diff options
Diffstat (limited to 'poky/meta/recipes-devtools/qemu')
28 files changed, 533 insertions, 235 deletions
diff --git a/poky/meta/recipes-devtools/qemu/qemu-native_5.2.0.bb b/poky/meta/recipes-devtools/qemu/qemu-native_6.0.0.bb index c8acff8e1..d23d7a8ad 100644 --- a/poky/meta/recipes-devtools/qemu/qemu-native_5.2.0.bb +++ b/poky/meta/recipes-devtools/qemu/qemu-native_6.0.0.bb @@ -6,4 +6,4 @@ require qemu-native.inc EXTRA_OECONF_append = " --target-list=${@get_qemu_usermode_target_list(d)} --disable-tools --disable-blobs --disable-guest-agent" -PACKAGECONFIG ??= "" +PACKAGECONFIG ??= "pie" diff --git a/poky/meta/recipes-devtools/qemu/qemu-system-native_5.2.0.bb b/poky/meta/recipes-devtools/qemu/qemu-system-native_6.0.0.bb index 222b55cbc..9d7d0cdce 100644 --- a/poky/meta/recipes-devtools/qemu/qemu-system-native_5.2.0.bb +++ b/poky/meta/recipes-devtools/qemu/qemu-system-native_6.0.0.bb @@ -1,5 +1,7 @@ BPN = "qemu" +inherit python3-dir + require qemu-native.inc # As some of the files installed by qemu-native and qemu-system-native @@ -9,7 +11,7 @@ DEPENDS = "glib-2.0-native zlib-native pixman-native qemu-native bison-native" EXTRA_OECONF_append = " --target-list=${@get_qemu_system_target_list(d)}" -PACKAGECONFIG ??= "fdt alsa kvm \ +PACKAGECONFIG ??= "fdt alsa kvm pie \ ${@bb.utils.contains('DISTRO_FEATURES', 'opengl', 'virglrenderer glx', '', d)} \ " @@ -23,4 +25,7 @@ do_install_append() { rm -f ${D}${datadir}/qemu/trace-events-all rm -rf ${D}${datadir}/qemu/keymaps rm -rf ${D}${datadir}/icons/ + + # Install qmp.py to be used with testimage + install -D ${S}/python/qemu/qmp.py ${D}${PYTHON_SITEPACKAGES_DIR}/qmp.py } diff --git a/poky/meta/recipes-devtools/qemu/qemu.inc b/poky/meta/recipes-devtools/qemu/qemu.inc index a62580959..6674936fe 100644 --- a/poky/meta/recipes-devtools/qemu/qemu.inc +++ b/poky/meta/recipes-devtools/qemu/qemu.inc @@ -25,20 +25,37 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://0010-configure-Add-pkg-config-handling-for-libgcrypt.patch \ file://0001-Add-enable-disable-udev.patch \ file://0001-qemu-Do-not-include-file-if-not-exists.patch \ - file://mingwfix.patch \ - file://mmap.patch \ file://mmap2.patch \ file://determinism.patch \ file://0001-tests-meson.build-use-relative-path-to-refer-to-file.patch \ - file://CVE-2021-20203.patch \ + file://0001-configure-fix-detection-of-gdbus-codegen.patch \ + file://0001-vhost-user-gpu-fix-memory-disclosure-in-virgl_cmd_ge.patch \ + file://0002-vhost-user-gpu-fix-resource-leak-in-vg_resource_crea.patch \ + file://0003-vhost-user-gpu-fix-memory-leak-in-vg_resource_attach.patch \ + file://0004-vhost-user-gpu-fix-memory-leak-while-calling-vg_reso.patch \ + file://0005-vhost-user-gpu-fix-memory-leak-in-virgl_cmd_resource.patch \ + file://0006-vhost-user-gpu-fix-memory-leak-in-virgl_resource_att.patch \ + file://0007-vhost-user-gpu-fix-OOB-write-in-virgl_cmd_get_capset.patch \ + file://0001-linux-user-Tag-vsx-with-ieee128-fpbits.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" -SRC_URI[sha256sum] = "cb18d889b628fbe637672b0326789d9b0e3b8027e0445b936537c78549df17bc" +SRC_URI[sha256sum] = "87bc1a471ca24b97e7005711066007d443423d19aacda3d442558ae032fa30b9" SRC_URI_append_class-target = " file://cross.patch" SRC_URI_append_class-nativesdk = " file://cross.patch" +# Applies against virglrender < 0.6.0 and not qemu itself +CVE_CHECK_WHITELIST += "CVE-2017-5957" + +# The VNC server can expose host files uder some circumstances. We don't +# enable it by default. +CVE_CHECK_WHITELIST += "CVE-2007-0998" + +# 'The issues identified by this CVE were determined to not constitute a vulnerability.' +# https://bugzilla.redhat.com/show_bug.cgi?id=1609015#c11 +CVE_CHECK_WHITELIST += "CVE-2018-18438" + COMPATIBLE_HOST_mipsarchn32 = "null" COMPATIBLE_HOST_mipsarchn64 = "null" @@ -56,8 +73,6 @@ do_install_ptest() { find ${D}${PTEST_PATH}/tests -type f -name "*.[Sshcodp]" | xargs -i rm -rf {} # Don't check the file genreated by configure - sed -i -e 's,${HOSTTOOLS_DIR}/python3,${bindir}/python3,' \ - ${D}/${PTEST_PATH}/tests/qemu-iotests/common.env sed -i -e "1s,#!/usr/bin/bash,#!${base_bindir}/bash," ${D}${PTEST_PATH}/tests/data/acpi/disassemle-aml.sh # Strip the paths from the QEMU variable, we can use PATH @@ -84,7 +99,7 @@ EXTRA_OECONF = " \ --extra-cflags='${CFLAGS}' \ --extra-ldflags='${LDFLAGS}' \ --with-git=/bin/false \ - --disable-git-update \ + --with-git-submodules=ignore \ --meson=meson \ ${PACKAGECONFIG_CONFARGS} \ " diff --git a/poky/meta/recipes-devtools/qemu/qemu/0001-Add-enable-disable-udev.patch b/poky/meta/recipes-devtools/qemu/qemu/0001-Add-enable-disable-udev.patch index c99adee8a..4b37967e7 100644 --- a/poky/meta/recipes-devtools/qemu/qemu/0001-Add-enable-disable-udev.patch +++ b/poky/meta/recipes-devtools/qemu/qemu/0001-Add-enable-disable-udev.patch @@ -12,13 +12,13 @@ Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> configure | 4 ++++ 1 file changed, 4 insertions(+) -Index: qemu-5.2.0/configure +Index: qemu-6.0.0/configure =================================================================== ---- qemu-5.2.0.orig/configure -+++ qemu-5.2.0/configure -@@ -1525,6 +1525,10 @@ for opt do +--- qemu-6.0.0.orig/configure ++++ qemu-6.0.0/configure +@@ -1565,6 +1565,10 @@ for opt do ;; - --disable-libdaxctl) libdaxctl=no + --disable-gio) gio=no ;; + --enable-libudev) libudev="yes" + ;; diff --git a/poky/meta/recipes-devtools/qemu/qemu/0001-configure-fix-detection-of-gdbus-codegen.patch b/poky/meta/recipes-devtools/qemu/qemu/0001-configure-fix-detection-of-gdbus-codegen.patch new file mode 100644 index 000000000..8bffc3129 --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/0001-configure-fix-detection-of-gdbus-codegen.patch @@ -0,0 +1,50 @@ +From 464cfc64201b21386030b8f353fe9724a3413a85 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini <pbonzini@redhat.com> +Date: Wed, 5 May 2021 10:15:34 -0400 +Subject: [PATCH] configure: fix detection of gdbus-codegen + +"pkg-config --variable=gdbus_codegen gio-2.0" returns "gdbus-codegen", +and it does not pass test -x (which does not walk the path). + +Meson 0.58.0 notices that something is iffy, as the dbus_vmstate1 +assignment in tests/qtest/meson.build uses an empty string as the +command, and fails very eloquently: + +../tests/qtest/meson.build:92:2: ERROR: No program name specified. + +Use the "has" function instead of test -x, and fix the generation +of config-host.mak since meson.build expects that GDBUS_CODEGEN +is absent, rather than empty, if the tool is unavailable. + +Reported-by: Sebastian Mitterle <smitterl@redhat.com> +Fixes: #178 +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commitdiff;h=5ecfb76ccc056eb6127e44268e475827ae73b9e0] +(not in 6.0.0, should be kept when upgrading) +Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> +--- + configure | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +Index: qemu-6.0.0/configure +=================================================================== +--- qemu-6.0.0.orig/configure ++++ qemu-6.0.0/configure +@@ -3366,7 +3366,7 @@ if ! test "$gio" = "no"; then + gio_cflags=$($pkg_config --cflags gio-2.0) + gio_libs=$($pkg_config --libs gio-2.0) + gdbus_codegen=$($pkg_config --variable=gdbus_codegen gio-2.0) +- if [ ! -x "$gdbus_codegen" ]; then ++ if ! has "$gdbus_codegen"; then + gdbus_codegen= + fi + # Check that the libraries actually work -- Ubuntu 18.04 ships +@@ -5704,6 +5704,8 @@ if test "$gio" = "yes" ; then + echo "CONFIG_GIO=y" >> $config_host_mak + echo "GIO_CFLAGS=$gio_cflags" >> $config_host_mak + echo "GIO_LIBS=$gio_libs" >> $config_host_mak ++fi ++if test "$gdbus_codegen" != "" ; then + echo "GDBUS_CODEGEN=$gdbus_codegen" >> $config_host_mak + fi + echo "CONFIG_TLS_PRIORITY=\"$tls_priority\"" >> $config_host_mak diff --git a/poky/meta/recipes-devtools/qemu/qemu/0001-linux-user-Tag-vsx-with-ieee128-fpbits.patch b/poky/meta/recipes-devtools/qemu/qemu/0001-linux-user-Tag-vsx-with-ieee128-fpbits.patch new file mode 100644 index 000000000..11b6e3c67 --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/0001-linux-user-Tag-vsx-with-ieee128-fpbits.patch @@ -0,0 +1,35 @@ +From c5844a4cdee37268c9b65a65e6968ee129bb742d Mon Sep 17 00:00:00 2001 +From: Khem Raj <raj.khem@gmail.com> +Date: Mon, 14 Jun 2021 10:27:17 -0700 +Subject: [PATCH] linux-user: Tag vsx with ieee128 fpbits + +In OE we need this for ppc64le usermode to work since we generate 128bit +long doubles and glibc 2.34 is now checking for this in hwcaps at +runtime and failing to run the binary if machine does not support 128bit +IEEE fp + +Fixes +Fatal glibc error: CPU lacks float128 support (POWER 9 or later required) + +Upstream-Status: Pending +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + linux-user/elfload.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/linux-user/elfload.c b/linux-user/elfload.c +index 17ab06f612..e7dd18fd40 100644 +--- a/linux-user/elfload.c ++++ b/linux-user/elfload.c +@@ -830,7 +830,7 @@ static uint32_t get_elf_hwcap2(void) + PPC2_ISA207S), QEMU_PPC_FEATURE2_ARCH_2_07 | + QEMU_PPC_FEATURE2_VEC_CRYPTO); + GET_FEATURE2(PPC2_ISA300, QEMU_PPC_FEATURE2_ARCH_3_00 | +- QEMU_PPC_FEATURE2_DARN); ++ QEMU_PPC_FEATURE2_DARN | QEMU_PPC_FEATURE2_HAS_IEEE128); + + #undef GET_FEATURE + #undef GET_FEATURE2 +-- +2.32.0 + diff --git a/poky/meta/recipes-devtools/qemu/qemu/0001-qemu-Add-missing-wacom-HID-descriptor.patch b/poky/meta/recipes-devtools/qemu/qemu/0001-qemu-Add-missing-wacom-HID-descriptor.patch index 8ce12bdb4..2f2d19f53 100644 --- a/poky/meta/recipes-devtools/qemu/qemu/0001-qemu-Add-missing-wacom-HID-descriptor.patch +++ b/poky/meta/recipes-devtools/qemu/qemu/0001-qemu-Add-missing-wacom-HID-descriptor.patch @@ -20,10 +20,10 @@ Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> hw/usb/dev-wacom.c | 94 +++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 93 insertions(+), 1 deletion(-) -Index: qemu-5.2.0/hw/usb/dev-wacom.c +Index: qemu-6.0.0/hw/usb/dev-wacom.c =================================================================== ---- qemu-5.2.0.orig/hw/usb/dev-wacom.c -+++ qemu-5.2.0/hw/usb/dev-wacom.c +--- qemu-6.0.0.orig/hw/usb/dev-wacom.c ++++ qemu-6.0.0/hw/usb/dev-wacom.c @@ -69,6 +69,89 @@ static const USBDescStrings desc_strings [STR_SERIALNUMBER] = "1", }; diff --git a/poky/meta/recipes-devtools/qemu/qemu/0001-qemu-Do-not-include-file-if-not-exists.patch b/poky/meta/recipes-devtools/qemu/qemu/0001-qemu-Do-not-include-file-if-not-exists.patch index 3fe9aa6eb..b8d288d3a 100644 --- a/poky/meta/recipes-devtools/qemu/qemu/0001-qemu-Do-not-include-file-if-not-exists.patch +++ b/poky/meta/recipes-devtools/qemu/qemu/0001-qemu-Do-not-include-file-if-not-exists.patch @@ -15,11 +15,11 @@ Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> linux-user/syscall.c | 2 ++ 1 file changed, 2 insertions(+) -Index: qemu-5.2.0/linux-user/syscall.c +Index: qemu-6.0.0/linux-user/syscall.c =================================================================== ---- qemu-5.2.0.orig/linux-user/syscall.c -+++ qemu-5.2.0/linux-user/syscall.c -@@ -109,7 +109,9 @@ +--- qemu-6.0.0.orig/linux-user/syscall.c ++++ qemu-6.0.0/linux-user/syscall.c +@@ -113,7 +113,9 @@ #include <linux/blkpg.h> #include <netpacket/packet.h> #include <linux/netlink.h> @@ -28,4 +28,4 @@ Index: qemu-5.2.0/linux-user/syscall.c +#endif #include <linux/rtc.h> #include <sound/asound.h> - #ifdef CONFIG_BTRFS + #ifdef HAVE_BTRFS_H diff --git