initial commit for Enea Linux 5.0 arm

Signed-off-by: Tudor Florea <tudor.florea@enea.com>

23 files changed, 1619 insertions, 0 deletions

diff --git a/meta/recipes-devtools/qemu/files/0001-Back-porting-security-fix-CVE-2014-5388.patch b/meta/recipes-devtools/qemu/files/0001-Back-porting-security-fix-CVE-2014-5388.patch
new file mode 100644
index 0000000000..ec541fa668
--- /dev/null
+++ b/meta/recipes-devtools/qemu/files/0001-Back-porting-security-fix-CVE-2014-5388.patch
@@ -0,0 +1,30 @@
+Prevent out-of-bounds array access on
+acpi_pcihp_pci_status.
+
+Upstream-Status: Backport
+
+Signed-off-by: Gonglei <arei.gonglei@huawei.com>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+v2:
+ - change commit message.
+ - add 'Reviewed-by'
+---
+ hw/acpi/pcihp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/acpi/pcihp.c b/hw/acpi/pcihp.c
+index fae663a..34dedf1 100644
+--- a/hw/acpi/pcihp.c
++++ b/hw/acpi/pcihp.c
+@@ -231,7 +231,7 @@ static uint64_t pci_read(void *opaque, hwaddr addr, unsigned int size)
+     uint32_t val = 0;
+     int bsel = s->hotplug_select;
+
+-    if (bsel < 0 || bsel > ACPI_PCIHP_MAX_HOTPLUG_BUS) {
++    if (bsel < 0 || bsel >= ACPI_PCIHP_MAX_HOTPLUG_BUS) {
+         return 0;
+     }
+
+--
+1.7.12.4
diff --git a/meta/recipes-devtools/qemu/files/Qemu-Arm-versatilepb-Add-memory-size-checking.patch b/meta/recipes-devtools/qemu/files/Qemu-Arm-versatilepb-Add-memory-size-checking.patch
new file mode 100644
index 0000000000..7f1c5a9058
--- /dev/null
+++ b/meta/recipes-devtools/qemu/files/Qemu-Arm-versatilepb-Add-memory-size-checking.patch
@@ -0,0 +1,40 @@
+From 896fa02c24347e6e9259812cfda187b1d6ca6199 Mon Sep 17 00:00:00 2001
+From: Jiang Lu <lu.jiang@windriver.com>
+Date: Wed, 13 Nov 2013 10:38:08 +0800
+Subject: [PATCH] Qemu:Arm:versatilepb: Add memory size checking
+
+The machine can not work with memory over 256M, so add a checking
+at startup. If the memory size exceed 256M, just stop emulation then
+throw out warning about memory limitation.
+
+Upstream-Status: Pending
+
+Signed-off-by: Jiang Lu <lu.jiang@windriver.com>
+
+Updated it on 2014-01-15 for rebasing
+
+Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
+---
+ hw/arm/versatilepb.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/hw/arm/versatilepb.c b/hw/arm/versatilepb.c
+index b48d84c..ad2cd5a 100644
+--- a/hw/arm/versatilepb.c
++++ b/hw/arm/versatilepb.c
+@@ -199,6 +199,12 @@ static void versatile_init(QEMUMachineInitArgs *args, int board_id)
+         fprintf(stderr, "Unable to find CPU definition\n");
+         exit(1);
+     }
++    if (ram_size > (256 << 20)) {
++        fprintf(stderr,
++                "qemu: Too much memory for this machine: %d MB, maximum 256 MB\n",
++                ((unsigned int)ram_size / (1 << 20)));
++        exit(1);
++    }
+     memory_region_init_ram(ram, NULL, "versatile.ram", machine->ram_size);
+     vmstate_register_ram_global(ram);
+     /* ??? RAM should repeat to fill physical memory space.  */
+-- 
+1.7.10.4
+
diff --git a/meta/recipes-devtools/qemu/files/exclude-some-arm-EABI-obsolete-syscalls.patch b/meta/recipes-devtools/qemu/files/exclude-some-arm-EABI-obsolete-syscalls.patch
new file mode 100644
index 0000000000..171bda7e95
--- /dev/null
+++ b/meta/recipes-devtools/qemu/files/exclude-some-arm-EABI-obsolete-syscalls.patch
@@ -0,0 +1,93 @@
+[PATCH] exclude some arm EABI obsolete syscalls
+
+Upstream-Status: Pending
+
+some syscalls are obsolete and no longer available for EABI, exclude them to
+fix the below error:
+        In file included from qemu-seccomp.c:16:0:
+        qemu-seccomp.c:28:7: error: '__NR_select' undeclared here (not in a function)
+              { SCMP_SYS(select), 252 },
+                ^
+        qemu-seccomp.c:36:7: error: '__NR_mmap' undeclared here (not in a function)
+              { SCMP_SYS(mmap), 247 },
+                ^
+        qemu-seccomp.c:57:7: error: '__NR_getrlimit' undeclared here (not in a function)
+              { SCMP_SYS(getrlimit), 245 },
+                ^
+        qemu-seccomp.c:96:7: error: '__NR_time' undeclared here (not in a function)
+              { SCMP_SYS(time), 245 },
+                ^
+        qemu-seccomp.c:185:7: error: '__NR_alarm' undeclared here (not in a function)
+              { SCMP_SYS(alarm), 241 },
+
+please refer source files:
+        arch/arm/include/uapi/asm/unistd.h
+or kernel header:
+        /usr/include/asm/unistd.h
+
+Signed-off-by: Roy.Li <rongqing.li@windriver.com>
+---
+ qemu-seccomp.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/qemu-seccomp.c b/qemu-seccomp.c
+index caa926e..5a78502 100644
+--- a/qemu-seccomp.c
++++ b/qemu-seccomp.c
+@@ -25,15 +25,21 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
+     { SCMP_SYS(timer_settime), 255 },
+     { SCMP_SYS(timer_gettime), 254 },
+     { SCMP_SYS(futex), 253 },
++#if !defined(__ARM_EABI__)
+     { SCMP_SYS(select), 252 },
++    { SCMP_SYS(time), 245 },
++    { SCMP_SYS(alarm), 241 },
++    { SCMP_SYS(getrlimit), 245 },
++    { SCMP_SYS(mmap), 247 },
++    { SCMP_SYS(socketcall), 250 },
++    { SCMP_SYS(ipc), 245 },
++#endif
+     { SCMP_SYS(recvfrom), 251 },
+     { SCMP_SYS(sendto), 250 },
+-    { SCMP_SYS(socketcall), 250 },
+     { SCMP_SYS(read), 249 },
+     { SCMP_SYS(io_submit), 249 },
+     { SCMP_SYS(brk), 248 },
+     { SCMP_SYS(clone), 247 },
+-    { SCMP_SYS(mmap), 247 },
+     { SCMP_SYS(mprotect), 246 },
+     { SCMP_SYS(execve), 245 },
+     { SCMP_SYS(open), 245 },
+@@ -48,13 +54,11 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
+     { SCMP_SYS(bind), 245 },
+     { SCMP_SYS(listen), 245 },
+     { SCMP_SYS(semget), 245 },
+-    { SCMP_SYS(ipc), 245 },
+     { SCMP_SYS(gettimeofday), 245 },
+     { SCMP_SYS(readlink), 245 },
+     { SCMP_SYS(access), 245 },
+     { SCMP_SYS(prctl), 245 },
+     { SCMP_SYS(signalfd), 245 },
+-    { SCMP_SYS(getrlimit), 245 },
+     { SCMP_SYS(set_tid_address), 245 },
+     { SCMP_SYS(statfs), 245 },
+     { SCMP_SYS(unlink), 245 },
+@@ -93,7 +97,6 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
+     { SCMP_SYS(times), 245 },
+     { SCMP_SYS(exit), 245 },
+     { SCMP_SYS(clock_gettime), 245 },
+-    { SCMP_SYS(time), 245 },
+     { SCMP_SYS(restart_syscall), 245 },
+     { SCMP_SYS(pwrite64), 245 },
+     { SCMP_SYS(nanosleep), 245 },
+@@ -182,7 +185,6 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
+     { SCMP_SYS(lstat64), 241 },
+     { SCMP_SYS(sendfile64), 241 },
+     { SCMP_SYS(ugetrlimit), 241 },
+-    { SCMP_SYS(alarm), 241 },
+     { SCMP_SYS(rt_sigsuspend), 241 },
+     { SCMP_SYS(rt_sigqueueinfo), 241 },
+     { SCMP_SYS(rt_tgsigqueueinfo), 241 },
+-- 
+1.9.1
+
diff --git a/meta/recipes-devtools/qemu/files/qemu-enlarge-env-entry-size.patch b/meta/recipes-devtools/qemu/files/qemu-enlarge-env-entry-size.patch
new file mode 100644
index 0000000000..c7425ab8d4
--- /dev/null
+++ b/meta/recipes-devtools/qemu/files/qemu-enlarge-env-entry-size.patch
@@ -0,0 +1,31 @@
+qemu: Add addition environment space to boot loader qemu-system-mips 
+
+Upstream-Status: Inappropriate - OE uses deep paths
+
+If you create a project with very long directory names like 128 characters
+deep and use NFS, the kernel arguments will be truncated. The kernel will
+accept longer strings such as 1024 bytes, but the qemu boot loader defaulted
+to only 256 bytes. This patch expands the limit.
