authorMarek Vasut <marex@denx.de>2016-05-20 07:03:29 -0700
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-05-22 16:11:13 +0100
commitff35bfa2420f30cb79995fb4808175b447967c07 (patch)
treee289ffba6298139e924dfaef5683b768bc9f1d30 /meta/recipes-devtools/qemu
parentbc155f88cf3e5bd390477764f910efe8d0a138e7 (diff)
qemu: Upgrade to 2.6.0
(From OE-Core rev: 6c18103e43fd593724f4317a1453a72b0feb6989) Signed-off-by: Marek Vasut <marex@denx.de> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/qemu')
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2016-2198.patch45
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2016-2858.patch183
-rw-r--r--meta/recipes-devtools/qemu/qemu/disable-grabs.patch4
-rw-r--r--meta/recipes-devtools/qemu/qemu/fix-libcap-header-issue-on-some-distro.patch6
-rw-r--r--meta/recipes-devtools/qemu/qemu/rng_move_request_from_RngEgd_to_RngBackend.patch138
-rw-r--r--meta/recipes-devtools/qemu/qemu/rng_move_request_queue_cleanup_from_RngEgd_to_RngBackend.patch150
-rw-r--r--meta/recipes-devtools/qemu/qemu/rng_remove_the_unused_request_cancellation_code.patch101
-rw-r--r--meta/recipes-devtools/qemu/qemu_2.6.0.bb (renamed from meta/recipes-devtools/qemu/qemu_2.5.1.1.bb)9
8 files changed, 7 insertions, 629 deletions
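--- a/meta/recipes-devtools/qemu/qemu/CVE-2016-2198.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From: Prasad J Pandit <address@hidden>
-
-USB Ehci emulation supports host controller capability registers.
-But its mmio '.write' function was missing, which lead to a null
-pointer dereference issue. Add a do nothing 'ehci_caps_write'
-definition to avoid it; Do nothing because capability registers
-are Read Only(RO).
-
-Reported-by: Zuozhi Fzz <address@hidden>
-Signed-off-by: Prasad J Pandit <address@hidden>
-
-Upstream-Status: Backport
-https://lists.gnu.org/archive/html/qemu-devel/2016-01/msg05899.html
-
-CVE: CVE-2016-2198
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
----
- hw/usb/hcd-ehci.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-Index: qemu-2.5.0/hw/usb/hcd-ehci.c
-===================================================================
---- qemu-2.5.0.orig/hw/usb/hcd-ehci.c
-+++ qemu-2.5.0/hw/usb/hcd-ehci.c
-@@ -893,6 +893,11 @@ static uint64_t ehci_caps_read(void *ptr
- return s->caps[addr];
- }
-
-+static void ehci_caps_write(void *ptr, hwaddr addr,
-+ uint64_t val, unsigned size)
-+{
-+}
-+
- static uint64_t ehci_opreg_read(void *ptr, hwaddr addr,
- unsigned size)
- {
-@@ -2310,6 +2315,7 @@ static void ehci_frame_timer(void *opaqu
-
- static const MemoryRegionOps ehci_mmio_caps_ops = {
- .read = ehci_caps_read,
-+ .write = ehci_caps_write,
- .valid.min_access_size = 1,
- .valid.max_access_size = 4,
- .impl.min_access_size = 1,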
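--- a/meta/recipes-devtools/qemu/qemu/CVE-2016-2858.patch
+++ /dev/null
@@ -1,183 +0,0 @@
-From 60253ed1e6ec6d8e5ef2efe7bf755f475dce9956 Mon Sep 17 00:00:00 2001
-From: Ladi Prosek <lprosek@redhat.com>
-Date: Thu, 3 Mar 2016 09:37:18 +0100
-Subject: [PATCH] rng: add request queue support to rng-random
-
-Requests are now created in the RngBackend parent class and the
-code path is shared by both rng-egd and rng-random.
-
-This commit fixes the rng-random implementation which processed
-only one request at a time and simply discarded all but the most
-recent one. In the guest this manifested as delayed completion
-of reads from virtio-rng, i.e. a read was completed only after
-another read was issued.
-
-By switching rng-random to use the same request queue as rng-egd,
-the unsafe stack-based allocation of the entropy buffer is
-eliminated and replaced with g_malloc.
-
-Signed-off-by: Ladi Prosek <lprosek@redhat.com>
-Reviewed-by: Amit Shah <amit.shah@redhat.com>
-Message-Id: <1456994238-9585-5-git-send-email-lprosek@redhat.com>
-Signed-off-by: Amit Shah <amit.shah@redhat.com>
-
-Upstream-Status: Backport
-CVE: CVE-2016-2858
-
-http://git.qemu.org/?p=qemu.git;a=commit;h=60253ed1e6ec6d8e5ef2efe7bf755f475
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
----
- backends/rng-egd.c | 16 ++--------------
- backends/rng-random.c | 43 +++++++++++++++++++------------------------
- backends/rng.c | 13 ++++++++++++-
- include/sysemu/rng.h | 3 +--
- 4 files changed, 34 insertions(+), 41 deletions(-)
-
-Index: qemu-2.5.0/backends/rng-egd.c
-===================================================================
---- qemu-2.5.0.orig/backends/rng-egd.c
-+++ qemu-2.5.0/backends/rng-egd.c
-@@ -26,20 +26,10 @@ typedef struct RngEgd
- char *chr_name;
- } RngEgd;
-
--static void rng_egd_request_entropy(RngBackend *b, size_t size,
-- EntropyReceiveFunc *receive_entropy,
-- void *opaque)
-+static void rng_egd_request_entropy(RngBackend *b, RngRequest *req)
- {
- RngEgd *s = RNG_EGD(b);
-- RngRequest *req;
--
-- req = g_malloc(sizeof(*req));
--
-- req->offset = 0;
-- req->size = size;
-- req->receive_entropy = receive_entropy;
-- req->opaque = opaque;
-- req->data = g_malloc(req->size);
-+ size_t size = req->size;
-
- while (size > 0) {
- uint8_t header[2];
-@@ -53,8 +43,6 @@ static void rng_egd_request_entropy(RngB
-
- size -= len;
- }
--
-- s->parent.requests = g_slist_append(s->parent.requests, req);
- }
-
- static int rng_egd_chr_can_read(void *opaque)
-Index: qemu-2.5.0/backends/rng-random.c
-===================================================================
---- qemu-2.5.0.orig/backends/rng-random.c
-+++ qemu-2.5.0/backends/rng-random.c
-@@ -21,10 +21,6 @@ struct RndRandom
-
- int fd;
- char *filename;
--
-- EntropyReceiveFunc *receive_func;
-- void *opaque;
-- size_t size;
- };
-
- /**
-@@ -37,36 +33,35 @@ struct RndRandom
- static void entropy_available(void *opaque)
- {
- RndRandom *s = RNG_RANDOM(opaque);
-- uint8_t buffer[s->size];
-- ssize_t len;
-
-- len = read(s->fd, buffer, s->size);
-- if (len < 0 && errno == EAGAIN) {
-- return;
-- }
-- g_assert(len != -1);
-+ while (s->parent.requests != NULL) {
-+ RngRequest *req = s->parent.requests->data;
-+ ssize_t len;
-+
-+ len = read(s->fd, req->data, req->size);
-+ if (len < 0 && errno == EAGAIN) {
-+ return;
-+ }
-+ g_assert(len != -1);
-+
-+ req->receive_entropy(req->opaque, req->data, len);
-
-- s->receive_func(s->opaque, buffer, len);
-- s->receive_func = NULL;
-+ rng_backend_finalize_request(&s->parent, req);
-+ }
-
-+ /* We've drained all requests, the fd handler can be reset. */
- qemu_set_fd_handler(s->fd, NULL, NULL, NULL);
- }
-
--static void rng_random_request_entropy(RngBackend *b, size_t size,
-- EntropyReceiveFunc *receive_entropy,
-- void *opaque)
-+static void rng_random_request_entropy(RngBackend *b, RngRequest *req)
- {
- RndRandom *s = RNG_RANDOM(b);
-
-- if (s->receive_func) {
-- s->receive_func(s->opaque, NULL, 0);
-+ if (s->parent.requests == NULL) {
-+ /* If there are no pending requests yet, we need to
-+ * install our fd handler. */
-+ qemu_set_fd_handler(s->fd, entropy_available, NULL, s);
- }
--
-- s->receive_func = receive_entropy;
-- s->opaque = opaque;
-- s->size = size;
--
-- qemu_set_fd_handler(s->fd, entropy_available, NULL, s);
- }
-
- static void rng_random_opened(RngBackend *b, Error **errp)
-Index: qemu-2.5.0/backends/rng.c
-===================================================================
---- qemu-2.5.0.orig/backends/rng.c
-+++ qemu-2.5.0/backends/rng.c
-@@ -19,9 +19,20 @@ void rng_backend_request_entropy(RngBack
- void *opaque)
- {
- RngBackendClass *k = RNG_BACKEND_GET_CLASS(s);
-+ RngRequest *req;
-
- if (k->request_entropy) {
-- k->request_entropy(s, size, receive_entropy, opaque);
-+ req = g_malloc(sizeof(*req));
-+
-+ req->offset = 0;
-+ req->size = size;
-+ req->receive_entropy = receive_entropy;
-+ req->opaque = opaque;
-+ req->data = g_malloc(req->size);
-+
-+ k->request_entropy(s, req);
-+
-+ s->requests = g_slist_append(s->requests, req);
- }
- }
-
-Index: qemu-2.5.0/include/sysemu/rng.h
-===================================================================
---- qemu-2.5.0.orig/include/sysemu/rng.h
-+++ qemu-2.5.0/include/sysemu/rng.h
-@@ -46,8 +46,7 @@ struct RngBackendClass
- {
- ObjectClass parent_class;
-
-- void (*request_entropy)(RngBackend *s, size_t size,
-- EntropyReceiveFunc *receive_entropy, void *opaque);
-+ void (*request_entropy)(RngBackend *s, RngRequest *req);
-
- void (*opened)(RngBackend *s, Error **errp);
- };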
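--- a/meta/recipes-devtools/qemu/qemu/disable-grabs.patch
+++ b/meta/recipes-devtools/qemu/qemu/disable-grabs.patch
@@ -29,9 +29,9 @@ index 39a42d6..9b8abe5 100644
 --- a/ui/sdl.c
 +++ b/ui/sdl.c
 @@ -59,6 +59,10 @@ static SDL_Cursor *guest_sprite = NULL;
- static SDL_PixelFormat host_format;
  static int scaling_active = 0;
  static Notifier mouse_mode_notifier;
+ static int idle_counter;
 +#ifndef True
 +#define True 1
 +#endif
@@ -40,7 +40,7 @@ index 39a42d6..9b8abe5 100644
  static void sdl_update(DisplayChangeListener *dcl,
  int x, int y, int w, int h)
 @@ -384,14 +388,16 @@ static void sdl_grab_start(void)
- SDL_WarpMouse(guest_x, guest_y);
+ }
  } else
  sdl_hide_cursor();
 - SDL_WM_GrabInput(SDL_GRAB_ON);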
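--- a/meta/recipes-devtools/qemu/qemu/fix-libcap-header-issue-on-some-distro.patch
+++ b/meta/recipes-devtools/qemu/qemu/fix-libcap-header-issue-on-some-distro.patch
@@ -67,9 +67,9 @@ diff --git a/fsdev/virtfs-proxy-helper.c b/fsdev/virtfs-proxy-helper.c
  #include <sys/vfs.h>
  #include <sys/ioctl.h>
 @@ -26,7 +25,11 @@
- #include "virtio-9p-marshal.h"
- #include "hw/9pfs/virtio-9p-proxy.h"
- #include "fsdev/virtio-9p-marshal.h"
+ #include "9p-iov-marshal.h"
+ #include "hw/9pfs/9p-proxy.h"
+ #include "fsdev/9p-iov-marshal.h"
 -
 +/*
 + * Include this one last due to some versions of it being buggy: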
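--- a/meta/recipes-devtools/qemu/qemu/rng_move_request_from_RngEgd_to_RngBackend.patch
+++ /dev/null
@@ -1,138 +0,0 @@
-From 74074e8a7c60592cf1cc6469dbc2550d24aeded3 Mon Sep 17 00:00:00 2001
-From: Ladi Prosek <lprosek@redhat.com>
-Date: Thu, 3 Mar 2016 09:37:16 +0100
-Subject: [PATCH] rng: move request queue from RngEgd to RngBackend
-
-The 'requests' field now lives in the RngBackend parent class.
-There are no functional changes in this commit.
-
-Signed-off-by: Ladi Prosek <lprosek@redhat.com>
-Reviewed-by: Amit Shah <amit.shah@redhat.com>
-Message-Id: <1456994238-9585-3-git-send-email-lprosek@redhat.com>
-Signed-off-by: Amit Shah <amit.shah@redhat.com>
-
-Upstream-Status: Backport
-in support of CVE-2016-2858
-
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
----
- backends/rng-egd.c | 28 +++++++++-------------------
- include/sysemu/rng.h | 11 +++++++++++
- 2 files changed, 20 insertions(+), 19 deletions(-)
-
-Index: qemu-2.5.0/backends/rng-egd.c
-===================================================================
---- qemu-2.5.0.orig/backends/rng-egd.c
-+++ qemu-2.5.0/backends/rng-egd.c
-@@ -24,19 +24,8 @@ typedef struct RngEgd
-
- CharDriverState *chr;
- char *chr_name;
--
-- GSList *requests;
- } RngEgd;
-
--typedef struct RngRequest
--{
-- EntropyReceiveFunc *receive_entropy;
-- uint8_t *data;
-- void *opaque;
-- size_t offset;
-- size_t size;
--} RngRequest;
--
- static void rng_egd_request_entropy(RngBackend *b, size_t size,
- EntropyReceiveFunc *receive_entropy,
- void *opaque)
-@@ -65,7 +54,7 @@ static void rng_egd_request_entropy(RngB
- size -= len;
- }
-
-- s->requests = g_slist_append(s->requests, req);
-+ s->parent.requests = g_slist_append(s->parent.requests, req);
- }
-
- static void rng_egd_free_request(RngRequest *req)
-@@ -80,7 +69,7 @@ static int rng_egd_chr_can_read(void *op
- GSList *i;
- int size = 0;
-
-- for (i = s->requests; i; i = i->next) {
-+ for (i = s->parent.requests; i; i = i->next) {
- RngRequest *req = i->data;
- size += req->size - req->offset;
- }
-@@ -93,8 +82,8 @@ static void rng_egd_chr_read(void *opaqu
- RngEgd *s = RNG_EGD(opaque);
- size_t buf_offset = 0;
-
-- while (size > 0 && s->requests) {
-- RngRequest *req = s->requests->data;
-+ while (size > 0 && s->parent.requests) {
-+ RngRequest *req = s->parent.requests->data;
- int len = MIN(size, req->size - req->offset);
-
- memcpy(req->data + req->offset, buf + buf_offset, len);
-@@ -103,7 +92,8 @@ static void rng_egd_chr_read(void *opaqu
- size -= len;
-
- if (req->offset == req->size) {
-- s->requests = g_slist_remove_link(s->requests, s->requests);
-+ s->parent.requests = g_slist_remove_link(s->parent.requests,
-+ s->parent.requests);
-
- req->receive_entropy(req->opaque, req->data, req->size);
-
-@@ -116,12 +106,12 @@ static void rng_egd_free_requests(RngEgd
- {
- GSList *i;
-
-- for (i = s->requests; i; i = i->next) {
-+ for (i = s->parent.requests; i; i = i->next) {
- rng_egd_free_request(i->data);
- }
-
-- g_slist_free(s->requests);
-- s->requests = NULL;
-+ g_slist_free(s->parent.requests);
-+ s->parent.requests = NULL;
- }
-
- static void rng_egd_cancel_requests(RngBackend *b)
-Index: qemu-2.5.0/include/sysemu/rng.h
-===================================================================
---- qemu-2.5.0.orig/include/sysemu/rng.h
-+++ qemu-2.5.0/include/sysemu/rng.h
-@@ -25,6 +25,7 @@
- #define RNG_BACKEND_CLASS(klass) \
- OBJECT_CLASS_CHECK(RngBackendClass, (klass), TYPE_RNG_BACKEND)
-
-+typedef struct RngRequest RngRequest;
- typedef struct RngBackendClass RngBackendClass;
- typedef struct RngBackend RngBackend;
-
-@@ -32,6 +33,15 @@ typedef void (EntropyReceiveFunc)(void *
- const void *data,
- size_t size);
-
-+struct RngRequest
-+{
-+ EntropyReceiveFunc *receive_entropy;
-+ uint8_t *data;
-+ void *opaque;
-+ size_t offset;
-+ size_t size;
-+};
-+
- struct RngBackendClass
- {
- ObjectClass parent_class;
-@@ -49,6 +59,7 @@ struct RngBackend
-
- /*< protected >*/
- bool opened;
-+ GSList *requests;
- };
-
- /**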
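--- a/meta/recipes-devtools/qemu/qemu/rng_move_request_queue_cleanup_from_RngEgd_to_RngBackend.patch
+++ /dev/null
@@ -1,150 +0,0 @@
-From 9f14b0add1dcdbfa2ee61051d068211fb0a1fcc9 Mon Sep 17 00:00:00 2001
-From: Ladi Prosek <lprosek@redhat.com>
-Date: Thu, 3 Mar 2016 09:37:17 +0100
-Subject: [PATCH] rng: move request queue cleanup from RngEgd to RngBackend
-
-RngBackend is now in charge of cleaning up the linked list on
-instance finalization. It also exposes a function to finalize
-individual RngRequest instances, called by its child classes.
-
-Signed-off-by: Ladi Prosek <lprosek@redhat.com>
-Reviewed-by: Amit Shah <amit.shah@redhat.com>
-Message-Id: <1456994238-9585-4-git-send-email-lprosek@redhat.com>
-Signed-off-by: Amit Shah <amit.shah@redhat.com>
-
-Upstream-Status: Backport
-in support of CVE-2016-2858
-
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
----
- backends/rng-egd.c | 25 +------------------------
- backends/rng.c | 32 ++++++++++++++++++++++++++++++++
- include/sysemu/rng.h | 12 ++++++++++++
- 3 files changed, 45 insertions(+), 24 deletions(-)
-
-Index: qemu-2.5.0/backends/rng-egd.c
-===================================================================
---- qemu-2.5.0.orig/backends/rng-egd.c
-+++ qemu-2.5.0/backends/rng-egd.c
-@@ -57,12 +57,6 @@ static void rng_egd_request_entropy(RngB
- s->parent.requests = g_slist_append(s->parent.requests, req);
- }
-
--static void rng_egd_free_request(RngRequest *req)
--{
-- g_free(req->data);
-- g_free(req);
--}
--
- static int rng_egd_chr_can_read(void *opaque)
- {
- RngEgd *s = RNG_EGD(opaque);
-@@ -92,28 +86,13 @@ static void rng_egd_chr_read(void *opaqu
- size -= len;
-
- if (req->offset == req->size) {
-- s->parent.requests = g_slist_remove_link(s->parent.requests,
-- s->parent.requests);
-
- req->receive_entropy(req->opaque, req->data, req->size);
--
-- rng_egd_free_request(req);
-+ rng_backend_finalize_request(&s->parent, req);
- }
- }
- }
-
--static void rng_egd_free_requests(RngEgd *s)
--{
-- GSList *i;
--
-- for (i = s->parent.requests; i; i = i->next) {
-- rng_egd_free_request(i->data);
-- }
--
-- g_slist_free(s->parent.requests);
-- s->parent.requests = NULL;
--}
--
- static void rng_egd_opened(RngBackend *b, Error **errp)
- {
- RngEgd *s = RNG_EGD(b);
-@@ -182,8 +161,6 @@ static void rng_egd_finalize(Object *obj
- }
-
- g_free(s->chr_name);
--
-- rng_egd_free_requests(s);
- }
-
- static void rng_egd_class_init(ObjectClass *klass, void *data)
-Index: qemu-2.5.0/backends/rng.c
-===================================================================
---- qemu-2.5.0.orig/backends/rng.c
-+++ qemu-2.5.0/backends/rng.c
-@@ -63,6 +63,30 @@ static void rng_backend_prop_set_opened(
- s->opened = true;
- }
-
-+static void rng_backend_free_request(RngRequest *req)
-+{
-+ g_free(req->data);
-+ g_free(req);
-+}
-+
-+static void rng_backend_free_requests(RngBackend *s)
-+{
-+ GSList *i;
-+
-+ for (i = s->requests; i; i = i->next) {
-+ rng_backend_free_request(i->data);
-+ }
-+
-+ g_slist_free(s->requests);
-+ s->requests = NULL;
-+}
-+
-+void rng_backend_finalize_request(RngBackend *s, RngRequest *req)
-+{
-+ s->requests = g_slist_remove(s->requests, req);
-+ rng_backend_free_request(req);
-+}
-+
- static void rng_backend_init(Object *obj)
- {
- object_property_add_bool(obj, "opened",
-@@ -71,6 +95,13 @@ static void rng_backend_init(Object *obj
- NULL);
- }
-
-+static void rng_backend_finalize(Object *obj)
-+{
-+ RngBackend *s = RNG_BACKEND(obj);
-+
-+ rng_backend_free_requests(s);
-+}
-+
- static void rng_backend_class_init(ObjectClass *oc, void *data)
- {
- UserCreatableClass *ucc = USER_CREATABLE_CLASS(oc);
-@@ -83,6 +114,7 @@ static const TypeInfo rng_backend_info =
- .parent = TYPE_OBJECT,
- .instance_size = sizeof(RngBackend),
- .instance_init = rng_backend_init,
-+ .instance_finalize = rng_backend_finalize,
- .class_size = sizeof(RngBackendClass),
- .class_init = rng_backend_class_init,
- .abstract = true,
-Index: qemu-2.5.0/include/sysemu/rng.h
-===================================================================
---- qemu-2.5.0.orig/include/sysemu/rng.h
-+++ qemu-2.5.0/include/sysemu/rng.h
-@@ -61,6 +61,7 @@ struct RngBackend
- GSList *requests;
- };
-
-+
- /**
- * rng_backend_request_entropy:
- * @s: the backend to request entropy from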
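--- a/meta/recipes-devtools/qemu/qemu/rng_remove_the_unused_request_cancellation_code.patch
+++ /dev/null
@@ -1,101 +0,0 @@
-From 3c52ddcdc548e7fbe65112d8a7bdc9cd105b4750 Mon Sep 17 00:00:00 2001
-From: Ladi Prosek <lprosek@redhat.com>
-Date: Thu, 3 Mar 2016 09:37:15 +0100
-Subject: [PATCH] rng: remove the unused request cancellation code
-
-rng_backend_cancel_requests had no callers and none of the code
-deleted in this commit ever ran.
-
-Signed-off-by: Ladi Prosek <lprosek@redhat.com>
-Reviewed-by: Amit Shah <amit.shah@redhat.com>
-Message-Id: <1456994238-9585-2-git-send-email-lprosek@redhat.com>
-Signed-off-by: Amit Shah <amit.shah@redhat.com>
-
-Upstream-Status: Backport
-in support of CVE-2016-2858
-
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
----
- backends/rng-egd.c | 12 ------------
- backends/rng.c | 9 ---------
- include/sysemu/rng.h | 11 -----------
- 3 files changed, 32 deletions(-)
-
-Index: qemu-2.5.0/backends/rng-egd.c
-===================================================================
---- qemu-2.5.0.orig/backends/rng-egd.c
-+++ qemu-2.5.0/backends/rng-egd.c
-@@ -114,17 +114,6 @@ static void rng_egd_free_requests(RngEgd
- s->parent.requests = NULL;
- }
-
--static void rng_egd_cancel_requests(RngBackend *b)
--{
-- RngEgd *s = RNG_EGD(b);
--
-- /* We simply delete the list of pending requests. If there is data in the
-- * queue waiting to be read, this is okay, because there will always be
-- * more data than we requested originally
-- */
-- rng_egd_free_requests(s);
--}
--
- static void rng_egd_opened(RngBackend *b, Error **errp)
- {
- RngEgd *s = RNG_EGD(b);
-@@ -202,7 +191,6 @@ static void rng_egd_class_init(ObjectCla
- RngBackendClass *rbc = RNG_BACKEND_CLASS(klass);
-
- rbc->request_entropy = rng_egd_request_entropy;
-- rbc->cancel_requests = rng_egd_cancel_requests;
- rbc->opened = rng_egd_opened;
- }
-
-Index: qemu-2.5.0/backends/rng.c
-===================================================================
---- qemu-2.5.0.orig/backends/rng.c
-+++ qemu-2.5.0/backends/rng.c
-@@ -25,15 +25,6 @@ void rng_backend_request_entropy(RngBack
- }
- }
-
--void rng_backend_cancel_requests(RngBackend *s)
--{
-- RngBackendClass *k = RNG_BACKEND_GET_CLASS(s);
--
-- if (k->cancel_requests) {
-- k->cancel_requests(s);
-- }
--}
--
- static bool rng_backend_prop_get_opened(Object *obj, Error **errp)
- {
- RngBackend *s = RNG_BACKEND(obj);
-Index: qemu-2.5.0/include/sysemu/rng.h
-===================================================================
---- qemu-2.5.0.orig/include/sysemu/rng.h
-+++ qemu-2.5.0/include/sysemu/rng.h
-@@ -48,7 +48,6 @@ struct RngBackendClass
-
- void (*request_entropy)(RngBackend *s, size_t size,
- EntropyReceiveFunc *receive_entropy, void *opaque);
-- void (*cancel_requests)(RngBackend *s);
-
- void (*opened)(RngBackend *s, Error **errp);
- };
-@@ -80,14 +79,4 @@ struct RngBackend
- void rng_backend_request_entropy(RngBackend *s, size_t size,
- EntropyReceiveFunc *receive_entropy,
- void *opaque);
--
--/**
-- * rng_backend_cancel_requests:
-- * @s: the backend to cancel all pending requests in
-- *
-- * Cancels all pending requests submitted by @rng_backend_request_entropy. This
-- * should be used by a device during reset or in preparation for live migration
-- * to stop tracking any request.
-- */
--void rng_backend_cancel_requests(RngBackend *s);
- #endif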
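--- a/meta/recipes-devtools/qemu/qemu_2.5.1.1.bb
+++ b/meta/recipes-devtools/qemu/qemu_2.6.0.bb
@@ -7,16 +7,11 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
  file://qemu-enlarge-env-entry-size.patch \
  file://Qemu-Arm-versatilepb-Add-memory-size-checking.patch \
  file://no-valgrind.patch \
- file://CVE-2016-2198.patch \
  file://pathlimit.patch \
- file://rng_move_request_from_RngEgd_to_RngBackend.patch \
- file://rng_remove_the_unused_request_cancellation_code.patch \
- file://rng_move_request_queue_cleanup_from_RngEgd_to_RngBackend.patch \
- file://CVE-2016-2858.patch \
  "
 SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"
-SRC_URI[md5sum] = "f5ff0e71398b9e428b4f177001ba4285"
-SRC_URI[sha256sum] = "28d9946e43765a44ccccca3cba5f4f9034f2759ec1f2ce16594ddb6776c8efe6"
+SRC_URI[md5sum] = "ca3f70b43f093e33e9e014f144067f13"
+SRC_URI[sha256sum] = "c9ac4a651b273233d21b8bec32e30507cb9cce7900841febc330956a1a8434ec"
 
 COMPATIBLE_HOST_class-target_mips64 = "null"
 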
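Review bot: The SRC_URI hunk drops `file://CVE-2016-2198.patch` and `file://CVE-2016-2858.patch` together with the three rng_* support backports, yet the commit message says only "Upgrade to 2.6.0" and never records that the 2.6.0 tarball carries both fixes. They were marked `Upstream-Status: Backport`, so they are presumably included, but this should be confirmed against the 2.6.0 sources (an `ehci_caps_write` handler wired into `ehci_mmio_caps_ops` in hw/usb/hcd-ehci.c, and the request-queue loop in backends/rng-random.c) and stated in the message, for example `Drop the CVE-2016-2198 and CVE-2016-2858 backports and the rng_* support patches, all included in 2.6.0.` The tarball is still fetched over plain `http://` in `SRC_URI_prepend`, so the new `SRC_URI[sha256sum]` is the only integrity check on the download. It is worth verifying that value against upstream's signed release before this is merged.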