[pve-devel] Applied: [PATCH kvm] update to qemu-2.6.2

Wolfgang Bumiller w.bumiller at proxmox.com
Thu Oct 6 14:29:10 CEST 2016


dropping a bunch of patch files that carried upstream fixes (the debian/patches/extra entries deleted below)
---
 Makefile                                           |   4 +-
 debian/changelog                                   |   6 +
 .../0001-9pfs-forbid-illegal-path-names.patch      | 178 ---------------------
 ...heck-fragment-length-during-fragmentation.patch |  36 -----
 .../0002-9pfs-forbid-.-and-.-in-file-names.patch   | 159 ------------------
 ...fs-handle-walk-of-.-in-the-root-directory.patch | 126 ---------------
 ...t-vmxnet-use-g_new-for-pkt-initialisation.patch |  38 -----
 .../0004-net-vmxnet-check-IP-header-length.patch   |  34 ----
 ...rtio-recalculate-vq-inuse-after-migration.patch |  52 ------
 ...o-decrement-vq-inuse-in-virtqueue_discard.patch |  34 ----
 ...008-iscsi-pass-SCSI-status-back-for-SG_IO.patch |  26 ---
 ...0010-ui-fix-refresh-of-VNC-server-surface.patch | 102 ------------
 ...page-count-while-initialising-descriptor-.patch |  83 ----------
 ...7-scsi-mptconfig-fix-an-assert-expression.patch |  35 ----
 ...pvscsi-limit-process-IO-loop-to-ring-size.patch |  38 -----
 ...-use-g_new0-to-allocate-MPTSASRequest-obj.patch |  35 ----
 debian/patches/series                              |  14 --
 qemu-kvm-src.tar.gz                                | Bin 12075164 -> 12075906 bytes
 18 files changed, 8 insertions(+), 992 deletions(-)
 delete mode 100644 debian/patches/extra/0001-9pfs-forbid-illegal-path-names.patch
 delete mode 100644 debian/patches/extra/0001-net-check-fragment-length-during-fragmentation.patch
 delete mode 100644 debian/patches/extra/0002-9pfs-forbid-.-and-.-in-file-names.patch
 delete mode 100644 debian/patches/extra/0003-9pfs-handle-walk-of-.-in-the-root-directory.patch
 delete mode 100644 debian/patches/extra/0003-net-vmxnet-use-g_new-for-pkt-initialisation.patch
 delete mode 100644 debian/patches/extra/0004-net-vmxnet-check-IP-header-length.patch
 delete mode 100644 debian/patches/extra/0006-virtio-recalculate-vq-inuse-after-migration.patch
 delete mode 100644 debian/patches/extra/0007-virtio-decrement-vq-inuse-in-virtqueue_discard.patch
 delete mode 100644 debian/patches/extra/0008-iscsi-pass-SCSI-status-back-for-SG_IO.patch
 delete mode 100644 debian/patches/extra/0010-ui-fix-refresh-of-VNC-server-surface.patch
 delete mode 100644 debian/patches/extra/CVE-2016-7155-scsi-check-page-count-while-initialising-descriptor-.patch
 delete mode 100644 debian/patches/extra/CVE-2016-7157-scsi-mptconfig-fix-an-assert-expression.patch
 delete mode 100644 debian/patches/extra/CVE-2016-7421-scsi-pvscsi-limit-process-IO-loop-to-ring-size.patch
 delete mode 100644 debian/patches/extra/CVE-2016-7423-scsi-mptsas-use-g_new0-to-allocate-MPTSASRequest-obj.patch

diff --git a/Makefile b/Makefile
index 18b3427..b586ef1 100644
--- a/Makefile
+++ b/Makefile
@@ -1,8 +1,8 @@
 RELEASE=4.2
 
 # also update debian/changelog
-KVMVER=2.6.1
-KVMPKGREL=7
+KVMVER=2.6.2
+KVMPKGREL=1
 
 KVMPACKAGE=pve-qemu-kvm
 KVMDIR=qemu-kvm
diff --git a/debian/changelog b/debian/changelog
index 001b1b6..53a8f16 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+pve-qemu-kvm (2.6.2-1) unstable; urgency=medium
+
+  * update to qemu 2.6.2
+
+ -- Proxmox Support Team <support at proxmox.com>  Thu, 06 Oct 2016 14:12:07 +0200
+
 pve-qemu-kvm (2.6.1-7) unstable; urgency=medium
 
   * fix CVE-2016-7161: hw/net: Fix a heap overflow in xlnx.xps-ethernetlite
diff --git a/debian/patches/extra/0001-9pfs-forbid-illegal-path-names.patch b/debian/patches/extra/0001-9pfs-forbid-illegal-path-names.patch
deleted file mode 100644
index 15d3119..0000000
--- a/debian/patches/extra/0001-9pfs-forbid-illegal-path-names.patch
+++ /dev/null
@@ -1,178 +0,0 @@
-From 21289fc663198d96ae2ca145a425f2e21ed4637a Mon Sep 17 00:00:00 2001
-From: Greg Kurz <groug at kaod.org>
-Date: Tue, 30 Aug 2016 19:11:05 +0200
-Subject: [PATCH 1/6] 9pfs: forbid illegal path names
-
-Empty path components don't make sense for most commands and may cause
-undefined behavior, depending on the backend.
-
-Also, the walk request described in the 9P spec [1] clearly shows that
-the client is supposed to send individual path components: the official
-linux client never sends portions of path containing the / character for
-example.
-
-Moreover, the 9P spec [2] also states that a system can decide to restrict
-the set of supported characters used in path components, with an explicit
-mention "to remove slashes from name components".
-
-This patch introduces a new name_is_illegal() helper that checks the
-names sent by the client are not empty and don't contain unwanted chars.
-Since 9pfs is only supported on linux hosts, only the / character is
-checked at the moment. When support for other hosts (AKA. win32) is added,
-other chars may need to be blacklisted as well.
-
-If a client sends an illegal path component, the request will fail and
-ENOENT is returned to the client.
-
-[1] http://man.cat-v.org/plan_9/5/walk
-[2] http://man.cat-v.org/plan_9/5/intro
-
-Suggested-by: Peter Maydell <peter.maydell at linaro.org>
-Signed-off-by: Greg Kurz <groug at kaod.org>
-Reviewed-by: Eric Blake <eblake at redhat.com>
-Reviewed-by: Michael S. Tsirkin <mst at redhat.com>
-Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
----
- hw/9pfs/9p.c | 56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 56 insertions(+)
-
-diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
-index f5e3012..53c466b 100644
---- a/hw/9pfs/9p.c
-+++ b/hw/9pfs/9p.c
-@@ -1254,6 +1254,11 @@ static int v9fs_walk_marshal(V9fsPDU *pdu, uint16_t nwnames, V9fsQID *qids)
-     return offset;
- }
- 
-+static bool name_is_illegal(const char *name)
-+{
-+    return !*name || strchr(name, '/') != NULL;
-+}
-+
- static void v9fs_walk(void *opaque)
- {
-     int name_idx;
-@@ -1287,6 +1292,10 @@ static void v9fs_walk(void *opaque)
-             if (err < 0) {
-                 goto out_nofid;
-             }
-+            if (name_is_illegal(wnames[i].data)) {
-+                err = -ENOENT;
-+                goto out_nofid;
-+            }
-             offset += err;
-         }
-     } else if (nwnames > P9_MAXWELEM) {
-@@ -1481,6 +1490,11 @@ static void v9fs_lcreate(void *opaque)
-     }
-     trace_v9fs_lcreate(pdu->tag, pdu->id, dfid, flags, mode, gid);
- 
-+    if (name_is_illegal(name.data)) {
-+        err = -ENOENT;
-+        goto out_nofid;
-+    }
-+
-     fidp = get_fid(pdu, dfid);
-     if (fidp == NULL) {
-         err = -ENOENT;
-@@ -2066,6 +2080,11 @@ static void v9fs_create(void *opaque)
-     }
-     trace_v9fs_create(pdu->tag, pdu->id, fid, name.data, perm, mode);
- 
-+    if (name_is_illegal(name.data)) {
-+        err = -ENOENT;
-+        goto out_nofid;
-+    }
-+
-     fidp = get_fid(pdu, fid);
-     if (fidp == NULL) {
-         err = -EINVAL;
-@@ -2231,6 +2250,11 @@ static void v9fs_symlink(void *opaque)
-     }
-     trace_v9fs_symlink(pdu->tag, pdu->id, dfid, name.data, symname.data, gid);
- 
-+    if (name_is_illegal(name.data)) {
-+        err = -ENOENT;
-+        goto out_nofid;
-+    }
-+
-     dfidp = get_fid(pdu, dfid);
-     if (dfidp == NULL) {
-         err = -EINVAL;
-@@ -2305,6 +2329,11 @@ static void v9fs_link(void *opaque)
-     }
-     trace_v9fs_link(pdu->tag, pdu->id, dfid, oldfid, name.data);
- 
-+    if (name_is_illegal(name.data)) {
-+        err = -ENOENT;
-+        goto out_nofid;
-+    }
-+
-     dfidp = get_fid(pdu, dfid);
-     if (dfidp == NULL) {
-         err = -ENOENT;
-@@ -2387,6 +2416,12 @@ static void v9fs_unlinkat(void *opaque)
-     if (err < 0) {
-         goto out_nofid;
-     }
-+
-+    if (name_is_illegal(name.data)) {
-+        err = -ENOENT;
-+        goto out_nofid;
-+    }
-+
-     dfidp = get_fid(pdu, dfid);
-     if (dfidp == NULL) {
-         err = -EINVAL;
-@@ -2493,6 +2528,12 @@ static void v9fs_rename(void *opaque)
-     if (err < 0) {
-         goto out_nofid;
-     }
-+
-+    if (name_is_illegal(name.data)) {
-+        err = -ENOENT;
-+        goto out_nofid;
-+    }
-+
-     fidp = get_fid(pdu, fid);
-     if (fidp == NULL) {
-         err = -ENOENT;
-@@ -2605,6 +2646,11 @@ static void v9fs_renameat(void *opaque)
-         goto out_err;
-     }
- 
-+    if (name_is_illegal(old_name.data) || name_is_illegal(new_name.data)) {
-+        err = -ENOENT;
-+        goto out_err;
-+    }
-+
-     v9fs_path_write_lock(s);
-     err = v9fs_complete_renameat(pdu, olddirfid,
-                                  &old_name, newdirfid, &new_name);
-@@ -2815,6 +2861,11 @@ static void v9fs_mknod(void *opaque)
-     }
-     trace_v9fs_mknod(pdu->tag, pdu->id, fid, mode, major, minor);
- 
-+    if (name_is_illegal(name.data)) {
-+        err = -ENOENT;
-+        goto out_nofid;
-+    }
-+
-     fidp = get_fid(pdu, fid);
-     if (fidp == NULL) {
-         err = -ENOENT;
-@@ -2966,6 +3017,11 @@ static void v9fs_mkdir(void *opaque)
-     }
-     trace_v9fs_mkdir(pdu->tag, pdu->id, fid, name.data, mode, gid);
- 
-+    if (name_is_illegal(name.data)) {
-+        err = -ENOENT;
-+        goto out_nofid;
-+    }
-+
-     fidp = get_fid(pdu, fid);
-     if (fidp == NULL) {
-         err = -ENOENT;
--- 
-2.1.4
-
diff --git a/debian/patches/extra/0001-net-check-fragment-length-during-fragmentation.patch b/debian/patches/extra/0001-net-check-fragment-length-during-fragmentation.patch
deleted file mode 100644
index 5e54bec..0000000
--- a/debian/patches/extra/0001-net-check-fragment-length-during-fragmentation.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 24a01bab4aa431b79e201c1e2d0ac552a41114bc Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp at fedoraproject.org>
-Date: Thu, 4 Aug 2016 13:00:14 +0530
-Subject: [PATCH 1/5] net: check fragment length during fragmentation
-
-Network transport abstraction layer supports packet fragmentation.
-While fragmenting a packet, it checks for more fragments from
-packet length and current fragment length. It is susceptible
-to an infinite loop, if the current fragment length is zero.
-Add check to avoid it.
-
-Reported-by: Li Qiang <liqiang6-s at 360.cn>
-Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
-Reviewed-by: Dmitry Fleytman <dmitry at daynix.com>
-CC: qemu-stable at nongnu.org
-Signed-off-by: Jason Wang <jasowang at redhat.com>
----
- hw/net/vmxnet_tx_pkt.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/net/vmxnet_tx_pkt.c b/hw/net/vmxnet_tx_pkt.c
-index 91e1e08..f4d0f5f 100644
---- a/hw/net/vmxnet_tx_pkt.c
-+++ b/hw/net/vmxnet_tx_pkt.c
-@@ -544,7 +544,7 @@ static bool vmxnet_tx_pkt_do_sw_fragmentation(struct VmxnetTxPkt *pkt,
- 
-         fragment_offset += fragment_len;
- 
--    } while (more_frags);
-+    } while (fragment_len && more_frags);
- 
-     return true;
- }
--- 
-2.1.4
-
diff --git a/debian/patches/extra/0002-9pfs-forbid-.-and-.-in-file-names.patch b/debian/patches/extra/0002-9pfs-forbid-.-and-.-in-file-names.patch
deleted file mode 100644
index c2c0500..0000000
--- a/debian/patches/extra/0002-9pfs-forbid-.-and-.-in-file-names.patch
+++ /dev/null
@@ -1,159 +0,0 @@
-From 3ae00feb459657766ec623de7eae8f014a660ab4 Mon Sep 17 00:00:00 2001
-From: Greg Kurz <groug at kaod.org>
-Date: Tue, 30 Aug 2016 19:13:11 +0200
-Subject: [PATCH 2/6] 9pfs: forbid . and .. in file names
-
-According to the 9P spec http://man.cat-v.org/plan_9/5/open about the
-create request:
-
-The names . and .. are special; it is illegal to create files with these
-names.
-
-This patch causes the create and lcreate requests to fail with EINVAL if
-the file name is either "." or "..".
-
-Even if it isn't explicitly written in the spec, this patch extends the
-checking to all requests that may cause a directory entry to be created:
-
-    - mknod
-    - rename
-    - renameat
-    - mkdir
-    - link
-    - symlink
-
-The unlinkat request also gets patched for consistency (even if
-rmdir("foo/..") is expected to fail according to POSIX.1-2001).
-
-The various error values come from the linux manual pages.
-
-Suggested-by: Peter Maydell <peter.maydell at linaro.org>
-Signed-off-by: Greg Kurz <groug at kaod.org>
-Reviewed-by: Eric Blake <eblake at redhat.com>
-Reviewed-by: Michael S. Tsirkin <mst at redhat.com>
-Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
----
- hw/9pfs/9p.c | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 51 insertions(+)
-
-diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
-index 53c466b..1e96427 100644
---- a/hw/9pfs/9p.c
-+++ b/hw/9pfs/9p.c
-@@ -1495,6 +1495,11 @@ static void v9fs_lcreate(void *opaque)
-         goto out_nofid;
-     }
- 
-+    if (!strcmp(".", name.data) || !strcmp("..", name.data)) {
-+        err = -EEXIST;
-+        goto out_nofid;
-+    }
-+
-     fidp = get_fid(pdu, dfid);
-     if (fidp == NULL) {
-         err = -ENOENT;
-@@ -2085,6 +2090,11 @@ static void v9fs_create(void *opaque)
-         goto out_nofid;
-     }
- 
-+    if (!strcmp(".", name.data) || !strcmp("..", name.data)) {
-+        err = -EEXIST;
-+        goto out_nofid;
-+    }
-+
-     fidp = get_fid(pdu, fid);
-     if (fidp == NULL) {
-         err = -EINVAL;
-@@ -2255,6 +2265,11 @@ static void v9fs_symlink(void *opaque)
-         goto out_nofid;
-     }
- 
-+    if (!strcmp(".", name.data) || !strcmp("..", name.data)) {
-+        err = -EEXIST;
-+        goto out_nofid;
-+    }
-+
-     dfidp = get_fid(pdu, dfid);
-     if (dfidp == NULL) {
-         err = -EINVAL;
-@@ -2334,6 +2349,11 @@ static void v9fs_link(void *opaque)
-         goto out_nofid;
-     }
- 
-+    if (!strcmp(".", name.data) || !strcmp("..", name.data)) {
-+        err = -EEXIST;
-+        goto out_nofid;
-+    }
-+
-     dfidp = get_fid(pdu, dfid);
-     if (dfidp == NULL) {
-         err = -ENOENT;
-@@ -2422,6 +2442,16 @@ static void v9fs_unlinkat(void *opaque)
-         goto out_nofid;
-     }
- 
-+    if (!strcmp(".", name.data)) {
-+        err = -EINVAL;
-+        goto out_nofid;
-+    }
-+
-+    if (!strcmp("..", name.data)) {
-+        err = -ENOTEMPTY;
-+        goto out_nofid;
-+    }
-+
-     dfidp = get_fid(pdu, dfid);
-     if (dfidp == NULL) {
-         err = -EINVAL;
-@@ -2534,6 +2564,11 @@ static void v9fs_rename(void *opaque)
-         goto out_nofid;
-     }
- 
-+    if (!strcmp(".", name.data) || !strcmp("..", name.data)) {
-+        err = -EISDIR;
-+        goto out_nofid;
-+    }
-+
-     fidp = get_fid(pdu, fid);
-     if (fidp == NULL) {
-         err = -ENOENT;
-@@ -2651,6 +2686,12 @@ static void v9fs_renameat(void *opaque)
-         goto out_err;
-     }
- 
-+    if (!strcmp(".", old_name.data) || !strcmp("..", old_name.data) ||
-+        !strcmp(".", new_name.data) || !strcmp("..", new_name.data)) {
-+        err = -EISDIR;
-+        goto out_err;
-+    }
-+
-     v9fs_path_write_lock(s);
-     err = v9fs_complete_renameat(pdu, olddirfid,
-                                  &old_name, newdirfid, &new_name);
-@@ -2866,6 +2907,11 @@ static void v9fs_mknod(void *opaque)
-         goto out_nofid;
-     }
- 
-+    if (!strcmp(".", name.data) || !strcmp("..", name.data)) {
-+        err = -EEXIST;
-+        goto out_nofid;
-+    }
-+
-     fidp = get_fid(pdu, fid);
-     if (fidp == NULL) {
-         err = -ENOENT;
-@@ -3022,6 +3068,11 @@ static void v9fs_mkdir(void *opaque)
-         goto out_nofid;
-     }
- 
-+    if (!strcmp(".", name.data) || !strcmp("..", name.data)) {
-+        err = -EEXIST;
-+        goto out_nofid;
-+    }
-+
-     fidp = get_fid(pdu, fid);
-     if (fidp == NULL) {
-         err = -ENOENT;
--- 
-2.1.4
-
diff --git a/debian/patches/extra/0003-9pfs-handle-walk-of-.-in-the-root-directory.patch b/debian/patches/extra/0003-9pfs-handle-walk-of-.-in-the-root-directory.patch
deleted file mode 100644
index d4f22c2..0000000
--- a/debian/patches/extra/0003-9pfs-handle-walk-of-.-in-the-root-directory.patch
+++ /dev/null
@@ -1,126 +0,0 @@
-From 348503ea115b336343166b87271208ffc0bdeb0a Mon Sep 17 00:00:00 2001
-From: Greg Kurz <groug at kaod.org>
-Date: Tue, 30 Aug 2016 17:02:27 +0200
-Subject: [PATCH 3/6] 9pfs: handle walk of ".." in the root directory
-
-The 9P spec at http://man.cat-v.org/plan_9/5/intro says:
-
-All directories must support walks to the directory .. (dot-dot) meaning
-parent directory, although by convention directories contain no explicit
-entry for .. or . (dot).  The parent of the root directory of a server's
-tree is itself.
-
-This means that a client cannot walk further than the root directory
-exported by the server. In other words, if the client wants to walk
-"/.." or "/foo/../..", the server should answer like the request was
-to walk "/".
-
-This patch just does that:
-- we cache the QID of the root directory at attach time
-- during the walk we compare the QID of each path component with the root
-  QID to detect if we're in a "/.." situation
-- if so, we skip the current component and go to the next one
-
-Signed-off-by: Greg Kurz <groug at kaod.org>
-Reviewed-by: Eric Blake <eblake at redhat.com>
-Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
----
- hw/9pfs/9p.c | 40 +++++++++++++++++++++++++++++++---------
- hw/9pfs/9p.h |  1 +
- 2 files changed, 32 insertions(+), 9 deletions(-)
-
-diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
-index 1e96427..1ac05b2 100644
---- a/hw/9pfs/9p.c
-+++ b/hw/9pfs/9p.c
-@@ -1008,6 +1008,7 @@ static void v9fs_attach(void *opaque)
-         goto out;
-     }
-     err += offset;
-+    memcpy(&s->root_qid, &qid, sizeof(qid));
-     trace_v9fs_attach_return(pdu->tag, pdu->id,
-                              qid.type, qid.version, qid.path);
-     /*
-@@ -1259,6 +1260,14 @@ static bool name_is_illegal(const char *name)
-     return !*name || strchr(name, '/') != NULL;
- }
- 
-+static bool not_same_qid(const V9fsQID *qid1, const V9fsQID *qid2)
-+{
-+    return
-+        qid1->type != qid2->type ||
-+        qid1->version != qid2->version ||
-+        qid1->path != qid2->path;
-+}
-+
- static void v9fs_walk(void *opaque)
- {
-     int name_idx;
-@@ -1274,6 +1283,7 @@ static void v9fs_walk(void *opaque)
-     V9fsFidState *newfidp = NULL;
-     V9fsPDU *pdu = opaque;
-     V9fsState *s = pdu->s;
-+    V9fsQID qid;
- 
-     err = pdu_unmarshal(pdu, offset, "ddw", &fid, &newfid, &nwnames);
-     if (err < 0) {
-@@ -1307,6 +1317,12 @@ static void v9fs_walk(void *opaque)
-         err = -ENOENT;
-         goto out_nofid;
-     }
-+
-+    err = fid_to_qid(pdu, fidp, &qid);
-+    if (err < 0) {
-+        goto out;
-+    }
-+
-     v9fs_path_init(&dpath);
-     v9fs_path_init(&path);
-     /*
-@@ -1316,16 +1332,22 @@ static void v9fs_walk(void *opaque)
-     v9fs_path_copy(&dpath, &fidp->path);
-     v9fs_path_copy(&path, &fidp->path);
-     for (name_idx = 0; name_idx < nwnames; name_idx++) {
--        err = v9fs_co_name_to_path(pdu, &dpath, wnames[name_idx].data, &path);
--        if (err < 0) {
--            goto out;
--        }
--        err = v9fs_co_lstat(pdu, &path, &stbuf);
--        if (err < 0) {
--            goto out;
-+        if (not_same_qid(&pdu->s->root_qid, &qid) ||
-+            strcmp("..", wnames[name_idx].data)) {
-+            err = v9fs_co_name_to_path(pdu, &dpath, wnames[name_idx].data,
-+                                       &path);
-+            if (err < 0) {
-+                goto out;
-+            }
-+
-+            err = v9fs_co_lstat(pdu, &path, &stbuf);
-+            if (err < 0) {
-+                goto out;
-+            }
-+            stat_to_qid(&stbuf, &qid);
-+            v9fs_path_copy(&dpath, &path);
-         }
--        stat_to_qid(&stbuf, &qids[name_idx]);
--        v9fs_path_copy(&dpath, &path);
-+        memcpy(&qids[name_idx], &qid, sizeof(qid));
-     }
-     if (fid == newfid) {
-         BUG_ON(fidp->fid_type != P9_FID_NONE);
-diff --git a/hw/9pfs/9p.h b/hw/9pfs/9p.h
-index 1a19418..589b3a5 100644
---- a/hw/9pfs/9p.h
-+++ b/hw/9pfs/9p.h
-@@ -219,6 +219,7 @@ typedef struct V9fsState
-     int32_t root_fid;
-     Error *migration_blocker;
-     V9fsConf fsconf;
-+    V9fsQID root_qid;
- } V9fsState;
- 
- /* 9p2000.L open flags */
--- 
-2.1.4
-
diff --git a/debian/patches/extra/0003-net-vmxnet-use-g_new-for-pkt-initialisation.patch b/debian/patches/extra/0003-net-vmxnet-use-g_new-for-pkt-initialisation.patch
deleted file mode 100644
index 67083f2..0000000
--- a/debian/patches/extra/0003-net-vmxnet-use-g_new-for-pkt-initialisation.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From c2f17c0e4754b5140fb79371dc8cb7973ff5d1b0 Mon Sep 17 00:00:00 2001
-From: Li Qiang <liqiang6-s at 360.cn>
-Date: Tue, 16 Aug 2016 16:58:01 +0530
-Subject: [PATCH 3/5] net: vmxnet: use g_new for pkt initialisation
-
-When network transport abstraction layer initialises pkt, the maximum
-fragmentation count is not checked. This could lead to an integer
-overflow causing a NULL pointer dereference. Replace g_malloc() with
-g_new() to catch the multiplication overflow.
-
-Reported-by: Li Qiang <liqiang6-s at 360.cn>
-Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
-Acked-by: Dmitry Fleytman <dmitry at daynix.com>
-Signed-off-by: Jason Wang <jasowang at redhat.com>
----
- hw/net/vmxnet_tx_pkt.c | 5 ++---
- 1 file changed, 2 insertions(+), 3 deletions(-)
-
-diff --git a/hw/net/vmxnet_tx_pkt.c b/hw/net/vmxnet_tx_pkt.c
-index f4d0f5f..9152444 100644
---- a/hw/net/vmxnet_tx_pkt.c
-+++ b/hw/net/vmxnet_tx_pkt.c
-@@ -60,10 +60,9 @@ void vmxnet_tx_pkt_init(struct VmxnetTxPkt **pkt, uint32_t max_frags,
- {
-     struct VmxnetTxPkt *p = g_malloc0(sizeof *p);
- 
--    p->vec = g_malloc((sizeof *p->vec) *
--        (max_frags + VMXNET_TX_PKT_PL_START_FRAG));
-+    p->vec = g_new(struct iovec, max_frags + VMXNET_TX_PKT_PL_START_FRAG);
- 
--    p->raw = g_malloc((sizeof *p->raw) * max_frags);
-+    p->raw = g_new(struct iovec, max_frags);
- 
-     p->max_payload_frags = max_frags;
-     p->max_raw_frags = max_frags;
--- 
-2.1.4
-
diff --git a/debian/patches/extra/0004-net-vmxnet-check-IP-header-length.patch b/debian/patches/extra/0004-net-vmxnet-check-IP-header-length.patch
deleted file mode 100644
index a1a1c70..0000000
--- a/debian/patches/extra/0004-net-vmxnet-check-IP-header-length.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 1f2c8a260b6f1c87cefa7459baff7e203316f7b6 Mon Sep 17 00:00:00 2001
-From: Li Qiang <address at hidden>
-Date: Tue, 9 Aug 2016 16:49:47 +0530
-Subject: [PATCH 4/5] net: vmxnet: check IP header length
-
-Vmxnet3 device emulator when parsing packet headers does not check
-for IP header length. It could lead to a OOB access when reading
-further packet data. Add check to avoid it.
-
-Reported-by: Li Qiang <address at hidden>
-Signed-off-by: Prasad J Pandit <address at hidden>
----
- hw/net/vmxnet_tx_pkt.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/hw/net/vmxnet_tx_pkt.c b/hw/net/vmxnet_tx_pkt.c
-index 9152444..849826b 100644
---- a/hw/net/vmxnet_tx_pkt.c
-+++ b/hw/net/vmxnet_tx_pkt.c
-@@ -177,6 +177,11 @@ static bool vmxnet_tx_pkt_parse_headers(struct VmxnetTxPkt *pkt)
-         }
- 
-         l3_hdr->iov_len = IP_HDR_GET_LEN(l3_hdr->iov_base);
-+        if(l3_hdr->iov_len < sizeof(struct ip_header))
-+        {
-+            l3_hdr->iov_len = 0;
-+            return false;
-+        }
-         pkt->l4proto = ((struct ip_header *) l3_hdr->iov_base)->ip_p;
- 
-         /* copy optional IPv4 header data */
--- 
-2.1.4
-
diff --git a/debian/patches/extra/0006-virtio-recalculate-vq-inuse-after-migration.patch b/debian/patches/extra/0006-virtio-recalculate-vq-inuse-after-migration.patch
deleted file mode 100644
index 8c5567e..0000000
--- a/debian/patches/extra/0006-virtio-recalculate-vq-inuse-after-migration.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From ed3112487835fb5c5ec685e15032641c25018f87 Mon Sep 17 00:00:00 2001
-From: Stefan Hajnoczi <stefanha at redhat.com>
-Date: Mon, 15 Aug 2016 13:54:15 +0100
-Subject: [PATCH 06/10] virtio: recalculate vq->inuse after migration
-
-The vq->inuse field is not migrated.  Many devices don't hold
-VirtQueueElements across migration so it doesn't matter that vq->inuse
-starts at 0 on the destination QEMU.
-
-At least virtio-serial, virtio-blk, and virtio-balloon migrate while
-holding VirtQueueElements.  For these devices we need to recalculate
-vq->inuse upon load so the value is correct.
-
-Cc: qemu-stable at nongnu.org
-Signed-off-by: Stefan Hajnoczi <stefanha at redhat.com>
-Reviewed-by: Michael S. Tsirkin <mst at redhat.com>
-Reviewed-by: Cornelia Huck <cornelia.huck at de.ibm.com>
-Reviewed-by: Michael S. Tsirkin <mst at redhat.com>
-Signed-off-by: Michael S. Tsirkin <mst at redhat.com>
----
- hw/virtio/virtio.c | 15 +++++++++++++++
- 1 file changed, 15 insertions(+)
-
-diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
-index 111ad8e..486147b 100644
---- a/hw/virtio/virtio.c
-+++ b/hw/virtio/virtio.c
-@@ -1629,6 +1629,21 @@ int virtio_load(VirtIODevice *vdev, QEMUFile *f, int version_id)
-             }
-             vdev->vq[i].used_idx = vring_used_idx(&vdev->vq[i]);
-             vdev->vq[i].shadow_avail_idx = vring_avail_idx(&vdev->vq[i]);
-+
-+            /*
-+             * Some devices migrate VirtQueueElements that have been popped
-+             * from the avail ring but not yet returned to the used ring.
-+             */
-+            vdev->vq[i].inuse = vdev->vq[i].last_avail_idx -
-+                                vdev->vq[i].used_idx;
-+            if (vdev->vq[i].inuse > vdev->vq[i].vring.num) {
-+                error_report("VQ %d size 0x%x < last_avail_idx 0x%x - "
-+                             "used_idx 0x%x",
-+                             i, vdev->vq[i].vring.num,
-+                             vdev->vq[i].last_avail_idx,
-+                             vdev->vq[i].used_idx);
-+                return -1;
-+            }
-         }
-     }
- 
--- 
-2.1.4
-
diff --git a/debian/patches/extra/0007-virtio-decrement-vq-inuse-in-virtqueue_discard.patch b/debian/patches/extra/0007-virtio-decrement-vq-inuse-in-virtqueue_discard.patch
deleted file mode 100644
index 5ad2487..0000000
--- a/debian/patches/extra/0007-virtio-decrement-vq-inuse-in-virtqueue_discard.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From e8bc5606ad11e053a7c9ca64ed1aeaed18be8e4e Mon Sep 17 00:00:00 2001
-From: Stefan Hajnoczi <stefanha at redhat.com>
-Date: Mon, 15 Aug 2016 13:54:16 +0100
-Subject: [PATCH 07/10] virtio: decrement vq->inuse in virtqueue_discard()
-
-virtqueue_discard() moves vq->last_avail_idx back so the element can be
-popped again.  It's necessary to decrement vq->inuse to avoid "leaking"
-the element count.
-
-Cc: qemu-stable at nongnu.org
-Signed-off-by: Stefan Hajnoczi <stefanha at redhat.com>
-Reviewed-by: Michael S. Tsirkin <mst at redhat.com>
-Reviewed-by: Cornelia Huck <cornelia.huck at de.ibm.com>
-Reviewed-by: Michael S. Tsirkin <mst at redhat.com>
-Signed-off-by: Michael S. Tsirkin <mst at redhat.com>
----
- hw/virtio/virtio.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
-index 486147b..787849a 100644
---- a/hw/virtio/virtio.c
-+++ b/hw/virtio/virtio.c
-@@ -267,6 +267,7 @@ void virtqueue_discard(VirtQueue *vq, const VirtQueueElement *elem,
-                        unsigned int len)
- {
-     vq->last_avail_idx--;
-+    vq->inuse--;
-     virtqueue_unmap_sg(vq, elem, len);
- }
- 
--- 
-2.1.4
-
diff --git a/debian/patches/extra/0008-iscsi-pass-SCSI-status-back-for-SG_IO.patch b/debian/patches/extra/0008-iscsi-pass-SCSI-status-back-for-SG_IO.patch
deleted file mode 100644
index 2acfa61..0000000
--- a/debian/patches/extra/0008-iscsi-pass-SCSI-status-back-for-SG_IO.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From b3d69a0d7dc3945ff134e69593b5fcec447e8389 Mon Sep 17 00:00:00 2001
-From: Vadim Rozenfeld <vrozenfe at redhat.com>
-Date: Fri, 13 May 2016 13:03:22 +0200
-Subject: [PATCH 08/10] iscsi: pass SCSI status back for SG_IO
-
-Signed-off-by: Vadim Rozenfeld <vrozenfe at redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
----
- block/iscsi.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/block/iscsi.c b/block/iscsi.c
-index 0466c30..1f6a0e5 100644
---- a/block/iscsi.c
-+++ b/block/iscsi.c
-@@ -768,6 +768,7 @@ iscsi_aio_ioctl_cb(struct iscsi_context *iscsi, int status,
-     acb->ioh->driver_status = 0;
-     acb->ioh->host_status   = 0;
-     acb->ioh->resid         = 0;
-+    acb->ioh->status        = status;
- 
- #define SG_ERR_DRIVER_SENSE    0x08
- 
--- 
-2.1.4
-
diff --git a/debian/patches/extra/0010-ui-fix-refresh-of-VNC-server-surface.patch b/debian/patches/extra/0010-ui-fix-refresh-of-VNC-server-surface.patch
deleted file mode 100644
index fd2ad03..0000000
--- a/debian/patches/extra/0010-ui-fix-refresh-of-VNC-server-surface.patch
+++ /dev/null
@@ -1,102 +0,0 @@
-From e74eda6892bede3f22ce449af32fe941147396d8 Mon Sep 17 00:00:00 2001
-From: "Daniel P. Berrange" <berrange at redhat.com>
-Date: Tue, 16 Aug 2016 17:30:32 +0100
-Subject: [PATCH 10/10] ui: fix refresh of VNC server surface
-
-In previous commit
-
-  commit c7628bff4138ce906a3620d12e0820c1cf6c140d
-  Author: Gerd Hoffmann <kraxel at redhat.com>
-  Date:   Fri Oct 30 12:10:09 2015 +0100
-
-    vnc: only alloc server surface with clients connected
-
-the VNC server was changed so that the 'vd->server' pixman
-image was only allocated when a client is connected.
-
-Since then if a client disconnects and then reconnects to
-the VNC server all they will see is a black screen until
-they do something that triggers a refresh. On a graphical
-desktop this is not often noticed since there's many things
-going on which cause a refresh. On a plain text console it
-is really obvious since nothing refreshes frequently.
-
-The problem is that the VNC server didn't update the guest
-dirty bitmap, so still believes its server image is in sync
-with the guest contents.
-
-To fix this we must explicitly mark the entire guest desktop
-as dirty after re-creating the server surface. Move this
-logic into vnc_update_server_surface() so it is guaranteed
-to be call in all code paths that re-create the surface
-instead of only in vnc_dpy_switch()
-
-Signed-off-by: Daniel P. Berrange <berrange at redhat.com>
----
- ui/vnc.c | 20 +++++++++++---------
- 1 file changed, 11 insertions(+), 9 deletions(-)
-
-diff --git a/ui/vnc.c b/ui/vnc.c
-index 66e2163..de145cd 100644
---- a/ui/vnc.c
-+++ b/ui/vnc.c
-@@ -806,6 +806,8 @@ void *vnc_server_fb_ptr(VncDisplay *vd, int x, int y)
- 
- static void vnc_update_server_surface(VncDisplay *vd)
- {
-+    int width, height;
-+
-     qemu_pixman_image_unref(vd->server);
-     vd->server = NULL;
- 
-@@ -813,10 +815,15 @@ static void vnc_update_server_surface(VncDisplay *vd)
-         return;
-     }
- 
-+    width = vnc_width(vd);
-+    height = vnc_height(vd);
-     vd->server = pixman_image_create_bits(VNC_SERVER_FB_FORMAT,
--                                          vnc_width(vd),
--                                          vnc_height(vd),
-+                                          width, height,
-                                           NULL, 0);
-+
-+    memset(vd->guest.dirty, 0x00, sizeof(vd->guest.dirty));
-+    vnc_set_area_dirty(vd->guest.dirty, vd, 0, 0,
-+                       width, height);
- }
- 
- static void vnc_dpy_switch(DisplayChangeListener *dcl,
-@@ -824,7 +831,6 @@ static void vnc_dpy_switch(DisplayChangeListener *dcl,
- {
-     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
-     VncState *vs;
--    int width, height;
- 
-     vnc_abort_display_jobs(vd);
-     vd->ds = surface;
-@@ -836,11 +842,6 @@ static void vnc_dpy_switch(DisplayChangeListener *dcl,
-     qemu_pixman_image_unref(vd->guest.fb);
-     vd->guest.fb = pixman_image_ref(surface->image);
-     vd->guest.format = surface->format;
--    width = vnc_width(vd);
--    height = vnc_height(vd);
--    memset(vd->guest.dirty, 0x00, sizeof(vd->guest.dirty));
--    vnc_set_area_dirty(vd->guest.dirty, vd, 0, 0,
--                       width, height);
- 
-     QTAILQ_FOREACH(vs, &vd->clients, next) {
-         vnc_colordepth(vs);
-@@ -850,7 +851,8 @@ static void vnc_dpy_switch(DisplayChangeListener *dcl,
-         }
-         memset(vs->dirty, 0x00, sizeof(vs->dirty));
-         vnc_set_area_dirty(vs->dirty, vd, 0, 0,
--                           width, height);
-+                           vnc_width(vd),
-+                           vnc_height(vd));
-     }
- }
- 
--- 
-2.1.4
-
diff --git a/debian/patches/extra/CVE-2016-7155-scsi-check-page-count-while-initialising-descriptor-.patch b/debian/patches/extra/CVE-2016-7155-scsi-check-page-count-while-initialising-descriptor-.patch
deleted file mode 100644
index 54df061..0000000
--- a/debian/patches/extra/CVE-2016-7155-scsi-check-page-count-while-initialising-descriptor-.patch
+++ /dev/null
@@ -1,83 +0,0 @@
-From 7c7e45d2bd1a77fbe89dff83fabf89a46479111f Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp at fedoraproject.org>
-Date: Thu, 1 Sep 2016 16:30:51 +0530
-Subject: [PATCH 4/6] scsi: check page count while initialising descriptor
- rings
-
-Vmware Paravirtual SCSI emulation uses command descriptors to
-process SCSI commands. These descriptors come with their ring
-buffers. A guest could set the page count for these rings to
-an arbitrary value, leading to infinite loop or OOB access.
-Add check to avoid it.
-
-Reported-by: Tom Victor <vv474172261 at gmail.com>
-Reported-by: Li Qiang <liqiang6-s at 360.cn>
-Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
----
- hw/scsi/vmw_pvscsi.c | 19 +++++++++----------
- 1 file changed, 9 insertions(+), 10 deletions(-)
-
-diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
-index 2d7528d..22f872c 100644
---- a/hw/scsi/vmw_pvscsi.c
-+++ b/hw/scsi/vmw_pvscsi.c
-@@ -153,7 +153,7 @@ pvscsi_log2(uint32_t input)
-     return log;
- }
- 
--static int
-+static void
- pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
- {
-     int i;
-@@ -161,10 +161,6 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
-     uint32_t req_ring_size, cmp_ring_size;
-     m->rs_pa = ri->ringsStatePPN << VMW_PAGE_SHIFT;
- 
--    if ((ri->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)
--        || (ri->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)) {
--        return -1;
--    }
-     req_ring_size = ri->reqRingNumPages * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE;
-     cmp_ring_size = ri->cmpRingNumPages * PVSCSI_MAX_NUM_CMP_ENTRIES_PER_PAGE;
-     txr_len_log2 = pvscsi_log2(req_ring_size - 1);
-@@ -196,8 +192,6 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
- 
-     /* Flush ring state page changes */
-     smp_wmb();
--
--    return 0;
- }
- 
- static int
-@@ -747,7 +741,7 @@ pvscsi_dbg_dump_tx_rings_config(PVSCSICmdDescSetupRings *rc)
- 
-     trace_pvscsi_tx_rings_num_pages("Confirm Ring", rc->cmpRingNumPages);
-     for (i = 0; i < rc->cmpRingNumPages; i++) {
--        trace_pvscsi_tx_rings_ppn("Confirm Ring", rc->reqRingPPNs[i]);
-+        trace_pvscsi_tx_rings_ppn("Confirm Ring", rc->cmpRingPPNs[i]);
-     }
- }
- 
-@@ -780,11 +774,16 @@ pvscsi_on_cmd_setup_rings(PVSCSIState *s)
- 
-     trace_pvscsi_on_cmd_arrived("PVSCSI_CMD_SETUP_RINGS");
- 
--    pvscsi_dbg_dump_tx_rings_config(rc);
--    if (pvscsi_ring_init_data(&s->rings, rc) < 0) {
-+    if (!rc->reqRingNumPages
-+        || rc->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES
-+        || !rc->cmpRingNumPages
-+        || rc->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES) {
-         return PVSCSI_COMMAND_PROCESSING_FAILED;
-     }
- 
-+    pvscsi_dbg_dump_tx_rings_config(rc);
-+    pvscsi_ring_init_data(&s->rings, rc);
-+
-     s->rings_info_valid = TRUE;
-     return PVSCSI_COMMAND_PROCESSING_SUCCEEDED;
- }
--- 
-2.1.4
-
diff --git a/debian/patches/extra/CVE-2016-7157-scsi-mptconfig-fix-an-assert-expression.patch b/debian/patches/extra/CVE-2016-7157-scsi-mptconfig-fix-an-assert-expression.patch
deleted file mode 100644
index f74c99b..0000000
--- a/debian/patches/extra/CVE-2016-7157-scsi-mptconfig-fix-an-assert-expression.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From a0e2a28c08472ad3468c2f75d20fe1ca02ef8c0b Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp at fedoraproject.org>
-Date: Wed, 31 Aug 2016 17:36:07 +0530
-Subject: [PATCH 6/6] scsi: mptconfig: fix an assert expression
-
-When LSI SAS1068 Host Bus emulator builds configuration page
-headers, mptsas_config_pack() should assert that the size
-fits in a byte.  However, the size is expressed in 32-bit
-units, so up to 1020 bytes fit.  The assertion was only
-allowing replies up to 252 bytes, so fix it.
-
-Suggested-by: Paolo Bonzini <pbonzini at redhat.com>
-Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
-Message-Id: <1472645167-30765-2-git-send-email-ppandit at redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
----
- hw/scsi/mptconfig.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/scsi/mptconfig.c b/hw/scsi/mptconfig.c
-index 7071854..3e4f400 100644
---- a/hw/scsi/mptconfig.c
-+++ b/hw/scsi/mptconfig.c
-@@ -158,7 +158,7 @@ static size_t mptsas_config_pack(uint8_t **data, const char *fmt, ...)
-     va_end(ap);
- 
-     if (data) {
--        assert(ret < 256 && (ret % 4) == 0);
-+        assert(ret / 4 < 256 && (ret % 4) == 0);
-         stb_p(*data + 1, ret / 4);
-     }
-     return ret;
--- 
-2.1.4
-
diff --git a/debian/patches/extra/CVE-2016-7421-scsi-pvscsi-limit-process-IO-loop-to-ring-size.patch b/debian/patches/extra/CVE-2016-7421-scsi-pvscsi-limit-process-IO-loop-to-ring-size.patch
deleted file mode 100644
index 05ab4a5..0000000
--- a/debian/patches/extra/CVE-2016-7421-scsi-pvscsi-limit-process-IO-loop-to-ring-size.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From d251157ac1928191af851d199a9ff255d330bec9 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp at fedoraproject.org>
-Date: Wed, 14 Sep 2016 15:09:12 +0530
-Subject: [PATCH] scsi: pvscsi: limit process IO loop to ring size
-
-Vmware Paravirtual SCSI emulator while processing IO requests
-could run into an infinite loop if 'pvscsi_ring_pop_req_descr'
-always returned positive value. Limit IO loop to the ring size.
-
-Cc: qemu-stable at nongnu.org
-Reported-by: Li Qiang <liqiang6-s at 360.cn>
-Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
-Message-Id: <1473845952-30785-1-git-send-email-ppandit at redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
----
- hw/scsi/vmw_pvscsi.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
-index babac5a..a5ce7de 100644
---- a/hw/scsi/vmw_pvscsi.c
-+++ b/hw/scsi/vmw_pvscsi.c
-@@ -247,8 +247,11 @@ static hwaddr
- pvscsi_ring_pop_req_descr(PVSCSIRingInfo *mgr)
- {
-     uint32_t ready_ptr = RS_GET_FIELD(mgr, reqProdIdx);
-+    uint32_t ring_size = PVSCSI_MAX_NUM_PAGES_REQ_RING
-+                            * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE;
- 
--    if (ready_ptr != mgr->consumed_ptr) {
-+    if (ready_ptr != mgr->consumed_ptr
-+        && ready_ptr - mgr->consumed_ptr < ring_size) {
-         uint32_t next_ready_ptr =
-             mgr->consumed_ptr++ & mgr->txr_len_mask;
-         uint32_t next_ready_page =
--- 
-2.1.4
-
diff --git a/debian/patches/extra/CVE-2016-7423-scsi-mptsas-use-g_new0-to-allocate-MPTSASRequest-obj.patch b/debian/patches/extra/CVE-2016-7423-scsi-mptsas-use-g_new0-to-allocate-MPTSASRequest-obj.patch
deleted file mode 100644
index f1ba947..0000000
--- a/debian/patches/extra/CVE-2016-7423-scsi-mptsas-use-g_new0-to-allocate-MPTSASRequest-obj.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 670e56d3ed2918b3861d9216f2c0540d9e9ae0d5 Mon Sep 17 00:00:00 2001
-From: Li Qiang <liqiang6-s at 360.cn>
-Date: Mon, 12 Sep 2016 18:14:11 +0530
-Subject: [PATCH] scsi: mptsas: use g_new0 to allocate MPTSASRequest object
-
-When processing IO request in mptsas, it uses g_new to allocate
-a 'req' object. If an error occurs before 'req->sreq' is
-allocated, It could lead to an OOB write in mptsas_free_request
-function. Use g_new0 to avoid it.
-
-Reported-by: Li Qiang <liqiang6-s at 360.cn>
-Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
-Message-Id: <1473684251-17476-1-git-send-email-ppandit at redhat.com>
-Cc: qemu-stable at nongnu.org
-Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
----
- hw/scsi/mptsas.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c
-index 0e0a22f..eaae1bb 100644
---- a/hw/scsi/mptsas.c
-+++ b/hw/scsi/mptsas.c
-@@ -304,7 +304,7 @@ static int mptsas_process_scsi_io_request(MPTSASState *s,
-         goto bad;
-     }
- 
--    req = g_new(MPTSASRequest, 1);
-+    req = g_new0(MPTSASRequest, 1);
-     QTAILQ_INSERT_TAIL(&s->pending, req, next);
-     req->scsi_io = *scsi_io;
-     req->dev = s;
--- 
-2.1.4
-
diff --git a/debian/patches/series b/debian/patches/series
index 07cf5c4..2d9bf81 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -58,25 +58,11 @@ pve/0056-qmp_snapshot_drive-add-aiocontext.patch
 extra/0001-Revert-target-i386-disable-LINT0-after-reset.patch
 extra/0002-scsi-esp-fix-migration.patch
 extra/CVE-2016-6490-virtio-check-vring-descriptor-buffer-length.patch
-extra/0001-net-check-fragment-length-during-fragmentation.patch
 extra/0002-net-vmxnet3-check-for-device_active-before-write.patch
-extra/0003-net-vmxnet-use-g_new-for-pkt-initialisation.patch
-extra/0004-net-vmxnet-check-IP-header-length.patch
 extra/0005-net-vmxnet-initialise-local-tx-descriptor.patch
-extra/0006-virtio-recalculate-vq-inuse-after-migration.patch
-extra/0007-virtio-decrement-vq-inuse-in-virtqueue_discard.patch
-extra/0008-iscsi-pass-SCSI-status-back-for-SG_IO.patch
 extra/0009-net-limit-allocation-in-nc_sendv_compat.patch
-extra/0010-ui-fix-refresh-of-VNC-server-surface.patch
-extra/0001-9pfs-forbid-illegal-path-names.patch
-extra/0002-9pfs-forbid-.-and-.-in-file-names.patch
-extra/0003-9pfs-handle-walk-of-.-in-the-root-directory.patch
-extra/CVE-2016-7155-scsi-check-page-count-while-initialising-descriptor-.patch
 extra/CVE-2016-7156-scsi-pvscsi-avoid-infinite-loop-while-building-SG-li.patch
-extra/CVE-2016-7157-scsi-mptconfig-fix-an-assert-expression.patch
 extra/CVE-2016-7170-vmsvga-correct-bitmap-and-pixmap-size-checks.patch
-extra/CVE-2016-7421-scsi-pvscsi-limit-process-IO-loop-to-ring-size.patch
-extra/CVE-2016-7423-scsi-mptsas-use-g_new0-to-allocate-MPTSASRequest-obj.patch
 extra/x86-lapic-Load-LAPIC-state-at-post_load.patch
 extra/CVE-2016-7161-hw-net-Fix-a-heap-overflow-in-xlnx.xps-ethernetlite.patch
 extra/CVE-2016-7422-virtio-add-check-for-descriptor-s-mapped-address.patch
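Review bot: The series hunk stops applying four CVE-tagged fixes (CVE-2016-7155, CVE-2016-7157, CVE-2016-7421, CVE-2016-7423) along with the 9pfs, vmxnet, virtio, iscsi and VNC patches, and nothing reviewable on this page shows that the 2.6.2 sources contain them, because the tarball update is a binary diff. The CVE-2016-7156 and CVE-2016-7170 entries next to them stay, which suggests the selection was made per patch, but that check is not recorded anywhere in the change. It would help to name, for each dropped entry, the upstream 2.6.2 commit that replaces it, or to state that each dropped patch was confirmed to reverse-apply cleanly against the new tree before the package is built.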
diff --git a/qemu-kvm-src.tar.gz b/qemu-kvm-src.tar.gz
index 772c666..43ca5e5 100644
Binary files a/qemu-kvm-src.tar.gz and b/qemu-kvm-src.tar.gz differ
-- 
2.1.4