+
+Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
+Signed-off-by: Roy Li <rongqing.li@windriver.com>
+---
+ hw/mips/mips_malta.c    |    2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/hw/mips/mips_malta.c b/hw/mips/mips_malta.c
+index 9d521cc..17c0391 100644
+--- a/hw/mips/mips_malta.c
++++ b/hw/mips/mips_malta.c
+@@ -53,7 +53,7 @@
+ 
+ #define ENVP_ADDR              0x80002000l
+ #define ENVP_NB_ENTRIES                16
+-#define ENVP_ENTRY_SIZE                256
++#define ENVP_ENTRY_SIZE                1024
+ 
+ /* Hardware addresses */
+ #define FLASH_ADDRESS 0x1e000000ULL
+-- 
+1.7.10.4
+
diff --git a/meta/recipes-devtools/qemu/nativesdk-qemu-helper_1.0.bb b/meta/recipes-devtools/qemu/nativesdk-qemu-helper_1.0.bb
new file mode 100644
index 0000000000..51d1c59699
--- /dev/null
+++ b/meta/recipes-devtools/qemu/nativesdk-qemu-helper_1.0.bb
@@ -0,0 +1,47 @@
+SUMMARY = "Qemu helper scripts"
+LICENSE = "GPLv2"
+RDEPENDS_${PN} = "nativesdk-qemu"
+PR = "r9"
+
+
+LIC_FILES_CHKSUM = "file://${WORKDIR}/tunctl.c;endline=4;md5=ff3a09996bc5fff6bc5d4e0b4c28f999 \
+                    file://${COREBASE}/scripts/runqemu;endline=18;md5=77fbe442a88b1bcdc29c3ba67733b21b"
+
+
+SRC_URI = "file://${COREBASE}/scripts/runqemu \
+           file://${COREBASE}/scripts/runqemu-internal \
+           file://${COREBASE}/scripts/runqemu-addptable2image \
+           file://${COREBASE}/scripts/runqemu-gen-tapdevs \
+           file://${COREBASE}/scripts/runqemu-ifup \
+           file://${COREBASE}/scripts/runqemu-ifdown \
+           file://${COREBASE}/scripts/oe-find-native-sysroot \
+           file://${COREBASE}/scripts/runqemu-extract-sdk \
+           file://${COREBASE}/scripts/runqemu-export-rootfs \
+           file://tunctl.c \
+           file://raw2flash.c \
+          "
+
+S = "${WORKDIR}"
+
+inherit nativesdk
+
+do_compile() {
+        ${CC} tunctl.c -o tunctl
+        ${CC} raw2flash.c -o raw2flash.spitz
+        ${CC} raw2flash.c -o flash2raw.spitz -Dflash2raw
+}
+
+do_install() {
+        install -d ${D}${bindir}
+        install -m 0755 ${WORKDIR}${COREBASE}/scripts/oe-* ${D}${bindir}/
+        install -m 0755 ${WORKDIR}${COREBASE}/scripts/runqemu* ${D}${bindir}/
+        install tunctl ${D}${bindir}/
+        install raw2flash.spitz ${D}${bindir}/
+        install flash2raw.spitz ${D}${bindir}/
+        ln -fs raw2flash.spitz ${D}${bindir}/raw2flash.akita
+        ln -fs raw2flash.spitz ${D}${bindir}/raw2flash.borzoi
+        ln -fs raw2flash.spitz ${D}${bindir}/raw2flash.terrier
+        ln -fs flash2raw.spitz ${D}${bindir}/flash2raw.akita
+        ln -fs flash2raw.spitz ${D}${bindir}/flash2raw.borzoi
+        ln -fs flash2raw.spitz ${D}${bindir}/flash2raw.terrier
+}
diff --git a/meta/recipes-devtools/qemu/qemu-helper-native_1.0.bb b/meta/recipes-devtools/qemu/qemu-helper-native_1.0.bb
new file mode 100644
index 0000000000..8d27c4db61
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu-helper-native_1.0.bb
@@ -0,0 +1,21 @@
+SUMMARY = "Helper utilities needed by the runqemu script"
+LICENSE = "GPLv2"
+RDEPENDS_${PN} = "qemu-native"
+PR = "r1"
+
+LIC_FILES_CHKSUM = "file://${WORKDIR}/tunctl.c;endline=4;md5=ff3a09996bc5fff6bc5d4e0b4c28f999"
+
+SRC_URI = "file://tunctl.c"
+
+S = "${WORKDIR}"
+
+inherit native
+
+do_compile() {
+        ${CC} tunctl.c -o tunctl
+}
+
+do_install() {
+        install -d ${D}${bindir}
+        install tunctl ${D}${bindir}/
+}
diff --git a/meta/recipes-devtools/qemu/qemu-helper/raw2flash.c b/meta/recipes-devtools/qemu/qemu-helper/raw2flash.c
new file mode 100644
index 0000000000..19faf629b9
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu-helper/raw2flash.c
@@ -0,0 +1,370 @@
+/*
+ * Copyright (c) 2006 OpenedHand Ltd.
+ *
+ * This file is licensed under GNU GPL v2.
+ */
+#include <string.h>
+#include <unistd.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <sys/types.h>
+#include <stdlib.h>
+
+#define TFR(_)          _
+#define VERBOSE
+#define PBAR_LEN        40
+
+#define PARTITION_START 0x00700000
+
+static const int ecc_pos8[] = {
+        0x0, 0x1, 0x2,
+};
+
+static const int ecc_pos16[] = {
+        0x0, 0x1, 0x2, 0x3, 0x6, 0x7,
+};
+
+static const int ecc_pos64[] = {
+        0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
+        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
+        0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f,
+};
+
+static const int ecc_akita[] = {
+        0x05, 0x01, 0x02, 0x03, 0x06, 0x07, 0x15, 0x11,
+        0x12, 0x13, 0x16, 0x17, 0x25, 0x21, 0x22, 0x23,
+        0x26, 0x27, 0x35, 0x31, 0x32, 0x33, 0x36, 0x37,
+};
+
+struct jffs_marker_s {
+        int pos;
+        uint8_t value;
+};
+
+static const struct jffs_marker_s free_pos8[] = {
+        { 0x03, 0xff }, { 0x04, 0xff }, { 0x06, 0x85 }, { 0x07, 0x19 },
+        { -1 },
+};
+
+static const struct jffs_marker_s free_pos16[] = {
+        { 0x08, 0x85 }, { 0x09, 0x19 }, { 0x0a, 0x03 }, { 0x0b, 0x20 },
+        { 0x0c, 0x08 }, { 0x0d, 0x00 }, { 0x0e, 0x00 }, { 0x0f, 0x00 },
+        { -1 },
+};
+
+static const struct jffs_marker_s free_pos64[] = {
+        { 0x02, 0xff }, { 0x03, 0xff }, { 0x04, 0xff }, { 0x05, 0xff },
+        { 0x06, 0xff }, { 0x07, 0xff }, { 0x08, 0xff }, { 0x09, 0xff },
+        { 0x0a, 0xff }, { 0x0b, 0xff }, { 0x0c, 0xff }, { 0x0d, 0xff },
+        { 0x0e, 0xff }, { 0x0f, 0xff }, { 0x10, 0x85 }, { 0x11, 0x19 },
+        { 0x12, 0x03 }, { 0x13, 0x20 }, { 0x14, 0x08 }, { 0x15, 0x00 },
+        { 0x16, 0x00 }, { 0x17, 0x00 }, { 0x18, 0xff }, { 0x19, 0xff },
+        { 0x1a, 0xff }, { 0x1b, 0xff }, { 0x1c, 0xff }, { 0x1d, 0xff },
+        { 0x1e, 0xff }, { 0x1f, 0xff }, { 0x20, 0xff }, { 0x21, 0xff },
+        { 0x22, 0xff }, { 0x23, 0xff }, { 0x24, 0xff }, { 0x25, 0xff },
+        { 0x26, 0xff }, { 0x27, 0xff },
+        { -1 },
+};
+
+static const struct jffs_marker_s free_akita[] = {
+        { 0x08, 0x85 }, { 0x09, 0x19 }, { 0x0a, 0x03 }, { 0x0b, 0x20 },
+        { 0x0c, 0x08 }, { 0x0d, 0x00 }, { 0x0e, 0x00 }, { 0x0f, 0x00 },
+        { 0x10, 0xff },
+        { -1 },
+};
+
+#define LEN(array)      (sizeof(array) / sizeof(*array))
+
+static const struct ecc_style_s {
+        int page_size;
+        int oob_size;
+        int eccbytes;
+        int eccsize;
+        const int *eccpos;
+        int romsize;
+        const struct jffs_marker_s *freepos;
+} spitz = {
+        0x200, 0x10, 0x100, LEN(ecc_pos16), ecc_pos16, 0x01000000, free_pos16
+}, akita = {
+        0x800, 0x40, 0x100, LEN(ecc_akita), ecc_akita, 0x08000000, free_akita
+}, borzoi = {
+        0x800, 0x40, 0x100, LEN(ecc_akita), ecc_akita, 0x08000000, free_akita
+}, terrier = {
+        0x800, 0x40, 0x100, LEN(ecc_akita), ecc_akita, 0x08000000, free_akita
+};
+
+struct ecc_state_s {
+        int count;
+        uint8_t cp;
+        uint8_t lp[2];
+        const struct ecc_style_s *style;
+};
+
+#ifndef flash2raw
+/*
+ * Pre-calculated 256-way 1 byte column parity.  Table borrowed from Linux.
