[pve-devel] Applied: [PATCH kvm] update to qemu-2.6.2
Wolfgang Bumiller
w.bumiller at proxmox.com
Thu Oct 6 14:29:10 CEST 2016
dropping a bunch of backported upstream fixes
---
Makefile | 4 +-
debian/changelog | 6 +
.../0001-9pfs-forbid-illegal-path-names.patch | 178 ---------------------
...heck-fragment-length-during-fragmentation.patch | 36 -----
.../0002-9pfs-forbid-.-and-.-in-file-names.patch | 159 ------------------
...fs-handle-walk-of-.-in-the-root-directory.patch | 126 ---------------
...t-vmxnet-use-g_new-for-pkt-initialisation.patch | 38 -----
.../0004-net-vmxnet-check-IP-header-length.patch | 34 ----
...rtio-recalculate-vq-inuse-after-migration.patch | 52 ------
...o-decrement-vq-inuse-in-virtqueue_discard.patch | 34 ----
...008-iscsi-pass-SCSI-status-back-for-SG_IO.patch | 26 ---
...0010-ui-fix-refresh-of-VNC-server-surface.patch | 102 ------------
...page-count-while-initialising-descriptor-.patch | 83 ----------
...7-scsi-mptconfig-fix-an-assert-expression.patch | 35 ----
...pvscsi-limit-process-IO-loop-to-ring-size.patch | 38 -----
...-use-g_new0-to-allocate-MPTSASRequest-obj.patch | 35 ----
debian/patches/series | 14 --
qemu-kvm-src.tar.gz | Bin 12075164 -> 12075906 bytes
18 files changed, 8 insertions(+), 992 deletions(-)
delete mode 100644 debian/patches/extra/0001-9pfs-forbid-illegal-path-names.patch
delete mode 100644 debian/patches/extra/0001-net-check-fragment-length-during-fragmentation.patch
delete mode 100644 debian/patches/extra/0002-9pfs-forbid-.-and-.-in-file-names.patch
delete mode 100644 debian/patches/extra/0003-9pfs-handle-walk-of-.-in-the-root-directory.patch
delete mode 100644 debian/patches/extra/0003-net-vmxnet-use-g_new-for-pkt-initialisation.patch
delete mode 100644 debian/patches/extra/0004-net-vmxnet-check-IP-header-length.patch
delete mode 100644 debian/patches/extra/0006-virtio-recalculate-vq-inuse-after-migration.patch
delete mode 100644 debian/patches/extra/0007-virtio-decrement-vq-inuse-in-virtqueue_discard.patch
delete mode 100644 debian/patches/extra/0008-iscsi-pass-SCSI-status-back-for-SG_IO.patch
delete mode 100644 debian/patches/extra/0010-ui-fix-refresh-of-VNC-server-surface.patch
delete mode 100644 debian/patches/extra/CVE-2016-7155-scsi-check-page-count-while-initialising-descriptor-.patch
delete mode 100644 debian/patches/extra/CVE-2016-7157-scsi-mptconfig-fix-an-assert-expression.patch
delete mode 100644 debian/patches/extra/CVE-2016-7421-scsi-pvscsi-limit-process-IO-loop-to-ring-size.patch
delete mode 100644 debian/patches/extra/CVE-2016-7423-scsi-mptsas-use-g_new0-to-allocate-MPTSASRequest-obj.patch
diff --git a/Makefile b/Makefile
index 18b3427..b586ef1 100644
--- a/Makefile
+++ b/Makefile
@@ -1,8 +1,8 @@
RELEASE=4.2
# also update debian/changelog
-KVMVER=2.6.1
-KVMPKGREL=7
+KVMVER=2.6.2
+KVMPKGREL=1
KVMPACKAGE=pve-qemu-kvm
KVMDIR=qemu-kvm
diff --git a/debian/changelog b/debian/changelog
index 001b1b6..53a8f16 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+pve-qemu-kvm (2.6.2-1) unstable; urgency=medium
+
+ * update to qemu 2.6.2
+
+ -- Proxmox Support Team <support at proxmox.com> Thu, 06 Oct 2016 14:12:07 +0200
+
pve-qemu-kvm (2.6.1-7) unstable; urgency=medium
* fix CVE-2016-7161: hw/net: Fix a heap overflow in xlnx.xps-ethernetlite
diff --git a/debian/patches/extra/0001-9pfs-forbid-illegal-path-names.patch b/debian/patches/extra/0001-9pfs-forbid-illegal-path-names.patch
deleted file mode 100644
index 15d3119..0000000
--- a/debian/patches/extra/0001-9pfs-forbid-illegal-path-names.patch
+++ /dev/null
@@ -1,178 +0,0 @@
-From 21289fc663198d96ae2ca145a425f2e21ed4637a Mon Sep 17 00:00:00 2001
-From: Greg Kurz <groug at kaod.org>
-Date: Tue, 30 Aug 2016 19:11:05 +0200
-Subject: [PATCH 1/6] 9pfs: forbid illegal path names
-
-Empty path components don't make sense for most commands and may cause
-undefined behavior, depending on the backend.
-
-Also, the walk request described in the 9P spec [1] clearly shows that
-the client is supposed to send individual path components: the official
-linux client never sends portions of path containing the / character for
-example.
-
-Moreover, the 9P spec [2] also states that a system can decide to restrict
-the set of supported characters used in path components, with an explicit
-mention "to remove slashes from name components".
-
-This patch introduces a new name_is_illegal() helper that checks the
-names sent by the client are not empty and don't contain unwanted chars.
-Since 9pfs is only supported on linux hosts, only the / character is
-checked at the moment. When support for other hosts (AKA. win32) is added,
-other chars may need to be blacklisted as well.
-
-If a client sends an illegal path component, the request will fail and
-ENOENT is returned to the client.
