From b6c0e8ad80bf96f28e051645aae30133a00de59d Mon Sep 17 00:00:00 2001
From: Andrei Gherzan <andrei.gherzan@huawei.com>
Date: Wed, 8 Dec 2021 15:10:02 +0100
Subject: [PATCH] qemu: Drop version 5.2.0
oe-core now comes with a newer version: 6.1.0. 5.2.0 version was an
upgrade for dunfell but now that we move to newer layers, we can drop it
and use the latest in upstream.
Signed-off-by: Andrei Gherzan <andrei.gherzan@huawei.com>
---
meta-oniro-core/conf/distro/oniro-linux.conf | 1 -
.../qemu/nativesdk-qemu-helper_1.0.bb | 37 ---
.../qemu/qemu-helper-native_1.0.bb | 29 --
.../qemu/qemu-helper/qemu-oe-bridge-helper | 25 --
.../qemu/qemu-helper/tunctl.c | 158 ---------
.../recipes-devtools/qemu/qemu-native.inc | 11 -
.../qemu/qemu-native_5.2.0.bb | 9 -
.../qemu/qemu-system-native_5.2.0.bb | 26 --
.../recipes-devtools/qemu/qemu-targets.inc | 28 --
.../recipes-devtools/qemu/qemu.inc | 249 --------------
.../qemu/0001-Add-enable-disable-udev.patch | 29 --
...emu-Add-missing-wacom-HID-descriptor.patch | 141 --------
...mu-Do-not-include-file-if-not-exists.patch | 31 --
...d-use-relative-path-to-refer-to-file.patch | 34 --
...ix-memory-disclosure-in-virgl_cmd_ge.patch | 43 ---
...ix-resource-leak-in-vg_resource_crea.patch | 41 ---
...n-environment-space-to-boot-loader-q.patch | 33 --
...ix-memory-leak-in-vg_resource_attach.patch | 48 ---
.../qemu/0004-qemu-disable-Valgrind.patch | 34 --
...ix-memory-leak-while-calling-vg_reso.patch | 50 ---
...ix-memory-leak-in-virgl_cmd_resource.patch | 58 ----
...-connect-socket-to-a-spawned-command.patch | 243 --------------
...ix-memory-leak-in-virgl_resource_att.patch | 49 ---
.../0007-apic-fixup-fallthrough-to-PIC.patch | 44 ---
...ix-OOB-write-in-virgl_cmd_get_capset.patch | 49 ---
...dd-pkg-config-handling-for-libgcrypt.patch | 84 -----
.../qemu/qemu/CVE-2020-27821.patch | 143 ---------
.../qemu/qemu/CVE-2020-29443.patch | 107 -------
.../qemu/qemu/CVE-2020-35517_1.patch | 153 ---------
.../qemu/qemu/CVE-2020-35517_2.patch | 117 -------
.../qemu/qemu/CVE-2020-35517_3.patch | 303 ------------------
.../qemu/qemu/CVE-2021-20181.patch | 81 -----
.../qemu/qemu/CVE-2021-20203.patch | 73 -----
.../qemu/qemu/CVE-2021-20221.patch | 70 ----
.../qemu/qemu/CVE-2021-20257.patch | 55 ----
.../qemu/qemu/CVE-2021-20263.patch | 214 -------------
.../qemu/qemu/CVE-2021-3392.patch | 89 -----
.../qemu/qemu/CVE-2021-3409_1.patch | 56 ----
.../qemu/qemu/CVE-2021-3409_2.patch | 92 ------
.../qemu/qemu/CVE-2021-3409_3.patch | 109 -------
.../qemu/qemu/CVE-2021-3409_4.patch | 75 -----
.../qemu/qemu/CVE-2021-3409_5.patch | 56 ----
.../qemu/qemu/CVE-2021-3409_6.patch | 99 ------
.../qemu/qemu/CVE-2021-3416_1.patch | 177 ----------
.../qemu/qemu/CVE-2021-3416_10.patch | 44 ---
.../qemu/qemu/CVE-2021-3416_2.patch | 42 ---
.../qemu/qemu/CVE-2021-3416_3.patch | 43 ---
.../qemu/qemu/CVE-2021-3416_4.patch | 43 ---
.../qemu/qemu/CVE-2021-3416_5.patch | 45 ---
.../qemu/qemu/CVE-2021-3416_6.patch | 43 ---
.../qemu/qemu/CVE-2021-3416_7.patch | 45 ---
.../qemu/qemu/CVE-2021-3416_8.patch | 44 ---
.../qemu/qemu/CVE-2021-3416_9.patch | 46 ---
.../qemu/qemu/CVE-2021-3527-1.patch | 42 ---
.../qemu/qemu/CVE-2021-3527-2.patch | 59 ----
.../qemu/qemu/CVE-2021-3582.patch | 47 ---
.../qemu/qemu/CVE-2021-3607.patch | 43 ---
.../qemu/qemu/CVE-2021-3608.patch | 43 ---
.../recipes-devtools/qemu/qemu/cross.patch | 30 --
.../qemu/qemu/determinism.patch | 41 ---
.../recipes-devtools/qemu/qemu/mingwfix.patch | 21 --
.../recipes-devtools/qemu/qemu/mmap.patch | 29 --
.../recipes-devtools/qemu/qemu/mmap2.patch | 40 ---
.../qemu/qemu/powerpc_rom.bin | Bin 4096 -> 0 bytes
.../recipes-devtools/qemu/qemu/run-ptest | 13 -
.../recipes-devtools/qemu/qemu_5.2.0.bb | 28 --
.../qemu/qemuwrapper-cross_1.0.bb | 39 ---
67 files changed, 4523 deletions(-)
delete mode 100644 meta-oniro-staging/recipes-devtools/qemu/nativesdk-qemu-helper_1.0.bb
delete mode 100644 meta-oniro-staging/recipes-devtools/qemu/qemu-helper-native_1.0.bb
delete mode 100755 meta-oniro-staging/recipes-devtools/qemu/qemu-helper/qemu-oe-bridge-helper
delete mode 100644 meta-oniro-staging/recipes-devtools/qemu/qemu-helper/tunctl.c
delete mode 100644 meta-oniro-staging/recipes-devtools/qemu/qemu-native.inc
delete mode 100644 meta-oniro-staging/recipes-devtools/qemu/qemu-native_5.2.0.bb
delete mode 100644 meta-oniro-staging/recipes-devtools/qemu/qemu-system-native_5.2.0.bb
delete mode 100644 meta-oniro-staging/recipes-devtools/qemu/qemu-targets.inc
delete mode 100644 meta-oniro-staging/recipes-devtools/qemu/qemu.inc
delete mode 100644 meta-oniro-staging/recipes-devtools/qemu/qemu/0001-Add-enable-disable-udev.patch
delete mode 100644 meta-oniro-staging/recipes-devtools/qemu/qemu/0001-qemu-Add-missing-wacom-HID-descriptor.patch
delete mode 100644 meta-oniro-staging/recipes-devtools/qemu/qemu/0001-qemu-Do-not-include-file-if-not-exists.patch
delete mode 100644 meta-oniro-staging/recipes-devtools/qemu/qemu/0001-tests-meson.build-use-relative-path-to-refer-to-file.patch
delete mode 100644 meta-oniro-staging/recipes-devtools/qemu/qemu/0001-vhost-user-gpu-fix-memory-disclosure-in-virgl_cmd_ge.patch
delete mode 100644 meta-oniro-staging/recipes-devtools/qemu/qemu/0002-vhost-user-gpu-fix-resource-leak-in-vg_resource_crea.patch
delete mode 100644 meta-oniro-staging/recipes-devtools/qemu/qemu/0003-qemu-Add-addition-environment-space-to-boot-loader-q.patch
delete mode 100644 meta-oniro-staging/recipes-devtools/qemu/qemu/0003-vhost-user-gpu-fix-memory-leak-in-vg_resource_attach.patch
delete mode 100644 meta-oniro-staging/recipes-devtools/qemu/qemu/0004-qemu-disable-Valgrind.patch
delete mode 100644 meta-oniro-staging/recipes-devtools/qemu/qemu/0004-vhost-user-gpu-fix-memory-leak-while-calling-vg_reso.patch
delete mode 100644 meta-oniro-staging/recipes-devtools/qemu/qemu/0005-vhost-user-gpu-fix-memory-leak-in-virgl_cmd_resource.patch
delete mode 100644 meta-oniro-staging/recipes-devtools/qemu/qemu/0006-chardev-connect-socket-to-a-spawned-command.patch
delete mode 100644 meta-oniro-staging/recipes-devtools/qemu/qemu/0006-vhost-user-gpu-fix-memory-leak-in-virgl_resource_att.patch
delete mode 100644 meta-oniro-staging/recipes-devtools/qemu/qemu/0007-apic-fixup-fallthrough-to-PIC.patch
delete mode 100644 meta-oniro-staging/recipes-devtools/qemu/qemu/0007-vhost-user-gpu-fix-OOB-write-in-virgl_cmd_get_capset.patch
delete mode 100644 meta-oniro-staging/recipes-devtools/qemu/qemu/0010-configure-Add-pkg-config-handling-for-libgcrypt.patch
delete mode 100644 meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2020-27821.patch
delete mode 100644 meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2020-29443.patch
delete mode 100644 meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2020-35517_1.patch
delete mode 100644 meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2020-35517_2.patch
delete mode 100644 meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2020-35517_3.patch
delete mode 100644 meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-20181.patch
delete mode 100644 meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-20203.patch
delete mode 100644 meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-20221.patch
delete mode 100644 meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-20257.patch
delete mode 100644 meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-20263.patch
delete mode 100644 meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3392.patch
delete mode 100644 meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3409_1.patch
delete mode 100644 meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3409_2.patch
delete mode 100644 meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3409_3.patch
delete mode 100644 meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3409_4.patch
delete mode 100644 meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3409_5.patch
delete mode 100644 meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3409_6.patch
delete mode 100644 meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3416_1.patch
delete mode 100644 meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3416_10.patch
delete mode 100644 meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3416_2.patch
delete mode 100644 meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3416_3.patch
delete mode 100644 meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3416_4.patch
delete mode 100644 meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3416_5.patch
delete mode 100644 meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3416_6.patch
delete mode 100644 meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3416_7.patch
delete mode 100644 meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3416_8.patch
delete mode 100644 meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3416_9.patch
delete mode 100644 meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3527-1.patch
delete mode 100644 meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3527-2.patch
delete mode 100644 meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3582.patch
delete mode 100644 meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3607.patch
delete mode 100644 meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3608.patch
delete mode 100644 meta-oniro-staging/recipes-devtools/qemu/qemu/cross.patch
delete mode 100644 meta-oniro-staging/recipes-devtools/qemu/qemu/determinism.patch
delete mode 100644 meta-oniro-staging/recipes-devtools/qemu/qemu/mingwfix.patch
delete mode 100644 meta-oniro-staging/recipes-devtools/qemu/qemu/mmap.patch
delete mode 100644 meta-oniro-staging/recipes-devtools/qemu/qemu/mmap2.patch
delete mode 100644 meta-oniro-staging/recipes-devtools/qemu/qemu/powerpc_rom.bin
delete mode 100644 meta-oniro-staging/recipes-devtools/qemu/qemu/run-ptest
delete mode 100644 meta-oniro-staging/recipes-devtools/qemu/qemu_5.2.0.bb
delete mode 100644 meta-oniro-staging/recipes-devtools/qemu/qemuwrapper-cross_1.0.bb
diff --git a/meta-oniro-core/conf/distro/oniro-linux.conf b/meta-oniro-core/conf/distro/oniro-linux.conf
index 7f07de1b..99de2923 100644
--- a/meta-oniro-core/conf/distro/oniro-linux.conf
+++ b/meta-oniro-core/conf/distro/oniro-linux.conf
@@ -34,7 +34,6 @@ DISTRO_EXTRA_RRECOMMENDS += " ${ONIRO_DEFAULT_EXTRA_RRECOMMENDS}"
GOVERSION = "1.16%"
PREFERRED_PROVIDER_go-native ?= "go-binary-native"
-QEMUVERSION = "5.%"
ONIROQEMUDEPS = "${@bb.utils.contains("INCOMPATIBLE_LICENSE", "GPL-3.0", "", "packagegroup-core-device-devel",d)}"
DISTRO_EXTRA_RDEPENDS_append_qemuarm = " ${ONIROQEMUDEPS}"
DISTRO_EXTRA_RDEPENDS_append_qemuarm64 = " ${ONIROQEMUDEPS}"
diff --git a/meta-oniro-staging/recipes-devtools/qemu/nativesdk-qemu-helper_1.0.bb b/meta-oniro-staging/recipes-devtools/qemu/nativesdk-qemu-helper_1.0.bb
deleted file mode 100644
index ca1ad964..00000000
--- a/meta-oniro-staging/recipes-devtools/qemu/nativesdk-qemu-helper_1.0.bb
+++ /dev/null
@@ -1,37 +0,0 @@
-SUMMARY = "Qemu helper scripts"
-LICENSE = "GPLv2"
-RDEPENDS_${PN} = "nativesdk-qemu \
- nativesdk-python3-shell nativesdk-python3-fcntl nativesdk-python3-logging \
- "
-
-PR = "r9"
-
-LIC_FILES_CHKSUM = "file://${WORKDIR}/tunctl.c;endline=4;md5=ff3a09996bc5fff6bc5d4e0b4c28f999 \
- file://${COREBASE}/scripts/runqemu;beginline=5;endline=10;md5=ac2b489a58739c7628a2604698db5e7f"
-
-
-SRC_URI = "file://${COREBASE}/scripts/runqemu \
- file://${COREBASE}/scripts/runqemu-addptable2image \
- file://${COREBASE}/scripts/runqemu-gen-tapdevs \
- file://${COREBASE}/scripts/runqemu-ifup \
- file://${COREBASE}/scripts/runqemu-ifdown \
- file://${COREBASE}/scripts/oe-find-native-sysroot \
- file://${COREBASE}/scripts/runqemu-extract-sdk \
- file://${COREBASE}/scripts/runqemu-export-rootfs \
- file://tunctl.c \
- "
-
-S = "${WORKDIR}"
-
-inherit nativesdk
-
-do_compile() {
- ${CC} tunctl.c -o tunctl
-}
-
-do_install() {
- install -d ${D}${bindir}
- install -m 0755 ${WORKDIR}${COREBASE}/scripts/oe-* ${D}${bindir}/
- install -m 0755 ${WORKDIR}${COREBASE}/scripts/runqemu* ${D}${bindir}/
- install tunctl ${D}${bindir}/
-}
diff --git a/meta-oniro-staging/recipes-devtools/qemu/qemu-helper-native_1.0.bb b/meta-oniro-staging/recipes-devtools/qemu/qemu-helper-native_1.0.bb
deleted file mode 100644
index 2fc07669..00000000
--- a/meta-oniro-staging/recipes-devtools/qemu/qemu-helper-native_1.0.bb
+++ /dev/null
@@ -1,29 +0,0 @@
-SUMMARY = "Helper utilities needed by the runqemu script"
-LICENSE = "GPLv2"
-RDEPENDS_${PN} = "qemu-system-native"
-PR = "r1"
-
-LIC_FILES_CHKSUM = "file://${WORKDIR}/tunctl.c;endline=4;md5=ff3a09996bc5fff6bc5d4e0b4c28f999"
-
-SRC_URI = "\
- file://tunctl.c \
- file://qemu-oe-bridge-helper \
- "
-
-S = "${WORKDIR}"
-
-inherit native
-
-do_compile() {
- ${CC} ${CFLAGS} ${LDFLAGS} -Wall tunctl.c -o tunctl
-}
-
-do_install() {
- install -d ${D}${bindir}
- install tunctl ${D}${bindir}/
-
- install -m 755 ${WORKDIR}/qemu-oe-bridge-helper ${D}${bindir}/
-}
-
-DEPENDS += "qemu-system-native"
-addtask addto_recipe_sysroot after do_populate_sysroot before do_build
diff --git a/meta-oniro-staging/recipes-devtools/qemu/qemu-helper/qemu-oe-bridge-helper b/meta-oniro-staging/recipes-devtools/qemu/qemu-helper/qemu-oe-bridge-helper
deleted file mode 100755
index f057d4ee..00000000
--- a/meta-oniro-staging/recipes-devtools/qemu/qemu-helper/qemu-oe-bridge-helper
+++ /dev/null
@@ -1,25 +0,0 @@
-#! /bin/sh
-# Copyright 2020 Garmin Ltd. or its subsidiaries
-#
-# SPDX-License-Identifier: GPL-2.0
-#
-# Attempts to find and exec the host qemu-bridge-helper program
-
-# If the QEMU_BRIDGE_HELPER variable is set by the user, exec it.
-if [ -n "$QEMU_BRIDGE_HELPER" ]; then
- exec "$QEMU_BRIDGE_HELPER" "$@"
-fi
-
-# Search common paths for the helper program
-BN="qemu-bridge-helper"
-PATHS="/usr/libexec/ /usr/lib/qemu/"
-
-for p in $PATHS; do
- if [ -e "$p/$BN" ]; then
- exec "$p/$BN" "$@"
- fi
-done
-
-echo "$BN not found!" > /dev/stderr
-exit 1
-
diff --git a/meta-oniro-staging/recipes-devtools/qemu/qemu-helper/tunctl.c b/meta-oniro-staging/recipes-devtools/qemu/qemu-helper/tunctl.c
deleted file mode 100644
index d745dd06..00000000
--- a/meta-oniro-staging/recipes-devtools/qemu/qemu-helper/tunctl.c
+++ /dev/null
@@ -1,158 +0,0 @@
-/* Copyright 2002 Jeff Dike
- * Licensed under the GPL
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <errno.h>
-#include <fcntl.h>
-#include <unistd.h>
-#include <pwd.h>
-#include <grp.h>
-#include <net/if.h>
-#include <sys/ioctl.h>
-#include <linux/if_tun.h>
-
-/* TUNSETGROUP appeared in 2.6.23 */
-#ifndef TUNSETGROUP
-#define TUNSETGROUP _IOW('T', 206, int)
-#endif
-
-static void Usage(char *name, int status)
-{
- fprintf(stderr, "Create: %s [-b] [-u owner] [-g group] [-t device-name] "
- "[-f tun-clone-device]\n", name);
- fprintf(stderr, "Delete: %s -d device-name [-f tun-clone-device]\n\n",
- name);
- fprintf(stderr, "The default tun clone device is /dev/net/tun - some systems"
- " use\n/dev/misc/net/tun instead\n\n");
- fprintf(stderr, "-b will result in brief output (just the device name)\n");
- exit(status);
-}
-
-int main(int argc, char **argv)
-{
- struct ifreq ifr;
- struct passwd *pw;
- struct group *gr;
- uid_t owner = -1;
- gid_t group = -1;
- int tap_fd, opt, delete = 0, brief = 0;
- char *tun = "", *file = "/dev/net/tun", *name = argv[0], *end;
-
- while((opt = getopt(argc, argv, "bd:f:t:u:g:h")) > 0){
- switch(opt) {
- case 'b':
- brief = 1;
- break;
- case 'd':
- delete = 1;
- tun = optarg;
- break;
- case 'f':
- file = optarg;
- break;
- case 'u':
- pw = getpwnam(optarg);
- if(pw != NULL){
- owner = pw->pw_uid;
- break;
- }
- owner = strtol(optarg, &end, 0);
- if(*end != '\0'){
- fprintf(stderr, "'%s' is neither a username nor a numeric uid.\n",
- optarg);
- Usage(name, 1);
- }
- break;
- case 'g':
- gr = getgrnam(optarg);
- if(gr != NULL){
- group = gr->gr_gid;
- break;
- }
- group = strtol(optarg, &end, 0);
- if(*end != '\0'){
- fprintf(stderr, "'%s' is neither a groupname nor a numeric group.\n",
- optarg);
- Usage(name, 1);
- }
- break;
-
- case 't':
- tun = optarg;
- break;
- case 'h':
- Usage(name, 0);
- break;
- default:
- Usage(name, 1);
- }
- }
-
- argv += optind;
- argc -= optind;
-
- if(argc > 0)
- Usage(name, 1);
-
- if((tap_fd = open(file, O_RDWR)) < 0){
- fprintf(stderr, "Failed to open '%s' : ", file);
- perror("");
- exit(1);
- }
-
- memset(&ifr, 0, sizeof(ifr));
-
- ifr.ifr_flags = IFF_TAP | IFF_NO_PI;
- strncpy(ifr.ifr_name, tun, sizeof(ifr.ifr_name) - 1);
- if(ioctl(tap_fd, TUNSETIFF, (void *) &ifr) < 0){
- perror("TUNSETIFF");
- exit(1);
- }
-
- if(delete){
- if(ioctl(tap_fd, TUNSETPERSIST, 0) < 0){
- perror("disabling TUNSETPERSIST");
- exit(1);
- }
- printf("Set '%s' nonpersistent\n", ifr.ifr_name);
- }
- else {
- /* emulate behaviour prior to TUNSETGROUP */
- if(owner == -1 && group == -1) {
- owner = geteuid();
- }
-
- if(owner != -1) {
- if(ioctl(tap_fd, TUNSETOWNER, owner) < 0){
- perror("TUNSETOWNER");
- exit(1);
- }
- }
- if(group != -1) {
- if(ioctl(tap_fd, TUNSETGROUP, group) < 0){
- perror("TUNSETGROUP");
- exit(1);
- }
- }
-
- if(ioctl(tap_fd, TUNSETPERSIST, 1) < 0){
- perror("enabling TUNSETPERSIST");
- exit(1);
- }
-
- if(brief)
- printf("%s\n", ifr.ifr_name);
- else {
- printf("Set '%s' persistent and owned by", ifr.ifr_name);
- if(owner != -1)
- printf(" uid %d", owner);
- if(group != -1)
- printf(" gid %d", group);
- printf("\n");
- }
- }
- return(0);
-}
diff --git a/meta-oniro-staging/recipes-devtools/qemu/qemu-native.inc b/meta-oniro-staging/recipes-devtools/qemu/qemu-native.inc
deleted file mode 100644
index 54e49d8b..00000000
--- a/meta-oniro-staging/recipes-devtools/qemu/qemu-native.inc
+++ /dev/null
@@ -1,11 +0,0 @@
-require qemu.inc
-
-inherit native
-
-EXTRA_OEMAKE_append = " LD='${LD}' AR='${AR}' OBJCOPY='${OBJCOPY}' LDFLAGS='${LDFLAGS}'"
-
-LDFLAGS_append = " -fuse-ld=bfd"
-
-do_install_append() {
- ${@bb.utils.contains('PACKAGECONFIG', 'gtk+', 'make_qemu_wrapper', '', d)}
-}
diff --git a/meta-oniro-staging/recipes-devtools/qemu/qemu-native_5.2.0.bb b/meta-oniro-staging/recipes-devtools/qemu/qemu-native_5.2.0.bb
deleted file mode 100644
index c8acff8e..00000000
--- a/meta-oniro-staging/recipes-devtools/qemu/qemu-native_5.2.0.bb
+++ /dev/null
@@ -1,9 +0,0 @@
-BPN = "qemu"
-
-DEPENDS = "glib-2.0-native zlib-native"
-
-require qemu-native.inc
-
-EXTRA_OECONF_append = " --target-list=${@get_qemu_usermode_target_list(d)} --disable-tools --disable-blobs --disable-guest-agent"
-
-PACKAGECONFIG ??= ""
diff --git a/meta-oniro-staging/recipes-devtools/qemu/qemu-system-native_5.2.0.bb b/meta-oniro-staging/recipes-devtools/qemu/qemu-system-native_5.2.0.bb
deleted file mode 100644
index 222b55cb..00000000
--- a/meta-oniro-staging/recipes-devtools/qemu/qemu-system-native_5.2.0.bb
+++ /dev/null
@@ -1,26 +0,0 @@
-BPN = "qemu"
-
-require qemu-native.inc
-
-# As some of the files installed by qemu-native and qemu-system-native
-# are the same, we depend on qemu-native to get the full installation set
-# and avoid file clashes
-DEPENDS = "glib-2.0-native zlib-native pixman-native qemu-native bison-native"
-
-EXTRA_OECONF_append = " --target-list=${@get_qemu_system_target_list(d)}"
-
-PACKAGECONFIG ??= "fdt alsa kvm \
- ${@bb.utils.contains('DISTRO_FEATURES', 'opengl', 'virglrenderer glx', '', d)} \
-"
-
-# Handle distros such as CentOS 5 32-bit that do not have kvm support
-PACKAGECONFIG_remove = "${@'kvm' if not os.path.exists('/usr/include/linux/kvm.h') else ''}"
-
-do_install_append() {
- install -Dm 0755 ${WORKDIR}/powerpc_rom.bin ${D}${datadir}/qemu
-
- # The following is also installed by qemu-native
- rm -f ${D}${datadir}/qemu/trace-events-all
- rm -rf ${D}${datadir}/qemu/keymaps
- rm -rf ${D}${datadir}/icons/
-}
diff --git a/meta-oniro-staging/recipes-devtools/qemu/qemu-targets.inc b/meta-oniro-staging/recipes-devtools/qemu/qemu-targets.inc
deleted file mode 100644
index 24f9a039..00000000
--- a/meta-oniro-staging/recipes-devtools/qemu/qemu-targets.inc
+++ /dev/null
@@ -1,28 +0,0 @@
-# possible arch values are:
-# aarch64 arm armeb alpha cris i386 x86_64 m68k microblaze
-# mips mipsel mips64 mips64el ppc ppc64 ppc64abi32 ppcemb
-# riscv32 riscv64 sparc sparc32 sparc32plus
-
-def get_qemu_target_list(d):
- import bb
- archs = d.getVar('QEMU_TARGETS').split()
- tos = d.getVar('HOST_OS')
- softmmuonly = ""
- for arch in ['ppcemb', 'lm32']:
- if arch in archs:
- softmmuonly += arch + "-softmmu,"
- archs.remove(arch)
- linuxuseronly = ""
- for arch in ['armeb', 'alpha', 'ppc64abi32', 'ppc64le', 'sparc32plus', 'aarch64_be']:
- if arch in archs:
- linuxuseronly += arch + "-linux-user,"
- archs.remove(arch)
- if 'linux' not in tos:
- return softmmuonly + ''.join([arch + "-softmmu" + "," for arch in archs]).rstrip(',')
- return softmmuonly + linuxuseronly + ''.join([arch + "-linux-user" + "," + arch + "-softmmu" + "," for arch in archs]).rstrip(',')
-
-def get_qemu_usermode_target_list(d):
- return ",".join(filter(lambda i: "-linux-user" in i, get_qemu_target_list(d).split(',')))
-
-def get_qemu_system_target_list(d):
- return ",".join(filter(lambda i: "-linux-user" not in i, get_qemu_target_list(d).split(',')))
diff --git a/meta-oniro-staging/recipes-devtools/qemu/qemu.inc b/meta-oniro-staging/recipes-devtools/qemu/qemu.inc
deleted file mode 100644
index f1e2e469..00000000
--- a/meta-oniro-staging/recipes-devtools/qemu/qemu.inc
+++ /dev/null
@@ -1,249 +0,0 @@
-SUMMARY = "Fast open source processor emulator"
-DESCRIPTION = "QEMU is a hosted virtual machine monitor: it emulates the \
-machine's processor through dynamic binary translation and provides a set \
-of different hardware and device models for the machine, enabling it to run \
-a variety of guest operating systems"
-HOMEPAGE = "http://qemu.org"
-LICENSE = "GPLv2 & LGPLv2.1"
-
-RDEPENDS_${PN}-ptest = "bash"
-
-require qemu-targets.inc
-inherit pkgconfig ptest
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=441c28d2cf86e15a37fa47e15a72fbac \
- file://COPYING.LIB;endline=24;md5=8c5efda6cf1e1b03dcfd0e6c0d271c7f"
-
-SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
- file://powerpc_rom.bin \
- file://run-ptest \
- file://0001-qemu-Add-missing-wacom-HID-descriptor.patch \
- file://0003-qemu-Add-addition-environment-space-to-boot-loader-q.patch \
- file://0004-qemu-disable-Valgrind.patch \
- file://0006-chardev-connect-socket-to-a-spawned-command.patch \
- file://0007-apic-fixup-fallthrough-to-PIC.patch \
- file://0010-configure-Add-pkg-config-handling-for-libgcrypt.patch \
- file://0001-Add-enable-disable-udev.patch \
- file://0001-qemu-Do-not-include-file-if-not-exists.patch \
- file://mingwfix.patch \
- file://mmap.patch \
- file://mmap2.patch \
- file://determinism.patch \
- file://0001-tests-meson.build-use-relative-path-to-refer-to-file.patch \
- file://CVE-2021-20203.patch \
- file://CVE-2020-35517_1.patch \
- file://CVE-2020-35517_2.patch \
- file://CVE-2020-35517_3.patch \
- file://CVE-2021-20181.patch \
- file://CVE-2020-29443.patch \
- file://CVE-2021-20221.patch \
- file://CVE-2021-3409_1.patch \
- file://CVE-2021-3409_2.patch \
- file://CVE-2021-3409_3.patch \
- file://CVE-2021-3409_4.patch \
- file://CVE-2021-3409_5.patch \
- file://CVE-2021-3409_6.patch \
- file://CVE-2021-3416_1.patch \
- file://CVE-2021-3416_2.patch \
- file://CVE-2021-3416_3.patch \
- file://CVE-2021-3416_4.patch \
- file://CVE-2021-3416_5.patch \
- file://CVE-2021-3416_6.patch \
- file://CVE-2021-3416_7.patch \
- file://CVE-2021-3416_8.patch \
- file://CVE-2021-3416_9.patch \
- file://CVE-2021-3416_10.patch \
- file://CVE-2021-20257.patch \
- file://CVE-2020-27821.patch \
- file://CVE-2021-20263.patch \
- file://CVE-2021-3392.patch \
- file://0001-vhost-user-gpu-fix-memory-disclosure-in-virgl_cmd_ge.patch \
- file://0002-vhost-user-gpu-fix-resource-leak-in-vg_resource_crea.patch \
- file://0003-vhost-user-gpu-fix-memory-leak-in-vg_resource_attach.patch \
- file://0004-vhost-user-gpu-fix-memory-leak-while-calling-vg_reso.patch \
- file://0005-vhost-user-gpu-fix-memory-leak-in-virgl_cmd_resource.patch \
- file://0006-vhost-user-gpu-fix-memory-leak-in-virgl_resource_att.patch \
- file://0007-vhost-user-gpu-fix-OOB-write-in-virgl_cmd_get_capset.patch \
- file://CVE-2021-3527-1.patch \
- file://CVE-2021-3527-2.patch \
- file://CVE-2021-3582.patch \
- file://CVE-2021-3607.patch \
- file://CVE-2021-3608.patch \
- "
-UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
-
-SRC_URI[sha256sum] = "cb18d889b628fbe637672b0326789d9b0e3b8027e0445b936537c78549df17bc"
-
-SRC_URI_append_class-target = " file://cross.patch"
-SRC_URI_append_class-nativesdk = " file://cross.patch"
-
-# Applies against virglrender < 0.6.0 and not qemu itself
-CVE_CHECK_WHITELIST += "CVE-2017-5957"
-
-# The VNC server can expose host files uder some circumstances. We don't
-# enable it by default.
