summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSona Sarmadi <sona.sarmadi@enea.com>2016-04-27 09:48:16 (GMT)
committerNora Björklund <nora.bjorklund@enea.com>2016-04-28 07:02:11 (GMT)
commitd3d0c7af34b996b4518b26d4f3b4eff831a651af (patch)
treed8dc6be1d65668e4cbaf04f47011542ed35b2031
parentc6477d7bc514c951746d6b717c033475fc45f3fc (diff)
downloadpoky-d3d0c7af34b996b4518b26d4f3b4eff831a651af.tar.gz
qemu: Upgrade 2.1.0 to 2.4.0 to address some CVEs
The upgrade addresses following CVEs: CVE-2015-7295 CVE-2015-7504 CVE-2015-7512 CVE-2015-8345 CVE-2015-8504 CVE-2016-1568 CVE-2016-2197 CVE-2016-2198 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Nora Björklund <nora.bjorklund@enea.com>
-rw-r--r--meta/recipes-devtools/qemu/files/0001-Back-porting-security-fix-CVE-2014-5388.patch30
-rw-r--r--meta/recipes-devtools/qemu/qemu.inc51
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2014-7840.patch57
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2015-7295_1.patch63
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2015-7295_2.patch58
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2015-7295_3.patch52
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2015-7504.patch56
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2015-7512.patch44
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2015-8345.patch73
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2015-8504.patch51
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2016-1568.patch46
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2016-2197.patch59
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2016-2198.patch45
-rw-r--r--meta/recipes-devtools/qemu/qemu/Qemu-Arm-versatilepb-Add-memory-size-checking.patch (renamed from meta/recipes-devtools/qemu/files/Qemu-Arm-versatilepb-Add-memory-size-checking.patch)26
-rw-r--r--meta/recipes-devtools/qemu/qemu/add-ptest-in-makefile.patch29
-rw-r--r--meta/recipes-devtools/qemu/qemu/cpus.c-qemu_cpu_kick_thread_debugging.patch76
-rw-r--r--meta/recipes-devtools/qemu/qemu/cpus.c-qemu_mutex_lock_iothread-fix-race-condition-a.patch45
-rw-r--r--meta/recipes-devtools/qemu/qemu/exclude-some-arm-EABI-obsolete-syscalls.patch (renamed from meta/recipes-devtools/qemu/files/exclude-some-arm-EABI-obsolete-syscalls.patch)0
-rw-r--r--meta/recipes-devtools/qemu/qemu/larger_default_ram_size.patch22
-rw-r--r--meta/recipes-devtools/qemu/qemu/no-valgrind.patch19
-rw-r--r--meta/recipes-devtools/qemu/qemu/qemu-CVE-2015-3456.patch92
-rw-r--r--meta/recipes-devtools/qemu/qemu/qemu-enlarge-env-entry-size.patch (renamed from meta/recipes-devtools/qemu/files/qemu-enlarge-env-entry-size.patch)0
-rw-r--r--meta/recipes-devtools/qemu/qemu/run-ptest8
-rw-r--r--meta/recipes-devtools/qemu/qemu/slirp-CVE-2014-3640.patch48
-rw-r--r--meta/recipes-devtools/qemu/qemu/smc91c111_fix.patch74
-rw-r--r--meta/recipes-devtools/qemu/qemu/smc91c111_fix1.patch85
-rw-r--r--meta/recipes-devtools/qemu/qemu/smc91c111_fix2.patch46
-rw-r--r--meta/recipes-devtools/qemu/qemu/smc91c111_fix3.patch33
-rw-r--r--meta/recipes-devtools/qemu/qemu/vnc-CVE-2014-7815.patch53
-rw-r--r--meta/recipes-devtools/qemu/qemu/wacom.patch16
-rw-r--r--meta/recipes-devtools/qemu/qemu_2.1.0.bb32
-rw-r--r--meta/recipes-devtools/qemu/qemu_2.4.0.bb33
-rw-r--r--meta/recipes-devtools/qemu/qemu_git.bb15
-rw-r--r--meta/recipes-devtools/qemu/qemuwrapper-cross_1.0.bb4
34 files changed, 1050 insertions, 391 deletions
diff --git a/meta/recipes-devtools/qemu/files/0001-Back-porting-security-fix-CVE-2014-5388.patch b/meta/recipes-devtools/qemu/files/0001-Back-porting-security-fix-CVE-2014-5388.patch
deleted file mode 100644
index ec541fa..0000000
--- a/meta/recipes-devtools/qemu/files/0001-Back-porting-security-fix-CVE-2014-5388.patch
+++ /dev/null
@@ -1,30 +0,0 @@
1Prevent out-of-bounds array access on
2acpi_pcihp_pci_status.
3
4Upstream-Status: Backport
5
6Signed-off-by: Gonglei <arei.gonglei@huawei.com>
7Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
8---
9v2:
10 - change commit message.
11 - add 'Reviewed-by'
12---
13 hw/acpi/pcihp.c | 2 +-
14 1 file changed, 1 insertion(+), 1 deletion(-)
15
16diff --git a/hw/acpi/pcihp.c b/hw/acpi/pcihp.c
17index fae663a..34dedf1 100644
18--- a/hw/acpi/pcihp.c
19+++ b/hw/acpi/pcihp.c
20@@ -231,7 +231,7 @@ static uint64_t pci_read(void *opaque, hwaddr addr, unsigned int size)
21 uint32_t val = 0;
22 int bsel = s->hotplug_select;
23
24- if (bsel < 0 || bsel > ACPI_PCIHP_MAX_HOTPLUG_BUS) {
25+ if (bsel < 0 || bsel >= ACPI_PCIHP_MAX_HOTPLUG_BUS) {
26 return 0;
27 }
28
29--
301.7.12.4
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index c9a5d32..abbace8 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -3,24 +3,30 @@ HOMEPAGE = "http://qemu.org"
3LICENSE = "GPLv2 & LGPLv2.1" 3LICENSE = "GPLv2 & LGPLv2.1"
4DEPENDS = "glib-2.0 zlib pixman" 4DEPENDS = "glib-2.0 zlib pixman"
5RDEPENDS_${PN}_class-target += "bash python" 5RDEPENDS_${PN}_class-target += "bash python"
6RDEPENDS_${PN}-ptest = "bash make"
6 7
7require qemu-targets.inc 8require qemu-targets.inc
8inherit autotools-brokensep 9inherit autotools ptest
9BBCLASSEXTEND = "native nativesdk" 10BBCLASSEXTEND = "native nativesdk"
10 11
12PR = "r1"
13
11# QEMU_TARGETS is overridable variable 14# QEMU_TARGETS is overridable variable
12QEMU_TARGETS ?= "arm aarch64 i386 mips mipsel mips64 mips64el ppc sh4 x86_64" 15QEMU_TARGETS ?= "arm aarch64 i386 mips mipsel mips64 mips64el ppc sh4 x86_64"
13 16
14SRC_URI = "\ 17SRC_URI = "\
15 file://powerpc_rom.bin \ 18 file://powerpc_rom.bin \
16 file://larger_default_ram_size.patch \
17 file://disable-grabs.patch \ 19 file://disable-grabs.patch \
18 file://exclude-some-arm-EABI-obsolete-syscalls.patch \ 20 file://exclude-some-arm-EABI-obsolete-syscalls.patch \
19 file://wacom.patch \ 21 file://wacom.patch \
22 file://add-ptest-in-makefile.patch \
23 file://run-ptest \
24 file://cpus.c-qemu_mutex_lock_iothread-fix-race-condition-a.patch \
20 " 25 "
21 26
22SRC_URI_append_class-native = "\ 27SRC_URI_append_class-native = "\
23 file://fix-libcap-header-issue-on-some-distro.patch \ 28 file://fix-libcap-header-issue-on-some-distro.patch \
29 file://cpus.c-qemu_cpu_kick_thread_debugging.patch \
24 " 30 "
25 31
26EXTRA_OECONF += "--target-list=${@get_qemu_target_list(d)} --disable-werror --disable-bluez --disable-libiscsi --with-system-pixman --extra-cflags='${CFLAGS}'" 32EXTRA_OECONF += "--target-list=${@get_qemu_target_list(d)} --disable-werror --disable-bluez --disable-libiscsi --with-system-pixman --extra-cflags='${CFLAGS}'"
@@ -35,16 +41,6 @@ do_configure_prepend_class-native() {
35 if [ ! -z "$BHOST_PKGCONFIG_PATH" ]; then 41 if [ ! -z "$BHOST_PKGCONFIG_PATH" ]; then
36 export PKG_CONFIG_PATH=$PKG_CONFIG_PATH:$BHOST_PKGCONFIG_PATH 42 export PKG_CONFIG_PATH=$PKG_CONFIG_PATH:$BHOST_PKGCONFIG_PATH
37 fi 43 fi
38
39 # Undo the -lX11 added by linker-flags.patch, don't assume that host has libX11 installed
40 sed -i 's/-lX11//g' Makefile.target
41}
42
43do_configure_prepend_class-nativesdk() {
44 if [ "${@bb.utils.contains('DISTRO_FEATURES', 'x11', 'x11', '', d)}" = "" ] ; then
45 # Undo the -lX11 added by linker-flags.patch
46 sed -i 's/-lX11//g' Makefile.target
47 fi
48} 44}
49 45
50KVMENABLE = "--enable-kvm" 46KVMENABLE = "--enable-kvm"
@@ -63,6 +59,17 @@ do_configure() {
63 test ! -e ${S}/target-i386/beginend_funcs.sh || chmod a+x ${S}/target-i386/beginend_funcs.sh 59 test ! -e ${S}/target-i386/beginend_funcs.sh || chmod a+x ${S}/target-i386/beginend_funcs.sh
64} 60}
65 61
62do_compile_ptest() {
63 make buildtest-TESTS
64}
65
66do_install_ptest() {
67 cp -rL ${B}/tests ${D}${PTEST_PATH}
68 find ${D}${PTEST_PATH}/tests -type f -name "*.[Sshcod]" | xargs -i rm -rf {}
69
70 cp ${S}/tests/Makefile ${D}${PTEST_PATH}/tests
71}
72
66do_install () { 73do_install () {
67 export STRIP="true" 74 export STRIP="true"
68 autotools_do_install 75 autotools_do_install
@@ -84,8 +91,12 @@ do_install_append() {
84} 91}
85# END of qemu-mips workaround 92# END of qemu-mips workaround
86 93
87PACKAGECONFIG ??= "fdt sdl alsa" 94PACKAGECONFIG ??= " \
88PACKAGECONFIG_class-native ??= "fdt alsa" 95 fdt sdl \
96 ${@bb.utils.contains('DISTRO_FEATURES', 'alsa', 'alsa', '', d)} \
97 ${@bb.utils.contains('DISTRO_FEATURES', 'xen', 'xen', '', d)} \
98 "
99PACKAGECONFIG_class-native ??= "fdt alsa uuid"