-
-[1] http://man.cat-v.org/plan_9/5/walk
-[2] http://man.cat-v.org/plan_9/5/intro
-
-Suggested-by: Peter Maydell <peter.maydell at linaro.org>
-Signed-off-by: Greg Kurz <groug at kaod.org>
-Reviewed-by: Eric Blake <eblake at redhat.com>
-Reviewed-by: Michael S. Tsirkin <mst at redhat.com>
-Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
----
- hw/9pfs/9p.c | 56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 56 insertions(+)
-
-diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
-index f5e3012..53c466b 100644
---- a/hw/9pfs/9p.c
-+++ b/hw/9pfs/9p.c
-@@ -1254,6 +1254,11 @@ static int v9fs_walk_marshal(V9fsPDU *pdu, uint16_t nwnames, V9fsQID *qids)
- return offset;
- }
-
-+static bool name_is_illegal(const char *name)
-+{
-+ return !*name || strchr(name, '/') != NULL;
-+}
-+
- static void v9fs_walk(void *opaque)
- {
- int name_idx;
-@@ -1287,6 +1292,10 @@ static void v9fs_walk(void *opaque)
- if (err < 0) {
- goto out_nofid;
- }
-+ if (name_is_illegal(wnames[i].data)) {
-+ err = -ENOENT;
-+ goto out_nofid;
-+ }
- offset += err;
- }
- } else if (nwnames > P9_MAXWELEM) {
-@@ -1481,6 +1490,11 @@ static void v9fs_lcreate(void *opaque)
- }
- trace_v9fs_lcreate(pdu->tag, pdu->id, dfid, flags, mode, gid);
-
-+ if (name_is_illegal(name.data)) {
-+ err = -ENOENT;
-+ goto out_nofid;
-+ }
-+
- fidp = get_fid(pdu, dfid);
- if (fidp == NULL) {
- err = -ENOENT;
-@@ -2066,6 +2080,11 @@ static void v9fs_create(void *opaque)
- }
- trace_v9fs_create(pdu->tag, pdu->id, fid, name.data, perm, mode);
-
-+ if (name_is_illegal(name.data)) {
-+ err = -ENOENT;
-+ goto out_nofid;
-+ }
-+
- fidp = get_fid(pdu, fid);
- if (fidp == NULL) {
- err = -EINVAL;
-@@ -2231,6 +2250,11 @@ static void v9fs_symlink(void *opaque)
- }
- trace_v9fs_symlink(pdu->tag, pdu->id, dfid, name.data, symname.data, gid);
-
-+ if (name_is_illegal(name.data)) {
-+ err = -ENOENT;
-+ goto out_nofid;
-+ }
-+
- dfidp = get_fid(pdu, dfid);
- if (dfidp == NULL) {
- err = -EINVAL;
-@@ -2305,6 +2329,11 @@ static void v9fs_link(void *opaque)
- }
- trace_v9fs_link(pdu->tag, pdu->id, dfid, oldfid, name.data);
-
-+ if (name_is_illegal(name.data)) {
-+ err = -ENOENT;
-+ goto out_nofid;
-+ }
-+
- dfidp = get_fid(pdu, dfid);
- if (dfidp == NULL) {
- err = -ENOENT;
-@@ -2387,6 +2416,12 @@ static void v9fs_unlinkat(void *opaque)
- if (err < 0) {
- goto out_nofid;
- }
-+
-+ if (name_is_illegal(name.data)) {
-+ err = -ENOENT;
-+ goto out_nofid;
-+ }
-+
- dfidp = get_fid(pdu, dfid);
- if (dfidp == NULL) {
- err = -EINVAL;
-@@ -2493,6 +2528,12 @@ static void v9fs_rename(void *opaque)
- if (err < 0) {
- goto out_nofid;
- }
-+
-+ if (name_is_illegal(name.data)) {
-+ err = -ENOENT;
-+ goto out_nofid;
-+ }
-+
- fidp = get_fid(pdu, fid);
- if (fidp == NULL) {
- err = -ENOENT;
-@@ -2605,6 +2646,11 @@ static void v9fs_renameat(void *opaque)
- goto out_err;
- }
-
-+ if (name_is_illegal(old_name.data) || name_is_illegal(new_name.data)) {
-+ err = -ENOENT;
-+ goto out_err;
-+ }
-+
- v9fs_path_write_lock(s);
- err = v9fs_complete_renameat(pdu, olddirfid,
- &old_name, newdirfid, &new_name);
-@@ -2815,6 +2861,11 @@ static void v9fs_mknod(void *opaque)
- }
- trace_v9fs_mknod(pdu->tag, pdu->id, fid, mode, major, minor);
-
-+ if (name_is_illegal(name.data)) {
-+ err = -ENOENT;
-+ goto out_nofid;
-+ }
-+
- fidp = get_fid(pdu, fid);
- if (fidp == NULL) {
- err = -ENOENT;
-@@ -2966,6 +3017,11 @@ static void v9fs_mkdir(void *opaque)
- }
- trace_v9fs_mkdir(pdu->tag, pdu->id, fid, name.data, mode, gid);
-
-+ if (name_is_illegal(name.data)) {
-+ err = -ENOENT;
-+ goto out_nofid;
-+ }
-+
- fidp = get_fid(pdu, fid);
- if (fidp == NULL) {
- err = -ENOENT;
---
-2.1.4
-
diff --git a/debian/patches/extra/0001-net-check-fragment-length-during-fragmentation.patch b/debian/patches/extra/0001-net-check-fragment-length-during-fragmentation.patch
deleted file mode 100644
index 5e54bec..0000000
--- a/debian/patches/extra/0001-net-check-fragment-length-during-fragmentation.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 24a01bab4aa431b79e201c1e2d0ac552a41114bc Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp at fedoraproject.org>
-Date: Thu, 4 Aug 2016 13:00:14 +0530
-Subject: [PATCH 1/5] net: check fragment length during fragmentation
-
-Network transport abstraction layer supports packet fragmentation.
-While fragmenting a packet, it checks for more fragments from
-packet length and current fragment length. It is susceptible
-to an infinite loop, if the current fragment length is zero.
-Add check to avoid it.