a/poky/meta/recipes-devtools/qemu/qemu/0001-tests-meson.build-use-relative-path-to-refer-to-file.patch b/poky/meta/recipes-devtools/qemu/qemu/0001-tests-meson.build-use-relative-path-to-refer-to-file.patch index 5cb5757c3..d5e1ab4d5 100644 --- a/poky/meta/recipes-devtools/qemu/qemu/0001-tests-meson.build-use-relative-path-to-refer-to-file.patch +++ b/poky/meta/recipes-devtools/qemu/qemu/0001-tests-meson.build-use-relative-path-to-refer-to-file.patch @@ -16,19 +16,16 @@ Signed-off-by: Changqing Li <changqing.li@windriver.com> tests/meson.build | 2 +- 1 files changed, 1 insertions(+), 1 deletion(-) -diff --git a/tests/meson.build b/tests/meson.build -index afeb6be..54684b5 100644 ---- a/tests/meson.build -+++ b/tests/meson.build -@@ -113,7 +113,7 @@ tests = { +Index: qemu-6.0.0/tests/unit/meson.build +=================================================================== +--- qemu-6.0.0.orig/tests/unit/meson.build ++++ qemu-6.0.0/tests/unit/meson.build +@@ -42,7 +42,7 @@ tests = { 'test-keyval': [testqapi], 'test-logging': [], 'test-uuid': [], - 'ptimer-test': ['ptimer-test-stubs.c', meson.source_root() / 'hw/core/ptimer.c'], -+ 'ptimer-test': ['ptimer-test-stubs.c', '../hw/core/ptimer.c'], ++ 'ptimer-test': ['ptimer-test-stubs.c', '../../hw/core/ptimer.c'], 'test-qapi-util': [], } --- -2.29.2 - diff --git a/poky/meta/recipes-devtools/qemu/qemu/0001-vhost-user-gpu-fix-memory-disclosure-in-virgl_cmd_ge.patch b/poky/meta/recipes-devtools/qemu/qemu/0001-vhost-user-gpu-fix-memory-disclosure-in-virgl_cmd_ge.patch new file mode 100644 index 000000000..981c23729 --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/0001-vhost-user-gpu-fix-memory-disclosure-in-virgl_cmd_ge.patch @@ -0,0 +1,43 @@ +CVE: CVE-2021-3545 +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@arm.com> + +From 121841b25d72d13f8cad554363138c360f1250ea Mon Sep 17 00:00:00 2001 +From: Li Qiang <liq3ea@163.com> +Date: Sat, 15 May 2021 20:03:56 -0700 +Subject: [PATCH 1/7] vhost-user-gpu: fix memory disclosure in + virgl_cmd_get_capset_info (CVE-2021-3545) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Otherwise some of the 'resp' will be leaked to guest. + +Fixes: CVE-2021-3545 +Reported-by: Li Qiang <liq3ea@163.com> +virtio-gpu fix: 42a8dadc74 ("virtio-gpu: fix information leak +in getting capset info dispatch") + +Signed-off-by: Li Qiang <liq3ea@163.com> +Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> +Message-Id: <20210516030403.107723-2-liq3ea@163.com> +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +--- + contrib/vhost-user-gpu/virgl.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c +index 9e6660c7ab..6a332d601f 100644 +--- a/contrib/vhost-user-gpu/virgl.c ++++ b/contrib/vhost-user-gpu/virgl.c +@@ -128,6 +128,7 @@ virgl_cmd_get_capset_info(VuGpu *g, + + VUGPU_FILL_CMD(info); + ++ memset(&resp, 0, sizeof(resp)); + if (info.capset_index == 0) { + resp.capset_id = VIRTIO_GPU_CAPSET_VIRGL; + virgl_renderer_get_cap_set(resp.capset_id, +-- +2.25.1 + diff --git a/poky/meta/recipes-devtools/qemu/qemu/0002-vhost-user-gpu-fix-resource-leak-in-vg_resource_crea.patch b/poky/meta/recipes-devtools/qemu/qemu/0002-vhost-user-gpu-fix-resource-leak-in-vg_resource_crea.patch new file mode 100644 index 000000000..a9aee47e3 --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/0002-vhost-user-gpu-fix-resource-leak-in-vg_resource_crea.patch @@ -0,0 +1,41 @@ +CVE: CVE-2021-3544 +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@arm.com> + +From 86dd8fac2acc366930a5dc08d3fb1b1e816f4e1e Mon Sep 17 00:00:00 2001 +From: Li Qiang <liq3ea@163.com> +Date: Sat, 15 May 2021 20:03:57 -0700 +Subject: [PATCH 2/7] vhost-user-gpu: fix resource leak in + 'vg_resource_create_2d' (CVE-2021-3544) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Call 'vugbm_buffer_destroy' in error path to avoid resource leak. + +Fixes: CVE-2021-3544 +Reported-by: Li Qiang <liq3ea@163.com> +Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org> +Signed-off-by: Li Qiang <liq3ea@163.com> +Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> +Message-Id: <20210516030403.107723-3-liq3ea@163.com> +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +--- + contrib/vhost-user-gpu/vhost-user-gpu.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/contrib/vhost-user-gpu/vhost-user-gpu.c b/contrib/vhost-user-gpu/vhost-user-gpu.c +index f73f292c9f..b5e153d0d6 100644 +--- a/contrib/vhost-user-gpu/vhost-user-gpu.c ++++ b/contrib/vhost-user-gpu/vhost-user-gpu.c +@@ -349,6 +349,7 @@ vg_resource_create_2d(VuGpu *g, + g_critical("%s: resource creation failed %d %d %d", + __func__, c2d.resource_id, c2d.width, c2d.height); + g_free(res); ++ vugbm_buffer_destroy(&res->buffer); + cmd->error = VIRTIO_GPU_RESP_ERR_OUT_OF_MEMORY; + return; + } +-- +2.25.1 + diff --git a/poky/meta/recipes-devtools/qemu/qemu/0003-qemu-Add-addition-environment-space-to-boot-loader-q.patch b/poky/meta/recipes-devtools/qemu/qemu/0003-qemu-Add-addition-environment-space-to-boot-loader-q.patch index fd54f96b0..733789be2 100644 --- a/poky/meta/recipes-devtools/qemu/qemu/0003-qemu-Add-addition-environment-space-to-boot-loader-q.patch +++ b/poky/meta/recipes-devtools/qemu/qemu/0003-qemu-Add-addition-environment-space-to-boot-loader-q.patch @@ -18,13 +18,13 @@ Signed-off-by: Roy Li <rongqing.li@windriver.com> hw/mips/malta.