qemu: Upgrade 7.0.0 -> 7.1.0

Drop CVE backports and backported patch for pvrdma which was also applied upstream.
Refresh cross.patch.
Drop vnc-png option removed upstream.
Update ptest path manipulations for target.
qmp now has consists of multiple files so install them all as a python module.

The upgrade contains fixes for virtio block devices which we hope will
address vda device tracebacks on the autobuilder from qemu.

(From OE-Core rev: e94d182889ca3c02df913c59f0b66b228ffe588c)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

12 files changed, 20 insertions, 528 deletions

diff --git a/meta/conf/distro/include/tcmode-default.inc b/meta/conf/distro/include/tcmode-default.inc
index 9abd121e3a..59b226e62f 100644
--- a/meta/conf/distro/include/tcmode-default.inc
+++ b/meta/conf/distro/include/tcmode-default.inc
@@ -22,7 +22,7 @@ BINUVERSION ?= "2.39%"
 GDBVERSION ?= "12.%"
 GLIBCVERSION ?= "2.36"
 LINUXLIBCVERSION ?= "5.19%"
-QEMUVERSION ?= "7.0%"
+QEMUVERSION ?= "7.1%"
 GOVERSION ?= "1.19%"
 # This can not use wildcards like 8.0.% since it is also used in mesa to denote
 # llvm version being used, so always bump it with llvm recipe version bump
diff --git a/meta/recipes-devtools/qemu/qemu-native_7.0.0.bb b/meta/recipes-devtools/qemu/qemu-native_7.1.0.bb
index a94dc0b61e..a94dc0b61e 100644
--- a/meta/recipes-devtools/qemu/qemu-native_7.0.0.bb
+++ b/meta/recipes-devtools/qemu/qemu-native_7.1.0.bb
diff --git a/meta/recipes-devtools/qemu/qemu-system-native_7.0.0.bb b/meta/recipes-devtools/qemu/qemu-system-native_7.1.0.bb
index 5ccede5095..04c7c2a6ac 100644
--- a/meta/recipes-devtools/qemu/qemu-system-native_7.0.0.bb
+++ b/meta/recipes-devtools/qemu/qemu-system-native_7.1.0.bb
@@ -28,5 +28,6 @@ do_install:append() {
     rm -rf ${D}${includedir}/qemu-plugin.h
 
     # Install qmp.py to be used with testimage
-    install -D ${S}/python/qemu/qmp/__init__.py ${D}${libdir}/qemu-python/qmp.py
+    install -d ${D}${libdir}/qemu-python/qmp/
+    install -D ${S}/python/qemu/qmp/* ${D}${libdir}/qemu-python/qmp/
 }
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 56fc7aaf55..f22de74ea4 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -26,17 +26,11 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
            file://0007-qemu-Determinism-fixes.patch \
            file://0008-tests-meson.build-use-relative-path-to-refer-to-file.patch \
            file://0009-Define-MAP_SYNC-and-MAP_SHARED_VALIDATE-on-needed-li.patch \
-           file://0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch \
-           file://qemu-7.0.0-glibc-2.36.patch \
-           file://CVE-2022-35414.patch \
-           file://CVE-2021-3507_1.patch \
-           file://CVE-2021-3507_2.patch \
-           file://CVE-2022-0216_1.patch \
-           file://CVE-2022-0216_2.patch \
            "
+BAR = "           file://0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
 
-SRC_URI[sha256sum] = "f6b375c7951f728402798b0baabb2d86478ca53d44cedbefabbe1c46bf46f839"
+SRC_URI[sha256sum] = "a0634e536bded57cf38ec8a751adb124b89c776fe0846f21ab6c6728f1cbbbe6"
 
 SRC_URI:append:class-target = " file://cross.patch"
 SRC_URI:append:class-nativesdk = " file://cross.patch"
@@ -75,8 +69,14 @@ do_install_ptest() {
         # Strip the paths from the QEMU variable, we can use PATH
