[pve-devel] [PATCH kvm v3 2/2] remove patches which got into upstream
Thomas Lamprecht
t.lamprecht at proxmox.com
Fri Jul 1 17:26:02 CEST 2016
They were removed from patches/series in the previous commit.
Signed-off-by: Thomas Lamprecht <t.lamprecht at proxmox.com>
---
...move-the-unused-request-cancellation-code.patch | 98 -----------
...-do-not-read-write-MSR_TSC_AUX-from-KVM-i.patch | 38 -----
...nc-clear-vs-tlscreds-after-unparenting-it.patch | 38 -----
...e-request-queue-from-RngEgd-to-RngBackend.patch | 135 ----------------
...quest-queue-cleanup-from-RngEgd-to-RngBac.patch | 163 -------------------
...ask-for-more-data-if-queue-is-not-fully-d.patch | 47 ------
.../extra/CVE-2016-2198-ehci-null-pointer.patch | 44 -----
...6-2391-usb-ohci-avoid-multiple-eof-timers.patch | 40 -----
...g-add-request-queue-support-to-rng-random.patch | 179 ---------------------
9 files changed, 782 deletions(-)
delete mode 100644 debian/patches/extra/0001-rng-remove-the-unused-request-cancellation-code.patch
delete mode 100644 debian/patches/extra/0001-target-i386-do-not-read-write-MSR_TSC_AUX-from-KVM-i.patch
delete mode 100644 debian/patches/extra/0001-vnc-clear-vs-tlscreds-after-unparenting-it.patch
delete mode 100644 debian/patches/extra/0002-rng-move-request-queue-from-RngEgd-to-RngBackend.patch
delete mode 100644 debian/patches/extra/0003-rng-move-request-queue-cleanup-from-RngEgd-to-RngBac.patch
delete mode 100644 debian/patches/extra/0005-virtio-rng-ask-for-more-data-if-queue-is-not-fully-d.patch
delete mode 100644 debian/patches/extra/CVE-2016-2198-ehci-null-pointer.patch
delete mode 100644 debian/patches/extra/CVE-2016-2391-usb-ohci-avoid-multiple-eof-timers.patch
delete mode 100644 debian/patches/extra/CVE-2016-2858-0004-rng-add-request-queue-support-to-rng-random.patch
diff --git a/debian/patches/extra/0001-rng-remove-the-unused-request-cancellation-code.patch b/debian/patches/extra/0001-rng-remove-the-unused-request-cancellation-code.patch
deleted file mode 100644
index 5db5a8e..0000000
--- a/debian/patches/extra/0001-rng-remove-the-unused-request-cancellation-code.patch
+++ /dev/null
@@ -1,98 +0,0 @@
-From d615099455e3a6cc71c17182cabd851d4340354d Mon Sep 17 00:00:00 2001
-From: Ladi Prosek <lprosek at redhat.com>
-Date: Thu, 3 Mar 2016 09:37:15 +0100
-Subject: [PATCH 1/5] rng: remove the unused request cancellation code
-
-rng_backend_cancel_requests had no callers and none of the code
-deleted in this commit ever ran.
-
-Signed-off-by: Ladi Prosek <lprosek at redhat.com>
-Reviewed-by: Amit Shah <amit.shah at redhat.com>
-Message-Id: <1456994238-9585-2-git-send-email-lprosek at redhat.com>
-Signed-off-by: Amit Shah <amit.shah at redhat.com>
----
- backends/rng-egd.c | 12 ------------
- backends/rng.c | 9 ---------
- include/sysemu/rng.h | 11 -----------
- 3 files changed, 32 deletions(-)
-
-diff --git a/backends/rng-egd.c b/backends/rng-egd.c
-index 6c13409..3c6362e 100644
---- a/backends/rng-egd.c
-+++ b/backends/rng-egd.c
-@@ -124,17 +124,6 @@ static void rng_egd_free_requests(RngEgd *s)
- s->requests = NULL;
- }
-
--static void rng_egd_cancel_requests(RngBackend *b)
--{
-- RngEgd *s = RNG_EGD(b);
--
-- /* We simply delete the list of pending requests. If there is data in the
-- * queue waiting to be read, this is okay, because there will always be
-- * more data than we requested originally
-- */
-- rng_egd_free_requests(s);
--}
--
- static void rng_egd_opened(RngBackend *b, Error **errp)
- {
- RngEgd *s = RNG_EGD(b);
-@@ -212,7 +201,6 @@ static void rng_egd_class_init(ObjectClass *klass, void *data)
- RngBackendClass *rbc = RNG_BACKEND_CLASS(klass);
-
- rbc->request_entropy = rng_egd_request_entropy;
-- rbc->cancel_requests = rng_egd_cancel_requests;
- rbc->opened = rng_egd_opened;
- }
-
-diff --git a/backends/rng.c b/backends/rng.c
-index 5065fdc..5d1876c 100644
---- a/backends/rng.c
-+++ b/backends/rng.c
-@@ -25,15 +25,6 @@ void rng_backend_request_entropy(RngBackend *s, size_t size,
