[pve-devel] [PATCH kvm v3 2/2] remove patches which got into upstream

Thomas Lamprecht t.lamprecht at proxmox.com
Fri Jul 1 17:26:02 CEST 2016


They were remove from patches/series in the previous commit.

Signed-off-by: Thomas Lamprecht <t.lamprecht at proxmox.com>
---
 ...move-the-unused-request-cancellation-code.patch |  98 -----------
 ...-do-not-read-write-MSR_TSC_AUX-from-KVM-i.patch |  38 -----
 ...nc-clear-vs-tlscreds-after-unparenting-it.patch |  38 -----
 ...e-request-queue-from-RngEgd-to-RngBackend.patch | 135 ----------------
 ...quest-queue-cleanup-from-RngEgd-to-RngBac.patch | 163 -------------------
 ...ask-for-more-data-if-queue-is-not-fully-d.patch |  47 ------
 .../extra/CVE-2016-2198-ehci-null-pointer.patch    |  44 -----
 ...6-2391-usb-ohci-avoid-multiple-eof-timers.patch |  40 -----
 ...g-add-request-queue-support-to-rng-random.patch | 179 ---------------------
 9 files changed, 782 deletions(-)
 delete mode 100644 debian/patches/extra/0001-rng-remove-the-unused-request-cancellation-code.patch
 delete mode 100644 debian/patches/extra/0001-target-i386-do-not-read-write-MSR_TSC_AUX-from-KVM-i.patch
 delete mode 100644 debian/patches/extra/0001-vnc-clear-vs-tlscreds-after-unparenting-it.patch
 delete mode 100644 debian/patches/extra/0002-rng-move-request-queue-from-RngEgd-to-RngBackend.patch
 delete mode 100644 debian/patches/extra/0003-rng-move-request-queue-cleanup-from-RngEgd-to-RngBac.patch
 delete mode 100644 debian/patches/extra/0005-virtio-rng-ask-for-more-data-if-queue-is-not-fully-d.patch
 delete mode 100644 debian/patches/extra/CVE-2016-2198-ehci-null-pointer.patch
 delete mode 100644 debian/patches/extra/CVE-2016-2391-usb-ohci-avoid-multiple-eof-timers.patch
 delete mode 100644 debian/patches/extra/CVE-2016-2858-0004-rng-add-request-queue-support-to-rng-random.patch

diff --git a/debian/patches/extra/0001-rng-remove-the-unused-request-cancellation-code.patch b/debian/patches/extra/0001-rng-remove-the-unused-request-cancellation-code.patch
deleted file mode 100644
index 5db5a8e..0000000
--- a/debian/patches/extra/0001-rng-remove-the-unused-request-cancellation-code.patch
+++ /dev/null
@@ -1,98 +0,0 @@
-From d615099455e3a6cc71c17182cabd851d4340354d Mon Sep 17 00:00:00 2001
-From: Ladi Prosek <lprosek at redhat.com>
-Date: Thu, 3 Mar 2016 09:37:15 +0100
-Subject: [PATCH 1/5] rng: remove the unused request cancellation code
-
-rng_backend_cancel_requests had no callers and none of the code
-deleted in this commit ever ran.
-
-Signed-off-by: Ladi Prosek <lprosek at redhat.com>
-Reviewed-by: Amit Shah <amit.shah at redhat.com>
-Message-Id: <1456994238-9585-2-git-send-email-lprosek at redhat.com>
-Signed-off-by: Amit Shah <amit.shah at redhat.com>
----
- backends/rng-egd.c   | 12 ------------
- backends/rng.c       |  9 ---------
- include/sysemu/rng.h | 11 -----------
- 3 files changed, 32 deletions(-)
-
-diff --git a/backends/rng-egd.c b/backends/rng-egd.c
-index 6c13409..3c6362e 100644
---- a/backends/rng-egd.c
-+++ b/backends/rng-egd.c
-@@ -124,17 +124,6 @@ static void rng_egd_free_requests(RngEgd *s)
-     s->requests = NULL;
- }
- 
--static void rng_egd_cancel_requests(RngBackend *b)
--{
--    RngEgd *s = RNG_EGD(b);
--
--    /* We simply delete the list of pending requests.  If there is data in the 
--     * queue waiting to be read, this is okay, because there will always be
--     * more data than we requested originally
--     */
--    rng_egd_free_requests(s);
--}
--
- static void rng_egd_opened(RngBackend *b, Error **errp)
- {
-     RngEgd *s = RNG_EGD(b);
-@@ -212,7 +201,6 @@ static void rng_egd_class_init(ObjectClass *klass, void *data)
-     RngBackendClass *rbc = RNG_BACKEND_CLASS(klass);
- 
-     rbc->request_entropy = rng_egd_request_entropy;
--    rbc->cancel_requests = rng_egd_cancel_requests;
-     rbc->opened = rng_egd_opened;
- }
- 
-diff --git a/backends/rng.c b/backends/rng.c
-index 5065fdc..5d1876c 100644
---- a/backends/rng.c
-+++ b/backends/rng.c
-@@ -25,15 +25,6 @@ void rng_backend_request_entropy(RngBackend *s, size_t size,
-     }
- }
- 
