public inbox for gentoo-commits@lists.gentoo.org
 help / color / mirror / Atom feed
* [gentoo-commits] repo/gentoo:master commit in: app-emulation/qemu/files/
@ 2019-05-20 16:27 Matthias Maier
  0 siblings, 0 replies; 21+ messages in thread
From: Matthias Maier @ 2019-05-20 16:27 UTC (permalink / raw
  To: gentoo-commits

commit:     cbedf5e1f9b2591cdd337a5fa915d76210e96cdf
Author:     Matthias Maier <tamiko <AT> gentoo <DOT> org>
AuthorDate: Mon May 20 16:27:04 2019 +0000
Commit:     Matthias Maier <tamiko <AT> gentoo <DOT> org>
CommitDate: Mon May 20 16:27:28 2019 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cbedf5e1

app-emulation/qemu: fix systemtap patch

Thanks to hangglider <AT> gmx.de for pointing this out!

Closes: https://bugs.gentoo.org/686370
Package-Manager: Portage-2.3.66, Repoman-2.3.12
Signed-off-by: Matthias Maier <tamiko <AT> gentoo.org>

 app-emulation/qemu/files/qemu-4.0.0-mkdir_systemtap.patch | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/app-emulation/qemu/files/qemu-4.0.0-mkdir_systemtap.patch b/app-emulation/qemu/files/qemu-4.0.0-mkdir_systemtap.patch
index abfcbd1b9af..95ccdd7a4b1 100644
--- a/app-emulation/qemu/files/qemu-4.0.0-mkdir_systemtap.patch
+++ b/app-emulation/qemu/files/qemu-4.0.0-mkdir_systemtap.patch
@@ -2,11 +2,11 @@ diff --git a/Makefile b/Makefile
 index 04a0d450..e0013a59 100644
 --- a/Makefile
 +++ b/Makefile
-@@ -760,6 +760,7 @@ ifneq ($(TOOLS),)
- 	$(INSTALL_DATA) qemu-nbd.8 "$(DESTDIR)$(mandir)/man8"
+@@ -803,6 +802,7 @@
+ 	$(call install-prog,$(HELPERS-y),$(DESTDIR)$(libexecdir))
  endif
  ifdef CONFIG_TRACE_SYSTEMTAP
 +	mkdir -p $(DESTDIR)$(bindir)
- 	$(INSTALL_DATA) scripts/qemu-trace-stap.1 "$(DESTDIR)$(mandir)/man1"
+ 	$(INSTALL_PROG) "scripts/qemu-trace-stap" $(DESTDIR)$(bindir)
  endif
- ifneq (,$(findstring qemu-ga,$(TOOLS)))
+ ifneq ($(BLOBS),)


^ permalink raw reply related	[flat|nested] 21+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: app-emulation/qemu/files/
@ 2024-08-20  8:01 Joonas Niilola
  0 siblings, 0 replies; 21+ messages in thread
From: Joonas Niilola @ 2024-08-20  8:01 UTC (permalink / raw
  To: gentoo-commits

commit:     90ea995dd8a8427bade0a55798cc97ee92990d42
Author:     Michael Mair-Keimberger <mmk <AT> levelnine <DOT> at>
AuthorDate: Mon Jul 22 16:38:46 2024 +0000
Commit:     Joonas Niilola <juippis <AT> gentoo <DOT> org>
CommitDate: Tue Aug 20 08:01:34 2024 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=90ea995d

app-emulation/qemu: remove unused patch

Signed-off-by: Michael Mair-Keimberger <mmk <AT> levelnine.at>
Signed-off-by: Joonas Niilola <juippis <AT> gentoo.org>

 .../qemu-7.2.0-linux-headers-6.2-glibc-2.36.patch  | 137 ---------------------
 1 file changed, 137 deletions(-)

diff --git a/app-emulation/qemu/files/qemu-7.2.0-linux-headers-6.2-glibc-2.36.patch b/app-emulation/qemu/files/qemu-7.2.0-linux-headers-6.2-glibc-2.36.patch
deleted file mode 100644
index 2a58ca1ad735..000000000000
--- a/app-emulation/qemu/files/qemu-7.2.0-linux-headers-6.2-glibc-2.36.patch
+++ /dev/null
@@ -1,137 +0,0 @@
-https://bugs.gentoo.org/895662
-https://gitlab.com/qemu-project/qemu/-/commit/9f0246539ae84a5e21efd1cc4516fc343f08115a
-https://gitlab.com/qemu-project/qemu/-/commit/6003159ce18faad4e1bc7bf9c85669019cd4950e
-
-From 9f0246539ae84a5e21efd1cc4516fc343f08115a Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
-Date: Tue, 10 Jan 2023 12:49:00 -0500
-Subject: [PATCH] Revert "linux-user: add more compat ioctl definitions"
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This reverts commit c5495f4ecb0cdaaf2e9dddeb48f1689cdb520ca0.
-
-glibc has fixed (in 2.36.9000-40-g774058d729) the problem
-that caused a clash when both sys/mount.h annd linux/mount.h
-are included, and backported this to the 2.36 stable release
-too:
-
-  https://sourceware.org/glibc/wiki/Release/2.36#Usage_of_.3Clinux.2Fmount.h.3E_and_.3Csys.2Fmount.h.3E
-
-It is saner for QEMU to remove the workaround it applied for
-glibc 2.36 and expect distros to ship the 2.36 maint release
-with the fix. This avoids needing to add a further workaround
-to QEMU to deal with the fact that linux/brtfs.h now also pulls
-in linux/mount.h via linux/fs.h since Linux 6.1
-
-Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
-Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Message-Id: <20230110174901.2580297-2-berrange@redhat.com>
-Signed-off-by: Laurent Vivier <laurent@vivier.eu>
---- a/linux-user/syscall.c
-+++ b/linux-user/syscall.c
-@@ -111,31 +111,6 @@
- #define FS_IOC32_SETFLAGS              _IOW('f', 2, int)
- #define FS_IOC32_GETVERSION            _IOR('v', 1, int)
- #define FS_IOC32_SETVERSION            _IOW('v', 2, int)
--
--#define BLKGETSIZE64 _IOR(0x12,114,size_t)
--#define BLKDISCARD _IO(0x12,119)
--#define BLKIOMIN _IO(0x12,120)
--#define BLKIOOPT _IO(0x12,121)
--#define BLKALIGNOFF _IO(0x12,122)
--#define BLKPBSZGET _IO(0x12,123)
--#define BLKDISCARDZEROES _IO(0x12,124)
--#define BLKSECDISCARD _IO(0x12,125)
--#define BLKROTATIONAL _IO(0x12,126)
--#define BLKZEROOUT _IO(0x12,127)
--
--#define FIBMAP     _IO(0x00,1)
--#define FIGETBSZ   _IO(0x00,2)
--
--struct file_clone_range {
--        __s64 src_fd;
--        __u64 src_offset;
--        __u64 src_length;
--        __u64 dest_offset;
--};
--
--#define FICLONE         _IOW(0x94, 9, int)
--#define FICLONERANGE    _IOW(0x94, 13, struct file_clone_range)
--
- #else
- #include <linux/fs.h>
- #endif
--- 
-GitLab
-
-From 6003159ce18faad4e1bc7bf9c85669019cd4950e Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
-Date: Tue, 10 Jan 2023 12:49:01 -0500
-Subject: [PATCH] Revert "linux-user: fix compat with glibc >= 2.36
- sys/mount.h"
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This reverts commit 3cd3df2a9584e6f753bb62a0028bd67124ab5532.
-
-glibc has fixed (in 2.36.9000-40-g774058d729) the problem
-that caused a clash when both sys/mount.h annd linux/mount.h
-are included, and backported this to the 2.36 stable release
-too:
-
-  https://sourceware.org/glibc/wiki/Release/2.36#Usage_of_.3Clinux.2Fmount.h.3E_and_.3Csys.2Fmount.h.3E
-
-It is saner for QEMU to remove the workaround it applied for
-glibc 2.36 and expect distros to ship the 2.36 maint release
-with the fix. This avoids needing to add a further workaround
-to QEMU to deal with the fact that linux/brtfs.h now also pulls
-in linux/mount.h via linux/fs.h since Linux 6.1
-
-Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
-Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Message-Id: <20230110174901.2580297-3-berrange@redhat.com>
-Signed-off-by: Laurent Vivier <laurent@vivier.eu>
---- a/linux-user/syscall.c
-+++ b/linux-user/syscall.c
-@@ -95,25 +95,7 @@
- #include <linux/soundcard.h>
- #include <linux/kd.h>
- #include <linux/mtio.h>
--
--#ifdef HAVE_SYS_MOUNT_FSCONFIG
--/*
-- * glibc >= 2.36 linux/mount.h conflicts with sys/mount.h,
-- * which in turn prevents use of linux/fs.h. So we have to
-- * define the constants ourselves for now.
-- */
--#define FS_IOC_GETFLAGS                _IOR('f', 1, long)
--#define FS_IOC_SETFLAGS                _IOW('f', 2, long)
--#define FS_IOC_GETVERSION              _IOR('v', 1, long)
--#define FS_IOC_SETVERSION              _IOW('v', 2, long)
--#define FS_IOC_FIEMAP                  _IOWR('f', 11, struct fiemap)
--#define FS_IOC32_GETFLAGS              _IOR('f', 1, int)
--#define FS_IOC32_SETFLAGS              _IOW('f', 2, int)
--#define FS_IOC32_GETVERSION            _IOR('v', 1, int)
--#define FS_IOC32_SETVERSION            _IOW('v', 2, int)
--#else
- #include <linux/fs.h>
--#endif
- #include <linux/fd.h>
- #if defined(CONFIG_FIEMAP)
- #include <linux/fiemap.h>
---- a/meson.build
-+++ b/meson.build
-@@ -2046,8 +2046,6 @@ config_host_data.set('HAVE_OPTRESET',
-                      cc.has_header_symbol('getopt.h', 'optreset'))
- config_host_data.set('HAVE_IPPROTO_MPTCP',
-                      cc.has_header_symbol('netinet/in.h', 'IPPROTO_MPTCP'))
--config_host_data.set('HAVE_SYS_MOUNT_FSCONFIG',
--                     cc.has_header_symbol('sys/mount.h', 'FSCONFIG_SET_FLAG'))
- 
- # has_member
- config_host_data.set('HAVE_SIGEV_NOTIFY_THREAD_ID',
--- 
-GitLab


^ permalink raw reply related	[flat|nested] 21+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: app-emulation/qemu/files/
@ 2023-11-20 20:20 Ulrich Müller
  0 siblings, 0 replies; 21+ messages in thread
From: Ulrich Müller @ 2023-11-20 20:20 UTC (permalink / raw
  To: gentoo-commits

commit:     467b4eb965534778ef9bc685ffe8038940d6b232
Author:     Michael Mair-Keimberger <mmk <AT> levelnine <DOT> at>
AuthorDate: Tue Nov  7 18:00:41 2023 +0000
Commit:     Ulrich Müller <ulm <AT> gentoo <DOT> org>
CommitDate: Mon Nov 20 20:19:54 2023 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=467b4eb9

app-emulation/qemu: remove unused patch

Signed-off-by: Michael Mair-Keimberger <mmk <AT> levelnine.at>
Signed-off-by: Ulrich Müller <ulm <AT> gentoo.org>

 .../qemu/files/qemu-7.2.0-tcg-curl-ssl.patch       | 182 ---------------------
 1 file changed, 182 deletions(-)

diff --git a/app-emulation/qemu/files/qemu-7.2.0-tcg-curl-ssl.patch b/app-emulation/qemu/files/qemu-7.2.0-tcg-curl-ssl.patch
deleted file mode 100644
index 2b0a9f630371..000000000000
--- a/app-emulation/qemu/files/qemu-7.2.0-tcg-curl-ssl.patch
+++ /dev/null
@@ -1,182 +0,0 @@
-https://bugs.gentoo.org/895746#c3
-https://gitlab.com/qemu-project/qemu/-/issues/1471
-https://gitlab.com/qemu-project/qemu/-/commit/60c7dd22e1383754d5f150bc9f7c2785c662a7b6
-
-From 60c7dd22e1383754d5f150bc9f7c2785c662a7b6 Mon Sep 17 00:00:00 2001
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Tue, 31 Jan 2023 09:48:03 +0100
-Subject: [PATCH] target/i386: fix ADOX followed by ADCX
-
-When ADCX is followed by ADOX or vice versa, the second instruction's
-carry comes from EFLAGS and the condition codes use the CC_OP_ADCOX
-operation.  Retrieving the carry from EFLAGS is handled by this bit
-of gen_ADCOX:
-
-        tcg_gen_extract_tl(carry_in, cpu_cc_src,
-            ctz32(cc_op == CC_OP_ADCX ? CC_C : CC_O), 1);
-
-Unfortunately, in this case cc_op has been overwritten by the previous
-"if" statement to CC_OP_ADCOX.  This works by chance when the first
-instruction is ADCX; however, if the first instruction is ADOX,
-ADCX will incorrectly take its carry from OF instead of CF.
-
-Fix by moving the computation of the new cc_op at the end of the function.
-The included exhaustive test case fails without this patch and passes
-afterwards.
-
-Because ADCX/ADOX need not be invoked through the VEX prefix, this
-regression bisects to commit 16fc5726a6e2 ("target/i386: reimplement
-0x0f 0x38, add AVX", 2022-10-18).  However, the mistake happened a
-little earlier, when BMI instructions were rewritten using the new
-decoder framework.
-
-Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1471
-Reported-by: Paul Jolly <https://gitlab.com/myitcv>
-Fixes: 1d0b926150e5 ("target/i386: move scalar 0F 38 and 0F 3A instruction to new decoder", 2022-10-18)
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---- a/target/i386/tcg/emit.c.inc
-+++ b/target/i386/tcg/emit.c.inc
-@@ -1015,6 +1015,7 @@ VSIB_AVX(VPGATHERQ, vpgatherq)
- 
- static void gen_ADCOX(DisasContext *s, CPUX86State *env, MemOp ot, int cc_op)
- {
-+    int opposite_cc_op;
-     TCGv carry_in = NULL;
-     TCGv carry_out = (cc_op == CC_OP_ADCX ? cpu_cc_dst : cpu_cc_src2);
-     TCGv zero;
-@@ -1022,14 +1023,8 @@ static void gen_ADCOX(DisasContext *s, CPUX86State *env, MemOp ot, int cc_op)
-     if (cc_op == s->cc_op || s->cc_op == CC_OP_ADCOX) {
-         /* Re-use the carry-out from a previous round.  */
-         carry_in = carry_out;
--        cc_op = s->cc_op;
--    } else if (s->cc_op == CC_OP_ADCX || s->cc_op == CC_OP_ADOX) {
--        /* Merge with the carry-out from the opposite instruction.  */
--        cc_op = CC_OP_ADCOX;
--    }
--
--    /* If we don't have a carry-in, get it out of EFLAGS.  */
--    if (!carry_in) {
-+    } else {
-+        /* We don't have a carry-in, get it out of EFLAGS.  */
-         if (s->cc_op != CC_OP_ADCX && s->cc_op != CC_OP_ADOX) {
-             gen_compute_eflags(s);
-         }
-@@ -1053,7 +1048,14 @@ static void gen_ADCOX(DisasContext *s, CPUX86State *env, MemOp ot, int cc_op)
-         tcg_gen_add2_tl(s->T0, carry_out, s->T0, carry_out, s->T1, zero);
-         break;
-     }
--    set_cc_op(s, cc_op);
-+
-+    opposite_cc_op = cc_op == CC_OP_ADCX ? CC_OP_ADOX : CC_OP_ADCX;
-+    if (s->cc_op == CC_OP_ADCOX || s->cc_op == opposite_cc_op) {
-+        /* Merge with the carry-out from the opposite instruction.  */
-+        set_cc_op(s, CC_OP_ADCOX);
-+    } else {
-+        set_cc_op(s, cc_op);
-+    }
- }
- 
- static void gen_ADCX(DisasContext *s, CPUX86State *env, X86DecodedInsn *decode)
---- a/tests/tcg/i386/Makefile.target
-+++ b/tests/tcg/i386/Makefile.target
-@@ -14,7 +14,7 @@ config-cc.mak: Makefile
- I386_SRCS=$(notdir $(wildcard $(I386_SRC)/*.c))
- ALL_X86_TESTS=$(I386_SRCS:.c=)
- SKIP_I386_TESTS=test-i386-ssse3 test-avx test-3dnow test-mmx
--X86_64_TESTS:=$(filter test-i386-bmi2 $(SKIP_I386_TESTS), $(ALL_X86_TESTS))
-+X86_64_TESTS:=$(filter test-i386-adcox test-i386-bmi2 $(SKIP_I386_TESTS), $(ALL_X86_TESTS))
- 
- test-i386-sse-exceptions: CFLAGS += -msse4.1 -mfpmath=sse
- run-test-i386-sse-exceptions: QEMU_OPTS += -cpu max
-@@ -28,6 +28,10 @@ test-i386-bmi2: CFLAGS=-O2
- run-test-i386-bmi2: QEMU_OPTS += -cpu max
- run-plugin-test-i386-bmi2-%: QEMU_OPTS += -cpu max
- 
-+test-i386-adcox: CFLAGS=-O2
-+run-test-i386-adcox: QEMU_OPTS += -cpu max
-+run-plugin-test-i386-adcox-%: QEMU_OPTS += -cpu max
-+
- #
- # hello-i386 is a barebones app
- #
---- /dev/null
-+++ b/tests/tcg/i386/test-i386-adcox.c
-@@ -0,0 +1,75 @@
-+/* See if various BMI2 instructions give expected results */
-+#include <assert.h>
-+#include <stdint.h>
-+#include <stdio.h>
-+
-+#define CC_C 1
-+#define CC_O (1 << 11)
-+
-+#ifdef __x86_64__
-+#define REG uint64_t
-+#else
-+#define REG uint32_t
-+#endif
-+
-+void test_adox_adcx(uint32_t in_c, uint32_t in_o, REG adcx_operand, REG adox_operand)
-+{
-+    REG flags;
-+    REG out_adcx, out_adox;
-+
-+    asm("pushf; pop %0" : "=r"(flags));
-+    flags &= ~(CC_C | CC_O);
-+    flags |= (in_c ? CC_C : 0);
-+    flags |= (in_o ? CC_O : 0);
-+
-+    out_adcx = adcx_operand;
-+    out_adox = adox_operand;
-+    asm("push %0; popf;"
-+        "adox %3, %2;"
-+        "adcx %3, %1;"
-+        "pushf; pop %0"
-+        : "+r" (flags), "+r" (out_adcx), "+r" (out_adox)
-+        : "r" ((REG)-1), "0" (flags), "1" (out_adcx), "2" (out_adox));
-+
-+    assert(out_adcx == in_c + adcx_operand - 1);
-+    assert(out_adox == in_o + adox_operand - 1);
-+    assert(!!(flags & CC_C) == (in_c || adcx_operand));
-+    assert(!!(flags & CC_O) == (in_o || adox_operand));
-+}
-+
-+void test_adcx_adox(uint32_t in_c, uint32_t in_o, REG adcx_operand, REG adox_operand)
-+{
-+    REG flags;
-+    REG out_adcx, out_adox;
-+
-+    asm("pushf; pop %0" : "=r"(flags));
-+    flags &= ~(CC_C | CC_O);
-+    flags |= (in_c ? CC_C : 0);
-+    flags |= (in_o ? CC_O : 0);
-+
-+    out_adcx = adcx_operand;
-+    out_adox = adox_operand;
-+    asm("push %0; popf;"
-+        "adcx %3, %1;"
-+        "adox %3, %2;"
-+        "pushf; pop %0"
-+        : "+r" (flags), "+r" (out_adcx), "+r" (out_adox)
-+        : "r" ((REG)-1), "0" (flags), "1" (out_adcx), "2" (out_adox));
-+
-+    assert(out_adcx == in_c + adcx_operand - 1);
-+    assert(out_adox == in_o + adox_operand - 1);
-+    assert(!!(flags & CC_C) == (in_c || adcx_operand));
-+    assert(!!(flags & CC_O) == (in_o || adox_operand));
-+}
-+
-+int main(int argc, char *argv[]) {
-+    /* try all combinations of input CF, input OF, CF from op1+op2,  OF from op2+op1 */
-+    int i;
-+    for (i = 0; i <= 15; i++) {
-+        printf("%d\n", i);
-+        test_adcx_adox(!!(i & 1), !!(i & 2), !!(i & 4), !!(i & 8));
-+        test_adox_adcx(!!(i & 1), !!(i & 2), !!(i & 4), !!(i & 8));
-+    }
-+    return 0;
-+}
-+
--- 
-GitLab


^ permalink raw reply related	[flat|nested] 21+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: app-emulation/qemu/files/
@ 2023-10-22 16:33 Joonas Niilola
  0 siblings, 0 replies; 21+ messages in thread
From: Joonas Niilola @ 2023-10-22 16:33 UTC (permalink / raw
  To: gentoo-commits

commit:     196685c68adecedeb3c335e551924cab4aee55ea
Author:     Michael Mair-Keimberger <mmk <AT> levelnine <DOT> at>
AuthorDate: Sun Oct 22 08:35:37 2023 +0000
Commit:     Joonas Niilola <juippis <AT> gentoo <DOT> org>
CommitDate: Sun Oct 22 16:32:11 2023 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=196685c6

app-emulation/qemu: remove unused patches

Signed-off-by: Michael Mair-Keimberger <mmk <AT> levelnine.at>
Closes: https://github.com/gentoo/gentoo/pull/33451
Signed-off-by: Joonas Niilola <juippis <AT> gentoo.org>

 .../qemu/files/qemu-7.2.3-CVE-2023-2861.patch      | 162 --------------------
 .../qemu/files/qemu-8.0.2-CVE-2023-2861.patch      | 167 ---------------------
 2 files changed, 329 deletions(-)

diff --git a/app-emulation/qemu/files/qemu-7.2.3-CVE-2023-2861.patch b/app-emulation/qemu/files/qemu-7.2.3-CVE-2023-2861.patch
deleted file mode 100644
index 9a9c11a41d66..000000000000
--- a/app-emulation/qemu/files/qemu-7.2.3-CVE-2023-2861.patch
+++ /dev/null
@@ -1,162 +0,0 @@
-https://bugs.gentoo.org/909542
-https://gitlab.com/qemu-project/qemu/-/commit/10fad73a2bf1c76c8aa9d6322755e5f877d83ce5
-
-From 10fad73a2bf1c76c8aa9d6322755e5f877d83ce5 Mon Sep 17 00:00:00 2001
-From: Christian Schoenebeck <qemu_oss@crudebyte.com>
-Date: Wed, 7 Jun 2023 18:29:33 +0200
-Subject: [PATCH] 9pfs: prevent opening special files (CVE-2023-2861)
-
-The 9p protocol does not specifically define how server shall behave when
-client tries to open a special file, however from security POV it does
-make sense for 9p server to prohibit opening any special file on host side
-in general. A sane Linux 9p client for instance would never attempt to
-open a special file on host side, it would always handle those exclusively
-on its guest side. A malicious client however could potentially escape
-from the exported 9p tree by creating and opening a device file on host
-side.
-
-With QEMU this could only be exploited in the following unsafe setups:
-
-  - Running QEMU binary as root AND 9p 'local' fs driver AND 'passthrough'
-    security model.
-
-or
-
-  - Using 9p 'proxy' fs driver (which is running its helper daemon as
-    root).
-
-These setups were already discouraged for safety reasons before,
-however for obvious reasons we are now tightening behaviour on this.
-
-Fixes: CVE-2023-2861
-Reported-by: Yanwu Shen <ywsPlz@gmail.com>
-Reported-by: Jietao Xiao <shawtao1125@gmail.com>
-Reported-by: Jinku Li <jkli@xidian.edu.cn>
-Reported-by: Wenbo Shen <shenwenbo@zju.edu.cn>
-Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
-Reviewed-by: Greg Kurz <groug@kaod.org>
-Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
-Message-Id: <E1q6w7r-0000Q0-NM@lizzy.crudebyte.com>
-(cherry picked from commit f6b0de53fb87ddefed348a39284c8e2f28dc4eda)
-Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
-(Mjt: drop adding qemu_fstat wrapper for 7.2 where wrappers aren't used)
---- a/fsdev/virtfs-proxy-helper.c
-+++ b/fsdev/virtfs-proxy-helper.c
-@@ -26,6 +26,7 @@
- #include "qemu/xattr.h"
- #include "9p-iov-marshal.h"
- #include "hw/9pfs/9p-proxy.h"
-+#include "hw/9pfs/9p-util.h"
- #include "fsdev/9p-iov-marshal.h"
- 
- #define PROGNAME "virtfs-proxy-helper"
-@@ -338,6 +339,28 @@ static void resetugid(int suid, int sgid)
-     }
- }
- 
-+/*
-+ * Open regular file or directory. Attempts to open any special file are
-+ * rejected.
-+ *
-+ * returns file descriptor or -1 on error
-+ */
-+static int open_regular(const char *pathname, int flags, mode_t mode)
-+{
-+    int fd;
-+
-+    fd = open(pathname, flags, mode);
-+    if (fd < 0) {
-+        return fd;
-+    }
-+
-+    if (close_if_special_file(fd) < 0) {
-+        return -1;
-+    }
-+
-+    return fd;
-+}
-+
- /*
-  * send response in two parts
-  * 1) ProxyHeader
-@@ -682,7 +705,7 @@ static int do_create(struct iovec *iovec)
-     if (ret < 0) {
-         goto unmarshal_err_out;
-     }
--    ret = open(path.data, flags, mode);
-+    ret = open_regular(path.data, flags, mode);
-     if (ret < 0) {
-         ret = -errno;
-     }
-@@ -707,7 +730,7 @@ static int do_open(struct iovec *iovec)
-     if (ret < 0) {
-         goto err_out;
-     }
--    ret = open(path.data, flags);
-+    ret = open_regular(path.data, flags, 0);
-     if (ret < 0) {
-         ret = -errno;
-     }
---- a/hw/9pfs/9p-util.h
-+++ b/hw/9pfs/9p-util.h
-@@ -13,6 +13,8 @@
- #ifndef QEMU_9P_UTIL_H
- #define QEMU_9P_UTIL_H
- 
-+#include "qemu/error-report.h"
-+
- #ifdef O_PATH
- #define O_PATH_9P_UTIL O_PATH
- #else
-@@ -112,6 +114,38 @@ static inline void close_preserve_errno(int fd)
-     errno = serrno;
- }
- 
-+/**
-+ * close_if_special_file() - Close @fd if neither regular file nor directory.
-+ *
-+ * @fd: file descriptor of open file
-+ * Return: 0 on regular file or directory, -1 otherwise
-+ *
-+ * CVE-2023-2861: Prohibit opening any special file directly on host
-+ * (especially device files), as a compromised client could potentially gain
-+ * access outside exported tree under certain, unsafe setups. We expect
-+ * client to handle I/O on special files exclusively on guest side.
-+ */
-+static inline int close_if_special_file(int fd)
-+{
-+    struct stat stbuf;
-+
-+    if (fstat(fd, &stbuf) < 0) {
-+        close_preserve_errno(fd);
-+        return -1;
-+    }
-+    if (!S_ISREG(stbuf.st_mode) && !S_ISDIR(stbuf.st_mode)) {
-+        error_report_once(
-+            "9p: broken or compromised client detected; attempt to open "
-+            "special file (i.e. neither regular file, nor directory)"
-+        );
-+        close(fd);
-+        errno = ENXIO;
-+        return -1;
-+    }
-+
-+    return 0;
-+}
-+
- static inline int openat_dir(int dirfd, const char *name)
- {
-     return openat(dirfd, name,
-@@ -146,6 +180,10 @@ again:
-         return -1;
-     }
- 
-+    if (close_if_special_file(fd) < 0) {
-+        return -1;
-+    }
-+
-     serrno = errno;
-     /* O_NONBLOCK was only needed to open the file. Let's drop it. We don't
-      * do that with O_PATH since fcntl(F_SETFL) isn't supported, and openat()
--- 
-GitLab

diff --git a/app-emulation/qemu/files/qemu-8.0.2-CVE-2023-2861.patch b/app-emulation/qemu/files/qemu-8.0.2-CVE-2023-2861.patch
deleted file mode 100644
index 75fa534b4f1c..000000000000
--- a/app-emulation/qemu/files/qemu-8.0.2-CVE-2023-2861.patch
+++ /dev/null
@@ -1,167 +0,0 @@
-https://bugs.gentoo.org/909542
-https://gitlab.com/qemu-project/qemu/-/commit/b9d2887be4e616cdaeedd0b7456bfaa71ee798af
-
-From b9d2887be4e616cdaeedd0b7456bfaa71ee798af Mon Sep 17 00:00:00 2001
-From: Christian Schoenebeck <qemu_oss@crudebyte.com>
-Date: Wed, 7 Jun 2023 18:29:33 +0200
-Subject: [PATCH] 9pfs: prevent opening special files (CVE-2023-2861)
-
-The 9p protocol does not specifically define how server shall behave when
-client tries to open a special file, however from security POV it does
-make sense for 9p server to prohibit opening any special file on host side
-in general. A sane Linux 9p client for instance would never attempt to
-open a special file on host side, it would always handle those exclusively
-on its guest side. A malicious client however could potentially escape
-from the exported 9p tree by creating and opening a device file on host
-side.
-
-With QEMU this could only be exploited in the following unsafe setups:
-
-  - Running QEMU binary as root AND 9p 'local' fs driver AND 'passthrough'
-    security model.
-
-or
-
-  - Using 9p 'proxy' fs driver (which is running its helper daemon as
-    root).
-
-These setups were already discouraged for safety reasons before,
-however for obvious reasons we are now tightening behaviour on this.
-
-Fixes: CVE-2023-2861
-Reported-by: Yanwu Shen <ywsPlz@gmail.com>
-Reported-by: Jietao Xiao <shawtao1125@gmail.com>
-Reported-by: Jinku Li <jkli@xidian.edu.cn>
-Reported-by: Wenbo Shen <shenwenbo@zju.edu.cn>
-Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
-Reviewed-by: Greg Kurz <groug@kaod.org>
-Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
-Message-Id: <E1q6w7r-0000Q0-NM@lizzy.crudebyte.com>
-(cherry picked from commit f6b0de53fb87ddefed348a39284c8e2f28dc4eda)
-Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
---- a/fsdev/virtfs-proxy-helper.c
-+++ b/fsdev/virtfs-proxy-helper.c
-@@ -26,6 +26,7 @@
- #include "qemu/xattr.h"
- #include "9p-iov-marshal.h"
- #include "hw/9pfs/9p-proxy.h"
-+#include "hw/9pfs/9p-util.h"
- #include "fsdev/9p-iov-marshal.h"
- 
- #define PROGNAME "virtfs-proxy-helper"
-@@ -338,6 +339,28 @@ static void resetugid(int suid, int sgid)
-     }
- }
- 
-+/*
-+ * Open regular file or directory. Attempts to open any special file are
-+ * rejected.
-+ *
-+ * returns file descriptor or -1 on error
-+ */
-+static int open_regular(const char *pathname, int flags, mode_t mode)
-+{
-+    int fd;
-+
-+    fd = open(pathname, flags, mode);
-+    if (fd < 0) {
-+        return fd;
-+    }
-+
-+    if (close_if_special_file(fd) < 0) {
-+        return -1;
-+    }
-+
-+    return fd;
-+}
-+
- /*
-  * send response in two parts
-  * 1) ProxyHeader
-@@ -682,7 +705,7 @@ static int do_create(struct iovec *iovec)
-     if (ret < 0) {
-         goto unmarshal_err_out;
-     }
--    ret = open(path.data, flags, mode);
-+    ret = open_regular(path.data, flags, mode);
-     if (ret < 0) {
-         ret = -errno;
-     }
-@@ -707,7 +730,7 @@ static int do_open(struct iovec *iovec)
-     if (ret < 0) {
-         goto err_out;
-     }
--    ret = open(path.data, flags);
-+    ret = open_regular(path.data, flags, 0);
-     if (ret < 0) {
-         ret = -errno;
-     }
---- a/hw/9pfs/9p-util.h
-+++ b/hw/9pfs/9p-util.h
-@@ -13,6 +13,8 @@
- #ifndef QEMU_9P_UTIL_H
- #define QEMU_9P_UTIL_H
- 
-+#include "qemu/error-report.h"
-+
- #ifdef O_PATH
- #define O_PATH_9P_UTIL O_PATH
- #else
-@@ -95,6 +97,7 @@ static inline int errno_to_dotl(int err) {
- #endif
- 
- #define qemu_openat     openat
-+#define qemu_fstat      fstat
- #define qemu_fstatat    fstatat
- #define qemu_mkdirat    mkdirat
- #define qemu_renameat   renameat
-@@ -108,6 +111,38 @@ static inline void close_preserve_errno(int fd)
-     errno = serrno;
- }
- 
-+/**
-+ * close_if_special_file() - Close @fd if neither regular file nor directory.
-+ *
-+ * @fd: file descriptor of open file
-+ * Return: 0 on regular file or directory, -1 otherwise
-+ *
-+ * CVE-2023-2861: Prohibit opening any special file directly on host
-+ * (especially device files), as a compromised client could potentially gain
-+ * access outside exported tree under certain, unsafe setups. We expect
-+ * client to handle I/O on special files exclusively on guest side.
-+ */
-+static inline int close_if_special_file(int fd)
-+{
-+    struct stat stbuf;
-+
-+    if (qemu_fstat(fd, &stbuf) < 0) {
-+        close_preserve_errno(fd);
-+        return -1;
-+    }
-+    if (!S_ISREG(stbuf.st_mode) && !S_ISDIR(stbuf.st_mode)) {
-+        error_report_once(
-+            "9p: broken or compromised client detected; attempt to open "
-+            "special file (i.e. neither regular file, nor directory)"
-+        );
-+        close(fd);
-+        errno = ENXIO;
-+        return -1;
-+    }
-+
-+    return 0;
-+}
-+
- static inline int openat_dir(int dirfd, const char *name)
- {
-     return qemu_openat(dirfd, name,
-@@ -142,6 +177,10 @@ again:
-         return -1;
-     }
- 
-+    if (close_if_special_file(fd) < 0) {
-+        return -1;
-+    }
-+
-     serrno = errno;
-     /* O_NONBLOCK was only needed to open the file. Let's drop it. We don't
-      * do that with O_PATH since fcntl(F_SETFL) isn't supported, and openat()


^ permalink raw reply related	[flat|nested] 21+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: app-emulation/qemu/files/
@ 2023-02-22 11:32 Sam James
  0 siblings, 0 replies; 21+ messages in thread
From: Sam James @ 2023-02-22 11:32 UTC (permalink / raw
  To: gentoo-commits

commit:     5b8aab265a7189016df100a2551f9c72055e8cd7
Author:     Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Wed Feb 22 11:28:44 2023 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Wed Feb 22 11:32:27 2023 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5b8aab26

app-emulation/qemu: add additional glibc-2.36/linux-headers-6.2 patch

Closes: https://bugs.gentoo.org/895662
Closes: https://bugs.gentoo.org/895746
Signed-off-by: Sam James <sam <AT> gentoo.org>

 .../qemu-7.2.0-linux-headers-6.2-glibc-2.36.patch  | 71 ++++++++++++++++++++++
 1 file changed, 71 insertions(+)

diff --git a/app-emulation/qemu/files/qemu-7.2.0-linux-headers-6.2-glibc-2.36.patch b/app-emulation/qemu/files/qemu-7.2.0-linux-headers-6.2-glibc-2.36.patch
index 856997886cc9..2a58ca1ad735 100644
--- a/app-emulation/qemu/files/qemu-7.2.0-linux-headers-6.2-glibc-2.36.patch
+++ b/app-emulation/qemu/files/qemu-7.2.0-linux-headers-6.2-glibc-2.36.patch
@@ -1,5 +1,6 @@
 https://bugs.gentoo.org/895662
 https://gitlab.com/qemu-project/qemu/-/commit/9f0246539ae84a5e21efd1cc4516fc343f08115a
+https://gitlab.com/qemu-project/qemu/-/commit/6003159ce18faad4e1bc7bf9c85669019cd4950e
 
