diff --git a/Makefile b/Makefile index da36a9f..3c0bb4c 100644 --- a/Makefile +++ b/Makefile @@ -1,6 +1,6 @@ # also update debian/changelog -KVMVER=2.7.1 -KVMPKGREL=4 +KVMVER=2.9.0 +KVMPKGREL=1~rc2+5 KVMPACKAGE = pve-qemu-kvm KVMSRC = qemu @@ -30,7 +30,6 @@ $(DEB): | submodule rm -rf $(BUILDSRC) mkdir $(BUILDSRC) cp -a $(KVMSRC)/* $(BUILDSRC)/ - tar -C $(BUILDSRC) -xJf efi-roms-1182.tar.xz cp -a debian $(BUILDSRC)/debian echo "git clone git://git.proxmox.com/git/pve-qemu-kvm.git\\ngit checkout $(GITVERSION)" > $(BUILDSRC)/debian/SOURCE # set package version @@ -40,7 +39,7 @@ $(DEB): | submodule .PHONY: upload upload: $(DEBS) - tar cf - $(DEBS) | ssh repoman@repo.proxmox.com upload --produce pve --dist jessie + tar cf - ${DEBS} | ssh repoman@repo.proxmox.com upload --product pve --dist stretch .PHONY: distclean distclean: clean diff --git a/debian/changelog b/debian/changelog index 699e451..9e5f75b 100644 --- a/debian/changelog +++ b/debian/changelog 
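Review bot: In the `upload` recipe, `tar cf - ${DEBS} | ssh repoman@repo.proxmox.com upload --product pve --dist stretch` runs under make's default `/bin/sh -c`, so only the exit status of `ssh` decides whether the target succeeds. If tar fails part-way (for example on a missing .deb), a truncated archive can still be sent and the recipe reports success. Consider writing the archive to a temporary file and uploading it only after tar succeeds, or running this recipe under a shell with `pipefail` enabled. Nothing visible in this hunk checksums or signs the packages before they leave the build host; if the server-side `upload` command is what verifies them, a one-line comment saying so would help. The recipe now uses `${DEBS}` while the prerequisite list keeps `$(DEBS)`; pick one form.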
@@ -1,3 +1,53 @@
+pve-qemu-kvm (2.9.0-1~rc2+5) unstable; urgency=medium
+
+ * fix a crash caused by the zeroinit filter in drive-mirror
+
+ -- Proxmox Support Team Fri, 31 Mar 2017 09:31:38 +0200
+
+pve-qemu-kvm (2.9.0-1~rc2+4) unstable; urgency=medium
+
+ * fix data loss when sending backups through pipes on kernel >= 4.5
+
+ -- Proxmox Support Team Thu, 30 Mar 2017 16:07:52 +0200
+
+pve-qemu-kvm (2.9.0-1~rc2+3) unstable; urgency=medium
+
+ * fix backup jobs not starting when using multiple disks
+
+ -- Proxmox Support Team Thu, 30 Mar 2017 12:16:30 +0200
+
+pve-qemu-kvm (2.9.0-1~rc2+2) unstable; urgency=medium
+
+ * build with virtfs enabled
+
+ -- Proxmox Support Team Thu, 30 Mar 2017 10:57:46 +0200
+
+pve-qemu-kvm (2.9.0-1~rc2+1) unstable; urgency=medium
+
+ * fix backup jobs not starting and an assertion on backup job cleanup
+
+ -- Proxmox Support Team Thu, 30 Mar 2017 10:49:00 +0200
+
+pve-qemu-kvm (2.9.0-1~rc2) unstable; urgency=medium
+
+ * update to qemu 2.9.0-rc2
+
+ -- Proxmox Support Team Wed, 29 Mar 2017 13:33:48 +0200
+
+pve-qemu-kvm (2.7.1-501) unstable; urgency=medium
+
+ * drop bridge-utils dependency
+
+ * use ip from iproute2 over ifconfig from net-tools
+
+ -- Proxmox Support Team Wed, 15 Mar 2017 11:24:33 +0100
+
+pve-qemu-kvm (2.7.1-500) unstable; urgency=medium
+
+ * version bumped for stetch upgrade
+
+ -- Proxmox Support Team Fri, 10 Mar 2017 14:19:59 +0100
+
 pve-qemu-kvm (2.7.1-4) unstable; urgency=medium
 
  * fix CVE-2017-2620: display: cirrus: out-of-bounds access issue
diff --git a/debian/control b/debian/control
index 8c63066..ecf65c2 100644
--- a/debian/control
+++ b/debian/control
@@ -2,12 +2,49 @@ Source: pve-qemu-kvm
 Section: admin
 Priority: extra
 Maintainer: Proxmox Support Team
-Build-Depends: debhelper (>= 5), autotools-dev, libpci-dev, quilt, texinfo, texi2html, libgnutls28-dev, libsdl1.2-dev, check, libaio-dev, uuid-dev, librbd-dev (>= 0.48), libiscsi-dev (>= 1.12.0), libspice-protocol-dev (>= 0.12.5), pve-libspice-server-dev (>= 0.12.5-1), libusbredirparser-dev (>= 0.6-2), glusterfs-common (>= 3.5.2-1), libusb-1.0-0-dev (>= 1.0.17-1), xfslibs-dev, libnuma-dev, libjemalloc-dev, libjpeg-dev, libacl1-dev
+Build-Depends: debhelper (>= 5),
+ autotools-dev,
+ libpci-dev,
+ quilt,
+ texinfo,
+ texi2html,
+ libgnutls28-dev,
+ libsdl1.2-dev,
+ check,
+ libaio-dev,
+ uuid-dev,
+ librbd-dev (>= 0.48),
+ libiscsi-dev (>= 1.12.0),
+ libspice-protocol-dev (>= 0.12.5),
+ pve-libspice-server-dev (>= 0.12.5-1),
+ libusbredirparser-dev (>= 0.6-2),
+ glusterfs-common (>= 3.5.2-1),
+ libusb-1.0-0-dev (>= 1.0.17-1),
+ xfslibs-dev,
+ libnuma-dev,
+ libjemalloc-dev,
+ libjpeg-dev,
+ libacl1-dev,
+ libcap-dev
 Standards-Version: 3.7.2
 
 Package: pve-qemu-kvm
 Architecture: any
-Depends: iproute2, bridge-utils, python, libsdl1.2debian, libaio1, libuuid1, ceph-common (>= 0.48), libiscsi4 (>= 1.12.0) | libiscsi7, pve-libspice-server1 (>= 0.12.5-1), ${shlibs:Depends}, ${misc:Depends}, libusbredirparser1 (>= 0.6-2), glusterfs-common (>= 3.5.2-1), libusb-1.0-0 (>= 1.0.17-1), numactl, libjemalloc1, libjpeg62-turbo
+Depends: ${shlibs:Depends}, ${misc:Depends},
+ iproute2,
+ python,
+ libsdl1.2debian,
+ libaio1,
+ libuuid1,
+ ceph-common (>= 0.48),
+ libiscsi4 (>= 1.12.0) | libiscsi7,
+ pve-libspice-server1 (>= 0.12.5-1),
+ libusbredirparser1 (>= 0.6-2),
+ glusterfs-common (>= 3.5.2-1),
+ libusb-1.0-0 (>= 1.0.17-1),
+ numactl,
+ libjemalloc1,
+ libjpeg62-turbo
 Conflicts: qemu, qemu-kvm, qemu-utils, kvm, pve-kvm, pve-qemu-kvm-2.6.18
 Provides: qemu-utils
 Replaces: pve-kvm, pve-qemu-kvm-2.6.18, qemu-utils
diff --git a/debian/kvm-ifup b/debian/kvm-ifup index 29dae84..a4c63ea 100755 --- a/debian/kvm-ifup +++ b/debian/kvm-ifup @@ -1,5 +1,5 @@ #!/bin/sh -switch=$(/sbin/ip route list | awk '/^default / { print $NF }') -/sbin/ifconfig $1 0.0.0.0 promisc up -/sbin/brctl addif ${switch} $1 +switch=$(/sbin/ip route show |sed -nre 's/^default .* dev ([^ ]+).*$/\1/;T;p;q') +/sbin/ip link set "$1" up promisc on +test -d "/sys/class/net/$switch/bridge" && /sbin/ip link set "$1" master "$switch" diff --git a/debian/patches/extra/0001-Revert-target-i386-disable-LINT0-after-reset.patch b/debian/patches/extra/0001-Revert-target-i386-disable-LINT0-after-reset.patch deleted file mode 100644 index fdf5b7b..0000000 --- a/debian/patches/extra/0001-Revert-target-i386-disable-LINT0-after-reset.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 603c472d61c354c30bc898b0e9ff1914302cbca9 Mon Sep 17 00:00:00 2001 -From: Wolfgang Bumiller -Date: Mon, 4 Jul 2016 15:02:26 +0200 -Subject: [PATCH 1/3] Revert "target-i386: disable LINT0 after reset" - -This reverts commit b8eb5512fd8a115f164edbbe897cdf8884920ccb. ---- - hw/intc/apic_common.c | 9 +++++++++ - 1 file changed, 9 insertions(+) - -diff --git a/hw/intc/apic_common.c b/hw/intc/apic_common.c -index 14ac43c..1ed0511 100644 ---- a/hw/intc/apic_common.c -+++ b/hw/intc/apic_common.c -@@ -246,6 +246,15 @@ static void apic_reset_common(DeviceState *dev) - info->vapic_base_update(s); - - apic_init_reset(dev); -+ -+ if (bsp) { -+ /* -+ * LINT0 delivery mode on CPU #0 is set to ExtInt at initialization -+ * time typically by BIOS, so PIC interrupt can be delivered to the -+ * processor when local APIC is enabled. -+ */ -+ s->lvt[APIC_LVT_LINT0] = 0x700; -+ } - } - - /* This function is only used for old state version 1 and 2 */ --- -2.1.4 - diff --git a/debian/patches/extra/0001-cirrus-fix-patterncopy-checks.patch b/debian/patches/extra/0001-cirrus-fix-patterncopy-checks.patch deleted file mode 100644 index d31da17..0000000 
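Review bot: The new last line of kvm-ifup, `test -d "/sys/class/net/$switch/bridge" && /sbin/ip link set "$1" master "$switch"`, leaves the script with a non-zero exit status and no message whenever the default-route device is not a bridge or `$switch` is empty (no default route). By that point `/sbin/ip link set "$1" up promisc on` has already run, so the tap device stays up and promiscuous but unattached. Checking first and failing loudly would be clearer, e.g. `[ -n "$switch" ] && [ -d "/sys/class/net/$switch/bridge" ] || { echo "kvm-ifup: default route device '$switch' is not a bridge" >&2; exit 1; }` placed before the `ip link set "$1" up` line. If skipping the attach is intended for non-bridge setups, end with an explicit `exit 0` and a comment instead. The sed expression uses GNU extensions (`-r`, `T`), which deserves a short comment given the `/bin/sh` shebang.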
--- a/debian/patches/extra/0001-cirrus-fix-patterncopy-checks.patch
+++ /dev/null
@@ -1,100 +0,0 @@ -From 391a9e6fd8c6cf615f2ffe44bb85245df52cc2b6 Mon Sep 17 00:00:00 2001 -From: Gerd Hoffmann -Date: Thu, 9 Feb 2017 14:02:20 +0100 -Subject: [PATCH 1/2] cirrus: fix patterncopy checks - -The blit_region_is_unsafe checks don't work correctly for the -patterncopy source. It's a fixed-sized region, which doesn't -depend on cirrus_blt_{width,height}. So go do the check in -cirrus_bitblt_common_patterncopy instead, then tell blit_is_unsafe that -it doesn't need to verify the source. Also handle the case where we -blit from cirrus_bitbuf correctly. - -This patch replaces 5858dd1801883309bdd208d72ddb81c4e9fee30c. - -Security impact: I think for the most part error on the safe side this -time, refusing blits which should have been allowed. - -Only exception is placing the blit source at the end of the video ram, -so cirrus_blt_srcaddr + 256 goes beyond the end of video memory. But -even in that case I'm not fully sure this actually allows read access to -host memory. To trick the commit 5858dd18 security checks one has to -pick very small cirrus_blt_{width,height} values, which in turn implies -only a fraction of the blit source will actually be used. - -Cc: Wolfgang Bumiller -Cc: Dr. 
David Alan Gilbert -Signed-off-by: Gerd Hoffmann ---- - hw/display/cirrus_vga.c | 36 ++++++++++++++++++++++++++++++------ - 1 file changed, 30 insertions(+), 6 deletions(-) - -diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c -index 16f27e8..6bd13fc 100644 ---- a/hw/display/cirrus_vga.c -+++ b/hw/display/cirrus_vga.c -@@ -683,14 +683,39 @@ static void cirrus_invalidate_region(CirrusVGAState * s, int off_begin, - } - } - --static int cirrus_bitblt_common_patterncopy(CirrusVGAState * s, -- const uint8_t * src) -+static int cirrus_bitblt_common_patterncopy(CirrusVGAState *s, bool videosrc) - { -+ uint32_t patternsize; - uint8_t *dst; -+ uint8_t *src; - - dst = s->vga.vram_ptr + s->cirrus_blt_dstaddr; - -- if (blit_is_unsafe(s, false, true)) { -+ if (videosrc) { -+ switch (s->vga.get_bpp(&s->vga)) { -+ case 8: -+ patternsize = 64; -+ break; -+ case 15: -+ case 16: -+ patternsize = 128; -+ break; -+ case 24: -+ case 32: -+ default: -+ patternsize = 256; -+ break; -+ } -+ s->cirrus_blt_srcaddr &= ~(patternsize - 1); -+ if (s->cirrus_blt_srcaddr + patternsize > s->vga.vram_size) { -+ return 0; -+ } -+ src = s->vga.vram_ptr + s->cirrus_blt_srcaddr; -+ } else { -+ src = s->cirrus_bltbuf; -+ } -+ -+ if (blit_is_unsafe(s, true, true)) { - return 0; - } - -@@ -731,8 +756,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop) - - static int cirrus_bitblt_videotovideo_patterncopy(CirrusVGAState * s) - { -- return cirrus_bitblt_common_patterncopy(s, s->vga.vram_ptr + -- (s->cirrus_blt_srcaddr & ~7)); -+ return cirrus_bitblt_common_patterncopy(s, true); - } - - static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h) -@@ -831,7 +855,7 @@ static void cirrus_bitblt_cputovideo_next(CirrusVGAState * s) - - if (s->cirrus_srccounter > 0) { - if (s->cirrus_blt_mode & CIRRUS_BLTMODE_PATTERNCOPY) { -- cirrus_bitblt_common_patterncopy(s, s->cirrus_bltbuf); -+ cirrus_bitblt_common_patterncopy(s, false); - the_end: - s->cirrus_srccounter = 0; 
- cirrus_bitblt_reset(s); --- -2.1.4 - diff --git a/debian/patches/extra/0001-cirrus-handle-negative-pitch-in-cirrus_invalidate_re.patch b/debian/patches/extra/0001-cirrus-handle-negative-pitch-in-cirrus_invalidate_re.patch deleted file mode 100644 index a95cf1b..0000000 --- a/debian/patches/extra/0001-cirrus-handle-negative-pitch-in-cirrus_invalidate_re.patch +++ /dev/null 
@@ -1,51 +0,0 @@ -From b3ce5aeaacdd0cec5bab1d83ee24bae73b0dd506 Mon Sep 17 00:00:00 2001 -From: Wolfgang Bumiller -Date: Wed, 25 Jan 2017 14:48:57 +0100 -Subject: [PATCH 1/4] cirrus: handle negative pitch in - cirrus_invalidate_region() - -cirrus_invalidate_region() calls memory_region_set_dirty() -on a per-line basis, always ranging from off_begin to -off_begin+bytesperline. With a negative pitch off_begin -marks the top most used address and thus we need to do an -initial shift backwards by a line for negative pitches of -backward blits, otherwise the first iteration covers the -line going from the start offset forwards instead of -backwards. -Additionally since the start address is inclusive, if we -shift by a full `bytesperline` we move to the first address -*not* included in the blit, so we only shift by one less -than bytesperline. - -Signed-off-by: Wolfgang Bumiller -Message-id: 1485352137-29367-1-git-send-email-w.bumiller@proxmox.com - -[ kraxel: codestyle fixes ] - -Signed-off-by: Gerd Hoffmann ---- - hw/display/cirrus_vga.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c -index 379910d..0f05e45 100644 ---- a/hw/display/cirrus_vga.c -+++ b/hw/display/cirrus_vga.c -@@ -661,9 +661,14 @@ static void cirrus_invalidate_region(CirrusVGAState * s, int off_begin, - int off_cur; - int off_cur_end; - -+ if (off_pitch < 0) { -+ off_begin -= bytesperline - 1; -+ } -+ - for (y = 0; y < lines; y++) { - off_cur = off_begin; - off_cur_end = (off_cur + bytesperline) & s->cirrus_addr_mask; -+ assert(off_cur_end >= off_cur); - memory_region_set_dirty(&s->vga.vram, off_cur, off_cur_end - off_cur); - off_begin += off_pitch; - } --- -2.1.4 - diff --git a/debian/patches/extra/0001-display-cirrus-ignore-source-pitch-value-as-needed-i.patch b/debian/patches/extra/0001-display-cirrus-ignore-source-pitch-value-as-needed-i.patch deleted file mode 100644 index 2b24cdd..0000000 
--- a/debian/patches/extra/0001-display-cirrus-ignore-source-pitch-value-as-needed-i.patch
+++ /dev/null
@@ -1,72 +0,0 @@ -From f5dc8e6b503fda1ed87c0f4f53c6d2c76a584872 Mon Sep 17 00:00:00 2001 -From: Bruce Rogers -Date: Mon, 9 Jan 2017 13:35:20 -0700 -Subject: [PATCH 1/5] display: cirrus: ignore source pitch value as needed in - blit_is_unsafe - -Commit 4299b90 added a check which is too broad, given that the source -pitch value is not required to be initialized for solid fill operations. -This patch refines the blit_is_unsafe() check to ignore source pitch in -that case. After applying the above commit as a security patch, we -noticed the SLES 11 SP4 guest gui failed to initialize properly. - -Signed-off-by: Bruce Rogers -Message-id: 20170109203520.5619-1-brogers@suse.com -Signed-off-by: Gerd Hoffmann ---- - hw/display/cirrus_vga.c | 11 +++++++---- - 1 file changed, 7 insertions(+), 4 deletions(-) - -diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c -index bdb092e..379910d 100644 ---- a/hw/display/cirrus_vga.c -+++ b/hw/display/cirrus_vga.c -@@ -294,7 +294,7 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s, - return false; - } - --static bool blit_is_unsafe(struct CirrusVGAState *s) -+static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only) - { - /* should be the case, see cirrus_bitblt_start */ - assert(s->cirrus_blt_width > 0); -@@ -308,6 +308,9 @@ static bool blit_is_unsafe(struct CirrusVGAState *s) - s->cirrus_blt_dstaddr & s->cirrus_addr_mask)) { - return true; - } -+ if (dst_only) { -+ return false; -+ } - if (blit_region_is_unsafe(s, s->cirrus_blt_srcpitch, - s->cirrus_blt_srcaddr & s->cirrus_addr_mask)) { - return true; -@@ -673,7 +676,7 @@ static int cirrus_bitblt_common_patterncopy(CirrusVGAState * s, - - dst = s->vga.vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask); - -- if (blit_is_unsafe(s)) -+ if (blit_is_unsafe(s, false)) - return 0; - - (*s->cirrus_rop) (s, dst, src, -@@ -691,7 +694,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop) - { - cirrus_fill_t rop_func; - -- if 
(blit_is_unsafe(s)) { -+ if (blit_is_unsafe(s, true)) { - return 0; - } - rop_func = cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1]; -@@ -795,7 +798,7 @@ static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h) - - static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s) - { -- if (blit_is_unsafe(s)) -+ if (blit_is_unsafe(s, false)) - return 0; - - return cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr, --- -2.1.4 - diff --git a/debian/patches/extra/0002-Revert-cirrus-allow-zero-source-pitch-in-pattern-fil.patch b/debian/patches/extra/0002-Revert-cirrus-allow-zero-source-pitch-in-pattern-fil.patch deleted file mode 100644 index 0b8e6ed..0000000 --- a/debian/patches/extra/0002-Revert-cirrus-allow-zero-source-pitch-in-pattern-fil.patch +++ /dev/null 
@@ -1,101 +0,0 @@ -From cba280fe94eaed53952e2997cac1ee2bed6cfdee Mon Sep 17 00:00:00 2001 -From: Wolfgang Bumiller -Date: Fri, 10 Feb 2017 08:34:03 +0100 -Subject: [PATCH 2/2] Revert "cirrus: allow zero source pitch in pattern fill - rops" - -This reverts commit cf9c099a7694eb47ded529e1ed40ee8789f32d31. - -Conflicts: - hw/display/cirrus_vga.c ---- - hw/display/cirrus_vga.c | 29 +++++++++-------------------- - 1 file changed, 9 insertions(+), 20 deletions(-) - -diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c -index 6bd13fc..92e7951 100644 ---- a/hw/display/cirrus_vga.c -+++ b/hw/display/cirrus_vga.c -@@ -272,6 +272,9 @@ static void cirrus_update_memory_access(CirrusVGAState *s); - static bool blit_region_is_unsafe(struct CirrusVGAState *s, - int32_t pitch, int32_t addr) - { -+ if (!pitch) { -+ return true; -+ } - if (pitch < 0) { - int64_t min = addr - + ((int64_t)s->cirrus_blt_height - 1) * pitch -@@ -290,11 +293,8 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s, - return false; - } - --static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only, -- bool zero_src_pitch_ok) -+static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only) - { -- int32_t check_pitch; -- - /* should be the case, see cirrus_bitblt_start */ - assert(s->cirrus_blt_width > 0); - assert(s->cirrus_blt_height > 0); -@@ -303,10 +303,6 @@ static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only, - return true; - } - -- if (!s->cirrus_blt_dstpitch) { -- return true; -- } -- - if (blit_region_is_unsafe(s, s->cirrus_blt_dstpitch, - s->cirrus_blt_dstaddr)) { - return true; -@@ -314,14 +310,8 @@ static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only, - if (dst_only) { - return false; - } -- -- check_pitch = s->cirrus_blt_srcpitch; -- if (!zero_src_pitch_ok && !check_pitch) { -- check_pitch = s->cirrus_blt_width; -- } -- -- if (blit_region_is_unsafe(s, check_pitch, -- s->cirrus_blt_srcaddr)) { -+ if (blit_region_is_unsafe(s, 
s->cirrus_blt_srcpitch, -+ s->cirrus_blt_srcaddr & s->cirrus_addr_mask)) { - return true; - } - -@@ -715,9 +705,8 @@ static int cirrus_bitblt_common_patterncopy(CirrusVGAState *s, bool videosrc) - src = s->cirrus_bltbuf; - } - -- if (blit_is_unsafe(s, true, true)) { -+ if (blit_is_unsafe(s, true)) - return 0; -- } - - (*s->cirrus_rop) (s, dst, src, - s->cirrus_blt_dstpitch, 0, -@@ -734,7 +723,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop) - { - cirrus_fill_t rop_func; - -- if (blit_is_unsafe(s, true, true)) { -+ if (blit_is_unsafe(s, true)) { - return 0; - } - rop_func = cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1]; -@@ -834,7 +823,7 @@ static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h) - - static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s) - { -- if (blit_is_unsafe(s, false, false)) -+ if (blit_is_unsafe(s, false)) - return 0; - - return cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr, --- -2.1.4 - diff --git a/debian/patches/extra/0002-cirrus-allow-zero-source-pitch-in-pattern-fill-rops.patch b/debian/patches/extra/0002-cirrus-allow-zero-source-pitch-in-pattern-fill-rops.patch deleted file mode 100644 index 7431baf..0000000 --- a/debian/patches/extra/0002-cirrus-allow-zero-source-pitch-in-pattern-fill-rops.patch +++ /dev/null 
@@ -1,102 +0,0 @@ -From cf9c099a7694eb47ded529e1ed40ee8789f32d31 Mon Sep 17 00:00:00 2001 -From: Wolfgang Bumiller -Date: Tue, 24 Jan 2017 16:35:38 +0100 -Subject: [PATCH 2/4] cirrus: allow zero source pitch in pattern fill rops - -The rops used by cirrus_bitblt_common_patterncopy only use -the destination pitch, so the source pitch shoul allowed to -be zero and the blit with used for the range check around the -source address. - -Signed-off-by: Wolfgang Bumiller -Message-id: 1485272138-23249-1-git-send-email-w.bumiller@proxmox.com -Signed-off-by: Gerd Hoffmann ---- - hw/display/cirrus_vga.c | 27 +++++++++++++++++++-------- - 1 file changed, 19 insertions(+), 8 deletions(-) - -diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c -index 0f05e45..98f089e 100644 ---- a/hw/display/cirrus_vga.c -+++ b/hw/display/cirrus_vga.c -@@ -272,9 +272,6 @@ static void cirrus_update_memory_access(CirrusVGAState *s); - static bool blit_region_is_unsafe(struct CirrusVGAState *s, - int32_t pitch, int32_t addr) - { -- if (!pitch) { -- return true; -- } - if (pitch < 0) { - int64_t min = addr - + ((int64_t)s->cirrus_blt_height-1) * pitch; -@@ -294,8 +291,11 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s, - return false; - } - --static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only) -+static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only, -+ bool zero_src_pitch_ok) - { -+ int32_t check_pitch; -+ - /* should be the case, see cirrus_bitblt_start */ - assert(s->cirrus_blt_width > 0); - assert(s->cirrus_blt_height > 0); -@@ -304,6 +304,10 @@ static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only) - return true; - } - -+ if (!s->cirrus_blt_dstpitch) { -+ return true; -+ } -+ - if (blit_region_is_unsafe(s, s->cirrus_blt_dstpitch, - s->cirrus_blt_dstaddr & s->cirrus_addr_mask)) { - return true; -@@ -311,7 +315,13 @@ static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only) - if (dst_only) { - return false; - } -- if 
(blit_region_is_unsafe(s, s->cirrus_blt_srcpitch, -+ -+ check_pitch = s->cirrus_blt_srcpitch; -+ if (!zero_src_pitch_ok && !check_pitch) { -+ check_pitch = s->cirrus_blt_width; -+ } -+ -+ if (blit_region_is_unsafe(s, check_pitch, - s->cirrus_blt_srcaddr & s->cirrus_addr_mask)) { - return true; - } -@@ -681,8 +691,9 @@ static int cirrus_bitblt_common_patterncopy(CirrusVGAState * s, - - dst = s->vga.vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask); - -- if (blit_is_unsafe(s, false)) -+ if (blit_is_unsafe(s, false, true)) { - return 0; -+ } - - (*s->cirrus_rop) (s, dst, src, - s->cirrus_blt_dstpitch, 0, -@@ -699,7 +710,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop) - { - cirrus_fill_t rop_func; - -- if (blit_is_unsafe(s, true)) { -+ if (blit_is_unsafe(s, true, true)) { - return 0; - } - rop_func = cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1]; -@@ -803,7 +814,7 @@ static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h) - - static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s) - { -- if (blit_is_unsafe(s, false)) -+ if (blit_is_unsafe(s, false, false)) - return 0; - - return cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr, --- -2.1.4 - diff --git a/debian/patches/extra/0002-net-vmxnet-initialise-local-tx-descriptor.patch b/debian/patches/extra/0002-net-vmxnet-initialise-local-tx-descriptor.patch deleted file mode 100644 index 5090662..0000000 --- a/debian/patches/extra/0002-net-vmxnet-initialise-local-tx-descriptor.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -From 1313d27fc347633d0cf6fc2ff8cbe17a740dd658 Mon Sep 17 00:00:00 2001 -From: Li Qiang -Date: Thu, 11 Aug 2016 00:42:20 +0530 -Subject: [PATCH 2/3] net: vmxnet: initialise local tx descriptor - -In Vmxnet3 device emulator while processing transmit(tx) queue, -when it reaches end of packet, it calls vmxnet3_complete_packet. -In that local 'txcq_descr' object is not initialised, which could -leak host memory bytes a guest. - -Reported-by: Li Qiang -Signed-off-by: Prasad J Pandit ---- - hw/net/vmxnet3.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c -index 90f6943..92f6af9 100644 ---- a/hw/net/vmxnet3.c -+++ b/hw/net/vmxnet3.c -@@ -531,6 +531,7 @@ static void vmxnet3_complete_packet(VMXNET3State *s, int qidx, uint32_t tx_ridx) - - VMXNET3_RING_DUMP(VMW_RIPRN, "TXC", qidx, &s->txq_descr[qidx].comp_ring); - -+ memset(&txcq_descr, 0, sizeof(txcq_descr)); - txcq_descr.txdIdx = tx_ridx; - txcq_descr.gen = vmxnet3_ring_curr_gen(&s->txq_descr[qidx].comp_ring); - --- -2.1.4 - diff --git a/debian/patches/extra/0003-cirrus-fix-blit-address-mask-handling.patch b/debian/patches/extra/0003-cirrus-fix-blit-address-mask-handling.patch deleted file mode 100644 index 39a410a..0000000 --- a/debian/patches/extra/0003-cirrus-fix-blit-address-mask-handling.patch +++ /dev/null 
@@ -1,104 +0,0 @@ -From a173829e6ebd8b2d7f29028f106173ba067c8b8c Mon Sep 17 00:00:00 2001 -From: Gerd Hoffmann -Date: Wed, 25 Jan 2017 11:09:56 +0100 -Subject: [PATCH 3/4] cirrus: fix blit address mask handling - -Apply the cirrus_addr_mask to cirrus_blt_dstaddr and cirrus_blt_srcaddr -right after assigning them, in cirrus_bitblt_start(), instead of having -this all over the place in the cirrus code, and missing a few places. - -Reported-by: Wolfgang Bumiller -Signed-off-by: Gerd Hoffmann -Message-id: 1485338996-17095-1-git-send-email-kraxel@redhat.com ---- - hw/display/cirrus_vga.c | 25 ++++++++++++------------- - 1 file changed, 12 insertions(+), 13 deletions(-) - -diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c -index 98f089e..7db6409 100644 ---- a/hw/display/cirrus_vga.c -+++ b/hw/display/cirrus_vga.c -@@ -309,7 +309,7 @@ static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only, - } - - if (blit_region_is_unsafe(s, s->cirrus_blt_dstpitch, -- s->cirrus_blt_dstaddr & s->cirrus_addr_mask)) { -+ s->cirrus_blt_dstaddr)) { - return true; - } - if (dst_only) { -@@ -322,7 +322,7 @@ static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only, - } - - if (blit_region_is_unsafe(s, check_pitch, -- s->cirrus_blt_srcaddr & s->cirrus_addr_mask)) { -+ s->cirrus_blt_srcaddr)) { - return true; - } - -@@ -689,7 +689,7 @@ static int cirrus_bitblt_common_patterncopy(CirrusVGAState * s, - { - uint8_t *dst; - -- dst = s->vga.vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask); -+ dst = s->vga.vram_ptr + s->cirrus_blt_dstaddr; - - if (blit_is_unsafe(s, false, true)) { - return 0; -@@ -714,7 +714,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop) - return 0; - } - rop_func = cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1]; -- rop_func(s, s->vga.vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask), -+ rop_func(s, s->vga.vram_ptr + s->cirrus_blt_dstaddr, - s->cirrus_blt_dstpitch, - s->cirrus_blt_width, 
s->cirrus_blt_height); - cirrus_invalidate_region(s, s->cirrus_blt_dstaddr, -@@ -732,9 +732,8 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop) - - static int cirrus_bitblt_videotovideo_patterncopy(CirrusVGAState * s) - { -- return cirrus_bitblt_common_patterncopy(s, -- s->vga.vram_ptr + ((s->cirrus_blt_srcaddr & ~7) & -- s->cirrus_addr_mask)); -+ return cirrus_bitblt_common_patterncopy(s, s->vga.vram_ptr + -+ (s->cirrus_blt_srcaddr & ~7)); - } - - static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h) -@@ -788,10 +787,8 @@ static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h) - if (notify) - graphic_hw_update(s->vga.con); - -- (*s->cirrus_rop) (s, s->vga.vram_ptr + -- (s->cirrus_blt_dstaddr & s->cirrus_addr_mask), -- s->vga.vram_ptr + -- (s->cirrus_blt_srcaddr & s->cirrus_addr_mask), -+ (*s->cirrus_rop) (s, s->vga.vram_ptr + s->cirrus_blt_dstaddr, -+ s->vga.vram_ptr + s->cirrus_blt_srcaddr, - s->cirrus_blt_dstpitch, s->cirrus_blt_srcpitch, - s->cirrus_blt_width, s->cirrus_blt_height); - -@@ -842,8 +839,7 @@ static void cirrus_bitblt_cputovideo_next(CirrusVGAState * s) - } else { - /* at least one scan line */ - do { -- (*s->cirrus_rop)(s, s->vga.vram_ptr + -- (s->cirrus_blt_dstaddr & s->cirrus_addr_mask), -+ (*s->cirrus_rop)(s, s->vga.vram_ptr + s->cirrus_blt_dstaddr, - s->cirrus_bltbuf, 0, 0, s->cirrus_blt_width, 1); - cirrus_invalidate_region(s, s->cirrus_blt_dstaddr, 0, - s->cirrus_blt_width, 1); -@@ -962,6 +958,9 @@ static void cirrus_bitblt_start(CirrusVGAState * s) - s->cirrus_blt_modeext = s->vga.gr[0x33]; - blt_rop = s->vga.gr[0x32]; - -+ s->cirrus_blt_dstaddr &= s->cirrus_addr_mask; -+ s->cirrus_blt_srcaddr &= s->cirrus_addr_mask; -+ - #ifdef DEBUG_BITBLT - printf("rop=0x%02x mode=0x%02x modeext=0x%02x w=%d h=%d dpitch=%d spitch=%d daddr=0x%08x saddr=0x%08x writemask=0x%02x\n", - blt_rop, --- -2.1.4 - 
diff --git a/debian/patches/extra/0003-net-limit-allocation-in-nc_sendv_compat.patch b/debian/patches/extra/0003-net-limit-allocation-in-nc_sendv_compat.patch deleted file mode 100644 index 0bdb236..0000000 --- a/debian/patches/extra/0003-net-limit-allocation-in-nc_sendv_compat.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 2705772316ff905f3ed08871c602fca1c636f332 Mon Sep 17 00:00:00 2001 -From: Peter Lieven -Date: Thu, 30 Jun 2016 11:49:40 +0200 -Subject: [PATCH 3/3] net: limit allocation in nc_sendv_compat - -we only need to allocate enough memory to hold the packet. This might be -less than NET_BUFSIZE. Additionally fail early if the packet is larger -than NET_BUFSIZE. - -Signed-off-by: Peter Lieven ---- - net/net.c | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - -diff --git a/net/net.c b/net/net.c -index c94d93d..2ac46a6 100644 ---- a/net/net.c -+++ b/net/net.c -@@ -690,9 +690,13 @@ static ssize_t nc_sendv_compat(NetClientState *nc, const struct iovec *iov, - buffer = iov[0].iov_base; - offset = iov[0].iov_len; - } else { -- buf = g_new(uint8_t, NET_BUFSIZE); -+ offset = iov_size(iov, iovcnt); -+ if (offset > NET_BUFSIZE) { -+ return -1; -+ } -+ buf = g_malloc(offset); - buffer = buf; -- offset = iov_to_buf(iov, iovcnt, 0, buf, NET_BUFSIZE); -+ offset = iov_to_buf(iov, iovcnt, 0, buf, offset); - } - - if (flags & QEMU_NET_PACKET_FLAG_RAW && nc->info->receive_raw) { --- -2.1.4 - diff --git a/debian/patches/extra/0003-sd-sdhci-check-transfer-mode-register-in-multi-block.patch b/debian/patches/extra/0003-sd-sdhci-check-transfer-mode-register-in-multi-block.patch deleted file mode 100644 index 017f55a..0000000 --- a/debian/patches/extra/0003-sd-sdhci-check-transfer-mode-register-in-multi-block.patch +++ /dev/null 
@@ -1,61 +0,0 @@ -From da4c6050712be98934918e348aa34a74be0e4e57 Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit -Date: Tue, 31 Jan 2017 17:54:15 +0530 -Subject: [PATCH 3/8] sd: sdhci: check transfer mode register in multi block - transfer - -In SDHCI device emulation the transfer mode register value -is used during multi block transfer to check if block count -register is enabled and should be updated. Transfer mode -register could be set such that, block count register would -not be updated, thus leading to an infinite loop. Add check -to avoid it. - -Reported-by: Wjjzhang -Reported-by: Jiang Xin -Signed-off-by: Prasad J Pandit ---- - hw/sd/sdhci.c | 13 +++++++------ - 1 file changed, 7 insertions(+), 6 deletions(-) - -diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c -index 01fbf22..35f953a 100644 ---- a/hw/sd/sdhci.c -+++ b/hw/sd/sdhci.c -@@ -486,6 +486,12 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s) - uint32_t boundary_chk = 1 << (((s->blksize & 0xf000) >> 12) + 12); - uint32_t boundary_count = boundary_chk - (s->sdmasysad % boundary_chk); - -+ if (!(s->trnmod & SDHC_TRNS_MULTI) -+ || !(s->trnmod & SDHC_TRNS_BLK_CNT_EN) -+ || !s->blkcnt) { -+ return; -+ } -+ - /* XXX: Some sd/mmc drivers (for example, u-boot-slp) do not account for - * possible stop at page boundary if initial address is not page aligned, - * allow them to work properly */ -@@ -797,11 +803,6 @@ static void sdhci_data_transfer(void *opaque) - if (s->trnmod & SDHC_TRNS_DMA) { - switch (SDHC_DMA_TYPE(s->hostctl)) { - case SDHC_CTRL_SDMA: -- if ((s->trnmod & SDHC_TRNS_MULTI) && -- (!(s->trnmod & SDHC_TRNS_BLK_CNT_EN) || s->blkcnt == 0)) { -- break; -- } -- - if ((s->blkcnt == 1) || !(s->trnmod & SDHC_TRNS_MULTI)) { - sdhci_sdma_transfer_single_block(s); - } else { -@@ -1050,7 +1051,7 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size) - if (!(s->capareg & SDHC_CAN_DO_DMA)) { - value &= ~SDHC_TRNS_DMA; - } -- MASKED_WRITE(s->trnmod, mask, value); -+ 
MASKED_WRITE(s->trnmod, mask, value & 0x0037); - MASKED_WRITE(s->cmdreg, mask >> 16, value >> 16); - - /* Writing to the upper byte of CMDREG triggers SD command generation */ --- -2.1.4 - diff --git a/debian/patches/extra/0004-cirrus-fix-oob-access-issue-CVE-2017-2615.patch b/debian/patches/extra/0004-cirrus-fix-oob-access-issue-CVE-2017-2615.patch deleted file mode 100644 index fb59147..0000000 --- a/debian/patches/extra/0004-cirrus-fix-oob-access-issue-CVE-2017-2615.patch +++ /dev/null 
@@ -1,50 +0,0 @@ -From e3ff618899e53791fdff5dbd3f8fa889a2ed7b1d Mon Sep 17 00:00:00 2001 -From: Li Qiang -Date: Wed, 1 Feb 2017 09:35:01 +0100 -Subject: [PATCH 4/4] cirrus: fix oob access issue (CVE-2017-2615) - -When doing bitblt copy in backward mode, we should minus the -blt width first just like the adding in the forward mode. This -can avoid the oob access of the front of vga's vram. - -Signed-off-by: Li Qiang -Reviewed-by: Laszlo Ersek -Signed-off-by: Gerd Hoffmann -Message-id: 1485938101-26602-1-git-send-email-kraxel@redhat.com -Message-id: 5887254f.863a240a.2c122.5500@mx.google.com - -{ kraxel: with backward blits (negative pitch) addr is the topmost - address, so check it as-is against vram size ] - -Cc: qemu-stable@nongnu.org -Cc: P J P -Cc: Laszlo Ersek -Cc: Paolo Bonzini -Cc: Wolfgang Bumiller -Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106) -Signed-off-by: Gerd Hoffmann ---- - hw/display/cirrus_vga.c | 7 +++---- - 1 file changed, 3 insertions(+), 4 deletions(-) - -diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c -index 7db6409..16f27e8 100644 ---- a/hw/display/cirrus_vga.c -+++ b/hw/display/cirrus_vga.c -@@ -274,10 +274,9 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s, - { - if (pitch < 0) { - int64_t min = addr -- + ((int64_t)s->cirrus_blt_height-1) * pitch; -- int32_t max = addr -- + s->cirrus_blt_width; -- if (min < 0 || max > s->vga.vram_size) { -+ + ((int64_t)s->cirrus_blt_height - 1) * pitch -+ - s->cirrus_blt_width; -+ if (min < -1 || addr >= s->vga.vram_size) { - return true; - } - } else { --- -2.1.4 - diff --git a/debian/patches/extra/0004-sd-sdhci-block-count-enable-not-relevant-in-single-b.patch b/debian/patches/extra/0004-sd-sdhci-block-count-enable-not-relevant-in-single-b.patch deleted file mode 100644 index aeca0a1..0000000 --- a/debian/patches/extra/0004-sd-sdhci-block-count-enable-not-relevant-in-single-b.patch +++ /dev/null 
@@ -1,42 +0,0 @@
-From b9bc05a3a687f9993c5c2a8890b53ab9e8dbc96c Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit
-Date: Tue, 31 Jan 2017 17:54:16 +0530
-Subject: [PATCH 4/8] sd: sdhci: block count enable not relevant in single
- block transfer
-
-In SDHCI device emulation the 'Block count enable' bit
-of the Transfer Mode register is only relevant in multi block
-transfers. We need not check it in single block transfers.
-
-Signed-off-by: Prasad J Pandit
---
- hw/sd/sdhci.c | 6 +-----
- 1 file changed, 1 insertion(+), 5 deletions(-)
-
-diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
-index 35f953a..85cac42 100644
---- a/hw/sd/sdhci.c
-+++ b/hw/sd/sdhci.c
-@@ -570,7 +570,6 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
- }
-
- /* single block SDMA transfer */
--
-static void sdhci_sdma_transfer_single_block(SDHCIState *s)
- {
- int n;
-@@ -589,10 +588,7 @@ static void sdhci_sdma_transfer_single_block(SDHCIState *s)
- sdbus_write_data(&s->sdbus, s->fifo_buffer[n]);
- }
- }
--
-- if (s->trnmod & SDHC_TRNS_BLK_CNT_EN) {
-- s->blkcnt--;
-- }
-+ s->blkcnt--;
-
- sdhci_end_transfer(s);
- }
---
-2.1.4
-
diff --git a/debian/patches/extra/CVE-2016-10028-display-virtio-gpu-3d-check-virgl-capabilities-max_s.patch b/debian/patches/extra/CVE-2016-10028-display-virtio-gpu-3d-check-virgl-capabilities-max_s.patch
deleted file mode 100644
index 19e7599..0000000
--- a/debian/patches/extra/CVE-2016-10028-display-virtio-gpu-3d-check-virgl-capabilities-max_s.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From b891912de9c0ef615955fccc043915eb36ce3c02 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit
-Date: Wed, 14 Dec 2016 12:31:56 +0530
-Subject: [PATCH 2/8] display: virtio-gpu-3d: check virgl capabilities max_size
-
-Virtio GPU device while processing 'VIRTIO_GPU_CMD_GET_CAPSET'
-command, retrieves the maximum capabilities size to fill in the
-response object. It continues to fill in capabilities even if
-retrieved 'max_size' is zero(0), thus resulting in OOB access.
-Add check to avoid it.
-
-Reported-by: Zhenhao Hong
-Signed-off-by: Prasad J Pandit
-Message-id: 20161214070156.23368-1-ppandit@redhat.com
-Signed-off-by: Gerd Hoffmann
---
-
-Notes:
- CVE-2016-10028
-
- hw/display/virtio-gpu-3d.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
-index d98b140..cdd03a4 100644
---- a/hw/display/virtio-gpu-3d.c
-+++ b/hw/display/virtio-gpu-3d.c
-@@ -371,8 +371,12 @@ static void virgl_cmd_get_capset(VirtIOGPU *g,
-
- virgl_renderer_get_cap_set(gc.capset_id, &max_ver,
- &max_size);
-- resp = g_malloc0(sizeof(*resp) + max_size);
-+ if (!max_size) {
-+ cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER;
-+ return;
-+ }
-
-+ resp = g_malloc0(sizeof(*resp) + max_size);
- resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
- virgl_renderer_fill_caps(gc.capset_id,
- gc.capset_version,
---
-2.1.4
-
diff --git a/debian/patches/extra/CVE-2016-10155-watchdog-6300esb-add-exit-function.patch b/debian/patches/extra/CVE-2016-10155-watchdog-6300esb-add-exit-function.patch
deleted file mode 100644
index 06567fc..0000000
--- a/debian/patches/extra/CVE-2016-10155-watchdog-6300esb-add-exit-function.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From a8341ea109259c17ad18b02597e5e03e99db60ae Mon Sep 17 00:00:00 2001
-From: Li Qiang
-Date: Mon, 28 Nov 2016 17:49:04 -0800
-Subject: [PATCH 1/8] watchdog: 6300esb: add exit function
-
-When the Intel 6300ESB watchdog is hot unplug. The timer allocated
-in realize isn't freed thus leaking memory leak. This patch avoid
-this through adding the exit function.
-
-Signed-off-by: Li Qiang
-Message-Id: <583cde9c.3223ed0a.7f0c2.886e@mx.google.com>
-Signed-off-by: Paolo Bonzini
---
-
-Notes:
- CVE-2016-10155
-
- hw/watchdog/wdt_i6300esb.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/hw/watchdog/wdt_i6300esb.c b/hw/watchdog/wdt_i6300esb.c
-index a83d951..49b3cd1 100644
---- a/hw/watchdog/wdt_i6300esb.c
-+++ b/hw/watchdog/wdt_i6300esb.c
-@@ -428,6 +428,14 @@ static void i6300esb_realize(PCIDevice *dev, Error **errp)
- /* qemu_register_coalesced_mmio (addr, 0x10); ? */
- }
-
-+static void i6300esb_exit(PCIDevice *dev)
-+{
-+ I6300State *d = WATCHDOG_I6300ESB_DEVICE(dev);
-+
-+ timer_del(d->timer);
-+ timer_free(d->timer);
-+}
-+
- static WatchdogTimerModel model = {
- .wdt_name = "i6300esb",
- .wdt_description = "Intel 6300ESB",
-@@ -441,6 +449,7 @@ static void i6300esb_class_init(ObjectClass *klass, void *data)
- k->config_read = i6300esb_config_read;
- k->config_write = i6300esb_config_write;
- k->realize = i6300esb_realize;
-+ k->exit = i6300esb_exit;
- k->vendor_id = PCI_VENDOR_ID_INTEL;
- k->device_id = PCI_DEVICE_ID_INTEL_ESB_9;
- k->class_id = PCI_CLASS_SYSTEM_OTHER;
---
-2.1.4
-
diff --git a/debian/patches/extra/CVE-2016-7156-scsi-pvscsi-avoid-infinite-loop-while-building-SG-li.patch b/debian/patches/extra/CVE-2016-7156-scsi-pvscsi-avoid-infinite-loop-while-building-SG-li.patch
deleted file mode 100644
index d4a133a..0000000
--- a/debian/patches/extra/CVE-2016-7156-scsi-pvscsi-avoid-infinite-loop-while-building-SG-li.patch
+++ /dev/null
@@ -1,63 +0,0 @@ -From a8ceb006190b9072b0b9866ec5a07bd6de4eca6d Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit -Date: Tue, 6 Sep 2016 23:23:17 +0530 -Subject: [PATCH 5/6] scsi: pvscsi: avoid infinite loop while building SG list - -In PVSCSI paravirtual SCSI bus, pvscsi_convert_sglist can take a very -long time or go into an infinite loop due to two different bugs: - -1) the request descriptor data length is defined to be 64 bit. While -building SG list from a request descriptor, it gets truncated to 32bit -in routine 'pvscsi_convert_sglist'. This could lead to an infinite loop -situation for large 'dataLen' values, when data_length is cast to uint32_t -and chunk_size becomes always zero. Fix this by removing the incorrect -cast. - -2) pvscsi_get_next_sg_elem can be called arbitrarily many times if the -element has a zero length. Get out of the loop early when this happens, -by introducing an upper limit on the number of SG list elements. - -Reported-by: Li Qiang -Signed-off-by: Prasad J Pandit ---- - hw/scsi/vmw_pvscsi.c | 11 ++++++----- - 1 file changed, 6 insertions(+), 5 deletions(-) - -diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c -index 22f872c..e43e0a4 100644 ---- a/hw/scsi/vmw_pvscsi.c -+++ b/hw/scsi/vmw_pvscsi.c -@@ -40,6 +40,8 @@ - #define PVSCSI_MAX_DEVS (64) - #define PVSCSI_MSIX_NUM_VECTORS (1) - -+#define PVSCSI_MAX_SG_ELEM 2048 -+ - #define PVSCSI_MAX_CMD_DATA_WORDS \ - (sizeof(PVSCSICmdDescSetupRings)/sizeof(uint32_t)) - -@@ -629,17 +631,16 @@ pvscsi_queue_pending_descriptor(PVSCSIState *s, SCSIDevice **d, - static void - pvscsi_convert_sglist(PVSCSIRequest *r) - { -- int chunk_size; -+ uint32_t chunk_size, elmcnt = 0; - uint64_t data_length = r->req.dataLen; - PVSCSISGState sg = r->sg; -- while (data_length) { -- while (!sg.resid) { -+ while (data_length && elmcnt < PVSCSI_MAX_SG_ELEM) { -+ while (!sg.resid && elmcnt++ < PVSCSI_MAX_SG_ELEM) { - pvscsi_get_next_sg_elem(&sg); - trace_pvscsi_convert_sglist(r->req.context, r->sg.dataAddr, - 
r->sg.resid); - } -- assert(data_length > 0); -- chunk_size = MIN((unsigned) data_length, sg.resid); -+ chunk_size = MIN(data_length, sg.resid); - if (chunk_size) { - qemu_sglist_add(&r->sgl, sg.dataAddr, chunk_size); - } --- -2.1.4 - diff --git a/debian/patches/extra/CVE-2016-7161-hw-net-Fix-a-heap-overflow-in-xlnx.xps-ethernetlite.patch b/debian/patches/extra/CVE-2016-7161-hw-net-Fix-a-heap-overflow-in-xlnx.xps-ethernetlite.patch deleted file mode 100644 index 1c14d8c..0000000 --- a/debian/patches/extra/CVE-2016-7161-hw-net-Fix-a-heap-overflow-in-xlnx.xps-ethernetlite.patch +++ /dev/null @@ -1,35 +0,0 @@ -From b5cfb53ba6a976d0d478eb438a5ada3b719e8d59 Mon Sep 17 00:00:00 2001 -From: chaojianhu -Date: Tue, 9 Aug 2016 11:52:54 +0800 -Subject: [PATCH 2/5] hw/net: Fix a heap overflow in xlnx.xps-ethernetlite - -The .receive callback of xlnx.xps-ethernetlite doesn't check the length -of data before calling memcpy. As a result, the NetClientState object in -heap will be overflowed. All versions of qemu with xlnx.xps-ethernetlite -will be affected. - -Reported-by: chaojianhu -Signed-off-by: chaojianhu -Signed-off-by: Jason Wang ---- - hw/net/xilinx_ethlite.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/hw/net/xilinx_ethlite.c b/hw/net/xilinx_ethlite.c -index bc846e7..12b7419 100644 ---- a/hw/net/xilinx_ethlite.c -+++ b/hw/net/xilinx_ethlite.c -@@ -197,6 +197,10 @@ static ssize_t eth_rx(NetClientState *nc, const uint8_t *buf, size_t size) - } - - D(qemu_log("%s %zd rxbase=%x\n", __func__, size, rxbase)); -+ if (size > (R_MAX - R_RX_BUF0 - rxbase) * 4) { -+ D(qemu_log("ethlite packet is too big, size=%x\n", size)); -+ return -1; -+ } - memcpy(&s->regs[rxbase + R_RX_BUF0], buf, size); - - s->regs[rxbase + R_RX_CTRL0] |= CTRL_S; --- -2.1.4 - 
diff --git a/debian/patches/extra/CVE-2016-7170-vmsvga-correct-bitmap-and-pixmap-size-checks.patch b/debian/patches/extra/CVE-2016-7170-vmsvga-correct-bitmap-and-pixmap-size-checks.patch
deleted file mode 100644
index 732f679..0000000
--- a/debian/patches/extra/CVE-2016-7170-vmsvga-correct-bitmap-and-pixmap-size-checks.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 167d97a3def77ee2dbf6e908b0ecbfe2103977db Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit
-Date: Thu, 8 Sep 2016 18:15:54 +0530
-Subject: [PATCH] vmsvga: correct bitmap and pixmap size checks
-
-When processing svga command DEFINE_CURSOR in vmsvga_fifo_run,
-the computed BITMAP and PIXMAP size are checked against the
-'cursor.mask[]' and 'cursor.image[]' array sizes in bytes.
-Correct these checks to avoid OOB memory access.
-
-Reported-by: Qinghao Tang
-Reported-by: Li Qiang
-Signed-off-by: Prasad J Pandit
-Message-id: 1473338754-15430-1-git-send-email-ppandit@redhat.com
-Signed-off-by: Gerd Hoffmann
---
- hw/display/vmware_vga.c | 12 +++++++-----
- 1 file changed, 7 insertions(+), 5 deletions(-)
-
-diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
-index e51a05e..6599cf0 100644
---- a/hw/display/vmware_vga.c
-+++ b/hw/display/vmware_vga.c
-@@ -676,11 +676,13 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
- cursor.bpp = vmsvga_fifo_read(s);
-
- args = SVGA_BITMAP_SIZE(x, y) + SVGA_PIXMAP_SIZE(x, y, cursor.bpp);
-- if (cursor.width > 256 ||
-- cursor.height > 256 ||
-- cursor.bpp > 32 ||
-- SVGA_BITMAP_SIZE(x, y) > sizeof cursor.mask ||
-- SVGA_PIXMAP_SIZE(x, y, cursor.bpp) > sizeof cursor.image) {
-+ if (cursor.width > 256
-+ || cursor.height > 256
-+ || cursor.bpp > 32
-+ || SVGA_BITMAP_SIZE(x, y)
-+ > sizeof(cursor.mask) / sizeof(cursor.mask[0])
-+ || SVGA_PIXMAP_SIZE(x, y, cursor.bpp)
-+ > sizeof(cursor.image) / sizeof(cursor.image[0])) {
- goto badcmd;
- }
-
---
-2.1.4
-
diff --git a/debian/patches/extra/CVE-2016-7422-virtio-add-check-for-descriptor-s-mapped-address.patch b/debian/patches/extra/CVE-2016-7422-virtio-add-check-for-descriptor-s-mapped-address.patch
deleted file mode 100644
index 6ee65d1..0000000
--- a/debian/patches/extra/CVE-2016-7422-virtio-add-check-for-descriptor-s-mapped-address.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 1723b5e7962eb077353bab0772ca8114774b6c60 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit
-Date: Mon, 19 Sep 2016 23:55:45 +0530
-Subject: [PATCH 4/7] virtio: add check for descriptor's mapped address
-
-virtio back end uses set of buffers to facilitate I/O operations.
-If its size is too large, 'cpu_physical_memory_map' could return
-a null address. This would result in a null dereference while
-un-mapping descriptors. Add check to avoid it.
-
-Reported-by: Qinghao Tang
-Signed-off-by: Prasad J Pandit
-Reviewed-by: Michael S. Tsirkin
-Signed-off-by: Michael S. Tsirkin
-Reviewed-by: Laszlo Ersek
---
- hw/virtio/virtio.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
-index 74c085c..eabe573 100644
---- a/hw/virtio/virtio.c
-+++ b/hw/virtio/virtio.c
-@@ -473,6 +473,11 @@ static void virtqueue_map_desc(unsigned int *p_num_sg, hwaddr *addr, struct iove
- }
-
- iov[num_sg].iov_base = cpu_physical_memory_map(pa, &len, is_write);
-+ if (!iov[num_sg].iov_base) {
-+ error_report("virtio: bogus descriptor or out of resources");
-+ exit(1);
-+ }
-+
- iov[num_sg].iov_len = len;
- addr[num_sg] = pa;
-
---
-2.1.4
-
diff --git a/debian/patches/extra/CVE-2016-7466-usb-xhci-fix-memory-leak-in-usb_xhci_exit.patch b/debian/patches/extra/CVE-2016-7466-usb-xhci-fix-memory-leak-in-usb_xhci_exit.patch
deleted file mode 100644
index c463161..0000000
--- a/debian/patches/extra/CVE-2016-7466-usb-xhci-fix-memory-leak-in-usb_xhci_exit.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From b53dd4495ced2432a0b652ea895e651d07336f7e Mon Sep 17 00:00:00 2001
-From: Li Qiang
-Date: Tue, 13 Sep 2016 03:20:03 -0700
-Subject: [PATCH] usb:xhci:fix memory leak in usb_xhci_exit
-
-If the xhci uses msix, it doesn't free the corresponding
-memory, thus leading a memory leak. This patch avoid this.
-
-Signed-off-by: Li Qiang
-Message-id: 57d7d2e0.d4301c0a.d13e9.9a55@mx.google.com
-Signed-off-by: Gerd Hoffmann
---
- hw/usb/hcd-xhci.c | 3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
-
-diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
-index 37c1493..726435c 100644
---- a/hw/usb/hcd-xhci.c
-+++ b/hw/usb/hcd-xhci.c
-@@ -3715,8 +3715,7 @@ static void usb_xhci_exit(PCIDevice *dev)
- /* destroy msix memory region */
- if (dev->msix_table && dev->msix_pba
- && dev->msix_entry_used) {
-- memory_region_del_subregion(&xhci->mem, &dev->msix_table_mmio);
-- memory_region_del_subregion(&xhci->mem, &dev->msix_pba_mmio);
-+ msix_uninit(dev, &xhci->mem, &xhci->mem);
- }
-
- usb_bus_release(&xhci->bus);
---
-2.1.4
-
diff --git a/debian/patches/extra/CVE-2016-7907-net-imx-limit-buffer-descriptor-count.patch b/debian/patches/extra/CVE-2016-7907-net-imx-limit-buffer-descriptor-count.patch
deleted file mode 100644
index 108219c..0000000
--- a/debian/patches/extra/CVE-2016-7907-net-imx-limit-buffer-descriptor-count.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 3798522afcf58abbce6de67446fcae7a34ae919d Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit
-Date: Thu, 22 Sep 2016 16:01:38 +0530
-Subject: [PATCH 5/7] net: imx: limit buffer descriptor count
-
-i.MX Fast Ethernet Controller uses buffer descriptors to manage
-data flow to/fro receive & transmit queues. While transmitting
-packets, it could continue to read buffer descriptors if a buffer
-descriptor has length of zero and has crafted values in bd.flags.
-Set an upper limit to number of buffer descriptors.
-
-Reported-by: Li Qiang
-Signed-off-by: Prasad J Pandit
---
- hw/net/imx_fec.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c
-index 1c415ab..1d74827 100644
---- a/hw/net/imx_fec.c
-+++ b/hw/net/imx_fec.c
-@@ -220,6 +220,8 @@ static const VMStateDescription vmstate_imx_eth = {
- #define PHY_INT_PARFAULT (1 << 2)
- #define PHY_INT_AUTONEG_PAGE (1 << 1)
-
-+#define IMX_MAX_DESC 1024
-+
- static void imx_eth_update(IMXFECState *s);
-
- /*
-@@ -402,12 +404,12 @@ static void imx_eth_update(IMXFECState *s)
-
- static void imx_fec_do_tx(IMXFECState *s)
- {
-- int frame_size = 0;
-+ int frame_size = 0, descnt = 0;
- uint8_t frame[ENET_MAX_FRAME_SIZE];
- uint8_t *ptr = frame;
- uint32_t addr = s->tx_descriptor;
-
-- while (1) {
-+ while (descnt++ < IMX_MAX_DESC) {
- IMXFECBufDesc bd;
- int len;
-
---
-2.1.4
-
diff --git a/debian/patches/extra/CVE-2016-7908-net-mcf-limit-buffer-descriptor-count.patch b/debian/patches/extra/CVE-2016-7908-net-mcf-limit-buffer-descriptor-count.patch
deleted file mode 100644
index fc15768..0000000
--- a/debian/patches/extra/CVE-2016-7908-net-mcf-limit-buffer-descriptor-count.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From 94087c0cbe014b4a60d96930d7cb43d54a05c701 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit
-Date: Thu, 22 Sep 2016 16:02:37 +0530
-Subject: [PATCH 6/7] net: mcf: limit buffer descriptor count
-
-ColdFire Fast Ethernet Controller uses buffer descriptors to manage
-data flow to/fro receive & transmit queues. While transmitting
-packets, it could continue to read buffer descriptors if a buffer
-descriptor has length of zero and has crafted values in bd.flags.
-Set upper limit to number of buffer descriptors.
-
-Reported-by: Li Qiang
-Signed-off-by: Prasad J Pandit
-Reviewed-by: Paolo Bonzini
-Signed-off-by: Jason Wang
---
- hw/net/mcf_fec.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/hw/net/mcf_fec.c b/hw/net/mcf_fec.c
-index 0ee8ad9..d31fea1 100644
---- a/hw/net/mcf_fec.c
-+++ b/hw/net/mcf_fec.c
-@@ -23,6 +23,7 @@ do { printf("mcf_fec: " fmt , ## __VA_ARGS__); } while (0)
- #define DPRINTF(fmt, ...) do {} while(0)
- #endif
-
-+#define FEC_MAX_DESC 1024
- #define FEC_MAX_FRAME_SIZE 2032
-
- typedef struct {
-@@ -149,7 +150,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s)
- uint32_t addr;
- mcf_fec_bd bd;
- int frame_size;
-- int len;
-+ int len, descnt = 0;
- uint8_t frame[FEC_MAX_FRAME_SIZE];
- uint8_t *ptr;
-
-@@ -157,7 +158,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s)
- ptr = frame;
- frame_size = 0;
- addr = s->tx_descriptor;
-- while (1) {
-+ while (descnt++ < FEC_MAX_DESC) {
- mcf_fec_read_bd(&bd, addr);
- DPRINTF("tx_bd %x flags %04x len %d data %08x\n",
- addr, bd.flags, bd.length, bd.data);
---
-2.1.4
-
diff --git a/debian/patches/extra/CVE-2016-7909-net-pcnet-check-rx-tx-descriptor-ring-length.patch b/debian/patches/extra/CVE-2016-7909-net-pcnet-check-rx-tx-descriptor-ring-length.patch
deleted file mode 100644
index c255871..0000000
--- a/debian/patches/extra/CVE-2016-7909-net-pcnet-check-rx-tx-descriptor-ring-length.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From ed825b783750cbe88aa67bbe83cf662082828efa Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit
-Date: Fri, 30 Sep 2016 00:27:33 +0530
-Subject: [PATCH 7/7] net: pcnet: check rx/tx descriptor ring length
-
-The AMD PC-Net II emulator has set of control and status(CSR)
-registers. Of these, CSR76 and CSR78 hold receive and transmit
-descriptor ring length respectively. This ring length could range
-from 1 to 65535. Setting ring length to zero leads to an infinite
-loop in pcnet_rdra_addr. Add check to avoid it.
-
-Reported-by: Li Qiang
-Signed-off-by: Prasad J Pandit
---
- hw/net/pcnet.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
-index 198a01f..3078de8 100644
---- a/hw/net/pcnet.c
-+++ b/hw/net/pcnet.c
-@@ -1429,8 +1429,11 @@ static void pcnet_csr_writew(PCNetState *s, uint32_t rap, uint32_t new_value)
- case 47: /* POLLINT */
- case 72:
- case 74:
-+ break;
- case 76: /* RCVRL */
- case 78: /* XMTRL */
-+ val = (val > 0) ? val : 512;
-+ break;
- case 112:
- if (CSR_STOP(s) || CSR_SPND(s))
- break;
---
-2.1.4
-
diff --git a/debian/patches/extra/CVE-2016-7994-virtio-gpu-fix-memory-leak-in-virtio_gpu_resource_cr.patch b/debian/patches/extra/CVE-2016-7994-virtio-gpu-fix-memory-leak-in-virtio_gpu_resource_cr.patch
deleted file mode 100644
index cddc70f..0000000
--- a/debian/patches/extra/CVE-2016-7994-virtio-gpu-fix-memory-leak-in-virtio_gpu_resource_cr.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 594fa98211f92ab07ee6d6b6a9eda93a416a1f57 Mon Sep 17 00:00:00 2001
-From: Li Qiang
-Date: Sun, 18 Sep 2016 19:07:11 -0700
-Subject: [PATCH 1/2] virtio-gpu: fix memory leak in
- virtio_gpu_resource_create_2d
-
-In virtio gpu resource create dispatch, if the pixman format is zero
-it doesn't free the resource object allocated previously. Thus leading
-a host memory leak issue. This patch avoid this.
-
-Signed-off-by: Li Qiang
---
- hw/display/virtio-gpu.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
-index 7fe6ed8..5b6d17b 100644
---- a/hw/display/virtio-gpu.c
-+++ b/hw/display/virtio-gpu.c
-@@ -333,6 +333,7 @@ static void virtio_gpu_resource_create_2d(VirtIOGPU *g,
- qemu_log_mask(LOG_GUEST_ERROR,
- "%s: host couldn't handle guest format %d\n",
- __func__, c2d.format);
-+ g_free(res);
- cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER;
- return;
- }
---
-2.1.4
-
diff --git a/debian/patches/extra/CVE-2016-7995-usb-ehci-fix-memory-leak-in-ehci_process_itd.patch b/debian/patches/extra/CVE-2016-7995-usb-ehci-fix-memory-leak-in-ehci_process_itd.patch
deleted file mode 100644
index fc1c382..0000000
--- a/debian/patches/extra/CVE-2016-7995-usb-ehci-fix-memory-leak-in-ehci_process_itd.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 91a16e6e51a4e046d59379fc83b9dfc1e860e9c7 Mon Sep 17 00:00:00 2001
-From: Li Qiang
-Date: Sat, 8 Oct 2016 11:58:03 +0300
-Subject: [PATCH 2/2] usb: ehci: fix memory leak in ehci_process_itd
-
-While processing isochronous transfer descriptors(iTD), if the page
-select(PG) field value is out of bands it will return. In this
-situation the ehci's sg list is not freed thus leading to a memory
-leak issue. This patch avoid this.
-
-Signed-off-by: Li Qiang
-Reviewed-by: Thomas Huth
-Signed-off-by: Michael Tokarev
---
- hw/usb/hcd-ehci.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
-index b093db7..f4ece9a 100644
---- a/hw/usb/hcd-ehci.c
-+++ b/hw/usb/hcd-ehci.c
-@@ -1426,6 +1426,7 @@ static int ehci_process_itd(EHCIState *ehci,
- if (off + len > 4096) {
- /* transfer crosses page border */
- if (pg == 6) {
-+ qemu_sglist_destroy(&ehci->isgl);
- return -1; /* avoid page pg + 1 */
- }
- ptr2 = (itd->bufptr[pg + 1] & ITD_BUFPTR_MASK);
---
-2.1.4
-
diff --git a/debian/patches/extra/CVE-2016-8576-xhci-limit-the-number-of-link-trbs-we-are-willing-to.patch b/debian/patches/extra/CVE-2016-8576-xhci-limit-the-number-of-link-trbs-we-are-willing-to.patch
deleted file mode 100644
index 7019960..0000000
--- a/debian/patches/extra/CVE-2016-8576-xhci-limit-the-number-of-link-trbs-we-are-willing-to.patch
+++ /dev/null
@@ -1,69 +0,0 @@ -From b5ef1754de94247de307044b19e6bc3fa0ad5ba8 Mon Sep 17 00:00:00 2001 -From: Gerd Hoffmann -Date: Mon, 10 Oct 2016 12:46:22 +0200 -Subject: [PATCH 2/4] xhci: limit the number of link trbs we are willing to - process - -Needed to avoid we run in circles forever in case the guest builds -an endless loop with link trbs. - -Reported-by: Li Qiang -Tested-by: P J P -Signed-off-by: Gerd Hoffmann -Message-id: 1476096382-7981-1-git-send-email-kraxel@redhat.com ---- - hw/usb/hcd-xhci.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c -index 281a2a5..8a9a31a 100644 ---- a/hw/usb/hcd-xhci.c -+++ b/hw/usb/hcd-xhci.c -@@ -54,6 +54,8 @@ - * to the specs when it gets them */ - #define ER_FULL_HACK - -+#define TRB_LINK_LIMIT 4 -+ - #define LEN_CAP 0x40 - #define LEN_OPER (0x400 + 0x10 * MAXPORTS) - #define LEN_RUNTIME ((MAXINTRS + 1) * 0x20) -@@ -1000,6 +1002,7 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb, - dma_addr_t *addr) - { - PCIDevice *pci_dev = PCI_DEVICE(xhci); -+ uint32_t link_cnt = 0; - - while (1) { - TRBType type; -@@ -1026,6 +1029,9 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb, - ring->dequeue += TRB_SIZE; - return type; - } else { -+ if (++link_cnt > TRB_LINK_LIMIT) { -+ return 0; -+ } - ring->dequeue = xhci_mask64(trb->parameter); - if (trb->control & TRB_LK_TC) { - ring->ccs = !ring->ccs; -@@ -1043,6 +1049,7 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring) - bool ccs = ring->ccs; - /* hack to bundle together the two/three TDs that make a setup transfer */ - bool control_td_set = 0; -+ uint32_t link_cnt = 0; - - while (1) { - TRBType type; -@@ -1058,6 +1065,9 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring) - type = TRB_TYPE(trb); - - if (type == TR_LINK) { -+ if (++link_cnt > TRB_LINK_LIMIT) { -+ return -length; -+ } - dequeue = xhci_mask64(trb.parameter); - if 
(trb.control & TRB_LK_TC) { - ccs = !ccs; --- -2.1.4 - diff --git a/debian/patches/extra/CVE-2016-8577-9pfs-fix-potential-host-memory-leak-in-v9fs_read.patch b/debian/patches/extra/CVE-2016-8577-9pfs-fix-potential-host-memory-leak-in-v9fs_read.patch deleted file mode 100644 index 6583894..0000000 --- a/debian/patches/extra/CVE-2016-8577-9pfs-fix-potential-host-memory-leak-in-v9fs_read.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 8794fc68736fda80d7191f100c03c960a5ef1224 Mon Sep 17 00:00:00 2001 -From: Li Qiang -Date: Tue, 11 Oct 2016 09:27:45 +0200 -Subject: [PATCH 3/4] 9pfs: fix potential host memory leak in v9fs_read - -In 9pfs read dispatch function, it doesn't free two QEMUIOVector -object thus causing potential memory leak. This patch avoid this. - -Signed-off-by: Li Qiang -Signed-off-by: Greg Kurz ---- - hw/9pfs/9p.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c -index dfe293d..54e18a2 100644 ---- a/hw/9pfs/9p.c -+++ b/hw/9pfs/9p.c -@@ -1812,14 +1812,15 @@ static void v9fs_read(void *opaque) - if (len < 0) { - /* IO error return the error */ - err = len; -- goto out; -+ goto out_free_iovec; - } - } while (count < max_count && len > 0); - err = pdu_marshal(pdu, offset, "d", count); - if (err < 0) { -- goto out; -+ goto out_free_iovec; - } - err += offset + count; -+out_free_iovec: - qemu_iovec_destroy(&qiov); - qemu_iovec_destroy(&qiov_full); - } else if (fidp->fid_type == P9_FID_XATTR) { --- -2.1.4 - diff --git a/debian/patches/extra/CVE-2016-8578-9pfs-allocate-space-for-guest-originated-empty-strin.patch b/debian/patches/extra/CVE-2016-8578-9pfs-allocate-space-for-guest-originated-empty-strin.patch deleted file mode 100644 index 3ba78c8..0000000 --- a/debian/patches/extra/CVE-2016-8578-9pfs-allocate-space-for-guest-originated-empty-strin.patch +++ /dev/null 
@@ -1,58 +0,0 @@ -From 630abd0c70f272b36361348e9ee7d6a71577b72f Mon Sep 17 00:00:00 2001 -From: Li Qiang -Date: Tue, 11 Oct 2016 09:27:45 +0200 -Subject: [PATCH 4/4] 9pfs: allocate space for guest originated empty strings - -If a guest sends an empty string paramater to any 9P operation, the current -code unmarshals it into a V9fsString equal to { .size = 0, .data = NULL }. - -This is unfortunate because it can cause NULL pointer dereference to happen -at various locations in the 9pfs code. And we don't want to check str->data -everywhere we pass it to strcmp() or any other function which expects a -dereferenceable pointer. - -This patch enforces the allocation of genuine C empty strings instead, so -callers don't have to bother. - -Out of all v9fs_iov_vunmarshal() users, only v9fs_xattrwalk() checks if -the returned string is empty. It now uses v9fs_string_size() since -name.data cannot be NULL anymore. - -Signed-off-by: Li Qiang -[groug, rewritten title and changelog, - fix empty string check in v9fs_xattrwalk()] -Signed-off-by: Greg Kurz ---- - fsdev/9p-iov-marshal.c | 2 +- - hw/9pfs/9p.c | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/fsdev/9p-iov-marshal.c b/fsdev/9p-iov-marshal.c -index 663cad5..1d16f8d 100644 ---- a/fsdev/9p-iov-marshal.c -+++ b/fsdev/9p-iov-marshal.c -@@ -125,7 +125,7 @@ ssize_t v9fs_iov_vunmarshal(struct iovec *out_sg, int out_num, size_t offset, - str->data = g_malloc(str->size + 1); - copied = v9fs_unpack(str->data, out_sg, out_num, offset, - str->size); -- if (copied > 0) { -+ if (copied >= 0) { - str->data[str->size] = 0; - } else { - v9fs_string_free(str); -diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c -index 54e18a2..75ba5f1 100644 ---- a/hw/9pfs/9p.c -+++ b/hw/9pfs/9p.c -@@ -3161,7 +3161,7 @@ static void v9fs_xattrwalk(void *opaque) - goto out; - } - v9fs_path_copy(&xattr_fidp->path, &file_fidp->path); -- if (name.data == NULL) { -+ if (!v9fs_string_size(&name)) { - /* - * listxattr request. 
Get the size first - */ --- -2.1.4 - diff --git a/debian/patches/extra/CVE-2016-8668-net-rocker-set-limit-to-DMA-buffer-size.patch b/debian/patches/extra/CVE-2016-8668-net-rocker-set-limit-to-DMA-buffer-size.patch deleted file mode 100644 index be0743d..0000000 --- a/debian/patches/extra/CVE-2016-8668-net-rocker-set-limit-to-DMA-buffer-size.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 0d3ac427e34f12b1a33646d47ef3dc390a9b569d Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit -Date: Wed, 12 Oct 2016 14:40:55 +0530 -Subject: [PATCH 1/2] net: rocker: set limit to DMA buffer size - -Rocker network switch emulator has test registers to help debug -DMA operations. While testing host DMA access, a buffer address -is written to register 'TEST_DMA_ADDR' and its size is written to -register 'TEST_DMA_SIZE'. When performing TEST_DMA_CTRL_INVERT -test, if DMA buffer size was greater than 'INT_MAX', it leads to -an invalid buffer access. Limit the DMA buffer size to avoid it. - -Reported-by: Huawei PSIRT -Signed-off-by: Prasad J Pandit ---- - hw/net/rocker/rocker.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hw/net/rocker/rocker.c b/hw/net/rocker/rocker.c -index 30f2ce4..e9d215a 100644 ---- a/hw/net/rocker/rocker.c -+++ b/hw/net/rocker/rocker.c -@@ -860,7 +860,7 @@ static void rocker_io_writel(void *opaque, hwaddr addr, uint32_t val) - rocker_msix_irq(r, val); - break; - case ROCKER_TEST_DMA_SIZE: -- r->test_dma_size = val; -+ r->test_dma_size = val & 0xFFFF; - break; - case ROCKER_TEST_DMA_ADDR + 4: - r->test_dma_addr = ((uint64_t)val) << 32 | r->lower32; --- -2.1.4 - diff --git a/debian/patches/extra/CVE-2016-8669-char-serial-check-divider-value-against-baud-base.patch b/debian/patches/extra/CVE-2016-8669-char-serial-check-divider-value-against-baud-base.patch deleted file mode 100644 index 4ccf213..0000000 --- a/debian/patches/extra/CVE-2016-8669-char-serial-check-divider-value-against-baud-base.patch +++ /dev/null 
@@ -1,35 +0,0 @@
-From 7e0ebfd13e55a706396197437f375692bbf75d15 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit
-Date: Wed, 12 Oct 2016 11:28:08 +0530
-Subject: [PATCH 2/2] char: serial: check divider value against baud base
-
-16550A UART device uses an oscillator to generate frequencies
-(baud base), which decide communication speed. This speed could
-be changed by dividing it by a divider. If the divider is
-greater than the baud base, speed is set to zero, leading to a
-divide by zero error. Add check to avoid it.
-
-Reported-by: Huawei PSIRT
-Signed-off-by: Prasad J Pandit
---
- hw/char/serial.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/hw/char/serial.c b/hw/char/serial.c
-index 3442f47..eec72b7 100644
---- a/hw/char/serial.c
-+++ b/hw/char/serial.c
-@@ -153,8 +153,9 @@ static void serial_update_parameters(SerialState *s)
- int speed, parity, data_bits, stop_bits, frame_size;
- QEMUSerialSetParams ssp;
-
-- if (s->divider == 0)
-+ if (s->divider == 0 || s->divider > s->baudbase) {
- return;
-+ }
-
- /* Start bit. */
- frame_size = 1;
---
-2.1.4
-
diff --git a/debian/patches/extra/CVE-2016-8909-audio-intel-hda-check-stream-entry-count-during-tran.patch b/debian/patches/extra/CVE-2016-8909-audio-intel-hda-check-stream-entry-count-during-tran.patch
deleted file mode 100644
index d8102b3..0000000
--- a/debian/patches/extra/CVE-2016-8909-audio-intel-hda-check-stream-entry-count-during-tran.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From ad0e6e88e0432aa1e6c75f52a6b3b4bf463e2563 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit
-Date: Thu, 20 Oct 2016 13:10:24 +0530
-Subject: [PATCH 1/8] audio: intel-hda: check stream entry count during
- transfer
-
-Intel HDA emulator uses stream of buffers during DMA data
-transfers. Each entry has buffer length and buffer pointer
-position, which are used to derive bytes to 'copy'. If this
-length and buffer pointer were to be same, 'copy' could be
-set to zero(0), leading to an infinite loop. Add check to
-avoid it.
-
-Reported-by: Huawei PSIRT
-Signed-off-by: Prasad J Pandit
-Reviewed-by: Stefan Hajnoczi
-Message-id: 1476949224-6865-1-git-send-email-ppandit@redhat.com
-Signed-off-by: Gerd Hoffmann
---
- hw/audio/intel-hda.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c
-index cd95340..537face 100644
---- a/hw/audio/intel-hda.c
-+++ b/hw/audio/intel-hda.c
-@@ -416,7 +416,8 @@ static bool intel_hda_xfer(HDACodecDevice *dev, uint32_t stnr, bool output,
- }
-
- left = len;
-- while (left > 0) {
-+ s = st->bentries;
-+ while (left > 0 && s-- > 0) {
- copy = left;
- if (copy > st->bsize - st->lpib)
- copy = st->bsize - st->lpib;
---
-2.1.4
-
diff --git a/debian/patches/extra/CVE-2016-9101-net-eepro100-fix-memory-leak-in-device-uninit.patch b/debian/patches/extra/CVE-2016-9101-net-eepro100-fix-memory-leak-in-device-uninit.patch
deleted file mode 100644
index 0ae895a..0000000
--- a/debian/patches/extra/CVE-2016-9101-net-eepro100-fix-memory-leak-in-device-uninit.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 1fab838b55ee7cc199b105d80de4a80f336231b3 Mon Sep 17 00:00:00 2001
-From: Li Qiang
-Date: Sat, 8 Oct 2016 05:07:25 -0700
-Subject: [PATCH 3/8] net: eepro100: fix memory leak in device uninit
-
-The exit dispatch of eepro100 network card device doesn't free
-the 's->vmstate' field which was allocated in device realize thus
-leading a host memory leak. This patch avoid this.
-
-Signed-off-by: Li Qiang
-Signed-off-by: Jason Wang
----
- hw/net/eepro100.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/hw/net/eepro100.c b/hw/net/eepro100.c
-index bab4dbf..4bf71f2 100644
---- a/hw/net/eepro100.c
-+++ b/hw/net/eepro100.c
-@@ -1843,6 +1843,7 @@ static void pci_nic_uninit(PCIDevice *pci_dev)
- EEPRO100State *s = DO_UPCAST(EEPRO100State, dev, pci_dev);
-
- vmstate_unregister(&pci_dev->qdev, s->vmstate, s);
-+ g_free(s->vmstate);
- eeprom93xx_free(&pci_dev->qdev, s->eeprom);
- qemu_del_nic(s->nic);
- }
---
-2.1.4
-
diff --git a/debian/patches/extra/CVE-2016-9102-9pfs-fix-memory-leak-in-v9fs_xattrcreate.patch b/debian/patches/extra/CVE-2016-9102-9pfs-fix-memory-leak-in-v9fs_xattrcreate.patch
deleted file mode 100644
index cad4baf..0000000
--- a/debian/patches/extra/CVE-2016-9102-9pfs-fix-memory-leak-in-v9fs_xattrcreate.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From f132108afabf074403afadf822ad2d2275d115cd Mon Sep 17 00:00:00 2001
-From: Li Qiang
-Date: Mon, 17 Oct 2016 14:13:58 +0200
-Subject: [PATCH 5/8] 9pfs: fix memory leak in v9fs_xattrcreate
-
-The 'fs.xattr.value' field in V9fsFidState object doesn't consider the
-situation that this field has been allocated previously. Every time, it
-will be allocated directly. This leads to a host memory leak issue if
-the client sends another Txattrcreate message with the same fid number
-before the fid from the previous time got clunked.
-
-Signed-off-by: Li Qiang
-Reviewed-by: Greg Kurz
-[groug, updated the changelog to indicate how the leak can occur]
-Signed-off-by: Greg Kurz
----
- hw/9pfs/9p.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
-index 3becdd0..f5af4e3 100644
---- a/hw/9pfs/9p.c
-+++ b/hw/9pfs/9p.c
-@@ -3269,6 +3269,7 @@ static void v9fs_xattrcreate(void *opaque)
- xattr_fidp->fs.xattr.flags = flags;
- v9fs_string_init(&xattr_fidp->fs.xattr.name);
- v9fs_string_copy(&xattr_fidp->fs.xattr.name, &name);
-+ g_free(xattr_fidp->fs.xattr.value);
- xattr_fidp->fs.xattr.value = g_malloc0(size);
- err = offset;
- put_fid(pdu, file_fidp);
---
-2.1.4
-
diff --git a/debian/patches/extra/CVE-2016-9103-9pfs-fix-information-leak-in-xattr-read.patch b/debian/patches/extra/CVE-2016-9103-9pfs-fix-information-leak-in-xattr-read.patch
deleted file mode 100644
index 7d84422..0000000
--- a/debian/patches/extra/CVE-2016-9103-9pfs-fix-information-leak-in-xattr-read.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 644566ea6fe2896b6b171797cfe6e7219939d968 Mon Sep 17 00:00:00 2001
-From: Li Qiang
-Date: Mon, 17 Oct 2016 14:13:58 +0200
-Subject: [PATCH 4/8] 9pfs: fix information leak in xattr read
-
-9pfs uses g_malloc() to allocate the xattr memory space, if the guest
-reads this memory before writing to it, this will leak host heap memory
-to the guest. This patch avoid this.
-
-Signed-off-by: Li Qiang
-Reviewed-by: Greg Kurz
-Signed-off-by: Greg Kurz
----
- hw/9pfs/9p.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
-index 75ba5f1..3becdd0 100644
---- a/hw/9pfs/9p.c
-+++ b/hw/9pfs/9p.c
-@@ -3269,7 +3269,7 @@ static void v9fs_xattrcreate(void *opaque)
- xattr_fidp->fs.xattr.flags = flags;
- v9fs_string_init(&xattr_fidp->fs.xattr.name);
- v9fs_string_copy(&xattr_fidp->fs.xattr.name, &name);
-- xattr_fidp->fs.xattr.value = g_malloc(size);
-+ xattr_fidp->fs.xattr.value = g_malloc0(size);
- err = offset;
- put_fid(pdu, file_fidp);
- out_nofid:
---
-2.1.4
-
diff --git a/debian/patches/extra/CVE-2016-9104-9pfs-fix-integer-overflow-issue-in-xattr-read-write.patch b/debian/patches/extra/CVE-2016-9104-9pfs-fix-integer-overflow-issue-in-xattr-read-write.patch
deleted file mode 100644
index eec6b2a..0000000
--- a/debian/patches/extra/CVE-2016-9104-9pfs-fix-integer-overflow-issue-in-xattr-read-write.patch
+++ /dev/null
@@ -1,92 +0,0 @@ -From 86a37b0a0ed8f32db819782ca4a367712ece1453 Mon Sep 17 00:00:00 2001 -From: Li Qiang -Date: Tue, 1 Nov 2016 12:00:40 +0100 -Subject: [PATCH 8/8] 9pfs: fix integer overflow issue in xattr read/write -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The v9fs_xattr_read() and v9fs_xattr_write() are passed a guest -originated offset: they must ensure this offset does not go beyond -the size of the extended attribute that was set in v9fs_xattrcreate(). -Unfortunately, the current code implement these checks with unsafe -calculations on 32 and 64 bit values, which may allow a malicious -guest to cause OOB access anyway. - -Fix this by comparing the offset and the xattr size, which are -both uint64_t, before trying to compute the effective number of bytes -to read or write. - -Suggested-by: Greg Kurz -Signed-off-by: Li Qiang -Reviewed-by: Greg Kurz -Reviewed-By: Guido Günther -Signed-off-by: Greg Kurz ---- - hw/9pfs/9p.c | 32 ++++++++++++-------------------- - 1 file changed, 12 insertions(+), 20 deletions(-) - -diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c -index af07846..fc4f2cd 100644 ---- a/hw/9pfs/9p.c -+++ b/hw/9pfs/9p.c -@@ -1628,20 +1628,17 @@ static int v9fs_xattr_read(V9fsState *s, V9fsPDU *pdu, V9fsFidState *fidp, - { - ssize_t err; - size_t offset = 7; -- int read_count; -- int64_t xattr_len; -+ uint64_t read_count; - V9fsVirtioState *v = container_of(s, V9fsVirtioState, state); - VirtQueueElement *elem = v->elems[pdu->idx]; - -- xattr_len = fidp->fs.xattr.len; -- read_count = xattr_len - off; -+ if (fidp->fs.xattr.len < off) { -+ read_count = 0; -+ } else { -+ read_count = fidp->fs.xattr.len - off; -+ } - if (read_count > max_count) { - read_count = max_count; -- } else if (read_count < 0) { -- /* -- * read beyond XATTR value -- */ -- read_count = 0; - } - err = pdu_marshal(pdu, offset, "d", read_count); - if (err < 0) { -@@ -1969,23 +1966,18 @@ static int v9fs_xattr_write(V9fsState *s, V9fsPDU 
*pdu, V9fsFidState *fidp, - { - int i, to_copy; - ssize_t err = 0; -- int write_count; -- int64_t xattr_len; -+ uint64_t write_count; - size_t offset = 7; - - -- xattr_len = fidp->fs.xattr.len; -- write_count = xattr_len - off; -- if (write_count > count) { -- write_count = count; -- } else if (write_count < 0) { -- /* -- * write beyond XATTR value len specified in -- * xattrcreate -- */ -+ if (fidp->fs.xattr.len < off) { - err = -ENOSPC; - goto out; - } -+ write_count = fidp->fs.xattr.len - off; -+ if (write_count > count) { -+ write_count = count; -+ } - err = pdu_marshal(pdu, offset, "d", write_count); - if (err < 0) { - return err; --- -2.1.4 - diff --git a/debian/patches/extra/CVE-2016-9105-9pfs-fix-memory-leak-in-v9fs_link.patch b/debian/patches/extra/CVE-2016-9105-9pfs-fix-memory-leak-in-v9fs_link.patch deleted file mode 100644 index 9138249..0000000 --- a/debian/patches/extra/CVE-2016-9105-9pfs-fix-memory-leak-in-v9fs_link.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 94979ec1a852871eaee150cb56f0e8cac4316e35 Mon Sep 17 00:00:00 2001 -From: Li Qiang -Date: Mon, 17 Oct 2016 14:13:58 +0200 -Subject: [PATCH 6/8] 9pfs: fix memory leak in v9fs_link - -The v9fs_link() function keeps a reference on the source fid object. This -causes a memory leak since the reference never goes down to 0. This patch -fixes the issue. - -Signed-off-by: Li Qiang -Reviewed-by: Greg Kurz -[groug, rephrased the changelog] -Signed-off-by: Greg Kurz ---- - hw/9pfs/9p.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c -index f5af4e3..aa2b8c0 100644 ---- a/hw/9pfs/9p.c -+++ b/hw/9pfs/9p.c -@@ -2403,6 +2403,7 @@ static void v9fs_link(void *opaque) - if (!err) { - err = offset; - } -+ put_fid(pdu, oldfidp); - out: - put_fid(pdu, dfidp); - out_nofid: --- -2.1.4 - 
diff --git a/debian/patches/extra/CVE-2016-9106-9pfs-fix-memory-leak-in-v9fs_write.patch b/debian/patches/extra/CVE-2016-9106-9pfs-fix-memory-leak-in-v9fs_write.patch
deleted file mode 100644
index 3ee8b50..0000000
--- a/debian/patches/extra/CVE-2016-9106-9pfs-fix-memory-leak-in-v9fs_write.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 2c5bcb2d5f32ffcf5064d3557e44836fa70700be Mon Sep 17 00:00:00 2001
-From: Li Qiang
-Date: Mon, 17 Oct 2016 14:13:58 +0200
-Subject: [PATCH 7/8] 9pfs: fix memory leak in v9fs_write
-
-If an error occurs when marshalling the transfer length to the guest, the
-v9fs_write() function doesn't free an IO vector, thus leading to a memory
-leak. This patch fixes the issue.
-
-Signed-off-by: Li Qiang
-Reviewed-by: Greg Kurz
-[groug, rephrased the changelog]
-Signed-off-by: Greg Kurz
----
- hw/9pfs/9p.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
-index aa2b8c0..af07846 100644
---- a/hw/9pfs/9p.c
-+++ b/hw/9pfs/9p.c
-@@ -2080,7 +2080,7 @@ static void v9fs_write(void *opaque)
- offset = 7;
- err = pdu_marshal(pdu, offset, "d", total);
- if (err < 0) {
-- goto out;
-+ goto out_qiov;
- }
- err += offset;
- trace_v9fs_write_return(pdu->tag, pdu->id, total, err);
---
-2.1.4
-
diff --git a/debian/patches/extra/CVE-2016-9776-net-mcf-check-receive-buffer-size-register-value.patch b/debian/patches/extra/CVE-2016-9776-net-mcf-check-receive-buffer-size-register-value.patch
deleted file mode 100644
index 85fa543..0000000
--- a/debian/patches/extra/CVE-2016-9776-net-mcf-check-receive-buffer-size-register-value.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 2a4848046ad64db5cb1c1090565a28a5cb2c518e Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit
-Date: Tue, 29 Nov 2016 00:38:39 +0530
-Subject: [PATCH 01/12] net: mcf: check receive buffer size register value
-
-ColdFire Fast Ethernet Controller uses a receive buffer size
-register(EMRBR) to hold maximum size of all receive buffers.
-It is set by a user before any operation. If it was set to be
-zero, ColdFire emulator would go into an infinite loop while
-receiving data in mcf_fec_receive. Add check to avoid it.
-
-Reported-by: Wjjzhang
-Signed-off-by: Prasad J Pandit
-Signed-off-by: Jason Wang
----
- hw/net/mcf_fec.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/net/mcf_fec.c b/hw/net/mcf_fec.c
-index d31fea1..3d4b3b3 100644
---- a/hw/net/mcf_fec.c
-+++ b/hw/net/mcf_fec.c
-@@ -393,7 +393,7 @@ static void mcf_fec_write(void *opaque, hwaddr addr,
- s->tx_descriptor = s->etdsr;
- break;
- case 0x188:
-- s->emrbr = value & 0x7f0;
-+ s->emrbr = value > 0 ? value & 0x7F0 : 0x7F0;
- break;
- default:
- hw_error("mcf_fec_write Bad address 0x%x\n", (int)addr);
---
-2.1.4
-
diff --git a/debian/patches/extra/CVE-2016-9845-virtio-gpu-fix-information-leak-in-getting-capset-in.patch b/debian/patches/extra/CVE-2016-9845-virtio-gpu-fix-information-leak-in-getting-capset-in.patch
deleted file mode 100644
index 8bec00a..0000000
--- a/debian/patches/extra/CVE-2016-9845-virtio-gpu-fix-information-leak-in-getting-capset-in.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 71ee39ea06cbcbd1971213aa1f3a9036c50b6a57 Mon Sep 17 00:00:00 2001
-From: Li Qiang
-Date: Tue, 1 Nov 2016 02:53:11 -0700
-Subject: [PATCH 02/12] virtio-gpu: fix information leak in getting capset info
- dispatch
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-In virgl_cmd_get_capset_info dispatch function, the 'resp' hasn't
-been full initialized before writing to the guest. This will leak
-the 'resp.padding' and 'resp.hdr.padding' fieds to the guest. This
-patch fix this issue.
-
-Signed-off-by: Li Qiang
-Message-id: 5818661e.0860240a.77264.7a56@mx.google.com
-Reviewed-by: Marc-André Lureau
-Signed-off-by: Gerd Hoffmann
----
- hw/display/virtio-gpu-3d.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
-index 758d33a..23f39de 100644
---- a/hw/display/virtio-gpu-3d.c
-+++ b/hw/display/virtio-gpu-3d.c
-@@ -347,6 +347,7 @@ static void virgl_cmd_get_capset_info(VirtIOGPU *g,
-
- VIRTIO_GPU_FILL_CMD(info);
-
-+ memset(&resp, 0, sizeof(resp));
- if (info.capset_index == 0) {
- resp.capset_id = VIRTIO_GPU_CAPSET_VIRGL;
- virgl_renderer_get_cap_set(resp.capset_id,
---
-2.1.4
-
diff --git a/debian/patches/extra/CVE-2016-9846-virtio-gpu-fix-memory-leak-in-update_cursor_data_vir.patch b/debian/patches/extra/CVE-2016-9846-virtio-gpu-fix-memory-leak-in-update_cursor_data_vir.patch
deleted file mode 100644
index 4ba5aa7..0000000
--- a/debian/patches/extra/CVE-2016-9846-virtio-gpu-fix-memory-leak-in-update_cursor_data_vir.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 74a46afa58632277063ca4990cf0c954f342dd7d Mon Sep 17 00:00:00 2001
-From: Li Qiang
-Date: Tue, 1 Nov 2016 04:06:58 -0700
-Subject: [PATCH 03/12] virtio-gpu: fix memory leak in update_cursor_data_virgl
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-In update_cursor_data_virgl function, if the 'width'/ 'height'
-is not equal to current cursor's width/height it will return
-without free the 'data' allocated previously. This will lead
-a memory leak issue. This patch fix this issue.
-
-Signed-off-by: Li Qiang
-Message-id: 58187760.41d71c0a.cca75.4cb9@mx.google.com
-Reviewed-by: Marc-André Lureau
-Signed-off-by: Gerd Hoffmann
----
- hw/display/virtio-gpu.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
-index 5b6d17b..41f8096 100644
---- a/hw/display/virtio-gpu.c
-+++ b/hw/display/virtio-gpu.c
-@@ -84,6 +84,7 @@ static void update_cursor_data_virgl(VirtIOGPU *g,
-
- if (width != s->current_cursor->width ||
- height != s->current_cursor->height) {
-+ free(data);
- return;
- }
-
---
-2.1.4
-
diff --git a/debian/patches/extra/CVE-2016-9907-usbredir-free-vm_change_state_handler-in-usbredir-de.patch b/debian/patches/extra/CVE-2016-9907-usbredir-free-vm_change_state_handler-in-usbredir-de.patch
deleted file mode 100644
index 39a5622..0000000
--- a/debian/patches/extra/CVE-2016-9907-usbredir-free-vm_change_state_handler-in-usbredir-de.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From 5bbb994dd062eb3950d67db3c6189dab0df7ec9b Mon Sep 17 00:00:00 2001
-From: Li Qiang
-Date: Mon, 7 Nov 2016 21:57:46 -0800
-Subject: [PATCH 04/12] usbredir: free vm_change_state_handler in usbredir
- destroy dispatch
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-In usbredir destroy dispatch function, it doesn't free the vm change
-state handler once registered in usbredir_realize function. This will
-lead a memory leak issue. This patch avoid this.
-
-Signed-off-by: Li Qiang
-Reviewed-by: Marc-André Lureau
-Message-id: 58216976.d0236b0a.77b99.bcd6@mx.google.com
-Signed-off-by: Gerd Hoffmann
----
- hw/usb/redirect.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
-index 444672a..42aeaa4 100644
---- a/hw/usb/redirect.c
-+++ b/hw/usb/redirect.c
-@@ -132,6 +132,7 @@ struct USBRedirDevice {
- struct usbredirfilter_rule *filter_rules;
- int filter_rules_count;
- int compatible_speedmask;
-+ VMChangeStateEntry *vmstate;
- };
-
- #define TYPE_USB_REDIR "usb-redir"
-@@ -1409,7 +1410,8 @@ static void usbredir_realize(USBDevice *udev, Error **errp)
- qemu_chr_add_handlers(dev->cs, usbredir_chardev_can_read,
- usbredir_chardev_read, usbredir_chardev_event, dev);
-
-- qemu_add_vm_change_state_handler(usbredir_vm_state_change, dev);
-+ dev->vmstate =
-+ qemu_add_vm_change_state_handler(usbredir_vm_state_change, dev);
- }
-
- static void usbredir_cleanup_device_queues(USBRedirDevice *dev)
-@@ -1446,6 +1448,7 @@ static void usbredir_handle_destroy(USBDevice *udev)
- }
-
- free(dev->filter_rules);
-+ qemu_del_vm_change_state_handler(dev->vmstate);
- }
-
- static int usbredir_check_filter(USBRedirDevice *dev)
---
-2.1.4
-
diff --git a/debian/patches/extra/CVE-2016-9908-virtio-gpu-fix-information-leak-in-capset-get-dispat.patch b/debian/patches/extra/CVE-2016-9908-virtio-gpu-fix-information-leak-in-capset-get-dispat.patch
deleted file mode 100644
index 7fe0533..0000000
--- a/debian/patches/extra/CVE-2016-9908-virtio-gpu-fix-information-leak-in-capset-get-dispat.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From bde803ceb42d6bddc06a1881c00acdf203214772 Mon Sep 17 00:00:00 2001
-From: Li Qiang
-Date: Tue, 1 Nov 2016 05:37:57 -0700
-Subject: [PATCH 10/12] virtio-gpu: fix information leak in capset get dispatch
-
-In virgl_cmd_get_capset function, it uses g_malloc to allocate
-a response struct to the guest. As the 'resp'struct hasn't been full
-initialized it will lead the 'resp->padding' field to the guest.
-Use g_malloc0 to avoid this.
-
-Signed-off-by: Li Qiang
----
- hw/display/virtio-gpu-3d.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
-index 23f39de..d98b140 100644
---- a/hw/display/virtio-gpu-3d.c
-+++ b/hw/display/virtio-gpu-3d.c
-@@ -371,7 +371,7 @@ static void virgl_cmd_get_capset(VirtIOGPU *g,
-
- virgl_renderer_get_cap_set(gc.capset_id, &max_ver,
- &max_size);
-- resp = g_malloc(sizeof(*resp) + max_size);
-+ resp = g_malloc0(sizeof(*resp) + max_size);
-
- resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
- virgl_renderer_fill_caps(gc.capset_id,
---
-2.1.4
-
diff --git a/debian/patches/extra/CVE-2016-9911-usb-ehci-fix-memory-leak-in-ehci_init_transfer.patch b/debian/patches/extra/CVE-2016-9911-usb-ehci-fix-memory-leak-in-ehci_init_transfer.patch
deleted file mode 100644
index fbe7cd5..0000000
--- a/debian/patches/extra/CVE-2016-9911-usb-ehci-fix-memory-leak-in-ehci_init_transfer.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 824f78bb0135cff4cb29e26c3de1cb4c2da35b46 Mon Sep 17 00:00:00 2001
-From: Li Qiang
-Date: Tue, 8 Nov 2016 04:11:10 -0800
-Subject: [PATCH 05/12] usb: ehci: fix memory leak in ehci_init_transfer
-
-In ehci_init_transfer function, if the 'cpage' is bigger than 4,
-it doesn't free the 'p->sgl' once allocated previously thus leading
-a memory leak issue. This patch avoid this.
-
-Signed-off-by: Li Qiang
-Message-id: 5821c0f4.091c6b0a.e0c92.e811@mx.google.com
-Signed-off-by: Gerd Hoffmann
----
- hw/usb/hcd-ehci.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
-index f4ece9a..7622a3a 100644
---- a/hw/usb/hcd-ehci.c
-+++ b/hw/usb/hcd-ehci.c
-@@ -1190,6 +1190,7 @@ static int ehci_init_transfer(EHCIPacket *p)
- while (bytes > 0) {
- if (cpage > 4) {
- fprintf(stderr, "cpage out of range (%d)\n", cpage);
-+ qemu_sglist_destroy(&p->sgl);
- return -1;
- }
-
---
-2.1.4
-
diff --git a/debian/patches/extra/CVE-2016-9912-virtio-gpu-call-cleanup-mapping-function-in-resource.patch b/debian/patches/extra/CVE-2016-9912-virtio-gpu-call-cleanup-mapping-function-in-resource.patch
deleted file mode 100644
index 94f51c8..0000000
--- a/debian/patches/extra/CVE-2016-9912-virtio-gpu-call-cleanup-mapping-function-in-resource.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From efc44f269fe72bab2c496f21809f6bef20d9c398 Mon Sep 17 00:00:00 2001
-From: Li Qiang
-Date: Mon, 28 Nov 2016 21:29:25 -0500
-Subject: [PATCH 11/12] virtio-gpu: call cleanup mapping function in resource
- destroy
-
-If the guest destroy the resource before detach banking, the 'iov'
-and 'addrs' field in resource is not freed thus leading memory
-leak issue. This patch avoid this.
-
-Signed-off-by: Li Qiang
----
- hw/display/virtio-gpu.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
-index 41f8096..8903dee 100644
---- a/hw/display/virtio-gpu.c
-+++ b/hw/display/virtio-gpu.c
-@@ -28,6 +28,8 @@
- static struct virtio_gpu_simple_resource*
- virtio_gpu_find_resource(VirtIOGPU *g, uint32_t resource_id);
-
-+static void virtio_gpu_cleanup_mapping(struct virtio_gpu_simple_resource *res);
-+
- #ifdef CONFIG_VIRGL
- #include
- #define VIRGL(_g, _virgl, _simple, ...) \
-@@ -359,6 +361,7 @@ static void virtio_gpu_resource_destroy(VirtIOGPU *g,
- struct virtio_gpu_simple_resource *res)
- {
- pixman_image_unref(res->image);
-+ virtio_gpu_cleanup_mapping(res);
- QTAILQ_REMOVE(&g->reslist, res, next);
- g_free(res);
- }
---
-2.1.4
-
diff --git a/debian/patches/extra/CVE-2016-9913-9pfs-adjust-the-order-of-resource-cleanup-in-device-.patch b/debian/patches/extra/CVE-2016-9913-9pfs-adjust-the-order-of-resource-cleanup-in-device-.patch
deleted file mode 100644
index 9db7466..0000000
--- a/debian/patches/extra/CVE-2016-9913-9pfs-adjust-the-order-of-resource-cleanup-in-device-.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 9be364d4b3bc173103bec0dc76259f40d232eb88 Mon Sep 17 00:00:00 2001
-From: Li Qiang
-Date: Wed, 23 Nov 2016 13:53:34 +0100
-Subject: [PATCH 06/12] 9pfs: adjust the order of resource cleanup in device
- unrealize
-
-Unrealize should undo things that were set during realize in
-reverse order. So should do in the error path in realize.
-
-Signed-off-by: Li Qiang
-Reviewed-by: Greg Kurz
-Signed-off-by: Greg Kurz
----
- hw/9pfs/9p.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
-index fc4f2cd..ced7b4c 100644
---- a/hw/9pfs/9p.c
-+++ b/hw/9pfs/9p.c
-@@ -3490,8 +3490,8 @@ int v9fs_device_realize_common(V9fsState *s, Error **errp)
- rc = 0;
- out:
- if (rc) {
-- g_free(s->ctx.fs_root);
- g_free(s->tag);
-+ g_free(s->ctx.fs_root);
- v9fs_path_free(&path);
- }
- return rc;
-@@ -3499,8 +3499,8 @@ out:
-
- void v9fs_device_unrealize_common(V9fsState *s, Error **errp)
- {
-- g_free(s->ctx.fs_root);
- g_free(s->tag);
-+ g_free(s->ctx.fs_root);
- }
-
- static void __attribute__((__constructor__)) v9fs_set_fd_limit(void)
---
-2.1.4
-
diff --git a/debian/patches/extra/CVE-2016-9914-9pfs-add-cleanup-operation-in-FileOperations.patch b/debian/patches/extra/CVE-2016-9914-9pfs-add-cleanup-operation-in-FileOperations.patch
deleted file mode 100644
index c6fc38d..0000000
--- a/debian/patches/extra/CVE-2016-9914-9pfs-add-cleanup-operation-in-FileOperations.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From f2ef9ae2a512fca1df0d56c226adc24ddf002b8b Mon Sep 17 00:00:00 2001
-From: Li Qiang
-Date: Wed, 23 Nov 2016 13:53:34 +0100
-Subject: [PATCH 07/12] 9pfs: add cleanup operation in FileOperations
-
-Currently, the backend of VirtFS doesn't have a cleanup
-function. This will lead resource leak issues if the backed
-driver allocates resources. This patch addresses this issue.
-
-Signed-off-by: Li Qiang
-Reviewed-by: Greg Kurz
-Signed-off-by: Greg Kurz
----
- fsdev/file-op-9p.h | 1 +
- hw/9pfs/9p.c | 6 ++++++
- 2 files changed, 7 insertions(+)
-
-diff --git a/fsdev/file-op-9p.h b/fsdev/file-op-9p.h
-index 6db9fea..a56dc84 100644
---- a/fsdev/file-op-9p.h
-+++ b/fsdev/file-op-9p.h
-@@ -100,6 +100,7 @@ struct FileOperations
- {
- int (*parse_opts)(QemuOpts *, struct FsDriverEntry *);
- int (*init)(struct FsContext *);
-+ void (*cleanup)(struct FsContext *);
- int (*lstat)(FsContext *, V9fsPath *, struct stat *);
- ssize_t (*readlink)(FsContext *, V9fsPath *, char *, size_t);
- int (*chmod)(FsContext *, V9fsPath *, FsCred *);
-diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
-index ced7b4c..f2a90d4 100644
---- a/hw/9pfs/9p.c
-+++ b/hw/9pfs/9p.c
-@@ -3490,6 +3490,9 @@ int v9fs_device_realize_common(V9fsState *s, Error **errp)
- rc = 0;
- out:
- if (rc) {
-+ if (s->ops->cleanup && s->ctx.private) {
-+ s->ops->cleanup(&s->ctx);
-+ }
- g_free(s->tag);
- g_free(s->ctx.fs_root);
- v9fs_path_free(&path);
-@@ -3499,6 +3502,9 @@ out:
-
- void v9fs_device_unrealize_common(V9fsState *s, Error **errp)
- {
-+ if (s->ops->cleanup) {
-+ s->ops->cleanup(&s->ctx);
-+ }
- g_free(s->tag);
- g_free(s->ctx.fs_root);
- }
---
-2.1.4
-
diff --git a/debian/patches/extra/CVE-2016-9915-9pfs-add-cleanup-operation-for-handle-backend-driver.patch b/debian/patches/extra/CVE-2016-9915-9pfs-add-cleanup-operation-for-handle-backend-driver.patch
deleted file mode 100644
index cc78623..0000000
--- a/debian/patches/extra/CVE-2016-9915-9pfs-add-cleanup-operation-for-handle-backend-driver.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 4196726e44c437793294af15d95e53164cf9a02d Mon Sep 17 00:00:00 2001
-From: Li Qiang
-Date: Wed, 23 Nov 2016 13:53:34 +0100
-Subject: [PATCH 08/12] 9pfs: add cleanup operation for handle backend driver
-
-In the init operation of handle backend dirver, it allocates a
-handle_data struct and opens a mount file. We should free these
-resources when the 9pfs device is unrealized. This is what this
-patch does.
-
-Signed-off-by: Li Qiang
-Reviewed-by: Greg Kurz
-Signed-off-by: Greg Kurz
----
- hw/9pfs/9p-handle.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/hw/9pfs/9p-handle.c b/hw/9pfs/9p-handle.c
-index 3d77594..1687661 100644
---- a/hw/9pfs/9p-handle.c
-+++ b/hw/9pfs/9p-handle.c
-@@ -649,6 +649,14 @@ out:
- return ret;
- }
-
-+static void handle_cleanup(FsContext *ctx)
-+{
-+ struct handle_data *data = ctx->private;
-+
-+ close(data->mountfd);
-+ g_free(data);
-+}
-+
- static int handle_parse_opts(QemuOpts *opts, struct FsDriverEntry *fse)
- {
- const char *sec_model = qemu_opt_get(opts, "security_model");
-@@ -671,6 +679,7 @@ static int handle_parse_opts(QemuOpts *opts, struct FsDriverEntry *fse)
- FileOperations handle_ops = {
- .parse_opts = handle_parse_opts,
- .init = handle_init,
-+ .cleanup = handle_cleanup,
- .lstat = handle_lstat,
- .readlink = handle_readlink,
- .close = handle_close,
---
-2.1.4
-
diff --git a/debian/patches/extra/CVE-2016-9916-9pfs-add-cleanup-operation-for-proxy-backend-driver.patch b/debian/patches/extra/CVE-2016-9916-9pfs-add-cleanup-operation-for-proxy-backend-driver.patch
deleted file mode 100644
index 78c49cb..0000000
--- a/debian/patches/extra/CVE-2016-9916-9pfs-add-cleanup-operation-for-proxy-backend-driver.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From ae9b5c9dae96dd8d3bdf9bb6b9a0f7a2d6f532f7 Mon Sep 17 00:00:00 2001
-From: Li Qiang
-Date: Wed, 23 Nov 2016 13:53:34 +0100
-Subject: [PATCH 09/12] 9pfs: add cleanup operation for proxy backend driver
-
-In the init operation of proxy backend dirver, it allocates a
-V9fsProxy struct and some other resources. We should free these
-resources when the 9pfs device is unrealized. This is what this
-patch does.
-
-Signed-off-by: Li Qiang
-Reviewed-by: Greg Kurz
-Signed-off-by: Greg Kurz
----
- hw/9pfs/9p-proxy.c | 13 +++++++++++++
- 1 file changed, 13 insertions(+)
-
-diff --git a/hw/9pfs/9p-proxy.c b/hw/9pfs/9p-proxy.c
-index f265501..336e9fe 100644
---- a/hw/9pfs/9p-proxy.c
-+++ b/hw/9pfs/9p-proxy.c
-@@ -1179,9 +1179,22 @@ static int proxy_init(FsContext *ctx)
- return 0;
- }
-
-+static void proxy_cleanup(FsContext *ctx)
-+{
-+ V9fsProxy *proxy = ctx->private;
-+
-+ g_free(proxy->out_iovec.iov_base);
-+ g_free(proxy->in_iovec.iov_base);
-+ if (ctx->export_flags & V9FS_PROXY_SOCK_NAME) {
-+ close(proxy->sockfd);
-+ }
-+ g_free(proxy);
-+}
-+
- FileOperations proxy_ops = {
- .parse_opts = proxy_parse_opts,
- .init = proxy_init,
-+ .cleanup = proxy_cleanup,
- .lstat = proxy_lstat,
- .readlink = proxy_readlink,
- .close = proxy_close,
---
-2.1.4
-
diff --git a/debian/patches/extra/CVE-2016-9921-display-cirrus-check-vga-bits-per-pixel-bpp-value.patch b/debian/patches/extra/CVE-2016-9921-display-cirrus-check-vga-bits-per-pixel-bpp-value.patch
deleted file mode 100644
index acaeb95..0000000
--- a/debian/patches/extra/CVE-2016-9921-display-cirrus-check-vga-bits-per-pixel-bpp-value.patch
+++ /dev/null
@@ -1,81 +0,0 @@ -From 9ec3cbedab41f93d2fbf742f2ca6705c2d68c3e1 Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit -Date: Tue, 18 Oct 2016 13:15:17 +0530 -Subject: [PATCH 12/12] display: cirrus: check vga bits per pixel(bpp) value - -In Cirrus CLGD 54xx VGA Emulator, if cirrus graphics mode is VGA, -'cirrus_get_bpp' returns zero(0), which could lead to a divide -by zero error in while copying pixel data. The same could occur -via blit pitch values. Add check to avoid it. - -Reported-by: Huawei PSIRT -Signed-off-by: Prasad J Pandit -Message-id: 1476776717-24807-1-git-send-email-ppandit@redhat.com -Signed-off-by: Gerd Hoffmann ---- - -Notes: - CVE-2016-9921 - CVE-2016-9922 - - hw/display/cirrus_vga.c | 14 ++++++++++---- - 1 file changed, 10 insertions(+), 4 deletions(-) - -diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c -index 3d712d5..bdb092e 100644 ---- a/hw/display/cirrus_vga.c -+++ b/hw/display/cirrus_vga.c -@@ -272,6 +272,9 @@ static void cirrus_update_memory_access(CirrusVGAState *s); - static bool blit_region_is_unsafe(struct CirrusVGAState *s, - int32_t pitch, int32_t addr) - { -+ if (!pitch) { -+ return true; -+ } - if (pitch < 0) { - int64_t min = addr - + ((int64_t)s->cirrus_blt_height-1) * pitch; -@@ -715,7 +718,7 @@ static int cirrus_bitblt_videotovideo_patterncopy(CirrusVGAState * s) - s->cirrus_addr_mask)); - } - --static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h) -+static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h) - { - int sx = 0, sy = 0; - int dx = 0, dy = 0; -@@ -729,6 +732,9 @@ static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h) - int width, height; - - depth = s->vga.get_bpp(&s->vga) / 8; -+ if (!depth) { -+ return 0; -+ } - s->vga.get_resolution(&s->vga, &width, &height); - - /* extra x, y */ -@@ -783,6 +789,8 @@ static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h) - cirrus_invalidate_region(s, s->cirrus_blt_dstaddr, - 
s->cirrus_blt_dstpitch, s->cirrus_blt_width, - s->cirrus_blt_height); -+ -+ return 1; - } - - static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s) -@@ -790,11 +798,9 @@ static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s) - if (blit_is_unsafe(s)) - return 0; - -- cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr, -+ return cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr, - s->cirrus_blt_srcaddr - s->vga.start_addr, - s->cirrus_blt_width, s->cirrus_blt_height); -- -- return 1; - } - - /*************************************** --- -2.1.4 - diff --git a/debian/patches/extra/CVE-2017-2620_cirrus_add_blit_is_unsafe_call_to_cirrus_bitblt_cputovideo.patch b/debian/patches/extra/CVE-2017-2620_cirrus_add_blit_is_unsafe_call_to_cirrus_bitblt_cputovideo.patch deleted file mode 100644 index 36f1158..0000000 --- a/debian/patches/extra/CVE-2017-2620_cirrus_add_blit_is_unsafe_call_to_cirrus_bitblt_cputovideo.patch +++ /dev/null 
@@ -1,52 +0,0 @@
-From d775c497a84a5c4be3f15cca85ca8440dd5880a0 Mon Sep 17 00:00:00 2001
-From: Gerd Hoffmann
-Date: Wed, 22 Feb 2017 13:42:31 +0100
-Subject: [PATCH qemu] cirrus: add blit_is_unsafe call to
- cirrus_bitblt_cputovideo (CVE-2017-2620)
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-CIRRUS_BLTMODE_MEMSYSSRC blits do NOT check blit destination
-and blit width, at all. Oops. Fix it.
-
-Security impact: high.
-
-The missing blit destination check allows to write to host memory.
-Basically same as CVE-2014-8106 for the other blit variants.
-
-Signed-off-by: Gerd Hoffmann
-Message-id: 1487679663-3264-1-git-send-email-kraxel@redhat.com
----
- hw/display/cirrus_vga.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
-index 1deb520..b9e7cb1 100644
---- a/hw/display/cirrus_vga.c
-+++ b/hw/display/cirrus_vga.c
-@@ -900,6 +900,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s)
- {
- int w;
-
-+ if (blit_is_unsafe(s, true)) {
-+ return 0;
-+ }
-+
- s->cirrus_blt_mode &= ~CIRRUS_BLTMODE_MEMSYSSRC;
- s->cirrus_srcptr = &s->cirrus_bltbuf[0];
- s->cirrus_srcptr_end = &s->cirrus_bltbuf[0];
-@@ -925,6 +929,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s)
- }
- s->cirrus_srccounter = s->cirrus_blt_srcpitch * s->cirrus_blt_height;
- }
-+
-+ /* the blit_is_unsafe call above should catch this */
-+ assert(s->cirrus_blt_srcpitch <= CIRRUS_BLTBUFSIZE);
-+
- s->cirrus_srcptr = s->cirrus_bltbuf;
- s->cirrus_srcptr_end = s->cirrus_bltbuf + s->cirrus_blt_srcpitch;
- cirrus_update_memory_access(s);
---
-2.1.4
-
diff --git a/debian/patches/extra/x86-lapic-Load-LAPIC-state-at-post_load.patch b/debian/patches/extra/x86-lapic-Load-LAPIC-state-at-post_load.patch
deleted file mode 100644
index 2f77865..0000000
--- a/debian/patches/extra/x86-lapic-Load-LAPIC-state-at-post_load.patch
+++ /dev/null
@@ -1,133 +0,0 @@ -From 385c66564aad5fbbe303e0d2ee5e8ffd9c10bc23 Mon Sep 17 00:00:00 2001 -From: "Dr. David Alan Gilbert" -Date: Mon, 12 Sep 2016 18:18:35 +0100 -Subject: [PATCH 04/36] x86/lapic: Load LAPIC state at post_load - -Load the LAPIC state during post_load (rather than when the CPU -starts). - -This allows an interrupt to be delivered from the ioapic to -the lapic prior to cpu loading, in particular the RTC that starts -ticking as soon as we load it's state. - -Fixes a case where Windows hangs after migration due to RTC interrupts -disappearing. - -Signed-off-by: Dr. David Alan Gilbert -Suggested-by: Paolo Bonzini -Signed-off-by: Paolo Bonzini ---- - hw/i386/kvm/apic.c | 26 ++++++++++++++++++++++++-- - include/sysemu/kvm.h | 1 - - target-i386/kvm.c | 17 ----------------- - 3 files changed, 24 insertions(+), 20 deletions(-) - -diff --git a/hw/i386/kvm/apic.c b/hw/i386/kvm/apic.c -index 2bd0de8..feb0002 100644 ---- a/hw/i386/kvm/apic.c -+++ b/hw/i386/kvm/apic.c -@@ -28,9 +28,8 @@ static inline uint32_t kvm_apic_get_reg(struct kvm_lapic_state *kapic, - return *((uint32_t *)(kapic->regs + (reg_id << 4))); - } - --void kvm_put_apic_state(DeviceState *dev, struct kvm_lapic_state *kapic) -+static void kvm_put_apic_state(APICCommonState *s, struct kvm_lapic_state *kapic) - { -- APICCommonState *s = APIC_COMMON(dev); - int i; - - memset(kapic, 0, sizeof(*kapic)); -@@ -125,6 +124,26 @@ static void kvm_apic_vapic_base_update(APICCommonState *s) - } - } - -+static void kvm_apic_put(void *data) -+{ -+ APICCommonState *s = data; -+ struct kvm_lapic_state kapic; -+ int ret; -+ -+ kvm_put_apic_state(s, &kapic); -+ -+ ret = kvm_vcpu_ioctl(CPU(s->cpu), KVM_SET_LAPIC, &kapic); -+ if (ret < 0) { -+ fprintf(stderr, "KVM_SET_LAPIC failed: %s\n", strerror(ret)); -+ abort(); -+ } -+} -+ -+static void kvm_apic_post_load(APICCommonState *s) -+{ -+ run_on_cpu(CPU(s->cpu), kvm_apic_put, s); -+} -+ - static void do_inject_external_nmi(void *data) - { - APICCommonState *s = data; -@@ 
-178,6 +197,8 @@ static void kvm_apic_reset(APICCommonState *s) - { - /* Not used by KVM, which uses the CPU mp_state instead. */ - s->wait_for_sipi = 0; -+ -+ run_on_cpu(CPU(s->cpu), kvm_apic_put, s); - } - - static void kvm_apic_realize(DeviceState *dev, Error **errp) -@@ -206,6 +227,7 @@ static void kvm_apic_class_init(ObjectClass *klass, void *data) - k->set_base = kvm_apic_set_base; - k->set_tpr = kvm_apic_set_tpr; - k->get_tpr = kvm_apic_get_tpr; -+ k->post_load = kvm_apic_post_load; - k->enable_tpr_reporting = kvm_apic_enable_tpr_reporting; - k->vapic_base_update = kvm_apic_vapic_base_update; - k->external_nmi = kvm_apic_external_nmi; -diff --git a/include/sysemu/kvm.h b/include/sysemu/kvm.h -index c9c2436..ae5d81b 100644 ---- a/include/sysemu/kvm.h -+++ b/include/sysemu/kvm.h -@@ -372,7 +372,6 @@ int kvm_irqchip_send_msi(KVMState *s, MSIMessage msg); - - void kvm_irqchip_add_irq_route(KVMState *s, int gsi, int irqchip, int pin); - --void kvm_put_apic_state(DeviceState *d, struct kvm_lapic_state *kapic); - void kvm_get_apic_state(DeviceState *d, struct kvm_lapic_state *kapic); - - struct kvm_guest_debug; -diff --git a/target-i386/kvm.c b/target-i386/kvm.c -index d1a25c5..f1ad805 100644 ---- a/target-i386/kvm.c -+++ b/target-i386/kvm.c -@@ -2416,19 +2416,6 @@ static int kvm_get_apic(X86CPU *cpu) - return 0; - } - --static int kvm_put_apic(X86CPU *cpu) --{ -- DeviceState *apic = cpu->apic_state; -- struct kvm_lapic_state kapic; -- -- if (apic && kvm_irqchip_in_kernel()) { -- kvm_put_apic_state(apic, &kapic); -- -- return kvm_vcpu_ioctl(CPU(cpu), KVM_SET_LAPIC, &kapic); -- } -- return 0; --} -- - static int kvm_put_vcpu_events(X86CPU *cpu, int level) - { - CPUState *cs = CPU(cpu); -@@ -2670,10 +2657,6 @@ int kvm_arch_put_registers(CPUState *cpu, int level) - if (ret < 0) { - return ret; - } -- ret = kvm_put_apic(x86_cpu); -- if (ret < 0) { -- return ret; -- } - } - - ret = kvm_put_tscdeadline_msr(x86_cpu); --- -2.1.4 - 
diff --git a/debian/patches/pve/0001-fr-ca-keymap-corrections.patch b/debian/patches/pve/0001-fr-ca-keymap-corrections.patch index 3fe1bb1..dc72688 100644 --- a/debian/patches/pve/0001-fr-ca-keymap-corrections.patch +++ b/debian/patches/pve/0001-fr-ca-keymap-corrections.patch @@ -1,7 +1,7 @@ -From 109c1a773ac37b2dc3d9781ce203a804d3e77651 Mon Sep 17 00:00:00 2001 +From 45b6688a45611bb5818e1b6aa7313c91797aa003 Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller Date: Wed, 9 Dec 2015 14:15:49 +0100 -Subject: [PATCH 01/47] fr-ca keymap corrections +Subject: [PATCH 01/48] fr-ca keymap corrections --- pc-bios/keymaps/fr-ca | 9 +++++++++ diff --git a/debian/patches/pve/0002-Adjust-network-script-path-to-etc-kvm.patch b/debian/patches/pve/0002-Adjust-network-script-path-to-etc-kvm.patch index 4272294..b9e79c3 100644 --- a/debian/patches/pve/0002-Adjust-network-script-path-to-etc-kvm.patch +++ b/debian/patches/pve/0002-Adjust-network-script-path-to-etc-kvm.patch @@ -1,17 +1,17 @@ -From 1dfa1a8df7b065e15639d078c0f137f2dec7c3fa Mon Sep 17 00:00:00 2001 +From 392fb50a1c43b47acffb1073a458703da93dfdd8 Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller Date: Wed, 9 Dec 2015 14:16:49 +0100 -Subject: [PATCH 02/47] Adjust network script path to /etc/kvm/ +Subject: [PATCH 02/48] Adjust network script path to /etc/kvm/ --- include/net/net.h | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/include/net/net.h b/include/net/net.h -index e8d9e9e..375e81d 100644 +index 99b28d5..40c39f0 100644 --- a/include/net/net.h +++ b/include/net/net.h -@@ -216,8 +216,9 @@ void qmp_netdev_add(QDict *qdict, QObject **ret, Error **errp); +@@ -214,8 +214,9 @@ void qmp_netdev_add(QDict *qdict, QObject **ret, Error **errp); int net_hub_id_for_client(NetClientState *nc, int *id); NetClientState *net_hub_port_find(int hub_id); diff --git a/debian/patches/pve/0003-vnc-altgr-emulation.patch b/debian/patches/pve/0003-vnc-altgr-emulation.patch index 272e74f..d43ad39 100644 
--- a/debian/patches/pve/0003-vnc-altgr-emulation.patch +++ b/debian/patches/pve/0003-vnc-altgr-emulation.patch @@ -1,17 +1,17 @@ -From cf2ef62fc7d4ff7e64eed5a01e499c91b62121b9 Mon Sep 17 00:00:00 2001 +From f3e33fe70da6f9361bd940d2b029d293a71408ca Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller Date: Wed, 9 Dec 2015 14:17:38 +0100 -Subject: [PATCH 03/47] vnc: altgr emulation +Subject: [PATCH 03/48] vnc: altgr emulation --- ui/vnc.c | 26 +++++++++++++++++++++++++- 1 file changed, 25 insertions(+), 1 deletion(-) diff --git a/ui/vnc.c b/ui/vnc.c -index 76a3273..b9f36b5 100644 +index 821acdd..29575f8 100644 --- a/ui/vnc.c +++ b/ui/vnc.c -@@ -1733,6 +1733,10 @@ static void kbd_leds(void *opaque, int ledstate) +@@ -1625,6 +1625,10 @@ static void kbd_leds(void *opaque, int ledstate) static void do_key_event(VncState *vs, int down, int keycode, int sym) { @@ -22,7 +22,7 @@ index 76a3273..b9f36b5 100644 /* QEMU console switch */ switch(keycode) { case 0x2a: /* Left Shift */ -@@ -1813,8 +1817,27 @@ static void do_key_event(VncState *vs, int down, int keycode, int sym) +@@ -1705,8 +1709,27 @@ static void do_key_event(VncState *vs, int down, int keycode, int sym) } if (qemu_console_is_graphic(NULL)) { @@ -50,7 +50,7 @@ index 76a3273..b9f36b5 100644 } else { bool numlock = vs->modifiers_state[0x45]; bool control = (vs->modifiers_state[0x1d] || -@@ -1954,7 +1977,8 @@ static void key_event(VncState *vs, int down, uint32_t sym) +@@ -1846,7 +1869,8 @@ static void key_event(VncState *vs, int down, uint32_t sym) lsym = lsym - 'A' + 'a'; } diff --git a/debian/patches/pve/0004-qemu-img-return-success-on-info-without-snapshots.patch b/debian/patches/pve/0004-qemu-img-return-success-on-info-without-snapshots.patch index b56797f..77e2dce 100644 --- a/debian/patches/pve/0004-qemu-img-return-success-on-info-without-snapshots.patch +++ b/debian/patches/pve/0004-qemu-img-return-success-on-info-without-snapshots.patch 
@@ -1,17 +1,17 @@ -From baf469b28e3f1bfd5b03e449ffcd8f41c80a5387 Mon Sep 17 00:00:00 2001 +From adea2808e62d32a9b22bbe3d16c84c92289983a8 Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller Date: Wed, 9 Dec 2015 14:18:46 +0100 -Subject: [PATCH 04/47] qemu-img: return success on info without snapshots +Subject: [PATCH 04/48] qemu-img: return success on info without snapshots --- qemu-img.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/qemu-img.c b/qemu-img.c -index f204d041..99be68f 100644 +index b220cf7..4f7f458 100644 --- a/qemu-img.c +++ b/qemu-img.c -@@ -2389,7 +2389,8 @@ static int img_info(int argc, char **argv) +@@ -2596,7 +2596,8 @@ static int img_info(int argc, char **argv) list = collect_image_info_list(image_opts, filename, fmt, chain); if (!list) { diff --git a/debian/patches/pve/0005-use-kvm-by-default.patch b/debian/patches/pve/0005-use-kvm-by-default.patch index ff48982..0508587 100644 --- a/debian/patches/pve/0005-use-kvm-by-default.patch +++ b/debian/patches/pve/0005-use-kvm-by-default.patch @@ -1,17 +1,17 @@ -From c5405c552945f19b36ecc748a2a0e0ec14dff31e Mon Sep 17 00:00:00 2001 +From bd3aa97864804b5b37421f199b9fe64e3b16b52c Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller Date: Wed, 9 Dec 2015 14:27:05 +0100 -Subject: [PATCH 05/47] use kvm by default +Subject: [PATCH 05/48] use kvm by default --- accel.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/accel.c b/accel.c -index 403eb5e..dd2ebea 100644 +index 664bb88..ddb23a3 100644 --- a/accel.c +++ b/accel.c -@@ -88,8 +88,8 @@ void configure_accelerator(MachineState *ms) +@@ -87,8 +87,8 @@ void configure_accelerator(MachineState *ms) p = qemu_opt_get(qemu_get_machine_opts(), "accel"); if (p == NULL) { diff --git a/debian/patches/pve/0006-virtio-balloon-fix-query.patch b/debian/patches/pve/0006-virtio-balloon-fix-query.patch index 4d0f546..8a430b4 100644 --- a/debian/patches/pve/0006-virtio-balloon-fix-query.patch 
+++ b/debian/patches/pve/0006-virtio-balloon-fix-query.patch @@ -1,7 +1,7 @@ -From 132444451193736847c68d91f74c09cb76a16e6a Mon Sep 17 00:00:00 2001 +From 5921bc0360f6964a5bb5355c2707c806425f4734 Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller Date: Wed, 9 Dec 2015 14:27:49 +0100 -Subject: [PATCH 06/47] virtio-balloon: fix query +Subject: [PATCH 06/48] virtio-balloon: fix query Actually provide memory information via the query-balloon command. @@ -9,14 +9,13 @@ command. hmp.c | 30 +++++++++++++++++++++++++++++- hw/virtio/virtio-balloon.c | 33 +++++++++++++++++++++++++++++++-- qapi-schema.json | 23 +++++++++++++++++++++-- - qmp-commands.hx | 13 +++++++++++++ - 4 files changed, 94 insertions(+), 5 deletions(-) + 3 files changed, 81 insertions(+), 5 deletions(-) diff --git a/hmp.c b/hmp.c -index bb45f7f..3b0dd81 100644 +index edb8970..904542d 100644 --- a/hmp.c +++ b/hmp.c -@@ -704,7 +704,35 @@ void hmp_info_balloon(Monitor *mon, const QDict *qdict) +@@ -723,7 +723,35 @@ void hmp_info_balloon(Monitor *mon, const QDict *qdict) return; } @@ -54,10 +53,10 @@ index bb45f7f..3b0dd81 100644 qapi_free_BalloonInfo(info); } diff --git a/hw/virtio/virtio-balloon.c b/hw/virtio/virtio-balloon.c -index ad4189a..b3a17f4 100644 +index a705e0e..158e13e 100644 --- a/hw/virtio/virtio-balloon.c +++ b/hw/virtio/virtio-balloon.c -@@ -376,8 +376,37 @@ static uint64_t virtio_balloon_get_features(VirtIODevice *vdev, uint64_t f, +@@ -379,8 +379,37 @@ static uint64_t virtio_balloon_get_features(VirtIODevice *vdev, uint64_t f, static void virtio_balloon_stat(void *opaque, BalloonInfo *info) { VirtIOBalloon *dev = opaque; @@ -98,27 +97,27 @@ index ad4189a..b3a17f4 100644 static void virtio_balloon_to_target(void *opaque, ram_addr_t target) diff --git a/qapi-schema.json b/qapi-schema.json -index 5658723..4bf7222 100644 +index b921994..e7a8117 100644 --- a/qapi-schema.json 
+++ b/qapi-schema.json -@@ -1278,10 +1278,29 @@ +@@ -1900,10 +1900,29 @@ # # @actual: the number of bytes the balloon currently contains # -# Since: 0.14.0 -+# @last_update: #optional time when stats got updated from guest ++# @last_update: time when stats got updated from guest +# -+# @mem_swapped_in: #optional number of pages swapped in within the guest ++# @mem_swapped_in: number of pages swapped in within the guest +# -+# @mem_swapped_out: #optional number of pages swapped out within the guest ++# @mem_swapped_out: number of pages swapped out within the guest +# -+# @major_page_faults: #optional number of major page faults within the guest ++# @major_page_faults: number of major page faults within the guest # -+# @minor_page_faults: #optional number of minor page faults within the guest ++# @minor_page_faults: number of minor page faults within the guest +# -+# @free_mem: #optional amount of memory (in bytes) free in the guest ++# @free_mem: amount of memory (in bytes) free in the guest +# -+# @total_mem: #optional amount of memory (in bytes) visible to the guest ++# @total_mem: amount of memory (in bytes) visible to the guest +# +# @max_mem: amount of memory (in bytes) assigned to the guest +# 
@@ -133,37 +132,6 @@ index 5658723..4bf7222 100644 ## # @query-balloon: -diff --git a/qmp-commands.hx b/qmp-commands.hx -index 6866264..6de28d4 100644 ---- a/qmp-commands.hx -+++ b/qmp-commands.hx -@@ -3854,6 +3854,13 @@ Make an asynchronous request for balloon info. When the request completes a - json-object will be returned containing the following data: - - - "actual": current balloon value in bytes (json-int) -+- "mem_swapped_in": Amount of memory swapped in bytes (json-int, optional) -+- "mem_swapped_out": Amount of memory swapped out in bytes (json-int, optional) -+- "major_page_faults": Number of major faults (json-int, optional) -+- "minor_page_faults": Number of minor faults (json-int, optional) -+- "free_mem": Total amount of free and unused memory in -+ bytes (json-int, optional) -+- "total_mem": Total amount of available memory in bytes (json-int, optional) - - Example: - -@@ -3861,6 +3868,12 @@ Example: - <- { - "return":{ - "actual":1073741824, -+ "mem_swapped_in":0, -+ "mem_swapped_out":0, -+ "major_page_faults":142, -+ "minor_page_faults":239245, -+ "free_mem":1014185984, -+ "total_mem":1044668416 - } - } - -- 2.1.4 diff --git a/debian/patches/pve/0007-set-the-CPU-model-to-kvm64-32-instead-of-qemu64-32.patch b/debian/patches/pve/0007-set-the-CPU-model-to-kvm64-32-instead-of-qemu64-32.patch index f5d31bf..8bc87ce 100644 --- a/debian/patches/pve/0007-set-the-CPU-model-to-kvm64-32-instead-of-qemu64-32.patch +++ b/debian/patches/pve/0007-set-the-CPU-model-to-kvm64-32-instead-of-qemu64-32.patch @@ -1,17 +1,17 @@ -From 118ca6343a48aaab7d1a8f252fb36008c823e551 Mon Sep 17 00:00:00 2001 +From bc04d6e5e09d517a9c8833fd407a655be3cf21fe Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller Date: Wed, 9 Dec 2015 14:30:21 +0100 -Subject: [PATCH 07/47] set the CPU model to kvm64/32 instead of qemu64/32 +Subject: [PATCH 07/48] set the CPU model to kvm64/32 instead of qemu64/32 --- hw/i386/pc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/hw/i386/pc.c b/hw/i386/pc.c -index 022dd1b..ba8a5a1 100644 +index d24388e..81e91a4 100644 --- a/hw/i386/pc.c +++ b/hw/i386/pc.c -@@ -1160,9 +1160,9 @@ void pc_cpus_init(PCMachineState *pcms) +@@ -1151,9 +1151,9 @@ void pc_cpus_init(PCMachineState *pcms) /* init CPUs */ if (machine->cpu_model == NULL) { #ifdef TARGET_X86_64 diff --git a/debian/patches/pve/0008-qapi-modify-query-machines.patch b/debian/patches/pve/0008-qapi-modify-query-machines.patch index d8cd15c..f244794 100644 --- a/debian/patches/pve/0008-qapi-modify-query-machines.patch +++ b/debian/patches/pve/0008-qapi-modify-query-machines.patch @@ -1,7 +1,7 @@ -From dc5b92fbb2d405fd86228409b1f25c0bb2d6d973 Mon Sep 17 00:00:00 2001 +From e453e9a98f7f0c2a213fe5bee04ece37ce10e625 Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller Date: Wed, 9 Dec 2015 14:31:18 +0100 -Subject: [PATCH 08/47] qapi: modify query machines +Subject: [PATCH 08/48] qapi: modify query machines provide '*is-current' in MachineInfo struct --- @@ -10,19 +10,19 @@ provide '*is-current' in MachineInfo struct 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/qapi-schema.json b/qapi-schema.json -index 4bf7222..63507f5 100644 +index e7a8117..2c40928 100644 --- a/qapi-schema.json +++ b/qapi-schema.json -@@ -3027,6 +3027,8 @@ +@@ -4245,6 +4245,8 @@ # - # @default: #optional whether the machine is default + # @is-default: whether the machine is default # -+# @current: #optional whether this machine is currently used ++# @is-current: whether this machine is currently used +# # @cpu-max: maximum number of CPUs supported by the machine type # (since 1.5.0) # -@@ -3036,7 +3038,7 @@ +@@ -4254,7 +4256,7 @@ ## { 'struct': 'MachineInfo', 'data': { 'name': 'str', '*alias': 'str', @@ -32,12 +32,12 @@ index 4bf7222..63507f5 100644 ## diff --git a/vl.c b/vl.c -index 6a218ce..b226e0b 100644 +index 0b4ed52..868c489 100644 --- a/vl.c 
+++ b/vl.c -@@ -1509,6 +1509,11 @@ MachineInfoList *qmp_query_machines(Error **errp) +@@ -1518,6 +1518,11 @@ MachineInfoList *qmp_query_machines(Error **errp) info->cpu_max = !mc->max_cpus ? 1 : mc->max_cpus; - info->hotpluggable_cpus = !!mc->query_hotpluggable_cpus; + info->hotpluggable_cpus = mc->has_hotpluggable_cpus; + if (strcmp(mc->name, MACHINE_GET_CLASS(current_machine)->name) == 0) { + info->has_is_current = true; diff --git a/debian/patches/pve/0009-qapi-modify-spice-query.patch b/debian/patches/pve/0009-qapi-modify-spice-query.patch index 673fc7e..50e3306 100644 --- a/debian/patches/pve/0009-qapi-modify-spice-query.patch +++ b/debian/patches/pve/0009-qapi-modify-spice-query.patch @@ -1,7 +1,7 @@ -From c09467afaf37989942076b45f6ffa7bb8ebde2ca Mon Sep 17 00:00:00 2001 +From c51f39a5741210b7df2ac212a8ced14ef950d415 Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller Date: Wed, 9 Dec 2015 14:32:11 +0100 -Subject: [PATCH 09/47] qapi: modify spice query +Subject: [PATCH 09/48] qapi: modify spice query Provide the last ticket in the SpiceInfo struct optionally. --- @@ -10,14 +10,14 @@ Provide the last ticket in the SpiceInfo struct optionally. 2 files changed, 8 insertions(+) diff --git a/qapi-schema.json b/qapi-schema.json -index 63507f5..518c2ea 100644 +index 2c40928..ca534cc 100644 --- a/qapi-schema.json +++ b/qapi-schema.json -@@ -1253,11 +1253,14 @@ +@@ -1841,11 +1841,14 @@ # # @channels: a list of @SpiceChannel for each active spice channel # -+# @ticket: #optional The last ticket set with set_password ++# @ticket: The last ticket set with set_password +# # Since: 0.14.0 ## @@ -29,10 +29,10 @@ index 63507f5..518c2ea 100644 ## diff --git a/ui/spice-core.c b/ui/spice-core.c -index da05054..acf5a73 100644 +index 804abc5..4a41731 100644 --- a/ui/spice-core.c 
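Review bot: The `@ticket` description in hunk `@@ -10,14 +10,14 @@` of 0009-qapi-modify-spice-query.patch reads only "The last ticket set with set_password" and does not say that the field is a credential. Since `qmp_query_spice` returns it in `SpiceInfo`, any client that can issue `query-spice` can presumably read the current SPICE ticket, so access to the QMP socket becomes equivalent to knowing the password. I would extend the schema comment to something like `# @ticket: The last ticket set with set_password (sensitive; returned as set)` and state in the patch description which consumer needs it. The refresh also drops the `#optional` marker while the description still says "optionally"; it is worth confirming the member is still declared optional in the struct.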
+++ b/ui/spice-core.c -@@ -543,6 +543,11 @@ SpiceInfo *qmp_query_spice(Error **errp) +@@ -552,6 +552,11 @@ SpiceInfo *qmp_query_spice(Error **errp) micro = SPICE_SERVER_VERSION & 0xff; info->compiled_version = g_strdup_printf("%d.%d.%d", major, minor, micro); diff --git a/debian/patches/pve/0010-ui-spice-default-to-pve-certs-unless-otherwise-speci.patch b/debian/patches/pve/0010-ui-spice-default-to-pve-certs-unless-otherwise-speci.patch index cf9ba57..1be891a 100644 --- a/debian/patches/pve/0010-ui-spice-default-to-pve-certs-unless-otherwise-speci.patch +++ b/debian/patches/pve/0010-ui-spice-default-to-pve-certs-unless-otherwise-speci.patch @@ -1,7 +1,7 @@ -From 78cc6a38bfa2c986ff75a322d750a548bf2291b9 Mon Sep 17 00:00:00 2001 +From 1434b9fad738e852f789cd8b951f2f4e1e08d3e5 Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller Date: Wed, 9 Dec 2015 14:33:34 +0100 -Subject: [PATCH 10/47] ui/spice: default to pve certs unless otherwise +Subject: [PATCH 10/48] ui/spice: default to pve certs unless otherwise specified --- @@ -9,10 +9,10 @@ Subject: [PATCH 10/47] ui/spice: default to pve certs unless otherwise 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/ui/spice-core.c b/ui/spice-core.c -index acf5a73..4f1cf45 100644 +index 4a41731..af1dc8c 100644 --- a/ui/spice-core.c +++ b/ui/spice-core.c -@@ -676,32 +676,35 @@ void qemu_spice_init(void) +@@ -685,32 +685,35 @@ void qemu_spice_init(void) if (tls_port) { x509_dir = qemu_opt_get(opts, "x509-dir"); diff --git a/debian/patches/pve/0011-introduce-new-vma-archive-format.patch b/debian/patches/pve/0011-introduce-new-vma-archive-format.patch index 963c37d..124889b 100644 --- a/debian/patches/pve/0011-introduce-new-vma-archive-format.patch +++ b/debian/patches/pve/0011-introduce-new-vma-archive-format.patch @@ -1,7 +1,7 @@ -From 183d526538782e8c3644db303846cf0a70595009 Mon Sep 17 00:00:00 2001 +From c1338b34ccac2c5e6d7d1aca3ca3e3457a3f744c Mon Sep 17 00:00:00 2001 
From: Dietmar Maurer Date: Tue, 13 Nov 2012 11:11:38 +0100 -Subject: [PATCH 11/47] introduce new vma archive format +Subject: [PATCH 11/48] introduce new vma archive format This is a very simple archive format, see docs/specs/vma_spec.txt @@ -11,19 +11,19 @@ Signed-off-by: Dietmar Maurer Makefile.objs | 1 + vma-reader.c | 797 +++++++++++++++++++++++++++++++++++++++++++++++++++++ vma-writer.c | 870 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ - vma.c | 585 +++++++++++++++++++++++++++++++++++++++ + vma.c | 586 +++++++++++++++++++++++++++++++++++++++ vma.h | 146 ++++++++++ - 6 files changed, 2401 insertions(+), 1 deletion(-) + 6 files changed, 2402 insertions(+), 1 deletion(-) create mode 100644 vma-reader.c create mode 100644 vma-writer.c create mode 100644 vma.c create mode 100644 vma.h diff --git a/Makefile b/Makefile -index 50b4b3a..d92d905 100644 +index 6c359b2..edbc8b5 100644 --- a/Makefile +++ b/Makefile -@@ -165,7 +165,7 @@ ifneq ($(wildcard config-host.mak),) +@@ -284,7 +284,7 @@ ifneq ($(wildcard config-host.mak),) include $(SRC_PATH)/tests/Makefile.include endif 
@@ -32,22 +32,22 @@ index 50b4b3a..d92d905 100644 qemu-version.h: FORCE $(call quiet-command, \ -@@ -256,6 +256,7 @@ qemu-img.o: qemu-img-cmds.h - qemu-img$(EXESUF): qemu-img.o $(block-obj-y) $(crypto-obj-y) $(io-obj-y) $(qom-obj-y) libqemuutil.a libqemustub.a - qemu-nbd$(EXESUF): qemu-nbd.o $(block-obj-y) $(crypto-obj-y) $(io-obj-y) $(qom-obj-y) libqemuutil.a libqemustub.a - qemu-io$(EXESUF): qemu-io.o $(block-obj-y) $(crypto-obj-y) $(io-obj-y) $(qom-obj-y) libqemuutil.a libqemustub.a -+vma$(EXESUF): vma.o vma-reader.o $(block-obj-y) $(crypto-obj-y) $(io-obj-y) $(qom-obj-y) libqemuutil.a libqemustub.a +@@ -377,6 +377,7 @@ qemu-img.o: qemu-img-cmds.h + qemu-img$(EXESUF): qemu-img.o $(block-obj-y) $(crypto-obj-y) $(io-obj-y) $(qom-obj-y) $(COMMON_LDADDS) + qemu-nbd$(EXESUF): qemu-nbd.o $(block-obj-y) $(crypto-obj-y) $(io-obj-y) $(qom-obj-y) $(COMMON_LDADDS) + qemu-io$(EXESUF): qemu-io.o $(block-obj-y) $(crypto-obj-y) $(io-obj-y) $(qom-obj-y) $(COMMON_LDADDS) ++vma$(EXESUF): vma.o vma-reader.o $(block-obj-y) $(crypto-obj-y) $(io-obj-y) $(qom-obj-y) $(COMMON_LDADDS) - qemu-bridge-helper$(EXESUF): qemu-bridge-helper.o libqemuutil.a libqemustub.a + qemu-bridge-helper$(EXESUF): qemu-bridge-helper.o $(COMMON_LDADDS) diff --git a/Makefile.objs b/Makefile.objs -index 6d5ddcf..845edd0 100644 +index 6167e7b..9b12ee6 100644 --- a/Makefile.objs +++ b/Makefile.objs -@@ -15,6 +15,7 @@ block-obj-$(CONFIG_POSIX) += aio-posix.o - block-obj-$(CONFIG_WIN32) += aio-win32.o +@@ -14,6 +14,7 @@ block-obj-y += block.o blockjob.o block-obj-y += block/ block-obj-y += qemu-io-cmds.o + block-obj-$(CONFIG_REPLICATION) += replication.o +block-obj-y += vma-writer.o block-obj-m = block/ @@ -1733,10 +1733,10 @@ index 0000000..b0cf529 +} diff --git a/vma.c b/vma.c new file mode 100644 -index 0000000..8014090 +index 0000000..8732bfa --- /dev/null +++ b/vma.c -@@ -0,0 +1,585 @@ +@@ -0,0 +1,586 @@ +/* + * VMA: Virtual Machine Archive + * 
@@ -1757,6 +1757,7 @@ index 0000000..8014090 +#include "qemu-common.h" +#include "qemu/error-report.h" +#include "qemu/main-loop.h" ++#include "qapi/qmp/qstring.h" +#include "sysemu/char.h" /* qstring_from_str */ + +static void help(void) diff --git a/debian/patches/pve/0012-vma-add-verify-command.patch b/debian/patches/pve/0012-vma-add-verify-command.patch index fa90ef4..46234ea 100644 --- a/debian/patches/pve/0012-vma-add-verify-command.patch +++ b/debian/patches/pve/0012-vma-add-verify-command.patch @@ -1,7 +1,7 @@ -From 144e613eeca6a3383b981f9ca8b82c4a354b36c2 Mon Sep 17 00:00:00 2001 +From f6a9d9269a4f07eb7b2161884dde52a65f58c9f6 Mon Sep 17 00:00:00 2001 From: Dietmar Maurer Date: Mon, 11 Mar 2013 07:07:46 +0100 -Subject: [PATCH 12/47] vma: add verify command +Subject: [PATCH 12/48] vma: add verify command Users wants to verify the archive after backup. @@ -226,10 +226,10 @@ index 51dd8fe..2aafb26 100644 +} + diff --git a/vma.c b/vma.c -index 8014090..d55874a 100644 +index 8732bfa..ab7b766 100644 --- a/vma.c +++ b/vma.c -@@ -28,6 +28,7 @@ static void help(void) +@@ -29,6 +29,7 @@ static void help(void) "vma list \n" "vma create [-c config] pathname ...\n" "vma extract [-r ] \n" @@ -237,7 +237,7 @@ index 8014090..d55874a 100644 ; printf("%s", help_msg); -@@ -332,6 +333,58 @@ static int extract_content(int argc, char **argv) +@@ -333,6 +334,58 @@ static int extract_content(int argc, char **argv) return ret; } @@ -296,7 +296,7 @@ index 8014090..d55874a 100644 typedef struct BackupJob { BlockDriverState *bs; int64_t len; -@@ -578,6 +631,8 @@ int main(int argc, char **argv) +@@ -579,6 +632,8 @@ int main(int argc, char **argv) return create_archive(argc, argv); } else if (!strcmp(cmdname, "extract")) { return extract_content(argc, argv); diff --git a/debian/patches/pve/0013-vma-add-config-command-to-dump-the-config.patch b/debian/patches/pve/0013-vma-add-config-command-to-dump-the-config.patch index c16c8e5..06334f0 100644 
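Review bot: The comment on `#include "sysemu/char.h" /* qstring_from_str */` in vma.c is left stale by hunk `@@ -1757,6 +1757,7 @@`, which adds `#include "qapi/qmp/qstring.h"` directly above it; the new header is presumably where `qstring_from_str` is now declared. I would move the comment to the new line, `#include "qapi/qmp/qstring.h" /* qstring_from_str */`, and check whether `sysemu/char.h` is still needed at all. The include list continues outside the hunk.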
--- a/debian/patches/pve/0013-vma-add-config-command-to-dump-the-config.patch +++ b/debian/patches/pve/0013-vma-add-config-command-to-dump-the-config.patch @@ -1,17 +1,17 @@ -From 48896281bebc5c69760f4e47625e4db81e3a9004 Mon Sep 17 00:00:00 2001 +From cfc9d20b832a3db40b4e61fa6af0fbcda911ec2e Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller Date: Wed, 9 Dec 2015 14:46:49 +0100 -Subject: [PATCH 13/47] vma: add 'config' command to dump the config +Subject: [PATCH 13/48] vma: add 'config' command to dump the config --- vma.c | 64 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 64 insertions(+) diff --git a/vma.c b/vma.c -index d55874a..79bdd00 100644 +index ab7b766..8925407 100644 --- a/vma.c +++ b/vma.c -@@ -26,6 +26,7 @@ static void help(void) +@@ -27,6 +27,7 @@ static void help(void) "usage: vma command [command options]\n" "\n" "vma list \n" @@ -19,7 +19,7 @@ index d55874a..79bdd00 100644 "vma create [-c config] pathname ...\n" "vma extract [-r ] \n" "vma verify [-v]\n" -@@ -604,6 +605,67 @@ static int create_archive(int argc, char **argv) +@@ -605,6 +606,67 @@ static int create_archive(int argc, char **argv) return 0; } @@ -87,7 +87,7 @@ index d55874a..79bdd00 100644 int main(int argc, char **argv) { const char *cmdname; -@@ -633,6 +695,8 @@ int main(int argc, char **argv) +@@ -634,6 +696,8 @@ int main(int argc, char **argv) return extract_content(argc, argv); } else if (!strcmp(cmdname, "verify")) { return verify_content(argc, argv); diff --git a/debian/patches/pve/0014-backup-modify-job-api.patch b/debian/patches/pve/0014-backup-modify-job-api.patch index 4a4b671..4ec816b 100644 --- a/debian/patches/pve/0014-backup-modify-job-api.patch +++ b/debian/patches/pve/0014-backup-modify-job-api.patch @@ -1,22 +1,23 @@ -From 1078c0f6acc1bfba04b7d5cdfdeb02b161b5f7c4 Mon Sep 17 00:00:00 2001 +From c46139b295f9edffd43a12e7f029fce4f9b2ea46 Mon Sep 17 00:00:00 2001 
From: Wolfgang Bumiller Date: Wed, 9 Dec 2015 15:04:57 +0100 -Subject: [PATCH 14/47] backup: modify job api +Subject: [PATCH 14/48] backup: modify job api Introduces a BackupDump function callback and a pause_count for backup_start. For a dump-backup the target parameter can now be NULL so access to target needs to be guarded now. --- - block/backup.c | 82 +++++++++++++++++++++++++++++++---------------- - blockdev.c | 6 ++-- - include/block/block_int.h | 5 +++ - 3 files changed, 63 insertions(+), 30 deletions(-) + block/backup.c | 118 +++++++++++++++++++++++++++++----------------- + block/replication.c | 3 +- + blockdev.c | 4 +- + include/block/block_int.h | 5 ++ + 4 files changed, 83 insertions(+), 47 deletions(-) diff --git a/block/backup.c b/block/backup.c -index 2c05323..f3c0ba3 100644 +index a4fb288..fe4ce7f 100644 --- a/block/backup.c +++ b/block/backup.c -@@ -41,6 +41,7 @@ typedef struct BackupBlockJob { +@@ -36,6 +36,7 @@ typedef struct BackupBlockJob { BdrvDirtyBitmap *sync_bitmap; MirrorSyncMode sync_mode; RateLimit limit; @@ -24,7 +25,7 @@ index 2c05323..f3c0ba3 100644 BlockdevOnError on_source_error; BlockdevOnError on_target_error; CoRwlock flush_rwlock; -@@ -149,12 +150,23 @@ static int coroutine_fn backup_do_cow(BackupBlockJob *job, +@@ -145,13 +146,24 @@ static int coroutine_fn backup_do_cow(BackupBlockJob *job, goto out; } 
@@ -41,18 +42,29 @@ index 2c05323..f3c0ba3 100644 + } } else { - ret = blk_co_pwritev(job->target, start * job->cluster_size, -- bounce_qiov.size, &bounce_qiov, 0); +- bounce_qiov.size, &bounce_qiov, +- job->compress ? BDRV_REQ_WRITE_COMPRESSED : 0); + if (job->dump_cb) { + ret = job->dump_cb(job->common.opaque, job->target, start_sec, n, bounce_buffer); + } + if (job->target) { + ret = blk_co_pwritev(job->target, start * job->cluster_size, -+ bounce_qiov.size, &bounce_qiov, 0); ++ bounce_qiov.size, &bounce_qiov, ++ job->compress ? BDRV_REQ_WRITE_COMPRESSED : 0); + } } if (ret < 0) { trace_backup_do_cow_write_fail(job, start, ret); -@@ -268,9 +280,11 @@ static BlockErrorAction backup_error_action(BackupBlockJob *job, +@@ -246,6 +258,8 @@ static void backup_abort(BlockJob *job) + static void backup_clean(BlockJob *job) + { + BackupBlockJob *s = container_of(job, BackupBlockJob, common); ++ if (!s->target) ++ return; + assert(s->target); + blk_unref(s->target); + s->target = NULL; +@@ -330,9 +344,11 @@ static BlockErrorAction backup_error_action(BackupBlockJob *job, if (read) { return block_job_error_action(&job->common, job->on_source_error, true, error); @@ -65,7 +77,7 @@ index 2c05323..f3c0ba3 100644 } } -@@ -393,6 +407,7 @@ static void coroutine_fn backup_run(void *opaque) +@@ -453,6 +469,7 @@ static void coroutine_fn backup_run(void *opaque) job->done_bitmap = bitmap_new(end); 
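Review bot: In the `backup_do_cow` part of hunk `@@ -41,18 +42,29 @@` (0014-backup-modify-job-api.patch), the return value of `job->dump_cb(...)` is overwritten whenever `job->target` is also set, because the following `if (job->target)` block assigns `ret` again from `blk_co_pwritev`. If both are ever configured together, a failed dump could then be reported as a successful write; guarding the second block with `if (ret >= 0 && job->target) {` keeps the first error. The same hunk adds `if (!s->target) return;` to `backup_clean` immediately above `assert(s->target);`, which leaves the assert unable to fire and omits the braces used by the surrounding code; `if (!s->target) { return; }` with the assert removed would read more clearly. Both functions continue outside the lines shown in the hunk.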
@@ -73,28 +85,17 @@ index 2c05323..f3c0ba3 100644 job->before_write.notify = backup_before_write_notify; bdrv_add_before_write_notifier(bs, &job->before_write); -@@ -467,7 +482,9 @@ static void coroutine_fn backup_run(void *opaque) - qemu_co_rwlock_unlock(&job->flush_rwlock); - g_free(job->done_bitmap); - -- bdrv_op_unblock_all(blk_bs(target), job->common.blocker); -+ if (target) { -+ bdrv_op_unblock_all(blk_bs(target), job->common.blocker); -+ } - - data = g_malloc(sizeof(*data)); - data->ret = ret; -@@ -479,7 +496,9 @@ void backup_start(const char *job_id, BlockDriverState *bs, - MirrorSyncMode sync_mode, BdrvDirtyBitmap *sync_bitmap, +@@ -557,7 +574,9 @@ BlockJob *backup_job_create(const char *job_id, BlockDriverState *bs, BlockdevOnError on_source_error, BlockdevOnError on_target_error, + int creation_flags, + BackupDumpFunc *dump_cb, BlockCompletionFunc *cb, void *opaque, + int pause_count, BlockJobTxn *txn, Error **errp) { int64_t len; -@@ -488,7 +507,7 @@ void backup_start(const char *job_id, BlockDriverState *bs, +@@ -566,7 +585,7 @@ BlockJob *backup_job_create(const char *job_id, BlockDriverState *bs, int ret; assert(bs); 
@@ -103,47 +104,75 @@ index 2c05323..f3c0ba3 100644 if (bs == target) { error_setg(errp, "Source and target cannot be the same"); -@@ -501,7 +520,7 @@ void backup_start(const char *job_id, BlockDriverState *bs, - return; +@@ -579,13 +598,13 @@ BlockJob *backup_job_create(const char *job_id, BlockDriverState *bs, + return NULL; } - if (!bdrv_is_inserted(target)) { + if (target && !bdrv_is_inserted(target)) { error_setg(errp, "Device is not inserted: %s", bdrv_get_device_name(target)); - return; -@@ -511,7 +530,7 @@ void backup_start(const char *job_id, BlockDriverState *bs, - return; + return NULL; + } + +- if (compress && target->drv->bdrv_co_pwritev_compressed == NULL) { ++ if (target && compress && target->drv->bdrv_co_pwritev_compressed == NULL) { + error_setg(errp, "Compression is not supported for this drive %s", + bdrv_get_device_name(target)); + return NULL; +@@ -595,7 +614,7 @@ BlockJob *backup_job_create(const char *job_id, BlockDriverState *bs, + return NULL; } - if (bdrv_op_is_blocked(target, BLOCK_OP_TYPE_BACKUP_TARGET, errp)) { + if (target && bdrv_op_is_blocked(target, BLOCK_OP_TYPE_BACKUP_TARGET, errp)) { - return; + return NULL; } -@@ -547,34 +566,43 @@ void backup_start(const char *job_id, BlockDriverState *bs, +@@ -635,15 +654,18 @@ BlockJob *backup_job_create(const char *job_id, BlockDriverState *bs, goto error; } -- job->target = blk_new(); -- blk_insert_bs(job->target, target); +- /* The target must match the source in size, so no resize here either */ +- job->target = blk_new(BLK_PERM_WRITE, +- BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE | +- BLK_PERM_WRITE_UNCHANGED | BLK_PERM_GRAPH_MOD); +- ret = blk_insert_bs(job->target, target, errp); +- if (ret < 0) { +- goto error; + if (target) { -+ job->target = blk_new(); -+ blk_insert_bs(job->target, target); -+ } ++ /* The target must match the source in size, so no resize here either */ ++ job->target = blk_new(BLK_PERM_WRITE, ++ BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE | ++ 
BLK_PERM_WRITE_UNCHANGED | BLK_PERM_GRAPH_MOD); ++ ret = blk_insert_bs(job->target, target, errp); ++ if (ret < 0) { ++ goto error; ++ } + } + job->dump_cb = dump_cb; job->on_source_error = on_source_error; job->on_target_error = on_target_error; job->sync_mode = sync_mode; - job->sync_bitmap = sync_mode == MIRROR_SYNC_MODE_INCREMENTAL ? +@@ -651,36 +673,44 @@ BlockJob *backup_job_create(const char *job_id, BlockDriverState *bs, sync_bitmap : NULL; + job->compress = compress; - /* If there is no backing file on the target, we cannot rely on COW if our - * backup cluster size is smaller than the target cluster size. Even for - * targets with a backing file, try to avoid COW if possible. */ - ret = bdrv_get_info(target, &bdi); -- if (ret < 0 && !target->backing) { +- if (ret == -ENOTSUP && !target->backing) { +- /* Cluster size is not defined */ +- error_report("WARNING: The target block device doesn't provide " +- "information about the block size and it doesn't have a " +- "backing file. The default block size of %u bytes is " +- "used. If the actual block size of the target exceeds " +- "this default, the backup may be unusable", +- BACKUP_CLUSTER_SIZE_DEFAULT); +- job->cluster_size = BACKUP_CLUSTER_SIZE_DEFAULT; +- } else if (ret < 0 && !target->backing) { - error_setg_errno(errp, -ret, - "Couldn't determine the cluster size of the target image, " - "which has no backing file"); 
@@ -158,7 +187,16 @@ index 2c05323..f3c0ba3 100644 + * backup cluster size is smaller than the target cluster size. Even for + * targets with a backing file, try to avoid COW if possible. */ + ret = bdrv_get_info(target, &bdi); -+ if (ret < 0 && !target->backing) { ++ if (ret == -ENOTSUP && !target->backing) { ++ /* Cluster size is not defined */ ++ error_report("WARNING: The target block device doesn't provide " ++ "information about the block size and it doesn't have a " ++ "backing file. The default block size of %u bytes is " ++ "used. If the actual block size of the target exceeds " ++ "this default, the backup may be unusable", ++ BACKUP_CLUSTER_SIZE_DEFAULT); ++ job->cluster_size = BACKUP_CLUSTER_SIZE_DEFAULT; ++ } else if (ret < 0 && !target->backing) { + error_setg_errno(errp, -ret, + "Couldn't determine the cluster size of the target image, " + "which has no backing file"); 
@@ -169,46 +207,64 @@ index 2c05323..f3c0ba3 100644 + /* Not fatal; just trudge on ahead. */ + job->cluster_size = BACKUP_CLUSTER_SIZE_DEFAULT; + } else { -+ job->cluster_size = MAX(BACKUP_CLUSTER_SIZE_DEFAULT, bdi.cluster_size); ++ job->cluster_size = BACKUP_CLUSTER_SIZE_DEFAULT; + } -+ -+ bdrv_op_block_all(target, job->common.blocker); } else { - job->cluster_size = MAX(BACKUP_CLUSTER_SIZE_DEFAULT, bdi.cluster_size); + job->cluster_size = BACKUP_CLUSTER_SIZE_DEFAULT; } -- bdrv_op_block_all(target, job->common.blocker); -+ job->common.pause_count = pause_count; +- /* Required permissions are already taken with target's blk_new() */ +- block_job_add_bdrv(&job->common, "target", target, 0, BLK_PERM_ALL, +- &error_abort); ++ if (target) { ++ /* Required permissions are already taken with target's blk_new() */ ++ block_job_add_bdrv(&job->common, "target", target, 0, BLK_PERM_ALL, ++ &error_abort); ++ } else { ++ job->common.pause_count = pause_count; ++ } job->common.len = len; - job->common.co = qemu_coroutine_create(backup_run, job); block_job_txn_add_job(txn, &job->common); + +diff --git a/block/replication.c b/block/replication.c +index bf3c395..60c6524 100644 +--- a/block/replication.c ++++ b/block/replication.c +@@ -531,7 +531,8 @@ static void replication_start(ReplicationState *rs, ReplicationMode mode, + 0, MIRROR_SYNC_MODE_NONE, NULL, false, + BLOCKDEV_ON_ERROR_REPORT, + BLOCKDEV_ON_ERROR_REPORT, BLOCK_JOB_INTERNAL, +- backup_job_completed, bs, NULL, &local_err); ++ NULL, ++ backup_job_completed, bs, 0, NULL, &local_err); + if (local_err) { + error_propagate(errp, local_err); + backup_job_cleanup(bs); diff --git a/blockdev.c b/blockdev.c -index 2161400..5e3707d 100644 +index 040c152..bb3fc5b 100644 --- a/blockdev.c 
+++ b/blockdev.c -@@ -3277,8 +3277,8 @@ static void do_drive_backup(const char *job_id, const char *device, - } - - backup_start(job_id, bs, target_bs, speed, sync, bmap, -- on_source_error, on_target_error, -- block_job_cb, bs, txn, &local_err); -+ on_source_error, on_target_error, NULL, -+ block_job_cb, bs, 0, txn, &local_err); +@@ -3273,7 +3273,7 @@ static BlockJob *do_drive_backup(DriveBackup *backup, BlockJobTxn *txn, + job = backup_job_create(backup->job_id, bs, target_bs, backup->speed, + backup->sync, bmap, backup->compress, + backup->on_source_error, backup->on_target_error, +- BLOCK_JOB_DEFAULT, NULL, NULL, txn, &local_err); ++ BLOCK_JOB_DEFAULT, NULL, NULL, NULL, 0, txn, &local_err); bdrv_unref(target_bs); if (local_err != NULL) { error_propagate(errp, local_err); -@@ -3371,7 +3371,7 @@ void do_blockdev_backup(const char *job_id, const char *device, - } - } - backup_start(job_id, bs, target_bs, speed, sync, NULL, on_source_error, -- on_target_error, block_job_cb, bs, txn, &local_err); -+ on_target_error, NULL, block_job_cb, bs, 0, txn, &local_err); +@@ -3352,7 +3352,7 @@ BlockJob *do_blockdev_backup(BlockdevBackup *backup, BlockJobTxn *txn, + job = backup_job_create(backup->job_id, bs, target_bs, backup->speed, + backup->sync, NULL, backup->compress, + backup->on_source_error, backup->on_target_error, +- BLOCK_JOB_DEFAULT, NULL, NULL, txn, &local_err); ++ BLOCK_JOB_DEFAULT, NULL, NULL, NULL, 0, txn, &local_err); if (local_err != NULL) { error_propagate(errp, local_err); } diff --git a/include/block/block_int.h b/include/block/block_int.h -index 1e939de..db4650e 100644 +index 59400bd..ec65581 100644 --- a/include/block/block_int.h +++ b/include/block/block_int.h @@ -59,6 +59,9 @@ 
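Review bot: `job->common.pause_count = pause_count;` now sits only in the `else` of the new `if (target) { block_job_add_bdrv(...) }` block, so the `pause_count` argument of `backup_job_create` is silently dropped for every job that has a target. The 0016 patch in this same commit calls the function with `di->target` and a pause count of `1`, which would then have no effect whenever that target is set. If this is intended, a comment on the parameter should say so, for example `/* pause_count is only honoured for dump_cb-only jobs (target == NULL) */`; otherwise the assignment belongs after the if/else so it applies in both cases. The body of `backup_job_create` begins and ends outside this hunk, so this is based only on the lines shown.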
@@ -221,14 +277,14 @@ index 1e939de..db4650e 100644 enum BdrvTrackedRequestType { BDRV_TRACKED_READ, BDRV_TRACKED_WRITE, -@@ -767,7 +770,9 @@ void backup_start(const char *job_id, BlockDriverState *bs, - MirrorSyncMode sync_mode, BdrvDirtyBitmap *sync_bitmap, - BlockdevOnError on_source_error, - BlockdevOnError on_target_error, -+ BackupDumpFunc *dump_cb, - BlockCompletionFunc *cb, void *opaque, -+ int pause_count, - BlockJobTxn *txn, Error **errp); +@@ -877,7 +880,9 @@ BlockJob *backup_job_create(const char *job_id, BlockDriverState *bs, + BlockdevOnError on_source_error, + BlockdevOnError on_target_error, + int creation_flags, ++ BackupDumpFunc *dump_cb, + BlockCompletionFunc *cb, void *opaque, ++ int pause_count, + BlockJobTxn *txn, Error **errp); void hmp_drive_add_node(Monitor *mon, const char *optstr); -- diff --git a/debian/patches/pve/0015-backup-add-pve-monitor-commands.patch b/debian/patches/pve/0015-backup-add-pve-monitor-commands.patch index ed76b3b..7c00193 100644 --- a/debian/patches/pve/0015-backup-add-pve-monitor-commands.patch +++ b/debian/patches/pve/0015-backup-add-pve-monitor-commands.patch @@ -1,36 +1,68 @@ -From 798846b48b31d8231a3af5858285845d932d1d6b Mon Sep 17 00:00:00 2001 +From d48092bb9901112b3356aa8d461c45ffb4ec2b9a Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller Date: Wed, 9 Dec 2015 15:20:56 +0100 -Subject: [PATCH 15/47] backup: add pve monitor commands +Subject: [PATCH 15/48] backup: add pve monitor commands --- - blockdev.c | 439 ++++++++++++++++++++++++++++++++++++++++++++++ - blockjob.c | 3 +- + blockdev.c | 465 ++++++++++++++++++++++++++++++++++++++++++++++ + blockjob.c | 11 +- hmp-commands-info.hx | 13 ++ hmp-commands.hx | 29 +++ - hmp.c | 61 +++++++ + hmp.c | 61 ++++++ hmp.h | 3 + include/block/block_int.h | 2 +- - qapi-schema.json | 89 ++++++++++ - qmp-commands.hx | 18 ++ - 9 files changed, 655 insertions(+), 2 deletions(-) + qapi-schema.json | 90 +++++++++ + 8 files changed, 668 insertions(+), 6 deletions(-) 
diff --git a/blockdev.c b/blockdev.c -index 5e3707d..5417bb0 100644 +index bb3fc5b..3e5c9ce 100644 --- a/blockdev.c +++ b/blockdev.c -@@ -52,6 +52,7 @@ - #include "sysemu/arch_init.h" +@@ -35,6 +35,7 @@ + #include "sysemu/blockdev.h" + #include "hw/block/block.h" + #include "block/blockjob.h" ++#include "block/blockjob_int.h" + #include "block/throttle-groups.h" + #include "monitor/monitor.h" + #include "qemu/error-report.h" +@@ -53,6 +54,7 @@ #include "qemu/cutils.h" #include "qemu/help_option.h" + #include "qemu/throttle-options.h" +#include "vma.h" static QTAILQ_HEAD(, BlockDriverState) monitor_bdrv_states = QTAILQ_HEAD_INITIALIZER(monitor_bdrv_states); -@@ -2976,6 +2977,444 @@ static void block_job_cb(void *opaque, int ret) - } +@@ -2956,6 +2958,469 @@ out: + aio_context_release(aio_context); } ++void block_job_event_cancelled(BlockJob *job); ++void block_job_event_completed(BlockJob *job, const char *msg); ++static void block_job_cb(void *opaque, int ret) ++{ ++ /* Note that this function may be executed from another AioContext besides ++ * the QEMU main loop. If you need to access anything that assumes the ++ * QEMU global mutex, use a BH or introduce a mutex. ++ */ ++ ++ BlockDriverState *bs = opaque; ++ const char *msg = NULL; ++ ++ assert(bs->job); ++ ++ if (ret < 0) { ++ msg = strerror(-ret); ++ } ++ ++ if (block_job_is_cancelled(bs->job)) { ++ block_job_event_cancelled(bs->job); ++ } else { ++ block_job_event_completed(bs->job, msg); ++ } ++} ++ +/* PVE backup related function */ + +static struct PVEBackupState { 
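Review bot: The prototypes `void block_job_event_cancelled(BlockJob *job);` and `void block_job_event_completed(BlockJob *job, const char *msg);` are written out by hand in blockdev.c just above the re-added `block_job_cb`, while blockjob.c carries its own copy of the same two lines. With two independent declarations, a later signature change in blockjob.c still compiles in blockdev.c and only fails at run time. The hunk already adds `#include "block/blockjob_int.h"`, so declaring both functions once in that header and dropping the local copies would let the compiler check the two files against each other. `block_job_cb` also relies on `assert(bs->job);` for a pointer read in a completion callback; a short comment stating why the job cannot have been released by then would help the next reader.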
@@ -384,10 +416,10 @@ index 5e3707d..5417bb0 100644 + PVEBackupDevInfo *di = (PVEBackupDevInfo *)l->data; + l = g_list_next(l); + -+ backup_start(NULL, di->bs, NULL, speed, MIRROR_SYNC_MODE_FULL, NULL, -+ BLOCKDEV_ON_ERROR_REPORT, BLOCKDEV_ON_ERROR_REPORT, -+ pvebackup_dump_cb, pvebackup_complete_cb, di, -+ 1, NULL, &local_err); ++ backup_job_create(NULL, di->bs, NULL, speed, MIRROR_SYNC_MODE_FULL, NULL, ++ BLOCKDEV_ON_ERROR_REPORT, BLOCKDEV_ON_ERROR_REPORT, ++ pvebackup_dump_cb, pvebackup_complete_cb, di, ++ 1, NULL, &local_err); + if (local_err != NULL) { + error_setg(&backup_state.error, "backup_job_create failed"); + pvebackup_cancel(NULL); @@ -471,13 +503,24 @@ index 5e3707d..5417bb0 100644 + void qmp_block_stream(bool has_job_id, const char *job_id, const char *device, bool has_base, const char *base, - bool has_backing_file, const char *backing_file, + bool has_base_node, const char *base_node, diff --git a/blockjob.c b/blockjob.c -index a5ba3be..a550458 100644 +index 9b619f385..54bd34a 100644 --- a/blockjob.c +++ b/blockjob.c -@@ -331,7 +331,8 @@ void block_job_pause(BlockJob *job) - job->pause_count++; +@@ -37,8 +37,8 @@ + #include "qemu/timer.h" + #include "qapi-event.h" + +-static void block_job_event_cancelled(BlockJob *job); +-static void block_job_event_completed(BlockJob *job, const char *msg); ++void block_job_event_cancelled(BlockJob *job); ++void block_job_event_completed(BlockJob *job, const char *msg); + + /* Transactional group of block jobs */ + struct BlockJobTxn { +@@ -473,7 +473,8 @@ void block_job_user_pause(BlockJob *job) + block_job_pause(job); } -static bool block_job_should_pause(BlockJob *job) 
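Review bot: The renamed call `backup_job_create(NULL, di->bs, NULL, speed, MIRROR_SYNC_MODE_FULL, NULL, BLOCKDEV_ON_ERROR_REPORT, ...)` does not match the prototype shown in the block_int.h hunk of the previous patch, which expects a `compress` value after the bitmap argument and `int creation_flags` before `dump_cb`. The 0016 patch in this commit adds `false` and `BLOCK_JOB_DEFAULT`, stores the returned job and calls `block_job_start(job)`, so the series only builds and starts the job once both patches are applied. Folding those three changes into this patch would keep each step of the series buildable and bisectable. The enclosing function starts and ends outside the hunk.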
@@ -486,11 +529,29 @@ index a5ba3be..a550458 100644 { return job->pause_count > 0; } +@@ -687,7 +688,7 @@ static void block_job_iostatus_set_err(BlockJob *job, int error) + } + } + +-static void block_job_event_cancelled(BlockJob *job) ++void block_job_event_cancelled(BlockJob *job) + { + if (block_job_is_internal(job)) { + return; +@@ -701,7 +702,7 @@ static void block_job_event_cancelled(BlockJob *job) + &error_abort); + } + +-static void block_job_event_completed(BlockJob *job, const char *msg) ++void block_job_event_completed(BlockJob *job, const char *msg) + { + if (block_job_is_internal(job)) { + return; diff --git a/hmp-commands-info.hx b/hmp-commands-info.hx -index 74446c6..7616fe2 100644 +index a53f105..1a18380 100644 --- a/hmp-commands-info.hx +++ b/hmp-commands-info.hx -@@ -502,6 +502,19 @@ STEXI +@@ -487,6 +487,19 @@ STEXI Show CPU statistics. ETEXI @@ -499,7 +560,7 @@ index 74446c6..7616fe2 100644 + .args_type = "", + .params = "", + .help = "show backup status", -+ .mhandler.cmd = hmp_info_backup, ++ .cmd = hmp_info_backup, + }, + +STEXI @@ -511,7 +572,7 @@ index 74446c6..7616fe2 100644 { .name = "usernet", diff --git a/hmp-commands.hx b/hmp-commands.hx -index 848efee..8f2f3e0 100644 +index 8819281..aea39d0 100644 --- a/hmp-commands.hx +++ b/hmp-commands.hx @@ -87,6 +87,35 @@ STEXI @@ -523,7 +584,7 @@ index 848efee..8f2f3e0 100644 + .args_type = "backupfile:s,speed:o?,devlist:s?", + .params = "backupfile [speed [devlist]]", + .help = "create a VM Backup.", -+ .mhandler.cmd = hmp_backup, ++ .cmd = hmp_backup, + }, + +STEXI @@ -537,7 +598,7 @@ index 848efee..8f2f3e0 100644 + .args_type = "", + .params = "", + .help = "cancel the current VM backup", -+ .mhandler.cmd = hmp_backup_cancel, ++ .cmd = hmp_backup_cancel, + }, + +STEXI @@ -551,10 +612,10 @@ index 848efee..8f2f3e0 100644 .name = "block_job_set_speed", .args_type = "device:B,speed:o", diff --git a/hmp.c b/hmp.c -index 3b0dd81..95da164 100644 +index 904542d..c685ba5 100644 --- a/hmp.c 
+++ b/hmp.c -@@ -149,6 +149,44 @@ void hmp_info_mice(Monitor *mon, const QDict *qdict) +@@ -151,6 +151,44 @@ void hmp_info_mice(Monitor *mon, const QDict *qdict) qapi_free_MouseInfoList(mice_list); } @@ -599,7 +660,7 @@ index 3b0dd81..95da164 100644 void hmp_info_migrate(Monitor *mon, const QDict *qdict) { MigrationInfo *info; -@@ -1493,6 +1531,29 @@ void hmp_block_stream(Monitor *mon, const QDict *qdict) +@@ -1613,6 +1651,29 @@ void hmp_block_stream(Monitor *mon, const QDict *qdict) hmp_handle_error(mon, &error); } @@ -630,7 +691,7 @@ index 3b0dd81..95da164 100644 { Error *error = NULL; diff --git a/hmp.h b/hmp.h -index 0876ec0..9a4c1f6 100644 +index 799fd37..17a65b2 100644 --- a/hmp.h +++ b/hmp.h @@ -30,6 +30,7 @@ void hmp_info_migrate(Monitor *mon, const QDict *qdict); @@ -641,7 +702,7 @@ index 0876ec0..9a4c1f6 100644 void hmp_info_cpus(Monitor *mon, const QDict *qdict); void hmp_info_block(Monitor *mon, const QDict *qdict); void hmp_info_blockstats(Monitor *mon, const QDict *qdict); -@@ -76,6 +77,8 @@ void hmp_eject(Monitor *mon, const QDict *qdict); +@@ -79,6 +80,8 @@ void hmp_eject(Monitor *mon, const QDict *qdict); void hmp_change(Monitor *mon, const QDict *qdict); void hmp_block_set_io_throttle(Monitor *mon, const QDict *qdict); void hmp_block_stream(Monitor *mon, const QDict *qdict); @@ -651,7 +712,7 @@ index 0876ec0..9a4c1f6 100644 void hmp_block_job_cancel(Monitor *mon, const QDict *qdict); void hmp_block_job_pause(Monitor *mon, const QDict *qdict); diff --git a/include/block/block_int.h b/include/block/block_int.h -index db4650e..0f79b51 100644 +index ec65581..278da16 100644 --- a/include/block/block_int.h +++ b/include/block/block_int.h @@ -59,7 +59,7 @@ @@ -664,36 +725,36 @@ index db4650e..0f79b51 100644 enum BdrvTrackedRequestType { diff --git a/qapi-schema.json b/qapi-schema.json -index 518c2ea..89d9ea6 100644 +index ca534cc..059cbfc 100644 --- a/qapi-schema.json 
+++ b/qapi-schema.json -@@ -356,6 +356,95 @@ - ## +@@ -570,6 +570,96 @@ { 'command': 'query-events', 'returns': ['EventInfo'] } + ## +# @BackupStatus: +# +# Detailed backup status. +# -+# @status: #optional string describing the current backup status. ++# @status: string describing the current backup status. +# This can be 'active', 'done', 'error'. If this field is not +# returned, no backup process has been initiated +# -+# @errmsg: #optional error message (only returned if status is 'error') ++# @errmsg: error message (only returned if status is 'error') +# -+# @total: #optional total amount of bytes involved in the backup process ++# @total: total amount of bytes involved in the backup process +# -+# @transferred: #optional amount of bytes already backed up. ++# @transferred: amount of bytes already backed up. +# -+# @zero-bytes: #optional amount of 'zero' bytes detected. ++# @zero-bytes: amount of 'zero' bytes detected. +# -+# @start-time: #optional time (epoch) when backup job started. ++# @start-time: time (epoch) when backup job started. +# -+# @end-time: #optional time (epoch) when backup job finished. ++# @end-time: time (epoch) when backup job finished. +# -+# @backupfile: #optional backup file name ++# @backup-file: backup file name +# -+# @uuid: #optional uuid for this backup job ++# @uuid: uuid for this backup job +# +## +{ 'struct': 'BackupStatus', @@ -703,7 +764,7 @@ index 518c2ea..89d9ea6 100644 + '*backup-file': 'str', '*uuid': 'str' } } + +## -+# @BackupFormat ++# @BackupFormat: +# +# An enumeration of supported backup formats. +# 
@@ -721,12 +782,12 @@ index 518c2ea..89d9ea6 100644 +# +# @format: format of the backup file +# -+# @config-filename: #optional name of a configuration file to include into ++# @config-file: a configuration file to include into +# the backup archive. +# -+# @speed: #optional the maximum speed, in bytes per second ++# @speed: the maximum speed, in bytes per second +# -+# @devlist: #optional list of block device names (separated by ',', ';' ++# @devlist: list of block device names (separated by ',', ';' +# or ':'). By default the backup includes all writable block devices. +# +# Returns: the uuid of the backup job @@ -739,7 +800,7 @@ index 518c2ea..89d9ea6 100644 + 'returns': 'UuidInfo' } + +## -+# @query-backup ++# @query-backup: +# +# Returns information about current/last backup task. +# @@ -749,7 +810,7 @@ index 518c2ea..89d9ea6 100644 +{ 'command': 'query-backup', 'returns': 'BackupStatus' } + +## -+# @backup-cancel ++# @backup-cancel: +# +# Cancel the current executing backup process. +# @@ -760,38 +821,10 @@ index 518c2ea..89d9ea6 100644 +## +{ 'command': 'backup-cancel' } + - ## - # @MigrationStats ++## + # @MigrationStats: # -diff --git a/qmp-commands.hx b/qmp-commands.hx -index 6de28d4..a8e8522 100644 ---- a/qmp-commands.hx -+++ b/qmp-commands.hx -@@ -1314,6 +1314,24 @@ Example: - EQMP - - { -+ .name = "backup", -+ .args_type = "backup-file:s,format:s?,config-file:F?,speed:o?,devlist:s?", -+ .mhandler.cmd_new = qmp_marshal_backup, -+ }, -+ -+ { -+ .name = "backup-cancel", -+ .args_type = "", -+ .mhandler.cmd_new = qmp_marshal_backup_cancel, -+ }, -+ -+ { -+ .name = "query-backup", -+ .args_type = "", -+ .mhandler.cmd_new = qmp_marshal_query_backup, -+ }, -+ -+ { - .name = "block-job-set-speed", - .args_type = "device:B,speed:o", - .mhandler.cmd_new = qmp_marshal_block_job_set_speed, + # Detailed migration status. -- 2.1.4 
diff --git a/debian/patches/pve/0016-backup-vma-add-dir-format.patch b/debian/patches/pve/0016-backup-vma-add-dir-format.patch index 3a53dd3..3d36d5f 100644 --- a/debian/patches/pve/0016-backup-vma-add-dir-format.patch +++ b/debian/patches/pve/0016-backup-vma-add-dir-format.patch @@ -1,21 +1,21 @@ -From 210be0fc498989e7b029de90b9d2599fdcc343d3 Mon Sep 17 00:00:00 2001 +From 99a526d92531d64ff0c31a83d0d55f38651a32a5 Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller Date: Wed, 9 Dec 2015 15:21:54 +0100 -Subject: [PATCH 16/47] backup: vma: add dir format +Subject: [PATCH 16/48] backup: vma: add dir format --- - blockdev.c | 124 +++++++++++++++++++++++++++++++++++++++++-------------- + blockdev.c | 137 ++++++++++++++++++++++++++++++++++++++++--------------- hmp-commands.hx | 8 ++-- hmp.c | 4 +- qapi-schema.json | 2 +- vma.c | 2 +- - 5 files changed, 103 insertions(+), 37 deletions(-) + 5 files changed, 111 insertions(+), 42 deletions(-) diff --git a/blockdev.c b/blockdev.c -index 5417bb0..d8b1db8 100644 +index 3e5c9ce..af1b9d4 100644 --- a/blockdev.c +++ b/blockdev.c -@@ -3001,6 +3001,8 @@ typedef struct PVEBackupDevInfo { +@@ -3007,6 +3007,8 @@ typedef struct PVEBackupDevInfo { uint8_t dev_id; //bool started; bool completed; @@ -24,7 +24,7 @@ index 5417bb0..d8b1db8 100644 } PVEBackupDevInfo; static void pvebackup_run_next_job(void); -@@ -3069,8 +3071,6 @@ static void pvebackup_complete_cb(void *opaque, int ret) +@@ -3075,8 +3077,6 @@ static void pvebackup_complete_cb(void *opaque, int ret) { PVEBackupDevInfo *di = opaque; @@ -33,7 +33,7 @@ index 5417bb0..d8b1db8 100644 di->completed = true; if (ret < 0 && !backup_state.error) { -@@ -3081,8 +3081,11 @@ static void pvebackup_complete_cb(void *opaque, int ret) +@@ -3087,8 +3087,11 @@ static void pvebackup_complete_cb(void *opaque, int ret) BlockDriverState *bs = di->bs; di->bs = NULL; 
@@ -46,7 +46,7 @@ index 5417bb0..d8b1db8 100644 block_job_cb(bs, ret); -@@ -3162,6 +3165,7 @@ UuidInfo *qmp_backup(const char *backup_file, bool has_format, +@@ -3168,6 +3171,7 @@ UuidInfo *qmp_backup(const char *backup_file, bool has_format, { BlockBackend *blk; BlockDriverState *bs = NULL; @@ -54,7 +54,15 @@ index 5417bb0..d8b1db8 100644 Error *local_err = NULL; uuid_t uuid; VmaWriter *vmaw = NULL; -@@ -3179,11 +3183,6 @@ UuidInfo *qmp_backup(const char *backup_file, bool has_format, +@@ -3175,6 +3179,7 @@ UuidInfo *qmp_backup(const char *backup_file, bool has_format, + GList *di_list = NULL; + GList *l; + UuidInfo *uuid_info; ++ BlockJob *job; + + if (backup_state.di_list) { + error_set(errp, ERROR_CLASS_GENERIC_ERROR, +@@ -3185,11 +3190,6 @@ UuidInfo *qmp_backup(const char *backup_file, bool has_format, /* Todo: try to auto-detect format based on file name */ format = has_format ? format : BACKUP_FORMAT_VMA; @@ -66,7 +74,7 @@ index 5417bb0..d8b1db8 100644 if (has_devlist) { devs = g_strsplit_set(devlist, ",;:", -1); -@@ -3252,27 +3251,62 @@ UuidInfo *qmp_backup(const char *backup_file, bool has_format, +@@ -3258,27 +3258,62 @@ UuidInfo *qmp_backup(const char *backup_file, bool has_format, uuid_generate(uuid); @@ -145,7 +153,7 @@ index 5417bb0..d8b1db8 100644 } /* add configuration file to archive */ -@@ -3285,12 +3319,27 @@ UuidInfo *qmp_backup(const char *backup_file, bool has_format, +@@ -3291,12 +3326,27 @@ UuidInfo *qmp_backup(const char *backup_file, bool has_format, goto err; } 
@@ -178,16 +186,37 @@ index 5417bb0..d8b1db8 100644 g_free(cdata); } -@@ -3330,7 +3379,7 @@ UuidInfo *qmp_backup(const char *backup_file, bool has_format, +@@ -3335,15 +3385,16 @@ UuidInfo *qmp_backup(const char *backup_file, bool has_format, + while (l) { PVEBackupDevInfo *di = (PVEBackupDevInfo *)l->data; l = g_list_next(l); +- +- backup_job_create(NULL, di->bs, NULL, speed, MIRROR_SYNC_MODE_FULL, NULL, +- BLOCKDEV_ON_ERROR_REPORT, BLOCKDEV_ON_ERROR_REPORT, +- pvebackup_dump_cb, pvebackup_complete_cb, di, +- 1, NULL, &local_err); +- if (local_err != NULL) { ++ job = backup_job_create(NULL, di->bs, di->target, speed, MIRROR_SYNC_MODE_FULL, NULL, ++ false, BLOCKDEV_ON_ERROR_REPORT, BLOCKDEV_ON_ERROR_REPORT, ++ BLOCK_JOB_DEFAULT, ++ pvebackup_dump_cb, pvebackup_complete_cb, di, ++ 1, NULL, &local_err); ++ if (!job || local_err != NULL) { + error_setg(&backup_state.error, "backup_job_create failed"); + pvebackup_cancel(NULL); + } ++ block_job_start(job); + } -- backup_start(NULL, di->bs, NULL, speed, MIRROR_SYNC_MODE_FULL, NULL, -+ backup_start(NULL, di->bs, di->target, speed, MIRROR_SYNC_MODE_FULL, NULL, - BLOCKDEV_ON_ERROR_REPORT, BLOCKDEV_ON_ERROR_REPORT, - pvebackup_dump_cb, pvebackup_complete_cb, di, - 1, NULL, &local_err); -@@ -3352,8 +3401,17 @@ err: + if (!backup_state.error) { +@@ -3352,14 +3403,24 @@ UuidInfo *qmp_backup(const char *backup_file, bool has_format, + + uuid_info = g_malloc0(sizeof(*uuid_info)); + uuid_info->UUID = g_strdup(backup_state.uuid_str); ++ + return uuid_info; + + err: l = di_list; while (l) { @@ -206,7 +235,7 @@ index 5417bb0..d8b1db8 100644 } g_list_free(di_list); -@@ -3367,6 +3425,10 @@ err: +@@ -3373,6 +3434,10 @@ err: unlink(backup_file); } @@ -218,7 +247,7 @@ index 5417bb0..d8b1db8 100644 } diff --git a/hmp-commands.hx b/hmp-commands.hx -index 8f2f3e0..0e20ef9 100644 +index aea39d0..7288203 100644 --- a/hmp-commands.hx +++ b/hmp-commands.hx @@ -89,9 +89,11 @@ ETEXI 
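Review bot: `block_job_start(job);` runs unconditionally after the `if (!job || local_err != NULL)` block, so on the failure path a NULL `job` is handed to `block_job_start()` right after `pvebackup_cancel(NULL)` has been called. The error branch needs to leave the iteration before that line, for example by ending it with `break;`, or the start should be moved into an `else`. The branch also replaces the detail in `local_err` with the fixed string "backup_job_create failed" and never releases it; propagating its message and calling `error_free(local_err);` would keep the cause visible and avoid the leak. The loop sits inside `qmp_backup`, whose body extends beyond this hunk.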
@@ -233,14 +262,14 @@ index 8f2f3e0..0e20ef9 100644 + .help = "create a VM Backup." + "\n\t\t\t Use -d to dump data into a directory instead" + "\n\t\t\t of using VMA format.", - .mhandler.cmd = hmp_backup, + .cmd = hmp_backup, }, diff --git a/hmp.c b/hmp.c -index 95da164..c23cf2f 100644 +index c685ba5..465d7fa 100644 --- a/hmp.c +++ b/hmp.c -@@ -1544,11 +1544,13 @@ void hmp_backup(Monitor *mon, const QDict *qdict) +@@ -1664,11 +1664,13 @@ void hmp_backup(Monitor *mon, const QDict *qdict) { Error *error = NULL; @@ -256,10 +285,10 @@ index 95da164..c23cf2f 100644 hmp_handle_error(mon, &error); diff --git a/qapi-schema.json b/qapi-schema.json -index 89d9ea6..147137d 100644 +index 059cbfc..1127f2c 100644 --- a/qapi-schema.json +++ b/qapi-schema.json -@@ -395,7 +395,7 @@ +@@ -609,7 +609,7 @@ # @vma: Proxmox vma backup format ## { 'enum': 'BackupFormat', @@ -269,10 +298,10 @@ index 89d9ea6..147137d 100644 ## # @backup: diff --git a/vma.c b/vma.c -index 79bdd00..c88a4358 100644 +index 8925407..1ffaced 100644 --- a/vma.c +++ b/vma.c -@@ -263,7 +263,7 @@ static int extract_content(int argc, char **argv) +@@ -264,7 +264,7 @@ static int extract_content(int argc, char **argv) g_free(statefn); } else if (di) { char *devfn = NULL; diff --git a/debian/patches/pve/0017-backup-do-not-return-errors-in-dump-callback.patch b/debian/patches/pve/0017-backup-do-not-return-errors-in-dump-callback.patch index 48a914d..031d605 100644 --- a/debian/patches/pve/0017-backup-do-not-return-errors-in-dump-callback.patch +++ b/debian/patches/pve/0017-backup-do-not-return-errors-in-dump-callback.patch @@ -1,17 +1,17 @@ -From 8a10cce2efa3d8906617939a5c644c9cb7104ef6 Mon Sep 17 00:00:00 2001 +From f859377de12e2faa46046b266ce4418c138e61ab Mon Sep 17 00:00:00 2001 
From: Wolfgang Bumiller Date: Wed, 9 Dec 2015 15:22:19 +0100 -Subject: [PATCH 17/47] backup: do not return errors in dump callback +Subject: [PATCH 17/48] backup: do not return errors in dump callback --- blockdev.c | 26 ++++++++++++++++++++------ 1 file changed, 20 insertions(+), 6 deletions(-) diff --git a/blockdev.c b/blockdev.c -index d8b1db8..fb71cdc 100644 +index af1b9d4..4b073d4 100644 --- a/blockdev.c +++ b/blockdev.c -@@ -3013,6 +3013,11 @@ static int pvebackup_dump_cb(void *opaque, BlockBackend *target, +@@ -3019,6 +3019,11 @@ static int pvebackup_dump_cb(void *opaque, BlockBackend *target, { PVEBackupDevInfo *di = opaque; @@ -23,7 +23,7 @@ index d8b1db8..fb71cdc 100644 if (sector_num & 0x7f) { if (!backup_state.error) { error_setg(&backup_state.error, -@@ -3023,7 +3028,6 @@ static int pvebackup_dump_cb(void *opaque, BlockBackend *target, +@@ -3029,7 +3034,6 @@ static int pvebackup_dump_cb(void *opaque, BlockBackend *target, } int64_t cluster_num = sector_num >> 7; @@ -31,7 +31,7 @@ index d8b1db8..fb71cdc 100644 int ret = -1; -@@ -3031,17 +3035,27 @@ static int pvebackup_dump_cb(void *opaque, BlockBackend *target, +@@ -3037,17 +3041,27 @@ static int pvebackup_dump_cb(void *opaque, BlockBackend *target, size_t zero_bytes = 0; ret = vma_writer_write(backup_state.vmaw, di->dev_id, cluster_num, buf, &zero_bytes); @@ -63,7 +63,7 @@ index d8b1db8..fb71cdc 100644 } static void pvebackup_cleanup(void) -@@ -3113,7 +3127,7 @@ static void pvebackup_cancel(void *opaque) +@@ -3119,7 +3133,7 @@ static void pvebackup_cancel(void *opaque) BlockJob *job = di->bs->job; if (job) { if (!di->completed) { diff --git a/debian/patches/pve/0018-backup-vma-correctly-propagate-error.patch b/debian/patches/pve/0018-backup-vma-correctly-propagate-error.patch index 4da2832..437cbfa 100644 --- a/debian/patches/pve/0018-backup-vma-correctly-propagate-error.patch +++ b/debian/patches/pve/0018-backup-vma-correctly-propagate-error.patch 
@@ -1,7 +1,7 @@ -From c31ba8ff9485b7648ca45952b9e7ccd74c50ac40 Mon Sep 17 00:00:00 2001 +From 17b2fc7ed399325558b891e13e104214568fd154 Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller Date: Wed, 9 Dec 2015 15:39:36 +0100 -Subject: [PATCH 18/47] backup: vma: correctly propagate error +Subject: [PATCH 18/48] backup: vma: correctly propagate error --- blockdev.c | 2 +- @@ -10,10 +10,10 @@ Subject: [PATCH 18/47] backup: vma: correctly propagate error 3 files changed, 9 insertions(+), 1 deletion(-) diff --git a/blockdev.c b/blockdev.c -index fb71cdc..2e51913 100644 +index 4b073d4..6253ef1 100644 --- a/blockdev.c +++ b/blockdev.c -@@ -3037,7 +3037,7 @@ static int pvebackup_dump_cb(void *opaque, BlockBackend *target, +@@ -3043,7 +3043,7 @@ static int pvebackup_dump_cb(void *opaque, BlockBackend *target, buf, &zero_bytes); if (ret < 0) { if (!backup_state.error) { diff --git a/debian/patches/pve/0019-backup-vma-remove-async-queue.patch b/debian/patches/pve/0019-backup-vma-remove-async-queue.patch index 50a2063..c691e9e 100644 --- a/debian/patches/pve/0019-backup-vma-remove-async-queue.patch +++ b/debian/patches/pve/0019-backup-vma-remove-async-queue.patch @@ -1,7 +1,7 @@ -From fb3d52b336cd8404055bf0b3b8d825c6f5247fef Mon Sep 17 00:00:00 2001 +From bf0b444a62df49c016eb47f0299e5656d830234e Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller Date: Wed, 9 Dec 2015 15:40:00 +0100 -Subject: [PATCH 19/47] backup: vma: remove async queue +Subject: [PATCH 19/48] backup: vma: remove async queue --- blockdev.c | 6 ++ @@ -9,10 +9,10 @@ Subject: [PATCH 19/47] backup: vma: remove async queue 2 files changed, 38 insertions(+), 147 deletions(-) diff --git a/blockdev.c b/blockdev.c -index 2e51913..1491c2d 100644 +index 6253ef1..ef159b0 100644 --- a/blockdev.c +++ b/blockdev.c -@@ -3116,6 +3116,11 @@ static void pvebackup_cancel(void *opaque) +@@ -3122,6 +3122,11 @@ static void pvebackup_cancel(void *opaque) error_setg(&backup_state.error, "backup cancelled"); } 
@@ -24,7 +24,7 @@ index 2e51913..1491c2d 100644 /* drain all i/o (awake jobs waiting for aio) */ bdrv_drain_all(); -@@ -3128,6 +3133,7 @@ static void pvebackup_cancel(void *opaque) +@@ -3134,6 +3139,7 @@ static void pvebackup_cancel(void *opaque) if (job) { if (!di->completed) { block_job_cancel_sync(job); @@ -33,7 +33,7 @@ index 2e51913..1491c2d 100644 } } diff --git a/vma-writer.c b/vma-writer.c -index 689e988..6d3119d 100644 +index 689e988..ec8da53 100644 --- a/vma-writer.c +++ b/vma-writer.c @@ -28,14 +28,8 @@ @@ -104,9 +104,9 @@ index 689e988..6d3119d 100644 - DPRINTF("vma_co_write starting %zd\n", bytes); - while (done < bytes) { -+ aio_set_fd_handler(qemu_get_aio_context(), vmaw->fd, false, NULL, vma_co_continue_write, vmaw); ++ aio_set_fd_handler(qemu_get_aio_context(), vmaw->fd, false, NULL, vma_co_continue_write, NULL, vmaw); + qemu_coroutine_yield(); -+ aio_set_fd_handler(qemu_get_aio_context(), vmaw->fd, false, NULL, NULL, NULL); ++ aio_set_fd_handler(qemu_get_aio_context(), vmaw->fd, false, NULL, NULL, NULL, NULL); + if (vmaw->status < 0) { + DPRINTF("vma_queue_write detected canceled backup\n"); + done = -1; diff --git a/debian/patches/pve/0020-backup-vma-run-flush-inside-coroutine.patch b/debian/patches/pve/0020-backup-vma-run-flush-inside-coroutine.patch index 6de18b2..d00f07b 100644 --- a/debian/patches/pve/0020-backup-vma-run-flush-inside-coroutine.patch +++ b/debian/patches/pve/0020-backup-vma-run-flush-inside-coroutine.patch @@ -1,7 +1,7 @@ -From 3e0869f3ef3fc5537d90d22cde89f1384b164e70 Mon Sep 17 00:00:00 2001 +From c0b66c21bb4d4cc1f02d4259d62dd8d6d413fd7f Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller Date: Wed, 9 Dec 2015 15:40:42 +0100 -Subject: [PATCH 20/47] backup: vma: run flush inside coroutine +Subject: [PATCH 20/48] backup: vma: run flush inside coroutine --- blockdev.c | 10 +++++++++- @@ -9,10 +9,10 @@ Subject: [PATCH 20/47] backup: vma: run flush inside coroutine 2 files changed, 13 insertions(+), 1 deletion(-) 
diff --git a/blockdev.c b/blockdev.c -index 1491c2d..f3c0c58 100644 +index ef159b0..a9a900e 100644 --- a/blockdev.c +++ b/blockdev.c -@@ -3081,6 +3081,13 @@ static void pvebackup_cleanup(void) +@@ -3087,6 +3087,13 @@ static void pvebackup_cleanup(void) } } @@ -26,7 +26,7 @@ index 1491c2d..f3c0c58 100644 static void pvebackup_complete_cb(void *opaque, int ret) { PVEBackupDevInfo *di = opaque; -@@ -3098,7 +3105,8 @@ static void pvebackup_complete_cb(void *opaque, int ret) +@@ -3104,7 +3111,8 @@ static void pvebackup_complete_cb(void *opaque, int ret) di->target = NULL; if (backup_state.vmaw) { @@ -37,7 +37,7 @@ index 1491c2d..f3c0c58 100644 block_job_cb(bs, ret); diff --git a/vma-writer.c b/vma-writer.c -index 6d3119d..79b7fd4 100644 +index ec8da53..216577a 100644 --- a/vma-writer.c +++ b/vma-writer.c @@ -700,6 +700,10 @@ int vma_writer_close(VmaWriter *vmaw, Error **errp) diff --git a/debian/patches/pve/0021-backup-do-not-use-bdrv_drain_all.patch b/debian/patches/pve/0021-backup-do-not-use-bdrv_drain_all.patch index bc66245..58c7c59 100644 --- a/debian/patches/pve/0021-backup-do-not-use-bdrv_drain_all.patch +++ b/debian/patches/pve/0021-backup-do-not-use-bdrv_drain_all.patch @@ -1,17 +1,17 @@ -From e7cf613192638f5ac24629961c4010a3b3575ad6 Mon Sep 17 00:00:00 2001 +From 4de872af5f176bbcc0d2f19b9fd30a7cefbddd9a Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller Date: Wed, 9 Dec 2015 15:41:13 +0100 -Subject: [PATCH 21/47] backup: do not use bdrv_drain_all +Subject: [PATCH 21/48] backup: do not use bdrv_drain_all --- blockdev.c | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/blockdev.c b/blockdev.c -index f3c0c58..2371cf3 100644 +index a9a900e..36b4083 100644 --- a/blockdev.c +++ b/blockdev.c -@@ -3129,9 +3129,6 @@ static void pvebackup_cancel(void *opaque) +@@ -3135,9 +3135,6 @@ static void pvebackup_cancel(void *opaque) vma_writer_set_error(backup_state.vmaw, "backup cancelled"); } 
@@ -21,7 +21,7 @@ index f3c0c58..2371cf3 100644 GList *l = backup_state.di_list; while (l) { PVEBackupDevInfo *di = (PVEBackupDevInfo *)l->data; -@@ -3140,8 +3137,7 @@ static void pvebackup_cancel(void *opaque) +@@ -3146,8 +3143,7 @@ static void pvebackup_cancel(void *opaque) BlockJob *job = di->bs->job; if (job) { if (!di->completed) { diff --git a/debian/patches/pve/0022-internal-snapshot-async.patch b/debian/patches/pve/0022-internal-snapshot-async.patch index 3c7cfcb..f20e24e 100644 --- a/debian/patches/pve/0022-internal-snapshot-async.patch +++ b/debian/patches/pve/0022-internal-snapshot-async.patch @@ -1,7 +1,7 @@ -From ddfc29076293a794f0d9cc74c0c822c144e7ecbc Mon Sep 17 00:00:00 2001 +From ab6904d8e0f3a976ade19e8b5f99270738ed6518 Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller Date: Wed, 9 Dec 2015 16:04:32 +0100 -Subject: [PATCH 22/47] internal snapshot async +Subject: [PATCH 22/48] internal snapshot async --- Makefile.objs | 1 + @@ -13,32 +13,31 @@ Subject: [PATCH 22/47] internal snapshot async include/block/block.h | 1 + include/sysemu/sysemu.h | 5 +- migration/savevm.c | 12 +- - qapi-schema.json | 46 +++++ + qapi-schema.json | 68 +++++++ qemu-options.hx | 13 ++ - qmp-commands.hx | 30 +++ - savevm-async.c | 526 ++++++++++++++++++++++++++++++++++++++++++++++++ + savevm-async.c | 525 ++++++++++++++++++++++++++++++++++++++++++++++++ vl.c | 8 + - 14 files changed, 743 insertions(+), 8 deletions(-) + 13 files changed, 734 insertions(+), 8 deletions(-) create mode 100644 savevm-async.c diff --git a/Makefile.objs b/Makefile.objs -index 845edd0..7d9d2d7 100644 +index 9b12ee6..f5f8dba 100644 --- a/Makefile.objs +++ b/Makefile.objs -@@ -53,6 +53,7 @@ common-obj-$(CONFIG_LINUX) += fsdev/ +@@ -51,6 +51,7 @@ common-obj-$(CONFIG_LINUX) += fsdev/ + common-obj-y += migration/ - common-obj-y += qemu-char.o #aio.o - common-obj-y += page_cache.o + common-obj-y += page_cache.o #aio.o +common-obj-y += savevm-async.o common-obj-$(CONFIG_SPICE) += spice-qemu-char.o 
diff --git a/block.c b/block.c -index 30d64e6..95c1d32 100644 +index 6e906ec..5563a4f 100644 --- a/block.c +++ b/block.c -@@ -2288,7 +2288,7 @@ void bdrv_replace_in_backing_chain(BlockDriverState *old, BlockDriverState *new) - bdrv_unref(old); +@@ -3045,7 +3045,7 @@ out: + bdrv_unref(bs_new); } -static void bdrv_delete(BlockDriverState *bs) @@ -47,10 +46,10 @@ index 30d64e6..95c1d32 100644 assert(!bs->job); assert(bdrv_op_blocker_is_empty(bs)); diff --git a/hmp-commands-info.hx b/hmp-commands-info.hx -index 7616fe2..3046f9d 100644 +index 1a18380..3b5a0f9 100644 --- a/hmp-commands-info.hx +++ b/hmp-commands-info.hx -@@ -588,6 +588,19 @@ Show current migration xbzrle cache size. +@@ -573,6 +573,19 @@ Show current migration xbzrle cache size. ETEXI { @@ -58,7 +57,7 @@ index 7616fe2..3046f9d 100644 + .args_type = "", + .params = "", + .help = "show savevm status", -+ .mhandler.cmd = hmp_info_savevm, ++ .cmd = hmp_info_savevm, + }, + +STEXI @@ -71,10 +70,10 @@ index 7616fe2..3046f9d 100644 .args_type = "", .params = "", diff --git a/hmp-commands.hx b/hmp-commands.hx -index 0e20ef9..4d735cb 100644 +index 7288203..a2867b5 100644 --- a/hmp-commands.hx +++ b/hmp-commands.hx -@@ -1791,3 +1791,35 @@ ETEXI +@@ -1808,3 +1808,35 @@ ETEXI STEXI @end table ETEXI @@ -84,7 +83,7 @@ index 0e20ef9..4d735cb 100644 + .args_type = "statefile:s?", + .params = "[statefile]", + .help = "Prepare for snapshot and halt VM. Save VM state to statefile.", -+ .mhandler.cmd = hmp_savevm_start, ++ .cmd = hmp_savevm_start, + }, + + { @@ -92,7 +91,7 @@ index 0e20ef9..4d735cb 100644 + .args_type = "device:s,name:s", + .params = "device name", + .help = "Create internal snapshot.", -+ .mhandler.cmd = hmp_snapshot_drive, ++ .cmd = hmp_snapshot_drive, + }, + + { @@ -100,7 +99,7 @@ index 0e20ef9..4d735cb 100644 + .args_type = "device:s,name:s", + .params = "device name", + .help = "Delete internal snapshot.", -+ .mhandler.cmd = hmp_delete_drive_snapshot, ++ .cmd = hmp_delete_drive_snapshot, + }, + + { 
@@ -108,13 +107,13 @@ index 0e20ef9..4d735cb 100644 + .args_type = "", + .params = "", + .help = "Resume VM after snaphot.", -+ .mhandler.cmd = hmp_savevm_end, ++ .cmd = hmp_savevm_end, + }, diff --git a/hmp.c b/hmp.c -index c23cf2f..030fd97 100644 +index 465d7fa..aaf0de1 100644 --- a/hmp.c +++ b/hmp.c -@@ -2117,6 +2117,63 @@ void hmp_info_memory_devices(Monitor *mon, const QDict *qdict) +@@ -2270,6 +2270,63 @@ void hmp_info_memory_devices(Monitor *mon, const QDict *qdict) qapi_free_MemoryDeviceInfoList(info_list); } @@ -179,7 +178,7 @@ index c23cf2f..030fd97 100644 { IOThreadInfoList *info_list = qmp_query_iothreads(NULL); diff --git a/hmp.h b/hmp.h -index 9a4c1f6..b74ddbf 100644 +index 17a65b2..8c1b484 100644 --- a/hmp.h +++ b/hmp.h @@ -26,6 +26,7 @@ void hmp_info_status(Monitor *mon, const QDict *qdict); @@ -190,7 +189,7 @@ index 9a4c1f6..b74ddbf 100644 void hmp_info_migrate(Monitor *mon, const QDict *qdict); void hmp_info_migrate_capabilities(Monitor *mon, const QDict *qdict); void hmp_info_migrate_parameters(Monitor *mon, const QDict *qdict); -@@ -92,6 +93,10 @@ void hmp_netdev_add(Monitor *mon, const QDict *qdict); +@@ -95,6 +96,10 @@ void hmp_netdev_add(Monitor *mon, const QDict *qdict); void hmp_netdev_del(Monitor *mon, const QDict *qdict); void hmp_getfd(Monitor *mon, const QDict *qdict); void hmp_closefd(Monitor *mon, const QDict *qdict); @@ -202,30 +201,30 @@ index 9a4c1f6..b74ddbf 100644 void hmp_screendump(Monitor *mon, const QDict *qdict); void hmp_nbd_server_start(Monitor *mon, const QDict *qdict); diff --git a/include/block/block.h b/include/block/block.h -index acddf3b..0f70a9d 100644 +index 5149260..b29c69d 100644 --- a/include/block/block.h 
+++ b/include/block/block.h -@@ -256,6 +256,7 @@ BlockDriverState *bdrv_find_backing_image(BlockDriverState *bs, +@@ -295,6 +295,7 @@ BlockDriverState *bdrv_find_backing_image(BlockDriverState *bs, int bdrv_get_backing_file_depth(BlockDriverState *bs); void bdrv_refresh_filename(BlockDriverState *bs); - int bdrv_truncate(BlockDriverState *bs, int64_t offset); + int bdrv_truncate(BdrvChild *child, int64_t offset); +void bdrv_delete(BlockDriverState *bs); int64_t bdrv_nb_sectors(BlockDriverState *bs); int64_t bdrv_getlength(BlockDriverState *bs); int64_t bdrv_get_allocated_file_size(BlockDriverState *bs); diff --git a/include/sysemu/sysemu.h b/include/sysemu/sysemu.h -index ee7c760..4875441 100644 +index 576c7ce..74623de 100644 --- a/include/sysemu/sysemu.h +++ b/include/sysemu/sysemu.h -@@ -79,6 +79,7 @@ void qemu_remove_machine_init_done_notifier(Notifier *notify); - +@@ -78,6 +78,7 @@ void qemu_remove_machine_init_done_notifier(Notifier *notify); void hmp_savevm(Monitor *mon, const QDict *qdict); + int save_vmstate(Monitor *mon, const char *name); int load_vmstate(const char *name); +int load_state_from_blockdev(const char *filename); void hmp_delvm(Monitor *mon, const QDict *qdict); void hmp_info_snapshots(Monitor *mon, const QDict *qdict); -@@ -106,13 +107,13 @@ enum qemu_vm_cmd { +@@ -105,13 +106,13 @@ enum qemu_vm_cmd { #define MAX_VM_CMD_PACKAGED_SIZE (1ul << 24) bool qemu_savevm_state_blocked(Error **errp); @@ -242,10 +241,10 @@ index ee7c760..4875441 100644 uint64_t *res_non_postcopiable, uint64_t *res_postcopiable); diff --git a/migration/savevm.c b/migration/savevm.c -index 33a2911..b1bdfb6 100644 +index 3b19a4a..feb0dc6 100644 --- a/migration/savevm.c +++ b/migration/savevm.c -@@ -879,11 +879,11 @@ void qemu_savevm_state_header(QEMUFile *f) +@@ -970,11 +970,11 @@ void qemu_savevm_state_header(QEMUFile *f) } 
@@ -259,7 +258,7 @@ index 33a2911..b1bdfb6 100644 trace_savevm_state_begin(); QTAILQ_FOREACH(se, &savevm_state.handlers, entry) { -@@ -911,6 +911,7 @@ void qemu_savevm_state_begin(QEMUFile *f, +@@ -1002,6 +1002,7 @@ void qemu_savevm_state_begin(QEMUFile *f, break; } } @@ -267,7 +266,7 @@ index 33a2911..b1bdfb6 100644 } /* -@@ -1014,7 +1015,7 @@ void qemu_savevm_state_complete_postcopy(QEMUFile *f) +@@ -1105,7 +1106,7 @@ void qemu_savevm_state_complete_postcopy(QEMUFile *f) qemu_fflush(f); } @@ -276,7 +275,7 @@ index 33a2911..b1bdfb6 100644 { QJSON *vmdesc; int vmdesc_len; -@@ -1048,12 +1049,12 @@ void qemu_savevm_state_complete_precopy(QEMUFile *f, bool iterable_only) +@@ -1139,12 +1140,12 @@ void qemu_savevm_state_complete_precopy(QEMUFile *f, bool iterable_only) save_section_footer(f, se); if (ret < 0) { qemu_file_set_error(f, ret); @@ -291,7 +290,7 @@ index 33a2911..b1bdfb6 100644 } vmdesc = qjson_new(); -@@ -1100,6 +1101,7 @@ void qemu_savevm_state_complete_precopy(QEMUFile *f, bool iterable_only) +@@ -1191,6 +1192,7 @@ void qemu_savevm_state_complete_precopy(QEMUFile *f, bool iterable_only) qjson_destroy(vmdesc); qemu_fflush(f); @@ -300,29 +299,28 @@ index 33a2911..b1bdfb6 100644 /* Give an estimate of the amount left to be transferred, diff --git a/qapi-schema.json b/qapi-schema.json -index 147137d..0c0faf7 100644 +index 1127f2c..c33ebb3 100644 --- a/qapi-schema.json 
+++ b/qapi-schema.json -@@ -594,6 +594,42 @@ - '*cpu-throttle-percentage': 'int', +@@ -813,6 +813,40 @@ '*error-desc': 'str'} } -+ -+# @SaveVMInfo + ## ++# @SaveVMInfo: +# +# Information about current migration process. +# -+# @status: #optional string describing the current savevm status. ++# @status: string describing the current savevm status. +# This can be 'active', 'completed', 'failed'. +# If this field is not returned, no savevm process +# has been initiated +# -+# @error: #optional string containing error message is status is failed. ++# @error: string containing error message is status is failed. +# -+# @total-time: #optional total amount of milliseconds since savevm started. ++# @total-time: total amount of milliseconds since savevm started. +# If savevm has ended, it returns the total save time +# -+# @bytes: #optional total amount of data transfered ++# @bytes: total amount of data transfered +# +# Since: 1.3 +## @@ -331,7 +329,7 @@ index 147137d..0c0faf7 100644 + '*total-time': 'int', '*bytes': 'int'} } + +## -+# @query-savevm ++# @query-savevm: +# +# Returns information about current savevm process. +# 
@@ -342,34 +340,58 @@ index 147137d..0c0faf7 100644 +{ 'command': 'query-savevm', 'returns': 'SaveVMInfo' } + +## -+ - ## - # @query-migrate + # @query-migrate: # -@@ -3286,8 +3322,18 @@ + # Returns information about current migration process. If migration +@@ -4828,9 +4862,43 @@ # # Since: 1.2.0 ## + { 'command': 'query-target', 'returns': 'TargetInfo' } + ## ++# @savevm-start: ++# ++# Prepare for snapshot and halt VM. Save VM state to statefile. ++# ++## +{ 'command': 'savevm-start', 'data': { '*statefile': 'str' } } + ++## ++# @snapshot-drive: ++# ++# Create an internal drive snapshot. ++# ++## +{ 'command': 'snapshot-drive', 'data': { 'device': 'str', 'name': 'str' } } + ++## ++# @delete-drive-snapshot: ++# ++# Delete a drive snapshot. ++# ++## +{ 'command': 'delete-drive-snapshot', 'data': { 'device': 'str', 'name': 'str' } } + ++## ++# @savevm-end: ++# ++# Resume VM after a snapshot. ++# ++## +{ 'command': 'savevm-end' } + + - ## ++## # @QKeyCode: # + # An enumeration of key name. diff --git a/qemu-options.hx b/qemu-options.hx -index a71aaf8..37fad3b 100644 +index 99af8ed..10f0e81 100644 --- a/qemu-options.hx +++ b/qemu-options.hx -@@ -3302,6 +3302,19 @@ STEXI +@@ -3396,6 +3396,19 @@ STEXI Start right away with a saved state (@code{loadvm} in monitor) ETEXI 
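Review bot: The doc blocks added for `savevm-start`, `snapshot-drive`, `delete-drive-snapshot` and `savevm-end` carry only a one-line summary. None documents its arguments or a `Since:` tag, unlike the `SaveVMInfo` block earlier in the same patch. I would add `# @statefile: file the VM state is saved to (optional)` to `savevm-start`, and `# @device:` and `# @name:` lines to the two drive-snapshot commands. The exact wording should be checked against savevm-async.c, since the argument semantics are not visible in this hunk.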
@@ -389,53 +411,12 @@ index a71aaf8..37fad3b 100644 #ifndef _WIN32 DEF("daemonize", 0, QEMU_OPTION_daemonize, \ "-daemonize daemonize QEMU after initializing\n", QEMU_ARCH_ALL) -diff --git a/qmp-commands.hx b/qmp-commands.hx -index a8e8522..6342cd2 100644 ---- a/qmp-commands.hx -+++ b/qmp-commands.hx -@@ -4904,6 +4904,36 @@ Example: - EQMP - - { -+ .name = "savevm-start", -+ .args_type = "statefile:s?", -+ .mhandler.cmd_new = qmp_marshal_savevm_start, -+ }, -+ -+ { -+ .name = "snapshot-drive", -+ .args_type = "device:s,name:s", -+ .mhandler.cmd_new = qmp_marshal_snapshot_drive, -+ }, -+ -+ { -+ .name = "delete-drive-snapshot", -+ .args_type = "device:s,name:s", -+ .mhandler.cmd_new = qmp_marshal_delete_drive_snapshot, -+ }, -+ -+ { -+ .name = "savevm-end", -+ .args_type = "", -+ .mhandler.cmd_new = qmp_marshal_savevm_end, -+ }, -+ -+ { -+ .name = "query-savevm", -+ .args_type = "", -+ .mhandler.cmd_new = qmp_marshal_query_savevm, -+ }, -+ -+ { - .name = "query-rocker", - .args_type = "name:s", - .mhandler.cmd_new = qmp_marshal_query_rocker, diff --git a/savevm-async.c b/savevm-async.c new file mode 100644 -index 0000000..ae7ea84 +index 0000000..9704a41 --- /dev/null +++ b/savevm-async.c -@@ -0,0 +1,526 @@ +@@ -0,0 +1,525 @@ +#include "qemu/osdep.h" +#include "qemu-common.h" +#include "qapi/qmp/qerror.h" @@ -691,7 +672,7 @@ index 0000000..ae7ea84 + BlockDriver *drv = NULL; + Error *local_err = NULL; + -+ int bdrv_oflags = BDRV_O_RDWR; ++ int bdrv_oflags = BDRV_O_RDWR | BDRV_O_RESIZE; + int ret; + + if (snap_state.state != SAVE_STATE_DONE) { @@ -942,7 +923,6 @@ index 0000000..ae7ea84 + } + + qemu_system_reset(VMRESET_SILENT); -+ migration_incoming_state_new(f); + ret = qemu_loadvm_state(f); + + qemu_fclose(f); @@ -963,10 +943,10 @@ index 0000000..ae7ea84 + return ret; +} diff --git a/vl.c b/vl.c -index b226e0b..c01b1b5 100644 +index 868c489..19afd47 100644 --- a/vl.c 
+++ b/vl.c -@@ -2962,6 +2962,7 @@ int main(int argc, char **argv, char **envp) +@@ -2960,6 +2960,7 @@ int main(int argc, char **argv, char **envp) int optind; const char *optarg; const char *loadvm = NULL; @@ -974,7 +954,7 @@ index b226e0b..c01b1b5 100644 MachineClass *machine_class; const char *cpu_model; const char *vga_model = NULL; -@@ -3603,6 +3604,9 @@ int main(int argc, char **argv, char **envp) +@@ -3631,6 +3632,9 @@ int main(int argc, char **argv, char **envp) case QEMU_OPTION_loadvm: loadvm = optarg; break; @@ -984,7 +964,7 @@ index b226e0b..c01b1b5 100644 case QEMU_OPTION_full_screen: full_screen = 1; break; -@@ -4597,6 +4601,10 @@ int main(int argc, char **argv, char **envp) +@@ -4689,6 +4693,10 @@ int main(int argc, char **argv, char **envp) if (load_vmstate(loadvm) < 0) { autostart = 0; } diff --git a/debian/patches/pve/0023-backup-vma-allow-empty-backups.patch b/debian/patches/pve/0023-backup-vma-allow-empty-backups.patch index d42a3d2..9ca91f5 100644 --- a/debian/patches/pve/0023-backup-vma-allow-empty-backups.patch +++ b/debian/patches/pve/0023-backup-vma-allow-empty-backups.patch @@ -1,7 +1,7 @@ -From e9b9fd9156a6631998ec4b4254fe2e91859b340a Mon Sep 17 00:00:00 2001 +From b5ac1badd1810f87aae5091f44bee54e3c45e979 Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller Date: Wed, 9 Dec 2015 16:31:51 +0100 -Subject: [PATCH 23/47] backup: vma: allow empty backups +Subject: [PATCH 23/48] backup: vma: allow empty backups --- vma-reader.c | 29 ++++++++++++------------- @@ -58,7 +58,7 @@ index 2aafb26..78f1de9 100644 } return ret; diff --git a/vma-writer.c b/vma-writer.c -index 79b7fd4..0d26fc6 100644 +index 216577a..0dd668b 100644 --- a/vma-writer.c +++ b/vma-writer.c @@ -252,7 +252,7 @@ vma_queue_write(VmaWriter *vmaw, const void *buf, size_t bytes) @@ -120,10 +120,10 @@ index 79b7fd4..0d26fc6 100644 return open_drives; diff --git a/vma.c b/vma.c -index c88a4358..08e4725 100644 +index 1ffaced..c7c0538 100644 --- a/vma.c 
+++ b/vma.c -@@ -27,7 +27,7 @@ static void help(void) +@@ -28,7 +28,7 @@ static void help(void) "\n" "vma list \n" "vma config [-c config]\n" @@ -132,7 +132,7 @@ index c88a4358..08e4725 100644 "vma extract [-r ] \n" "vma verify [-v]\n" ; -@@ -395,6 +395,18 @@ typedef struct BackupJob { +@@ -396,6 +396,18 @@ typedef struct BackupJob { #define BACKUP_SECTORS_PER_CLUSTER (VMA_CLUSTER_SIZE / BDRV_SECTOR_SIZE) @@ -151,7 +151,7 @@ index c88a4358..08e4725 100644 static void coroutine_fn backup_run(void *opaque) { BackupJob *job = (BackupJob *)opaque; -@@ -468,8 +480,8 @@ static int create_archive(int argc, char **argv) +@@ -469,8 +481,8 @@ static int create_archive(int argc, char **argv) } @@ -162,7 +162,7 @@ index c88a4358..08e4725 100644 help(); } -@@ -504,11 +516,11 @@ static int create_archive(int argc, char **argv) +@@ -505,11 +517,11 @@ static int create_archive(int argc, char **argv) l = g_list_next(l); } @@ -176,7 +176,7 @@ index c88a4358..08e4725 100644 Error *errp = NULL; BlockDriverState *bs; -@@ -539,37 +551,39 @@ static int create_archive(int argc, char **argv) +@@ -540,37 +552,39 @@ static int create_archive(int argc, char **argv) int percent = 0; int last_percent = -1; diff --git a/debian/patches/pve/0024-qmp-add-get_link_status.patch b/debian/patches/pve/0024-qmp-add-get_link_status.patch index ba944e3..f57929f 100644 --- a/debian/patches/pve/0024-qmp-add-get_link_status.patch +++ b/debian/patches/pve/0024-qmp-add-get_link_status.patch @@ -1,20 +1,18 @@ -From e933992419bd8da2689a527ae95000891e687a2d Mon Sep 17 00:00:00 2001 +From 759fdd7b7ea2f90a463d4bc766f9c53053498c58 Mon Sep 17 00:00:00 2001 
From: Wolfgang Bumiller Date: Wed, 9 Dec 2015 16:34:41 +0100 -Subject: [PATCH 24/47] qmp: add get_link_status +Subject: [PATCH 24/48] qmp: add get_link_status --- net/net.c | 27 +++++++++++++++++++++++++++ - qapi-schema.json | 15 +++++++++++++++ - qmp-commands.hx | 23 +++++++++++++++++++++++ - scripts/qapi.py | 2 ++ - 4 files changed, 67 insertions(+) + qapi-schema.json | 16 ++++++++++++++++ + 2 files changed, 43 insertions(+) diff --git a/net/net.c b/net/net.c -index 19b4d9e..5f890b7 100644 +index 0ac3b9e..7410c1e 100644 --- a/net/net.c +++ b/net/net.c -@@ -1362,6 +1362,33 @@ void hmp_info_network(Monitor *mon, const QDict *qdict) +@@ -1373,6 +1373,33 @@ void hmp_info_network(Monitor *mon, const QDict *qdict) } } @@ -49,14 +47,22 @@ index 19b4d9e..5f890b7 100644 { NetClientState *ncs[MAX_QUEUE_NUM]; diff --git a/qapi-schema.json b/qapi-schema.json -index 0c0faf7..d75e932 100644 +index c33ebb3..79bfd97 100644 --- a/qapi-schema.json +++ b/qapi-schema.json -@@ -1786,6 +1786,21 @@ +@@ -56,6 +56,7 @@ + { 'pragma': { + # Commands allowed to return a non-dictionary: + 'returns-whitelist': [ ++ 'get_link_status', + 'human-monitor-command', + 'qom-get', + 'query-migrate-cache-size', +@@ -2627,6 +2628,21 @@ { 'command': 'set_link', 'data': {'name': 'str', 'up': 'bool'} } ## -+# @get_link_status ++# @get_link_status: +# +# Get the current link state of the nics or nic. +# 
@@ -74,53 +80,6 @@ index 0c0faf7..d75e932 100644 # @balloon: # # Request the balloon driver to change its balloon size. -diff --git a/qmp-commands.hx b/qmp-commands.hx -index 6342cd2..a84932a 100644 ---- a/qmp-commands.hx -+++ b/qmp-commands.hx -@@ -1883,6 +1883,29 @@ Example: - EQMP - - { -+ .name = "get_link_status", -+ .args_type = "name:s", -+ .mhandler.cmd_new = qmp_marshal_get_link_status, -+ }, -+ -+SQMP -+get_link_status -+-------- -+ -+Get the link status of a network adapter. -+ -+Arguments: -+ -+- "name": network device name (json-string) -+ -+Example: -+ -+-> { "execute": "get_link_status", "arguments": { "name": "e1000.0" } } -+<- { "return": {1} } -+ -+EQMP -+ -+ { - .name = "getfd", - .args_type = "fdname:s", - .params = "getfd name", -diff --git a/scripts/qapi.py b/scripts/qapi.py -index 21bc32f..f900659 100644 ---- a/scripts/qapi.py -+++ b/scripts/qapi.py -@@ -39,6 +39,8 @@ builtin_types = { - - # Whitelist of commands allowed to return a non-dictionary - returns_whitelist = [ -+ 'get_link_status', -+ - # From QMP: - 'human-monitor-command', - 'qom-get', -- 2.1.4 diff --git a/debian/patches/pve/0025-smm_available-false.patch b/debian/patches/pve/0025-smm_available-false.patch index d51daee..34cfdc5 100644 --- a/debian/patches/pve/0025-smm_available-false.patch +++ b/debian/patches/pve/0025-smm_available-false.patch @@ -1,7 +1,7 @@ -From e1682387e4bed2357e1030933481ab63f648249b Mon Sep 17 00:00:00 2001 +From 8a8c61f58cfde89540c885bc3b0f7e7e9d820782 Mon Sep 17 00:00:00 2001 From: Alexandre Derumier Date: Tue, 29 Sep 2015 15:37:44 +0200 -Subject: [PATCH 25/47] smm_available = false +Subject: [PATCH 25/48] smm_available = false Signed-off-by: Alexandre Derumier --- @@ -9,10 +9,10 @@ Signed-off-by: Alexandre Derumier 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/i386/pc.c b/hw/i386/pc.c -index ba8a5a1..9c206fc 100644 +index 81e91a4..4161a45 100644 --- a/hw/i386/pc.c 
+++ b/hw/i386/pc.c -@@ -2084,7 +2084,7 @@ bool pc_machine_is_smm_enabled(PCMachineState *pcms) +@@ -2123,7 +2123,7 @@ bool pc_machine_is_smm_enabled(PCMachineState *pcms) if (tcg_enabled() || qtest_enabled()) { smm_available = true; } else if (kvm_enabled()) { diff --git a/debian/patches/pve/0026-use-whitespace-between-VERSION-and-PKGVERSION.patch b/debian/patches/pve/0026-use-whitespace-between-VERSION-and-PKGVERSION.patch index b7547af..773bd49 100644 --- a/debian/patches/pve/0026-use-whitespace-between-VERSION-and-PKGVERSION.patch +++ b/debian/patches/pve/0026-use-whitespace-between-VERSION-and-PKGVERSION.patch @@ -1,7 +1,7 @@ -From 017016151cb8f9a364f0b0006603772620966d5a Mon Sep 17 00:00:00 2001 +From 7329980dbe0b2c40a7262c4ea4946dfb23c189c6 Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller Date: Wed, 9 Dec 2015 16:50:05 +0100 -Subject: [PATCH 26/47] use whitespace between VERSION and PKGVERSION +Subject: [PATCH 26/48] use whitespace between VERSION and PKGVERSION Our kvm version parser expects a white space or comma after the version string, see PVE::QemuServer::kvm_user_version() @@ -10,15 +10,15 @@ the version string, see PVE::QemuServer::kvm_user_version() 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vl.c b/vl.c -index c01b1b5..0b5a721 100644 +index 19afd47..d0780a4 100644 --- a/vl.c +++ b/vl.c -@@ -1920,7 +1920,7 @@ static void main_loop(void) +@@ -1909,7 +1909,7 @@ static void main_loop(void) static void version(void) { -- printf("QEMU emulator version " QEMU_VERSION QEMU_PKGVERSION ", " -+ printf("QEMU emulator version " QEMU_VERSION " " QEMU_PKGVERSION ", " +- printf("QEMU emulator version " QEMU_VERSION QEMU_PKGVERSION "\n" ++ printf("QEMU emulator version " QEMU_VERSION " " QEMU_PKGVERSION "\n" QEMU_COPYRIGHT "\n"); } diff --git a/debian/patches/pve/0027-vma-add-firewall.patch b/debian/patches/pve/0027-vma-add-firewall.patch index fbbefb2..f65b173 100644 --- a/debian/patches/pve/0027-vma-add-firewall.patch 
+++ b/debian/patches/pve/0027-vma-add-firewall.patch @@ -1,20 +1,19 @@ -From 3400a70a51015f119c12d3600943baae97aabb0f Mon Sep 17 00:00:00 2001 +From 4e55ff68ec7aef1e2ea602890495cd862dd1161c Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller Date: Wed, 9 Dec 2015 16:51:23 +0100 -Subject: [PATCH 27/47] vma: add firewall +Subject: [PATCH 27/48] vma: add firewall --- blockdev.c | 78 ++++++++++++++++++++++++++++++++++---------------------- hmp.c | 2 +- qapi-schema.json | 1 + - qmp-commands.hx | 2 +- - 4 files changed, 51 insertions(+), 32 deletions(-) + 3 files changed, 50 insertions(+), 31 deletions(-) diff --git a/blockdev.c b/blockdev.c -index 2371cf3..bbb1502 100644 +index 36b4083..3b82339 100644 --- a/blockdev.c +++ b/blockdev.c -@@ -3157,6 +3157,44 @@ void qmp_backup_cancel(Error **errp) +@@ -3163,6 +3163,44 @@ void qmp_backup_cancel(Error **errp) } } @@ -59,7 +58,7 @@ index 2371cf3..bbb1502 100644 bool block_job_should_pause(BlockJob *job); static void pvebackup_run_next_job(void) { -@@ -3184,6 +3222,7 @@ static void pvebackup_run_next_job(void) +@@ -3190,6 +3228,7 @@ static void pvebackup_run_next_job(void) UuidInfo *qmp_backup(const char *backup_file, bool has_format, BackupFormat format, bool has_config_file, const char *config_file, @@ -67,7 +66,7 @@ index 2371cf3..bbb1502 100644 bool has_devlist, const char *devlist, bool has_speed, int64_t speed, Error **errp) { -@@ -3335,38 +3374,17 @@ UuidInfo *qmp_backup(const char *backup_file, bool has_format, +@@ -3342,38 +3381,17 @@ UuidInfo *qmp_backup(const char *backup_file, bool has_format, /* add configuration file to archive */ if (has_config_file) { @@ -116,10 +115,10 @@ index 2371cf3..bbb1502 100644 backup_state.cancel = false; diff --git a/hmp.c b/hmp.c -index 030fd97..5c5e8ed 100644 +index aaf0de1..12f1f46 100644 --- a/hmp.c 
+++ b/hmp.c -@@ -1550,7 +1550,7 @@ void hmp_backup(Monitor *mon, const QDict *qdict) +@@ -1670,7 +1670,7 @@ void hmp_backup(Monitor *mon, const QDict *qdict) int64_t speed = qdict_get_try_int(qdict, "speed", 0); qmp_backup(backup_file, true, dir ? BACKUP_FORMAT_DIR : BACKUP_FORMAT_VMA, @@ -129,10 +128,10 @@ index 030fd97..5c5e8ed 100644 hmp_handle_error(mon, &error); diff --git a/qapi-schema.json b/qapi-schema.json -index d75e932..7bb0ee0 100644 +index 79bfd97..6334018 100644 --- a/qapi-schema.json +++ b/qapi-schema.json -@@ -420,6 +420,7 @@ +@@ -635,6 +635,7 @@ { 'command': 'backup', 'data': { 'backup-file': 'str', '*format': 'BackupFormat', '*config-file': 'str', @@ -140,19 +139,6 @@ index d75e932..7bb0ee0 100644 '*devlist': 'str', '*speed': 'int' }, 'returns': 'UuidInfo' } -diff --git a/qmp-commands.hx b/qmp-commands.hx -index a84932a..94cfac2 100644 ---- a/qmp-commands.hx -+++ b/qmp-commands.hx -@@ -1315,7 +1315,7 @@ EQMP - - { - .name = "backup", -- .args_type = "backup-file:s,format:s?,config-file:F?,speed:o?,devlist:s?", -+ .args_type = "backup-file:s,format:s?,config-file:F?,firewall-file:F?,speed:o?,devlist:s?", - .mhandler.cmd_new = qmp_marshal_backup, - }, - -- 2.1.4 diff --git a/debian/patches/pve/0028-savevm-async-migration-and-bdrv_open-update.patch b/debian/patches/pve/0028-savevm-async-migration-and-bdrv_open-update.patch index f4c8276..0c3c864 100644 --- a/debian/patches/pve/0028-savevm-async-migration-and-bdrv_open-update.patch +++ b/debian/patches/pve/0028-savevm-async-migration-and-bdrv_open-update.patch @@ -1,14 +1,14 @@ -From d5ef7dd4d2b53e4868289dca3770724cb9597ec5 Mon Sep 17 00:00:00 2001 +From 54847dbb3050d9ec9dd786d572d9c1dff0757d4d Mon Sep 17 00:00:00 2001 
From: Wolfgang Bumiller Date: Thu, 10 Dec 2015 15:14:00 +0100 -Subject: [PATCH 28/47] savevm-async: migration and bdrv_open update +Subject: [PATCH 28/48] savevm-async: migration and bdrv_open update --- savevm-async.c | 25 ++++++++++++------------- 1 file changed, 12 insertions(+), 13 deletions(-) diff --git a/savevm-async.c b/savevm-async.c -index ae7ea84..7979435 100644 +index 9704a41..6ac03af 100644 --- a/savevm-async.c +++ b/savevm-async.c @@ -154,10 +154,10 @@ static int block_state_close(void *opaque) @@ -58,7 +58,7 @@ index ae7ea84..7979435 100644 - BlockDriver *drv = NULL; Error *local_err = NULL; - int bdrv_oflags = BDRV_O_RDWR; + int bdrv_oflags = BDRV_O_RDWR | BDRV_O_RESIZE; @@ -289,7 +289,7 @@ void qmp_savevm_start(bool has_statefile, const char *statefile, Error **errp) QDict *options = NULL; options = qdict_new(); diff --git a/debian/patches/pve/0029-vnc-make-x509-imply-tls-again.patch b/debian/patches/pve/0029-vnc-make-x509-imply-tls-again.patch index df15432..81cce23 100644 --- a/debian/patches/pve/0029-vnc-make-x509-imply-tls-again.patch +++ b/debian/patches/pve/0029-vnc-make-x509-imply-tls-again.patch @@ -1,17 +1,17 @@ -From d42052d75321a1af75b039f8e31127b98485ec93 Mon Sep 17 00:00:00 2001 +From 4e0a43ec969bcdf5d3bb01892bc75346e47676d6 Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller Date: Tue, 12 Jan 2016 09:09:49 +0100 -Subject: [PATCH 29/47] vnc: make x509 imply tls again +Subject: [PATCH 29/48] vnc: make x509 imply tls again --- ui/vnc.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/ui/vnc.c b/ui/vnc.c -index b9f36b5..acbe3bd 100644 +index 29575f8..039b3ed 100644 --- a/ui/vnc.c +++ b/ui/vnc.c -@@ -3729,9 +3729,8 @@ void vnc_display_open(const char *id, Error **errp) +@@ -3878,9 +3878,8 @@ void vnc_display_open(const char *id, Error **errp) const char *path; bool tls = false, x509 = false, x509verify = false; tls = qemu_opt_get_bool(opts, "tls", false); 
diff --git a/debian/patches/pve/0030-PVE-VNC-authentication.patch b/debian/patches/pve/0030-PVE-VNC-authentication.patch index 5620655..681fc4a 100644 --- a/debian/patches/pve/0030-PVE-VNC-authentication.patch +++ b/debian/patches/pve/0030-PVE-VNC-authentication.patch @@ -1,21 +1,21 @@ -From 51dd4df80640e1671de73c014c6273b154df920a Mon Sep 17 00:00:00 2001 +From d55b3d4bca482ded41c0c1489626e426007e786c Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller Date: Mon, 11 Jan 2016 10:40:31 +0100 -Subject: [PATCH 30/47] PVE VNC authentication +Subject: [PATCH 30/48] PVE VNC authentication --- crypto/tlscreds.c | 47 +++++++++++ crypto/tlscredspriv.h | 2 + - crypto/tlscredsx509.c | 13 ++-- + crypto/tlscredsx509.c | 13 +-- crypto/tlssession.c | 1 + include/crypto/tlscreds.h | 1 + include/ui/console.h | 1 + qemu-options.hx | 3 + - ui/vnc-auth-vencrypt.c | 194 ++++++++++++++++++++++++++++++++++++++-------- + ui/vnc-auth-vencrypt.c | 196 ++++++++++++++++++++++++++++++++++++++-------- ui/vnc.c | 140 ++++++++++++++++++++++++++++++++- ui/vnc.h | 4 + vl.c | 9 +++ - 11 files changed, 375 insertions(+), 40 deletions(-) + 11 files changed, 376 insertions(+), 41 deletions(-) diff --git a/crypto/tlscreds.c b/crypto/tlscreds.c index a896553..e9ae13c 100644 @@ -96,7 +96,7 @@ index 13e9b6c..0356acc 100644 #endif /* QCRYPTO_TLSCREDSPRIV_H */ diff --git a/crypto/tlscredsx509.c b/crypto/tlscredsx509.c -index 520d34d..1ba971c 100644 +index 50eb54f..09f7364 100644 --- a/crypto/tlscredsx509.c +++ b/crypto/tlscredsx509.c @@ -555,22 +555,23 @@ qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *creds, @@ -144,7 +144,7 @@ index 520d34d..1ba971c 100644 goto cleanup; } diff --git a/crypto/tlssession.c b/crypto/tlssession.c -index 2de42c6..768466a 100644 +index 96a02de..c453e29 100644 --- a/crypto/tlssession.c +++ b/crypto/tlssession.c @@ -23,6 +23,7 @@ @@ -168,10 +168,10 @@ index ad47d88..f86d379 100644 
diff --git a/include/ui/console.h b/include/ui/console.h -index 2703a3a..db6dd22 100644 +index d759338..69f010e 100644 --- a/include/ui/console.h +++ b/include/ui/console.h -@@ -456,6 +456,7 @@ static inline void cocoa_display_init(DisplayState *ds, int full_screen) +@@ -462,6 +462,7 @@ static inline void cocoa_display_init(DisplayState *ds, int full_screen) #endif /* vnc.c */ @@ -180,10 +180,10 @@ index 2703a3a..db6dd22 100644 void vnc_display_open(const char *id, Error **errp); void vnc_display_add_client(const char *id, int csock, bool skipauth); diff --git a/qemu-options.hx b/qemu-options.hx -index 37fad3b..f943ae6 100644 +index 10f0e81..fbd1a1c 100644 --- a/qemu-options.hx +++ b/qemu-options.hx -@@ -473,6 +473,9 @@ STEXI +@@ -513,6 +513,9 @@ STEXI @table @option ETEXI @@ -194,7 +194,7 @@ index 37fad3b..f943ae6 100644 "-fda/-fdb file use 'file' as floppy disk 0/1 image\n", QEMU_ARCH_ALL) DEF("fdb", HAS_ARG, QEMU_OPTION_fdb, "", QEMU_ARCH_ALL) diff --git a/ui/vnc-auth-vencrypt.c b/ui/vnc-auth-vencrypt.c -index 11c8c9a..d11f1df 100644 +index ffaab57..de1c194 100644 --- a/ui/vnc-auth-vencrypt.c +++ b/ui/vnc-auth-vencrypt.c @@ -28,6 +28,107 @@ @@ -323,7 +323,7 @@ index 11c8c9a..d11f1df 100644 case VNC_AUTH_VENCRYPT_TLSVNC: case VNC_AUTH_VENCRYPT_X509VNC: VNC_DEBUG("Start TLS auth VNC\n"); -@@ -87,44 +199,63 @@ static int protocol_client_vencrypt_auth(VncState *vs, uint8_t *data, size_t len +@@ -88,45 +200,64 @@ static int protocol_client_vencrypt_auth(VncState *vs, uint8_t *data, size_t len { int auth = read_u32(data, 0); @@ -371,6 +371,7 @@ index 11c8c9a..d11f1df 100644 + vs->ioc_tag = 0; + } +- qio_channel_set_name(QIO_CHANNEL(tls), "vnc-server-tls"); - VNC_DEBUG("Start TLS VeNCrypt handshake process\n"); - object_unref(OBJECT(vs->ioc)); - vs->ioc = QIO_CHANNEL(tls); @@ -398,6 +399,7 @@ index 11c8c9a..d11f1df 100644 + return 0; + } + } ++ qio_channel_set_name(QIO_CHANNEL(tls), "vnc-server-tls"); - qio_channel_tls_handshake(tls, - vnc_tls_handshake_done, 
@@ -416,7 +418,7 @@ index 11c8c9a..d11f1df 100644 } return 0; } -@@ -138,10 +269,11 @@ static int protocol_client_vencrypt_init(VncState *vs, uint8_t *data, size_t len +@@ -140,10 +271,11 @@ static int protocol_client_vencrypt_init(VncState *vs, uint8_t *data, size_t len vnc_flush(vs); vnc_client_error(vs); } else { @@ -431,10 +433,10 @@ index 11c8c9a..d11f1df 100644 vnc_read_when(vs, protocol_client_vencrypt_auth, 4); } diff --git a/ui/vnc.c b/ui/vnc.c -index acbe3bd..2a18a20 100644 +index 039b3ed..a34ba08 100644 --- a/ui/vnc.c +++ b/ui/vnc.c -@@ -55,6 +55,125 @@ static const struct timeval VNC_REFRESH_LOSSY = { 2, 0 }; +@@ -56,6 +56,125 @@ static const struct timeval VNC_REFRESH_LOSSY = { 2, 0 }; #include "vnc_keysym.h" #include "crypto/cipher.h" 
@@ -560,27 +562,26 @@ index acbe3bd..2a18a20 100644 static QTAILQ_HEAD(, VncDisplay) vnc_displays = QTAILQ_HEAD_INITIALIZER(vnc_displays); -@@ -3413,11 +3532,17 @@ vnc_display_setup_auth(VncDisplay *vs, - if (object_dynamic_cast(OBJECT(vs->tlscreds), - TYPE_QCRYPTO_TLS_CREDS_X509)) { +@@ -3350,10 +3469,16 @@ vnc_display_setup_auth(int *auth, + if (password) { + if (is_x509) { VNC_DEBUG("Initializing VNC server with x509 password auth\n"); -- vs->subauth = VNC_AUTH_VENCRYPT_X509VNC; -+ if (vs->tlscreds->pve) -+ vs->subauth = VNC_AUTH_VENCRYPT_X509PLAIN; +- *subauth = VNC_AUTH_VENCRYPT_X509VNC; ++ if (tlscreds->pve) ++ *subauth = VNC_AUTH_VENCRYPT_X509PLAIN; + else -+ vs->subauth = VNC_AUTH_VENCRYPT_X509VNC; - } else if (object_dynamic_cast(OBJECT(vs->tlscreds), - TYPE_QCRYPTO_TLS_CREDS_ANON)) { - VNC_DEBUG("Initializing VNC server with TLS password auth\n"); -- vs->subauth = VNC_AUTH_VENCRYPT_TLSVNC; -+ if (vs->tlscreds->pve) -+ vs->subauth = VNC_AUTH_VENCRYPT_TLSPLAIN; -+ else -+ vs->subauth = VNC_AUTH_VENCRYPT_TLSVNC; ++ *subauth = VNC_AUTH_VENCRYPT_X509VNC; } else { - error_setg(errp, - "Unsupported TLS cred type %s", -@@ -3508,6 +3633,7 @@ vnc_display_create_creds(bool x509, + VNC_DEBUG("Initializing VNC server with TLS password auth\n"); +- *subauth = VNC_AUTH_VENCRYPT_TLSVNC; ++ if (tlscreds->pve) ++ *subauth = VNC_AUTH_VENCRYPT_TLSPLAIN; ++ else ++ *subauth = VNC_AUTH_VENCRYPT_TLSVNC; + } + + } else if (sasl) { +@@ -3387,6 +3512,7 @@ vnc_display_create_creds(bool x509, bool x509verify, const char *dir, const char *id, @@ -588,7 +589,7 @@ index acbe3bd..2a18a20 100644 Error **errp) { gchar *credsid = g_strdup_printf("tlsvnc%s", id); -@@ -3523,6 +3649,7 @@ vnc_display_create_creds(bool x509, +@@ -3402,6 +3528,7 @@ vnc_display_create_creds(bool x509, "endpoint", "server", "dir", dir, "verify-peer", x509verify ? "yes" : "no", 
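Review bot: In the `vnc_display_setup_auth` hunk of the inner ui/vnc.c patch, the non-x509 branch now selects `VNC_AUTH_VENCRYPT_TLSPLAIN` whenever `tlscreds->pve` is set. The removed lines show this branch was the `TYPE_QCRYPTO_TLS_CREDS_ANON` case, so the client's plaintext credentials travel over a TLS session whose server end is not authenticated. That protects against passive listeners but not against an on-path peer. I would accept `pve` only together with x509 credentials and fail setup otherwise, or at minimum record the limitation at the branch: `/* PLAIN over anonymous TLS: server is unauthenticated, credentials are exposed to an on-path peer */`. The function body continues outside the hunk, so how it reports errors has to be taken from the full file.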
@@ -596,7 +597,7 @@ index acbe3bd..2a18a20 100644 NULL); } else { creds = object_new_with_props(TYPE_QCRYPTO_TLS_CREDS_ANON, -@@ -3530,6 +3657,7 @@ vnc_display_create_creds(bool x509, +@@ -3409,6 +3536,7 @@ vnc_display_create_creds(bool x509, credsid, &err, "endpoint", "server", @@ -604,7 +605,7 @@ index acbe3bd..2a18a20 100644 NULL); } -@@ -3727,12 +3855,17 @@ void vnc_display_open(const char *id, Error **errp) +@@ -3876,12 +4004,17 @@ void vnc_display_open(const char *id, Error **errp) } } else { const char *path; @@ -623,19 +624,19 @@ index acbe3bd..2a18a20 100644 } else { path = qemu_opt_get(opts, "x509verify"); if (path) { -@@ -3744,6 +3877,7 @@ void vnc_display_open(const char *id, Error **errp) +@@ -3893,6 +4026,7 @@ void vnc_display_open(const char *id, Error **errp) x509verify, path, - vs->id, + vd->id, + pve, errp); - if (!vs->tlscreds) { + if (!vd->tlscreds) { goto fail; diff --git a/ui/vnc.h b/ui/vnc.h -index ab5f244..2fde9d3 100644 +index 694cf32..78d622a 100644 --- a/ui/vnc.h +++ b/ui/vnc.h -@@ -282,6 +282,8 @@ struct VncState +@@ -284,6 +284,8 @@ struct VncState int auth; int subauth; /* Used by VeNCrypt */ char challenge[VNC_AUTH_CHALLENGE_SIZE]; @@ -652,10 +653,10 @@ index ab5f244..2fde9d3 100644 + #endif /* QEMU_VNC_H */ diff --git a/vl.c b/vl.c -index 0b5a721..4742300 100644 +index d0780a4..2496b06 100644 --- a/vl.c +++ b/vl.c -@@ -2950,6 +2950,7 @@ static int global_init_func(void *opaque, QemuOpts *opts, Error **errp) +@@ -2947,6 +2947,7 @@ static int qemu_read_default_config_file(void) int main(int argc, char **argv, char **envp) { int i; @@ -663,7 +664,7 @@ index 0b5a721..4742300 100644 int snapshot, linux_boot; const char *initrd_filename; const char *kernel_filename, *kernel_cmdline; -@@ -3722,6 +3723,14 @@ int main(int argc, char **argv, char **envp) +@@ -3774,6 +3775,14 @@ int main(int argc, char **argv, char **envp) exit(1); } break; 
diff --git a/debian/patches/pve/0031-vma-writer-don-t-bail-out-on-zero-length-files.patch b/debian/patches/pve/0031-vma-writer-don-t-bail-out-on-zero-length-files.patch index 90dadea..f470528 100644 --- a/debian/patches/pve/0031-vma-writer-don-t-bail-out-on-zero-length-files.patch +++ b/debian/patches/pve/0031-vma-writer-don-t-bail-out-on-zero-length-files.patch @@ -1,14 +1,14 @@ -From e4958531f423dd635053559d05e8c86c208ceb02 Mon Sep 17 00:00:00 2001 +From c1210916b52651aaa5d27e69fce78dd57818eab1 Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller Date: Mon, 8 Feb 2016 08:23:34 +0100 -Subject: [PATCH 31/47] vma-writer: don't bail out on zero-length files +Subject: [PATCH 31/48] vma-writer: don't bail out on zero-length files --- vma-writer.c | 1 - 1 file changed, 1 deletion(-) diff --git a/vma-writer.c b/vma-writer.c -index 0d26fc6..a378762 100644 +index 0dd668b..70dcca0 100644 --- a/vma-writer.c +++ b/vma-writer.c @@ -130,7 +130,6 @@ int vma_writer_add_config(VmaWriter *vmaw, const char *name, gpointer data, diff --git a/debian/patches/pve/0032-vma-better-driver-guessing-for-bdrv_open.patch b/debian/patches/pve/0032-vma-better-driver-guessing-for-bdrv_open.patch index db45d26..2a2614b 100644 --- a/debian/patches/pve/0032-vma-better-driver-guessing-for-bdrv_open.patch +++ b/debian/patches/pve/0032-vma-better-driver-guessing-for-bdrv_open.patch @@ -1,7 +1,7 @@ -From 2dc69ead56b7ecd60eb513ab5b6c9978e06070ef Mon Sep 17 00:00:00 2001 +From 0cf02f586f50e0bc1b25f0ecf76207b2510d77df Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller Date: Tue, 23 Feb 2016 15:48:41 +0100 -Subject: [PATCH 32/47] vma: better driver guessing for bdrv_open +Subject: [PATCH 32/48] vma: better driver guessing for bdrv_open Only use 'raw' when the file actually ends with .raw and no protocol has been specified. With protocol pass the @@ -12,10 +12,10 @@ into account. 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/vma.c b/vma.c -index 08e4725..8a27704 100644 +index c7c0538..4903568 100644 
--- a/vma.c +++ b/vma.c -@@ -293,7 +293,20 @@ static int extract_content(int argc, char **argv) +@@ -294,7 +294,20 @@ static int extract_content(int argc, char **argv) } BlockDriverState *bs = bdrv_new(); diff --git a/debian/patches/pve/0033-block-add-the-zeroinit-block-driver-filter.patch b/debian/patches/pve/0033-block-add-the-zeroinit-block-driver-filter.patch index f3fc5b7..d4be32d 100644 --- a/debian/patches/pve/0033-block-add-the-zeroinit-block-driver-filter.patch +++ b/debian/patches/pve/0033-block-add-the-zeroinit-block-driver-filter.patch @@ -1,32 +1,32 @@ -From 6f6f38d2ef8f22a12f72e4d60f8a1fa978ac569a Mon Sep 17 00:00:00 2001 +From 35facc3a3549baf4cccaef27afa9c35a25abe91c Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller Date: Thu, 17 Mar 2016 11:33:37 +0100 -Subject: [PATCH 33/47] block: add the zeroinit block driver filter +Subject: [PATCH 33/48] block: add the zeroinit block driver filter --- block/Makefile.objs | 1 + - block/zeroinit.c | 220 ++++++++++++++++++++++++++++++++++++++++++++++++++++ - 2 files changed, 221 insertions(+) + block/zeroinit.c | 219 ++++++++++++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 220 insertions(+) create mode 100644 block/zeroinit.c diff --git a/block/Makefile.objs b/block/Makefile.objs -index 2593a2f..930ca33 100644 +index de96f8e..8cdac08 100644 --- a/block/Makefile.objs +++ b/block/Makefile.objs @@ -4,6 +4,7 @@ block-obj-y += qed.o qed-gencb.o qed-l2-cache.o qed-table.o qed-cluster.o block-obj-y += qed-check.o - block-obj-$(CONFIG_VHDX) += vhdx.o vhdx-endian.o vhdx-log.o + block-obj-y += vhdx.o vhdx-endian.o vhdx-log.o block-obj-y += quorum.o +block-obj-y += zeroinit.o block-obj-y += parallels.o blkdebug.o blkverify.o blkreplay.o block-obj-y += block-backend.o snapshot.o qapi.o - block-obj-$(CONFIG_WIN32) += raw-win32.o win32-aio.o + block-obj-$(CONFIG_WIN32) += file-win32.o win32-aio.o diff --git a/block/zeroinit.c b/block/zeroinit.c new file mode 100644 -index 0000000..c56a446 +index 0000000..0a8c7f9 
--- /dev/null +++ b/block/zeroinit.c -@@ -0,0 +1,220 @@ +@@ -0,0 +1,219 @@ +/* + * Filter to fake a zero-initialized block device. + * @@ -195,16 +195,15 @@ index 0000000..c56a446 + return bdrv_get_block_status(bs->file->bs, sector_num, nb_sectors, pnum, file); +} + -+static coroutine_fn BlockAIOCB *zeroinit_aio_pdiscard(BlockDriverState *bs, -+ int64_t offset, int count, -+ BlockCompletionFunc *cb, void *opaque) ++static int coroutine_fn zeroinit_co_pdiscard(BlockDriverState *bs, ++ int64_t offset, int count) +{ -+ return bdrv_aio_pdiscard(bs->file->bs, offset, count, cb, opaque); ++ return bdrv_co_pdiscard(bs->file->bs, offset, count); +} + +static int zeroinit_truncate(BlockDriverState *bs, int64_t offset) +{ -+ return bdrv_truncate(bs->file->bs, offset); ++ return bdrv_truncate(bs->file, offset); +} + +static int zeroinit_get_info(BlockDriverState *bs, BlockDriverInfo *bdi) @@ -235,7 +234,7 @@ index 0000000..c56a446 + + .bdrv_co_get_block_status = zeroinit_co_get_block_status, + -+ .bdrv_aio_pdiscard = zeroinit_aio_pdiscard, ++ .bdrv_co_pdiscard = zeroinit_co_pdiscard, + + .bdrv_truncate = zeroinit_truncate, + .bdrv_get_info = zeroinit_get_info, diff --git a/debian/patches/pve/0034-vma-add-format-option-to-device-mapping.patch b/debian/patches/pve/0034-vma-add-format-option-to-device-mapping.patch index 90b75ae..4a26623 100644 --- a/debian/patches/pve/0034-vma-add-format-option-to-device-mapping.patch +++ b/debian/patches/pve/0034-vma-add-format-option-to-device-mapping.patch @@ -1,7 +1,7 @@ -From 10ae69c411df788752628c8950bf9e76c8cf6af1 Mon Sep 17 00:00:00 2001 +From a61194439318c95dfcb7df973ac961c12937dbcd Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller Date: Tue, 12 Apr 2016 13:49:44 +0200 -Subject: [PATCH 34/47] vma: add format option to device mapping +Subject: [PATCH 34/48] vma: add format option to device mapping The BDRV_O_PROTOCOL option breaks non-raw protocol devices, so we instead now allow the format to be explicitly 
@@ -15,10 +15,10 @@ silence the warnings by passing the drive mapping. 1 file changed, 27 insertions(+), 7 deletions(-) diff --git a/vma.c b/vma.c -index 8a27704..c8ad6c0 100644 +index 4903568..f71e5a5 100644 --- a/vma.c +++ b/vma.c -@@ -130,6 +130,7 @@ static int list_content(int argc, char **argv) +@@ -131,6 +131,7 @@ static int list_content(int argc, char **argv) typedef struct RestoreMap { char *devname; char *path; @@ -26,7 +26,7 @@ index 8a27704..c8ad6c0 100644 bool write_zero; } RestoreMap; -@@ -217,13 +218,24 @@ static int extract_content(int argc, char **argv) +@@ -218,13 +219,24 @@ static int extract_content(int argc, char **argv) } } @@ -53,7 +53,7 @@ index 8a27704..c8ad6c0 100644 write_zero = true; } else { g_error("read map failed - parse error ('%s')", inbuf); -@@ -239,6 +251,7 @@ static int extract_content(int argc, char **argv) +@@ -240,6 +252,7 @@ static int extract_content(int argc, char **argv) RestoreMap *map = g_new0(RestoreMap, 1); map->devname = g_strdup(devname); map->path = g_strdup(path); @@ -61,7 +61,7 @@ index 8a27704..c8ad6c0 100644 map->write_zero = write_zero; g_hash_table_insert(devmap, map->devname, map); -@@ -263,6 +276,7 @@ static int extract_content(int argc, char **argv) +@@ -264,6 +277,7 @@ static int extract_content(int argc, char **argv) g_free(statefn); } else if (di) { char *devfn = NULL; @@ -69,7 +69,7 @@ index 8a27704..c8ad6c0 100644 int flags = BDRV_O_RDWR; bool write_zero = true; -@@ -273,6 +287,7 @@ static int extract_content(int argc, char **argv) +@@ -274,6 +288,7 @@ static int extract_content(int argc, char **argv) g_error("no device name mapping for %s", di->devname); } devfn = map->path; 
@@ -77,7 +77,7 @@ index 8a27704..c8ad6c0 100644 write_zero = map->write_zero; } else { devfn = g_strdup_printf("%s/tmp-disk-%s.raw", -@@ -295,15 +310,20 @@ static int extract_content(int argc, char **argv) +@@ -296,15 +311,20 @@ static int extract_content(int argc, char **argv) BlockDriverState *bs = bdrv_new(); size_t devlen = strlen(devfn); diff --git a/debian/patches/pve/0035-fix-possible-unitialised-return-value.patch b/debian/patches/pve/0035-fix-possible-unitialised-return-value.patch index fb2dc2d..c9af179 100644 --- a/debian/patches/pve/0035-fix-possible-unitialised-return-value.patch +++ b/debian/patches/pve/0035-fix-possible-unitialised-return-value.patch @@ -1,17 +1,17 @@ -From 927da5e2426aac5bef37c97604740deddedbda41 Mon Sep 17 00:00:00 2001 +From 6db418de8e775dd2f3699033699777498f4e2afd Mon Sep 17 00:00:00 2001 From: Thomas Lamprecht Date: Wed, 6 Apr 2016 16:45:15 +0200 -Subject: [PATCH 35/47] fix possible unitialised return value +Subject: [PATCH 35/48] fix possible unitialised return value --- migration/savevm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/migration/savevm.c b/migration/savevm.c -index b1bdfb6..cebba77 100644 +index feb0dc6..d2615f4 100644 --- a/migration/savevm.c +++ b/migration/savevm.c -@@ -1020,7 +1020,7 @@ int qemu_savevm_state_complete_precopy(QEMUFile *f, bool iterable_only) +@@ -1111,7 +1111,7 @@ int qemu_savevm_state_complete_precopy(QEMUFile *f, bool iterable_only) QJSON *vmdesc; int vmdesc_len; SaveStateEntry *se; diff --git a/debian/patches/pve/0036-vnc-refactor-to-QIOChannelSocket.patch b/debian/patches/pve/0036-vnc-refactor-to-QIOChannelSocket.patch index 8b4421f..3e3e988 100644 --- a/debian/patches/pve/0036-vnc-refactor-to-QIOChannelSocket.patch +++ b/debian/patches/pve/0036-vnc-refactor-to-QIOChannelSocket.patch @@ -1,14 +1,14 @@ -From e6af4497017e37cb31f7cbd80137f41ce297d702 Mon Sep 17 00:00:00 2001 +From f9fec937bcc33ff1edb11b53107486a35b23f2a8 Mon Sep 17 00:00:00 2001 
From: Thomas Lamprecht Date: Wed, 6 Apr 2016 16:47:54 +0200 -Subject: [PATCH 36/47] vnc: refactor to QIOChannelSocket +Subject: [PATCH 36/48] vnc: refactor to QIOChannelSocket --- ui/vnc-auth-vencrypt.c | 31 ++++++++++++++++--------------- 1 file changed, 16 insertions(+), 15 deletions(-) diff --git a/ui/vnc-auth-vencrypt.c b/ui/vnc-auth-vencrypt.c -index d11f1df..a529520 100644 +index de1c194..594ca73 100644 --- a/ui/vnc-auth-vencrypt.c +++ b/ui/vnc-auth-vencrypt.c @@ -28,27 +28,23 @@ diff --git a/debian/patches/pve/0037-vma-use-BlockBackend-on-extract.patch b/debian/patches/pve/0037-vma-use-BlockBackend-on-extract.patch index 9f836b7..0089256 100644 --- a/debian/patches/pve/0037-vma-use-BlockBackend-on-extract.patch +++ b/debian/patches/pve/0037-vma-use-BlockBackend-on-extract.patch @@ -1,7 +1,7 @@ -From 0d4b69786584eec1386183b259c22f7cae6df69d Mon Sep 17 00:00:00 2001 +From d63b3c58bce32b976231923f5e186ebd55259c98 Mon Sep 17 00:00:00 2001 From: Thomas Lamprecht Date: Fri, 1 Jul 2016 15:47:29 +0200 -Subject: [PATCH 37/47] vma: use BlockBackend on extract +Subject: [PATCH 37/48] vma: use BlockBackend on extract As we else rely on bdrv_close_all() do clean up, which was rewritten in ca9bd24cf1d53775169ba9adc17e265554d1afed and fails on "dangling" @@ -16,18 +16,18 @@ and dump_config(), both do not have a BDS so no need to change here. 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/vma.c b/vma.c -index c8ad6c0..a2ddd32 100644 +index f71e5a5..ad51090 100644 --- a/vma.c +++ b/vma.c -@@ -19,6 +19,7 @@ - #include "qemu/error-report.h" +@@ -20,6 +20,7 @@ #include "qemu/main-loop.h" + #include "qapi/qmp/qstring.h" #include "sysemu/char.h" /* qstring_from_str */ +#include "sysemu/block-backend.h" static void help(void) { -@@ -263,6 +264,8 @@ static int extract_content(int argc, char **argv) +@@ -264,6 +265,8 @@ static int extract_content(int argc, char **argv) int vmstate_fd = -1; guint8 vmstate_stream = 0; 
@@ -36,7 +36,7 @@ index c8ad6c0..a2ddd32 100644 for (i = 1; i < 255; i++) { VmaDeviceInfo *di = vma_reader_get_device_info(vmar, i); if (di && (strcmp(di->devname, "vmstate") == 0)) { -@@ -307,8 +310,6 @@ static int extract_content(int argc, char **argv) +@@ -308,8 +311,6 @@ static int extract_content(int argc, char **argv) write_zero = false; } @@ -45,7 +45,7 @@ index c8ad6c0..a2ddd32 100644 size_t devlen = strlen(devfn); QDict *options = NULL; if (format) { -@@ -326,10 +327,14 @@ static int extract_content(int argc, char **argv) +@@ -327,10 +328,14 @@ static int extract_content(int argc, char **argv) qdict_put(options, "driver", qstring_from_str("raw")); } @@ -61,7 +61,7 @@ index c8ad6c0..a2ddd32 100644 if (vma_reader_register_bs(vmar, i, bs, write_zero, &errp) < 0) { g_error("%s", error_get_pretty(errp)); } -@@ -362,6 +367,8 @@ static int extract_content(int argc, char **argv) +@@ -363,6 +368,8 @@ static int extract_content(int argc, char **argv) vma_reader_destroy(vmar); diff --git a/debian/patches/pve/0038-vma-byte-based-write-calls.patch b/debian/patches/pve/0038-vma-byte-based-write-calls.patch index d2fe7b2..6727f09 100644 --- a/debian/patches/pve/0038-vma-byte-based-write-calls.patch +++ b/debian/patches/pve/0038-vma-byte-based-write-calls.patch @@ -1,7 +1,7 @@ -From 1209cadf111aaf73b53e568f78104340b4ffb0bd Mon Sep 17 00:00:00 2001 +From a004ee9295029201e8fc3b8fe4acf7f85674527c Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller Date: Fri, 9 Sep 2016 14:51:28 +0200 -Subject: [PATCH 38/47] vma: byte based write calls +Subject: [PATCH 38/48] vma: byte based write calls --- vma-reader.c | 42 +++++++++++++++++++++--------------------- @@ -148,10 +148,10 @@ index 78f1de9..2000889 100644 return -1; } diff --git a/vma.c b/vma.c -index a2ddd32..ff974bd 100644 +index ad51090..aafdc2d 100644 --- a/vma.c 
+++ b/vma.c -@@ -333,9 +333,7 @@ static int extract_content(int argc, char **argv) +@@ -334,9 +334,7 @@ static int extract_content(int argc, char **argv) error_get_pretty(errp)); } @@ -162,7 +162,7 @@ index a2ddd32..ff974bd 100644 g_error("%s", error_get_pretty(errp)); } -@@ -427,7 +425,7 @@ static int verify_content(int argc, char **argv) +@@ -428,7 +426,7 @@ static int verify_content(int argc, char **argv) } typedef struct BackupJob { @@ -171,7 +171,7 @@ index a2ddd32..ff974bd 100644 int64_t len; VmaWriter *vmaw; uint8_t dev_id; -@@ -456,7 +454,7 @@ static void coroutine_fn backup_run(void *opaque) +@@ -457,7 +455,7 @@ static void coroutine_fn backup_run(void *opaque) int64_t start, end; int ret = 0; @@ -180,7 +180,7 @@ index a2ddd32..ff974bd 100644 start = 0; end = DIV_ROUND_UP(job->len / BDRV_SECTOR_SIZE, -@@ -467,8 +465,8 @@ static void coroutine_fn backup_run(void *opaque) +@@ -468,8 +466,8 @@ static void coroutine_fn backup_run(void *opaque) iov.iov_len = VMA_CLUSTER_SIZE; qemu_iovec_init_external(&qiov, &iov, 1); @@ -191,7 +191,7 @@ index a2ddd32..ff974bd 100644 if (ret < 0) { vma_writer_set_error(job->vmaw, "read error", -1); goto out; -@@ -563,14 +561,14 @@ static int create_archive(int argc, char **argv) +@@ -564,14 +562,14 @@ static int create_archive(int argc, char **argv) path = extract_devname(path, &devname, devcount++); Error *errp = NULL; @@ -210,7 +210,7 @@ index a2ddd32..ff974bd 100644 int dev_id = vma_writer_register_stream(vmaw, devname, size); if (dev_id <= 0) { unlink(archivename); -@@ -579,7 +577,7 @@ static int create_archive(int argc, char **argv) +@@ -580,7 +578,7 @@ static int create_archive(int argc, char **argv) BackupJob *job = g_new0(BackupJob, 1); job->len = size; diff --git a/debian/patches/pve/0039-rbd-disable-rbd_cache_writethrough_until_flush-with-.patch b/debian/patches/pve/0039-rbd-disable-rbd_cache_writethrough_until_flush-with-.patch index 0e1f752..0f1a65e 100644 
--- a/debian/patches/pve/0039-rbd-disable-rbd_cache_writethrough_until_flush-with-.patch +++ b/debian/patches/pve/0039-rbd-disable-rbd_cache_writethrough_until_flush-with-.patch @@ -1,7 +1,7 @@ -From 8aaa1a8108aabdca93d866eeaa9308deae81cd70 Mon Sep 17 00:00:00 2001 +From 0dd047c39e7821c8e31f9133be12bc9be61c045c Mon Sep 17 00:00:00 2001 From: Alexandre Derumier Date: Tue, 26 Jul 2016 16:51:00 +0200 -Subject: [PATCH 39/47] rbd: disable rbd_cache_writethrough_until_flush with +Subject: [PATCH 39/48] rbd: disable rbd_cache_writethrough_until_flush with cache=unsafe Signed-off-by: Alexandre Derumier @@ -10,10 +10,10 @@ Signed-off-by: Alexandre Derumier 1 file changed, 4 insertions(+) diff --git a/block/rbd.c b/block/rbd.c -index 5cefdbb..b0bb516 100644 +index 498322b..e9c02c6 100644 --- a/block/rbd.c +++ b/block/rbd.c -@@ -552,6 +552,10 @@ static int qemu_rbd_open(BlockDriverState *bs, QDict *options, int flags, +@@ -616,6 +616,10 @@ static int qemu_rbd_open(BlockDriverState *bs, QDict *options, int flags, rados_conf_set(s->cluster, "rbd_cache", "true"); } diff --git a/debian/patches/pve/0040-enable-cache-unsafe-for-vma-extract_content-and-qmp_.patch b/debian/patches/pve/0040-enable-cache-unsafe-for-vma-extract_content-and-qmp_.patch index c4fbc64..9b42f49 100644 --- a/debian/patches/pve/0040-enable-cache-unsafe-for-vma-extract_content-and-qmp_.patch +++ b/debian/patches/pve/0040-enable-cache-unsafe-for-vma-extract_content-and-qmp_.patch @@ -1,7 +1,7 @@ -From 383a94de8f4f887a95b8089b2f0141321d94f5fe Mon Sep 17 00:00:00 2001 +From 5a587bc1cfc30faa8506b5c2925b767b4c3d7b56 Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller Date: Mon, 1 Aug 2016 10:52:46 +0200 -Subject: [PATCH 40/47] enable cache=unsafe for vma extract_content and +Subject: [PATCH 40/48] enable cache=unsafe for vma extract_content and qmp_savevm_start We don't send any flush here, so we need to open with cache=unsafe. @@ -13,23 +13,23 @@ 
Signed-off-by: Alexandre Derumier 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/savevm-async.c b/savevm-async.c -index 7979435..76cd8fa 100644 +index 6ac03af..46c1be7 100644 --- a/savevm-async.c +++ b/savevm-async.c @@ -253,7 +253,7 @@ void qmp_savevm_start(bool has_statefile, const char *statefile, Error **errp) { Error *local_err = NULL; -- int bdrv_oflags = BDRV_O_RDWR; -+ int bdrv_oflags = BDRV_O_RDWR | BDRV_O_NO_FLUSH; +- int bdrv_oflags = BDRV_O_RDWR | BDRV_O_RESIZE; ++ int bdrv_oflags = BDRV_O_RDWR | BDRV_O_RESIZE | BDRV_O_NO_FLUSH; int ret; if (snap_state.state != SAVE_STATE_DONE) { diff --git a/vma.c b/vma.c -index ff974bd..a8fa4ff 100644 +index aafdc2d..4f55799 100644 --- a/vma.c +++ b/vma.c -@@ -280,7 +280,7 @@ static int extract_content(int argc, char **argv) +@@ -281,7 +281,7 @@ static int extract_content(int argc, char **argv) } else if (di) { char *devfn = NULL; const char *format = NULL; diff --git a/debian/patches/pve/0041-savevm-async-updates.patch b/debian/patches/pve/0041-savevm-async-updates.patch index a427269..781ddb4 100644 --- a/debian/patches/pve/0041-savevm-async-updates.patch +++ b/debian/patches/pve/0041-savevm-async-updates.patch @@ -1,14 +1,14 @@ -From 9ea20572325cbc6df31293b863ccb8d2ae0e1dbd Mon Sep 17 00:00:00 2001 +From d7b0ad8cf8ef0aad35b0549128003dbb49b8386d Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller Date: Fri, 9 Sep 2016 15:21:19 +0200 -Subject: [PATCH 41/47] savevm-async updates +Subject: [PATCH 41/48] savevm-async updates --- savevm-async.c | 79 +++++++++++++++++++++++++++++----------------------------- 1 file changed, 39 insertions(+), 40 deletions(-) diff --git a/savevm-async.c b/savevm-async.c -index 76cd8fa..8c76137 100644 +index 46c1be7..2f4766c 100644 --- a/savevm-async.c +++ b/savevm-async.c @@ -20,6 +20,8 @@ @@ -106,7 +106,7 @@ index 76cd8fa..8c76137 100644 
@@ -254,7 +257,6 @@ void qmp_savevm_start(bool has_statefile, const char *statefile, Error **errp) Error *local_err = NULL; - int bdrv_oflags = BDRV_O_RDWR | BDRV_O_NO_FLUSH; + int bdrv_oflags = BDRV_O_RDWR | BDRV_O_RESIZE | BDRV_O_NO_FLUSH; - int ret; if (snap_state.state != SAVE_STATE_DONE) { @@ -196,7 +196,7 @@ index 76cd8fa..8c76137 100644 goto the_end; } -@@ -516,10 +515,10 @@ int load_state_from_blockdev(const char *filename) +@@ -515,10 +514,10 @@ int load_state_from_blockdev(const char *filename) ret = 0; the_end: diff --git a/debian/patches/pve/0042-qmp_snapshot_drive-add-aiocontext.patch b/debian/patches/pve/0042-qmp_snapshot_drive-add-aiocontext.patch index c78ab68..10ae052 100644 --- a/debian/patches/pve/0042-qmp_snapshot_drive-add-aiocontext.patch +++ b/debian/patches/pve/0042-qmp_snapshot_drive-add-aiocontext.patch @@ -1,7 +1,7 @@ -From 704d008790dbccfd38aa55463c9e8bd873d08a3d Mon Sep 17 00:00:00 2001 +From 4fb6191acb1fdff8170a26ba9acd835c9eaf8218 Mon Sep 17 00:00:00 2001 From: Alexandre Derumier Date: Tue, 13 Sep 2016 01:57:56 +0200 -Subject: [PATCH 42/47] qmp_snapshot_drive: add aiocontext +Subject: [PATCH 42/48] qmp_snapshot_drive: add aiocontext Signed-off-by: Alexandre Derumier --- @@ -9,7 +9,7 @@ Signed-off-by: Alexandre Derumier 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/savevm-async.c b/savevm-async.c -index 8c76137..99ba132 100644 +index 2f4766c..5913a90 100644 --- a/savevm-async.c +++ b/savevm-async.c @@ -345,6 +345,7 @@ void qmp_snapshot_drive(const char *device, const char *name, Error **errp) diff --git a/debian/patches/pve/0043-vma-sizes-passed-to-blk_co_preadv-should-be-bytes-no.patch b/debian/patches/pve/0043-vma-sizes-passed-to-blk_co_preadv-should-be-bytes-no.patch index 3d08a8d..97ebf96 100644 --- a/debian/patches/pve/0043-vma-sizes-passed-to-blk_co_preadv-should-be-bytes-no.patch +++ b/debian/patches/pve/0043-vma-sizes-passed-to-blk_co_preadv-should-be-bytes-no.patch 
@@ -1,17 +1,17 @@ -From ed8e3b7faeb3a36e1105aac4813cd9876735bd81 Mon Sep 17 00:00:00 2001 +From 220fb93343dc6c05989c903873d8ed68943848ef Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller Date: Fri, 21 Oct 2016 09:09:26 +0200 -Subject: [PATCH 43/47] vma: sizes passed to blk_co_preadv should be bytes now +Subject: [PATCH 43/48] vma: sizes passed to blk_co_preadv should be bytes now --- vma.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/vma.c b/vma.c -index a8fa4ff..752a21b 100644 +index 4f55799..0491542 100644 --- a/vma.c +++ b/vma.c -@@ -465,8 +465,8 @@ static void coroutine_fn backup_run(void *opaque) +@@ -466,8 +466,8 @@ static void coroutine_fn backup_run(void *opaque) iov.iov_len = VMA_CLUSTER_SIZE; qemu_iovec_init_external(&qiov, &iov, 1); diff --git a/debian/patches/pve/0044-glusterfs-daemonize.patch b/debian/patches/pve/0044-glusterfs-daemonize.patch deleted file mode 100644 index 16febf8..0000000 --- a/debian/patches/pve/0044-glusterfs-daemonize.patch +++ /dev/null @@ -1,31 +0,0 @@ -From a7613eb93e702d5de5b40d17c4d4e95e8e5a010d Mon Sep 17 00:00:00 2001 -From: Wolfgang Bumiller -Date: Mon, 24 Oct 2016 09:32:36 +0200 -Subject: [PATCH 44/47] glusterfs: daemonize - ---- - block/gluster.c | 8 +++++--- - 1 file changed, 5 insertions(+), 3 deletions(-) - -diff --git a/block/gluster.c b/block/gluster.c -index 01b479f..6dcf926 100644 ---- a/block/gluster.c -+++ b/block/gluster.c -@@ -341,9 +341,11 @@ static struct glfs *qemu_gluster_glfs_init(BlockdevOptionsGluster *gconf, - } - } - -- ret = glfs_set_logging(glfs, "-", gconf->debug_level); -- if (ret < 0) { -- goto out; -+ if (!is_daemonized()) { -+ ret = glfs_set_logging(glfs, "-", gconf->debug_level); -+ if (ret < 0) { -+ goto out; -+ } - } - - ret = glfs_init(glfs); --- -2.1.4 - diff --git a/debian/patches/pve/0044-glusterfs-no-default-logfile-if-daemonized.patch b/debian/patches/pve/0044-glusterfs-no-default-logfile-if-daemonized.patch new file mode 100644 index 0000000..4b5694d 
--- /dev/null +++ b/debian/patches/pve/0044-glusterfs-no-default-logfile-if-daemonized.patch @@ -0,0 +1,52 @@ +From cb89d816594f141bad45536886900cbf33ba09bd Mon Sep 17 00:00:00 2001 +From: Wolfgang Bumiller +Date: Mon, 24 Oct 2016 09:32:36 +0200 +Subject: [PATCH 44/48] glusterfs: no default logfile if daemonized + +--- + block/gluster.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +diff --git a/block/gluster.c b/block/gluster.c +index a577dae..e712dc7 100644 +--- a/block/gluster.c ++++ b/block/gluster.c +@@ -33,7 +33,7 @@ + #define GLUSTER_DEBUG_DEFAULT 4 + #define GLUSTER_DEBUG_MAX 9 + #define GLUSTER_OPT_LOGFILE "logfile" +-#define GLUSTER_LOGFILE_DEFAULT "-" /* handled in libgfapi as /dev/stderr */ ++#define GLUSTER_LOGFILE_DEFAULT NULL + + #define GERR_INDEX_HINT "hint: check in 'server' array index '%d'\n" + +@@ -398,6 +398,7 @@ static struct glfs *qemu_gluster_glfs_init(BlockdevOptionsGluster *gconf, + int old_errno; + SocketAddressFlatList *server; + unsigned long long port; ++ const char *logfile; + + glfs = glfs_find_preopened(gconf->volume); + if (glfs) { +@@ -433,9 +434,15 @@ static struct glfs *qemu_gluster_glfs_init(BlockdevOptionsGluster *gconf, + } + } + +- ret = glfs_set_logging(glfs, gconf->logfile, gconf->debug); +- if (ret < 0) { +- goto out; ++ logfile = gconf->logfile; ++ if (!logfile && !is_daemonized()) { ++ logfile = "-"; ++ } ++ if (logfile) { ++ ret = glfs_set_logging(glfs, logfile, gconf->debug); ++ if (ret < 0) { ++ goto out; ++ } + } + + ret = glfs_init(glfs); +-- +2.1.4 + diff --git a/debian/patches/pve/0045-qmp_delete_drive_snapshot-add-aiocontext.patch b/debian/patches/pve/0045-qmp_delete_drive_snapshot-add-aiocontext.patch index 5841588..8928886 100644 --- a/debian/patches/pve/0045-qmp_delete_drive_snapshot-add-aiocontext.patch +++ b/debian/patches/pve/0045-qmp_delete_drive_snapshot-add-aiocontext.patch 
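Review bot: In the `qemu_gluster_glfs_init` hunk of the new 0044 patch, a daemonized QEMU with no `logfile` option now skips `glfs_set_logging()` altogether, and nothing in the patch says where libgfapi messages go in that case. `GLUSTER_LOGFILE_DEFAULT` also loses its old explanatory comment without a replacement. I would document the behaviour at the new block, for example `/* daemonized and no logfile given: leave libgfapi logging unconfigured, stderr is gone */`, so operators know storage errors are only recorded when `logfile` is set. Other users of `GLUSTER_LOGFILE_DEFAULT` are outside the hunk, so whether any of them assumes a non-NULL string should be checked.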
@@ -1,7 +1,7 @@ -From 41cd2dcf03fe0187221a8d005f423cc091d76dfc Mon Sep 17 00:00:00 2001 +From 58d620cb1d511be7a6521e76a6cd54ebbbbae2b7 Mon Sep 17 00:00:00 2001 From: Alexandre Derumier Date: Mon, 7 Nov 2016 11:47:50 +0100 -Subject: [PATCH 45/47] qmp_delete_drive_snapshot : add aiocontext +Subject: [PATCH 45/48] qmp_delete_drive_snapshot : add aiocontext this fix snapshot delete of qcow2 with iothread enabled @@ -11,7 +11,7 @@ Signed-off-by: Alexandre Derumier 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/savevm-async.c b/savevm-async.c -index 99ba132..660b25b 100644 +index 5913a90..3adf89f 100644 --- a/savevm-async.c +++ b/savevm-async.c @@ -427,6 +427,7 @@ void qmp_delete_drive_snapshot(const char *device, const char *name, diff --git a/debian/patches/pve/0046-convert-savevm-async-to-threads.patch b/debian/patches/pve/0046-convert-savevm-async-to-threads.patch index 4391b09..d2606bc 100644 --- a/debian/patches/pve/0046-convert-savevm-async-to-threads.patch +++ b/debian/patches/pve/0046-convert-savevm-async-to-threads.patch @@ -1,14 +1,14 @@ -From 593664f6efe07973f54d3cbcc4203c05ad68f6cf Mon Sep 17 00:00:00 2001 +From 190e9321e1657ec0b956ecece21d6a037487cd14 Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller Date: Tue, 8 Nov 2016 11:13:06 +0100 -Subject: [PATCH 46/47] convert savevm-async to threads +Subject: [PATCH 46/48] convert savevm-async to threads --- savevm-async.c | 144 +++++++++++++++++++++++++++++++++++---------------------- 1 file changed, 88 insertions(+), 56 deletions(-) diff --git a/savevm-async.c b/savevm-async.c -index 660b25b..7b4c219 100644 +index 3adf89f..9f839fa 100644 --- a/savevm-async.c +++ b/savevm-async.c @@ -48,6 +48,8 @@ static struct SnapshotState { diff --git a/debian/patches/pve/0047-glusterfs-allow-partial-reads.patch b/debian/patches/pve/0047-glusterfs-allow-partial-reads.patch index 6e2379a..3416bc4 100644 --- a/debian/patches/pve/0047-glusterfs-allow-partial-reads.patch 
+++ b/debian/patches/pve/0047-glusterfs-allow-partial-reads.patch @@ -1,7 +1,7 @@ -From 519bcfc6d86a42a643ee65a0741bb2418c7d2e67 Mon Sep 17 00:00:00 2001 +From 2cebda37c624832599906df01f540fdc76ecac50 Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller Date: Wed, 30 Nov 2016 10:27:47 +0100 -Subject: [PATCH 47/47] glusterfs: allow partial reads +Subject: [PATCH 47/48] glusterfs: allow partial reads This should deal with qemu bug #1644754 until upstream decides which way to go. The general direction seems to be @@ -14,18 +14,18 @@ sense. 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/block/gluster.c b/block/gluster.c -index 6dcf926..17c51ed 100644 +index e712dc7..daf6cec 100644 --- a/block/gluster.c +++ b/block/gluster.c -@@ -39,6 +39,7 @@ typedef struct GlusterAIOCB { - QEMUBH *bh; +@@ -42,6 +42,7 @@ typedef struct GlusterAIOCB { + int ret; Coroutine *coroutine; AioContext *aio_context; + bool is_write; } GlusterAIOCB; typedef struct BDRVGlusterState { -@@ -623,8 +624,10 @@ static void gluster_finish_aiocb(struct glfs_fd *fd, ssize_t ret, void *arg) +@@ -705,8 +706,10 @@ static void gluster_finish_aiocb(struct glfs_fd *fd, ssize_t ret, void *arg) acb->ret = 0; /* Success */ } else if (ret < 0) { acb->ret = -errno; /* Read/Write failed */ @@ -36,8 +36,8 @@ index 6dcf926..17c51ed 100644 + acb->ret = 0; /* Success */ } - acb->bh = aio_bh_new(acb->aio_context, qemu_gluster_complete_aio, acb); -@@ -861,6 +864,7 @@ static coroutine_fn int qemu_gluster_co_pwrite_zeroes(BlockDriverState *bs, + aio_co_schedule(acb->aio_context, acb->coroutine); +@@ -954,6 +957,7 @@ static coroutine_fn int qemu_gluster_co_pwrite_zeroes(BlockDriverState *bs, acb.ret = 0; acb.coroutine = qemu_coroutine_self(); acb.aio_context = bdrv_get_aio_context(bs); 
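Review bot: The rebased `gluster_finish_aiocb` hunk keeps the added `acb->ret = 0; /* Success */` for a short read, and the visible lines do not show the unread tail of the request buffer being cleared before success is reported. If nothing outside the hunk does that, whatever the buffer held before is passed on as read data, which for guest-visible buffers is an information-exposure risk as well as a correctness one. I would either zero the remainder on this path or state the contract in a comment such as `/* short read: the caller must zero the bytes past ret */`. The function body and the read caller lie outside the hunk, so this needs confirming against the full file.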
@@ -45,7 +45,7 @@ index 6dcf926..17c51ed 100644 ret = glfs_zerofill_async(s->fd, offset, size, gluster_finish_aiocb, &acb); if (ret < 0) { -@@ -979,9 +983,11 @@ static coroutine_fn int qemu_gluster_co_rw(BlockDriverState *bs, +@@ -1076,9 +1080,11 @@ static coroutine_fn int qemu_gluster_co_rw(BlockDriverState *bs, acb.aio_context = bdrv_get_aio_context(bs); if (write) { @@ -57,7 +57,7 @@ index 6dcf926..17c51ed 100644 ret = glfs_preadv_async(s->fd, qiov->iov, qiov->niov, offset, 0, gluster_finish_aiocb, &acb); } -@@ -1044,6 +1050,7 @@ static coroutine_fn int qemu_gluster_co_flush_to_disk(BlockDriverState *bs) +@@ -1142,6 +1148,7 @@ static coroutine_fn int qemu_gluster_co_flush_to_disk(BlockDriverState *bs) acb.ret = 0; acb.coroutine = qemu_coroutine_self(); acb.aio_context = bdrv_get_aio_context(bs); @@ -65,7 +65,7 @@ index 6dcf926..17c51ed 100644 ret = glfs_fsync_async(s->fd, gluster_finish_aiocb, &acb); if (ret < 0) { -@@ -1090,6 +1097,7 @@ static coroutine_fn int qemu_gluster_co_pdiscard(BlockDriverState *bs, +@@ -1188,6 +1195,7 @@ static coroutine_fn int qemu_gluster_co_pdiscard(BlockDriverState *bs, acb.ret = 0; acb.coroutine = qemu_coroutine_self(); acb.aio_context = bdrv_get_aio_context(bs); diff --git a/debian/patches/pve/0048-vma-don-t-use-O_DIRECT-on-pipes.patch b/debian/patches/pve/0048-vma-don-t-use-O_DIRECT-on-pipes.patch new file mode 100644 index 0000000..8ec4b1c --- /dev/null +++ b/debian/patches/pve/0048-vma-don-t-use-O_DIRECT-on-pipes.patch 
@@ -0,0 +1,51 @@
+From 40846f73aea36b4ef66cce152321208f7d820222 Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller
+Date: Thu, 30 Mar 2017 16:05:34 +0200
+Subject: [PATCH 48/48] vma: don't use O_DIRECT on pipes
+
+It puts them in packet mode which potentially discards data.
+---
+ vma-writer.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/vma-writer.c b/vma-writer.c
+index 70dcca0..9001cbd 100644
+--- a/vma-writer.c
++++ b/vma-writer.c
+@@ -283,9 +283,8 @@ VmaWriter *vma_writer_create(const char *filename, uuid_t uuid, Error **errp)
+ }
+ vmaw->fd = fileno(vmaw->cmd);
+
+- /* try to use O_NONBLOCK and O_DIRECT */
++ /* try to use O_NONBLOCK */
+ fcntl(vmaw->fd, F_SETFL, fcntl(vmaw->fd, F_GETFL)|O_NONBLOCK);
+- fcntl(vmaw->fd, F_SETFL, fcntl(vmaw->fd, F_GETFL)|O_DIRECT);
+
+ } else {
+ struct stat st;
+@@ -293,19 +292,18 @@ VmaWriter *vma_writer_create(const char *filename, uuid_t uuid, Error **errp)
+ const char *tmp_id_str;
+
+ if ((stat(filename, &st) == 0) && S_ISFIFO(st.st_mode)) {
+- oflags = O_NONBLOCK|O_DIRECT|O_WRONLY;
++ oflags = O_NONBLOCK|O_WRONLY;
+ vmaw->fd = qemu_open(filename, oflags, 0644);
+ } else if (strstart(filename, "/dev/fdset/", &tmp_id_str)) {
+- oflags = O_NONBLOCK|O_DIRECT|O_WRONLY;
++ oflags = O_NONBLOCK|O_WRONLY;
+ vmaw->fd = qemu_open(filename, oflags, 0644);
+ } else if (strstart(filename, "/dev/fdname/", &tmp_id_str)) {
+ vmaw->fd = monitor_get_fd(cur_mon, tmp_id_str, errp);
+ if (vmaw->fd < 0) {
+ goto err;
+ }
+- /* try to use O_NONBLOCK and O_DIRECT */
++ /* try to use O_NONBLOCK */
+ fcntl(vmaw->fd, F_SETFL, fcntl(vmaw->fd, F_GETFL)|O_NONBLOCK);
+- fcntl(vmaw->fd, F_SETFL, fcntl(vmaw->fd, F_GETFL)|O_DIRECT);
+ } else {
+ oflags = O_NONBLOCK|O_DIRECT|O_WRONLY|O_CREAT|O_EXCL;
+ vmaw->fd = qemu_open(filename, oflags, 0644);
+--
+2.1.4
+
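Review bot: The two remaining `fcntl(vmaw->fd, F_SETFL, fcntl(vmaw->fd, F_GETFL)|O_NONBLOCK);` calls still pass an unchecked F_GETFL result into F_SETFL, so a failing F_GETFL (-1) would request every status flag at once, O_DIRECT included, which is the packet-mode behaviour this patch sets out to remove. Reading the flags first keeps the best-effort intent: `int fl = fcntl(vmaw->fd, F_GETFL);` followed by `if (fl >= 0) { fcntl(vmaw->fd, F_SETFL, fl | O_NONBLOCK); }`. The `/dev/fdname/` branch also only stops adding O_DIRECT; whether a descriptor handed over by the monitor can already carry that flag is not visible here and is worth confirming. vma_writer_create starts and ends outside the hunk.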
diff --git a/debian/patches/pve/0049-block-zeroinit-request-child-permissions.patch b/debian/patches/pve/0049-block-zeroinit-request-child-permissions.patch
new file mode 100644
index 0000000..2285706
--- /dev/null
+++ b/debian/patches/pve/0049-block-zeroinit-request-child-permissions.patch
@@ -0,0 +1,25 @@
+From 5445b96892a6350894ea3785f174157c4e7bbbaa Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller
+Date: Fri, 31 Mar 2017 09:27:58 +0200
+Subject: [PATCH 49/49] block: zeroinit: request child permissions
+
+See d7010dfb685
+---
+ block/zeroinit.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/block/zeroinit.c b/block/zeroinit.c
+index 0a8c7f9..a857ec3 100644
+--- a/block/zeroinit.c
++++ b/block/zeroinit.c
+@@ -191,6 +191,7 @@ static BlockDriver bdrv_zeroinit = {
+ .bdrv_file_open = zeroinit_open,
+ .bdrv_close = zeroinit_close,
+ .bdrv_getlength = zeroinit_getlength,
++ .bdrv_child_perm = bdrv_filter_default_perms,
+ .bdrv_co_flush_to_disk = zeroinit_co_flush,
+
+ .bdrv_co_pwrite_zeroes = zeroinit_co_pwrite_zeroes,
+--
+2.1.4
+
diff --git a/debian/patches/series b/debian/patches/series
index ff76828..e6fe8a7 100644
--- a/debian/patches/series
+++ b/debian/patches/series
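Review bot: The description of the new 0049 patch is only `See d7010dfb685`, which names neither the repository the hash belongs to nor the failure that the added `.bdrv_child_perm = bdrv_filter_default_perms,` line addresses. A one-line body would make the patch reviewable on its own, for example `zeroinit is a filter driver and must request permissions on its child (see qemu commit d7010dfb685)`, assuming the hash is an upstream qemu commit. The header also reads `[PATCH 49/49]` while 0045 to 0048 carry `N/48` in this same commit, so the series headers disagree on the total. The bdrv_zeroinit initializer continues outside the inner hunk.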
@@ -41,57 +41,9 @@ pve/0040-enable-cache-unsafe-for-vma-extract_content-and-qmp_.patch
 pve/0041-savevm-async-updates.patch
 pve/0042-qmp_snapshot_drive-add-aiocontext.patch
 pve/0043-vma-sizes-passed-to-blk_co_preadv-should-be-bytes-no.patch
-pve/0044-glusterfs-daemonize.patch
+pve/0044-glusterfs-no-default-logfile-if-daemonized.patch
 pve/0045-qmp_delete_drive_snapshot-add-aiocontext.patch
 pve/0046-convert-savevm-async-to-threads.patch
 pve/0047-glusterfs-allow-partial-reads.patch
-#see https://bugs.launchpad.net/qemu/+bug/1488363?comments=all
-extra/x86-lapic-Load-LAPIC-state-at-post_load.patch
-extra/0001-Revert-target-i386-disable-LINT0-after-reset.patch
-extra/0002-net-vmxnet-initialise-local-tx-descriptor.patch
-extra/0003-net-limit-allocation-in-nc_sendv_compat.patch
-extra/CVE-2016-7156-scsi-pvscsi-avoid-infinite-loop-while-building-SG-li.patch
-extra/CVE-2016-7170-vmsvga-correct-bitmap-and-pixmap-size-checks.patch
-extra/CVE-2016-7422-virtio-add-check-for-descriptor-s-mapped-address.patch
-extra/CVE-2016-7466-usb-xhci-fix-memory-leak-in-usb_xhci_exit.patch
-extra/CVE-2016-7907-net-imx-limit-buffer-descriptor-count.patch
-extra/CVE-2016-7908-net-mcf-limit-buffer-descriptor-count.patch
-extra/CVE-2016-7909-net-pcnet-check-rx-tx-descriptor-ring-length.patch
-extra/CVE-2016-7994-virtio-gpu-fix-memory-leak-in-virtio_gpu_resource_cr.patch
-extra/CVE-2016-7995-usb-ehci-fix-memory-leak-in-ehci_process_itd.patch
-extra/CVE-2016-8576-xhci-limit-the-number-of-link-trbs-we-are-willing-to.patch
-extra/CVE-2016-8577-9pfs-fix-potential-host-memory-leak-in-v9fs_read.patch
-extra/CVE-2016-8578-9pfs-allocate-space-for-guest-originated-empty-strin.patch
-extra/CVE-2016-8668-net-rocker-set-limit-to-DMA-buffer-size.patch
-extra/CVE-2016-8669-char-serial-check-divider-value-against-baud-base.patch
-extra/CVE-2016-8909-audio-intel-hda-check-stream-entry-count-during-tran.patch
-extra/CVE-2016-9103-9pfs-fix-information-leak-in-xattr-read.patch
-extra/CVE-2016-9101-net-eepro100-fix-memory-leak-in-device-uninit.patch
-extra/CVE-2016-9105-9pfs-fix-memory-leak-in-v9fs_link.patch
-extra/CVE-2016-9102-9pfs-fix-memory-leak-in-v9fs_xattrcreate.patch
-extra/CVE-2016-9106-9pfs-fix-memory-leak-in-v9fs_write.patch
-extra/CVE-2016-9104-9pfs-fix-integer-overflow-issue-in-xattr-read-write.patch
-extra/CVE-2016-9776-net-mcf-check-receive-buffer-size-register-value.patch
-extra/CVE-2016-9845-virtio-gpu-fix-information-leak-in-getting-capset-in.patch
-extra/CVE-2016-9846-virtio-gpu-fix-memory-leak-in-update_cursor_data_vir.patch
-extra/CVE-2016-9907-usbredir-free-vm_change_state_handler-in-usbredir-de.patch
-extra/CVE-2016-9908-virtio-gpu-fix-information-leak-in-capset-get-dispat.patch
-extra/CVE-2016-9911-usb-ehci-fix-memory-leak-in-ehci_init_transfer.patch
-extra/CVE-2016-9912-virtio-gpu-call-cleanup-mapping-function-in-resource.patch
-extra/CVE-2016-9913-9pfs-adjust-the-order-of-resource-cleanup-in-device-.patch
-extra/CVE-2016-9914-9pfs-add-cleanup-operation-in-FileOperations.patch
-extra/CVE-2016-9915-9pfs-add-cleanup-operation-for-handle-backend-driver.patch
-extra/CVE-2016-9916-9pfs-add-cleanup-operation-for-proxy-backend-driver.patch
-extra/CVE-2016-9921-display-cirrus-check-vga-bits-per-pixel-bpp-value.patch
-extra/0001-display-cirrus-ignore-source-pitch-value-as-needed-i.patch
-extra/0001-cirrus-handle-negative-pitch-in-cirrus_invalidate_re.patch
-extra/0002-cirrus-allow-zero-source-pitch-in-pattern-fill-rops.patch
-extra/0003-cirrus-fix-blit-address-mask-handling.patch
-extra/0004-cirrus-fix-oob-access-issue-CVE-2017-2615.patch
-extra/CVE-2016-10028-display-virtio-gpu-3d-check-virgl-capabilities-max_s.patch
-extra/CVE-2016-10155-watchdog-6300esb-add-exit-function.patch
-extra/0003-sd-sdhci-check-transfer-mode-register-in-multi-block.patch
-extra/0004-sd-sdhci-block-count-enable-not-relevant-in-single-b.patch
-extra/0001-cirrus-fix-patterncopy-checks.patch
-extra/0002-Revert-cirrus-allow-zero-source-pitch-in-pattern-fil.patch -extra/CVE-2017-2620_cirrus_add_blit_is_unsafe_call_to_cirrus_bitblt_cputovideo.patch +pve/0048-vma-don-t-use-O_DIRECT-on-pipes.patch +pve/0049-block-zeroinit-request-child-permissions.patch diff --git a/debian/rules b/debian/rules index 26a06a7..ecacfa3 100755 --- a/debian/rules +++ b/debian/rules @@ -15,6 +15,8 @@ DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE) DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE) +ARCH ?= $(shell dpkg-architecture -qDEB_HOST_GNU_CPU) + PACKAGE=pve-qemu-kvm destdir := $(CURDIR)/debian/$(PACKAGE) @@ -33,7 +35,7 @@ endif config.status: configure dh_testdir # Add here commands to configure the package. - ./configure --with-confsuffix="/kvm" --target-list=x86_64-softmmu --prefix=/usr --datadir=/usr/share --docdir=/usr/share/doc/pve-qemu-kvm --sysconfdir=/etc --localstatedir=/var --disable-xen --enable-gnutls --enable-sdl --enable-uuid --enable-linux-aio --enable-rbd --enable-libiscsi --disable-smartcard --audio-drv-list="alsa" --enable-spice --enable-usb-redir --enable-glusterfs --enable-libusb --disable-gtk --enable-xfsctl --enable-numa --disable-strip --enable-jemalloc --disable-libnfs --disable-fdt + ./configure --with-confsuffix="/kvm" --target-list=$(ARCH)-softmmu --prefix=/usr --datadir=/usr/share --docdir=/usr/share/doc/pve-qemu-kvm --sysconfdir=/etc --localstatedir=/var --disable-xen --enable-gnutls --enable-sdl --enable-linux-aio --enable-rbd --enable-libiscsi --disable-smartcard --audio-drv-list="alsa" --enable-spice --enable-usb-redir --enable-glusterfs --enable-libusb --disable-gtk --enable-xfsctl --enable-numa --disable-strip --enable-jemalloc --enable-virtfs --disable-libnfs --disable-fdt build: patch build-stamp 
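Review bot: Nothing in the series hunk records that the roughly fifty `extra/` entries removed here (the CVE-2016-* fixes, CVE-2017-2615 and CVE-2017-2620 among them) are all contained in the qemu tree the package now builds from. That is presumably the case after the submodule update, but a backport that never landed upstream would silently reopen a fixed issue once its line is gone. Checking each removed subject against the history of submodule commit df9046363220e57d45818312759b954c033c58ab would make the removal auditable. So would a changelog line such as `* drop extra/ patches, all included in the updated qemu submodule`.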
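Review bot: `ARCH ?= $(shell dpkg-architecture -qDEB_HOST_GNU_CPU)` yields the GNU CPU name, which matches a qemu softmmu target name only on some architectures such as x86_64 and aarch64. On others (i686, powerpc64le) the `--target-list=$(ARCH)-softmmu` in the configure hunk and the `qemu-system-$(ARCH)` in the install hunk would name a target and binary that qemu does not build. The `?=` form also lets an `ARCH` already exported in the build environment override the detected value, and the recursive flavour re-runs the shell call on every expansion. A private, simply expanded variable avoids both, e.g. `QEMU_ARCH := $(shell dpkg-architecture -qDEB_HOST_GNU_CPU)`, followed by an explicit mapping or an `$(error ...)` for CPUs without a matching target.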
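Review bot: `--enable-virtfs` is added to the configure line with no comment on which feature needs it. It builds the 9pfs host file-sharing backend into the binary, a component for which the series file in this same commit lists a run of earlier security fixes (the `CVE-2016-…-9pfs-…` entries). That code is only reachable for guests configured with a 9p share, but it widens what such a guest can touch on the host, so a comment above the configure call would help, e.g. `# virtfs (9p) enabled for <feature>; only active for VMs with a 9p share configured`. The same line drops `--enable-uuid` without explanation; if the option simply no longer exists in the new qemu, that is worth a word as well.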
@@ -73,7 +75,7 @@ install: build # Add here commands to install the package into debian/pve-kvm. $(MAKE) DESTDIR=$(destdir) install - mv $(destdir)/usr/bin/qemu-system-x86_64 $(destdir)/usr/bin/kvm + mv $(destdir)/usr/bin/qemu-system-$(ARCH) $(destdir)/usr/bin/kvm mv $(destdir)/usr/share/man/man1/qemu.1 $(destdir)/usr/share/man/man1/kvm.1 # Install the userspace utilities diff --git a/qemu b/qemu index 0d83fcc..df90463 160000 --- a/qemu +++ b/qemu @@ -1 +1 @@ -Subproject commit 0d83fccb4fb3140d21feeb37ba069ba71029aaa7 +Subproject commit df9046363220e57d45818312759b954c033c58ab