-
-Reported-by: Li Qiang <liqiang6-s at 360.cn>
-Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
-Reviewed-by: Dmitry Fleytman <dmitry at daynix.com>
-CC: qemu-stable at nongnu.org
-Signed-off-by: Jason Wang <jasowang at redhat.com>
----
- hw/net/vmxnet_tx_pkt.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/net/vmxnet_tx_pkt.c b/hw/net/vmxnet_tx_pkt.c
-index 91e1e08..f4d0f5f 100644
---- a/hw/net/vmxnet_tx_pkt.c
-+++ b/hw/net/vmxnet_tx_pkt.c
-@@ -544,7 +544,7 @@ static bool vmxnet_tx_pkt_do_sw_fragmentation(struct VmxnetTxPkt *pkt,
-
- fragment_offset += fragment_len;
-
-- } while (more_frags);
-+ } while (fragment_len && more_frags);
-
- return true;
- }
---
-2.1.4
-
diff --git a/debian/patches/extra/0002-9pfs-forbid-.-and-.-in-file-names.patch b/debian/patches/extra/0002-9pfs-forbid-.-and-.-in-file-names.patch
deleted file mode 100644
index c2c0500..0000000
--- a/debian/patches/extra/0002-9pfs-forbid-.-and-.-in-file-names.patch
+++ /dev/null
@@ -1,159 +0,0 @@
-From 3ae00feb459657766ec623de7eae8f014a660ab4 Mon Sep 17 00:00:00 2001
-From: Greg Kurz <groug at kaod.org>
-Date: Tue, 30 Aug 2016 19:13:11 +0200
-Subject: [PATCH 2/6] 9pfs: forbid . and .. in file names
-
-According to the 9P spec http://man.cat-v.org/plan_9/5/open about the
-create request:
-
-The names . and .. are special; it is illegal to create files with these
-names.
-
-This patch causes the create and lcreate requests to fail with EINVAL if
-the file name is either "." or "..".
-
-Even if it isn't explicitly written in the spec, this patch extends the
-checking to all requests that may cause a directory entry to be created:
-
- - mknod
- - rename
- - renameat
- - mkdir
- - link
- - symlink
-
-The unlinkat request also gets patched for consistency (even if
-rmdir("foo/..") is expected to fail according to POSIX.1-2001).
-
-The various error values come from the linux manual pages.
-
-Suggested-by: Peter Maydell <peter.maydell at linaro.org>
-Signed-off-by: Greg Kurz <groug at kaod.org>
-Reviewed-by: Eric Blake <eblake at redhat.com>
-Reviewed-by: Michael S. Tsirkin <mst at redhat.com>
-Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
----
- hw/9pfs/9p.c | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 51 insertions(+)
-
-diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
-index 53c466b..1e96427 100644
---- a/hw/9pfs/9p.c
-+++ b/hw/9pfs/9p.c
-@@ -1495,6 +1495,11 @@ static void v9fs_lcreate(void *opaque)
- goto out_nofid;
- }
-
-+ if (!strcmp(".", name.data) || !strcmp("..", name.data)) {
-+ err = -EEXIST;
-+ goto out_nofid;
-+ }
-+
- fidp = get_fid(pdu, dfid);
- if (fidp == NULL) {
- err = -ENOENT;
-@@ -2085,6 +2090,11 @@ static void v9fs_create(void *opaque)
- goto out_nofid;
- }
-
-+ if (!strcmp(".", name.data) || !strcmp("..", name.data)) {
-+ err = -EEXIST;
-+ goto out_nofid;
-+ }
-+
- fidp = get_fid(pdu, fid);
- if (fidp == NULL) {
- err = -EINVAL;
-@@ -2255,6 +2265,11 @@ static void v9fs_symlink(void *opaque)
- goto out_nofid;
- }
-
-+ if (!strcmp(".", name.data) || !strcmp("..", name.data)) {
-+ err = -EEXIST;
-+ goto out_nofid;
-+ }
-+
- dfidp = get_fid(pdu, dfid);
- if (dfidp == NULL) {
- err = -EINVAL;
-@@ -2334,6 +2349,11 @@ static void v9fs_link(void *opaque)
- goto out_nofid;
- }
-
-+ if (!strcmp(".", name.data) || !strcmp("..", name.data)) {
-+ err = -EEXIST;
-+ goto out_nofid;
-+ }
-+
- dfidp = get_fid(pdu, dfid);
- if (dfidp == NULL) {
- err = -ENOENT;
-@@ -2422,6 +2442,16 @@ static void v9fs_unlinkat(void *opaque)
- goto out_nofid;
- }
-
-+ if (!strcmp(".", name.data)) {
-+ err = -EINVAL;
-+ goto out_nofid;
-+ }
-+
-+ if (!strcmp("..", name.data)) {
-+ err = -ENOTEMPTY;
-+ goto out_nofid;
-+ }
-+
- dfidp = get_fid(pdu, dfid);
- if (dfidp == NULL) {
- err = -EINVAL;
-@@ -2534,6 +2564,11 @@ static void v9fs_rename(void *opaque)
- goto out_nofid;
- }
-
-+ if (!strcmp(".", name.data) || !strcmp("..", name.data)) {
-+ err = -EISDIR;
-+ goto out_nofid;
-+ }
-+
- fidp = get_fid(pdu, fid);
- if (fidp == NULL) {
- err = -ENOENT;
-@@ -2651,6 +2686,12 @@ static void v9fs_renameat(void *opaque)
- goto out_err;
- }
-
-+ if (!strcmp(".", old_name.data) || !strcmp("..", old_name.data) ||
-+ !strcmp(".", new_name.data) || !strcmp("..", new_name.data)) {
-+ err = -EISDIR;
-+ goto out_err;
-+ }
-+
- v9fs_path_write_lock(s);
- err = v9fs_complete_renameat(pdu, olddirfid,
- &old_name, newdirfid, &new_name);
-@@ -2866,6 +2907,11 @@ static void v9fs_mknod(void *opaque)
- goto out_nofid;
- }
-
-+ if (!strcmp(".", name.data) || !strcmp("..", name.data)) {
-+ err = -EEXIST;
-+ goto out_nofid;
-+ }
-+
- fidp = get_fid(pdu, fid);
- if (fidp == NULL) {
- err = -ENOENT;
-@@ -3022,6 +3068,11 @@ static void v9fs_mkdir(void *opaque)
- goto out_nofid;
- }
-
-+ if (!strcmp(".", name.data) || !strcmp("..", name.data)) {
-+ err = -EEXIST;
-+ goto out_nofid;
-+ }
-+
- fidp = get_fid(pdu, fid);
- if (fidp == NULL) {
- err = -ENOENT;
---
-2.1.4
-
diff --git a/debian/patches/extra/0003-9pfs-handle-walk-of-.-in-the-root-directory.patch b/debian/patches/extra/0003-9pfs-handle-walk-of-.-in-the-root-directory.patch
deleted file mode 100644
index d4f22c2..0000000
--- a/debian/patches/extra/0003-9pfs-handle-walk-of-.-in-the-root-directory.patch
+++ /dev/null
@@ -1,126 +0,0 @@
-From 348503ea115b336343166b87271208ffc0bdeb0a Mon Sep 17 00:00:00 2001
-From: Greg Kurz <groug at kaod.org>
-Date: Tue, 30 Aug 2016 17:02:27 +0200
-Subject: [PATCH 3/6] 9pfs: handle walk of ".." in the root directory
-
-The 9P spec at http://man.cat-v.org/plan_9/5/intro says:
-
-All directories must support walks to the directory .. (dot-dot) meaning
-parent directory, although by convention directories contain no explicit
-entry for .. or . (dot). The parent of the root directory of a server's
-tree is itself.