- }
- }
-
--void rng_backend_cancel_requests(RngBackend *s)
--{
-- RngBackendClass *k = RNG_BACKEND_GET_CLASS(s);
--
-- if (k->cancel_requests) {
-- k->cancel_requests(s);
-- }
--}
--
- static bool rng_backend_prop_get_opened(Object *obj, Error **errp)
- {
- RngBackend *s = RNG_BACKEND(obj);
-diff --git a/include/sysemu/rng.h b/include/sysemu/rng.h
-index 0a27c9b..c7da17d 100644
---- a/include/sysemu/rng.h
-+++ b/include/sysemu/rng.h
-@@ -38,7 +38,6 @@ struct RngBackendClass
-
- void (*request_entropy)(RngBackend *s, size_t size,
- EntropyReceiveFunc *receive_entropy, void *opaque);
-- void (*cancel_requests)(RngBackend *s);
-
- void (*opened)(RngBackend *s, Error **errp);
- };
-@@ -69,14 +68,4 @@ struct RngBackend
- void rng_backend_request_entropy(RngBackend *s, size_t size,
- EntropyReceiveFunc *receive_entropy,
- void *opaque);
--
--/**
-- * rng_backend_cancel_requests:
-- * @s: the backend to cancel all pending requests in
-- *
-- * Cancels all pending requests submitted by @rng_backend_request_entropy. This
-- * should be used by a device during reset or in preparation for live migration
-- * to stop tracking any request.
-- */
--void rng_backend_cancel_requests(RngBackend *s);
- #endif
---
-2.1.4
-
diff --git a/debian/patches/extra/0001-target-i386-do-not-read-write-MSR_TSC_AUX-from-KVM-i.patch b/debian/patches/extra/0001-target-i386-do-not-read-write-MSR_TSC_AUX-from-KVM-i.patch
deleted file mode 100644
index 4077fa3..0000000
--- a/debian/patches/extra/0001-target-i386-do-not-read-write-MSR_TSC_AUX-from-KVM-i.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 73a3187cc97cdc8c11f4781910307e5dde5e8dbc Mon Sep 17 00:00:00 2001
-From: Paolo Bonzini <pbonzini at redhat.com>
-Date: Wed, 30 Mar 2016 22:59:42 +0200
-Subject: [PATCH] target-i386: do not read/write MSR_TSC_AUX from KVM if CPUID
- bit is not set
-
-KVM does not let you read or write this MSR if the corresponding CPUID
-bit is not set. This in turn causes MSRs that come after MSR_TSC_AUX
-to be ignored by KVM_SET_MRSS.
-
-One visible symptom is that s3.flat from kvm-unit-tests fails with
-CPUs that do not have RDTSCP, because the SMBASE is not reset to
-0x30000 after reset.
-
-Fixes: c9b8f6b6210847b4381c5b2ee172b1c7eb9985d6
-Cc: qemu-stable at nongnu.org
-Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
----
- target-i386/kvm.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/target-i386/kvm.c b/target-i386/kvm.c
-index 36fa3f0..7370e9e 100644
---- a/target-i386/kvm.c
-+++ b/target-i386/kvm.c
-@@ -846,6 +846,9 @@ int kvm_arch_init_vcpu(CPUState *cs)
- if (env->features[FEAT_1_EDX] & CPUID_MTRR) {
- has_msr_mtrr = true;
- }
-+ if (!(env->features[FEAT_8000_0001_EDX] & CPUID_EXT2_RDTSCP)) {
-+ has_msr_tsc_aux = false;
-+ }
-
- return 0;
- }
---
-2.1.4
-
diff --git a/debian/patches/extra/0001-vnc-clear-vs-tlscreds-after-unparenting-it.patch b/debian/patches/extra/0001-vnc-clear-vs-tlscreds-after-unparenting-it.patch
deleted file mode 100644
index 2bc8070..0000000
--- a/debian/patches/extra/0001-vnc-clear-vs-tlscreds-after-unparenting-it.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From ec10377932f10e47ce103f16ad469d182ab64321 Mon Sep 17 00:00:00 2001
-From: Wolfgang Bumiller <w.bumiller at proxmox.com>
-Date: Tue, 12 Jan 2016 11:03:04 +0100
-Subject: [PATCH] vnc: clear vs->tlscreds after unparenting it
-
-This pointer should be cleared in vnc_display_close()
-otherwise a use-after-free can happen when when using the
-old style 'x509' and 'tls' options rather than a persistent
-tls-creds -object, by issuing monitor commands to change
-the vnc server like so:
-
-Start with: -vnc unix:test.socket,x509,tls
-Then use the following monitor command:
- change vnc unix:test.socket
-
-After this the pointer is still set but invalid and a crash
-can be triggered for instance by issuing the same command a
-second time which will try to object_unparent() the same
-pointer again.