+ */
+static const uint8_t ecc_precalc_table[] = {
+        0x00, 0x55, 0x56, 0x03, 0x59, 0x0c, 0x0f, 0x5a,
+        0x5a, 0x0f, 0x0c, 0x59, 0x03, 0x56, 0x55, 0x00,
+        0x65, 0x30, 0x33, 0x66, 0x3c, 0x69, 0x6a, 0x3f,
+        0x3f, 0x6a, 0x69, 0x3c, 0x66, 0x33, 0x30, 0x65,
+        0x66, 0x33, 0x30, 0x65, 0x3f, 0x6a, 0x69, 0x3c,
+        0x3c, 0x69, 0x6a, 0x3f, 0x65, 0x30, 0x33, 0x66,
+        0x03, 0x56, 0x55, 0x00, 0x5a, 0x0f, 0x0c, 0x59,
+        0x59, 0x0c, 0x0f, 0x5a, 0x00, 0x55, 0x56, 0x03,
+        0x69, 0x3c, 0x3f, 0x6a, 0x30, 0x65, 0x66, 0x33,
+        0x33, 0x66, 0x65, 0x30, 0x6a, 0x3f, 0x3c, 0x69,
+        0x0c, 0x59, 0x5a, 0x0f, 0x55, 0x00, 0x03, 0x56,
+        0x56, 0x03, 0x00, 0x55, 0x0f, 0x5a, 0x59, 0x0c,
+        0x0f, 0x5a, 0x59, 0x0c, 0x56, 0x03, 0x00, 0x55,
+        0x55, 0x00, 0x03, 0x56, 0x0c, 0x59, 0x5a, 0x0f,
+        0x6a, 0x3f, 0x3c, 0x69, 0x33, 0x66, 0x65, 0x30,
+        0x30, 0x65, 0x66, 0x33, 0x69, 0x3c, 0x3f, 0x6a,
+        0x6a, 0x3f, 0x3c, 0x69, 0x33, 0x66, 0x65, 0x30,
+        0x30, 0x65, 0x66, 0x33, 0x69, 0x3c, 0x3f, 0x6a,
+        0x0f, 0x5a, 0x59, 0x0c, 0x56, 0x03, 0x00, 0x55,
+        0x55, 0x00, 0x03, 0x56, 0x0c, 0x59, 0x5a, 0x0f,
+        0x0c, 0x59, 0x5a, 0x0f, 0x55, 0x00, 0x03, 0x56,
+        0x56, 0x03, 0x00, 0x55, 0x0f, 0x5a, 0x59, 0x0c,
+        0x69, 0x3c, 0x3f, 0x6a, 0x30, 0x65, 0x66, 0x33,
+        0x33, 0x66, 0x65, 0x30, 0x6a, 0x3f, 0x3c, 0x69,
+        0x03, 0x56, 0x55, 0x00, 0x5a, 0x0f, 0x0c, 0x59,
+        0x59, 0x0c, 0x0f, 0x5a, 0x00, 0x55, 0x56, 0x03,
+        0x66, 0x33, 0x30, 0x65, 0x3f, 0x6a, 0x69, 0x3c,
+        0x3c, 0x69, 0x6a, 0x3f, 0x65, 0x30, 0x33, 0x66,
+        0x65, 0x30, 0x33, 0x66, 0x3c, 0x69, 0x6a, 0x3f,
+        0x3f, 0x6a, 0x69, 0x3c, 0x66, 0x33, 0x30, 0x65,
+        0x00, 0x55, 0x56, 0x03, 0x59, 0x0c, 0x0f, 0x5a,
+        0x5a, 0x0f, 0x0c, 0x59, 0x03, 0x56, 0x55, 0x00,
+};
+
+/* Update ECC parity count */
+static inline uint8_t ecc_digest(struct ecc_state_s *s, uint8_t sample) {
+        uint8_t idx = ecc_precalc_table[sample];
+
+        s->cp ^= idx & 0x3f;
+        if (idx & 0x40) {
+                s->lp[0] ^= ~(s->count & 0xff);
+                s->lp[1] ^= s->count & 0xff;
+        }
+        s->count ++;
+
+        return sample;
+}
+
+static void buffer_digest(struct ecc_state_s *ecc,
+                const uint8_t *buf, uint8_t *out) {
+        int i, lp_a[2];
+
+        ecc->lp[0] = 0x00;
+        ecc->lp[1] = 0x00;
+        ecc->cp = 0x00;
+        ecc->count = 0;
+        for (i = 0; i < ecc->style->eccbytes; i ++)
+                ecc_digest(ecc, buf[i]);
+
+# define BSHR(byte, from, to)   ((ecc->lp[byte] >> (from - to)) & (1 << to))
+        lp_a[0] =
+                BSHR(0, 4, 0) | BSHR(0, 5, 2) |
+                BSHR(0, 6, 4) | BSHR(0, 7, 6) |
+                BSHR(1, 4, 1) | BSHR(1, 5, 3) |
+                BSHR(1, 6, 5) | BSHR(1, 7, 7);
+
+# define BSHL(byte, from, to)   ((ecc->lp[byte] << (to - from)) & (1 << to))
+        lp_a[1] =
+                BSHL(0, 0, 0) | BSHL(0, 1, 2) |
+                BSHL(0, 2, 4) | BSHL(0, 3, 6) |
+                BSHL(1, 0, 1) | BSHL(1, 1, 3) |
+                BSHL(1, 2, 5) | BSHL(1, 3, 7);
+
+        out[0] = ~lp_a[1];
+        out[1] = ~lp_a[0];
+        out[2] = (~ecc->cp << 2) | 0x03;
+}
+
+static void jffs2_format(const struct ecc_state_s *ecc, uint8_t oob[]) {
+        const struct jffs_marker_s *byte;
+        for (byte = ecc->style->freepos; byte->pos >= 0; byte ++)
+                oob[byte->pos] = byte->value;
+}
+
+static void buffer_fill(const struct ecc_state_s *ecc, uint8_t buffer[],
+                int *len, int *partition, int count, uint8_t jffs_buffer[]) {
+        int ret;
+
+        switch (*partition) {
+        case 0:
+                if (count < PARTITION_START) {
+                        memcpy(buffer, jffs_buffer + count,
+                                        ecc->style->eccbytes);
+                        *len = ecc->style->eccbytes;
+                        break;
+                }
+                *partition = 1;
+        case 1:
+                if (count - PARTITION_START < PARTITION_START) {
+                        memcpy(buffer, jffs_buffer + count - PARTITION_START,
+                                        ecc->style->eccbytes);
+                        *len = ecc->style->eccbytes;
+                        break;
+                }
+
+                while (*len < ecc->style->eccbytes) {
+                        ret = TFR(read(0, buffer + *len, 0x800 - *len));
+                        if (ret <= 0)
+                                break;
+                        *len += ret;
+                }
+
+                if (*len == 0)
+                        *partition = 2;
+                else if (*len < ecc->style->eccbytes) {
+                        fprintf(stderr, "\nWarning: %i stray bytes\n", *len);
+                        memset(buffer + *len, 0xff,
+                                        ecc->style->eccbytes - *len);
+                        *len = ecc->style->eccbytes;
+                        break;
+                } else
+                        break;
+        case 2:
+                memset(buffer, 0xff, ecc->style->eccbytes);
+                *len = ecc->style->eccbytes;
+                break;
+        }
+}
+
+int main(int argc, char *argv[], char *envp[]) {
+        struct ecc_state_s ecc;
+        uint8_t buffer[0x1000], ecc_payload[0x40], regs[3], *jffs;
+        int ret, len, eccbyte, count, partition;
+
+        /* Check if we're called by "raw2flash.spitz" or similar */
+        len = strlen(argv[0]);
+        if (!strcasecmp(argv[0] + len - 5, "akita"))
+                ecc.style = &akita;
+        else if (!strcasecmp(argv[0] + len - 6, "borzoi"))
+                ecc.style = &borzoi;
+        else if (!strcasecmp(argv[0] + len - 7, "terrier"))
+                ecc.style = &terrier;
+        else
+                ecc.style = &spitz;
+
+# ifdef VERBOSE
+        fprintf(stderr, "[");
+# endif
+
+        /* Skip first 10 bytes */
+        TFR(read(0, buffer, 0x10));
+
+        len = 0;
+        jffs = (uint8_t *) malloc(PARTITION_START);
+        while (len < PARTITION_START) {
+                ret = TFR(read(0, jffs + len, PARTITION_START - len));
+                if (ret <= 0)
+                        break;
+                len += ret;
+        }
+
+        /* Convert data from stdin */
+        partition = len = eccbyte = count = 0;
+        memset(ecc_payload, 0xff, ecc.style->oob_size);
+        jffs2_format(&ecc, ecc_payload);
+        while (count < ecc.style->romsize) {
+                buffer_fill(&ecc, buffer, &len, &partition, count, jffs);
+                buffer_digest(&ecc, buffer, regs);
+
+                ecc_payload[ecc.style->eccpos[eccbyte ++]] = regs[0];
+                ecc_payload[ecc.style->eccpos[eccbyte ++]] = regs[1];
+                ecc_payload[ecc.style->eccpos[eccbyte ++]] = regs[2];
+
+                TFR(write(1, buffer, ecc.style->eccbytes));
+                count += ecc.style->eccbytes;
+                len -= ecc.style->eccbytes;
+                memmove(buffer, buffer + ecc.style->eccbytes, len);
+
+                if (eccbyte >= ecc.style->eccsize) {
+                        TFR(write(1, ecc_payload, ecc.style->oob_size));
+                        eccbyte = 0;
+                        memset(ecc_payload, 0xff, ecc.style->oob_size);
+                        if (partition < 2)
+                                jffs2_format(&ecc, ecc_payload);
+                }
+
+# ifdef VERBOSE
+                if (count * PBAR_LEN / ecc.style->romsize >
+                                (count - ecc.style->eccbytes) *
+                                PBAR_LEN / ecc.style->romsize)
+                        fprintf(stderr, "#");
+# endif
+        }
+
+# ifdef VERBOSE
+        fprintf(stderr, "]\n");
+# endif
+        free(jffs);