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -Index: qemu-5.2.0/hw/mips/malta.c +Index: qemu-6.0.0/hw/mips/malta.c =================================================================== ---- qemu-5.2.0.orig/hw/mips/malta.c -+++ qemu-5.2.0/hw/mips/malta.c -@@ -62,7 +62,7 @@ - - #define ENVP_ADDR 0x80002000l +--- qemu-6.0.0.orig/hw/mips/malta.c ++++ qemu-6.0.0/hw/mips/malta.c +@@ -65,7 +65,7 @@ + #define ENVP_PADDR 0x2000 + #define ENVP_VADDR cpu_mips_phys_to_kseg0(NULL, ENVP_PADDR) #define ENVP_NB_ENTRIES 16 -#define ENVP_ENTRY_SIZE 256 +#define ENVP_ENTRY_SIZE 1024 diff --git a/poky/meta/recipes-devtools/qemu/qemu/0003-vhost-user-gpu-fix-memory-leak-in-vg_resource_attach.patch b/poky/meta/recipes-devtools/qemu/qemu/0003-vhost-user-gpu-fix-memory-leak-in-vg_resource_attach.patch new file mode 100644 index 000000000..171848640 --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/0003-vhost-user-gpu-fix-memory-leak-in-vg_resource_attach.patch @@ -0,0 +1,48 @@ +CVE: CVE-2021-3544 +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@arm.com> + +From b9f79858a614d95f5de875d0ca31096eaab72c3b Mon Sep 17 00:00:00 2001 +From: Li Qiang <liq3ea@163.com> +Date: Sat, 15 May 2021 20:03:58 -0700 +Subject: [PATCH 3/7] vhost-user-gpu: fix memory leak in + vg_resource_attach_backing (CVE-2021-3544) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Check whether the 'res' has already been attach_backing to avoid +memory leak. + +Fixes: CVE-2021-3544 +Reported-by: Li Qiang <liq3ea@163.com> +virtio-gpu fix: 204f01b309 ("virtio-gpu: fix memory leak +in resource attach backing") + +Signed-off-by: Li Qiang <liq3ea@163.com> +Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> +Message-Id: <20210516030403.107723-4-liq3ea@163.com> +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +--- + contrib/vhost-user-gpu/vhost-user-gpu.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/contrib/vhost-user-gpu/vhost-user-gpu.c b/contrib/vhost-user-gpu/vhost-user-gpu.c +index b5e153d0d6..0437e52b64 100644 +--- a/contrib/vhost-user-gpu/vhost-user-gpu.c ++++ b/contrib/vhost-user-gpu/vhost-user-gpu.c +@@ -489,6 +489,11 @@ vg_resource_attach_backing(VuGpu *g, + return; + } + ++ if (res->iov) { ++ cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC; ++ return; ++ } ++ + ret = vg_create_mapping_iov(g, &ab, cmd, &res->iov); + if (ret != 0) { + cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC; +-- +2.25.1 + diff --git a/poky/meta/recipes-devtools/qemu/qemu/0004-qemu-disable-Valgrind.patch b/poky/meta/recipes-devtools/qemu/qemu/0004-qemu-disable-Valgrind.patch index a0bd1c5eb..330bcaef0 100644 --- a/poky/meta/recipes-devtools/qemu/qemu/0004-qemu-disable-Valgrind.patch +++ b/poky/meta/recipes-devtools/qemu/qemu/0004-qemu-disable-Valgrind.patch @@ -12,11 +12,11 @@ Signed-off-by: Ross Burton <ross.burton@intel.com> configure | 9 --------- 1 file changed, 9 deletions(-) -Index: qemu-5.2.0/configure +Index: qemu-6.0.0/configure =================================================================== ---- qemu-5.2.0.orig/configure -+++ qemu-5.2.0/configure -@@ -5001,15 +5001,6 @@ fi +--- qemu-6.0.0.orig/configure ++++ qemu-6.0.0/configure +@@ -4648,15 +4648,6 @@ fi # check if we have valgrind/valgrind.h valgrind_h=no diff --git a/poky/meta/recipes-devtools/qemu/qemu/0004-vhost-user-gpu-fix-memory-leak-while-calling-vg_reso.patch b/poky/meta/recipes-devtools/qemu/qemu/0004-vhost-user-gpu-fix-memory-leak-while-calling-vg_reso.patch new file mode 100644 index 000000000..9fc2fafe1 --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/0004-vhost-user-gpu-fix-memory-leak-while-calling-vg_reso.patch @@ -0,0 +1,50 @@ +CVE: CVE-2021-3544 +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@arm.com> + +From b7afebcf9e6ecf3cf9b5a9b9b731ed04bca6aa3e Mon Sep 17 00:00:00 2001 +From: Li Qiang <liq3ea@163.com> +Date: Sat, 15 May 2021 20:03:59 -0700 +Subject: [PATCH 4/7] vhost-user-gpu: fix memory leak while calling + 'vg_resource_unref' (CVE-2021-3544) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If the guest trigger following sequences, the attach_backing will be leaked: + + vg_resource_create_2d + vg_resource_attach_backing + vg_resource_unref + +This patch fix this by freeing 'res->iov' in vg_resource_destroy. + +Fixes: CVE-2021-3544 +Reported-by: Li Qiang <liq3ea@163.com> +virtio-gpu fix: 5e8e3c4c75 ("virtio-gpu: fix resource leak +in virgl_cmd_resource_unref") + +Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org> +Signed-off-by: Li Qiang <liq3ea@163.com> +Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> +Message-Id: <20210516030403.107723-5-liq3ea@163.com> +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +--- + contrib/vhost-user-gpu/vhost-user-gpu.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/contrib/vhost-user-gpu/vhost-user-gpu.c b/contrib/vhost-user-gpu/vhost-user-gpu.c +index 0437e52b64..770dfad529 100644 +--- a/contrib/vhost-user-gpu/vhost-user-gpu.c ++++ b/contrib/vhost-user-gpu/vhost-user-gpu.c +@@ -400,6 +400,7 @@ vg_resource_destroy(VuGpu *g, + } + + vugbm_buffer_destroy(&res->buffer); ++ g_free(res->iov); + pixman_image_unref(res->image); + QTAILQ_REMOVE(&g->reslist, res, next); + g_free(res); +-- +2.25.1 + diff --git a/poky/meta/recipes-devtools/qemu/qemu/0005-vhost-user-gpu-fix-memory-leak-in-virgl_cmd_resource.patch b/poky/meta/recipes-devtools/qemu/qemu/0005-vhost-user-gpu-fix-memory-leak-in-virgl_cmd_resource.patch new file mode 100644 index 000000000..e70f3c02c --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/0005-vhost-user-gpu-fix-memory-leak-in-virgl_cmd_resource.patch @@ -0,0 +1,58 @@ +CVE: CVE-2021-3544 +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@arm.com> + +From f6091d86ba9ea05f4e111b9b42ee0005c37a6779 Mon Sep 17 00:00:00 2001 +From: Li Qiang <liq3ea@163.com> +Date: Sat, 15 May 2021 20:04:00 -0700 +Subject: [PATCH 5/7] vhost-user-gpu: fix memory leak in + 'virgl_cmd_resource_unref' (CVE-2021-3544) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The 'res->iov' will be leaked if the guest trigger following sequences: + + virgl_cmd_create_resource_2d + virgl_resource_attach_backing + virgl_cmd_resource_unref + +This patch fixes this. + +Fixes: CVE-2021-3544 +Reported-by: Li Qiang <liq3ea@163.com> +virtio-gpu fix: 5e8e3c4c75 ("virtio-gpu: fix resource leak +in virgl_cmd_resource_unref" + +Signed-off-by: Li Qiang <liq3ea@163.com> +Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> +Message-Id: <20210516030403.107723-6-liq3ea@163.com> +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +--- + contrib/vhost-user-gpu/virgl.