-CVE_CHECK_WHITELIST += "CVE-2007-0998"
-
-# 'The issues identified by this CVE were determined to not constitute a vulnerability.'
-# https://bugzilla.redhat.com/show_bug.cgi?id=1609015#c11
-CVE_CHECK_WHITELIST += "CVE-2018-18438"
-
-# Following CVE's affect ESP (NCR53C90) part of chip STP2000 (Master I/O).
-# On Sparc32 it is the NCR89C100 part of the chip.
-# On Macintosh Quadra it is NCR53C96.
-# Both are not supported by yocto.
-# Reference: https://www.openwall.com/lists/oss-security/2021/04/16/3
-CVE_CHECK_WHITELIST += "CVE-2020-35504"
-CVE_CHECK_WHITELIST += "CVE-2020-35505"
-CVE_CHECK_WHITELIST += "CVE-2020-35506"
-
-COMPATIBLE_HOST_mipsarchn32 = "null"
-COMPATIBLE_HOST_mipsarchn64 = "null"
-
-# Per https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg03873.html
-# upstream states qemu doesn't work without optimization
-DEBUG_BUILD = "0"
-
-do_install_append() {
- # Prevent QA warnings about installed ${localstatedir}/run
- if [ -d ${D}${localstatedir}/run ]; then rmdir ${D}${localstatedir}/run; fi
-}
-
-do_install_ptest() {
- cp -rL ${B}/tests ${D}${PTEST_PATH}
- find ${D}${PTEST_PATH}/tests -type f -name "*.[Sshcodp]" | xargs -i rm -rf {}
-
- # Don't check the file genreated by configure
- sed -i -e 's,${HOSTTOOLS_DIR}/python3,${bindir}/python3,' \
- ${D}/${PTEST_PATH}/tests/qemu-iotests/common.env
- sed -i -e "1s,#!/usr/bin/bash,#!${base_bindir}/bash," ${D}${PTEST_PATH}/tests/data/acpi/disassemle-aml.sh
-
- # Strip the paths from the QEMU variable, we can use PATH
- sed -i -e "s#^QEMU=.*/qemu-#QEMU=qemu-#g" ${D}${PTEST_PATH}/tests/tcg/*.mak
-}
-
-# QEMU_TARGETS is overridable variable
-QEMU_TARGETS ?= "arm aarch64 i386 mips mipsel mips64 mips64el ppc ppc64 ppc64le riscv32 riscv64 sh4 x86_64"
-
-EXTRA_OECONF = " \
- --prefix=${prefix} \
- --bindir=${bindir} \
- --includedir=${includedir} \
- --libdir=${libdir} \
- --mandir=${mandir} \
- --datadir=${datadir} \
- --docdir=${docdir}/${BPN} \
- --sysconfdir=${sysconfdir} \
- --libexecdir=${libexecdir} \
- --localstatedir=${localstatedir} \
- --with-suffix=${BPN} \
- --disable-strip \
- --disable-werror \
- --extra-cflags='${CFLAGS}' \
- --extra-ldflags='${LDFLAGS}' \
- --with-git=/bin/false \
- --disable-git-update \
- --skip-meson \
- ${PACKAGECONFIG_CONFARGS} \
- "
-
-export LIBTOOL="${HOST_SYS}-libtool"
-
-B = "${WORKDIR}/build"
-
-#EXTRA_OECONF_append = " --python=${HOSTTOOLS_DIR}/python3"
-
-do_configure_prepend_class-native() {
- # Append build host pkg-config paths for native target since the host may provide sdl
- BHOST_PKGCONFIG_PATH=$(PATH=/usr/bin:/bin pkg-config --variable pc_path pkg-config || echo "")
- if [ ! -z "$BHOST_PKGCONFIG_PATH" ]; then
- export PKG_CONFIG_PATH=$PKG_CONFIG_PATH:$BHOST_PKGCONFIG_PATH
- fi
-}
-
-do_configure() {
- ${S}/configure ${EXTRA_OECONF}
-}
-do_configure[cleandirs] += "${B}"
-
-do_install () {
- export STRIP=""
- oe_runmake 'DESTDIR=${D}' install
-}
-
-# The following fragment will create a wrapper for qemu-mips user emulation
-# binary in order to work around a segmentation fault issue. Basically, by
-# default, the reserved virtual address space for 32-on-64 bit is set to 4GB.
-# This will trigger a MMU access fault in the virtual CPU. With this change,
-# the qemu-mips works fine.
-# IMPORTANT: This piece needs to be removed once the root cause is fixed!
-do_install_append() {
- if [ -e "${D}/${bindir}/qemu-mips" ]; then
- create_wrapper ${D}/${bindir}/qemu-mips \
- QEMU_RESERVED_VA=0x0
- fi
-}
-# END of qemu-mips workaround
-
-make_qemu_wrapper() {
- gdk_pixbuf_module_file=`pkg-config --variable=gdk_pixbuf_cache_file gdk-pixbuf-2.0`
-
- for tool in `ls ${D}${bindir}/qemu-system-*`; do
- create_wrapper $tool \
- GDK_PIXBUF_MODULE_FILE=$gdk_pixbuf_module_file \
- FONTCONFIG_PATH=/etc/fonts \
- GTK_THEME=Adwaita
- done
-}
-
-# Disable kvm/virgl/mesa on targets that do not support it
-PACKAGECONFIG_remove_darwin = "kvm virglrenderer glx gtk+"
-PACKAGECONFIG_remove_mingw32 = "kvm virglrenderer glx gtk+"
-
-PACKAGECONFIG[sdl] = "--enable-sdl,--disable-sdl,libsdl2"
-PACKAGECONFIG[virtfs] = "--enable-virtfs --enable-attr --enable-cap-ng,--disable-virtfs,libcap-ng attr,"
-PACKAGECONFIG[aio] = "--enable-linux-aio,--disable-linux-aio,libaio,"
-PACKAGECONFIG[xfs] = "--enable-xfsctl,--disable-xfsctl,xfsprogs,"
-PACKAGECONFIG[xen] = "--enable-xen,--disable-xen,xen-tools,xen-tools-libxenstore xen-tools-libxenctrl xen-tools-libxenguest"
-PACKAGECONFIG[vnc-sasl] = "--enable-vnc --enable-vnc-sasl,--disable-vnc-sasl,cyrus-sasl,"
-PACKAGECONFIG[vnc-jpeg] = "--enable-vnc --enable-vnc-jpeg,--disable-vnc-jpeg,jpeg,"
-PACKAGECONFIG[vnc-png] = "--enable-vnc --enable-vnc-png,--disable-vnc-png,libpng,"
-PACKAGECONFIG[libcurl] = "--enable-curl,--disable-curl,curl,"
-PACKAGECONFIG[nss] = "--enable-smartcard,--disable-smartcard,nss,"
-PACKAGECONFIG[curses] = "--enable-curses,--disable-curses,ncurses,"
-PACKAGECONFIG[gtk+] = "--enable-gtk,--disable-gtk,gtk+3 gettext-native"
-PACKAGECONFIG[vte] = "--enable-vte,--disable-vte,vte gettext-native"
-PACKAGECONFIG[libcap-ng] = "--enable-cap-ng,--disable-cap-ng,libcap-ng,"
-PACKAGECONFIG[ssh] = "--enable-libssh,--disable-libssh,libssh,"
-PACKAGECONFIG[gcrypt] = "--enable-gcrypt,--disable-gcrypt,libgcrypt,"
-PACKAGECONFIG[nettle] = "--enable-nettle,--disable-nettle,nettle"
-PACKAGECONFIG[libusb] = "--enable-libusb,--disable-libusb,libusb1"
-PACKAGECONFIG[fdt] = "--enable-fdt,--disable-fdt,dtc"
-PACKAGECONFIG[alsa] = "--audio-drv-list='oss alsa',,alsa-lib"
-PACKAGECONFIG[glx] = "--enable-opengl,--disable-opengl,virtual/libgl"
-PACKAGECONFIG[lzo] = "--enable-lzo,--disable-lzo,lzo"
-PACKAGECONFIG[numa] = "--enable-numa,--disable-numa,numactl"
-PACKAGECONFIG[gnutls] = "--enable-gnutls,--disable-gnutls,gnutls"
-PACKAGECONFIG[bzip2] = "--enable-bzip2,--disable-bzip2,bzip2"
-PACKAGECONFIG[libiscsi] = "--enable-libiscsi,--disable-libiscsi"
-PACKAGECONFIG[kvm] = "--enable-kvm,--disable-kvm"
-PACKAGECONFIG[virglrenderer] = "--enable-virglrenderer,--disable-virglrenderer,virglrenderer"
-# spice will be in meta-networking layer
-PACKAGECONFIG[spice] = "--enable-spice,--disable-spice,spice"
-# usbredir will be in meta-networking layer
-PACKAGECONFIG[usb-redir] = "--enable-usb-redir,--disable-usb-redir,usbredir"
-PACKAGECONFIG[snappy] = "--enable-snappy,--disable-snappy,snappy"
-PACKAGECONFIG[glusterfs] = "--enable-glusterfs,--disable-glusterfs,glusterfs"
-PACKAGECONFIG[xkbcommon] = "--enable-xkbcommon,--disable-xkbcommon,libxkbcommon"
-PACKAGECONFIG[libudev] = "--enable-libudev,--disable-libudev,eudev"
-PACKAGECONFIG[libxml2] = "--enable-libxml2,--disable-libxml2,libxml2"
-PACKAGECONFIG[attr] = "--enable-attr,--disable-attr,attr,"
-PACKAGECONFIG[rbd] = "--enable-rbd,--disable-rbd,ceph,ceph"
-PACKAGECONFIG[vhost] = "--enable-vhost-net,--disable-vhost-net,,"
-PACKAGECONFIG[ust] = "--enable-trace-backend=ust,--enable-trace-backend=nop,lttng-ust,"
-PACKAGECONFIG[pie] = "--enable-pie,--disable-pie,,"
-PACKAGECONFIG[seccomp] = "--enable-seccomp,--disable-seccomp,libseccomp"
-
-INSANE_SKIP_${PN} = "arch"
-
-FILES_${PN} += "${datadir}/icons"
diff --git a/meta-oniro-staging/recipes-devtools/qemu/qemu/0001-Add-enable-disable-udev.patch b/meta-oniro-staging/recipes-devtools/qemu/qemu/0001-Add-enable-disable-udev.patch
deleted file mode 100644
index c99adee8..00000000
--- a/meta-oniro-staging/recipes-devtools/qemu/qemu/0001-Add-enable-disable-udev.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From b921e5204030845dc7c9d16d5f66d965e8d05367 Mon Sep 17 00:00:00 2001
-From: Jeremy Puhlman <jpuhlman@mvista.com>
-Date: Thu, 19 Mar 2020 11:54:26 -0700
-Subject: [PATCH] Add enable/disable libudev
-
-Upstream-Status: Pending
-Signed-off-by: Jeremy Puhlman <jpuhlman@mvista.com>
-
-[update patch context]
-Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
----
- configure | 4 ++++
- 1 file changed, 4 insertions(+)
-
-Index: qemu-5.2.0/configure
-===================================================================
---- qemu-5.2.0.orig/configure
-+++ qemu-5.2.0/configure
-@@ -1525,6 +1525,10 @@ for opt do
- ;;
- --disable-libdaxctl) libdaxctl=no
- ;;
-+ --enable-libudev) libudev="yes"
-+ ;;
-+ --disable-libudev) libudev="no"
-+ ;;
- *)
- echo "ERROR: unknown option $opt"
- echo "Try '$0 --help' for more information"
diff --git a/meta-oniro-staging/recipes-devtools/qemu/qemu/0001-qemu-Add-missing-wacom-HID-descriptor.patch b/meta-oniro-staging/recipes-devtools/qemu/qemu/0001-qemu-Add-missing-wacom-HID-descriptor.patch
deleted file mode 100644
index 8ce12bdb..00000000
--- a/meta-oniro-staging/recipes-devtools/qemu/qemu/0001-qemu-Add-missing-wacom-HID-descriptor.patch
+++ /dev/null
@@ -1,141 +0,0 @@
-From 883feb43129dc39b491e492c7ccfe89aefe53c44 Mon Sep 17 00:00:00 2001
-From: Richard Purdie <richard.purdie@linuxfoundation.org>
-Date: Thu, 27 Nov 2014 14:04:29 +0000
-Subject: [PATCH] qemu: Add missing wacom HID descriptor
-
-The USB wacom device is missing a HID descriptor which causes it
-to fail to operate with recent kernels (e.g. 3.17).
-
-This patch adds a HID desriptor to the device, based upon one from
-real wcom device.
-
-Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-
-Upstream-Status: Submitted
-2014/11/27
-
-[update patch context]
-Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
----
- hw/usb/dev-wacom.c | 94 +++++++++++++++++++++++++++++++++++++++++++++-
- 1 file changed, 93 insertions(+), 1 deletion(-)
-
-Index: qemu-5.2.0/hw/usb/dev-wacom.c
-===================================================================
---- qemu-5.2.0.orig/hw/usb/dev-wacom.c
-+++ qemu-5.2.0/hw/usb/dev-wacom.c
-@@ -69,6 +69,89 @@ static const USBDescStrings desc_strings
- [STR_SERIALNUMBER] = "1",
- };
-
-+static const uint8_t qemu_tablet_hid_report_descriptor[] = {
-+ 0x05, 0x01, /* Usage Page (Generic Desktop) */
-+ 0x09, 0x02, /* Usage (Mouse) */
-+ 0xa1, 0x01, /* Collection (Application) */
-+ 0x85, 0x01, /* Report ID (1) */
-+ 0x09, 0x01, /* Usage (Pointer) */
-+ 0xa1, 0x00, /* Collection (Physical) */
-+ 0x05, 0x09, /* Usage Page (Button) */
-+ 0x19, 0x01, /* Usage Minimum (1) */
-+ 0x29, 0x05, /* Usage Maximum (5) */
-+ 0x15, 0x00, /* Logical Minimum (0) */
-+ 0x25, 0x01, /* Logical Maximum (1) */
-+ 0x95, 0x05, /* Report Count (5) */
-+ 0x75, 0x01, /* Report Size (1) */
-+ 0x81, 0x02, /* Input (Data, Variable, Absolute) */
-+ 0x95, 0x01, /* Report Count (1) */
-+ 0x75, 0x03, /* Report Size (3) */
-+ 0x81, 0x01, /* Input (Constant) */
-+ 0x05, 0x01, /* Usage Page (Generic Desktop) */
-+ 0x09, 0x30, /* Usage (X) */
-+ 0x09, 0x31, /* Usage (Y) */
-+ 0x15, 0x81, /* Logical Minimum (-127) */
-+ 0x25, 0x7f, /* Logical Maximum (127) */
-+ 0x75, 0x08, /* Report Size (8) */
-+ 0x95, 0x02, /* Report Count (2) */
-+ 0x81, 0x06, /* Input (Data, Variable, Relative) */
-+ 0xc0, /* End Collection */
-+ 0xc0, /* End Collection */
-+ 0x05, 0x0d, /* Usage Page (Digitizer) */
-+ 0x09, 0x01, /* Usage (Digitizer) */
-+ 0xa1, 0x01, /* Collection (Application) */
-+ 0x85, 0x02, /* Report ID (2) */
-+ 0xa1, 0x00, /* Collection (Physical) */
-+ 0x06, 0x00, 0xff, /* Usage Page (Vendor 0xff00) */
-+ 0x09, 0x01, /* Usage (Digitizer) */
-+ 0x15, 0x00, /* Logical Minimum (0) */
-+ 0x26, 0xff, 0x00, /* Logical Maximum (255) */
-+ 0x75, 0x08, /* Report Size (8) */
-+ 0x95, 0x08, /* Report Count (8) */
-+ 0x81, 0x02, /* Input (Data, Variable, Absolute) */
-+ 0xc0, /* End Collection */
-+ 0x09, 0x01, /* Usage (Digitizer) */
-+ 0x85, 0x02, /* Report ID (2) */
-+ 0x95, 0x01, /* Report Count (1) */
-+ 0xb1, 0x02, /* FEATURE (2) */
-+ 0xc0, /* End Collection */
-+ 0x06, 0x00, 0xff, /* Usage Page (Vendor 0xff00) */
-+ 0x09, 0x01, /* Usage (Digitizer) */
-+ 0xa1, 0x01, /* Collection (Application) */
-+ 0x85, 0x02, /* Report ID (2) */
-+ 0x05, 0x0d, /* Usage Page (Digitizer) */
-+ 0x09, 0x22, /* Usage (Finger) */
-+ 0xa1, 0x00, /* Collection (Physical) */
-+ 0x06, 0x00, 0xff, /* Usage Page (Vendor 0xff00) */
-+ 0x09, 0x01, /* Usage (Digitizer) */
-+ 0x15, 0x00, /* Logical Minimum (0) */
-+ 0x26, 0xff, 0x00, /* Logical Maximum */
-+ 0x75, 0x08, /* Report Size (8) */
-+ 0x95, 0x02, /* Report Count (2) */
-+ 0x81, 0x02, /* Input (Data, Variable, Absolute) */
-+ 0x05, 0x01, /* Usage Page (Generic Desktop) */
-+ 0x09, 0x30, /* Usage (X) */
-+ 0x35, 0x00, /* Physical Minimum */
-+ 0x46, 0xe0, 0x2e, /* Physical Maximum */
-+ 0x26, 0xe0, 0x01, /* Logical Maximum */
-+ 0x75, 0x10, /* Report Size (16) */
-+ 0x95, 0x01, /* Report Count (1) */
-+ 0x81, 0x02, /* Input (Data, Variable, Absolute) */
-+ 0x09, 0x31, /* Usage (Y) */
-+ 0x46, 0x40, 0x1f, /* Physical Maximum */
-+ 0x26, 0x40, 0x01, /* Logical Maximum */
-+ 0x81, 0x02, /* Input (Data, Variable, Absolute) */
-+ 0x06, 0x00, 0xff, /* Usage Page (Vendor 0xff00) */
-+ 0x09, 0x01, /* Usage (Digitizer) */
-+ 0x26, 0xff, 0x00, /* Logical Maximum */
-+ 0x75, 0x08, /* Report Size (8) */
-+ 0x95, 0x0d, /* Report Count (13) */
-+ 0x81, 0x02, /* Input (Data, Variable, Absolute) */
-+ 0xc0, /* End Collection */
-+ 0xc0, /* End Collection */
-+};
-+
-+
- static const USBDescIface desc_iface_wacom = {
- .bInterfaceNumber = 0,
- .bNumEndpoints = 1,
-@@ -86,7 +169,7 @@ static const USBDescIface desc_iface_wac
- 0x00, /* u8 country_code */
- 0x01, /* u8 num_descriptors */
- USB_DT_REPORT, /* u8 type: Report */
-- 0x6e, 0, /* u16 len */
-+ sizeof(qemu_tablet_hid_report_descriptor), 0, /* u16 len */
- },
- },
- },
-@@ -266,6 +349,15 @@ static void usb_wacom_handle_control(USB
- }
-
- switch (request) {
-+ case InterfaceRequest | USB_REQ_GET_DESCRIPTOR:
-+ switch (value >> 8) {
-+ case 0x22:
-+ memcpy(data, qemu_tablet_hid_report_descriptor,
-+ sizeof(qemu_tablet_hid_report_descriptor));
-+ p->actual_length = sizeof(qemu_tablet_hid_report_descriptor);
-+ break;
-+ }
-+ break;
- case WACOM_SET_REPORT:
- if (s->mouse_grabbed) {
- qemu_remove_mouse_event_handler(s->eh_entry);
diff --git a/meta-oniro-staging/recipes-devtools/qemu/qemu/0001-qemu-Do-not-include-file-if-not-exists.patch b/meta-oniro-staging/recipes-devtools/qemu/qemu/0001-qemu-Do-not-include-file-if-not-exists.patch
deleted file mode 100644
index 3fe9aa6e..00000000
--- a/meta-oniro-staging/recipes-devtools/qemu/qemu/0001-qemu-Do-not-include-file-if-not-exists.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 34247f83095f8cdcdc1f9d7f0c6ffbd46b25d979 Mon Sep 17 00:00:00 2001
-From: Oleksiy Obitotskyy <oobitots@cisco.com>
-Date: Wed, 25 Mar 2020 21:21:35 +0200
-Subject: [PATCH] qemu: Do not include file if not exists
-
-Script configure checks for if_alg.h and check failed but
-if_alg.h still included.
-
-Upstream-Status: Submitted [https://lists.gnu.org/archive/html/qemu-devel/2020-03/msg07188.html]
-Signed-off-by: Oleksiy Obitotskyy <oobitots@cisco.com>
-
-[update patch context]
-Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
----
- linux-user/syscall.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-Index: qemu-5.2.0/linux-user/syscall.c
-===================================================================
---- qemu-5.2.0.orig/linux-user/syscall.c
-+++ qemu-5.2.0/linux-user/syscall.c
-@@ -109,7 +109,9 @@
- #include <linux/blkpg.h>
- #include <netpacket/packet.h>
- #include <linux/netlink.h>
-+#if defined(CONFIG_AF_ALG)
- #include <linux/if_alg.h>
-+#endif
- #include <linux/rtc.h>
- #include <sound/asound.h>
- #ifdef CONFIG_BTRFS
diff --git a/meta-oniro-staging/recipes-devtools/qemu/qemu/0001-tests-meson.build-use-relative-path-to-refer-to-file.patch b/meta-oniro-staging/recipes-devtools/qemu/qemu/0001-tests-meson.build-use-relative-path-to-refer-to-file.patch
deleted file mode 100644
index 5cb5757c..00000000
--- a/meta-oniro-staging/recipes-devtools/qemu/qemu/0001-tests-meson.build-use-relative-path-to-refer-to-file.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From a4bdc0416134477e4eae386db04b1de7491163bb Mon Sep 17 00:00:00 2001
-From: Changqing Li <changqing.li@windriver.com>
-Date: Thu, 14 Jan 2021 06:33:04 +0000
-Subject: [PATCH] tests/meson.build: use relative path to refer to files
-
-Fix error like:
-Fatal error: can't create tests/ptimer-test.p/..._qemu-5.2.0_hw_core_ptimer.c.o: File name too long
-
-when build path is too long, use meson.source_root() will make this
-filename too long. Fixed by using relative path to refer to files
-
-Upstream-Status: Submitted [send to qemu-devel]
-
-Signed-off-by: Changqing Li <changqing.li@windriver.com>
----
- tests/meson.build | 2 +-
- 1 files changed, 1 insertions(+), 1 deletion(-)
-
-diff --git a/tests/meson.build b/tests/meson.build
-index afeb6be..54684b5 100644
---- a/tests/meson.build
-+++ b/tests/meson.build
-@@ -113,7 +113,7 @@ tests = {
- 'test-keyval': [testqapi],
- 'test-logging': [],
- 'test-uuid': [],
-- 'ptimer-test': ['ptimer-test-stubs.c', meson.source_root() / 'hw/core/ptimer.c'],
-+ 'ptimer-test': ['ptimer-test-stubs.c', '../hw/core/ptimer.c'],
- 'test-qapi-util': [],
- }
-
---
-2.29.2
-
diff --git a/meta-oniro-staging/recipes-devtools/qemu/qemu/0001-vhost-user-gpu-fix-memory-disclosure-in-virgl_cmd_ge.patch b/meta-oniro-staging/recipes-devtools/qemu/qemu/0001-vhost-user-gpu-fix-memory-disclosure-in-virgl_cmd_ge.patch
deleted file mode 100644
index 981c2372..00000000
--- a/meta-oniro-staging/recipes-devtools/qemu/qemu/0001-vhost-user-gpu-fix-memory-disclosure-in-virgl_cmd_ge.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-CVE: CVE-2021-3545
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@arm.com>
-
-From 121841b25d72d13f8cad554363138c360f1250ea Mon Sep 17 00:00:00 2001
-From: Li Qiang <liq3ea@163.com>
-Date: Sat, 15 May 2021 20:03:56 -0700
-Subject: [PATCH 1/7] vhost-user-gpu: fix memory disclosure in
- virgl_cmd_get_capset_info (CVE-2021-3545)
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Otherwise some of the 'resp' will be leaked to guest.
