17 files changed, 823 insertions, 0 deletions

diff --git a/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/0001-net-tulip-Restrict-DMA-engine-to-memories.patch b/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/0001-net-tulip-Restrict-DMA-engine-to-memories.patch
new file mode 100644
index 00000000..6c85a77b
--- /dev/null
+++ b/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/0001-net-tulip-Restrict-DMA-engine-to-memories.patch
@@ -0,0 +1,64 @@
+CVE: CVE-2022-2962
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+From 5c5c50b0a73d78ffe18336c9996fef5eae9bbbb0 Mon Sep 17 00:00:00 2001
+From: Zheyu Ma <zheyuma97@gmail.com>
+Date: Sun, 21 Aug 2022 20:43:43 +0800
+Subject: [PATCH] net: tulip: Restrict DMA engine to memories
+
+The DMA engine is started by I/O access and then itself accesses the
+I/O registers, triggering a reentrancy bug.
+
+The following log can reveal it:
+==5637==ERROR: AddressSanitizer: stack-overflow
+    #0 0x5595435f6078 in tulip_xmit_list_update qemu/hw/net/tulip.c:673
+    #1 0x5595435f204a in tulip_write qemu/hw/net/tulip.c:805:13
+    #2 0x559544637f86 in memory_region_write_accessor qemu/softmmu/memory.c:492:5
+    #3 0x5595446379fa in access_with_adjusted_size qemu/softmmu/memory.c:554:18
+    #4 0x5595446372fa in memory_region_dispatch_write qemu/softmmu/memory.c
+    #5 0x55954468b74c in flatview_write_continue qemu/softmmu/physmem.c:2825:23
+    #6 0x559544683662 in flatview_write qemu/softmmu/physmem.c:2867:12
+    #7 0x5595446833f3 in address_space_write qemu/softmmu/physmem.c:2963:18
+    #8 0x5595435fb082 in dma_memory_rw_relaxed qemu/include/sysemu/dma.h:87:12
+    #9 0x5595435fb082 in dma_memory_rw qemu/include/sysemu/dma.h:130:12
+    #10 0x5595435fb082 in dma_memory_write qemu/include/sysemu/dma.h:171:12
+    #11 0x5595435fb082 in stl_le_dma qemu/include/sysemu/dma.h:272:1
+    #12 0x5595435fb082 in stl_le_pci_dma qemu/include/hw/pci/pci.h:910:1
+    #13 0x5595435fb082 in tulip_desc_write qemu/hw/net/tulip.c:101:9
+    #14 0x5595435f7e3d in tulip_xmit_list_update qemu/hw/net/tulip.c:706:9
+    #15 0x5595435f204a in tulip_write qemu/hw/net/tulip.c:805:13
+
+Fix this bug by restricting the DMA engine to memories regions.
+
+Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+---
+ hw/net/tulip.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/hw/net/tulip.c b/hw/net/tulip.c
+index 097e905bec..b9e42c322a 100644
+--- a/hw/net/tulip.c
++++ b/hw/net/tulip.c
+@@ -70,7 +70,7 @@ static const VMStateDescription vmstate_pci_tulip = {
+ static void tulip_desc_read(TULIPState *s, hwaddr p,
+         struct tulip_descriptor *desc)
+ {
+-    const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
++    const MemTxAttrs attrs = { .memory = true };
+ 
+     if (s->csr[0] & CSR0_DBO) {
+         ldl_be_pci_dma(&s->dev, p, &desc->status, attrs);
+@@ -88,7 +88,7 @@ static void tulip_desc_read(TULIPState *s, hwaddr p,
+ static void tulip_desc_write(TULIPState *s, hwaddr p,
+         struct tulip_descriptor *desc)
+ {
+-    const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
++    const MemTxAttrs attrs = { .memory = true };
+ 
+     if (s->csr[0] & CSR0_DBO) {
+         stl_be_pci_dma(&s->dev, p, desc->status, attrs);
+-- 
+2.34.1
+
diff --git a/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/0001-qemu-Add-addition-environment-space-to-boot-loader-q.patch b/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/0001-qemu-Add-addition-environment-space-to-boot-loader-q.patch
new file mode 100644
index 00000000..6fb160e6
--- /dev/null
+++ b/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/0001-qemu-Add-addition-environment-space-to-boot-loader-q.patch
@@ -0,0 +1,36 @@
+From de64af82950a6908f9407dfc92b83c17e2af3eab Mon Sep 17 00:00:00 2001
+From: Jason Wessel <jason.wessel@windriver.com>
+Date: Fri, 28 Mar 2014 17:42:43 +0800
+Subject: [PATCH 01/12] qemu: Add addition environment space to boot loader
+ qemu-system-mips
+
+Upstream-Status: Inappropriate - OE uses deep paths
+
+If you create a project with very long directory names like 128 characters
+deep and use NFS, the kernel arguments will be truncated. The kernel will
+accept longer strings such as 1024 bytes, but the qemu boot loader defaulted
+to only 256 bytes. This patch expands the limit.