 From 9f0246539ae84a5e21efd1cc4516fc343f08115a Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
@@ -64,3 +65,73 @@ Signed-off-by: Laurent Vivier <laurent@vivier.eu>
  #endif
 -- 
 GitLab
+
+From 6003159ce18faad4e1bc7bf9c85669019cd4950e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Tue, 10 Jan 2023 12:49:01 -0500
+Subject: [PATCH] Revert "linux-user: fix compat with glibc >= 2.36
+ sys/mount.h"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This reverts commit 3cd3df2a9584e6f753bb62a0028bd67124ab5532.
+
+glibc has fixed (in 2.36.9000-40-g774058d729) the problem
+that caused a clash when both sys/mount.h annd linux/mount.h
+are included, and backported this to the 2.36 stable release
+too:
+
+  https://sourceware.org/glibc/wiki/Release/2.36#Usage_of_.3Clinux.2Fmount.h.3E_and_.3Csys.2Fmount.h.3E
+
+It is saner for QEMU to remove the workaround it applied for
+glibc 2.36 and expect distros to ship the 2.36 maint release
+with the fix. This avoids needing to add a further workaround
+to QEMU to deal with the fact that linux/brtfs.h now also pulls
+in linux/mount.h via linux/fs.h since Linux 6.1
+
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20230110174901.2580297-3-berrange@redhat.com>
+Signed-off-by: Laurent Vivier <laurent@vivier.eu>
+--- a/linux-user/syscall.c
++++ b/linux-user/syscall.c
+@@ -95,25 +95,7 @@
+ #include <linux/soundcard.h>
+ #include <linux/kd.h>
+ #include <linux/mtio.h>
+-
+-#ifdef HAVE_SYS_MOUNT_FSCONFIG
+-/*
+- * glibc >= 2.36 linux/mount.h conflicts with sys/mount.h,
+- * which in turn prevents use of linux/fs.h. So we have to
+- * define the constants ourselves for now.
+- */
+-#define FS_IOC_GETFLAGS                _IOR('f', 1, long)
+-#define FS_IOC_SETFLAGS                _IOW('f', 2, long)
+-#define FS_IOC_GETVERSION              _IOR('v', 1, long)
+-#define FS_IOC_SETVERSION              _IOW('v', 2, long)
+-#define FS_IOC_FIEMAP                  _IOWR('f', 11, struct fiemap)
+-#define FS_IOC32_GETFLAGS              _IOR('f', 1, int)
+-#define FS_IOC32_SETFLAGS              _IOW('f', 2, int)
+-#define FS_IOC32_GETVERSION            _IOR('v', 1, int)
+-#define FS_IOC32_SETVERSION            _IOW('v', 2, int)
+-#else
+ #include <linux/fs.h>
+-#endif
+ #include <linux/fd.h>
+ #if defined(CONFIG_FIEMAP)
+ #include <linux/fiemap.h>
+--- a/meson.build
++++ b/meson.build
+@@ -2046,8 +2046,6 @@ config_host_data.set('HAVE_OPTRESET',
+                      cc.has_header_symbol('getopt.h', 'optreset'))
+ config_host_data.set('HAVE_IPPROTO_MPTCP',
+                      cc.has_header_symbol('netinet/in.h', 'IPPROTO_MPTCP'))
+-config_host_data.set('HAVE_SYS_MOUNT_FSCONFIG',
+-                     cc.has_header_symbol('sys/mount.h', 'FSCONFIG_SET_FLAG'))
+ 
+ # has_member
+ config_host_data.set('HAVE_SIGEV_NOTIFY_THREAD_ID',
+-- 
+GitLab


^ permalink raw reply related	[flat|nested] 21+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: app-emulation/qemu/files/
@ 2022-01-12  8:38 Matthias Maier
  0 siblings, 0 replies; 21+ messages in thread
From: Matthias Maier @ 2022-01-12  8:38 UTC (permalink / raw
  To: gentoo-commits

commit:     ff74b177a7355f83d0356c8853703959d8a9d470
Author:     Matthias Maier <tamiko <AT> gentoo <DOT> org>
AuthorDate: Wed Jan 12 08:31:54 2022 +0000
Commit:     Matthias Maier <tamiko <AT> gentoo <DOT> org>
CommitDate: Wed Jan 12 08:38:48 2022 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ff74b177

app-emulation/qemu: fix build for USE=-caps

Package-Manager: Portage-3.0.30, Repoman-3.0.3
Signed-off-by: Matthias Maier <tamiko <AT> gentoo.org>

 .../qemu/files/qemu-6.2.0-also-build-virtfs-proxy-helper.patch        | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/app-emulation/qemu/files/qemu-6.2.0-also-build-virtfs-proxy-helper.patch b/app-emulation/qemu/files/qemu-6.2.0-also-build-virtfs-proxy-helper.patch
index b6af46552fe5..af220802069c 100644
--- a/app-emulation/qemu/files/qemu-6.2.0-also-build-virtfs-proxy-helper.patch
+++ b/app-emulation/qemu/files/qemu-6.2.0-also-build-virtfs-proxy-helper.patch
@@ -23,7 +23,9 @@ index fbe856700..d6918b04c 100644
      libcap_ng.found())
  
 -have_virtfs_proxy_helper = have_virtfs and have_tools
-+have_virtfs_proxy_helper = have_tools
++have_virtfs_proxy_helper = have_tools and libcap_ng.found()
+
+
  
  if get_option('virtfs').enabled()
    if not have_virtfs


^ permalink raw reply related	[flat|nested] 21+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: app-emulation/qemu/files/
@ 2022-01-10 21:02 John Helmert III
  0 siblings, 0 replies; 21+ messages in thread
From: John Helmert III @ 2022-01-10 21:02 UTC (permalink / raw
  To: gentoo-commits

commit:     52a126660cdd959d861b7be8336a5b28acb5b1d2
Author:     Michael Mair-Keimberger <mmk <AT> levelnine <DOT> at>
AuthorDate: Mon Jan 10 16:57:21 2022 +0000
Commit:     John Helmert III <ajak <AT> gentoo <DOT> org>
CommitDate: Mon Jan 10 21:02:25 2022 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=52a12666

app-emulation/qemu: remove unused patches

Package-Manager: Portage-3.0.30, Repoman-3.0.3
Signed-off-by: Michael Mair-Keimberger <mmk <AT> levelnine.at>
Closes: https://github.com/gentoo/gentoo/pull/23727
Signed-off-by: John Helmert III <ajak <AT> gentoo.org>

 .../qemu/files/qemu-6.1.0-automagic-libbpf.patch   |  21 ----
 .../qemu/files/qemu-6.1.0-data-corruption.patch    | 114 ---------------------
 .../files/qemu-6.1.0-fix-unix-socket-copy.patch    |  76 --------------
 3 files changed, 211 deletions(-)

diff --git a/app-emulation/qemu/files/qemu-6.1.0-automagic-libbpf.patch b/app-emulation/qemu/files/qemu-6.1.0-automagic-libbpf.patch
deleted file mode 100644
index d067650dc8fa..000000000000
--- a/app-emulation/qemu/files/qemu-6.1.0-automagic-libbpf.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-commit 080832e4f4801a28bd1170c49e61f6a0f5f05d03
-Author: Paolo Bonzini <pbonzini@redhat.com>
-Date:   Tue Sep 7 12:45:12 2021 +0200
-
-    ebpf: only include in system emulators
-    
-    eBPF files are being included in user emulators, which is useless and
-    also breaks compilation because ebpf/trace-events is only processed
-    if a system emulator is included in the build.
-    
-    Resolves: https://gitlab.com/qemu-project/qemu/-/issues/566
-    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-    Signed-off-by: Jason Wang <jasowang@redhat.com>
-
-diff --git a/ebpf/meson.build b/ebpf/meson.build
-index 9cd0635370..2dd0fd8948 100644
---- a/ebpf/meson.build
-+++ b/ebpf/meson.build
-@@ -1 +1 @@
--common_ss.add(when: libbpf, if_true: files('ebpf_rss.c'), if_false: files('ebpf_rss-stub.c'))
-+softmmu_ss.add(when: libbpf, if_true: files('ebpf_rss.c'), if_false: files('ebpf_rss-stub.c'))

diff --git a/app-emulation/qemu/files/qemu-6.1.0-data-corruption.patch b/app-emulation/qemu/files/qemu-6.1.0-data-corruption.patch
deleted file mode 100644
index 25c788426a9c..000000000000
--- a/app-emulation/qemu/files/qemu-6.1.0-data-corruption.patch
+++ /dev/null
@@ -1,114 +0,0 @@
-commit cc071629539dc1f303175a7e2d4ab854c0a8b20f
-Author: Paolo Bonzini <pbonzini@redhat.com>
-Date:   Thu Sep 23 09:04:36 2021 -0400
-
-    block: introduce max_hw_iov for use in scsi-generic
-    
-    Linux limits the size of iovecs to 1024 (UIO_MAXIOV in the kernel
-    sources, IOV_MAX in POSIX).  Because of this, on some host adapters
-    requests with many iovecs are rejected with -EINVAL by the
-    io_submit() or readv()/writev() system calls.
-    
-    In fact, the same limit applies to SG_IO as well.  To fix both the
-    EINVAL and the possible performance issues from using fewer iovecs
-    than allowed by Linux (some HBAs have max_segments as low as 128),
-    introduce a separate entry in BlockLimits to hold the max_segments
-    value from sysfs.  This new limit is used only for SG_IO and clamped
-    to bs->bl.max_iov anyway, just like max_hw_transfer is clamped to
-    bs->bl.max_transfer.
-    
-    Reported-by: Halil Pasic <pasic@linux.ibm.com>
-    Cc: Hanna Reitz <hreitz@redhat.com>
-    Cc: Kevin Wolf <kwolf@redhat.com>
-    Cc: qemu-block@nongnu.org
-    Cc: qemu-stable@nongnu.org
-    Fixes: 18473467d5 ("file-posix: try BLKSECTGET on block devices too, do not round to power of 2", 2021-06-25)
-    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-    Message-Id: <20210923130436.1187591-1-pbonzini@redhat.com>
-    Signed-off-by: Kevin Wolf <kwolf@redhat.com>
-
-diff --git a/block/block-backend.c b/block/block-backend.c
-index 6140d133e2..ba2b5ebb10 100644
---- a/block/block-backend.c
-+++ b/block/block-backend.c
-@@ -1986,6 +1986,12 @@ uint32_t blk_get_max_transfer(BlockBackend *blk)
-     return ROUND_DOWN(max, blk_get_request_alignment(blk));
- }
- 
-+int blk_get_max_hw_iov(BlockBackend *blk)
-+{
-+    return MIN_NON_ZERO(blk->root->bs->bl.max_hw_iov,
-+                        blk->root->bs->bl.max_iov);
-+}
-+
- int blk_get_max_iov(BlockBackend *blk)
- {
-     return blk->root->bs->bl.max_iov;
-diff --git a/block/file-posix.c b/block/file-posix.c
-index c62e42743d..53be0bdc1b 100644
---- a/block/file-posix.c
-+++ b/block/file-posix.c
-@@ -1273,7 +1273,7 @@ static void raw_refresh_limits(BlockDriverState *bs, Error **errp)
- 
-         ret = hdev_get_max_segments(s->fd, &st);
-         if (ret > 0) {
--            bs->bl.max_iov = ret;
-+            bs->bl.max_hw_iov = ret;
-         }
-     }
- }
-diff --git a/block/io.c b/block/io.c
-index 18d345a87a..bb0a254def 100644
---- a/block/io.c
-+++ b/block/io.c
-@@ -136,6 +136,7 @@ static void bdrv_merge_limits(BlockLimits *dst, const BlockLimits *src)
-     dst->min_mem_alignment = MAX(dst->min_mem_alignment,
-                                  src->min_mem_alignment);
-     dst->max_iov = MIN_NON_ZERO(dst->max_iov, src->max_iov);
-+    dst->max_hw_iov = MIN_NON_ZERO(dst->max_hw_iov, src->max_hw_iov);
- }
- 
- typedef struct BdrvRefreshLimitsState {
-diff --git a/hw/scsi/scsi-generic.c b/hw/scsi/scsi-generic.c
-index 665baf900e..0306ccc7b1 100644
---- a/hw/scsi/scsi-generic.c
-+++ b/hw/scsi/scsi-generic.c
-@@ -180,7 +180,7 @@ static int scsi_handle_inquiry_reply(SCSIGenericReq *r, SCSIDevice *s, int len)
-         page = r->req.cmd.buf[2];
-         if (page == 0xb0) {
-             uint64_t max_transfer = blk_get_max_hw_transfer(s->conf.blk);
--            uint32_t max_iov = blk_get_max_iov(s->conf.blk);
-+            uint32_t max_iov = blk_get_max_hw_iov(s->conf.blk);
- 
-             assert(max_transfer);
-             max_transfer = MIN_NON_ZERO(max_transfer, max_iov * qemu_real_host_page_size)
-diff --git a/include/block/block_int.h b/include/block/block_int.h
-index ffe86068d4..f4c75e8ba9 100644
---- a/include/block/block_int.h
-+++ b/include/block/block_int.h
-@@ -718,6 +718,13 @@ typedef struct BlockLimits {
-      */
-     uint64_t max_hw_transfer;
- 
-+    /* Maximal number of scatter/gather elements allowed by the hardware.
-+     * Applies whenever transfers to the device bypass the kernel I/O
-+     * scheduler, for example with SG_IO.  If larger than max_iov
-+     * or if zero, blk_get_max_hw_iov will fall back to max_iov.
-+     */
-+    int max_hw_iov;
-+
-     /* memory alignment, in bytes so that no bounce buffer is needed */
-     size_t min_mem_alignment;
- 
-diff --git a/include/sysemu/block-backend.h b/include/sysemu/block-backend.h
-index 29d4fdbf63..82bae55161 100644
---- a/include/sysemu/block-backend.h
-+++ b/include/sysemu/block-backend.h
-@@ -211,6 +211,7 @@ uint32_t blk_get_request_alignment(BlockBackend *blk);
- uint32_t blk_get_max_transfer(BlockBackend *blk);
- uint64_t blk_get_max_hw_transfer(BlockBackend *blk);
- int blk_get_max_iov(BlockBackend *blk);
-+int blk_get_max_hw_iov(BlockBackend *blk);
- void blk_set_guest_block_size(BlockBackend *blk, int align);
- void *blk_try_blockalign(BlockBackend *blk, size_t size);
- void *blk_blockalign(BlockBackend *blk, size_t size);

diff --git a/app-emulation/qemu/files/qemu-6.1.0-fix-unix-socket-copy.patch b/app-emulation/qemu/files/qemu-6.1.0-fix-unix-socket-copy.patch
deleted file mode 100644
index 7701b26b4f9a..000000000000
--- a/app-emulation/qemu/files/qemu-6.1.0-fix-unix-socket-copy.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-commit 118d527f2e4baec5fe8060b22a6212468b8e4d3f
-Author: Michael Tokarev <mjt@tls.msk.ru>
-Date:   Wed Sep 1 16:16:24 2021 +0300
-
-    qemu-sockets: fix unix socket path copy (again)
-    
-    Commit 4cfd970ec188558daa6214f26203fe553fb1e01f added an
-    assert which ensures the path within an address of a unix
-    socket returned from the kernel is at least one byte and
-    does not exceed sun_path buffer. Both of this constraints
-    are wrong:
-    
-    A unix socket can be unnamed, in this case the path is
-    completely empty (not even \0)
-    
-    And some implementations (notable linux) can add extra
-    trailing byte (\0) _after_ the sun_path buffer if we
-    passed buffer larger than it (and we do).
-    
-    So remove the assertion (since it causes real-life breakage)
-    but at the same time fix the usage of sun_path. Namely,
-    we should not access sun_path[0] if kernel did not return
-    it at all (this is the case for unnamed sockets),
-    and use the returned salen when copyig actual path as an
-    upper constraint for the amount of bytes to copy - this
-    will ensure we wont exceed the information provided by
-    the kernel, regardless whenever there is a trailing \0
-    or not. This also helps with unnamed sockets.
-    
-    Note the case of abstract socket, the sun_path is actually
-    a blob and can contain \0 characters, - it should not be
-    passed to g_strndup and the like, it should be accessed by
-    memcpy-like functions.
-    
-    Fixes: 4cfd970ec188558daa6214f26203fe553fb1e01f
-    Fixes: http://bugs.debian.org/993145
-    Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
-    Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
-    Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-    CC: qemu-stable@nongnu.org
-
-diff --git a/util/qemu-sockets.c b/util/qemu-sockets.c
-index f2f3676d1f..c5043999e9 100644
---- a/util/qemu-sockets.c
-+++ b/util/qemu-sockets.c
-@@ -1345,25 +1345,22 @@ socket_sockaddr_to_address_unix(struct sockaddr_storage *sa,
-     SocketAddress *addr;
-     struct sockaddr_un *su = (struct sockaddr_un *)sa;
- 
--    assert(salen >= sizeof(su->sun_family) + 1 &&
--           salen <= sizeof(struct sockaddr_un));
--
-     addr = g_new0(SocketAddress, 1);
-     addr->type = SOCKET_ADDRESS_TYPE_UNIX;
-+    salen -= offsetof(struct sockaddr_un, sun_path);
- #ifdef CONFIG_LINUX
--    if (!su->sun_path[0]) {
-+    if (salen > 0 && !su->sun_path[0]) {
-         /* Linux abstract socket */
--        addr->u.q_unix.path = g_strndup(su->sun_path + 1,
--                                        salen - sizeof(su->sun_family) - 1);
-+        addr->u.q_unix.path = g_strndup(su->sun_path + 1, salen - 1);
-         addr->u.q_unix.has_abstract = true;
-         addr->u.q_unix.abstract = true;
-         addr->u.q_unix.has_tight = true;
--        addr->u.q_unix.tight = salen < sizeof(*su);
-+        addr->u.q_unix.tight = salen < sizeof(su->sun_path);
-         return addr;
-     }
- #endif
- 
--    addr->u.q_unix.path = g_strndup(su->sun_path, sizeof(su->sun_path));
-+    addr->u.q_unix.path = g_strndup(su->sun_path, salen);
-     return addr;
- }
- #endif /* WIN32 */


^ permalink raw reply related	[flat|nested] 21+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: app-emulation/qemu/files/
@ 2022-01-06 19:08 John Helmert III
  0 siblings, 0 replies; 21+ messages in thread
From: John Helmert III @ 2022-01-06 19:08 UTC (permalink / raw
  To: gentoo-commits

commit:     b748f4135c3eb91e47f9cf914b9dc620d3aaa8d6
Author:     John Helmert III <ajak <AT> gentoo <DOT> org>
AuthorDate: Thu Jan  6 19:03:29 2022 +0000
Commit:     John Helmert III <ajak <AT> gentoo <DOT> org>
CommitDate: Thu Jan  6 19:07:30 2022 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b748f413

app-emulation/qemu: add links to patch sources, upstream issue, gentoo bug in SLIC patch

Signed-off-by: John Helmert III <ajak <AT> gentoo.org>

 app-emulation/qemu/files/qemu-6.2.0-user-SLIC-crash.patch | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/app-emulation/qemu/files/qemu-6.2.0-user-SLIC-crash.patch b/app-emulation/qemu/files/qemu-6.2.0-user-SLIC-crash.patch
index 7d22feeade2a..76809782b5f7 100644
--- a/app-emulation/qemu/files/qemu-6.2.0-user-SLIC-crash.patch
+++ b/app-emulation/qemu/files/qemu-6.2.0-user-SLIC-crash.patch
@@ -1,3 +1,8 @@
+Gentoo bug: https://bugs.gentoo.org/830170
+Upstream bug: https://gitlab.com/qemu-project/qemu/-/issues/786
+Patches taken from
+https://lore.kernel.org/qemu-devel/20211227193120.1084176-1-imammedo@redhat.com/
+
 commit dce6c86f54eab61028e110497c222e73381379df
 Author: Igor Mammedov <imammedo@redhat.com>
 Date:   Mon Dec 27 14:31:17 2021 -0500


^ permalink raw reply related	[flat|nested] 21+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: app-emulation/qemu/files/
@ 2021-06-16 20:59 Sergei Trofimovich
  0 siblings, 0 replies; 21+ messages in thread
From: Sergei Trofimovich @ 2021-06-16 20:59 UTC (permalink / raw
  To: gentoo-commits

commit:     78479bf6a6ccc2fac8954951cdc6e655a949d6d3
Author:     Michael Mair-Keimberger <mmk <AT> levelnine <DOT> at>
AuthorDate: Wed Jun 16 18:14:21 2021 +0000
Commit:     Sergei Trofimovich <slyfox <AT> gentoo <DOT> org>
CommitDate: Wed Jun 16 20:59:13 2021 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=78479bf6

app-emulation/qemu: remove unused patches

Package-Manager: Portage-3.0.19, Repoman-3.0.3
Signed-off-by: Michael Mair-Keimberger <mmk <AT> levelnine.at>
Closes: https://github.com/gentoo/gentoo/pull/21269
Signed-off-by: Sergei Trofimovich <slyfox <AT> gentoo.org>

 app-emulation/qemu/files/65-kvm.rules-r1           |  2 -
 .../qemu/files/qemu-5.2.0-fix-firmware-path.patch  | 16 -----
 .../qemu/files/qemu-5.2.0-no-pie-ld.patch          | 73 ----------------------
 3 files changed, 91 deletions(-)

diff --git a/app-emulation/qemu/files/65-kvm.rules-r1 b/app-emulation/qemu/files/65-kvm.rules-r1
deleted file mode 100644
index ab3776ac29e..00000000000
--- a/app-emulation/qemu/files/65-kvm.rules-r1
+++ /dev/null
@@ -1,2 +0,0 @@
-KERNEL=="kvm", GROUP="kvm", MODE="0660"
-KERNEL=="vhost-net", GROUP="kvm", MODE="0660", OPTIONS+="static_node=vhost-net"

diff --git a/app-emulation/qemu/files/qemu-5.2.0-fix-firmware-path.patch b/app-emulation/qemu/files/qemu-5.2.0-fix-firmware-path.patch
deleted file mode 100644
index 53969833795..00000000000
--- a/app-emulation/qemu/files/qemu-5.2.0-fix-firmware-path.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-Se absolute filename in files like
-    /usr/share/qemu/firmware/50-edk2-x86_64-secure.json
-
-Bug: https://bugs.gentoo.org/766743
-Patch-by: Jannik Glückert
---- a/pc-bios/descriptors/meson.build
-+++ b/pc-bios/descriptors/meson.build
-@@ -8,7 +8,7 @@ foreach f: [
- ]
-   configure_file(input: files(f),
-                  output: f,
--                 configuration: {'DATADIR': qemu_datadir},
-+                 configuration: {'DATADIR': get_option('prefix') / qemu_datadir},
-                  install: get_option('install_blobs'),
-                  install_dir: qemu_datadir / 'firmware')
- endforeach

diff --git a/app-emulation/qemu/files/qemu-5.2.0-no-pie-ld.patch b/app-emulation/qemu/files/qemu-5.2.0-no-pie-ld.patch
deleted file mode 100644
index f47a58790cc..00000000000
--- a/app-emulation/qemu/files/qemu-5.2.0-no-pie-ld.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From bbd2d5a8120771ec59b86a80a1f51884e0a26e53 Mon Sep 17 00:00:00 2001
-From: Christian Ehrhardt <christian.ehrhardt@canonical.com>
-Date: Mon, 14 Dec 2020 16:09:38 +0100
-Subject: [PATCH] build: -no-pie is no functional linker flag
-
-Recent binutils changes dropping unsupported options [1] caused a build
-issue in regard to the optionroms.
-
-  ld -m elf_i386 -T /<<PKGBUILDDIR>>/pc-bios/optionrom//flat.lds -no-pie \
-    -s -o multiboot.img multiboot.o
-  ld.bfd: Error: unable to disambiguate: -no-pie (did you mean --no-pie ?)
-
-This isn't really a regression in ld.bfd, filing the bug upstream
-revealed that this never worked as a ld flag [2] - in fact it seems we
-were by accident setting --nmagic).
-
-Since it never had the wanted effect this usage of LDFLAGS_NOPIE, should be
-droppable without any effect. This also is the only use-case of LDFLAGS_NOPIE
-in .mak, therefore we can also remove it from being added there.
-
-[1]: https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=983d925d
-[2]: https://sourceware.org/bugzilla/show_bug.cgi?id=27050#c5
-
-Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
-Message-Id: <20201214150938.1297512-1-christian.ehrhardt@canonical.com>
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
----
- configure                  | 3 ---
- pc-bios/optionrom/Makefile | 1 -
- 2 files changed, 4 deletions(-)
-
---- a/configure
-+++ b/configure
-@@ -2137,7 +2137,6 @@ EOF
- # Check we support --no-pie first; we will need this for building ROMs.
- if compile_prog "-Werror -fno-pie" "-no-pie"; then
-   CFLAGS_NOPIE="-fno-pie"
--  LDFLAGS_NOPIE="-no-pie"
- fi
- 
- if test "$static" = "yes"; then
-@@ -2153,7 +2152,6 @@ if test "$static" = "yes"; then
-   fi
- elif test "$pie" = "no"; then
-   CONFIGURE_CFLAGS="$CFLAGS_NOPIE $CONFIGURE_CFLAGS"
--  CONFIGURE_LDFLAGS="$LDFLAGS_NOPIE $CONFIGURE_LDFLAGS"
- elif compile_prog "-Werror -fPIE -DPIE" "-pie"; then
-   CONFIGURE_CFLAGS="-fPIE -DPIE $CONFIGURE_CFLAGS"
-   CONFIGURE_LDFLAGS="-pie $CONFIGURE_LDFLAGS"
-@@ -6714,7 +6712,6 @@ echo "QEMU_CXXFLAGS=$QEMU_CXXFLAGS" >> $config_host_mak
- echo "GLIB_CFLAGS=$glib_cflags" >> $config_host_mak
- echo "GLIB_LIBS=$glib_libs" >> $config_host_mak
- echo "QEMU_LDFLAGS=$QEMU_LDFLAGS" >> $config_host_mak
--echo "LDFLAGS_NOPIE=$LDFLAGS_NOPIE" >> $config_host_mak
- echo "LD_I386_EMULATION=$ld_i386_emulation" >> $config_host_mak
- echo "EXESUF=$EXESUF" >> $config_host_mak
- echo "HOST_DSOSUF=$HOST_DSOSUF" >> $config_host_mak
-diff --git a/pc-bios/optionrom/Makefile b/pc-bios/optionrom/Makefile
-index 084fc10f05..30771f8d17 100644
---- a/pc-bios/optionrom/Makefile
-+++ b/pc-bios/optionrom/Makefile
-@@ -41,7 +41,6 @@ override CFLAGS += $(call cc-option, $(Wa)-32)
- 
- LD_I386_EMULATION ?= elf_i386
- override LDFLAGS = -m $(LD_I386_EMULATION) -T $(SRC_DIR)/flat.lds
--override LDFLAGS += $(LDFLAGS_NOPIE)
- 
- all: multiboot.bin linuxboot.bin linuxboot_dma.bin kvmvapic.bin pvh.bin
- 
--- 
-2.30.0
-


^ permalink raw reply related	[flat|nested] 21+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: app-emulation/qemu/files/
@ 2021-03-14 18:53 Conrad Kostecki
  0 siblings, 0 replies; 21+ messages in thread
From: Conrad Kostecki @ 2021-03-14 18:53 UTC (permalink / raw
  To: gentoo-commits

commit:     f309e47704c04a153a328c9ad7c07547db51b5a6
Author:     Michael Mair-Keimberger <mmk <AT> levelnine <DOT> at>
AuthorDate: Sun Mar 14 16:45:36 2021 +0000
Commit:     Conrad Kostecki <conikost <AT> gentoo <DOT> org>
CommitDate: Sun Mar 14 18:51:54 2021 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f309e477

app-emulation/qemu: remove unused patches

Closes: https://github.com/gentoo/gentoo/pull/19927
Package-Manager: Portage-3.0.17, Repoman-3.0.2
Signed-off-by: Michael Mair-Keimberger <mmk <AT> levelnine.at>
Signed-off-by: Conrad Kostecki <conikost <AT> gentoo.org>

 .../qemu/files/qemu-4.0.0-mkdir_systemtap.patch    | 12 ---
 app-emulation/qemu/files/qemu-4.2.0-cflags.patch   | 16 ----
 .../qemu-5.1.0-pixman-for-vhost-user-gpu.patch     | 62 ---------------
 ...qemu-5.1.0-usb-host-workaround-libusb-bug.patch | 82 --------------------
 .../files/qemu-5.1.0-usb-oob-CVE-2020-14364.patch  | 90 ----------------------
 5 files changed, 262 deletions(-)

diff --git a/app-emulation/qemu/files/qemu-4.0.0-mkdir_systemtap.patch b/app-emulation/qemu/files/qemu-4.0.0-mkdir_systemtap.patch
deleted file mode 100644
index 95ccdd7a4b1..00000000000
--- a/app-emulation/qemu/files/qemu-4.0.0-mkdir_systemtap.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff --git a/Makefile b/Makefile
-index 04a0d450..e0013a59 100644
---- a/Makefile
-+++ b/Makefile
-@@ -803,6 +802,7 @@
- 	$(call install-prog,$(HELPERS-y),$(DESTDIR)$(libexecdir))
- endif
- ifdef CONFIG_TRACE_SYSTEMTAP
-+	mkdir -p $(DESTDIR)$(bindir)
- 	$(INSTALL_PROG) "scripts/qemu-trace-stap" $(DESTDIR)$(bindir)
- endif
- ifneq ($(BLOBS),)

diff --git a/app-emulation/qemu/files/qemu-4.2.0-cflags.patch b/app-emulation/qemu/files/qemu-4.2.0-cflags.patch
deleted file mode 100644
index 101926589a6..00000000000
--- a/app-emulation/qemu/files/qemu-4.2.0-cflags.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-diff --git i/configure w/configure
-index a72a5def57..546d757603 100755
---- i/configure
-+++ w/configure
-@@ -6093,10 +6093,6 @@ write_c_skeleton
- if test "$gcov" = "yes" ; then
-   QEMU_CFLAGS="-fprofile-arcs -ftest-coverage -g $QEMU_CFLAGS"
-   QEMU_LDFLAGS="-fprofile-arcs -ftest-coverage $QEMU_LDFLAGS"
--elif test "$fortify_source" = "yes" ; then
--  CFLAGS="-O2 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 $CFLAGS"
--elif test "$debug" = "no"; then
--  CFLAGS="-O2 $CFLAGS"
- fi
- 
- if test "$have_asan" = "yes"; then
-

diff --git a/app-emulation/qemu/files/qemu-5.1.0-pixman-for-vhost-user-gpu.patch b/app-emulation/qemu/files/qemu-5.1.0-pixman-for-vhost-user-gpu.patch
deleted file mode 100644
index 4eb644fde54..00000000000
--- a/app-emulation/qemu/files/qemu-5.1.0-pixman-for-vhost-user-gpu.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-https://bugs.gentoo.org/735146
-
-From 4fd46e6cdd976f4aecdc3fbbad728e00a7bc4ee0 Mon Sep 17 00:00:00 2001
-From: Rafael Kitover <rkitover@gmail.com>
-Date: Thu, 13 Aug 2020 20:19:24 +0000
-Subject: [PATCH] configure: Require pixman for vhost-user-gpu.
-
-Use the test from Makefile to check if vhost-user-gpu is being built,
-and if so require pixman.
-
-Signed-off-by: Rafael Kitover <rkitover@gmail.com>
----
- configure | 28 ++++++++++++++--------------
- 1 file changed, 14 insertions(+), 14 deletions(-)
-
---- a/configure
-+++ b/configure
-@@ -4062,20 +4062,6 @@ if test "$modules" = yes; then
-     fi
- fi
- 
--##########################################
--# pixman support probe
--
--if test "$softmmu" = "no"; then
--  pixman_cflags=
--  pixman_libs=
--elif $pkg_config --atleast-version=0.21.8 pixman-1 > /dev/null 2>&1; then
--  pixman_cflags=$($pkg_config --cflags pixman-1)
--  pixman_libs=$($pkg_config --libs pixman-1)
--else
--  error_exit "pixman >= 0.21.8 not present." \
--      "Please install the pixman devel package."
--fi
--
- ##########################################
- # libmpathpersist probe
- 
-@@ -4491,6 +4477,20 @@ if test "$opengl" = "yes" && test "$have_x11" = "yes"; then
-   done
- fi
- 
-+##########################################
-+# pixman support probe
-+
-+if test "$softmmu" = "no" && ! test "${linux} ${virglrenderer} ${gbm} ${want_tools}" = "yes yes yes yes";  then
-+  pixman_cflags=
-+  pixman_libs=
-+elif $pkg_config --atleast-version=0.21.8 pixman-1 > /dev/null 2>&1; then
-+  pixman_cflags=$($pkg_config --cflags pixman-1)
-+  pixman_libs=$($pkg_config --libs pixman-1)
-+else
-+  error_exit "pixman >= 0.21.8 not present." \
-+      "Please install the pixman devel package."
-+fi
-+
- ##########################################
- # libxml2 probe
- if test "$libxml2" != "no" ; then
--- 
-2.28.0
-

diff --git a/app-emulation/qemu/files/qemu-5.1.0-usb-host-workaround-libusb-bug.patch b/app-emulation/qemu/files/qemu-5.1.0-usb-host-workaround-libusb-bug.patch
deleted file mode 100644
index 34a50a9bfb5..00000000000
--- a/app-emulation/qemu/files/qemu-5.1.0-usb-host-workaround-libusb-bug.patch
+++ /dev/null
@@ -1,82 +0,0 @@
-From 202d69a715a4b1824dcd7ec1683d027ed2bae6d3 Mon Sep 17 00:00:00 2001
-Message-Id: <202d69a715a4b1824dcd7ec1683d027ed2bae6d3.1606202550.git.mprivozn@redhat.com>
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Mon, 24 Aug 2020 13:00:57 +0200
-Subject: [PATCH] usb-host: workaround libusb bug
-
-libusb_get_device_speed() does not work for
-libusb_wrap_sys_device() devices in v1.0.23.
-
-Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1871090
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Message-id: 20200824110057.32089-1-kraxel@redhat.com
-Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
----
- hw/usb/host-libusb.c | 37 ++++++++++++++++++++++++++++++++++++-
- 1 file changed, 36 insertions(+), 1 deletion(-)
-
-diff --git a/hw/usb/host-libusb.c b/hw/usb/host-libusb.c
-index c474551d84..08604f787f 100644
---- a/hw/usb/host-libusb.c
-+++ b/hw/usb/host-libusb.c
-@@ -39,6 +39,11 @@
- #endif
- #include <libusb.h>
- 
-+#ifdef CONFIG_LINUX
-+#include <sys/ioctl.h>
-+#include <linux/usbdevice_fs.h>
-+#endif
-+
- #include "qapi/error.h"
- #include "migration/vmstate.h"
- #include "monitor/monitor.h"
-@@ -885,6 +890,7 @@ static void usb_host_ep_update(USBHostDevice *s)
- static int usb_host_open(USBHostDevice *s, libusb_device *dev, int hostfd)
- {
-     USBDevice *udev = USB_DEVICE(s);
-+    int libusb_speed;
-     int bus_num = 0;
-     int addr = 0;
-     int rc;
-@@ -935,7 +941,36 @@ static int usb_host_open(USBHostDevice *s, libusb_device *dev, int hostfd)
-     usb_ep_init(udev);
-     usb_host_ep_update(s);
- 
--    udev->speed     = speed_map[libusb_get_device_speed(dev)];
-+    libusb_speed = libusb_get_device_speed(dev);
-+#ifdef CONFIG_LINUX
-+    if (hostfd && libusb_speed == 0) {
-+        /*
-+         * Workaround libusb bug: libusb_get_device_speed() does not
-+         * work for libusb_wrap_sys_device() devices in v1.0.23.
-+         *
-+         * Speeds are defined in linux/usb/ch9.h, file not included
-+         * due to name conflicts.
-+         */
-+        int rc = ioctl(hostfd, USBDEVFS_GET_SPEED, NULL);
-+        switch (rc) {
-+        case 1: /* low */
-+            libusb_speed = LIBUSB_SPEED_LOW;
-+            break;
-+        case 2: /* full */
-+            libusb_speed = LIBUSB_SPEED_FULL;
-+            break;
-+        case 3: /* high */
-+        case 4: /* wireless */
-+            libusb_speed = LIBUSB_SPEED_HIGH;
-+            break;
-+        case 5: /* super */
-+        case 6: /* super plus */
-+            libusb_speed = LIBUSB_SPEED_SUPER;
-+            break;
-+        }
-+    }
-+#endif
-+    udev->speed = speed_map[libusb_speed];
-     usb_host_speed_compat(s);
- 
-     if (s->ddesc.iProduct) {
--- 
-2.26.2
-