+        return 0;
+}
+#else
+int main(int argc, char *argv[], char *envp[]) {
+        struct ecc_state_s ecc;
+        uint8_t buffer[0x1000];
+        int ret, len, count;
+
+        /* Check if we're called by "flash2raw.spitz" or similar */
+        len = strlen(argv[0]);
+        if (!strcasecmp(argv[0] + len - 5, "akita"))
+                ecc.style = &akita;
+        else if (!strcasecmp(argv[0] + len - 6, "borzoi"))
+                ecc.style = &borzoi;
+        else if (!strcasecmp(argv[0] + len - 7, "terrier"))
+                ecc.style = &terrier;
+        else
+                ecc.style = &spitz;
+
+# ifdef VERBOSE
+        fprintf(stderr, "[");
+# endif
+
+        /* Convert data from stdin */
+        count = 0;
+        while (count < ecc.style->romsize) {
+                len = 0;
+                while (len < ecc.style->page_size) {
+                        ret = TFR(read(0, buffer + len,
+                                                ecc.style->page_size - len));
+                        if (ret <= 0)
+                                break;
+                        len += ret;
+                }
+                if (len == 0)
+                        break;
+                if (len < ecc.style->page_size) {
+                        fprintf(stderr, "\nWarning: %i stray bytes\n", len);
+                }
+
+                TFR(write(1, buffer, ecc.style->page_size));
+
+                count += len;
+                len = 0;
+                while (len < ecc.style->oob_size) {
+                        ret = TFR(read(0, buffer, ecc.style->oob_size - len));
+                        if (ret <= 0)
+                                break;
+                        len += ret;
+                }
+
+# ifdef VERBOSE
+                if (count * PBAR_LEN / ecc.style->romsize >
+                                (count - ecc.style->page_size) *
+                                PBAR_LEN / ecc.style->romsize)
+                        fprintf(stderr, "#");
+# endif
+        }
+
+# ifdef VERBOSE
+        fprintf(stderr, "]\n");
+# endif
+        return 0;
+}
+#endif
diff --git a/meta/recipes-devtools/qemu/qemu-helper/tunctl.c b/meta/recipes-devtools/qemu/qemu-helper/tunctl.c
new file mode 100644
index 0000000000..16e24a2add
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu-helper/tunctl.c
@@ -0,0 +1,156 @@
+/* Copyright 2002 Jeff Dike
+ * Licensed under the GPL
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <pwd.h>
+#include <grp.h>
+#include <net/if.h>
+#include <sys/ioctl.h>
+#include <linux/if_tun.h>
+
+/* TUNSETGROUP appeared in 2.6.23 */
+#ifndef TUNSETGROUP
+#define TUNSETGROUP   _IOW('T', 206, int)
+#endif
+
+static void Usage(char *name)
+{
+  fprintf(stderr, "Create: %s [-b] [-u owner] [-g group] [-t device-name] "
+          "[-f tun-clone-device]\n", name);
+  fprintf(stderr, "Delete: %s -d device-name [-f tun-clone-device]\n\n",
+          name);
+  fprintf(stderr, "The default tun clone device is /dev/net/tun - some systems"
+          " use\n/dev/misc/net/tun instead\n\n");
+  fprintf(stderr, "-b will result in brief output (just the device name)\n");
+  exit(1);
+}
+
+int main(int argc, char **argv)
+{
+  struct ifreq ifr;
+  struct passwd *pw;
+  struct group *gr;
+  uid_t owner = -1;
+  gid_t group = -1;
+  int tap_fd, opt, delete = 0, brief = 0;
+  char *tun = "", *file = "/dev/net/tun", *name = argv[0], *end;
+
+  while((opt = getopt(argc, argv, "bd:f:t:u:g:")) > 0){
+    switch(opt) {
+      case 'b':
+        brief = 1;
+        break;
+      case 'd':
+        delete = 1;
+        tun = optarg;
+        break;
+      case 'f':
+        file = optarg;
+        break;
+      case 'u':
+        pw = getpwnam(optarg);
+        if(pw != NULL){
+          owner = pw->pw_uid;
+          break;
+        }
+        owner = strtol(optarg, &end, 0);
+        if(*end != '\0'){
+          fprintf(stderr, "'%s' is neither a username nor a numeric uid.\n",
+                  optarg);
+          Usage(name);
+        }
+        break;
+      case 'g':
+        gr = getgrnam(optarg);
+        if(gr != NULL){
+          group = gr->gr_gid;
+          break;
+        }
+        group = strtol(optarg, &end, 0);
+        if(*end != '\0'){
+          fprintf(stderr, "'%s' is neither a groupname nor a numeric group.\n",
+                  optarg);
+          Usage(name);
+        }
+        break;
+
+      case 't':
+        tun = optarg;
+        break;
+      case 'h':
+      default:
+        Usage(name);
+    }
+  }
+
+  argv += optind;
+  argc -= optind;
+
+  if(argc > 0)
+    Usage(name);
+
+  if((tap_fd = open(file, O_RDWR)) < 0){
+    fprintf(stderr, "Failed to open '%s' : ", file);
+    perror("");
+    exit(1);
+  }
+
+  memset(&ifr, 0, sizeof(ifr));
+
+  ifr.ifr_flags = IFF_TAP | IFF_NO_PI;
+  strncpy(ifr.ifr_name, tun, sizeof(ifr.ifr_name) - 1);
+  if(ioctl(tap_fd, TUNSETIFF, (void *) &ifr) < 0){
+    perror("TUNSETIFF");
+    exit(1);
+  }
+
+  if(delete){
+    if(ioctl(tap_fd, TUNSETPERSIST, 0) < 0){
+      perror("disabling TUNSETPERSIST");
+      exit(1);
+    }
+    printf("Set '%s' nonpersistent\n", ifr.ifr_name);
+  }
+  else {
+    /* emulate behaviour prior to TUNSETGROUP */
+    if(owner == -1 && group == -1) {
+      owner = geteuid();
+    }
+
+    if(owner != -1) {
+      if(ioctl(tap_fd, TUNSETOWNER, owner) < 0){
+        perror("TUNSETOWNER");
+        exit(1);
+      }
+    }
+    if(group != -1) {
+      if(ioctl(tap_fd, TUNSETGROUP, group) < 0){
+        perror("TUNSETGROUP");
+        exit(1);
+      }
+    }
+
+    if(ioctl(tap_fd, TUNSETPERSIST, 1) < 0){
+      perror("enabling TUNSETPERSIST");
+      exit(1);
+    }
+
+    if(brief)
+      printf("%s\n", ifr.ifr_name);
+    else {
+      printf("Set '%s' persistent and owned by", ifr.ifr_name);
+      if(owner != -1)
+          printf(" uid %d", owner);
+      if(group != -1)
+          printf(" gid %d", group);
+      printf("\n");
+    }
+  }
+  return(0);
+}
diff --git a/meta/recipes-devtools/qemu/qemu-targets.inc b/meta/recipes-devtools/qemu/qemu-targets.inc
new file mode 100644
index 0000000000..5c3565544e
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu-targets.inc
@@ -0,0 +1,22 @@
+# possible arch values are arm aarch64 mips mipsel mips64 mips64el ppc ppc64 ppc64abi32
+# ppcemb armeb alpha sparc32plus i386 x86_64 cris m68k microblaze sparc sparc32
+# sparc32plus
+
+def get_qemu_target_list(d):
+    import bb
+    archs = d.getVar('QEMU_TARGETS', True).split()
+    tos = d.getVar('HOST_OS', True)
+    softmmuonly = ""
+    for arch in ['mips64', 'mips64el', 'ppcemb']:
+        if arch in archs:
+            softmmuonly += arch + "-softmmu,"
+            archs.remove(arch)
+    linuxuseronly = ""
+    for arch in ['armeb', 'alpha', 'ppc64abi32', 'sparc32plus']:
+        if arch in archs:
+            linuxuseronly += arch + "-linux-user,"
+            archs.remove(arch)
+    if 'linux' not in tos:
+        return softmmuonly + ''.join([arch + "-softmmu" + "," for arch in archs]).rstrip(',')
+    return softmmuonly + linuxuseronly + ''.join([arch + "-linux-user" + "," + arch + "-softmmu" + "," for arch in archs]).rstrip(',')
+
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
new file mode 100644
index 0000000000..c9a5d328f9
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -0,0 +1,124 @@
+SUMMARY = "Fast open source processor emulator"
+HOMEPAGE = "http://qemu.org"
+LICENSE = "GPLv2 & LGPLv2.1"
+DEPENDS = "glib-2.0 zlib pixman"
+RDEPENDS_${PN}_class-target += "bash python"
+
+require qemu-targets.inc
+inherit autotools-brokensep
+BBCLASSEXTEND = "native nativesdk"
+
+# QEMU_TARGETS is overridable variable
+QEMU_TARGETS ?= "arm aarch64 i386 mips mipsel mips64 mips64el ppc sh4 x86_64"
+
+SRC_URI = "\
+    file://powerpc_rom.bin \
+    file://larger_default_ram_size.patch \
+    file://disable-grabs.patch \