89PACKAGECONFIG_class-nativesdk ??= "fdt sdl" 100PACKAGECONFIG_class-nativesdk ??= "fdt sdl"
90NATIVEDEPS = "" 101NATIVEDEPS = ""
91NATIVEDEPS_class-native = "${@bb.utils.contains('DISTRO_FEATURES', 'x11', 'libxext-native', '',d)}" 102NATIVEDEPS_class-native = "${@bb.utils.contains('DISTRO_FEATURES', 'x11', 'libxext-native', '',d)}"
@@ -93,10 +104,8 @@ PACKAGECONFIG[sdl] = "--enable-sdl,--disable-sdl,libsdl ${NATIVEDEPS},"
93PACKAGECONFIG[virtfs] = "--enable-virtfs --enable-attr,--disable-virtfs,libcap attr," 104PACKAGECONFIG[virtfs] = "--enable-virtfs --enable-attr,--disable-virtfs,libcap attr,"
94PACKAGECONFIG[aio] = "--enable-linux-aio,--disable-linux-aio,libaio," 105PACKAGECONFIG[aio] = "--enable-linux-aio,--disable-linux-aio,libaio,"
95PACKAGECONFIG[xfs] = "--enable-xfsctl,--disable-xfsctl,xfsprogs," 106PACKAGECONFIG[xfs] = "--enable-xfsctl,--disable-xfsctl,xfsprogs,"
96PACKAGECONFIG[xen] = "--enable-xen, --disable-xen,," 107PACKAGECONFIG[xen] = "--enable-xen,--disable-xen,xen,xen-libxenstore xen-libxenctrl xen-libxenguest"
97PACKAGECONFIG[quorum] = "--enable-quorum, --disable-quorum, gnutls,"
98PACKAGECONFIG[vnc-tls] = "--enable-vnc --enable-vnc-tls,--disable-vnc-tls, gnutls," 108PACKAGECONFIG[vnc-tls] = "--enable-vnc --enable-vnc-tls,--disable-vnc-tls, gnutls,"
99PACKAGECONFIG[vnc-ws] = "--enable-vnc --enable-vnc-ws,--disable-vnc-ws, gnutls,"
100PACKAGECONFIG[vnc-sasl] = "--enable-vnc --enable-vnc-sasl,--disable-vnc-sasl,cyrus-sasl," 109PACKAGECONFIG[vnc-sasl] = "--enable-vnc --enable-vnc-sasl,--disable-vnc-sasl,cyrus-sasl,"
101PACKAGECONFIG[vnc-jpeg] = "--enable-vnc --enable-vnc-jpeg,--disable-vnc-jpeg,jpeg," 110PACKAGECONFIG[vnc-jpeg] = "--enable-vnc --enable-vnc-jpeg,--disable-vnc-jpeg,jpeg,"
102PACKAGECONFIG[vnc-png] = "--enable-vnc --enable-vnc-png,--disable-vnc-png,libpng," 111PACKAGECONFIG[vnc-png] = "--enable-vnc --enable-vnc-png,--disable-vnc-png,libpng,"
@@ -110,15 +119,11 @@ PACKAGECONFIG[ssh2] = "--enable-libssh2,--disable-libssh2,libssh2,"
110PACKAGECONFIG[libusb] = "--enable-libusb,--disable-libusb,libusb1" 119PACKAGECONFIG[libusb] = "--enable-libusb,--disable-libusb,libusb1"
111PACKAGECONFIG[fdt] = "--enable-fdt,--disable-fdt,dtc" 120PACKAGECONFIG[fdt] = "--enable-fdt,--disable-fdt,dtc"
112PACKAGECONFIG[alsa] = ",,alsa-lib" 121PACKAGECONFIG[alsa] = ",,alsa-lib"
113PACKAGECONFIG[glx] = "--enable-glx,--disable-glx,mesa" 122PACKAGECONFIG[glx] = "--enable-opengl,--disable-opengl,mesa"
114PACKAGECONFIG[lzo] = "--enable-lzo,--disable-lzo,lzo" 123PACKAGECONFIG[lzo] = "--enable-lzo,--disable-lzo,lzo"
115PACKAGECONFIG[numa] = "--enable-numa,--disable-numa,numactl" 124PACKAGECONFIG[numa] = "--enable-numa,--disable-numa,numactl"
125PACKAGECONFIG[gnutls] = "--enable-gnutls,--disable-gnutls,gnutls"
116 126
117EXTRA_OECONF += "${@bb.utils.contains('PACKAGECONFIG', 'alsa', '--audio-drv-list=oss,alsa', '', d)}" 127EXTRA_OECONF += "${@bb.utils.contains('PACKAGECONFIG', 'alsa', '--audio-drv-list=oss,alsa', '', d)}"
118 128
119# Qemu target will not build in world build for ARM or Mips
120BROKEN_qemuarm = "1"
121BROKEN_qemumips64 = "1"
122BROKEN_qemumips = "1"
123
124INSANE_SKIP_${PN} = "arch" 129INSANE_SKIP_${PN} = "arch"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2014-7840.patch b/meta/recipes-devtools/qemu/qemu/CVE-2014-7840.patch
deleted file mode 100644
index 4f992ba..0000000
--- a/meta/recipes-devtools/qemu/qemu/CVE-2014-7840.patch
+++ /dev/null
@@ -1,57 +0,0 @@
1From 0be839a2701369f669532ea5884c15bead1c6e08 Mon Sep 17 00:00:00 2001
2From: "Michael S. Tsirkin" <mst@redhat.com>
3Date: Wed, 12 Nov 2014 11:44:39 +0200
4Subject: [PATCH] migration: fix parameter validation on ram load
5
6During migration, the values read from migration stream during ram load
7are not validated. Especially offset in host_from_stream_offset() and
8also the length of the writes in the callers of said function.
9
10To fix this, we need to make sure that the [offset, offset + length]
11range fits into one of the allocated memory regions.
12
13Validating addr < len should be sufficient since data seems to always be
14managed in TARGET_PAGE_SIZE chunks.
15
16Fixes: CVE-2014-7840
17
18Upstream-Status: Backport
19
20Note: follow-up patches add extra checks on each block->host access.
21
22Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
23Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
24Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
25Signed-off-by: Amit Shah <amit.shah@redhat.com>
26Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
27---
28 arch_init.c | 5 +++--
29 1 file changed, 3 insertions(+), 2 deletions(-)
30
31diff --git a/arch_init.c b/arch_init.c
32index 88a5ba0..593a990 100644
33--- a/arch_init.c
34+++ b/arch_init.c
35@@ -1006,7 +1006,7 @@ static inline void *host_from_stream_offset(QEMUFile *f,
36 uint8_t len;
37
38 if (flags & RAM_SAVE_FLAG_CONTINUE) {
39- if (!block) {
40+ if (!block || block->length <= offset) {
41 error_report("Ack, bad migration stream!");
42 return NULL;
43 }
44@@ -1019,8 +1019,9 @@ static inline void *host_from_stream_offset(QEMUFile *f,
45 id[len] = 0;
46
47 QTAILQ_FOREACH(block, &ram_list.blocks, next) {
48- if (!strncmp(id, block->idstr, sizeof(id)))
49+ if (!strncmp(id, block->idstr, sizeof(id)) && block->length > offset) {
50 return memory_region_get_ram_ptr(block->mr) + offset;
51+ }
52 }
53
54 error_report("Can't find block %s!", id);
55--
561.9.1
57
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2015-7295_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2015-7295_1.patch
new file mode 100644
index 0000000..d7ae871
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2015-7295_1.patch
@@ -0,0 +1,63 @@
1From ce317461573bac12b10d67699b4ddf1f97cf066c Mon Sep 17 00:00:00 2001
2From: Jason Wang <jasowang@redhat.com>
3Date: Fri, 25 Sep 2015 13:21:28 +0800
4Subject: [PATCH] virtio: introduce virtqueue_unmap_sg()
5
6Factor out sg unmapping logic. This will be reused by the patch that
7can discard descriptor.
8
9Cc: Michael S. Tsirkin <mst@redhat.com>
10Cc: Andrew James <andrew.james@hpe.com>
11Signed-off-by: Jason Wang <jasowang@redhat.com>
12Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
13Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
14
15Upstream-Status: Backport
16
17git.qemu.org/?p=qemu.git;a=commit;h=ce317461573bac12b10d67699b4ddf1f97cf066c
18
19CVE: CVE-2015-7295 patch #1
20[Yocto # 9013]
21
22Signed-off-by: Armin Kuster <akuster@mvista.com>
23
24---
25 hw/virtio/virtio.c | 14 ++++++++++----
26 1 file changed, 10 insertions(+), 4 deletions(-)
27
28Index: qemu-2.4.0/hw/virtio/virtio.c
29===================================================================
30--- qemu-2.4.0.orig/hw/virtio/virtio.c
31+++ qemu-2.4.0/hw/virtio/virtio.c
32@@ -243,14 +243,12 @@ int virtio_queue_empty(VirtQueue *vq)
33 return vring_avail_idx(vq) == vq->last_avail_idx;
34 }
35
36-void virtqueue_fill(VirtQueue *vq, const VirtQueueElement *elem,
37- unsigned int len, unsigned int idx)
38+static void virtqueue_unmap_sg(VirtQueue *vq, const VirtQueueElement *elem,
39+ unsigned int len)
40 {
41 unsigned int offset;
42 int i;
43
44- trace_virtqueue_fill(vq, elem, len, idx);
45-
46 offset = 0;
47 for (i = 0; i < elem->in_num; i++) {
48 size_t size = MIN(len - offset, elem->in_sg[i].iov_len);
49@@ -266,6 +264,14 @@ void virtqueue_fill(VirtQueue *vq, const
50 cpu_physical_memory_unmap(elem->out_sg[i].iov_base,
51 elem->out_sg[i].iov_len,
52 0, elem->out_sg[i].iov_len);
53+}
54+
55+void virtqueue_fill(VirtQueue *vq, const VirtQueueElement *elem,
56+ unsigned int len, unsigned int idx)
57+{
58+ trace_virtqueue_fill(vq, elem, len, idx);
59+
60+ virtqueue_unmap_sg(vq, elem, len);
61
62 idx = (idx + vring_used_idx(vq)) % vq->vring.num;
63
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2015-7295_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2015-7295_2.patch
new file mode 100644
index 0000000..45dfab3
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2015-7295_2.patch
@@ -0,0 +1,58 @@
1From 29b9f5efd78ae0f9cc02dd169b6e80d2c404bade Mon Sep 17 00:00:00 2001
2From: Jason Wang <jasowang@redhat.com>
3Date: Fri, 25 Sep 2015 13:21:29 +0800
4Subject: [PATCH] virtio: introduce virtqueue_discard()
5
6This patch introduces virtqueue_discard() to discard a descriptor and
7unmap the sgs. This will be used by the patch that will discard
8descriptor when packet is truncated.