-
-Fixes: CVE-2021-3545
-Reported-by: Li Qiang <liq3ea@163.com>
-virtio-gpu fix: 42a8dadc74 ("virtio-gpu: fix information leak
-in getting capset info dispatch")
-
-Signed-off-by: Li Qiang <liq3ea@163.com>
-Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Message-Id: <20210516030403.107723-2-liq3ea@163.com>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- contrib/vhost-user-gpu/virgl.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c
-index 9e6660c7ab..6a332d601f 100644
---- a/contrib/vhost-user-gpu/virgl.c
-+++ b/contrib/vhost-user-gpu/virgl.c
-@@ -128,6 +128,7 @@ virgl_cmd_get_capset_info(VuGpu *g,
-
- VUGPU_FILL_CMD(info);
-
-+ memset(&resp, 0, sizeof(resp));
- if (info.capset_index == 0) {
- resp.capset_id = VIRTIO_GPU_CAPSET_VIRGL;
- virgl_renderer_get_cap_set(resp.capset_id,
---
-2.25.1
-
diff --git a/meta-oniro-staging/recipes-devtools/qemu/qemu/0002-vhost-user-gpu-fix-resource-leak-in-vg_resource_crea.patch b/meta-oniro-staging/recipes-devtools/qemu/qemu/0002-vhost-user-gpu-fix-resource-leak-in-vg_resource_crea.patch
deleted file mode 100644
index a9aee47e..00000000
--- a/meta-oniro-staging/recipes-devtools/qemu/qemu/0002-vhost-user-gpu-fix-resource-leak-in-vg_resource_crea.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-CVE: CVE-2021-3544
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@arm.com>
-
-From 86dd8fac2acc366930a5dc08d3fb1b1e816f4e1e Mon Sep 17 00:00:00 2001
-From: Li Qiang <liq3ea@163.com>
-Date: Sat, 15 May 2021 20:03:57 -0700
-Subject: [PATCH 2/7] vhost-user-gpu: fix resource leak in
- 'vg_resource_create_2d' (CVE-2021-3544)
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Call 'vugbm_buffer_destroy' in error path to avoid resource leak.
-
-Fixes: CVE-2021-3544
-Reported-by: Li Qiang <liq3ea@163.com>
-Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
-Signed-off-by: Li Qiang <liq3ea@163.com>
-Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Message-Id: <20210516030403.107723-3-liq3ea@163.com>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- contrib/vhost-user-gpu/vhost-user-gpu.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/contrib/vhost-user-gpu/vhost-user-gpu.c b/contrib/vhost-user-gpu/vhost-user-gpu.c
-index f73f292c9f..b5e153d0d6 100644
---- a/contrib/vhost-user-gpu/vhost-user-gpu.c
-+++ b/contrib/vhost-user-gpu/vhost-user-gpu.c
-@@ -349,6 +349,7 @@ vg_resource_create_2d(VuGpu *g,
- g_critical("%s: resource creation failed %d %d %d",
- __func__, c2d.resource_id, c2d.width, c2d.height);
- g_free(res);
-+ vugbm_buffer_destroy(&res->buffer);
- cmd->error = VIRTIO_GPU_RESP_ERR_OUT_OF_MEMORY;
- return;
- }
---
-2.25.1
-
diff --git a/meta-oniro-staging/recipes-devtools/qemu/qemu/0003-qemu-Add-addition-environment-space-to-boot-loader-q.patch b/meta-oniro-staging/recipes-devtools/qemu/qemu/0003-qemu-Add-addition-environment-space-to-boot-loader-q.patch
deleted file mode 100644
index fd54f96b..00000000
--- a/meta-oniro-staging/recipes-devtools/qemu/qemu/0003-qemu-Add-addition-environment-space-to-boot-loader-q.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From ce1eceab2350d27960ec254650717085f6a11c9a Mon Sep 17 00:00:00 2001
-From: Jason Wessel <jason.wessel@windriver.com>
-Date: Fri, 28 Mar 2014 17:42:43 +0800
-Subject: [PATCH] qemu: Add addition environment space to boot loader
- qemu-system-mips
-
-Upstream-Status: Inappropriate - OE uses deep paths
-
-If you create a project with very long directory names like 128 characters
-deep and use NFS, the kernel arguments will be truncated. The kernel will
-accept longer strings such as 1024 bytes, but the qemu boot loader defaulted
-to only 256 bytes. This patch expands the limit.
-
-Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
-Signed-off-by: Roy Li <rongqing.li@windriver.com>
-
----
- hw/mips/malta.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-Index: qemu-5.2.0/hw/mips/malta.c
-===================================================================
---- qemu-5.2.0.orig/hw/mips/malta.c
-+++ qemu-5.2.0/hw/mips/malta.c
-@@ -62,7 +62,7 @@
-
- #define ENVP_ADDR 0x80002000l
- #define ENVP_NB_ENTRIES 16
--#define ENVP_ENTRY_SIZE 256
-+#define ENVP_ENTRY_SIZE 1024
-
- /* Hardware addresses */
- #define FLASH_ADDRESS 0x1e000000ULL
diff --git a/meta-oniro-staging/recipes-devtools/qemu/qemu/0003-vhost-user-gpu-fix-memory-leak-in-vg_resource_attach.patch b/meta-oniro-staging/recipes-devtools/qemu/qemu/0003-vhost-user-gpu-fix-memory-leak-in-vg_resource_attach.patch
deleted file mode 100644
index 17184864..00000000
--- a/meta-oniro-staging/recipes-devtools/qemu/qemu/0003-vhost-user-gpu-fix-memory-leak-in-vg_resource_attach.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-CVE: CVE-2021-3544
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@arm.com>
-
-From b9f79858a614d95f5de875d0ca31096eaab72c3b Mon Sep 17 00:00:00 2001
-From: Li Qiang <liq3ea@163.com>
-Date: Sat, 15 May 2021 20:03:58 -0700
-Subject: [PATCH 3/7] vhost-user-gpu: fix memory leak in
- vg_resource_attach_backing (CVE-2021-3544)
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Check whether the 'res' has already been attach_backing to avoid
-memory leak.
-
-Fixes: CVE-2021-3544
-Reported-by: Li Qiang <liq3ea@163.com>
-virtio-gpu fix: 204f01b309 ("virtio-gpu: fix memory leak
-in resource attach backing")
-
-Signed-off-by: Li Qiang <liq3ea@163.com>
-Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Message-Id: <20210516030403.107723-4-liq3ea@163.com>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- contrib/vhost-user-gpu/vhost-user-gpu.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/contrib/vhost-user-gpu/vhost-user-gpu.c b/contrib/vhost-user-gpu/vhost-user-gpu.c
-index b5e153d0d6..0437e52b64 100644
---- a/contrib/vhost-user-gpu/vhost-user-gpu.c
-+++ b/contrib/vhost-user-gpu/vhost-user-gpu.c
-@@ -489,6 +489,11 @@ vg_resource_attach_backing(VuGpu *g,
- return;
- }
-
-+ if (res->iov) {
-+ cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;
-+ return;
-+ }
-+
- ret = vg_create_mapping_iov(g, &ab, cmd, &res->iov);
- if (ret != 0) {
- cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;
---
-2.25.1
-
diff --git a/meta-oniro-staging/recipes-devtools/qemu/qemu/0004-qemu-disable-Valgrind.patch b/meta-oniro-staging/recipes-devtools/qemu/qemu/0004-qemu-disable-Valgrind.patch
deleted file mode 100644
index a0bd1c5e..00000000
--- a/meta-oniro-staging/recipes-devtools/qemu/qemu/0004-qemu-disable-Valgrind.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 4127296bb1046cdf73994ba69dc913d8c02fd74f Mon Sep 17 00:00:00 2001
-From: Ross Burton <ross.burton@intel.com>
-Date: Tue, 20 Oct 2015 22:19:08 +0100
-Subject: [PATCH] qemu: disable Valgrind
-
-There isn't an option to enable or disable valgrind support, so disable it to avoid non-deterministic builds.
-
-Upstream-Status: Inappropriate
-Signed-off-by: Ross Burton <ross.burton@intel.com>
-
----
- configure | 9 ---------
- 1 file changed, 9 deletions(-)
-
-Index: qemu-5.2.0/configure
-===================================================================
---- qemu-5.2.0.orig/configure
-+++ qemu-5.2.0/configure
-@@ -5001,15 +5001,6 @@ fi
- # check if we have valgrind/valgrind.h
-
- valgrind_h=no
--cat > $TMPC << EOF
--#include <valgrind/valgrind.h>
--int main(void) {
-- return 0;
--}
--EOF
--if compile_prog "" "" ; then
-- valgrind_h=yes
--fi
-
- ########################################
- # check if environ is declared
diff --git a/meta-oniro-staging/recipes-devtools/qemu/qemu/0004-vhost-user-gpu-fix-memory-leak-while-calling-vg_reso.patch b/meta-oniro-staging/recipes-devtools/qemu/qemu/0004-vhost-user-gpu-fix-memory-leak-while-calling-vg_reso.patch
deleted file mode 100644
index 9fc2fafe..00000000
--- a/meta-oniro-staging/recipes-devtools/qemu/qemu/0004-vhost-user-gpu-fix-memory-leak-while-calling-vg_reso.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-CVE: CVE-2021-3544
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@arm.com>
-
-From b7afebcf9e6ecf3cf9b5a9b9b731ed04bca6aa3e Mon Sep 17 00:00:00 2001
-From: Li Qiang <liq3ea@163.com>
-Date: Sat, 15 May 2021 20:03:59 -0700
-Subject: [PATCH 4/7] vhost-user-gpu: fix memory leak while calling
- 'vg_resource_unref' (CVE-2021-3544)
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-If the guest trigger following sequences, the attach_backing will be leaked:
-
- vg_resource_create_2d
- vg_resource_attach_backing
- vg_resource_unref
-
-This patch fix this by freeing 'res->iov' in vg_resource_destroy.
-
-Fixes: CVE-2021-3544
-Reported-by: Li Qiang <liq3ea@163.com>
-virtio-gpu fix: 5e8e3c4c75 ("virtio-gpu: fix resource leak
-in virgl_cmd_resource_unref")
-
-Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
-Signed-off-by: Li Qiang <liq3ea@163.com>
-Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Message-Id: <20210516030403.107723-5-liq3ea@163.com>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- contrib/vhost-user-gpu/vhost-user-gpu.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/contrib/vhost-user-gpu/vhost-user-gpu.c b/contrib/vhost-user-gpu/vhost-user-gpu.c
-index 0437e52b64..770dfad529 100644
---- a/contrib/vhost-user-gpu/vhost-user-gpu.c
-+++ b/contrib/vhost-user-gpu/vhost-user-gpu.c
-@@ -400,6 +400,7 @@ vg_resource_destroy(VuGpu *g,
- }
-
- vugbm_buffer_destroy(&res->buffer);
-+ g_free(res->iov);
- pixman_image_unref(res->image);
- QTAILQ_REMOVE(&g->reslist, res, next);
- g_free(res);
---
-2.25.1
-
diff --git a/meta-oniro-staging/recipes-devtools/qemu/qemu/0005-vhost-user-gpu-fix-memory-leak-in-virgl_cmd_resource.patch b/meta-oniro-staging/recipes-devtools/qemu/qemu/0005-vhost-user-gpu-fix-memory-leak-in-virgl_cmd_resource.patch
deleted file mode 100644
index e70f3c02..00000000
--- a/meta-oniro-staging/recipes-devtools/qemu/qemu/0005-vhost-user-gpu-fix-memory-leak-in-virgl_cmd_resource.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-CVE: CVE-2021-3544
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@arm.com>
-
-From f6091d86ba9ea05f4e111b9b42ee0005c37a6779 Mon Sep 17 00:00:00 2001
-From: Li Qiang <liq3ea@163.com>
-Date: Sat, 15 May 2021 20:04:00 -0700
-Subject: [PATCH 5/7] vhost-user-gpu: fix memory leak in
- 'virgl_cmd_resource_unref' (CVE-2021-3544)
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The 'res->iov' will be leaked if the guest trigger following sequences:
-
- virgl_cmd_create_resource_2d
- virgl_resource_attach_backing
- virgl_cmd_resource_unref
-
-This patch fixes this.
-
-Fixes: CVE-2021-3544
-Reported-by: Li Qiang <liq3ea@163.com>
-virtio-gpu fix: 5e8e3c4c75 ("virtio-gpu: fix resource leak
-in virgl_cmd_resource_unref"
-
-Signed-off-by: Li Qiang <liq3ea@163.com>
-Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Message-Id: <20210516030403.107723-6-liq3ea@163.com>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- contrib/vhost-user-gpu/virgl.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c
-index 6a332d601f..c669d73a1d 100644
---- a/contrib/vhost-user-gpu/virgl.c
-+++ b/contrib/vhost-user-gpu/virgl.c
-@@ -108,9 +108,16 @@ virgl_cmd_resource_unref(VuGpu *g,
- struct virtio_gpu_ctrl_command *cmd)
- {
- struct virtio_gpu_resource_unref unref;
-+ struct iovec *res_iovs = NULL;
-+ int num_iovs = 0;
-
- VUGPU_FILL_CMD(unref);
-
-+ virgl_renderer_resource_detach_iov(unref.resource_id,
-+ &res_iovs,
-+ &num_iovs);
-+ g_free(res_iovs);
-+
- virgl_renderer_resource_unref(unref.resource_id);
- }
-
---
-2.25.1
-
diff --git a/meta-oniro-staging/recipes-devtools/qemu/qemu/0006-chardev-connect-socket-to-a-spawned-command.patch b/meta-oniro-staging/recipes-devtools/qemu/qemu/0006-chardev-connect-socket-to-a-spawned-command.patch
deleted file mode 100644
index 201125c1..00000000
--- a/meta-oniro-staging/recipes-devtools/qemu/qemu/0006-chardev-connect-socket-to-a-spawned-command.patch
+++ /dev/null
@@ -1,243 +0,0 @@
-From bcc63f775e265df69963a4ad7805b8678ace68f0 Mon Sep 17 00:00:00 2001
-From: Alistair Francis <alistair.francis@xilinx.com>
-Date: Thu, 21 Dec 2017 11:35:16 -0800
-Subject: [PATCH] chardev: connect socket to a spawned command
-
-The command is started in a shell (sh -c) with stdin connect to QEMU
-via a Unix domain stream socket. QEMU then exchanges data via its own
-end of the socket, just like it normally does.
-
-"-chardev socket" supports some ways of connecting via protocols like
-telnet, but that is only a subset of the functionality supported by
-tools socat. To use socat instead, for example to connect via a socks
-proxy, use:
-
- -chardev 'socket,id=socat,cmd=exec socat FD:0 SOCKS4A:socks-proxy.localdomain:example.com:9999,,socksuser=nobody' \
- -device usb-serial,chardev=socat
-
-Beware that commas in the command must be escaped as double commas.
-
-Or interactively in the console:
- (qemu) chardev-add socket,id=cat,cmd=cat
- (qemu) device_add usb-serial,chardev=cat
- ^ac
- # cat >/dev/ttyUSB0
- hello
- hello
-
-Another usage is starting swtpm from inside QEMU. swtpm will
-automatically shut down once it looses the connection to the parent
-QEMU, so there is no risk of lingering processes:
-
- -chardev 'socket,id=chrtpm0,cmd=exec swtpm socket --terminate --ctrl type=unixio,,clientfd=0 --tpmstate dir=... --log file=swtpm.log' \
- -tpmdev emulator,id=tpm0,chardev=chrtpm0 \
- -device tpm-tis,tpmdev=tpm0
-
-The patch was discussed upstream, but QEMU developers believe that the
-code calling QEMU should be responsible for managing additional
-processes. In OE-core, that would imply enhancing runqemu and
-oeqa. This patch is a simpler solution.
-
-Because it is not going upstream, the patch was written so that it is
-as simple as possible.
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
-
----
- chardev/char-socket.c | 101 ++++++++++++++++++++++++++++++++++++++++++
- chardev/char.c | 3 ++
- qapi/char.json | 5 +++
- 3 files changed, 109 insertions(+)
-
-Index: qemu-5.2.0/chardev/char-socket.c
-===================================================================
---- qemu-5.2.0.orig/chardev/char-socket.c
-+++ qemu-5.2.0/chardev/char-socket.c
-@@ -1308,6 +1308,67 @@ static bool qmp_chardev_validate_socket(
- return true;
- }
-
-+#ifndef _WIN32
-+static void chardev_open_socket_cmd(Chardev *chr,
-+ const char *cmd,
-+ Error **errp)
-+{
-+ int fds[2] = { -1, -1 };
-+ QIOChannelSocket *sioc = NULL;
-+ pid_t pid = -1;
-+ const char *argv[] = { "/bin/sh", "-c", cmd, NULL };
-+
-+ /*
-+ * We need a Unix domain socket for commands like swtpm and a single
-+ * connection, therefore we cannot use qio_channel_command_new_spawn()
-+ * without patching it first. Duplicating the functionality is easier.
-+ */
-+ if (socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC, 0, fds)) {
-+ error_setg_errno(errp, errno, "Error creating socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC)");
-+ goto error;
-+ }
-+
-+ pid = qemu_fork(errp);
-+ if (pid < 0) {
-+ goto error;
-+ }
-+
-+ if (!pid) {
-+ /* child */
-+ dup2(fds[1], STDIN_FILENO);
-+ execv(argv[0], (char * const *)argv);
-+ _exit(1);
-+ }
-+
-+ /*
-+ * Hand over our end of the socket pair to the qio channel.
-+ *
-+ * We don't reap the child because it is expected to keep
-+ * running. We also don't support the "reconnect" option for the
-+ * same reason.
-+ */
-+ sioc = qio_channel_socket_new_fd(fds[0], errp);
-+ if (!sioc) {
-+ goto error;
-+ }
-+ fds[0] = -1;
-+
-+ g_free(chr->filename);
-+ chr->filename = g_strdup_printf("cmd:%s", cmd);
-+ tcp_chr_new_client(chr, sioc);
-+
-+ error:
-+ if (fds[0] >= 0) {
-+ close(fds[0]);
-+ }
-+ if (fds[1] >= 0) {
-+ close(fds[1]);
-+ }
-+ if (sioc) {
-+ object_unref(OBJECT(sioc));
-+ }
-+}
-+#endif
-
- static void qmp_chardev_open_socket(Chardev *chr,
- ChardevBackend *backend,
-@@ -1316,6 +1377,9 @@ static void qmp_chardev_open_socket(Char
- {
- SocketChardev *s = SOCKET_CHARDEV(chr);
- ChardevSocket *sock = backend->u.socket.data;
-+#ifndef _WIN32
-+ const char *cmd = sock->cmd;
-+#endif
- bool do_nodelay = sock->has_nodelay ? sock->nodelay : false;
- bool is_listen = sock->has_server ? sock->server : true;
- bool is_telnet = sock->has_telnet ? sock->telnet : false;
-@@ -1381,6 +1445,14 @@ static void qmp_chardev_open_socket(Char
-
- update_disconnected_filename(s);
-
-+#ifndef _WIN32
-+ if (cmd) {
-+ chardev_open_socket_cmd(chr, cmd, errp);
-+
-+ /* everything ready (or failed permanently) before we return */
-+ *be_opened = true;
-+ } else
-+#endif
- if (s->is_listen) {
- if (qmp_chardev_open_socket_server(chr, is_telnet || is_tn3270,
- is_waitconnect, errp) < 0) {
-@@ -1400,6 +1472,9 @@ static void qemu_chr_parse_socket(QemuOp
- const char *host = qemu_opt_get(opts, "host");
- const char *port = qemu_opt_get(opts, "port");
- const char *fd = qemu_opt_get(opts, "fd");
-+#ifndef _WIN32
-+ const char *cmd = qemu_opt_get(opts, "cmd");
-+#endif
- #ifdef CONFIG_LINUX
- bool tight = qemu_opt_get_bool(opts, "tight", true);
- bool abstract = qemu_opt_get_bool(opts, "abstract", false);
-@@ -1407,6 +1482,20 @@ static void qemu_chr_parse_socket(QemuOp
- SocketAddressLegacy *addr;
- ChardevSocket *sock;
-
-+#ifndef _WIN32
-+ if (cmd) {
-+ /*
-+ * Here we have to ensure that no options are set which are incompatible with
-+ * spawning a command, otherwise unmodified code that doesn't know about
-+ * command spawning (like socket_reconnect_timeout()) might get called.
-+ */
-+ if (path || sock->server || sock->has_telnet || sock->has_tn3270 || sock->reconnect || host || port || sock->tls_creds) {
-+ error_setg(errp, "chardev: socket: cmd does not support any additional options");
-+ return;
-+ }
-+ } else
-+#endif
-+
- if ((!!path + !!fd + !!host) != 1) {
- error_setg(errp,
- "Exactly one of 'path', 'fd' or 'host' required");
-@@ -1448,13 +1537,24 @@ static void qemu_chr_parse_socket(QemuOp
- sock->tls_creds = g_strdup(qemu_opt_get(opts, "tls-creds"));
- sock->has_tls_authz = qemu_opt_get(opts, "tls-authz");
- sock->tls_authz = g_strdup(qemu_opt_get(opts, "tls-authz"));
-+#ifndef _WIN32
-+ sock->cmd = g_strdup(cmd);
-+#endif
-
- addr = g_new0(SocketAddressLegacy, 1);
-+#ifndef _WIN32
-+ if (path || cmd) {
-+#else
- if (path) {
-+#endif
- UnixSocketAddress *q_unix;
- addr->type = SOCKET_ADDRESS_LEGACY_KIND_UNIX;
- q_unix = addr->u.q_unix.data = g_new0(UnixSocketAddress, 1);
-+#ifndef _WIN32
-+ q_unix->path = cmd ? g_strdup_printf("cmd:%s", cmd) : g_strdup(path);
-+#else
- q_unix->path = g_strdup(path);
-+#endif
- #ifdef CONFIG_LINUX
- q_unix->has_tight = true;
- q_unix->tight = tight;
-Index: qemu-5.2.0/chardev/char.c
-===================================================================
---- qemu-5.2.0.orig/chardev/char.c
-+++ qemu-5.2.0/chardev/char.c
-@@ -839,6 +839,9 @@ QemuOptsList qemu_chardev_opts = {
- .name = "path",
- .type = QEMU_OPT_STRING,
- },{
-+ .name = "cmd",
-+ .type = QEMU_OPT_STRING,
-+ },{
- .name = "host",
- .type = QEMU_OPT_STRING,
- },{
-Index: qemu-5.2.0/qapi/char.json
-===================================================================
---- qemu-5.2.0.orig/qapi/char.json
-+++ qemu-5.2.0/qapi/char.json
-@@ -250,6 +250,10 @@
- #
- # @addr: socket address to listen on (server=true)
- # or connect to (server=false)
-+# @cmd: command to run via "sh -c" with stdin as one end of
-+# a AF_UNIX SOCK_DSTREAM socket pair. The other end
-+# is used by the chardev. Either an addr or a cmd can
-+# be specified, but not both.
- # @tls-creds: the ID of the TLS credentials object (since 2.6)
- # @tls-authz: the ID of the QAuthZ authorization object against which
- # the client's x509 distinguished name will be validated. This
-@@ -276,6 +280,7 @@
- ##
- { 'struct': 'ChardevSocket',
- 'data': { 'addr': 'SocketAddressLegacy',
-+ '*cmd': 'str',
- '*tls-creds': 'str',
- '*tls-authz' : 'str',
- '*server': 'bool',
diff --git a/meta-oniro-staging/recipes-devtools/qemu/qemu/0006-vhost-user-gpu-fix-memory-leak-in-virgl_resource_att.patch b/meta-oniro-staging/recipes-devtools/qemu/qemu/0006-vhost-user-gpu-fix-memory-leak-in-virgl_resource_att.patch
deleted file mode 100644
index 5efb87ca..00000000
--- a/meta-oniro-staging/recipes-devtools/qemu/qemu/0006-vhost-user-gpu-fix-memory-leak-in-virgl_resource_att.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-CVE: CVE-2021-3544
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@arm.com>
-
-From 63736af5a6571d9def93769431e0d7e38c6677bf Mon Sep 17 00:00:00 2001
-From: Li Qiang <liq3ea@163.com>
-Date: Sat, 15 May 2021 20:04:01 -0700
-Subject: [PATCH 6/7] vhost-user-gpu: fix memory leak in
- 'virgl_resource_attach_backing' (CVE-2021-3544)
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-If 'virgl_renderer_resource_attach_iov' failed, the 'res_iovs' will
-be leaked.
-
-Fixes: CVE-2021-3544
-Reported-by: Li Qiang <liq3ea@163.com>
-virtio-gpu fix: 33243031da ("virtio-gpu-3d: fix memory leak
-in resource attach backing")
-
-Signed-off-by: Li Qiang <liq3ea@163.com>
-Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Message-Id: <20210516030403.107723-7-liq3ea@163.com>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- contrib/vhost-user-gpu/virgl.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c
-index c669d73a1d..a16a311d80 100644
---- a/contrib/vhost-user-gpu/virgl.c
-+++ b/contrib/vhost-user-gpu/virgl.c
-@@ -287,8 +287,11 @@ virgl_resource_attach_backing(VuGpu *g,
- return;
- }
-
-- virgl_renderer_resource_attach_iov(att_rb.resource_id,
-+ ret = virgl_renderer_resource_attach_iov(att_rb.resource_id,
- res_iovs, att_rb.nr_entries);
-+ if (ret != 0) {
-+ g_free(res_iovs);
-+ }
- }
-
- static void
---
-2.25.1
-
diff --git a/meta-oniro-staging/recipes-devtools/qemu/qemu/0007-apic-fixup-fallthrough-to-PIC.patch b/meta-oniro-staging/recipes-devtools/qemu/qemu/0007-apic-fixup-fallthrough-to-PIC.patch
deleted file mode 100644
index 294cf512..00000000
--- a/meta-oniro-staging/recipes-devtools/qemu/qemu/0007-apic-fixup-fallthrough-to-PIC.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From a59a98d100123030a4145e7efe3b8a001920a9f1 Mon Sep 17 00:00:00 2001
-From: Mark Asselstine <mark.asselstine@windriver.com>
-Date: Tue, 26 Feb 2013 11:43:28 -0500
-Subject: [PATCH] apic: fixup fallthrough to PIC
-
-Commit 0e21e12bb311c4c1095d0269dc2ef81196ccb60a [Don't route PIC
-interrupts through the local APIC if the local APIC config says so.]