+    file://exclude-some-arm-EABI-obsolete-syscalls.patch \
+    file://wacom.patch \
+    "
+
+SRC_URI_append_class-native = "\
+    file://fix-libcap-header-issue-on-some-distro.patch \
+    "
+
+EXTRA_OECONF += "--target-list=${@get_qemu_target_list(d)} --disable-werror  --disable-bluez --disable-libiscsi --with-system-pixman --extra-cflags='${CFLAGS}'"
+
+EXTRA_OECONF_class-nativesdk = "--target-list=${@get_qemu_target_list(d)} --disable-werror \
+                                "
+export LIBTOOL="${HOST_SYS}-libtool"
+
+do_configure_prepend_class-native() {
+        # Append build host pkg-config paths for native target since the host may provide sdl
+        BHOST_PKGCONFIG_PATH=$(PATH=/usr/bin:/bin pkg-config --variable pc_path pkg-config || echo "")
+        if [ ! -z "$BHOST_PKGCONFIG_PATH" ]; then
+                export PKG_CONFIG_PATH=$PKG_CONFIG_PATH:$BHOST_PKGCONFIG_PATH
+        fi
+
+        # Undo the -lX11 added by linker-flags.patch, don't assume that host has libX11 installed
+        sed -i 's/-lX11//g' Makefile.target
+}
+
+do_configure_prepend_class-nativesdk() {
+        if [ "${@bb.utils.contains('DISTRO_FEATURES', 'x11', 'x11', '', d)}" = "" ] ; then
+                # Undo the -lX11 added by linker-flags.patch
+                sed -i 's/-lX11//g' Makefile.target
+        fi
+}
+
+KVMENABLE = "--enable-kvm"
+KVMENABLE_darwin = "--disable-kvm"
+KVMENABLE_mingw32 = "--disable-kvm"
+
+do_configure() {
+    # Handle distros such as CentOS 5 32-bit that do not have kvm support
+    KVMOPTS="--disable-kvm"
+    if [ "${PN}" != "qemu-native" -a "${PN}" != "nativesdk-qemu" ] \
+       || [ -f /usr/include/linux/kvm.h ] ; then
+       KVMOPTS="${KVMENABLE}"
+    fi
+
+    ${S}/configure --prefix=${prefix} --sysconfdir=${sysconfdir} --libexecdir=${libexecdir} --localstatedir=${localstatedir} --disable-strip ${EXTRA_OECONF} $KVMOPTS
+    test ! -e ${S}/target-i386/beginend_funcs.sh || chmod a+x ${S}/target-i386/beginend_funcs.sh
+}
+
+do_install () {
+        export STRIP="true"
+        autotools_do_install
+        install -d ${D}${datadir}/qemu
+        install -m 0755 ${WORKDIR}/powerpc_rom.bin ${D}${datadir}/qemu
+}
+
+# The following fragment will create a wrapper for qemu-mips user emulation
+# binary in order to work around a segmentation fault issue. Basically, by
+# default, the reserved virtual address space for 32-on-64 bit is set to 4GB.
+# This will trigger a MMU access fault in the virtual CPU. With this change,
+# the qemu-mips works fine.
+# IMPORTANT: This piece needs to be removed once the root cause is fixed!
+do_install_append() {
+        if [ -e "${D}/${bindir}/qemu-mips" ]; then
+                create_wrapper ${D}/${bindir}/qemu-mips \
+                        QEMU_RESERVED_VA=0x0
+        fi
+}
+# END of qemu-mips workaround
+
+PACKAGECONFIG ??= "fdt sdl alsa"
+PACKAGECONFIG_class-native ??= "fdt alsa"
+PACKAGECONFIG_class-nativesdk ??= "fdt sdl"
+NATIVEDEPS = ""
+NATIVEDEPS_class-native = "${@bb.utils.contains('DISTRO_FEATURES', 'x11', 'libxext-native', '',d)}"
+PACKAGECONFIG[sdl] = "--enable-sdl,--disable-sdl,libsdl ${NATIVEDEPS},"
+PACKAGECONFIG[virtfs] = "--enable-virtfs --enable-attr,--disable-virtfs,libcap attr,"
+PACKAGECONFIG[aio] = "--enable-linux-aio,--disable-linux-aio,libaio,"
+PACKAGECONFIG[xfs] = "--enable-xfsctl,--disable-xfsctl,xfsprogs,"
+PACKAGECONFIG[xen] = "--enable-xen, --disable-xen,,"
+PACKAGECONFIG[quorum] = "--enable-quorum, --disable-quorum, gnutls,"
+PACKAGECONFIG[vnc-tls] = "--enable-vnc --enable-vnc-tls,--disable-vnc-tls, gnutls,"
+PACKAGECONFIG[vnc-ws] = "--enable-vnc --enable-vnc-ws,--disable-vnc-ws, gnutls,"
+PACKAGECONFIG[vnc-sasl] = "--enable-vnc --enable-vnc-sasl,--disable-vnc-sasl,cyrus-sasl,"
+PACKAGECONFIG[vnc-jpeg] = "--enable-vnc --enable-vnc-jpeg,--disable-vnc-jpeg,jpeg,"
+PACKAGECONFIG[vnc-png] = "--enable-vnc --enable-vnc-png,--disable-vnc-png,libpng,"
+PACKAGECONFIG[libcurl] = "--enable-curl,--disable-curl,libcurl,"
+PACKAGECONFIG[nss] = "--enable-smartcard-nss,--disable-smartcard-nss,nss,"
+PACKAGECONFIG[uuid] = "--enable-uuid,--disable-uuid,util-linux,"
+PACKAGECONFIG[curses] = "--enable-curses,--disable-curses,ncurses,"
+PACKAGECONFIG[gtk+] = "--enable-gtk --enable-vte,--disable-gtk --disable-vte,gtk+ libvte,"
+PACKAGECONFIG[libcap-ng] = "--enable-cap-ng,--disable-cap-ng,libcap-ng,"
+PACKAGECONFIG[ssh2] = "--enable-libssh2,--disable-libssh2,libssh2,"
+PACKAGECONFIG[libusb] = "--enable-libusb,--disable-libusb,libusb1"
+PACKAGECONFIG[fdt] = "--enable-fdt,--disable-fdt,dtc"
+PACKAGECONFIG[alsa] = ",,alsa-lib"
+PACKAGECONFIG[glx] = "--enable-glx,--disable-glx,mesa"
+PACKAGECONFIG[lzo] = "--enable-lzo,--disable-lzo,lzo"
+PACKAGECONFIG[numa] = "--enable-numa,--disable-numa,numactl"
+
+EXTRA_OECONF += "${@bb.utils.contains('PACKAGECONFIG', 'alsa', '--audio-drv-list=oss,alsa', '', d)}"
+
+# Qemu target will not build in world build for ARM or Mips
+BROKEN_qemuarm = "1"
+BROKEN_qemumips64 = "1"
+BROKEN_qemumips = "1"
+
+INSANE_SKIP_${PN} = "arch"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2014-7840.patch b/meta/recipes-devtools/qemu/qemu/CVE-2014-7840.patch
new file mode 100644
index 0000000000..4f992bae14
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2014-7840.patch
@@ -0,0 +1,57 @@
+From 0be839a2701369f669532ea5884c15bead1c6e08 Mon Sep 17 00:00:00 2001
+From: "Michael S. Tsirkin" <mst@redhat.com>
+Date: Wed, 12 Nov 2014 11:44:39 +0200
+Subject: [PATCH] migration: fix parameter validation on ram load
+
+During migration, the values read from migration stream during ram load
+are not validated. Especially offset in host_from_stream_offset() and
+also the length of the writes in the callers of said function.
+
+To fix this, we need to make sure that the [offset, offset + length]
+range fits into one of the allocated memory regions.
+
+Validating addr < len should be sufficient since data seems to always be
+managed in TARGET_PAGE_SIZE chunks.
+
+Fixes: CVE-2014-7840
+
+Upstream-Status: Backport
+
+Note: follow-up patches add extra checks on each block->host access.
+
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
+Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Signed-off-by: Amit Shah <amit.shah@redhat.com>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ arch_init.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/arch_init.c b/arch_init.c
+index 88a5ba0..593a990 100644
+--- a/arch_init.c
++++ b/arch_init.c
+@@ -1006,7 +1006,7 @@ static inline void *host_from_stream_offset(QEMUFile *f,
+     uint8_t len;
+ 
+     if (flags & RAM_SAVE_FLAG_CONTINUE) {
+-        if (!block) {
++        if (!block || block->length <= offset) {
+             error_report("Ack, bad migration stream!");
+             return NULL;
+         }
+@@ -1019,8 +1019,9 @@ static inline void *host_from_stream_offset(QEMUFile *f,
+     id[len] = 0;
+ 
+     QTAILQ_FOREACH(block, &ram_list.blocks, next) {
+-        if (!strncmp(id, block->idstr, sizeof(id)))
++        if (!strncmp(id, block->idstr, sizeof(id)) && block->length > offset) {
+             return memory_region_get_ram_ptr(block->mr) + offset;
++        }
+     }
+ 
+     error_report("Can't find block %s!", id);
+-- 
+1.9.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/configure-fix-Darwin-target-detection.patch b/meta/recipes-devtools/qemu/qemu/configure-fix-Darwin-target-detection.patch
new file mode 100644
index 0000000000..59cdc1c304
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/configure-fix-Darwin-target-detection.patch
@@ -0,0 +1,32 @@
+Upstream-Status: Pending
+Signed-off-by: Cristian Iorga <cristian.iorga@intel.com>
+
+From 9ac096d8eccf2d56ece646320c282c8369f8337c Mon Sep 17 00:00:00 2001
+From: Cristian Iorga <cristian.iorga@intel.com>
+Date: Tue, 29 Jul 2014 18:35:59 +0300
+Subject: [PATCH] configure: fix Darwin target detection
+
+fix Darwin target detection for qemu
+cross-compilation.
