diff options
Diffstat (limited to 'meta/recipes-devtools/qemu/qemu')
41 files changed, 1675 insertions, 1143 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/0001-Add-enable-disable-udev.patch b/meta/recipes-devtools/qemu/qemu/0001-Add-enable-disable-udev.patch deleted file mode 100644 index 4b37967e7a..0000000000 --- a/meta/recipes-devtools/qemu/qemu/0001-Add-enable-disable-udev.patch +++ /dev/null @@ -1,29 +0,0 @@ -From b921e5204030845dc7c9d16d5f66d965e8d05367 Mon Sep 17 00:00:00 2001 -From: Jeremy Puhlman <jpuhlman@mvista.com> -Date: Thu, 19 Mar 2020 11:54:26 -0700 -Subject: [PATCH] Add enable/disable libudev - -Upstream-Status: Pending -Signed-off-by: Jeremy Puhlman <jpuhlman@mvista.com> - -[update patch context] -Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> ---- - configure | 4 ++++ - 1 file changed, 4 insertions(+) - -Index: qemu-6.0.0/configure -=================================================================== ---- qemu-6.0.0.orig/configure -+++ qemu-6.0.0/configure -@@ -1565,6 +1565,10 @@ for opt do - ;; - --disable-gio) gio=no - ;; -+ --enable-libudev) libudev="yes" -+ ;; -+ --disable-libudev) libudev="no" -+ ;; - *) - echo "ERROR: unknown option $opt" - echo "Try '$0 --help' for more information" diff --git a/meta/recipes-devtools/qemu/qemu/0001-configure-fix-detection-of-gdbus-codegen.patch b/meta/recipes-devtools/qemu/qemu/0001-configure-fix-detection-of-gdbus-codegen.patch deleted file mode 100644 index 8bffc31293..0000000000 --- a/meta/recipes-devtools/qemu/qemu/0001-configure-fix-detection-of-gdbus-codegen.patch +++ /dev/null @@ -1,50 +0,0 @@ -From 464cfc64201b21386030b8f353fe9724a3413a85 Mon Sep 17 00:00:00 2001 -From: Paolo Bonzini <pbonzini@redhat.com> -Date: Wed, 5 May 2021 10:15:34 -0400 -Subject: [PATCH] configure: fix detection of gdbus-codegen - -"pkg-config --variable=gdbus_codegen gio-2.0" returns "gdbus-codegen", -and it does not pass test -x (which does not walk the path). - -Meson 0.58.0 notices that something is iffy, as the dbus_vmstate1 -assignment in tests/qtest/meson.build uses an empty string as the -command, and fails very eloquently: - -../tests/qtest/meson.build:92:2: ERROR: No program name specified. - -Use the "has" function instead of test -x, and fix the generation -of config-host.mak since meson.build expects that GDBUS_CODEGEN -is absent, rather than empty, if the tool is unavailable. - -Reported-by: Sebastian Mitterle <smitterl@redhat.com> -Fixes: #178 -Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> -Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commitdiff;h=5ecfb76ccc056eb6127e44268e475827ae73b9e0] -(not in 6.0.0, should be kept when upgrading) -Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> ---- - configure | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -Index: qemu-6.0.0/configure -=================================================================== ---- qemu-6.0.0.orig/configure -+++ qemu-6.0.0/configure -@@ -3366,7 +3366,7 @@ if ! test "$gio" = "no"; then - gio_cflags=$($pkg_config --cflags gio-2.0) - gio_libs=$($pkg_config --libs gio-2.0) - gdbus_codegen=$($pkg_config --variable=gdbus_codegen gio-2.0) -- if [ ! -x "$gdbus_codegen" ]; then -+ if ! has "$gdbus_codegen"; then - gdbus_codegen= - fi - # Check that the libraries actually work -- Ubuntu 18.04 ships -@@ -5704,6 +5704,8 @@ if test "$gio" = "yes" ; then - echo "CONFIG_GIO=y" >> $config_host_mak - echo "GIO_CFLAGS=$gio_cflags" >> $config_host_mak - echo "GIO_LIBS=$gio_libs" >> $config_host_mak -+fi -+if test "$gdbus_codegen" != "" ; then - echo "GDBUS_CODEGEN=$gdbus_codegen" >> $config_host_mak - fi - echo "CONFIG_TLS_PRIORITY=\"$tls_priority\"" >> $config_host_mak diff --git a/meta/recipes-devtools/qemu/qemu/0001-linux-user-Tag-vsx-with-ieee128-fpbits.patch b/meta/recipes-devtools/qemu/qemu/0001-linux-user-Tag-vsx-with-ieee128-fpbits.patch deleted file mode 100644 index 11b6e3c678..0000000000 --- a/meta/recipes-devtools/qemu/qemu/0001-linux-user-Tag-vsx-with-ieee128-fpbits.patch +++ /dev/null @@ -1,35 +0,0 @@ -From c5844a4cdee37268c9b65a65e6968ee129bb742d Mon Sep 17 00:00:00 2001 -From: Khem Raj <raj.khem@gmail.com> -Date: Mon, 14 Jun 2021 10:27:17 -0700 -Subject: [PATCH] linux-user: Tag vsx with ieee128 fpbits - -In OE we need this for ppc64le usermode to work since we generate 128bit -long doubles and glibc 2.34 is now checking for this in hwcaps at -runtime and failing to run the binary if machine does not support 128bit -IEEE fp - -Fixes -Fatal glibc error: CPU lacks float128 support (POWER 9 or later required) - -Upstream-Status: Pending -Signed-off-by: Khem Raj <raj.khem@gmail.com> ---- - linux-user/elfload.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/linux-user/elfload.c b/linux-user/elfload.c -index 17ab06f612..e7dd18fd40 100644 ---- a/linux-user/elfload.c -+++ b/linux-user/elfload.c -@@ -830,7 +830,7 @@ static uint32_t get_elf_hwcap2(void) - PPC2_ISA207S), QEMU_PPC_FEATURE2_ARCH_2_07 | - QEMU_PPC_FEATURE2_VEC_CRYPTO); - GET_FEATURE2(PPC2_ISA300, QEMU_PPC_FEATURE2_ARCH_3_00 | -- QEMU_PPC_FEATURE2_DARN); -+ QEMU_PPC_FEATURE2_DARN | QEMU_PPC_FEATURE2_HAS_IEEE128); - - #undef GET_FEATURE - #undef GET_FEATURE2 --- -2.32.0 - diff --git a/meta/recipes-devtools/qemu/qemu/0001-linux-user-x86_64-Handle-the-vsyscall-page-in-open_s.patch b/meta/recipes-devtools/qemu/qemu/0001-linux-user-x86_64-Handle-the-vsyscall-page-in-open_s.patch new file mode 100644 index 0000000000..2eaebe883c --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0001-linux-user-x86_64-Handle-the-vsyscall-page-in-open_s.patch @@ -0,0 +1,56 @@ +From 4517e2046610722879761bcdb60edbb2b929c848 Mon Sep 17 00:00:00 2001 +From: Richard Henderson <richard.henderson@linaro.org> +Date: Wed, 28 Feb 2024 10:25:14 -1000 +Subject: [PATCH 1/5] linux-user/x86_64: Handle the vsyscall page in + open_self_maps_{2,4} + +This is the only case in which we expect to have no host memory backing +for a guest memory page, because in general linux user processes cannot +map any pages in the top half of the 64-bit address space. + +Upstream-Status: Submitted [https://www.mail-archive.com/qemu-devel@nongnu.org/msg1026793.html] + +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2170 +Signed-off-by: Richard Henderson <richard.henderson@linaro.org> +Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> +--- + linux-user/syscall.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/linux-user/syscall.c b/linux-user/syscall.c +index a114f29a8..8307a8a61 100644 +--- a/linux-user/syscall.c ++++ b/linux-user/syscall.c +@@ -7922,6 +7922,10 @@ static void open_self_maps_4(const struct open_self_maps_data *d, + path = "[heap]"; + } else if (start == info->vdso) { + path = "[vdso]"; ++#ifdef TARGET_X86_64 ++ } else if (start == TARGET_VSYSCALL_PAGE) { ++ path = "[vsyscall]"; ++#endif + } + + /* Except null device (MAP_ANON), adjust offset for this fragment. */ +@@ -8010,6 +8014,18 @@ static int open_self_maps_2(void *opaque, target_ulong guest_start, + uintptr_t host_start = (uintptr_t)g2h_untagged(guest_start); + uintptr_t host_last = (uintptr_t)g2h_untagged(guest_end - 1); + ++#ifdef TARGET_X86_64 ++ /* ++ * Because of the extremely high position of the page within the guest ++ * virtual address space, this is not backed by host memory at all. ++ * Therefore the loop below would fail. This is the only instance ++ * of not having host backing memory. ++ */ ++ if (guest_start == TARGET_VSYSCALL_PAGE) { ++ return open_self_maps_3(opaque, guest_start, guest_end, flags); ++ } ++#endif ++ + while (1) { + IntervalTreeNode *n = + interval_tree_iter_first(d->host_maps, host_start, host_start); +-- +2.34.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0003-qemu-Add-addition-environment-space-to-boot-loader-q.patch b/meta/recipes-devtools/qemu/qemu/0001-qemu-Add-addition-environment-space-to-boot-loader-q.patch index 733789be29..c65508017d 100644 --- a/meta/recipes-devtools/qemu/qemu/0003-qemu-Add-addition-environment-space-to-boot-loader-q.patch +++ b/meta/recipes-devtools/qemu/qemu/0001-qemu-Add-addition-environment-space-to-boot-loader-q.patch @@ -1,7 +1,7 @@ -From ce1eceab2350d27960ec254650717085f6a11c9a Mon Sep 17 00:00:00 2001 +From de64af82950a6908f9407dfc92b83c17e2af3eab Mon Sep 17 00:00:00 2001 From: Jason Wessel <jason.wessel@windriver.com> Date: Fri, 28 Mar 2014 17:42:43 +0800 -Subject: [PATCH] qemu: Add addition environment space to boot loader +Subject: [PATCH 01/12] qemu: Add addition environment space to boot loader qemu-system-mips Upstream-Status: Inappropriate - OE uses deep paths @@ -18,11 +18,11 @@ Signed-off-by: Roy Li <rongqing.li@windriver.com> hw/mips/malta.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -Index: qemu-6.0.0/hw/mips/malta.c +Index: qemu-8.0.0/hw/mips/malta.c =================================================================== ---- qemu-6.0.0.orig/hw/mips/malta.c -+++ qemu-6.0.0/hw/mips/malta.c -@@ -65,7 +65,7 @@ +--- qemu-8.0.0.orig/hw/mips/malta.c ++++ qemu-8.0.0/hw/mips/malta.c +@@ -64,7 +64,7 @@ #define ENVP_PADDR 0x2000 #define ENVP_VADDR cpu_mips_phys_to_kseg0(NULL, ENVP_PADDR) #define ENVP_NB_ENTRIES 16 diff --git a/meta/recipes-devtools/qemu/qemu/0001-qemu-Add-missing-wacom-HID-descriptor.patch b/meta/recipes-devtools/qemu/qemu/0001-qemu-Add-missing-wacom-HID-descriptor.patch deleted file mode 100644 index 2f2d19f536..0000000000 --- a/meta/recipes-devtools/qemu/qemu/0001-qemu-Add-missing-wacom-HID-descriptor.patch +++ /dev/null @@ -1,141 +0,0 @@ -From 883feb43129dc39b491e492c7ccfe89aefe53c44 Mon Sep 17 00:00:00 2001 -From: Richard Purdie <richard.purdie@linuxfoundation.org> -Date: Thu, 27 Nov 2014 14:04:29 +0000 -Subject: [PATCH] qemu: Add missing wacom HID descriptor - -The USB wacom device is missing a HID descriptor which causes it -to fail to operate with recent kernels (e.g. 3.17). - -This patch adds a HID desriptor to the device, based upon one from -real wcom device. - -Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> - -Upstream-Status: Submitted -2014/11/27 - -[update patch context] -Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> ---- - hw/usb/dev-wacom.c | 94 +++++++++++++++++++++++++++++++++++++++++++++- - 1 file changed, 93 insertions(+), 1 deletion(-) - -Index: qemu-6.0.0/hw/usb/dev-wacom.c -=================================================================== ---- qemu-6.0.0.orig/hw/usb/dev-wacom.c -+++ qemu-6.0.0/hw/usb/dev-wacom.c -@@ -69,6 +69,89 @@ static const USBDescStrings desc_strings - [STR_SERIALNUMBER] = "1", - }; - -+static const uint8_t qemu_tablet_hid_report_descriptor[] = { -+ 0x05, 0x01, /* Usage Page (Generic Desktop) */ -+ 0x09, 0x02, /* Usage (Mouse) */ -+ 0xa1, 0x01, /* Collection (Application) */ -+ 0x85, 0x01, /* Report ID (1) */ -+ 0x09, 0x01, /* Usage (Pointer) */ -+ 0xa1, 0x00, /* Collection (Physical) */ -+ 0x05, 0x09, /* Usage Page (Button) */ -+ 0x19, 0x01, /* Usage Minimum (1) */ -+ 0x29, 0x05, /* Usage Maximum (5) */ -+ 0x15, 0x00, /* Logical Minimum (0) */ -+ 0x25, 0x01, /* Logical Maximum (1) */ -+ 0x95, 0x05, /* Report Count (5) */ -+ 0x75, 0x01, /* Report Size (1) */ -+ 0x81, 0x02, /* Input (Data, Variable, Absolute) */ -+ 0x95, 0x01, /* Report Count (1) */ -+ 0x75, 0x03, /* Report Size (3) */ -+ 0x81, 0x01, /* Input (Constant) */ -+ 0x05, 0x01, /* Usage Page (Generic Desktop) */ -+ 0x09, 0x30, /* Usage (X) */ -+ 0x09, 0x31, /* Usage (Y) */ -+ 0x15, 0x81, /* Logical Minimum (-127) */ -+ 0x25, 0x7f, /* Logical Maximum (127) */ -+ 0x75, 0x08, /* Report Size (8) */ -+ 0x95, 0x02, /* Report Count (2) */ -+ 0x81, 0x06, /* Input (Data, Variable, Relative) */ -+ 0xc0, /* End Collection */ -+ 0xc0, /* End Collection */ -+ 0x05, 0x0d, /* Usage Page (Digitizer) */ -+ 0x09, 0x01, /* Usage (Digitizer) */ -+ 0xa1, 0x01, /* Collection (Application) */ -+ 0x85, 0x02, /* Report ID (2) */ -+ 0xa1, 0x00, /* Collection (Physical) */ -+ 0x06, 0x00, 0xff, /* Usage Page (Vendor 0xff00) */ -+ 0x09, 0x01, /* Usage (Digitizer) */ -+ 0x15, 0x00, /* Logical Minimum (0) */ -+ 0x26, 0xff, 0x00, /* Logical Maximum (255) */ -+ 0x75, 0x08, /* Report Size (8) */ -+ 0x95, 0x08, /* Report Count (8) */ -+ 0x81, 0x02, /* Input (Data, Variable, Absolute) */ -+ 0xc0, /* End Collection */ -+ 0x09, 0x01, /* Usage (Digitizer) */ -+ 0x85, 0x02, /* Report ID (2) */ -+ 0x95, 0x01, /* Report Count (1) */ -+ 0xb1, 0x02, /* FEATURE (2) */ -+ 0xc0, /* End Collection */ -+ 0x06, 0x00, 0xff, /* Usage Page (Vendor 0xff00) */ -+ 0x09, 0x01, /* Usage (Digitizer) */ -+ 0xa1, 0x01, /* Collection (Application) */ -+ 0x85, 0x02, /* Report ID (2) */ -+ 0x05, 0x0d, /* Usage Page (Digitizer) */ -+ 0x09, 0x22, /* Usage (Finger) */ -+ 0xa1, 0x00, /* Collection (Physical) */ -+ 0x06, 0x00, 0xff, /* Usage Page (Vendor 0xff00) */ -+ 0x09, 0x01, /* Usage (Digitizer) */ -+ 0x15, 0x00, /* Logical Minimum (0) */ -+ 0x26, 0xff, 0x00, /* Logical Maximum */ -+ 0x75, 0x08, /* Report Size (8) */ -+ 0x95, 0x02, /* Report Count (2) */ -+ 0x81, 0x02, /* Input (Data, Variable, Absolute) */ -+ 0x05, 0x01, /* Usage Page (Generic Desktop) */ -+ 0x09, 0x30, /* Usage (X) */ -+ 0x35, 0x00, /* Physical Minimum */ -+ 0x46, 0xe0, 0x2e, /* Physical Maximum */ -+ 0x26, 0xe0, 0x01, /* Logical Maximum */ -+ 0x75, 0x10, /* Report Size (16) */ -+ 0x95, 0x01, /* Report Count (1) */ -+ 0x81, 0x02, /* Input (Data, Variable, Absolute) */ -+ 0x09, 0x31, /* Usage (Y) */ -+ 0x46, 0x40, 0x1f, /* Physical Maximum */ -+ 0x26, 0x40, 0x01, /* Logical Maximum */ -+ 0x81, 0x02, /* Input (Data, Variable, Absolute) */ -+ 0x06, 0x00, 0xff, /* Usage Page (Vendor 0xff00) */ -+ 0x09, 0x01, /* Usage (Digitizer) */ -+ 0x26, 0xff, 0x00, /* Logical Maximum */ -+ 0x75, 0x08, /* Report Size (8) */ -+ 0x95, 0x0d, /* Report Count (13) */ -+ 0x81, 0x02, /* Input (Data, Variable, Absolute) */ -+ 0xc0, /* End Collection */ -+ 0xc0, /* End Collection */ -+}; -+ -+ - static const USBDescIface desc_iface_wacom = { - .bInterfaceNumber = 0, - .bNumEndpoints = 1, -@@ -86,7 +169,7 @@ static const USBDescIface desc_iface_wac - 0x00, /* u8 country_code */ - 0x01, /* u8 num_descriptors */ - USB_DT_REPORT, /* u8 type: Report */ -- 0x6e, 0, /* u16 len */ -+ sizeof(qemu_tablet_hid_report_descriptor), 0, /* u16 len */ - }, - }, - }, -@@ -266,6 +349,15 @@ static void usb_wacom_handle_control(USB - } - - switch (request) { -+ case InterfaceRequest | USB_REQ_GET_DESCRIPTOR: -+ switch (value >> 8) { -+ case 0x22: -+ memcpy(data, qemu_tablet_hid_report_descriptor, -+ sizeof(qemu_tablet_hid_report_descriptor)); -+ p->actual_length = sizeof(qemu_tablet_hid_report_descriptor); -+ break; -+ } -+ break; - case WACOM_SET_REPORT: - if (s->mouse_grabbed) { - qemu_remove_mouse_event_handler(s->eh_entry); diff --git a/meta/recipes-devtools/qemu/qemu/0001-tests-meson.build-use-relative-path-to-refer-to-file.patch b/meta/recipes-devtools/qemu/qemu/0001-tests-meson.build-use-relative-path-to-refer-to-file.patch deleted file mode 100644 index d5e1ab4d51..0000000000 --- a/meta/recipes-devtools/qemu/qemu/0001-tests-meson.build-use-relative-path-to-refer-to-file.patch +++ /dev/null @@ -1,31 +0,0 @@ -From a4bdc0416134477e4eae386db04b1de7491163bb Mon Sep 17 00:00:00 2001 -From: Changqing Li <changqing.li@windriver.com> -Date: Thu, 14 Jan 2021 06:33:04 +0000 -Subject: [PATCH] tests/meson.build: use relative path to refer to files - -Fix error like: -Fatal error: can't create tests/ptimer-test.p/..._qemu-5.2.0_hw_core_ptimer.c.o: File name too long - -when build path is too long, use meson.source_root() will make this -filename too long. Fixed by using relative path to refer to files - -Upstream-Status: Submitted [send to qemu-devel] - -Signed-off-by: Changqing Li <changqing.li@windriver.com> ---- - tests/meson.build | 2 +- - 1 files changed, 1 insertions(+), 1 deletion(-) - -Index: qemu-6.0.0/tests/unit/meson.build -=================================================================== ---- qemu-6.0.0.orig/tests/unit/meson.build -+++ qemu-6.0.0/tests/unit/meson.build -@@ -42,7 +42,7 @@ tests = { - 'test-keyval': [testqapi], - 'test-logging': [], - 'test-uuid': [], -- 'ptimer-test': ['ptimer-test-stubs.c', meson.source_root() / 'hw/core/ptimer.c'], -+ 'ptimer-test': ['ptimer-test-stubs.c', '../../hw/core/ptimer.c'], - 'test-qapi-util': [], - } - diff --git a/meta/recipes-devtools/qemu/qemu/0001-vhost-user-gpu-fix-memory-disclosure-in-virgl_cmd_ge.patch b/meta/recipes-devtools/qemu/qemu/0001-vhost-user-gpu-fix-memory-disclosure-in-virgl_cmd_ge.patch deleted file mode 100644 index 981c237292..0000000000 --- a/meta/recipes-devtools/qemu/qemu/0001-vhost-user-gpu-fix-memory-disclosure-in-virgl_cmd_ge.patch +++ /dev/null @@ -1,43 +0,0 @@ -CVE: CVE-2021-3545 -Upstream-Status: Backport -Signed-off-by: Ross Burton <ross.burton@arm.com> - -From 121841b25d72d13f8cad554363138c360f1250ea Mon Sep 17 00:00:00 2001 -From: Li Qiang <liq3ea@163.com> -Date: Sat, 15 May 2021 20:03:56 -0700 -Subject: [PATCH 1/7] vhost-user-gpu: fix memory disclosure in - virgl_cmd_get_capset_info (CVE-2021-3545) -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Otherwise some of the 'resp' will be leaked to guest. - -Fixes: CVE-2021-3545 -Reported-by: Li Qiang <liq3ea@163.com> -virtio-gpu fix: 42a8dadc74 ("virtio-gpu: fix information leak -in getting capset info dispatch") - -Signed-off-by: Li Qiang <liq3ea@163.com> -Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> -Message-Id: <20210516030403.107723-2-liq3ea@163.com> -Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> ---- - contrib/vhost-user-gpu/virgl.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c -index 9e6660c7ab..6a332d601f 100644 ---- a/contrib/vhost-user-gpu/virgl.c -+++ b/contrib/vhost-user-gpu/virgl.c -@@ -128,6 +128,7 @@ virgl_cmd_get_capset_info(VuGpu *g, - - VUGPU_FILL_CMD(info); - -+ memset(&resp, 0, sizeof(resp)); - if (info.capset_index == 0) { - resp.capset_id = VIRTIO_GPU_CAPSET_VIRGL; - virgl_renderer_get_cap_set(resp.capset_id, --- -2.25.1 - diff --git a/meta/recipes-devtools/qemu/qemu/0002-linux-user-Replace-use-of-lfs64-related-functions-an.patch b/meta/recipes-devtools/qemu/qemu/0002-linux-user-Replace-use-of-lfs64-related-functions-an.patch new file mode 100644 index 0000000000..ceae67be64 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0002-linux-user-Replace-use-of-lfs64-related-functions-an.patch @@ -0,0 +1,355 @@ +From 71f14902256e3c3529710b713e1ea43100bf4c40 Mon Sep 17 00:00:00 2001 +From: Khem Raj <raj.khem@gmail.com> +Date: Sat, 17 Dec 2022 08:37:46 -0800 +Subject: [PATCH 2/2] linux-user: Replace use of lfs64 related functions and + macros + +Builds defines -D_FILE_OFFSET_BITS=64 which makes the original functions +anf macros behave same as their 64 suffixed counterparts. This also +helps in compiling with latest musl C library, where these macros and +functions are no more available under _GNU_SOURCE feature macro + +Upstream-Status: Submitted [https://lists.gnu.org/archive/html/qemu-devel/2022-12/msg02841.html] +Signed-off-by: Khem Raj <raj.khem@gmail.com> +Cc: Laurent Vivier <laurent@vivier.eu> +--- + linux-user/syscall.c | 153 +++++++++++-------------------------------- + 1 file changed, 39 insertions(+), 114 deletions(-) + +Index: qemu-8.0.0/linux-user/syscall.c +=================================================================== +--- qemu-8.0.0.orig/linux-user/syscall.c ++++ qemu-8.0.0/linux-user/syscall.c +@@ -761,8 +761,8 @@ safe_syscall6(ssize_t, copy_file_range, + */ + #define safe_ioctl(...) safe_syscall(__NR_ioctl, __VA_ARGS__) + /* Similarly for fcntl. Note that callers must always: +- * pass the F_GETLK64 etc constants rather than the unsuffixed F_GETLK +- * use the flock64 struct rather than unsuffixed flock ++ * pass the F_GETLK etc constants rather than the unsuffixed F_GETLK ++ * use the flock struct rather than unsuffixed flock + * This will then work and use a 64-bit offset for both 32-bit and 64-bit hosts. + */ + #ifdef __NR_fcntl64 +@@ -6813,13 +6813,13 @@ static int target_to_host_fcntl_cmd(int + ret = cmd; + break; + case TARGET_F_GETLK: +- ret = F_GETLK64; ++ ret = F_GETLK; + break; + case TARGET_F_SETLK: +- ret = F_SETLK64; ++ ret = F_SETLK; + break; + case TARGET_F_SETLKW: +- ret = F_SETLKW64; ++ ret = F_SETLKW; + break; + case TARGET_F_GETOWN: + ret = F_GETOWN; +@@ -6833,17 +6833,6 @@ static int target_to_host_fcntl_cmd(int + case TARGET_F_SETSIG: + ret = F_SETSIG; + break; +-#if TARGET_ABI_BITS == 32 +- case TARGET_F_GETLK64: +- ret = F_GETLK64; +- break; +- case TARGET_F_SETLK64: +- ret = F_SETLK64; +- break; +- case TARGET_F_SETLKW64: +- ret = F_SETLKW64; +- break; +-#endif + case TARGET_F_SETLEASE: + ret = F_SETLEASE; + break; +@@ -6895,8 +6884,8 @@ static int target_to_host_fcntl_cmd(int + * them to 5, 6 and 7 before making the syscall(). Since we make the + * syscall directly, adjust to what is supported by the kernel. + */ +- if (ret >= F_GETLK64 && ret <= F_SETLKW64) { +- ret -= F_GETLK64 - 5; ++ if (ret >= F_GETLK && ret <= F_SETLKW) { ++ ret -= F_GETLK - 5; + } + #endif + +@@ -6929,55 +6918,11 @@ static int host_to_target_flock(int type + return type; + } + +-static inline abi_long copy_from_user_flock(struct flock64 *fl, +- abi_ulong target_flock_addr) +-{ +- struct target_flock *target_fl; +- int l_type; +- +- if (!lock_user_struct(VERIFY_READ, target_fl, target_flock_addr, 1)) { +- return -TARGET_EFAULT; +- } +- +- __get_user(l_type, &target_fl->l_type); +- l_type = target_to_host_flock(l_type); +- if (l_type < 0) { +- return l_type; +- } +- fl->l_type = l_type; +- __get_user(fl->l_whence, &target_fl->l_whence); +- __get_user(fl->l_start, &target_fl->l_start); +- __get_user(fl->l_len, &target_fl->l_len); +- __get_user(fl->l_pid, &target_fl->l_pid); +- unlock_user_struct(target_fl, target_flock_addr, 0); +- return 0; +-} +- +-static inline abi_long copy_to_user_flock(abi_ulong target_flock_addr, +- const struct flock64 *fl) +-{ +- struct target_flock *target_fl; +- short l_type; +- +- if (!lock_user_struct(VERIFY_WRITE, target_fl, target_flock_addr, 0)) { +- return -TARGET_EFAULT; +- } +- +- l_type = host_to_target_flock(fl->l_type); +- __put_user(l_type, &target_fl->l_type); +- __put_user(fl->l_whence, &target_fl->l_whence); +- __put_user(fl->l_start, &target_fl->l_start); +- __put_user(fl->l_len, &target_fl->l_len); +- __put_user(fl->l_pid, &target_fl->l_pid); +- unlock_user_struct(target_fl, target_flock_addr, 1); +- return 0; +-} +- +-typedef abi_long from_flock64_fn(struct flock64 *fl, abi_ulong target_addr); +-typedef abi_long to_flock64_fn(abi_ulong target_addr, const struct flock64 *fl); ++typedef abi_long from_flock_fn(struct flock *fl, abi_ulong target_addr); ++typedef abi_long to_flock_fn(abi_ulong target_addr, const struct flock *fl); + + #if defined(TARGET_ARM) && TARGET_ABI_BITS == 32 +-struct target_oabi_flock64 { ++struct target_oabi_flock { + abi_short l_type; + abi_short l_whence; + abi_llong l_start; +@@ -6985,10 +6930,10 @@ struct target_oabi_flock64 { + abi_int l_pid; + } QEMU_PACKED; + +-static inline abi_long copy_from_user_oabi_flock64(struct flock64 *fl, ++static inline abi_long copy_from_user_oabi_flock(struct flock *fl, + abi_ulong target_flock_addr) + { +- struct target_oabi_flock64 *target_fl; ++ struct target_oabi_flock *target_fl; + int l_type; + + if (!lock_user_struct(VERIFY_READ, target_fl, target_flock_addr, 1)) { +@@ -7009,10 +6954,10 @@ static inline abi_long copy_from_user_oa + return 0; + } + +-static inline abi_long copy_to_user_oabi_flock64(abi_ulong target_flock_addr, +- const struct flock64 *fl) ++static inline abi_long copy_to_user_oabi_flock(abi_ulong target_flock_addr, ++ const struct flock *fl) + { +- struct target_oabi_flock64 *target_fl; ++ struct target_oabi_flock *target_fl; + short l_type; + + if (!lock_user_struct(VERIFY_WRITE, target_fl, target_flock_addr, 0)) { +@@ -7030,10 +6975,10 @@ static inline abi_long copy_to_user_oabi + } + #endif + +-static inline abi_long copy_from_user_flock64(struct flock64 *fl, ++static inline abi_long copy_from_user_flock(struct flock *fl, + abi_ulong target_flock_addr) + { +- struct target_flock64 *target_fl; ++ struct target_flock *target_fl; + int l_type; + + if (!lock_user_struct(VERIFY_READ, target_fl, target_flock_addr, 1)) { +@@ -7054,10 +6999,10 @@ static inline abi_long copy_from_user_fl + return 0; + } + +-static inline abi_long copy_to_user_flock64(abi_ulong target_flock_addr, +- const struct flock64 *fl) ++static inline abi_long copy_to_user_flock(abi_ulong target_flock_addr, ++ const struct flock *fl) + { +- struct target_flock64 *target_fl; ++ struct target_flock *target_fl; + short l_type; + + if (!lock_user_struct(VERIFY_WRITE, target_fl, target_flock_addr, 0)) { +@@ -7076,7 +7021,7 @@ static inline abi_long copy_to_user_floc + + static abi_long do_fcntl(int fd, int cmd, abi_ulong arg) + { +- struct flock64 fl64; ++ struct flock fl64; + #ifdef F_GETOWN_EX + struct f_owner_ex fox; + struct target_f_owner_ex *target_fox; +@@ -7089,6 +7034,7 @@ static abi_long do_fcntl(int fd, int cmd + + switch(cmd) { + case TARGET_F_GETLK: ++ case TARGET_F_OFD_GETLK: + ret = copy_from_user_flock(&fl64, arg); + if (ret) { + return ret; +@@ -7098,32 +7044,11 @@ static abi_long do_fcntl(int fd, int cmd + ret = copy_to_user_flock(arg, &fl64); + } + break; +- + case TARGET_F_SETLK: + case TARGET_F_SETLKW: +- ret = copy_from_user_flock(&fl64, arg); +- if (ret) { +- return ret; +- } +- ret = get_errno(safe_fcntl(fd, host_cmd, &fl64)); +- break; +- +- case TARGET_F_GETLK64: +- case TARGET_F_OFD_GETLK: +- ret = copy_from_user_flock64(&fl64, arg); +- if (ret) { +- return ret; +- } +- ret = get_errno(safe_fcntl(fd, host_cmd, &fl64)); +- if (ret == 0) { +- ret = copy_to_user_flock64(arg, &fl64); +- } +- break; +- case TARGET_F_SETLK64: +- case TARGET_F_SETLKW64: + case TARGET_F_OFD_SETLK: + case TARGET_F_OFD_SETLKW: +- ret = copy_from_user_flock64(&fl64, arg); ++ ret = copy_from_user_flock(&fl64, arg); + if (ret) { + return ret; + } +@@ -7348,7 +7273,7 @@ static inline abi_long target_truncate64 + arg2 = arg3; + arg3 = arg4; + } +- return get_errno(truncate64(arg1, target_offset64(arg2, arg3))); ++ return get_errno(truncate(arg1, target_offset64(arg2, arg3))); + } + #endif + +@@ -7362,7 +7287,7 @@ static inline abi_long target_ftruncate6 + arg2 = arg3; + arg3 = arg4; + } +- return get_errno(ftruncate64(arg1, target_offset64(arg2, arg3))); ++ return get_errno(ftruncate(arg1, target_offset64(arg2, arg3))); + } + #endif + +@@ -8598,7 +8523,7 @@ static int do_getdents(abi_long dirfd, a + void *tdirp; + int hlen, hoff, toff; + int hreclen, treclen; +- off64_t prev_diroff = 0; ++ off_t prev_diroff = 0; + + hdirp = g_try_malloc(count); + if (!hdirp) { +@@ -8651,7 +8576,7 @@ static int do_getdents(abi_long dirfd, a + * Return what we have, resetting the file pointer to the + * location of the first record not returned. + */ +- lseek64(dirfd, prev_diroff, SEEK_SET); ++ lseek(dirfd, prev_diroff, SEEK_SET); + break; + } + +@@ -8685,7 +8610,7 @@ static int do_getdents64(abi_long dirfd, + void *tdirp; + int hlen, hoff, toff; + int hreclen, treclen; +- off64_t prev_diroff = 0; ++ off_t prev_diroff = 0; + + hdirp = g_try_malloc(count); + if (!hdirp) { +@@ -8727,7 +8652,7 @@ static int do_getdents64(abi_long dirfd, + * Return what we have, resetting the file pointer to the + * location of the first record not returned. + */ +- lseek64(dirfd, prev_diroff, SEEK_SET); ++ lseek(dirfd, prev_diroff, SEEK_SET); + break; + } + +@@ -11158,7 +11083,7 @@ static abi_long do_syscall1(CPUArchState + return -TARGET_EFAULT; + } + } +- ret = get_errno(pread64(arg1, p, arg3, target_offset64(arg4, arg5))); ++ ret = get_errno(pread(arg1, p, arg3, target_offset64(arg4, arg5))); + unlock_user(p, arg2, ret); + return ret; + case TARGET_NR_pwrite64: +@@ -11175,7 +11100,7 @@ static abi_long do_syscall1(CPUArchState + return -TARGET_EFAULT; + } + } +- ret = get_errno(pwrite64(arg1, p, arg3, target_offset64(arg4, arg5))); ++ ret = get_errno(pwrite(arg1, p, arg3, target_offset64(arg4, arg5))); + unlock_user(p, arg2, 0); + return ret; + #endif +@@ -11998,14 +11923,14 @@ static abi_long do_syscall1(CPUArchState + case TARGET_NR_fcntl64: + { + int cmd; +- struct flock64 fl; +- from_flock64_fn *copyfrom = copy_from_user_flock64; +- to_flock64_fn *copyto = copy_to_user_flock64; ++ struct flock fl; ++ from_flock_fn *copyfrom = copy_from_user_flock; ++ to_flock_fn *copyto = copy_to_user_flock; + + #ifdef TARGET_ARM + if (!cpu_env->eabi) { +- copyfrom = copy_from_user_oabi_flock64; +- copyto = copy_to_user_oabi_flock64; ++ copyfrom = copy_from_user_oabi_flock; ++ copyto = copy_to_user_oabi_flock; + } + #endif + +@@ -12015,7 +11940,7 @@ static abi_long do_syscall1(CPUArchState + } + + switch(arg2) { +- case TARGET_F_GETLK64: ++ case TARGET_F_GETLK: + ret = copyfrom(&fl, arg3); + if (ret) { + break; +@@ -12026,8 +11951,8 @@ static abi_long do_syscall1(CPUArchState + } + break; + +- case TARGET_F_SETLK64: +- case TARGET_F_SETLKW64: ++ case TARGET_F_SETLK: ++ case TARGET_F_SETLKW: + ret = copyfrom(&fl, arg3); + if (ret) { + break; diff --git a/meta/recipes-devtools/qemu/qemu/0002-linux-user-loongarch64-Remove-TARGET_FORCE_SHMLBA.patch b/meta/recipes-devtools/qemu/qemu/0002-linux-user-loongarch64-Remove-TARGET_FORCE_SHMLBA.patch new file mode 100644 index 0000000000..3f01aaa644 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0002-linux-user-loongarch64-Remove-TARGET_FORCE_SHMLBA.patch @@ -0,0 +1,43 @@ +From 5bf65b24414d3ff8339f6f1beb221c7c35c91e5d Mon Sep 17 00:00:00 2001 +From: Richard Henderson <richard.henderson@linaro.org> +Date: Wed, 28 Feb 2024 10:25:15 -1000 +Subject: [PATCH 2/5] linux-user/loongarch64: Remove TARGET_FORCE_SHMLBA + +The kernel abi was changed with + + commit d23b77953f5a4fbf94c05157b186aac2a247ae32 + Author: Huacai Chen <chenhuacai@kernel.org> + Date: Wed Jan 17 12:43:08 2024 +0800 + + LoongArch: Change SHMLBA from SZ_64K to PAGE_SIZE + +during the v6.8 cycle. + +Upstream-Status: Submitted [https://www.mail-archive.com/qemu-devel@nongnu.org/msg1026793.html] + +Reviewed-by: Song Gao <gaosong@loongson.cn> +Signed-off-by: Richard Henderson <richard.henderson@linaro.org> +Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> +--- + linux-user/loongarch64/target_syscall.h | 7 ------- + 1 file changed, 7 deletions(-) + +diff --git a/linux-user/loongarch64/target_syscall.h b/linux-user/loongarch64/target_syscall.h +index 8b5de5212..39f229bb9 100644 +--- a/linux-user/loongarch64/target_syscall.h ++++ b/linux-user/loongarch64/target_syscall.h +@@ -38,11 +38,4 @@ struct target_pt_regs { + #define TARGET_MCL_FUTURE 2 + #define TARGET_MCL_ONFAULT 4 + +-#define TARGET_FORCE_SHMLBA +- +-static inline abi_ulong target_shmlba(CPULoongArchState *env) +-{ +- return 64 * KiB; +-} +- + #endif +-- +2.34.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0002-vhost-user-gpu-fix-resource-leak-in-vg_resource_crea.patch b/meta/recipes-devtools/qemu/qemu/0002-vhost-user-gpu-fix-resource-leak-in-vg_resource_crea.patch deleted file mode 100644 index a9aee47e39..0000000000 --- a/meta/recipes-devtools/qemu/qemu/0002-vhost-user-gpu-fix-resource-leak-in-vg_resource_crea.patch +++ /dev/null @@ -1,41 +0,0 @@ -CVE: CVE-2021-3544 -Upstream-Status: Backport -Signed-off-by: Ross Burton <ross.burton@arm.com> - -From 86dd8fac2acc366930a5dc08d3fb1b1e816f4e1e Mon Sep 17 00:00:00 2001 -From: Li Qiang <liq3ea@163.com> -Date: Sat, 15 May 2021 20:03:57 -0700 -Subject: [PATCH 2/7] vhost-user-gpu: fix resource leak in - 'vg_resource_create_2d' (CVE-2021-3544) -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Call 'vugbm_buffer_destroy' in error path to avoid resource leak. - -Fixes: CVE-2021-3544 -Reported-by: Li Qiang <liq3ea@163.com> -Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org> -Signed-off-by: Li Qiang <liq3ea@163.com> -Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> -Message-Id: <20210516030403.107723-3-liq3ea@163.com> -Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> ---- - contrib/vhost-user-gpu/vhost-user-gpu.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/contrib/vhost-user-gpu/vhost-user-gpu.c b/contrib/vhost-user-gpu/vhost-user-gpu.c -index f73f292c9f..b5e153d0d6 100644 ---- a/contrib/vhost-user-gpu/vhost-user-gpu.c -+++ b/contrib/vhost-user-gpu/vhost-user-gpu.c -@@ -349,6 +349,7 @@ vg_resource_create_2d(VuGpu *g, - g_critical("%s: resource creation failed %d %d %d", - __func__, c2d.resource_id, c2d.width, c2d.height); - g_free(res); -+ vugbm_buffer_destroy(&res->buffer); - cmd->error = VIRTIO_GPU_RESP_ERR_OUT_OF_MEMORY; - return; - } --- -2.25.1 - diff --git a/meta/recipes-devtools/qemu/qemu/0007-apic-fixup-fallthrough-to-PIC.patch b/meta/recipes-devtools/qemu/qemu/0003-apic-fixup-fallthrough-to-PIC.patch index 3491fa8a53..e85f8202e9 100644 --- a/meta/recipes-devtools/qemu/qemu/0007-apic-fixup-fallthrough-to-PIC.patch +++ b/meta/recipes-devtools/qemu/qemu/0003-apic-fixup-fallthrough-to-PIC.patch @@ -1,7 +1,7 @@ -From a59a98d100123030a4145e7efe3b8a001920a9f1 Mon Sep 17 00:00:00 2001 +From dc2a8ccd440ee3741b61606eafed3f7e092f4312 Mon Sep 17 00:00:00 2001 From: Mark Asselstine <mark.asselstine@windriver.com> Date: Tue, 26 Feb 2013 11:43:28 -0500 -Subject: [PATCH] apic: fixup fallthrough to PIC +Subject: [PATCH 03/12] apic: fixup fallthrough to PIC Commit 0e21e12bb311c4c1095d0269dc2ef81196ccb60a [Don't route PIC interrupts through the local APIC if the local APIC config says so.] @@ -29,11 +29,11 @@ Signed-off-by: He Zhe <zhe.he@windriver.com> hw/intc/apic.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -Index: qemu-6.0.0/hw/intc/apic.c +Index: qemu-8.0.0/hw/intc/apic.c =================================================================== ---- qemu-6.0.0.orig/hw/intc/apic.c -+++ qemu-6.0.0/hw/intc/apic.c -@@ -606,7 +606,7 @@ int apic_accept_pic_intr(DeviceState *de +--- qemu-8.0.0.orig/hw/intc/apic.c ++++ qemu-8.0.0/hw/intc/apic.c +@@ -607,7 +607,7 @@ int apic_accept_pic_intr(DeviceState *de APICCommonState *s = APIC(dev); uint32_t lvt0; diff --git a/meta/recipes-devtools/qemu/qemu/0003-linux-user-Add-strace-for-shmat.patch b/meta/recipes-devtools/qemu/qemu/0003-linux-user-Add-strace-for-shmat.patch new file mode 100644 index 0000000000..0c601c804a --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0003-linux-user-Add-strace-for-shmat.patch @@ -0,0 +1,71 @@ +From e8f06676c6c88e12cd5f4f81a839b7111c683596 Mon Sep 17 00:00:00 2001 +From: Richard Henderson <richard.henderson@linaro.org> +Date: Wed, 28 Feb 2024 10:25:16 -1000 +Subject: [PATCH 3/5] linux-user: Add strace for shmat + +Upstream-Status: Submitted [https://www.mail-archive.com/qemu-devel@nongnu.org/msg1026793.html] + +Signed-off-by: Richard Henderson <richard.henderson@linaro.org> +Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> +--- + linux-user/strace.c | 23 +++++++++++++++++++++++ + linux-user/strace.list | 2 +- + 2 files changed, 24 insertions(+), 1 deletion(-) + +diff --git a/linux-user/strace.c b/linux-user/strace.c +index cf26e5526..47d6ec326 100644 +--- a/linux-user/strace.c ++++ b/linux-user/strace.c +@@ -670,6 +670,25 @@ print_semctl(CPUArchState *cpu_env, const struct syscallname *name, + } + #endif + ++static void ++print_shmat(CPUArchState *cpu_env, const struct syscallname *name, ++ abi_long arg0, abi_long arg1, abi_long arg2, ++ abi_long arg3, abi_long arg4, abi_long arg5) ++{ ++ static const struct flags shmat_flags[] = { ++ FLAG_GENERIC(SHM_RND), ++ FLAG_GENERIC(SHM_REMAP), ++ FLAG_GENERIC(SHM_RDONLY), ++ FLAG_GENERIC(SHM_EXEC), ++ }; ++ ++ print_syscall_prologue(name); ++ print_raw_param(TARGET_ABI_FMT_ld, arg0, 0); ++ print_pointer(arg1, 0); ++ print_flags(shmat_flags, arg2, 1); ++ print_syscall_epilogue(name); ++} ++ + #ifdef TARGET_NR_ipc + static void + print_ipc(CPUArchState *cpu_env, const struct syscallname *name, +@@ -683,6 +702,10 @@ print_ipc(CPUArchState *cpu_env, const struct syscallname *name, + print_ipc_cmd(arg3); + qemu_log(",0x" TARGET_ABI_FMT_lx ")", arg4); + break; ++ case IPCOP_shmat: ++ print_shmat(cpu_env, &(const struct syscallname){ .name = "shmat" }, ++ arg1, arg4, arg2, 0, 0, 0); ++ break; + default: + qemu_log(("%s(" + TARGET_ABI_FMT_ld "," +diff --git a/linux-user/strace.list b/linux-user/strace.list +index 6655d4f26..dfd4237d1 100644 +--- a/linux-user/strace.list ++++ b/linux-user/strace.list +@@ -1398,7 +1398,7 @@ + { TARGET_NR_sgetmask, "sgetmask" , NULL, NULL, NULL }, + #endif + #ifdef TARGET_NR_shmat +-{ TARGET_NR_shmat, "shmat" , NULL, NULL, print_syscall_ret_addr }, ++{ TARGET_NR_shmat, "shmat" , NULL, print_shmat, print_syscall_ret_addr }, + #endif + #ifdef TARGET_NR_shmctl + { TARGET_NR_shmctl, "shmctl" , NULL, NULL, NULL }, +-- +2.34.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0003-vhost-user-gpu-fix-memory-leak-in-vg_resource_attach.patch b/meta/recipes-devtools/qemu/qemu/0003-vhost-user-gpu-fix-memory-leak-in-vg_resource_attach.patch deleted file mode 100644 index 1718486405..0000000000 --- a/meta/recipes-devtools/qemu/qemu/0003-vhost-user-gpu-fix-memory-leak-in-vg_resource_attach.patch +++ /dev/null @@ -1,48 +0,0 @@ -CVE: CVE-2021-3544 -Upstream-Status: Backport -Signed-off-by: Ross Burton <ross.burton@arm.com> - -From b9f79858a614d95f5de875d0ca31096eaab72c3b Mon Sep 17 00:00:00 2001 -From: Li Qiang <liq3ea@163.com> -Date: Sat, 15 May 2021 20:03:58 -0700 -Subject: [PATCH 3/7] vhost-user-gpu: fix memory leak in - vg_resource_attach_backing (CVE-2021-3544) -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Check whether the 'res' has already been attach_backing to avoid -memory leak. - -Fixes: CVE-2021-3544 -Reported-by: Li Qiang <liq3ea@163.com> -virtio-gpu fix: 204f01b309 ("virtio-gpu: fix memory leak -in resource attach backing") - -Signed-off-by: Li Qiang <liq3ea@163.com> -Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> -Message-Id: <20210516030403.107723-4-liq3ea@163.com> -Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> ---- - contrib/vhost-user-gpu/vhost-user-gpu.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/contrib/vhost-user-gpu/vhost-user-gpu.c b/contrib/vhost-user-gpu/vhost-user-gpu.c -index b5e153d0d6..0437e52b64 100644 ---- a/contrib/vhost-user-gpu/vhost-user-gpu.c -+++ b/contrib/vhost-user-gpu/vhost-user-gpu.c -@@ -489,6 +489,11 @@ vg_resource_attach_backing(VuGpu *g, - return; - } - -+ if (res->iov) { -+ cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC; -+ return; -+ } -+ - ret = vg_create_mapping_iov(g, &ab, cmd, &res->iov); - if (ret != 0) { - cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC; --- -2.25.1 - diff --git a/meta/recipes-devtools/qemu/qemu/0004-configure-Add-pkg-config-handling-for-libgcrypt.patch b/meta/recipes-devtools/qemu/qemu/0004-configure-Add-pkg-config-handling-for-libgcrypt.patch new file mode 100644 index 0000000000..f981a64a54 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0004-configure-Add-pkg-config-handling-for-libgcrypt.patch @@ -0,0 +1,29 @@ +From d8265abdce5dc2bf74b3fccdf2b7257b4f3894f0 Mon Sep 17 00:00:00 2001 +From: He Zhe <zhe.he@windriver.com> +Date: Wed, 28 Aug 2019 19:56:28 +0800 +Subject: [PATCH 04/12] configure: Add pkg-config handling for libgcrypt + +libgcrypt may also be controlled by pkg-config, this patch adds pkg-config +handling for libgcrypt. + +Upstream-Status: Denied [https://lists.nongnu.org/archive/html/qemu-devel/2019-08/msg06333.html] + +Signed-off-by: He Zhe <zhe.he@windriver.com> + +--- + meson.build | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: qemu-8.1.0/meson.build +=================================================================== +--- qemu-8.1.0.orig/meson.build ++++ qemu-8.1.0/meson.build +@@ -1481,7 +1481,7 @@ endif + if not gnutls_crypto.found() + if (not get_option('gcrypt').auto() or have_system) and not get_option('nettle').enabled() + gcrypt = dependency('libgcrypt', version: '>=1.8', +- method: 'config-tool', ++ method: 'pkg-config', + required: get_option('gcrypt')) + # Debian has removed -lgpg-error from libgcrypt-config + # as it "spreads unnecessary dependencies" which in diff --git a/meta/recipes-devtools/qemu/qemu/0004-linux-user-Rewrite-target_shmat.patch b/meta/recipes-devtools/qemu/qemu/0004-linux-user-Rewrite-target_shmat.patch new file mode 100644 index 0000000000..88c3ed40b0 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0004-linux-user-Rewrite-target_shmat.patch @@ -0,0 +1,236 @@ +From cb48d5d1592e63ebd0d4a3e300ef98e38e6306d7 Mon Sep 17 00:00:00 2001 +From: Richard Henderson <richard.henderson@linaro.org> +Date: Wed, 28 Feb 2024 10:25:17 -1000 +Subject: [PATCH 4/5] linux-user: Rewrite target_shmat + +Handle combined host and guest alignment requirements. +Handle host and guest page size differences. +Handle SHM_EXEC. + +Upstream-Status: Submitted [https://www.mail-archive.com/qemu-devel@nongnu.org/msg1026793.html] + +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/115 +Signed-off-by: Richard Henderson <richard.henderson@linaro.org> +Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> +--- + linux-user/mmap.c | 166 +++++++++++++++++++++++++++++++++++++--------- + 1 file changed, 133 insertions(+), 33 deletions(-) + +diff --git a/linux-user/mmap.c