qemu-xilinx: lock down on YP 5.1.0 integration

Yocto Project has moved to 5.2.0, but qemu-xilinx has not yet moved forward to
a matching version.  Temporarily include the last 5.1.0 version from master.

Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>

27 files changed, 1629 insertions, 2 deletions

diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu-native.inc b/meta-xilinx-bsp/recipes-devtools/qemu/qemu-native.inc
new file mode 100644
index 00000000..aa5c9b9a
--- /dev/null
+++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu-native.inc
@@ -0,0 +1,11 @@
+inherit native
+
+require qemu.inc
+
+EXTRA_OEMAKE_append = " LD='${LD}' AR='${AR}' OBJCOPY='${OBJCOPY}' LDFLAGS='${LDFLAGS}'"
+
+LDFLAGS_append = " -fuse-ld=bfd"
+
+do_install_append() {
+     ${@bb.utils.contains('PACKAGECONFIG', 'gtk+', 'make_qemu_wrapper', '', d)}
+}
diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu-targets.inc b/meta-xilinx-bsp/recipes-devtools/qemu/qemu-targets.inc
new file mode 100644
index 00000000..24f9a039
--- /dev/null
+++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu-targets.inc
@@ -0,0 +1,28 @@
+# possible arch values are:
+#    aarch64 arm armeb alpha cris i386 x86_64 m68k microblaze
+#    mips mipsel mips64 mips64el ppc ppc64 ppc64abi32 ppcemb
+#    riscv32 riscv64 sparc sparc32 sparc32plus
+
+def get_qemu_target_list(d):
+    import bb
+    archs = d.getVar('QEMU_TARGETS').split()
+    tos = d.getVar('HOST_OS')
+    softmmuonly = ""
+    for arch in ['ppcemb', 'lm32']:
+        if arch in archs:
+            softmmuonly += arch + "-softmmu,"
+            archs.remove(arch)
+    linuxuseronly = ""
+    for arch in ['armeb', 'alpha', 'ppc64abi32', 'ppc64le', 'sparc32plus', 'aarch64_be']:
+        if arch in archs:
+            linuxuseronly += arch + "-linux-user,"
+            archs.remove(arch)
+    if 'linux' not in tos:
+        return softmmuonly + ''.join([arch + "-softmmu" + "," for arch in archs]).rstrip(',')
+    return softmmuonly + linuxuseronly + ''.join([arch + "-linux-user" + "," + arch + "-softmmu" + "," for arch in archs]).rstrip(',')
+
+def get_qemu_usermode_target_list(d):
+    return ",".join(filter(lambda i: "-linux-user" in i, get_qemu_target_list(d).split(',')))
+
+def get_qemu_system_target_list(d):
+    return ",".join(filter(lambda i: "-linux-user" not in i, get_qemu_target_list(d).split(',')))
diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu-xilinx-native.inc b/meta-xilinx-bsp/recipes-devtools/qemu/qemu-xilinx-native.inc
index a1dc5d66..d8f06c77 100644
--- a/meta-xilinx-bsp/recipes-devtools/qemu/qemu-xilinx-native.inc
+++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu-xilinx-native.inc
@@ -1,4 +1,4 @@
-require recipes-devtools/qemu/qemu-native.inc
+require qemu-native.inc
 require qemu-xilinx.inc
 
 DEPENDS = "glib-2.0-native zlib-native"
diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu-xilinx_2020.2.bb b/meta-xilinx-bsp/recipes-devtools/qemu/qemu-xilinx_2020.2.bb
index 09f431ec..fd1904ab 100644
--- a/meta-xilinx-bsp/recipes-devtools/qemu/qemu-xilinx_2020.2.bb
+++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu-xilinx_2020.2.bb
@@ -1,4 +1,4 @@
-require recipes-devtools/qemu/qemu.inc
+require qemu.inc
 require qemu-xilinx.inc
 
 BBCLASSEXTEND = "nativesdk"
diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu.inc b/meta-xilinx-bsp/recipes-devtools/qemu/qemu.inc
new file mode 100644
index 00000000..4864d7e9
--- /dev/null
+++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu.inc
@@ -0,0 +1,197 @@
+SUMMARY = "Fast open source processor emulator"
+DESCRIPTION = "QEMU is a hosted virtual machine monitor: it emulates the \
+machine's processor through dynamic binary translation and provides a set \
+of different hardware and device models for the machine, enabling it to run \
+a variety of guest operating systems"
+HOMEPAGE = "http://qemu.org"
+LICENSE = "GPLv2 & LGPLv2.1"
+
+RDEPENDS_${PN}-ptest = "bash make"
+
+require qemu-targets.inc
+inherit pkgconfig ptest
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=441c28d2cf86e15a37fa47e15a72fbac \
+                    file://COPYING.LIB;endline=24;md5=8c5efda6cf1e1b03dcfd0e6c0d271c7f"
+
+SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
+           file://powerpc_rom.bin \
+           file://run-ptest \
+           file://0001-qemu-Add-missing-wacom-HID-descriptor.patch \
+           file://0002-Add-subpackage-ptest-which-runs-all-unit-test-cases-.patch \
+           file://0003-qemu-Add-addition-environment-space-to-boot-loader-q.patch \
+           file://0004-qemu-disable-Valgrind.patch \
+           file://0005-qemu-native-set-ld.bfd-fix-cflags-and-set-some-envir.patch \
+           file://0006-chardev-connect-socket-to-a-spawned-command.patch \
+           file://0007-apic-fixup-fallthrough-to-PIC.patch \
+           file://0008-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch \
+           file://0009-Fix-webkitgtk-builds.patch \
+           file://0010-configure-Add-pkg-config-handling-for-libgcrypt.patch \
+           file://0001-Add-enable-disable-udev.patch \
+           file://0001-qemu-Do-not-include-file-if-not-exists.patch \
+           file://find_datadir.patch \
+           file://usb-fix-setup_len-init.patch \
+           file://0001-target-mips-Increase-number-of-TLB-entries-on-the-34.patch \
+           file://CVE-2020-24352.patch \
+           file://CVE-2020-29129-CVE-2020-29130.patch \
+           file://CVE-2020-25624.patch \
+           file://CVE-2020-25723.patch \
+           file://CVE-2020-28916.patch \
+           "
+UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
+
+SRC_URI[sha256sum] = "c9174eb5933d9eb5e61f541cd6d1184cd3118dfe4c5c4955bc1bdc4d390fa4e5"
+
+COMPATIBLE_HOST_mipsarchn32 = "null"
+COMPATIBLE_HOST_mipsarchn64 = "null"
+
+# Per https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg03873.html
+# upstream states qemu doesn't work without optimization
+DEBUG_BUILD = "0"
+
+do_install_append() {
+    # Prevent QA warnings about installed ${localstatedir}/run
+    if [ -d ${D}${localstatedir}/run ]; then rmdir ${D}${localstatedir}/run; fi
+}
+
+do_compile_ptest() {
+        make buildtest-TESTS
+}
+
+do_install_ptest() {
+        cp -rL ${B}/tests ${D}${PTEST_PATH}
+        find ${D}${PTEST_PATH}/tests -type f -name "*.[Sshcod]" | xargs -i rm -rf {}
+
+        cp ${S}/tests/Makefile.include ${D}${PTEST_PATH}/tests
+        # Don't check the file genreated by configure
+        sed -i -e '/wildcard config-host.mak/d' \
+               -e '$ {/endif/d}' ${D}${PTEST_PATH}/tests/Makefile.include
+        sed -i -e 's,${HOSTTOOLS_DIR}/python3,${bindir}/python3,' \
+            ${D}/${PTEST_PATH}/tests/qemu-iotests/common.env 
+        sed -i -e "1s,#!/usr/bin/bash,#!${base_bindir}/bash," ${D}${PTEST_PATH}/tests/data/acpi/disassemle-aml.sh
+}
+
+# QEMU_TARGETS is overridable variable
+QEMU_TARGETS ?= "arm aarch64 i386 mips mipsel mips64 mips64el ppc ppc64 ppc64le riscv32 riscv64 sh4 x86_64"
+
+EXTRA_OECONF = " \
+    --prefix=${prefix} \
+    --bindir=${bindir} \
+    --includedir=${includedir} \
+    --libdir=${libdir} \
+    --mandir=${mandir} \
+    --datadir=${datadir} \
+    --docdir=${docdir}/${BPN} \
+    --sysconfdir=${sysconfdir} \
+    --libexecdir=${libexecdir} \
+    --localstatedir=${localstatedir} \
+    --with-confsuffix=/${BPN} \
+    --disable-strip \
+    --disable-werror \
+    --extra-cflags='${CFLAGS}' \
+    --extra-ldflags='${LDFLAGS}' \
+    --with-git=/bin/false \
+    --disable-git-update \
+    ${PACKAGECONFIG_CONFARGS} \
+    "
+
+export LIBTOOL="${HOST_SYS}-libtool"
+
+B = "${WORKDIR}/build"
+
+EXTRA_OECONF_append = " --python=${HOSTTOOLS_DIR}/python3"
+
+do_configure_prepend_class-native() {
+        # Append build host pkg-config paths for native target since the host may provide sdl
+        BHOST_PKGCONFIG_PATH=$(PATH=/usr/bin:/bin pkg-config --variable pc_path pkg-config || echo "")
+        if [ ! -z "$BHOST_PKGCONFIG_PATH" ]; then
+                export PKG_CONFIG_PATH=$PKG_CONFIG_PATH:$BHOST_PKGCONFIG_PATH
+        fi
+}
+
+do_configure() {
+    ${S}/configure ${EXTRA_OECONF}
+}
+do_configure[cleandirs] += "${B}"
+
+do_install () {
+        export STRIP=""
+        oe_runmake 'DESTDIR=${D}' install
+}
+
+# The following fragment will create a wrapper for qemu-mips user emulation
+# binary in order to work around a segmentation fault issue. Basically, by
+# default, the reserved virtual address space for 32-on-64 bit is set to 4GB.
+# This will trigger a MMU access fault in the virtual CPU. With this change,
+# the qemu-mips works fine.
+# IMPORTANT: This piece needs to be removed once the root cause is fixed!
