From 25c2221d83bef4131b436f3da7696f7027b0cdf1 Mon Sep 17 00:00:00 2001
From: zhangpengrui
Date: Fri, 24 Oct 2025 09:04:55 +0800
Subject: [PATCH] QEMU update to version 8.2.0-49
Signed-off-by: zhangpengrui
(cherry picked from commit 0dbd1022404f36e79edf01186f1d95f0274dfd2a)
---
 ...-riscv-use-tail-pseudoinstruction-fo.patch | 47 ++++++++++++
 ...3_cpuif-Don-t-downgrade-monitor-trap.patch | 73 +++++++++++++++++++
 ...don-t-assert-for-SETUP-to-non-0-endp.patch | 73 +++++++++++++++++++
 hw-usb-hcd-xhci-Unmap-canceled-packet.patch | 64 ++++++++++++++++
 ...CONFIG_STATX-and-CONFIG_STATX_MNT_ID.patch | 54 ++++++++++++++
 ...se-has_header_symbol-to-check-getcpu.patch | 50 +++++++++++++
 ...EK_CUR-offset-calculation-in-qio_cha.patch | 41 +++++++++++
 qemu.spec | 20 ++++-
 ...lly-not-initialized-nr_volumes-in-qg.patch | 61 ++++++++++++++++
 9 files changed, 482 insertions(+), 1 deletion(-)
 create mode 100644 common-user-host-riscv-use-tail-pseudoinstruction-fo.patch
 create mode 100644 hw-intc-arm_gicv3_cpuif-Don-t-downgrade-monitor-trap.patch
 create mode 100644 hw-usb-hcd-uhci-don-t-assert-for-SETUP-to-non-0-endp.patch
 create mode 100644 hw-usb-hcd-xhci-Unmap-canceled-packet.patch
 create mode 100644 meson-Remove-CONFIG_STATX-and-CONFIG_STATX_MNT_ID.patch
 create mode 100644 meson-Use-has_header_symbol-to-check-getcpu.patch
 create mode 100644 migration-fix-SEEK_CUR-offset-calculation-in-qio_cha.patch
 create mode 100644 qga-fix-potentially-not-initialized-nr_volumes-in-qg.patch
diff --git a/common-user-host-riscv-use-tail-pseudoinstruction-fo.patch b/common-user-host-riscv-use-tail-pseudoinstruction-fo.patch
new file mode 100644
index 00000000..4930e8a5
--- /dev/null
+++ b/common-user-host-riscv-use-tail-pseudoinstruction-fo.patch
@@ -0,0 +1,47 @@
+From 163c04af60750ebf617ac1152fccbf72fea3f873 Mon Sep 17 00:00:00 2001
+From: Icenowy Zheng
+Date: Thu, 17 Apr 2025 15:22:06 +0800
+Subject: [PATCH] common-user/host/riscv: use tail pseudoinstruction for
+ calling tail
+
+The j pseudoinstruction maps to a JAL instruction, which can only handle
+a jump to somewhere with a signed 20-bit destination. In case of static
+linking and LTO'ing this easily leads to "relocation truncated to fit"
+error.
+
+Switch to use tail pseudoinstruction, which is the standard way to
+tail-call a function in medium code model (emits AUIPC+JALR).
+
+---
+Upstream commit 22b448ccc6611a59d4aa54419f4d88c1f343cb35 , v10.1.0
+
+Signed-off-by: Icenowy Zheng
+Reviewed-by: Richard Henderson
+Message-ID: <20250417072206.364008-1-uwu@icenowy.me>
+Signed-off-by: Alistair Francis
+Cc: qemu-stable@nongnu.org
+---
+ common-user/host/riscv/safe-syscall.inc.S | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/common-user/host/riscv/safe-syscall.inc.S b/common-user/host/riscv/safe-syscall.inc.S
+index dfe83c300e..c8b81e33d0 100644
+--- a/common-user/host/riscv/safe-syscall.inc.S
++++ b/common-user/host/riscv/safe-syscall.inc.S
+@@ -69,11 +69,11 @@ safe_syscall_end:
+ 
+ /* code path setting errno */
+ 0: neg a0, a0
+- j safe_syscall_set_errno_tail
++ tail safe_syscall_set_errno_tail
+ 
+ /* code path when we didn't execute the syscall */
+ 2: li a0, QEMU_ERESTARTSYS
+- j safe_syscall_set_errno_tail
++ tail safe_syscall_set_errno_tail
+ 
+ .cfi_endproc
+ .size safe_syscall_base, .-safe_syscall_base
+--
+2.33.0
+
diff --git a/hw-intc-arm_gicv3_cpuif-Don-t-downgrade-monitor-trap.patch b/hw-intc-arm_gicv3_cpuif-Don-t-downgrade-monitor-trap.patch
new file mode 100644
index 00000000..45fca24b
--- /dev/null
+++ b/hw-intc-arm_gicv3_cpuif-Don-t-downgrade-monitor-trap.patch
@@ -0,0 +1,73 @@
+From e03c56464bedc8dc78b2afa43b975cdb7a5897d9 Mon Sep 17 00:00:00 2001
+From: lijunwei
+Date: Tue, 14 Oct 2025 15:04:01 +0800
+Subject: [PATCH] hw/intc/arm_gicv3_cpuif: Don't downgrade monitor traps
+ for AArch32 EL3
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+ In the gicv3_{irq,fiq,irqfiq}_access() functions, there is a check
+ which downgrades a CP_ACCESS_TRAP_EL3 to CP_ACCESS_TRAP if EL3 is not
+ AArch64. This has been there since the GIC was first implemented,
+ but it isn't right: if we are trapping because of SCR.IRQ or SCR.FIQ
+ then we definitely want to be going to EL3 (doing
+ AArch32.TakeMonitorTrapException() in pseudocode terms). We might
+ want to not take a trap at all, but we don't ever want to go to the
+ default target EL, because that would mean, for instance, taking a
+ trap to Hyp mode if the trapped access was made from Hyp mode.
+
+ (This might have been an attempt to work around our failure to
+ properly implement Monitor Traps.)
+
+ Remove the bogus check.
+
+ Cc: qemu-stable@nongnu.org
+ Fixes: 359fbe65 ("hw/intc/arm_gicv3: Implement GICv3 CPU interface registers")
+ Signed-off-by: default avatarPeter Maydell
+ Reviewed-by: default avatarAlex Bennée
+ Reviewed-by: default avatarRichard Henderson
+ Message-id: 20250130182309.717346-7-peter.maydell@linaro.org
+ (cherry picked from commit d04c6c3c)
+ Signed-off-by: default avatarMichael Tokarev
+---
+ hw/intc/arm_gicv3_cpuif.c | 9 ---------
+ 1 file changed, 9 deletions(-)
+
+diff --git a/hw/intc/arm_gicv3_cpuif.c b/hw/intc/arm_gicv3_cpuif.c
+index a013510074..27458d2b8a 100644
+--- a/hw/intc/arm_gicv3_cpuif.c
++++ b/hw/intc/arm_gicv3_cpuif.c
+@@ -2098,9 +2098,6 @@ static CPAccessResult gicv3_irqfiq_access(CPUARMState *env,
+ }
+ }
+ 
+- if (r == CP_ACCESS_TRAP_EL3 && !arm_el_is_aa64(env, 3)) {
+- r = CP_ACCESS_TRAP;
+- }
+ return r;
+ }
+ 
+@@ -2163,9 +2160,6 @@ static CPAccessResult gicv3_fiq_access(CPUARMState *env,
+ }
+ }
+ 
+- if (r == CP_ACCESS_TRAP_EL3 && !arm_el_is_aa64(env, 3)) {
+- r = CP_ACCESS_TRAP;
+- }
+ return r;
+ }
+ 
+@@ -2202,9 +2196,6 @@ static CPAccessResult gicv3_irq_access(CPUARMState *env,
+ }
+ }
+ 
+- if (r == CP_ACCESS_TRAP_EL3 && !arm_el_is_aa64(env, 3)) {
+- r = CP_ACCESS_TRAP;
+- }
+ return r;
+ }
+ 
+--
+2.33.0
+
diff --git a/hw-usb-hcd-uhci-don-t-assert-for-SETUP-to-non-0-endp.patch b/hw-usb-hcd-uhci-don-t-assert-for-SETUP-to-non-0-endp.patch
new file mode 100644
index 00000000..36137592
--- /dev/null
+++ b/hw-usb-hcd-uhci-don-t-assert-for-SETUP-to-non-0-endp.patch
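Review bot: The trailer lines of this backport carry the text `default avatar` in front of every name (`Signed-off-by: default avatarPeter Maydell`, `Reviewed-by: default avatarAlex Bennée`, `Signed-off-by: default avatarMichael Tokarev`), which looks like the avatar alt-text of a web commit view pasted into the patch rather than the upstream trailers. It does not change what the patch applies, but it corrupts the authorship and review attestation that tooling and auditors read from these trailers, leaving the upstream id `(cherry picked from commit d04c6c3c)` as the only reliable link to provenance. The same artifact appears in the xhci, statx, getcpu and migration patch files added by this commit; the trailers should be taken verbatim from the upstream commits so each backport carries the real sign-offs.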
@@ -0,0 +1,73 @@
+From a7002fbaa0a8a88d5e57bf9cd981dcf70fb0cf5a Mon Sep 17 00:00:00 2001
+From: Peter Maydell
+Date: Mon, 15 Sep 2025 14:29:10 +0100
+Subject: [PATCH] hw/usb/hcd-uhci: don't assert for SETUP to non-0
+ endpoint(CVE-2024-8354)
+
+If the guest feeds invalid data to the UHCI controller, we
+can assert:
+qemu-system-x86_64: ../../hw/usb/core.c:744: usb_ep_get: Assertion `pid == USB_TOKEN_IN || pid == USB_TOKEN_OUT' failed.
+
+(see issue 2548 for the repro case). This happens because the guest
+attempts USB_TOKEN_SETUP to an endpoint other than 0, which is not
+valid. The controller code doesn't catch this guest error, so
+instead we hit the assertion in the USB core code.
+
+Catch the case of SETUP to non-zero endpoint, and treat it as a fatal
+error in the TD, in the same way we do for an invalid PID value in
+the TD.
+
+This is the UHCI equivalent of the same bug in OHCI that we fixed in
+commit 3c3c233677 ("hw/usb/hcd-ohci: Fix #1510, #303: pid not IN or
+OUT").
+
+This bug has been tracked as CVE-2024-8354.
+
+Cc: qemu-stable@nongnu.org
+Fixes: https://gitlab.com/qemu-project/qemu/-/issues/2548
+Signed-off-by: Peter Maydell
+Reviewed-by: Michael Tokarev
+---
+ hw/usb/hcd-uhci.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/hw/usb/hcd-uhci.c b/hw/usb/hcd-uhci.c
+index a92581ff5f..4ed30c59c7 100644
+--- a/hw/usb/hcd-uhci.c
++++ b/hw/usb/hcd-uhci.c
+@@ -763,6 +763,7 @@ static int uhci_handle_td(UHCIState *s, UHCIQueue *q, uint32_t qh_addr,
+ bool spd;
+ bool queuing = (q != NULL);
+ uint8_t pid = td->token & 0xff;
++ uint8_t ep_id = (td->token >> 15) & 0xf;
+ UHCIAsync *async;
+ 
+ async = uhci_async_find_td(s, td_addr);
+@@ -806,9 +807,14 @@ static int uhci_handle_td(UHCIState *s, UHCIQueue *q, uint32_t qh_addr,
+ 
+ switch (pid) {
+ case USB_TOKEN_OUT:
+- case USB_TOKEN_SETUP:
+ case USB_TOKEN_IN:
+ break;
++ case USB_TOKEN_SETUP:
++ /* SETUP is only valid to endpoint 0 */
++ if (ep_id == 0) {
++ break;
++ }
++ /* fallthrough */
+ default:
+ /* invalid pid : frame interrupted */
+ s->status |= UHCI_STS_HCPERR;
+@@ -855,7 +861,7 @@ static int uhci_handle_td(UHCIState *s, UHCIQueue *q, uint32_t qh_addr,
+ return uhci_handle_td_error(s, td, td_addr, USB_RET_NODEV,
+ int_mask);
+ }
+- ep = usb_ep_get(dev, pid, (td->token >> 15) & 0xf);
++ ep = usb_ep_get(dev, pid, ep_id);
+ q = uhci_queue_new(s, qh_addr, td, ep);
+ }
+ async = uhci_async_alloc(q, td_addr);
+--
+2.33.0
+
diff --git a/hw-usb-hcd-xhci-Unmap-canceled-packet.patch b/hw-usb-hcd-xhci-Unmap-canceled-packet.patch
new file mode 100644
index 00000000..27e42f81
--- /dev/null
+++ b/hw-usb-hcd-xhci-Unmap-canceled-packet.patch
@@ -0,0 +1,64 @@
+From 04c9b45704f42bd398407acc3e2d3749ac5c00b7 Mon Sep 17 00:00:00 2001
+From: luowei
+Date: Wed, 6 Aug 2025 10:26:27 +0800
+Subject: [PATCH] hw/usb/hcd-xhci: Unmap canceled packet cheery-pick from
+ aca4967567aaa168ce51d54145ba970aafb135de
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When the Stop Endpoint Command is received, packets running
+asynchronously are canceled and then all packets are cleaned up. Packets
+running asynchronously hold the DMA mapping so cleaning the packets leak
+the mapping. Remove the mapping after canceling packets to fix the leak.
+
+Fixes: 62c6ae04 ("xhci: Initial xHCI implementation")
+Signed-off-by: default avatarAkihiko Odaki
+Reviewed-by: default avatarPhilippe Mathieu-Daudé
+Message-ID: <20250418-xhc-v1-1-bb32dab6a67e@daynix.com>
+Signed-off-by: default avatarPhilippe Mathieu-Daudé
+---
+ hw/usb/hcd-xhci.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
+index 4b60114207..3413a36ebe 100644
+--- a/hw/usb/hcd-xhci.c
++++ b/hw/usb/hcd-xhci.c
+@@ -1190,6 +1190,12 @@ static void xhci_ep_free_xfer(XHCITransfer *xfer)
+ g_free(xfer);
+ }
+ 
++static void xhci_xfer_unmap(XHCITransfer *xfer)
++{
++ usb_packet_unmap(&xfer->packet, &xfer->sgl);
++ qemu_sglist_destroy(&xfer->sgl);
++}
++
+ static int xhci_ep_nuke_one_xfer(XHCITransfer *t, TRBCCode report)
+ {
+ int killed = 0;
+@@ -1201,6 +1207,7 @@ static int xhci_ep_nuke_one_xfer(XHCITransfer *t, TRBCCode report)
+ 
+ if (t->running_async) {
+ usb_cancel_packet(&t->packet);
++ xhci_xfer_unmap(t);
+ t->running_async = 0;
+ killed = 1;
+ }
+@@ -1483,12 +1490,6 @@ err:
+ return -1;
+ }
+ 
+-static void xhci_xfer_unmap(XHCITransfer *xfer)
+-{
+- usb_packet_unmap(&xfer->packet, &xfer->sgl);
+- qemu_sglist_destroy(&xfer->sgl);
+-}
+-
+ static void xhci_xfer_report(XHCITransfer *xfer)
+ {
+ uint32_t edtla = 0;
+--
+2.33.0
+
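Review bot: The provenance note has been folded into the mail subject, `Subject: [PATCH] hw/usb/hcd-xhci: Unmap canceled packet cheery-pick from aca4967567aaa168ce51d54145ba970aafb135de`, so applying this file with git would produce a commit titled with the hash and the misspelling, and the spec changelog entry no longer matches the commit title. The conventional place for this, and the one the other patch files in this commit use, is a trailer line `(cherry picked from commit aca4967567aaa168ce51d54145ba970aafb135de)` below the sign-offs, with the subject left as the upstream `hw/usb/hcd-xhci: Unmap canceled packet`. The qga patch added by this commit has the same `cheery-pick from …` wording in its body, where the trailer form would also be clearer.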
diff --git a/meson-Remove-CONFIG_STATX-and-CONFIG_STATX_MNT_ID.patch b/meson-Remove-CONFIG_STATX-and-CONFIG_STATX_MNT_ID.patch
new file mode 100644
index 00000000..27c54d13
--- /dev/null
+++ b/meson-Remove-CONFIG_STATX-and-CONFIG_STATX_MNT_ID.patch
@@ -0,0 +1,54 @@
+From 19702630b27b96aa48b1acd4e4c9a22a6dfb444e Mon Sep 17 00:00:00 2001
+From: lijunwei
+Date: Tue, 23 Sep 2025 16:02:55 +0800
+Subject: [PATCH] meson: Remove CONFIG_STATX and CONFIG_STATX_MNT_ID
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+CONFIG_STATX and CONFIG_STATX_MNT_ID are not used since commit
+e0dc2631 ("virtiofsd: Remove source").
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: default avatarAkihiko Odaki
+Reviewed-by: default avatarPhilippe Mathieu-Daudé
+Tested-by: default avatarPhilippe Mathieu-Daudé
+Message-ID: <20250424-buildsys-v1-2-97655e3b25d7@daynix.com>
+Signed-off-by: default avatarPhilippe Mathieu-Daudé
+(cherry picked from commit 6804b89f)
+Signed-off-by: default avatarMichael Tokarev
+---
+ meson.build | 10 ----------
+ 1 file changed, 10 deletions(-)
+
+diff --git a/meson.build b/meson.build
+index d221f5cad5..66c66c1ada 100644
+--- a/meson.build
++++ b/meson.build
+@@ -1921,14 +1921,6 @@ gnu_source_prefix = '''
+ #endif
+ '''
+ 
+-# Check whether the glibc provides STATX_BASIC_STATS
+-
+-has_statx = cc.has_header_symbol('sys/stat.h', 'STATX_BASIC_STATS', prefix: gnu_source_prefix)
+-
+-# Check whether statx() provides mount ID information
+-
+-has_statx_mnt_id = cc.has_header_symbol('sys/stat.h', 'STATX_MNT_ID', prefix: gnu_source_prefix)
+-
+ have_vhost_user_blk_server = get_option('vhost_user_blk_server') \
+ .require(targetos == 'linux',
+ error_message: 'vhost_user_blk_server requires linux') \
+@@ -2304,8 +2296,6 @@ config_host_data.set('CONFIG_CRYPTO_SM3', crypto_sm3.found())
+ config_host_data.set('CONFIG_HOGWEED', hogweed.found())
+ config_host_data.set('CONFIG_QEMU_PRIVATE_XTS', xts == 'private')
+ config_host_data.set('CONFIG_MALLOC_TRIM', has_malloc_trim)
+-config_host_data.set('CONFIG_STATX', has_statx)
+-config_host_data.set('CONFIG_STATX_MNT_ID', has_statx_mnt_id)
+ config_host_data.set('CONFIG_ZSTD', zstd.found())
+ config_host_data.set('CONFIG_QPL', qpl.found())
+ config_host_data.set('CONFIG_UADK', uadk.found())
+--
+2.33.0
+
diff --git a/meson-Use-has_header_symbol-to-check-getcpu.patch b/meson-Use-has_header_symbol-to-check-getcpu.patch
new file mode 100644
index 00000000..00f0dbc4
--- /dev/null
+++ b/meson-Use-has_header_symbol-to-check-getcpu.patch
@@ -0,0 +1,50 @@
+From ddd158c60e9af53567067798eaf3996b012c3a20 Mon Sep 17 00:00:00 2001
+From: lijunwei
+Date: Tue, 14 Oct 2025 15:00:01 +0800
+Subject: [PATCH] meson: Use has_header_symbol() to check getcpu()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The use of gnu_source_prefix in the detection of getcpu() was
+ineffective because the header file that declares getcpu() when
+_GNU_SOURCE is defined was not included. Pass sched.h to
+has_header_symbol() so that the existence of the declaration will be
+properly checked.
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: default avatarAkihiko Odaki
+Reviewed-by: default avatarPhilippe Mathieu-Daudé
+Tested-by: default avatarPhilippe Mathieu-Daudé
+Message-ID: <20250424-buildsys-v1-1-97655e3b25d7@daynix.com>
+Signed-off-by: default avatarPhilippe Mathieu-Daudé
+(cherry picked from commit 563cd698)
+Signed-off-by: default avatarMichael Tokarev '))
+ # Note that we need to specify prefix: here to avoid incorrectly
+ # thinking that Windows has posix_memalign()
+@@ -2427,6 +2426,8 @@ config_host_data.set('CONFIG_FALLOCATE_ZERO_RANGE',
+ config_host_data.set('CONFIG_FIEMAP',
+ cc.has_header('linux/fiemap.h') and
+ cc.has_header_symbol('linux/fs.h', 'FS_IOC_FIEMAP'))
++config_host_data.set('CONFIG_GETCPU',
++ cc.has_header_symbol('sched.h', 'getcpu', prefix: gnu_source_prefix))
+ config_host_data.set('CONFIG_GETRANDOM',
+ cc.has_function('getrandom') and
+ cc.has_header_symbol('sys/random.h', 'GRND_NONBLOCK'))
+--
+2.33.0
+
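Review bot: The getcpu patch file as shown here loses content between `Signed-off-by: default avatarMichael Tokarev` and the dangling fragment `'))`: the `---` separator, the diffstat, the `diff --git a/meson.build` header and the `@@` line of a first hunk are all missing, and the second hunk's header `@@ -2427,6 +2426,8 @@` implies an earlier hunk with a net removal of one line that is not visible at all. The file header promises 50 lines (`@@ -0,0 +1,50 @@`) and the visible content does not reach that, so it cannot be confirmed from this page that the patch applies to meson.build. This may be a rendering artifact of the page rather than of the committed file; if it is not, the file should be regenerated from the upstream commit `563cd698` and the build re-run, since a silently truncated patch would leave `CONFIG_GETCPU` unchanged while the changelog claims the fix.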
diff --git a/migration-fix-SEEK_CUR-offset-calculation-in-qio_cha.patch b/migration-fix-SEEK_CUR-offset-calculation-in-qio_cha.patch
new file mode 100644
index 00000000..4d8eb2f0
--- /dev/null
+++ b/migration-fix-SEEK_CUR-offset-calculation-in-qio_cha.patch
@@ -0,0 +1,41 @@
+From 47d070644db6fd423da4e01728d91117180b7908 Mon Sep 17 00:00:00 2001
+From: lijunwei
+Date: Tue, 14 Oct 2025 15:13:40 +0800
+Subject: [PATCH] migration: fix SEEK_CUR offset calculation in
+ qio_channel_block_seek
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The SEEK_CUR case in qio_channel_block_seek was incorrectly using the
+'whence' parameter instead of the 'offset' parameter when calculating the
+new position.
+
+Fixes: 65cf200a ("migration: introduce a QIOChannel impl for BlockDriverState VMState")
+Signed-off-by: default avatarMarco Cavenati
+Reviewed-by: default avatarDaniel P. Berrangé
+Reviewed-by: default avatarMichael Tokarev
+Message-ID: <20250326162230.3323199-1-Marco.Cavenati@eurecom.fr>
+Signed-off-by: default avatarFabiano Rosas
+(cherry picked from commit c0b32426)
+Signed-off-by: default avatarMichael Tokarev
+---
+ migration/channel-block.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/migration/channel-block.c b/migration/channel-block.c
+index fff8d87094..b0477f5b6d 100644
+--- a/migration/channel-block.c
++++ b/migration/channel-block.c
+@@ -123,7 +123,7 @@ qio_channel_block_seek(QIOChannel *ioc,
+ bioc->offset = offset;
+ break;
+ case SEEK_CUR:
+- bioc->offset += whence;
++ bioc->offset += offset;
+ break;
+ case SEEK_END:
+ error_setg(errp, "Size of VMstate region is unknown");
+--
+2.33.0
+
diff --git a/qemu.spec b/qemu.spec
index b46ed419..418af1ef 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -3,7 +3,7 @@ Name: qemu
 Version: 8.2.0
-Release: 48
+Release: 49
 Epoch: 11
 Summary: QEMU is a generic and open source machine emulator and virtualizer
 License: GPLv2 and BSD and MIT and CC-BY-SA-4.0
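Review bot: The corrected `bioc->offset += offset;` in the `SEEK_CUR` arm adds a caller-supplied offset without checking that the result stays non-negative, and nothing in the hunk rejects a negative `offset` large enough to move the position before the start of the VMState region; the `SEEK_SET` arm right above it has the same gap. qio_channel_block_seek continues outside the hunk, so the range check may live after the switch; if it does not, a guard in the same style as the `SEEK_END` arm would complete the fix, e.g. `if (offset < 0 && bioc->offset < -offset) { error_setg(errp, "Seek before start of VMstate region"); return (off_t)-1; }` ahead of the addition. Whether any caller passes a negative or untrusted offset here is not visible from the page.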
@@ -1093,6 +1093,14 @@ Patch1076: target-riscv-kvm-update-the-KVM-regs-to-Linux-rvck-6.patch
 Patch1077: target-riscv-kvm-Fix-exposure-of-Zkr.patch
 Patch1078: hw-arm-virt-Introduce-a-IPIV-machine-option.patch
 Patch1079: hw-vfio-migration-Fix-vfio-migration-isn-t-aborted-i.patch
+Patch1080: common-user-host-riscv-use-tail-pseudoinstruction-fo.patch
+Patch1081: meson-Remove-CONFIG_STATX-and-CONFIG_STATX_MNT_ID.patch
+Patch1082: qga-fix-potentially-not-initialized-nr_volumes-in-qg.patch
+Patch1083: hw-usb-hcd-uhci-don-t-assert-for-SETUP-to-non-0-endp.patch
+Patch1084: hw-usb-hcd-xhci-Unmap-canceled-packet.patch
+Patch1085: meson-Use-has_header_symbol-to-check-getcpu.patch
+Patch1086: hw-intc-arm_gicv3_cpuif-Don-t-downgrade-monitor-trap.patch
+Patch1087: migration-fix-SEEK_CUR-offset-calculation-in-qio_cha.patch
 
 BuildRequires: flex
 BuildRequires: gcc
@@ -1695,6 +1703,16 @@ getent passwd qemu >/dev/null || \
 %endif
 
 %changelog
+* Fri Oct 24 2025 Pengrui Zhang - 11:8.2.0-49
+- common-user/host/riscv: use tail pseudoinstruction for calling tail
+- meson: Remove CONFIG_STATX and CONFIG_STATX_MNT_ID
+- qga: fix potentially not initialized nr_volumes in qga_vss_fsfreeze()
+- hw/usb/hcd-uhci: don't assert for SETUP to non-0 endpoint(CVE-2024-8354)
+- hw/usb/hcd-xhci: Unmap canceled packet
+- meson: Use has_header_symbol() to check getcpu()
+- hw/intc/arm_gicv3_cpuif: Don't downgrade monitor traps for AArch32 EL3
+- migration: fix SEEK_CUR offset calculation in qio_channel_block_seek
+
 * Wed Oct 22 2025 Junqi Ma - 11:8.2.0-48
 - target/s390x: Fix MVC not always invalidating translation blocks
 - target/sparc: Fix gdbstub incorrectly handling registers f32-f62
diff --git a/qga-fix-potentially-not-initialized-nr_volumes-in-qg.patch b/qga-fix-potentially-not-initialized-nr_volumes-in-qg.patch
new file mode 100644
index 00000000..df347485
--- /dev/null
+++ b/qga-fix-potentially-not-initialized-nr_volumes-in-qg.patch
@@ -0,0 +1,61 @@
+From 78427e1c7669c60f3e0d3577830477b69dc498d2 Mon Sep 17 00:00:00 2001
+From: jipengfei
+Date: Thu, 7 Aug 2025 15:32:21 +0200
+Subject: [PATCH] qga: fix potentially not initialized nr_volumes in
+ qga_vss_fsfreeze()
+
+In this function we could have this variable not initialized. If this
+could be acceptable on error, the variable could be left not initialized
+f.e. as follows:
+
+void requester_freeze(int *num_vols, void *mountpoints, ErrorSet *errset)
+{
+ ...
+ if (mountpoints) {
+ ...
+ if (num_mount_points == 0) {
+ /* If there is no valid mount points, just exit. */
+ goto out;
+ }
+ }
+ ...
+ if (!mountpoints) {
+ ...
+ if (num_fixed_drives == 0) {
+ goto out; /* If there is no fixed drive, just exit. */
+ }
+ }
+ ...
+}
+
+Stay on safe side, initialize the variable at the beginning.
+
+cheery-pick from 42bdb911c22f9449f7a310efc73b70548ca42b24
+
+Signed-off-by:jipengfei
+Signed-off-by: Denis V. Lunev
+CC: Kostiantyn Kostiuk
+CC: Michael Roth
+Reviewed-by: Kostiantyn Kostiuk
+Link: https://lore.kernel.org/qemu-devel/20250807133221.1135453-1-den@openvz.org
+Signed-off-by: Kostiantyn Kostiuk
+---
+ qga/vss-win32.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/qga/vss-win32.c b/qga/vss-win32.c
+index f444a25a70..b272bfc782 100644
+--- a/qga/vss-win32.c
++++ b/qga/vss-win32.c
+@@ -157,6 +157,8 @@ void qga_vss_fsfreeze(int *nr_volume, bool freeze,
+ .errp = errp,
+ };
+ 
++ *nr_volume = 0;
++
+ g_assert(errp); /* requester.cpp requires it */
+ func = (QGAVSSRequesterFunc)GetProcAddress(provider_lib, func_name);
+ if (!func) {
+--
+2.33.0
+
-- 
Gitee