10 files changed, 590 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2014-7840.patch b/meta/recipes-devtools/qemu/qemu/CVE-2014-7840.patch
new file mode 100644
index 0000000000..4f992bae14
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2014-7840.patch
@@ -0,0 +1,57 @@
+From 0be839a2701369f669532ea5884c15bead1c6e08 Mon Sep 17 00:00:00 2001
+From: "Michael S. Tsirkin" <mst@redhat.com>
+Date: Wed, 12 Nov 2014 11:44:39 +0200
+Subject: [PATCH] migration: fix parameter validation on ram load
+During migration, the values read from migration stream during ram load
+are not validated. Especially offset in host_from_stream_offset() and
+also the length of the writes in the callers of said function.
+To fix this, we need to make sure that the [offset, offset + length]
+range fits into one of the allocated memory regions.
+Validating addr < len should be sufficient since data seems to always be
+managed in TARGET_PAGE_SIZE chunks.
+Fixes: CVE-2014-7840
+Upstream-Status: Backport
+Note: follow-up patches add extra checks on each block->host access.
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
+Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Signed-off-by: Amit Shah <amit.shah@redhat.com>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ arch_init.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+diff --git a/arch_init.c b/arch_init.c
+index 88a5ba0..593a990 100644
+--- a/arch_init.c
+++ b/arch_init.c
+@@ -1006,7 +1006,7 @@ static inline void *host_from_stream_offset(QEMUFile *f,
+     uint8_t len;
+ 
+     if (flags & RAM_SAVE_FLAG_CONTINUE) {
+-        if (!block) {
+        if (!block || block->length <= offset) {
+             error_report("Ack, bad migration stream!");
+             return NULL;
+         }
+@@ -1019,8 +1019,9 @@ static inline void *host_from_stream_offset(QEMUFile *f,
+     id[len] = 0;
+ 
+     QTAILQ_FOREACH(block, &ram_list.blocks, next) {
+-        if (!strncmp(id, block->idstr, sizeof(id)))
+        if (!strncmp(id, block->idstr, sizeof(id)) && block->length > offset) {
+             return memory_region_get_ram_ptr(block->mr) + offset;
+        }
+     }
+ 
+     error_report("Can't find block %s!", id);
+-- 
+1.9.1
diff --git a/meta/recipes-devtools/qemu/qemu/configure-fix-Darwin-target-detection.patch b/meta/recipes-devtools/qemu/qemu/configure-fix-Darwin-target-detection.patch
new file mode 100644
index 0000000000..59cdc1c304
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/configure-fix-Darwin-target-detection.patch
@@ -0,0 +1,32 @@
+Upstream-Status: Pending
+Signed-off-by: Cristian Iorga <cristian.iorga@intel.com>
+From 9ac096d8eccf2d56ece646320c282c8369f8337c Mon Sep 17 00:00:00 2001
+From: Cristian Iorga <cristian.iorga@intel.com>
+Date: Tue, 29 Jul 2014 18:35:59 +0300
+Subject: [PATCH] configure: fix Darwin target detection
+fix Darwin target detection for qemu
+cross-compilation.
+Signed-off-by: Cristian Iorga <cristian.iorga@intel.com>
+---
+ configure | 2 ++
+ 1 file changed, 2 insertions(+)
+diff --git a/configure b/configure
+index 283c71c..1c66a11 100755
+--- a/configure
+++ b/configure
+@@ -444,6 +444,8 @@ elif check_define __sun__ ; then
+   targetos='SunOS'
+ elif check_define __HAIKU__ ; then
+   targetos='Haiku'
+elif check_define __APPLE__ ; then
+  targetos='Darwin'
+ else
+   targetos=`uname -s`
+ fi
+-- 
+1.9.1
diff --git a/meta/recipes-devtools/qemu/qemu/disable-grabs.patch b/meta/recipes-devtools/qemu/qemu/disable-grabs.patch
new file mode 100644
index 0000000000..41726b1c87
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/disable-grabs.patch
@@ -0,0 +1,72 @@
+When the pointer enters the Qemu window it calls SDL_WM_GrabInput, which calls
+XGrabPointer in a busyloop until it returns GrabSuccess. However if there's already
+a pointer grab (screen is locked, a menu is open) then qemu will hang until the
+grab can be taken.  In the specific case of a headless X server on an autobuilder, once
+the screensaver has kicked in any qemu instance that appears underneath the
+pointer will hang.
