diff options
27 files changed, 1629 insertions, 2 deletions
diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu-native.inc b/meta-xilinx-bsp/recipes-devtools/qemu/qemu-native.inc new file mode 100644 index 00000000..aa5c9b9a --- /dev/null +++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu-native.inc @@ -0,0 +1,11 @@ +inherit native + +require qemu.inc + +EXTRA_OEMAKE_append = " LD='${LD}' AR='${AR}' OBJCOPY='${OBJCOPY}' LDFLAGS='${LDFLAGS}'" + +LDFLAGS_append = " -fuse-ld=bfd" + +do_install_append() { + ${@bb.utils.contains('PACKAGECONFIG', 'gtk+', 'make_qemu_wrapper', '', d)} +} diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu-targets.inc b/meta-xilinx-bsp/recipes-devtools/qemu/qemu-targets.inc new file mode 100644 index 00000000..24f9a039 --- /dev/null +++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu-targets.inc @@ -0,0 +1,28 @@ +# possible arch values are: +# aarch64 arm armeb alpha cris i386 x86_64 m68k microblaze +# mips mipsel mips64 mips64el ppc ppc64 ppc64abi32 ppcemb +# riscv32 riscv64 sparc sparc32 sparc32plus + +def get_qemu_target_list(d): + import bb + archs = d.getVar('QEMU_TARGETS').split() + tos = d.getVar('HOST_OS') + softmmuonly = "" + for arch in ['ppcemb', 'lm32']: + if arch in archs: + softmmuonly += arch + "-softmmu," + archs.remove(arch) + linuxuseronly = "" + for arch in ['armeb', 'alpha', 'ppc64abi32', 'ppc64le', 'sparc32plus', 'aarch64_be']: + if arch in archs: + linuxuseronly += arch + "-linux-user," + archs.remove(arch) + if 'linux' not in tos: + return softmmuonly + ''.join([arch + "-softmmu" + "," for arch in archs]).rstrip(',') + return softmmuonly + linuxuseronly + ''.join([arch + "-linux-user" + "," + arch + "-softmmu" + "," for arch in archs]).rstrip(',') + +def get_qemu_usermode_target_list(d): + return ",".join(filter(lambda i: "-linux-user" in i, get_qemu_target_list(d).split(','))) + +def get_qemu_system_target_list(d): + return ",".join(filter(lambda i: "-linux-user" not in i, get_qemu_target_list(d).split(','))) diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu-xilinx-native.inc b/meta-xilinx-bsp/recipes-devtools/qemu/qemu-xilinx-native.inc index a1dc5d66..d8f06c77 100644 --- a/meta-xilinx-bsp/recipes-devtools/qemu/qemu-xilinx-native.inc +++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu-xilinx-native.inc @@ -1,4 +1,4 @@ -require recipes-devtools/qemu/qemu-native.inc +require qemu-native.inc require qemu-xilinx.inc DEPENDS = "glib-2.0-native zlib-native" diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu-xilinx_2020.2.bb b/meta-xilinx-bsp/recipes-devtools/qemu/qemu-xilinx_2020.2.bb index 09f431ec..fd1904ab 100644 --- a/meta-xilinx-bsp/recipes-devtools/qemu/qemu-xilinx_2020.2.bb +++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu-xilinx_2020.2.bb @@ -1,4 +1,4 @@ -require recipes-devtools/qemu/qemu.inc +require qemu.inc require qemu-xilinx.inc BBCLASSEXTEND = "nativesdk" diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu.inc b/meta-xilinx-bsp/recipes-devtools/qemu/qemu.inc new file mode 100644 index 00000000..4864d7e9 --- /dev/null +++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu.inc @@ -0,0 +1,197 @@ +SUMMARY = "Fast open source processor emulator" +DESCRIPTION = "QEMU is a hosted virtual machine monitor: it emulates the \ +machine's processor through dynamic binary translation and provides a set \ +of different hardware and device models for the machine, enabling it to run \ +a variety of guest operating systems" +HOMEPAGE = "http://qemu.org" +LICENSE = "GPLv2 & LGPLv2.1" + +RDEPENDS_${PN}-ptest = "bash make" + +require qemu-targets.inc +inherit pkgconfig ptest + +LIC_FILES_CHKSUM = "file://COPYING;md5=441c28d2cf86e15a37fa47e15a72fbac \ + file://COPYING.LIB;endline=24;md5=8c5efda6cf1e1b03dcfd0e6c0d271c7f" + +SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ + file://powerpc_rom.bin \ + file://run-ptest \ + file://0001-qemu-Add-missing-wacom-HID-descriptor.patch \ + file://0002-Add-subpackage-ptest-which-runs-all-unit-test-cases-.patch \ + file://0003-qemu-Add-addition-environment-space-to-boot-loader-q.patch \ + file://0004-qemu-disable-Valgrind.patch \ + file://0005-qemu-native-set-ld.bfd-fix-cflags-and-set-some-envir.patch \ + file://0006-chardev-connect-socket-to-a-spawned-command.patch \ + file://0007-apic-fixup-fallthrough-to-PIC.patch \ + file://0008-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch \ + file://0009-Fix-webkitgtk-builds.patch \ + file://0010-configure-Add-pkg-config-handling-for-libgcrypt.patch \ + file://0001-Add-enable-disable-udev.patch \ + file://0001-qemu-Do-not-include-file-if-not-exists.patch \ + file://find_datadir.patch \ + file://usb-fix-setup_len-init.patch \ + file://0001-target-mips-Increase-number-of-TLB-entries-on-the-34.patch \ + file://CVE-2020-24352.patch \ + file://CVE-2020-29129-CVE-2020-29130.patch \ + file://CVE-2020-25624.patch \ + file://CVE-2020-25723.patch \ + file://CVE-2020-28916.patch \ + " +UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" + +SRC_URI[sha256sum] = "c9174eb5933d9eb5e61f541cd6d1184cd3118dfe4c5c4955bc1bdc4d390fa4e5" + +COMPATIBLE_HOST_mipsarchn32 = "null" +COMPATIBLE_HOST_mipsarchn64 = "null" + +# Per https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg03873.html +# upstream states qemu doesn't work without optimization +DEBUG_BUILD = "0" + +do_install_append() { + # Prevent QA warnings about installed ${localstatedir}/run + if [ -d ${D}${localstatedir}/run ]; then rmdir ${D}${localstatedir}/run; fi +} + +do_compile_ptest() { + make buildtest-TESTS +} + +do_install_ptest() { + cp -rL ${B}/tests ${D}${PTEST_PATH} + find ${D}${PTEST_PATH}/tests -type f -name "*.[Sshcod]" | xargs -i rm -rf {} + + cp ${S}/tests/Makefile.include ${D}${PTEST_PATH}/tests + # Don't check the file genreated by configure + sed -i -e '/wildcard config-host.mak/d' \ + -e '$ {/endif/d}' ${D}${PTEST_PATH}/tests/Makefile.include + sed -i -e 's,${HOSTTOOLS_DIR}/python3,${bindir}/python3,' \ + ${D}/${PTEST_PATH}/tests/qemu-iotests/common.env + sed -i -e "1s,#!/usr/bin/bash,#!${base_bindir}/bash," ${D}${PTEST_PATH}/tests/data/acpi/disassemle-aml.sh +} + +# QEMU_TARGETS is overridable variable +QEMU_TARGETS ?= "arm aarch64 i386 mips mipsel mips64 mips64el ppc ppc64 ppc64le riscv32 riscv64 sh4 x86_64" + +EXTRA_OECONF = " \ + --prefix=${prefix} \ + --bindir=${bindir} \ + --includedir=${includedir} \ + --libdir=${libdir} \ + --mandir=${mandir} \ + --datadir=${datadir} \ + --docdir=${docdir}/${BPN} \ + --sysconfdir=${sysconfdir} \ + --libexecdir=${libexecdir} \ + --localstatedir=${localstatedir} \ + --with-confsuffix=/${BPN} \ + --disable-strip \ + --disable-werror \ + --extra-cflags='${CFLAGS}' \ + --extra-ldflags='${LDFLAGS}' \ + --with-git=/bin/false \ + --disable-git-update \ + ${PACKAGECONFIG_CONFARGS} \ + " + +export LIBTOOL="${HOST_SYS}-libtool" + +B = "${WORKDIR}/build" + +EXTRA_OECONF_append = " --python=${HOSTTOOLS_DIR}/python3" + +do_configure_prepend_class-native() { + # Append build host pkg-config paths for native target since the host may provide sdl + BHOST_PKGCONFIG_PATH=$(PATH=/usr/bin:/bin pkg-config --variable pc_path pkg-config || echo "") + if [ ! -z "$BHOST_PKGCONFIG_PATH" ]; then + export PKG_CONFIG_PATH=$PKG_CONFIG_PATH:$BHOST_PKGCONFIG_PATH + fi +} + +do_configure() { + ${S}/configure ${EXTRA_OECONF} +} +do_configure[cleandirs] += "${B}" + +do_install () { + export STRIP="" + oe_runmake 'DESTDIR=${D}' install +} + +# The following fragment will create a wrapper for qemu-mips user emulation +# binary in order to work around a segmentation fault issue. Basically, by +# default, the reserved virtual address space for 32-on-64 bit is set to 4GB. +# This will trigger a MMU access fault in the virtual CPU. With this change, +# the qemu-mips works fine. +# IMPORTANT: This piece needs to be removed once the root cause is fixed! +do_install_append() { + if [ -e "${D}/${bindir}/qemu-mips" ]; then + create_wrapper ${D}/${bindir}/qemu-mips \ + QEMU_RESERVED_VA=0x0 + fi +} +# END of qemu-mips workaround + +make_qemu_wrapper() { + gdk_pixbuf_module_file=`pkg-config --variable=gdk_pixbuf_cache_file gdk-pixbuf-2.0` + + for tool in `ls ${D}${bindir}/qemu-system-*`; do + create_wrapper $tool \ + GDK_PIXBUF_MODULE_FILE=$gdk_pixbuf_module_file \ + FONTCONFIG_PATH=/etc/fonts \ + GTK_THEME=Adwaita + done +} + +# Disable kvm/virgl/mesa on targets that do not support it +PACKAGECONFIG_remove_darwin = "kvm virglrenderer glx gtk+" +PACKAGECONFIG_remove_mingw32 = "kvm virglrenderer glx gtk+" + +PACKAGECONFIG[sdl] = "--enable-sdl,--disable-sdl,libsdl2" +PACKAGECONFIG[virtfs] = "--enable-virtfs --enable-attr --enable-cap-ng,--disable-virtfs,libcap-ng attr," +PACKAGECONFIG[aio] = "--enable-linux-aio,--disable-linux-aio,libaio," +PACKAGECONFIG[xfs] = "--enable-xfsctl,--disable-xfsctl,xfsprogs," +PACKAGECONFIG[xen] = "--enable-xen,--disable-xen,xen-tools,xen-tools-libxenstore xen-tools-libxenctrl xen-tools-libxenguest" +PACKAGECONFIG[vnc-sasl] = "--enable-vnc --enable-vnc-sasl,--disable-vnc-sasl,cyrus-sasl," +PACKAGECONFIG[vnc-jpeg] = "--enable-vnc --enable-vnc-jpeg,--disable-vnc-jpeg,jpeg," +PACKAGECONFIG[vnc-png] = "--enable-vnc --enable-vnc-png,--disable-vnc-png,libpng," +PACKAGECONFIG[libcurl] = "--enable-curl,--disable-curl,curl," +PACKAGECONFIG[nss] = "--enable-smartcard,--disable-smartcard,nss," +PACKAGECONFIG[curses] = "--enable-curses,--disable-curses,ncurses," +PACKAGECONFIG[gtk+] = "--enable-gtk,--disable-gtk,gtk+3 gettext-native" +PACKAGECONFIG[vte] = "--enable-vte,--disable-vte,vte gettext-native" +PACKAGECONFIG[libcap-ng] = "--enable-cap-ng,--disable-cap-ng,libcap-ng," +PACKAGECONFIG[ssh] = "--enable-libssh,--disable-libssh,libssh," +PACKAGECONFIG[gcrypt] = "--enable-gcrypt,--disable-gcrypt,libgcrypt," +PACKAGECONFIG[nettle] = "--enable-nettle,--disable-nettle,nettle" +PACKAGECONFIG[libusb] = "--enable-libusb,--disable-libusb,libusb1" +PACKAGECONFIG[fdt] = "--enable-fdt,--disable-fdt,dtc" +PACKAGECONFIG[alsa] = "--audio-drv-list='oss alsa',,alsa-lib" +PACKAGECONFIG[glx] = "--enable-opengl,--disable-opengl,virtual/libgl" +PACKAGECONFIG[lzo] = "--enable-lzo,--disable-lzo,lzo" +PACKAGECONFIG[numa] = "--enable-numa,--disable-numa,numactl" +PACKAGECONFIG[gnutls] = "--enable-gnutls,--disable-gnutls,gnutls" +PACKAGECONFIG[bzip2] = "--enable-bzip2,--disable-bzip2,bzip2" +PACKAGECONFIG[libiscsi] = "--enable-libiscsi,--disable-libiscsi" +PACKAGECONFIG[kvm] = "--enable-kvm,--disable-kvm" +PACKAGECONFIG[virglrenderer] = "--enable-virglrenderer,--disable-virglrenderer,virglrenderer" +# spice will be in meta-networking layer +PACKAGECONFIG[spice] = "--enable-spice,--disable-spice,spice" +# usbredir will be in meta-networking layer +PACKAGECONFIG[usb-redir] = "--enable-usb-redir,--disable-usb-redir,usbredir" +PACKAGECONFIG[snappy] = "--enable-snappy,--disable-snappy,snappy" +PACKAGECONFIG[glusterfs] = "--enable-glusterfs,--disable-glusterfs,glusterfs" +PACKAGECONFIG[xkbcommon] = "--enable-xkbcommon,--disable-xkbcommon,libxkbcommon" +PACKAGECONFIG[libudev] = "--enable-libudev,--disable-libudev,eudev" +PACKAGECONFIG[libxml2] = "--enable-libxml2,--disable-libxml2,libxml2" +PACKAGECONFIG[attr] = "--enable-attr,--disable-attr,attr," +PACKAGECONFIG[rbd] = "--enable-rbd,--disable-rbd,ceph,ceph" +PACKAGECONFIG[vhost] = "--enable-vhost-net,--disable-vhost-net,," +PACKAGECONFIG[ust] = "--enable-trace-backend=ust,--enable-trace-backend=nop,lttng-ust," +PACKAGECONFIG[pie] = "--enable-pie,--disable-pie,," +PACKAGECONFIG[seccomp] = "--enable-seccomp,--disable-seccomp,libseccomp" + +INSANE_SKIP_${PN} = "arch" + +FILES_${PN} += "${datadir}/icons" diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0001-Add-enable-disable-udev.patch b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0001-Add-enable-disable-udev.patch new file mode 100644 index 00000000..1304ee3b --- /dev/null +++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0001-Add-enable-disable-udev.patch @@ -0,0 +1,29 @@ +From b921e5204030845dc7c9d16d5f66d965e8d05367 Mon Sep 17 00:00:00 2001 +From: Jeremy Puhlman <jpuhlman@mvista.com> +Date: Thu, 19 Mar 2020 11:54:26 -0700 +Subject: [PATCH] Add enable/disable libudev + +Upstream-Status: Pending +Signed-off-by: Jeremy Puhlman <jpuhlman@mvista.com> + +[update patch context] +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + configure | 4 ++++ + 1 file changed, 4 insertions(+) + +Index: qemu-5.1.0/configure +=================================================================== +--- qemu-5.1.0.orig/configure ++++ qemu-5.1.0/configure +@@ -1640,6 +1640,10 @@ for opt do + ;; + --disable-libdaxctl) libdaxctl=no + ;; ++ --enable-libudev) libudev="yes" ++ ;; ++ --disable-libudev) libudev="no" ++ ;; + *) + echo "ERROR: unknown option $opt" + echo "Try '$0 --help' for more information" diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0001-qemu-Add-missing-wacom-HID-descriptor.patch b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0001-qemu-Add-missing-wacom-HID-descriptor.patch new file mode 100644 index 00000000..46c9da08 --- /dev/null +++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0001-qemu-Add-missing-wacom-HID-descriptor.patch @@ -0,0 +1,141 @@ +From 883feb43129dc39b491e492c7ccfe89aefe53c44 Mon Sep 17 00:00:00 2001 +From: Richard Purdie <richard.purdie@linuxfoundation.org> +Date: Thu, 27 Nov 2014 14:04:29 +0000 +Subject: [PATCH] qemu: Add missing wacom HID descriptor + +The USB wacom device is missing a HID descriptor which causes it +to fail to operate with recent kernels (e.g. 3.17). + +This patch adds a HID desriptor to the device, based upon one from +real wcom device. + +Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> + +Upstream-Status: Submitted +2014/11/27 + +[update patch context] +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + hw/usb/dev-wacom.c | 94 +++++++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 93 insertions(+), 1 deletion(-) + +Index: qemu-5.1.0/hw/usb/dev-wacom.c +=================================================================== +--- qemu-5.1.0.orig/hw/usb/dev-wacom.c ++++ qemu-5.1.0/hw/usb/dev-wacom.c +@@ -74,6 +74,89 @@ static const USBDescStrings desc_strings + [STR_SERIALNUMBER] = "1", + }; + ++static const uint8_t qemu_tablet_hid_report_descriptor[] = { ++ 0x05, 0x01, /* Usage Page (Generic Desktop) */ ++ 0x09, 0x02, /* Usage (Mouse) */ ++ 0xa1, 0x01, /* Collection (Application) */ ++ 0x85, 0x01, /* Report ID (1) */ ++ 0x09, 0x01, /* Usage (Pointer) */ ++ 0xa1, 0x00, /* Collection (Physical) */ ++ 0x05, 0x09, /* Usage Page (Button) */ ++ 0x19, 0x01, /* Usage Minimum (1) */ ++ 0x29, 0x05, /* Usage Maximum (5) */ ++ 0x15, 0x00, /* Logical Minimum (0) */ ++ 0x25, 0x01, /* Logical Maximum (1) */ ++ 0x95, 0x05, /* Report Count (5) */ ++ 0x75, 0x01, /* Report Size (1) */ ++ 0x81, 0x02, /* Input (Data, Variable, Absolute) */ ++ 0x95, 0x01, /* Report Count (1) */ ++ 0x75, 0x03, /* Report Size (3) */ ++ 0x81, 0x01, /* Input (Constant) */ ++ 0x05, 0x01, /* Usage Page (Generic Desktop) */ ++ 0x09, 0x30, /* Usage (X) */ ++ 0x09, 0x31, /* Usage (Y) */ ++ 0x15, 0x81, /* Logical Minimum (-127) */ ++ 0x25, 0x7f, /* Logical Maximum (127) */ ++ 0x75, 0x08, /* Report Size (8) */ ++ 0x95, 0x02, /* Report Count (2) */ ++ 0x81, 0x06, /* Input (Data, Variable, Relative) */ ++ 0xc0, /* End Collection */ ++ 0xc0, /* End Collection */ ++ 0x05, 0x0d, /* Usage Page (Digitizer) */ ++ 0x09, 0x01, /* Usage (Digitizer) */ ++ 0xa1, 0x01, /* Collection (Application) */ ++ 0x85, 0x02, /* Report ID (2) */ ++ 0xa1, 0x00, /* Collection (Physical) */ ++ 0x06, 0x00, 0xff, /* Usage Page (Vendor 0xff00) */ ++ 0x09, 0x01, /* Usage (Digitizer) */ ++ 0x15, 0x00, /* Logical Minimum (0) */ ++ 0x26, 0xff, 0x00, /* Logical Maximum (255) */ ++ 0x75, 0x08, /* Report Size (8) */ ++ 0x95, 0x08, /* Report Count (8) */ ++ 0x81, 0x02, /* Input (Data, Variable, Absolute) */ ++ 0xc0, /* End Collection */ ++ 0x09, 0x01, /* Usage (Digitizer) */ ++ 0x85, 0x02, /* Report ID (2) */ ++ 0x95, 0x01, /* Report Count (1) */ ++ 0xb1, 0x02, /* FEATURE (2) */ ++ 0xc0, /* End Collection */ ++ 0x06, 0x00, 0xff, /* Usage Page (Vendor 0xff00) */ ++ 0x09, 0x01, /* Usage (Digitizer) */ ++ 0xa1, 0x01, /* Collection (Application) */ ++ 0x85, 0x02, /* Report ID (2) */ ++ 0x05, 0x0d, /* Usage Page (Digitizer) */ ++ 0x09, 0x22, /* Usage (Finger) */ ++ 0xa1, 0x00, /* Collection (Physical) */ ++ 0x06, 0x00, 0xff, /* Usage Page (Vendor 0xff00) */ ++ 0x09, 0x01, /* Usage (Digitizer) */ ++ 0x15, 0x00, /* Logical Minimum (0) */ ++ 0x26, 0xff, 0x00, /* Logical Maximum */ ++ 0x75, 0x08, /* Report Size (8) */ ++ 0x95, 0x02, /* Report Count (2) */ ++ 0x81, 0x02, /* Input (Data, Variable, Absolute) */ ++ 0x05, 0x01, /* Usage Page (Generic Desktop) */ ++ 0x09, 0x30, /* Usage (X) */ ++ 0x35, 0x00, /* Physical Minimum */ ++ 0x46, 0xe0, 0x2e, /* Physical