2 files changed, 79 insertions, 1 deletions
diff --git a/meta/recipes-devtools/qemu/files/pcie_better_hotplug_support.patch b/meta/recipes-devtools/qemu/files/pcie_better_hotplug_support.patch
new file mode 100644
index 0000000000..c7035b2bf7
--- /dev/null
+++ b/meta/recipes-devtools/qemu/files/pcie_better_hotplug_support.patch
@@ -0,0 +1,74 @@
+The current code is broken: it does surprise removal which crashes guests.
+Reimplemented the steps:
+ - Hotplug triggers both 'present detect change' and
+   'attention button pressed'.
+ - Hotunplug starts by triggering 'attention button pressed',
+   then waits for the OS to power off the device and only
+   then detaches it.
+Fixes CVE-2014-3471.
+Originated-by: Marcel Apfelbaum <address@hidden>
+Updated-by: Daniel BORNAZ <daniel.bornaz@enea.com>
+--- a/hw/pci/pcie.c     2014-04-17 15:44:44.000000000 +0200
+++ b/hw/pci/pcie.c     2014-07-15 13:03:16.905070562 +0200
+@@ -258,7 +258,8 @@ void pcie_cap_slot_hotplug_cb(HotplugHan
+ 
+     pci_word_test_and_set_mask(exp_cap + PCI_EXP_SLTSTA,
+                                PCI_EXP_SLTSTA_PDS);
+-    pcie_cap_slot_event(PCI_DEVICE(hotplug_dev), PCI_EXP_HP_EV_PDC);
+    pcie_cap_slot_event(PCI_DEVICE(hotplug_dev),
+                        PCI_EXP_HP_EV_PDC | PCI_EXP_HP_EV_ABP);
+ }
+ 
+ void pcie_cap_slot_hot_unplug_cb(HotplugHandler *hotplug_dev, DeviceState *dev,
+@@ -268,10 +269,7 @@ void pcie_cap_slot_hot_unplug_cb(Hotplug
+ 
+     pcie_cap_slot_hotplug_common(PCI_DEVICE(hotplug_dev), dev, &exp_cap, errp);
+ 
+-    object_unparent(OBJECT(dev));
+-    pci_word_test_and_clear_mask(exp_cap + PCI_EXP_SLTSTA,
+-                                 PCI_EXP_SLTSTA_PDS);
+-    pcie_cap_slot_event(PCI_DEVICE(hotplug_dev), PCI_EXP_HP_EV_PDC);
+    pcie_cap_slot_push_attention_button(PCI_DEVICE(hotplug_dev));
+ }
+ 
+ /* pci express slot for pci express root/downstream port
+@@ -352,6 +350,11 @@ void pcie_cap_slot_reset(PCIDevice *dev)
+     hotplug_event_update_event_status(dev);
+ }
+ 
+static void pcie_unplug_device(PCIBus *bus, PCIDevice *dev, void *opaque)
+{
+    object_unparent(OBJECT(dev));
+}
+
+ void pcie_cap_slot_write_config(PCIDevice *dev,
+                                 uint32_t addr, uint32_t val, int len)
+ {
+@@ -376,6 +379,22 @@ void pcie_cap_slot_write_config(PCIDevic
+                         sltsta);
+     }
+ 
+    /*
+     * If the slot is polulated, power indicator is off and power
+     * controller is off, it is safe to detach the devices.
+     */
+    if ((sltsta & PCI_EXP_SLTSTA_PDS) && (val & PCI_EXP_SLTCTL_PCC) &&
+        ((val & PCI_EXP_SLTCTL_PIC_OFF) == PCI_EXP_SLTCTL_PIC_OFF)) {
+            PCIBus *sec_bus = pci_bridge_get_sec_bus(PCI_BRIDGE(dev));
+            pci_for_each_device(sec_bus, pci_bus_num(sec_bus),
+                                pcie_unplug_device, NULL);
+
+            pci_word_test_and_clear_mask(exp_cap + PCI_EXP_SLTSTA,
+                                         PCI_EXP_SLTSTA_PDS);
+            pci_word_test_and_set_mask(exp_cap + PCI_EXP_SLTSTA,
+                                       PCI_EXP_SLTSTA_PDC);
+    }
+
+     hotplug_event_notify(dev);
+ 
+     /* 
diff --git a/meta/recipes-devtools/qemu/qemu_2.0.0.bb b/meta/recipes-devtools/qemu/qemu_2.0.0.bb
index b8ce62428b..9a530a6fb5 100644
--- a/meta/recipes-devtools/qemu/qemu_2.0.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_2.0.0.bb
@@ -4,7 +4,11 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=441c28d2cf86e15a37fa47e15a72fbac \
                    file://COPYING.LIB;endline=24;md5=c04def7ae38850e7d3ef548588159913"
 SRC_URI += "file://qemu-enlarge-env-entry-size.patch \
-            file://Qemu-Arm-versatilepb-Add-memory-size-checking.patch"
+            file://Qemu-Arm-versatilepb-Add-memory-size-checking.patch \
+            file://pcie_better_hotplug_support.patch \
+            "
 SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"
 SRC_URI[md5sum] = "2790f44fd76da5de5024b4aafeb594c2"

diff --git a/meta/recipes-devtools/qemu/files/pcie_better_hotplug_support.patch b/meta/recipes-devtools/qemu/files/pcie_better_hotplug_support.patch new file mode 100644 index 0000000000..c7035b2bf7 --- /dev/null +++ b/meta/recipes-devtools/qemu/files/pcie_better_hotplug_support.patch
@@ -0,0 +1,74 @@
		1	The current code is broken: it does surprise removal which crashes guests.
		2
		3	Reimplemented the steps:
		4	- Hotplug triggers both 'present detect change' and
		5	'attention button pressed'.