+I'm not entirely sure why pointer grabs are required (the documentation
+explicitly says it doesn't do grabs when using a tablet, which we are) so wrap
+them in a conditional that can be set by the autobuilder environment, preserving
+the current grabbing behaviour for everyone else.
+Upstream-Status: Pending
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+From 4b1988ecb01a178269ec0513a75f2ec620c7ef6a Mon Sep 17 00:00:00 2001
+From: Ross Burton <ross.burton@intel.com>
+Date: Wed, 18 Sep 2013 14:04:54 +0100
+Subject: [PATCH] sdl.c: allow user to disable pointer grabs
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+Signed-off-by: Eric Bénard <eric@eukrea.com>
+---
+ ui/sdl.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+diff --git a/ui/sdl.c b/ui/sdl.c
+index 39a42d6..9b8abe5 100644
+--- a/ui/sdl.c
+++ b/ui/sdl.c
+@@ -59,6 +59,10 @@ static SDL_Cursor *guest_sprite = NULL;
+ static SDL_PixelFormat host_format;
+ static int scaling_active = 0;
+ static Notifier mouse_mode_notifier;
+#ifndef True
+#define True 1
+#endif
+static doing_grabs = True;
+ 
+ static void sdl_update(DisplayChangeListener *dcl,
+                        int x, int y, int w, int h)
+@@ -384,14 +388,16 @@ static void sdl_grab_start(void)
+             SDL_WarpMouse(guest_x, guest_y);
+     } else
+         sdl_hide_cursor();
+-    SDL_WM_GrabInput(SDL_GRAB_ON);
+    if (doing_grabs)
+      SDL_WM_GrabInput(SDL_GRAB_ON);
+     gui_grab = 1;
+     sdl_update_caption();
+ }
+ 
+ static void sdl_grab_end(void)
+ {
+-    SDL_WM_GrabInput(SDL_GRAB_OFF);
+    if (doing_grabs)
+      SDL_WM_GrabInput(SDL_GRAB_OFF);
+     gui_grab = 0;
+     sdl_show_cursor();
+     sdl_update_caption();
+@@ -909,6 +915,8 @@ void sdl_display_init(DisplayState *ds, int full_screen, int no_frame)
+      * This requires SDL >= 1.2.14. */
+     setenv("SDL_DISABLE_LOCK_KEYS", "1", 1);
+ 
+    doing_grabs = (getenv("QEMU_DONT_GRAB") == NULL);
+
+     flags = SDL_INIT_VIDEO | SDL_INIT_NOPARACHUTE;
+     if (SDL_Init (flags)) {
+         fprintf(stderr, "Could not initialize SDL(%s) - exiting\n",
+-- 
+1.8.3.1
diff --git a/meta/recipes-devtools/qemu/qemu/fix-libcap-header-issue-on-some-distro.patch b/meta/recipes-devtools/qemu/qemu/fix-libcap-header-issue-on-some-distro.patch
new file mode 100644
index 0000000000..13a6ea23b1
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/fix-libcap-header-issue-on-some-distro.patch
@@ -0,0 +1,84 @@
+fix libcap header issue on some distro
+1, When build qemu-native on SLED 11.2, there is an error:
+...