+
+Signed-off-by: Cristian Iorga <cristian.iorga@intel.com>
+---
+ configure | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/configure b/configure
+index 283c71c..1c66a11 100755
+--- a/configure
++++ b/configure
+@@ -444,6 +444,8 @@ elif check_define __sun__ ; then
+   targetos='SunOS'
+ elif check_define __HAIKU__ ; then
+   targetos='Haiku'
++elif check_define __APPLE__ ; then
++  targetos='Darwin'
+ else
+   targetos=`uname -s`
+ fi
+-- 
+1.9.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/disable-grabs.patch b/meta/recipes-devtools/qemu/qemu/disable-grabs.patch
new file mode 100644
index 0000000000..41726b1c87
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/disable-grabs.patch
@@ -0,0 +1,72 @@
+When the pointer enters the Qemu window it calls SDL_WM_GrabInput, which calls
+XGrabPointer in a busyloop until it returns GrabSuccess. However if there's already
+a pointer grab (screen is locked, a menu is open) then qemu will hang until the
+grab can be taken.  In the specific case of a headless X server on an autobuilder, once
+the screensaver has kicked in any qemu instance that appears underneath the
+pointer will hang.
+
+I'm not entirely sure why pointer grabs are required (the documentation
+explicitly says it doesn't do grabs when using a tablet, which we are) so wrap
+them in a conditional that can be set by the autobuilder environment, preserving
+the current grabbing behaviour for everyone else.
+
+Upstream-Status: Pending
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From 4b1988ecb01a178269ec0513a75f2ec620c7ef6a Mon Sep 17 00:00:00 2001
+From: Ross Burton <ross.burton@intel.com>
+Date: Wed, 18 Sep 2013 14:04:54 +0100
+Subject: [PATCH] sdl.c: allow user to disable pointer grabs
+
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+Signed-off-by: Eric Bénard <eric@eukrea.com>
+---
+ ui/sdl.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/ui/sdl.c b/ui/sdl.c
+index 39a42d6..9b8abe5 100644
+--- a/ui/sdl.c
++++ b/ui/sdl.c
+@@ -59,6 +59,10 @@ static SDL_Cursor *guest_sprite = NULL;
+ static SDL_PixelFormat host_format;
+ static int scaling_active = 0;
+ static Notifier mouse_mode_notifier;
++#ifndef True
++#define True 1
++#endif
++static doing_grabs = True;
+ 
+ static void sdl_update(DisplayChangeListener *dcl,
+                        int x, int y, int w, int h)
+@@ -384,14 +388,16 @@ static void sdl_grab_start(void)
+             SDL_WarpMouse(guest_x, guest_y);
+     } else
+         sdl_hide_cursor();
+-    SDL_WM_GrabInput(SDL_GRAB_ON);
++    if (doing_grabs)
++      SDL_WM_GrabInput(SDL_GRAB_ON);
+     gui_grab = 1;
+     sdl_update_caption();
+ }
+ 
+ static void sdl_grab_end(void)
+ {
+-    SDL_WM_GrabInput(SDL_GRAB_OFF);
++    if (doing_grabs)
++      SDL_WM_GrabInput(SDL_GRAB_OFF);
+     gui_grab = 0;
+     sdl_show_cursor();
+     sdl_update_caption();
+@@ -909,6 +915,8 @@ void sdl_display_init(DisplayState *ds, int full_screen, int no_frame)
+      * This requires SDL >= 1.2.14. */
+     setenv("SDL_DISABLE_LOCK_KEYS", "1", 1);
+ 
++    doing_grabs = (getenv("QEMU_DONT_GRAB") == NULL);
++
+     flags = SDL_INIT_VIDEO | SDL_INIT_NOPARACHUTE;
+     if (SDL_Init (flags)) {
+         fprintf(stderr, "Could not initialize SDL(%s) - exiting\n",
+-- 
+1.8.3.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/fix-libcap-header-issue-on-some-distro.patch b/meta/recipes-devtools/qemu/qemu/fix-libcap-header-issue-on-some-distro.patch
new file mode 100644
index 0000000000..13a6ea23b1
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/fix-libcap-header-issue-on-some-distro.patch
@@ -0,0 +1,84 @@
+fix libcap header issue on some distro
+
+1, When build qemu-native on SLED 11.2, there is an error:
+...
+| In file included from /usr/include/bits/sigcontext.h:28,
+|  from /usr/include/signal.h:339,
+|  from /buildarea2/tmp/work/i686-linux/qemu-native/1.4.0-r0/
+qemu-1.4.0/include/qemu-common.h:42,
+|  from fsdev/virtfs-proxy-helper.c:23:
+|  /usr/include/asm/sigcontext.h:28: error: expected specifier-
+qualifier-list before '__u64'
+|  /usr/include/asm/sigcontext.h:191: error: expected specifier-
+qualifier-list before '__u64'
+...
+
+2, The virtfs-proxy-helper.c includes <sys/capability.h> and
+qemu-common.h in sequence. The header include map is:
+(`-->' presents `include')
+...
+"virtfs-proxy-helper.c" --> <sys/capability.h>
+...
+"virtfs-proxy-helper.c" --> "qemu-common.h" --> <signal.h> -->
+<bits/sigcontext.h> --> <asm/sigcontext.h> --> <linux/types.h> -->
+<asm/types.h> --> <asm-generic/types.h> --> <asm-generic/int-ll64.h>
+...
+
+3, The bug is found on SLED 11.2 x86. In libcap header file
+/usr/include/sys/capability.h, it does evil stuff like this:
+...
+  25 /*
+  26  * Make sure we can be included from userland by preventing
+  27  * capability.h from including other kernel headers
+  28  */
+  29 #define _LINUX_TYPES_H
+  30 #define _LINUX_FS_H
+  31 #define __LINUX_COMPILER_H
+  32 #define __user
+  33
+  34 typedef unsigned int __u32;
+  35 typedef __u32 __le32;
+...
+This completely prevents including /usr/include/linux/types.h.
+The above `<asm/sigcontext.h> --> <linux/types.h>' is prevented,
+and '__u64' is defined in <asm-generic/int-ll64.h>.
+
+4, Modify virtfs-proxy-helper.c to include <sys/capability.h>
+last to workaround the issue.
+
+http://www.linuxtv.org/pipermail/vdr/2009-August/021194.html
+http://patchwork.linuxtv.org/patch/12748/
+
+Upstream-Status: Pending
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ fsdev/virtfs-proxy-helper.c |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/fsdev/virtfs-proxy-helper.c b/fsdev/virtfs-proxy-helper.c
+--- a/fsdev/virtfs-proxy-helper.c
++++ b/fsdev/virtfs-proxy-helper.c
+@@ -12,7 +12,6 @@
+ #include <sys/resource.h>
+ #include <getopt.h>
+ #include <syslog.h>
+-#include <sys/capability.h>
+ #include <sys/fsuid.h>
+ #include <sys/vfs.h>
+ #include <sys/ioctl.h>
+@@ -26,7 +25,11 @@
+ #include "virtio-9p-marshal.h"
+ #include "hw/9pfs/virtio-9p-proxy.h"
+ #include "fsdev/virtio-9p-marshal.h"
+-
++/*
++ * Include this one last due to some versions of it being buggy:
++ * http://www.linuxtv.org/pipermail/vdr/2009-August/021194.html
++ */
++#include <sys/capability.h>
+ #define PROGNAME "virtfs-proxy-helper"
+ 
+ #ifndef XFS_SUPER_MAGIC
+-- 
+1.7.10.4
+
diff --git a/meta/recipes-devtools/qemu/qemu/larger_default_ram_size.patch b/meta/recipes-devtools/qemu/qemu/larger_default_ram_size.patch
new file mode 100644
index 0000000000..711c36071d
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/larger_default_ram_size.patch
@@ -0,0 +1,22 @@
+This patch is taken from debian. 128M is too less sometimes if distro
+with lot of packages is booted so this patch raises the default to 384M
+
+It has not been applied to upstream qemu
+
+Khem Raj <raj.khem@gmail.com>
+
+Upstream-Status: Pending
+
+Index: qemu-0.14.0/vl.c
+===================================================================
+--- qemu-0.14.0.orig/vl.c
++++ qemu-0.14.0/vl.c
+@@ -168,7 +168,7 @@ int main(int argc, char **argv)
+ //#define DEBUG_NET
+ //#define DEBUG_SLIRP
+ 
+-#define DEFAULT_RAM_SIZE 128
++#define DEFAULT_RAM_SIZE 384
+ 
+ #define MAX_VIRTIO_CONSOLES 1
+ 
diff --git a/meta/recipes-devtools/qemu/qemu/powerpc_rom.bin b/meta/recipes-devtools/qemu/qemu/powerpc_rom.bin
new file mode 100644
index 0000000000..c4044296c5
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/powerpc_rom.bin
diff --git a/meta/recipes-devtools/qemu/qemu/qemu-CVE-2015-3456.patch b/meta/recipes-devtools/qemu/qemu/qemu-CVE-2015-3456.patch
new file mode 100644
index 0000000000..f05441fce6
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/qemu-CVE-2015-3456.patch
@@ -0,0 +1,92 @@
+qemu: CVE-2015-3456
+
+the patch comes from:
+https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3456
+http://git.qemu.org/?p=qemu.git;a=commit;h=e907746266721f305d67bc0718795fedee2e824c
+
+fdc: force the fifo access to be in bounds of the allocated buffer
+
+During processing of certain commands such as FD_CMD_READ_ID and
+FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
+get out of bounds leading to memory corruption with values coming
+from the guest.