Maximum */ ++ 0x26, 0xe0, 0x01, /* Logical Maximum */ ++ 0x75, 0x10, /* Report Size (16) */ ++ 0x95, 0x01, /* Report Count (1) */ ++ 0x81, 0x02, /* Input (Data, Variable, Absolute) */ ++ 0x09, 0x31, /* Usage (Y) */ ++ 0x46, 0x40, 0x1f, /* Physical Maximum */ ++ 0x26, 0x40, 0x01, /* Logical Maximum */ ++ 0x81, 0x02, /* Input (Data, Variable, Absolute) */ ++ 0x06, 0x00, 0xff, /* Usage Page (Vendor 0xff00) */ ++ 0x09, 0x01, /* Usage (Digitizer) */ ++ 0x26, 0xff, 0x00, /* Logical Maximum */ ++ 0x75, 0x08, /* Report Size (8) */ ++ 0x95, 0x0d, /* Report Count (13) */ ++ 0x81, 0x02, /* Input (Data, Variable, Absolute) */ ++ 0xc0, /* End Collection */ ++ 0xc0, /* End Collection */ ++}; ++ ++ + static const USBDescIface desc_iface_wacom = { + .bInterfaceNumber = 0, + .bNumEndpoints = 1, +@@ -91,7 +174,7 @@ static const USBDescIface desc_iface_wac + 0x00, /* u8 country_code */ + 0x01, /* u8 num_descriptors */ + 0x22, /* u8 type: Report */ +- 0x6e, 0, /* u16 len */ ++ sizeof(qemu_tablet_hid_report_descriptor), 0, /* u16 len */ + }, + }, + }, +@@ -271,6 +354,15 @@ static void usb_wacom_handle_control(USB + } + + switch (request) { ++ case InterfaceRequest | USB_REQ_GET_DESCRIPTOR: ++ switch (value >> 8) { ++ case 0x22: ++ memcpy(data, qemu_tablet_hid_report_descriptor, ++ sizeof(qemu_tablet_hid_report_descriptor)); ++ p->actual_length = sizeof(qemu_tablet_hid_report_descriptor); ++ break; ++ } ++ break; + case WACOM_SET_REPORT: + if (s->mouse_grabbed) { + qemu_remove_mouse_event_handler(s->eh_entry); diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0001-qemu-Do-not-include-file-if-not-exists.patch b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0001-qemu-Do-not-include-file-if-not-exists.patch new file mode 100644 index 00000000..d6c0f9eb --- /dev/null +++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0001-qemu-Do-not-include-file-if-not-exists.patch @@ -0,0 +1,31 @@ +From 34247f83095f8cdcdc1f9d7f0c6ffbd46b25d979 Mon Sep 17 00:00:00 2001 +From: Oleksiy Obitotskyy <oobitots@cisco.com> +Date: Wed, 25 Mar 2020 21:21:35 +0200 +Subject: [PATCH] qemu: Do not include file if not exists + +Script configure checks for if_alg.h and check failed but +if_alg.h still included. + +Upstream-Status: Submitted [https://lists.gnu.org/archive/html/qemu-devel/2020-03/msg07188.html] +Signed-off-by: Oleksiy Obitotskyy <oobitots@cisco.com> + +[update patch context] +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + linux-user/syscall.c | 2 ++ + 1 file changed, 2 insertions(+) + +Index: qemu-5.1.0/linux-user/syscall.c +=================================================================== +--- qemu-5.1.0.orig/linux-user/syscall.c ++++ qemu-5.1.0/linux-user/syscall.c +@@ -109,7 +109,9 @@ + #include <linux/blkpg.h> + #include <netpacket/packet.h> + #include <linux/netlink.h> ++#if defined(CONFIG_AF_ALG) + #include <linux/if_alg.h> ++#endif + #include <linux/rtc.h> + #include <sound/asound.h> + #ifdef HAVE_DRM_H diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0001-target-mips-Increase-number-of-TLB-entries-on-the-34.patch b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0001-target-mips-Increase-number-of-TLB-entries-on-the-34.patch new file mode 100644 index 00000000..5227b7cb --- /dev/null +++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0001-target-mips-Increase-number-of-TLB-entries-on-the-34.patch @@ -0,0 +1,59 @@ +From 68fa519a6cb455005317bd61f95214b58b2f1e69 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org> +Date: Fri, 16 Oct 2020 15:20:37 +0200 +Subject: [PATCH] target/mips: Increase number of TLB entries on the 34Kf core + (16 -> 64) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Per "MIPS32 34K Processor Core Family Software User's Manual, +Revision 01.13" page 8 in "Joint TLB (JTLB)" section: + + "The JTLB is a fully associative TLB cache containing 16, 32, + or 64-dual-entries mapping up to 128 virtual pages to their + corresponding physical addresses." + +There is no particular reason to restrict the 34Kf core model to +16 TLB entries, so raise its config to 64. + +This is helpful for other projects, in particular the Yocto Project: + + Yocto Project uses qemu-system-mips 34Kf cpu model, to run 32bit + MIPS CI loop. It was observed that in this case CI test execution + time was almost twice longer than 64bit MIPS variant that runs + under MIPS64R2-generic model. It was investigated and concluded + that the difference in number of TLBs 16 in 34Kf case vs 64 in + MIPS64R2-generic is responsible for most of CI real time execution + difference. Because with 16 TLBs linux user-land trashes TLB more + and it needs to execute more instructions in TLB refill handler + calls, as result it runs much longer. + +(https://lists.gnu.org/archive/html/qemu-devel/2020-10/msg03428.html) + +Buglink: https://bugzilla.yoctoproject.org/show_bug.cgi?id=13992 +Reported-by: Victor Kamensky <kamensky@cisco.com> +Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> +Reviewed-by: Richard Henderson <richard.henderson@linaro.org> +Message-Id: <20201016133317.553068-1-f4bug@amsat.org> + +Upstream-Status: Backport [https://github.com/qemu/qemu/commit/68fa519a6cb455005317bd61f95214b58b2f1e69] +Signed-off-by: Victor Kamensky <kamensky@cisco.com> + +--- + target/mips/translate_init.c.inc | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: qemu-5.1.0/target/mips/translate_init.inc.c +=================================================================== +--- qemu-5.1.0.orig/target/mips/translate_init.inc.c ++++ qemu-5.1.0/target/mips/translate_init.inc.c +@@ -254,7 +254,7 @@ const mips_def_t mips_defs[] = + .CP0_PRid = 0x00019500, + .CP0_Config0 = MIPS_CONFIG0 | (0x1 << CP0C0_AR) | + (MMU_TYPE_R4000 << CP0C0_MT), +- .CP0_Config1 = MIPS_CONFIG1 | (1 << CP0C1_FP) | (15 << CP0C1_MMU) | ++ .CP0_Config1 = MIPS_CONFIG1 | (1 << CP0C1_FP) | (63 << CP0C1_MMU) | + (0 << CP0C1_IS) | (3 << CP0C1_IL) | (1 << CP0C1_IA) | + (0 << CP0C1_DS) | (3 << CP0C1_DL) | (1 << CP0C1_DA) | + (1 << CP0C1_CA), diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0002-Add-subpackage-ptest-which-runs-all-unit-test-cases-.patch b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0002-Add-subpackage-ptest-which-runs-all-unit-test-cases-.patch new file mode 100644 index 00000000..f379948f --- /dev/null +++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0002-Add-subpackage-ptest-which-runs-all-unit-test-cases-.patch @@ -0,0 +1,35 @@ +From 5da6cef7761157a003e7ebde74fb3cf90ab396d9 Mon Sep 17 00:00:00 2001 +From: Juro Bystricky <juro.bystricky@intel.com> +Date: Thu, 31 Aug 2017 11:06:56 -0700 +Subject: [PATCH] Add subpackage -ptest which runs all unit test cases for + qemu. + +Upstream-Status: Pending + +Signed-off-by: Kai Kang <kai.kang@windriver.com> + +Signed-off-by: Juro Bystricky <juro.bystricky@intel.com> + +[update patch context] +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + tests/Makefile.include | 8 ++++++++ + 1 file changed, 8 insertions(+) + +Index: qemu-5.1.0/tests/Makefile.include +=================================================================== +--- qemu-5.1.0.orig/tests/Makefile.include ++++ qemu-5.1.0/tests/Makefile.include +@@ -982,4 +982,12 @@ all: $(QEMU_IOTESTS_HELPERS-y) + -include $(wildcard tests/qtest/*.d) + -include $(wildcard tests/qtest/libqos/*.d) + ++buildtest-TESTS: $(check-unit-y) ++ ++runtest-TESTS: ++ for f in $(check-unit-y); do \ ++ nf=$$(echo $$f | sed 's/tests\//\.\//g'); \ ++ $$nf; \ ++ done ++ + endif diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0003-qemu-Add-addition-environment-space-to-boot-loader-q.patch b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0003-qemu-Add-addition-environment-space-to-boot-loader-q.patch new file mode 100644 index 00000000..33cef422 --- /dev/null +++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0003-qemu-Add-addition-environment-space-to-boot-loader-q.patch @@ -0,0 +1,33 @@ +From ce1eceab2350d27960ec254650717085f6a11c9a Mon Sep 17 00:00:00 2001 +From: Jason Wessel <jason.wessel@windriver.com> +Date: Fri, 28 Mar 2014 17:42:43 +0800 +Subject: [PATCH] qemu: Add addition environment space to boot loader + qemu-system-mips + +Upstream-Status: Inappropriate - OE uses deep paths + +If you create a project with very long directory names like 128 characters +deep and use NFS, the kernel arguments will be truncated. The kernel will +accept longer strings such as 1024 bytes, but the qemu boot loader defaulted +to only 256 bytes. This patch expands the limit. + +Signed-off-by: Jason Wessel <jason.wessel@windriver.com> +Signed-off-by: Roy Li <rongqing.li@windriver.com> + +--- + hw/mips/malta.