[pve-devel] applied: [PATCH kvm] update to qemu 2.7.1
Wolfgang Bumiller
w.bumiller at proxmox.com
Tue Jan 3 10:01:54 CET 2017
---
A bunch of fixes from the extra/ patch-set are upstream now thus deleted.
The patches in the pve/ dir all got meta updates (just line numbers), I'm not
including them in this diff to reduce the noise, they apply without conflicts.
Makefile | 6 +-
debian/changelog | 6 ++
qemu-kvm-src.tar.gz | Bin 12974515 -> 12982090 bytes
57 files changed, 144 insertions(+), 435 deletions(-)
delete mode 100644 debian/patches/extra/0004-qmp-fix-object-add-assert-without-props
delete mode 100644 debian/patches/extra/CVE-2016-7155-scsi-check-page-count-while-initialising-descriptor-.patch
delete mode 100644 debian/patches/extra/CVE-2016-7157-scsi-mptconfig-fix-an-assert-expression.patch
delete mode 100644 debian/patches/extra/CVE-2016-7421-scsi-pvscsi-limit-process-IO-loop-to-ring-size.patch
delete mode 100644 debian/patches/extra/CVE-2016-7423-scsi-mptsas-use-g_new0-to-allocate-MPTSASRequest-obj.patch
delete mode 100644 debian/patches/extra/CVE-2016-8910-net-rtl8139-limit-processing-of-ring-descriptors.patch
diff --git a/Makefile b/Makefile
index 121ffeb..95718c0 100644
--- a/Makefile
+++ b/Makefile
@@ -1,8 +1,8 @@
-RELEASE=4.2
+RELEASE=4.4
# also update debian/changelog
-KVMVER=2.7.0
-KVMPKGREL=10
+KVMVER=2.7.1
+KVMPKGREL=1
KVMPACKAGE=pve-qemu-kvm
KVMDIR=qemu-kvm
diff --git a/debian/changelog b/debian/changelog
index 5f85f2a..89c4dbe 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+pve-qemu-kvm (2.7.1-1) unstable; urgency=medium
+
+ * update to qemu 2.7.1
+
+ -- Proxmox Support Team <support at proxmox.com> Tue, 03 Jan 2017 07:57:17 +0100
+
pve-qemu-kvm (2.7.0-10) unstable; urgency=medium
* fix CVE-2016-9776: net: mcf: check receive buffer size register value
diff --git a/debian/patches/extra/0004-qmp-fix-object-add-assert-without-props b/debian/patches/extra/0004-qmp-fix-object-add-assert-without-props
deleted file mode 100644
index dc03931..0000000
--- a/debian/patches/extra/0004-qmp-fix-object-add-assert-without-props
+++ /dev/null
@@ -1,66 +0,0 @@
-From d803b04e8203f48901186a27ab688326aa5569ec Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau at redhat.com>
-Date: Fri, 23 Sep 2016 00:39:25 +0400
-Subject: [PATCH 1/4] qmp: fix object-add assert() without props
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Since commit ad739706bbadee49, user_creatable_add_type() expects to be
-given a qdict. However, if object-add is called without props, you reach
-the assert: "qemu/qom/object_interfaces.c:115: user_creatable_add_type:
-Assertion `qdict' failed.", because the qdict isn't created in this
-case (it's optional).
-
-Furthermore, qmp_input_visitor_new() is not meant to be called without a
-dict, and a further commit will assert in this situation.
-
-If none given, create an empty qdict in qmp to avoid the
-user_creatable_add_type() assert(qdict).