--void rng_backend_cancel_requests(RngBackend *s)
--{
--    RngBackendClass *k = RNG_BACKEND_GET_CLASS(s);
--
--    if (k->cancel_requests) {
--        k->cancel_requests(s);
--    }
--}
--
- static bool rng_backend_prop_get_opened(Object *obj, Error **errp)
- {
-     RngBackend *s = RNG_BACKEND(obj);
-diff --git a/include/sysemu/rng.h b/include/sysemu/rng.h
-index 0a27c9b..c7da17d 100644
---- a/include/sysemu/rng.h
-+++ b/include/sysemu/rng.h
-@@ -38,7 +38,6 @@ struct RngBackendClass
- 
-     void (*request_entropy)(RngBackend *s, size_t size,
-                             EntropyReceiveFunc *receive_entropy, void *opaque);
--    void (*cancel_requests)(RngBackend *s);
- 
-     void (*opened)(RngBackend *s, Error **errp);
- };
-@@ -69,14 +68,4 @@ struct RngBackend
- void rng_backend_request_entropy(RngBackend *s, size_t size,
-                                  EntropyReceiveFunc *receive_entropy,
-                                  void *opaque);
--
--/**
-- * rng_backend_cancel_requests:
-- * @s: the backend to cancel all pending requests in
-- *
-- * Cancels all pending requests submitted by @rng_backend_request_entropy.  This
-- * should be used by a device during reset or in preparation for live migration
-- * to stop tracking any request.
-- */
--void rng_backend_cancel_requests(RngBackend *s);
- #endif
--- 
-2.1.4
-
diff --git a/debian/patches/extra/0001-target-i386-do-not-read-write-MSR_TSC_AUX-from-KVM-i.patch b/debian/patches/extra/0001-target-i386-do-not-read-write-MSR_TSC_AUX-from-KVM-i.patch
deleted file mode 100644
index 4077fa3..0000000
--- a/debian/patches/extra/0001-target-i386-do-not-read-write-MSR_TSC_AUX-from-KVM-i.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 73a3187cc97cdc8c11f4781910307e5dde5e8dbc Mon Sep 17 00:00:00 2001
-From: Paolo Bonzini <pbonzini at redhat.com>
-Date: Wed, 30 Mar 2016 22:59:42 +0200
-Subject: [PATCH] target-i386: do not read/write MSR_TSC_AUX from KVM if CPUID
- bit is not set
-
-KVM does not let you read or write this MSR if the corresponding CPUID
-bit is not set.  This in turn causes MSRs that come after MSR_TSC_AUX
-to be ignored by KVM_SET_MRSS.
-
-One visible symptom is that s3.flat from kvm-unit-tests fails with
-CPUs that do not have RDTSCP, because the SMBASE is not reset to
-0x30000 after reset.
-
-Fixes: c9b8f6b6210847b4381c5b2ee172b1c7eb9985d6
-Cc: qemu-stable at nongnu.org
-Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
----
- target-i386/kvm.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/target-i386/kvm.c b/target-i386/kvm.c
-index 36fa3f0..7370e9e 100644
---- a/target-i386/kvm.c
-+++ b/target-i386/kvm.c
-@@ -846,6 +846,9 @@ int kvm_arch_init_vcpu(CPUState *cs)
-     if (env->features[FEAT_1_EDX] & CPUID_MTRR) {
-         has_msr_mtrr = true;
-     }
-+    if (!(env->features[FEAT_8000_0001_EDX] & CPUID_EXT2_RDTSCP)) {
-+        has_msr_tsc_aux = false;
-+    }
- 
-     return 0;
- }
--- 
-2.1.4
-
diff --git a/debian/patches/extra/0001-vnc-clear-vs-tlscreds-after-unparenting-it.patch b/debian/patches/extra/0001-vnc-clear-vs-tlscreds-after-unparenting-it.patch
deleted file mode 100644
index 2bc8070..0000000
--- a/debian/patches/extra/0001-vnc-clear-vs-tlscreds-after-unparenting-it.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From ec10377932f10e47ce103f16ad469d182ab64321 Mon Sep 17 00:00:00 2001
-From: Wolfgang Bumiller <w.bumiller at proxmox.com>
-Date: Tue, 12 Jan 2016 11:03:04 +0100
-Subject: [PATCH] vnc: clear vs->tlscreds after unparenting it
-
-This pointer should be cleared in vnc_display_close()
-otherwise a use-after-free can happen when when using the
-old style 'x509' and 'tls' options rather than a persistent
-tls-creds -object, by issuing monitor commands to change
-the vnc server like so:
-
-Start with: -vnc unix:test.socket,x509,tls
-Then use the following monitor command:
-  change vnc unix:test.socket
-
-After this the pointer is still set but invalid and a crash
-can be triggered for instance by issuing the same command a
-second time which will try to object_unparent() the same
-pointer again.