----
- ui/vnc.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/ui/vnc.c b/ui/vnc.c
-index 09756cd..35843b5 100644
---- a/ui/vnc.c
-+++ b/ui/vnc.c
-@@ -3134,6 +3134,7 @@ static void vnc_display_close(VncDisplay *vs)
- vs->subauth = VNC_AUTH_INVALID;
- if (vs->tlscreds) {
- object_unparent(OBJECT(vs->tlscreds));
-+ vs->tlscreds = NULL;
- }
- g_free(vs->tlsaclname);
- vs->tlsaclname = NULL;
---
-2.1.4
-
diff --git a/debian/patches/extra/0002-rng-move-request-queue-from-RngEgd-to-RngBackend.patch b/debian/patches/extra/0002-rng-move-request-queue-from-RngEgd-to-RngBackend.patch
deleted file mode 100644
index a9d6e4b..0000000
--- a/debian/patches/extra/0002-rng-move-request-queue-from-RngEgd-to-RngBackend.patch
+++ /dev/null
@@ -1,135 +0,0 @@
-From 8cd5c28840888a32dab08ef1387864723c092a1d Mon Sep 17 00:00:00 2001
-From: Ladi Prosek <lprosek at redhat.com>
-Date: Thu, 3 Mar 2016 09:37:16 +0100
-Subject: [PATCH 2/5] rng: move request queue from RngEgd to RngBackend
-
-The 'requests' field now lives in the RngBackend parent class.
-There are no functional changes in this commit.
-
-Signed-off-by: Ladi Prosek <lprosek at redhat.com>
-Reviewed-by: Amit Shah <amit.shah at redhat.com>
-Message-Id: <1456994238-9585-3-git-send-email-lprosek at redhat.com>
-Signed-off-by: Amit Shah <amit.shah at redhat.com>
----
- backends/rng-egd.c | 28 +++++++++-------------------
- include/sysemu/rng.h | 11 +++++++++++
- 2 files changed, 20 insertions(+), 19 deletions(-)
-
-diff --git a/backends/rng-egd.c b/backends/rng-egd.c
-index 3c6362e..19eee70 100644
---- a/backends/rng-egd.c
-+++ b/backends/rng-egd.c
-@@ -24,19 +24,8 @@ typedef struct RngEgd
-
- CharDriverState *chr;
- char *chr_name;
--
-- GSList *requests;
- } RngEgd;
-
--typedef struct RngRequest
--{
-- EntropyReceiveFunc *receive_entropy;
-- uint8_t *data;
-- void *opaque;
-- size_t offset;
-- size_t size;
--} RngRequest;
--
- static void rng_egd_request_entropy(RngBackend *b, size_t size,
- EntropyReceiveFunc *receive_entropy,
- void *opaque)
-@@ -65,7 +54,7 @@ static void rng_egd_request_entropy(RngBackend *b, size_t size,
- size -= len;
- }
-
-- s->requests = g_slist_append(s->requests, req);
-+ s->parent.requests = g_slist_append(s->parent.requests, req);
- }
-
- static void rng_egd_free_request(RngRequest *req)
-@@ -80,7 +69,7 @@ static int rng_egd_chr_can_read(void *opaque)
- GSList *i;
- int size = 0;
-
-- for (i = s->requests; i; i = i->next) {
-+ for (i = s->parent.requests; i; i = i->next) {
- RngRequest *req = i->data;
- size += req->size - req->offset;
- }
-@@ -93,8 +82,8 @@ static void rng_egd_chr_read(void *opaque, const uint8_t *buf, int size)
- RngEgd *s = RNG_EGD(opaque);
