34 files changed, 1050 insertions, 391 deletions

diff --git a/meta/recipes-devtools/qemu/files/0001-Back-porting-security-fix-CVE-2014-5388.patch b/meta/recipes-devtools/qemu/files/0001-Back-porting-security-fix-CVE-2014-5388.patch
deleted file mode 100644
index ec541fa668..0000000000
--- a/meta/recipes-devtools/qemu/files/0001-Back-porting-security-fix-CVE-2014-5388.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-Prevent out-of-bounds array access on
-acpi_pcihp_pci_status.
-
-Upstream-Status: Backport
-
-Signed-off-by: Gonglei <arei.gonglei@huawei.com>
-Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
----
-v2:
- - change commit message.
- - add 'Reviewed-by'
----
- hw/acpi/pcihp.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/acpi/pcihp.c b/hw/acpi/pcihp.c
-index fae663a..34dedf1 100644
---- a/hw/acpi/pcihp.c
-+++ b/hw/acpi/pcihp.c
-@@ -231,7 +231,7 @@ static uint64_t pci_read(void *opaque, hwaddr addr, unsigned int size)
-     uint32_t val = 0;
-     int bsel = s->hotplug_select;
-
--    if (bsel < 0 || bsel > ACPI_PCIHP_MAX_HOTPLUG_BUS) {
-+    if (bsel < 0 || bsel >= ACPI_PCIHP_MAX_HOTPLUG_BUS) {
-         return 0;
-     }
-
---
-1.7.12.4
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index c9a5d328f9..abbace8704 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -3,24 +3,30 @@ HOMEPAGE = "http://qemu.org"
 LICENSE = "GPLv2 & LGPLv2.1"
 DEPENDS = "glib-2.0 zlib pixman"
 RDEPENDS_${PN}_class-target += "bash python"
+RDEPENDS_${PN}-ptest = "bash make"
 
 require qemu-targets.inc
-inherit autotools-brokensep
+inherit autotools ptest
 BBCLASSEXTEND = "native nativesdk"
 
+PR = "r1"
+
 # QEMU_TARGETS is overridable variable
 QEMU_TARGETS ?= "arm aarch64 i386 mips mipsel mips64 mips64el ppc sh4 x86_64"
 
 SRC_URI = "\
     file://powerpc_rom.bin \
-    file://larger_default_ram_size.patch \
     file://disable-grabs.patch \
     file://exclude-some-arm-EABI-obsolete-syscalls.patch \
     file://wacom.patch \
+    file://add-ptest-in-makefile.patch \
+    file://run-ptest \
+    file://cpus.c-qemu_mutex_lock_iothread-fix-race-condition-a.patch \
     "
 
 SRC_URI_append_class-native = "\
     file://fix-libcap-header-issue-on-some-distro.patch \
+    file://cpus.c-qemu_cpu_kick_thread_debugging.patch \
     "
 
 EXTRA_OECONF += "--target-list=${@get_qemu_target_list(d)} --disable-werror  --disable-bluez --disable-libiscsi --with-system-pixman --extra-cflags='${CFLAGS}'"
@@ -35,16 +41,6 @@ do_configure_prepend_class-native() {
         if [ ! -z "$BHOST_PKGCONFIG_PATH" ]; then
                 export PKG_CONFIG_PATH=$PKG_CONFIG_PATH:$BHOST_PKGCONFIG_PATH
         fi
-
-        # Undo the -lX11 added by linker-flags.patch, don't assume that host has libX11 installed
-        sed -i 's/-lX11//g' Makefile.target
-}
-
-do_configure_prepend_class-nativesdk() {
-        if [ "${@bb.utils.contains('DISTRO_FEATURES', 'x11', 'x11', '', d)}" = "" ] ; then
-                # Undo the -lX11 added by linker-flags.patch
-                sed -i 's/-lX11//g' Makefile.target
-        fi
 }
 
 KVMENABLE = "--enable-kvm"
@@ -63,6 +59,17 @@ do_configure() {
     test ! -e ${S}/target-i386/beginend_funcs.sh || chmod a+x ${S}/target-i386/beginend_funcs.sh
 }
 
+do_compile_ptest() {
+        make buildtest-TESTS
+}
+
+do_install_ptest() {
+        cp -rL ${B}/tests ${D}${PTEST_PATH}
+        find ${D}${PTEST_PATH}/tests -type f -name "*.[Sshcod]" | xargs -i rm -rf {}
+
+        cp ${S}/tests/Makefile ${D}${PTEST_PATH}/tests
+}
+
 do_install () {
         export STRIP="true"
         autotools_do_install
@@ -84,8 +91,12 @@ do_install_append() {
 }
 # END of qemu-mips workaround
 
-PACKAGECONFIG ??= "fdt sdl alsa"
-PACKAGECONFIG_class-native ??= "fdt alsa"
+PACKAGECONFIG ??= " \
+        fdt sdl \
+        ${@bb.utils.contains('DISTRO_FEATURES', 'alsa', 'alsa', '', d)} \
+        ${@bb.utils.contains('DISTRO_FEATURES', 'xen', 'xen', '', d)} \
+        "
+PACKAGECONFIG_class-native ??= "fdt alsa uuid"
 PACKAGECONFIG_class-nativesdk ??= "fdt sdl"
 NATIVEDEPS = ""
 NATIVEDEPS_class-native = "${@bb.utils.contains('DISTRO_FEATURES', 'x11', 'libxext-native', '',d)}"
@@ -93,10 +104,8 @@ PACKAGECONFIG[sdl] = "--enable-sdl,--disable-sdl,libsdl ${NATIVEDEPS},"
 PACKAGECONFIG[virtfs] = "--enable-virtfs --enable-attr,--disable-virtfs,libcap attr,"
 PACKAGECONFIG[aio] = "--enable-linux-aio,--disable-linux-aio,libaio,"
 PACKAGECONFIG[xfs] = "--enable-xfsctl,--disable-xfsctl,xfsprogs,"
-PACKAGECONFIG[xen] = "--enable-xen, --disable-xen,,"
-PACKAGECONFIG[quorum] = "--enable-quorum, --disable-quorum, gnutls,"
+PACKAGECONFIG[xen] = "--enable-xen,--disable-xen,xen,xen-libxenstore xen-libxenctrl xen-libxenguest"
 PACKAGECONFIG[vnc-tls] = "--enable-vnc --enable-vnc-tls,--disable-vnc-tls, gnutls,"
-PACKAGECONFIG[vnc-ws] = "--enable-vnc --enable-vnc-ws,--disable-vnc-ws, gnutls,"
 PACKAGECONFIG[vnc-sasl] = "--enable-vnc --enable-vnc-sasl,--disable-vnc-sasl,cyrus-sasl,"
 PACKAGECONFIG[vnc-jpeg] = "--enable-vnc --enable-vnc-jpeg,--disable-vnc-jpeg,jpeg,"
 PACKAGECONFIG[vnc-png] = "--enable-vnc --enable-vnc-png,--disable-vnc-png,libpng,"
@@ -110,15 +119,11 @@ PACKAGECONFIG[ssh2] = "--enable-libssh2,--disable-libssh2,libssh2,"
 PACKAGECONFIG[libusb] = "--enable-libusb,--disable-libusb,libusb1"
 PACKAGECONFIG[fdt] = "--enable-fdt,--disable-fdt,dtc"
 PACKAGECONFIG[alsa] = ",,alsa-lib"
-PACKAGECONFIG[glx] = "--enable-glx,--disable-glx,mesa"
+PACKAGECONFIG[glx] = "--enable-opengl,--disable-opengl,mesa"
 PACKAGECONFIG[lzo] = "--enable-lzo,--disable-lzo,lzo"
 PACKAGECONFIG[numa] = "--enable-numa,--disable-numa,numactl"
+PACKAGECONFIG[gnutls] = "--enable-gnutls,--disable-gnutls,gnutls"
 
 EXTRA_OECONF += "${@bb.utils.contains('PACKAGECONFIG', 'alsa', '--audio-drv-list=oss,alsa', '', d)}"
 