+| In file included from /usr/include/bits/sigcontext.h:28,
+|  from /usr/include/signal.h:339,
+|  from /buildarea2/tmp/work/i686-linux/qemu-native/1.4.0-r0/
+qemu-1.4.0/include/qemu-common.h:42,
+|  from fsdev/virtfs-proxy-helper.c:23:
+|  /usr/include/asm/sigcontext.h:28: error: expected specifier-
+qualifier-list before '__u64'
+|  /usr/include/asm/sigcontext.h:191: error: expected specifier-
+qualifier-list before '__u64'
+...
+2, The virtfs-proxy-helper.c includes <sys/capability.h> and
+qemu-common.h in sequence. The header include map is:
+(`-->' presents `include')
+...
+"virtfs-proxy-helper.c" --> <sys/capability.h>
+...
+"virtfs-proxy-helper.c" --> "qemu-common.h" --> <signal.h> -->
+<bits/sigcontext.h> --> <asm/sigcontext.h> --> <linux/types.h> -->
+<asm/types.h> --> <asm-generic/types.h> --> <asm-generic/int-ll64.h>
+...
+3, The bug is found on SLED 11.2 x86. In libcap header file
+/usr/include/sys/capability.h, it does evil stuff like this:
+...
+  25 /*
+  26  * Make sure we can be included from userland by preventing
+  27  * capability.h from including other kernel headers
+  28  */
+  29 #define _LINUX_TYPES_H
+  30 #define _LINUX_FS_H
+  31 #define __LINUX_COMPILER_H
+  32 #define __user
+  33
+  34 typedef unsigned int __u32;
+  35 typedef __u32 __le32;
+...
+This completely prevents including /usr/include/linux/types.h.
+The above `<asm/sigcontext.h> --> <linux/types.h>' is prevented,
+and '__u64' is defined in <asm-generic/int-ll64.h>.
+4, Modify virtfs-proxy-helper.c to include <sys/capability.h>
+last to workaround the issue.
+http://www.linuxtv.org/pipermail/vdr/2009-August/021194.html
+http://patchwork.linuxtv.org/patch/12748/
+Upstream-Status: Pending
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ fsdev/virtfs-proxy-helper.c |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+diff --git a/fsdev/virtfs-proxy-helper.c b/fsdev/virtfs-proxy-helper.c
+--- a/fsdev/virtfs-proxy-helper.c
+++ b/fsdev/virtfs-proxy-helper.c
+@@ -12,7 +12,6 @@
+ #include <sys/resource.h>
+ #include <getopt.h>
+ #include <syslog.h>
+-#include <sys/capability.h>
+ #include <sys/fsuid.h>
+ #include <sys/vfs.h>
+ #include <sys/ioctl.h>
+@@ -26,7 +25,11 @@
+ #include "virtio-9p-marshal.h"
+ #include "hw/9pfs/virtio-9p-proxy.h"
+ #include "fsdev/virtio-9p-marshal.h"
+-
+/*
+ * Include this one last due to some versions of it being buggy:
+ * http://www.linuxtv.org/pipermail/vdr/2009-August/021194.html
+ */
+#include <sys/capability.h>
+ #define PROGNAME "virtfs-proxy-helper"
+ 
+ #ifndef XFS_SUPER_MAGIC
+-- 
+1.7.10.4
diff --git a/meta/recipes-devtools/qemu/qemu/larger_default_ram_size.patch b/meta/recipes-devtools/qemu/qemu/larger_default_ram_size.patch
new file mode 100644
index 0000000000..711c36071d
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/larger_default_ram_size.patch
@@ -0,0 +1,22 @@
+This patch is taken from debian. 128M is too less sometimes if distro
+with lot of packages is booted so this patch raises the default to 384M
+It has not been applied to upstream qemu
+Khem Raj <raj.khem@gmail.com>
+Upstream-Status: Pending
+Index: qemu-0.14.0/vl.c
+===================================================================
+--- qemu-0.14.0.orig/vl.c
+++ qemu-0.14.0/vl.c
+@@ -168,7 +168,7 @@ int main(int argc, char **argv)
+ //#define DEBUG_NET
+ //#define DEBUG_SLIRP
+ 
+-#define DEFAULT_RAM_SIZE 128
+#define DEFAULT_RAM_SIZE 384
+ 
+ #define MAX_VIRTIO_CONSOLES 1
+ 
diff --git a/meta/recipes-devtools/qemu/qemu/powerpc_rom.bin b/meta/recipes-devtools/qemu/qemu/powerpc_rom.bin
new file mode 100644
index 0000000000..c4044296c5
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/powerpc_rom.bin
Binary files differ
diff --git a/meta/recipes-devtools/qemu/qemu/qemu-CVE-2015-3456.patch b/meta/recipes-devtools/qemu/qemu/qemu-CVE-2015-3456.patch
new file mode 100644
index 0000000000..f05441fce6