diff --git a/app-emulation/qemu/files/qemu-5.1.0-usb-oob-CVE-2020-14364.patch b/app-emulation/qemu/files/qemu-5.1.0-usb-oob-CVE-2020-14364.patch
deleted file mode 100644
index d1d23ec6f0e..00000000000
--- a/app-emulation/qemu/files/qemu-5.1.0-usb-oob-CVE-2020-14364.patch
+++ /dev/null
@@ -1,90 +0,0 @@
-https://bugs.gentoo.org/743649
-
-From b946434f2659a182afc17e155be6791ebfb302eb Mon Sep 17 00:00:00 2001
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Tue, 25 Aug 2020 07:36:36 +0200
-Subject: [PATCH] usb: fix setup_len init (CVE-2020-14364)
-
-Store calculated setup_len in a local variable, verify it, and only
-write it to the struct (USBDevice->setup_len) in case it passed the
-sanity checks.
-
-This prevents other code (do_token_{in,out} functions specifically)
-from working with invalid USBDevice->setup_len values and overrunning
-the USBDevice->setup_buf[] buffer.
-
-Fixes: CVE-2020-14364
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Tested-by: Gonglei <arei.gonglei@huawei.com>
-Reviewed-by: Li Qiang <liq3ea@gmail.com>
-Message-id: 20200825053636.29648-1-kraxel@redhat.com
----
- hw/usb/core.c | 16 ++++++++++------
- 1 file changed, 10 insertions(+), 6 deletions(-)
-
-diff --git a/hw/usb/core.c b/hw/usb/core.c
-index 5abd128b6b..5234dcc73f 100644
---- a/hw/usb/core.c
-+++ b/hw/usb/core.c
-@@ -129,6 +129,7 @@ void usb_wakeup(USBEndpoint *ep, unsigned int stream)
- static void do_token_setup(USBDevice *s, USBPacket *p)
- {
-     int request, value, index;
-+    unsigned int setup_len;
- 
-     if (p->iov.size != 8) {
-         p->status = USB_RET_STALL;
-@@ -138,14 +139,15 @@ static void do_token_setup(USBDevice *s, USBPacket *p)
-     usb_packet_copy(p, s->setup_buf, p->iov.size);
-     s->setup_index = 0;
-     p->actual_length = 0;
--    s->setup_len   = (s->setup_buf[7] << 8) | s->setup_buf[6];
--    if (s->setup_len > sizeof(s->data_buf)) {
-+    setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
-+    if (setup_len > sizeof(s->data_buf)) {
-         fprintf(stderr,
-                 "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",
--                s->setup_len, sizeof(s->data_buf));
-+                setup_len, sizeof(s->data_buf));
-         p->status = USB_RET_STALL;
-         return;
-     }
-+    s->setup_len = setup_len;
- 
-     request = (s->setup_buf[0] << 8) | s->setup_buf[1];
-     value   = (s->setup_buf[3] << 8) | s->setup_buf[2];
-@@ -259,26 +261,28 @@ static void do_token_out(USBDevice *s, USBPacket *p)
- static void do_parameter(USBDevice *s, USBPacket *p)
- {
-     int i, request, value, index;
-+    unsigned int setup_len;
- 
-     for (i = 0; i < 8; i++) {
-         s->setup_buf[i] = p->parameter >> (i*8);
-     }
- 
-     s->setup_state = SETUP_STATE_PARAM;
--    s->setup_len   = (s->setup_buf[7] << 8) | s->setup_buf[6];
-     s->setup_index = 0;
- 
-     request = (s->setup_buf[0] << 8) | s->setup_buf[1];
-     value   = (s->setup_buf[3] << 8) | s->setup_buf[2];
-     index   = (s->setup_buf[5] << 8) | s->setup_buf[4];
- 
--    if (s->setup_len > sizeof(s->data_buf)) {
-+    setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
-+    if (setup_len > sizeof(s->data_buf)) {
-         fprintf(stderr,
-                 "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",
--                s->setup_len, sizeof(s->data_buf));
-+                setup_len, sizeof(s->data_buf));
-         p->status = USB_RET_STALL;
-         return;
-     }
-+    s->setup_len = setup_len;
- 
-     if (p->pid == USB_TOKEN_OUT) {
-         usb_packet_copy(p, s->data_buf, s->setup_len);
--- 
-2.28.0
-


^ permalink raw reply related	[flat|nested] 21+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: app-emulation/qemu/files/
@ 2020-09-21 21:48 Conrad Kostecki
  0 siblings, 0 replies; 21+ messages in thread
From: Conrad Kostecki @ 2020-09-21 21:48 UTC (permalink / raw
  To: gentoo-commits

commit:     5015b08faf87a9906d4bcf8ac8a92804fe95cc7c
Author:     Michael Mair-Keimberger <m.mairkeimberger <AT> gmail <DOT> com>
AuthorDate: Mon Sep 21 18:41:00 2020 +0000
Commit:     Conrad Kostecki <conikost <AT> gentoo <DOT> org>
CommitDate: Mon Sep 21 21:48:32 2020 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5015b08f

app-emulation/qemu: remove unused patches

Closes: https://github.com/gentoo/gentoo/pull/17629
Package-Manager: Portage-3.0.7, Repoman-3.0.1
Signed-off-by: Michael Mair-Keimberger <m.mairkeimberger <AT> gmail.com>
Signed-off-by: Conrad Kostecki <conikost <AT> gentoo.org>

 .../qemu/files/qemu-5.0.0-epoll-strace.patch       | 50 ----------------------
 .../qemu-5.0.0-ipv6-slirp-CVE-2020-10756.patch     | 35 ---------------
 2 files changed, 85 deletions(-)

diff --git a/app-emulation/qemu/files/qemu-5.0.0-epoll-strace.patch b/app-emulation/qemu/files/qemu-5.0.0-epoll-strace.patch
deleted file mode 100644
index c0f9a2e008d..00000000000
--- a/app-emulation/qemu/files/qemu-5.0.0-epoll-strace.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-https://lists.nongnu.org/archive/html/qemu-devel/2020-04/msg02643.html
-
-From 6bce23d8daf96a7faa9288e7414948cda31ddaa2 Mon Sep 17 00:00:00 2001
-From: Sergei Trofimovich <slyfox@gentoo.org>
-Date: Thu, 16 Apr 2020 18:55:49 +0100
-Subject: [PATCH] linux-user/strace.list: fix epoll_create{,1} -strace output
-
-Fix syscall name and parameters priinter.
-
-Before the change:
-
-```
-$ alpha-linux-user/qemu-alpha -strace -L /usr/alpha-unknown-linux-gnu/ /tmp/a
-...
-1274697 %s(%d)(2097152,274903156744,274903156760,274905840712,274877908880,274903235616) = 3
-1274697 exit_group(0)
-```
-
-After the change:
-
-```
-$ alpha-linux-user/qemu-alpha -strace -L /usr/alpha-unknown-linux-gnu/ /tmp/a
-...
-1273719 epoll_create1(2097152) = 3
-1273719 exit_group(0)
-```
-
-Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
----
- linux-user/strace.list | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
---- a/linux-user/strace.list
-+++ b/linux-user/strace.list
-@@ -125,10 +125,10 @@
- { TARGET_NR_dup3, "dup3" , "%s(%d,%d,%d)", NULL, NULL },
- #endif
- #ifdef TARGET_NR_epoll_create
--{ TARGET_NR_epoll_create, "%s(%d)", NULL, NULL, NULL },
-+{ TARGET_NR_epoll_create, "epoll_create", "%s(%d)", NULL, NULL },
- #endif
- #ifdef TARGET_NR_epoll_create1
--{ TARGET_NR_epoll_create1, "%s(%d)", NULL, NULL, NULL },
-+{ TARGET_NR_epoll_create1, "epoll_create1", "%s(%d)", NULL, NULL },
- #endif
- #ifdef TARGET_NR_epoll_ctl
- { TARGET_NR_epoll_ctl, "epoll_ctl" , NULL, NULL, NULL },
--- 
-2.26.2
-

diff --git a/app-emulation/qemu/files/qemu-5.0.0-ipv6-slirp-CVE-2020-10756.patch b/app-emulation/qemu/files/qemu-5.0.0-ipv6-slirp-CVE-2020-10756.patch
deleted file mode 100644
index d1d3c49a58f..00000000000
--- a/app-emulation/qemu/files/qemu-5.0.0-ipv6-slirp-CVE-2020-10756.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-https://gitlab.freedesktop.org/slirp/libslirp/-/commit/c7ede54cbd2e2b25385325600958ba0124e31cc0
-https://bugzilla.redhat.com/show_bug.cgi?id=1835986
-https://bugs.gentoo.org/731992
-
-From c7ede54cbd2e2b25385325600958ba0124e31cc0 Mon Sep 17 00:00:00 2001
-From: Ralf Haferkamp <rhafer@suse.com>
-Date: Fri, 3 Jul 2020 14:51:16 +0200
-Subject: [PATCH] Drop bogus IPv6 messages
-
-Drop IPv6 message shorter than what's mentioned in the payload
-length header (+ the size of the IPv6 header). They're invalid an could
-lead to data leakage in icmp6_send_echoreply().
----
- src/ip6_input.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
---- a/slirp/src/ip6_input.c
-+++ b/slirp/src/ip6_input.c
-@@ -49,6 +49,13 @@ void ip6_input(struct mbuf *m)
-         goto bad;
-     }
- 
-+    // Check if the message size is big enough to hold what's
-+    // set in the payload length header. If not this is an invalid
-+    // packet
-+    if (m->m_len < ntohs(ip6->ip_pl) + sizeof(struct ip6)) {
-+        goto bad;
-+    }
-+
-     /* check ip_ttl for a correct ICMP reply */
-     if (ip6->ip_hl == 0) {
-         icmp6_send_error(m, ICMP6_TIMXCEED, ICMP6_TIMXCEED_INTRANS);
--- 
-GitLab
-


^ permalink raw reply related	[flat|nested] 21+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: app-emulation/qemu/files/
@ 2020-07-06 18:40 Sergei Trofimovich
  0 siblings, 0 replies; 21+ messages in thread
From: Sergei Trofimovich @ 2020-07-06 18:40 UTC (permalink / raw
  To: gentoo-commits

commit:     dbfbd2a380ece3ff78b93dde0da2c086e542bdd6
Author:     Michael Mair-Keimberger <m.mairkeimberger <AT> gmail <DOT> com>
AuthorDate: Mon Jul  6 17:22:38 2020 +0000
Commit:     Sergei Trofimovich <slyfox <AT> gentoo <DOT> org>
CommitDate: Mon Jul  6 18:40:29 2020 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dbfbd2a3

app-emulation/qemu: remove unused patches

Package-Manager: Portage-2.3.103, Repoman-2.3.23
Signed-off-by: Michael Mair-Keimberger <m.mairkeimberger <AT> gmail.com>
Closes: https://github.com/gentoo/gentoo/pull/16612
Signed-off-by: Sergei Trofimovich <slyfox <AT> gentoo.org>

 app-emulation/qemu/files/qemu-2.5.0-cflags.patch   | 13 ---
 .../qemu/files/qemu-4.2.0-ati-vga-crash.patch      | 94 ----------------------
 2 files changed, 107 deletions(-)

diff --git a/app-emulation/qemu/files/qemu-2.5.0-cflags.patch b/app-emulation/qemu/files/qemu-2.5.0-cflags.patch
deleted file mode 100644
index 173394fd02f..00000000000
--- a/app-emulation/qemu/files/qemu-2.5.0-cflags.patch
+++ /dev/null
@@ -1,13 +0,0 @@
---- a/configure
-+++ b/configure
-@@ -4468,10 +4468,6 @@ fi
- if test "$gcov" = "yes" ; then
-   CFLAGS="-fprofile-arcs -ftest-coverage -g $CFLAGS"
-   LDFLAGS="-fprofile-arcs -ftest-coverage $LDFLAGS"
--elif test "$fortify_source" = "yes" ; then
--  CFLAGS="-O2 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 $CFLAGS"
--elif test "$debug" = "no"; then
--  CFLAGS="-O2 $CFLAGS"
- fi
- 
- ##########################################

diff --git a/app-emulation/qemu/files/qemu-4.2.0-ati-vga-crash.patch b/app-emulation/qemu/files/qemu-4.2.0-ati-vga-crash.patch
deleted file mode 100644
index 5f442f0fd07..00000000000
--- a/app-emulation/qemu/files/qemu-4.2.0-ati-vga-crash.patch
+++ /dev/null
@@ -1,94 +0,0 @@
-https://bugs.gentoo.org/719266
-
-From ac2071c3791b67fc7af78b8ceb320c01ca1b5df7 Mon Sep 17 00:00:00 2001
-From: BALATON Zoltan <balaton@eik.bme.hu>
-Date: Mon, 6 Apr 2020 22:34:26 +0200
-Subject: [PATCH] ati-vga: Fix checks in ati_2d_blt() to avoid crash
-
-In some corner cases (that never happen during normal operation but a
-malicious guest could program wrong values) pixman functions were
-called with parameters that result in a crash. Fix this and add more
-checks to disallow such cases.
-
-Reported-by: Ziming Zhang <ezrakiez@gmail.com>
-Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
-Message-id: 20200406204029.19559747D5D@zero.eik.bme.hu
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- hw/display/ati_2d.c | 37 ++++++++++++++++++++++++++-----------
- 1 file changed, 26 insertions(+), 11 deletions(-)
-
---- a/hw/display/ati_2d.c
-+++ b/hw/display/ati_2d.c
-@@ -53,12 +53,20 @@ void ati_2d_blt(ATIVGAState *s)
-             s->vga.vbe_start_addr, surface_data(ds), surface_stride(ds),
-             surface_bits_per_pixel(ds),
-             (s->regs.dp_mix & GMC_ROP3_MASK) >> 16);
--    int dst_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ?
--                 s->regs.dst_x : s->regs.dst_x + 1 - s->regs.dst_width);
--    int dst_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ?
--                 s->regs.dst_y : s->regs.dst_y + 1 - s->regs.dst_height);
-+    unsigned dst_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ?
-+                      s->regs.dst_x : s->regs.dst_x + 1 - s->regs.dst_width);
-+    unsigned dst_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ?
-+                      s->regs.dst_y : s->regs.dst_y + 1 - s->regs.dst_height);
-     int bpp = ati_bpp_from_datatype(s);
-+    if (!bpp) {
-+        qemu_log_mask(LOG_GUEST_ERROR, "Invalid bpp\n");
-+        return;
-+    }
-     int dst_stride = DEFAULT_CNTL ? s->regs.dst_pitch : s->regs.default_pitch;
-+    if (!dst_stride) {
-+        qemu_log_mask(LOG_GUEST_ERROR, "Zero dest pitch\n");
-+        return;
-+    }
-     uint8_t *dst_bits = s->vga.vram_ptr + (DEFAULT_CNTL ?
-                         s->regs.dst_offset : s->regs.default_offset);
- 
-@@ -82,12 +90,16 @@ void ati_2d_blt(ATIVGAState *s)
-     switch (s->regs.dp_mix & GMC_ROP3_MASK) {
-     case ROP3_SRCCOPY:
-     {
--        int src_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ?
--                     s->regs.src_x : s->regs.src_x + 1 - s->regs.dst_width);
--        int src_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ?
--                     s->regs.src_y : s->regs.src_y + 1 - s->regs.dst_height);
-+        unsigned src_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ?
-+                       s->regs.src_x : s->regs.src_x + 1 - s->regs.dst_width);
-+        unsigned src_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ?
-+                       s->regs.src_y : s->regs.src_y + 1 - s->regs.dst_height);
-         int src_stride = DEFAULT_CNTL ?
-                          s->regs.src_pitch : s->regs.default_pitch;
-+        if (!src_stride) {
-+            qemu_log_mask(LOG_GUEST_ERROR, "Zero source pitch\n");
-+            return;
-+        }
-         uint8_t *src_bits = s->vga.vram_ptr + (DEFAULT_CNTL ?
-                             s->regs.src_offset : s->regs.default_offset);
- 
-@@ -137,8 +149,10 @@ void ati_2d_blt(ATIVGAState *s)
-                                     dst_y * surface_stride(ds),
-                                     s->regs.dst_height * surface_stride(ds));
-         }
--        s->regs.dst_x += s->regs.dst_width;
--        s->regs.dst_y += s->regs.dst_height;
-+        s->regs.dst_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ?
-+                         dst_x + s->regs.dst_width : dst_x);
-+        s->regs.dst_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ?
-+                         dst_y + s->regs.dst_height : dst_y);
-         break;
-     }
-     case ROP3_PATCOPY:
-@@ -179,7 +193,8 @@ void ati_2d_blt(ATIVGAState *s)
-                                     dst_y * surface_stride(ds),
-                                     s->regs.dst_height * surface_stride(ds));
-         }
--        s->regs.dst_y += s->regs.dst_height;
-+        s->regs.dst_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ?
-+                         dst_y + s->regs.dst_height : dst_y);
-         break;
-     }
-     default:
--- 
-2.26.2
-


^ permalink raw reply related	[flat|nested] 21+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: app-emulation/qemu/files/
@ 2020-04-18 21:31 Sergei Trofimovich
  0 siblings, 0 replies; 21+ messages in thread
From: Sergei Trofimovich @ 2020-04-18 21:31 UTC (permalink / raw
  To: gentoo-commits

commit:     97b0f769363b5056565b24f10b28192e7b613689
Author:     Michael Mair-Keimberger <m.mairkeimberger <AT> gmail <DOT> com>
AuthorDate: Sat Apr 18 16:49:33 2020 +0000
Commit:     Sergei Trofimovich <slyfox <AT> gentoo <DOT> org>
CommitDate: Sat Apr 18 21:31:52 2020 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=97b0f769

app-emulation/qemu: remove unused patches

Package-Manager: Portage-2.3.99, Repoman-2.3.22
Signed-off-by: Michael Mair-Keimberger <m.mairkeimberger <AT> gmail.com>
Closes: https://github.com/gentoo/gentoo/pull/15392
Signed-off-by: Sergei Trofimovich <slyfox <AT> gentoo.org>

 .../qemu/files/qemu-3.1.0-md-clear-md-no.patch     |  61 ----
 .../files/qemu-4.0.0-fix_infiniband_include.patch  |  12 -
 .../qemu/files/qemu-4.0.0-linux-headers-5.2.patch  | 334 ---------------------
 .../qemu/files/qemu-4.0.0-pc-q35-4.0.patch         | 135 ---------
 .../qemu/files/qemu-4.0.0-xkbcommon.patch          |  38 ---
 5 files changed, 580 deletions(-)

diff --git a/app-emulation/qemu/files/qemu-3.1.0-md-clear-md-no.patch b/app-emulation/qemu/files/qemu-3.1.0-md-clear-md-no.patch
deleted file mode 100644
index a7b3e8cb8f2..00000000000
--- a/app-emulation/qemu/files/qemu-3.1.0-md-clear-md-no.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-From 0fb766134bd97ead71646e13349f93769e536ed9 Mon Sep 17 00:00:00 2001
-From: Matthias Maier <tamiko@43-1.org>
-Date: Fri, 17 May 2019 02:21:10 -0500
-Subject: [PATCH] Define md-clear bit, expose md-no CPUID
-
-Fixes for CVE-2018-121{26|27|30}, CVE-2019-11091
-
-See related fixes for Ubuntu:
-  https://launchpad.net/ubuntu/+source/qemu/1:3.1+dfsg-2ubuntu3.1
----
- target/i386/cpu.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/target/i386/cpu.c b/target/i386/cpu.c
-index d6bb57d2..331a364a 100644
---- a/target/i386/cpu.c
-+++ b/target/i386/cpu.c
-@@ -1076,7 +1076,7 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
-         .feat_names = {
-             NULL, NULL, "avx512-4vnniw", "avx512-4fmaps",
-             NULL, NULL, NULL, NULL,
--            NULL, NULL, NULL, NULL,
-+            NULL, NULL, "md-clear", NULL,
-             NULL, NULL, NULL, NULL,
-             NULL, NULL, NULL, NULL,
-             NULL, NULL, NULL, NULL,
-@@ -1183,7 +1183,7 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
-         .type = MSR_FEATURE_WORD,
-         .feat_names = {
-             "rdctl-no", "ibrs-all", "rsba", "skip-l1dfl-vmentry",
--            "ssb-no", NULL, NULL, NULL,
-+            "ssb-no", "mds-no", NULL, NULL,
-             NULL, NULL, NULL, NULL,
-             NULL, NULL, NULL, NULL,
-             NULL, NULL, NULL, NULL,
-diff --git a/target/i386/cpu.h b/target/i386/cpu.h
-index 83fb5225..d0bab4d7 100644
---- a/target/i386/cpu.h
-+++ b/target/i386/cpu.h
-@@ -694,6 +694,7 @@ typedef uint32_t FeatureWordArray[FEATURE_WORDS];
- 
- #define CPUID_7_0_EDX_AVX512_4VNNIW (1U << 2) /* AVX512 Neural Network Instructions */
- #define CPUID_7_0_EDX_AVX512_4FMAPS (1U << 3) /* AVX512 Multiply Accumulation Single Precision */
-+#define CPUID_7_0_EDX_MD_CLEAR      (1U << 10) /* Microarchitectural Data Clear */
- #define CPUID_7_0_EDX_SPEC_CTRL     (1U << 26) /* Speculation Control */
- #define CPUID_7_0_EDX_ARCH_CAPABILITIES (1U << 29)  /*Arch Capabilities*/
- #define CPUID_7_0_EDX_SPEC_CTRL_SSBD  (1U << 31) /* Speculative Store Bypass Disable */
-diff --git a/target/i386/hvf/x86_cpuid.c b/target/i386/hvf/x86_cpuid.c
-index 4d957fe8..b453552f 100644
---- a/target/i386/hvf/x86_cpuid.c
-+++ b/target/i386/hvf/x86_cpuid.c
-@@ -90,7 +90,8 @@ uint32_t hvf_get_supported_cpuid(uint32_t func, uint32_t idx,
-             }
- 
-             ecx &= CPUID_7_0_ECX_AVX512BMI | CPUID_7_0_ECX_AVX512_VPOPCNTDQ;
--            edx &= CPUID_7_0_EDX_AVX512_4VNNIW | CPUID_7_0_EDX_AVX512_4FMAPS;
-+            edx &= CPUID_7_0_EDX_AVX512_4VNNIW | CPUID_7_0_EDX_AVX512_4FMAPS | \
-+                   CPUID_7_0_EDX_MD_CLEAR;
-         } else {
-             ebx = 0;
-             ecx = 0;

diff --git a/app-emulation/qemu/files/qemu-4.0.0-fix_infiniband_include.patch b/app-emulation/qemu/files/qemu-4.0.0-fix_infiniband_include.patch
deleted file mode 100644
index 2778cc8f4f2..00000000000
--- a/app-emulation/qemu/files/qemu-4.0.0-fix_infiniband_include.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff --git a/hw/rdma/rdma_backend.c b/hw/rdma/rdma_backend.c
-index d1660b64..86715bfd 100644
---- a/hw/rdma/rdma_backend.c
-+++ b/hw/rdma/rdma_backend.c
-@@ -21,7 +21,6 @@
- #include "qapi/qapi-events-rdma.h"
- 
- #include <infiniband/verbs.h>
--#include <infiniband/umad_types.h>
- #include <infiniband/umad.h>
- #include <rdma/rdma_user_cm.h>
- 

diff --git a/app-emulation/qemu/files/qemu-4.0.0-linux-headers-5.2.patch b/app-emulation/qemu/files/qemu-4.0.0-linux-headers-5.2.patch
deleted file mode 100644
index 43be8629dfa..00000000000
--- a/app-emulation/qemu/files/qemu-4.0.0-linux-headers-5.2.patch
+++ /dev/null
@@ -1,334 +0,0 @@
-From 6d5d5dde9adb5acb32e6b8e3dfbf47fff0f308d2 Mon Sep 17 00:00:00 2001
-From: =?utf8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
-Date: Thu, 18 Jul 2019 15:06:41 +0200
-Subject: [PATCH] linux-user: fix to handle variably sized SIOCGSTAMP with new
- kernels
-MIME-Version: 1.0
-Content-Type: text/plain; charset=utf8
-Content-Transfer-Encoding: 8bit
-
-The SIOCGSTAMP symbol was previously defined in the
-asm-generic/sockios.h header file. QEMU sees that header
-indirectly via sys/socket.h
-
-In linux kernel commit 0768e17073dc527ccd18ed5f96ce85f9985e9115
-the asm-generic/sockios.h header no longer defines SIOCGSTAMP.
-Instead it provides only SIOCGSTAMP_OLD, which only uses a
-32-bit time_t on 32-bit architectures.
-
-The linux/sockios.h header then defines SIOCGSTAMP using
-either SIOCGSTAMP_OLD or SIOCGSTAMP_NEW as appropriate. If
-SIOCGSTAMP_NEW is used, then the tv_sec field is 64-bit even
-on 32-bit architectures
-
-To cope with this we must now convert the old and new type from
-the target to the host one.
-
-Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
-Signed-off-by: Laurent Vivier <laurent@vivier.eu>
-Reviewed-by: Arnd Bergmann <arnd@arndb.de>
-Message-Id: <20190718130641.15294-1-laurent@vivier.eu>
-Signed-off-by: Laurent Vivier <laurent@vivier.eu>
----
- linux-user/ioctls.h        |  21 ++++++-
- linux-user/syscall.c       | 140 ++++++++++++++++++++++++++++++++++++---------
- linux-user/syscall_defs.h  |  30 +++++++++-
- linux-user/syscall_types.h |   6 --
- 4 files changed, 159 insertions(+), 38 deletions(-)
-
-diff --git a/linux-user/ioctls.h b/linux-user/ioctls.h
-index ae895162..e6a27ad9 100644
---- a/linux-user/ioctls.h
-+++ b/linux-user/ioctls.h
-@@ -219,8 +219,25 @@
-   IOCTL(SIOCGRARP, IOC_R, MK_PTR(MK_STRUCT(STRUCT_arpreq)))
-   IOCTL(SIOCGIWNAME, IOC_W | IOC_R, MK_PTR(MK_STRUCT(STRUCT_char_ifreq)))
-   IOCTL(SIOCGPGRP, IOC_R, MK_PTR(TYPE_INT)) /* pid_t */
--  IOCTL(SIOCGSTAMP, IOC_R, MK_PTR(MK_STRUCT(STRUCT_timeval)))
--  IOCTL(SIOCGSTAMPNS, IOC_R, MK_PTR(MK_STRUCT(STRUCT_timespec)))
-+
-+  /*
-+   * We can't use IOCTL_SPECIAL() because it will set
-+   * host_cmd to XXX_OLD and XXX_NEW and these macros
-+   * are not defined with kernel prior to 5.2.
-+   * We must set host_cmd to the same value as in target_cmd
-+   * otherwise the consistency check in syscall_init()
-+   * will trigger an error.
-+   * host_cmd is ignored by the do_ioctl_XXX() helpers.
-+   * FIXME: create a macro to define this kind of entry
-+   */
-+  { TARGET_SIOCGSTAMP_OLD, TARGET_SIOCGSTAMP_OLD,
-+    "SIOCGSTAMP_OLD", IOC_R, do_ioctl_SIOCGSTAMP },
-+  { TARGET_SIOCGSTAMPNS_OLD, TARGET_SIOCGSTAMPNS_OLD,
-+    "SIOCGSTAMPNS_OLD", IOC_R, do_ioctl_SIOCGSTAMPNS },
-+  { TARGET_SIOCGSTAMP_NEW, TARGET_SIOCGSTAMP_NEW,
-+    "SIOCGSTAMP_NEW", IOC_R, do_ioctl_SIOCGSTAMP },
-+  { TARGET_SIOCGSTAMPNS_NEW, TARGET_SIOCGSTAMPNS_NEW,
-+    "SIOCGSTAMPNS_NEW", IOC_R, do_ioctl_SIOCGSTAMPNS },
- 
-   IOCTL(RNDGETENTCNT, IOC_R, MK_PTR(TYPE_INT))
-   IOCTL(RNDADDTOENTCNT, IOC_W, MK_PTR(TYPE_INT))
-diff --git a/linux-user/syscall.c b/linux-user/syscall.c
-index 96cd4bf8..6df480e1 100644
---- a/linux-user/syscall.c
-+++ b/linux-user/syscall.c
-@@ -37,6 +37,7 @@
- #include <sched.h>
- #include <sys/timex.h>
- #include <sys/socket.h>
-+#include <linux/sockios.h>
- #include <sys/un.h>
- #include <sys/uio.h>
- #include <poll.h>
-@@ -1139,8 +1140,9 @@ static inline abi_long copy_from_user_timeval(struct timeval *tv,
- {
-     struct target_timeval *target_tv;
- 
--    if (!lock_user_struct(VERIFY_READ, target_tv, target_tv_addr, 1))
-+    if (!lock_user_struct(VERIFY_READ, target_tv, target_tv_addr, 1)) {
-         return -TARGET_EFAULT;
-+    }
- 
-     __get_user(tv->tv_sec, &target_tv->tv_sec);
-     __get_user(tv->tv_usec, &target_tv->tv_usec);
-@@ -1155,8 +1157,26 @@ static inline abi_long copy_to_user_timeval(abi_ulong target_tv_addr,
- {
-     struct target_timeval *target_tv;
- 
--    if (!lock_user_struct(VERIFY_WRITE, target_tv, target_tv_addr, 0))
-+    if (!lock_user_struct(VERIFY_WRITE, target_tv, target_tv_addr, 0)) {
-+        return -TARGET_EFAULT;
-+    }
-+
-+    __put_user(tv->tv_sec, &target_tv->tv_sec);
-+    __put_user(tv->tv_usec, &target_tv->tv_usec);
-+
-+    unlock_user_struct(target_tv, target_tv_addr, 1);
-+
-+    return 0;
-+}
-+
-+static inline abi_long copy_to_user_timeval64(abi_ulong target_tv_addr,
-+                                             const struct timeval *tv)
-+{
-+    struct target__kernel_sock_timeval *target_tv;
-+
-+    if (!lock_user_struct(VERIFY_WRITE, target_tv, target_tv_addr, 0)) {
-         return -TARGET_EFAULT;
-+    }
- 
-     __put_user(tv->tv_sec, &target_tv->tv_sec);
-     __put_user(tv->tv_usec, &target_tv->tv_usec);
-@@ -1166,6 +1186,48 @@ static inline abi_long copy_to_user_timeval(abi_ulong target_tv_addr,
-     return 0;
- }
- 
-+static inline abi_long target_to_host_timespec(struct timespec *host_ts,
-+                                               abi_ulong target_addr)
-+{
-+    struct target_timespec *target_ts;
-+
-+    if (!lock_user_struct(VERIFY_READ, target_ts, target_addr, 1)) {
-+        return -TARGET_EFAULT;
-+    }
-+    __get_user(host_ts->tv_sec, &target_ts->tv_sec);
-+    __get_user(host_ts->tv_nsec, &target_ts->tv_nsec);
-+    unlock_user_struct(target_ts, target_addr, 0);
-+    return 0;
-+}
-+
-+static inline abi_long host_to_target_timespec(abi_ulong target_addr,
-+                                               struct timespec *host_ts)
-+{
-+    struct target_timespec *target_ts;
-+
-+    if (!lock_user_struct(VERIFY_WRITE, target_ts, target_addr, 0)) {
-+        return -TARGET_EFAULT;
-+    }
-+    __put_user(host_ts->tv_sec, &target_ts->tv_sec);
-+    __put_user(host_ts->tv_nsec, &target_ts->tv_nsec);
-+    unlock_user_struct(target_ts, target_addr, 1);
-+    return 0;
-+}
-+
-+static inline abi_long host_to_target_timespec64(abi_ulong target_addr,
-+                                                 struct timespec *host_ts)
-+{
-+    struct target__kernel_timespec *target_ts;
-+
-+    if (!lock_user_struct(VERIFY_WRITE, target_ts, target_addr, 0)) {
-+        return -TARGET_EFAULT;
-+    }
-+    __put_user(host_ts->tv_sec, &target_ts->tv_sec);
-+    __put_user(host_ts->tv_nsec, &target_ts->tv_nsec);
-+    unlock_user_struct(target_ts, target_addr, 1);
-+    return 0;
-+}
-+
- static inline abi_long copy_from_user_timezone(struct timezone *tz,
-                                                abi_ulong target_tz_addr)
- {
-@@ -4790,6 +4852,54 @@ static abi_long do_ioctl_kdsigaccept(const IOCTLEntry *ie, uint8_t *buf_temp,
-     return get_errno(safe_ioctl(fd, ie->host_cmd, sig));
- }
- 
-+static abi_long do_ioctl_SIOCGSTAMP(const IOCTLEntry *ie, uint8_t *buf_temp,
-+                                    int fd, int cmd, abi_long arg)
-+{
-+    struct timeval tv;
-+    abi_long ret;
-+
-+    ret = get_errno(safe_ioctl(fd, SIOCGSTAMP, &tv));
-+    if (is_error(ret)) {
-+        return ret;
-+    }
-+
-+    if (cmd == (int)TARGET_SIOCGSTAMP_OLD) {
-+        if (copy_to_user_timeval(arg, &tv)) {
-+            return -TARGET_EFAULT;
-+        }
-+    } else {
-+        if (copy_to_user_timeval64(arg, &tv)) {
-+            return -TARGET_EFAULT;
-+        }
-+    }
-+
-+    return ret;
-+}
-+
-+static abi_long do_ioctl_SIOCGSTAMPNS(const IOCTLEntry *ie, uint8_t *buf_temp,
-+                                      int fd, int cmd, abi_long arg)
-+{
-+    struct timespec ts;
-+    abi_long ret;
-+
-+    ret = get_errno(safe_ioctl(fd, SIOCGSTAMPNS, &ts));
-+    if (is_error(ret)) {
-+        return ret;
-+    }
-+
-+    if (cmd == (int)TARGET_SIOCGSTAMPNS_OLD) {
-+        if (host_to_target_timespec(arg, &ts)) {
-+            return -TARGET_EFAULT;
-+        }
-+    } else{
-+        if (host_to_target_timespec64(arg, &ts)) {
-+            return -TARGET_EFAULT;
-+        }
-+    }
-+
-+    return ret;
-+}
-+
- #ifdef TIOCGPTPEER
- static abi_long do_ioctl_tiocgptpeer(const IOCTLEntry *ie, uint8_t *buf_temp,
-                                      int fd, int cmd, abi_long arg)
-@@ -6160,32 +6270,6 @@ static inline abi_long target_ftruncate64(void *cpu_env, abi_long arg1,
- }
- #endif
- 
--static inline abi_long target_to_host_timespec(struct timespec *host_ts,
--                                               abi_ulong target_addr)
--{
--    struct target_timespec *target_ts;
--
--    if (!lock_user_struct(VERIFY_READ, target_ts, target_addr, 1))
--        return -TARGET_EFAULT;
--    __get_user(host_ts->tv_sec, &target_ts->tv_sec);
--    __get_user(host_ts->tv_nsec, &target_ts->tv_nsec);
--    unlock_user_struct(target_ts, target_addr, 0);
--    return 0;
--}
--
--static inline abi_long host_to_target_timespec(abi_ulong target_addr,
--                                               struct timespec *host_ts)
--{
--    struct target_timespec *target_ts;
--
--    if (!lock_user_struct(VERIFY_WRITE, target_ts, target_addr, 0))
--        return -TARGET_EFAULT;
--    __put_user(host_ts->tv_sec, &target_ts->tv_sec);
--    __put_user(host_ts->tv_nsec, &target_ts->tv_nsec);
--    unlock_user_struct(target_ts, target_addr, 1);
--    return 0;
--}
--
- static inline abi_long target_to_host_itimerspec(struct itimerspec *host_itspec,
-                                                  abi_ulong target_addr)
- {
-diff --git a/linux-user/syscall_defs.h b/linux-user/syscall_defs.h
-index 12c84071..cfb3eeec 100644
---- a/linux-user/syscall_defs.h
-+++ b/linux-user/syscall_defs.h
-@@ -208,16 +208,34 @@ struct target_linger {
-     abi_int l_linger;       /* How long to linger for       */
- };
- 
-+#if defined(TARGET_SPARC64) && !defined(TARGET_ABI32)
-+struct target_timeval {
-+    abi_long tv_sec;
-+    abi_int tv_usec;
-+};
-+#define target__kernel_sock_timeval target_timeval
-+#else
- struct target_timeval {
-     abi_long tv_sec;
-     abi_long tv_usec;
- };
- 
-+struct target__kernel_sock_timeval {
-+    abi_llong tv_sec;
-+    abi_llong tv_usec;
-+};
-+#endif
-+
- struct target_timespec {
-     abi_long tv_sec;
-     abi_long tv_nsec;
- };
- 
-+struct target__kernel_timespec {
-+    abi_llong tv_sec;
-+    abi_llong tv_nsec;
-+};
-+
- struct target_timezone {
-     abi_int tz_minuteswest;
-     abi_int tz_dsttime;
-@@ -743,8 +761,17 @@ struct target_pollfd {
- #define TARGET_SIOCATMARK      0x8905
- #define TARGET_SIOCGPGRP       0x8904
- #endif
--#define TARGET_SIOCGSTAMP      0x8906          /* Get stamp (timeval) */
--#define TARGET_SIOCGSTAMPNS    0x8907          /* Get stamp (timespec) */
-+
-+#if defined(TARGET_SH4)
-+#define TARGET_SIOCGSTAMP_OLD   TARGET_IOR('s', 100, struct target_timeval)
-+#define TARGET_SIOCGSTAMPNS_OLD TARGET_IOR('s', 101, struct target_timespec)
-+#else
-+#define TARGET_SIOCGSTAMP_OLD   0x8906
-+#define TARGET_SIOCGSTAMPNS_OLD 0x8907
-+#endif
-+
-+#define TARGET_SIOCGSTAMP_NEW   TARGET_IOR(0x89, 0x06, abi_llong[2])
-+#define TARGET_SIOCGSTAMPNS_NEW TARGET_IOR(0x89, 0x07, abi_llong[2])
- 
- /* Networking ioctls */
- #define TARGET_SIOCADDRT       0x890B          /* add routing table entry */
-diff --git a/linux-user/syscall_types.h b/linux-user/syscall_types.h
-index b98a23b0..4e369838 100644
---- a/linux-user/syscall_types.h
-+++ b/linux-user/syscall_types.h
-@@ -14,12 +14,6 @@ STRUCT(serial_icounter_struct,
- STRUCT(sockaddr,
-        TYPE_SHORT, MK_ARRAY(TYPE_CHAR, 14))
- 
--STRUCT(timeval,
--       MK_ARRAY(TYPE_LONG, 2))
--
--STRUCT(timespec,
--       MK_ARRAY(TYPE_LONG, 2))
--
- STRUCT(rtentry,
-        TYPE_ULONG, MK_STRUCT(STRUCT_sockaddr), MK_STRUCT(STRUCT_sockaddr), MK_STRUCT(STRUCT_sockaddr),
-        TYPE_SHORT, TYPE_SHORT, TYPE_ULONG, TYPE_PTRVOID, TYPE_SHORT, TYPE_PTRVOID,