b/linux-user/mmap.c +index 18fb3aaf7..6a2f649bb 100644 +--- a/linux-user/mmap.c ++++ b/linux-user/mmap.c +@@ -1062,69 +1062,161 @@ static inline abi_ulong target_shmlba(CPUArchState *cpu_env) + } + #endif + ++#if defined(__arm__) || defined(__mips__) || defined(__sparc__) ++#define HOST_FORCE_SHMLBA 1 ++#else ++#define HOST_FORCE_SHMLBA 0 ++#endif ++ + abi_ulong target_shmat(CPUArchState *cpu_env, int shmid, + abi_ulong shmaddr, int shmflg) + { + CPUState *cpu = env_cpu(cpu_env); +- abi_ulong raddr; + struct shmid_ds shm_info; + int ret; +- abi_ulong shmlba; ++ int h_pagesize; ++ int t_shmlba, h_shmlba, m_shmlba; ++ size_t t_len, h_len, m_len; + + /* shmat pointers are always untagged */ + +- /* find out the length of the shared memory segment */ ++ /* ++ * Because we can't use host shmat() unless the address is sufficiently ++ * aligned for the host, we'll need to check both. ++ * TODO: Could be fixed with softmmu. ++ */ ++ t_shmlba = target_shmlba(cpu_env); ++ h_pagesize = qemu_real_host_page_size(); ++ h_shmlba = (HOST_FORCE_SHMLBA ? SHMLBA : h_pagesize); ++ m_shmlba = MAX(t_shmlba, h_shmlba); ++ ++ if (shmaddr) { ++ if (shmaddr & (m_shmlba - 1)) { ++ if (shmflg & SHM_RND) { ++ /* ++ * The guest is allowing the kernel to round the address. ++ * Assume that the guest is ok with us rounding to the ++ * host required alignment too. Anyway if we don't, we'll ++ * get an error from the kernel. ++ */ ++ shmaddr &= ~(m_shmlba - 1); ++ if (shmaddr == 0 && (shmflg & SHM_REMAP)) { ++ return -TARGET_EINVAL; ++ } ++ } else { ++ int require = TARGET_PAGE_SIZE; ++#ifdef TARGET_FORCE_SHMLBA ++ require = t_shmlba; ++#endif ++ /* ++ * Include host required alignment, as otherwise we cannot ++ * use host shmat at all. ++ */ ++ require = MAX(require, h_shmlba); ++ if (shmaddr & (require - 1)) { ++ return -TARGET_EINVAL; ++ } ++ } ++ } ++ } else { ++ if (shmflg & SHM_REMAP) { ++ return -TARGET_EINVAL; ++ } ++ } ++ /* All rounding now manually concluded. */ ++ shmflg &= ~SHM_RND; ++ ++ /* Find out the length of the shared memory segment. */ + ret = get_errno(shmctl(shmid, IPC_STAT, &shm_info)); + if (is_error(ret)) { + /* can't get length, bail out */ + return ret; + } ++ t_len = TARGET_PAGE_ALIGN(shm_info.shm_segsz); ++ h_len = ROUND_UP(shm_info.shm_segsz, h_pagesize); ++ m_len = MAX(t_len, h_len); + +- shmlba = target_shmlba(cpu_env); +- +- if (shmaddr & (shmlba - 1)) { +- if (shmflg & SHM_RND) { +- shmaddr &= ~(shmlba - 1); +- } else { +- return -TARGET_EINVAL; +- } +- } +- if (!guest_range_valid_untagged(shmaddr, shm_info.shm_segsz)) { ++ if (!guest_range_valid_untagged(shmaddr, m_len)) { + return -TARGET_EINVAL; + } + + WITH_MMAP_LOCK_GUARD() { +- void *host_raddr; ++ bool mapped = false; ++ void *want, *test; + abi_ulong last; + +- if (shmaddr) { +- host_raddr = shmat(shmid, (void *)g2h_untagged(shmaddr), shmflg); ++ if (!shmaddr) { ++ shmaddr = mmap_find_vma(0, m_len, m_shmlba); ++ if (shmaddr == -1) { ++ return -TARGET_ENOMEM; ++ } ++ mapped = !reserved_va; ++ } else if (shmflg & SHM_REMAP) { ++ /* ++ * If host page size > target page size, the host shmat may map ++ * more memory than the guest expects. Reject a mapping that ++ * would replace memory in the unexpected gap. ++ * TODO: Could be fixed with softmmu. ++ */ ++ if (t_len < h_len && ++ !page_check_range_empty(shmaddr + t_len, ++ shmaddr + h_len - 1)) { ++ return -TARGET_EINVAL; ++ } + } else { +- abi_ulong mmap_start; ++ if (!page_check_range_empty(shmaddr, shmaddr + m_len - 1)) { ++ return -TARGET_EINVAL; ++ } ++ } + +- /* In order to use the host shmat, we need to honor host SHMLBA. */ +- mmap_start = mmap_find_vma(0, shm_info.shm_segsz, +- MAX(SHMLBA, shmlba)); ++ /* All placement is now complete. */ ++ want = (void *)g2h_untagged(shmaddr); + +- if (mmap_start == -1) { +- return -TARGET_ENOMEM; ++ /* ++ * Map anonymous pages across the entire range, then remap with ++ * the shared memory. This is required for a number of corner ++ * cases for which host and guest page sizes differ. ++ */ ++ if (h_len != t_len) { ++ int mmap_p = PROT_READ | (shmflg & SHM_RDONLY ? 0 : PROT_WRITE); ++ int mmap_f = MAP_PRIVATE | MAP_ANONYMOUS ++ | (reserved_va || (shmflg & SHM_REMAP) ++ ? MAP_FIXED : MAP_FIXED_NOREPLACE); ++ ++ test = mmap(want, m_len, mmap_p, mmap_f, -1, 0); ++ if (unlikely(test != want)) { ++ /* shmat returns EINVAL not EEXIST like mmap. */ ++ ret = (test == MAP_FAILED && errno != EEXIST ++ ? get_errno(-1) : -TARGET_EINVAL); ++ if (mapped) { ++ do_munmap(want, m_len); ++ } ++ return ret; + } +- host_raddr = shmat(shmid, g2h_untagged(mmap_start), +- shmflg | SHM_REMAP); ++ mapped = true; + } + +- if (host_raddr == (void *)-1) { +- return get_errno(-1); ++ if (reserved_va || mapped) { ++ shmflg |= SHM_REMAP; ++ } ++ test = shmat(shmid, want, shmflg); ++ if (test == MAP_FAILED) { ++ ret = get_errno(-1); ++ if (mapped) { ++ do_munmap(want, m_len); ++ } ++ return ret; + } +- raddr = h2g(host_raddr); +- last = raddr + shm_info.shm_segsz - 1; ++ assert(test == want); + +- page_set_flags(raddr, last, ++ last = shmaddr + m_len - 1; ++ page_set_flags(shmaddr, last, + PAGE_VALID | PAGE_RESET | PAGE_READ | +- (shmflg & SHM_RDONLY ? 0 : PAGE_WRITE)); ++ (shmflg & SHM_RDONLY ? 0 : PAGE_WRITE) | ++ (shmflg & SHM_EXEC ? PAGE_EXEC : 0)); + +- shm_region_rm_complete(raddr, last); +- shm_region_add(raddr, last); ++ shm_region_rm_complete(shmaddr, last); ++ shm_region_add(shmaddr, last); + } + + /* +@@ -1138,7 +1230,15 @@ abi_ulong target_shmat(CPUArchState *cpu_env, int shmid, + tb_flush(cpu); + } + +- return raddr; ++ if (qemu_loglevel_mask(CPU_LOG_PAGE)) { ++ FILE *f = qemu_log_trylock(); ++ if (f) { ++ fprintf(f, "page layout changed following shmat\n"); ++ page_dump(f); ++ qemu_log_unlock(f); ++ } ++ } ++ return shmaddr; + } + + abi_long target_shmdt(abi_ulong shmaddr) +-- +2.34.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0004-qemu-disable-Valgrind.patch b/meta/recipes-devtools/qemu/qemu/0004-qemu-disable-Valgrind.patch deleted file mode 100644 index 330bcaef0a..0000000000 --- a/meta/recipes-devtools/qemu/qemu/0004-qemu-disable-Valgrind.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 4127296bb1046cdf73994ba69dc913d8c02fd74f Mon Sep 17 00:00:00 2001 -From: Ross Burton <ross.burton@intel.com> -Date: Tue, 20 Oct 2015 22:19:08 +0100 -Subject: [PATCH] qemu: disable Valgrind - -There isn't an option to enable or disable valgrind support, so disable it to avoid non-deterministic builds. - -Upstream-Status: Inappropriate -Signed-off-by: Ross Burton <ross.burton@intel.com> - ---- - configure | 9 --------- - 1 file changed, 9 deletions(-) - -Index: qemu-6.0.0/configure -=================================================================== ---- qemu-6.0.0.orig/configure -+++ qemu-6.0.0/configure -@@ -4648,15 +4648,6 @@ fi - # check if we have valgrind/valgrind.h - - valgrind_h=no --cat > $TMPC << EOF --#include <valgrind/valgrind.h> --int main(void) { -- return 0; --} --EOF --if compile_prog "" "" ; then -- valgrind_h=yes --fi - - ######################################## - # check if environ is declared diff --git a/meta/recipes-devtools/qemu/qemu/0004-vhost-user-gpu-fix-memory-leak-while-calling-vg_reso.patch b/meta/recipes-devtools/qemu/qemu/0004-vhost-user-gpu-fix-memory-leak-while-calling-vg_reso.patch deleted file mode 100644 index 9fc2fafe1d..0000000000 --- a/meta/recipes-devtools/qemu/qemu/0004-vhost-user-gpu-fix-memory-leak-while-calling-vg_reso.patch +++ /dev/null @@ -1,50 +0,0 @@ -CVE: CVE-2021-3544 -Upstream-Status: Backport -Signed-off-by: Ross Burton <ross.burton@arm.com> - -From b7afebcf9e6ecf3cf9b5a9b9b731ed04bca6aa3e Mon Sep 17 00:00:00 2001 -From: Li Qiang <liq3ea@163.com> -Date: Sat, 15 May 2021 20:03:59 -0700 -Subject: [PATCH 4/7] vhost-user-gpu: fix memory leak while calling - 'vg_resource_unref' (CVE-2021-3544) -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -If the guest trigger following sequences, the attach_backing will be leaked: - - vg_resource_create_2d - vg_resource_attach_backing - vg_resource_unref - -This patch fix this by freeing 'res->iov' in vg_resource_destroy. - -Fixes: CVE-2021-3544 -Reported-by: Li Qiang <liq3ea@163.com> -virtio-gpu fix: 5e8e3c4c75 ("virtio-gpu: fix resource leak -in virgl_cmd_resource_unref") - -Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org> -Signed-off-by: Li Qiang <liq3ea@163.com> -Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> -Message-Id: <20210516030403.107723-5-liq3ea@163.com> -Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> ---- - contrib/vhost-user-gpu/vhost-user-gpu.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/contrib/vhost-user-gpu/vhost-user-gpu.c b/contrib/vhost-user-gpu/vhost-user-gpu.c -index 0437e52b64..770dfad529 100644 ---- a/contrib/vhost-user-gpu/vhost-user-gpu.c -+++ b/contrib/vhost-user-gpu/vhost-user-gpu.c -@@ -400,6 +400,7 @@ vg_resource_destroy(VuGpu *g, - } - - vugbm_buffer_destroy(&res->buffer); -+ g_free(res->iov); - pixman_image_unref(res->image); - QTAILQ_REMOVE(&g->reslist, res, next); - g_free(res); --- -2.25.1 - diff --git a/meta/recipes-devtools/qemu/qemu/0001-qemu-Do-not-include-file-if-not-exists.patch b/meta/recipes-devtools/qemu/qemu/0005-qemu-Do-not-include-file-if-not-exists.patch index b8d288d3a2..38aa4c3bbe 100644 --- a/meta/recipes-devtools/qemu/qemu/0001-qemu-Do-not-include-file-if-not-exists.patch +++ b/meta/recipes-devtools/qemu/qemu/0005-qemu-Do-not-include-file-if-not-exists.patch @@ -1,7 +1,7 @@ -From 34247f83095f8cdcdc1f9d7f0c6ffbd46b25d979 Mon Sep 17 00:00:00 2001 +From f39e7bfc5ed07b5ecaeb705c4eae4855ca120d47 Mon Sep 17 00:00:00 2001 From: Oleksiy Obitotskyy <oobitots@cisco.com> Date: Wed, 25 Mar 2020 21:21:35 +0200 -Subject: [PATCH] qemu: Do not include file if not exists +Subject: [PATCH 05/12] qemu: Do not include file if not exists Script configure checks for if_alg.h and check failed but if_alg.h still included. @@ -11,15 +11,16 @@ Signed-off-by: Oleksiy Obitotskyy <oobitots@cisco.com> [update patch context] Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> + --- linux-user/syscall.c | 2 ++ 1 file changed, 2 insertions(+) -Index: qemu-6.0.0/linux-user/syscall.c +Index: qemu-8.0.0/linux-user/syscall.c =================================================================== ---- qemu-6.0.0.orig/linux-user/syscall.c -+++ qemu-6.0.0/linux-user/syscall.c -@@ -113,7 +113,9 @@ +--- qemu-8.0.0.orig/linux-user/syscall.c ++++ qemu-8.0.0/linux-user/syscall.c +@@ -115,7 +115,9 @@ #include <linux/blkpg.h> #include <netpacket/packet.h> #include <linux/netlink.h> diff --git a/meta/recipes-devtools/qemu/qemu/0005-tests-tcg-Check-that-shmat-does-not-break-proc-self-.patch b/meta/recipes-devtools/qemu/qemu/0005-tests-tcg-Check-that-shmat-does-not-break-proc-self-.patch new file mode 100644 index 0000000000..5afb35ea0c --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0005-tests-tcg-Check-that-shmat-does-not-break-proc-self-.patch @@ -0,0 +1,85 @@ +From 1234063488134ad1f541f56dd30caa7896905f06 Mon Sep 17 00:00:00 2001 +From: Ilya Leoshkevich <iii@linux.ibm.com> +Date: Wed, 28 Feb 2024 10:25:18 -1000 +Subject: [PATCH 5/5] tests/tcg: Check that shmat() does not break + /proc/self/maps + +Add a regression test for a recently fixed issue, where shmat() +desynced the guest and the host view of the address space and caused +open("/proc/self/maps") to SEGV. + +Upstream-Status: Submitted [https://www.mail-archive.com/qemu-devel@nongnu.org/msg1026793.html] + +Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com> +Message-Id: <jwyuvao4apydvykmsnvacwshdgy3ixv7qvkh4dbxm3jkwgnttw@k4wpaayou7oq> +Signed-off-by: Richard Henderson <richard.henderson@linaro.org> +Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> +--- + tests/tcg/multiarch/linux/linux-shmat-maps.c | 55 ++++++++++++++++++++ + 1 file changed, 55 insertions(+) + create mode 100644 tests/tcg/multiarch/linux/linux-shmat-maps.c + +diff --git a/tests/tcg/multiarch/linux/linux-shmat-maps.c b/tests/tcg/multiarch/linux/linux-shmat-maps.c +new file mode 100644 +index 000000000..0ccf7a973 +--- /dev/null ++++ b/tests/tcg/multiarch/linux/linux-shmat-maps.c +@@ -0,0 +1,55 @@ ++/* ++ * Test that shmat() does not break /proc/self/maps. ++ * ++ * SPDX-License-Identifier: GPL-2.0-or-later ++ */ ++#include <assert.h> ++#include <fcntl.h> ++#include <stdlib.h> ++#include <sys/ipc.h> ++#include <sys/shm.h> ++#include <unistd.h> ++ ++int main(void) ++{ ++ char buf[128]; ++ int err, fd; ++ int shmid; ++ ssize_t n; ++ void *p; ++ ++ shmid = shmget(IPC_PRIVATE, 1, IPC_CREAT | 0600); ++ assert(shmid != -1); ++ ++ /* ++ * The original bug required a non-NULL address, which skipped the ++ * mmap_find_vma step, which could result in a host mapping smaller ++ * than the target mapping. Choose an address at random. ++ */ ++ p = shmat(shmid, (void *)0x800000, SHM_RND); ++ if (p == (void *)-1) { ++ /* ++ * Because we are now running the testcase for all guests for which ++ * we have a cross-compiler, the above random address might conflict ++ * with the guest executable in some way. Rather than stopping, ++ * continue with a system supplied address, which should never fail. ++ */ ++ p = shmat(shmid, NULL, 0); ++ assert(p != (void *)-1); ++ } ++ ++ fd = open("/proc/self/maps", O_RDONLY); ++ assert(fd != -1); ++ do { ++ n = read(fd, buf, sizeof(buf)); ++ assert(n >= 0); ++ } while (n != 0); ++ close(fd); ++ ++ err = shmdt(p); ++ assert(err == 0); ++ err = shmctl(shmid, IPC_RMID, NULL); ++ assert(err == 0); ++ ++ return EXIT_SUCCESS; ++} +-- +2.34.