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c +index 6a332d601f..c669d73a1d 100644 +--- a/contrib/vhost-user-gpu/virgl.c ++++ b/contrib/vhost-user-gpu/virgl.c +@@ -108,9 +108,16 @@ virgl_cmd_resource_unref(VuGpu *g, + struct virtio_gpu_ctrl_command *cmd) + { + struct virtio_gpu_resource_unref unref; ++ struct iovec *res_iovs = NULL; ++ int num_iovs = 0; + + VUGPU_FILL_CMD(unref); + ++ virgl_renderer_resource_detach_iov(unref.resource_id, ++ &res_iovs, ++ &num_iovs); ++ g_free(res_iovs); ++ + virgl_renderer_resource_unref(unref.resource_id); + } + +-- +2.25.1 + diff --git a/poky/meta/recipes-devtools/qemu/qemu/0006-chardev-connect-socket-to-a-spawned-command.patch b/poky/meta/recipes-devtools/qemu/qemu/0006-chardev-connect-socket-to-a-spawned-command.patch index 201125c1f..05dc849da 100644 --- a/poky/meta/recipes-devtools/qemu/qemu/0006-chardev-connect-socket-to-a-spawned-command.patch +++ b/poky/meta/recipes-devtools/qemu/qemu/0006-chardev-connect-socket-to-a-spawned-command.patch @@ -51,11 +51,11 @@ Signed-off-by: Patrick Ohly <patrick.ohly@intel.com> qapi/char.json | 5 +++ 3 files changed, 109 insertions(+) -Index: qemu-5.2.0/chardev/char-socket.c +Index: qemu-6.0.0/chardev/char-socket.c =================================================================== ---- qemu-5.2.0.orig/chardev/char-socket.c -+++ qemu-5.2.0/chardev/char-socket.c -@@ -1308,6 +1308,67 @@ static bool qmp_chardev_validate_socket( +--- qemu-6.0.0.orig/chardev/char-socket.c ++++ qemu-6.0.0/chardev/char-socket.c +@@ -1362,6 +1362,67 @@ static bool qmp_chardev_validate_socket( return true; } @@ -123,7 +123,7 @@ Index: qemu-5.2.0/chardev/char-socket.c static void qmp_chardev_open_socket(Chardev *chr, ChardevBackend *backend, -@@ -1316,6 +1377,9 @@ static void qmp_chardev_open_socket(Char +@@ -1370,6 +1431,9 @@ static void qmp_chardev_open_socket(Char { SocketChardev *s = SOCKET_CHARDEV(chr); ChardevSocket *sock = backend->u.socket.data; @@ -133,7 +133,7 @@ Index: qemu-5.2.0/chardev/char-socket.c bool do_nodelay = sock->has_nodelay ? sock->nodelay : false; bool is_listen = sock->has_server ? sock->server : true; bool is_telnet = sock->has_telnet ? sock->telnet : false; -@@ -1381,6 +1445,14 @@ static void qmp_chardev_open_socket(Char +@@ -1446,6 +1510,14 @@ static void qmp_chardev_open_socket(Char update_disconnected_filename(s); @@ -148,7 +148,7 @@ Index: qemu-5.2.0/chardev/char-socket.c if (s->is_listen) { if (qmp_chardev_open_socket_server(chr, is_telnet || is_tn3270, is_waitconnect, errp) < 0) { -@@ -1400,6 +1472,9 @@ static void qemu_chr_parse_socket(QemuOp +@@ -1465,6 +1537,9 @@ static void qemu_chr_parse_socket(QemuOp const char *host = qemu_opt_get(opts, "host"); const char *port = qemu_opt_get(opts, "port"); const char *fd = qemu_opt_get(opts, "fd"); @@ -158,7 +158,7 @@ Index: qemu-5.2.0/chardev/char-socket.c #ifdef CONFIG_LINUX bool tight = qemu_opt_get_bool(opts, "tight", true); bool abstract = qemu_opt_get_bool(opts, "abstract", false); -@@ -1407,6 +1482,20 @@ static void qemu_chr_parse_socket(QemuOp +@@ -1472,6 +1547,20 @@ static void qemu_chr_parse_socket(QemuOp SocketAddressLegacy *addr; ChardevSocket *sock; @@ -179,7 +179,7 @@ Index: qemu-5.2.0/chardev/char-socket.c if ((!!path + !!fd + !!host) != 1) { error_setg(errp, "Exactly one of 'path', 'fd' or 'host' required"); -@@ -1448,13 +1537,24 @@ static void qemu_chr_parse_socket(QemuOp +@@ -1522,13 +1611,24 @@ static void qemu_chr_parse_socket(QemuOp sock->tls_creds = g_strdup(qemu_opt_get(opts, "tls-creds")); sock->has_tls_authz = qemu_opt_get(opts, "tls-authz"); sock->tls_authz = g_strdup(qemu_opt_get(opts, "tls-authz")); @@ -204,11 +204,11 @@ Index: qemu-5.2.0/chardev/char-socket.c #ifdef CONFIG_LINUX q_unix->has_tight = true; q_unix->tight = tight; -Index: qemu-5.2.0/chardev/char.c +Index: qemu-6.0.0/chardev/char.c =================================================================== ---- qemu-5.2.0.orig/chardev/char.c -+++ qemu-5.2.0/chardev/char.c -@@ -839,6 +839,9 @@ QemuOptsList qemu_chardev_opts = { +--- qemu-6.0.0.orig/chardev/char.c ++++ qemu-6.0.0/chardev/char.c +@@ -840,6 +840,9 @@ QemuOptsList qemu_chardev_opts = { .name = "path", .type = QEMU_OPT_STRING, },{ @@ -218,10 +218,10 @@ Index: qemu-5.2.0/chardev/char.c .name = "host", .type = QEMU_OPT_STRING, },{ -Index: qemu-5.2.0/qapi/char.json +Index: qemu-6.0.0/qapi/char.json =================================================================== ---- qemu-5.2.0.orig/qapi/char.json -+++ qemu-5.2.0/qapi/char.json +--- qemu-6.0.0.orig/qapi/char.json ++++ qemu-6.0.0/qapi/char.json @@ -250,6 +250,10 @@ # # @addr: socket address to listen on (server=true) diff --git a/poky/meta/recipes-devtools/qemu/qemu/0006-vhost-user-gpu-fix-memory-leak-in-virgl_resource_att.patch b/poky/meta/recipes-devtools/qemu/qemu/0006-vhost-user-gpu-fix-memory-leak-in-virgl_resource_att.patch new file mode 100644 index 000000000..5efb87ca3 --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/0006-vhost-user-gpu-fix-memory-leak-in-virgl_resource_att.patch @@ -0,0 +1,49 @@ +CVE: CVE-2021-3544 +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@arm.com> + +From 63736af5a6571d9def93769431e0d7e38c6677bf Mon Sep 17 00:00:00 2001 +From: Li Qiang <liq3ea@163.com> +Date: Sat, 15 May 2021 20:04:01 -0700 +Subject: [PATCH 6/7] vhost-user-gpu: fix memory leak in + 'virgl_resource_attach_backing' (CVE-2021-3544) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If 'virgl_renderer_resource_attach_iov' failed, the 'res_iovs' will +be leaked. + +Fixes: CVE-2021-3544 +Reported-by: Li Qiang <liq3ea@163.com> +virtio-gpu fix: 33243031da ("virtio-gpu-3d: fix memory leak +in resource attach backing") + +Signed-off-by: Li Qiang <liq3ea@163.com> +Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> +Message-Id: <20210516030403.107723-7-liq3ea@163.com> +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +--- + contrib/vhost-user-gpu/virgl.