Re: [Qemu-devel] [ANNOUNCE] QEMU 3.1.1 Stable released

["Philippe Mathieu-Daudé" <philmd@redhat.com>]

On 8/2/19 7:50 PM, Michael Roth wrote:
> Hi everyone,
> 
> I am pleased to announce that the QEMU v3.1.1 stable release is now
> available:
> 
> You can grab the tarball from our download page here:
> 
>   https://www.qemu.org/download/#source
> 
> v3.1.1 is now tagged in the official qemu.git repository,
> and the stable-3.1 branch has been updated accordingly:
> 
>   https://git.qemu.org/?p=qemu.git;a=shortlog;h=refs/heads/stable-3.1
> 
> This update contains a fix for CVE-2018-16872 (usb-mtp) and bug/security
> fixes for a number of areas.
> 
> Please see the changelog for additional details and update accordingly.
> 
> Thank you to everyone involved!
> 
> CHANGELOG:
> 
> 71049d2a74: Update version for 3.1.1 release (Michael Roth)
> 03d7712b4b: qemu-bridge-helper: restrict interface name to IFNAMSIZ (Prasad J Pandit)
> 4482258130: block: Fix hangs in synchronous APIs with iothreads (Kevin Wolf)
> 41dd30ff63: pvrdma: release ring object in case of an error (Prasad J Pandit)
> a1001760ab: pvrdma: check return value from pvrdma_idx_ring_has_ routines (Prasad J Pandit)
> 2a0e6f1369: pvrdma: check number of pages when creating rings (Prasad J Pandit)
> 017f271f7a: device_tree: Fix integer overflowing in load_device_tree() (Markus Armbruster)
> 5149630fed: device_tree.c: Don't use load_image() (Peter Maydell)
> 59a823017a: sun4u: add power_mem_read routine (Prasad J Pandit)
> 3be7eb2f47: qxl: check release info object (Prasad J Pandit)
> 576964bf2a: seccomp: don't kill process for resource control syscalls (Daniel P. Berrangé)
> 4c7f4c4bbb: i2c-ddc: fix oob read (Gerd Hoffmann)
> 4e74e7a867: slirp: check data length while emulating ident function (Prasad J Pandit)
> 375667af78: scsi-generic: avoid possible out-of-bounds access to r->buf (Paolo Bonzini)
> bceff528ba: pvrdma: add uar_read routine (Prasad J Pandit)
> 1549e3a54a: pvrdma: release device resources in case of an error (Prasad J Pandit)
> 86d4f40141: gluster: the glfs_io_cbk callback function pointer adds pre/post stat args (Niels de Vos)
> 37867211d9: gluster: Handle changed glfs_ftruncate signature (Prasanna Kumar Kalever)
> 43a3a1b694: hw/block/pflash_cfi01: Add missing DeviceReset() handler (Philippe Mathieu-Daudé)
> ddacb784b3: hw: Use PFLASH_CFI0{1,2} and TYPE_PFLASH_CFI0{1,2} (Markus Armbruster)
> 03f130c682: pflash: Rename *CFI_PFLASH* to *PFLASH_CFI* (Markus Armbruster)
> 10b1d6070a: pflash_cfi01: Log use of flawed "write to buffer" (Markus Armbruster)
> e634054c9d: pflash_cfi01: Do not exit() on guest aborting "write to buffer" (Markus Armbruster)
> 13cb31ce08: pflash: Rename pflash_t to PFlashCFI01, PFlashCFI02 (Markus Armbruster)
> d0cb440280: block/pflash_cfi02: Fix memory leak and potential use-after-free (Stephen Checkoway)
> 21e5c69b85: hw/display/xlnx_dp: Avoid crash when reading empty RX FIFO (Philippe Mathieu-Daudé)
> e2ec206ea9: hw/ssi/mss-spi: Avoid crash when reading empty RX FIFO (Philippe Mathieu-Daudé)
> 1f30e35861: hw/ssi/xilinx_spips: Avoid out-of-bound access to lqspi_buf[] (Philippe Mathieu-Daudé)
> 19f55e7ab5: target/m68k: Fix a tcg_temp leak (Philippe Mathieu-Daudé)
> c6b77a64b4: virtio-balloon: free pbp more aggressively (Michael S. Tsirkin)
> 0965d5583e: virtio-balloon: don't track subpages for the PBP (David Hildenbrand)
> 14d9028a7d: virtio-balloon: Use temporary PBP only (David Hildenbrand)
> 2aa5009412: virtio-balloon: Rework pbp tracking data (David Hildenbrand)
> 46275f9091: virtio-balloon: Better names for offset variables in inflate/deflate code (David Hildenbrand)
> b0d6feca99: virtio-balloon: Simplify deflate with pbp (David Hildenbrand)
> 07026c30c3: virtio-balloon: Fix QEMU crashes on pagesize > BALLOON_PAGE_SIZE (David Hildenbrand)
> 11dd808dc0: virtio-balloon: Fix wrong sign extension of PFNs (David Hildenbrand)
> f8364784f0: virtio-balloon: Restore MADV_WILLNEED hint on balloon deflate (David Gibson)
> 38e8e9007d: virtio-balloon: Fix possible guest memory corruption with inflates & deflates (David Gibson)