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0005-vhost-user-gpu-fix-memory-leak-in-virgl_cmd_resource.patch b/meta/recipes-devtools/qemu/qemu/0005-vhost-user-gpu-fix-memory-leak-in-virgl_cmd_resource.patch deleted file mode 100644 index e70f3c02c2..0000000000 --- a/meta/recipes-devtools/qemu/qemu/0005-vhost-user-gpu-fix-memory-leak-in-virgl_cmd_resource.patch +++ /dev/null @@ -1,58 +0,0 @@ -CVE: CVE-2021-3544 -Upstream-Status: Backport -Signed-off-by: Ross Burton <ross.burton@arm.com> - -From f6091d86ba9ea05f4e111b9b42ee0005c37a6779 Mon Sep 17 00:00:00 2001 -From: Li Qiang <liq3ea@163.com> -Date: Sat, 15 May 2021 20:04:00 -0700 -Subject: [PATCH 5/7] vhost-user-gpu: fix memory leak in - 'virgl_cmd_resource_unref' (CVE-2021-3544) -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The 'res->iov' will be leaked if the guest trigger following sequences: - - virgl_cmd_create_resource_2d - virgl_resource_attach_backing - virgl_cmd_resource_unref - -This patch fixes this. - -Fixes: CVE-2021-3544 -Reported-by: Li Qiang <liq3ea@163.com> -virtio-gpu fix: 5e8e3c4c75 ("virtio-gpu: fix resource leak -in virgl_cmd_resource_unref" - -Signed-off-by: Li Qiang <liq3ea@163.com> -Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> -Message-Id: <20210516030403.107723-6-liq3ea@163.com> -Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> ---- - contrib/vhost-user-gpu/virgl.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c -index 6a332d601f..c669d73a1d 100644 ---- a/contrib/vhost-user-gpu/virgl.c -+++ b/contrib/vhost-user-gpu/virgl.c -@@ -108,9 +108,16 @@ virgl_cmd_resource_unref(VuGpu *g, - struct virtio_gpu_ctrl_command *cmd) - { - struct virtio_gpu_resource_unref unref; -+ struct iovec *res_iovs = NULL; -+ int num_iovs = 0; - - VUGPU_FILL_CMD(unref); - -+ virgl_renderer_resource_detach_iov(unref.resource_id, -+ &res_iovs, -+ &num_iovs); -+ g_free(res_iovs); -+ - virgl_renderer_resource_unref(unref.resource_id); - } - --- -2.25.1 - diff --git a/meta/recipes-devtools/qemu/qemu/0006-chardev-connect-socket-to-a-spawned-command.patch b/meta/recipes-devtools/qemu/qemu/0006-chardev-connect-socket-to-a-spawned-command.patch deleted file mode 100644 index 05dc849dad..0000000000 --- a/meta/recipes-devtools/qemu/qemu/0006-chardev-connect-socket-to-a-spawned-command.patch +++ /dev/null @@ -1,243 +0,0 @@ -From bcc63f775e265df69963a4ad7805b8678ace68f0 Mon Sep 17 00:00:00 2001 -From: Alistair Francis <alistair.francis@xilinx.com> -Date: Thu, 21 Dec 2017 11:35:16 -0800 -Subject: [PATCH] chardev: connect socket to a spawned command - -The command is started in a shell (sh -c) with stdin connect to QEMU -via a Unix domain stream socket. QEMU then exchanges data via its own -end of the socket, just like it normally does. - -"-chardev socket" supports some ways of connecting via protocols like -telnet, but that is only a subset of the functionality supported by -tools socat. To use socat instead, for example to connect via a socks -proxy, use: - - -chardev 'socket,id=socat,cmd=exec socat FD:0 SOCKS4A:socks-proxy.localdomain:example.com:9999,,socksuser=nobody' \ - -device usb-serial,chardev=socat - -Beware that commas in the command must be escaped as double commas. - -Or interactively in the console: - (qemu) chardev-add socket,id=cat,cmd=cat - (qemu) device_add usb-serial,chardev=cat - ^ac - # cat >/dev/ttyUSB0 - hello - hello - -Another usage is starting swtpm from inside QEMU. swtpm will -automatically shut down once it looses the connection to the parent -QEMU, so there is no risk of lingering processes: - - -chardev 'socket,id=chrtpm0,cmd=exec swtpm socket --terminate --ctrl type=unixio,,clientfd=0 --tpmstate dir=... --log file=swtpm.log' \ - -tpmdev emulator,id=tpm0,chardev=chrtpm0 \ - -device tpm-tis,tpmdev=tpm0 - -The patch was discussed upstream, but QEMU developers believe that the -code calling QEMU should be responsible for managing additional -processes. In OE-core, that would imply enhancing runqemu and -oeqa. This patch is a simpler solution. - -Because it is not going upstream, the patch was written so that it is -as simple as possible. - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Patrick Ohly <patrick.ohly@intel.com> - ---- - chardev/char-socket.c | 101 ++++++++++++++++++++++++++++++++++++++++++ - chardev/char.c | 3 ++ - qapi/char.json | 5 +++ - 3 files changed, 109 insertions(+) - -Index: qemu-6.0.0/chardev/char-socket.c -=================================================================== ---- qemu-6.0.0.orig/chardev/char-socket.c -+++ qemu-6.0.0/chardev/char-socket.c -@@ -1362,6 +1362,67 @@ static bool qmp_chardev_validate_socket( - return true; - } - -+#ifndef _WIN32 -+static void chardev_open_socket_cmd(Chardev *chr, -+ const char *cmd, -+ Error **errp) -+{ -+ int fds[2] = { -1, -1 }; -+ QIOChannelSocket *sioc = NULL; -+ pid_t pid = -1; -+ const char *argv[] = { "/bin/sh", "-c", cmd, NULL }; -+ -+ /* -+ * We need a Unix domain socket for commands like swtpm and a single -+ * connection, therefore we cannot use qio_channel_command_new_spawn() -+ * without patching it first. Duplicating the functionality is easier. -+ */ -+ if (socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC, 0, fds)) { -+ error_setg_errno(errp, errno, "Error creating socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC)"); -+ goto error; -+ } -+ -+ pid = qemu_fork(errp); -+ if (pid < 0) { -+ goto error; -+ } -+ -+ if (!pid) { -+ /* child */ -+ dup2(fds[1], STDIN_FILENO); -+ execv(argv[0], (char * const *)argv); -+ _exit(1); -+ } -+ -+ /* -+ * Hand over our end of the socket pair to the qio channel. -+ * -+ * We don't reap the child because it is expected to keep -+ * running. We also don't support the "reconnect" option for the -+ * same reason. -+ */ -+ sioc = qio_channel_socket_new_fd(fds[0], errp); -+ if (!sioc) { -+ goto error; -+ } -+ fds[0] = -1; -+ -+ g_free(chr->filename); -+ chr->filename = g_strdup_printf("cmd:%s", cmd); -+ tcp_chr_new_client(chr, sioc); -+ -+ error: -+ if (fds[0] >= 0) { -+ close(fds[0]); -+ } -+ if (fds[1] >= 0) { -+ close(fds[1]); -+ } -+ if (sioc) { -+ object_unref(OBJECT(sioc)); -+ } -+} -+#endif - - static void qmp_chardev_open_socket(Chardev *chr, - ChardevBackend *backend, -@@ -1370,6 +1431,9 @@ static void qmp_chardev_open_socket(Char - { - SocketChardev *s = SOCKET_CHARDEV(chr); - ChardevSocket *sock = backend->u.socket.data; -+#ifndef _WIN32 -+ const char *cmd = sock->cmd; -+#endif - bool do_nodelay = sock->has_nodelay ? sock->nodelay : false; - bool is_listen = sock->has_server ? sock->server : true; - bool is_telnet = sock->has_telnet ? sock->telnet : false; -@@ -1446,6 +1510,14 @@ static void qmp_chardev_open_socket(Char - - update_disconnected_filename(s); - -+#ifndef _WIN32 -+ if (cmd) { -+ chardev_open_socket_cmd(chr, cmd, errp); -+ -+ /* everything ready (or failed permanently) before we return */ -+ *be_opened = true; -+ } else -+#endif - if (s->is_listen) { - if (qmp_chardev_open_socket_server(chr, is_telnet || is_tn3270, - is_waitconnect, errp) < 0) { -@@ -1465,6 +1537,9 @@ static void qemu_chr_parse_socket(QemuOp - const char *host = qemu_opt_get(opts, "host"); - const char *port = qemu_opt_get(opts, "port"); - const char *fd = qemu_opt_get(opts, "fd"); -+#ifndef _WIN32 -+ const char *cmd = qemu_opt_get(opts, "cmd"); -+#endif - #ifdef CONFIG_LINUX - bool tight = qemu_opt_get_bool(opts, "tight", true); - bool abstract = qemu_opt_get_bool(opts, "abstract", false); -@@ -1472,6 +1547,20 @@ static void qemu_chr_parse_socket(QemuOp - SocketAddressLegacy *addr; - ChardevSocket *sock; - -+#ifndef _WIN32 -+ if (cmd) { -+ /* -+ * Here we have to ensure that no options are set which are incompatible with -+ * spawning a command, otherwise unmodified code that doesn't know about -+ * command spawning (like socket_reconnect_timeout()) might get called. -+ */ -+ if (path || sock->server || sock->has_telnet || sock->has_tn3270 || sock->reconnect || host || port || sock->tls_creds) { -+ error_setg(errp, "chardev: socket: cmd does not support any additional options"); -+ return; -+ } -+ } else -+#endif -+ - if ((!!path + !!fd + !!host) != 1) { - error_setg(errp, - "Exactly one of 'path', 'fd' or 'host' required"); -@@ -1522,13 +1611,24 @@ static void qemu_chr_parse_socket(QemuOp - sock->tls_creds = g_strdup(qemu_opt_get(opts, "tls-creds")); - sock->has_tls_authz = qemu_opt_get(opts, "tls-authz"); - sock->tls_authz = g_strdup(qemu_opt_get(opts, "tls-authz")); -+#ifndef _WIN32 -+ sock->cmd = g_strdup(cmd); -+#endif - - addr = g_new0(SocketAddressLegacy, 1); -+#ifndef _WIN32 -+ if (path || cmd) { -+#else - if (path) { -+#endif - UnixSocketAddress *q_unix; - addr->type = SOCKET_ADDRESS_LEGACY_KIND_UNIX; - q_unix = addr->u.q_unix.data = g_new0(UnixSocketAddress, 1); -+#ifndef _WIN32 -+ q_unix->path = cmd ? g_strdup_printf("cmd:%s", cmd) : g_strdup(path); -+#else - q_unix->path = g_strdup(path); -+#endif - #ifdef CONFIG_LINUX - q_unix->has_tight = true; - q_unix->tight = tight; -Index: qemu-6.0.0/chardev/char.c -=================================================================== ---- qemu-6.0.0.orig/chardev/char.c -+++ qemu-6.0.0/chardev/char.c -@@ -840,6 +840,9 @@ QemuOptsList qemu_chardev_opts = { - .name = "path", - .type = QEMU_OPT_STRING, - },{ -+ .name = "cmd", -+ .type = QEMU_OPT_STRING, -+ },{ - .name = "host", - .type = QEMU_OPT_STRING, - },{ -Index: qemu-6.0.0/qapi/char.json -=================================================================== ---- qemu-6.0.0.orig/qapi/char.json -+++ qemu-6.0.0/qapi/char.json -@@ -250,6 +250,10 @@ - # - # @addr: socket address to listen on (server=true) - # or connect to (server=false) -+# @cmd: command to run via "sh -c" with stdin as one end of -+# a AF_UNIX SOCK_DSTREAM socket pair. The other end -+# is used by the chardev. Either an addr or a cmd can -+# be specified, but not both. - # @tls-creds: the ID of the TLS credentials object (since 2.6) - # @tls-authz: the ID of the QAuthZ authorization object against which - # the client's x509 distinguished name will be validated. This -@@ -276,6 +280,7 @@ - ## - { 'struct': 'ChardevSocket', - 'data': { 'addr': 'SocketAddressLegacy', -+ '*cmd': 'str', - '*tls-creds': 'str', - '*tls-authz' : 'str', - '*server': 'bool', diff --git a/meta/recipes-devtools/qemu/qemu/mmap2.patch b/meta/recipes-devtools/qemu/qemu/0006-qemu-Add-some-user-space-mmap-tweaks-to-address-musl.patch index e115473b70..5d1d7c6881 100644 --- a/meta/recipes-devtools/qemu/qemu/mmap2.patch +++ b/meta/recipes-devtools/qemu/qemu/0006-qemu-Add-some-user-space-mmap-tweaks-to-address-musl.patch @@ -1,3 +1,9 @@ +From 375cae3dd6151ef33cae8f243f6a2c2da6c0c356 Mon Sep 17 00:00:00 2001 +From: Richard Purdie <richard.purdie@linuxfoundation.org> +Date: Fri, 8 Jan 2021 17:27:06 +0000 +Subject: [PATCH 06/12] qemu: Add some user space mmap tweaks to address musl + 32 bit + When using qemu-i386 to build qemux86 webkitgtk on musl, it sits in an infinite loop of mremap calls of ever decreasing/increasing addresses. @@ -13,11 +19,15 @@ rather than ENOMEM so adjust the other part of the test to this. Upstream-Status: Submitted [https://lists.gnu.org/archive/html/qemu-devel/2021-01/msg01355.html] Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org -Index: qemu-6.0.0/linux-user/mmap.c +--- + linux-user/mmap.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +Index: qemu-8.0.0/linux-user/mmap.c =================================================================== ---- qemu-6.0.0.orig/linux-user/mmap.c -+++ qemu-6.0.0/linux-user/mmap.c -@@ -733,12 +733,16 @@ abi_long target_mremap(abi_ulong old_add +--- qemu-8.0.0.orig/linux-user/mmap.c ++++ qemu-8.0.0/linux-user/mmap.c +@@ -776,12 +776,16 @@ abi_long target_mremap(abi_ulong old_add int prot; void *host_addr; diff --git a/meta/recipes-devtools/qemu/qemu/0006-vhost-user-gpu-fix-memory-leak-in-virgl_resource_att.patch b/meta/recipes-devtools/qemu/qemu/0006-vhost-user-gpu-fix-memory-leak-in-virgl_resource_att.patch deleted file mode 100644 index 5efb87ca33..0000000000 --- a/meta/recipes-devtools/qemu/qemu/0006-vhost-user-gpu-fix-memory-leak-in-virgl_resource_att.patch +++ /dev/null @@ -1,49 +0,0 @@ -CVE: CVE-2021-3544 -Upstream-Status: Backport -Signed-off-by: Ross Burton <ross.burton@arm.com> - -From 63736af5a6571d9def93769431e0d7e38c6677bf Mon Sep 17 00:00:00 2001 -From: Li Qiang <liq3ea@163.com> -Date: Sat, 15 May 2021 20:04:01 -0700 -Subject: [PATCH 6/7] vhost-user-gpu: fix memory leak in - 'virgl_resource_attach_backing' (CVE-2021-3544) -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -If 'virgl_renderer_resource_attach_iov' failed, the 'res_iovs' will -be leaked. - -Fixes: CVE-2021-3544 -Reported-by: Li Qiang <liq3ea@163.com> -virtio-gpu fix: 33243031da ("virtio-gpu-3d: fix memory leak -in resource attach backing") - -Signed-off-by: Li Qiang <liq3ea@163.com> -Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> -Message-Id: <20210516030403.107723-7-liq3ea@163.com> -Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> ---- - contrib/vhost-user-gpu/virgl.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c -index c669d73a1d..a16a311d80 100644 ---- a/contrib/vhost-user-gpu/virgl.c -+++ b/contrib/vhost-user-gpu/virgl.c -@@ -287,8 +287,11 @@ virgl_resource_attach_backing(VuGpu *g, - return; - } - -- virgl_renderer_resource_attach_iov(att_rb.resource_id, -+ ret = virgl_renderer_resource_attach_iov(att_rb.resource_id, - res_iovs, att_rb.nr_entries); -+ if (ret != 0) { -+ g_free(res_iovs); -+ } - } - - static void --- -2.25.1 - diff --git a/meta/recipes-devtools/qemu/qemu/determinism.patch b/meta/recipes-devtools/qemu/qemu/0007-qemu-Determinism-fixes.patch index 330a31204d..d3f965e070 100644 --- a/meta/recipes-devtools/qemu/qemu/determinism.patch +++ b/meta/recipes-devtools/qemu/qemu/0007-qemu-Determinism-fixes.patch @@ -1,4 +1,9 @@ -When sources are included within debug information, a couple of areas of the +From 50bab5c2605b609ea7ea154f57a9be96d656725a Mon Sep 17 00:00:00 2001 +From: Richard Purdie <richard.purdie@linuxfoundation.org> +Date: Mon, 1 Mar 2021 13:00:47 +0000 +Subject: [PATCH 07/12] qemu: Determinism fixes + +When sources are included within debug information, a couple of areas of the qemu build are not reproducible due to either full buildpaths or timestamps. Replace the full paths with relative ones. I couldn't figure out how to get @@ -7,11 +12,15 @@ meson to pass relative paths but we can fix that in the script. Upstream-Status: Pending [some version of all/part of this may be accepted] RP 2021/3/1 -Index: qemu-6.0.0/scripts/decodetree.py +--- + scripts/decodetree.