Diffstat (limited to 'meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0')
17 files changed, 859 insertions, 0 deletions
diff --git a/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/0001-net-tulip-Restrict-DMA-engine-to-memories.patch b/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/0001-net-tulip-Restrict-DMA-engine-to-memories.patch
new file mode 100644
index 00000000..6c85a77b
--- /dev/null
+++ b/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/0001-net-tulip-Restrict-DMA-engine-to-memories.patch
@@ -0,0 +1,64 @@ +CVE: CVE-2022-2962 +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@arm.com> + +From 5c5c50b0a73d78ffe18336c9996fef5eae9bbbb0 Mon Sep 17 00:00:00 2001 +From: Zheyu Ma <zheyuma97@gmail.com> +Date: Sun, 21 Aug 2022 20:43:43 +0800 +Subject: [PATCH] net: tulip: Restrict DMA engine to memories + +The DMA engine is started by I/O access and then itself accesses the +I/O registers, triggering a reentrancy bug. + +The following log can reveal it: +==5637==ERROR: AddressSanitizer: stack-overflow + #0 0x5595435f6078 in tulip_xmit_list_update qemu/hw/net/tulip.c:673 + #1 0x5595435f204a in tulip_write qemu/hw/net/tulip.c:805:13 + #2 0x559544637f86 in memory_region_write_accessor qemu/softmmu/memory.c:492:5 + #3 0x5595446379fa in access_with_adjusted_size qemu/softmmu/memory.c:554:18 + #4 0x5595446372fa in memory_region_dispatch_write qemu/softmmu/memory.c + #5 0x55954468b74c in flatview_write_continue qemu/softmmu/physmem.c:2825:23 + #6 0x559544683662 in flatview_write qemu/softmmu/physmem.c:2867:12 + #7 0x5595446833f3 in address_space_write qemu/softmmu/physmem.c:2963:18 + #8 0x5595435fb082 in dma_memory_rw_relaxed qemu/include/sysemu/dma.h:87:12 + #9 0x5595435fb082 in dma_memory_rw qemu/include/sysemu/dma.h:130:12 + #10 0x5595435fb082 in dma_memory_write qemu/include/sysemu/dma.h:171:12 + #11 0x5595435fb082 in stl_le_dma qemu/include/sysemu/dma.h:272:1 + #12 0x5595435fb082 in stl_le_pci_dma qemu/include/hw/pci/pci.h:910:1 + #13 0x5595435fb082 in tulip_desc_write qemu/hw/net/tulip.c:101:9 + #14 0x5595435f7e3d in tulip_xmit_list_update qemu/hw/net/tulip.c:706:9 + #15 0x5595435f204a in tulip_write qemu/hw/net/tulip.c:805:13 + +Fix this bug by restricting the DMA engine to memories regions. 
+ +Signed-off-by: Zheyu Ma <zheyuma97@gmail.com> +Signed-off-by: Jason Wang <jasowang@redhat.com> +--- + hw/net/tulip.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/hw/net/tulip.c b/hw/net/tulip.c +index 097e905bec..b9e42c322a 100644 +--- a/hw/net/tulip.c ++++ b/hw/net/tulip.c +@@ -70,7 +70,7 @@ static const VMStateDescription vmstate_pci_tulip = { + static void tulip_desc_read(TULIPState *s, hwaddr p, + struct tulip_descriptor *desc) + { +- const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; ++ const MemTxAttrs attrs = { .memory = true }; + + if (s->csr[0] & CSR0_DBO) { + ldl_be_pci_dma(&s->dev, p, &desc->status, attrs); +@@ -88,7 +88,7 @@ static void tulip_desc_read(TULIPState *s, hwaddr p, + static void tulip_desc_write(TULIPState *s, hwaddr p, + struct tulip_descriptor *desc) + { +- const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; ++ const MemTxAttrs attrs = { .memory = true }; + + if (s->csr[0] & CSR0_DBO) { + stl_be_pci_dma(&s->dev, p, desc->status, attrs); +-- +2.34.1 + diff --git a/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/0001-qemu-Add-addition-environment-space-to-boot-loader-q.patch b/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/0001-qemu-Add-addition-environment-space-to-boot-loader-q.patch new file mode 100644 index 00000000..6fb160e6 --- /dev/null +++ b/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/0001-qemu-Add-addition-environment-space-to-boot-loader-q.patch 
@@ -0,0 +1,36 @@ +From de64af82950a6908f9407dfc92b83c17e2af3eab Mon Sep 17 00:00:00 2001 +From: Jason Wessel <jason.wessel@windriver.com> +Date: Fri, 28 Mar 2014 17:42:43 +0800 +Subject: [PATCH 01/12] qemu: Add addition environment space to boot loader + qemu-system-mips + +Upstream-Status: Inappropriate - OE uses deep paths + +If you create a project with very long directory names like 128 characters +deep and use NFS, the kernel arguments will be truncated. The kernel will +accept longer strings such as 1024 bytes, but the qemu boot loader defaulted +to only 256 bytes. This patch expands the limit. + +Signed-off-by: Jason Wessel <jason.wessel@windriver.com> +Signed-off-by: Roy Li <rongqing.li@windriver.com> + +--- + hw/mips/malta.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/mips/malta.c b/hw/mips/malta.c +index 628851172..12d37f35d 100644 +--- a/hw/mips/malta.c ++++ b/hw/mips/malta.c +@@ -61,7 +61,7 @@ + #define ENVP_PADDR 0x2000 + #define ENVP_VADDR cpu_mips_phys_to_kseg0(NULL, ENVP_PADDR) + #define ENVP_NB_ENTRIES 16 +-#define ENVP_ENTRY_SIZE 256 ++#define ENVP_ENTRY_SIZE 1024 + + /* Hardware addresses */ + #define FLASH_ADDRESS 0x1e000000ULL +-- +2.30.2 + diff --git a/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/0002-chardev-connect-socket-to-a-spawned-command.patch b/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/0002-chardev-connect-socket-to-a-spawned-command.patch new file mode 100644 index 00000000..63a99c96 --- /dev/null +++ b/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/0002-chardev-connect-socket-to-a-spawned-command.patch 
@@ -0,0 +1,246 @@ +From 14cd62607c9de232edf0a9b8503bd02783e03411 Mon Sep 17 00:00:00 2001 +From: Alistair Francis <alistair.francis@xilinx.com> +Date: Thu, 21 Dec 2017 11:35:16 -0800 +Subject: [PATCH 02/12] chardev: connect socket to a spawned command + +The command is started in a shell (sh -c) with stdin connect to QEMU +via a Unix domain stream socket. QEMU then exchanges data via its own +end of the socket, just like it normally does. + +"-chardev socket" supports some ways of connecting via protocols like +telnet, but that is only a subset of the functionality supported by +tools socat. To use socat instead, for example to connect via a socks +proxy, use: + + -chardev 'socket,id=socat,cmd=exec socat FD:0 SOCKS4A:socks-proxy.localdomain:example.com:9999,,socksuser=nobody' \ + -device usb-serial,chardev=socat + +Beware that commas in the command must be escaped as double commas. + +Or interactively in the console: + (qemu) chardev-add socket,id=cat,cmd=cat + (qemu) device_add usb-serial,chardev=cat + ^ac + # cat >/dev/ttyUSB0 + hello + hello + +Another usage is starting swtpm from inside QEMU. swtpm will +automatically shut down once it looses the connection to the parent +QEMU, so there is no risk of lingering processes: + + -chardev 'socket,id=chrtpm0,cmd=exec swtpm socket --terminate --ctrl type=unixio,,clientfd=0 --tpmstate dir=... --log file=swtpm.log' \ + -tpmdev emulator,id=tpm0,chardev=chrtpm0 \ + -device tpm-tis,tpmdev=tpm0 + +The patch was discussed upstream, but QEMU developers believe that the +code calling QEMU should be responsible for managing additional +processes. In OE-core, that would imply enhancing runqemu and +oeqa. This patch is a simpler solution. + +Because it is not going upstream, the patch was written so that it is +as simple as possible. 
+ +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Patrick Ohly <patrick.ohly@intel.com> + +--- + chardev/char-socket.c | 100 ++++++++++++++++++++++++++++++++++++++++++ + chardev/char.c | 3 ++ + qapi/char.json | 5 +++ + 3 files changed, 108 insertions(+) + +diff --git a/chardev/char-socket.c b/chardev/char-socket.c +index fab2d791d..c79641f24 100644 +--- a/chardev/char-socket.c ++++ b/chardev/char-socket.c +@@ -1315,6 +1315,67 @@ static bool qmp_chardev_validate_socket(ChardevSocket *sock, + return true; + } + ++#ifndef _WIN32 ++static void chardev_open_socket_cmd(Chardev *chr, ++ const char *cmd, ++ Error **errp) ++{ ++ int fds[2] = { -1, -1 }; ++ QIOChannelSocket *sioc = NULL; ++ pid_t pid = -1; ++ const char *argv[] = { "/bin/sh", "-c", cmd, NULL }; ++ ++ /* ++ * We need a Unix domain socket for commands like swtpm and a single ++ * connection, therefore we cannot use qio_channel_command_new_spawn() ++ * without patching it first. Duplicating the functionality is easier. ++ */ ++ if (socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC, 0, fds)) { ++ error_setg_errno(errp, errno, "Error creating socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC)"); ++ goto error; ++ } ++ ++ pid = qemu_fork(errp); ++ if (pid < 0) { ++ goto error; ++ } ++ ++ if (!pid) { ++ /* child */ ++ dup2(fds[1], STDIN_FILENO); ++ execv(argv[0], (char * const *)argv); ++ _exit(1); ++ } ++ ++ /* ++ * Hand over our end of the socket pair to the qio channel. ++ * ++ * We don't reap the child because it is expected to keep ++ * running. We also don't support the "reconnect" option for the ++ * same reason. 
++ */ ++ sioc = qio_channel_socket_new_fd(fds[0], errp); ++ if (!sioc) { ++ goto error; ++ } ++ fds[0] = -1; ++ ++ g_free(chr->filename); ++ chr->filename = g_strdup_printf("cmd:%s", cmd); ++ tcp_chr_new_client(chr, sioc); ++ ++ error: ++ if (fds[0] >= 0) { ++ close(fds[0]); ++ } ++ if (fds[1] >= 0) { ++ close(fds[1]); ++ } ++ if (sioc) { ++ object_unref(OBJECT(sioc)); ++ } ++} ++#endif + + static void qmp_chardev_open_socket(Chardev *chr, + ChardevBackend *backend, +@@ -1323,6 +1384,9 @@ static void qmp_chardev_open_socket(Chardev *chr, + { + SocketChardev *s = SOCKET_CHARDEV(chr); + ChardevSocket *sock = backend->u.socket.data; ++#ifndef _WIN32 ++ const char *cmd = sock->cmd; ++#endif + bool do_nodelay = sock->has_nodelay ? sock->nodelay : false; + bool is_listen = sock->has_server ? sock->server : true; + bool is_telnet = sock->has_telnet ? sock->telnet : false; +@@ -1393,6 +1457,14 @@ static void qmp_chardev_open_socket(Chardev *chr, + + update_disconnected_filename(s); + ++#ifndef _WIN32 ++ if (cmd) { ++ chardev_open_socket_cmd(chr, cmd, errp); ++ ++ /* everything ready (or failed permanently) before we return */ ++ *be_opened = true; ++ } else ++#endif + if (s->is_listen) { + if (qmp_chardev_open_socket_server(chr, is_telnet || is_tn3270, + is_waitconnect, errp) < 0) { +@@ -1412,6 +1484,9 @@ static void qemu_chr_parse_socket(QemuOpts *opts, ChardevBackend *backend, + const char *host = qemu_opt_get(opts, "host"); + const char *port = qemu_opt_get(opts, "port"); + const char *fd = qemu_opt_get(opts, "fd"); ++#ifndef _WIN32 ++ const char *cmd = qemu_opt_get(opts, "cmd"); ++#endif + #ifdef CONFIG_LINUX + bool tight = qemu_opt_get_bool(opts, "tight", true); + bool abstract = qemu_opt_get_bool(opts, "abstract", false); +@@ -1419,6 +1494,20 @@ static void qemu_chr_parse_socket(QemuOpts *opts, ChardevBackend *backend, + SocketAddressLegacy *addr; + ChardevSocket *sock; + ++#ifndef _WIN32 ++ if (cmd) { ++ /* ++ * Here we have to ensure that no options are set which 
are incompatible with ++ * spawning a command, otherwise unmodified code that doesn't know about ++ * command spawning (like socket_reconnect_timeout()) might get called. ++ */ ++ if (path || sock->server || sock->has_telnet || sock->has_tn3270 || sock->reconnect || host || port || sock->tls_creds) { ++ error_setg(errp, "chardev: socket: cmd does not support any additional options"); ++ return; ++ } ++ } else ++#endif ++ + if ((!!path + !!fd + !!host) > 1) { + error_setg(errp, + "None or one of 'path', 'fd' or 'host' option required."); +@@ -1469,13 +1558,24 @@ static void qemu_chr_parse_socket(QemuOpts *opts, ChardevBackend *backend, + sock->tls_creds = g_strdup(qemu_opt_get(opts, "tls-creds")); + sock->has_tls_authz = qemu_opt_get(opts, "tls-authz"); + sock->tls_authz = g_strdup(qemu_opt_get(opts, "tls-authz")); ++#ifndef _WIN32 ++ sock->cmd = g_strdup(cmd); ++#endif + + addr = g_new0(SocketAddressLegacy, 1); ++#ifndef _WIN32 ++ if (path || cmd) { ++#else + if (path) { ++#endif + UnixSocketAddress *q_unix; + addr->type = SOCKET_ADDRESS_TYPE_UNIX; + q_unix = addr->u.q_unix.data = g_new0(UnixSocketAddress, 1); ++#ifndef _WIN32 ++ q_unix->path = cmd ? 
g_strdup_printf("cmd:%s", cmd) : g_strdup(path); ++#else + q_unix->path = g_strdup(path); ++#endif + #ifdef CONFIG_LINUX + q_unix->has_tight = true; + q_unix->tight = tight; +diff --git a/chardev/char.c b/chardev/char.c +index 0169d8dde..ce9a21f41 100644 +--- a/chardev/char.c ++++ b/chardev/char.c +@@ -835,6 +835,9 @@ QemuOptsList qemu_chardev_opts = { + },{ + .name = "path", + .type = QEMU_OPT_STRING, ++ },{ ++ .name = "cmd", ++ .type = QEMU_OPT_STRING, + },{ + .name = "host", + .type = QEMU_OPT_STRING, +diff --git a/qapi/char.json b/qapi/char.json +index 7b4215157..37feabdac 100644 +--- a/qapi/char.json ++++ b/qapi/char.json +@@ -250,6 +250,10 @@ + # + # @addr: socket address to listen on (server=true) + # or connect to (server=false) ++# @cmd: command to run via "sh -c" with stdin as one end of ++# a AF_UNIX SOCK_DSTREAM socket pair. The other end ++# is used by the chardev. Either an addr or a cmd can ++# be specified, but not both. + # @tls-creds: the ID of the TLS credentials object (since 2.6) + # @tls-authz: the ID of the QAuthZ authorization object against which + # the client's x509 distinguished name will be validated. This +@@ -276,6 +280,7 @@ + ## + { 'struct': 'ChardevSocket', + 'data': { 'addr': 'SocketAddressLegacy', ++ '*cmd': 'str', + '*tls-creds': 'str', + '*tls-authz' : 'str', + '*server': 'bool', +-- +2.30.2 + diff --git a/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/0003-apic-fixup-fallthrough-to-PIC.patch b/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/0003-apic-fixup-fallthrough-to-PIC.patch new file mode 100644 index 00000000..f350ffce --- /dev/null +++ b/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/0003-apic-fixup-fallthrough-to-PIC.patch 
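Review bot: In the `qemu_chr_parse_socket` hunk (@@ -1419,6 +1494,20 @@) the new `if (cmd)` block reads `sock->server`, `sock->has_telnet`, `sock->has_tn3270`, `sock->reconnect` and `sock->tls_creds` right after the bare declaration `ChardevSocket *sock;`, with nothing assigning `sock` in the context lines between, while the later @@ -1469 hunk shows `sock` still being filled in (`sock->tls_creds = g_strdup(...)`), so this is a read through an uninitialized pointer. Test the parsed options instead, e.g. `if (path || host || port || qemu_opt_get(opts, "server") || qemu_opt_get(opts, "telnet") || qemu_opt_get(opts, "tn3270") || qemu_opt_get(opts, "reconnect") || qemu_opt_get(opts, "tls-creds")) {`, and consider rejecting the Linux-only `tight`/`abstract` options as well, since they are parsed in the same function. In `chardev_open_socket_cmd` the `dup2(fds[1], STDIN_FILENO)` result is unchecked, and if `qio_channel_socket_new_fd` fails after `qemu_fork` the already-spawned child is neither killed nor reaped (the comment says the child is never reaped, so a short-lived `cmd` presumably lingers as a zombie — acceptable or not, it should be stated). Because `cmd` is handed verbatim to `/bin/sh -c` and is also reachable through `chardev-add`, the `@cmd` entry in qapi/char.json should say that the command runs with the privileges of the QEMU process. Both functions continue outside the hunk.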
@@ -0,0 +1,47 @@ +From dc2a8ccd440ee3741b61606eafed3f7e092f4312 Mon Sep 17 00:00:00 2001 +From: Mark Asselstine <mark.asselstine@windriver.com> +Date: Tue, 26 Feb 2013 11:43:28 -0500 +Subject: [PATCH 03/12] apic: fixup fallthrough to PIC + +Commit 0e21e12bb311c4c1095d0269dc2ef81196ccb60a [Don't route PIC +interrupts through the local APIC if the local APIC config says so.] +missed a check to ensure the local APIC is enabled. Since if the local +APIC is disabled it doesn't matter what the local APIC config says. + +If this check isn't done and the guest has disabled the local APIC the +guest will receive a general protection fault, similar to what is seen +here: + +https://lists.gnu.org/archive/html/qemu-devel/2012-12/msg02304.html + +The GPF is caused by an attempt to service interrupt 0xffffffff. This +comes about since cpu_get_pic_interrupt() calls apic_accept_pic_intr() +(with the local APIC disabled apic_get_interrupt() returns -1). +apic_accept_pic_intr() returns 0 and thus the interrupt number which +is returned from cpu_get_pic_interrupt(), and which is attempted to be +serviced, is -1. + +Signed-off-by: Mark Asselstine <mark.asselstine@windriver.com> +Upstream-Status: Submitted [https://lists.gnu.org/archive/html/qemu-devel/2013-04/msg00878.html] +Signed-off-by: He Zhe <zhe.he@windriver.com> + +--- + hw/intc/apic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/intc/apic.c b/hw/intc/apic.c +index 3df11c34d..9506c88ce 100644 +--- a/hw/intc/apic.c ++++ b/hw/intc/apic.c +@@ -605,7 +605,7 @@ int apic_accept_pic_intr(DeviceState *dev) + APICCommonState *s = APIC(dev); + uint32_t lvt0; + +- if (!s) ++ if (!s || !(s->spurious_vec & APIC_SV_ENABLE)) + return -1; + + lvt0 = s->lvt[APIC_LVT_LINT0]; +-- +2.30.2 + 
diff --git a/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/0004-configure-Add-pkg-config-handling-for-libgcrypt.patch b/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/0004-configure-Add-pkg-config-handling-for-libgcrypt.patch new file mode 100644 index 00000000..6faebd4e --- /dev/null +++ b/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/0004-configure-Add-pkg-config-handling-for-libgcrypt.patch @@ -0,0 +1,32 @@ +From d8265abdce5dc2bf74b3fccdf2b7257b4f3894f0 Mon Sep 17 00:00:00 2001 +From: He Zhe <zhe.he@windriver.com> +Date: Wed, 28 Aug 2019 19:56:28 +0800 +Subject: [PATCH 04/12] configure: Add pkg-config handling for libgcrypt + +libgcrypt may also be controlled by pkg-config, this patch adds pkg-config +handling for libgcrypt. + +Upstream-Status: Denied [https://lists.nongnu.org/archive/html/qemu-devel/2019-08/msg06333.html] + +Signed-off-by: He Zhe <zhe.he@windriver.com> + +--- + meson.build | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/meson.build b/meson.build +index 861de93c4..d45ff2d7c 100644 +--- a/meson.build ++++ b/meson.build +@@ -1063,7 +1063,7 @@ endif + if not gnutls_crypto.found() + if (not get_option('gcrypt').auto() or have_system) and not get_option('nettle').enabled() + gcrypt = dependency('libgcrypt', version: '>=1.8', +- method: 'config-tool', ++ method: 'pkg-config', + required: get_option('gcrypt'), + kwargs: static_kwargs) + # Debian has removed -lgpg-error from libgcrypt-config +-- +2.30.2 + diff --git a/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/0005-qemu-Do-not-include-file-if-not-exists.patch b/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/0005-qemu-Do-not-include-file-if-not-exists.patch new file mode 100644 index 00000000..3f3c39f9 --- /dev/null +++ b/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/0005-qemu-Do-not-include-file-if-not-exists.patch 
@@ -0,0 +1,35 @@ +From f39e7bfc5ed07b5ecaeb705c4eae4855ca120d47 Mon Sep 17 00:00:00 2001 +From: Oleksiy Obitotskyy <oobitots@cisco.com> +Date: Wed, 25 Mar 2020 21:21:35 +0200 +Subject: [PATCH 05/12] qemu: Do not include file if not exists + +Script configure checks for if_alg.h and check failed but +if_alg.h still included. + +Upstream-Status: Submitted [https://lists.gnu.org/archive/html/qemu-devel/2020-03/msg07188.html] +Signed-off-by: Oleksiy Obitotskyy <oobitots@cisco.com> + +[update patch context] +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> + +--- + linux-user/syscall.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/linux-user/syscall.c b/linux-user/syscall.c +index f65045efe..340e0c6f0 100644 +--- a/linux-user/syscall.c ++++ b/linux-user/syscall.c +@@ -113,7 +113,9 @@ + #include <linux/blkpg.h> + #include <netpacket/packet.h> + #include <linux/netlink.h> ++#if defined(CONFIG_AF_ALG) + #include <linux/if_alg.h> ++#endif + #include <linux/rtc.h> + #include <sound/asound.h> + #ifdef HAVE_BTRFS_H +-- +2.30.2 + diff --git a/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/0006-qemu-Add-some-user-space-mmap-tweaks-to-address-musl.patch b/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/0006-qemu-Add-some-user-space-mmap-tweaks-to-address-musl.patch new file mode 100644 index 00000000..75c03693 --- /dev/null +++ b/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/0006-qemu-Add-some-user-space-mmap-tweaks-to-address-musl.patch 
@@ -0,0 +1,52 @@ +From 375cae3dd6151ef33cae8f243f6a2c2da6c0c356 Mon Sep 17 00:00:00 2001 +From: Richard Purdie <richard.purdie@linuxfoundation.org> +Date: Fri, 8 Jan 2021 17:27:06 +0000 +Subject: [PATCH 06/12] qemu: Add some user space mmap tweaks to address musl + 32 bit + +When using qemu-i386 to build qemux86 webkitgtk on musl, it sits in an +infinite loop of mremap calls of ever decreasing/increasing addresses. + +I suspect something in the musl memory allocation code loops indefinitely +if it only sees ENOMEM and only exits when it hits EFAULT. + +According to the docs, trying to mremap outside the address space +can/should return EFAULT and changing this allows the build to succeed. + +A better return value for the other cases of invalid addresses is EINVAL +rather than ENOMEM so adjust the other part of the test to this. + +Upstream-Status: Submitted [https://lists.gnu.org/archive/html/qemu-devel/2021-01/msg01355.html] +Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org + +--- + linux-user/mmap.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/linux-user/mmap.c b/linux-user/mmap.c +index c125031b9..e651834a5 100644 +--- a/linux-user/mmap.c ++++ b/linux-user/mmap.c +@@ -749,12 +749,16 @@ abi_long target_mremap(abi_ulong old_addr, abi_ulong old_size, + int prot; + void *host_addr; + +- if (!guest_range_valid_untagged(old_addr, old_size) || +- ((flags & MREMAP_FIXED) && ++ if (!guest_range_valid_untagged(old_addr, old_size)) { ++ errno = EFAULT; ++ return -1; ++ } ++ ++ if (((flags & MREMAP_FIXED) && + !guest_range_valid_untagged(new_addr, new_size)) || + ((flags & MREMAP_MAYMOVE) == 0 && + !guest_range_valid_untagged(old_addr, new_size))) { +- errno = ENOMEM; ++ errno = EINVAL; + return -1; + } + +-- +2.30.2 + 
diff --git a/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/0007-qemu-Determinism-fixes.patch b/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/0007-qemu-Determinism-fixes.patch new file mode 100644 index 00000000..0d7dae36 --- /dev/null +++ b/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/0007-qemu-Determinism-fixes.patch @@ -0,0 +1,34 @@ +From 50bab5c2605b609ea7ea154f57a9be96d656725a Mon Sep 17 00:00:00 2001 +From: Richard Purdie <richard.purdie@linuxfoundation.org> +Date: Mon, 1 Mar 2021 13:00:47 +0000 +Subject: [PATCH 07/12] qemu: Determinism fixes + +When sources are included within debug information, a couple of areas of the +qemu build are not reproducible due to either full buildpaths or timestamps. + +Replace the full paths with relative ones. I couldn't figure out how to get +meson to pass relative paths but we can fix that in the script. + +Upstream-Status: Pending [some version of all/part of this may be accepted] +RP 2021/3/1 + +--- + scripts/decodetree.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/scripts/decodetree.py b/scripts/decodetree.py +index a03dc6b5e..4ea24c1f3 100644 +--- a/scripts/decodetree.py ++++ b/scripts/decodetree.py +@@ -1328,7 +1328,7 @@ def main(): + toppat = ExcMultiPattern(0) + + for filename in args: +- input_file = filename ++ input_file = os.path.relpath(filename) + f = open(filename, 'rt', encoding='utf-8') + parse_file(f, toppat) + f.close() +-- +2.30.2 + diff --git a/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/0008-tests-meson.build-use-relative-path-to-refer-to-file.patch b/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/0008-tests-meson.build-use-relative-path-to-refer-to-file.patch new file mode 100644 index 00000000..43d3c7cf --- /dev/null +++ b/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/0008-tests-meson.build-use-relative-path-to-refer-to-file.patch 
@@ -0,0 +1,38 @@ +From 2bf9388b801d4389e2d57e95a7897bfc1c42786e Mon Sep 17 00:00:00 2001 +From: Changqing Li <changqing.li@windriver.com> +Date: Thu, 14 Jan 2021 06:33:04 +0000 +Subject: [PATCH 08/12] tests/meson.build: use relative path to refer to files + +Fix error like: +Fatal error: can't create tests/ptimer-test.p/..._qemu-5.2.0_hw_core_ptimer.c.o: File name too long + +when build path is too long, use meson.source_root() will make this +filename too long. Fixed by using relative path to refer to files + +Upstream-Status: Submitted [send to qemu-devel] + +Signed-off-by: Changqing Li <changqing.li@windriver.com> + +--- + tests/unit/meson.build | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tests/unit/meson.build b/tests/unit/meson.build +index 96b295263..e4c3246dc 100644 +--- a/tests/unit/meson.build ++++ b/tests/unit/meson.build +@@ -44,9 +44,9 @@ tests = { + 'test-keyval': [testqapi], + 'test-logging': [], + 'test-uuid': [], +- 'ptimer-test': ['ptimer-test-stubs.c', meson.project_source_root() / 'hw/core/ptimer.c'], ++ 'ptimer-test': ['ptimer-test-stubs.c', '../../hw/core/ptimer.c'], + 'test-qapi-util': [], +- 'test-smp-parse': [qom, meson.project_source_root() / 'hw/core/machine-smp.c'], ++ 'test-smp-parse': [qom, '../../hw/core/machine-smp.c'], + } + + if have_system or have_tools +-- +2.30.2 + diff --git a/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/0009-Define-MAP_SYNC-and-MAP_SHARED_VALIDATE-on-needed-li.patch b/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/0009-Define-MAP_SYNC-and-MAP_SHARED_VALIDATE-on-needed-li.patch new file mode 100644 index 00000000..23d0a698 --- /dev/null +++ b/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/0009-Define-MAP_SYNC-and-MAP_SHARED_VALIDATE-on-needed-li.patch 
@@ -0,0 +1,49 @@ +From ebf4bb2f51da83af0c61480414cfa156f7308b34 Mon Sep 17 00:00:00 2001 +From: Khem Raj <raj.khem@gmail.com> +Date: Mon, 21 Mar 2022 10:09:38 -0700 +Subject: [PATCH 09/12] Define MAP_SYNC and MAP_SHARED_VALIDATE on needed linux + systems + +linux only wires MAP_SYNC and MAP_SHARED_VALIDATE for architectures +which include asm-generic/mman.h and mips/powerpc are not including this +file in linux/mman.h, therefore these should be defined for such +architectures on Linux as well. This fixes build on mips/musl/linux + +Upstream-Status: Submitted [https://lists.nongnu.org/archive/html/qemu-devel/2022-03/msg05298.html] +Signed-off-by: Khem Raj <raj.khem@gmail.com> +Cc: Zhang Yi <yi.z.zhang@linux.intel.com> +Cc: Michael S. Tsirkin <mst@redhat.com> + +--- + util/mmap-alloc.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/util/mmap-alloc.c b/util/mmap-alloc.c +index 893d86435..86d3cda24 100644 +--- a/util/mmap-alloc.c ++++ b/util/mmap-alloc.c +@@ -10,14 +10,18 @@ + * later. See the COPYING file in the top-level directory. + */ + ++#include "qemu/osdep.h" + #ifdef CONFIG_LINUX + #include <linux/mman.h> +-#else /* !CONFIG_LINUX */ ++#endif /* CONFIG_LINUX */ ++ ++#ifndef MAP_SYNC + #define MAP_SYNC 0x0 ++#endif /* MAP_SYNC */ ++#ifndef MAP_SHARED_VALIDATE + #define MAP_SHARED_VALIDATE 0x0 +-#endif /* CONFIG_LINUX */ ++#endif /* MAP_SHARED_VALIDATE */ + +-#include "qemu/osdep.h" + #include "qemu/mmap-alloc.h" + #include "qemu/host-utils.h" + #include "qemu/cutils.h" +-- +2.30.2 + diff --git a/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch b/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch new file mode 100644 index 00000000..810c74fa --- /dev/null +++ b/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch 
@@ -0,0 +1,43 @@ +CVE: CVE-2022-1050 +Upstream-Status: Submitted [https://lore.kernel.org/qemu-devel/20220403095234.2210-1-yuval.shaia.ml@gmail.com/] +Signed-off-by: Ross Burton <ross.burton@arm.com> + +From dbdef95c272e8f3ec037c3db4197c66002e30995 Mon Sep 17 00:00:00 2001 +From: Yuval Shaia <yuval.shaia.ml@gmail.com> +Date: Sun, 3 Apr 2022 12:52:34 +0300 +Subject: [PATCH] hw/pvrdma: Protect against buggy or malicious guest driver + +Guest driver might execute HW commands when shared buffers are not yet +allocated. +This could happen on purpose (malicious guest) or because of some other +guest/host address mapping error. +We need to protect againts such case. + +Fixes: CVE-2022-1050 + +Reported-by: Raven <wxhusst@gmail.com> +Signed-off-by: Yuval Shaia <yuval.shaia.ml@gmail.com> +--- + hw/rdma/vmw/pvrdma_cmd.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c +index da7ddfa548..89db963c46 100644 +--- a/hw/rdma/vmw/pvrdma_cmd.c ++++ b/hw/rdma/vmw/pvrdma_cmd.c +@@ -796,6 +796,12 @@ int pvrdma_exec_cmd(PVRDMADev *dev) + + dsr_info = &dev->dsr_info; + ++ if (!dsr_info->dsr) { ++ /* Buggy or malicious guest driver */ ++ rdma_error_report("Exec command without dsr, req or rsp buffers"); ++ goto out; ++ } ++ + if (dsr_info->req->hdr.cmd >= sizeof(cmd_handlers) / + sizeof(struct cmd_handler)) { + rdma_error_report("Unsupported command"); +-- +2.34.1 + diff --git a/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/CVE-2022-3165.patch b/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/CVE-2022-3165.patch new file mode 100644 index 00000000..3b4a6694 --- /dev/null +++ b/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/CVE-2022-3165.patch 
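Review bot: The added guard in `pvrdma_exec_cmd` tests only `dsr_info->dsr`, yet the error text names the req and rsp buffers and the very next context line dereferences `dsr_info->req->hdr.cmd`; if `req` or `rsp` can be NULL while `dsr` is set (not visible from this hunk — presumably all three are mapped together in the DSR load path, confirm), the NULL dereference this commit is meant to block is still reachable. Checking all three makes the guard match its message: `if (!dsr_info->dsr || !dsr_info->req || !dsr_info->rsp) {`. The `out` label and the remainder of `pvrdma_exec_cmd` are outside the hunk.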
@@ -0,0 +1,59 @@ +CVE: CVE-2022-3165 +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@arm.com> + +From d307040b18bfcb1393b910f1bae753d5c12a4dc7 Mon Sep 17 00:00:00 2001 +From: Mauro Matteo Cascella <mcascell@redhat.com> +Date: Sun, 25 Sep 2022 22:45:11 +0200 +Subject: [PATCH] ui/vnc-clipboard: fix integer underflow in + vnc_client_cut_text_ext + +Extended ClientCutText messages start with a 4-byte header. If len < 4, +an integer underflow occurs in vnc_client_cut_text_ext. The result is +used to decompress data in a while loop in inflate_buffer, leading to +CPU consumption and denial of service. Prevent this by checking dlen in +protocol_client_msg. + +Fixes: CVE-2022-3165 +Fixes: 0bf41cab93e5 ("ui/vnc: clipboard support") +Reported-by: TangPeng <tangpeng@qianxin.com> +Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com> +Message-Id: <20220925204511.1103214-1-mcascell@redhat.com> +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +--- + ui/vnc.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/ui/vnc.c b/ui/vnc.c +index 6a05d06147..acb3629cd8 100644 +--- a/ui/vnc.c ++++ b/ui/vnc.c +@@ -2442,8 +2442,8 @@ static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len) + if (len == 1) { + return 8; + } ++ uint32_t dlen = abs(read_s32(data, 4)); + if (len == 8) { +- uint32_t dlen = abs(read_s32(data, 4)); + if (dlen > (1 << 20)) { + error_report("vnc: client_cut_text msg payload has %u bytes" + " which exceeds our limit of 1MB.", dlen); +@@ -2456,8 +2456,13 @@ static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len) + } + + if (read_s32(data, 4) < 0) { +- vnc_client_cut_text_ext(vs, abs(read_s32(data, 4)), +- read_u32(data, 8), data + 12); ++ if (dlen < 4) { ++ error_report("vnc: malformed payload (header less than 4 bytes)" ++ " in extended clipboard pseudo-encoding."); ++ vnc_client_error(vs); ++ break; ++ } ++ vnc_client_cut_text_ext(vs, dlen, read_u32(data, 8), data + 12); + break; + } 
+ vnc_client_cut_text(vs, read_u32(data, 4), data + 8); +-- +GitLab + diff --git a/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/arm-cpreg-fix.patch b/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/arm-cpreg-fix.patch new file mode 100644 index 00000000..071691f8 --- /dev/null +++ b/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/arm-cpreg-fix.patch @@ -0,0 +1,27 @@ +target/arm: mark SP_EL1 with ARM_CP_EL3_NO_EL2_KEEP + +SP_EL1 must be kept when EL3 is present but EL2 is not. Therefore mark +it with ARM_CP_EL3_NO_EL2_KEEP. + +Fixes: 696ba3771894 ("target/arm: Handle cpreg registration for missing EL") +Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org> + +Upstream-Status: Submitted [https://lists.gnu.org/archive/html/qemu-devel/2022-09/msg04515.html] + +--- + target/arm/helper.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: qemu-7.1.0/target/arm/helper.c +=================================================================== +--- qemu-7.1.0.orig/target/arm/helper.c ++++ qemu-7.1.0/target/arm/helper.c +@@ -4971,7 +4971,7 @@ static const ARMCPRegInfo v8_cp_reginfo[ + .fieldoffset = offsetof(CPUARMState, sp_el[0]) }, + { .name = "SP_EL1", .state = ARM_CP_STATE_AA64, + .opc0 = 3, .opc1 = 4, .crn = 4, .crm = 1, .opc2 = 0, +- .access = PL2_RW, .type = ARM_CP_ALIAS, ++ .access = PL2_RW, .type = ARM_CP_ALIAS | ARM_CP_EL3_NO_EL2_KEEP, + .fieldoffset = offsetof(CPUARMState, sp_el[1]) }, + { .name = "SPSel", .state = ARM_CP_STATE_AA64, + .opc0 = 3, .opc1 = 0, .crn = 4, .crm = 2, .opc2 = 0, diff --git a/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/cross.patch b/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/cross.patch new file mode 100644 index 00000000..ca2ad361 --- /dev/null +++ b/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/cross.patch 
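Review bot: The hoisted `uint32_t dlen = abs(read_s32(data, 4));` applies `abs()` to a client-controlled value that `read_s32` presumably returns as a signed 32-bit int, and `abs(INT32_MIN)` is undefined behaviour in C (the result is not representable), so a crafted length word still reaches UB before the new `dlen < 4` check runs. Compute the magnitude in unsigned arithmetic instead, e.g. `int32_t slen = read_s32(data, 4); uint32_t dlen = slen < 0 ? 0u - (uint32_t)slen : (uint32_t)slen;`, and reuse `slen < 0` for the extended-clipboard test below so the header word is read once. `protocol_client_msg` continues outside the hunk.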
@@ -0,0 +1,38 @@
+From 76c3fc4c87231bed32974ebbbdb5079cff45a6b7 Mon Sep 17 00:00:00 2001
+From: Richard Purdie <richard.purdie@linuxfoundation.org>
+Date: Tue, 5 Jan 2021 23:00:14 +0000
+Subject: [PATCH 12/12] qemu: Upgrade 5.1.0->5.2.0
+
+We need to be able to trigger configure's cross code but we don't want
+to set cross_prefix as it does other things we don't want. Patch things
+so we can do what we need in the target config case.
+
+Upstream-Status: Inappropriate [may be rewritten in a way upstream may accept?]
+Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
+
+---
+ configure | 4 ----
+ 1 file changed, 4 deletions(-)
+
+Index: qemu-7.1.0/configure
+===================================================================
+--- qemu-7.1.0.orig/configure
++++ qemu-7.1.0/configure
+@@ -2710,7 +2710,6 @@ if test "$skip_meson" = no; then
+ echo "strip = [$(meson_quote $strip)]" >> $cross
+ echo "widl = [$(meson_quote $widl)]" >> $cross
+ echo "windres = [$(meson_quote $windres)]" >> $cross
+- if test "$cross_compile" = "yes"; then
+ cross_arg="--cross-file config-meson.cross"
+ echo "[host_machine]" >> $cross
+ echo "system = '$targetos'" >> $cross
+@@ -2728,9 +2727,6 @@ if test "$skip_meson" = no; then
+ else
+ echo "endian = 'little'" >> $cross
+ fi
+- else
+- cross_arg="--native-file config-meson.cross"
+- fi
+ mv $cross config-meson.cross
+
+ rm -rf meson-private meson-info meson-logs
diff --git a/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/powerpc_rom.bin b/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/powerpc_rom.bin
Binary files differ
new file mode 100644
index 00000000..c4044296
--- /dev/null
+++ b/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/powerpc_rom.bin
diff --git a/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/qemu-7.0.0-glibc-2.36.patch b/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/qemu-7.0.0-glibc-2.36.patch
new file mode 100644
index 00000000..abad1cfe
--- /dev/null
+++ b/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/qemu-7.0.0-glibc-2.36.patch
@@ -0,0 +1,46 @@
+Avoid conflicts between sys/mount.h and linux/mount.h that are seen
+with glibc 2.36
+
+Source: https://github.com/archlinux/svntogit-packages/blob/packages/qemu/trunk/qemu-7.0.0-glibc-2.36.patch
+
+Upstream-Status: Pending
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+--- a/linux-user/syscall.c
++++ b/linux-user/syscall.c
+@@ -95,7 +95,25 @@
+ #include <linux/soundcard.h>
+ #include <linux/kd.h>
+ #include <linux/mtio.h>
++
++#ifdef HAVE_SYS_MOUNT_FSCONFIG
++/*
++ * glibc >= 2.36 linux/mount.h conflicts with sys/mount.h,
++ * which in turn prevents use of linux/fs.h. So we have to
++ * define the constants ourselves for now.
++ */
++#define FS_IOC_GETFLAGS _IOR('f', 1, long)
++#define FS_IOC_SETFLAGS _IOW('f', 2, long)
++#define FS_IOC_GETVERSION _IOR('v', 1, long)
++#define FS_IOC_SETVERSION _IOW('v', 2, long)
++#define FS_IOC_FIEMAP _IOWR('f', 11, struct fiemap)
++#define FS_IOC32_GETFLAGS _IOR('f', 1, int)
++#define FS_IOC32_SETFLAGS _IOW('f', 2, int)
++#define FS_IOC32_GETVERSION _IOR('v', 1, int)
++#define FS_IOC32_SETVERSION _IOW('v', 2, int)
++#else
+ #include <linux/fs.h>
++#endif
+ #include <linux/fd.h>
+ #if defined(CONFIG_FIEMAP)
+ #include <linux/fiemap.h>
+--- a/meson.build
++++ b/meson.build
+@@ -1686,6 +1686,8 @@ config_host_data.set('HAVE_OPTRESET',
+ cc.has_header_symbol('getopt.h', 'optreset'))
+ config_host_data.set('HAVE_IPPROTO_MPTCP',
+ cc.has_header_symbol('netinet/in.h', 'IPPROTO_MPTCP'))
++config_host_data.set('HAVE_SYS_MOUNT_FSCONFIG',
++ cc.has_header_symbol('sys/mount.h', 'FSCONFIG_SET_FLAG'))
+
+ # has_member
+ config_host_data.set('HAVE_SIGEV_NOTIFY_THREAD_ID',
diff --git a/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/run-ptest b/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/run-ptest
new file mode 100644
index 00000000..f9a4e8fb
--- /dev/null
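Review bot: The nine `#define FS_IOC_*` lines under `HAVE_SYS_MOUNT_FSCONFIG` duplicate kernel UAPI values with nothing tying them to their origin, and `FS_IOC_FIEMAP` expands to `struct fiemap`, which this file only gets from `<linux/fiemap.h>` under `CONFIG_FIEMAP` a few lines further down; the comment block should say both, e.g. extend it with ` * Values mirror the kernel's linux/fs.h; keep them in sync. FS_IOC_FIEMAP` / ` * needs struct fiemap from linux/fiemap.h, so only use it under CONFIG_FIEMAP.`. The `#else` branch also means `<linux/fs.h>` is not included at all on glibc >= 2.36, so any other symbol syscall.c takes from that header (not visible in this hunk) would fail to compile there, and a one-line note to that effect would save the next person adding an FS_* ioctl a confusing build break. The meson.build probe for `FSCONFIG_SET_FLAG` is a reasonable proxy for the conflicting header, but its name reads as a feature test rather than a workaround switch, so a short comment above it stating why it exists would help.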
+++ b/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/run-ptest
@@ -0,0 +1,13 @@
+#!/bin/sh
+#
+#This script is used to run qemu test suites
+#
+
+ptestdir=$(dirname "$(readlink -f "$0")")
+export SRC_PATH=$ptestdir
+
+cd $ptestdir/tests
+tests=$(find . -name "test-*" ! -name "*.p")
+for f in $tests; do
+ $f | sed '/^ok/ s/ok/PASS:/g'
+done |
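Review bot: `sed '/^ok/ s/ok/PASS:/g'` rewrites every `ok` on a passing line, so a test name containing that substring (token, hook, ...) is mangled in the report, and lines that do not start with `ok` — including TAP `not ok` failures, if that is what these binaries emit — pass through unchanged, so a failing test never surfaces as `FAIL:` to the ptest harness; anchor the match and cover both cases: `$f | sed -e 's/^ok /PASS: /' -e 's/^not ok /FAIL: /'`. `cd $ptestdir/tests` is unquoted and unchecked, so if the directory is missing `find` silently walks the current directory instead; use `cd "$ptestdir/tests" || exit 1`. The pipe also discards each test binary's exit status, which deserves a comment if that is intended. Quoting `"$f"` in the loop body would keep paths intact, though `for f in $tests` already word-splits the find output.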