-# Qemu target will not build in world build for ARM or Mips
-BROKEN_qemuarm = "1"
-BROKEN_qemumips64 = "1"
-BROKEN_qemumips = "1"
-
 INSANE_SKIP_${PN} = "arch"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2014-7840.patch b/meta/recipes-devtools/qemu/qemu/CVE-2014-7840.patch
deleted file mode 100644
index 4f992bae14..0000000000
--- a/meta/recipes-devtools/qemu/qemu/CVE-2014-7840.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From 0be839a2701369f669532ea5884c15bead1c6e08 Mon Sep 17 00:00:00 2001
-From: "Michael S. Tsirkin" <mst@redhat.com>
-Date: Wed, 12 Nov 2014 11:44:39 +0200
-Subject: [PATCH] migration: fix parameter validation on ram load
-
-During migration, the values read from migration stream during ram load
-are not validated. Especially offset in host_from_stream_offset() and
-also the length of the writes in the callers of said function.
-
-To fix this, we need to make sure that the [offset, offset + length]
-range fits into one of the allocated memory regions.
-
-Validating addr < len should be sufficient since data seems to always be
-managed in TARGET_PAGE_SIZE chunks.
-
-Fixes: CVE-2014-7840
-
-Upstream-Status: Backport
-
-Note: follow-up patches add extra checks on each block->host access.
-
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
-Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
-Signed-off-by: Amit Shah <amit.shah@redhat.com>
-Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
----
- arch_init.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/arch_init.c b/arch_init.c
-index 88a5ba0..593a990 100644
---- a/arch_init.c
-+++ b/arch_init.c
-@@ -1006,7 +1006,7 @@ static inline void *host_from_stream_offset(QEMUFile *f,
-     uint8_t len;
- 
-     if (flags & RAM_SAVE_FLAG_CONTINUE) {
--        if (!block) {
-+        if (!block || block->length <= offset) {
-             error_report("Ack, bad migration stream!");
-             return NULL;
-         }
-@@ -1019,8 +1019,9 @@ static inline void *host_from_stream_offset(QEMUFile *f,
-     id[len] = 0;
- 
-     QTAILQ_FOREACH(block, &ram_list.blocks, next) {
--        if (!strncmp(id, block->idstr, sizeof(id)))
-+        if (!strncmp(id, block->idstr, sizeof(id)) && block->length > offset) {
-             return memory_region_get_ram_ptr(block->mr) + offset;
-+        }
-     }
- 
-     error_report("Can't find block %s!", id);
--- 
-1.9.1
-
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2015-7295_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2015-7295_1.patch
new file mode 100644
index 0000000000..d7ae8713ca
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2015-7295_1.patch
@@ -0,0 +1,63 @@
+From ce317461573bac12b10d67699b4ddf1f97cf066c Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Fri, 25 Sep 2015 13:21:28 +0800
+Subject: [PATCH] virtio: introduce virtqueue_unmap_sg()
+
+Factor out sg unmapping logic. This will be reused by the patch that
+can discard descriptor.
+
+Cc: Michael S. Tsirkin <mst@redhat.com>
+Cc: Andrew James <andrew.james@hpe.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+
+Upstream-Status: Backport
+
+git.qemu.org/?p=qemu.git;a=commit;h=ce317461573bac12b10d67699b4ddf1f97cf066c
+
+CVE: CVE-2015-7295 patch #1
+[Yocto # 9013]
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ hw/virtio/virtio.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+Index: qemu-2.4.0/hw/virtio/virtio.c
+===================================================================
+--- qemu-2.4.0.orig/hw/virtio/virtio.c
++++ qemu-2.4.0/hw/virtio/virtio.c
+@@ -243,14 +243,12 @@ int virtio_queue_empty(VirtQueue *vq)
+     return vring_avail_idx(vq) == vq->last_avail_idx;
+ }
+ 
+-void virtqueue_fill(VirtQueue *vq, const VirtQueueElement *elem,
+-                    unsigned int len, unsigned int idx)
++static void virtqueue_unmap_sg(VirtQueue *vq, const VirtQueueElement *elem,
++                               unsigned int len)
+ {
+     unsigned int offset;
+     int i;
+ 
+-    trace_virtqueue_fill(vq, elem, len, idx);
+-
+     offset = 0;
+     for (i = 0; i < elem->in_num; i++) {
+         size_t size = MIN(len - offset, elem->in_sg[i].iov_len);
+@@ -266,6 +264,14 @@ void virtqueue_fill(VirtQueue *vq, const
+         cpu_physical_memory_unmap(elem->out_sg[i].iov_base,
+                                   elem->out_sg[i].iov_len,
+                                   0, elem->out_sg[i].iov_len);
++}
++
++void virtqueue_fill(VirtQueue *vq, const VirtQueueElement *elem,
++                    unsigned int len, unsigned int idx)
++{
++    trace_virtqueue_fill(vq, elem, len, idx);
++
++    virtqueue_unmap_sg(vq, elem, len);
+ 
+     idx = (idx + vring_used_idx(vq)) % vq->vring.num;
+ 
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2015-7295_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2015-7295_2.patch
new file mode 100644
index 0000000000..45dfab36ef
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2015-7295_2.patch
@@ -0,0 +1,58 @@
+From 29b9f5efd78ae0f9cc02dd169b6e80d2c404bade Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Fri, 25 Sep 2015 13:21:29 +0800
+Subject: [PATCH] virtio: introduce virtqueue_discard()
+
+This patch introduces virtqueue_discard() to discard a descriptor and
+unmap the sgs. This will be used by the patch that will discard
+descriptor when packet is truncated.
+
+Cc: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Upstream-Status: Backport
+
+git.qemu.org/?p=qemu.git;a=commit;h=29b9f5efd78ae0f9cc02dd169b6e80d2c404bade
+ 
+CVE: CVE-2015-7295 patch #2
+[Yocto # 9013]
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ hw/virtio/virtio.c         | 7 +++++++
+ include/hw/virtio/virtio.h | 2 ++
+ 2 files changed, 9 insertions(+)
+
+Index: qemu-2.4.0/hw/virtio/virtio.c
+===================================================================
+--- qemu-2.4.0.orig/hw/virtio/virtio.c
++++ qemu-2.4.0/hw/virtio/virtio.c
+@@ -266,6 +266,13 @@ static void virtqueue_unmap_sg(VirtQueue
+                                   0, elem->out_sg[i].iov_len);
+ }
+ 
++void virtqueue_discard(VirtQueue *vq, const VirtQueueElement *elem,
++                       unsigned int len)
++{
++    vq->last_avail_idx--;
++    virtqueue_unmap_sg(vq, elem, len);
++}
++
+ void virtqueue_fill(VirtQueue *vq, const VirtQueueElement *elem,
+                     unsigned int len, unsigned int idx)
+ {
+Index: qemu-2.4.0/include/hw/virtio/virtio.h
+===================================================================
+--- qemu-2.4.0.orig/include/hw/virtio/virtio.h
++++ qemu-2.4.0/include/hw/virtio/virtio.h
+@@ -146,6 +146,8 @@ void virtio_del_queue(VirtIODevice *vdev
+ void virtqueue_push(VirtQueue *vq, const VirtQueueElement *elem,
+                     unsigned int len);
+ void virtqueue_flush(VirtQueue *vq, unsigned int count);
++void virtqueue_discard(VirtQueue *vq, const VirtQueueElement *elem,
++                       unsigned int len);
+ void virtqueue_fill(VirtQueue *vq, const VirtQueueElement *elem,
+                     unsigned int len, unsigned int idx);
+ 
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2015-7295_3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2015-7295_3.patch
new file mode 100644
index 0000000000..74442e32f5
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2015-7295_3.patch
@@ -0,0 +1,52 @@
+From 0cf33fb6b49a19de32859e2cdc6021334f448fb3 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Fri, 25 Sep 2015 13:21:30 +0800
+Subject: [PATCH] virtio-net: correctly drop truncated packets
+
+When packet is truncated during receiving, we drop the packets but
+neither discard the descriptor nor add and signal used
+descriptor. This will lead several issues:
+
+- sg mappings are leaked
+- rx will be stalled if a lots of packets were truncated
+
+In order to be consistent with vhost, fix by discarding the descriptor
+in this case.
+
+Cc: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+
+Upstream-Status: Backport
+
+git.qemu.org/?p=qemu.git;a=commit;h=0cf33fb6b49a19de32859e2cdc6021334f448fb3
+
+CVE: CVE-2015-7295 patch #3
+[Yocto # 9013]
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ hw/net/virtio-net.c | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+Index: qemu-2.4.0/hw/net/virtio-net.c
+===================================================================
+--- qemu-2.4.0.orig/hw/net/virtio-net.c
++++ qemu-2.4.0/hw/net/virtio-net.c
+@@ -1086,13 +1086,7 @@ static ssize_t virtio_net_receive(NetCli
+          * must have consumed the complete packet.
+          * Otherwise, drop it. */
+         if (!n->mergeable_rx_bufs && offset < size) {
+-#if 0
+-            error_report("virtio-net truncated non-mergeable packet: "
+-                         "i %zd mergeable %d offset %zd, size %zd, "
+-                         "guest hdr len %zd, host hdr len %zd",
+-                         i, n->mergeable_rx_bufs,
+-                         offset, size, n->guest_hdr_len, n->host_hdr_len);
+-#endif
++            virtqueue_discard(q->rx_vq, &elem, total);
+             return size;
+         }
+ 
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2015-7504.patch b/meta/recipes-devtools/qemu/qemu/CVE-2015-7504.patch
new file mode 100644
index 0000000000..90a7947abb
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2015-7504.patch
@@ -0,0 +1,56 @@
+From 837f21aacf5a714c23ddaadbbc5212f9b661e3f7 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Fri, 20 Nov 2015 11:50:31 +0530
+Subject: [PATCH] net: pcnet: add check to validate receive data
+ size(CVE-2015-7504)
+
+In loopback mode, pcnet_receive routine appends CRC code to the
+receive buffer. If the data size given is same as the buffer size,
+the appended CRC code overwrites 4 bytes after s->buffer. Added a
+check to avoid that.
+
+Reported by: Qinghao Tang <luodalongde@gmail.com>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport
+
+http://git.qemu.org/?p=qemu.git;a=commit;h=837f21aacf5a714c23ddaadbbc5212f9b661e3f7
+
+CVE: CVE-2015-7504
+[Yocto # 9013]
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ hw/net/pcnet.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+Index: qemu-2.4.0/hw/net/pcnet.c
+===================================================================
+--- qemu-2.4.0.orig/hw/net/pcnet.c
++++ qemu-2.4.0/hw/net/pcnet.c
+@@ -1085,7 +1085,7 @@ ssize_t pcnet_receive(NetClientState *nc
+                 uint32_t fcs = ~0;
+                 uint8_t *p = src;
+ 
+-                while (p != &src[size-4])
++                while (p != &src[size])
+                     CRC(fcs, *p++);
+                 crc_err = (*(uint32_t *)p != htonl(fcs));
+             }
+@@ -1234,8 +1234,10 @@ static void pcnet_transmit(PCNetState *s
+         bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
+ 
+         /* if multi-tmd packet outsizes s->buffer then skip it silently.
+-           Note: this is not what real hw does */
+-        if (s->xmit_pos + bcnt > sizeof(s->buffer)) {
++         * Note: this is not what real hw does.
++         * Last four bytes of s->buffer are used to store CRC FCS code.
++         */
++        if (s->xmit_pos + bcnt > sizeof(s->buffer) - 4) {
+             s->xmit_pos = -1;
+             goto txdone;
+         }
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2015-7512.patch b/meta/recipes-devtools/qemu/qemu/CVE-2015-7512.patch
new file mode 100644
index 0000000000..50b8a6cee8
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2015-7512.patch
@@ -0,0 +1,44 @@
+From 8b98a2f07175d46c3f7217639bd5e03f2ec56343 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Mon, 30 Nov 2015 15:00:06 +0800
+Subject: [PATCH] pcnet: fix rx buffer overflow(CVE-2015-7512)
+
+Backends could provide a packet whose length is greater than buffer
+size. Check for this and truncate the packet to avoid rx buffer
+overflow in this case.
+
+Cc: Prasad J Pandit <pjp@fedoraproject.org>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upsteam_Status: Backport