+do_install_append() {
+        if [ -e "${D}/${bindir}/qemu-mips" ]; then
+                create_wrapper ${D}/${bindir}/qemu-mips \
+                        QEMU_RESERVED_VA=0x0
+        fi
+}
+# END of qemu-mips workaround
+
+make_qemu_wrapper() {
+        gdk_pixbuf_module_file=`pkg-config --variable=gdk_pixbuf_cache_file gdk-pixbuf-2.0`
+
+        for tool in `ls ${D}${bindir}/qemu-system-*`; do
+                create_wrapper $tool \
+                        GDK_PIXBUF_MODULE_FILE=$gdk_pixbuf_module_file \
+                        FONTCONFIG_PATH=/etc/fonts \
+                        GTK_THEME=Adwaita
+        done
+}
+
+# Disable kvm/virgl/mesa on targets that do not support it
+PACKAGECONFIG_remove_darwin = "kvm virglrenderer glx gtk+"
+PACKAGECONFIG_remove_mingw32 = "kvm virglrenderer glx gtk+"
+
+PACKAGECONFIG[sdl] = "--enable-sdl,--disable-sdl,libsdl2"
+PACKAGECONFIG[virtfs] = "--enable-virtfs --enable-attr --enable-cap-ng,--disable-virtfs,libcap-ng attr,"
+PACKAGECONFIG[aio] = "--enable-linux-aio,--disable-linux-aio,libaio,"
+PACKAGECONFIG[xfs] = "--enable-xfsctl,--disable-xfsctl,xfsprogs,"
+PACKAGECONFIG[xen] = "--enable-xen,--disable-xen,xen-tools,xen-tools-libxenstore xen-tools-libxenctrl xen-tools-libxenguest"
+PACKAGECONFIG[vnc-sasl] = "--enable-vnc --enable-vnc-sasl,--disable-vnc-sasl,cyrus-sasl,"
+PACKAGECONFIG[vnc-jpeg] = "--enable-vnc --enable-vnc-jpeg,--disable-vnc-jpeg,jpeg,"
+PACKAGECONFIG[vnc-png] = "--enable-vnc --enable-vnc-png,--disable-vnc-png,libpng,"
+PACKAGECONFIG[libcurl] = "--enable-curl,--disable-curl,curl,"
+PACKAGECONFIG[nss] = "--enable-smartcard,--disable-smartcard,nss,"
+PACKAGECONFIG[curses] = "--enable-curses,--disable-curses,ncurses,"
+PACKAGECONFIG[gtk+] = "--enable-gtk,--disable-gtk,gtk+3 gettext-native"
+PACKAGECONFIG[vte] = "--enable-vte,--disable-vte,vte gettext-native"
+PACKAGECONFIG[libcap-ng] = "--enable-cap-ng,--disable-cap-ng,libcap-ng,"
+PACKAGECONFIG[ssh] = "--enable-libssh,--disable-libssh,libssh,"
+PACKAGECONFIG[gcrypt] = "--enable-gcrypt,--disable-gcrypt,libgcrypt,"
+PACKAGECONFIG[nettle] = "--enable-nettle,--disable-nettle,nettle"
+PACKAGECONFIG[libusb] = "--enable-libusb,--disable-libusb,libusb1"
+PACKAGECONFIG[fdt] = "--enable-fdt,--disable-fdt,dtc"
+PACKAGECONFIG[alsa] = "--audio-drv-list='oss alsa',,alsa-lib"
+PACKAGECONFIG[glx] = "--enable-opengl,--disable-opengl,virtual/libgl"
+PACKAGECONFIG[lzo] = "--enable-lzo,--disable-lzo,lzo"
+PACKAGECONFIG[numa] = "--enable-numa,--disable-numa,numactl"
+PACKAGECONFIG[gnutls] = "--enable-gnutls,--disable-gnutls,gnutls"
+PACKAGECONFIG[bzip2] = "--enable-bzip2,--disable-bzip2,bzip2"
+PACKAGECONFIG[libiscsi] = "--enable-libiscsi,--disable-libiscsi"
+PACKAGECONFIG[kvm] = "--enable-kvm,--disable-kvm"
+PACKAGECONFIG[virglrenderer] = "--enable-virglrenderer,--disable-virglrenderer,virglrenderer"
+# spice will be in meta-networking layer
+PACKAGECONFIG[spice] = "--enable-spice,--disable-spice,spice"
+# usbredir will be in meta-networking layer
+PACKAGECONFIG[usb-redir] = "--enable-usb-redir,--disable-usb-redir,usbredir"
+PACKAGECONFIG[snappy] = "--enable-snappy,--disable-snappy,snappy"
+PACKAGECONFIG[glusterfs] = "--enable-glusterfs,--disable-glusterfs,glusterfs"
+PACKAGECONFIG[xkbcommon] = "--enable-xkbcommon,--disable-xkbcommon,libxkbcommon"
+PACKAGECONFIG[libudev] = "--enable-libudev,--disable-libudev,eudev"
+PACKAGECONFIG[libxml2] = "--enable-libxml2,--disable-libxml2,libxml2"
+PACKAGECONFIG[attr] = "--enable-attr,--disable-attr,attr,"
+PACKAGECONFIG[rbd] = "--enable-rbd,--disable-rbd,ceph,ceph"
+PACKAGECONFIG[vhost] = "--enable-vhost-net,--disable-vhost-net,,"
+PACKAGECONFIG[ust] = "--enable-trace-backend=ust,--enable-trace-backend=nop,lttng-ust,"
+PACKAGECONFIG[pie] = "--enable-pie,--disable-pie,,"
+PACKAGECONFIG[seccomp] = "--enable-seccomp,--disable-seccomp,libseccomp"
+
+INSANE_SKIP_${PN} = "arch"
+
+FILES_${PN} += "${datadir}/icons"
diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0001-Add-enable-disable-udev.patch b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0001-Add-enable-disable-udev.patch
new file mode 100644
index 00000000..1304ee3b
--- /dev/null
+++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0001-Add-enable-disable-udev.patch
@@ -0,0 +1,29 @@
+From b921e5204030845dc7c9d16d5f66d965e8d05367 Mon Sep 17 00:00:00 2001
+From: Jeremy Puhlman <jpuhlman@mvista.com>
+Date: Thu, 19 Mar 2020 11:54:26 -0700
+Subject: [PATCH] Add enable/disable libudev
+
+Upstream-Status: Pending
+Signed-off-by: Jeremy Puhlman <jpuhlman@mvista.com>
+
+[update patch context]
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ configure | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+Index: qemu-5.1.0/configure
+===================================================================
+--- qemu-5.1.0.orig/configure
++++ qemu-5.1.0/configure
+@@ -1640,6 +1640,10 @@ for opt do
+   ;;
+   --disable-libdaxctl) libdaxctl=no
+   ;;
++  --enable-libudev) libudev="yes"
++  ;;
++  --disable-libudev) libudev="no"
++  ;;
+   *)
+       echo "ERROR: unknown option $opt"
+       echo "Try '$0 --help' for more information"
diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0001-qemu-Add-missing-wacom-HID-descriptor.patch b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0001-qemu-Add-missing-wacom-HID-descriptor.patch
new file mode 100644
index 00000000..46c9da08
--- /dev/null
+++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0001-qemu-Add-missing-wacom-HID-descriptor.patch
@@ -0,0 +1,141 @@
+From 883feb43129dc39b491e492c7ccfe89aefe53c44 Mon Sep 17 00:00:00 2001
+From: Richard Purdie <richard.purdie@linuxfoundation.org>
+Date: Thu, 27 Nov 2014 14:04:29 +0000
+Subject: [PATCH] qemu: Add missing wacom HID descriptor
+
+The USB wacom device is missing a HID descriptor which causes it
+to fail to operate with recent kernels (e.g. 3.17).
+
+This patch adds a HID desriptor to the device, based upon one from
+real wcom device.