-
-Signed-off-by: Marc-André Lureau <marcandre.lureau at redhat.com>
-Reviewed-by: Eric Blake <eblake at redhat.com>
-Message-Id: <20160922203927.28241-2-marcandre.lureau at redhat.com>
-Tested-by: Xiao Long Jiang <zxiaol at linux.vnet.ibm.com>
-Reviewed-by: Markus Armbruster <armbru at redhat.com>
-Signed-off-by: Markus Armbruster <armbru at redhat.com>
----
- qmp.c | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/qmp.c b/qmp.c
-index b6d531e..c485abe 100644
---- a/qmp.c
-+++ b/qmp.c
-@@ -654,7 +654,7 @@ void qmp_add_client(const char *protocol, const char *fdname,
- void qmp_object_add(const char *type, const char *id,
- bool has_props, QObject *props, Error **errp)
- {
-- const QDict *pdict = NULL;
-+ QDict *pdict;
- Visitor *v;
- Object *obj;
-
-@@ -664,14 +664,18 @@ void qmp_object_add(const char *type, const char *id,
- error_setg(errp, QERR_INVALID_PARAMETER_TYPE, "props", "dict");
- return;
- }
-+ QINCREF(pdict);
-+ } else {
-+ pdict = qdict_new();
- }
-
-- v = qmp_input_visitor_new(props, true);
-+ v = qmp_input_visitor_new(QOBJECT(pdict), true);
- obj = user_creatable_add_type(type, id, pdict, v, errp);
- visit_free(v);
- if (obj) {
- object_unref(obj);
- }
-+ QDECREF(pdict);
- }
-
- void qmp_object_del(const char *id, Error **errp)
---
-2.1.4
-
diff --git a/debian/patches/extra/CVE-2016-7155-scsi-check-page-count-while-initialising-descriptor-.patch b/debian/patches/extra/CVE-2016-7155-scsi-check-page-count-while-initialising-descriptor-.patch
deleted file mode 100644
index 54df061..0000000
--- a/debian/patches/extra/CVE-2016-7155-scsi-check-page-count-while-initialising-descriptor-.patch
+++ /dev/null
@@ -1,83 +0,0 @@
-From 7c7e45d2bd1a77fbe89dff83fabf89a46479111f Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp at fedoraproject.org>
-Date: Thu, 1 Sep 2016 16:30:51 +0530
-Subject: [PATCH 4/6] scsi: check page count while initialising descriptor
- rings
-
-Vmware Paravirtual SCSI emulation uses command descriptors to
-process SCSI commands. These descriptors come with their ring
-buffers. A guest could set the page count for these rings to
-an arbitrary value, leading to infinite loop or OOB access.
-Add check to avoid it.
-
-Reported-by: Tom Victor <vv474172261 at gmail.com>
-Reported-by: Li Qiang <liqiang6-s at 360.cn>
-Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
----
- hw/scsi/vmw_pvscsi.c | 19 +++++++++----------
- 1 file changed, 9 insertions(+), 10 deletions(-)
-
-diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
-index 2d7528d..22f872c 100644
---- a/hw/scsi/vmw_pvscsi.c
-+++ b/hw/scsi/vmw_pvscsi.c
-@@ -153,7 +153,7 @@ pvscsi_log2(uint32_t input)
- return log;
- }
-
--static int
-+static void
- pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
- {
- int i;
-@@ -161,10 +161,6 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
- uint32_t req_ring_size, cmp_ring_size;
- m->rs_pa = ri->ringsStatePPN << VMW_PAGE_SHIFT;
-
-- if ((ri->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)
-- || (ri->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)) {
-- return -1;
-- }
- req_ring_size = ri->reqRingNumPages * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE;
- cmp_ring_size = ri->cmpRingNumPages * PVSCSI_MAX_NUM_CMP_ENTRIES_PER_PAGE;
- txr_len_log2 = pvscsi_log2(req_ring_size - 1);
-@@ -196,8 +192,6 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
-
- /* Flush ring state page changes */
- smp_wmb();
--
-- return 0;
- }
-
- static int
-@@ -747,7 +741,7 @@ pvscsi_dbg_dump_tx_rings_config(PVSCSICmdDescSetupRings *rc)
-
- trace_pvscsi_tx_rings_num_pages("Confirm Ring", rc->cmpRingNumPages);
- for (i = 0; i < rc->cmpRingNumPages; i++) {
-- trace_pvscsi_tx_rings_ppn("Confirm Ring", rc->reqRingPPNs[i]);
-+ trace_pvscsi_tx_rings_ppn("Confirm Ring", rc->cmpRingPPNs[i]);
- }
- }
-
-@@ -780,11 +774,16 @@ pvscsi_on_cmd_setup_rings(PVSCSIState *s)
-
- trace_pvscsi_on_cmd_arrived("PVSCSI_CMD_SETUP_RINGS");
-
-- pvscsi_dbg_dump_tx_rings_config(rc);
-- if (pvscsi_ring_init_data(&s->rings, rc) < 0) {
-+ if (!rc->reqRingNumPages
-+ || rc->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES
-+ || !rc->cmpRingNumPages
-+ || rc->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES) {
- return PVSCSI_COMMAND_PROCESSING_FAILED;
- }
-
-+ pvscsi_dbg_dump_tx_rings_config(rc);
-+ pvscsi_ring_init_data(&s->rings, rc);
-+
- s->rings_info_valid = TRUE;
- return PVSCSI_COMMAND_PROCESSING_SUCCEEDED;
- }
---
-2.1.4
-
diff --git a/debian/patches/extra/CVE-2016-7157-scsi-mptconfig-fix-an-assert-expression.patch b/debian/patches/extra/CVE-2016-7157-scsi-mptconfig-fix-an-assert-expression.patch
deleted file mode 100644
index f74c99b..0000000
--- a/debian/patches/extra/CVE-2016-7157-scsi-mptconfig-fix-an-assert-expression.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From a0e2a28c08472ad3468c2f75d20fe1ca02ef8c0b Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp at fedoraproject.org>
-Date: Wed, 31 Aug 2016 17:36:07 +0530
-Subject: [PATCH 6/6] scsi: mptconfig: fix an assert expression
-
-When LSI SAS1068 Host Bus emulator builds configuration page
-headers, mptsas_config_pack() should assert that the size
-fits in a byte. However, the size is expressed in 32-bit
-units, so up to 1020 bytes fit. The assertion was only
-allowing replies up to 252 bytes, so fix it.