+
+http://git.qemu.org/?p=qemu.git;a=commit;h=8b98a2f07175d46c3f7217639bd5e03f2ec56343
+
+CVE: CVE-2015-7512
+[Yocto # 9013]
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ hw/net/pcnet.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+Index: qemu-2.4.0/hw/net/pcnet.c
+===================================================================
+--- qemu-2.4.0.orig/hw/net/pcnet.c
++++ qemu-2.4.0/hw/net/pcnet.c
+@@ -1065,6 +1065,12 @@ ssize_t pcnet_receive(NetClientState *nc
+             int pktcount = 0;
+ 
+             if (!s->looptest) {
++                if (size > 4092) {
++#ifdef PCNET_DEBUG_RMD
++                    fprintf(stderr, "pcnet: truncates rx packet.\n");
++#endif
++                    size = 4092;
++                }
+                 memcpy(src, buf, size);
+                 /* no need to compute the CRC */
+                 src[size] = 0;
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2015-8345.patch b/meta/recipes-devtools/qemu/qemu/CVE-2015-8345.patch
new file mode 100644
index 0000000000..310b458a0c
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2015-8345.patch
@@ -0,0 +1,73 @@
+From 00837731d254908a841d69298a4f9f077babaf24 Mon Sep 17 00:00:00 2001
+From: Stefan Weil <sw@weilnetz.de>
+Date: Fri, 20 Nov 2015 08:42:33 +0100
+Subject: [PATCH] eepro100: Prevent two endless loops
+
+http://lists.nongnu.org/archive/html/qemu-devel/2015-11/msg04592.html
+shows an example how an endless loop in function action_command can
+be achieved.
+
+During my code review, I noticed a 2nd case which can result in an
+endless loop.
+
+Reported-by: Qinghao Tang <luodalongde@gmail.com>
+Signed-off-by: Stefan Weil <sw@weilnetz.de>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport
+
+http://git.qemu.org/?p=qemu.git;a=commit;h=00837731d254908a841d69298a4f9f077babaf24
+
+CVE: CVE-2015-8345
+[Yocto # 9013]
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ hw/net/eepro100.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/hw/net/eepro100.c b/hw/net/eepro100.c
+index 60333b7..685a478 100644
+--- a/hw/net/eepro100.c
++++ b/hw/net/eepro100.c
+@@ -774,6 +774,11 @@ static void tx_command(EEPRO100State *s)
+ #if 0
+         uint16_t tx_buffer_el = lduw_le_pci_dma(&s->dev, tbd_address + 6);
+ #endif
++        if (tx_buffer_size == 0) {
++            /* Prevent an endless loop. */
++            logout("loop in %s:%u\n", __FILE__, __LINE__);
++            break;
++        }
+         tbd_address += 8;
+         TRACE(RXTX, logout
+             ("TBD (simplified mode): buffer address 0x%08x, size 0x%04x\n",
+@@ -855,6 +860,10 @@ static void set_multicast_list(EEPRO100State *s)
+ 
+ static void action_command(EEPRO100State *s)
+ {
++    /* The loop below won't stop if it gets special handcrafted data.
++       Therefore we limit the number of iterations. */
++    unsigned max_loop_count = 16;
++
+     for (;;) {
+         bool bit_el;
+         bool bit_s;
+@@ -870,6 +879,13 @@ static void action_command(EEPRO100State *s)
+ #if 0
+         bool bit_sf = ((s->tx.command & COMMAND_SF) != 0);
+ #endif
++
++        if (max_loop_count-- == 0) {
++            /* Prevent an endless loop. */
++            logout("loop in %s:%u\n", __FILE__, __LINE__);
++            break;
++        }
++
+         s->cu_offset = s->tx.link;
+         TRACE(OTHER,
+               logout("val=(cu start), status=0x%04x, command=0x%04x, link=0x%08x\n",
+-- 
+2.3.5
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2015-8504.patch b/meta/recipes-devtools/qemu/qemu/CVE-2015-8504.patch
new file mode 100644
index 0000000000..9e660217ff
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2015-8504.patch
@@ -0,0 +1,51 @@
+From 4c65fed8bdf96780735dbdb92a8bd0d6b6526cc3 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Thu, 3 Dec 2015 18:54:17 +0530
+Subject: [PATCH] ui: vnc: avoid floating point exception
+
+While sending 'SetPixelFormat' messages to a VNC server,
+the client could set the 'red-max', 'green-max' and 'blue-max'
+values to be zero. This leads to a floating point exception in
+write_png_palette while doing frame buffer updates.
+
+Reported-by: Lian Yihan <lianyihan@360.cn>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+
+Upstream-Status: Backport
+
+http://git.qemu.org/?p=qemu.git;a=commitdiff;h=4c65fed8bdf96780735dbdb92a8
+
+CVE: CVE-2015-8504
+[Yocto # 9013]
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ui/vnc.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+Index: qemu-2.4.0/ui/vnc.c
+===================================================================
+--- qemu-2.4.0.orig/ui/vnc.c
++++ qemu-2.4.0/ui/vnc.c
+@@ -2189,15 +2189,15 @@ static void set_pixel_format(VncState *v
+         return;
+     }
+ 
+-    vs->client_pf.rmax = red_max;
++    vs->client_pf.rmax = red_max ? red_max : 0xFF;
+     vs->client_pf.rbits = hweight_long(red_max);
+     vs->client_pf.rshift = red_shift;
+     vs->client_pf.rmask = red_max << red_shift;
+-    vs->client_pf.gmax = green_max;
++    vs->client_pf.gmax = green_max ? green_max : 0xFF;
+     vs->client_pf.gbits = hweight_long(green_max);
+     vs->client_pf.gshift = green_shift;
+     vs->client_pf.gmask = green_max << green_shift;
+-    vs->client_pf.bmax = blue_max;
++    vs->client_pf.bmax = blue_max ? blue_max : 0xFF;
+     vs->client_pf.bbits = hweight_long(blue_max);
+     vs->client_pf.bshift = blue_shift;
+     vs->client_pf.bmask = blue_max << blue_shift;
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-1568.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-1568.patch
new file mode 100644
index 0000000000..9c40ffb5f8
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2016-1568.patch
@@ -0,0 +1,46 @@
+From 4ab0359a8ae182a7ac5c99609667273167703fab Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Mon, 11 Jan 2016 14:10:42 -0500
+Subject: [PATCH] ide: ahci: reset ncq object to unused on error
+
+When processing NCQ commands, AHCI device emulation prepares a
+NCQ transfer object; To which an aio control block(aiocb) object
+is assigned in 'execute_ncq_command'. In case, when the NCQ
+command is invalid, the 'aiocb' object is not assigned, and NCQ
+transfer object is left as 'used'. This leads to a use after
+free kind of error in 'bdrv_aio_cancel_async' via 'ahci_reset_port'.
+Reset NCQ transfer object to 'unused' to avoid it.
+
+[Maintainer edit: s/ACHI/AHCI/ in the commit message. --js]
+
+Reported-by: Qinghao Tang <luodalongde@gmail.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Reviewed-by: John Snow <jsnow@redhat.com>
+Message-id: 1452282511-4116-1-git-send-email-ppandit@redhat.com
+Signed-off-by: John Snow <jsnow@redhat.com>
+
+Upstream-Status: Backport
+
+http://git.qemu.org/?p=qemu.git;a=commit;h=4ab0359a8ae182a7ac5c99609667273167703fab
+
+CVE: CVE-2016-1568
+[Yocto # 9013]
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ hw/ide/ahci.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+Index: qemu-2.4.0/hw/ide/ahci.c
+===================================================================
+--- qemu-2.4.0.orig/hw/ide/ahci.c
++++ qemu-2.4.0/hw/ide/ahci.c
+@@ -898,6 +898,7 @@ static void ncq_err(NCQTransferState *nc
+     ide_state->error = ABRT_ERR;
+     ide_state->status = READY_STAT | ERR_STAT;
+     ncq_tfs->drive->port_regs.scr_err |= (1 << ncq_tfs->tag);
++    ncq_tfs->used = 0;
+ }
+ 
+ static void ncq_finish(NCQTransferState *ncq_tfs)
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-2197.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-2197.patch
new file mode 100644
index 0000000000..946435c430
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2016-2197.patch
@@ -0,0 +1,59 @@
+From: Prasad J Pandit <address@hidden>
+
+When IDE AHCI emulation uses Frame Information Structures(FIS)
+engine for data transfer, the mapped FIS buffer address is stored
+in a static 'bounce.buffer'. When a request is made to map another
+memory region, address_space_map() returns NULL because
+'bounce.buffer' is in_use. It leads to a null pointer dereference
+error while doing 'dma_memory_unmap'. Add a check to avoid it.
+
+Reported-by: Zuozhi fzz <address@hidden>
+Signed-off-by: Prasad J Pandit <address@hidden>
+
+Upstream-Status: Backport
+https://lists.gnu.org/archive/html/qemu-devel/2016-01/msg05740.html
+
+CVE: CVE-2016-2197
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ hw/ide/ahci.c | 16 ++++++++++------
+  1 file changed, 10 insertions(+), 6 deletions(-)
+
+  Update as per review
+    -> https://lists.gnu.org/archive/html/qemu-devel/2016-01/msg05715.html
+
+Index: qemu-2.5.0/hw/ide/ahci.c
+===================================================================
+--- qemu-2.5.0.orig/hw/ide/ahci.c
++++ qemu-2.5.0/hw/ide/ahci.c
+@@ -661,9 +661,11 @@ static bool ahci_map_fis_address(AHCIDev
+ 
+ static void ahci_unmap_fis_address(AHCIDevice *ad)
+ {
+-    dma_memory_unmap(ad->hba->as, ad->res_fis, 256,
+-                     DMA_DIRECTION_FROM_DEVICE, 256);
+-    ad->res_fis = NULL;
++    if (ad->res_fis) {
++        dma_memory_unmap(ad->hba->as, ad->res_fis, 256,
++                         DMA_DIRECTION_FROM_DEVICE, 256);
++        ad->res_fis = NULL;
++    }
+ }
+ 
+ static bool ahci_map_clb_address(AHCIDevice *ad)
+@@ -677,9 +679,11 @@ static bool ahci_map_clb_address(AHCIDev
+ 
+ static void ahci_unmap_clb_address(AHCIDevice *ad)
+ {
+-    dma_memory_unmap(ad->hba->as, ad->lst, 1024,
+-                     DMA_DIRECTION_FROM_DEVICE, 1024);
+-    ad->lst = NULL;
++    if (ad->lst) {
++        dma_memory_unmap(ad->hba->as, ad->lst, 1024,
++                         DMA_DIRECTION_FROM_DEVICE, 1024);
++        ad->lst = NULL;
++    }
+ }
+ 
+ static void ahci_write_fis_sdb(AHCIState *s, NCQTransferState *ncq_tfs)
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-2198.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-2198.patch
new file mode 100644
index 0000000000..f1201f0613
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2016-2198.patch
@@ -0,0 +1,45 @@
+From: Prasad J Pandit <address@hidden>
+
+USB Ehci emulation supports host controller capability registers.
+But its mmio '.write' function was missing, which lead to a null
+pointer dereference issue. Add a do nothing 'ehci_caps_write'
+definition to avoid it; Do nothing because capability registers
+are Read Only(RO).
+
+Reported-by: Zuozhi Fzz <address@hidden>
+Signed-off-by: Prasad J Pandit <address@hidden>
+
+Upstream-Status: Backport
+https://lists.gnu.org/archive/html/qemu-devel/2016-01/msg05899.html
+
+CVE: CVE-2016-2198
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ hw/usb/hcd-ehci.c | 6 ++++++
+  1 file changed, 6 insertions(+)
+
+Index: qemu-2.5.0/hw/usb/hcd-ehci.c
+===================================================================
+--- qemu-2.5.0.orig/hw/usb/hcd-ehci.c
++++ qemu-2.5.0/hw/usb/hcd-ehci.c
+@@ -893,6 +893,11 @@ static uint64_t ehci_caps_read(void *ptr
+     return s->caps[addr];
+ }
+ 
++static void ehci_caps_write(void *ptr, hwaddr addr,
++                             uint64_t val, unsigned size)
++{
++}
++
+ static uint64_t ehci_opreg_read(void *ptr, hwaddr addr,
+                                 unsigned size)
+ {
+@@ -2310,6 +2315,7 @@ static void ehci_frame_timer(void *opaqu
+ 
+ static const MemoryRegionOps ehci_mmio_caps_ops = {
+     .read = ehci_caps_read,
++    .write = ehci_caps_write,
+     .valid.min_access_size = 1,
+     .valid.max_access_size = 4,
+     .impl.min_access_size = 1,
diff --git a/meta/recipes-devtools/qemu/files/Qemu-Arm-versatilepb-Add-memory-size-checking.patch b/meta/recipes-devtools/qemu/qemu/Qemu-Arm-versatilepb-Add-memory-size-checking.patch
index 7f1c5a9058..1a6cf5119b 100644
--- a/meta/recipes-devtools/qemu/files/Qemu-Arm-versatilepb-Add-memory-size-checking.patch
+++ b/meta/recipes-devtools/qemu/qemu/Qemu-Arm-versatilepb-Add-memory-size-checking.patch
@@ -14,27 +14,33 @@ Signed-off-by: Jiang Lu <lu.jiang@windriver.com>
 Updated it on 2014-01-15 for rebasing
 
 Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
+
+Update it when upgrade qemu to 2.2.0
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+Signed-off-by: Cristian Iorga <cristian.iorga@intel.com>
 ---
- hw/arm/versatilepb.c |    6 ++++++
- 1 file changed, 6 insertions(+)
+ hw/arm/versatilepb.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
 
 diff --git a/hw/arm/versatilepb.c b/hw/arm/versatilepb.c
-index b48d84c..ad2cd5a 100644
+index 6c69f4e..9278d90 100644
 --- a/hw/arm/versatilepb.c
 +++ b/hw/arm/versatilepb.c
-@@ -199,6 +199,12 @@ static void versatile_init(QEMUMachineInitArgs *args, int board_id)
-         fprintf(stderr, "Unable to find CPU definition\n");
+@@ -204,6 +204,13 @@ static void versatile_init(MachineState *machine, int board_id)
          exit(1);
      }
-+    if (ram_size > (256 << 20)) {
+
++    if (machine->ram_size > (256 << 20)) {
 +        fprintf(stderr,
 +                "qemu: Too much memory for this machine: %d MB, maximum 256 MB\n",
 +                ((unsigned int)ram_size / (1 << 20)));
 +        exit(1);
 +    }
-     memory_region_init_ram(ram, NULL, "versatile.ram", machine->ram_size);
-     vmstate_register_ram_global(ram);
-     /* ??? RAM should repeat to fill physical memory space.  */
++
+     cpuobj = object_new(object_class_get_name(cpu_oc));
+
+     /* By default ARM1176 CPUs have EL3 enabled.  This board does not
 -- 
-1.7.10.4
+2.1.0
 