         sed -i -e "s#^QEMU=.*/qemu-#QEMU=qemu-#g" ${D}${PTEST_PATH}/tests/tcg/*.mak
 
-        # Strip compiler flags as they break reproducibility
-        sed -i -e "s,CROSS_CC_GUEST=.*,CROSS_CC_GUEST=," ${D}${PTEST_PATH}/tests/tcg/*.mak
+        # Strip compiler flags as they break reproducibility
+        sed -i -e "s,^CC=.*,CC=gcc," \
+               -e "s,^CCAS=.*,CCAS=gcc," \
+               -e "s,^LD=.*,LD=ld," ${D}${PTEST_PATH}/tests/tcg/*.mak
+
+        # Update SRC_PATH variable to the right place on target
+        sed -i -e "s#^SRC_PATH=.*#SRC_PATH=${PTEST_PATH}#g" ${D}${PTEST_PATH}/tests/tcg/*.mak
+
 }
 
 # QEMU_TARGETS is overridable variable
@@ -151,7 +151,6 @@ PACKAGECONFIG[uring] = "--enable-linux-io-uring,--disable-linux-io-uring,liburin
 PACKAGECONFIG[xen] = "--enable-xen,--disable-xen,xen-tools,xen-tools-libxenstore xen-tools-libxenctrl xen-tools-libxenguest"
 PACKAGECONFIG[vnc-sasl] = "--enable-vnc --enable-vnc-sasl,--disable-vnc-sasl,cyrus-sasl,"
 PACKAGECONFIG[vnc-jpeg] = "--enable-vnc --enable-vnc-jpeg,--disable-vnc-jpeg,jpeg,"
-PACKAGECONFIG[vnc-png] = "--enable-vnc --enable-vnc-png,--disable-vnc-png,libpng,"
 PACKAGECONFIG[libcurl] = "--enable-curl,--disable-curl,curl,"
 PACKAGECONFIG[nss] = "--enable-smartcard,--disable-smartcard,nss,"
 PACKAGECONFIG[curses] = "--enable-curses,--disable-curses,ncurses,"
diff --git a/meta/recipes-devtools/qemu/qemu/0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch b/meta/recipes-devtools/qemu/qemu/0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch
deleted file mode 100644
index 826d42fc20..0000000000
--- a/meta/recipes-devtools/qemu/qemu/0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From 52c38fa9f3a790a7c2805e7d8cce3ea9262d6ae2 Mon Sep 17 00:00:00 2001
-From: Yuval Shaia <yuval.shaia.ml@gmail.com>
-Date: Tue, 12 Apr 2022 11:01:51 +0100
-Subject: [PATCH 10/12] hw/pvrdma: Protect against buggy or malicious guest
- driver
-
-Guest driver might execute HW commands when shared buffers are not yet
-allocated.
-This might happen on purpose (malicious guest) or because some other
-guest/host address mapping.
-We need to protect againts such case.
-
-Reported-by: Mauro Matteo Cascella <mcascell@redhat.com>
-Signed-off-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
-
-CVE: CVE-2022-1050
-Upstream-Status: Submitted [https://lists.nongnu.org/archive/html/qemu-devel/2022-03/msg05197.html]
-
----
- hw/rdma/vmw/pvrdma_cmd.c  | 6 ++++++
- hw/rdma/vmw/pvrdma_main.c | 3 ++-
- 2 files changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
-index da7ddfa54..89db963c4 100644
---- a/hw/rdma/vmw/pvrdma_cmd.c
-+++ b/hw/rdma/vmw/pvrdma_cmd.c
-@@ -796,6 +796,12 @@ int pvrdma_exec_cmd(PVRDMADev *dev)
- 
-     dsr_info = &dev->dsr_info;
- 
-+    if (!dsr_info->dsr) {
-+            /* Buggy or malicious guest driver */
-+            rdma_error_report("Exec command without dsr, req or rsp buffers");
-+            goto out;
-+    }
-+
-     if (dsr_info->req->hdr.cmd >= sizeof(cmd_handlers) /
-                       sizeof(struct cmd_handler)) {
-         rdma_error_report("Unsupported command");
-diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c
-index 91206dbb8..0b7d908e2 100644
---- a/hw/rdma/vmw/pvrdma_main.c
-+++ b/hw/rdma/vmw/pvrdma_main.c