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: qemu-5.1.0/hw/mips/malta.c +=================================================================== +--- qemu-5.1.0.orig/hw/mips/malta.c ++++ qemu-5.1.0/hw/mips/malta.c +@@ -59,7 +59,7 @@ + + #define ENVP_ADDR 0x80002000l + #define ENVP_NB_ENTRIES 16 +-#define ENVP_ENTRY_SIZE 256 ++#define ENVP_ENTRY_SIZE 1024 + + /* Hardware addresses */ + #define FLASH_ADDRESS 0x1e000000ULL diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0004-qemu-disable-Valgrind.patch b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0004-qemu-disable-Valgrind.patch new file mode 100644 index 00000000..71f537f9 --- /dev/null +++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0004-qemu-disable-Valgrind.patch @@ -0,0 +1,34 @@ +From 4127296bb1046cdf73994ba69dc913d8c02fd74f Mon Sep 17 00:00:00 2001 +From: Ross Burton <ross.burton@intel.com> +Date: Tue, 20 Oct 2015 22:19:08 +0100 +Subject: [PATCH] qemu: disable Valgrind + +There isn't an option to enable or disable valgrind support, so disable it to avoid non-deterministic builds. + +Upstream-Status: Inappropriate +Signed-off-by: Ross Burton <ross.burton@intel.com> + +--- + configure | 9 --------- + 1 file changed, 9 deletions(-) + +Index: qemu-5.1.0/configure +=================================================================== +--- qemu-5.1.0.orig/configure ++++ qemu-5.1.0/configure +@@ -5751,15 +5751,6 @@ fi + # check if we have valgrind/valgrind.h + + valgrind_h=no +-cat > $TMPC << EOF +-#include <valgrind/valgrind.h> +-int main(void) { +- return 0; +-} +-EOF +-if compile_prog "" "" ; then +- valgrind_h=yes +-fi + + ######################################## + # check if environ is declared diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0005-qemu-native-set-ld.bfd-fix-cflags-and-set-some-envir.patch b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0005-qemu-native-set-ld.bfd-fix-cflags-and-set-some-envir.patch new file mode 100644 index 00000000..02ebbee1 --- /dev/null +++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0005-qemu-native-set-ld.bfd-fix-cflags-and-set-some-envir.patch @@ -0,0 +1,28 @@ +From 230fe5804099bdca0c9e4cae7280c9fc513cb7f5 Mon Sep 17 00:00:00 2001 +From: Stephen Arnold <sarnold@vctlabs.com> +Date: Sun, 12 Jun 2016 18:09:56 -0700 +Subject: [PATCH] qemu-native: set ld.bfd, fix cflags, and set some environment + +Upstream-Status: Pending + +[update patch context] +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + configure | 4 ---- + 1 file changed, 4 deletions(-) + +Index: qemu-5.1.0/configure +=================================================================== +--- qemu-5.1.0.orig/configure ++++ qemu-5.1.0/configure +@@ -6515,10 +6515,6 @@ write_c_skeleton + if test "$gcov" = "yes" ; then + QEMU_CFLAGS="-fprofile-arcs -ftest-coverage -g $QEMU_CFLAGS" + QEMU_LDFLAGS="-fprofile-arcs -ftest-coverage $QEMU_LDFLAGS" +-elif test "$fortify_source" = "yes" ; then +- CFLAGS="-O2 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 $CFLAGS" +-elif test "$debug" = "no"; then +- CFLAGS="-O2 $CFLAGS" + fi + + if test "$have_asan" = "yes"; then diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0006-chardev-connect-socket-to-a-spawned-command.patch b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0006-chardev-connect-socket-to-a-spawned-command.patch new file mode 100644 index 00000000..98fd5e91 --- /dev/null +++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0006-chardev-connect-socket-to-a-spawned-command.patch @@ -0,0 +1,241 @@ +From bcc63f775e265df69963a4ad7805b8678ace68f0 Mon Sep 17 00:00:00 2001 +From: Alistair Francis <alistair.francis@xilinx.com> +Date: Thu, 21 Dec 2017 11:35:16 -0800 +Subject: [PATCH] chardev: connect socket to a spawned command + +The command is started in a shell (sh -c) with stdin connect to QEMU +via a Unix domain stream socket. QEMU then exchanges data via its own +end of the socket, just like it normally does. + +"-chardev socket" supports some ways of connecting via protocols like +telnet, but that is only a subset of the functionality supported by +tools socat. To use socat instead, for example to connect via a socks +proxy, use: + + -chardev 'socket,id=socat,cmd=exec socat FD:0 SOCKS4A:socks-proxy.localdomain:example.com:9999,,socksuser=nobody' \ + -device usb-serial,chardev=socat + +Beware that commas in the command must be escaped as double commas. + +Or interactively in the console: + (qemu) chardev-add socket,id=cat,cmd=cat + (qemu) device_add usb-serial,chardev=cat + ^ac + # cat >/dev/ttyUSB0 + hello + hello + +Another usage is starting swtpm from inside QEMU. swtpm will +automatically shut down once it looses the connection to the parent +QEMU, so there is no risk of lingering processes: + + -chardev 'socket,id=chrtpm0,cmd=exec swtpm socket --terminate --ctrl type=unixio,,clientfd=0 --tpmstate dir=... --log file=swtpm.log' \ + -tpmdev emulator,id=tpm0,chardev=chrtpm0 \ + -device tpm-tis,tpmdev=tpm0 + +The patch was discussed upstream, but QEMU developers believe that the +code calling QEMU should be responsible for managing additional +processes. In OE-core, that would imply enhancing runqemu and +oeqa. This patch is a simpler solution. + +Because it is not going upstream, the patch was written so that it is +as simple as possible. + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Patrick Ohly <patrick.ohly@intel.com> + +--- + chardev/char-socket.c | 101 ++++++++++++++++++++++++++++++++++++++++++ + chardev/char.c | 3 ++ + qapi/char.json | 5 +++ + 3 files changed, 109 insertions(+) + +Index: qemu-5.1.0/chardev/char-socket.c +=================================================================== +--- qemu-5.1.0.orig/chardev/char-socket.c ++++ qemu-5.1.0/chardev/char-socket.c +@@ -1292,6 +1292,67 @@ static bool qmp_chardev_validate_socket( + return true; + } + ++#ifndef _WIN32 ++static void chardev_open_socket_cmd(Chardev *chr, ++ const char *cmd, ++ Error **errp) ++{ ++ int fds[2] = { -1, -1 }; ++ QIOChannelSocket *sioc = NULL; ++ pid_t pid = -1; ++ const char *argv[] = { "/bin/sh", "-c", cmd, NULL }; ++ ++ /* ++ * We need a Unix domain socket for commands like swtpm and a single ++ * connection, therefore we cannot use qio_channel_command_new_spawn() ++ * without patching it first. Duplicating the functionality is easier. ++ */ ++ if (socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC, 0, fds)) { ++ error_setg_errno(errp, errno, "Error creating socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC)"); ++ goto error; ++ } ++ ++ pid = qemu_fork(errp); ++ if (pid < 0) { ++ goto error; ++ } ++ ++ if (!pid) { ++ /* child */ ++ dup2(fds[1], STDIN_FILENO); ++ execv(argv[0], (char * const *)argv); ++ _exit(1); ++ } ++ ++ /* ++ * Hand over our end of the socket pair to the qio channel. ++ * ++ * We don't reap the child because it is expected to keep ++ * running. We also don't support the "reconnect" option for the ++ * same reason. ++ */ ++ sioc = qio_channel_socket_new_fd(fds[0], errp); ++ if (!sioc) { ++ goto error; ++ } ++ fds[0] = -1; ++ ++ g_free(chr->filename); ++ chr->filename = g_strdup_printf("cmd:%s", cmd); ++ tcp_chr_new_client(chr, sioc); ++ ++ error: ++ if (fds[0] >= 0) { ++ close(fds[0]); ++ } ++ if (fds[1] >= 0) { ++ close(fds[1]); ++ } ++ if (sioc) { ++ object_unref(OBJECT(sioc)); ++ } ++} ++#endif + + static void qmp_chardev_open_socket(Chardev *chr, + ChardevBackend *backend, +@@ -1300,6 +1361,9 @@ static void qmp_chardev_open_socket(Char + { + SocketChardev *s = SOCKET_CHARDEV(chr); + ChardevSocket *sock = backend->u.socket.data; ++#ifndef _WIN32 ++ const char *cmd = sock->cmd; ++#endif + bool do_nodelay = sock->has_nodelay ? sock->nodelay : false; + bool is_listen = sock->has_server ? sock->server : true; + bool is_telnet = sock->has_telnet ? sock->telnet : false; +@@ -1365,6 +1429,14 @@ static void qmp_chardev_open_socket(Char + + update_disconnected_filename(s); + ++#ifndef _WIN32 ++ if (cmd) { ++ chardev_open_socket_cmd(chr, cmd, errp); ++ ++ /* everything ready (or failed permanently) before we return */ ++ *be_opened = true; ++ } else ++#endif + if (s->is_listen) { + if (qmp_chardev_open_socket_server(chr, is_telnet || is_tn3270, + is_waitconnect, errp) < 