----
- ui/vnc.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/ui/vnc.c b/ui/vnc.c
-index 09756cd..35843b5 100644
---- a/ui/vnc.c
-+++ b/ui/vnc.c
-@@ -3134,6 +3134,7 @@ static void vnc_display_close(VncDisplay *vs)
-     vs->subauth = VNC_AUTH_INVALID;
-     if (vs->tlscreds) {
-         object_unparent(OBJECT(vs->tlscreds));
-+        vs->tlscreds = NULL;
-     }
-     g_free(vs->tlsaclname);
-     vs->tlsaclname = NULL;
--- 
-2.1.4
-
diff --git a/debian/patches/extra/0002-rng-move-request-queue-from-RngEgd-to-RngBackend.patch b/debian/patches/extra/0002-rng-move-request-queue-from-RngEgd-to-RngBackend.patch
deleted file mode 100644
index a9d6e4b..0000000
--- a/debian/patches/extra/0002-rng-move-request-queue-from-RngEgd-to-RngBackend.patch
+++ /dev/null
@@ -1,135 +0,0 @@
-From 8cd5c28840888a32dab08ef1387864723c092a1d Mon Sep 17 00:00:00 2001
-From: Ladi Prosek <lprosek at redhat.com>
-Date: Thu, 3 Mar 2016 09:37:16 +0100
-Subject: [PATCH 2/5] rng: move request queue from RngEgd to RngBackend
-
-The 'requests' field now lives in the RngBackend parent class.
-There are no functional changes in this commit.
-
-Signed-off-by: Ladi Prosek <lprosek at redhat.com>
-Reviewed-by: Amit Shah <amit.shah at redhat.com>
-Message-Id: <1456994238-9585-3-git-send-email-lprosek at redhat.com>
-Signed-off-by: Amit Shah <amit.shah at redhat.com>
----
- backends/rng-egd.c   | 28 +++++++++-------------------
- include/sysemu/rng.h | 11 +++++++++++
- 2 files changed, 20 insertions(+), 19 deletions(-)
-
-diff --git a/backends/rng-egd.c b/backends/rng-egd.c
-index 3c6362e..19eee70 100644
---- a/backends/rng-egd.c
-+++ b/backends/rng-egd.c
-@@ -24,19 +24,8 @@ typedef struct RngEgd
- 
-     CharDriverState *chr;
-     char *chr_name;
--
--    GSList *requests;
- } RngEgd;
- 
--typedef struct RngRequest
--{
--    EntropyReceiveFunc *receive_entropy;
--    uint8_t *data;
--    void *opaque;
--    size_t offset;
--    size_t size;
--} RngRequest;
--
- static void rng_egd_request_entropy(RngBackend *b, size_t size,
-                                     EntropyReceiveFunc *receive_entropy,
-                                     void *opaque)
-@@ -65,7 +54,7 @@ static void rng_egd_request_entropy(RngBackend *b, size_t size,
-         size -= len;
-     }
- 
--    s->requests = g_slist_append(s->requests, req);
-+    s->parent.requests = g_slist_append(s->parent.requests, req);
- }
- 
- static void rng_egd_free_request(RngRequest *req)
-@@ -80,7 +69,7 @@ static int rng_egd_chr_can_read(void *opaque)
-     GSList *i;
-     int size = 0;
- 
--    for (i = s->requests; i; i = i->next) {
-+    for (i = s->parent.requests; i; i = i->next) {
-         RngRequest *req = i->data;
-         size += req->size - req->offset;
-     }
-@@ -93,8 +82,8 @@ static void rng_egd_chr_read(void *opaque, const uint8_t *buf, int size)
-     RngEgd *s = RNG_EGD(opaque);
-     size_t buf_offset = 0;
- 
