qemu: Upgrade from 3.1.0 to 4.0.0

This commit upgrades QEMU to the latest 4.0.0 release.

 - The COPYING.LIB file has changed SHA to:
    "Synchronize the LGPL 2.1 with the version from gnu.org"
 - SDL 1.2 has been removed, along with the --with-sdlabi command line
    arg
 - The backported patches have been removed
 - All the other patches have been refreshed and the numbering has been
    updated

(From OE-Core rev: fed2a0f37a76732cd3de1b127d6902fb16dd4e05)

Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Alistair Francis
2019-05-02 04:09:27 +00:00
committed by Richard Purdie
parent 3d19803cbd
commit 69085ccb29
29 changed files with 583 additions and 769 deletions


@@ -24,7 +24,7 @@ BINUVERSION ?= "2.32%"
GDBVERSION ?= "8.2%"
GLIBCVERSION ?= "2.29%"
LINUXLIBCVERSION ?= "5.0%"
QEMUVERSION ?= "3.1%"
QEMUVERSION ?= "4.0%"
GOVERSION ?= "1.12%"
PREFERRED_VERSION_gcc ?= "${GCCVERSION}"


@@ -3,8 +3,8 @@ inherit native
require qemu.inc
SRC_URI_append = " \
file://0012-fix-libcap-header-issue-on-some-distro.patch \
file://0013-cpus.c-Add-error-messages-when-qemi_cpu_kick_thread-.patch \
file://0011-fix-libcap-header-issue-on-some-distro.patch \
file://0012-cpus.c-Add-error-messages-when-qemi_cpu_kick_thread-.patch \
"
EXTRA_OECONF_append = " --python=python2.7"


@@ -20,4 +20,5 @@ do_install_append() {
# The following is also installed by qemu-native
rm -f ${D}${datadir}/qemu/trace-events-all
rm -rf ${D}${datadir}/qemu/keymaps
rm -rf ${D}${datadir}/icons/
}


@@ -5,36 +5,27 @@ LICENSE = "GPLv2 & LGPLv2.1"
RDEPENDS_${PN}-ptest = "bash make"
LIC_FILES_CHKSUM = "file://COPYING;md5=441c28d2cf86e15a37fa47e15a72fbac \
file://COPYING.LIB;endline=24;md5=c04def7ae38850e7d3ef548588159913"
file://COPYING.LIB;endline=24;md5=8c5efda6cf1e1b03dcfd0e6c0d271c7f"
SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://powerpc_rom.bin \
file://0001-sdl.c-allow-user-to-disable-pointer-grabs.patch \
file://0002-qemu-Add-missing-wacom-HID-descriptor.patch \
file://0003-Add-subpackage-ptest-which-runs-all-unit-test-cases-.patch \
file://run-ptest \
file://0004-qemu-Add-addition-environment-space-to-boot-loader-q.patch \
file://0005-qemu-disable-Valgrind.patch \
file://0006-qemu-Limit-paths-searched-during-user-mode-emulation.patch \
file://0007-qemu-native-set-ld.bfd-fix-cflags-and-set-some-envir.patch \
file://0008-chardev-connect-socket-to-a-spawned-command.patch \
file://0009-apic-fixup-fallthrough-to-PIC.patch \
file://0010-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch \
file://0011-Revert-linux-user-fix-mmap-munmap-mprotect-mremap-sh.patch \
file://0001-Add-a-missing-X11-include.patch \
file://0001-egl-headless-add-egl_create_context.patch \
file://0014-fix-CVE-2018-16872.patch \
file://0015-fix-CVE-2018-20124.patch \
file://0016-fix-CVE-2018-20125.patch \
file://0017-fix-CVE-2018-20126.patch \
file://0018-fix-CVE-2018-20191.patch \
file://0019-fix-CVE-2018-20216.patch \
file://CVE-2019-3812.patch \
file://0001-qemu-Add-missing-wacom-HID-descriptor.patch \
file://0002-Add-subpackage-ptest-which-runs-all-unit-test-cases-.patch \
file://0003-qemu-Add-addition-environment-space-to-boot-loader-q.patch \
file://0004-qemu-disable-Valgrind.patch \
file://0005-qemu-Limit-paths-searched-during-user-mode-emulation.patch \
file://0006-qemu-native-set-ld.bfd-fix-cflags-and-set-some-envir.patch \
file://0007-chardev-connect-socket-to-a-spawned-command.patch \
file://0008-apic-fixup-fallthrough-to-PIC.patch \
file://0009-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch \
file://0010-Revert-linux-user-fix-mmap-munmap-mprotect-mremap-sh.patch \
file://0013-Revert-target-arm-Use-vector-operations-for-saturati.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
SRC_URI[md5sum] = "fb687ce0b02d3bf4327e36d3b99427a8"
SRC_URI[sha256sum] = "6a0508df079a0a33c2487ca936a56c12122f105b8a96a44374704bef6c69abfc"
SRC_URI[md5sum] = "0afeca336fd57ae3d3086ec07f59d708"
SRC_URI[sha256sum] = "13a93dfe75b86734326f8d5b475fde82ec692d5b5a338b4262aeeb6b0fa4e469"
COMPATIBLE_HOST_mipsarchn32 = "null"
COMPATIBLE_HOST_mipsarchn64 = "null"
@@ -133,7 +124,7 @@ make_qemu_wrapper() {
PACKAGECONFIG_remove_darwin = "kvm virglrenderer glx gtk+"
PACKAGECONFIG_remove_mingw32 = "kvm virglrenderer glx gtk+"
PACKAGECONFIG[sdl] = "--enable-sdl --with-sdlabi=2.0,--disable-sdl,libsdl2"
PACKAGECONFIG[sdl] = "--enable-sdl,--disable-sdl,libsdl2"
PACKAGECONFIG[virtfs] = "--enable-virtfs --enable-attr,--disable-virtfs,libcap attr,"
PACKAGECONFIG[aio] = "--enable-linux-aio,--disable-linux-aio,libaio,"
PACKAGECONFIG[xfs] = "--enable-xfsctl,--disable-xfsctl,xfsprogs,"
@@ -169,3 +160,5 @@ PACKAGECONFIG[usb-redir] = "--enable-usb-redir,--disable-usb-redir,usbredir"
PACKAGECONFIG[snappy] = "--enable-snappy,--disable-snappy,snappy"
INSANE_SKIP_${PN} = "arch"
FILES_${PN} += "${datadir}/icons"
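Review bot: The SRC_URI hunk drops the seven CVE backports that appear only on the old side of the list (0014-fix-CVE-2018-16872 through 0019-fix-CVE-2018-20216, plus CVE-2019-3812.patch) without the commit message or the recipe stating that the 4.0.0 release already contains those fixes; the description only says "the backported patches have been removed". Record in the commit message which of these CVEs are fixed in 4.0.0 upstream, so the removal can be audited against cve-check output for this recipe, and refresh rather than drop any patch whose fix is not in the release. The same section also changes both SRC_URI checksums and the COPYING.LIB md5, which is expected for the version bump but worth double-checking against the upstream tarball signature since the md5sum line offers no integrity protection on its own.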


@@ -1,65 +0,0 @@
From eb1a215a4f86dde4493c3e22ad9f6d698850915e Mon Sep 17 00:00:00 2001
From: Alexander Kanavin <alex.kanavin@gmail.com>
Date: Thu, 20 Dec 2018 18:06:29 +0100
Subject: [PATCH] egl-helpers.h: do not depend on X11 Window type, use
EGLNativeWindowType
It was assumed that mesa provides the necessary X11 includes,
but it is not always the case, as it can be configured without x11 support.
Upstream-Status: Submitted [http://lists.nongnu.org/archive/html/qemu-devel/2019-01/msg03706.html]
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
---
include/ui/egl-helpers.h | 2 +-
ui/egl-helpers.c | 4 ++--
ui/gtk-egl.c | 2 +-
3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/include/ui/egl-helpers.h b/include/ui/egl-helpers.h
index 9db7293b..3fc656a7 100644
--- a/include/ui/egl-helpers.h
+++ b/include/ui/egl-helpers.h
@@ -43,7 +43,7 @@ void egl_dmabuf_release_texture(QemuDmaBuf *dmabuf);
#endif
-EGLSurface qemu_egl_init_surface_x11(EGLContext ectx, Window win);
+EGLSurface qemu_egl_init_surface_x11(EGLContext ectx, EGLNativeWindowType win);
int qemu_egl_init_dpy_x11(EGLNativeDisplayType dpy, DisplayGLMode mode);
int qemu_egl_init_dpy_mesa(EGLNativeDisplayType dpy, DisplayGLMode mode);
diff --git a/ui/egl-helpers.c b/ui/egl-helpers.c
index 4f475142..5e115b3f 100644
--- a/ui/egl-helpers.c
+++ b/ui/egl-helpers.c
@@ -273,14 +273,14 @@ void egl_dmabuf_release_texture(QemuDmaBuf *dmabuf)
/* ---------------------------------------------------------------------- */
-EGLSurface qemu_egl_init_surface_x11(EGLContext ectx, Window win)
+EGLSurface qemu_egl_init_surface_x11(EGLContext ectx, EGLNativeWindowType win)
{
EGLSurface esurface;
EGLBoolean b;
esurface = eglCreateWindowSurface(qemu_egl_display,
qemu_egl_config,
- (EGLNativeWindowType)win, NULL);
+ win, NULL);
if (esurface == EGL_NO_SURFACE) {
error_report("egl: eglCreateWindowSurface failed");
return NULL;
diff --git a/ui/gtk-egl.c b/ui/gtk-egl.c
index 5420c236..1f941162 100644
--- a/ui/gtk-egl.c
+++ b/ui/gtk-egl.c
@@ -54,7 +54,7 @@ void gd_egl_init(VirtualConsole *vc)
}
vc->gfx.ectx = qemu_egl_init_ctx();
- vc->gfx.esurface = qemu_egl_init_surface_x11(vc->gfx.ectx, x11_window);
+ vc->gfx.esurface = qemu_egl_init_surface_x11(vc->gfx.ectx, (EGLNativeWindowType)x11_window);
assert(vc->gfx.esurface);
}


@@ -1,50 +0,0 @@
From 952e5d584f5aabe41298c278065fe628f3f7aa7a Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Thu, 29 Nov 2018 13:35:02 +0100
Subject: [PATCH] egl-headless: add egl_create_context
We must set the correct context (via eglMakeCurrent) before
calling qemu_egl_create_context, so we need a thin wrapper and can't
hook qemu_egl_create_context directly as ->dpy_gl_ctx_create callback.
Reported-by: Frederik Carlier <frederik.carlier@quamotion.mobi>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 20181129123502.30129-1-kraxel@redhat.com
Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=952e5d584f5aabe41298c278065fe628f3f7aa7a]
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
---
ui/egl-headless.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/ui/egl-headless.c b/ui/egl-headless.c
index 4cf3bbc0e4..519e7bad32 100644
--- a/ui/egl-headless.c
+++ b/ui/egl-headless.c
@@ -38,6 +38,14 @@ static void egl_gfx_switch(DisplayChangeListener *dcl,
edpy->ds = new_surface;
}
+static QEMUGLContext egl_create_context(DisplayChangeListener *dcl,
+ QEMUGLParams *params)
+{
+ eglMakeCurrent(qemu_egl_display, EGL_NO_SURFACE, EGL_NO_SURFACE,
+ qemu_egl_rn_ctx);
+ return qemu_egl_create_context(dcl, params);
+}
+
static void egl_scanout_disable(DisplayChangeListener *dcl)
{
egl_dpy *edpy = container_of(dcl, egl_dpy, dcl);
@@ -150,7 +158,7 @@ static const DisplayChangeListenerOps egl_ops = {
.dpy_gfx_update = egl_gfx_update,
.dpy_gfx_switch = egl_gfx_switch,
- .dpy_gl_ctx_create = qemu_egl_create_context,
+ .dpy_gl_ctx_create = egl_create_context,
.dpy_gl_ctx_destroy = qemu_egl_destroy_context,
.dpy_gl_ctx_make_current = qemu_egl_make_context_current,
.dpy_gl_ctx_get_current = qemu_egl_get_current_context,
--
2.17.1


@@ -1,4 +1,4 @@
From 7ac3c84f28866491c58cc0f52a25a706949c8ef3 Mon Sep 17 00:00:00 2001
From 1cb804cf0e47116202011f3386b4739af668224a Mon Sep 17 00:00:00 2001
From: Richard Purdie <richard.purdie@linuxfoundation.org>
Date: Thu, 27 Nov 2014 14:04:29 +0000
Subject: [PATCH] qemu: Add missing wacom HID descriptor


@@ -1,72 +0,0 @@
From c53ddb5acbee56db6423f369b9f9a9b62501b4af Mon Sep 17 00:00:00 2001
From: Ross Burton <ross.burton@intel.com>
Date: Wed, 18 Sep 2013 14:04:54 +0100
Subject: [PATCH] sdl.c: allow user to disable pointer grabs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When the pointer enters the Qemu window it calls SDL_WM_GrabInput, which calls
XGrabPointer in a busyloop until it returns GrabSuccess. However if there's already
a pointer grab (screen is locked, a menu is open) then qemu will hang until the
grab can be taken. In the specific case of a headless X server on an autobuilder, once
the screensaver has kicked in any qemu instance that appears underneath the
pointer will hang.
I'm not entirely sure why pointer grabs are required (the documentation
explicitly says it doesn't do grabs when using a tablet, which we are) so wrap
them in a conditional that can be set by the autobuilder environment, preserving
the current grabbing behaviour for everyone else.
Upstream-Status: Pending
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Eric Bénard <eric@eukrea.com>
---
ui/sdl.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/ui/sdl.c b/ui/sdl.c
index 190b16f5..aa89471d 100644
--- a/ui/sdl.c
+++ b/ui/sdl.c
@@ -69,6 +69,11 @@ static int idle_counter;
static const guint16 *keycode_map;
static size_t keycode_maplen;
+#ifndef True
+#define True 1
+#endif
+static doing_grabs = True;
+
#define SDL_REFRESH_INTERVAL_BUSY 10
#define SDL_MAX_IDLE_COUNT (2 * GUI_REFRESH_INTERVAL_DEFAULT \
/ SDL_REFRESH_INTERVAL_BUSY + 1)
@@ -399,14 +404,16 @@ static void sdl_grab_start(void)
}
} else
sdl_hide_cursor();
- SDL_WM_GrabInput(SDL_GRAB_ON);
+ if (doing_grabs)
+ SDL_WM_GrabInput(SDL_GRAB_ON);
gui_grab = 1;
sdl_update_caption();
}
static void sdl_grab_end(void)
{
- SDL_WM_GrabInput(SDL_GRAB_OFF);
+ if (doing_grabs)
+ SDL_WM_GrabInput(SDL_GRAB_OFF);
gui_grab = 0;
sdl_show_cursor();
sdl_update_caption();
@@ -945,6 +952,8 @@ static void sdl1_display_init(DisplayState *ds, DisplayOptions *o)
* This requires SDL >= 1.2.14. */
setenv("SDL_DISABLE_LOCK_KEYS", "1", 1);
+ doing_grabs = (getenv("QEMU_DONT_GRAB") == NULL);
+
flags = SDL_INIT_VIDEO | SDL_INIT_NOPARACHUTE;
if (SDL_Init (flags)) {
fprintf(stderr, "Could not initialize SDL(%s) - exiting\n",


@@ -1,4 +1,4 @@
From aac8834bfd5b79e724f2593895847b50968a1223 Mon Sep 17 00:00:00 2001
From 281116b31981b0b9e174bda8abe00f4eaa33c2ae Mon Sep 17 00:00:00 2001
From: Juro Bystricky <juro.bystricky@intel.com>
Date: Thu, 31 Aug 2017 11:06:56 -0700
Subject: [PATCH] Add subpackage -ptest which runs all unit test cases for
@@ -15,10 +15,10 @@ Signed-off-by: Juro Bystricky <juro.bystricky@intel.com>
1 file changed, 8 insertions(+)
diff --git a/tests/Makefile.include b/tests/Makefile.include
index fb0b449c..afedabd4 100644
index 36fc73fe..01fecd4d 100644
--- a/tests/Makefile.include
+++ b/tests/Makefile.include
@@ -967,4 +967,12 @@ all: $(QEMU_IOTESTS_HELPERS-y)
@@ -1184,4 +1184,12 @@ all: $(QEMU_IOTESTS_HELPERS-y)
-include $(wildcard tests/*.d)
-include $(wildcard tests/libqos/*.d)


@@ -1,4 +1,4 @@
From 3de7a5635093c31dcb960ce9dff27da629b85d4d Mon Sep 17 00:00:00 2001
From bf04acef9ec31ddcc18ddbb4ac5b7b1e7368bf7d Mon Sep 17 00:00:00 2001
From: Jason Wessel <jason.wessel@windriver.com>
Date: Fri, 28 Mar 2014 17:42:43 +0800
Subject: [PATCH] qemu: Add addition environment space to boot loader
@@ -19,10 +19,10 @@ Signed-off-by: Roy Li <rongqing.li@windriver.com>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/mips/mips_malta.c b/hw/mips/mips_malta.c
index c1cf0fe1..decffd2f 100644
index 439665ab..285c78ef 100644
--- a/hw/mips/mips_malta.c
+++ b/hw/mips/mips_malta.c
@@ -62,7 +62,7 @@
@@ -60,7 +60,7 @@
#define ENVP_ADDR 0x80002000l
#define ENVP_NB_ENTRIES 16


@@ -1,4 +1,4 @@
From 32e8a94b6ae664d9b5689e19d495e304c0f41954 Mon Sep 17 00:00:00 2001
From e40f797548bc3ff06c71b6cbe042a46406894d18 Mon Sep 17 00:00:00 2001
From: Ross Burton <ross.burton@intel.com>
Date: Tue, 20 Oct 2015 22:19:08 +0100
Subject: [PATCH] qemu: disable Valgrind
@@ -13,10 +13,10 @@ Signed-off-by: Ross Burton <ross.burton@intel.com>
1 file changed, 9 deletions(-)
diff --git a/configure b/configure
index 0a3c6a72..069e0daa 100755
index 1c563a70..eaf9bb5e 100755
--- a/configure
+++ b/configure
@@ -5044,15 +5044,6 @@ fi
@@ -5311,15 +5311,6 @@ fi
# check if we have valgrind/valgrind.h
valgrind_h=no


@@ -1,4 +1,4 @@
From 02f80ee81681b6307a8032128a07686183662270 Mon Sep 17 00:00:00 2001
From 547c3710a1493d2fd6bb56b819cf162db433756a Mon Sep 17 00:00:00 2001
From: Richard Purdie <richard.purdie@linuxfoundation.org>
Date: Wed, 9 Mar 2016 22:49:02 +0000
Subject: [PATCH] qemu: Limit paths searched during user mode emulation


@@ -1,4 +1,4 @@
From 74bce35b71f4733c13e96f96e25956ff943fae20 Mon Sep 17 00:00:00 2001
From 107fd860529a3c1319d54c3c225758457b0d9394 Mon Sep 17 00:00:00 2001
From: Stephen Arnold <sarnold@vctlabs.com>
Date: Sun, 12 Jun 2016 18:09:56 -0700
Subject: [PATCH] qemu-native: set ld.bfd, fix cflags, and set some environment
@@ -10,10 +10,10 @@ Upstream-Status: Pending
1 file changed, 4 deletions(-)
diff --git a/configure b/configure
index 069e0daa..5b97f3c1 100755
index eaf9bb5e..de2933d1 100755
--- a/configure
+++ b/configure
@@ -5622,10 +5622,6 @@ write_c_skeleton
@@ -5928,10 +5928,6 @@ write_c_skeleton
if test "$gcov" = "yes" ; then
CFLAGS="-fprofile-arcs -ftest-coverage -g $CFLAGS"
LDFLAGS="-fprofile-arcs -ftest-coverage $LDFLAGS"


@@ -1,4 +1,4 @@
From 9c1e976290e87a83ab1bfe38eb7ff3521ff0d684 Mon Sep 17 00:00:00 2001
From 136e159482a1bc8676cbe6e767055d0c3fb20065 Mon Sep 17 00:00:00 2001
From: Alistair Francis <alistair.francis@xilinx.com>
Date: Thu, 21 Dec 2017 11:35:16 -0800
Subject: [PATCH] chardev: connect socket to a spawned command
@@ -46,17 +46,17 @@ Upstream-Status: Inappropriate [embedded specific]
Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
---
chardev/char-socket.c | 102 ++++++++++++++++++++++++++++++++++++++++++
chardev/char-socket.c | 101 ++++++++++++++++++++++++++++++++++++++++++
chardev/char.c | 3 ++
qapi/char.json | 5 +++
3 files changed, 110 insertions(+)
3 files changed, 109 insertions(+)
diff --git a/chardev/char-socket.c b/chardev/char-socket.c
index eaa8e8b6..959ed183 100644
index 3916505d..a8e9dce8 100644
--- a/chardev/char-socket.c
+++ b/chardev/char-socket.c
@@ -987,6 +987,68 @@ static gboolean socket_reconnect_timeout(gpointer opaque)
return false;
@@ -1273,6 +1273,67 @@ static bool qmp_chardev_validate_socket(ChardevSocket *sock,
return true;
}
+#ifndef _WIN32
@@ -120,11 +120,10 @@ index eaa8e8b6..959ed183 100644
+ }
+}
+#endif
+
static void qmp_chardev_open_socket(Chardev *chr,
ChardevBackend *backend,
bool *be_opened,
@@ -994,6 +1056,9 @@ static void qmp_chardev_open_socket(Chardev *chr,
@@ -1281,6 +1342,9 @@ static void qmp_chardev_open_socket(Chardev *chr,
{
SocketChardev *s = SOCKET_CHARDEV(chr);
ChardevSocket *sock = backend->u.socket.data;
@@ -134,9 +133,9 @@ index eaa8e8b6..959ed183 100644
bool do_nodelay = sock->has_nodelay ? sock->nodelay : false;
bool is_listen = sock->has_server ? sock->server : true;
bool is_telnet = sock->has_telnet ? sock->telnet : false;
@@ -1072,6 +1137,14 @@ static void qmp_chardev_open_socket(Chardev *chr,
s->reconnect_time = reconnect;
}
@@ -1346,6 +1410,14 @@ static void qmp_chardev_open_socket(Chardev *chr,
update_disconnected_filename(s);
+#ifndef _WIN32
+ if (cmd) {
@@ -146,13 +145,13 @@ index eaa8e8b6..959ed183 100644
+ *be_opened = true;
+ } else
+#endif
if (s->reconnect_time) {
tcp_chr_connect_async(chr);
} else {
@@ -1131,9 +1204,26 @@ static void qemu_chr_parse_socket(QemuOpts *opts, ChardevBackend *backend,
if (s->is_listen) {
if (qmp_chardev_open_socket_server(chr, is_telnet || is_tn3270,
is_waitconnect, errp) < 0) {
@@ -1365,9 +1437,26 @@ static void qemu_chr_parse_socket(QemuOpts *opts, ChardevBackend *backend,
const char *host = qemu_opt_get(opts, "host");
const char *port = qemu_opt_get(opts, "port");
const char *fd = qemu_opt_get(opts, "fd");
const char *tls_creds = qemu_opt_get(opts, "tls-creds");
+#ifndef _WIN32
+ const char *cmd = qemu_opt_get(opts, "cmd");
+#endif
@@ -166,7 +165,7 @@ index eaa8e8b6..959ed183 100644
+ * spawning a command, otherwise unmodified code that doesn't know about
+ * command spawning (like socket_reconnect_timeout()) might get called.
+ */
+ if (path || is_listen || is_telnet || is_tn3270 || reconnect || host || port || tls_creds) {
+ if (path || sock->server || sock->has_telnet || sock->has_tn3270 || sock->reconnect || host || port || sock->tls_creds) {
+ error_setg(errp, "chardev: socket: cmd does not support any additional options");
+ return;
+ }
@@ -176,14 +175,14 @@ index eaa8e8b6..959ed183 100644
if ((!!path + !!fd + !!host) != 1) {
error_setg(errp,
"Exactly one of 'path', 'fd' or 'host' required");
@@ -1180,12 +1270,24 @@ static void qemu_chr_parse_socket(QemuOpts *opts, ChardevBackend *backend,
sock->reconnect = reconnect;
sock->tls_creds = g_strdup(tls_creds);
@@ -1410,12 +1499,24 @@ static void qemu_chr_parse_socket(QemuOpts *opts, ChardevBackend *backend,
sock->has_tls_authz = qemu_opt_get(opts, "tls-authz");
sock->tls_authz = g_strdup(qemu_opt_get(opts, "tls-authz"));
+#ifndef _WIN32
+ sock->cmd = g_strdup(cmd);
+#endif
+
+
addr = g_new0(SocketAddressLegacy, 1);
+#ifndef _WIN32
+ if (path || cmd) {
@@ -202,10 +201,10 @@ index eaa8e8b6..959ed183 100644
addr->type = SOCKET_ADDRESS_LEGACY_KIND_INET;
addr->u.inet.data = g_new(InetSocketAddress, 1);
diff --git a/chardev/char.c b/chardev/char.c
index 152dde53..62d5b578 100644
index 514cd6b0..36a40d67 100644
--- a/chardev/char.c
+++ b/chardev/char.c
@@ -818,6 +818,9 @@ QemuOptsList qemu_chardev_opts = {
@@ -835,6 +835,9 @@ QemuOptsList qemu_chardev_opts = {
},{
.name = "path",
.type = QEMU_OPT_STRING,
@@ -216,10 +215,10 @@ index 152dde53..62d5b578 100644
.name = "host",
.type = QEMU_OPT_STRING,
diff --git a/qapi/char.json b/qapi/char.json
index 79bac598..97bd161a 100644
index a6e81ac7..517962c6 100644
--- a/qapi/char.json
+++ b/qapi/char.json
@@ -242,6 +242,10 @@
@@ -247,6 +247,10 @@
#
# @addr: socket address to listen on (server=true)
# or connect to (server=false)
@@ -228,13 +227,13 @@ index 79bac598..97bd161a 100644
+# is used by the chardev. Either an addr or a cmd can
+# be specified, but not both.
# @tls-creds: the ID of the TLS credentials object (since 2.6)
# @server: create server socket (default: true)
# @wait: wait for incoming connection on server
@@ -261,6 +265,7 @@
# Since: 1.4
# @tls-authz: the ID of the QAuthZ authorization object against which
# the client's x509 distinguished name will be validated. This
@@ -272,6 +276,7 @@
##
{ 'struct': 'ChardevSocket', 'data': { 'addr' : 'SocketAddressLegacy',
+ '*cmd' : 'str',
'*tls-creds' : 'str',
'*server' : 'bool',
'*wait' : 'bool',
{ 'struct': 'ChardevSocket',
'data': { 'addr': 'SocketAddressLegacy',
+ '*cmd': 'str',
'*tls-creds': 'str',
'*tls-authz' : 'str',
'*server': 'bool',
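Review bot: The refreshed rejection guard in the chardev/char-socket.c hunk, `if (path || sock->server || sock->has_telnet || sock->has_tn3270 || sock->reconnect || host || port || sock->tls_creds)`, does not cover the tls-authz option that 4.0 introduces and that is visible as new-side context a few lines later (`sock->has_tls_authz = qemu_opt_get(opts, "tls-authz");`), so `cmd=` combined with `tls-authz=` now passes the "cmd does not support any additional options" check and appears to reach the command-spawning path with an authz object that is never consulted. Extend the condition with `|| sock->has_tls_authz` so that the guard keeps its stated contract of rejecting every additional option. The refreshed line also mixes value checks (`sock->server`, `sock->reconnect`, `sock->tls_creds`) with presence checks (`sock->has_telnet`, `sock->has_tn3270`); if the has_ fields are set from option presence as their names suggest, an explicit `server=off` is accepted while `telnet=off` is rejected, which is probably not intended and would be cleaner with presence flags throughout. The enclosing qemu_chr_parse_socket body starts and ends outside the hunk.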


@@ -1,4 +1,4 @@
From 4829da131996548dc86775b8b97a29c436f3d130 Mon Sep 17 00:00:00 2001
From 1b3f264e2ba18caf658fae27293c426c8366c6a3 Mon Sep 17 00:00:00 2001
From: Mark Asselstine <mark.asselstine@windriver.com>
Date: Tue, 26 Feb 2013 11:43:28 -0500
Subject: [PATCH] apic: fixup fallthrough to PIC
@@ -30,10 +30,10 @@ Signed-off-by: He Zhe <zhe.he@windriver.com>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/intc/apic.c b/hw/intc/apic.c
index 97ffdd82..ef23430e 100644
index 6ea619c3..f892811e 100644
--- a/hw/intc/apic.c
+++ b/hw/intc/apic.c
@@ -603,7 +603,7 @@ int apic_accept_pic_intr(DeviceState *dev)
@@ -604,7 +604,7 @@ int apic_accept_pic_intr(DeviceState *dev)
APICCommonState *s = APIC(dev);
uint32_t lvt0;


@@ -1,4 +1,4 @@
From bce25c9cda73569963615ffd31ed949cbe3a3781 Mon Sep 17 00:00:00 2001
From a33ae91504ea4d254b5ace64a84791d3c96c9773 Mon Sep 17 00:00:00 2001
From: Alistair Francis <alistair.francis@xilinx.com>
Date: Wed, 17 Jan 2018 10:51:49 -0800
Subject: [PATCH] linux-user: Fix webkitgtk hangs on 32-bit x86 target
@@ -19,7 +19,7 @@ Signed-off-by: Alistair Francis <alistair.francis@xilinx.com>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux-user/main.c b/linux-user/main.c
index 923cbb75..fe0b9ff4 100644
index a0aba9cb..34c54924 100644
--- a/linux-user/main.c
+++ b/linux-user/main.c
@@ -69,7 +69,7 @@ int have_guest_base;


@@ -1,4 +1,4 @@
From 496231774f8bc17ecfaf543a6603e3cad3f3f74e Mon Sep 17 00:00:00 2001
From 2a66bd95c856de6950fbd802c5b99075207c1d76 Mon Sep 17 00:00:00 2001
From: Martin Jansa <martin.jansa@lge.com>
Date: Fri, 1 Jun 2018 08:41:07 +0000
Subject: [PATCH] Revert "linux-user: fix mmap/munmap/mprotect/mremap/shmat"
@@ -23,7 +23,7 @@ Upstream-Status: Pending
4 files changed, 15 insertions(+), 29 deletions(-)
diff --git a/include/exec/cpu-all.h b/include/exec/cpu-all.h
index 117d2fbb..90558c14 100644
index b16c9ec5..612db6a0 100644
--- a/include/exec/cpu-all.h
+++ b/include/exec/cpu-all.h
@@ -163,12 +163,8 @@ extern unsigned long guest_base;
@@ -41,7 +41,7 @@ index 117d2fbb..90558c14 100644
#include "exec/hwaddr.h"
diff --git a/include/exec/cpu_ldst.h b/include/exec/cpu_ldst.h
index 95906849..ed17b3f6 100644
index d78041d7..845639f7 100644
--- a/include/exec/cpu_ldst.h
+++ b/include/exec/cpu_ldst.h
@@ -62,13 +62,15 @@ typedef uint64_t abi_ptr;
@@ -68,7 +68,7 @@ index 95906849..ed17b3f6 100644
#define h2g_nocheck(x) ({ \
unsigned long __ret = (unsigned long)(x) - guest_base; \
diff --git a/linux-user/mmap.c b/linux-user/mmap.c
index 41e0983c..d0ee1c53 100644
index e0249efe..cfe34b35 100644
--- a/linux-user/mmap.c
+++ b/linux-user/mmap.c
@@ -79,7 +79,7 @@ int target_mprotect(abi_ulong start, abi_ulong len, int prot)
@@ -81,9 +81,9 @@ index 41e0983c..d0ee1c53 100644
}
prot &= PROT_READ | PROT_WRITE | PROT_EXEC;
@@ -490,8 +490,8 @@ abi_long target_mmap(abi_ulong start, abi_ulong len, int prot,
* It can fail only on 64-bit host with 32-bit target.
* On any other target/host host mmap() handles this error correctly.
*/
* It can fail only on 64-bit host with 32-bit target.
* On any other target/host host mmap() handles this error correctly.
*/
- if (!guest_range_valid(start, len)) {
- errno = ENOMEM;
+ if ((unsigned long)start + len - 1 > (abi_ulong) -1) {
@@ -118,10 +118,10 @@ index 41e0983c..d0ee1c53 100644
if (flags & MREMAP_FIXED) {
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 280137da..efdd0006 100644
index 96cd4bf8..e6754772 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -3818,9 +3818,6 @@ static inline abi_ulong do_shmat(CPUArchState *cpu_env,
@@ -3860,9 +3860,6 @@ static inline abi_ulong do_shmat(CPUArchState *cpu_env,
return -TARGET_EINVAL;
}
}
@@ -131,7 +131,7 @@ index 280137da..efdd0006 100644
mmap_lock();
@@ -6582,7 +6579,7 @@ static int open_self_maps(void *cpu_env, int fd)
@@ -6633,7 +6630,7 @@ static int open_self_maps(void *cpu_env, int fd)
}
if (h2g_valid(min)) {
int flags = page_get_flags(h2g(min));


@@ -1,4 +1,4 @@
From d3e0b8dac7c2eb20d7fcff747bc98b981f4398ef Mon Sep 17 00:00:00 2001
From 9125afb733d8c96416bb83c5adad39bb8d0803a1 Mon Sep 17 00:00:00 2001
From: Hongxu Jia <hongxu.jia@windriver.com>
Date: Tue, 12 Mar 2013 09:54:06 +0800
Subject: [PATCH] fix libcap header issue on some distro


@@ -1,4 +1,4 @@
From 861c522df7791d7e93743d5641f3ef2a5a3c4632 Mon Sep 17 00:00:00 2001
From 0a53e906510cce1f32bc04a11e81ea40f834dac4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?An=C3=ADbal=20Lim=C3=B3n?= <anibal.limon@linux.intel.com>
Date: Wed, 12 Aug 2015 15:11:30 -0500
Subject: [PATCH] cpus.c: Add error messages when qemi_cpu_kick_thread fails.
@@ -20,10 +20,10 @@ Signed-off-by: Aníbal Limón <anibal.limon@linux.intel.com>
create mode 100644 custom_debug.h
diff --git a/cpus.c b/cpus.c
index 0ddeeefc..4f3a5624 100644
index e83f72b4..e6e2576e 100644
--- a/cpus.c
+++ b/cpus.c
@@ -1768,6 +1768,8 @@ static void *qemu_tcg_cpu_thread_fn(void *arg)
@@ -1769,6 +1769,8 @@ static void *qemu_tcg_cpu_thread_fn(void *arg)
return NULL;
}
@@ -32,9 +32,9 @@ index 0ddeeefc..4f3a5624 100644
static void qemu_cpu_kick_thread(CPUState *cpu)
{
#ifndef _WIN32
@@ -1780,6 +1782,9 @@ static void qemu_cpu_kick_thread(CPUState *cpu)
@@ -1781,6 +1783,9 @@ static void qemu_cpu_kick_thread(CPUState *cpu)
err = pthread_kill(cpu->thread->thread, SIG_IPI);
if (err) {
if (err && err != ESRCH) {
fprintf(stderr, "qemu:%s: %s", __func__, strerror(err));
+ fprintf(stderr, "CPU #%d:\n", cpu->cpu_index);
+ cpu_dump_state(cpu, stderr, fprintf, 0);


@@ -0,0 +1,493 @@
From b46cdcdeb762c1f0eef68dc4a7d90f8176152e07 Mon Sep 17 00:00:00 2001
From: Alistair Francis <alistair.francis@wdc.com>
Date: Wed, 1 May 2019 19:51:27 -0700
Subject: [PATCH] Revert "target/arm: Use vector operations for saturation"
This reverts commit 89e68b575e138d0af1435f11a8ffcd8779c237bd.
This fixes QEMU aborts when running the qemuarm machine.
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Upstream-status: Pending
---
target/arm/helper.h | 33 -------
target/arm/translate-a64.c | 36 ++++----
target/arm/translate.c | 172 ++++++-------------------------------
target/arm/translate.h | 4 -
target/arm/vec_helper.c | 130 ----------------------------
5 files changed, 44 insertions(+), 331 deletions(-)
diff --git a/target/arm/helper.h b/target/arm/helper.h
index 50cb036378..b2669f140f 100644
--- a/target/arm/helper.h
+++ b/target/arm/helper.h
@@ -646,39 +646,6 @@ DEF_HELPER_FLAGS_6(gvec_fmla_idx_s, TCG_CALL_NO_RWG,
DEF_HELPER_FLAGS_6(gvec_fmla_idx_d, TCG_CALL_NO_RWG,
void, ptr, ptr, ptr, ptr, ptr, i32)
-DEF_HELPER_FLAGS_5(gvec_uqadd_b, TCG_CALL_NO_RWG,
- void, ptr, ptr, ptr, ptr, i32)
-DEF_HELPER_FLAGS_5(gvec_uqadd_h, TCG_CALL_NO_RWG,
- void, ptr, ptr, ptr, ptr, i32)
-DEF_HELPER_FLAGS_5(gvec_uqadd_s, TCG_CALL_NO_RWG,
- void, ptr, ptr, ptr, ptr, i32)
-DEF_HELPER_FLAGS_5(gvec_uqadd_d, TCG_CALL_NO_RWG,
- void, ptr, ptr, ptr, ptr, i32)
-DEF_HELPER_FLAGS_5(gvec_sqadd_b, TCG_CALL_NO_RWG,
- void, ptr, ptr, ptr, ptr, i32)
-DEF_HELPER_FLAGS_5(gvec_sqadd_h, TCG_CALL_NO_RWG,
- void, ptr, ptr, ptr, ptr, i32)
-DEF_HELPER_FLAGS_5(gvec_sqadd_s, TCG_CALL_NO_RWG,
- void, ptr, ptr, ptr, ptr, i32)
-DEF_HELPER_FLAGS_5(gvec_sqadd_d, TCG_CALL_NO_RWG,
- void, ptr, ptr, ptr, ptr, i32)
-DEF_HELPER_FLAGS_5(gvec_uqsub_b, TCG_CALL_NO_RWG,
- void, ptr, ptr, ptr, ptr, i32)
-DEF_HELPER_FLAGS_5(gvec_uqsub_h, TCG_CALL_NO_RWG,
- void, ptr, ptr, ptr, ptr, i32)
-DEF_HELPER_FLAGS_5(gvec_uqsub_s, TCG_CALL_NO_RWG,
- void, ptr, ptr, ptr, ptr, i32)
-DEF_HELPER_FLAGS_5(gvec_uqsub_d, TCG_CALL_NO_RWG,
- void, ptr, ptr, ptr, ptr, i32)
-DEF_HELPER_FLAGS_5(gvec_sqsub_b, TCG_CALL_NO_RWG,
- void, ptr, ptr, ptr, ptr, i32)
-DEF_HELPER_FLAGS_5(gvec_sqsub_h, TCG_CALL_NO_RWG,
- void, ptr, ptr, ptr, ptr, i32)
-DEF_HELPER_FLAGS_5(gvec_sqsub_s, TCG_CALL_NO_RWG,
- void, ptr, ptr, ptr, ptr, i32)
-DEF_HELPER_FLAGS_5(gvec_sqsub_d, TCG_CALL_NO_RWG,
- void, ptr, ptr, ptr, ptr, i32)
-
DEF_HELPER_FLAGS_5(gvec_fmlal_a32, TCG_CALL_NO_RWG,
void, ptr, ptr, ptr, ptr, i32)
DEF_HELPER_FLAGS_5(gvec_fmlal_a64, TCG_CALL_NO_RWG,
diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index 9dcc5ff3a3..428211f92f 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -11230,22 +11230,6 @@ static void disas_simd_3same_int(DisasContext *s, uint32_t insn)
}
switch (opcode) {
- case 0x01: /* SQADD, UQADD */
- tcg_gen_gvec_4(vec_full_reg_offset(s, rd),
- offsetof(CPUARMState, vfp.qc),
- vec_full_reg_offset(s, rn),
- vec_full_reg_offset(s, rm),
- is_q ? 16 : 8, vec_full_reg_size(s),
- (u ? uqadd_op : sqadd_op) + size);
- return;
- case 0x05: /* SQSUB, UQSUB */
- tcg_gen_gvec_4(vec_full_reg_offset(s, rd),
- offsetof(CPUARMState, vfp.qc),
- vec_full_reg_offset(s, rn),
- vec_full_reg_offset(s, rm),
- is_q ? 16 : 8, vec_full_reg_size(s),
- (u ? uqsub_op : sqsub_op) + size);
- return;
case 0x0c: /* SMAX, UMAX */
if (u) {
gen_gvec_fn3(s, is_q, rd, rn, rm, tcg_gen_gvec_umax, size);
@@ -11341,6 +11325,16 @@ static void disas_simd_3same_int(DisasContext *s, uint32_t insn)
genfn = fns[size][u];
break;
}
+ case 0x1: /* SQADD, UQADD */
+ {
+ static NeonGenTwoOpEnvFn * const fns[3][2] = {
+ { gen_helper_neon_qadd_s8, gen_helper_neon_qadd_u8 },
+ { gen_helper_neon_qadd_s16, gen_helper_neon_qadd_u16 },
+ { gen_helper_neon_qadd_s32, gen_helper_neon_qadd_u32 },
+ };
+ genenvfn = fns[size][u];
+ break;
+ }
case 0x2: /* SRHADD, URHADD */
{
static NeonGenTwoOpFn * const fns[3][2] = {
@@ -11361,6 +11355,16 @@ static void disas_simd_3same_int(DisasContext *s, uint32_t insn)
genfn = fns[size][u];
break;
}
+ case 0x5: /* SQSUB, UQSUB */
+ {
+ static NeonGenTwoOpEnvFn * const fns[3][2] = {
+ { gen_helper_neon_qsub_s8, gen_helper_neon_qsub_u8 },
+ { gen_helper_neon_qsub_s16, gen_helper_neon_qsub_u16 },
+ { gen_helper_neon_qsub_s32, gen_helper_neon_qsub_u32 },
+ };
+ genenvfn = fns[size][u];
+ break;
+ }
case 0x8: /* SSHL, USHL */
{
static NeonGenTwoOpFn * const fns[3][2] = {
diff --git a/target/arm/translate.c b/target/arm/translate.c
index 10bc53f91c..cf675cef3f 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -6242,142 +6242,6 @@ const GVecGen3 cmtst_op[4] = {
.vece = MO_64 },
};
-static void gen_uqadd_vec(unsigned vece, TCGv_vec t, TCGv_vec sat,
- TCGv_vec a, TCGv_vec b)
-{
- TCGv_vec x = tcg_temp_new_vec_matching(t);
- tcg_gen_add_vec(vece, x, a, b);
- tcg_gen_usadd_vec(vece, t, a, b);
- tcg_gen_cmp_vec(TCG_COND_NE, vece, x, x, t);
- tcg_gen_or_vec(vece, sat, sat, x);
- tcg_temp_free_vec(x);
-}
-
-const GVecGen4 uqadd_op[4] = {
- { .fniv = gen_uqadd_vec,
- .fno = gen_helper_gvec_uqadd_b,
- .opc = INDEX_op_usadd_vec,
- .write_aofs = true,
- .vece = MO_8 },
- { .fniv = gen_uqadd_vec,
- .fno = gen_helper_gvec_uqadd_h,
- .opc = INDEX_op_usadd_vec,
- .write_aofs = true,
- .vece = MO_16 },
- { .fniv = gen_uqadd_vec,
- .fno = gen_helper_gvec_uqadd_s,
- .opc = INDEX_op_usadd_vec,
- .write_aofs = true,
- .vece = MO_32 },
- { .fniv = gen_uqadd_vec,
- .fno = gen_helper_gvec_uqadd_d,
- .opc = INDEX_op_usadd_vec,
- .write_aofs = true,
- .vece = MO_64 },
-};
-
-static void gen_sqadd_vec(unsigned vece, TCGv_vec t, TCGv_vec sat,
- TCGv_vec a, TCGv_vec b)
-{
- TCGv_vec x = tcg_temp_new_vec_matching(t);
- tcg_gen_add_vec(vece, x, a, b);
- tcg_gen_ssadd_vec(vece, t, a, b);
- tcg_gen_cmp_vec(TCG_COND_NE, vece, x, x, t);
- tcg_gen_or_vec(vece, sat, sat, x);
- tcg_temp_free_vec(x);
-}
-
-const GVecGen4 sqadd_op[4] = {
- { .fniv = gen_sqadd_vec,
- .fno = gen_helper_gvec_sqadd_b,
- .opc = INDEX_op_ssadd_vec,
- .write_aofs = true,
- .vece = MO_8 },
- { .fniv = gen_sqadd_vec,
- .fno = gen_helper_gvec_sqadd_h,
- .opc = INDEX_op_ssadd_vec,
- .write_aofs = true,
- .vece = MO_16 },
- { .fniv = gen_sqadd_vec,
- .fno = gen_helper_gvec_sqadd_s,
- .opc = INDEX_op_ssadd_vec,
- .write_aofs = true,
- .vece = MO_32 },
- { .fniv = gen_sqadd_vec,
- .fno = gen_helper_gvec_sqadd_d,
- .opc = INDEX_op_ssadd_vec,
- .write_aofs = true,
- .vece = MO_64 },
-};
-
-static void gen_uqsub_vec(unsigned vece, TCGv_vec t, TCGv_vec sat,
- TCGv_vec a, TCGv_vec b)
-{
- TCGv_vec x = tcg_temp_new_vec_matching(t);
- tcg_gen_sub_vec(vece, x, a, b);
- tcg_gen_ussub_vec(vece, t, a, b);
- tcg_gen_cmp_vec(TCG_COND_NE, vece, x, x, t);
- tcg_gen_or_vec(vece, sat, sat, x);
- tcg_temp_free_vec(x);
-}
-
-const GVecGen4 uqsub_op[4] = {
- { .fniv = gen_uqsub_vec,
- .fno = gen_helper_gvec_uqsub_b,
- .opc = INDEX_op_ussub_vec,
- .write_aofs = true,
- .vece = MO_8 },
- { .fniv = gen_uqsub_vec,
- .fno = gen_helper_gvec_uqsub_h,
- .opc = INDEX_op_ussub_vec,
- .write_aofs = true,
- .vece = MO_16 },
- { .fniv = gen_uqsub_vec,
- .fno = gen_helper_gvec_uqsub_s,
- .opc = INDEX_op_ussub_vec,
- .write_aofs = true,
- .vece = MO_32 },
- { .fniv = gen_uqsub_vec,
- .fno = gen_helper_gvec_uqsub_d,
- .opc = INDEX_op_ussub_vec,
- .write_aofs = true,
- .vece = MO_64 },
-};
-
-static void gen_sqsub_vec(unsigned vece, TCGv_vec t, TCGv_vec sat,
- TCGv_vec a, TCGv_vec b)
-{
- TCGv_vec x = tcg_temp_new_vec_matching(t);
- tcg_gen_sub_vec(vece, x, a, b);
- tcg_gen_sssub_vec(vece, t, a, b);
- tcg_gen_cmp_vec(TCG_COND_NE, vece, x, x, t);
- tcg_gen_or_vec(vece, sat, sat, x);
- tcg_temp_free_vec(x);
-}
-
-const GVecGen4 sqsub_op[4] = {
- { .fniv = gen_sqsub_vec,
- .fno = gen_helper_gvec_sqsub_b,
- .opc = INDEX_op_sssub_vec,
- .write_aofs = true,
- .vece = MO_8 },
- { .fniv = gen_sqsub_vec,
- .fno = gen_helper_gvec_sqsub_h,
- .opc = INDEX_op_sssub_vec,
- .write_aofs = true,
- .vece = MO_16 },
- { .fniv = gen_sqsub_vec,
- .fno = gen_helper_gvec_sqsub_s,
- .opc = INDEX_op_sssub_vec,
- .write_aofs = true,
- .vece = MO_32 },
- { .fniv = gen_sqsub_vec,
- .fno = gen_helper_gvec_sqsub_d,
- .opc = INDEX_op_sssub_vec,
- .write_aofs = true,
- .vece = MO_64 },
-};
-
/* Translate a NEON data processing instruction. Return nonzero if the
instruction is invalid.
We process data in a mixture of 32-bit and 64-bit chunks.
@@ -6561,18 +6425,6 @@ static int disas_neon_data_insn(DisasContext *s, uint32_t insn)
}
return 0;
- case NEON_3R_VQADD:
- tcg_gen_gvec_4(rd_ofs, offsetof(CPUARMState, vfp.qc),
- rn_ofs, rm_ofs, vec_size, vec_size,
- (u ? uqadd_op : sqadd_op) + size);
- break;
-
- case NEON_3R_VQSUB:
- tcg_gen_gvec_4(rd_ofs, offsetof(CPUARMState, vfp.qc),
- rn_ofs, rm_ofs, vec_size, vec_size,
- (u ? uqsub_op : sqsub_op) + size);
- break;
-
case NEON_3R_VMUL: /* VMUL */
if (u) {
/* Polynomial case allows only P8 and is handled below. */
@@ -6637,6 +6489,24 @@ static int disas_neon_data_insn(DisasContext *s, uint32_t insn)
neon_load_reg64(cpu_V0, rn + pass);
neon_load_reg64(cpu_V1, rm + pass);
switch (op) {
+ case NEON_3R_VQADD:
+ if (u) {
+ gen_helper_neon_qadd_u64(cpu_V0, cpu_env,
+ cpu_V0, cpu_V1);
+ } else {
+ gen_helper_neon_qadd_s64(cpu_V0, cpu_env,
+ cpu_V0, cpu_V1);
+ }
+ break;
+ case NEON_3R_VQSUB:
+ if (u) {
+ gen_helper_neon_qsub_u64(cpu_V0, cpu_env,
+ cpu_V0, cpu_V1);
+ } else {
+ gen_helper_neon_qsub_s64(cpu_V0, cpu_env,
+ cpu_V0, cpu_V1);
+ }
+ break;
case NEON_3R_VSHL:
if (u) {
gen_helper_neon_shl_u64(cpu_V0, cpu_V1, cpu_V0);
@@ -6752,12 +6622,18 @@ static int disas_neon_data_insn(DisasContext *s, uint32_t insn)
case NEON_3R_VHADD:
GEN_NEON_INTEGER_OP(hadd);
break;
+ case NEON_3R_VQADD:
+ GEN_NEON_INTEGER_OP_ENV(qadd);
+ break;
case NEON_3R_VRHADD:
GEN_NEON_INTEGER_OP(rhadd);
break;
case NEON_3R_VHSUB:
GEN_NEON_INTEGER_OP(hsub);
break;
+ case NEON_3R_VQSUB:
+ GEN_NEON_INTEGER_OP_ENV(qsub);
+ break;
case NEON_3R_VSHL:
GEN_NEON_INTEGER_OP(shl);
break;
diff --git a/target/arm/translate.h b/target/arm/translate.h
index c2348def0d..07055c9449 100644
--- a/target/arm/translate.h
+++ b/target/arm/translate.h
@@ -248,10 +248,6 @@ extern const GVecGen2i ssra_op[4];
extern const GVecGen2i usra_op[4];
extern const GVecGen2i sri_op[4];
extern const GVecGen2i sli_op[4];
-extern const GVecGen4 uqadd_op[4];
-extern const GVecGen4 sqadd_op[4];
-extern const GVecGen4 uqsub_op[4];
-extern const GVecGen4 sqsub_op[4];
void gen_cmtst_i64(TCGv_i64 d, TCGv_i64 a, TCGv_i64 b);
/*
diff --git a/target/arm/vec_helper.c b/target/arm/vec_helper.c
index dedef62403..be3271659f 100644
--- a/target/arm/vec_helper.c
+++ b/target/arm/vec_helper.c
@@ -769,136 +769,6 @@ DO_FMLA_IDX(gvec_fmla_idx_d, float64, )
#undef DO_FMLA_IDX
-#define DO_SAT(NAME, WTYPE, TYPEN, TYPEM, OP, MIN, MAX) \
-void HELPER(NAME)(void *vd, void *vq, void *vn, void *vm, uint32_t desc) \
-{ \
- intptr_t i, oprsz = simd_oprsz(desc); \
- TYPEN *d = vd, *n = vn; TYPEM *m = vm; \
- bool q = false; \
- for (i = 0; i < oprsz / sizeof(TYPEN); i++) { \
- WTYPE dd = (WTYPE)n[i] OP m[i]; \
- if (dd < MIN) { \
- dd = MIN; \
- q = true; \
- } else if (dd > MAX) { \
- dd = MAX; \
- q = true; \
- } \
- d[i] = dd; \
- } \
- if (q) { \
- uint32_t *qc = vq; \
- qc[0] = 1; \
- } \
- clear_tail(d, oprsz, simd_maxsz(desc)); \
-}
-
-DO_SAT(gvec_uqadd_b, int, uint8_t, uint8_t, +, 0, UINT8_MAX)
-DO_SAT(gvec_uqadd_h, int, uint16_t, uint16_t, +, 0, UINT16_MAX)
-DO_SAT(gvec_uqadd_s, int64_t, uint32_t, uint32_t, +, 0, UINT32_MAX)
-
-DO_SAT(gvec_sqadd_b, int, int8_t, int8_t, +, INT8_MIN, INT8_MAX)
-DO_SAT(gvec_sqadd_h, int, int16_t, int16_t, +, INT16_MIN, INT16_MAX)
-DO_SAT(gvec_sqadd_s, int64_t, int32_t, int32_t, +, INT32_MIN, INT32_MAX)
-
-DO_SAT(gvec_uqsub_b, int, uint8_t, uint8_t, -, 0, UINT8_MAX)
-DO_SAT(gvec_uqsub_h, int, uint16_t, uint16_t, -, 0, UINT16_MAX)
-DO_SAT(gvec_uqsub_s, int64_t, uint32_t, uint32_t, -, 0, UINT32_MAX)
-
-DO_SAT(gvec_sqsub_b, int, int8_t, int8_t, -, INT8_MIN, INT8_MAX)
-DO_SAT(gvec_sqsub_h, int, int16_t, int16_t, -, INT16_MIN, INT16_MAX)
-DO_SAT(gvec_sqsub_s, int64_t, int32_t, int32_t, -, INT32_MIN, INT32_MAX)
-
-#undef DO_SAT
-
-void HELPER(gvec_uqadd_d)(void *vd, void *vq, void *vn,
- void *vm, uint32_t desc)
-{
- intptr_t i, oprsz = simd_oprsz(desc);
- uint64_t *d = vd, *n = vn, *m = vm;
- bool q = false;
-
- for (i = 0; i < oprsz / 8; i++) {
- uint64_t nn = n[i], mm = m[i], dd = nn + mm;
- if (dd < nn) {
- dd = UINT64_MAX;
- q = true;
- }
- d[i] = dd;
- }
- if (q) {
- uint32_t *qc = vq;
- qc[0] = 1;
- }
- clear_tail(d, oprsz, simd_maxsz(desc));
-}
-
-void HELPER(gvec_uqsub_d)(void *vd, void *vq, void *vn,
- void *vm, uint32_t desc)
-{
- intptr_t i, oprsz = simd_oprsz(desc);
- uint64_t *d = vd, *n = vn, *m = vm;
- bool q = false;
-
- for (i = 0; i < oprsz / 8; i++) {
- uint64_t nn = n[i], mm = m[i], dd = nn - mm;
- if (nn < mm) {
- dd = 0;
- q = true;
- }
- d[i] = dd;
- }
- if (q) {
- uint32_t *qc = vq;
- qc[0] = 1;
- }
- clear_tail(d, oprsz, simd_maxsz(desc));
-}
-
-void HELPER(gvec_sqadd_d)(void *vd, void *vq, void *vn,
- void *vm, uint32_t desc)
-{
- intptr_t i, oprsz = simd_oprsz(desc);
- int64_t *d = vd, *n = vn, *m = vm;
- bool q = false;
-
- for (i = 0; i < oprsz / 8; i++) {
- int64_t nn = n[i], mm = m[i], dd = nn + mm;
- if (((dd ^ nn) & ~(nn ^ mm)) & INT64_MIN) {
- dd = (nn >> 63) ^ ~INT64_MIN;
- q = true;
- }
- d[i] = dd;
- }
- if (q) {
- uint32_t *qc = vq;
- qc[0] = 1;
- }
- clear_tail(d, oprsz, simd_maxsz(desc));
-}
-
-void HELPER(gvec_sqsub_d)(void *vd, void *vq, void *vn,
- void *vm, uint32_t desc)
-{
- intptr_t i, oprsz = simd_oprsz(desc);
- int64_t *d = vd, *n = vn, *m = vm;
- bool q = false;
-
- for (i = 0; i < oprsz / 8; i++) {
- int64_t nn = n[i], mm = m[i], dd = nn - mm;
- if (((dd ^ nn) & (nn ^ mm)) & INT64_MIN) {
- dd = (nn >> 63) ^ ~INT64_MIN;
- q = true;
- }
- d[i] = dd;
- }
- if (q) {
- uint32_t *qc = vq;
- qc[0] = 1;
- }
- clear_tail(d, oprsz, simd_maxsz(desc));
-}
-
/*
* Convert float16 to float32, raising no exceptions and
* preserving exceptional values, including SNaN.
--
2.21.0


@@ -1,85 +0,0 @@
CVE: CVE-2018-16872
Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=bab9df35]
Signed-off-by: Kai Kang <kai.kang@windriver.com>
From bab9df35ce73d1c8e19a37e2737717ea1c984dc1 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Thu, 13 Dec 2018 13:25:11 +0100
Subject: [PATCH] usb-mtp: use O_NOFOLLOW and O_CLOEXEC.
Open files and directories with O_NOFOLLOW to avoid symlinks attacks.
While being at it also add O_CLOEXEC.
usb-mtp only handles regular files and directories and ignores
everything else, so users should not see a difference.
Because qemu ignores symlinks, carrying out a successful symlink attack
requires swapping an existing file or directory below rootdir for a
symlink and winning the race against the inotify notification to qemu.
Fixes: CVE-2018-16872
Cc: Prasad J Pandit <ppandit@redhat.com>
Cc: Bandan Das <bsd@redhat.com>
Reported-by: Michael Hanselmann <public@hansmi.ch>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Michael Hanselmann <public@hansmi.ch>
Message-id: 20181213122511.13853-1-kraxel@redhat.com
---
hw/usb/dev-mtp.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c
index 100b7171f4..36c43b8c20 100644
--- a/hw/usb/dev-mtp.c
+++ b/hw/usb/dev-mtp.c
@@ -653,13 +653,18 @@ static void usb_mtp_object_readdir(MTPState *s, MTPObject *o)
{
struct dirent *entry;
DIR *dir;
+ int fd;
if (o->have_children) {
return;
}
o->have_children = true;
- dir = opendir(o->path);
+ fd = open(o->path, O_DIRECTORY | O_CLOEXEC | O_NOFOLLOW);
+ if (fd < 0) {
+ return;
+ }
+ dir = fdopendir(fd);
if (!dir) {
return;
}
@@ -1007,7 +1012,7 @@ static MTPData *usb_mtp_get_object(MTPState *s, MTPControl *c,
trace_usb_mtp_op_get_object(s->dev.addr, o->handle, o->path);
- d->fd = open(o->path, O_RDONLY);
+ d->fd = open(o->path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW);
if (d->fd == -1) {
usb_mtp_data_free(d);
return NULL;
@@ -1031,7 +1036,7 @@ static MTPData *usb_mtp_get_partial_object(MTPState *s, MTPControl *c,
c->argv[1], c->argv[2]);
d = usb_mtp_data_alloc(c);
- d->fd = open(o->path, O_RDONLY);
+ d->fd = open(o->path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW);
if (d->fd == -1) {
usb_mtp_data_free(d);
return NULL;
@@ -1658,7 +1663,7 @@ static void usb_mtp_write_data(MTPState *s)
0, 0, 0, 0);
goto done;
}
- d->fd = open(path, O_CREAT | O_WRONLY, mask);
+ d->fd = open(path, O_CREAT | O_WRONLY | O_CLOEXEC | O_NOFOLLOW, mask);
if (d->fd == -1) {
usb_mtp_queue_result(s, RES_STORE_FULL, d->trans,
0, 0, 0, 0);
--
2.20.1


@@ -1,60 +0,0 @@
CVE: CVE-2018-20124
Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=0e68373]
Backport patch to fix CVE-2018-20124. Update context and stay with current
function comp_handler() which has been replaced with complete_work() in latest
git repo.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
From 0e68373cc2b3a063ce067bc0cc3edaf370752890 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Thu, 13 Dec 2018 01:00:34 +0530
Subject: [PATCH] rdma: check num_sge does not exceed MAX_SGE
rdma back-end has scatter/gather array ibv_sge[MAX_SGE=4] set
to have 4 elements. A guest could send a 'PvrdmaSqWqe' ring element
with 'num_sge' set to > MAX_SGE, which may lead to OOB access issue.
Add check to avoid it.
Reported-by: Saar Amar <saaramar5@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
---
hw/rdma/rdma_backend.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/hw/rdma/rdma_backend.c b/hw/rdma/rdma_backend.c
index d7a4bbd9..7f8028f8 100644
--- a/hw/rdma/rdma_backend.c
+++ b/hw/rdma/rdma_backend.c
@@ -311,9 +311,9 @@ void rdma_backend_post_send(RdmaBackendDev *backend_dev,
}
pr_dbg("num_sge=%d\n", num_sge);
- if (!num_sge) {
- pr_dbg("num_sge=0\n");
- comp_handler(IBV_WC_GENERAL_ERR, VENDOR_ERR_NO_SGE, ctx);
+ if (!num_sge || num_sge > MAX_SGE) {
+ pr_dbg("invalid num_sge=%d\n", num_sge);
+ comp_handler(IBV_WC_GENERAL_ERR, VENDOR_ERR_NO_SGE, ctx);
return;
}
@@ -390,9 +390,9 @@ void rdma_backend_post_recv(RdmaBackendDev *backend_dev,
}
pr_dbg("num_sge=%d\n", num_sge);
- if (!num_sge) {
- pr_dbg("num_sge=0\n");
- comp_handler(IBV_WC_GENERAL_ERR, VENDOR_ERR_NO_SGE, ctx);
+ if (!num_sge || num_sge > MAX_SGE) {
+ pr_dbg("invalid num_sge=%d\n", num_sge);
+ comp_handler(IBV_WC_GENERAL_ERR, VENDOR_ERR_NO_SGE, ctx);
return;
}
--
2.20.1


@@ -1,54 +0,0 @@
CVE: CVE-2018-20125
Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=2c858ce]
Signed-off-by: Kai Kang <kai.kang@windriver.com>
From 2c858ce5da8ae6689c75182b73bc455a291cad41 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Thu, 13 Dec 2018 01:00:36 +0530
Subject: [PATCH] pvrdma: check number of pages when creating rings
When creating CQ/QP rings, an object can have up to
PVRDMA_MAX_FAST_REG_PAGES 8 pages. Check 'npages' parameter
to avoid excessive memory allocation or a null dereference.
Reported-by: Li Qiang <liq3ea@163.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
---
hw/rdma/vmw/pvrdma_cmd.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
index 3b94545761..f236ac4795 100644
--- a/hw/rdma/vmw/pvrdma_cmd.c
+++ b/hw/rdma/vmw/pvrdma_cmd.c
@@ -259,6 +259,11 @@ static int create_cq_ring(PCIDevice *pci_dev , PvrdmaRing **ring,
int rc = -EINVAL;
char ring_name[MAX_RING_NAME_SZ];
+ if (!nchunks || nchunks > PVRDMA_MAX_FAST_REG_PAGES) {
+ pr_dbg("invalid nchunks: %d\n", nchunks);
+ return rc;
+ }
+
pr_dbg("pdir_dma=0x%llx\n", (long long unsigned int)pdir_dma);
dir = rdma_pci_dma_map(pci_dev, pdir_dma, TARGET_PAGE_SIZE);
if (!dir) {
@@ -372,6 +377,12 @@ static int create_qp_rings(PCIDevice *pci_dev, uint64_t pdir_dma,
char ring_name[MAX_RING_NAME_SZ];
uint32_t wqe_sz;
+ if (!spages || spages > PVRDMA_MAX_FAST_REG_PAGES
+ || !rpages || rpages > PVRDMA_MAX_FAST_REG_PAGES) {
+ pr_dbg("invalid pages: %d, %d\n", spages, rpages);
+ return rc;
+ }
+
pr_dbg("pdir_dma=0x%llx\n", (long long unsigned int)pdir_dma);
dir = rdma_pci_dma_map(pci_dev, pdir_dma, TARGET_PAGE_SIZE);
if (!dir) {
--
2.20.1


@@ -1,113 +0,0 @@
CVE: CVE-2018-20126
Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=509f57c]
Backport and rebase patch to fix CVE-2018-20126.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
From 509f57c98e7536905bb4902363d0cba66ce7e089 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Thu, 13 Dec 2018 01:00:37 +0530
Subject: [PATCH] pvrdma: release ring object in case of an error
create_cq and create_qp routines allocate ring object, but it's
not released in case of an error, leading to memory leakage.
Reported-by: Li Qiang <liq3ea@163.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
---
hw/rdma/vmw/pvrdma_cmd.c | 41 ++++++++++++++++++++++++++++++-----------
1 file changed, 30 insertions(+), 11 deletions(-)
diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
index 4faeb21..9b6796f 100644
--- a/hw/rdma/vmw/pvrdma_cmd.c
+++ b/hw/rdma/vmw/pvrdma_cmd.c
@@ -310,6 +310,14 @@ out:
return rc;
}
+static void destroy_cq_ring(PvrdmaRing *ring)
+{
+ pvrdma_ring_free(ring);
+ /* ring_state was in slot 1, not 0 so need to jump back */
+ rdma_pci_dma_unmap(ring->dev, --ring->ring_state, TARGET_PAGE_SIZE);
+ g_free(ring);
+}
+
static int create_cq(PVRDMADev *dev, union pvrdma_cmd_req *req,
union pvrdma_cmd_resp *rsp)
{
@@ -333,6 +341,10 @@ static int create_cq(PVRDMADev *dev, union pvrdma_cmd_req *req,
resp->hdr.err = rdma_rm_alloc_cq(&dev->rdma_dev_res, &dev->backend_dev,
cmd->cqe, &resp->cq_handle, ring);
+ if (resp->hdr.err) {
+ destroy_cq_ring(ring);
+ }
+
resp->cqe = cmd->cqe;
out:
@@ -356,10 +368,7 @@ static int destroy_cq(PVRDMADev *dev, union pvrdma_cmd_req *req,
}
ring = (PvrdmaRing *)cq->opaque;
- pvrdma_ring_free(ring);
- /* ring_state was in slot 1, not 0 so need to jump back */
- rdma_pci_dma_unmap(PCI_DEVICE(dev), --ring->ring_state, TARGET_PAGE_SIZE);
- g_free(ring);
+ destroy_cq_ring(ring);
rdma_rm_dealloc_cq(&dev->rdma_dev_res, cmd->cq_handle);
@@ -451,6 +460,17 @@ out:
return rc;
}
+static void destroy_qp_rings(PvrdmaRing *ring)
+{
+ pr_dbg("sring=%p\n", &ring[0]);
+ pvrdma_ring_free(&ring[0]);
+ pr_dbg("rring=%p\n", &ring[1]);
+ pvrdma_ring_free(&ring[1]);
+
+ rdma_pci_dma_unmap(ring->dev, ring->ring_state, TARGET_PAGE_SIZE);
+ g_free(ring);
+}
+
static int create_qp(PVRDMADev *dev, union pvrdma_cmd_req *req,
union pvrdma_cmd_resp *rsp)
{
@@ -482,6 +502,11 @@ static int create_qp(PVRDMADev *dev, union pvrdma_cmd_req *req,
cmd->max_recv_wr, cmd->max_recv_sge,
cmd->recv_cq_handle, rings, &resp->qpn);
+ if (resp->hdr.err) {
+ destroy_qp_rings(rings);
+ return resp->hdr.err;
+ }
+
resp->max_send_wr = cmd->max_send_wr;
resp->max_recv_wr = cmd->max_recv_wr;
resp->max_send_sge = cmd->max_send_sge;
@@ -555,13 +580,7 @@ static int destroy_qp(PVRDMADev *dev, union pvrdma_cmd_req *req,
rdma_rm_dealloc_qp(&dev->rdma_dev_res, cmd->qp_handle);
ring = (PvrdmaRing *)qp->opaque;
- pr_dbg("sring=%p\n", &ring[0]);
- pvrdma_ring_free(&ring[0]);
- pr_dbg("rring=%p\n", &ring[1]);
- pvrdma_ring_free(&ring[1]);
-
- rdma_pci_dma_unmap(PCI_DEVICE(dev), ring->ring_state, TARGET_PAGE_SIZE);
- g_free(ring);
+ destroy_qp_rings(ring);
return 0;
}
--
2.20.1


@@ -1,47 +0,0 @@
CVE: CVE-2018-20191
Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=2aa8645]
Signed-off-by: Kai Kang <kai.kang@windriver.com>
From 2aa86456fb938a11f2b7bd57c8643c213218681c Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Thu, 13 Dec 2018 01:00:35 +0530
Subject: [PATCH] pvrdma: add uar_read routine
Define skeleton 'uar_read' routine. Avoid NULL dereference.
Reported-by: Li Qiang <liq3ea@163.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
---
hw/rdma/vmw/pvrdma_main.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c
index 64de16fb52..838ad8a949 100644
--- a/hw/rdma/vmw/pvrdma_main.c
+++ b/hw/rdma/vmw/pvrdma_main.c
@@ -448,6 +448,11 @@ static const MemoryRegionOps regs_ops = {
},
};
+static uint64_t uar_read(void *opaque, hwaddr addr, unsigned size)
+{
+ return 0xffffffff;
+}
+
static void uar_write(void *opaque, hwaddr addr, uint64_t val, unsigned size)
{
PVRDMADev *dev = opaque;
@@ -489,6 +494,7 @@ static void uar_write(void *opaque, hwaddr addr, uint64_t val, unsigned size)
}
static const MemoryRegionOps uar_ops = {
+ .read = uar_read,
.write = uar_write,
.endianness = DEVICE_LITTLE_ENDIAN,
.impl = {
--
2.20.1


@@ -1,85 +0,0 @@
CVE: CVE-2018-20216
Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=f1e2e38]
Signed-off-by: Kai Kang <kai.kang@windriver.com>
From f1e2e38ee0136b7710a2caa347049818afd57a1b Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Thu, 13 Dec 2018 01:00:39 +0530
Subject: [PATCH] pvrdma: check return value from pvrdma_idx_ring_has_ routines
pvrdma_idx_ring_has_[data/space] routines also return invalid
index PVRDMA_INVALID_IDX[=-1], if ring has no data/space. Check
return value from these routines to avoid plausible infinite loops.
Reported-by: Li Qiang <liq3ea@163.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
---
hw/rdma/vmw/pvrdma_dev_ring.c | 29 +++++++++++------------------
1 file changed, 11 insertions(+), 18 deletions(-)
diff --git a/hw/rdma/vmw/pvrdma_dev_ring.c b/hw/rdma/vmw/pvrdma_dev_ring.c
index 01247fc041..e8e5b502f6 100644
--- a/hw/rdma/vmw/pvrdma_dev_ring.c
+++ b/hw/rdma/vmw/pvrdma_dev_ring.c
@@ -73,23 +73,16 @@ out:
void *pvrdma_ring_next_elem_read(PvrdmaRing *ring)
{
+ int e;
unsigned int idx = 0, offset;
- /*
- pr_dbg("%s: t=%d, h=%d\n", ring->name, ring->ring_state->prod_tail,
- ring->ring_state->cons_head);
- */
-
- if (!pvrdma_idx_ring_has_data(ring->ring_state, ring->max_elems, &idx)) {
+ e = pvrdma_idx_ring_has_data(ring->ring_state, ring->max_elems, &idx);
+ if (e <= 0) {
pr_dbg("No more data in ring\n");
return NULL;
}
offset = idx * ring->elem_sz;
- /*
- pr_dbg("idx=%d\n", idx);
- pr_dbg("offset=%d\n", offset);
- */
return ring->pages[offset / TARGET_PAGE_SIZE] + (offset % TARGET_PAGE_SIZE);
}
@@ -105,20 +98,20 @@ void pvrdma_ring_read_inc(PvrdmaRing *ring)
void *pvrdma_ring_next_elem_write(PvrdmaRing *ring)
{
- unsigned int idx, offset, tail;
+ int idx;
+ unsigned int offset, tail;
- /*
- pr_dbg("%s: t=%d, h=%d\n", ring->name, ring->ring_state->prod_tail,
- ring->ring_state->cons_head);
- */
-
- if (!pvrdma_idx_ring_has_space(ring->ring_state, ring->max_elems, &tail)) {
+ idx = pvrdma_idx_ring_has_space(ring->ring_state, ring->max_elems, &tail);
+ if (idx <= 0) {
pr_dbg("CQ is full\n");
return NULL;
}
idx = pvrdma_idx(&ring->ring_state->prod_tail, ring->max_elems);
- /* TODO: tail == idx */
+ if (idx < 0 || tail != idx) {
+ pr_dbg("invalid idx\n");
+ return NULL;
+ }
offset = idx * ring->elem_sz;
return ring->pages[offset / TARGET_PAGE_SIZE] + (offset % TARGET_PAGE_SIZE);
--
2.20.1


@@ -1,39 +0,0 @@
QEMU, through version 2.10 and through version 3.1.0, is vulnerable to an
out-of-bounds read of up to 128 bytes in the hw/i2c/i2c-ddc.c:i2c_ddc()
function. A local attacker with permission to execute i2c commands could exploit
this to read stack memory of the qemu process on the host.
CVE: CVE-2019-3812
Upstream-Status: Backport
Signed-off-by: Ross Burton <ross.burton@intel.com>
From b05b267840515730dbf6753495d5b7bd8b04ad1c Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Tue, 8 Jan 2019 11:23:01 +0100
Subject: [PATCH] i2c-ddc: fix oob read
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Suggested-by: Michael Hanselmann <public@hansmi.ch>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Michael Hanselmann <public@hansmi.ch>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20190108102301.1957-1-kraxel@redhat.com
---
hw/i2c/i2c-ddc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/i2c/i2c-ddc.c b/hw/i2c/i2c-ddc.c
index be34fe072cf..0a0367ff38f 100644
--- a/hw/i2c/i2c-ddc.c
+++ b/hw/i2c/i2c-ddc.c
@@ -56,7 +56,7 @@ static int i2c_ddc_rx(I2CSlave *i2c)
I2CDDCState *s = I2CDDC(i2c);
int value;
- value = s->edid_blob[s->reg];
+ value = s->edid_blob[s->reg % sizeof(s->edid_blob)];
s->reg++;
return value;
}


@@ -18,5 +18,3 @@ PACKAGECONFIG ??= " \
${@bb.utils.filter('DISTRO_FEATURES', 'alsa xen', d)} \
"
PACKAGECONFIG_class-nativesdk ??= "fdt sdl kvm"