9
10Cc: Michael S. Tsirkin <mst@redhat.com>
11Signed-off-by: Jason Wang <jasowang@redhat.com>
12Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
13Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
14Upstream-Status: Backport
15
16git.qemu.org/?p=qemu.git;a=commit;h=29b9f5efd78ae0f9cc02dd169b6e80d2c404bade
17
18CVE: CVE-2015-7295 patch #2
19[Yocto # 9013]
20
21Signed-off-by: Armin Kuster <akuster@mvista.com>
22
23---
24 hw/virtio/virtio.c | 7 +++++++
25 include/hw/virtio/virtio.h | 2 ++
26 2 files changed, 9 insertions(+)
27
28Index: qemu-2.4.0/hw/virtio/virtio.c
29===================================================================
30--- qemu-2.4.0.orig/hw/virtio/virtio.c
31+++ qemu-2.4.0/hw/virtio/virtio.c
32@@ -266,6 +266,13 @@ static void virtqueue_unmap_sg(VirtQueue
33 0, elem->out_sg[i].iov_len);
34 }
35
36+void virtqueue_discard(VirtQueue *vq, const VirtQueueElement *elem,
37+ unsigned int len)
38+{
39+ vq->last_avail_idx--;
40+ virtqueue_unmap_sg(vq, elem, len);
41+}
42+
43 void virtqueue_fill(VirtQueue *vq, const VirtQueueElement *elem,
44 unsigned int len, unsigned int idx)
45 {
46Index: qemu-2.4.0/include/hw/virtio/virtio.h
47===================================================================
48--- qemu-2.4.0.orig/include/hw/virtio/virtio.h
49+++ qemu-2.4.0/include/hw/virtio/virtio.h
50@@ -146,6 +146,8 @@ void virtio_del_queue(VirtIODevice *vdev
51 void virtqueue_push(VirtQueue *vq, const VirtQueueElement *elem,
52 unsigned int len);
53 void virtqueue_flush(VirtQueue *vq, unsigned int count);
54+void virtqueue_discard(VirtQueue *vq, const VirtQueueElement *elem,
55+ unsigned int len);
56 void virtqueue_fill(VirtQueue *vq, const VirtQueueElement *elem,
57 unsigned int len, unsigned int idx);
58
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2015-7295_3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2015-7295_3.patch
new file mode 100644
index 0000000..74442e3
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2015-7295_3.patch
@@ -0,0 +1,52 @@
1From 0cf33fb6b49a19de32859e2cdc6021334f448fb3 Mon Sep 17 00:00:00 2001
2From: Jason Wang <jasowang@redhat.com>
3Date: Fri, 25 Sep 2015 13:21:30 +0800
4Subject: [PATCH] virtio-net: correctly drop truncated packets
5
6When packet is truncated during receiving, we drop the packets but
7neither discard the descriptor nor add and signal used
8descriptor. This will lead several issues:
9
10- sg mappings are leaked
11- rx will be stalled if a lots of packets were truncated
12
13In order to be consistent with vhost, fix by discarding the descriptor
14in this case.
15
16Cc: Michael S. Tsirkin <mst@redhat.com>
17Signed-off-by: Jason Wang <jasowang@redhat.com>
18Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
19Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
20
21Upstream-Status: Backport
22
23git.qemu.org/?p=qemu.git;a=commit;h=0cf33fb6b49a19de32859e2cdc6021334f448fb3
24
25CVE: CVE-2015-7295 patch #3
26[Yocto # 9013]
27
28Signed-off-by: Armin Kuster <akuster@mvista.com>
29
30---
31 hw/net/virtio-net.c | 8 +-------
32 1 file changed, 1 insertion(+), 7 deletions(-)
33
34Index: qemu-2.4.0/hw/net/virtio-net.c
35===================================================================
36--- qemu-2.4.0.orig/hw/net/virtio-net.c
37+++ qemu-2.4.0/hw/net/virtio-net.c
38@@ -1086,13 +1086,7 @@ static ssize_t virtio_net_receive(NetCli
39 * must have consumed the complete packet.
40 * Otherwise, drop it. */
41 if (!n->mergeable_rx_bufs && offset < size) {
42-#if 0
43- error_report("virtio-net truncated non-mergeable packet: "
44- "i %zd mergeable %d offset %zd, size %zd, "
45- "guest hdr len %zd, host hdr len %zd",
46- i, n->mergeable_rx_bufs,
47- offset, size, n->guest_hdr_len, n->host_hdr_len);
48-#endif
49+ virtqueue_discard(q->rx_vq, &elem, total);
50 return size;
51 }
52
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2015-7504.patch b/meta/recipes-devtools/qemu/qemu/CVE-2015-7504.patch
new file mode 100644
index 0000000..90a7947
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2015-7504.patch
@@ -0,0 +1,56 @@
1From 837f21aacf5a714c23ddaadbbc5212f9b661e3f7 Mon Sep 17 00:00:00 2001
2From: Prasad J Pandit <pjp@fedoraproject.org>
3Date: Fri, 20 Nov 2015 11:50:31 +0530
4Subject: [PATCH] net: pcnet: add check to validate receive data
5 size(CVE-2015-7504)
6
7In loopback mode, pcnet_receive routine appends CRC code to the
8receive buffer. If the data size given is same as the buffer size,
9the appended CRC code overwrites 4 bytes after s->buffer. Added a
10check to avoid that.
11
12Reported by: Qinghao Tang <luodalongde@gmail.com>
13Cc: qemu-stable@nongnu.org
14Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
15Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
16Signed-off-by: Jason Wang <jasowang@redhat.com>
17
18Upstream-Status: Backport
19
20http://git.qemu.org/?p=qemu.git;a=commit;h=837f21aacf5a714c23ddaadbbc5212f9b661e3f7
21
22CVE: CVE-2015-7504
23[Yocto # 9013]
24
25Signed-off-by: Armin Kuster <akuster@mvista.com>
26
27---
28 hw/net/pcnet.c | 8 +++++---
29 1 file changed, 5 insertions(+), 3 deletions(-)
30
31Index: qemu-2.4.0/hw/net/pcnet.c
32===================================================================
33--- qemu-2.4.0.orig/hw/net/pcnet.c
34+++ qemu-2.4.0/hw/net/pcnet.c
35@@ -1085,7 +1085,7 @@ ssize_t pcnet_receive(NetClientState *nc
36 uint32_t fcs = ~0;
37 uint8_t *p = src;
38
39- while (p != &src[size-4])
40+ while (p != &src[size])
41 CRC(fcs, *p++);
42 crc_err = (*(uint32_t *)p != htonl(fcs));
43 }
44@@ -1234,8 +1234,10 @@ static void pcnet_transmit(PCNetState *s
45 bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
46
47 /* if multi-tmd packet outsizes s->buffer then skip it silently.
48- Note: this is not what real hw does */
49- if (s->xmit_pos + bcnt > sizeof(s->buffer)) {
50+ * Note: this is not what real hw does.
51+ * Last four bytes of s->buffer are used to store CRC FCS code.
52+ */
53+ if (s->xmit_pos + bcnt > sizeof(s->buffer) - 4) {
54 s->xmit_pos = -1;
55 goto txdone;
56 }
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2015-7512.patch b/meta/recipes-devtools/qemu/qemu/CVE-2015-7512.patch
new file mode 100644
index 0000000..50b8a6c
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2015-7512.patch
@@ -0,0 +1,44 @@
1From 8b98a2f07175d46c3f7217639bd5e03f2ec56343 Mon Sep 17 00:00:00 2001
2From: Jason Wang <jasowang@redhat.com>
3Date: Mon, 30 Nov 2015 15:00:06 +0800
4Subject: [PATCH] pcnet: fix rx buffer overflow(CVE-2015-7512)
5
6Backends could provide a packet whose length is greater than buffer
7size. Check for this and truncate the packet to avoid rx buffer
8overflow in this case.
9
10Cc: Prasad J Pandit <pjp@fedoraproject.org>
11Cc: qemu-stable@nongnu.org
12Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
13Signed-off-by: Jason Wang <jasowang@redhat.com>
14
15Upsteam_Status: Backport
16
17http://git.qemu.org/?p=qemu.git;a=commit;h=8b98a2f07175d46c3f7217639bd5e03f2ec56343
18
19CVE: CVE-2015-7512
20[Yocto # 9013]
21
22Signed-off-by: Armin Kuster <akuster@mvista.com>
23
24---
25 hw/net/pcnet.c | 6 ++++++
26 1 file changed, 6 insertions(+)
27
28Index: qemu-2.4.0/hw/net/pcnet.c
29===================================================================
30--- qemu-2.4.0.orig/hw/net/pcnet.c
31+++ qemu-2.4.0/hw/net/pcnet.c
32@@ -1065,6 +1065,12 @@ ssize_t pcnet_receive(NetClientState *nc
33 int pktcount = 0;
34
35 if (!s->looptest) {
36+ if (size > 4092) {
37+#ifdef PCNET_DEBUG_RMD
38+ fprintf(stderr, "pcnet: truncates rx packet.\n");
39+#endif
40+ size = 4092;
41+ }
42 memcpy(src, buf, size);
43 /* no need to compute the CRC */
44 src[size] = 0;
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2015-8345.patch b/meta/recipes-devtools/qemu/qemu/CVE-2015-8345.patch
new file mode 100644
index 0000000..310b458
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2015-8345.patch
@@ -0,0 +1,73 @@
1From 00837731d254908a841d69298a4f9f077babaf24 Mon Sep 17 00:00:00 2001
2From: Stefan Weil <sw@weilnetz.de>
3Date: Fri, 20 Nov 2015 08:42:33 +0100
4Subject: [PATCH] eepro100: Prevent two endless loops
5
6http://lists.nongnu.org/archive/html/qemu-devel/2015-11/msg04592.html
7shows an example how an endless loop in function action_command can
8be achieved.
9
10During my code review, I noticed a 2nd case which can result in an
11endless loop.
12
13Reported-by: Qinghao Tang <luodalongde@gmail.com>
14Signed-off-by: Stefan Weil <sw@weilnetz.de>
15Signed-off-by: Jason Wang <jasowang@redhat.com>
16
17Upstream-Status: Backport
18
19http://git.qemu.org/?p=qemu.git;a=commit;h=00837731d254908a841d69298a4f9f077babaf24
20
21CVE: CVE-2015-8345
22[Yocto # 9013]
23
24Signed-off-by: Armin Kuster <akuster@mvista.com>
25
26---
27 hw/net/eepro100.c | 16 ++++++++++++++++
28 1 file changed, 16 insertions(+)
29
30diff --git a/hw/net/eepro100.c b/hw/net/eepro100.c
31index 60333b7..685a478 100644
32--- a/hw/net/eepro100.c
33+++ b/hw/net/eepro100.c
34@@ -774,6 +774,11 @@ static void tx_command(EEPRO100State *s)
35 #if 0
36 uint16_t tx_buffer_el = lduw_le_pci_dma(&s->dev, tbd_address + 6);
37 #endif
38+ if (tx_buffer_size == 0) {
39+ /* Prevent an endless loop. */
40+ logout("loop in %s:%u\n", __FILE__, __LINE__);
41+ break;
42+ }
43 tbd_address += 8;
44 TRACE(RXTX, logout
45 ("TBD (simplified mode): buffer address 0x%08x, size 0x%04x\n",
46@@ -855,6 +860,10 @@ static void set_multicast_list(EEPRO100State *s)
47
48 static void action_command(EEPRO100State *s)
49 {
50+ /* The loop below won't stop if it gets special handcrafted data.