-@@ -249,7 +249,8 @@ static void init_dsr_dev_caps(PVRDMADev *dev)
- {
-     struct pvrdma_device_shared_region *dsr;
- 
--    if (dev->dsr_info.dsr == NULL) {
-+    if (!dev->dsr_info.dsr) {
-+        /* Buggy or malicious guest driver */
-         rdma_error_report("Can't initialized DSR");
-         return;
-     }
--- 
-2.30.2
-
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3507_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3507_1.patch
deleted file mode 100644
index 24fd2c5ed3..0000000000
--- a/meta/recipes-devtools/qemu/qemu/CVE-2021-3507_1.patch
+++ /dev/null
@@ -1,92 +0,0 @@
-From 57a89cc36ead7234e540d0ecbe1a792ab6b04cb7 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
-Date: Thu, 18 Nov 2021 12:57:32 +0100
-Subject: [PATCH 1/2] hw/block/fdc: Prevent end-of-track overrun
- (CVE-2021-3507)
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Per the 82078 datasheet, if the end-of-track (EOT byte in
-the FIFO) is more than the number of sectors per side, the
-command is terminated unsuccessfully:
-
-* 5.2.5 DATA TRANSFER TERMINATION
-
-  The 82078 supports terminal count explicitly through
-  the TC pin and implicitly through the underrun/over-
-  run and end-of-track (EOT) functions. For full sector
-  transfers, the EOT parameter can define the last
-  sector to be transferred in a single or multisector
-  transfer. If the last sector to be transferred is a par-
-  tial sector, the host can stop transferring the data in
-  mid-sector, and the 82078 will continue to complete
-  the sector as if a hardware TC was received. The
-  only difference between these implicit functions and
-  TC is that they return "abnormal termination" result
-  status. Such status indications can be ignored if they
-  were expected.
-
-* 6.1.3 READ TRACK
-
-  This command terminates when the EOT specified
-  number of sectors have been read. If the 82078
-  does not find an I D Address Mark on the diskette
-  after the second· occurrence of a pulse on the
-  INDX# pin, then it sets the IC code in Status Regis-
-  ter 0 to "01" (Abnormal termination), sets the MA bit
-  in Status Register 1 to "1", and terminates the com-
-  mand.
-
-* 6.1.6 VERIFY
-
-  Refer to Table 6-6 and Table 6-7 for information
-  concerning the values of MT and EC versus SC and
-  EOT value.
-
-* Table 6·6. Result Phase Table
-
-* Table 6-7. Verify Command Result Phase Table
-
-Fix by aborting the transfer when EOT > # Sectors Per Side.
-
-Cc: qemu-stable@nongnu.org
-Cc: Hervé Poussineau <hpoussin@reactos.org>
-Fixes: baca51faff0 ("floppy driver: disk geometry auto detect")
-Reported-by: Alexander Bulekov <alxndr@bu.edu>
-Resolves: https://gitlab.com/qemu-project/qemu/-/issues/339
-Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Message-Id: <20211118115733.4038610-2-philmd@redhat.com>
-Reviewed-by: Hanna Reitz <hreitz@redhat.com>
-Signed-off-by: Kevin Wolf <kwolf@redhat.com>
-
-Upstream-Status: Backport [defac5e2fbddf8423a354ff0454283a2115e1367]
-CVE: CVE-2021-3507
-
-Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
----
- hw/block/fdc.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/hw/block/fdc.c b/hw/block/fdc.c
-index 347875a0c..57bb35579 100644
---- a/hw/block/fdc.c
-+++ b/hw/block/fdc.c
