Diffstat (limited to 'import-layers/yocto-poky/meta/recipes-devtools/qemu/qemu')
14 files changed, 882 insertions, 466 deletions
diff --git a/import-layers/yocto-poky/meta/recipes-devtools/qemu/qemu/0004-Add-support-for-VM-suspend-resume-for-TPM-TIS.patch b/import-layers/yocto-poky/meta/recipes-devtools/qemu/qemu/0004-Add-support-for-VM-suspend-resume-for-TPM-TIS-v2.9.patch
index b8a783d4e..f1dbaffea 100644
--- a/import-layers/yocto-poky/meta/recipes-devtools/qemu/qemu/0004-Add-support-for-VM-suspend-resume-for-TPM-TIS.patch
+++ b/import-layers/yocto-poky/meta/recipes-devtools/qemu/qemu/0004-Add-support-for-VM-suspend-resume-for-TPM-TIS-v2.9.patch
@@ -239,19 +239,19 @@ index 44739ebad2..bc8072d0bc 100644
+ VMSTATE_UINT32(tpm_blobs.permanent_flags, TPMPassthruState),
+ VMSTATE_UINT32(tpm_blobs.permanent.size, TPMPassthruState),
+ VMSTATE_VBUFFER_ALLOC_UINT32(tpm_blobs.permanent.buffer,
-+ TPMPassthruState, 1, NULL, 0,
++ TPMPassthruState, 1, NULL,
+ tpm_blobs.permanent.size),
+
+ VMSTATE_UINT32(tpm_blobs.volatil_flags, TPMPassthruState),
+ VMSTATE_UINT32(tpm_blobs.volatil.size, TPMPassthruState),
+ VMSTATE_VBUFFER_ALLOC_UINT32(tpm_blobs.volatil.buffer,
-+ TPMPassthruState, 1, NULL, 0,
++ TPMPassthruState, 1, NULL,
+ tpm_blobs.volatil.size),
+
+ VMSTATE_UINT32(tpm_blobs.savestate_flags, TPMPassthruState),
+ VMSTATE_UINT32(tpm_blobs.savestate.size, TPMPassthruState),
+ VMSTATE_VBUFFER_ALLOC_UINT32(tpm_blobs.savestate.buffer,
-+ TPMPassthruState, 1, NULL, 0,
++ TPMPassthruState, 1, NULL,
+ tpm_blobs.savestate.size),
+ VMSTATE_END_OF_LIST()
+ }
diff --git a/import-layers/yocto-poky/meta/recipes-devtools/qemu/qemu/04b33e21866412689f18b7ad6daf0a54d8f959a7.patch b/import-layers/yocto-poky/meta/recipes-devtools/qemu/qemu/04b33e21866412689f18b7ad6daf0a54d8f959a7.patch
deleted file mode 100644
index d947e8cba..000000000
--- a/import-layers/yocto-poky/meta/recipes-devtools/qemu/qemu/04b33e21866412689f18b7ad6daf0a54d8f959a7.patch
+++ /dev/null
@@ -1,282 +0,0 @@ -From 04b33e21866412689f18b7ad6daf0a54d8f959a7 Mon Sep 17 00:00:00 2001 -From: Khem Raj <raj.khem@gmail.com> -Date: Wed, 28 Jun 2017 13:44:52 -0700 -Subject: [PATCH] Replace 'struct ucontext' with 'ucontext_t' type - -glibc used to have: - - typedef struct ucontext { ... } ucontext_t; - -glibc now has: - - typedef struct ucontext_t { ... } ucontext_t; - -(See https://sourceware.org/bugzilla/show_bug.cgi?id=21457 - for detail and rationale for the glibc change) - -However, QEMU used "struct ucontext" in declarations. This is a -private name and compatibility cannot be guaranteed. Switch to -only using the standardized type name. - -Signed-off-by: Khem Raj <raj.khem@gmail.com> -Message-id: 20170628204452.41230-1-raj.khem@gmail.com -Cc: Kamil Rytarowski <kamil@netbsd.org> -Cc: Riku Voipio <riku.voipio@iki.fi> -Cc: Laurent Vivier <laurent@vivier.eu> -Cc: Paolo Bonzini <pbonzini@redhat.com> -Reviewed-by: Eric Blake <eblake@redhat.com> -[PMM: Rewrote commit message, based mostly on the one from - Nathaniel McCallum] -Signed-off-by: Peter Maydell <peter.maydell@linaro.org> - -Upstream-Status: Backport -RP 2017/9/6 ---- - linux-user/host/aarch64/hostdep.h | 2 +- - linux-user/host/arm/hostdep.h | 2 +- - linux-user/host/i386/hostdep.h | 2 +- - linux-user/host/ppc64/hostdep.h | 2 +- - linux-user/host/s390x/hostdep.h | 2 +- - linux-user/host/x86_64/hostdep.h | 2 +- - linux-user/signal.c | 10 +++++----- - tests/tcg/test-i386.c | 4 ++-- - user-exec.c | 18 +++++++++--------- - 9 files changed, 22 insertions(+), 22 deletions(-) - -diff --git a/linux-user/host/aarch64/hostdep.h b/linux-user/host/aarch64/hostdep.h -index 64f75ce..a8d41a2 100644 ---- a/linux-user/host/aarch64/hostdep.h -+++ b/linux-user/host/aarch64/hostdep.h -@@ -24,7 +24,7 @@ extern char safe_syscall_end[]; - /* Adjust the signal context to rewind out of safe-syscall if we're in it */ - static inline void rewind_if_in_safe_syscall(void *puc) - { -- struct ucontext *uc = puc; -+ ucontext_t *uc = 
puc; - __u64 *pcreg = &uc->uc_mcontext.pc; - - if (*pcreg > (uintptr_t)safe_syscall_start -diff --git a/linux-user/host/arm/hostdep.h b/linux-user/host/arm/hostdep.h -index 5c1ae60..9276fe6 100644 ---- a/linux-user/host/arm/hostdep.h -+++ b/linux-user/host/arm/hostdep.h -@@ -24,7 +24,7 @@ extern char safe_syscall_end[]; - /* Adjust the signal context to rewind out of safe-syscall if we're in it */ - static inline void rewind_if_in_safe_syscall(void *puc) - { -- struct ucontext *uc = puc; -+ ucontext_t *uc = puc; - unsigned long *pcreg = &uc->uc_mcontext.arm_pc; - - if (*pcreg > (uintptr_t)safe_syscall_start -diff --git a/linux-user/host/i386/hostdep.h b/linux-user/host/i386/hostdep.h -index d834bd8..073be74 100644 ---- a/linux-user/host/i386/hostdep.h -+++ b/linux-user/host/i386/hostdep.h -@@ -24,7 +24,7 @@ extern char safe_syscall_end[]; - /* Adjust the signal context to rewind out of safe-syscall if we're in it */ - static inline void rewind_if_in_safe_syscall(void *puc) - { -- struct ucontext *uc = puc; -+ ucontext_t *uc = puc; - greg_t *pcreg = &uc->uc_mcontext.gregs[REG_EIP]; - - if (*pcreg > (uintptr_t)safe_syscall_start -diff --git a/linux-user/host/ppc64/hostdep.h b/linux-user/host/ppc64/hostdep.h -index 0b0f5f7..98979ad 100644 ---- a/linux-user/host/ppc64/hostdep.h -+++ b/linux-user/host/ppc64/hostdep.h -@@ -24,7 +24,7 @@ extern char safe_syscall_end[]; - /* Adjust the signal context to rewind out of safe-syscall if we're in it */ - static inline void rewind_if_in_safe_syscall(void *puc) - { -- struct ucontext *uc = puc; -+ ucontext_t *uc = puc; - unsigned long *pcreg = &uc->uc_mcontext.gp_regs[PT_NIP]; - - if (*pcreg > (uintptr_t)safe_syscall_start -diff --git a/linux-user/host/s390x/hostdep.h b/linux-user/host/s390x/hostdep.h -index 6f9da9c..4f0171f 100644 ---- a/linux-user/host/s390x/hostdep.h -+++ b/linux-user/host/s390x/hostdep.h -@@ -24,7 +24,7 @@ extern char safe_syscall_end[]; - /* Adjust the signal context to rewind out of safe-syscall if we're in 
it */ - static inline void rewind_if_in_safe_syscall(void *puc) - { -- struct ucontext *uc = puc; -+ ucontext_t *uc = puc; - unsigned long *pcreg = &uc->uc_mcontext.psw.addr; - - if (*pcreg > (uintptr_t)safe_syscall_start -diff --git a/linux-user/host/x86_64/hostdep.h b/linux-user/host/x86_64/hostdep.h -index 3b42596..a4fefb5 100644 ---- a/linux-user/host/x86_64/hostdep.h -+++ b/linux-user/host/x86_64/hostdep.h -@@ -24,7 +24,7 @@ extern char safe_syscall_end[]; - /* Adjust the signal context to rewind out of safe-syscall if we're in it */ - static inline void rewind_if_in_safe_syscall(void *puc) - { -- struct ucontext *uc = puc; -+ ucontext_t *uc = puc; - greg_t *pcreg = &uc->uc_mcontext.gregs[REG_RIP]; - - if (*pcreg > (uintptr_t)safe_syscall_start -diff --git a/linux-user/signal.c b/linux-user/signal.c -index d68bd26..cc0c3fc 100644 ---- a/linux-user/signal.c -+++ b/linux-user/signal.c -@@ -3346,7 +3346,7 @@ static void setup_rt_frame(int sig, struct target_sigaction *ka, - * - * a0 = signal number - * a1 = pointer to siginfo_t -- * a2 = pointer to struct ucontext -+ * a2 = pointer to ucontext_t - * - * $25 and PC point to the signal handler, $29 points to the - * struct sigframe. -@@ -3764,7 +3764,7 @@ struct target_signal_frame { - - struct rt_signal_frame { - siginfo_t info; -- struct ucontext uc; -+ ucontext_t uc; - uint32_t tramp[2]; - }; - -@@ -3980,7 +3980,7 @@ struct rt_signal_frame { - siginfo_t *pinfo; - void *puc; - siginfo_t info; -- struct ucontext uc; -+ ucontext_t uc; - uint16_t retcode[4]; /* Trampoline code. 
*/ - }; - -@@ -4515,7 +4515,7 @@ static void setup_rt_frame(int sig, struct target_sigaction *ka, - tswap_siginfo(&frame->info, info); - } - -- /*err |= __clear_user(&frame->uc, offsetof(struct ucontext, uc_mcontext));*/ -+ /*err |= __clear_user(&frame->uc, offsetof(ucontext_t, uc_mcontext));*/ - __put_user(0, &frame->uc.tuc_flags); - __put_user(0, &frame->uc.tuc_link); - __put_user(target_sigaltstack_used.ss_sp, -@@ -5007,7 +5007,7 @@ enum { - - struct target_ucontext { - target_ulong tuc_flags; -- target_ulong tuc_link; /* struct ucontext __user * */ -+ target_ulong tuc_link; /* ucontext_t __user * */ - struct target_sigaltstack tuc_stack; - #if !defined(TARGET_PPC64) - int32_t tuc_pad[7]; -diff --git a/tests/tcg/test-i386.c b/tests/tcg/test-i386.c -index 0f7b943..9599204 100644 ---- a/tests/tcg/test-i386.c -+++ b/tests/tcg/test-i386.c -@@ -1720,7 +1720,7 @@ int tab[2]; - - void sig_handler(int sig, siginfo_t *info, void *puc) - { -- struct ucontext *uc = puc; -+ ucontext_t *uc = puc; - - printf("si_signo=%d si_errno=%d si_code=%d", - info->si_signo, info->si_errno, info->si_code); -@@ -1912,7 +1912,7 @@ void test_exceptions(void) - /* specific precise single step test */ - void sig_trap_handler(int sig, siginfo_t *info, void *puc) - { -- struct ucontext *uc = puc; -+ ucontext_t *uc = puc; - printf("EIP=" FMTLX "\n", (long)uc->uc_mcontext.gregs[REG_EIP]); - } - -diff --git a/user-exec.c b/user-exec.c -index a8f95fa..2a975ea 100644 ---- a/user-exec.c -+++ b/user-exec.c -@@ -167,7 +167,7 @@ int cpu_signal_handler(int host_signum, void *pinfo, - #elif defined(__OpenBSD__) - struct sigcontext *uc = puc; - #else -- struct ucontext *uc = puc; -+ ucontext_t *uc = puc; - #endif - unsigned long pc; - int trapno; -@@ -222,7 +222,7 @@ int cpu_signal_handler(int host_signum, void *pinfo, - #elif defined(__OpenBSD__) - struct sigcontext *uc = puc; - #else -- struct ucontext *uc = puc; -+ ucontext_t *uc = puc; - #endif - - pc = PC_sig(uc); -@@ -289,7 +289,7 @@ int 
cpu_signal_handler(int host_signum, void *pinfo, - #if defined(__FreeBSD__) || defined(__FreeBSD_kernel__) - ucontext_t *uc = puc; - #else -- struct ucontext *uc = puc; -+ ucontext_t *uc = puc; - #endif - unsigned long pc; - int is_write; -@@ -316,7 +316,7 @@ int cpu_signal_handler(int host_signum, void *pinfo, - void *puc) - { - siginfo_t *info = pinfo; -- struct ucontext *uc = puc; -+ ucontext_t *uc = puc; - uint32_t *pc = uc->uc_mcontext.sc_pc; - uint32_t insn = *pc; - int is_write = 0; -@@ -414,7 +414,7 @@ int cpu_signal_handler(int host_signum, void *pinfo, - #if defined(__NetBSD__) - ucontext_t *uc = puc; - #else -- struct ucontext *uc = puc; -+ ucontext_t *uc = puc; - #endif - unsigned long pc; - int is_write; -@@ -441,7 +441,7 @@ int cpu_signal_handler(int host_signum, void *pinfo, - int cpu_signal_handler(int host_signum, void *pinfo, void *puc) - { - siginfo_t *info = pinfo; -- struct ucontext *uc = puc; -+ ucontext_t *uc = puc; - uintptr_t pc = uc->uc_mcontext.pc; - uint32_t insn = *(uint32_t *)pc; - bool is_write; -@@ -474,7 +474,7 @@ int cpu_signal_handler(int host_signum, void *pinfo, void *puc) - int cpu_signal_handler(int host_signum, void *pinfo, void *puc) - { - siginfo_t *info = pinfo; -- struct ucontext *uc = puc; -+ ucontext_t *uc = puc; - unsigned long ip; - int is_write = 0; - -@@ -505,7 +505,7 @@ int cpu_signal_handler(int host_signum, void *pinfo, - void *puc) - { - siginfo_t *info = pinfo; -- struct ucontext *uc = puc; -+ ucontext_t *uc = puc; - unsigned long pc; - uint16_t *pinsn; - int is_write = 0; -@@ -558,7 +558,7 @@ int cpu_signal_handler(int host_signum, void *pinfo, - void *puc) - { - siginfo_t *info = pinfo; -- struct ucontext *uc = puc; -+ ucontext_t *uc = puc; - greg_t pc = uc->uc_mcontext.pc; - int is_write; - --- -1.8.3.1 - 
diff --git a/import-layers/yocto-poky/meta/recipes-devtools/qemu/qemu/CVE-2016-9908.patch b/import-layers/yocto-poky/meta/recipes-devtools/qemu/qemu/CVE-2016-9908.patch deleted file mode 100644 index e0f7a1a3f..000000000 --- a/import-layers/yocto-poky/meta/recipes-devtools/qemu/qemu/CVE-2016-9908.patch +++ /dev/null @@ -1,44 +0,0 @@ -From 7139ccbc907441337b4b59cde2c5b5a54cb5b2cc Mon Sep 17 00:00:00 2001 -From: Sona Sarmadi <sona.sarmadi@enea.com> - -virtio-gpu: fix information leak in capset get dispatch - -In virgl_cmd_get_capset function, it uses g_malloc to allocate -a response struct to the guest. As the 'resp'struct hasn't been full -initialized it will lead the 'resp->padding' field to the guest. -Use g_malloc0 to avoid this. - -Signed-off-by: Li Qiang <liqiang6-s@360.cn> -Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> -Message-id: 58188cae.4a6ec20a.3d2d1.aff2@mx.google.com - -[Sona: backported from master to v2.8.0 and resolved conflict] - -Reference to upstream patch: -http://git.qemu-project.org/?p=qemu.git;a=commit;h=85d9d044471f93c48c5c396f7e217b4ef12f69f8 - -CVE: CVE-2016-9908 -Upstream-Status: Backport - -Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> -Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> ---- - hw/display/virtio-gpu-3d.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c -index 23f39de..d98b140 100644 ---- a/hw/display/virtio-gpu-3d.c -+++ b/hw/display/virtio-gpu-3d.c -@@ -371,7 +371,7 @@ static void virgl_cmd_get_capset(VirtIOGPU *g, - - virgl_renderer_get_cap_set(gc.capset_id, &max_ver, - &max_size); -- resp = g_malloc(sizeof(*resp) + max_size); -+ resp = g_malloc0(sizeof(*resp) + max_size); - - resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET; - virgl_renderer_fill_caps(gc.capset_id, --- -1.9.1 - 
diff --git a/import-layers/yocto-poky/meta/recipes-devtools/qemu/qemu/CVE-2016-9912.patch b/import-layers/yocto-poky/meta/recipes-devtools/qemu/qemu/CVE-2016-9912.patch deleted file mode 100644 index c009ffd96..000000000 --- a/import-layers/yocto-poky/meta/recipes-devtools/qemu/qemu/CVE-2016-9912.patch +++ /dev/null @@ -1,45 +0,0 @@ -From b8e23926c568f2e963af39028b71c472e3023793 Mon Sep 17 00:00:00 2001 -From: Li Qiang <liq3ea@gmail.com> -Date: Mon, 28 Nov 2016 21:29:25 -0500 -Subject: [PATCH] virtio-gpu: call cleanup mapping function in resource destroy - -If the guest destroy the resource before detach banking, the 'iov' -and 'addrs' field in resource is not freed thus leading memory -leak issue. This patch avoid this. - -CVE: CVE-2016-9912 -Upstream-Status: Backport - -Signed-off-by: Li Qiang <liq3ea@gmail.com> -Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> -Message-id: 1480386565-10077-1-git-send-email-liq3ea@gmail.com -Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> -Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> ---- - hw/display/virtio-gpu.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c -index ed2b6d3..6a26258 100644 ---- a/hw/display/virtio-gpu.c -+++ b/hw/display/virtio-gpu.c -@@ -28,6 +28,8 @@ - static struct virtio_gpu_simple_resource* - virtio_gpu_find_resource(VirtIOGPU *g, uint32_t resource_id); - -+static void virtio_gpu_cleanup_mapping(struct virtio_gpu_simple_resource *res); -+ - #ifdef CONFIG_VIRGL - #include <virglrenderer.h> - #define VIRGL(_g, _virgl, _simple, ...) \ -@@ -364,6 +366,7 @@ static void virtio_gpu_resource_destroy(VirtIOGPU *g, - struct virtio_gpu_simple_resource *res) - { - pixman_image_unref(res->image); -+ virtio_gpu_cleanup_mapping(res); - QTAILQ_REMOVE(&g->reslist, res, next); - g->hostmem -= res->hostmem; - g_free(res); --- -1.9.1 - 
diff --git a/import-layers/yocto-poky/meta/recipes-devtools/qemu/qemu/CVE-2017-13672.patch b/import-layers/yocto-poky/meta/recipes-devtools/qemu/qemu/CVE-2017-13672.patch new file mode 100644 index 000000000..ce0b1ee3e --- /dev/null +++ b/import-layers/yocto-poky/meta/recipes-devtools/qemu/qemu/CVE-2017-13672.patch 
@@ -0,0 +1,504 @@ +From 3d90c6254863693a6b13d918d2b8682e08bbc681 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann <kraxel@redhat.com> +Date: Mon, 28 Aug 2017 14:29:06 +0200 +Subject: [PATCH] vga: stop passing pointers to vga_draw_line* functions + +Instead pass around the address (aka offset into vga memory). +Add vga_read_* helper functions which apply vbe_size_mask to +the address, to make sure the address stays within the valid +range, similar to the cirrus blitter fixes (commits ffaf857778 +and 026aeffcb4). + +Impact: DoS for privileged guest users. qemu crashes with +a segfault, when hitting the guard page after vga memory +allocation, while reading vga memory for display updates. + +Fixes: CVE-2017-13672 +Cc: P J P <ppandit@redhat.com> +Reported-by: David Buchanan <d@vidbuchanan.co.uk> +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +Message-id: 20170828122906.18993-1-kraxel@redhat.com + +Upstream-Status: Backport +[https://git.qemu.org/?p=qemu.git;a=commit;h=3d90c6254863693a6b13d918d2b8682e08bbc681] + +CVE: CVE-2017-13672 + +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> +--- + hw/display/vga-helpers.h | 202 ++++++++++++++++++++++++++--------------------- + hw/display/vga.c | 5 +- + hw/display/vga_int.h | 1 + + 3 files changed, 114 insertions(+), 94 deletions(-) + +diff --git a/hw/display/vga-helpers.h b/hw/display/vga-helpers.h +index 94f6de2..5a752b3 100644 +--- a/hw/display/vga-helpers.h ++++ b/hw/display/vga-helpers.h +@@ -95,20 +95,46 @@ static void vga_draw_glyph9(uint8_t *d, int linesize, + } while (--h); + } + ++static inline uint8_t vga_read_byte(VGACommonState *vga, uint32_t addr) ++{ ++ return vga->vram_ptr[addr & vga->vbe_size_mask]; ++} ++ ++static inline uint16_t vga_read_word_le(VGACommonState *vga, uint32_t addr) ++{ ++ uint32_t offset = addr & vga->vbe_size_mask & ~1; ++ uint16_t *ptr = (uint16_t *)(vga->vram_ptr + offset); ++ return lduw_le_p(ptr); ++} ++ ++static inline uint16_t vga_read_word_be(VGACommonState *vga, uint32_t addr) ++{ ++ 
uint32_t offset = addr & vga->vbe_size_mask & ~1; ++ uint16_t *ptr = (uint16_t *)(vga->vram_ptr + offset); ++ return lduw_be_p(ptr); ++} ++ ++static inline uint32_t vga_read_dword_le(VGACommonState *vga, uint32_t addr) ++{ ++ uint32_t offset = addr & vga->vbe_size_mask & ~3; ++ uint32_t *ptr = (uint32_t *)(vga->vram_ptr + offset); ++ return ldl_le_p(ptr); ++} ++ + /* + * 4 color mode + */ +-static void vga_draw_line2(VGACommonState *s1, uint8_t *d, +- const uint8_t *s, int width) ++static void vga_draw_line2(VGACommonState *vga, uint8_t *d, ++ uint32_t addr, int width) + { + uint32_t plane_mask, *palette, data, v; + int x; + +- palette = s1->last_palette; +- plane_mask = mask16[s1->ar[VGA_ATC_PLANE_ENABLE] & 0xf]; ++ palette = vga->last_palette; ++ plane_mask = mask16[vga->ar[VGA_ATC_PLANE_ENABLE] & 0xf]; + width >>= 3; + for(x = 0; x < width; x++) { +- data = ((uint32_t *)s)[0]; ++ data = vga_read_dword_le(vga, addr); + data &= plane_mask; + v = expand2[GET_PLANE(data, 0)]; + v |= expand2[GET_PLANE(data, 2)] << 2; +@@ -124,7 +150,7 @@ static void vga_draw_line2(VGACommonState *s1, uint8_t *d, + ((uint32_t *)d)[6] = palette[(v >> 4) & 0xf]; + ((uint32_t *)d)[7] = palette[(v >> 0) & 0xf]; + d += 32; +- s += 4; ++ addr += 4; + } + } + +@@ -134,17 +160,17 @@ static void vga_draw_line2(VGACommonState *s1, uint8_t *d, + /* + * 4 color mode, dup2 horizontal + */ +-static void vga_draw_line2d2(VGACommonState *s1, uint8_t *d, +- const uint8_t *s, int width) ++static void vga_draw_line2d2(VGACommonState *vga, uint8_t *d, ++ uint32_t addr, int width) + { + uint32_t plane_mask, *palette, data, v; + int x; + +- palette = s1->last_palette; +- plane_mask = mask16[s1->ar[VGA_ATC_PLANE_ENABLE] & 0xf]; ++ palette = vga->last_palette; ++ plane_mask = mask16[vga->ar[VGA_ATC_PLANE_ENABLE] & 0xf]; + width >>= 3; + for(x = 0; x < width; x++) { +- data = ((uint32_t *)s)[0]; ++ data = vga_read_dword_le(vga, addr); + data &= plane_mask; + v = expand2[GET_PLANE(data, 0)]; + v |= 
expand2[GET_PLANE(data, 2)] << 2; +@@ -160,24 +186,24 @@ static void vga_draw_line2d2(VGACommonState *s1, uint8_t *d, + PUT_PIXEL2(d, 6, palette[(v >> 4) & 0xf]); + PUT_PIXEL2(d, 7, palette[(v >> 0) & 0xf]); + d += 64; +- s += 4; ++ addr += 4; + } + } + + /* + * 16 color mode + */ +-static void vga_draw_line4(VGACommonState *s1, uint8_t *d, +- const uint8_t *s, int width) ++static void vga_draw_line4(VGACommonState *vga, uint8_t *d, ++ uint32_t addr, int width) + { + uint32_t plane_mask, data, v, *palette; + int x; + +- palette = s1->last_palette; +- plane_mask = mask16[s1->ar[VGA_ATC_PLANE_ENABLE] & 0xf]; ++ palette = vga->last_palette; ++ plane_mask = mask16[vga->ar[VGA_ATC_PLANE_ENABLE] & 0xf]; + width >>= 3; + for(x = 0; x < width; x++) { +- data = ((uint32_t *)s)[0]; ++ data = vga_read_dword_le(vga, addr); + data &= plane_mask; + v = expand4[GET_PLANE(data, 0)]; + v |= expand4[GET_PLANE(data, 1)] << 1; +@@ -192,24 +218,24 @@ static void vga_draw_line4(VGACommonState *s1, uint8_t *d, + ((uint32_t *)d)[6] = palette[(v >> 4) & 0xf]; + ((uint32_t *)d)[7] = palette[(v >> 0) & 0xf]; + d += 32; +- s += 4; ++ addr += 4; + } + } + + /* + * 16 color mode, dup2 horizontal + */ +-static void vga_draw_line4d2(VGACommonState *s1, uint8_t *d, +- const uint8_t *s, int width) ++static void vga_draw_line4d2(VGACommonState *vga, uint8_t *d, ++ uint32_t addr, int width) + { + uint32_t plane_mask, data, v, *palette; + int x; + +- palette = s1->last_palette; +- plane_mask = mask16[s1->ar[VGA_ATC_PLANE_ENABLE] & 0xf]; ++ palette = vga->last_palette; ++ plane_mask = mask16[vga->ar[VGA_ATC_PLANE_ENABLE] & 0xf]; + width >>= 3; + for(x = 0; x < width; x++) { +- data = ((uint32_t *)s)[0]; ++ data = vga_read_dword_le(vga, addr); + data &= plane_mask; + v = expand4[GET_PLANE(data, 0)]; + v |= expand4[GET_PLANE(data, 1)] << 1; +@@ -224,7 +250,7 @@ static void vga_draw_line4d2(VGACommonState *s1, uint8_t *d, + PUT_PIXEL2(d, 6, palette[(v >> 4) & 0xf]); + PUT_PIXEL2(d, 7, palette[(v >> 0) & 
0xf]); + d += 64; +- s += 4; ++ addr += 4; + } + } + +@@ -233,21 +259,21 @@ static void vga_draw_line4d2(VGACommonState *s1, uint8_t *d, + * + * XXX: add plane_mask support (never used in standard VGA modes) + */ +-static void vga_draw_line8d2(VGACommonState *s1, uint8_t *d, +- const uint8_t *s, int width) ++static void vga_draw_line8d2(VGACommonState *vga, uint8_t *d, ++ uint32_t addr, int width) + { + uint32_t *palette; + int x; + +- palette = s1->last_palette; ++ palette = vga->last_palette; + width >>= 3; + for(x = 0; x < width; x++) { +- PUT_PIXEL2(d, 0, palette[s[0]]); +- PUT_PIXEL2(d, 1, palette[s[1]]); +- PUT_PIXEL2(d, 2, palette[s[2]]); +- PUT_PIXEL2(d, 3, palette[s[3]]); ++ PUT_PIXEL2(d, 0, palette[vga_read_byte(vga, addr + 0)]); ++ PUT_PIXEL2(d, 1, palette[vga_read_byte(vga, addr + 1)]); ++ PUT_PIXEL2(d, 2, palette[vga_read_byte(vga, addr + 2)]); ++ PUT_PIXEL2(d, 3, palette[vga_read_byte(vga, addr + 3)]); + d += 32; +- s += 4; ++ addr += 4; + } + } + +@@ -256,63 +282,63 @@ static void vga_draw_line8d2(VGACommonState *s1, uint8_t *d, + * + * XXX: add plane_mask support (never used in standard VGA modes) + */ +-static void vga_draw_line8(VGACommonState *s1, uint8_t *d, +- const uint8_t *s, int width) ++static void vga_draw_line8(VGACommonState *vga, uint8_t *d, ++ uint32_t addr, int width) + { + uint32_t *palette; + int x; + +- palette = s1->last_palette; ++ palette = vga->last_palette; + width >>= 3; + for(x = 0; x < width; x++) { +- ((uint32_t *)d)[0] = palette[s[0]]; +- ((uint32_t *)d)[1] = palette[s[1]]; +- ((uint32_t *)d)[2] = palette[s[2]]; +- ((uint32_t *)d)[3] = palette[s[3]]; +- ((uint32_t *)d)[4] = palette[s[4]]; +- ((uint32_t *)d)[5] = palette[s[5]]; +- ((uint32_t *)d)[6] = palette[s[6]]; +- ((uint32_t *)d)[7] = palette[s[7]]; ++ ((uint32_t *)d)[0] = palette[vga_read_byte(vga, addr + 0)]; ++ ((uint32_t *)d)[1] = palette[vga_read_byte(vga, addr + 1)]; ++ ((uint32_t *)d)[2] = palette[vga_read_byte(vga, addr + 2)]; ++ ((uint32_t *)d)[3] = 
palette[vga_read_byte(vga, addr + 3)]; ++ ((uint32_t *)d)[4] = palette[vga_read_byte(vga, addr + 4)]; ++ ((uint32_t *)d)[5] = palette[vga_read_byte(vga, addr + 5)]; ++ ((uint32_t *)d)[6] = palette[vga_read_byte(vga, addr + 6)]; ++ ((uint32_t *)d)[7] = palette[vga_read_byte(vga, addr + 7)]; + d += 32; +- s += 8; ++ addr += 8; + } + } + + /* + * 15 bit color + */ +-static void vga_draw_line15_le(VGACommonState *s1, uint8_t *d, +- const uint8_t *s, int width) ++static void vga_draw_line15_le(VGACommonState *vga, uint8_t *d, ++ uint32_t addr, int width) + { + int w; + uint32_t v, r, g, b; + + w = width; + do { +- v = lduw_le_p((void *)s); ++ v = vga_read_word_le(vga, addr); + r = (v >> 7) & 0xf8; + g = (v >> 2) & 0xf8; + b = (v << 3) & 0xf8; + ((uint32_t *)d)[0] = rgb_to_pixel32(r, g, b); +- s += 2; ++ addr += 2; + d += 4; + } while (--w != 0); + } + +-static void vga_draw_line15_be(VGACommonState *s1, uint8_t *d, +- const uint8_t *s, int width) ++static void vga_draw_line15_be(VGACommonState *vga, uint8_t *d, ++ uint32_t addr, int width) + { + int w; + uint32_t v, r, g, b; + + w = width; + do { +- v = lduw_be_p((void *)s); ++ v = vga_read_word_be(vga, addr); + r = (v >> 7) & 0xf8; + g = (v >> 2) & 0xf8; + b = (v << 3) & 0xf8; + ((uint32_t *)d)[0] = rgb_to_pixel32(r, g, b); +- s += 2; ++ addr += 2; + d += 4; + } while (--w != 0); + } +@@ -320,38 +346,38 @@ static void vga_draw_line15_be(VGACommonState *s1, uint8_t *d, + /* + * 16 bit color + */ +-static void vga_draw_line16_le(VGACommonState *s1, uint8_t *d, +- const uint8_t *s, int width) ++static void vga_draw_line16_le(VGACommonState *vga, uint8_t *d, ++ uint32_t addr, int width) + { + int w; + uint32_t v, r, g, b; + + w = width; + do { +- v = lduw_le_p((void *)s); ++ v = vga_read_word_le(vga, addr); + r = (v >> 8) & 0xf8; + g = (v >> 3) & 0xfc; + b = (v << 3) & 0xf8; + ((uint32_t *)d)[0] = rgb_to_pixel32(r, g, b); +- s += 2; ++ addr += 2; + d += 4; + } while (--w != 0); + } + +-static void 
vga_draw_line16_be(VGACommonState *s1, uint8_t *d, +- const uint8_t *s, int width) ++static void vga_draw_line16_be(VGACommonState *vga, uint8_t *d, ++ uint32_t addr, int width) + { + int w; + uint32_t v, r, g, b; + + w = width; + do { +- v = lduw_be_p((void *)s); ++ v = vga_read_word_be(vga, addr); + r = (v >> 8) & 0xf8; + g = (v >> 3) & 0xfc; + b = (v << 3) & 0xf8; + ((uint32_t *)d)[0] = rgb_to_pixel32(r, g, b); +- s += 2; ++ addr += 2; + d += 4; + } while (--w != 0); + } +@@ -359,36 +385,36 @@ static void vga_draw_line16_be(VGACommonState *s1, uint8_t *d, + /* + * 24 bit color + */ +-static void vga_draw_line24_le(VGACommonState *s1, uint8_t *d, +- const uint8_t *s, int width) ++static void vga_draw_line24_le(VGACommonState *vga, uint8_t *d, ++ uint32_t addr, int width) + { + int w; + uint32_t r, g, b; + + w = width; + do { +- b = s[0]; +- g = s[1]; +- r = s[2]; ++ b = vga_read_byte(vga, addr + 0); ++ g = vga_read_byte(vga, addr + 1); ++ r = vga_read_byte(vga, addr + 2); + ((uint32_t *)d)[0] = rgb_to_pixel32(r, g, b); +- s += 3; ++ addr += 3; + d += 4; + } while (--w != 0); + } + +-static void vga_draw_line24_be(VGACommonState *s1, uint8_t *d, +- const uint8_t *s, int width) ++static void vga_draw_line24_be(VGACommonState *vga, uint8_t *d, ++ uint32_t addr, int width) + { + int w; + uint32_t r, g, b; + + w = width; + do { +- r = s[0]; +- g = s[1]; +- b = s[2]; ++ r = vga_read_byte(vga, addr + 0); ++ g = vga_read_byte(vga, addr + 1); ++ b = vga_read_byte(vga, addr + 2); + ((uint32_t *)d)[0] = rgb_to_pixel32(r, g, b); +- s += 3; ++ addr += 3; + d += 4; + } while (--w != 0); + } +@@ -396,44 +422,36 @@ static void vga_draw_line24_be(VGACommonState *s1, uint8_t *d, + /* + * 32 bit color + */ +-static void vga_draw_line32_le(VGACommonState *s1, uint8_t *d, +- const uint8_t *s, int width) ++static void vga_draw_line32_le(VGACommonState *vga, uint8_t *d, ++ uint32_t addr, int width) + { +-#ifndef HOST_WORDS_BIGENDIAN +- memcpy(d, s, width * 4); +-#else + int w; + 
uint32_t r, g, b; + + w = width; + do { +- b = s[0]; +- g = s[1]; +- r = s[2]; ++ b = vga_read_byte(vga, addr + 0); ++ g = vga_read_byte(vga, addr + 1); ++ r = vga_read_byte(vga, addr + 2); + ((uint32_t *)d)[0] = rgb_to_pixel32(r, g, b); +- s += 4; ++ addr += 4; + d += 4; + } while (--w != 0); +-#endif + } + +-static void vga_draw_line32_be(VGACommonState *s1, uint8_t *d, +- const uint8_t *s, int width) ++static void vga_draw_line32_be(VGACommonState *vga, uint8_t *d, ++ uint32_t addr, int width) + { +-#ifdef HOST_WORDS_BIGENDIAN +- memcpy(d, s, width * 4); +-#else + int w; + uint32_t r, g, b; + + w = width; + do { +- r = s[1]; +- g = s[2]; +- b = s[3]; ++ r = vga_read_byte(vga, addr + 1); ++ g = vga_read_byte(vga, addr + 2); ++ b = vga_read_byte(vga, addr + 3); + ((uint32_t *)d)[0] = rgb_to_pixel32(r, g, b); +- s += 4; ++ addr += 4; + d += 4; + } while (--w != 0); +-#endif + } +diff --git a/hw/display/vga.c b/hw/display/vga.c +index ad7a465..6fc8c87 100644 +--- a/hw/display/vga.c ++++ b/hw/display/vga.c +@@ -1005,7 +1005,7 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val) + } + + typedef void vga_draw_line_func(VGACommonState *s1, uint8_t *d, +- const uint8_t *s, int width); ++ uint32_t srcaddr, int width); + + #include "vga-helpers.h" + +@@ -1666,7 +1666,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update) + if (y_start < 0) + y_start = y; + if (!(is_buffer_shared(surface))) { +- vga_draw_line(s, d, s->vram_ptr + addr, width); ++ vga_draw_line(s, d, addr, width); + if (s->cursor_draw_line) + s->cursor_draw_line(s, d, y); + } +@@ -2170,6 +2170,7 @@ void vga_common_init(VGACommonState *s, Object *obj, bool global_vmstate) + if (!s->vbe_size) { + s->vbe_size = s->vram_size; + } ++ s->vbe_size_mask = s->vbe_size - 1; + + s->is_vbe_vmstate = 1; + memory_region_init_ram_nomigrate(&s->vram, obj, "vga.vram", s->vram_size, +diff --git a/hw/display/vga_int.h b/hw/display/vga_int.h +index dd6c958..ad34a1f 100644 +--- 
a/hw/display/vga_int.h ++++ b/hw/display/vga_int.h +@@ -94,6 +94,7 @@ typedef struct VGACommonState { + uint32_t vram_size; + uint32_t vram_size_mb; /* property */ + uint32_t vbe_size; ++ uint32_t vbe_size_mask; + uint32_t latch; + bool has_chain4_alias; + MemoryRegion chain4_alias; +-- +2.7.4 + diff --git a/import-layers/yocto-poky/meta/recipes-devtools/qemu/qemu/CVE-2017-13673.patch b/import-layers/yocto-poky/meta/recipes-devtools/qemu/qemu/CVE-2017-13673.patch new file mode 100644 index 000000000..3d0695fd6 --- /dev/null +++ b/import-layers/yocto-poky/meta/recipes-devtools/qemu/qemu/CVE-2017-13673.patch 
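Review bot: `s->vbe_size_mask = s->vbe_size - 1;` in the vga_common_init hunk only bounds the new vga_read_* reads if vbe_size is a power of two, and nothing in the hunk checks or documents that; vga_common_init begins and ends outside the hunk, and the `if (!s->vbe_size)` context suggests a caller may have set vbe_size before this point, so an `assert(is_power_of_2(s->vbe_size));` next to the assignment, or at least a comment `/* vbe_size must be a power of two for this mask to keep every read inside vram */`, would make the assumption explicit. A second, smaller point: vga_read_word_le/be and vga_read_dword_le align the offset down with `& ~1` / `& ~3`, whereas the removed `lduw_le_p((void *)s)` and `((uint32_t *)s)[0]` reads used the unaligned address, so a guest that programs an odd start address now sees slightly different pixels; that is presumably intended, but a one-line comment on the helpers saying the alignment is deliberate would stop the next reader from treating it as a regression.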
@@ -0,0 +1,53 @@ +From e65294157d4b69393b3f819c99f4f647452b48e3 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann <kraxel@redhat.com> +Date: Mon, 28 Aug 2017 14:33:07 +0200 +Subject: [PATCH] vga: fix display update region calculation (split screen) + +vga display update mis-calculated the region for the dirty bitmap +snapshot in case split screen mode is used. This can trigger an +assert in cpu_physical_memory_snapshot_get_dirty(). + +Impact: DoS for privileged guest users. + +Fixes: CVE-2017-13673 +Fixes: fec5e8c92becad223df9d972770522f64aafdb72 +Cc: P J P <ppandit@redhat.com> +Reported-by: David Buchanan <d@vidbuchanan.co.uk> +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +Message-id: 20170828123307.15392-1-kraxel@redhat.com + +Upstream-Status: Backport +[https://git.qemu.org/?p=qemu.git;a=commit;h=e65294157d4b69393b3f819c99f4f647452b48e3] + +CVE: CVE-2017-13673 + +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> +--- + hw/display/vga.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/hw/display/vga.c b/hw/display/vga.c +index 3433102..ad7a465 100644 +--- a/hw/display/vga.c ++++ b/hw/display/vga.c +@@ -1628,9 +1628,15 @@ static void vga_draw_graphic(VGACommonState *s, int full_update) + y1 = 0; + + if (!full_update) { ++ ram_addr_t region_start = addr1; ++ ram_addr_t region_end = addr1 + line_offset * height; + vga_sync_dirty_bitmap(s); +- snap = memory_region_snapshot_and_clear_dirty(&s->vram, addr1, +- line_offset * height, ++ if (s->line_compare < height) { ++ /* split screen mode */ ++ region_start = 0; ++ } ++ snap = memory_region_snapshot_and_clear_dirty(&s->vram, region_start, ++ region_end - region_start, + DIRTY_MEMORY_VGA); + } + +-- +2.7.4 + diff --git a/import-layers/yocto-poky/meta/recipes-devtools/qemu/qemu/CVE-2017-13711.patch b/import-layers/yocto-poky/meta/recipes-devtools/qemu/qemu/CVE-2017-13711.patch new file mode 100644 index 000000000..352f73f62 --- /dev/null 
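Review bot: The `/* split screen mode */` comment in the vga_draw_graphic hunk names the case but not why `region_start` drops to 0 while `region_end` stays at `addr1 + line_offset * height`; a reader has to already know that in split-screen mode the lower part of the screen is fetched from vram address 0, so the snapshot has to cover from 0 up to the end of the upper window. I would expand it to `/* split screen: lines below line_compare are read from vram address 0, so the snapshot must start there and still extend to the end of the upper window */`. vga_draw_graphic starts and ends outside the hunk, so the types of line_offset and height are not visible here; if they are plain int, the product feeding region_end is worth a glance for overflow, although the removed call already computed the same product.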
+++ b/import-layers/yocto-poky/meta/recipes-devtools/qemu/qemu/CVE-2017-13711.patch 
@@ -0,0 +1,87 @@ +From 1201d308519f1e915866d7583d5136d03cc1d384 Mon Sep 17 00:00:00 2001 +From: Samuel Thibault <samuel.thibault@ens-lyon.org> +Date: Fri, 25 Aug 2017 01:35:53 +0200 +Subject: [PATCH] slirp: fix clearing ifq_so from pending packets +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The if_fastq and if_batchq contain not only packets, but queues of packets +for the same socket. When sofree frees a socket, it thus has to clear ifq_so +from all the packets from the queues, not only the first. + +Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org> +Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> +Cc: qemu-stable@nongnu.org +Signed-off-by: Peter Maydell <peter.maydell@linaro.org> + +Upstream-Status: Backport +[https://git.qemu.org/?p=qemu.git;a=commit;h=1201d308519f1e915866d7583d5136d03cc1d384] + +CVE: CVE-2017-13711 + +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> +--- + slirp/socket.c | 39 +++++++++++++++++++++++---------------- + 1 file changed, 23 insertions(+), 16 deletions(-) + +diff --git a/slirp/socket.c b/slirp/socket.c +index ecec029..cb7b5b6 100644 +--- a/slirp/socket.c ++++ b/slirp/socket.c +@@ -60,29 +60,36 @@ socreate(Slirp *slirp) + } + + /* ++ * Remove references to so from the given message queue. 
++ */ ++static void ++soqfree(struct socket *so, struct quehead *qh) ++{ ++ struct mbuf *ifq; ++ ++ for (ifq = (struct mbuf *) qh->qh_link; ++ (struct quehead *) ifq != qh; ++ ifq = ifq->ifq_next) { ++ if (ifq->ifq_so == so) { ++ struct mbuf *ifm; ++ ifq->ifq_so = NULL; ++ for (ifm = ifq->ifs_next; ifm != ifq; ifm = ifm->ifs_next) { ++ ifm->ifq_so = NULL; ++ } ++ } ++ } ++} ++ ++/* + * remque and free a socket, clobber cache + */ + void + sofree(struct socket *so) + { + Slirp *slirp = so->slirp; +- struct mbuf *ifm; + +- for (ifm = (struct mbuf *) slirp->if_fastq.qh_link; +- (struct quehead *) ifm != &slirp->if_fastq; +- ifm = ifm->ifq_next) { +- if (ifm->ifq_so == so) { +- ifm->ifq_so = NULL; +- } +- } +- +- for (ifm = (struct mbuf *) slirp->if_batchq.qh_link; +- (struct quehead *) ifm != &slirp->if_batchq; +- ifm = ifm->ifq_next) { +- if (ifm->ifq_so == so) { +- ifm->ifq_so = NULL; +- } +- } ++ soqfree(so, &slirp->if_fastq); ++ soqfree(so, &slirp->if_batchq); + + if (so->so_emu==EMU_RSH && so->extra) { + sofree(so->extra); +-- +2.7.4 + diff --git a/import-layers/yocto-poky/meta/recipes-devtools/qemu/qemu/CVE-2017-14167.patch b/import-layers/yocto-poky/meta/recipes-devtools/qemu/qemu/CVE-2017-14167.patch new file mode 100644 index 000000000..969ad877d --- /dev/null +++ b/import-layers/yocto-poky/meta/recipes-devtools/qemu/qemu/CVE-2017-14167.patch 
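Review bot: The header comment on the new `soqfree` (`Remove references to so from the given message queue.`) does not say that it also walks the per-socket chain hanging off each queue entry, which per the commit message and the inner `ifs_next` loop is the whole reason the helper exists. I would make it `Clear ifq_so on every packet in the queue that belongs to so, including the packets chained behind a queue entry via ifs_next (packets for one socket sit in the queue as a single entry with a sub-list, not as separate entries).` It is also worth stating that the inner walk relies on the `ifs_next` ring closing back on `ifq`, since `ifm != ifq` is its only termination condition. sofree continues outside the hunk; its recursive `sofree(so->extra)` call is pre-existing.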
@@ -0,0 +1,70 @@ +From ed4f86e8b6eff8e600c69adee68c7cd34dd2cccb Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit <pjp@fedoraproject.org> +Date: Thu, 7 Sep 2017 12:02:56 +0530 +Subject: [PATCH] multiboot: validate multiboot header address values + +While loading kernel via multiboot-v1 image, (flags & 0x00010000) +indicates that multiboot header contains valid addresses to load +the kernel image. These addresses are used to compute kernel +size and kernel text offset in the OS image. Validate these +address values to avoid an OOB access issue. + +This is CVE-2017-14167. + +Reported-by: Thomas Garnier <thgarnie@google.com> +Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> +Message-Id: <20170907063256.7418-1-ppandit@redhat.com> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> + +Upstream-Status: Backport +[https://git.qemu.org/?p=qemu.git;a=commit;h=ed4f86e8b6eff8e600c69adee68c7cd34dd2cccb] + +CVE: CVE-2017-14167 + +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> +--- + hw/i386/multiboot.c | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +diff --git a/hw/i386/multiboot.c b/hw/i386/multiboot.c +index 6001f4c..c7b70c9 100644 +--- a/hw/i386/multiboot.c ++++ b/hw/i386/multiboot.c +@@ -221,15 +221,34 @@ int load_multiboot(FWCfgState *fw_cfg, + uint32_t mh_header_addr = ldl_p(header+i+12); + uint32_t mh_load_end_addr = ldl_p(header+i+20); + uint32_t mh_bss_end_addr = ldl_p(header+i+24); ++ + mh_load_addr = ldl_p(header+i+16); ++ if (mh_header_addr < mh_load_addr) { ++ fprintf(stderr, "invalid mh_load_addr address\n"); ++ exit(1); ++ } ++ + uint32_t mb_kernel_text_offset = i - (mh_header_addr - mh_load_addr); + uint32_t mb_load_size = 0; + mh_entry_addr = ldl_p(header+i+28); + + if (mh_load_end_addr) { ++ if (mh_bss_end_addr < mh_load_addr) { ++ fprintf(stderr, "invalid mh_bss_end_addr address\n"); ++ exit(1); ++ } + mb_kernel_size = mh_bss_end_addr - mh_load_addr; ++ ++ if (mh_load_end_addr < mh_load_addr) { ++ fprintf(stderr, "invalid mh_load_end_addr 
address\n"); ++ exit(1); ++ } + mb_load_size = mh_load_end_addr - mh_load_addr; + } else { ++ if (kernel_file_size < mb_kernel_text_offset) { ++ fprintf(stderr, "invalid kernel_file_size\n"); ++ exit(1); ++ } + mb_kernel_size = kernel_file_size - mb_kernel_text_offset; + mb_load_size = mb_kernel_size; + } +-- +2.7.4 + diff --git a/import-layers/yocto-poky/meta/recipes-devtools/qemu/qemu/add-ptest-in-makefile.patch b/import-layers/yocto-poky/meta/recipes-devtools/qemu/qemu/add-ptest-in-makefile-v10.patch index 2ce3478e4..e9639820b 100644 --- a/import-layers/yocto-poky/meta/recipes-devtools/qemu/qemu/add-ptest-in-makefile.patch +++ b/import-layers/yocto-poky/meta/recipes-devtools/qemu/qemu/add-ptest-in-makefile-v10.patch @@ -1,21 +1,22 @@ -Upstream-Status: Pending +From 4201a5791fc4798a45a9b9f881602d7bacb74ed1 Mon Sep 17 00:00:00 2001 +From: Juro Bystricky <juro.bystricky@intel.com> +Date: Thu, 31 Aug 2017 11:06:56 -0700 +Subject: Add subpackage -ptest which runs all unit test cases for qemu. -Add subpackage -ptest which runs all unit test cases for qemu. +Upstream-Status: Pending Signed-off-by: Kai Kang <kai.kang@windriver.com> ---- - tests/Makefile.include | 8 ++++++++ - 1 file changed, 8 insertions(+) + +Signed-off-by: Juro Bystricky <juro.bystricky@intel.com> diff --git a/tests/Makefile.include b/tests/Makefile.include -index 14be491..0fce37a 100644 +index f08b741..3d1b3e9 100644 --- a/tests/Makefile.include +++ b/tests/Makefile.include -@@ -776,3 +776,11 @@ all: $(QEMU_IOTESTS_HELPERS-y) - +@@ -924,4 +924,12 @@ all: $(QEMU_IOTESTS_HELPERS-y) -include $(wildcard tests/*.d) -include $(wildcard tests/libqos/*.d) -+ + +buildtest-TESTS: $(check-unit-y) + +runtest-TESTS: @@ -23,6 +24,5 @@ index 14be491..0fce37a 100644 + nf=$$(echo $$f | sed 's/tests\//\.\//g'); \ + $$nf; \ + done --- -2.9.0 - ++ + endif 
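Review bot: The new checks reject `mh_header_addr < mh_load_addr` but not the case where `mh_header_addr - mh_load_addr` exceeds `i`, so `mb_kernel_text_offset = i - (mh_header_addr - mh_load_addr)` can still wrap to a huge uint32_t; the added `kernel_file_size < mb_kernel_text_offset` guard only covers the `else` branch, and in the `mh_load_end_addr` branch the wrapped offset leaves the hunk unchecked. I would add, directly after the existing load-address check, `if (mh_header_addr - mh_load_addr > i) { fprintf(stderr, "invalid mh_header_addr address\n"); exit(1); }`. Whether the later code that consumes `mb_kernel_text_offset` together with `mb_load_size` has its own bound is not visible here; load_multiboot continues outside the hunk.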
diff --git a/import-layers/yocto-poky/meta/recipes-devtools/qemu/qemu/apic-fixup-fallthrough-to-PIC.patch b/import-layers/yocto-poky/meta/recipes-devtools/qemu/qemu/apic-fixup-fallthrough-to-PIC.patch new file mode 100644 index 000000000..9bbbc6f76 --- /dev/null +++ b/import-layers/yocto-poky/meta/recipes-devtools/qemu/qemu/apic-fixup-fallthrough-to-PIC.patch 
@@ -0,0 +1,46 @@ +From bef93bb81588b5323a52d2e1886f2a77b64a976b Mon Sep 17 00:00:00 2001 +From: Mark Asselstine <mark.asselstine@windriver.com> +Date: Tue, 26 Feb 2013 11:43:28 -0500 +Subject: [PATCH 03/18] apic: fixup fallthrough to PIC + +Commit 0e21e12bb311c4c1095d0269dc2ef81196ccb60a [Don't route PIC +interrupts through the local APIC if the local APIC config says so.] +missed a check to ensure the local APIC is enabled. Since if the local +APIC is disabled it doesn't matter what the local APIC config says. + +If this check isn't done and the guest has disabled the local APIC the +guest will receive a general protection fault, similar to what is seen +here: + +https://lists.gnu.org/archive/html/qemu-devel/2012-12/msg02304.html + +The GPF is caused by an attempt to service interrupt 0xffffffff. This +comes about since cpu_get_pic_interrupt() calls apic_accept_pic_intr() +(with the local APIC disabled apic_get_interrupt() returns -1). +apic_accept_pic_intr() returns 0 and thus the interrupt number which +is returned from cpu_get_pic_interrupt(), and which is attempted to be +serviced, is -1. + +Signed-off-by: Mark Asselstine <mark.asselstine@windriver.com> +Upstream-Status: Submitted [https://lists.gnu.org/archive/html/qemu-devel/2013-04/msg00878.html] +Signed-off-by: He Zhe <zhe.he@windriver.com> +--- + hw/intc/apic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/intc/apic.c b/hw/intc/apic.c +index 45887d99..c5ae4087 100644 +--- a/hw/intc/apic.c ++++ b/hw/intc/apic.c +@@ -587,7 +587,7 @@ int apic_accept_pic_intr(DeviceState *dev) + APICCommonState *s = APIC_COMMON(dev); + uint32_t lvt0; + +- if (!s) ++ if (!s || !(s->spurious_vec & APIC_SV_ENABLE)) + return -1; + + lvt0 = s->lvt[APIC_LVT_LINT0]; +-- +2.11.0 + 
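Review bot: The widened guard returns -1 for a software-disabled LAPIC exactly as for a missing one, but nothing in the hunk states that a non-zero return means the PIC interrupt is accepted, which is the fall-through behaviour the commit message relies on and, as far as I recall, what the caller tests with a plain truthiness check. I would add above the `if`: `/* No LAPIC, or LAPIC software-disabled via the spurious-vector enable bit: let the PIC deliver (non-zero return = accept PIC interrupt) */`. The unbraced single-statement `if` is inherited from the original line, but since the line is being touched anyway it is a cheap place to add the braces QEMU's coding style asks for. The rest of apic_accept_pic_intr runs outside the hunk.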
diff --git a/import-layers/yocto-poky/meta/recipes-devtools/qemu/qemu/configure-fix-Darwin-target-detection.patch b/import-layers/yocto-poky/meta/recipes-devtools/qemu/qemu/configure-fix-Darwin-target-detection.patch deleted file mode 100644 index 59cdc1c30..000000000 --- a/import-layers/yocto-poky/meta/recipes-devtools/qemu/qemu/configure-fix-Darwin-target-detection.patch +++ /dev/null @@ -1,32 +0,0 @@ -Upstream-Status: Pending -Signed-off-by: Cristian Iorga <cristian.iorga@intel.com> - -From 9ac096d8eccf2d56ece646320c282c8369f8337c Mon Sep 17 00:00:00 2001 -From: Cristian Iorga <cristian.iorga@intel.com> -Date: Tue, 29 Jul 2014 18:35:59 +0300 -Subject: [PATCH] configure: fix Darwin target detection - -fix Darwin target detection for qemu -cross-compilation. - -Signed-off-by: Cristian Iorga <cristian.iorga@intel.com> ---- - configure | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/configure b/configure -index 283c71c..1c66a11 100755 ---- a/configure -+++ b/configure -@@ -444,6 +444,8 @@ elif check_define __sun__ ; then - targetos='SunOS' - elif check_define __HAIKU__ ; then - targetos='Haiku' -+elif check_define __APPLE__ ; then -+ targetos='Darwin' - else - targetos=`uname -s` - fi --- -1.9.1 - diff --git a/import-layers/yocto-poky/meta/recipes-devtools/qemu/qemu/ppc_locking.patch b/import-layers/yocto-poky/meta/recipes-devtools/qemu/qemu/ppc_locking.patch new file mode 100644 index 000000000..6f722433d --- /dev/null +++ b/import-layers/yocto-poky/meta/recipes-devtools/qemu/qemu/ppc_locking.patch 
@@ -0,0 +1,105 @@ +I've tracked down what I think is a problem causing qemu-system-ppc +to hang whilst booting images. + +I believe the decrementer timer stops receiving interrupts so +tasks in our images hang indefinitely as the timer stopped. + +It can be summed up with this line of debug: + +ppc_set_irq: 0x55b4e0d562f0 n_IRQ 8 level 1 => pending 00000100req 00000004 + +It should normally read: + +ppc_set_irq: 0x55b4e0d562f0 n_IRQ 8 level 1 => pending 00000100req 00000002 + +The question is why CPU_INTERRUPT_EXITTB ends up being set when the +lines above this log message clearly sets CPU_INTERRUPT_HARD (via +cpu_interrupt() ). + +I note in cpu.h: + + /* updates protected by BQL */ + uint32_t interrupt_request; + +(for struct CPUState) + +The ppc code does "cs->interrupt_request |= CPU_INTERRUPT_EXITTB" in 5 +places, 3 in excp_helper.c and 2 in helper_regs.h. In all cases, +g_assert(qemu_mutex_iothread_locked()); fails. If I do something like: + +if (!qemu_mutex_iothread_locked()) { + qemu_mutex_lock_iothread(); + cpu_interrupt(cs, CPU_INTERRUPT_EXITTB); + qemu_mutex_unlock_iothread(); +} else { + cpu_interrupt(cs, CPU_INTERRUPT_EXITTB); +} + +in these call sites then I can no longer lock qemu up with my test +case. + +I suspect the _HARD setting gets overwritten which stops the +decrementer interrupts being delivered. 
+ +Upstream-Status: Submitted [Issue discussed on qemu mailing list 2017/11/20] +RP 2017/11/20 + +Index: qemu-2.10.1/target/ppc/excp_helper.c +=================================================================== +--- qemu-2.10.1.orig/target/ppc/excp_helper.c ++++ qemu-2.10.1/target/ppc/excp_helper.c +@@ -207,7 +207,9 @@ static inline void powerpc_excp(PowerPCC + "Entering checkstop state\n"); + } + cs->halted = 1; +- cs->interrupt_request |= CPU_INTERRUPT_EXITTB; ++ qemu_mutex_lock_iothread(); ++ cpu_interrupt(cs, CPU_INTERRUPT_EXITTB); ++ qemu_mutex_unlock_iothread(); + } + if (env->msr_mask & MSR_HVB) { + /* ISA specifies HV, but can be delivered to guest with HV clear +@@ -940,7 +942,9 @@ void helper_store_msr(CPUPPCState *env, + + if (excp != 0) { + CPUState *cs = CPU(ppc_env_get_cpu(env)); +- cs->interrupt_request |= CPU_INTERRUPT_EXITTB; ++ qemu_mutex_lock_iothread(); ++ cpu_interrupt(cs, CPU_INTERRUPT_EXITTB); ++ qemu_mutex_unlock_iothread(); + raise_exception(env, excp); + } + } +@@ -995,7 +999,9 @@ static inline void do_rfi(CPUPPCState *e + /* No need to raise an exception here, + * as rfi is always the last insn of a TB + */ +- cs->interrupt_request |= CPU_INTERRUPT_EXITTB; ++ qemu_mutex_lock_iothread(); ++ cpu_interrupt(cs, CPU_INTERRUPT_EXITTB); ++ qemu_mutex_unlock_iothread(); + + /* Reset the reservation */ + env->reserve_addr = -1; +Index: qemu-2.10.1/target/ppc/helper_regs.h +=================================================================== +--- qemu-2.10.1.orig/target/ppc/helper_regs.h ++++ qemu-2.10.1/target/ppc/helper_regs.h +@@ -114,11 +114,15 @@ static inline int hreg_store_msr(CPUPPCS + } + if (((value >> MSR_IR) & 1) != msr_ir || + ((value >> MSR_DR) & 1) != msr_dr) { +- cs->interrupt_request |= CPU_INTERRUPT_EXITTB; ++ qemu_mutex_lock_iothread(); ++ cpu_interrupt(cs, CPU_INTERRUPT_EXITTB); ++ qemu_mutex_unlock_iothread(); + } + if ((env->mmu_model & POWERPC_MMU_BOOKE) && + ((value >> MSR_GS) & 1) != msr_gs) { +- cs->interrupt_request |= 
CPU_INTERRUPT_EXITTB; ++ qemu_mutex_lock_iothread(); ++ cpu_interrupt(cs, CPU_INTERRUPT_EXITTB); ++ qemu_mutex_unlock_iothread(); + } + if (unlikely((env->flags & POWERPC_FLAG_TGPR) && + ((value ^ env->msr) & (1 << MSR_TGPR)))) { diff --git a/import-layers/yocto-poky/meta/recipes-devtools/qemu/qemu/qemu-2.5.0-cflags.patch b/import-layers/yocto-poky/meta/recipes-devtools/qemu/qemu/qemu-2.5.0-cflags.patch index 173394fd0..eb99d1463 100644 --- a/import-layers/yocto-poky/meta/recipes-devtools/qemu/qemu/qemu-2.5.0-cflags.patch +++ b/import-layers/yocto-poky/meta/recipes-devtools/qemu/qemu/qemu-2.5.0-cflags.patch @@ -1,3 +1,5 @@ +Upstream-Status: Pending + --- a/configure +++ b/configure @@ -4468,10 +4468,6 @@ fi diff --git a/import-layers/yocto-poky/meta/recipes-devtools/qemu/qemu/target-ppc-fix-user-mode.patch b/import-layers/yocto-poky/meta/recipes-devtools/qemu/qemu/target-ppc-fix-user-mode.patch deleted file mode 100644 index ba21e71b0..000000000 --- a/import-layers/yocto-poky/meta/recipes-devtools/qemu/qemu/target-ppc-fix-user-mode.patch +++ /dev/null 
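Review bot: Every new call site takes `qemu_mutex_lock_iothread()` unconditionally, while the cover text above the diff describes the variant that actually worked as `if (!qemu_mutex_iothread_locked()) { lock; cpu_interrupt(...); unlock } else { cpu_interrupt(...); }`. The iothread mutex is, as far as I know, not recursive, so if any of powerpc_excp, helper_store_msr, do_rfi or hreg_store_msr can be entered with the BQL already held, the patch as written self-deadlocks instead of curing the hang; either keep the conditional form from the cover text or add a comment at each site explaining why that path is guaranteed to run without the lock. This applies to all five sites (three in excp_helper.c, two in helper_regs.h), and the enclosing functions all start and end outside the hunks.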
@@ -1,48 +0,0 @@ -[Qemu-ppc] [PATCH 1/1] target-ppc, tcg: fix usermode segfault with pthread - -From: Sam Bobroff -Subject: [Qemu-ppc] [PATCH 1/1] target-ppc, tcg: fix usermode segfault with pthread_create() -Date: Mon, 30 Jan 2017 16:08:07 +1100 -Programs run under qemu-ppc64 on an x86_64 host currently segfault -if they use pthread_create() due to the adjustment made to the NIP in -commit bd6fefe71cec5a0c7d2be4ac96307f25db56abf9. - -This patch changes cpu_loop() to set the NIP back to the -pre-incremented value before calling do_syscall(), which causes the -correct address to be used for the new thread and corrects the fault. - -Signed-off-by: Sam Bobroff <address@hidden> - -Upstream-Status: Backport - ---- - -linux-user/main.c | 4 +++- -1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/linux-user/main.c b/linux-user/main.c -index 30049581ef..b5dee01541 100644 ---- a/linux-user/main.c -+++ b/linux-user/main.c -@@ -1712,18 +1712,20 @@ void cpu_loop(CPUPPCState *env) - * in syscalls. - */ - env->crf[0] &= ~0x1; -+ env->nip += 4; - ret = do_syscall(env, env->gpr[0], env->gpr[3], env->gpr[4], - env->gpr[5], env->gpr[6], env->gpr[7], - env->gpr[8], 0, 0); - if (ret == -TARGET_ERESTARTSYS) { -+ env->nip -= 4; - break; - } - if (ret == (target_ulong)(-TARGET_QEMU_ESIGRETURN)) { -+ env->nip -= 4; - /* Returning from a successful sigreturn syscall. - Avoid corrupting register state. */ - break; - } -- env->nip += 4; - if (ret > (target_ulong)(-515)) { - env->crf[0] |= 0x1; - ret = -ret; |