+
+Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
+Signed-off-by: Roy Li <rongqing.li@windriver.com>
+
+---
+ hw/mips/malta.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/mips/malta.c b/hw/mips/malta.c
+index 628851172..12d37f35d 100644
+--- a/hw/mips/malta.c
++++ b/hw/mips/malta.c
+@@ -61,7 +61,7 @@
+ #define ENVP_PADDR          0x2000
+ #define ENVP_VADDR          cpu_mips_phys_to_kseg0(NULL, ENVP_PADDR)
+ #define ENVP_NB_ENTRIES     16
+-#define ENVP_ENTRY_SIZE     256
++#define ENVP_ENTRY_SIZE     1024
+ 
+ /* Hardware addresses */
+ #define FLASH_ADDRESS       0x1e000000ULL
+-- 
+2.30.2
+
diff --git a/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/0002-chardev-connect-socket-to-a-spawned-command.patch b/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/0002-chardev-connect-socket-to-a-spawned-command.patch
new file mode 100644
index 00000000..63a99c96
--- /dev/null
+++ b/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/0002-chardev-connect-socket-to-a-spawned-command.patch
@@ -0,0 +1,246 @@
+From 14cd62607c9de232edf0a9b8503bd02783e03411 Mon Sep 17 00:00:00 2001
+From: Alistair Francis <alistair.francis@xilinx.com>
+Date: Thu, 21 Dec 2017 11:35:16 -0800
+Subject: [PATCH 02/12] chardev: connect socket to a spawned command
+
+The command is started in a shell (sh -c) with stdin connect to QEMU
+via a Unix domain stream socket. QEMU then exchanges data via its own
+end of the socket, just like it normally does.
+
+"-chardev socket" supports some ways of connecting via protocols like
+telnet, but that is only a subset of the functionality supported by
+tools socat. To use socat instead, for example to connect via a socks
+proxy, use:
+
+  -chardev 'socket,id=socat,cmd=exec socat FD:0 SOCKS4A:socks-proxy.localdomain:example.com:9999,,socksuser=nobody' \
+  -device usb-serial,chardev=socat
+
+Beware that commas in the command must be escaped as double commas.
+
+Or interactively in the console:
+   (qemu) chardev-add socket,id=cat,cmd=cat
+   (qemu) device_add usb-serial,chardev=cat
+   ^ac
+   # cat >/dev/ttyUSB0
+   hello
+   hello
+
+Another usage is starting swtpm from inside QEMU. swtpm will
+automatically shut down once it looses the connection to the parent
+QEMU, so there is no risk of lingering processes:
+
+  -chardev 'socket,id=chrtpm0,cmd=exec swtpm socket --terminate --ctrl type=unixio,,clientfd=0 --tpmstate dir=... --log file=swtpm.log' \
+  -tpmdev emulator,id=tpm0,chardev=chrtpm0 \
+  -device tpm-tis,tpmdev=tpm0
+
+The patch was discussed upstream, but QEMU developers believe that the
+code calling QEMU should be responsible for managing additional
+processes. In OE-core, that would imply enhancing runqemu and
+oeqa. This patch is a simpler solution.
+
+Because it is not going upstream, the patch was written so that it is
+as simple as possible.
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
+
+---
+ chardev/char-socket.c | 100 ++++++++++++++++++++++++++++++++++++++++++
+ chardev/char.c        |   3 ++
+ qapi/char.json        |   5 +++
+ 3 files changed, 108 insertions(+)
+
+diff --git a/chardev/char-socket.c b/chardev/char-socket.c
+index fab2d791d..c79641f24 100644
+--- a/chardev/char-socket.c
++++ b/chardev/char-socket.c
+@@ -1315,6 +1315,67 @@ static bool qmp_chardev_validate_socket(ChardevSocket *sock,
+     return true;
+ }
+ 
++#ifndef _WIN32
++static void chardev_open_socket_cmd(Chardev *chr,
++                                    const char *cmd,
++                                    Error **errp)
++{
++    int fds[2] = { -1, -1 };
++    QIOChannelSocket *sioc = NULL;
++    pid_t pid = -1;
++    const char *argv[] = { "/bin/sh", "-c", cmd, NULL };
++
++    /*
++     * We need a Unix domain socket for commands like swtpm and a single
++     * connection, therefore we cannot use qio_channel_command_new_spawn()
++     * without patching it first. Duplicating the functionality is easier.
++     */
++    if (socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC, 0, fds)) {
++        error_setg_errno(errp, errno, "Error creating socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC)");
++        goto error;
++    }
++
++    pid = qemu_fork(errp);
++    if (pid < 0) {
++        goto error;
++    }
++
++    if (!pid) {
++        /* child */
++        dup2(fds[1], STDIN_FILENO);
++        execv(argv[0], (char * const *)argv);
++        _exit(1);
++    }
++
++    /*
++     * Hand over our end of the socket pair to the qio channel.
++     *
++     * We don't reap the child because it is expected to keep
++     * running. We also don't support the "reconnect" option for the
++     * same reason.