-
-This means that a client cannot walk further than the root directory
-exported by the server. In other words, if the client wants to walk
-"/.." or "/foo/../..", the server should answer like the request was
-to walk "/".
-
-This patch just does that:
-- we cache the QID of the root directory at attach time
-- during the walk we compare the QID of each path component with the root
- QID to detect if we're in a "/.." situation
-- if so, we skip the current component and go to the next one
-
-Signed-off-by: Greg Kurz <groug at kaod.org>
-Reviewed-by: Eric Blake <eblake at redhat.com>
-Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
----
- hw/9pfs/9p.c | 40 +++++++++++++++++++++++++++++++---------
- hw/9pfs/9p.h | 1 +
- 2 files changed, 32 insertions(+), 9 deletions(-)
-
-diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
-index 1e96427..1ac05b2 100644
---- a/hw/9pfs/9p.c
-+++ b/hw/9pfs/9p.c
-@@ -1008,6 +1008,7 @@ static void v9fs_attach(void *opaque)
- goto out;
- }
- err += offset;
-+ memcpy(&s->root_qid, &qid, sizeof(qid));
- trace_v9fs_attach_return(pdu->tag, pdu->id,
- qid.type, qid.version, qid.path);
- /*
-@@ -1259,6 +1260,14 @@ static bool name_is_illegal(const char *name)
- return !*name || strchr(name, '/') != NULL;
- }
-
-+static bool not_same_qid(const V9fsQID *qid1, const V9fsQID *qid2)
-+{
-+ return
-+ qid1->type != qid2->type ||
-+ qid1->version != qid2->version ||
-+ qid1->path != qid2->path;
-+}
-+
- static void v9fs_walk(void *opaque)
- {
- int name_idx;
-@@ -1274,6 +1283,7 @@ static void v9fs_walk(void *opaque)
- V9fsFidState *newfidp = NULL;
- V9fsPDU *pdu = opaque;
- V9fsState *s = pdu->s;
-+ V9fsQID qid;
-
- err = pdu_unmarshal(pdu, offset, "ddw", &fid, &newfid, &nwnames);
- if (err < 0) {
-@@ -1307,6 +1317,12 @@ static void v9fs_walk(void *opaque)
- err = -ENOENT;
- goto out_nofid;
- }
-+
-+ err = fid_to_qid(pdu, fidp, &qid);
-+ if (err < 0) {
-+ goto out;
-+ }
-+
- v9fs_path_init(&dpath);
- v9fs_path_init(&path);
- /*
-@@ -1316,16 +1332,22 @@ static void v9fs_walk(void *opaque)
- v9fs_path_copy(&dpath, &fidp->path);
- v9fs_path_copy(&path, &fidp->path);
- for (name_idx = 0; name_idx < nwnames; name_idx++) {
-- err = v9fs_co_name_to_path(pdu, &dpath, wnames[name_idx].data, &path);
-- if (err < 0) {
-- goto out;
-- }
-- err = v9fs_co_lstat(pdu, &path, &stbuf);
-- if (err < 0) {
-- goto out;
-+ if (not_same_qid(&pdu->s->root_qid, &qid) ||
-+ strcmp("..", wnames[name_idx].data)) {
-+ err = v9fs_co_name_to_path(pdu, &dpath, wnames[name_idx].data,
-+ &path);
-+ if (err < 0) {
-+ goto out;
-+ }
-+
-+ err = v9fs_co_lstat(pdu, &path, &stbuf);
-+ if (err < 0) {
-+ goto out;
-+ }
-+ stat_to_qid(&stbuf, &qid);
-+ v9fs_path_copy(&dpath, &path);
- }
-- stat_to_qid(&stbuf, &qids[name_idx]);
-- v9fs_path_copy(&dpath, &path);
-+ memcpy(&qids[name_idx], &qid, sizeof(qid));
- }
- if (fid == newfid) {
- BUG_ON(fidp->fid_type != P9_FID_NONE);
-diff --git a/hw/9pfs/9p.h b/hw/9pfs/9p.h
-index 1a19418..589b3a5 100644
---- a/hw/9pfs/9p.h
-+++ b/hw/9pfs/9p.h
-@@ -219,6 +219,7 @@ typedef struct V9fsState
- int32_t root_fid;
- Error *migration_blocker;
- V9fsConf fsconf;
-+ V9fsQID root_qid;
- } V9fsState;
-
- /* 9p2000.L open flags */
---
-2.1.4
-
diff --git a/debian/patches/extra/0003-net-vmxnet-use-g_new-for-pkt-initialisation.patch b/debian/patches/extra/0003-net-vmxnet-use-g_new-for-pkt-initialisation.patch
deleted file mode 100644
index 67083f2..0000000
--- a/debian/patches/extra/0003-net-vmxnet-use-g_new-for-pkt-initialisation.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From c2f17c0e4754b5140fb79371dc8cb7973ff5d1b0 Mon Sep 17 00:00:00 2001
-From: Li Qiang <liqiang6-s at 360.cn>
-Date: Tue, 16 Aug 2016 16:58:01 +0530
-Subject: [PATCH 3/5] net: vmxnet: use g_new for pkt initialisation
-
-When network transport abstraction layer initialises pkt, the maximum
-fragmentation count is not checked. This could lead to an integer
-overflow causing a NULL pointer dereference. Replace g_malloc() with
-g_new() to catch the multiplication overflow.