51+ Therefore we limit the number of iterations. */
52+ unsigned max_loop_count = 16;
53+
54 for (;;) {
55 bool bit_el;
56 bool bit_s;
57@@ -870,6 +879,13 @@ static void action_command(EEPRO100State *s)
58 #if 0
59 bool bit_sf = ((s->tx.command & COMMAND_SF) != 0);
60 #endif
61+
62+ if (max_loop_count-- == 0) {
63+ /* Prevent an endless loop. */
64+ logout("loop in %s:%u\n", __FILE__, __LINE__);
65+ break;
66+ }
67+
68 s->cu_offset = s->tx.link;
69 TRACE(OTHER,
70 logout("val=(cu start), status=0x%04x, command=0x%04x, link=0x%08x\n",
71--
722.3.5
73
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2015-8504.patch b/meta/recipes-devtools/qemu/qemu/CVE-2015-8504.patch
new file mode 100644
index 0000000..9e66021
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2015-8504.patch
@@ -0,0 +1,51 @@
1From 4c65fed8bdf96780735dbdb92a8bd0d6b6526cc3 Mon Sep 17 00:00:00 2001
2From: Prasad J Pandit <pjp@fedoraproject.org>
3Date: Thu, 3 Dec 2015 18:54:17 +0530
4Subject: [PATCH] ui: vnc: avoid floating point exception
5
6While sending 'SetPixelFormat' messages to a VNC server,
7the client could set the 'red-max', 'green-max' and 'blue-max'
8values to be zero. This leads to a floating point exception in
9write_png_palette while doing frame buffer updates.
10
11Reported-by: Lian Yihan <lianyihan@360.cn>
12Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
13Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
14Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
15
16Upstream-Status: Backport
17
18http://git.qemu.org/?p=qemu.git;a=commitdiff;h=4c65fed8bdf96780735dbdb92a8
19
20CVE: CVE-2015-8504
21[Yocto # 9013]
22
23Signed-off-by: Armin Kuster <akuster@mvista.com>
24
25---
26 ui/vnc.c | 6 +++---
27 1 file changed, 3 insertions(+), 3 deletions(-)
28
29Index: qemu-2.4.0/ui/vnc.c
30===================================================================
31--- qemu-2.4.0.orig/ui/vnc.c
32+++ qemu-2.4.0/ui/vnc.c
33@@ -2189,15 +2189,15 @@ static void set_pixel_format(VncState *v
34 return;
35 }
36
37- vs->client_pf.rmax = red_max;
38+ vs->client_pf.rmax = red_max ? red_max : 0xFF;
39 vs->client_pf.rbits = hweight_long(red_max);
40 vs->client_pf.rshift = red_shift;
41 vs->client_pf.rmask = red_max << red_shift;
42- vs->client_pf.gmax = green_max;
43+ vs->client_pf.gmax = green_max ? green_max : 0xFF;
44 vs->client_pf.gbits = hweight_long(green_max);
45 vs->client_pf.gshift = green_shift;
46 vs->client_pf.gmask = green_max << green_shift;
47- vs->client_pf.bmax = blue_max;
48+ vs->client_pf.bmax = blue_max ? blue_max : 0xFF;
49 vs->client_pf.bbits = hweight_long(blue_max);
50 vs->client_pf.bshift = blue_shift;
51 vs->client_pf.bmask = blue_max << blue_shift;
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-1568.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-1568.patch
new file mode 100644
index 0000000..9c40ffb
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2016-1568.patch
@@ -0,0 +1,46 @@
1From 4ab0359a8ae182a7ac5c99609667273167703fab Mon Sep 17 00:00:00 2001
2From: Prasad J Pandit <pjp@fedoraproject.org>
3Date: Mon, 11 Jan 2016 14:10:42 -0500
4Subject: [PATCH] ide: ahci: reset ncq object to unused on error
5
6When processing NCQ commands, AHCI device emulation prepares a
7NCQ transfer object; To which an aio control block(aiocb) object
8is assigned in 'execute_ncq_command'. In case, when the NCQ
9command is invalid, the 'aiocb' object is not assigned, and NCQ
10transfer object is left as 'used'. This leads to a use after
11free kind of error in 'bdrv_aio_cancel_async' via 'ahci_reset_port'.
12Reset NCQ transfer object to 'unused' to avoid it.
13
14[Maintainer edit: s/ACHI/AHCI/ in the commit message. --js]
15
16Reported-by: Qinghao Tang <luodalongde@gmail.com>
17Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
18Reviewed-by: John Snow <jsnow@redhat.com>
19Message-id: 1452282511-4116-1-git-send-email-ppandit@redhat.com
20Signed-off-by: John Snow <jsnow@redhat.com>
21
22Upstream-Status: Backport
23
24http://git.qemu.org/?p=qemu.git;a=commit;h=4ab0359a8ae182a7ac5c99609667273167703fab
25
26CVE: CVE-2016-1568
27[Yocto # 9013]
28
29Signed-off-by: Armin Kuster <akuster@mvista.com>
30
31---
32 hw/ide/ahci.c | 1 +
33 1 file changed, 1 insertion(+)
34
35Index: qemu-2.4.0/hw/ide/ahci.c
36===================================================================
37--- qemu-2.4.0.orig/hw/ide/ahci.c
38+++ qemu-2.4.0/hw/ide/ahci.c
39@@ -898,6 +898,7 @@ static void ncq_err(NCQTransferState *nc
40 ide_state->error = ABRT_ERR;
41 ide_state->status = READY_STAT | ERR_STAT;
42 ncq_tfs->drive->port_regs.scr_err |= (1 << ncq_tfs->tag);
43+ ncq_tfs->used = 0;
44 }
45
46 static void ncq_finish(NCQTransferState *ncq_tfs)
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-2197.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-2197.patch
new file mode 100644
index 0000000..946435c
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2016-2197.patch
@@ -0,0 +1,59 @@
1From: Prasad J Pandit <address@hidden>
2
3When IDE AHCI emulation uses Frame Information Structures(FIS)
4engine for data transfer, the mapped FIS buffer address is stored
5in a static 'bounce.buffer'. When a request is made to map another
6memory region, address_space_map() returns NULL because
7'bounce.buffer' is in_use. It leads to a null pointer dereference
8error while doing 'dma_memory_unmap'. Add a check to avoid it.
9
10Reported-by: Zuozhi fzz <address@hidden>
11Signed-off-by: Prasad J Pandit <address@hidden>
12
13Upstream-Status: Backport
14https://lists.gnu.org/archive/html/qemu-devel/2016-01/msg05740.html
15
16CVE: CVE-2016-2197
17Signed-off-by: Armin Kuster <akuster@mvista.com>
18
19---
20 hw/ide/ahci.c | 16 ++++++++++------
21 1 file changed, 10 insertions(+), 6 deletions(-)
22
23 Update as per review
24 -> https://lists.gnu.org/archive/html/qemu-devel/2016-01/msg05715.html
25
26Index: qemu-2.5.0/hw/ide/ahci.c
27===================================================================
28--- qemu-2.5.0.orig/hw/ide/ahci.c
29+++ qemu-2.5.0/hw/ide/ahci.c
30@@ -661,9 +661,11 @@ static bool ahci_map_fis_address(AHCIDev
31
32 static void ahci_unmap_fis_address(AHCIDevice *ad)
33 {
34- dma_memory_unmap(ad->hba->as, ad->res_fis, 256,
35- DMA_DIRECTION_FROM_DEVICE, 256);
36- ad->res_fis = NULL;
37+ if (ad->res_fis) {
38+ dma_memory_unmap(ad->hba->as, ad->res_fis, 256,
39+ DMA_DIRECTION_FROM_DEVICE, 256);
40+ ad->res_fis = NULL;
41+ }
42 }
43
44 static bool ahci_map_clb_address(AHCIDevice *ad)
45@@ -677,9 +679,11 @@ static bool ahci_map_clb_address(AHCIDev
46
47 static void ahci_unmap_clb_address(AHCIDevice *ad)
48 {
49- dma_memory_unmap(ad->hba->as, ad->lst, 1024,
50- DMA_DIRECTION_FROM_DEVICE, 1024);
51- ad->lst = NULL;
52+ if (ad->lst) {
53+ dma_memory_unmap(ad->hba->as, ad->lst, 1024,
54+ DMA_DIRECTION_FROM_DEVICE, 1024);
55+ ad->lst = NULL;
56+ }
57 }
58
59 static void ahci_write_fis_sdb(AHCIState *s, NCQTransferState *ncq_tfs)
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-2198.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-2198.patch
new file mode 100644
index 0000000..f1201f0
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2016-2198.patch
@@ -0,0 +1,45 @@
1From: Prasad J Pandit <address@hidden>
2
3USB Ehci emulation supports host controller capability registers.
4But its mmio '.write' function was missing, which lead to a null
5pointer dereference issue. Add a do nothing 'ehci_caps_write'
6definition to avoid it; Do nothing because capability registers
7are Read Only(RO).
8
9Reported-by: Zuozhi Fzz <address@hidden>
10Signed-off-by: Prasad J Pandit <address@hidden>
11
12Upstream-Status: Backport
13https://lists.gnu.org/archive/html/qemu-devel/2016-01/msg05899.html
14
15CVE: CVE-2016-2198
16Signed-off-by: Armin Kuster <akuster@mvista.com>
17
18---
19 hw/usb/hcd-ehci.c | 6 ++++++
20 1 file changed, 6 insertions(+)
21
22Index: qemu-2.5.0/hw/usb/hcd-ehci.c
23===================================================================
24--- qemu-2.5.0.orig/hw/usb/hcd-ehci.c
25+++ qemu-2.5.0/hw/usb/hcd-ehci.c
26@@ -893,6 +893,11 @@ static uint64_t ehci_caps_read(void *ptr
27 return s->caps[addr];
28 }
29
30+static void ehci_caps_write(void *ptr, hwaddr addr,
31+ uint64_t val, unsigned size)
32+{
33+}
34+
35 static uint64_t ehci_opreg_read(void *ptr, hwaddr addr,
36 unsigned size)
37 {
38@@ -2310,6 +2315,7 @@ static void ehci_frame_timer(void *opaqu
39
40 static const MemoryRegionOps ehci_mmio_caps_ops = {
41 .read = ehci_caps_read,
42+ .write = ehci_caps_write,
43 .valid.min_access_size = 1,
44 .valid.max_access_size = 4,
45 .impl.min_access_size = 1,
diff --git a/meta/recipes-devtools/qemu/files/Qemu-Arm-versatilepb-Add-memory-size-checking.patch b/meta/recipes-devtools/qemu/qemu/Qemu-Arm-versatilepb-Add-memory-size-checking.patch
index 7f1c5a9..1a6cf51 100644
--- a/meta/recipes-devtools/qemu/files/Qemu-Arm-versatilepb-Add-memory-size-checking.patch
+++ b/meta/recipes-devtools/qemu/qemu/Qemu-Arm-versatilepb-Add-memory-size-checking.patch
@@ -14,27 +14,33 @@ Signed-off-by: Jiang Lu <lu.jiang@windriver.com>
14Updated it on 2014-01-15 for rebasing 14Updated it on 2014-01-15 for rebasing
15 15
16Signed-off-by: Robert Yang <liezhi.yang@windriver.com> 16Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
17
18Update it when upgrade qemu to 2.2.0
19
20Signed-off-by: Kai Kang <kai.kang@windriver.com>
21Signed-off-by: Cristian Iorga <cristian.iorga@intel.com>
17--- 22---
18 hw/arm/versatilepb.c | 6 ++++++ 23 hw/arm/versatilepb.c | 7 +++++++
19 1 file changed, 6 insertions(+) 24 1 file changed, 7 insertions(+)
20 25
21diff --git a/hw/arm/versatilepb.c b/hw/arm/versatilepb.c 26diff --git a/hw/arm/versatilepb.c b/hw/arm/versatilepb.c
22index b48d84c..ad2cd5a 100644 27index 6c69f4e..9278d90 100644
23--- a/hw/arm/versatilepb.c 28--- a/hw/arm/versatilepb.c
24+++ b/hw/arm/versatilepb.c 29+++ b/hw/arm/versatilepb.c
25@@ -199,6 +199,12 @@ static void versatile_init(QEMUMachineInitArgs *args, int board_id) 30@@ -204,6 +204,13 @@ static void versatile_init(MachineState *machine, int board_id)
26 fprintf(stderr, "Unable to find CPU definition\n");
27 exit(1); 31 exit(1);
28 } 32 }
29+ if (ram_size > (256 << 20)) { 33
34+ if (machine->ram_size > (256 << 20)) {
30+ fprintf(stderr, 35+ fprintf(stderr,
31+ "qemu: Too much memory for this machine: %d MB, maximum 256 MB\n", 36+ "qemu: Too much memory for this machine: %d MB, maximum 256 MB\n",
32+ ((unsigned int)ram_size / (1 << 20))); 37+ ((unsigned int)ram_size / (1 << 20)));
33+ exit(1); 38+ exit(1);
34+ } 39+ }
35 memory_region_init_ram(ram, NULL, "versatile.ram", machine->ram_size); 40+
36 vmstate_register_ram_global(ram); 41 cpuobj = object_new(object_class_get_name(cpu_oc));
37 /* ??? RAM should repeat to fill physical memory space. */ 42
43 /* By default ARM1176 CPUs have EL3 enabled. This board does not
38-- 44--
391.7.10.4 452.1.0
40 46
diff --git a/meta/recipes-devtools/qemu/qemu/add-ptest-in-makefile.patch b/meta/recipes-devtools/qemu/qemu/add-ptest-in-makefile.patch
new file mode 100644
index 0000000..a99f720
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/add-ptest-in-makefile.patch
@@ -0,0 +1,29 @@
1Upstream-Status: Pending
2
3Add subpackage -ptest which runs all unit test cases for qemu.