++     */
++    sioc = qio_channel_socket_new_fd(fds[0], errp);
++    if (!sioc) {
++        goto error;
++    }
++    fds[0] = -1;
++
++    g_free(chr->filename);
++    chr->filename = g_strdup_printf("cmd:%s", cmd);
++    tcp_chr_new_client(chr, sioc);
++
++ error:
++    if (fds[0] >= 0) {
++        close(fds[0]);
++    }
++    if (fds[1] >= 0) {
++        close(fds[1]);
++    }
++    if (sioc) {
++        object_unref(OBJECT(sioc));
++    }
++}
++#endif
+ 
+ static void qmp_chardev_open_socket(Chardev *chr,
+                                     ChardevBackend *backend,
+@@ -1323,6 +1384,9 @@ static void qmp_chardev_open_socket(Chardev *chr,
+ {
+     SocketChardev *s = SOCKET_CHARDEV(chr);
+     ChardevSocket *sock = backend->u.socket.data;
++#ifndef _WIN32
++    const char *cmd     = sock->cmd;
++#endif
+     bool do_nodelay     = sock->has_nodelay ? sock->nodelay : false;
+     bool is_listen      = sock->has_server  ? sock->server  : true;
+     bool is_telnet      = sock->has_telnet  ? sock->telnet  : false;
+@@ -1393,6 +1457,14 @@ static void qmp_chardev_open_socket(Chardev *chr,
+ 
+     update_disconnected_filename(s);
+ 
++#ifndef _WIN32
++    if (cmd) {
++        chardev_open_socket_cmd(chr, cmd, errp);
++
++        /* everything ready (or failed permanently) before we return */
++        *be_opened = true;
++    } else
++#endif
+     if (s->is_listen) {
+         if (qmp_chardev_open_socket_server(chr, is_telnet || is_tn3270,
+                                            is_waitconnect, errp) < 0) {
+@@ -1412,6 +1484,9 @@ static void qemu_chr_parse_socket(QemuOpts *opts, ChardevBackend *backend,
+     const char *host = qemu_opt_get(opts, "host");
+     const char *port = qemu_opt_get(opts, "port");
+     const char *fd = qemu_opt_get(opts, "fd");
++#ifndef _WIN32
++    const char *cmd = qemu_opt_get(opts, "cmd");
++#endif
+ #ifdef CONFIG_LINUX
+     bool tight = qemu_opt_get_bool(opts, "tight", true);
+     bool abstract = qemu_opt_get_bool(opts, "abstract", false);
+@@ -1419,6 +1494,20 @@ static void qemu_chr_parse_socket(QemuOpts *opts, ChardevBackend *backend,
+     SocketAddressLegacy *addr;
+     ChardevSocket *sock;
+ 
++#ifndef _WIN32
++    if (cmd) {
++        /*
++         * Here we have to ensure that no options are set which are incompatible with
++         * spawning a command, otherwise unmodified code that doesn't know about
++         * command spawning (like socket_reconnect_timeout()) might get called.
++         */
++        if (path || sock->server || sock->has_telnet || sock->has_tn3270 || sock->reconnect || host || port || sock->tls_creds) {
++            error_setg(errp, "chardev: socket: cmd does not support any additional options");
++            return;
++        }
++    } else
++#endif
++
+     if ((!!path + !!fd + !!host) > 1) {
+         error_setg(errp,
+                    "None or one of 'path', 'fd' or 'host' option required.");
+@@ -1469,13 +1558,24 @@ static void qemu_chr_parse_socket(QemuOpts *opts, ChardevBackend *backend,
+     sock->tls_creds = g_strdup(qemu_opt_get(opts, "tls-creds"));
+     sock->has_tls_authz = qemu_opt_get(opts, "tls-authz");
+     sock->tls_authz = g_strdup(qemu_opt_get(opts, "tls-authz"));
++#ifndef _WIN32
++    sock->cmd = g_strdup(cmd);
++#endif
+ 
+     addr = g_new0(SocketAddressLegacy, 1);
++#ifndef _WIN32
++    if (path || cmd) {
++#else
+     if (path) {
++#endif
+         UnixSocketAddress *q_unix;
+         addr->type = SOCKET_ADDRESS_TYPE_UNIX;
+         q_unix = addr->u.q_unix.data = g_new0(UnixSocketAddress, 1);
++#ifndef _WIN32
++        q_unix->path = cmd ? g_strdup_printf("cmd:%s", cmd) : g_strdup(path);
++#else
+         q_unix->path = g_strdup(path);
++#endif
+ #ifdef CONFIG_LINUX
+         q_unix->has_tight = true;
+         q_unix->tight = tight;
+diff --git a/chardev/char.c b/chardev/char.c
+index 0169d8dde..ce9a21f41 100644
+--- a/chardev/char.c
++++ b/chardev/char.c
+@@ -835,6 +835,9 @@ QemuOptsList qemu_chardev_opts = {
+         },{
+             .name = "path",
+             .type = QEMU_OPT_STRING,
++        },{
++            .name = "cmd",
++            .type = QEMU_OPT_STRING,
+         },{
+             .name = "host",
+             .type = QEMU_OPT_STRING,
+diff --git a/qapi/char.json b/qapi/char.json
+index 7b4215157..37feabdac 100644
+--- a/qapi/char.json
++++ b/qapi/char.json
+@@ -250,6 +250,10 @@
+ #
+ # @addr: socket address to listen on (server=true)
+ #        or connect to (server=false)
++# @cmd: command to run via "sh -c" with stdin as one end of
++#       a AF_UNIX SOCK_DSTREAM socket pair. The other end
++#       is used by the chardev. Either an addr or a cmd can
++#       be specified, but not both.
