Re: [Qemu-stable] [ANNOUNCE] QEMU 2.5.1 Stable released


From: Michael Roth
Subject: Re: [Qemu-stable] [ANNOUNCE] QEMU 2.5.1 Stable released
Date: Fri, 01 Apr 2016 09:53:41 -0500
User-agent: alot/0.3.6

Quoting Peter Lieven (2016-04-01 02:43:31)
> On 30.03.2016 at 02:11, Michael Roth wrote:
> > Hi everyone,
> >
> > I am pleased to announce that the QEMU v2.5.1 stable release is now
> > available at:
> >
> >   http://wiki.qemu.org/download/qemu-2.5.1.tar.bz2
> >
> > v2.5.1 is now tagged in the official qemu.git repository,
> > and the stable-2.5 branch has been updated accordingly:
> >
> >   http://git.qemu.org/?p=qemu.git;a=shortlog;h=refs/heads/stable-2.5
> >
> > In addition to the normal array of general bug fixes, this release
> > includes security fixes/hardening for USB, vmxnet3/e1000/ne2000 NICs,
> > NIC checksumming, and management consoles via HMP. Users of earlier
> > releases should upgrade accordingly.
> >
> > Note: For -M pseries-2.3 PPC guests, migration is now restored between
> > QEMU 2.3.x and 2.5.1, but migration between 2.5.1 and any versions other
> > than 2.3.x now requires the -machine enforce-config-section=on option.
> >
> > Thank you to everyone involved!
> >
> > CHANGELOG:
> >
> > a58047f: Update version for 2.5.1 release (Michael Roth)
> > 5f409b1: hyperv: cpu hotplug fix with HyperV enabled (Denis V. Lunev)
> > 078de11: vmdk: Fix converting to streamOptimized (Fam Zheng)
> > acea76c: vmdk: Create streamOptimized as version 3 (Fam Zheng)
> > 80b6e57: usb: check USB configuration descriptor object (Prasad J Pandit)
> > 9bddb45: usb: check RNDIS message length (Prasad J Pandit)
> > e3a2cdf: usb: check RNDIS buffer offsets & length (Prasad J Pandit)
> > 4dcd2f1: usb: check page select value while processing iTD (Prasad J Pandit)
> > 38e0921: net: ne2000: fix bounds check in ioport operations (Prasad J Pandit)
> > d0ee85b: net: check packet payload length (Prasad J Pandit)
> > 4f046a6: ide: ahci: reset ncq object to unused on error (Prasad J Pandit)
> > b47809c: i386: avoid null pointer dereference (P J P)
> > 24fe899: hmp: fix sendkey out of bounds write (CVE-2015-8619) (Wolfgang Bumiller)
> > aaf4fb6: ahci: Do not unmap NULL addresses (John Snow)
> > a2ae168: migration: allow machine to enforce configuration section migration (Greg Kurz)
> > bad094d: vl.c: Fix regression in machine error message (Marcel Apfelbaum)
> > 4b0b1ec: quorum: Fix crash in quorum_aio_cb() (Alberto Garcia)
> > cab1cc7: target-arm: Make reserved ranges in ID_AA64* spaces RAZ, not UNDEF (Peter Maydell)
> > 9ae0217: vhost-user: don't merge regions with different fds (Michael S. Tsirkin)
> > 3092979: fw_cfg: unbreak migration compatibility for 2.4 and earlier machines (Laszlo Ersek)
> > c5c9841: hw/virtio: group virtio flags into an enum (Marcel Apfelbaum)
> > 6b62303: hw/virtio: fix double use of a virtio flag (Marcel Apfelbaum)
> > c06f342: spapr: skip configuration section during migration of older machines (Greg Kurz)
> > cb873ea: e1000: eliminate infinite loops on out-of-bounds transfer start (Laszlo Ersek)
> > 4853a5a: block: qemu-iotests - add test for snapshot, commit, snapshot bug (Jeff Cody)
> > a375e0b: block: set device_list.tqe_prev to NULL on BDS removal (Jeff Cody)
> > a38a283: qmp: Fix reference-counting of qnull on empty output visit (Eric Blake)
> > 225d50f: cpus: use broadcast on qemu_pause_cond (Dr. David Alan Gilbert)
> > 020282d: fw_cfg: avoid calculating invalid current entry pointer (Gabriel L. Somlo)
> > 091af18: s390x/css: fix control flags during csch (Halil Pasic)
> > d983923: s390x/ioinst: set type and len for SEI response (Pierre Morel)
> > 643c8d8: block/raw-posix: avoid bogus fixup for cylinders on DASD disks (Christian Borntraeger)
> > 3ede27d: ehci: update irq on reset (Gerd Hoffmann)
> > 9849b19: net: set endianness on all backend devices (Laurent Vivier)
> > fe90bdc: net: ne2000: check ring buffer control registers (Prasad J Pandit)
> > aaa5271: net/filter: fix nf->netdev_id leak (Li Zhijian)
> > abda95c: net/dump: fix nfds->filename leak (Li Zhijian)
> > 6a49a71: blockdev: Fix 'change' for slot devices (Max Reitz)
> > e1a8a09: block: Add blk_dev_has_tray() (Max Reitz)
> > 7a2c1c8: net: rocker: fix an incorrect array bounds check (Prasad J Pandit)
> > 702a8d1: ivshmem: remove redundant assignment, fix crash with msi=off (Marc-André Lureau)
> > 3e96d5d: ivshmem: no need for opaque argument (Marc-André Lureau)
> > 16a2875: scsi: initialise info object with appropriate size (P J P)
> > 4588b0d: virtio-9p: use accessor to get thread_pool (Greg Kurz)
> > ff083d3: xenfb: avoid reading twice the same fields from the shared page (Stefano Stabellini)
> > 4d59e78: xen/blkif: Avoid double access to src->nr_segments (Stefano Stabellini)
> > 52a7b27: configure: Fix shell syntax to placate OpenBSD's pdksh (Peter Maydell)
> > d4aed70: target-ppc: kvm: fix floating point registers sync on little-endian hosts (Greg Kurz)
> > 42ae4a3: net: vmxnet3: avoid memory leakage in activate_device (P J P)
> > 0d33580: ehci: make idt processing more robust (Gerd Hoffmann)
> >
> >
> 
> Unfortunately, this release lacks the following patch:
> 
> target-i386: do not read/write MSR_TSC_AUX from KVM if CPUID bit is not set

AFAICT that patch was posted after the release went out. There's also an
upstream-first policy for stable, and the patch is still pending.

> 
> without it any vServer with a Westmere or older vCPU will freeze with 100% CPU
> on vmload / migration.

This probably started with c9b8f6b6210847b4381c5b2ee172b1c7eb9985d6. I
think v2.4.1 is the latest release that would be unaffected.

I'll make sure to pull it in if we do a v2.5.2 or CVE release, but since it's
not a regression from v2.5.0, and since there's only a couple patches on the
stable queue atm, I'm not sure at this point whether there will be one.

> 
> Peter
> 