- size_t buf_offset = 0;
-
-- while (size > 0 && s->requests) {
-- RngRequest *req = s->requests->data;
-+ while (size > 0 && s->parent.requests) {
-+ RngRequest *req = s->parent.requests->data;
- int len = MIN(size, req->size - req->offset);
-
- memcpy(req->data + req->offset, buf + buf_offset, len);
-@@ -103,7 +92,8 @@ static void rng_egd_chr_read(void *opaque, const uint8_t *buf, int size)
- size -= len;
-
- if (req->offset == req->size) {
-- s->requests = g_slist_remove_link(s->requests, s->requests);
-+ s->parent.requests = g_slist_remove_link(s->parent.requests,
-+ s->parent.requests);
-
- req->receive_entropy(req->opaque, req->data, req->size);
-
-@@ -116,12 +106,12 @@ static void rng_egd_free_requests(RngEgd *s)
- {
- GSList *i;
-
-- for (i = s->requests; i; i = i->next) {
-+ for (i = s->parent.requests; i; i = i->next) {
- rng_egd_free_request(i->data);
- }
-
-- g_slist_free(s->requests);
-- s->requests = NULL;
-+ g_slist_free(s->parent.requests);
-+ s->parent.requests = NULL;
- }
-
- static void rng_egd_opened(RngBackend *b, Error **errp)
-diff --git a/include/sysemu/rng.h b/include/sysemu/rng.h
-index c7da17d..084164c 100644
---- a/include/sysemu/rng.h
-+++ b/include/sysemu/rng.h
-@@ -25,6 +25,7 @@
- #define RNG_BACKEND_CLASS(klass) \
- OBJECT_CLASS_CHECK(RngBackendClass, (klass), TYPE_RNG_BACKEND)
-
-+typedef struct RngRequest RngRequest;
- typedef struct RngBackendClass RngBackendClass;
- typedef struct RngBackend RngBackend;
-
-@@ -32,6 +33,15 @@ typedef void (EntropyReceiveFunc)(void *opaque,
- const void *data,
- size_t size);
-
-+struct RngRequest
-+{
-+ EntropyReceiveFunc *receive_entropy;
-+ uint8_t *data;
-+ void *opaque;
-+ size_t offset;
-+ size_t size;
-+};
-+
- struct RngBackendClass
- {
- ObjectClass parent_class;
-@@ -48,6 +58,7 @@ struct RngBackend
-
- /*< protected >*/
- bool opened;
-+ GSList *requests;
- };
-
- /**
---
-2.1.4
-
diff --git a/debian/patches/extra/0003-rng-move-request-queue-cleanup-from-RngEgd-to-RngBac.patch b/debian/patches/extra/0003-rng-move-request-queue-cleanup-from-RngEgd-to-RngBac.patch
deleted file mode 100644
index d14453a..0000000
--- a/debian/patches/extra/0003-rng-move-request-queue-cleanup-from-RngEgd-to-RngBac.patch
+++ /dev/null
@@ -1,163 +0,0 @@
-From 33809b9b455fa58d9c011bec6aac462204169560 Mon Sep 17 00:00:00 2001
-From: Ladi Prosek <lprosek at redhat.com>
-Date: Thu, 3 Mar 2016 09:37:17 +0100
-Subject: [PATCH 3/5] rng: move request queue cleanup from RngEgd to RngBackend
-
-RngBackend is now in charge of cleaning up the linked list on
-instance finalization. It also exposes a function to finalize
-individual RngRequest instances, called by its child classes.