+
+Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
+
+Upstream-Status: Submitted
+2014/11/27
+
+[update patch context]
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/usb/dev-wacom.c | 94 +++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 93 insertions(+), 1 deletion(-)
+
+Index: qemu-5.1.0/hw/usb/dev-wacom.c
+===================================================================
+--- qemu-5.1.0.orig/hw/usb/dev-wacom.c
++++ qemu-5.1.0/hw/usb/dev-wacom.c
+@@ -74,6 +74,89 @@ static const USBDescStrings desc_strings
+     [STR_SERIALNUMBER]     = "1",
+ };
+ 
++static const uint8_t qemu_tablet_hid_report_descriptor[] = {
++    0x05, 0x01,                /* Usage Page (Generic Desktop) */
++    0x09, 0x02,                /* Usage (Mouse) */
++    0xa1, 0x01,                /* Collection (Application) */
++    0x85, 0x01,                /*   Report ID (1) */ 
++    0x09, 0x01,                /*   Usage (Pointer) */
++    0xa1, 0x00,                /*   Collection (Physical) */
++    0x05, 0x09,                /*     Usage Page (Button) */
++    0x19, 0x01,                /*     Usage Minimum (1) */
++    0x29, 0x05,                /*     Usage Maximum (5) */
++    0x15, 0x00,                /*     Logical Minimum (0) */
++    0x25, 0x01,                /*     Logical Maximum (1) */
++    0x95, 0x05,                /*     Report Count (5) */
++    0x75, 0x01,                /*     Report Size (1) */
++    0x81, 0x02,                /*     Input (Data, Variable, Absolute) */
++    0x95, 0x01,                /*     Report Count (1) */
++    0x75, 0x03,                /*     Report Size (3) */
++    0x81, 0x01,                /*     Input (Constant) */
++    0x05, 0x01,                /*     Usage Page (Generic Desktop) */
++    0x09, 0x30,                /*     Usage (X) */
++    0x09, 0x31,                /*     Usage (Y) */
++    0x15, 0x81,                /*     Logical Minimum (-127) */
++    0x25, 0x7f,                /*     Logical Maximum (127) */
++    0x75, 0x08,                /*     Report Size (8) */
++    0x95, 0x02,                /*     Report Count (2) */
++    0x81, 0x06,                /*     Input (Data, Variable, Relative) */
++    0xc0,              /*   End Collection */
++    0xc0,              /* End Collection */
++    0x05, 0x0d,                /* Usage Page (Digitizer) */
++    0x09, 0x01,                /* Usage (Digitizer) */
++    0xa1, 0x01,                /* Collection (Application) */
++    0x85, 0x02,                /*   Report ID (2) */ 
++    0xa1, 0x00,                /*   Collection (Physical) */
++    0x06, 0x00, 0xff,   /*   Usage Page (Vendor 0xff00) */
++    0x09, 0x01,        /*   Usage (Digitizer) */
++    0x15, 0x00,        /*     Logical Minimum (0) */
++    0x26, 0xff, 0x00,  /*     Logical Maximum (255) */
++    0x75, 0x08,                /*     Report Size (8) */
++    0x95, 0x08,                /*     Report Count (8) */
++    0x81, 0x02,                /*     Input (Data, Variable, Absolute) */
++    0xc0,              /*   End Collection */
++    0x09, 0x01,                /*   Usage (Digitizer) */
++    0x85, 0x02,        /*   Report ID (2) */ 
++    0x95, 0x01,                /*   Report Count (1) */
++    0xb1, 0x02,                /*   FEATURE (2) */
++    0xc0,              /* End Collection */
++    0x06, 0x00, 0xff,  /* Usage Page (Vendor 0xff00) */
++    0x09, 0x01,                /* Usage (Digitizer) */
++    0xa1, 0x01,                /* Collection (Application) */
++    0x85, 0x02,        /*   Report ID (2) */ 
++    0x05, 0x0d,                /*   Usage Page (Digitizer)  */
++    0x09, 0x22,        /*   Usage (Finger) */
++    0xa1, 0x00,        /*   Collection (Physical) */
++    0x06, 0x00, 0xff,  /*   Usage Page (Vendor 0xff00) */
++    0x09, 0x01,                /*     Usage (Digitizer) */
++    0x15, 0x00,        /*     Logical Minimum (0) */
++    0x26, 0xff, 0x00,          /*     Logical Maximum */
++    0x75, 0x08,                /*     Report Size (8) */
++    0x95, 0x02,                /*     Report Count (2) */
++    0x81, 0x02,        /*     Input (Data, Variable, Absolute) */
++    0x05, 0x01,                /*     Usage Page (Generic Desktop) */
++    0x09, 0x30,                /*     Usage (X) */
++    0x35, 0x00,        /*     Physical Minimum */
++    0x46, 0xe0, 0x2e,  /*     Physical Maximum */
++    0x26, 0xe0, 0x01,   /*     Logical Maximum */
++    0x75, 0x10,                /*     Report Size (16) */
++    0x95, 0x01,                /*     Report Count (1) */
++    0x81, 0x02,                /*     Input (Data, Variable, Absolute) */
++    0x09, 0x31,                /*     Usage (Y) */
++    0x46, 0x40, 0x1f,  /*     Physical Maximum */
++    0x26, 0x40, 0x01,  /*     Logical Maximum */
++    0x81, 0x02,        /*     Input (Data, Variable, Absolute) */
++    0x06, 0x00, 0xff,  /*     Usage Page (Vendor 0xff00) */
++    0x09, 0x01,        /*     Usage (Digitizer) */
++    0x26, 0xff, 0x00,          /*     Logical Maximum */
++    0x75, 0x08,                /*     Report Size (8) */
++    0x95, 0x0d,                /*     Report Count (13) */
++    0x81, 0x02,                /*     Input (Data, Variable, Absolute) */
++    0xc0,              /*   End Collection */ 
++    0xc0,              /* End Collection */
++};
++
++
+ static const USBDescIface desc_iface_wacom = {
+     .bInterfaceNumber              = 0,
+     .bNumEndpoints                 = 1,
+@@ -91,7 +174,7 @@ static const USBDescIface desc_iface_wac
+                 0x00,          /*  u8  country_code */
+                 0x01,          /*  u8  num_descriptors */
+                 0x22,          /*  u8  type: Report */
+-                0x6e, 0,       /*  u16 len */
++                sizeof(qemu_tablet_hid_report_descriptor), 0, /*  u16 len */
+             },
+         },
+     },
+@@ -271,6 +354,15 @@ static void usb_wacom_handle_control(USB
+     }
+ 
+     switch (request) {
++    case InterfaceRequest | USB_REQ_GET_DESCRIPTOR:
++        switch (value >> 8) {
++        case 0x22:
++                memcpy(data, qemu_tablet_hid_report_descriptor,
++                       sizeof(qemu_tablet_hid_report_descriptor));
++                p->actual_length = sizeof(qemu_tablet_hid_report_descriptor);
++            break;
++        }
++        break;
+     case WACOM_SET_REPORT:
+         if (s->mouse_grabbed) {
+             qemu_remove_mouse_event_handler(s->eh_entry);
diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0001-qemu-Do-not-include-file-if-not-exists.patch b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0001-qemu-Do-not-include-file-if-not-exists.patch
new file mode 100644
index 00000000..d6c0f9eb
--- /dev/null
+++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0001-qemu-Do-not-include-file-if-not-exists.patch
@@ -0,0 +1,31 @@
+From 34247f83095f8cdcdc1f9d7f0c6ffbd46b25d979 Mon Sep 17 00:00:00 2001
+From: Oleksiy Obitotskyy <oobitots@cisco.com>
+Date: Wed, 25 Mar 2020 21:21:35 +0200
+Subject: [PATCH] qemu: Do not include file if not exists
+
+Script configure checks for if_alg.h and check failed but
+if_alg.h still included.
+
+Upstream-Status: Submitted [https://lists.gnu.org/archive/html/qemu-devel/2020-03/msg07188.html]
+Signed-off-by: Oleksiy Obitotskyy <oobitots@cisco.com>
+
+[update patch context]
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ linux-user/syscall.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+Index: qemu-5.1.0/linux-user/syscall.c
+===================================================================
+--- qemu-5.1.0.orig/linux-user/syscall.c
++++ qemu-5.1.0/linux-user/syscall.c
+@@ -109,7 +109,9 @@
+ #include <linux/blkpg.h>
+ #include <netpacket/packet.h>
+ #include <linux/netlink.h>
++#if defined(CONFIG_AF_ALG)
+ #include <linux/if_alg.h>
++#endif
+ #include <linux/rtc.h>
+ #include <sound/asound.h>
+ #ifdef HAVE_DRM_H
diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0001-target-mips-Increase-number-of-TLB-entries-on-the-34.patch b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0001-target-mips-Increase-number-of-TLB-entries-on-the-34.patch
new file mode 100644
index 00000000..5227b7cb
--- /dev/null
+++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0001-target-mips-Increase-number-of-TLB-entries-on-the-34.patch
@@ -0,0 +1,59 @@
+From 68fa519a6cb455005317bd61f95214b58b2f1e69 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
+Date: Fri, 16 Oct 2020 15:20:37 +0200
+Subject: [PATCH] target/mips: Increase number of TLB entries on the 34Kf core
+ (16 -> 64)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Per "MIPS32 34K Processor Core Family Software User's Manual,
+Revision 01.13" page 8 in "Joint TLB (JTLB)" section:
+
+  "The JTLB is a fully associative TLB cache containing 16, 32,
+   or 64-dual-entries mapping up to 128 virtual pages to their
+   corresponding physical addresses."
+
+There is no particular reason to restrict the 34Kf core model to
+16 TLB entries, so raise its config to 64.
+
+This is helpful for other projects, in particular the Yocto Project:
+
+  Yocto Project uses qemu-system-mips 34Kf cpu model, to run 32bit
+  MIPS CI loop. It was observed that in this case CI test execution
+  time was almost twice longer than 64bit MIPS variant that runs
+  under MIPS64R2-generic model. It was investigated and concluded
+  that the difference in number of TLBs 16 in 34Kf case vs 64 in
+  MIPS64R2-generic is responsible for most of CI real time execution
+  difference. Because with 16 TLBs linux user-land trashes TLB more
+  and it needs to execute more instructions in TLB refill handler
+  calls, as result it runs much longer.
+
+(https://lists.gnu.org/archive/html/qemu-devel/2020-10/msg03428.html)
+
+Buglink: https://bugzilla.yoctoproject.org/show_bug.cgi?id=13992
+Reported-by: Victor Kamensky <kamensky@cisco.com>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-Id: <20201016133317.553068-1-f4bug@amsat.org>
+
+Upstream-Status: Backport [https://github.com/qemu/qemu/commit/68fa519a6cb455005317bd61f95214b58b2f1e69]
+Signed-off-by: Victor Kamensky <kamensky@cisco.com>
+
+---
+ target/mips/translate_init.c.inc | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: qemu-5.1.0/target/mips/translate_init.inc.c
+===================================================================
+--- qemu-5.1.0.orig/target/mips/translate_init.inc.c
++++ qemu-5.1.0/target/mips/translate_init.inc.c
+@@ -254,7 +254,7 @@ const mips_def_t mips_defs[] =
+         .CP0_PRid = 0x00019500,
+         .CP0_Config0 = MIPS_CONFIG0 | (0x1 << CP0C0_AR) |
+                        (MMU_TYPE_R4000 << CP0C0_MT),
+-        .CP0_Config1 = MIPS_CONFIG1 | (1 << CP0C1_FP) | (15 << CP0C1_MMU) |
++        .CP0_Config1 = MIPS_CONFIG1 | (1 << CP0C1_FP) | (63 << CP0C1_MMU) |
+                        (0 << CP0C1_IS) | (3 << CP0C1_IL) | (1 << CP0C1_IA) |
+                        (0 << CP0C1_DS) | (3 << CP0C1_DL) | (1 << CP0C1_DA) |
+                        (1 << CP0C1_CA),
diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0002-Add-subpackage-ptest-which-runs-all-unit-test-cases-.patch b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0002-Add-subpackage-ptest-which-runs-all-unit-test-cases-.patch
new file mode 100644
index 00000000..f379948f
--- /dev/null
+++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0002-Add-subpackage-ptest-which-runs-all-unit-test-cases-.patch
@@ -0,0 +1,35 @@
+From 5da6cef7761157a003e7ebde74fb3cf90ab396d9 Mon Sep 17 00:00:00 2001
+From: Juro Bystricky <juro.bystricky@intel.com>
+Date: Thu, 31 Aug 2017 11:06:56 -0700
+Subject: [PATCH] Add subpackage -ptest which runs all unit test cases for
+ qemu.