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c +index c669d73a1d..a16a311d80 100644 +--- a/contrib/vhost-user-gpu/virgl.c ++++ b/contrib/vhost-user-gpu/virgl.c +@@ -287,8 +287,11 @@ virgl_resource_attach_backing(VuGpu *g, + return; + } + +- virgl_renderer_resource_attach_iov(att_rb.resource_id, ++ ret = virgl_renderer_resource_attach_iov(att_rb.resource_id, + res_iovs, att_rb.nr_entries); ++ if (ret != 0) { ++ g_free(res_iovs); ++ } + } + + static void +-- +2.25.1 + diff --git a/poky/meta/recipes-devtools/qemu/qemu/0007-apic-fixup-fallthrough-to-PIC.patch b/poky/meta/recipes-devtools/qemu/qemu/0007-apic-fixup-fallthrough-to-PIC.patch index 294cf5129..3491fa8a5 100644 --- a/poky/meta/recipes-devtools/qemu/qemu/0007-apic-fixup-fallthrough-to-PIC.patch +++ b/poky/meta/recipes-devtools/qemu/qemu/0007-apic-fixup-fallthrough-to-PIC.patch @@ -29,11 +29,11 @@ Signed-off-by: He Zhe <zhe.he@windriver.com> hw/intc/apic.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -Index: qemu-5.2.0/hw/intc/apic.c +Index: qemu-6.0.0/hw/intc/apic.c =================================================================== ---- qemu-5.2.0.orig/hw/intc/apic.c -+++ qemu-5.2.0/hw/intc/apic.c -@@ -605,7 +605,7 @@ int apic_accept_pic_intr(DeviceState *de +--- qemu-6.0.0.orig/hw/intc/apic.c ++++ qemu-6.0.0/hw/intc/apic.c +@@ -606,7 +606,7 @@ int apic_accept_pic_intr(DeviceState *de APICCommonState *s = APIC(dev); uint32_t lvt0; diff --git a/poky/meta/recipes-devtools/qemu/qemu/0007-vhost-user-gpu-fix-OOB-write-in-virgl_cmd_get_capset.patch b/poky/meta/recipes-devtools/qemu/qemu/0007-vhost-user-gpu-fix-OOB-write-in-virgl_cmd_get_capset.patch new file mode 100644 index 000000000..33e6a6619 --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/0007-vhost-user-gpu-fix-OOB-write-in-virgl_cmd_get_capset.patch @@ -0,0 +1,49 @@ +CVE: CVE-2021-3546 +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@arm.com> + +From 9f22893adcb02580aee5968f32baa2cd109b3ec2 Mon Sep 17 00:00:00 2001 +From: Li Qiang <liq3ea@163.com> +Date: Sat, 15 May 2021 20:04:02 -0700 +Subject: [PATCH 7/7] vhost-user-gpu: fix OOB write in 'virgl_cmd_get_capset' + (CVE-2021-3546) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If 'virgl_cmd_get_capset' set 'max_size' to 0, +the 'virgl_renderer_fill_caps' will write the data after the 'resp'. +This patch avoid this by checking the returned 'max_size'. + +virtio-gpu fix: abd7f08b23 ("display: virtio-gpu-3d: check +virgl capabilities max_size") + +Fixes: CVE-2021-3546 +Reported-by: Li Qiang <liq3ea@163.com> +Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org> +Signed-off-by: Li Qiang <liq3ea@163.com> +Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> +Message-Id: <20210516030403.107723-8-liq3ea@163.com> +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +--- + contrib/vhost-user-gpu/virgl.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c +index a16a311d80..7172104b19 100644 +--- a/contrib/vhost-user-gpu/virgl.c ++++ b/contrib/vhost-user-gpu/virgl.c +@@ -177,6 +177,10 @@ virgl_cmd_get_capset(VuGpu *g, + + virgl_renderer_get_cap_set(gc.capset_id, &max_ver, + &max_size); ++ if (!max_size) { ++ cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER; ++ return; ++ } + resp = g_malloc0(sizeof(*resp) + max_size); + + resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET; +-- +2.25.1 + diff --git a/poky/meta/recipes-devtools/qemu/qemu/0010-configure-Add-pkg-config-handling-for-libgcrypt.patch b/poky/meta/recipes-devtools/qemu/qemu/0010-configure-Add-pkg-config-handling-for-libgcrypt.patch index c5d206b91..cc6a5fe75 100644 --- a/poky/meta/recipes-devtools/qemu/qemu/0010-configure-Add-pkg-config-handling-for-libgcrypt.patch +++ b/poky/meta/recipes-devtools/qemu/qemu/0010-configure-Add-pkg-config-handling-for-libgcrypt.patch @@ -14,11 +14,11 @@ Signed-off-by: He Zhe <zhe.he@windriver.com> configure | 48 ++++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 40 insertions(+), 8 deletions(-) -Index: qemu-5.2.0/configure +Index: qemu-6.0.0/configure =================================================================== ---- qemu-5.2.0.orig/configure -+++ qemu-5.2.0/configure -@@ -2956,6 +2956,30 @@ has_libgcrypt() { +--- qemu-6.0.0.orig/configure ++++ qemu-6.0.0/configure +@@ -2847,6 +2847,30 @@ has_libgcrypt() { return 0 } @@ -49,7 +49,7 @@ Index: qemu-5.2.0/configure if test "$nettle" != "no"; then pass="no" -@@ -2994,7 +3018,14 @@ fi +@@ -2885,7 +2909,14 @@ fi if test "$gcrypt" != "no"; then pass="no" @@ -65,7 +65,7 @@ Index: qemu-5.2.0/configure gcrypt_cflags=$(libgcrypt-config --cflags) gcrypt_libs=$(libgcrypt-config --libs) # Debian has removed -lgpg-error from libgcrypt-config -@@ -3004,12 +3035,12 @@ if test "$gcrypt" != "no"; then +@@ -2895,12 +2926,12 @@ if test "$gcrypt" != "no"; then then gcrypt_libs="$gcrypt_libs -lgpg-error" fi diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-20203.