-
-Signed-off-by: Ladi Prosek <lprosek at redhat.com>
-Reviewed-by: Amit Shah <amit.shah at redhat.com>
-Message-Id: <1456994238-9585-4-git-send-email-lprosek at redhat.com>
-Signed-off-by: Amit Shah <amit.shah at redhat.com>
----
- backends/rng-egd.c | 25 +------------------------
- backends/rng.c | 32 ++++++++++++++++++++++++++++++++
- include/sysemu/rng.h | 12 ++++++++++++
- 3 files changed, 45 insertions(+), 24 deletions(-)
-
-diff --git a/backends/rng-egd.c b/backends/rng-egd.c
-index 19eee70..08301a7 100644
---- a/backends/rng-egd.c
-+++ b/backends/rng-egd.c
-@@ -57,12 +57,6 @@ static void rng_egd_request_entropy(RngBackend *b, size_t size,
- s->parent.requests = g_slist_append(s->parent.requests, req);
- }
-
--static void rng_egd_free_request(RngRequest *req)
--{
-- g_free(req->data);
-- g_free(req);
--}
--
- static int rng_egd_chr_can_read(void *opaque)
- {
- RngEgd *s = RNG_EGD(opaque);
-@@ -92,28 +86,13 @@ static void rng_egd_chr_read(void *opaque, const uint8_t *buf, int size)
- size -= len;
-
- if (req->offset == req->size) {
-- s->parent.requests = g_slist_remove_link(s->parent.requests,
-- s->parent.requests);
--
- req->receive_entropy(req->opaque, req->data, req->size);
-
-- rng_egd_free_request(req);
-+ rng_backend_finalize_request(&s->parent, req);
- }
- }
- }
-
--static void rng_egd_free_requests(RngEgd *s)
--{
-- GSList *i;
--
-- for (i = s->parent.requests; i; i = i->next) {
-- rng_egd_free_request(i->data);
-- }
--
-- g_slist_free(s->parent.requests);
-- s->parent.requests = NULL;
--}
--
- static void rng_egd_opened(RngBackend *b, Error **errp)
- {
- RngEgd *s = RNG_EGD(b);
-@@ -182,8 +161,6 @@ static void rng_egd_finalize(Object *obj)
- }
-
- g_free(s->chr_name);
--
-- rng_egd_free_requests(s);
- }
-
- static void rng_egd_class_init(ObjectClass *klass, void *data)
-diff --git a/backends/rng.c b/backends/rng.c
-index 5d1876c..0d9978b 100644
---- a/backends/rng.c
-+++ b/backends/rng.c
-@@ -63,6 +63,30 @@ static void rng_backend_prop_set_opened(Object *obj, bool value, Error **errp)
- s->opened = true;
- }
-
-+static void rng_backend_free_request(RngRequest *req)
-+{
-+ g_free(req->data);
-+ g_free(req);
-+}
-+
-+static void rng_backend_free_requests(RngBackend *s)
-+{
-+ GSList *i;
-+
-+ for (i = s->requests; i; i = i->next) {
-+ rng_backend_free_request(i->data);
-+ }
-+
-+ g_slist_free(s->requests);
-+ s->requests = NULL;
-+}
-+
-+void rng_backend_finalize_request(RngBackend *s, RngRequest *req)
-+{
-+ s->requests = g_slist_remove(s->requests, req);
-+ rng_backend_free_request(req);
-+}
-+
- static void rng_backend_init(Object *obj)
- {
- object_property_add_bool(obj, "opened",
-@@ -71,6 +95,13 @@ static void rng_backend_init(Object *obj)
- NULL);
- }
-
-+static void rng_backend_finalize(Object *obj)
-+{
-+ RngBackend *s = RNG_BACKEND(obj);
-+
-+ rng_backend_free_requests(s);
-+}
-+
- static void rng_backend_class_init(ObjectClass *oc, void *data)
- {
- UserCreatableClass *ucc = USER_CREATABLE_CLASS(oc);
-@@ -83,6 +114,7 @@ static const TypeInfo rng_backend_info = {
- .parent = TYPE_OBJECT,
- .instance_size = sizeof(RngBackend),
- .instance_init = rng_backend_init,
-+ .instance_finalize = rng_backend_finalize,
- .class_size = sizeof(RngBackendClass),
- .class_init = rng_backend_class_init,
- .abstract = true,
-diff --git a/include/sysemu/rng.h b/include/sysemu/rng.h
-index 084164c..c2c9035 100644
---- a/include/sysemu/rng.h
-+++ b/include/sysemu/rng.h
-@@ -61,6 +61,7 @@ struct RngBackend
- GSList *requests;
- };
-
-+
- /**
- * rng_backend_request_entropy:
- * @s: the backend to request entropy from
-@@ -79,4 +80,15 @@ struct RngBackend
- void rng_backend_request_entropy(RngBackend *s, size_t size,
- EntropyReceiveFunc *receive_entropy,
- void *opaque);
-+
-+/**
-+ * rng_backend_free_request:
-+ * @s: the backend that created the request
-+ * @req: the request to finalize
-+ *
-+ * Used by child rng backend classes to finalize requests once they've been
-+ * processed. The request is removed from the list of active requests and
-+ * deleted.