--    while (size > 0 && s->requests) {
--        RngRequest *req = s->requests->data;
-+    while (size > 0 && s->parent.requests) {
-+        RngRequest *req = s->parent.requests->data;
-         int len = MIN(size, req->size - req->offset);
- 
-         memcpy(req->data + req->offset, buf + buf_offset, len);
-@@ -103,7 +92,8 @@ static void rng_egd_chr_read(void *opaque, const uint8_t *buf, int size)
-         size -= len;
- 
-         if (req->offset == req->size) {
--            s->requests = g_slist_remove_link(s->requests, s->requests);
-+            s->parent.requests = g_slist_remove_link(s->parent.requests,
-+                                                     s->parent.requests);
- 
-             req->receive_entropy(req->opaque, req->data, req->size);
- 
-@@ -116,12 +106,12 @@ static void rng_egd_free_requests(RngEgd *s)
- {
-     GSList *i;
- 
--    for (i = s->requests; i; i = i->next) {
-+    for (i = s->parent.requests; i; i = i->next) {
-         rng_egd_free_request(i->data);
-     }
- 
--    g_slist_free(s->requests);
--    s->requests = NULL;
-+    g_slist_free(s->parent.requests);
-+    s->parent.requests = NULL;
- }
- 
- static void rng_egd_opened(RngBackend *b, Error **errp)
-diff --git a/include/sysemu/rng.h b/include/sysemu/rng.h
-index c7da17d..084164c 100644
---- a/include/sysemu/rng.h
-+++ b/include/sysemu/rng.h
-@@ -25,6 +25,7 @@
- #define RNG_BACKEND_CLASS(klass) \
-     OBJECT_CLASS_CHECK(RngBackendClass, (klass), TYPE_RNG_BACKEND)
- 
-+typedef struct RngRequest RngRequest;
- typedef struct RngBackendClass RngBackendClass;
- typedef struct RngBackend RngBackend;
- 
-@@ -32,6 +33,15 @@ typedef void (EntropyReceiveFunc)(void *opaque,
-                                   const void *data,
-                                   size_t size);
- 
-+struct RngRequest
-+{
-+    EntropyReceiveFunc *receive_entropy;
-+    uint8_t *data;
-+    void *opaque;
-+    size_t offset;
-+    size_t size;
-+};
-+
- struct RngBackendClass
- {
-     ObjectClass parent_class;
-@@ -48,6 +58,7 @@ struct RngBackend
- 
-     /*< protected >*/
-     bool opened;
-+    GSList *requests;
- };
- 
- /**
--- 
-2.1.4
-
diff --git a/debian/patches/extra/0003-rng-move-request-queue-cleanup-from-RngEgd-to-RngBac.patch b/debian/patches/extra/0003-rng-move-request-queue-cleanup-from-RngEgd-to-RngBac.patch
deleted file mode 100644
index d14453a..0000000
--- a/debian/patches/extra/0003-rng-move-request-queue-cleanup-from-RngEgd-to-RngBac.patch
+++ /dev/null
@@ -1,163 +0,0 @@
-From 33809b9b455fa58d9c011bec6aac462204169560 Mon Sep 17 00:00:00 2001
-From: Ladi Prosek <lprosek at redhat.com>
-Date: Thu, 3 Mar 2016 09:37:17 +0100
-Subject: [PATCH 3/5] rng: move request queue cleanup from RngEgd to RngBackend
-
-RngBackend is now in charge of cleaning up the linked list on
-instance finalization. It also exposes a function to finalize
-individual RngRequest instances, called by its child classes.
