ati: use vga_read_byte in ati_cursor_define
sd: sdhci: assert data_count is within fifo_buffer
msix: add valid.accepts methods to check address
Signed-off-by: Alex Chen <alex.chen@huawei.com>
scsi-bus: Refactor the code that retries requests
scsi-disk: Add support for retry on errors
qapi/block-core: Add retry option for error action
block-backend: Introduce retry timer
block-backend: Add device specific retry callback
block-backend: Enable retry action on errors
block-backend: Add timeout support for retry
block: Add error retry param setting
virtio-blk: Refactor the code that processes queued requests
virtio-blk: On restart, process queued requests in the proper context
virtio_blk: Add support for retry on errors
Signed-off-by: Alex Chen <alex.chen@huawei.com>
hw: usb: hcd-ohci: check for processed TD before retire
hw: ehci: check return value of 'usb_packet_map'
hw: usb: hcd-ohci: check len and frame_number variables
hw/net/e1000e: advance desc_offset in case of null descriptor
Signed-off-by: Alex Chen <alex.chen@huawei.com>
While processing ARP/NCSI packets in 'arp_input' or 'ncsi_input'
routines, ensure that pkt_len is large enough to accommodate the
respective protocol headers, lest it should do an OOB access.
Add check to avoid it.
CVE-2020-29129 CVE-2020-29130
QEMU: slirp: out-of-bounds access while processing ARP/NCSI packets
-> https://www.openwall.com/lists/oss-security/2020/11/27/1
Reported-by: Qiuhao Li <Qiuhao.Li@outlook.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <20201126135706.273950-1-ppandit@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
(cherry-picked from 2e1dcbc0)
Signed-off-by: Alex Chen <alex.chen@huawei.com>
migration/tls: save hostname into MigrationState
migration/tls: extract migration_tls_client_create for common-use
migration/tls: add tls_hostname into MultiFDSendParams
migration/tls: extract cleanup function for common-use
migration/tls: add support for multifd tls-handshake
migration/tls: add trace points for multifd-tls
qemu-file: Don't do IO after shutdown
multifd: Make sure that we don't do any IO after an error
migration: Don't send data if we have stopped
migration: Create migration_is_running()
migration: fix COLO broken caused by a previous commit
migration/multifd: fix hangup with TLS-Multifd due to blocking handshake
multifd/tls: fix memoryleak of the QIOChannelSocket object when cancelling migration
Signed-off-by: Alex Chen <alex.chen@huawei.com>
migration/dirtyrate: setup up query-dirtyrate framwork
migration/dirtyrate: add DirtyRateStatus to denote calculation status
migration/dirtyrate: Add RamblockDirtyInfo to store sampled page info
migration/dirtyrate: Add dirtyrate statistics series functions
migration/dirtyrate: move RAMBLOCK_FOREACH_MIGRATABLE into ram.h
migration/dirtyrate: Record hash results for each sampled page
migration/dirtyrate: Compare page hash results for recorded sampled page
migration/dirtyrate: skip sampling ramblock with size below MIN_RAMBLOCK_SIZE
migration/dirtyrate: Implement set_sample_page_period() and is_sample_period_valid()
migration/dirtyrate: Implement calculate_dirtyrate() function
migration/dirtyrate: Implement qmp_cal_dirty_rate()/qmp_get_dirty_rate() function
migration/dirtyrate: Add trace_calls to make it easier to debug
migration/dirtyrate: record start_time and calc_time while at the measuring state
migration/dirtyrate: present dirty rate only when querying the rate has completed
migration/dirtyrate: simplify includes in dirtyrate.c
Signed-off-by: Alex Chen <alex.chen@huawei.com>
elf2dmp: Fix memory leak on main() error paths
io: Don't use '#' flag of printf format
hw/display/omap_lcdc: Fix potential NULL pointer dereference
hw/display/exynos4210_fimd: Fix potential NULL pointer dereference
block/vvfat: Fix bad printf format specifiers
block: Remove unused include
ssi: Fix bad printf format specifiers
net/l2tpv3: Remove redundant check in net_init_l2tpv3()
Signed-off-by: Alex Chen <alex.chen@huawei.com>
Drop IPv6 message shorter than what's mentioned in the payload
length header (+ the size of the IPv6 header). They're invalid and could
lead to data leakage in icmp6_send_echoreply().