4
5Signed-off-by: Kai Kang <kai.kang@windriver.com>
6---
7 tests/Makefile | 10 ++++++++++
8 1 file changed, 10 insertions(+)
9
10diff --git a/tests/Makefile b/tests/Makefile
11index 88f7105..3f40b4b 100644
12--- a/tests/Makefile
13+++ b/tests/Makefile
14@@ -405,3 +405,12 @@ all: $(QEMU_IOTESTS_HELPERS-y)
15
16 -include $(wildcard tests/*.d)
17 -include $(wildcard tests/libqos/*.d)
18+
19+buildtest-TESTS: $(check-unit-y)
20+
21+runtest-TESTS:
22+ for f in $(check-unit-y); do \
23+ nf=$$(echo $$f | sed 's/tests\//\.\//g'); \
24+ $$nf; \
25+ done
26+
27--
281.7.9.5
29
diff --git a/meta/recipes-devtools/qemu/qemu/cpus.c-qemu_cpu_kick_thread_debugging.patch b/meta/recipes-devtools/qemu/qemu/cpus.c-qemu_cpu_kick_thread_debugging.patch
new file mode 100644
index 0000000..6822132
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/cpus.c-qemu_cpu_kick_thread_debugging.patch
@@ -0,0 +1,76 @@
1From 697a834c35d19447b7dcdb9e1d9434bc6ce17c21 Mon Sep 17 00:00:00 2001
2From: =?UTF-8?q?An=C3=ADbal=20Lim=C3=B3n?= <anibal.limon@linux.intel.com>
3Date: Wed, 12 Aug 2015 15:11:30 -0500
4Subject: [PATCH] cpus.c: Add error messages when qemi_cpu_kick_thread fails.
5MIME-Version: 1.0
6Content-Type: text/plain; charset=UTF-8
7Content-Transfer-Encoding: 8bit
8
9Add custom_debug.h with function for print backtrace information.
10When pthread_kill fails in qemu_cpu_kick_thread display backtrace and
11current cpu information.
12
13Upstream-Status: Inappropriate
14Signed-off-by: Aníbal Limón <anibal.limon@linux.intel.com>
15---
16 cpus.c | 5 +++++
17 custom_debug.h | 24 ++++++++++++++++++++++++
18 2 files changed, 29 insertions(+)
19 create mode 100644 custom_debug.h
20
21diff --git a/cpus.c b/cpus.c
22index a822ce3..7e4786e 100644
23--- a/cpus.c
24+++ b/cpus.c
25@@ -1080,6 +1080,8 @@ static void *qemu_tcg_cpu_thread_fn(void *arg)
26 return NULL;
27 }
28
29+#include "custom_debug.h"
30+
31 static void qemu_cpu_kick_thread(CPUState *cpu)
32 {
33 #ifndef _WIN32
34@@ -1088,6 +1090,9 @@ static void qemu_cpu_kick_thread(CPUState *cpu)
35 err = pthread_kill(cpu->thread->thread, SIG_IPI);
36 if (err) {
37 fprintf(stderr, "qemu:%s: %s", __func__, strerror(err));
38+ fprintf(stderr, "CPU #%d:\n", cpu->cpu_index);
39+ cpu_dump_state(cpu, stderr, fprintf, 0);
40+ backtrace_print();
41 exit(1);
42 }
43 #else /* _WIN32 */
44diff --git a/custom_debug.h b/custom_debug.h
45new file mode 100644
46index 0000000..f029e45
47--- /dev/null
48+++ b/custom_debug.h
49@@ -0,0 +1,24 @@
50+#include <execinfo.h>
51+#include <stdio.h>
52+#define BACKTRACE_MAX 128
53+static void backtrace_print(void)
54+{
55+ int nfuncs = 0;
56+ void *buf[BACKTRACE_MAX];
57+ char **symbols;
58+ int i;
59+
60+ nfuncs = backtrace(buf, BACKTRACE_MAX);
61+
62+ symbols = backtrace_symbols(buf, nfuncs);
63+ if (symbols == NULL) {
64+ fprintf(stderr, "backtrace_print failed to get symbols");
65+ return;
66+ }
67+
68+ fprintf(stderr, "Backtrace ...\n");
69+ for (i = 0; i < nfuncs; i++)
70+ fprintf(stderr, "%s\n", symbols[i]);
71+
72+ free(symbols);
73+}
74--
751.9.1
76
diff --git a/meta/recipes-devtools/qemu/qemu/cpus.c-qemu_mutex_lock_iothread-fix-race-condition-a.patch b/meta/recipes-devtools/qemu/qemu/cpus.c-qemu_mutex_lock_iothread-fix-race-condition-a.patch
new file mode 100644
index 0000000..45dffab
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/cpus.c-qemu_mutex_lock_iothread-fix-race-condition-a.patch
@@ -0,0 +1,45 @@
1Upstream-Status: Submitted
2
3From f354b9333408d411854af058cc44cceda60b4473 Mon Sep 17 00:00:00 2001
4From: =?UTF-8?q?An=C3=ADbal=20Lim=C3=B3n?= <anibal.limon@linux.intel.com>
5Date: Thu, 3 Sep 2015 14:07:34 -0500
6Subject: [PATCH] cpus.c: qemu_mutex_lock_iothread fix race condition at cpu
7 thread init
8MIME-Version: 1.0
9Content-Type: text/plain; charset=UTF-8
10Content-Transfer-Encoding: 8bit
11
12When QEMU starts the RCU thread executes qemu_mutex_lock_thread
13causing error "qemu:qemu_cpu_kick_thread: No such process" and exits.
14
15This isn't occur frequently but in glibc the thread id can exist and
16this not guarantee that the thread is on active/running state. If is
17inserted a sleep(1) after newthread assignment [1] the issue appears.
18
19So not make assumption that thread exist if first_cpu->thread is set
20then change the validation of cpu to created that is set into cpu
21threads (kvm, tcg, dummy).
22
23[1] https://sourceware.org/git/?p=glibc.git;a=blob;f=nptl/pthread_create.c;h=d10f4ea8004e1d8f3a268b95cc0f8d93b8d89867;hb=HEAD#l621
24
25Signed-off-by: Aníbal Limón <anibal.limon@linux.intel.com>
26---
27 cpus.c | 2 +-
28 1 file changed, 1 insertion(+), 1 deletion(-)
29
30diff --git a/cpus.c b/cpus.c
31index 7e4786e..05e5400 100644
32--- a/cpus.c
33+++ b/cpus.c
34@@ -1171,7 +1171,7 @@ void qemu_mutex_lock_iothread(void)
35 * TCG code execution.
36 */
37 if (!tcg_enabled() || qemu_in_vcpu_thread() ||
38- !first_cpu || !first_cpu->thread) {
39+ !first_cpu || !first_cpu->created) {
40 qemu_mutex_lock(&qemu_global_mutex);
41 atomic_dec(&iothread_requesting_mutex);
42 } else {
43--
441.9.1
45
diff --git a/meta/recipes-devtools/qemu/files/exclude-some-arm-EABI-obsolete-syscalls.patch b/meta/recipes-devtools/qemu/qemu/exclude-some-arm-EABI-obsolete-syscalls.patch
index 171bda7..171bda7 100644
--- a/meta/recipes-devtools/qemu/files/exclude-some-arm-EABI-obsolete-syscalls.patch
+++ b/meta/recipes-devtools/qemu/qemu/exclude-some-arm-EABI-obsolete-syscalls.patch
diff --git a/meta/recipes-devtools/qemu/qemu/larger_default_ram_size.patch b/meta/recipes-devtools/qemu/qemu/larger_default_ram_size.patch
deleted file mode 100644
index 711c360..0000000
--- a/meta/recipes-devtools/qemu/qemu/larger_default_ram_size.patch
+++ /dev/null
@@ -1,22 +0,0 @@
1This patch is taken from debian. 128M is too less sometimes if distro
2with lot of packages is booted so this patch raises the default to 384M
3
4It has not been applied to upstream qemu
5
6Khem Raj <raj.khem@gmail.com>
7
8Upstream-Status: Pending
9
10Index: qemu-0.14.0/vl.c
11===================================================================
12--- qemu-0.14.0.orig/vl.c
13+++ qemu-0.14.0/vl.c
14@@ -168,7 +168,7 @@ int main(int argc, char **argv)
15 //#define DEBUG_NET
16 //#define DEBUG_SLIRP
17
18-#define DEFAULT_RAM_SIZE 128
19+#define DEFAULT_RAM_SIZE 384
20
21 #define MAX_VIRTIO_CONSOLES 1
22
diff --git a/meta/recipes-devtools/qemu/qemu/no-valgrind.patch b/meta/recipes-devtools/qemu/qemu/no-valgrind.patch
new file mode 100644
index 0000000..91f7280
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/no-valgrind.patch
@@ -0,0 +1,19 @@
1There isn't an option to enable or disable valgrind support, so disable it to avoid non-deterministic builds.