-+ */
-+void rng_backend_finalize_request(RngBackend *s, RngRequest *req);
- #endif
---
-2.1.4
-
diff --git a/debian/patches/extra/0005-virtio-rng-ask-for-more-data-if-queue-is-not-fully-d.patch b/debian/patches/extra/0005-virtio-rng-ask-for-more-data-if-queue-is-not-fully-d.patch
deleted file mode 100644
index 3f48a29..0000000
--- a/debian/patches/extra/0005-virtio-rng-ask-for-more-data-if-queue-is-not-fully-d.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From b5f29c3cdd14243de19d974320f49fb3bdd37a6d Mon Sep 17 00:00:00 2001
-From: Ladi Prosek <lprosek at redhat.com>
-Date: Thu, 3 Mar 2016 10:48:34 +0100
-Subject: [PATCH 5/5] virtio-rng: ask for more data if queue is not fully
- drained
-
-This commit effectively reverts:
-
- commit 4621c1768ef5d12171cca2aa1473595ecb9f1c9e
- Author: Amit Shah <amit.shah at redhat.com>
- Date: Wed Nov 21 11:21:19 2012 +0530
-
- virtio-rng: remove extra request for entropy
-
-but instead of calling virtio_rng_process unconditionally, it
-first checks to see if the queue is empty as a little bit of
-optimization.
-
-Signed-off-by: Ladi Prosek <lprosek at redhat.com>
-Reviewed-by: Amit Shah <amit.shah at redhat.com>
-Message-Id: <1456998514-19271-1-git-send-email-lprosek at redhat.com>
-Signed-off-by: Amit Shah <amit.shah at redhat.com>
----
- hw/virtio/virtio-rng.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/hw/virtio/virtio-rng.c b/hw/virtio/virtio-rng.c
-index 97d1541..3124461 100644
---- a/hw/virtio/virtio-rng.c
-+++ b/hw/virtio/virtio-rng.c
-@@ -66,6 +66,13 @@ static void chr_read(void *opaque, const void *buf, size_t size)
- trace_virtio_rng_pushed(vrng, len);
- }
- virtio_notify(vdev, vrng->vq);
-+
-+ if (!virtio_queue_empty(vrng->vq)) {
-+ /* If we didn't drain the queue, call virtio_rng_process
-+ * to take care of asking for more data as appropriate.
-+ */
-+ virtio_rng_process(vrng);
-+ }
- }
-
- static void virtio_rng_process(VirtIORNG *vrng)
---
-2.1.4
-
diff --git a/debian/patches/extra/CVE-2016-2198-ehci-null-pointer.patch b/debian/patches/extra/CVE-2016-2198-ehci-null-pointer.patch
deleted file mode 100644
index 640fa2b..0000000
--- a/debian/patches/extra/CVE-2016-2198-ehci-null-pointer.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From f1a42b805bb9290e7c03358ce803c311f5aa8a69 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp at fedoraproject.org>
-Date: Fri, 29 Jan 2016 18:30:34 +0530
-Subject: [PATCH 1/2] usb: ehci: add capability mmio write function
-
-USB Ehci emulation supports host controller capability registers.
-But its mmio '.write' function was missing, which lead to a null
-pointer dereference issue. Add a do nothing 'ehci_caps_write'
-definition to avoid it; Do nothing because capability registers
-are Read Only(RO).
-
-Reported-by: Zuozhi Fzz <zuozhi.fzz at alibaba-inc.com>
-Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
----
- hw/usb/hcd-ehci.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
-index 4e2161b..5f726a9 100644
---- a/hw/usb/hcd-ehci.c
-+++ b/hw/usb/hcd-ehci.c
-@@ -893,6 +893,11 @@ static uint64_t ehci_caps_read(void *ptr, hwaddr addr,
- return s->caps[addr];
- }
-
-+static void ehci_caps_write(void *ptr, hwaddr addr,
-+ uint64_t val, unsigned size)
-+{
-+}
-+
- static uint64_t ehci_opreg_read(void *ptr, hwaddr addr,
- unsigned size)
- {
-@@ -2310,6 +2315,7 @@ static void ehci_frame_timer(void *opaque)
-
- static const MemoryRegionOps ehci_mmio_caps_ops = {
- .read = ehci_caps_read,
-+ .write = ehci_caps_write,
- .valid.min_access_size = 1,
- .valid.max_access_size = 4,
- .impl.min_access_size = 1,
---
-2.1.4
-
diff --git a/debian/patches/extra/CVE-2016-2391-usb-ohci-avoid-multiple-eof-timers.patch b/debian/patches/extra/CVE-2016-2391-usb-ohci-avoid-multiple-eof-timers.patch
deleted file mode 100644
index 923c5a5..0000000
--- a/debian/patches/extra/CVE-2016-2391-usb-ohci-avoid-multiple-eof-timers.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From f2575bbcfe89deabe1f8eab306854d35d7418537 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp at fedoraproject.org>
-Date: Tue, 16 Feb 2016 15:34:14 +0530
-Subject: [PATCH] usb: ohci avoid multiple eof timers
-
-When transitioning an OHCI controller to the OHCI_USB_OPERATIONAL
-state, it creates an eof timer object in 'ohci_bus_start'.