		6
		7	- Hotunplug starts by triggering 'attention button pressed',
		8	then waits for the OS to power off the device and only
		9	then detaches it.
		10
		11	Fixes CVE-2014-3471.
		12
		13	Originated-by: Marcel Apfelbaum <address@hidden>
		14	Updated-by: Daniel BORNAZ <daniel.bornaz@enea.com>
		15
		16	--- a/hw/pci/pcie.c 2014-04-17 15:44:44.000000000 +0200
		17	+++ b/hw/pci/pcie.c 2014-07-15 13:03:16.905070562 +0200
		18	@@ -258,7 +258,8 @@ void pcie_cap_slot_hotplug_cb(HotplugHan
		19
		20	pci_word_test_and_set_mask(exp_cap + PCI_EXP_SLTSTA,
		21	PCI_EXP_SLTSTA_PDS);
		22	- pcie_cap_slot_event(PCI_DEVICE(hotplug_dev), PCI_EXP_HP_EV_PDC);
		23	+ pcie_cap_slot_event(PCI_DEVICE(hotplug_dev),
		24	+ PCI_EXP_HP_EV_PDC \| PCI_EXP_HP_EV_ABP);
		25	}
		26
		27	void pcie_cap_slot_hot_unplug_cb(HotplugHandler hotplug_dev, DeviceState dev,
		28	@@ -268,10 +269,7 @@ void pcie_cap_slot_hot_unplug_cb(Hotplug
		29
		30	pcie_cap_slot_hotplug_common(PCI_DEVICE(hotplug_dev), dev, &exp_cap, errp);
		31
		32	- object_unparent(OBJECT(dev));
		33	- pci_word_test_and_clear_mask(exp_cap + PCI_EXP_SLTSTA,
		34	- PCI_EXP_SLTSTA_PDS);
		35	- pcie_cap_slot_event(PCI_DEVICE(hotplug_dev), PCI_EXP_HP_EV_PDC);
		36	+ pcie_cap_slot_push_attention_button(PCI_DEVICE(hotplug_dev));
		37	}
		38
		39	/* pci express slot for pci express root/downstream port
		40	@@ -352,6 +350,11 @@ void pcie_cap_slot_reset(PCIDevice *dev)
		41	hotplug_event_update_event_status(dev);
		42	}
		43
		44	+static void pcie_unplug_device(PCIBus bus, PCIDevice dev, void *opaque)
		45	+{
		46	+ object_unparent(OBJECT(dev));
		47	+}
		48	+
		49	void pcie_cap_slot_write_config(PCIDevice *dev,
		50	uint32_t addr, uint32_t val, int len)
		51	{
		52	@@ -376,6 +379,22 @@ void pcie_cap_slot_write_config(PCIDevic
		53	sltsta);
		54	}
		55
		56	+ /*
		57	+ * If the slot is polulated, power indicator is off and power
		58	+ * controller is off, it is safe to detach the devices.
		59	+ */
		60	+ if ((sltsta & PCI_EXP_SLTSTA_PDS) && (val & PCI_EXP_SLTCTL_PCC) &&
		61	+ ((val & PCI_EXP_SLTCTL_PIC_OFF) == PCI_EXP_SLTCTL_PIC_OFF)) {
		62	+ PCIBus *sec_bus = pci_bridge_get_sec_bus(PCI_BRIDGE(dev));
		63	+ pci_for_each_device(sec_bus, pci_bus_num(sec_bus),
		64	+ pcie_unplug_device, NULL);
		65	+
		66	+ pci_word_test_and_clear_mask(exp_cap + PCI_EXP_SLTSTA,
		67	+ PCI_EXP_SLTSTA_PDS);
		68	+ pci_word_test_and_set_mask(exp_cap + PCI_EXP_SLTSTA,
		69	+ PCI_EXP_SLTSTA_PDC);
		70	+ }
		71	+
		72	hotplug_event_notify(dev);
		73
		74	/*


diff --git a/meta/recipes-devtools/qemu/qemu_2.0.0.bb b/meta/recipes-devtools/qemu/qemu_2.0.0.bb index b8ce62428b..9a530a6fb5 100644 --- a/meta/recipes-devtools/qemu/qemu_2.0.0.bb +++ b/meta/recipes-devtools/qemu/qemu_2.0.0.bb
@@ -4,7 +4,11 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=441c28d2cf86e15a37fa47e15a72fbac \
4	file://COPYING.LIB;endline=24;md5=c04def7ae38850e7d3ef548588159913"	4	file://COPYING.LIB;endline=24;md5=c04def7ae38850e7d3ef548588159913"
5		5
6	SRC_URI += "file://qemu-enlarge-env-entry-size.patch \	6	SRC_URI += "file://qemu-enlarge-env-entry-size.patch \
7	file://Qemu-Arm-versatilepb-Add-memory-size-checking.patch"	7	file://Qemu-Arm-versatilepb-Add-memory-size-checking.patch \
		8	file://pcie_better_hotplug_support.patch \
		9	"
		10
		11
8		12
9	SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"	13	SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"
10	SRC_URI[md5sum] = "2790f44fd76da5de5024b4aafeb594c2"	14	SRC_URI[md5sum] = "2790f44fd76da5de5024b4aafeb594c2"