-
-Reported-by: Li Qiang <liqiang6-s at 360.cn>
-Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
-Acked-by: Dmitry Fleytman <dmitry at daynix.com>
-Signed-off-by: Jason Wang <jasowang at redhat.com>
----
- hw/net/vmxnet_tx_pkt.c | 5 ++---
- 1 file changed, 2 insertions(+), 3 deletions(-)
-
-diff --git a/hw/net/vmxnet_tx_pkt.c b/hw/net/vmxnet_tx_pkt.c
-index f4d0f5f..9152444 100644
---- a/hw/net/vmxnet_tx_pkt.c
-+++ b/hw/net/vmxnet_tx_pkt.c
-@@ -60,10 +60,9 @@ void vmxnet_tx_pkt_init(struct VmxnetTxPkt **pkt, uint32_t max_frags,
- {
- struct VmxnetTxPkt *p = g_malloc0(sizeof *p);
-
-- p->vec = g_malloc((sizeof *p->vec) *
-- (max_frags + VMXNET_TX_PKT_PL_START_FRAG));
-+ p->vec = g_new(struct iovec, max_frags + VMXNET_TX_PKT_PL_START_FRAG);
-
-- p->raw = g_malloc((sizeof *p->raw) * max_frags);
-+ p->raw = g_new(struct iovec, max_frags);
-
- p->max_payload_frags = max_frags;
- p->max_raw_frags = max_frags;
---
-2.1.4
-
diff --git a/debian/patches/extra/0004-net-vmxnet-check-IP-header-length.patch b/debian/patches/extra/0004-net-vmxnet-check-IP-header-length.patch
deleted file mode 100644
index a1a1c70..0000000
--- a/debian/patches/extra/0004-net-vmxnet-check-IP-header-length.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 1f2c8a260b6f1c87cefa7459baff7e203316f7b6 Mon Sep 17 00:00:00 2001
-From: Li Qiang <address at hidden>
-Date: Tue, 9 Aug 2016 16:49:47 +0530
-Subject: [PATCH 4/5] net: vmxnet: check IP header length
-
-Vmxnet3 device emulator when parsing packet headers does not check
-for IP header length. It could lead to a OOB access when reading
-further packet data. Add check to avoid it.
-
-Reported-by: Li Qiang <address at hidden>
-Signed-off-by: Prasad J Pandit <address at hidden>
----
- hw/net/vmxnet_tx_pkt.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/hw/net/vmxnet_tx_pkt.c b/hw/net/vmxnet_tx_pkt.c
-index 9152444..849826b 100644
---- a/hw/net/vmxnet_tx_pkt.c
-+++ b/hw/net/vmxnet_tx_pkt.c
-@@ -177,6 +177,11 @@ static bool vmxnet_tx_pkt_parse_headers(struct VmxnetTxPkt *pkt)
- }
-
- l3_hdr->iov_len = IP_HDR_GET_LEN(l3_hdr->iov_base);
-+ if(l3_hdr->iov_len < sizeof(struct ip_header))
-+ {
-+ l3_hdr->iov_len = 0;
-+ return false;
-+ }
- pkt->l4proto = ((struct ip_header *) l3_hdr->iov_base)->ip_p;
-
- /* copy optional IPv4 header data */
---
-2.1.4
-
diff --git a/debian/patches/extra/0006-virtio-recalculate-vq-inuse-after-migration.patch b/debian/patches/extra/0006-virtio-recalculate-vq-inuse-after-migration.patch
deleted file mode 100644
index 8c5567e..0000000
--- a/debian/patches/extra/0006-virtio-recalculate-vq-inuse-after-migration.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From ed3112487835fb5c5ec685e15032641c25018f87 Mon Sep 17 00:00:00 2001
-From: Stefan Hajnoczi <stefanha at redhat.com>
-Date: Mon, 15 Aug 2016 13:54:15 +0100
-Subject: [PATCH 06/10] virtio: recalculate vq->inuse after migration
-
-The vq->inuse field is not migrated. Many devices don't hold
-VirtQueueElements across migration so it doesn't matter that vq->inuse
-starts at 0 on the destination QEMU.
-
-At least virtio-serial, virtio-blk, and virtio-balloon migrate while
-holding VirtQueueElements. For these devices we need to recalculate
-vq->inuse upon load so the value is correct.
-
-Cc: qemu-stable at nongnu.org
-Signed-off-by: Stefan Hajnoczi <stefanha at redhat.com>
-Reviewed-by: Michael S. Tsirkin <mst at redhat.com>
-Reviewed-by: Cornelia Huck <cornelia.huck at de.ibm.com>
-Reviewed-by: Michael S. Tsirkin <mst at redhat.com>
-Signed-off-by: Michael S. Tsirkin <mst at redhat.com>
----
- hw/virtio/virtio.c | 15 +++++++++++++++
- 1 file changed, 15 insertions(+)
-
-diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
-index 111ad8e..486147b 100644
---- a/hw/virtio/virtio.c
-+++ b/hw/virtio/virtio.c
-@@ -1629,6 +1629,21 @@ int virtio_load(VirtIODevice *vdev, QEMUFile *f, int version_id)
- }
- vdev->vq[i].used_idx = vring_used_idx(&vdev->vq[i]);
- vdev->vq[i].shadow_avail_idx = vring_avail_idx(&vdev->vq[i]);
-+
-+ /*
-+ * Some devices migrate VirtQueueElements that have been popped
-+ * from the avail ring but not yet returned to the used ring.
-+ */
-+ vdev->vq[i].inuse = vdev->vq[i].last_avail_idx -
-+ vdev->vq[i].used_idx;
-+ if (vdev->vq[i].inuse > vdev->vq[i].vring.num) {
-+ error_report("VQ %d size 0x%x < last_avail_idx 0x%x - "
-+ "used_idx 0x%x",
-+ i, vdev->vq[i].vring.num,
-+ vdev->vq[i].last_avail_idx,
-+ vdev->vq[i].used_idx);
-+ return -1;
-+ }
- }
- }
-
---
-2.1.4
-
diff --git a/debian/patches/extra/0007-virtio-decrement-vq-inuse-in-virtqueue_discard.patch b/debian/patches/extra/0007-virtio-decrement-vq-inuse-in-virtqueue_discard.patch
deleted file mode 100644
index 5ad2487..0000000
--- a/debian/patches/extra/0007-virtio-decrement-vq-inuse-in-virtqueue_discard.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From e8bc5606ad11e053a7c9ca64ed1aeaed18be8e4e Mon Sep 17 00:00:00 2001
-From: Stefan Hajnoczi <stefanha at redhat.com>
-Date: Mon, 15 Aug 2016 13:54:16 +0100
-Subject: [PATCH 07/10] virtio: decrement vq->inuse in virtqueue_discard()
-
-virtqueue_discard() moves vq->last_avail_idx back so the element can be
-popped again. It's necessary to decrement vq->inuse to avoid "leaking"
-the element count.