-@@ -1530,6 +1530,14 @@ static void fdctrl_start_transfer(FDCtrl *fdctrl, int direction)
-         int tmp;
-         fdctrl->data_len = 128 << (fdctrl->fifo[5] > 7 ? 7 : fdctrl->fifo[5]);
-         tmp = (fdctrl->fifo[6] - ks + 1);
-+        if (tmp < 0) {
-+            FLOPPY_DPRINTF("invalid EOT: %d\n", tmp);
-+            fdctrl_stop_transfer(fdctrl, FD_SR0_ABNTERM, FD_SR1_MA, 0x00);
-+            fdctrl->fifo[3] = kt;
-+            fdctrl->fifo[4] = kh;
-+            fdctrl->fifo[5] = ks;
-+            return;
-+        }
-         if (fdctrl->fifo[0] & 0x80)
-             tmp += fdctrl->fifo[6];
-         fdctrl->data_len *= tmp;
--- 
-2.33.0
-
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3507_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3507_2.patch
deleted file mode 100644
index acc93e897b..0000000000
--- a/meta/recipes-devtools/qemu/qemu/CVE-2021-3507_2.patch
+++ /dev/null
@@ -1,115 +0,0 @@
-From 3e8601ec707dcbc3c768f7733d016dc70c947e4a Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
-Date: Thu, 18 Nov 2021 12:57:33 +0100
-Subject: [PATCH 2/2] tests/qtest/fdc-test: Add a regression test for
- CVE-2021-3507
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Add the reproducer from https://gitlab.com/qemu-project/qemu/-/issues/339
-
-Without the previous commit, when running 'make check-qtest-i386'
-with QEMU configured with '--enable-sanitizers' we get:
-
-  ==4028352==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000062a00 at pc 0x5626d03c491a bp 0x7ffdb4199410 sp 0x7ffdb4198bc0
-  READ of size 786432 at 0x619000062a00 thread T0
-      #0 0x5626d03c4919 in __asan_memcpy (qemu-system-i386+0x1e65919)
-      #1 0x5626d1c023cc in flatview_write_continue softmmu/physmem.c:2787:13
-      #2 0x5626d1bf0c0f in flatview_write softmmu/physmem.c:2822:14
-      #3 0x5626d1bf0798 in address_space_write softmmu/physmem.c:2914:18
-      #4 0x5626d1bf0f37 in address_space_rw softmmu/physmem.c:2924:16
-      #5 0x5626d1bf14c8 in cpu_physical_memory_rw softmmu/physmem.c:2933:5
-      #6 0x5626d0bd5649 in cpu_physical_memory_write include/exec/cpu-common.h:82:5
-      #7 0x5626d0bd0a07 in i8257_dma_write_memory hw/dma/i8257.c:452:9
-      #8 0x5626d09f825d in fdctrl_transfer_handler hw/block/fdc.c:1616:13
-      #9 0x5626d0a048b4 in fdctrl_start_transfer hw/block/fdc.c:1539:13
-      #10 0x5626d09f4c3e in fdctrl_write_data hw/block/fdc.c:2266:13
-      #11 0x5626d09f22f7 in fdctrl_write hw/block/fdc.c:829:9
-      #12 0x5626d1c20bc5 in portio_write softmmu/ioport.c:207:17
-
-  0x619000062a00 is located 0 bytes to the right of 512-byte region [0x619000062800,0x619000062a00)
-  allocated by thread T0 here:
-      #0 0x5626d03c66ec in posix_memalign (qemu-system-i386+0x1e676ec)
-      #1 0x5626d2b988d4 in qemu_try_memalign util/oslib-posix.c:210:11
-      #2 0x5626d2b98b0c in qemu_memalign util/oslib-posix.c:226:27
-      #3 0x5626d09fbaf0 in fdctrl_realize_common hw/block/fdc.c:2341:20
-      #4 0x5626d0a150ed in isabus_fdc_realize hw/block/fdc-isa.c:113:5
-      #5 0x5626d2367935 in device_set_realized hw/core/qdev.c:531:13
-
-  SUMMARY: AddressSanitizer: heap-buffer-overflow (qemu-system-i386+0x1e65919) in __asan_memcpy
-  Shadow bytes around the buggy address:
-    0x0c32800044f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