diff --git a/meta/recipes-devtools/qemu/qemu/add-ptest-in-makefile.patch b/meta/recipes-devtools/qemu/qemu/add-ptest-in-makefile.patch
new file mode 100644
index 0000000000..a99f72098c
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/add-ptest-in-makefile.patch
@@ -0,0 +1,29 @@
+Upstream-Status: Pending
+
+Add subpackage -ptest which runs all unit test cases for qemu.
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+ tests/Makefile |   10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/tests/Makefile b/tests/Makefile
+index 88f7105..3f40b4b 100644
+--- a/tests/Makefile
++++ b/tests/Makefile
+@@ -405,3 +405,12 @@ all: $(QEMU_IOTESTS_HELPERS-y)
+ 
+ -include $(wildcard tests/*.d)
+ -include $(wildcard tests/libqos/*.d)
++
++buildtest-TESTS: $(check-unit-y)
++
++runtest-TESTS:
++       for f in $(check-unit-y); do \
++               nf=$$(echo $$f | sed 's/tests\//\.\//g'); \
++               $$nf; \
++       done
++
+--
+1.7.9.5
+
diff --git a/meta/recipes-devtools/qemu/qemu/cpus.c-qemu_cpu_kick_thread_debugging.patch b/meta/recipes-devtools/qemu/qemu/cpus.c-qemu_cpu_kick_thread_debugging.patch
new file mode 100644
index 0000000000..6822132541
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/cpus.c-qemu_cpu_kick_thread_debugging.patch
@@ -0,0 +1,76 @@
+From 697a834c35d19447b7dcdb9e1d9434bc6ce17c21 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?An=C3=ADbal=20Lim=C3=B3n?= <anibal.limon@linux.intel.com>
+Date: Wed, 12 Aug 2015 15:11:30 -0500
+Subject: [PATCH] cpus.c: Add error messages when qemi_cpu_kick_thread fails.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Add custom_debug.h with function for print backtrace information.
+When pthread_kill fails in qemu_cpu_kick_thread display backtrace and
+current cpu information.
+
+Upstream-Status: Inappropriate
+Signed-off-by: Aníbal Limón <anibal.limon@linux.intel.com>
+---
+ cpus.c         |  5 +++++
+ custom_debug.h | 24 ++++++++++++++++++++++++
+ 2 files changed, 29 insertions(+)
+ create mode 100644 custom_debug.h
+
+diff --git a/cpus.c b/cpus.c
+index a822ce3..7e4786e 100644
+--- a/cpus.c
++++ b/cpus.c
+@@ -1080,6 +1080,8 @@ static void *qemu_tcg_cpu_thread_fn(void *arg)
+     return NULL;
+ }
+ 
++#include "custom_debug.h"
++
+ static void qemu_cpu_kick_thread(CPUState *cpu)
+ {
+ #ifndef _WIN32
+@@ -1088,6 +1090,9 @@ static void qemu_cpu_kick_thread(CPUState *cpu)
+     err = pthread_kill(cpu->thread->thread, SIG_IPI);
+     if (err) {
+         fprintf(stderr, "qemu:%s: %s", __func__, strerror(err));
++        fprintf(stderr, "CPU #%d:\n", cpu->cpu_index);
++        cpu_dump_state(cpu, stderr, fprintf, 0);
++        backtrace_print();
+         exit(1);
+     }
+ #else /* _WIN32 */
+diff --git a/custom_debug.h b/custom_debug.h
+new file mode 100644
+index 0000000..f029e45
+--- /dev/null
++++ b/custom_debug.h
+@@ -0,0 +1,24 @@
++#include <execinfo.h>
++#include <stdio.h>
++#define BACKTRACE_MAX 128
++static void backtrace_print(void)
++{
++       int nfuncs = 0;
++       void *buf[BACKTRACE_MAX];
++       char **symbols;
++       int i;
++
++       nfuncs = backtrace(buf, BACKTRACE_MAX);
++
++       symbols = backtrace_symbols(buf, nfuncs);
++       if (symbols == NULL) {
++               fprintf(stderr, "backtrace_print failed to get symbols");
++               return;
++       }
++
++       fprintf(stderr, "Backtrace ...\n");
++       for (i = 0; i < nfuncs; i++)
++               fprintf(stderr, "%s\n", symbols[i]);
++
++       free(symbols);
++}
+-- 
+1.9.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/cpus.c-qemu_mutex_lock_iothread-fix-race-condition-a.patch b/meta/recipes-devtools/qemu/qemu/cpus.c-qemu_mutex_lock_iothread-fix-race-condition-a.patch
new file mode 100644
index 0000000000..45dffabc34
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/cpus.c-qemu_mutex_lock_iothread-fix-race-condition-a.patch
@@ -0,0 +1,45 @@
+Upstream-Status: Submitted
+
+From f354b9333408d411854af058cc44cceda60b4473 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?An=C3=ADbal=20Lim=C3=B3n?= <anibal.limon@linux.intel.com>
+Date: Thu, 3 Sep 2015 14:07:34 -0500
+Subject: [PATCH] cpus.c: qemu_mutex_lock_iothread fix race condition at cpu
+ thread init
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When QEMU starts the RCU thread executes qemu_mutex_lock_thread
+causing error "qemu:qemu_cpu_kick_thread: No such process" and exits.
+
+This isn't occur frequently but in glibc the thread id can exist and
+this not guarantee that the thread is on active/running state. If is
+inserted a sleep(1) after newthread assignment [1] the issue appears.
+
+So not make assumption that thread exist if first_cpu->thread is set
+then change the validation of cpu to created that is set into cpu
+threads (kvm, tcg, dummy).
+
+[1] https://sourceware.org/git/?p=glibc.git;a=blob;f=nptl/pthread_create.c;h=d10f4ea8004e1d8f3a268b95cc0f8d93b8d89867;hb=HEAD#l621
+
+Signed-off-by: Aníbal Limón <anibal.limon@linux.intel.com>
+---
+ cpus.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cpus.c b/cpus.c
+index 7e4786e..05e5400 100644
+--- a/cpus.c
++++ b/cpus.c
+@@ -1171,7 +1171,7 @@ void qemu_mutex_lock_iothread(void)
+      * TCG code execution.
+      */
+     if (!tcg_enabled() || qemu_in_vcpu_thread() ||
+-        !first_cpu || !first_cpu->thread) {
++        !first_cpu || !first_cpu->created) {
+         qemu_mutex_lock(&qemu_global_mutex);
+         atomic_dec(&iothread_requesting_mutex);
+     } else {
+-- 
+1.9.1
+
diff --git a/meta/recipes-devtools/qemu/files/exclude-some-arm-EABI-obsolete-syscalls.patch b/meta/recipes-devtools/qemu/qemu/exclude-some-arm-EABI-obsolete-syscalls.patch
index 171bda7e95..171bda7e95 100644
--- a/meta/recipes-devtools/qemu/files/exclude-some-arm-EABI-obsolete-syscalls.patch
+++ b/meta/recipes-devtools/qemu/qemu/exclude-some-arm-EABI-obsolete-syscalls.patch
diff --git a/meta/recipes-devtools/qemu/qemu/larger_default_ram_size.patch b/meta/recipes-devtools/qemu/qemu/larger_default_ram_size.patch
deleted file mode 100644
index 711c36071d..0000000000
--- a/meta/recipes-devtools/qemu/qemu/larger_default_ram_size.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-This patch is taken from debian. 128M is too less sometimes if distro
-with lot of packages is booted so this patch raises the default to 384M
-
-It has not been applied to upstream qemu
-
-Khem Raj <raj.khem@gmail.com>
-
-Upstream-Status: Pending
-
-Index: qemu-0.14.0/vl.c
-===================================================================
---- qemu-0.14.0.orig/vl.c
-+++ qemu-0.14.0/vl.c
-@@ -168,7 +168,7 @@ int main(int argc, char **argv)
- //#define DEBUG_NET
- //#define DEBUG_SLIRP
- 
--#define DEFAULT_RAM_SIZE 128
-+#define DEFAULT_RAM_SIZE 384
- 
- #define MAX_VIRTIO_CONSOLES 1
- 
diff --git a/meta/recipes-devtools/qemu/qemu/no-valgrind.patch b/meta/recipes-devtools/qemu/qemu/no-valgrind.patch
new file mode 100644
index 0000000000..91f728042d
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/no-valgrind.patch
@@ -0,0 +1,19 @@
+There isn't an option to enable or disable valgrind support, so disable it to avoid non-deterministic builds.
+
+Upstream-Status: Inappropriate
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+diff --git a/configure b/configure
+index b3c4f51..4d3929e 100755
+--- a/configure
++++ b/configure
+@@ -4193,9 +4192,0 @@ valgrind_h=no
+-cat > $TMPC << EOF
+-#include <valgrind/valgrind.h>
+-int main(void) {
+-  return 0;
+-}
+-EOF
+-if compile_prog "" "" ; then
+-    valgrind_h=yes
+-fi
diff --git a/meta/recipes-devtools/qemu/qemu/qemu-CVE-2015-3456.patch b/meta/recipes-devtools/qemu/qemu/qemu-CVE-2015-3456.patch
deleted file mode 100644
index f05441fce6..0000000000
--- a/meta/recipes-devtools/qemu/qemu/qemu-CVE-2015-3456.patch
+++ /dev/null
@@ -1,92 +0,0 @@
-qemu: CVE-2015-3456
-
-the patch comes from:
-https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3456
-http://git.qemu.org/?p=qemu.git;a=commit;h=e907746266721f305d67bc0718795fedee2e824c
-
-fdc: force the fifo access to be in bounds of the allocated buffer
-
-During processing of certain commands such as FD_CMD_READ_ID and
-FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
-get out of bounds leading to memory corruption with values coming
-from the guest.
-
-Fix this by making sure that the index is always bounded by the
-allocated memory.
-
-This is CVE-2015-3456.
-
-Signed-off-by: Petr Matousek <pmatouse@redhat.com>
