+    if (ad->res_fis) {
-+        dma_memory_unmap(ad->hba->as, ad->res_fis, 256,
-+                         DMA_DIRECTION_FROM_DEVICE, 256);
-+        ad->res_fis = NULL;
-+    }
- }
- 
- static bool ahci_map_clb_address(AHCIDevice *ad)
-@@ -677,9 +679,11 @@ static bool ahci_map_clb_address(AHCIDevice *ad)
- 
- static void ahci_unmap_clb_address(AHCIDevice *ad)
- {
--    dma_memory_unmap(ad->hba->as, ad->lst, 1024,
--                     DMA_DIRECTION_FROM_DEVICE, 1024);
--    ad->lst = NULL;
-+    if (ad->lst) {
-+        dma_memory_unmap(ad->hba->as, ad->lst, 1024,
-+                         DMA_DIRECTION_FROM_DEVICE, 1024);
-+        ad->lst = NULL;
-+    }
- }
- 
- static void ahci_write_fis_sdb(AHCIState *s, NCQTransferState *ncq_tfs)
--- 
-2.1.4
-
diff --git a/debian/patches/extra/CVE-2016-2392-check-USB-configuration-descriptor-object.patch b/debian/patches/extra/CVE-2016-2392-check-USB-configuration-descriptor-object.patch
deleted file mode 100644
index 6616649..0000000
--- a/debian/patches/extra/CVE-2016-2392-check-USB-configuration-descriptor-object.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From f979659e509e9d6da5cd3d74c459b944e131ce73 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp at fedoraproject.org>
-Date: Thu, 11 Feb 2016 16:31:20 +0530
-Subject: [PATCH] usb: check USB configuration descriptor object
-
-When processing remote NDIS control message packets, the USB Net
-device emulator checks to see if the USB configuration descriptor
-object is of RNDIS type(2). But it does not check if it is null,
-which leads to a null dereference error. Add check to avoid it.
-
-Reported-by: Qinghao Tang <luodalongde at gmail.com>
-Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
----
- hw/usb/dev-network.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/hw/usb/dev-network.c b/hw/usb/dev-network.c
-index 7800cee..8a4ff49 100644
---- a/hw/usb/dev-network.c
-+++ b/hw/usb/dev-network.c
-@@ -653,7 +653,8 @@ typedef struct USBNetState {
- 
- static int is_rndis(USBNetState *s)
- {
--    return s->dev.config->bConfigurationValue == DEV_RNDIS_CONFIG_VALUE;
-+    return s->dev.config ?
-+            s->dev.config->bConfigurationValue == DEV_RNDIS_CONFIG_VALUE : 0;
- }
- 
- static int ndis_query(USBNetState *s, uint32_t oid,
--- 
-2.1.4
-
diff --git a/debian/patches/extra/CVE-2016-2538-usb-check-RNDIS-message-length.patch b/debian/patches/extra/CVE-2016-2538-usb-check-RNDIS-message-length.patch
deleted file mode 100644
index 57491ef..0000000
--- a/debian/patches/extra/CVE-2016-2538-usb-check-RNDIS-message-length.patch
+++ /dev/null
@@ -1,111 +0,0 @@
-From 56ed8c01f949f8a0ee45bfe91aed3a973c79a5db Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp at fedoraproject.org>
-Date: Wed, 17 Feb 2016 00:23:40 +0530
-Subject: [PATCH] usb: check RNDIS message length
-
-When processing remote NDIS control message packets, the USB Net
-device emulator uses a fixed length(4096) data buffer. The incoming
-packet length could exceed this limit. Add a check to avoid it.
-
-Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
-
-usb: check RNDIS buffer offsets & length
-
-When processing remote NDIS control message packets,
-the USB Net device emulator uses a fixed length(4096) data buffer.
-The incoming informationBufferOffset & Length combination could
-overflow and cross that range. Check control message buffer
-offsets and length to avoid it.
