From 4460431c78dd521ed3a00952a10ffe7df417f02d Mon Sep 17 00:00:00 2001 From: "Huawei Technologies Co., Ltd" Date: Tue, 15 Sep 2020 23:52:59 +0530 Subject: [PATCH 1/8] hw: usb: hcd-ohci: check for processed TD before retire While servicing OHCI transfer descriptors(TD), ohci_service_iso_td retires a TD if it has passed its time frame. It does not check if the TD was already processed once and holds an error code in TD_CC. It may happen if the TD list has a loop. Add check to avoid an infinite loop condition. Signed-off-by: Prasad J Pandit Reviewed-by: Li Qiang Message-id: 20200915182259.68522-3-ppandit@redhat.com Signed-off-by: Gerd Hoffmann (cherry-picked from 1be90ebe) Fix CVE-2020-25625 Signed-off-by: Alex Chen --- ...check-for-processed-TD-before-retire.patch | 40 +++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 hw-usb-hcd-ohci-check-for-processed-TD-before-retire.patch diff --git a/hw-usb-hcd-ohci-check-for-processed-TD-before-retire.patch b/hw-usb-hcd-ohci-check-for-processed-TD-before-retire.patch new file mode 100644 index 0000000..25daaa0 --- /dev/null +++ b/hw-usb-hcd-ohci-check-for-processed-TD-before-retire.patch @@ -0,0 +1,40 @@ +From 166e8d4c20e198e06b89f327c3f3f5235de5ec05 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Tue, 15 Sep 2020 23:52:59 +0530 +Subject: [PATCH] hw: usb: hcd-ohci: check for processed TD before retire + +While servicing OHCI transfer descriptors(TD), ohci_service_iso_td +retires a TD if it has passed its time frame. It does not check if +the TD was already processed once and holds an error code in TD_CC. +It may happen if the TD list has a loop. Add check to avoid an +infinite loop condition. + +Signed-off-by: Prasad J Pandit +Reviewed-by: Li Qiang +Message-id: 20200915182259.68522-3-ppandit@redhat.com +Signed-off-by: Gerd Hoffmann +(cherry-picked from 1be90ebe) +Fix CVE-2020-25625 +Signed-off-by: Alex Chen +--- + hw/usb/hcd-ohci.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c +index 4f6fdbc0a7..ffe52a09d7 100644 +--- a/hw/usb/hcd-ohci.c ++++ b/hw/usb/hcd-ohci.c +@@ -689,6 +689,10 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed, + the next ISO TD of the same ED */ + trace_usb_ohci_iso_td_relative_frame_number_big(relative_frame_number, + frame_count); ++ if (OHCI_CC_DATAOVERRUN == OHCI_BM(iso_td.flags, TD_CC)) { ++ /* avoid infinite loop */ ++ return 1; ++ } + OHCI_SET_BM(iso_td.flags, TD_CC, OHCI_CC_DATAOVERRUN); + ed->head &= ~OHCI_DPTR_MASK; + ed->head |= (iso_td.next & OHCI_DPTR_MASK); +-- +2.27.0 + -- Gitee From ab32524f82991298249a4e04fcd1e2ca328424cf Mon Sep 17 00:00:00 2001 From: "Huawei Technologies Co., Ltd" Date: Wed, 12 Aug 2020 09:17:27 -0700 Subject: [PATCH 2/8] hw: ehci: check return value of 'usb_packet_map' If 'usb_packet_map' fails, we should stop to process the usb request. Signed-off-by: Li Qiang Message-Id: <20200812161727.29412-1-liq3ea@163.com> Signed-off-by: Gerd Hoffmann (cherry-picked from 2fdb42d8) Fix CVE-2020-25723 Signed-off-by: Alex Chen --- ...check-return-value-of-usb_packet_map.patch | 49 +++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 hw-ehci-check-return-value-of-usb_packet_map.patch diff --git a/hw-ehci-check-return-value-of-usb_packet_map.patch b/hw-ehci-check-return-value-of-usb_packet_map.patch new file mode 100644 index 0000000..b868faf --- /dev/null +++ b/hw-ehci-check-return-value-of-usb_packet_map.patch @@ -0,0 +1,49 @@ +From e76104208de1f846860c92bb4a8a971825853ed4 Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Wed, 12 Aug 2020 09:17:27 -0700 +Subject: [PATCH] hw: ehci: check return value of 'usb_packet_map' + +If 'usb_packet_map' fails, we should stop to process the usb +request. + +Signed-off-by: Li Qiang +Message-Id: <20200812161727.29412-1-liq3ea@163.com> +Signed-off-by: Gerd Hoffmann +(cherry-picked from 2fdb42d8) +Fix CVE-2020-25723 +Signed-off-by: Alex Chen +--- + hw/usb/hcd-ehci.