-
-Signed-off-by: Ladi Prosek <lprosek at redhat.com>
-Reviewed-by: Amit Shah <amit.shah at redhat.com>
-Message-Id: <1456994238-9585-4-git-send-email-lprosek at redhat.com>
-Signed-off-by: Amit Shah <amit.shah at redhat.com>
----
- backends/rng-egd.c   | 25 +------------------------
- backends/rng.c       | 32 ++++++++++++++++++++++++++++++++
- include/sysemu/rng.h | 12 ++++++++++++
- 3 files changed, 45 insertions(+), 24 deletions(-)
-
-diff --git a/backends/rng-egd.c b/backends/rng-egd.c
-index 19eee70..08301a7 100644
---- a/backends/rng-egd.c
-+++ b/backends/rng-egd.c
-@@ -57,12 +57,6 @@ static void rng_egd_request_entropy(RngBackend *b, size_t size,
-     s->parent.requests = g_slist_append(s->parent.requests, req);
- }
- 
--static void rng_egd_free_request(RngRequest *req)
--{
--    g_free(req->data);
--    g_free(req);
--}
--
- static int rng_egd_chr_can_read(void *opaque)
- {
-     RngEgd *s = RNG_EGD(opaque);
-@@ -92,28 +86,13 @@ static void rng_egd_chr_read(void *opaque, const uint8_t *buf, int size)
-         size -= len;
- 
-         if (req->offset == req->size) {
--            s->parent.requests = g_slist_remove_link(s->parent.requests,
--                                                     s->parent.requests);
--
-             req->receive_entropy(req->opaque, req->data, req->size);
- 
--            rng_egd_free_request(req);
-+            rng_backend_finalize_request(&s->parent, req);
-         }
-     }
- }
- 
--static void rng_egd_free_requests(RngEgd *s)
--{
--    GSList *i;
--
--    for (i = s->parent.requests; i; i = i->next) {
--        rng_egd_free_request(i->data);
--    }
--
--    g_slist_free(s->parent.requests);
--    s->parent.requests = NULL;
--}
--
- static void rng_egd_opened(RngBackend *b, Error **errp)
- {
-     RngEgd *s = RNG_EGD(b);
-@@ -182,8 +161,6 @@ static void rng_egd_finalize(Object *obj)
-     }
- 
-     g_free(s->chr_name);
--
--    rng_egd_free_requests(s);
- }
- 
- static void rng_egd_class_init(ObjectClass *klass, void *data)
-diff --git a/backends/rng.c b/backends/rng.c
-index 5d1876c..0d9978b 100644
---- a/backends/rng.c
-+++ b/backends/rng.c
-@@ -63,6 +63,30 @@ static void rng_backend_prop_set_opened(Object *obj, bool value, Error **errp)
-     s->opened = true;
- }
- 
-+static void rng_backend_free_request(RngRequest *req)
-+{
-+    g_free(req->data);
-+    g_free(req);
-+}
-+
-+static void rng_backend_free_requests(RngBackend *s)
-+{
-+    GSList *i;
-+
-+    for (i = s->requests; i; i = i->next) {
-+        rng_backend_free_request(i->data);
-+    }
-+
-+    g_slist_free(s->requests);
-+    s->requests = NULL;
-+}
-+
-+void rng_backend_finalize_request(RngBackend *s, RngRequest *req)
-+{
-+    s->requests = g_slist_remove(s->requests, req);
-+    rng_backend_free_request(req);
-+}
-+
- static void rng_backend_init(Object *obj)
- {
-     object_property_add_bool(obj, "opened",
-@@ -71,6 +95,13 @@ static void rng_backend_init(Object *obj)
-                              NULL);
- }
- 
-+static void rng_backend_finalize(Object *obj)
-+{
-+    RngBackend *s = RNG_BACKEND(obj);
-+
-+    rng_backend_free_requests(s);
-+}
-+
- static void rng_backend_class_init(ObjectClass *oc, void *data)
- {
-     UserCreatableClass *ucc = USER_CREATABLE_CLASS(oc);
-@@ -83,6 +114,7 @@ static const TypeInfo rng_backend_info = {
-     .parent = TYPE_OBJECT,
-     .instance_size = sizeof(RngBackend),
-     .instance_init = rng_backend_init,
-+    .instance_finalize = rng_backend_finalize,
-     .class_size = sizeof(RngBackendClass),
-     .class_init = rng_backend_class_init,
-     .abstract = true,
-diff --git a/include/sysemu/rng.h b/include/sysemu/rng.h
-index 084164c..c2c9035 100644
---- a/include/sysemu/rng.h
-+++ b/include/sysemu/rng.h
-@@ -61,6 +61,7 @@ struct RngBackend
-     GSList *requests;
- };
- 
-+
- /**
-  * rng_backend_request_entropy:
-  * @s: the backend to request entropy from
-@@ -79,4 +80,15 @@ struct RngBackend
- void rng_backend_request_entropy(RngBackend *s, size_t size,
-                                  EntropyReceiveFunc *receive_entropy,
-                                  void *opaque);
-+
-+/**
-+ * rng_backend_free_request:
-+ * @s: the backend that created the request
-+ * @req: the request to finalize
-+ *
-+ * Used by child rng backend classes to finalize requests once they've been
-+ * processed. The request is removed from the list of active requests and
-+ * deleted.
