qemu: update 7.1.0 -> 7.2.0

qemu no longer carries libslirp in-tree, so enabling slirp requires providing external libslirp. Another noteworthy change is: x86: TCG support for AVX, AVX2, F16C, FMA3 and VAES instructions ... which means both meta-intel and qemu x86 targets can now fully utilize Haswell-and-later instruction set with benefits for performance in emulation and on silicon. Changelog: https://wiki.qemu.org/ChangeLog/7.2 (From OE-Core rev: d82e521995832580e990c0c173651aafd43d299c) Signed-off-by: Alexander Kanavin <alex@linutronix.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Alexander Kanavin <alex.kanavin@gmail.com> 2022-12-24 17:59:43 +0100
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2022-12-26 18:49:07 +0000
commit: 9caff14abbb742e5083056b899ee6fc0a5fba8f3 (patch)
tree: f1011ab47b0a00d76ceb26c4899d62b92b0ccc78 /meta/recipes-devtools/qemu/qemu
parent: d7f7b788f7cef5f8db9df3613a108e13998155e1 (diff)
download: poky-9caff14abbb742e5083056b899ee6fc0a5fba8f3.tar.gz
3 files changed, 0 insertions, 150 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/0001-net-tulip-Restrict-DMA-engine-to-memories.patch b/meta/recipes-devtools/qemu/qemu/0001-net-tulip-Restrict-DMA-engine-to-memories.patch
deleted file mode 100644
index 6c85a77ba7..0000000000
--- a/meta/recipes-devtools/qemu/qemu/0001-net-tulip-Restrict-DMA-engine-to-memories.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-CVE: CVE-2022-2962
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@arm.com>
-From 5c5c50b0a73d78ffe18336c9996fef5eae9bbbb0 Mon Sep 17 00:00:00 2001
-From: Zheyu Ma <zheyuma97@gmail.com>
-Date: Sun, 21 Aug 2022 20:43:43 +0800
-Subject: [PATCH] net: tulip: Restrict DMA engine to memories
-The DMA engine is started by I/O access and then itself accesses the
-I/O registers, triggering a reentrancy bug.
-The following log can reveal it:
-==5637==ERROR: AddressSanitizer: stack-overflow
-    #0 0x5595435f6078 in tulip_xmit_list_update qemu/hw/net/tulip.c:673
-    #1 0x5595435f204a in tulip_write qemu/hw/net/tulip.c:805:13
-    #2 0x559544637f86 in memory_region_write_accessor qemu/softmmu/memory.c:492:5
-    #3 0x5595446379fa in access_with_adjusted_size qemu/softmmu/memory.c:554:18
-    #4 0x5595446372fa in memory_region_dispatch_write qemu/softmmu/memory.c
-    #5 0x55954468b74c in flatview_write_continue qemu/softmmu/physmem.c:2825:23
-    #6 0x559544683662 in flatview_write qemu/softmmu/physmem.c:2867:12
-    #7 0x5595446833f3 in address_space_write qemu/softmmu/physmem.c:2963:18
-    #8 0x5595435fb082 in dma_memory_rw_relaxed qemu/include/sysemu/dma.h:87:12
-    #9 0x5595435fb082 in dma_memory_rw qemu/include/sysemu/dma.h:130:12
-    #10 0x5595435fb082 in dma_memory_write qemu/include/sysemu/dma.h:171:12
-    #11 0x5595435fb082 in stl_le_dma qemu/include/sysemu/dma.h:272:1
-    #12 0x5595435fb082 in stl_le_pci_dma qemu/include/hw/pci/pci.h:910:1
-    #13 0x5595435fb082 in tulip_desc_write qemu/hw/net/tulip.c:101:9
-    #14 0x5595435f7e3d in tulip_xmit_list_update qemu/hw/net/tulip.c:706:9
-    #15 0x5595435f204a in tulip_write qemu/hw/net/tulip.c:805:13
-Fix this bug by restricting the DMA engine to memories regions.
-Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
-Signed-off-by: Jason Wang <jasowang@redhat.com>
---
- hw/net/tulip.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-diff --git a/hw/net/tulip.c b/hw/net/tulip.c
-index 097e905bec..b9e42c322a 100644
--- a/hw/net/tulip.c
-+++ b/hw/net/tulip.c
-@@ -70,7 +70,7 @@ static const VMStateDescription vmstate_pci_tulip = {
- static void tulip_desc_read(TULIPState *s, hwaddr p,
-         struct tulip_descriptor *desc)
- {
-    const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
-+    const MemTxAttrs attrs = { .memory = true };
- 
-     if (s->csr[0] & CSR0_DBO) {
-         ldl_be_pci_dma(&s->dev, p, &desc->status, attrs);
-@@ -88,7 +88,7 @@ static void tulip_desc_read(TULIPState *s, hwaddr p,
- static void tulip_desc_write(TULIPState *s, hwaddr p,
-         struct tulip_descriptor *desc)
- {
-    const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
-+    const MemTxAttrs attrs = { .memory = true };
- 
-     if (s->csr[0] & CSR0_DBO) {
-         stl_be_pci_dma(&s->dev, p, desc->status, attrs);
-- 
-2.34.1
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-3165.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-3165.patch
deleted file mode 100644
index 3b4a6694c2..0000000000
--- a/meta/recipes-devtools/qemu/qemu/CVE-2022-3165.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-CVE: CVE-2022-3165
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@arm.com>
-From d307040b18bfcb1393b910f1bae753d5c12a4dc7 Mon Sep 17 00:00:00 2001
-From: Mauro Matteo Cascella <mcascell@redhat.com>
-Date: Sun, 25 Sep 2022 22:45:11 +0200
-Subject: [PATCH] ui/vnc-clipboard: fix integer underflow in
- vnc_client_cut_text_ext
-Extended ClientCutText messages start with a 4-byte header. If len < 4,
-an integer underflow occurs in vnc_client_cut_text_ext. The result is
-used to decompress data in a while loop in inflate_buffer, leading to
-CPU consumption and denial of service. Prevent this by checking dlen in
-protocol_client_msg.
-Fixes: CVE-2022-3165
-Fixes: 0bf41cab93e5 ("ui/vnc: clipboard support")
-Reported-by: TangPeng <tangpeng@qianxin.com>
-Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
-Message-Id: <20220925204511.1103214-1-mcascell@redhat.com>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
- ui/vnc.c | 11 ++++++++---
- 1 file changed, 8 insertions(+), 3 deletions(-)
-diff --git a/ui/vnc.c b/ui/vnc.c
-index 6a05d06147..acb3629cd8 100644
--- a/ui/vnc.c
-+++ b/ui/vnc.c
-@@ -2442,8 +2442,8 @@ static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
-         if (len == 1) {
-             return 8;
-         }
-+        uint32_t dlen = abs(read_s32(data, 4));
-         if (len == 8) {
-            uint32_t dlen = abs(read_s32(data, 4));
-             if (dlen > (1 << 20)) {
-                 error_report("vnc: client_cut_text msg payload has %u bytes"
-                              " which exceeds our limit of 1MB.", dlen);
-@@ -2456,8 +2456,13 @@ static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
-         }
- 
-         if (read_s32(data, 4) < 0) {
-            vnc_client_cut_text_ext(vs, abs(read_s32(data, 4)),
-                                    read_u32(data, 8), data + 12);
-+            if (dlen < 4) {
-+                error_report("vnc: malformed payload (header less than 4 bytes)"
-+                             " in extended clipboard pseudo-encoding.");
-+                vnc_client_error(vs);
-+                break;
-+            }
-+            vnc_client_cut_text_ext(vs, dlen, read_u32(data, 8), data + 12);
-             break;
-         }
-         vnc_client_cut_text(vs, read_u32(data, 4), data + 8);
-- 
-GitLab
diff --git a/meta/recipes-devtools/qemu/qemu/arm-cpreg-fix.patch b/meta/recipes-devtools/qemu/qemu/arm-cpreg-fix.patch
deleted file mode 100644
index 071691f8ca..0000000000
--- a/meta/recipes-devtools/qemu/qemu/arm-cpreg-fix.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-target/arm: mark SP_EL1 with ARM_CP_EL3_NO_EL2_KEEP
-SP_EL1 must be kept when EL3 is present but EL2 is not. Therefore mark
-it with ARM_CP_EL3_NO_EL2_KEEP.