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c +index 5f089f3005..433e6a4fc0 100644 +--- a/hw/usb/hcd-ehci.c ++++ b/hw/usb/hcd-ehci.c +@@ -1370,7 +1370,10 @@ static int ehci_execute(EHCIPacket *p, const char *action) + spd = (p->pid == USB_TOKEN_IN && NLPTR_TBIT(p->qtd.altnext) == 0); + usb_packet_setup(&p->packet, p->pid, ep, 0, p->qtdaddr, spd, + (p->qtd.token & QTD_TOKEN_IOC) != 0); +- usb_packet_map(&p->packet, &p->sgl); ++ if (usb_packet_map(&p->packet, &p->sgl)) { ++ qemu_sglist_destroy(&p->sgl); ++ return -1; ++ } + p->async = EHCI_ASYNC_INITIALIZED; + } + +@@ -1449,7 +1452,10 @@ static int ehci_process_itd(EHCIState *ehci, + if (ep && ep->type == USB_ENDPOINT_XFER_ISOC) { + usb_packet_setup(&ehci->ipacket, pid, ep, 0, addr, false, + (itd->transact[i] & ITD_XACT_IOC) != 0); +- usb_packet_map(&ehci->ipacket, &ehci->isgl); ++ if (usb_packet_map(&ehci->ipacket, &ehci->isgl)) { ++ qemu_sglist_destroy(&ehci->isgl); ++ return -1; ++ } + usb_handle_packet(dev, &ehci->ipacket); + usb_packet_unmap(&ehci->ipacket, &ehci->isgl); + } else { +-- +2.27.0 + -- Gitee From de9ab2e94ef50d217f1db3a838ac4fecb3335894 Mon Sep 17 00:00:00 2001 From: "Huawei Technologies Co., Ltd" Date: Tue, 15 Sep 2020 23:52:58 +0530 Subject: [PATCH 3/8] hw: usb: hcd-ohci: check len and frame_number variables While servicing the OHCI transfer descriptors(TD), OHCI host controller derives variables 'start_addr', 'end_addr', 'len' etc. from values supplied by the host controller driver. Host controller driver may supply values such that using above variables leads to out-of-bounds access issues. Add checks to avoid them. AddressSanitizer: stack-buffer-overflow on address 0x7ffd53af76a0 READ of size 2 at 0x7ffd53af76a0 thread T0 #0 ohci_service_iso_td ../hw/usb/hcd-ohci.c:734 #1 ohci_service_ed_list ../hw/usb/hcd-ohci.c:1180 #2 ohci_process_lists ../hw/usb/hcd-ohci.c:1214 #3 ohci_frame_boundary ../hw/usb/hcd-ohci.c:1257 #4 timerlist_run_timers ../util/qemu-timer.c:572 #5 qemu_clock_run_timers ../util/qemu-timer.c:586 #6 qemu_clock_run_all_timers ../util/qemu-timer.c:672 #7 main_loop_wait ../util/main-loop.c:527 #8 qemu_main_loop ../softmmu/vl.c:1676 #9 main ../softmmu/main.c:50 Reported-by: Gaoning Pan Reported-by: Yongkang Jia Reported-by: Yi Ren Signed-off-by: Prasad J Pandit Message-id: 20200915182259.68522-2-ppandit@redhat.com Signed-off-by: Gerd Hoffmann (cherry-picked from 1328fe0c) Fix CVE-2020-25624 Signed-off-by: Alex Chen --- ...check-len-and-frame_number-variables.patch | 99 +++++++++++++++++++ 1 file changed, 99 insertions(+) create mode 100644 hw-usb-hcd-ohci-check-len-and-frame_number-variables.patch diff --git a/hw-usb-hcd-ohci-check-len-and-frame_number-variables.patch b/hw-usb-hcd-ohci-check-len-and-frame_number-variables.patch new file mode 100644 index 0000000..ef80fa0 --- /dev/null +++ b/hw-usb-hcd-ohci-check-len-and-frame_number-variables.patch @@ -0,0 +1,99 @@ +From b25f8db25fb3bcf04dcf9d72cab668260093fe18 