+
+Fix this by making sure that the index is always bounded by the
+allocated memory.
+
+This is CVE-2015-3456.
+
+Signed-off-by: Petr Matousek <pmatouse@redhat.com>
+Reviewed-by: John Snow <jsnow@redhat.com>
+Signed-off-by: John Snow <jsnow@redhat.com>
+Signed-off-by: Li Wang <li.wang@windriver.com>
+
+Upstream-Status: Backport
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+ hw/block/fdc.c |   17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/hw/block/fdc.c b/hw/block/fdc.c
+index 490d127..045459e 100644
+--- a/hw/block/fdc.c
++++ b/hw/block/fdc.c
+@@ -1436,7 +1436,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
+ {
+     FDrive *cur_drv;
+     uint32_t retval = 0;
+-    int pos;
++    uint32_t pos;
+ 
+     cur_drv = get_cur_drv(fdctrl);
+     fdctrl->dsr &= ~FD_DSR_PWRDOWN;
+@@ -1445,8 +1445,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
+         return 0;
+     }
+     pos = fdctrl->data_pos;
++    pos %= FD_SECTOR_LEN;
+     if (fdctrl->msr & FD_MSR_NONDMA) {
+-        pos %= FD_SECTOR_LEN;
+         if (pos == 0) {
+             if (fdctrl->data_pos != 0)
+                 if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
+@@ -1790,10 +1790,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction)
+ static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
+ {
+     FDrive *cur_drv = get_cur_drv(fdctrl);
++    uint32_t pos;
+ 
+-    if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
++    pos = fdctrl->data_pos - 1;
++    pos %= FD_SECTOR_LEN;
++    if (fdctrl->fifo[pos] & 0x80) {
+         /* Command parameters done */
+-        if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
++        if (fdctrl->fifo[pos] & 0x40) {
+             fdctrl->fifo[0] = fdctrl->fifo[1];
+             fdctrl->fifo[2] = 0;
+             fdctrl->fifo[3] = 0;
+@@ -1893,7 +1896,7 @@ static uint8_t command_to_handler[256];
+ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
+ {
+     FDrive *cur_drv;
+-    int pos;
++    uint32_t pos;
+ 
+     /* Reset mode */
+     if (!(fdctrl->dor & FD_DOR_nRESET)) {
+@@ -1941,7 +1944,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
+     }
+ 
+     FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
+-    fdctrl->fifo[fdctrl->data_pos++] = value;
++    pos = fdctrl->data_pos++;
++    pos %= FD_SECTOR_LEN;
++    fdctrl->fifo[pos] = value;
+     if (fdctrl->data_pos == fdctrl->data_len) {
+         /* We now have all parameters
+          * and will be able to treat the command
+-- 
+1.7.9.5
+
diff --git a/meta/recipes-devtools/qemu/qemu/slirp-CVE-2014-3640.patch b/meta/recipes-devtools/qemu/qemu/slirp-CVE-2014-3640.patch
new file mode 100644
index 0000000000..a7ecf31c01
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/slirp-CVE-2014-3640.patch
@@ -0,0 +1,48 @@
+From 9a72433843d912a45046959b1953861211d1838d Mon Sep 17 00:00:00 2001
+From: Petr Matousek <pmatouse@redhat.com>
+Date: Thu, 18 Sep 2014 08:35:37 +0200
+Subject: [PATCH] slirp: udp: fix NULL pointer dereference because of
+ uninitialized socket
+
+When guest sends udp packet with source port and source addr 0,
+uninitialized socket is picked up when looking for matching and already
+created udp sockets, and later passed to sosendto() where NULL pointer
+dereference is hit during so->slirp->vnetwork_mask.s_addr access.
+
+Fix this by checking that the socket is not just a socket stub.
+
+This is CVE-2014-3640.
+
+Upstream-Status: Backport
+
+Signed-off-by: Petr Matousek <pmatouse@redhat.com>
+Reported-by: Xavier Mehrenberger <xavier.mehrenberger@airbus.com>
+Reported-by: Stephane Duverger <stephane.duverger@eads.net>
+Reviewed-by: Jan Kiszka <jan.kiszka@siemens.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
+Message-id: 20140918063537.GX9321@dhcp-25-225.brq.redhat.com
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+(cherry picked from commit 01f7cecf0037997cb0e58ec0d56bf9b5a6f7cb2a)
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ slirp/udp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/slirp/udp.c b/slirp/udp.c
+index 8cc6cb6..f77e00f 100644
+--- a/slirp/udp.c
++++ b/slirp/udp.c
+@@ -152,7 +152,7 @@ udp_input(register struct mbuf *m, int iphlen)
+         * Locate pcb for datagram.
+         */
+        so = slirp->udp_last_so;
+-       if (so->so_lport != uh->uh_sport ||
++       if (so == &slirp->udb || so->so_lport != uh->uh_sport ||
+            so->so_laddr.s_addr != ip->ip_src.s_addr) {
+                struct socket *tmp;
+ 
+-- 
+1.9.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/vnc-CVE-2014-7815.patch b/meta/recipes-devtools/qemu/qemu/vnc-CVE-2014-7815.patch
new file mode 100644
index 0000000000..10a6dacbe5
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/vnc-CVE-2014-7815.patch
@@ -0,0 +1,53 @@
+From b2f1d90530301d7915dddc8a750063757675b21a Mon Sep 17 00:00:00 2001
+From: Petr Matousek <pmatouse@redhat.com>
+Date: Mon, 27 Oct 2014 12:41:44 +0100
+Subject: [PATCH] vnc: sanitize bits_per_pixel from the client
+
+bits_per_pixel that are less than 8 could result in accessing
+non-initialized buffers later in the code due to the expectation
+that bytes_per_pixel value that is used to initialize these buffers is
+never zero.
+
+To fix this check that bits_per_pixel from the client is one of the
+values that the rfb protocol specification allows.
+
+This is CVE-2014-7815.
+
+Upstream-Status: Backport
+
+Signed-off-by: Petr Matousek <pmatouse@redhat.com>
+
+[ kraxel: apply codestyle fix ]
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit e6908bfe8e07f2b452e78e677da1b45b1c0f6829)
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ ui/vnc.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/ui/vnc.c b/ui/vnc.c
+index f8d9b7d..87e34ae 100644
+--- a/ui/vnc.c
++++ b/ui/vnc.c
+@@ -2026,6 +2026,16 @@ static void set_pixel_format(VncState *vs,
+         return;
+     }
+ 
++    switch (bits_per_pixel) {
++    case 8:
++    case 16:
++    case 32:
++        break;
++    default:
++        vnc_client_error(vs);
++        return;
++    }
++
+     vs->client_pf.rmax = red_max;
+     vs->client_pf.rbits = hweight_long(red_max);
+     vs->client_pf.rshift = red_shift;
+-- 
+1.9.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/wacom.patch b/meta/recipes-devtools/qemu/qemu/wacom.patch
new file mode 100644
index 0000000000..fd1b4a6963
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/wacom.patch
@@ -0,0 +1,130 @@
+The USB wacom device is missing a HID descriptor which causes it
+to fail to operate with recent kernels (e.g. 3.17).
+
+This patch adds a HID desriptor to the device, based upon one from
+real wcom device.