-Fixes: 696ba3771894 ("target/arm: Handle cpreg registration for missing EL")
-Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
-Upstream-Status: Submitted [https://lists.gnu.org/archive/html/qemu-devel/2022-09/msg04515.html]
---
- target/arm/helper.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-Index: qemu-7.1.0/target/arm/helper.c
-===================================================================
--- qemu-7.1.0.orig/target/arm/helper.c
-+++ qemu-7.1.0/target/arm/helper.c
-@@ -4971,7 +4971,7 @@ static const ARMCPRegInfo v8_cp_reginfo[
-       .fieldoffset = offsetof(CPUARMState, sp_el[0]) },
-     { .name = "SP_EL1", .state = ARM_CP_STATE_AA64,
-       .opc0 = 3, .opc1 = 4, .crn = 4, .crm = 1, .opc2 = 0,
-      .access = PL2_RW, .type = ARM_CP_ALIAS,
-+      .access = PL2_RW, .type = ARM_CP_ALIAS | ARM_CP_EL3_NO_EL2_KEEP,
-       .fieldoffset = offsetof(CPUARMState, sp_el[1]) },
-     { .name = "SPSel", .state = ARM_CP_STATE_AA64,
-       .opc0 = 3, .opc1 = 0, .crn = 4, .crm = 2, .opc2 = 0,
author	Alexander Kanavin <alex.kanavin@gmail.com>	2022-12-24 17:59:43 +0100
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2022-12-26 18:49:07 +0000
commit	9caff14abbb742e5083056b899ee6fc0a5fba8f3 (patch)
tree	f1011ab47b0a00d76ceb26c4899d62b92b0ccc78 /meta/recipes-devtools/qemu/qemu
parent	d7f7b788f7cef5f8db9df3613a108e13998155e1 (diff)
download	poky-9caff14abbb742e5083056b899ee6fc0a5fba8f3.tar.gz

diff --git a/meta/recipes-devtools/qemu/qemu/0001-net-tulip-Restrict-DMA-engine-to-memories.patch b/meta/recipes-devtools/qemu/qemu/0001-net-tulip-Restrict-DMA-engine-to-memories.patch deleted file mode 100644 index 6c85a77ba7..0000000000 --- a/meta/recipes-devtools/qemu/qemu/0001-net-tulip-Restrict-DMA-engine-to-memories.patch +++ /dev/null