+
+Upstream-Status: Pending
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+
+Signed-off-by: Juro Bystricky <juro.bystricky@intel.com>
+
+[update patch context]
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ tests/Makefile.include | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+Index: qemu-5.1.0/tests/Makefile.include
+===================================================================
+--- qemu-5.1.0.orig/tests/Makefile.include
++++ qemu-5.1.0/tests/Makefile.include
+@@ -982,4 +982,12 @@ all: $(QEMU_IOTESTS_HELPERS-y)
+ -include $(wildcard tests/qtest/*.d)
+ -include $(wildcard tests/qtest/libqos/*.d)
+ 
++buildtest-TESTS: $(check-unit-y)
++
++runtest-TESTS:
++       for f in $(check-unit-y); do \
++               nf=$$(echo $$f | sed 's/tests\//\.\//g'); \
++               $$nf; \
++       done
++
+ endif
diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0003-qemu-Add-addition-environment-space-to-boot-loader-q.patch b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0003-qemu-Add-addition-environment-space-to-boot-loader-q.patch
new file mode 100644
index 00000000..33cef422
--- /dev/null
+++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0003-qemu-Add-addition-environment-space-to-boot-loader-q.patch
@@ -0,0 +1,33 @@
+From ce1eceab2350d27960ec254650717085f6a11c9a Mon Sep 17 00:00:00 2001
+From: Jason Wessel <jason.wessel@windriver.com>
+Date: Fri, 28 Mar 2014 17:42:43 +0800
+Subject: [PATCH] qemu: Add addition environment space to boot loader
+ qemu-system-mips
+
+Upstream-Status: Inappropriate - OE uses deep paths
+
+If you create a project with very long directory names like 128 characters
+deep and use NFS, the kernel arguments will be truncated. The kernel will
+accept longer strings such as 1024 bytes, but the qemu boot loader defaulted
+to only 256 bytes. This patch expands the limit.
+
+Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
+Signed-off-by: Roy Li <rongqing.li@windriver.com>
+
+---
+ hw/mips/malta.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: qemu-5.1.0/hw/mips/malta.c
+===================================================================
+--- qemu-5.1.0.orig/hw/mips/malta.c
++++ qemu-5.1.0/hw/mips/malta.c
+@@ -59,7 +59,7 @@
+ 
+ #define ENVP_ADDR           0x80002000l
+ #define ENVP_NB_ENTRIES     16
+-#define ENVP_ENTRY_SIZE     256
++#define ENVP_ENTRY_SIZE     1024
+ 
+ /* Hardware addresses */
+ #define FLASH_ADDRESS       0x1e000000ULL
diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0004-qemu-disable-Valgrind.patch b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0004-qemu-disable-Valgrind.patch
new file mode 100644
index 00000000..71f537f9
--- /dev/null
+++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0004-qemu-disable-Valgrind.patch
@@ -0,0 +1,34 @@
+From 4127296bb1046cdf73994ba69dc913d8c02fd74f Mon Sep 17 00:00:00 2001
+From: Ross Burton <ross.burton@intel.com>
+Date: Tue, 20 Oct 2015 22:19:08 +0100
+Subject: [PATCH] qemu: disable Valgrind
+
+There isn't an option to enable or disable valgrind support, so disable it to avoid non-deterministic builds.
+
+Upstream-Status: Inappropriate
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+---
+ configure | 9 ---------
+ 1 file changed, 9 deletions(-)
+
+Index: qemu-5.1.0/configure
+===================================================================
+--- qemu-5.1.0.orig/configure
++++ qemu-5.1.0/configure
+@@ -5751,15 +5751,6 @@ fi
+ # check if we have valgrind/valgrind.h
+ 
+ valgrind_h=no
+-cat > $TMPC << EOF
+-#include <valgrind/valgrind.h>
+-int main(void) {
+-  return 0;
+-}
+-EOF
+-if compile_prog "" "" ; then
+-    valgrind_h=yes
+-fi
+ 
+ ########################################
+ # check if environ is declared
diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0005-qemu-native-set-ld.bfd-fix-cflags-and-set-some-envir.patch b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0005-qemu-native-set-ld.bfd-fix-cflags-and-set-some-envir.patch
new file mode 100644
index 00000000..02ebbee1
--- /dev/null
+++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0005-qemu-native-set-ld.bfd-fix-cflags-and-set-some-envir.patch
@@ -0,0 +1,28 @@
+From 230fe5804099bdca0c9e4cae7280c9fc513cb7f5 Mon Sep 17 00:00:00 2001
+From: Stephen Arnold <sarnold@vctlabs.com>
+Date: Sun, 12 Jun 2016 18:09:56 -0700
+Subject: [PATCH] qemu-native: set ld.bfd, fix cflags, and set some environment
+
+Upstream-Status: Pending
+
+[update patch context]
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ configure | 4 ----
+ 1 file changed, 4 deletions(-)
+
+Index: qemu-5.1.0/configure
+===================================================================
+--- qemu-5.1.0.orig/configure
++++ qemu-5.1.0/configure
+@@ -6515,10 +6515,6 @@ write_c_skeleton
+ if test "$gcov" = "yes" ; then
+   QEMU_CFLAGS="-fprofile-arcs -ftest-coverage -g $QEMU_CFLAGS"
+   QEMU_LDFLAGS="-fprofile-arcs -ftest-coverage $QEMU_LDFLAGS"
+-elif test "$fortify_source" = "yes" ; then
+-  CFLAGS="-O2 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 $CFLAGS"
+-elif test "$debug" = "no"; then
+-  CFLAGS="-O2 $CFLAGS"
+ fi
+ 
+ if test "$have_asan" = "yes"; then
diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0006-chardev-connect-socket-to-a-spawned-command.patch b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0006-chardev-connect-socket-to-a-spawned-command.patch
new file mode 100644
index 00000000..98fd5e91
--- /dev/null
+++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0006-chardev-connect-socket-to-a-spawned-command.patch
@@ -0,0 +1,241 @@
+From bcc63f775e265df69963a4ad7805b8678ace68f0 Mon Sep 17 00:00:00 2001
+From: Alistair Francis <alistair.francis@xilinx.com>
+Date: Thu, 21 Dec 2017 11:35:16 -0800
+Subject: [PATCH] chardev: connect socket to a spawned command
+
+The command is started in a shell (sh -c) with stdin connect to QEMU
+via a Unix domain stream socket. QEMU then exchanges data via its own
+end of the socket, just like it normally does.
+
+"-chardev socket" supports some ways of connecting via protocols like
+telnet, but that is only a subset of the functionality supported by
+tools socat. To use socat instead, for example to connect via a socks
+proxy, use:
+
+  -chardev 'socket,id=socat,cmd=exec socat FD:0 SOCKS4A:socks-proxy.localdomain:example.com:9999,,socksuser=nobody' \
+  -device usb-serial,chardev=socat
+
+Beware that commas in the command must be escaped as double commas.
+
+Or interactively in the console:
+   (qemu) chardev-add socket,id=cat,cmd=cat
+   (qemu) device_add usb-serial,chardev=cat
+   ^ac
+   # cat >/dev/ttyUSB0
+   hello
+   hello
+
+Another usage is starting swtpm from inside QEMU. swtpm will
+automatically shut down once it looses the connection to the parent
+QEMU, so there is no risk of lingering processes:
+
+  -chardev 'socket,id=chrtpm0,cmd=exec swtpm socket --terminate --ctrl type=unixio,,clientfd=0 --tpmstate dir=... --log file=swtpm.log' \
+  -tpmdev emulator,id=tpm0,chardev=chrtpm0 \
+  -device tpm-tis,tpmdev=tpm0
+
+The patch was discussed upstream, but QEMU developers believe that the
+code calling QEMU should be responsible for managing additional
+processes. In OE-core, that would imply enhancing runqemu and
+oeqa. This patch is a simpler solution.
+
+Because it is not going upstream, the patch was written so that it is
+as simple as possible.
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
+
+---
+ chardev/char-socket.c | 101 ++++++++++++++++++++++++++++++++++++++++++
+ chardev/char.c        |   3 ++
+ qapi/char.json        |   5 +++
+ 3 files changed, 109 insertions(+)
+
+Index: qemu-5.1.0/chardev/char-socket.c
+===================================================================
+--- qemu-5.1.0.orig/chardev/char-socket.c
++++ qemu-5.1.0/chardev/char-socket.c
+@@ -1292,6 +1292,67 @@ static bool qmp_chardev_validate_socket(
+     return true;
+ }
+ 
++#ifndef _WIN32
++static void chardev_open_socket_cmd(Chardev *chr,
++                                    const char *cmd,
++                                    Error **errp)
++{
++    int fds[2] = { -1, -1 };
++    QIOChannelSocket *sioc = NULL;
++    pid_t pid = -1;
++    const char *argv[] = { "/bin/sh", "-c", cmd, NULL };
++
++    /*
++     * We need a Unix domain socket for commands like swtpm and a single
++     * connection, therefore we cannot use qio_channel_command_new_spawn()
++     * without patching it first. Duplicating the functionality is easier.
++     */
++    if (socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC, 0, fds)) {
++        error_setg_errno(errp, errno, "Error creating socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC)");
++        goto error;
++    }
++
++    pid = qemu_fork(errp);
++    if (pid < 0) {
++        goto error;
++    }
++
++    if (!pid) {
++        /* child */
++        dup2(fds[1], STDIN_FILENO);
++        execv(argv[0], (char * const *)argv);
++        _exit(1);
++    }
++
++    /*
++     * Hand over our end of the socket pair to the qio channel.
++     *
++     * We don't reap the child because it is expected to keep
++     * running. We also don't support the "reconnect" option for the
++     * same reason.