-Reviewed-by: John Snow <jsnow@redhat.com>
-Signed-off-by: John Snow <jsnow@redhat.com>
-Signed-off-by: Li Wang <li.wang@windriver.com>
-
-Upstream-Status: Backport
-
-Signed-off-by: Kai Kang <kai.kang@windriver.com>
----
- hw/block/fdc.c |   17 +++++++++++------
- 1 file changed, 11 insertions(+), 6 deletions(-)
-
-diff --git a/hw/block/fdc.c b/hw/block/fdc.c
-index 490d127..045459e 100644
---- a/hw/block/fdc.c
-+++ b/hw/block/fdc.c
-@@ -1436,7 +1436,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
- {
-     FDrive *cur_drv;
-     uint32_t retval = 0;
--    int pos;
-+    uint32_t pos;
- 
-     cur_drv = get_cur_drv(fdctrl);
-     fdctrl->dsr &= ~FD_DSR_PWRDOWN;
-@@ -1445,8 +1445,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
-         return 0;
-     }
-     pos = fdctrl->data_pos;
-+    pos %= FD_SECTOR_LEN;
-     if (fdctrl->msr & FD_MSR_NONDMA) {
--        pos %= FD_SECTOR_LEN;
-         if (pos == 0) {
-             if (fdctrl->data_pos != 0)
-                 if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
-@@ -1790,10 +1790,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction)
- static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
- {
-     FDrive *cur_drv = get_cur_drv(fdctrl);
-+    uint32_t pos;
- 
--    if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
-+    pos = fdctrl->data_pos - 1;
-+    pos %= FD_SECTOR_LEN;
-+    if (fdctrl->fifo[pos] & 0x80) {
-         /* Command parameters done */
--        if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
-+        if (fdctrl->fifo[pos] & 0x40) {
-             fdctrl->fifo[0] = fdctrl->fifo[1];
-             fdctrl->fifo[2] = 0;
-             fdctrl->fifo[3] = 0;
-@@ -1893,7 +1896,7 @@ static uint8_t command_to_handler[256];
- static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
- {
-     FDrive *cur_drv;
--    int pos;
-+    uint32_t pos;
- 
-     /* Reset mode */
-     if (!(fdctrl->dor & FD_DOR_nRESET)) {
-@@ -1941,7 +1944,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
-     }
- 
-     FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
--    fdctrl->fifo[fdctrl->data_pos++] = value;
-+    pos = fdctrl->data_pos++;
-+    pos %= FD_SECTOR_LEN;
-+    fdctrl->fifo[pos] = value;
-     if (fdctrl->data_pos == fdctrl->data_len) {
-         /* We now have all parameters
-          * and will be able to treat the command
--- 
-1.7.9.5
-
diff --git a/meta/recipes-devtools/qemu/files/qemu-enlarge-env-entry-size.patch b/meta/recipes-devtools/qemu/qemu/qemu-enlarge-env-entry-size.patch
index c7425ab8d4..c7425ab8d4 100644
--- a/meta/recipes-devtools/qemu/files/qemu-enlarge-env-entry-size.patch
+++ b/meta/recipes-devtools/qemu/qemu/qemu-enlarge-env-entry-size.patch
diff --git a/meta/recipes-devtools/qemu/qemu/run-ptest b/meta/recipes-devtools/qemu/qemu/run-ptest
new file mode 100644
index 0000000000..f4b8e97e1e
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/run-ptest
@@ -0,0 +1,8 @@
+#!/bin/sh
+#
+#This script is used to run qemu test suites
+ptestdir=$(pwd)
+cd tests
+
+export SRC_PATH=$ptestdir
+make -k runtest-TESTS | sed '/: OK/ s/^/PASS: /g'
diff --git a/meta/recipes-devtools/qemu/qemu/slirp-CVE-2014-3640.patch b/meta/recipes-devtools/qemu/qemu/slirp-CVE-2014-3640.patch
deleted file mode 100644
index a7ecf31c01..0000000000
--- a/meta/recipes-devtools/qemu/qemu/slirp-CVE-2014-3640.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 9a72433843d912a45046959b1953861211d1838d Mon Sep 17 00:00:00 2001
-From: Petr Matousek <pmatouse@redhat.com>
-Date: Thu, 18 Sep 2014 08:35:37 +0200
-Subject: [PATCH] slirp: udp: fix NULL pointer dereference because of
- uninitialized socket
-
-When guest sends udp packet with source port and source addr 0,
-uninitialized socket is picked up when looking for matching and already
-created udp sockets, and later passed to sosendto() where NULL pointer
-dereference is hit during so->slirp->vnetwork_mask.s_addr access.
-
-Fix this by checking that the socket is not just a socket stub.
-
-This is CVE-2014-3640.
-
-Upstream-Status: Backport
-
-Signed-off-by: Petr Matousek <pmatouse@redhat.com>
-Reported-by: Xavier Mehrenberger <xavier.mehrenberger@airbus.com>
-Reported-by: Stephane Duverger <stephane.duverger@eads.net>
-Reviewed-by: Jan Kiszka <jan.kiszka@siemens.com>
-Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
-Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
-Message-id: 20140918063537.GX9321@dhcp-25-225.brq.redhat.com
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-(cherry picked from commit 01f7cecf0037997cb0e58ec0d56bf9b5a6f7cb2a)
-Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
----
- slirp/udp.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/slirp/udp.c b/slirp/udp.c
-index 8cc6cb6..f77e00f 100644
---- a/slirp/udp.c
-+++ b/slirp/udp.c
-@@ -152,7 +152,7 @@ udp_input(register struct mbuf *m, int iphlen)
-         * Locate pcb for datagram.
-         */
-        so = slirp->udp_last_so;
--       if (so->so_lport != uh->uh_sport ||
-+       if (so == &slirp->udb || so->so_lport != uh->uh_sport ||
-            so->so_laddr.s_addr != ip->ip_src.s_addr) {
-                struct socket *tmp;
- 
--- 
-1.9.1
-
diff --git a/meta/recipes-devtools/qemu/qemu/smc91c111_fix.patch b/meta/recipes-devtools/qemu/qemu/smc91c111_fix.patch
new file mode 100644
index 0000000000..e37e777347
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/smc91c111_fix.patch
@@ -0,0 +1,74 @@
+The smc91c111.c driver appears to have several issues. The can_receive()
+function can return that the driver is ready when rx_fifo has not been 
+freed yet. There is also no sanity check of rx_fifo() in _receive() which
+can lead to corruption of the rx_fifo array.
+
+release_packet() can also call qemu_flush_queued_packets() before rx_fifo 
+has been cleaned up, resulting in cases where packets are submitted
+for which there is not yet any space.
+
+This patch therefore:
+
+* fixes the logic in can_receive()
+* adds logic to receive() as a sanity check
+* moves the flush() calls to the correct places where data is ready
+  to be received
+
+Upstream-Status: Pending [discussion in progress on mailing list]
+RP 2015/9/7
+
+Index: qemu-2.4.0/hw/net/smc91c111.c
+===================================================================
+--- qemu-2.4.0.orig/hw/net/smc91c111.c
++++ qemu-2.4.0/hw/net/smc91c111.c
+@@ -185,7 +185,6 @@ static void smc91c111_release_packet(smc
+     s->allocated &= ~(1 << packet);
+     if (s->tx_alloc == 0x80)
+         smc91c111_tx_alloc(s);
+-    qemu_flush_queued_packets(qemu_get_queue(s->nic));
+ }
+ 
+ /* Flush the TX FIFO.  */
+@@ -237,9 +236,11 @@ static void smc91c111_do_tx(smc91c111_st
+             }
+         }
+ #endif
+-        if (s->ctr & CTR_AUTO_RELEASE)
++        if (s->ctr & CTR_AUTO_RELEASE) {
+             /* Race?  */
+             smc91c111_release_packet(s, packetnum);
++            qemu_flush_queued_packets(qemu_get_queue(s->nic));
++        }
+         else if (s->tx_fifo_done_len < NUM_PACKETS)
+             s->tx_fifo_done[s->tx_fifo_done_len++] = packetnum;
+         qemu_send_packet(qemu_get_queue(s->nic), p, len);
+@@ -379,9 +380,11 @@ static void smc91c111_writeb(void *opaqu
+                     smc91c111_release_packet(s, s->rx_fifo[0]);
+                 }
+                 smc91c111_pop_rx_fifo(s);
++                qemu_flush_queued_packets(qemu_get_queue(s->nic));
+                 break;
+             case 5: /* Release.  */
+                 smc91c111_release_packet(s, s->packet_num);
++                qemu_flush_queued_packets(qemu_get_queue(s->nic));
+                 break;
+             case 6: /* Add to TX FIFO.  */
+                 smc91c111_queue_tx(s, s->packet_num);
+@@ -642,7 +642,7 @@ static int smc91c111_can_receive(NetClie
+ 
+     if ((s->rcr & RCR_RXEN) == 0 || (s->rcr & RCR_SOFT_RST))
+         return 1;
+-    if (s->allocated == (1 << NUM_PACKETS) - 1)
++    if ((s->allocated == (1 << NUM_PACKETS) - 1) || (s->rx_fifo_len == NUM_PACKETS))
+         return 0;
+     return 1;
+ }
+@@ -671,6 +671,8 @@ static ssize_t smc91c111_receive(NetClie
+     /* TODO: Flag overrun and receive errors.  */
+     if (packetsize > 2048)
+         return -1;
++    if  (s->rx_fifo_len == NUM_PACKETS)
++        return -1;    
+     packetnum = smc91c111_allocate_packet(s);
+     if (packetnum == 0x80)
+         return -1;
diff --git a/meta/recipes-devtools/qemu/qemu/smc91c111_fix1.patch b/meta/recipes-devtools/qemu/qemu/smc91c111_fix1.patch