+
+Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
+
+Upstream-Status: Submitted
+2014/11/27
+
+Index: qemu-2.1.0/hw/usb/dev-wacom.c
+===================================================================
+--- qemu-2.1.0.orig/hw/usb/dev-wacom.c  2014-08-01 15:12:17.000000000 +0100
++++ qemu-2.1.0/hw/usb/dev-wacom.c       2014-10-12 12:13:30.540306042 +0100
+@@ -68,6 +68,89 @@
+     [STR_SERIALNUMBER]     = "1",
+ };
+
++static const uint8_t qemu_tablet_hid_report_descriptor[] = {
++    0x05, 0x01,                /* Usage Page (Generic Desktop) */
++    0x09, 0x02,                /* Usage (Mouse) */
++    0xa1, 0x01,                /* Collection (Application) */
++    0x85, 0x01,                /*   Report ID (1) */
++    0x09, 0x01,                /*   Usage (Pointer) */
++    0xa1, 0x00,                /*   Collection (Physical) */
++    0x05, 0x09,                /*     Usage Page (Button) */
++    0x19, 0x01,                /*     Usage Minimum (1) */
++    0x29, 0x05,                /*     Usage Maximum (5) */
++    0x15, 0x00,                /*     Logical Minimum (0) */
++    0x25, 0x01,                /*     Logical Maximum (1) */
++    0x95, 0x05,                /*     Report Count (5) */
++    0x75, 0x01,                /*     Report Size (1) */
++    0x81, 0x02,                /*     Input (Data, Variable, Absolute) */
++    0x95, 0x01,                /*     Report Count (1) */
++    0x75, 0x03,                /*     Report Size (3) */
++    0x81, 0x01,                /*     Input (Constant) */
++    0x05, 0x01,                /*     Usage Page (Generic Desktop) */
++    0x09, 0x30,                /*     Usage (X) */
++    0x09, 0x31,                /*     Usage (Y) */
++    0x15, 0x81,                /*     Logical Minimum (-127) */
++    0x25, 0x7f,                /*     Logical Maximum (127) */
++    0x75, 0x08,                /*     Report Size (8) */
++    0x95, 0x02,                /*     Report Count (2) */
++    0x81, 0x06,                /*     Input (Data, Variable, Relative) */
++    0xc0,              /*   End Collection */
++    0xc0,              /* End Collection */
++    0x05, 0x0d,                /* Usage Page (Digitizer) */
++    0x09, 0x01,                /* Usage (Digitizer) */
++    0xa1, 0x01,                /* Collection (Application) */
++    0x85, 0x02,                /*   Report ID (2) */
++    0xa1, 0x00,                /*   Collection (Physical) */
++    0x06, 0x00, 0xff,   /*   Usage Page (Vendor 0xff00) */
++    0x09, 0x01,        /*   Usage (Digitizer) */
++    0x15, 0x00,        /*     Logical Minimum (0) */
++    0x26, 0xff, 0x00,  /*     Logical Maximum (255) */
++    0x75, 0x08,                /*     Report Size (8) */
++    0x95, 0x08,                /*     Report Count (8) */
++    0x81, 0x02,                /*     Input (Data, Variable, Absolute) */
++    0xc0,              /*   End Collection */
++    0x09, 0x01,                /*   Usage (Digitizer) */
++    0x85, 0x02,        /*   Report ID (2) */
++    0x95, 0x01,                /*   Report Count (1) */
++    0xb1, 0x02,                /*   FEATURE (2) */
++    0xc0,              /* End Collection */
++    0x06, 0x00, 0xff,  /* Usage Page (Vendor 0xff00) */
++    0x09, 0x01,                /* Usage (Digitizer) */
++    0xa1, 0x01,                /* Collection (Application) */
++    0x85, 0x02,        /*   Report ID (2) */
++    0x05, 0x0d,                /*   Usage Page (Digitizer)  */
++    0x09, 0x22,        /*   Usage (Finger) */
++    0xa1, 0x00,        /*   Collection (Physical) */
++    0x06, 0x00, 0xff,  /*   Usage Page (Vendor 0xff00) */
++    0x09, 0x01,                /*     Usage (Digitizer) */
++    0x15, 0x00,        /*     Logical Minimum (0) */
++    0x26, 0xff, 0x00,          /*     Logical Maximum */
++    0x75, 0x08,                /*     Report Size (8) */
++    0x95, 0x02,                /*     Report Count (2) */
++    0x81, 0x02,        /*     Input (Data, Variable, Absolute) */
++    0x05, 0x01,                /*     Usage Page (Generic Desktop) */
++    0x09, 0x30,                /*     Usage (X) */
++    0x35, 0x00,        /*     Physical Minimum */
++    0x46, 0xe0, 0x2e,  /*     Physical Maximum */
++    0x26, 0xe0, 0x01,   /*     Logical Maximum */
++    0x75, 0x10,                /*     Report Size (16) */
++    0x95, 0x01,                /*     Report Count (1) */
++    0x81, 0x02,                /*     Input (Data, Variable, Absolute) */
++    0x09, 0x31,                /*     Usage (Y) */
++    0x46, 0x40, 0x1f,  /*     Physical Maximum */
++    0x26, 0x40, 0x01,  /*     Logical Maximum */
++    0x81, 0x02,        /*     Input (Data, Variable, Absolute) */
++    0x06, 0x00, 0xff,  /*     Usage Page (Vendor 0xff00) */
++    0x09, 0x01,        /*     Usage (Digitizer) */
++    0x26, 0xff, 0x00,          /*     Logical Maximum */
++    0x75, 0x08,                /*     Report Size (8) */
++    0x95, 0x0d,                /*     Report Count (13) */
++    0x81, 0x02,                /*     Input (Data, Variable, Absolute) */
++    0xc0,              /*   End Collection */
++    0xc0,              /* End Collection */
++};
++
++
+ static const USBDescIface desc_iface_wacom = {
+     .bInterfaceNumber              = 0,
+     .bNumEndpoints                 = 1,
+@@ -85,7 +168,7 @@
+                 0x00,          /*  u8  country_code */
+                 0x01,          /*  u8  num_descriptors */
+                 0x22,          /*  u8  type: Report */
+-                0x6e, 0,       /*  u16 len */
++                sizeof(qemu_tablet_hid_report_descriptor), 0, /*  u16 len */
+             },
+         },
+     },
+@@ -265,6 +350,15 @@
+     }
+
+     switch (request) {
++    case InterfaceRequest | USB_REQ_GET_DESCRIPTOR:
++        switch (value >> 8) {
++        case 0x22:
++                memcpy(data, qemu_tablet_hid_report_descriptor,
++                       sizeof(qemu_tablet_hid_report_descriptor));
++                p->actual_length = sizeof(qemu_tablet_hid_report_descriptor);
++            break;
++        }
++        break;
+     case WACOM_SET_REPORT:
+         if (s->mouse_grabbed) {
+             qemu_remove_mouse_event_handler(s->eh_entry);
diff --git a/meta/recipes-devtools/qemu/qemu_2.1.0.bb b/meta/recipes-devtools/qemu/qemu_2.1.0.bb
new file mode 100644
index 0000000000..92a89d699c
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu_2.1.0.bb
@@ -0,0 +1,32 @@
+require qemu.inc
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=441c28d2cf86e15a37fa47e15a72fbac \
+                    file://COPYING.LIB;endline=24;md5=c04def7ae38850e7d3ef548588159913"
+
+SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
+            file://qemu-enlarge-env-entry-size.patch \
+            file://Qemu-Arm-versatilepb-Add-memory-size-checking.patch \
+            file://0001-Back-porting-security-fix-CVE-2014-5388.patch \
+            file://qemu-CVE-2015-3456.patch \
+            file://CVE-2014-7840.patch \
+            file://vnc-CVE-2014-7815.patch \
+            file://slirp-CVE-2014-3640.patch \
+            "
+SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"
+SRC_URI[md5sum] = "6726977292b448cbc7f89998fac6983b"
+SRC_URI[sha256sum] = "397e23184f4bf613589a8fe0c6542461dc2afdf17ed337e97e6fd2f31e8f8802"
+
+COMPATIBLE_HOST_class-target_mips64 = "null"
+
+do_sanitize_sources() {
+    # These .git files point to a nonexistent path "../.git/modules" and will confuse git
+    # if it tries to recurse into those directories.
+    rm -f ${S}/dtc/.git ${S}/pixman/.git
+}
+
+addtask sanitize_sources after do_unpack before do_patch
+
+do_install_append() {
+    # Prevent QA warnings about installed ${localstatedir}/run
+    if [ -d ${D}${localstatedir}/run ]; then rmdir ${D}${localstatedir}/run; fi
+}
diff --git a/meta/recipes-devtools/qemu/qemu_git.bb b/meta/recipes-devtools/qemu/qemu_git.bb
new file mode 100644
index 0000000000..a30932a8ba
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu_git.bb
@@ -0,0 +1,15 @@
+require qemu.inc
+
+SRCREV = "04024dea2674861fcf13582a77b58130c67fccd8"
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=441c28d2cf86e15a37fa47e15a72fbac \
+                    file://COPYING.LIB;endline=24;md5=c04def7ae38850e7d3ef548588159913"
+
+PV = "1.3.0+git${SRCPV}"
+
+SRC_URI_prepend = "git://git.qemu.org/qemu.git"
+S = "${WORKDIR}/git"
+
+DEFAULT_PREFERENCE = "-1"
+
+COMPATIBLE_HOST_class-target_mips64 = "null"
diff --git a/meta/recipes-devtools/qemu/qemuwrapper-cross_1.0.bb b/meta/recipes-devtools/qemu/qemuwrapper-cross_1.0.bb
new file mode 100644
index 0000000000..d2981b5575
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemuwrapper-cross_1.0.bb
@@ -0,0 +1,48 @@
+SUMMARY = "QEMU wrapper script"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+inherit qemu
+
+do_install () {
+        install -d ${D}${bindir_crossscripts}/
+
+        echo "#!/bin/sh" > ${D}${bindir_crossscripts}/qemuwrapper
+        qemu_binary=${@qemu_target_binary(d)}
+        qemu_options='${@d.getVar("QEMU_OPTIONS_%s" % d.getVar('PACKAGE_ARCH', True), True) or d.getVar('QEMU_OPTIONS', True) or ""}'
+        echo "$qemu_binary $qemu_options \"\$@\"" >> ${D}${bindir_crossscripts}/qemuwrapper
+        fallback_qemu_bin=
+        case $qemu_binary in
+                "qemu-i386")
+                        fallback_qemu_bin=qemu-x86_64
+                        ;;
+                "qemu-x86_64")
+                        fallback_qemu_bin=qemu-i386
+                        ;;
+                *)
+                        ;;
+        esac
+
+        if [ -n "$fallback_qemu_bin" ]; then
+
+                cat >> ${D}${bindir_crossscripts}/qemuwrapper << EOF
+rc=\$?
+if [ \$rc = 255 ]; then
+        $fallback_qemu_bin "\$@"
+        rc=\$?
+fi
+exit \$rc
+EOF
+
+        fi
+
+        chmod +x ${D}${bindir_crossscripts}/qemuwrapper
+}
+
+SYSROOT_PREPROCESS_FUNCS += "qemuwrapper_sysroot_preprocess"
+
+qemuwrapper_sysroot_preprocess () {
+        sysroot_stage_dir ${D}${bindir_crossscripts} ${SYSROOT_DESTDIR}${bindir_crossscripts}
+}
+
+INHIBIT_DEFAULT_DEPS = "1"