-+ */
-+void rng_backend_finalize_request(RngBackend *s, RngRequest *req);
- #endif
--- 
-2.1.4
-
diff --git a/debian/patches/extra/0005-virtio-rng-ask-for-more-data-if-queue-is-not-fully-d.patch b/debian/patches/extra/0005-virtio-rng-ask-for-more-data-if-queue-is-not-fully-d.patch
deleted file mode 100644
index 3f48a29..0000000
--- a/debian/patches/extra/0005-virtio-rng-ask-for-more-data-if-queue-is-not-fully-d.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From b5f29c3cdd14243de19d974320f49fb3bdd37a6d Mon Sep 17 00:00:00 2001
-From: Ladi Prosek <lprosek at redhat.com>
-Date: Thu, 3 Mar 2016 10:48:34 +0100
-Subject: [PATCH 5/5] virtio-rng: ask for more data if queue is not fully
- drained
-
-This commit effectively reverts:
-
-  commit 4621c1768ef5d12171cca2aa1473595ecb9f1c9e
-  Author: Amit Shah <amit.shah at redhat.com>
-  Date:   Wed Nov 21 11:21:19 2012 +0530
-
-  virtio-rng: remove extra request for entropy
-
-but instead of calling virtio_rng_process unconditionally, it
-first checks to see if the queue is empty as a little bit of
-optimization.
-
-Signed-off-by: Ladi Prosek <lprosek at redhat.com>
-Reviewed-by: Amit Shah <amit.shah at redhat.com>
-Message-Id: <1456998514-19271-1-git-send-email-lprosek at redhat.com>
-Signed-off-by: Amit Shah <amit.shah at redhat.com>
----
- hw/virtio/virtio-rng.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/hw/virtio/virtio-rng.c b/hw/virtio/virtio-rng.c
-index 97d1541..3124461 100644
---- a/hw/virtio/virtio-rng.c
-+++ b/hw/virtio/virtio-rng.c
-@@ -66,6 +66,13 @@ static void chr_read(void *opaque, const void *buf, size_t size)
-         trace_virtio_rng_pushed(vrng, len);
-     }
-     virtio_notify(vdev, vrng->vq);
-+
-+    if (!virtio_queue_empty(vrng->vq)) {
-+        /* If we didn't drain the queue, call virtio_rng_process
-+         * to take care of asking for more data as appropriate.
-+         */
-+        virtio_rng_process(vrng);
-+    }
- }
- 
- static void virtio_rng_process(VirtIORNG *vrng)
--- 
-2.1.4
-
diff --git a/debian/patches/extra/CVE-2016-2198-ehci-null-pointer.patch b/debian/patches/extra/CVE-2016-2198-ehci-null-pointer.patch
deleted file mode 100644
index 640fa2b..0000000
--- a/debian/patches/extra/CVE-2016-2198-ehci-null-pointer.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From f1a42b805bb9290e7c03358ce803c311f5aa8a69 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp at fedoraproject.org>
-Date: Fri, 29 Jan 2016 18:30:34 +0530
-Subject: [PATCH 1/2] usb: ehci: add capability mmio write function
-
-USB Ehci emulation supports host controller capability registers.
-But its mmio '.write' function was missing, which lead to a null
-pointer dereference issue. Add a do nothing 'ehci_caps_write'
-definition to avoid it; Do nothing because capability registers
-are Read Only(RO).
-
-Reported-by: Zuozhi Fzz <zuozhi.fzz at alibaba-inc.com>
-Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
----
- hw/usb/hcd-ehci.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
-index 4e2161b..5f726a9 100644
---- a/hw/usb/hcd-ehci.c
-+++ b/hw/usb/hcd-ehci.c
-@@ -893,6 +893,11 @@ static uint64_t ehci_caps_read(void *ptr, hwaddr addr,
-     return s->caps[addr];
- }
- 
-+static void ehci_caps_write(void *ptr, hwaddr addr,
-+                             uint64_t val, unsigned size)
-+{
-+}
-+
- static uint64_t ehci_opreg_read(void *ptr, hwaddr addr,
-                                 unsigned size)
- {
-@@ -2310,6 +2315,7 @@ static void ehci_frame_timer(void *opaque)
- 
- static const MemoryRegionOps ehci_mmio_caps_ops = {
-     .read = ehci_caps_read,
-+    .write = ehci_caps_write,
-     .valid.min_access_size = 1,
-     .valid.max_access_size = 4,
-     .impl.min_access_size = 1,
--- 
-2.1.4
-
diff --git a/debian/patches/extra/CVE-2016-2391-usb-ohci-avoid-multiple-eof-timers.patch b/debian/patches/extra/CVE-2016-2391-usb-ohci-avoid-multiple-eof-timers.patch
deleted file mode 100644
index 923c5a5..0000000
--- a/debian/patches/extra/CVE-2016-2391-usb-ohci-avoid-multiple-eof-timers.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From f2575bbcfe89deabe1f8eab306854d35d7418537 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp at fedoraproject.org>
-Date: Tue, 16 Feb 2016 15:34:14 +0530
-Subject: [PATCH] usb: ohci avoid multiple eof timers
-
-When transitioning an OHCI controller to the OHCI_USB_OPERATIONAL
-state, it creates an eof timer object in 'ohci_bus_start'.