2
3Upstream-Status: Inappropriate
4Signed-off-by: Ross Burton <ross.burton@intel.com>
5
6diff --git a/configure b/configure
7index b3c4f51..4d3929e 100755
8--- a/configure
9+++ b/configure
10@@ -4193,9 +4192,0 @@ valgrind_h=no
11-cat > $TMPC << EOF
12-#include <valgrind/valgrind.h>
13-int main(void) {
14- return 0;
15-}
16-EOF
17-if compile_prog "" "" ; then
18- valgrind_h=yes
19-fi
diff --git a/meta/recipes-devtools/qemu/qemu/qemu-CVE-2015-3456.patch b/meta/recipes-devtools/qemu/qemu/qemu-CVE-2015-3456.patch
deleted file mode 100644
index f05441f..0000000
--- a/meta/recipes-devtools/qemu/qemu/qemu-CVE-2015-3456.patch
+++ /dev/null
@@ -1,92 +0,0 @@
1qemu: CVE-2015-3456
2
3the patch comes from:
4https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3456
5http://git.qemu.org/?p=qemu.git;a=commit;h=e907746266721f305d67bc0718795fedee2e824c
6
7fdc: force the fifo access to be in bounds of the allocated buffer
8
9During processing of certain commands such as FD_CMD_READ_ID and
10FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
11get out of bounds leading to memory corruption with values coming
12from the guest.
13
14Fix this by making sure that the index is always bounded by the
15allocated memory.
16
17This is CVE-2015-3456.
18
19Signed-off-by: Petr Matousek <pmatouse@redhat.com>
20Reviewed-by: John Snow <jsnow@redhat.com>
21Signed-off-by: John Snow <jsnow@redhat.com>
22Signed-off-by: Li Wang <li.wang@windriver.com>
23
24Upstream-Status: Backport
25
26Signed-off-by: Kai Kang <kai.kang@windriver.com>
27---
28 hw/block/fdc.c | 17 +++++++++++------
29 1 file changed, 11 insertions(+), 6 deletions(-)
30
31diff --git a/hw/block/fdc.c b/hw/block/fdc.c
32index 490d127..045459e 100644
33--- a/hw/block/fdc.c
34+++ b/hw/block/fdc.c
35@@ -1436,7 +1436,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
36 {
37 FDrive *cur_drv;
38 uint32_t retval = 0;
39- int pos;
40+ uint32_t pos;
41
42 cur_drv = get_cur_drv(fdctrl);
43 fdctrl->dsr &= ~FD_DSR_PWRDOWN;
44@@ -1445,8 +1445,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
45 return 0;
46 }
47 pos = fdctrl->data_pos;
48+ pos %= FD_SECTOR_LEN;
49 if (fdctrl->msr & FD_MSR_NONDMA) {
50- pos %= FD_SECTOR_LEN;
51 if (pos == 0) {
52 if (fdctrl->data_pos != 0)
53 if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
54@@ -1790,10 +1790,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction)
55 static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
56 {
57 FDrive *cur_drv = get_cur_drv(fdctrl);
58+ uint32_t pos;
59
60- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
61+ pos = fdctrl->data_pos - 1;
62+ pos %= FD_SECTOR_LEN;
63+ if (fdctrl->fifo[pos] & 0x80) {
64 /* Command parameters done */
65- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
66+ if (fdctrl->fifo[pos] & 0x40) {
67 fdctrl->fifo[0] = fdctrl->fifo[1];
68 fdctrl->fifo[2] = 0;
69 fdctrl->fifo[3] = 0;
70@@ -1893,7 +1896,7 @@ static uint8_t command_to_handler[256];
71 static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
72 {
73 FDrive *cur_drv;
74- int pos;
75+ uint32_t pos;
76
77 /* Reset mode */
78 if (!(fdctrl->dor & FD_DOR_nRESET)) {
79@@ -1941,7 +1944,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
80 }
81
82 FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
83- fdctrl->fifo[fdctrl->data_pos++] = value;
84+ pos = fdctrl->data_pos++;
85+ pos %= FD_SECTOR_LEN;
86+ fdctrl->fifo[pos] = value;
87 if (fdctrl->data_pos == fdctrl->data_len) {
88 /* We now have all parameters
89 * and will be able to treat the command
90--
911.7.9.5
92
diff --git a/meta/recipes-devtools/qemu/files/qemu-enlarge-env-entry-size.patch b/meta/recipes-devtools/qemu/qemu/qemu-enlarge-env-entry-size.patch
index c7425ab..c7425ab 100644
--- a/meta/recipes-devtools/qemu/files/qemu-enlarge-env-entry-size.patch
+++ b/meta/recipes-devtools/qemu/qemu/qemu-enlarge-env-entry-size.patch
diff --git a/meta/recipes-devtools/qemu/qemu/run-ptest b/meta/recipes-devtools/qemu/qemu/run-ptest
new file mode 100644
index 0000000..f4b8e97
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/run-ptest
@@ -0,0 +1,8 @@
1#!/bin/sh
2#
3#This script is used to run qemu test suites
4ptestdir=$(pwd)
5cd tests
6
7export SRC_PATH=$ptestdir
8make -k runtest-TESTS | sed '/: OK/ s/^/PASS: /g'
diff --git a/meta/recipes-devtools/qemu/qemu/slirp-CVE-2014-3640.patch b/meta/recipes-devtools/qemu/qemu/slirp-CVE-2014-3640.patch
deleted file mode 100644
index a7ecf31..0000000
--- a/meta/recipes-devtools/qemu/qemu/slirp-CVE-2014-3640.patch
+++ /dev/null
@@ -1,48 +0,0 @@
1From 9a72433843d912a45046959b1953861211d1838d Mon Sep 17 00:00:00 2001
2From: Petr Matousek <pmatouse@redhat.com>
3Date: Thu, 18 Sep 2014 08:35:37 +0200
4Subject: [PATCH] slirp: udp: fix NULL pointer dereference because of
5 uninitialized socket
6
7When guest sends udp packet with source port and source addr 0,
8uninitialized socket is picked up when looking for matching and already
9created udp sockets, and later passed to sosendto() where NULL pointer
10dereference is hit during so->slirp->vnetwork_mask.s_addr access.
11
12Fix this by checking that the socket is not just a socket stub.
13
14This is CVE-2014-3640.
15
16Upstream-Status: Backport
17
18Signed-off-by: Petr Matousek <pmatouse@redhat.com>
19Reported-by: Xavier Mehrenberger <xavier.mehrenberger@airbus.com>
20Reported-by: Stephane Duverger <stephane.duverger@eads.net>
21Reviewed-by: Jan Kiszka <jan.kiszka@siemens.com>
22Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
23Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
24Message-id: 20140918063537.GX9321@dhcp-25-225.brq.redhat.com
25Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
26(cherry picked from commit 01f7cecf0037997cb0e58ec0d56bf9b5a6f7cb2a)
27Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
28Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
29---
30 slirp/udp.c | 2 +-
31 1 file changed, 1 insertion(+), 1 deletion(-)
32
33diff --git a/slirp/udp.c b/slirp/udp.c
34index 8cc6cb6..f77e00f 100644
35--- a/slirp/udp.c
36+++ b/slirp/udp.c
37@@ -152,7 +152,7 @@ udp_input(register struct mbuf *m, int iphlen)
38 * Locate pcb for datagram.
39 */
40 so = slirp->udp_last_so;
41- if (so->so_lport != uh->uh_sport ||
42+ if (so == &slirp->udb || so->so_lport != uh->uh_sport ||
43 so->so_laddr.s_addr != ip->ip_src.s_addr) {
44 struct socket *tmp;
45
46--
471.9.1
48
diff --git a/meta/recipes-devtools/qemu/qemu/smc91c111_fix.patch b/meta/recipes-devtools/qemu/qemu/smc91c111_fix.patch
new file mode 100644
index 0000000..e37e777
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/smc91c111_fix.patch
@@ -0,0 +1,74 @@
1The smc91c111.c driver appears to have several issues. The can_receive()
2function can return that the driver is ready when rx_fifo has not been
3freed yet. There is also no sanity check of rx_fifo() in _receive() which
4can lead to corruption of the rx_fifo array.
5
6release_packet() can also call qemu_flush_queued_packets() before rx_fifo
7has been cleaned up, resulting in cases where packets are submitted
8for which there is not yet any space.
9
10This patch therefore:
11
12* fixes the logic in can_receive()
13* adds logic to receive() as a sanity check
14* moves the flush() calls to the correct places where data is ready
15 to be received
16
17Upstream-Status: Pending [discussion in progress on mailing list]
18RP 2015/9/7
19
20Index: qemu-2.4.0/hw/net/smc91c111.c
21===================================================================
22--- qemu-2.4.0.orig/hw/net/smc91c111.c
23+++ qemu-2.4.0/hw/net/smc91c111.c
24@@ -185,7 +185,6 @@ static void smc91c111_release_packet(smc
25 s->allocated &= ~(1 << packet);
26 if (s->tx_alloc == 0x80)
27 smc91c111_tx_alloc(s);
28- qemu_flush_queued_packets(qemu_get_queue(s->nic));
29 }
30
31 /* Flush the TX FIFO. */
32@@ -237,9 +236,11 @@ static void smc91c111_do_tx(smc91c111_st
33 }
34 }
35 #endif
36- if (s->ctr & CTR_AUTO_RELEASE)
37+ if (s->ctr & CTR_AUTO_RELEASE) {
38 /* Race? */
39 smc91c111_release_packet(s, packetnum);
40+ qemu_flush_queued_packets(qemu_get_queue(s->nic));
41+ }
42 else if (s->tx_fifo_done_len < NUM_PACKETS)
43 s->tx_fifo_done[s->tx_fifo_done_len++] = packetnum;
44 qemu_send_packet(qemu_get_queue(s->nic), p, len);
45@@ -379,9 +380,11 @@ static void smc91c111_writeb(void *opaqu
46 smc91c111_release_packet(s, s->rx_fifo[0]);
47 }
48 smc91c111_pop_rx_fifo(s);
49+ qemu_flush_queued_packets(qemu_get_queue(s->nic));
50 break;
51 case 5: /* Release. */
52 smc91c111_release_packet(s, s->packet_num);
53+ qemu_flush_queued_packets(qemu_get_queue(s->nic));
54 break;
55 case 6: /* Add to TX FIFO. */
56 smc91c111_queue_tx(s, s->packet_num);
57@@ -642,7 +642,7 @@ static int smc91c111_can_receive(NetClie
58
59 if ((s->rcr & RCR_RXEN) == 0 || (s->rcr & RCR_SOFT_RST))
60 return 1;
61- if (s->allocated == (1 << NUM_PACKETS) - 1)
62+ if ((s->allocated == (1 << NUM_PACKETS) - 1) || (s->rx_fifo_len == NUM_PACKETS))
63 return 0;
64 return 1;
65 }
66@@ -671,6 +671,8 @@ static ssize_t smc91c111_receive(NetClie
67 /* TODO: Flag overrun and receive errors. */
68 if (packetsize > 2048)
69 return -1;
70+ if (s->rx_fifo_len == NUM_PACKETS)
71+ return -1;
72 packetnum = smc91c111_allocate_packet(s);
73 if (packetnum == 0x80)
74 return -1;
diff --git a/meta/recipes-devtools/qemu/qemu/smc91c111_fix1.patch b/meta/recipes-devtools/qemu/qemu/smc91c111_fix1.patch
new file mode 100644
index 0000000..bd1223a
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/smc91c111_fix1.patch
@@ -0,0 +1,85 @@
1From: Peter Crosthwaite <crosthwaitepeter@gmail.com>
2Subject: [RFT PATCH v1 1/3] net: smc91c111: guard flush_queued_packets() on
3 can_rx()
4Date: Thu, 10 Sep 2015 21:23:43 -0700
5
6Check that the core can once again receive packets before asking the
7net layer to do a flush. This will make it more convenient to flush
8packets when adding new conditions to can_receive.
