[Qemu-devel] [PATCH v1 22/22] target-arm: A64: Register VBAR_EL3

2014-05-05 Thread Edgar E. Iglesias
From: "Edgar E. Iglesias" Signed-off-by: Edgar E. Iglesias --- target-arm/helper.c | 5 + 1 file changed, 5 insertions(+) diff --git a/target-arm/helper.c b/target-arm/helper.c index 6e3f5fa..b6dac25 100644 --- a/target-arm/helper.c +++ b/target-arm/helper.c @@ -2106,6 +2106,11 @@ static c

[Qemu-devel] [PATCH v1 21/22] target-arm: A64: Register VBAR_EL2

2014-05-05 Thread Edgar E. Iglesias
From: "Edgar E. Iglesias" Signed-off-by: Edgar E. Iglesias --- target-arm/helper.c | 5 + 1 file changed, 5 insertions(+) diff --git a/target-arm/helper.c b/target-arm/helper.c index 2406058..6e3f5fa 100644 --- a/target-arm/helper.c +++ b/target-arm/helper.c @@ -2088,6 +2088,11 @@ static c

[Qemu-devel] [PATCH v1 20/22] target-arm: Make vbar_write writeback to any CPREG

2014-05-05 Thread Edgar E. Iglesias
From: "Edgar E. Iglesias" Signed-off-by: Edgar E. Iglesias --- target-arm/helper.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/target-arm/helper.c b/target-arm/helper.c index 65daeaf..2406058 100644 --- a/target-arm/helper.c +++ b/target-arm/helper.c @@ -657,7 +657,7 @@

[Qemu-devel] [PATCH v1 19/22] target-arm: Add storage for VBAR_EL2 and 3

2014-05-05 Thread Edgar E. Iglesias
From: "Edgar E. Iglesias" Signed-off-by: Edgar E. Iglesias --- target-arm/cpu.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/target-arm/cpu.h b/target-arm/cpu.h index 34e8f7c..88dfdcb 100644 --- a/target-arm/cpu.h +++ b/target-arm/cpu.h @@ -201,7 +201,7 @@ typedef struct

[Qemu-devel] [PATCH v1 18/22] target-arm: A64: Generalize update_spsel for the various ELs

2014-05-05 Thread Edgar E. Iglesias
From: "Edgar E. Iglesias" Signed-off-by: Edgar E. Iglesias --- target-arm/internals.h | 11 +-- 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/target-arm/internals.h b/target-arm/internals.h index 7c39946..5d802db 100644 --- a/target-arm/internals.h +++ b/target-arm/inter

[Qemu-devel] [PATCH v1 17/22] target-arm: A64: Generalize ERET to various ELs

2014-05-05 Thread Edgar E. Iglesias
From: "Edgar E. Iglesias" Adds support for ERET to Aarch64 EL2 and 3. Signed-off-by: Edgar E. Iglesias --- target-arm/op_helper.c | 13 +++-- 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/target-arm/op_helper.c b/target-arm/op_helper.c index f1ae05e..8494f7f 100644 ---

[Qemu-devel] [PATCH v1 16/22] target-arm: A64: Forbid ERET to unimplemented ELs

2014-05-05 Thread Edgar E. Iglesias
From: "Edgar E. Iglesias" Check for EL2 support before returning to it. Signed-off-by: Edgar E. Iglesias --- target-arm/op_helper.c | 8 +++- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/target-arm/op_helper.c b/target-arm/op_helper.c index 770c776..f1ae05e 100644 --- a/ta

[Qemu-devel] [PATCH v1 15/22] target-arm: A64: Forbid ERET to increase the EL

2014-05-05 Thread Edgar E. Iglesias
From: "Edgar E. Iglesias" Signed-off-by: Edgar E. Iglesias --- target-arm/op_helper.c | 5 + 1 file changed, 5 insertions(+) diff --git a/target-arm/op_helper.c b/target-arm/op_helper.c index dd9e4fc..770c776 100644 --- a/target-arm/op_helper.c +++ b/target-arm/op_helper.c @@ -389,6 +389,7
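Added example, not QEMU code and not taken from patches 15 or 16: the two ERET checks those patches describe (refuse a return that would raise the Exception Level, and refuse a return to an EL the CPU model does not implement), written against the AArch64 SPSR_ELx.M encoding (M[4]=0 for AArch64, M[3:2] the target EL, M[1] reserved-zero, M[0] the SP selection). FEAT_EL2 and FEAT_EL3 are hypothetical stand-ins for the feature flags patches 11 and 12 add; what the core does with an illegal return is left to the caller, since the snippets above do not say.

```c
/* Added example, not QEMU code: ERET target-EL validation. FEAT_EL2/FEAT_EL3
 * are hypothetical stand-ins for the EL2/EL3 feature flags of the series. */
#include <stdint.h>
#include <stdio.h>

#define FEAT_EL2 (1u << 0)
#define FEAT_EL3 (1u << 1)

/* Low bits of SPSR_ELx as a guest leaves them for a few common returns:
 * M[3:2] = EL, M[0] = SPSel ("t" uses SP_EL0, "h" uses SP_ELx). */
enum { SPSR_EL0t = 0x0, SPSR_EL1t = 0x4, SPSR_EL1h = 0x5,
       SPSR_EL2h = 0x9, SPSR_EL3h = 0xd };

/* Returns the EL the exception return lands in, or -1 when the saved
 * PSTATE asks for something that must be refused: an AArch32 target (not
 * modelled here), a reserved M encoding, an EL above the current one, or
 * an EL this CPU model does not implement. */
int eret_target_el(uint32_t spsr, unsigned cur_el, unsigned features)
{
    unsigned m  = spsr & 0x1f;
    unsigned el = (m >> 2) & 3;

    if (m & (1u << 4)) return -1;                 /* AArch32 mode encoding */
    if (m & (1u << 1)) return -1;                 /* M[1] is reserved */
    if (el == 0 && (m & 1)) return -1;            /* EL0 has no "h" form */
    if (el > cur_el) return -1;                   /* ERET may never raise the EL */
    if (el == 2 && !(features & FEAT_EL2)) return -1;
    if (el == 3 && !(features & FEAT_EL3)) return -1;
    return (int)el;
}

int main(void)
{
    /* EL1 -> EL0 is fine; EL1 -> EL2 is an escalation; EL3 -> EL2 only
     * works on a model that implements EL2. */
    printf("EL1 to EL0t: %d\n", eret_target_el(SPSR_EL0t, 1, 0));
    printf("EL1 to EL2h: %d\n", eret_target_el(SPSR_EL2h, 1, FEAT_EL2));
    printf("EL3 to EL2h, no EL2: %d\n", eret_target_el(SPSR_EL2h, 3, FEAT_EL3));
    printf("EL3 to EL2h, with EL2: %d\n",
           eret_target_el(SPSR_EL2h, 3, FEAT_EL2 | FEAT_EL3));
    return 0;
}
```

The escalation check is the one that matters for guest isolation: a lower EL controls the SPSR it hands to ERET, so the target EL must be compared against the current EL, not trusted.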

[Qemu-devel] [PATCH v1 14/22] target-arm: Register EL3 versions of ELR and SPSR

2014-05-05 Thread Edgar E. Iglesias
From: "Edgar E. Iglesias" Signed-off-by: Edgar E. Iglesias --- target-arm/helper.c | 16 1 file changed, 16 insertions(+) diff --git a/target-arm/helper.c b/target-arm/helper.c index 8efc340..65daeaf 100644 --- a/target-arm/helper.c +++ b/target-arm/helper.c @@ -2091,6 +2091,1

[Qemu-devel] [PATCH v1 13/22] target-arm: Register EL2 versions of ELR and SPSR

2014-05-05 Thread Edgar E. Iglesias
From: "Edgar E. Iglesias" Signed-off-by: Edgar E. Iglesias --- target-arm/helper.c | 17 + 1 file changed, 17 insertions(+) diff --git a/target-arm/helper.c b/target-arm/helper.c index ba1830d..8efc340 100644 --- a/target-arm/helper.c +++ b/target-arm/helper.c @@ -2078,6 +2078,

[Qemu-devel] [PATCH v1 12/22] target-arm: Add a feature flag for EL3

2014-05-05 Thread Edgar E. Iglesias
From: "Edgar E. Iglesias" Signed-off-by: Edgar E. Iglesias --- target-arm/cpu.h | 1 + 1 file changed, 1 insertion(+) diff --git a/target-arm/cpu.h b/target-arm/cpu.h index d2e52d4..34e8f7c 100644 --- a/target-arm/cpu.h +++ b/target-arm/cpu.h @@ -637,6 +637,7 @@ enum arm_features { ARM_FE

[Qemu-devel] [PATCH v1 10/22] target-arm: A64: Introduce arm64_banked_spsr_index()

2014-05-05 Thread Edgar E. Iglesias
From: "Edgar E. Iglesias" Add arm64_banked_spsr_index(), used to map an Exception Level to an index in the banked_spsr array. Signed-off-by: Edgar E. Iglesias --- target-arm/helper-a64.c | 5 +++-- target-arm/internals.h | 14 ++ target-arm/op_helper.c | 3 ++- 3 files changed,

[Qemu-devel] [PATCH v1 11/22] target-arm: Add a feature flag for EL2

2014-05-05 Thread Edgar E. Iglesias
From: "Edgar E. Iglesias" Signed-off-by: Edgar E. Iglesias --- target-arm/cpu.h | 1 + 1 file changed, 1 insertion(+) diff --git a/target-arm/cpu.h b/target-arm/cpu.h index 6e6625b..d2e52d4 100644 --- a/target-arm/cpu.h +++ b/target-arm/cpu.h @@ -636,6 +636,7 @@ enum arm_features { ARM_FE

[Qemu-devel] [PATCH v1 09/22] target-arm: Add SPSR entries for EL2/HYP and EL3/MON

2014-05-05 Thread Edgar E. Iglesias
From: "Edgar E. Iglesias" Signed-off-by: Edgar E. Iglesias --- target-arm/cpu.h | 4 +++- target-arm/helper.c | 4 target-arm/machine.c | 8 3 files changed, 11 insertions(+), 5 deletions(-) diff --git a/target-arm/cpu.h b/target-arm/cpu.h index fd8ce70..6e6625b 100644 --- a

[Qemu-devel] [PATCH v1 08/22] target-arm: A64: Add ELR entries for EL2 and 3

2014-05-05 Thread Edgar E. Iglesias
From: "Edgar E. Iglesias" Signed-off-by: Edgar E. Iglesias --- target-arm/cpu.h | 2 +- target-arm/machine.c | 8 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/target-arm/cpu.h b/target-arm/cpu.h index 7bac416..fd8ce70 100644 --- a/target-arm/cpu.h +++ b/target-arm

[Qemu-devel] [PATCH v1 07/22] target-arm: A64: Add SP entries for EL2 and 3

2014-05-05 Thread Edgar E. Iglesias
From: "Edgar E. Iglesias" Signed-off-by: Edgar E. Iglesias --- target-arm/cpu.h | 2 +- target-arm/machine.c | 8 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/target-arm/cpu.h b/target-arm/cpu.h index 938f389..7bac416 100644 --- a/target-arm/cpu.h +++ b/target-arm

[Qemu-devel] [PATCH v1 05/22] target-arm: Add arm_el_to_mmu_idx()

2014-05-05 Thread Edgar E. Iglesias
From: "Edgar E. Iglesias" Maps a given EL to the corresponding MMU index. Signed-off-by: Edgar E. Iglesias --- target-arm/cpu.h | 21 - target-arm/translate-a64.c | 8 ++-- 2 files changed, 22 insertions(+), 7 deletions(-) diff --git a/target-arm/cpu.h b/tar

[Qemu-devel] [PATCH v1 06/22] target-arm: Move get_mem_index to translate.h

2014-05-05 Thread Edgar E. Iglesias
From: "Edgar E. Iglesias" So that it can be shared with the A32 code in the future. Signed-off-by: Edgar E. Iglesias --- target-arm/translate-a64.c | 5 - target-arm/translate.h | 5 + 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/target-arm/translate-a64.c b/targe

[Qemu-devel] [PATCH v1 04/22] target-arm: c12_vbar -> vbar_el[]

2014-05-05 Thread Edgar E. Iglesias
From: "Edgar E. Iglesias" No functional change. Preparation for adding EL2 and 3 versions of this reg. Signed-off-by: Edgar E. Iglesias --- target-arm/cpu.h| 3 ++- target-arm/helper-a64.c | 2 +- target-arm/helper.c | 6 +++--- 3 files changed, 6 insertions(+), 5 deletions(-) dif

[Qemu-devel] [PATCH v1 03/22] target-arm: Make esr_el1 an array

2014-05-05 Thread Edgar E. Iglesias
From: "Edgar E. Iglesias" No functional change. Prepares for future addition of EL2 and 3 versions of this reg. Signed-off-by: Edgar E. Iglesias --- target-arm/cpu.h| 3 ++- target-arm/helper-a64.c | 4 ++-- target-arm/helper.c | 11 ++- 3 files changed, 10 insertions(+),

[Qemu-devel] [PATCH v1 02/22] target-arm: Make elr_el1 an array

2014-05-05 Thread Edgar E. Iglesias
From: "Edgar E. Iglesias" No functional change. Prepares for future additions of the EL2 and 3 versions of this reg. Signed-off-by: Edgar E. Iglesias --- target-arm/cpu.h| 3 ++- target-arm/helper-a64.c | 4 ++-- target-arm/helper.c | 3 ++- target-arm/kvm64.c | 4 ++-- target

[Qemu-devel] [PATCH v1 01/22] target-arm: A64: Add friendly logging of PSTATE A and I flags

2014-05-05 Thread Edgar E. Iglesias
From: "Edgar E. Iglesias" Signed-off-by: Edgar E. Iglesias --- target-arm/translate-a64.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/target-arm/translate-a64.c b/target-arm/translate-a64.c index b62db4d..4f8246f 100644 --- a/target-arm/translate-a64.c +++ b/target-ar

[Qemu-devel] [PATCH v1 00/22] target-arm: Preparations for A64 EL2 and 3

2014-05-05 Thread Edgar E. Iglesias
From: "Edgar E. Iglesias" Hi, I've been doing some work on modeling parts of EL2 and 3 + some of the system-wide virtualization features for ARMv8. A lot is missing but I've got a series with enough to for example run KVM A64 guests on top of EL3 firmware inside emulated QEMU A64 VMs. I'm workin

[Qemu-devel] [PATCH] linux-user: Return correct errno for unsupported netlink socket

2014-05-05 Thread Ed Swierk
This fixes "Cannot open audit interface - aborting." when the EAFNOSUPPORT errno differs between the target and host architectures (e.g. mips target and x86_64 host). Signed-off-by: Ed Swierk --- linux-user/syscall.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/linux-user/

Re: [Qemu-devel] [RFC PATCH V4 4/6] hw/arm/virt: Use PSCI v0.2 compatible when kernel supports it

2014-05-05 Thread Pranavkumar Sawargaonkar
Hi Rob, Peter, On 5 May 2014 20:13, Peter Maydell wrote: > On 5 May 2014 15:09, Rob Herring wrote: >> On Mon, May 5, 2014 at 9:06 AM, Rob Herring wrote: >>> This does not compile for me: >>> >>> CCaarch64-softmmu/hw/arm/virt.o >>> hw/arm/virt.c: In function ‘create_fdt’: >>> hw/arm/virt.c

Re: [Qemu-devel] [PATCH v2 2/2] qapi: Allow setting default values for optional parameters

2014-05-05 Thread Fam Zheng
On Mon, 05/05 21:09, Eric Blake wrote: > On 05/05/2014 07:30 PM, Fam Zheng wrote: > > >> NAME: { 'type': TYPE, 'default': DEFAULT } > >> > >> where > >> > >> NAME: { 'type': TYPE } > >> > >> can be abbreviated to > >> > >> NAME: TYPE > > > > > In data definition, we allow inline sub-

[Qemu-devel] [PATCH net v1 1/1] net: xilinx_ethlite: Fix Rx-pong interrupt

2014-05-05 Thread Peter Crosthwaite
There is no CTRL_I bit in the pong buffer control register. The CTRL_I bit from the ping buffer masks both ping and pong buffers. Fix. Signed-off-by: Peter Crosthwaite --- hw/net/xilinx_ethlite.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/hw/net/xilinx_ethlite.c b/hw/

Re: [Qemu-devel] [PATCH v2 2/2] qapi: Allow setting default values for optional parameters

2014-05-05 Thread Eric Blake
On 05/05/2014 07:30 PM, Fam Zheng wrote: >> NAME: { 'type': TYPE, 'default': DEFAULT } >> >> where >> >> NAME: { 'type': TYPE } >> >> can be abbreviated to >> >> NAME: TYPE > > In data definition, we allow inline sub-structure: > > { 'type': 'VersionInfo', > 'data': {'qemu': {'maj

Re: [Qemu-devel] [PATCH] [v2 PATCH] qemu-img: sort block formats in help message

2014-05-05 Thread Fam Zheng
On Mon, 05/05 12:53, Mike Day wrote: > The help message for qemu-img lists the supported block formats, of > which there are 27 as of version 2.0.50. The formats are printed in > the order of their driver's position in a linked list, which appears > random. This patch prints the formats in sorted o

[Qemu-devel] [PATCH v2] vmdk: Optimize cluster allocation

2014-05-05 Thread Fam Zheng
On mounted NFS filesystem, ftruncate is much much slower than doing a zero write. Changing this significantly speeds up cluster allocation. Comparing by converting a cirros image (296M) to VMDK on an NFS mount point, over 1Gbe LAN: $ time qemu-img convert cirros-0.3.1.img /mnt/a.raw -O vmdk

Re: [Qemu-devel] [PATCH v2 2/2] qapi: Allow setting default values for optional parameters

2014-05-05 Thread Fam Zheng
On Mon, 05/05 13:06, Markus Armbruster wrote: > Fam Zheng writes: > > An example command is: > > > > { 'command': 'my-command', > > - 'data': { 'arg1': 'str', '*arg2': 'str' }, > > + 'data': { 'arg1': 'str', '*arg2': 'str', '*arg3': 'int' }, > > + 'defaults': { 'arg2': 'default value fo

[Qemu-devel] [PATCH v2] qapi: Document optional arguments' backwards compatibility

2014-05-05 Thread Fam Zheng
Signed-off-by: Fam Zheng --- v2: Employ the text suggested by Eric. (Thanks!) Signed-off-by: Fam Zheng --- docs/qapi-code-gen.txt | 26 ++ 1 file changed, 22 insertions(+), 4 deletions(-) diff --git a/docs/qapi-code-gen.txt b/docs/qapi-code-gen.txt index d78921f..3e5cf

Re: [Qemu-devel] [PATCH v2 1/2] qdev: Implement named GPIOs

2014-05-05 Thread Peter Crosthwaite
On Tue, Apr 29, 2014 at 8:52 AM, Peter Crosthwaite wrote: > On Tue, Apr 29, 2014 at 12:54 AM, Peter Maydell > wrote: >> On 28 April 2014 01:45, Peter Crosthwaite >> wrote: >>> Implement named GPIOs on the Device layer. Listifies the existing GPIOs >>> stuff using string keys. Legacy un-named GP

Re: [Qemu-devel] [PATCH 33/35] pc: ACPI BIOS: reserve SRAT entry for hotplug mem hole

2014-05-05 Thread Hu Tao
On Mon, May 05, 2014 at 05:59:15PM +0200, Vasilis Liaskovitis wrote: > Hi, > > On Mon, Apr 14, 2014 at 06:44:42PM +0200, Igor Mammedov wrote: > > On Mon, 14 Apr 2014 15:25:01 +0800 > > Hu Tao wrote: > > > > > On Fri, Apr 04, 2014 at 03:36:58PM +0200, Igor Mammedov wrote: > > Could you be more sp

Re: [Qemu-devel] [PATCH] qapi: Document optional arguments' backwards compatibility

2014-05-05 Thread Fam Zheng
On Mon, 05/05 08:45, Eric Blake wrote: > On 05/05/2014 01:17 AM, Fam Zheng wrote: > > Signed-off-by: Fam Zheng > > --- > > docs/qapi-code-gen.txt | 6 -- > > 1 file changed, 4 insertions(+), 2 deletions(-) > > > > diff --git a/docs/qapi-code-gen.txt b/docs/qapi-code-gen.txt > > index d78921f

Re: [Qemu-devel] [PATCH v5 0/3] Add common QEMU control functionality to qemu-iotests

2014-05-05 Thread Fam Zheng
On Mon, 05/05 17:32, Kevin Wolf wrote: > Am 05.05.2014 um 17:21 hat Stefan Hajnoczi geschrieben: > > On Wed, Apr 30, 2014 at 10:55:07AM -0400, Jeff Cody wrote: > > > This adds some common functionality to control QEMU for qemu-iotests. > > > > > > Additionally, test 085 is updated to use this new

Re: [Qemu-devel] [PATCH v4 2/4] util/fifo: Generalise for common integer widths

2014-05-05 Thread Peter Crosthwaite
On Tue, Apr 29, 2014 at 2:57 AM, Peter Maydell wrote: > On 15 April 2014 04:18, Peter Crosthwaite > wrote: >> Add support for 16, 32 and 64 bit width FIFOs. The push and pop >> functions are replicated to accept all four different integer types. >> The element width of the FIFO is set at creatio

Re: [Qemu-devel] [PATCH v4 0/6] Data Driven device registers + Zynq DEVCFG

2014-05-05 Thread Peter Crosthwaite
Ping^2! On Thu, Apr 24, 2014 at 9:09 AM, Peter Crosthwaite wrote: > Ping! > > On Wed, Apr 9, 2014 at 5:15 PM, Peter Crosthwaite > wrote: >> Hi All. This is a new scheme i've come up with handling device registers in a >> data driven way. My motivation for this is to factor out a lot of the acces

Re: [Qemu-devel] KVM call minutes for 2014-04-29

2014-05-05 Thread Peter Crosthwaite
On Wed, Apr 30, 2014 at 1:20 AM, Juan Quintela wrote: > > > 2014-04-29 > -- > > - security (CVE) > New group to handle that issues responsible. > Mail is still not encrypted, would be. > mst writing a wiki page about it > what is the criteria to request (not) for a CVE number > L

Re: [Qemu-devel] [PATCH] kvmclock: Ensure time in migration never goes backward

2014-05-05 Thread Marcelo Tosatti
On Mon, May 05, 2014 at 08:23:43PM -0300, Marcelo Tosatti wrote: > Hi Alexander, > > On Mon, May 05, 2014 at 03:51:22PM +0200, Alexander Graf wrote: > > When we migrate we ask the kernel about its current belief on what the guest > > time would be. > > KVM_GET_CLOCK which returns the time in "st

Re: [Qemu-devel] [PATCH] kvmclock: Ensure time in migration never goes backward

2014-05-05 Thread Marcelo Tosatti
Marcin, Can you provide detailed instructions on how to reproduce the problem? Thanks On Mon, May 05, 2014 at 08:27:10PM -0300, Marcelo Tosatti wrote: > On Mon, May 05, 2014 at 08:26:04PM +0200, Marcin Gibuła wrote: > > >>is it possible to have kvmclock jumping forward? > > >> > > >>Because I'v

Re: [Qemu-devel] [PATCH] kvmclock: Ensure time in migration never goes backward

2014-05-05 Thread Marcelo Tosatti
On Mon, May 05, 2014 at 08:26:04PM +0200, Marcin Gibuła wrote: > >>is it possible to have kvmclock jumping forward? > >> > >>Because I've reproducible case when at about 1 per 20 vm restores, VM > >>freezes for couple of hours and then resumes with date few hundreds years > >>ahead. Happens only

Re: [Qemu-devel] [PATCH] kvmclock: Ensure time in migration never goes backward

2014-05-05 Thread Marcelo Tosatti
Hi Alexander, On Mon, May 05, 2014 at 03:51:22PM +0200, Alexander Graf wrote: > When we migrate we ask the kernel about its current belief on what the guest > time would be. KVM_GET_CLOCK which returns the time in "struct kvm_clock_data". > However, I've seen cases where the kvmclock guest stru

Re: [Qemu-devel] [PATCH V26 20/32] qed.c: replace QEMUOptionParameter with QemuOpts

2014-05-05 Thread Eric Blake
On 04/29/2014 03:10 AM, Chunyan Liu wrote: > One extra change is to define QED_DEFAULT_CLUSTER_SIZE = 65536 instead > of 64 * 1024; because: > according to existing create_options, "cluster size" has default value = > QED_DEFAULT_CLUSTER_SIZE, after switching to create_opts, this has to be > string

Re: [Qemu-devel] [PATCH v2 2/2] qapi: Allow setting default values for optional parameters

2014-05-05 Thread Eric Blake
On 05/05/2014 11:34 AM, Markus Armbruster wrote: >> >> Or, putting the question in reverse, you are asking if: >> >> data: { '*foo': 'str' } >> >> can blindly be rewritten into: >> >> data: { 'foo': { 'type': 'str', 'default': null } } >> >> and the rest of the introspection use the fact that 'defa

Re: [Qemu-devel] [PATCH 13/13] error: error_is_set() is finally unused; remove

2014-05-05 Thread Eric Blake
On 05/02/2014 06:44 AM, Markus Armbruster wrote: > Signed-off-by: Markus Armbruster > --- > include/qapi/error.h | 6 -- > util/error.c | 5 - > 2 files changed, 11 deletions(-) Of course, depends on several in-flight series. But assuming that all works out, Reviewed-by: Eric B

Re: [Qemu-devel] [PATCH 12/13] qapi: Replace uncommon use of the error API by the common one

2014-05-05 Thread Eric Blake
On 05/02/2014 06:44 AM, Markus Armbruster wrote: > We commonly use the error API like this: > > However, mixing the two techniques is confusing. You can't use the > "accumulate" technique with functions designed for the "check > separately" technique. You can use the "check separately" techniqu

[Qemu-devel] [PATCH 28/36] Count used RAMBlock pages for migration_dirty_pages

2014-05-05 Thread Juan Quintela
From: "Dr. David Alan Gilbert" This is a fix for a bug* triggered by a migration after hot unplugging a few virtio-net NICs, that caused migration never to converge, because 'migration_dirty_pages' is incorrectly initialised. 'migration_dirty_pages' is used as a tally of the number of outstandin

Re: [Qemu-devel] [PATCH v3 0/2] qapi: fix coding style in generated code

2014-05-05 Thread Paolo Bonzini
Il 05/05/2014 22:51, Luiz Capitulino ha scritto: On Mon, 28 Apr 2014 15:02:35 +0800 Amos Kong wrote: Not a serious issue, but it's helpful if we can fix it. V2: split change of scripts/qapi-visit.py to a split patch, eat space by using a special char as Markus suggested V3: update commitl

[Qemu-devel] [PATCH 16/36] tsc210x: fix buffer overrun on invalid state load

2014-05-05 Thread Juan Quintela
From: "Michael S. Tsirkin" CVE-2013-4539 s->precision, nextprecision, function and nextfunction come from wire and are used as idx into resolution[] in TSC_CUT_RESOLUTION. Validate after load to avoid buffer overrun. Cc: Andreas Färber Signed-off-by: Michael S. Tsirkin Signed-off-by: Juan Qu

[Qemu-devel] [PATCH 31/36] Coverity: Fix failure path for qemu_accept in migration

2014-05-05 Thread Juan Quintela
From: "Dr. David Alan Gilbert" Coverity defects 1005733 & 1005734 complain about passing a negative value to closesocket in the error paths on incoming migration. Stash the error value and print it in the message (previously we gave no indication of the reason for the failure) Use error_report

[Qemu-devel] [PATCH 02/36] vmstate: add VMS_MUST_EXIST

2014-05-05 Thread Juan Quintela
From: "Michael S. Tsirkin" Can be used to verify a required field exists or validate state in some other way. Signed-off-by: Michael S. Tsirkin Reviewed-by: Dr. David Alan Gilbert Signed-off-by: Juan Quintela --- include/migration/vmstate.h | 1 + vmstate.c | 10 ++

Re: [Qemu-devel] [PATCH v12 4/4] qapi: Add a primitive to include other files from a QAPI schema file

2014-05-05 Thread Lluís Vilanova
Luiz Capitulino writes: > On Fri, 2 May 2014 15:52:41 +0200 > Lluís Vilanova wrote: >> --- a/scripts/qapi.py >> +++ b/scripts/qapi.py >> @@ -11,6 +11,8 @@ >> # This work is licensed under the terms of the GNU GPL, version 2. >> # See the COPYING file in the top-level directory. >> >> +import o

[Qemu-devel] [PATCH 03/36] vmstate: add VMSTATE_VALIDATE

2014-05-05 Thread Juan Quintela
From: "Michael S. Tsirkin" Validate state using VMS_ARRAY with num = 0 and VMS_MUST_EXIST Signed-off-by: Michael S. Tsirkin Signed-off-by: Juan Quintela --- include/migration/vmstate.h | 8 1 file changed, 8 insertions(+) diff --git a/include/migration/vmstate.h b/include/migration/

Re: [Qemu-devel] [PATCH 11/13] tests: Don't call visit_end_struct() after visit_start_struct() fails

2014-05-05 Thread Eric Blake
On 05/02/2014 06:44 AM, Markus Armbruster wrote: > When visit_start_struct() succeeds, visit_end_struct() must not be As in 10/13, s/succeeds/fails/ > called. Three out of four visit_type_TestStruct() call it anyway. As > far as I can tell, visit_start_struct() doesn't actually fail there. > Fi

[Qemu-devel] [PATCH 24/36] virtio-net: out-of-bounds buffer write on load

2014-05-05 Thread Juan Quintela
From: "Michael S. Tsirkin" CVE-2013-4149 QEMU 1.3.0 out-of-bounds buffer write in virtio_net_load()@hw/net/virtio-net.c > } else if (n->mac_table.in_use) { > uint8_t *buf = g_malloc0(n->mac_table.in_use); We are allocating buffer of size n->mac_table.in_use > qe

[Qemu-devel] [PATCH 18/36] virtio-scsi: fix buffer overrun on invalid state load

2014-05-05 Thread Juan Quintela
From: "Michael S. Tsirkin" CVE-2013-4542 hw/scsi/scsi-bus.c invokes load_request. virtio_scsi_load_request does: qemu_get_buffer(f, (unsigned char *)&req->elem, sizeof(req->elem)); this probably can make elem invalid, for example, make in_num or out_num huge, then: virtio_scsi_parse_

[Qemu-devel] [PATCH 21/36] savevm: Ignore minimum_version_id_old if there is no load_state_old

2014-05-05 Thread Juan Quintela
From: Peter Maydell At the moment we require vmstate definitions to set minimum_version_id_old to the same value as minimum_version_id if they do not provide a load_state_old handler. Since the load_state_old functionality is required only for a handful of devices that need to retain migration co

[Qemu-devel] [PATCH 22/36] ssi-sd: fix buffer overrun on invalid state load

2014-05-05 Thread Juan Quintela
From: "Michael S. Tsirkin" CVE-2013-4537 s->arglen is taken from wire and used as idx in ssi_sd_transfer(). Validate it before access. Signed-off-by: Michael S. Tsirkin Signed-off-by: Juan Quintela --- hw/sd/ssi-sd.c | 9 + 1 file changed, 9 insertions(+) diff --git a/hw/sd/ssi-sd.

[Qemu-devel] [PATCH 14/36] pxa2xx: avoid buffer overrun on incoming migration

2014-05-05 Thread Juan Quintela
From: "Michael S. Tsirkin" CVE-2013-4533 s->rx_level is read from the wire and used to determine how many bytes to subsequently read into s->rx_fifo[]. If s->rx_level exceeds the length of s->rx_fifo[] the buffer can be overrun with arbitrary data from the wire. Fix this by validating rx_level

[Qemu-devel] [PATCH 25/36] virtio: validate config_len on load

2014-05-05 Thread Juan Quintela
From: "Michael S. Tsirkin" Malformed input can have config_len in migration stream exceed the array size allocated on destination, the result will be heap overflow. To fix, check that config_len matches on both sides. CVE-2014-0182 Reported-by: "Dr. David Alan Gilbert" Signed-off-by: Michael S. Tsi

[Qemu-devel] [PATCH 29/36] Provide init function for ram migration

2014-05-05 Thread Juan Quintela
From: "Dr. David Alan Gilbert" Provide ram_mig_init (like blk_mig_init) for vl.c to initialise stuff to do with ram migration (currently in arch_init.c). Signed-off-by: Dr. David Alan Gilbert Reviewed-by: Gonglei Reviewed-by: Markus Armbruster Signed-off-by: Juan Quintela --- arch_init.c

Re: [Qemu-devel] [PATCH v2] qapi: treat all negative return of strtosz_suffix() as error

2014-05-05 Thread Luiz Capitulino
On Mon, 28 Apr 2014 13:53:49 +0800 Amos Kong wrote: > strtosz_suffix() might return negative error, this patch fixes > the error handling. > > This patch also changes to handle error in the if statement > rather than handle success specially, this will make this use > of strtosz_suffix consisten

Re: [Qemu-devel] [PATCH v3 0/2] qapi: fix coding style in generated code

2014-05-05 Thread Luiz Capitulino
On Mon, 5 May 2014 16:51:04 -0400 Luiz Capitulino wrote: > On Mon, 28 Apr 2014 15:02:35 +0800 > Amos Kong wrote: > > > Not a serious issue, but it's helpful if we can fix it. > > > > V2: split change of scripts/qapi-visit.py to a split patch, > > eat space by using a special char as Markus

Re: [Qemu-devel] [PATCH 10/13] hw: Don't call visit_end_struct() after visit_start_struct() fails

2014-05-05 Thread Eric Blake
On 05/02/2014 06:44 AM, Markus Armbruster wrote: > When visit_start_struct() succeeds, visit_end_struct() must not be s/succeeds/fails/ (this really confused me on my first read, until I saw the code and the subject line and determined the typo) > called. rtc_get_date() and balloon_stats_all() c

[Qemu-devel] [Bug 1307473] Re: guest hang due to missing clock interrupt

2014-05-05 Thread Damjan Marion
Both systems I mentioned above were upgraded from precise to trusty. After reinstalling them with a clean install the issue disappeared and VMs are not crashing anymore. -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.n

Re: [Qemu-devel] [PATCH v3 0/2] qapi: fix coding style in generated code

2014-05-05 Thread Luiz Capitulino
On Mon, 28 Apr 2014 15:02:35 +0800 Amos Kong wrote: > Not a serious issue, but it's helpful if we can fix it. > > V2: split change of scripts/qapi-visit.py to a split patch, > eat space by using a special char as Markus suggested > V3: update commitlog, update special string, fix of adding >

Re: [Qemu-devel] [PATCH 09/13] hmp: Call visit_end_struct() after visit_start_struct() succeeds

2014-05-05 Thread Eric Blake
On 05/02/2014 06:44 AM, Markus Armbruster wrote: > When visit_start_struct() succeeds, visit_end_struct() must be called. > hmp_object_add() doesn't when a member visit fails. As far as I can > tell, the opts visitor copes okay with the misuse. Fix it anyway. > > Signed-off-by: Markus Armbruster

[Qemu-devel] [PATCH 12/36] virtio: avoid buffer overrun on incoming migration

2014-05-05 Thread Juan Quintela
From: Michael Roth CVE-2013-6399 vdev->queue_sel is read from the wire, and later used in the emulation code as an index into vdev->vq[]. If the value of vdev->queue_sel exceeds the length of vdev->vq[], currently allocated to be VIRTIO_PCI_QUEUE_MAX elements, subsequent PIO operations such as V

[Qemu-devel] [PATCH 35/36] migration: expose the bitmap_sync_count to the end

2014-05-05 Thread Juan Quintela
From: ChenLiang expose the count that logs the times of updating the dirty bitmap to end user. Signed-off-by: ChenLiang Signed-off-by: Gonglei Reviewed-by: Eric Blake Signed-off-by: Juan Quintela --- arch_init.c | 1 + hmp.c | 2 ++ include/migrat

Re: [Qemu-devel] [PATCH 08/13] qapi: Un-inline visit of implicit struct

2014-05-05 Thread Eric Blake
On 05/02/2014 06:44 AM, Markus Armbruster wrote: > In preparation of error handling changes. Bonus: generates less > duplicated code. > > Signed-off-by: Markus Armbruster > --- > scripts/qapi-visit.py | 48 ++-- > 1 file changed, 34 insertions(+), 14

[Qemu-devel] [PATCH 33/36] XBZRLE: Fix one XBZRLE corruption issues

2014-05-05 Thread Juan Quintela
From: ChenLiang The page may not be inserted into cache after executing save_xbzrle_page. In case of failure to insert, the original page should be sent rather than the page in the cache. Signed-off-by: ChenLiang Signed-off-by: Gonglei Reviewed-by: Juan Quintela Signed-off-by: Juan Quintela

Re: [Qemu-devel] [PATCH 07/13] qapi-visit.py: Clean up a sloppy use of field prefix

2014-05-05 Thread Eric Blake
On 05/02/2014 06:44 AM, Markus Armbruster wrote: > generate_visit_struct_fields() generates the base type's struct member > name both with and without the field prefix. Harmless, because the > field prefix is always empty there: only unboxed complex members have > a prefix, and those can't have a

[Qemu-devel] [PATCH 08/36] hpet: fix buffer overrun on invalid state load

2014-05-05 Thread Juan Quintela
From: "Michael S. Tsirkin" CVE-2013-4527 hw/timer/hpet.c buffer overrun hpet is a VARRAY with a uint8 size but static array of 32 To fix, make sure num_timers is valid using VMSTATE_VALID hook. Reported-by: Anthony Liguori Signed-off-by: Michael S. Tsirkin Reviewed-by: Dr. David Alan Gilbert

[Qemu-devel] [PATCH 32/36] migration: remove duplicate code

2014-05-05 Thread Juan Quintela
From: ChenLiang version_id is checked twice in the ram_load. Signed-off-by: ChenLiang Signed-off-by: Gonglei Signed-off-by: Juan Quintela --- arch_init.c | 68 ++--- 1 file changed, 33 insertions(+), 35 deletions(-) diff --git a/arch_i

[Qemu-devel] [PATCH 27/36] Make qemu_peek_buffer loop until it gets its data

2014-05-05 Thread Juan Quintela
From: "Dr. David Alan Gilbert" Make qemu_peek_buffer repeatedly call fill_buffer until it gets all the data it requires, or until there is an error. At the moment, qemu_peek_buffer will try one qemu_fill_buffer if there isn't enough data waiting, however the kernel is entitled to return ju
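Added example, not QEMU code: the short-read problem the patch above describes, shown with a mock byte source that, like a socket, is entitled to hand back fewer bytes than requested. read_once is the single fill attempt; read_full is the loop that keeps going until it has everything, reaches end of stream, or hits an error. short_src, the payload and all function names are hypothetical stand-ins for qemu_fill_buffer() and the QEMUFile it reads from.

```c
/* Added example, not QEMU code: reading a fixed amount from a source that
 * may return short reads. All names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <errno.h>
#include <stdio.h>

#define PAYLOAD_LEN 40

struct short_src {
    const uint8_t *data;
    size_t len, pos;
    size_t chunk;        /* max bytes handed out per call: the short read */
    int fail_on_call;    /* -1 never; otherwise the call index that errors */
    int calls;
};

/* One read: up to 'want' bytes, possibly fewer, 0 at end of stream,
 * -1 with errno set on error, the contract of a socket read(). */
static long src_read(struct short_src *s, uint8_t *dst, size_t want)
{
    if (s->fail_on_call >= 0 && s->calls == s->fail_on_call) {
        errno = EIO;
        return -1;
    }
    s->calls++;
    size_t n = want < s->chunk ? want : s->chunk;
    if (n > s->len - s->pos) n = s->len - s->pos;
    memcpy(dst, s->data + s->pos, n);
    s->pos += n;
    return (long)n;
}

/* Old behaviour: one fill attempt, so the caller can get a partial buffer. */
long read_once(struct short_src *s, uint8_t *dst, size_t need)
{
    return src_read(s, dst, need);
}

/* Fixed behaviour: loop until 'need' bytes are in dst. Returns the count
 * (below 'need' only at end of stream) or -1 on error; EINTR is retried. */
long read_full(struct short_src *s, uint8_t *dst, size_t need)
{
    size_t got = 0;
    while (got < need) {
        long n = src_read(s, dst + got, need - got);
        if (n < 0) {
            if (errno == EINTR) continue;
            return -1;
        }
        if (n == 0) break;                        /* end of stream */
        got += (size_t)n;
    }
    return (long)got;
}

/* Constructed 40-byte payload (test data, not a real migration stream). */
static const uint8_t payload[PAYLOAD_LEN] =
    "0123456789abcdefghijklmnopqrstuvwxyzABCD";

/* Ask for the whole payload from a source yielding at most 'chunk' per call. */
long bytes_from_read_once(size_t chunk)
{
    uint8_t buf[PAYLOAD_LEN];
    struct short_src s = { payload, PAYLOAD_LEN, 0, chunk, -1, 0 };
    return read_once(&s, buf, PAYLOAD_LEN);
}

/* Same with the loop; 'need' may exceed the payload to exercise end of stream.
 * Returns -2 if the bytes that arrived are not the payload bytes, in order. */
long bytes_from_read_full(size_t chunk, int fail_on_call, size_t need)
{
    uint8_t buf[64];
    struct short_src s = { payload, PAYLOAD_LEN, 0, chunk, fail_on_call, 0 };
    if (need > sizeof(buf)) return -3;
    long n = read_full(&s, buf, need);
    if (n > 0 && memcmp(buf, payload, (size_t)n) != 0) return -2;
    return n;
}

int main(void)
{
    printf("read_once, 7-byte chunks: %ld of %d\n", bytes_from_read_once(7), PAYLOAD_LEN);
    printf("read_full, 7-byte chunks: %ld of %d\n", bytes_from_read_full(7, -1, PAYLOAD_LEN), PAYLOAD_LEN);
    printf("read_full, asked for 64:  %ld (end of stream)\n", bytes_from_read_full(7, -1, 64));
    printf("read_full, error on 3rd call: %ld\n", bytes_from_read_full(7, 2, PAYLOAD_LEN));
    return 0;
}
```

A caller that treats the return of read_once as "the buffer is full" parses whatever happened to be in the rest of dst; the loop makes a short count mean end of stream and nothing else.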

Re: [Qemu-devel] [PATCH 06/13] qapi: Clean up shadowing of parameters and locals in inner scopes

2014-05-05 Thread Eric Blake
On 05/02/2014 06:44 AM, Markus Armbruster wrote: > By un-inlining the visit of nested complex types. > > Signed-off-by: Markus Armbruster > --- > scripts/qapi-visit.py | 20 +--- > 1 file changed, 17 insertions(+), 3 deletions(-) > > @@ -106,8 +122,6 @@ if (!error_is_set(errp))

Re: [Qemu-devel] [v5 PATCH 0/2] apic: bump emulated lapic version to 0x14

2014-05-05 Thread Alexander Graf
On 05.05.14 20:08, Gabriel L. Somlo wrote: On Mon, May 05, 2014 at 07:38:58PM +0200, Andreas Färber wrote: Yes, with that patch it's okay, you just forgot to mention that dependency in your cover letter - also a change log from v1 is missing. Instead of quoting Alex in the cover letter, you sho

[Qemu-devel] [PATCH 34/36] migration: Add counts of updating the dirty bitmap

2014-05-05 Thread Juan Quintela
From: ChenLiang Add counts to log the times of updating the dirty bitmap. Signed-off-by: ChenLiang Signed-off-by: Gonglei Reviewed-by: Eric Blake Signed-off-by: Juan Quintela --- arch_init.c | 5 + 1 file changed, 5 insertions(+) diff --git a/arch_init.c b/arch_init.c index 0ffecee..c0

[Qemu-devel] [PATCH 20/36] usb: sanity check setup_index+setup_len in post_load

2014-05-05 Thread Juan Quintela
From: "Michael S. Tsirkin" CVE-2013-4541 s->setup_len and s->setup_index are fed into usb_packet_copy as size/offset into s->data_buf, it's possible for invalid state to exploit this to load arbitrary data. setup_len and setup_index should be checked to make sure they are not negative. Cc: Ger

Re: [Qemu-devel] [PATCH 00/26] Merge ppc32/ppc64 tcg backends

2014-05-05 Thread Tom Musta
On 5/2/2014 11:43 AM, Richard Henderson wrote: > On 05/02/2014 09:30 AM, Ulrich Weigand wrote: >> Richard Henderson wrote on 01.05.2014 17:44:21: >> >>> Please review, and if you've got an ELFv2 system (nudge nudge), please >>> give it a try and make sure it works. >> >> I ran into illegal instruc

[Qemu-devel] [PATCH 23/36] openpic: avoid buffer overrun on incoming migration

2014-05-05 Thread Juan Quintela
From: Michael Roth CVE-2013-4534 opp->nb_cpus is read from the wire and used to determine how many IRQDest elements to read into opp->dst[]. If the value exceeds the length of opp->dst[], MAX_CPU, opp->dst[] can be overrun with arbitrary data from the wire. Fix this by failing migration if the

[Qemu-devel] [PATCH 06/36] virtio: out-of-bounds buffer write on invalid state load

2014-05-05 Thread Juan Quintela
From: "Michael S. Tsirkin" CVE-2013-4151 QEMU 1.0 out-of-bounds buffer write in virtio_load@hw/virtio/virtio.c So we have this code since way back when: num = qemu_get_be32(f); for (i = 0; i < num; i++) { vdev->vq[i].vring.num = qemu_get_be32(f); array of vqs has size VIRTIO_P

[Qemu-devel] [PATCH 01/36] vmstate: reduce code duplication

2014-05-05 Thread Juan Quintela
From: "Michael S. Tsirkin" move size offset and number of elements math out to functions, to reduce code duplication. Signed-off-by: Michael S. Tsirkin Cc: "Dr. David Alan Gilbert" Signed-off-by: Juan Quintela --- vmstate.c | 100 --

[Qemu-devel] [PATCH 36/36] migration: expose xbzrle cache miss rate

2014-05-05 Thread Juan Quintela
From: ChenLiang expose xbzrle cache miss rate Signed-off-by: ChenLiang Signed-off-by: Gonglei Reviewed-by: Eric Blake Signed-off-by: Juan Quintela --- arch_init.c | 18 ++ hmp.c | 2 ++ include/migration/migration.h | 1 + migratio

[Qemu-devel] [PATCH 13/36] virtio: validate num_sg when mapping

2014-05-05 Thread Juan Quintela
From: "Michael S. Tsirkin" CVE-2013-4535 CVE-2013-4536 Both virtio-block and virtio-serial read, VirtQueueElements are read in as buffers, and passed to virtqueue_map_sg(), where num_sg is taken from the wire and can force writes to indices beyond VIRTQUEUE_MAX_SIZE. To fix, validate num_sg.

[Qemu-devel] [PATCH 26/36] Disallow outward migration while awaiting incoming migration

2014-05-05 Thread Juan Quintela
From: "Dr. David Alan Gilbert" QEMU will assert if you attempt to start an outgoing migration on a QEMU that's sitting waiting for an incoming migration (started with -incoming), so disallow it with a proper error. (This is a fix for https://bugzilla.redhat.com/show_bug.cgi?id=1086987 ) Signed-

Re: [Qemu-devel] [PATCH v12 4/4] qapi: Add a primitive to include other files from a QAPI schema file

2014-05-05 Thread Luiz Capitulino
On Fri, 2 May 2014 15:52:41 +0200 Lluís Vilanova wrote: > --- a/scripts/qapi.py > +++ b/scripts/qapi.py > @@ -11,6 +11,8 @@ > # This work is licensed under the terms of the GNU GPL, version 2. > # See the COPYING file in the top-level directory. > > +import os > +import re > from ordereddic

[Qemu-devel] [PATCH 10/36] pl022: fix buffer overrun on invalid state load

2014-05-05 Thread Juan Quintela
From: "Michael S. Tsirkin" CVE-2013-4530 pl022.c did not bounds check tx_fifo_head and rx_fifo_head after loading them from file and before they are used to dereference array. Reported-by: Michael S. Tsirkin Signed-off-by: Michael S. Tsirkin Signed-off-by: Juan Quintela --- hw/ssi/pl022.c |

[Qemu-devel] [PATCH 17/36] zaurus: fix buffer overrun on invalid state load

2014-05-05 Thread Juan Quintela
From: "Michael S. Tsirkin" CVE-2013-4540 Within scoop_gpio_handler_update, if prev_level has a high bit set, then we get bit > 16 and that causes a buffer overrun. Since prev_level comes from wire indirectly, this can happen on invalid state load. Similarly for gpio_level and gpio_dir. To fix

[Qemu-devel] [PULL 12/20] qtest: Assure that init_socket()'s listen() does not fail

2014-05-05 Thread Andreas Färber
In practice this seems very unlikely, so cleanup is neglected, as done for bind(). Reviewed-by: Stefan Hajnoczi Signed-off-by: Andreas Färber --- tests/libqtest.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tests/libqtest.c b/tests/libqtest.c index 8155695..232f781 100

[Qemu-devel] [PATCH 30/36] Init the XBZRLE.lock in ram_mig_init

2014-05-05 Thread Juan Quintela
From: "Dr. David Alan Gilbert" Initialising the XBZRLE.lock earlier simplifies the lock use. Based on Markus's patch in: http://lists.gnu.org/archive/html/qemu-devel/2014-03/msg03879.html Signed-off-by: Dr. David Alan Gilbert Reviewed-by: Gonglei Reviewed-by: Markus Armbruster Signed-off-by:

[Qemu-devel] [PATCH 15/36] ssd0323: fix buffer overrun on invalid state load

2014-05-05 Thread Juan Quintela
From: "Michael S. Tsirkin" CVE-2013-4538 s->cmd_len used as index in ssd0323_transfer() to store 32-bit field. Possible this field might then be supplied by guest to overwrite a return addr somewhere. Same for row/col fields, which are indices into framebuffer array. To fix validate after load

[Qemu-devel] [PATCH 09/36] hw/pci/pcie_aer.c: fix buffer overruns on invalid state load

2014-05-05 Thread Juan Quintela
From: "Michael S. Tsirkin" 4) CVE-2013-4529 hw/pci/pcie_aer.c pcie aer log can overrun the buffer if log_num is too large There are two issues in this file: 1. log_max from remote can be larger than on local then buffer will overrun with data coming from state file. 2. lo

[Qemu-devel] [PATCH 19/36] vmstate: s/VMSTATE_INT32_LE/VMSTATE_INT32_POSITIVE_LE/

2014-05-05 Thread Juan Quintela
From: "Michael S. Tsirkin" As the macro verifies the value is positive, rename it to make the function clearer. Signed-off-by: Michael S. Tsirkin Signed-off-by: Juan Quintela --- hw/pci/pci.c| 4 ++-- include/migration/vmstate.h | 2 +- target-arm/machine.c| 2 +- 3 fi

[Qemu-devel] [PATCH 04/36] virtio-net: fix buffer overflow on invalid state load

2014-05-05 Thread Juan Quintela
From: "Michael S. Tsirkin" CVE-2013-4148 QEMU 1.0 integer conversion in virtio_net_load()@hw/net/virtio-net.c Deals with loading a corrupted savevm image. > n->mac_table.in_use = qemu_get_be32(f); in_use is int so it can get negative when assigned 32bit unsigned value. > /* MA

[Qemu-devel] [PATCH 11/36] vmstate: fix buffer overflow in target-arm/machine.c

2014-05-05 Thread Juan Quintela
From: "Michael S. Tsirkin" CVE-2013-4531 cpreg_vmstate_indexes is a VARRAY_INT32. A negative value for cpreg_vmstate_array_len will cause a buffer overflow. VMSTATE_INT32_LE was supposed to protect against this but doesn't because it doesn't validate that input is non-negative. Fix this macro

[Qemu-devel] [PATCH 07/36] ahci: fix buffer overrun on invalid state load

2014-05-05 Thread Juan Quintela
From: "Michael S. Tsirkin" CVE-2013-4526 Within hw/ide/ahci.c, VARRAY refers to ports which is also loaded. So we use the old version of ports to read the array but then allow any value for ports. This can cause the code to overflow. There's no reason to migrate ports - it never changes. So j

[Qemu-devel] [PATCH 05/36] virtio-net: out-of-bounds buffer write on invalid state load

2014-05-05 Thread Juan Quintela
From: "Michael S. Tsirkin" CVE-2013-4150 QEMU 1.5.0 out-of-bounds buffer write in virtio_net_load()@hw/net/virtio-net.c This code is in hw/net/virtio-net.c: if (n->max_queues > 1) { if (n->max_queues != qemu_get_be16(f)) { error_report("virtio-net: different max_queues "

[Qemu-devel] [PULL 00/36] migration queue

2014-05-05 Thread Juan Quintela
/migration/20140505 for you to fetch changes up to 8bc3923343e91902ca541112b3bdb5448f8d288e: migration: expose xbzrle cache miss rate (2014-05-05 22:15:03 +0200) migration/next fo