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Tue, 15 Sep 2020 23:52:58 +0530 +Subject: [PATCH] hw: usb: hcd-ohci: check len and frame_number variables + +While servicing the OHCI transfer descriptors(TD), OHCI host +controller derives variables 'start_addr', 'end_addr', 'len' +etc. from values supplied by the host controller driver. +Host controller driver may supply values such that using +above variables leads to out-of-bounds access issues. +Add checks to avoid them. + +AddressSanitizer: stack-buffer-overflow on address 0x7ffd53af76a0 + READ of size 2 at 0x7ffd53af76a0 thread T0 + #0 ohci_service_iso_td ../hw/usb/hcd-ohci.c:734 + #1 ohci_service_ed_list ../hw/usb/hcd-ohci.c:1180 + #2 ohci_process_lists ../hw/usb/hcd-ohci.c:1214 + #3 ohci_frame_boundary ../hw/usb/hcd-ohci.c:1257 + #4 timerlist_run_timers ../util/qemu-timer.c:572 + #5 qemu_clock_run_timers ../util/qemu-timer.c:586 + #6 qemu_clock_run_all_timers ../util/qemu-timer.c:672 + #7 main_loop_wait ../util/main-loop.c:527 + #8 qemu_main_loop ../softmmu/vl.c:1676 + #9 main ../softmmu/main.c:50 + +Reported-by: Gaoning Pan +Reported-by: Yongkang Jia +Reported-by: Yi Ren +Signed-off-by: Prasad J Pandit +Message-id: 20200915182259.68522-2-ppandit@redhat.com +Signed-off-by: Gerd Hoffmann +(cherry-picked from 1328fe0c) +Fix CVE-2020-25624 +Signed-off-by: Alex Chen +--- + hw/usb/hcd-ohci.c | 24 ++++++++++++++++++++++-- + 1 file changed, 22 insertions(+), 2 deletions(-) + +diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c +index ffe52a09d7..d2dd8efd58 100644 +--- a/hw/usb/hcd-ohci.c ++++ b/hw/usb/hcd-ohci.c +@@ -733,7 +733,11 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed, + } + + start_offset = iso_td.offset[relative_frame_number]; +- next_offset = iso_td.offset[relative_frame_number + 1]; ++ if (relative_frame_number < frame_count) { ++ next_offset = iso_td.offset[relative_frame_number + 1]; ++ } else { ++ next_offset = iso_td.be; ++ } + + if (!(OHCI_BM(start_offset, TD_PSW_CC) & 0xe) || + ((relative_frame_number < frame_count) && +@@ -766,7 +770,12 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed, + } + } else { + /* Last packet in the ISO TD */ +- end_addr = iso_td.be; ++ end_addr = next_offset; ++ } ++ ++ if (start_addr > end_addr) { ++ trace_usb_ohci_iso_td_bad_cc_overrun(start_addr, end_addr); ++ return 1; + } + + if ((start_addr & OHCI_PAGE_MASK) != (end_addr & OHCI_PAGE_MASK)) { +@@ -775,6 +784,9 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed, + } else { + len = end_addr - start_addr + 1; + } ++ if (len > sizeof(ohci->usb_buf)) { ++ len = sizeof(ohci->usb_buf); ++ } + + if (len && dir != OHCI_TD_DIR_IN) { + if (ohci_copy_iso_td(ohci, start_addr, end_addr, ohci->usb_buf, len, +@@ -977,8 +989,16 @@ static int ohci_service_td(OHCIState *ohci, struct ohci_ed *ed) + if ((td.cbp & 0xfffff000) != (td.be & 0xfffff000)) { + len = (td.be & 0xfff) + 0x1001 - (td.cbp & 0xfff); + } else { ++ if (td.cbp > td.be) { ++ trace_usb_ohci_iso_td_bad_cc_overrun(td.cbp, td.be); ++ ohci_die(ohci); ++ return 1; ++ } + len = (td.be - td.cbp) + 1; + } ++ if (len > sizeof(ohci->usb_buf)) { ++ len = sizeof(ohci->usb_buf); ++ } + + pktlen = len; + if (len && dir != OHCI_TD_DIR_IN) { +-- +2.27.0 + -- Gitee From 7d09c8312b7be50ee7eec0b4f40640fbd6c98612 Mon Sep 17 00:00:00 2001 From: "Huawei Technologies Co., Ltd" Date: Wed, 11 Nov 2020 18:36:36 +0530 Subject: [PATCH 4/8] hw/net/e1000e: advance desc_offset in case of null descriptor While receiving packets via e1000e_write_packet_to_guest() routine, 'desc_offset' is advanced only when RX descriptor is processed. And RX descriptor is not processed if it has NULL buffer address. This may lead to an infinite loop condition. Increament 'desc_offset' to process next descriptor in the ring to avoid infinite loop. Reported-by: Cheol-woo Myung <330cjfdn@gmail.com> Signed-off-by: Prasad J Pandit Signed-off-by: Jason Wang (cherry-picked from c2cb5116) Fix CVE-2020-28916 Signed-off-by: Alex Chen --- ...vance-desc_offset-in-case-of-null-de.patch | 46 +++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100644 hw-net-e1000e-advance-desc_offset-in-case-of-null-de.patch diff --git a/hw-net-e1000e-advance-desc_offset-in-case-of-null-de.patch b/hw-net-e1000e-advance-desc_offset-in-case-of-null-de.patch new file mode 100644 index 0000000..788feaf --- /dev/null +++ b/hw-net-e1000e-advance-desc_offset-in-case-of-null-de.patch @@ -0,0 +1,46 @@ +From 158d551519727800e9f4d88547bde883045b7673 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Wed, 11 Nov 2020 18:36:36 +0530 +Subject: [PATCH] hw/net/e1000e: advance desc_offset in case of null descriptor + +While receiving packets via e1000e_write_packet_to_guest() routine, +'desc_offset' is advanced only when RX descriptor is processed. And +RX descriptor is not processed if it has NULL buffer address. +This may lead to an infinite loop condition. Increament 'desc_offset' +to process next descriptor in the ring to avoid infinite loop. + +Reported-by: Cheol-woo Myung <330cjfdn@gmail.com> +Signed-off-by: Prasad J Pandit +Signed-off-by: Jason Wang +(cherry-picked from c2cb5116) +Fix CVE-2020-28916 +Signed-off-by: Alex Chen +--- + hw/net/e1000e_core.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/hw/net/e1000e_core.c b/hw/net/e1000e_core.c +index 2a221c2ef9..e45d47f584 100644 +--- a/hw/net/e1000e_core.c ++++ b/hw/net/e1000e_core.c +@@ -1595,13 +1595,13 @@ e1000e_write_packet_to_guest(E1000ECore *core, struct NetRxPkt *pkt, + (const char *) &fcs_pad, e1000x_fcs_len(core->mac)); + } + } +- desc_offset += desc_size; +- if (desc_offset >= total_size) { +- is_last = true; +- } + } else { /* as per intel docs; skip descriptors with null buf addr */ + trace_e1000e_rx_null_descriptor(); + } ++ desc_offset += desc_size; ++ if (desc_offset >= total_size) { ++ is_last = true; ++ } + + e1000e_write_rx_descr(core, desc, is_last ? core->rx_pkt : NULL, + rss_info, do_ps ? ps_hdr_len : 0, &bastate.written); +-- +2.27.0 + -- Gitee From 5fda57949aef0d393ffed78e9b1893ab8a7e4995 Mon Sep 17 00:00:00 2001 From: Euler Robot Date: Tue, 15 Dec 2020 21:27:17 +0800 Subject: [PATCH 5/8] spec: Update patch and changelog with !54 hw: usb: hcd-ohci: check for processed TD before retire hw: ehci: check return value of 'usb_packet_map' hw: usb: hcd-ohci: check len and frame_number variables hw/net/e1000e: advance desc_offset in case of null descriptor Signed-off-by: Alex Chen --- qemu.spec | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/qemu.spec b/qemu.spec index 6cbdc1a..f7a4d43 100644 --- a/qemu.spec +++ b/qemu.spec @@ -308,6 +308,10 @@ Patch0295: ati-check-x-y-display-parameter-values.patch Patch0296: net-remove-an-assert-call-in-eth_get_gso_type.patch Patch0297: json-Fix-a-memleak-in-parse_pair.patch Patch0298: slirp-check-pkt_len-before-reading-protocol-header.patch +Patch0299: hw-usb-hcd-ohci-check-for-processed-TD-before-retire.patch +Patch0300: hw-ehci-check-return-value-of-usb_packet_map.patch +Patch0301: hw-usb-hcd-ohci-check-len-and-frame_number-variables.patch +Patch0302: hw-net-e1000e-advance-desc_offset-in-case-of-null-de.patch BuildRequires: flex BuildRequires: bison @@ -654,6 +658,12 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Wed Nov 11 2020 Huawei Technologies Co., Ltd +- hw: usb: hcd-ohci: check for processed TD before retire +- hw: ehci: check return value of 'usb_packet_map' +- hw: usb: hcd-ohci: check len and frame_number variables +- hw/net/e1000e: advance desc_offset in case of null descriptor + * Fri Dec 11 2020 Huawei Technologies Co., Ltd - slirp: check pkt_len before reading protocol header for fixing CVE-2020-29129 and CVE-2020-29130 -- Gitee From b40c886594f74896298d8ef87bcf9040bc84ac37 Mon Sep 17 00:00:00 2001 From: "Huawei Technologies Co., Ltd" Date: Wed, 9 Dec 2020 19:35:08 +0800 Subject: [PATCH 6/8] target/arm: Fix write redundant values to kvm After modifying the value of a ID register, we'd better to try to write it to KVM so that we can known the value is acceptable for KVM. Because it may modify the registers' values of KVM, it's not suitable for other registers. Signed-off-by: Peng Liang --- ...rm-Fix-write-redundant-values-to-kvm.patch | 117 ++++++++++++++++++ 1 file changed, 117 insertions(+) create mode 100644 target-arm-Fix-write-redundant-values-to-kvm.patch diff --git a/target-arm-Fix-write-redundant-values-to-kvm.patch b/target-arm-Fix-write-redundant-values-to-kvm.patch new file mode 100644 index 0000000..ad6eacf --- /dev/null +++ b/target-arm-Fix-write-redundant-values-to-kvm.patch @@ -0,0 +1,117 @@ +From a0d7a9de807639fcfcbe1fe037cb8772d459a9cf Mon Sep 17 00:00:00 2001 +From: Peng Liang +Date: Wed, 9 Dec 2020 19:35:08 +0800 +Subject: [PATCH] target/arm: Fix write redundant values to kvm + +After modifying the value of a ID register, we'd better to try to write +it to KVM so that we can known the value is acceptable for KVM. +Because it may modify the registers' values of KVM, it's not suitable +for other registers. + +Signed-off-by: Peng Liang +--- + target/arm/helper.c | 73 ++++++++++++++++++++++++++++++--------------- + 1 file changed, 49 insertions(+), 24 deletions(-) + +diff --git a/target/arm/helper.c b/target/arm/helper.c +index b262f5d6c5..bddd355fa0 100644 +--- a/target/arm/helper.c ++++ b/target/arm/helper.c +@@ -252,6 +252,16 @@ static bool raw_accessors_invalid(const ARMCPRegInfo *ri) + return true; + } + ++static bool is_id_reg(const ARMCPRegInfo *ri) ++{ ++ /* ++ * (Op0, Op1, CRn, CRm, Op2) of ID registers is (3, 0, 0, crm, op2), ++ * where 1<=crm<8, 0<=op2<8. ++ */ ++ return ri->opc0 == 3 && ri->opc1 == 0 && ri->crn == 0 && ++ ri->crm > 0 && ri->crm < 8; ++} ++ + bool write_cpustate_to_list(ARMCPU *cpu, bool kvm_sync) + { + /* Write the coprocessor state from cpu->env to the (index,value) list. */ +@@ -268,38 +278,53 @@ bool write_cpustate_to_list(ARMCPU *cpu, bool kvm_sync) + ok = false; + continue; + } +- /* +- * (Op0, Op1, CRn, CRm, Op2) of ID registers is (3, 0, 0, crm, op2), +- * where 1<=crm<8, 0<=op2<8. Let's give ID registers a chance to +- * synchronize to kvm. +- */ +- if ((ri->type & ARM_CP_NO_RAW) && !(kvm_sync && +- ri->opc0 == 3 && ri->opc1 == 0 && ri->crn == 0 && ri->crm > 0)) { ++ if ((ri->type & ARM_CP_NO_RAW) && !