-
-Reported-by: Qinghao Tang <luodalongde at gmail.com>
-Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
----
- hw/usb/core.c        | 18 +++++++++---------
- hw/usb/dev-network.c |  9 ++++++---
- 2 files changed, 15 insertions(+), 12 deletions(-)
-
-diff --git a/hw/usb/core.c b/hw/usb/core.c
-index d0025db..7f46370 100644
---- a/hw/usb/core.c
-+++ b/hw/usb/core.c
-@@ -128,9 +128,16 @@ static void do_token_setup(USBDevice *s, USBPacket *p)
-     }
- 
-     usb_packet_copy(p, s->setup_buf, p->iov.size);
-+    s->setup_index = 0;
-     p->actual_length = 0;
-     s->setup_len   = (s->setup_buf[7] << 8) | s->setup_buf[6];
--    s->setup_index = 0;
-+    if (s->setup_len > sizeof(s->data_buf)) {
-+        fprintf(stderr,
-+                "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",
-+                s->setup_len, sizeof(s->data_buf));
-+        p->status = USB_RET_STALL;
-+        return;
-+    }
- 
-     request = (s->setup_buf[0] << 8) | s->setup_buf[1];
-     value   = (s->setup_buf[3] << 8) | s->setup_buf[2];
-@@ -151,13 +158,6 @@ static void do_token_setup(USBDevice *s, USBPacket *p)
-         }
-         s->setup_state = SETUP_STATE_DATA;
-     } else {
--        if (s->setup_len > sizeof(s->data_buf)) {
--            fprintf(stderr,
--                "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",
--                s->setup_len, sizeof(s->data_buf));
--            p->status = USB_RET_STALL;
--            return;
--        }
-         if (s->setup_len == 0)
-             s->setup_state = SETUP_STATE_ACK;
-         else
-@@ -176,7 +176,7 @@ static void do_token_in(USBDevice *s, USBPacket *p)
-     request = (s->setup_buf[0] << 8) | s->setup_buf[1];
-     value   = (s->setup_buf[3] << 8) | s->setup_buf[2];
-     index   = (s->setup_buf[5] << 8) | s->setup_buf[4];
-- 
-+
-     switch(s->setup_state) {
-     case SETUP_STATE_ACK:
-         if (!(s->setup_buf[0] & USB_DIR_IN)) {
-diff --git a/hw/usb/dev-network.c b/hw/usb/dev-network.c
-index 8a4ff49..180adce 100644
---- a/hw/usb/dev-network.c
-+++ b/hw/usb/dev-network.c
-@@ -915,8 +915,9 @@ static int rndis_query_response(USBNetState *s,
- 
-     bufoffs = le32_to_cpu(buf->InformationBufferOffset) + 8;
-     buflen = le32_to_cpu(buf->InformationBufferLength);
--    if (bufoffs + buflen > length)
-+    if (buflen > length || bufoffs >= length || bufoffs + buflen > length) {
-         return USB_RET_STALL;
-+    }
- 
-     infobuflen = ndis_query(s, le32_to_cpu(buf->OID),
-                             bufoffs + (uint8_t *) buf, buflen, infobuf,
-@@ -961,8 +962,9 @@ static int rndis_set_response(USBNetState *s,
- 
-     bufoffs = le32_to_cpu(buf->InformationBufferOffset) + 8;
-     buflen = le32_to_cpu(buf->InformationBufferLength);
--    if (bufoffs + buflen > length)
-+    if (buflen > length || bufoffs >= length || bufoffs + buflen > length) {
-         return USB_RET_STALL;
-+    }
- 
-     ret = ndis_set(s, le32_to_cpu(buf->OID),
-                     bufoffs + (uint8_t *) buf, buflen);
-@@ -1212,8 +1214,9 @@ static void usb_net_handle_dataout(USBNetState *s, USBPacket *p)
-     if (le32_to_cpu(msg->MessageType) == RNDIS_PACKET_MSG) {
-         uint32_t offs = 8 + le32_to_cpu(msg->DataOffset);
-         uint32_t size = le32_to_cpu(msg->DataLength);
--        if (offs + size <= len)
-+        if (offs < len && size < len && offs + size <= len) {
-             qemu_send_packet(qemu_get_queue(s->nic), s->out_buf + offs, size);
-+        }
-     }
-     s->out_ptr -= len;
-     memmove(s->out_buf, &s->out_buf[len], s->out_ptr);
--- 
-2.1.4
-
diff --git a/debian/patches/extra/CVE-2016-2841-net-ne2000-check-ring-buffer-control-registers.patch b/debian/patches/extra/CVE-2016-2841-net-ne2000-check-ring-buffer-control-registers.patch
deleted file mode 100644
index c92068e..0000000
--- a/debian/patches/extra/CVE-2016-2841-net-ne2000-check-ring-buffer-control-registers.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 081109008ca6f6adae2bcda2bc5c3472553cc110 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp at fedoraproject.org>
-Date: Wed, 24 Feb 2016 11:41:33 +0530
-Subject: [PATCH] net: ne2000: check ring buffer control registers
-
-Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
-bytes to process network packets. Registers PSTART & PSTOP
-define ring buffer size & location. Setting these registers
-to invalid values could lead to infinite loop or OOB r/w
-access issues. Add check to avoid it.