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-20203.patch deleted file mode 100644 index 269c6f129..000000000 --- a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-20203.patch +++ /dev/null @@ -1,73 +0,0 @@ -From: Prasad J Pandit <pjp@fedoraproject.org> - -While activating device in vmxnet3_acticate_device(), it does not -validate guest supplied configuration values against predefined -minimum - maximum limits. This may lead to integer overflow or -OOB access issues. Add checks to avoid it. - -Fixes: CVE-2021-20203 -Buglink: https://bugs.launchpad.net/qemu/+bug/1913873 -Reported-by: Gaoning Pan <pgn@zju.edu.cn> -Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> - -Upstream-Status: Acepted [https://lists.gnu.org/archive/html/qemu-devel/2021-01/msg07935.html] -CVE: CVE-2021-20203 -Signed-off-by: Minjae Kim <flowergom@gmail.com> ---- - hw/net/vmxnet3.c | 13 +++++++++++++ - 1 file changed, 13 insertions(+) - -diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c -index eff299f629..4a910ca971 100644 ---- a/hw/net/vmxnet3.c -+++ b/hw/net/vmxnet3.c -@@ -1420,6 +1420,7 @@ static void vmxnet3_activate_device(VMXNET3State *s) - vmxnet3_setup_rx_filtering(s); - /* Cache fields from shared memory */ - s->mtu = VMXNET3_READ_DRV_SHARED32(d, s->drv_shmem, devRead.misc.mtu); -+ assert(VMXNET3_MIN_MTU <= s->mtu && s->mtu < VMXNET3_MAX_MTU); - VMW_CFPRN("MTU is %u", s->mtu); - - s->max_rx_frags = -@@ -1473,6 +1474,9 @@ static void vmxnet3_activate_device(VMXNET3State *s) - /* Read rings memory locations for TX queues */ - pa = VMXNET3_READ_TX_QUEUE_DESCR64(d, qdescr_pa, conf.txRingBasePA); - size = VMXNET3_READ_TX_QUEUE_DESCR32(d, qdescr_pa, conf.txRingSize); -+ if (size > VMXNET3_TX_RING_MAX_SIZE) { -+ size = VMXNET3_TX_RING_MAX_SIZE; -+ } - - vmxnet3_ring_init(d, &s->txq_descr[i].tx_ring, pa, size, - sizeof(struct Vmxnet3_TxDesc), false); -@@ -1483,6 +1487,9 @@ static void vmxnet3_activate_device(VMXNET3State *s) - /* TXC ring */ - pa = VMXNET3_READ_TX_QUEUE_DESCR64(d, qdescr_pa, conf.compRingBasePA); - size = VMXNET3_READ_TX_QUEUE_DESCR32(d, qdescr_pa, conf.compRingSize); -+ if (size > VMXNET3_TC_RING_MAX_SIZE) { -+ size = VMXNET3_TC_RING_MAX_SIZE; -+ } - vmxnet3_ring_init(d, &s->txq_descr[i].comp_ring, pa, size, - sizeof(struct Vmxnet3_TxCompDesc), true); - VMXNET3_RING_DUMP(VMW_CFPRN, "TXC", i, &s->txq_descr[i].comp_ring); -@@ -1524,6 +1531,9 @@ static void vmxnet3_activate_device(VMXNET3State *s) - /* RX rings */ - pa = VMXNET3_READ_RX_QUEUE_DESCR64(d, qd_pa, conf.rxRingBasePA[j]); - size = VMXNET3_READ_RX_QUEUE_DESCR32(d, qd_pa, conf.rxRingSize[j]); -+ if (size > VMXNET3_RX_RING_MAX_SIZE) { -+ size = VMXNET3_RX_RING_MAX_SIZE; -+ } - vmxnet3_ring_init(d, &s->rxq_descr[i].rx_ring[j], pa, size, - sizeof(struct Vmxnet3_RxDesc), false); - VMW_CFPRN("RX queue %d:%d: Base: %" PRIx64 ", Size: %d", -@@ -1533,6 +1543,9 @@ static void vmxnet3_activate_device(VMXNET3State *s) - /* RXC ring */ - pa = VMXNET3_READ_RX_QUEUE_DESCR64(d, qd_pa, conf.compRingBasePA); - size = VMXNET3_READ_RX_QUEUE_DESCR32(d, qd_pa, conf.compRingSize); -+ if (size > VMXNET3_RC_RING_MAX_SIZE) { -+ size = VMXNET3_RC_RING_MAX_SIZE; -+ } - vmxnet3_ring_init(d, &s->rxq_descr[i].comp_ring, pa, size, - sizeof(struct Vmxnet3_RxCompDesc), true); - VMW_CFPRN("RXC queue %d: Base: %" PRIx64 ", Size: %d", i, pa, size); --- -2.29.2 diff --git a/poky/meta/recipes-devtools/qemu/qemu/cross.patch b/poky/meta/recipes-devtools/qemu/qemu/cross.patch index 438c1ad08..a0fc39e5e 100644 --- a/poky/meta/recipes-devtools/qemu/qemu/cross.patch +++ b/poky/meta/recipes-devtools/qemu/qemu/cross.patch @@ -6,19 +6,19 @@ Upstream-Status: Inappropriate [may be rewritten in a way upstream may accept?] Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> -Index: qemu-5.2.0/configure +Index: qemu-6.0.0/configure =================================================================== ---- qemu-5.2.0.orig/configure -+++ qemu-5.2.0/configure -@@ -6973,7 +6973,6 @@ if has $sdl2_config; then +--- qemu-6.0.0.orig/configure ++++ qemu-6.0.0/configure +@@ -6371,7 +6371,6 @@ if has $sdl2_config; then fi echo "strip = [$(meson_quote $strip)]" >> $cross echo "windres = [$(meson_quote $windres)]" >> $cross --if test -n "$cross_prefix"; then +-if test "$cross_compile" = "yes"; then cross_arg="--cross-file config-meson.cross" echo "[host_machine]" >> $cross if test "$mingw32" = "yes" ; then -@@ -6999,9 +6998,6 @@ if test -n "$cross_prefix"; then +@@ -6403,9 +6402,6 @@ if test "$cross_compile" = "yes"; then else echo "endian = 'little'" >> $cross fi diff --git a/poky/meta/recipes-devtools/qemu/qemu/determinism.patch b/poky/meta/recipes-devtools/qemu/qemu/determinism.patch index cb1c90777..330a31204 100644 --- a/poky/meta/recipes-devtools/qemu/qemu/determinism.patch +++ b/poky/meta/recipes-devtools/qemu/qemu/determinism.patch @@ -4,38 +4,19 @@ qemu build are not reproducible due to either full buildpaths or timestamps. Replace the full paths with relative ones. I couldn't figure out how to get meson to pass relative paths but we can fix that in the script. -For the keymaps, omit the timestamps as they don't matter to us. - Upstream-Status: Pending [some version of all/part of this may be accepted] RP 2021/3/1 -Index: qemu-5.2.0/scripts/decodetree.py +Index: qemu-6.0.0/scripts/decodetree.py =================================================================== ---- qemu-5.2.0.orig/scripts/decodetree.py -+++ qemu-5.2.0/scripts/decodetree.py -@@ -1303,8 +1303,8 @@ def main(): +--- qemu-6.0.0.orig/scripts/decodetree.py ++++ qemu-6.0.0/scripts/decodetree.py +@@ -1304,7 +1304,7 @@ def main(): toppat = ExcMultiPattern(0) for filename in args: - input_file = filename -- f = open(filename, 'r') + input_file = os.path.relpath(filename) -+ f = open(input_file, 'r') + f = open(filename, 