-
-Suggested-by: Paolo Bonzini <pbonzini at redhat.com>
-Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
-Message-Id: <1472645167-30765-2-git-send-email-ppandit at redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
----
- hw/scsi/mptconfig.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/scsi/mptconfig.c b/hw/scsi/mptconfig.c
-index 7071854..3e4f400 100644
---- a/hw/scsi/mptconfig.c
-+++ b/hw/scsi/mptconfig.c
-@@ -158,7 +158,7 @@ static size_t mptsas_config_pack(uint8_t **data, const char *fmt, ...)
- va_end(ap);
-
- if (data) {
-- assert(ret < 256 && (ret % 4) == 0);
-+ assert(ret / 4 < 256 && (ret % 4) == 0);
- stb_p(*data + 1, ret / 4);
- }
- return ret;
---
-2.1.4
-
diff --git a/debian/patches/extra/CVE-2016-7421-scsi-pvscsi-limit-process-IO-loop-to-ring-size.patch b/debian/patches/extra/CVE-2016-7421-scsi-pvscsi-limit-process-IO-loop-to-ring-size.patch
deleted file mode 100644
index 05ab4a5..0000000
--- a/debian/patches/extra/CVE-2016-7421-scsi-pvscsi-limit-process-IO-loop-to-ring-size.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From d251157ac1928191af851d199a9ff255d330bec9 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp at fedoraproject.org>
-Date: Wed, 14 Sep 2016 15:09:12 +0530
-Subject: [PATCH] scsi: pvscsi: limit process IO loop to ring size
-
-Vmware Paravirtual SCSI emulator while processing IO requests
-could run into an infinite loop if 'pvscsi_ring_pop_req_descr'
-always returned positive value. Limit IO loop to the ring size.
-
-Cc: qemu-stable at nongnu.org
-Reported-by: Li Qiang <liqiang6-s at 360.cn>
-Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
-Message-Id: <1473845952-30785-1-git-send-email-ppandit at redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
----
- hw/scsi/vmw_pvscsi.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
-index babac5a..a5ce7de 100644
---- a/hw/scsi/vmw_pvscsi.c
-+++ b/hw/scsi/vmw_pvscsi.c
-@@ -247,8 +247,11 @@ static hwaddr
- pvscsi_ring_pop_req_descr(PVSCSIRingInfo *mgr)
- {
- uint32_t ready_ptr = RS_GET_FIELD(mgr, reqProdIdx);
-+ uint32_t ring_size = PVSCSI_MAX_NUM_PAGES_REQ_RING
-+ * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE;
-
-- if (ready_ptr != mgr->consumed_ptr) {
-+ if (ready_ptr != mgr->consumed_ptr
-+ && ready_ptr - mgr->consumed_ptr < ring_size) {
- uint32_t next_ready_ptr =
- mgr->consumed_ptr++ & mgr->txr_len_mask;
- uint32_t next_ready_page =
---
-2.1.4
-
diff --git a/debian/patches/extra/CVE-2016-7423-scsi-mptsas-use-g_new0-to-allocate-MPTSASRequest-obj.patch b/debian/patches/extra/CVE-2016-7423-scsi-mptsas-use-g_new0-to-allocate-MPTSASRequest-obj.patch
deleted file mode 100644
index f1ba947..0000000
--- a/debian/patches/extra/CVE-2016-7423-scsi-mptsas-use-g_new0-to-allocate-MPTSASRequest-obj.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 670e56d3ed2918b3861d9216f2c0540d9e9ae0d5 Mon Sep 17 00:00:00 2001
-From: Li Qiang <liqiang6-s at 360.cn>
-Date: Mon, 12 Sep 2016 18:14:11 +0530
-Subject: [PATCH] scsi: mptsas: use g_new0 to allocate MPTSASRequest object
-
-When processing IO request in mptsas, it uses g_new to allocate
-a 'req' object. If an error occurs before 'req->sreq' is
-allocated, It could lead to an OOB write in mptsas_free_request
-function. Use g_new0 to avoid it.