9
10Add missing if braces while moving the can_receive() core code.
11
12Signed-off-by: Peter Crosthwaite <crosthwaite.peter@gmail.com>
13
14Upstream-Status: Submitted
15
16---
17
18 hw/net/smc91c111.c | 30 ++++++++++++++++++++++--------
19 1 file changed, 22 insertions(+), 8 deletions(-)
20
21Index: qemu-2.4.0/hw/net/smc91c111.c
22===================================================================
23--- qemu-2.4.0.orig/hw/net/smc91c111.c
24+++ qemu-2.4.0/hw/net/smc91c111.c
25@@ -124,6 +124,24 @@ static void smc91c111_update(smc91c111_s
26 qemu_set_irq(s->irq, level);
27 }
28
29+static int smc91c111_can_receive(smc91c111_state *s)
30+{
31+ if ((s->rcr & RCR_RXEN) == 0 || (s->rcr & RCR_SOFT_RST)) {
32+ return 1;
33+ }
34+ if (s->allocated == (1 << NUM_PACKETS) - 1) {
35+ return 0;
36+ }
37+ return 1;
38+}
39+
40+static inline void smc91c111_flush_queued_packets(smc91c111_state *s)
41+{
42+ if (smc91c111_can_receive(s)) {
43+ qemu_flush_queued_packets(qemu_get_queue(s->nic));
44+ }
45+}
46+
47 /* Try to allocate a packet. Returns 0x80 on failure. */
48 static int smc91c111_allocate_packet(smc91c111_state *s)
49 {
50@@ -185,7 +203,7 @@ static void smc91c111_release_packet(smc
51 s->allocated &= ~(1 << packet);
52 if (s->tx_alloc == 0x80)
53 smc91c111_tx_alloc(s);
54- qemu_flush_queued_packets(qemu_get_queue(s->nic));
55+ smc91c111_flush_queued_packets(s);
56 }
57
58 /* Flush the TX FIFO. */
59@@ -636,15 +654,11 @@ static uint32_t smc91c111_readl(void *op
60 return val;
61 }
62
63-static int smc91c111_can_receive(NetClientState *nc)
64+static int smc91c111_can_receive_nc(NetClientState *nc)
65 {
66 smc91c111_state *s = qemu_get_nic_opaque(nc);
67
68- if ((s->rcr & RCR_RXEN) == 0 || (s->rcr & RCR_SOFT_RST))
69- return 1;
70- if (s->allocated == (1 << NUM_PACKETS) - 1)
71- return 0;
72- return 1;
73+ return smc91c111_can_receive(s);
74 }
75
76 static ssize_t smc91c111_receive(NetClientState *nc, const uint8_t *buf, size_t size)
77@@ -739,7 +753,7 @@ static const MemoryRegionOps smc91c111_m
78 static NetClientInfo net_smc91c111_info = {
79 .type = NET_CLIENT_OPTIONS_KIND_NIC,
80 .size = sizeof(NICState),
81- .can_receive = smc91c111_can_receive,
82+ .can_receive = smc91c111_can_receive_nc,
83 .receive = smc91c111_receive,
84 };
85
diff --git a/meta/recipes-devtools/qemu/qemu/smc91c111_fix2.patch b/meta/recipes-devtools/qemu/qemu/smc91c111_fix2.patch
new file mode 100644
index 0000000..018aed5
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/smc91c111_fix2.patch
@@ -0,0 +1,46 @@
1From: Peter Crosthwaite <crosthwaitepeter@gmail.com>
2X-Google-Original-From: Peter Crosthwaite <crosthwaite.peter@gmail.com>
3To: qemu-devel@nongnu.org
4Cc: peter.maydell@linaro.org, richard.purdie@linuxfoundation.org
5Subject: [RFT PATCH v1 2/3] net: smc91c111: gate can_receive() on rx FIFO
6 having a slot
7Date: Thu, 10 Sep 2015 21:23:57 -0700
8
9Return false from can_receive() when the FIFO doesn't have a free RX
10slot. This fixes a bug in the current code where the allocated buffer
11is freed before the fifo pop, triggering a premature flush of queued RX
12packets. It also will handle a corner case, where the guest manually
13frees the allocated buffer before popping the rx FIFO (hence it is not
14enough to just delay the flush_queued_packets()).
15
16Reported-by: Richard Purdie <richard.purdie@linuxfoundation.org>
17Signed-off-by: Peter Crosthwaite <crosthwaite.peter@gmail.com>
18
19Upstream-Status: Submitted
20---
21
22 hw/net/smc91c111.c | 4 +++-
23 1 file changed, 3 insertions(+), 1 deletion(-)
24
25Index: qemu-2.4.0/hw/net/smc91c111.c
26===================================================================
27--- qemu-2.4.0.orig/hw/net/smc91c111.c
28+++ qemu-2.4.0/hw/net/smc91c111.c
29@@ -129,7 +129,8 @@ static int smc91c111_can_receive(smc91c1
30 if ((s->rcr & RCR_RXEN) == 0 || (s->rcr & RCR_SOFT_RST)) {
31 return 1;
32 }
33- if (s->allocated == (1 << NUM_PACKETS) - 1) {
34+ if (s->allocated == (1 << NUM_PACKETS) - 1 ||
35+ s->rx_fifo_len == NUM_PACKETS) {
36 return 0;
37 }
38 return 1;
39@@ -182,6 +183,7 @@ static void smc91c111_pop_rx_fifo(smc91c
40 } else {
41 s->int_level &= ~INT_RCV;
42 }
43+ smc91c111_flush_queued_packets(s);
44 smc91c111_update(s);
45 }
46
diff --git a/meta/recipes-devtools/qemu/qemu/smc91c111_fix3.patch b/meta/recipes-devtools/qemu/qemu/smc91c111_fix3.patch
new file mode 100644
index 0000000..9e865f7
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/smc91c111_fix3.patch
@@ -0,0 +1,33 @@
1From: Peter Crosthwaite <crosthwaitepeter@gmail.com>
2To: qemu-devel@nongnu.org
3Cc: peter.maydell@linaro.org, richard.purdie@linuxfoundation.org
4Subject: [RFT PATCH v1 3/3] net: smc91c111: flush packets on RCR register
5 changes
6Date: Thu, 10 Sep 2015 21:24:12 -0700
7
8The SOFT_RST or RXEN in the control register can be used as a condition
9to unblock the net layer via can_receive(). So check for possible
10flushes on RCR changes. This will drop all pending packets on soft
11reset or disable which is the functional intent of the can_receive()
12logic.
13
14Signed-off-by: Peter Crosthwaite <crosthwaite.peter@gmail.com>
15
16Upstream-Status: Submitted
17---
18
19 hw/net/smc91c111.c | 1 +
20 1 file changed, 1 insertion(+)
21
22Index: qemu-2.4.0/hw/net/smc91c111.c
23===================================================================
24--- qemu-2.4.0.orig/hw/net/smc91c111.c
25+++ qemu-2.4.0/hw/net/smc91c111.c
26@@ -331,6 +331,7 @@ static void smc91c111_writeb(void *opaqu
27 if (s->rcr & RCR_SOFT_RST) {
28 smc91c111_reset(DEVICE(s));
29 }
30+ smc91c111_flush_queued_packets(s);
31 return;
32 case 10: case 11: /* RPCR */
33 /* Ignored */
diff --git a/meta/recipes-devtools/qemu/qemu/vnc-CVE-2014-7815.patch b/meta/recipes-devtools/qemu/qemu/vnc-CVE-2014-7815.patch
deleted file mode 100644
index 10a6dac..0000000
--- a/meta/recipes-devtools/qemu/qemu/vnc-CVE-2014-7815.patch
+++ /dev/null
@@ -1,53 +0,0 @@
1From b2f1d90530301d7915dddc8a750063757675b21a Mon Sep 17 00:00:00 2001
2From: Petr Matousek <pmatouse@redhat.com>
3Date: Mon, 27 Oct 2014 12:41:44 +0100
4Subject: [PATCH] vnc: sanitize bits_per_pixel from the client
5
6bits_per_pixel that are less than 8 could result in accessing
7non-initialized buffers later in the code due to the expectation
8that bytes_per_pixel value that is used to initialize these buffers is
9never zero.
10
11To fix this check that bits_per_pixel from the client is one of the
12values that the rfb protocol specification allows.
13
14This is CVE-2014-7815.
15
16Upstream-Status: Backport
17
18Signed-off-by: Petr Matousek <pmatouse@redhat.com>
19
20[ kraxel: apply codestyle fix ]
21
22Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
23(cherry picked from commit e6908bfe8e07f2b452e78e677da1b45b1c0f6829)
24Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
25Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
26---
27 ui/vnc.c | 10 ++++++++++
28 1 file changed, 10 insertions(+)
29
30diff --git a/ui/vnc.c b/ui/vnc.c
31index f8d9b7d..87e34ae 100644
32--- a/ui/vnc.c
33+++ b/ui/vnc.c
34@@ -2026,6 +2026,16 @@ static void set_pixel_format(VncState *vs,
35 return;
36 }
37
38+ switch (bits_per_pixel) {
39+ case 8:
40+ case 16:
41+ case 32:
42+ break;
43+ default:
44+ vnc_client_error(vs);
45+ return;
46+ }
47+
48 vs->client_pf.rmax = red_max;
49 vs->client_pf.rbits = hweight_long(red_max);
50 vs->client_pf.rshift = red_shift;
51--
521.9.1
53
diff --git a/meta/recipes-devtools/qemu/qemu/wacom.patch b/meta/recipes-devtools/qemu/qemu/wacom.patch
index fd1b4a6..cd06aa4 100644
--- a/meta/recipes-devtools/qemu/qemu/wacom.patch
+++ b/meta/recipes-devtools/qemu/qemu/wacom.patch
@@ -1,7 +1,7 @@
1The USB wacom device is missing a HID descriptor which causes it 1The USB wacom device is missing a HID descriptor which causes it
2to fail to operate with recent kernels (e.g. 3.17). 2to fail to operate with recent kernels (e.g. 3.17).
3 3
4This patch adds a HID desriptor to the device, based upon one from 4This patch adds a HID desriptor to the device, based upon one from
5real wcom device. 5real wcom device.