diff --git a/app-emulation/qemu/files/qemu-4.0.0-pc-q35-4.0.patch b/app-emulation/qemu/files/qemu-4.0.0-pc-q35-4.0.patch
deleted file mode 100644
index ebabc0c4c29..00000000000
--- a/app-emulation/qemu/files/qemu-4.0.0-pc-q35-4.0.patch
+++ /dev/null
@@ -1,135 +0,0 @@
-Backport of QEMU v4.1 commit for stable v4.0.1 release
-
-commit c87759ce876a7a0b17c2bf4f0b964bd51f0ee871
-Author: Alex Williamson <address@hidden>
-Date:   Tue May 14 14:14:41 2019 -0600
-
-    q35: Revert to kernel irqchip
-
-    Commit b2fc91db8447 ("q35: set split kernel irqchip as default") changed
-    the default for the pc-q35-4.0 machine type to use split irqchip, which
-    turned out to have disasterous effects on vfio-pci INTx support.  KVM
-    resampling irqfds are registered for handling these interrupts, but
-    these are non-functional in split irqchip mode.  We can't simply test
-    for split irqchip in QEMU as userspace handling of this interrupt is a
-    significant performance regression versus KVM handling (GeForce GPUs
-    assigned to Windows VMs are non-functional without forcing MSI mode or
-    re-enabling kernel irqchip).
-
-    The resolution is to revert the change in default irqchip mode in the
-    pc-q35-4.1 machine and create a pc-q35-4.0.1 machine for the 4.0-stable
-    branch.  The qemu-q35-4.0 machine type should not be used in vfio-pci
-    configurations for devices requiring legacy INTx support without
-    explicitly modifying the VM configuration to use kernel irqchip.
-
-Link: https://bugs.launchpad.net/qemu/+bug/1826422
-Fixes: b2fc91db8447 ("q35: set split kernel irqchip as default")
-Cc: address@hidden
-Reviewed-by: Peter Xu <address@hidden>
-Signed-off-by: Alex Williamson <address@hidden>
----
-
-Same code as v1, just updating the commit log as a formal backport of
-the merged 4.1 commit.
-
- hw/core/machine.c    |    3 +++
- hw/i386/pc.c         |    3 +++
- hw/i386/pc_q35.c     |   16 ++++++++++++++--
- include/hw/boards.h  |    3 +++
- include/hw/i386/pc.h |    3 +++
- 5 files changed, 26 insertions(+), 2 deletions(-)
-
-diff --git a/hw/core/machine.c b/hw/core/machine.c
-index 743fef28982c..5d046a43e3d2 100644
---- a/hw/core/machine.c
-+++ b/hw/core/machine.c
-@@ -24,6 +24,9 @@
- #include "hw/pci/pci.h"
- #include "hw/mem/nvdimm.h"
- 
-+GlobalProperty hw_compat_4_0[] = {};
-+const size_t hw_compat_4_0_len = G_N_ELEMENTS(hw_compat_4_0);
-+
- GlobalProperty hw_compat_3_1[] = {
-     { "pcie-root-port", "x-speed", "2_5" },
-     { "pcie-root-port", "x-width", "1" },
-diff --git a/hw/i386/pc.c b/hw/i386/pc.c
-index f2c15bf1f2c3..d98b737b8f3b 100644
---- a/hw/i386/pc.c
-+++ b/hw/i386/pc.c
-@@ -115,6 +115,9 @@ struct hpet_fw_config hpet_cfg = {.count = UINT8_MAX};
- /* Physical Address of PVH entry point read from kernel ELF NOTE */
- static size_t pvh_start_addr;
- 
-+GlobalProperty pc_compat_4_0[] = {};
-+const size_t pc_compat_4_0_len = G_N_ELEMENTS(pc_compat_4_0);
-+
- GlobalProperty pc_compat_3_1[] = {
-     { "intel-iommu", "dma-drain", "off" },
-     { "Opteron_G3" "-" TYPE_X86_CPU, "rdtscp", "off" },
-diff --git a/hw/i386/pc_q35.c b/hw/i386/pc_q35.c
-index 372c6b73bebd..45cc29d1adb7 100644
---- a/hw/i386/pc_q35.c
-+++ b/hw/i386/pc_q35.c
-@@ -357,7 +357,7 @@ static void pc_q35_machine_options(MachineClass *m)
-     m->units_per_default_bus = 1;
-     m->default_machine_opts = "firmware=bios-256k.bin";
-     m->default_display = "std";
--    m->default_kernel_irqchip_split = true;
-+    m->default_kernel_irqchip_split = false;
-     m->no_floppy = 1;
-     machine_class_allow_dynamic_sysbus_dev(m, TYPE_AMD_IOMMU_DEVICE);
-     machine_class_allow_dynamic_sysbus_dev(m, TYPE_INTEL_IOMMU_DEVICE);
-@@ -365,12 +365,24 @@ static void pc_q35_machine_options(MachineClass *m)
-     m->max_cpus = 288;
- }
- 
--static void pc_q35_4_0_machine_options(MachineClass *m)
-+static void pc_q35_4_0_1_machine_options(MachineClass *m)
- {
-     pc_q35_machine_options(m);
-     m->alias = "q35";
- }
- 
-+DEFINE_Q35_MACHINE(v4_0_1, "pc-q35-4.0.1", NULL,
-+                   pc_q35_4_0_1_machine_options);
-+
-+static void pc_q35_4_0_machine_options(MachineClass *m)
-+{
-+    pc_q35_4_0_1_machine_options(m);
-+    m->default_kernel_irqchip_split = true;
-+    m->alias = NULL;
-+    compat_props_add(m->compat_props, hw_compat_4_0, hw_compat_4_0_len);
-+    compat_props_add(m->compat_props, pc_compat_4_0, pc_compat_4_0_len);
-+}
-+
- DEFINE_Q35_MACHINE(v4_0, "pc-q35-4.0", NULL,
-                    pc_q35_4_0_machine_options);
- 
-diff --git a/include/hw/boards.h b/include/hw/boards.h
-index e231860666a1..fe1885cbffa0 100644
---- a/include/hw/boards.h
-+++ b/include/hw/boards.h
-@@ -293,6 +293,9 @@ struct MachineState {
-     } \
-     type_init(machine_initfn##_register_types)
- 
-+extern GlobalProperty hw_compat_4_0[];
-+extern const size_t hw_compat_4_0_len;
-+
- extern GlobalProperty hw_compat_3_1[];
- extern const size_t hw_compat_3_1_len;
- 
-diff --git a/include/hw/i386/pc.h b/include/hw/i386/pc.h
-index ca65ef18afb4..43df7230a22b 100644
---- a/include/hw/i386/pc.h
-+++ b/include/hw/i386/pc.h
-@@ -293,6 +293,9 @@ int e820_add_entry(uint64_t, uint64_t, uint32_t);
- int e820_get_num_entries(void);
- bool e820_get_entry(int, uint32_t, uint64_t *, uint64_t *);
- 
-+extern GlobalProperty pc_compat_4_0[];
-+extern const size_t pc_compat_4_0_len;
-+
- extern GlobalProperty pc_compat_3_1[];
- extern const size_t pc_compat_3_1_len;

diff --git a/app-emulation/qemu/files/qemu-4.0.0-xkbcommon.patch b/app-emulation/qemu/files/qemu-4.0.0-xkbcommon.patch
deleted file mode 100644
index 3d9a5163ecf..00000000000
--- a/app-emulation/qemu/files/qemu-4.0.0-xkbcommon.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From cef396dc0b11a09ede85b275ed1ceee71b60a4b3 Mon Sep 17 00:00:00 2001
-From: James Le Cuirot <chewi@gentoo.org>
-Date: Sat, 14 Sep 2019 15:47:20 +0100
-Subject: [PATCH] configure: Add xkbcommon configure options
-
-This dependency is currently "automagic", which is bad for distributions.
-
-Signed-off-by: James Le Cuirot <chewi@gentoo.org>
----
- configure | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/configure b/configure
-index 30aad233d1..30544f52e6 100755
---- a/configure
-+++ b/configure
-@@ -1521,6 +1521,10 @@ for opt do
-   ;;
-   --disable-libpmem) libpmem=no
-   ;;
-+  --enable-xkbcommon) xkbcommon=yes
-+  ;;
-+  --disable-xkbcommon) xkbcommon=no
-+  ;;
-   *)
-       echo "ERROR: unknown option $opt"
-       echo "Try '$0 --help' for more information"
-@@ -1804,6 +1808,7 @@ disabled with --disable-FEATURE, default is enabled if available:
-   capstone        capstone disassembler support
-   debug-mutex     mutex debugging support
-   libpmem         libpmem support
-+  xkbcommon       xkbcommon support
- 
- NOTE: The object files are built at the place where configure is launched
- EOF
--- 
-2.23.0
-


^ permalink raw reply related	[flat|nested] 21+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: app-emulation/qemu/files/
@ 2018-03-30  2:54 Aaron Bauman
  0 siblings, 0 replies; 21+ messages in thread
From: Aaron Bauman @ 2018-03-30  2:54 UTC (permalink / raw
  To: gentoo-commits

commit:     1e4aab7cf6539ac16335dfde1d83cd17ae2d1072
Author:     Michael Mair-Keimberger <m.mairkeimberger <AT> gmail <DOT> com>
AuthorDate: Wed Mar 28 20:30:24 2018 +0000
Commit:     Aaron Bauman <bman <AT> gentoo <DOT> org>
CommitDate: Fri Mar 30 02:37:44 2018 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1e4aab7c

app-emulation/qemu: remove unused patch

Closes: https://github.com/gentoo/gentoo/pull/7686

 .../qemu/files/qemu-2.11.9999-cflags.patch         | 24 ----------------------
 1 file changed, 24 deletions(-)

diff --git a/app-emulation/qemu/files/qemu-2.11.9999-cflags.patch b/app-emulation/qemu/files/qemu-2.11.9999-cflags.patch
deleted file mode 100644
index 8d7c387851a..00000000000
--- a/app-emulation/qemu/files/qemu-2.11.9999-cflags.patch
+++ /dev/null
@@ -1,24 +0,0 @@
---- a/configure	2018-02-01 22:51:53.068467555 +0000
-+++ b/configure	2018-02-01 22:52:23.965041387 +0000
-@@ -5212,21 +5212,12 @@ fi
- if test "$gcov" = "yes" ; then
-   CFLAGS="-fprofile-arcs -ftest-coverage -g $CFLAGS"
-   LDFLAGS="-fprofile-arcs -ftest-coverage $LDFLAGS"
--elif test "$fortify_source" = "yes" ; then
--  CFLAGS="-O2 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 $CFLAGS"
- elif test "$debug" = "yes"; then
--  if compile_prog "-Og" ""; then
--      CFLAGS="-Og $CFLAGS"
--  elif compile_prog "-O1" ""; then
--      CFLAGS="-O1 $CFLAGS"
--  fi
-   # Workaround GCC false-positive Wuninitialized bugs with Og or O1:
-   # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=24639
-   if cc_has_warning_flag "-Wno-maybe-uninitialized"; then
-       CFLAGS="-Wno-maybe-uninitialized $CFLAGS"
-   fi
--else
--    CFLAGS="-O2 $CFLAGS"
- fi
- 
- ##########################################


^ permalink raw reply related	[flat|nested] 21+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: app-emulation/qemu/files/
@ 2018-03-27 15:44 Matthias Maier
  0 siblings, 0 replies; 21+ messages in thread
From: Matthias Maier @ 2018-03-27 15:44 UTC (permalink / raw
  To: gentoo-commits

commit:     190b1a61ae287c47f2bcd4bee4cb620d6facaecd
Author:     Matthias Maier <tamiko <AT> gentoo <DOT> org>
AuthorDate: Tue Mar 27 14:57:10 2018 +0000
Commit:     Matthias Maier <tamiko <AT> gentoo <DOT> org>
CommitDate: Tue Mar 27 15:44:04 2018 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=190b1a61

app-emulation/qemu: drop obsolete file

Package-Manager: Portage-2.3.24, Repoman-2.3.6

 app-emulation/qemu/files/65-kvm.rules | 1 -
 1 file changed, 1 deletion(-)

diff --git a/app-emulation/qemu/files/65-kvm.rules b/app-emulation/qemu/files/65-kvm.rules
deleted file mode 100644
index c2f7317aacc..00000000000
--- a/app-emulation/qemu/files/65-kvm.rules
+++ /dev/null
@@ -1 +0,0 @@
-KERNEL=="kvm", GROUP="kvm", MODE="0660"


^ permalink raw reply related	[flat|nested] 21+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: app-emulation/qemu/files/
@ 2017-12-06 12:42 Michael Palimaka
  0 siblings, 0 replies; 21+ messages in thread
From: Michael Palimaka @ 2017-12-06 12:42 UTC (permalink / raw
  To: gentoo-commits

commit:     b4f56dd13d25045c4e6fdb245c41e0858e770a3c
Author:     Michael Mair-Keimberger <m.mairkeimberger <AT> gmail <DOT> com>
AuthorDate: Sun Dec  3 12:35:00 2017 +0000
Commit:     Michael Palimaka <kensington <AT> gentoo <DOT> org>
CommitDate: Wed Dec  6 12:41:52 2017 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b4f56dd1

app-emulation/qemu: remove unused file

Closes: https://github.com/gentoo/gentoo/pull/6419

 app-emulation/qemu/files/qemu-binfmt.initd-r1 | 138 --------------------------
 1 file changed, 138 deletions(-)

diff --git a/app-emulation/qemu/files/qemu-binfmt.initd-r1 b/app-emulation/qemu/files/qemu-binfmt.initd-r1
deleted file mode 100644
index fe62a2a211e..00000000000
--- a/app-emulation/qemu/files/qemu-binfmt.initd-r1
+++ /dev/null
@@ -1,138 +0,0 @@
-#!/sbin/openrc-run
-# Copyright 1999-2016 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-# enable automatic i386/ARM/M68K/MIPS/SPARC/PPC/s390 program execution by the kernel
-
-# Defaulting to OC should be safe because it comes down to:
-#  - do we trust the interp itself to not be malicious?  yes; we built it.
-#  - do we trust the programs we're running?  ish; same permission as native
-#    binaries apply.  so if user can do bad stuff natively, cross isn't worse.
-: ${QEMU_BINFMT_FLAGS:=OC}
-
-depend() {
-    after procfs
-}
-
-start() {
-   ebegin "Registering qemu-user binaries (flags: ${QEMU_BINFMT_FLAGS})"
-
-   if [ ! -d /proc/sys/fs/binfmt_misc ] ; then
-      modprobe -q binfmt_misc
-   fi
-
-   if [ ! -d /proc/sys/fs/binfmt_misc ] ; then
-       eend $? "You need support for 'misc binaries' in your kernel!" || return
-   fi
-
-   if [ ! -f /proc/sys/fs/binfmt_misc/register ] ; then
-      mount -t binfmt_misc binfmt_misc /proc/sys/fs/binfmt_misc >/dev/null 2>&1
-      eend $? || return
-   fi
-
-   # probe cpu type
-   cpu=`uname -m`
-   case "$cpu" in
-      i386|i486|i586|i686|i86pc|BePC|x86_64)
-         cpu="i386"
-         ;;
-      m68k)
-         cpu="m68k"
-         ;;
-      mips*)
-         cpu="mips"
-      ;;
-      "Power Macintosh"|ppc|ppc64)
-         cpu="ppc"
-      ;;
-      armv[4-9]*)
-         cpu="arm"
-      ;;
-      sparc*)
-         cpu="sparc"
-      ;;
-   esac
-
-   # register the interpreter for each cpu except for the native one
-   if [ $cpu != "i386" -a -x "/usr/bin/qemu-i386" ] ; then
-      echo ':i386:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x03\x00:\xff\xff\xff\xff\xff\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-i386:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
-      echo ':i486:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x06\x00:\xff\xff\xff\xff\xff\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-i386:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
-   fi
-   if [ $cpu != "alpha" -a -x "/usr/bin/qemu-alpha" ] ; then
-      echo ':alpha:M::\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x26\x90:\xff\xff\xff\xff\xff\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-alpha:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
-   fi
-   if [ $cpu != "arm" -a -x "/usr/bin/qemu-arm" ] ; then
-      echo   ':arm:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x28\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\x00\xff\xfe\xff\xff\xff:/usr/bin/qemu-arm:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
-   fi
-   if [ $cpu != "arm" -a -x "/usr/bin/qemu-armeb" ] ; then
-      echo   ':armeb:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x28:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-armeb:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
-   fi
-   if [ $cpu != "aarch64" -a -x "/usr/bin/qemu-aarch64" ] ; then
-      echo ':aarch64:M::\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\xb7\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-aarch64:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
-   fi
-   if [ $cpu != "sparc" -a -x "/usr/bin/qemu-sparc" ] ; then
-      echo   ':sparc:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x02:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-sparc:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
-   fi
-   if [ $cpu != "ppc" -a -x "/usr/bin/qemu-ppc" ] ; then
-      echo   ':ppc:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x14:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-ppc:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
-   fi
-   if [ $cpu != "m68k" -a -x "/usr/bin/qemu-m68k" ] ; then
-      #echo   'Please check cpu value and header information for m68k!'
-      echo   ':m68k:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x08:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-m68k:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
-   fi
-   if [ $cpu != "mips" -a -x "/usr/bin/qemu-mips" ] ; then
-      # FIXME: We could use the other endianness on a MIPS host.
-      echo   ':mips:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-mips:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
-   fi
-   if [ $cpu != "mips" -a -x "/usr/bin/qemu-mipsel" ] ; then
-      echo   ':mipsel:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-mipsel:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
-   fi
-   if [ $cpu != "mips" -a -x "/usr/bin/qemu-mipsn32" ] ; then
-      echo   ':mipsn32:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-mipsn32:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
-   fi
-   if [ $cpu != "mips" -a -x "/usr/bin/qemu-mipsn32el" ] ; then
-      echo   ':mipsn32el:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-mipsn32el:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
-   fi
-   if [ $cpu != "mips" -a -x "/usr/bin/qemu-mips64" ] ; then
-      echo   ':mips64:M::\x7fELF\x02\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-mips64:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
-   fi
-   if [ $cpu != "mips" -a -x "/usr/bin/qemu-mips64el" ] ; then
-      echo   ':mips64el:M::\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-mips64el:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
-   fi
-   if [ $cpu != "sh" -a -x "/usr/bin/qemu-sh4" ] ; then
-      echo    ':sh4:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x2a\x00:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-sh4:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
-   fi
-   if [ $cpu != "sh" -a -x "/usr/bin/qemu-sh4eb" ] ; then
-      echo    ':sh4eb:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x2a:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-sh4eb:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
-   fi
-   if [ $cpu != "s390x" -a -x "/usr/bin/qemu-s390x" ] ; then
-      echo   ':s390x:M::\x7fELF\x02\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x16:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-s390x:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
-   fi
-   eend $?
-}
-
-stop() {
-   ebegin "Unregistering qemu-user binaries"
-   local arches
-
-   arches="${arches} i386 i486"
-   arches="${arches} alpha"
-   arches="${arches} arm armeb"
-   arches="${arches} aarch64"
-   arches="${arches} sparc"
-   arches="${arches} ppc"
-   arches="${arches} m68k"
-   arches="${arches} mips mipsel mipsn32 mipsn32el mips64 mips64el"
-   arches="${arches} sh4 sh4eb"
-   arches="${arches} s390x"
-
-   for a in ${arches}; do
-      if [ -f /proc/sys/fs/binfmt_misc/$a ] ; then
-         echo '-1' > /proc/sys/fs/binfmt_misc/$a
-      fi
-   done
-
-   eend $?
-}
-
-# vim: ts=4 :


^ permalink raw reply related	[flat|nested] 21+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: app-emulation/qemu/files/
@ 2017-11-12 20:22 Matthias Maier
  0 siblings, 0 replies; 21+ messages in thread
From: Matthias Maier @ 2017-11-12 20:22 UTC (permalink / raw
  To: gentoo-commits

commit:     71ba961e21b1493ae7b335a6e2fa5a6669baf64c
Author:     Matthias Maier <tamiko <AT> gentoo <DOT> org>
AuthorDate: Sun Nov 12 20:01:23 2017 +0000
Commit:     Matthias Maier <tamiko <AT> gentoo <DOT> org>
CommitDate: Sun Nov 12 20:21:51 2017 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=71ba961e

app-emulation/qemu: drop obsolete patches

Package-Manager: Portage-2.3.8, Repoman-2.3.4

 .../qemu/files/qemu-2.9.0-CVE-2017-10664.patch     |  47 -----
 .../qemu/files/qemu-2.9.0-CVE-2017-10806.patch     |  50 ------
 .../qemu/files/qemu-2.9.0-CVE-2017-11334.patch     |  40 -----
 .../qemu/files/qemu-2.9.0-CVE-2017-11434.patch     |  29 ---
 .../qemu/files/qemu-2.9.0-CVE-2017-7493.patch      | 174 ------------------
 .../qemu/files/qemu-2.9.0-CVE-2017-8112.patch      |  22 ---
 .../qemu/files/qemu-2.9.0-CVE-2017-8309.patch      |  22 ---
 .../qemu/files/qemu-2.9.0-CVE-2017-8379.patch      |  76 --------
 .../qemu/files/qemu-2.9.0-CVE-2017-8380.patch      |  34 ----
 .../qemu/files/qemu-2.9.0-CVE-2017-9503-1.patch    | 122 -------------
 .../qemu/files/qemu-2.9.0-CVE-2017-9503-2.patch    | 114 ------------
 .../qemu/files/qemu-2.9.0-CVE-2017-9524-1.patch    |  80 ---------
 .../qemu/files/qemu-2.9.0-CVE-2017-9524-2.patch    | 197 ---------------------
 13 files changed, 1007 deletions(-)

diff --git a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-10664.patch b/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-10664.patch
deleted file mode 100644
index 7db06929cf2..00000000000
--- a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-10664.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 041e32b8d9d076980b4e35317c0339e57ab888f1 Mon Sep 17 00:00:00 2001
-From: Max Reitz <mreitz@redhat.com>
-Date: Sun, 11 Jun 2017 14:37:14 +0200
-Subject: [PATCH] qemu-nbd: Ignore SIGPIPE
-
-qemu proper has done so for 13 years
-(8a7ddc38a60648257dc0645ab4a05b33d6040063), qemu-img and qemu-io have
-done so for four years (526eda14a68d5b3596be715505289b541288ef2a).
-Ignoring this signal is especially important in qemu-nbd because
-otherwise a client can easily take down the qemu-nbd server by dropping
-the connection when the server wants to send something, for example:
-
-$ qemu-nbd -x foo -f raw -t null-co:// &
-[1] 12726
-$ qemu-io -c quit nbd://localhost/bar
-can't open device nbd://localhost/bar: No export with name 'bar' available
-[1]  + 12726 broken pipe  qemu-nbd -x foo -f raw -t null-co://
-
-In this case, the client sends an NBD_OPT_ABORT and closes the
-connection (because it is not required to wait for a reply), but the
-server replies with an NBD_REP_ACK (because it is required to reply).
-
-Signed-off-by: Max Reitz <mreitz@redhat.com>
-Message-Id: <20170611123714.31292-1-mreitz@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
----
- qemu-nbd.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/qemu-nbd.c b/qemu-nbd.c
-index 9464a0461c..4dd3fd4732 100644
---- a/qemu-nbd.c
-+++ b/qemu-nbd.c
-@@ -581,6 +581,10 @@ int main(int argc, char **argv)
-     sa_sigterm.sa_handler = termsig_handler;
-     sigaction(SIGTERM, &sa_sigterm, NULL);
- 
-+#ifdef CONFIG_POSIX
-+    signal(SIGPIPE, SIG_IGN);
-+#endif
-+
-     module_call_init(MODULE_INIT_TRACE);
-     qcrypto_init(&error_fatal);
- 
--- 
-2.13.0
-

diff --git a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-10806.patch b/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-10806.patch
deleted file mode 100644
index 0074f5f8c77..00000000000
--- a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-10806.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From bd4a683505b27adc1ac809f71e918e58573d851d Mon Sep 17 00:00:00 2001
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Tue, 9 May 2017 13:01:28 +0200
-Subject: [PATCH] usb-redir: fix stack overflow in usbredir_log_data
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Don't reinvent a broken wheel, just use the hexdump function we have.
-
-Impact: low, broken code doesn't run unless you have debug logging
-enabled.
-
-Reported-by: 李强 <liqiang6-s@360.cn>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Message-id: 20170509110128.27261-1-kraxel@redhat.com
----
- hw/usb/redirect.c | 13 +------------
- 1 file changed, 1 insertion(+), 12 deletions(-)
-
-diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
-index b001a27f05..ad5ef783a6 100644
---- a/hw/usb/redirect.c
-+++ b/hw/usb/redirect.c
-@@ -229,21 +229,10 @@ static void usbredir_log(void *priv, int level, const char *msg)
- static void usbredir_log_data(USBRedirDevice *dev, const char *desc,
-     const uint8_t *data, int len)
- {
--    int i, j, n;
--
-     if (dev->debug < usbredirparser_debug_data) {
-         return;
-     }
--
--    for (i = 0; i < len; i += j) {
--        char buf[128];
--
--        n = sprintf(buf, "%s", desc);
--        for (j = 0; j < 8 && i + j < len; j++) {
--            n += sprintf(buf + n, " %02X", data[i + j]);
--        }
--        error_report("%s", buf);
--    }
-+    qemu_hexdump((char *)data, stderr, desc, len);
- }
- 
- /*
--- 
-2.13.0
-

diff --git a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-11334.patch b/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-11334.patch
deleted file mode 100644
index bfe4c7d89f2..00000000000
--- a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-11334.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-[Qemu-devel] [PULL 21/41] exec: use qemu_ram_ptr_length to access guest 
-From: Prasad J Pandit <address@hidden>
-
-When accessing guest's ram block during DMA operation, use
-'qemu_ram_ptr_length' to get ram block pointer. It ensures
-that DMA operation of given length is possible; And avoids
-any OOB memory access situations.
-
-Reported-by: Alex <address@hidden>
-Signed-off-by: Prasad J Pandit <address@hidden>
-Message-Id: <address@hidden>
-Signed-off-by: Paolo Bonzini <address@hidden>
----
- exec.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/exec.c b/exec.c
-index a083ff8..ad103ce 100644
---- a/exec.c
-+++ b/exec.c
-@@ -2929,7 +2929,7 @@ static MemTxResult address_space_write_continue(AddressSpace *as, hwaddr addr,
-             }
-         } else {
-             /* RAM case */
--            ptr = qemu_map_ram_ptr(mr->ram_block, addr1);
-+            ptr = qemu_ram_ptr_length(mr->ram_block, addr1, &l);
-             memcpy(ptr, buf, l);
-             invalidate_and_set_dirty(mr, addr1, l);
-         }
-@@ -3020,7 +3020,7 @@ MemTxResult address_space_read_continue(AddressSpace *as, hwaddr addr,
-             }
-         } else {
-             /* RAM case */
--            ptr = qemu_map_ram_ptr(mr->ram_block, addr1);
-+            ptr = qemu_ram_ptr_length(mr->ram_block, addr1, &l);
-             memcpy(buf, ptr, l);
-         }
- 
--- 
-1.8.3.1

diff --git a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-11434.patch b/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-11434.patch
deleted file mode 100644
index 5d32067c7a0..00000000000
--- a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-11434.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-[Qemu-devel] [PATCH] slirp: check len against dhcp options array end
-From: Prasad J Pandit <address@hidden>
-
-While parsing dhcp options string in 'dhcp_decode', if an options'
-length 'len' appeared towards the end of 'bp_vend' array, ensuing
-read could lead to an OOB memory access issue. Add check to avoid it.
-
-Reported-by: Reno Robert <address@hidden>
-Signed-off-by: Prasad J Pandit <address@hidden>
----
- slirp/bootp.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/slirp/bootp.c b/slirp/bootp.c
-index 5a4646c..5dd1a41 100644
---- a/slirp/bootp.c
-+++ b/slirp/bootp.c
-@@ -123,6 +123,9 @@ static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type,
-             if (p >= p_end)
-                 break;
-             len = *p++;
-+            if (p + len > p_end) {
-+                break;
-+            }
-             DPRINTF("dhcp: tag=%d len=%d\n", tag, len);
- 
-             switch(tag) {
--- 
-2.9.4