-    0x0c3280004500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-    0x0c3280004510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-    0x0c3280004520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-    0x0c3280004530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-  =>0x0c3280004540:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
-    0x0c3280004550: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
-    0x0c3280004560: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
-    0x0c3280004570: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
-    0x0c3280004580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
-    0x0c3280004590: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
-  Shadow byte legend (one shadow byte represents 8 application bytes):
-    Addressable:           00
-    Heap left redzone:       fa
-    Freed heap region:       fd
-  ==4028352==ABORTING
-
-[ kwolf: Added snapshot=on to prevent write file lock failure ]
-
-Reported-by: Alexander Bulekov <alxndr@bu.edu>
-Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
-Signed-off-by: Kevin Wolf <kwolf@redhat.com>
-
-Upstream-Status: Backport [46609b90d9e3a6304def11038a76b58ff43f77bc]
-CVE: CVE-2021-3507
-
-Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
----
- tests/qtest/fdc-test.c | 21 +++++++++++++++++++++
- 1 file changed, 21 insertions(+)
-
-diff --git a/tests/qtest/fdc-test.c b/tests/qtest/fdc-test.c
-index b0d40012e..1d4f85212 100644
---- a/tests/qtest/fdc-test.c
-+++ b/tests/qtest/fdc-test.c
-@@ -583,6 +583,26 @@ static void test_cve_2021_20196(void)
-     qtest_quit(s);
- }
- 
-+static void test_cve_2021_3507(void)
-+{
-+    QTestState *s;
-+
-+    s = qtest_initf("-nographic -m 32M -nodefaults "
-+                    "-drive file=%s,format=raw,if=floppy,snapshot=on",
-+                    test_image);
-+    qtest_outl(s, 0x9, 0x0a0206);
-+    qtest_outw(s, 0x3f4, 0x1600);
-+    qtest_outw(s, 0x3f4, 0x0000);
-+    qtest_outw(s, 0x3f4, 0x0000);
-+    qtest_outw(s, 0x3f4, 0x0000);
-+    qtest_outw(s, 0x3f4, 0x0200);
-+    qtest_outw(s, 0x3f4, 0x0200);
-+    qtest_outw(s, 0x3f4, 0x0000);
-+    qtest_outw(s, 0x3f4, 0x0000);
-+    qtest_outw(s, 0x3f4, 0x0000);
-+    qtest_quit(s);
-+}
-+
- int main(int argc, char **argv)
- {
-     int fd;
-@@ -614,6 +634,7 @@ int main(int argc, char **argv)
-     qtest_add_func("/fdc/read_no_dma_19", test_read_no_dma_19);
-     qtest_add_func("/fdc/fuzz-registers", fuzz_registers);
-     qtest_add_func("/fdc/fuzz/cve_2021_20196", test_cve_2021_20196);
-+    qtest_add_func("/fdc/fuzz/cve_2021_3507", test_cve_2021_3507);
- 
-     ret = g_test_run();
- 
--- 
-2.33.0
-
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_1.patch
deleted file mode 100644
index 56fc34ce5a..0000000000
--- a/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_1.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From f37ac8619a39498edd225c4a0b3039b28814833d Mon Sep 17 00:00:00 2001
-From: Mauro Matteo Cascella <mcascell@redhat.com>
-Date: Tue, 5 Jul 2022 22:05:43 +0200
-Subject: [PATCH 1/2] scsi/lsi53c895a: fix use-after-free in lsi_do_msgout
- (CVE-2022-0216)
-
-Set current_req->req to NULL to prevent reusing a free'd buffer in case of
-repeated SCSI cancel requests. Thanks to Thomas Huth for suggesting the patch.