0) { +@@ -1384,11 +1456,27 @@ static void qemu_chr_parse_socket(QemuOp + const char *host = qemu_opt_get(opts, "host"); + const char *port = qemu_opt_get(opts, "port"); + const char *fd = qemu_opt_get(opts, "fd"); ++#ifndef _WIN32 ++ const char *cmd = qemu_opt_get(opts, "cmd"); ++#endif + bool tight = qemu_opt_get_bool(opts, "tight", true); + bool abstract = qemu_opt_get_bool(opts, "abstract", false); + SocketAddressLegacy *addr; + ChardevSocket *sock; + ++#ifndef _WIN32 ++ if (cmd) { ++ /* ++ * Here we have to ensure that no options are set which are incompatible with ++ * spawning a command, otherwise unmodified code that doesn't know about ++ * command spawning (like socket_reconnect_timeout()) might get called. ++ */ ++ if (path || sock->server || sock->has_telnet || sock->has_tn3270 || sock->reconnect || host || port || sock->tls_creds) { ++ error_setg(errp, "chardev: socket: cmd does not support any additional options"); ++ return; ++ } ++ } else ++#endif + if ((!!path + !!fd + !!host) != 1) { + error_setg(errp, + "Exactly one of 'path', 'fd' or 'host' required"); +@@ -1431,12 +1519,24 @@ static void qemu_chr_parse_socket(QemuOp + sock->has_tls_authz = qemu_opt_get(opts, "tls-authz"); + sock->tls_authz = g_strdup(qemu_opt_get(opts, "tls-authz")); + +- addr = g_new0(SocketAddressLegacy, 1); ++#ifndef _WIN32 ++ sock->cmd = g_strdup(cmd); ++#endif ++ ++ addr = g_new0(SocketAddressLegacy, 1); ++#ifndef _WIN32 ++ if (path || cmd) { ++#else + if (path) { ++#endif + UnixSocketAddress *q_unix; + addr->type = SOCKET_ADDRESS_LEGACY_KIND_UNIX; + q_unix = addr->u.q_unix.data = g_new0(UnixSocketAddress, 1); ++#ifndef _WIN32 ++ q_unix->path = cmd ? g_strdup_printf("cmd:%s", cmd) : g_strdup(path); ++#else + q_unix->path = g_strdup(path); ++#endif + q_unix->tight = tight; + q_unix->abstract = abstract; + } else if (host) { +Index: qemu-5.1.0/chardev/char.c +=================================================================== +--- qemu-5.1.0.orig/chardev/char.c ++++ qemu-5.1.0/chardev/char.c +@@ -826,6 +826,9 @@ QemuOptsList qemu_chardev_opts = { + .name = "path", + .type = QEMU_OPT_STRING, + },{ ++ .name = "cmd", ++ .type = QEMU_OPT_STRING, ++ },{ + .name = "host", + .type = QEMU_OPT_STRING, + },{ +Index: qemu-5.1.0/qapi/char.json +=================================================================== +--- qemu-5.1.0.orig/qapi/char.json ++++ qemu-5.1.0/qapi/char.json +@@ -250,6 +250,10 @@ + # + # @addr: socket address to listen on (server=true) + # or connect to (server=false) ++# @cmd: command to run via "sh -c" with stdin as one end of ++# a AF_UNIX SOCK_DSTREAM socket pair. The other end ++# is used by the chardev. Either an addr or a cmd can ++# be specified, but not both. + # @tls-creds: the ID of the TLS credentials object (since 2.6) + # @tls-authz: the ID of the QAuthZ authorization object against which + # the client's x509 distinguished name will be validated. This +@@ -276,6 +280,7 @@ + ## + { 'struct': 'ChardevSocket', + 'data': { 'addr': 'SocketAddressLegacy', ++ '*cmd': 'str', + '*tls-creds': 'str', + '*tls-authz' : 'str', + '*server': 'bool', diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0007-apic-fixup-fallthrough-to-PIC.patch b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0007-apic-fixup-fallthrough-to-PIC.patch new file mode 100644 index 00000000..034ac578 --- /dev/null +++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0007-apic-fixup-fallthrough-to-PIC.patch @@ -0,0 +1,44 @@ +From a59a98d100123030a4145e7efe3b8a001920a9f1 Mon Sep 17 00:00:00 2001 +From: Mark Asselstine <mark.asselstine@windriver.com> +Date: Tue, 26 Feb 2013 11:43:28 -0500 +Subject: [PATCH] apic: fixup fallthrough to PIC + +Commit 0e21e12bb311c4c1095d0269dc2ef81196ccb60a [Don't route PIC +interrupts through the local APIC if the local APIC config says so.] +missed a check to ensure the local APIC is enabled. Since if the local +APIC is disabled it doesn't matter what the local APIC config says. + +If this check isn't done and the guest has disabled the local APIC the +guest will receive a general protection fault, similar to what is seen +here: + +https://lists.gnu.org/archive/html/qemu-devel/2012-12/msg02304.html + +The GPF is caused by an attempt to service interrupt 0xffffffff. This +comes about since cpu_get_pic_interrupt() calls apic_accept_pic_intr() +(with the local APIC disabled apic_get_interrupt() returns -1). +apic_accept_pic_intr() returns 0 and thus the interrupt number which +is returned from cpu_get_pic_interrupt(), and which is attempted to be +serviced, is -1. + +Signed-off-by: Mark Asselstine <mark.asselstine@windriver.com> +Upstream-Status: Submitted [https://lists.gnu.org/archive/html/qemu-devel/2013-04/msg00878.html] +Signed-off-by: He Zhe <zhe.he@windriver.com> + +--- + hw/intc/apic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: qemu-5.1.0/hw/intc/apic.c +=================================================================== +--- qemu-5.1.0.orig/hw/intc/apic.c ++++ qemu-5.1.0/hw/intc/apic.c +@@ -603,7 +603,7 @@ int apic_accept_pic_intr(DeviceState *de + APICCommonState *s = APIC(dev); + uint32_t lvt0; + +- if (!s) ++ if (!s || !(s->spurious_vec & APIC_SV_ENABLE)) + return -1; + + lvt0 = s->lvt[APIC_LVT_LINT0]; diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0008-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0008-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch new file mode 100644 index 00000000..d20f04ee --- /dev/null +++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0008-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch @@ -0,0 +1,33 @@ +From cf8c9aac5243f506a1a3e8e284414f311cde04f5 Mon Sep 17 00:00:00 2001 +From: Alistair Francis <alistair.francis@xilinx.com> +Date: Wed, 17 Jan 2018 10:51:49 -0800 +Subject: [PATCH] linux-user: Fix webkitgtk hangs on 32-bit x86 target + +Since commit "linux-user: Tidy and enforce reserved_va initialization" +(18e80c55bb6ec17c05ec0ba717ec83933c2bfc07) the Yocto webkitgtk build +hangs when cross compiling for 32-bit x86 on a 64-bit x86 machine using +musl. + +To fix the issue reduce the MAX_RESERVED_VA macro to be a closer match +to what it was before the problematic commit. + +Upstream-Status: Submitted http://lists.gnu.org/archive/html/qemu-devel/2018-01/msg04185.html +Signed-off-by: Alistair Francis <alistair.francis@xilinx.com> + +--- + linux-user/main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: qemu-5.1.0/linux-user/main.c +=================================================================== +--- qemu-5.1.0.orig/linux-user/main.c ++++ qemu-5.1.0/linux-user/main.c +@@ -92,7 +92,7 @@ static int last_log_mask; + (TARGET_LONG_BITS == 32 || defined(TARGET_ABI32)) + /* There are a number of places where we assign reserved_va to a variable + of type abi_ulong and expect it to fit. Avoid the last page. */ +-# define MAX_RESERVED_VA(CPU) (0xfffffffful & TARGET_PAGE_MASK) ++# define MAX_RESERVED_VA(CPU) (0x7ffffffful & TARGET_PAGE_MASK) + # else + # define MAX_RESERVED_VA(CPU) (1ul << TARGET_VIRT_ADDR_SPACE_BITS) + # endif diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0009-Fix-webkitgtk-builds.patch b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0009-Fix-webkitgtk-builds.patch new file mode 100644 index 00000000..f2a44986 --- /dev/null +++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0009-Fix-webkitgtk-builds.patch @@ -0,0 +1,137 @@ +From 815c97ba0de02da9dace3fcfcbdf9b20e029f0d7 Mon Sep 17 00:00:00 2001 +From: Martin Jansa <martin.jansa@lge.com> +Date: Fri, 1 Jun 2018 08:41:07 +0000 +Subject: [PATCH] Fix webkitgtk builds + +This is a partial revert of "linux-user: fix mmap/munmap/mprotect/mremap/shmat". + +This patch fixes qemu-i386 hangs during gobject-introspection in webkitgtk build +when musl is used on qemux86. This is the same issue that +0008-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch was +fixing in the 2.11 release. + +This patch also fixes a build failure when building webkitgtk for +qemumips. A QEMU assert is seen while building webkitgtk: +page_check_range: Assertion `start < ((target_ulong)1 << L1_MAP_ADDR_SPACE_BITS)' failed. + +This reverts commit ebf9a3630c911d0cfc9c20f7cafe9ba4f88cf583. + +Upstream-Status: Pending +Signed-off-by: Alistair Francis <alistair.francis@wdc.com> + +[update patch context] +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + include/exec/cpu-all.h | 6 +----- + include/exec/cpu_ldst.h | 5 ++++- + linux-user/mmap.c | 17 ++++------------- + linux-user/syscall.c | 5 +---- + 4 files changed, 10 insertions(+), 23 deletions(-) + +Index: qemu-5.1.0/include/exec/cpu-all.h +=================================================================== +--- qemu-5.1.0.orig/include/exec/cpu-all.h ++++ qemu-5.1.0/include/exec/cpu-all.h +@@ -176,11 +176,8 @@ extern unsigned long reserved_va; + * avoid setting bits at the top of guest addresses that might need + * to be used for tags. + */ +-#define GUEST_ADDR_MAX_ \ +- ((MIN_CONST(TARGET_VIRT_ADDR_SPACE_BITS, TARGET_ABI_BITS) <= 32) ? \ +- UINT32_MAX : ~0ul) +-#define GUEST_ADDR_MAX (reserved_va ? reserved_va - 1 : GUEST_ADDR_MAX_) +- ++#define GUEST_ADDR_MAX (reserved_va ? reserved_va : \ ++ (1ul << TARGET_VIRT_ADDR_SPACE_BITS) - 1) + #else + + #include "exec/hwaddr.h" +Index: qemu-5.1.0/include/exec/cpu_ldst.h +=================================================================== +--- qemu-5.1.0.orig/include/exec/cpu_ldst.h ++++ qemu-5.1.0/include/exec/cpu_ldst.h +@@ -75,7 +75,10 @@ typedef uint64_t abi_ptr; + #if HOST_LONG_BITS <= TARGET_VIRT_ADDR_SPACE_BITS + #define guest_addr_valid(x) (1) + #else +-#define guest_addr_valid(x) ((x) <= GUEST_ADDR_MAX) ++#define guest_addr_valid(x) ({ \ ++ ((x) < (1ul << TARGET_VIRT_ADDR_SPACE_BITS)) && \ ++ (!reserved_va || ((x) < reserved_va)); \ ++}) + #endif + #define h2g_valid(x) guest_addr_valid((unsigned long)(x) - guest_base) + +Index: qemu-5.1.0/linux-user/mmap.c +=================================================================== +--- qemu-5.1.0.orig/linux-user/mmap.c ++++ qemu-5.1.0/linux-user/mmap.c +@@ -71,7 +71,7 @@ int target_mprotect(abi_ulong start, abi + return -TARGET_EINVAL; + len = TARGET_PAGE_ALIGN(len); + end = start + len; +- if (!guest_range_valid(start, len)) { ++ if (end < start) { + return -TARGET_ENOMEM; + } + prot &= PROT_READ | PROT_WRITE | PROT_EXEC; +@@ -467,8 +467,8 @@ abi_long target_mmap(abi_ulong start, ab + * It can fail only on 64-bit host with 32-bit target. + * On any other target/host host mmap() handles this error correctly. + */ +- if (end < start || !guest_range_valid(start, len)) { +- errno = ENOMEM; ++ if (end < start || ((unsigned long)start + len - 1 > (abi_ulong) -1)) { ++ errno = EINVAL; + goto fail; + } + +@@ -604,10 +604,8 @@ int target_munmap(abi_ulong start, abi_u + if (start & ~TARGET_PAGE_MASK) + return -TARGET_EINVAL; + len = TARGET_PAGE_ALIGN(len); +- if (len == 0 || !guest_range_valid(start, len)) { ++ if (len == 0) + return -TARGET_EINVAL; +- } +- + mmap_lock(); + end = start + len; + real_start = start & qemu_host_page_mask; +@@ -662,13 +660,6 @@ abi_long target_mremap(abi_ulong old_add + int prot; + void *host_addr; + +- if (!guest_range_valid(old_addr, old_size) || +- ((flags & MREMAP_FIXED) && +- !guest_range_valid(new_addr, new_size))) { +- errno = ENOMEM; +- return -1; +- } +- + mmap_lock(); + + if (flags & MREMAP_FIXED) { +Index: qemu-5.1.0/linux-user/syscall.c +=================================================================== +--- qemu-5.1.0.orig/linux-user/syscall.c ++++ qemu-5.1.0/linux-user/syscall.c +@@ -4336,9 +4336,6 @@ static inline abi_ulong do_shmat(CPUArch + return -TARGET_EINVAL; + } + } +- if (!guest_range_valid(shmaddr, shm_info.shm_segsz)) { +- return -TARGET_EINVAL; +- } + + mmap_lock(); + +@@ -7376,7 +7373,7 @@ static int open_self_maps(void *cpu_env, + const char *path; + + max = h2g_valid(max - 1) ? +- max : (uintptr_t) g2h(GUEST_ADDR_MAX) + 1; ++ max : (uintptr_t) g2h(GUEST_ADDR_MAX); + + if (page_check_range(h2g(min), max - min, flags) == -1) { + continue; diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0010-configure-Add-pkg-config-handling-for-libgcrypt.patch b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0010-configure-Add-pkg-config-handling-for-libgcrypt.patch new file mode 100644 index 00000000..d7e3fffd --- /dev/null +++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/0010-configure-Add-pkg-config-handling-for-libgcrypt.patch @@ -0,0 +1,91 @@ +From c207607cdf3996ad9783c3bffbcd3d65e74c0158 Mon Sep 17 00:00:00 2001 +From: He Zhe <zhe.he@windriver.com> +Date: Wed, 28 Aug 2019 19:56:28 +0800 +Subject: [PATCH] configure: Add pkg-config handling for libgcrypt + +libgcrypt may also be controlled by pkg-config, this patch adds pkg-config +handling for libgcrypt. + +Upstream-Status: Denied [https://lists.nongnu.org/archive/html/qemu-devel/2019-08/msg06333.html] + +Signed-off-by: He Zhe <zhe.he@windriver.com> + +--- + configure | 48 ++++++++++++++++++++++++++++++++++++++++-------- + 1 file changed, 40 insertions(+), 8 deletions(-) + +Index: qemu-5.1.0/configure +=================================================================== +--- qemu-5.1.0.orig/configure ++++ qemu-5.1.0/configure +@@ -3084,6 +3084,30 @@ has_libgcrypt() { + return 0 + } + ++has_libgcrypt_pkgconfig() { ++ if ! has $pkg_config ; then ++ return 1 ++ fi ++ ++ if ! $pkg_config --list-all | grep libgcrypt > /dev/null 2>&1 ; then ++ return 1 ++ fi ++ ++ if test -n "$cross_prefix" ; then ++ host=$($pkg_config --variable=host libgcrypt) ++ if test "${host%-gnu}-" != "${cross_prefix%-gnu}" ; then ++ print_error "host($host) does not match cross_prefix($cross_prefix)" ++ return 1 ++ fi ++ fi ++ ++ if ! $pkg_config --atleast-version=1.5.0 libgcrypt ; then ++ print_error "libgcrypt version is $($pkg_config --modversion libgcrypt)" ++ return 1 ++ fi ++ ++ return 0 ++} + + if test "$nettle" != "no"; then + pass="no" +@@ -3124,7 +3148,14 @@ fi + + if test "$gcrypt" != "no"; then + pass="no" +- if has_libgcrypt; then ++ if has_libgcrypt_pkgconfig; then ++ gcrypt_cflags=$($pkg_config --cflags libgcrypt) ++ if test "$static" = "yes" ; then ++ gcrypt_libs=$($pkg_config --libs --static libgcrypt) ++ else ++ gcrypt_libs=$($pkg_config --libs libgcrypt) ++ fi ++ elif has_libgcrypt; then + gcrypt_cflags=$(libgcrypt-config --cflags) + gcrypt_libs=$(libgcrypt-config --libs) + # Debian has removed -lgpg-error from libgcrypt-config +@@ -3134,15 +3165,16 @@ if test "$gcrypt" != "no"; then + then + gcrypt_libs="$gcrypt_libs -lgpg-error" + fi ++ fi + +- # Link test to make sure the given libraries work (e.g for static). +- write_c_skeleton +- if compile_prog "" "$gcrypt_libs" ; then +- LIBS="$gcrypt_libs $LIBS" +- QEMU_CFLAGS="$QEMU_CFLAGS $gcrypt_cflags" +- pass="yes" +- fi ++ # Link test to make sure the given libraries work (e.g for static). ++ write_c_skeleton ++ if compile_prog "" "$gcrypt_libs" ; then ++ LIBS="$gcrypt_libs $LIBS" ++ QEMU_CFLAGS="$QEMU_CFLAGS $gcrypt_cflags" ++ pass="yes" + fi ++ + if test "$pass" = "yes"; then + gcrypt="yes" + cat > $TMPC << EOF diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu/CVE-2020-24352.patch b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/CVE-2020-24352.patch new file mode 100644 index 00000000..861ff6c3 --- /dev/null +++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/CVE-2020-24352.patch @@ -0,0 +1,52 @@ +From ca1f9cbfdce4d63b10d57de80fef89a89d92a540 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit <pjp@fedoraproject.org> +Date: Wed, 21 Oct 2020 16:08:18 +0530 +Subject: [PATCH 1/1] ati: check x y display parameter values + +The source and destination x,y display parameters in ati_2d_blt() +may run off the vga limits if either of s->regs.[src|dst]_[xy] is +zero. Check the parameter values to avoid potential crash. + +Reported-by: Gaoning Pan <pgn@zju.edu.cn> +Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> +Message-id: 20201021103818.1704030-1-ppandit@redhat.com +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> + +Upstream-Status: Backport [ https://git.qemu.org/?p=qemu.git;a=commitdiff;h=ca1f9cbfdce4d63b10d57de80fef89a89d92a540;hp=2ddafce7f797082ad216657c830afd4546f16e37 ] +CVE: CVE-2020-24352 +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> +--- + hw/display/ati_2d.