-
-Cc: qemu-stable at nongnu.org
-Signed-off-by: Stefan Hajnoczi <stefanha at redhat.com>
-Reviewed-by: Michael S. Tsirkin <mst at redhat.com>
-Reviewed-by: Cornelia Huck <cornelia.huck at de.ibm.com>
-Reviewed-by: Michael S. Tsirkin <mst at redhat.com>
-Signed-off-by: Michael S. Tsirkin <mst at redhat.com>
----
- hw/virtio/virtio.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
-index 486147b..787849a 100644
---- a/hw/virtio/virtio.c
-+++ b/hw/virtio/virtio.c
-@@ -267,6 +267,7 @@ void virtqueue_discard(VirtQueue *vq, const VirtQueueElement *elem,
- unsigned int len)
- {
- vq->last_avail_idx--;
-+ vq->inuse--;
- virtqueue_unmap_sg(vq, elem, len);
- }
-
---
-2.1.4
-
diff --git a/debian/patches/extra/0008-iscsi-pass-SCSI-status-back-for-SG_IO.patch b/debian/patches/extra/0008-iscsi-pass-SCSI-status-back-for-SG_IO.patch
deleted file mode 100644
index 2acfa61..0000000
--- a/debian/patches/extra/0008-iscsi-pass-SCSI-status-back-for-SG_IO.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From b3d69a0d7dc3945ff134e69593b5fcec447e8389 Mon Sep 17 00:00:00 2001
-From: Vadim Rozenfeld <vrozenfe at redhat.com>
-Date: Fri, 13 May 2016 13:03:22 +0200
-Subject: [PATCH 08/10] iscsi: pass SCSI status back for SG_IO
-
-Signed-off-by: Vadim Rozenfeld <vrozenfe at redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
----
- block/iscsi.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/block/iscsi.c b/block/iscsi.c
-index 0466c30..1f6a0e5 100644
---- a/block/iscsi.c
-+++ b/block/iscsi.c
-@@ -768,6 +768,7 @@ iscsi_aio_ioctl_cb(struct iscsi_context *iscsi, int status,
- acb->ioh->driver_status = 0;
- acb->ioh->host_status = 0;
- acb->ioh->resid = 0;
-+ acb->ioh->status = status;
-
- #define SG_ERR_DRIVER_SENSE 0x08
-
---
-2.1.4
-
diff --git a/debian/patches/extra/0010-ui-fix-refresh-of-VNC-server-surface.patch b/debian/patches/extra/0010-ui-fix-refresh-of-VNC-server-surface.patch
deleted file mode 100644
index fd2ad03..0000000
--- a/debian/patches/extra/0010-ui-fix-refresh-of-VNC-server-surface.patch
+++ /dev/null
@@ -1,102 +0,0 @@
-From e74eda6892bede3f22ce449af32fe941147396d8 Mon Sep 17 00:00:00 2001
-From: "Daniel P. Berrange" <berrange at redhat.com>
-Date: Tue, 16 Aug 2016 17:30:32 +0100
-Subject: [PATCH 10/10] ui: fix refresh of VNC server surface
-
-In previous commit
-
- commit c7628bff4138ce906a3620d12e0820c1cf6c140d
- Author: Gerd Hoffmann <kraxel at redhat.com>
- Date: Fri Oct 30 12:10:09 2015 +0100
-
- vnc: only alloc server surface with clients connected
-
-the VNC server was changed so that the 'vd->server' pixman
-image was only allocated when a client is connected.
-
-Since then if a client disconnects and then reconnects to
-the VNC server all they will see is a black screen until
-they do something that triggers a refresh. On a graphical
-desktop this is not often noticed since there's many things
-going on which cause a refresh. On a plain text console it
-is really obvious since nothing refreshes frequently.
-
-The problem is that the VNC server didn't update the guest
-dirty bitmap, so still believes its server image is in sync
-with the guest contents.
-
-To fix this we must explicitly mark the entire guest desktop
-as dirty after re-creating the server surface. Move this
-logic into vnc_update_server_surface() so it is guaranteed
-to be call in all code paths that re-create the surface
-instead of only in vnc_dpy_switch()
-
-Signed-off-by: Daniel P. Berrange <berrange at redhat.com>
----
- ui/vnc.c | 20 +++++++++++---------
- 1 file changed, 11 insertions(+), 9 deletions(-)
-
-diff --git a/ui/vnc.c b/ui/vnc.c
-index 66e2163..de145cd 100644
---- a/ui/vnc.c
-+++ b/ui/vnc.c
-@@ -806,6 +806,8 @@ void *vnc_server_fb_ptr(VncDisplay *vd, int x, int y)
-
- static void vnc_update_server_surface(VncDisplay *vd)
- {
-+ int width, height;
-+
- qemu_pixman_image_unref(vd->server);
- vd->server = NULL;
-
-@@ -813,10 +815,15 @@ static void vnc_update_server_surface(VncDisplay *vd)
- return;
- }
-
-+ width = vnc_width(vd);
-+ height = vnc_height(vd);
- vd->server = pixman_image_create_bits(VNC_SERVER_FB_FORMAT,
-- vnc_width(vd),
-- vnc_height(vd),
-+ width, height,
- NULL, 0);
-+
-+ memset(vd->guest.dirty, 0x00, sizeof(vd->guest.dirty));
-+ vnc_set_area_dirty(vd->guest.dirty, vd, 0, 0,
-+ width, height);
- }
-
- static void vnc_dpy_switch(DisplayChangeListener *dcl,
-@@ -824,7 +831,6 @@ static void vnc_dpy_switch(DisplayChangeListener *dcl,
- {
- VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
- VncState *vs;
-- int width, height;
-
- vnc_abort_display_jobs(vd);
- vd->ds = surface;
-@@ -836,11 +842,6 @@ static void vnc_dpy_switch(DisplayChangeListener *dcl,
- qemu_pixman_image_unref(vd->guest.fb);
- vd->guest.fb = pixman_image_ref(surface->image);
- vd->guest.format = surface->format;
-- width = vnc_width(vd);
-- height = vnc_height(vd);
-- memset(vd->guest.dirty, 0x00, sizeof(vd->guest.dirty));
-- vnc_set_area_dirty(vd->guest.dirty, vd, 0, 0,
-- width, height);
-
- QTAILQ_FOREACH(vs, &vd->clients, next) {
- vnc_colordepth(vs);
-@@ -850,7 +851,8 @@ static void vnc_dpy_switch(DisplayChangeListener *dcl,
- }
- memset(vs->dirty, 0x00, sizeof(vs->dirty));
- vnc_set_area_dirty(vs->dirty, vd, 0, 0,
-- width, height);
-+ vnc_width(vd),
-+ vnc_height(vd));
- }
- }
-
---
-2.1.4
-
diff --git a/debian/patches/extra/CVE-2016-7155-scsi-check-page-count-while-initialising-descriptor-.patch b/debian/patches/extra/CVE-2016-7155-scsi-check-page-count-while-initialising-descriptor-.patch
deleted file mode 100644
index 54df061..0000000
--- a/debian/patches/extra/CVE-2016-7155-scsi-check-page-count-while-initialising-descriptor-.patch
+++ /dev/null
@@ -1,83 +0,0 @@
-From 7c7e45d2bd1a77fbe89dff83fabf89a46479111f Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp at fedoraproject.org>
-Date: Thu, 1 Sep 2016 16:30:51 +0530
-Subject: [PATCH 4/6] scsi: check page count while initialising descriptor
- rings
-
-Vmware Paravirtual SCSI emulation uses command descriptors to
-process SCSI commands. These descriptors come with their ring
-buffers. A guest could set the page count for these rings to
-an arbitrary value, leading to infinite loop or OOB access.