-
-Fixes: CVE-2022-0216
-Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972
-Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
-Reviewed-by: Thomas Huth <thuth@redhat.com>
-Message-Id: <20220705200543.2366809-1-mcascell@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-
-Upstream-Status: Backport [6c8fa961da5e60f574bb52fd3ad44b1e9e8ad4b8]
-CVE: CVE-2022-0216
-
-Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
----
- hw/scsi/lsi53c895a.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
-index c8773f73f..99ea42d49 100644
---- a/hw/scsi/lsi53c895a.c
-+++ b/hw/scsi/lsi53c895a.c
-@@ -1028,8 +1028,9 @@ static void lsi_do_msgout(LSIState *s)
-         case 0x0d:
-             /* The ABORT TAG message clears the current I/O process only. */
-             trace_lsi_do_msgout_abort(current_tag);
--            if (current_req) {
-+            if (current_req && current_req->req) {
-                 scsi_req_cancel(current_req->req);
-+                current_req->req = NULL;
-             }
-             lsi_disconnect(s);
-             break;
--- 
-2.33.0
-
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_2.patch
deleted file mode 100644
index f332154b6a..0000000000
--- a/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_2.patch
+++ /dev/null
@@ -1,146 +0,0 @@
-From 5451bf6db85ce3da1238e9154d051ebccec8f171 Mon Sep 17 00:00:00 2001
-From: Mauro Matteo Cascella <mcascell@redhat.com>
-Date: Mon, 11 Jul 2022 14:33:16 +0200
-Subject: [PATCH 2/2] scsi/lsi53c895a: really fix use-after-free in
- lsi_do_msgout (CVE-2022-0216)
-
-Set current_req to NULL, not current_req->req, to prevent reusing a free'd
-buffer in case of repeated SCSI cancel requests.  Also apply the fix to
-CLEAR QUEUE and BUS DEVICE RESET messages as well, since they also cancel
-the request.
-
-Thanks to Alexander Bulekov for providing a reproducer.
-
-Fixes: CVE-2022-0216
-Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972
-Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
-Tested-by: Alexander Bulekov <alxndr@bu.edu>
-Message-Id: <20220711123316.421279-1-mcascell@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-
-Upstream-Status: Backport [4367a20cc442c56b05611b4224de9a61908f9eac]
-CVE: CVE-2022-0216
-
-Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
----
- hw/scsi/lsi53c895a.c               |  3 +-
- tests/qtest/fuzz-lsi53c895a-test.c | 76 ++++++++++++++++++++++++++++++
- 2 files changed, 78 insertions(+), 1 deletion(-)
-
-diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
-index 99ea42d49..ad5f5e5f3 100644
---- a/hw/scsi/lsi53c895a.c
-+++ b/hw/scsi/lsi53c895a.c
-@@ -1030,7 +1030,7 @@ static void lsi_do_msgout(LSIState *s)
-             trace_lsi_do_msgout_abort(current_tag);
-             if (current_req && current_req->req) {
-                 scsi_req_cancel(current_req->req);
--                current_req->req = NULL;
-+                current_req = NULL;
-             }
-             lsi_disconnect(s);
-             break;
-@@ -1056,6 +1056,7 @@ static void lsi_do_msgout(LSIState *s)
-             /* clear the current I/O process */
-             if (s->current) {
-                 scsi_req_cancel(s->current->req);
-+                current_req = NULL;
-             }
- 
-             /* As the current implemented devices scsi_disk and scsi_generic
-diff --git a/tests/qtest/fuzz-lsi53c895a-test.c b/tests/qtest/fuzz-lsi53c895a-test.c
-index ba5d46897..c1af0ab1c 100644
---- a/tests/qtest/fuzz-lsi53c895a-test.c
-+++ b/tests/qtest/fuzz-lsi53c895a-test.c