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/hw/display/ati_2d.c b/hw/display/ati_2d.c +index 23a8ae0..4dc10ea 100644 +--- a/hw/display/ati_2d.c ++++ b/hw/display/ati_2d.c +@@ -75,8 +75,9 @@ void ati_2d_blt(ATIVGAState *s) + dst_stride *= bpp; + } + uint8_t *end = s->vga.vram_ptr + s->vga.vram_size; +- if (dst_bits >= end || dst_bits + dst_x + (dst_y + s->regs.dst_height) * +- dst_stride >= end) { ++ if (dst_x > 0x3fff || dst_y > 0x3fff || dst_bits >= end ++ || dst_bits + dst_x ++ + (dst_y + s->regs.dst_height) * dst_stride >= end) { + qemu_log_mask(LOG_UNIMP, "blt outside vram not implemented\n"); + return; + } +@@ -107,8 +108,9 @@ void ati_2d_blt(ATIVGAState *s) + src_bits += s->regs.crtc_offset & 0x07ffffff; + src_stride *= bpp; + } +- if (src_bits >= end || src_bits + src_x + +- (src_y + s->regs.dst_height) * src_stride >= end) { ++ if (src_x > 0x3fff || src_y > 0x3fff || src_bits >= end ++ || src_bits + src_x ++ + (src_y + s->regs.dst_height) * src_stride >= end) { + qemu_log_mask(LOG_UNIMP, "blt outside vram not implemented\n"); + return; + } +-- +1.8.3.1 + diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu/CVE-2020-25624.patch b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/CVE-2020-25624.patch new file mode 100644 index 00000000..7631bab3 --- /dev/null +++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/CVE-2020-25624.patch @@ -0,0 +1,101 @@ +From 1328fe0c32d5474604105b8105310e944976b058 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit <pjp@fedoraproject.org> +Date: Tue, 15 Sep 2020 23:52:58 +0530 +Subject: [PATCH] hw: usb: hcd-ohci: check len and frame_number variables + +While servicing the OHCI transfer descriptors(TD), OHCI host +controller derives variables 'start_addr', 'end_addr', 'len' +etc. from values supplied by the host controller driver. +Host controller driver may supply values such that using +above variables leads to out-of-bounds access issues. +Add checks to avoid them. + +AddressSanitizer: stack-buffer-overflow on address 0x7ffd53af76a0 + READ of size 2 at 0x7ffd53af76a0 thread T0 + #0 ohci_service_iso_td ../hw/usb/hcd-ohci.c:734 + #1 ohci_service_ed_list ../hw/usb/hcd-ohci.c:1180 + #2 ohci_process_lists ../hw/usb/hcd-ohci.c:1214 + #3 ohci_frame_boundary ../hw/usb/hcd-ohci.c:1257 + #4 timerlist_run_timers ../util/qemu-timer.c:572 + #5 qemu_clock_run_timers ../util/qemu-timer.c:586 + #6 qemu_clock_run_all_timers ../util/qemu-timer.c:672 + #7 main_loop_wait ../util/main-loop.c:527 + #8 qemu_main_loop ../softmmu/vl.c:1676 + #9 main ../softmmu/main.c:50 + +Reported-by: Gaoning Pan <pgn@zju.edu.cn> +Reported-by: Yongkang Jia <j_kangel@163.com> +Reported-by: Yi Ren <yunye.ry@alibaba-inc.com> +Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> +Message-id: 20200915182259.68522-2-ppandit@redhat.com +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> + +Upstream-Status: Backport +CVE: CVE-2020-25624 +[https://git.qemu.org/?p=qemu.git;a=commit;h=1328fe0c32d5474604105b8105310e944976b058] +Signed-off-by: Li Wang <li.wang@windriver.com> +--- + hw/usb/hcd-ohci.c | 24 ++++++++++++++++++++++-- + 1 file changed, 22 insertions(+), 2 deletions(-) + +diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c +index 1e6e85e..9dc5910 100644 +--- a/hw/usb/hcd-ohci.c ++++ b/hw/usb/hcd-ohci.c +@@ -731,7 +731,11 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed, + } + + start_offset = iso_td.offset[relative_frame_number]; +- next_offset = iso_td.offset[relative_frame_number + 1]; ++ if (relative_frame_number < frame_count) { ++ next_offset = iso_td.offset[relative_frame_number + 1]; ++ } else { ++ next_offset = iso_td.be; ++ } + + if (!(OHCI_BM(start_offset, TD_PSW_CC) & 0xe) || + ((relative_frame_number < frame_count) && +@@ -764,7 +768,12 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed, + } + } else { + /* Last packet in the ISO TD */ +- end_addr = iso_td.be; ++ end_addr = next_offset; ++ } ++ ++ if (start_addr > end_addr) { ++ trace_usb_ohci_iso_td_bad_cc_overrun(start_addr, end_addr); ++ return 1; + } + + if ((start_addr & OHCI_PAGE_MASK) != (end_addr & OHCI_PAGE_MASK)) { +@@ -773,6 +782,9 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed, + } else { + len = end_addr - start_addr + 1; + } ++ if (len > sizeof(ohci->usb_buf)) { ++ len = sizeof(ohci->usb_buf); ++ } + + if (len && dir != OHCI_TD_DIR_IN) { + if (ohci_copy_iso_td(ohci, start_addr, end_addr, ohci->usb_buf, len, +@@ -975,8 +987,16 @@ static int ohci_service_td(OHCIState *ohci, struct ohci_ed *ed) + if ((td.cbp & 0xfffff000) != (td.be & 0xfffff000)) { + len = (td.be & 0xfff) + 0x1001 - (td.cbp & 0xfff); + } else { ++ if (td.cbp > td.be) { ++ trace_usb_ohci_iso_td_bad_cc_overrun(td.cbp, td.be); ++ ohci_die(ohci); ++ return 1; ++ } + len = (td.be - td.cbp) + 1; + } ++ if (len > sizeof(ohci->usb_buf)) { ++ len = sizeof(ohci->usb_buf); ++ } + + pktlen = len; + if (len && dir != OHCI_TD_DIR_IN) { +-- +2.17.1 + diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu/CVE-2020-25723.patch b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/CVE-2020-25723.patch new file mode 100644 index 00000000..90b3a2f4 --- /dev/null +++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/CVE-2020-25723.patch @@ -0,0 +1,51 @@ +From 2fdb42d840400d58f2e706ecca82c142b97bcbd6 Mon Sep 17 00:00:00 2001 +From: Li Qiang <liq3ea@163.com> +Date: Wed, 12 Aug 2020 09:17:27 -0700 +Subject: [PATCH] hw: ehci: check return value of 'usb_packet_map' + +If 'usb_packet_map' fails, we should stop to process the usb +request. + +Signed-off-by: Li Qiang <liq3ea@163.com> +Message-Id: <20200812161727.29412-1-liq3ea@163.com> +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> + +Upstream-Status: Backport +CVE: CVE-2020-25723 +[https://git.qemu.org/?p=qemu.git;a=commit;h=2fdb42d840400d58f2e706ecca82c142b97bcbd6] +Signed-off-by: Li Wang <li.wang@windriver.com> +--- + hw/usb/hcd-ehci.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c +index 1495e8f..1fbb02a 100644 +--- a/hw/usb/hcd-ehci.c ++++ b/hw/usb/hcd-ehci.c +@@ -1373,7 +1373,10 @@ static int ehci_execute(EHCIPacket *p, const char *action) + spd = (p->pid == USB_TOKEN_IN && NLPTR_TBIT(p->qtd.altnext) == 0); + usb_packet_setup(&p->packet, p->pid, ep, 0, p->qtdaddr, spd, + (p->qtd.token & QTD_TOKEN_IOC) != 0); +- usb_packet_map(&p->packet, &p->sgl); ++ if (usb_packet_map(&p->packet, &p->sgl)) { ++ qemu_sglist_destroy(&p->sgl); ++ return -1; ++ } + p->async = EHCI_ASYNC_INITIALIZED; + } + +@@ -1452,7 +1455,10 @@ static int ehci_process_itd(EHCIState *ehci, + if (ep && ep->type == USB_ENDPOINT_XFER_ISOC) { + usb_packet_setup(&ehci->ipacket, pid, ep, 0, addr, false, + (itd->transact[i] & ITD_XACT_IOC) != 0); +- usb_packet_map(&ehci->ipacket, &ehci->isgl); ++ if (usb_packet_map(&ehci->ipacket, &ehci->isgl)) { ++ qemu_sglist_destroy(&ehci->isgl); ++ return -1; ++ } + usb_handle_packet(dev, &ehci->ipacket); + usb_packet_unmap(&ehci->ipacket, &ehci->isgl); + } else { +-- +2.17.1 + diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu/CVE-2020-28916.patch b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/CVE-2020-28916.patch new file mode 100644 index 00000000..52121968 --- /dev/null +++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/CVE-2020-28916.patch @@ -0,0 +1,49 @@ +From c2cb511634012344e3d0fe49a037a33b12d8a98a Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit <pjp@fedoraproject.org> +Date: Wed, 11 Nov 2020 18:36:36 +0530 +Subject: [PATCH] hw/net/e1000e: advance desc_offset in case of null +descriptor + +While receiving packets via e1000e_write_packet_to_guest() routine, +'desc_offset' is advanced only when RX descriptor is processed. And +RX descriptor is not processed if it has NULL buffer address. +This may lead to an infinite loop condition. Increament 'desc_offset' +to process next descriptor in the ring to avoid infinite loop. + +Reported-by: Cheol-woo Myung <330cjfdn@gmail.com> +Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> +Signed-off-by: Jason Wang <jasowang@redhat.com> + +Upstream-Status: Backport +CVE: CVE-2020-28916 +[https://git.qemu.org/?p=qemu.git;a=commit;h=c2cb511634012344e3d0fe49a037a33b12d8a98a] +Signed-off-by: Li Wang <li.wang@windriver.com> +--- + hw/net/e1000e_core.