-missed a check to ensure the local APIC is enabled. Since if the local
-APIC is disabled it doesn't matter what the local APIC config says.
-
-If this check isn't done and the guest has disabled the local APIC the
-guest will receive a general protection fault, similar to what is seen
-here:
-
-https://lists.gnu.org/archive/html/qemu-devel/2012-12/msg02304.html
-
-The GPF is caused by an attempt to service interrupt 0xffffffff. This
-comes about since cpu_get_pic_interrupt() calls apic_accept_pic_intr()
-(with the local APIC disabled apic_get_interrupt() returns -1).
-apic_accept_pic_intr() returns 0 and thus the interrupt number which
-is returned from cpu_get_pic_interrupt(), and which is attempted to be
-serviced, is -1.
-
-Signed-off-by: Mark Asselstine <mark.asselstine@windriver.com>
-Upstream-Status: Submitted [https://lists.gnu.org/archive/html/qemu-devel/2013-04/msg00878.html]
-Signed-off-by: He Zhe <zhe.he@windriver.com>
-
----
- hw/intc/apic.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-Index: qemu-5.2.0/hw/intc/apic.c
-===================================================================
---- qemu-5.2.0.orig/hw/intc/apic.c
-+++ qemu-5.2.0/hw/intc/apic.c
-@@ -605,7 +605,7 @@ int apic_accept_pic_intr(DeviceState *de
- APICCommonState *s = APIC(dev);
- uint32_t lvt0;
-
-- if (!s)
-+ if (!s || !(s->spurious_vec & APIC_SV_ENABLE))
- return -1;
-
- lvt0 = s->lvt[APIC_LVT_LINT0];
diff --git a/meta-oniro-staging/recipes-devtools/qemu/qemu/0007-vhost-user-gpu-fix-OOB-write-in-virgl_cmd_get_capset.patch b/meta-oniro-staging/recipes-devtools/qemu/qemu/0007-vhost-user-gpu-fix-OOB-write-in-virgl_cmd_get_capset.patch
deleted file mode 100644
index 33e6a661..00000000
--- a/meta-oniro-staging/recipes-devtools/qemu/qemu/0007-vhost-user-gpu-fix-OOB-write-in-virgl_cmd_get_capset.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-CVE: CVE-2021-3546
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@arm.com>
-
-From 9f22893adcb02580aee5968f32baa2cd109b3ec2 Mon Sep 17 00:00:00 2001
-From: Li Qiang <liq3ea@163.com>
-Date: Sat, 15 May 2021 20:04:02 -0700
-Subject: [PATCH 7/7] vhost-user-gpu: fix OOB write in 'virgl_cmd_get_capset'
- (CVE-2021-3546)
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-If 'virgl_cmd_get_capset' set 'max_size' to 0,
-the 'virgl_renderer_fill_caps' will write the data after the 'resp'.
-This patch avoid this by checking the returned 'max_size'.
-
-virtio-gpu fix: abd7f08b23 ("display: virtio-gpu-3d: check
-virgl capabilities max_size")
-
-Fixes: CVE-2021-3546
-Reported-by: Li Qiang <liq3ea@163.com>
-Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
-Signed-off-by: Li Qiang <liq3ea@163.com>
-Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Message-Id: <20210516030403.107723-8-liq3ea@163.com>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- contrib/vhost-user-gpu/virgl.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c
-index a16a311d80..7172104b19 100644
---- a/contrib/vhost-user-gpu/virgl.c
-+++ b/contrib/vhost-user-gpu/virgl.c
-@@ -177,6 +177,10 @@ virgl_cmd_get_capset(VuGpu *g,
-
- virgl_renderer_get_cap_set(gc.capset_id, &max_ver,
- &max_size);
-+ if (!max_size) {
-+ cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER;
-+ return;
-+ }
- resp = g_malloc0(sizeof(*resp) + max_size);
-
- resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
---
-2.25.1
-
diff --git a/meta-oniro-staging/recipes-devtools/qemu/qemu/0010-configure-Add-pkg-config-handling-for-libgcrypt.patch b/meta-oniro-staging/recipes-devtools/qemu/qemu/0010-configure-Add-pkg-config-handling-for-libgcrypt.patch
deleted file mode 100644
index c5d206b9..00000000
--- a/meta-oniro-staging/recipes-devtools/qemu/qemu/0010-configure-Add-pkg-config-handling-for-libgcrypt.patch
+++ /dev/null
@@ -1,84 +0,0 @@
-From c207607cdf3996ad9783c3bffbcd3d65e74c0158 Mon Sep 17 00:00:00 2001
-From: He Zhe <zhe.he@windriver.com>
-Date: Wed, 28 Aug 2019 19:56:28 +0800
-Subject: [PATCH] configure: Add pkg-config handling for libgcrypt
-
-libgcrypt may also be controlled by pkg-config, this patch adds pkg-config
-handling for libgcrypt.
-
-Upstream-Status: Denied [https://lists.nongnu.org/archive/html/qemu-devel/2019-08/msg06333.html]
-
-Signed-off-by: He Zhe <zhe.he@windriver.com>
-
----
- configure | 48 ++++++++++++++++++++++++++++++++++++++++--------
- 1 file changed, 40 insertions(+), 8 deletions(-)
-
-Index: qemu-5.2.0/configure
-===================================================================
---- qemu-5.2.0.orig/configure
-+++ qemu-5.2.0/configure
-@@ -2956,6 +2956,30 @@ has_libgcrypt() {
- return 0
- }
-
-+has_libgcrypt_pkgconfig() {
-+ if ! has $pkg_config ; then
-+ return 1
-+ fi
-+
-+ if ! $pkg_config --list-all | grep libgcrypt > /dev/null 2>&1 ; then
-+ return 1
-+ fi
-+
-+ if test -n "$cross_prefix" ; then
-+ host=$($pkg_config --variable=host libgcrypt)
-+ if test "${host%-gnu}-" != "${cross_prefix%-gnu}" ; then
-+ print_error "host($host) does not match cross_prefix($cross_prefix)"
-+ return 1
-+ fi
-+ fi
-+
-+ if ! $pkg_config --atleast-version=1.5.0 libgcrypt ; then
-+ print_error "libgcrypt version is $($pkg_config --modversion libgcrypt)"
-+ return 1
-+ fi
-+
-+ return 0
-+}
-
- if test "$nettle" != "no"; then
- pass="no"
-@@ -2994,7 +3018,14 @@ fi
-
- if test "$gcrypt" != "no"; then
- pass="no"
-- if has_libgcrypt; then
-+ if has_libgcrypt_pkgconfig; then
-+ gcrypt_cflags=$($pkg_config --cflags libgcrypt)
-+ if test "$static" = "yes" ; then
-+ gcrypt_libs=$($pkg_config --libs --static libgcrypt)
-+ else
-+ gcrypt_libs=$($pkg_config --libs libgcrypt)
-+ fi
-+ elif has_libgcrypt; then
- gcrypt_cflags=$(libgcrypt-config --cflags)
- gcrypt_libs=$(libgcrypt-config --libs)
- # Debian has removed -lgpg-error from libgcrypt-config
-@@ -3004,12 +3035,12 @@ if test "$gcrypt" != "no"; then
- then
- gcrypt_libs="$gcrypt_libs -lgpg-error"
- fi
-+ fi
-
-- # Link test to make sure the given libraries work (e.g for static).
-- write_c_skeleton
-- if compile_prog "" "$gcrypt_libs" ; then
-+ # Link test to make sure the given libraries work (e.g for static).
-+ write_c_skeleton
-+ if compile_prog "" "$gcrypt_libs" ; then
- pass="yes"
-- fi
- fi
- if test "$pass" = "yes"; then
- gcrypt="yes"
diff --git a/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2020-27821.patch b/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2020-27821.patch
deleted file mode 100644
index 58622f04..00000000
--- a/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2020-27821.patch
+++ /dev/null
@@ -1,143 +0,0 @@
-From 279f90a9ab07304f0a49fc10e4bfd1243a8cddbe Mon Sep 17 00:00:00 2001
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Tue, 1 Dec 2020 09:29:56 -0500
-Subject: [PATCH 1/2] memory: clamp cached translation in case it points to an
- MMIO region
-
-In using the address_space_translate_internal API, address_space_cache_init
-forgot one piece of advice that can be found in the code for
-address_space_translate_internal:
-
- /* MMIO registers can be expected to perform full-width accesses based only
- * on their address, without considering adjacent registers that could
- * decode to completely different MemoryRegions. When such registers
- * exist (e.g. I/O ports 0xcf8 and 0xcf9 on most PC chipsets), MMIO
- * regions overlap wildly. For this reason we cannot clamp the accesses
- * here.
- *
- * If the length is small (as is the case for address_space_ldl/stl),
- * everything works fine. If the incoming length is large, however,
- * the caller really has to do the clamping through memory_access_size.
- */
-
-address_space_cache_init is exactly one such case where "the incoming length
-is large", therefore we need to clamp the resulting length---not to
-memory_access_size though, since we are not doing an access yet, but to
-the size of the resulting section. This ensures that subsequent accesses
-to the cached MemoryRegionSection will be in range.
-
-With this patch, the enclosed testcase notices that the used ring does
-not fit into the MSI-X table and prints a "qemu-system-x86_64: Cannot map used"
-error.
-
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-
-Upstream-Status: Backport [4bfb024bc76973d40a359476dc0291f46e435442]
-CVE: CVE-2020-27821
-
-Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
----
- softmmu/physmem.c | 10 ++++++++
- tests/qtest/fuzz-test.c | 51 +++++++++++++++++++++++++++++++++++++++++
- 2 files changed, 61 insertions(+)
-
-diff --git a/softmmu/physmem.c b/softmmu/physmem.c
-index 3027747c0..2cd1de4a2 100644
---- a/softmmu/physmem.c
-+++ b/softmmu/physmem.c
-@@ -3255,6 +3255,7 @@ int64_t address_space_cache_init(MemoryRegionCache *cache,
- AddressSpaceDispatch *d;
- hwaddr l;
- MemoryRegion *mr;
-+ Int128 diff;
-
- assert(len > 0);
-
-@@ -3263,6 +3264,15 @@ int64_t address_space_cache_init(MemoryRegionCache *cache,
- d = flatview_to_dispatch(cache->fv);
- cache->mrs = *address_space_translate_internal(d, addr, &cache->xlat, &l, true);
-
-+ /*
-+ * cache->xlat is now relative to cache->mrs.mr, not to the section itself.
-+ * Take that into account to compute how many bytes are there between
-+ * cache->xlat and the end of the section.
-+ */
-+ diff = int128_sub(cache->mrs.size,
-+ int128_make64(cache->xlat - cache->mrs.offset_within_region));
-+ l = int128_get64(int128_min(diff, int128_make64(l)));
-+
- mr = cache->mrs.mr;
- memory_region_ref(mr);
- if (memory_access_is_direct(mr, is_write)) {
-diff --git a/tests/qtest/fuzz-test.c b/tests/qtest/fuzz-test.c
-index 9cb4c42bd..28739248e 100644
---- a/tests/qtest/fuzz-test.c
-+++ b/tests/qtest/fuzz-test.c
-@@ -47,6 +47,55 @@ static void test_lp1878642_pci_bus_get_irq_level_assert(void)
- qtest_outl(s, 0x5d02, 0xebed205d);
- }
-
-+/*
-+ * Here a MemoryRegionCache pointed to an MMIO region but had a
-+ * larger size than the underlying region.
-+ */
-+static void test_mmio_oob_from_memory_region_cache(void)
-+{
-+ QTestState *s;
-+
-+ s = qtest_init("-M pc-q35-5.2 -display none -m 512M "
-+ "-device virtio-scsi,num_queues=8,addr=03.0 ");
-+
-+ qtest_outl(s, 0xcf8, 0x80001811);
-+ qtest_outb(s, 0xcfc, 0x6e);
-+ qtest_outl(s, 0xcf8, 0x80001824);
-+ qtest_outl(s, 0xcf8, 0x80001813);
-+ qtest_outl(s, 0xcfc, 0xa080000);
-+ qtest_outl(s, 0xcf8, 0x80001802);
-+ qtest_outl(s, 0xcfc, 0x5a175a63);
-+ qtest_outb(s, 0x6e08, 0x9e);
-+ qtest_writeb(s, 0x9f003, 0xff);
-+ qtest_writeb(s, 0x9f004, 0x01);
-+ qtest_writeb(s, 0x9e012, 0x0e);
-+ qtest_writeb(s, 0x9e01b, 0x0e);
-+ qtest_writeb(s, 0x9f006, 0x01);
-+ qtest_writeb(s, 0x9f008, 0x01);
-+ qtest_writeb(s, 0x9f00a, 0x01);
-+ qtest_writeb(s, 0x9f00c, 0x01);
-+ qtest_writeb(s, 0x9f00e, 0x01);
-+ qtest_writeb(s, 0x9f010, 0x01);
-+ qtest_writeb(s, 0x9f012, 0x01);
-+ qtest_writeb(s, 0x9f014, 0x01);
-+ qtest_writeb(s, 0x9f016, 0x01);
-+ qtest_writeb(s, 0x9f018, 0x01);
-+ qtest_writeb(s, 0x9f01a, 0x01);
-+ qtest_writeb(s, 0x9f01c, 0x01);
-+ qtest_writeb(s, 0x9f01e, 0x01);
-+ qtest_writeb(s, 0x9f020, 0x01);
-+ qtest_writeb(s, 0x9f022, 0x01);
-+ qtest_writeb(s, 0x9f024, 0x01);
-+ qtest_writeb(s, 0x9f026, 0x01);
-+ qtest_writeb(s, 0x9f028, 0x01);
-+ qtest_writeb(s, 0x9f02a, 0x01);
-+ qtest_writeb(s, 0x9f02c, 0x01);
-+ qtest_writeb(s, 0x9f02e, 0x01);
-+ qtest_writeb(s, 0x9f030, 0x01);
-+ qtest_outb(s, 0x6e10, 0x00);
-+ qtest_quit(s);
-+}
-+
- int main(int argc, char **argv)
- {
- const char *arch = qtest_get_arch();
-@@ -58,6 +107,8 @@ int main(int argc, char **argv)
- test_lp1878263_megasas_zero_iov_cnt);
- qtest_add_func("fuzz/test_lp1878642_pci_bus_get_irq_level_assert",
- test_lp1878642_pci_bus_get_irq_level_assert);
-+ qtest_add_func("fuzz/test_mmio_oob_from_memory_region_cache",
-+ test_mmio_oob_from_memory_region_cache);
- }
-
- return g_test_run();
---
-2.29.2
-
diff --git a/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2020-29443.patch b/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2020-29443.patch
deleted file mode 100644
index c72324fc..00000000
--- a/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2020-29443.patch
+++ /dev/null
@@ -1,107 +0,0 @@
-From c9a71afe182be5b62bd2ccdaf861695e0ec0731a Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Mon, 18 Jan 2021 17:21:30 +0530
-Subject: [PATCH] ide: atapi: check logical block address and read size
- (CVE-2020-29443)
-
-While processing ATAPI cmd_read/cmd_read_cd commands,
-Logical Block Address (LBA) maybe invalid OR closer to the last block,
-leading to an OOB access issues. Add range check to avoid it.
-
-Fixes: CVE-2020-29443
-Reported-by: Wenxiang Qian <leonwxqian@gmail.com>
-Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
-Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Message-Id: <20210118115130.457044-1-ppandit@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-
-Upstream-Status: Backport [b8d7f1bc59276fec85e4d09f1567613a3e14d31e]
-CVE: CVE-2020-29443
-
-Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
----
- hw/ide/atapi.c | 30 ++++++++++++++++++++++++------
- 1 file changed, 24 insertions(+), 6 deletions(-)
-
-diff --git a/hw/ide/atapi.c b/hw/ide/atapi.c
-index e79157863..b626199e3 100644
---- a/hw/ide/atapi.c
-+++ b/hw/ide/atapi.c
-@@ -322,6 +322,8 @@ static void ide_atapi_cmd_reply(IDEState *s, int size, int max_size)
- static void ide_atapi_cmd_read_pio(IDEState *s, int lba, int nb_sectors,
- int sector_size)
- {
-+ assert(0 <= lba && lba < (s->nb_sectors >> 2));
-+
- s->lba = lba;
- s->packet_transfer_size = nb_sectors * sector_size;
- s->elementary_transfer_size = 0;
-@@ -420,6 +422,8 @@ eot:
- static void ide_atapi_cmd_read_dma(IDEState *s, int lba, int nb_sectors,
- int sector_size)
- {
-+ assert(0 <= lba && lba < (s->nb_sectors >> 2));
-+
- s->lba = lba;
- s->packet_transfer_size = nb_sectors * sector_size;
- s->io_buffer_size = 0;
-@@ -973,35 +977,49 @@ static void cmd_prevent_allow_medium_removal(IDEState *s, uint8_t* buf)
-
- static void cmd_read(IDEState *s, uint8_t* buf)
- {
-- int nb_sectors, lba;
-+ unsigned int nb_sectors, lba;
-+
-+ /* Total logical sectors of ATAPI_SECTOR_SIZE(=2048) bytes */
-+ uint64_t total_sectors = s->nb_sectors >> 2;
-
- if (buf[0] == GPCMD_READ_10) {
- nb_sectors = lduw_be_p(buf + 7);
- } else {
- nb_sectors = ldl_be_p(buf + 6);
- }
--
-- lba = ldl_be_p(buf + 2);
- if (nb_sectors == 0) {
- ide_atapi_cmd_ok(s);
- return;
- }
-
-+ lba = ldl_be_p(buf + 2);
-+ if (lba >= total_sectors || lba + nb_sectors - 1 >= total_sectors) {
-+ ide_atapi_cmd_error(s, ILLEGAL_REQUEST, ASC_LOGICAL_BLOCK_OOR);
-+ return;
-+ }
-+
- ide_atapi_cmd_read(s, lba, nb_sectors, 2048);
- }
-
- static void cmd_read_cd(IDEState *s, uint8_t* buf)
- {
-- int nb_sectors, lba, transfer_request;
-+ unsigned int nb_sectors, lba, transfer_request;
-
-- nb_sectors = (buf[6] << 16) | (buf[7] << 8) | buf[8];
-- lba = ldl_be_p(buf + 2);
-+ /* Total logical sectors of ATAPI_SECTOR_SIZE(=2048) bytes */
-+ uint64_t total_sectors = s->nb_sectors >> 2;
-
-+ nb_sectors = (buf[6] << 16) | (buf[7] << 8) | buf[8];
- if (nb_sectors == 0) {
- ide_atapi_cmd_ok(s);
- return;
- }
-
-+ lba = ldl_be_p(buf + 2);
-+ if (lba >= total_sectors || lba + nb_sectors - 1 >= total_sectors) {
-+ ide_atapi_cmd_error(s, ILLEGAL_REQUEST, ASC_LOGICAL_BLOCK_OOR);
-+ return;
-+ }
-+
- transfer_request = buf[9] & 0xf8;
- if (transfer_request == 0x00) {
- /* nothing */
---
-2.29.2
-
diff --git a/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2020-35517_1.patch b/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2020-35517_1.patch
deleted file mode 100644
index 73a4cb20..00000000
--- a/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2020-35517_1.patch
+++ /dev/null
@@ -1,153 +0,0 @@
-From 8afaaee976965b7fb90ec225a51d60f35c5f173c Mon Sep 17 00:00:00 2001
-From: Stefan Hajnoczi <stefanha@redhat.com>
-Date: Thu, 4 Feb 2021 15:02:06 +0000
-Subject: [PATCH] virtiofsd: extract lo_do_open() from lo_open()
-
-Both lo_open() and lo_create() have similar code to open a file. Extract
-a common lo_do_open() function from lo_open() that will be used by
-lo_create() in a later commit.
-
-Since lo_do_open() does not otherwise need fuse_req_t req, convert
-lo_add_fd_mapping() to use struct lo_data *lo instead.
-
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
-Message-Id: <20210204150208.367837-2-stefanha@redhat.com>
-Reviewed-by: Greg Kurz <groug@kaod.org>
-Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
-
-Upstream-Status: Backport
-[https://github.com/qemu/qemu/commit/8afaaee976965b7fb90ec225a51d60f35c5f173c]
-
-CVE: CVE-2020-35517
-
-Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
-Signed-off-by: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com>
----
- tools/virtiofsd/passthrough_ll.c | 73 +++++++++++++++++++++++++---------------
- 1 file changed, 46 insertions(+), 27 deletions(-)
-
-diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
-index 5fb36d9..f14fa51 100644
---- a/tools/virtiofsd/passthrough_ll.c
-+++ b/tools/virtiofsd/passthrough_ll.c
-@@ -459,17 +459,17 @@ static void lo_map_remove(struct lo_map *map, size_t key)
- }
-
- /* Assumes lo->mutex is held */
--static ssize_t lo_add_fd_mapping(fuse_req_t req, int fd)
-+static ssize_t lo_add_fd_mapping(struct lo_data *lo, int fd)
- {
- struct lo_map_elem *elem;
-
-- elem = lo_map_alloc_elem(&lo_data(req)->fd_map);
-+ elem = lo_map_alloc_elem(&lo->fd_map);
- if (!elem) {
- return -1;
- }
-
- elem->fd = fd;
-- return elem - lo_data(req)->fd_map.elems;
-+ return elem - lo->fd_map.elems;
- }
-
- /* Assumes lo->mutex is held */
-@@ -1651,6 +1651,38 @@ static void update_open_flags(int writeback, int allow_direct_io,
- }
- }
-
-+static int lo_do_open(struct lo_data *lo, struct lo_inode *inode,
-+ struct fuse_file_info *fi)
-+{
-+ char buf[64];
-+ ssize_t fh;
-+ int fd;
-+
-+ update_open_flags(lo->writeback, lo->allow_direct_io, fi);
-+
-+ sprintf(buf, "%i", inode->fd);
-+ fd = openat(lo->proc_self_fd, buf, fi->flags & ~O_NOFOLLOW);
-+ if (fd == -1) {
-+ return errno;
-+ }
-+
-+ pthread_mutex_lock(&lo->mutex);
-+ fh = lo_add_fd_mapping(lo, fd);
-+ pthread_mutex_unlock(&lo->mutex);
-+ if (fh == -1) {
-+ close(fd);
-+ return ENOMEM;
-+ }
-+
-+ fi->fh = fh;
-+ if (lo->cache == CACHE_NONE) {
-+ fi->direct_io = 1;
-+ } else if (lo->cache == CACHE_ALWAYS) {
-+ fi->keep_cache = 1;
-+ }
-+ return 0;
-+}
-+
- static void lo_create(fuse_req_t req, fuse_ino_t parent, const char *name,
- mode_t mode, struct fuse_file_info *fi)
- {
-@@ -1691,7 +1723,7 @@ static void lo_create(fuse_req_t req, fuse_ino_t parent, const char *name,
- ssize_t fh;
-
- pthread_mutex_lock(&lo->mutex);
-- fh = lo_add_fd_mapping(req, fd);
-+ fh = lo_add_fd_mapping(lo, fd);
- pthread_mutex_unlock(&lo->mutex);
- if (fh == -1) {
- close(fd);
-@@ -1892,38 +1924,25 @@ static void lo_fsyncdir(fuse_req_t req, fuse_ino_t ino, int datasync,
-
- static void lo_open(fuse_req_t req, fuse_ino_t ino, struct fuse_file_info *fi)
- {
-- int fd;
-- ssize_t fh;
-- char buf[64];
- struct lo_data *lo = lo_data(req);
-+ struct lo_inode *inode = lo_inode(req, ino);
-+ int err;
-
- fuse_log(FUSE_LOG_DEBUG, "lo_open(ino=%" PRIu64 ", flags=%d)\n", ino,
- fi->flags);
-
-- update_open_flags(lo->writeback, lo->allow_direct_io, fi);
--
-- sprintf(buf, "%i", lo_fd(req, ino));
-- fd = openat(lo->proc_self_fd, buf, fi->flags & ~O_NOFOLLOW);
-- if (fd == -1) {
-- return (void)fuse_reply_err(req, errno);
-- }
--
-- pthread_mutex_lock(&lo->mutex);
-- fh = lo_add_fd_mapping(req, fd);
-- pthread_mutex_unlock(&lo->mutex);
-- if (fh == -1) {
-- close(fd);
-- fuse_reply_err(req, ENOMEM);
-+ if (!inode) {
-+ fuse_reply_err(req, EBADF);
- return;
- }
-
-- fi->fh = fh;
-- if (lo->cache == CACHE_NONE) {
-- fi->direct_io = 1;
-- } else if (lo->cache == CACHE_ALWAYS) {
-- fi->keep_cache = 1;
-+ err = lo_do_open(lo, inode, fi);
-+ lo_inode_put(lo, &inode);
-+ if (err) {
-+ fuse_reply_err(req, err);
-+ } else {
-+ fuse_reply_open(req, fi);
- }
-- fuse_reply_open(req, fi);
- }
-
- static void lo_release(fuse_req_t req, fuse_ino_t ino,
---
-1.8.3.1
-
diff --git a/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2020-35517_2.patch b/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2020-35517_2.patch
deleted file mode 100644
index bf11bdb6..00000000
--- a/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2020-35517_2.patch
+++ /dev/null
@@ -1,117 +0,0 @@
-From 22d2ece71e533310da31f2857ebc4a00d91968b3 Mon Sep 17 00:00:00 2001
-From: Stefan Hajnoczi <stefanha@redhat.com>
-Date: Thu, 4 Feb 2021 15:02:07 +0000
-Subject: [PATCH] virtiofsd: optionally return inode pointer from
- lo_do_lookup()
-
-lo_do_lookup() finds an existing inode or allocates a new one. It
-increments nlookup so that the inode stays alive until the client
-releases it.
-
-Existing callers don't need the struct lo_inode so the function doesn't
-return it. Extend the function to optionally return the inode. The next
-commit will need it.