-It does not check if one already exists. This results in memory
-leakage and null dereference issue. Add a check to avoid it.
-
-Reported-by: Zuozhi Fzz <zuozhi.fzz at alibaba-inc.com>
-Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
----
- hw/usb/hcd-ohci.c | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c
-index 7d65818..15f0b44 100644
---- a/hw/usb/hcd-ohci.c
-+++ b/hw/usb/hcd-ohci.c
-@@ -1331,11 +1331,11 @@ static void ohci_frame_boundary(void *opaque)
- */
- static int ohci_bus_start(OHCIState *ohci)
- {
-- ohci->eof_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL,
-- ohci_frame_boundary,
-- ohci);
--
-- if (ohci->eof_timer == NULL) {
-+ if (!ohci->eof_timer) {
-+ ohci->eof_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL,
-+ ohci_frame_boundary, ohci);
-+ }
-+ if (!ohci->eof_timer) {
- trace_usb_ohci_bus_eof_timer_failed(ohci->name);
- ohci_die(ohci);
- return 0;
---
-2.1.4
-
diff --git a/debian/patches/extra/CVE-2016-2858-0004-rng-add-request-queue-support-to-rng-random.patch b/debian/patches/extra/CVE-2016-2858-0004-rng-add-request-queue-support-to-rng-random.patch
deleted file mode 100644
index 305b8c8..0000000
--- a/debian/patches/extra/CVE-2016-2858-0004-rng-add-request-queue-support-to-rng-random.patch
+++ /dev/null
@@ -1,179 +0,0 @@
-From c33f9c1b4eb6142f6d49a72465395f111b6c968b Mon Sep 17 00:00:00 2001
-From: Ladi Prosek <lprosek at redhat.com>
-Date: Thu, 3 Mar 2016 09:37:18 +0100
-Subject: [PATCH 4/5] rng: add request queue support to rng-random
-
-Requests are now created in the RngBackend parent class and the
-code path is shared by both rng-egd and rng-random.
-
-This commit fixes the rng-random implementation which processed
-only one request at a time and simply discarded all but the most
-recent one. In the guest this manifested as delayed completion
-of reads from virtio-rng, i.e. a read was completed only after
-another read was issued.
-
-By switching rng-random to use the same request queue as rng-egd,
-the unsafe stack-based allocation of the entropy buffer is
-eliminated and replaced with g_malloc.
-
-Signed-off-by: Ladi Prosek <lprosek at redhat.com>
-Reviewed-by: Amit Shah <amit.shah at redhat.com>
-Message-Id: <1456994238-9585-5-git-send-email-lprosek at redhat.com>
-Signed-off-by: Amit Shah <amit.shah at redhat.com>
----
- backends/rng-egd.c | 16 ++--------------
- backends/rng-random.c | 43 +++++++++++++++++++------------------------
- backends/rng.c | 13 ++++++++++++-
- include/sysemu/rng.h | 3 +--
- 4 files changed, 34 insertions(+), 41 deletions(-)
-
-diff --git a/backends/rng-egd.c b/backends/rng-egd.c
-index 08301a7..de6c8d4 100644
---- a/backends/rng-egd.c
-+++ b/backends/rng-egd.c
-@@ -26,20 +26,10 @@ typedef struct RngEgd
- char *chr_name;
- } RngEgd;
-
--static void rng_egd_request_entropy(RngBackend *b, size_t size,
-- EntropyReceiveFunc *receive_entropy,
-- void *opaque)
-+static void rng_egd_request_entropy(RngBackend *b, RngRequest *req)
- {
- RngEgd *s = RNG_EGD(b);
-- RngRequest *req;
--
-- req = g_malloc(sizeof(*req));
--
-- req->offset = 0;
-- req->size = size;
-- req->receive_entropy = receive_entropy;
-- req->opaque = opaque;
-- req->data = g_malloc(req->size);
-+ size_t size = req->size;
