authorMark Hatle <mark.hatle@kernel.crashing.org>2021-01-23 20:12:38 -0600
committerMark Hatle <mark.hatle@kernel.crashing.org>2021-02-03 10:03:40 -0600
commit689ba7e291e6de944aff7d15e5165ece00d34026 (patch)
tree5b40610df1962a68842cf291a31dab965d9d0d08
parente0b98958b4f5fbc346c8bca8ad4fc432f53f0435 (diff)
downloadmeta-xilinx-689ba7e291e6de944aff7d15e5165ece00d34026.tar.gz
meta-xilinx-689ba7e291e6de944aff7d15e5165ece00d34026.tar.bz2
meta-xilinx-689ba7e291e6de944aff7d15e5165ece00d34026.zip
qemu-xilinx: lock down on YP 5.1.0 integration
Yocto Project has moved to 5.2.0, but qemu-xilinx has not yet moved forward to a matching version. Temporarily include the last 5.1.0 version from master. Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
-rw-r--r--meta-xilinx-bsp/recipes-devtools/qemu/qemu-native.inc11
-rw-r--r--meta-xilinx-bsp/recipes-devtools/qemu/qemu-targets.inc28
-rw-r--r--meta-xilinx-bsp/recipes-devtools/qemu/qemu-xilinx-native.inc2
-rw-r--r--meta-xilinx-bsp/recipes-devtools/qemu/qemu-xilinx_2020.2.bb2
-rw-r--r--meta-xilinx-bsp/recipes-devtools/qemu/qemu.inc197
-rw-r--r--meta-xilinx-bsp/recipes-devtools/qemu/qemu/0001-Add-enable-disable-udev.patch29
-rw-r--r--meta-xilinx-bsp/recipes-devtools/qemu/qemu/0001-qemu-Add-missing-wacom-HID-descriptor.patch141
-rw-r--r--meta-xilinx-bsp/recipes-devtools/qemu/qemu/0001-qemu-Do-not-include-file-if-not-exists.patch31
-rw-r--r--meta-xilinx-bsp/recipes-devtools/qemu/qemu/0001-target-mips-Increase-number-of-TLB-entries-on-the-34.patch59
-rw-r--r--meta-xilinx-bsp/recipes-devtools/qemu/qemu/0002-Add-subpackage-ptest-which-runs-all-unit-test-cases-.patch35
-rw-r--r--meta-xilinx-bsp/recipes-devtools/qemu/qemu/0003-qemu-Add-addition-environment-space-to-boot-loader-q.patch33
-rw-r--r--meta-xilinx-bsp/recipes-devtools/qemu/qemu/0004-qemu-disable-Valgrind.patch34
-rw-r--r--meta-xilinx-bsp/recipes-devtools/qemu/qemu/0005-qemu-native-set-ld.bfd-fix-cflags-and-set-some-envir.patch28
-rw-r--r--meta-xilinx-bsp/recipes-devtools/qemu/qemu/0006-chardev-connect-socket-to-a-spawned-command.patch241
-rw-r--r--meta-xilinx-bsp/recipes-devtools/qemu/qemu/0007-apic-fixup-fallthrough-to-PIC.patch44
-rw-r--r--meta-xilinx-bsp/recipes-devtools/qemu/qemu/0008-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch33
-rw-r--r--meta-xilinx-bsp/recipes-devtools/qemu/qemu/0009-Fix-webkitgtk-builds.patch137
-rw-r--r--meta-xilinx-bsp/recipes-devtools/qemu/qemu/0010-configure-Add-pkg-config-handling-for-libgcrypt.patch91
-rw-r--r--meta-xilinx-bsp/recipes-devtools/qemu/qemu/CVE-2020-24352.patch52
-rw-r--r--meta-xilinx-bsp/recipes-devtools/qemu/qemu/CVE-2020-25624.patch101
-rw-r--r--meta-xilinx-bsp/recipes-devtools/qemu/qemu/CVE-2020-25723.patch51
-rw-r--r--meta-xilinx-bsp/recipes-devtools/qemu/qemu/CVE-2020-28916.patch49
-rw-r--r--meta-xilinx-bsp/recipes-devtools/qemu/qemu/CVE-2020-29129-CVE-2020-29130.patch64
-rw-r--r--meta-xilinx-bsp/recipes-devtools/qemu/qemu/find_datadir.patch39
-rw-r--r--meta-xilinx-bsp/recipes-devtools/qemu/qemu/powerpc_rom.binbin0 -> 4096 bytes
-rw-r--r--meta-xilinx-bsp/recipes-devtools/qemu/qemu/run-ptest10
-rw-r--r--meta-xilinx-bsp/recipes-devtools/qemu/qemu/usb-fix-setup_len-init.patch89
27 files changed, 1629 insertions, 2 deletions
diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu-native.inc b/meta-xilinx-bsp/recipes-devtools/qemu/qemu-native.inc
new file mode 100644
index 0000000..aa5c9b9
--- /dev/null
+++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu-native.inc
@@ -0,0 +1,11 @@
+inherit native
+
+require qemu.inc
+
+EXTRA_OEMAKE_append = " LD='${LD}' AR='${AR}' OBJCOPY='${OBJCOPY}' LDFLAGS='${LDFLAGS}'"
+
+LDFLAGS_append = " -fuse-ld=bfd"
+
+do_install_append() {
+ ${@bb.utils.contains('PACKAGECONFIG', 'gtk+', 'make_qemu_wrapper', '', d)}
+}
diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu-targets.inc b/meta-xilinx-bsp/recipes-devtools/qemu/qemu-targets.inc
new file mode 100644
index 0000000..24f9a03
--- /dev/null
+++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu-targets.inc
@@ -0,0 +1,28 @@
+# possible arch values are:
+# aarch64 arm armeb alpha cris i386 x86_64 m68k microblaze
+# mips mipsel mips64 mips64el ppc ppc64 ppc64abi32 ppcemb
+# riscv32 riscv64 sparc sparc32 sparc32plus
+
+def get_qemu_target_list(d):
+ import bb
+ archs = d.getVar('QEMU_TARGETS').split()
+ tos = d.getVar('HOST_OS')
+ softmmuonly = ""
+ for arch in ['ppcemb', 'lm32']:
+ if arch in archs:
+ softmmuonly += arch + "-softmmu,"
+ archs.remove(arch)
+ linuxuseronly = ""
+ for arch in ['armeb', 'alpha', 'ppc64abi32', 'ppc64le', 'sparc32plus', 'aarch64_be']:
+ if arch in archs:
+ linuxuseronly += arch + "-linux-user,"
+ archs.remove(arch)
+ if 'linux' not in tos:
+ return softmmuonly + ''.join([arch + "-softmmu" + "," for arch in archs]).rstrip(',')
+ return softmmuonly + linuxuseronly + ''.join([arch + "-linux-user" + "," + arch + "-softmmu" + "," for arch in archs]).rstrip(',')
+
+def get_qemu_usermode_target_list(d):
+ return ",".join(filter(lambda i: "-linux-user" in i, get_qemu_target_list(d).split(',')))
+
+def get_qemu_system_target_list(d):
+ return ",".join(filter(lambda i: "-linux-user" not in i, get_qemu_target_list(d).split(',')))
diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu-xilinx-native.inc b/meta-xilinx-bsp/recipes-devtools/qemu/qemu-xilinx-native.inc
index a1dc5d6..d8f06c7 100644
--- a/meta-xilinx-bsp/recipes-devtools/qemu/qemu-xilinx-native.inc
+++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu-xilinx-native.inc
@@ -1,4 +1,4 @@
-require recipes-devtools/qemu/qemu-native.inc
+require qemu-native.inc
require qemu-xilinx.inc
DEPENDS = "glib-2.0-native zlib-native"
diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu-xilinx_2020.2.bb b/meta-xilinx-bsp/recipes-devtools/qemu/qemu-xilinx_2020.2.bb
index 09f431e..fd1904a 100644
--- a/meta-xilinx-bsp/recipes-devtools/qemu/qemu-xilinx_2020.2.bb
+++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu-xilinx_2020.2.bb
@@ -1,4 +1,4 @@
-require recipes-devtools/qemu/qemu.inc
+require qemu.inc
require qemu-xilinx.inc
BBCLASSEXTEND = "nativesdk"
diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu.inc b/meta-xilinx-bsp/recipes-devtools/qemu/qemu.inc
new file mode 100644
index 0000000..4864d7e
--- /dev/null
+++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu.inc
@@ -0,0 +1,197 @@
+SUMMARY = "Fast open source processor emulator"
+DESCRIPTION = "QEMU is a hosted virtual machine monitor: it emulates the \
+machine's processor through dynamic binary translation and provides a set \
+of different hardware and device models for the machine, enabling it to run \
+a variety of guest operating systems"
+HOMEPAGE = "http://qemu.org"
+LICENSE = "GPLv2 & LGPLv2.1"
+
+RDEPENDS_${PN}-ptest = "bash make"
+
+require qemu-targets.inc
+inherit pkgconfig ptest
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=441c28d2cf86e15a37fa47e15a72fbac \
+ file://COPYING.LIB;endline=24;md5=8c5efda6cf1e1b03dcfd0e6c0d271c7f"
+
+SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
+ file://powerpc_rom.bin \
+ file://run-ptest \
+ file://0001-qemu-Add-missing-wacom-HID-descriptor.patch \
+ file://0002-Add-subpackage-ptest-which-runs-all-unit-test-cases-.patch \
+ file://0003-qemu-Add-addition-environment-space-to-boot-loader-q.patch \
+ file://0004-qemu-disable-Valgrind.patch \
+ file://0005-qemu-native-set-ld.bfd-fix-cflags-and-set-some-envir.patch \
+ file://0006-chardev-connect-socket-to-a-spawned-command.patch \
+ file://0007-apic-fixup-fallthrough-to-PIC.patch \
+ file://0008-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch \
+ file://0009-Fix-webkitgtk-builds.patch \
+ file://0010-configure-Add-pkg-config-handling-for-libgcrypt.patch \
+ file://0001-Add-enable-disable-udev.patch \
+ file://0001-qemu-Do-not-include-file-if-not-exists.patch \
+ file://find_datadir.patch \
+ file://usb-fix-setup_len-init.patch \
+ file://0001-target-mips-Increase-number-of-TLB-entries-on-the-34.patch \
+ file://CVE-2020-24352.patch \
+ file://CVE-2020-29129-CVE-2020-29130.patch \
+ file://CVE-2020-25624.patch \
+ file://CVE-2020-25723.patch \
+ file://CVE-2020-28916.patch \
+ "
+UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
+
+SRC_URI[sha256sum] = "c9174eb5933d9eb5e61f541cd6d1184cd3118dfe4c5c4955bc1bdc4d390fa4e5"
+
+COMPATIBLE_HOST_mipsarchn32 = "null"
+COMPATIBLE_HOST_mipsarchn64 = "null"
+
+# Per https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg03873.html
+# upstream states qemu doesn't work without optimization
+DEBUG_BUILD = "0"
+
+do_install_append() {
+ # Prevent QA warnings about installed ${localstatedir}/run
+ if [ -d ${D}${localstatedir}/run ]; then rmdir ${D}${localstatedir}/run; fi
+}
+
+do_compile_ptest() {
+ make buildtest-TESTS
+}
+
+do_install_ptest() {
+ cp -rL ${B}/tests ${D}${PTEST_PATH}
+ find ${D}${PTEST_PATH}/tests -type f -name "*.[Sshcod]" | xargs -i rm -rf {}
+
+ cp ${S}/tests/Makefile.include ${D}${PTEST_PATH}/tests
+ # Don't check the file genreated by configure
+ sed -i -e '/wildcard config-host.mak/d' \
+ -e '$ {/endif/d}' ${D}${PTEST_PATH}/tests/Makefile.include
+ sed -i -e 's,${HOSTTOOLS_DIR}/python3,${bindir}/python3,' \
+ ${D}/${PTEST_PATH}/tests/qemu-iotests/common.env
+ sed -i -e "1s,#!/usr/bin/bash,#!${base_bindir}/bash," ${D}${PTEST_PATH}/tests/data/acpi/disassemle-aml.sh
+}
+
+# QEMU_TARGETS is overridable variable
+QEMU_TARGETS ?= "arm aarch64 i386 mips mipsel mips64 mips64el ppc ppc64 ppc64le riscv32 riscv64 sh4 x86_64"
+
+EXTRA_OECONF = " \
+ --prefix=${prefix} \
+ --bindir=${bindir} \
+ --includedir=${includedir} \
+ --libdir=${libdir} \
+ --mandir=${mandir} \
+ --datadir=${datadir} \
+ --docdir=${docdir}/${BPN} \
+ --sysconfdir=${sysconfdir} \
+ --libexecdir=${libexecdir} \
+ --localstatedir=${localstatedir} \
+ --with-confsuffix=/${BPN} \
+ --disable-strip \
+ --disable-werror \
+ --extra-cflags='${CFLAGS}' \
+ --extra-ldflags='${LDFLAGS}' \
+ --with-git=/bin/false \
+ --disable-git-update \
+ ${PACKAGECONFIG_CONFARGS} \
+ "
+
+export LIBTOOL="${HOST_SYS}-libtool"
+
+B = "${WORKDIR}/build"
+
+EXTRA_OECONF_append = " --python=${HOSTTOOLS_DIR}/python3"
+
+do_configure_prepend_class-native() {
+ # Append build host pkg-config paths for native target since the host may provide sdl
+ BHOST_PKGCONFIG_PATH=$(PATH=/usr/bin:/bin pkg-config --variable pc_path pkg-config || echo "")
+ if [ ! -z "$BHOST_PKGCONFIG_PATH" ]; then
+ export PKG_CONFIG_PATH=$PKG_CONFIG_PATH:$BHOST_PKGCONFIG_PATH
+ fi
+}
+
+do_configure() {
+ ${S}/configure ${EXTRA_OECONF}
+}
+do_configure[cleandirs] += "${B}"
+
+do_install () {
+ export STRIP=""
+ oe_runmake 'DESTDIR=${D}' install
+}
+
+# The following fragment will create a wrapper for qemu-mips user emulation
+# binary in order to work around a segmentation fault issue. Basically, by
+# default, the reserved virtual address space for 32-on-64 bit is set to 4GB.
+# This will trigger a MMU access fault in the virtual CPU. With this change,
+# the qemu-mips works fine.
+# IMPORTANT: This piece needs to be removed once the root cause is fixed!
+do_install_append() {
+ if [ -e "${D}/${bindir}/qemu-mips" ]; then
+ create_wrapper ${D}/${bindir}/qemu-mips \
+ QEMU_RESERVED_VA=0x0
+ fi
+}
+# END of qemu-mips workaround
+
+make_qemu_wrapper() {
+ gdk_pixbuf_module_file=`pkg-config --variable=gdk_pixbuf_cache_file gdk-pixbuf-2.0`
+
+ for tool in `ls ${D}${bindir}/qemu-system-*`; do
+ create_wrapper $tool \
+ GDK_PIXBUF_MODULE_FILE=$gdk_pixbuf_module_file \
+ FONTCONFIG_PATH=/etc/fonts \
+ GTK_THEME=Adwaita
+ done
+}
+
+# Disable kvm/virgl/mesa on targets that do not support it
+PACKAGECONFIG_remove_darwin = "kvm virglrenderer glx gtk+"
+PACKAGECONFIG_remove_mingw32 = "kvm virglrenderer glx gtk+"
+
+PACKAGECONFIG[sdl] = "--enable-sdl,--disable-sdl,libsdl2"
+PACKAGECONFIG[virtfs] = "--enable-virtfs --enable-attr --enable-cap-ng,--disable-virtfs,libcap-ng attr,"
+PACKAGECONFIG[aio] = "--enable-linux-aio,--disable-linux-aio,libaio,"
+PACKAGECONFIG[xfs] = "--enable-xfsctl,--disable-xfsctl,xfsprogs,"
+PACKAGECONFIG[xen] = "--enable-xen,--disable-xen,xen-tools,xen-tools-libxenstore xen-tools-libxenctrl xen-tools-libxenguest"
+PACKAGECONFIG[vnc-sasl] = "--enable-vnc --enable-vnc-sasl,--disable-vnc-sasl,cyrus-sasl,"
+PACKAGECONFIG[vnc-jpeg] = "--enable-vnc --enable-vnc-jpeg,--disable-vnc-jpeg,jpeg,"
+PACKAGECONFIG[vnc-png] = "--enable-vnc --enable-vnc-png,--disable-vnc-png,libpng,"
+PACKAGECONFIG[libcurl] = "--enable-curl,--disable-curl,curl,"
+PACKAGECONFIG[nss] = "--enable-smartcard,--disable-smartcard,nss,"
+PACKAGECONFIG[curses] = "--enable-curses,--disable-curses,ncurses,"
+PACKAGECONFIG[gtk+] = "--enable-gtk,--disable-gtk,gtk+3 gettext-native"
+PACKAGECONFIG[vte] = "--enable-vte,--disable-vte,vte gettext-native"
+PACKAGECONFIG[libcap-ng] = "--enable-cap-ng,--disable-cap-ng,libcap-ng,"
+PACKAGECONFIG[ssh] = "--enable-libssh,--disable-libssh,libssh,"
+PACKAGECONFIG[gcrypt] = "--enable-gcrypt,--disable-gcrypt,libgcrypt,"
+PACKAGECONFIG[nettle] = "--enable-nettle,--disable-nettle,nettle"
+PACKAGECONFIG[libusb] = "--enable-libusb,--disable-libusb,libusb1"
+PACKAGECONFIG[fdt] = "--enable-fdt,--disable-fdt,dtc"
+PACKAGECONFIG[alsa] = "--audio-drv-list='oss alsa',,alsa-lib"
+PACKAGECONFIG[glx] = "--enable-opengl,--disable-opengl,virtual/libgl"
+PACKAGECONFIG[lzo] = "--enable-lzo,--disable-lzo,lzo"
+PACKAGECONFIG[numa] = "--enable-numa,--disable-numa,numactl"
+PACKAGECONFIG[gnutls] = "--enable-gnutls,--disable-gnutls,gnutls"
+PACKAGECONFIG[bzip2] = "--enable-bzip2,--disable-bzip2,bzip2"
+PACKAGECONFIG[libiscsi] = "--enable-libiscsi,--disable-libiscsi"
+PACKAGECONFIG[kvm] = "--enable-kvm,--disable-kvm"
+PACKAGECONFIG[virglrenderer] = "--enable-virglrenderer,--disable-virglrenderer,virglrenderer"
+# spice will be in meta-networking layer
+PACKAGECONFIG[spice] = "--enable-spice,--disable-spice,spice"
+# usbredir will be in meta-networking layer
+PACKAGECONFIG[usb-redir] = "--enable-usb-redir,--disable-usb-redir,usbredir"
+PACKAGECONFIG[snappy] = "--enable-snappy,--disable-snappy,snappy"
+PACKAGECONFIG[glusterfs] = "--enable-glusterfs,--disable-glusterfs,glusterfs"
+PACKAGECONFIG[xkbcommon] = "--enable-xkbcommon,--disable-xkbcommon,libxkbcommon"
+PACKAGECONFIG[libudev] = "--enable-libudev,--disable-libudev,eudev"
+PACKAGECONFIG[libxml2] = "--enable-libxml2,--disable-libxml2,libxml2"
+PACKAGECONFIG[attr] = "--enable-attr,--disable-attr,attr,"
+PACKAGECONFIG[rbd] = "--enable-rbd,--disable-rbd,ceph,ceph"
+PACKAGECONFIG[vhost] = "--enable-vhost-net,--disable-vhost-net,,"
+PACKAGECONFIG[ust] = "--enable-trace-backend=ust,--enable-trace-backend=nop,lttng-ust,"
+PACKAGECONFIG[pie] = "--enable-pie,--disable-pie,,"
+PACKAGECONFIG[seccomp] = "--enable-seccomp,--disable-seccomp,libseccomp"
+
+INSANE_SKIP_${PN} = "arch"
+
+FILES_${PN} += "${datadir}/icons"
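Review bot: `qemu.inc` is added as a frozen copy of the 5.1.0 recipe (the commit message calls it "the last 5.1.0 version from master"), but nothing in the file records where the snapshot came from. The `CVE-2020-*.patch` entries in `SRC_URI` will therefore not pick up later security backports on their own. A header comment such as `# Snapshot of the QEMU 5.1.0 recipe (source revision: <SOURCE_REVISION>); CVE backports must be maintained in this layer until qemu-xilinx moves to a matching version` would make that ownership explicit. Separately, `do_configure_prepend_class-native` appends the build host's pkg-config search path to `PKG_CONFIG_PATH`, which lets host-installed libraries influence the native build. The existing comment names only sdl, so it would help to state which host packages are expected to be picked up.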
diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0001-Add-enable-disable-udev.patch b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0001-Add-enable-disable-udev.patch
new file mode 100644
index 0000000..1304ee3
--- /dev/null
+++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0001-Add-enable-disable-udev.patch
@@ -0,0 +1,29 @@
+From b921e5204030845dc7c9d16d5f66d965e8d05367 Mon Sep 17 00:00:00 2001
+From: Jeremy Puhlman <jpuhlman@mvista.com>
+Date: Thu, 19 Mar 2020 11:54:26 -0700
+Subject: [PATCH] Add enable/disable libudev
+
+Upstream-Status: Pending
+Signed-off-by: Jeremy Puhlman <jpuhlman@mvista.com>
+
+[update patch context]
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ configure | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+Index: qemu-5.1.0/configure
+===================================================================
+--- qemu-5.1.0.orig/configure
++++ qemu-5.1.0/configure
+@@ -1640,6 +1640,10 @@ for opt do
+ ;;
+ --disable-libdaxctl) libdaxctl=no
+ ;;
++ --enable-libudev) libudev="yes"
++ ;;
++ --disable-libudev) libudev="no"
++ ;;
+ *)
+ echo "ERROR: unknown option $opt"
+ echo "Try '$0 --help' for more information"
diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0001-qemu-Add-missing-wacom-HID-descriptor.patch b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0001-qemu-Add-missing-wacom-HID-descriptor.patch
new file mode 100644
index 0000000..46c9da0
--- /dev/null
+++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0001-qemu-Add-missing-wacom-HID-descriptor.patch
@@ -0,0 +1,141 @@
+From 883feb43129dc39b491e492c7ccfe89aefe53c44 Mon Sep 17 00:00:00 2001
+From: Richard Purdie <richard.purdie@linuxfoundation.org>
+Date: Thu, 27 Nov 2014 14:04:29 +0000
+Subject: [PATCH] qemu: Add missing wacom HID descriptor
+
+The USB wacom device is missing a HID descriptor which causes it
+to fail to operate with recent kernels (e.g. 3.17).
+
+This patch adds a HID desriptor to the device, based upon one from
+real wcom device.
+
+Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
+
+Upstream-Status: Submitted
+2014/11/27
+
+[update patch context]
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/usb/dev-wacom.c | 94 +++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 93 insertions(+), 1 deletion(-)
+
+Index: qemu-5.1.0/hw/usb/dev-wacom.c
+===================================================================
+--- qemu-5.1.0.orig/hw/usb/dev-wacom.c
++++ qemu-5.1.0/hw/usb/dev-wacom.c
+@@ -74,6 +74,89 @@ static const USBDescStrings desc_strings
+ [STR_SERIALNUMBER] = "1",
+ };
+
++static const uint8_t qemu_tablet_hid_report_descriptor[] = {
++ 0x05, 0x01, /* Usage Page (Generic Desktop) */
++ 0x09, 0x02, /* Usage (Mouse) */
++ 0xa1, 0x01, /* Collection (Application) */
++ 0x85, 0x01, /* Report ID (1) */
++ 0x09, 0x01, /* Usage (Pointer) */
++ 0xa1, 0x00, /* Collection (Physical) */
++ 0x05, 0x09, /* Usage Page (Button) */
++ 0x19, 0x01, /* Usage Minimum (1) */
++ 0x29, 0x05, /* Usage Maximum (5) */
++ 0x15, 0x00, /* Logical Minimum (0) */
++ 0x25, 0x01, /* Logical Maximum (1) */
++ 0x95, 0x05, /* Report Count (5) */
++ 0x75, 0x01, /* Report Size (1) */
++ 0x81, 0x02, /* Input (Data, Variable, Absolute) */
++ 0x95, 0x01, /* Report Count (1) */
++ 0x75, 0x03, /* Report Size (3) */
++ 0x81, 0x01, /* Input (Constant) */
++ 0x05, 0x01, /* Usage Page (Generic Desktop) */
++ 0x09, 0x30, /* Usage (X) */
++ 0x09, 0x31, /* Usage (Y) */
++ 0x15, 0x81, /* Logical Minimum (-127) */
++ 0x25, 0x7f, /* Logical Maximum (127) */
++ 0x75, 0x08, /* Report Size (8) */
++ 0x95, 0x02, /* Report Count (2) */
++ 0x81, 0x06, /* Input (Data, Variable, Relative) */
++ 0xc0, /* End Collection */
++ 0xc0, /* End Collection */
++ 0x05, 0x0d, /* Usage Page (Digitizer) */
++ 0x09, 0x01, /* Usage (Digitizer) */
++ 0xa1, 0x01, /* Collection (Application) */
++ 0x85, 0x02, /* Report ID (2) */
++ 0xa1, 0x00, /* Collection (Physical) */
++ 0x06, 0x00, 0xff, /* Usage Page (Vendor 0xff00) */
++ 0x09, 0x01, /* Usage (Digitizer) */
++ 0x15, 0x00, /* Logical Minimum (0) */
++ 0x26, 0xff, 0x00, /* Logical Maximum (255) */
++ 0x75, 0x08, /* Report Size (8) */
++ 0x95, 0x08, /* Report Count (8) */
++ 0x81, 0x02, /* Input (Data, Variable, Absolute) */
++ 0xc0, /* End Collection */
++ 0x09, 0x01, /* Usage (Digitizer) */
++ 0x85, 0x02, /* Report ID (2) */
++ 0x95, 0x01, /* Report Count (1) */
++ 0xb1, 0x02, /* FEATURE (2) */
++ 0xc0, /* End Collection */
++ 0x06, 0x00, 0xff, /* Usage Page (Vendor 0xff00) */
++ 0x09, 0x01, /* Usage (Digitizer) */
++ 0xa1, 0x01, /* Collection (Application) */
++ 0x85, 0x02, /* Report ID (2) */
++ 0x05, 0x0d, /* Usage Page (Digitizer) */
++ 0x09, 0x22, /* Usage (Finger) */
++ 0xa1, 0x00, /* Collection (Physical) */
++ 0x06, 0x00, 0xff, /* Usage Page (Vendor 0xff00) */
++ 0x09, 0x01, /* Usage (Digitizer) */
++ 0x15, 0x00, /* Logical Minimum (0) */
++ 0x26, 0xff, 0x00, /* Logical Maximum */
++ 0x75, 0x08, /* Report Size (8) */
++ 0x95, 0x02, /* Report Count (2) */
++ 0x81, 0x02, /* Input (Data, Variable, Absolute) */
++ 0x05, 0x01, /* Usage Page (Generic Desktop) */
++ 0x09, 0x30, /* Usage (X) */
++ 0x35, 0x00, /* Physical Minimum */
++ 0x46, 0xe0, 0x2e, /* Physical Maximum */
++ 0x26, 0xe0, 0x01, /* Logical Maximum */
++ 0x75, 0x10, /* Report Size (16) */
++ 0x95, 0x01, /* Report Count (1) */
++ 0x81, 0x02, /* Input (Data, Variable, Absolute) */
++ 0x09, 0x31, /* Usage (Y) */
++ 0x46, 0x40, 0x1f, /* Physical Maximum */
++ 0x26, 0x40, 0x01, /* Logical Maximum */
++ 0x81, 0x02, /* Input (Data, Variable, Absolute) */
++ 0x06, 0x00, 0xff, /* Usage Page (Vendor 0xff00) */
++ 0x09, 0x01, /* Usage (Digitizer) */
++ 0x26, 0xff, 0x00, /* Logical Maximum */
++ 0x75, 0x08, /* Report Size (8) */
++ 0x95, 0x0d, /* Report Count (13) */
++ 0x81, 0x02, /* Input (Data, Variable, Absolute) */
++ 0xc0, /* End Collection */
++ 0xc0, /* End Collection */
++};
++
++
+ static const USBDescIface desc_iface_wacom = {
+ .bInterfaceNumber = 0,
+ .bNumEndpoints = 1,
+@@ -91,7 +174,7 @@ static const USBDescIface desc_iface_wac
+ 0x00, /* u8 country_code */
+ 0x01, /* u8 num_descriptors */
+ 0x22, /* u8 type: Report */
+- 0x6e, 0, /* u16 len */
++ sizeof(qemu_tablet_hid_report_descriptor), 0, /* u16 len */
+ },
+ },
+ },
+@@ -271,6 +354,15 @@ static void usb_wacom_handle_control(USB
+ }
+
+ switch (request) {
++ case InterfaceRequest | USB_REQ_GET_DESCRIPTOR:
++ switch (value >> 8) {
++ case 0x22:
++ memcpy(data, qemu_tablet_hid_report_descriptor,
++ sizeof(qemu_tablet_hid_report_descriptor));
++ p->actual_length = sizeof(qemu_tablet_hid_report_descriptor);
++ break;
++ }
++ break;
+ case WACOM_SET_REPORT:
+ if (s->mouse_grabbed) {
+ qemu_remove_mouse_event_handler(s->eh_entry);
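Review bot: The new `InterfaceRequest | USB_REQ_GET_DESCRIPTOR` case copies the whole report descriptor into `data` and sets `p->actual_length` to its full size without comparing against the length the guest requested. The parameter list of `usb_wacom_handle_control` is cut off by the hunk header, so I am assuming the usual `length` argument is in scope. Clamping in the handler, e.g. `size_t n = MIN((size_t)length, sizeof(qemu_tablet_hid_report_descriptor));` then `memcpy(data, qemu_tablet_hid_report_descriptor, n); p->actual_length = n;`, keeps the device model from depending on the USB core to bound the transfer. Separately, the interface descriptor now stores `sizeof(qemu_tablet_hid_report_descriptor)` in the low byte of the u16 `len` with the high byte hard-coded to `0`. That is correct for the table as shown (under 256 bytes) but would truncate silently if the table grows, so a compile-time size check beside the array would be worth adding.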
diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0001-qemu-Do-not-include-file-if-not-exists.patch b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0001-qemu-Do-not-include-file-if-not-exists.patch
new file mode 100644
index 0000000..d6c0f9e
--- /dev/null
+++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0001-qemu-Do-not-include-file-if-not-exists.patch
@@ -0,0 +1,31 @@
+From 34247f83095f8cdcdc1f9d7f0c6ffbd46b25d979 Mon Sep 17 00:00:00 2001
+From: Oleksiy Obitotskyy <oobitots@cisco.com>
+Date: Wed, 25 Mar 2020 21:21:35 +0200
+Subject: [PATCH] qemu: Do not include file if not exists
+
+Script configure checks for if_alg.h and check failed but
+if_alg.h still included.
+
+Upstream-Status: Submitted [https://lists.gnu.org/archive/html/qemu-devel/2020-03/msg07188.html]
+Signed-off-by: Oleksiy Obitotskyy <oobitots@cisco.com>
+
+[update patch context]
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ linux-user/syscall.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+Index: qemu-5.1.0/linux-user/syscall.c
+===================================================================
+--- qemu-5.1.0.orig/linux-user/syscall.c
++++ qemu-5.1.0/linux-user/syscall.c
+@@ -109,7 +109,9 @@
+ #include <linux/blkpg.h>
+ #include <netpacket/packet.h>
+ #include <linux/netlink.h>
++#if defined(CONFIG_AF_ALG)
+ #include <linux/if_alg.h>
++#endif
+ #include <linux/rtc.h>
+ #include <sound/asound.h>
+ #ifdef HAVE_DRM_H
diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0001-target-mips-Increase-number-of-TLB-entries-on-the-34.patch b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0001-target-mips-Increase-number-of-TLB-entries-on-the-34.patch
new file mode 100644
index 0000000..5227b7c
--- /dev/null
+++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0001-target-mips-Increase-number-of-TLB-entries-on-the-34.patch
@@ -0,0 +1,59 @@
+From 68fa519a6cb455005317bd61f95214b58b2f1e69 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
+Date: Fri, 16 Oct 2020 15:20:37 +0200
+Subject: [PATCH] target/mips: Increase number of TLB entries on the 34Kf core
+ (16 -> 64)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Per "MIPS32 34K Processor Core Family Software User's Manual,
+Revision 01.13" page 8 in "Joint TLB (JTLB)" section:
+
+ "The JTLB is a fully associative TLB cache containing 16, 32,
+ or 64-dual-entries mapping up to 128 virtual pages to their
+ corresponding physical addresses."
+
+There is no particular reason to restrict the 34Kf core model to
+16 TLB entries, so raise its config to 64.
+
+This is helpful for other projects, in particular the Yocto Project:
+
+ Yocto Project uses qemu-system-mips 34Kf cpu model, to run 32bit
+ MIPS CI loop. It was observed that in this case CI test execution
+ time was almost twice longer than 64bit MIPS variant that runs
+ under MIPS64R2-generic model. It was investigated and concluded
+ that the difference in number of TLBs 16 in 34Kf case vs 64 in
+ MIPS64R2-generic is responsible for most of CI real time execution
+ difference. Because with 16 TLBs linux user-land trashes TLB more
+ and it needs to execute more instructions in TLB refill handler
+ calls, as result it runs much longer.
+
+(https://lists.gnu.org/archive/html/qemu-devel/2020-10/msg03428.html)
+
+Buglink: https://bugzilla.yoctoproject.org/show_bug.cgi?id=13992
+Reported-by: Victor Kamensky <kamensky@cisco.com>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-Id: <20201016133317.553068-1-f4bug@amsat.org>
+
+Upstream-Status: Backport [https://github.com/qemu/qemu/commit/68fa519a6cb455005317bd61f95214b58b2f1e69]
+Signed-off-by: Victor Kamensky <kamensky@cisco.com>
+
+---
+ target/mips/translate_init.c.inc | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: qemu-5.1.0/target/mips/translate_init.inc.c
+===================================================================
+--- qemu-5.1.0.orig/target/mips/translate_init.inc.c
++++ qemu-5.1.0/target/mips/translate_init.inc.c
+@@ -254,7 +254,7 @@ const mips_def_t mips_defs[] =
+ .CP0_PRid = 0x00019500,
+ .CP0_Config0 = MIPS_CONFIG0 | (0x1 << CP0C0_AR) |
+ (MMU_TYPE_R4000 << CP0C0_MT),
+- .CP0_Config1 = MIPS_CONFIG1 | (1 << CP0C1_FP) | (15 << CP0C1_MMU) |
++ .CP0_Config1 = MIPS_CONFIG1 | (1 << CP0C1_FP) | (63 << CP0C1_MMU) |
+ (0 << CP0C1_IS) | (3 << CP0C1_IL) | (1 << CP0C1_IA) |
+ (0 << CP0C1_DS) | (3 << CP0C1_DL) | (1 << CP0C1_DA) |
+ (1 << CP0C1_CA),
diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0002-Add-subpackage-ptest-which-runs-all-unit-test-cases-.patch b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0002-Add-subpackage-ptest-which-runs-all-unit-test-cases-.patch
new file mode 100644
index 0000000..f379948
--- /dev/null
+++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0002-Add-subpackage-ptest-which-runs-all-unit-test-cases-.patch
@@ -0,0 +1,35 @@
+From 5da6cef7761157a003e7ebde74fb3cf90ab396d9 Mon Sep 17 00:00:00 2001
+From: Juro Bystricky <juro.bystricky@intel.com>
+Date: Thu, 31 Aug 2017 11:06:56 -0700
+Subject: [PATCH] Add subpackage -ptest which runs all unit test cases for
+ qemu.
+
+Upstream-Status: Pending
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+
+Signed-off-by: Juro Bystricky <juro.bystricky@intel.com>
+
+[update patch context]
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ tests/Makefile.include | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+Index: qemu-5.1.0/tests/Makefile.include
+===================================================================
+--- qemu-5.1.0.orig/tests/Makefile.include
++++ qemu-5.1.0/tests/Makefile.include
+@@ -982,4 +982,12 @@ all: $(QEMU_IOTESTS_HELPERS-y)
+ -include $(wildcard tests/qtest/*.d)
+ -include $(wildcard tests/qtest/libqos/*.d)
+
++buildtest-TESTS: $(check-unit-y)
++
++runtest-TESTS:
++ for f in $(check-unit-y); do \
++ nf=$$(echo $$f | sed 's/tests\//\.\//g'); \
++ $$nf; \
++ done
++
+ endif
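Review bot: The `runtest-TESTS` loop discards each test binary's exit status, so the recipe line returns only the status of the last binary and an earlier failing unit test does not fail the target. Whether the ptest runner relies on make's exit code cannot be seen here (`run-ptest` is a separate file). If it does, record failures inside the loop, for example `rc=0;` before the `for`, `$$nf || rc=1;` in the body, and `exit $$rc` after `done`. Also, `sed 's/tests\//\.\//g'` rewrites every `tests/` occurrence in the path rather than only the leading one, so anchoring the pattern with `^` and dropping the `g` flag would be safer.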
diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0003-qemu-Add-addition-environment-space-to-boot-loader-q.patch b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0003-qemu-Add-addition-environment-space-to-boot-loader-q.patch
new file mode 100644
index 0000000..33cef42
--- /dev/null
+++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0003-qemu-Add-addition-environment-space-to-boot-loader-q.patch
@@ -0,0 +1,33 @@
+From ce1eceab2350d27960ec254650717085f6a11c9a Mon Sep 17 00:00:00 2001
+From: Jason Wessel <jason.wessel@windriver.com>
+Date: Fri, 28 Mar 2014 17:42:43 +0800
+Subject: [PATCH] qemu: Add addition environment space to boot loader
+ qemu-system-mips
+
+Upstream-Status: Inappropriate - OE uses deep paths
+
+If you create a project with very long directory names like 128 characters
+deep and use NFS, the kernel arguments will be truncated. The kernel will
+accept longer strings such as 1024 bytes, but the qemu boot loader defaulted
+to only 256 bytes. This patch expands the limit.
+
+Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
+Signed-off-by: Roy Li <rongqing.li@windriver.com>
+
+---
+ hw/mips/malta.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: qemu-5.1.0/hw/mips/malta.c
+===================================================================
+--- qemu-5.1.0.orig/hw/mips/malta.c
++++ qemu-5.1.0/hw/mips/malta.c
+@@ -59,7 +59,7 @@
+
+ #define ENVP_ADDR 0x80002000l
+ #define ENVP_NB_ENTRIES 16
+-#define ENVP_ENTRY_SIZE 256
++#define ENVP_ENTRY_SIZE 1024
+
+ /* Hardware addresses */
+ #define FLASH_ADDRESS 0x1e000000ULL
diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0004-qemu-disable-Valgrind.patch b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0004-qemu-disable-Valgrind.patch
new file mode 100644
index 0000000..71f537f
--- /dev/null
+++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0004-qemu-disable-Valgrind.patch
@@ -0,0 +1,34 @@
+From 4127296bb1046cdf73994ba69dc913d8c02fd74f Mon Sep 17 00:00:00 2001
+From: Ross Burton <ross.burton@intel.com>
+Date: Tue, 20 Oct 2015 22:19:08 +0100
+Subject: [PATCH] qemu: disable Valgrind
+
+There isn't an option to enable or disable valgrind support, so disable it to avoid non-deterministic builds.
+
+Upstream-Status: Inappropriate
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+---
+ configure | 9 ---------
+ 1 file changed, 9 deletions(-)
+
+Index: qemu-5.1.0/configure
+===================================================================
+--- qemu-5.1.0.orig/configure
++++ qemu-5.1.0/configure
+@@ -5751,15 +5751,6 @@ fi
+ # check if we have valgrind/valgrind.h
+
+ valgrind_h=no
+-cat > $TMPC << EOF
+-#include <valgrind/valgrind.h>
+-int main(void) {
+- return 0;
+-}
+-EOF
+-if compile_prog "" "" ; then
+- valgrind_h=yes
+-fi
+
+ ########################################
+ # check if environ is declared
diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0005-qemu-native-set-ld.bfd-fix-cflags-and-set-some-envir.patch b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0005-qemu-native-set-ld.bfd-fix-cflags-and-set-some-envir.patch
new file mode 100644
index 0000000..02ebbee
--- /dev/null
+++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0005-qemu-native-set-ld.bfd-fix-cflags-and-set-some-envir.patch
@@ -0,0 +1,28 @@
+From 230fe5804099bdca0c9e4cae7280c9fc513cb7f5 Mon Sep 17 00:00:00 2001
+From: Stephen Arnold <sarnold@vctlabs.com>
+Date: Sun, 12 Jun 2016 18:09:56 -0700
+Subject: [PATCH] qemu-native: set ld.bfd, fix cflags, and set some environment
+
+Upstream-Status: Pending
+
+[update patch context]
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ configure | 4 ----
+ 1 file changed, 4 deletions(-)
+
+Index: qemu-5.1.0/configure
+===================================================================
+--- qemu-5.1.0.orig/configure
++++ qemu-5.1.0/configure
+@@ -6515,10 +6515,6 @@ write_c_skeleton
+ if test "$gcov" = "yes" ; then
+ QEMU_CFLAGS="-fprofile-arcs -ftest-coverage -g $QEMU_CFLAGS"
+ QEMU_LDFLAGS="-fprofile-arcs -ftest-coverage $QEMU_LDFLAGS"
+-elif test "$fortify_source" = "yes" ; then
+- CFLAGS="-O2 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 $CFLAGS"
+-elif test "$debug" = "no"; then
+- CFLAGS="-O2 $CFLAGS"
+ fi
+
+ if test "$have_asan" = "yes"; then
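Review bot: This hunk deletes the `configure` branches that added `-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2` and the default `-O2`, but the patch header has only a subject line and `Upstream-Status: Pending`, with no statement of where those flags are now expected to come from. In this commit `qemu.inc` passes `--extra-cflags='${CFLAGS}'`, so hardening and optimization presumably depend on the build environment's `CFLAGS`. It is worth confirming that both native and target builds still receive `_FORTIFY_SOURCE` and an optimization level, since the comment in `qemu.inc` notes that upstream says QEMU does not work without optimization. Proposed header text: `configure no longer forces -O2/_FORTIFY_SOURCE; both must be supplied through CFLAGS by the build environment.`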
diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0006-chardev-connect-socket-to-a-spawned-command.patch b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0006-chardev-connect-socket-to-a-spawned-command.patch
new file mode 100644
index 0000000..98fd5e9
--- /dev/null
+++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0006-chardev-connect-socket-to-a-spawned-command.patch
@@ -0,0 +1,241 @@
+From bcc63f775e265df69963a4ad7805b8678ace68f0 Mon Sep 17 00:00:00 2001
+From: Alistair Francis <alistair.francis@xilinx.com>
+Date: Thu, 21 Dec 2017 11:35:16 -0800
+Subject: [PATCH] chardev: connect socket to a spawned command
+
+The command is started in a shell (sh -c) with stdin connect to QEMU
+via a Unix domain stream socket. QEMU then exchanges data via its own
+end of the socket, just like it normally does.
+
+"-chardev socket" supports some ways of connecting via protocols like
+telnet, but that is only a subset of the functionality supported by
+tools socat. To use socat instead, for example to connect via a socks
+proxy, use:
+
+ -chardev 'socket,id=socat,cmd=exec socat FD:0 SOCKS4A:socks-proxy.localdomain:example.com:9999,,socksuser=nobody' \
+ -device usb-serial,chardev=socat
+
+Beware that commas in the command must be escaped as double commas.
+
+Or interactively in the console:
+ (qemu) chardev-add socket,id=cat,cmd=cat
+ (qemu) device_add usb-serial,chardev=cat
+ ^ac
+ # cat >/dev/ttyUSB0
+ hello
+ hello
+
+Another usage is starting swtpm from inside QEMU. swtpm will
+automatically shut down once it looses the connection to the parent
+QEMU, so there is no risk of lingering processes:
+
+ -chardev 'socket,id=chrtpm0,cmd=exec swtpm socket --terminate --ctrl type=unixio,,clientfd=0 --tpmstate dir=... --log file=swtpm.log' \
+ -tpmdev emulator,id=tpm0,chardev=chrtpm0 \
+ -device tpm-tis,tpmdev=tpm0
+
+The patch was discussed upstream, but QEMU developers believe that the
+code calling QEMU should be responsible for managing additional
+processes. In OE-core, that would imply enhancing runqemu and
+oeqa. This patch is a simpler solution.
+
+Because it is not going upstream, the patch was written so that it is
+as simple as possible.
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
+
+---
+ chardev/char-socket.c | 101 ++++++++++++++++++++++++++++++++++++++++++
+ chardev/char.c | 3 ++
+ qapi/char.json | 5 +++
+ 3 files changed, 109 insertions(+)
+
+Index: qemu-5.1.0/chardev/char-socket.c
+===================================================================
+--- qemu-5.1.0.orig/chardev/char-socket.c
++++ qemu-5.1.0/chardev/char-socket.c
+@@ -1292,6 +1292,67 @@ static bool qmp_chardev_validate_socket(
+ return true;
+ }
+
++#ifndef _WIN32
++static void chardev_open_socket_cmd(Chardev *chr,
++ const char *cmd,
++ Error **errp)
++{
++ int fds[2] = { -1, -1 };
++ QIOChannelSocket *sioc = NULL;
++ pid_t pid = -1;
++ const char *argv[] = { "/bin/sh", "-c", cmd, NULL };
++
++ /*
++ * We need a Unix domain socket for commands like swtpm and a single
++ * connection, therefore we cannot use qio_channel_command_new_spawn()
++ * without patching it first. Duplicating the functionality is easier.
++ */
++ if (socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC, 0, fds)) {
++ error_setg_errno(errp, errno, "Error creating socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC)");
++ goto error;
++ }
++
++ pid = qemu_fork(errp);
++ if (pid < 0) {
++ goto error;
++ }
++
++ if (!pid) {
++ /* child */
++ dup2(fds[1], STDIN_FILENO);
++ execv(argv[0], (char * const *)argv);
++ _exit(1);
++ }
++
++ /*
++ * Hand over our end of the socket pair to the qio channel.
++ *
++ * We don't reap the child because it is expected to keep
++ * running. We also don't support the "reconnect" option for the
++ * same reason.
++ */
++ sioc = qio_channel_socket_new_fd(fds[0], errp);
++ if (!sioc) {
++ goto error;
++ }
++ fds[0] = -1;
++
++ g_free(chr->filename);
++ chr->filename = g_strdup_printf("cmd:%s", cmd);
++ tcp_chr_new_client(chr, sioc);
++
++ error:
++ if (fds[0] >= 0) {
++ close(fds[0]);
++ }
++ if (fds[1] >= 0) {
++ close(fds[1]);
++ }
++ if (sioc) {
++ object_unref(OBJECT(sioc));
++ }
++}
++#endif
+
+ static void qmp_chardev_open_socket(Chardev *chr,
+ ChardevBackend *backend,
+@@ -1300,6 +1361,9 @@ static void qmp_chardev_open_socket(Char
+ {
+ SocketChardev *s = SOCKET_CHARDEV(chr);
+ ChardevSocket *sock = backend->u.socket.data;
++#ifndef _WIN32
++ const char *cmd = sock->cmd;
++#endif
+ bool do_nodelay = sock->has_nodelay ? sock->nodelay : false;
+ bool is_listen = sock->has_server ? sock->server : true;
+ bool is_telnet = sock->has_telnet ? sock->telnet : false;
+@@ -1365,6 +1429,14 @@ static void qmp_chardev_open_socket(Char
+
+ update_disconnected_filename(s);
+
++#ifndef _WIN32
++ if (cmd) {
++ chardev_open_socket_cmd(chr, cmd, errp);
++
++ /* everything ready (or failed permanently) before we return */
++ *be_opened = true;
++ } else
++#endif
+ if (s->is_listen) {
+ if (qmp_chardev_open_socket_server(chr, is_telnet || is_tn3270,
+ is_waitconnect, errp) < 0) {
+@@ -1384,11 +1456,27 @@ static void qemu_chr_parse_socket(QemuOp
+ const char *host = qemu_opt_get(opts, "host");
+ const char *port = qemu_opt_get(opts, "port");
+ const char *fd = qemu_opt_get(opts, "fd");
++#ifndef _WIN32
++ const char *cmd = qemu_opt_get(opts, "cmd");
++#endif
+ bool tight = qemu_opt_get_bool(opts, "tight", true);
+ bool abstract = qemu_opt_get_bool(opts, "abstract", false);
+ SocketAddressLegacy *addr;
+ ChardevSocket *sock;
+
++#ifndef _WIN32
++ if (cmd) {
++ /*
++ * Here we have to ensure that no options are set which are incompatible with
++ * spawning a command, otherwise unmodified code that doesn't know about
++ * command spawning (like socket_reconnect_timeout()) might get called.
++ */
++ if (path || sock->server || sock->has_telnet || sock->has_tn3270 || sock->reconnect || host || port || sock->tls_creds) {
++ error_setg(errp, "chardev: socket: cmd does not support any additional options");
++ return;
++ }
++ } else
++#endif
+ if ((!!path + !!fd + !!host) != 1) {
+ error_setg(errp,
+ "Exactly one of 'path', 'fd' or 'host' required");
+@@ -1431,12 +1519,24 @@ static void qemu_chr_parse_socket(QemuOp
+ sock->has_tls_authz = qemu_opt_get(opts, "tls-authz");
+ sock->tls_authz = g_strdup(qemu_opt_get(opts, "tls-authz"));
+
+- addr = g_new0(SocketAddressLegacy, 1);
++#ifndef _WIN32
++ sock->cmd = g_strdup(cmd);
++#endif
++
++ addr = g_new0(SocketAddressLegacy, 1);
++#ifndef _WIN32
++ if (path || cmd) {
++#else
+ if (path) {
++#endif
+ UnixSocketAddress *q_unix;
+ addr->type = SOCKET_ADDRESS_LEGACY_KIND_UNIX;
+ q_unix = addr->u.q_unix.data = g_new0(UnixSocketAddress, 1);
++#ifndef _WIN32
++ q_unix->path = cmd ? g_strdup_printf("cmd:%s", cmd) : g_strdup(path);
++#else
+ q_unix->path = g_strdup(path);
++#endif
+ q_unix->tight = tight;
+ q_unix->abstract = abstract;
+ } else if (host) {
+Index: qemu-5.1.0/chardev/char.c
+===================================================================
+--- qemu-5.1.0.orig/chardev/char.c
++++ qemu-5.1.0/chardev/char.c
+@@ -826,6 +826,9 @@ QemuOptsList qemu_chardev_opts = {
+ .name = "path",
+ .type = QEMU_OPT_STRING,
+ },{
++ .name = "cmd",
++ .type = QEMU_OPT_STRING,
++ },{
+ .name = "host",
+ .type = QEMU_OPT_STRING,
+ },{
+Index: qemu-5.1.0/qapi/char.json
+===================================================================
+--- qemu-5.1.0.orig/qapi/char.json
++++ qemu-5.1.0/qapi/char.json
+@@ -250,6 +250,10 @@
+ #
+ # @addr: socket address to listen on (server=true)
+ # or connect to (server=false)
++# @cmd: command to run via "sh -c" with stdin as one end of
++# a AF_UNIX SOCK_DSTREAM socket pair. The other end
++# is used by the chardev. Either an addr or a cmd can
++# be specified, but not both.
+ # @tls-creds: the ID of the TLS credentials object (since 2.6)
+ # @tls-authz: the ID of the QAuthZ authorization object against which
+ # the client's x509 distinguished name will be validated. This
+@@ -276,6 +280,7 @@
+ ##
+ { 'struct': 'ChardevSocket',
+ 'data': { 'addr': 'SocketAddressLegacy',
++ '*cmd': 'str',
+ '*tls-creds': 'str',
+ '*tls-authz' : 'str',
+ '*server': 'bool',
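Review bot: In the `qemu_chr_parse_socket` part of this patch the new `if (cmd)` check reads `sock->server`, `sock->has_telnet`, `sock->has_tn3270`, `sock->reconnect` and `sock->tls_creds`, but `sock` is declared just above as `ChardevSocket *sock;` with no initialiser and nothing shown assigns it before the check, so an indeterminate pointer is dereferenced. The check also omits `fd`, so `cmd` combined with `fd` is not rejected. Testing the parsed options avoids both problems, for example `if (path || fd || host || port || qemu_opt_get(opts, "tls-creds")) {`, with the boolean and reconnect options read from `opts` in the same way; the allocation of `sock` lies outside the lines shown, so moving the check below it is the alternative. Because `cmd` is handed to `/bin/sh -c` and is also added to `ChardevSocket` in qapi/char.json, access to the monitor now implies the ability to start host processes as the QEMU user, which is worth stating in the `@cmd` documentation.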
diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0007-apic-fixup-fallthrough-to-PIC.patch b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0007-apic-fixup-fallthrough-to-PIC.patch
new file mode 100644
index 0000000..034ac57
--- /dev/null
+++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0007-apic-fixup-fallthrough-to-PIC.patch
@@ -0,0 +1,44 @@
+From a59a98d100123030a4145e7efe3b8a001920a9f1 Mon Sep 17 00:00:00 2001
+From: Mark Asselstine <mark.asselstine@windriver.com>
+Date: Tue, 26 Feb 2013 11:43:28 -0500
+Subject: [PATCH] apic: fixup fallthrough to PIC
+
+Commit 0e21e12bb311c4c1095d0269dc2ef81196ccb60a [Don't route PIC
+interrupts through the local APIC if the local APIC config says so.]
+missed a check to ensure the local APIC is enabled. Since if the local
+APIC is disabled it doesn't matter what the local APIC config says.
+
+If this check isn't done and the guest has disabled the local APIC the
+guest will receive a general protection fault, similar to what is seen
+here:
+
+https://lists.gnu.org/archive/html/qemu-devel/2012-12/msg02304.html
+
+The GPF is caused by an attempt to service interrupt 0xffffffff. This
+comes about since cpu_get_pic_interrupt() calls apic_accept_pic_intr()
+(with the local APIC disabled apic_get_interrupt() returns -1).
+apic_accept_pic_intr() returns 0 and thus the interrupt number which
+is returned from cpu_get_pic_interrupt(), and which is attempted to be
+serviced, is -1.
+
+Signed-off-by: Mark Asselstine <mark.asselstine@windriver.com>
+Upstream-Status: Submitted [https://lists.gnu.org/archive/html/qemu-devel/2013-04/msg00878.html]
+Signed-off-by: He Zhe <zhe.he@windriver.com>
+
+---
+ hw/intc/apic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: qemu-5.1.0/hw/intc/apic.c
+===================================================================
+--- qemu-5.1.0.orig/hw/intc/apic.c
++++ qemu-5.1.0/hw/intc/apic.c
+@@ -603,7 +603,7 @@ int apic_accept_pic_intr(DeviceState *de
+ APICCommonState *s = APIC(dev);
+ uint32_t lvt0;
+
+- if (!s)
++ if (!s || !(s->spurious_vec & APIC_SV_ENABLE))
+ return -1;
+
+ lvt0 = s->lvt[APIC_LVT_LINT0];
diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0008-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0008-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch
new file mode 100644
index 0000000..d20f04e
--- /dev/null
+++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0008-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch
@@ -0,0 +1,33 @@
+From cf8c9aac5243f506a1a3e8e284414f311cde04f5 Mon Sep 17 00:00:00 2001
+From: Alistair Francis <alistair.francis@xilinx.com>
+Date: Wed, 17 Jan 2018 10:51:49 -0800
+Subject: [PATCH] linux-user: Fix webkitgtk hangs on 32-bit x86 target
+
+Since commit "linux-user: Tidy and enforce reserved_va initialization"
+(18e80c55bb6ec17c05ec0ba717ec83933c2bfc07) the Yocto webkitgtk build
+hangs when cross compiling for 32-bit x86 on a 64-bit x86 machine using
+musl.
+
+To fix the issue reduce the MAX_RESERVED_VA macro to be a closer match
+to what it was before the problematic commit.
+
+Upstream-Status: Submitted http://lists.gnu.org/archive/html/qemu-devel/2018-01/msg04185.html
+Signed-off-by: Alistair Francis <alistair.francis@xilinx.com>
+
+---
+ linux-user/main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: qemu-5.1.0/linux-user/main.c
+===================================================================
+--- qemu-5.1.0.orig/linux-user/main.c
++++ qemu-5.1.0/linux-user/main.c
+@@ -92,7 +92,7 @@ static int last_log_mask;
+ (TARGET_LONG_BITS == 32 || defined(TARGET_ABI32))
+ /* There are a number of places where we assign reserved_va to a variable
+ of type abi_ulong and expect it to fit. Avoid the last page. */
+-# define MAX_RESERVED_VA(CPU) (0xfffffffful & TARGET_PAGE_MASK)
++# define MAX_RESERVED_VA(CPU) (0x7ffffffful & TARGET_PAGE_MASK)
+ # else
+ # define MAX_RESERVED_VA(CPU) (1ul << TARGET_VIRT_ADDR_SPACE_BITS)
+ # endif
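Review bot: The comment kept above `MAX_RESERVED_VA` still says only "Avoid the last page", which no longer describes the value once it becomes `0x7ffffffful & TARGET_PAGE_MASK`: the limit now leaves out the whole upper 2 GiB of a 32-bit guest address space. I would extend the comment, for example `/* Limited to the lower 2 GiB: reserving the full 4 GiB hangs 32-bit x86 guests built against musl (see patch header). */`, so the constant is not later "corrected" back. The `#if` block this macro belongs to starts before the lines shown.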
diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0009-Fix-webkitgtk-builds.patch b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0009-Fix-webkitgtk-builds.patch
new file mode 100644
index 0000000..f2a4498
--- /dev/null
+++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0009-Fix-webkitgtk-builds.patch
@@ -0,0 +1,137 @@
+From 815c97ba0de02da9dace3fcfcbdf9b20e029f0d7 Mon Sep 17 00:00:00 2001
+From: Martin Jansa <martin.jansa@lge.com>
+Date: Fri, 1 Jun 2018 08:41:07 +0000
+Subject: [PATCH] Fix webkitgtk builds
+
+This is a partial revert of "linux-user: fix mmap/munmap/mprotect/mremap/shmat".
+
+This patch fixes qemu-i386 hangs during gobject-introspection in webkitgtk build
+when musl is used on qemux86. This is the same issue that
+0008-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch was
+fixing in the 2.11 release.
+
+This patch also fixes a build failure when building webkitgtk for
+qemumips. A QEMU assert is seen while building webkitgtk:
+page_check_range: Assertion `start < ((target_ulong)1 << L1_MAP_ADDR_SPACE_BITS)' failed.
+
+This reverts commit ebf9a3630c911d0cfc9c20f7cafe9ba4f88cf583.
+
+Upstream-Status: Pending
+Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
+
+[update patch context]
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ include/exec/cpu-all.h | 6 +-----
+ include/exec/cpu_ldst.h | 5 ++++-
+ linux-user/mmap.c | 17 ++++-------------
+ linux-user/syscall.c | 5 +----
+ 4 files changed, 10 insertions(+), 23 deletions(-)
+
+Index: qemu-5.1.0/include/exec/cpu-all.h
+===================================================================
+--- qemu-5.1.0.orig/include/exec/cpu-all.h
++++ qemu-5.1.0/include/exec/cpu-all.h
+@@ -176,11 +176,8 @@ extern unsigned long reserved_va;
+ * avoid setting bits at the top of guest addresses that might need
+ * to be used for tags.
+ */
+-#define GUEST_ADDR_MAX_ \
+- ((MIN_CONST(TARGET_VIRT_ADDR_SPACE_BITS, TARGET_ABI_BITS) <= 32) ? \
+- UINT32_MAX : ~0ul)
+-#define GUEST_ADDR_MAX (reserved_va ? reserved_va - 1 : GUEST_ADDR_MAX_)
+-
++#define GUEST_ADDR_MAX (reserved_va ? reserved_va : \
++ (1ul << TARGET_VIRT_ADDR_SPACE_BITS) - 1)
+ #else
+
+ #include "exec/hwaddr.h"
+Index: qemu-5.1.0/include/exec/cpu_ldst.h
+===================================================================
+--- qemu-5.1.0.orig/include/exec/cpu_ldst.h
++++ qemu-5.1.0/include/exec/cpu_ldst.h
+@@ -75,7 +75,10 @@ typedef uint64_t abi_ptr;
+ #if HOST_LONG_BITS <= TARGET_VIRT_ADDR_SPACE_BITS
+ #define guest_addr_valid(x) (1)
+ #else
+-#define guest_addr_valid(x) ((x) <= GUEST_ADDR_MAX)
++#define guest_addr_valid(x) ({ \
++ ((x) < (1ul << TARGET_VIRT_ADDR_SPACE_BITS)) && \
++ (!reserved_va || ((x) < reserved_va)); \
++})
+ #endif
+ #define h2g_valid(x) guest_addr_valid((unsigned long)(x) - guest_base)
+
+Index: qemu-5.1.0/linux-user/mmap.c
+===================================================================
+--- qemu-5.1.0.orig/linux-user/mmap.c
++++ qemu-5.1.0/linux-user/mmap.c
+@@ -71,7 +71,7 @@ int target_mprotect(abi_ulong start, abi
+ return -TARGET_EINVAL;
+ len = TARGET_PAGE_ALIGN(len);
+ end = start + len;
+- if (!guest_range_valid(start, len)) {
++ if (end < start) {
+ return -TARGET_ENOMEM;
+ }
+ prot &= PROT_READ | PROT_WRITE | PROT_EXEC;
+@@ -467,8 +467,8 @@ abi_long target_mmap(abi_ulong start, ab
+ * It can fail only on 64-bit host with 32-bit target.
+ * On any other target/host host mmap() handles this error correctly.
+ */
+- if (end < start || !guest_range_valid(start, len)) {
+- errno = ENOMEM;
++ if (end < start || ((unsigned long)start + len - 1 > (abi_ulong) -1)) {
++ errno = EINVAL;
+ goto fail;
+ }
+
+@@ -604,10 +604,8 @@ int target_munmap(abi_ulong start, abi_u
+ if (start & ~TARGET_PAGE_MASK)
+ return -TARGET_EINVAL;
+ len = TARGET_PAGE_ALIGN(len);
+- if (len == 0 || !guest_range_valid(start, len)) {
++ if (len == 0)
+ return -TARGET_EINVAL;
+- }
+-
+ mmap_lock();
+ end = start + len;
+ real_start = start & qemu_host_page_mask;
+@@ -662,13 +660,6 @@ abi_long target_mremap(abi_ulong old_add
+ int prot;
+ void *host_addr;
+
+- if (!guest_range_valid(old_addr, old_size) ||
+- ((flags & MREMAP_FIXED) &&
+- !guest_range_valid(new_addr, new_size))) {
+- errno = ENOMEM;
+- return -1;
+- }
+-
+ mmap_lock();
+
+ if (flags & MREMAP_FIXED) {
+Index: qemu-5.1.0/linux-user/syscall.c
+===================================================================
+--- qemu-5.1.0.orig/linux-user/syscall.c
++++ qemu-5.1.0/linux-user/syscall.c
+@@ -4336,9 +4336,6 @@ static inline abi_ulong do_shmat(CPUArch
+ return -TARGET_EINVAL;
+ }
+ }
+- if (!guest_range_valid(shmaddr, shm_info.shm_segsz)) {
+- return -TARGET_EINVAL;
+- }
+
+ mmap_lock();
+
+@@ -7376,7 +7373,7 @@ static int open_self_maps(void *cpu_env,
+ const char *path;
+
+ max = h2g_valid(max - 1) ?
+- max : (uintptr_t) g2h(GUEST_ADDR_MAX) + 1;
++ max : (uintptr_t) g2h(GUEST_ADDR_MAX);
+
+ if (page_check_range(h2g(min), max - min, flags) == -1) {
+ continue;
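Review bot: The `target_mremap` and `do_shmat` changes in this embedded patch delete the `guest_range_valid()` checks without replacing them, so the guest-supplied `old_addr`/`old_size`, `new_addr`/`new_size` and `shmaddr` are no longer validated in the lines shown, whereas `target_mprotect` and `target_mmap` at least keep a wrap-around test. If the full range check cannot be kept, a minimal overflow guard would preserve part of it, for example `if (old_addr + old_size < old_addr) { errno = ENOMEM; return -1; }` ahead of `mmap_lock()` in `target_mremap`. The macros also stop agreeing with each other: `GUEST_ADDR_MAX` becomes `reserved_va`, while `guest_addr_valid()` accepts only `(x) < reserved_va`, so the "max" is one past the last valid address whenever `reserved_va` is set. All of the functions touched continue outside the lines shown.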
diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0010-configure-Add-pkg-config-handling-for-libgcrypt.patch b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0010-configure-Add-pkg-config-handling-for-libgcrypt.patch
new file mode 100644
index 0000000..d7e3fff
--- /dev/null
+++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0010-configure-Add-pkg-config-handling-for-libgcrypt.patch
@@ -0,0 +1,91 @@
+From c207607cdf3996ad9783c3bffbcd3d65e74c0158 Mon Sep 17 00:00:00 2001
+From: He Zhe <zhe.he@windriver.com>
+Date: Wed, 28 Aug 2019 19:56:28 +0800
+Subject: [PATCH] configure: Add pkg-config handling for libgcrypt
+
+libgcrypt may also be controlled by pkg-config, this patch adds pkg-config
+handling for libgcrypt.
+
+Upstream-Status: Denied [https://lists.nongnu.org/archive/html/qemu-devel/2019-08/msg06333.html]
+
+Signed-off-by: He Zhe <zhe.he@windriver.com>
+
+---
+ configure | 48 ++++++++++++++++++++++++++++++++++++++++--------
+ 1 file changed, 40 insertions(+), 8 deletions(-)
+
+Index: qemu-5.1.0/configure
+===================================================================
+--- qemu-5.1.0.orig/configure
++++ qemu-5.1.0/configure
+@@ -3084,6 +3084,30 @@ has_libgcrypt() {
+ return 0
+ }
+
++has_libgcrypt_pkgconfig() {
++ if ! has $pkg_config ; then
++ return 1
++ fi
++
++ if ! $pkg_config --list-all | grep libgcrypt > /dev/null 2>&1 ; then
++ return 1
++ fi
++
++ if test -n "$cross_prefix" ; then
++ host=$($pkg_config --variable=host libgcrypt)
++ if test "${host%-gnu}-" != "${cross_prefix%-gnu}" ; then
++ print_error "host($host) does not match cross_prefix($cross_prefix)"
++ return 1
++ fi
++ fi
++
++ if ! $pkg_config --atleast-version=1.5.0 libgcrypt ; then
++ print_error "libgcrypt version is $($pkg_config --modversion libgcrypt)"
++ return 1
++ fi
++
++ return 0
++}
+
+ if test "$nettle" != "no"; then
+ pass="no"
+@@ -3124,7 +3148,14 @@ fi
+
+ if test "$gcrypt" != "no"; then
+ pass="no"
+- if has_libgcrypt; then
++ if has_libgcrypt_pkgconfig; then
++ gcrypt_cflags=$($pkg_config --cflags libgcrypt)
++ if test "$static" = "yes" ; then
++ gcrypt_libs=$($pkg_config --libs --static libgcrypt)
++ else
++ gcrypt_libs=$($pkg_config --libs libgcrypt)
++ fi
++ elif has_libgcrypt; then
+ gcrypt_cflags=$(libgcrypt-config --cflags)
+ gcrypt_libs=$(libgcrypt-config --libs)
+ # Debian has removed -lgpg-error from libgcrypt-config
+@@ -3134,15 +3165,16 @@ if test "$gcrypt" != "no"; then
+ then
+ gcrypt_libs="$gcrypt_libs -lgpg-error"
+ fi
++ fi
+
+- # Link test to make sure the given libraries work (e.g for static).
+- write_c_skeleton
+- if compile_prog "" "$gcrypt_libs" ; then
+- LIBS="$gcrypt_libs $LIBS"
+- QEMU_CFLAGS="$QEMU_CFLAGS $gcrypt_cflags"
+- pass="yes"
+- fi
++ # Link test to make sure the given libraries work (e.g for static).
++ write_c_skeleton
++ if compile_prog "" "$gcrypt_libs" ; then
++ LIBS="$gcrypt_libs $LIBS"
++ QEMU_CFLAGS="$QEMU_CFLAGS $gcrypt_cflags"
++ pass="yes"
+ fi
++
+ if test "$pass" = "yes"; then
+ gcrypt="yes"
+ cat > $TMPC << EOF
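Review bot: After the restructuring the link test is no longer inside the detection branch: the added `fi` closes the `if has_libgcrypt_pkgconfig … elif has_libgcrypt` block, and `write_c_skeleton` plus `compile_prog "" "$gcrypt_libs"` then run unconditionally. When neither probe finds libgcrypt, `$gcrypt_libs` is empty (unless it was set earlier, outside the lines shown), the skeleton links, and `pass` and then `gcrypt` become "yes" for a library that is not present. Guard the test, for example `if test -n "$gcrypt_libs" && compile_prog "" "$gcrypt_libs" ; then`. In `has_libgcrypt_pkgconfig`, `$pkg_config --list-all | grep libgcrypt` matches any module whose name or description contains that string; `$pkg_config --exists libgcrypt` is the direct test.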
diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu/CVE-2020-24352.patch b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/CVE-2020-24352.patch
new file mode 100644
index 0000000..861ff6c
--- /dev/null
+++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/CVE-2020-24352.patch
@@ -0,0 +1,52 @@
+From ca1f9cbfdce4d63b10d57de80fef89a89d92a540 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Wed, 21 Oct 2020 16:08:18 +0530
+Subject: [PATCH 1/1] ati: check x y display parameter values
+
+The source and destination x,y display parameters in ati_2d_blt()
+may run off the vga limits if either of s->regs.[src|dst]_[xy] is
+zero. Check the parameter values to avoid potential crash.
+
+Reported-by: Gaoning Pan <pgn@zju.edu.cn>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-id: 20201021103818.1704030-1-ppandit@redhat.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport [ https://git.qemu.org/?p=qemu.git;a=commitdiff;h=ca1f9cbfdce4d63b10d57de80fef89a89d92a540;hp=2ddafce7f797082ad216657c830afd4546f16e37 ]
+CVE: CVE-2020-24352
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/display/ati_2d.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/hw/display/ati_2d.c b/hw/display/ati_2d.c
+index 23a8ae0..4dc10ea 100644
+--- a/hw/display/ati_2d.c
++++ b/hw/display/ati_2d.c
+@@ -75,8 +75,9 @@ void ati_2d_blt(ATIVGAState *s)
+ dst_stride *= bpp;
+ }
+ uint8_t *end = s->vga.vram_ptr + s->vga.vram_size;
+- if (dst_bits >= end || dst_bits + dst_x + (dst_y + s->regs.dst_height) *
+- dst_stride >= end) {
++ if (dst_x > 0x3fff || dst_y > 0x3fff || dst_bits >= end
++ || dst_bits + dst_x
++ + (dst_y + s->regs.dst_height) * dst_stride >= end) {
+ qemu_log_mask(LOG_UNIMP, "blt outside vram not implemented\n");
+ return;
+ }
+@@ -107,8 +108,9 @@ void ati_2d_blt(ATIVGAState *s)
+ src_bits += s->regs.crtc_offset & 0x07ffffff;
+ src_stride *= bpp;
+ }
+- if (src_bits >= end || src_bits + src_x +
+- (src_y + s->regs.dst_height) * src_stride >= end) {
++ if (src_x > 0x3fff || src_y > 0x3fff || src_bits >= end
++ || src_bits + src_x
++ + (src_y + s->regs.dst_height) * src_stride >= end) {
+ qemu_log_mask(LOG_UNIMP, "blt outside vram not implemented\n");
+ return;
+ }
+--
+1.8.3.1
+
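Review bot: Both bounds checks still form the pointer `dst_bits + dst_x + (dst_y + s->regs.dst_height) * dst_stride` (and its `src_` counterpart) before comparing it with `end`. If the offset is large, that pointer already lies outside the vram object, which is undefined behaviour in C and may wrap, and the new `> 0x3fff` limits bound only x and y, not `dst_height` or the stride. Comparing offsets instead of pointers avoids this, for example `if (dst_bits >= end || dst_off >= (uint64_t)(end - dst_bits))` with `dst_off` computed in 64-bit arithmetic; the variable types are declared outside the lines shown, so the exact casts need checking. `0x3fff` would also benefit from a named constant or a one-line comment saying where the limit comes from.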
diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu/CVE-2020-25624.patch b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/CVE-2020-25624.patch
new file mode 100644
index 0000000..7631bab
--- /dev/null
+++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/CVE-2020-25624.patch
@@ -0,0 +1,101 @@
+From 1328fe0c32d5474604105b8105310e944976b058 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Tue, 15 Sep 2020 23:52:58 +0530
+Subject: [PATCH] hw: usb: hcd-ohci: check len and frame_number variables
+
+While servicing the OHCI transfer descriptors(TD), OHCI host
+controller derives variables 'start_addr', 'end_addr', 'len'
+etc. from values supplied by the host controller driver.
+Host controller driver may supply values such that using
+above variables leads to out-of-bounds access issues.
+Add checks to avoid them.
+
+AddressSanitizer: stack-buffer-overflow on address 0x7ffd53af76a0
+ READ of size 2 at 0x7ffd53af76a0 thread T0
+ #0 ohci_service_iso_td ../hw/usb/hcd-ohci.c:734
+ #1 ohci_service_ed_list ../hw/usb/hcd-ohci.c:1180
+ #2 ohci_process_lists ../hw/usb/hcd-ohci.c:1214
+ #3 ohci_frame_boundary ../hw/usb/hcd-ohci.c:1257
+ #4 timerlist_run_timers ../util/qemu-timer.c:572
+ #5 qemu_clock_run_timers ../util/qemu-timer.c:586
+ #6 qemu_clock_run_all_timers ../util/qemu-timer.c:672
+ #7 main_loop_wait ../util/main-loop.c:527
+ #8 qemu_main_loop ../softmmu/vl.c:1676
+ #9 main ../softmmu/main.c:50
+
+Reported-by: Gaoning Pan <pgn@zju.edu.cn>
+Reported-by: Yongkang Jia <j_kangel@163.com>
+Reported-by: Yi Ren <yunye.ry@alibaba-inc.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-id: 20200915182259.68522-2-ppandit@redhat.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-25624
+[https://git.qemu.org/?p=qemu.git;a=commit;h=1328fe0c32d5474604105b8105310e944976b058]
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+ hw/usb/hcd-ohci.c | 24 ++++++++++++++++++++++--
+ 1 file changed, 22 insertions(+), 2 deletions(-)
+
+diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c
+index 1e6e85e..9dc5910 100644
+--- a/hw/usb/hcd-ohci.c
++++ b/hw/usb/hcd-ohci.c
+@@ -731,7 +731,11 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed,
+ }
+
+ start_offset = iso_td.offset[relative_frame_number];
+- next_offset = iso_td.offset[relative_frame_number + 1];
++ if (relative_frame_number < frame_count) {
++ next_offset = iso_td.offset[relative_frame_number + 1];
++ } else {
++ next_offset = iso_td.be;
++ }
+
+ if (!(OHCI_BM(start_offset, TD_PSW_CC) & 0xe) ||
+ ((relative_frame_number < frame_count) &&
+@@ -764,7 +768,12 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed,
+ }
+ } else {
+ /* Last packet in the ISO TD */
+- end_addr = iso_td.be;
++ end_addr = next_offset;
++ }
++
++ if (start_addr > end_addr) {
++ trace_usb_ohci_iso_td_bad_cc_overrun(start_addr, end_addr);
++ return 1;
+ }
+
+ if ((start_addr & OHCI_PAGE_MASK) != (end_addr & OHCI_PAGE_MASK)) {
+@@ -773,6 +782,9 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed,
+ } else {
+ len = end_addr - start_addr + 1;
+ }
++ if (len > sizeof(ohci->usb_buf)) {
++ len = sizeof(ohci->usb_buf);
++ }
+
+ if (len && dir != OHCI_TD_DIR_IN) {
+ if (ohci_copy_iso_td(ohci, start_addr, end_addr, ohci->usb_buf, len,
+@@ -975,8 +987,16 @@ static int ohci_service_td(OHCIState *ohci, struct ohci_ed *ed)
+ if ((td.cbp & 0xfffff000) != (td.be & 0xfffff000)) {
+ len = (td.be & 0xfff) + 0x1001 - (td.cbp & 0xfff);
+ } else {
++ if (td.cbp > td.be) {
++ trace_usb_ohci_iso_td_bad_cc_overrun(td.cbp, td.be);
++ ohci_die(ohci);
++ return 1;
++ }
+ len = (td.be - td.cbp) + 1;
+ }
++ if (len > sizeof(ohci->usb_buf)) {
++ len = sizeof(ohci->usb_buf);
++ }
+
+ pktlen = len;
+ if (len && dir != OHCI_TD_DIR_IN) {
+--
+2.17.1
+
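Review bot: In `ohci_service_td` the new `td.cbp > td.be` path reports through `trace_usb_ohci_iso_td_bad_cc_overrun()`, an isochronous-TD trace point, so a malformed general TD appears in traces as an ISO error. It also calls `ohci_die()`, while the equivalent `start_addr > end_addr` path in `ohci_service_iso_td` only returns 1. If that asymmetry is intended it deserves a comment at each site, for example `/* malformed TD from the guest driver: stop the controller */`. The two `len > sizeof(ohci->usb_buf)` clamps truncate silently; a trace or log line there would let an operator see that a guest supplied an oversized descriptor. Both functions extend beyond the lines shown.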
diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu/CVE-2020-25723.patch b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/CVE-2020-25723.patch
new file mode 100644
index 0000000..90b3a2f
--- /dev/null
+++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/CVE-2020-25723.patch
@@ -0,0 +1,51 @@
+From 2fdb42d840400d58f2e706ecca82c142b97bcbd6 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liq3ea@163.com>
+Date: Wed, 12 Aug 2020 09:17:27 -0700
+Subject: [PATCH] hw: ehci: check return value of 'usb_packet_map'
+
+If 'usb_packet_map' fails, we should stop to process the usb
+request.
+
+Signed-off-by: Li Qiang <liq3ea@163.com>
+Message-Id: <20200812161727.29412-1-liq3ea@163.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-25723
+[https://git.qemu.org/?p=qemu.git;a=commit;h=2fdb42d840400d58f2e706ecca82c142b97bcbd6]
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+ hw/usb/hcd-ehci.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
+index 1495e8f..1fbb02a 100644
+--- a/hw/usb/hcd-ehci.c
++++ b/hw/usb/hcd-ehci.c
+@@ -1373,7 +1373,10 @@ static int ehci_execute(EHCIPacket *p, const char *action)
+ spd = (p->pid == USB_TOKEN_IN && NLPTR_TBIT(p->qtd.altnext) == 0);
+ usb_packet_setup(&p->packet, p->pid, ep, 0, p->qtdaddr, spd,
+ (p->qtd.token & QTD_TOKEN_IOC) != 0);
+- usb_packet_map(&p->packet, &p->sgl);
++ if (usb_packet_map(&p->packet, &p->sgl)) {
++ qemu_sglist_destroy(&p->sgl);
++ return -1;
++ }
+ p->async = EHCI_ASYNC_INITIALIZED;
+ }
+
+@@ -1452,7 +1455,10 @@ static int ehci_process_itd(EHCIState *ehci,
+ if (ep && ep->type == USB_ENDPOINT_XFER_ISOC) {
+ usb_packet_setup(&ehci->ipacket, pid, ep, 0, addr, false,
+ (itd->transact[i] & ITD_XACT_IOC) != 0);
+- usb_packet_map(&ehci->ipacket, &ehci->isgl);
++ if (usb_packet_map(&ehci->ipacket, &ehci->isgl)) {
++ qemu_sglist_destroy(&ehci->isgl);
++ return -1;
++ }
+ usb_handle_packet(dev, &ehci->ipacket);
+ usb_packet_unmap(&ehci->ipacket, &ehci->isgl);
+ } else {
+--
+2.17.1
+
diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu/CVE-2020-28916.patch b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/CVE-2020-28916.patch
new file mode 100644
index 0000000..5212196
--- /dev/null
+++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/CVE-2020-28916.patch
@@ -0,0 +1,49 @@
+From c2cb511634012344e3d0fe49a037a33b12d8a98a Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Wed, 11 Nov 2020 18:36:36 +0530
+Subject: [PATCH] hw/net/e1000e: advance desc_offset in case of null
+descriptor
+
+While receiving packets via e1000e_write_packet_to_guest() routine,
+'desc_offset' is advanced only when RX descriptor is processed. And
+RX descriptor is not processed if it has NULL buffer address.
+This may lead to an infinite loop condition. Increament 'desc_offset'
+to process next descriptor in the ring to avoid infinite loop.
+
+Reported-by: Cheol-woo Myung <330cjfdn@gmail.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-28916
+[https://git.qemu.org/?p=qemu.git;a=commit;h=c2cb511634012344e3d0fe49a037a33b12d8a98a]
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+ hw/net/e1000e_core.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/hw/net/e1000e_core.c b/hw/net/e1000e_core.c
+index bcd186c..d3e3cdc 100644
+--- a/hw/net/e1000e_core.c
++++ b/hw/net/e1000e_core.c
+@@ -1596,13 +1596,13 @@ e1000e_write_packet_to_guest(E1000ECore *core, struct NetRxPkt *pkt,
+ (const char *) &fcs_pad, e1000x_fcs_len(core->mac));
+ }
+ }
+- desc_offset += desc_size;
+- if (desc_offset >= total_size) {
+- is_last = true;
+- }
+ } else { /* as per intel docs; skip descriptors with null buf addr */
+ trace_e1000e_rx_null_descriptor();
+ }
++ desc_offset += desc_size;
++ if (desc_offset >= total_size) {
++ is_last = true;
++ }
+
+ e1000e_write_rx_descr(core, desc, is_last ? core->rx_pkt : NULL,
+ rss_info, do_ps ? ps_hdr_len : 0, &bastate.written);
+--
+2.17.1
+
diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu/CVE-2020-29129-CVE-2020-29130.patch b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/CVE-2020-29129-CVE-2020-29130.patch
new file mode 100644
index 0000000..e5829f6
--- /dev/null
+++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/CVE-2020-29129-CVE-2020-29130.patch
@@ -0,0 +1,64 @@
+From 2e1dcbc0c2af64fcb17009eaf2ceedd81be2b27f Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Thu, 26 Nov 2020 19:27:06 +0530
+Subject: [PATCH] slirp: check pkt_len before reading protocol header
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+While processing ARP/NCSI packets in 'arp_input' or 'ncsi_input'
+routines, ensure that pkt_len is large enough to accommodate the
+respective protocol headers, lest it should do an OOB access.
+Add check to avoid it.
+
+CVE-2020-29129 CVE-2020-29130
+ QEMU: slirp: out-of-bounds access while processing ARP/NCSI packets
+ -> https://www.openwall.com/lists/oss-security/2020/11/27/1
+
+Reported-by: Qiuhao Li <Qiuhao.Li@outlook.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-Id: <20201126135706.273950-1-ppandit@redhat.com>
+Reviewed-by: Marc-Andrà Lureau <marcandre.lureau@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-29129 CVE-2020-29130
+[https://git.qemu.org/?p=libslirp.git;a=commit;h=2e1dcbc0c2af64fcb17009eaf2ceedd81be2b27f]
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+ slirp/src/ncsi.c | 4 ++++
+ slirp/src/slirp.c | 4 ++++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/slirp/src/ncsi.c b/slirp/src/ncsi.c
+index 3c1dfef..75dcc08 100644
+--- a/slirp/src/ncsi.c
++++ b/slirp/src/ncsi.c
+@@ -148,6 +148,10 @@ void ncsi_input(Slirp *slirp, const uint8_t *pkt, int pkt_len)
+ uint32_t checksum;
+ uint32_t *pchecksum;
+
++ if (pkt_len < ETH_HLEN + sizeof(struct ncsi_pkt_hdr)) {
++ return; /* packet too short */
++ }
++
+ memset(ncsi_reply, 0, sizeof(ncsi_reply));
+
+ memset(reh->h_dest, 0xff, ETH_ALEN);
+diff --git a/slirp/src/slirp.c b/slirp/src/slirp.c
+index dba7c98..9be58e2 100644
+--- a/slirp/src/slirp.c
++++ b/slirp/src/slirp.c
+@@ -756,6 +756,10 @@ static void arp_input(Slirp *slirp, const uint8_t *pkt, int pkt_len)
+ return;
+ }
+
++ if (pkt_len < ETH_HLEN + sizeof(struct slirp_arphdr)) {
++ return; /* packet too short */
++ }
++
+ ar_op = ntohs(ah->ar_op);
+ switch (ar_op) {
+ case ARPOP_REQUEST:
+--
+2.17.1
+
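Review bot: Both new length checks compare `int pkt_len` with an expression containing `sizeof`, so `pkt_len` is converted to an unsigned type, and a negative value becomes very large and passes the "too short" test. This applies to the check in `ncsi_input` and to the one in `arp_input`. Whether a negative length can reach these functions depends on callers outside the lines shown, but the guard is cheap to make explicit: `if (pkt_len < 0 || (size_t)pkt_len < ETH_HLEN + sizeof(struct ncsi_pkt_hdr)) {`, and the same with `struct slirp_arphdr` in `arp_input`.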
diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu/find_datadir.patch b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/find_datadir.patch
new file mode 100644
index 0000000..9a4c112
--- /dev/null
+++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/find_datadir.patch
@@ -0,0 +1,39 @@
+qemu: search for datadir as in version 4.2
+
+os_find_datadir() was changed after the 4.2 release. We need to check for
+../share/qemu relative to the executable because that is where the runqemu
+configuration assumes it will be.
+
+Upstream-Status: Submitted [qemu-devel@nongnu.org]
+
+Signed-off-by: Joe Slater <joe.slater@windriver.com>
+
+
+Index: qemu-5.1.0/os-posix.c
+===================================================================
+--- qemu-5.1.0.orig/os-posix.c
++++ qemu-5.1.0/os-posix.c
+@@ -82,8 +82,9 @@ void os_setup_signal_handling(void)
+
+ /*
+ * Find a likely location for support files using the location of the binary.
++ * Typically, this would be "$bindir/../share/qemu".
+ * When running from the build tree this will be "$bindir/../pc-bios".
+- * Otherwise, this is CONFIG_QEMU_DATADIR.
++ * Otherwise, this is CONFIG_QEMU_DATADIR as constructed by configure.
+ *
+ * The caller must use g_free() to free the returned data when it is
+ * no longer required.
+@@ -96,6 +97,12 @@ char *os_find_datadir(void)
+ exec_dir = qemu_get_exec_dir();
+ g_return_val_if_fail(exec_dir != NULL, NULL);
+
++ dir = g_build_filename(exec_dir, "..", "share", "qemu", NULL);
++ if (g_file_test(dir, G_FILE_TEST_IS_DIR)) {
++ return g_steal_pointer(&dir);
++ }
++ g_free(dir); /* no autofree this time */
++
+ dir = g_build_filename(exec_dir, "..", "pc-bios", NULL);
+ if (g_file_test(dir, G_FILE_TEST_IS_DIR)) {
+ return g_steal_pointer(&dir);
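Review bot: The new first lookup in os_find_datadir() makes `$bindir/../share/qemu` take precedence over both the build-tree path and CONFIG_QEMU_DATADIR whenever that directory exists, but the updated header comment only says "Typically" and does not spell out the order. This directory is presumably where firmware and ROM images are loaded from, so I would document the order and the trust assumption, e.g. ` * Lookup order: "$bindir/../share/qemu", then "$bindir/../pc-bios", then CONFIG_QEMU_DATADIR; the tree around the binary must be trusted.` The trailing comment `/* no autofree this time */` is also hard to follow because the declaration of `dir` is outside the hunk; `/* release before dir is reused below */` states what the line is for. The function body continues past the end of the hunk.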
diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu/powerpc_rom.bin b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/powerpc_rom.bin
new file mode 100644
index 0000000..c404429
--- /dev/null
+++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/powerpc_rom.bin
Binary files differ
diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu/run-ptest b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/run-ptest
new file mode 100644
index 0000000..b25a792
--- /dev/null
+++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/run-ptest
@@ -0,0 +1,10 @@
+#!/bin/sh
+#
+#This script is used to run qemu test suites
+#
+
+ptestdir=$(dirname "$(readlink -f "$0")")
+export SRC_PATH=$ptestdir
+
+cd $ptestdir/tests
+make -f Makefile.include -k runtest-TESTS | sed '/^ok /s/ok /PASS: /g'
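Review bot: `cd $ptestdir/tests` is unquoted and its result is not checked, so a path with spaces or a missing tests directory leaves `make` running in whatever directory the script was started from; `cd "$ptestdir/tests" || exit 1` avoids that. The sed expression only rewrites lines that start with `ok `, so a failing test reported as `not ok` (assuming the suite emits TAP-style lines) never becomes a `FAIL:` line; adding `-e 's/^not ok /FAIL: /'` would cover it. The `g` flag also replaces later `ok ` substrings inside a test name, which `s/^ok /PASS: /` avoids.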
diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu/usb-fix-setup_len-init.patch b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/usb-fix-setup_len-init.patch
new file mode 100644
index 0000000..92801da
--- /dev/null
+++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/usb-fix-setup_len-init.patch
@@ -0,0 +1,89 @@
+CVE: CVE-2020-14364
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+From b946434f2659a182afc17e155be6791ebfb302eb Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Tue, 25 Aug 2020 07:36:36 +0200
+Subject: [PATCH] usb: fix setup_len init (CVE-2020-14364)
+
+Store calculated setup_len in a local variable, verify it, and only
+write it to the struct (USBDevice->setup_len) in case it passed the
+sanity checks.
+
+This prevents other code (do_token_{in,out} functions specifically)
+from working with invalid USBDevice->setup_len values and overrunning
+the USBDevice->setup_buf[] buffer.
+
+Fixes: CVE-2020-14364
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Tested-by: Gonglei <arei.gonglei@huawei.com>
+Reviewed-by: Li Qiang <liq3ea@gmail.com>
+Message-id: 20200825053636.29648-1-kraxel@redhat.com
+---
+ hw/usb/core.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/hw/usb/core.c b/hw/usb/core.c
+index 5abd128b6bc..5234dcc73fe 100644
+--- a/hw/usb/core.c
++++ b/hw/usb/core.c
+@@ -129,6 +129,7 @@ void usb_wakeup(USBEndpoint *ep, unsigned int stream)
+ static void do_token_setup(USBDevice *s, USBPacket *p)
+ {
+ int request, value, index;
++ unsigned int setup_len;
+
+ if (p->iov.size != 8) {
+ p->status = USB_RET_STALL;
+@@ -138,14 +139,15 @@ static void do_token_setup(USBDevice *s, USBPacket *p)
+ usb_packet_copy(p, s->setup_buf, p->iov.size);
+ s->setup_index = 0;
+ p->actual_length = 0;
+- s->setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
+- if (s->setup_len > sizeof(s->data_buf)) {
++ setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
++ if (setup_len > sizeof(s->data_buf)) {
+ fprintf(stderr,
+ "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",
+- s->setup_len, sizeof(s->data_buf));
++ setup_len, sizeof(s->data_buf));
+ p->status = USB_RET_STALL;
+ return;
+ }
++ s->setup_len = setup_len;
+
+ request = (s->setup_buf[0] << 8) | s->setup_buf[1];
+ value = (s->setup_buf[3] << 8) | s->setup_buf[2];
+@@ -259,26 +261,28 @@ static void do_token_out(USBDevice *s, USBPacket *p)
+ static void do_parameter(USBDevice *s, USBPacket *p)
+ {
+ int i, request, value, index;
++ unsigned int setup_len;
+
+ for (i = 0; i < 8; i++) {
+ s->setup_buf[i] = p->parameter >> (i*8);
+ }
+
+ s->setup_state = SETUP_STATE_PARAM;
+- s->setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
+ s->setup_index = 0;
+
+ request = (s->setup_buf[0] << 8) | s->setup_buf[1];
+ value = (s->setup_buf[3] << 8) | s->setup_buf[2];
+ index = (s->setup_buf[5] << 8) | s->setup_buf[4];
+
+- if (s->setup_len > sizeof(s->data_buf)) {
++ setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
++ if (setup_len > sizeof(s->data_buf)) {
+ fprintf(stderr,
+ "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",
+- s->setup_len, sizeof(s->data_buf));
++ setup_len, sizeof(s->data_buf));
+ p->status = USB_RET_STALL;
+ return;
+ }
++ s->setup_len = setup_len;
+
+ if (p->pid == USB_TOKEN_OUT) {
+ usb_packet_copy(p, s->data_buf, s->setup_len);
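Review bot: In the backported hw/usb/core.c change, `setup_len` becomes `unsigned int`, but both `fprintf` calls (in do_token_setup and in do_parameter) still print it with `%d`. The format line should read `"usb_generic_handle_packet: ctrl buffer too small (%u > %zu)\n",` to match the new type. In do_parameter, `s->setup_state = SETUP_STATE_PARAM;` and `s->setup_index = 0;` are still assigned before the length check, so the STALL path leaves the new state paired with the previous `s->setup_len`. That earlier value had itself passed the check, so this looks harmless, but moving the two assignments below the check would keep the struct update all-or-nothing. Both functions continue outside the quoted hunks.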