-It does not check if one already exists. This results in memory
-leakage and null dereference issue. Add a check to avoid it.
-
-Reported-by: Zuozhi Fzz <zuozhi.fzz at alibaba-inc.com>
-Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
----
- hw/usb/hcd-ohci.c | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c
-index 7d65818..15f0b44 100644
---- a/hw/usb/hcd-ohci.c
-+++ b/hw/usb/hcd-ohci.c
-@@ -1331,11 +1331,11 @@ static void ohci_frame_boundary(void *opaque)
-  */
- static int ohci_bus_start(OHCIState *ohci)
- {
--    ohci->eof_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL,
--                    ohci_frame_boundary,
--                    ohci);
--
--    if (ohci->eof_timer == NULL) {
-+    if (!ohci->eof_timer) {
-+        ohci->eof_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL,
-+                                        ohci_frame_boundary, ohci);
-+    }
-+    if (!ohci->eof_timer) {
-         trace_usb_ohci_bus_eof_timer_failed(ohci->name);
-         ohci_die(ohci);
-         return 0;
--- 
-2.1.4
-
diff --git a/debian/patches/extra/CVE-2016-2858-0004-rng-add-request-queue-support-to-rng-random.patch b/debian/patches/extra/CVE-2016-2858-0004-rng-add-request-queue-support-to-rng-random.patch
deleted file mode 100644
index 305b8c8..0000000
--- a/debian/patches/extra/CVE-2016-2858-0004-rng-add-request-queue-support-to-rng-random.patch
+++ /dev/null
@@ -1,179 +0,0 @@
-From c33f9c1b4eb6142f6d49a72465395f111b6c968b Mon Sep 17 00:00:00 2001
-From: Ladi Prosek <lprosek at redhat.com>
-Date: Thu, 3 Mar 2016 09:37:18 +0100
-Subject: [PATCH 4/5] rng: add request queue support to rng-random
-
-Requests are now created in the RngBackend parent class and the
-code path is shared by both rng-egd and rng-random.
-
-This commit fixes the rng-random implementation which processed
-only one request at a time and simply discarded all but the most
-recent one. In the guest this manifested as delayed completion
-of reads from virtio-rng, i.e. a read was completed only after
-another read was issued.
-
-By switching rng-random to use the same request queue as rng-egd,
-the unsafe stack-based allocation of the entropy buffer is
-eliminated and replaced with g_malloc.
-
-Signed-off-by: Ladi Prosek <lprosek at redhat.com>
-Reviewed-by: Amit Shah <amit.shah at redhat.com>
-Message-Id: <1456994238-9585-5-git-send-email-lprosek at redhat.com>
-Signed-off-by: Amit Shah <amit.shah at redhat.com>
----
- backends/rng-egd.c    | 16 ++--------------
- backends/rng-random.c | 43 +++++++++++++++++++------------------------
- backends/rng.c        | 13 ++++++++++++-
- include/sysemu/rng.h  |  3 +--
- 4 files changed, 34 insertions(+), 41 deletions(-)
-
-diff --git a/backends/rng-egd.c b/backends/rng-egd.c
-index 08301a7..de6c8d4 100644
---- a/backends/rng-egd.c
-+++ b/backends/rng-egd.c
-@@ -26,20 +26,10 @@ typedef struct RngEgd
-     char *chr_name;
- } RngEgd;
- 
--static void rng_egd_request_entropy(RngBackend *b, size_t size,
--                                    EntropyReceiveFunc *receive_entropy,
--                                    void *opaque)
-+static void rng_egd_request_entropy(RngBackend *b, RngRequest *req)
- {
-     RngEgd *s = RNG_EGD(b);
--    RngRequest *req;
--
--    req = g_malloc(sizeof(*req));
--
--    req->offset = 0;
--    req->size = size;
--    req->receive_entropy = receive_entropy;
--    req->opaque = opaque;
--    req->data = g_malloc(req->size);
-+    size_t size = req->size;
- 
-     while (size > 0) {
-         uint8_t header[2];
-@@ -53,8 +43,6 @@ static void rng_egd_request_entropy(RngBackend *b, size_t size,