'rt', encoding='utf-8') parse_file(f, toppat) f.close() - -Index: qemu-5.2.0/ui/keycodemapdb/tools/keymap-gen -=================================================================== ---- qemu-5.2.0.orig/ui/keycodemapdb/tools/keymap-gen -+++ qemu-5.2.0/ui/keycodemapdb/tools/keymap-gen -@@ -317,9 +317,8 @@ class LanguageGenerator(object): - raise NotImplementedError() - - def generate_header(self, database, args): -- today = time.strftime("%Y-%m-%d %H:%M") - self._boilerplate([ -- "This file is auto-generated from keymaps.csv on %s" % today, -+ "This file is auto-generated from keymaps.csv", - "Database checksum sha256(%s)" % database.mapchecksum, - "To re-generate, run:", - " %s" % args, diff --git a/poky/meta/recipes-devtools/qemu/qemu/mingwfix.patch b/poky/meta/recipes-devtools/qemu/qemu/mingwfix.patch deleted file mode 100644 index 8d76cef63..000000000 --- a/poky/meta/recipes-devtools/qemu/qemu/mingwfix.patch +++ /dev/null @@ -1,21 +0,0 @@ -OE assumes that mingw files are in a unix like file layout. The -'flattening' done by configure in qemu for mingw32 breaks things -for us. We are discussing with upstream but for now, hack this to -disable it and use the unix like layout everywhere. - -Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> -Upstream-Status: Submitted [https://lists.gnu.org/archive/html/qemu-devel/2021-01/msg01073.html] - -Index: qemu-5.2.0/configure -=================================================================== ---- qemu-5.2.0.orig/configure -+++ qemu-5.2.0/configure -@@ -1541,7 +1541,7 @@ libdir="${libdir:-$prefix/lib}" - libexecdir="${libexecdir:-$prefix/libexec}" - includedir="${includedir:-$prefix/include}" - --if test "$mingw32" = "yes" ; then -+if test "$mingw32" = "dontwantthis" ; then - mandir="$prefix" - datadir="$prefix" - docdir="$prefix" diff --git a/poky/meta/recipes-devtools/qemu/qemu/mmap.patch b/poky/meta/recipes-devtools/qemu/qemu/mmap.patch deleted file mode 100644 index edd9734f3..000000000 --- a/poky/meta/recipes-devtools/qemu/qemu/mmap.patch +++ /dev/null @@ -1,29 +0,0 @@ -If mremap() is called without the MREMAP_MAYMOVE flag with a start address -just before the end of memory (reserved_va) where new_size would exceed -GUEST_ADD_MAX, the assert(end - 1 <= GUEST_ADDR_MAX) in page_set_flags() -would trigger. - -Add an extra guard to the guest_range_valid() checks to prevent this and -avoid asserting binaries when reserved_va is set. - -This meant a test case now gives the same behaviour regardless of whether -reserved_va is set or not. - -Upstream-Status: Backport [https://github.com/qemu/qemu/commit/ccc5ccc17f8cfbfd87d9aede5d12a2d47c56e712] -Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org - -Index: qemu-5.2.0/linux-user/mmap.c -=================================================================== ---- qemu-5.2.0.orig/linux-user/mmap.c -+++ qemu-5.2.0/linux-user/mmap.c -@@ -727,7 +727,9 @@ abi_long target_mremap(abi_ulong old_add - - if (!guest_range_valid(old_addr, old_size) || - ((flags & MREMAP_FIXED) && -- !guest_range_valid(new_addr, new_size))) { -+ !guest_range_valid(new_addr, new_size)) || -+ ((flags & MREMAP_MAYMOVE) == 0 && -+ !guest_range_valid(old_addr, new_size))) { - errno = ENOMEM; - return -1; - } diff --git a/poky/meta/recipes-devtools/qemu/qemu/mmap2.patch b/poky/meta/recipes-devtools/qemu/qemu/mmap2.patch index 165213175..e115473b7 100644 --- a/poky/meta/recipes-devtools/qemu/qemu/mmap2.patch +++ b/poky/meta/recipes-devtools/qemu/qemu/mmap2.patch @@ -13,27 +13,26 @@ rather than ENOMEM so adjust the other part of the test to this. Upstream-Status: Submitted [https://lists.gnu.org/archive/html/qemu-devel/2021-01/msg01355.html] Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org -Index: qemu-5.2.0/linux-user/mmap.c +Index: qemu-6.0.0/linux-user/mmap.c =================================================================== ---- qemu-5.2.0.orig/linux-user/mmap.c -+++ qemu-5.2.0/linux-user/mmap.c -@@ -722,12 +722,14 @@ abi_long target_mremap(abi_ulong old_add +--- qemu-6.0.0.orig/linux-user/mmap.c ++++ qemu-6.0.0/linux-user/mmap.c +@@ -733,12 +733,16 @@ abi_long target_mremap(abi_ulong old_add int prot; void *host_addr; -- if (!guest_range_valid(old_addr, old_size) || +- if (!guest_range_valid_untagged(old_addr, old_size) || - ((flags & MREMAP_FIXED) && -- !guest_range_valid(new_addr, new_size)) || -- ((flags & MREMAP_MAYMOVE) == 0 && -- !guest_range_valid(old_addr, new_size))) { -- errno = ENOMEM; -+ if (!guest_range_valid(old_addr, old_size)) { ++ if (!guest_range_valid_untagged(old_addr, old_size)) { + errno = EFAULT; + return -1; + } -+ -+ if (((flags & MREMAP_FIXED) && !guest_range_valid(new_addr, new_size)) || -+ ((flags & MREMAP_MAYMOVE) == 0 && !guest_range_valid(old_addr, new_size))) { ++ ++ if (((flags & MREMAP_FIXED) && + !guest_range_valid_untagged(new_addr, new_size)) || + ((flags & MREMAP_MAYMOVE) == 0 && + !guest_range_valid_untagged(old_addr, new_size))) { +- errno = ENOMEM; + errno = EINVAL; return -1; } diff --git a/poky/meta/recipes-devtools/qemu/qemu_5.2.0.bb b/poky/meta/recipes-devtools/qemu/qemu_6.0.0.bb index 7afa66e39..90b135a61 100644 --- a/poky/meta/recipes-devtools/qemu/qemu_5.2.0.bb +++ b/poky/meta/recipes-devtools/qemu/qemu_6.0.0.bb @@ -19,10 +19,11 @@ do_install_append_class-nativesdk() { } PACKAGECONFIG ??= " \ - fdt sdl kvm \ + fdt sdl kvm pie \ ${@bb.utils.filter('DISTRO_FEATURES', 'alsa xen', d)} \ ${@bb.utils.contains('DISTRO_FEATURES', 'opengl', 'virglrenderer glx', '', d)} \ + ${@bb.utils.filter('DISTRO_FEATURES', 'seccomp', d)} \ " -PACKAGECONFIG_class-nativesdk ??= "fdt sdl kvm \ +PACKAGECONFIG_class-nativesdk ??= "fdt sdl kvm pie \ ${@bb.utils.contains('DISTRO_FEATURES', 'opengl', 'virglrenderer glx', '', d)} \ " |