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: qemu-8.0.0/scripts/decodetree.py =================================================================== ---- qemu-6.0.0.orig/scripts/decodetree.py -+++ qemu-6.0.0/scripts/decodetree.py -@@ -1304,7 +1304,7 @@ def main(): +--- qemu-8.0.0.orig/scripts/decodetree.py ++++ qemu-8.0.0/scripts/decodetree.py +@@ -1328,7 +1328,7 @@ def main(): toppat = ExcMultiPattern(0) for filename in args: diff --git a/meta/recipes-devtools/qemu/qemu/0007-vhost-user-gpu-fix-OOB-write-in-virgl_cmd_get_capset.patch b/meta/recipes-devtools/qemu/qemu/0007-vhost-user-gpu-fix-OOB-write-in-virgl_cmd_get_capset.patch deleted file mode 100644 index 33e6a66193..0000000000 --- a/meta/recipes-devtools/qemu/qemu/0007-vhost-user-gpu-fix-OOB-write-in-virgl_cmd_get_capset.patch +++ /dev/null @@ -1,49 +0,0 @@ -CVE: CVE-2021-3546 -Upstream-Status: Backport -Signed-off-by: Ross Burton <ross.burton@arm.com> - -From 9f22893adcb02580aee5968f32baa2cd109b3ec2 Mon Sep 17 00:00:00 2001 -From: Li Qiang <liq3ea@163.com> -Date: Sat, 15 May 2021 20:04:02 -0700 -Subject: [PATCH 7/7] vhost-user-gpu: fix OOB write in 'virgl_cmd_get_capset' - (CVE-2021-3546) -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -If 'virgl_cmd_get_capset' set 'max_size' to 0, -the 'virgl_renderer_fill_caps' will write the data after the 'resp'. -This patch avoid this by checking the returned 'max_size'. - -virtio-gpu fix: abd7f08b23 ("display: virtio-gpu-3d: check -virgl capabilities max_size") - -Fixes: CVE-2021-3546 -Reported-by: Li Qiang <liq3ea@163.com> -Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org> -Signed-off-by: Li Qiang <liq3ea@163.com> -Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> -Message-Id: <20210516030403.107723-8-liq3ea@163.com> -Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> ---- - contrib/vhost-user-gpu/virgl.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c -index a16a311d80..7172104b19 100644 ---- a/contrib/vhost-user-gpu/virgl.c -+++ b/contrib/vhost-user-gpu/virgl.c -@@ -177,6 +177,10 @@ virgl_cmd_get_capset(VuGpu *g, - - virgl_renderer_get_cap_set(gc.capset_id, &max_ver, - &max_size); -+ if (!max_size) { -+ cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER; -+ return; -+ } - resp = g_malloc0(sizeof(*resp) + max_size); - - resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET; --- -2.25.1 - diff --git a/meta/recipes-devtools/qemu/qemu/0008-tests-meson.build-use-relative-path-to-refer-to-file.patch b/meta/recipes-devtools/qemu/qemu/0008-tests-meson.build-use-relative-path-to-refer-to-file.patch new file mode 100644 index 0000000000..a84364ccc1 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0008-tests-meson.build-use-relative-path-to-refer-to-file.patch @@ -0,0 +1,41 @@ +From 2bf9388b801d4389e2d57e95a7897bfc1c42786e Mon Sep 17 00:00:00 2001 +From: Changqing Li <changqing.li@windriver.com> +Date: Thu, 14 Jan 2021 06:33:04 +0000 +Subject: [PATCH 08/12] tests/meson.build: use relative path to refer to files + +Fix error like: +Fatal error: can't create tests/ptimer-test.p/..._qemu-5.2.0_hw_core_ptimer.c.o: File name too long + +when build path is too long, use meson.source_root() will make this +filename too long. Fixed by using relative path to refer to files + +Upstream-Status: Submitted [send to qemu-devel] + +Signed-off-by: Changqing Li <changqing.li@windriver.com> + +--- + tests/unit/meson.build | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +Index: qemu-8.0.0/tests/unit/meson.build +=================================================================== +--- qemu-8.0.0.orig/tests/unit/meson.build ++++ qemu-8.0.0/tests/unit/meson.build +@@ -46,7 +46,7 @@ tests = { + 'test-keyval': [testqapi], + 'test-logging': [], + 'test-uuid': [], +- 'ptimer-test': ['ptimer-test-stubs.c', meson.project_source_root() / 'hw/core/ptimer.c'], ++ 'ptimer-test': ['ptimer-test-stubs.c', '../../hw/core/ptimer.c'], + 'test-qapi-util': [], + 'test-interval-tree': [], + 'test-xs-node': [qom], +@@ -136,7 +136,7 @@ if have_system + 'test-util-sockets': ['socket-helpers.c'], + 'test-base64': [], + 'test-bufferiszero': [], +- 'test-smp-parse': [qom, meson.project_source_root() / 'hw/core/machine-smp.c'], ++ 'test-smp-parse': [qom, '../../hw/core/machine-smp.c'], + 'test-vmstate': [migration, io], + 'test-yank': ['socket-helpers.c', qom, io, chardev] + } diff --git a/meta/recipes-devtools/qemu/qemu/0009-Define-MAP_SYNC-and-MAP_SHARED_VALIDATE-on-needed-li.patch b/meta/recipes-devtools/qemu/qemu/0009-Define-MAP_SYNC-and-MAP_SHARED_VALIDATE-on-needed-li.patch new file mode 100644 index 0000000000..4de6cc2445 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0009-Define-MAP_SYNC-and-MAP_SHARED_VALIDATE-on-needed-li.patch @@ -0,0 +1,46 @@ +From ebf4bb2f51da83af0c61480414cfa156f7308b34 Mon Sep 17 00:00:00 2001 +From: Khem Raj <raj.khem@gmail.com> +Date: Mon, 21 Mar 2022 10:09:38 -0700 +Subject: [PATCH 09/12] Define MAP_SYNC and MAP_SHARED_VALIDATE on needed linux + systems + +linux only wires MAP_SYNC and MAP_SHARED_VALIDATE for architectures +which include asm-generic/mman.h and mips/powerpc are not including this +file in linux/mman.h, therefore these should be defined for such +architectures on Linux as well. This fixes build on mips/musl/linux + +Upstream-Status: Submitted [https://lists.nongnu.org/archive/html/qemu-devel/2022-03/msg05298.html] +Signed-off-by: Khem Raj <raj.khem@gmail.com> +Cc: Zhang Yi <yi.z.zhang@linux.intel.com> +Cc: Michael S. Tsirkin <mst@redhat.com> + +--- + util/mmap-alloc.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +Index: qemu-8.0.0/util/mmap-alloc.c +=================================================================== +--- qemu-8.0.0.orig/util/mmap-alloc.c ++++ qemu-8.0.0/util/mmap-alloc.c +@@ -10,14 +10,18 @@ + * later. See the COPYING file in the top-level directory. + */ + ++#include "qemu/osdep.h" + #ifdef CONFIG_LINUX + #include <linux/mman.h> +-#else /* !CONFIG_LINUX */ ++#endif /* CONFIG_LINUX */ ++ ++#ifndef MAP_SYNC + #define MAP_SYNC 0x0 ++#endif /* MAP_SYNC */ ++#ifndef MAP_SHARED_VALIDATE + #define MAP_SHARED_VALIDATE 0x0 +-#endif /* CONFIG_LINUX */ ++#endif /* MAP_SHARED_VALIDATE */ + +-#include "qemu/osdep.h" + #include "qemu/mmap-alloc.h" + #include "qemu/host-utils.h" + #include "qemu/cutils.h" diff --git a/meta/recipes-devtools/qemu/qemu/0010-configure-Add-pkg-config-handling-for-libgcrypt.patch b/meta/recipes-devtools/qemu/qemu/0010-configure-Add-pkg-config-handling-for-libgcrypt.patch deleted file mode 100644 index cc6a5fe754..0000000000 --- a/meta/recipes-devtools/qemu/qemu/0010-configure-Add-pkg-config-handling-for-libgcrypt.patch +++ /dev/null @@ -1,84 +0,0 @@ -From c207607cdf3996ad9783c3bffbcd3d65e74c0158 Mon Sep 17 00:00:00 2001 -From: He Zhe <zhe.he@windriver.com> -Date: Wed, 28 Aug 2019 19:56:28 +0800 -Subject: [PATCH] configure: Add pkg-config handling for libgcrypt - -libgcrypt may also be controlled by pkg-config, this patch adds pkg-config -handling for libgcrypt. - -Upstream-Status: Denied [https://lists.nongnu.org/archive/html/qemu-devel/2019-08/msg06333.html] - -Signed-off-by: He Zhe <zhe.he@windriver.com> - ---- - configure | 48 ++++++++++++++++++++++++++++++++++++++++-------- - 1 file changed, 40 insertions(+), 8 deletions(-) - -Index: qemu-6.0.0/configure -=================================================================== ---- qemu-6.0.0.orig/configure -+++ qemu-6.0.0/configure -@@ -2847,6 +2847,30 @@ has_libgcrypt() { - return 0 - } - -+has_libgcrypt_pkgconfig() { -+ if ! has $pkg_config ; then -+ return 1 -+ fi -+ -+ if ! $pkg_config --list-all | grep libgcrypt > /dev/null 2>&1 ; then -+ return 1 -+ fi -+ -+ if test -n "$cross_prefix" ; then -+ host=$($pkg_config --variable=host libgcrypt) -+ if test "${host%-gnu}-" != "${cross_prefix%-gnu}" ; then -+ print_error "host($host) does not match cross_prefix($cross_prefix)" -+ return 1 -+ fi -+ fi -+ -+ if ! $pkg_config --atleast-version=1.5.0 libgcrypt ; then -+ print_error "libgcrypt version is $($pkg_config --modversion libgcrypt)" -+ return 1 -+ fi -+ -+ return 0 -+} - - if test "$nettle" != "no"; then - pass="no" -@@ -2885,7 +2909,14 @@ fi - - if test "$gcrypt" != "no"; then - pass="no" -- if has_libgcrypt; then -+ if has_libgcrypt_pkgconfig; then -+ gcrypt_cflags=$($pkg_config --cflags libgcrypt) -+ if test "$static" = "yes" ; then -+ gcrypt_libs=$($pkg_config --libs --static libgcrypt) -+ else -+ gcrypt_libs=$($pkg_config --libs libgcrypt) -+ fi -+ elif has_libgcrypt; then - gcrypt_cflags=$(libgcrypt-config --cflags) - gcrypt_libs=$(libgcrypt-config --libs) - # Debian has removed -lgpg-error from libgcrypt-config -@@ -2895,12 +2926,12 @@ if test "$gcrypt" != "no"; then - then - gcrypt_libs="$gcrypt_libs -lgpg-error" - fi -+ fi - -- # Link test to make sure the given libraries work (e.g for static). -- write_c_skeleton -- if compile_prog "" "$gcrypt_libs" ; then -+ # Link test to make sure the given libraries work (e.g for static). -+ write_c_skeleton -+ if compile_prog "" "$gcrypt_libs" ; then - pass="yes" -- fi - fi - if test "$pass" = "yes"; then - gcrypt="yes" diff --git a/meta/recipes-devtools/qemu/qemu/0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch b/meta/recipes-devtools/qemu/qemu/0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch new file mode 100644 index 0000000000..6caf35b634 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch @@ -0,0 +1,40 @@ +CVE: CVE-2022-1050 +Upstream-Status: Submitted [https://lore.kernel.org/qemu-devel/20220403095234.2210-1-yuval.shaia.ml@gmail.com/] +Signed-off-by: Ross Burton <ross.burton@arm.com> + +From dbdef95c272e8f3ec037c3db4197c66002e30995 Mon Sep 17 00:00:00 2001 +From: Yuval Shaia <yuval.shaia.ml@gmail.com> +Date: Sun, 3 Apr 2022 12:52:34 +0300 +Subject: [PATCH] hw/pvrdma: Protect against buggy or malicious guest driver + +Guest driver might execute HW commands when shared buffers are not yet +allocated. +This could happen on purpose (malicious guest) or because of some other +guest/host address mapping error. +We need to protect againts such case. + +Fixes: CVE-2022-1050 + +Reported-by: Raven <wxhusst@gmail.com> +Signed-off-by: Yuval Shaia <yuval.shaia.ml@gmail.com> +--- + hw/rdma/vmw/pvrdma_cmd.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +Index: qemu-8.0.0/hw/rdma/vmw/pvrdma_cmd.c +=================================================================== +--- qemu-8.0.0.orig/hw/rdma/vmw/pvrdma_cmd.c ++++ qemu-8.0.0/hw/rdma/vmw/pvrdma_cmd.c +@@ -782,6 +782,12 @@ int pvrdma_exec_cmd(PVRDMADev *dev) + goto out; + } + ++ if (!dsr_info->dsr) { ++ /* Buggy or malicious guest driver */ ++ rdma_error_report("Exec command without dsr, req or rsp buffers"); ++ goto out; ++ } ++ + if (dsr_info->req->hdr.cmd >= sizeof(cmd_handlers) / + sizeof(struct cmd_handler)) { + rdma_error_report("Unsupported command"); diff --git a/meta/recipes-devtools/qemu/qemu/0011-linux-user-workaround-for-missing-MAP_FIXED_NOREPLAC.patch b/meta/recipes-devtools/qemu/qemu/0011-linux-user-workaround-for-missing-MAP_FIXED_NOREPLAC.patch new file mode 100644 index 0000000000..cc53b1eedd --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0011-linux-user-workaround-for-missing-MAP_FIXED_NOREPLAC.patch @@ -0,0 +1,282 @@ +From fa9bcabe2387bb230ef82d62827ad6f93b8a1e61 Mon Sep 17 00:00:00 2001 +From: Frederic Konrad <fkonrad@amd.com> +Date: Wed, 17 Jan 2024 18:15:06 +0000 +Subject: [PATCH 1/2] linux-user/*: workaround for missing MAP_FIXED_NOREPLACE + +QEMU v8.1.0 recently requires MAP_FIXED_NOREPLACE flags implementation for mmap. + +This is missing from ubuntu 18.04, thus this patch catches the mmap calls which +could use that new flag and forwards them to mmap when MAP_FIXED_NOREPLACE +flag isn't set or emulates them by checking the returned address w.r.t the +requested address. + +Signed-off-by: Frederic Konrad <fkonrad@amd.com> +Signed-off-by: Francisco Iglesias <francisco.iglesias@amd.com> + +Upstream-Status: Inappropriate [OE specific] + +The upstream only supports the last two major releases of an OS. The ones +they have declared all have kernel 4.17 or newer. + +See: +https://xilinx.slack.com/archives/D04G2647CTV/p1705074697942019 + +https://www.qemu.org/docs/master/about/build-platforms.html + + The project aims to support the most recent major version at all times for up + to five years after its initial release. Support for the previous major + version will be dropped 2 years after the new major version is released or + when the vendor itself drops support, whichever comes first. + +Signed-off-by: Mark Hatle <mark.hatle@amd.com> +--- + linux-user/elfload.c | 7 +++-- + linux-user/meson.build | 1 + + linux-user/mmap-fixed.c | 63 +++++++++++++++++++++++++++++++++++++++++ + linux-user/mmap-fixed.h | 39 +++++++++++++++++++++++++ + linux-user/mmap.c | 31 +++++++++++--------- + linux-user/syscall.c | 1 + + 6 files changed, 125 insertions(+), 17 deletions(-) + create mode 100644 linux-user/mmap-fixed.c + create mode 100644 