++     */
++    sioc = qio_channel_socket_new_fd(fds[0], errp);
++    if (!sioc) {
++        goto error;
++    }
++    fds[0] = -1;
++
++    g_free(chr->filename);
++    chr->filename = g_strdup_printf("cmd:%s", cmd);
++    tcp_chr_new_client(chr, sioc);
++
++ error:
++    if (fds[0] >= 0) {
++        close(fds[0]);
++    }
++    if (fds[1] >= 0) {
++        close(fds[1]);
++    }
++    if (sioc) {
++        object_unref(OBJECT(sioc));
++    }
++}
++#endif
+ 
+ static void qmp_chardev_open_socket(Chardev *chr,
+                                     ChardevBackend *backend,
+@@ -1300,6 +1361,9 @@ static void qmp_chardev_open_socket(Char
+ {
+     SocketChardev *s = SOCKET_CHARDEV(chr);
+     ChardevSocket *sock = backend->u.socket.data;
++#ifndef _WIN32
++    const char *cmd     = sock->cmd;
++#endif
+     bool do_nodelay     = sock->has_nodelay ? sock->nodelay : false;
+     bool is_listen      = sock->has_server  ? sock->server  : true;
+     bool is_telnet      = sock->has_telnet  ? sock->telnet  : false;
+@@ -1365,6 +1429,14 @@ static void qmp_chardev_open_socket(Char
+ 
+     update_disconnected_filename(s);
+ 
++#ifndef _WIN32
++    if (cmd) {
++        chardev_open_socket_cmd(chr, cmd, errp);
++
++        /* everything ready (or failed permanently) before we return */
++        *be_opened = true;
++    } else
++#endif
+     if (s->is_listen) {
+         if (qmp_chardev_open_socket_server(chr, is_telnet || is_tn3270,
+                                            is_waitconnect, errp) < 0) {
+@@ -1384,11 +1456,27 @@ static void qemu_chr_parse_socket(QemuOp
+     const char *host = qemu_opt_get(opts, "host");
+     const char *port = qemu_opt_get(opts, "port");
+     const char *fd = qemu_opt_get(opts, "fd");
++#ifndef _WIN32
++    const char *cmd = qemu_opt_get(opts, "cmd");
++#endif
+     bool tight = qemu_opt_get_bool(opts, "tight", true);
+     bool abstract = qemu_opt_get_bool(opts, "abstract", false);
+     SocketAddressLegacy *addr;
+     ChardevSocket *sock;
+ 
++#ifndef _WIN32
++    if (cmd) {
++        /*
++         * Here we have to ensure that no options are set which are incompatible with
++         * spawning a command, otherwise unmodified code that doesn't know about
++         * command spawning (like socket_reconnect_timeout()) might get called.
++         */
++        if (path || sock->server || sock->has_telnet || sock->has_tn3270 || sock->reconnect || host || port || sock->tls_creds) {
++            error_setg(errp, "chardev: socket: cmd does not support any additional options");
++            return;
++        }
++    } else
++#endif
+     if ((!!path + !!fd + !!host) != 1) {
+         error_setg(errp,
+                    "Exactly one of 'path', 'fd' or 'host' required");
+@@ -1431,12 +1519,24 @@ static void qemu_chr_parse_socket(QemuOp
+     sock->has_tls_authz = qemu_opt_get(opts, "tls-authz");
+     sock->tls_authz = g_strdup(qemu_opt_get(opts, "tls-authz"));
+ 
+-    addr = g_new0(SocketAddressLegacy, 1);
++#ifndef _WIN32
++    sock->cmd = g_strdup(cmd);
++#endif
++
++     addr = g_new0(SocketAddressLegacy, 1);
++#ifndef _WIN32
++    if (path || cmd) {
++#else
+     if (path) {
++#endif
+         UnixSocketAddress *q_unix;
+         addr->type = SOCKET_ADDRESS_LEGACY_KIND_UNIX;
+         q_unix = addr->u.q_unix.data = g_new0(UnixSocketAddress, 1);
++#ifndef _WIN32
++        q_unix->path = cmd ? g_strdup_printf("cmd:%s", cmd) : g_strdup(path);
++#else
+         q_unix->path = g_strdup(path);
++#endif
+         q_unix->tight = tight;
+         q_unix->abstract = abstract;
+     } else if (host) {
+Index: qemu-5.1.0/chardev/char.c
+===================================================================
+--- qemu-5.1.0.orig/chardev/char.c
++++ qemu-5.1.0/chardev/char.c
+@@ -826,6 +826,9 @@ QemuOptsList qemu_chardev_opts = {
+             .name = "path",
+             .type = QEMU_OPT_STRING,
+         },{
++            .name = "cmd",
++            .type = QEMU_OPT_STRING,
++        },{
+             .name = "host",
+             .type = QEMU_OPT_STRING,
+         },{
+Index: qemu-5.1.0/qapi/char.json
+===================================================================
+--- qemu-5.1.0.orig/qapi/char.json
++++ qemu-5.1.0/qapi/char.json
+@@ -250,6 +250,10 @@
+ #
+ # @addr: socket address to listen on (server=true)
+ #        or connect to (server=false)
++# @cmd: command to run via "sh -c" with stdin as one end of
++#       a AF_UNIX SOCK_DSTREAM socket pair. The other end
++#       is used by the chardev. Either an addr or a cmd can
++#       be specified, but not both.
+ # @tls-creds: the ID of the TLS credentials object (since 2.6)
+ # @tls-authz: the ID of the QAuthZ authorization object against which
+ #             the client's x509 distinguished name will be validated. This
+@@ -276,6 +280,7 @@
+ ##
+ { 'struct': 'ChardevSocket',
+   'data': { 'addr': 'SocketAddressLegacy',
++            '*cmd': 'str',
+             '*tls-creds': 'str',
+             '*tls-authz'  : 'str',
+             '*server': 'bool',
diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0007-apic-fixup-fallthrough-to-PIC.patch b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0007-apic-fixup-fallthrough-to-PIC.patch
new file mode 100644
index 00000000..034ac578
--- /dev/null
+++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0007-apic-fixup-fallthrough-to-PIC.patch
@@ -0,0 +1,44 @@
+From a59a98d100123030a4145e7efe3b8a001920a9f1 Mon Sep 17 00:00:00 2001
+From: Mark Asselstine <mark.asselstine@windriver.com>
+Date: Tue, 26 Feb 2013 11:43:28 -0500
+Subject: [PATCH] apic: fixup fallthrough to PIC
+
+Commit 0e21e12bb311c4c1095d0269dc2ef81196ccb60a [Don't route PIC
+interrupts through the local APIC if the local APIC config says so.]
+missed a check to ensure the local APIC is enabled. Since if the local
+APIC is disabled it doesn't matter what the local APIC config says.
+
+If this check isn't done and the guest has disabled the local APIC the
+guest will receive a general protection fault, similar to what is seen
+here:
+
+https://lists.gnu.org/archive/html/qemu-devel/2012-12/msg02304.html
+
+The GPF is caused by an attempt to service interrupt 0xffffffff. This
+comes about since cpu_get_pic_interrupt() calls apic_accept_pic_intr()
+(with the local APIC disabled apic_get_interrupt() returns -1).
+apic_accept_pic_intr() returns 0 and thus the interrupt number which
+is returned from cpu_get_pic_interrupt(), and which is attempted to be
+serviced, is -1.
+
+Signed-off-by: Mark Asselstine <mark.asselstine@windriver.com>
+Upstream-Status: Submitted [https://lists.gnu.org/archive/html/qemu-devel/2013-04/msg00878.html]
+Signed-off-by: He Zhe <zhe.he@windriver.com>
+
+---
+ hw/intc/apic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: qemu-5.1.0/hw/intc/apic.c
+===================================================================
+--- qemu-5.1.0.orig/hw/intc/apic.c
++++ qemu-5.1.0/hw/intc/apic.c
+@@ -603,7 +603,7 @@ int apic_accept_pic_intr(DeviceState *de
+     APICCommonState *s = APIC(dev);
+     uint32_t lvt0;
+ 
+-    if (!s)
++    if (!s || !(s->spurious_vec & APIC_SV_ENABLE))
+         return -1;
+ 
+     lvt0 = s->lvt[APIC_LVT_LINT0];
diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0008-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0008-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch
new file mode 100644
index 00000000..d20f04ee
--- /dev/null
+++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0008-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch
@@ -0,0 +1,33 @@
+From cf8c9aac5243f506a1a3e8e284414f311cde04f5 Mon Sep 17 00:00:00 2001
+From: Alistair Francis <alistair.francis@xilinx.com>
+Date: Wed, 17 Jan 2018 10:51:49 -0800
+Subject: [PATCH] linux-user: Fix webkitgtk hangs on 32-bit x86 target
+
+Since commit "linux-user: Tidy and enforce reserved_va initialization"
+(18e80c55bb6ec17c05ec0ba717ec83933c2bfc07) the Yocto webkitgtk build
+hangs when cross compiling for 32-bit x86 on a 64-bit x86 machine using
+musl.
+
+To fix the issue reduce the MAX_RESERVED_VA macro to be a closer match
+to what it was before the problematic commit.
+
+Upstream-Status: Submitted http://lists.gnu.org/archive/html/qemu-devel/2018-01/msg04185.html
+Signed-off-by: Alistair Francis <alistair.francis@xilinx.com>
+
+---
+ linux-user/main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: qemu-5.1.0/linux-user/main.c
+===================================================================
+--- qemu-5.1.0.orig/linux-user/main.c
++++ qemu-5.1.0/linux-user/main.c
+@@ -92,7 +92,7 @@ static int last_log_mask;
+       (TARGET_LONG_BITS == 32 || defined(TARGET_ABI32))
+ /* There are a number of places where we assign reserved_va to a variable
+    of type abi_ulong and expect it to fit.  Avoid the last page.  */
+-#   define MAX_RESERVED_VA(CPU)  (0xfffffffful & TARGET_PAGE_MASK)
++#   define MAX_RESERVED_VA(CPU)  (0x7ffffffful & TARGET_PAGE_MASK)
+ #  else
+ #   define MAX_RESERVED_VA(CPU)  (1ul << TARGET_VIRT_ADDR_SPACE_BITS)
+ #  endif
diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0009-Fix-webkitgtk-builds.patch b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0009-Fix-webkitgtk-builds.patch
new file mode 100644
index 00000000..f2a44986
--- /dev/null
+++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0009-Fix-webkitgtk-builds.patch
@@ -0,0 +1,137 @@
+From 815c97ba0de02da9dace3fcfcbdf9b20e029f0d7 Mon Sep 17 00:00:00 2001
+From: Martin Jansa <martin.jansa@lge.com>
+Date: Fri, 1 Jun 2018 08:41:07 +0000
+Subject: [PATCH] Fix webkitgtk builds
+
+This is a partial revert of "linux-user: fix mmap/munmap/mprotect/mremap/shmat".
+
+This patch fixes qemu-i386 hangs during gobject-introspection in webkitgtk build
+when musl is used on qemux86. This is the same issue that
+0008-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch was
+fixing in the 2.11 release.