@@ -1,64 +0,0 @@
1	CVE: CVE-2022-2962
2	Upstream-Status: Backport
3	Signed-off-by: Ross Burton <ross.burton@arm.com>
4
5	From 5c5c50b0a73d78ffe18336c9996fef5eae9bbbb0 Mon Sep 17 00:00:00 2001
6	From: Zheyu Ma <zheyuma97@gmail.com>
7	Date: Sun, 21 Aug 2022 20:43:43 +0800
8	Subject: [PATCH] net: tulip: Restrict DMA engine to memories
9
10	The DMA engine is started by I/O access and then itself accesses the
11	I/O registers, triggering a reentrancy bug.
12
13	The following log can reveal it:
14	==5637==ERROR: AddressSanitizer: stack-overflow
15	#0 0x5595435f6078 in tulip_xmit_list_update qemu/hw/net/tulip.c:673
16	#1 0x5595435f204a in tulip_write qemu/hw/net/tulip.c:805:13
17	#2 0x559544637f86 in memory_region_write_accessor qemu/softmmu/memory.c:492:5
18	#3 0x5595446379fa in access_with_adjusted_size qemu/softmmu/memory.c:554:18
19	#4 0x5595446372fa in memory_region_dispatch_write qemu/softmmu/memory.c
20	#5 0x55954468b74c in flatview_write_continue qemu/softmmu/physmem.c:2825:23
21	#6 0x559544683662 in flatview_write qemu/softmmu/physmem.c:2867:12
22	#7 0x5595446833f3 in address_space_write qemu/softmmu/physmem.c:2963:18
23	#8 0x5595435fb082 in dma_memory_rw_relaxed qemu/include/sysemu/dma.h:87:12
24	#9 0x5595435fb082 in dma_memory_rw qemu/include/sysemu/dma.h:130:12
25	#10 0x5595435fb082 in dma_memory_write qemu/include/sysemu/dma.h:171:12
26	#11 0x5595435fb082 in stl_le_dma qemu/include/sysemu/dma.h:272:1
27	#12 0x5595435fb082 in stl_le_pci_dma qemu/include/hw/pci/pci.h:910:1
28	#13 0x5595435fb082 in tulip_desc_write qemu/hw/net/tulip.c:101:9
29	#14 0x5595435f7e3d in tulip_xmit_list_update qemu/hw/net/tulip.c:706:9
30	#15 0x5595435f204a in tulip_write qemu/hw/net/tulip.c:805:13
31
32	Fix this bug by restricting the DMA engine to memories regions.
33
34	Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
35	Signed-off-by: Jason Wang <jasowang@redhat.com>
36	---
37	hw/net/tulip.c \| 4 ++--
38	1 file changed, 2 insertions(+), 2 deletions(-)
39
40	diff --git a/hw/net/tulip.c b/hw/net/tulip.c
41	index 097e905bec..b9e42c322a 100644
42	--- a/hw/net/tulip.c
43	+++ b/hw/net/tulip.c
44	@@ -70,7 +70,7 @@ static const VMStateDescription vmstate_pci_tulip = {
45	static void tulip_desc_read(TULIPState *s, hwaddr p,
46	struct tulip_descriptor *desc)
47	{
48	- const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
49	+ const MemTxAttrs attrs = { .memory = true };
50
51	if (s->csr[0] & CSR0_DBO) {
52	ldl_be_pci_dma(&s->dev, p, &desc->status, attrs);
53	@@ -88,7 +88,7 @@ static void tulip_desc_read(TULIPState *s, hwaddr p,
54	static void tulip_desc_write(TULIPState *s, hwaddr p,
55	struct tulip_descriptor *desc)
56	{
57	- const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
58	+ const MemTxAttrs attrs = { .memory = true };
59
60	if (s->csr[0] & CSR0_DBO) {
61	stl_be_pci_dma(&s->dev, p, desc->status, attrs);
62	--
63	2.34.1
64


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-3165.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-3165.patch deleted file mode 100644 index 3b4a6694c2..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2022-3165.patch +++ /dev/null
@@ -1,59 +0,0 @@
1	CVE: CVE-2022-3165
2	Upstream-Status: Backport
3	Signed-off-by: Ross Burton <ross.burton@arm.com>
4
5	From d307040b18bfcb1393b910f1bae753d5c12a4dc7 Mon Sep 17 00:00:00 2001
6	From: Mauro Matteo Cascella <mcascell@redhat.com>
7	Date: Sun, 25 Sep 2022 22:45:11 +0200
8	Subject: [PATCH] ui/vnc-clipboard: fix integer underflow in
9	vnc_client_cut_text_ext
10
11	Extended ClientCutText messages start with a 4-byte header. If len < 4,
12	an integer underflow occurs in vnc_client_cut_text_ext. The result is
13	used to decompress data in a while loop in inflate_buffer, leading to
14	CPU consumption and denial of service. Prevent this by checking dlen in
15	protocol_client_msg.
