Diffstat (limited to 'import-layers/yocto-poky/meta/recipes-devtools/qemu')
7 files changed, 498 insertions, 3 deletions
diff --git a/import-layers/yocto-poky/meta/recipes-devtools/qemu/qemu/0001-virtio-zero-vq-inuse-in-virtio_reset.patch b/import-layers/yocto-poky/meta/recipes-devtools/qemu/qemu/0001-virtio-zero-vq-inuse-in-virtio_reset.patch
new file mode 100644
index 000000000..86955d043
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-devtools/qemu/qemu/0001-virtio-zero-vq-inuse-in-virtio_reset.patch
@@ -0,0 +1,57 @@
+Upstream-Status: Backport
+
+Supplementary fix of CVE-2016-5403 which is backported from:
+
+http://git.qemu.org/?p=qemu.git;a=commit;h=4b7f91e
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+From 4b7f91ed0270a371e1933efa21ba600b6da23ab9 Mon Sep 17 00:00:00 2001
+From: Stefan Hajnoczi <stefanha@redhat.com>
+Date: Wed, 7 Sep 2016 11:51:25 -0400
+Subject: [PATCH] virtio: zero vq->inuse in virtio_reset()
+
+vq->inuse must be zeroed upon device reset like most other virtqueue
+fields.
+
+In theory, virtio_reset() just needs assert(vq->inuse == 0) since
+devices must clean up in-flight requests during reset (requests cannot
+not be leaked!).
+
+In practice, it is difficult to achieve vq->inuse == 0 across reset
+because balloon, blk, 9p, etc implement various different strategies for
+cleaning up requests. Most devices call g_free(elem) directly without
+telling virtio.c that the VirtQueueElement is cleaned up. Therefore
+vq->inuse is not decremented during reset.
+
+This patch zeroes vq->inuse and trusts that devices are not leaking
+VirtQueueElements across reset.
+
+I will send a follow-up series that refactors request life-cycle across
+all devices and converts vq->inuse = 0 into assert(vq->inuse == 0) but
+this more invasive approach is not appropriate for stable trees.
+
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+Cc: qemu-stable <qemu-stable@nongnu.org>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Reviewed-by: Ladi Prosek <lprosek@redhat.com>
+---
+ hw/virtio/virtio.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
+index 74c085c..e8a13a5 100644
+--- a/hw/virtio/virtio.c
++++ b/hw/virtio/virtio.c
+@@ -822,6 +822,7 @@ void virtio_reset(void *opaque)
+ vdev->vq[i].signalled_used_valid = false;
+ vdev->vq[i].notification = true;
+ vdev->vq[i].vring.num = vdev->vq[i].vring.num_default;
++ vdev->vq[i].inuse = 0;
+ }
+ }
+
+--
+2.9.3
+
diff --git a/import-layers/yocto-poky/meta/recipes-devtools/qemu/qemu/0002-fix-CVE-2016-7423.patch b/import-layers/yocto-poky/meta/recipes-devtools/qemu/qemu/0002-fix-CVE-2016-7423.patch
new file mode 100644
index 000000000..fdf58a3d6
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-devtools/qemu/qemu/0002-fix-CVE-2016-7423.patch
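Review bot: The header of 0001-virtio-zero-vq-inuse-in-virtio_reset.patch names CVE-2016-5403 only in prose and carries no `CVE:` line, unlike the 0002 to 0004 patches added next to it, so tooling that reads that tag will not associate this backport with the CVE. If the association is intended, add `CVE: CVE-2016-5403` below `Upstream-Status: Backport`. In the code, `vdev->vq[i].inuse = 0;` rests on the assumption stated in the commit message that devices do not leak VirtQueueElements across reset; a short comment beside the assignment, such as `/* devices free elements without telling virtio.c; trust that none leak across reset */`, would keep that assumption visible. The loop in virtio_reset() starts outside the hunk.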
@@ -0,0 +1,45 @@
+Upstream-Status: Backport
+
+Backport patch to fix CVE-2016-7423 from:
+
+http://git.qemu.org/?p=qemu.git;a=commit;h=670e56d3ed
+
+CVE: CVE-2016-7423
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+From 670e56d3ed2918b3861d9216f2c0540d9e9ae0d5 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Mon, 12 Sep 2016 18:14:11 +0530
+Subject: [PATCH] scsi: mptsas: use g_new0 to allocate MPTSASRequest object
+
+When processing IO request in mptsas, it uses g_new to allocate
+a 'req' object. If an error occurs before 'req->sreq' is
+allocated, It could lead to an OOB write in mptsas_free_request
+function. Use g_new0 to avoid it.
+
+Reported-by: Li Qiang <liqiang6-s@360.cn>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-Id: <1473684251-17476-1-git-send-email-ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+---
+ hw/scsi/mptsas.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c
+index 0e0a22f..eaae1bb 100644
+--- a/hw/scsi/mptsas.c
++++ b/hw/scsi/mptsas.c
+@@ -304,7 +304,7 @@ static int mptsas_process_scsi_io_request(MPTSASState *s,
+ goto bad;
+ }
+
+- req = g_new(MPTSASRequest, 1);
++ req = g_new0(MPTSASRequest, 1);
+ QTAILQ_INSERT_TAIL(&s->pending, req, next);
+ req->scsi_io = *scsi_io;
+ req->dev = s;
+--
+2.9.3
+
diff --git a/import-layers/yocto-poky/meta/recipes-devtools/qemu/qemu/0003-fix-CVE-2016-7908.patch b/import-layers/yocto-poky/meta/recipes-devtools/qemu/qemu/0003-fix-CVE-2016-7908.patch
new file mode 100644
index 000000000..05cc3d9d1
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-devtools/qemu/qemu/0003-fix-CVE-2016-7908.patch
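Review bot: In 0002-fix-CVE-2016-7423.patch the `g_new0` call in mptsas_process_scsi_io_request() is what makes the early error path safe, yet nothing at the allocation says so, and a later cleanup could switch it back to `g_new` unnoticed. A comment on the new line would record the reason the commit message gives, for example `/* zero-filled: mptsas_free_request() may run before req->sreq is set */`. The function begins and ends outside the hunk, so which error paths reach the free routine cannot be confirmed from here.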
@@ -0,0 +1,62 @@
+Upstream-Status: Backport
+
+Backport patch to fix CVE-2016-7908 from:
+
+http://git.qemu.org/?p=qemu.git;a=commit;h=070c4b92b8c
+
+CVE: CVE-2016-7908
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+From 070c4b92b8cd5390889716677a0b92444d6e087a Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Thu, 22 Sep 2016 16:02:37 +0530
+Subject: [PATCH] net: mcf: limit buffer descriptor count
+
+ColdFire Fast Ethernet Controller uses buffer descriptors to manage
+data flow to/fro receive & transmit queues. While transmitting
+packets, it could continue to read buffer descriptors if a buffer
+descriptor has length of zero and has crafted values in bd.flags.
+Set upper limit to number of buffer descriptors.
+
+Reported-by: Li Qiang <liqiang6-s@360.cn>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+---
+ hw/net/mcf_fec.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/hw/net/mcf_fec.c b/hw/net/mcf_fec.c
+index 0ee8ad9..d31fea1 100644
+--- a/hw/net/mcf_fec.c
++++ b/hw/net/mcf_fec.c
+@@ -23,6 +23,7 @@ do { printf("mcf_fec: " fmt , ## __VA_ARGS__); } while (0)
+ #define DPRINTF(fmt, ...) do {} while(0)
+ #endif
+
++#define FEC_MAX_DESC 1024
+ #define FEC_MAX_FRAME_SIZE 2032
+
+ typedef struct {
+@@ -149,7 +150,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s)
+ uint32_t addr;
+ mcf_fec_bd bd;
+ int frame_size;
+- int len;
++ int len, descnt = 0;
+ uint8_t frame[FEC_MAX_FRAME_SIZE];
+ uint8_t *ptr;
+
+@@ -157,7 +158,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s)
+ ptr = frame;
+ frame_size = 0;
+ addr = s->tx_descriptor;
+- while (1) {
++ while (descnt++ < FEC_MAX_DESC) {
+ mcf_fec_read_bd(&bd, addr);
+ DPRINTF("tx_bd %x flags %04x len %d data %08x\n",
+ addr, bd.flags, bd.length, bd.data);
+--
+2.9.3
+
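Review bot: In 0003-fix-CVE-2016-7908.patch the bounded loop `while (descnt++ < FEC_MAX_DESC)` in mcf_fec_do_tx() stops silently when the cap is reached, so a guest-supplied descriptor ring that was cut short leaves no trace for whoever debugs or monitors the device. A `DPRINTF("tx descriptor limit reached\n");` on that exit would make it visible; the loop body and its end are outside the hunk, so the exact placement needs checking there. `#define FEC_MAX_DESC 1024` also deserves a comment such as `/* cap on descriptors walked per transmit, so a guest-crafted ring cannot loop forever */`. Only the transmit path is bounded here; the receive path is not visible in this hunk and, if it walks descriptors the same way, would need the same limit.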
diff --git a/import-layers/yocto-poky/meta/recipes-devtools/qemu/qemu/0004-fix-CVE-2016-7909.patch b/import-layers/yocto-poky/meta/recipes-devtools/qemu/qemu/0004-fix-CVE-2016-7909.patch
new file mode 100644
index 000000000..e71bbf620
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-devtools/qemu/qemu/0004-fix-CVE-2016-7909.patch
@@ -0,0 +1,42 @@
+Upstream-Status: Backport [http://git.qemu.org/?p=qemu.git;a=commit;h=34e29ce]
+CVE: CVE-2016-7909
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+From 34e29ce754c02bb6b3bdd244fbb85033460feaff Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Fri, 30 Sep 2016 00:27:33 +0530
+Subject: [PATCH] net: pcnet: check rx/tx descriptor ring length
+
+The AMD PC-Net II emulator has set of control and status(CSR)
+registers. Of these, CSR76 and CSR78 hold receive and transmit
+descriptor ring length respectively. This ring length could range
+from 1 to 65535. Setting ring length to zero leads to an infinite
+loop in pcnet_rdra_addr() or pcnet_transmit(). Add check to avoid it.
+
+Reported-by: Li Qiang <liqiang6-s@360.cn>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+---
+ hw/net/pcnet.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
+index 198a01f..3078de8 100644
+--- a/hw/net/pcnet.c
++++ b/hw/net/pcnet.c
+@@ -1429,8 +1429,11 @@ static void pcnet_csr_writew(PCNetState *s, uint32_t rap, uint32_t new_value)
+ case 47: /* POLLINT */
+ case 72:
+ case 74:
++ break;
+ case 76: /* RCVRL */
+ case 78: /* XMTRL */
++ val = (val > 0) ? val : 512;
++ break;
+ case 112:
+ if (CSR_STOP(s) || CSR_SPND(s))
+ break;
+--
+2.10.1
+
diff --git a/import-layers/yocto-poky/meta/recipes-devtools/qemu/qemu/04b33e21866412689f18b7ad6daf0a54d8f959a7.patch b/import-layers/yocto-poky/meta/recipes-devtools/qemu/qemu/04b33e21866412689f18b7ad6daf0a54d8f959a7.patch
new file mode 100644
index 000000000..d947e8cba
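Review bot: In 0004-fix-CVE-2016-7909.patch the two added `break;` statements in pcnet_csr_writew() end the fall-through that used to carry `case 47` through `case 78` into the `case 112:` check `if (CSR_STOP(s) || CSR_SPND(s))`, so writes to these registers no longer pass through that gate. What follows the check is outside the hunk, so whether it previously rejected writes while the device is running needs confirming, and the commit message does not mention this change. If the gate is meant to stay, drop the `break;` after `case 74:` and replace the one after the clamp with `/* fall through */`. The fallback in `val = (val > 0) ? val : 512;` is a bare constant; a comment saying where 512 comes from would help.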
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-devtools/qemu/qemu/04b33e21866412689f18b7ad6daf0a54d8f959a7.patch
@@ -0,0 +1,282 @@
+From 04b33e21866412689f18b7ad6daf0a54d8f959a7 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Wed, 28 Jun 2017 13:44:52 -0700
+Subject: [PATCH] Replace 'struct ucontext' with 'ucontext_t' type
+
+glibc used to have:
+
+ typedef struct ucontext { ... } ucontext_t;
+
+glibc now has:
+
+ typedef struct ucontext_t { ... } ucontext_t;
+
+(See https://sourceware.org/bugzilla/show_bug.cgi?id=21457
+ for detail and rationale for the glibc change)
+
+However, QEMU used "struct ucontext" in declarations. This is a
+private name and compatibility cannot be guaranteed. Switch to
+only using the standardized type name.
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+Message-id: 20170628204452.41230-1-raj.khem@gmail.com
+Cc: Kamil Rytarowski <kamil@netbsd.org>
+Cc: Riku Voipio <riku.voipio@iki.fi>
+Cc: Laurent Vivier <laurent@vivier.eu>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Reviewed-by: Eric Blake <eblake@redhat.com>
+[PMM: Rewrote commit message, based mostly on the one from
+ Nathaniel McCallum]
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+
+Upstream-Status: Backport
+RP 2017/9/6
+---
+ linux-user/host/aarch64/hostdep.h | 2 +-
+ linux-user/host/arm/hostdep.h | 2 +-
+ linux-user/host/i386/hostdep.h | 2 +-
+ linux-user/host/ppc64/hostdep.h | 2 +-
+ linux-user/host/s390x/hostdep.h | 2 +-
+ linux-user/host/x86_64/hostdep.h | 2 +-
+ linux-user/signal.c | 10 +++++-----
+ tests/tcg/test-i386.c | 4 ++--
+ user-exec.c | 18 +++++++++---------
+ 9 files changed, 22 insertions(+), 22 deletions(-)
+
+diff --git a/linux-user/host/aarch64/hostdep.h b/linux-user/host/aarch64/hostdep.h
+index 64f75ce..a8d41a2 100644
+--- a/linux-user/host/aarch64/hostdep.h
++++ b/linux-user/host/aarch64/hostdep.h
+@@ -24,7 +24,7 @@ extern char safe_syscall_end[];
+ /* Adjust the signal context to rewind out of safe-syscall if we're in it */
+ static inline void rewind_if_in_safe_syscall(void *puc)
+ {
+- struct ucontext *uc = puc;
++ ucontext_t *uc = puc;
+ __u64 *pcreg = &uc->uc_mcontext.pc;
+
+ if (*pcreg > (uintptr_t)safe_syscall_start
+diff --git a/linux-user/host/arm/hostdep.h b/linux-user/host/arm/hostdep.h
+index 5c1ae60..9276fe6 100644
+--- a/linux-user/host/arm/hostdep.h
++++ b/linux-user/host/arm/hostdep.h
+@@ -24,7 +24,7 @@ extern char safe_syscall_end[];
+ /* Adjust the signal context to rewind out of safe-syscall if we're in it */
+ static inline void rewind_if_in_safe_syscall(void *puc)
+ {
+- struct ucontext *uc = puc;
++ ucontext_t *uc = puc;
+ unsigned long *pcreg = &uc->uc_mcontext.arm_pc;
+
+ if (*pcreg > (uintptr_t)safe_syscall_start
+diff --git a/linux-user/host/i386/hostdep.h b/linux-user/host/i386/hostdep.h
+index d834bd8..073be74 100644
+--- a/linux-user/host/i386/hostdep.h
++++ b/linux-user/host/i386/hostdep.h
+@@ -24,7 +24,7 @@ extern char safe_syscall_end[];
+ /* Adjust the signal context to rewind out of safe-syscall if we're in it */
+ static inline void rewind_if_in_safe_syscall(void *puc)
+ {
+- struct ucontext *uc = puc;
++ ucontext_t *uc = puc;
+ greg_t *pcreg = &uc->uc_mcontext.gregs[REG_EIP];
+
+ if (*pcreg > (uintptr_t)safe_syscall_start
+diff --git a/linux-user/host/ppc64/hostdep.h b/linux-user/host/ppc64/hostdep.h
+index 0b0f5f7..98979ad 100644
+--- a/linux-user/host/ppc64/hostdep.h
++++ b/linux-user/host/ppc64/hostdep.h
+@@ -24,7 +24,7 @@ extern char safe_syscall_end[];
+ /* Adjust the signal context to rewind out of safe-syscall if we're in it */
+ static inline void rewind_if_in_safe_syscall(void *puc)
+ {
+- struct ucontext *uc = puc;
++ ucontext_t *uc = puc;
+ unsigned long *pcreg = &uc->uc_mcontext.gp_regs[PT_NIP];
+
+ if (*pcreg > (uintptr_t)safe_syscall_start
+diff --git a/linux-user/host/s390x/hostdep.h b/linux-user/host/s390x/hostdep.h
+index 6f9da9c..4f0171f 100644
+--- a/linux-user/host/s390x/hostdep.h
++++ b/linux-user/host/s390x/hostdep.h
+@@ -24,7 +24,7 @@ extern char safe_syscall_end[];
+ /* Adjust the signal context to rewind out of safe-syscall if we're in it */
+ static inline void rewind_if_in_safe_syscall(void *puc)
+ {
+- struct ucontext *uc = puc;
++ ucontext_t *uc = puc;
+ unsigned long *pcreg = &uc->uc_mcontext.psw.addr;
+
+ if (*pcreg > (uintptr_t)safe_syscall_start
+diff --git a/linux-user/host/x86_64/hostdep.h b/linux-user/host/x86_64/hostdep.h
+index 3b42596..a4fefb5 100644
+--- a/linux-user/host/x86_64/hostdep.h
++++ b/linux-user/host/x86_64/hostdep.h
+@@ -24,7 +24,7 @@ extern char safe_syscall_end[];
+ /* Adjust the signal context to rewind out of safe-syscall if we're in it */
+ static inline void rewind_if_in_safe_syscall(void *puc)
+ {
+- struct ucontext *uc = puc;
++ ucontext_t *uc = puc;
+ greg_t *pcreg = &uc->uc_mcontext.gregs[REG_RIP];
+
+ if (*pcreg > (uintptr_t)safe_syscall_start
+diff --git a/linux-user/signal.c b/linux-user/signal.c
+index d68bd26..cc0c3fc 100644
+--- a/linux-user/signal.c
++++ b/linux-user/signal.c
+@@ -3346,7 +3346,7 @@ static void setup_rt_frame(int sig, struct target_sigaction *ka,
+ *
+ * a0 = signal number
+ * a1 = pointer to siginfo_t
+- * a2 = pointer to struct ucontext
++ * a2 = pointer to ucontext_t
+ *
+ * $25 and PC point to the signal handler, $29 points to the
+ * struct sigframe.
+@@ -3764,7 +3764,7 @@ struct target_signal_frame {
+
+ struct rt_signal_frame {
+ siginfo_t info;
+- struct ucontext uc;
++ ucontext_t uc;
+ uint32_t tramp[2];
+ };
+
+@@ -3980,7 +3980,7 @@ struct rt_signal_frame {
+ siginfo_t *pinfo;
+ void *puc;
+ siginfo_t info;
+- struct ucontext uc;
++ ucontext_t uc;
+ uint16_t retcode[4]; /* Trampoline code. */
+ };
+
+@@ -4515,7 +4515,7 @@ static void setup_rt_frame(int sig, struct target_sigaction *ka,
+ tswap_siginfo(&frame->info, info);
+ }
+
+- /*err |= __clear_user(&frame->uc, offsetof(struct ucontext, uc_mcontext));*/
++ /*err |= __clear_user(&frame->uc, offsetof(ucontext_t, uc_mcontext));*/
+ __put_user(0, &frame->uc.tuc_flags);
+ __put_user(0, &frame->uc.tuc_link);
+ __put_user(target_sigaltstack_used.ss_sp,
+@@ -5007,7 +5007,7 @@ enum {
+
+ struct target_ucontext {
+ target_ulong tuc_flags;
+- target_ulong tuc_link; /* struct ucontext __user * */
++ target_ulong tuc_link; /* ucontext_t __user * */
+ struct target_sigaltstack tuc_stack;
+ #if !defined(TARGET_PPC64)
+ int32_t tuc_pad[7];
+diff --git a/tests/tcg/test-i386.c b/tests/tcg/test-i386.c
+index 0f7b943..9599204 100644
+--- a/tests/tcg/test-i386.c
++++ b/tests/tcg/test-i386.c
+@@ -1720,7 +1720,7 @@ int tab[2];
+
+ void sig_handler(int sig, siginfo_t *info, void *puc)
+ {
+- struct ucontext *uc = puc;
++ ucontext_t *uc = puc;
+
+ printf("si_signo=%d si_errno=%d si_code=%d",
+ info->si_signo, info->si_errno, info->si_code);
+@@ -1912,7 +1912,7 @@ void test_exceptions(void)
+ /* specific precise single step test */
+ void sig_trap_handler(int sig, siginfo_t *info, void *puc)
+ {
+- struct ucontext *uc = puc;
++ ucontext_t *uc = puc;
+ printf("EIP=" FMTLX "\n", (long)uc->uc_mcontext.gregs[REG_EIP]);
+ }
+
+diff --git a/user-exec.c b/user-exec.c
+index a8f95fa..2a975ea 100644
+--- a/user-exec.c
++++ b/user-exec.c
+@@ -167,7 +167,7 @@ int cpu_signal_handler(int host_signum, void *pinfo,
+ #elif defined(__OpenBSD__)
+ struct sigcontext *uc = puc;
+ #else
+- struct ucontext *uc = puc;
++ ucontext_t *uc = puc;
+ #endif
+ unsigned long pc;
+ int trapno;
+@@ -222,7 +222,7 @@ int cpu_signal_handler(int host_signum, void *pinfo,
+ #elif defined(__OpenBSD__)
+ struct sigcontext *uc = puc;
+ #else
+- struct ucontext *uc = puc;
++ ucontext_t *uc = puc;
+ #endif
+
+ pc = PC_sig(uc);
+@@ -289,7 +289,7 @@ int cpu_signal_handler(int host_signum, void *pinfo,
+ #if defined(__FreeBSD__) || defined(__FreeBSD_kernel__)
+ ucontext_t *uc = puc;
+ #else
+- struct ucontext *uc = puc;
++ ucontext_t *uc = puc;
+ #endif
+ unsigned long pc;
+ int is_write;
+@@ -316,7 +316,7 @@ int cpu_signal_handler(int host_signum, void *pinfo,
+ void *puc)
+ {
+ siginfo_t *info = pinfo;
+- struct ucontext *uc = puc;
++ ucontext_t *uc = puc;
+ uint32_t *pc = uc->uc_mcontext.sc_pc;
+ uint32_t insn = *pc;
+ int is_write = 0;
+@@ -414,7 +414,7 @@ int cpu_signal_handler(int host_signum, void *pinfo,
+ #if defined(__NetBSD__)
+ ucontext_t *uc = puc;
+ #else
+- struct ucontext *uc = puc;
++ ucontext_t *uc = puc;
+ #endif
+ unsigned long pc;
+ int is_write;
+@@ -441,7 +441,7 @@ int cpu_signal_handler(int host_signum, void *pinfo,
+ int cpu_signal_handler(int host_signum, void *pinfo, void *puc)
+ {
+ siginfo_t *info = pinfo;
+- struct ucontext *uc = puc;
++ ucontext_t *uc = puc;
+ uintptr_t pc = uc->uc_mcontext.pc;
+ uint32_t insn = *(uint32_t *)pc;
+ bool is_write;
+@@ -474,7 +474,7 @@ int cpu_signal_handler(int host_signum, void *pinfo, void *puc)
+ int cpu_signal_handler(int host_signum, void *pinfo, void *puc)
+ {
+ siginfo_t *info = pinfo;
+- struct ucontext *uc = puc;
++ ucontext_t *uc = puc;
+ unsigned long ip;
+ int is_write = 0;
+
+@@ -505,7 +505,7 @@ int cpu_signal_handler(int host_signum, void *pinfo,
+ void *puc)
+ {
+ siginfo_t *info = pinfo;
+- struct ucontext *uc = puc;
++ ucontext_t *uc = puc;
+ unsigned long pc;
+ uint16_t *pinsn;
+ int is_write = 0;
+@@ -558,7 +558,7 @@ int cpu_signal_handler(int host_signum, void *pinfo,
+ void *puc)
+ {
+ siginfo_t *info = pinfo;
+- struct ucontext *uc = puc;
++ ucontext_t *uc = puc;
+ greg_t pc = uc->uc_mcontext.pc;
+ int is_write;
+
+--
+1.8.3.1
+
diff --git a/import-layers/yocto-poky/meta/recipes-devtools/qemu/qemu/run-ptest b/import-layers/yocto-poky/meta/recipes-devtools/qemu/qemu/run-ptest
index f4b8e97e1..2206b3192 100644
--- a/import-layers/yocto-poky/meta/recipes-devtools/qemu/qemu/run-ptest +++ b/import-layers/yocto-poky/meta/recipes-devtools/qemu/qemu/run-ptest @@ -1,8 +1,10 @@ #!/bin/sh # #This script is used to run qemu test suites -ptestdir=$(pwd) -cd tests +# +ptestdir=$(dirname "$(readlink -f "$0")") export SRC_PATH=$ptestdir -make -k runtest-TESTS | sed '/: OK/ s/^/PASS: /g' + +cd $ptestdir/tests +make -f Makefile.include -k runtest-TESTS | sed '/: OK/ s/^/PASS: /g' diff --git a/import-layers/yocto-poky/meta/recipes-devtools/qemu/qemu_2.7.0.bb b/import-layers/yocto-poky/meta/recipes-devtools/qemu/qemu_2.7.0.bb index 619b8ed44..85aadecf0 100644 --- a/import-layers/yocto-poky/meta/recipes-devtools/qemu/qemu_2.7.0.bb +++ b/import-layers/yocto-poky/meta/recipes-devtools/qemu/qemu_2.7.0.bb @@ -9,6 +9,11 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \ file://no-valgrind.patch \ file://pathlimit.patch \ file://qemu-2.5.0-cflags.patch \ + file://0001-virtio-zero-vq-inuse-in-virtio_reset.patch \ + file://0002-fix-CVE-2016-7423.patch \ + file://0003-fix-CVE-2016-7908.patch \ + file://0004-fix-CVE-2016-7909.patch \ + file://04b33e21866412689f18b7ad6daf0a54d8f959a7.patch \ " SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2" |
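Review bot: In run-ptest the new `cd $ptestdir/tests` is unquoted and its result is not checked, although the line above takes care to quote `"$0"` when computing `ptestdir`. A path containing whitespace is split into several arguments, and if the `cd` fails, `make -f Makefile.include` runs in whatever directory the script was started from. Writing it as `cd "$ptestdir/tests" || exit 1` closes both gaps. The exit status of the `make ... | sed` pipeline is still that of `sed`, as it was before this change, so a failing make is visible only through the missing PASS lines.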