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/qemu-CVE-2015-3456.patch
@@ -0,0 +1,92 @@
+qemu: CVE-2015-3456
+the patch comes from:
+https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3456
+http://git.qemu.org/?p=qemu.git;a=commit;h=e907746266721f305d67bc0718795fedee2e824c
+fdc: force the fifo access to be in bounds of the allocated buffer
+During processing of certain commands such as FD_CMD_READ_ID and
+FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
+get out of bounds leading to memory corruption with values coming
+from the guest.
+Fix this by making sure that the index is always bounded by the
+allocated memory.
+This is CVE-2015-3456.
+Signed-off-by: Petr Matousek <pmatouse@redhat.com>
+Reviewed-by: John Snow <jsnow@redhat.com>
+Signed-off-by: John Snow <jsnow@redhat.com>
+Signed-off-by: Li Wang <li.wang@windriver.com>
+Upstream-Status: Backport
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+ hw/block/fdc.c |   17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+diff --git a/hw/block/fdc.c b/hw/block/fdc.c
+index 490d127..045459e 100644
+--- a/hw/block/fdc.c
+++ b/hw/block/fdc.c
+@@ -1436,7 +1436,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
+ {
+     FDrive *cur_drv;
+     uint32_t retval = 0;
+-    int pos;
+    uint32_t pos;
+ 
+     cur_drv = get_cur_drv(fdctrl);
+     fdctrl->dsr &= ~FD_DSR_PWRDOWN;
+@@ -1445,8 +1445,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
+         return 0;
+     }
+     pos = fdctrl->data_pos;
+    pos %= FD_SECTOR_LEN;
+     if (fdctrl->msr & FD_MSR_NONDMA) {
+-        pos %= FD_SECTOR_LEN;
+         if (pos == 0) {
+             if (fdctrl->data_pos != 0)
+                 if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
+@@ -1790,10 +1790,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction)
+ static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
+ {
+     FDrive *cur_drv = get_cur_drv(fdctrl);
+    uint32_t pos;
+ 
+-    if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
+    pos = fdctrl->data_pos - 1;
+    pos %= FD_SECTOR_LEN;
+    if (fdctrl->fifo[pos] & 0x80) {
+         /* Command parameters done */
+-        if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
+        if (fdctrl->fifo[pos] & 0x40) {
+             fdctrl->fifo[0] = fdctrl->fifo[1];
+             fdctrl->fifo[2] = 0;
+             fdctrl->fifo[3] = 0;
+@@ -1893,7 +1896,7 @@ static uint8_t command_to_handler[256];
+ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
+ {
+     FDrive *cur_drv;
+-    int pos;
+    uint32_t pos;
+ 
+     /* Reset mode */
+     if (!(fdctrl->dor & FD_DOR_nRESET)) {
+@@ -1941,7 +1944,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
+     }
+ 
+     FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
+-    fdctrl->fifo[fdctrl->data_pos++] = value;
+    pos = fdctrl->data_pos++;
+    pos %= FD_SECTOR_LEN;
+    fdctrl->fifo[pos] = value;
+     if (fdctrl->data_pos == fdctrl->data_len) {
+         /* We now have all parameters
+          * and will be able to treat the command
+-- 
+1.7.9.5
diff --git a/meta/recipes-devtools/qemu/qemu/slirp-CVE-2014-3640.patch b/meta/recipes-devtools/qemu/qemu/slirp-CVE-2014-3640.patch
new file mode 100644
index 0000000000..a7ecf31c01
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/slirp-CVE-2014-3640.patch
@@ -0,0 +1,48 @@
+From 9a72433843d912a45046959b1953861211d1838d Mon Sep 17 00:00:00 2001
+From: Petr Matousek <pmatouse@redhat.com>
+Date: Thu, 18 Sep 2014 08:35:37 +0200
+Subject: [PATCH] slirp: udp: fix NULL pointer dereference because of
+ uninitialized socket
+When guest sends udp packet with source port and source addr 0,
+uninitialized socket is picked up when looking for matching and already
+created udp sockets, and later passed to sosendto() where NULL pointer
+dereference is hit during so->slirp->vnetwork_mask.s_addr access.
+Fix this by checking that the socket is not just a socket stub.
+This is CVE-2014-3640.
+Upstream-Status: Backport
+Signed-off-by: Petr Matousek <pmatouse@redhat.com>
+Reported-by: Xavier Mehrenberger <xavier.mehrenberger@airbus.com>
+Reported-by: Stephane Duverger <stephane.duverger@eads.net>
+Reviewed-by: Jan Kiszka <jan.kiszka@siemens.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
+Message-id: 20140918063537.GX9321@dhcp-25-225.brq.redhat.com
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+(cherry picked from commit 01f7cecf0037997cb0e58ec0d56bf9b5a6f7cb2a)
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ slirp/udp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/slirp/udp.c b/slirp/udp.c
+index 8cc6cb6..f77e00f 100644
+--- a/slirp/udp.c
+++ b/slirp/udp.c
+@@ -152,7 +152,7 @@ udp_input(register struct mbuf *m, int iphlen)
+         * Locate pcb for datagram.
+         */
+        so = slirp->udp_last_so;
+-       if (so->so_lport != uh->uh_sport ||
+       if (so == &slirp->udb || so->so_lport != uh->uh_sport ||
+            so->so_laddr.s_addr != ip->ip_src.s_addr) {
+                struct socket *tmp;
+ 
+-- 
+1.9.1
diff --git a/meta/recipes-devtools/qemu/qemu/vnc-CVE-2014-7815.patch b/meta/recipes-devtools/qemu/qemu/vnc-CVE-2014-7815.patch
new file mode 100644
index 0000000000..10a6dacbe5
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/vnc-CVE-2014-7815.patch
@@ -0,0 +1,53 @@
+From b2f1d90530301d7915dddc8a750063757675b21a Mon Sep 17 00:00:00 2001
+From: Petr Matousek <pmatouse@redhat.com>
+Date: Mon, 27 Oct 2014 12:41:44 +0100
+Subject: [PATCH] vnc: sanitize bits_per_pixel from the client
+bits_per_pixel that are less than 8 could result in accessing
+non-initialized buffers later in the code due to the expectation
+that bytes_per_pixel value that is used to initialize these buffers is
+never zero.
+To fix this check that bits_per_pixel from the client is one of the
+values that the rfb protocol specification allows.
+This is CVE-2014-7815.
+Upstream-Status: Backport
+Signed-off-by: Petr Matousek <pmatouse@redhat.com>
+[ kraxel: apply codestyle fix ]
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit e6908bfe8e07f2b452e78e677da1b45b1c0f6829)
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ ui/vnc.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+diff --git a/ui/vnc.c b/ui/vnc.c
+index f8d9b7d..87e34ae 100644
+--- a/ui/vnc.c
+++ b/ui/vnc.c
+@@ -2026,6 +2026,16 @@ static void set_pixel_format(VncState *vs,
+         return;
+     }
+ 
+    switch (bits_per_pixel) {
+    case 8:
+    case 16:
+    case 32:
+        break;
+    default:
+        vnc_client_error(vs);
+        return;
+    }
+
+     vs->client_pf.rmax = red_max;
+     vs->client_pf.rbits = hweight_long(red_max);
+     vs->client_pf.rshift = red_shift;
+-- 
+1.9.1
diff --git a/meta/recipes-devtools/qemu/qemu/wacom.patch b/meta/recipes-devtools/qemu/qemu/wacom.patch
new file mode 100644
index 0000000000..fd1b4a6963
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/wacom.patch
@@ -0,0 +1,130 @@
+The USB wacom device is missing a HID descriptor which causes it
+to fail to operate with recent kernels (e.g. 3.17).
+This patch adds a HID desriptor to the device, based upon one from
+real wcom device.
+Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
+Upstream-Status: Submitted
+2014/11/27
+Index: qemu-2.1.0/hw/usb/dev-wacom.c
+===================================================================
+--- qemu-2.1.0.orig/hw/usb/dev-wacom.c  2014-08-01 15:12:17.000000000 +0100
+++ qemu-2.1.0/hw/usb/dev-wacom.c       2014-10-12 12:13:30.540306042 +0100
+@@ -68,6 +68,89 @@
+     [STR_SERIALNUMBER]     = "1",
+ };
+static const uint8_t qemu_tablet_hid_report_descriptor[] = {
+    0x05, 0x01,                /* Usage Page (Generic Desktop) */
+    0x09, 0x02,                /* Usage (Mouse) */
+    0xa1, 0x01,                /* Collection (Application) */
+    0x85, 0x01,                /*   Report ID (1) */
+    0x09, 0x01,                /*   Usage (Pointer) */
+    0xa1, 0x00,                /*   Collection (Physical) */
+    0x05, 0x09,                /*     Usage Page (Button) */
+    0x19, 0x01,                /*     Usage Minimum (1) */
+    0x29, 0x05,                /*     Usage Maximum (5) */
+    0x15, 0x00,                /*     Logical Minimum (0) */
+    0x25, 0x01,                /*     Logical Maximum (1) */
+    0x95, 0x05,                /*     Report Count (5) */
+    0x75, 0x01,                /*     Report Size (1) */
+    0x81, 0x02,                /*     Input (Data, Variable, Absolute) */
+    0x95, 0x01,                /*     Report Count (1) */
+    0x75, 0x03,                /*     Report Size (3) */
+    0x81, 0x01,                /*     Input (Constant) */
+    0x05, 0x01,                /*     Usage Page (Generic Desktop) */
+    0x09, 0x30,                /*     Usage (X) */
+    0x09, 0x31,                /*     Usage (Y) */
+    0x15, 0x81,                /*     Logical Minimum (-127) */
+    0x25, 0x7f,                /*     Logical Maximum (127) */
+    0x75, 0x08,                /*     Report Size (8) */
+    0x95, 0x02,                /*     Report Count (2) */
+    0x81, 0x06,                /*     Input (Data, Variable, Relative) */
+    0xc0,              /*   End Collection */
+    0xc0,              /* End Collection */
+    0x05, 0x0d,                /* Usage Page (Digitizer) */
+    0x09, 0x01,                /* Usage (Digitizer) */
+    0xa1, 0x01,                /* Collection (Application) */
+    0x85, 0x02,                /*   Report ID (2) */
+    0xa1, 0x00,                /*   Collection (Physical) */
+    0x06, 0x00, 0xff,   /*   Usage Page (Vendor 0xff00) */
+    0x09, 0x01,        /*   Usage (Digitizer) */
+    0x15, 0x00,        /*     Logical Minimum (0) */
+    0x26, 0xff, 0x00,  /*     Logical Maximum (255) */
+    0x75, 0x08,                /*     Report Size (8) */
+    0x95, 0x08,                /*     Report Count (8) */
+    0x81, 0x02,                /*     Input (Data, Variable, Absolute) */
+    0xc0,              /*   End Collection */
+    0x09, 0x01,                /*   Usage (Digitizer) */
+    0x85, 0x02,        /*   Report ID (2) */
+    0x95, 0x01,                /*   Report Count (1) */
+    0xb1, 0x02,                /*   FEATURE (2) */
+    0xc0,              /* End Collection */
+    0x06, 0x00, 0xff,  /* Usage Page (Vendor 0xff00) */
+    0x09, 0x01,                /* Usage (Digitizer) */
+    0xa1, 0x01,                /* Collection (Application) */
+    0x85, 0x02,        /*   Report ID (2) */
+    0x05, 0x0d,                /*   Usage Page (Digitizer)  */
+    0x09, 0x22,        /*   Usage (Finger) */
+    0xa1, 0x00,        /*   Collection (Physical) */
+    0x06, 0x00, 0xff,  /*   Usage Page (Vendor 0xff00) */
+    0x09, 0x01,                /*     Usage (Digitizer) */
+    0x15, 0x00,        /*     Logical Minimum (0) */
+    0x26, 0xff, 0x00,          /*     Logical Maximum */
+    0x75, 0x08,                /*     Report Size (8) */
+    0x95, 0x02,                /*     Report Count (2) */
+    0x81, 0x02,        /*     Input (Data, Variable, Absolute) */
+    0x05, 0x01,                /*     Usage Page (Generic Desktop) */
+    0x09, 0x30,                /*     Usage (X) */
+    0x35, 0x00,        /*     Physical Minimum */
+    0x46, 0xe0, 0x2e,  /*     Physical Maximum */
+    0x26, 0xe0, 0x01,   /*     Logical Maximum */
+    0x75, 0x10,                /*     Report Size (16) */
+    0x95, 0x01,                /*     Report Count (1) */
+    0x81, 0x02,                /*     Input (Data, Variable, Absolute) */
+    0x09, 0x31,                /*     Usage (Y) */
+    0x46, 0x40, 0x1f,  /*     Physical Maximum */
+    0x26, 0x40, 0x01,  /*     Logical Maximum */
+    0x81, 0x02,        /*     Input (Data, Variable, Absolute) */
+    0x06, 0x00, 0xff,  /*     Usage Page (Vendor 0xff00) */
+    0x09, 0x01,        /*     Usage (Digitizer) */
+    0x26, 0xff, 0x00,          /*     Logical Maximum */
+    0x75, 0x08,                /*     Report Size (8) */
+    0x95, 0x0d,                /*     Report Count (13) */
+    0x81, 0x02,                /*     Input (Data, Variable, Absolute) */
+    0xc0,              /*   End Collection */
+    0xc0,              /* End Collection */
+};
+
+
+ static const USBDescIface desc_iface_wacom = {
+     .bInterfaceNumber              = 0,
+     .bNumEndpoints                 = 1,
+@@ -85,7 +168,7 @@
+                 0x00,          /*  u8  country_code */
+                 0x01,          /*  u8  num_descriptors */
+                 0x22,          /*  u8  type: Report */
+-                0x6e, 0,       /*  u16 len */
+                sizeof(qemu_tablet_hid_report_descriptor), 0, /*  u16 len */
+             },
+         },
+     },
+@@ -265,6 +350,15 @@
+     }
+     switch (request) {
+    case InterfaceRequest | USB_REQ_GET_DESCRIPTOR:
+        switch (value >> 8) {
+        case 0x22:
+                memcpy(data, qemu_tablet_hid_report_descriptor,
+                       sizeof(qemu_tablet_hid_report_descriptor));
+                p->actual_length = sizeof(qemu_tablet_hid_report_descriptor);
+            break;
+        }
+        break;
+     case WACOM_SET_REPORT:
+         if (s->mouse_grabbed) {
+             qemu_remove_mouse_event_handler(s->eh_entry);