new file mode 100644
index 0000000000..bd1223a446
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/smc91c111_fix1.patch
@@ -0,0 +1,85 @@
+From: Peter Crosthwaite <crosthwaitepeter@gmail.com>
+Subject: [RFT PATCH v1 1/3] net: smc91c111: guard flush_queued_packets() on
+ can_rx()
+Date: Thu, 10 Sep 2015 21:23:43 -0700
+
+Check that the core can once again receive packets before asking the
+net layer to do a flush. This will make it more convenient to flush
+packets when adding new conditions to can_receive.
+
+Add missing if braces while moving the can_receive() core code.
+
+Signed-off-by: Peter Crosthwaite <crosthwaite.peter@gmail.com>
+
+Upstream-Status: Submitted
+
+---
+
+ hw/net/smc91c111.c | 30 ++++++++++++++++++++++--------
+ 1 file changed, 22 insertions(+), 8 deletions(-)
+
+Index: qemu-2.4.0/hw/net/smc91c111.c
+===================================================================
+--- qemu-2.4.0.orig/hw/net/smc91c111.c
++++ qemu-2.4.0/hw/net/smc91c111.c
+@@ -124,6 +124,24 @@ static void smc91c111_update(smc91c111_s
+     qemu_set_irq(s->irq, level);
+ }
+ 
++static int smc91c111_can_receive(smc91c111_state *s)
++{
++    if ((s->rcr & RCR_RXEN) == 0 || (s->rcr & RCR_SOFT_RST)) {
++        return 1;
++    }
++    if (s->allocated == (1 << NUM_PACKETS) - 1) {
++        return 0;
++    }
++    return 1;
++}
++
++static inline void smc91c111_flush_queued_packets(smc91c111_state *s)
++{
++    if (smc91c111_can_receive(s)) {
++        qemu_flush_queued_packets(qemu_get_queue(s->nic));
++    }
++}
++
+ /* Try to allocate a packet.  Returns 0x80 on failure.  */
+ static int smc91c111_allocate_packet(smc91c111_state *s)
+ {
+@@ -185,7 +203,7 @@ static void smc91c111_release_packet(smc
+     s->allocated &= ~(1 << packet);
+     if (s->tx_alloc == 0x80)
+         smc91c111_tx_alloc(s);
+-    qemu_flush_queued_packets(qemu_get_queue(s->nic));
++    smc91c111_flush_queued_packets(s);
+ }
+ 
+ /* Flush the TX FIFO.  */
+@@ -636,15 +654,11 @@ static uint32_t smc91c111_readl(void *op
+     return val;
+ }
+ 
+-static int smc91c111_can_receive(NetClientState *nc)
++static int smc91c111_can_receive_nc(NetClientState *nc)
+ {
+     smc91c111_state *s = qemu_get_nic_opaque(nc);
+ 
+-    if ((s->rcr & RCR_RXEN) == 0 || (s->rcr & RCR_SOFT_RST))
+-        return 1;
+-    if (s->allocated == (1 << NUM_PACKETS) - 1)
+-        return 0;
+-    return 1;
++    return smc91c111_can_receive(s);
+ }
+ 
+ static ssize_t smc91c111_receive(NetClientState *nc, const uint8_t *buf, size_t size)
+@@ -739,7 +753,7 @@ static const MemoryRegionOps smc91c111_m
+ static NetClientInfo net_smc91c111_info = {
+     .type = NET_CLIENT_OPTIONS_KIND_NIC,
+     .size = sizeof(NICState),
+-    .can_receive = smc91c111_can_receive,
++    .can_receive = smc91c111_can_receive_nc,
+     .receive = smc91c111_receive,
+ };
+ 
diff --git a/meta/recipes-devtools/qemu/qemu/smc91c111_fix2.patch b/meta/recipes-devtools/qemu/qemu/smc91c111_fix2.patch
new file mode 100644
index 0000000000..018aed5f80
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/smc91c111_fix2.patch
@@ -0,0 +1,46 @@
+From: Peter Crosthwaite <crosthwaitepeter@gmail.com>
+X-Google-Original-From: Peter Crosthwaite <crosthwaite.peter@gmail.com>
+To: qemu-devel@nongnu.org
+Cc: peter.maydell@linaro.org, richard.purdie@linuxfoundation.org
+Subject: [RFT PATCH v1 2/3] net: smc91c111: gate can_receive() on rx FIFO
+ having a slot
+Date: Thu, 10 Sep 2015 21:23:57 -0700
+
+Return false from can_receive() when the FIFO doesn't have a free RX
+slot. This fixes a bug in the current code where the allocated buffer
+is freed before the fifo pop, triggering a premature flush of queued RX
+packets. It also will handle a corner case, where the guest manually
+frees the allocated buffer before popping the rx FIFO (hence it is not
+enough to just delay the flush_queued_packets()).
+
+Reported-by: Richard Purdie <richard.purdie@linuxfoundation.org>
+Signed-off-by: Peter Crosthwaite <crosthwaite.peter@gmail.com>
+
+Upstream-Status: Submitted
+---
+
+ hw/net/smc91c111.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+Index: qemu-2.4.0/hw/net/smc91c111.c
+===================================================================
+--- qemu-2.4.0.orig/hw/net/smc91c111.c
++++ qemu-2.4.0/hw/net/smc91c111.c
+@@ -129,7 +129,8 @@ static int smc91c111_can_receive(smc91c1
+     if ((s->rcr & RCR_RXEN) == 0 || (s->rcr & RCR_SOFT_RST)) {
+         return 1;
+     }
+-    if (s->allocated == (1 << NUM_PACKETS) - 1) {
++    if (s->allocated == (1 << NUM_PACKETS) - 1 ||
++        s->rx_fifo_len == NUM_PACKETS) {
+         return 0;
+     }
+     return 1;
+@@ -182,6 +183,7 @@ static void smc91c111_pop_rx_fifo(smc91c
+     } else {
+         s->int_level &= ~INT_RCV;
+     }
++    smc91c111_flush_queued_packets(s);
+     smc91c111_update(s);
+ }
+ 
diff --git a/meta/recipes-devtools/qemu/qemu/smc91c111_fix3.patch b/meta/recipes-devtools/qemu/qemu/smc91c111_fix3.patch
new file mode 100644
index 0000000000..9e865f7f09
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/smc91c111_fix3.patch
@@ -0,0 +1,33 @@
+From: Peter Crosthwaite <crosthwaitepeter@gmail.com>
+To: qemu-devel@nongnu.org
+Cc: peter.maydell@linaro.org, richard.purdie@linuxfoundation.org
+Subject: [RFT PATCH v1 3/3] net: smc91c111: flush packets on RCR register
+ changes
+Date: Thu, 10 Sep 2015 21:24:12 -0700
+
+The SOFT_RST or RXEN in the control register can be used as a condition
+to unblock the net layer via can_receive(). So check for possible
+flushes on RCR changes. This will drop all pending packets on soft
+reset or disable which is the functional intent of the can_receive()
+logic.
+
+Signed-off-by: Peter Crosthwaite <crosthwaite.peter@gmail.com>
+
+Upstream-Status: Submitted
+---
+
+ hw/net/smc91c111.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+Index: qemu-2.4.0/hw/net/smc91c111.c
+===================================================================
+--- qemu-2.4.0.orig/hw/net/smc91c111.c
++++ qemu-2.4.0/hw/net/smc91c111.c
+@@ -331,6 +331,7 @@ static void smc91c111_writeb(void *opaqu
+             if (s->rcr & RCR_SOFT_RST) {
+                 smc91c111_reset(DEVICE(s));
+             }
++            smc91c111_flush_queued_packets(s);
+             return;
+         case 10: case 11: /* RPCR */
+             /* Ignored */
diff --git a/meta/recipes-devtools/qemu/qemu/vnc-CVE-2014-7815.patch b/meta/recipes-devtools/qemu/qemu/vnc-CVE-2014-7815.patch
deleted file mode 100644
index 10a6dacbe5..0000000000
--- a/meta/recipes-devtools/qemu/qemu/vnc-CVE-2014-7815.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From b2f1d90530301d7915dddc8a750063757675b21a Mon Sep 17 00:00:00 2001
-From: Petr Matousek <pmatouse@redhat.com>
-Date: Mon, 27 Oct 2014 12:41:44 +0100
-Subject: [PATCH] vnc: sanitize bits_per_pixel from the client
-
-bits_per_pixel that are less than 8 could result in accessing
-non-initialized buffers later in the code due to the expectation
-that bytes_per_pixel value that is used to initialize these buffers is
-never zero.
-
-To fix this check that bits_per_pixel from the client is one of the
-values that the rfb protocol specification allows.
-
-This is CVE-2014-7815.
-
-Upstream-Status: Backport
-
-Signed-off-by: Petr Matousek <pmatouse@redhat.com>
-
-[ kraxel: apply codestyle fix ]
-
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-(cherry picked from commit e6908bfe8e07f2b452e78e677da1b45b1c0f6829)
-Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
----
- ui/vnc.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/ui/vnc.c b/ui/vnc.c
-index f8d9b7d..87e34ae 100644
---- a/ui/vnc.c
-+++ b/ui/vnc.c
-@@ -2026,6 +2026,16 @@ static void set_pixel_format(VncState *vs,
-         return;
-     }
- 
-+    switch (bits_per_pixel) {
-+    case 8:
-+    case 16:
-+    case 32:
-+        break;
-+    default:
-+        vnc_client_error(vs);
-+        return;
-+    }
-+
-     vs->client_pf.rmax = red_max;
-     vs->client_pf.rbits = hweight_long(red_max);
-     vs->client_pf.rshift = red_shift;
--- 
-1.9.1
-
diff --git a/meta/recipes-devtools/qemu/qemu/wacom.patch b/meta/recipes-devtools/qemu/qemu/wacom.patch
index fd1b4a6963..cd06aa4ac6 100644
--- a/meta/recipes-devtools/qemu/qemu/wacom.patch
+++ b/meta/recipes-devtools/qemu/qemu/wacom.patch
@@ -1,7 +1,7 @@
 The USB wacom device is missing a HID descriptor which causes it
 to fail to operate with recent kernels (e.g. 3.17).
 