16
17	Fixes: CVE-2022-3165
18	Fixes: 0bf41cab93e5 ("ui/vnc: clipboard support")
19	Reported-by: TangPeng <tangpeng@qianxin.com>
20	Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
21	Message-Id: <20220925204511.1103214-1-mcascell@redhat.com>
22	Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
23	---
24	ui/vnc.c \| 11 ++++++++---
25	1 file changed, 8 insertions(+), 3 deletions(-)
26
27	diff --git a/ui/vnc.c b/ui/vnc.c
28	index 6a05d06147..acb3629cd8 100644
29	--- a/ui/vnc.c
30	+++ b/ui/vnc.c
31	@@ -2442,8 +2442,8 @@ static int protocol_client_msg(VncState vs, uint8_t data, size_t len)
32	if (len == 1) {
33	return 8;
34	}
35	+ uint32_t dlen = abs(read_s32(data, 4));
36	if (len == 8) {
37	- uint32_t dlen = abs(read_s32(data, 4));
38	if (dlen > (1 << 20)) {
39	error_report("vnc: client_cut_text msg payload has %u bytes"
40	" which exceeds our limit of 1MB.", dlen);
41	@@ -2456,8 +2456,13 @@ static int protocol_client_msg(VncState vs, uint8_t data, size_t len)
42	}
43
44	if (read_s32(data, 4) < 0) {
45	- vnc_client_cut_text_ext(vs, abs(read_s32(data, 4)),
46	- read_u32(data, 8), data + 12);
47	+ if (dlen < 4) {
48	+ error_report("vnc: malformed payload (header less than 4 bytes)"
49	+ " in extended clipboard pseudo-encoding.");
50	+ vnc_client_error(vs);
51	+ break;
52	+ }
53	+ vnc_client_cut_text_ext(vs, dlen, read_u32(data, 8), data + 12);
54	break;
55	}
56	vnc_client_cut_text(vs, read_u32(data, 4), data + 8);
57	--
58	GitLab
59


diff --git a/meta/recipes-devtools/qemu/qemu/arm-cpreg-fix.patch b/meta/recipes-devtools/qemu/qemu/arm-cpreg-fix.patch deleted file mode 100644 index 071691f8ca..0000000000 --- a/meta/recipes-devtools/qemu/qemu/arm-cpreg-fix.patch +++ /dev/null
@@ -1,27 +0,0 @@
1	target/arm: mark SP_EL1 with ARM_CP_EL3_NO_EL2_KEEP
2
3	SP_EL1 must be kept when EL3 is present but EL2 is not. Therefore mark
4	it with ARM_CP_EL3_NO_EL2_KEEP.
5
6	Fixes: 696ba3771894 ("target/arm: Handle cpreg registration for missing EL")
7	Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
8
9	Upstream-Status: Submitted [https://lists.gnu.org/archive/html/qemu-devel/2022-09/msg04515.html]
10
11	---
12	target/arm/helper.c \| 2 +-
13	1 file changed, 1 insertion(+), 1 deletion(-)
14
15	Index: qemu-7.1.0/target/arm/helper.c
16	===================================================================
17	--- qemu-7.1.0.orig/target/arm/helper.c
18	+++ qemu-7.1.0/target/arm/helper.c
19	@@ -4971,7 +4971,7 @@ static const ARMCPRegInfo v8_cp_reginfo[
20	.fieldoffset = offsetof(CPUARMState, sp_el[0]) },
21	{ .name = "SP_EL1", .state = ARM_CP_STATE_AA64,
22	.opc0 = 3, .opc1 = 4, .crn = 4, .crm = 1, .opc2 = 0,
23	- .access = PL2_RW, .type = ARM_CP_ALIAS,
24	+ .access = PL2_RW, .type = ARM_CP_ALIAS \| ARM_CP_EL3_NO_EL2_KEEP,
25	.fieldoffset = offsetof(CPUARMState, sp_el[1]) },
26	{ .name = "SPSel", .state = ARM_CP_STATE_AA64,
27	.opc0 = 3, .opc1 = 0, .crn = 4, .crm = 2, .opc2 = 0,