-
-Reported-by: Yang Hongke <yanghongke at huawei.com>
-Tested-by: Yang Hongke <yanghongke at huawei.com>
-Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
-Signed-off-by: Jason Wang <jasowang at redhat.com>
----
- hw/net/ne2000.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
-index 010f9ef..84a7263 100644
---- a/hw/net/ne2000.c
-+++ b/hw/net/ne2000.c
-@@ -154,6 +154,10 @@ static int ne2000_buffer_full(NE2000State *s)
- {
-     int avail, index, boundary;
- 
-+    if (s->stop <= s->start) {
-+        return 1;
-+    }
-+
-     index = s->curpag << 8;
-     boundary = s->boundary << 8;
-     if (index < boundary)
--- 
-2.1.4
-
diff --git a/debian/patches/extra/CVE-2016-2857-net-check-packet-payload-length.patch b/debian/patches/extra/CVE-2016-2857-net-check-packet-payload-length.patch
deleted file mode 100644
index 4a20cd8..0000000
--- a/debian/patches/extra/CVE-2016-2857-net-check-packet-payload-length.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From c0d732a6233af2f148c59f3b81f95f429ea235cb Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp at fedoraproject.org>
-Date: Wed, 2 Mar 2016 17:29:58 +0530
-Subject: [PATCH] net: check packet payload length
-
-While computing IP checksum, 'net_checksum_calculate' reads
-payload length from the packet. It could exceed the given 'data'
-buffer size. Add a check to avoid it.
-
-Reported-by: Liu Ling <liuling-it at 360.cn>
-Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
-Signed-off-by: Jason Wang <jasowang at redhat.com>
----
- net/checksum.c | 10 ++++++++--
- 1 file changed, 8 insertions(+), 2 deletions(-)
-
-diff --git a/net/checksum.c b/net/checksum.c
-index 14c0855..0942437 100644
---- a/net/checksum.c
-+++ b/net/checksum.c
-@@ -59,6 +59,11 @@ void net_checksum_calculate(uint8_t *data, int length)
-     int hlen, plen, proto, csum_offset;
-     uint16_t csum;
- 
-+    /* Ensure data has complete L2 & L3 headers. */
-+    if (length < 14 + 20) {
-+        return;
-+    }
-+
-     if ((data[14] & 0xf0) != 0x40)
- 	return; /* not IPv4 */
-     hlen  = (data[14] & 0x0f) * 4;
-@@ -76,8 +81,9 @@ void net_checksum_calculate(uint8_t *data, int length)
- 	return;
-     }
- 
--    if (plen < csum_offset+2)
--	return;
-+    if (plen < csum_offset + 2 || 14 + hlen + plen > length) {
-+        return;
-+    }
- 
-     data[14+hlen+csum_offset]   = 0;
-     data[14+hlen+csum_offset+1] = 0;
--- 
-2.1.4
-
diff --git a/debian/patches/extra/fw_cfg-unbreak-migration-compatibility-for-2.4.patch b/debian/patches/extra/fw_cfg-unbreak-migration-compatibility-for-2.4.patch
deleted file mode 100644
index 3426471..0000000
--- a/debian/patches/extra/fw_cfg-unbreak-migration-compatibility-for-2.4.patch
+++ /dev/null
@@ -1,159 +0,0 @@
-From patchwork Thu Feb 18 19:31:00 2016
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 8bit
-Subject: fw_cfg: unbreak migration compatibility for 2.4 and earlier machines
-From: Laszlo Ersek <lersek at redhat.com>
-X-Patchwork-Id: 584876
-Message-Id: <1455823860-22268-1-git-send-email-lersek at redhat.com>
-To: qemu-devel at nongnu.org
-Cc: =?UTF-8?q?Marc=20Mar=ED?= <markmb at redhat.com>,
- Gerd Hoffmann <kraxel at redhat.com>,
- Alexandre DERUMIER <aderumier at odiso.com>, qemu-stable at nongnu.org
-Date: Thu, 18 Feb 2016 20:31:00 +0100
-
-When I reviewed Marc's fw_cfg DMA patches, I completely missed that the
-way we set dma_enabled would break migration.