+
+This patch also fixes a build failure when building webkitgtk for
+qemumips. A QEMU assert is seen while building webkitgtk:
+page_check_range: Assertion `start < ((target_ulong)1 << L1_MAP_ADDR_SPACE_BITS)' failed.
+
+This reverts commit ebf9a3630c911d0cfc9c20f7cafe9ba4f88cf583.
+
+Upstream-Status: Pending
+Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
+
+[update patch context]
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ include/exec/cpu-all.h  |  6 +-----
+ include/exec/cpu_ldst.h |  5 ++++-
+ linux-user/mmap.c       | 17 ++++-------------
+ linux-user/syscall.c    |  5 +----
+ 4 files changed, 10 insertions(+), 23 deletions(-)
+
+Index: qemu-5.1.0/include/exec/cpu-all.h
+===================================================================
+--- qemu-5.1.0.orig/include/exec/cpu-all.h
++++ qemu-5.1.0/include/exec/cpu-all.h
+@@ -176,11 +176,8 @@ extern unsigned long reserved_va;
+  * avoid setting bits at the top of guest addresses that might need
+  * to be used for tags.
+  */
+-#define GUEST_ADDR_MAX_                                                 \
+-    ((MIN_CONST(TARGET_VIRT_ADDR_SPACE_BITS, TARGET_ABI_BITS) <= 32) ?  \
+-     UINT32_MAX : ~0ul)
+-#define GUEST_ADDR_MAX    (reserved_va ? reserved_va - 1 : GUEST_ADDR_MAX_)
+-
++#define GUEST_ADDR_MAX (reserved_va ? reserved_va : \
++                                     (1ul << TARGET_VIRT_ADDR_SPACE_BITS) - 1)
+ #else
+ 
+ #include "exec/hwaddr.h"
+Index: qemu-5.1.0/include/exec/cpu_ldst.h
+===================================================================
+--- qemu-5.1.0.orig/include/exec/cpu_ldst.h
++++ qemu-5.1.0/include/exec/cpu_ldst.h
+@@ -75,7 +75,10 @@ typedef uint64_t abi_ptr;
+ #if HOST_LONG_BITS <= TARGET_VIRT_ADDR_SPACE_BITS
+ #define guest_addr_valid(x) (1)
+ #else
+-#define guest_addr_valid(x) ((x) <= GUEST_ADDR_MAX)
++#define guest_addr_valid(x) ({ \
++    ((x) < (1ul << TARGET_VIRT_ADDR_SPACE_BITS)) && \
++    (!reserved_va || ((x) < reserved_va)); \
++})
+ #endif
+ #define h2g_valid(x) guest_addr_valid((unsigned long)(x) - guest_base)
+ 
+Index: qemu-5.1.0/linux-user/mmap.c
+===================================================================
+--- qemu-5.1.0.orig/linux-user/mmap.c
++++ qemu-5.1.0/linux-user/mmap.c
+@@ -71,7 +71,7 @@ int target_mprotect(abi_ulong start, abi
+         return -TARGET_EINVAL;
+     len = TARGET_PAGE_ALIGN(len);
+     end = start + len;
+-    if (!guest_range_valid(start, len)) {
++    if (end < start) {
+         return -TARGET_ENOMEM;
+     }
+     prot &= PROT_READ | PROT_WRITE | PROT_EXEC;
+@@ -467,8 +467,8 @@ abi_long target_mmap(abi_ulong start, ab
+          * It can fail only on 64-bit host with 32-bit target.
+          * On any other target/host host mmap() handles this error correctly.
+          */
+-        if (end < start || !guest_range_valid(start, len)) {
+-            errno = ENOMEM;
++        if (end < start || ((unsigned long)start + len - 1 > (abi_ulong) -1)) {
++            errno = EINVAL;
+             goto fail;
+         }
+ 
+@@ -604,10 +604,8 @@ int target_munmap(abi_ulong start, abi_u
+     if (start & ~TARGET_PAGE_MASK)
+         return -TARGET_EINVAL;
+     len = TARGET_PAGE_ALIGN(len);
+-    if (len == 0 || !guest_range_valid(start, len)) {
++    if (len == 0)
+         return -TARGET_EINVAL;
+-    }
+-
+     mmap_lock();
+     end = start + len;
+     real_start = start & qemu_host_page_mask;
+@@ -662,13 +660,6 @@ abi_long target_mremap(abi_ulong old_add
+     int prot;
+     void *host_addr;
+ 
+-    if (!guest_range_valid(old_addr, old_size) ||
+-        ((flags & MREMAP_FIXED) &&
+-         !guest_range_valid(new_addr, new_size))) {
+-        errno = ENOMEM;
+-        return -1;
+-    }
+-
+     mmap_lock();
+ 
+     if (flags & MREMAP_FIXED) {
+Index: qemu-5.1.0/linux-user/syscall.c
+===================================================================
+--- qemu-5.1.0.orig/linux-user/syscall.c
++++ qemu-5.1.0/linux-user/syscall.c
+@@ -4336,9 +4336,6 @@ static inline abi_ulong do_shmat(CPUArch
+             return -TARGET_EINVAL;
+         }
+     }
+-    if (!guest_range_valid(shmaddr, shm_info.shm_segsz)) {
+-        return -TARGET_EINVAL;
+-    }
+ 
+     mmap_lock();
+ 
+@@ -7376,7 +7373,7 @@ static int open_self_maps(void *cpu_env,
+             const char *path;
+ 
+             max = h2g_valid(max - 1) ?
+-                max : (uintptr_t) g2h(GUEST_ADDR_MAX) + 1;
++                max : (uintptr_t) g2h(GUEST_ADDR_MAX);
+ 
+             if (page_check_range(h2g(min), max - min, flags) == -1) {
+                 continue;
diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0010-configure-Add-pkg-config-handling-for-libgcrypt.patch b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0010-configure-Add-pkg-config-handling-for-libgcrypt.patch
new file mode 100644
index 00000000..d7e3fffd
--- /dev/null
+++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0010-configure-Add-pkg-config-handling-for-libgcrypt.patch
@@ -0,0 +1,91 @@
+From c207607cdf3996ad9783c3bffbcd3d65e74c0158 Mon Sep 17 00:00:00 2001
+From: He Zhe <zhe.he@windriver.com>
+Date: Wed, 28 Aug 2019 19:56:28 +0800
+Subject: [PATCH] configure: Add pkg-config handling for libgcrypt
+
+libgcrypt may also be controlled by pkg-config, this patch adds pkg-config
+handling for libgcrypt.
+
+Upstream-Status: Denied [https://lists.nongnu.org/archive/html/qemu-devel/2019-08/msg06333.html]
+
+Signed-off-by: He Zhe <zhe.he@windriver.com>
+
+---
+ configure | 48 ++++++++++++++++++++++++++++++++++++++++--------
+ 1 file changed, 40 insertions(+), 8 deletions(-)
+
+Index: qemu-5.1.0/configure
+===================================================================
+--- qemu-5.1.0.orig/configure
++++ qemu-5.1.0/configure
+@@ -3084,6 +3084,30 @@ has_libgcrypt() {
+     return 0
+ }
+ 
++has_libgcrypt_pkgconfig() {
++    if ! has $pkg_config ; then
++        return 1
++    fi
++
++    if ! $pkg_config --list-all | grep libgcrypt > /dev/null 2>&1 ; then
++        return 1
++    fi
++
++    if test -n "$cross_prefix" ; then
++        host=$($pkg_config --variable=host libgcrypt)
++        if test "${host%-gnu}-" != "${cross_prefix%-gnu}" ; then
++            print_error "host($host) does not match cross_prefix($cross_prefix)"
++            return 1
++        fi
++    fi
++
++    if ! $pkg_config --atleast-version=1.5.0 libgcrypt ; then
++        print_error "libgcrypt version is $($pkg_config --modversion libgcrypt)"
++        return 1
++    fi
++
++    return 0
++}
+ 
+ if test "$nettle" != "no"; then
+     pass="no"
+@@ -3124,7 +3148,14 @@ fi
+ 
+ if test "$gcrypt" != "no"; then
+     pass="no"
+-    if has_libgcrypt; then
++    if has_libgcrypt_pkgconfig; then
++        gcrypt_cflags=$($pkg_config --cflags libgcrypt)
++        if test "$static" = "yes" ; then
++            gcrypt_libs=$($pkg_config --libs --static libgcrypt)
++        else
++            gcrypt_libs=$($pkg_config --libs libgcrypt)
++        fi
++    elif has_libgcrypt; then
+         gcrypt_cflags=$(libgcrypt-config --cflags)
+         gcrypt_libs=$(libgcrypt-config --libs)
+         # Debian has removed -lgpg-error from libgcrypt-config
+@@ -3134,15 +3165,16 @@ if test "$gcrypt" != "no"; then
+         then
+             gcrypt_libs="$gcrypt_libs -lgpg-error"
+         fi
++    fi
+ 
+-        # Link test to make sure the given libraries work (e.g for static).
+-        write_c_skeleton
+-        if compile_prog "" "$gcrypt_libs" ; then
+-            LIBS="$gcrypt_libs $LIBS"
+-            QEMU_CFLAGS="$QEMU_CFLAGS $gcrypt_cflags"
+-            pass="yes"
+-        fi
++    # Link test to make sure the given libraries work (e.g for static).
++    write_c_skeleton
++    if compile_prog "" "$gcrypt_libs" ; then
++           LIBS="$gcrypt_libs $LIBS"
++           QEMU_CFLAGS="$QEMU_CFLAGS $gcrypt_cflags"
++           pass="yes"
+     fi
++
+     if test "$pass" = "yes"; then
+         gcrypt="yes"
+         cat > $TMPC << EOF
diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu/CVE-2020-24352.patch b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/CVE-2020-24352.patch
new file mode 100644
index 00000000..861ff6c3
--- /dev/null
+++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/CVE-2020-24352.patch
@@ -0,0 +1,52 @@
+From ca1f9cbfdce4d63b10d57de80fef89a89d92a540 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Wed, 21 Oct 2020 16:08:18 +0530
+Subject: [PATCH 1/1] ati: check x y display parameter values
+
+The source and destination x,y display parameters in ati_2d_blt()
+may run off the vga limits if either of s->regs.[src|dst]_[xy] is
+zero. Check the parameter values to avoid potential crash.