-
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
-Reviewed-by: Greg Kurz <groug@kaod.org>
-Message-Id: <20210204150208.367837-3-stefanha@redhat.com>
-Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
-
-Upstream-Status: Backport
-[https://github.com/qemu/qemu/commit/22d2ece71e533310da31f2857ebc4a00d91968b3]
-
-CVE: CVE-2020-35517
-
-Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
-Signed-off-by: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com>
----
- tools/virtiofsd/passthrough_ll.c | 29 +++++++++++++++++++++--------
- 1 file changed, 21 insertions(+), 8 deletions(-)
-
-diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
-index f14fa51..aa35fc6 100644
---- a/tools/virtiofsd/passthrough_ll.c
-+++ b/tools/virtiofsd/passthrough_ll.c
-@@ -831,11 +831,13 @@ static int do_statx(struct lo_data *lo, int dirfd, const char *pathname,
- }
-
- /*
-- * Increments nlookup and caller must release refcount using
-- * lo_inode_put(&parent).
-+ * Increments nlookup on the inode on success. unref_inode_lolocked() must be
-+ * called eventually to decrement nlookup again. If inodep is non-NULL, the
-+ * inode pointer is stored and the caller must call lo_inode_put().
- */
- static int lo_do_lookup(fuse_req_t req, fuse_ino_t parent, const char *name,
-- struct fuse_entry_param *e)
-+ struct fuse_entry_param *e,
-+ struct lo_inode **inodep)
- {
- int newfd;
- int res;
-@@ -845,6 +847,10 @@ static int lo_do_lookup(fuse_req_t req, fuse_ino_t parent, const char *name,
- struct lo_inode *inode = NULL;
- struct lo_inode *dir = lo_inode(req, parent);
-
-+ if (inodep) {
-+ *inodep = NULL;
-+ }
-+
- /*
- * name_to_handle_at() and open_by_handle_at() can reach here with fuse
- * mount point in guest, but we don't have its inode info in the
-@@ -913,7 +919,14 @@ static int lo_do_lookup(fuse_req_t req, fuse_ino_t parent, const char *name,
- pthread_mutex_unlock(&lo->mutex);
- }
- e->ino = inode->fuse_ino;
-- lo_inode_put(lo, &inode);
-+
-+ /* Transfer ownership of inode pointer to caller or drop it */
-+ if (inodep) {
-+ *inodep = inode;
-+ } else {
-+ lo_inode_put(lo, &inode);
-+ }
-+
- lo_inode_put(lo, &dir);
-
- fuse_log(FUSE_LOG_DEBUG, " %lli/%s -> %lli\n", (unsigned long long)parent,
-@@ -948,7 +961,7 @@ static void lo_lookup(fuse_req_t req, fuse_ino_t parent, const char *name)
- return;
- }
-
-- err = lo_do_lookup(req, parent, name, &e);
-+ err = lo_do_lookup(req, parent, name, &e, NULL);
- if (err) {
- fuse_reply_err(req, err);
- } else {
-@@ -1056,7 +1069,7 @@ static void lo_mknod_symlink(fuse_req_t req, fuse_ino_t parent,
- goto out;
- }
-
-- saverr = lo_do_lookup(req, parent, name, &e);
-+ saverr = lo_do_lookup(req, parent, name, &e, NULL);
- if (saverr) {
- goto out;
- }
-@@ -1534,7 +1547,7 @@ static void lo_do_readdir(fuse_req_t req, fuse_ino_t ino, size_t size,
-
- if (plus) {
- if (!is_dot_or_dotdot(name)) {
-- err = lo_do_lookup(req, ino, name, &e);
-+ err = lo_do_lookup(req, ino, name, &e, NULL);
- if (err) {
- goto error;
- }
-@@ -1732,7 +1745,7 @@ static void lo_create(fuse_req_t req, fuse_ino_t parent, const char *name,
- }
-
- fi->fh = fh;
-- err = lo_do_lookup(req, parent, name, &e);
-+ err = lo_do_lookup(req, parent, name, &e, NULL);
- }
- if (lo->cache == CACHE_NONE) {
- fi->direct_io = 1;
---
-1.8.3.1
-
diff --git a/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2020-35517_3.patch b/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2020-35517_3.patch
deleted file mode 100644
index f348f3f2..00000000
--- a/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2020-35517_3.patch
+++ /dev/null
@@ -1,303 +0,0 @@
-From a3fdbbc7f271bff7d53d0501b29d910ece0b3789 Mon Sep 17 00:00:00 2001
-From: Stefan Hajnoczi <stefanha@redhat.com>
-Date: Thu, 4 Feb 2021 15:02:08 +0000
-Subject: [PATCH] virtiofsd: prevent opening of special files (CVE-2020-35517)
-
-A well-behaved FUSE client does not attempt to open special files with
-FUSE_OPEN because they are handled on the client side (e.g. device nodes
-are handled by client-side device drivers).
-
-The check to prevent virtiofsd from opening special files is missing in
-a few cases, most notably FUSE_OPEN. A malicious client can cause
-virtiofsd to open a device node, potentially allowing the guest to
-escape. This can be exploited by a modified guest device driver. It is
-not exploitable from guest userspace since the guest kernel will handle
-special files inside the guest instead of sending FUSE requests.
-
-This patch fixes this issue by introducing the lo_inode_open() function
-to check the file type before opening it. This is a short-term solution
-because it does not prevent a compromised virtiofsd process from opening
-device nodes on the host.
-
-Restructure lo_create() to try O_CREAT | O_EXCL first. Note that O_CREAT
-| O_EXCL does not follow symlinks, so O_NOFOLLOW masking is not
-necessary here. If the file exists and the user did not specify O_EXCL,
-open it via lo_do_open().
-
-Reported-by: Alex Xu <alex@alxu.ca>
-Fixes: CVE-2020-35517
-Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
-Reviewed-by: Vivek Goyal <vgoyal@redhat.com>
-Reviewed-by: Greg Kurz <groug@kaod.org>
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
-Message-Id: <20210204150208.367837-4-stefanha@redhat.com>
-Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
-
-Upstream-Status: Backport
-[https://github.com/qemu/qemu/commit/a3fdbbc7f271bff7d53d0501b29d910ece0b3789]
-
-CVE: CVE-2020-35517
-
-Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
-Signed-off-by: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com>
----
- tools/virtiofsd/passthrough_ll.c | 144 ++++++++++++++++++++-----------
- 1 file changed, 92 insertions(+), 52 deletions(-)
-
-diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
-index aa35fc6ba5a5..147b59338a18 100644
---- a/tools/virtiofsd/passthrough_ll.c
-+++ b/tools/virtiofsd/passthrough_ll.c
-@@ -555,6 +555,38 @@ static int lo_fd(fuse_req_t req, fuse_ino_t ino)
- return fd;
- }
-
-+/*
-+ * Open a file descriptor for an inode. Returns -EBADF if the inode is not a
-+ * regular file or a directory.
-+ *
-+ * Use this helper function instead of raw openat(2) to prevent security issues
-+ * when a malicious client opens special files such as block device nodes.
-+ * Symlink inodes are also rejected since symlinks must already have been
-+ * traversed on the client side.
-+ */
-+static int lo_inode_open(struct lo_data *lo, struct lo_inode *inode,
-+ int open_flags)
-+{
-+ g_autofree char *fd_str = g_strdup_printf("%d", inode->fd);
-+ int fd;
-+
-+ if (!S_ISREG(inode->filetype) && !S_ISDIR(inode->filetype)) {
-+ return -EBADF;
-+ }
-+
-+ /*
-+ * The file is a symlink so O_NOFOLLOW must be ignored. We checked earlier
-+ * that the inode is not a special file but if an external process races
-+ * with us then symlinks are traversed here. It is not possible to escape
-+ * the shared directory since it is mounted as "/" though.
-+ */
-+ fd = openat(lo->proc_self_fd, fd_str, open_flags & ~O_NOFOLLOW);
-+ if (fd < 0) {
-+ return -errno;
-+ }
-+ return fd;
-+}
-+
- static void lo_init(void *userdata, struct fuse_conn_info *conn)
- {
- struct lo_data *lo = (struct lo_data *)userdata;
-@@ -684,9 +716,9 @@ static void lo_setattr(fuse_req_t req, fuse_ino_t ino, struct stat *attr,
- if (fi) {
- truncfd = fd;
- } else {
-- sprintf(procname, "%i", ifd);
-- truncfd = openat(lo->proc_self_fd, procname, O_RDWR);
-+ truncfd = lo_inode_open(lo, inode, O_RDWR);
- if (truncfd < 0) {
-+ errno = -truncfd;
- goto out_err;
- }
- }
-@@ -848,7 +880,7 @@ static int lo_do_lookup(fuse_req_t req, fuse_ino_t parent, const char *name,
- struct lo_inode *dir = lo_inode(req, parent);
-
- if (inodep) {
-- *inodep = NULL;
-+ *inodep = NULL; /* in case there is an error */
- }
-
- /*
-@@ -1664,19 +1696,26 @@ static void update_open_flags(int writeback, int allow_direct_io,
- }
- }
-
-+/*
-+ * Open a regular file, set up an fd mapping, and fill out the struct
-+ * fuse_file_info for it. If existing_fd is not negative, use that fd instead
-+ * opening a new one. Takes ownership of existing_fd.
-+ *
-+ * Returns 0 on success or a positive errno.
-+ */
- static int lo_do_open(struct lo_data *lo, struct lo_inode *inode,
-- struct fuse_file_info *fi)
-+ int existing_fd, struct fuse_file_info *fi)
- {
-- char buf[64];
- ssize_t fh;
-- int fd;
-+ int fd = existing_fd;
-
- update_open_flags(lo->writeback, lo->allow_direct_io, fi);
-
-- sprintf(buf, "%i", inode->fd);
-- fd = openat(lo->proc_self_fd, buf, fi->flags & ~O_NOFOLLOW);
-- if (fd == -1) {
-- return errno;
-+ if (fd < 0) {
-+ fd = lo_inode_open(lo, inode, fi->flags);
-+ if (fd < 0) {
-+ return -fd;
-+ }
- }
-
- pthread_mutex_lock(&lo->mutex);
-@@ -1699,9 +1738,10 @@ static int lo_do_open(struct lo_data *lo, struct lo_inode *inode,
- static void lo_create(fuse_req_t req, fuse_ino_t parent, const char *name,
- mode_t mode, struct fuse_file_info *fi)
- {
-- int fd;
-+ int fd = -1;
- struct lo_data *lo = lo_data(req);
- struct lo_inode *parent_inode;
-+ struct lo_inode *inode = NULL;
- struct fuse_entry_param e;
- int err;
- struct lo_cred old = {};
-@@ -1727,36 +1767,38 @@ static void lo_create(fuse_req_t req, fuse_ino_t parent, const char *name,
-
- update_open_flags(lo->writeback, lo->allow_direct_io, fi);
-
-- fd = openat(parent_inode->fd, name, (fi->flags | O_CREAT) & ~O_NOFOLLOW,
-- mode);
-+ /* Try to create a new file but don't open existing files */
-+ fd = openat(parent_inode->fd, name, fi->flags | O_CREAT | O_EXCL, mode);
- err = fd == -1 ? errno : 0;
-- lo_restore_cred(&old);
-
-- if (!err) {
-- ssize_t fh;
-+ lo_restore_cred(&old);
-
-- pthread_mutex_lock(&lo->mutex);
-- fh = lo_add_fd_mapping(lo, fd);
-- pthread_mutex_unlock(&lo->mutex);
-- if (fh == -1) {
-- close(fd);
-- err = ENOMEM;
-- goto out;
-- }
-+ /* Ignore the error if file exists and O_EXCL was not given */
-+ if (err && (err != EEXIST || (fi->flags & O_EXCL))) {
-+ goto out;
-+ }
-
-- fi->fh = fh;
-- err = lo_do_lookup(req, parent, name, &e, NULL);
-+ err = lo_do_lookup(req, parent, name, &e, &inode);
-+ if (err) {
-+ goto out;
- }
-- if (lo->cache == CACHE_NONE) {
-- fi->direct_io = 1;
-- } else if (lo->cache == CACHE_ALWAYS) {
-- fi->keep_cache = 1;
-+
-+ err = lo_do_open(lo, inode, fd, fi);
-+ fd = -1; /* lo_do_open() takes ownership of fd */
-+ if (err) {
-+ /* Undo lo_do_lookup() nlookup ref */
-+ unref_inode_lolocked(lo, inode, 1);
- }
-
- out:
-+ lo_inode_put(lo, &inode);
- lo_inode_put(lo, &parent_inode);
-
- if (err) {
-+ if (fd >= 0) {
-+ close(fd);
-+ }
-+
- fuse_reply_err(req, err);
- } else {
- fuse_reply_create(req, &e, fi);
-@@ -1770,7 +1812,6 @@ static struct lo_inode_plock *lookup_create_plock_ctx(struct lo_data *lo,
- pid_t pid, int *err)
- {
- struct lo_inode_plock *plock;
-- char procname[64];
- int fd;
-
- plock =
-@@ -1787,12 +1828,10 @@ static struct lo_inode_plock *lookup_create_plock_ctx(struct lo_data *lo,
- }
-
- /* Open another instance of file which can be used for ofd locks. */
-- sprintf(procname, "%i", inode->fd);
--
- /* TODO: What if file is not writable? */
-- fd = openat(lo->proc_self_fd, procname, O_RDWR);
-- if (fd == -1) {
-- *err = errno;
-+ fd = lo_inode_open(lo, inode, O_RDWR);
-+ if (fd < 0) {
-+ *err = -fd;
- free(plock);
- return NULL;
- }
-@@ -1949,7 +1988,7 @@ static void lo_open(fuse_req_t req, fuse_ino_t ino, struct fuse_file_info *fi)
- return;
- }
-
-- err = lo_do_open(lo, inode, fi);
-+ err = lo_do_open(lo, inode, -1, fi);
- lo_inode_put(lo, &inode);
- if (err) {
- fuse_reply_err(req, err);
-@@ -2014,39 +2053,40 @@ static void lo_flush(fuse_req_t req, fuse_ino_t ino, struct fuse_file_info *fi)
- static void lo_fsync(fuse_req_t req, fuse_ino_t ino, int datasync,
- struct fuse_file_info *fi)
- {
-+ struct lo_inode *inode = lo_inode(req, ino);
-+ struct lo_data *lo = lo_data(req);
- int res;
- int fd;
-- char *buf;
-
- fuse_log(FUSE_LOG_DEBUG, "lo_fsync(ino=%" PRIu64 ", fi=0x%p)\n", ino,
- (void *)fi);
-
-- if (!fi) {
-- struct lo_data *lo = lo_data(req);
--
-- res = asprintf(&buf, "%i", lo_fd(req, ino));
-- if (res == -1) {
-- return (void)fuse_reply_err(req, errno);
-- }
-+ if (!inode) {
-+ fuse_reply_err(req, EBADF);
-+ return;
-+ }
-
-- fd = openat(lo->proc_self_fd, buf, O_RDWR);
-- free(buf);
-- if (fd == -1) {
-- return (void)fuse_reply_err(req, errno);
-+ if (!fi) {
-+ fd = lo_inode_open(lo, inode, O_RDWR);
-+ if (fd < 0) {
-+ res = -fd;
-+ goto out;
- }
- } else {
- fd = lo_fi_fd(req, fi);
- }
-
- if (datasync) {
-- res = fdatasync(fd);
-+ res = fdatasync(fd) == -1 ? errno : 0;
- } else {
-- res = fsync(fd);
-+ res = fsync(fd) == -1 ? errno : 0;
- }
- if (!fi) {
- close(fd);
- }
-- fuse_reply_err(req, res == -1 ? errno : 0);
-+out:
-+ lo_inode_put(lo, &inode);
-+ fuse_reply_err(req, res);
- }
-
- static void lo_read(fuse_req_t req, fuse_ino_t ino, size_t size, off_t offset,
diff --git a/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-20181.patch b/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-20181.patch
deleted file mode 100644
index 1b8c77f8..00000000
--- a/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-20181.patch
+++ /dev/null
@@ -1,81 +0,0 @@
-From c2d2d14e8deece958bbc4fc649d22c3564bc4e7e Mon Sep 17 00:00:00 2001
-From: Greg Kurz <groug@kaod.org>
-Date: Thu, 14 Jan 2021 17:04:12 +0100
-Subject: [PATCH] 9pfs: Fully restart unreclaim loop (CVE-2021-20181)
-
-Depending on the client activity, the server can be asked to open a huge
-number of file descriptors and eventually hit RLIMIT_NOFILE. This is
-currently mitigated using a reclaim logic : the server closes the file
-descriptors of idle fids, based on the assumption that it will be able
-to re-open them later. This assumption doesn't hold of course if the
-client requests the file to be unlinked. In this case, we loop on the
-entire fid list and mark all related fids as unreclaimable (the reclaim
-logic will just ignore them) and, of course, we open or re-open their
-file descriptors if needed since we're about to unlink the file.
-
-This is the purpose of v9fs_mark_fids_unreclaim(). Since the actual
-opening of a file can cause the coroutine to yield, another client
-request could possibly add a new fid that we may want to mark as
-non-reclaimable as well. The loop is thus restarted if the re-open
-request was actually transmitted to the backend. This is achieved
-by keeping a reference on the first fid (head) before traversing
-the list.
-
-This is wrong in several ways:
-- a potential clunk request from the client could tear the first
- fid down and cause the reference to be stale. This leads to a
- use-after-free error that can be detected with ASAN, using a
- custom 9p client
-- fids are added at the head of the list : restarting from the
- previous head will always miss fids added by a some other
- potential request
-
-All these problems could be avoided if fids were being added at the
-end of the list. This can be achieved with a QSIMPLEQ, but this is
-probably too much change for a bug fix. For now let's keep it
-simple and just restart the loop from the current head.
-
-Fixes: CVE-2021-20181
-Buglink: https://bugs.launchpad.net/qemu/+bug/1911666
-Reported-by: Zero Day Initiative <zdi-disclosures@trendmicro.com>
-Reviewed-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
-Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
-Message-Id: <161064025265.1838153.15185571283519390907.stgit@bahia.lan>
-Signed-off-by: Greg Kurz <groug@kaod.org>
-
-Upstream-Status: Backport [89fbea8737e8f7b954745a1ffc4238d377055305]
-CVE: CVE-2021-20181
-
-Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
----
- hw/9pfs/9p.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
-index 94df440fc..6026b51a1 100644
---- a/hw/9pfs/9p.c
-+++ b/hw/9pfs/9p.c
-@@ -502,9 +502,9 @@ static int coroutine_fn v9fs_mark_fids_unreclaim(V9fsPDU *pdu, V9fsPath *path)
- {
- int err;
- V9fsState *s = pdu->s;
-- V9fsFidState *fidp, head_fid;
-+ V9fsFidState *fidp;
-
-- head_fid.next = s->fid_list;
-+again:
- for (fidp = s->fid_list; fidp; fidp = fidp->next) {
- if (fidp->path.size != path->size) {
- continue;
-@@ -524,7 +524,7 @@ static int coroutine_fn v9fs_mark_fids_unreclaim(V9fsPDU *pdu, V9fsPath *path)
- * switched to the worker thread
- */
- if (err == 0) {
-- fidp = &head_fid;
-+ goto again;
- }
- }
- }
---
-2.29.2
-
diff --git a/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-20203.patch b/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-20203.patch
deleted file mode 100644
index 269c6f12..00000000
--- a/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-20203.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From: Prasad J Pandit <pjp@fedoraproject.org>
-
-While activating device in vmxnet3_acticate_device(), it does not
-validate guest supplied configuration values against predefined
-minimum - maximum limits. This may lead to integer overflow or
-OOB access issues. Add checks to avoid it.
-
-Fixes: CVE-2021-20203
-Buglink: https://bugs.launchpad.net/qemu/+bug/1913873
-Reported-by: Gaoning Pan <pgn@zju.edu.cn>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-
-Upstream-Status: Acepted [https://lists.gnu.org/archive/html/qemu-devel/2021-01/msg07935.html]
-CVE: CVE-2021-20203
-Signed-off-by: Minjae Kim <flowergom@gmail.com>
----
- hw/net/vmxnet3.c | 13 +++++++++++++
- 1 file changed, 13 insertions(+)
-
-diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
-index eff299f629..4a910ca971 100644
---- a/hw/net/vmxnet3.c
-+++ b/hw/net/vmxnet3.c
-@@ -1420,6 +1420,7 @@ static void vmxnet3_activate_device(VMXNET3State *s)
- vmxnet3_setup_rx_filtering(s);
- /* Cache fields from shared memory */
- s->mtu = VMXNET3_READ_DRV_SHARED32(d, s->drv_shmem, devRead.misc.mtu);
-+ assert(VMXNET3_MIN_MTU <= s->mtu && s->mtu < VMXNET3_MAX_MTU);
- VMW_CFPRN("MTU is %u", s->mtu);
-
- s->max_rx_frags =
-@@ -1473,6 +1474,9 @@ static void vmxnet3_activate_device(VMXNET3State *s)
- /* Read rings memory locations for TX queues */
- pa = VMXNET3_READ_TX_QUEUE_DESCR64(d, qdescr_pa, conf.txRingBasePA);
- size = VMXNET3_READ_TX_QUEUE_DESCR32(d, qdescr_pa, conf.txRingSize);
-+ if (size > VMXNET3_TX_RING_MAX_SIZE) {
-+ size = VMXNET3_TX_RING_MAX_SIZE;
-+ }
-
- vmxnet3_ring_init(d, &s->txq_descr[i].tx_ring, pa, size,
- sizeof(struct Vmxnet3_TxDesc), false);
-@@ -1483,6 +1487,9 @@ static void vmxnet3_activate_device(VMXNET3State *s)
- /* TXC ring */
- pa = VMXNET3_READ_TX_QUEUE_DESCR64(d, qdescr_pa, conf.compRingBasePA);
- size = VMXNET3_READ_TX_QUEUE_DESCR32(d, qdescr_pa, conf.compRingSize);
-+ if (size > VMXNET3_TC_RING_MAX_SIZE) {
-+ size = VMXNET3_TC_RING_MAX_SIZE;
-+ }
- vmxnet3_ring_init(d, &s->txq_descr[i].comp_ring, pa, size,
- sizeof(struct Vmxnet3_TxCompDesc), true);
- VMXNET3_RING_DUMP(VMW_CFPRN, "TXC", i, &s->txq_descr[i].comp_ring);
-@@ -1524,6 +1531,9 @@ static void vmxnet3_activate_device(VMXNET3State *s)
- /* RX rings */
- pa = VMXNET3_READ_RX_QUEUE_DESCR64(d, qd_pa, conf.rxRingBasePA[j]);
- size = VMXNET3_READ_RX_QUEUE_DESCR32(d, qd_pa, conf.rxRingSize[j]);
-+ if (size > VMXNET3_RX_RING_MAX_SIZE) {
-+ size = VMXNET3_RX_RING_MAX_SIZE;
-+ }
- vmxnet3_ring_init(d, &s->rxq_descr[i].rx_ring[j], pa, size,
- sizeof(struct Vmxnet3_RxDesc), false);
- VMW_CFPRN("RX queue %d:%d: Base: %" PRIx64 ", Size: %d",
-@@ -1533,6 +1543,9 @@ static void vmxnet3_activate_device(VMXNET3State *s)
- /* RXC ring */
- pa = VMXNET3_READ_RX_QUEUE_DESCR64(d, qd_pa, conf.compRingBasePA);
- size = VMXNET3_READ_RX_QUEUE_DESCR32(d, qd_pa, conf.compRingSize);
-+ if (size > VMXNET3_RC_RING_MAX_SIZE) {
-+ size = VMXNET3_RC_RING_MAX_SIZE;
-+ }
- vmxnet3_ring_init(d, &s->rxq_descr[i].comp_ring, pa, size,
- sizeof(struct Vmxnet3_RxCompDesc), true);
- VMW_CFPRN("RXC queue %d: Base: %" PRIx64 ", Size: %d", i, pa, size);
---
-2.29.2
diff --git a/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-20221.patch b/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-20221.patch
deleted file mode 100644
index d762a51d..00000000
--- a/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-20221.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-From e428bcfb86fb46d9773ae11e69712052dcff3d45 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
-Date: Sun, 31 Jan 2021 11:34:01 +0100
-Subject: [PATCH] hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Per the ARM Generic Interrupt Controller Architecture specification
-(document "ARM IHI 0048B.b (ID072613)"), the SGIINTID field is 4 bit,
-not 10:
-
- - 4.3 Distributor register descriptions
- - 4.3.15 Software Generated Interrupt Register, GICD_SG
-
- - Table 4-21 GICD_SGIR bit assignments
-
- The Interrupt ID of the SGI to forward to the specified CPU
- interfaces. The value of this field is the Interrupt ID, in
- the range 0-15, for example a value of 0b0011 specifies
- Interrupt ID 3.
-
-Correct the irq mask to fix an undefined behavior (which eventually
-lead to a heap-buffer-overflow, see [Buglink]):
-
- $ echo 'writel 0x8000f00 0xff4affb0' | qemu-system-aarch64 -M virt,accel=qtest -qtest stdio
- [I 1612088147.116987] OPENED
- [R +0.278293] writel 0x8000f00 0xff4affb0
- ../hw/intc/arm_gic.c:1498:13: runtime error: index 944 out of bounds for type 'uint8_t [16][8]'
- SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/intc/arm_gic.c:1498:13
-
-This fixes a security issue when running with KVM on Arm with
-kernel-irqchip=off. (The default is kernel-irqchip=on, which is
-unaffected, and which is also the correct choice for performance.)
-
-Cc: qemu-stable@nongnu.org
-Fixes: CVE-2021-20221
-Fixes: 9ee6e8bb853 ("ARMv7 support.")
-Buglink: https://bugs.launchpad.net/qemu/+bug/1913916
-Buglink: https://bugs.launchpad.net/qemu/+bug/1913917
-Reported-by: Alexander Bulekov <alxndr@bu.edu>
-Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Message-id: 20210131103401.217160-1-f4bug@amsat.org
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-
-Upstream-Status: Backport [edfe2eb4360cde4ed5d95bda7777edcb3510f76a]
-CVE: CVE-2021-20221
-
-Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
----
- hw/intc/arm_gic.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/intc/arm_gic.c b/hw/intc/arm_gic.c
-index c60dc6b5e..fbde60de0 100644
---- a/hw/intc/arm_gic.c
-+++ b/hw/intc/arm_gic.c
-@@ -1474,7 +1474,7 @@ static void gic_dist_writel(void *opaque, hwaddr offset,
- int target_cpu;
-
- cpu = gic_get_current_cpu(s);
-- irq = value & 0x3ff;
-+ irq = value & 0xf;
- switch ((value >> 24) & 3) {
- case 0:
- mask = (value >> 16) & ALL_CPU_MASK;
---
-2.29.2
-
diff --git a/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-20257.patch b/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-20257.patch
deleted file mode 100644
index 7175b24e..00000000
--- a/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-20257.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From affdf476543405045c281a7c67d1eaedbcea8135 Mon Sep 17 00:00:00 2001
-From: Jason Wang <jasowang@redhat.com>
-Date: Wed, 24 Feb 2021 13:45:28 +0800
-Subject: [PATCH] e1000: fail early for evil descriptor
-
-During procss_tx_desc(), driver can try to chain data descriptor with
-legacy descriptor, when will lead underflow for the following
-calculation in process_tx_desc() for bytes:
-
- if (tp->size + bytes > msh)
- bytes = msh - tp->size;
-
-This will lead a infinite loop. So check and fail early if tp->size if
-greater or equal to msh.