+ # @tls-creds: the ID of the TLS credentials object (since 2.6)
+ # @tls-authz: the ID of the QAuthZ authorization object against which
+ #             the client's x509 distinguished name will be validated. This
+@@ -276,6 +280,7 @@
+ ##
+ { 'struct': 'ChardevSocket',
+   'data': { 'addr': 'SocketAddressLegacy',
++            '*cmd': 'str',
+             '*tls-creds': 'str',
+             '*tls-authz'  : 'str',
+             '*server': 'bool',
+-- 
+2.30.2
+
diff --git a/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/0003-apic-fixup-fallthrough-to-PIC.patch b/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/0003-apic-fixup-fallthrough-to-PIC.patch
new file mode 100644
index 00000000..f350ffce
--- /dev/null
+++ b/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/0003-apic-fixup-fallthrough-to-PIC.patch
@@ -0,0 +1,47 @@
+From dc2a8ccd440ee3741b61606eafed3f7e092f4312 Mon Sep 17 00:00:00 2001
+From: Mark Asselstine <mark.asselstine@windriver.com>
+Date: Tue, 26 Feb 2013 11:43:28 -0500
+Subject: [PATCH 03/12] apic: fixup fallthrough to PIC
+
+Commit 0e21e12bb311c4c1095d0269dc2ef81196ccb60a [Don't route PIC
+interrupts through the local APIC if the local APIC config says so.]
+missed a check to ensure the local APIC is enabled. Since if the local
+APIC is disabled it doesn't matter what the local APIC config says.
+
+If this check isn't done and the guest has disabled the local APIC the
+guest will receive a general protection fault, similar to what is seen
+here:
+
+https://lists.gnu.org/archive/html/qemu-devel/2012-12/msg02304.html
+
+The GPF is caused by an attempt to service interrupt 0xffffffff. This
+comes about since cpu_get_pic_interrupt() calls apic_accept_pic_intr()
+(with the local APIC disabled apic_get_interrupt() returns -1).
+apic_accept_pic_intr() returns 0 and thus the interrupt number which
+is returned from cpu_get_pic_interrupt(), and which is attempted to be
+serviced, is -1.
+
+Signed-off-by: Mark Asselstine <mark.asselstine@windriver.com>
+Upstream-Status: Submitted [https://lists.gnu.org/archive/html/qemu-devel/2013-04/msg00878.html]
+Signed-off-by: He Zhe <zhe.he@windriver.com>
+
+---
+ hw/intc/apic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/intc/apic.c b/hw/intc/apic.c
+index 3df11c34d..9506c88ce 100644
+--- a/hw/intc/apic.c
++++ b/hw/intc/apic.c
+@@ -605,7 +605,7 @@ int apic_accept_pic_intr(DeviceState *dev)
+     APICCommonState *s = APIC(dev);
+     uint32_t lvt0;
+ 
+-    if (!s)
++    if (!s || !(s->spurious_vec & APIC_SV_ENABLE))
+         return -1;
+ 
+     lvt0 = s->lvt[APIC_LVT_LINT0];
+-- 
+2.30.2
+
diff --git a/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/0004-configure-Add-pkg-config-handling-for-libgcrypt.patch b/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/0004-configure-Add-pkg-config-handling-for-libgcrypt.patch
new file mode 100644
index 00000000..6faebd4e
--- /dev/null
+++ b/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/0004-configure-Add-pkg-config-handling-for-libgcrypt.patch
@@ -0,0 +1,32 @@
+From d8265abdce5dc2bf74b3fccdf2b7257b4f3894f0 Mon Sep 17 00:00:00 2001
+From: He Zhe <zhe.he@windriver.com>
+Date: Wed, 28 Aug 2019 19:56:28 +0800
+Subject: [PATCH 04/12] configure: Add pkg-config handling for libgcrypt
+
+libgcrypt may also be controlled by pkg-config, this patch adds pkg-config
+handling for libgcrypt.