6 6
7Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 7Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
@@ -16,12 +16,12 @@ Index: qemu-2.1.0/hw/usb/dev-wacom.c
16@@ -68,6 +68,89 @@ 16@@ -68,6 +68,89 @@
17 [STR_SERIALNUMBER] = "1", 17 [STR_SERIALNUMBER] = "1",
18 }; 18 };
19 19
20+static const uint8_t qemu_tablet_hid_report_descriptor[] = { 20+static const uint8_t qemu_tablet_hid_report_descriptor[] = {
21+ 0x05, 0x01, /* Usage Page (Generic Desktop) */ 21+ 0x05, 0x01, /* Usage Page (Generic Desktop) */
22+ 0x09, 0x02, /* Usage (Mouse) */ 22+ 0x09, 0x02, /* Usage (Mouse) */
23+ 0xa1, 0x01, /* Collection (Application) */ 23+ 0xa1, 0x01, /* Collection (Application) */
24+ 0x85, 0x01, /* Report ID (1) */ 24+ 0x85, 0x01, /* Report ID (1) */
25+ 0x09, 0x01, /* Usage (Pointer) */ 25+ 0x09, 0x01, /* Usage (Pointer) */
26+ 0xa1, 0x00, /* Collection (Physical) */ 26+ 0xa1, 0x00, /* Collection (Physical) */
27+ 0x05, 0x09, /* Usage Page (Button) */ 27+ 0x05, 0x09, /* Usage Page (Button) */
@@ -48,7 +48,7 @@ Index: qemu-2.1.0/hw/usb/dev-wacom.c
48+ 0x05, 0x0d, /* Usage Page (Digitizer) */ 48+ 0x05, 0x0d, /* Usage Page (Digitizer) */
49+ 0x09, 0x01, /* Usage (Digitizer) */ 49+ 0x09, 0x01, /* Usage (Digitizer) */
50+ 0xa1, 0x01, /* Collection (Application) */ 50+ 0xa1, 0x01, /* Collection (Application) */
51+ 0x85, 0x02, /* Report ID (2) */ 51+ 0x85, 0x02, /* Report ID (2) */
52+ 0xa1, 0x00, /* Collection (Physical) */ 52+ 0xa1, 0x00, /* Collection (Physical) */
53+ 0x06, 0x00, 0xff, /* Usage Page (Vendor 0xff00) */ 53+ 0x06, 0x00, 0xff, /* Usage Page (Vendor 0xff00) */
54+ 0x09, 0x01, /* Usage (Digitizer) */ 54+ 0x09, 0x01, /* Usage (Digitizer) */
@@ -59,14 +59,14 @@ Index: qemu-2.1.0/hw/usb/dev-wacom.c
59+ 0x81, 0x02, /* Input (Data, Variable, Absolute) */ 59+ 0x81, 0x02, /* Input (Data, Variable, Absolute) */
60+ 0xc0, /* End Collection */ 60+ 0xc0, /* End Collection */
61+ 0x09, 0x01, /* Usage (Digitizer) */ 61+ 0x09, 0x01, /* Usage (Digitizer) */
62+ 0x85, 0x02, /* Report ID (2) */ 62+ 0x85, 0x02, /* Report ID (2) */
63+ 0x95, 0x01, /* Report Count (1) */ 63+ 0x95, 0x01, /* Report Count (1) */
64+ 0xb1, 0x02, /* FEATURE (2) */ 64+ 0xb1, 0x02, /* FEATURE (2) */
65+ 0xc0, /* End Collection */ 65+ 0xc0, /* End Collection */
66+ 0x06, 0x00, 0xff, /* Usage Page (Vendor 0xff00) */ 66+ 0x06, 0x00, 0xff, /* Usage Page (Vendor 0xff00) */
67+ 0x09, 0x01, /* Usage (Digitizer) */ 67+ 0x09, 0x01, /* Usage (Digitizer) */
68+ 0xa1, 0x01, /* Collection (Application) */ 68+ 0xa1, 0x01, /* Collection (Application) */
69+ 0x85, 0x02, /* Report ID (2) */ 69+ 0x85, 0x02, /* Report ID (2) */
70+ 0x05, 0x0d, /* Usage Page (Digitizer) */ 70+ 0x05, 0x0d, /* Usage Page (Digitizer) */
71+ 0x09, 0x22, /* Usage (Finger) */ 71+ 0x09, 0x22, /* Usage (Finger) */
72+ 0xa1, 0x00, /* Collection (Physical) */ 72+ 0xa1, 0x00, /* Collection (Physical) */
@@ -95,7 +95,7 @@ Index: qemu-2.1.0/hw/usb/dev-wacom.c
95+ 0x75, 0x08, /* Report Size (8) */ 95+ 0x75, 0x08, /* Report Size (8) */
96+ 0x95, 0x0d, /* Report Count (13) */ 96+ 0x95, 0x0d, /* Report Count (13) */
97+ 0x81, 0x02, /* Input (Data, Variable, Absolute) */ 97+ 0x81, 0x02, /* Input (Data, Variable, Absolute) */
98+ 0xc0, /* End Collection */ 98+ 0xc0, /* End Collection */
99+ 0xc0, /* End Collection */ 99+ 0xc0, /* End Collection */
100+}; 100+};
101+ 101+
@@ -114,7 +114,7 @@ Index: qemu-2.1.0/hw/usb/dev-wacom.c
114 }, 114 },
115@@ -265,6 +350,15 @@ 115@@ -265,6 +350,15 @@
116 } 116 }
117 117
118 switch (request) { 118 switch (request) {
119+ case InterfaceRequest | USB_REQ_GET_DESCRIPTOR: 119+ case InterfaceRequest | USB_REQ_GET_DESCRIPTOR:
120+ switch (value >> 8) { 120+ switch (value >> 8) {
diff --git a/meta/recipes-devtools/qemu/qemu_2.1.0.bb b/meta/recipes-devtools/qemu/qemu_2.1.0.bb
deleted file mode 100644
index 92a89d6..0000000
--- a/meta/recipes-devtools/qemu/qemu_2.1.0.bb
+++ /dev/null
@@ -1,32 +0,0 @@
1require qemu.inc
2
3LIC_FILES_CHKSUM = "file://COPYING;md5=441c28d2cf86e15a37fa47e15a72fbac \
4 file://COPYING.LIB;endline=24;md5=c04def7ae38850e7d3ef548588159913"
5
6SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
7 file://qemu-enlarge-env-entry-size.patch \
8 file://Qemu-Arm-versatilepb-Add-memory-size-checking.patch \
9 file://0001-Back-porting-security-fix-CVE-2014-5388.patch \
10 file://qemu-CVE-2015-3456.patch \
11 file://CVE-2014-7840.patch \
12 file://vnc-CVE-2014-7815.patch \
13 file://slirp-CVE-2014-3640.patch \
14 "
15SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"
16SRC_URI[md5sum] = "6726977292b448cbc7f89998fac6983b"
17SRC_URI[sha256sum] = "397e23184f4bf613589a8fe0c6542461dc2afdf17ed337e97e6fd2f31e8f8802"
18
19COMPATIBLE_HOST_class-target_mips64 = "null"
20
21do_sanitize_sources() {
22 # These .git files point to a nonexistent path "../.git/modules" and will confuse git
23 # if it tries to recurse into those directories.
24 rm -f ${S}/dtc/.git ${S}/pixman/.git
25}
26
27addtask sanitize_sources after do_unpack before do_patch
28
29do_install_append() {
30 # Prevent QA warnings about installed ${localstatedir}/run
31 if [ -d ${D}${localstatedir}/run ]; then rmdir ${D}${localstatedir}/run; fi
32}
diff --git a/meta/recipes-devtools/qemu/qemu_2.4.0.bb b/meta/recipes-devtools/qemu/qemu_2.4.0.bb
new file mode 100644
index 0000000..8d47b16
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu_2.4.0.bb
@@ -0,0 +1,33 @@
1require qemu.inc
2
3LIC_FILES_CHKSUM = "file://COPYING;md5=441c28d2cf86e15a37fa47e15a72fbac \
4 file://COPYING.LIB;endline=24;md5=c04def7ae38850e7d3ef548588159913"
5
6SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
7 file://qemu-enlarge-env-entry-size.patch \
8 file://Qemu-Arm-versatilepb-Add-memory-size-checking.patch \
9 file://smc91c111_fix1.patch \
10 file://smc91c111_fix2.patch \
11 file://smc91c111_fix3.patch \
12 file://no-valgrind.patch \
13 file://CVE-2015-8504.patch \
14 file://CVE-2015-7504.patch \
15 file://CVE-2015-7512.patch \
16 file://CVE-2015-8345.patch \
17 file://CVE-2016-1568.patch \
18 file://CVE-2015-7295_1.patch \
19 file://CVE-2015-7295_2.patch \
20 file://CVE-2015-7295_3.patch \
21 file://CVE-2016-2197.patch \
22 file://CVE-2016-2198.patch \
23 "
24SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"
25SRC_URI[md5sum] = "186ee8194140a484a455f8e3c74589f4"
26SRC_URI[sha256sum] = "72b0b991bbcc540663a019e1e8c4f714053b691dda32c9b9ee80b25f367e6620"
27
28COMPATIBLE_HOST_class-target_mips64 = "null"
29
30do_install_append() {
31 # Prevent QA warnings about installed ${localstatedir}/run
32 if [ -d ${D}${localstatedir}/run ]; then rmdir ${D}${localstatedir}/run; fi
33}
diff --git a/meta/recipes-devtools/qemu/qemu_git.bb b/meta/recipes-devtools/qemu/qemu_git.bb
deleted file mode 100644
index a30932a..0000000
--- a/meta/recipes-devtools/qemu/qemu_git.bb
+++ /dev/null
@@ -1,15 +0,0 @@
1require qemu.inc
2
3SRCREV = "04024dea2674861fcf13582a77b58130c67fccd8"
4
5LIC_FILES_CHKSUM = "file://COPYING;md5=441c28d2cf86e15a37fa47e15a72fbac \
6 file://COPYING.LIB;endline=24;md5=c04def7ae38850e7d3ef548588159913"
7
8PV = "1.3.0+git${SRCPV}"
9
10SRC_URI_prepend = "git://git.qemu.org/qemu.git"
11S = "${WORKDIR}/git"
12
13DEFAULT_PREFERENCE = "-1"
14
15COMPATIBLE_HOST_class-target_mips64 = "null"
diff --git a/meta/recipes-devtools/qemu/qemuwrapper-cross_1.0.bb b/meta/recipes-devtools/qemu/qemuwrapper-cross_1.0.bb
index d2981b5..7f4c6d9 100644
--- a/meta/recipes-devtools/qemu/qemuwrapper-cross_1.0.bb
+++ b/meta/recipes-devtools/qemu/qemuwrapper-cross_1.0.bb
@@ -2,6 +2,8 @@ SUMMARY = "QEMU wrapper script"
2LICENSE = "MIT" 2LICENSE = "MIT"
3LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420" 3LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
4 4
5S = "${WORKDIR}"
6
5inherit qemu 7inherit qemu
6 8
7do_install () { 9do_install () {
@@ -9,7 +11,7 @@ do_install () {
9 11
10 echo "#!/bin/sh" > ${D}${bindir_crossscripts}/qemuwrapper 12 echo "#!/bin/sh" > ${D}${bindir_crossscripts}/qemuwrapper
11 qemu_binary=${@qemu_target_binary(d)} 13 qemu_binary=${@qemu_target_binary(d)}
12 qemu_options='${@d.getVar("QEMU_OPTIONS_%s" % d.getVar('PACKAGE_ARCH', True), True) or d.getVar('QEMU_OPTIONS', True) or ""}' 14 qemu_options='${QEMU_OPTIONS}'
13 echo "$qemu_binary $qemu_options \"\$@\"" >> ${D}${bindir_crossscripts}/qemuwrapper 15 echo "$qemu_binary $qemu_options \"\$@\"" >> ${D}${bindir_crossscripts}/qemuwrapper
14 fallback_qemu_bin= 16 fallback_qemu_bin=
15 case $qemu_binary in 17 case $qemu_binary in