-
-Gerd explained the right way (see reference below): dma_enabled should be
-set to true by default, and only true->false transitions should be
-possible:
-
-- when the user requests that with
-
-    -global fw_cfg_mem.dma_enabled=off
-
-  or
-
-   -global fw_cfg_io.dma_enabled=off
-
-  as appropriate for the platform,
-
-- when HW_COMPAT_2_4 dictates it,
-
-- when board code initializes fw_cfg without requesting DMA support.
-
-Cc: Marc Marí <markmb at redhat.com>
-Cc: Gerd Hoffmann <kraxel at redhat.com>
-Cc: Alexandre DERUMIER <aderumier at odiso.com>
-Cc: qemu-stable at nongnu.org
-Ref: http://thread.gmane.org/gmane.comp.emulators.qemu/390272/focus=391042
-Ref: https://bugs.launchpad.net/qemu/+bug/1536487
-Suggested-by: Gerd Hoffmann <kraxel at redhat.com>
-Signed-off-by: Laszlo Ersek <lersek at redhat.com>
----
-
-Notes:
-    Tested the following cases with gdb, using qemu-system-x86_64, setting a
-    breakpoint on (s->dma_enabled) in fw_cfg_init_io_dma():
-    
-    * no special params (DMA enabled)
-    * -global fw_cfg_io.dma_enabled=off (DMA disabled)
-    * -M pc-i440fx-2.4 (DMA disabled), similarly with 2.3 and Q35 too
-    
-    Also tested the memory mapped case in practice, using
-    qemu-system-aarch64 -M virt, -kernel / -initrd / -append, with guest
-    UEFI:
-    * no special params (DMA enabled)
-    * -global fw_cfg_mem.dma_enabled=off (DMA disabled)
-    
-    Not tested:
-    * actual migration
-    * when board code doesn't request DMA support
-    
-    Testing feedback from people who use migration would be nice.
-
- include/hw/compat.h |  8 ++++++++
- hw/nvram/fw_cfg.c   | 20 ++++++++++++--------
- 2 files changed, 20 insertions(+), 8 deletions(-)
-
-diff --git a/include/hw/compat.h b/include/hw/compat.h
-index 2ebe739fcb5c..a5dbbf8984b1 100644
-index d0b1c4f..b7973db 100644
---- a/include/hw/compat.h
-+++ b/include/hw/compat.h
-@@ -18,6 +18,14 @@
-             .driver   = "virtio-pci",\
-             .property = "migrate-extra",\
-             .value    = "off",\
-+        },{\
-+            .driver   = "fw_cfg_mem",\
-+            .property = "dma_enabled",\
-+            .value    = "off",\
-+        },{\
-+            .driver   = "fw_cfg_io",\
-+            .property = "dma_enabled",\
-+            .value    = "off",\
-         },
- 
- #define HW_COMPAT_2_3 \
-diff --git a/hw/nvram/fw_cfg.c b/hw/nvram/fw_cfg.c
-index 79c5742b3362..f3acb47bd4dc 100644
---- a/hw/nvram/fw_cfg.c
-+++ b/hw/nvram/fw_cfg.c
-@@ -778,17 +778,19 @@ FWCfgState *fw_cfg_init_io_dma(uint32_t iobase, uint32_t dma_iobase,
-     DeviceState *dev;
-     FWCfgState *s;
-     uint32_t version = FW_CFG_VERSION;
--    bool dma_enabled = dma_iobase && dma_as;
-+    bool dma_requested = dma_iobase && dma_as;
- 
-     dev = qdev_create(NULL, TYPE_FW_CFG_IO);