+
+Upstream-Status: Denied [https://lists.nongnu.org/archive/html/qemu-devel/2019-08/msg06333.html]
+
+Signed-off-by: He Zhe <zhe.he@windriver.com>
+
+---
+ meson.build | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/meson.build b/meson.build
+index 861de93c4..d45ff2d7c 100644
+--- a/meson.build
++++ b/meson.build
+@@ -1063,7 +1063,7 @@ endif
+ if not gnutls_crypto.found()
+   if (not get_option('gcrypt').auto() or have_system) and not get_option('nettle').enabled()
+     gcrypt = dependency('libgcrypt', version: '>=1.8',
+-                        method: 'config-tool',
++                        method: 'pkg-config',
+                         required: get_option('gcrypt'),
+                         kwargs: static_kwargs)
+     # Debian has removed -lgpg-error from libgcrypt-config
+-- 
+2.30.2
+
diff --git a/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/0005-qemu-Do-not-include-file-if-not-exists.patch b/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/0005-qemu-Do-not-include-file-if-not-exists.patch
new file mode 100644
index 00000000..3f3c39f9
--- /dev/null
+++ b/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/0005-qemu-Do-not-include-file-if-not-exists.patch
@@ -0,0 +1,35 @@
+From f39e7bfc5ed07b5ecaeb705c4eae4855ca120d47 Mon Sep 17 00:00:00 2001
+From: Oleksiy Obitotskyy <oobitots@cisco.com>
+Date: Wed, 25 Mar 2020 21:21:35 +0200
+Subject: [PATCH 05/12] qemu: Do not include file if not exists
+
+Script configure checks for if_alg.h and check failed but
+if_alg.h still included.
+
+Upstream-Status: Submitted [https://lists.gnu.org/archive/html/qemu-devel/2020-03/msg07188.html]
+Signed-off-by: Oleksiy Obitotskyy <oobitots@cisco.com>
+
+[update patch context]
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+
+---
+ linux-user/syscall.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/linux-user/syscall.c b/linux-user/syscall.c
+index f65045efe..340e0c6f0 100644
+--- a/linux-user/syscall.c
++++ b/linux-user/syscall.c
+@@ -113,7 +113,9 @@
+ #include <linux/blkpg.h>
+ #include <netpacket/packet.h>
+ #include <linux/netlink.h>
++#if defined(CONFIG_AF_ALG)
+ #include <linux/if_alg.h>
++#endif
+ #include <linux/rtc.h>
+ #include <sound/asound.h>
+ #ifdef HAVE_BTRFS_H
+-- 
+2.30.2
+
diff --git a/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/0006-qemu-Add-some-user-space-mmap-tweaks-to-address-musl.patch b/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/0006-qemu-Add-some-user-space-mmap-tweaks-to-address-musl.patch
new file mode 100644
index 00000000..75c03693
--- /dev/null
+++ b/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/0006-qemu-Add-some-user-space-mmap-tweaks-to-address-musl.patch
@@ -0,0 +1,52 @@
+From 375cae3dd6151ef33cae8f243f6a2c2da6c0c356 Mon Sep 17 00:00:00 2001
+From: Richard Purdie <richard.purdie@linuxfoundation.org>
+Date: Fri, 8 Jan 2021 17:27:06 +0000
+Subject: [PATCH 06/12] qemu: Add some user space mmap tweaks to address musl
+ 32 bit
+
+When using qemu-i386 to build qemux86 webkitgtk on musl, it sits in an
+infinite loop of mremap calls of ever decreasing/increasing addresses.
+
+I suspect something in the musl memory allocation code loops indefinitely
+if it only sees ENOMEM and only exits when it hits EFAULT.
+
+According to the docs, trying to mremap outside the address space
+can/should return EFAULT and changing this allows the build to succeed.
+
+A better return value for the other cases of invalid addresses is EINVAL
+rather than ENOMEM so adjust the other part of the test to this.
+
+Upstream-Status: Submitted [https://lists.gnu.org/archive/html/qemu-devel/2021-01/msg01355.html]
+Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org
+
+---
+ linux-user/mmap.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/linux-user/mmap.c b/linux-user/mmap.c
+index c125031b9..e651834a5 100644
+--- a/linux-user/mmap.c
++++ b/linux-user/mmap.c
+@@ -749,12 +749,16 @@ abi_long target_mremap(abi_ulong old_addr, abi_ulong old_size,
+     int prot;
+     void *host_addr;
+ 
+-    if (!guest_range_valid_untagged(old_addr, old_size) ||
+-        ((flags & MREMAP_FIXED) &&
++    if (!guest_range_valid_untagged(old_addr, old_size)) {
++        errno = EFAULT;
++        return -1;
++    }
++    
++    if (((flags & MREMAP_FIXED) &&
+          !guest_range_valid_untagged(new_addr, new_size)) ||
+         ((flags & MREMAP_MAYMOVE) == 0 &&
+          !guest_range_valid_untagged(old_addr, new_size))) {
+-        errno = ENOMEM;
++        errno = EINVAL;
+         return -1;
+     }
+ 
+-- 
+2.30.2
+
diff --git a/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/0007-qemu-Determinism-fixes.patch b/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/0007-qemu-Determinism-fixes.patch
new file mode 100644
index 00000000..0d7dae36
--- /dev/null
+++ b/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/0007-qemu-Determinism-fixes.patch
@@ -0,0 +1,34 @@
+From 50bab5c2605b609ea7ea154f57a9be96d656725a Mon Sep 17 00:00:00 2001
+From: Richard Purdie <richard.purdie@linuxfoundation.org>
+Date: Mon, 1 Mar 2021 13:00:47 +0000
+Subject: [PATCH 07/12] qemu: Determinism fixes
+
+When sources are included within debug information, a couple of areas of the
+qemu build are not reproducible due to either full buildpaths or timestamps.
+
+Replace the full paths with relative ones. I couldn't figure out how to get
+meson to pass relative paths but we can fix that in the script.
