-rw-r--r--meta/conf/distro/include/tcmode-default.inc2
-rw-r--r--meta/recipes-devtools/qemu/qemu-native.inc4
-rw-r--r--meta/recipes-devtools/qemu/qemu-native_4.0.0.bb (renamed from meta/recipes-devtools/qemu/qemu-native_3.1.0.bb)0
-rw-r--r--meta/recipes-devtools/qemu/qemu-system-native_4.0.0.bb (renamed from meta/recipes-devtools/qemu/qemu-system-native_3.1.0.bb)1
-rw-r--r--meta/recipes-devtools/qemu/qemu.inc41
-rw-r--r--meta/recipes-devtools/qemu/qemu/0001-Add-a-missing-X11-include.patch65
-rw-r--r--meta/recipes-devtools/qemu/qemu/0001-egl-headless-add-egl_create_context.patch50
-rw-r--r--meta/recipes-devtools/qemu/qemu/0001-qemu-Add-missing-wacom-HID-descriptor.patch (renamed from meta/recipes-devtools/qemu/qemu/0002-qemu-Add-missing-wacom-HID-descriptor.patch)2
-rw-r--r--meta/recipes-devtools/qemu/qemu/0001-sdl.c-allow-user-to-disable-pointer-grabs.patch72
-rw-r--r--meta/recipes-devtools/qemu/qemu/0002-Add-subpackage-ptest-which-runs-all-unit-test-cases-.patch (renamed from meta/recipes-devtools/qemu/qemu/0003-Add-subpackage-ptest-which-runs-all-unit-test-cases-.patch)6
-rw-r--r--meta/recipes-devtools/qemu/qemu/0003-qemu-Add-addition-environment-space-to-boot-loader-q.patch (renamed from meta/recipes-devtools/qemu/qemu/0004-qemu-Add-addition-environment-space-to-boot-loader-q.patch)6
-rw-r--r--meta/recipes-devtools/qemu/qemu/0004-qemu-disable-Valgrind.patch (renamed from meta/recipes-devtools/qemu/qemu/0005-qemu-disable-Valgrind.patch)6
-rw-r--r--meta/recipes-devtools/qemu/qemu/0005-qemu-Limit-paths-searched-during-user-mode-emulation.patch (renamed from meta/recipes-devtools/qemu/qemu/0006-qemu-Limit-paths-searched-during-user-mode-emulation.patch)2
-rw-r--r--meta/recipes-devtools/qemu/qemu/0006-qemu-native-set-ld.bfd-fix-cflags-and-set-some-envir.patch (renamed from meta/recipes-devtools/qemu/qemu/0007-qemu-native-set-ld.bfd-fix-cflags-and-set-some-envir.patch)6
-rw-r--r--meta/recipes-devtools/qemu/qemu/0007-chardev-connect-socket-to-a-spawned-command.patch (renamed from meta/recipes-devtools/qemu/qemu/0008-chardev-connect-socket-to-a-spawned-command.patch)69
-rw-r--r--meta/recipes-devtools/qemu/qemu/0008-apic-fixup-fallthrough-to-PIC.patch (renamed from meta/recipes-devtools/qemu/qemu/0009-apic-fixup-fallthrough-to-PIC.patch)6
-rw-r--r--meta/recipes-devtools/qemu/qemu/0009-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch (renamed from meta/recipes-devtools/qemu/qemu/0010-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch)4
-rw-r--r--meta/recipes-devtools/qemu/qemu/0010-Revert-linux-user-fix-mmap-munmap-mprotect-mremap-sh.patch (renamed from meta/recipes-devtools/qemu/qemu/0011-Revert-linux-user-fix-mmap-munmap-mprotect-mremap-sh.patch)20
-rw-r--r--meta/recipes-devtools/qemu/qemu/0011-fix-libcap-header-issue-on-some-distro.patch (renamed from meta/recipes-devtools/qemu/qemu/0012-fix-libcap-header-issue-on-some-distro.patch)2
-rw-r--r--meta/recipes-devtools/qemu/qemu/0012-cpus.c-Add-error-messages-when-qemi_cpu_kick_thread-.patch (renamed from meta/recipes-devtools/qemu/qemu/0013-cpus.c-Add-error-messages-when-qemi_cpu_kick_thread-.patch)10
-rw-r--r--meta/recipes-devtools/qemu/qemu/0013-Revert-target-arm-Use-vector-operations-for-saturati.patch493
-rw-r--r--meta/recipes-devtools/qemu/qemu/0014-fix-CVE-2018-16872.patch85
-rw-r--r--meta/recipes-devtools/qemu/qemu/0015-fix-CVE-2018-20124.patch60
-rw-r--r--meta/recipes-devtools/qemu/qemu/0016-fix-CVE-2018-20125.patch54
-rw-r--r--meta/recipes-devtools/qemu/qemu/0017-fix-CVE-2018-20126.patch113
-rw-r--r--meta/recipes-devtools/qemu/qemu/0018-fix-CVE-2018-20191.patch47
-rw-r--r--meta/recipes-devtools/qemu/qemu/0019-fix-CVE-2018-20216.patch85
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2019-3812.patch39
-rw-r--r--meta/recipes-devtools/qemu/qemu_4.0.0.bb (renamed from meta/recipes-devtools/qemu/qemu_3.1.0.bb)2
29 files changed, 583 insertions, 769 deletions
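diff --git a/meta/conf/distro/include/tcmode-default.inc b/meta/conf/distro/include/tcmode-default.inc
index 04373cc0aa..02e9ddde24 100644
--- a/meta/conf/distro/include/tcmode-default.inc
+++ b/meta/conf/distro/include/tcmode-default.inc
@@ -24,7 +24,7 @@ BINUVERSION ?= "2.32%"
 GDBVERSION ?= "8.2%"
 GLIBCVERSION ?= "2.29%"
 LINUXLIBCVERSION ?= "5.0%"
-QEMUVERSION ?= "3.1%"
+QEMUVERSION ?= "4.0%"
 GOVERSION ?= "1.12%"
 
 PREFERRED_VERSION_gcc ?= "${GCCVERSION}"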
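diff --git a/meta/recipes-devtools/qemu/qemu-native.inc b/meta/recipes-devtools/qemu/qemu-native.inc
index 4373ad9e63..34ab8e6401 100644
--- a/meta/recipes-devtools/qemu/qemu-native.inc
+++ b/meta/recipes-devtools/qemu/qemu-native.inc
@@ -3,8 +3,8 @@ inherit native
 require qemu.inc
 
 SRC_URI_append = " \
- file://0012-fix-libcap-header-issue-on-some-distro.patch \
- file://0013-cpus.c-Add-error-messages-when-qemi_cpu_kick_thread-.patch \
+ file://0011-fix-libcap-header-issue-on-some-distro.patch \
+ file://0012-cpus.c-Add-error-messages-when-qemi_cpu_kick_thread-.patch \
  "
 EXTRA_OECONF_append = " --python=python2.7"
 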
diff --git a/meta/recipes-devtools/qemu/qemu-native_3.1.0.bb b/meta/recipes-devtools/qemu/qemu-native_4.0.0.bb
index c8acff8e19..c8acff8e19 100644
--- a/meta/recipes-devtools/qemu/qemu-native_3.1.0.bb
+++ b/meta/recipes-devtools/qemu/qemu-native_4.0.0.bb
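diff --git a/meta/recipes-devtools/qemu/qemu-system-native_3.1.0.bb b/meta/recipes-devtools/qemu/qemu-system-native_4.0.0.bb
index 5bf528bec1..820883df65 100644
--- a/meta/recipes-devtools/qemu/qemu-system-native_3.1.0.bb
+++ b/meta/recipes-devtools/qemu/qemu-system-native_4.0.0.bb
@@ -20,4 +20,5 @@ do_install_append() {
  # The following is also installed by qemu-native
  rm -f ${D}${datadir}/qemu/trace-events-all
  rm -rf ${D}${datadir}/qemu/keymaps
+ rm -rf ${D}${datadir}/icons/
 }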
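diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 3ec141452d..f7b41412ad 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -5,36 +5,27 @@ LICENSE = "GPLv2 & LGPLv2.1"
 RDEPENDS_${PN}-ptest = "bash make"
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=441c28d2cf86e15a37fa47e15a72fbac \
- file://COPYING.LIB;endline=24;md5=c04def7ae38850e7d3ef548588159913"
+ file://COPYING.LIB;endline=24;md5=8c5efda6cf1e1b03dcfd0e6c0d271c7f"
 
 SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
  file://powerpc_rom.bin \
- file://0001-sdl.c-allow-user-to-disable-pointer-grabs.patch \
- file://0002-qemu-Add-missing-wacom-HID-descriptor.patch \
- file://0003-Add-subpackage-ptest-which-runs-all-unit-test-cases-.patch \
  file://run-ptest \
- file://0004-qemu-Add-addition-environment-space-to-boot-loader-q.patch \
- file://0005-qemu-disable-Valgrind.patch \
- file://0006-qemu-Limit-paths-searched-during-user-mode-emulation.patch \
- file://0007-qemu-native-set-ld.bfd-fix-cflags-and-set-some-envir.patch \
- file://0008-chardev-connect-socket-to-a-spawned-command.patch \
- file://0009-apic-fixup-fallthrough-to-PIC.patch \
- file://0010-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch \
- file://0011-Revert-linux-user-fix-mmap-munmap-mprotect-mremap-sh.patch \
- file://0001-Add-a-missing-X11-include.patch \
- file://0001-egl-headless-add-egl_create_context.patch \
- file://0014-fix-CVE-2018-16872.patch \
- file://0015-fix-CVE-2018-20124.patch \
- file://0016-fix-CVE-2018-20125.patch \
- file://0017-fix-CVE-2018-20126.patch \
- file://0018-fix-CVE-2018-20191.patch \
- file://0019-fix-CVE-2018-20216.patch \
- file://CVE-2019-3812.patch \
+ file://0001-qemu-Add-missing-wacom-HID-descriptor.patch \
+ file://0002-Add-subpackage-ptest-which-runs-all-unit-test-cases-.patch \
+ file://0003-qemu-Add-addition-environment-space-to-boot-loader-q.patch \
+ file://0004-qemu-disable-Valgrind.patch \
+ file://0005-qemu-Limit-paths-searched-during-user-mode-emulation.patch \
+ file://0006-qemu-native-set-ld.bfd-fix-cflags-and-set-some-envir.patch \
+ file://0007-chardev-connect-socket-to-a-spawned-command.patch \
+ file://0008-apic-fixup-fallthrough-to-PIC.patch \
+ file://0009-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch \
+ file://0010-Revert-linux-user-fix-mmap-munmap-mprotect-mremap-sh.patch \
+ file://0013-Revert-target-arm-Use-vector-operations-for-saturati.patch \
  "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
 
-SRC_URI[md5sum] = "fb687ce0b02d3bf4327e36d3b99427a8"
-SRC_URI[sha256sum] = "6a0508df079a0a33c2487ca936a56c12122f105b8a96a44374704bef6c69abfc"
+SRC_URI[md5sum] = "0afeca336fd57ae3d3086ec07f59d708"
+SRC_URI[sha256sum] = "13a93dfe75b86734326f8d5b475fde82ec692d5b5a338b4262aeeb6b0fa4e469"
 
 COMPATIBLE_HOST_mipsarchn32 = "null"
 COMPATIBLE_HOST_mipsarchn64 = "null"
@@ -133,7 +124,7 @@ make_qemu_wrapper() {
 PACKAGECONFIG_remove_darwin = "kvm virglrenderer glx gtk+"
 PACKAGECONFIG_remove_mingw32 = "kvm virglrenderer glx gtk+"
 
-PACKAGECONFIG[sdl] = "--enable-sdl --with-sdlabi=2.0,--disable-sdl,libsdl2"
+PACKAGECONFIG[sdl] = "--enable-sdl,--disable-sdl,libsdl2"
 PACKAGECONFIG[virtfs] = "--enable-virtfs --enable-attr,--disable-virtfs,libcap attr,"
 PACKAGECONFIG[aio] = "--enable-linux-aio,--disable-linux-aio,libaio,"
 PACKAGECONFIG[xfs] = "--enable-xfsctl,--disable-xfsctl,xfsprogs,"
@@ -169,3 +160,5 @@ PACKAGECONFIG[usb-redir] = "--enable-usb-redir,--disable-usb-redir,usbredir"
 PACKAGECONFIG[snappy] = "--enable-snappy,--disable-snappy,snappy"
 
 INSANE_SKIP_${PN} = "arch"
+
+FILES_${PN} += "${datadir}/icons"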
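Review bot: The `SRC_URI` hunk drops seven CVE backports (`0014-fix-CVE-2018-16872.patch` through `0019-fix-CVE-2018-20216.patch`, plus `CVE-2019-3812.patch`), and nothing visible on this page records that each fix is contained in the 4.0.0 tarball. If they are all upstream, the commit log should say so per CVE, e.g. `Drop CVE-2018-16872, ... CVE-2019-3812 backports: fixed upstream in 4.0.0`; any that is not should stay in `SRC_URI`, rebased. The same hunk changes the `COPYING.LIB` md5 in `LIC_FILES_CHKSUM`, so the log should also state what changed in the license text, because the new checksum alone does not show whether the terms changed or only the wording.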
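diff --git a/meta/recipes-devtools/qemu/qemu/0001-Add-a-missing-X11-include.patch b/meta/recipes-devtools/qemu/qemu/0001-Add-a-missing-X11-include.patch
deleted file mode 100644
index 192936e1e7..0000000000
--- a/meta/recipes-devtools/qemu/qemu/0001-Add-a-missing-X11-include.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From eb1a215a4f86dde4493c3e22ad9f6d698850915e Mon Sep 17 00:00:00 2001
-From: Alexander Kanavin <alex.kanavin@gmail.com>
-Date: Thu, 20 Dec 2018 18:06:29 +0100
-Subject: [PATCH] egl-helpers.h: do not depend on X11 Window type, use
- EGLNativeWindowType
-
-It was assumed that mesa provides the necessary X11 includes,
-but it is not always the case, as it can be configured without x11 support.
-
-Upstream-Status: Submitted [http://lists.nongnu.org/archive/html/qemu-devel/2019-01/msg03706.html]
-Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
-
----
- include/ui/egl-helpers.h | 2 +-
- ui/egl-helpers.c | 4 ++--
- ui/gtk-egl.c | 2 +-
- 3 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/include/ui/egl-helpers.h b/include/ui/egl-helpers.h
-index 9db7293b..3fc656a7 100644
---- a/include/ui/egl-helpers.h
-+++ b/include/ui/egl-helpers.h
-@@ -43,7 +43,7 @@ void egl_dmabuf_release_texture(QemuDmaBuf *dmabuf);
-
- #endif
-
--EGLSurface qemu_egl_init_surface_x11(EGLContext ectx, Window win);
-+EGLSurface qemu_egl_init_surface_x11(EGLContext ectx, EGLNativeWindowType win);
-
- int qemu_egl_init_dpy_x11(EGLNativeDisplayType dpy, DisplayGLMode mode);
- int qemu_egl_init_dpy_mesa(EGLNativeDisplayType dpy, DisplayGLMode mode);
-diff --git a/ui/egl-helpers.c b/ui/egl-helpers.c
-index 4f475142..5e115b3f 100644
---- a/ui/egl-helpers.c
-+++ b/ui/egl-helpers.c
-@@ -273,14 +273,14 @@ void egl_dmabuf_release_texture(QemuDmaBuf *dmabuf)
-
- /* ---------------------------------------------------------------------- */
-
--EGLSurface qemu_egl_init_surface_x11(EGLContext ectx, Window win)
-+EGLSurface qemu_egl_init_surface_x11(EGLContext ectx, EGLNativeWindowType win)
- {
- EGLSurface esurface;
- EGLBoolean b;
-
- esurface = eglCreateWindowSurface(qemu_egl_display,
- qemu_egl_config,
-- (EGLNativeWindowType)win, NULL);
-+ win, NULL);
- if (esurface == EGL_NO_SURFACE) {
- error_report("egl: eglCreateWindowSurface failed");
- return NULL;
-diff --git a/ui/gtk-egl.c b/ui/gtk-egl.c
-index 5420c236..1f941162 100644
---- a/ui/gtk-egl.c
-+++ b/ui/gtk-egl.c
-@@ -54,7 +54,7 @@ void gd_egl_init(VirtualConsole *vc)
- }
-
- vc->gfx.ectx = qemu_egl_init_ctx();
-- vc->gfx.esurface = qemu_egl_init_surface_x11(vc->gfx.ectx, x11_window);
-+ vc->gfx.esurface = qemu_egl_init_surface_x11(vc->gfx.ectx, (EGLNativeWindowType)x11_window);
-
- assert(vc->gfx.esurface);
- }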
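diff --git a/meta/recipes-devtools/qemu/qemu/0001-egl-headless-add-egl_create_context.patch b/meta/recipes-devtools/qemu/qemu/0001-egl-headless-add-egl_create_context.patch
deleted file mode 100644
index d9326c017a..0000000000
--- a/meta/recipes-devtools/qemu/qemu/0001-egl-headless-add-egl_create_context.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 952e5d584f5aabe41298c278065fe628f3f7aa7a Mon Sep 17 00:00:00 2001
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Thu, 29 Nov 2018 13:35:02 +0100
-Subject: [PATCH] egl-headless: add egl_create_context
-
-We must set the correct context (via eglMakeCurrent) before
-calling qemu_egl_create_context, so we need a thin wrapper and can't
-hook qemu_egl_create_context directly as ->dpy_gl_ctx_create callback.
-
-Reported-by: Frederik Carlier <frederik.carlier@quamotion.mobi>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Message-id: 20181129123502.30129-1-kraxel@redhat.com
-
-Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=952e5d584f5aabe41298c278065fe628f3f7aa7a]
-Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
----
- ui/egl-headless.c | 10 +++++++++-
- 1 file changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/ui/egl-headless.c b/ui/egl-headless.c
-index 4cf3bbc0e4..519e7bad32 100644
---- a/ui/egl-headless.c
-+++ b/ui/egl-headless.c
-@@ -38,6 +38,14 @@ static void egl_gfx_switch(DisplayChangeListener *dcl,
- edpy->ds = new_surface;
- }
-
-+static QEMUGLContext egl_create_context(DisplayChangeListener *dcl,
-+ QEMUGLParams *params)
-+{
-+ eglMakeCurrent(qemu_egl_display, EGL_NO_SURFACE, EGL_NO_SURFACE,
-+ qemu_egl_rn_ctx);
-+ return qemu_egl_create_context(dcl, params);
-+}
-+
- static void egl_scanout_disable(DisplayChangeListener *dcl)
- {
- egl_dpy *edpy = container_of(dcl, egl_dpy, dcl);
-@@ -150,7 +158,7 @@ static const DisplayChangeListenerOps egl_ops = {
- .dpy_gfx_update = egl_gfx_update,
- .dpy_gfx_switch = egl_gfx_switch,
-
-- .dpy_gl_ctx_create = qemu_egl_create_context,
-+ .dpy_gl_ctx_create = egl_create_context,
- .dpy_gl_ctx_destroy = qemu_egl_destroy_context,
- .dpy_gl_ctx_make_current = qemu_egl_make_context_current,
- .dpy_gl_ctx_get_current = qemu_egl_get_current_context,
---
-2.17.1
-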
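diff --git a/meta/recipes-devtools/qemu/qemu/0002-qemu-Add-missing-wacom-HID-descriptor.patch b/meta/recipes-devtools/qemu/qemu/0001-qemu-Add-missing-wacom-HID-descriptor.patch
index 4de2688838..5373915ff0 100644
--- a/meta/recipes-devtools/qemu/qemu/0002-qemu-Add-missing-wacom-HID-descriptor.patch
+++ b/meta/recipes-devtools/qemu/qemu/0001-qemu-Add-missing-wacom-HID-descriptor.patch
@@ -1,4 +1,4 @@
-From 7ac3c84f28866491c58cc0f52a25a706949c8ef3 Mon Sep 17 00:00:00 2001
+From 1cb804cf0e47116202011f3386b4739af668224a Mon Sep 17 00:00:00 2001
 From: Richard Purdie <richard.purdie@linuxfoundation.org>
 Date: Thu, 27 Nov 2014 14:04:29 +0000
 Subject: [PATCH] qemu: Add missing wacom HID descriptor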
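diff --git a/meta/recipes-devtools/qemu/qemu/0001-sdl.c-allow-user-to-disable-pointer-grabs.patch b/meta/recipes-devtools/qemu/qemu/0001-sdl.c-allow-user-to-disable-pointer-grabs.patch
deleted file mode 100644
index 5b9a1f911c..0000000000
--- a/meta/recipes-devtools/qemu/qemu/0001-sdl.c-allow-user-to-disable-pointer-grabs.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-From c53ddb5acbee56db6423f369b9f9a9b62501b4af Mon Sep 17 00:00:00 2001
-From: Ross Burton <ross.burton@intel.com>
-Date: Wed, 18 Sep 2013 14:04:54 +0100
-Subject: [PATCH] sdl.c: allow user to disable pointer grabs
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-When the pointer enters the Qemu window it calls SDL_WM_GrabInput, which calls
-XGrabPointer in a busyloop until it returns GrabSuccess. However if there's already
-a pointer grab (screen is locked, a menu is open) then qemu will hang until the
-grab can be taken. In the specific case of a headless X server on an autobuilder, once
-the screensaver has kicked in any qemu instance that appears underneath the
-pointer will hang.
-
-I'm not entirely sure why pointer grabs are required (the documentation
-explicitly says it doesn't do grabs when using a tablet, which we are) so wrap
-them in a conditional that can be set by the autobuilder environment, preserving
-the current grabbing behaviour for everyone else.
-
-Upstream-Status: Pending
-Signed-off-by: Ross Burton <ross.burton@intel.com>
-Signed-off-by: Eric Bénard <eric@eukrea.com>
-
----
- ui/sdl.c | 13 +++++++++++--
- 1 file changed, 11 insertions(+), 2 deletions(-)
-
-diff --git a/ui/sdl.c b/ui/sdl.c
-index 190b16f5..aa89471d 100644
---- a/ui/sdl.c
-+++ b/ui/sdl.c
-@@ -69,6 +69,11 @@ static int idle_counter;
- static const guint16 *keycode_map;
- static size_t keycode_maplen;
-
-+#ifndef True
-+#define True 1
-+#endif
-+static doing_grabs = True;
-+
- #define SDL_REFRESH_INTERVAL_BUSY 10
- #define SDL_MAX_IDLE_COUNT (2 * GUI_REFRESH_INTERVAL_DEFAULT \
- / SDL_REFRESH_INTERVAL_BUSY + 1)
-@@ -399,14 +404,16 @@ static void sdl_grab_start(void)
- }
- } else
- sdl_hide_cursor();
-- SDL_WM_GrabInput(SDL_GRAB_ON);
-+ if (doing_grabs)
-+ SDL_WM_GrabInput(SDL_GRAB_ON);
- gui_grab = 1;
- sdl_update_caption();
- }
-
- static void sdl_grab_end(void)
- {
-- SDL_WM_GrabInput(SDL_GRAB_OFF);
-+ if (doing_grabs)
-+ SDL_WM_GrabInput(SDL_GRAB_OFF);
- gui_grab = 0;
- sdl_show_cursor();
- sdl_update_caption();
-@@ -945,6 +952,8 @@ static void sdl1_display_init(DisplayState *ds, DisplayOptions *o)
- * This requires SDL >= 1.2.14. */
- setenv("SDL_DISABLE_LOCK_KEYS", "1", 1);
-
-+ doing_grabs = (getenv("QEMU_DONT_GRAB") == NULL);
-+
- flags = SDL_INIT_VIDEO | SDL_INIT_NOPARACHUTE;
- if (SDL_Init (flags)) {
- fprintf(stderr, "Could not initialize SDL(%s) - exiting\n",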
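diff --git a/meta/recipes-devtools/qemu/qemu/0003-Add-subpackage-ptest-which-runs-all-unit-test-cases-.patch b/meta/recipes-devtools/qemu/qemu/0002-Add-subpackage-ptest-which-runs-all-unit-test-cases-.patch
index 668fc4680c..7b7c5d71a0 100644
--- a/meta/recipes-devtools/qemu/qemu/0003-Add-subpackage-ptest-which-runs-all-unit-test-cases-.patch
+++ b/meta/recipes-devtools/qemu/qemu/0002-Add-subpackage-ptest-which-runs-all-unit-test-cases-.patch
@@ -1,4 +1,4 @@
-From aac8834bfd5b79e724f2593895847b50968a1223 Mon Sep 17 00:00:00 2001
+From 281116b31981b0b9e174bda8abe00f4eaa33c2ae Mon Sep 17 00:00:00 2001
 From: Juro Bystricky <juro.bystricky@intel.com>
 Date: Thu, 31 Aug 2017 11:06:56 -0700
 Subject: [PATCH] Add subpackage -ptest which runs all unit test cases for
@@ -15,10 +15,10 @@ Signed-off-by: Juro Bystricky <juro.bystricky@intel.com>
  1 file changed, 8 insertions(+)
 
 diff --git a/tests/Makefile.include b/tests/Makefile.include
-index fb0b449c..afedabd4 100644
+index 36fc73fe..01fecd4d 100644
 --- a/tests/Makefile.include
 +++ b/tests/Makefile.include
-@@ -967,4 +967,12 @@ all: $(QEMU_IOTESTS_HELPERS-y)
+@@ -1184,4 +1184,12 @@ all: $(QEMU_IOTESTS_HELPERS-y)
  -include $(wildcard tests/*.d)
  -include $(wildcard tests/libqos/*.d)
 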
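diff --git a/meta/recipes-devtools/qemu/qemu/0004-qemu-Add-addition-environment-space-to-boot-loader-q.patch b/meta/recipes-devtools/qemu/qemu/0003-qemu-Add-addition-environment-space-to-boot-loader-q.patch
index b4d4c587bd..9a18ca18e4 100644
--- a/meta/recipes-devtools/qemu/qemu/0004-qemu-Add-addition-environment-space-to-boot-loader-q.patch
+++ b/meta/recipes-devtools/qemu/qemu/0003-qemu-Add-addition-environment-space-to-boot-loader-q.patch
@@ -1,4 +1,4 @@
-From 3de7a5635093c31dcb960ce9dff27da629b85d4d Mon Sep 17 00:00:00 2001
+From bf04acef9ec31ddcc18ddbb4ac5b7b1e7368bf7d Mon Sep 17 00:00:00 2001
 From: Jason Wessel <jason.wessel@windriver.com>
 Date: Fri, 28 Mar 2014 17:42:43 +0800
 Subject: [PATCH] qemu: Add addition environment space to boot loader
@@ -19,10 +19,10 @@ Signed-off-by: Roy Li <rongqing.li@windriver.com>
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/hw/mips/mips_malta.c b/hw/mips/mips_malta.c
-index c1cf0fe1..decffd2f 100644
+index 439665ab..285c78ef 100644
 --- a/hw/mips/mips_malta.c
 +++ b/hw/mips/mips_malta.c
-@@ -62,7 +62,7 @@
+@@ -60,7 +60,7 @@
 
  #define ENVP_ADDR 0x80002000l
  #define ENVP_NB_ENTRIES 16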
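diff --git a/meta/recipes-devtools/qemu/qemu/0005-qemu-disable-Valgrind.patch b/meta/recipes-devtools/qemu/qemu/0004-qemu-disable-Valgrind.patch
index f0cf8148e1..9e326081f2 100644
--- a/meta/recipes-devtools/qemu/qemu/0005-qemu-disable-Valgrind.patch
+++ b/meta/recipes-devtools/qemu/qemu/0004-qemu-disable-Valgrind.patch
@@ -1,4 +1,4 @@
-From 32e8a94b6ae664d9b5689e19d495e304c0f41954 Mon Sep 17 00:00:00 2001
+From e40f797548bc3ff06c71b6cbe042a46406894d18 Mon Sep 17 00:00:00 2001
 From: Ross Burton <ross.burton@intel.com>
 Date: Tue, 20 Oct 2015 22:19:08 +0100
 Subject: [PATCH] qemu: disable Valgrind
@@ -13,10 +13,10 @@ Signed-off-by: Ross Burton <ross.burton@intel.com>
  1 file changed, 9 deletions(-)
 
 diff --git a/configure b/configure
-index 0a3c6a72..069e0daa 100755
+index 1c563a70..eaf9bb5e 100755
 --- a/configure
 +++ b/configure
-@@ -5044,15 +5044,6 @@ fi
+@@ -5311,15 +5311,6 @@ fi
  # check if we have valgrind/valgrind.h
 
  valgrind_h=no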
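diff --git a/meta/recipes-devtools/qemu/qemu/0006-qemu-Limit-paths-searched-during-user-mode-emulation.patch b/meta/recipes-devtools/qemu/qemu/0005-qemu-Limit-paths-searched-during-user-mode-emulation.patch
index 4b2f0137eb..819720a3f2 100644
--- a/meta/recipes-devtools/qemu/qemu/0006-qemu-Limit-paths-searched-during-user-mode-emulation.patch
+++ b/meta/recipes-devtools/qemu/qemu/0005-qemu-Limit-paths-searched-during-user-mode-emulation.patch
@@ -1,4 +1,4 @@
-From 02f80ee81681b6307a8032128a07686183662270 Mon Sep 17 00:00:00 2001
+From 547c3710a1493d2fd6bb56b819cf162db433756a Mon Sep 17 00:00:00 2001
 From: Richard Purdie <richard.purdie@linuxfoundation.org>
 Date: Wed, 9 Mar 2016 22:49:02 +0000
 Subject: [PATCH] qemu: Limit paths searched during user mode emulation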
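diff --git a/meta/recipes-devtools/qemu/qemu/0007-qemu-native-set-ld.bfd-fix-cflags-and-set-some-envir.patch b/meta/recipes-devtools/qemu/qemu/0006-qemu-native-set-ld.bfd-fix-cflags-and-set-some-envir.patch
index 4163e51884..b62a588c66 100644
--- a/meta/recipes-devtools/qemu/qemu/0007-qemu-native-set-ld.bfd-fix-cflags-and-set-some-envir.patch
+++ b/meta/recipes-devtools/qemu/qemu/0006-qemu-native-set-ld.bfd-fix-cflags-and-set-some-envir.patch
@@ -1,4 +1,4 @@
-From 74bce35b71f4733c13e96f96e25956ff943fae20 Mon Sep 17 00:00:00 2001
+From 107fd860529a3c1319d54c3c225758457b0d9394 Mon Sep 17 00:00:00 2001
 From: Stephen Arnold <sarnold@vctlabs.com>
 Date: Sun, 12 Jun 2016 18:09:56 -0700
 Subject: [PATCH] qemu-native: set ld.bfd, fix cflags, and set some environment
@@ -10,10 +10,10 @@ Upstream-Status: Pending
  1 file changed, 4 deletions(-)
 
 diff --git a/configure b/configure
-index 069e0daa..5b97f3c1 100755
+index eaf9bb5e..de2933d1 100755
 --- a/configure
 +++ b/configure
-@@ -5622,10 +5622,6 @@ write_c_skeleton
+@@ -5928,10 +5928,6 @@ write_c_skeleton
  if test "$gcov" = "yes" ; then
  CFLAGS="-fprofile-arcs -ftest-coverage -g $CFLAGS"
  LDFLAGS="-fprofile-arcs -ftest-coverage $LDFLAGS"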
diff --git a/meta/recipes-devtools/qemu/qemu/0008-chardev-connect-socket-to-a-spawned-command.patch b/meta/recipes-devtools/qemu/qemu/0007-chardev-connect-socket-to-a-spawned-command.patch
index e5a2d4abca..f3f3dc3f5e 100644
--- a/meta/recipes-devtools/qemu/qemu/0008-chardev-connect-socket-to-a-spawned-command.patch
+++ b/meta/recipes-devtools/qemu/qemu/0007-chardev-connect-socket-to-a-spawned-command.patch
@@ -1,4 +1,4 @@
1From 9c1e976290e87a83ab1bfe38eb7ff3521ff0d684 Mon Sep 17 00:00:00 2001 1From 136e159482a1bc8676cbe6e767055d0c3fb20065 Mon Sep 17 00:00:00 2001
2From: Alistair Francis <alistair.francis@xilinx.com> 2From: Alistair Francis <alistair.francis@xilinx.com>
3Date: Thu, 21 Dec 2017 11:35:16 -0800 3Date: Thu, 21 Dec 2017 11:35:16 -0800
4Subject: [PATCH] chardev: connect socket to a spawned command 4Subject: [PATCH] chardev: connect socket to a spawned command
@@ -46,17 +46,17 @@ Upstream-Status: Inappropriate [embedded specific]
46Signed-off-by: Patrick Ohly <patrick.ohly@intel.com> 46Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
47 47
48--- 48---
49 chardev/char-socket.c | 102 ++++++++++++++++++++++++++++++++++++++++++ 49 chardev/char-socket.c | 101 ++++++++++++++++++++++++++++++++++++++++++
50 chardev/char.c | 3 ++ 50 chardev/char.c | 3 ++
51 qapi/char.json | 5 +++ 51 qapi/char.json | 5 +++
52 3 files changed, 110 insertions(+) 52 3 files changed, 109 insertions(+)
53 53
54diff --git a/chardev/char-socket.c b/chardev/char-socket.c 54diff --git a/chardev/char-socket.c b/chardev/char-socket.c
55index eaa8e8b6..959ed183 100644 55index 3916505d..a8e9dce8 100644
56--- a/chardev/char-socket.c 56--- a/chardev/char-socket.c
57+++ b/chardev/char-socket.c 57+++ b/chardev/char-socket.c
58@@ -987,6 +987,68 @@ static gboolean socket_reconnect_timeout(gpointer opaque) 58@@ -1273,6 +1273,67 @@ static bool qmp_chardev_validate_socket(ChardevSocket *sock,
59 return false; 59 return true;
60 } 60 }
61 61
62+#ifndef _WIN32 62+#ifndef _WIN32
@@ -120,11 +120,10 @@ index eaa8e8b6..959ed183 100644
120+ } 120+ }
121+} 121+}
122+#endif 122+#endif
123+ 123
124 static void qmp_chardev_open_socket(Chardev *chr, 124 static void qmp_chardev_open_socket(Chardev *chr,
125 ChardevBackend *backend, 125 ChardevBackend *backend,
126 bool *be_opened, 126@@ -1281,6 +1342,9 @@ static void qmp_chardev_open_socket(Chardev *chr,
127@@ -994,6 +1056,9 @@ static void qmp_chardev_open_socket(Chardev *chr,
128 { 127 {
129 SocketChardev *s = SOCKET_CHARDEV(chr); 128 SocketChardev *s = SOCKET_CHARDEV(chr);
130 ChardevSocket *sock = backend->u.socket.data; 129 ChardevSocket *sock = backend->u.socket.data;
@@ -134,9 +133,9 @@ index eaa8e8b6..959ed183 100644
134 bool do_nodelay = sock->has_nodelay ? sock->nodelay : false; 133 bool do_nodelay = sock->has_nodelay ? sock->nodelay : false;
135 bool is_listen = sock->has_server ? sock->server : true; 134 bool is_listen = sock->has_server ? sock->server : true;
136 bool is_telnet = sock->has_telnet ? sock->telnet : false; 135 bool is_telnet = sock->has_telnet ? sock->telnet : false;
137@@ -1072,6 +1137,14 @@ static void qmp_chardev_open_socket(Chardev *chr, 136@@ -1346,6 +1410,14 @@ static void qmp_chardev_open_socket(Chardev *chr,
138 s->reconnect_time = reconnect; 137
139 } 138 update_disconnected_filename(s);
140 139
141+#ifndef _WIN32 140+#ifndef _WIN32
142+ if (cmd) { 141+ if (cmd) {
@@ -146,13 +145,13 @@ index eaa8e8b6..959ed183 100644
146+ *be_opened = true; 145+ *be_opened = true;
147+ } else 146+ } else
148+#endif 147+#endif
149 if (s->reconnect_time) { 148 if (s->is_listen) {
150 tcp_chr_connect_async(chr); 149 if (qmp_chardev_open_socket_server(chr, is_telnet || is_tn3270,
151 } else { 150 is_waitconnect, errp) < 0) {
152@@ -1131,9 +1204,26 @@ static void qemu_chr_parse_socket(QemuOpts *opts, ChardevBackend *backend, 151@@ -1365,9 +1437,26 @@ static void qemu_chr_parse_socket(QemuOpts *opts, ChardevBackend *backend,
152 const char *host = qemu_opt_get(opts, "host");
153 const char *port = qemu_opt_get(opts, "port"); 153 const char *port = qemu_opt_get(opts, "port");
154 const char *fd = qemu_opt_get(opts, "fd"); 154 const char *fd = qemu_opt_get(opts, "fd");
155 const char *tls_creds = qemu_opt_get(opts, "tls-creds");
156+#ifndef _WIN32 155+#ifndef _WIN32
157+ const char *cmd = qemu_opt_get(opts, "cmd"); 156+ const char *cmd = qemu_opt_get(opts, "cmd");
158+#endif 157+#endif
@@ -166,7 +165,7 @@ index eaa8e8b6..959ed183 100644
166+ * spawning a command, otherwise unmodified code that doesn't know about 165+ * spawning a command, otherwise unmodified code that doesn't know about
167+ * command spawning (like socket_reconnect_timeout()) might get called. 166+ * command spawning (like socket_reconnect_timeout()) might get called.
168+ */ 167+ */
169+ if (path || is_listen || is_telnet || is_tn3270 || reconnect || host || port || tls_creds) { 168+ if (path || sock->server || sock->has_telnet || sock->has_tn3270 || sock->reconnect || host || port || sock->tls_creds) {
170+ error_setg(errp, "chardev: socket: cmd does not support any additional options"); 169+ error_setg(errp, "chardev: socket: cmd does not support any additional options");
171+ return; 170+ return;
172+ } 171+ }
@@ -176,14 +175,14 @@ index eaa8e8b6..959ed183 100644
176 if ((!!path + !!fd + !!host) != 1) { 175 if ((!!path + !!fd + !!host) != 1) {
177 error_setg(errp, 176 error_setg(errp,
178 "Exactly one of 'path', 'fd' or 'host' required"); 177 "Exactly one of 'path', 'fd' or 'host' required");
179@@ -1180,12 +1270,24 @@ static void qemu_chr_parse_socket(QemuOpts *opts, ChardevBackend *backend, 178@@ -1410,12 +1499,24 @@ static void qemu_chr_parse_socket(QemuOpts *opts, ChardevBackend *backend,
180 sock->reconnect = reconnect; 179 sock->has_tls_authz = qemu_opt_get(opts, "tls-authz");
181 sock->tls_creds = g_strdup(tls_creds); 180 sock->tls_authz = g_strdup(qemu_opt_get(opts, "tls-authz"));
182 181
183+#ifndef _WIN32 182+#ifndef _WIN32
184+ sock->cmd = g_strdup(cmd); 183+ sock->cmd = g_strdup(cmd);
185+#endif 184+#endif
186+ 185+
187 addr = g_new0(SocketAddressLegacy, 1); 186 addr = g_new0(SocketAddressLegacy, 1);
188+#ifndef _WIN32 187+#ifndef _WIN32
189+ if (path || cmd) { 188+ if (path || cmd) {
@@ -202,10 +201,10 @@ index eaa8e8b6..959ed183 100644
202 addr->type = SOCKET_ADDRESS_LEGACY_KIND_INET; 201 addr->type = SOCKET_ADDRESS_LEGACY_KIND_INET;
203 addr->u.inet.data = g_new(InetSocketAddress, 1); 202 addr->u.inet.data = g_new(InetSocketAddress, 1);
204diff --git a/chardev/char.c b/chardev/char.c 203diff --git a/chardev/char.c b/chardev/char.c
205index 152dde53..62d5b578 100644 204index 514cd6b0..36a40d67 100644
206--- a/chardev/char.c 205--- a/chardev/char.c
207+++ b/chardev/char.c 206+++ b/chardev/char.c
208@@ -818,6 +818,9 @@ QemuOptsList qemu_chardev_opts = { 207@@ -835,6 +835,9 @@ QemuOptsList qemu_chardev_opts = {
209 },{ 208 },{
210 .name = "path", 209 .name = "path",
211 .type = QEMU_OPT_STRING, 210 .type = QEMU_OPT_STRING,
@@ -216,10 +215,10 @@ index 152dde53..62d5b578 100644
216 .name = "host", 215 .name = "host",
217 .type = QEMU_OPT_STRING, 216 .type = QEMU_OPT_STRING,
218diff --git a/qapi/char.json b/qapi/char.json 217diff --git a/qapi/char.json b/qapi/char.json
219index 79bac598..97bd161a 100644 218index a6e81ac7..517962c6 100644
220--- a/qapi/char.json 219--- a/qapi/char.json
221+++ b/qapi/char.json 220+++ b/qapi/char.json
222@@ -242,6 +242,10 @@ 221@@ -247,6 +247,10 @@
223 # 222 #
224 # @addr: socket address to listen on (server=true) 223 # @addr: socket address to listen on (server=true)
225 # or connect to (server=false) 224 # or connect to (server=false)
@@ -228,13 +227,13 @@ index 79bac598..97bd161a 100644
228+# is used by the chardev. Either an addr or a cmd can 227+# is used by the chardev. Either an addr or a cmd can
229+# be specified, but not both. 228+# be specified, but not both.
230 # @tls-creds: the ID of the TLS credentials object (since 2.6) 229 # @tls-creds: the ID of the TLS credentials object (since 2.6)
231 # @server: create server socket (default: true) 230 # @tls-authz: the ID of the QAuthZ authorization object against which
232 # @wait: wait for incoming connection on server 231 # the client's x509 distinguished name will be validated. This
233@@ -261,6 +265,7 @@ 232@@ -272,6 +276,7 @@
234 # Since: 1.4
235 ## 233 ##
236 { 'struct': 'ChardevSocket', 'data': { 'addr' : 'SocketAddressLegacy', 234 { 'struct': 'ChardevSocket',
237+ '*cmd' : 'str', 235 'data': { 'addr': 'SocketAddressLegacy',
238 '*tls-creds' : 'str', 236+ '*cmd': 'str',
239 '*server' : 'bool', 237 '*tls-creds': 'str',
240 '*wait' : 'bool', 238 '*tls-authz' : 'str',
239 '*server': 'bool',
diff --git a/meta/recipes-devtools/qemu/qemu/0009-apic-fixup-fallthrough-to-PIC.patch b/meta/recipes-devtools/qemu/qemu/0008-apic-fixup-fallthrough-to-PIC.patch
index 1d3a2b5b21..13037f33f3 100644
--- a/meta/recipes-devtools/qemu/qemu/0009-apic-fixup-fallthrough-to-PIC.patch
+++ b/meta/recipes-devtools/qemu/qemu/0008-apic-fixup-fallthrough-to-PIC.patch
@@ -1,4 +1,4 @@
1From 4829da131996548dc86775b8b97a29c436f3d130 Mon Sep 17 00:00:00 2001 1From 1b3f264e2ba18caf658fae27293c426c8366c6a3 Mon Sep 17 00:00:00 2001
2From: Mark Asselstine <mark.asselstine@windriver.com> 2From: Mark Asselstine <mark.asselstine@windriver.com>
3Date: Tue, 26 Feb 2013 11:43:28 -0500 3Date: Tue, 26 Feb 2013 11:43:28 -0500
4Subject: [PATCH] apic: fixup fallthrough to PIC 4Subject: [PATCH] apic: fixup fallthrough to PIC
@@ -30,10 +30,10 @@ Signed-off-by: He Zhe <zhe.he@windriver.com>
30 1 file changed, 1 insertion(+), 1 deletion(-) 30 1 file changed, 1 insertion(+), 1 deletion(-)
31 31
32diff --git a/hw/intc/apic.c b/hw/intc/apic.c 32diff --git a/hw/intc/apic.c b/hw/intc/apic.c
33index 97ffdd82..ef23430e 100644 33index 6ea619c3..f892811e 100644
34--- a/hw/intc/apic.c 34--- a/hw/intc/apic.c
35+++ b/hw/intc/apic.c 35+++ b/hw/intc/apic.c
36@@ -603,7 +603,7 @@ int apic_accept_pic_intr(DeviceState *dev) 36@@ -604,7 +604,7 @@ int apic_accept_pic_intr(DeviceState *dev)
37 APICCommonState *s = APIC(dev); 37 APICCommonState *s = APIC(dev);
38 uint32_t lvt0; 38 uint32_t lvt0;
39 39
diff --git a/meta/recipes-devtools/qemu/qemu/0010-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch b/meta/recipes-devtools/qemu/qemu/0009-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch
index c0d7914be0..c572ff94d0 100644
--- a/meta/recipes-devtools/qemu/qemu/0010-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch
+++ b/meta/recipes-devtools/qemu/qemu/0009-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch
@@ -1,4 +1,4 @@
1From bce25c9cda73569963615ffd31ed949cbe3a3781 Mon Sep 17 00:00:00 2001 1From a33ae91504ea4d254b5ace64a84791d3c96c9773 Mon Sep 17 00:00:00 2001
2From: Alistair Francis <alistair.francis@xilinx.com> 2From: Alistair Francis <alistair.francis@xilinx.com>
3Date: Wed, 17 Jan 2018 10:51:49 -0800 3Date: Wed, 17 Jan 2018 10:51:49 -0800
4Subject: [PATCH] linux-user: Fix webkitgtk hangs on 32-bit x86 target 4Subject: [PATCH] linux-user: Fix webkitgtk hangs on 32-bit x86 target
@@ -19,7 +19,7 @@ Signed-off-by: Alistair Francis <alistair.francis@xilinx.com>
19 1 file changed, 1 insertion(+), 1 deletion(-) 19 1 file changed, 1 insertion(+), 1 deletion(-)
20 20
21diff --git a/linux-user/main.c b/linux-user/main.c 21diff --git a/linux-user/main.c b/linux-user/main.c
22index 923cbb75..fe0b9ff4 100644 22index a0aba9cb..34c54924 100644
23--- a/linux-user/main.c 23--- a/linux-user/main.c
24+++ b/linux-user/main.c 24+++ b/linux-user/main.c
25@@ -69,7 +69,7 @@ int have_guest_base; 25@@ -69,7 +69,7 @@ int have_guest_base;
diff --git a/meta/recipes-devtools/qemu/qemu/0011-Revert-linux-user-fix-mmap-munmap-mprotect-mremap-sh.patch b/meta/recipes-devtools/qemu/qemu/0010-Revert-linux-user-fix-mmap-munmap-mprotect-mremap-sh.patch
index 066ea7865a..3418eb7c65 100644
--- a/meta/recipes-devtools/qemu/qemu/0011-Revert-linux-user-fix-mmap-munmap-mprotect-mremap-sh.patch
+++ b/meta/recipes-devtools/qemu/qemu/0010-Revert-linux-user-fix-mmap-munmap-mprotect-mremap-sh.patch
@@ -1,4 +1,4 @@
1From 496231774f8bc17ecfaf543a6603e3cad3f3f74e Mon Sep 17 00:00:00 2001 1From 2a66bd95c856de6950fbd802c5b99075207c1d76 Mon Sep 17 00:00:00 2001
2From: Martin Jansa <martin.jansa@lge.com> 2From: Martin Jansa <martin.jansa@lge.com>
3Date: Fri, 1 Jun 2018 08:41:07 +0000 3Date: Fri, 1 Jun 2018 08:41:07 +0000
4Subject: [PATCH] Revert "linux-user: fix mmap/munmap/mprotect/mremap/shmat" 4Subject: [PATCH] Revert "linux-user: fix mmap/munmap/mprotect/mremap/shmat"
@@ -23,7 +23,7 @@ Upstream-Status: Pending
23 4 files changed, 15 insertions(+), 29 deletions(-) 23 4 files changed, 15 insertions(+), 29 deletions(-)
24 24
25diff --git a/include/exec/cpu-all.h b/include/exec/cpu-all.h 25diff --git a/include/exec/cpu-all.h b/include/exec/cpu-all.h
26index 117d2fbb..90558c14 100644 26index b16c9ec5..612db6a0 100644
27--- a/include/exec/cpu-all.h 27--- a/include/exec/cpu-all.h
28+++ b/include/exec/cpu-all.h 28+++ b/include/exec/cpu-all.h
29@@ -163,12 +163,8 @@ extern unsigned long guest_base; 29@@ -163,12 +163,8 @@ extern unsigned long guest_base;
@@ -41,7 +41,7 @@ index 117d2fbb..90558c14 100644
41 41
42 #include "exec/hwaddr.h" 42 #include "exec/hwaddr.h"
43diff --git a/include/exec/cpu_ldst.h b/include/exec/cpu_ldst.h 43diff --git a/include/exec/cpu_ldst.h b/include/exec/cpu_ldst.h
44index 95906849..ed17b3f6 100644 44index d78041d7..845639f7 100644
45--- a/include/exec/cpu_ldst.h 45--- a/include/exec/cpu_ldst.h
46+++ b/include/exec/cpu_ldst.h 46+++ b/include/exec/cpu_ldst.h
47@@ -62,13 +62,15 @@ typedef uint64_t abi_ptr; 47@@ -62,13 +62,15 @@ typedef uint64_t abi_ptr;
@@ -68,7 +68,7 @@ index 95906849..ed17b3f6 100644
68 #define h2g_nocheck(x) ({ \ 68 #define h2g_nocheck(x) ({ \
69 unsigned long __ret = (unsigned long)(x) - guest_base; \ 69 unsigned long __ret = (unsigned long)(x) - guest_base; \
70diff --git a/linux-user/mmap.c b/linux-user/mmap.c 70diff --git a/linux-user/mmap.c b/linux-user/mmap.c
71index 41e0983c..d0ee1c53 100644 71index e0249efe..cfe34b35 100644
72--- a/linux-user/mmap.c 72--- a/linux-user/mmap.c
73+++ b/linux-user/mmap.c 73+++ b/linux-user/mmap.c
74@@ -79,7 +79,7 @@ int target_mprotect(abi_ulong start, abi_ulong len, int prot) 74@@ -79,7 +79,7 @@ int target_mprotect(abi_ulong start, abi_ulong len, int prot)
@@ -81,9 +81,9 @@ index 41e0983c..d0ee1c53 100644
81 } 81 }
82 prot &= PROT_READ | PROT_WRITE | PROT_EXEC; 82 prot &= PROT_READ | PROT_WRITE | PROT_EXEC;
83@@ -490,8 +490,8 @@ abi_long target_mmap(abi_ulong start, abi_ulong len, int prot, 83@@ -490,8 +490,8 @@ abi_long target_mmap(abi_ulong start, abi_ulong len, int prot,
84 * It can fail only on 64-bit host with 32-bit target. 84 * It can fail only on 64-bit host with 32-bit target.
85 * On any other target/host host mmap() handles this error correctly. 85 * On any other target/host host mmap() handles this error correctly.
86 */ 86 */
87- if (!guest_range_valid(start, len)) { 87- if (!guest_range_valid(start, len)) {
88- errno = ENOMEM; 88- errno = ENOMEM;
89+ if ((unsigned long)start + len - 1 > (abi_ulong) -1) { 89+ if ((unsigned long)start + len - 1 > (abi_ulong) -1) {
@@ -118,10 +118,10 @@ index 41e0983c..d0ee1c53 100644
118 118
119 if (flags & MREMAP_FIXED) { 119 if (flags & MREMAP_FIXED) {
120diff --git a/linux-user/syscall.c b/linux-user/syscall.c 120diff --git a/linux-user/syscall.c b/linux-user/syscall.c
121index 280137da..efdd0006 100644 121index 96cd4bf8..e6754772 100644
122--- a/linux-user/syscall.c 122--- a/linux-user/syscall.c
123+++ b/linux-user/syscall.c 123+++ b/linux-user/syscall.c
124@@ -3818,9 +3818,6 @@ static inline abi_ulong do_shmat(CPUArchState *cpu_env, 124@@ -3860,9 +3860,6 @@ static inline abi_ulong do_shmat(CPUArchState *cpu_env,
125 return -TARGET_EINVAL; 125 return -TARGET_EINVAL;
126 } 126 }
127 } 127 }
@@ -131,7 +131,7 @@ index 280137da..efdd0006 100644
131 131
132 mmap_lock(); 132 mmap_lock();
133 133
134@@ -6582,7 +6579,7 @@ static int open_self_maps(void *cpu_env, int fd) 134@@ -6633,7 +6630,7 @@ static int open_self_maps(void *cpu_env, int fd)
135 } 135 }
136 if (h2g_valid(min)) { 136 if (h2g_valid(min)) {
137 int flags = page_get_flags(h2g(min)); 137 int flags = page_get_flags(h2g(min));
diff --git a/meta/recipes-devtools/qemu/qemu/0012-fix-libcap-header-issue-on-some-distro.patch b/meta/recipes-devtools/qemu/qemu/0011-fix-libcap-header-issue-on-some-distro.patch
index 9cbe838811..3a7d7bbd33 100644
--- a/meta/recipes-devtools/qemu/qemu/0012-fix-libcap-header-issue-on-some-distro.patch
+++ b/meta/recipes-devtools/qemu/qemu/0011-fix-libcap-header-issue-on-some-distro.patch
@@ -1,4 +1,4 @@
1From d3e0b8dac7c2eb20d7fcff747bc98b981f4398ef Mon Sep 17 00:00:00 2001 1From 9125afb733d8c96416bb83c5adad39bb8d0803a1 Mon Sep 17 00:00:00 2001
2From: Hongxu Jia <hongxu.jia@windriver.com> 2From: Hongxu Jia <hongxu.jia@windriver.com>
3Date: Tue, 12 Mar 2013 09:54:06 +0800 3Date: Tue, 12 Mar 2013 09:54:06 +0800
4Subject: [PATCH] fix libcap header issue on some distro 4Subject: [PATCH] fix libcap header issue on some distro
diff --git a/meta/recipes-devtools/qemu/qemu/0013-cpus.c-Add-error-messages-when-qemi_cpu_kick_thread-.patch b/meta/recipes-devtools/qemu/qemu/0012-cpus.c-Add-error-messages-when-qemi_cpu_kick_thread-.patch
index 27e508c5a3..04664195d1 100644
--- a/meta/recipes-devtools/qemu/qemu/0013-cpus.c-Add-error-messages-when-qemi_cpu_kick_thread-.patch
+++ b/meta/recipes-devtools/qemu/qemu/0012-cpus.c-Add-error-messages-when-qemi_cpu_kick_thread-.patch
@@ -1,4 +1,4 @@
1From 861c522df7791d7e93743d5641f3ef2a5a3c4632 Mon Sep 17 00:00:00 2001 1From 0a53e906510cce1f32bc04a11e81ea40f834dac4 Mon Sep 17 00:00:00 2001
2From: =?UTF-8?q?An=C3=ADbal=20Lim=C3=B3n?= <anibal.limon@linux.intel.com> 2From: =?UTF-8?q?An=C3=ADbal=20Lim=C3=B3n?= <anibal.limon@linux.intel.com>
3Date: Wed, 12 Aug 2015 15:11:30 -0500 3Date: Wed, 12 Aug 2015 15:11:30 -0500
4Subject: [PATCH] cpus.c: Add error messages when qemi_cpu_kick_thread fails. 4Subject: [PATCH] cpus.c: Add error messages when qemi_cpu_kick_thread fails.
@@ -20,10 +20,10 @@ Signed-off-by: Aníbal Limón <anibal.limon@linux.intel.com>
20 create mode 100644 custom_debug.h 20 create mode 100644 custom_debug.h
21 21
22diff --git a/cpus.c b/cpus.c 22diff --git a/cpus.c b/cpus.c
23index 0ddeeefc..4f3a5624 100644 23index e83f72b4..e6e2576e 100644
24--- a/cpus.c 24--- a/cpus.c
25+++ b/cpus.c 25+++ b/cpus.c
26@@ -1768,6 +1768,8 @@ static void *qemu_tcg_cpu_thread_fn(void *arg) 26@@ -1769,6 +1769,8 @@ static void *qemu_tcg_cpu_thread_fn(void *arg)
27 return NULL; 27 return NULL;
28 } 28 }
29 29
@@ -32,9 +32,9 @@ index 0ddeeefc..4f3a5624 100644
32 static void qemu_cpu_kick_thread(CPUState *cpu) 32 static void qemu_cpu_kick_thread(CPUState *cpu)
33 { 33 {
34 #ifndef _WIN32 34 #ifndef _WIN32
35@@ -1780,6 +1782,9 @@ static void qemu_cpu_kick_thread(CPUState *cpu) 35@@ -1781,6 +1783,9 @@ static void qemu_cpu_kick_thread(CPUState *cpu)
36 err = pthread_kill(cpu->thread->thread, SIG_IPI); 36 err = pthread_kill(cpu->thread->thread, SIG_IPI);
37 if (err) { 37 if (err && err != ESRCH) {
38 fprintf(stderr, "qemu:%s: %s", __func__, strerror(err)); 38 fprintf(stderr, "qemu:%s: %s", __func__, strerror(err));
39+ fprintf(stderr, "CPU #%d:\n", cpu->cpu_index); 39+ fprintf(stderr, "CPU #%d:\n", cpu->cpu_index);
40+ cpu_dump_state(cpu, stderr, fprintf, 0); 40+ cpu_dump_state(cpu, stderr, fprintf, 0);
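--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0013-Revert-target-arm-Use-vector-operations-for-saturati.patch
@@ -0,0 +1,493 @@
+From b46cdcdeb762c1f0eef68dc4a7d90f8176152e07 Mon Sep 17 00:00:00 2001
+From: Alistair Francis <alistair.francis@wdc.com>
+Date: Wed, 1 May 2019 19:51:27 -0700
+Subject: [PATCH] Revert "target/arm: Use vector operations for saturation"
+
+This reverts commit 89e68b575e138d0af1435f11a8ffcd8779c237bd.
+
+This fixes QEMU aborts when running the qemuarm machine.
+
+Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
+Upstream-status: Pending
+---
+ target/arm/helper.h | 33 -------
+ target/arm/translate-a64.c | 36 ++++----
+ target/arm/translate.c | 172 ++++++-------------------------------
+ target/arm/translate.h | 4 -
+ target/arm/vec_helper.c | 130 ----------------------------
+ 5 files changed, 44 insertions(+), 331 deletions(-)
+
+diff --git a/target/arm/helper.h b/target/arm/helper.h
+index 50cb036378..b2669f140f 100644
+--- a/target/arm/helper.h
++++ b/target/arm/helper.h
+@@ -646,39 +646,6 @@ DEF_HELPER_FLAGS_6(gvec_fmla_idx_s, TCG_CALL_NO_RWG,
+ DEF_HELPER_FLAGS_6(gvec_fmla_idx_d, TCG_CALL_NO_RWG,
+ void, ptr, ptr, ptr, ptr, ptr, i32)
+
+-DEF_HELPER_FLAGS_5(gvec_uqadd_b, TCG_CALL_NO_RWG,
+- void, ptr, ptr, ptr, ptr, i32)
+-DEF_HELPER_FLAGS_5(gvec_uqadd_h, TCG_CALL_NO_RWG,
+- void, ptr, ptr, ptr, ptr, i32)
+-DEF_HELPER_FLAGS_5(gvec_uqadd_s, TCG_CALL_NO_RWG,
+- void, ptr, ptr, ptr, ptr, i32)
+-DEF_HELPER_FLAGS_5(gvec_uqadd_d, TCG_CALL_NO_RWG,
+- void, ptr, ptr, ptr, ptr, i32)
+-DEF_HELPER_FLAGS_5(gvec_sqadd_b, TCG_CALL_NO_RWG,
+- void, ptr, ptr, ptr, ptr, i32)
+-DEF_HELPER_FLAGS_5(gvec_sqadd_h, TCG_CALL_NO_RWG,
+- void, ptr, ptr, ptr, ptr, i32)
+-DEF_HELPER_FLAGS_5(gvec_sqadd_s, TCG_CALL_NO_RWG,
+- void, ptr, ptr, ptr, ptr, i32)
+-DEF_HELPER_FLAGS_5(gvec_sqadd_d, TCG_CALL_NO_RWG,
+- void, ptr, ptr, ptr, ptr, i32)
+-DEF_HELPER_FLAGS_5(gvec_uqsub_b, TCG_CALL_NO_RWG,
+- void, ptr, ptr, ptr, ptr, i32)
+-DEF_HELPER_FLAGS_5(gvec_uqsub_h, TCG_CALL_NO_RWG,
+- void, ptr, ptr, ptr, ptr, i32)
+-DEF_HELPER_FLAGS_5(gvec_uqsub_s, TCG_CALL_NO_RWG,
+- void, ptr, ptr, ptr, ptr, i32)
+-DEF_HELPER_FLAGS_5(gvec_uqsub_d, TCG_CALL_NO_RWG,
+- void, ptr, ptr, ptr, ptr, i32)
+-DEF_HELPER_FLAGS_5(gvec_sqsub_b, TCG_CALL_NO_RWG,
+- void, ptr, ptr, ptr, ptr, i32)
+-DEF_HELPER_FLAGS_5(gvec_sqsub_h, TCG_CALL_NO_RWG,
+- void, ptr, ptr, ptr, ptr, i32)
+-DEF_HELPER_FLAGS_5(gvec_sqsub_s, TCG_CALL_NO_RWG,
+- void, ptr, ptr, ptr, ptr, i32)
+-DEF_HELPER_FLAGS_5(gvec_sqsub_d, TCG_CALL_NO_RWG,
+- void, ptr, ptr, ptr, ptr, i32)
+-
+ DEF_HELPER_FLAGS_5(gvec_fmlal_a32, TCG_CALL_NO_RWG,
+ void, ptr, ptr, ptr, ptr, i32)
+ DEF_HELPER_FLAGS_5(gvec_fmlal_a64, TCG_CALL_NO_RWG,
+diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
+index 9dcc5ff3a3..428211f92f 100644
+--- a/target/arm/translate-a64.c
++++ b/target/arm/translate-a64.c
+@@ -11230,22 +11230,6 @@ static void disas_simd_3same_int(DisasContext *s, uint32_t insn)
+ }
+
+ switch (opcode) {
+- case 0x01: /* SQADD, UQADD */
+- tcg_gen_gvec_4(vec_full_reg_offset(s, rd),
+- offsetof(CPUARMState, vfp.qc),
+- vec_full_reg_offset(s, rn),
+- vec_full_reg_offset(s, rm),
+- is_q ? 16 : 8, vec_full_reg_size(s),
+- (u ? uqadd_op : sqadd_op) + size);
+- return;
+- case 0x05: /* SQSUB, UQSUB */
+- tcg_gen_gvec_4(vec_full_reg_offset(s, rd),
+- offsetof(CPUARMState, vfp.qc),
+- vec_full_reg_offset(s, rn),
+- vec_full_reg_offset(s, rm),
+- is_q ? 16 : 8, vec_full_reg_size(s),
+- (u ? uqsub_op : sqsub_op) + size);
+- return;
+ case 0x0c: /* SMAX, UMAX */
+ if (u) {
+ gen_gvec_fn3(s, is_q, rd, rn, rm, tcg_gen_gvec_umax, size);
+@@ -11341,6 +11325,16 @@ static void disas_simd_3same_int(DisasContext *s, uint32_t insn)
+ genfn = fns[size][u];
+ break;
+ }
++ case 0x1: /* SQADD, UQADD */
++ {
++ static NeonGenTwoOpEnvFn * const fns[3][2] = {
++ { gen_helper_neon_qadd_s8, gen_helper_neon_qadd_u8 },
++ { gen_helper_neon_qadd_s16, gen_helper_neon_qadd_u16 },
++ { gen_helper_neon_qadd_s32, gen_helper_neon_qadd_u32 },
++ };
++ genenvfn = fns[size][u];
++ break;
++ }
+ case 0x2: /* SRHADD, URHADD */
+ {
+ static NeonGenTwoOpFn * const fns[3][2] = {
+@@ -11361,6 +11355,16 @@ static void disas_simd_3same_int(DisasContext *s, uint32_t insn)
+ genfn = fns[size][u];
+ break;
+ }
++ case 0x5: /* SQSUB, UQSUB */
++ {
++ static NeonGenTwoOpEnvFn * const fns[3][2] = {
++ { gen_helper_neon_qsub_s8, gen_helper_neon_qsub_u8 },
++ { gen_helper_neon_qsub_s16, gen_helper_neon_qsub_u16 },
++ { gen_helper_neon_qsub_s32, gen_helper_neon_qsub_u32 },
++ };
++ genenvfn = fns[size][u];
++ break;
++ }
+ case 0x8: /* SSHL, USHL */
+ {
+ static NeonGenTwoOpFn * const fns[3][2] = {
+diff --git a/target/arm/translate.c b/target/arm/translate.c
+index 10bc53f91c..cf675cef3f 100644
+--- a/target/arm/translate.c
++++ b/target/arm/translate.c
+@@ -6242,142 +6242,6 @@ const GVecGen3 cmtst_op[4] = {
+ .vece = MO_64 },
+ };
+
+-static void gen_uqadd_vec(unsigned vece, TCGv_vec t, TCGv_vec sat,
+- TCGv_vec a, TCGv_vec b)
+-{
+- TCGv_vec x = tcg_temp_new_vec_matching(t);
+- tcg_gen_add_vec(vece, x, a, b);
+- tcg_gen_usadd_vec(vece, t, a, b);
+- tcg_gen_cmp_vec(TCG_COND_NE, vece, x, x, t);
+- tcg_gen_or_vec(vece, sat, sat, x);
+- tcg_temp_free_vec(x);
+-}
+-
+-const GVecGen4 uqadd_op[4] = {
+- { .fniv = gen_uqadd_vec,
+- .fno = gen_helper_gvec_uqadd_b,
+- .opc = INDEX_op_usadd_vec,
+- .write_aofs = true,
+- .vece = MO_8 },
+- { .fniv = gen_uqadd_vec,
+- .fno = gen_helper_gvec_uqadd_h,
+- .opc = INDEX_op_usadd_vec,
+- .write_aofs = true,
+- .vece = MO_16 },
+- { .fniv = gen_uqadd_vec,
+- .fno = gen_helper_gvec_uqadd_s,
+- .opc = INDEX_op_usadd_vec,
+- .write_aofs = true,
+- .vece = MO_32 },
+- { .fniv = gen_uqadd_vec,
+- .fno = gen_helper_gvec_uqadd_d,
+- .opc = INDEX_op_usadd_vec,
+- .write_aofs = true,
+- .vece = MO_64 },
+-};
+-
+-static void gen_sqadd_vec(unsigned vece, TCGv_vec t, TCGv_vec sat,
+- TCGv_vec a, TCGv_vec b)
+-{
+- TCGv_vec x = tcg_temp_new_vec_matching(t);
+- tcg_gen_add_vec(vece, x, a, b);
+- tcg_gen_ssadd_vec(vece, t, a, b);
+- tcg_gen_cmp_vec(TCG_COND_NE, vece, x, x, t);
+- tcg_gen_or_vec(vece, sat, sat, x);
+- tcg_temp_free_vec(x);
+-}
+-
+-const GVecGen4 sqadd_op[4] = {
+- { .fniv = gen_sqadd_vec,
+- .fno = gen_helper_gvec_sqadd_b,
+- .opc = INDEX_op_ssadd_vec,
+- .write_aofs = true,
+- .vece = MO_8 },
+- { .fniv = gen_sqadd_vec,
+- .fno = gen_helper_gvec_sqadd_h,
+- .opc = INDEX_op_ssadd_vec,
+- .write_aofs = true,
+- .vece = MO_16 },
+- { .fniv = gen_sqadd_vec,
+- .fno = gen_helper_gvec_sqadd_s,
+- .opc = INDEX_op_ssadd_vec,
+- .write_aofs = true,
+- .vece = MO_32 },
+- { .fniv = gen_sqadd_vec,
+- .fno = gen_helper_gvec_sqadd_d,
+- .opc = INDEX_op_ssadd_vec,
+- .write_aofs = true,
+- .vece = MO_64 },
+-};
+-
+-static void gen_uqsub_vec(unsigned vece, TCGv_vec t, TCGv_vec sat,
+- TCGv_vec a, TCGv_vec b)
+-{
+- TCGv_vec x = tcg_temp_new_vec_matching(t);
+- tcg_gen_sub_vec(vece, x, a, b);
+- tcg_gen_ussub_vec(vece, t, a, b);
+- tcg_gen_cmp_vec(TCG_COND_NE, vece, x, x, t);
+- tcg_gen_or_vec(vece, sat, sat, x);
+- tcg_temp_free_vec(x);
+-}
+-
+-const GVecGen4 uqsub_op[4] = {
+- { .fniv = gen_uqsub_vec,
+- .fno = gen_helper_gvec_uqsub_b,
+- .opc = INDEX_op_ussub_vec,
+- .write_aofs = true,
+- .vece = MO_8 },
+- { .fniv = gen_uqsub_vec,
+- .fno = gen_helper_gvec_uqsub_h,
+- .opc = INDEX_op_ussub_vec,
+- .write_aofs = true,
+- .vece = MO_16 },
+- { .fniv = gen_uqsub_vec,
+- .fno = gen_helper_gvec_uqsub_s,
+- .opc = INDEX_op_ussub_vec,
+- .write_aofs = true,
+- .vece = MO_32 },
+- { .fniv = gen_uqsub_vec,
+- .fno = gen_helper_gvec_uqsub_d,
+- .opc = INDEX_op_ussub_vec,
+- .write_aofs = true,
+- .vece = MO_64 },
+-};
+-
+-static void gen_sqsub_vec(unsigned vece, TCGv_vec t, TCGv_vec sat,
+- TCGv_vec a, TCGv_vec b)
+-{
+- TCGv_vec x = tcg_temp_new_vec_matching(t);
+- tcg_gen_sub_vec(vece, x, a, b);
+- tcg_gen_sssub_vec(vece, t, a, b);
+- tcg_gen_cmp_vec(TCG_COND_NE, vece, x, x, t);
+- tcg_gen_or_vec(vece, sat, sat, x);
+- tcg_temp_free_vec(x);
+-}
+-
+-const GVecGen4 sqsub_op[4] = {
+- { .fniv = gen_sqsub_vec,
+- .fno = gen_helper_gvec_sqsub_b,
+- .opc = INDEX_op_sssub_vec,
+- .write_aofs = true,
+- .vece = MO_8 },
+- { .fniv = gen_sqsub_vec,
+- .fno = gen_helper_gvec_sqsub_h,
+- .opc = INDEX_op_sssub_vec,
+- .write_aofs = true,
+- .vece = MO_16 },
+- { .fniv = gen_sqsub_vec,
+- .fno = gen_helper_gvec_sqsub_s,
+- .opc = INDEX_op_sssub_vec,
+- .write_aofs = true,
+- .vece = MO_32 },
+- { .fniv = gen_sqsub_vec,
+- .fno = gen_helper_gvec_sqsub_d,
+- .opc = INDEX_op_sssub_vec,
+- .write_aofs = true,
+- .vece = MO_64 },
+-};
+-
+ /* Translate a NEON data processing instruction. Return nonzero if the
+ instruction is invalid.
+ We process data in a mixture of 32-bit and 64-bit chunks.
+@@ -6561,18 +6425,6 @@ static int disas_neon_data_insn(DisasContext *s, uint32_t insn)
+ }
+ return 0;
+
+- case NEON_3R_VQADD:
+- tcg_gen_gvec_4(rd_ofs, offsetof(CPUARMState, vfp.qc),
+- rn_ofs, rm_ofs, vec_size, vec_size,
+- (u ? uqadd_op : sqadd_op) + size);
+- break;
+-
+- case NEON_3R_VQSUB:
+- tcg_gen_gvec_4(rd_ofs, offsetof(CPUARMState, vfp.qc),
+- rn_ofs, rm_ofs, vec_size, vec_size,
+- (u ? uqsub_op : sqsub_op) + size);
+- break;
+-
+ case NEON_3R_VMUL: /* VMUL */
+ if (u) {
+ /* Polynomial case allows only P8 and is handled below. */
+@@ -6637,6 +6489,24 @@ static int disas_neon_data_insn(DisasContext *s, uint32_t insn)
+ neon_load_reg64(cpu_V0, rn + pass);
+ neon_load_reg64(cpu_V1, rm + pass);
+ switch (op) {
++ case NEON_3R_VQADD:
++ if (u) {
++ gen_helper_neon_qadd_u64(cpu_V0, cpu_env,
++ cpu_V0, cpu_V1);
++ } else {
++ gen_helper_neon_qadd_s64(cpu_V0, cpu_env,
++ cpu_V0, cpu_V1);
++ }
++ break;
++ case NEON_3R_VQSUB:
++ if (u) {
++ gen_helper_neon_qsub_u64(cpu_V0, cpu_env,
++ cpu_V0, cpu_V1);
++ } else {
++ gen_helper_neon_qsub_s64(cpu_V0, cpu_env,
++ cpu_V0, cpu_V1);
++ }
++ break;
+ case NEON_3R_VSHL:
+ if (u) {
+ gen_helper_neon_shl_u64(cpu_V0, cpu_V1, cpu_V0);
+@@ -6752,12 +6622,18 @@ static int disas_neon_data_insn(DisasContext *s, uint32_t insn)
+ case NEON_3R_VHADD:
+ GEN_NEON_INTEGER_OP(hadd);
+ break;
++ case NEON_3R_VQADD:
++ GEN_NEON_INTEGER_OP_ENV(qadd);
++ break;
+ case NEON_3R_VRHADD:
+ GEN_NEON_INTEGER_OP(rhadd);
+ break;
+ case NEON_3R_VHSUB:
+ GEN_NEON_INTEGER_OP(hsub);
+ break;
++ case NEON_3R_VQSUB:
++ GEN_NEON_INTEGER_OP_ENV(qsub);
++ break;
+ case NEON_3R_VSHL:
+ GEN_NEON_INTEGER_OP(shl);
+ break;
+diff --git a/target/arm/translate.h b/target/arm/translate.h
+index c2348def0d..07055c9449 100644
+--- a/target/arm/translate.h
++++ b/target/arm/translate.h
+@@ -248,10 +248,6 @@ extern const GVecGen2i ssra_op[4];
+ extern const GVecGen2i usra_op[4];
+ extern const GVecGen2i sri_op[4];
+ extern const GVecGen2i sli_op[4];
+-extern const GVecGen4 uqadd_op[4];
+-extern const GVecGen4 sqadd_op[4];
+-extern const GVecGen4 uqsub_op[4];
+-extern const GVecGen4 sqsub_op[4];
+ void gen_cmtst_i64(TCGv_i64 d, TCGv_i64 a, TCGv_i64 b);
+
+ /*
+diff --git a/target/arm/vec_helper.c b/target/arm/vec_helper.c
+index dedef62403..be3271659f 100644
+--- a/target/arm/vec_helper.c
++++ b/target/arm/vec_helper.c
+@@ -769,136 +769,6 @@ DO_FMLA_IDX(gvec_fmla_idx_d, float64, )
+
+ #undef DO_FMLA_IDX
+
+-#define DO_SAT(NAME, WTYPE, TYPEN, TYPEM, OP, MIN, MAX) \
+-void HELPER(NAME)(void *vd, void *vq, void *vn, void *vm, uint32_t desc) \
+-{ \
+- intptr_t i, oprsz = simd_oprsz(desc); \
+- TYPEN *d = vd, *n = vn; TYPEM *m = vm; \
+- bool q = false; \
+- for (i = 0; i < oprsz / sizeof(TYPEN); i++) { \
+- WTYPE dd = (WTYPE)n[i] OP m[i]; \
+- if (dd < MIN) { \
+- dd = MIN; \
+- q = true; \
+- } else if (dd > MAX) { \
+- dd = MAX; \
+- q = true; \
+- } \
+- d[i] = dd; \
+- } \
+- if (q) { \
+- uint32_t *qc = vq; \
+- qc[0] = 1; \
+- } \
+- clear_tail(d, oprsz, simd_maxsz(desc)); \
+-}
+-
+-DO_SAT(gvec_uqadd_b, int, uint8_t, uint8_t, +, 0, UINT8_MAX)
+-DO_SAT(gvec_uqadd_h, int, uint16_t, uint16_t, +, 0, UINT16_MAX)
+-DO_SAT(gvec_uqadd_s, int64_t, uint32_t, uint32_t, +, 0, UINT32_MAX)
+-
+-DO_SAT(gvec_sqadd_b, int, int8_t, int8_t, +, INT8_MIN, INT8_MAX)
+-DO_SAT(gvec_sqadd_h, int, int16_t, int16_t, +, INT16_MIN, INT16_MAX)
+-DO_SAT(gvec_sqadd_s, int64_t, int32_t, int32_t, +, INT32_MIN, INT32_MAX)
+-
+-DO_SAT(gvec_uqsub_b, int, uint8_t, uint8_t, -, 0, UINT8_MAX)
+-DO_SAT(gvec_uqsub_h, int, uint16_t, uint16_t, -, 0, UINT16_MAX)
+-DO_SAT(gvec_uqsub_s, int64_t, uint32_t, uint32_t, -, 0, UINT32_MAX)
+-
+-DO_SAT(gvec_sqsub_b, int, int8_t, int8_t, -, INT8_MIN, INT8_MAX)
+-DO_SAT(gvec_sqsub_h, int, int16_t, int16_t, -, INT16_MIN, INT16_MAX)
+-DO_SAT(gvec_sqsub_s, int64_t, int32_t, int32_t, -, INT32_MIN, INT32_MAX)
+-
+-#undef DO_SAT
+-
+-void HELPER(gvec_uqadd_d)(void *vd, void *vq, void *vn,
+- void *vm, uint32_t desc)
+-{
+- intptr_t i, oprsz = simd_oprsz(desc);
+- uint64_t *d = vd, *n = vn, *m = vm;
+- bool q = false;
+-
+- for (i = 0; i < oprsz / 8; i++) {
+- uint64_t nn = n[i], mm = m[i], dd = nn + mm;
+- if (dd < nn) {
+- dd = UINT64_MAX;
+- q = true;
+- }
+- d[i] = dd;
+- }
+- if (q) {
+- uint32_t *qc = vq;
+- qc[0] = 1;
+- }
+- clear_tail(d, oprsz, simd_maxsz(desc));
+-}
+-
+-void HELPER(gvec_uqsub_d)(void *vd, void *vq, void *vn,
+- void *vm, uint32_t desc)
+-{
+- intptr_t i, oprsz = simd_oprsz(desc);
+- uint64_t *d = vd, *n = vn, *m = vm;
+- bool q = false;
+-
+- for (i = 0; i < oprsz / 8; i++) {
+- uint64_t nn = n[i], mm = m[i], dd = nn - mm;
+- if (nn < mm) {
+- dd = 0;
+- q = true;
+- }
+- d[i] = dd;
+- }
+- if (q) {
+- uint32_t *qc = vq;
+- qc[0] = 1;
+- }
+- clear_tail(d, oprsz, simd_maxsz(desc));
+-}
+-
+-void HELPER(gvec_sqadd_d)(void *vd, void *vq, void *vn,
+- void *vm, uint32_t desc)
+-{
+- intptr_t i, oprsz = simd_oprsz(desc);
+- int64_t *d = vd, *n = vn, *m = vm;
+- bool q = false;
+-
+- for (i = 0; i < oprsz / 8; i++) {
+- int64_t nn = n[i], mm = m[i], dd = nn + mm;
+- if (((dd ^ nn) & ~(nn ^ mm)) & INT64_MIN) {
+- dd = (nn >> 63) ^ ~INT64_MIN;
+- q = true;
+- }
+- d[i] = dd;
+- }
+- if (q) {
+- uint32_t *qc = vq;
+- qc[0] = 1;
+- }
+- clear_tail(d, oprsz, simd_maxsz(desc));
+-}
+-
+-void HELPER(gvec_sqsub_d)(void *vd, void *vq, void *vn,
+- void *vm, uint32_t desc)
+-{
+- intptr_t i, oprsz = simd_oprsz(desc);
+- int64_t *d = vd, *n = vn, *m = vm;
+- bool q = false;
+-
+- for (i = 0; i < oprsz / 8; i++) {
+- int64_t nn = n[i], mm = m[i], dd = nn - mm;
+- if (((dd ^ nn) & (nn ^ mm)) & INT64_MIN) {
+- dd = (nn >> 63) ^ ~INT64_MIN;
+- q = true;
+- }
+- d[i] = dd;
+- }
+- if (q) {
+- uint32_t *qc = vq;
+- qc[0] = 1;
+- }
+- clear_tail(d, oprsz, simd_maxsz(desc));
+-}
+-
+ /*
+ * Convert float16 to float32, raising no exceptions and
+ * preserving exceptional values, including SNaN.
+--
+2.21.0
+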
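Review bot: The header of this new patch file spells its status tag `Upstream-status: Pending` (line 11 of the file), while the neighbouring mmap revert patch in the same directory uses `Upstream-Status: Pending`. A checker that matches the tag case-sensitively may treat this patch as untagged, so I would write it as `Upstream-Status: Pending`. The message also justifies a revert of 331 deleted lines only with "This fixes QEMU aborts when running the qemuarm machine". Adding the abort message or a link to an upstream report to the header would tell the next maintainer when this revert can be dropped, instead of carrying it across further QEMU upgrades.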
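--- a/meta/recipes-devtools/qemu/qemu/0014-fix-CVE-2018-16872.patch
+++ /dev/null
@@ -1,85 +0,0 @@
-CVE: CVE-2018-16872
-Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=bab9df35]
-
-Signed-off-by: Kai Kang <kai.kang@windriver.com>
-
-From bab9df35ce73d1c8e19a37e2737717ea1c984dc1 Mon Sep 17 00:00:00 2001
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Thu, 13 Dec 2018 13:25:11 +0100
-Subject: [PATCH] usb-mtp: use O_NOFOLLOW and O_CLOEXEC.
-
-Open files and directories with O_NOFOLLOW to avoid symlinks attacks.
-While being at it also add O_CLOEXEC.
-
-usb-mtp only handles regular files and directories and ignores
-everything else, so users should not see a difference.
-
-Because qemu ignores symlinks, carrying out a successful symlink attack
-requires swapping an existing file or directory below rootdir for a
-symlink and winning the race against the inotify notification to qemu.
-
-Fixes: CVE-2018-16872
-Cc: Prasad J Pandit <ppandit@redhat.com>
-Cc: Bandan Das <bsd@redhat.com>
-Reported-by: Michael Hanselmann <public@hansmi.ch>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Reviewed-by: Michael Hanselmann <public@hansmi.ch>
-Message-id: 20181213122511.13853-1-kraxel@redhat.com
----
- hw/usb/dev-mtp.c | 13 +++++++++----
- 1 file changed, 9 insertions(+), 4 deletions(-)
-
-diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c
-index 100b7171f4..36c43b8c20 100644
---- a/hw/usb/dev-mtp.c
-+++ b/hw/usb/dev-mtp.c
-@@ -653,13 +653,18 @@ static void usb_mtp_object_readdir(MTPState *s, MTPObject *o)
- {
- struct dirent *entry;
- DIR *dir;
-+ int fd;
-
- if (o->have_children) {
- return;
- }
- o->have_children = true;
-
-- dir = opendir(o->path);
-+ fd = open(o->path, O_DIRECTORY | O_CLOEXEC | O_NOFOLLOW);
-+ if (fd < 0) {
-+ return;
-+ }
-+ dir = fdopendir(fd);
- if (!dir) {
- return;
- }
-@@ -1007,7 +1012,7 @@ static MTPData *usb_mtp_get_object(MTPState *s, MTPControl *c,
-
- trace_usb_mtp_op_get_object(s->dev.addr, o->handle, o->path);
-
-- d->fd = open(o->path, O_RDONLY);
-+ d->fd = open(o->path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW);
- if (d->fd == -1) {
- usb_mtp_data_free(d);
- return NULL;
-@@ -1031,7 +1036,7 @@ static MTPData *usb_mtp_get_partial_object(MTPState *s, MTPControl *c,
- c->argv[1], c->argv[2]);
-
- d = usb_mtp_data_alloc(c);
-- d->fd = open(o->path, O_RDONLY);
-+ d->fd = open(o->path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW);
- if (d->fd == -1) {
- usb_mtp_data_free(d);
- return NULL;
-@@ -1658,7 +1663,7 @@ static void usb_mtp_write_data(MTPState *s)
- 0, 0, 0, 0);
- goto done;
- }
-- d->fd = open(path, O_CREAT | O_WRONLY, mask);
-+ d->fd = open(path, O_CREAT | O_WRONLY | O_CLOEXEC | O_NOFOLLOW, mask);
- if (d->fd == -1) {
- usb_mtp_queue_result(s, RES_STORE_FULL, d->trans,
- 0, 0, 0, 0);
---
-2.20.1
-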
diff --git a/meta/recipes-devtools/qemu/qemu/0015-fix-CVE-2018-20124.patch b/meta/recipes-devtools/qemu/qemu/0015-fix-CVE-2018-20124.patch
deleted file mode 100644
index 985b819409..0000000000
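--- a/meta/recipes-devtools/qemu/qemu/0015-fix-CVE-2018-20124.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-CVE: CVE-2018-20124
-Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=0e68373]
-
-Backport patch to fix CVE-2018-20124. Update context and stay with current
-function comp_handler() which has been replaced with complete_work() in latest
-git repo.
-
-Signed-off-by: Kai Kang <kai.kang@windriver.com>
-
-From 0e68373cc2b3a063ce067bc0cc3edaf370752890 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Thu, 13 Dec 2018 01:00:34 +0530
-Subject: [PATCH] rdma: check num_sge does not exceed MAX_SGE
-
-rdma back-end has scatter/gather array ibv_sge[MAX_SGE=4] set
-to have 4 elements. A guest could send a 'PvrdmaSqWqe' ring element
-with 'num_sge' set to > MAX_SGE, which may lead to OOB access issue.
-Add check to avoid it.
-
-Reported-by: Saar Amar <saaramar5@gmail.com>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
-Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
----
- hw/rdma/rdma_backend.c | 12 ++++++------
- 1 file changed, 6 insertions(+), 6 deletions(-)
-
-diff --git a/hw/rdma/rdma_backend.c b/hw/rdma/rdma_backend.c
-index d7a4bbd9..7f8028f8 100644
---- a/hw/rdma/rdma_backend.c
-+++ b/hw/rdma/rdma_backend.c
-@@ -311,9 +311,9 @@ void rdma_backend_post_send(RdmaBackendDev *backend_dev,
- }
-
- pr_dbg("num_sge=%d\n", num_sge);
-- if (!num_sge) {
-- pr_dbg("num_sge=0\n");
-- comp_handler(IBV_WC_GENERAL_ERR, VENDOR_ERR_NO_SGE, ctx);
-+ if (!num_sge || num_sge > MAX_SGE) {
-+ pr_dbg("invalid num_sge=%d\n", num_sge);
-+ comp_handler(IBV_WC_GENERAL_ERR, VENDOR_ERR_NO_SGE, ctx);
- return;
- }
-
-@@ -390,9 +390,9 @@ void rdma_backend_post_recv(RdmaBackendDev *backend_dev,
- }
-
- pr_dbg("num_sge=%d\n", num_sge);
-- if (!num_sge) {
-- pr_dbg("num_sge=0\n");
-- comp_handler(IBV_WC_GENERAL_ERR, VENDOR_ERR_NO_SGE, ctx);
-+ if (!num_sge || num_sge > MAX_SGE) {
-+ pr_dbg("invalid num_sge=%d\n", num_sge);
-+ comp_handler(IBV_WC_GENERAL_ERR, VENDOR_ERR_NO_SGE, ctx);
- return;
- }
-
---
-2.20.1
-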
diff --git a/meta/recipes-devtools/qemu/qemu/0016-fix-CVE-2018-20125.patch b/meta/recipes-devtools/qemu/qemu/0016-fix-CVE-2018-20125.patch
deleted file mode 100644
index 56559c8388..0000000000
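--- a/meta/recipes-devtools/qemu/qemu/0016-fix-CVE-2018-20125.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-CVE: CVE-2018-20125
-Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=2c858ce]
-
-Signed-off-by: Kai Kang <kai.kang@windriver.com>
-
-From 2c858ce5da8ae6689c75182b73bc455a291cad41 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Thu, 13 Dec 2018 01:00:36 +0530
-Subject: [PATCH] pvrdma: check number of pages when creating rings
-
-When creating CQ/QP rings, an object can have up to
-PVRDMA_MAX_FAST_REG_PAGES 8 pages. Check 'npages' parameter
-to avoid excessive memory allocation or a null dereference.
-
-Reported-by: Li Qiang <liq3ea@163.com>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
-Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
----
- hw/rdma/vmw/pvrdma_cmd.c | 11 +++++++++++
- 1 file changed, 11 insertions(+)
-
-diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
-index 3b94545761..f236ac4795 100644
---- a/hw/rdma/vmw/pvrdma_cmd.c
-+++ b/hw/rdma/vmw/pvrdma_cmd.c
-@@ -259,6 +259,11 @@ static int create_cq_ring(PCIDevice *pci_dev , PvrdmaRing **ring,
- int rc = -EINVAL;
- char ring_name[MAX_RING_NAME_SZ];
-
-+ if (!nchunks || nchunks > PVRDMA_MAX_FAST_REG_PAGES) {
-+ pr_dbg("invalid nchunks: %d\n", nchunks);
-+ return rc;
-+ }
-+
- pr_dbg("pdir_dma=0x%llx\n", (long long unsigned int)pdir_dma);
- dir = rdma_pci_dma_map(pci_dev, pdir_dma, TARGET_PAGE_SIZE);
- if (!dir) {
-@@ -372,6 +377,12 @@ static int create_qp_rings(PCIDevice *pci_dev, uint64_t pdir_dma,
- char ring_name[MAX_RING_NAME_SZ];
- uint32_t wqe_sz;
-
-+ if (!spages || spages > PVRDMA_MAX_FAST_REG_PAGES
-+ || !rpages || rpages > PVRDMA_MAX_FAST_REG_PAGES) {
-+ pr_dbg("invalid pages: %d, %d\n", spages, rpages);
-+ return rc;
-+ }
-+
- pr_dbg("pdir_dma=0x%llx\n", (long long unsigned int)pdir_dma);
- dir = rdma_pci_dma_map(pci_dev, pdir_dma, TARGET_PAGE_SIZE);
- if (!dir) {
---
-2.20.1
-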
diff --git a/meta/recipes-devtools/qemu/qemu/0017-fix-CVE-2018-20126.patch b/meta/recipes-devtools/qemu/qemu/0017-fix-CVE-2018-20126.patch
deleted file mode 100644
index 8329f2cfd0..0000000000
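--- a/meta/recipes-devtools/qemu/qemu/0017-fix-CVE-2018-20126.patch
+++ /dev/null
@@ -1,113 +0,0 @@
-CVE: CVE-2018-20126
-Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=509f57c]
-
-Backport and rebase patch to fix CVE-2018-20126.
-
-Signed-off-by: Kai Kang <kai.kang@windriver.com>
-
-From 509f57c98e7536905bb4902363d0cba66ce7e089 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Thu, 13 Dec 2018 01:00:37 +0530
-Subject: [PATCH] pvrdma: release ring object in case of an error
-
-create_cq and create_qp routines allocate ring object, but it's
-not released in case of an error, leading to memory leakage.
-
-Reported-by: Li Qiang <liq3ea@163.com>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
-Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
----
- hw/rdma/vmw/pvrdma_cmd.c | 41 ++++++++++++++++++++++++++++++-----------
- 1 file changed, 30 insertions(+), 11 deletions(-)
-
-diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
-index 4faeb21..9b6796f 100644
---- a/hw/rdma/vmw/pvrdma_cmd.c
-+++ b/hw/rdma/vmw/pvrdma_cmd.c
-@@ -310,6 +310,14 @@ out:
- return rc;
- }
-
-+static void destroy_cq_ring(PvrdmaRing *ring)
-+{
-+ pvrdma_ring_free(ring);
-+ /* ring_state was in slot 1, not 0 so need to jump back */
-+ rdma_pci_dma_unmap(ring->dev, --ring->ring_state, TARGET_PAGE_SIZE);
-+ g_free(ring);
-+}
-+
- static int create_cq(PVRDMADev *dev, union pvrdma_cmd_req *req,
- union pvrdma_cmd_resp *rsp)
- {
-@@ -333,6 +341,10 @@ static int create_cq(PVRDMADev *dev, union pvrdma_cmd_req *req,
-
- resp->hdr.err = rdma_rm_alloc_cq(&dev->rdma_dev_res, &dev->backend_dev,
- cmd->cqe, &resp->cq_handle, ring);
-+ if (resp->hdr.err) {
-+ destroy_cq_ring(ring);
-+ }
-+
- resp->cqe = cmd->cqe;
-
- out:
-@@ -356,10 +368,7 @@ static int destroy_cq(PVRDMADev *dev, union pvrdma_cmd_req *req,
- }
-
- ring = (PvrdmaRing *)cq->opaque;
-- pvrdma_ring_free(ring);
-- /* ring_state was in slot 1, not 0 so need to jump back */
-- rdma_pci_dma_unmap(PCI_DEVICE(dev), --ring->ring_state, TARGET_PAGE_SIZE);
-- g_free(ring);
-+ destroy_cq_ring(ring);
-
- rdma_rm_dealloc_cq(&dev->rdma_dev_res, cmd->cq_handle);
-
-@@ -451,6 +460,17 @@ out:
- return rc;
- }
-
-+static void destroy_qp_rings(PvrdmaRing *ring)
-+{
-+ pr_dbg("sring=%p\n", &ring[0]);
-+ pvrdma_ring_free(&ring[0]);
-+ pr_dbg("rring=%p\n", &ring[1]);
-+ pvrdma_ring_free(&ring[1]);
-+
-+ rdma_pci_dma_unmap(ring->dev, ring->ring_state, TARGET_PAGE_SIZE);
-+ g_free(ring);
-+}
-+
- static int create_qp(PVRDMADev *dev, union pvrdma_cmd_req *req,
- union pvrdma_cmd_resp *rsp)
- {
-@@ -482,6 +502,11 @@ static int create_qp(PVRDMADev *dev, union pvrdma_cmd_req *req,
- cmd->max_recv_wr, cmd->max_recv_sge,
- cmd->recv_cq_handle, rings, &resp->qpn);
-
-+ if (resp->hdr.err) {
-+ destroy_qp_rings(rings);
-+ return resp->hdr.err;
-+ }
-+
- resp->max_send_wr = cmd->max_send_wr;
- resp->max_recv_wr = cmd->max_recv_wr;
- resp->max_send_sge = cmd->max_send_sge;
-@@ -555,13 +580,7 @@ static int destroy_qp(PVRDMADev *dev, union pvrdma_cmd_req *req,
- rdma_rm_dealloc_qp(&dev->rdma_dev_res, cmd->qp_handle);
-
- ring = (PvrdmaRing *)qp->opaque;
-- pr_dbg("sring=%p\n", &ring[0]);
-- pvrdma_ring_free(&ring[0]);
-- pr_dbg("rring=%p\n", &ring[1]);
-- pvrdma_ring_free(&ring[1]);
--
-- rdma_pci_dma_unmap(PCI_DEVICE(dev), ring->ring_state, TARGET_PAGE_SIZE);
-- g_free(ring);
-+ destroy_qp_rings(ring);
-
- return 0;
- }
---
-2.20.1
-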
diff --git a/meta/recipes-devtools/qemu/qemu/0018-fix-CVE-2018-20191.patch b/meta/recipes-devtools/qemu/qemu/0018-fix-CVE-2018-20191.patch
deleted file mode 100644
index 8f8ff0567a..0000000000
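--- a/meta/recipes-devtools/qemu/qemu/0018-fix-CVE-2018-20191.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-CVE: CVE-2018-20191
-Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=2aa8645]
-
-Signed-off-by: Kai Kang <kai.kang@windriver.com>
-
-From 2aa86456fb938a11f2b7bd57c8643c213218681c Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Thu, 13 Dec 2018 01:00:35 +0530
-Subject: [PATCH] pvrdma: add uar_read routine
-
-Define skeleton 'uar_read' routine. Avoid NULL dereference.
-
-Reported-by: Li Qiang <liq3ea@163.com>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Reviewed-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
-Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
----
- hw/rdma/vmw/pvrdma_main.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c
-index 64de16fb52..838ad8a949 100644
---- a/hw/rdma/vmw/pvrdma_main.c
-+++ b/hw/rdma/vmw/pvrdma_main.c
-@@ -448,6 +448,11 @@ static const MemoryRegionOps regs_ops = {
- },
- };
-
-+static uint64_t uar_read(void *opaque, hwaddr addr, unsigned size)
-+{
-+ return 0xffffffff;
-+}
-+
- static void uar_write(void *opaque, hwaddr addr, uint64_t val, unsigned size)
- {
- PVRDMADev *dev = opaque;
-@@ -489,6 +494,7 @@ static void uar_write(void *opaque, hwaddr addr, uint64_t val, unsigned size)
- }
-
- static const MemoryRegionOps uar_ops = {
-+ .read = uar_read,
- .write = uar_write,
- .endianness = DEVICE_LITTLE_ENDIAN,
- .impl = {
---
-2.20.1
-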
diff --git a/meta/recipes-devtools/qemu/qemu/0019-fix-CVE-2018-20216.patch b/meta/recipes-devtools/qemu/qemu/0019-fix-CVE-2018-20216.patch
deleted file mode 100644
index c02bad3bb9..0000000000
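--- a/meta/recipes-devtools/qemu/qemu/0019-fix-CVE-2018-20216.patch
+++ /dev/null
@@ -1,85 +0,0 @@
-CVE: CVE-2018-20216
-Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=f1e2e38]
-
-Signed-off-by: Kai Kang <kai.kang@windriver.com>
-
-From f1e2e38ee0136b7710a2caa347049818afd57a1b Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Thu, 13 Dec 2018 01:00:39 +0530
-Subject: [PATCH] pvrdma: check return value from pvrdma_idx_ring_has_ routines
-
-pvrdma_idx_ring_has_[data/space] routines also return invalid
-index PVRDMA_INVALID_IDX[=-1], if ring has no data/space. Check
-return value from these routines to avoid plausible infinite loops.
-
-Reported-by: Li Qiang <liq3ea@163.com>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
-Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
----
- hw/rdma/vmw/pvrdma_dev_ring.c | 29 +++++++++++------------------
- 1 file changed, 11 insertions(+), 18 deletions(-)
-
-diff --git a/hw/rdma/vmw/pvrdma_dev_ring.c b/hw/rdma/vmw/pvrdma_dev_ring.c
-index 01247fc041..e8e5b502f6 100644
---- a/hw/rdma/vmw/pvrdma_dev_ring.c
-+++ b/hw/rdma/vmw/pvrdma_dev_ring.c
-@@ -73,23 +73,16 @@ out:
-
- void *pvrdma_ring_next_elem_read(PvrdmaRing *ring)
- {
-+ int e;
- unsigned int idx = 0, offset;
-
-- /*
-- pr_dbg("%s: t=%d, h=%d\n", ring->name, ring->ring_state->prod_tail,
-- ring->ring_state->cons_head);
-- */
--
-- if (!pvrdma_idx_ring_has_data(ring->ring_state, ring->max_elems, &idx)) {
-+ e = pvrdma_idx_ring_has_data(ring->ring_state, ring->max_elems, &idx);
-+ if (e <= 0) {
- pr_dbg("No more data in ring\n");
- return NULL;
- }
-
- offset = idx * ring->elem_sz;
-- /*
-- pr_dbg("idx=%d\n", idx);
-- pr_dbg("offset=%d\n", offset);
-- */
- return ring->pages[offset / TARGET_PAGE_SIZE] + (offset % TARGET_PAGE_SIZE);
- }
-
-@@ -105,20 +98,20 @@ void pvrdma_ring_read_inc(PvrdmaRing *ring)
-
- void *pvrdma_ring_next_elem_write(PvrdmaRing *ring)
- {
-- unsigned int idx, offset, tail;
-+ int idx;
-+ unsigned int offset, tail;
-
-- /*
-- pr_dbg("%s: t=%d, h=%d\n", ring->name, ring->ring_state->prod_tail,
-- ring->ring_state->cons_head);
-- */
--
-- if (!pvrdma_idx_ring_has_space(ring->ring_state, ring->max_elems, &tail)) {
-+ idx = pvrdma_idx_ring_has_space(ring->ring_state, ring->max_elems, &tail);
-+ if (idx <= 0) {
- pr_dbg("CQ is full\n");
- return NULL;
- }
-
- idx = pvrdma_idx(&ring->ring_state->prod_tail, ring->max_elems);
-- /* TODO: tail == idx */
-+ if (idx < 0 || tail != idx) {
-+ pr_dbg("invalid idx\n");
-+ return NULL;
-+ }
-
- offset = idx * ring->elem_sz;
- return ring->pages[offset / TARGET_PAGE_SIZE] + (offset % TARGET_PAGE_SIZE);
---
-2.20.1
-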
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2019-3812.patch b/meta/recipes-devtools/qemu/qemu/CVE-2019-3812.patch
deleted file mode 100644
index 7de5882b3e..0000000000
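--- a/meta/recipes-devtools/qemu/qemu/CVE-2019-3812.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-QEMU, through version 2.10 and through version 3.1.0, is vulnerable to an
-out-of-bounds read of up to 128 bytes in the hw/i2c/i2c-ddc.c:i2c_ddc()
-function. A local attacker with permission to execute i2c commands could exploit
-this to read stack memory of the qemu process on the host.
-
-CVE: CVE-2019-3812
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@intel.com>
-
-From b05b267840515730dbf6753495d5b7bd8b04ad1c Mon Sep 17 00:00:00 2001
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Tue, 8 Jan 2019 11:23:01 +0100
-Subject: [PATCH] i2c-ddc: fix oob read
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Suggested-by: Michael Hanselmann <public@hansmi.ch>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Reviewed-by: Michael Hanselmann <public@hansmi.ch>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Message-id: 20190108102301.1957-1-kraxel@redhat.com
----
- hw/i2c/i2c-ddc.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/i2c/i2c-ddc.c b/hw/i2c/i2c-ddc.c
-index be34fe072cf..0a0367ff38f 100644
---- a/hw/i2c/i2c-ddc.c
-+++ b/hw/i2c/i2c-ddc.c
-@@ -56,7 +56,7 @@ static int i2c_ddc_rx(I2CSlave *i2c)
- I2CDDCState *s = I2CDDC(i2c);
-
- int value;
-- value = s->edid_blob[s->reg];
-+ value = s->edid_blob[s->reg % sizeof(s->edid_blob)];
- s->reg++;
- return value;
- }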
diff --git a/meta/recipes-devtools/qemu/qemu_3.1.0.bb b/meta/recipes-devtools/qemu/qemu_4.0.0.bb
index 04d8bee99f..247e0311ed 100644
--- a/meta/recipes-devtools/qemu/qemu_3.1.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_4.0.0.bb
@@ -18,5 +18,3 @@ PACKAGECONFIG ??= " \
18 ${@bb.utils.filter('DISTRO_FEATURES', 'alsa xen', d)} \ 18 ${@bb.utils.filter('DISTRO_FEATURES', 'alsa xen', d)} \
19" 19"
20PACKAGECONFIG_class-nativesdk ??= "fdt sdl kvm" 20PACKAGECONFIG_class-nativesdk ??= "fdt sdl kvm"
21
22