-     qdev_prop_set_uint32(dev, "iobase", iobase);
-     qdev_prop_set_uint32(dev, "dma_iobase", dma_iobase);
--    qdev_prop_set_bit(dev, "dma_enabled", dma_enabled);
-+    if (!dma_requested) {
-+        qdev_prop_set_bit(dev, "dma_enabled", false);
-+    }
- 
-     fw_cfg_init1(dev);
-     s = FW_CFG(dev);
- 
--    if (dma_enabled) {
-+    if (s->dma_enabled) {
-         /* 64 bits for the address field */
-         s->dma_as = dma_as;
-         s->dma_addr = 0;
-@@ -814,11 +816,13 @@ FWCfgState *fw_cfg_init_mem_wide(hwaddr ctl_addr,
-     SysBusDevice *sbd;
-     FWCfgState *s;
-     uint32_t version = FW_CFG_VERSION;
--    bool dma_enabled = dma_addr && dma_as;
-+    bool dma_requested = dma_addr && dma_as;
- 
-     dev = qdev_create(NULL, TYPE_FW_CFG_MEM);
-     qdev_prop_set_uint32(dev, "data_width", data_width);
--    qdev_prop_set_bit(dev, "dma_enabled", dma_enabled);
-+    if (!dma_requested) {
-+        qdev_prop_set_bit(dev, "dma_enabled", false);
-+    }
- 
-     fw_cfg_init1(dev);
- 
-@@ -828,7 +832,7 @@ FWCfgState *fw_cfg_init_mem_wide(hwaddr ctl_addr,
- 
-     s = FW_CFG(dev);
- 
--    if (dma_enabled) {
-+    if (s->dma_enabled) {
-         s->dma_as = dma_as;
-         s->dma_addr = 0;
-         sysbus_mmio_map(sbd, 2, dma_addr);
-@@ -873,7 +877,7 @@ static Property fw_cfg_io_properties[] = {
-     DEFINE_PROP_UINT32("iobase", FWCfgIoState, iobase, -1),
-     DEFINE_PROP_UINT32("dma_iobase", FWCfgIoState, dma_iobase, -1),
-     DEFINE_PROP_BOOL("dma_enabled", FWCfgIoState, parent_obj.dma_enabled,
--                     false),
-+                     true),
-     DEFINE_PROP_END_OF_LIST(),
- };
- 
-@@ -913,7 +917,7 @@ static const TypeInfo fw_cfg_io_info = {
- static Property fw_cfg_mem_properties[] = {
-     DEFINE_PROP_UINT32("data_width", FWCfgMemState, data_width, -1),
-     DEFINE_PROP_BOOL("dma_enabled", FWCfgMemState, parent_obj.dma_enabled,
--                     false),
-+                     true),
-     DEFINE_PROP_END_OF_LIST(),
- };
- 
diff --git a/debian/patches/extra/vmxnet3-host-memory-leakage.patch b/debian/patches/extra/vmxnet3-host-memory-leakage.patch
deleted file mode 100644
index dcc76b9..0000000
--- a/debian/patches/extra/vmxnet3-host-memory-leakage.patch
+++ /dev/null
@@ -1,91 +0,0 @@
-From 3ef66b01874fcc2fe3bfc73d2b61ee3a5b29fdb6 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp at fedoraproject.org>
-Date: Tue, 15 Dec 2015 12:17:28 +0530
-Subject: [PATCH] net: vmxnet3: avoid memory leakage in activate_device
-
-Vmxnet3 device emulator does not check if the device is active
-before activating it, also it did not free the transmit & receive
-buffers while deactivating the device, thus resulting in memory
-leakage on the host. This patch fixes both these issues to avoid
-host memory leakage.