-
- while (size > 0) {
- uint8_t header[2];
-@@ -53,8 +43,6 @@ static void rng_egd_request_entropy(RngBackend *b, size_t size,
-
- size -= len;
- }
--
-- s->parent.requests = g_slist_append(s->parent.requests, req);
- }
-
- static int rng_egd_chr_can_read(void *opaque)
-diff --git a/backends/rng-random.c b/backends/rng-random.c
-index 4e51f46..c2d8c03 100644
---- a/backends/rng-random.c
-+++ b/backends/rng-random.c
-@@ -21,10 +21,6 @@ struct RndRandom
-
- int fd;
- char *filename;
--
-- EntropyReceiveFunc *receive_func;
-- void *opaque;
-- size_t size;
- };
-
- /**
-@@ -37,36 +33,35 @@ struct RndRandom
- static void entropy_available(void *opaque)
- {
- RndRandom *s = RNG_RANDOM(opaque);
-- uint8_t buffer[s->size];
-- ssize_t len;
-
-- len = read(s->fd, buffer, s->size);
-- if (len < 0 && errno == EAGAIN) {
-- return;
-- }
-- g_assert(len != -1);
-+ while (s->parent.requests != NULL) {
-+ RngRequest *req = s->parent.requests->data;
-+ ssize_t len;
-+
-+ len = read(s->fd, req->data, req->size);
-+ if (len < 0 && errno == EAGAIN) {
-+ return;
-+ }
-+ g_assert(len != -1);
-
-- s->receive_func(s->opaque, buffer, len);
-- s->receive_func = NULL;
-+ req->receive_entropy(req->opaque, req->data, len);
-
-+ rng_backend_finalize_request(&s->parent, req);
-+ }
-+
-+ /* We've drained all requests, the fd handler can be reset. */
- qemu_set_fd_handler(s->fd, NULL, NULL, NULL);
- }
-
--static void rng_random_request_entropy(RngBackend *b, size_t size,
-- EntropyReceiveFunc *receive_entropy,
-- void *opaque)
-+static void rng_random_request_entropy(RngBackend *b, RngRequest *req)
- {
- RndRandom *s = RNG_RANDOM(b);
-
-- if (s->receive_func) {
-- s->receive_func(s->opaque, NULL, 0);
-+ if (s->parent.requests == NULL) {
-+ /* If there are no pending requests yet, we need to
-+ * install our fd handler. */
-+ qemu_set_fd_handler(s->fd, entropy_available, NULL, s);
- }
--
-- s->receive_func = receive_entropy;
-- s->opaque = opaque;
-- s->size = size;
--
-- qemu_set_fd_handler(s->fd, entropy_available, NULL, s);
- }
-
- static void rng_random_opened(RngBackend *b, Error **errp)
-diff --git a/backends/rng.c b/backends/rng.c
-index 0d9978b..4066268 100644
---- a/backends/rng.c
-+++ b/backends/rng.c
-@@ -19,9 +19,20 @@ void rng_backend_request_entropy(RngBackend *s, size_t size,
- void *opaque)
- {
- RngBackendClass *k = RNG_BACKEND_GET_CLASS(s);
-+ RngRequest *req;
-
- if (k->request_entropy) {
-- k->request_entropy(s, size, receive_entropy, opaque);
-+ req = g_malloc(sizeof(*req));
-+
-+ req->offset = 0;
-+ req->size = size;
-+ req->receive_entropy = receive_entropy;
-+ req->opaque = opaque;
-+ req->data = g_malloc(req->size);
-+
-+ k->request_entropy(s, req);
-+
-+ s->requests = g_slist_append(s->requests, req);
- }
- }
-
-diff --git a/include/sysemu/rng.h b/include/sysemu/rng.h
-index c2c9035..a7ed580 100644
---- a/include/sysemu/rng.h
-+++ b/include/sysemu/rng.h
-@@ -46,8 +46,7 @@ struct RngBackendClass
- {
- ObjectClass parent_class;
-
-- void (*request_entropy)(RngBackend *s, size_t size,
-- EntropyReceiveFunc *receive_entropy, void *opaque);
-+ void (*request_entropy)(RngBackend *s, RngRequest *req);
-
- void (*opened)(RngBackend *s, Error **errp);
- };
---
-2.1.4
-
--
2.1.4