-This patch adds a HID desriptor to the device, based upon one from
+This patch adds a HID desriptor to the device, based upon one from 
 real wcom device.
 
 Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
@@ -16,12 +16,12 @@ Index: qemu-2.1.0/hw/usb/dev-wacom.c
 @@ -68,6 +68,89 @@
      [STR_SERIALNUMBER]     = "1",
  };
-
+ 
 +static const uint8_t qemu_tablet_hid_report_descriptor[] = {
 +    0x05, 0x01,                /* Usage Page (Generic Desktop) */
 +    0x09, 0x02,                /* Usage (Mouse) */
 +    0xa1, 0x01,                /* Collection (Application) */
-+    0x85, 0x01,                /*   Report ID (1) */
++    0x85, 0x01,                /*   Report ID (1) */ 
 +    0x09, 0x01,                /*   Usage (Pointer) */
 +    0xa1, 0x00,                /*   Collection (Physical) */
 +    0x05, 0x09,                /*     Usage Page (Button) */
@@ -48,7 +48,7 @@ Index: qemu-2.1.0/hw/usb/dev-wacom.c
 +    0x05, 0x0d,                /* Usage Page (Digitizer) */
 +    0x09, 0x01,                /* Usage (Digitizer) */
 +    0xa1, 0x01,                /* Collection (Application) */
-+    0x85, 0x02,                /*   Report ID (2) */
++    0x85, 0x02,                /*   Report ID (2) */ 
 +    0xa1, 0x00,                /*   Collection (Physical) */
 +    0x06, 0x00, 0xff,   /*   Usage Page (Vendor 0xff00) */
 +    0x09, 0x01,        /*   Usage (Digitizer) */
@@ -59,14 +59,14 @@ Index: qemu-2.1.0/hw/usb/dev-wacom.c
 +    0x81, 0x02,                /*     Input (Data, Variable, Absolute) */
 +    0xc0,              /*   End Collection */
 +    0x09, 0x01,                /*   Usage (Digitizer) */
-+    0x85, 0x02,        /*   Report ID (2) */
++    0x85, 0x02,        /*   Report ID (2) */ 
 +    0x95, 0x01,                /*   Report Count (1) */
 +    0xb1, 0x02,                /*   FEATURE (2) */
 +    0xc0,              /* End Collection */
 +    0x06, 0x00, 0xff,  /* Usage Page (Vendor 0xff00) */
 +    0x09, 0x01,                /* Usage (Digitizer) */
 +    0xa1, 0x01,                /* Collection (Application) */
-+    0x85, 0x02,        /*   Report ID (2) */
++    0x85, 0x02,        /*   Report ID (2) */ 
 +    0x05, 0x0d,                /*   Usage Page (Digitizer)  */
 +    0x09, 0x22,        /*   Usage (Finger) */
 +    0xa1, 0x00,        /*   Collection (Physical) */
@@ -95,7 +95,7 @@ Index: qemu-2.1.0/hw/usb/dev-wacom.c
 +    0x75, 0x08,                /*     Report Size (8) */
 +    0x95, 0x0d,                /*     Report Count (13) */
 +    0x81, 0x02,                /*     Input (Data, Variable, Absolute) */
-+    0xc0,              /*   End Collection */
++    0xc0,              /*   End Collection */ 
 +    0xc0,              /* End Collection */
 +};
 +
@@ -114,7 +114,7 @@ Index: qemu-2.1.0/hw/usb/dev-wacom.c
      },
 @@ -265,6 +350,15 @@
      }
-
+ 
      switch (request) {
 +    case InterfaceRequest | USB_REQ_GET_DESCRIPTOR:
 +        switch (value >> 8) {
diff --git a/meta/recipes-devtools/qemu/qemu_2.1.0.bb b/meta/recipes-devtools/qemu/qemu_2.1.0.bb
deleted file mode 100644
index 92a89d699c..0000000000
--- a/meta/recipes-devtools/qemu/qemu_2.1.0.bb
+++ /dev/null
@@ -1,32 +0,0 @@
-require qemu.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=441c28d2cf86e15a37fa47e15a72fbac \
-                    file://COPYING.LIB;endline=24;md5=c04def7ae38850e7d3ef548588159913"
-
-SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
-            file://qemu-enlarge-env-entry-size.patch \
-            file://Qemu-Arm-versatilepb-Add-memory-size-checking.patch \
-            file://0001-Back-porting-security-fix-CVE-2014-5388.patch \
-            file://qemu-CVE-2015-3456.patch \
-            file://CVE-2014-7840.patch \
-            file://vnc-CVE-2014-7815.patch \
-            file://slirp-CVE-2014-3640.patch \
-            "
-SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"
-SRC_URI[md5sum] = "6726977292b448cbc7f89998fac6983b"
-SRC_URI[sha256sum] = "397e23184f4bf613589a8fe0c6542461dc2afdf17ed337e97e6fd2f31e8f8802"
-
-COMPATIBLE_HOST_class-target_mips64 = "null"
-
-do_sanitize_sources() {
-    # These .git files point to a nonexistent path "../.git/modules" and will confuse git
-    # if it tries to recurse into those directories.
-    rm -f ${S}/dtc/.git ${S}/pixman/.git
-}
-
-addtask sanitize_sources after do_unpack before do_patch
-
-do_install_append() {
-    # Prevent QA warnings about installed ${localstatedir}/run
-    if [ -d ${D}${localstatedir}/run ]; then rmdir ${D}${localstatedir}/run; fi
-}
diff --git a/meta/recipes-devtools/qemu/qemu_2.4.0.bb b/meta/recipes-devtools/qemu/qemu_2.4.0.bb
new file mode 100644
index 0000000000..8d47b16e64
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu_2.4.0.bb
@@ -0,0 +1,33 @@
+require qemu.inc
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=441c28d2cf86e15a37fa47e15a72fbac \
+                    file://COPYING.LIB;endline=24;md5=c04def7ae38850e7d3ef548588159913"
+
+SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
+            file://qemu-enlarge-env-entry-size.patch \
+            file://Qemu-Arm-versatilepb-Add-memory-size-checking.patch \
+            file://smc91c111_fix1.patch \
+            file://smc91c111_fix2.patch \
+            file://smc91c111_fix3.patch \
+            file://no-valgrind.patch \
+            file://CVE-2015-8504.patch \
+            file://CVE-2015-7504.patch \
+            file://CVE-2015-7512.patch \
+            file://CVE-2015-8345.patch \
+            file://CVE-2016-1568.patch \
+            file://CVE-2015-7295_1.patch \
+            file://CVE-2015-7295_2.patch \
+            file://CVE-2015-7295_3.patch \
+            file://CVE-2016-2197.patch \
+            file://CVE-2016-2198.patch \
+           "
+SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"
+SRC_URI[md5sum] = "186ee8194140a484a455f8e3c74589f4"
+SRC_URI[sha256sum] = "72b0b991bbcc540663a019e1e8c4f714053b691dda32c9b9ee80b25f367e6620"
+
+COMPATIBLE_HOST_class-target_mips64 = "null"
+
+do_install_append() {
+    # Prevent QA warnings about installed ${localstatedir}/run
+    if [ -d ${D}${localstatedir}/run ]; then rmdir ${D}${localstatedir}/run; fi
+}
diff --git a/meta/recipes-devtools/qemu/qemu_git.bb b/meta/recipes-devtools/qemu/qemu_git.bb
deleted file mode 100644
index a30932a8ba..0000000000
--- a/meta/recipes-devtools/qemu/qemu_git.bb
+++ /dev/null
@@ -1,15 +0,0 @@
-require qemu.inc
-
-SRCREV = "04024dea2674861fcf13582a77b58130c67fccd8"
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=441c28d2cf86e15a37fa47e15a72fbac \
-                    file://COPYING.LIB;endline=24;md5=c04def7ae38850e7d3ef548588159913"
-
-PV = "1.3.0+git${SRCPV}"
-
-SRC_URI_prepend = "git://git.qemu.org/qemu.git"
-S = "${WORKDIR}/git"
-
-DEFAULT_PREFERENCE = "-1"
-
-COMPATIBLE_HOST_class-target_mips64 = "null"
diff --git a/meta/recipes-devtools/qemu/qemuwrapper-cross_1.0.bb b/meta/recipes-devtools/qemu/qemuwrapper-cross_1.0.bb
index d2981b5575..7f4c6d9349 100644
--- a/meta/recipes-devtools/qemu/qemuwrapper-cross_1.0.bb
+++ b/meta/recipes-devtools/qemu/qemuwrapper-cross_1.0.bb
@@ -2,6 +2,8 @@ SUMMARY = "QEMU wrapper script"
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
 
+S = "${WORKDIR}"
+
 inherit qemu
 
 do_install () {
@@ -9,7 +11,7 @@ do_install () {
 
         echo "#!/bin/sh" > ${D}${bindir_crossscripts}/qemuwrapper
         qemu_binary=${@qemu_target_binary(d)}
-        qemu_options='${@d.getVar("QEMU_OPTIONS_%s" % d.getVar('PACKAGE_ARCH', True), True) or d.getVar('QEMU_OPTIONS', True) or ""}'
+        qemu_options='${QEMU_OPTIONS}'
         echo "$qemu_binary $qemu_options \"\$@\"" >> ${D}${bindir_crossscripts}/qemuwrapper
         fallback_qemu_bin=
         case $qemu_binary in