diff --git a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-7493.patch b/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-7493.patch
deleted file mode 100644
index 346e7713f74..00000000000
--- a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-7493.patch
+++ /dev/null
@@ -1,174 +0,0 @@
-From 7a95434e0ca8a037fd8aa1a2e2461f92585eb77b Mon Sep 17 00:00:00 2001
-From: Greg Kurz <groug@kaod.org>
-Date: Fri, 5 May 2017 14:48:08 +0200
-Subject: [PATCH] 9pfs: local: forbid client access to metadata (CVE-2017-7493)
-
-When using the mapped-file security mode, we shouldn't let the client mess
-with the metadata. The current code already tries to hide the metadata dir
-from the client by skipping it in local_readdir(). But the client can still
-access or modify it through several other operations. This can be used to
-escalate privileges in the guest.
-
-Affected backend operations are:
-- local_mknod()
-- local_mkdir()
-- local_open2()
-- local_symlink()
-- local_link()
-- local_unlinkat()
-- local_renameat()
-- local_rename()
-- local_name_to_path()
-
-Other operations are safe because they are only passed a fid path, which
-is computed internally in local_name_to_path().
-
-This patch converts all the functions listed above to fail and return
-EINVAL when being passed the name of the metadata dir. This may look
-like a poor choice for errno, but there's no such thing as an illegal
-path name on Linux and I could not think of anything better.
-
-This fixes CVE-2017-7493.
-
-Reported-by: Leo Gaspard <leo@gaspard.io>
-Signed-off-by: Greg Kurz <groug@kaod.org>
-Reviewed-by: Eric Blake <eblake@redhat.com>
----
- hw/9pfs/9p-local.c | 58 ++++++++++++++++++++++++++++++++++++++++++++++++++++--
- 1 file changed, 56 insertions(+), 2 deletions(-)
-
-diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c
-index f3ebca4f7a..a2486566af 100644
---- a/hw/9pfs/9p-local.c
-+++ b/hw/9pfs/9p-local.c
-@@ -452,6 +452,11 @@ static off_t local_telldir(FsContext *ctx, V9fsFidOpenState *fs)
-     return telldir(fs->dir.stream);
- }
- 
-+static bool local_is_mapped_file_metadata(FsContext *fs_ctx, const char *name)
-+{
-+    return !strcmp(name, VIRTFS_META_DIR);
-+}
-+
- static struct dirent *local_readdir(FsContext *ctx, V9fsFidOpenState *fs)
- {
-     struct dirent *entry;
-@@ -465,8 +470,8 @@ again:
-     if (ctx->export_flags & V9FS_SM_MAPPED) {
-         entry->d_type = DT_UNKNOWN;
-     } else if (ctx->export_flags & V9FS_SM_MAPPED_FILE) {
--        if (!strcmp(entry->d_name, VIRTFS_META_DIR)) {
--            /* skp the meta data directory */
-+        if (local_is_mapped_file_metadata(ctx, entry->d_name)) {
-+            /* skip the meta data directory */
-             goto again;
-         }
-         entry->d_type = DT_UNKNOWN;
-@@ -559,6 +564,12 @@ static int local_mknod(FsContext *fs_ctx, V9fsPath *dir_path,
-     int err = -1;
-     int dirfd;
- 
-+    if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE &&
-+        local_is_mapped_file_metadata(fs_ctx, name)) {
-+        errno = EINVAL;
-+        return -1;
-+    }
-+
-     dirfd = local_opendir_nofollow(fs_ctx, dir_path->data);
-     if (dirfd == -1) {
-         return -1;
-@@ -605,6 +616,12 @@ static int local_mkdir(FsContext *fs_ctx, V9fsPath *dir_path,
-     int err = -1;
-     int dirfd;
- 
-+    if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE &&
-+        local_is_mapped_file_metadata(fs_ctx, name)) {
-+        errno = EINVAL;
-+        return -1;
-+    }
-+
-     dirfd = local_opendir_nofollow(fs_ctx, dir_path->data);
-     if (dirfd == -1) {
-         return -1;
-@@ -694,6 +711,12 @@ static int local_open2(FsContext *fs_ctx, V9fsPath *dir_path, const char *name,
-     int err = -1;
-     int dirfd;
- 
-+    if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE &&
-+        local_is_mapped_file_metadata(fs_ctx, name)) {
-+        errno = EINVAL;
-+        return -1;
-+    }
-+
-     /*
-      * Mark all the open to not follow symlinks
-      */
-@@ -752,6 +775,12 @@ static int local_symlink(FsContext *fs_ctx, const char *oldpath,
-     int err = -1;
-     int dirfd;
- 
-+    if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE &&
-+        local_is_mapped_file_metadata(fs_ctx, name)) {
-+        errno = EINVAL;
-+        return -1;
-+    }
-+
-     dirfd = local_opendir_nofollow(fs_ctx, dir_path->data);
-     if (dirfd == -1) {
-         return -1;
-@@ -826,6 +855,12 @@ static int local_link(FsContext *ctx, V9fsPath *oldpath,
-     int ret = -1;
-     int odirfd, ndirfd;
- 
-+    if (ctx->export_flags & V9FS_SM_MAPPED_FILE &&
-+        local_is_mapped_file_metadata(ctx, name)) {
-+        errno = EINVAL;
-+        return -1;
-+    }
-+
-     odirfd = local_opendir_nofollow(ctx, odirpath);
-     if (odirfd == -1) {
-         goto out;
-@@ -1096,6 +1131,12 @@ static int local_lremovexattr(FsContext *ctx, V9fsPath *fs_path,
- static int local_name_to_path(FsContext *ctx, V9fsPath *dir_path,
-                               const char *name, V9fsPath *target)
- {
-+    if (ctx->export_flags & V9FS_SM_MAPPED_FILE &&
-+        local_is_mapped_file_metadata(ctx, name)) {
-+        errno = EINVAL;
-+        return -1;
-+    }
-+
-     if (dir_path) {
-         v9fs_path_sprintf(target, "%s/%s", dir_path->data, name);
-     } else if (strcmp(name, "/")) {
-@@ -1116,6 +1157,13 @@ static int local_renameat(FsContext *ctx, V9fsPath *olddir,
-     int ret;
-     int odirfd, ndirfd;
- 
-+    if (ctx->export_flags & V9FS_SM_MAPPED_FILE &&
-+        (local_is_mapped_file_metadata(ctx, old_name) ||
-+         local_is_mapped_file_metadata(ctx, new_name))) {
-+        errno = EINVAL;
-+        return -1;
-+    }
-+
-     odirfd = local_opendir_nofollow(ctx, olddir->data);
-     if (odirfd == -1) {
-         return -1;
-@@ -1206,6 +1254,12 @@ static int local_unlinkat(FsContext *ctx, V9fsPath *dir,
-     int ret;
-     int dirfd;
- 
-+    if (ctx->export_flags & V9FS_SM_MAPPED_FILE &&
-+        local_is_mapped_file_metadata(ctx, name)) {
-+        errno = EINVAL;
-+        return -1;
-+    }
-+
-     dirfd = local_opendir_nofollow(ctx, dir->data);
-     if (dirfd == -1) {
-         return -1;
--- 
-2.13.0
-

diff --git a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-8112.patch b/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-8112.patch
deleted file mode 100644
index 31fb69bf897..00000000000
--- a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-8112.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-CVE-2017-8112
-
-https://lists.gnu.org/archive/html/qemu-devel/2017-04/msg04494.html
----
- hw/scsi/vmw_pvscsi.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
-index 7557546..4a106da 100644
---- a/hw/scsi/vmw_pvscsi.c
-+++ b/hw/scsi/vmw_pvscsi.c
-@@ -202,7 +202,7 @@ pvscsi_ring_init_msg(PVSCSIRingInfo *m, PVSCSICmdDescSetupMsgRing *ri)
-     uint32_t len_log2;
-     uint32_t ring_size;
- 
--    if (ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) {
-+    if (!ri->numPages || ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) {
-         return -1;
-     }
-     ring_size = ri->numPages * PVSCSI_MAX_NUM_MSG_ENTRIES_PER_PAGE;
--- 
-2.9.3

diff --git a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-8309.patch b/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-8309.patch
deleted file mode 100644
index 4f7f870210c..00000000000
--- a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-8309.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-bug #616870
-
-https://lists.gnu.org/archive/html/qemu-devel/2017-04/msg05587.html
----
- audio/audio.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/audio/audio.c b/audio/audio.c
-index c8898d8422..beafed209b 100644
---- a/audio/audio.c
-+++ b/audio/audio.c
-@@ -2028,6 +2028,8 @@ void AUD_del_capture (CaptureVoiceOut *cap, void *cb_opaque)
-                     sw = sw1;
-                 }
-                 QLIST_REMOVE (cap, entries);
-+                g_free (cap->hw.mix_buf);
-+                g_free (cap->buf);
-                 g_free (cap);
-             }
-             return;
--- 
-2.9.3

diff --git a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-8379.patch b/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-8379.patch
deleted file mode 100644
index 0a34dae671c..00000000000
--- a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-8379.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-bug #616872
-
-https://lists.gnu.org/archive/html/qemu-devel/2017-04/msg05599.html
----
- ui/input.c | 14 +++++++++++---
- 1 file changed, 11 insertions(+), 3 deletions(-)
-
-diff --git a/ui/input.c b/ui/input.c
-index ed88cda6d6..fb1f404095 100644
---- a/ui/input.c
-+++ b/ui/input.c
-@@ -41,6 +41,8 @@ static QTAILQ_HEAD(QemuInputEventQueueHead, QemuInputEventQueue) kbd_queue =
-     QTAILQ_HEAD_INITIALIZER(kbd_queue);
- static QEMUTimer *kbd_timer;
- static uint32_t kbd_default_delay_ms = 10;
-+static uint32_t queue_count;
-+static uint32_t queue_limit = 1024;
- 
- QemuInputHandlerState *qemu_input_handler_register(DeviceState *dev,
-                                                    QemuInputHandler *handler)
-@@ -268,6 +270,7 @@ static void qemu_input_queue_process(void *opaque)
-             break;
-         }
-         QTAILQ_REMOVE(queue, item, node);
-+        queue_count--;
-         g_free(item);
-     }
- }
-@@ -282,6 +285,7 @@ static void qemu_input_queue_delay(struct QemuInputEventQueueHead *queue,
-     item->delay_ms = delay_ms;
-     item->timer = timer;
-     QTAILQ_INSERT_TAIL(queue, item, node);
-+    queue_count++;
- 
-     if (start_timer) {
-         timer_mod(item->timer, qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL)
-@@ -298,6 +302,7 @@ static void qemu_input_queue_event(struct QemuInputEventQueueHead *queue,
-     item->src = src;
-     item->evt = evt;
-     QTAILQ_INSERT_TAIL(queue, item, node);
-+    queue_count++;
- }
- 
- static void qemu_input_queue_sync(struct QemuInputEventQueueHead *queue)
-@@ -306,6 +311,7 @@ static void qemu_input_queue_sync(struct QemuInputEventQueueHead *queue)
- 
-     item->type = QEMU_INPUT_QUEUE_SYNC;
-     QTAILQ_INSERT_TAIL(queue, item, node);
-+    queue_count++;
- }
- 
- void qemu_input_event_send_impl(QemuConsole *src, InputEvent *evt)
-@@ -381,7 +387,7 @@ void qemu_input_event_send_key(QemuConsole *src, KeyValue *key, bool down)
-         qemu_input_event_send(src, evt);
-         qemu_input_event_sync();
-         qapi_free_InputEvent(evt);
--    } else {
-+    } else if (queue_count < queue_limit) {
-         qemu_input_queue_event(&kbd_queue, src, evt);
-         qemu_input_queue_sync(&kbd_queue);
-     }
-@@ -409,8 +415,10 @@ void qemu_input_event_send_key_delay(uint32_t delay_ms)
-         kbd_timer = timer_new_ms(QEMU_CLOCK_VIRTUAL, qemu_input_queue_process,
-                                  &kbd_queue);
-     }
--    qemu_input_queue_delay(&kbd_queue, kbd_timer,
--                           delay_ms ? delay_ms : kbd_default_delay_ms);
-+    if (queue_count < queue_limit) {
-+        qemu_input_queue_delay(&kbd_queue, kbd_timer,
-+                               delay_ms ? delay_ms : kbd_default_delay_ms);
-+    }
- }
- 
- InputEvent *qemu_input_event_new_btn(InputButton btn, bool down)
--- 
-2.9.3

diff --git a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-8380.patch b/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-8380.patch
deleted file mode 100644
index 08911dd0bfb..00000000000
--- a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-8380.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-bug #616874
-
-https://lists.gnu.org/archive/html/qemu-devel/2017-04/msg04147.html
----
- hw/scsi/megasas.c | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
-index 84b8caf..804122a 100644
---- a/hw/scsi/megasas.c
-+++ b/hw/scsi/megasas.c
-@@ -2138,15 +2138,15 @@ static void megasas_mmio_write(void *opaque, hwaddr addr,
-     case MFI_SEQ:
-         trace_megasas_mmio_writel("MFI_SEQ", val);
-         /* Magic sequence to start ADP reset */
--        if (adp_reset_seq[s->adp_reset] == val) {
--            s->adp_reset++;
-+        if (adp_reset_seq[s->adp_reset++] == val) {
-+            if (s->adp_reset == 6) {
-+                s->adp_reset = 0;
-+                s->diag = MFI_DIAG_WRITE_ENABLE;
-+            }
-         } else {
-             s->adp_reset = 0;
-             s->diag = 0;
-         }
--        if (s->adp_reset == 6) {
--            s->diag = MFI_DIAG_WRITE_ENABLE;
--        }
-         break;
-     case MFI_DIAG:
-         trace_megasas_mmio_writel("MFI_DIAG", val);
--- 
-2.9.3

diff --git a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-9503-1.patch b/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-9503-1.patch
deleted file mode 100644
index 01c81d10ec0..00000000000
--- a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-9503-1.patch
+++ /dev/null
@@ -1,122 +0,0 @@
-From 87e459a810d7b1ec1638085b5a80ea3d9b43119a Mon Sep 17 00:00:00 2001
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Thu, 1 Jun 2017 17:26:14 +0200
-Subject: [PATCH] megasas: always store SCSIRequest* into MegasasCmd
-
-This ensures that the request is unref'ed properly, and avoids a
-segmentation fault in the new qtest testcase that is added.
-This is CVE-2017-9503.
-
-Reported-by: Zhangyanyu <zyy4013@stu.ouc.edu.cn>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
----
- hw/scsi/megasas.c    | 31 ++++++++++++++++---------------
- 2 files changed, 51 insertions(+), 15 deletions(-)
-
-diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
-index 135662df31..734fdaef90 100644
---- a/hw/scsi/megasas.c
-+++ b/hw/scsi/megasas.c
-@@ -609,6 +609,9 @@ static void megasas_reset_frames(MegasasState *s)
- static void megasas_abort_command(MegasasCmd *cmd)
- {
-     /* Never abort internal commands.  */
-+    if (cmd->dcmd_opcode != -1) {
-+        return;
-+    }
-     if (cmd->req != NULL) {
-         scsi_req_cancel(cmd->req);
-     }
-@@ -1017,7 +1020,6 @@ static int megasas_pd_get_info_submit(SCSIDevice *sdev, int lun,
-     uint64_t pd_size;
-     uint16_t pd_id = ((sdev->id & 0xFF) << 8) | (lun & 0xFF);
-     uint8_t cmdbuf[6];
--    SCSIRequest *req;
-     size_t len, resid;
- 
-     if (!cmd->iov_buf) {
-@@ -1026,8 +1028,8 @@ static int megasas_pd_get_info_submit(SCSIDevice *sdev, int lun,
-         info->inquiry_data[0] = 0x7f; /* Force PQual 0x3, PType 0x1f */
-         info->vpd_page83[0] = 0x7f;
-         megasas_setup_inquiry(cmdbuf, 0, sizeof(info->inquiry_data));
--        req = scsi_req_new(sdev, cmd->index, lun, cmdbuf, cmd);
--        if (!req) {
-+        cmd->req = scsi_req_new(sdev, cmd->index, lun, cmdbuf, cmd);
-+        if (!cmd->req) {
-             trace_megasas_dcmd_req_alloc_failed(cmd->index,
-                                                 "PD get info std inquiry");
-             g_free(cmd->iov_buf);
-@@ -1036,26 +1038,26 @@ static int megasas_pd_get_info_submit(SCSIDevice *sdev, int lun,
-         }
-         trace_megasas_dcmd_internal_submit(cmd->index,
-                                            "PD get info std inquiry", lun);
--        len = scsi_req_enqueue(req);
-+        len = scsi_req_enqueue(cmd->req);
-         if (len > 0) {
-             cmd->iov_size = len;
--            scsi_req_continue(req);
-+            scsi_req_continue(cmd->req);
-         }
-         return MFI_STAT_INVALID_STATUS;
-     } else if (info->inquiry_data[0] != 0x7f && info->vpd_page83[0] == 0x7f) {
-         megasas_setup_inquiry(cmdbuf, 0x83, sizeof(info->vpd_page83));
--        req = scsi_req_new(sdev, cmd->index, lun, cmdbuf, cmd);
--        if (!req) {
-+        cmd->req = scsi_req_new(sdev, cmd->index, lun, cmdbuf, cmd);
-+        if (!cmd->req) {
-             trace_megasas_dcmd_req_alloc_failed(cmd->index,
-                                                 "PD get info vpd inquiry");
-             return MFI_STAT_FLASH_ALLOC_FAIL;
-         }
-         trace_megasas_dcmd_internal_submit(cmd->index,
-                                            "PD get info vpd inquiry", lun);
--        len = scsi_req_enqueue(req);
-+        len = scsi_req_enqueue(cmd->req);
-         if (len > 0) {
-             cmd->iov_size = len;
--            scsi_req_continue(req);
-+            scsi_req_continue(cmd->req);
-         }
-         return MFI_STAT_INVALID_STATUS;
-     }
-@@ -1217,7 +1219,6 @@ static int megasas_ld_get_info_submit(SCSIDevice *sdev, int lun,
-     struct mfi_ld_info *info = cmd->iov_buf;
-     size_t dcmd_size = sizeof(struct mfi_ld_info);
-     uint8_t cdb[6];
--    SCSIRequest *req;
-     ssize_t len, resid;
-     uint16_t sdev_id = ((sdev->id & 0xFF) << 8) | (lun & 0xFF);
-     uint64_t ld_size;
-@@ -1226,8 +1227,8 @@ static int megasas_ld_get_info_submit(SCSIDevice *sdev, int lun,
-         cmd->iov_buf = g_malloc0(dcmd_size);
-         info = cmd->iov_buf;
-         megasas_setup_inquiry(cdb, 0x83, sizeof(info->vpd_page83));
--        req = scsi_req_new(sdev, cmd->index, lun, cdb, cmd);
--        if (!req) {
-+        cmd->req = scsi_req_new(sdev, cmd->index, lun, cdb, cmd);
-+        if (!cmd->req) {
-             trace_megasas_dcmd_req_alloc_failed(cmd->index,
-                                                 "LD get info vpd inquiry");
-             g_free(cmd->iov_buf);
-@@ -1236,10 +1237,10 @@ static int megasas_ld_get_info_submit(SCSIDevice *sdev, int lun,
-         }
-         trace_megasas_dcmd_internal_submit(cmd->index,
-                                            "LD get info vpd inquiry", lun);
--        len = scsi_req_enqueue(req);
-+        len = scsi_req_enqueue(cmd->req);
-         if (len > 0) {
-             cmd->iov_size = len;
--            scsi_req_continue(req);
-+            scsi_req_continue(cmd->req);
-         }
-         return MFI_STAT_INVALID_STATUS;
-     }
-@@ -1851,7 +1852,7 @@ static void megasas_command_complete(SCSIRequest *req, uint32_t status,
-         return;
-     }
- 
--    if (cmd->req == NULL) {
-+    if (cmd->dcmd_opcode != -1) {
-         /*
-          * Internal command complete
-          */

diff --git a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-9503-2.patch b/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-9503-2.patch
deleted file mode 100644
index 74725a92736..00000000000
--- a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-9503-2.patch
+++ /dev/null
@@ -1,114 +0,0 @@
-From 5104fac8539eaf155fc6de93e164be43e1e62242 Mon Sep 17 00:00:00 2001
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Thu, 1 Jun 2017 17:18:23 +0200
-Subject: [PATCH] megasas: do not read DCMD opcode more than once from frame
-
-Avoid TOC-TOU bugs by storing the DCMD opcode in the MegasasCmd
-
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
----
- hw/scsi/megasas.c | 25 +++++++++++--------------
- 1 file changed, 11 insertions(+), 14 deletions(-)
-
-diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
-index c353118882..a3f75c1650 100644
---- a/hw/scsi/megasas.c
-+++ b/hw/scsi/megasas.c
-@@ -63,6 +63,7 @@ typedef struct MegasasCmd {
- 
-     hwaddr pa;
-     hwaddr pa_size;
-+    uint32_t dcmd_opcode;
-     union mfi_frame *frame;
-     SCSIRequest *req;
-     QEMUSGList qsg;
-@@ -513,6 +514,7 @@ static MegasasCmd *megasas_enqueue_frame(MegasasState *s,
-         cmd->context &= (uint64_t)0xFFFFFFFF;
-     }
-     cmd->count = count;
-+    cmd->dcmd_opcode = -1;
-     s->busy++;
- 
-     if (s->consumer_pa) {
-@@ -1562,22 +1564,21 @@ static const struct dcmd_cmd_tbl_t {
- 
- static int megasas_handle_dcmd(MegasasState *s, MegasasCmd *cmd)
- {
--    int opcode;
-     int retval = 0;
-     size_t len;
-     const struct dcmd_cmd_tbl_t *cmdptr = dcmd_cmd_tbl;
- 
--    opcode = le32_to_cpu(cmd->frame->dcmd.opcode);
--    trace_megasas_handle_dcmd(cmd->index, opcode);
-+    cmd->dcmd_opcode = le32_to_cpu(cmd->frame->dcmd.opcode);
-+    trace_megasas_handle_dcmd(cmd->index, cmd->dcmd_opcode);
-     if (megasas_map_dcmd(s, cmd) < 0) {
-         return MFI_STAT_MEMORY_NOT_AVAILABLE;
-     }
--    while (cmdptr->opcode != -1 && cmdptr->opcode != opcode) {
-+    while (cmdptr->opcode != -1 && cmdptr->opcode != cmd->dcmd_opcode) {
-         cmdptr++;
-     }
-     len = cmd->iov_size;
-     if (cmdptr->opcode == -1) {
--        trace_megasas_dcmd_unhandled(cmd->index, opcode, len);
-+        trace_megasas_dcmd_unhandled(cmd->index, cmd->dcmd_opcode, len);
-         retval = megasas_dcmd_dummy(s, cmd);
-     } else {
-         trace_megasas_dcmd_enter(cmd->index, cmdptr->desc, len);
-@@ -1592,13 +1593,11 @@ static int megasas_handle_dcmd(MegasasState *s, MegasasCmd *cmd)
- static int megasas_finish_internal_dcmd(MegasasCmd *cmd,
-                                         SCSIRequest *req)
- {
--    int opcode;
-     int retval = MFI_STAT_OK;
-     int lun = req->lun;
- 
--    opcode = le32_to_cpu(cmd->frame->dcmd.opcode);
--    trace_megasas_dcmd_internal_finish(cmd->index, opcode, lun);
--    switch (opcode) {
-+    trace_megasas_dcmd_internal_finish(cmd->index, cmd->dcmd_opcode, lun);
-+    switch (cmd->dcmd_opcode) {
-     case MFI_DCMD_PD_GET_INFO:
-         retval = megasas_pd_get_info_submit(req->dev, lun, cmd);
-         break;
-@@ -1606,7 +1605,7 @@ static int megasas_finish_internal_dcmd(MegasasCmd *cmd,
-         retval = megasas_ld_get_info_submit(req->dev, lun, cmd);
-         break;
-     default:
--        trace_megasas_dcmd_internal_invalid(cmd->index, opcode);
-+        trace_megasas_dcmd_internal_invalid(cmd->index, cmd->dcmd_opcode);
-         retval = MFI_STAT_INVALID_DCMD;
-         break;
-     }
-@@ -1827,7 +1826,6 @@ static void megasas_xfer_complete(SCSIRequest *req, uint32_t len)
- {
-     MegasasCmd *cmd = req->hba_private;
-     uint8_t *buf;
--    uint32_t opcode;
- 
-     trace_megasas_io_complete(cmd->index, len);
- 
-@@ -1837,8 +1835,7 @@ static void megasas_xfer_complete(SCSIRequest *req, uint32_t len)
-     }
- 
-     buf = scsi_req_get_buf(req);
--    opcode = le32_to_cpu(cmd->frame->dcmd.opcode);
--    if (opcode == MFI_DCMD_PD_GET_INFO && cmd->iov_buf) {
-+    if (cmd->dcmd_opcode == MFI_DCMD_PD_GET_INFO && cmd->iov_buf) {
-         struct mfi_pd_info *info = cmd->iov_buf;
- 
-         if (info->inquiry_data[0] == 0x7f) {
-@@ -1849,7 +1846,7 @@ static void megasas_xfer_complete(SCSIRequest *req, uint32_t len)
-             memcpy(info->vpd_page83, buf, len);
-         }
-         scsi_req_continue(req);
--    } else if (opcode == MFI_DCMD_LD_GET_INFO) {
-+    } else if (cmd->dcmd_opcode == MFI_DCMD_LD_GET_INFO) {
-         struct mfi_ld_info *info = cmd->iov_buf;
- 
-         if (cmd->iov_buf) {
--- 
-2.13.0
-

diff --git a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-9524-1.patch b/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-9524-1.patch
deleted file mode 100644
index 9d77193b1f6..00000000000
--- a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-9524-1.patch
+++ /dev/null
@@ -1,80 +0,0 @@
-From df8ad9f128c15aa0a0ebc7b24e9a22c9775b67af Mon Sep 17 00:00:00 2001
-From: Eric Blake <eblake@redhat.com>
-Date: Fri, 26 May 2017 22:04:21 -0500
-Subject: [PATCH] nbd: Fully initialize client in case of failed negotiation
-
-If a non-NBD client connects to qemu-nbd, we would end up with
-a SIGSEGV in nbd_client_put() because we were trying to
-unregister the client's association to the export, even though
-we skipped inserting the client into that list.  Easy trigger
-in two terminals:
-
-$ qemu-nbd -p 30001 --format=raw file
-$ nmap 127.0.0.1 -p 30001
-
-nmap claims that it thinks it connected to a pago-services1
-server (which probably means nmap could be updated to learn the
-NBD protocol and give a more accurate diagnosis of the open
-port - but that's not our problem), then terminates immediately,
-so our call to nbd_negotiate() fails.  The fix is to reorder
-nbd_co_client_start() to ensure that all initialization occurs
-before we ever try talking to a client in nbd_negotiate(), so
-that the teardown sequence on negotiation failure doesn't fault
-while dereferencing a half-initialized object.
-
-While debugging this, I also noticed that nbd_update_server_watch()
-called by nbd_client_closed() was still adding a channel to accept
-the next client, even when the state was no longer RUNNING.  That
-is fixed by making nbd_can_accept() pay attention to the current
-state.
-
-Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1451614
-
-Signed-off-by: Eric Blake <eblake@redhat.com>
-Message-Id: <20170527030421.28366-1-eblake@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
----
- nbd/server.c | 8 +++-----
- qemu-nbd.c   | 2 +-
- 2 files changed, 4 insertions(+), 6 deletions(-)
-
-diff --git a/nbd/server.c b/nbd/server.c
-index ee59e5d234..49b55f6ede 100644
---- a/nbd/server.c
-+++ b/nbd/server.c
-@@ -1358,16 +1358,14 @@ static coroutine_fn void nbd_co_client_start(void *opaque)
- 
-     if (exp) {
-         nbd_export_get(exp);
-+        QTAILQ_INSERT_TAIL(&exp->clients, client, next);
-     }
-+    qemu_co_mutex_init(&client->send_lock);
-+
-     if (nbd_negotiate(data)) {
-         client_close(client);
-         goto out;
-     }
--    qemu_co_mutex_init(&client->send_lock);
--
--    if (exp) {
--        QTAILQ_INSERT_TAIL(&exp->clients, client, next);
--    }
- 
-     nbd_client_receive_next_request(client);
- 
-diff --git a/qemu-nbd.c b/qemu-nbd.c
-index f60842fd86..651f85ecc1 100644
---- a/qemu-nbd.c
-+++ b/qemu-nbd.c
-@@ -325,7 +325,7 @@ out:
- 
- static int nbd_can_accept(void)
- {
--    return nb_fds < shared;
-+    return state == RUNNING && nb_fds < shared;
- }
- 
- static void nbd_export_closed(NBDExport *exp)
--- 
-2.13.0
-

diff --git a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-9524-2.patch b/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-9524-2.patch
deleted file mode 100644
index e6934b379a2..00000000000
--- a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-9524-2.patch
+++ /dev/null
@@ -1,197 +0,0 @@
-From 0c9390d978cbf61e8f16c9f580fa96b305c43568 Mon Sep 17 00:00:00 2001
-From: Eric Blake <eblake@redhat.com>
-Date: Thu, 8 Jun 2017 17:26:17 -0500
-Subject: [PATCH] nbd: Fix regression on resiliency to port scan
-
-Back in qemu 2.5, qemu-nbd was immune to port probes (a transient
-server would not quit, regardless of how many probe connections
-came and went, until a connection actually negotiated).  But we
-broke that in commit ee7d7aa when removing the return value to
-nbd_client_new(), although that patch also introduced a bug causing
-an assertion failure on a client that fails negotiation.  We then
-made it worse during refactoring in commit 1a6245a (a segfault
-before we could even assert); the (masked) assertion was cleaned
-up in d3780c2 (still in 2.6), and just recently we finally fixed
-the segfault ("nbd: Fully intialize client in case of failed
-negotiation").  But that still means that ever since we added
-TLS support to qemu-nbd, we have been vulnerable to an ill-timed
-port-scan being able to cause a denial of service by taking down
-qemu-nbd before a real client has a chance to connect.
-
-Since negotiation is now handled asynchronously via coroutines,
-we no longer have a synchronous point of return by re-adding a
-return value to nbd_client_new().  So this patch instead wires
-things up to pass the negotiation status through the close_fn
-callback function.
-
-Simple test across two terminals:
-$ qemu-nbd -f raw -p 30001 file
-$ nmap 127.0.0.1 -p 30001 && \
-  qemu-io -c 'r 0 512' -f raw nbd://localhost:30001
-
-Note that this patch does not change what constitutes successful
-negotiation (thus, a client must enter transmission phase before
-that client can be considered as a reason to terminate the server
-when the connection ends).  Perhaps we may want to tweak things
-in a later patch to also treat a client that uses NBD_OPT_ABORT
-as being a 'successful' negotiation (the client correctly talked
-the NBD protocol, and informed us it was not going to use our
-export after all), but that's a discussion for another day.
-
-Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1451614
-
-Signed-off-by: Eric Blake <eblake@redhat.com>
-Message-Id: <20170608222617.20376-1-eblake@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
----
- blockdev-nbd.c      |  6 +++++-
- include/block/nbd.h |  2 +-
- nbd/server.c        | 24 +++++++++++++++---------
- qemu-nbd.c          |  4 ++--
- 4 files changed, 23 insertions(+), 13 deletions(-)
-
-diff --git a/blockdev-nbd.c b/blockdev-nbd.c
-index dd0860f4a6..28f551a7b0 100644
---- a/blockdev-nbd.c
-+++ b/blockdev-nbd.c
-@@ -27,6 +27,10 @@ typedef struct NBDServerData {
- 
- static NBDServerData *nbd_server;
- 
-+static void nbd_blockdev_client_closed(NBDClient *client, bool ignored)
-+{
-+    nbd_client_put(client);
-+}
- 
- static gboolean nbd_accept(QIOChannel *ioc, GIOCondition condition,
-                            gpointer opaque)
-@@ -46,7 +50,7 @@ static gboolean nbd_accept(QIOChannel *ioc, GIOCondition condition,
-     qio_channel_set_name(QIO_CHANNEL(cioc), "nbd-server");
-     nbd_client_new(NULL, cioc,
-                    nbd_server->tlscreds, NULL,
--                   nbd_client_put);
-+                   nbd_blockdev_client_closed);
-     object_unref(OBJECT(cioc));
-     return TRUE;
- }
-diff --git a/include/block/nbd.h b/include/block/nbd.h
-index 416257abca..8fa5ce51f3 100644
---- a/include/block/nbd.h
-+++ b/include/block/nbd.h
-@@ -162,7 +162,7 @@ void nbd_client_new(NBDExport *exp,
-                     QIOChannelSocket *sioc,
-                     QCryptoTLSCreds *tlscreds,
-                     const char *tlsaclname,
--                    void (*close)(NBDClient *));
-+                    void (*close_fn)(NBDClient *, bool));
- void nbd_client_get(NBDClient *client);
- void nbd_client_put(NBDClient *client);
- 
-diff --git a/nbd/server.c b/nbd/server.c
-index 49b55f6ede..f2b1aa47ce 100644
---- a/nbd/server.c
-+++ b/nbd/server.c
-@@ -81,7 +81,7 @@ static QTAILQ_HEAD(, NBDExport) exports = QTAILQ_HEAD_INITIALIZER(exports);
- 
- struct NBDClient {
-     int refcount;
--    void (*close)(NBDClient *client);
-+    void (*close_fn)(NBDClient *client, bool negotiated);
- 
-     bool no_zeroes;
-     NBDExport *exp;
-@@ -778,7 +778,7 @@ void nbd_client_put(NBDClient *client)
-     }
- }
- 
--static void client_close(NBDClient *client)
-+static void client_close(NBDClient *client, bool negotiated)
- {
-     if (client->closing) {
-         return;
-@@ -793,8 +793,8 @@ static void client_close(NBDClient *client)
-                          NULL);
- 
-     /* Also tell the client, so that they release their reference.  */
--    if (client->close) {
--        client->close(client);
-+    if (client->close_fn) {
-+        client->close_fn(client, negotiated);
-     }
- }
- 
-@@ -975,7 +975,7 @@ void nbd_export_close(NBDExport *exp)
- 
-     nbd_export_get(exp);
-     QTAILQ_FOREACH_SAFE(client, &exp->clients, next, next) {
--        client_close(client);
-+        client_close(client, true);
-     }
-     nbd_export_set_name(exp, NULL);
-     nbd_export_set_description(exp, NULL);
-@@ -1337,7 +1337,7 @@ done:
- 
- out:
-     nbd_request_put(req);
--    client_close(client);
-+    client_close(client, true);
-     nbd_client_put(client);
- }
- 
-@@ -1363,7 +1363,7 @@ static coroutine_fn void nbd_co_client_start(void *opaque)
-     qemu_co_mutex_init(&client->send_lock);
- 
-     if (nbd_negotiate(data)) {
--        client_close(client);
-+        client_close(client, false);
-         goto out;
-     }
- 
-@@ -1373,11 +1373,17 @@ out:
-     g_free(data);
- }
- 
-+/*
-+ * Create a new client listener on the given export @exp, using the
-+ * given channel @sioc.  Begin servicing it in a coroutine.  When the
-+ * connection closes, call @close_fn with an indication of whether the
-+ * client completed negotiation.
-+ */
- void nbd_client_new(NBDExport *exp,
-                     QIOChannelSocket *sioc,
-                     QCryptoTLSCreds *tlscreds,
-                     const char *tlsaclname,
--                    void (*close_fn)(NBDClient *))
-+                    void (*close_fn)(NBDClient *, bool))
- {
-     NBDClient *client;
-     NBDClientNewData *data = g_new(NBDClientNewData, 1);
-@@ -1394,7 +1400,7 @@ void nbd_client_new(NBDExport *exp,
-     object_ref(OBJECT(client->sioc));
-     client->ioc = QIO_CHANNEL(sioc);
-     object_ref(OBJECT(client->ioc));
--    client->close = close_fn;
-+    client->close_fn = close_fn;
- 
-     data->client = client;
-     data->co = qemu_coroutine_create(nbd_co_client_start, data);
-diff --git a/qemu-nbd.c b/qemu-nbd.c
-index 651f85ecc1..9464a0461c 100644
---- a/qemu-nbd.c
-+++ b/qemu-nbd.c
-@@ -336,10 +336,10 @@ static void nbd_export_closed(NBDExport *exp)
- 
- static void nbd_update_server_watch(void);
- 
--static void nbd_client_closed(NBDClient *client)
-+static void nbd_client_closed(NBDClient *client, bool negotiated)
- {
-     nb_fds--;
--    if (nb_fds == 0 && !persistent && state == RUNNING) {
-+    if (negotiated && nb_fds == 0 && !persistent && state == RUNNING) {
-         state = TERMINATE;
-     }
-     nbd_update_server_watch();
--- 
-2.13.0
-