-
-Reported-by: Alexander Bulekov <alxndr@bu.edu>
-Reported-by: Cheolwoo Myung <cwmyung@snu.ac.kr>
-Reported-by: Ruhr-University Bochum <bugs-syssec@rub.de>
-Cc: Prasad J Pandit <ppandit@redhat.com>
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Jason Wang <jasowang@redhat.com>
-
-Upstream-Status: Backport [3de46e6fc489c52c9431a8a832ad8170a7569bd8]
-CVE: CVE-2021-20257
-
-Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
----
- hw/net/e1000.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/hw/net/e1000.c b/hw/net/e1000.c
-index cf22c4f07..c3564c7ce 100644
---- a/hw/net/e1000.c
-+++ b/hw/net/e1000.c
-@@ -670,6 +670,9 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
- msh = tp->tso_props.hdr_len + tp->tso_props.mss;
- do {
- bytes = split_size;
-+ if (tp->size >= msh) {
-+ goto eop;
-+ }
- if (tp->size + bytes > msh)
- bytes = msh - tp->size;
-
-@@ -695,6 +698,7 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
- tp->size += split_size;
- }
-
-+eop:
- if (!(txd_lower & E1000_TXD_CMD_EOP))
- return;
- if (!(tp->cptse && tp->size < tp->tso_props.hdr_len)) {
---
-2.29.2
-
diff --git a/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-20263.patch b/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-20263.patch
deleted file mode 100644
index 4f9a91f0..00000000
--- a/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-20263.patch
+++ /dev/null
@@ -1,214 +0,0 @@
-From aaa5f8e00c2e85a893b972f1e243fb14c26b70dc Mon Sep 17 00:00:00 2001
-From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
-Date: Wed, 24 Feb 2021 19:56:25 +0000
-Subject: [PATCH 2/2] virtiofs: drop remapped security.capability xattr as
- needed
-
-On Linux, the 'security.capability' xattr holds a set of
-capabilities that can change when an executable is run, giving
-a limited form of privilege escalation to those programs that
-the writer of the file deemed worthy.
-
-Any write causes the 'security.capability' xattr to be dropped,
-stopping anyone from gaining privilege by modifying a blessed
-file.
-
-Fuse relies on the daemon to do this dropping, and in turn the
-daemon relies on the host kernel to drop the xattr for it. However,
-with the addition of -o xattrmap, the xattr that the guest
-stores its capabilities in is now not the same as the one that
-the host kernel automatically clears.
-
-Where the mapping changes 'security.capability', explicitly clear
-the remapped name to preserve the same behaviour.
-
-This bug is assigned CVE-2021-20263.
-
-Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
-Reviewed-by: Vivek Goyal <vgoyal@redhat.com>
-
-Upstream-Status: Backport [e586edcb410543768ef009eaa22a2d9dd4a53846]
-CVE: CVE-2021-20263
-
-Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
----
- docs/tools/virtiofsd.rst | 4 ++
- tools/virtiofsd/passthrough_ll.c | 77 +++++++++++++++++++++++++++++++-
- 2 files changed, 80 insertions(+), 1 deletion(-)
-
-diff --git a/docs/tools/virtiofsd.rst b/docs/tools/virtiofsd.rst
-index 866b7db3e..00554c75b 100644
---- a/docs/tools/virtiofsd.rst
-+++ b/docs/tools/virtiofsd.rst
-@@ -228,6 +228,10 @@ The 'map' type adds a number of separate rules to add **prepend** as a prefix
- to the matched **key** (or all attributes if **key** is empty).
- There may be at most one 'map' rule and it must be the last rule in the set.
-
-+Note: When the 'security.capability' xattr is remapped, the daemon has to do
-+extra work to remove it during many operations, which the host kernel normally
-+does itself.
-+
- xattr-mapping Examples
- ----------------------
-
-diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
-index 03c5e0d13..c9197da86 100644
---- a/tools/virtiofsd/passthrough_ll.c
-+++ b/tools/virtiofsd/passthrough_ll.c
-@@ -160,6 +160,7 @@ struct lo_data {
- int posix_lock;
- int xattr;
- char *xattrmap;
-+ char *xattr_security_capability;
- char *source;
- char *modcaps;
- double timeout;
-@@ -226,6 +227,8 @@ static __thread bool cap_loaded = 0;
-
- static struct lo_inode *lo_find(struct lo_data *lo, struct stat *st,
- uint64_t mnt_id);
-+static int xattr_map_client(const struct lo_data *lo, const char *client_name,
-+ char **out_name);
-
- static int is_dot_or_dotdot(const char *name)
- {
-@@ -365,6 +368,37 @@ out:
- return ret;
- }
-
-+/*
-+ * The host kernel normally drops security.capability xattr's on
-+ * any write, however if we're remapping xattr names we need to drop
-+ * whatever the clients security.capability is actually stored as.
-+ */
-+static int drop_security_capability(const struct lo_data *lo, int fd)
-+{
-+ if (!lo->xattr_security_capability) {
-+ /* We didn't remap the name, let the host kernel do it */
-+ return 0;
-+ }
-+ if (!fremovexattr(fd, lo->xattr_security_capability)) {
-+ /* All good */
-+ return 0;
-+ }
-+
-+ switch (errno) {
-+ case ENODATA:
-+ /* Attribute didn't exist, that's fine */
-+ return 0;
-+
-+ case ENOTSUP:
-+ /* FS didn't support attribute anyway, also fine */
-+ return 0;
-+
-+ default:
-+ /* Hmm other error */
-+ return errno;
-+ }
-+}
-+
- static void lo_map_init(struct lo_map *map)
- {
- map->elems = NULL;
-@@ -717,6 +751,11 @@ static void lo_setattr(fuse_req_t req, fuse_ino_t ino, struct stat *attr,
- uid_t uid = (valid & FUSE_SET_ATTR_UID) ? attr->st_uid : (uid_t)-1;
- gid_t gid = (valid & FUSE_SET_ATTR_GID) ? attr->st_gid : (gid_t)-1;
-
-+ saverr = drop_security_capability(lo, ifd);
-+ if (saverr) {
-+ goto out_err;
-+ }
-+
- res = fchownat(ifd, "", uid, gid, AT_EMPTY_PATH | AT_SYMLINK_NOFOLLOW);
- if (res == -1) {
- goto out_err;
-@@ -735,6 +774,14 @@ static void lo_setattr(fuse_req_t req, fuse_ino_t ino, struct stat *attr,
- }
- }
-
-+ saverr = drop_security_capability(lo, truncfd);
-+ if (saverr) {
-+ if (!fi) {
-+ close(truncfd);
-+ }
-+ goto out_err;
-+ }
-+
- res = ftruncate(truncfd, attr->st_size);
- if (!fi) {
- saverr = errno;
-@@ -1726,6 +1773,13 @@ static int lo_do_open(struct lo_data *lo, struct lo_inode *inode,
- if (fd < 0) {
- return -fd;
- }
-+ if (fi->flags & (O_TRUNC)) {
-+ int err = drop_security_capability(lo, fd);
-+ if (err) {
-+ close(fd);
-+ return err;
-+ }
-+ }
- }
-
- pthread_mutex_lock(&lo->mutex);
-@@ -2114,6 +2168,12 @@ static void lo_write_buf(fuse_req_t req, fuse_ino_t ino,
- "lo_write_buf(ino=%" PRIu64 ", size=%zd, off=%lu)\n", ino,
- out_buf.buf[0].size, (unsigned long)off);
-
-+ res = drop_security_capability(lo_data(req), out_buf.buf[0].fd);
-+ if (res) {
-+ fuse_reply_err(req, res);
-+ return;
-+ }
-+
- /*
- * If kill_priv is set, drop CAP_FSETID which should lead to kernel
- * clearing setuid/setgid on file.
-@@ -2353,6 +2413,7 @@ static void parse_xattrmap(struct lo_data *lo)
- {
- const char *map = lo->xattrmap;
- const char *tmp;
-+ int ret;
-
- lo->xattr_map_nentries = 0;
- while (*map) {
-@@ -2383,7 +2444,7 @@ static void parse_xattrmap(struct lo_data *lo)
- * the last entry.
- */
- parse_xattrmap_map(lo, map, sep);
-- return;
-+ break;
- } else {
- fuse_log(FUSE_LOG_ERR,
- "%s: Unexpected type;"
-@@ -2452,6 +2513,19 @@ static void parse_xattrmap(struct lo_data *lo)
- fuse_log(FUSE_LOG_ERR, "Empty xattr map\n");
- exit(1);
- }
-+
-+ ret = xattr_map_client(lo, "security.capability",
-+ &lo->xattr_security_capability);
-+ if (ret) {
-+ fuse_log(FUSE_LOG_ERR, "Failed to map security.capability: %s\n",
-+ strerror(ret));
-+ exit(1);
-+ }
-+ if (!strcmp(lo->xattr_security_capability, "security.capability")) {
-+ /* 1-1 mapping, don't need to do anything */
-+ free(lo->xattr_security_capability);
-+ lo->xattr_security_capability = NULL;
-+ }
- }
-
- /*
-@@ -3480,6 +3554,7 @@ static void fuse_lo_data_cleanup(struct lo_data *lo)
-
- free(lo->xattrmap);
- free_xattrmap(lo);
-+ free(lo->xattr_security_capability);
- free(lo->source);
- }
-
---
-2.29.2
-
diff --git a/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3392.patch b/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3392.patch
deleted file mode 100644
index af94cff7..00000000
--- a/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3392.patch
+++ /dev/null
@@ -1,89 +0,0 @@
-From 3791642c8d60029adf9b00bcb4e34d7d8a1aea4d Mon Sep 17 00:00:00 2001
-From: Michael Tokarev <mjt@tls.msk.ru>
-Date: Mon, 19 Apr 2021 15:42:47 +0200
-Subject: [PATCH] mptsas: Remove unused MPTSASState 'pending' field
- (CVE-2021-3392)
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-While processing SCSI i/o requests in mptsas_process_scsi_io_request(),
-the Megaraid emulator appends new MPTSASRequest object 'req' to
-the 's->pending' queue. In case of an error, this same object gets
-dequeued in mptsas_free_request() only if SCSIRequest object
-'req->sreq' is initialised. This may lead to a use-after-free issue.
-
-Since s->pending is actually not used, simply remove it from
-MPTSASState.
-
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Reported-by: Cheolwoo Myung <cwmyung@snu.ac.kr>
-Message-id: 20210419134247.1467982-1-f4bug@amsat.org
-Message-Id: <20210416102243.1293871-1-mjt@msgid.tls.msk.ru>
-Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
-Reported-by: Cheolwoo Myung <cwmyung@snu.ac.kr>
-BugLink: https://bugs.launchpad.net/qemu/+bug/1914236 (CVE-2021-3392)
-Fixes: e351b826112 ("hw: Add support for LSI SAS1068 (mptsas) device")
-[PMD: Reworded description, added more tags]
-Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-
-CVE: CVE-2021-3392
-Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=3791642c8d60029adf9b00bcb4e34d7d8a1aea4d]
-Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
----
- hw/scsi/mptsas.c | 6 ------
- hw/scsi/mptsas.h | 1 -
- 2 files changed, 7 deletions(-)
-
-diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c
-index 7416e7870614..db3219e7d206 100644
---- a/hw/scsi/mptsas.c
-+++ b/hw/scsi/mptsas.c
-@@ -251,13 +251,10 @@ static int mptsas_build_sgl(MPTSASState *s, MPTSASRequest *req, hwaddr addr)
-
- static void mptsas_free_request(MPTSASRequest *req)
- {
-- MPTSASState *s = req->dev;
--
- if (req->sreq != NULL) {
- req->sreq->hba_private = NULL;
- scsi_req_unref(req->sreq);
- req->sreq = NULL;
-- QTAILQ_REMOVE(&s->pending, req, next);
- }
- qemu_sglist_destroy(&req->qsg);
- g_free(req);
-@@ -303,7 +300,6 @@ static int mptsas_process_scsi_io_request(MPTSASState *s,
- }
-
- req = g_new0(MPTSASRequest, 1);
-- QTAILQ_INSERT_TAIL(&s->pending, req, next);
- req->scsi_io = *scsi_io;
- req->dev = s;
-
-@@ -1319,8 +1315,6 @@ static void mptsas_scsi_realize(PCIDevice *dev, Error **errp)
-
- s->request_bh = qemu_bh_new(mptsas_fetch_requests, s);
-
-- QTAILQ_INIT(&s->pending);
--
- scsi_bus_new(&s->bus, sizeof(s->bus), &dev->qdev, &mptsas_scsi_info, NULL);
- }
-
-diff --git a/hw/scsi/mptsas.h b/hw/scsi/mptsas.h
-index b85ac1a5fcc7..c046497db719 100644
---- a/hw/scsi/mptsas.h
-+++ b/hw/scsi/mptsas.h
-@@ -79,7 +79,6 @@ struct MPTSASState {
- uint16_t reply_frame_size;
-
- SCSIBus bus;
-- QTAILQ_HEAD(, MPTSASRequest) pending;
- };
-
- void mptsas_fix_scsi_io_endianness(MPIMsgSCSIIORequest *req);
diff --git a/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3409_1.patch b/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3409_1.patch
deleted file mode 100644
index f9395add..00000000
--- a/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3409_1.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From c01ae9a35b3c6b4a8e1f1bfa0a0caafe394f8b5c Mon Sep 17 00:00:00 2001
-From: Bin Meng <bmeng.cn@gmail.com>
-Date: Tue, 16 Feb 2021 11:46:52 +0800
-Subject: [PATCH 1/6] hw/sd: sdhci: Simplify updating s->prnsts in
- sdhci_sdma_transfer_multi_blocks()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-s->prnsts is updated in both branches of the if () else () statement.
-Move the common bits outside so that it is cleaner.
-
-Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
-Tested-by: Alexander Bulekov <alxndr@bu.edu>
-Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Message-Id: <1613447214-81951-5-git-send-email-bmeng.cn@gmail.com>
-Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-
-Upstream-Status: Backport [8bc1f1aa51d32c3184e7b19d5b94c35ecc06f056]
-CVE: CVE-2021-3409
-
-Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
----
- hw/sd/sdhci.c | 7 +++----
- 1 file changed, 3 insertions(+), 4 deletions(-)
-
-diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
-index 2f8b74a84..f83c5e295 100644
---- a/hw/sd/sdhci.c
-+++ b/hw/sd/sdhci.c
-@@ -596,9 +596,9 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
- page_aligned = true;
- }
-
-+ s->prnsts |= SDHC_DATA_INHIBIT | SDHC_DAT_LINE_ACTIVE;
- if (s->trnmod & SDHC_TRNS_READ) {
-- s->prnsts |= SDHC_DOING_READ | SDHC_DATA_INHIBIT |
-- SDHC_DAT_LINE_ACTIVE;
-+ s->prnsts |= SDHC_DOING_READ;
- while (s->blkcnt) {
- if (s->data_count == 0) {
- sdbus_read_data(&s->sdbus, s->fifo_buffer, block_size);
-@@ -625,8 +625,7 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
- }
- }
- } else {
-- s->prnsts |= SDHC_DOING_WRITE | SDHC_DATA_INHIBIT |
-- SDHC_DAT_LINE_ACTIVE;
-+ s->prnsts |= SDHC_DOING_WRITE;
- while (s->blkcnt) {
- begin = s->data_count;
- if (((boundary_count + begin) < block_size) && page_aligned) {
---
-2.29.2
-
diff --git a/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3409_2.patch b/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3409_2.patch
deleted file mode 100644
index f3d2bb13..00000000
--- a/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3409_2.patch
+++ /dev/null
@@ -1,92 +0,0 @@
-From b9bb4700798bce98888c51d7b6dbc19ec49159d5 Mon Sep 17 00:00:00 2001
-From: Bin Meng <bmeng.cn@gmail.com>
-Date: Wed, 3 Mar 2021 20:26:35 +0800
-Subject: [PATCH 2/6] hw/sd: sdhci: Don't transfer any data when command time
- out
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-At the end of sdhci_send_command(), it starts a data transfer if the
-command register indicates data is associated. But the data transfer
-should only be initiated when the command execution has succeeded.
-
-With this fix, the following reproducer:
-
-outl 0xcf8 0x80001810
-outl 0xcfc 0xe1068000
-outl 0xcf8 0x80001804
-outw 0xcfc 0x7
-write 0xe106802c 0x1 0x0f
-write 0xe1068004 0xc 0x2801d10101fffffbff28a384
-write 0xe106800c 0x1f 0x9dacbbcad9e8f7061524334251606f7e8d9cabbac9d8e7f60514233241505f
-write 0xe1068003 0x28 0x80d000251480d000252280d000253080d000253e80d000254c80d000255a80d000256880d0002576
-write 0xe1068003 0x1 0xfe
-
-cannot be reproduced with the following QEMU command line:
-
-$ qemu-system-x86_64 -nographic -M pc-q35-5.0 \
- -device sdhci-pci,sd-spec-version=3 \
- -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
- -device sd-card,drive=mydrive \
- -monitor none -serial none -qtest stdio
-
-Cc: qemu-stable@nongnu.org
-Fixes: CVE-2020-17380
-Fixes: CVE-2020-25085
-Fixes: CVE-2021-3409
-Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
-Reported-by: Alexander Bulekov <alxndr@bu.edu>
-Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum)
-Reported-by: Sergej Schumilo (Ruhr-Universität Bochum)
-Reported-by: Simon Wörner (Ruhr-Universität Bochum)
-Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
-Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
-Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
-Acked-by: Alistair Francis <alistair.francis@wdc.com>
-Tested-by: Alexander Bulekov <alxndr@bu.edu>
-Tested-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
-Message-Id: <20210303122639.20004-2-bmeng.cn@gmail.com>
-Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-
-Upstream-Status: Backport [b263d8f928001b5cfa2a993ea43b7a5b3a1811e8]
-CVE: CVE-2021-3409
-
-Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
----
- hw/sd/sdhci.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
-index f83c5e295..44f8a82ea 100644
---- a/hw/sd/sdhci.c
-+++ b/hw/sd/sdhci.c
-@@ -326,6 +326,7 @@ static void sdhci_send_command(SDHCIState *s)
- SDRequest request;
- uint8_t response[16];
- int rlen;
-+ bool timeout = false;
-
- s->errintsts = 0;
- s->acmd12errsts = 0;
-@@ -349,6 +350,7 @@ static void sdhci_send_command(SDHCIState *s)
- trace_sdhci_response16(s->rspreg[3], s->rspreg[2],
- s->rspreg[1], s->rspreg[0]);
- } else {
-+ timeout = true;
- trace_sdhci_error("timeout waiting for command response");
- if (s->errintstsen & SDHC_EISEN_CMDTIMEOUT) {
- s->errintsts |= SDHC_EIS_CMDTIMEOUT;
-@@ -369,7 +371,7 @@ static void sdhci_send_command(SDHCIState *s)
-
- sdhci_update_irq(s);
-
-- if (s->blksize && (s->cmdreg & SDHC_CMD_DATA_PRESENT)) {
-+ if (!timeout && s->blksize && (s->cmdreg & SDHC_CMD_DATA_PRESENT)) {
- s->data_count = 0;
- sdhci_data_transfer(s);
- }
---
-2.29.2
-
diff --git a/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3409_3.patch b/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3409_3.patch
deleted file mode 100644
index c3b37ed6..00000000
--- a/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3409_3.patch
+++ /dev/null
@@ -1,109 +0,0 @@
-From 405ca416ccc8135544a4fe5732974497244128c9 Mon Sep 17 00:00:00 2001
-From: Bin Meng <bmeng.cn@gmail.com>
-Date: Wed, 3 Mar 2021 20:26:36 +0800
-Subject: [PATCH 3/6] hw/sd: sdhci: Don't write to SDHC_SYSAD register when
- transfer is in progress
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Per "SD Host Controller Standard Specification Version 7.00"
-chapter 2.2.1 SDMA System Address Register:
-
-This register can be accessed only if no transaction is executing
-(i.e., after a transaction has stopped).
-
-With this fix, the following reproducer:
-
-outl 0xcf8 0x80001010
-outl 0xcfc 0xfbefff00
-outl 0xcf8 0x80001001
-outl 0xcfc 0x06000000
-write 0xfbefff2c 0x1 0x05
-write 0xfbefff0f 0x1 0x37
-write 0xfbefff0a 0x1 0x01
-write 0xfbefff0f 0x1 0x29
-write 0xfbefff0f 0x1 0x02
-write 0xfbefff0f 0x1 0x03
-write 0xfbefff04 0x1 0x01
-write 0xfbefff05 0x1 0x01
-write 0xfbefff07 0x1 0x02
-write 0xfbefff0c 0x1 0x33
-write 0xfbefff0e 0x1 0x20
-write 0xfbefff0f 0x1 0x00
-write 0xfbefff2a 0x1 0x01
-write 0xfbefff0c 0x1 0x00
-write 0xfbefff03 0x1 0x00
-write 0xfbefff05 0x1 0x00
-write 0xfbefff2a 0x1 0x02
-write 0xfbefff0c 0x1 0x32
-write 0xfbefff01 0x1 0x01
-write 0xfbefff02 0x1 0x01
-write 0xfbefff03 0x1 0x01
-
-cannot be reproduced with the following QEMU command line:
-
-$ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \
- -nodefaults -device sdhci-pci,sd-spec-version=3 \
- -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
- -device sd-card,drive=mydrive -qtest stdio
-
-Cc: qemu-stable@nongnu.org
-Fixes: CVE-2020-17380
-Fixes: CVE-2020-25085
-Fixes: CVE-2021-3409
-Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
-Reported-by: Alexander Bulekov <alxndr@bu.edu>
-Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum)
-Reported-by: Sergej Schumilo (Ruhr-Universität Bochum)
-Reported-by: Simon Wörner (Ruhr-Universität Bochum)
-Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
-Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
-Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
-Tested-by: Alexander Bulekov <alxndr@bu.edu>
-Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
-Message-Id: <20210303122639.20004-3-bmeng.cn@gmail.com>
-Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-
-Upstream-Status: Backport [8be45cc947832b3c02144c9d52921f499f2d77fe]
-CVE: CVE-2021-3409
-
-Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
----
- hw/sd/sdhci.c | 20 +++++++++++---------
- 1 file changed, 11 insertions(+), 9 deletions(-)
-
-diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
-index 44f8a82ea..d8a46f307 100644
---- a/hw/sd/sdhci.c
-+++ b/hw/sd/sdhci.c
-@@ -1121,15 +1121,17 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size)
-
- switch (offset & ~0x3) {
- case SDHC_SYSAD:
-- s->sdmasysad = (s->sdmasysad & mask) | value;
-- MASKED_WRITE(s->sdmasysad, mask, value);
-- /* Writing to last byte of sdmasysad might trigger transfer */
-- if (!(mask & 0xFF000000) && TRANSFERRING_DATA(s->prnsts) && s->blkcnt &&
-- s->blksize && SDHC_DMA_TYPE(s->hostctl1) == SDHC_CTRL_SDMA) {
-- if (s->trnmod & SDHC_TRNS_MULTI) {
-- sdhci_sdma_transfer_multi_blocks(s);
-- } else {
-- sdhci_sdma_transfer_single_block(s);
-+ if (!TRANSFERRING_DATA(s->prnsts)) {
-+ s->sdmasysad = (s->sdmasysad & mask) | value;
-+ MASKED_WRITE(s->sdmasysad, mask, value);
-+ /* Writing to last byte of sdmasysad might trigger transfer */
-+ if (!(mask & 0xFF000000) && s->blkcnt && s->blksize &&
-+ SDHC_DMA_TYPE(s->hostctl1) == SDHC_CTRL_SDMA) {
-+ if (s->trnmod & SDHC_TRNS_MULTI) {
-+ sdhci_sdma_transfer_multi_blocks(s);
-+ } else {
-+ sdhci_sdma_transfer_single_block(s);
-+ }
- }
- }
- break;
---
-2.29.2
-
diff --git a/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3409_4.patch b/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3409_4.patch
deleted file mode 100644
index d5be9975..00000000
--- a/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3409_4.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-From b672bcaf5522294a4d8de3e88e0932d55585ee3b Mon Sep 17 00:00:00 2001
-From: Bin Meng <bmeng.cn@gmail.com>
-Date: Wed, 3 Mar 2021 20:26:37 +0800
-Subject: [PATCH 4/6] hw/sd: sdhci: Correctly set the controller status for
- ADMA
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-When an ADMA transfer is started, the codes forget to set the
-controller status to indicate a transfer is in progress.
-
-With this fix, the following 2 reproducers:
-
-https://paste.debian.net/plain/1185136
-https://paste.debian.net/plain/1185141
-
-cannot be reproduced with the following QEMU command line:
-
-$ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \
- -nodefaults -device sdhci-pci,sd-spec-version=3 \
- -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
- -device sd-card,drive=mydrive -qtest stdio
-
-Cc: qemu-stable@nongnu.org
-Fixes: CVE-2020-17380
-Fixes: CVE-2020-25085
-Fixes: CVE-2021-3409
-Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
-Reported-by: Alexander Bulekov <alxndr@bu.edu>
-Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum)
-Reported-by: Sergej Schumilo (Ruhr-Universität Bochum)
-Reported-by: Simon Wörner (Ruhr-Universität Bochum)
-Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
-Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
-Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
-Tested-by: Alexander Bulekov <alxndr@bu.edu>
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
-Message-Id: <20210303122639.20004-4-bmeng.cn@gmail.com>
-Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-
-Upstream-Status: Backport [bc6f28995ff88f5d82c38afcfd65406f0ae375aa]
-CVE: CVE-2021-3409
-
-Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
----
- hw/sd/sdhci.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
-index d8a46f307..7de03c6dd 100644
---- a/hw/sd/sdhci.c
-+++ b/hw/sd/sdhci.c
-@@ -768,7 +768,9 @@ static void sdhci_do_adma(SDHCIState *s)
-
- switch (dscr.attr & SDHC_ADMA_ATTR_ACT_MASK) {
- case SDHC_ADMA_ATTR_ACT_TRAN: /* data transfer */
-+ s->prnsts |= SDHC_DATA_INHIBIT | SDHC_DAT_LINE_ACTIVE;
- if (s->trnmod & SDHC_TRNS_READ) {
-+ s->prnsts |= SDHC_DOING_READ;
- while (length) {
- if (s->data_count == 0) {
- sdbus_read_data(&s->sdbus, s->fifo_buffer, block_size);
-@@ -796,6 +798,7 @@ static void sdhci_do_adma(SDHCIState *s)
- }
- }
- } else {
-+ s->prnsts |= SDHC_DOING_WRITE;
- while (length) {
- begin = s->data_count;
- if ((length + begin) < block_size) {
---
-2.29.2
-
diff --git a/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3409_5.patch b/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3409_5.patch
deleted file mode 100644
index 71990568..00000000
--- a/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3409_5.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From c2298884cf6bcf2b047b4bae5f78432b052b5729 Mon Sep 17 00:00:00 2001
-From: Bin Meng <bmeng.cn@gmail.com>
-Date: Wed, 3 Mar 2021 20:26:38 +0800
-Subject: [PATCH 5/6] hw/sd: sdhci: Limit block size only when SDHC_BLKSIZE
- register is writable
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The codes to limit the maximum block size is only necessary when
-SDHC_BLKSIZE register is writable.