+
+Reported-by: Gaoning Pan <pgn@zju.edu.cn>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-id: 20201021103818.1704030-1-ppandit@redhat.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport [ https://git.qemu.org/?p=qemu.git;a=commitdiff;h=ca1f9cbfdce4d63b10d57de80fef89a89d92a540;hp=2ddafce7f797082ad216657c830afd4546f16e37 ]
+CVE: CVE-2020-24352
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/display/ati_2d.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/hw/display/ati_2d.c b/hw/display/ati_2d.c
+index 23a8ae0..4dc10ea 100644
+--- a/hw/display/ati_2d.c
++++ b/hw/display/ati_2d.c
+@@ -75,8 +75,9 @@ void ati_2d_blt(ATIVGAState *s)
+         dst_stride *= bpp;
+     }
+     uint8_t *end = s->vga.vram_ptr + s->vga.vram_size;
+-    if (dst_bits >= end || dst_bits + dst_x + (dst_y + s->regs.dst_height) *
+-        dst_stride >= end) {
++    if (dst_x > 0x3fff || dst_y > 0x3fff || dst_bits >= end
++        || dst_bits + dst_x
++         + (dst_y + s->regs.dst_height) * dst_stride >= end) {
+         qemu_log_mask(LOG_UNIMP, "blt outside vram not implemented\n");
+         return;
+     }
+@@ -107,8 +108,9 @@ void ati_2d_blt(ATIVGAState *s)
+             src_bits += s->regs.crtc_offset & 0x07ffffff;
+             src_stride *= bpp;
+         }
+-        if (src_bits >= end || src_bits + src_x +
+-            (src_y + s->regs.dst_height) * src_stride >= end) {
++        if (src_x > 0x3fff || src_y > 0x3fff || src_bits >= end
++            || src_bits + src_x
++             + (src_y + s->regs.dst_height) * src_stride >= end) {
+             qemu_log_mask(LOG_UNIMP, "blt outside vram not implemented\n");
+             return;
+         }
+-- 
+1.8.3.1
+
diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu/CVE-2020-25624.patch b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/CVE-2020-25624.patch
new file mode 100644
index 00000000..7631bab3
--- /dev/null
+++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/CVE-2020-25624.patch
@@ -0,0 +1,101 @@
+From 1328fe0c32d5474604105b8105310e944976b058 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Tue, 15 Sep 2020 23:52:58 +0530
+Subject: [PATCH] hw: usb: hcd-ohci: check len and frame_number variables
+
+While servicing the OHCI transfer descriptors(TD), OHCI host
+controller derives variables 'start_addr', 'end_addr', 'len'
+etc. from values supplied by the host controller driver.
+Host controller driver may supply values such that using
+above variables leads to out-of-bounds access issues.
+Add checks to avoid them.
+
+AddressSanitizer: stack-buffer-overflow on address 0x7ffd53af76a0
+  READ of size 2 at 0x7ffd53af76a0 thread T0
+  #0 ohci_service_iso_td ../hw/usb/hcd-ohci.c:734
+  #1 ohci_service_ed_list ../hw/usb/hcd-ohci.c:1180
+  #2 ohci_process_lists ../hw/usb/hcd-ohci.c:1214
+  #3 ohci_frame_boundary ../hw/usb/hcd-ohci.c:1257
+  #4 timerlist_run_timers ../util/qemu-timer.c:572
+  #5 qemu_clock_run_timers ../util/qemu-timer.c:586
+  #6 qemu_clock_run_all_timers ../util/qemu-timer.c:672
+  #7 main_loop_wait ../util/main-loop.c:527
+  #8 qemu_main_loop ../softmmu/vl.c:1676
+  #9 main ../softmmu/main.c:50
+
+Reported-by: Gaoning Pan <pgn@zju.edu.cn>
+Reported-by: Yongkang Jia <j_kangel@163.com>
+Reported-by: Yi Ren <yunye.ry@alibaba-inc.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-id: 20200915182259.68522-2-ppandit@redhat.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-25624
+[https://git.qemu.org/?p=qemu.git;a=commit;h=1328fe0c32d5474604105b8105310e944976b058]
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+ hw/usb/hcd-ohci.c | 24 ++++++++++++++++++++++--
+ 1 file changed, 22 insertions(+), 2 deletions(-)
+
+diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c
+index 1e6e85e..9dc5910 100644
+--- a/hw/usb/hcd-ohci.c
++++ b/hw/usb/hcd-ohci.c
+@@ -731,7 +731,11 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed,
+     }
+ 
+     start_offset = iso_td.offset[relative_frame_number];
+-    next_offset = iso_td.offset[relative_frame_number + 1];
++    if (relative_frame_number < frame_count) {
++        next_offset = iso_td.offset[relative_frame_number + 1];
++    } else {
++        next_offset = iso_td.be;
++    }
+ 
+     if (!(OHCI_BM(start_offset, TD_PSW_CC) & 0xe) || 
+         ((relative_frame_number < frame_count) && 
+@@ -764,7 +768,12 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed,
+         }
+     } else {
+         /* Last packet in the ISO TD */
+-        end_addr = iso_td.be;
++        end_addr = next_offset;
++    }
++
++    if (start_addr > end_addr) {
++        trace_usb_ohci_iso_td_bad_cc_overrun(start_addr, end_addr);
++        return 1;
+     }
+ 
+     if ((start_addr & OHCI_PAGE_MASK) != (end_addr & OHCI_PAGE_MASK)) {
+@@ -773,6 +782,9 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed,
+     } else {
+         len = end_addr - start_addr + 1;
+     }
++    if (len > sizeof(ohci->usb_buf)) {
++        len = sizeof(ohci->usb_buf);
++    }
+ 
+     if (len && dir != OHCI_TD_DIR_IN) {
+         if (ohci_copy_iso_td(ohci, start_addr, end_addr, ohci->usb_buf, len,
+@@ -975,8 +987,16 @@ static int ohci_service_td(OHCIState *ohci, struct ohci_ed *ed)
+         if ((td.cbp & 0xfffff000) != (td.be & 0xfffff000)) {
+             len = (td.be & 0xfff) + 0x1001 - (td.cbp & 0xfff);
+         } else {
++            if (td.cbp > td.be) {
++                trace_usb_ohci_iso_td_bad_cc_overrun(td.cbp, td.be);
++                ohci_die(ohci);
++                return 1;
++            }
+             len = (td.be - td.cbp) + 1;
+         }
++        if (len > sizeof(ohci->usb_buf)) {
++            len = sizeof(ohci->usb_buf);
++        }
+ 
+         pktlen = len;
+         if (len && dir != OHCI_TD_DIR_IN) {
+-- 
+2.17.1
+
diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu/CVE-2020-25723.patch b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/CVE-2020-25723.patch
new file mode 100644
index 00000000..90b3a2f4
--- /dev/null
+++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/CVE-2020-25723.patch
@@ -0,0 +1,51 @@
+From 2fdb42d840400d58f2e706ecca82c142b97bcbd6 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liq3ea@163.com>
+Date: Wed, 12 Aug 2020 09:17:27 -0700
+Subject: [PATCH] hw: ehci: check return value of 'usb_packet_map'
+
+If 'usb_packet_map' fails, we should stop to process the usb
+request.
+
+Signed-off-by: Li Qiang <liq3ea@163.com>
+Message-Id: <20200812161727.29412-1-liq3ea@163.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-25723
+[https://git.qemu.org/?p=qemu.git;a=commit;h=2fdb42d840400d58f2e706ecca82c142b97bcbd6]
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+ hw/usb/hcd-ehci.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
+index 1495e8f..1fbb02a 100644
+--- a/hw/usb/hcd-ehci.c
++++ b/hw/usb/hcd-ehci.c
+@@ -1373,7 +1373,10 @@ static int ehci_execute(EHCIPacket *p, const char *action)
+         spd = (p->pid == USB_TOKEN_IN && NLPTR_TBIT(p->qtd.altnext) == 0);
+         usb_packet_setup(&p->packet, p->pid, ep, 0, p->qtdaddr, spd,
+                          (p->qtd.token & QTD_TOKEN_IOC) != 0);
+-        usb_packet_map(&p->packet, &p->sgl);
++        if (usb_packet_map(&p->packet, &p->sgl)) {
++            qemu_sglist_destroy(&p->sgl);
++            return -1;
++        }
+         p->async = EHCI_ASYNC_INITIALIZED;
+     }
+ 
+@@ -1452,7 +1455,10 @@ static int ehci_process_itd(EHCIState *ehci,
+             if (ep && ep->type == USB_ENDPOINT_XFER_ISOC) {
+                 usb_packet_setup(&ehci->ipacket, pid, ep, 0, addr, false,
+                                  (itd->transact[i] & ITD_XACT_IOC) != 0);
+-                usb_packet_map(&ehci->ipacket, &ehci->isgl);
++                if (usb_packet_map(&ehci->ipacket, &ehci->isgl)) {
++                    qemu_sglist_destroy(&ehci->isgl);
++                    return -1;
++                }
+                 usb_handle_packet(dev, &ehci->ipacket);
+                 usb_packet_unmap(&ehci->ipacket, &ehci->isgl);
+             } else {
+-- 
+2.17.1
+
diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu/CVE-2020-28916.patch b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/CVE-2020-28916.patch
new file mode 100644
index 00000000..52121968
--- /dev/null
+++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/CVE-2020-28916.patch
@@ -0,0 +1,49 @@
+From c2cb511634012344e3d0fe49a037a33b12d8a98a Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Wed, 11 Nov 2020 18:36:36 +0530
+Subject: [PATCH] hw/net/e1000e: advance desc_offset in case of null
+descriptor
+
+While receiving packets via e1000e_write_packet_to_guest() routine,
+'desc_offset' is advanced only when RX descriptor is processed. And
+RX descriptor is not processed if it has NULL buffer address.
+This may lead to an infinite loop condition. Increament 'desc_offset'
+to process next descriptor in the ring to avoid infinite loop.