+
+Upstream-Status: Pending [some version of all/part of this may be accepted]
+RP 2021/3/1
+
+---
+ scripts/decodetree.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/scripts/decodetree.py b/scripts/decodetree.py
+index a03dc6b5e..4ea24c1f3 100644
+--- a/scripts/decodetree.py
++++ b/scripts/decodetree.py
+@@ -1328,7 +1328,7 @@ def main():
+     toppat = ExcMultiPattern(0)
+ 
+     for filename in args:
+-        input_file = filename
++        input_file = os.path.relpath(filename)
+         f = open(filename, 'rt', encoding='utf-8')
+         parse_file(f, toppat)
+         f.close()
+-- 
+2.30.2
+
diff --git a/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/0008-tests-meson.build-use-relative-path-to-refer-to-file.patch b/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/0008-tests-meson.build-use-relative-path-to-refer-to-file.patch
new file mode 100644
index 00000000..43d3c7cf
--- /dev/null
+++ b/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/0008-tests-meson.build-use-relative-path-to-refer-to-file.patch
@@ -0,0 +1,38 @@
+From 2bf9388b801d4389e2d57e95a7897bfc1c42786e Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Thu, 14 Jan 2021 06:33:04 +0000
+Subject: [PATCH 08/12] tests/meson.build: use relative path to refer to files
+
+Fix error like:
+Fatal error: can't create tests/ptimer-test.p/..._qemu-5.2.0_hw_core_ptimer.c.o: File name too long
+
+when build path is too long, use meson.source_root() will make this
+filename too long. Fixed by using relative path to refer to files
+
+Upstream-Status: Submitted [send to qemu-devel]
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+
+---
+ tests/unit/meson.build | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tests/unit/meson.build b/tests/unit/meson.build
+index 96b295263..e4c3246dc 100644
+--- a/tests/unit/meson.build
++++ b/tests/unit/meson.build
+@@ -44,9 +44,9 @@ tests = {
+   'test-keyval': [testqapi],
+   'test-logging': [],
+   'test-uuid': [],
+-  'ptimer-test': ['ptimer-test-stubs.c', meson.project_source_root() / 'hw/core/ptimer.c'],
++  'ptimer-test': ['ptimer-test-stubs.c', '../../hw/core/ptimer.c'],
+   'test-qapi-util': [],
+-  'test-smp-parse': [qom, meson.project_source_root() / 'hw/core/machine-smp.c'],
++  'test-smp-parse': [qom, '../../hw/core/machine-smp.c'],
+ }
+ 
+ if have_system or have_tools
+-- 
+2.30.2
+
diff --git a/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/0009-Define-MAP_SYNC-and-MAP_SHARED_VALIDATE-on-needed-li.patch b/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/0009-Define-MAP_SYNC-and-MAP_SHARED_VALIDATE-on-needed-li.patch
new file mode 100644
index 00000000..23d0a698
--- /dev/null
+++ b/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/0009-Define-MAP_SYNC-and-MAP_SHARED_VALIDATE-on-needed-li.patch
@@ -0,0 +1,49 @@
+From ebf4bb2f51da83af0c61480414cfa156f7308b34 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Mon, 21 Mar 2022 10:09:38 -0700
+Subject: [PATCH 09/12] Define MAP_SYNC and MAP_SHARED_VALIDATE on needed linux
+ systems
+
+linux only wires MAP_SYNC and MAP_SHARED_VALIDATE for architectures
+which include asm-generic/mman.h and mips/powerpc are not including this
+file in linux/mman.h, therefore these should be defined for such
+architectures on Linux as well. This fixes build on mips/musl/linux
+
+Upstream-Status: Submitted [https://lists.nongnu.org/archive/html/qemu-devel/2022-03/msg05298.html]
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+Cc: Zhang Yi <yi.z.zhang@linux.intel.com>
+Cc: Michael S. Tsirkin <mst@redhat.com>
+
+---
+ util/mmap-alloc.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/util/mmap-alloc.c b/util/mmap-alloc.c
+index 893d86435..86d3cda24 100644
+--- a/util/mmap-alloc.c
++++ b/util/mmap-alloc.c
+@@ -10,14 +10,18 @@
+  * later.  See the COPYING file in the top-level directory.
+  */
+ 
++#include "qemu/osdep.h"
+ #ifdef CONFIG_LINUX
+ #include <linux/mman.h>
+-#else  /* !CONFIG_LINUX */
++#endif  /* CONFIG_LINUX */
++
++#ifndef MAP_SYNC
+ #define MAP_SYNC              0x0
++#endif /* MAP_SYNC */
++#ifndef MAP_SHARED_VALIDATE
+ #define MAP_SHARED_VALIDATE   0x0
+-#endif /* CONFIG_LINUX */
++#endif /* MAP_SHARED_VALIDATE */
+ 
+-#include "qemu/osdep.h"
+ #include "qemu/mmap-alloc.h"
+ #include "qemu/host-utils.h"
+ #include "qemu/cutils.h"
+-- 
+2.30.2
+
diff --git a/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch b/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch
new file mode 100644
index 00000000..810c74fa
--- /dev/null
+++ b/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch
@@ -0,0 +1,43 @@
+CVE: CVE-2022-1050
+Upstream-Status: Submitted [https://lore.kernel.org/qemu-devel/20220403095234.2210-1-yuval.shaia.ml@gmail.com/]
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+From dbdef95c272e8f3ec037c3db4197c66002e30995 Mon Sep 17 00:00:00 2001
+From: Yuval Shaia <yuval.shaia.ml@gmail.com>
+Date: Sun, 3 Apr 2022 12:52:34 +0300
+Subject: [PATCH] hw/pvrdma: Protect against buggy or malicious guest driver
+
+Guest driver might execute HW commands when shared buffers are not yet
+allocated.
