diff --git a/block-Remove-unused-include.patch b/block-Remove-unused-include.patch
new file mode 100644
index 0000000000000000000000000000000000000000..91981a9d0cf98b6f0db61a182903d524531f9a15
--- /dev/null
+++ b/block-Remove-unused-include.patch
@@ -0,0 +1,31 @@
+From b353d059bddf4b211c2560e7c123f874ed5c8cf6 Mon Sep 17 00:00:00 2001
+From: AlexChen
+Date: Wed, 21 Oct 2020 17:12:52 +0800
+Subject: [PATCH] block: Remove unused include
+
+The "qemu-common.h" include is not used, remove it.
+
+Reported-by: Euler Robot
+Signed-off-by: AlexChen
+Message-Id: <5F8FFB94.3030209@huawei.com>
+Signed-off-by: Max Reitz
+(cherry-picked from commit 3d86af858e)
+---
+ block/dmg-lzfse.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/block/dmg-lzfse.c b/block/dmg-lzfse.c
+index 19d25bc646..6798cf4fbf 100644
+--- a/block/dmg-lzfse.c
++++ b/block/dmg-lzfse.c
+@@ -22,7 +22,6 @@
+ * THE SOFTWARE.
+ */
+ #include "qemu/osdep.h"
+-#include "qemu-common.h"
+ #include "dmg.h"
+ #include
+
+--
+2.23.0
+
diff --git a/block-vvfat-Fix-bad-printf-format-specifiers.patch b/block-vvfat-Fix-bad-printf-format-specifiers.patch
new file mode 100644
index 0000000000000000000000000000000000000000..241d42e75c53151cc0f65417ce3111be64298cfb
--- /dev/null
+++ b/block-vvfat-Fix-bad-printf-format-specifiers.patch
@@ -0,0 +1,77 @@
+From c9a4e85610bffe1803648c431e4cff4539a42323 Mon Sep 17 00:00:00 2001
+From: AlexChen
+Date: Tue, 3 Nov 2020 17:42:56 +0800
+Subject: [PATCH] block/vvfat: Fix bad printf format specifiers
+
+We should use printf format specifier "%u" instead of "%d" for
+argument of type "unsigned int".
+In addition, fix two error format problems found by checkpatch.pl:
+ERROR: space required after that ',' (ctx:VxV)
++ fprintf(stderr,"%s attributes=0x%02x begin=%u size=%d\n",
+ ^
+ERROR: line over 90 characters
++ fprintf(stderr, "%d, %s (%u, %d)\n", i, commit->path ? commit->path : "(null)", commit->param.rename.cluster, commit->action);
+
+Reported-by: Euler Robot
+Signed-off-by: Alex Chen
+Message-Id: <5FA12620.6030705@huawei.com>
+Signed-off-by: Kevin Wolf
+(cherry-picked from commit c9eb2f3e38)
+---
+ block/vvfat.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/block/vvfat.c b/block/vvfat.c
+index f6c28805dd..5dc8d6eb4c 100644
+--- a/block/vvfat.c
++++ b/block/vvfat.c
+@@ -1453,7 +1453,7 @@ static void print_direntry(const direntry_t* direntry)
+ for(i=0;i<11;i++)
+ ADD_CHAR(direntry->name[i]);
+ buffer[j] = 0;
+- fprintf(stderr,"%s attributes=0x%02x begin=%d size=%d\n",
++ fprintf(stderr, "%s attributes=0x%02x begin=%u size=%u\n",
+ buffer,
+ direntry->attributes,
+ begin_of_direntry(direntry),le32_to_cpu(direntry->size));
+@@ -1462,7 +1462,7 @@ static void print_direntry(const direntry_t* direntry)
+
+ static void print_mapping(const mapping_t* mapping)
+ {
+- fprintf(stderr, "mapping (%p): begin, end = %d, %d, dir_index = %d, "
++ fprintf(stderr, "mapping (%p): begin, end = %u, %u, dir_index = %u, "
+ "first_mapping_index = %d, name = %s, mode = 0x%x, " ,
+ mapping, mapping->begin, mapping->end, mapping->dir_index,
+ mapping->first_mapping_index, mapping->path, mapping->mode);
+@@ -1470,7 +1470,7 @@ static void print_mapping(const mapping_t* mapping)
+ if (mapping->mode & MODE_DIRECTORY)
+ fprintf(stderr,
"parent_mapping_index = %d, first_dir_index = %d\n", mapping->info.dir.parent_mapping_index, mapping->info.dir.first_dir_index);
+ else
+- fprintf(stderr, "offset = %d\n", mapping->info.file.offset);
++ fprintf(stderr, "offset = %u\n", mapping->info.file.offset);
+ }
+ #endif
+
+@@ -1604,7 +1604,7 @@ typedef struct commit_t {
+ static void clear_commits(BDRVVVFATState* s)
+ {
+ int i;
+-DLOG(fprintf(stderr, "clear_commits (%d commits)\n", s->commits.next));
++DLOG(fprintf(stderr, "clear_commits (%u commits)\n", s->commits.next));
+ for (i = 0; i < s->commits.next; i++) {
+ commit_t* commit = array_get(&(s->commits), i);
+ assert(commit->path || commit->action == ACTION_WRITEOUT);
+@@ -2660,7 +2660,9 @@ static int handle_renames_and_mkdirs(BDRVVVFATState* s)
+ fprintf(stderr, "handle_renames\n");
+ for (i = 0; i < s->commits.next; i++) {
+ commit_t* commit = array_get(&(s->commits), i);
+- fprintf(stderr, "%d, %s (%d, %d)\n", i, commit->path ? commit->path : "(null)", commit->param.rename.cluster, commit->action);
++ fprintf(stderr, "%d, %s (%u, %d)\n", i,
++ commit->path ? commit->path : "(null)",
++ commit->param.rename.cluster, commit->action);
+ }
+ #endif
+
+--
+2.23.0
+
diff --git a/elf2dmp-Fix-memory-leak-on-main-error-paths.patch b/elf2dmp-Fix-memory-leak-on-main-error-paths.patch
new file mode 100644
index 0000000000000000000000000000000000000000..edebe32fa9fc30d9987fbd918082505a9d2e7058
--- /dev/null
+++ b/elf2dmp-Fix-memory-leak-on-main-error-paths.patch
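Review bot: The print_direntry hunk fixes the missing space after the comma in `fprintf(stderr,"…` but leaves the identical checkpatch violation three lines below, on the context line `begin_of_direntry(direntry),le32_to_cpu(direntry->size));`; since the commit message cites that exact "space required after that ','" error, that line could be touched in the same patch, as `begin_of_direntry(direntry), le32_to_cpu(direntry->size));`. In clear_commits, `s->commits.next` is now printed with `%u`, which implies it is unsigned, yet the loop counter compared against it on the next context line is still `int i;`, so a signed/unsigned comparison remains (pre-existing, not introduced here). print_direntry, print_mapping, clear_commits and handle_renames_and_mkdirs all begin outside their hunks.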
@@ -0,0 +1,41 @@
+From 1f63f8c20a4cb7b752981ef07b2614bbea828b30 Mon Sep 17 00:00:00 2001
+From: AlexChen
+Date: Wed, 26 Aug 2020 18:15:53 +0800
+Subject: [PATCH] elf2dmp: Fix memory leak on main() error paths
+
+The 'kdgb' is allocating memory in get_kdbg(), but it is not freed
+in both fill_header() and fill_context() failed branches, fix it.
+
+Signed-off-by: AlexChen
+Reviewed-by: Li Qiang
+Reviewed-by: Viktor Prutyanov
+Reviewed-by: Thomas Huth
+Message-Id: <5F463659.8080101@huawei.com>
+Signed-off-by: Laurent Vivier
+(cherry-picked from commit 885538fdc9)
+---
+ contrib/elf2dmp/main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/contrib/elf2dmp/main.c b/contrib/elf2dmp/main.c
+index 9a2dbc2902..ac746e49e0 100644
+--- a/contrib/elf2dmp/main.c
++++ b/contrib/elf2dmp/main.c
+@@ -568,12 +568,12 @@ int main(int argc, char *argv[])
+ if (fill_header(&header, &ps, &vs, KdDebuggerDataBlock, kdbg,
+ KdVersionBlock, qemu_elf.state_nr)) {
+ err = 1;
+- goto out_pdb;
++ goto out_kdbg;
+ }
+
+ if (fill_context(kdbg, &vs, &qemu_elf)) {
+ err = 1;
+- goto out_pdb;
++ goto out_kdbg;
+ }
+
+ if (write_dump(&ps, &header, argv[2])) {
+--
+2.23.0
+
diff --git a/hw-display-exynos4210_fimd-Fix-potential-NULL-pointe.patch b/hw-display-exynos4210_fimd-Fix-potential-NULL-pointe.patch
new file mode 100644
index 0000000000000000000000000000000000000000..023867edc7985a8df18a4c7fa1434e64e13556ab
--- /dev/null
+++ b/hw-display-exynos4210_fimd-Fix-potential-NULL-pointe.patch
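Review bot: Both error paths now jump to `out_kdbg`, but neither that label nor the `out_pdb` label they previously used is inside the hunk; the fix releases everything only if `out_kdbg:` sits before `out_pdb:` in main()'s cleanup chain and falls through into it, so the PDB and whatever `out_pdb` itself reaches are still released — please confirm the label order. The `write_dump()` failure branch that starts on the last context line is not shown either; if it still uses `goto out_pdb` it leaks `kdbg` in exactly the same way and should be retargeted too. main() begins and ends outside this hunk.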
@@ -0,0 +1,46 @@
+From b47d7ad29bc7f30d4ea3fdb0ef86942468416b79 Mon Sep 17 00:00:00 2001
+From: AlexChen
+Date: Mon, 2 Nov 2020 16:52:17 +0000
+Subject: [PATCH] hw/display/exynos4210_fimd: Fix potential NULL pointer
+ dereference
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+In exynos4210_fimd_update(), the pointer s is dereferinced before
+being check if it is valid, which may lead to NULL pointer dereference.
+So move the assignment to global_width after checking that the s is valid.
+
+Reported-by: Euler Robot
+Signed-off-by: Alex Chen
+Reviewed-by: Philippe Mathieu-Daudé
+Message-id: 5F9F8D88.9030102@huawei.com
+Signed-off-by: Peter Maydell
+(cherry-picked from commit 18520fa465)
+---
+ hw/display/exynos4210_fimd.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/hw/display/exynos4210_fimd.c b/hw/display/exynos4210_fimd.c
+index 61f7408b1c..85b0ebf23a 100644
+--- a/hw/display/exynos4210_fimd.c
++++ b/hw/display/exynos4210_fimd.c
+@@ -1271,12 +1271,14 @@ static void exynos4210_fimd_update(void *opaque)
+ bool blend = false;
+ uint8_t *host_fb_addr;
+ bool is_dirty = false;
+- const int global_width = (s->vidtcon[2] & FIMD_VIDTCON2_SIZE_MASK) + 1;
++ int global_width;
+
+ if (!s || !s->console || !s->enabled ||
+ surface_bits_per_pixel(qemu_console_surface(s->console)) == 0) {
+ return;
+ }
++
++ global_width = (s->vidtcon[2] & FIMD_VIDTCON2_SIZE_MASK) + 1;
+ exynos4210_update_resolution(s);
+ surface = qemu_console_surface(s->console);
+
+--
+2.23.0
+
diff --git a/hw-display-omap_lcdc-Fix-potential-NULL-pointer-dere.patch b/hw-display-omap_lcdc-Fix-potential-NULL-pointer-dere.patch
new file mode 100644
index 0000000000000000000000000000000000000000..778205613932669f01d39c0b57503d95fcef4e8b
--- /dev/null
+++ b/hw-display-omap_lcdc-Fix-potential-NULL-pointer-dere.patch
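Review bot: Moving the computation below the guard also drops the `const` qualifier, so `global_width` is now an uninitialized `int` declared at the top of exynos4210_fimd_update() and assigned in one place further down, which separates the declaration from its only assignment and loses the compiler's help in keeping the value immutable. If the project's coding style permits a declaration at the point of use, the cleaner form is to delete the top-of-block declaration and write `const int global_width = (s->vidtcon[2] & FIMD_VIDTCON2_SIZE_MASK) + 1;` where the assignment now sits; the `DisplaySurface *surface;` introduced by the omap_lcdc patch below has the same shape and could likewise become `DisplaySurface *surface = qemu_console_surface(omap_lcd->con);` after its guard. The enclosing function begins and continues outside this hunk.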
@@ -0,0 +1,49 @@
+From 38697076a98034a078c2411234b8979cf3cec6da Mon Sep 17 00:00:00 2001
+From: AlexChen
+Date: Mon, 2 Nov 2020 16:52:17 +0000
+Subject: [PATCH] hw/display/omap_lcdc: Fix potential NULL pointer dereference
+
+In omap_lcd_interrupts(), the pointer omap_lcd is dereferinced before
+being check if it is valid, which may lead to NULL pointer dereference.
+So move the assignment to surface after checking that the omap_lcd is valid
+and move surface_bits_per_pixel(surface) to after the surface assignment.
+
+Reported-by: Euler Robot
+Signed-off-by: AlexChen
+Message-id: 5F9CDB8A.9000001@huawei.com
+Reviewed-by: Peter Maydell
+Signed-off-by: Peter Maydell
+(cherry-picked from commit 0080edc45e)
+---
+ hw/display/omap_lcdc.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/hw/display/omap_lcdc.c b/hw/display/omap_lcdc.c
+index 07a5effe04..13ab73ec61 100644
+--- a/hw/display/omap_lcdc.c
++++ b/hw/display/omap_lcdc.c
+@@ -77,14 +77,18 @@ static void omap_lcd_interrupts(struct omap_lcd_panel_s *s)
+ static void omap_update_display(void *opaque)
+ {
+ struct omap_lcd_panel_s *omap_lcd = (struct omap_lcd_panel_s *) opaque;
+- DisplaySurface *surface = qemu_console_surface(omap_lcd->con);
++ DisplaySurface *surface;
+ draw_line_func draw_line;
+ int size, height, first, last;
+ int width, linesize, step, bpp, frame_offset;
+ hwaddr frame_base;
+
+- if (!omap_lcd || omap_lcd->plm == 1 || !omap_lcd->enable ||
+- !surface_bits_per_pixel(surface)) {
++ if (!omap_lcd || omap_lcd->plm == 1 || !omap_lcd->enable) {
++ return;
++ }
++
++ surface = qemu_console_surface(omap_lcd->con);
++ if (!surface_bits_per_pixel(surface)) {
+ return;
+ }
+
+--
+2.23.0
+
diff --git a/io-Don-t-use-flag-of-printf-format.patch b/io-Don-t-use-flag-of-printf-format.patch
new file mode 100644
index 0000000000000000000000000000000000000000..8b2a956894d6395350446a2e97768ca70d2d3fab
--- /dev/null
+++ b/io-Don-t-use-flag-of-printf-format.patch
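Review bot: The commit message attributes the change to omap_lcd_interrupts(), but the hunk edits omap_update_display(); omap_lcd_interrupts only appears in the hunk-header context because it is the function that precedes the changed one. The first sentence of the description should read `In omap_update_display(), the pointer omap_lcd is dereferenced before being checked for validity, which may lead to a NULL pointer dereference.` so that the changelog and `git log` name the right function (this also fixes the "dereferinced" / "being check" wording). The body of omap_update_display() continues past the end of the hunk.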
@@ -0,0 +1,32 @@
+From 0aa003cd0e117cb160da7d4b6e50630bf2fedfd6 Mon Sep 17 00:00:00 2001
+From: AlexChen
+Date: Mon, 19 Oct 2020 20:12:02 +0800
+Subject: [PATCH] io: Don't use '#' flag of printf format
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reviewed-by: Philippe Mathieu-Daudé
+Signed-off-by: AlexChen
+Signed-off-by: Daniel P. Berrangé
+(cherry-picked from commit 77b7829e75)
+---
+ io/channel-websock.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/io/channel-websock.c b/io/channel-websock.c
+index fc36d44eba..d48a929e49 100644
+--- a/io/channel-websock.c
++++ b/io/channel-websock.c
+@@ -734,7 +734,7 @@ static int qio_channel_websock_decode_header(QIOChannelWebsock *ioc,
+ opcode != QIO_CHANNEL_WEBSOCK_OPCODE_CLOSE &&
+ opcode != QIO_CHANNEL_WEBSOCK_OPCODE_PING &&
+ opcode != QIO_CHANNEL_WEBSOCK_OPCODE_PONG) {
+- error_setg(errp, "unsupported opcode: %#04x; only binary, close, "
++ error_setg(errp, "unsupported opcode: 0x%04x; only binary, close, "
+ "ping, and pong websocket frames are supported", opcode);
+ qio_channel_websock_write_close(
+ ioc, QIO_CHANNEL_WEBSOCK_STATUS_INVALID_DATA ,
+--
+2.23.0
+
diff --git a/net-l2tpv3-Remove-redundant-check-in-net_init_l2tpv3.patch b/net-l2tpv3-Remove-redundant-check-in-net_init_l2tpv3.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7617a2eac8aada998bb0b476af13d32fccfdd14b
--- /dev/null
+++ b/net-l2tpv3-Remove-redundant-check-in-net_init_l2tpv3.patch
@@ -0,0 +1,46 @@
+From cb6048ace290e770b0ec1a6011209192541d3e8a Mon Sep 17 00:00:00 2001
+From: AlexChen
+Date: Fri, 30 Oct 2020 10:46:55 +0800
+Subject: [PATCH] net/l2tpv3: Remove redundant check in net_init_l2tpv3()
+
+The result has been checked to be NULL before, it cannot be NULL here,
+so the check is redundant. Remove it.
+
+Reported-by: Euler Robot
+Signed-off-by: AlexChen
+Signed-off-by: Jason Wang
+(cherry-picked from commit d949fe64b0)
+---
+ net/l2tpv3.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/net/l2tpv3.c b/net/l2tpv3.c
+index 55fea17c0f..e4d4218db6 100644
+--- a/net/l2tpv3.c
++++ b/net/l2tpv3.c
+@@ -655,9 +655,8 @@ int net_init_l2tpv3(const Netdev *netdev,
+ error_setg(errp, "could not bind socket err=%i", errno);
+ goto outerr;
+ }
+- if (result) {
+- freeaddrinfo(result);
+- }
++
++ freeaddrinfo(result);
+
+ memset(&hints, 0, sizeof(hints));
+
+@@ -686,9 +685,7 @@ int net_init_l2tpv3(const Netdev *netdev,
+ memcpy(s->dgram_dst, result->ai_addr, result->ai_addrlen);
+ s->dst_size = result->ai_addrlen;
+
+- if (result) {
+- freeaddrinfo(result);
+- }
++ freeaddrinfo(result);
+
+ if (l2tpv3->has_counter && l2tpv3->counter) {
+ s->has_counter = true;
+--
+2.23.0
+
diff --git a/qemu.spec b/qemu.spec
index 6371fd0d490d1048c201c6c16c65e39cb685521c..f06e31c9a05182f580031c350248091968ff3e07 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -1,6 +1,6 @@
 Name: qemu
 Version: 4.1.0
-Release: 27
+Release: 28
 Epoch: 2
 Summary: QEMU is a generic and open source machine emulator and virtualizer
 License: GPLv2 and BSD and MIT and CC-BY
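Review bot: After the first `freeaddrinfo(result);` the variable `result` still holds the freed pointer until the next `getaddrinfo()` reassigns it, and that call, as well as the `outerr` cleanup, is outside the hunk, so any `freeaddrinfo(result)` reached on an error path in between would be a double free; the removed `if (result)` check never protected against that either, since a dangling pointer is non-NULL. If `outerr` or any code between the two sites can free `result`, follow the call with `result = NULL;`; the second site in the `@@ -686` hunk has the same shape, although there the function may simply end. net_init_l2tpv3() begins and ends outside these hunks.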
@@ -240,6 +240,14 @@ Patch0227: sm501-Clean-up-local-variables-in-sm501_2d_operation.patch
 Patch0228: sm501-Replace-hand-written-implementation-with-pixma.patch
 Patch0229: pci-check-bus-pointer-before-dereference.patch
 Patch0230: hw-ide-check-null-block-before-_cancel_dma_sync.patch
+Patch0231: elf2dmp-Fix-memory-leak-on-main-error-paths.patch
+Patch0232: io-Don-t-use-flag-of-printf-format.patch
+Patch0233: hw-display-omap_lcdc-Fix-potential-NULL-pointer-dere.patch
+Patch0234: hw-display-exynos4210_fimd-Fix-potential-NULL-pointe.patch
+Patch0235: block-vvfat-Fix-bad-printf-format-specifiers.patch
+Patch0236: block-Remove-unused-include.patch
+Patch0237: ssi-Fix-bad-printf-format-specifiers.patch
+Patch0238: net-l2tpv3-Remove-redundant-check-in-net_init_l2tpv3.patch
 
 BuildRequires: flex
 BuildRequires: bison
@@ -586,6 +594,16 @@ getent passwd qemu >/dev/null || \
 %endif
 
 %changelog
+* Fri Oct 30 2020 Huawei Technologies Co., Ltd
+- elf2dmp: Fix memory leak on main() error paths
+- io: Don't use '#' flag of printf format
+- hw/display/omap_lcdc: Fix potential NULL pointer dereference
+- hw/display/exynos4210_fimd: Fix potential NULL pointer dereference
+- block/vvfat: Fix bad printf format specifiers
+- block: Remove unused include
+- ssi: Fix bad printf format specifiers
+- net/l2tpv3: Remove redundant check in net_init_l2tpv3()
+
 * Wed Oct 14 2020 Prasad J Pandit
 - pci: check bus pointer before dereference
 - hw/ide: check null block before _cancel_dma_sync
diff --git a/ssi-Fix-bad-printf-format-specifiers.patch b/ssi-Fix-bad-printf-format-specifiers.patch
new file mode 100644
index 0000000000000000000000000000000000000000..814618c8d98980bdfec55449b0675ac6e71c2f90
--- /dev/null
+++ b/ssi-Fix-bad-printf-format-specifiers.patch
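Review bot: Patch0231 through Patch0238 are declared, but nothing in this diff applies them: the `%prep` section is not part of the change. Unless the spec uses `%autosetup`/`%autopatch` or a loop over every `Patch` tag (not visible here), each new tag needs a matching `%patch0231 -p1` … `%patch0238 -p1` line, otherwise the build silently ships without the fixes the new changelog entry claims. Worth confirming against the `%prep` section before merging.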
@@ -0,0 +1,48 @@
+From 073457a45eaccd2beac3c94c53a449b8f683501e Mon Sep 17 00:00:00 2001
+From: AlexChen
+Date: Wed, 4 Nov 2020 18:22:45 +0800
+Subject: [PATCH] ssi: Fix bad printf format specifiers
+
+We should use printf format specifier "%u" instead of "%d" for
+argument of type "unsigned int".
+
+Reported-by: Euler Robot
+Signed-off-by: Alex Chen
+Reviewed-by: Alistair Francis
+Message-id: 5FA280F5.8060902@huawei.com
+Signed-off-by: Peter Maydell
+(cherry-picked from commit 9df0a97298)
+---
+ hw/ssi/imx_spi.c | 2 +-
+ hw/ssi/xilinx_spi.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/hw/ssi/imx_spi.c b/hw/ssi/imx_spi.c
+index 5cec9b5d05..0b3052bdf9 100644
+--- a/hw/ssi/imx_spi.c
++++ b/hw/ssi/imx_spi.c
+@@ -52,7 +52,7 @@ static const char *imx_spi_reg_name(uint32_t reg)
+ case ECSPI_MSGDATA:
+ return "ECSPI_MSGDATA";
+ default:
+- sprintf(unknown, "%d ?", reg);
++ sprintf(unknown, "%u ?", reg);
+ return unknown;
+ }
+ }
+diff --git a/hw/ssi/xilinx_spi.c b/hw/ssi/xilinx_spi.c
+index 1379cb164b..d2b69d027a 100644
+--- a/hw/ssi/xilinx_spi.c
++++ b/hw/ssi/xilinx_spi.c
+@@ -139,7 +139,7 @@ static void xlx_spi_update_irq(XilinxSPI *s)
+ irq chain unless things really changed. */
+ if (pending != s->irqline) {
+ s->irqline = pending;
+- DB_PRINT("irq_change of state %d ISR:%x IER:%X\n",
++ DB_PRINT("irq_change of state %u ISR:%x IER:%X\n",
+ pending, s->regs[R_IPISR], s->regs[R_IPIER]);
+ qemu_set_irq(s->irq, pending);
+ }
+--
+2.23.0
+
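Review bot: `sprintf(unknown, "%u ?", reg);` is still an unbounded write into `unknown`, whose declaration is above the hunk; changing the specifier only moves the worst case from 11 characters to 10, so the reader still has to verify by hand that `unknown` holds at least 13 bytes. Since the line is being rewritten anyway, `snprintf(unknown, sizeof(unknown), "%u ?", reg);` makes the bound explicit — valid provided `unknown` is an array rather than a pointer, which the declaration outside the hunk should confirm. In the xilinx_spi hunk `pending` is now printed with `%u`; its declared type is not visible, so check it really is unsigned and not `int`/`bool`. imx_spi_reg_name() and xlx_spi_update_irq() both start outside their hunks.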