-@@ -8,6 +8,79 @@
- #include "qemu/osdep.h"
- #include "libqos/libqtest.h"
- 
-+/*
-+ * This used to trigger a UAF in lsi_do_msgout()
-+ * https://gitlab.com/qemu-project/qemu/-/issues/972
-+ */
-+static void test_lsi_do_msgout_cancel_req(void)
-+{
-+    QTestState *s;
-+
-+    if (sizeof(void *) == 4) {
-+        g_test_skip("memory size too big for 32-bit build");
-+        return;
-+    }
-+
-+    s = qtest_init("-M q35 -m 4G -display none -nodefaults "
-+                   "-device lsi53c895a,id=scsi "
-+                   "-device scsi-hd,drive=disk0 "
-+                   "-drive file=null-co://,id=disk0,if=none,format=raw");
-+
-+    qtest_outl(s, 0xcf8, 0x80000810);
-+    qtest_outl(s, 0xcf8, 0xc000);
-+    qtest_outl(s, 0xcf8, 0x80000810);
-+    qtest_outw(s, 0xcfc, 0x7);
-+    qtest_outl(s, 0xcf8, 0x80000810);
-+    qtest_outl(s, 0xcfc, 0xc000);
-+    qtest_outl(s, 0xcf8, 0x80000804);
-+    qtest_outw(s, 0xcfc, 0x05);
-+    qtest_writeb(s, 0x69736c10, 0x08);
-+    qtest_writeb(s, 0x69736c13, 0x58);
-+    qtest_writeb(s, 0x69736c1a, 0x01);
-+    qtest_writeb(s, 0x69736c1b, 0x06);
-+    qtest_writeb(s, 0x69736c22, 0x01);
-+    qtest_writeb(s, 0x69736c23, 0x07);
-+    qtest_writeb(s, 0x69736c2b, 0x02);
-+    qtest_writeb(s, 0x69736c48, 0x08);
-+    qtest_writeb(s, 0x69736c4b, 0x58);
-+    qtest_writeb(s, 0x69736c52, 0x04);
-+    qtest_writeb(s, 0x69736c53, 0x06);
-+    qtest_writeb(s, 0x69736c5b, 0x02);
-+    qtest_outl(s, 0xc02d, 0x697300);
-+    qtest_writeb(s, 0x5a554662, 0x01);
-+    qtest_writeb(s, 0x5a554663, 0x07);
-+    qtest_writeb(s, 0x5a55466a, 0x10);
-+    qtest_writeb(s, 0x5a55466b, 0x22);
-+    qtest_writeb(s, 0x5a55466c, 0x5a);
-+    qtest_writeb(s, 0x5a55466d, 0x5a);
-+    qtest_writeb(s, 0x5a55466e, 0x34);
-+    qtest_writeb(s, 0x5a55466f, 0x5a);
-+    qtest_writeb(s, 0x5a345a5a, 0x77);
-+    qtest_writeb(s, 0x5a345a5b, 0x55);
-+    qtest_writeb(s, 0x5a345a5c, 0x51);
-+    qtest_writeb(s, 0x5a345a5d, 0x27);
-+    qtest_writeb(s, 0x27515577, 0x41);
-+    qtest_outl(s, 0xc02d, 0x5a5500);
-+    qtest_writeb(s, 0x364001d0, 0x08);
-+    qtest_writeb(s, 0x364001d3, 0x58);
-+    qtest_writeb(s, 0x364001da, 0x01);
-+    qtest_writeb(s, 0x364001db, 0x26);
-+    qtest_writeb(s, 0x364001dc, 0x0d);
-+    qtest_writeb(s, 0x364001dd, 0xae);
-+    qtest_writeb(s, 0x364001de, 0x41);
-+    qtest_writeb(s, 0x364001df, 0x5a);
-+    qtest_writeb(s, 0x5a41ae0d, 0xf8);
-+    qtest_writeb(s, 0x5a41ae0e, 0x36);
-+    qtest_writeb(s, 0x5a41ae0f, 0xd7);
-+    qtest_writeb(s, 0x5a41ae10, 0x36);
-+    qtest_writeb(s, 0x36d736f8, 0x0c);
-+    qtest_writeb(s, 0x36d736f9, 0x80);
-+    qtest_writeb(s, 0x36d736fa, 0x0d);
-+    qtest_outl(s, 0xc02d, 0x364000);
-+
-+    qtest_quit(s);
-+}
-+
- /*
-  * This used to trigger the assert in lsi_do_dma()
-  * https://bugs.launchpad.net/qemu/+bug/697510
-@@ -48,5 +121,8 @@ int main(int argc, char **argv)
-                        test_lsi_do_dma_empty_queue);
-     }
- 
-+    qtest_add_func("fuzz/lsi53c895a/lsi_do_msgout_cancel_req",
-+                   test_lsi_do_msgout_cancel_req);
-+
-     return g_test_run();
- }
--- 
-2.33.0
-
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-35414.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-35414.patch
deleted file mode 100644
index fe79a749ae..0000000000
--- a/meta/recipes-devtools/qemu/qemu/CVE-2022-35414.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From a10c33942dc8cb31b3762b9dd4adde4c490eed9c Mon Sep 17 00:00:00 2001
-From: Hitendra Prajapati <hprajapati@mvista.com>