-
-Reported-by: Li Qiang <liqiang6-s at 360.cn>
-Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
-Message-Id: <1473684251-17476-1-git-send-email-ppandit at redhat.com>
-Cc: qemu-stable at nongnu.org
-Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
----
- hw/scsi/mptsas.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c
-index 0e0a22f..eaae1bb 100644
---- a/hw/scsi/mptsas.c
-+++ b/hw/scsi/mptsas.c
-@@ -304,7 +304,7 @@ static int mptsas_process_scsi_io_request(MPTSASState *s,
- goto bad;
- }
-
-- req = g_new(MPTSASRequest, 1);
-+ req = g_new0(MPTSASRequest, 1);
- QTAILQ_INSERT_TAIL(&s->pending, req, next);
- req->scsi_io = *scsi_io;
- req->dev = s;
---
-2.1.4
-
diff --git a/debian/patches/extra/CVE-2016-8910-net-rtl8139-limit-processing-of-ring-descriptors.patch b/debian/patches/extra/CVE-2016-8910-net-rtl8139-limit-processing-of-ring-descriptors.patch
deleted file mode 100644
index eedbd17..0000000
--- a/debian/patches/extra/CVE-2016-8910-net-rtl8139-limit-processing-of-ring-descriptors.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 8dea1624f9166d9dd52074c98f744e4a1e13a616 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp at fedoraproject.org>
-Date: Fri, 21 Oct 2016 17:39:29 +0530
-Subject: [PATCH 2/8] net: rtl8139: limit processing of ring descriptors
-
-RTL8139 ethernet controller in C+ mode supports multiple
-descriptor rings, each with maximum of 64 descriptors. While
-processing transmit descriptor ring in 'rtl8139_cplus_transmit',
-it does not limit the descriptor count and runs forever. Add
-check to avoid it.
-
-Reported-by: Andrew Henderson <hendersa at icculus.org>
-Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
-Signed-off-by: Jason Wang <jasowang at redhat.com>
----
- hw/net/rtl8139.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
-index 3345bc6..f05e59c 100644
---- a/hw/net/rtl8139.c
-+++ b/hw/net/rtl8139.c
-@@ -2350,7 +2350,7 @@ static void rtl8139_cplus_transmit(RTL8139State *s)
- {
- int txcount = 0;
-
-- while (rtl8139_cplus_transmit_one(s))
-+ while (txcount < 64 && rtl8139_cplus_transmit_one(s))
- {
- ++txcount;
- }
---
-2.1.4
-
diff --git a/debian/patches/series b/debian/patches/series
index f868c7e..3ed6f6d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -50,14 +50,9 @@ extra/x86-lapic-Load-LAPIC-state-at-post_load.patch
extra/0001-Revert-target-i386-disable-LINT0-after-reset.patch
extra/0002-net-vmxnet-initialise-local-tx-descriptor.patch
extra/0003-net-limit-allocation-in-nc_sendv_compat.patch
-extra/0004-qmp-fix-object-add-assert-without-props
-extra/CVE-2016-7155-scsi-check-page-count-while-initialising-descriptor-.patch
extra/CVE-2016-7156-scsi-pvscsi-avoid-infinite-loop-while-building-SG-li.patch
-extra/CVE-2016-7157-scsi-mptconfig-fix-an-assert-expression.patch
extra/CVE-2016-7170-vmsvga-correct-bitmap-and-pixmap-size-checks.patch
-extra/CVE-2016-7421-scsi-pvscsi-limit-process-IO-loop-to-ring-size.patch
extra/CVE-2016-7422-virtio-add-check-for-descriptor-s-mapped-address.patch
-extra/CVE-2016-7423-scsi-mptsas-use-g_new0-to-allocate-MPTSASRequest-obj.patch
extra/CVE-2016-7466-usb-xhci-fix-memory-leak-in-usb_xhci_exit.patch
extra/CVE-2016-7907-net-imx-limit-buffer-descriptor-count.patch
extra/CVE-2016-7908-net-mcf-limit-buffer-descriptor-count.patch
@@ -69,7 +64,6 @@ extra/CVE-2016-8577-9pfs-fix-potential-host-memory-leak-in-v9fs_read.patch
extra/CVE-2016-8578-9pfs-allocate-space-for-guest-originated-empty-strin.patch
extra/CVE-2016-8668-net-rocker-set-limit-to-DMA-buffer-size.patch
extra/CVE-2016-8669-char-serial-check-divider-value-against-baud-base.patch
-extra/CVE-2016-8910-net-rtl8139-limit-processing-of-ring-descriptors.patch
extra/CVE-2016-8909-audio-intel-hda-check-stream-entry-count-during-tran.patch
extra/CVE-2016-9103-9pfs-fix-information-leak-in-xattr-read.patch
extra/CVE-2016-9101-net-eepro100-fix-memory-leak-in-device-uninit.patch
diff --git a/qemu-kvm-src.tar.gz b/qemu-kvm-src.tar.gz
index 21700f5..2b1dbe8 100644
Binary files a/qemu-kvm-src.tar.gz and b/qemu-kvm-src.tar.gz differ
--
2.1.4
More information about the pve-devel
mailing list