+This could happen on purpose (malicious guest) or because of some other
+guest/host address mapping error.
+We need to protect againts such case.
+
+Fixes: CVE-2022-1050
+
+Reported-by: Raven <wxhusst@gmail.com>
+Signed-off-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
+---
+ hw/rdma/vmw/pvrdma_cmd.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
+index da7ddfa548..89db963c46 100644
+--- a/hw/rdma/vmw/pvrdma_cmd.c
++++ b/hw/rdma/vmw/pvrdma_cmd.c
+@@ -796,6 +796,12 @@ int pvrdma_exec_cmd(PVRDMADev *dev)
+ 
+     dsr_info = &dev->dsr_info;
+ 
++    if (!dsr_info->dsr) {
++            /* Buggy or malicious guest driver */
++            rdma_error_report("Exec command without dsr, req or rsp buffers");
++            goto out;
++    }
++
+     if (dsr_info->req->hdr.cmd >= sizeof(cmd_handlers) /
+                       sizeof(struct cmd_handler)) {
+         rdma_error_report("Unsupported command");
+-- 
+2.34.1
+
diff --git a/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/CVE-2022-3165.patch b/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/CVE-2022-3165.patch
new file mode 100644
index 00000000..3b4a6694
--- /dev/null
+++ b/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/CVE-2022-3165.patch
@@ -0,0 +1,59 @@
+CVE: CVE-2022-3165
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+From d307040b18bfcb1393b910f1bae753d5c12a4dc7 Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella <mcascell@redhat.com>
+Date: Sun, 25 Sep 2022 22:45:11 +0200
+Subject: [PATCH] ui/vnc-clipboard: fix integer underflow in
+ vnc_client_cut_text_ext
+
+Extended ClientCutText messages start with a 4-byte header. If len < 4,
+an integer underflow occurs in vnc_client_cut_text_ext. The result is
+used to decompress data in a while loop in inflate_buffer, leading to
+CPU consumption and denial of service. Prevent this by checking dlen in
+protocol_client_msg.
+
+Fixes: CVE-2022-3165
+Fixes: 0bf41cab93e5 ("ui/vnc: clipboard support")
+Reported-by: TangPeng <tangpeng@qianxin.com>
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Message-Id: <20220925204511.1103214-1-mcascell@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ ui/vnc.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/ui/vnc.c b/ui/vnc.c
+index 6a05d06147..acb3629cd8 100644
+--- a/ui/vnc.c
++++ b/ui/vnc.c
+@@ -2442,8 +2442,8 @@ static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
+         if (len == 1) {
+             return 8;
+         }
++        uint32_t dlen = abs(read_s32(data, 4));
+         if (len == 8) {
+-            uint32_t dlen = abs(read_s32(data, 4));
+             if (dlen > (1 << 20)) {
+                 error_report("vnc: client_cut_text msg payload has %u bytes"
+                              " which exceeds our limit of 1MB.", dlen);
+@@ -2456,8 +2456,13 @@ static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
+         }
+ 
+         if (read_s32(data, 4) < 0) {
+-            vnc_client_cut_text_ext(vs, abs(read_s32(data, 4)),
+-                                    read_u32(data, 8), data + 12);
++            if (dlen < 4) {
++                error_report("vnc: malformed payload (header less than 4 bytes)"
++                             " in extended clipboard pseudo-encoding.");
++                vnc_client_error(vs);
++                break;
++            }
++            vnc_client_cut_text_ext(vs, dlen, read_u32(data, 8), data + 12);
+             break;
+         }
+         vnc_client_cut_text(vs, read_u32(data, 4), data + 8);
+-- 
+GitLab
+
diff --git a/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/arm-cpreg-fix.patch b/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/arm-cpreg-fix.patch
new file mode 100644
index 00000000..071691f8
--- /dev/null
+++ b/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/arm-cpreg-fix.patch
@@ -0,0 +1,27 @@
+target/arm: mark SP_EL1 with ARM_CP_EL3_NO_EL2_KEEP
+
+SP_EL1 must be kept when EL3 is present but EL2 is not. Therefore mark
+it with ARM_CP_EL3_NO_EL2_KEEP.