-Date: Wed, 3 Aug 2022 10:11:11 +0530
-Subject: [PATCH] CVE-2022-35414
-
-Upstream-Status: Backport [https://github.com/qemu/qemu/commit/418ade7849ce7641c0f7333718caf5091a02fd4c]
-CVE: CVE-2022-35414
-Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
----
- softmmu/physmem.c | 13 ++++++++++++-
- 1 file changed, 12 insertions(+), 1 deletion(-)
-
-diff --git a/softmmu/physmem.c b/softmmu/physmem.c
-index 4e1b27a20..ad8a90dec 100644
---- a/softmmu/physmem.c
-+++ b/softmmu/physmem.c
-@@ -669,7 +669,7 @@ void tcg_iommu_init_notifier_list(CPUState *cpu)
- 
- /* Called from RCU critical section */
- MemoryRegionSection *
--address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr,
-+address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr orig_addr,
-                                   hwaddr *xlat, hwaddr *plen,
-                                   MemTxAttrs attrs, int *prot)
- {
-@@ -678,6 +678,7 @@ address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr,
-     IOMMUMemoryRegionClass *imrc;
-     IOMMUTLBEntry iotlb;
-     int iommu_idx;
-+    hwaddr addr = orig_addr;
-     AddressSpaceDispatch *d =
-         qatomic_rcu_read(&cpu->cpu_ases[asidx].memory_dispatch);
- 
-@@ -722,6 +723,16 @@ address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr,
-     return section;
- 
- translate_fail:
-+    /*
-+     * We should be given a page-aligned address -- certainly
-+     * tlb_set_page_with_attrs() does so.  The page offset of xlat
-+     * is used to index sections[], and PHYS_SECTION_UNASSIGNED = 0.
-+     * The page portion of xlat will be logged by memory_region_access_valid()
-+     * when this memory access is rejected, so use the original untranslated
-+     * physical address.
-+     */
-+    assert((orig_addr & ~TARGET_PAGE_MASK) == 0);
-+    *xlat = orig_addr;
-     return &d->map.sections[PHYS_SECTION_UNASSIGNED];
- }
- 
--- 
-2.25.1
-
diff --git a/meta/recipes-devtools/qemu/qemu/cross.patch b/meta/recipes-devtools/qemu/qemu/cross.patch
index d1256a1229..ca2ad361ef 100644
--- a/meta/recipes-devtools/qemu/qemu/cross.patch
+++ b/meta/recipes-devtools/qemu/qemu/cross.patch
@@ -14,19 +14,19 @@ Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  configure | 4 ----
  1 file changed, 4 deletions(-)
 
-diff --git a/configure b/configure
-index 7c08c1835..0613279f9 100755
---- a/configure
-+++ b/configure
-@@ -3118,7 +3118,6 @@ if test "$skip_meson" = no; then
-   fi
+Index: qemu-7.1.0/configure
+===================================================================
+--- qemu-7.1.0.orig/configure
++++ qemu-7.1.0/configure
+@@ -2710,7 +2710,6 @@ if test "$skip_meson" = no; then
    echo "strip = [$(meson_quote $strip)]" >> $cross
+   echo "widl = [$(meson_quote $widl)]" >> $cross
    echo "windres = [$(meson_quote $windres)]" >> $cross
 -  if test "$cross_compile" = "yes"; then
      cross_arg="--cross-file config-meson.cross"
      echo "[host_machine]" >> $cross
      echo "system = '$targetos'" >> $cross
-@@ -3136,9 +3135,6 @@ if test "$skip_meson" = no; then
+@@ -2728,9 +2727,6 @@ if test "$skip_meson" = no; then
      else
          echo "endian = 'little'" >> $cross
      fi
@@ -36,6 +36,3 @@ index 7c08c1835..0613279f9 100755
    mv $cross config-meson.cross
  
    rm -rf meson-private meson-info meson-logs
--- 
-2.30.2
-
diff --git a/meta/recipes-devtools/qemu/qemu_7.0.0.bb b/meta/recipes-devtools/qemu/qemu_7.1.0.bb
index 42e133967e..42e133967e 100644
--- a/meta/recipes-devtools/qemu/qemu_7.0.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_7.1.0.bb