-
-Reported-by: Qinghao Tang <luodalongde at gmail.com>
-Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
-Reviewed-by: Dmitry Fleytman <dmitry at daynix.com>
----
- hw/net/vmxnet3.c | 24 ++++++++++++++++--------
- 1 file changed, 16 insertions(+), 8 deletions(-)
-
-diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
-index 37373e5..2b4aad7 100644
---- a/hw/net/vmxnet3.c
-+++ b/hw/net/vmxnet3.c
-@@ -1194,8 +1194,13 @@ static void vmxnet3_reset_mac(VMXNET3State *s)
- 
- static void vmxnet3_deactivate_device(VMXNET3State *s)
- {
--    VMW_CBPRN("Deactivating vmxnet3...");
--    s->device_active = false;
-+    if (s->device_active) {
-+        VMW_CBPRN("Deactivating vmxnet3...");
-+        vmxnet_tx_pkt_reset(s->tx_pkt);
-+        vmxnet_tx_pkt_uninit(s->tx_pkt);
-+        vmxnet_rx_pkt_uninit(s->rx_pkt);
-+        s->device_active = false;
-+    }
- }
- 
- static void vmxnet3_reset(VMXNET3State *s)
-@@ -1204,7 +1209,6 @@ static void vmxnet3_reset(VMXNET3State *s)
- 
-     vmxnet3_deactivate_device(s);
-     vmxnet3_reset_interrupt_states(s);
--    vmxnet_tx_pkt_reset(s->tx_pkt);
-     s->drv_shmem = 0;
-     s->tx_sop = true;
-     s->skip_current_tx_pkt = false;
-@@ -1431,6 +1435,12 @@ static void vmxnet3_activate_device(VMXNET3State *s)
-         return;
-     }
- 
-+    /* Verify if device is active */
-+    if (s->device_active) {
-+        VMW_CFPRN("Vmxnet3 device is active");
-+        return;
-+    }
-+
-     vmxnet3_adjust_by_guest_type(s);
-     vmxnet3_update_features(s);
-     vmxnet3_update_pm_state(s);
-@@ -1627,7 +1637,7 @@ static void vmxnet3_handle_command(VMXNET3State *s, uint64_t cmd)
-         break;
- 
-     case VMXNET3_CMD_QUIESCE_DEV:
--        VMW_CBPRN("Set: VMXNET3_CMD_QUIESCE_DEV - pause the device");
-+        VMW_CBPRN("Set: VMXNET3_CMD_QUIESCE_DEV - deactivate the device");
-         vmxnet3_deactivate_device(s);
-         break;
- 
-@@ -1741,7 +1751,7 @@ vmxnet3_io_bar1_write(void *opaque,
-          * shared address only after we get the high part
-          */
-         if (val == 0) {
--            s->device_active = false;
-+            vmxnet3_deactivate_device(s);
-         }
-         s->temp_shared_guest_driver_memory = val;
-         s->drv_shmem = 0;
-@@ -2021,9 +2031,7 @@ static bool vmxnet3_peer_has_vnet_hdr(VMXNET3State *s)
- static void vmxnet3_net_uninit(VMXNET3State *s)
- {
-     g_free(s->mcast_list);
--    vmxnet_tx_pkt_reset(s->tx_pkt);
--    vmxnet_tx_pkt_uninit(s->tx_pkt);
--    vmxnet_rx_pkt_uninit(s->rx_pkt);
-+    vmxnet3_deactivate_device(s);
-     qemu_del_nic(s->nic);
- }
- 
--- 
-2.4.3
-
diff --git a/debian/patches/series b/debian/patches/series
index e8f1710..3ff759d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -42,23 +42,9 @@ pve/0041-PVE-VNC-authentication.patch
 pve/0042-vma-writer-don-t-bail-out-on-zero-length-files.patch
 pve/0043-vma-better-driver-guessing-for-bdrv_open.patch
 pve/0044-block-add-zeroinit.patch
-extra/CVE-2015-8558-ehci_make_idt_processing_more_robust.patch
-extra/CVE-2015-8613-scsi-initialize-info-object.patch
-extra/CVE-2015-8701-net-rocker-off-by-one.patch
-extra/CVE-2015-8743-ne2000-ioport-bounds-check.patch
-extra/vmxnet3-host-memory-leakage.patch
-extra/CVE-2015-8619-hmp-sendkey-oob-fix.patch
 extra/0001-vnc-clear-vs-tlscreds-after-unparenting-it.patch
-extra/CVE-2016-1922-i386-avoid-null-pointer-dereference.patch
-extra/CVE-2016-1981-e1000-eliminate-infinite-loop.patch
-extra/CVE-2016-2197-ahci-null-pointer.patch
 extra/CVE-2016-2198-ehci-null-pointer.patch
 extra/CVE-2016-2391-usb-ohci-avoid-multiple-eof-timers.patch
-extra/CVE-2016-2392-check-USB-configuration-descriptor-object.patch
-extra/fw_cfg-unbreak-migration-compatibility-for-2.4.patch
-extra/CVE-2016-2538-usb-check-RNDIS-message-length.patch
-extra/CVE-2016-2841-net-ne2000-check-ring-buffer-control-registers.patch
-extra/CVE-2016-2857-net-check-packet-payload-length.patch
 extra/0001-rng-remove-the-unused-request-cancellation-code.patch
 extra/0002-rng-move-request-queue-from-RngEgd-to-RngBackend.patch
 extra/0003-rng-move-request-queue-cleanup-from-RngEgd-to-RngBac.patch
-- 
2.1.4




More information about the pve-devel mailing list