+
+Fixes: 696ba3771894 ("target/arm: Handle cpreg registration for missing EL")
+Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
+
+Upstream-Status: Submitted [https://lists.gnu.org/archive/html/qemu-devel/2022-09/msg04515.html]
+
+---
+ target/arm/helper.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: qemu-7.1.0/target/arm/helper.c
+===================================================================
+--- qemu-7.1.0.orig/target/arm/helper.c
++++ qemu-7.1.0/target/arm/helper.c
+@@ -4971,7 +4971,7 @@ static const ARMCPRegInfo v8_cp_reginfo[
+       .fieldoffset = offsetof(CPUARMState, sp_el[0]) },
+     { .name = "SP_EL1", .state = ARM_CP_STATE_AA64,
+       .opc0 = 3, .opc1 = 4, .crn = 4, .crm = 1, .opc2 = 0,
+-      .access = PL2_RW, .type = ARM_CP_ALIAS,
++      .access = PL2_RW, .type = ARM_CP_ALIAS | ARM_CP_EL3_NO_EL2_KEEP,
+       .fieldoffset = offsetof(CPUARMState, sp_el[1]) },
+     { .name = "SPSel", .state = ARM_CP_STATE_AA64,
+       .opc0 = 3, .opc1 = 0, .crn = 4, .crm = 2, .opc2 = 0,
diff --git a/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/powerpc_rom.bin b/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/powerpc_rom.bin
new file mode 100644
index 00000000..c4044296
--- /dev/null
+++ b/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/powerpc_rom.bin
diff --git a/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/qemu-7.0.0-glibc-2.36.patch b/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/qemu-7.0.0-glibc-2.36.patch
new file mode 100644
index 00000000..abad1cfe
--- /dev/null
+++ b/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/qemu-7.0.0-glibc-2.36.patch
@@ -0,0 +1,46 @@
+Avoid conflicts between sys/mount.h and linux/mount.h that are seen
+with glibc 2.36
+
+Source: https://github.com/archlinux/svntogit-packages/blob/packages/qemu/trunk/qemu-7.0.0-glibc-2.36.patch
+
+Upstream-Status: Pending
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+--- a/linux-user/syscall.c
++++ b/linux-user/syscall.c
+@@ -95,7 +95,25 @@
+ #include <linux/soundcard.h>
+ #include <linux/kd.h>
+ #include <linux/mtio.h>
++
++#ifdef HAVE_SYS_MOUNT_FSCONFIG
++/*
++ * glibc >= 2.36 linux/mount.h conflicts with sys/mount.h,
++ * which in turn prevents use of linux/fs.h. So we have to
++ * define the constants ourselves for now.
++ */
++#define FS_IOC_GETFLAGS                _IOR('f', 1, long)
++#define FS_IOC_SETFLAGS                _IOW('f', 2, long)
++#define FS_IOC_GETVERSION              _IOR('v', 1, long)
++#define FS_IOC_SETVERSION              _IOW('v', 2, long)
++#define FS_IOC_FIEMAP                  _IOWR('f', 11, struct fiemap)
++#define FS_IOC32_GETFLAGS              _IOR('f', 1, int)
++#define FS_IOC32_SETFLAGS              _IOW('f', 2, int)
++#define FS_IOC32_GETVERSION            _IOR('v', 1, int)
++#define FS_IOC32_SETVERSION            _IOW('v', 2, int)
++#else
+ #include <linux/fs.h>
++#endif
+ #include <linux/fd.h>
+ #if defined(CONFIG_FIEMAP)
+ #include <linux/fiemap.h>
+--- a/meson.build
++++ b/meson.build
+@@ -1686,6 +1686,8 @@ config_host_data.set('HAVE_OPTRESET',
+                      cc.has_header_symbol('getopt.h', 'optreset'))
+ config_host_data.set('HAVE_IPPROTO_MPTCP',
+                      cc.has_header_symbol('netinet/in.h', 'IPPROTO_MPTCP'))
++config_host_data.set('HAVE_SYS_MOUNT_FSCONFIG',
++                     cc.has_header_symbol('sys/mount.h', 'FSCONFIG_SET_FLAG'))
+ 
+ # has_member
+ config_host_data.set('HAVE_SIGEV_NOTIFY_THREAD_ID',
diff --git a/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/run-ptest b/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/run-ptest
new file mode 100644
index 00000000..f9a4e8fb
--- /dev/null
+++ b/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/run-ptest
@@ -0,0 +1,13 @@
+#!/bin/sh
+#
+#This script is used to run qemu test suites
+#
+
+ptestdir=$(dirname "$(readlink -f "$0")")
+export SRC_PATH=$ptestdir
+
+cd $ptestdir/tests
+tests=$(find . -name "test-*" ! -name "*.p")
+for f in $tests; do
+    $f  | sed '/^ok/ s/ok/PASS:/g'
+done
diff --git a/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.inc b/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.inc
index b65a1682..c8f593a7 100644
--- a/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.inc
+++ b/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.inc
@@ -36,6 +36,8 @@ SRC_URI += "\
            file://0001-net-tulip-Restrict-DMA-engine-to-memories.patch \
            file://arm-cpreg-fix.patch \
            file://CVE-2022-3165.patch \
+           file://qemu-guest-agent.init \
+           file://qemu-guest-agent.udev \
            "
 
 S = "${WORKDIR}/git"