From cc96677469388bad3d66479379735cf75db069e3 Mon Sep 17 00:00:00 2001
From: Paolo Bonzini
Date: Mon, 20 Jun 2016 16:32:39 +0200
Subject: [PATCH] scsi: esp: fix migration

Commit 926cde5 ("scsi: esp: make cmdbuf big enough for maximum CDB size", 2016-06-16) changed the size of a migrated field. Split it in two parts, and only migrate the second part in a new vmstate version.

Signed-off-by: Paolo Bonzini

Upstream-Status: Backport
CVE: CVE-2016-6351 patch1
Signed-off-by: Armin Kuster
---
 hw/scsi/esp.c | 5 +++--
 include/migration/vmstate.h | 5 ++++-
 2 files changed, 7 insertions(+), 3 deletions(-)

Index: qemu-2.4.0/hw/scsi/esp.c
===================================================================
--- qemu-2.4.0.orig/hw/scsi/esp.c
+++ qemu-2.4.0/hw/scsi/esp.c
@@ -571,7 +571,7 @@ static bool esp_mem_accepts(void *opaque
 const VMStateDescription vmstate_esp = {
 .name ="esp",
- .version_id = 3,
+ .version_id = 4,
 .minimum_version_id = 3,
 .fields = (VMStateField[]) {
 VMSTATE_BUFFER(rregs, ESPState),
@@ -582,7 +582,8 @@ const VMStateDescription vmstate_esp = {
 VMSTATE_BUFFER(ti_buf, ESPState),
 VMSTATE_UINT32(status, ESPState),
 VMSTATE_UINT32(dma, ESPState),
- VMSTATE_BUFFER(cmdbuf, ESPState),
+ VMSTATE_PARTIAL_BUFFER(cmdbuf, ESPState, 16),
+ VMSTATE_BUFFER_START_MIDDLE_V(cmdbuf, ESPState, 16, 4),
 VMSTATE_UINT32(cmdlen, ESPState),
 VMSTATE_UINT32(do_cmd, ESPState),
 VMSTATE_UINT32(dma_left, ESPState),
Index: qemu-2.4.0/include/migration/vmstate.h
===================================================================
--- qemu-2.4.0.orig/include/migration/vmstate.h
+++ qemu-2.4.0/include/migration/vmstate.h
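Review bot: `VMSTATE_UINT32(cmdlen, ESPState)` right after the two new `cmdbuf` fields still restores `cmdlen` straight from the stream, and nothing in this hunk bounds it against the size of `cmdbuf`; whether `vmstate_esp` already has a `.post_load` hook is not visible here, but one that rejects a `cmdlen` larger than the `cmdbuf` array would stop a corrupted or mismatched stream from describing more command bytes than the buffer holds. The literal `16` in `VMSTATE_PARTIAL_BUFFER(cmdbuf, ESPState, 16)` and `VMSTATE_BUFFER_START_MIDDLE_V(cmdbuf, ESPState, 16, 4)` is the pre-version-4 buffer length and should carry a comment such as `/* first 16 bytes match version 3 streams; the rest exists only from version 4 */`, or a named constant, so the split point is not mistaken for an arbitrary offset. The version bump in the first hunk deliberately leaves `.minimum_version_id = 3`, which is what makes the partial-buffer split necessary; a one-line comment there pointing at the `cmdbuf` fields would tie the two hunks together for the next reader. The `vmstate_esp` initializer continues outside both hunks.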
@@ -778,8 +778,11 @@ extern const VMStateInfo vmstate_info_bi
 #define VMSTATE_PARTIAL_BUFFER(_f, _s, _size) \
 VMSTATE_STATIC_BUFFER(_f, _s, 0, NULL, 0, _size)
 
+#define VMSTATE_BUFFER_START_MIDDLE_V(_f, _s, _start, _v) \
+ VMSTATE_STATIC_BUFFER(_f, _s, _v, NULL, _start, sizeof(typeof_field(_s, _f)))
+
 #define VMSTATE_BUFFER_START_MIDDLE(_f, _s, _start) \
- VMSTATE_STATIC_BUFFER(_f, _s, 0, NULL, _start, sizeof(typeof_field(_s, _f)))
+ VMSTATE_BUFFER_START_MIDDLE_V(_f, _s, _start, 0)
 
 #define VMSTATE_PARTIAL_VBUFFER(_f, _s, _size) \
 VMSTATE_VBUFFER(_f, _s, 0, NULL, 0, _size)
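Review bot: The new `VMSTATE_BUFFER_START_MIDDLE_V` macro is added without any comment, and its contract — which bytes of `_f` it covers and what `_v` gates — is only recoverable by reading `VMSTATE_STATIC_BUFFER`, which is outside the hunk. A header comment above it such as `/* Migrate _f from byte offset _start to the end of the array; present only in streams of version >= _v. */` would document it at the point of definition. Redefining `VMSTATE_BUFFER_START_MIDDLE` in terms of the `_V` variant with `0` is the right de-duplication, and the same one-line comment would help there too, since the neighbouring `VMSTATE_PARTIAL_BUFFER` and `VMSTATE_PARTIAL_VBUFFER` are equally undocumented. Nothing visible checks that `_start` is below the array size; that matches the existing macro, but the comment should state that precondition since the macro cannot enforce it.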