+
+Reported-by: Cheol-woo Myung <330cjfdn@gmail.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-28916
+[https://git.qemu.org/?p=qemu.git;a=commit;h=c2cb511634012344e3d0fe49a037a33b12d8a98a]
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+ hw/net/e1000e_core.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/hw/net/e1000e_core.c b/hw/net/e1000e_core.c
+index bcd186c..d3e3cdc 100644
+--- a/hw/net/e1000e_core.c
++++ b/hw/net/e1000e_core.c
+@@ -1596,13 +1596,13 @@ e1000e_write_packet_to_guest(E1000ECore *core, struct NetRxPkt *pkt,
+                           (const char *) &fcs_pad, e1000x_fcs_len(core->mac));
+                 }
+             }
+-            desc_offset += desc_size;
+-            if (desc_offset >= total_size) {
+-                is_last = true;
+-            }
+         } else { /* as per intel docs; skip descriptors with null buf addr */
+             trace_e1000e_rx_null_descriptor();
+         }
++        desc_offset += desc_size;
++        if (desc_offset >= total_size) {
++            is_last = true;
++        }
+ 
+         e1000e_write_rx_descr(core, desc, is_last ? core->rx_pkt : NULL,
+                            rss_info, do_ps ? ps_hdr_len : 0, &bastate.written);
+-- 
+2.17.1
+
diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu/CVE-2020-29129-CVE-2020-29130.patch b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/CVE-2020-29129-CVE-2020-29130.patch
new file mode 100644
index 00000000..e5829f6d
--- /dev/null
+++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/CVE-2020-29129-CVE-2020-29130.patch
@@ -0,0 +1,64 @@
+From 2e1dcbc0c2af64fcb17009eaf2ceedd81be2b27f Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Thu, 26 Nov 2020 19:27:06 +0530
+Subject: [PATCH] slirp: check pkt_len before reading protocol header
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+While processing ARP/NCSI packets in 'arp_input' or 'ncsi_input'
+routines, ensure that pkt_len is large enough to accommodate the
+respective protocol headers, lest it should do an OOB access.
+Add check to avoid it.
+
+CVE-2020-29129 CVE-2020-29130
+  QEMU: slirp: out-of-bounds access while processing ARP/NCSI packets
+ -> https://www.openwall.com/lists/oss-security/2020/11/27/1
+
+Reported-by: Qiuhao Li <Qiuhao.Li@outlook.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-Id: <20201126135706.273950-1-ppandit@redhat.com>
+Reviewed-by: Marc-Andrà Lureau <marcandre.lureau@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-29129 CVE-2020-29130
+[https://git.qemu.org/?p=libslirp.git;a=commit;h=2e1dcbc0c2af64fcb17009eaf2ceedd81be2b27f]
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+ slirp/src/ncsi.c  | 4 ++++
+ slirp/src/slirp.c | 4 ++++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/slirp/src/ncsi.c b/slirp/src/ncsi.c
+index 3c1dfef..75dcc08 100644
+--- a/slirp/src/ncsi.c
++++ b/slirp/src/ncsi.c
+@@ -148,6 +148,10 @@ void ncsi_input(Slirp *slirp, const uint8_t *pkt, int pkt_len)
+     uint32_t checksum;
+     uint32_t *pchecksum;
+ 
++    if (pkt_len < ETH_HLEN + sizeof(struct ncsi_pkt_hdr)) {
++        return; /* packet too short */
++    }
++
+     memset(ncsi_reply, 0, sizeof(ncsi_reply));
+ 
+     memset(reh->h_dest, 0xff, ETH_ALEN);
+diff --git a/slirp/src/slirp.c b/slirp/src/slirp.c
+index dba7c98..9be58e2 100644
+--- a/slirp/src/slirp.c
++++ b/slirp/src/slirp.c
+@@ -756,6 +756,10 @@ static void arp_input(Slirp *slirp, const uint8_t *pkt, int pkt_len)
+         return;
+     }
+ 
++    if (pkt_len < ETH_HLEN + sizeof(struct slirp_arphdr)) {
++        return; /* packet too short */
++    }
++
+     ar_op = ntohs(ah->ar_op);
+     switch (ar_op) {
+     case ARPOP_REQUEST:
+-- 
+2.17.1
+
diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu/find_datadir.patch b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/find_datadir.patch
new file mode 100644
index 00000000..9a4c1126
--- /dev/null
+++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/find_datadir.patch
@@ -0,0 +1,39 @@
+qemu: search for datadir as in version 4.2
+
+os_find_datadir() was changed after the 4.2 release.  We need to check for
+../share/qemu relative to the executable because that is where the runqemu
+configuration assumes it will be.
+
+Upstream-Status: Submitted [qemu-devel@nongnu.org]
+
+Signed-off-by: Joe Slater <joe.slater@windriver.com>
+
+
+Index: qemu-5.1.0/os-posix.c
+===================================================================
+--- qemu-5.1.0.orig/os-posix.c
++++ qemu-5.1.0/os-posix.c
+@@ -82,8 +82,9 @@ void os_setup_signal_handling(void)
+ 
+ /*
+  * Find a likely location for support files using the location of the binary.
++ * Typically, this would be "$bindir/../share/qemu".
+  * When running from the build tree this will be "$bindir/../pc-bios".
+- * Otherwise, this is CONFIG_QEMU_DATADIR.
++ * Otherwise, this is CONFIG_QEMU_DATADIR as constructed by configure.
+  *
+  * The caller must use g_free() to free the returned data when it is
+  * no longer required.
+@@ -96,6 +97,12 @@ char *os_find_datadir(void)
+     exec_dir = qemu_get_exec_dir();
+     g_return_val_if_fail(exec_dir != NULL, NULL);
+ 
++    dir = g_build_filename(exec_dir, "..", "share", "qemu", NULL);
++    if (g_file_test(dir, G_FILE_TEST_IS_DIR)) {
++        return g_steal_pointer(&dir);
++    }
++    g_free(dir);  /* no autofree this time */
++
+     dir = g_build_filename(exec_dir, "..", "pc-bios", NULL);
+     if (g_file_test(dir, G_FILE_TEST_IS_DIR)) {
+         return g_steal_pointer(&dir);
diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu/powerpc_rom.bin b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/powerpc_rom.bin
new file mode 100644
index 00000000..c4044296
--- /dev/null
+++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/powerpc_rom.bin
diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu/run-ptest b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/run-ptest
new file mode 100644
index 00000000..b25a792d
--- /dev/null
+++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/run-ptest
@@ -0,0 +1,10 @@
+#!/bin/sh
+#
+#This script is used to run qemu test suites
+#
+
+ptestdir=$(dirname "$(readlink -f "$0")")
+export SRC_PATH=$ptestdir
+
+cd $ptestdir/tests
+make -f Makefile.include -k runtest-TESTS | sed '/^ok /s/ok /PASS: /g'
diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu/usb-fix-setup_len-init.patch b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/usb-fix-setup_len-init.patch
new file mode 100644
index 00000000..92801da4
--- /dev/null
+++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/usb-fix-setup_len-init.patch
@@ -0,0 +1,89 @@
+CVE: CVE-2020-14364
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+From b946434f2659a182afc17e155be6791ebfb302eb Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Tue, 25 Aug 2020 07:36:36 +0200
+Subject: [PATCH] usb: fix setup_len init (CVE-2020-14364)
+
+Store calculated setup_len in a local variable, verify it, and only
+write it to the struct (USBDevice->setup_len) in case it passed the
+sanity checks.
+
+This prevents other code (do_token_{in,out} functions specifically)
+from working with invalid USBDevice->setup_len values and overrunning
+the USBDevice->setup_buf[] buffer.
+
+Fixes: CVE-2020-14364
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Tested-by: Gonglei <arei.gonglei@huawei.com>
+Reviewed-by: Li Qiang <liq3ea@gmail.com>
+Message-id: 20200825053636.29648-1-kraxel@redhat.com
+---
+ hw/usb/core.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/hw/usb/core.c b/hw/usb/core.c
+index 5abd128b6bc..5234dcc73fe 100644
+--- a/hw/usb/core.c
++++ b/hw/usb/core.c
+@@ -129,6 +129,7 @@ void usb_wakeup(USBEndpoint *ep, unsigned int stream)
+ static void do_token_setup(USBDevice *s, USBPacket *p)
+ {
+     int request, value, index;
++    unsigned int setup_len;
+ 
+     if (p->iov.size != 8) {
+         p->status = USB_RET_STALL;
+@@ -138,14 +139,15 @@ static void do_token_setup(USBDevice *s, USBPacket *p)
+     usb_packet_copy(p, s->setup_buf, p->iov.size);
+     s->setup_index = 0;
+     p->actual_length = 0;
+-    s->setup_len   = (s->setup_buf[7] << 8) | s->setup_buf[6];
+-    if (s->setup_len > sizeof(s->data_buf)) {
++    setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
++    if (setup_len > sizeof(s->data_buf)) {
+         fprintf(stderr,
+                 "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",
+-                s->setup_len, sizeof(s->data_buf));
++                setup_len, sizeof(s->data_buf));
+         p->status = USB_RET_STALL;
+         return;
+     }
++    s->setup_len = setup_len;
+ 
+     request = (s->setup_buf[0] << 8) | s->setup_buf[1];
+     value   = (s->setup_buf[3] << 8) | s->setup_buf[2];
+@@ -259,26 +261,28 @@ static void do_token_out(USBDevice *s, USBPacket *p)
+ static void do_parameter(USBDevice *s, USBPacket *p)
+ {
+     int i, request, value, index;
++    unsigned int setup_len;
+ 
+     for (i = 0; i < 8; i++) {
+         s->setup_buf[i] = p->parameter >> (i*8);
+     }
+ 
+     s->setup_state = SETUP_STATE_PARAM;
+-    s->setup_len   = (s->setup_buf[7] << 8) | s->setup_buf[6];
+     s->setup_index = 0;
+ 
+     request = (s->setup_buf[0] << 8) | s->setup_buf[1];
+     value   = (s->setup_buf[3] << 8) | s->setup_buf[2];
+     index   = (s->setup_buf[5] << 8) | s->setup_buf[4];
+ 
+-    if (s->setup_len > sizeof(s->data_buf)) {
++    setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
++    if (setup_len > sizeof(s->data_buf)) {
+         fprintf(stderr,
+                 "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",
+-                s->setup_len, sizeof(s->data_buf));
++                setup_len, sizeof(s->data_buf));
+         p->status = USB_RET_STALL;
+         return;
+     }
++    s->setup_len = setup_len;
+ 
+     if (p->pid == USB_TOKEN_OUT) {
+         usb_packet_copy(p, s->data_buf, s->setup_len);