(kvm_sync && is_id_reg(ri))) { + continue; + } + + newval = read_raw_cp_reg(&cpu->env, ri); + if (kvm_sync) { +- /* Only sync if we can sync to KVM successfully. */ +- uint64_t oldval; +- uint64_t kvmval; ++ if (is_id_reg(ri)) { ++ /* Only sync if we can sync to KVM successfully. */ ++ uint64_t oldval; ++ uint64_t kvmval; + +- if (kvm_arm_get_one_reg(cpu, cpu->cpreg_indexes[i], &oldval)) { +- continue; +- } +- if (oldval == newval) { +- continue; +- } ++ if (kvm_arm_get_one_reg(cpu, cpu->cpreg_indexes[i], &oldval)) { ++ continue; ++ } ++ if (oldval == newval) { ++ continue; ++ } + +- if (kvm_arm_set_one_reg(cpu, cpu->cpreg_indexes[i], &newval)) { +- continue; +- } +- if (kvm_arm_get_one_reg(cpu, cpu->cpreg_indexes[i], &kvmval) || +- kvmval != newval) { +- continue; +- } ++ if (kvm_arm_set_one_reg(cpu, cpu->cpreg_indexes[i], &newval)) { ++ continue; ++ } ++ if (kvm_arm_get_one_reg(cpu, cpu->cpreg_indexes[i], &kvmval) || ++ kvmval != newval) { ++ continue; ++ } ++ ++ kvm_arm_set_one_reg(cpu, cpu->cpreg_indexes[i], &oldval); ++ } else { ++ /* ++ * Only sync if the previous list->cpustate sync succeeded. ++ * Rather than tracking the success/failure state for every ++ * item in the list, we just recheck "does the raw write we must ++ * have made in write_list_to_cpustate() read back OK" here. ++ */ ++ uint64_t oldval = cpu->cpreg_values[i]; ++ ++ if (oldval == newval) { ++ continue; ++ } + +- kvm_arm_set_one_reg(cpu, cpu->cpreg_indexes[i], &oldval); ++ write_raw_cp_reg(&cpu->env, ri, oldval); ++ if (read_raw_cp_reg(&cpu->env, ri) != oldval) { ++ continue; ++ } ++ ++ write_raw_cp_reg(&cpu->env, ri, newval); ++ } + } + cpu->cpreg_values[i] = newval; + } +-- +2.27.0 + -- Gitee From fded1750c5912ee8ccb73fbd63032bc3684d25c3 Mon Sep 17 00:00:00 2001 From: Euler Robot Date: Tue, 15 Dec 2020 21:27:20 +0800 Subject: [PATCH 7/8] spec: Update patch and changelog with !48 target/arm: Fix write redundant values to kvm Signed-off-by: Alex Chen --- qemu.spec | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/qemu.spec b/qemu.spec index f7a4d43..03b114b 100644 --- a/qemu.spec +++ b/qemu.spec @@ -312,6 +312,7 @@ Patch0299: hw-usb-hcd-ohci-check-for-processed-TD-before-retire.patch Patch0300: hw-ehci-check-return-value-of-usb_packet_map.patch Patch0301: hw-usb-hcd-ohci-check-len-and-frame_number-variables.patch Patch0302: hw-net-e1000e-advance-desc_offset-in-case-of-null-de.patch +Patch0303: target-arm-Fix-write-redundant-values-to-kvm.patch BuildRequires: flex BuildRequires: bison @@ -658,6 +659,9 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Wed Dec 9 2020 Huawei Technologies Co., Ltd +- target/arm: Fix write redundant values to kvm + * Wed Nov 11 2020 Huawei Technologies Co., Ltd - hw: usb: hcd-ohci: check for processed TD before retire - hw: ehci: check return value of 'usb_packet_map' -- Gitee From c7c84ea52122dcd49ba06caff062b0fe92e334fe Mon Sep 17 00:00:00 2001 From: Euler Robot Date: Tue, 15 Dec 2020 21:27:20 +0800 Subject: [PATCH 8/8] spec: Update release version with !54 !48 increase release verison by one Signed-off-by: Euler Robot --- qemu.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/qemu.spec b/qemu.spec index 03b114b..1357f8d 100644 --- a/qemu.spec +++ b/qemu.spec @@ -1,6 +1,6 @@ Name: qemu Version: 4.1.0 -Release: 36 +Release: 37 Epoch: 2 Summary: QEMU is a generic and open source machine emulator and virtualizer License: GPLv2 and BSD and MIT and CC-BY -- Gitee