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/hw/net/e1000e_core.c b/hw/net/e1000e_core.c +index bcd186c..d3e3cdc 100644 +--- a/hw/net/e1000e_core.c ++++ b/hw/net/e1000e_core.c +@@ -1596,13 +1596,13 @@ e1000e_write_packet_to_guest(E1000ECore *core, struct NetRxPkt *pkt, + (const char *) &fcs_pad, e1000x_fcs_len(core->mac)); + } + } +- desc_offset += desc_size; +- if (desc_offset >= total_size) { +- is_last = true; +- } + } else { /* as per intel docs; skip descriptors with null buf addr */ + trace_e1000e_rx_null_descriptor(); + } ++ desc_offset += desc_size; ++ if (desc_offset >= total_size) { ++ is_last = true; ++ } + + e1000e_write_rx_descr(core, desc, is_last ? core->rx_pkt : NULL, + rss_info, do_ps ? ps_hdr_len : 0, &bastate.written); +-- +2.17.1 + diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu/CVE-2020-29129-CVE-2020-29130.patch b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/CVE-2020-29129-CVE-2020-29130.patch new file mode 100644 index 00000000..e5829f6d --- /dev/null +++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/CVE-2020-29129-CVE-2020-29130.patch @@ -0,0 +1,64 @@ +From 2e1dcbc0c2af64fcb17009eaf2ceedd81be2b27f Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit <pjp@fedoraproject.org> +Date: Thu, 26 Nov 2020 19:27:06 +0530 +Subject: [PATCH] slirp: check pkt_len before reading protocol header +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +While processing ARP/NCSI packets in 'arp_input' or 'ncsi_input' +routines, ensure that pkt_len is large enough to accommodate the +respective protocol headers, lest it should do an OOB access. +Add check to avoid it. + +CVE-2020-29129 CVE-2020-29130 + QEMU: slirp: out-of-bounds access while processing ARP/NCSI packets + -> https://www.openwall.com/lists/oss-security/2020/11/27/1 + +Reported-by: Qiuhao Li <Qiuhao.Li@outlook.com> +Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> +Message-Id: <20201126135706.273950-1-ppandit@redhat.com> +Reviewed-by: Marc-Andrà Lureau <marcandre.lureau@redhat.com> + +Upstream-Status: Backport +CVE: CVE-2020-29129 CVE-2020-29130 +[https://git.qemu.org/?p=libslirp.git;a=commit;h=2e1dcbc0c2af64fcb17009eaf2ceedd81be2b27f] +Signed-off-by: Li Wang <li.wang@windriver.com> +--- + slirp/src/ncsi.c | 4 ++++ + slirp/src/slirp.c | 4 ++++ + 2 files changed, 8 insertions(+) + +diff --git a/slirp/src/ncsi.c b/slirp/src/ncsi.c +index 3c1dfef..75dcc08 100644 +--- a/slirp/src/ncsi.c ++++ b/slirp/src/ncsi.c +@@ -148,6 +148,10 @@ void ncsi_input(Slirp *slirp, const uint8_t *pkt, int pkt_len) + uint32_t checksum; + uint32_t *pchecksum; + ++ if (pkt_len < ETH_HLEN + sizeof(struct ncsi_pkt_hdr)) { ++ return; /* packet too short */ ++ } ++ + memset(ncsi_reply, 0, sizeof(ncsi_reply)); + + memset(reh->h_dest, 0xff, ETH_ALEN); +diff --git a/slirp/src/slirp.c b/slirp/src/slirp.c +index dba7c98..9be58e2 100644 +--- a/slirp/src/slirp.c ++++ b/slirp/src/slirp.c +@@ -756,6 +756,10 @@ static void arp_input(Slirp *slirp, const uint8_t *pkt, int pkt_len) + return; + } + ++ if (pkt_len < ETH_HLEN + sizeof(struct slirp_arphdr)) { ++ return; /* packet too short */ ++ } ++ + ar_op = ntohs(ah->ar_op); + switch (ar_op) { + case ARPOP_REQUEST: +-- +2.17.1 + diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu/find_datadir.patch b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/find_datadir.patch new file mode 100644 index 00000000..9a4c1126 --- /dev/null +++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/find_datadir.patch @@ -0,0 +1,39 @@ +qemu: search for datadir as in version 4.2 + +os_find_datadir() was changed after the 4.2 release. We need to check for +../share/qemu relative to the executable because that is where the runqemu +configuration assumes it will be. + +Upstream-Status: Submitted [qemu-devel@nongnu.org] + +Signed-off-by: Joe Slater <joe.slater@windriver.com> + + +Index: qemu-5.1.0/os-posix.c +=================================================================== +--- qemu-5.1.0.orig/os-posix.c ++++ qemu-5.1.0/os-posix.c +@@ -82,8 +82,9 @@ void os_setup_signal_handling(void) + + /* + * Find a likely location for support files using the location of the binary. ++ * Typically, this would be "$bindir/../share/qemu". + * When running from the build tree this will be "$bindir/../pc-bios". +- * Otherwise, this is CONFIG_QEMU_DATADIR. ++ * Otherwise, this is CONFIG_QEMU_DATADIR as constructed by configure. + * + * The caller must use g_free() to free the returned data when it is + * no longer required. +@@ -96,6 +97,12 @@ char *os_find_datadir(void) + exec_dir = qemu_get_exec_dir(); + g_return_val_if_fail(exec_dir != NULL, NULL); + ++ dir = g_build_filename(exec_dir, "..", "share", "qemu", NULL); ++ if (g_file_test(dir, G_FILE_TEST_IS_DIR)) { ++ return g_steal_pointer(&dir); ++ } ++ g_free(dir); /* no autofree this time */ ++ + dir = g_build_filename(exec_dir, "..", "pc-bios", NULL); + if (g_file_test(dir, G_FILE_TEST_IS_DIR)) { + return g_steal_pointer(&dir); diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu/powerpc_rom.bin b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/powerpc_rom.bin Binary files differnew file mode 100644 index 00000000..c4044296 --- /dev/null +++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/powerpc_rom.bin diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu/run-ptest b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/run-ptest new file mode 100644 index 00000000..b25a792d --- /dev/null +++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/run-ptest @@ -0,0 +1,10 @@ +#!/bin/sh +# +#This script is used to run qemu test suites +# + +ptestdir=$(dirname "$(readlink -f "$0")") +export SRC_PATH=$ptestdir + +cd $ptestdir/tests +make -f Makefile.include -k runtest-TESTS | sed '/^ok /s/ok /PASS: /g' diff --git a/meta-xilinx-bsp/recipes-devtools/qemu/qemu/usb-fix-setup_len-init.patch b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/usb-fix-setup_len-init.patch new file mode 100644 index 00000000..92801da4 --- /dev/null +++ b/meta-xilinx-bsp/recipes-devtools/qemu/qemu/usb-fix-setup_len-init.patch @@ -0,0 +1,89 @@ +CVE: CVE-2020-14364 +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@arm.com> + +From b946434f2659a182afc17e155be6791ebfb302eb Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann <kraxel@redhat.com> +Date: Tue, 25 Aug 2020 07:36:36 +0200 +Subject: [PATCH] usb: fix setup_len init (CVE-2020-14364) + +Store calculated setup_len in a local variable, verify it, and only +write it to the struct (USBDevice->setup_len) in case it passed the +sanity checks. + +This prevents other code (do_token_{in,out} functions specifically) +from working with invalid USBDevice->setup_len values and overrunning +the USBDevice->setup_buf[] buffer. + +Fixes: CVE-2020-14364 +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +Tested-by: Gonglei <arei.gonglei@huawei.com> +Reviewed-by: Li Qiang <liq3ea@gmail.com> +Message-id: 20200825053636.29648-1-kraxel@redhat.com +--- + hw/usb/core.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +diff --git a/hw/usb/core.c b/hw/usb/core.c +index 5abd128b6bc..5234dcc73fe 100644 +--- a/hw/usb/core.c ++++ b/hw/usb/core.c +@@ -129,6 +129,7 @@ void usb_wakeup(USBEndpoint *ep, unsigned int stream) + static void do_token_setup(USBDevice *s, USBPacket *p) + { + int request, value, index; ++ unsigned int setup_len; + + if (p->iov.size != 8) { + p->status = USB_RET_STALL; +@@ -138,14 +139,15 @@ static void do_token_setup(USBDevice *s, USBPacket *p) + usb_packet_copy(p, s->setup_buf, p->iov.size); + s->setup_index = 0; + p->actual_length = 0; +- s->setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6]; +- if (s->setup_len > sizeof(s->data_buf)) { ++ setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6]; ++ if (setup_len > sizeof(s->data_buf)) { + fprintf(stderr, + "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n", +- s->setup_len, sizeof(s->data_buf)); ++ setup_len, sizeof(s->data_buf)); + p->status = USB_RET_STALL; + return; + } ++ s->setup_len = setup_len; + + request = (s->setup_buf[0] << 8) | s->setup_buf[1]; + value = (s->setup_buf[3] << 8) | s->setup_buf[2]; +@@ -259,26 +261,28 @@ static void do_token_out(USBDevice *s, USBPacket *p) + static void do_parameter(USBDevice *s, USBPacket *p) + { + int i, request, value, index; ++ unsigned int setup_len; + + for (i = 0; i < 8; i++) { + s->setup_buf[i] = p->parameter >> (i*8); + } + + s->setup_state = SETUP_STATE_PARAM; +- s->setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6]; + s->setup_index = 0; + + request = (s->setup_buf[0] << 8) | s->setup_buf[1]; + value = (s->setup_buf[3] << 8) | s->setup_buf[2]; + index = (s->setup_buf[5] << 8) | s->setup_buf[4]; + +- if (s->setup_len > sizeof(s->data_buf)) { ++ setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6]; ++ if (setup_len > sizeof(s->data_buf)) { + fprintf(stderr, + "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n", +- s->setup_len, sizeof(s->data_buf)); ++ setup_len, sizeof(s->data_buf)); + p->status = USB_RET_STALL; + return; + } ++ s->setup_len = setup_len; + + if (p->pid == USB_TOKEN_OUT) { + usb_packet_copy(p, s->data_buf, s->setup_len); |