-
-Tested-by: Alexander Bulekov <alxndr@bu.edu>
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
-Message-Id: <20210303122639.20004-5-bmeng.cn@gmail.com>
-Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-
-Upstream-Status: Backport [5cd7aa3451b76bb19c0f6adc2b931f091e5d7fcd]
-CVE: CVE-2021-3409
-
-Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
----
- hw/sd/sdhci.c | 14 +++++++-------
- 1 file changed, 7 insertions(+), 7 deletions(-)
-
-diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
-index 7de03c6dd..6c780126e 100644
---- a/hw/sd/sdhci.c
-+++ b/hw/sd/sdhci.c
-@@ -1142,15 +1142,15 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size)
- if (!TRANSFERRING_DATA(s->prnsts)) {
- MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12));
- MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16);
-- }
-
-- /* Limit block size to the maximum buffer size */
-- if (extract32(s->blksize, 0, 12) > s->buf_maxsz) {
-- qemu_log_mask(LOG_GUEST_ERROR, "%s: Size 0x%x is larger than "
-- "the maximum buffer 0x%x\n", __func__, s->blksize,
-- s->buf_maxsz);
-+ /* Limit block size to the maximum buffer size */
-+ if (extract32(s->blksize, 0, 12) > s->buf_maxsz) {
-+ qemu_log_mask(LOG_GUEST_ERROR, "%s: Size 0x%x is larger than "
-+ "the maximum buffer 0x%x\n", __func__, s->blksize,
-+ s->buf_maxsz);
-
-- s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz);
-+ s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz);
-+ }
- }
-
- break;
---
-2.29.2
-
diff --git a/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3409_6.patch b/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3409_6.patch
deleted file mode 100644
index 624c1f64..00000000
--- a/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3409_6.patch
+++ /dev/null
@@ -1,99 +0,0 @@
-From db916870a839346767b6d5ca7d0eed3128ba5fea Mon Sep 17 00:00:00 2001
-From: Bin Meng <bmeng.cn@gmail.com>
-Date: Wed, 3 Mar 2021 20:26:39 +0800
-Subject: [PATCH 6/6] hw/sd: sdhci: Reset the data pointer of s->fifo_buffer[]
- when a different block size is programmed
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-If the block size is programmed to a different value from the
-previous one, reset the data pointer of s->fifo_buffer[] so that
-s->fifo_buffer[] can be filled in using the new block size in
-the next transfer.
-
-With this fix, the following reproducer:
-
-outl 0xcf8 0x80001010
-outl 0xcfc 0xe0000000
-outl 0xcf8 0x80001001
-outl 0xcfc 0x06000000
-write 0xe000002c 0x1 0x05
-write 0xe0000005 0x1 0x02
-write 0xe0000007 0x1 0x01
-write 0xe0000028 0x1 0x10
-write 0x0 0x1 0x23
-write 0x2 0x1 0x08
-write 0xe000000c 0x1 0x01
-write 0xe000000e 0x1 0x20
-write 0xe000000f 0x1 0x00
-write 0xe000000c 0x1 0x32
-write 0xe0000004 0x2 0x0200
-write 0xe0000028 0x1 0x00
-write 0xe0000003 0x1 0x40
-
-cannot be reproduced with the following QEMU command line:
-
-$ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \
- -nodefaults -device sdhci-pci,sd-spec-version=3 \
- -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
- -device sd-card,drive=mydrive -qtest stdio
-
-Cc: qemu-stable@nongnu.org
-Fixes: CVE-2020-17380
-Fixes: CVE-2020-25085
-Fixes: CVE-2021-3409
-Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
-Reported-by: Alexander Bulekov <alxndr@bu.edu>
-Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum)
-Reported-by: Sergej Schumilo (Ruhr-Universität Bochum)
-Reported-by: Simon Wörner (Ruhr-Universität Bochum)
-Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
-Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
-Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
-Tested-by: Alexander Bulekov <alxndr@bu.edu>
-Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
-Message-Id: <20210303122639.20004-6-bmeng.cn@gmail.com>
-Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-
-Upstream-Status: Backport [cffb446e8fd19a14e1634c7a3a8b07be3f01d5c9]
-CVE: CVE-2021-3409
-
-Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
----
- hw/sd/sdhci.c | 12 ++++++++++++
- 1 file changed, 12 insertions(+)
-
-diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
-index 6c780126e..216842420 100644
---- a/hw/sd/sdhci.c
-+++ b/hw/sd/sdhci.c
-@@ -1140,6 +1140,8 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size)
- break;
- case SDHC_BLKSIZE:
- if (!TRANSFERRING_DATA(s->prnsts)) {
-+ uint16_t blksize = s->blksize;
-+
- MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12));
- MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16);
-
-@@ -1151,6 +1153,16 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size)
-
- s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz);
- }
-+
-+ /*
-+ * If the block size is programmed to a different value from
-+ * the previous one, reset the data pointer of s->fifo_buffer[]
-+ * so that s->fifo_buffer[] can be filled in using the new block
-+ * size in the next transfer.
-+ */
-+ if (blksize != s->blksize) {
-+ s->data_count = 0;
-+ }
- }
-
- break;
---
-2.29.2
-
diff --git a/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3416_1.patch b/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3416_1.patch
deleted file mode 100644
index 5bacd674..00000000
--- a/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3416_1.patch
+++ /dev/null
@@ -1,177 +0,0 @@
-From 4b1988a29d67277d6c8ce1df52975f5616592913 Mon Sep 17 00:00:00 2001
-From: Jason Wang <jasowang@redhat.com>
-Date: Wed, 24 Feb 2021 11:44:36 +0800
-Subject: [PATCH 01/10] net: introduce qemu_receive_packet()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Some NIC supports loopback mode and this is done by calling
-nc->info->receive() directly which in fact suppresses the effort of
-reentrancy check that is done in qemu_net_queue_send().
-
-Unfortunately we can't use qemu_net_queue_send() here since for
-loopback there's no sender as peer, so this patch introduce a
-qemu_receive_packet() which is used for implementing loopback mode
-for a NIC with this check.
-
-NIC that supports loopback mode will be converted to this helper.
-
-This is intended to address CVE-2021-3416.
-
-Cc: Prasad J Pandit <ppandit@redhat.com>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Jason Wang <jasowang@redhat.com>
-
-Upstream-Status: Backport [705df5466c98f3efdd2b68d3b31dad86858acad7]
-CVE: CVE-2021-3416
-
-Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
----
- include/net/net.h | 5 +++++
- include/net/queue.h | 8 ++++++++
- net/net.c | 38 +++++++++++++++++++++++++++++++-------
- net/queue.c | 22 ++++++++++++++++++++++
- 4 files changed, 66 insertions(+), 7 deletions(-)
-
-diff --git a/include/net/net.h b/include/net/net.h
-index 778fc787c..03f058ecb 100644
---- a/include/net/net.h
-+++ b/include/net/net.h
-@@ -143,12 +143,17 @@ void *qemu_get_nic_opaque(NetClientState *nc);
- void qemu_del_net_client(NetClientState *nc);
- typedef void (*qemu_nic_foreach)(NICState *nic, void *opaque);
- void qemu_foreach_nic(qemu_nic_foreach func, void *opaque);
-+int qemu_can_receive_packet(NetClientState *nc);
- int qemu_can_send_packet(NetClientState *nc);
- ssize_t qemu_sendv_packet(NetClientState *nc, const struct iovec *iov,
- int iovcnt);
- ssize_t qemu_sendv_packet_async(NetClientState *nc, const struct iovec *iov,
- int iovcnt, NetPacketSent *sent_cb);
- ssize_t qemu_send_packet(NetClientState *nc, const uint8_t *buf, int size);
-+ssize_t qemu_receive_packet(NetClientState *nc, const uint8_t *buf, int size);
-+ssize_t qemu_receive_packet_iov(NetClientState *nc,
-+ const struct iovec *iov,
-+ int iovcnt);
- ssize_t qemu_send_packet_raw(NetClientState *nc, const uint8_t *buf, int size);
- ssize_t qemu_send_packet_async(NetClientState *nc, const uint8_t *buf,
- int size, NetPacketSent *sent_cb);
-diff --git a/include/net/queue.h b/include/net/queue.h
-index c0269bb1d..9f2f289d7 100644
---- a/include/net/queue.h
-+++ b/include/net/queue.h
-@@ -55,6 +55,14 @@ void qemu_net_queue_append_iov(NetQueue *queue,
-
- void qemu_del_net_queue(NetQueue *queue);
-
-+ssize_t qemu_net_queue_receive(NetQueue *queue,
-+ const uint8_t *data,
-+ size_t size);
-+
-+ssize_t qemu_net_queue_receive_iov(NetQueue *queue,
-+ const struct iovec *iov,
-+ int iovcnt);
-+
- ssize_t qemu_net_queue_send(NetQueue *queue,
- NetClientState *sender,
- unsigned flags,
-diff --git a/net/net.c b/net/net.c
-index 6a2c3d956..5e15e5d27 100644
---- a/net/net.c
-+++ b/net/net.c
-@@ -528,6 +528,17 @@ int qemu_set_vnet_be(NetClientState *nc, bool is_be)
- #endif
- }
-
-+int qemu_can_receive_packet(NetClientState *nc)
-+{
-+ if (nc->receive_disabled) {
-+ return 0;
-+ } else if (nc->info->can_receive &&
-+ !nc->info->can_receive(nc)) {
-+ return 0;
-+ }
-+ return 1;
-+}
-+
- int qemu_can_send_packet(NetClientState *sender)
- {
- int vm_running = runstate_is_running();
-@@ -540,13 +551,7 @@ int qemu_can_send_packet(NetClientState *sender)
- return 1;
- }
-
-- if (sender->peer->receive_disabled) {
-- return 0;
-- } else if (sender->peer->info->can_receive &&
-- !sender->peer->info->can_receive(sender->peer)) {
-- return 0;
-- }
-- return 1;
-+ return qemu_can_receive_packet(sender->peer);
- }
-
- static ssize_t filter_receive_iov(NetClientState *nc,
-@@ -679,6 +684,25 @@ ssize_t qemu_send_packet(NetClientState *nc, const uint8_t *buf, int size)
- return qemu_send_packet_async(nc, buf, size, NULL);
- }
-
-+ssize_t qemu_receive_packet(NetClientState *nc, const uint8_t *buf, int size)
-+{
-+ if (!qemu_can_receive_packet(nc)) {
-+ return 0;
-+ }
-+
-+ return qemu_net_queue_receive(nc->incoming_queue, buf, size);
-+}
-+
-+ssize_t qemu_receive_packet_iov(NetClientState *nc, const struct iovec *iov,
-+ int iovcnt)
-+{
-+ if (!qemu_can_receive_packet(nc)) {
-+ return 0;
-+ }
-+
-+ return qemu_net_queue_receive_iov(nc->incoming_queue, iov, iovcnt);
-+}
-+
- ssize_t qemu_send_packet_raw(NetClientState *nc, const uint8_t *buf, int size)
- {
- return qemu_send_packet_async_with_flags(nc, QEMU_NET_PACKET_FLAG_RAW,
-diff --git a/net/queue.c b/net/queue.c
-index 19e32c80f..c872d51df 100644
---- a/net/queue.c
-+++ b/net/queue.c
-@@ -182,6 +182,28 @@ static ssize_t qemu_net_queue_deliver_iov(NetQueue *queue,
- return ret;
- }
-
-+ssize_t qemu_net_queue_receive(NetQueue *queue,
-+ const uint8_t *data,
-+ size_t size)
-+{
-+ if (queue->delivering) {
-+ return 0;
-+ }
-+
-+ return qemu_net_queue_deliver(queue, NULL, 0, data, size);
-+}
-+
-+ssize_t qemu_net_queue_receive_iov(NetQueue *queue,
-+ const struct iovec *iov,
-+ int iovcnt)
-+{
-+ if (queue->delivering) {
-+ return 0;
-+ }
-+
-+ return qemu_net_queue_deliver_iov(queue, NULL, 0, iov, iovcnt);
-+}
-+
- ssize_t qemu_net_queue_send(NetQueue *queue,
- NetClientState *sender,
- unsigned flags,
---
-2.29.2
-
diff --git a/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3416_10.patch b/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3416_10.patch
deleted file mode 100644
index 7deec1a3..00000000
--- a/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3416_10.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 65b851efd3d0280425c202f4e5880c48f8334dae Mon Sep 17 00:00:00 2001
-From: Alexander Bulekov <alxndr@bu.edu>
-Date: Mon, 1 Mar 2021 14:35:30 -0500
-Subject: [PATCH 10/10] lan9118: switch to use qemu_receive_packet() for
- loopback
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This patch switches to use qemu_receive_packet() which can detect
-reentrancy and return early.
-
-This is intended to address CVE-2021-3416.
-
-Cc: Prasad J Pandit <ppandit@redhat.com>
-Cc: qemu-stable@nongnu.org
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
-Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
-Signed-off-by: Jason Wang <jasowang@redhat.com>
-
-Upstream-Status: Backport [37cee01784ff0df13e5209517e1b3594a5e792d1]
-CVE: CVE-2021-3416
-
-Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
----
- hw/net/lan9118.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/net/lan9118.c b/hw/net/lan9118.c
-index ab57c02c8..75f18ae2d 100644
---- a/hw/net/lan9118.c
-+++ b/hw/net/lan9118.c
-@@ -669,7 +669,7 @@ static void do_tx_packet(lan9118_state *s)
- /* FIXME: Honor TX disable, and allow queueing of packets. */
- if (s->phy_control & 0x4000) {
- /* This assumes the receive routine doesn't touch the VLANClient. */
-- lan9118_receive(qemu_get_queue(s->nic), s->txp->data, s->txp->len);
-+ qemu_receive_packet(qemu_get_queue(s->nic), s->txp->data, s->txp->len);
- } else {
- qemu_send_packet(qemu_get_queue(s->nic), s->txp->data, s->txp->len);
- }
---
-2.29.2
-
diff --git a/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3416_2.patch b/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3416_2.patch
deleted file mode 100644
index 5e53e20b..00000000
--- a/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3416_2.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From e2a48a3c7cc33dbbe89f896e0f07462cb04ff6b5 Mon Sep 17 00:00:00 2001
-From: Jason Wang <jasowang@redhat.com>
-Date: Wed, 24 Feb 2021 12:13:22 +0800
-Subject: [PATCH 02/10] e1000: switch to use qemu_receive_packet() for loopback
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This patch switches to use qemu_receive_packet() which can detect
-reentrancy and return early.
-
-This is intended to address CVE-2021-3416.
-
-Cc: Prasad J Pandit <ppandit@redhat.com>
-Cc: qemu-stable@nongnu.org
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Signed-off-by: Jason Wang <jasowang@redhat.com>
-
-Upstream-Status: Backport [1caff0340f49c93d535c6558a5138d20d475315c]
-CVE: CVE-2021-3416
-
-Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
----
- hw/net/e1000.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/net/e1000.c b/hw/net/e1000.c
-index d7d05ae30..cf22c4f07 100644
---- a/hw/net/e1000.c
-+++ b/hw/net/e1000.c
-@@ -546,7 +546,7 @@ e1000_send_packet(E1000State *s, const uint8_t *buf, int size)
-
- NetClientState *nc = qemu_get_queue(s->nic);
- if (s->phy_reg[PHY_CTRL] & MII_CR_LOOPBACK) {
-- nc->info->receive(nc, buf, size);
-+ qemu_receive_packet(nc, buf, size);
- } else {
- qemu_send_packet(nc, buf, size);
- }
---
-2.29.2
-
diff --git a/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3416_3.patch b/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3416_3.patch
deleted file mode 100644
index 3fc469e3..00000000
--- a/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3416_3.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From c041a4da1ff119715e0ccf2d4a7af62568f17b93 Mon Sep 17 00:00:00 2001
-From: Jason Wang <jasowang@redhat.com>
-Date: Wed, 24 Feb 2021 12:57:40 +0800
-Subject: [PATCH 03/10] dp8393x: switch to use qemu_receive_packet() for
- loopback packet
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This patch switches to use qemu_receive_packet() which can detect
-reentrancy and return early.
-
-This is intended to address CVE-2021-3416.
-
-Cc: Prasad J Pandit <ppandit@redhat.com>
-Cc: qemu-stable@nongnu.org
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
-Signed-off-by: Jason Wang <jasowang@redhat.com>
-
-Upstream-Status: Backport [331d2ac9ea307c990dc86e6493e8f0c48d14bb33]
-CVE: CVE-2021-3416
-
-Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
----
- hw/net/dp8393x.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
-index 205c0decc..533a8304d 100644
---- a/hw/net/dp8393x.c
-+++ b/hw/net/dp8393x.c
-@@ -506,7 +506,7 @@ static void dp8393x_do_transmit_packets(dp8393xState *s)
- s->regs[SONIC_TCR] |= SONIC_TCR_CRSL;
- if (nc->info->can_receive(nc)) {
- s->loopback_packet = 1;
-- nc->info->receive(nc, s->tx_buffer, tx_len);
-+ qemu_receive_packet(nc, s->tx_buffer, tx_len);
- }
- } else {
- /* Transmit packet */
---
-2.29.2
-
diff --git a/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3416_4.patch b/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3416_4.patch
deleted file mode 100644
index e14f3773..00000000
--- a/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3416_4.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 9ac5345344b75995bc96d171eaa5dc8d26bf0e21 Mon Sep 17 00:00:00 2001
-From: Jason Wang <jasowang@redhat.com>
-Date: Wed, 24 Feb 2021 13:00:01 +0800
-Subject: [PATCH 04/10] msf2-mac: switch to use qemu_receive_packet() for
- loopback
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This patch switches to use qemu_receive_packet() which can detect
-reentrancy and return early.
-
-This is intended to address CVE-2021-3416.
-
-Cc: Prasad J Pandit <ppandit@redhat.com>
-Cc: qemu-stable@nongnu.org
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Signed-off-by: Jason Wang <jasowang@redhat.com>
-
-Upstream-Status: Backport [26194a58f4eb83c5bdf4061a1628508084450ba1]
-CVE: CVE-2021-3416
-
-Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
----
- hw/net/msf2-emac.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/net/msf2-emac.c b/hw/net/msf2-emac.c
-index 32ba9e841..3e6206044 100644
---- a/hw/net/msf2-emac.c
-+++ b/hw/net/msf2-emac.c
-@@ -158,7 +158,7 @@ static void msf2_dma_tx(MSF2EmacState *s)
- * R_CFG1 bit 0 is set.
- */
- if (s->regs[R_CFG1] & R_CFG1_LB_EN_MASK) {
-- nc->info->receive(nc, buf, size);
-+ qemu_receive_packet(nc, buf, size);
- } else {
- qemu_send_packet(nc, buf, size);
- }
---
-2.29.2
-
diff --git a/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3416_5.patch b/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3416_5.patch
deleted file mode 100644
index c3f8f975..00000000
--- a/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3416_5.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From d465dc79c9ee729d91ef086b993e956b1935be69 Mon Sep 17 00:00:00 2001
-From: Jason Wang <jasowang@redhat.com>
-Date: Wed, 24 Feb 2021 13:14:35 +0800
-Subject: [PATCH 05/10] sungem: switch to use qemu_receive_packet() for
- loopback
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This patch switches to use qemu_receive_packet() which can detect
-reentrancy and return early.
-
-This is intended to address CVE-2021-3416.
-
-Cc: Prasad J Pandit <ppandit@redhat.com>
-Cc: qemu-stable@nongnu.org
-Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
-Signed-off-by: Jason Wang <jasowang@redhat.com>
-
-Upstream-Status: Backport [8c92060d3c0248bd4d515719a35922cd2391b9b4]
-CVE: CVE-2021-3416
-
-Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
----
- hw/net/sungem.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/net/sungem.c b/hw/net/sungem.c
-index 33c3722df..3684a4d73 100644
---- a/hw/net/sungem.c
-+++ b/hw/net/sungem.c
-@@ -306,7 +306,7 @@ static void sungem_send_packet(SunGEMState *s, const uint8_t *buf,
- NetClientState *nc = qemu_get_queue(s->nic);
-
- if (s->macregs[MAC_XIFCFG >> 2] & MAC_XIFCFG_LBCK) {
-- nc->info->receive(nc, buf, size);
-+ qemu_receive_packet(nc, buf, size);
- } else {
- qemu_send_packet(nc, buf, size);
- }
---
-2.29.2
-
diff --git a/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3416_6.patch b/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3416_6.patch
deleted file mode 100644
index 855c6970..00000000
--- a/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3416_6.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From c0010f9b2bafe866fe32e3c2688454bc24147136 Mon Sep 17 00:00:00 2001
-From: Jason Wang <jasowang@redhat.com>
-Date: Wed, 24 Feb 2021 13:27:52 +0800
-Subject: [PATCH 06/10] tx_pkt: switch to use qemu_receive_packet_iov() for
- loopback
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This patch switches to use qemu_receive_receive_iov() which can detect
-reentrancy and return early.
-
-This is intended to address CVE-2021-3416.
-
-Cc: Prasad J Pandit <ppandit@redhat.com>
-Cc: qemu-stable@nongnu.org
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Signed-off-by: Jason Wang <jasowang@redhat.com>
-
-Upstream-Status: Backport [8c552542b81e56ff532dd27ec6e5328954bdda73]
-CVE: CVE-2021-3416
-
-Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
----
- hw/net/net_tx_pkt.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c
-index da262edc3..1f9aa59ec 100644
---- a/hw/net/net_tx_pkt.c
-+++ b/hw/net/net_tx_pkt.c
-@@ -553,7 +553,7 @@ static inline void net_tx_pkt_sendv(struct NetTxPkt *pkt,
- NetClientState *nc, const struct iovec *iov, int iov_cnt)
- {
- if (pkt->is_loopback) {
-- nc->info->receive_iov(nc, iov, iov_cnt);
-+ qemu_receive_packet_iov(nc, iov, iov_cnt);
- } else {
- qemu_sendv_packet(nc, iov, iov_cnt);
- }
---
-2.29.2
-
diff --git a/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3416_7.patch b/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3416_7.patch
deleted file mode 100644
index 4e1115de..00000000
--- a/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3416_7.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 64b38675c728354e4015e4bec3d975cd4cb8a981 Mon Sep 17 00:00:00 2001
-From: Alexander Bulekov <alxndr@bu.edu>
-Date: Fri, 26 Feb 2021 13:47:53 -0500
-Subject: [PATCH 07/10] rtl8139: switch to use qemu_receive_packet() for
- loopback
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This patch switches to use qemu_receive_packet() which can detect
-reentrancy and return early.
-
-This is intended to address CVE-2021-3416.
-
-Cc: Prasad J Pandit <ppandit@redhat.com>
-Cc: qemu-stable@nongnu.org
-Buglink: https://bugs.launchpad.net/qemu/+bug/1910826
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
-Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
-Signed-off-by: Jason Wang <jasowang@redhat.com>
-
-Upstream-Status: Backport [5311fb805a4403bba024e83886fa0e7572265de4]
-CVE: CVE-2021-3416
-
-Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
----
- hw/net/rtl8139.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
-index ba5ace1ab..d2dd03e6a 100644
---- a/hw/net/rtl8139.c
-+++ b/hw/net/rtl8139.c
-@@ -1795,7 +1795,7 @@ static void rtl8139_transfer_frame(RTL8139State *s, uint8_t *buf, int size,
- }
-
- DPRINTF("+++ transmit loopback mode\n");
-- rtl8139_do_receive(qemu_get_queue(s->nic), buf, size, do_interrupt);
-+ qemu_receive_packet(qemu_get_queue(s->nic), buf, size);
-
- if (iov) {
- g_free(buf2);
---
-2.29.2
-
diff --git a/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3416_8.patch b/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3416_8.patch
deleted file mode 100644
index ed716468..00000000
--- a/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3416_8.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 023ce62f0a788ad3a8233c7a828554bceeafd031 Mon Sep 17 00:00:00 2001
-From: Alexander Bulekov <alxndr@bu.edu>
-Date: Mon, 1 Mar 2021 10:33:34 -0500
-Subject: [PATCH 08/10] pcnet: switch to use qemu_receive_packet() for loopback
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This patch switches to use qemu_receive_packet() which can detect
-reentrancy and return early.
-
-This is intended to address CVE-2021-3416.
-
-Cc: Prasad J Pandit <ppandit@redhat.com>
-Cc: qemu-stable@nongnu.org
-Buglink: https://bugs.launchpad.net/qemu/+bug/1917085
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
-Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
-Signed-off-by: Jason Wang <jasowang@redhat.com>
-
-Upstream-Status: Backport [99ccfaa1edafd79f7a3a0ff7b58ae4da7c514928]
-CVE: CVE-2021-3416
-
-Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
----
- hw/net/pcnet.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
-index f3f18d859..dcd3fc494 100644
---- a/hw/net/pcnet.c
-+++ b/hw/net/pcnet.c
-@@ -1250,7 +1250,7 @@ txagain:
- if (BCR_SWSTYLE(s) == 1)
- add_crc = !GET_FIELD(tmd.status, TMDS, NOFCS);
- s->looptest = add_crc ? PCNET_LOOPTEST_CRC : PCNET_LOOPTEST_NOCRC;
-- pcnet_receive(qemu_get_queue(s->nic), s->buffer, s->xmit_pos);
-+ qemu_receive_packet(qemu_get_queue(s->nic), s->buffer, s->xmit_pos);
- s->looptest = 0;
- } else {
- if (s->nic) {
---
-2.29.2
-
diff --git a/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3416_9.patch b/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3416_9.patch
deleted file mode 100644
index 39d32b33..00000000
--- a/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3416_9.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From ecf7e62bb2cb02c9bd40082504ae376f3e19ffd2 Mon Sep 17 00:00:00 2001
-From: Alexander Bulekov <alxndr@bu.edu>
-Date: Mon, 1 Mar 2021 14:33:43 -0500
-Subject: [PATCH 09/10] cadence_gem: switch to use qemu_receive_packet() for
- loopback
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This patch switches to use qemu_receive_packet() which can detect
-reentrancy and return early.
-
-This is intended to address CVE-2021-3416.