^ permalink raw reply related	[flat|nested] 21+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: app-emulation/qemu/files/
@ 2017-07-26 19:37 Matthias Maier
  0 siblings, 0 replies; 21+ messages in thread
From: Matthias Maier @ 2017-07-26 19:37 UTC (permalink / raw
  To: gentoo-commits

commit:     07b6f997d19ce19197604ffc7b123497d635405c
Author:     Matthias Maier <tamiko <AT> gentoo <DOT> org>
AuthorDate: Wed Jul 26 19:06:15 2017 +0000
Commit:     Matthias Maier <tamiko <AT> gentoo <DOT> org>
CommitDate: Wed Jul 26 19:37:32 2017 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=07b6f997

app-emulation/qemu: Bugfix: Fix patch file

Package-Manager: Portage-2.3.6, Repoman-2.3.3

 .../qemu/files/qemu-2.9.0-CVE-2017-7539.patch      | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-7539.patch b/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-7539.patch
index 3af16977b93..ee77a59373e 100644
--- a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-7539.patch
+++ b/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-7539.patch
@@ -375,25 +375,25 @@ index 924a1fe..a1f106b 100644
  
      magic = cpu_to_be64(NBD_REP_MAGIC);
 -    if (nbd_negotiate_write(ioc, &magic, sizeof(magic)) != sizeof(magic)) {
-+    if (nbd_write(ioc, &magic, sizeof(magic), NULL) < 0) {
++    if (write_sync(ioc, &magic, sizeof(magic), NULL) < 0) {
          LOG("write failed (rep magic)");
          return -EINVAL;
      }
      opt = cpu_to_be32(opt);
 -    if (nbd_negotiate_write(ioc, &opt, sizeof(opt)) != sizeof(opt)) {
-+    if (nbd_write(ioc, &opt, sizeof(opt), NULL) < 0) {
++    if (write_sync(ioc, &opt, sizeof(opt), NULL) < 0) {
          LOG("write failed (rep opt)");
          return -EINVAL;
      }
      type = cpu_to_be32(type);
 -    if (nbd_negotiate_write(ioc, &type, sizeof(type)) != sizeof(type)) {
-+    if (nbd_write(ioc, &type, sizeof(type), NULL) < 0) {
++    if (write_sync(ioc, &type, sizeof(type), NULL) < 0) {
          LOG("write failed (rep type)");
          return -EINVAL;
      }
      len = cpu_to_be32(len);
 -    if (nbd_negotiate_write(ioc, &len, sizeof(len)) != sizeof(len)) {
-+    if (nbd_write(ioc, &len, sizeof(len), NULL) < 0) {
++    if (write_sync(ioc, &len, sizeof(len), NULL) < 0) {
          LOG("write failed (rep data length)");
          return -EINVAL;
      }
@@ -402,7 +402,7 @@ index 924a1fe..a1f106b 100644
          goto out;
      }
 -    if (nbd_negotiate_write(ioc, msg, len) != len) {
-+    if (nbd_write(ioc, msg, len, NULL) < 0) {
++    if (write_sync(ioc, msg, len, NULL) < 0) {
          LOG("write failed (error message)");
          ret = -EIO;
      } else {
@@ -411,17 +411,17 @@ index 924a1fe..a1f106b 100644
  
      len = cpu_to_be32(name_len);
 -    if (nbd_negotiate_write(ioc, &len, sizeof(len)) != sizeof(len)) {
-+    if (nbd_write(ioc, &len, sizeof(len), NULL) < 0) {
++    if (write_sync(ioc, &len, sizeof(len), NULL) < 0) {
          LOG("write failed (name length)");
          return -EINVAL;
      }
 -    if (nbd_negotiate_write(ioc, name, name_len) != name_len) {
-+    if (nbd_write(ioc, name, name_len, NULL) < 0) {
++    if (write_sync(ioc, name, name_len, NULL) < 0) {
          LOG("write failed (name buffer)");
          return -EINVAL;
      }
 -    if (nbd_negotiate_write(ioc, desc, desc_len) != desc_len) {
-+    if (nbd_write(ioc, desc, desc_len, NULL) < 0) {
++    if (write_sync(ioc, desc, desc_len, NULL) < 0) {
          LOG("write failed (description buffer)");
          return -EINVAL;
      }
@@ -524,13 +524,13 @@ index 924a1fe..a1f106b 100644
              goto fail;
          }
 -        if (nbd_negotiate_write(client->ioc, buf, sizeof(buf)) != sizeof(buf)) {
-+        if (nbd_write(client->ioc, buf, sizeof(buf), NULL) < 0) {
++        if (write_sync(client->ioc, buf, sizeof(buf), NULL) < 0) {
              LOG("write failed");
              goto fail;
          }
      } else {
 -        if (nbd_negotiate_write(client->ioc, buf, 18) != 18) {
-+        if (nbd_write(client->ioc, buf, 18, NULL) < 0) {
++        if (write_sync(client->ioc, buf, 18, NULL) < 0) {
              LOG("write failed");
              goto fail;
          }
@@ -539,7 +539,7 @@ index 924a1fe..a1f106b 100644
          stw_be_p(buf + 26, client->exp->nbdflags | myflags);
          len = client->no_zeroes ? 10 : sizeof(buf) - 18;
 -        if (nbd_negotiate_write(client->ioc, buf + 18, len) != len) {
-+        if (nbd_write(client->ioc, buf + 18, len, NULL) < 0) {
++        if (write_sync(client->ioc, buf + 18, len, NULL) < 0) {
              LOG("write failed");
              goto fail;
          }


^ permalink raw reply related	[flat|nested] 21+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: app-emulation/qemu/files/
@ 2017-07-26 17:15 Matthias Maier
  0 siblings, 0 replies; 21+ messages in thread
From: Matthias Maier @ 2017-07-26 17:15 UTC (permalink / raw
  To: gentoo-commits

commit:     4716c9ae8666e4cfc6eff46960f7bff8f4f3d708
Author:     Matthias Maier <tamiko <AT> gentoo <DOT> org>
AuthorDate: Wed Jul 26 17:14:28 2017 +0000
Commit:     Matthias Maier <tamiko <AT> gentoo <DOT> org>
CommitDate: Wed Jul 26 17:14:53 2017 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4716c9ae

app-emulation/qemu: drop old patch files

Package-Manager: Portage-2.3.6, Repoman-2.3.3

 .../qemu/files/qemu-2.7.0-CVE-2016-8669-1.patch    |  32 ------
 .../qemu/files/qemu-2.8.0-CVE-2016-10028.patch     |  40 --------
 .../qemu/files/qemu-2.8.0-CVE-2016-10155.patch     |  46 ---------
 .../qemu/files/qemu-2.8.0-CVE-2016-9908.patch      |  35 -------
 .../qemu/files/qemu-2.8.0-CVE-2016-9912.patch      |  38 -------
 .../qemu/files/qemu-2.8.0-CVE-2017-2615.patch      |  48 ---------
 .../qemu/files/qemu-2.8.0-CVE-2017-2620.patch      |  56 -----------
 .../qemu/files/qemu-2.8.0-CVE-2017-2630.patch      |  22 ----
 .../qemu/files/qemu-2.8.0-CVE-2017-5525-1.patch    |  52 ----------
 .../qemu/files/qemu-2.8.0-CVE-2017-5525-2.patch    |  55 ----------
 .../qemu/files/qemu-2.8.0-CVE-2017-5552.patch      |  41 --------
 .../qemu/files/qemu-2.8.0-CVE-2017-5578.patch      |  35 -------
 .../qemu/files/qemu-2.8.0-CVE-2017-5579.patch      |  40 --------
 .../qemu/files/qemu-2.8.0-CVE-2017-5667.patch      |  37 -------
 .../qemu/files/qemu-2.8.0-CVE-2017-5856.patch      |  64 ------------
 .../qemu/files/qemu-2.8.0-CVE-2017-5857.patch      |  38 -------
 .../qemu/files/qemu-2.8.0-CVE-2017-5898.patch      |  35 -------
 .../qemu/files/qemu-2.8.0-CVE-2017-5931.patch      |  46 ---------
 .../qemu/files/qemu-2.8.0-CVE-2017-5973.patch      |  87 ----------------
 .../qemu/files/qemu-2.8.0-CVE-2017-5987.patch      |  50 ---------
 .../qemu/files/qemu-2.8.0-CVE-2017-6058.patch      | 112 ---------------------
 .../qemu/files/qemu-2.8.0-CVE-2017-6505.patch      |  52 ----------
 .../qemu/files/qemu-2.8.0-CVE-2017-7377.patch      |  49 ---------
 .../qemu/files/qemu-2.8.1-CVE-2017-7471.patch      |  64 ------------
 .../qemu/files/qemu-2.8.1-CVE-2017-8086.patch      |  28 ------
 25 files changed, 1202 deletions(-)

diff --git a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8669-1.patch b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8669-1.patch
deleted file mode 100644
index cea8efc0686..00000000000
--- a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8669-1.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-http://bugs.gentoo.org/597108
-https://lists.gnu.org/archive/html/qemu-devel/2016-10/msg02577.html
-
-From: Prasad J Pandit <address@hidden>
-
-The JAZZ RC4030 chipset emulator has a periodic timer and
-associated interval reload register. The reload value is used
-as divider when computing timer's next tick value. If reload
-value is large, it could lead to divide by zero error. Limit
-the interval reload value to avoid it.
-
-Reported-by: Huawei PSIRT <address@hidden>
-Signed-off-by: Prasad J Pandit <address@hidden>
----
- hw/dma/rc4030.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/dma/rc4030.c b/hw/dma/rc4030.c
-index 2f2576f..c1b4997 100644
---- a/hw/dma/rc4030.c
-+++ b/hw/dma/rc4030.c
-@@ -460,7 +460,7 @@ static void rc4030_write(void *opaque, hwaddr addr, uint64_t data,
-         break;
-     /* Interval timer reload */
-     case 0x0228:
--        s->itr = val;
-+        s->itr = val & 0x01FF;
-         qemu_irq_lower(s->timer_irq);
-         set_next_tick(s);
-         break;
--- 
-2.5.5

diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-10028.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-10028.patch
deleted file mode 100644
index 466c819e78a..00000000000
--- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-10028.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-https://lists.gnu.org/archive/html/qemu-devel/2016-12/msg01903.html
-https://bugs.gentoo.org/603444
-
-From:	P J P
-Subject:	[Qemu-devel] [PATCH] display: virtio-gpu-3d: check virgl capabilities max_size
-Date:	Wed, 14 Dec 2016 12:31:56 +0530
-From: Prasad J Pandit <address@hidden>
-
-Virtio GPU device while processing 'VIRTIO_GPU_CMD_GET_CAPSET'
-command, retrieves the maximum capabilities size to fill in the
-response object. It continues to fill in capabilities even if
-retrieved 'max_size' is zero(0), thus resulting in OOB access.
-Add check to avoid it.
-
-Reported-by: Zhenhao Hong <address@hidden>
-Signed-off-by: Prasad J Pandit <address@hidden>
----
- hw/display/virtio-gpu-3d.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
-index 758d33a..6ceeba3 100644
---- a/hw/display/virtio-gpu-3d.c
-+++ b/hw/display/virtio-gpu-3d.c
-@@ -370,8 +370,12 @@ static void virgl_cmd_get_capset(VirtIOGPU *g,
- 
-     virgl_renderer_get_cap_set(gc.capset_id, &max_ver,
-                                &max_size);
-+    if (!max_size) {
-+        cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER;
-+        return;
-+    }
-+
-     resp = g_malloc0(sizeof(*resp) + max_size);
--
-     resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
-     virgl_renderer_fill_caps(gc.capset_id,
-                              gc.capset_version,
--- 
-2.9.3

diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-10155.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-10155.patch
deleted file mode 100644
index c486295d06f..00000000000
--- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-10155.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From eb7a20a3616085d46aa6b4b4224e15587ec67e6e Mon Sep 17 00:00:00 2001
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Mon, 28 Nov 2016 17:49:04 -0800
-Subject: [PATCH] watchdog: 6300esb: add exit function
-
-When the Intel 6300ESB watchdog is hot unplug. The timer allocated
-in realize isn't freed thus leaking memory leak. This patch avoid
-this through adding the exit function.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-Message-Id: <583cde9c.3223ed0a.7f0c2.886e@mx.google.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
----
- hw/watchdog/wdt_i6300esb.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/hw/watchdog/wdt_i6300esb.c b/hw/watchdog/wdt_i6300esb.c
-index a83d951..49b3cd1 100644
---- a/hw/watchdog/wdt_i6300esb.c
-+++ b/hw/watchdog/wdt_i6300esb.c
-@@ -428,6 +428,14 @@ static void i6300esb_realize(PCIDevice *dev, Error **errp)
-     /* qemu_register_coalesced_mmio (addr, 0x10); ? */
- }
- 
-+static void i6300esb_exit(PCIDevice *dev)
-+{
-+    I6300State *d = WATCHDOG_I6300ESB_DEVICE(dev);
-+
-+    timer_del(d->timer);
-+    timer_free(d->timer);
-+}
-+
- static WatchdogTimerModel model = {
-     .wdt_name = "i6300esb",
-     .wdt_description = "Intel 6300ESB",
-@@ -441,6 +449,7 @@ static void i6300esb_class_init(ObjectClass *klass, void *data)
-     k->config_read = i6300esb_config_read;
-     k->config_write = i6300esb_config_write;
-     k->realize = i6300esb_realize;
-+    k->exit = i6300esb_exit;
-     k->vendor_id = PCI_VENDOR_ID_INTEL;
-     k->device_id = PCI_DEVICE_ID_INTEL_ESB_9;
-     k->class_id = PCI_CLASS_SYSTEM_OTHER;
--- 
-2.10.2
-

diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-9908.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-9908.patch
deleted file mode 100644
index 841de65d48c..00000000000
--- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-9908.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-https://lists.gnu.org/archive/html/qemu-devel/2016-11/msg00059.html
-https://bugs.gentoo.org/601826
-
-From:	Li Qiang
-Subject:	[Qemu-devel] [PATCH] virtio-gpu: fix information leak in capset get dispatch
-Date:	Tue, 1 Nov 2016 05:37:57 -0700
-From: Li Qiang <address@hidden>
-
-In virgl_cmd_get_capset function, it uses g_malloc to allocate
-a response struct to the guest. As the 'resp'struct hasn't been full
-initialized it will lead the 'resp->padding' field to the guest.
-Use g_malloc0 to avoid this.
-
-Signed-off-by: Li Qiang <address@hidden>
----
- hw/display/virtio-gpu-3d.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
-index 23f39de..d98b140 100644
---- a/hw/display/virtio-gpu-3d.c
-+++ b/hw/display/virtio-gpu-3d.c
-@@ -371,7 +371,7 @@ static void virgl_cmd_get_capset(VirtIOGPU *g,
- 
-     virgl_renderer_get_cap_set(gc.capset_id, &max_ver,
-                                &max_size);
--    resp = g_malloc(sizeof(*resp) + max_size);
-+    resp = g_malloc0(sizeof(*resp) + max_size);
- 
-     resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
-     virgl_renderer_fill_caps(gc.capset_id,
--- 
-1.8.3.1
-
-

diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-9912.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-9912.patch
deleted file mode 100644
index 55963f70b98..00000000000
--- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-9912.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-https://lists.gnu.org/archive/html/qemu-devel/2016-11/msg05043.html
-https://bugs.gentoo.org/602630
-
-From:	Li Qiang
-Subject:	[Qemu-devel] [PATCH] virtio-gpu: call cleanup mapping function in resource destroy
-Date:	Mon, 28 Nov 2016 21:29:25 -0500
-If the guest destroy the resource before detach banking, the 'iov'
-and 'addrs' field in resource is not freed thus leading memory
-leak issue. This patch avoid this.
-
-Signed-off-by: Li Qiang <address@hidden>
----
- hw/display/virtio-gpu.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
-index 60bce94..98dadf2 100644
---- a/hw/display/virtio-gpu.c
-+++ b/hw/display/virtio-gpu.c
-@@ -28,6 +28,8 @@
- static struct virtio_gpu_simple_resource*
- virtio_gpu_find_resource(VirtIOGPU *g, uint32_t resource_id);
- 
-+static void virtio_gpu_cleanup_mapping(struct virtio_gpu_simple_resource *res);
-+
- #ifdef CONFIG_VIRGL
- #include <virglrenderer.h>
- #define VIRGL(_g, _virgl, _simple, ...)                     \
-@@ -358,6 +360,7 @@ static void virtio_gpu_resource_destroy(VirtIOGPU *g,
-                                         struct virtio_gpu_simple_resource *res)
- {
-     pixman_image_unref(res->image);
-+    virtio_gpu_cleanup_mapping(res);
-     QTAILQ_REMOVE(&g->reslist, res, next);
-     g_free(res);
- }
--- 
-1.8.3.1

diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-2615.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-2615.patch
deleted file mode 100644
index f0bba801657..00000000000
--- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-2615.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 62d4c6bd5263bb8413a06c80144fc678df6dfb64 Mon Sep 17 00:00:00 2001
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Wed, 1 Feb 2017 09:35:01 +0100
-Subject: [PATCH] cirrus: fix oob access issue (CVE-2017-2615)
-
-When doing bitblt copy in backward mode, we should minus the
-blt width first just like the adding in the forward mode. This
-can avoid the oob access of the front of vga's vram.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-
-{ kraxel: with backward blits (negative pitch) addr is the topmost
-          address, so check it as-is against vram size ]
-
-Cc: qemu-stable@nongnu.org
-Cc: P J P <ppandit@redhat.com>
-Cc: Laszlo Ersek <lersek@redhat.com>
-Cc: Paolo Bonzini <pbonzini@redhat.com>
-Cc: Wolfgang Bumiller <w.bumiller@proxmox.com>
-Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106)
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Message-id: 1485938101-26602-1-git-send-email-kraxel@redhat.com
-Reviewed-by: Laszlo Ersek <lersek@redhat.com>
----
- hw/display/cirrus_vga.c | 7 +++----
- 1 file changed, 3 insertions(+), 4 deletions(-)
-
-diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
-index 7db6409..16f27e8 100644
---- a/hw/display/cirrus_vga.c
-+++ b/hw/display/cirrus_vga.c
-@@ -274,10 +274,9 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
- {
-     if (pitch < 0) {
-         int64_t min = addr
--            + ((int64_t)s->cirrus_blt_height-1) * pitch;
--        int32_t max = addr
--            + s->cirrus_blt_width;
--        if (min < 0 || max > s->vga.vram_size) {
-+            + ((int64_t)s->cirrus_blt_height - 1) * pitch
-+            - s->cirrus_blt_width;
-+        if (min < -1 || addr >= s->vga.vram_size) {
-             return true;
-         }
-     } else {
--- 
-2.10.2
-

diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-2620.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-2620.patch
deleted file mode 100644
index e2a98012d7c..00000000000
--- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-2620.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From: Gerd Hoffmann <kraxel@redhat.com>
-Subject: [PATCH 3/3] cirrus: add blit_is_unsafe call to cirrus_bitblt_cputovideo
-
-CIRRUS_BLTMODE_MEMSYSSRC blits do NOT check blit destination
-and blit width, at all.  Oops.  Fix it.
-
-Security impact: high.
-
-The missing blit destination check allows to write to host memory.
-Basically same as CVE-2014-8106 for the other blit variants.
-
-The missing blit width check allows to overflow cirrus_bltbuf,
-with the attractive target cirrus_srcptr (current cirrus_bltbuf write
-position) being located right after cirrus_bltbuf in CirrusVGAState.
-
-Due to cirrus emulation writing cirrus_bltbuf bytewise the attacker
-hasn't full control over cirrus_srcptr though, only one byte can be
-changed.  Once the first byte has been modified further writes land
-elsewhere.
-
-[ This is CVE-2017-2620 / XSA-209  - Ian Jackson ]
-
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- hw/display/cirrus_vga.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
-index 0e47cf8..a093dc8 100644
---- a/hw/display/cirrus_vga.c
-+++ b/hw/display/cirrus_vga.c
-@@ -899,6 +899,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s)
- {
-     int w;
- 
-+    if (blit_is_unsafe(s)) {
-+        return 0;
-+    }
-+
-     s->cirrus_blt_mode &= ~CIRRUS_BLTMODE_MEMSYSSRC;
-     s->cirrus_srcptr = &s->cirrus_bltbuf[0];
-     s->cirrus_srcptr_end = &s->cirrus_bltbuf[0];
-@@ -924,6 +928,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s)
- 	}
-         s->cirrus_srccounter = s->cirrus_blt_srcpitch * s->cirrus_blt_height;
-     }
-+
-+    /* the blit_is_unsafe call above should catch this */
-+    assert(s->cirrus_blt_srcpitch <= CIRRUS_BLTBUFSIZE);
-+
-     s->cirrus_srcptr = s->cirrus_bltbuf;
-     s->cirrus_srcptr_end = s->cirrus_bltbuf + s->cirrus_blt_srcpitch;
-     cirrus_update_memory_access(s);
--- 
-1.8.3.1
-

diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-2630.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-2630.patch
deleted file mode 100644
index 034b322de5f..00000000000
--- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-2630.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-Comparison symbol is misused. It may lead to memory corruption.
-
-Signed-off-by: Vladimir Sementsov-Ogievskiy <address@hidden>
----
- nbd/client.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/nbd/client.c b/nbd/client.c
-index 6caf6bda6d..351731bc63 100644
---- a/nbd/client.c
-+++ b/nbd/client.c
-@@ -94,7 +94,7 @@ static ssize_t drop_sync(QIOChannel *ioc, size_t size)
-     char small[1024];
-     char *buffer;
- 
--    buffer = sizeof(small) < size ? small : g_malloc(MIN(65536, size));
-+    buffer = sizeof(small) > size ? small : g_malloc(MIN(65536, size));
-     while (size > 0) {
-         ssize_t count = read_sync(ioc, buffer, MIN(65536, size));
- 
--- 
-2.11.0

diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5525-1.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5525-1.patch
deleted file mode 100644
index 24411b4dca3..00000000000
--- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5525-1.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From 12351a91da97b414eec8cdb09f1d9f41e535a401 Mon Sep 17 00:00:00 2001
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Wed, 14 Dec 2016 18:30:21 -0800
-Subject: [PATCH] audio: ac97: add exit function
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Currently the ac97 device emulation doesn't have a exit function,
-hot unplug this device will leak some memory. Add a exit function to
-avoid this.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Message-id: 58520052.4825ed0a.27a71.6cae@mx.google.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- hw/audio/ac97.c | 11 +++++++++++
- 1 file changed, 11 insertions(+)
-
-diff --git a/hw/audio/ac97.c b/hw/audio/ac97.c
-index cbd959e..c306575 100644
---- a/hw/audio/ac97.c
-+++ b/hw/audio/ac97.c
-@@ -1387,6 +1387,16 @@ static void ac97_realize(PCIDevice *dev, Error **errp)
-     ac97_on_reset (&s->dev.qdev);
- }
- 
-+static void ac97_exit(PCIDevice *dev)
-+{
-+    AC97LinkState *s = DO_UPCAST(AC97LinkState, dev, dev);
-+
-+    AUD_close_in(&s->card, s->voice_pi);
-+    AUD_close_out(&s->card, s->voice_po);
-+    AUD_close_in(&s->card, s->voice_mc);
-+    AUD_remove_card(&s->card);
-+}
-+
- static int ac97_init (PCIBus *bus)
- {
-     pci_create_simple (bus, -1, "AC97");
-@@ -1404,6 +1414,7 @@ static void ac97_class_init (ObjectClass *klass, void *data)
-     PCIDeviceClass *k = PCI_DEVICE_CLASS (klass);
- 
-     k->realize = ac97_realize;
-+    k->exit = ac97_exit;
-     k->vendor_id = PCI_VENDOR_ID_INTEL;
-     k->device_id = PCI_DEVICE_ID_INTEL_82801AA_5;
-     k->revision = 0x01;
--- 
-2.10.2
-

diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5525-2.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5525-2.patch
deleted file mode 100644
index 6bbac580c3c..00000000000
--- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5525-2.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From 069eb7b2b8fc47c7cb52e5a4af23ea98d939e3da Mon Sep 17 00:00:00 2001
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Wed, 14 Dec 2016 18:32:22 -0800
-Subject: [PATCH] audio: es1370: add exit function
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Currently the es1370 device emulation doesn't have a exit function,
-hot unplug this device will leak some memory. Add a exit function to
-avoid this.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Message-id: 585200c9.a968ca0a.1ab80.4c98@mx.google.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- hw/audio/es1370.c | 14 ++++++++++++++
- 1 file changed, 14 insertions(+)
-
-diff --git a/hw/audio/es1370.c b/hw/audio/es1370.c
-index 8449b5f..883ec69 100644
---- a/hw/audio/es1370.c
-+++ b/hw/audio/es1370.c
-@@ -1041,6 +1041,19 @@ static void es1370_realize(PCIDevice *dev, Error **errp)
-     es1370_reset (s);
- }
- 
-+static void es1370_exit(PCIDevice *dev)
-+{
-+    ES1370State *s = ES1370(dev);
-+    int i;
-+
-+    for (i = 0; i < 2; ++i) {
-+        AUD_close_out(&s->card, s->dac_voice[i]);
-+    }
-+
-+    AUD_close_in(&s->card, s->adc_voice);
-+    AUD_remove_card(&s->card);
-+}
-+
- static int es1370_init (PCIBus *bus)
- {
-     pci_create_simple (bus, -1, TYPE_ES1370);
-@@ -1053,6 +1066,7 @@ static void es1370_class_init (ObjectClass *klass, void *data)
-     PCIDeviceClass *k = PCI_DEVICE_CLASS (klass);
- 
-     k->realize = es1370_realize;
-+    k->exit = es1370_exit;
-     k->vendor_id = PCI_VENDOR_ID_ENSONIQ;
-     k->device_id = PCI_DEVICE_ID_ENSONIQ_ES1370;
-     k->class_id = PCI_CLASS_MULTIMEDIA_AUDIO;
--- 
-2.10.2
-

diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5552.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5552.patch
deleted file mode 100644
index 9475f3fd2a2..00000000000
--- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5552.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 33243031dad02d161225ba99d782616da133f689 Mon Sep 17 00:00:00 2001
-From: Li Qiang <liq3ea@gmail.com>
-Date: Thu, 29 Dec 2016 03:11:26 -0500
-Subject: [PATCH] virtio-gpu-3d: fix memory leak in resource attach backing
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-If the virgl_renderer_resource_attach_iov function fails the
-'res_iovs' will be leaked. Add check of the return value to
-free the 'res_iovs' when failing.
-
-Signed-off-by: Li Qiang <liq3ea@gmail.com>
-Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Message-id: 1482999086-59795-1-git-send-email-liq3ea@gmail.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- hw/display/virtio-gpu-3d.c | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
-index e29f099..b13ced3 100644
---- a/hw/display/virtio-gpu-3d.c
-+++ b/hw/display/virtio-gpu-3d.c
-@@ -291,8 +291,11 @@ static void virgl_resource_attach_backing(VirtIOGPU *g,
-         return;
-     }
- 
--    virgl_renderer_resource_attach_iov(att_rb.resource_id,
--                                       res_iovs, att_rb.nr_entries);
-+    ret = virgl_renderer_resource_attach_iov(att_rb.resource_id,
-+                                             res_iovs, att_rb.nr_entries);
-+
-+    if (ret != 0)
-+        virtio_gpu_cleanup_mapping_iov(res_iovs, att_rb.nr_entries);
- }
- 
- static void virgl_resource_detach_backing(VirtIOGPU *g,
--- 
-2.10.2
-

diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5578.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5578.patch
deleted file mode 100644
index f93d1e7f9e9..00000000000
--- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5578.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 204f01b30975923c64006f8067f0937b91eea68b Mon Sep 17 00:00:00 2001
-From: Li Qiang <liq3ea@gmail.com>
-Date: Thu, 29 Dec 2016 04:28:41 -0500
-Subject: [PATCH] virtio-gpu: fix memory leak in resource attach backing
-
-In the resource attach backing function, everytime it will
-allocate 'res->iov' thus can leading a memory leak. This
-patch avoid this.
-
-Signed-off-by: Li Qiang <liq3ea@gmail.com>
-Message-id: 1483003721-65360-1-git-send-email-liq3ea@gmail.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- hw/display/virtio-gpu.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
-index 6a26258..ca88cf4 100644
---- a/hw/display/virtio-gpu.c
-+++ b/hw/display/virtio-gpu.c
-@@ -714,6 +714,11 @@ virtio_gpu_resource_attach_backing(VirtIOGPU *g,
-         return;
-     }
- 
-+    if (res->iov) {
-+        cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;
-+        return;
-+    }
-+
-     ret = virtio_gpu_create_mapping_iov(&ab, cmd, &res->addrs, &res->iov);
-     if (ret != 0) {
-         cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;
--- 
-2.10.2
-

diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5579.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5579.patch
deleted file mode 100644
index e4572a8d571..00000000000
--- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5579.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 8409dc884a201bf74b30a9d232b6bbdd00cb7e2b Mon Sep 17 00:00:00 2001
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Wed, 4 Jan 2017 00:43:16 -0800
-Subject: [PATCH] serial: fix memory leak in serial exit
-
-The serial_exit_core function doesn't free some resources.
-This can lead memory leak when hotplug and unplug. This
-patch avoid this.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-Message-Id: <586cb5ab.f31d9d0a.38ac3.acf2@mx.google.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
----
- hw/char/serial.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/hw/char/serial.c b/hw/char/serial.c
-index ffbacd8..67b18ed 100644
---- a/hw/char/serial.c
-+++ b/hw/char/serial.c
-@@ -906,6 +906,16 @@ void serial_realize_core(SerialState *s, Error **errp)
- void serial_exit_core(SerialState *s)
- {
-     qemu_chr_fe_deinit(&s->chr);
-+
-+    timer_del(s->modem_status_poll);
-+    timer_free(s->modem_status_poll);
-+
-+    timer_del(s->fifo_timeout_timer);
-+    timer_free(s->fifo_timeout_timer);
-+
-+    fifo8_destroy(&s->recv_fifo);
-+    fifo8_destroy(&s->xmit_fifo);
-+
-     qemu_unregister_reset(serial_reset, s);
- }
- 
--- 
-2.10.2
-

diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5667.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5667.patch
deleted file mode 100644
index 93e9c9406c4..00000000000
--- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5667.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 42922105beb14c2fc58185ea022b9f72fb5465e9 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Tue, 7 Feb 2017 18:29:59 +0000
-Subject: [PATCH] sd: sdhci: check data length during dma_memory_read
-
-While doing multi block SDMA transfer in routine
-'sdhci_sdma_transfer_multi_blocks', the 's->fifo_buffer' starting
-index 'begin' and data length 's->data_count' could end up to be same.
-This could lead to an OOB access issue. Correct transfer data length
-to avoid it.
-
-Cc: qemu-stable@nongnu.org
-Reported-by: Jiang Xin <jiangxin1@huawei.com>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 20170130064736.9236-1-ppandit@redhat.com
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/sd/sdhci.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
-index 01fbf22..5bd5ab6 100644
---- a/hw/sd/sdhci.c
-+++ b/hw/sd/sdhci.c
-@@ -536,7 +536,7 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
-                 boundary_count -= block_size - begin;
-             }
-             dma_memory_read(&address_space_memory, s->sdmasysad,
--                            &s->fifo_buffer[begin], s->data_count);
-+                            &s->fifo_buffer[begin], s->data_count - begin);
-             s->sdmasysad += s->data_count - begin;
-             if (s->data_count == block_size) {
-                 for (n = 0; n < block_size; n++) {
--- 
-2.10.2
-

diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5856.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5856.patch
deleted file mode 100644
index 2ebd49fa54d..00000000000
--- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5856.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From 765a707000e838c30b18d712fe6cb3dd8e0435f3 Mon Sep 17 00:00:00 2001
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Mon, 2 Jan 2017 11:03:33 +0100
-Subject: [PATCH] megasas: fix guest-triggered memory leak
-
-If the guest sets the sglist size to a value >=2GB, megasas_handle_dcmd
-will return MFI_STAT_MEMORY_NOT_AVAILABLE without freeing the memory.
-Avoid this by returning only the status from map_dcmd, and loading
-cmd->iov_size in the caller.
-
-Reported-by: Li Qiang <liqiang6-s@360.cn>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
----
- hw/scsi/megasas.c | 11 ++++++-----
- 1 file changed, 6 insertions(+), 5 deletions(-)
-
-diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
-index 67fc1e7..6233865 100644
---- a/hw/scsi/megasas.c
-+++ b/hw/scsi/megasas.c
-@@ -683,14 +683,14 @@ static int megasas_map_dcmd(MegasasState *s, MegasasCmd *cmd)
-         trace_megasas_dcmd_invalid_sge(cmd->index,
-                                        cmd->frame->header.sge_count);
-         cmd->iov_size = 0;
--        return -1;
-+        return -EINVAL;
-     }
-     iov_pa = megasas_sgl_get_addr(cmd, &cmd->frame->dcmd.sgl);
-     iov_size = megasas_sgl_get_len(cmd, &cmd->frame->dcmd.sgl);
-     pci_dma_sglist_init(&cmd->qsg, PCI_DEVICE(s), 1);
-     qemu_sglist_add(&cmd->qsg, iov_pa, iov_size);
-     cmd->iov_size = iov_size;
--    return cmd->iov_size;
-+    return 0;
- }
- 
- static void megasas_finish_dcmd(MegasasCmd *cmd, uint32_t iov_size)
-@@ -1559,19 +1559,20 @@ static const struct dcmd_cmd_tbl_t {
- 
- static int megasas_handle_dcmd(MegasasState *s, MegasasCmd *cmd)
- {
--    int opcode, len;
-+    int opcode;
-     int retval = 0;
-+    size_t len;
-     const struct dcmd_cmd_tbl_t *cmdptr = dcmd_cmd_tbl;
- 
-     opcode = le32_to_cpu(cmd->frame->dcmd.opcode);
-     trace_megasas_handle_dcmd(cmd->index, opcode);
--    len = megasas_map_dcmd(s, cmd);
--    if (len < 0) {
-+    if (megasas_map_dcmd(s, cmd) < 0) {
-         return MFI_STAT_MEMORY_NOT_AVAILABLE;
-     }
-     while (cmdptr->opcode != -1 && cmdptr->opcode != opcode) {
-         cmdptr++;
-     }
-+    len = cmd->iov_size;
-     if (cmdptr->opcode == -1) {
-         trace_megasas_dcmd_unhandled(cmd->index, opcode, len);
-         retval = megasas_dcmd_dummy(s, cmd);
--- 
-2.10.2
-

diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5857.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5857.patch
deleted file mode 100644
index 664a669ffaa..00000000000
--- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5857.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-When the guest sends VIRTIO_GPU_CMD_RESOURCE_UNREF without detaching the
-backing storage beforehand (VIRTIO_GPU_CMD_RESOURCE_DETACH_BACKING)
-we'll leak memory.
-
-This patch fixes it for 3d mode, simliar to the 2d mode fix in commit
-"b8e2392 virtio-gpu: call cleanup mapping function in resource destroy".
-
-Reported-by: 李强 <address@hidden>
-Signed-off-by: Gerd Hoffmann <address@hidden>
----
- hw/display/virtio-gpu-3d.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
-index f96a0c2..ecb09d1 100644
---- a/hw/display/virtio-gpu-3d.c
-+++ b/hw/display/virtio-gpu-3d.c
-@@ -77,10 +77,18 @@ static void virgl_cmd_resource_unref(VirtIOGPU *g,
-                                      struct virtio_gpu_ctrl_command *cmd)
- {
-     struct virtio_gpu_resource_unref unref;
-+    struct iovec *res_iovs = NULL;
-+    int num_iovs = 0;
- 
-     VIRTIO_GPU_FILL_CMD(unref);
-     trace_virtio_gpu_cmd_res_unref(unref.resource_id);
- 
-+    virgl_renderer_resource_detach_iov(unref.resource_id,
-+                                       &res_iovs,
-+                                       &num_iovs);
-+    if (res_iovs != NULL && num_iovs != 0) {
-+        virtio_gpu_cleanup_mapping_iov(res_iovs, num_iovs);
-+    }
-     virgl_renderer_resource_unref(unref.resource_id);
- }
- 
--- 
-1.8.3.1

diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5898.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5898.patch
deleted file mode 100644
index 9f94477a46b..00000000000
--- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5898.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From c7dfbf322595ded4e70b626bf83158a9f3807c6a Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Fri, 3 Feb 2017 00:52:28 +0530
-Subject: [PATCH] usb: ccid: check ccid apdu length
-
-CCID device emulator uses Application Protocol Data Units(APDU)
-to exchange command and responses to and from the host.
-The length in these units couldn't be greater than 65536. Add
-check to ensure the same. It'd also avoid potential integer
-overflow in emulated_apdu_from_guest.
-
-Reported-by: Li Qiang <liqiang6-s@360.cn>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Message-id: 20170202192228.10847-1-ppandit@redhat.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- hw/usb/dev-smartcard-reader.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/usb/dev-smartcard-reader.c b/hw/usb/dev-smartcard-reader.c
-index 89e11b6..1325ea1 100644
---- a/hw/usb/dev-smartcard-reader.c
-+++ b/hw/usb/dev-smartcard-reader.c
-@@ -967,7 +967,7 @@ static void ccid_on_apdu_from_guest(USBCCIDState *s, CCID_XferBlock *recv)
-     DPRINTF(s, 1, "%s: seq %d, len %d\n", __func__,
-                 recv->hdr.bSeq, len);
-     ccid_add_pending_answer(s, (CCID_Header *)recv);
--    if (s->card) {
-+    if (s->card && len <= BULK_OUT_DATA_SIZE) {
-         ccid_card_apdu_from_guest(s->card, recv->abData, len);
-     } else {
-         DPRINTF(s, D_WARN, "warning: discarded apdu\n");
--- 
-2.10.2
-

diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5931.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5931.patch
deleted file mode 100644
index f24d557c96d..00000000000
--- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5931.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From a08aaff811fb194950f79711d2afe5a892ae03a4 Mon Sep 17 00:00:00 2001
-From: Gonglei <arei.gonglei@huawei.com>
-Date: Tue, 3 Jan 2017 14:50:03 +0800
-Subject: [PATCH] virtio-crypto: fix possible integer and heap overflow
-
-Because the 'size_t' type is 4 bytes in 32-bit platform, which
-is the same with 'int'. It's easy to make 'max_len' to zero when
-integer overflow and then cause heap overflow if 'max_len' is zero.
-
-Using uint_64 instead of size_t to avoid the integer overflow.
-
-Cc: qemu-stable@nongnu.org
-Reported-by: Li Qiang <liqiang6-s@360.cn>
-Signed-off-by: Gonglei <arei.gonglei@huawei.com>
-Tested-by: Li Qiang <liqiang6-s@360.cn>
-Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
----
- hw/virtio/virtio-crypto.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c
-index 2f2467e..c23e1ad 100644
---- a/hw/virtio/virtio-crypto.c
-+++ b/hw/virtio/virtio-crypto.c
-@@ -416,7 +416,7 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev,
-     uint32_t hash_start_src_offset = 0, len_to_hash = 0;
-     uint32_t cipher_start_src_offset = 0, len_to_cipher = 0;
- 
--    size_t max_len, curr_size = 0;
-+    uint64_t max_len, curr_size = 0;
-     size_t s;
- 
-     /* Plain cipher */
-@@ -441,7 +441,7 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev,
-         return NULL;
-     }
- 
--    max_len = iv_len + aad_len + src_len + dst_len + hash_result_len;
-+    max_len = (uint64_t)iv_len + aad_len + src_len + dst_len + hash_result_len;
-     if (unlikely(max_len > vcrypto->conf.max_size)) {
-         virtio_error(vdev, "virtio-crypto too big length");
-         return NULL;
--- 
-2.10.2
-

diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5973.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5973.patch
deleted file mode 100644
index 50ff3c99792..00000000000
--- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5973.patch
+++ /dev/null
@@ -1,87 +0,0 @@
-Limits should be big enough that normal guest should not hit it.
-Add a tracepoint to log them, just in case.  Also, while being
-at it, log the existing link trb limit too.
-
-Reported-by: 李强 <address@hidden>
-Signed-off-by: Gerd Hoffmann <address@hidden>
----
- hw/usb/hcd-xhci.c   | 15 ++++++++++++++-
- hw/usb/trace-events |  1 +
- 2 files changed, 15 insertions(+), 1 deletion(-)
-
-diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
-index fbf8a8b..28dd2f2 100644
---- a/hw/usb/hcd-xhci.c
-+++ b/hw/usb/hcd-xhci.c
-@@ -51,6 +51,8 @@
- #define EV_QUEUE (((3 * 24) + 16) * MAXSLOTS)
- 
- #define TRB_LINK_LIMIT  4
-+#define COMMAND_LIMIT   256
-+#define TRANSFER_LIMIT  256
- 
- #define LEN_CAP         0x40
- #define LEN_OPER        (0x400 + 0x10 * MAXPORTS)
-@@ -943,6 +945,7 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb,
-             return type;
-         } else {
-             if (++link_cnt > TRB_LINK_LIMIT) {
-+                trace_usb_xhci_enforced_limit("trb-link");
-                 return 0;
-             }
-             ring->dequeue = xhci_mask64(trb->parameter);
-@@ -2060,6 +2063,7 @@ static void xhci_kick_epctx(XHCIEPContext *epctx, unsigned int streamid)
-     XHCIRing *ring;
-     USBEndpoint *ep = NULL;
-     uint64_t mfindex;
-+    unsigned int count = 0;
-     int length;
-     int i;
- 
-@@ -2172,6 +2176,10 @@ static void xhci_kick_epctx(XHCIEPContext *epctx, unsigned int streamid)
-             epctx->retry = xfer;
-             break;
-         }
-+        if (count++ > TRANSFER_LIMIT) {
-+            trace_usb_xhci_enforced_limit("transfers");
-+            break;
-+        }
-     }
-     epctx->kick_active--;
- 
-@@ -2618,7 +2626,7 @@ static void xhci_process_commands(XHCIState *xhci)
-     TRBType type;
-     XHCIEvent event = {ER_COMMAND_COMPLETE, CC_SUCCESS};
-     dma_addr_t addr;
--    unsigned int i, slotid = 0;
-+    unsigned int i, slotid = 0, count = 0;
- 
-     DPRINTF("xhci_process_commands()\n");
-     if (!xhci_running(xhci)) {
-@@ -2735,6 +2743,11 @@ static void xhci_process_commands(XHCIState *xhci)
-         }
-         event.slotid = slotid;
-         xhci_event(xhci, &event, 0);
-+
-+        if (count++ > COMMAND_LIMIT) {
-+            trace_usb_xhci_enforced_limit("commands");
-+            return;
-+        }
-     }
- }
- 
-diff --git a/hw/usb/trace-events b/hw/usb/trace-events
-index fdd1d29..0c323d4 100644
---- a/hw/usb/trace-events
-+++ b/hw/usb/trace-events
-@@ -174,6 +174,7 @@ usb_xhci_xfer_retry(void *xfer) "%p"
- usb_xhci_xfer_success(void *xfer, uint32_t bytes) "%p: len %d"
- usb_xhci_xfer_error(void *xfer, uint32_t ret) "%p: ret %d"
- usb_xhci_unimplemented(const char *item, int nr) "%s (0x%x)"
-+usb_xhci_enforced_limit(const char *item) "%s"
- 
- # hw/usb/desc.c
- usb_desc_device(int addr, int len, int ret) "dev %d query device, len %d, ret %d"
--- 
-1.8.3.1
-

diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5987.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5987.patch
deleted file mode 100644
index bfde2e9d4b7..00000000000
--- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5987.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From: Prasad J Pandit <address@hidden>
-
-In the SDHCI protocol, the transfer mode register value
-is used during multi block transfer to check if block count
-register is enabled and should be updated. Transfer mode
-register could be set such that, block count register would
-not be updated, thus leading to an infinite loop. Add check
-to avoid it.
-
-Reported-by: Wjjzhang <address@hidden>
-Reported-by: Jiang Xin <address@hidden>
-Signed-off-by: Prasad J Pandit <address@hidden>
----
- hw/sd/sdhci.c | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
-Update: use qemu_log_mask(LOG_UNIMP, ...)
-  -> https://lists.gnu.org/archive/html/qemu-devel/2017-02/msg02354.html
-
-diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
-index 5bd5ab6..a9c744b 100644
---- a/hw/sd/sdhci.c
-+++ b/hw/sd/sdhci.c
-@@ -486,6 +486,11 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
-     uint32_t boundary_chk = 1 << (((s->blksize & 0xf000) >> 12) + 12);
-     uint32_t boundary_count = boundary_chk - (s->sdmasysad % boundary_chk);
- 
-+    if (!(s->trnmod & SDHC_TRNS_BLK_CNT_EN) || !s->blkcnt) {
-+        qemu_log_mask(LOG_UNIMP, "infinite transfer is not supported\n");
-+        return;
-+    }
-+
-     /* XXX: Some sd/mmc drivers (for example, u-boot-slp) do not account for
-      * possible stop at page boundary if initial address is not page aligned,
-      * allow them to work properly */
-@@ -797,11 +802,6 @@ static void sdhci_data_transfer(void *opaque)
-     if (s->trnmod & SDHC_TRNS_DMA) {
-         switch (SDHC_DMA_TYPE(s->hostctl)) {
-         case SDHC_CTRL_SDMA:
--            if ((s->trnmod & SDHC_TRNS_MULTI) &&
--                    (!(s->trnmod & SDHC_TRNS_BLK_CNT_EN) || s->blkcnt == 0)) {
--                break;
--            }
--
-             if ((s->blkcnt == 1) || !(s->trnmod & SDHC_TRNS_MULTI)) {
-                 sdhci_sdma_transfer_single_block(s);
-             } else {
--- 
-2.9.3
-

diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-6058.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-6058.patch
deleted file mode 100644
index 666c18ccea1..00000000000
--- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-6058.patch
+++ /dev/null
@@ -1,112 +0,0 @@
-This patch fixed a problem that was introduced in commit eb700029.
-
-When net_rx_pkt_attach_iovec() calls eth_strip_vlan()
-this can result in pkt->ehdr_buf being overflowed, because
-ehdr_buf is only sizeof(struct eth_header) bytes large
-but eth_strip_vlan() can write
-sizeof(struct eth_header) + sizeof(struct vlan_header)
-bytes into it.
-
-Devices affected by this problem: vmxnet3.
-
-Reported-by: Peter Maydell <address@hidden>
-Signed-off-by: Dmitry Fleytman <address@hidden>
----
- hw/net/net_rx_pkt.c | 34 +++++++++++++++++-----------------
- 1 file changed, 17 insertions(+), 17 deletions(-)
-
-diff --git a/hw/net/net_rx_pkt.c b/hw/net/net_rx_pkt.c
-index 1019b50..7c0beac 100644
---- a/hw/net/net_rx_pkt.c
-+++ b/hw/net/net_rx_pkt.c
-@@ -23,13 +23,13 @@
- 
- struct NetRxPkt {
-     struct virtio_net_hdr virt_hdr;
--    uint8_t ehdr_buf[sizeof(struct eth_header)];
-+    uint8_t ehdr_buf[sizeof(struct eth_header) + sizeof(struct vlan_header)];
-     struct iovec *vec;
-     uint16_t vec_len_total;
-     uint16_t vec_len;
-     uint32_t tot_len;
-     uint16_t tci;
--    bool vlan_stripped;
-+    size_t ehdr_buf_len;
-     bool has_virt_hdr;
-     eth_pkt_types_e packet_type;
- 
-@@ -88,15 +88,13 @@ net_rx_pkt_pull_data(struct NetRxPkt *pkt,
-                         const struct iovec *iov, int iovcnt,
-                         size_t ploff)
- {
--    if (pkt->vlan_stripped) {
-+    if (pkt->ehdr_buf_len) {
-         net_rx_pkt_iovec_realloc(pkt, iovcnt + 1);
- 
-         pkt->vec[0].iov_base = pkt->ehdr_buf;
--        pkt->vec[0].iov_len = sizeof(pkt->ehdr_buf);
--
--        pkt->tot_len =
--            iov_size(iov, iovcnt) - ploff + sizeof(struct eth_header);
-+        pkt->vec[0].iov_len = pkt->ehdr_buf_len;
- 
-+        pkt->tot_len = iov_size(iov, iovcnt) - ploff + pkt->ehdr_buf_len;
-         pkt->vec_len = iov_copy(pkt->vec + 1, pkt->vec_len_total - 1,
-                                 iov, iovcnt, ploff, pkt->tot_len);
-     } else {
-@@ -123,11 +121,12 @@ void net_rx_pkt_attach_iovec(struct NetRxPkt *pkt,
-     uint16_t tci = 0;
-     uint16_t ploff = iovoff;
-     assert(pkt);
--    pkt->vlan_stripped = false;
- 
-     if (strip_vlan) {
--        pkt->vlan_stripped = eth_strip_vlan(iov, iovcnt, iovoff, pkt->ehdr_buf,
--                                            &ploff, &tci);
-+        pkt->ehdr_buf_len = eth_strip_vlan(iov, iovcnt, iovoff, pkt->ehdr_buf,
-+                                           &ploff, &tci);
-+    } else {
-+        pkt->ehdr_buf_len = 0;
-     }
- 
-     pkt->tci = tci;
-@@ -143,12 +142,13 @@ void net_rx_pkt_attach_iovec_ex(struct NetRxPkt *pkt,
-     uint16_t tci = 0;
-     uint16_t ploff = iovoff;
-     assert(pkt);
--    pkt->vlan_stripped = false;
- 
-     if (strip_vlan) {
--        pkt->vlan_stripped = eth_strip_vlan_ex(iov, iovcnt, iovoff, vet,
--                                               pkt->ehdr_buf,
--                                               &ploff, &tci);
-+        pkt->ehdr_buf_len = eth_strip_vlan_ex(iov, iovcnt, iovoff, vet,
-+                                              pkt->ehdr_buf,
-+                                              &ploff, &tci);
-+    } else {
-+        pkt->ehdr_buf_len = 0;
-     }
- 
-     pkt->tci = tci;
-@@ -162,8 +162,8 @@ void net_rx_pkt_dump(struct NetRxPkt *pkt)
-     NetRxPkt *pkt = (NetRxPkt *)pkt;
-     assert(pkt);
- 
--    printf("RX PKT: tot_len: %d, vlan_stripped: %d, vlan_tag: %d\n",
--              pkt->tot_len, pkt->vlan_stripped, pkt->tci);
-+    printf("RX PKT: tot_len: %d, ehdr_buf_len: %lu, vlan_tag: %d\n",
-+              pkt->tot_len, pkt->ehdr_buf_len, pkt->tci);
- #endif
- }
- 
-@@ -426,7 +426,7 @@ bool net_rx_pkt_is_vlan_stripped(struct NetRxPkt *pkt)
- {
-     assert(pkt);
- 
--    return pkt->vlan_stripped;
-+    return pkt->ehdr_buf_len ? true : false;
- }
- 
- bool net_rx_pkt_has_virt_hdr(struct NetRxPkt *pkt)
--- 
-2.7.4

diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-6505.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-6505.patch
deleted file mode 100644
index a15aa96bd56..00000000000
--- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-6505.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From 95ed56939eb2eaa4e2f349fe6dcd13ca4edfd8fb Mon Sep 17 00:00:00 2001
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Tue, 7 Feb 2017 02:23:33 -0800
-Subject: [PATCH] usb: ohci: limit the number of link eds
-
-The guest may builds an infinite loop with link eds. This patch
-limit the number of linked ed to avoid this.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-Message-id: 5899a02e.45ca240a.6c373.93c1@mx.google.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- hw/usb/hcd-ohci.c | 9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c
-index 2cba3e3..21c93e0 100644
---- a/hw/usb/hcd-ohci.c
-+++ b/hw/usb/hcd-ohci.c
-@@ -42,6 +42,8 @@
- 
- #define OHCI_MAX_PORTS 15
- 
-+#define ED_LINK_LIMIT 4
-+
- static int64_t usb_frame_time;
- static int64_t usb_bit_time;
- 
-@@ -1184,7 +1186,7 @@ static int ohci_service_ed_list(OHCIState *ohci, uint32_t head, int completion)
-     uint32_t next_ed;
-     uint32_t cur;
-     int active;
--
-+    uint32_t link_cnt = 0;
-     active = 0;
- 
-     if (head == 0)
-@@ -1199,6 +1201,11 @@ static int ohci_service_ed_list(OHCIState *ohci, uint32_t head, int completion)
- 
-         next_ed = ed.next & OHCI_DPTR_MASK;
- 
-+        if (++link_cnt > ED_LINK_LIMIT) {
-+            ohci_die(ohci);
-+            return 0;
-+        }
-+
-         if ((ed.head & OHCI_ED_H) || (ed.flags & OHCI_ED_K)) {
-             uint32_t addr;
-             /* Cancel pending packets for ED that have been paused.  */
--- 
-2.10.2
-

diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-7377.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-7377.patch
deleted file mode 100644
index f2d317c3c94..00000000000
--- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-7377.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From d63fb193e71644a073b77ff5ac6f1216f2f6cf6e Mon Sep 17 00:00:00 2001
-From: Li Qiang <liq3ea@gmail.com>
-Date: Mon, 27 Mar 2017 21:13:19 +0200
-Subject: [PATCH] 9pfs: fix file descriptor leak
-
-The v9fs_create() and v9fs_lcreate() functions are used to create a file
-on the backend and to associate it to a fid. The fid shouldn't be already
-in-use, otherwise both functions may silently leak a file descriptor or
-allocated memory. The current code doesn't check that.
-
-This patch ensures that the fid isn't already associated to anything
-before using it.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-(reworded the changelog, Greg Kurz)
-Signed-off-by: Greg Kurz <groug@kaod.org>
----
- hw/9pfs/9p.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
-index b8c0b99..48babce 100644
---- a/hw/9pfs/9p.c
-+++ b/hw/9pfs/9p.c
-@@ -1550,6 +1550,10 @@ static void coroutine_fn v9fs_lcreate(void *opaque)
-         err = -ENOENT;
-         goto out_nofid;
-     }
-+    if (fidp->fid_type != P9_FID_NONE) {
-+        err = -EINVAL;
-+        goto out;
-+    }
- 
-     flags = get_dotl_openflags(pdu->s, flags);
-     err = v9fs_co_open2(pdu, fidp, &name, gid,
-@@ -2153,6 +2157,10 @@ static void coroutine_fn v9fs_create(void *opaque)
-         err = -EINVAL;
-         goto out_nofid;
-     }
-+    if (fidp->fid_type != P9_FID_NONE) {
-+        err = -EINVAL;
-+        goto out;
-+    }
-     if (perm & P9_STAT_MODE_DIR) {
-         err = v9fs_co_mkdir(pdu, fidp, &name, perm & 0777,
-                             fidp->uid, -1, &stbuf);
--- 
-2.10.2
-

diff --git a/app-emulation/qemu/files/qemu-2.8.1-CVE-2017-7471.patch b/app-emulation/qemu/files/qemu-2.8.1-CVE-2017-7471.patch
deleted file mode 100644
index c5366f5758e..00000000000
--- a/app-emulation/qemu/files/qemu-2.8.1-CVE-2017-7471.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From 9c6b899f7a46893ab3b671e341a2234e9c0c060e Mon Sep 17 00:00:00 2001
-From: Greg Kurz <groug@kaod.org>
-Date: Mon, 17 Apr 2017 10:53:23 +0200
-Subject: [PATCH] 9pfs: local: set the path of the export root to "."
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The local backend was recently converted to using "at*()" syscalls in order
-to ensure all accesses happen below the shared directory. This requires that
-we only pass relative paths, otherwise the dirfd argument to the "at*()"
-syscalls is ignored and the path is treated as an absolute path in the host.
-This is actually the case for paths in all fids, with the notable exception
-of the root fid, whose path is "/". This causes the following backend ops to
-act on the "/" directory of the host instead of the virtfs shared directory
-when the export root is involved:
-- lstat
-- chmod
-- chown
-- utimensat
-
-ie, chmod /9p_mount_point in the guest will be converted to chmod / in the
-host for example. This could cause security issues with a privileged QEMU.
-
-All "*at()" syscalls are being passed an open file descriptor. In the case
-of the export root, this file descriptor points to the path in the host that
-was passed to -fsdev.
-
-The fix is thus as simple as changing the path of the export root fid to be
-"." instead of "/".
-
-This is CVE-2017-7471.
-
-Cc: qemu-stable@nongnu.org
-Reported-by: Léo Gaspard <leo@gaspard.io>
-Signed-off-by: Greg Kurz <groug@kaod.org>
-Reviewed-by: Eric Blake <eblake@redhat.com>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/9pfs/9p-local.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c
-index 45e9a1f..f3ebca4 100644
---- a/hw/9pfs/9p-local.c
-+++ b/hw/9pfs/9p-local.c
-@@ -1098,8 +1098,13 @@ static int local_name_to_path(FsContext *ctx, V9fsPath *dir_path,
- {
-     if (dir_path) {
-         v9fs_path_sprintf(target, "%s/%s", dir_path->data, name);
--    } else {
-+    } else if (strcmp(name, "/")) {
-         v9fs_path_sprintf(target, "%s", name);
-+    } else {
-+        /* We want the path of the export root to be relative, otherwise
-+         * "*at()" syscalls would treat it as "/" in the host.
-+         */
-+        v9fs_path_sprintf(target, "%s", ".");
-     }
-     return 0;
- }
--- 
-2.10.2
-

diff --git a/app-emulation/qemu/files/qemu-2.8.1-CVE-2017-8086.patch b/app-emulation/qemu/files/qemu-2.8.1-CVE-2017-8086.patch
deleted file mode 100644
index eac72f3dcb5..00000000000
--- a/app-emulation/qemu/files/qemu-2.8.1-CVE-2017-8086.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From 4ffcdef4277a91af15a3c09f7d16af072c29f3f2 Mon Sep 17 00:00:00 2001
-From: Li Qiang <liq3ea@gmail.com>
-Date: Fri, 7 Apr 2017 03:48:52 -0700
-Subject: [PATCH] 9pfs: xattr: fix memory leak in v9fs_list_xattr
-
-Free 'orig_value' in error path.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-Signed-off-by: Greg Kurz <groug@kaod.org>
----
- hw/9pfs/9p-xattr.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/hw/9pfs/9p-xattr.c b/hw/9pfs/9p-xattr.c
-index eec160b..d05c1a1 100644
---- a/hw/9pfs/9p-xattr.c
-+++ b/hw/9pfs/9p-xattr.c
-@@ -108,6 +108,7 @@ ssize_t v9fs_list_xattr(FsContext *ctx, const char *path,
-     g_free(name);
-     close_preserve_errno(dirfd);
-     if (xattr_len < 0) {
-+        g_free(orig_value);
-         return -1;
-     }
- 
--- 
-2.10.2
-


^ permalink raw reply related	[flat|nested] 21+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: app-emulation/qemu/files/
@ 2016-09-05  5:30 Matthias Maier
  0 siblings, 0 replies; 21+ messages in thread
From: Matthias Maier @ 2016-09-05  5:30 UTC (permalink / raw
  To: gentoo-commits

commit:     6ac7a9b9a00ee2c1afb780ffcafc8e66ce1b59d9
Author:     Matthias Maier <tamiko <AT> gentoo <DOT> org>
AuthorDate: Mon Sep  5 05:00:00 2016 +0000
Commit:     Matthias Maier <tamiko <AT> gentoo <DOT> org>
CommitDate: Mon Sep  5 05:30:00 2016 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6ac7a9b9

app-emulation/qemu: drop obsolete patches

Package-Manager: portage-2.2.28

 .../qemu/files/qemu-2.5.0-9pfs-segfault.patch      |  34 ------
 .../qemu/files/qemu-2.5.0-CVE-2015-8567.patch      |  95 ----------------
 .../qemu/files/qemu-2.5.0-CVE-2015-8613.patch      |  35 ------
 .../qemu/files/qemu-2.5.0-CVE-2015-8619.patch      | 121 ---------------------
 .../qemu/files/qemu-2.5.0-CVE-2015-8701.patch      |  49 ---------
 .../qemu/files/qemu-2.5.0-CVE-2015-8743.patch      |  50 ---------
 .../qemu/files/qemu-2.5.0-CVE-2016-1568.patch      |  41 -------
 .../qemu/files/qemu-2.5.0-CVE-2016-1714.patch      |  58 ----------
 .../qemu/files/qemu-2.5.0-CVE-2016-1922.patch      |  65 -----------
 .../qemu/files/qemu-2.5.0-CVE-2016-1981.patch      |  98 -----------------
 .../qemu/files/qemu-2.5.0-CVE-2016-2197.patch      |  43 --------
 .../qemu/files/qemu-2.5.0-CVE-2016-2392.patch      |  35 ------
 .../qemu/files/qemu-2.5.0-ne2000-reg-check.patch   |  37 -------
 .../qemu/files/qemu-2.5.0-usb-ehci-oob.patch       |  52 ---------
 .../files/qemu-2.5.0-usb-ndis-int-overflow.patch   |  59 ----------
 .../qemu/files/qemu-2.6.0-crypto-static.patch      |  60 ----------
 .../qemu/files/qemu-2.6.0-glib-size_t.patch        |  11 --
 17 files changed, 943 deletions(-)

diff --git a/app-emulation/qemu/files/qemu-2.5.0-9pfs-segfault.patch b/app-emulation/qemu/files/qemu-2.5.0-9pfs-segfault.patch
deleted file mode 100644
index 0e27684..00000000
--- a/app-emulation/qemu/files/qemu-2.5.0-9pfs-segfault.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 4b3a4f2d458ca5a7c6c16ac36a8d9ac22cc253d6 Mon Sep 17 00:00:00 2001
-From: Greg Kurz <gkurz@linux.vnet.ibm.com>
-Date: Wed, 23 Dec 2015 10:56:58 +0100
-Subject: [PATCH] virtio-9p: use accessor to get thread_pool
-
-The aio_context_new() function does not allocate a thread pool. This is
-deferred to the first call to the aio_get_thread_pool() accessor. It is
-hence forbidden to access the thread_pool field directly, as it may be
-NULL. The accessor *must* be used always.
-
-Fixes: ebac1202c95a4f1b76b6ef3f0f63926fa76e753e
-Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
-Tested-by: Michael Tokarev <mjt@tls.msk.ru>
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
----
- hw/9pfs/virtio-9p-coth.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/9pfs/virtio-9p-coth.c b/hw/9pfs/virtio-9p-coth.c
-index fb6e8f8..ab9425c 100644
---- a/hw/9pfs/virtio-9p-coth.c
-+++ b/hw/9pfs/virtio-9p-coth.c
-@@ -36,6 +36,6 @@ static int coroutine_enter_func(void *arg)
- void co_run_in_worker_bh(void *opaque)
- {
-     Coroutine *co = opaque;
--    thread_pool_submit_aio(qemu_get_aio_context()->thread_pool,
-+    thread_pool_submit_aio(aio_get_thread_pool(qemu_get_aio_context()),
-                            coroutine_enter_func, co, coroutine_enter_cb, co);
- }
--- 
-2.7.4
-

diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8567.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8567.patch
deleted file mode 100644
index e196043..00000000
--- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8567.patch
+++ /dev/null
@@ -1,95 +0,0 @@
-https://bugs.gentoo.org/567868
-
-From aa4a3dce1c88ed51b616806b8214b7c8428b7470 Mon Sep 17 00:00:00 2001
-From: P J P <ppandit@redhat.com>
-Date: Tue, 15 Dec 2015 12:27:54 +0530
-Subject: [PATCH] net: vmxnet3: avoid memory leakage in activate_device
-
-Vmxnet3 device emulator does not check if the device is active
-before activating it, also it did not free the transmit & receive
-buffers while deactivating the device, thus resulting in memory
-leakage on the host. This patch fixes both these issues to avoid
-host memory leakage.
-
-Reported-by: Qinghao Tang <luodalongde@gmail.com>
-Reviewed-by: Dmitry Fleytman <dmitry@daynix.com>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Jason Wang <jasowang@redhat.com>
----
- hw/net/vmxnet3.c | 24 ++++++++++++++++--------
- 1 file changed, 16 insertions(+), 8 deletions(-)
-
-diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
-index a5dd79a..9c1adfc 100644
---- a/hw/net/vmxnet3.c
-+++ b/hw/net/vmxnet3.c
-@@ -1194,8 +1194,13 @@ static void vmxnet3_reset_mac(VMXNET3State *s)
- 
- static void vmxnet3_deactivate_device(VMXNET3State *s)
- {
--    VMW_CBPRN("Deactivating vmxnet3...");
--    s->device_active = false;
-+    if (s->device_active) {
-+        VMW_CBPRN("Deactivating vmxnet3...");
-+        vmxnet_tx_pkt_reset(s->tx_pkt);
-+        vmxnet_tx_pkt_uninit(s->tx_pkt);
-+        vmxnet_rx_pkt_uninit(s->rx_pkt);
-+        s->device_active = false;
-+    }
- }
- 
- static void vmxnet3_reset(VMXNET3State *s)
-@@ -1204,7 +1209,6 @@ static void vmxnet3_reset(VMXNET3State *s)
- 
-     vmxnet3_deactivate_device(s);
-     vmxnet3_reset_interrupt_states(s);
--    vmxnet_tx_pkt_reset(s->tx_pkt);
-     s->drv_shmem = 0;
-     s->tx_sop = true;
-     s->skip_current_tx_pkt = false;
-@@ -1431,6 +1435,12 @@ static void vmxnet3_activate_device(VMXNET3State *s)
-         return;
-     }
- 
-+    /* Verify if device is active */
-+    if (s->device_active) {
-+        VMW_CFPRN("Vmxnet3 device is active");
-+        return;
-+    }
-+
-     vmxnet3_adjust_by_guest_type(s);
-     vmxnet3_update_features(s);
-     vmxnet3_update_pm_state(s);
-@@ -1627,7 +1637,7 @@ static void vmxnet3_handle_command(VMXNET3State *s, uint64_t cmd)
-         break;
- 
-     case VMXNET3_CMD_QUIESCE_DEV:
--        VMW_CBPRN("Set: VMXNET3_CMD_QUIESCE_DEV - pause the device");
-+        VMW_CBPRN("Set: VMXNET3_CMD_QUIESCE_DEV - deactivate the device");
-         vmxnet3_deactivate_device(s);
-         break;
- 
-@@ -1741,7 +1751,7 @@ vmxnet3_io_bar1_write(void *opaque,
-          * shared address only after we get the high part
-          */
-         if (val == 0) {
--            s->device_active = false;
-+            vmxnet3_deactivate_device(s);
-         }
-         s->temp_shared_guest_driver_memory = val;
-         s->drv_shmem = 0;
-@@ -2021,9 +2031,7 @@ static bool vmxnet3_peer_has_vnet_hdr(VMXNET3State *s)
- static void vmxnet3_net_uninit(VMXNET3State *s)
- {
-     g_free(s->mcast_list);
--    vmxnet_tx_pkt_reset(s->tx_pkt);
--    vmxnet_tx_pkt_uninit(s->tx_pkt);
--    vmxnet_rx_pkt_uninit(s->rx_pkt);
-+    vmxnet3_deactivate_device(s);
-     qemu_del_nic(s->nic);
- }
- 
--- 
-2.6.2
-

diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8613.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8613.patch
deleted file mode 100644
index 61a52ee..00000000
--- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8613.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 36fef36b91f7ec0435215860f1458b5342ce2811 Mon Sep 17 00:00:00 2001
-From: P J P <ppandit@redhat.com>
-Date: Mon, 21 Dec 2015 15:13:13 +0530
-Subject: [PATCH] scsi: initialise info object with appropriate size
-
-While processing controller 'CTRL_GET_INFO' command, the routine
-'megasas_ctrl_get_info' overflows the '&info' object size. Use its
-appropriate size to null initialise it.
-
-Reported-by: Qinghao Tang <luodalongde@gmail.com>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Message-Id: <alpine.LFD.2.20.1512211501420.22471@wniryva>
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: P J P <ppandit@redhat.com>
----
- hw/scsi/megasas.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
-index d7dc667..576f56c 100644
---- a/hw/scsi/megasas.c
-+++ b/hw/scsi/megasas.c
-@@ -718,7 +718,7 @@ static int megasas_ctrl_get_info(MegasasState *s, MegasasCmd *cmd)
-     BusChild *kid;
-     int num_pd_disks = 0;
- 
--    memset(&info, 0x0, cmd->iov_size);
-+    memset(&info, 0x0, dcmd_size);
-     if (cmd->iov_size < dcmd_size) {
-         trace_megasas_dcmd_invalid_xfer_len(cmd->index, cmd->iov_size,
-                                             dcmd_size);
--- 
-2.7.4
-

diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8619.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8619.patch
deleted file mode 100644
index be67336..00000000
--- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8619.patch
+++ /dev/null
@@ -1,121 +0,0 @@
-From 64ffbe04eaafebf4045a3ace52a360c14959d196 Mon Sep 17 00:00:00 2001
-From: Wolfgang Bumiller <w.bumiller@proxmox.com>
-Date: Wed, 13 Jan 2016 09:09:58 +0100
-Subject: [PATCH] hmp: fix sendkey out of bounds write (CVE-2015-8619)
-
-When processing 'sendkey' command, hmp_sendkey routine null
-terminates the 'keyname_buf' array. This results in an OOB
-write issue, if 'keyname_len' was to fall outside of
-'keyname_buf' array.
-
-Since the keyname's length is known the keyname_buf can be
-removed altogether by adding a length parameter to
-index_from_key() and using it for the error output as well.
-
-Reported-by: Ling Liu <liuling-it@360.cn>
-Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
-Message-Id: <20160113080958.GA18934@olga>
-[Comparison with "<" dumbed down, test for junk after strtoul()
-tweaked]
-Signed-off-by: Markus Armbruster <armbru@redhat.com>
----
- hmp.c                | 18 ++++++++----------
- include/ui/console.h |  2 +-
- ui/input-legacy.c    |  5 +++--
- 3 files changed, 12 insertions(+), 13 deletions(-)
-
-diff --git a/hmp.c b/hmp.c
-index 54f2620..9c571f5 100644
---- a/hmp.c
-+++ b/hmp.c
-@@ -1731,21 +1731,18 @@ void hmp_sendkey(Monitor *mon, const QDict *qdict)
-     int has_hold_time = qdict_haskey(qdict, "hold-time");
-     int hold_time = qdict_get_try_int(qdict, "hold-time", -1);
-     Error *err = NULL;
--    char keyname_buf[16];
-     char *separator;
-     int keyname_len;
- 
-     while (1) {
-         separator = strchr(keys, '-');
-         keyname_len = separator ? separator - keys : strlen(keys);
--        pstrcpy(keyname_buf, sizeof(keyname_buf), keys);
- 
-         /* Be compatible with old interface, convert user inputted "<" */
--        if (!strncmp(keyname_buf, "<", 1) && keyname_len == 1) {
--            pstrcpy(keyname_buf, sizeof(keyname_buf), "less");
-+        if (keys[0] == '<' && keyname_len == 1) {
-+            keys = "less";
-             keyname_len = 4;
-         }
--        keyname_buf[keyname_len] = 0;
- 
-         keylist = g_malloc0(sizeof(*keylist));
-         keylist->value = g_malloc0(sizeof(*keylist->value));
-@@ -1758,16 +1755,17 @@ void hmp_sendkey(Monitor *mon, const QDict *qdict)
-         }
-         tmp = keylist;
- 
--        if (strstart(keyname_buf, "0x", NULL)) {
-+        if (strstart(keys, "0x", NULL)) {
-             char *endp;
--            int value = strtoul(keyname_buf, &endp, 0);
--            if (*endp != '\0') {
-+            int value = strtoul(keys, &endp, 0);
-+            assert(endp <= keys + keyname_len);
-+            if (endp != keys + keyname_len) {
-                 goto err_out;
-             }
-             keylist->value->type = KEY_VALUE_KIND_NUMBER;
-             keylist->value->u.number = value;
-         } else {
--            int idx = index_from_key(keyname_buf);
-+            int idx = index_from_key(keys, keyname_len);
-             if (idx == Q_KEY_CODE_MAX) {
-                 goto err_out;
-             }
-@@ -1789,7 +1787,7 @@ out:
-     return;
- 
- err_out:
--    monitor_printf(mon, "invalid parameter: %s\n", keyname_buf);
-+    monitor_printf(mon, "invalid parameter: %.*s\n", keyname_len, keys);
-     goto out;
- }
- 
-diff --git a/include/ui/console.h b/include/ui/console.h
-index adac36d..116bc2b 100644
---- a/include/ui/console.h
-+++ b/include/ui/console.h
-@@ -448,7 +448,7 @@ static inline int vnc_display_pw_expire(const char *id, time_t expires)
- void curses_display_init(DisplayState *ds, int full_screen);
- 
- /* input.c */
--int index_from_key(const char *key);
-+int index_from_key(const char *key, size_t key_length);
- 
- /* gtk.c */
- void early_gtk_display_init(int opengl);
-diff --git a/ui/input-legacy.c b/ui/input-legacy.c
-index 35dfc27..3454055 100644
---- a/ui/input-legacy.c
-+++ b/ui/input-legacy.c
-@@ -57,12 +57,13 @@ struct QEMUPutLEDEntry {
- static QTAILQ_HEAD(, QEMUPutLEDEntry) led_handlers =
-     QTAILQ_HEAD_INITIALIZER(led_handlers);
- 
--int index_from_key(const char *key)
-+int index_from_key(const char *key, size_t key_length)
- {
-     int i;
- 
-     for (i = 0; QKeyCode_lookup[i] != NULL; i++) {
--        if (!strcmp(key, QKeyCode_lookup[i])) {
-+        if (!strncmp(key, QKeyCode_lookup[i], key_length) &&
-+            !QKeyCode_lookup[i][key_length]) {
-             break;
-         }
-     }
--- 
-2.7.4
-

diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8701.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8701.patch
deleted file mode 100644
index 0dab1c3..00000000
--- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8701.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-https://bugs.gentoo.org/570110
-
-From 007cd223de527b5f41278f2d886c1a4beb3e67aa Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Mon, 28 Dec 2015 16:24:08 +0530
-Subject: [PATCH] net: rocker: fix an incorrect array bounds check
-
-While processing transmit(tx) descriptors in 'tx_consume' routine
-the switch emulator suffers from an off-by-one error, if a
-descriptor was to have more than allowed(ROCKER_TX_FRAGS_MAX=16)
-fragments. Fix an incorrect bounds check to avoid it.
-
-Reported-by: Qinghao Tang <luodalongde@gmail.com>
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Signed-off-by: Jason Wang <jasowang@redhat.com>
----
- hw/net/rocker/rocker.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/hw/net/rocker/rocker.c b/hw/net/rocker/rocker.c
-index c57f1a6..2e77e50 100644
---- a/hw/net/rocker/rocker.c
-+++ b/hw/net/rocker/rocker.c
-@@ -232,6 +232,9 @@ static int tx_consume(Rocker *r, DescInfo *info)
-         frag_addr = rocker_tlv_get_le64(tlvs[ROCKER_TLV_TX_FRAG_ATTR_ADDR]);
-         frag_len = rocker_tlv_get_le16(tlvs[ROCKER_TLV_TX_FRAG_ATTR_LEN]);
- 
-+        if (iovcnt >= ROCKER_TX_FRAGS_MAX) {
-+            goto err_too_many_frags;
-+        }
-         iov[iovcnt].iov_len = frag_len;
-         iov[iovcnt].iov_base = g_malloc(frag_len);
-         if (!iov[iovcnt].iov_base) {
-@@ -244,10 +247,7 @@ static int tx_consume(Rocker *r, DescInfo *info)
-             err = -ROCKER_ENXIO;
-             goto err_bad_io;
-         }
--
--        if (++iovcnt > ROCKER_TX_FRAGS_MAX) {
--            goto err_too_many_frags;
--        }
-+        iovcnt++;
-     }
- 
-     if (iovcnt) {
--- 
-2.6.2
-

diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8743.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8743.patch
deleted file mode 100644
index b2bca56..00000000
--- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8743.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-https://bugs.gentoo.org/570988
-
-From aa7f9966dfdff500bbbf1956d9e115b1fa8987a6 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Thu, 31 Dec 2015 17:05:27 +0530
-Subject: [PATCH] net: ne2000: fix bounds check in ioport operations
-
-While doing ioport r/w operations, ne2000 device emulation suffers
-from OOB r/w errors. Update respective array bounds check to avoid
-OOB access.
-
-Reported-by: Ling Liu <liuling-it@360.cn>
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Signed-off-by: Jason Wang <jasowang@redhat.com>
----
- hw/net/ne2000.c | 10 ++++++----
- 1 file changed, 6 insertions(+), 4 deletions(-)
-
-diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
-index 010f9ef..a3dffff 100644
---- a/hw/net/ne2000.c
-+++ b/hw/net/ne2000.c
-@@ -467,8 +467,9 @@ static inline void ne2000_mem_writel(NE2000State *s, uint32_t addr,
-                                      uint32_t val)
- {
-     addr &= ~1; /* XXX: check exact behaviour if not even */
--    if (addr < 32 ||
--        (addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE)) {
-+    if (addr < 32
-+        || (addr >= NE2000_PMEM_START
-+            && addr + sizeof(uint32_t) <= NE2000_MEM_SIZE)) {
-         stl_le_p(s->mem + addr, val);
-     }
- }
-@@ -497,8 +498,9 @@ static inline uint32_t ne2000_mem_readw(NE2000State *s, uint32_t addr)
- static inline uint32_t ne2000_mem_readl(NE2000State *s, uint32_t addr)
- {
-     addr &= ~1; /* XXX: check exact behaviour if not even */
--    if (addr < 32 ||
--        (addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE)) {
-+    if (addr < 32
-+        || (addr >= NE2000_PMEM_START
-+            && addr + sizeof(uint32_t) <= NE2000_MEM_SIZE)) {
-         return ldl_le_p(s->mem + addr);
-     } else {
-         return 0xffffffff;
--- 
-2.6.2
-

diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1568.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1568.patch
deleted file mode 100644
index 4ce9a35..00000000
--- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1568.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-https://bugs.gentoo.org/571566
-
-From 4ab0359a8ae182a7ac5c99609667273167703fab Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Mon, 11 Jan 2016 14:10:42 -0500
-Subject: [PATCH] ide: ahci: reset ncq object to unused on error
-
-When processing NCQ commands, AHCI device emulation prepares a
-NCQ transfer object; To which an aio control block(aiocb) object
-is assigned in 'execute_ncq_command'. In case, when the NCQ
-command is invalid, the 'aiocb' object is not assigned, and NCQ
-transfer object is left as 'used'. This leads to a use after
-free kind of error in 'bdrv_aio_cancel_async' via 'ahci_reset_port'.
-Reset NCQ transfer object to 'unused' to avoid it.
-
-[Maintainer edit: s/ACHI/AHCI/ in the commit message. --js]
-
-Reported-by: Qinghao Tang <luodalongde@gmail.com>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Reviewed-by: John Snow <jsnow@redhat.com>
-Message-id: 1452282511-4116-1-git-send-email-ppandit@redhat.com
-Signed-off-by: John Snow <jsnow@redhat.com>
----
- hw/ide/ahci.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
-index dd1912e..17f1cbd 100644
---- a/hw/ide/ahci.c
-+++ b/hw/ide/ahci.c
-@@ -910,6 +910,7 @@ static void ncq_err(NCQTransferState *ncq_tfs)
-     ide_state->error = ABRT_ERR;
-     ide_state->status = READY_STAT | ERR_STAT;
-     ncq_tfs->drive->port_regs.scr_err |= (1 << ncq_tfs->tag);
-+    ncq_tfs->used = 0;
- }
- 
- static void ncq_finish(NCQTransferState *ncq_tfs)
--- 
-2.6.2
-

diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1714.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1714.patch
deleted file mode 100644
index 917fa2f..00000000
--- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1714.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From 66f8fd9dda312191b78d2a2ba2848bcee76127a2 Mon Sep 17 00:00:00 2001
-From: "Gabriel L. Somlo" <somlo@cmu.edu>
-Date: Thu, 5 Nov 2015 09:32:50 -0500
-Subject: [PATCH] fw_cfg: avoid calculating invalid current entry pointer
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-When calculating a pointer to the currently selected fw_cfg item, the
-following is used:
-
-  FWCfgEntry *e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK];
-
-When s->cur_entry is FW_CFG_INVALID, we are calculating the address of
-a non-existent element in s->entries[arch][...], which is undefined.
-
-This patch ensures the resulting entry pointer is set to NULL whenever
-s->cur_entry is FW_CFG_INVALID.
-
-Reported-by: Laszlo Ersek <lersek@redhat.com>
-Reviewed-by: Laszlo Ersek <lersek@redhat.com>
-Signed-off-by: Gabriel Somlo <somlo@cmu.edu>
-Message-id: 1446733972-1602-5-git-send-email-somlo@cmu.edu
-Cc: Marc Marí <markmb@redhat.com>
-Signed-off-by: Gabriel Somlo <somlo@cmu.edu>
-Reviewed-by: Laszlo Ersek <lersek@redhat.com>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- hw/nvram/fw_cfg.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/hw/nvram/fw_cfg.c b/hw/nvram/fw_cfg.c
-index c2d3a0a..046fa74 100644
---- a/hw/nvram/fw_cfg.c
-+++ b/hw/nvram/fw_cfg.c
-@@ -277,7 +277,8 @@ static int fw_cfg_select(FWCfgState *s, uint16_t key)
- static uint8_t fw_cfg_read(FWCfgState *s)
- {
-     int arch = !!(s->cur_entry & FW_CFG_ARCH_LOCAL);
--    FWCfgEntry *e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK];
-+    FWCfgEntry *e = (s->cur_entry == FW_CFG_INVALID) ? NULL :
-+                    &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK];
-     uint8_t ret;
- 
-     if (s->cur_entry == FW_CFG_INVALID || !e->data || s->cur_offset >= e->len)
-@@ -342,7 +343,8 @@ static void fw_cfg_dma_transfer(FWCfgState *s)
-     }
- 
-     arch = !!(s->cur_entry & FW_CFG_ARCH_LOCAL);
--    e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK];
-+    e = (s->cur_entry == FW_CFG_INVALID) ? NULL :
-+        &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK];
- 
-     if (dma.control & FW_CFG_DMA_CTL_READ) {
-         read = 1;
--- 
-2.7.4
-

diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1922.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1922.patch
deleted file mode 100644
index 23c2341..00000000
--- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1922.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From 4c1396cb576c9b14425558b73de1584c7a9735d7 Mon Sep 17 00:00:00 2001
-From: P J P <ppandit@redhat.com>
-Date: Fri, 18 Dec 2015 11:35:07 +0530
-Subject: [PATCH] i386: avoid null pointer dereference
-
-    Hello,
-
-A null pointer dereference issue was reported by Mr Ling Liu, CC'd here. It
-occurs while doing I/O port write operations via hmp interface. In that,
-'current_cpu' remains null as it is not called from cpu_exec loop, which
-results in the said issue.
-
-Below is a proposed (tested)patch to fix this issue; Does it look okay?
-
-===
-From ae88a4947fab9a148cd794f8ad2d812e7f5a1d0f Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Fri, 18 Dec 2015 11:16:07 +0530
-Subject: [PATCH] i386: avoid null pointer dereference
-
-When I/O port write operation is called from hmp interface,
-'current_cpu' remains null, as it is not called from cpu_exec()
-loop. This leads to a null pointer dereference in vapic_write
-routine. Add check to avoid it.
-
-Reported-by: Ling Liu <liuling-it@360.cn>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Message-Id: <alpine.LFD.2.20.1512181129320.9805@wniryva>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: P J P <ppandit@redhat.com>
----
- hw/i386/kvmvapic.c | 15 ++++++++++-----
- 1 file changed, 10 insertions(+), 5 deletions(-)
-
-diff --git a/hw/i386/kvmvapic.c b/hw/i386/kvmvapic.c
-index c6d34b2..f0922da 100644
---- a/hw/i386/kvmvapic.c
-+++ b/hw/i386/kvmvapic.c
-@@ -634,13 +634,18 @@ static int vapic_prepare(VAPICROMState *s)
- static void vapic_write(void *opaque, hwaddr addr, uint64_t data,
-                         unsigned int size)
- {
--    CPUState *cs = current_cpu;
--    X86CPU *cpu = X86_CPU(cs);
--    CPUX86State *env = &cpu->env;
--    hwaddr rom_paddr;
-     VAPICROMState *s = opaque;
-+    X86CPU *cpu;
-+    CPUX86State *env;
-+    hwaddr rom_paddr;
- 
--    cpu_synchronize_state(cs);
-+    if (!current_cpu) {
-+        return;
-+    }
-+
-+    cpu_synchronize_state(current_cpu);
-+    cpu = X86_CPU(current_cpu);
-+    env = &cpu->env;
- 
-     /*
-      * The VAPIC supports two PIO-based hypercalls, both via port 0x7E.
--- 
-2.7.4
-

diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1981.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1981.patch
deleted file mode 100644
index 2922193..00000000
--- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1981.patch
+++ /dev/null
@@ -1,98 +0,0 @@
-From dd793a74882477ca38d49e191110c17dfee51dcc Mon Sep 17 00:00:00 2001
-From: Laszlo Ersek <lersek@redhat.com>
-Date: Tue, 19 Jan 2016 14:17:20 +0100
-Subject: [PATCH] e1000: eliminate infinite loops on out-of-bounds transfer
- start
-
-The start_xmit() and e1000_receive_iov() functions implement DMA transfers
-iterating over a set of descriptors that the guest's e1000 driver
-prepares:
-
-- the TDLEN and RDLEN registers store the total size of the descriptor
-  area,
-
-- while the TDH and RDH registers store the offset (in whole tx / rx
-  descriptors) into the area where the transfer is supposed to start.
-
-Each time a descriptor is processed, the TDH and RDH register is bumped
-(as appropriate for the transfer direction).
-
-QEMU already contains logic to deal with bogus transfers submitted by the
-guest:
-
-- Normally, the transmit case wants to increase TDH from its initial value
-  to TDT. (TDT is allowed to be numerically smaller than the initial TDH
-  value; wrapping at or above TDLEN bytes to zero is normal.) The failsafe
-  that QEMU currently has here is a check against reaching the original
-  TDH value again -- a complete wraparound, which should never happen.
-
-- In the receive case RDH is increased from its initial value until
-  "total_size" bytes have been received; preferably in a single step, or
-  in "s->rxbuf_size" byte steps, if the latter is smaller. However, null
-  RX descriptors are skipped without receiving data, while RDH is
-  incremented just the same. QEMU tries to prevent an infinite loop
-  (processing only null RX descriptors) by detecting whether RDH assumes
-  its original value during the loop. (Again, wrapping from RDLEN to 0 is
-  normal.)
-
-What both directions miss is that the guest could program TDLEN and RDLEN
-so low, and the initial TDH and RDH so high, that these registers will
-immediately be truncated to zero, and then never reassume their initial
-values in the loop -- a full wraparound will never occur.
-
-The condition that expresses this is:
-
-  xdh_start >= s->mac_reg[XDLEN] / sizeof(desc)
-
-i.e., TDH or RDH start out after the last whole rx or tx descriptor that
-fits into the TDLEN or RDLEN sized area.
-
-This condition could be checked before we enter the loops, but
-pci_dma_read() / pci_dma_write() knows how to fill in buffers safely for
-bogus DMA addresses, so we just extend the existing failsafes with the
-above condition.
-
-This is CVE-2016-1981.
-
-Cc: "Michael S. Tsirkin" <mst@redhat.com>
-Cc: Petr Matousek <pmatouse@redhat.com>
-Cc: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
-Cc: Prasad Pandit <ppandit@redhat.com>
-Cc: Michael Roth <mdroth@linux.vnet.ibm.com>
-Cc: Jason Wang <jasowang@redhat.com>
-Cc: qemu-stable@nongnu.org
-RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1296044
-Signed-off-by: Laszlo Ersek <lersek@redhat.com>
-Reviewed-by: Jason Wang <jasowang@redhat.com>
-Signed-off-by: Jason Wang <jasowang@redhat.com>
----
- hw/net/e1000.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/hw/net/e1000.c b/hw/net/e1000.c
-index 4eda7a3..0387fa0 100644
---- a/hw/net/e1000.c
-+++ b/hw/net/e1000.c
-@@ -909,7 +909,8 @@ start_xmit(E1000State *s)
-          * bogus values to TDT/TDLEN.
-          * there's nothing too intelligent we could do about this.
-          */
--        if (s->mac_reg[TDH] == tdh_start) {
-+        if (s->mac_reg[TDH] == tdh_start ||
-+            tdh_start >= s->mac_reg[TDLEN] / sizeof(desc)) {
-             DBGOUT(TXERR, "TDH wraparound @%x, TDT %x, TDLEN %x\n",
-                    tdh_start, s->mac_reg[TDT], s->mac_reg[TDLEN]);
-             break;
-@@ -1166,7 +1167,8 @@ e1000_receive_iov(NetClientState *nc, const struct iovec *iov, int iovcnt)
-         if (++s->mac_reg[RDH] * sizeof(desc) >= s->mac_reg[RDLEN])
-             s->mac_reg[RDH] = 0;
-         /* see comment in start_xmit; same here */
--        if (s->mac_reg[RDH] == rdh_start) {
-+        if (s->mac_reg[RDH] == rdh_start ||
-+            rdh_start >= s->mac_reg[RDLEN] / sizeof(desc)) {
-             DBGOUT(RXERR, "RDH wraparound @%x, RDT %x, RDLEN %x\n",
-                    rdh_start, s->mac_reg[RDT], s->mac_reg[RDLEN]);
-             set_ics(s, 0, E1000_ICS_RXO);
--- 
-2.7.4
-

diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2197.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2197.patch
deleted file mode 100644
index 0ab7b02..00000000
--- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2197.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 99b4cb71069f109b79b27bc629fc0cf0886dbc4b Mon Sep 17 00:00:00 2001
-From: John Snow <jsnow@redhat.com>
-Date: Wed, 10 Feb 2016 13:29:40 -0500
-Subject: [PATCH] ahci: Do not unmap NULL addresses
-
-Definitely don't try to unmap a garbage address.
-
-Reported-by: Zuozhi fzz <zuozhi.fzz@alibaba-inc.com>
-Signed-off-by: John Snow <jsnow@redhat.com>
-Message-id: 1454103689-13042-2-git-send-email-jsnow@redhat.com
----
- hw/ide/ahci.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
-index 7e87b18..3a95dad 100644
---- a/hw/ide/ahci.c
-+++ b/hw/ide/ahci.c
-@@ -662,6 +662,10 @@ static bool ahci_map_fis_address(AHCIDevice *ad)
- 
- static void ahci_unmap_fis_address(AHCIDevice *ad)
- {
-+    if (ad->res_fis == NULL) {
-+        DPRINTF(ad->port_no, "Attempt to unmap NULL FIS address\n");
-+        return;
-+    }
-     dma_memory_unmap(ad->hba->as, ad->res_fis, 256,
-                      DMA_DIRECTION_FROM_DEVICE, 256);
-     ad->res_fis = NULL;
-@@ -678,6 +682,10 @@ static bool ahci_map_clb_address(AHCIDevice *ad)
- 
- static void ahci_unmap_clb_address(AHCIDevice *ad)
- {
-+    if (ad->lst == NULL) {
-+        DPRINTF(ad->port_no, "Attempt to unmap NULL CLB address\n");
-+        return;
-+    }
-     dma_memory_unmap(ad->hba->as, ad->lst, 1024,
-                      DMA_DIRECTION_FROM_DEVICE, 1024);
-     ad->lst = NULL;
--- 
-2.7.4
-

diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2392.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2392.patch
deleted file mode 100644
index e7aa5ca..00000000
--- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2392.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 80eecda8e5d09c442c24307f340840a5b70ea3b9 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Thu, 11 Feb 2016 16:31:20 +0530
-Subject: [PATCH] usb: check USB configuration descriptor object
-
-When processing remote NDIS control message packets, the USB Net
-device emulator checks to see if the USB configuration descriptor
-object is of RNDIS type(2). But it does not check if it is null,
-which leads to a null dereference error. Add check to avoid it.
-
-Reported-by: Qinghao Tang <luodalongde@gmail.com>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Message-id: 1455188480-14688-1-git-send-email-ppandit@redhat.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- hw/usb/dev-network.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/hw/usb/dev-network.c b/hw/usb/dev-network.c
-index 985a629..5dc4538 100644
---- a/hw/usb/dev-network.c
-+++ b/hw/usb/dev-network.c
-@@ -654,7 +654,8 @@ typedef struct USBNetState {
- 
- static int is_rndis(USBNetState *s)
- {
--    return s->dev.config->bConfigurationValue == DEV_RNDIS_CONFIG_VALUE;
-+    return s->dev.config ?
-+            s->dev.config->bConfigurationValue == DEV_RNDIS_CONFIG_VALUE : 0;
- }
- 
- static int ndis_query(USBNetState *s, uint32_t oid,
--- 
-2.7.4
-

diff --git a/app-emulation/qemu/files/qemu-2.5.0-ne2000-reg-check.patch b/app-emulation/qemu/files/qemu-2.5.0-ne2000-reg-check.patch
deleted file mode 100644
index 2874b75..00000000
--- a/app-emulation/qemu/files/qemu-2.5.0-ne2000-reg-check.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 415ab35a441eca767d033a2702223e785b9d5190 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Wed, 24 Feb 2016 11:41:33 +0530
-Subject: [PATCH] net: ne2000: check ring buffer control registers
-
-Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
-bytes to process network packets. Registers PSTART & PSTOP
-define ring buffer size & location. Setting these registers
-to invalid values could lead to infinite loop or OOB r/w
-access issues. Add check to avoid it.
-
-Reported-by: Yang Hongke <yanghongke@huawei.com>
-Tested-by: Yang Hongke <yanghongke@huawei.com>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Signed-off-by: Jason Wang <jasowang@redhat.com>
----
- hw/net/ne2000.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
-index e408083..f0feaf9 100644
---- a/hw/net/ne2000.c
-+++ b/hw/net/ne2000.c
-@@ -155,6 +155,10 @@ static int ne2000_buffer_full(NE2000State *s)
- {
-     int avail, index, boundary;
- 
-+    if (s->stop <= s->start) {
-+        return 1;
-+    }
-+
-     index = s->curpag << 8;
-     boundary = s->boundary << 8;
-     if (index < boundary)
--- 
-2.7.4
-

diff --git a/app-emulation/qemu/files/qemu-2.5.0-usb-ehci-oob.patch b/app-emulation/qemu/files/qemu-2.5.0-usb-ehci-oob.patch
deleted file mode 100644
index 2ddca3e..00000000
--- a/app-emulation/qemu/files/qemu-2.5.0-usb-ehci-oob.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From 49d925ce50383a286278143c05511d30ec41a36e Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Wed, 20 Jan 2016 01:26:46 +0530
-Subject: [PATCH] usb: check page select value while processing iTD
-
-While processing isochronous transfer descriptors(iTD), the page
-select(PG) field value could lead to an OOB read access. Add
-check to avoid it.
-
-Reported-by: Qinghao Tang <luodalongde@gmail.com>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Message-id: 1453233406-12165-1-git-send-email-ppandit@redhat.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- hw/usb/hcd-ehci.c | 10 ++++++----
- 1 file changed, 6 insertions(+), 4 deletions(-)
-
-diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
-index ab00268..93601d9 100644
---- a/hw/usb/hcd-ehci.c
-+++ b/hw/usb/hcd-ehci.c
-@@ -1405,21 +1405,23 @@ static int ehci_process_itd(EHCIState *ehci,
-         if (itd->transact[i] & ITD_XACT_ACTIVE) {
-             pg   = get_field(itd->transact[i], ITD_XACT_PGSEL);
-             off  = itd->transact[i] & ITD_XACT_OFFSET_MASK;
--            ptr1 = (itd->bufptr[pg] & ITD_BUFPTR_MASK);
--            ptr2 = (itd->bufptr[pg+1] & ITD_BUFPTR_MASK);
-             len  = get_field(itd->transact[i], ITD_XACT_LENGTH);
- 
-             if (len > max * mult) {
-                 len = max * mult;
-             }
--
--            if (len > BUFF_SIZE) {
-+            if (len > BUFF_SIZE || pg > 6) {
-                 return -1;
-             }
- 
-+            ptr1 = (itd->bufptr[pg] & ITD_BUFPTR_MASK);
-             qemu_sglist_init(&ehci->isgl, ehci->device, 2, ehci->as);
-             if (off + len > 4096) {
-                 /* transfer crosses page border */
-+                if (pg == 6) {
-+                    return -1;  /* avoid page pg + 1 */
-+                }
-+                ptr2 = (itd->bufptr[pg + 1] & ITD_BUFPTR_MASK);
-                 uint32_t len2 = off + len - 4096;
-                 uint32_t len1 = len - len2;
-                 qemu_sglist_add(&ehci->isgl, ptr1 + off, len1);
--- 
-2.7.4
-

diff --git a/app-emulation/qemu/files/qemu-2.5.0-usb-ndis-int-overflow.patch b/app-emulation/qemu/files/qemu-2.5.0-usb-ndis-int-overflow.patch
deleted file mode 100644
index da643fd..00000000
--- a/app-emulation/qemu/files/qemu-2.5.0-usb-ndis-int-overflow.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From fe3c546c5ff2a6210f9a4d8561cc64051ca8603e Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Wed, 17 Feb 2016 00:23:41 +0530
-Subject: [PATCH] usb: check RNDIS buffer offsets & length
-
-When processing remote NDIS control message packets,
-the USB Net device emulator uses a fixed length(4096) data buffer.
-The incoming informationBufferOffset & Length combination could
-overflow and cross that range. Check control message buffer
-offsets and length to avoid it.
-
-Reported-by: Qinghao Tang <luodalongde@gmail.com>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Message-id: 1455648821-17340-3-git-send-email-ppandit@redhat.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- hw/usb/dev-network.c | 9 ++++++---
- 1 file changed, 6 insertions(+), 3 deletions(-)
-
-diff --git a/hw/usb/dev-network.c b/hw/usb/dev-network.c
-index 5dc4538..c6abd38 100644
---- a/hw/usb/dev-network.c
-+++ b/hw/usb/dev-network.c
-@@ -916,8 +916,9 @@ static int rndis_query_response(USBNetState *s,
- 
-     bufoffs = le32_to_cpu(buf->InformationBufferOffset) + 8;
-     buflen = le32_to_cpu(buf->InformationBufferLength);
--    if (bufoffs + buflen > length)
-+    if (buflen > length || bufoffs >= length || bufoffs + buflen > length) {
-         return USB_RET_STALL;
-+    }
- 
-     infobuflen = ndis_query(s, le32_to_cpu(buf->OID),
-                             bufoffs + (uint8_t *) buf, buflen, infobuf,
-@@ -962,8 +963,9 @@ static int rndis_set_response(USBNetState *s,
- 
-     bufoffs = le32_to_cpu(buf->InformationBufferOffset) + 8;
-     buflen = le32_to_cpu(buf->InformationBufferLength);
--    if (bufoffs + buflen > length)
-+    if (buflen > length || bufoffs >= length || bufoffs + buflen > length) {
-         return USB_RET_STALL;
-+    }
- 
-     ret = ndis_set(s, le32_to_cpu(buf->OID),
-                     bufoffs + (uint8_t *) buf, buflen);
-@@ -1213,8 +1215,9 @@ static void usb_net_handle_dataout(USBNetState *s, USBPacket *p)
-     if (le32_to_cpu(msg->MessageType) == RNDIS_PACKET_MSG) {
-         uint32_t offs = 8 + le32_to_cpu(msg->DataOffset);
-         uint32_t size = le32_to_cpu(msg->DataLength);
--        if (offs + size <= len)
-+        if (offs < len && size < len && offs + size <= len) {
-             qemu_send_packet(qemu_get_queue(s->nic), s->out_buf + offs, size);
-+        }
-     }
-     s->out_ptr -= len;
-     memmove(s->out_buf, &s->out_buf[len], s->out_ptr);
--- 
-2.7.4
-

diff --git a/app-emulation/qemu/files/qemu-2.6.0-crypto-static.patch b/app-emulation/qemu/files/qemu-2.6.0-crypto-static.patch
deleted file mode 100644
index 4856373..00000000
--- a/app-emulation/qemu/files/qemu-2.6.0-crypto-static.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-https://lists.gnu.org/archive/html/qemu-devel/2016-06/msg01611.html
-
-From 6a2909cf98e892783b2502df6f7f4de46d13e42b Mon Sep 17 00:00:00 2001
-From: Mike Frysinger <vapier@chromium.org>
-Date: Mon, 6 Jun 2016 17:58:26 -0400
-Subject: [PATCH] crypto: aes: always rename internal symbols
-
-OpenSSL's libcrypto always defines AES symbols with the same names as
-qemu's local aes code.  This is problematic when enabling at least curl
-as that frequently also uses libcrypto.  It might not be noticed when
-running, but if you try to statically link, everything falls down.
-
-An example snippet:
-  LINK  qemu-nbd
-.../libcrypto.a(aes-x86_64.o): In function 'AES_encrypt':
-(.text+0x460): multiple definition of 'AES_encrypt'
-crypto/aes.o:aes.c:(.text+0x670): first defined here
-.../libcrypto.a(aes-x86_64.o): In function 'AES_decrypt':
-(.text+0x9f0): multiple definition of 'AES_decrypt'
-crypto/aes.o:aes.c:(.text+0xb30): first defined here
-.../libcrypto.a(aes-x86_64.o): In function 'AES_cbc_encrypt':
-(.text+0xf90): multiple definition of 'AES_cbc_encrypt'
-crypto/aes.o:aes.c:(.text+0xff0): first defined here
-collect2: error: ld returned 1 exit status
-.../qemu-2.6.0/rules.mak:105: recipe for target 'qemu-nbd' failed
-make: *** [qemu-nbd] Error 1
-
-The aes.h header has redefines already for FreeBSD, but go ahead and
-enable that for everyone since there's no real good reason to not use
-a namespace all the time.
-
-Signed-off-by: Mike Frysinger <vapier@chromium.org>
----
- include/crypto/aes.h | 5 ++---
- 1 file changed, 2 insertions(+), 3 deletions(-)
-
-diff --git a/include/crypto/aes.h b/include/crypto/aes.h
-index a006da2224a9..12fb321b89de 100644
---- a/include/crypto/aes.h
-+++ b/include/crypto/aes.h
-@@ -10,14 +10,13 @@ struct aes_key_st {
- };
- typedef struct aes_key_st AES_KEY;
- 
--/* FreeBSD has its own AES_set_decrypt_key in -lcrypto, avoid conflicts */
--#ifdef __FreeBSD__
-+/* FreeBSD/OpenSSL have their own AES functions with the same names in -lcrypto
-+ * (which might be pulled in via curl), so redefine to avoid conflicts. */
- #define AES_set_encrypt_key QEMU_AES_set_encrypt_key
- #define AES_set_decrypt_key QEMU_AES_set_decrypt_key
- #define AES_encrypt QEMU_AES_encrypt
- #define AES_decrypt QEMU_AES_decrypt
- #define AES_cbc_encrypt QEMU_AES_cbc_encrypt
--#endif
- 
- int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
- 	AES_KEY *key);
--- 
-2.8.2
-

diff --git a/app-emulation/qemu/files/qemu-2.6.0-glib-size_t.patch b/app-emulation/qemu/files/qemu-2.6.0-glib-size_t.patch
deleted file mode 100644
index 5fd678c..00000000
--- a/app-emulation/qemu/files/qemu-2.6.0-glib-size_t.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- a/configure	2016-08-07 15:50:20.386687733 +0200
-+++ b/configure	2016-08-07 15:53:55.489691690 +0200
-@@ -2967,7 +2967,7 @@
- }
- EOF
-
--if ! compile_prog "-Werror $CFLAGS" "$LIBS" ; then
-+if ! compile_prog "$CFLAGS" "$LIBS" ; then
-     error_exit "sizeof(size_t) doesn't match GLIB_SIZEOF_SIZE_T."\
-                "You probably need to set PKG_CONFIG_LIBDIR"\
- 	       "to point to the right pkg-config files for your"\


^ permalink raw reply related	[flat|nested] 21+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: app-emulation/qemu/files/
@ 2016-08-15 20:36 Luca Barbato
  0 siblings, 0 replies; 21+ messages in thread
From: Luca Barbato @ 2016-08-15 20:36 UTC (permalink / raw
  To: gentoo-commits

commit:     7e098a5f99fd05748c2925a1811ac08cce82ae56
Author:     Luca Barbato <lu_zero <AT> gentoo <DOT> org>
AuthorDate: Mon Aug 15 20:36:12 2016 +0000
Commit:     Luca Barbato <lu_zero <AT> gentoo <DOT> org>
CommitDate: Mon Aug 15 20:36:12 2016 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7e098a5f

app-emulation/qemu: Update ppc magic mask

Unbreak using qemu-user with current stage3.

Package-Manager: portage-2.3.0

 app-emulation/qemu/files/qemu-binfmt.initd-r1 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/app-emulation/qemu/files/qemu-binfmt.initd-r1 b/app-emulation/qemu/files/qemu-binfmt.initd-r1
index 5ad0fc0..18adb65 100644
--- a/app-emulation/qemu/files/qemu-binfmt.initd-r1
+++ b/app-emulation/qemu/files/qemu-binfmt.initd-r1
@@ -1,5 +1,5 @@
 #!/sbin/openrc-run
-# Copyright 1999-2014 Gentoo Foundation
+# Copyright 1999-2016 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
 # $Id$
 
@@ -75,7 +75,7 @@ start() {
       echo   ':sparc:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x02:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-sparc:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
    fi
    if [ $cpu != "ppc" -a -x "/usr/bin/qemu-ppc" ] ; then
-      echo   ':ppc:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x14:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-ppc:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
+      echo   ':ppc:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x14:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-ppc:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
    fi
    if [ $cpu != "m68k" -a -x "/usr/bin/qemu-m68k" ] ; then
       #echo   'Please check cpu value and header information for m68k!'


^ permalink raw reply related	[flat|nested] 21+ messages in thread

end of thread, other threads:[~2024-08-20  8:01 UTC | newest]

Thread overview: 21+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2019-05-20 16:27 [gentoo-commits] repo/gentoo:master commit in: app-emulation/qemu/files/ Matthias Maier
  -- strict thread matches above, loose matches on Subject: below --
2024-08-20  8:01 Joonas Niilola
2023-11-20 20:20 Ulrich Müller
2023-10-22 16:33 Joonas Niilola
2023-02-22 11:32 Sam James
2022-01-12  8:38 Matthias Maier
2022-01-10 21:02 John Helmert III
2022-01-06 19:08 John Helmert III
2021-06-16 20:59 Sergei Trofimovich
2021-03-14 18:53 Conrad Kostecki
2020-09-21 21:48 Conrad Kostecki
2020-07-06 18:40 Sergei Trofimovich
2020-04-18 21:31 Sergei Trofimovich
2018-03-30  2:54 Aaron Bauman
2018-03-27 15:44 Matthias Maier
2017-12-06 12:42 Michael Palimaka
2017-11-12 20:22 Matthias Maier
2017-07-26 19:37 Matthias Maier
2017-07-26 17:15 Matthias Maier
2016-09-05  5:30 Matthias Maier
2016-08-15 20:36 Luca Barbato

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox