From 17a9a734122e446bd2708a4273af1fe4eacb87ae Mon Sep 17 00:00:00 2001 From: Sona Sarmadi Date: Wed, 10 May 2017 14:17:34 +0200 Subject: qemu: upgrade to 2.7.0 This upgrade can fix a qemuppc + openssh bug, the ssh connection may be refused or closed randomly, and it's not easy to reproduce. RP pointed out that this upgrade can fix the problem, and it does work in my local testing. * Update add-ptest-in-makefile.patch Here is the Changelog: http://wiki.qemu.org/ChangeLog/2.7 (From OE-Core rev: 056ce17e168bf856ff95a6f659098403169cb889) Signed-off-by: Robert Yang Signed-off-by: Richard Purdie Signed-off-by: Sona Sarmadi Signed-off-by: Adrian Dudau --- meta/recipes-devtools/qemu/qemu.inc | 3 +- .../recipes-devtools/qemu/qemu/CVE-2016-4002.patch | 39 -------- .../recipes-devtools/qemu/qemu/CVE-2016-4439.patch | 46 --------- .../recipes-devtools/qemu/qemu/CVE-2016-4441.patch | 78 --------------- .../recipes-devtools/qemu/qemu/CVE-2016-4952.patch | 105 --------------------- .../recipes-devtools/qemu/qemu/CVE-2016-5403.patch | 67 ------------- .../qemu/qemu/CVE-2016-6351_p1.patch | 75 --------------- .../qemu/qemu/CVE-2016-6351_p2.patch | 60 ------------ .../qemu/qemu/add-ptest-in-makefile.patch | 19 ++-- meta/recipes-devtools/qemu/qemu_2.6.0.bb | 30 ------ meta/recipes-devtools/qemu/qemu_2.7.0.bb | 22 +++++ 11 files changed, 33 insertions(+), 511 deletions(-) delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2016-4002.patch delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2016-4439.patch delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2016-4441.patch delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2016-4952.patch delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2016-5403.patch delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2016-6351_p1.patch delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2016-6351_p2.patch delete mode 100644 meta/recipes-devtools/qemu/qemu_2.6.0.bb create mode 100644 meta/recipes-devtools/qemu/qemu_2.7.0.bb 
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 36d600f0ea..509bc95972 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -66,7 +66,8 @@ do_install_ptest() { cp -rL ${B}/tests ${D}${PTEST_PATH} find ${D}${PTEST_PATH}/tests -type f -name "*.[Sshcod]" | xargs -i rm -rf {} - cp ${S}/tests/Makefile ${D}${PTEST_PATH}/tests + cp ${S}/tests/Makefile.include ${D}${PTEST_PATH}/tests + } do_install () { diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-4002.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-4002.patch deleted file mode 100644 index 69c11e27d9..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2016-4002.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 7a2c32ec06533c54ddaf70136bfbd89eeaf6db16 Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit -Date: Thu, 7 Apr 2016 15:56:02 +0530 -Subject: [PATCH] net: mipsnet: check packet length against buffer - -When receiving packets over MIPSnet network device, it uses -receive buffer of size 1514 bytes. In case the controller -accepts large(MTU) packets, it could lead to memory corruption. -Add check to avoid it. - -Reported by: Oleksandr Bazhaniuk -Signed-off-by: Prasad J Pandit -Signed-off-by: Jason Wang - -(cherry picked from commit 3af9187fc6caaf415ab9c0c6d92c9678f65cb17f) -Signed-off-by: Michael Roth - -Upstream-Status: Backport -CVE: CVE-2016-4002 -Signed-off-by: Armin Kuster - ---- - hw/net/mipsnet.c | 3 +++ - 1 file changed, 3 insertions(+) - -Index: qemu-2.4.0/hw/net/mipsnet.c -=================================================================== ---- qemu-2.4.0.orig/hw/net/mipsnet.c -+++ qemu-2.4.0/hw/net/mipsnet.c -@@ -82,6 +82,9 @@ static ssize_t mipsnet_receive(NetClient - if (!mipsnet_can_receive(nc)) - return 0; - -+ if (size >= sizeof(s->rx_buffer)) { -+ return 0; -+ } - s->busy = 1; - - /* Just accept everything. */ 
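Review bot: The changed `cp` in do_install_ptest now installs `tests/Makefile.include` in place of `tests/Makefile`, but the diffstat shows no change to whatever script runs the installed tests. If that runner invokes `make` in the tests directory without naming a makefile, it will presumably no longer find one and would need `make -f Makefile.include` (or the file installed under the old name); this is worth confirming before merge, since a ptest suite that silently stops running hides regressions. The hunk also adds an empty line before the closing `}` that can be dropped. The body of do_install_ptest starts above the hunk, so the rest of the function is not visible here.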
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-4439.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-4439.patch deleted file mode 100644 index 5d3b9a92d5..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2016-4439.patch +++ /dev/null @@ -1,46 +0,0 @@ -From 0a5e3685ea10c578f8063ca0dbb009af45693d85 Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit -Date: Thu, 19 May 2016 16:09:30 +0530 -Subject: [PATCH] esp: check command buffer length before write(CVE-2016-4439) - -The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte -FIFO buffer. It is used to handle command and data transfer. While -writing to this command buffer 's->cmdbuf[TI_BUFSZ=16]', a check -was missing to validate input length. Add check to avoid OOB write -access. - -Fixes CVE-2016-4439. - -Reported-by: Li Qiang -Cc: qemu-stable@nongnu.org -Signed-off-by: Prasad J Pandit -Message-Id: <1463654371-11169-2-git-send-email-ppandit@redhat.com> -Signed-off-by: Paolo Bonzini -(cherry picked from commit c98c6c105f66f05aa0b7c1d2a4a3f716450907ef) -Signed-off-by: Michael Roth - -Upstream-Status: Backport -CVE: CVE-2016-4439 -Signed-off-by: Armin Kuster - ---- - hw/scsi/esp.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -Index: qemu-2.4.0/hw/scsi/esp.c -=================================================================== ---- qemu-2.4.0.orig/hw/scsi/esp.c -+++ qemu-2.4.0/hw/scsi/esp.c -@@ -446,7 +446,11 @@ void esp_reg_write(ESPState *s, uint32_t - break; - case ESP_FIFO: - if (s->do_cmd) { -- s->cmdbuf[s->cmdlen++] = val & 0xff; -+ if (s->cmdlen < TI_BUFSZ) { -+ s->cmdbuf[s->cmdlen++] = val & 0xff; -+ } else { -+ trace_esp_error_fifo_overrun(); -+ } - } else if (s->ti_size == TI_BUFSZ - 1) { - trace_esp_error_fifo_overrun(); - } else { diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-4441.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-4441.patch deleted file mode 100644 index 3cbe394bfd..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2016-4441.patch +++ /dev/null 
@@ -1,78 +0,0 @@ -From 6c1fef6b59563cc415f21e03f81539ed4b33ad90 Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit -Date: Thu, 19 May 2016 16:09:31 +0530 -Subject: [PATCH] esp: check dma length before reading scsi command(CVE-2016-4441) - -The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte -FIFO buffer. It is used to handle command and data transfer. -Routine get_cmd() uses DMA to read scsi commands into this buffer. -Add check to validate DMA length against buffer size to avoid any -overrun. - -Fixes CVE-2016-4441. - -Upstream-Status: Backport - -Reported-by: Li Qiang -Cc: qemu-stable@nongnu.org -Signed-off-by: Prasad J Pandit -Message-Id: <1463654371-11169-3-git-send-email-ppandit@redhat.com> -Signed-off-by: Paolo Bonzini -Signed-off-by: Adrian Dudau ---- - hw/scsi/esp.c | 11 +++++++---- - 1 files changed, 7 insertions(+), 4 deletions(-) - -diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c -index 01497e6..591c817 100644 ---- a/hw/scsi/esp.c -+++ b/hw/scsi/esp.c -@@ -82,7 +82,7 @@ void esp_request_cancelled(SCSIRequest *req) - } - } - --static uint32_t get_cmd(ESPState *s, uint8_t *buf) -+static uint32_t get_cmd(ESPState *s, uint8_t *buf, uint8_t buflen) - { - uint32_t dmalen; - int target; -@@ -92,6 +92,9 @@ static uint32_t get_cmd(ESPState *s, uint8_t *buf) - dmalen = s->rregs[ESP_TCLO]; - dmalen |= s->rregs[ESP_TCMID] << 8; - dmalen |= s->rregs[ESP_TCHI] << 16; -+ if (dmalen > buflen) { -+ return 0; -+ } - s->dma_memory_read(s->dma_opaque, buf, dmalen); - } else { - dmalen = s->ti_size; -@@ -166,7 +169,7 @@ static void handle_satn(ESPState *s) - s->dma_cb = handle_satn; - return; - } -- len = get_cmd(s, buf); -+ len = get_cmd(s, buf, sizeof(buf)); - if (len) - do_cmd(s, buf); - } -@@ -180,7 +183,7 @@ static void handle_s_without_atn(ESPState *s) - s->dma_cb = handle_s_without_atn; - return; - } -- len = get_cmd(s, buf); -+ len = get_cmd(s, buf, sizeof(buf)); - if (len) { - do_busid_cmd(s, buf, 0); - } -@@ -192,7 +195,7 @@ static void 
handle_satn_stop(ESPState *s) - s->dma_cb = handle_satn_stop; - return; - } -- s->cmdlen = get_cmd(s, s->cmdbuf); -+ s->cmdlen = get_cmd(s, s->cmdbuf, sizeof(s->cmdbuf)); - if (s->cmdlen) { - trace_esp_handle_satn_stop(s->cmdlen); - s->do_cmd = 1; --- -1.7.0.4 - diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-4952.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-4952.patch deleted file mode 100644 index 52d2a1e3d0..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2016-4952.patch +++ /dev/null 
@@ -1,105 +0,0 @@ -From 3e831b40e015ba34dfb55ff11f767001839425ff Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit -Date: Mon, 23 May 2016 16:18:05 +0530 -Subject: [PATCH] scsi: pvscsi: check command descriptor ring buffer size (CVE-2016-4952) - -Vmware Paravirtual SCSI emulation uses command descriptors to -process SCSI commands. These descriptors come with their ring -buffers. A guest could set the ring buffer size to an arbitrary -value leading to OOB access issue. Add check to avoid it. - -Upstream-Status: Backported - -Reported-by: Li Qiang -Signed-off-by: Prasad J Pandit -Cc: qemu-stable@nongnu.org -Message-Id: <1464000485-27041-1-git-send-email-ppandit@redhat.com> -Reviewed-by: Shmulik Ladkani -Reviewed-by: Dmitry Fleytman -Signed-off-by: Paolo Bonzini -Signed-off-by: Adrian Dudau ---- - hw/scsi/vmw_pvscsi.c | 24 ++++++++++++++++++++---- - 1 files changed, 20 insertions(+), 4 deletions(-) - -diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c -index f67b5bf..2d7528d 100644 ---- a/hw/scsi/vmw_pvscsi.c -+++ b/hw/scsi/vmw_pvscsi.c -@@ -153,7 +153,7 @@ pvscsi_log2(uint32_t input) - return log; - } - --static void -+static int - pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri) - { - int i; -@@ -161,6 +161,10 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri) - uint32_t req_ring_size, cmp_ring_size; - m->rs_pa = ri->ringsStatePPN << VMW_PAGE_SHIFT; - -+ if ((ri->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES) -+ || (ri->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)) { -+ return -1; -+ } - req_ring_size = ri->reqRingNumPages * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE; - cmp_ring_size = ri->cmpRingNumPages * PVSCSI_MAX_NUM_CMP_ENTRIES_PER_PAGE; - txr_len_log2 = pvscsi_log2(req_ring_size - 1); -@@ -192,15 +196,20 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri) - - /* Flush ring state page changes */ - smp_wmb(); -+ -+ return 0; - } - --static void -+static int - 
pvscsi_ring_init_msg(PVSCSIRingInfo *m, PVSCSICmdDescSetupMsgRing *ri) - { - int i; - uint32_t len_log2; - uint32_t ring_size; - -+ if (ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) { -+ return -1; -+ } - ring_size = ri->numPages * PVSCSI_MAX_NUM_MSG_ENTRIES_PER_PAGE; - len_log2 = pvscsi_log2(ring_size - 1); - -@@ -220,6 +229,8 @@ pvscsi_ring_init_msg(PVSCSIRingInfo *m, PVSCSICmdDescSetupMsgRing *ri) - - /* Flush ring state page changes */ - smp_wmb(); -+ -+ return 0; - } - - static void -@@ -770,7 +781,10 @@ pvscsi_on_cmd_setup_rings(PVSCSIState *s) - trace_pvscsi_on_cmd_arrived("PVSCSI_CMD_SETUP_RINGS"); - - pvscsi_dbg_dump_tx_rings_config(rc); -- pvscsi_ring_init_data(&s->rings, rc); -+ if (pvscsi_ring_init_data(&s->rings, rc) < 0) { -+ return PVSCSI_COMMAND_PROCESSING_FAILED; -+ } -+ - s->rings_info_valid = TRUE; - return PVSCSI_COMMAND_PROCESSING_SUCCEEDED; - } -@@ -850,7 +864,9 @@ pvscsi_on_cmd_setup_msg_ring(PVSCSIState *s) - } - - if (s->rings_info_valid) { -- pvscsi_ring_init_msg(&s->rings, rc); -+ if (pvscsi_ring_init_msg(&s->rings, rc) < 0) { -+ return PVSCSI_COMMAND_PROCESSING_FAILED; -+ } - s->msg_ring_info_valid = TRUE; - } - return sizeof(PVSCSICmdDescSetupMsgRing) / sizeof(uint32_t); --- -1.7.0.4 - diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-5403.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-5403.patch deleted file mode 100644 index fe084f5b08..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2016-5403.patch +++ /dev/null 
@@ -1,67 +0,0 @@ -From afd9096eb1882f23929f5b5c177898ed231bac66 Mon Sep 17 00:00:00 2001 -From: Stefan Hajnoczi -Date: Tue, 19 Jul 2016 13:07:13 +0100 -Subject: [PATCH] virtio: error out if guest exceeds virtqueue size - -A broken or malicious guest can submit more requests than the virtqueue -size permits, causing unbounded memory allocation in QEMU. - -The guest can submit requests without bothering to wait for completion -and is therefore not bound by virtqueue size. This requires reusing -vring descriptors in more than one request, which is not allowed by the -VIRTIO 1.0 specification. - -In "3.2.1 Supplying Buffers to The Device", the VIRTIO 1.0 specification -says: - - 1. The driver places the buffer into free descriptor(s) in the - descriptor table, chaining as necessary - -and - - Note that the above code does not take precautions against the - available ring buffer wrapping around: this is not possible since the - ring buffer is the same size as the descriptor table, so step (1) will - prevent such a condition. - -This implies that placing more buffers into the virtqueue than the -descriptor table size is not allowed. - -QEMU is missing the check to prevent this case. Processing a request -allocates a VirtQueueElement leading to unbounded memory allocation -controlled by the guest. - -Exit with an error if the guest provides more requests than the -virtqueue size permits. This bounds memory allocation and makes the -buggy guest visible to the user. - -This patch fixes CVE-2016-5403 and was reported by Zhenhao Hong from 360 -Marvel Team, China. 
- -Reported-by: Zhenhao Hong -Signed-off-by: Stefan Hajnoczi - -Upstream-Status: Backport -CVE: CVE-2106-5403 -Signed-off-by: Armin Kuster - ---- - hw/virtio/virtio.c | 5 +++++ - 1 file changed, 5 insertions(+) - -Index: qemu-2.4.0/hw/virtio/virtio.c -=================================================================== ---- qemu-2.4.0.orig/hw/virtio/virtio.c -+++ qemu-2.4.0/hw/virtio/virtio.c -@@ -483,6 +483,11 @@ int virtqueue_pop(VirtQueue *vq, VirtQue - - max = vq->vring.num; - -+ if (vq->inuse >= vq->vring.num) { -+ error_report("Virtqueue size exceeded"); -+ exit(1); -+ } -+ - i = head = virtqueue_get_head(vq, vq->last_avail_idx++); - if (virtio_has_feature(vdev, VIRTIO_RING_F_EVENT_IDX)) { - vring_set_avail_event(vq, vq->last_avail_idx); diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-6351_p1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-6351_p1.patch deleted file mode 100644 index 350ae2becc..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2016-6351_p1.patch +++ /dev/null 
@@ -1,75 +0,0 @@ -From 926cde5f3e4d2504ed161ed0cb771ac7cad6fd11 Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit -Date: Thu, 16 Jun 2016 00:22:35 +0200 -Subject: [PATCH] scsi: esp: make cmdbuf big enough for maximum CDB size - -While doing DMA read into ESP command buffer 's->cmdbuf', it could -write past the 's->cmdbuf' area, if it was transferring more than 16 -bytes. Increase the command buffer size to 32, which is maximum when -'s->do_cmd' is set, and add a check on 'len' to avoid OOB access. - -Reported-by: Li Qiang -Signed-off-by: Prasad J Pandit -Signed-off-by: Paolo Bonzini - -Upstream-Status: Backport -CVE: CVE-2016-6351 patch1 -Signed-off-by: Armin Kuster - ---- - hw/scsi/esp.c | 6 ++++-- - include/hw/scsi/esp.h | 3 ++- - 2 files changed, 6 insertions(+), 3 deletions(-) - -Index: qemu-2.4.0/hw/scsi/esp.c -=================================================================== ---- qemu-2.4.0.orig/hw/scsi/esp.c -+++ qemu-2.4.0/hw/scsi/esp.c -@@ -241,6 +241,8 @@ static void esp_do_dma(ESPState *s) - len = s->dma_left; - if (s->do_cmd) { - trace_esp_do_dma(s->cmdlen, len); -+ assert (s->cmdlen <= sizeof(s->cmdbuf) && -+ len <= sizeof(s->cmdbuf) - s->cmdlen); - s->dma_memory_read(s->dma_opaque, &s->cmdbuf[s->cmdlen], len); - s->ti_size = 0; - s->cmdlen = 0; -@@ -340,7 +342,7 @@ static void handle_ti(ESPState *s) - s->dma_counter = dmalen; - - if (s->do_cmd) -- minlen = (dmalen < 32) ? dmalen : 32; -+ minlen = (dmalen < ESP_CMDBUF_SZ) ? dmalen : ESP_CMDBUF_SZ; - else if (s->ti_size < 0) - minlen = (dmalen < -s->ti_size) ? 
dmalen : -s->ti_size; - else -@@ -446,7 +448,7 @@ void esp_reg_write(ESPState *s, uint32_t - break; - case ESP_FIFO: - if (s->do_cmd) { -- if (s->cmdlen < TI_BUFSZ) { -+ if (s->cmdlen < ESP_CMDBUF_SZ) { - s->cmdbuf[s->cmdlen++] = val & 0xff; - } else { - trace_esp_error_fifo_overrun(); -Index: qemu-2.4.0/include/hw/scsi/esp.h -=================================================================== ---- qemu-2.4.0.orig/include/hw/scsi/esp.h -+++ qemu-2.4.0/include/hw/scsi/esp.h -@@ -14,6 +14,7 @@ void esp_init(hwaddr espaddr, int it_shi - - #define ESP_REGS 16 - #define TI_BUFSZ 16 -+#define ESP_CMDBUF_SZ 32 - - typedef struct ESPState ESPState; - -@@ -31,7 +32,7 @@ struct ESPState { - SCSIBus bus; - SCSIDevice *current_dev; - SCSIRequest *current_req; -- uint8_t cmdbuf[TI_BUFSZ]; -+ uint8_t cmdbuf[ESP_CMDBUF_SZ]; - uint32_t cmdlen; - uint32_t do_cmd; - diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-6351_p2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-6351_p2.patch deleted file mode 100644 index c4ed354e8e..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2016-6351_p2.patch +++ /dev/null 
@@ -1,60 +0,0 @@ -From cc96677469388bad3d66479379735cf75db069e3 Mon Sep 17 00:00:00 2001 -From: Paolo Bonzini -Date: Mon, 20 Jun 2016 16:32:39 +0200 -Subject: [PATCH] scsi: esp: fix migration - -Commit 926cde5 ("scsi: esp: make cmdbuf big enough for maximum CDB size", -2016-06-16) changed the size of a migrated field. Split it in two -parts, and only migrate the second part in a new vmstate version. - -Signed-off-by: Paolo Bonzini - -Upstream-Status: Backport -CVE: CVE-2016-6351 patch1 -Signed-off-by: Armin Kuster - ---- - hw/scsi/esp.c | 5 +++-- - include/migration/vmstate.h | 5 ++++- - 2 files changed, 7 insertions(+), 3 deletions(-) - -Index: qemu-2.4.0/hw/scsi/esp.c -=================================================================== ---- qemu-2.4.0.orig/hw/scsi/esp.c -+++ qemu-2.4.0/hw/scsi/esp.c -@@ -571,7 +571,7 @@ static bool esp_mem_accepts(void *opaque - - const VMStateDescription vmstate_esp = { - .name ="esp", -- .version_id = 3, -+ .version_id = 4, - .minimum_version_id = 3, - .fields = (VMStateField[]) { - VMSTATE_BUFFER(rregs, ESPState), -@@ -582,7 +582,8 @@ const VMStateDescription vmstate_esp = { - VMSTATE_BUFFER(ti_buf, ESPState), - VMSTATE_UINT32(status, ESPState), - VMSTATE_UINT32(dma, ESPState), -- VMSTATE_BUFFER(cmdbuf, ESPState), -+ VMSTATE_PARTIAL_BUFFER(cmdbuf, ESPState, 16), -+ VMSTATE_BUFFER_START_MIDDLE_V(cmdbuf, ESPState, 16, 4), - VMSTATE_UINT32(cmdlen, ESPState), - VMSTATE_UINT32(do_cmd, ESPState), - VMSTATE_UINT32(dma_left, ESPState), -Index: qemu-2.4.0/include/migration/vmstate.h -=================================================================== ---- qemu-2.4.0.orig/include/migration/vmstate.h -+++ qemu-2.4.0/include/migration/vmstate.h -@@ -778,8 +778,11 @@ extern const VMStateInfo vmstate_info_bi - #define VMSTATE_PARTIAL_BUFFER(_f, _s, _size) \ - VMSTATE_STATIC_BUFFER(_f, _s, 0, NULL, 0, _size) - -+#define VMSTATE_BUFFER_START_MIDDLE_V(_f, _s, _start, _v) \ -+ VMSTATE_STATIC_BUFFER(_f, _s, _v, NULL, _start, 
sizeof(typeof_field(_s, _f))) -+ - #define VMSTATE_BUFFER_START_MIDDLE(_f, _s, _start) \ -- VMSTATE_STATIC_BUFFER(_f, _s, 0, NULL, _start, sizeof(typeof_field(_s, _f))) -+ VMSTATE_BUFFER_START_MIDDLE_V(_f, _s, _start, 0) - - #define VMSTATE_PARTIAL_VBUFFER(_f, _s, _size) \ - VMSTATE_VBUFFER(_f, _s, 0, NULL, 0, _size) diff --git a/meta/recipes-devtools/qemu/qemu/add-ptest-in-makefile.patch b/meta/recipes-devtools/qemu/qemu/add-ptest-in-makefile.patch index a99f72098c..2ce3478e4a 100644 --- a/meta/recipes-devtools/qemu/qemu/add-ptest-in-makefile.patch +++ b/meta/recipes-devtools/qemu/qemu/add-ptest-in-makefile.patch @@ -4,14 +4,14 @@ Add subpackage -ptest which runs all unit test cases for qemu. Signed-off-by: Kai Kang --- - tests/Makefile | 10 ++++++++++ - 1 file changed, 10 insertions(+) + tests/Makefile.include | 8 ++++++++ + 1 file changed, 8 insertions(+) -diff --git a/tests/Makefile b/tests/Makefile -index 88f7105..3f40b4b 100644 ---- a/tests/Makefile -+++ b/tests/Makefile -@@ -405,3 +405,12 @@ all: $(QEMU_IOTESTS_HELPERS-y) +diff --git a/tests/Makefile.include b/tests/Makefile.include +index 14be491..0fce37a 100644 +--- a/tests/Makefile.include ++++ b/tests/Makefile.include +@@ -776,3 +776,11 @@ all: $(QEMU_IOTESTS_HELPERS-y) -include $(wildcard tests/*.d) -include $(wildcard tests/libqos/*.d) @@ -23,7 +23,6 @@ index 88f7105..3f40b4b 100644 + nf=$$(echo $$f | sed 's/tests\//\.\//g'); \ + $$nf; \ + done -+ --- -1.7.9.5 +-- +2.9.0 diff --git a/meta/recipes-devtools/qemu/qemu_2.6.0.bb b/meta/recipes-devtools/qemu/qemu_2.6.0.bb deleted file mode 100644 index 837e6aef6b..0000000000 --- a/meta/recipes-devtools/qemu/qemu_2.6.0.bb +++ /dev/null 
@@ -1,30 +0,0 @@ -require qemu.inc - -LIC_FILES_CHKSUM = "file://COPYING;md5=441c28d2cf86e15a37fa47e15a72fbac \ - file://COPYING.LIB;endline=24;md5=c04def7ae38850e7d3ef548588159913" - -SRC_URI += "file://configure-fix-Darwin-target-detection.patch \ - file://qemu-enlarge-env-entry-size.patch \ - file://Qemu-Arm-versatilepb-Add-memory-size-checking.patch \ - file://no-valgrind.patch \ - file://pathlimit.patch \ - file://CVE-2016-4439.patch \ - file://CVE-2016-6351_p1.patch \ - file://CVE-2016-6351_p2.patch \ - file://CVE-2016-4002.patch \ - file://CVE-2016-5403.patch \ - file://CVE-2016-4441.patch \ - file://CVE-2016-4952.patch \ - " -SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2" - -SRC_URI[md5sum] = "ca3f70b43f093e33e9e014f144067f13" -SRC_URI[sha256sum] = "c9ac4a651b273233d21b8bec32e30507cb9cce7900841febc330956a1a8434ec" - - -COMPATIBLE_HOST_class-target_mips64 = "null" - -do_install_append() { - # Prevent QA warnings about installed ${localstatedir}/run - if [ -d ${D}${localstatedir}/run ]; then rmdir ${D}${localstatedir}/run; fi -} diff --git a/meta/recipes-devtools/qemu/qemu_2.7.0.bb b/meta/recipes-devtools/qemu/qemu_2.7.0.bb new file mode 100644 index 0000000000..5be9768a1c --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu_2.7.0.bb 
@@ -0,0 +1,22 @@ +require qemu.inc + +LIC_FILES_CHKSUM = "file://COPYING;md5=441c28d2cf86e15a37fa47e15a72fbac \ + file://COPYING.LIB;endline=24;md5=c04def7ae38850e7d3ef548588159913" + +SRC_URI += "file://configure-fix-Darwin-target-detection.patch \ + file://qemu-enlarge-env-entry-size.patch \ + file://Qemu-Arm-versatilepb-Add-memory-size-checking.patch \ + file://no-valgrind.patch \ + file://pathlimit.patch \ + " +SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2" + +SRC_URI[md5sum] = "08d4d06d1cb598efecd796137f4844ab" +SRC_URI[sha256sum] = "326e739506ba690daf69fc17bd3913a6c313d9928d743bd8eddb82f403f81e53" + +COMPATIBLE_HOST_class-target_mips64 = "null" + +do_install_append() { + # Prevent QA warnings about installed ${localstatedir}/run + if [ -d ${D}${localstatedir}/run ]; then rmdir ${D}${localstatedir}/run; fi +} -- cgit v1.2.3-54-g00ecf
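Review bot: The new recipe's `SRC_URI` drops all seven CVE-2016-* backport files that qemu_2.6.0.bb listed, while the commit message only links the 2.7 ChangeLog and never states that each fix is present in the 2.7.0 tarball. The removed patches carry upstream commit references in their headers, so those can be checked against the 2.7.0 source; once verified, record it where CVE tracking will see it, for example a recipe comment such as `# CVE-2016-4002, -4439, -4441, -4952, -5403, -6351: fixed upstream in 2.7.0, backports dropped`. Separately, `SRC_URI_prepend` still fetches over plain `http://`; the pinned `SRC_URI[sha256sum]` protects integrity of the download, but an https location would be preferable if upstream provides one.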