-
-Cc: Prasad J Pandit <ppandit@redhat.com>
-Cc: qemu-stable@nongnu.org
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
-Signed-off-by: Jason Wang <jasowang@redhat.com>
-
-Upstream-Status: Backport [e73adfbeec9d4e008630c814759052ed945c3fed]
-CVE: CVE-2021-3416
-
-Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
----
- hw/net/cadence_gem.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/hw/net/cadence_gem.c b/hw/net/cadence_gem.c
-index 7a534691f..43b760e3f 100644
---- a/hw/net/cadence_gem.c
-+++ b/hw/net/cadence_gem.c
-@@ -1275,8 +1275,8 @@ static void gem_transmit(CadenceGEMState *s)
- /* Send the packet somewhere */
- if (s->phy_loop || (s->regs[GEM_NWCTRL] &
- GEM_NWCTRL_LOCALLOOP)) {
-- gem_receive(qemu_get_queue(s->nic), s->tx_packet,
-- total_bytes);
-+ qemu_receive_packet(qemu_get_queue(s->nic), s->tx_packet,
-+ total_bytes);
- } else {
- qemu_send_packet(qemu_get_queue(s->nic), s->tx_packet,
- total_bytes);
---
-2.29.2
-
diff --git a/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3527-1.patch b/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3527-1.patch
deleted file mode 100644
index 77a53856..00000000
--- a/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3527-1.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 05a40b172e4d691371534828078be47e7fff524c Mon Sep 17 00:00:00 2001
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Mon, 3 May 2021 15:29:15 +0200
-Subject: [PATCH] usb: limit combined packets to 1 MiB (CVE-2021-3527)
-
-usb-host and usb-redirect try to batch bulk transfers by combining many
-small usb packets into a single, large transfer request, to reduce the
-overhead and improve performance.
-
-This patch adds a size limit of 1 MiB for those combined packets to
-restrict the host resources the guest can bind that way.
-
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Message-Id: <20210503132915.2335822-6-kraxel@redhat.com>
-
-Upstream-Status: Backport
-https://gitlab.com/qemu-project/qemu/-/commit/05a40b172e4d691371534828078be47e7fff524c
-CVE: CVE-2021-3527
-Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
-
----
- hw/usb/combined-packet.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/hw/usb/combined-packet.c b/hw/usb/combined-packet.c
-index 5d57e883dc..e56802f89a 100644
---- a/hw/usb/combined-packet.c
-+++ b/hw/usb/combined-packet.c
-@@ -171,7 +171,9 @@ void usb_ep_combine_input_packets(USBEndpoint *ep)
- if ((p->iov.size % ep->max_packet_size) != 0 || !p->short_not_ok ||
- next == NULL ||
- /* Work around for Linux usbfs bulk splitting + migration */
-- (totalsize == (16 * KiB - 36) && p->int_req)) {
-+ (totalsize == (16 * KiB - 36) && p->int_req) ||
-+ /* Next package may grow combined package over 1MiB */
-+ totalsize > 1 * MiB - ep->max_packet_size) {
- usb_device_handle_data(ep->dev, first);
- assert(first->status == USB_RET_ASYNC);
- if (first->combined) {
---
-GitLab
-
diff --git a/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3527-2.patch b/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3527-2.patch
deleted file mode 100644
index 6371aced..00000000
--- a/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3527-2.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From 7ec54f9eb62b5d177e30eb8b1cad795a5f8d8986 Mon Sep 17 00:00:00 2001
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Mon, 3 May 2021 15:29:12 +0200
-Subject: [PATCH] usb/redir: avoid dynamic stack allocation (CVE-2021-3527)
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Use autofree heap allocation instead.
-
-Fixes: 4f4321c11ff ("usb: use iovecs in USBPacket")
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Message-Id: <20210503132915.2335822-3-kraxel@redhat.com>
-
-Upstream-Status: Backport
-https://gitlab.com/qemu-project/qemu/-/commit/7ec54f9eb62b5d177e30eb8b1cad795a5f8d8986
-CVE: CVE-2021-3527
-Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
-
----
- hw/usb/redirect.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
-index 17f06f3417..6a75b0dc4a 100644
---- a/hw/usb/redirect.c
-+++ b/hw/usb/redirect.c
-@@ -620,7 +620,7 @@ static void usbredir_handle_iso_data(USBRedirDevice *dev, USBPacket *p,
- .endpoint = ep,
- .length = p->iov.size
- };
-- uint8_t buf[p->iov.size];
-+ g_autofree uint8_t *buf = g_malloc(p->iov.size);
- /* No id, we look at the ep when receiving a status back */
- usb_packet_copy(p, buf, p->iov.size);
- usbredirparser_send_iso_packet(dev->parser, 0, &iso_packet,
-@@ -818,7 +818,7 @@ static void usbredir_handle_bulk_data(USBRedirDevice *dev, USBPacket *p,
- usbredirparser_send_bulk_packet(dev->parser, p->id,
- &bulk_packet, NULL, 0);
- } else {
-- uint8_t buf[size];
-+ g_autofree uint8_t *buf = g_malloc(size);
- usb_packet_copy(p, buf, size);
- usbredir_log_data(dev, "bulk data out:", buf, size);
- usbredirparser_send_bulk_packet(dev->parser, p->id,
-@@ -923,7 +923,7 @@ static void usbredir_handle_interrupt_out_data(USBRedirDevice *dev,
- USBPacket *p, uint8_t ep)
- {
- struct usb_redir_interrupt_packet_header interrupt_packet;
-- uint8_t buf[p->iov.size];
-+ g_autofree uint8_t *buf = g_malloc(p->iov.size);
-
- DPRINTF("interrupt-out ep %02X len %zd id %"PRIu64"\n", ep,
- p->iov.size, p->id);
---
-GitLab
-
diff --git a/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3582.patch b/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3582.patch
deleted file mode 100644
index 7a88e293..00000000
--- a/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3582.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 284f191b4abad213aed04cb0458e1600fd18d7c4 Mon Sep 17 00:00:00 2001
-From: Marcel Apfelbaum <marcel@redhat.com>
-Date: Wed, 16 Jun 2021 14:06:00 +0300
-Subject: [PATCH] hw/rdma: Fix possible mremap overflow in the pvrdma device
- (CVE-2021-3582)
-
-Ensure mremap boundaries not trusting the guest kernel to
-pass the correct buffer length.
-
-Fixes: CVE-2021-3582
-Reported-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
-Tested-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
-Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
-Message-Id: <20210616110600.20889-1-marcel.apfelbaum@gmail.com>
-Reviewed-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
-Tested-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
-Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
-Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
-
-CVE: CVE-2021-3582
-Upstream-Status: Backport [284f191b4abad213aed04cb0458e1600fd18d7c4]
-Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
----
- hw/rdma/vmw/pvrdma_cmd.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
-index f59879e257..da7ddfa548 100644
---- a/hw/rdma/vmw/pvrdma_cmd.c
-+++ b/hw/rdma/vmw/pvrdma_cmd.c
-@@ -38,6 +38,13 @@ static void *pvrdma_map_to_pdir(PCIDevice *pdev, uint64_t pdir_dma,
- return NULL;
- }
-
-+ length = ROUND_UP(length, TARGET_PAGE_SIZE);
-+ if (nchunks * TARGET_PAGE_SIZE != length) {
-+ rdma_error_report("Invalid nchunks/length (%u, %lu)", nchunks,
-+ (unsigned long)length);
-+ return NULL;
-+ }
-+
- dir = rdma_pci_dma_map(pdev, pdir_dma, TARGET_PAGE_SIZE);
- if (!dir) {
- rdma_error_report("Failed to map to page directory");
---
-2.25.1
-
diff --git a/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3607.patch b/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3607.patch
deleted file mode 100644
index 0547c744..00000000
--- a/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3607.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 32e5703cfea07c91e6e84bcb0313f633bb146534 Mon Sep 17 00:00:00 2001
-From: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
-Date: Wed, 30 Jun 2021 14:46:34 +0300
-Subject: [PATCH] pvrdma: Ensure correct input on ring init (CVE-2021-3607)
-
-Check the guest passed a non zero page count
-for pvrdma device ring buffers.
-
-Fixes: CVE-2021-3607
-Reported-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
-Reviewed-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
-Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
-Message-Id: <20210630114634.2168872-1-marcel@redhat.com>
-Reviewed-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
-Tested-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
-Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
-
-CVE: CVE-2021-3607
-Upstream-Status: Backport [32e5703cfea07c91e6e84bcb0313f633bb146534]
-Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
----
- hw/rdma/vmw/pvrdma_main.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c
-index 84ae8024fc..7c0c3551a8 100644
---- a/hw/rdma/vmw/pvrdma_main.c
-+++ b/hw/rdma/vmw/pvrdma_main.c
-@@ -92,6 +92,11 @@ static int init_dev_ring(PvrdmaRing *ring, PvrdmaRingState **ring_state,
- uint64_t *dir, *tbl;
- int rc = 0;
-
-+ if (!num_pages) {
-+ rdma_error_report("Ring pages count must be strictly positive");
-+ return -EINVAL;
-+ }
-+
- dir = rdma_pci_dma_map(pci_dev, dir_addr, TARGET_PAGE_SIZE);
- if (!dir) {
- rdma_error_report("Failed to map to page directory (ring %s)", name);
---
-2.25.1
-
diff --git a/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3608.patch b/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3608.patch
deleted file mode 100644
index 22d68b02..00000000
--- a/meta-oniro-staging/recipes-devtools/qemu/qemu/CVE-2021-3608.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 66ae37d8cc313f89272e711174a846a229bcdbd3 Mon Sep 17 00:00:00 2001
-From: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
-Date: Wed, 30 Jun 2021 14:52:46 +0300
-Subject: [PATCH] pvrdma: Fix the ring init error flow (CVE-2021-3608)
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Do not unmap uninitialized dma addresses.
-
-Fixes: CVE-2021-3608
-Reviewed-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
-Tested-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
-Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
-Message-Id: <20210630115246.2178219-1-marcel@redhat.com>
-Tested-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
-Reviewed-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
-
-CVE: CVE-2021-3608
-Upstream-Status: Backport [66ae37d8cc313f89272e711174a846a229bcdbd3]
-Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
----
- hw/rdma/vmw/pvrdma_dev_ring.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/rdma/vmw/pvrdma_dev_ring.c b/hw/rdma/vmw/pvrdma_dev_ring.c
-index 074ac59b84..42130667a7 100644
---- a/hw/rdma/vmw/pvrdma_dev_ring.c
-+++ b/hw/rdma/vmw/pvrdma_dev_ring.c
-@@ -41,7 +41,7 @@ int pvrdma_ring_init(PvrdmaRing *ring, const char *name, PCIDevice *dev,
- qatomic_set(&ring->ring_state->cons_head, 0);
- */
- ring->npages = npages;
-- ring->pages = g_malloc(npages * sizeof(void *));
-+ ring->pages = g_malloc0(npages * sizeof(void *));
-
- for (i = 0; i < npages; i++) {
- if (!tbl[i]) {
---
-2.25.1
-
diff --git a/meta-oniro-staging/recipes-devtools/qemu/qemu/cross.patch b/meta-oniro-staging/recipes-devtools/qemu/qemu/cross.patch
deleted file mode 100644
index 438c1ad0..00000000
--- a/meta-oniro-staging/recipes-devtools/qemu/qemu/cross.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-We need to be able to trigger configure's cross code but we don't want
-to set cross_prefix as it does other things we don't want. Patch things
-so we can do what we need in the target config case.
-
-Upstream-Status: Inappropriate [may be rewritten in a way upstream may accept?]
-Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-
-
-Index: qemu-5.2.0/configure
-===================================================================
---- qemu-5.2.0.orig/configure
-+++ qemu-5.2.0/configure
-@@ -6973,7 +6973,6 @@ if has $sdl2_config; then
- fi
- echo "strip = [$(meson_quote $strip)]" >> $cross
- echo "windres = [$(meson_quote $windres)]" >> $cross
--if test -n "$cross_prefix"; then
- cross_arg="--cross-file config-meson.cross"
- echo "[host_machine]" >> $cross
- if test "$mingw32" = "yes" ; then
-@@ -6999,9 +6998,6 @@ if test -n "$cross_prefix"; then
- else
- echo "endian = 'little'" >> $cross
- fi
--else
-- cross_arg="--native-file config-meson.cross"
--fi
- mv $cross config-meson.cross
-
- rm -rf meson-private meson-info meson-logs
diff --git a/meta-oniro-staging/recipes-devtools/qemu/qemu/determinism.patch b/meta-oniro-staging/recipes-devtools/qemu/qemu/determinism.patch
deleted file mode 100644
index cb1c9077..00000000
--- a/meta-oniro-staging/recipes-devtools/qemu/qemu/determinism.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-When sources are included within debug information, a couple of areas of the
-qemu build are not reproducible due to either full buildpaths or timestamps.
-
-Replace the full paths with relative ones. I couldn't figure out how to get
-meson to pass relative paths but we can fix that in the script.
-
-For the keymaps, omit the timestamps as they don't matter to us.
-
-Upstream-Status: Pending [some version of all/part of this may be accepted]
-RP 2021/3/1
-
-Index: qemu-5.2.0/scripts/decodetree.py
-===================================================================
---- qemu-5.2.0.orig/scripts/decodetree.py
-+++ qemu-5.2.0/scripts/decodetree.py
-@@ -1303,8 +1303,8 @@ def main():
- toppat = ExcMultiPattern(0)
-
- for filename in args:
-- input_file = filename
-- f = open(filename, 'r')
-+ input_file = os.path.relpath(filename)
-+ f = open(input_file, 'r')
- parse_file(f, toppat)
- f.close()
-
-Index: qemu-5.2.0/ui/keycodemapdb/tools/keymap-gen
-===================================================================
---- qemu-5.2.0.orig/ui/keycodemapdb/tools/keymap-gen
-+++ qemu-5.2.0/ui/keycodemapdb/tools/keymap-gen
-@@ -317,9 +317,8 @@ class LanguageGenerator(object):
- raise NotImplementedError()
-
- def generate_header(self, database, args):
-- today = time.strftime("%Y-%m-%d %H:%M")
- self._boilerplate([
-- "This file is auto-generated from keymaps.csv on %s" % today,
-+ "This file is auto-generated from keymaps.csv",
- "Database checksum sha256(%s)" % database.mapchecksum,
- "To re-generate, run:",
- " %s" % args,
diff --git a/meta-oniro-staging/recipes-devtools/qemu/qemu/mingwfix.patch b/meta-oniro-staging/recipes-devtools/qemu/qemu/mingwfix.patch
deleted file mode 100644
index 8d76cef6..00000000
--- a/meta-oniro-staging/recipes-devtools/qemu/qemu/mingwfix.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-OE assumes that mingw files are in a unix like file layout. The
-'flattening' done by configure in qemu for mingw32 breaks things
-for us. We are discussing with upstream but for now, hack this to
-disable it and use the unix like layout everywhere.
-
-Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-Upstream-Status: Submitted [https://lists.gnu.org/archive/html/qemu-devel/2021-01/msg01073.html]
-
-Index: qemu-5.2.0/configure
-===================================================================
---- qemu-5.2.0.orig/configure
-+++ qemu-5.2.0/configure
-@@ -1541,7 +1541,7 @@ libdir="${libdir:-$prefix/lib}"
- libexecdir="${libexecdir:-$prefix/libexec}"
- includedir="${includedir:-$prefix/include}"
-
--if test "$mingw32" = "yes" ; then
-+if test "$mingw32" = "dontwantthis" ; then
- mandir="$prefix"
- datadir="$prefix"
- docdir="$prefix"
diff --git a/meta-oniro-staging/recipes-devtools/qemu/qemu/mmap.patch b/meta-oniro-staging/recipes-devtools/qemu/qemu/mmap.patch
deleted file mode 100644
index edd9734f..00000000
--- a/meta-oniro-staging/recipes-devtools/qemu/qemu/mmap.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-If mremap() is called without the MREMAP_MAYMOVE flag with a start address
-just before the end of memory (reserved_va) where new_size would exceed
-GUEST_ADD_MAX, the assert(end - 1 <= GUEST_ADDR_MAX) in page_set_flags()
-would trigger.
-
-Add an extra guard to the guest_range_valid() checks to prevent this and
-avoid asserting binaries when reserved_va is set.
-
-This meant a test case now gives the same behaviour regardless of whether
-reserved_va is set or not.
-
-Upstream-Status: Backport [https://github.com/qemu/qemu/commit/ccc5ccc17f8cfbfd87d9aede5d12a2d47c56e712]
-Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org
-
-Index: qemu-5.2.0/linux-user/mmap.c
-===================================================================
---- qemu-5.2.0.orig/linux-user/mmap.c
-+++ qemu-5.2.0/linux-user/mmap.c
-@@ -727,7 +727,9 @@ abi_long target_mremap(abi_ulong old_add
-
- if (!guest_range_valid(old_addr, old_size) ||
- ((flags & MREMAP_FIXED) &&
-- !guest_range_valid(new_addr, new_size))) {
-+ !guest_range_valid(new_addr, new_size)) ||
-+ ((flags & MREMAP_MAYMOVE) == 0 &&
-+ !guest_range_valid(old_addr, new_size))) {
- errno = ENOMEM;
- return -1;
- }
diff --git a/meta-oniro-staging/recipes-devtools/qemu/qemu/mmap2.patch b/meta-oniro-staging/recipes-devtools/qemu/qemu/mmap2.patch
deleted file mode 100644
index 16521317..00000000
--- a/meta-oniro-staging/recipes-devtools/qemu/qemu/mmap2.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-When using qemu-i386 to build qemux86 webkitgtk on musl, it sits in an
-infinite loop of mremap calls of ever decreasing/increasing addresses.
-
-I suspect something in the musl memory allocation code loops indefinitely
-if it only sees ENOMEM and only exits when it hits EFAULT.
-
-According to the docs, trying to mremap outside the address space
-can/should return EFAULT and changing this allows the build to succeed.
-
-A better return value for the other cases of invalid addresses is EINVAL
-rather than ENOMEM so adjust the other part of the test to this.
-
-Upstream-Status: Submitted [https://lists.gnu.org/archive/html/qemu-devel/2021-01/msg01355.html]
-Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org
-
-Index: qemu-5.2.0/linux-user/mmap.c
-===================================================================
---- qemu-5.2.0.orig/linux-user/mmap.c
-+++ qemu-5.2.0/linux-user/mmap.c
-@@ -722,12 +722,14 @@ abi_long target_mremap(abi_ulong old_add
- int prot;
- void *host_addr;
-
-- if (!guest_range_valid(old_addr, old_size) ||
-- ((flags & MREMAP_FIXED) &&
-- !guest_range_valid(new_addr, new_size)) ||
-- ((flags & MREMAP_MAYMOVE) == 0 &&
-- !guest_range_valid(old_addr, new_size))) {
-- errno = ENOMEM;
-+ if (!guest_range_valid(old_addr, old_size)) {
-+ errno = EFAULT;
-+ return -1;
-+ }
-+
-+ if (((flags & MREMAP_FIXED) && !guest_range_valid(new_addr, new_size)) ||
-+ ((flags & MREMAP_MAYMOVE) == 0 && !guest_range_valid(old_addr, new_size))) {
-+ errno = EINVAL;
- return -1;
- }
-
diff --git a/meta-oniro-staging/recipes-devtools/qemu/qemu/powerpc_rom.bin b/meta-oniro-staging/recipes-devtools/qemu/qemu/powerpc_rom.bin
deleted file mode 100644
index c4044296c51529878f5d2a46230949d09ef1d4e2..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001
literal 4096
zcmeHJQEMDk6h4#Pn8Z}5VUd7UHb$_7oo16ZWvl_Wq7bx}RV;`Ib~1CD44Ivo&djz(
z20DZ^Sm;B1^P!YL$|?xr50Dxx<W1-=Nb#jAB1A;VL+N<VoqKm?mo4n8m<wmm`OZ1_
zyXT&{cV+<&$6*H!JMdrW!2M?){{b*MgY{|vBVVIFj`A$ZQ4}1?4fK1d-SMjkR6spQ
z_GQ*+=6p}1edN8j-n~$%zt8GvfO5${M!BlzGeJ!LBFYOW#4B+{V8!s70opWVtXD3@
zDYsT7E6WA+<uUG+56Lw@`umUh__@Kqf6n8Nx^M%7WfVF8S{METF%22NokAEuO`<ed
z!}V9WmvV;4>hcYvi`OX{&F6WBRnw|kl?KhhA=dzmNj!qa7`0aw&RpKS@@VUVz<iB3
zMpQ$|xW4%zN%nJ?dQI!dwdlD}J%p)_T~Q;N05Shf4N8(@M;Ibka{YvEauGg?vIjtA
zbqtD8FaGQiqq(Cfl+!&ZM!lezVg)+I$)>XgU6}SL_e61d_GCWQDdT+4h>0J6J|vY6
z?n%vooL{&VPxp1(X12&CZmJJ@_@6`fnCE!)^YzN9>I}3^S{w(>9Y>+QAbsI`)YLe%
zhsb^kg>uN3pwJm3OoIDU=pIs8v?nECzNOo>lb47s&EaP<^|yU5q9tpZ%W9g#!{`Jv
zr|0H!wb2^S$51#BeALr<I95i*YdC^h)=oK8XTDy_e`39s6Efd#dZB8#PUySXQy=qb
zi2XtSc~LLG(q`vgB_qvg-;s)C8L6AkMN@f2<h+bp)Cgs?d9P4!Wp?qtu*JH{JmPj=
z9X5+MwRTe6R?5lm8zJYFbLBH3ET5Y^zkF@UH=8!Po3GplAFV<2I`~fY=BxF=C+}Vd
z-|60b7yIC&+PdqT)q3&`#C`C|bJS5^Z@xl5eDtl8^${oMHJ06gIf&9&36H?r)A;V4
z#+S@==jEcgSd;QG&rb6RyBX$`vA~Dw|Jwn1zD7)T#WL6@;i|`=;hOjXG2Diyht{Ia
zU{W_tp9O(xFxw7bGO#{l!uHt`7`AJysF!?pxyc-36&9O84uw{OE$RWwxh&Ptjb*0V
zmcvvc1M`U<9+ne0ptr1=y`Obs#c{9N%v@sN>&_Cx0<&mZafTbZr#AFp1v*?A3Nlm0
zZzgj>xMKNXQ@2&xYBnqPS-@>HKdpGnx?^IqQWS)y+YFH+ToxY7u|nTegHZRwP8V}b
zSae+sEb;%K*M1#ny}qNsYkLXA5B@1?u>#SJLhH*7Xlm<8f;#-X1y`fH6W_i8$-egB
zukYdwC~E6a_+TB*MCN`S^Bz_3)<>=KiD-M`L~SkEkMBZtb6dHCdSP>WD2n&sT(mn?
z+PpV(Q@b~GE4~eH#;xQaDju($jbT{3o+O+D*Tz`w>>7;I`r2-i+`I$ItrjS_{sHo6
zTN_Ym=RSmE(Ze$(%wLGV!aq8Lpw!l&igq#Dm@1(jj;@#MaSO(y^{Eo=O`A-R1mJvJ
aoLIp7h<sDgFE5ple~0izly{QHzx@jx&XA}8
diff --git a/meta-oniro-staging/recipes-devtools/qemu/qemu/run-ptest b/meta-oniro-staging/recipes-devtools/qemu/qemu/run-ptest
deleted file mode 100644
index f9a4e8fb..00000000
--- a/meta-oniro-staging/recipes-devtools/qemu/qemu/run-ptest
+++ /dev/null
@@ -1,13 +0,0 @@
-#!/bin/sh
-#
-#This script is used to run qemu test suites
-#
-
-ptestdir=$(dirname "$(readlink -f "$0")")
-export SRC_PATH=$ptestdir
-
-cd $ptestdir/tests
-tests=$(find . -name "test-*" ! -name "*.p")
-for f in $tests; do
- $f | sed '/^ok/ s/ok/PASS:/g'
-done
diff --git a/meta-oniro-staging/recipes-devtools/qemu/qemu_5.2.0.bb b/meta-oniro-staging/recipes-devtools/qemu/qemu_5.2.0.bb
deleted file mode 100644
index 7afa66e3..00000000
--- a/meta-oniro-staging/recipes-devtools/qemu/qemu_5.2.0.bb
+++ /dev/null
@@ -1,28 +0,0 @@
-BBCLASSEXTEND = "nativesdk"
-
-require qemu.inc
-
-# error: a parameter list without types is only allowed in a function definition
-# void (*_function)(sigval_t);
-COMPATIBLE_HOST_libc-musl = 'null'
-
-DEPENDS = "glib-2.0 zlib pixman bison-native ninja-native meson-native"
-
-RDEPENDS_${PN}_class-target += "bash"
-
-EXTRA_OECONF_append_class-target = " --target-list=${@get_qemu_target_list(d)}"
-EXTRA_OECONF_append_class-target_mipsarcho32 = "${@bb.utils.contains('BBEXTENDCURR', 'multilib', ' --disable-capstone', '', d)}"
-EXTRA_OECONF_append_class-nativesdk = " --target-list=${@get_qemu_target_list(d)}"
-
-do_install_append_class-nativesdk() {
- ${@bb.utils.contains('PACKAGECONFIG', 'gtk+', 'make_qemu_wrapper', '', d)}
-}
-
-PACKAGECONFIG ??= " \
- fdt sdl kvm \
- ${@bb.utils.filter('DISTRO_FEATURES', 'alsa xen', d)} \
- ${@bb.utils.contains('DISTRO_FEATURES', 'opengl', 'virglrenderer glx', '', d)} \
-"
-PACKAGECONFIG_class-nativesdk ??= "fdt sdl kvm \
- ${@bb.utils.contains('DISTRO_FEATURES', 'opengl', 'virglrenderer glx', '', d)} \
-"
diff --git a/meta-oniro-staging/recipes-devtools/qemu/qemuwrapper-cross_1.0.bb b/meta-oniro-staging/recipes-devtools/qemu/qemuwrapper-cross_1.0.bb
deleted file mode 100644
index a0448a18..00000000
--- a/meta-oniro-staging/recipes-devtools/qemu/qemuwrapper-cross_1.0.bb
+++ /dev/null
@@ -1,39 +0,0 @@
-SUMMARY = "QEMU wrapper script"
-HOMEPAGE = "http://qemu.org"
-LICENSE = "MIT"
-
-S = "${WORKDIR}"
-
-DEPENDS += "qemu-native"
-
-inherit qemu
-
-do_populate_sysroot[depends] = ""
-
-do_install () {
- install -d ${D}${bindir_crossscripts}/
-
- qemu_binary=${@qemu_target_binary(d)}
- qemu_options='${QEMU_OPTIONS} -E LD_LIBRARY_PATH=$D${libdir}:$D${base_libdir}'
-
- cat >> ${D}${bindir_crossscripts}/${MLPREFIX}qemuwrapper << EOF
-#!/bin/sh
-set -x
-
-if [ ${@bb.utils.contains('MACHINE_FEATURES', 'qemu-usermode', 'True', 'False', d)} = False -a "${PN}" != "nativesdk-qemuwrapper-cross" ]; then
- echo "qemuwrapper: qemu usermode is not supported"
- exit 1
-fi
-
-
-$qemu_binary $qemu_options "\$@"
-EOF
-
- chmod +x ${D}${bindir_crossscripts}/${MLPREFIX}qemuwrapper
-}
-
-SYSROOT_DIRS += "${bindir_crossscripts}"
-
-INHIBIT_DEFAULT_DEPS = "1"
-
-BBCLASSEXTEND = "nativesdk"
--
GitLab