-Add check to avoid it.
-
-Reported-by: Tom Victor <vv474172261 at gmail.com>
-Reported-by: Li Qiang <liqiang6-s at 360.cn>
-Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
----
- hw/scsi/vmw_pvscsi.c | 19 +++++++++----------
- 1 file changed, 9 insertions(+), 10 deletions(-)
-
-diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
-index 2d7528d..22f872c 100644
---- a/hw/scsi/vmw_pvscsi.c
-+++ b/hw/scsi/vmw_pvscsi.c
-@@ -153,7 +153,7 @@ pvscsi_log2(uint32_t input)
- return log;
- }
-
--static int
-+static void
- pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
- {
- int i;
-@@ -161,10 +161,6 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
- uint32_t req_ring_size, cmp_ring_size;
- m->rs_pa = ri->ringsStatePPN << VMW_PAGE_SHIFT;
-
-- if ((ri->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)
-- || (ri->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)) {
-- return -1;
-- }
- req_ring_size = ri->reqRingNumPages * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE;
- cmp_ring_size = ri->cmpRingNumPages * PVSCSI_MAX_NUM_CMP_ENTRIES_PER_PAGE;
- txr_len_log2 = pvscsi_log2(req_ring_size - 1);
-@@ -196,8 +192,6 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
-
- /* Flush ring state page changes */
- smp_wmb();
--
-- return 0;
- }
-
- static int
-@@ -747,7 +741,7 @@ pvscsi_dbg_dump_tx_rings_config(PVSCSICmdDescSetupRings *rc)
-
- trace_pvscsi_tx_rings_num_pages("Confirm Ring", rc->cmpRingNumPages);
- for (i = 0; i < rc->cmpRingNumPages; i++) {
-- trace_pvscsi_tx_rings_ppn("Confirm Ring", rc->reqRingPPNs[i]);
-+ trace_pvscsi_tx_rings_ppn("Confirm Ring", rc->cmpRingPPNs[i]);
- }
- }
-
-@@ -780,11 +774,16 @@ pvscsi_on_cmd_setup_rings(PVSCSIState *s)
-
- trace_pvscsi_on_cmd_arrived("PVSCSI_CMD_SETUP_RINGS");
-
-- pvscsi_dbg_dump_tx_rings_config(rc);
-- if (pvscsi_ring_init_data(&s->rings, rc) < 0) {
-+ if (!rc->reqRingNumPages
-+ || rc->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES
-+ || !rc->cmpRingNumPages
-+ || rc->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES) {
- return PVSCSI_COMMAND_PROCESSING_FAILED;
- }
-
-+ pvscsi_dbg_dump_tx_rings_config(rc);
-+ pvscsi_ring_init_data(&s->rings, rc);
-+
- s->rings_info_valid = TRUE;
- return PVSCSI_COMMAND_PROCESSING_SUCCEEDED;
- }
---
-2.1.4
-
diff --git a/debian/patches/extra/CVE-2016-7157-scsi-mptconfig-fix-an-assert-expression.patch b/debian/patches/extra/CVE-2016-7157-scsi-mptconfig-fix-an-assert-expression.patch
deleted file mode 100644
index f74c99b..0000000
--- a/debian/patches/extra/CVE-2016-7157-scsi-mptconfig-fix-an-assert-expression.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From a0e2a28c08472ad3468c2f75d20fe1ca02ef8c0b Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp at fedoraproject.org>
-Date: Wed, 31 Aug 2016 17:36:07 +0530
-Subject: [PATCH 6/6] scsi: mptconfig: fix an assert expression
-
-When LSI SAS1068 Host Bus emulator builds configuration page
-headers, mptsas_config_pack() should assert that the size
-fits in a byte. However, the size is expressed in 32-bit
-units, so up to 1020 bytes fit. The assertion was only
-allowing replies up to 252 bytes, so fix it.
-
-Suggested-by: Paolo Bonzini <pbonzini at redhat.com>
-Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
-Message-Id: <1472645167-30765-2-git-send-email-ppandit at redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
----
- hw/scsi/mptconfig.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/scsi/mptconfig.c b/hw/scsi/mptconfig.c
-index 7071854..3e4f400 100644
---- a/hw/scsi/mptconfig.c
-+++ b/hw/scsi/mptconfig.c
-@@ -158,7 +158,7 @@ static size_t mptsas_config_pack(uint8_t **data, const char *fmt, ...)