linux-user/mmap-fixed.h + +Index: qemu-8.2.1/linux-user/elfload.c +=================================================================== +--- qemu-8.2.1.orig/linux-user/elfload.c ++++ qemu-8.2.1/linux-user/elfload.c +@@ -22,6 +22,7 @@ + #include "qemu/error-report.h" + #include "target_signal.h" + #include "accel/tcg/debuginfo.h" ++#include "mmap-fixed.h" + + #ifdef TARGET_ARM + #include "target/arm/cpu-features.h" +@@ -2765,9 +2766,9 @@ static abi_ulong create_elf_tables(abi_u + static int pgb_try_mmap(uintptr_t addr, uintptr_t addr_last, bool keep) + { + size_t size = addr_last - addr + 1; +- void *p = mmap((void *)addr, size, PROT_NONE, +- MAP_ANONYMOUS | MAP_PRIVATE | +- MAP_NORESERVE | MAP_FIXED_NOREPLACE, -1, 0); ++ void *p = mmap_fixed_noreplace((void *)addr, size, PROT_NONE, ++ MAP_ANONYMOUS | MAP_PRIVATE | ++ MAP_NORESERVE | MAP_FIXED_NOREPLACE, -1, 0); + int ret; + + if (p == MAP_FAILED) { +Index: qemu-8.2.1/linux-user/meson.build +=================================================================== +--- qemu-8.2.1.orig/linux-user/meson.build ++++ qemu-8.2.1/linux-user/meson.build +@@ -14,6 +14,7 @@ linux_user_ss.add(files( + 'linuxload.c', + 'main.c', + 'mmap.c', ++ 'mmap-fixed.c', + 'signal.c', + 'strace.c', + 'syscall.c', +Index: qemu-8.2.1/linux-user/mmap-fixed.c +=================================================================== +--- /dev/null ++++ qemu-8.2.1/linux-user/mmap-fixed.c +@@ -0,0 +1,63 @@ ++/* ++ * Workaround for MAP_FIXED_NOREPLACE ++ * ++ * Copyright (c) 2024, Advanced Micro Devices, Inc. ++ * Developed by Fred Konrad <fkonrad@amd.com> ++ * ++ * Permission is hereby granted, free of charge, to any person obtaining a copy ++ * of this software and associated documentation files (the "Software"), to deal ++ * in the Software without restriction, including without limitation the rights ++ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell ++ * copies of the Software, and to permit persons to whom the Software is ++ * furnished to do so, subject to the following conditions: ++ * ++ * The above copyright notice and this permission notice shall be included in ++ * all copies or substantial portions of the Software. ++ * ++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR ++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, ++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL ++ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER ++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, ++ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN ++ * THE SOFTWARE. ++ */ ++ ++#include <sys/mman.h> ++#include <errno.h> ++ ++#ifndef MAP_FIXED_NOREPLACE ++#include "mmap-fixed.h" ++ ++void *mmap_fixed_noreplace(void *addr, size_t len, int prot, int flags, ++ int fd, off_t offset) ++{ ++ void *retaddr; ++ ++ if (!(flags & MAP_FIXED_NOREPLACE)) { ++ /* General case, use the regular mmap. */ ++ return mmap(addr, len, prot, flags, fd, offset); ++ } ++ ++ /* Since MAP_FIXED_NOREPLACE is not implemented, try to emulate it. */ ++ flags = flags & ~(MAP_FIXED_NOREPLACE | MAP_FIXED); ++ retaddr = mmap(addr, len, prot, flags, fd, offset); ++ if ((retaddr == addr) || (retaddr == MAP_FAILED)) { ++ /* ++ * Either the map worked and we get the good address so it can be ++ * returned, or it failed and would have failed the same with ++ * MAP_FIXED*, in which case return MAP_FAILED. ++ */ ++ return retaddr; ++ } else { ++ /* ++ * Page has been mapped but not at the requested address.. unmap it and ++ * return EEXIST. ++ */ ++ munmap(retaddr, len); ++ errno = EEXIST; ++ return MAP_FAILED; ++ } ++} ++ ++#endif +Index: qemu-8.2.1/linux-user/mmap-fixed.h +=================================================================== +--- /dev/null ++++ qemu-8.2.1/linux-user/mmap-fixed.h +@@ -0,0 +1,39 @@ ++/* ++ * Workaround for MAP_FIXED_NOREPLACE ++ * ++ * Copyright (c) 2024, Advanced Micro Devices, Inc. ++ * Developed by Fred Konrad <fkonrad@amd.com> ++ * ++ * Permission is hereby granted, free of charge, to any person obtaining a copy ++ * of this software and associated documentation files (the "Software"), to deal ++ * in the Software without restriction, including without limitation the rights ++ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell ++ * copies of the Software, and to permit persons to whom the Software is ++ * furnished to do so, subject to the following conditions: ++ * ++ * The above copyright notice and this permission notice shall be included in ++ * all copies or substantial portions of the Software. ++ * ++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR ++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, ++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL ++ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER ++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, ++ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN ++ * THE SOFTWARE. ++ */ ++ ++#ifndef MMAP_FIXED_H ++#define MMAP_FIXED_H ++ ++#ifndef MAP_FIXED_NOREPLACE ++#define MAP_FIXED_NOREPLACE 0x100000 ++ ++void *mmap_fixed_noreplace(void *addr, size_t len, int prot, int flags, ++ int fd, off_t offset); ++ ++#else /* MAP_FIXED_NOREPLACE */ ++#define mmap_fixed_noreplace mmap ++#endif /* MAP_FIXED_NOREPLACE */ ++ ++#endif /* MMAP_FIXED_H */ +Index: qemu-8.2.1/linux-user/mmap.c +=================================================================== +--- qemu-8.2.1.orig/linux-user/mmap.c ++++ qemu-8.2.1/linux-user/mmap.c +@@ -25,6 +25,7 @@ + #include "user-mmap.h" + #include "target_mman.h" + #include "qemu/interval-tree.h" ++#include "mmap-fixed.h" + + #ifdef TARGET_ARM + #include "target/arm/cpu-features.h" +@@ -273,7 +274,7 @@ int target_mprotect(abi_ulong start, abi + static int do_munmap(void *addr, size_t len) + { + if (reserved_va) { +- void *ptr = mmap(addr, len, PROT_NONE, ++ void *ptr = mmap_fixed_noreplace(addr, len, PROT_NONE, + MAP_FIXED | MAP_ANONYMOUS + | MAP_PRIVATE | MAP_NORESERVE, -1, 0); + return ptr == addr ? 0 : -1; +@@ -319,9 +320,9 @@ static bool mmap_frag(abi_ulong real_sta + * outside of the fragment we need to map. Allocate a new host + * page to cover, discarding whatever else may have been present. + */ +- void *p = mmap(host_start, qemu_host_page_size, +- target_to_host_prot(prot), +- flags | MAP_ANONYMOUS, -1, 0); ++ void *p = mmap_fixed_noreplace(host_start, qemu_host_page_size, ++ target_to_host_prot(prot), ++ flags | MAP_ANONYMOUS, -1, 0); + if (p != host_start) { + if (p != MAP_FAILED) { + munmap(p, qemu_host_page_size); +@@ -420,8 +421,9 @@ abi_ulong mmap_find_vma(abi_ulong start, + * - mremap() with MREMAP_FIXED flag + * - shmat() with SHM_REMAP flag + */ +- ptr = mmap(g2h_untagged(addr), size, PROT_NONE, +- MAP_ANONYMOUS | MAP_PRIVATE | MAP_NORESERVE, -1, 0); ++ ptr = mmap_fixed_noreplace(g2h_untagged(addr), size, PROT_NONE, ++ MAP_ANONYMOUS | MAP_PRIVATE | MAP_NORESERVE, ++ -1, 0); + + /* ENOMEM, if host address space has no memory */ + if (ptr == MAP_FAILED) { +@@ -615,16 +617,16 @@ abi_long target_mmap(abi_ulong start, ab + * especially important if qemu_host_page_size > + * qemu_real_host_page_size. + */ +- p = mmap(g2h_untagged(start), host_len, host_prot, +- flags | MAP_FIXED | MAP_ANONYMOUS, -1, 0); ++ p = mmap_fixed_noreplace(g2h_untagged(start), host_len, host_prot, ++ flags | MAP_FIXED | MAP_ANONYMOUS, -1, 0); + if (p == MAP_FAILED) { + goto fail; + } + /* update start so that it points to the file position at 'offset' */ + host_start = (uintptr_t)p; + if (!(flags & MAP_ANONYMOUS)) { +- p = mmap(g2h_untagged(start), len, host_prot, +- flags | MAP_FIXED, fd, host_offset); ++ p = mmap_fixed_noreplace(g2h_untagged(start), len, host_prot, ++ flags | MAP_FIXED, fd, host_offset); + if (p == MAP_FAILED) { + munmap(g2h_untagged(start), host_len); + goto fail; +@@ -749,8 +751,9 @@ abi_long target_mmap(abi_ulong start, ab + len1 = real_last - real_start + 1; + want_p = g2h_untagged(real_start); + +- p = mmap(want_p, len1, target_to_host_prot(target_prot), +- flags, fd, offset1); ++ p = mmap_fixed_noreplace(want_p, len1, ++ target_to_host_prot(target_prot), ++ flags, fd, offset1); + if (p != want_p) { + if (p != MAP_FAILED) { + munmap(p, len1); +Index: qemu-8.2.1/linux-user/syscall.c +=================================================================== +--- qemu-8.2.1.orig/linux-user/syscall.c ++++ qemu-8.2.1/linux-user/syscall.c +@@ -145,6 +145,7 @@ + #include "qapi/error.h" + #include "fd-trans.h" + #include "cpu_loop-common.h" ++#include "mmap-fixed.h" + + #ifndef CLONE_IO + #define CLONE_IO 0x80000000 /* Clone io context */ diff --git a/meta/recipes-devtools/qemu/qemu/0012-linux-user-workaround-for-missing-MAP_SHARED_VALIDAT.patch b/meta/recipes-devtools/qemu/qemu/0012-linux-user-workaround-for-missing-MAP_SHARED_VALIDAT.patch new file mode 100644 index 0000000000..48034a4680 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0012-linux-user-workaround-for-missing-MAP_SHARED_VALIDAT.patch @@ -0,0 +1,51 @@ +From 5c73e53997df800a742f9cd7355f3045861984bb Mon Sep 17 00:00:00 2001 +From: Frederic Konrad <fkonrad@amd.com> +Date: Thu, 18 Jan 2024 10:43:44 +0000 +Subject: [PATCH 2/2] linux-user/*: workaround for missing MAP_SHARED_VALIDATE + +QEMU v8.1.0 recently requires MAP_SHARED_VALIDATE flags implementation for mmap. + +This is missing from the Ubuntu 18.04 compiler but looks like to be in the +kernel source. + +Signed-off-by: Frederic Konrad <fkonrad@amd.com> +Signed-off-by: Francisco Iglesias <francisco.iglesias@amd.com> + +Upstream-Status: Inappropriate [OE specific] + +The upstream only supports the last two major releases of an OS. The ones +they have declared all have kernel 4.17 or newer. + +See: +https://xilinx.slack.com/archives/D04G2647CTV/p1705074697942019 + +https://www.qemu.org/docs/master/about/build-platforms.html + + The project aims to support the most recent major version at all times for up + to five years after its initial release. Support for the previous major + version will be dropped 2 years after the new major version is released or + when the vendor itself drops support, whichever comes first. + +Signed-off-by: Mark Hatle <mark.hatle@amd.com> +--- + linux-user/mmap-fixed.h | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/linux-user/mmap-fixed.h b/linux-user/mmap-fixed.h +index ef6eef5114..ec86586c1f 100644 +--- a/linux-user/mmap-fixed.h ++++ b/linux-user/mmap-fixed.h +@@ -26,6 +26,10 @@ + #ifndef MMAP_FIXED_H + #define MMAP_FIXED_H + ++#ifndef MAP_SHARED_VALIDATE ++#define MAP_SHARED_VALIDATE 0x03 ++#endif ++ + #ifndef MAP_FIXED_NOREPLACE + #define MAP_FIXED_NOREPLACE 0x100000 + +-- +2.34.1 + diff --git a/meta/recipes-devtools/qemu/qemu/4a8579ad8629b57a43daa62e46cc7af6e1078116.patch b/meta/recipes-devtools/qemu/qemu/4a8579ad8629b57a43daa62e46cc7af6e1078116.patch new file mode 100644 index 0000000000..5ad859ebe6 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/4a8579ad8629b57a43daa62e46cc7af6e1078116.patch @@ -0,0 +1,60 @@ +From 4a8579ad8629b57a43daa62e46cc7af6e1078116 Mon Sep 17 00:00:00 2001 +From: Richard Henderson <richard.henderson@linaro.org> +Date: Tue, 13 Feb 2024 10:20:27 -1000 +Subject: [PATCH] linux-user: Split out do_munmap +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Upstream-Status: Submitted [https://gitlab.com/rth7680/qemu/-/commit/4a8579ad8629b57a43daa62e46cc7af6e1078116] + +Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> +Signed-off-by: Richard Henderson <richard.henderson@linaro.org> +--- + linux-user/mmap.c | 23 ++++++++++++++++------- + 1 file changed, 16 insertions(+), 7 deletions(-) + +diff --git a/linux-user/mmap.c b/linux-user/mmap.c +index 1bbfeb25b14..8ebcca44444 100644 +--- a/linux-user/mmap.c ++++ b/linux-user/mmap.c +@@ -267,6 +267,21 @@ int target_mprotect(abi_ulong start, abi_ulong len, int target_prot) + return ret; + } + ++/* ++ * Perform munmap on behalf of the target, with host parameters. ++ * If reserved_va, we must replace the memory reservation. ++ */ ++static int do_munmap(void *addr, size_t len) ++{ ++ if (reserved_va) { ++ void *ptr = mmap(addr, len, PROT_NONE, ++ MAP_FIXED | MAP_ANONYMOUS ++ | MAP_PRIVATE | MAP_NORESERVE, -1, 0); ++ return ptr == addr ? 0 : -1; ++ } ++ return munmap(addr, len); ++} ++ + /* map an incomplete host page */ + static bool mmap_frag(abi_ulong real_start, abi_ulong start, abi_ulong last, + int prot, int flags, int fd, off_t offset) +@@ -854,13 +869,7 @@ static int mmap_reserve_or_unmap(abi_ulong start, abi_ulong len) + real_len = real_last - real_start + 1; + host_start = g2h_untagged(real_start); + +- if (reserved_va) { +- void *ptr = mmap(host_start, real_len, PROT_NONE, +- MAP_FIXED | MAP_ANONYMOUS +- | MAP_PRIVATE | MAP_NORESERVE, -1, 0); +- return ptr == host_start ? 0 : -1; +- } +- return munmap(host_start, real_len); ++ return do_munmap(host_start, real_len); + } + + int target_munmap(abi_ulong start, abi_ulong len) +-- +GitLab + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-1.patch deleted file mode 100644 index 77a5385692..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-1.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 05a40b172e4d691371534828078be47e7fff524c Mon Sep 17 00:00:00 2001 -From: Gerd Hoffmann <kraxel@redhat.com> -Date: Mon, 3 May 2021 15:29:15 +0200 -Subject: [PATCH] usb: limit combined packets to 1 MiB (CVE-2021-3527) - -usb-host and usb-redirect try to batch bulk transfers by combining many -small usb packets into a single, large transfer request, to reduce the -overhead and improve performance. - -This patch adds a size limit of 1 MiB for those combined packets to -restrict the host resources the guest can bind that way. - -Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> -Message-Id: <20210503132915.2335822-6-kraxel@redhat.com> - -Upstream-Status: Backport -https://gitlab.com/qemu-project/qemu/-/commit/05a40b172e4d691371534828078be47e7fff524c -CVE: CVE-2021-3527 -Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> - ---- - hw/usb/combined-packet.