> 80c96a7b60: virtio-balloon: Don't mismatch g_malloc()/free (CID 1399146) (David Gibson)
> 118112024d: virtio-balloon: Safely handle BALLOON_PAGE_SIZE < host page size (David Gibson)
> 83cddbaadf: virtio-balloon: Use ram_block_discard_range() instead of raw madvise() (David Gibson)
> 89b0e359bc: virtio-balloon: Rework ballon_page() interface (David Gibson)
> b260cdec21: virtio-balloon: Corrections to address verification (David Gibson)
> 7a31a0af31: virtio-balloon: Remove unnecessary MADV_WILLNEED on deflate (David Gibson)
> f0a334345b: hw/virtio/virtio-balloon: zero-initialize the virtio_balloon_config struct (Peter Maydell)
> fc6c2bce38: i386/acpi: show PCI Express bus on pxb-pcie expanders (Evgeny Yakovlev)
> 11665ca918: i386/acpi: fix gint overflow in crs_range_compare (Evgeny Yakovlev)
> df42bc4897: ioapic: kvm: Skip route updates for masked pins (Jan Kiszka)
> c00635946f: tpm_emulator: Translate TPM error codes to strings (Stefan Berger)
> 51ce84e119: tpm: Exit in reset when backend indicates failure (Stefan Berger)
> 0318166a9f: vhost: fix vhost_log size overflow during migration (Li Hangjing)
> 261d7f653a: iotests: Test unaligned raw images with O_DIRECT (Max Reitz)
> 044b0bcedf: block/file-posix: Unaligned O_DIRECT block-status (Max Reitz)
> 1742e3c74e: iotests: Filter second BLOCK_JOB_ERROR from 229 (Max Reitz)
> f173a43a6d: megasas: fix mapped frame size (Peter Lieven)
> 2157938f7b: s390x/cpumodel: ignore csske for expansion (Christian Borntraeger)
> f56e70ee4f: do not call vhost_net_cleanup() on running net from char user event (Dan Streetman)
> 8a5aaad6c2: block: Fix AioContext switch for bs->drv == NULL (Kevin Wolf)
> 3c9e488dbe: cutils: Fix size_to_str() on 32-bit platforms (Eric Blake)
> c627cc38be: qcow2: Avoid COW during metadata preallocation (Kevin Wolf)
> b443db97c1: qemu-img: fix error reporting for -object (Daniel P. Berrangé)
> 6b29db871d: usb-mtp: use O_NOFOLLOW and O_CLOEXEC. (Gerd Hoffmann)
> 6c77b5ab35: qga: update docs with systemd suspend support info (Daniel Henrique Barboza)
> 11cd30e71a: mac_newworld: use node name instead of alias name for hd device in FWPathProvider (Mark Cave-Ayland)
> 4a25ba2e2b: mac_oldworld: use node name instead of alias name for hd device in FWPathProvider (Mark Cave-Ayland)
> 847fe10828: configure: improve usbfs check (Thomas Petazzoni)
> f3a70a4ae1: qga-win: include glib when building VSS DLL (Michael Roth)
> d7cae05bf5: json: Fix % handling when not interpolating (Christophe Fergeau)
> d03c389511: i386: remove the 'INTEL_PT' CPUID bit from named CPU models (Paolo Bonzini)
> 02d735c274: i386: remove the new CPUID 'PCONFIG' from Icelake-Server CPU model (Robert Hoo)
> 821314aec3: vfio-ap: flag as compatible with balloon (Cornelia Huck)
> 7c693f0c3f: tpm_tis: fix loop that cancels any seizure by a lower locality (Liam Merwick)
> 83cd9ed3d7: slirp: check sscanf result when emulating ident (William Bowling)
> c6f25642e0: hw/rdma: another clang compilation fix (Marcel Apfelbaum)
> 27df37c1ea: block: Fix invalidate_cache error path for parent activation (Kevin Wolf)
> fe87edd5ed: tpm: Make sure the locality received from backend is valid (Stefan Berger)
> 27b0c099fd: tpm: Make sure new locality passed to tpm_tis_prep_abort() is valid (Stefan Berger)
> 00d0932e0b: exec.c: Don't reallocate IOMMUNotifiers that are in use (Peter Maydell)
> 2e5502300e: s390x: Return specification exception for unimplemented diag 308 subcodes (Janosch Frank)
> 8ec7368c8f: linux-user: make pwrite64/pread64(fd, NULL, 0, offset) return 0 (Peter Maydell)
> 85bfce130a: hw/s390x: Fix bad mask in time2tod() (Thomas Huth)
> 98cf1bb872: pc:piix4: Update smbus I/O space after a migration (Corey Minyard)
> 5363028d1f: pcie: set link state inactive/active after hot unplug/plug (Zheng Xiang)
> 0d6b9ce17c: Changes requirement for "vsubsbs" instruction (Paul A. Clarke)
> def04278d1: iotests: make 235 work on s390 (and others) (Christian Borntraeger)
> 08c410e390: i2c: Move typedef of bitbang_i2c_interface to i2c.h (BALATON Zoltan)

I was testing the CVE-2019-14378 fix, 7min too late :(