- va_end(ap);
-
- if (data) {
-- assert(ret < 256 && (ret % 4) == 0);
-+ assert(ret / 4 < 256 && (ret % 4) == 0);
- stb_p(*data + 1, ret / 4);
- }
- return ret;
---
-2.1.4
-
diff --git a/debian/patches/extra/CVE-2016-7421-scsi-pvscsi-limit-process-IO-loop-to-ring-size.patch b/debian/patches/extra/CVE-2016-7421-scsi-pvscsi-limit-process-IO-loop-to-ring-size.patch
deleted file mode 100644
index 05ab4a5..0000000
--- a/debian/patches/extra/CVE-2016-7421-scsi-pvscsi-limit-process-IO-loop-to-ring-size.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From d251157ac1928191af851d199a9ff255d330bec9 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp at fedoraproject.org>
-Date: Wed, 14 Sep 2016 15:09:12 +0530
-Subject: [PATCH] scsi: pvscsi: limit process IO loop to ring size
-
-Vmware Paravirtual SCSI emulator while processing IO requests
-could run into an infinite loop if 'pvscsi_ring_pop_req_descr'
-always returned positive value. Limit IO loop to the ring size.
-
-Cc: qemu-stable at nongnu.org
-Reported-by: Li Qiang <liqiang6-s at 360.cn>
-Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
-Message-Id: <1473845952-30785-1-git-send-email-ppandit at redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
----
- hw/scsi/vmw_pvscsi.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
-index babac5a..a5ce7de 100644
---- a/hw/scsi/vmw_pvscsi.c
-+++ b/hw/scsi/vmw_pvscsi.c
-@@ -247,8 +247,11 @@ static hwaddr
- pvscsi_ring_pop_req_descr(PVSCSIRingInfo *mgr)
- {
- uint32_t ready_ptr = RS_GET_FIELD(mgr, reqProdIdx);
-+ uint32_t ring_size = PVSCSI_MAX_NUM_PAGES_REQ_RING
-+ * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE;
-
-- if (ready_ptr != mgr->consumed_ptr) {
-+ if (ready_ptr != mgr->consumed_ptr
-+ && ready_ptr - mgr->consumed_ptr < ring_size) {
- uint32_t next_ready_ptr =
- mgr->consumed_ptr++ & mgr->txr_len_mask;
- uint32_t next_ready_page =
---
-2.1.4
-
diff --git a/debian/patches/extra/CVE-2016-7423-scsi-mptsas-use-g_new0-to-allocate-MPTSASRequest-obj.patch b/debian/patches/extra/CVE-2016-7423-scsi-mptsas-use-g_new0-to-allocate-MPTSASRequest-obj.patch
deleted file mode 100644
index f1ba947..0000000
--- a/debian/patches/extra/CVE-2016-7423-scsi-mptsas-use-g_new0-to-allocate-MPTSASRequest-obj.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 670e56d3ed2918b3861d9216f2c0540d9e9ae0d5 Mon Sep 17 00:00:00 2001
-From: Li Qiang <liqiang6-s at 360.cn>
-Date: Mon, 12 Sep 2016 18:14:11 +0530
-Subject: [PATCH] scsi: mptsas: use g_new0 to allocate MPTSASRequest object
-
-When processing IO request in mptsas, it uses g_new to allocate
-a 'req' object. If an error occurs before 'req->sreq' is
-allocated, It could lead to an OOB write in mptsas_free_request
-function. Use g_new0 to avoid it.
-
-Reported-by: Li Qiang <liqiang6-s at 360.cn>
-Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
-Message-Id: <1473684251-17476-1-git-send-email-ppandit at redhat.com>
-Cc: qemu-stable at nongnu.org
-Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
----
- hw/scsi/mptsas.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c
-index 0e0a22f..eaae1bb 100644
---- a/hw/scsi/mptsas.c
-+++ b/hw/scsi/mptsas.c
-@@ -304,7 +304,7 @@ static int mptsas_process_scsi_io_request(MPTSASState *s,
- goto bad;
- }
-
-- req = g_new(MPTSASRequest, 1);
-+ req = g_new0(MPTSASRequest, 1);
- QTAILQ_INSERT_TAIL(&s->pending, req, next);
- req->scsi_io = *scsi_io;
- req->dev = s;
---
-2.1.4
-
diff --git a/debian/patches/series b/debian/patches/series
index 07cf5c4..2d9bf81 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -58,25 +58,11 @@ pve/0056-qmp_snapshot_drive-add-aiocontext.patch
extra/0001-Revert-target-i386-disable-LINT0-after-reset.patch
extra/0002-scsi-esp-fix-migration.patch
extra/CVE-2016-6490-virtio-check-vring-descriptor-buffer-length.patch
-extra/0001-net-check-fragment-length-during-fragmentation.patch
extra/0002-net-vmxnet3-check-for-device_active-before-write.patch
-extra/0003-net-vmxnet-use-g_new-for-pkt-initialisation.patch
-extra/0004-net-vmxnet-check-IP-header-length.patch
extra/0005-net-vmxnet-initialise-local-tx-descriptor.patch
-extra/0006-virtio-recalculate-vq-inuse-after-migration.patch
-extra/0007-virtio-decrement-vq-inuse-in-virtqueue_discard.patch
-extra/0008-iscsi-pass-SCSI-status-back-for-SG_IO.patch
extra/0009-net-limit-allocation-in-nc_sendv_compat.patch
-extra/0010-ui-fix-refresh-of-VNC-server-surface.patch
-extra/0001-9pfs-forbid-illegal-path-names.patch
-extra/0002-9pfs-forbid-.-and-.-in-file-names.patch
-extra/0003-9pfs-handle-walk-of-.-in-the-root-directory.patch
-extra/CVE-2016-7155-scsi-check-page-count-while-initialising-descriptor-.patch
extra/CVE-2016-7156-scsi-pvscsi-avoid-infinite-loop-while-building-SG-li.patch
-extra/CVE-2016-7157-scsi-mptconfig-fix-an-assert-expression.patch
extra/CVE-2016-7170-vmsvga-correct-bitmap-and-pixmap-size-checks.patch
-extra/CVE-2016-7421-scsi-pvscsi-limit-process-IO-loop-to-ring-size.patch
-extra/CVE-2016-7423-scsi-mptsas-use-g_new0-to-allocate-MPTSASRequest-obj.patch
extra/x86-lapic-Load-LAPIC-state-at-post_load.patch
extra/CVE-2016-7161-hw-net-Fix-a-heap-overflow-in-xlnx.xps-ethernetlite.patch
extra/CVE-2016-7422-virtio-add-check-for-descriptor-s-mapped-address.patch
diff --git a/qemu-kvm-src.tar.gz b/qemu-kvm-src.tar.gz
index 772c666..43ca5e5 100644
Binary files a/qemu-kvm-src.tar.gz and b/qemu-kvm-src.tar.gz differ
--
2.1.4