- 
-         size -= len;
-     }
--
--    s->parent.requests = g_slist_append(s->parent.requests, req);
- }
- 
- static int rng_egd_chr_can_read(void *opaque)
-diff --git a/backends/rng-random.c b/backends/rng-random.c
-index 4e51f46..c2d8c03 100644
---- a/backends/rng-random.c
-+++ b/backends/rng-random.c
-@@ -21,10 +21,6 @@ struct RndRandom
- 
-     int fd;
-     char *filename;
--
--    EntropyReceiveFunc *receive_func;
--    void *opaque;
--    size_t size;
- };
- 
- /**
-@@ -37,36 +33,35 @@ struct RndRandom
- static void entropy_available(void *opaque)
- {
-     RndRandom *s = RNG_RANDOM(opaque);
--    uint8_t buffer[s->size];
--    ssize_t len;
- 
--    len = read(s->fd, buffer, s->size);
--    if (len < 0 && errno == EAGAIN) {
--        return;
--    }
--    g_assert(len != -1);
-+    while (s->parent.requests != NULL) {
-+        RngRequest *req = s->parent.requests->data;
-+        ssize_t len;
-+
-+        len = read(s->fd, req->data, req->size);
-+        if (len < 0 && errno == EAGAIN) {
-+            return;
-+        }
-+        g_assert(len != -1);
- 
--    s->receive_func(s->opaque, buffer, len);
--    s->receive_func = NULL;
-+        req->receive_entropy(req->opaque, req->data, len);
- 
-+        rng_backend_finalize_request(&s->parent, req);
-+    }
-+
-+    /* We've drained all requests, the fd handler can be reset. */
-     qemu_set_fd_handler(s->fd, NULL, NULL, NULL);
- }
- 
--static void rng_random_request_entropy(RngBackend *b, size_t size,
--                                        EntropyReceiveFunc *receive_entropy,
--                                        void *opaque)
-+static void rng_random_request_entropy(RngBackend *b, RngRequest *req)
- {
-     RndRandom *s = RNG_RANDOM(b);
- 
--    if (s->receive_func) {
--        s->receive_func(s->opaque, NULL, 0);
-+    if (s->parent.requests == NULL) {
-+        /* If there are no pending requests yet, we need to
-+         * install our fd handler. */
-+        qemu_set_fd_handler(s->fd, entropy_available, NULL, s);
-     }
--
--    s->receive_func = receive_entropy;
--    s->opaque = opaque;
--    s->size = size;
--
--    qemu_set_fd_handler(s->fd, entropy_available, NULL, s);
- }
- 
- static void rng_random_opened(RngBackend *b, Error **errp)
-diff --git a/backends/rng.c b/backends/rng.c
-index 0d9978b..4066268 100644
---- a/backends/rng.c
-+++ b/backends/rng.c
-@@ -19,9 +19,20 @@ void rng_backend_request_entropy(RngBackend *s, size_t size,
-                                  void *opaque)
- {
-     RngBackendClass *k = RNG_BACKEND_GET_CLASS(s);
-+    RngRequest *req;
- 
-     if (k->request_entropy) {
--        k->request_entropy(s, size, receive_entropy, opaque);
-+        req = g_malloc(sizeof(*req));
-+
-+        req->offset = 0;
-+        req->size = size;
-+        req->receive_entropy = receive_entropy;
-+        req->opaque = opaque;
-+        req->data = g_malloc(req->size);
-+
-+        k->request_entropy(s, req);
-+
-+        s->requests = g_slist_append(s->requests, req);
-     }
- }
- 
-diff --git a/include/sysemu/rng.h b/include/sysemu/rng.h
-index c2c9035..a7ed580 100644
---- a/include/sysemu/rng.h
-+++ b/include/sysemu/rng.h
-@@ -46,8 +46,7 @@ struct RngBackendClass
- {
-     ObjectClass parent_class;
- 
--    void (*request_entropy)(RngBackend *s, size_t size,
--                            EntropyReceiveFunc *receive_entropy, void *opaque);
-+    void (*request_entropy)(RngBackend *s, RngRequest *req);
- 
-     void (*opened)(RngBackend *s, Error **errp);
- };
--- 
-2.1.4
-
-- 
2.1.4





More information about the pve-devel mailing list