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/hw/usb/combined-packet.c b/hw/usb/combined-packet.c -index 5d57e883dc..e56802f89a 100644 ---- a/hw/usb/combined-packet.c -+++ b/hw/usb/combined-packet.c -@@ -171,7 +171,9 @@ void usb_ep_combine_input_packets(USBEndpoint *ep) - if ((p->iov.size % ep->max_packet_size) != 0 || !p->short_not_ok || - next == NULL || - /* Work around for Linux usbfs bulk splitting + migration */ -- (totalsize == (16 * KiB - 36) && p->int_req)) { -+ (totalsize == (16 * KiB - 36) && p->int_req) || -+ /* Next package may grow combined package over 1MiB */ -+ totalsize > 1 * MiB - ep->max_packet_size) { - usb_device_handle_data(ep->dev, first); - assert(first->status == USB_RET_ASYNC); - if (first->combined) { --- -GitLab - diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-2.patch deleted file mode 100644 index 6371aced12..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-2.patch +++ /dev/null @@ -1,59 +0,0 @@ -From 7ec54f9eb62b5d177e30eb8b1cad795a5f8d8986 Mon Sep 17 00:00:00 2001 -From: Gerd Hoffmann <kraxel@redhat.com> -Date: Mon, 3 May 2021 15:29:12 +0200 -Subject: [PATCH] usb/redir: avoid dynamic stack allocation (CVE-2021-3527) -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Use autofree heap allocation instead. - -Fixes: 4f4321c11ff ("usb: use iovecs in USBPacket") -Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> -Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> -Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com> -Message-Id: <20210503132915.2335822-3-kraxel@redhat.com> - -Upstream-Status: Backport -https://gitlab.com/qemu-project/qemu/-/commit/7ec54f9eb62b5d177e30eb8b1cad795a5f8d8986 -CVE: CVE-2021-3527 -Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> - ---- - hw/usb/redirect.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c -index 17f06f3417..6a75b0dc4a 100644 ---- a/hw/usb/redirect.c -+++ b/hw/usb/redirect.c -@@ -620,7 +620,7 @@ static void usbredir_handle_iso_data(USBRedirDevice *dev, USBPacket *p, - .endpoint = ep, - .length = p->iov.size - }; -- uint8_t buf[p->iov.size]; -+ g_autofree uint8_t *buf = g_malloc(p->iov.size); - /* No id, we look at the ep when receiving a status back */ - usb_packet_copy(p, buf, p->iov.size); - usbredirparser_send_iso_packet(dev->parser, 0, &iso_packet, -@@ -818,7 +818,7 @@ static void usbredir_handle_bulk_data(USBRedirDevice *dev, USBPacket *p, - usbredirparser_send_bulk_packet(dev->parser, p->id, - &bulk_packet, NULL, 0); - } else { -- uint8_t buf[size]; -+ g_autofree uint8_t *buf = g_malloc(size); - usb_packet_copy(p, buf, size); - usbredir_log_data(dev, "bulk data out:", buf, size); - usbredirparser_send_bulk_packet(dev->parser, p->id, -@@ -923,7 +923,7 @@ static void usbredir_handle_interrupt_out_data(USBRedirDevice *dev, - USBPacket *p, uint8_t ep) - { - struct usb_redir_interrupt_packet_header interrupt_packet; -- uint8_t buf[p->iov.size]; -+ g_autofree uint8_t *buf = g_malloc(p->iov.size); - - DPRINTF("interrupt-out ep %02X len %zd id %"PRIu64"\n", ep, - p->iov.size, p->id); --- -GitLab - diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-6683.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-6683.patch new file mode 100644 index 0000000000..732cb6af18 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-6683.patch @@ -0,0 +1,91 @@ +From 405484b29f6548c7b86549b0f961b906337aa68a Mon Sep 17 00:00:00 2001 +From: Fiona Ebner <f.ebner@proxmox.com> +Date: Wed, 24 Jan 2024 11:57:48 +0100 +Subject: [PATCH] ui/clipboard: mark type as not available when there is no + data +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +With VNC, a client can send a non-extended VNC_MSG_CLIENT_CUT_TEXT +message with len=0. In qemu_clipboard_set_data(), the clipboard info +will be updated setting data to NULL (because g_memdup(data, size) +returns NULL when size is 0). If the client does not set the +VNC_ENCODING_CLIPBOARD_EXT feature when setting up the encodings, then +the 'request' callback for the clipboard peer is not initialized. +Later, because data is NULL, qemu_clipboard_request() can be reached +via vdagent_chr_write() and vdagent_clipboard_recv_request() and +there, the clipboard owner's 'request' callback will be attempted to +be called, but that is a NULL pointer. + +In particular, this can happen when using the KRDC (22.12.3) VNC +client. + +Another scenario leading to the same issue is with two clients (say +noVNC and KRDC): + +The noVNC client sets the extension VNC_FEATURE_CLIPBOARD_EXT and +initializes its cbpeer. + +The KRDC client does not, but triggers a vnc_client_cut_text() (note +it's not the _ext variant)). There, a new clipboard info with it as +the 'owner' is created and via qemu_clipboard_set_data() is called, +which in turn calls qemu_clipboard_update() with that info. + +In qemu_clipboard_update(), the notifier for the noVNC client will be +called, i.e. vnc_clipboard_notify() and also set vs->cbinfo for the +noVNC client. The 'owner' in that clipboard info is the clipboard peer +for the KRDC client, which did not initialize the 'request' function. +That sounds correct to me, it is the owner of that clipboard info. + +Then when noVNC sends a VNC_MSG_CLIENT_CUT_TEXT message (it did set +the VNC_FEATURE_CLIPBOARD_EXT feature correctly, so a check for it +passes), that clipboard info is passed to qemu_clipboard_request() and +the original segfault still happens. + +Fix the issue by handling updates with size 0 differently. In +particular, mark in the clipboard info that the type is not available. + +While at it, switch to g_memdup2(), because g_memdup() is deprecated. + +Cc: qemu-stable@nongnu.org +Fixes: CVE-2023-6683 +Reported-by: Markus Frank <m.frank@proxmox.com> +Suggested-by: Marc-André Lureau <marcandre.lureau@redhat.com> +Signed-off-by: Fiona Ebner <f.ebner@proxmox.com> +Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> +Tested-by: Markus Frank <m.frank@proxmox.com> +Message-ID: <20240124105749.204610-1-f.ebner@proxmox.com> + +CVE: CVE-2023-6683 + +Upstream-Status: Backport [https://github.com/qemu/qemu/commit/405484b29f6548c7b86549b0f961b906337aa68a] +Signed-off-by: Simone Weiß <simone.p.weiss@posteo.com> + +--- + ui/clipboard.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/ui/clipboard.c b/ui/clipboard.c +index 3d14bffaf80f..b3f6fa3c9e1f 100644 +--- a/ui/clipboard.c ++++ b/ui/clipboard.c +@@ -163,9 +163,15 @@ void qemu_clipboard_set_data(QemuClipboardPeer *peer, + } + + g_free(info->types[type].data); +- info->types[type].data = g_memdup(data, size); +- info->types[type].size = size; +- info->types[type].available = true; ++ if (size) { ++ info->types[type].data = g_memdup2(data, size); ++ info->types[type].size = size; ++ info->types[type].available = true; ++ } else { ++ info->types[type].data = NULL; ++ info->types[type].size = 0; ++ info->types[type].available = false; ++ } + + if (update) { + qemu_clipboard_update(info); diff --git a/meta/recipes-devtools/qemu/qemu/cross.patch b/meta/recipes-devtools/qemu/qemu/cross.patch deleted file mode 100644 index a0fc39e5e2..0000000000 --- a/meta/recipes-devtools/qemu/qemu/cross.patch +++ /dev/null @@ -1,30 +0,0 @@ -We need to be able to trigger configure's cross code but we don't want -to set cross_prefix as it does other things we don't want. Patch things -so we can do what we need in the target config case. - -Upstream-Status: Inappropriate [may be rewritten in a way upstream may accept?] -Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> - - -Index: qemu-6.0.0/configure -=================================================================== ---- qemu-6.0.0.orig/configure -+++ qemu-6.0.0/configure -@@ -6371,7 +6371,6 @@ if has $sdl2_config; then - fi - echo "strip = [$(meson_quote $strip)]" >> $cross - echo "windres = [$(meson_quote $windres)]" >> $cross --if test "$cross_compile" = "yes"; then - cross_arg="--cross-file config-meson.cross" - echo "[host_machine]" >> $cross - if test "$mingw32" = "yes" ; then -@@ -6403,9 +6402,6 @@ if test "$cross_compile" = "yes"; then - else - echo "endian = 'little'" >> $cross - fi --else -- cross_arg="--native-file config-meson.cross" --fi - mv $cross config-meson.cross - - rm -rf meson-private meson-info meson-logs diff --git a/meta/recipes-devtools/qemu/qemu/fixedmeson.patch b/meta/recipes-devtools/qemu/qemu/fixedmeson.patch new file mode 100644 index 0000000000..9047f66dc3 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/fixedmeson.patch @@ -0,0 +1,20 @@ +Upstream-Status: Inappropriate [workaround, would need a real fix for upstream] + +Index: qemu-8.2.0/configure +=================================================================== +--- qemu-8.2.0.orig/configure ++++ qemu-8.2.0/configure +@@ -955,12 +955,7 @@ fi + $mkvenv ensuregroup --dir "${source_path}/python/wheels" \ + ${source_path}/pythondeps.toml meson || exit 1 + +-# At this point, we expect Meson to be installed and available. +-# We expect mkvenv or pip to have created pyvenv/bin/meson for us. +-# We ignore PATH completely here: we want to use the venv's Meson +-# *exclusively*. +- +-meson="$(cd pyvenv/bin; pwd)/meson" ++meson=`which meson` + + # Conditionally ensure Sphinx is installed. + diff --git a/meta/recipes-devtools/qemu/qemu/no-pip.patch b/meta/recipes-devtools/qemu/qemu/no-pip.patch new file mode 100644 index 0000000000..92b2edbe9f --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/no-pip.patch @@ -0,0 +1,45 @@ +qemu: Ensure pip and the python venv aren't used for meson + +Qemu wants to use a supported python version and a specific meson version +to "help" users and uses pip and creates a venv to do this. This is a nightmare +for us. Our versions stay up to date and should be supported so we don't +really need/want this wrapping. Tweak things to disable it. + +There was breakage from the wrapper shown by: + +bitbake qemu-system-native +<add DISTRO_FEATURES:remove = "opengl" to local.conf> +bitbake qemu-system-native -c configure + +which would crash. The issue is the change in configuration removes pieces +from the sysroot but pyc files remainm as do pieces of pip which causes +problems. + +Ideally we'd convince upstream to allow some way to disable the venv on +the understanding that if/when it breaks, we keep the pieces. The patch +as it stands is a workaround. + +Upstream-Status: Inappropriate [oe specific] +Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> + +Index: qemu-8.2.0/configure +=================================================================== +--- qemu-8.2.0.orig/configure ++++ qemu-8.2.0/configure +@@ -937,7 +937,7 @@ python="$(command -v "$python")" + echo "python determined to be '$python'" + echo "python version: $($python --version)" + +-python="$($python -B "${source_path}/python/scripts/mkvenv.py" create pyvenv)" ++python=python3 + if test "$?" -ne 0 ; then + error_exit "python venv creation failed" + fi +@@ -945,6 +945,7 @@ fi + # Suppress writing compiled files + python="$python -B" + mkvenv="$python ${source_path}/python/scripts/mkvenv.py" ++mkvenv=true + + # Finish preparing the virtual environment using vendored .whl files + diff --git a/meta/recipes-devtools/qemu/qemu/qemu-guest-agent.init b/meta/recipes-devtools/qemu/qemu/qemu-guest-agent.init new file mode 100644 index 0000000000..5ebaaddeae --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/qemu-guest-agent.init @@ -0,0 +1,75 @@ +# SPDX-License-Identifier: GPL-2.0-only +# Initially written by: Michael Tokarev <mjt@tls.msk.ru> +# For QEMU Debian downstream package + +set -e + +. /etc/init.d/functions + +PATH=/sbin:/usr/sbin:/bin:/usr/bin +DESC="QEMU Guest Agent" +NAME=qemu-ga +DAEMON=@bindir@/$NAME +PIDFILE=/var/run/$NAME.pid + +# config +DAEMON_ARGS="" +# default transport +TRANSPORT=virtio-serial:/dev/virtio-ports/org.qemu.guest_agent.0 +NO_START=0 + +test ! -r /etc/default/qemu-guest-agent || . /etc/default/qemu-guest-agent +test "$NO_START" = "0" || exit 0 +test -x "$DAEMON" || exit 0 + +# +# Function that checks whenever system has necessary environment +# It also splits $TRANSPORT into $method and $path +# +do_check_transport() { + method=${TRANSPORT%%:*}; + path=${TRANSPORT#*:} + case "$method" in + virtio-serial | isa-serial) + if [ ! -e "$path" ]; then + echo "$NAME: transport endpoint not found, not starting" + return 1 + fi + ;; + esac +} + +case "$1" in + start) + do_check_transport || exit 0 + echo -n "Starting $DESC: " + start-stop-daemon -S -p $PIDFILE -x "$DAEMON" -- \ + $DAEMON_ARGS -d -m "$method" -p "$path" + echo "$NAME." + ;; + stop) + echo -n "Stopping $DESC: " + start-stop-daemon -K -x "$DAEMON" -p $PIDFILE + echo "$NAME." + ;; + status) + status "$DAEMON" + exit $? + ;; + restart|force-reload) + do_check_transport || exit 0 + echo -n "Restarting $DESC: " + start-stop-daemon -K -x "$DAEMON" -p $PIDFILE + sleep 1 + start-stop-daemon -S -p $PIDFILE -x "$DAEMON" -- \ + $DAEMON_ARGS -d -m "$method" -p "$path" + echo "$NAME." + ;; + *) + N=/etc/init.d/$NAME + echo "Usage: $N {start|stop|status|restart|force-reload}" >&2 + exit 1 + ;; +esac + +exit 0 diff --git a/meta/recipes-devtools/qemu/qemu/qemu-guest-agent.udev b/meta/recipes-devtools/qemu/qemu/qemu-guest-agent.udev new file mode 100644 index 0000000000..47097057e3 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/qemu-guest-agent.udev @@ -0,0 +1,2 @@ +SUBSYSTEM=="virtio-ports", ATTR{name}=="org.qemu.guest_agent.0", \ + TAG+="systemd", ENV{SYSTEMD_WANTS}="qemu-guest-agent.service" |