public inbox for openembedded-core@lists.openembedded.org
* [OE-core][kirkstone 00/13] Patch review
@ 2022-06-06 14:38 Steve Sakoman
  0 siblings, 0 replies; 21+ messages in thread
From: Steve Sakoman @ 2022-06-06 14:38 UTC
  To: openembedded-core

Please review this set of patches for kirkstone and have comments back by end
of day Wednesday.

This is a set of "housekeeping" commits: updating the Upstream-Status of patches
and removing obsolete patches.

The following changes since commit e63013cc38b82659658365da53b14952711d6701:

  gcc: Upgrade to 11.3 release (2022-06-02 06:48:32 -1000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Alexander Kanavin (3):
  bash: submit patch upstream
  valgrind: submit arm patches upstream
  zip/unzip: mark all submittable patches as Inactive-Upstream

Jiaqing Zhao (4):
  systemd: Drop 0001-test-parse-argument-Include-signal.h.patch
  systemd: Remove __compare_fn_t type in musl-specific patch
  systemd: Drop 0002-don-t-use-glibc-specific-qsort_r.patch
  systemd: Correct path returned in sd_path_lookup()

Khem Raj (4):
  systemd: Drop redundant musl patches
  systemd: Document future actions needed for set of musl patches
  systemd: Drop
    0016-Hide-__start_BUS_ERROR_MAP-and-__stop_BUS_ERROR_MAP.patch
  systemd: Update patch status

Martin Jansa (1):
  makedevs: Don't use COPYING.patch just to add license file into ${S}

Richard Purdie (1):
  lzo: Add further info to a patch and mark as Inactive-Upstream

 ...sysctl.d-binfmt.d-modules-load.d-to-.patch |  73 ++++
 ...se-ROOTPREFIX-without-suffixed-slash.patch |  42 ---
 ...test-parse-argument-Include-signal.h.patch |  27 --
 .../0002-Add-sys-stat.h-for-S_IFDIR.patch     |   2 +-
 ...002-don-t-use-glibc-specific-qsort_r.patch | 163 ---------
 ...-missing_type.h-add-comparison_fn_t.patch} |  41 +--
 ...missing.h-check-for-missing-strndupa.patch |  14 +-
 ...008-add-missing-FTW_-macros-for-musl.patch |   3 +
 ..._register_atfork-for-non-glibc-build.patch |   3 +
 ...S_ERROR_MAP-and-__stop_BUS_ERROR_MAP.patch |  33 --
 ...ype.h-add-__compar_d_fn_t-definition.patch |  28 --
 .../systemd/0019-Handle-missing-LOCK_EX.patch |  24 --
 ...ible-pointer-type-struct-sockaddr_un.patch |  38 --
 .../0021-test-json.c-define-M_PIl.patch       |   4 +
 meta/recipes-core/systemd/systemd_250.5.bb    |  10 +-
 .../makedevs/makedevs/COPYING.patch           | 346 ------------------
 .../makedevs/makedevs/makedevs.c              |   4 +
 .../makedevs/makedevs_1.0.1.bb                |   5 +-
 ...etting-mcpu-to-cortex-a8-on-arm-arch.patch |   2 +-
 ...n-for-targets-which-don-t-support-it.patch |   2 +-
 ...te-march-mcpu-mfpu-for-ARM-test-apps.patch |   2 +-
 .../bash/bash/makerace2.patch                 |   2 +-
 ...ass-LDFLAGS-to-tests-doing-link-step.patch |   2 +-
 .../unzip/unzip/CVE-2021-4217.patch           |   2 +-
 .../unzip/unzip/avoid-strip.patch             |   2 +-
 .../unzip/unzip/define-ldflags.patch          |   2 +-
 .../unzip/unzip/fix-security-format.patch     |   2 +-
 .../unzip/unzip/symlink.patch                 |   2 +-
 ...LAGS-and-LDFLAGS-when-doing-link-tes.patch |   2 +-
 .../zip/zip-3.0/10-remove-build-date.patch    |   2 +-
 .../zip/zip-3.0/fix-security-format.patch     |   2 +-
 .../zipnote-crashes-with-segfault.patch       |   2 +-
 ...Use-memcpy-instead-of-reinventing-it.patch |  10 +-
 33 files changed, 136 insertions(+), 762 deletions(-)
 create mode 100644 meta/recipes-core/systemd/systemd/0001-Move-sysusers.d-sysctl.d-binfmt.d-modules-load.d-to-.patch
 delete mode 100644 meta/recipes-core/systemd/systemd/0001-systemd.pc.in-use-ROOTPREFIX-without-suffixed-slash.patch
 delete mode 100644 meta/recipes-core/systemd/systemd/0001-test-parse-argument-Include-signal.h.patch
 delete mode 100644 meta/recipes-core/systemd/systemd/0002-don-t-use-glibc-specific-qsort_r.patch
 rename meta/recipes-core/systemd/systemd/{0003-missing_type.h-add-__compare_fn_t-and-comparison_fn_.patch => 0003-missing_type.h-add-comparison_fn_t.patch} (63%)
 delete mode 100644 meta/recipes-core/systemd/systemd/0016-Hide-__start_BUS_ERROR_MAP-and-__stop_BUS_ERROR_MAP.patch
 delete mode 100644 meta/recipes-core/systemd/systemd/0017-missing_type.h-add-__compar_d_fn_t-definition.patch
 delete mode 100644 meta/recipes-core/systemd/systemd/0019-Handle-missing-LOCK_EX.patch
 delete mode 100644 meta/recipes-core/systemd/systemd/0020-Fix-incompatible-pointer-type-struct-sockaddr_un.patch
 delete mode 100644 meta/recipes-devtools/makedevs/makedevs/COPYING.patch

-- 
2.25.1




* [OE-core][kirkstone 00/13] Patch review
@ 2022-06-21 23:27 Steve Sakoman
  0 siblings, 0 replies; 21+ messages in thread
From: Steve Sakoman @ 2022-06-21 23:27 UTC
  To: openembedded-core

Please review this set of patches for kirkstone and have comments back by end
of day Thursday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3811

The following changes since commit b2d10487f80deb04a0893325a1ae79c8629a7655:

  liberror-perl: Update sstate/equiv versions to clean cache (2022-06-17 05:02:15 -1000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Alexander Kanavin (1):
  python3: use built-in distutils for ptest, rather than setuptools'
    'fork'

Davide Gardenal (1):
  efivar: add musl libc compatibility

Dmitry Baryshkov (2):
  linux-firmware: add support for building snapshots
  linux-firmware: upgrade 20220509 -> 20220610

Marta Rybczynska (2):
  cve-check: add support for Ignored CVEs
  oeqa/selftest/cve_check: add tests for Ignored and partial reports

Martin Jansa (1):
  mesa: backport a patch to support compositors without
    zwp_linux_dmabuf_v1 again

Michael Opdenacker (1):
  rootfs-postcommands.bbclass: correct comments

Nick Potenski (1):
  systemd: systemd-systemctl: Support instance conf files during enable

Paulo Neves (2):
  python: Avoid shebang overflow on python-config.py
  gtk-doc: Fix potential shebang overflow on gtkdoc-mkhtml2

Richard Purdie (2):
  python3: Remove problematic paths from sysroot files
  python3: Ensure stale empty python module directories don't break the
    build

 meta/classes/cve-check.bbclass                |  43 ++--
 meta/classes/rootfs-postcommands.bbclass      |   8 +-
 meta/lib/oeqa/selftest/cases/cve_check.py     |  82 ++++++++
 .../efisecdb-fix-build-with-musl-libc.patch   | 184 ++++++++++++++++++
 meta/recipes-bsp/efivar/efivar_38.bb          |   3 +-
 .../systemd/systemd-systemctl/systemctl       |  14 +-
 ...shebang-overflow-on-python-config.py.patch |  33 ++++
 .../python3/deterministic_imports.patch       |  32 +++
 .../recipes-devtools/python/python3/run-ptest |   2 +-
 .../recipes-devtools/python/python3_3.10.4.bb |  12 +-
 meta/recipes-gnome/gtk-doc/gtk-doc_1.33.2.bb  |   1 +
 ...nd-deprecate-drm_handle_format-and-d.patch | 158 +++++++++++++++
 meta/recipes-graphics/mesa/mesa.inc           |   1 +
 ...01-Makefile-replace-mkdir-by-install.patch |  84 --------
 ...20220509.bb => linux-firmware_20220610.bb} |  11 +-
 15 files changed, 555 insertions(+), 113 deletions(-)
 create mode 100644 meta/recipes-bsp/efivar/efivar/efisecdb-fix-build-with-musl-libc.patch
 create mode 100644 meta/recipes-devtools/python/python3/0001-Avoid-shebang-overflow-on-python-config.py.patch
 create mode 100644 meta/recipes-devtools/python/python3/deterministic_imports.patch
 create mode 100644 meta/recipes-graphics/mesa/files/0001-Revert-egl-wayland-deprecate-drm_handle_format-and-d.patch
 delete mode 100644 meta/recipes-kernel/linux-firmware/files/0001-Makefile-replace-mkdir-by-install.patch
 rename meta/recipes-kernel/linux-firmware/{linux-firmware_20220509.bb => linux-firmware_20220610.bb} (99%)

-- 
2.25.1




* [OE-core][kirkstone 00/13] Patch review
@ 2022-10-17 23:08 Steve Sakoman
  2022-10-17 23:08 ` [OE-core][kirkstone 01/13] tiff: Security fixes CVE-2022-2867,CVE-2022-2868 and CVE-2022-2869 Steve Sakoman
                   ` (12 more replies)
  0 siblings, 13 replies; 21+ messages in thread
From: Steve Sakoman @ 2022-10-17 23:08 UTC
  To: openembedded-core

Please review this set of patches for kirkstone and have comments back by
end of day Wednesday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/4347

The following changes since commit e728d0965d6fda8ac54e065ca7bf7eb9da9a8170:

  coreutils: add openssl PACKAGECONFIG (2022-09-30 09:35:23 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Adrian Freihofer (1):
  own-mirrors: add crate

Bhabu Bindu (1):
  qemu: Fix CVE-2021-3611

Chen Qi (1):
  image_types_wic.bbclass: fix cross binutils dependency

He Zhe (2):
  lttng-tools: Upgrade 2.13.4 -> 2.13.8
  lttng-modules: Fix crash on powerpc64

Michael Halstead (1):
  uninative: Upgrade to 3.7 to work with glibc 2.36

Ross Burton (1):
  qemu: fix CVE-2022-2962

Teoh Jay Shen (1):
  tiff: Security fixes CVE-2022-2867,CVE-2022-2868 and CVE-2022-2869

Tim Orling (1):
  python3: upgrade 3.10.4 -> 3.10.7

Virendra Thakur (1):
  qemu: Fix CVE-2021-3750 for qemu

Xiangyu Chen (2):
  qemu: Backport patches from upstream to support float128 on qemu-ppc64
  linux-yocto-dev: add qemuarm64

pgowda (1):
  binutils : Fix CVE-2022-38128

 meta/classes/image_types_wic.bbclass          |    2 +-
 meta/classes/own-mirrors.bbclass              |    1 +
 meta/classes/sanity.bbclass                   |    2 +-
 meta/conf/distro/include/yocto-uninative.inc  |   10 +-
 .../binutils/binutils-2.38.inc                |    3 +
 .../binutils/0018-CVE-2022-38128-1.patch      |  350 ++++
 .../binutils/0018-CVE-2022-38128-2.patch      |  436 +++++
 .../binutils/0018-CVE-2022-38128-3.patch      |   95 ++
 ...h-92036-Fix-gc_fini_untrack-GH-92037.patch |   54 -
 ...report-missing-dependencies-for-disa.patch |    8 +-
 .../{python3_3.10.4.bb => python3_3.10.7.bb}  |    3 +-
 meta/recipes-devtools/qemu/qemu.inc           |   49 +
 ...ulip-Restrict-DMA-engine-to-memories.patch |   64 +
 ...end-float_exception_flags-to-16-bits.patch |   75 +
 ...32t-for-reply-queue-head-tail-values.patch |   83 +
 ...ftfloat-Add-flag-specific-to-Inf-Inf.patch |   59 +
 ...id_function_take_MemTxAttrs_argument.patch |   60 +
 ...softfloat-Add-flag-specific-to-Inf-0.patch |  126 ++
 ...et_function_take_MemTxAttrs_argument.patch |   98 ++
 ...dd-flags-specific-to-Inf-Inf-and-0-0.patch |   73 +
 ...ed_function_take_MemTxAttrs_argument.patch |   78 +
 ...-Add-flag-specific-to-signaling-nans.patch |  121 ++
 ...rw_function_take_MemTxAttrs_argument.patch |  158 ++
 ...e-float_invalid_op_addsub-for-new-fl.patch |  114 ++
 ...te_function_take_MemTxAttrs_argument.patch | 1453 +++++++++++++++++
 ...e-float_invalid_op_mul-for-new-flags.patch |   86 +
 ...ap_function_take_MemTxAttrs_argument.patch |  227 +++
 ...e-float_invalid_op_div-for-new-flags.patch |   99 ++
 ..._buf_rw_function_take_a_void_pointer.patch |   41 +
 ...arget-ppc-Update-fmadd-for-new-flags.patch |  102 ++
 ..._dma_buf_write_functions_take_a_void.patch |  167 ++
 .../0010-target-ppc-Split-out-do_fmadd.patch  |   71 +
 ...rw_function_take_MemTxAttrs_argument.patch |   91 ++
 ...s-max-min-cj-dp-to-use-VSX-registers.patch |   93 ++
 ...rw_function_take_MemTxAttrs_argument.patch |   65 +
 ...-Move-xs-max-min-cj-dp-to-decodetree.patch |  121 ++
 ...te_function_take_MemTxAttrs_argument.patch |  129 ++
 ...get-ppc-fix-xscvqpdp-register-access.patch |   41 +
 ...ad_function_take_MemTxAttrs_argument.patch |  222 +++
 ...rget-ppc-move-xscvqpdp-to-decodetree.patch |  130 ++
 ...uf_rw_function_propagate_MemTxResult.patch |   91 ++
 ...tore_fpscr-doesn-t-update-bits-0-to-.patch |   70 +
 ...ma_function_take_MemTxAttrs_argument.patch |  120 ++
 ...get-ppc-Introduce-TRANS-FLAGS-macros.patch |  133 ++
 ...ma_function_take_MemTxAttrs_argument.patch |  151 ++
 ...get-ppc-Implement-Vector-Expand-Mask.patch |  105 ++
 ...r_dma_function_propagate_MemTxResult.patch |   65 +
 ...et-ppc-Implement-Vector-Extract-Mask.patch |  141 ++
 ...r_dma_function_propagate_MemTxResult.patch |  175 ++
 ...ppc-Implement-Vector-Mask-Move-insns.patch |  187 +++
 ...ma_function_take_MemTxAttrs_argument.patch |  303 ++++
 ...xs-n-madd-am-ds-p-xs-n-msub-am-ds-p-.patch |  258 +++
 ...ma_function_take_MemTxAttrs_argument.patch |  271 +++
 ...mplement-xs-n-maddqp-o-xs-n-msubqp-o.patch |  174 ++
 ...i_dma_function_propagate_MemTxResult.patch |   47 +
 ...i_dma_function_propagate_MemTxResult.patch |  296 ++++
 .../qemu/qemu/CVE-2021-3611_1.patch           |   74 +
 .../qemu/qemu/CVE-2021-3611_2.patch           |   43 +
 .../qemu/qemu/CVE-2021-3750-1.patch           |   59 +
 .../qemu/qemu/CVE-2021-3750-2.patch           |   65 +
 .../qemu/qemu/CVE-2021-3750-3.patch           |  156 ++
 meta/recipes-kernel/linux/linux-yocto-dev.bb  |    2 +-
 ...4-fix-kernel-crash-caused-by-do_get_.patch |   94 ++
 .../lttng/lttng-modules_2.13.4.bb             |    1 +
 ...-tools_2.13.4.bb => lttng-tools_2.13.8.bb} |    2 +-
 .../libtiff/tiff/CVE-2022-2867.patch          |  129 ++
 .../libtiff/tiff/CVE-2022-2869.patch          |   84 +
 ...ed69a485a9cfb299d9f060eb2a46c54e5903.patch |   45 +
 meta/recipes-multimedia/libtiff/tiff_4.3.0.bb |    3 +
 69 files changed, 8536 insertions(+), 68 deletions(-)
 create mode 100644 meta/recipes-devtools/binutils/binutils/0018-CVE-2022-38128-1.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/0018-CVE-2022-38128-2.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/0018-CVE-2022-38128-3.patch
 delete mode 100644 meta/recipes-devtools/python/python3/0001-gh-92036-Fix-gc_fini_untrack-GH-92037.patch
 rename meta/recipes-devtools/python/{python3_3.10.4.bb => python3_3.10.7.bb} (99%)
 create mode 100644 meta/recipes-devtools/qemu/qemu/0001-net-tulip-Restrict-DMA-engine-to-memories.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0001-softfloat-Extend-float_exception_flags-to-16-bits.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0001-use-uint32t-for-reply-queue-head-tail-values.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0002-softfloat-Add-flag-specific-to-Inf-Inf.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0002_let_dma_memory_valid_function_take_MemTxAttrs_argument.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0003-softfloat-Add-flag-specific-to-Inf-0.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0003_let_dma_memory_set_function_take_MemTxAttrs_argument.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0004-softfloat-Add-flags-specific-to-Inf-Inf-and-0-0.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0004_let_dma_memory_rw_relaxed_function_take_MemTxAttrs_argument.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0005-softfloat-Add-flag-specific-to-signaling-nans.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0005_let_dma_memory_rw_function_take_MemTxAttrs_argument.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0006-target-ppc-Update-float_invalid_op_addsub-for-new-fl.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0006_let_dma_memory_read_write_function_take_MemTxAttrs_argument.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0007-target-ppc-Update-float_invalid_op_mul-for-new-flags.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0007_let_dma_memory_map_function_take_MemTxAttrs_argument.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0008-target-ppc-Update-float_invalid_op_div-for-new-flags.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0008_have_dma_buf_rw_function_take_a_void_pointer.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0009-target-ppc-Update-fmadd-for-new-flags.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0009_have_dma_buf_read_and_dma_buf_write_functions_take_a_void.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0010-target-ppc-Split-out-do_fmadd.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0010_let_pci_dma_rw_function_take_MemTxAttrs_argument.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0011-target-ppc-Fix-xs-max-min-cj-dp-to-use-VSX-registers.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0011_let_dma_buf_rw_function_take_MemTxAttrs_argument.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0012-target-ppc-Move-xs-max-min-cj-dp-to-decodetree.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0012_let_dma_buf_write_function_take_MemTxAttrs_argument.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0013-target-ppc-fix-xscvqpdp-register-access.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0013_let_dma_buf_read_function_take_MemTxAttrs_argument.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0014-target-ppc-move-xscvqpdp-to-decodetree.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0014_let_dma_buf_rw_function_propagate_MemTxResult.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0015-target-ppc-ppc_store_fpscr-doesn-t-update-bits-0-to-.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0015_let_st_pointer_dma_function_take_MemTxAttrs_argument.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0016-target-ppc-Introduce-TRANS-FLAGS-macros.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0016_let_ld_pointer_dma_function_take_MemTxAttrs_argument.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0017-target-ppc-Implement-Vector-Expand-Mask.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0017_let_st_pointer_dma_function_propagate_MemTxResult.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0018-target-ppc-Implement-Vector-Extract-Mask.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0018_let_ld_pointer_dma_function_propagate_MemTxResult.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0019-target-ppc-Implement-Vector-Mask-Move-insns.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0019_let_st_pointer_pci_dma_function_take_MemTxAttrs_argument.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0020-target-ppc-move-xs-n-madd-am-ds-p-xs-n-msub-am-ds-p-.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0020_let_ld_pointer_pci_dma_function_take_MemTxAttrs_argument.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0021-target-ppc-implement-xs-n-maddqp-o-xs-n-msubqp-o.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0021_let_st_pointer_pci_dma_function_propagate_MemTxResult.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0022_let_ld_pointer_pci_dma_function_propagate_MemTxResult.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3611_1.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3611_2.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3750-1.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3750-2.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3750-3.patch
 create mode 100644 meta/recipes-kernel/lttng/lttng-modules/0001-wrapper-powerpc64-fix-kernel-crash-caused-by-do_get_.patch
 rename meta/recipes-kernel/lttng/{lttng-tools_2.13.4.bb => lttng-tools_2.13.8.bb} (98%)
 create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2022-2867.patch
 create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2022-2869.patch
 create mode 100644 meta/recipes-multimedia/libtiff/tiff/b258ed69a485a9cfb299d9f060eb2a46c54e5903.patch

-- 
2.25.1




* [OE-core][kirkstone 01/13] tiff: Security fixes CVE-2022-2867,CVE-2022-2868 and CVE-2022-2869
  2022-10-17 23:08 [OE-core][kirkstone 00/13] Patch review Steve Sakoman
@ 2022-10-17 23:08 ` Steve Sakoman
  2022-10-17 23:08 ` [OE-core][kirkstone 02/13] binutils : Fix CVE-2022-38128 Steve Sakoman
                   ` (11 subsequent siblings)
  12 siblings, 0 replies; 21+ messages in thread
From: Steve Sakoman @ 2022-10-17 23:08 UTC
  To: openembedded-core

From: Teoh Jay Shen <jay.shen.teoh@intel.com>

This series of patches includes fixes for CVE-2022-2867, CVE-2022-2868 and CVE-2022-2869.
These patches are modified using devtool and a review was conducted to make sure they all get applied in the correct location.

References:

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-2867
https://security-tracker.debian.org/tracker/CVE-2022-2867

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-2868
https://security-tracker.debian.org/tracker/CVE-2022-2868

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-2869
https://security-tracker.debian.org/tracker/CVE-2022-2869

Merge request:

https://gitlab.com/libtiff/libtiff/-/merge_requests/294/diffs?commit_id=7d7bfa4416366ec64068ac389414241ed4730a54

Patches from:

https://gitlab.com/libtiff/libtiff/-/commit/bcf28bb7f630f24fa47701a9907013f3548092cd?merge_request_iid=294
https://gitlab.com/libtiff/libtiff/-/commit/7d7bfa4416366ec64068ac389414241ed4730a54?merge_request_iid=294
https://gitlab.com/libtiff/libtiff/-/commit/b258ed69a485a9cfb299d9f060eb2a46c54e5903?merge_request_iid=294

Notes:
These CVEs are fixed in tiff v4.4.0

Signed-off-by: Teoh Jay Shen <jay.shen.teoh@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../libtiff/tiff/CVE-2022-2867.patch          | 129 ++++++++++++++++++
 .../libtiff/tiff/CVE-2022-2869.patch          |  84 ++++++++++++
 ...ed69a485a9cfb299d9f060eb2a46c54e5903.patch |  45 ++++++
 meta/recipes-multimedia/libtiff/tiff_4.3.0.bb |   3 +
 4 files changed, 261 insertions(+)
 create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2022-2867.patch
 create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2022-2869.patch
 create mode 100644 meta/recipes-multimedia/libtiff/tiff/b258ed69a485a9cfb299d9f060eb2a46c54e5903.patch

diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2867.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2867.patch
new file mode 100644
index 0000000000..ae33a3b4e7
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2867.patch
@@ -0,0 +1,129 @@
+From 6ad097dac1d4908705f5a9d43dea76b7f2de89eb Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Sun, 6 Feb 2022 17:53:53 +0100
+Subject: [PATCH] tiffcrop.c: This update fixes also issues #350 and #351.
+
+ Issue 350 is fixed by checking for not allowed zone input cases like -Z 0:0
+ in getCropOffsets().
+
+CVE: CVE-2022-2867
+
+Upstream-Status: Backport
+[https://gitlab.com/libtiff/libtiff/-/commit/7d7bfa4416366ec64068ac389414241ed4730a54?merge_request_iid=294]
+
+Signed-off-by: Teoh Jay Shen <jay.shen.teoh@intel.com>
+
+---
+ tools/tiffcrop.c | 58 +++++++++++++++++++++++++++++++++---------------
+ 1 file changed, 40 insertions(+), 18 deletions(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index 4a4ace8..0ef5bb2 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -5194,20 +5194,33 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
+ 	y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1);
+ 	y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2);
+ 	}
+-      /* region needs to be within image sizes 0.. width-1; 0..length-1 
+-       * - be aware x,y are already casted to (uint32_t) and avoid (0 - 1)
++      /* a) Region needs to be within image sizes 0.. width-1; 0..length-1 
++       * b) Corners are expected to be submitted as top-left to bottom-right.
++       *    Therefore, check that and reorder input.
++       * (be aware x,y are already casted to (uint32_t) and avoid (0 - 1) )
+        */
+-     if (x1 > image->width - 1)
++      uint32_t aux;
++      if (x1 > x2) {
++        aux = x1;
++        x1 = x2;
++        x2 = aux;
++      }
++      if (y1 > y2) {
++        aux = y1;
++        y1 = y2;
++        y2 = aux;
++      }
++      if (x1 > image->width - 1)
+         crop->regionlist[i].x1 = image->width - 1;
+-     else if (x1 > 0)
+-        crop->regionlist[i].x1 = (uint32_t) (x1 - 1);
++      else if (x1 > 0)
++        crop->regionlist[i].x1 = (uint32_t)(x1 - 1);
+ 
+-     if (x2 > image->width - 1)
+-       crop->regionlist[i].x2 = image->width - 1;
+-     else if (x2 > 0)
+-       crop->regionlist[i].x2 = (uint32_t)(x2 - 1);
++      if (x2 > image->width - 1)
++        crop->regionlist[i].x2 = image->width - 1;
++      else if (x2 > 0)
++        crop->regionlist[i].x2 = (uint32_t)(x2 - 1);
+ 
+-      zwidth  = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1; 
++      zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
+ 
+       if (y1 > image->length - 1)
+         crop->regionlist[i].y1 = image->length - 1;
+@@ -5219,8 +5232,7 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
+       else if (y2 > 0)
+         crop->regionlist[i].y2 = (uint32_t)(y2 - 1);
+ 
+-      zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1; 
+-
++      zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
+       if (zwidth > max_width)
+         max_width = zwidth;
+       if (zlength > max_length)
+@@ -5250,7 +5262,7 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
+ 	}
+       }
+     return (0);
+-    }
++    }  /* crop_mode == CROP_REGIONS */
+   
+   /* Convert crop margins into offsets into image
+    * Margins are expressed as pixel rows and columns, not bytes
+@@ -5286,7 +5298,7 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
+       bmargin = (uint32_t) 0;
+       return (-1);
+       }
+-    }
++    }  /* crop_mode == CROP_MARGINS */
+   else
+     { /* no margins requested */
+     tmargin = (uint32_t) 0;
+@@ -5494,10 +5506,17 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
+   else
+     crop->selections = crop->zones;
+ 
+-  for (i = 0; i < crop->zones; i++)
++  /* Initialize regions iterator i */
++  i = 0;
++  for (int j = 0; j < crop->zones; j++)
+     {
+-    seg = crop->zonelist[i].position;
+-    total = crop->zonelist[i].total;
++    seg = crop->zonelist[j].position;
++    total = crop->zonelist[j].total;
++
++    /* check for not allowed zone cases like 0:0; 4:3; etc. and skip that input */
++    if (seg == 0 || total == 0 || seg > total) {
++        continue;
++    }
+ 
+     switch (crop->edge_ref) 
+       {
+@@ -5626,8 +5645,11 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
+                     i + 1, zwidth, zlength,
+                crop->regionlist[i].x1, crop->regionlist[i].x2,
+                crop->regionlist[i].y1, crop->regionlist[i].y2);
++  /* increment regions iterator */
++  i++;
+     }
+-
++    /* set number of generated regions out of given zones */
++    crop->selections = i;
+   return (0);
+   } /* end getCropOffsets */
+ 
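Review bot: In the getCropOffsets() part of this patch, a zone rejected by 'if (seg == 0 || total == 0 || seg > total)' is dropped with a bare 'continue' and no message, so input such as -Z 0:0 is ignored silently, and 'crop->selections = i;' ends up 0 when every zone is rejected. Consider reporting the skipped zone through TIFFError() and confirming that the callers cope with zero selections. The Subject also says issues #350 and #351 are fixed, but the description only explains 350; a sentence on 351 would help whoever audits this backport later.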
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2869.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2869.patch
new file mode 100644
index 0000000000..9a23e23fed
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2869.patch
@@ -0,0 +1,84 @@
+From 0ec36342df880f5ad41576cb1b03061b8697dabd Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Sun, 6 Feb 2022 10:53:45 +0100
+Subject: [PATCH] tiffcrop.c: Fix issue #352 heap-buffer-overflow by correcting
+
+ uint32_t underflow.
+
+CVE: CVE-2022-2869
+
+Upstream-Status: Backport
+[https://gitlab.com/libtiff/libtiff/-/commit/bcf28bb7f630f24fa47701a9907013f3548092cd?merge_request_iid=294]
+
+Signed-off-by: Teoh Jay Shen <jay.shen.teoh@intel.com>
+
+---
+ tools/tiffcrop.c | 34 +++++++++++++++++++---------------
+ 1 file changed, 19 insertions(+), 15 deletions(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index b9b13d8..4a4ace8 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -5194,26 +5194,30 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
+ 	y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1);
+ 	y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2);
+ 	}
+-      if (x1 < 1)
+-        crop->regionlist[i].x1 = 0;
+-      else
++      /* region needs to be within image sizes 0.. width-1; 0..length-1 
++       * - be aware x,y are already casted to (uint32_t) and avoid (0 - 1)
++       */
++     if (x1 > image->width - 1)
++        crop->regionlist[i].x1 = image->width - 1;
++     else if (x1 > 0)
+         crop->regionlist[i].x1 = (uint32_t) (x1 - 1);
+ 
+-      if (x2 > image->width - 1)
+-        crop->regionlist[i].x2 = image->width - 1;
+-      else
+-        crop->regionlist[i].x2 = (uint32_t) (x2 - 1);
++     if (x2 > image->width - 1)
++       crop->regionlist[i].x2 = image->width - 1;
++     else if (x2 > 0)
++       crop->regionlist[i].x2 = (uint32_t)(x2 - 1);
++
+       zwidth  = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1; 
+ 
+-      if (y1 < 1)
+-        crop->regionlist[i].y1 = 0;
+-      else
+-        crop->regionlist[i].y1 = (uint32_t) (y1 - 1);
++      if (y1 > image->length - 1)
++        crop->regionlist[i].y1 = image->length - 1;
++      else if (y1 > 0)
++        crop->regionlist[i].y1 = (uint32_t)(y1 - 1);
+ 
+       if (y2 > image->length - 1)
+         crop->regionlist[i].y2 = image->length - 1;
+-      else
+-        crop->regionlist[i].y2 = (uint32_t) (y2 - 1);
++      else if (y2 > 0)
++        crop->regionlist[i].y2 = (uint32_t)(y2 - 1);
+ 
+       zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1; 
+ 
+@@ -5376,7 +5380,7 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
+   crop_width  = endx - startx + 1;
+   crop_length = endy - starty + 1;
+ 
+-  if (crop_width <= 0)
++  if (endx + 1 <= startx)
+     {
+     TIFFError("computeInputPixelOffsets", 
+                "Invalid left/right margins and /or image crop width requested");
+@@ -5385,7 +5389,7 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
+   if (crop_width > image->width)
+     crop_width = image->width;
+ 
+-  if (crop_length <= 0)
++  if (endy + 1 <= starty)
+     {
+     TIFFError("computeInputPixelOffsets", 
+               "Invalid top/bottom margins and /or image crop length requested");
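Review bot: In the first tiffcrop.c hunk of this patch, the new 'else if (x1 > 0)' and 'else if (y1 > 0)' branches leave crop->regionlist[i].x1 and .y1 unassigned when the input is 0, where the removed code set them to 0 explicitly; x2 and y2 have the same gap. The result now depends on regionlist[] having been zeroed elsewhere, which these lines do not show, so a final 'else' that stores 0 would make the clamp self-contained. Separately, the Subject is split by a blank line before ' uint32_t underflow.', which cuts the summary short in the patch header.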
diff --git a/meta/recipes-multimedia/libtiff/tiff/b258ed69a485a9cfb299d9f060eb2a46c54e5903.patch b/meta/recipes-multimedia/libtiff/tiff/b258ed69a485a9cfb299d9f060eb2a46c54e5903.patch
new file mode 100644
index 0000000000..1fa6a11104
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/b258ed69a485a9cfb299d9f060eb2a46c54e5903.patch
@@ -0,0 +1,45 @@
+From 740111312ca6ae718f233d914662a9969e6820ee Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Sun, 6 Feb 2022 19:52:17 +0100
+Subject: [PATCH] Move the crop_width and crop_length computation after the
+ sanity check to avoid warnings when built with
+ -fsanitize=unsigned-integer-overflow.
+
+Upstream-Status: Backport
+[https://gitlab.com/libtiff/libtiff/-/commit/b258ed69a485a9cfb299d9f060eb2a46c54e5903?merge_request_iid=294]
+
+Signed-off-by: Teoh Jay Shen <jay.shen.teoh@intel.com>
+
+---
+ tools/tiffcrop.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index 0ef5bb2..99e4208 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -5389,15 +5389,13 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
+   off->endx   = endx;
+   off->endy   = endy;
+ 
+-  crop_width  = endx - startx + 1;
+-  crop_length = endy - starty + 1;
+-
+   if (endx + 1 <= startx)
+     {
+     TIFFError("computeInputPixelOffsets", 
+                "Invalid left/right margins and /or image crop width requested");
+     return (-1);
+     }
++  crop_width  = endx - startx + 1;
+   if (crop_width > image->width)
+     crop_width = image->width;
+ 
+@@ -5407,6 +5405,7 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
+               "Invalid top/bottom margins and /or image crop length requested");
+     return (-1);
+     }
++  crop_length = endy - starty + 1;
+   if (crop_length > image->length)
+     crop_length = image->length;
+ 
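Review bot: in the patch header, the From line carries commit 740111312ca6ae718f233d914662a9969e6820ee while the file name and the Upstream-Status URL both reference b258ed69a485a9cfb299d9f060eb2a46c54e5903, and the URL is the merge-request view (merge_request_iid=294) rather than the plain commit. Please point Upstream-Status at the commit that was actually taken and give the file a descriptive name instead of a bare hash, so it is clear from the recipe that this is a follow-up to the endx + 1 <= startx margin check and not an independent fix.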
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
index b5ccd859f3..f84057c46b 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
@@ -22,6 +22,9 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
            file://CVE-2022-1354.patch \
            file://CVE-2022-1355.patch \
            file://CVE-2022-34526.patch \
+           file://CVE-2022-2869.patch \
+           file://CVE-2022-2867.patch \
+           file://b258ed69a485a9cfb299d9f060eb2a46c54e5903.patch \
            "
 
 SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"
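Review bot: the SRC_URI additions name CVE-2022-2869.patch and CVE-2022-2867.patch, but the series lists this change as also fixing CVE-2022-2868 and no file or visible tag accounts for it. If one of the two patches covers CVE-2022-2868, its header needs a matching CVE: line so the CVE is reported as patched; otherwise the subject should drop it. Also state in the commit message that the b258ed69 patch must stay after the two CVE patches, since it edits the check they introduce.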
-- 
2.25.1




* [OE-core][kirkstone 02/13] binutils : Fix CVE-2022-38128
  2022-10-17 23:08 [OE-core][kirkstone 00/13] Patch review Steve Sakoman
  2022-10-17 23:08 ` [OE-core][kirkstone 01/13] tiff: Security fixes CVE-2022-2867,CVE-2022-2868 and CVE-2022-2869 Steve Sakoman
@ 2022-10-17 23:08 ` Steve Sakoman
  2022-10-17 23:08 ` [OE-core][kirkstone 03/13] qemu: Fix CVE-2021-3750 for qemu Steve Sakoman
                   ` (10 subsequent siblings)
  12 siblings, 0 replies; 21+ messages in thread
From: Steve Sakoman @ 2022-10-17 23:08 UTC (permalink / raw)
  To: openembedded-core

From: pgowda <pgowda.cve@gmail.com>

Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=f07c08e115e27cddf5a0030dc6332bbee1bd9c6a]
Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=175b91507b83ad42607d2f6dadaf55b7b511bdbe]
Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=695c6dfe7e85006b98c8b746f3fd5f913c94ebff]

Signed-off-by: pgowda <pgowda.cve@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../binutils/binutils-2.38.inc                |   3 +
 .../binutils/0018-CVE-2022-38128-1.patch      | 350 ++++++++++++++
 .../binutils/0018-CVE-2022-38128-2.patch      | 436 ++++++++++++++++++
 .../binutils/0018-CVE-2022-38128-3.patch      |  95 ++++
 4 files changed, 884 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/0018-CVE-2022-38128-1.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/0018-CVE-2022-38128-2.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/0018-CVE-2022-38128-3.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.38.inc b/meta/recipes-devtools/binutils/binutils-2.38.inc
index fc88d4a79e..8259ec3232 100644
--- a/meta/recipes-devtools/binutils/binutils-2.38.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.38.inc
@@ -39,5 +39,8 @@ SRC_URI = "\
      file://0017-CVE-2022-38127-2.patch \
      file://0017-CVE-2022-38127-3.patch \
      file://0017-CVE-2022-38127-4.patch \
+     file://0018-CVE-2022-38128-1.patch \
+     file://0018-CVE-2022-38128-2.patch \
+     file://0018-CVE-2022-38128-3.patch \
 "
 S  = "${WORKDIR}/git"
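Review bot: the three files are applied as -1, -2, -3, but the index lines in their headers show the upstream order was different: 0018-CVE-2022-38128-2.patch goes 2b1eec49422..267ed3bb382, 0018-CVE-2022-38128-1.patch goes 267ed3bb382..2fc352f74c5, and 0018-CVE-2022-38128-3.patch goes 2fc352f74c5..99fb3566994. As numbered here, -1 calls free_abbrev_list, which is only added by -2, so the tree is not buildable after -1 alone and the patches cannot be dropped or refreshed individually. Renumber them to match upstream order (tidies, abbrev caching, PR29370) and say in the commit message which of the three carries the actual fix.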
diff --git a/meta/recipes-devtools/binutils/binutils/0018-CVE-2022-38128-1.patch b/meta/recipes-devtools/binutils/binutils/0018-CVE-2022-38128-1.patch
new file mode 100644
index 0000000000..0a490d86b3
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0018-CVE-2022-38128-1.patch
@@ -0,0 +1,350 @@
+From f07c08e115e27cddf5a0030dc6332bbee1bd9c6a Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Thu, 21 Jul 2022 08:38:14 +0930
+Subject: [PATCH] binutils/dwarf.c: abbrev caching
+
+I'm inclined to think that abbrev caching is counter-productive.  The
+time taken to search the list of abbrevs converted to internal form is
+non-zero, and it's easy to decode the raw abbrevs.  It's especially
+silly to cache empty lists of decoded abbrevs (happens with zero
+padding in .debug_abbrev), or abbrevs as they are displayed when there
+is no further use of those abbrevs.  This patch stops caching in those
+cases.
+
+	* dwarf.c (record_abbrev_list_for_cu): Add free_list param.
+	Put abbrevs on abbrev_lists here.
+	(new_abbrev_list): Delete function.
+	(process_abbrev_set): Return newly allocated list.  Move
+	abbrev base, offset and size checking to..
+	(find_and_process_abbrev_set): ..here, new function.  Handle
+	lookup of cached abbrevs here, and calculate start and end
+	for process_abbrev_set.  Return free_list if newly alloc'd.
+	(process_debug_info): Consolidate cached list lookup, new list
+	alloc and processing into find_and_process_abbrev_set call.
+	Free list when not cached.
+	(display_debug_abbrev): Similarly.
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=f07c08e115e27cddf5a0030dc6332bbee1bd9c6a]
+
+Signed-off-by: Pgowda <pgowda.cve@gmail.com>
+---
+ binutils/dwarf.c | 208 +++++++++++++++++++++++++----------------------
+ 1 file changed, 110 insertions(+), 98 deletions(-)
+
+diff --git a/binutils/dwarf.c b/binutils/dwarf.c
+index 267ed3bb382..2fc352f74c5 100644
+--- a/binutils/dwarf.c
++++ b/binutils/dwarf.c
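Review bot: the header of this backport has Upstream-Status and Signed-off-by but no CVE: tag, and nothing in it says how an abbrev-caching change relates to CVE-2022-38128. Add CVE: CVE-2022-38128 and one line stating that this commit is a prerequisite for the PR29370 fix in 0018-CVE-2022-38128-3.patch, whose index line builds on 2fc352f74c5. The same applies to the header of 0018-CVE-2022-38128-2.patch.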
+@@ -882,8 +882,15 @@ static unsigned long  next_free_abbrev_m
+ #define ABBREV_MAP_ENTRIES_INCREMENT   8
+ 
+ static void
+-record_abbrev_list_for_cu (dwarf_vma start, dwarf_vma end, abbrev_list * list)
++record_abbrev_list_for_cu (dwarf_vma start, dwarf_vma end,
++			   abbrev_list *list, abbrev_list *free_list)
+ {
++  if (free_list != NULL)
++    {
++      list->next = abbrev_lists;
++      abbrev_lists = list;
++    }
++
+   if (cu_abbrev_map == NULL)
+     {
+       num_abbrev_map_entries = INITIAL_NUM_ABBREV_MAP_ENTRIES;
+@@ -936,20 +943,6 @@ free_all_abbrevs (void)
+ }
+ 
+ static abbrev_list *
+-new_abbrev_list (dwarf_vma abbrev_base, dwarf_vma abbrev_offset)
+-{
+-  abbrev_list * list = (abbrev_list *) xcalloc (sizeof * list, 1);
+-
+-  list->abbrev_base = abbrev_base;
+-  list->abbrev_offset = abbrev_offset;
+-
+-  list->next = abbrev_lists;
+-  abbrev_lists = list;
+-
+-  return list;
+-}
+-
+-static abbrev_list *
+ find_abbrev_list_by_abbrev_offset (dwarf_vma abbrev_base,
+ 				   dwarf_vma abbrev_offset)
+ {
+@@ -966,7 +959,7 @@ find_abbrev_list_by_abbrev_offset (dwarf
+ /* Find the abbreviation map for the CU that includes OFFSET.
+    OFFSET is an absolute offset from the start of the .debug_info section.  */
+ /* FIXME: This function is going to slow down readelf & objdump.
+-   Consider using a better algorithm to mitigate this effect.  */
++   Not caching abbrevs is likely the answer.  */
+ 
+ static  abbrev_map *
+ find_abbrev_map_by_offset (dwarf_vma offset)
+@@ -1033,40 +1026,18 @@ add_abbrev_attr (unsigned long    attrib
+   list->last_abbrev->last_attr = attr;
+ }
+ 
+-/* Processes the (partial) contents of a .debug_abbrev section.
+-   Returns NULL if the end of the section was encountered.
+-   Returns the address after the last byte read if the end of
+-   an abbreviation set was found.  */
++/* Return processed (partial) contents of a .debug_abbrev section.
++   Returns NULL on errors.  */
+ 
+-static unsigned char *
++static abbrev_list *
+ process_abbrev_set (struct dwarf_section *section,
+-		    dwarf_vma abbrev_base,
+-		    dwarf_vma abbrev_size,
+-		    dwarf_vma abbrev_offset,
+-		    abbrev_list *list)
++		    unsigned char *start,
++		    unsigned char *end)
+ {
+-  if (abbrev_base >= section->size
+-      || abbrev_size > section->size - abbrev_base)
+-    {
+-      /* PR 17531: file:4bcd9ce9.  */
+-      warn (_("Debug info is corrupted, abbrev size (%lx) is larger than "
+-	      "abbrev section size (%lx)\n"),
+-	      (unsigned long) (abbrev_base + abbrev_size),
+-	      (unsigned long) section->size);
+-      return NULL;
+-    }
+-  if (abbrev_offset >= abbrev_size)
+-    {
+-      warn (_("Debug info is corrupted, abbrev offset (%lx) is larger than "
+-	      "abbrev section size (%lx)\n"),
+-	    (unsigned long) abbrev_offset,
+-	    (unsigned long) abbrev_size);
+-      return NULL;
+-    }
++  abbrev_list *list = xmalloc (sizeof (*list));
++  list->first_abbrev = NULL;
++  list->last_abbrev = NULL;
+ 
+-  unsigned char *start = section->start + abbrev_base;
+-  unsigned char *end = start + abbrev_size;
+-  start += abbrev_offset;
+   while (start < end)
+     {
+       unsigned long entry;
+@@ -1079,14 +1050,18 @@ process_abbrev_set (struct dwarf_section
+       /* A single zero is supposed to end the set according
+ 	 to the standard.  If there's more, then signal that to
+ 	 the caller.  */
+-      if (start == end)
+-	return NULL;
+-      if (entry == 0)
+-	return start;
++      if (start == end || entry == 0)
++	{
++	  list->start_of_next_abbrevs = start != end ? start : NULL;
++	  return list;
++	}
+ 
+       READ_ULEB (tag, start, end);
+       if (start == end)
+-	return NULL;
++	{
++	  free (list);
++	  return NULL;
++	}
+ 
+       children = *start++;
+ 
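Review bot: in process_abbrev_set, the new error path after READ_ULEB (tag, start, end) calls free (list), which releases only the list head. The call sits inside the while (start < end) loop, so any entries attached to list by earlier iterations stay allocated when a truncated section is parsed, and the free (list) added before the final return NULL in the next hunk has the same shape. free_abbrev_list (list), which this series adds in 0018-CVE-2022-38128-2.patch, would release the entries as well. If the backport has to stay identical to upstream, check whether a later upstream commit changes these two calls and take it along.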
+@@ -1121,9 +1096,67 @@ process_abbrev_set (struct dwarf_section
+   /* Report the missing single zero which ends the section.  */
+   error (_(".debug_abbrev section not zero terminated\n"));
+ 
++  free (list);
+   return NULL;
+ }
+ 
++/* Return a sequence of abbrevs in SECTION starting at ABBREV_BASE
++   plus ABBREV_OFFSET and finishing at ABBREV_BASE + ABBREV_SIZE.
++   If FREE_LIST is non-NULL search the already decoded abbrevs on
++   abbrev_lists first and if found set *FREE_LIST to NULL.  If
++   searching doesn't find a matching abbrev, set *FREE_LIST to the
++   newly allocated list.  If FREE_LIST is NULL, no search is done and
++   the returned abbrev_list is always newly allocated.  */
++
++static abbrev_list *
++find_and_process_abbrev_set (struct dwarf_section *section,
++			     dwarf_vma abbrev_base,
++			     dwarf_vma abbrev_size,
++			     dwarf_vma abbrev_offset,
++			     abbrev_list **free_list)
++{
++  if (free_list)
++    *free_list = NULL;
++
++  if (abbrev_base >= section->size
++      || abbrev_size > section->size - abbrev_base)
++    {
++      /* PR 17531: file:4bcd9ce9.  */
++      warn (_("Debug info is corrupted, abbrev size (%lx) is larger than "
++	      "abbrev section size (%lx)\n"),
++	      (unsigned long) (abbrev_base + abbrev_size),
++	      (unsigned long) section->size);
++      return NULL;
++    }
++  if (abbrev_offset >= abbrev_size)
++    {
++      warn (_("Debug info is corrupted, abbrev offset (%lx) is larger than "
++	      "abbrev section size (%lx)\n"),
++	    (unsigned long) abbrev_offset,
++	    (unsigned long) abbrev_size);
++      return NULL;
++    }
++
++  unsigned char *start = section->start + abbrev_base + abbrev_offset;
++  unsigned char *end = section->start + abbrev_base + abbrev_size;
++  abbrev_list *list = NULL;
++  if (free_list)
++    list = find_abbrev_list_by_abbrev_offset (abbrev_base, abbrev_offset);
++  if (list == NULL)
++    {
++      list = process_abbrev_set (section, start, end);
++      if (list)
++	{
++	  list->abbrev_base = abbrev_base;
++	  list->abbrev_offset = abbrev_offset;
++	  list->next = NULL;
++	}
++      if (free_list)
++	*free_list = list;
++    }
++  return list;
++}
++
+ static const char *
+ get_TAG_name (unsigned long tag)
+ {
+@@ -3670,7 +3703,6 @@ process_debug_info (struct dwarf_section
+       dwarf_vma                 cu_offset;
+       unsigned int              offset_size;
+       struct cu_tu_set *        this_set;
+-      abbrev_list *             list;
+       unsigned char *end_cu;
+ 
+       hdrptr = start;
+@@ -3726,22 +3758,18 @@ process_debug_info (struct dwarf_section
+ 	  abbrev_size = this_set->section_sizes [DW_SECT_ABBREV];
+ 	}
+ 
+-      list = find_abbrev_list_by_abbrev_offset (abbrev_base,
+-						compunit.cu_abbrev_offset);
+-      if (list == NULL)
+-	{
+-	  unsigned char *  next;
+-
+-	  list = new_abbrev_list (abbrev_base,
+-				  compunit.cu_abbrev_offset);
+-	  next = process_abbrev_set (&debug_displays[abbrev_sec].section,
+-				     abbrev_base, abbrev_size,
+-				     compunit.cu_abbrev_offset, list);
+-	  list->start_of_next_abbrevs = next;
+-	}
+-
++      abbrev_list *list;
++      abbrev_list *free_list;
++      list = find_and_process_abbrev_set (&debug_displays[abbrev_sec].section,
++					  abbrev_base, abbrev_size,
++					  compunit.cu_abbrev_offset,
++					  &free_list);
+       start = end_cu;
+-      record_abbrev_list_for_cu (cu_offset, start - section_begin, list);
++      if (list != NULL && list->first_abbrev != NULL)
++	record_abbrev_list_for_cu (cu_offset, start - section_begin,
++				   list, free_list);
++      else if (free_list != NULL)
++	free_abbrev_list (free_list);
+     }
+ 
+   for (start = section_begin, unit = 0; start < end; unit++)
+@@ -3757,7 +3785,6 @@ process_debug_info (struct dwarf_section
+       struct cu_tu_set *this_set;
+       dwarf_vma abbrev_base;
+       size_t abbrev_size;
+-      abbrev_list * list = NULL;
+       unsigned char *end_cu;
+ 
+       hdrptr = start;
+@@ -3936,20 +3963,10 @@ process_debug_info (struct dwarf_section
+ 	}
+ 
+       /* Process the abbrevs used by this compilation unit.  */
+-      list = find_abbrev_list_by_abbrev_offset (abbrev_base,
+-						compunit.cu_abbrev_offset);
+-      if (list == NULL)
+-	{
+-	  unsigned char *next;
+-
+-	  list = new_abbrev_list (abbrev_base,
+-				  compunit.cu_abbrev_offset);
+-	  next = process_abbrev_set (&debug_displays[abbrev_sec].section,
+-				     abbrev_base, abbrev_size,
+-				     compunit.cu_abbrev_offset, list);
+-	  list->start_of_next_abbrevs = next;
+-	}
+-
++      abbrev_list *list;
++      list = find_and_process_abbrev_set (&debug_displays[abbrev_sec].section,
++					  abbrev_base, abbrev_size,
++					  compunit.cu_abbrev_offset, NULL);
+       level = 0;
+       last_level = level;
+       saved_level = -1;
+@@ -4128,6 +4145,8 @@ process_debug_info (struct dwarf_section
+ 	  if (entry->children)
+ 	    ++level;
+ 	}
++      if (list != NULL)
++	free_abbrev_list (list);
+     }
+ 
+   /* Set num_debug_info_entries here so that it can be used to check if
+@@ -6353,24 +6372,15 @@ display_debug_abbrev (struct dwarf_secti
+ 
+   do
+     {
+-      abbrev_list *    list;
+-      dwarf_vma        offset;
+-
+-      offset = start - section->start;
+-      list = find_abbrev_list_by_abbrev_offset (0, offset);
++      dwarf_vma offset = start - section->start;
++      abbrev_list *list = find_and_process_abbrev_set (section, 0,
++						       section->size, offset,
++						       NULL);
+       if (list == NULL)
+-	{
+-	  list = new_abbrev_list (0, offset);
+-	  start = process_abbrev_set (section, 0, section->size, offset, list);
+-	  list->start_of_next_abbrevs = start;
+-	}
+-      else
+-	start = list->start_of_next_abbrevs;
+-
+-      if (list->first_abbrev == NULL)
+-	continue;
++	break;
+ 
+-      printf (_("  Number TAG (0x%lx)\n"), (long) offset);
++      if (list->first_abbrev)
++	printf (_("  Number TAG (0x%lx)\n"), (long) offset);
+ 
+       for (entry = list->first_abbrev; entry; entry = entry->next)
+ 	{
+@@ -6391,6 +6401,8 @@ display_debug_abbrev (struct dwarf_secti
+ 	      putchar ('\n');
+ 	    }
+ 	}
++      start = list->start_of_next_abbrevs;
++      free_abbrev_list (list);
+     }
+   while (start);
+ 
diff --git a/meta/recipes-devtools/binutils/binutils/0018-CVE-2022-38128-2.patch b/meta/recipes-devtools/binutils/binutils/0018-CVE-2022-38128-2.patch
new file mode 100644
index 0000000000..b867b04e96
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0018-CVE-2022-38128-2.patch
@@ -0,0 +1,436 @@
+From 175b91507b83ad42607d2f6dadaf55b7b511bdbe Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Wed, 20 Jul 2022 18:28:50 +0930
+Subject: [PATCH] miscellaneous dwarf.c tidies
+
+	* dwarf.c: Leading and trailing whitespace fixes.
+	(free_abbrev_list): New function.
+	(free_all_abbrevs): Use the above.  Free cu_abbrev_map here too.
+	(process_abbrev_set): Print actual section name on error.
+	(get_type_abbrev_from_form): Add overflow check.
+	(free_debug_memory): Don't free cu_abbrev_map here..
+	(process_debug_info): ..or here.  Warn on another case of not
+	finding a neeeded abbrev.
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=175b91507b83ad42607d2f6dadaf55b7b511bdbe]
+
+Signed-off-by: Pgowda <pgowda.cve@gmail.com>
+---
+ binutils/dwarf.c | 216 +++++++++++++++++++++++------------------------
+ 1 file changed, 106 insertions(+), 110 deletions(-)
+
+diff --git a/binutils/dwarf.c b/binutils/dwarf.c
+index 2b1eec49422..267ed3bb382 100644
+--- a/binutils/dwarf.c
++++ b/binutils/dwarf.c
+@@ -954,38 +954,41 @@ record_abbrev_list_for_cu (dwarf_vma sta
+   next_free_abbrev_map_entry ++;
+ }
+ 
+-static void
+-free_all_abbrevs (void)
++static abbrev_list *
++free_abbrev_list (abbrev_list *list)
+ {
+-  abbrev_list *  list;
++  abbrev_entry *abbrv = list->first_abbrev;
+ 
+-  for (list = abbrev_lists; list != NULL;)
++  while (abbrv)
+     {
+-      abbrev_list *   next = list->next;
+-      abbrev_entry *  abbrv;
++      abbrev_attr *attr = abbrv->first_attr;
+ 
+-      for (abbrv = list->first_abbrev; abbrv != NULL;)
++      while (attr)
+ 	{
+-	  abbrev_entry *  next_abbrev = abbrv->next;
+-	  abbrev_attr *   attr;
+-
+-	  for (attr = abbrv->first_attr; attr;)
+-	    {
+-	      abbrev_attr *next_attr = attr->next;
+-
+-	      free (attr);
+-	      attr = next_attr;
+-	    }
+-
+-	  free (abbrv);
+-	  abbrv = next_abbrev;
++	  abbrev_attr *next_attr = attr->next;
++	  free (attr);
++	  attr = next_attr;
+ 	}
+ 
+-      free (list);
+-      list = next;
++      abbrev_entry *next_abbrev = abbrv->next;
++      free (abbrv);
++      abbrv = next_abbrev;
+     }
+ 
+-  abbrev_lists = NULL;
++  abbrev_list *next = list->next;
++  free (list);
++  return next;
++}
++
++static void
++free_all_abbrevs (void)
++{
++  while (abbrev_lists)
++    abbrev_lists = free_abbrev_list (abbrev_lists);
++
++  free (cu_abbrev_map);
++  cu_abbrev_map = NULL;
++  next_free_abbrev_map_entry = 0;
+ }
+ 
+ static abbrev_list *
+@@ -1017,7 +1020,7 @@ find_abbrev_map_by_offset (dwarf_vma off
+ 	&& cu_abbrev_map[i].end > offset)
+       return cu_abbrev_map + i;
+ 
+-  return NULL;	
++  return NULL;
+ }
+ 
+ static void
+@@ -1140,7 +1143,7 @@ process_abbrev_set (struct dwarf_section
+     }
+ 
+   /* Report the missing single zero which ends the section.  */
+-  error (_(".debug_abbrev section not zero terminated\n"));
++  error (_("%s section not zero terminated\n"), section->name);
+ 
+   free (list);
+   return NULL;
+@@ -1917,7 +1920,7 @@ fetch_alt_indirect_string (dwarf_vma off
+ 	dwarf_vmatoa ("x", offset));
+   return _("<offset is too big>");
+ }
+-	
++
+ static const char *
+ get_AT_name (unsigned long attribute)
+ {
+@@ -2199,7 +2202,8 @@ get_type_abbrev_from_form (unsigned long
+     case DW_FORM_ref4:
+     case DW_FORM_ref8:
+     case DW_FORM_ref_udata:
+-      if (uvalue + cu_offset > (size_t) (cu_end - section->start))
++      if (uvalue + cu_offset < uvalue
++	  || uvalue + cu_offset > (size_t) (cu_end - section->start))
+ 	{
+ 	  warn (_("Unable to resolve ref form: uvalue %lx + cu_offset %lx > CU size %lx\n"),
+ 		uvalue, (long) cu_offset, (long) (cu_end - section->start));
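Review bot: the added wrap test uvalue + cu_offset < uvalue in the DW_FORM_ref* case is a functional bounds-check change inside a patch titled "miscellaneous dwarf.c tidies" that is otherwise almost entirely whitespace. Call it out in the patch header so the hunk is not lost if someone trims the whitespace churn on a later refresh. Note also that it shares the warn below it, whose text says the sum is greater than the CU size; when the addition wraps, the printed values will not look out of range, which is misleading when triaging a report.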
+@@ -2236,7 +2240,7 @@ get_type_abbrev_from_form (unsigned long
+       else
+ 	*map_return = NULL;
+     }
+-	
++
+   READ_ULEB (abbrev_number, data, section->start + section->size);
+ 
+   for (entry = map->list->first_abbrev; entry != NULL; entry = entry->next)
+@@ -2837,7 +2841,7 @@ read_and_display_attr_value (unsigned lo
+       if (!do_loc)
+ 	printf ("%c<0x%s>", delimiter, dwarf_vmatoa ("x", uvalue + cu_offset));
+       break;
+-      
++
+     default:
+       warn (_("Unrecognized form: 0x%lx\n"), form);
+       /* What to do?  Consume a byte maybe?  */
+@@ -3009,7 +3013,7 @@ read_and_display_attr_value (unsigned lo
+ 	      case DW_FORM_strx3:
+ 	      case DW_FORM_strx4:
+ 		add_dwo_name (fetch_indexed_string (uvalue, this_set, offset_size, false,
+-		                                    debug_info_p->str_offsets_base),
++						    debug_info_p->str_offsets_base),
+ 			      cu_offset);
+ 		break;
+ 	      case DW_FORM_string:
+@@ -3043,7 +3047,7 @@ read_and_display_attr_value (unsigned lo
+ 	      case DW_FORM_strx3:
+ 	      case DW_FORM_strx4:
+ 		add_dwo_dir (fetch_indexed_string (uvalue, this_set, offset_size, false,
+-		                                   debug_info_p->str_offsets_base),
++						   debug_info_p->str_offsets_base),
+ 			     cu_offset);
+ 		break;
+ 	      case DW_FORM_string:
+@@ -3671,11 +3675,8 @@ process_debug_info (struct dwarf_section
+     introduce (section, false);
+ 
+   free_all_abbrevs ();
+-  free (cu_abbrev_map);
+-  cu_abbrev_map = NULL;
+-  next_free_abbrev_map_entry = 0;
+ 
+-  /* In order to be able to resolve DW_FORM_ref_attr forms we need
++  /* In order to be able to resolve DW_FORM_ref_addr forms we need
+      to load *all* of the abbrevs for all CUs in this .debug_info
+      section.  This does effectively mean that we (partially) read
+      every CU header twice.  */
+@@ -4029,12 +4030,11 @@ process_debug_info (struct dwarf_section
+ 
+ 	  /* Scan through the abbreviation list until we reach the
+ 	     correct entry.  */
+-	  if (list == NULL)
+-	    continue;
+-
+-	  for (entry = list->first_abbrev; entry != NULL; entry = entry->next)
+-	    if (entry->number == abbrev_number)
+-	      break;
++	  entry = NULL;
++	  if (list != NULL)
++	    for (entry = list->first_abbrev; entry != NULL; entry = entry->next)
++	      if (entry->number == abbrev_number)
++		break;
+ 
+ 	  if (entry == NULL)
+ 	    {
+@@ -4442,7 +4442,7 @@ display_debug_sup (struct dwarf_section
+ 
+   SAFE_BYTE_GET_AND_INC (is_supplementary, start, 1, end);
+   if (is_supplementary != 0 && is_supplementary != 1)
+-    warn (_("corrupt .debug_sup section: is_supplementary not 0 or 1\n"));    
++    warn (_("corrupt .debug_sup section: is_supplementary not 0 or 1\n"));
+ 
+   sup_filename = start;
+   if (is_supplementary && sup_filename[0] != 0)
+@@ -5621,7 +5621,7 @@ display_debug_lines_decoded (struct dwar
+ 			printf ("%s  %11d  %#18" DWARF_VMA_FMT "x",
+ 				newFileName, state_machine_regs.line,
+ 				state_machine_regs.address);
+-		    }			
++		    }
+ 		  else
+ 		    {
+ 		      if (xop == -DW_LNE_end_sequence)
+@@ -6075,7 +6075,7 @@ display_debug_macro (struct dwarf_sectio
+   load_debug_section_with_follow (str, file);
+   load_debug_section_with_follow (line, file);
+   load_debug_section_with_follow (str_index, file);
+-  
++
+   introduce (section, false);
+ 
+   while (curr < end)
+@@ -6519,7 +6519,7 @@ display_loc_list (struct dwarf_section *
+ 
+       /* Check base address specifiers.  */
+       if (is_max_address (begin, pointer_size)
+-          && !is_max_address (end, pointer_size))
++	  && !is_max_address (end, pointer_size))
+ 	{
+ 	  base_address = end;
+ 	  print_dwarf_vma (begin, pointer_size);
+@@ -6697,7 +6697,7 @@ display_loclists_list (struct dwarf_sect
+ 	case DW_LLE_default_location:
+ 	  begin = end = 0;
+ 	  break;
+-	  
++
+ 	case DW_LLE_offset_pair:
+ 	  READ_ULEB (begin, start, section_end);
+ 	  begin += base_address;
+@@ -6993,7 +6993,7 @@ display_offset_entry_loclists (struct dw
+   unsigned char *  start = section->start;
+   unsigned char * const end = start + section->size;
+ 
+-  introduce (section, false);  
++  introduce (section, false);
+ 
+   do
+     {
+@@ -7042,14 +7042,14 @@ display_offset_entry_loclists (struct dw
+ 		section->name, segment_selector_size);
+ 	  return 0;
+ 	}
+-      
++
+       if (offset_entry_count == 0)
+ 	{
+ 	  warn (_("The %s section contains a table without offset\n"),
+ 		section->name);
+ 	  return 0;
+ 	}
+-  
++
+       printf (_("\n   Offset Entries starting at 0x%lx:\n"),
+ 	      (long)(start - section->start));
+ 
+@@ -8295,12 +8295,12 @@ display_debug_ranges (struct dwarf_secti
+       next = section_begin + offset + debug_info_p->rnglists_base;
+ 
+       /* If multiple DWARF entities reference the same range then we will
+-         have multiple entries in the `range_entries' list for the same
+-         offset.  Thanks to the sort above these will all be consecutive in
+-         the `range_entries' list, so we can easily ignore duplicates
+-         here.  */
++	 have multiple entries in the `range_entries' list for the same
++	 offset.  Thanks to the sort above these will all be consecutive in
++	 the `range_entries' list, so we can easily ignore duplicates
++	 here.  */
+       if (i > 0 && last_offset == offset)
+-        continue;
++	continue;
+       last_offset = offset;
+ 
+       if (dwarf_check != 0 && i > 0)
+@@ -10336,7 +10336,7 @@ display_debug_names (struct dwarf_sectio
+ 		break;
+ 	      if (tagno >= 0)
+ 		printf ("%s<%lu>",
+-		        (tagno == 0 && second_abbrev_tag == 0 ? " " : "\n\t"),
++			(tagno == 0 && second_abbrev_tag == 0 ? " " : "\n\t"),
+ 			(unsigned long) abbrev_tag);
+ 
+ 	      for (entry = abbrev_lookup;
+@@ -10901,7 +10901,7 @@ process_cu_tu_index (struct dwarf_sectio
+ 	 Check for integer overflow (can occur when size_t is 32-bit)
+ 	 with overlarge ncols or nused values.  */
+       if (nused == -1u
+-	  || _mul_overflow ((size_t) ncols, 4, &temp)	  
++	  || _mul_overflow ((size_t) ncols, 4, &temp)
+ 	  || _mul_overflow ((size_t) nused + 1, temp, &total)
+ 	  || total > (size_t) (limit - ppool))
+ 	{
+@@ -10909,7 +10909,7 @@ process_cu_tu_index (struct dwarf_sectio
+ 		section->name);
+ 	  return 0;
+ 	}
+-      
++
+       if (do_display)
+ 	{
+ 	  printf (_("  Offset table\n"));
+@@ -11413,8 +11413,8 @@ add_separate_debug_file (const char * fi
+ 
+ static bool
+ debuginfod_fetch_separate_debug_info (struct dwarf_section * section,
+-                                      char ** filename,
+-                                      void * file)
++				      char ** filename,
++				      void * file)
+ {
+   size_t build_id_len;
+   unsigned char * build_id;
+@@ -11432,14 +11432,14 @@ debuginfod_fetch_separate_debug_info (st
+ 
+       filelen = strnlen ((const char *)section->start, section->size);
+       if (filelen == section->size)
+-        /* Corrupt debugaltlink.  */
+-        return false;
++	/* Corrupt debugaltlink.  */
++	return false;
+ 
+       build_id = section->start + filelen + 1;
+       build_id_len = section->size - (filelen + 1);
+ 
+       if (build_id_len == 0)
+-        return false;
++	return false;
+     }
+   else
+     return false;
+@@ -11451,25 +11451,25 @@ debuginfod_fetch_separate_debug_info (st
+ 
+       client = debuginfod_begin ();
+       if (client == NULL)
+-        return false;
++	return false;
+ 
+       /* Query debuginfod servers for the target file. If found its path
+-         will be stored in filename.  */
++	 will be stored in filename.  */
+       fd = debuginfod_find_debuginfo (client, build_id, build_id_len, filename);
+       debuginfod_end (client);
+ 
+       /* Only free build_id if we allocated space for a hex string
+-         in get_build_id ().  */
++	 in get_build_id ().  */
+       if (build_id_len == 0)
+-        free (build_id);
++	free (build_id);
+ 
+       if (fd >= 0)
+-        {
+-          /* File successfully retrieved. Close fd since we want to
+-             use open_debug_file () on filename instead.  */
+-          close (fd);
+-          return true;
+-        }
++	{
++	  /* File successfully retrieved. Close fd since we want to
++	     use open_debug_file () on filename instead.  */
++	  close (fd);
++	  return true;
++	}
+     }
+ 
+   return false;
+@@ -11482,7 +11482,7 @@ load_separate_debug_info (const char *
+ 			  parse_func_type         parse_func,
+ 			  check_func_type         check_func,
+ 			  void *                  func_data,
+-                          void *                  file ATTRIBUTE_UNUSED)
++			  void *                  file ATTRIBUTE_UNUSED)
+ {
+   const char *   separate_filename;
+   char *         debug_filename;
+@@ -11597,11 +11597,11 @@ load_separate_debug_info (const char *
+                                               & tmp_filename,
+                                               file))
+       {
+-        /* File successfully downloaded from server, replace
+-           debug_filename with the file's path.  */
+-        free (debug_filename);
+-        debug_filename = tmp_filename;
+-        goto found;
++	/* File successfully downloaded from server, replace
++	   debug_filename with the file's path.  */
++	free (debug_filename);
++	debug_filename = tmp_filename;
++	goto found;
+       }
+   }
+ #endif
+@@ -11766,12 +11766,12 @@ load_build_id_debug_file (const char * m
+   /* In theory we should extract the contents of the section into
+      a note structure and then check the fields.  For now though
+      just use hard coded offsets instead:
+-     
++
+        Field  Bytes    Contents
+ 	NSize  0...3   4
+ 	DSize  4...7   8+
+ 	Type   8..11   3  (NT_GNU_BUILD_ID)
+-        Name   12.15   GNU\0
++	Name   12.15   GNU\0
+ 	Data   16....   */
+ 
+   /* FIXME: Check the name size, name and type fields.  */
+@@ -11783,7 +11783,7 @@ load_build_id_debug_file (const char * m
+       warn (_(".note.gnu.build-id data size is too small\n"));
+       return;
+     }
+-  
++
+   if (build_id_size > (section->size - 16))
+     {
+       warn (_(".note.gnu.build-id data size is too bug\n"));
+@@ -12075,10 +12075,6 @@ free_debug_memory (void)
+ 
+   free_all_abbrevs ();
+ 
+-  free (cu_abbrev_map);
+-  cu_abbrev_map = NULL;
+-  next_free_abbrev_map_entry = 0;
+-
+   free (shndx_pool);
+   shndx_pool = NULL;
+   shndx_pool_size = 0;
diff --git a/meta/recipes-devtools/binutils/binutils/0018-CVE-2022-38128-3.patch b/meta/recipes-devtools/binutils/binutils/0018-CVE-2022-38128-3.patch
new file mode 100644
index 0000000000..04d06ed6b6
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0018-CVE-2022-38128-3.patch
@@ -0,0 +1,95 @@
+From 695c6dfe7e85006b98c8b746f3fd5f913c94ebff Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Thu, 21 Jul 2022 09:56:15 +0930
+Subject: [PATCH] PR29370, infinite loop in display_debug_abbrev
+
+The PR29370 testcase is a fuzzed object file with multiple
+.trace_abbrev sections.  Multiple .trace_abbrev or .debug_abbrev
+sections are not a violation of the DWARF standard.  The DWARF5
+standard even gives an example of multiple .debug_abbrev sections
+contained in groups.  Caching and lookup of processed abbrevs thus
+needs to be done by section and offset rather than base and offset.
+(Why base anyway?)  Or, since section contents are kept, by a pointer
+into the contents.
+
+	PR 29370
+	* dwarf.c (struct abbrev_list): Replace abbrev_base and
+	abbrev_offset with raw field.
+	(find_abbrev_list_by_abbrev_offset): Delete.
+	(find_abbrev_list_by_raw_abbrev): New function.
+	(process_abbrev_set): Set list->raw and list->next.
+	(find_and_process_abbrev_set): Replace abbrev list lookup with
+	new function.  Don't set list abbrev_base, abbrev_offset or next.
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=695c6dfe7e85006b98c8b746f3fd5f913c94ebff]
+
+Signed-off-by: Pgowda <pgowda.cve@gmail.com>
+---
+ binutils/dwarf.c | 19 ++++++-------------
+ 1 file changed, 6 insertions(+), 13 deletions(-)
+
+diff --git a/binutils/dwarf.c b/binutils/dwarf.c
+index 2fc352f74c5..99fb3566994 100644
+--- a/binutils/dwarf.c
++++ b/binutils/dwarf.c
+@@ -856,8 +856,7 @@ typedef struct abbrev_list
+ {
+   abbrev_entry *        first_abbrev;
+   abbrev_entry *        last_abbrev;
+-  dwarf_vma             abbrev_base;
+-  dwarf_vma             abbrev_offset;
++  unsigned char *       raw;
+   struct abbrev_list *  next;
+   unsigned char *       start_of_next_abbrevs;
+ }
+@@ -946,14 +945,12 @@ free_all_abbrevs (void)
+ }
+ 
+ static abbrev_list *
+-find_abbrev_list_by_abbrev_offset (dwarf_vma abbrev_base,
+-				   dwarf_vma abbrev_offset)
++find_abbrev_list_by_raw_abbrev (unsigned char *raw)
+ {
+   abbrev_list * list;
+ 
+   for (list = abbrev_lists; list != NULL; list = list->next)
+-    if (list->abbrev_base == abbrev_base
+-	&& list->abbrev_offset == abbrev_offset)
++    if (list->raw == raw)
+       return list;
+ 
+   return NULL;
+@@ -1040,6 +1037,7 @@ process_abbrev_set (struct dwarf_section
+   abbrev_list *list = xmalloc (sizeof (*list));
+   list->first_abbrev = NULL;
+   list->last_abbrev = NULL;
++  list->raw = start;
+ 
+   while (start < end)
+     {
+@@ -1055,6 +1053,7 @@ process_abbrev_set (struct dwarf_section
+ 	 the caller.  */
+       if (start == end || entry == 0)
+ 	{
++	  list->next = NULL;
+ 	  list->start_of_next_abbrevs = start != end ? start : NULL;
+ 	  return list;
+ 	}
+@@ -1144,16 +1143,10 @@ find_and_process_abbrev_set (struct dwar
+   unsigned char *end = section->start + abbrev_base + abbrev_size;
+   abbrev_list *list = NULL;
+   if (free_list)
+-    list = find_abbrev_list_by_abbrev_offset (abbrev_base, abbrev_offset);
++    list = find_abbrev_list_by_raw_abbrev (start);
+   if (list == NULL)
+     {
+       list = process_abbrev_set (section, start, end);
+-      if (list)
+-	{
+-	  list->abbrev_base = abbrev_base;
+-	  list->abbrev_offset = abbrev_offset;
+-	  list->next = NULL;
+-	}
+       if (free_list)
+ 	*free_list = list;
+     }
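Review bot: the header of 0018-CVE-2022-38128-3.patch carries Upstream-Status and Signed-off-by but no `CVE: CVE-2022-38128` line, so the CVE id appears only in the file name; add the tag next to Upstream-Status, as the qemu patches later in this series do. In the process_abbrev_set hunks, list->next is now assigned only on the `start == end || entry == 0` return path, while list->raw is set straight after xmalloc; setting list->next = NULL alongside list->raw would keep the node fully initialised on every path, though for a backport staying byte-identical to upstream 695c6dfe is a fair reason to leave it.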
-- 
2.25.1




* [OE-core][kirkstone 03/13] qemu: Fix CVE-2021-3750 for qemu
  2022-10-17 23:08 [OE-core][kirkstone 00/13] Patch review Steve Sakoman
  2022-10-17 23:08 ` [OE-core][kirkstone 01/13] tiff: Security fixes CVE-2022-2867,CVE-2022-2868 and CVE-2022-2869 Steve Sakoman
  2022-10-17 23:08 ` [OE-core][kirkstone 02/13] binutils : Fix CVE-2022-38128 Steve Sakoman
@ 2022-10-17 23:08 ` Steve Sakoman
  2022-10-17 23:08 ` [OE-core][kirkstone 04/13] qemu: Fix CVE-2021-3611 Steve Sakoman
                   ` (9 subsequent siblings)
  12 siblings, 0 replies; 21+ messages in thread
From: Steve Sakoman @ 2022-10-17 23:08 UTC (permalink / raw)
  To: openembedded-core

From: Virendra Thakur <virendra.thakur@kpit.com>

Add patch to fix CVE-2021-3750

Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-devtools/qemu/qemu.inc           |   3 +
 .../qemu/qemu/CVE-2021-3750-1.patch           |  59 +++++++
 .../qemu/qemu/CVE-2021-3750-2.patch           |  65 ++++++++
 .../qemu/qemu/CVE-2021-3750-3.patch           | 156 ++++++++++++++++++
 4 files changed, 283 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3750-1.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3750-2.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3750-3.patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index a493ac8add..816f9a7eac 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -43,6 +43,9 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
            file://CVE-2022-0358.patch \
            file://CVE-2022-0216_1.patch \
            file://CVE-2022-0216_2.patch \
+           file://CVE-2021-3750-1.patch \
+           file://CVE-2021-3750-2.patch \
+           file://CVE-2021-3750-3.patch \
            "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
 
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3750-1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750-1.patch
new file mode 100644
index 0000000000..e898c20767
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750-1.patch
@@ -0,0 +1,59 @@
+From b9d383ab797f54ae5fa8746117770709921dc529 Mon Sep 17 00:00:00 2001
+From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Wed, 15 Dec 2021 19:24:19 +0100
+Subject: [PATCH] hw/intc/arm_gicv3: Check for !MEMTX_OK instead of MEMTX_ERROR
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+Quoting Peter Maydell:
+
+ "These MEMTX_* aren't from the memory transaction
+  API functions; they're just being used by gicd_readl() and
+  friends as a way to indicate a success/failure so that the
+  actual MemoryRegionOps read/write fns like gicv3_dist_read()
+  can log a guest error."
+
+We are going to introduce more MemTxResult bits, so it is
+safer to check for !MEMTX_OK rather than MEMTX_ERROR.
+
+Reviewed-by: Peter Xu <peterx@redhat.com>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Signed-off-by: Philippe Mathieu-DaudÃf© <philmd@redhat.com>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
+
+CVE: CVE-2021-3750
+
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=b9d383ab797f54ae5fa8746117770709921dc529]
+---
+ hw/intc/arm_gicv3_redist.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/hw/intc/arm_gicv3_redist.c b/hw/intc/arm_gicv3_redist.c
+index c8ff3ec..99b11ca 100644
+--- a/hw/intc/arm_gicv3_redist.c
++++ b/hw/intc/arm_gicv3_redist.c
+@@ -462,7 +462,7 @@ MemTxResult gicv3_redist_read(void *opaque, hwaddr offset, uint64_t *data,
+         break;
+     }
+
+-    if (r == MEMTX_ERROR) {
++    if (r != MEMTX_OK) {
+         qemu_log_mask(LOG_GUEST_ERROR,
+                       "%s: invalid guest read at offset " TARGET_FMT_plx
+                       " size %u\n", __func__, offset, size);
+@@ -521,7 +521,7 @@ MemTxResult gicv3_redist_write(void *opaque, hwaddr offset, uint64_t data,
+         break;
+     }
+
+-    if (r == MEMTX_ERROR) {
++    if (r != MEMTX_OK) {
+         qemu_log_mask(LOG_GUEST_ERROR,
+                       "%s: invalid guest write at offset " TARGET_FMT_plx
+                       " size %u\n", __func__, offset, size);
+--
+1.8.3.1
+
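Review bot: the author's Signed-off-by in the embedded patch header has a mis-encoded name (the "é" in Mathieu-Daudé is garbled) even though the header declares charset=utf8 and the From: line encodes the name correctly; regenerate the file from the upstream commit so the sign-off is intact. The two code hunks only widen the guest-error logging condition from `r == MEMTX_ERROR` to `r != MEMTX_OK`, which the message presents as preparation for new MemTxResult bits, so the header should say this is a prerequisite for CVE-2021-3750-3.patch rather than the fix itself.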
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3750-2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750-2.patch
new file mode 100644
index 0000000000..f163b4fab3
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750-2.patch
@@ -0,0 +1,65 @@
+From 58e74682baf4e1ad26b064d8c02e5bc99c75c5d9 Mon Sep 17 00:00:00 2001
+From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Wed, 15 Dec 2021 19:24:20 +0100
+Subject: [PATCH] softmmu/physmem: Simplify flatview_write and
+ address_space_access_valid
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+Remove unuseful local 'result' variables.
+
+Reviewed-by: Peter Xu <peterx@redhat.com>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Signed-off-by: Philippe Mathieu-DaudÃf© <philmd@redhat.com>
+Message-Id: <20211215182421.418374-3-philmd@redhat.com>
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
+
+CVE: CVE-2021-3750
+
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=58e74682baf4e1ad26b064d8c02e5bc99c75c5d9]
+---
+ softmmu/physmem.c | 11 +++--------
+ 1 file changed, 3 insertions(+), 8 deletions(-)
+
+diff --git a/softmmu/physmem.c b/softmmu/physmem.c
+index 43ae70f..3d968ca 100644
+--- a/softmmu/physmem.c
++++ b/softmmu/physmem.c
+@@ -2826,14 +2826,11 @@ static MemTxResult flatview_write(FlatVi
+     hwaddr l;
+     hwaddr addr1;
+     MemoryRegion *mr;
+-    MemTxResult result = MEMTX_OK;
+
+     l = len;
+     mr = flatview_translate(fv, addr, &addr1, &l, true, attrs);
+-    result = flatview_write_continue(fv, addr, attrs, buf, len,
+-                                     addr1, l, mr);
+-
+-    return result;
++    return flatview_write_continue(fv, addr, attrs, buf, len,
++                                   addr1, l, mr);
+ }
+
+ /* Called within RCU critical section.  */
+@@ -3130,12 +3127,10 @@ bool address_space_access_valid(AddressS
+                                 MemTxAttrs attrs)
+ {
+     FlatView *fv;
+-    bool result;
+
+     RCU_READ_LOCK_GUARD();
+     fv = address_space_to_flatview(as);
+-    result = flatview_access_valid(fv, addr, len, is_write, attrs);
+-    return result;
++    return flatview_access_valid(fv, addr, len, is_write, attrs);
+ }
+
+ static hwaddr
+--
+1.8.3.1
+
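Review bot: this patch is tagged `CVE: CVE-2021-3750`, but both hunks in softmmu/physmem.c are a behaviour-neutral cleanup (dropping the local `result` in flatview_write() and address_space_access_valid()); say in the header that it is carried only so that CVE-2021-3750-3.patch applies cleanly, otherwise a later reader will look for a security change that is not there. The author's Signed-off-by shows the same encoding damage as in CVE-2021-3750-1.patch.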
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3750-3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750-3.patch
new file mode 100644
index 0000000000..24668ad1a5
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750-3.patch
@@ -0,0 +1,156 @@
+From 3ab6fdc91b72e156da22848f0003ff4225690ced Mon Sep 17 00:00:00 2001
+From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Wed, 15 Dec 2021 19:24:21 +0100
+Subject: [PATCH] softmmu/physmem: Introduce MemTxAttrs::memory field and
+ MEMTX_ACCESS_ERROR
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+Add the 'memory' bit to the memory attributes to restrict bus
+controller accesses to memories.
+
+Introduce flatview_access_allowed() to check bus permission
+before running any bus transaction.
+
+Have read/write accessors return MEMTX_ACCESS_ERROR if an access is
+restricted.
+
+There is no change for the default case where 'memory' is not set.
+
+Signed-off-by: Philippe Mathieu-DaudÃf© <philmd@redhat.com>
+Message-Id: <20211215182421.418374-4-philmd@redhat.com>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+[thuth: Replaced MEMTX_BUS_ERROR with MEMTX_ACCESS_ERROR, remove "inline"]
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
+
+CVE: CVE-2021-3750
+
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=3ab6fdc91b72e156da22848f0003ff4225690ced]
+---
+ include/exec/memattrs.h |  9 +++++++++
+ softmmu/physmem.c       | 44 ++++++++++++++++++++++++++++++++++++++++++--
+ 2 files changed, 51 insertions(+), 2 deletions(-)
+
+diff --git a/include/exec/memattrs.h b/include/exec/memattrs.h
+index 95f2d20..9fb98bc 100644
+--- a/include/exec/memattrs.h
++++ b/include/exec/memattrs.h
+@@ -35,6 +35,14 @@ typedef struct MemTxAttrs {
+     unsigned int secure:1;
+     /* Memory access is usermode (unprivileged) */
+     unsigned int user:1;
++    /*
++     * Bus interconnect and peripherals can access anything (memories,
++     * devices) by default. By setting the 'memory' bit, bus transaction
++     * are restricted to "normal" memories (per the AMBA documentation)
++     * versus devices. Access to devices will be logged and rejected
++     * (see MEMTX_ACCESS_ERROR).
++     */
++    unsigned int memory:1;
+     /* Requester ID (for MSI for example) */
+     unsigned int requester_id:16;
+     /* Invert endianness for this page */
+@@ -66,6 +74,7 @@ typedef struct MemTxAttrs {
+ #define MEMTX_OK 0
+ #define MEMTX_ERROR             (1U << 0) /* device returned an error */
+ #define MEMTX_DECODE_ERROR      (1U << 1) /* nothing at that address */
++#define MEMTX_ACCESS_ERROR      (1U << 2) /* access denied */
+ typedef uint32_t MemTxResult;
+
+ #endif
+diff --git a/softmmu/physmem.c b/softmmu/physmem.c
+index 3d968ca..4e1b27a 100644
+--- a/softmmu/physmem.c
++++ b/softmmu/physmem.c
+@@ -41,6 +41,7 @@
+ #include "qemu/config-file.h"
+ #include "qemu/error-report.h"
+ #include "qemu/qemu-print.h"
++#include "qemu/log.h"
+ #include "exec/memory.h"
+ #include "exec/ioport.h"
+ #include "sysemu/dma.h"
+@@ -2759,6 +2760,33 @@ static bool prepare_mmio_access(MemoryRe
+     return release_lock;
+ }
+
++/**
++ * flatview_access_allowed
++ * @mr: #MemoryRegion to be accessed
++ * @attrs: memory transaction attributes
++ * @addr: address within that memory region
++ * @len: the number of bytes to access
++ *
++ * Check if a memory transaction is allowed.
++ *
++ * Returns: true if transaction is allowed, false if denied.
++ */
++static bool flatview_access_allowed(MemoryRegion *mr, MemTxAttrs attrs,
++                                    hwaddr addr, hwaddr len)
++{
++    if (likely(!attrs.memory)) {
++        return true;
++    }
++    if (memory_region_is_ram(mr)) {
++        return true;
++    }
++    qemu_log_mask(LOG_GUEST_ERROR,
++                  "Invalid access to non-RAM device at "
++                  "addr 0x%" HWADDR_PRIX ", size %" HWADDR_PRIu ", "
++                  "region '%s'\n", addr, len, memory_region_name(mr));
++    return false;
++}
++
+ /* Called within RCU critical section.  */
+ static MemTxResult flatview_write_continue(FlatView *fv, hwaddr addr,
+                                            MemTxAttrs attrs,
+@@ -2773,7 +2801,10 @@ static MemTxResult flatview_write_contin
+     const uint8_t *buf = ptr;
+
+     for (;;) {
+-        if (!memory_access_is_direct(mr, true)) {
++        if (!flatview_access_allowed(mr, attrs, addr1, l)) {
++            result |= MEMTX_ACCESS_ERROR;
++            /* Keep going. */
++        } else if (!memory_access_is_direct(mr, true)) {
+             release_lock |= prepare_mmio_access(mr);
+             l = memory_access_size(mr, l, addr1);
+             /* XXX: could force current_cpu to NULL to avoid
+@@ -2818,6 +2849,9 @@ static MemTxResult flatview_write(FlatVi
+
+     l = len;
+     mr = flatview_translate(fv, addr, &addr1, &l, true, attrs);
++    if (!flatview_access_allowed(mr, attrs, addr, len)) {
++        return MEMTX_ACCESS_ERROR;
++    }
+     return flatview_write_continue(fv, addr, attrs, buf, len,
+                                    addr1, l, mr);
+ }
+@@ -2836,7 +2870,10 @@ MemTxResult flatview_read_continue(FlatV
+
+     fuzz_dma_read_cb(addr, len, mr);
+     for (;;) {
+-        if (!memory_access_is_direct(mr, false)) {
++        if (!flatview_access_allowed(mr, attrs, addr1, l)) {
++            result |= MEMTX_ACCESS_ERROR;
++            /* Keep going. */
++        } else if (!memory_access_is_direct(mr, false)) {
+             /* I/O case */
+             release_lock |= prepare_mmio_access(mr);
+             l = memory_access_size(mr, l, addr1);
+@@ -2879,6 +2916,9 @@ static MemTxResult flatview_read(FlatVie
+
+     l = len;
+     mr = flatview_translate(fv, addr, &addr1, &l, false, attrs);
++    if (!flatview_access_allowed(mr, attrs, addr, len)) {
++        return MEMTX_ACCESS_ERROR;
++    }
+     return flatview_read_continue(fv, addr, attrs, buf, len,
+                                   addr1, l, mr);
+ }
+--
+1.8.3.1
+
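Review bot: nothing in the three CVE-2021-3750 patches sets the new MemTxAttrs `memory` bit, and flatview_access_allowed() returns true whenever `attrs.memory` is clear, so as posted the series adds the check without any caller that can trigger it (the message itself says there is no change for the default case). Please state which device-side change is expected to set the bit and whether it is part of this backport; without that the CVE tag overstates what the recipe fixes. Smaller point in the flatview_write() and flatview_read() hunks: the early check passes the untranslated `addr` and the full `len`, while the loops in the _continue functions pass `addr1` and `l`, and the kernel-doc describes @addr as the "address within that memory region", so the value logged on denial differs between the two paths for the same transaction.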
-- 
2.25.1




* [OE-core][kirkstone 04/13] qemu: Fix CVE-2021-3611
  2022-10-17 23:08 [OE-core][kirkstone 00/13] Patch review Steve Sakoman
                   ` (2 preceding siblings ...)
  2022-10-17 23:08 ` [OE-core][kirkstone 03/13] qemu: Fix CVE-2021-3750 for qemu Steve Sakoman
@ 2022-10-17 23:08 ` Steve Sakoman
  2022-10-17 23:08 ` [OE-core][kirkstone 05/13] qemu: fix CVE-2022-2962 Steve Sakoman
                   ` (8 subsequent siblings)
  12 siblings, 0 replies; 21+ messages in thread
From: Steve Sakoman @ 2022-10-17 23:08 UTC (permalink / raw)
  To: openembedded-core

From: Bhabu Bindu <bhabu.bindu@kpit.com>

As per the Ubuntu community [https://ubuntu.com/security/CVE-2021-3611]
To fix CVE-2021-3611 we need to backport the below support patches as well
Link: https://git.qemu.org/?p=qemu.git;a=commit;h=41d5e8da3d5e0a143a9fb397c9f34707ec544997
      https://git.qemu.org/?p=qemu.git;a=commit;h=7ccb391ccd594b3f33de8deb293ff8d47bb4e219
      https://git.qemu.org/?p=qemu.git;a=commit;h=7a36e42d9114474278ce30ba36945cc62292eb60
      https://git.qemu.org/?p=qemu.git;a=commit;h=4afd0f2f220ec3dc8518b8de0d66cbf8d2fd1be7
      https://git.qemu.org/?p=qemu.git;a=commit;h=23faf5694ff8054b847e9733297727be4a641132
      https://git.qemu.org/?p=qemu.git;a=commit;h=ba06fe8add5b788956a7317246c6280dfc157040
      https://git.qemu.org/?p=qemu.git;a=commit;h=a1d4b0a3051b3079c8db607f519bc0fcb30e17ec
      https://git.qemu.org/?p=qemu.git;a=commit;h=c0ee1527358474c75067993d1bb233ad3a4ee081
      https://git.qemu.org/?p=qemu.git;a=commit;h=5e468a36dcdd8fd5eb04282842b72967a29875e4
      https://git.qemu.org/?p=qemu.git;a=commit;h=e2d784b67dc724a9b0854b49255ba0ee8ca46543
      https://git.qemu.org/?p=qemu.git;a=commit;h=959384e74e1b508acc3af6e806b3d7b87335fc2a
      https://git.qemu.org/?p=qemu.git;a=commit;h=392e48af3468d7f8e49db33fdc9e28b5f99276ce
      https://git.qemu.org/?p=qemu.git;a=commit;h=1e5a3f8b2a976054da96cbbb9de6cbac7c2efb79
      https://git.qemu.org/?p=qemu.git;a=commit;h=292e13142d277c15bdd68331abc607e46628b7e1
      https://git.qemu.org/?p=qemu.git;a=commit;h=2280c27afc65bb2af95dd44a88e3b7117bfe240a
      https://git.qemu.org/?p=qemu.git;a=commit;h=34cdea1db600540a5261dc474e986f28b637c8e6
      https://git.qemu.org/?p=qemu.git;a=commit;h=24aed6bcb6b6d266149591f955c2460c28759eb4
      https://git.qemu.org/?p=qemu.git;a=commit;h=cd1db8df7431edd2210ed0123e2e09b9b6d1e621
      https://git.qemu.org/?p=qemu.git;a=commit;h=a423a1b523296f8798a5851aaaba64dd166c0a74
      https://git.qemu.org/?p=qemu.git;a=commit;h=398f9a84ac7132e38caf7b066273734b3bf619ff
      https://git.qemu.org/?p=qemu.git;a=commit;h=6bebb270731758fae3114b7d24c2b12b7c325cc5
      https://git.qemu.org/?p=qemu.git;a=commit;h=4a63054bce23982b99f4d3c65528e47e614086b2

Add patches to fix CVE-2021-3611
Link: https://git.qemu.org/?p=qemu.git;a=patch;h=be5a8cf347d0c47ee3e933dde075526fd8bd5c40
      https://git.qemu.org/?p=qemu.git;a=patch;h=79fa99831debc9782087e834382c577215f2f511

Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
Signed-off-by: virendra thakur <thakur.virendra1810@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-devtools/qemu/qemu.inc           |   24 +
 ...32t-for-reply-queue-head-tail-values.patch |   83 +
 ...id_function_take_MemTxAttrs_argument.patch |   60 +
 ...et_function_take_MemTxAttrs_argument.patch |   98 ++
 ...ed_function_take_MemTxAttrs_argument.patch |   78 +
 ...rw_function_take_MemTxAttrs_argument.patch |  158 ++
 ...te_function_take_MemTxAttrs_argument.patch | 1453 +++++++++++++++++
 ...ap_function_take_MemTxAttrs_argument.patch |  227 +++
 ..._buf_rw_function_take_a_void_pointer.patch |   41 +
 ..._dma_buf_write_functions_take_a_void.patch |  167 ++
 ...rw_function_take_MemTxAttrs_argument.patch |   91 ++
 ...rw_function_take_MemTxAttrs_argument.patch |   65 +
 ...te_function_take_MemTxAttrs_argument.patch |  129 ++
 ...ad_function_take_MemTxAttrs_argument.patch |  222 +++
 ...uf_rw_function_propagate_MemTxResult.patch |   91 ++
 ...ma_function_take_MemTxAttrs_argument.patch |  120 ++
 ...ma_function_take_MemTxAttrs_argument.patch |  151 ++
 ...r_dma_function_propagate_MemTxResult.patch |   65 +
 ...r_dma_function_propagate_MemTxResult.patch |  175 ++
 ...ma_function_take_MemTxAttrs_argument.patch |  303 ++++
 ...ma_function_take_MemTxAttrs_argument.patch |  271 +++
 ...i_dma_function_propagate_MemTxResult.patch |   47 +
 ...i_dma_function_propagate_MemTxResult.patch |  296 ++++
 .../qemu/qemu/CVE-2021-3611_1.patch           |   74 +
 .../qemu/qemu/CVE-2021-3611_2.patch           |   43 +
 25 files changed, 4532 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/0001-use-uint32t-for-reply-queue-head-tail-values.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0002_let_dma_memory_valid_function_take_MemTxAttrs_argument.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0003_let_dma_memory_set_function_take_MemTxAttrs_argument.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0004_let_dma_memory_rw_relaxed_function_take_MemTxAttrs_argument.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0005_let_dma_memory_rw_function_take_MemTxAttrs_argument.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0006_let_dma_memory_read_write_function_take_MemTxAttrs_argument.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0007_let_dma_memory_map_function_take_MemTxAttrs_argument.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0008_have_dma_buf_rw_function_take_a_void_pointer.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0009_have_dma_buf_read_and_dma_buf_write_functions_take_a_void.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0010_let_pci_dma_rw_function_take_MemTxAttrs_argument.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0011_let_dma_buf_rw_function_take_MemTxAttrs_argument.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0012_let_dma_buf_write_function_take_MemTxAttrs_argument.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0013_let_dma_buf_read_function_take_MemTxAttrs_argument.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0014_let_dma_buf_rw_function_propagate_MemTxResult.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0015_let_st_pointer_dma_function_take_MemTxAttrs_argument.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0016_let_ld_pointer_dma_function_take_MemTxAttrs_argument.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0017_let_st_pointer_dma_function_propagate_MemTxResult.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0018_let_ld_pointer_dma_function_propagate_MemTxResult.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0019_let_st_pointer_pci_dma_function_take_MemTxAttrs_argument.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0020_let_ld_pointer_pci_dma_function_take_MemTxAttrs_argument.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0021_let_st_pointer_pci_dma_function_propagate_MemTxResult.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0022_let_ld_pointer_pci_dma_function_propagate_MemTxResult.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3611_1.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3611_2.patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 816f9a7eac..cb5f9358da 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -46,6 +46,30 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
            file://CVE-2021-3750-1.patch \
            file://CVE-2021-3750-2.patch \
            file://CVE-2021-3750-3.patch \
+           file://0001-use-uint32t-for-reply-queue-head-tail-values.patch \
+           file://0002_let_dma_memory_valid_function_take_MemTxAttrs_argument.patch \
+           file://0003_let_dma_memory_set_function_take_MemTxAttrs_argument.patch \
+           file://0004_let_dma_memory_rw_relaxed_function_take_MemTxAttrs_argument.patch \
+           file://0005_let_dma_memory_rw_function_take_MemTxAttrs_argument.patch \
+           file://0006_let_dma_memory_read_write_function_take_MemTxAttrs_argument.patch \
+           file://0007_let_dma_memory_map_function_take_MemTxAttrs_argument.patch \
+           file://0008_have_dma_buf_rw_function_take_a_void_pointer.patch \
+           file://0009_have_dma_buf_read_and_dma_buf_write_functions_take_a_void.patch \
+           file://0010_let_pci_dma_rw_function_take_MemTxAttrs_argument.patch \
+           file://0011_let_dma_buf_rw_function_take_MemTxAttrs_argument.patch \
+           file://0012_let_dma_buf_write_function_take_MemTxAttrs_argument.patch \
+           file://0013_let_dma_buf_read_function_take_MemTxAttrs_argument.patch \
+           file://0014_let_dma_buf_rw_function_propagate_MemTxResult.patch \
+           file://0015_let_st_pointer_dma_function_take_MemTxAttrs_argument.patch \
+           file://0016_let_ld_pointer_dma_function_take_MemTxAttrs_argument.patch \
+           file://0017_let_st_pointer_dma_function_propagate_MemTxResult.patch \
+           file://0018_let_ld_pointer_dma_function_propagate_MemTxResult.patch \
+           file://0019_let_st_pointer_pci_dma_function_take_MemTxAttrs_argument.patch \
+           file://0020_let_ld_pointer_pci_dma_function_take_MemTxAttrs_argument.patch \
+           file://0021_let_st_pointer_pci_dma_function_propagate_MemTxResult.patch \
+           file://0022_let_ld_pointer_pci_dma_function_propagate_MemTxResult.patch \
+           file://CVE-2021-3611_1.patch \
+           file://CVE-2021-3611_2.patch \
            "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
 
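Review bot: the 24 new SRC_URI entries mix three naming schemes: `0001-use-uint32t-...` uses hyphens, `0002_...` through `0022_...` use underscores, and the fix patches are `CVE-2021-3611_1.patch` and `CVE-2021-3611_2.patch` while the context lines directly above use `CVE-2021-3750-1.patch`. Pick one scheme, and consider giving the 22 prerequisite patches a name that ties them to CVE-2021-3611 so that it is obvious on the next qemu upgrade that they are dropped together with the two fix patches.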
diff --git a/meta/recipes-devtools/qemu/qemu/0001-use-uint32t-for-reply-queue-head-tail-values.patch b/meta/recipes-devtools/qemu/qemu/0001-use-uint32t-for-reply-queue-head-tail-values.patch
new file mode 100644
index 0000000000..37e122f781
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0001-use-uint32t-for-reply-queue-head-tail-values.patch
@@ -0,0 +1,83 @@
+From 41d5e8da3d5e0a143a9fb397c9f34707ec544997 Mon Sep 17 00:00:00 2001
+From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Fri, 17 Dec 2021 22:43:05 +0100
+Subject: [PATCH] hw/scsi/megasas: Use uint32_t for reply queue head/tail
+ values
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+While the reply queue values fit in 16-bit, they are accessed
+as 32-bit:
+
+  661:    s->reply_queue_head = ldl_le_pci_dma(pcid, s->producer_pa);
+  662:    s->reply_queue_head %= MEGASAS_MAX_FRAMES;
+  663:    s->reply_queue_tail = ldl_le_pci_dma(pcid, s->consumer_pa);
+  664:    s->reply_queue_tail %= MEGASAS_MAX_FRAMES;
+
+Having:
+
+  41:#define MEGASAS_MAX_FRAMES 2048         /* Firmware limit at 65535 */
+
+In order to update the ld/st*_pci_dma() API to pass the address
+of the value to access, it is simpler to have the head/tail declared
+as 32-bit values. Replace the uint16_t by uint32_t, wasting 4 bytes in
+the MegasasState structure.
+
+CVE: CVE-2021-3611
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=41d5e8da3d5e0a143a9fb397c9f34707ec544997]
+
+Acked-by: Richard Henderson <richard.henderson@linaro.org>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-Id: <20211223115554.3155328-20-philmd@redhat.com>
+Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
+---
+ hw/scsi/megasas.c    | 4 ++--
+ hw/scsi/trace-events | 8 ++++----
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
+index 8f35784..14ec6d6 100644
+--- a/hw/scsi/megasas.c
++++ b/hw/scsi/megasas.c
+@@ -109,8 +109,8 @@ struct MegasasState {
+     uint64_t reply_queue_pa;
+     void *reply_queue;
+     uint16_t reply_queue_len;
+-    uint16_t reply_queue_head;
+-    uint16_t reply_queue_tail;
++    uint32_t reply_queue_head;
++    uint32_t reply_queue_tail;
+     uint64_t consumer_pa;
+     uint64_t producer_pa;
+ 
+diff --git a/hw/scsi/trace-events b/hw/scsi/trace-events
+index 92d5b40..ae8551f 100644
+--- a/hw/scsi/trace-events
++++ b/hw/scsi/trace-events
+@@ -42,18 +42,18 @@ mptsas_config_sas_phy(void *dev, int address, int port, int phy_handle, int dev_
+ 
+ # megasas.c
+ megasas_init_firmware(uint64_t pa) "pa 0x%" PRIx64 " "
+-megasas_init_queue(uint64_t queue_pa, int queue_len, uint64_t head, uint64_t tail, uint32_t flags) "queue at 0x%" PRIx64 " len %d head 0x%" PRIx64 " tail 0x%" PRIx64 " flags 0x%x"
++megasas_init_queue(uint64_t queue_pa, int queue_len, uint32_t head, uint32_t tail, uint32_t flags) "queue at 0x%" PRIx64 " len %d head 0x%" PRIx32 " tail 0x%" PRIx32 " flags 0x%x"
+ megasas_initq_map_failed(int frame) "scmd %d: failed to map queue"
+ megasas_initq_mapped(uint64_t pa) "queue already mapped at 0x%" PRIx64
+ megasas_initq_mismatch(int queue_len, int fw_cmds) "queue size %d max fw cmds %d"
+ megasas_qf_mapped(unsigned int index) "skip mapped frame 0x%x"
+ megasas_qf_new(unsigned int index, uint64_t frame) "frame 0x%x addr 0x%" PRIx64
+ megasas_qf_busy(unsigned long pa) "all frames busy for frame 0x%lx"
+-megasas_qf_enqueue(unsigned int index, unsigned int count, uint64_t context, unsigned int head, unsigned int tail, int busy) "frame 0x%x count %d context 0x%" PRIx64 " head 0x%x tail 0x%x busy %d"
+-megasas_qf_update(unsigned int head, unsigned int tail, unsigned int busy) "head 0x%x tail 0x%x busy %d"
++megasas_qf_enqueue(unsigned int index, unsigned int count, uint64_t context, uint32_t head, uint32_t tail, unsigned int busy) "frame 0x%x count %d context 0x%" PRIx64 " head 0x%" PRIx32 " tail 0x%" PRIx32 " busy %u"
++megasas_qf_update(uint32_t head, uint32_t tail, unsigned int busy) "head 0x%" PRIx32 " tail 0x%" PRIx32 " busy %u"
+ megasas_qf_map_failed(int cmd, unsigned long frame) "scmd %d: frame %lu"
+ megasas_qf_complete_noirq(uint64_t context) "context 0x%" PRIx64 " "
+-megasas_qf_complete(uint64_t context, unsigned int head, unsigned int tail, int busy) "context 0x%" PRIx64 " head 0x%x tail 0x%x busy %d"
++megasas_qf_complete(uint64_t context, uint32_t head, uint32_t tail, int busy) "context 0x%" PRIx64 " head 0x%" PRIx32 " tail 0x%" PRIx32 " busy %u"
+ megasas_frame_busy(uint64_t addr) "frame 0x%" PRIx64 " busy"
+ megasas_unhandled_frame_cmd(int cmd, uint8_t frame_cmd) "scmd %d: MFI cmd 0x%x"
+ megasas_handle_scsi(const char *frame, int bus, int dev, int lun, void *sdev, unsigned long size) "%s dev %x/%x/%x sdev %p xfer %lu"
+-- 
+1.8.3.1
+
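Review bot: in hw/scsi/trace-events, megasas_qf_complete keeps `int busy` in its argument list while its format string changes from `busy %d` to `busy %u`, unlike megasas_qf_enqueue where the argument type is changed to `unsigned int` together with the format. If this matches the upstream commit it should stay as is in a backport, but note in the header that the signed/unsigned mismatch is inherited and not introduced by the backport. In megasas.c only reply_queue_head and reply_queue_tail are widened; reply_queue_len stays uint16_t, which is consistent with the message's stated reason (the ld/st*_pci_dma() API taking the address of the value).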
diff --git a/meta/recipes-devtools/qemu/qemu/0002_let_dma_memory_valid_function_take_MemTxAttrs_argument.patch b/meta/recipes-devtools/qemu/qemu/0002_let_dma_memory_valid_function_take_MemTxAttrs_argument.patch
new file mode 100644
index 0000000000..04a655315f
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0002_let_dma_memory_valid_function_take_MemTxAttrs_argument.patch
@@ -0,0 +1,60 @@
+From 7ccb391ccd594b3f33de8deb293ff8d47bb4e219 Mon Sep 17 00:00:00 2001
+From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Thu, 3 Sep 2020 09:28:49 +0200
+Subject: [PATCH] dma: Let dma_memory_valid() take MemTxAttrs argument
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+Let devices specify transaction attributes when calling
+dma_memory_valid().
+
+CVE: CVE-2021-3611
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=7ccb391ccd594b3f33de8deb293ff8d47bb4e219]
+
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Li Qiang <liq3ea@gmail.com>
+Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+Message-Id: <20211223115554.3155328-2-philmd@redhat.com>
+Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
+---
+ include/hw/ppc/spapr_vio.h | 2 +-
+ include/sysemu/dma.h       | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/include/hw/ppc/spapr_vio.h b/include/hw/ppc/spapr_vio.h
+index 4bea87f..4c45f15 100644
+--- a/include/hw/ppc/spapr_vio.h
++++ b/include/hw/ppc/spapr_vio.h
+@@ -91,7 +91,7 @@ static inline void spapr_vio_irq_pulse(SpaprVioDevice *dev)
+ static inline bool spapr_vio_dma_valid(SpaprVioDevice *dev, uint64_t taddr,
+                                        uint32_t size, DMADirection dir)
+ {
+-    return dma_memory_valid(&dev->as, taddr, size, dir);
++    return dma_memory_valid(&dev->as, taddr, size, dir, MEMTXATTRS_UNSPECIFIED);
+ }
+ 
+ static inline int spapr_vio_dma_read(SpaprVioDevice *dev, uint64_t taddr,
+diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h
+index 3201e79..296f3b5 100644
+--- a/include/sysemu/dma.h
++++ b/include/sysemu/dma.h
+@@ -73,11 +73,11 @@ static inline void dma_barrier(AddressSpace *as, DMADirection dir)
+  * dma_memory_{read,write}() and check for errors */
+ static inline bool dma_memory_valid(AddressSpace *as,
+                                     dma_addr_t addr, dma_addr_t len,
+-                                    DMADirection dir)
++                                    DMADirection dir, MemTxAttrs attrs)
+ {
+     return address_space_access_valid(as, addr, len,
+                                       dir == DMA_DIRECTION_FROM_DEVICE,
+-                                      MEMTXATTRS_UNSPECIFIED);
++                                      attrs);
+ }
+ 
+ static inline MemTxResult dma_memory_rw_relaxed(AddressSpace *as,
+-- 
+1.8.3.1
+
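Review bot: The header tags this file `CVE: CVE-2021-3611`, but neither hunk changes behaviour: `spapr_vio_dma_valid()` now passes `MEMTXATTRS_UNSPECIFIED`, which is the value `dma_memory_valid()` hard-coded before. Add a line next to the `CVE:` tag saying this is a prerequisite API change for the fix and not the fix itself, so that anyone auditing the recipe later does not read this file as closing the CVE on its own.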
diff --git a/meta/recipes-devtools/qemu/qemu/0003_let_dma_memory_set_function_take_MemTxAttrs_argument.patch b/meta/recipes-devtools/qemu/qemu/0003_let_dma_memory_set_function_take_MemTxAttrs_argument.patch
new file mode 100644
index 0000000000..f13707a407
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0003_let_dma_memory_set_function_take_MemTxAttrs_argument.patch
@@ -0,0 +1,98 @@
+From 7a36e42d9114474278ce30ba36945cc62292eb60 Mon Sep 17 00:00:00 2001
+From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Thu, 3 Sep 2020 10:28:32 +0200
+Subject: [PATCH] dma: Let dma_memory_set() take MemTxAttrs argument
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+Let devices specify transaction attributes when calling
+dma_memory_set().
+
+CVE: CVE-2021-3611
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=7a36e42d9114474278ce30ba36945cc62292eb60]
+
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Li Qiang <liq3ea@gmail.com>
+Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+Message-Id: <20211223115554.3155328-3-philmd@redhat.com>
+Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
+---
+ hw/nvram/fw_cfg.c          | 3 ++-
+ include/hw/ppc/spapr_vio.h | 3 ++-
+ include/sysemu/dma.h       | 3 ++-
+ softmmu/dma-helpers.c      | 5 ++---
+ 4 files changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/hw/nvram/fw_cfg.c b/hw/nvram/fw_cfg.c
+index c06b30d..f7803fe 100644
+--- a/hw/nvram/fw_cfg.c
++++ b/hw/nvram/fw_cfg.c
+@@ -399,7 +399,8 @@ static void fw_cfg_dma_transfer(FWCfgState *s)
+              * tested before.
+              */
+             if (read) {
+-                if (dma_memory_set(s->dma_as, dma.address, 0, len)) {
++                if (dma_memory_set(s->dma_as, dma.address, 0, len,
++                                   MEMTXATTRS_UNSPECIFIED)) {
+                     dma.control |= FW_CFG_DMA_CTL_ERROR;
+                 }
+             }
+diff --git a/include/hw/ppc/spapr_vio.h b/include/hw/ppc/spapr_vio.h
+index 4c45f15..c90e74a 100644
+--- a/include/hw/ppc/spapr_vio.h
++++ b/include/hw/ppc/spapr_vio.h
+@@ -111,7 +111,8 @@ static inline int spapr_vio_dma_write(SpaprVioDevice *dev, uint64_t taddr,
+ static inline int spapr_vio_dma_set(SpaprVioDevice *dev, uint64_t taddr,
+                                     uint8_t c, uint32_t size)
+ {
+-    return (dma_memory_set(&dev->as, taddr, c, size) != 0) ?
++    return (dma_memory_set(&dev->as, taddr,
++                           c, size, MEMTXATTRS_UNSPECIFIED) != 0) ?
+         H_DEST_PARM : H_SUCCESS;
+ }
+ 
+diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h
+index 296f3b5..d23516f 100644
+--- a/include/sysemu/dma.h
++++ b/include/sysemu/dma.h
+@@ -175,9 +175,10 @@ static inline MemTxResult dma_memory_write(AddressSpace *as, dma_addr_t addr,
+  * @addr: address within that address space
+  * @c: constant byte to fill the memory
+  * @len: the number of bytes to fill with the constant byte
++ * @attrs: memory transaction attributes
+  */
+ MemTxResult dma_memory_set(AddressSpace *as, dma_addr_t addr,
+-                           uint8_t c, dma_addr_t len);
++                           uint8_t c, dma_addr_t len, MemTxAttrs attrs);
+ 
+ /**
+  * address_space_map: Map a physical memory region into a host virtual address.
+diff --git a/softmmu/dma-helpers.c b/softmmu/dma-helpers.c
+index 7d766a5..1f07217 100644
+--- a/softmmu/dma-helpers.c
++++ b/softmmu/dma-helpers.c
+@@ -19,7 +19,7 @@
+ /* #define DEBUG_IOMMU */
+ 
+ MemTxResult dma_memory_set(AddressSpace *as, dma_addr_t addr,
+-                           uint8_t c, dma_addr_t len)
++                           uint8_t c, dma_addr_t len, MemTxAttrs attrs)
+ {
+     dma_barrier(as, DMA_DIRECTION_FROM_DEVICE);
+ 
+@@ -31,8 +31,7 @@ MemTxResult dma_memory_set(AddressSpace *as, dma_addr_t addr,
+     memset(fillbuf, c, FILLBUF_SIZE);
+     while (len > 0) {
+         l = len < FILLBUF_SIZE ? len : FILLBUF_SIZE;
+-        error |= address_space_write(as, addr, MEMTXATTRS_UNSPECIFIED,
+-                                     fillbuf, l);
++        error |= address_space_write(as, addr, attrs, fillbuf, l);
+         len -= l;
+         addr += l;
+     }
+-- 
+1.8.3.1
+
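Review bot: Ordering matters for the `include/sysemu/dma.h` hunk: its `index 296f3b5..d23516f` line starts from the blob that the dma_memory_valid() patch above produces (`index 3201e79..296f3b5`), so this file only applies cleanly after that one. Check that the recipe's SRC_URI lists the series in exactly this numeric order and that no single file can be dropped on its own; a comment in the recipe grouping them would make the dependency explicit.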
diff --git a/meta/recipes-devtools/qemu/qemu/0004_let_dma_memory_rw_relaxed_function_take_MemTxAttrs_argument.patch b/meta/recipes-devtools/qemu/qemu/0004_let_dma_memory_rw_relaxed_function_take_MemTxAttrs_argument.patch
new file mode 100644
index 0000000000..cacb12909c
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0004_let_dma_memory_rw_relaxed_function_take_MemTxAttrs_argument.patch
@@ -0,0 +1,78 @@
+From 4afd0f2f220ec3dc8518b8de0d66cbf8d2fd1be7 Mon Sep 17 00:00:00 2001
+From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Thu, 3 Sep 2020 09:30:10 +0200
+Subject: [PATCH] dma: Let dma_memory_rw_relaxed() take MemTxAttrs argument
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+We will add the MemTxAttrs argument to dma_memory_rw() in
+the next commit. Since dma_memory_rw_relaxed() is only used
+by dma_memory_rw(), modify it first in a separate commit to
+keep the next commit easier to review.
+
+CVE: CVE-2021-3611
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=4afd0f2f220ec3dc8518b8de0d66cbf8d2fd1be7]
+
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Li Qiang <liq3ea@gmail.com>
+Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+Message-Id: <20211223115554.3155328-4-philmd@redhat.com>
+Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
+---
+ include/sysemu/dma.h | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h
+index d23516f..3be803c 100644
+--- a/include/sysemu/dma.h
++++ b/include/sysemu/dma.h
+@@ -83,9 +83,10 @@ static inline bool dma_memory_valid(AddressSpace *as,
+ static inline MemTxResult dma_memory_rw_relaxed(AddressSpace *as,
+                                                 dma_addr_t addr,
+                                                 void *buf, dma_addr_t len,
+-                                                DMADirection dir)
++                                                DMADirection dir,
++                                                MemTxAttrs attrs)
+ {
+-    return address_space_rw(as, addr, MEMTXATTRS_UNSPECIFIED,
++    return address_space_rw(as, addr, attrs,
+                             buf, len, dir == DMA_DIRECTION_FROM_DEVICE);
+ }
+ 
+@@ -93,7 +94,9 @@ static inline MemTxResult dma_memory_read_relaxed(AddressSpace *as,
+                                                   dma_addr_t addr,
+                                                   void *buf, dma_addr_t len)
+ {
+-    return dma_memory_rw_relaxed(as, addr, buf, len, DMA_DIRECTION_TO_DEVICE);
++    return dma_memory_rw_relaxed(as, addr, buf, len,
++                                 DMA_DIRECTION_TO_DEVICE,
++                                 MEMTXATTRS_UNSPECIFIED);
+ }
+ 
+ static inline MemTxResult dma_memory_write_relaxed(AddressSpace *as,
+@@ -102,7 +105,8 @@ static inline MemTxResult dma_memory_write_relaxed(AddressSpace *as,
+                                                    dma_addr_t len)
+ {
+     return dma_memory_rw_relaxed(as, addr, (void *)buf, len,
+-                                 DMA_DIRECTION_FROM_DEVICE);
++                                 DMA_DIRECTION_FROM_DEVICE,
++                                 MEMTXATTRS_UNSPECIFIED);
+ }
+ 
+ /**
+@@ -124,7 +128,8 @@ static inline MemTxResult dma_memory_rw(AddressSpace *as, dma_addr_t addr,
+ {
+     dma_barrier(as, dir);
+ 
+-    return dma_memory_rw_relaxed(as, addr, buf, len, dir);
++    return dma_memory_rw_relaxed(as, addr, buf, len, dir,
++                                 MEMTXATTRS_UNSPECIFIED);
+ }
+ 
+ /**
+-- 
+1.8.3.1
+
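Review bot: The commit message says dma_memory_rw_relaxed() is only used by dma_memory_rw(), yet the hunks at -93 and -102 also update dma_memory_read_relaxed() and dma_memory_write_relaxed(), which keep their old signatures and pass `MEMTXATTRS_UNSPECIFIED`. If every hunk here is byte-identical to upstream commit 4afd0f2f220ec3dc8518b8de0d66cbf8d2fd1be7, nothing needs to change; if any was adjusted to fit the qemu version in kirkstone, say so in the header below the `Upstream-Status:` line.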
diff --git a/meta/recipes-devtools/qemu/qemu/0005_let_dma_memory_rw_function_take_MemTxAttrs_argument.patch b/meta/recipes-devtools/qemu/qemu/0005_let_dma_memory_rw_function_take_MemTxAttrs_argument.patch
new file mode 100644
index 0000000000..e5daf966d5
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0005_let_dma_memory_rw_function_take_MemTxAttrs_argument.patch
@@ -0,0 +1,158 @@
+From 23faf5694ff8054b847e9733297727be4a641132 Mon Sep 17 00:00:00 2001
+From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Thu, 3 Sep 2020 09:37:43 +0200
+Subject: [PATCH] dma: Let dma_memory_rw() take MemTxAttrs argument
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+Let devices specify transaction attributes when calling
+dma_memory_rw().
+
+CVE: CVE-2021-3611
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=23faf5694ff8054b847e9733297727be4a641132]
+
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Li Qiang <liq3ea@gmail.com>
+Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+Message-Id: <20211223115554.3155328-5-philmd@redhat.com>
+Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
+---
+ hw/intc/spapr_xive.c  |  3 ++-
+ hw/usb/hcd-ohci.c     | 10 ++++++----
+ include/hw/pci/pci.h  |  3 ++-
+ include/sysemu/dma.h  | 11 ++++++-----
+ softmmu/dma-helpers.c |  3 ++-
+ 5 files changed, 18 insertions(+), 12 deletions(-)
+
+diff --git a/hw/intc/spapr_xive.c b/hw/intc/spapr_xive.c
+index 4ec659b..eae95c7 100644
+--- a/hw/intc/spapr_xive.c
++++ b/hw/intc/spapr_xive.c
+@@ -1684,7 +1684,8 @@ static target_ulong h_int_esb(PowerPCCPU *cpu,
+         mmio_addr = xive->vc_base + xive_source_esb_mgmt(xsrc, lisn) + offset;
+ 
+         if (dma_memory_rw(&address_space_memory, mmio_addr, &data, 8,
+-                          (flags & SPAPR_XIVE_ESB_STORE))) {
++                          (flags & SPAPR_XIVE_ESB_STORE),
++                          MEMTXATTRS_UNSPECIFIED)) {
+             qemu_log_mask(LOG_GUEST_ERROR, "XIVE: failed to access ESB @0x%"
+                           HWADDR_PRIx "\n", mmio_addr);
+             return H_HARDWARE;
+diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c
+index 1cf2816..56e2315 100644
+--- a/hw/usb/hcd-ohci.c
++++ b/hw/usb/hcd-ohci.c
+@@ -586,7 +586,8 @@ static int ohci_copy_td(OHCIState *ohci, struct ohci_td *td,
+     if (n > len)
+         n = len;
+ 
+-    if (dma_memory_rw(ohci->as, ptr + ohci->localmem_base, buf, n, dir)) {
++    if (dma_memory_rw(ohci->as, ptr + ohci->localmem_base, buf,
++                      n, dir, MEMTXATTRS_UNSPECIFIED)) {
+         return -1;
+     }
+     if (n == len) {
+@@ -595,7 +596,7 @@ static int ohci_copy_td(OHCIState *ohci, struct ohci_td *td,
+     ptr = td->be & ~0xfffu;
+     buf += n;
+     if (dma_memory_rw(ohci->as, ptr + ohci->localmem_base, buf,
+-                      len - n, dir)) {
++                      len - n, dir, MEMTXATTRS_UNSPECIFIED)) {
+         return -1;
+     }
+     return 0;
+@@ -613,7 +614,8 @@ static int ohci_copy_iso_td(OHCIState *ohci,
+     if (n > len)
+         n = len;
+ 
+-    if (dma_memory_rw(ohci->as, ptr + ohci->localmem_base, buf, n, dir)) {
++    if (dma_memory_rw(ohci->as, ptr + ohci->localmem_base, buf,
++                      n, dir, MEMTXATTRS_UNSPECIFIED)) {
+         return -1;
+     }
+     if (n == len) {
+@@ -622,7 +624,7 @@ static int ohci_copy_iso_td(OHCIState *ohci,
+     ptr = end_addr & ~0xfffu;
+     buf += n;
+     if (dma_memory_rw(ohci->as, ptr + ohci->localmem_base, buf,
+-                      len - n, dir)) {
++                      len - n, dir, MEMTXATTRS_UNSPECIFIED)) {
+         return -1;
+     }
+     return 0;
+diff --git a/include/hw/pci/pci.h b/include/hw/pci/pci.h
+index e7cdf2d..4383f1c 100644
+--- a/include/hw/pci/pci.h
++++ b/include/hw/pci/pci.h
+@@ -808,7 +808,8 @@ static inline MemTxResult pci_dma_rw(PCIDevice *dev, dma_addr_t addr,
+                                      void *buf, dma_addr_t len,
+                                      DMADirection dir)
+ {
+-    return dma_memory_rw(pci_get_address_space(dev), addr, buf, len, dir);
++    return dma_memory_rw(pci_get_address_space(dev), addr, buf, len,
++                         dir, MEMTXATTRS_UNSPECIFIED);
+ }
+ 
+ /**
+diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h
+index 3be803c..e8ad422 100644
+--- a/include/sysemu/dma.h
++++ b/include/sysemu/dma.h
+@@ -121,15 +121,15 @@ static inline MemTxResult dma_memory_write_relaxed(AddressSpace *as,
+  * @buf: buffer with the data transferred
+  * @len: the number of bytes to read or write
+  * @dir: indicates the transfer direction
++ * @attrs: memory transaction attributes
+  */
+ static inline MemTxResult dma_memory_rw(AddressSpace *as, dma_addr_t addr,
+                                         void *buf, dma_addr_t len,
+-                                        DMADirection dir)
++                                        DMADirection dir, MemTxAttrs attrs)
+ {
+     dma_barrier(as, dir);
+ 
+-    return dma_memory_rw_relaxed(as, addr, buf, len, dir,
+-                                 MEMTXATTRS_UNSPECIFIED);
++    return dma_memory_rw_relaxed(as, addr, buf, len, dir, attrs);
+ }
+ 
+ /**
+@@ -147,7 +147,8 @@ static inline MemTxResult dma_memory_rw(AddressSpace *as, dma_addr_t addr,
+ static inline MemTxResult dma_memory_read(AddressSpace *as, dma_addr_t addr,
+                                           void *buf, dma_addr_t len)
+ {
+-    return dma_memory_rw(as, addr, buf, len, DMA_DIRECTION_TO_DEVICE);
++    return dma_memory_rw(as, addr, buf, len,
++                         DMA_DIRECTION_TO_DEVICE, MEMTXATTRS_UNSPECIFIED);
+ }
+ 
+ /**
+@@ -166,7 +167,7 @@ static inline MemTxResult dma_memory_write(AddressSpace *as, dma_addr_t addr,
+                                            const void *buf, dma_addr_t len)
+ {
+     return dma_memory_rw(as, addr, (void *)buf, len,
+-                         DMA_DIRECTION_FROM_DEVICE);
++                         DMA_DIRECTION_FROM_DEVICE, MEMTXATTRS_UNSPECIFIED);
+ }
+ 
+ /**
+diff --git a/softmmu/dma-helpers.c b/softmmu/dma-helpers.c
+index 1f07217..5bf76ff 100644
+--- a/softmmu/dma-helpers.c
++++ b/softmmu/dma-helpers.c
+@@ -305,7 +305,8 @@ static uint64_t dma_buf_rw(uint8_t *ptr, int32_t len, QEMUSGList *sg,
+     while (len > 0) {
+         ScatterGatherEntry entry = sg->sg[sg_cur_index++];
+         int32_t xfer = MIN(len, entry.len);
+-        dma_memory_rw(sg->as, entry.base, ptr, xfer, dir);
++        dma_memory_rw(sg->as, entry.base, ptr, xfer, dir,
++                      MEMTXATTRS_UNSPECIFIED);
+         ptr += xfer;
+         len -= xfer;
+         resid -= xfer;
+-- 
+1.8.3.1
+
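Review bot: In the `include/hw/pci/pci.h` hunk, `pci_dma_rw()` keeps its existing signature and hard-codes `MEMTXATTRS_UNSPECIFIED`, so after this patch a PCI device model still has no way to pass its own attributes down to `dma_memory_rw()`. The `dma_memory_read()` and `dma_memory_write()` wrappers in `include/sysemu/dma.h` are in the same position here and are extended by the next file; confirm that the series also carries the matching change for `pci_dma_rw()`, since without it this patch is behaviour-neutral for every caller shown.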
diff --git a/meta/recipes-devtools/qemu/qemu/0006_let_dma_memory_read_write_function_take_MemTxAttrs_argument.patch b/meta/recipes-devtools/qemu/qemu/0006_let_dma_memory_read_write_function_take_MemTxAttrs_argument.patch
new file mode 100644
index 0000000000..1973e477f3
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0006_let_dma_memory_read_write_function_take_MemTxAttrs_argument.patch
@@ -0,0 +1,1453 @@
+From ba06fe8add5b788956a7317246c6280dfc157040 Mon Sep 17 00:00:00 2001
+From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Thu, 3 Sep 2020 10:08:29 +0200
+Subject: [PATCH] dma: Let dma_memory_read/write() take MemTxAttrs argument
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+Let devices specify transaction attributes when calling
+dma_memory_read() or dma_memory_write().
+
+Patch created mechanically using spatch with this script:
+
+  @@
+  expression E1, E2, E3, E4;
+  @@
+  (
+  - dma_memory_read(E1, E2, E3, E4)
+  + dma_memory_read(E1, E2, E3, E4, MEMTXATTRS_UNSPECIFIED)
+  |
+  - dma_memory_write(E1, E2, E3, E4)
+  + dma_memory_write(E1, E2, E3, E4, MEMTXATTRS_UNSPECIFIED)
+  )
+
+CVE: CVE-2021-3611
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=ba06fe8add5b788956a7317246c6280dfc157040]
+
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Li Qiang <liq3ea@gmail.com>
+Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+Message-Id: <20211223115554.3155328-6-philmd@redhat.com>
+Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
+---
+ hw/arm/musicpal.c             | 13 +++++++------
+ hw/arm/smmu-common.c          |  3 ++-
+ hw/arm/smmuv3.c               | 14 +++++++++-----
+ hw/core/generic-loader.c      |  3 ++-
+ hw/dma/pl330.c                | 12 ++++++++----
+ hw/dma/sparc32_dma.c          | 16 ++++++++++------
+ hw/dma/xlnx-zynq-devcfg.c     |  6 ++++--
+ hw/dma/xlnx_dpdma.c           | 10 ++++++----
+ hw/i386/amd_iommu.c           | 16 +++++++++-------
+ hw/i386/intel_iommu.c         | 28 +++++++++++++++++-----------
+ hw/ide/macio.c                |  2 +-
+ hw/intc/xive.c                |  7 ++++---
+ hw/misc/bcm2835_property.c    |  3 ++-
+ hw/misc/macio/mac_dbdma.c     | 10 ++++++----
+ hw/net/allwinner-sun8i-emac.c | 18 ++++++++++++------
+ hw/net/ftgmac100.c            | 25 ++++++++++++++++---------
+ hw/net/imx_fec.c              | 32 ++++++++++++++++++++------------
+ hw/net/npcm7xx_emc.c          | 20 ++++++++++++--------
+ hw/nvram/fw_cfg.c             |  9 ++++++---
+ hw/pci-host/pnv_phb3.c        |  5 +++--
+ hw/pci-host/pnv_phb3_msi.c    |  9 ++++++---
+ hw/pci-host/pnv_phb4.c        |  5 +++--
+ hw/sd/allwinner-sdhost.c      | 14 ++++++++------
+ hw/sd/sdhci.c                 | 35 ++++++++++++++++++++++-------------
+ hw/usb/hcd-dwc2.c             |  8 ++++----
+ hw/usb/hcd-ehci.c             |  6 ++++--
+ hw/usb/hcd-ohci.c             | 18 +++++++++++-------
+ hw/usb/hcd-xhci.c             | 18 +++++++++++-------
+ include/hw/ppc/spapr_vio.h    |  6 ++++--
+ include/sysemu/dma.h          | 20 ++++++++++++--------
+ 30 files changed, 241 insertions(+), 150 deletions(-)
+
+diff --git a/hw/arm/musicpal.c b/hw/arm/musicpal.c
+index 2d612cc..2680ec5 100644
+--- a/hw/arm/musicpal.c
++++ b/hw/arm/musicpal.c
+@@ -185,13 +185,13 @@ static void eth_rx_desc_put(AddressSpace *dma_as, uint32_t addr,
+     cpu_to_le16s(&desc->buffer_size);
+     cpu_to_le32s(&desc->buffer);
+     cpu_to_le32s(&desc->next);
+-    dma_memory_write(dma_as, addr, desc, sizeof(*desc));
++    dma_memory_write(dma_as, addr, desc, sizeof(*desc), MEMTXATTRS_UNSPECIFIED);
+ }
+ 
+ static void eth_rx_desc_get(AddressSpace *dma_as, uint32_t addr,
+                             mv88w8618_rx_desc *desc)
+ {
+-    dma_memory_read(dma_as, addr, desc, sizeof(*desc));
++    dma_memory_read(dma_as, addr, desc, sizeof(*desc), MEMTXATTRS_UNSPECIFIED);
+     le32_to_cpus(&desc->cmdstat);
+     le16_to_cpus(&desc->bytes);
+     le16_to_cpus(&desc->buffer_size);
+@@ -215,7 +215,7 @@ static ssize_t eth_receive(NetClientState *nc, const uint8_t *buf, size_t size)
+             eth_rx_desc_get(&s->dma_as, desc_addr, &desc);
+             if ((desc.cmdstat & MP_ETH_RX_OWN) && desc.buffer_size >= size) {
+                 dma_memory_write(&s->dma_as, desc.buffer + s->vlan_header,
+-                                          buf, size);
++                                 buf, size, MEMTXATTRS_UNSPECIFIED);
+                 desc.bytes = size + s->vlan_header;
+                 desc.cmdstat &= ~MP_ETH_RX_OWN;
+                 s->cur_rx[i] = desc.next;
+@@ -241,13 +241,13 @@ static void eth_tx_desc_put(AddressSpace *dma_as, uint32_t addr,
+     cpu_to_le16s(&desc->bytes);
+     cpu_to_le32s(&desc->buffer);
+     cpu_to_le32s(&desc->next);
+-    dma_memory_write(dma_as, addr, desc, sizeof(*desc));
++    dma_memory_write(dma_as, addr, desc, sizeof(*desc), MEMTXATTRS_UNSPECIFIED);
+ }
+ 
+ static void eth_tx_desc_get(AddressSpace *dma_as, uint32_t addr,
+                             mv88w8618_tx_desc *desc)
+ {
+-    dma_memory_read(dma_as, addr, desc, sizeof(*desc));
++    dma_memory_read(dma_as, addr, desc, sizeof(*desc), MEMTXATTRS_UNSPECIFIED);
+     le32_to_cpus(&desc->cmdstat);
+     le16_to_cpus(&desc->res);
+     le16_to_cpus(&desc->bytes);
+@@ -269,7 +269,8 @@ static void eth_send(mv88w8618_eth_state *s, int queue_index)
+         if (desc.cmdstat & MP_ETH_TX_OWN) {
+             len = desc.bytes;
+             if (len < 2048) {
+-                dma_memory_read(&s->dma_as, desc.buffer, buf, len);
++                dma_memory_read(&s->dma_as, desc.buffer, buf, len,
++                                MEMTXATTRS_UNSPECIFIED);
+                 qemu_send_packet(qemu_get_queue(s->nic), buf, len);
+             }
+             desc.cmdstat &= ~MP_ETH_TX_OWN;
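Review bot: The musicpal.c hunks match the spatch rule quoted in the commit message, but that rule was run against the upstream tree and the diffstat lists upstream's 30 files. Because `include/sysemu/dma.h` changes the prototypes, any four-argument `dma_memory_read()` or `dma_memory_write()` call that exists in kirkstone's qemu but not in that list will fail to compile. Grep the patched source for remaining four-argument calls and build both the native and target qemu recipes before merging.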
+diff --git a/hw/arm/smmu-common.c b/hw/arm/smmu-common.c
+index 0459850..e09b9c1 100644
+--- a/hw/arm/smmu-common.c
++++ b/hw/arm/smmu-common.c
+@@ -193,7 +193,8 @@ static int get_pte(dma_addr_t baseaddr, uint32_t index, uint64_t *pte,
+     dma_addr_t addr = baseaddr + index * sizeof(*pte);
+ 
+     /* TODO: guarantee 64-bit single-copy atomicity */
+-    ret = dma_memory_read(&address_space_memory, addr, pte, sizeof(*pte));
++    ret = dma_memory_read(&address_space_memory, addr, pte, sizeof(*pte),
++                          MEMTXATTRS_UNSPECIFIED);
+ 
+     if (ret != MEMTX_OK) {
+         info->type = SMMU_PTW_ERR_WALK_EABT;
+diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
+index 01b60be..3b43368 100644
+--- a/hw/arm/smmuv3.c
++++ b/hw/arm/smmuv3.c
+@@ -102,7 +102,8 @@ static inline MemTxResult queue_read(SMMUQueue *q, void *data)
+ {
+     dma_addr_t addr = Q_CONS_ENTRY(q);
+ 
+-    return dma_memory_read(&address_space_memory, addr, data, q->entry_size);
++    return dma_memory_read(&address_space_memory, addr, data, q->entry_size,
++                           MEMTXATTRS_UNSPECIFIED);
+ }
+ 
+ static MemTxResult queue_write(SMMUQueue *q, void *data)
+@@ -110,7 +111,8 @@ static MemTxResult queue_write(SMMUQueue *q, void *data)
+     dma_addr_t addr = Q_PROD_ENTRY(q);
+     MemTxResult ret;
+ 
+-    ret = dma_memory_write(&address_space_memory, addr, data, q->entry_size);
++    ret = dma_memory_write(&address_space_memory, addr, data, q->entry_size,
++                           MEMTXATTRS_UNSPECIFIED);
+     if (ret != MEMTX_OK) {
+         return ret;
+     }
+@@ -285,7 +287,8 @@ static int smmu_get_ste(SMMUv3State *s, dma_addr_t addr, STE *buf,
+ 
+     trace_smmuv3_get_ste(addr);
+     /* TODO: guarantee 64-bit single-copy atomicity */
+-    ret = dma_memory_read(&address_space_memory, addr, buf, sizeof(*buf));
++    ret = dma_memory_read(&address_space_memory, addr, buf, sizeof(*buf),
++                          MEMTXATTRS_UNSPECIFIED);
+     if (ret != MEMTX_OK) {
+         qemu_log_mask(LOG_GUEST_ERROR,
+                       "Cannot fetch pte at address=0x%"PRIx64"\n", addr);
+@@ -306,7 +309,8 @@ static int smmu_get_cd(SMMUv3State *s, STE *ste, uint32_t ssid,
+ 
+     trace_smmuv3_get_cd(addr);
+     /* TODO: guarantee 64-bit single-copy atomicity */
+-    ret = dma_memory_read(&address_space_memory, addr, buf, sizeof(*buf));
++    ret = dma_memory_read(&address_space_memory, addr, buf, sizeof(*buf),
++                          MEMTXATTRS_UNSPECIFIED);
+     if (ret != MEMTX_OK) {
+         qemu_log_mask(LOG_GUEST_ERROR,
+                       "Cannot fetch pte at address=0x%"PRIx64"\n", addr);
+@@ -411,7 +415,7 @@ static int smmu_find_ste(SMMUv3State *s, uint32_t sid, STE *ste,
+         l1ptr = (dma_addr_t)(strtab_base + l1_ste_offset * sizeof(l1std));
+         /* TODO: guarantee 64-bit single-copy atomicity */
+         ret = dma_memory_read(&address_space_memory, l1ptr, &l1std,
+-                              sizeof(l1std));
++                              sizeof(l1std), MEMTXATTRS_UNSPECIFIED);
+         if (ret != MEMTX_OK) {
+             qemu_log_mask(LOG_GUEST_ERROR,
+                           "Could not read L1PTR at 0X%"PRIx64"\n", l1ptr);
+diff --git a/hw/core/generic-loader.c b/hw/core/generic-loader.c
+index d14f932..9a24ffb 100644
+--- a/hw/core/generic-loader.c
++++ b/hw/core/generic-loader.c
+@@ -57,7 +57,8 @@ static void generic_loader_reset(void *opaque)
+ 
+     if (s->data_len) {
+         assert(s->data_len < sizeof(s->data));
+-        dma_memory_write(s->cpu->as, s->addr, &s->data, s->data_len);
++        dma_memory_write(s->cpu->as, s->addr, &s->data, s->data_len,
++                         MEMTXATTRS_UNSPECIFIED);
+     }
+ }
+ 
+diff --git a/hw/dma/pl330.c b/hw/dma/pl330.c
+index 0cb4619..31ce01b 100644
+--- a/hw/dma/pl330.c
++++ b/hw/dma/pl330.c
+@@ -1111,7 +1111,8 @@ static inline const PL330InsnDesc *pl330_fetch_insn(PL330Chan *ch)
+     uint8_t opcode;
+     int i;
+ 
+-    dma_memory_read(ch->parent->mem_as, ch->pc, &opcode, 1);
++    dma_memory_read(ch->parent->mem_as, ch->pc, &opcode, 1,
++                    MEMTXATTRS_UNSPECIFIED);
+     for (i = 0; insn_desc[i].size; i++) {
+         if ((opcode & insn_desc[i].opmask) == insn_desc[i].opcode) {
+             return &insn_desc[i];
+@@ -1125,7 +1126,8 @@ static inline void pl330_exec_insn(PL330Chan *ch, const PL330InsnDesc *insn)
+     uint8_t buf[PL330_INSN_MAXSIZE];
+ 
+     assert(insn->size <= PL330_INSN_MAXSIZE);
+-    dma_memory_read(ch->parent->mem_as, ch->pc, buf, insn->size);
++    dma_memory_read(ch->parent->mem_as, ch->pc, buf, insn->size,
++                    MEMTXATTRS_UNSPECIFIED);
+     insn->exec(ch, buf[0], &buf[1], insn->size - 1);
+ }
+ 
+@@ -1189,7 +1191,8 @@ static int pl330_exec_cycle(PL330Chan *channel)
+     if (q != NULL && q->len <= pl330_fifo_num_free(&s->fifo)) {
+         int len = q->len - (q->addr & (q->len - 1));
+ 
+-        dma_memory_read(s->mem_as, q->addr, buf, len);
++        dma_memory_read(s->mem_as, q->addr, buf, len,
++                        MEMTXATTRS_UNSPECIFIED);
+         trace_pl330_exec_cycle(q->addr, len);
+         if (trace_event_get_state_backends(TRACE_PL330_HEXDUMP)) {
+             pl330_hexdump(buf, len);
+@@ -1220,7 +1223,8 @@ static int pl330_exec_cycle(PL330Chan *channel)
+             fifo_res = pl330_fifo_get(&s->fifo, buf, len, q->tag);
+         }
+         if (fifo_res == PL330_FIFO_OK || q->z) {
+-            dma_memory_write(s->mem_as, q->addr, buf, len);
++            dma_memory_write(s->mem_as, q->addr, buf, len,
++                             MEMTXATTRS_UNSPECIFIED);
+             trace_pl330_exec_cycle(q->addr, len);
+             if (trace_event_get_state_backends(TRACE_PL330_HEXDUMP)) {
+                 pl330_hexdump(buf, len);
+diff --git a/hw/dma/sparc32_dma.c b/hw/dma/sparc32_dma.c
+index 03bc500..0ef13c5 100644
+--- a/hw/dma/sparc32_dma.c
++++ b/hw/dma/sparc32_dma.c
+@@ -81,11 +81,11 @@ void ledma_memory_read(void *opaque, hwaddr addr,
+     addr |= s->dmaregs[3];
+     trace_ledma_memory_read(addr, len);
+     if (do_bswap) {
+-        dma_memory_read(&is->iommu_as, addr, buf, len);
++        dma_memory_read(&is->iommu_as, addr, buf, len, MEMTXATTRS_UNSPECIFIED);
+     } else {
+         addr &= ~1;
+         len &= ~1;
+-        dma_memory_read(&is->iommu_as, addr, buf, len);
++        dma_memory_read(&is->iommu_as, addr, buf, len, MEMTXATTRS_UNSPECIFIED);
+         for(i = 0; i < len; i += 2) {
+             bswap16s((uint16_t *)(buf + i));
+         }
+@@ -103,7 +103,8 @@ void ledma_memory_write(void *opaque, hwaddr addr,
+     addr |= s->dmaregs[3];
+     trace_ledma_memory_write(addr, len);
+     if (do_bswap) {
+-        dma_memory_write(&is->iommu_as, addr, buf, len);
++        dma_memory_write(&is->iommu_as, addr, buf, len,
++                         MEMTXATTRS_UNSPECIFIED);
+     } else {
+         addr &= ~1;
+         len &= ~1;
+@@ -114,7 +115,8 @@ void ledma_memory_write(void *opaque, hwaddr addr,
+             for(i = 0; i < l; i += 2) {
+                 tmp_buf[i >> 1] = bswap16(*(uint16_t *)(buf + i));
+             }
+-            dma_memory_write(&is->iommu_as, addr, tmp_buf, l);
++            dma_memory_write(&is->iommu_as, addr, tmp_buf, l,
++                             MEMTXATTRS_UNSPECIFIED);
+             len -= l;
+             buf += l;
+             addr += l;
+@@ -148,7 +150,8 @@ void espdma_memory_read(void *opaque, uint8_t *buf, int len)
+     IOMMUState *is = (IOMMUState *)s->iommu;
+ 
+     trace_espdma_memory_read(s->dmaregs[1], len);
+-    dma_memory_read(&is->iommu_as, s->dmaregs[1], buf, len);
++    dma_memory_read(&is->iommu_as, s->dmaregs[1], buf, len,
++                    MEMTXATTRS_UNSPECIFIED);
+     s->dmaregs[1] += len;
+ }
+ 
+@@ -158,7 +161,8 @@ void espdma_memory_write(void *opaque, uint8_t *buf, int len)
+     IOMMUState *is = (IOMMUState *)s->iommu;
+ 
+     trace_espdma_memory_write(s->dmaregs[1], len);
+-    dma_memory_write(&is->iommu_as, s->dmaregs[1], buf, len);
++    dma_memory_write(&is->iommu_as, s->dmaregs[1], buf, len,
++                     MEMTXATTRS_UNSPECIFIED);
+     s->dmaregs[1] += len;
+ }
+ 
+diff --git a/hw/dma/xlnx-zynq-devcfg.c b/hw/dma/xlnx-zynq-devcfg.c
+index e33112b..f5ad1a0 100644
+--- a/hw/dma/xlnx-zynq-devcfg.c
++++ b/hw/dma/xlnx-zynq-devcfg.c
+@@ -161,12 +161,14 @@ static void xlnx_zynq_devcfg_dma_go(XlnxZynqDevcfg *s)
+             btt = MIN(btt, dmah->dest_len);
+         }
+         DB_PRINT("reading %x bytes from %x\n", btt, dmah->src_addr);
+-        dma_memory_read(&address_space_memory, dmah->src_addr, buf, btt);
++        dma_memory_read(&address_space_memory, dmah->src_addr, buf, btt,
++                        MEMTXATTRS_UNSPECIFIED);
+         dmah->src_len -= btt;
+         dmah->src_addr += btt;
+         if (loopback && (dmah->src_len || dmah->dest_len)) {
+             DB_PRINT("writing %x bytes from %x\n", btt, dmah->dest_addr);
+-            dma_memory_write(&address_space_memory, dmah->dest_addr, buf, btt);
++            dma_memory_write(&address_space_memory, dmah->dest_addr, buf, btt,
++                             MEMTXATTRS_UNSPECIFIED);
+             dmah->dest_len -= btt;
+             dmah->dest_addr += btt;
+         }
+diff --git a/hw/dma/xlnx_dpdma.c b/hw/dma/xlnx_dpdma.c
+index 967548a..2d7eae7 100644
+--- a/hw/dma/xlnx_dpdma.c
++++ b/hw/dma/xlnx_dpdma.c
+@@ -652,7 +652,7 @@ size_t xlnx_dpdma_start_operation(XlnxDPDMAState *s, uint8_t channel,
+         }
+ 
+         if (dma_memory_read(&address_space_memory, desc_addr, &desc,
+-                            sizeof(DPDMADescriptor))) {
++                            sizeof(DPDMADescriptor), MEMTXATTRS_UNSPECIFIED)) {
+             s->registers[DPDMA_EISR] |= ((1 << 1) << channel);
+             xlnx_dpdma_update_irq(s);
+             s->operation_finished[channel] = true;
+@@ -708,7 +708,8 @@ size_t xlnx_dpdma_start_operation(XlnxDPDMAState *s, uint8_t channel,
+                     if (dma_memory_read(&address_space_memory,
+                                         source_addr[0],
+                                         &s->data[channel][ptr],
+-                                        line_size)) {
++                                        line_size,
++                                        MEMTXATTRS_UNSPECIFIED)) {
+                         s->registers[DPDMA_ISR] |= ((1 << 12) << channel);
+                         xlnx_dpdma_update_irq(s);
+                         DPRINTF("Can't get data.\n");
+@@ -736,7 +737,8 @@ size_t xlnx_dpdma_start_operation(XlnxDPDMAState *s, uint8_t channel,
+                     if (dma_memory_read(&address_space_memory,
+                                         source_addr[frag],
+                                         &(s->data[channel][ptr]),
+-                                        fragment_len)) {
++                                        fragment_len,
++                                        MEMTXATTRS_UNSPECIFIED)) {
+                         s->registers[DPDMA_ISR] |= ((1 << 12) << channel);
+                         xlnx_dpdma_update_irq(s);
+                         DPRINTF("Can't get data.\n");
+@@ -754,7 +756,7 @@ size_t xlnx_dpdma_start_operation(XlnxDPDMAState *s, uint8_t channel,
+             DPRINTF("update the descriptor with the done flag set.\n");
+             xlnx_dpdma_desc_set_done(&desc);
+             dma_memory_write(&address_space_memory, desc_addr, &desc,
+-                             sizeof(DPDMADescriptor));
++                             sizeof(DPDMADescriptor), MEMTXATTRS_UNSPECIFIED);
+         }
+ 
+         if (xlnx_dpdma_desc_completion_interrupt(&desc)) {
+diff --git a/hw/i386/amd_iommu.c b/hw/i386/amd_iommu.c
+index 91fe34a..4d13d8e 100644
+--- a/hw/i386/amd_iommu.c
++++ b/hw/i386/amd_iommu.c
+@@ -181,7 +181,7 @@ static void amdvi_log_event(AMDVIState *s, uint64_t *evt)
+     }
+ 
+     if (dma_memory_write(&address_space_memory, s->evtlog + s->evtlog_tail,
+-                         evt, AMDVI_EVENT_LEN)) {
++                         evt, AMDVI_EVENT_LEN, MEMTXATTRS_UNSPECIFIED)) {
+         trace_amdvi_evntlog_fail(s->evtlog, s->evtlog_tail);
+     }
+ 
+@@ -376,7 +376,8 @@ static void amdvi_completion_wait(AMDVIState *s, uint64_t *cmd)
+     }
+     if (extract64(cmd[0], 0, 1)) {
+         if (dma_memory_write(&address_space_memory, addr, &data,
+-            AMDVI_COMPLETION_DATA_SIZE)) {
++                             AMDVI_COMPLETION_DATA_SIZE,
++                             MEMTXATTRS_UNSPECIFIED)) {
+             trace_amdvi_completion_wait_fail(addr);
+         }
+     }
+@@ -502,7 +503,7 @@ static void amdvi_cmdbuf_exec(AMDVIState *s)
+     uint64_t cmd[2];
+ 
+     if (dma_memory_read(&address_space_memory, s->cmdbuf + s->cmdbuf_head,
+-        cmd, AMDVI_COMMAND_SIZE)) {
++                        cmd, AMDVI_COMMAND_SIZE, MEMTXATTRS_UNSPECIFIED)) {
+         trace_amdvi_command_read_fail(s->cmdbuf, s->cmdbuf_head);
+         amdvi_log_command_error(s, s->cmdbuf + s->cmdbuf_head);
+         return;
+@@ -836,7 +837,7 @@ static bool amdvi_get_dte(AMDVIState *s, int devid, uint64_t *entry)
+     uint32_t offset = devid * AMDVI_DEVTAB_ENTRY_SIZE;
+ 
+     if (dma_memory_read(&address_space_memory, s->devtab + offset, entry,
+-        AMDVI_DEVTAB_ENTRY_SIZE)) {
++                        AMDVI_DEVTAB_ENTRY_SIZE, MEMTXATTRS_UNSPECIFIED)) {
+         trace_amdvi_dte_get_fail(s->devtab, offset);
+         /* log error accessing dte */
+         amdvi_log_devtab_error(s, devid, s->devtab + offset, 0);
+@@ -881,7 +882,8 @@ static inline uint64_t amdvi_get_pte_entry(AMDVIState *s, uint64_t pte_addr,
+ {
+     uint64_t pte;
+ 
+-    if (dma_memory_read(&address_space_memory, pte_addr, &pte, sizeof(pte))) {
++    if (dma_memory_read(&address_space_memory, pte_addr,
++                        &pte, sizeof(pte), MEMTXATTRS_UNSPECIFIED)) {
+         trace_amdvi_get_pte_hwerror(pte_addr);
+         amdvi_log_pagetab_error(s, devid, pte_addr, 0);
+         pte = 0;
+@@ -1048,7 +1050,7 @@ static int amdvi_get_irte(AMDVIState *s, MSIMessage *origin, uint64_t *dte,
+     trace_amdvi_ir_irte(irte_root, offset);
+ 
+     if (dma_memory_read(&address_space_memory, irte_root + offset,
+-                        irte, sizeof(*irte))) {
++                        irte, sizeof(*irte), MEMTXATTRS_UNSPECIFIED)) {
+         trace_amdvi_ir_err("failed to get irte");
+         return -AMDVI_IR_GET_IRTE;
+     }
+@@ -1108,7 +1110,7 @@ static int amdvi_get_irte_ga(AMDVIState *s, MSIMessage *origin, uint64_t *dte,
+     trace_amdvi_ir_irte(irte_root, offset);
+ 
+     if (dma_memory_read(&address_space_memory, irte_root + offset,
+-                        irte, sizeof(*irte))) {
++                        irte, sizeof(*irte), MEMTXATTRS_UNSPECIFIED)) {
+         trace_amdvi_ir_err("failed to get irte_ga");
+         return -AMDVI_IR_GET_IRTE;
+     }
+diff --git a/hw/i386/intel_iommu.c b/hw/i386/intel_iommu.c
+index f584449..5b865ac 100644
+--- a/hw/i386/intel_iommu.c
++++ b/hw/i386/intel_iommu.c
+@@ -569,7 +569,8 @@ static int vtd_get_root_entry(IntelIOMMUState *s, uint8_t index,
+     dma_addr_t addr;
+ 
+     addr = s->root + index * sizeof(*re);
+-    if (dma_memory_read(&address_space_memory, addr, re, sizeof(*re))) {
++    if (dma_memory_read(&address_space_memory, addr,
++                        re, sizeof(*re), MEMTXATTRS_UNSPECIFIED)) {
+         re->lo = 0;
+         return -VTD_FR_ROOT_TABLE_INV;
+     }
+@@ -602,7 +603,8 @@ static int vtd_get_context_entry_from_root(IntelIOMMUState *s,
+     }
+ 
+     addr = addr + index * ce_size;
+-    if (dma_memory_read(&address_space_memory, addr, ce, ce_size)) {
++    if (dma_memory_read(&address_space_memory, addr,
++                        ce, ce_size, MEMTXATTRS_UNSPECIFIED)) {
+         return -VTD_FR_CONTEXT_TABLE_INV;
+     }
+ 
+@@ -639,8 +641,8 @@ static uint64_t vtd_get_slpte(dma_addr_t base_addr, uint32_t index)
+     assert(index < VTD_SL_PT_ENTRY_NR);
+ 
+     if (dma_memory_read(&address_space_memory,
+-                        base_addr + index * sizeof(slpte), &slpte,
+-                        sizeof(slpte))) {
++                        base_addr + index * sizeof(slpte),
++                        &slpte, sizeof(slpte), MEMTXATTRS_UNSPECIFIED)) {
+         slpte = (uint64_t)-1;
+         return slpte;
+     }
+@@ -704,7 +706,8 @@ static int vtd_get_pdire_from_pdir_table(dma_addr_t pasid_dir_base,
+     index = VTD_PASID_DIR_INDEX(pasid);
+     entry_size = VTD_PASID_DIR_ENTRY_SIZE;
+     addr = pasid_dir_base + index * entry_size;
+-    if (dma_memory_read(&address_space_memory, addr, pdire, entry_size)) {
++    if (dma_memory_read(&address_space_memory, addr,
++                        pdire, entry_size, MEMTXATTRS_UNSPECIFIED)) {
+         return -VTD_FR_PASID_TABLE_INV;
+     }
+ 
+@@ -728,7 +731,8 @@ static int vtd_get_pe_in_pasid_leaf_table(IntelIOMMUState *s,
+     index = VTD_PASID_TABLE_INDEX(pasid);
+     entry_size = VTD_PASID_ENTRY_SIZE;
+     addr = addr + index * entry_size;
+-    if (dma_memory_read(&address_space_memory, addr, pe, entry_size)) {
++    if (dma_memory_read(&address_space_memory, addr,
++                        pe, entry_size, MEMTXATTRS_UNSPECIFIED)) {
+         return -VTD_FR_PASID_TABLE_INV;
+     }
+ 
+@@ -2275,7 +2279,8 @@ static bool vtd_get_inv_desc(IntelIOMMUState *s,
+     uint32_t dw = s->iq_dw ? 32 : 16;
+     dma_addr_t addr = base_addr + offset * dw;
+ 
+-    if (dma_memory_read(&address_space_memory, addr, inv_desc, dw)) {
++    if (dma_memory_read(&address_space_memory, addr,
++                        inv_desc, dw, MEMTXATTRS_UNSPECIFIED)) {
+         error_report_once("Read INV DESC failed.");
+         return false;
+     }
+@@ -2308,8 +2313,9 @@ static bool vtd_process_wait_desc(IntelIOMMUState *s, VTDInvDesc *inv_desc)
+         dma_addr_t status_addr = inv_desc->hi;
+         trace_vtd_inv_desc_wait_sw(status_addr, status_data);
+         status_data = cpu_to_le32(status_data);
+-        if (dma_memory_write(&address_space_memory, status_addr, &status_data,
+-                             sizeof(status_data))) {
++        if (dma_memory_write(&address_space_memory, status_addr,
++                             &status_data, sizeof(status_data),
++                             MEMTXATTRS_UNSPECIFIED)) {
+             trace_vtd_inv_desc_wait_write_fail(inv_desc->hi, inv_desc->lo);
+             return false;
+         }
+@@ -3120,8 +3126,8 @@ static int vtd_irte_get(IntelIOMMUState *iommu, uint16_t index,
+     }
+ 
+     addr = iommu->intr_root + index * sizeof(*entry);
+-    if (dma_memory_read(&address_space_memory, addr, entry,
+-                        sizeof(*entry))) {
++    if (dma_memory_read(&address_space_memory, addr,
++                        entry, sizeof(*entry), MEMTXATTRS_UNSPECIFIED)) {
+         error_report_once("%s: read failed: ind=0x%x addr=0x%" PRIx64,
+                           __func__, index, addr);
+         return -VTD_FR_IR_ROOT_INVAL;
+diff --git a/hw/ide/macio.c b/hw/ide/macio.c
+index b03d401..f08318c 100644
+--- a/hw/ide/macio.c
++++ b/hw/ide/macio.c
+@@ -97,7 +97,7 @@ static void pmac_ide_atapi_transfer_cb(void *opaque, int ret)
+         /* Non-block ATAPI transfer - just copy to RAM */
+         s->io_buffer_size = MIN(s->io_buffer_size, io->len);
+         dma_memory_write(&address_space_memory, io->addr, s->io_buffer,
+-                         s->io_buffer_size);
++                         s->io_buffer_size, MEMTXATTRS_UNSPECIFIED);
+         io->len = 0;
+         ide_atapi_cmd_ok(s);
+         m->dma_active = false;
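Review bot: the dma_memory_write() to io->addr is unchecked and ide_atapi_cmd_ok(s) follows unconditionally, so a copy that never reached guest RAM is still reported as a successful ATAPI command. Now that the call takes explicit attributes, it would be worth testing the result and failing the command when the write does not complete.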
+diff --git a/hw/intc/xive.c b/hw/intc/xive.c
+index 190194d..f15f985 100644
+--- a/hw/intc/xive.c
++++ b/hw/intc/xive.c
+@@ -1246,8 +1246,8 @@ void xive_end_queue_pic_print_info(XiveEND *end, uint32_t width, Monitor *mon)
+         uint64_t qaddr = qaddr_base + (qindex << 2);
+         uint32_t qdata = -1;
+ 
+-        if (dma_memory_read(&address_space_memory, qaddr, &qdata,
+-                            sizeof(qdata))) {
++        if (dma_memory_read(&address_space_memory, qaddr,
++                            &qdata, sizeof(qdata), MEMTXATTRS_UNSPECIFIED)) {
+             qemu_log_mask(LOG_GUEST_ERROR, "XIVE: failed to read EQ @0x%"
+                           HWADDR_PRIx "\n", qaddr);
+             return;
+@@ -1311,7 +1311,8 @@ static void xive_end_enqueue(XiveEND *end, uint32_t data)
+     uint32_t qdata = cpu_to_be32((qgen << 31) | (data & 0x7fffffff));
+     uint32_t qentries = 1 << (qsize + 10);
+ 
+-    if (dma_memory_write(&address_space_memory, qaddr, &qdata, sizeof(qdata))) {
++    if (dma_memory_write(&address_space_memory, qaddr,
++                         &qdata, sizeof(qdata), MEMTXATTRS_UNSPECIFIED)) {
+         qemu_log_mask(LOG_GUEST_ERROR, "XIVE: failed to write END data @0x%"
+                       HWADDR_PRIx "\n", qaddr);
+         return;
+diff --git a/hw/misc/bcm2835_property.c b/hw/misc/bcm2835_property.c
+index 73941bd..76ea511 100644
+--- a/hw/misc/bcm2835_property.c
++++ b/hw/misc/bcm2835_property.c
+@@ -69,7 +69,8 @@ static void bcm2835_property_mbox_push(BCM2835PropertyState *s, uint32_t value)
+             break;
+         case 0x00010003: /* Get board MAC address */
+             resplen = sizeof(s->macaddr.a);
+-            dma_memory_write(&s->dma_as, value + 12, s->macaddr.a, resplen);
++            dma_memory_write(&s->dma_as, value + 12, s->macaddr.a, resplen,
++                             MEMTXATTRS_UNSPECIFIED);
+             break;
+         case 0x00010004: /* Get board serial */
+             qemu_log_mask(LOG_UNIMP,
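Review bot: in the 0x00010003 case the write target value + 12 is derived from the value argument of bcm2835_property_mbox_push(), and the dma_memory_write() result is dropped, so a write to an unmapped or rejected address fails silently. Suggest checking the result and emitting a qemu_log_mask(LOG_GUEST_ERROR, ...) line, the way the xive and ftgmac100 hunks in this patch report failed accesses.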
+diff --git a/hw/misc/macio/mac_dbdma.c b/hw/misc/macio/mac_dbdma.c
+index e220f1a..efcc026 100644
+--- a/hw/misc/macio/mac_dbdma.c
++++ b/hw/misc/macio/mac_dbdma.c
+@@ -94,7 +94,7 @@ static void dbdma_cmdptr_load(DBDMA_channel *ch)
+     DBDMA_DPRINTFCH(ch, "dbdma_cmdptr_load 0x%08x\n",
+                     ch->regs[DBDMA_CMDPTR_LO]);
+     dma_memory_read(&address_space_memory, ch->regs[DBDMA_CMDPTR_LO],
+-                    &ch->current, sizeof(dbdma_cmd));
++                    &ch->current, sizeof(dbdma_cmd), MEMTXATTRS_UNSPECIFIED);
+ }
+ 
+ static void dbdma_cmdptr_save(DBDMA_channel *ch)
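Review bot: dbdma_cmdptr_load() ignores the dma_memory_read() result, so when the read from ch->regs[DBDMA_CMDPTR_LO] fails, ch->current keeps the previous command and nothing tells the caller. The helper returns void; returning the read result (or clearing ch->current on failure) would let the channel logic stop instead of working from a stale descriptor.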
+@@ -104,7 +104,7 @@ static void dbdma_cmdptr_save(DBDMA_channel *ch)
+                     le16_to_cpu(ch->current.xfer_status),
+                     le16_to_cpu(ch->current.res_count));
+     dma_memory_write(&address_space_memory, ch->regs[DBDMA_CMDPTR_LO],
+-                     &ch->current, sizeof(dbdma_cmd));
++                     &ch->current, sizeof(dbdma_cmd), MEMTXATTRS_UNSPECIFIED);
+ }
+ 
+ static void kill_channel(DBDMA_channel *ch)
+@@ -371,7 +371,8 @@ static void load_word(DBDMA_channel *ch, int key, uint32_t addr,
+         return;
+     }
+ 
+-    dma_memory_read(&address_space_memory, addr, &current->cmd_dep, len);
++    dma_memory_read(&address_space_memory, addr, &current->cmd_dep, len,
++                    MEMTXATTRS_UNSPECIFIED);
+ 
+     if (conditional_wait(ch))
+         goto wait;
+@@ -403,7 +404,8 @@ static void store_word(DBDMA_channel *ch, int key, uint32_t addr,
+         return;
+     }
+ 
+-    dma_memory_write(&address_space_memory, addr, &current->cmd_dep, len);
++    dma_memory_write(&address_space_memory, addr, &current->cmd_dep, len,
++                     MEMTXATTRS_UNSPECIFIED);
+ 
+     if (conditional_wait(ch))
+         goto wait;
+diff --git a/hw/net/allwinner-sun8i-emac.c b/hw/net/allwinner-sun8i-emac.c
+index ff611f1..ecc0245 100644
+--- a/hw/net/allwinner-sun8i-emac.c
++++ b/hw/net/allwinner-sun8i-emac.c
+@@ -350,7 +350,8 @@ static void allwinner_sun8i_emac_get_desc(AwSun8iEmacState *s,
+                                           FrameDescriptor *desc,
+                                           uint32_t phys_addr)
+ {
+-    dma_memory_read(&s->dma_as, phys_addr, desc, sizeof(*desc));
++    dma_memory_read(&s->dma_as, phys_addr, desc, sizeof(*desc),
++                    MEMTXATTRS_UNSPECIFIED);
+ }
+ 
+ static uint32_t allwinner_sun8i_emac_next_desc(AwSun8iEmacState *s,
+@@ -402,7 +403,8 @@ static void allwinner_sun8i_emac_flush_desc(AwSun8iEmacState *s,
+                                             FrameDescriptor *desc,
+                                             uint32_t phys_addr)
+ {
+-    dma_memory_write(&s->dma_as, phys_addr, desc, sizeof(*desc));
++    dma_memory_write(&s->dma_as, phys_addr, desc, sizeof(*desc),
++                     MEMTXATTRS_UNSPECIFIED);
+ }
+ 
+ static bool allwinner_sun8i_emac_can_receive(NetClientState *nc)
+@@ -460,7 +462,8 @@ static ssize_t allwinner_sun8i_emac_receive(NetClientState *nc,
+                             << RX_DESC_STATUS_FRM_LEN_SHIFT;
+         }
+ 
+-        dma_memory_write(&s->dma_as, desc.addr, buf, desc_bytes);
++        dma_memory_write(&s->dma_as, desc.addr, buf, desc_bytes,
++                         MEMTXATTRS_UNSPECIFIED);
+         allwinner_sun8i_emac_flush_desc(s, &desc, s->rx_desc_curr);
+         trace_allwinner_sun8i_emac_receive(s->rx_desc_curr, desc.addr,
+                                            desc_bytes);
+@@ -512,7 +515,8 @@ static void allwinner_sun8i_emac_transmit(AwSun8iEmacState *s)
+             desc.status |= TX_DESC_STATUS_LENGTH_ERR;
+             break;
+         }
+-        dma_memory_read(&s->dma_as, desc.addr, packet_buf + packet_bytes, bytes);
++        dma_memory_read(&s->dma_as, desc.addr, packet_buf + packet_bytes,
++                        bytes, MEMTXATTRS_UNSPECIFIED);
+         packet_bytes += bytes;
+         desc.status &= ~DESC_STATUS_CTL;
+         allwinner_sun8i_emac_flush_desc(s, &desc, s->tx_desc_curr);
+@@ -634,7 +638,8 @@ static uint64_t allwinner_sun8i_emac_read(void *opaque, hwaddr offset,
+         break;
+     case REG_TX_CUR_BUF:        /* Transmit Current Buffer */
+         if (s->tx_desc_curr != 0) {
+-            dma_memory_read(&s->dma_as, s->tx_desc_curr, &desc, sizeof(desc));
++            dma_memory_read(&s->dma_as, s->tx_desc_curr, &desc, sizeof(desc),
++                            MEMTXATTRS_UNSPECIFIED);
+             value = desc.addr;
+         } else {
+             value = 0;
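Review bot: for REG_TX_CUR_BUF, value = desc.addr is taken straight after an unchecked dma_memory_read(); if the read fails, desc.addr is whatever desc held beforehand and that is what this register read hands back to the guest. Check the result and fall back to value = 0 on failure, or zero-initialise desc. The REG_RX_CUR_BUF case in the next hunk has the same shape.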
+@@ -647,7 +652,8 @@ static uint64_t allwinner_sun8i_emac_read(void *opaque, hwaddr offset,
+         break;
+     case REG_RX_CUR_BUF:        /* Receive Current Buffer */
+         if (s->rx_desc_curr != 0) {
+-            dma_memory_read(&s->dma_as, s->rx_desc_curr, &desc, sizeof(desc));
++            dma_memory_read(&s->dma_as, s->rx_desc_curr, &desc, sizeof(desc),
++                            MEMTXATTRS_UNSPECIFIED);
+             value = desc.addr;
+         } else {
+             value = 0;
+diff --git a/hw/net/ftgmac100.c b/hw/net/ftgmac100.c
+index 25685ba..83ef0a7 100644
+--- a/hw/net/ftgmac100.c
++++ b/hw/net/ftgmac100.c
+@@ -453,7 +453,8 @@ static void do_phy_ctl(FTGMAC100State *s)
+ 
+ static int ftgmac100_read_bd(FTGMAC100Desc *bd, dma_addr_t addr)
+ {
+-    if (dma_memory_read(&address_space_memory, addr, bd, sizeof(*bd))) {
++    if (dma_memory_read(&address_space_memory, addr,
++                        bd, sizeof(*bd), MEMTXATTRS_UNSPECIFIED)) {
+         qemu_log_mask(LOG_GUEST_ERROR, "%s: failed to read descriptor @ 0x%"
+                       HWADDR_PRIx "\n", __func__, addr);
+         return -1;
+@@ -473,7 +474,8 @@ static int ftgmac100_write_bd(FTGMAC100Desc *bd, dma_addr_t addr)
+     lebd.des1 = cpu_to_le32(bd->des1);
+     lebd.des2 = cpu_to_le32(bd->des2);
+     lebd.des3 = cpu_to_le32(bd->des3);
+-    if (dma_memory_write(&address_space_memory, addr, &lebd, sizeof(lebd))) {
++    if (dma_memory_write(&address_space_memory, addr,
++                         &lebd, sizeof(lebd), MEMTXATTRS_UNSPECIFIED)) {
+         qemu_log_mask(LOG_GUEST_ERROR, "%s: failed to write descriptor @ 0x%"
+                       HWADDR_PRIx "\n", __func__, addr);
+         return -1;
+@@ -554,7 +556,8 @@ static void ftgmac100_do_tx(FTGMAC100State *s, uint32_t tx_ring,
+             len =  sizeof(s->frame) - frame_size;
+         }
+ 
+-        if (dma_memory_read(&address_space_memory, bd.des3, ptr, len)) {
++        if (dma_memory_read(&address_space_memory, bd.des3,
++                            ptr, len, MEMTXATTRS_UNSPECIFIED)) {
+             qemu_log_mask(LOG_GUEST_ERROR, "%s: failed to read packet @ 0x%x\n",
+                           __func__, bd.des3);
+             s->isr |= FTGMAC100_INT_AHB_ERR;
+@@ -1030,20 +1033,24 @@ static ssize_t ftgmac100_receive(NetClientState *nc, const uint8_t *buf,
+             bd.des1 = lduw_be_p(buf + 14) | FTGMAC100_RXDES1_VLANTAG_AVAIL;
+ 
+             if (s->maccr & FTGMAC100_MACCR_RM_VLAN) {
+-                dma_memory_write(&address_space_memory, buf_addr, buf, 12);
+-                dma_memory_write(&address_space_memory, buf_addr + 12, buf + 16,
+-                                 buf_len - 16);
++                dma_memory_write(&address_space_memory, buf_addr, buf, 12,
++                                 MEMTXATTRS_UNSPECIFIED);
++                dma_memory_write(&address_space_memory, buf_addr + 12,
++                                 buf + 16, buf_len - 16,
++                                 MEMTXATTRS_UNSPECIFIED);
+             } else {
+-                dma_memory_write(&address_space_memory, buf_addr, buf, buf_len);
++                dma_memory_write(&address_space_memory, buf_addr, buf,
++                                 buf_len, MEMTXATTRS_UNSPECIFIED);
+             }
+         } else {
+             bd.des1 = 0;
+-            dma_memory_write(&address_space_memory, buf_addr, buf, buf_len);
++            dma_memory_write(&address_space_memory, buf_addr, buf, buf_len,
++                             MEMTXATTRS_UNSPECIFIED);
+         }
+         buf += buf_len;
+         if (size < 4) {
+             dma_memory_write(&address_space_memory, buf_addr + buf_len,
+-                             crc_ptr, 4 - size);
++                             crc_ptr, 4 - size, MEMTXATTRS_UNSPECIFIED);
+             crc_ptr += 4 - size;
+         }
+ 
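Review bot: every dma_memory_write() in this receive path, including the CRC write at buf_addr + buf_len, discards its result, while ftgmac100_read_bd(), ftgmac100_write_bd() and the TX read in ftgmac100_do_tx() all check it and log LOG_GUEST_ERROR. For consistency the RX side should test the writes as well and raise FTGMAC100_INT_AHB_ERR the way the TX path does, otherwise a frame that never landed in guest memory is still completed in the descriptor.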
+diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c
+index 9c7035b..0db9aaf 100644
+--- a/hw/net/imx_fec.c
++++ b/hw/net/imx_fec.c
+@@ -387,19 +387,22 @@ static void imx_phy_write(IMXFECState *s, int reg, uint32_t val)
+ 
+ static void imx_fec_read_bd(IMXFECBufDesc *bd, dma_addr_t addr)
+ {
+-    dma_memory_read(&address_space_memory, addr, bd, sizeof(*bd));
++    dma_memory_read(&address_space_memory, addr, bd, sizeof(*bd),
++                    MEMTXATTRS_UNSPECIFIED);
+ 
+     trace_imx_fec_read_bd(addr, bd->flags, bd->length, bd->data);
+ }
+ 
+ static void imx_fec_write_bd(IMXFECBufDesc *bd, dma_addr_t addr)
+ {
+-    dma_memory_write(&address_space_memory, addr, bd, sizeof(*bd));
++    dma_memory_write(&address_space_memory, addr, bd, sizeof(*bd),
++                     MEMTXATTRS_UNSPECIFIED);
+ }
+ 
+ static void imx_enet_read_bd(IMXENETBufDesc *bd, dma_addr_t addr)
+ {
+-    dma_memory_read(&address_space_memory, addr, bd, sizeof(*bd));
++    dma_memory_read(&address_space_memory, addr, bd, sizeof(*bd),
++                    MEMTXATTRS_UNSPECIFIED);
+ 
+     trace_imx_enet_read_bd(addr, bd->flags, bd->length, bd->data,
+                    bd->option, bd->status);
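Review bot: imx_fec_read_bd() and imx_enet_read_bd() drop the dma_memory_read() result and then trace bd->flags, bd->length and bd->data, so after a failed read the trace and the callers see whatever the caller's bd contained before. Both helpers return void; returning the read result would let imx_fec_do_tx() and imx_enet_do_tx() stop before using bd.data as a DMA address.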
+@@ -407,7 +410,8 @@ static void imx_enet_read_bd(IMXENETBufDesc *bd, dma_addr_t addr)
+ 
+ static void imx_enet_write_bd(IMXENETBufDesc *bd, dma_addr_t addr)
+ {
+-    dma_memory_write(&address_space_memory, addr, bd, sizeof(*bd));
++    dma_memory_write(&address_space_memory, addr, bd, sizeof(*bd),
++                     MEMTXATTRS_UNSPECIFIED);
+ }
+ 
+ static void imx_eth_update(IMXFECState *s)
+@@ -474,7 +478,8 @@ static void imx_fec_do_tx(IMXFECState *s)
+             len = ENET_MAX_FRAME_SIZE - frame_size;
+             s->regs[ENET_EIR] |= ENET_INT_BABT;
+         }
+-        dma_memory_read(&address_space_memory, bd.data, ptr, len);
++        dma_memory_read(&address_space_memory, bd.data, ptr, len,
++                        MEMTXATTRS_UNSPECIFIED);
+         ptr += len;
+         frame_size += len;
+         if (bd.flags & ENET_BD_L) {
+@@ -555,7 +560,8 @@ static void imx_enet_do_tx(IMXFECState *s, uint32_t index)
+             len = ENET_MAX_FRAME_SIZE - frame_size;
+             s->regs[ENET_EIR] |= ENET_INT_BABT;
+         }
+-        dma_memory_read(&address_space_memory, bd.data, ptr, len);
++        dma_memory_read(&address_space_memory, bd.data, ptr, len,
++                        MEMTXATTRS_UNSPECIFIED);
+         ptr += len;
+         frame_size += len;
+         if (bd.flags & ENET_BD_L) {
+@@ -1103,11 +1109,12 @@ static ssize_t imx_fec_receive(NetClientState *nc, const uint8_t *buf,
+             buf_len += size - 4;
+         }
+         buf_addr = bd.data;
+-        dma_memory_write(&address_space_memory, buf_addr, buf, buf_len);
++        dma_memory_write(&address_space_memory, buf_addr, buf, buf_len,
++                         MEMTXATTRS_UNSPECIFIED);
+         buf += buf_len;
+         if (size < 4) {
+             dma_memory_write(&address_space_memory, buf_addr + buf_len,
+-                             crc_ptr, 4 - size);
++                             crc_ptr, 4 - size, MEMTXATTRS_UNSPECIFIED);
+             crc_ptr += 4 - size;
+         }
+         bd.flags &= ~ENET_BD_E;
+@@ -1210,8 +1217,8 @@ static ssize_t imx_enet_receive(NetClientState *nc, const uint8_t *buf,
+              */
+             const uint8_t zeros[2] = { 0 };
+ 
+-            dma_memory_write(&address_space_memory, buf_addr,
+-                             zeros, sizeof(zeros));
++            dma_memory_write(&address_space_memory, buf_addr, zeros,
++                             sizeof(zeros), MEMTXATTRS_UNSPECIFIED);
+ 
+             buf_addr += sizeof(zeros);
+             buf_len  -= sizeof(zeros);
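Review bot: style point on the first dma_memory_write() here: the change moves zeros up onto the first line in addition to appending the new argument. Keeping the original line break and only adding MEMTXATTRS_UNSPECIFIED after sizeof(zeros) would limit the change to one line and make this backport easier to compare against later changes to the same call.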
+@@ -1220,11 +1227,12 @@ static ssize_t imx_enet_receive(NetClientState *nc, const uint8_t *buf,
+             shift16 = false;
+         }
+ 
+-        dma_memory_write(&address_space_memory, buf_addr, buf, buf_len);
++        dma_memory_write(&address_space_memory, buf_addr, buf, buf_len,
++                         MEMTXATTRS_UNSPECIFIED);
+         buf += buf_len;
+         if (size < 4) {
+             dma_memory_write(&address_space_memory, buf_addr + buf_len,
+-                             crc_ptr, 4 - size);
++                             crc_ptr, 4 - size, MEMTXATTRS_UNSPECIFIED);
+             crc_ptr += 4 - size;
+         }
+         bd.flags &= ~ENET_BD_E;
+diff --git a/hw/net/npcm7xx_emc.c b/hw/net/npcm7xx_emc.c
+index 545b2b7..9a23289 100644
+--- a/hw/net/npcm7xx_emc.c
++++ b/hw/net/npcm7xx_emc.c
+@@ -200,7 +200,8 @@ static void emc_update_irq_from_reg_change(NPCM7xxEMCState *emc)
+ 
+ static int emc_read_tx_desc(dma_addr_t addr, NPCM7xxEMCTxDesc *desc)
+ {
+-    if (dma_memory_read(&address_space_memory, addr, desc, sizeof(*desc))) {
++    if (dma_memory_read(&address_space_memory, addr, desc,
++                        sizeof(*desc), MEMTXATTRS_UNSPECIFIED)) {
+         qemu_log_mask(LOG_GUEST_ERROR, "%s: Failed to read descriptor @ 0x%"
+                       HWADDR_PRIx "\n", __func__, addr);
+         return -1;
+@@ -221,7 +222,7 @@ static int emc_write_tx_desc(const NPCM7xxEMCTxDesc *desc, dma_addr_t addr)
+     le_desc.status_and_length = cpu_to_le32(desc->status_and_length);
+     le_desc.ntxdsa = cpu_to_le32(desc->ntxdsa);
+     if (dma_memory_write(&address_space_memory, addr, &le_desc,
+-                         sizeof(le_desc))) {
++                         sizeof(le_desc), MEMTXATTRS_UNSPECIFIED)) {
+         qemu_log_mask(LOG_GUEST_ERROR, "%s: Failed to write descriptor @ 0x%"
+                       HWADDR_PRIx "\n", __func__, addr);
+         return -1;
+@@ -231,7 +232,8 @@ static int emc_write_tx_desc(const NPCM7xxEMCTxDesc *desc, dma_addr_t addr)
+ 
+ static int emc_read_rx_desc(dma_addr_t addr, NPCM7xxEMCRxDesc *desc)
+ {
+-    if (dma_memory_read(&address_space_memory, addr, desc, sizeof(*desc))) {
++    if (dma_memory_read(&address_space_memory, addr, desc,
++                        sizeof(*desc), MEMTXATTRS_UNSPECIFIED)) {
+         qemu_log_mask(LOG_GUEST_ERROR, "%s: Failed to read descriptor @ 0x%"
+                       HWADDR_PRIx "\n", __func__, addr);
+         return -1;
+@@ -252,7 +254,7 @@ static int emc_write_rx_desc(const NPCM7xxEMCRxDesc *desc, dma_addr_t addr)
+     le_desc.reserved = cpu_to_le32(desc->reserved);
+     le_desc.nrxdsa = cpu_to_le32(desc->nrxdsa);
+     if (dma_memory_write(&address_space_memory, addr, &le_desc,
+-                         sizeof(le_desc))) {
++                         sizeof(le_desc), MEMTXATTRS_UNSPECIFIED)) {
+         qemu_log_mask(LOG_GUEST_ERROR, "%s: Failed to write descriptor @ 0x%"
+                       HWADDR_PRIx "\n", __func__, addr);
+         return -1;
+@@ -366,7 +368,8 @@ static void emc_try_send_next_packet(NPCM7xxEMCState *emc)
+         buf = malloced_buf;
+     }
+ 
+-    if (dma_memory_read(&address_space_memory, next_buf_addr, buf, length)) {
++    if (dma_memory_read(&address_space_memory, next_buf_addr, buf,
++                        length, MEMTXATTRS_UNSPECIFIED)) {
+         qemu_log_mask(LOG_GUEST_ERROR, "%s: Failed to read packet @ 0x%x\n",
+                       __func__, next_buf_addr);
+         emc_set_mista(emc, REG_MISTA_TXBERR);
+@@ -551,10 +554,11 @@ static ssize_t emc_receive(NetClientState *nc, const uint8_t *buf, size_t len1)
+ 
+     buf_addr = rx_desc.rxbsa;
+     emc->regs[REG_CRXBSA] = buf_addr;
+-    if (dma_memory_write(&address_space_memory, buf_addr, buf, len) ||
++    if (dma_memory_write(&address_space_memory, buf_addr, buf,
++                         len, MEMTXATTRS_UNSPECIFIED) ||
+         (!(emc->regs[REG_MCMDR] & REG_MCMDR_SPCRC) &&
+-         dma_memory_write(&address_space_memory, buf_addr + len, crc_ptr,
+-                          4))) {
++         dma_memory_write(&address_space_memory, buf_addr + len,
++                          crc_ptr, 4, MEMTXATTRS_UNSPECIFIED))) {
+         qemu_log_mask(LOG_GUEST_ERROR, "%s: Bus error writing packet\n",
+                       __func__);
+         emc_set_mista(emc, REG_MISTA_RXBERR);
+diff --git a/hw/nvram/fw_cfg.c b/hw/nvram/fw_cfg.c
+index f7803fe..9b91b15 100644
+--- a/hw/nvram/fw_cfg.c
++++ b/hw/nvram/fw_cfg.c
+@@ -357,7 +357,8 @@ static void fw_cfg_dma_transfer(FWCfgState *s)
+     dma_addr = s->dma_addr;
+     s->dma_addr = 0;
+ 
+-    if (dma_memory_read(s->dma_as, dma_addr, &dma, sizeof(dma))) {
++    if (dma_memory_read(s->dma_as, dma_addr,
++                        &dma, sizeof(dma), MEMTXATTRS_UNSPECIFIED)) {
+         stl_be_dma(s->dma_as, dma_addr + offsetof(FWCfgDmaAccess, control),
+                    FW_CFG_DMA_CTL_ERROR);
+         return;
+@@ -419,7 +420,8 @@ static void fw_cfg_dma_transfer(FWCfgState *s)
+              */
+             if (read) {
+                 if (dma_memory_write(s->dma_as, dma.address,
+-                                    &e->data[s->cur_offset], len)) {
++                                     &e->data[s->cur_offset], len,
++                                     MEMTXATTRS_UNSPECIFIED)) {
+                     dma.control |= FW_CFG_DMA_CTL_ERROR;
+                 }
+             }
+@@ -427,7 +429,8 @@ static void fw_cfg_dma_transfer(FWCfgState *s)
+                 if (!e->allow_write ||
+                     len != dma.length ||
+                     dma_memory_read(s->dma_as, dma.address,
+-                                    &e->data[s->cur_offset], len)) {
++                                    &e->data[s->cur_offset], len,
++                                    MEMTXATTRS_UNSPECIFIED)) {
+                     dma.control |= FW_CFG_DMA_CTL_ERROR;
+                 } else if (e->write_cb) {
+                     e->write_cb(e->callback_opaque, s->cur_offset, len);
+diff --git a/hw/pci-host/pnv_phb3.c b/hw/pci-host/pnv_phb3.c
+index 9c4451c..c6e7871 100644
+--- a/hw/pci-host/pnv_phb3.c
++++ b/hw/pci-host/pnv_phb3.c
+@@ -715,7 +715,8 @@ static bool pnv_phb3_resolve_pe(PnvPhb3DMASpace *ds)
+     bus_num = pci_bus_num(ds->bus);
+     addr = rtt & PHB_RTT_BASE_ADDRESS_MASK;
+     addr += 2 * ((bus_num << 8) | ds->devfn);
+-    if (dma_memory_read(&address_space_memory, addr, &rte, sizeof(rte))) {
++    if (dma_memory_read(&address_space_memory, addr, &rte,
++                        sizeof(rte), MEMTXATTRS_UNSPECIFIED)) {
+         phb3_error(ds->phb, "Failed to read RTT entry at 0x%"PRIx64, addr);
+         /* Set error bits ? fence ? ... */
+         return false;
+@@ -794,7 +795,7 @@ static void pnv_phb3_translate_tve(PnvPhb3DMASpace *ds, hwaddr addr,
+             /* Grab the TCE address */
+             taddr = base | (((addr >> sh) & ((1ul << tbl_shift) - 1)) << 3);
+             if (dma_memory_read(&address_space_memory, taddr, &tce,
+-                                sizeof(tce))) {
++                                sizeof(tce), MEMTXATTRS_UNSPECIFIED)) {
+                 phb3_error(phb, "Failed to read TCE at 0x%"PRIx64, taddr);
+                 return;
+             }
+diff --git a/hw/pci-host/pnv_phb3_msi.c b/hw/pci-host/pnv_phb3_msi.c
+index 099d209..8bcbc2c 100644
+--- a/hw/pci-host/pnv_phb3_msi.c
++++ b/hw/pci-host/pnv_phb3_msi.c
+@@ -53,7 +53,8 @@ static bool phb3_msi_read_ive(PnvPHB3 *phb, int srcno, uint64_t *out_ive)
+         return false;
+     }
+ 
+-    if (dma_memory_read(&address_space_memory, ive_addr, &ive, sizeof(ive))) {
++    if (dma_memory_read(&address_space_memory, ive_addr,
++                        &ive, sizeof(ive), MEMTXATTRS_UNSPECIFIED)) {
+         qemu_log_mask(LOG_GUEST_ERROR, "Failed to read IVE at 0x%" PRIx64,
+                       ive_addr);
+         return false;
+@@ -73,7 +74,8 @@ static void phb3_msi_set_p(Phb3MsiState *msi, int srcno, uint8_t gen)
+         return;
+     }
+ 
+-    if (dma_memory_write(&address_space_memory, ive_addr + 4, &p, 1)) {
++    if (dma_memory_write(&address_space_memory, ive_addr + 4,
++                         &p, 1, MEMTXATTRS_UNSPECIFIED)) {
+         qemu_log_mask(LOG_GUEST_ERROR,
+                       "Failed to write IVE (set P) at 0x%" PRIx64, ive_addr);
+     }
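Review bot: minor logging nit in phb3_msi_set_p(): the write goes to ive_addr + 4 but the failure message prints ive_addr, so the logged address is not the one that faulted. Printing ive_addr + 4 here (and ive_addr + 5 in the set Q hunk that follows) would make the LOG_GUEST_ERROR line match the access.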
+@@ -89,7 +91,8 @@ static void phb3_msi_set_q(Phb3MsiState *msi, int srcno)
+         return;
+     }
+ 
+-    if (dma_memory_write(&address_space_memory, ive_addr + 5, &q, 1)) {
++    if (dma_memory_write(&address_space_memory, ive_addr + 5,
++                         &q, 1, MEMTXATTRS_UNSPECIFIED)) {
+         qemu_log_mask(LOG_GUEST_ERROR,
+                       "Failed to write IVE (set Q) at 0x%" PRIx64, ive_addr);
+     }
+diff --git a/hw/pci-host/pnv_phb4.c b/hw/pci-host/pnv_phb4.c
+index 40b7932..1fbf732 100644
+--- a/hw/pci-host/pnv_phb4.c
++++ b/hw/pci-host/pnv_phb4.c
+@@ -891,7 +891,8 @@ static bool pnv_phb4_resolve_pe(PnvPhb4DMASpace *ds)
+     bus_num = pci_bus_num(ds->bus);
+     addr = rtt & PHB_RTT_BASE_ADDRESS_MASK;
+     addr += 2 * PCI_BUILD_BDF(bus_num, ds->devfn);
+-    if (dma_memory_read(&address_space_memory, addr, &rte, sizeof(rte))) {
++    if (dma_memory_read(&address_space_memory, addr, &rte,
++                        sizeof(rte), MEMTXATTRS_UNSPECIFIED)) {
+         phb_error(ds->phb, "Failed to read RTT entry at 0x%"PRIx64, addr);
+         /* Set error bits ? fence ? ... */
+         return false;
+@@ -961,7 +962,7 @@ static void pnv_phb4_translate_tve(PnvPhb4DMASpace *ds, hwaddr addr,
+             /* Grab the TCE address */
+             taddr = base | (((addr >> sh) & ((1ul << tbl_shift) - 1)) << 3);
+             if (dma_memory_read(&address_space_memory, taddr, &tce,
+-                                sizeof(tce))) {
++                                sizeof(tce), MEMTXATTRS_UNSPECIFIED)) {
+                 phb_error(ds->phb, "Failed to read TCE at 0x%"PRIx64, taddr);
+                 return;
+             }
+diff --git a/hw/sd/allwinner-sdhost.c b/hw/sd/allwinner-sdhost.c
+index 9166d66..de5bc49 100644
+--- a/hw/sd/allwinner-sdhost.c
++++ b/hw/sd/allwinner-sdhost.c
+@@ -311,7 +311,8 @@ static uint32_t allwinner_sdhost_process_desc(AwSdHostState *s,
+     uint8_t buf[1024];
+ 
+     /* Read descriptor */
+-    dma_memory_read(&s->dma_as, desc_addr, desc, sizeof(*desc));
++    dma_memory_read(&s->dma_as, desc_addr, desc, sizeof(*desc),
++                    MEMTXATTRS_UNSPECIFIED);
+     if (desc->size == 0) {
+         desc->size = klass->max_desc_size;
+     } else if (desc->size > klass->max_desc_size) {
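Review bot: the descriptor read at the top of allwinner_sdhost_process_desc() still discards its result, so `desc->size` is tested right after a transfer that may have failed. dma_memory_read() returns a MemTxResult (see the include/sysemu/dma.h hunk of this same patch), so a follow-up could compare it against MEMTX_OK and stop processing the descriptor on error. The added MEMTXATTRS_UNSPECIFIED argument itself keeps the previous behaviour.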
+@@ -337,23 +338,24 @@ static uint32_t allwinner_sdhost_process_desc(AwSdHostState *s,
+         /* Write to SD bus */
+         if (is_write) {
+             dma_memory_read(&s->dma_as,
+-                            (desc->addr & DESC_SIZE_MASK) + num_done,
+-                            buf, buf_bytes);
++                            (desc->addr & DESC_SIZE_MASK) + num_done, buf,
++                            buf_bytes, MEMTXATTRS_UNSPECIFIED);
+             sdbus_write_data(&s->sdbus, buf, buf_bytes);
+ 
+         /* Read from SD bus */
+         } else {
+             sdbus_read_data(&s->sdbus, buf, buf_bytes);
+             dma_memory_write(&s->dma_as,
+-                             (desc->addr & DESC_SIZE_MASK) + num_done,
+-                             buf, buf_bytes);
++                             (desc->addr & DESC_SIZE_MASK) + num_done, buf,
++                             buf_bytes, MEMTXATTRS_UNSPECIFIED);
+         }
+         num_done += buf_bytes;
+     }
+ 
+     /* Clear hold flag and flush descriptor */
+     desc->status &= ~DESC_STATUS_HOLD;
+-    dma_memory_write(&s->dma_as, desc_addr, desc, sizeof(*desc));
++    dma_memory_write(&s->dma_as, desc_addr, desc, sizeof(*desc),
++                     MEMTXATTRS_UNSPECIFIED);
+ 
+     return num_done;
+ }
+diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
+index c9dc065..e0bbc90 100644
+--- a/hw/sd/sdhci.c
++++ b/hw/sd/sdhci.c
+@@ -616,8 +616,8 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
+                     s->blkcnt--;
+                 }
+             }
+-            dma_memory_write(s->dma_as, s->sdmasysad,
+-                             &s->fifo_buffer[begin], s->data_count - begin);
++            dma_memory_write(s->dma_as, s->sdmasysad, &s->fifo_buffer[begin],
++                             s->data_count - begin, MEMTXATTRS_UNSPECIFIED);
+             s->sdmasysad += s->data_count - begin;
+             if (s->data_count == block_size) {
+                 s->data_count = 0;
+@@ -637,8 +637,8 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
+                 s->data_count = block_size;
+                 boundary_count -= block_size - begin;
+             }
+-            dma_memory_read(s->dma_as, s->sdmasysad,
+-                            &s->fifo_buffer[begin], s->data_count - begin);
++            dma_memory_read(s->dma_as, s->sdmasysad, &s->fifo_buffer[begin],
++                            s->data_count - begin, MEMTXATTRS_UNSPECIFIED);
+             s->sdmasysad += s->data_count - begin;
+             if (s->data_count == block_size) {
+                 sdbus_write_data(&s->sdbus, s->fifo_buffer, block_size);
+@@ -670,9 +670,11 @@ static void sdhci_sdma_transfer_single_block(SDHCIState *s)
+ 
+     if (s->trnmod & SDHC_TRNS_READ) {
+         sdbus_read_data(&s->sdbus, s->fifo_buffer, datacnt);
+-        dma_memory_write(s->dma_as, s->sdmasysad, s->fifo_buffer, datacnt);
++        dma_memory_write(s->dma_as, s->sdmasysad, s->fifo_buffer, datacnt,
++                         MEMTXATTRS_UNSPECIFIED);
+     } else {
+-        dma_memory_read(s->dma_as, s->sdmasysad, s->fifo_buffer, datacnt);
++        dma_memory_read(s->dma_as, s->sdmasysad, s->fifo_buffer, datacnt,
++                        MEMTXATTRS_UNSPECIFIED);
+         sdbus_write_data(&s->sdbus, s->fifo_buffer, datacnt);
+     }
+     s->blkcnt--;
+@@ -694,7 +696,8 @@ static void get_adma_description(SDHCIState *s, ADMADescr *dscr)
+     hwaddr entry_addr = (hwaddr)s->admasysaddr;
+     switch (SDHC_DMA_TYPE(s->hostctl1)) {
+     case SDHC_CTRL_ADMA2_32:
+-        dma_memory_read(s->dma_as, entry_addr, &adma2, sizeof(adma2));
++        dma_memory_read(s->dma_as, entry_addr, &adma2, sizeof(adma2),
++                        MEMTXATTRS_UNSPECIFIED);
+         adma2 = le64_to_cpu(adma2);
+         /* The spec does not specify endianness of descriptor table.
+          * We currently assume that it is LE.
+@@ -705,7 +708,8 @@ static void get_adma_description(SDHCIState *s, ADMADescr *dscr)
+         dscr->incr = 8;
+         break;
+     case SDHC_CTRL_ADMA1_32:
+-        dma_memory_read(s->dma_as, entry_addr, &adma1, sizeof(adma1));
++        dma_memory_read(s->dma_as, entry_addr, &adma1, sizeof(adma1),
++                        MEMTXATTRS_UNSPECIFIED);
+         adma1 = le32_to_cpu(adma1);
+         dscr->addr = (hwaddr)(adma1 & 0xFFFFF000);
+         dscr->attr = (uint8_t)extract32(adma1, 0, 7);
+@@ -717,10 +721,13 @@ static void get_adma_description(SDHCIState *s, ADMADescr *dscr)
+         }
+         break;
+     case SDHC_CTRL_ADMA2_64:
+-        dma_memory_read(s->dma_as, entry_addr, &dscr->attr, 1);
+-        dma_memory_read(s->dma_as, entry_addr + 2, &dscr->length, 2);
++        dma_memory_read(s->dma_as, entry_addr, &dscr->attr, 1,
++                        MEMTXATTRS_UNSPECIFIED);
++        dma_memory_read(s->dma_as, entry_addr + 2, &dscr->length, 2,
++                        MEMTXATTRS_UNSPECIFIED);
+         dscr->length = le16_to_cpu(dscr->length);
+-        dma_memory_read(s->dma_as, entry_addr + 4, &dscr->addr, 8);
++        dma_memory_read(s->dma_as, entry_addr + 4, &dscr->addr, 8,
++                        MEMTXATTRS_UNSPECIFIED);
+         dscr->addr = le64_to_cpu(dscr->addr);
+         dscr->attr &= (uint8_t) ~0xC0;
+         dscr->incr = 12;
+@@ -785,7 +792,8 @@ static void sdhci_do_adma(SDHCIState *s)
+                     }
+                     dma_memory_write(s->dma_as, dscr.addr,
+                                      &s->fifo_buffer[begin],
+-                                     s->data_count - begin);
++                                     s->data_count - begin,
++                                     MEMTXATTRS_UNSPECIFIED);
+                     dscr.addr += s->data_count - begin;
+                     if (s->data_count == block_size) {
+                         s->data_count = 0;
+@@ -810,7 +818,8 @@ static void sdhci_do_adma(SDHCIState *s)
+                     }
+                     dma_memory_read(s->dma_as, dscr.addr,
+                                     &s->fifo_buffer[begin],
+-                                    s->data_count - begin);
++                                    s->data_count - begin,
++                                    MEMTXATTRS_UNSPECIFIED);
+                     dscr.addr += s->data_count - begin;
+                     if (s->data_count == block_size) {
+                         sdbus_write_data(&s->sdbus, s->fifo_buffer, block_size);
+diff --git a/hw/usb/hcd-dwc2.c b/hw/usb/hcd-dwc2.c
+index e1d96ac..8755e9c 100644
+--- a/hw/usb/hcd-dwc2.c
++++ b/hw/usb/hcd-dwc2.c
+@@ -272,8 +272,8 @@ static void dwc2_handle_packet(DWC2State *s, uint32_t devadr, USBDevice *dev,
+ 
+         if (pid != USB_TOKEN_IN) {
+             trace_usb_dwc2_memory_read(hcdma, tlen);
+-            if (dma_memory_read(&s->dma_as, hcdma,
+-                                s->usb_buf[chan], tlen) != MEMTX_OK) {
++            if (dma_memory_read(&s->dma_as, hcdma, s->usb_buf[chan], tlen,
++                                MEMTXATTRS_UNSPECIFIED) != MEMTX_OK) {
+                 qemu_log_mask(LOG_GUEST_ERROR, "%s: dma_memory_read failed\n",
+                               __func__);
+             }
+@@ -328,8 +328,8 @@ babble:
+ 
+         if (pid == USB_TOKEN_IN) {
+             trace_usb_dwc2_memory_write(hcdma, actual);
+-            if (dma_memory_write(&s->dma_as, hcdma, s->usb_buf[chan],
+-                                 actual) != MEMTX_OK) {
++            if (dma_memory_write(&s->dma_as, hcdma, s->usb_buf[chan], actual,
++                                 MEMTXATTRS_UNSPECIFIED) != MEMTX_OK) {
+                 qemu_log_mask(LOG_GUEST_ERROR, "%s: dma_memory_write failed\n",
+                               __func__);
+             }
+diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
+index 6caa7ac..33a8a37 100644
+--- a/hw/usb/hcd-ehci.c
++++ b/hw/usb/hcd-ehci.c
+@@ -383,7 +383,8 @@ static inline int get_dwords(EHCIState *ehci, uint32_t addr,
+     }
+ 
+     for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) {
+-        dma_memory_read(ehci->as, addr, buf, sizeof(*buf));
++        dma_memory_read(ehci->as, addr, buf, sizeof(*buf),
++                        MEMTXATTRS_UNSPECIFIED);
+         *buf = le32_to_cpu(*buf);
+     }
+ 
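Review bot: get_dwords() in hcd-ehci.c ignores the result of `dma_memory_read(ehci->as, addr, buf, sizeof(*buf), MEMTXATTRS_UNSPECIFIED)` and byte-swaps `*buf` regardless, while the OHCI helper of the same name, converted later in this patch, returns -1 when the read fails. Since the call is being rewritten anyway, it would be worth aligning the two helpers so a failed read is not converted and handed back as data.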
+@@ -405,7 +406,8 @@ static inline int put_dwords(EHCIState *ehci, uint32_t addr,
+ 
+     for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) {
+         uint32_t tmp = cpu_to_le32(*buf);
+-        dma_memory_write(ehci->as, addr, &tmp, sizeof(tmp));
++        dma_memory_write(ehci->as, addr, &tmp, sizeof(tmp),
++                         MEMTXATTRS_UNSPECIFIED);
+     }
+ 
+     return num;
+diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c
+index 56e2315..a93d6b2 100644
+--- a/hw/usb/hcd-ohci.c
++++ b/hw/usb/hcd-ohci.c
+@@ -452,7 +452,8 @@ static inline int get_dwords(OHCIState *ohci,
+     addr += ohci->localmem_base;
+ 
+     for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) {
+-        if (dma_memory_read(ohci->as, addr, buf, sizeof(*buf))) {
++        if (dma_memory_read(ohci->as, addr,
++                            buf, sizeof(*buf), MEMTXATTRS_UNSPECIFIED)) {
+             return -1;
+         }
+         *buf = le32_to_cpu(*buf);
+@@ -471,7 +472,8 @@ static inline int put_dwords(OHCIState *ohci,
+ 
+     for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) {
+         uint32_t tmp = cpu_to_le32(*buf);
+-        if (dma_memory_write(ohci->as, addr, &tmp, sizeof(tmp))) {
++        if (dma_memory_write(ohci->as, addr,
++                             &tmp, sizeof(tmp), MEMTXATTRS_UNSPECIFIED)) {
+             return -1;
+         }
+     }
+@@ -488,7 +490,8 @@ static inline int get_words(OHCIState *ohci,
+     addr += ohci->localmem_base;
+ 
+     for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) {
+-        if (dma_memory_read(ohci->as, addr, buf, sizeof(*buf))) {
++        if (dma_memory_read(ohci->as, addr,
++                            buf, sizeof(*buf), MEMTXATTRS_UNSPECIFIED)) {
+             return -1;
+         }
+         *buf = le16_to_cpu(*buf);
+@@ -507,7 +510,8 @@ static inline int put_words(OHCIState *ohci,
+ 
+     for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) {
+         uint16_t tmp = cpu_to_le16(*buf);
+-        if (dma_memory_write(ohci->as, addr, &tmp, sizeof(tmp))) {
++        if (dma_memory_write(ohci->as, addr,
++                             &tmp, sizeof(tmp), MEMTXATTRS_UNSPECIFIED)) {
+             return -1;
+         }
+     }
+@@ -537,8 +541,8 @@ static inline int ohci_read_iso_td(OHCIState *ohci,
+ static inline int ohci_read_hcca(OHCIState *ohci,
+                                  dma_addr_t addr, struct ohci_hcca *hcca)
+ {
+-    return dma_memory_read(ohci->as, addr + ohci->localmem_base,
+-                           hcca, sizeof(*hcca));
++    return dma_memory_read(ohci->as, addr + ohci->localmem_base, hcca,
++                           sizeof(*hcca), MEMTXATTRS_UNSPECIFIED);
+ }
+ 
+ static inline int ohci_put_ed(OHCIState *ohci,
+@@ -572,7 +576,7 @@ static inline int ohci_put_hcca(OHCIState *ohci,
+     return dma_memory_write(ohci->as,
+                             addr + ohci->localmem_base + HCCA_WRITEBACK_OFFSET,
+                             (char *)hcca + HCCA_WRITEBACK_OFFSET,
+-                            HCCA_WRITEBACK_SIZE);
++                            HCCA_WRITEBACK_SIZE, MEMTXATTRS_UNSPECIFIED);
+ }
+ 
+ /* Read/Write the contents of a TD from/to main memory.  */
+diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
+index e017000..ed2b9ea 100644
+--- a/hw/usb/hcd-xhci.c
++++ b/hw/usb/hcd-xhci.c
+@@ -487,7 +487,7 @@ static inline void xhci_dma_read_u32s(XHCIState *xhci, dma_addr_t addr,
+ 
+     assert((len % sizeof(uint32_t)) == 0);
+ 
+-    dma_memory_read(xhci->as, addr, buf, len);
++    dma_memory_read(xhci->as, addr, buf, len, MEMTXATTRS_UNSPECIFIED);
+ 
+     for (i = 0; i < (len / sizeof(uint32_t)); i++) {
+         buf[i] = le32_to_cpu(buf[i]);
+@@ -507,7 +507,7 @@ static inline void xhci_dma_write_u32s(XHCIState *xhci, dma_addr_t addr,
+     for (i = 0; i < n; i++) {
+         tmp[i] = cpu_to_le32(buf[i]);
+     }
+-    dma_memory_write(xhci->as, addr, tmp, len);
++    dma_memory_write(xhci->as, addr, tmp, len, MEMTXATTRS_UNSPECIFIED);
+ }
+ 
+ static XHCIPort *xhci_lookup_port(XHCIState *xhci, struct USBPort *uport)
+@@ -618,7 +618,7 @@ static void xhci_write_event(XHCIState *xhci, XHCIEvent *event, int v)
+                                ev_trb.status, ev_trb.control);
+ 
+     addr = intr->er_start + TRB_SIZE*intr->er_ep_idx;
+-    dma_memory_write(xhci->as, addr, &ev_trb, TRB_SIZE);
++    dma_memory_write(xhci->as, addr, &ev_trb, TRB_SIZE, MEMTXATTRS_UNSPECIFIED);
+ 
+     intr->er_ep_idx++;
+     if (intr->er_ep_idx >= intr->er_size) {
+@@ -679,7 +679,8 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb,
+ 
+     while (1) {
+         TRBType type;
+-        dma_memory_read(xhci->as, ring->dequeue, trb, TRB_SIZE);
++        dma_memory_read(xhci->as, ring->dequeue, trb, TRB_SIZE,
++                        MEMTXATTRS_UNSPECIFIED);
+         trb->addr = ring->dequeue;
+         trb->ccs = ring->ccs;
+         le64_to_cpus(&trb->parameter);
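Review bot: in xhci_ring_fetch() the TRB read sits inside `while (1)` and its result is not checked, so when the read fails the loop goes on to fill `trb->addr` and `trb->ccs` and to byte-swap whatever was already in `*trb`. Consider testing the MemTxResult and leaving the loop on error. The same pattern appears in the xhci_ring_chain_length() and xhci_er_reset() hunks below.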
+@@ -726,7 +727,8 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring)
+ 
+     while (1) {
+         TRBType type;
+-        dma_memory_read(xhci->as, dequeue, &trb, TRB_SIZE);
++        dma_memory_read(xhci->as, dequeue, &trb, TRB_SIZE,
++                        MEMTXATTRS_UNSPECIFIED);
+         le64_to_cpus(&trb.parameter);
+         le32_to_cpus(&trb.status);
+         le32_to_cpus(&trb.control);
+@@ -781,7 +783,8 @@ static void xhci_er_reset(XHCIState *xhci, int v)
+         xhci_die(xhci);
+         return;
+     }
+-    dma_memory_read(xhci->as, erstba, &seg, sizeof(seg));
++    dma_memory_read(xhci->as, erstba, &seg, sizeof(seg),
++                    MEMTXATTRS_UNSPECIFIED);
+     le32_to_cpus(&seg.addr_low);
+     le32_to_cpus(&seg.addr_high);
+     le32_to_cpus(&seg.size);
+@@ -2397,7 +2400,8 @@ static TRBCCode xhci_get_port_bandwidth(XHCIState *xhci, uint64_t pctx)
+     /* TODO: actually implement real values here */
+     bw_ctx[0] = 0;
+     memset(&bw_ctx[1], 80, xhci->numports); /* 80% */
+-    dma_memory_write(xhci->as, ctx, bw_ctx, sizeof(bw_ctx));
++    dma_memory_write(xhci->as, ctx, bw_ctx, sizeof(bw_ctx),
++                     MEMTXATTRS_UNSPECIFIED);
+ 
+     return CC_SUCCESS;
+ }
+diff --git a/include/hw/ppc/spapr_vio.h b/include/hw/ppc/spapr_vio.h
+index c90e74a..5d2ea8e 100644
+--- a/include/hw/ppc/spapr_vio.h
++++ b/include/hw/ppc/spapr_vio.h
+@@ -97,14 +97,16 @@ static inline bool spapr_vio_dma_valid(SpaprVioDevice *dev, uint64_t taddr,
+ static inline int spapr_vio_dma_read(SpaprVioDevice *dev, uint64_t taddr,
+                                      void *buf, uint32_t size)
+ {
+-    return (dma_memory_read(&dev->as, taddr, buf, size) != 0) ?
++    return (dma_memory_read(&dev->as, taddr,
++                            buf, size, MEMTXATTRS_UNSPECIFIED) != 0) ?
+         H_DEST_PARM : H_SUCCESS;
+ }
+ 
+ static inline int spapr_vio_dma_write(SpaprVioDevice *dev, uint64_t taddr,
+                                       const void *buf, uint32_t size)
+ {
+-    return (dma_memory_write(&dev->as, taddr, buf, size) != 0) ?
++    return (dma_memory_write(&dev->as, taddr,
++                             buf, size, MEMTXATTRS_UNSPECIFIED) != 0) ?
+         H_DEST_PARM : H_SUCCESS;
+ }
+ 
+diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h
+index e8ad422..522682b 100644
+--- a/include/sysemu/dma.h
++++ b/include/sysemu/dma.h
+@@ -143,12 +143,14 @@ static inline MemTxResult dma_memory_rw(AddressSpace *as, dma_addr_t addr,
+  * @addr: address within that address space
+  * @buf: buffer with the data transferred
+  * @len: length of the data transferred
++ * @attrs: memory transaction attributes
+  */
+ static inline MemTxResult dma_memory_read(AddressSpace *as, dma_addr_t addr,
+-                                          void *buf, dma_addr_t len)
++                                          void *buf, dma_addr_t len,
++                                          MemTxAttrs attrs)
+ {
+     return dma_memory_rw(as, addr, buf, len,
+-                         DMA_DIRECTION_TO_DEVICE, MEMTXATTRS_UNSPECIFIED);
++                         DMA_DIRECTION_TO_DEVICE, attrs);
+ }
+ 
+ /**
+@@ -162,12 +164,14 @@ static inline MemTxResult dma_memory_read(AddressSpace *as, dma_addr_t addr,
+  * @addr: address within that address space
+  * @buf: buffer with the data transferred
+  * @len: the number of bytes to write
++ * @attrs: memory transaction attributes
+  */
+ static inline MemTxResult dma_memory_write(AddressSpace *as, dma_addr_t addr,
+-                                           const void *buf, dma_addr_t len)
++                                           const void *buf, dma_addr_t len,
++                                           MemTxAttrs attrs)
+ {
+     return dma_memory_rw(as, addr, (void *)buf, len,
+-                         DMA_DIRECTION_FROM_DEVICE, MEMTXATTRS_UNSPECIFIED);
++                         DMA_DIRECTION_FROM_DEVICE, attrs);
+ }
+ 
+ /**
+@@ -239,7 +243,7 @@ static inline void dma_memory_unmap(AddressSpace *as,
+                                                             dma_addr_t addr) \
+     {                                                                   \
+         uint##_bits##_t val;                                            \
+-        dma_memory_read(as, addr, &val, (_bits) / 8);                   \
++        dma_memory_read(as, addr, &val, (_bits) / 8, MEMTXATTRS_UNSPECIFIED); \
+         return _end##_bits##_to_cpu(val);                               \
+     }                                                                   \
+     static inline void st##_sname##_##_end##_dma(AddressSpace *as,      \
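Review bot: style point on the changed line inside DEFINE_LDST_DMA: the continuation backslash after `MEMTXATTRS_UNSPECIFIED);` no longer lines up with the backslash column used by the rest of the macro. Wrapping the new argument onto its own continuation line would keep the column intact, and the same applies to the dma_memory_write() line in the next hunk.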
+@@ -247,20 +251,20 @@ static inline void dma_memory_unmap(AddressSpace *as,
+                                                  uint##_bits##_t val)   \
+     {                                                                   \
+         val = cpu_to_##_end##_bits(val);                                \
+-        dma_memory_write(as, addr, &val, (_bits) / 8);                  \
++        dma_memory_write(as, addr, &val, (_bits) / 8, MEMTXATTRS_UNSPECIFIED); \
+     }
+ 
+ static inline uint8_t ldub_dma(AddressSpace *as, dma_addr_t addr)
+ {
+     uint8_t val;
+ 
+-    dma_memory_read(as, addr, &val, 1);
++    dma_memory_read(as, addr, &val, 1, MEMTXATTRS_UNSPECIFIED);
+     return val;
+ }
+ 
+ static inline void stb_dma(AddressSpace *as, dma_addr_t addr, uint8_t val)
+ {
+-    dma_memory_write(as, addr, &val, 1);
++    dma_memory_write(as, addr, &val, 1, MEMTXATTRS_UNSPECIFIED);
+ }
+ 
+ DEFINE_LDST_DMA(uw, w, 16, le);
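Review bot: ldub_dma() returns `val` without looking at what dma_memory_read() returned, so a failed read hands back an uninitialised stack byte. Now that the read takes an attrs argument and returns MemTxResult, either initialise `val` or let the helper report the result. As written, the helper also pins every caller to MEMTXATTRS_UNSPECIFIED, which is worth a line in the commit message if it is intentional at this step.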
+-- 
+1.8.3.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/0007_let_dma_memory_map_function_take_MemTxAttrs_argument.patch b/meta/recipes-devtools/qemu/qemu/0007_let_dma_memory_map_function_take_MemTxAttrs_argument.patch
new file mode 100644
index 0000000000..8dd0476953
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0007_let_dma_memory_map_function_take_MemTxAttrs_argument.patch
@@ -0,0 +1,227 @@
+From a1d4b0a3051b3079c8db607f519bc0fcb30e17ec Mon Sep 17 00:00:00 2001
+From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Thu, 3 Sep 2020 11:00:47 +0200
+Subject: [PATCH] dma: Let dma_memory_map() take MemTxAttrs argument
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+Let devices specify transaction attributes when calling
+dma_memory_map().
+
+Patch created mechanically using spatch with this script:
+
+  @@
+  expression E1, E2, E3, E4;
+  @@
+  - dma_memory_map(E1, E2, E3, E4)
+  + dma_memory_map(E1, E2, E3, E4, MEMTXATTRS_UNSPECIFIED)
+
+CVE: CVE-2021-3611
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=a1d4b0a3051b3079c8db607f519bc0fcb30e17ec]
+
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Li Qiang <liq3ea@gmail.com>
+Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+Message-Id: <20211223115554.3155328-7-philmd@redhat.com>
+Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
+---
+ hw/display/virtio-gpu.c | 10 ++++++----
+ hw/hyperv/vmbus.c       |  8 +++++---
+ hw/ide/ahci.c           |  8 +++++---
+ hw/usb/libhw.c          |  3 ++-
+ hw/virtio/virtio.c      |  6 ++++--
+ include/hw/pci/pci.h    |  3 ++-
+ include/sysemu/dma.h    |  5 +++--
+ softmmu/dma-helpers.c   |  3 ++-
+ 8 files changed, 29 insertions(+), 17 deletions(-)
+
+diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
+index d78b970..c6dc818 100644
+--- a/hw/display/virtio-gpu.c
++++ b/hw/display/virtio-gpu.c
+@@ -814,8 +814,9 @@ int virtio_gpu_create_mapping_iov(VirtIOGPU *g,
+ 
+         do {
+             len = l;
+-            map = dma_memory_map(VIRTIO_DEVICE(g)->dma_as,
+-                                 a, &len, DMA_DIRECTION_TO_DEVICE);
++            map = dma_memory_map(VIRTIO_DEVICE(g)->dma_as, a, &len,
++                                 DMA_DIRECTION_TO_DEVICE,
++                                 MEMTXATTRS_UNSPECIFIED);
+             if (!map) {
+                 qemu_log_mask(LOG_GUEST_ERROR, "%s: failed to map MMIO memory for"
+                               " element %d\n", __func__, e);
+@@ -1252,8 +1253,9 @@ static int virtio_gpu_load(QEMUFile *f, void *opaque, size_t size,
+         for (i = 0; i < res->iov_cnt; i++) {
+             hwaddr len = res->iov[i].iov_len;
+             res->iov[i].iov_base =
+-                dma_memory_map(VIRTIO_DEVICE(g)->dma_as,
+-                               res->addrs[i], &len, DMA_DIRECTION_TO_DEVICE);
++                dma_memory_map(VIRTIO_DEVICE(g)->dma_as, res->addrs[i], &len,
++                               DMA_DIRECTION_TO_DEVICE,
++                               MEMTXATTRS_UNSPECIFIED);
+ 
+             if (!res->iov[i].iov_base || len != res->iov[i].iov_len) {
+                 /* Clean up the half-a-mapping we just created... */
+diff --git a/hw/hyperv/vmbus.c b/hw/hyperv/vmbus.c
+index dbce3b3..8aad29f 100644
+--- a/hw/hyperv/vmbus.c
++++ b/hw/hyperv/vmbus.c
+@@ -373,7 +373,8 @@ static ssize_t gpadl_iter_io(GpadlIter *iter, void *buf, uint32_t len)
+ 
+             maddr = (iter->gpadl->gfns[idx] << TARGET_PAGE_BITS) | off_in_page;
+ 
+-            iter->map = dma_memory_map(iter->as, maddr, &mlen, iter->dir);
++            iter->map = dma_memory_map(iter->as, maddr, &mlen, iter->dir,
++                                       MEMTXATTRS_UNSPECIFIED);
+             if (mlen != pgleft) {
+                 dma_memory_unmap(iter->as, iter->map, mlen, iter->dir, 0);
+                 iter->map = NULL;
+@@ -490,7 +491,8 @@ int vmbus_map_sgl(VMBusChanReq *req, DMADirection dir, struct iovec *iov,
+                 goto err;
+             }
+ 
+-            iov[ret_cnt].iov_base = dma_memory_map(sgl->as, a, &l, dir);
++            iov[ret_cnt].iov_base = dma_memory_map(sgl->as, a, &l, dir,
++                                                   MEMTXATTRS_UNSPECIFIED);
+             if (!l) {
+                 ret = -EFAULT;
+                 goto err;
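Review bot: in vmbus_map_sgl() the result of the converted dma_memory_map() call is validated only through `if (!l)`, while the other callers touched by this patch (virtio-gpu, usb_packet_map, virtqueue_map_desc) test the returned pointer. Testing `iov[ret_cnt].iov_base` as well would make the failure handling consistent and would not rely on the length being zeroed on every failure path.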
+@@ -566,7 +568,7 @@ static vmbus_ring_buffer *ringbuf_map_hdr(VMBusRingBufCommon *ringbuf)
+     dma_addr_t mlen = sizeof(*rb);
+ 
+     rb = dma_memory_map(ringbuf->as, ringbuf->rb_addr, &mlen,
+-                        DMA_DIRECTION_FROM_DEVICE);
++                        DMA_DIRECTION_FROM_DEVICE, MEMTXATTRS_UNSPECIFIED);
+     if (mlen != sizeof(*rb)) {
+         dma_memory_unmap(ringbuf->as, rb, mlen,
+                          DMA_DIRECTION_FROM_DEVICE, 0);
+diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
+index a94c6e2..8e77ddb 100644
+--- a/hw/ide/ahci.c
++++ b/hw/ide/ahci.c
+@@ -249,7 +249,8 @@ static void map_page(AddressSpace *as, uint8_t **ptr, uint64_t addr,
+         dma_memory_unmap(as, *ptr, len, DMA_DIRECTION_FROM_DEVICE, len);
+     }
+ 
+-    *ptr = dma_memory_map(as, addr, &len, DMA_DIRECTION_FROM_DEVICE);
++    *ptr = dma_memory_map(as, addr, &len, DMA_DIRECTION_FROM_DEVICE,
++                          MEMTXATTRS_UNSPECIFIED);
+     if (len < wanted && *ptr) {
+         dma_memory_unmap(as, *ptr, len, DMA_DIRECTION_FROM_DEVICE, len);
+         *ptr = NULL;
+@@ -939,7 +940,8 @@ static int ahci_populate_sglist(AHCIDevice *ad, QEMUSGList *sglist,
+ 
+     /* map PRDT */
+     if (!(prdt = dma_memory_map(ad->hba->as, prdt_addr, &prdt_len,
+-                                DMA_DIRECTION_TO_DEVICE))){
++                                DMA_DIRECTION_TO_DEVICE,
++                                MEMTXATTRS_UNSPECIFIED))){
+         trace_ahci_populate_sglist_no_map(ad->hba, ad->port_no);
+         return -1;
+     }
+@@ -1301,7 +1303,7 @@ static int handle_cmd(AHCIState *s, int port, uint8_t slot)
+     tbl_addr = le64_to_cpu(cmd->tbl_addr);
+     cmd_len = 0x80;
+     cmd_fis = dma_memory_map(s->as, tbl_addr, &cmd_len,
+-                             DMA_DIRECTION_TO_DEVICE);
++                             DMA_DIRECTION_TO_DEVICE, MEMTXATTRS_UNSPECIFIED);
+     if (!cmd_fis) {
+         trace_handle_cmd_badfis(s, port);
+         return -1;
+diff --git a/hw/usb/libhw.c b/hw/usb/libhw.c
+index 9c33a16..f350eae 100644
+--- a/hw/usb/libhw.c
++++ b/hw/usb/libhw.c
+@@ -36,7 +36,8 @@ int usb_packet_map(USBPacket *p, QEMUSGList *sgl)
+ 
+         while (len) {
+             dma_addr_t xlen = len;
+-            mem = dma_memory_map(sgl->as, base, &xlen, dir);
++            mem = dma_memory_map(sgl->as, base, &xlen, dir,
++                                 MEMTXATTRS_UNSPECIFIED);
+             if (!mem) {
+                 goto err;
+             }
+diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
+index ea7c079..e11a8a0d 100644
+--- a/hw/virtio/virtio.c
++++ b/hw/virtio/virtio.c
+@@ -1306,7 +1306,8 @@ static bool virtqueue_map_desc(VirtIODevice *vdev, unsigned int *p_num_sg,
+         iov[num_sg].iov_base = dma_memory_map(vdev->dma_as, pa, &len,
+                                               is_write ?
+                                               DMA_DIRECTION_FROM_DEVICE :
+-                                              DMA_DIRECTION_TO_DEVICE);
++                                              DMA_DIRECTION_TO_DEVICE,
++                                              MEMTXATTRS_UNSPECIFIED);
+         if (!iov[num_sg].iov_base) {
+             virtio_error(vdev, "virtio: bogus descriptor or out of resources");
+             goto out;
+@@ -1355,7 +1356,8 @@ static void virtqueue_map_iovec(VirtIODevice *vdev, struct iovec *sg,
+         sg[i].iov_base = dma_memory_map(vdev->dma_as,
+                                         addr[i], &len, is_write ?
+                                         DMA_DIRECTION_FROM_DEVICE :
+-                                        DMA_DIRECTION_TO_DEVICE);
++                                        DMA_DIRECTION_TO_DEVICE,
++                                        MEMTXATTRS_UNSPECIFIED);
+         if (!sg[i].iov_base) {
+             error_report("virtio: error trying to map MMIO memory");
+             exit(1);
+diff --git a/include/hw/pci/pci.h b/include/hw/pci/pci.h
+index 4383f1c..1acefc2 100644
+--- a/include/hw/pci/pci.h
++++ b/include/hw/pci/pci.h
+@@ -875,7 +875,8 @@ static inline void *pci_dma_map(PCIDevice *dev, dma_addr_t addr,
+ {
+     void *buf;
+ 
+-    buf = dma_memory_map(pci_get_address_space(dev), addr, plen, dir);
++    buf = dma_memory_map(pci_get_address_space(dev), addr, plen, dir,
++                         MEMTXATTRS_UNSPECIFIED);
+     return buf;
+ }
+ 
+diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h
+index 522682b..97ff6f2 100644
+--- a/include/sysemu/dma.h
++++ b/include/sysemu/dma.h
+@@ -202,16 +202,17 @@ MemTxResult dma_memory_set(AddressSpace *as, dma_addr_t addr,
+  * @addr: address within that address space
+  * @len: pointer to length of buffer; updated on return
+  * @dir: indicates the transfer direction
++ * @attrs: memory attributes
+  */
+ static inline void *dma_memory_map(AddressSpace *as,
+                                    dma_addr_t addr, dma_addr_t *len,
+-                                   DMADirection dir)
++                                   DMADirection dir, MemTxAttrs attrs)
+ {
+     hwaddr xlen = *len;
+     void *p;
+ 
+     p = address_space_map(as, addr, &xlen, dir == DMA_DIRECTION_FROM_DEVICE,
+-                          MEMTXATTRS_UNSPECIFIED);
++                          attrs);
+     *len = xlen;
+     return p;
+ }
+diff --git a/softmmu/dma-helpers.c b/softmmu/dma-helpers.c
+index 5bf76ff..3c06a2f 100644
+--- a/softmmu/dma-helpers.c
++++ b/softmmu/dma-helpers.c
+@@ -143,7 +143,8 @@ static void dma_blk_cb(void *opaque, int ret)
+     while (dbs->sg_cur_index < dbs->sg->nsg) {
+         cur_addr = dbs->sg->sg[dbs->sg_cur_index].base + dbs->sg_cur_byte;
+         cur_len = dbs->sg->sg[dbs->sg_cur_index].len - dbs->sg_cur_byte;
+-        mem = dma_memory_map(dbs->sg->as, cur_addr, &cur_len, dbs->dir);
++        mem = dma_memory_map(dbs->sg->as, cur_addr, &cur_len, dbs->dir,
++                             MEMTXATTRS_UNSPECIFIED);
+         /*
+          * Make reads deterministic in icount mode. Windows sometimes issues
+          * disk read requests with overlapping SGs. It leads
+-- 
+1.8.3.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/0008_have_dma_buf_rw_function_take_a_void_pointer.patch b/meta/recipes-devtools/qemu/qemu/0008_have_dma_buf_rw_function_take_a_void_pointer.patch
new file mode 100644
index 0000000000..0876ef184d
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0008_have_dma_buf_rw_function_take_a_void_pointer.patch
@@ -0,0 +1,41 @@
+From c0ee1527358474c75067993d1bb233ad3a4ee081 Mon Sep 17 00:00:00 2001
+From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Thu, 16 Dec 2021 11:24:56 +0100
+Subject: [PATCH] dma: Have dma_buf_rw() take a void pointer
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+DMA operations are run on any kind of buffer, not arrays of
+uint8_t. Convert dma_buf_rw() to take a void pointer argument
+to save us pointless casts to uint8_t *.
+
+CVE: CVE-2021-3611
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=c0ee1527358474c75067993d1bb233ad3a4ee081]
+
+Reviewed-by: Klaus Jensen <k.jensen@samsung.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-Id: <20211223115554.3155328-8-philmd@redhat.com>
+Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
+---
+ softmmu/dma-helpers.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/softmmu/dma-helpers.c b/softmmu/dma-helpers.c
+index 3c06a2f..09e2999 100644
+--- a/softmmu/dma-helpers.c
++++ b/softmmu/dma-helpers.c
+@@ -294,9 +294,10 @@ BlockAIOCB *dma_blk_write(BlockBackend *blk,
+ }
+ 
+ 
+-static uint64_t dma_buf_rw(uint8_t *ptr, int32_t len, QEMUSGList *sg,
++static uint64_t dma_buf_rw(void *buf, int32_t len, QEMUSGList *sg,
+                            DMADirection dir)
+ {
++    uint8_t *ptr = buf;
+     uint64_t resid;
+     int sg_cur_index;
+ 
+-- 
+1.8.3.1
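Review bot: the header tags this patch with CVE: CVE-2021-3611, but the dma_buf_rw() hunk only changes the first parameter from `uint8_t *ptr` to `void *buf` and adds `uint8_t *ptr = buf;`, with no behaviour change. Add a line to the patch header saying this is a prerequisite refactor for the CVE-2021-3611 series, so that anyone auditing the CVE tags does not read it as the fix itself.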
diff --git a/meta/recipes-devtools/qemu/qemu/0009_have_dma_buf_read_and_dma_buf_write_functions_take_a_void.patch b/meta/recipes-devtools/qemu/qemu/0009_have_dma_buf_read_and_dma_buf_write_functions_take_a_void.patch
new file mode 100644
index 0000000000..d65e0b4305
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0009_have_dma_buf_read_and_dma_buf_write_functions_take_a_void.patch
@@ -0,0 +1,167 @@
+From 5e468a36dcdd8fd5eb04282842b72967a29875e4 Mon Sep 17 00:00:00 2001
+From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Thu, 16 Dec 2021 11:27:23 +0100
+Subject: [PATCH] dma: Have dma_buf_read() / dma_buf_write() take a void
+ pointer
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+DMA operations are run on any kind of buffer, not arrays of
+uint8_t. Convert dma_buf_read/dma_buf_write functions to take
+a void pointer argument and save us pointless casts to uint8_t *.
+
+Remove this pointless casts in the megasas device model.
+
+CVE: CVE-2021-3611
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=5e468a36dcdd8fd5eb04282842b72967a29875e4]
+
+Reviewed-by: Klaus Jensen <k.jensen@samsung.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-Id: <20211223115554.3155328-9-philmd@redhat.com>
+Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
+---
+ hw/scsi/megasas.c     | 22 +++++++++++-----------
+ include/sysemu/dma.h  |  4 ++--
+ softmmu/dma-helpers.c |  4 ++--
+ 3 files changed, 15 insertions(+), 15 deletions(-)
+
+diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
+index 14ec6d6..2dae33f 100644
+--- a/hw/scsi/megasas.c
++++ b/hw/scsi/megasas.c
+@@ -848,7 +848,7 @@ static int megasas_ctrl_get_info(MegasasState *s, MegasasCmd *cmd)
+                                        MFI_INFO_PDMIX_SATA |
+                                        MFI_INFO_PDMIX_LD);
+ 
+-    cmd->iov_size -= dma_buf_read((uint8_t *)&info, dcmd_size, &cmd->qsg);
++    cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg);
+     return MFI_STAT_OK;
+ }
+ 
+@@ -878,7 +878,7 @@ static int megasas_mfc_get_defaults(MegasasState *s, MegasasCmd *cmd)
+     info.disable_preboot_cli = 1;
+     info.cluster_disable = 1;
+ 
+-    cmd->iov_size -= dma_buf_read((uint8_t *)&info, dcmd_size, &cmd->qsg);
++    cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg);
+     return MFI_STAT_OK;
+ }
+ 
+@@ -899,7 +899,7 @@ static int megasas_dcmd_get_bios_info(MegasasState *s, MegasasCmd *cmd)
+         info.expose_all_drives = 1;
+     }
+ 
+-    cmd->iov_size -= dma_buf_read((uint8_t *)&info, dcmd_size, &cmd->qsg);
++    cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg);
+     return MFI_STAT_OK;
+ }
+ 
+@@ -910,7 +910,7 @@ static int megasas_dcmd_get_fw_time(MegasasState *s, MegasasCmd *cmd)
+ 
+     fw_time = cpu_to_le64(megasas_fw_time());
+ 
+-    cmd->iov_size -= dma_buf_read((uint8_t *)&fw_time, dcmd_size, &cmd->qsg);
++    cmd->iov_size -= dma_buf_read(&fw_time, dcmd_size, &cmd->qsg);
+     return MFI_STAT_OK;
+ }
+ 
+@@ -937,7 +937,7 @@ static int megasas_event_info(MegasasState *s, MegasasCmd *cmd)
+     info.shutdown_seq_num = cpu_to_le32(s->shutdown_event);
+     info.boot_seq_num = cpu_to_le32(s->boot_event);
+ 
+-    cmd->iov_size -= dma_buf_read((uint8_t *)&info, dcmd_size, &cmd->qsg);
++    cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg);
+     return MFI_STAT_OK;
+ }
+ 
+@@ -1006,7 +1006,7 @@ static int megasas_dcmd_pd_get_list(MegasasState *s, MegasasCmd *cmd)
+     info.size = cpu_to_le32(offset);
+     info.count = cpu_to_le32(num_pd_disks);
+ 
+-    cmd->iov_size -= dma_buf_read((uint8_t *)&info, offset, &cmd->qsg);
++    cmd->iov_size -= dma_buf_read(&info, offset, &cmd->qsg);
+     return MFI_STAT_OK;
+ }
+ 
+@@ -1172,7 +1172,7 @@ static int megasas_dcmd_ld_get_list(MegasasState *s, MegasasCmd *cmd)
+     info.ld_count = cpu_to_le32(num_ld_disks);
+     trace_megasas_dcmd_ld_get_list(cmd->index, num_ld_disks, max_ld_disks);
+ 
+-    resid = dma_buf_read((uint8_t *)&info, dcmd_size, &cmd->qsg);
++    resid = dma_buf_read(&info, dcmd_size, &cmd->qsg);
+     cmd->iov_size = dcmd_size - resid;
+     return MFI_STAT_OK;
+ }
+@@ -1221,7 +1221,7 @@ static int megasas_dcmd_ld_list_query(MegasasState *s, MegasasCmd *cmd)
+     info.size = dcmd_size;
+     trace_megasas_dcmd_ld_get_list(cmd->index, num_ld_disks, max_ld_disks);
+ 
+-    resid = dma_buf_read((uint8_t *)&info, dcmd_size, &cmd->qsg);
++    resid = dma_buf_read(&info, dcmd_size, &cmd->qsg);
+     cmd->iov_size = dcmd_size - resid;
+     return MFI_STAT_OK;
+ }
+@@ -1390,7 +1390,7 @@ static int megasas_dcmd_cfg_read(MegasasState *s, MegasasCmd *cmd)
+         ld_offset += sizeof(struct mfi_ld_config);
+     }
+ 
+-    cmd->iov_size -= dma_buf_read((uint8_t *)data, info->size, &cmd->qsg);
++    cmd->iov_size -= dma_buf_read(data, info->size, &cmd->qsg);
+     return MFI_STAT_OK;
+ }
+ 
+@@ -1420,7 +1420,7 @@ static int megasas_dcmd_get_properties(MegasasState *s, MegasasCmd *cmd)
+     info.ecc_bucket_leak_rate = cpu_to_le16(1440);
+     info.expose_encl_devices = 1;
+ 
+-    cmd->iov_size -= dma_buf_read((uint8_t *)&info, dcmd_size, &cmd->qsg);
++    cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg);
+     return MFI_STAT_OK;
+ }
+ 
+@@ -1465,7 +1465,7 @@ static int megasas_dcmd_set_properties(MegasasState *s, MegasasCmd *cmd)
+                                             dcmd_size);
+         return MFI_STAT_INVALID_PARAMETER;
+     }
+-    dma_buf_write((uint8_t *)&info, dcmd_size, &cmd->qsg);
++    dma_buf_write(&info, dcmd_size, &cmd->qsg);
+     trace_megasas_dcmd_unsupported(cmd->index, cmd->iov_size);
+     return MFI_STAT_OK;
+ }
+diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h
+index 97ff6f2..0d5b836 100644
+--- a/include/sysemu/dma.h
++++ b/include/sysemu/dma.h
+@@ -302,8 +302,8 @@ BlockAIOCB *dma_blk_read(BlockBackend *blk,
+ BlockAIOCB *dma_blk_write(BlockBackend *blk,
+                           QEMUSGList *sg, uint64_t offset, uint32_t align,
+                           BlockCompletionFunc *cb, void *opaque);
+-uint64_t dma_buf_read(uint8_t *ptr, int32_t len, QEMUSGList *sg);
+-uint64_t dma_buf_write(uint8_t *ptr, int32_t len, QEMUSGList *sg);
++uint64_t dma_buf_read(void *ptr, int32_t len, QEMUSGList *sg);
++uint64_t dma_buf_write(void *ptr, int32_t len, QEMUSGList *sg);
+ 
+ void dma_acct_start(BlockBackend *blk, BlockAcctCookie *cookie,
+                     QEMUSGList *sg, enum BlockAcctType type);
+diff --git a/softmmu/dma-helpers.c b/softmmu/dma-helpers.c
+index 09e2999..7f37548 100644
+--- a/softmmu/dma-helpers.c
++++ b/softmmu/dma-helpers.c
+@@ -317,12 +317,12 @@ static uint64_t dma_buf_rw(void *buf, int32_t len, QEMUSGList *sg,
+     return resid;
+ }
+ 
+-uint64_t dma_buf_read(uint8_t *ptr, int32_t len, QEMUSGList *sg)
++uint64_t dma_buf_read(void *ptr, int32_t len, QEMUSGList *sg)
+ {
+     return dma_buf_rw(ptr, len, sg, DMA_DIRECTION_FROM_DEVICE);
+ }
+ 
+-uint64_t dma_buf_write(uint8_t *ptr, int32_t len, QEMUSGList *sg)
++uint64_t dma_buf_write(void *ptr, int32_t len, QEMUSGList *sg)
+ {
+     return dma_buf_rw(ptr, len, sg, DMA_DIRECTION_TO_DEVICE);
+ }
+-- 
+1.8.3.1
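Review bot: in the megasas_dcmd_set_properties() hunk the residual returned by dma_buf_write() is dropped, whereas every dma_buf_read() call site touched in this file either subtracts it from cmd->iov_size or stores it in resid. Since the call is being edited anyway, it is worth confirming that ignoring a short transfer is intended there, and saying so in a comment if it is. Separately, the prototypes in include/sysemu/dma.h keep the parameter name `ptr` while 0008 renamed the same argument to `buf` in dma_buf_rw(); using one name throughout would read more cleanly.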
diff --git a/meta/recipes-devtools/qemu/qemu/0010_let_pci_dma_rw_function_take_MemTxAttrs_argument.patch b/meta/recipes-devtools/qemu/qemu/0010_let_pci_dma_rw_function_take_MemTxAttrs_argument.patch
new file mode 100644
index 0000000000..8207058aca
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0010_let_pci_dma_rw_function_take_MemTxAttrs_argument.patch
@@ -0,0 +1,91 @@
+From e2d784b67dc724a9b0854b49255ba0ee8ca46543 Mon Sep 17 00:00:00 2001
+From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Wed, 15 Dec 2021 22:18:19 +0100
+Subject: [PATCH] pci: Let pci_dma_rw() take MemTxAttrs argument
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+Let devices specify transaction attributes when calling pci_dma_rw().
+
+Keep the default MEMTXATTRS_UNSPECIFIED in the few callers.
+
+CVE: CVE-2021-3611
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=e2d784b67dc724a9b0854b49255ba0ee8ca46543]
+
+Reviewed-by: Klaus Jensen <k.jensen@samsung.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-Id: <20211223115554.3155328-10-philmd@redhat.com>
+Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
+---
+ hw/audio/intel-hda.c |  3 ++-
+ hw/scsi/esp-pci.c    |  2 +-
+ include/hw/pci/pci.h | 10 ++++++----
+ 3 files changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c
+index 8ce9df6..fb3d34a 100644
+--- a/hw/audio/intel-hda.c
++++ b/hw/audio/intel-hda.c
+@@ -427,7 +427,8 @@ static bool intel_hda_xfer(HDACodecDevice *dev, uint32_t stnr, bool output,
+         dprint(d, 3, "dma: entry %d, pos %d/%d, copy %d\n",
+                st->be, st->bp, st->bpl[st->be].len, copy);
+ 
+-        pci_dma_rw(&d->pci, st->bpl[st->be].addr + st->bp, buf, copy, !output);
++        pci_dma_rw(&d->pci, st->bpl[st->be].addr + st->bp, buf, copy, !output,
++                   MEMTXATTRS_UNSPECIFIED);
+         st->lpib += copy;
+         st->bp += copy;
+         buf += copy;
+diff --git a/hw/scsi/esp-pci.c b/hw/scsi/esp-pci.c
+index dac054a..1792f84 100644
+--- a/hw/scsi/esp-pci.c
++++ b/hw/scsi/esp-pci.c
+@@ -280,7 +280,7 @@ static void esp_pci_dma_memory_rw(PCIESPState *pci, uint8_t *buf, int len,
+         len = pci->dma_regs[DMA_WBC];
+     }
+ 
+-    pci_dma_rw(PCI_DEVICE(pci), addr, buf, len, dir);
++    pci_dma_rw(PCI_DEVICE(pci), addr, buf, len, dir, MEMTXATTRS_UNSPECIFIED);
+ 
+     /* update status registers */
+     pci->dma_regs[DMA_WBC] -= len;
+diff --git a/include/hw/pci/pci.h b/include/hw/pci/pci.h
+index 1acefc2..a751ab5 100644
+--- a/include/hw/pci/pci.h
++++ b/include/hw/pci/pci.h
+@@ -806,10 +806,10 @@ static inline AddressSpace *pci_get_address_space(PCIDevice *dev)
+  */
+ static inline MemTxResult pci_dma_rw(PCIDevice *dev, dma_addr_t addr,
+                                      void *buf, dma_addr_t len,
+-                                     DMADirection dir)
++                                     DMADirection dir, MemTxAttrs attrs)
+ {
+     return dma_memory_rw(pci_get_address_space(dev), addr, buf, len,
+-                         dir, MEMTXATTRS_UNSPECIFIED);
++                         dir, attrs);
+ }
+ 
+ /**
+@@ -827,7 +827,8 @@ static inline MemTxResult pci_dma_rw(PCIDevice *dev, dma_addr_t addr,
+ static inline MemTxResult pci_dma_read(PCIDevice *dev, dma_addr_t addr,
+                                        void *buf, dma_addr_t len)
+ {
+-    return pci_dma_rw(dev, addr, buf, len, DMA_DIRECTION_TO_DEVICE);
++    return pci_dma_rw(dev, addr, buf, len,
++                      DMA_DIRECTION_TO_DEVICE, MEMTXATTRS_UNSPECIFIED);
+ }
+ 
+ /**
+@@ -845,7 +846,8 @@ static inline MemTxResult pci_dma_read(PCIDevice *dev, dma_addr_t addr,
+ static inline MemTxResult pci_dma_write(PCIDevice *dev, dma_addr_t addr,
+                                         const void *buf, dma_addr_t len)
+ {
+-    return pci_dma_rw(dev, addr, (void *) buf, len, DMA_DIRECTION_FROM_DEVICE);
++    return pci_dma_rw(dev, addr, (void *) buf, len,
++                      DMA_DIRECTION_FROM_DEVICE, MEMTXATTRS_UNSPECIFIED);
+ }
+ 
+ #define PCI_DMA_DEFINE_LDST(_l, _s, _bits)                              \
+-- 
+1.8.3.1
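Review bot: pci_dma_rw() returns a MemTxResult, yet both converted callers, intel_hda_xfer() in hw/audio/intel-hda.c and esp_pci_dma_memory_rw() in hw/scsi/esp-pci.c, still call it as a bare statement and then advance st->lpib / pci->dma_regs[DMA_WBC] as if the transfer succeeded. With attrs now selectable per call, a rejected transaction becomes more likely, so these sites should check the result or note why it is safe to ignore. Also, the comment block that closes just above pci_dma_rw() in include/hw/pci/pci.h is not touched by this hunk; if it lists the parameters, the new `attrs` argument should be described there.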
diff --git a/meta/recipes-devtools/qemu/qemu/0011_let_dma_buf_rw_function_take_MemTxAttrs_argument.patch b/meta/recipes-devtools/qemu/qemu/0011_let_dma_buf_rw_function_take_MemTxAttrs_argument.patch
new file mode 100644
index 0000000000..4f7276ef8b
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0011_let_dma_buf_rw_function_take_MemTxAttrs_argument.patch
@@ -0,0 +1,65 @@
+From 959384e74e1b508acc3af6e806b3d7b87335fc2a Mon Sep 17 00:00:00 2001
+From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Wed, 15 Dec 2021 22:59:46 +0100
+Subject: [PATCH] dma: Let dma_buf_rw() take MemTxAttrs argument
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+Let devices specify transaction attributes when calling dma_buf_rw().
+
+Keep the default MEMTXATTRS_UNSPECIFIED in the 2 callers.
+
+CVE: CVE-2021-3611
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=959384e74e1b508acc3af6e806b3d7b87335fc2a]
+
+Reviewed-by: Klaus Jensen <k.jensen@samsung.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-Id: <20211223115554.3155328-11-philmd@redhat.com>
+Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
+---
+ softmmu/dma-helpers.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/softmmu/dma-helpers.c b/softmmu/dma-helpers.c
+index 7f37548..fa81d2b 100644
+--- a/softmmu/dma-helpers.c
++++ b/softmmu/dma-helpers.c
+@@ -295,7 +295,7 @@ BlockAIOCB *dma_blk_write(BlockBackend *blk,
+ 
+ 
+ static uint64_t dma_buf_rw(void *buf, int32_t len, QEMUSGList *sg,
+-                           DMADirection dir)
++                           DMADirection dir, MemTxAttrs attrs)
+ {
+     uint8_t *ptr = buf;
+     uint64_t resid;
+@@ -307,8 +307,7 @@ static uint64_t dma_buf_rw(void *buf, int32_t len, QEMUSGList *sg,
+     while (len > 0) {
+         ScatterGatherEntry entry = sg->sg[sg_cur_index++];
+         int32_t xfer = MIN(len, entry.len);
+-        dma_memory_rw(sg->as, entry.base, ptr, xfer, dir,
+-                      MEMTXATTRS_UNSPECIFIED);
++        dma_memory_rw(sg->as, entry.base, ptr, xfer, dir, attrs);
+         ptr += xfer;
+         len -= xfer;
+         resid -= xfer;
+@@ -319,12 +318,14 @@ static uint64_t dma_buf_rw(void *buf, int32_t len, QEMUSGList *sg,
+ 
+ uint64_t dma_buf_read(void *ptr, int32_t len, QEMUSGList *sg)
+ {
+-    return dma_buf_rw(ptr, len, sg, DMA_DIRECTION_FROM_DEVICE);
++    return dma_buf_rw(ptr, len, sg, DMA_DIRECTION_FROM_DEVICE,
++                      MEMTXATTRS_UNSPECIFIED);
+ }
+ 
+ uint64_t dma_buf_write(void *ptr, int32_t len, QEMUSGList *sg)
+ {
+-    return dma_buf_rw(ptr, len, sg, DMA_DIRECTION_TO_DEVICE);
++    return dma_buf_rw(ptr, len, sg, DMA_DIRECTION_TO_DEVICE,
++                      MEMTXATTRS_UNSPECIFIED);
+ }
+ 
+ void dma_acct_start(BlockBackend *blk, BlockAcctCookie *cookie,
+-- 
+1.8.3.1
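Review bot: inside the while loop of dma_buf_rw() the call `dma_memory_rw(sg->as, entry.base, ptr, xfer, dir, attrs);` still discards its result, so after this patch a caller can pass attrs but gets no indication that the transaction was refused. That is only addressed by 0014 in this series, so the patch header should state that 0011 must not be applied without 0014, or the two should be kept adjacent in SRC_URI with a comment.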
diff --git a/meta/recipes-devtools/qemu/qemu/0012_let_dma_buf_write_function_take_MemTxAttrs_argument.patch b/meta/recipes-devtools/qemu/qemu/0012_let_dma_buf_write_function_take_MemTxAttrs_argument.patch
new file mode 100644
index 0000000000..9837516422
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0012_let_dma_buf_write_function_take_MemTxAttrs_argument.patch
@@ -0,0 +1,129 @@
+From 392e48af3468d7f8e49db33fdc9e28b5f99276ce Mon Sep 17 00:00:00 2001
+From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Wed, 15 Dec 2021 23:02:21 +0100
+Subject: [PATCH] dma: Let dma_buf_write() take MemTxAttrs argument
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+Let devices specify transaction attributes when calling
+dma_buf_write().
+
+Keep the default MEMTXATTRS_UNSPECIFIED in the few callers.
+
+CVE: CVE-2021-3611
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=392e48af3468d7f8e49db33fdc9e28b5f99276ce]
+
+Reviewed-by: Klaus Jensen <k.jensen@samsung.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-Id: <20211223115554.3155328-12-philmd@redhat.com>
+Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
+---
+ hw/ide/ahci.c         | 6 ++++--
+ hw/nvme/ctrl.c        | 3 ++-
+ hw/scsi/megasas.c     | 2 +-
+ hw/scsi/scsi-bus.c    | 2 +-
+ include/sysemu/dma.h  | 2 +-
+ softmmu/dma-helpers.c | 5 ++---
+ 6 files changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
+index 8e77ddb..079d297 100644
+--- a/hw/ide/ahci.c
++++ b/hw/ide/ahci.c
+@@ -1381,8 +1381,10 @@ static void ahci_pio_transfer(const IDEDMA *dma)
+                             has_sglist ? "" : "o");
+ 
+     if (has_sglist && size) {
++        const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
++
+         if (is_write) {
+-            dma_buf_write(s->data_ptr, size, &s->sg);
++            dma_buf_write(s->data_ptr, size, &s->sg, attrs);
+         } else {
+             dma_buf_read(s->data_ptr, size, &s->sg);
+         }
+@@ -1479,7 +1481,7 @@ static int ahci_dma_rw_buf(const IDEDMA *dma, bool is_write)
+     if (is_write) {
+         dma_buf_read(p, l, &s->sg);
+     } else {
+-        dma_buf_write(p, l, &s->sg);
++        dma_buf_write(p, l, &s->sg, MEMTXATTRS_UNSPECIFIED);
+     }
+ 
+     /* free sglist, update byte count */
+diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c
+index 5f573c4..e1a531d 100644
+--- a/hw/nvme/ctrl.c
++++ b/hw/nvme/ctrl.c
+@@ -1146,10 +1146,11 @@ static uint16_t nvme_tx(NvmeCtrl *n, NvmeSg *sg, uint8_t *ptr, uint32_t len,
+     assert(sg->flags & NVME_SG_ALLOC);
+ 
+     if (sg->flags & NVME_SG_DMA) {
++        const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
+         uint64_t residual;
+ 
+         if (dir == NVME_TX_DIRECTION_TO_DEVICE) {
+-            residual = dma_buf_write(ptr, len, &sg->qsg);
++            residual = dma_buf_write(ptr, len, &sg->qsg, attrs);
+         } else {
+             residual = dma_buf_read(ptr, len, &sg->qsg);
+         }
+diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
+index 2dae33f..79fd14c 100644
+--- a/hw/scsi/megasas.c
++++ b/hw/scsi/megasas.c
+@@ -1465,7 +1465,7 @@ static int megasas_dcmd_set_properties(MegasasState *s, MegasasCmd *cmd)
+                                             dcmd_size);
+         return MFI_STAT_INVALID_PARAMETER;
+     }
+-    dma_buf_write(&info, dcmd_size, &cmd->qsg);
++    dma_buf_write(&info, dcmd_size, &cmd->qsg, MEMTXATTRS_UNSPECIFIED);
+     trace_megasas_dcmd_unsupported(cmd->index, cmd->iov_size);
+     return MFI_STAT_OK;
+ }
+diff --git a/hw/scsi/scsi-bus.c b/hw/scsi/scsi-bus.c
+index 77325d8..64a506a 100644
+--- a/hw/scsi/scsi-bus.c
++++ b/hw/scsi/scsi-bus.c
+@@ -1423,7 +1423,7 @@ void scsi_req_data(SCSIRequest *req, int len)
+     if (req->cmd.mode == SCSI_XFER_FROM_DEV) {
+         req->resid = dma_buf_read(buf, len, req->sg);
+     } else {
+-        req->resid = dma_buf_write(buf, len, req->sg);
++        req->resid = dma_buf_write(buf, len, req->sg, MEMTXATTRS_UNSPECIFIED);
+     }
+     scsi_req_continue(req);
+ }
+diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h
+index 0d5b836..e3dd74a 100644
+--- a/include/sysemu/dma.h
++++ b/include/sysemu/dma.h
+@@ -303,7 +303,7 @@ BlockAIOCB *dma_blk_write(BlockBackend *blk,
+                           QEMUSGList *sg, uint64_t offset, uint32_t align,
+                           BlockCompletionFunc *cb, void *opaque);
+ uint64_t dma_buf_read(void *ptr, int32_t len, QEMUSGList *sg);
+-uint64_t dma_buf_write(void *ptr, int32_t len, QEMUSGList *sg);
++uint64_t dma_buf_write(void *ptr, int32_t len, QEMUSGList *sg, MemTxAttrs attrs);
+ 
+ void dma_acct_start(BlockBackend *blk, BlockAcctCookie *cookie,
+                     QEMUSGList *sg, enum BlockAcctType type);
+diff --git a/softmmu/dma-helpers.c b/softmmu/dma-helpers.c
+index fa81d2b..2f1a241 100644
+--- a/softmmu/dma-helpers.c
++++ b/softmmu/dma-helpers.c
+@@ -322,10 +322,9 @@ uint64_t dma_buf_read(void *ptr, int32_t len, QEMUSGList *sg)
+                       MEMTXATTRS_UNSPECIFIED);
+ }
+ 
+-uint64_t dma_buf_write(void *ptr, int32_t len, QEMUSGList *sg)
++uint64_t dma_buf_write(void *ptr, int32_t len, QEMUSGList *sg, MemTxAttrs attrs)
+ {
+-    return dma_buf_rw(ptr, len, sg, DMA_DIRECTION_TO_DEVICE,
+-                      MEMTXATTRS_UNSPECIFIED);
++    return dma_buf_rw(ptr, len, sg, DMA_DIRECTION_TO_DEVICE, attrs);
+ }
+ 
+ void dma_acct_start(BlockBackend *blk, BlockAcctCookie *cookie,
+-- 
+1.8.3.1
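Review bot: the two hw/ide/ahci.c hunks map is_write to opposite helpers: ahci_pio_transfer() calls dma_buf_write() when is_write is set, while ahci_dma_rw_buf() calls dma_buf_read() for is_write and dma_buf_write() otherwise. Now that both sites are being edited to carry attrs, a short comment at each stating which direction is_write refers to would make it clear the attrs end up on the intended transfer. The same file is also inconsistent in style, with a local `const MemTxAttrs attrs` in ahci_pio_transfer() and the macro passed inline in ahci_dma_rw_buf(); pick one.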
diff --git a/meta/recipes-devtools/qemu/qemu/0013_let_dma_buf_read_function_take_MemTxAttrs_argument.patch b/meta/recipes-devtools/qemu/qemu/0013_let_dma_buf_read_function_take_MemTxAttrs_argument.patch
new file mode 100644
index 0000000000..4057caa8b0
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0013_let_dma_buf_read_function_take_MemTxAttrs_argument.patch
@@ -0,0 +1,222 @@
+From 1e5a3f8b2a976054da96cbbb9de6cbac7c2efb79 Mon Sep 17 00:00:00 2001
+From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Wed, 15 Dec 2021 23:29:52 +0100
+Subject: [PATCH] dma: Let dma_buf_read() take MemTxAttrs argument
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+Let devices specify transaction attributes when calling
+dma_buf_read().
+
+Keep the default MEMTXATTRS_UNSPECIFIED in the few callers.
+
+CVE: CVE-2021-3611
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=1e5a3f8b2a976054da96cbbb9de6cbac7c2efb79]
+
+Reviewed-by: Klaus Jensen <k.jensen@samsung.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-Id: <20211223115554.3155328-13-philmd@redhat.com>
+Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
+---
+ hw/ide/ahci.c         |  4 ++--
+ hw/nvme/ctrl.c        |  2 +-
+ hw/scsi/megasas.c     | 24 ++++++++++++------------
+ hw/scsi/scsi-bus.c    |  2 +-
+ include/sysemu/dma.h  |  2 +-
+ softmmu/dma-helpers.c |  5 ++---
+ 6 files changed, 19 insertions(+), 20 deletions(-)
+
+diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
+index 079d297..205dfdc 100644
+--- a/hw/ide/ahci.c
++++ b/hw/ide/ahci.c
+@@ -1386,7 +1386,7 @@ static void ahci_pio_transfer(const IDEDMA *dma)
+         if (is_write) {
+             dma_buf_write(s->data_ptr, size, &s->sg, attrs);
+         } else {
+-            dma_buf_read(s->data_ptr, size, &s->sg);
++            dma_buf_read(s->data_ptr, size, &s->sg, attrs);
+         }
+     }
+ 
+@@ -1479,7 +1479,7 @@ static int ahci_dma_rw_buf(const IDEDMA *dma, bool is_write)
+     }
+ 
+     if (is_write) {
+-        dma_buf_read(p, l, &s->sg);
++        dma_buf_read(p, l, &s->sg, MEMTXATTRS_UNSPECIFIED);
+     } else {
+         dma_buf_write(p, l, &s->sg, MEMTXATTRS_UNSPECIFIED);
+     }
+diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c
+index e1a531d..462f79a 100644
+--- a/hw/nvme/ctrl.c
++++ b/hw/nvme/ctrl.c
+@@ -1152,7 +1152,7 @@ static uint16_t nvme_tx(NvmeCtrl *n, NvmeSg *sg, uint8_t *ptr, uint32_t len,
+         if (dir == NVME_TX_DIRECTION_TO_DEVICE) {
+             residual = dma_buf_write(ptr, len, &sg->qsg, attrs);
+         } else {
+-            residual = dma_buf_read(ptr, len, &sg->qsg);
++            residual = dma_buf_read(ptr, len, &sg->qsg, attrs);
+         }
+ 
+         if (unlikely(residual)) {
+diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
+index 79fd14c..091a350 100644
+--- a/hw/scsi/megasas.c
++++ b/hw/scsi/megasas.c
+@@ -848,7 +848,7 @@ static int megasas_ctrl_get_info(MegasasState *s, MegasasCmd *cmd)
+                                        MFI_INFO_PDMIX_SATA |
+                                        MFI_INFO_PDMIX_LD);
+ 
+-    cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg);
++    cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg, MEMTXATTRS_UNSPECIFIED);
+     return MFI_STAT_OK;
+ }
+ 
+@@ -878,7 +878,7 @@ static int megasas_mfc_get_defaults(MegasasState *s, MegasasCmd *cmd)
+     info.disable_preboot_cli = 1;
+     info.cluster_disable = 1;
+ 
+-    cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg);
++    cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg, MEMTXATTRS_UNSPECIFIED);
+     return MFI_STAT_OK;
+ }
+ 
+@@ -899,7 +899,7 @@ static int megasas_dcmd_get_bios_info(MegasasState *s, MegasasCmd *cmd)
+         info.expose_all_drives = 1;
+     }
+ 
+-    cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg);
++    cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg, MEMTXATTRS_UNSPECIFIED);
+     return MFI_STAT_OK;
+ }
+ 
+@@ -910,7 +910,7 @@ static int megasas_dcmd_get_fw_time(MegasasState *s, MegasasCmd *cmd)
+ 
+     fw_time = cpu_to_le64(megasas_fw_time());
+ 
+-    cmd->iov_size -= dma_buf_read(&fw_time, dcmd_size, &cmd->qsg);
++    cmd->iov_size -= dma_buf_read(&fw_time, dcmd_size, &cmd->qsg, MEMTXATTRS_UNSPECIFIED);
+     return MFI_STAT_OK;
+ }
+ 
+@@ -937,7 +937,7 @@ static int megasas_event_info(MegasasState *s, MegasasCmd *cmd)
+     info.shutdown_seq_num = cpu_to_le32(s->shutdown_event);
+     info.boot_seq_num = cpu_to_le32(s->boot_event);
+ 
+-    cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg);
++    cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg, MEMTXATTRS_UNSPECIFIED);
+     return MFI_STAT_OK;
+ }
+ 
+@@ -1006,7 +1006,7 @@ static int megasas_dcmd_pd_get_list(MegasasState *s, MegasasCmd *cmd)
+     info.size = cpu_to_le32(offset);
+     info.count = cpu_to_le32(num_pd_disks);
+ 
+-    cmd->iov_size -= dma_buf_read(&info, offset, &cmd->qsg);
++    cmd->iov_size -= dma_buf_read(&info, offset, &cmd->qsg, MEMTXATTRS_UNSPECIFIED);
+     return MFI_STAT_OK;
+ }
+ 
+@@ -1100,7 +1100,7 @@ static int megasas_pd_get_info_submit(SCSIDevice *sdev, int lun,
+     info->connected_port_bitmap = 0x1;
+     info->device_speed = 1;
+     info->link_speed = 1;
+-    resid = dma_buf_read(cmd->iov_buf, dcmd_size, &cmd->qsg);
++    resid = dma_buf_read(cmd->iov_buf, dcmd_size, &cmd->qsg, MEMTXATTRS_UNSPECIFIED);
+     g_free(cmd->iov_buf);
+     cmd->iov_size = dcmd_size - resid;
+     cmd->iov_buf = NULL;
+@@ -1172,7 +1172,7 @@ static int megasas_dcmd_ld_get_list(MegasasState *s, MegasasCmd *cmd)
+     info.ld_count = cpu_to_le32(num_ld_disks);
+     trace_megasas_dcmd_ld_get_list(cmd->index, num_ld_disks, max_ld_disks);
+ 
+-    resid = dma_buf_read(&info, dcmd_size, &cmd->qsg);
++    resid = dma_buf_read(&info, dcmd_size, &cmd->qsg, MEMTXATTRS_UNSPECIFIED);
+     cmd->iov_size = dcmd_size - resid;
+     return MFI_STAT_OK;
+ }
+@@ -1221,7 +1221,7 @@ static int megasas_dcmd_ld_list_query(MegasasState *s, MegasasCmd *cmd)
+     info.size = dcmd_size;
+     trace_megasas_dcmd_ld_get_list(cmd->index, num_ld_disks, max_ld_disks);
+ 
+-    resid = dma_buf_read(&info, dcmd_size, &cmd->qsg);
++    resid = dma_buf_read(&info, dcmd_size, &cmd->qsg, MEMTXATTRS_UNSPECIFIED);
+     cmd->iov_size = dcmd_size - resid;
+     return MFI_STAT_OK;
+ }
+@@ -1271,7 +1271,7 @@ static int megasas_ld_get_info_submit(SCSIDevice *sdev, int lun,
+     info->ld_config.span[0].num_blocks = info->size;
+     info->ld_config.span[0].array_ref = cpu_to_le16(sdev_id);
+ 
+-    resid = dma_buf_read(cmd->iov_buf, dcmd_size, &cmd->qsg);
++    resid = dma_buf_read(cmd->iov_buf, dcmd_size, &cmd->qsg, MEMTXATTRS_UNSPECIFIED);
+     g_free(cmd->iov_buf);
+     cmd->iov_size = dcmd_size - resid;
+     cmd->iov_buf = NULL;
+@@ -1390,7 +1390,7 @@ static int megasas_dcmd_cfg_read(MegasasState *s, MegasasCmd *cmd)
+         ld_offset += sizeof(struct mfi_ld_config);
+     }
+ 
+-    cmd->iov_size -= dma_buf_read(data, info->size, &cmd->qsg);
++    cmd->iov_size -= dma_buf_read(data, info->size, &cmd->qsg, MEMTXATTRS_UNSPECIFIED);
+     return MFI_STAT_OK;
+ }
+ 
+@@ -1420,7 +1420,7 @@ static int megasas_dcmd_get_properties(MegasasState *s, MegasasCmd *cmd)
+     info.ecc_bucket_leak_rate = cpu_to_le16(1440);
+     info.expose_encl_devices = 1;
+ 
+-    cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg);
++    cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg, MEMTXATTRS_UNSPECIFIED);
+     return MFI_STAT_OK;
+ }
+ 
+diff --git a/hw/scsi/scsi-bus.c b/hw/scsi/scsi-bus.c
+index 64a506a..2b5e9dc 100644
+--- a/hw/scsi/scsi-bus.c
++++ b/hw/scsi/scsi-bus.c
+@@ -1421,7 +1421,7 @@ void scsi_req_data(SCSIRequest *req, int len)
+ 
+     buf = scsi_req_get_buf(req);
+     if (req->cmd.mode == SCSI_XFER_FROM_DEV) {
+-        req->resid = dma_buf_read(buf, len, req->sg);
++        req->resid = dma_buf_read(buf, len, req->sg, MEMTXATTRS_UNSPECIFIED);
+     } else {
+         req->resid = dma_buf_write(buf, len, req->sg, MEMTXATTRS_UNSPECIFIED);
+     }
+diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h
+index e3dd74a..fd8f160 100644
+--- a/include/sysemu/dma.h
++++ b/include/sysemu/dma.h
+@@ -302,7 +302,7 @@ BlockAIOCB *dma_blk_read(BlockBackend *blk,
+ BlockAIOCB *dma_blk_write(BlockBackend *blk,
+                           QEMUSGList *sg, uint64_t offset, uint32_t align,
+                           BlockCompletionFunc *cb, void *opaque);
+-uint64_t dma_buf_read(void *ptr, int32_t len, QEMUSGList *sg);
++uint64_t dma_buf_read(void *ptr, int32_t len, QEMUSGList *sg, MemTxAttrs attrs);
+ uint64_t dma_buf_write(void *ptr, int32_t len, QEMUSGList *sg, MemTxAttrs attrs);
+ 
+ void dma_acct_start(BlockBackend *blk, BlockAcctCookie *cookie,
+diff --git a/softmmu/dma-helpers.c b/softmmu/dma-helpers.c
+index 2f1a241..a391773 100644
+--- a/softmmu/dma-helpers.c
++++ b/softmmu/dma-helpers.c
+@@ -316,10 +316,9 @@ static uint64_t dma_buf_rw(void *buf, int32_t len, QEMUSGList *sg,
+     return resid;
+ }
+ 
+-uint64_t dma_buf_read(void *ptr, int32_t len, QEMUSGList *sg)
++uint64_t dma_buf_read(void *ptr, int32_t len, QEMUSGList *sg, MemTxAttrs attrs)
+ {
+-    return dma_buf_rw(ptr, len, sg, DMA_DIRECTION_FROM_DEVICE,
+-                      MEMTXATTRS_UNSPECIFIED);
++    return dma_buf_rw(ptr, len, sg, DMA_DIRECTION_FROM_DEVICE, attrs);
+ }
+ 
+ uint64_t dma_buf_write(void *ptr, int32_t len, QEMUSGList *sg, MemTxAttrs attrs)
+-- 
+1.8.3.1
+
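Review bot: every converted call in hw/scsi/megasas.c, for example `cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg, MEMTXATTRS_UNSPECIFIED);`, now runs well past 80 columns, as do the dma_buf_read() prototype in include/sysemu/dma.h and its definition in softmmu/dma-helpers.c. hw/ide/ahci.c and hw/nvme/ctrl.c avoid this with a local `attrs` constant; if the backport is meant to stay byte-identical to upstream, leave it, otherwise wrap the argument list or use the same local constant in megasas.c.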
diff --git a/meta/recipes-devtools/qemu/qemu/0014_let_dma_buf_rw_function_propagate_MemTxResult.patch b/meta/recipes-devtools/qemu/qemu/0014_let_dma_buf_rw_function_propagate_MemTxResult.patch
new file mode 100644
index 0000000000..571ce9cc9b
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0014_let_dma_buf_rw_function_propagate_MemTxResult.patch
@@ -0,0 +1,91 @@
+From 292e13142d277c15bdd68331abc607e46628b7e1 Mon Sep 17 00:00:00 2001
+From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Wed, 15 Dec 2021 23:38:52 +0100
+Subject: [PATCH] dma: Let dma_buf_rw() propagate MemTxResult
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+dma_memory_rw() returns a MemTxResult type. Do not discard
+it, return it to the caller.
+
+Since dma_buf_rw() was previously returning the QEMUSGList
+size not consumed, add an extra argument where this size
+can be stored.
+
+Update the 2 callers.
+
+CVE: CVE-2021-3611
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=292e13142d277c15bdd68331abc607e46628b7e1]
+
+Reviewed-by: Klaus Jensen <k.jensen@samsung.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-Id: <20211223115554.3155328-14-philmd@redhat.com>
+Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
+---
+ softmmu/dma-helpers.c | 25 +++++++++++++++++++------
+ 1 file changed, 19 insertions(+), 6 deletions(-)
+
+diff --git a/softmmu/dma-helpers.c b/softmmu/dma-helpers.c
+index a391773..b0be156 100644
+--- a/softmmu/dma-helpers.c
++++ b/softmmu/dma-helpers.c
+@@ -294,12 +294,14 @@ BlockAIOCB *dma_blk_write(BlockBackend *blk,
+ }
+ 
+ 
+-static uint64_t dma_buf_rw(void *buf, int32_t len, QEMUSGList *sg,
+-                           DMADirection dir, MemTxAttrs attrs)
++static MemTxResult dma_buf_rw(void *buf, int32_t len, uint64_t *residp,
++                              QEMUSGList *sg, DMADirection dir,
++                              MemTxAttrs attrs)
+ {
+     uint8_t *ptr = buf;
+     uint64_t resid;
+     int sg_cur_index;
++    MemTxResult res = MEMTX_OK;
+ 
+     resid = sg->size;
+     sg_cur_index = 0;
+@@ -307,23 +309,34 @@ static uint64_t dma_buf_rw(void *buf, int32_t len, QEMUSGList *sg,
+     while (len > 0) {
+         ScatterGatherEntry entry = sg->sg[sg_cur_index++];
+         int32_t xfer = MIN(len, entry.len);
+-        dma_memory_rw(sg->as, entry.base, ptr, xfer, dir, attrs);
++        res |= dma_memory_rw(sg->as, entry.base, ptr, xfer, dir, attrs);
+         ptr += xfer;
+         len -= xfer;
+         resid -= xfer;
+     }
+ 
+-    return resid;
++    if (residp) {
++        *residp = resid;
++    }
++    return res;
+ }
+ 
+ uint64_t dma_buf_read(void *ptr, int32_t len, QEMUSGList *sg, MemTxAttrs attrs)
+ {
+-    return dma_buf_rw(ptr, len, sg, DMA_DIRECTION_FROM_DEVICE, attrs);
++    uint64_t resid;
++
++    dma_buf_rw(ptr, len, &resid, sg, DMA_DIRECTION_FROM_DEVICE, attrs);
++
++    return resid;
+ }
+ 
+ uint64_t dma_buf_write(void *ptr, int32_t len, QEMUSGList *sg, MemTxAttrs attrs)
+ {
+-    return dma_buf_rw(ptr, len, sg, DMA_DIRECTION_TO_DEVICE, attrs);
++    uint64_t resid;
++
++    dma_buf_rw(ptr, len, &resid, sg, DMA_DIRECTION_TO_DEVICE, attrs);
++
++    return resid;
+ }
+ 
+ void dma_acct_start(BlockBackend *blk, BlockAcctCookie *cookie,
+-- 
+1.8.3.1
+
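Review bot: In softmmu/dma-helpers.c, dma_buf_read() and dma_buf_write() call the reworked dma_buf_rw() and drop its MemTxResult, so the status this patch starts collecting stops one level below the device models; both wrappers still return only resid. Either state in the commit message that the wrappers are converted by a later patch in the series, or have them return the result here. Inside the loop, "res |= dma_memory_rw(...)" keeps walking the scatter-gather list after a failed transfer, and resid is decremented as if the data had moved, so a caller that looks only at resid cannot tell a failed transfer from a completed one. A short comment saying that continuing after an error is intended would make this easier to audit.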
diff --git a/meta/recipes-devtools/qemu/qemu/0015_let_st_pointer_dma_function_take_MemTxAttrs_argument.patch b/meta/recipes-devtools/qemu/qemu/0015_let_st_pointer_dma_function_take_MemTxAttrs_argument.patch
new file mode 100644
index 0000000000..7f56dcb6eb
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0015_let_st_pointer_dma_function_take_MemTxAttrs_argument.patch
@@ -0,0 +1,120 @@
+From 2280c27afc65bb2af95dd44a88e3b7117bfe240a Mon Sep 17 00:00:00 2001
+From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Fri, 17 Dec 2021 23:53:34 +0100
+Subject: [PATCH] dma: Let st*_dma() take MemTxAttrs argument
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+Let devices specify transaction attributes when calling st*_dma().
+
+Keep the default MEMTXATTRS_UNSPECIFIED in the few callers.
+
+CVE: CVE-2021-3611
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=2280c27afc65bb2af95dd44a88e3b7117bfe240a]
+
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Cédric Le Goater <clg@kaod.org>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-Id: <20211223115554.3155328-16-philmd@redhat.com>
+Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
+---
+ hw/nvram/fw_cfg.c          |  4 ++--
+ include/hw/pci/pci.h       |  3 ++-
+ include/hw/ppc/spapr_vio.h | 12 ++++++++----
+ include/sysemu/dma.h       | 10 ++++++----
+ 4 files changed, 18 insertions(+), 11 deletions(-)
+
+diff --git a/hw/nvram/fw_cfg.c b/hw/nvram/fw_cfg.c
+index 9b91b15..e5f3c981 100644
+--- a/hw/nvram/fw_cfg.c
++++ b/hw/nvram/fw_cfg.c
+@@ -360,7 +360,7 @@ static void fw_cfg_dma_transfer(FWCfgState *s)
+     if (dma_memory_read(s->dma_as, dma_addr,
+                         &dma, sizeof(dma), MEMTXATTRS_UNSPECIFIED)) {
+         stl_be_dma(s->dma_as, dma_addr + offsetof(FWCfgDmaAccess, control),
+-                   FW_CFG_DMA_CTL_ERROR);
++                   FW_CFG_DMA_CTL_ERROR, MEMTXATTRS_UNSPECIFIED);
+         return;
+     }
+ 
+@@ -446,7 +446,7 @@ static void fw_cfg_dma_transfer(FWCfgState *s)
+     }
+ 
+     stl_be_dma(s->dma_as, dma_addr + offsetof(FWCfgDmaAccess, control),
+-                dma.control);
++                dma.control, MEMTXATTRS_UNSPECIFIED);
+ 
+     trace_fw_cfg_read(s, 0);
+ }
+diff --git a/include/hw/pci/pci.h b/include/hw/pci/pci.h
+index a751ab5..d07e970 100644
+--- a/include/hw/pci/pci.h
++++ b/include/hw/pci/pci.h
+@@ -859,7 +859,8 @@ static inline MemTxResult pci_dma_write(PCIDevice *dev, dma_addr_t addr,
+     static inline void st##_s##_pci_dma(PCIDevice *dev,                 \
+                                         dma_addr_t addr, uint##_bits##_t val) \
+     {                                                                   \
+-        st##_s##_dma(pci_get_address_space(dev), addr, val);            \
++        st##_s##_dma(pci_get_address_space(dev), addr, val, \
++                     MEMTXATTRS_UNSPECIFIED); \
+     }
+ 
+ PCI_DMA_DEFINE_LDST(ub, b, 8);
+diff --git a/include/hw/ppc/spapr_vio.h b/include/hw/ppc/spapr_vio.h
+index 5d2ea8e..e87f8e6 100644
+--- a/include/hw/ppc/spapr_vio.h
++++ b/include/hw/ppc/spapr_vio.h
+@@ -118,10 +118,14 @@ static inline int spapr_vio_dma_set(SpaprVioDevice *dev, uint64_t taddr,
+         H_DEST_PARM : H_SUCCESS;
+ }
+ 
+-#define vio_stb(_dev, _addr, _val) (stb_dma(&(_dev)->as, (_addr), (_val)))
+-#define vio_sth(_dev, _addr, _val) (stw_be_dma(&(_dev)->as, (_addr), (_val)))
+-#define vio_stl(_dev, _addr, _val) (stl_be_dma(&(_dev)->as, (_addr), (_val)))
+-#define vio_stq(_dev, _addr, _val) (stq_be_dma(&(_dev)->as, (_addr), (_val)))
++#define vio_stb(_dev, _addr, _val) \
++        (stb_dma(&(_dev)->as, (_addr), (_val), MEMTXATTRS_UNSPECIFIED))
++#define vio_sth(_dev, _addr, _val) \
++        (stw_be_dma(&(_dev)->as, (_addr), (_val), MEMTXATTRS_UNSPECIFIED))
++#define vio_stl(_dev, _addr, _val) \
++        (stl_be_dma(&(_dev)->as, (_addr), (_val), MEMTXATTRS_UNSPECIFIED))
++#define vio_stq(_dev, _addr, _val) \
++        (stq_be_dma(&(_dev)->as, (_addr), (_val), MEMTXATTRS_UNSPECIFIED))
+ #define vio_ldq(_dev, _addr) (ldq_be_dma(&(_dev)->as, (_addr)))
+ 
+ int spapr_vio_send_crq(SpaprVioDevice *dev, uint8_t *crq);
+diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h
+index fd8f160..009dd3c 100644
+--- a/include/sysemu/dma.h
++++ b/include/sysemu/dma.h
+@@ -249,10 +249,11 @@ static inline void dma_memory_unmap(AddressSpace *as,
+     }                                                                   \
+     static inline void st##_sname##_##_end##_dma(AddressSpace *as,      \
+                                                  dma_addr_t addr,       \
+-                                                 uint##_bits##_t val)   \
++                                                 uint##_bits##_t val,   \
++                                                 MemTxAttrs attrs)      \
+     {                                                                   \
+         val = cpu_to_##_end##_bits(val);                                \
+-        dma_memory_write(as, addr, &val, (_bits) / 8, MEMTXATTRS_UNSPECIFIED); \
++        dma_memory_write(as, addr, &val, (_bits) / 8, attrs); \
+     }
+ 
+ static inline uint8_t ldub_dma(AddressSpace *as, dma_addr_t addr)
+@@ -263,9 +264,10 @@ static inline uint8_t ldub_dma(AddressSpace *as, dma_addr_t addr)
+     return val;
+ }
+ 
+-static inline void stb_dma(AddressSpace *as, dma_addr_t addr, uint8_t val)
++static inline void stb_dma(AddressSpace *as, dma_addr_t addr,
++                           uint8_t val, MemTxAttrs attrs)
+ {
+-    dma_memory_write(as, addr, &val, 1, MEMTXATTRS_UNSPECIFIED);
++    dma_memory_write(as, addr, &val, 1, attrs);
+ }
+ 
+ DEFINE_LDST_DMA(uw, w, 16, le);
+-- 
+1.8.3.1
+
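Review bot: In include/hw/pci/pci.h the st##_s##_pci_dma() wrapper now hard-codes MEMTXATTRS_UNSPECIFIED, so PCI device models still cannot supply their own attributes after this patch; the commit message should say that the PCI wrappers are converted separately. On style, the added continuation lines in PCI_DMA_DEFINE_LDST ("st##_s##_dma(pci_get_address_space(dev), addr, val, \") and in the st helper of include/sysemu/dma.h ("dma_memory_write(as, addr, &val, (_bits) / 8, attrs); \") leave the trailing backslash out of the column used by the rest of each macro. Realign them here rather than in a later patch. The four vio_st* macros in include/hw/ppc/spapr_vio.h repeat the same default and could share one local macro for the attribute value.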
diff --git a/meta/recipes-devtools/qemu/qemu/0016_let_ld_pointer_dma_function_take_MemTxAttrs_argument.patch b/meta/recipes-devtools/qemu/qemu/0016_let_ld_pointer_dma_function_take_MemTxAttrs_argument.patch
new file mode 100644
index 0000000000..a51451d343
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0016_let_ld_pointer_dma_function_take_MemTxAttrs_argument.patch
@@ -0,0 +1,151 @@
+From 34cdea1db600540a5261dc474e986f28b637c8e6 Mon Sep 17 00:00:00 2001
+From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Fri, 17 Dec 2021 22:18:07 +0100
+Subject: [PATCH] dma: Let ld*_dma() take MemTxAttrs argument
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+Let devices specify transaction attributes when calling ld*_dma().
+
+Keep the default MEMTXATTRS_UNSPECIFIED in the few callers.
+
+CVE: CVE-2021-3611
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=34cdea1db600540a5261dc474e986f28b637c8e6]
+
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Cédric Le Goater <clg@kaod.org>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-Id: <20211223115554.3155328-17-philmd@redhat.com>
+Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
+---
+ hw/intc/pnv_xive.c         |  7 ++++---
+ hw/usb/hcd-xhci.c          |  6 +++---
+ include/hw/pci/pci.h       |  3 ++-
+ include/hw/ppc/spapr_vio.h |  3 ++-
+ include/sysemu/dma.h       | 11 ++++++-----
+ 5 files changed, 17 insertions(+), 13 deletions(-)
+
+diff --git a/hw/intc/pnv_xive.c b/hw/intc/pnv_xive.c
+index ad43483..d9249bb 100644
+--- a/hw/intc/pnv_xive.c
++++ b/hw/intc/pnv_xive.c
+@@ -172,7 +172,7 @@ static uint64_t pnv_xive_vst_addr_indirect(PnvXive *xive, uint32_t type,
+ 
+     /* Get the page size of the indirect table. */
+     vsd_addr = vsd & VSD_ADDRESS_MASK;
+-    vsd = ldq_be_dma(&address_space_memory, vsd_addr);
++    vsd = ldq_be_dma(&address_space_memory, vsd_addr, MEMTXATTRS_UNSPECIFIED);
+ 
+     if (!(vsd & VSD_ADDRESS_MASK)) {
+ #ifdef XIVE_DEBUG
+@@ -195,7 +195,8 @@ static uint64_t pnv_xive_vst_addr_indirect(PnvXive *xive, uint32_t type,
+     /* Load the VSD we are looking for, if not already done */
+     if (vsd_idx) {
+         vsd_addr = vsd_addr + vsd_idx * XIVE_VSD_SIZE;
+-        vsd = ldq_be_dma(&address_space_memory, vsd_addr);
++        vsd = ldq_be_dma(&address_space_memory, vsd_addr,
++                         MEMTXATTRS_UNSPECIFIED);
+ 
+         if (!(vsd & VSD_ADDRESS_MASK)) {
+ #ifdef XIVE_DEBUG
+@@ -542,7 +543,7 @@ static uint64_t pnv_xive_vst_per_subpage(PnvXive *xive, uint32_t type)
+ 
+     /* Get the page size of the indirect table. */
+     vsd_addr = vsd & VSD_ADDRESS_MASK;
+-    vsd = ldq_be_dma(&address_space_memory, vsd_addr);
++    vsd = ldq_be_dma(&address_space_memory, vsd_addr, MEMTXATTRS_UNSPECIFIED);
+ 
+     if (!(vsd & VSD_ADDRESS_MASK)) {
+ #ifdef XIVE_DEBUG
+diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
+index ed2b9ea..d960b81 100644
+--- a/hw/usb/hcd-xhci.c
++++ b/hw/usb/hcd-xhci.c
+@@ -2062,7 +2062,7 @@ static TRBCCode xhci_address_slot(XHCIState *xhci, unsigned int slotid,
+     assert(slotid >= 1 && slotid <= xhci->numslots);
+ 
+     dcbaap = xhci_addr64(xhci->dcbaap_low, xhci->dcbaap_high);
+-    poctx = ldq_le_dma(xhci->as, dcbaap + 8 * slotid);
++    poctx = ldq_le_dma(xhci->as, dcbaap + 8 * slotid, MEMTXATTRS_UNSPECIFIED);
+     ictx = xhci_mask64(pictx);
+     octx = xhci_mask64(poctx);
+ 
+@@ -3437,8 +3437,8 @@ static int usb_xhci_post_load(void *opaque, int version_id)
+         if (!slot->addressed) {
+             continue;
+         }
+-        slot->ctx =
+-            xhci_mask64(ldq_le_dma(xhci->as, dcbaap + 8 * slotid));
++        slot->ctx = xhci_mask64(ldq_le_dma(xhci->as, dcbaap + 8 * slotid,
++                                           MEMTXATTRS_UNSPECIFIED));
+         xhci_dma_read_u32s(xhci, slot->ctx, slot_ctx, sizeof(slot_ctx));
+         slot->uport = xhci_lookup_uport(xhci, slot_ctx);
+         if (!slot->uport) {
+diff --git a/include/hw/pci/pci.h b/include/hw/pci/pci.h
+index d07e970..0613308 100644
+--- a/include/hw/pci/pci.h
++++ b/include/hw/pci/pci.h
+@@ -854,7 +854,8 @@ static inline MemTxResult pci_dma_write(PCIDevice *dev, dma_addr_t addr,
+     static inline uint##_bits##_t ld##_l##_pci_dma(PCIDevice *dev,      \
+                                                    dma_addr_t addr)     \
+     {                                                                   \
+-        return ld##_l##_dma(pci_get_address_space(dev), addr);          \
++        return ld##_l##_dma(pci_get_address_space(dev), addr,           \
++                            MEMTXATTRS_UNSPECIFIED);                    \
+     }                                                                   \
+     static inline void st##_s##_pci_dma(PCIDevice *dev,                 \
+                                         dma_addr_t addr, uint##_bits##_t val) \
+diff --git a/include/hw/ppc/spapr_vio.h b/include/hw/ppc/spapr_vio.h
+index e87f8e6..d2ec9b0 100644
+--- a/include/hw/ppc/spapr_vio.h
++++ b/include/hw/ppc/spapr_vio.h
+@@ -126,7 +126,8 @@ static inline int spapr_vio_dma_set(SpaprVioDevice *dev, uint64_t taddr,
+         (stl_be_dma(&(_dev)->as, (_addr), (_val), MEMTXATTRS_UNSPECIFIED))
+ #define vio_stq(_dev, _addr, _val) \
+         (stq_be_dma(&(_dev)->as, (_addr), (_val), MEMTXATTRS_UNSPECIFIED))
+-#define vio_ldq(_dev, _addr) (ldq_be_dma(&(_dev)->as, (_addr)))
++#define vio_ldq(_dev, _addr) \
++        (ldq_be_dma(&(_dev)->as, (_addr), MEMTXATTRS_UNSPECIFIED))
+ 
+ int spapr_vio_send_crq(SpaprVioDevice *dev, uint8_t *crq);
+ 
+diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h
+index 009dd3c..d1635f5 100644
+--- a/include/sysemu/dma.h
++++ b/include/sysemu/dma.h
+@@ -241,10 +241,11 @@ static inline void dma_memory_unmap(AddressSpace *as,
+ 
+ #define DEFINE_LDST_DMA(_lname, _sname, _bits, _end) \
+     static inline uint##_bits##_t ld##_lname##_##_end##_dma(AddressSpace *as, \
+-                                                            dma_addr_t addr) \
++                                                            dma_addr_t addr, \
++                                                            MemTxAttrs attrs) \
+     {                                                                   \
+         uint##_bits##_t val;                                            \
+-        dma_memory_read(as, addr, &val, (_bits) / 8, MEMTXATTRS_UNSPECIFIED); \
++        dma_memory_read(as, addr, &val, (_bits) / 8, attrs); \
+         return _end##_bits##_to_cpu(val);                               \
+     }                                                                   \
+     static inline void st##_sname##_##_end##_dma(AddressSpace *as,      \
+@@ -253,14 +254,14 @@ static inline void dma_memory_unmap(AddressSpace *as,
+                                                  MemTxAttrs attrs)      \
+     {                                                                   \
+         val = cpu_to_##_end##_bits(val);                                \
+-        dma_memory_write(as, addr, &val, (_bits) / 8, attrs); \
++        dma_memory_write(as, addr, &val, (_bits) / 8, attrs);           \
+     }
+ 
+-static inline uint8_t ldub_dma(AddressSpace *as, dma_addr_t addr)
++static inline uint8_t ldub_dma(AddressSpace *as, dma_addr_t addr, MemTxAttrs attrs)
+ {
+     uint8_t val;
+ 
+-    dma_memory_read(as, addr, &val, 1, MEMTXATTRS_UNSPECIFIED);
++    dma_memory_read(as, addr, &val, 1, attrs);
+     return val;
+ }
+ 
+-- 
+1.8.3.1
+
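Review bot: In include/sysemu/dma.h the new ldub_dma() prototype is on a single line that runs past 80 columns; wrap it the way stb_dma() was wrapped in the st*_dma() patch ("uint8_t val, MemTxAttrs attrs" on a continuation line). The same hunk also carries a whitespace-only realignment of the dma_memory_write() line in the st helper, which belongs in the patch that introduced the misalignment. Separately, every converted ld helper still reads into a local val with no initializer and returns it without looking at what dma_memory_read() returned, so a failed read hands the caller an indeterminate value. That is not introduced here, but it is worth a sentence in the commit message, since the CVE tag makes readers expect the error path to be covered.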
diff --git a/meta/recipes-devtools/qemu/qemu/0017_let_st_pointer_dma_function_propagate_MemTxResult.patch b/meta/recipes-devtools/qemu/qemu/0017_let_st_pointer_dma_function_propagate_MemTxResult.patch
new file mode 100644
index 0000000000..3fc7b631a4
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0017_let_st_pointer_dma_function_propagate_MemTxResult.patch
@@ -0,0 +1,65 @@
+From 24aed6bcb6b6d266149591f955c2460c28759eb4 Mon Sep 17 00:00:00 2001
+From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Fri, 17 Dec 2021 23:56:14 +0100
+Subject: [PATCH] dma: Let st*_dma() propagate MemTxResult
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+dma_memory_write() returns a MemTxResult type. Do not discard
+it, return it to the caller.
+
+CVE: CVE-2021-3611
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=24aed6bcb6b6d266149591f955c2460c28759eb4]
+
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Cédric Le Goater <clg@kaod.org>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-Id: <20211223115554.3155328-18-philmd@redhat.com>
+Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
+---
+ include/sysemu/dma.h | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h
+index d1635f5..895044d 100644
+--- a/include/sysemu/dma.h
++++ b/include/sysemu/dma.h
+@@ -248,13 +248,13 @@ static inline void dma_memory_unmap(AddressSpace *as,
+         dma_memory_read(as, addr, &val, (_bits) / 8, attrs); \
+         return _end##_bits##_to_cpu(val);                               \
+     }                                                                   \
+-    static inline void st##_sname##_##_end##_dma(AddressSpace *as,      \
+-                                                 dma_addr_t addr,       \
+-                                                 uint##_bits##_t val,   \
+-                                                 MemTxAttrs attrs)      \
+-    {                                                                   \
+-        val = cpu_to_##_end##_bits(val);                                \
+-        dma_memory_write(as, addr, &val, (_bits) / 8, attrs);           \
++    static inline MemTxResult st##_sname##_##_end##_dma(AddressSpace *as, \
++                                                        dma_addr_t addr, \
++                                                        uint##_bits##_t val, \
++                                                        MemTxAttrs attrs) \
++    { \
++        val = cpu_to_##_end##_bits(val); \
++        return dma_memory_write(as, addr, &val, (_bits) / 8, attrs); \
+     }
+ 
+ static inline uint8_t ldub_dma(AddressSpace *as, dma_addr_t addr, MemTxAttrs attrs)
+@@ -265,10 +265,10 @@ static inline uint8_t ldub_dma(AddressSpace *as, dma_addr_t addr, MemTxAttrs att
+     return val;
+ }
+ 
+-static inline void stb_dma(AddressSpace *as, dma_addr_t addr,
+-                           uint8_t val, MemTxAttrs attrs)
++static inline MemTxResult stb_dma(AddressSpace *as, dma_addr_t addr,
++                                  uint8_t val, MemTxAttrs attrs)
+ {
+-    dma_memory_write(as, addr, &val, 1, attrs);
++    return dma_memory_write(as, addr, &val, 1, attrs);
+ }
+ 
+ DEFINE_LDST_DMA(uw, w, 16, le);
+-- 
+1.8.3.1
+
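Review bot: The st*_dma() helpers and stb_dma() in include/sysemu/dma.h now return MemTxResult, but the diffstat shows only dma.h changing, so no caller checks the new value. For example, the stl_be_dma() call that writes FW_CFG_DMA_CTL_ERROR in fw_cfg_dma_transfer() still ignores it. Please state in the commit message which follow-up adds the checks, or add them where a failed store changes device state. On style, the rewritten macro body ("{ \", "val = cpu_to_##_end##_bits(val); \") gives up the aligned backslash column that the previous patch in this series had just restored.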
diff --git a/meta/recipes-devtools/qemu/qemu/0018_let_ld_pointer_dma_function_propagate_MemTxResult.patch b/meta/recipes-devtools/qemu/qemu/0018_let_ld_pointer_dma_function_propagate_MemTxResult.patch
new file mode 100644
index 0000000000..d8a136c47f
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0018_let_ld_pointer_dma_function_propagate_MemTxResult.patch
@@ -0,0 +1,175 @@
+From cd1db8df7431edd2210ed0123e2e09b9b6d1e621 Mon Sep 17 00:00:00 2001
+From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Fri, 17 Dec 2021 22:31:11 +0100
+Subject: [PATCH] dma: Let ld*_dma() propagate MemTxResult
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+dma_memory_read() returns a MemTxResult type. Do not discard
+it, return it to the caller.
+
+Update the few callers.
+
+CVE: CVE-2021-3611
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=cd1db8df7431edd2210ed0123e2e09b9b6d1e621]
+
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Cédric Le Goater <clg@kaod.org>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-Id: <20211223115554.3155328-19-philmd@redhat.com>
+Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
+---
+ hw/intc/pnv_xive.c         |  8 ++++----
+ hw/usb/hcd-xhci.c          |  7 ++++---
+ include/hw/pci/pci.h       |  6 ++++--
+ include/hw/ppc/spapr_vio.h |  6 +++++-
+ include/sysemu/dma.h       | 25 ++++++++++++-------------
+ 5 files changed, 29 insertions(+), 23 deletions(-)
+
+diff --git a/hw/intc/pnv_xive.c b/hw/intc/pnv_xive.c
+index d9249bb..bb20751 100644
+--- a/hw/intc/pnv_xive.c
++++ b/hw/intc/pnv_xive.c
+@@ -172,7 +172,7 @@ static uint64_t pnv_xive_vst_addr_indirect(PnvXive *xive, uint32_t type,
+ 
+     /* Get the page size of the indirect table. */
+     vsd_addr = vsd & VSD_ADDRESS_MASK;
+-    vsd = ldq_be_dma(&address_space_memory, vsd_addr, MEMTXATTRS_UNSPECIFIED);
++    ldq_be_dma(&address_space_memory, vsd_addr, &vsd, MEMTXATTRS_UNSPECIFIED);
+ 
+     if (!(vsd & VSD_ADDRESS_MASK)) {
+ #ifdef XIVE_DEBUG
+@@ -195,8 +195,8 @@ static uint64_t pnv_xive_vst_addr_indirect(PnvXive *xive, uint32_t type,
+     /* Load the VSD we are looking for, if not already done */
+     if (vsd_idx) {
+         vsd_addr = vsd_addr + vsd_idx * XIVE_VSD_SIZE;
+-        vsd = ldq_be_dma(&address_space_memory, vsd_addr,
+-                         MEMTXATTRS_UNSPECIFIED);
++        ldq_be_dma(&address_space_memory, vsd_addr, &vsd,
++                   MEMTXATTRS_UNSPECIFIED);
+ 
+         if (!(vsd & VSD_ADDRESS_MASK)) {
+ #ifdef XIVE_DEBUG
+@@ -543,7 +543,7 @@ static uint64_t pnv_xive_vst_per_subpage(PnvXive *xive, uint32_t type)
+ 
+     /* Get the page size of the indirect table. */
+     vsd_addr = vsd & VSD_ADDRESS_MASK;
+-    vsd = ldq_be_dma(&address_space_memory, vsd_addr, MEMTXATTRS_UNSPECIFIED);
++    ldq_be_dma(&address_space_memory, vsd_addr, &vsd, MEMTXATTRS_UNSPECIFIED);
+ 
+     if (!(vsd & VSD_ADDRESS_MASK)) {
+ #ifdef XIVE_DEBUG
+diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
+index d960b81..da5a407 100644
+--- a/hw/usb/hcd-xhci.c
++++ b/hw/usb/hcd-xhci.c
+@@ -2062,7 +2062,7 @@ static TRBCCode xhci_address_slot(XHCIState *xhci, unsigned int slotid,
+     assert(slotid >= 1 && slotid <= xhci->numslots);
+ 
+     dcbaap = xhci_addr64(xhci->dcbaap_low, xhci->dcbaap_high);
+-    poctx = ldq_le_dma(xhci->as, dcbaap + 8 * slotid, MEMTXATTRS_UNSPECIFIED);
++    ldq_le_dma(xhci->as, dcbaap + 8 * slotid, &poctx, MEMTXATTRS_UNSPECIFIED);
+     ictx = xhci_mask64(pictx);
+     octx = xhci_mask64(poctx);
+ 
+@@ -3429,6 +3429,7 @@ static int usb_xhci_post_load(void *opaque, int version_id)
+     uint32_t slot_ctx[4];
+     uint32_t ep_ctx[5];
+     int slotid, epid, state;
++    uint64_t addr;
+ 
+     dcbaap = xhci_addr64(xhci->dcbaap_low, xhci->dcbaap_high);
+ 
+@@ -3437,8 +3438,8 @@ static int usb_xhci_post_load(void *opaque, int version_id)
+         if (!slot->addressed) {
+             continue;
+         }
+-        slot->ctx = xhci_mask64(ldq_le_dma(xhci->as, dcbaap + 8 * slotid,
+-                                           MEMTXATTRS_UNSPECIFIED));
++        ldq_le_dma(xhci->as, dcbaap + 8 * slotid, &addr, MEMTXATTRS_UNSPECIFIED);
++        slot->ctx = xhci_mask64(addr);
+         xhci_dma_read_u32s(xhci, slot->ctx, slot_ctx, sizeof(slot_ctx));
+         slot->uport = xhci_lookup_uport(xhci, slot_ctx);
+         if (!slot->uport) {
+diff --git a/include/hw/pci/pci.h b/include/hw/pci/pci.h
+index 0613308..8c5f2ed 100644
+--- a/include/hw/pci/pci.h
++++ b/include/hw/pci/pci.h
+@@ -854,8 +854,10 @@ static inline MemTxResult pci_dma_write(PCIDevice *dev, dma_addr_t addr,
+     static inline uint##_bits##_t ld##_l##_pci_dma(PCIDevice *dev,      \
+                                                    dma_addr_t addr)     \
+     {                                                                   \
+-        return ld##_l##_dma(pci_get_address_space(dev), addr,           \
+-                            MEMTXATTRS_UNSPECIFIED);                    \
++        uint##_bits##_t val; \
++        ld##_l##_dma(pci_get_address_space(dev), addr, &val, \
++                     MEMTXATTRS_UNSPECIFIED); \
++        return val; \
+     }                                                                   \
+     static inline void st##_s##_pci_dma(PCIDevice *dev,                 \
+                                         dma_addr_t addr, uint##_bits##_t val) \
+diff --git a/include/hw/ppc/spapr_vio.h b/include/hw/ppc/spapr_vio.h
+index d2ec9b0..7eae1a4 100644
+--- a/include/hw/ppc/spapr_vio.h
++++ b/include/hw/ppc/spapr_vio.h
+@@ -127,7 +127,11 @@ static inline int spapr_vio_dma_set(SpaprVioDevice *dev, uint64_t taddr,
+ #define vio_stq(_dev, _addr, _val) \
+         (stq_be_dma(&(_dev)->as, (_addr), (_val), MEMTXATTRS_UNSPECIFIED))
+ #define vio_ldq(_dev, _addr) \
+-        (ldq_be_dma(&(_dev)->as, (_addr), MEMTXATTRS_UNSPECIFIED))
++        ({ \
++            uint64_t _val; \
++            ldq_be_dma(&(_dev)->as, (_addr), &_val, MEMTXATTRS_UNSPECIFIED); \
++            _val; \
++        })
+ 
+ int spapr_vio_send_crq(SpaprVioDevice *dev, uint8_t *crq);
+ 
+diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h
+index 895044d..b3faef4 100644
+--- a/include/sysemu/dma.h
++++ b/include/sysemu/dma.h
+@@ -240,14 +240,15 @@ static inline void dma_memory_unmap(AddressSpace *as,
+ }
+ 
+ #define DEFINE_LDST_DMA(_lname, _sname, _bits, _end) \
+-    static inline uint##_bits##_t ld##_lname##_##_end##_dma(AddressSpace *as, \
+-                                                            dma_addr_t addr, \
+-                                                            MemTxAttrs attrs) \
+-    {                                                                   \
+-        uint##_bits##_t val;                                            \
+-        dma_memory_read(as, addr, &val, (_bits) / 8, attrs); \
+-        return _end##_bits##_to_cpu(val);                               \
+-    }                                                                   \
++    static inline MemTxResult ld##_lname##_##_end##_dma(AddressSpace *as, \
++                                                        dma_addr_t addr, \
++                                                        uint##_bits##_t *pval, \
++                                                        MemTxAttrs attrs) \
++    { \
++        MemTxResult res = dma_memory_read(as, addr, pval, (_bits) / 8, attrs); \
++        _end##_bits##_to_cpus(pval); \
++        return res; \
++    } \
+     static inline MemTxResult st##_sname##_##_end##_dma(AddressSpace *as, \
+                                                         dma_addr_t addr, \
+                                                         uint##_bits##_t val, \
+@@ -257,12 +258,10 @@ static inline void dma_memory_unmap(AddressSpace *as,
+         return dma_memory_write(as, addr, &val, (_bits) / 8, attrs); \
+     }
+ 
+-static inline uint8_t ldub_dma(AddressSpace *as, dma_addr_t addr, MemTxAttrs attrs)
++static inline MemTxResult ldub_dma(AddressSpace *as, dma_addr_t addr,
++                                   uint8_t *val, MemTxAttrs attrs)
+ {
+-    uint8_t val;
+-
+-    dma_memory_read(as, addr, &val, 1, attrs);
+-    return val;
++    return dma_memory_read(as, addr, val, 1, attrs);
+ }
+ 
+ static inline MemTxResult stb_dma(AddressSpace *as, dma_addr_t addr,
+-- 
+1.8.3.1
+
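Review bot: Every caller converted here passes an output pointer and then ignores the MemTxResult, and in usb_xhci_post_load() (hw/usb/hcd-xhci.c) the target is the new local "uint64_t addr;", which has no initializer. If ldq_le_dma() fails, slot->ctx is computed from whatever addr holds and is then used as the address for xhci_dma_read_u32s(). Since post_load returns int, check the result and fail the load, or at least initialize addr to 0. The same pattern appears in ld##_l##_pci_dma() in include/hw/pci/pci.h ("uint##_bits##_t val;" returned unchecked) and in the vio_ldq() statement expression in include/hw/ppc/spapr_vio.h. In hw/intc/pnv_xive.c, vsd already holds the previous descriptor when it is passed as the output, so after a failed read the "!(vsd & VSD_ADDRESS_MASK)" test runs on the stale value and can pass; test the return value before that check. In DEFINE_LDST_DMA, _end##_bits##_to_cpus(pval) byte-swaps the caller's buffer even when the read failed; swap only when res is MEMTX_OK.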
diff --git a/meta/recipes-devtools/qemu/qemu/0019_let_st_pointer_pci_dma_function_take_MemTxAttrs_argument.patch b/meta/recipes-devtools/qemu/qemu/0019_let_st_pointer_pci_dma_function_take_MemTxAttrs_argument.patch
new file mode 100644
index 0000000000..69101f308d
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0019_let_st_pointer_pci_dma_function_take_MemTxAttrs_argument.patch
@@ -0,0 +1,303 @@
+From a423a1b523296f8798a5851aaaba64dd166c0a74 Mon Sep 17 00:00:00 2001
+From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Fri, 17 Dec 2021 22:39:42 +0100
+Subject: [PATCH] pci: Let st*_pci_dma() take MemTxAttrs argument
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+Let devices specify transaction attributes when calling st*_pci_dma().
+
+Keep the default MEMTXATTRS_UNSPECIFIED in the few callers.
+
+CVE: CVE-2021-3611
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=a423a1b523296f8798a5851aaaba64dd166c0a74]
+
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-Id: <20211223115554.3155328-21-philmd@redhat.com>
+Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
+---
+ hw/audio/intel-hda.c | 10 ++++++----
+ hw/net/eepro100.c    | 29 ++++++++++++++++++-----------
+ hw/net/tulip.c       | 18 ++++++++++--------
+ hw/scsi/megasas.c    | 15 ++++++++++-----
+ hw/scsi/vmw_pvscsi.c |  3 ++-
+ include/hw/pci/pci.h | 11 ++++++-----
+ 6 files changed, 52 insertions(+), 34 deletions(-)
+
+diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c
+index fb3d34a..3309ae0 100644
+--- a/hw/audio/intel-hda.c
++++ b/hw/audio/intel-hda.c
+@@ -345,6 +345,7 @@ static void intel_hda_corb_run(IntelHDAState *d)
+ 
+ static void intel_hda_response(HDACodecDevice *dev, bool solicited, uint32_t response)
+ {
++    const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
+     HDACodecBus *bus = HDA_BUS(dev->qdev.parent_bus);
+     IntelHDAState *d = container_of(bus, IntelHDAState, codecs);
+     hwaddr addr;
+@@ -367,8 +368,8 @@ static void intel_hda_response(HDACodecDevice *dev, bool solicited, uint32_t res
+     ex = (solicited ? 0 : (1 << 4)) | dev->cad;
+     wp = (d->rirb_wp + 1) & 0xff;
+     addr = intel_hda_addr(d->rirb_lbase, d->rirb_ubase);
+-    stl_le_pci_dma(&d->pci, addr + 8*wp, response);
+-    stl_le_pci_dma(&d->pci, addr + 8*wp + 4, ex);
++    stl_le_pci_dma(&d->pci, addr + 8 * wp, response, attrs);
++    stl_le_pci_dma(&d->pci, addr + 8 * wp + 4, ex, attrs);
+     d->rirb_wp = wp;
+ 
+     dprint(d, 2, "%s: [wp 0x%x] response 0x%x, extra 0x%x\n",
+@@ -394,6 +395,7 @@ static void intel_hda_response(HDACodecDevice *dev, bool solicited, uint32_t res
+ static bool intel_hda_xfer(HDACodecDevice *dev, uint32_t stnr, bool output,
+                            uint8_t *buf, uint32_t len)
+ {
++    const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
+     HDACodecBus *bus = HDA_BUS(dev->qdev.parent_bus);
+     IntelHDAState *d = container_of(bus, IntelHDAState, codecs);
+     hwaddr addr;
+@@ -428,7 +430,7 @@ static bool intel_hda_xfer(HDACodecDevice *dev, uint32_t stnr, bool output,
+                st->be, st->bp, st->bpl[st->be].len, copy);
+ 
+         pci_dma_rw(&d->pci, st->bpl[st->be].addr + st->bp, buf, copy, !output,
+-                   MEMTXATTRS_UNSPECIFIED);
++                   attrs);
+         st->lpib += copy;
+         st->bp += copy;
+         buf += copy;
+@@ -451,7 +453,7 @@ static bool intel_hda_xfer(HDACodecDevice *dev, uint32_t stnr, bool output,
+     if (d->dp_lbase & 0x01) {
+         s = st - d->st;
+         addr = intel_hda_addr(d->dp_lbase & ~0x01, d->dp_ubase);
+-        stl_le_pci_dma(&d->pci, addr + 8*s, st->lpib);
++        stl_le_pci_dma(&d->pci, addr + 8 * s, st->lpib, attrs);
+     }
+     dprint(d, 3, "dma: --\n");
+ 
+diff --git a/hw/net/eepro100.c b/hw/net/eepro100.c
+index 16e95ef..83c4431 100644
+--- a/hw/net/eepro100.c
++++ b/hw/net/eepro100.c
+@@ -700,6 +700,8 @@ static void set_ru_state(EEPRO100State * s, ru_state_t state)
+ 
+ static void dump_statistics(EEPRO100State * s)
+ {
++    const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
++
+     /* Dump statistical data. Most data is never changed by the emulation
+      * and always 0, so we first just copy the whole block and then those
+      * values which really matter.
+@@ -707,16 +709,18 @@ static void dump_statistics(EEPRO100State * s)
+      */
+     pci_dma_write(&s->dev, s->statsaddr, &s->statistics, s->stats_size);
+     stl_le_pci_dma(&s->dev, s->statsaddr + 0,
+-                   s->statistics.tx_good_frames);
++                   s->statistics.tx_good_frames, attrs);
+     stl_le_pci_dma(&s->dev, s->statsaddr + 36,
+-                   s->statistics.rx_good_frames);
++                   s->statistics.rx_good_frames, attrs);
+     stl_le_pci_dma(&s->dev, s->statsaddr + 48,
+-                   s->statistics.rx_resource_errors);
++                   s->statistics.rx_resource_errors, attrs);
+     stl_le_pci_dma(&s->dev, s->statsaddr + 60,
+-                   s->statistics.rx_short_frame_errors);
++                   s->statistics.rx_short_frame_errors, attrs);
+ #if 0
+-    stw_le_pci_dma(&s->dev, s->statsaddr + 76, s->statistics.xmt_tco_frames);
+-    stw_le_pci_dma(&s->dev, s->statsaddr + 78, s->statistics.rcv_tco_frames);
++    stw_le_pci_dma(&s->dev, s->statsaddr + 76,
++                   s->statistics.xmt_tco_frames, attrs);
++    stw_le_pci_dma(&s->dev, s->statsaddr + 78,
++                   s->statistics.rcv_tco_frames, attrs);
+     missing("CU dump statistical counters");
+ #endif
+ }
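Review bot: the two stw_le_pci_dma() calls under `#if 0` in dump_statistics() are never compiled, so the `attrs` argument added to them is not checked by the build and can drift unnoticed on a later signature change. Either leave the dead block out of this backport or note in the commit message that it is updated only for consistency with the live calls above it.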
+@@ -833,6 +837,7 @@ static void set_multicast_list(EEPRO100State *s)
+ 
+ static void action_command(EEPRO100State *s)
+ {
++    const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
+     /* The loop below won't stop if it gets special handcrafted data.
+        Therefore we limit the number of iterations. */
+     unsigned max_loop_count = 16;
+@@ -911,7 +916,7 @@ static void action_command(EEPRO100State *s)
+         }
+         /* Write new status. */
+         stw_le_pci_dma(&s->dev, s->cb_address,
+-                       s->tx.status | ok_status | STATUS_C);
++                       s->tx.status | ok_status | STATUS_C, attrs);
+         if (bit_i) {
+             /* CU completed action. */
+             eepro100_cx_interrupt(s);
+@@ -937,6 +942,7 @@ static void action_command(EEPRO100State *s)
+ 
+ static void eepro100_cu_command(EEPRO100State * s, uint8_t val)
+ {
++    const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
+     cu_state_t cu_state;
+     switch (val) {
+     case CU_NOP:
+@@ -986,7 +992,7 @@ static void eepro100_cu_command(EEPRO100State * s, uint8_t val)
+         /* Dump statistical counters. */
+         TRACE(OTHER, logout("val=0x%02x (dump stats)\n", val));
+         dump_statistics(s);
+-        stl_le_pci_dma(&s->dev, s->statsaddr + s->stats_size, 0xa005);
++        stl_le_pci_dma(&s->dev, s->statsaddr + s->stats_size, 0xa005, attrs);
+         break;
+     case CU_CMD_BASE:
+         /* Load CU base. */
+@@ -997,7 +1003,7 @@ static void eepro100_cu_command(EEPRO100State * s, uint8_t val)
+         /* Dump and reset statistical counters. */
+         TRACE(OTHER, logout("val=0x%02x (dump stats and reset)\n", val));
+         dump_statistics(s);
+-        stl_le_pci_dma(&s->dev, s->statsaddr + s->stats_size, 0xa007);
++        stl_le_pci_dma(&s->dev, s->statsaddr + s->stats_size, 0xa007, attrs);
+         memset(&s->statistics, 0, sizeof(s->statistics));
+         break;
+     case CU_SRESUME:
+@@ -1612,6 +1618,7 @@ static ssize_t nic_receive(NetClientState *nc, const uint8_t * buf, size_t size)
+      * - Magic packets should set bit 30 in power management driver register.
+      * - Interesting packets should set bit 29 in power management driver register.
+      */
++    const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
+     EEPRO100State *s = qemu_get_nic_opaque(nc);
+     uint16_t rfd_status = 0xa000;
+ #if defined(CONFIG_PAD_RECEIVED_FRAMES)
+@@ -1726,9 +1733,9 @@ static ssize_t nic_receive(NetClientState *nc, const uint8_t * buf, size_t size)
+     TRACE(OTHER, logout("command 0x%04x, link 0x%08x, addr 0x%08x, size %u\n",
+           rfd_command, rx.link, rx.rx_buf_addr, rfd_size));
+     stw_le_pci_dma(&s->dev, s->ru_base + s->ru_offset +
+-                offsetof(eepro100_rx_t, status), rfd_status);
++                offsetof(eepro100_rx_t, status), rfd_status, attrs);
+     stw_le_pci_dma(&s->dev, s->ru_base + s->ru_offset +
+-                offsetof(eepro100_rx_t, count), size);
++                offsetof(eepro100_rx_t, count), size, attrs);
+     /* Early receive interrupt not supported. */
+ #if 0
+     eepro100_er_interrupt(s);
+diff --git a/hw/net/tulip.c b/hw/net/tulip.c
+index ca69f7e..1f2c79d 100644
+--- a/hw/net/tulip.c
++++ b/hw/net/tulip.c
+@@ -86,16 +86,18 @@ static void tulip_desc_read(TULIPState *s, hwaddr p,
+ static void tulip_desc_write(TULIPState *s, hwaddr p,
+         struct tulip_descriptor *desc)
+ {
++    const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
++
+     if (s->csr[0] & CSR0_DBO) {
+-        stl_be_pci_dma(&s->dev, p, desc->status);
+-        stl_be_pci_dma(&s->dev, p + 4, desc->control);
+-        stl_be_pci_dma(&s->dev, p + 8, desc->buf_addr1);
+-        stl_be_pci_dma(&s->dev, p + 12, desc->buf_addr2);
++        stl_be_pci_dma(&s->dev, p, desc->status, attrs);
++        stl_be_pci_dma(&s->dev, p + 4, desc->control, attrs);
++        stl_be_pci_dma(&s->dev, p + 8, desc->buf_addr1, attrs);
++        stl_be_pci_dma(&s->dev, p + 12, desc->buf_addr2, attrs);
+     } else {
+-        stl_le_pci_dma(&s->dev, p, desc->status);
+-        stl_le_pci_dma(&s->dev, p + 4, desc->control);
+-        stl_le_pci_dma(&s->dev, p + 8, desc->buf_addr1);
+-        stl_le_pci_dma(&s->dev, p + 12, desc->buf_addr2);
++        stl_le_pci_dma(&s->dev, p, desc->status, attrs);
++        stl_le_pci_dma(&s->dev, p + 4, desc->control, attrs);
++        stl_le_pci_dma(&s->dev, p + 8, desc->buf_addr1, attrs);
++        stl_le_pci_dma(&s->dev, p + 12, desc->buf_addr2, attrs);
+     }
+ }
+ 
+diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
+index 091a350..b5e8b14 100644
+--- a/hw/scsi/megasas.c
++++ b/hw/scsi/megasas.c
+@@ -168,14 +168,16 @@ static void megasas_frame_set_cmd_status(MegasasState *s,
+                                          unsigned long frame, uint8_t v)
+ {
+     PCIDevice *pci = &s->parent_obj;
+-    stb_pci_dma(pci, frame + offsetof(struct mfi_frame_header, cmd_status), v);
++    stb_pci_dma(pci, frame + offsetof(struct mfi_frame_header, cmd_status),
++                v, MEMTXATTRS_UNSPECIFIED);
+ }
+ 
+ static void megasas_frame_set_scsi_status(MegasasState *s,
+                                           unsigned long frame, uint8_t v)
+ {
+     PCIDevice *pci = &s->parent_obj;
+-    stb_pci_dma(pci, frame + offsetof(struct mfi_frame_header, scsi_status), v);
++    stb_pci_dma(pci, frame + offsetof(struct mfi_frame_header, scsi_status),
++                v, MEMTXATTRS_UNSPECIFIED);
+ }
+ 
+ static inline const char *mfi_frame_desc(unsigned int cmd)
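Review bot: megasas_frame_set_cmd_status() and megasas_frame_set_scsi_status() pass MEMTXATTRS_UNSPECIFIED inline, while megasas_complete_frame() in the same file introduces a `const MemTxAttrs attrs` local for the same value. Use one form per file, so that a later switch to real per-device attributes has a single pattern to find and change.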
+@@ -542,6 +544,7 @@ static MegasasCmd *megasas_enqueue_frame(MegasasState *s,
+ 
+ static void megasas_complete_frame(MegasasState *s, uint64_t context)
+ {
++    const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
+     PCIDevice *pci_dev = PCI_DEVICE(s);
+     int tail, queue_offset;
+ 
+@@ -555,10 +558,12 @@ static void megasas_complete_frame(MegasasState *s, uint64_t context)
+          */
+         if (megasas_use_queue64(s)) {
+             queue_offset = s->reply_queue_head * sizeof(uint64_t);
+-            stq_le_pci_dma(pci_dev, s->reply_queue_pa + queue_offset, context);
++            stq_le_pci_dma(pci_dev, s->reply_queue_pa + queue_offset,
++                           context, attrs);
+         } else {
+             queue_offset = s->reply_queue_head * sizeof(uint32_t);
+-            stl_le_pci_dma(pci_dev, s->reply_queue_pa + queue_offset, context);
++            stl_le_pci_dma(pci_dev, s->reply_queue_pa + queue_offset,
++                           context, attrs);
+         }
+         s->reply_queue_tail = ldl_le_pci_dma(pci_dev, s->consumer_pa);
+         trace_megasas_qf_complete(context, s->reply_queue_head,
+@@ -572,7 +577,7 @@ static void megasas_complete_frame(MegasasState *s, uint64_t context)
+         s->reply_queue_head = megasas_next_index(s, tail, s->fw_cmds);
+         trace_megasas_qf_update(s->reply_queue_head, s->reply_queue_tail,
+                                 s->busy);
+-        stl_le_pci_dma(pci_dev, s->producer_pa, s->reply_queue_head);
++        stl_le_pci_dma(pci_dev, s->producer_pa, s->reply_queue_head, attrs);
+         /* Notify HBA */
+         if (msix_enabled(pci_dev)) {
+             trace_megasas_msix_raise(0);
+diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
+index cd76bd6..59c3e8b 100644
+--- a/hw/scsi/vmw_pvscsi.c
++++ b/hw/scsi/vmw_pvscsi.c
+@@ -55,7 +55,8 @@
+                  (m)->rs_pa + offsetof(struct PVSCSIRingsState, field)))
+ #define RS_SET_FIELD(m, field, val) \
+     (stl_le_pci_dma(&container_of(m, PVSCSIState, rings)->parent_obj, \
+-                 (m)->rs_pa + offsetof(struct PVSCSIRingsState, field), val))
++                 (m)->rs_pa + offsetof(struct PVSCSIRingsState, field), val, \
++                 MEMTXATTRS_UNSPECIFIED))
+ 
+ struct PVSCSIClass {
+     PCIDeviceClass parent_class;
+diff --git a/include/hw/pci/pci.h b/include/hw/pci/pci.h
+index 8c5f2ed..9f51ef2 100644
+--- a/include/hw/pci/pci.h
++++ b/include/hw/pci/pci.h
+@@ -859,11 +859,12 @@ static inline MemTxResult pci_dma_write(PCIDevice *dev, dma_addr_t addr,
+                      MEMTXATTRS_UNSPECIFIED); \
+         return val; \
+     }                                                                   \
+-    static inline void st##_s##_pci_dma(PCIDevice *dev,                 \
+-                                        dma_addr_t addr, uint##_bits##_t val) \
+-    {                                                                   \
+-        st##_s##_dma(pci_get_address_space(dev), addr, val, \
+-                     MEMTXATTRS_UNSPECIFIED); \
++    static inline void st##_s##_pci_dma(PCIDevice *dev, \
++                                        dma_addr_t addr, \
++                                        uint##_bits##_t val, \
++                                        MemTxAttrs attrs) \
++    { \
++        st##_s##_dma(pci_get_address_space(dev), addr, val, attrs); \
+     }
+ 
+ PCI_DMA_DEFINE_LDST(ub, b, 8);
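Review bot: st##_s##_pci_dma() is still declared `static inline void` after this change, so whatever st##_s##_dma() reports is dropped and a failed DMA store stays invisible to every caller updated in this patch. If the return type is meant to change in a separate step, say so in the commit message. The rewritten lines also no longer align their trailing backslashes with the rest of PCI_DMA_DEFINE_LDST, which makes the macro harder to read than it needs to be.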
+-- 
+1.8.3.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/0020_let_ld_pointer_pci_dma_function_take_MemTxAttrs_argument.patch b/meta/recipes-devtools/qemu/qemu/0020_let_ld_pointer_pci_dma_function_take_MemTxAttrs_argument.patch
new file mode 100644
index 0000000000..7f9de244be
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0020_let_ld_pointer_pci_dma_function_take_MemTxAttrs_argument.patch
@@ -0,0 +1,271 @@
+From 398f9a84ac7132e38caf7b066273734b3bf619ff Mon Sep 17 00:00:00 2001
+From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Fri, 17 Dec 2021 23:45:06 +0100
+Subject: [PATCH] pci: Let ld*_pci_dma() take MemTxAttrs argument
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+Let devices specify transaction attributes when calling ld*_pci_dma().
+
+Keep the default MEMTXATTRS_UNSPECIFIED in the few callers.
+
+CVE: CVE-2021-3611
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=398f9a84ac7132e38caf7b066273734b3bf619ff]
+
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-Id: <20211223115554.3155328-22-philmd@redhat.com>
+Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
+---
+ hw/audio/intel-hda.c |  2 +-
+ hw/net/eepro100.c    | 19 +++++++++++++------
+ hw/net/tulip.c       | 18 ++++++++++--------
+ hw/scsi/megasas.c    | 16 ++++++++++------
+ hw/scsi/mptsas.c     | 10 ++++++----
+ hw/scsi/vmw_pvscsi.c |  3 ++-
+ hw/usb/hcd-xhci.c    |  1 +
+ include/hw/pci/pci.h |  6 +++---
+ 8 files changed, 46 insertions(+), 29 deletions(-)
+
+diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c
+index 3309ae0..e34b7ab 100644
+--- a/hw/audio/intel-hda.c
++++ b/hw/audio/intel-hda.c
+@@ -335,7 +335,7 @@ static void intel_hda_corb_run(IntelHDAState *d)
+ 
+         rp = (d->corb_rp + 1) & 0xff;
+         addr = intel_hda_addr(d->corb_lbase, d->corb_ubase);
+-        verb = ldl_le_pci_dma(&d->pci, addr + 4*rp);
++        verb = ldl_le_pci_dma(&d->pci, addr + 4 * rp, MEMTXATTRS_UNSPECIFIED);
+         d->corb_rp = rp;
+ 
+         dprint(d, 2, "%s: [rp 0x%x] verb 0x%08x\n", __func__, rp, verb);
+diff --git a/hw/net/eepro100.c b/hw/net/eepro100.c
+index 83c4431..eb82e9c 100644
+--- a/hw/net/eepro100.c
++++ b/hw/net/eepro100.c
+@@ -737,6 +737,7 @@ static void read_cb(EEPRO100State *s)
+ 
+ static void tx_command(EEPRO100State *s)
+ {
++    const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
+     uint32_t tbd_array = s->tx.tbd_array_addr;
+     uint16_t tcb_bytes = s->tx.tcb_bytes & 0x3fff;
+     /* Sends larger than MAX_ETH_FRAME_SIZE are allowed, up to 2600 bytes. */
+@@ -772,11 +773,14 @@ static void tx_command(EEPRO100State *s)
+             /* Extended Flexible TCB. */
+             for (; tbd_count < 2; tbd_count++) {
+                 uint32_t tx_buffer_address = ldl_le_pci_dma(&s->dev,
+-                                                            tbd_address);
++                                                            tbd_address,
++                                                            attrs);
+                 uint16_t tx_buffer_size = lduw_le_pci_dma(&s->dev,
+-                                                          tbd_address + 4);
++                                                          tbd_address + 4,
++                                                          attrs);
+                 uint16_t tx_buffer_el = lduw_le_pci_dma(&s->dev,
+-                                                        tbd_address + 6);
++                                                        tbd_address + 6,
++                                                        attrs);
+                 tbd_address += 8;
+                 TRACE(RXTX, logout
+                     ("TBD (extended flexible mode): buffer address 0x%08x, size 0x%04x\n",
+@@ -792,9 +796,12 @@ static void tx_command(EEPRO100State *s)
+         }
+         tbd_address = tbd_array;
+         for (; tbd_count < s->tx.tbd_count; tbd_count++) {
+-            uint32_t tx_buffer_address = ldl_le_pci_dma(&s->dev, tbd_address);
+-            uint16_t tx_buffer_size = lduw_le_pci_dma(&s->dev, tbd_address + 4);
+-            uint16_t tx_buffer_el = lduw_le_pci_dma(&s->dev, tbd_address + 6);
++            uint32_t tx_buffer_address = ldl_le_pci_dma(&s->dev, tbd_address,
++                                                        attrs);
++            uint16_t tx_buffer_size = lduw_le_pci_dma(&s->dev, tbd_address + 4,
++                                                      attrs);
++            uint16_t tx_buffer_el = lduw_le_pci_dma(&s->dev, tbd_address + 6,
++                                                    attrs);
+             tbd_address += 8;
+             TRACE(RXTX, logout
+                 ("TBD (flexible mode): buffer address 0x%08x, size 0x%04x\n",
+diff --git a/hw/net/tulip.c b/hw/net/tulip.c
+index 1f2c79d..c76e486 100644
+--- a/hw/net/tulip.c
++++ b/hw/net/tulip.c
+@@ -70,16 +70,18 @@ static const VMStateDescription vmstate_pci_tulip = {
+ static void tulip_desc_read(TULIPState *s, hwaddr p,
+         struct tulip_descriptor *desc)
+ {
++    const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
++
+     if (s->csr[0] & CSR0_DBO) {
+-        desc->status = ldl_be_pci_dma(&s->dev, p);
+-        desc->control = ldl_be_pci_dma(&s->dev, p + 4);
+-        desc->buf_addr1 = ldl_be_pci_dma(&s->dev, p + 8);
+-        desc->buf_addr2 = ldl_be_pci_dma(&s->dev, p + 12);
++        desc->status = ldl_be_pci_dma(&s->dev, p, attrs);
++        desc->control = ldl_be_pci_dma(&s->dev, p + 4, attrs);
++        desc->buf_addr1 = ldl_be_pci_dma(&s->dev, p + 8, attrs);
++        desc->buf_addr2 = ldl_be_pci_dma(&s->dev, p + 12, attrs);
+     } else {
+-        desc->status = ldl_le_pci_dma(&s->dev, p);
+-        desc->control = ldl_le_pci_dma(&s->dev, p + 4);
+-        desc->buf_addr1 = ldl_le_pci_dma(&s->dev, p + 8);
+-        desc->buf_addr2 = ldl_le_pci_dma(&s->dev, p + 12);
++        desc->status = ldl_le_pci_dma(&s->dev, p, attrs);
++        desc->control = ldl_le_pci_dma(&s->dev, p + 4, attrs);
++        desc->buf_addr1 = ldl_le_pci_dma(&s->dev, p + 8, attrs);
++        desc->buf_addr2 = ldl_le_pci_dma(&s->dev, p + 12, attrs);
+     }
+ }
+ 
+diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
+index b5e8b14..98b1370 100644
+--- a/hw/scsi/megasas.c
++++ b/hw/scsi/megasas.c
+@@ -202,7 +202,9 @@ static uint64_t megasas_frame_get_context(MegasasState *s,
+                                           unsigned long frame)
+ {
+     PCIDevice *pci = &s->parent_obj;
+-    return ldq_le_pci_dma(pci, frame + offsetof(struct mfi_frame_header, context));
++    return ldq_le_pci_dma(pci,
++                          frame + offsetof(struct mfi_frame_header, context),
++                          MEMTXATTRS_UNSPECIFIED);
+ }
+ 
+ static bool megasas_frame_is_ieee_sgl(MegasasCmd *cmd)
+@@ -534,7 +536,8 @@ static MegasasCmd *megasas_enqueue_frame(MegasasState *s,
+     s->busy++;
+ 
+     if (s->consumer_pa) {
+-        s->reply_queue_tail = ldl_le_pci_dma(pcid, s->consumer_pa);
++        s->reply_queue_tail = ldl_le_pci_dma(pcid, s->consumer_pa,
++                                             MEMTXATTRS_UNSPECIFIED);
+     }
+     trace_megasas_qf_enqueue(cmd->index, cmd->count, cmd->context,
+                              s->reply_queue_head, s->reply_queue_tail, s->busy);
+@@ -565,14 +568,14 @@ static void megasas_complete_frame(MegasasState *s, uint64_t context)
+             stl_le_pci_dma(pci_dev, s->reply_queue_pa + queue_offset,
+                            context, attrs);
+         }
+-        s->reply_queue_tail = ldl_le_pci_dma(pci_dev, s->consumer_pa);
++        s->reply_queue_tail = ldl_le_pci_dma(pci_dev, s->consumer_pa, attrs);
+         trace_megasas_qf_complete(context, s->reply_queue_head,
+                                   s->reply_queue_tail, s->busy);
+     }
+ 
+     if (megasas_intr_enabled(s)) {
+         /* Update reply queue pointer */
+-        s->reply_queue_tail = ldl_le_pci_dma(pci_dev, s->consumer_pa);
++        s->reply_queue_tail = ldl_le_pci_dma(pci_dev, s->consumer_pa, attrs);
+         tail = s->reply_queue_head;
+         s->reply_queue_head = megasas_next_index(s, tail, s->fw_cmds);
+         trace_megasas_qf_update(s->reply_queue_head, s->reply_queue_tail,
+@@ -637,6 +640,7 @@ static void megasas_abort_command(MegasasCmd *cmd)
+ 
+ static int megasas_init_firmware(MegasasState *s, MegasasCmd *cmd)
+ {
++    const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
+     PCIDevice *pcid = PCI_DEVICE(s);
+     uint32_t pa_hi, pa_lo;
+     hwaddr iq_pa, initq_size = sizeof(struct mfi_init_qinfo);
+@@ -675,9 +679,9 @@ static int megasas_init_firmware(MegasasState *s, MegasasCmd *cmd)
+     pa_lo = le32_to_cpu(initq->pi_addr_lo);
+     pa_hi = le32_to_cpu(initq->pi_addr_hi);
+     s->producer_pa = ((uint64_t) pa_hi << 32) | pa_lo;
+-    s->reply_queue_head = ldl_le_pci_dma(pcid, s->producer_pa);
++    s->reply_queue_head = ldl_le_pci_dma(pcid, s->producer_pa, attrs);
+     s->reply_queue_head %= MEGASAS_MAX_FRAMES;
+-    s->reply_queue_tail = ldl_le_pci_dma(pcid, s->consumer_pa);
++    s->reply_queue_tail = ldl_le_pci_dma(pcid, s->consumer_pa, attrs);
+     s->reply_queue_tail %= MEGASAS_MAX_FRAMES;
+     flags = le32_to_cpu(initq->flags);
+     if (flags & MFI_QUEUE_FLAG_CONTEXT64) {
+diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c
+index f6c7765..ac9f4df 100644
+--- a/hw/scsi/mptsas.c
++++ b/hw/scsi/mptsas.c
+@@ -172,14 +172,15 @@ static const int mpi_request_sizes[] = {
+ static dma_addr_t mptsas_ld_sg_base(MPTSASState *s, uint32_t flags_and_length,
+                                     dma_addr_t *sgaddr)
+ {
++    const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
+     PCIDevice *pci = (PCIDevice *) s;
+     dma_addr_t addr;
+ 
+     if (flags_and_length & MPI_SGE_FLAGS_64_BIT_ADDRESSING) {
+-        addr = ldq_le_pci_dma(pci, *sgaddr + 4);
++        addr = ldq_le_pci_dma(pci, *sgaddr + 4, attrs);
+         *sgaddr += 12;
+     } else {
+-        addr = ldl_le_pci_dma(pci, *sgaddr + 4);
++        addr = ldl_le_pci_dma(pci, *sgaddr + 4, attrs);
+         *sgaddr += 8;
+     }
+     return addr;
+@@ -203,7 +204,7 @@ static int mptsas_build_sgl(MPTSASState *s, MPTSASRequest *req, hwaddr addr)
+         dma_addr_t addr, len;
+         uint32_t flags_and_length;
+ 
+-        flags_and_length = ldl_le_pci_dma(pci, sgaddr);
++        flags_and_length = ldl_le_pci_dma(pci, sgaddr, MEMTXATTRS_UNSPECIFIED);
+         len = flags_and_length & MPI_SGE_LENGTH_MASK;
+         if ((flags_and_length & MPI_SGE_FLAGS_ELEMENT_TYPE_MASK)
+             != MPI_SGE_FLAGS_SIMPLE_ELEMENT ||
+@@ -234,7 +235,8 @@ static int mptsas_build_sgl(MPTSASState *s, MPTSASRequest *req, hwaddr addr)
+                 break;
+             }
+ 
+-            flags_and_length = ldl_le_pci_dma(pci, next_chain_addr);
++            flags_and_length = ldl_le_pci_dma(pci, next_chain_addr,
++                                              MEMTXATTRS_UNSPECIFIED);
+             if ((flags_and_length & MPI_SGE_FLAGS_ELEMENT_TYPE_MASK)
+                 != MPI_SGE_FLAGS_CHAIN_ELEMENT) {
+                 return MPI_IOCSTATUS_INVALID_SGL;
+diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
+index 59c3e8b..33e16f9 100644
+--- a/hw/scsi/vmw_pvscsi.c
++++ b/hw/scsi/vmw_pvscsi.c
+@@ -52,7 +52,8 @@
+ 
+ #define RS_GET_FIELD(m, field) \
+     (ldl_le_pci_dma(&container_of(m, PVSCSIState, rings)->parent_obj, \
+-                 (m)->rs_pa + offsetof(struct PVSCSIRingsState, field)))
++                 (m)->rs_pa + offsetof(struct PVSCSIRingsState, field), \
++                 MEMTXATTRS_UNSPECIFIED))
+ #define RS_SET_FIELD(m, field, val) \
+     (stl_le_pci_dma(&container_of(m, PVSCSIState, rings)->parent_obj, \
+                  (m)->rs_pa + offsetof(struct PVSCSIRingsState, field), val, \
+diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
+index da5a407..14bdb89 100644
+--- a/hw/usb/hcd-xhci.c
++++ b/hw/usb/hcd-xhci.c
+@@ -3440,6 +3440,7 @@ static int usb_xhci_post_load(void *opaque, int version_id)
+         }
+         ldq_le_dma(xhci->as, dcbaap + 8 * slotid, &addr, MEMTXATTRS_UNSPECIFIED);
+         slot->ctx = xhci_mask64(addr);
++
+         xhci_dma_read_u32s(xhci, slot->ctx, slot_ctx, sizeof(slot_ctx));
+         slot->uport = xhci_lookup_uport(xhci, slot_ctx);
+         if (!slot->uport) {
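Review bot: the only change to usb_xhci_post_load() is an empty line added after `slot->ctx = xhci_mask64(addr);`, and the commit message (which is about ld*_pci_dma()) does not cover hcd-xhci.c at all. A whitespace-only hunk in a CVE backport adds review noise and a needless conflict surface. If it has to stay so that the patch matches the upstream commit byte for byte, mention that in the backport notes.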
+diff --git a/include/hw/pci/pci.h b/include/hw/pci/pci.h
+index 9f51ef2..7a46c1f 100644
+--- a/include/hw/pci/pci.h
++++ b/include/hw/pci/pci.h
+@@ -852,11 +852,11 @@ static inline MemTxResult pci_dma_write(PCIDevice *dev, dma_addr_t addr,
+ 
+ #define PCI_DMA_DEFINE_LDST(_l, _s, _bits)                              \
+     static inline uint##_bits##_t ld##_l##_pci_dma(PCIDevice *dev,      \
+-                                                   dma_addr_t addr)     \
++                                                   dma_addr_t addr, \
++                                                   MemTxAttrs attrs) \
+     {                                                                   \
+         uint##_bits##_t val; \
+-        ld##_l##_dma(pci_get_address_space(dev), addr, &val, \
+-                     MEMTXATTRS_UNSPECIFIED); \
++        ld##_l##_dma(pci_get_address_space(dev), addr, &val, attrs); \
+         return val; \
+     }                                                                   \
+     static inline void st##_s##_pci_dma(PCIDevice *dev, \
+-- 
+1.8.3.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/0021_let_st_pointer_pci_dma_function_propagate_MemTxResult.patch b/meta/recipes-devtools/qemu/qemu/0021_let_st_pointer_pci_dma_function_propagate_MemTxResult.patch
new file mode 100644
index 0000000000..e52a45b90f
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0021_let_st_pointer_pci_dma_function_propagate_MemTxResult.patch
@@ -0,0 +1,47 @@
+From 6bebb270731758fae3114b7d24c2b12b7c325cc5 Mon Sep 17 00:00:00 2001
+From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Fri, 17 Dec 2021 23:47:30 +0100
+Subject: [PATCH] pci: Let st*_pci_dma() propagate MemTxResult
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+st*_dma() returns a MemTxResult type. Do not discard
+it, return it to the caller.
+
+CVE: CVE-2021-3611
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=6bebb270731758fae3114b7d24c2b12b7c325cc5]
+
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-Id: <20211223115554.3155328-23-philmd@redhat.com>
+Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
+---
+ include/hw/pci/pci.h | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/include/hw/pci/pci.h b/include/hw/pci/pci.h
+index 7a46c1f..c90cecc 100644
+--- a/include/hw/pci/pci.h
++++ b/include/hw/pci/pci.h
+@@ -859,12 +859,12 @@ static inline MemTxResult pci_dma_write(PCIDevice *dev, dma_addr_t addr,
+         ld##_l##_dma(pci_get_address_space(dev), addr, &val, attrs); \
+         return val; \
+     }                                                                   \
+-    static inline void st##_s##_pci_dma(PCIDevice *dev, \
+-                                        dma_addr_t addr, \
+-                                        uint##_bits##_t val, \
+-                                        MemTxAttrs attrs) \
++    static inline MemTxResult st##_s##_pci_dma(PCIDevice *dev, \
++                                               dma_addr_t addr, \
++                                               uint##_bits##_t val, \
++                                               MemTxAttrs attrs) \
+     { \
+-        st##_s##_dma(pci_get_address_space(dev), addr, val, attrs); \
++        return st##_s##_dma(pci_get_address_space(dev), addr, val, attrs); \
+     }
+ 
+ PCI_DMA_DEFINE_LDST(ub, b, 8);
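Review bot: st##_s##_pci_dma() now returns MemTxResult, but the diffstat lists include/hw/pci/pci.h as the only file touched, so every existing caller keeps ignoring the result and the behaviour on a failed store is unchanged. The commit message should state which later patch starts checking the value, or the first caller that does so should be part of this change.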
+-- 
+1.8.3.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/0022_let_ld_pointer_pci_dma_function_propagate_MemTxResult.patch b/meta/recipes-devtools/qemu/qemu/0022_let_ld_pointer_pci_dma_function_propagate_MemTxResult.patch
new file mode 100644
index 0000000000..6bd6350f44
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0022_let_ld_pointer_pci_dma_function_propagate_MemTxResult.patch
@@ -0,0 +1,296 @@
+From 4a63054bce23982b99f4d3c65528e47e614086b2 Mon Sep 17 00:00:00 2001
+From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Fri, 17 Dec 2021 23:49:30 +0100
+Subject: [PATCH] pci: Let ld*_pci_dma() propagate MemTxResult
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+ld*_dma() returns a MemTxResult type. Do not discard
+it, return it to the caller.
+
+Update the few callers.
+
+CVE: CVE-2021-3611
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=4a63054bce23982b99f4d3c65528e47e614086b2]
+
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-Id: <20211223115554.3155328-24-philmd@redhat.com>
+Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
+---
+ hw/audio/intel-hda.c |  2 +-
+ hw/net/eepro100.c    | 25 ++++++++++---------------
+ hw/net/tulip.c       | 16 ++++++++--------
+ hw/scsi/megasas.c    | 21 ++++++++++++---------
+ hw/scsi/mptsas.c     | 16 +++++++++++-----
+ hw/scsi/vmw_pvscsi.c | 16 ++++++++++------
+ include/hw/pci/pci.h | 17 ++++++++---------
+ 7 files changed, 60 insertions(+), 53 deletions(-)
+
+diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c
+index e34b7ab..2b55d52 100644
+--- a/hw/audio/intel-hda.c
++++ b/hw/audio/intel-hda.c
+@@ -335,7 +335,7 @@ static void intel_hda_corb_run(IntelHDAState *d)
+ 
+         rp = (d->corb_rp + 1) & 0xff;
+         addr = intel_hda_addr(d->corb_lbase, d->corb_ubase);
+-        verb = ldl_le_pci_dma(&d->pci, addr + 4 * rp, MEMTXATTRS_UNSPECIFIED);
++        ldl_le_pci_dma(&d->pci, addr + 4 * rp, &verb, MEMTXATTRS_UNSPECIFIED);
+         d->corb_rp = rp;
+ 
+         dprint(d, 2, "%s: [rp 0x%x] verb 0x%08x\n", __func__, rp, verb);
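Review bot: in intel_hda_corb_run() the MemTxResult returned by ldl_le_pci_dma() is discarded, and `verb` is handed to dprint() on the next lines whether or not the load succeeded. Compare the result with MEMTX_OK and stop processing this CORB entry on failure, or at least give `verb` a defined value before the call. Note that `d->corb_rp = rp;` also advances the read pointer unconditionally.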
+diff --git a/hw/net/eepro100.c b/hw/net/eepro100.c
+index eb82e9c..679f52f 100644
+--- a/hw/net/eepro100.c
++++ b/hw/net/eepro100.c
+@@ -769,18 +769,16 @@ static void tx_command(EEPRO100State *s)
+     } else {
+         /* Flexible mode. */
+         uint8_t tbd_count = 0;
++        uint32_t tx_buffer_address;
++        uint16_t tx_buffer_size;
++        uint16_t tx_buffer_el;
++
+         if (s->has_extended_tcb_support && !(s->configuration[6] & BIT(4))) {
+             /* Extended Flexible TCB. */
+             for (; tbd_count < 2; tbd_count++) {
+-                uint32_t tx_buffer_address = ldl_le_pci_dma(&s->dev,
+-                                                            tbd_address,
+-                                                            attrs);
+-                uint16_t tx_buffer_size = lduw_le_pci_dma(&s->dev,
+-                                                          tbd_address + 4,
+-                                                          attrs);
+-                uint16_t tx_buffer_el = lduw_le_pci_dma(&s->dev,
+-                                                        tbd_address + 6,
+-                                                        attrs);
++                ldl_le_pci_dma(&s->dev, tbd_address, &tx_buffer_address, attrs);
++                lduw_le_pci_dma(&s->dev, tbd_address + 4, &tx_buffer_size, attrs);
++                lduw_le_pci_dma(&s->dev, tbd_address + 6, &tx_buffer_el, attrs);
+                 tbd_address += 8;
+                 TRACE(RXTX, logout
+                     ("TBD (extended flexible mode): buffer address 0x%08x, size 0x%04x\n",
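Review bot: tx_buffer_address, tx_buffer_size and tx_buffer_el are now declared once, without initialisers, outside both loops in tx_command(), and the results of the three ld*_pci_dma() calls are ignored. Whether the out-parameters are written on a failed load is not visible from this diff, so after a failure the TRACE and the code that follows may work on values from the previous descriptor or on indeterminate ones. Check each call against MEMTX_OK and leave the loop on error, or reset the three variables at the top of every iteration. The same applies to the second loop in the next hunk.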
+@@ -796,12 +794,9 @@ static void tx_command(EEPRO100State *s)
+         }
+         tbd_address = tbd_array;
+         for (; tbd_count < s->tx.tbd_count; tbd_count++) {
+-            uint32_t tx_buffer_address = ldl_le_pci_dma(&s->dev, tbd_address,
+-                                                        attrs);
+-            uint16_t tx_buffer_size = lduw_le_pci_dma(&s->dev, tbd_address + 4,
+-                                                      attrs);
+-            uint16_t tx_buffer_el = lduw_le_pci_dma(&s->dev, tbd_address + 6,
+-                                                    attrs);
++            ldl_le_pci_dma(&s->dev, tbd_address, &tx_buffer_address, attrs);
++            lduw_le_pci_dma(&s->dev, tbd_address + 4, &tx_buffer_size, attrs);
++            lduw_le_pci_dma(&s->dev, tbd_address + 6, &tx_buffer_el, attrs);
+             tbd_address += 8;
+             TRACE(RXTX, logout
+                 ("TBD (flexible mode): buffer address 0x%08x, size 0x%04x\n",
+diff --git a/hw/net/tulip.c b/hw/net/tulip.c
+index c76e486..d5b6cc5 100644
+--- a/hw/net/tulip.c
++++ b/hw/net/tulip.c
+@@ -73,15 +73,15 @@ static void tulip_desc_read(TULIPState *s, hwaddr p,
+     const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
+ 
+     if (s->csr[0] & CSR0_DBO) {
+-        desc->status = ldl_be_pci_dma(&s->dev, p, attrs);
+-        desc->control = ldl_be_pci_dma(&s->dev, p + 4, attrs);
+-        desc->buf_addr1 = ldl_be_pci_dma(&s->dev, p + 8, attrs);
+-        desc->buf_addr2 = ldl_be_pci_dma(&s->dev, p + 12, attrs);
++        ldl_be_pci_dma(&s->dev, p, &desc->status, attrs);
++        ldl_be_pci_dma(&s->dev, p + 4, &desc->control, attrs);
++        ldl_be_pci_dma(&s->dev, p + 8, &desc->buf_addr1, attrs);
++        ldl_be_pci_dma(&s->dev, p + 12, &desc->buf_addr2, attrs);
+     } else {
+-        desc->status = ldl_le_pci_dma(&s->dev, p, attrs);
+-        desc->control = ldl_le_pci_dma(&s->dev, p + 4, attrs);
+-        desc->buf_addr1 = ldl_le_pci_dma(&s->dev, p + 8, attrs);
+-        desc->buf_addr2 = ldl_le_pci_dma(&s->dev, p + 12, attrs);
++        ldl_le_pci_dma(&s->dev, p, &desc->status, attrs);
++        ldl_le_pci_dma(&s->dev, p + 4, &desc->control, attrs);
++        ldl_le_pci_dma(&s->dev, p + 8, &desc->buf_addr1, attrs);
++        ldl_le_pci_dma(&s->dev, p + 12, &desc->buf_addr2, attrs);
+     }
+ }
+ 
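Review bot: tulip_desc_read() still returns void and ignores all four ldl_*_pci_dma() results in each branch, so a failure part-way through leaves `desc` partly updated with no signal to the caller. Since the point of this patch is to stop discarding MemTxResult, consider returning the first non-OK result from tulip_desc_read() and letting its callers decide, rather than only changing the call shape.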
+diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
+index 98b1370..dc9bbdb 100644
+--- a/hw/scsi/megasas.c
++++ b/hw/scsi/megasas.c
+@@ -202,9 +202,12 @@ static uint64_t megasas_frame_get_context(MegasasState *s,
+                                           unsigned long frame)
+ {
+     PCIDevice *pci = &s->parent_obj;
+-    return ldq_le_pci_dma(pci,
+-                          frame + offsetof(struct mfi_frame_header, context),
+-                          MEMTXATTRS_UNSPECIFIED);
++    uint64_t val;
++
++    ldq_le_pci_dma(pci, frame + offsetof(struct mfi_frame_header, context),
++                   &val, MEMTXATTRS_UNSPECIFIED);
++
++    return val;
+ }
+ 
+ static bool megasas_frame_is_ieee_sgl(MegasasCmd *cmd)
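Review bot: megasas_frame_get_context() declares uint64_t val without an initializer and returns it without looking at the result of ldq_le_pci_dma(), so if the load fails nothing in this hunk gives the returned frame context a defined value. Initialize it (uint64_t val = 0;) or check the MemTxResult and return a defined value on error.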
+@@ -536,8 +539,8 @@ static MegasasCmd *megasas_enqueue_frame(MegasasState *s,
+     s->busy++;
+ 
+     if (s->consumer_pa) {
+-        s->reply_queue_tail = ldl_le_pci_dma(pcid, s->consumer_pa,
+-                                             MEMTXATTRS_UNSPECIFIED);
++        ldl_le_pci_dma(pcid, s->consumer_pa, &s->reply_queue_tail,
++                       MEMTXATTRS_UNSPECIFIED);
+     }
+     trace_megasas_qf_enqueue(cmd->index, cmd->count, cmd->context,
+                              s->reply_queue_head, s->reply_queue_tail, s->busy);
+@@ -568,14 +571,14 @@ static void megasas_complete_frame(MegasasState *s, uint64_t context)
+             stl_le_pci_dma(pci_dev, s->reply_queue_pa + queue_offset,
+                            context, attrs);
+         }
+-        s->reply_queue_tail = ldl_le_pci_dma(pci_dev, s->consumer_pa, attrs);
++        ldl_le_pci_dma(pci_dev, s->consumer_pa, &s->reply_queue_tail, attrs);
+         trace_megasas_qf_complete(context, s->reply_queue_head,
+                                   s->reply_queue_tail, s->busy);
+     }
+ 
+     if (megasas_intr_enabled(s)) {
+         /* Update reply queue pointer */
+-        s->reply_queue_tail = ldl_le_pci_dma(pci_dev, s->consumer_pa, attrs);
++        ldl_le_pci_dma(pci_dev, s->consumer_pa, &s->reply_queue_tail, attrs);
+         tail = s->reply_queue_head;
+         s->reply_queue_head = megasas_next_index(s, tail, s->fw_cmds);
+         trace_megasas_qf_update(s->reply_queue_head, s->reply_queue_tail,
+@@ -679,9 +682,9 @@ static int megasas_init_firmware(MegasasState *s, MegasasCmd *cmd)
+     pa_lo = le32_to_cpu(initq->pi_addr_lo);
+     pa_hi = le32_to_cpu(initq->pi_addr_hi);
+     s->producer_pa = ((uint64_t) pa_hi << 32) | pa_lo;
+-    s->reply_queue_head = ldl_le_pci_dma(pcid, s->producer_pa, attrs);
++    ldl_le_pci_dma(pcid, s->producer_pa, &s->reply_queue_head, attrs);
+     s->reply_queue_head %= MEGASAS_MAX_FRAMES;
+-    s->reply_queue_tail = ldl_le_pci_dma(pcid, s->consumer_pa, attrs);
++    ldl_le_pci_dma(pcid, s->consumer_pa, &s->reply_queue_tail, attrs);
+     s->reply_queue_tail %= MEGASAS_MAX_FRAMES;
+     flags = le32_to_cpu(initq->flags);
+     if (flags & MFI_QUEUE_FLAG_CONTEXT64) {
+diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c
+index ac9f4df..5181b0c 100644
+--- a/hw/scsi/mptsas.c
++++ b/hw/scsi/mptsas.c
+@@ -177,10 +177,16 @@ static dma_addr_t mptsas_ld_sg_base(MPTSASState *s, uint32_t flags_and_length,
+     dma_addr_t addr;
+ 
+     if (flags_and_length & MPI_SGE_FLAGS_64_BIT_ADDRESSING) {
+-        addr = ldq_le_pci_dma(pci, *sgaddr + 4, attrs);
++        uint64_t addr64;
++
++        ldq_le_pci_dma(pci, *sgaddr + 4, &addr64, attrs);
++        addr = addr64;
+         *sgaddr += 12;
+     } else {
+-        addr = ldl_le_pci_dma(pci, *sgaddr + 4, attrs);
++        uint32_t addr32;
++
++        ldl_le_pci_dma(pci, *sgaddr + 4, &addr32, attrs);
++        addr = addr32;
+         *sgaddr += 8;
+     }
+     return addr;
+@@ -204,7 +210,7 @@ static int mptsas_build_sgl(MPTSASState *s, MPTSASRequest *req, hwaddr addr)
+         dma_addr_t addr, len;
+         uint32_t flags_and_length;
+ 
+-        flags_and_length = ldl_le_pci_dma(pci, sgaddr, MEMTXATTRS_UNSPECIFIED);
++        ldl_le_pci_dma(pci, sgaddr, &flags_and_length, MEMTXATTRS_UNSPECIFIED);
+         len = flags_and_length & MPI_SGE_LENGTH_MASK;
+         if ((flags_and_length & MPI_SGE_FLAGS_ELEMENT_TYPE_MASK)
+             != MPI_SGE_FLAGS_SIMPLE_ELEMENT ||
+@@ -235,8 +241,8 @@ static int mptsas_build_sgl(MPTSASState *s, MPTSASRequest *req, hwaddr addr)
+                 break;
+             }
+ 
+-            flags_and_length = ldl_le_pci_dma(pci, next_chain_addr,
+-                                              MEMTXATTRS_UNSPECIFIED);
++            ldl_le_pci_dma(pci, next_chain_addr, &flags_and_length,
++                           MEMTXATTRS_UNSPECIFIED);
+             if ((flags_and_length & MPI_SGE_FLAGS_ELEMENT_TYPE_MASK)
+                 != MPI_SGE_FLAGS_CHAIN_ELEMENT) {
+                 return MPI_IOCSTATUS_INVALID_SGL;
+diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
+index 33e16f9..4d9969f 100644
+--- a/hw/scsi/vmw_pvscsi.c
++++ b/hw/scsi/vmw_pvscsi.c
+@@ -50,10 +50,10 @@
+ #define PVSCSI_MAX_CMD_DATA_WORDS \
+     (sizeof(PVSCSICmdDescSetupRings)/sizeof(uint32_t))
+ 
+-#define RS_GET_FIELD(m, field) \
+-    (ldl_le_pci_dma(&container_of(m, PVSCSIState, rings)->parent_obj, \
++#define RS_GET_FIELD(pval, m, field) \
++    ldl_le_pci_dma(&container_of(m, PVSCSIState, rings)->parent_obj, \
+                  (m)->rs_pa + offsetof(struct PVSCSIRingsState, field), \
+-                 MEMTXATTRS_UNSPECIFIED))
++                 pval, MEMTXATTRS_UNSPECIFIED)
+ #define RS_SET_FIELD(m, field, val) \
+     (stl_le_pci_dma(&container_of(m, PVSCSIState, rings)->parent_obj, \
+                  (m)->rs_pa + offsetof(struct PVSCSIRingsState, field), val, \
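Review bot: RS_GET_FIELD now takes the output pointer first (pval, m, field) while RS_SET_FIELD directly below keeps (m, field, val), and the new expansion drops the outer parentheses that RS_SET_FIELD still has. Putting pval last and keeping the parentheses would keep the two macros consistent. A short comment that the macro now evaluates to a MemTxResult rather than the field value would also help the callers converted later in this file.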
+@@ -249,10 +249,11 @@ pvscsi_ring_cleanup(PVSCSIRingInfo *mgr)
+ static hwaddr
+ pvscsi_ring_pop_req_descr(PVSCSIRingInfo *mgr)
+ {
+-    uint32_t ready_ptr = RS_GET_FIELD(mgr, reqProdIdx);
++    uint32_t ready_ptr;
+     uint32_t ring_size = PVSCSI_MAX_NUM_PAGES_REQ_RING
+                             * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE;
+ 
++    RS_GET_FIELD(&ready_ptr, mgr, reqProdIdx);
+     if (ready_ptr != mgr->consumed_ptr
+         && ready_ptr - mgr->consumed_ptr < ring_size) {
+         uint32_t next_ready_ptr =
+@@ -323,8 +324,11 @@ pvscsi_ring_flush_cmp(PVSCSIRingInfo *mgr)
+ static bool
+ pvscsi_ring_msg_has_room(PVSCSIRingInfo *mgr)
+ {
+-    uint32_t prodIdx = RS_GET_FIELD(mgr, msgProdIdx);
+-    uint32_t consIdx = RS_GET_FIELD(mgr, msgConsIdx);
++    uint32_t prodIdx;
++    uint32_t consIdx;
++
++    RS_GET_FIELD(&prodIdx, mgr, msgProdIdx);
++    RS_GET_FIELD(&consIdx, mgr, msgConsIdx);
+ 
+     return (prodIdx - consIdx) < (mgr->msg_len_mask + 1);
+ }
+diff --git a/include/hw/pci/pci.h b/include/hw/pci/pci.h
+index c90cecc..5b36334 100644
+--- a/include/hw/pci/pci.h
++++ b/include/hw/pci/pci.h
+@@ -850,15 +850,14 @@ static inline MemTxResult pci_dma_write(PCIDevice *dev, dma_addr_t addr,
+                       DMA_DIRECTION_FROM_DEVICE, MEMTXATTRS_UNSPECIFIED);
+ }
+ 
+-#define PCI_DMA_DEFINE_LDST(_l, _s, _bits)                              \
+-    static inline uint##_bits##_t ld##_l##_pci_dma(PCIDevice *dev,      \
+-                                                   dma_addr_t addr, \
+-                                                   MemTxAttrs attrs) \
+-    {                                                                   \
+-        uint##_bits##_t val; \
+-        ld##_l##_dma(pci_get_address_space(dev), addr, &val, attrs); \
+-        return val; \
+-    }                                                                   \
++#define PCI_DMA_DEFINE_LDST(_l, _s, _bits) \
++    static inline MemTxResult ld##_l##_pci_dma(PCIDevice *dev, \
++                                               dma_addr_t addr, \
++                                               uint##_bits##_t *val, \
++                                               MemTxAttrs attrs) \
++    { \
++        return ld##_l##_dma(pci_get_address_space(dev), addr, val, attrs); \
++    } \
+     static inline MemTxResult st##_s##_pci_dma(PCIDevice *dev, \
+                                                dma_addr_t addr, \
+                                                uint##_bits##_t val, \
+-- 
+1.8.3.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3611_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3611_1.patch
new file mode 100644
index 0000000000..dc7990d1b7
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3611_1.patch
@@ -0,0 +1,74 @@
+From be5a8cf347d0c47ee3e933dde075526fd8bd5c40 Mon Sep 17 00:00:00 2001
+From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Sat, 18 Dec 2021 17:09:10 +0100
+Subject: [PATCH] hw/audio/intel-hda: Do not ignore DMA overrun errors
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+Per the "High Definition Audio Specification" manual (rev. 1.0a),
+section "3.3.30 Offset 5Dh: RIRBSTS - RIRB Status":
+
+  Response Overrun Interrupt Status (RIRBOIS):
+
+  Hardware sets this bit to a 1 when an overrun occurs in the RIRB.
+  An interrupt may be generated if the Response Overrun Interrupt
+  Control bit is set.
+
+  This bit will be set if the RIRB DMA engine is not able to write
+  the incoming responses to memory before additional incoming
+  responses overrun the internal FIFO.
+
+  When hardware detects an overrun, it will drop the responses which
+  overrun the buffer and set the RIRBOIS status bit to indicate the
+  error condition. Optionally, if the RIRBOIC is set, the hardware
+  will also generate an error to alert software to the problem.
+
+QEMU emulates the DMA engine with the stl_le_pci_dma() calls. This
+function returns a MemTxResult indicating whether the DMA access
+was successful.
+Handle any MemTxResult error as "DMA engine is not able to write the
+incoming responses to memory" and raise the Overrun Interrupt flag
+when this case occurs.
+
+CVE: CVE-2021-3611
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=patch;h=be5a8cf347d0c47ee3e933dde075526fd8bd5c40] 
+
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-Id: <20211218160912.1591633-2-philmd@redhat.com>
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
+---
+ hw/audio/intel-hda.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c
+index 5f8a878..47a36ac 100644
+--- a/hw/audio/intel-hda.c
++++ b/hw/audio/intel-hda.c
+@@ -350,6 +350,7 @@ static void intel_hda_response(HDACodecDevice *dev, bool solicited, uint32_t res
+     IntelHDAState *d = container_of(bus, IntelHDAState, codecs);
+     hwaddr addr;
+     uint32_t wp, ex;
++    MemTxResult res = MEMTX_OK;
+ 
+     if (d->ics & ICH6_IRS_BUSY) {
+         dprint(d, 2, "%s: [irr] response 0x%x, cad 0x%x\n",
+@@ -368,8 +369,12 @@ static void intel_hda_response(HDACodecDevice *dev, bool solicited, uint32_t res
+     ex = (solicited ? 0 : (1 << 4)) | dev->cad;
+     wp = (d->rirb_wp + 1) & 0xff;
+     addr = intel_hda_addr(d->rirb_lbase, d->rirb_ubase);
+-    stl_le_pci_dma(&d->pci, addr + 8 * wp, response, attrs);
+-    stl_le_pci_dma(&d->pci, addr + 8 * wp + 4, ex, attrs);
++    res |= stl_le_pci_dma(&d->pci, addr + 8 * wp, response, attrs);
++    res |= stl_le_pci_dma(&d->pci, addr + 8 * wp + 4, ex, attrs);
++    if (res != MEMTX_OK && (d->rirb_ctl & ICH6_RBCTL_OVERRUN_EN)) {
++        d->rirb_sts |= ICH6_RBSTS_OVERRUN;
++        intel_hda_update_irq(d);
++    }
+     d->rirb_wp = wp;
+ 
+     dprint(d, 2, "%s: [wp 0x%x] response 0x%x, extra 0x%x\n",
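Review bot: The new check sets ICH6_RBSTS_OVERRUN only when ICH6_RBCTL_OVERRUN_EN is set, but the specification text quoted in the commit message says hardware sets the status bit whenever an overrun occurs and that only the interrupt depends on the control bit. Consider setting d->rirb_sts |= ICH6_RBSTS_OVERRUN for any res != MEMTX_OK and leaving only the interrupt conditional on the enable bit. Also note that d->rirb_wp = wp still advances after a failed write, whereas the quoted text says the overrunning responses are dropped.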
+-- 
+1.8.3.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3611_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3611_2.patch
new file mode 100644
index 0000000000..b79fadf3f6
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3611_2.patch
@@ -0,0 +1,43 @@
+From 79fa99831debc9782087e834382c577215f2f511 Mon Sep 17 00:00:00 2001
+From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Sat, 18 Dec 2021 17:09:11 +0100
+Subject: [PATCH] hw/audio/intel-hda: Restrict DMA engine to memories (not MMIO
+ devices)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+Issue #542 reports a reentrancy problem when the DMA engine accesses
+the HDA controller I/O registers. Fix by restricting the DMA engine
+to memories regions (forbidding MMIO devices such the HDA controller).
+
+Reported-by: OSS-Fuzz (Issue 28435)
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Thomas Huth <thuth@redhat.com>
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/542
+CVE: CVE-2021-3611
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=patch;h=79fa99831debc9782087e834382c577215f2f511]
+
+Message-Id: <20211218160912.1591633-3-philmd@redhat.com>
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
+---
+ hw/audio/intel-hda.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c
+index 47a36ac..78a47bc 100644
+--- a/hw/audio/intel-hda.c
++++ b/hw/audio/intel-hda.c
+@@ -345,7 +345,7 @@ static void intel_hda_corb_run(IntelHDAState *d)
+ 
+ static void intel_hda_response(HDACodecDevice *dev, bool solicited, uint32_t response)
+ {
+-    const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
++    const MemTxAttrs attrs = { .memory = true };
+     HDACodecBus *bus = HDA_BUS(dev->qdev.parent_bus);
+     IntelHDAState *d = container_of(bus, IntelHDAState, codecs);
+     hwaddr addr;
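Review bot: The change of attrs to { .memory = true } in intel_hda_response() carries no comment, and the reason given in the commit message (the DMA engine must not reach MMIO such as the HDA controller's own registers) is not visible from the initializer. A one-line comment above the declaration would keep a later cleanup from reverting it to MEMTXATTRS_UNSPECIFIED.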
+-- 
+1.8.3.1
-- 
2.25.1




* [OE-core][kirkstone 05/13] qemu: fix CVE-2022-2962
  2022-10-17 23:08 [OE-core][kirkstone 00/13] Patch review Steve Sakoman
                   ` (3 preceding siblings ...)
  2022-10-17 23:08 ` [OE-core][kirkstone 04/13] qemu: Fix CVE-2021-3611 Steve Sakoman
@ 2022-10-17 23:08 ` Steve Sakoman
  2022-10-17 23:08 ` [OE-core][kirkstone 06/13] qemu: Backport patches from upstream to support float128 on qemu-ppc64 Steve Sakoman
                   ` (7 subsequent siblings)
  12 siblings, 0 replies; 21+ messages in thread
From: Steve Sakoman @ 2022-10-17 23:08 UTC (permalink / raw)
  To: openembedded-core

From: Ross Burton <ross.burton@arm.com>

Backport the fix for CVE-2022-2962.

(From OE-Core rev: 943d28a3395455fd475cb6c84247d106adf5fca3)

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit ddc4258012e0d3fa946c319b601b0e73db7ac5e6)
Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>

Signed-off-by: virendra thakur <thakur.virendra1810@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-devtools/qemu/qemu.inc           |  1 +
 ...ulip-Restrict-DMA-engine-to-memories.patch | 64 +++++++++++++++++++
 2 files changed, 65 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/0001-net-tulip-Restrict-DMA-engine-to-memories.patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index cb5f9358da..76ae603ee4 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -70,6 +70,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
            file://0022_let_ld_pointer_pci_dma_function_propagate_MemTxResult.patch \
            file://CVE-2021-3611_1.patch \
            file://CVE-2021-3611_2.patch \
+           file://0001-net-tulip-Restrict-DMA-engine-to-memories.patch \
            "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
 
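Review bot: The added SRC_URI entry uses the upstream-style name 0001-net-tulip-Restrict-DMA-engine-to-memories.patch, while the neighbouring security fixes are named after their CVE (CVE-2021-3611_1.patch, CVE-2021-3611_2.patch). Naming this one CVE-2022-2962.patch would keep the list consistent and make the fix easy to locate in the recipe.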
diff --git a/meta/recipes-devtools/qemu/qemu/0001-net-tulip-Restrict-DMA-engine-to-memories.patch b/meta/recipes-devtools/qemu/qemu/0001-net-tulip-Restrict-DMA-engine-to-memories.patch
new file mode 100644
index 0000000000..6c85a77ba7
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0001-net-tulip-Restrict-DMA-engine-to-memories.patch
@@ -0,0 +1,64 @@
+CVE: CVE-2022-2962
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+From 5c5c50b0a73d78ffe18336c9996fef5eae9bbbb0 Mon Sep 17 00:00:00 2001
+From: Zheyu Ma <zheyuma97@gmail.com>
+Date: Sun, 21 Aug 2022 20:43:43 +0800
+Subject: [PATCH] net: tulip: Restrict DMA engine to memories
+
+The DMA engine is started by I/O access and then itself accesses the
+I/O registers, triggering a reentrancy bug.
+
+The following log can reveal it:
+==5637==ERROR: AddressSanitizer: stack-overflow
+    #0 0x5595435f6078 in tulip_xmit_list_update qemu/hw/net/tulip.c:673
+    #1 0x5595435f204a in tulip_write qemu/hw/net/tulip.c:805:13
+    #2 0x559544637f86 in memory_region_write_accessor qemu/softmmu/memory.c:492:5
+    #3 0x5595446379fa in access_with_adjusted_size qemu/softmmu/memory.c:554:18
+    #4 0x5595446372fa in memory_region_dispatch_write qemu/softmmu/memory.c
+    #5 0x55954468b74c in flatview_write_continue qemu/softmmu/physmem.c:2825:23
+    #6 0x559544683662 in flatview_write qemu/softmmu/physmem.c:2867:12
+    #7 0x5595446833f3 in address_space_write qemu/softmmu/physmem.c:2963:18
+    #8 0x5595435fb082 in dma_memory_rw_relaxed qemu/include/sysemu/dma.h:87:12
+    #9 0x5595435fb082 in dma_memory_rw qemu/include/sysemu/dma.h:130:12
+    #10 0x5595435fb082 in dma_memory_write qemu/include/sysemu/dma.h:171:12
+    #11 0x5595435fb082 in stl_le_dma qemu/include/sysemu/dma.h:272:1
+    #12 0x5595435fb082 in stl_le_pci_dma qemu/include/hw/pci/pci.h:910:1
+    #13 0x5595435fb082 in tulip_desc_write qemu/hw/net/tulip.c:101:9
+    #14 0x5595435f7e3d in tulip_xmit_list_update qemu/hw/net/tulip.c:706:9
+    #15 0x5595435f204a in tulip_write qemu/hw/net/tulip.c:805:13
+
+Fix this bug by restricting the DMA engine to memories regions.
+
+Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+---
+ hw/net/tulip.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/hw/net/tulip.c b/hw/net/tulip.c
+index 097e905bec..b9e42c322a 100644
+--- a/hw/net/tulip.c
++++ b/hw/net/tulip.c
+@@ -70,7 +70,7 @@ static const VMStateDescription vmstate_pci_tulip = {
+ static void tulip_desc_read(TULIPState *s, hwaddr p,
+         struct tulip_descriptor *desc)
+ {
+-    const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
++    const MemTxAttrs attrs = { .memory = true };
+ 
+     if (s->csr[0] & CSR0_DBO) {
+         ldl_be_pci_dma(&s->dev, p, &desc->status, attrs);
+@@ -88,7 +88,7 @@ static void tulip_desc_read(TULIPState *s, hwaddr p,
+ static void tulip_desc_write(TULIPState *s, hwaddr p,
+         struct tulip_descriptor *desc)
+ {
+-    const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
++    const MemTxAttrs attrs = { .memory = true };
+ 
+     if (s->csr[0] & CSR0_DBO) {
+         stl_be_pci_dma(&s->dev, p, desc->status, attrs);
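Review bot: In tulip_desc_write() the result of stl_be_pci_dma() is still discarded, so once { .memory = true } causes a write-back aimed at a non-memory region to fail, the descriptor update is dropped with no trace. Consider collecting the MemTxResult of the writes and reporting or handling the failure, in the same way the intel-hda fix earlier in this series handles a failed stl_le_pci_dma().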
+-- 
+2.34.1
+
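Review bot: The header of this new patch file gives Upstream-Status: Backport with no upstream reference, unlike the CVE-2021-3611 patches in the same recipe, which put the upstream URL in brackets after Backport. Add the upstream commit link for 5c5c50b0a73d78ffe18336c9996fef5eae9bbbb0 so the origin of the backport can be checked.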
-- 
2.25.1




* [OE-core][kirkstone 06/13] qemu: Backport patches from upstream to support float128 on qemu-ppc64
  2022-10-17 23:08 [OE-core][kirkstone 00/13] Patch review Steve Sakoman
                   ` (4 preceding siblings ...)
  2022-10-17 23:08 ` [OE-core][kirkstone 05/13] qemu: fix CVE-2022-2962 Steve Sakoman
@ 2022-10-17 23:08 ` Steve Sakoman
  2022-10-17 23:08 ` [OE-core][kirkstone 07/13] python3: upgrade 3.10.4 -> 3.10.7 Steve Sakoman
                   ` (6 subsequent siblings)
  12 siblings, 0 replies; 21+ messages in thread
From: Steve Sakoman @ 2022-10-17 23:08 UTC (permalink / raw)
  To: openembedded-core

From: Xiangyu Chen <xiangyu.chen@windriver.com>

Background:
Because the current qemu 6.2 doesn't support float128, some POSIX APIs (e.g. double difftime()) return a wrong value; this issue can be reproduced with the open_posix_testsuite difftime case [1].

Upstream qemu already supports ppc64 float128, but that requires updating to qemu 7.0 or later.
We backport the commits [2] from upstream to support it in qemu-ppc64 6.2.0.

[1] difftime test case:
https://github.com/linux-test-project/ltp/tree/master/testcases/open_posix_testsuite/conformance/interfaces/difftime

[2] commits link:
LINK: https://git.qemu.org/?p=qemu.git;a=commit;h=149a48f6e6ccedfa01307d45884aa480f5bf77c5
      https://git.qemu.org/?p=qemu.git;a=commit;h=ba11446c40903b9d97fb75a078d43fee6444d3b6
      https://git.qemu.org/?p=qemu.git;a=commit;h=bead3c9b0ff8efd652afb27923d8ab4458b3bbd9
      https://git.qemu.org/?p=qemu.git;a=commit;h=10cc964030fca459591d9353571f3b1b4e1b5aec
      https://git.qemu.org/?p=qemu.git;a=commit;h=e706d4455b8d54252b11fc504c56df060151cb89
      https://git.qemu.org/?p=qemu.git;a=commit;h=941298ecd7e3103d3789d2dd87dd0f119e81c69e
      https://git.qemu.org/?p=qemu.git;a=commit;h=4edf55698fc2ea30903657c63ed95db0d5548943
      https://git.qemu.org/?p=qemu.git;a=commit;h=c07f82416cb7973c64d1e21c09957182b4b033dc
      https://git.qemu.org/?p=qemu.git;a=commit;h=e4052bb773cc829a27786d68caa22f28cff19d39
      https://git.qemu.org/?p=qemu.git;a=commit;h=ffdaff8e9c698061f57a6b1827570562c5a1c909
      https://git.qemu.org/?p=qemu.git;a=commit;h=201fc774e0e1cc76ec23b595968004a7b14fb6e8
      https://git.qemu.org/?p=qemu.git;a=commit;h=c5df1898a147c232f0502cda5dac8df6074070fc
      https://git.qemu.org/?p=qemu.git;a=commit;h=38d4914c5065e14f0969161274793ded448f067f
      https://git.qemu.org/?p=qemu.git;a=commit;h=caf6f9b568479bea6f6d97798be670f21641a006
      https://git.qemu.org/?p=qemu.git;a=commit;h=25ee608d79c1890c0f4e8c495ec8629d5712de45
      https://git.qemu.org/?p=qemu.git;a=commit;h=19f0862dd8fa6510b2f5b3aff4859363602cd0cf
      https://git.qemu.org/?p=qemu.git;a=commit;h=5f1470b091007f24035d6d33149df49a6dd61682
      https://git.qemu.org/?p=qemu.git;a=commit;h=17868d81e0074905b2c1e414af6618570e8059eb
      https://git.qemu.org/?p=qemu.git;a=commit;h=9193eaa901c54dbff4a91ea0b12a99e0135dbca1
      https://git.qemu.org/?p=qemu.git;a=commit;h=e4318ab2e423c4caf9a88a4e99b5e234096b81a9
      https://git.qemu.org/?p=qemu.git;a=commit;h=3bb1aed246d7b59ceee625a82628f7369d492a8f

Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-devtools/qemu/qemu.inc           |  21 ++
 ...end-float_exception_flags-to-16-bits.patch |  75 +++++
 ...ftfloat-Add-flag-specific-to-Inf-Inf.patch |  59 ++++
 ...softfloat-Add-flag-specific-to-Inf-0.patch | 126 +++++++++
 ...dd-flags-specific-to-Inf-Inf-and-0-0.patch |  73 +++++
 ...-Add-flag-specific-to-signaling-nans.patch | 121 ++++++++
 ...e-float_invalid_op_addsub-for-new-fl.patch | 114 ++++++++
 ...e-float_invalid_op_mul-for-new-flags.patch |  86 ++++++
 ...e-float_invalid_op_div-for-new-flags.patch |  99 +++++++
 ...arget-ppc-Update-fmadd-for-new-flags.patch | 102 +++++++
 .../0010-target-ppc-Split-out-do_fmadd.patch  |  71 +++++
 ...s-max-min-cj-dp-to-use-VSX-registers.patch |  93 +++++++
 ...-Move-xs-max-min-cj-dp-to-decodetree.patch | 121 ++++++++
 ...get-ppc-fix-xscvqpdp-register-access.patch |  41 +++
 ...rget-ppc-move-xscvqpdp-to-decodetree.patch | 130 +++++++++
 ...tore_fpscr-doesn-t-update-bits-0-to-.patch |  70 +++++
 ...get-ppc-Introduce-TRANS-FLAGS-macros.patch | 133 +++++++++
 ...get-ppc-Implement-Vector-Expand-Mask.patch | 105 +++++++
 ...et-ppc-Implement-Vector-Extract-Mask.patch | 141 ++++++++++
 ...ppc-Implement-Vector-Mask-Move-insns.patch | 187 +++++++++++++
 ...xs-n-madd-am-ds-p-xs-n-msub-am-ds-p-.patch | 258 ++++++++++++++++++
 ...mplement-xs-n-maddqp-o-xs-n-msubqp-o.patch | 174 ++++++++++++
 22 files changed, 2400 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/0001-softfloat-Extend-float_exception_flags-to-16-bits.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0002-softfloat-Add-flag-specific-to-Inf-Inf.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0003-softfloat-Add-flag-specific-to-Inf-0.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0004-softfloat-Add-flags-specific-to-Inf-Inf-and-0-0.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0005-softfloat-Add-flag-specific-to-signaling-nans.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0006-target-ppc-Update-float_invalid_op_addsub-for-new-fl.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0007-target-ppc-Update-float_invalid_op_mul-for-new-flags.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0008-target-ppc-Update-float_invalid_op_div-for-new-flags.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0009-target-ppc-Update-fmadd-for-new-flags.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0010-target-ppc-Split-out-do_fmadd.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0011-target-ppc-Fix-xs-max-min-cj-dp-to-use-VSX-registers.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0012-target-ppc-Move-xs-max-min-cj-dp-to-decodetree.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0013-target-ppc-fix-xscvqpdp-register-access.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0014-target-ppc-move-xscvqpdp-to-decodetree.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0015-target-ppc-ppc_store_fpscr-doesn-t-update-bits-0-to-.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0016-target-ppc-Introduce-TRANS-FLAGS-macros.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0017-target-ppc-Implement-Vector-Expand-Mask.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0018-target-ppc-Implement-Vector-Extract-Mask.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0019-target-ppc-Implement-Vector-Mask-Move-insns.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0020-target-ppc-move-xs-n-madd-am-ds-p-xs-n-msub-am-ds-p-.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0021-target-ppc-implement-xs-n-maddqp-o-xs-n-msubqp-o.patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 76ae603ee4..14feb4f1e0 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -71,6 +71,27 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
            file://CVE-2021-3611_1.patch \
            file://CVE-2021-3611_2.patch \
            file://0001-net-tulip-Restrict-DMA-engine-to-memories.patch \
+           file://0001-softfloat-Extend-float_exception_flags-to-16-bits.patch \
+           file://0002-softfloat-Add-flag-specific-to-Inf-Inf.patch \
+           file://0003-softfloat-Add-flag-specific-to-Inf-0.patch \
+           file://0004-softfloat-Add-flags-specific-to-Inf-Inf-and-0-0.patch \
+           file://0005-softfloat-Add-flag-specific-to-signaling-nans.patch \
+           file://0006-target-ppc-Update-float_invalid_op_addsub-for-new-fl.patch \
+           file://0007-target-ppc-Update-float_invalid_op_mul-for-new-flags.patch \
+           file://0008-target-ppc-Update-float_invalid_op_div-for-new-flags.patch \
+           file://0009-target-ppc-Update-fmadd-for-new-flags.patch \
+           file://0010-target-ppc-Split-out-do_fmadd.patch \
+           file://0011-target-ppc-Fix-xs-max-min-cj-dp-to-use-VSX-registers.patch \
+           file://0012-target-ppc-Move-xs-max-min-cj-dp-to-decodetree.patch \
+           file://0013-target-ppc-fix-xscvqpdp-register-access.patch \
+           file://0014-target-ppc-move-xscvqpdp-to-decodetree.patch \
+           file://0015-target-ppc-ppc_store_fpscr-doesn-t-update-bits-0-to-.patch \
+           file://0016-target-ppc-Introduce-TRANS-FLAGS-macros.patch \
+           file://0017-target-ppc-Implement-Vector-Expand-Mask.patch \
+           file://0018-target-ppc-Implement-Vector-Extract-Mask.patch \
+           file://0019-target-ppc-Implement-Vector-Mask-Move-insns.patch \
+           file://0020-target-ppc-move-xs-n-madd-am-ds-p-xs-n-msub-am-ds-p-.patch \
+           file://0021-target-ppc-implement-xs-n-maddqp-o-xs-n-msubqp-o.patch \
            "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
 
diff --git a/meta/recipes-devtools/qemu/qemu/0001-softfloat-Extend-float_exception_flags-to-16-bits.patch b/meta/recipes-devtools/qemu/qemu/0001-softfloat-Extend-float_exception_flags-to-16-bits.patch
new file mode 100644
index 0000000000..e9c47f6901
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0001-softfloat-Extend-float_exception_flags-to-16-bits.patch
@@ -0,0 +1,75 @@
+From 0bec1ded33a857f59cf5f3ceca2f72694256e710 Mon Sep 17 00:00:00 2001
+From: Richard Henderson <richard.henderson@linaro.org>
+Date: Fri, 17 Dec 2021 17:57:14 +0100
+Subject: [PATCH 01/21] softfloat: Extend float_exception_flags to 16 bits
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+We will shortly have more than 8 bits of exceptions.
+Repack the existing flags into low bits and reformat to hex.
+
+Upstream-Status: Backport
+[https://git.qemu.org/?p=qemu.git;a=commit;h=149a48f6e6ccedfa01307d45884aa480f5bf77c5]
+
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Message-Id: <20211119160502.17432-2-richard.henderson@linaro.org>
+Signed-off-by: Cédric Le Goater <clg@kaod.org>
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+---
+ include/fpu/softfloat-types.h | 16 ++++++++--------
+ include/fpu/softfloat.h       |  2 +-
+ 2 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/include/fpu/softfloat-types.h b/include/fpu/softfloat-types.h
+index 5bcbd041f7..65a43aff59 100644
+--- a/include/fpu/softfloat-types.h
++++ b/include/fpu/softfloat-types.h
+@@ -145,13 +145,13 @@ typedef enum __attribute__((__packed__)) {
+  */
+ 
+ enum {
+-    float_flag_invalid   =  1,
+-    float_flag_divbyzero =  4,
+-    float_flag_overflow  =  8,
+-    float_flag_underflow = 16,
+-    float_flag_inexact   = 32,
+-    float_flag_input_denormal = 64,
+-    float_flag_output_denormal = 128
++    float_flag_invalid         = 0x0001,
++    float_flag_divbyzero       = 0x0002,
++    float_flag_overflow        = 0x0004,
++    float_flag_underflow       = 0x0008,
++    float_flag_inexact         = 0x0010,
++    float_flag_input_denormal  = 0x0020,
++    float_flag_output_denormal = 0x0040,
+ };
+ 
+ /*
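Review bot: Besides widening the field, this enum hunk renumbers every flag except float_flag_invalid (float_flag_divbyzero goes from 4 to 0x0002, float_flag_inexact from 32 to 0x0010, and so on), so any code that stores or compares raw float_exception_flags values instead of the enum names silently changes meaning. The commit message only says the flags are repacked. It should state that no saved state or target code depends on the old numeric values, or the series should show that such users were checked.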
+@@ -171,8 +171,8 @@ typedef enum __attribute__((__packed__)) {
+  */
+ 
+ typedef struct float_status {
++    uint16_t float_exception_flags;
+     FloatRoundMode float_rounding_mode;
+-    uint8_t     float_exception_flags;
+     FloatX80RoundPrec floatx80_rounding_precision;
+     bool tininess_before_rounding;
+     /* should denormalised results go to zero and set the inexact flag? */
+diff --git a/include/fpu/softfloat.h b/include/fpu/softfloat.h
+index a249991e61..0d3b407807 100644
+--- a/include/fpu/softfloat.h
++++ b/include/fpu/softfloat.h
+@@ -100,7 +100,7 @@ typedef enum {
+ | Routine to raise any or all of the software IEC/IEEE floating-point
+ | exception flags.
+ *----------------------------------------------------------------------------*/
+-static inline void float_raise(uint8_t flags, float_status *status)
++static inline void float_raise(uint16_t flags, float_status *status)
+ {
+     status->float_exception_flags |= flags;
+ }
+-- 
+2.17.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/0002-softfloat-Add-flag-specific-to-Inf-Inf.patch b/meta/recipes-devtools/qemu/qemu/0002-softfloat-Add-flag-specific-to-Inf-Inf.patch
new file mode 100644
index 0000000000..2713ff370d
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0002-softfloat-Add-flag-specific-to-Inf-Inf.patch
@@ -0,0 +1,59 @@
+From 9b0737858b2b68c3a4d1e0611f2732679c997c6d Mon Sep 17 00:00:00 2001
+From: Richard Henderson <richard.henderson@linaro.org>
+Date: Fri, 17 Dec 2021 17:57:14 +0100
+Subject: [PATCH 02/21] softfloat: Add flag specific to Inf - Inf
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+PowerPC has this flag, and it's easier to compute it here
+than after the fact.
+
+Upstream-Status: Backport
+[https://git.qemu.org/?p=qemu.git;a=commit;h=ba11446c40903b9d97fb75a078d43fee6444d3b6]
+
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-Id: <20211119160502.17432-3-richard.henderson@linaro.org>
+Signed-off-by: Cédric Le Goater <clg@kaod.org>
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+---
+ fpu/softfloat-parts.c.inc     | 3 ++-
+ include/fpu/softfloat-types.h | 1 +
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/fpu/softfloat-parts.c.inc b/fpu/softfloat-parts.c.inc
+index 41d4b17e41..eb2b475ca4 100644
+--- a/fpu/softfloat-parts.c.inc
++++ b/fpu/softfloat-parts.c.inc
+@@ -354,7 +354,7 @@ static FloatPartsN *partsN(addsub)(FloatPartsN *a, FloatPartsN *b,
+                 return a;
+             }
+             /* Inf - Inf */
+-            float_raise(float_flag_invalid, s);
++            float_raise(float_flag_invalid | float_flag_invalid_isi, s);
+             parts_default_nan(a, s);
+             return a;
+         }
+@@ -494,6 +494,7 @@ static FloatPartsN *partsN(muladd)(FloatPartsN *a, FloatPartsN *b,
+ 
+         if (ab_mask & float_cmask_inf) {
+             if (c->cls == float_class_inf && a->sign != c->sign) {
++                float_raise(float_flag_invalid | float_flag_invalid_isi, s);
+                 goto d_nan;
+             }
+             goto return_inf;
+diff --git a/include/fpu/softfloat-types.h b/include/fpu/softfloat-types.h
+index 65a43aff59..eaa12e1e00 100644
+--- a/include/fpu/softfloat-types.h
++++ b/include/fpu/softfloat-types.h
+@@ -152,6 +152,7 @@ enum {
+     float_flag_inexact         = 0x0010,
+     float_flag_input_denormal  = 0x0020,
+     float_flag_output_denormal = 0x0040,
++    float_flag_invalid_isi     = 0x0080,  /* inf - inf */
+ };
+ 
+ /*
+-- 
+2.17.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/0003-softfloat-Add-flag-specific-to-Inf-0.patch b/meta/recipes-devtools/qemu/qemu/0003-softfloat-Add-flag-specific-to-Inf-0.patch
new file mode 100644
index 0000000000..1b21e3cfeb
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0003-softfloat-Add-flag-specific-to-Inf-0.patch
@@ -0,0 +1,126 @@
+From 613f373f0b652ab2fb2572633e7a23807096790b Mon Sep 17 00:00:00 2001
+From: Richard Henderson <richard.henderson@linaro.org>
+Date: Fri, 17 Dec 2021 17:57:14 +0100
+Subject: [PATCH 03/21] softfloat: Add flag specific to Inf * 0
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+PowerPC has this flag, and it's easier to compute it here
+than after the fact.
+
+Upstream-Status: Backport
+[https://git.qemu.org/?p=qemu.git;a=commit;h=bead3c9b0ff8efd652afb27923d8ab4458b3bbd9]
+
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-Id: <20211119160502.17432-4-richard.henderson@linaro.org>
+Signed-off-by: Cédric Le Goater <clg@kaod.org>
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+---
+ fpu/softfloat-parts.c.inc      |  4 ++--
+ fpu/softfloat-specialize.c.inc | 12 ++++++------
+ include/fpu/softfloat-types.h  |  1 +
+ 3 files changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/fpu/softfloat-parts.c.inc b/fpu/softfloat-parts.c.inc
+index eb2b475ca4..3ed793347b 100644
+--- a/fpu/softfloat-parts.c.inc
++++ b/fpu/softfloat-parts.c.inc
+@@ -423,7 +423,7 @@ static FloatPartsN *partsN(mul)(FloatPartsN *a, FloatPartsN *b,
+ 
+     /* Inf * Zero == NaN */
+     if (unlikely(ab_mask == float_cmask_infzero)) {
+-        float_raise(float_flag_invalid, s);
++        float_raise(float_flag_invalid | float_flag_invalid_imz, s);
+         parts_default_nan(a, s);
+         return a;
+     }
+@@ -489,6 +489,7 @@ static FloatPartsN *partsN(muladd)(FloatPartsN *a, FloatPartsN *b,
+ 
+     if (unlikely(ab_mask != float_cmask_normal)) {
+         if (unlikely(ab_mask == float_cmask_infzero)) {
++            float_raise(float_flag_invalid | float_flag_invalid_imz, s);
+             goto d_nan;
+         }
+ 
+@@ -567,7 +568,6 @@ static FloatPartsN *partsN(muladd)(FloatPartsN *a, FloatPartsN *b,
+     goto finish_sign;
+ 
+  d_nan:
+-    float_raise(float_flag_invalid, s);
+     parts_default_nan(a, s);
+     return a;
+ }
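Review bot: dropping float_raise(float_flag_invalid, s) from the d_nan label in muladd means every `goto d_nan` must now raise Invalid itself. The visible hunks cover the Inf * 0 path here and the Inf - Inf path in patch 02, but the remaining body of muladd is outside the context, so please confirm no other jump to d_nan is left without a raise. A one-line comment at the label stating that callers raise the flags would prevent a later regression.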
+diff --git a/fpu/softfloat-specialize.c.inc b/fpu/softfloat-specialize.c.inc
+index f2ad0f335e..943e3301d2 100644
+--- a/fpu/softfloat-specialize.c.inc
++++ b/fpu/softfloat-specialize.c.inc
+@@ -506,7 +506,7 @@ static int pickNaNMulAdd(FloatClass a_cls, FloatClass b_cls, FloatClass c_cls,
+      * the default NaN
+      */
+     if (infzero && is_qnan(c_cls)) {
+-        float_raise(float_flag_invalid, status);
++        float_raise(float_flag_invalid | float_flag_invalid_imz, status);
+         return 3;
+     }
+ 
+@@ -533,7 +533,7 @@ static int pickNaNMulAdd(FloatClass a_cls, FloatClass b_cls, FloatClass c_cls,
+          * case sets InvalidOp and returns the default NaN
+          */
+         if (infzero) {
+-            float_raise(float_flag_invalid, status);
++            float_raise(float_flag_invalid | float_flag_invalid_imz, status);
+             return 3;
+         }
+         /* Prefer sNaN over qNaN, in the a, b, c order. */
+@@ -556,7 +556,7 @@ static int pickNaNMulAdd(FloatClass a_cls, FloatClass b_cls, FloatClass c_cls,
+          * case sets InvalidOp and returns the input value 'c'
+          */
+         if (infzero) {
+-            float_raise(float_flag_invalid, status);
++            float_raise(float_flag_invalid | float_flag_invalid_imz, status);
+             return 2;
+         }
+         /* Prefer sNaN over qNaN, in the c, a, b order. */
+@@ -580,7 +580,7 @@ static int pickNaNMulAdd(FloatClass a_cls, FloatClass b_cls, FloatClass c_cls,
+      * a default NaN
+      */
+     if (infzero) {
+-        float_raise(float_flag_invalid, status);
++        float_raise(float_flag_invalid | float_flag_invalid_imz, status);
+         return 2;
+     }
+ 
+@@ -597,7 +597,7 @@ static int pickNaNMulAdd(FloatClass a_cls, FloatClass b_cls, FloatClass c_cls,
+ #elif defined(TARGET_RISCV)
+     /* For RISC-V, InvalidOp is set when multiplicands are Inf and zero */
+     if (infzero) {
+-        float_raise(float_flag_invalid, status);
++        float_raise(float_flag_invalid | float_flag_invalid_imz, status);
+     }
+     return 3; /* default NaN */
+ #elif defined(TARGET_XTENSA)
+@@ -606,7 +606,7 @@ static int pickNaNMulAdd(FloatClass a_cls, FloatClass b_cls, FloatClass c_cls,
+      * an input NaN if we have one (ie c).
+      */
+     if (infzero) {
+-        float_raise(float_flag_invalid, status);
++        float_raise(float_flag_invalid | float_flag_invalid_imz, status);
+         return 2;
+     }
+     if (status->use_first_nan) {
+diff --git a/include/fpu/softfloat-types.h b/include/fpu/softfloat-types.h
+index eaa12e1e00..56b4cf7835 100644
+--- a/include/fpu/softfloat-types.h
++++ b/include/fpu/softfloat-types.h
+@@ -153,6 +153,7 @@ enum {
+     float_flag_input_denormal  = 0x0020,
+     float_flag_output_denormal = 0x0040,
+     float_flag_invalid_isi     = 0x0080,  /* inf - inf */
++    float_flag_invalid_imz     = 0x0100,  /* inf * 0 */
+ };
+ 
+ /*
+-- 
+2.17.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/0004-softfloat-Add-flags-specific-to-Inf-Inf-and-0-0.patch b/meta/recipes-devtools/qemu/qemu/0004-softfloat-Add-flags-specific-to-Inf-Inf-and-0-0.patch
new file mode 100644
index 0000000000..c5377fbe70
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0004-softfloat-Add-flags-specific-to-Inf-Inf-and-0-0.patch
@@ -0,0 +1,73 @@
+From 52f1760d2d65e1a61028cb9d8610c8a38aa44cfc Mon Sep 17 00:00:00 2001
+From: Richard Henderson <richard.henderson@linaro.org>
+Date: Fri, 17 Dec 2021 17:57:14 +0100
+Subject: [PATCH 04/21] softfloat: Add flags specific to Inf / Inf and 0 / 0
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+PowerPC has these flags, and it's easier to compute them here
+than after the fact.
+
+Upstream-Status: Backport
+[https://git.qemu.org/?p=qemu.git;a=commit;h=10cc964030fca459591d9353571f3b1b4e1b5aec]
+
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-Id: <20211119160502.17432-5-richard.henderson@linaro.org>
+Signed-off-by: Cédric Le Goater <clg@kaod.org>
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+---
+ fpu/softfloat-parts.c.inc     | 16 +++++++++++-----
+ include/fpu/softfloat-types.h |  2 ++
+ 2 files changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/fpu/softfloat-parts.c.inc b/fpu/softfloat-parts.c.inc
+index 3ed793347b..b8563cd2df 100644
+--- a/fpu/softfloat-parts.c.inc
++++ b/fpu/softfloat-parts.c.inc
+@@ -590,11 +590,13 @@ static FloatPartsN *partsN(div)(FloatPartsN *a, FloatPartsN *b,
+     }
+ 
+     /* 0/0 or Inf/Inf => NaN */
+-    if (unlikely(ab_mask == float_cmask_zero) ||
+-        unlikely(ab_mask == float_cmask_inf)) {
+-        float_raise(float_flag_invalid, s);
+-        parts_default_nan(a, s);
+-        return a;
++    if (unlikely(ab_mask == float_cmask_zero)) {
++        float_raise(float_flag_invalid | float_flag_invalid_zdz, s);
++        goto d_nan;
++    }
++    if (unlikely(ab_mask == float_cmask_inf)) {
++        float_raise(float_flag_invalid | float_flag_invalid_idi, s);
++        goto d_nan;
+     }
+ 
+     /* All the NaN cases */
+@@ -625,6 +627,10 @@ static FloatPartsN *partsN(div)(FloatPartsN *a, FloatPartsN *b,
+     float_raise(float_flag_divbyzero, s);
+     a->cls = float_class_inf;
+     return a;
++
++ d_nan:
++    parts_default_nan(a, s);
++    return a;
+ }
+ 
+ /*
+diff --git a/include/fpu/softfloat-types.h b/include/fpu/softfloat-types.h
+index 56b4cf7835..5a9671e564 100644
+--- a/include/fpu/softfloat-types.h
++++ b/include/fpu/softfloat-types.h
+@@ -154,6 +154,8 @@ enum {
+     float_flag_output_denormal = 0x0040,
+     float_flag_invalid_isi     = 0x0080,  /* inf - inf */
+     float_flag_invalid_imz     = 0x0100,  /* inf * 0 */
++    float_flag_invalid_idi     = 0x0200,  /* inf / inf */
++    float_flag_invalid_zdz     = 0x0400,  /* 0 / 0 */
+ };
+ 
+ /*
+-- 
+2.17.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/0005-softfloat-Add-flag-specific-to-signaling-nans.patch b/meta/recipes-devtools/qemu/qemu/0005-softfloat-Add-flag-specific-to-signaling-nans.patch
new file mode 100644
index 0000000000..e4ecb496ae
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0005-softfloat-Add-flag-specific-to-signaling-nans.patch
@@ -0,0 +1,121 @@
+From 6bc0b2cffab0ee280ae9730262f162f25c16f6c2 Mon Sep 17 00:00:00 2001
+From: Richard Henderson <richard.henderson@linaro.org>
+Date: Fri, 17 Dec 2021 17:57:14 +0100
+Subject: [PATCH 05/21] softfloat: Add flag specific to signaling nans
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+PowerPC has this flag, and it's easier to compute it here
+than after the fact.
+
+Upstream-Status: Backport
+[https://git.qemu.org/?p=qemu.git;a=commit;h=e706d4455b8d54252b11fc504c56df060151cb89]
+
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-Id: <20211119160502.17432-8-richard.henderson@linaro.org>
+Signed-off-by: Cédric Le Goater <clg@kaod.org>
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+---
+ fpu/softfloat-parts.c.inc     | 18 ++++++++++++------
+ fpu/softfloat.c               |  4 +++-
+ include/fpu/softfloat-types.h |  1 +
+ 3 files changed, 16 insertions(+), 7 deletions(-)
+
+diff --git a/fpu/softfloat-parts.c.inc b/fpu/softfloat-parts.c.inc
+index b8563cd2df..9518f3dc61 100644
+--- a/fpu/softfloat-parts.c.inc
++++ b/fpu/softfloat-parts.c.inc
+@@ -19,7 +19,7 @@ static void partsN(return_nan)(FloatPartsN *a, float_status *s)
+ {
+     switch (a->cls) {
+     case float_class_snan:
+-        float_raise(float_flag_invalid, s);
++        float_raise(float_flag_invalid | float_flag_invalid_snan, s);
+         if (s->default_nan_mode) {
+             parts_default_nan(a, s);
+         } else {
+@@ -40,7 +40,7 @@ static FloatPartsN *partsN(pick_nan)(FloatPartsN *a, FloatPartsN *b,
+                                      float_status *s)
+ {
+     if (is_snan(a->cls) || is_snan(b->cls)) {
+-        float_raise(float_flag_invalid, s);
++        float_raise(float_flag_invalid | float_flag_invalid_snan, s);
+     }
+ 
+     if (s->default_nan_mode) {
+@@ -68,7 +68,7 @@ static FloatPartsN *partsN(pick_nan_muladd)(FloatPartsN *a, FloatPartsN *b,
+     int which;
+ 
+     if (unlikely(abc_mask & float_cmask_snan)) {
+-        float_raise(float_flag_invalid, s);
++        float_raise(float_flag_invalid | float_flag_invalid_snan, s);
+     }
+ 
+     which = pickNaNMulAdd(a->cls, b->cls, c->cls,
+@@ -1049,8 +1049,10 @@ static int64_t partsN(float_to_sint)(FloatPartsN *p, FloatRoundMode rmode,
+ 
+     switch (p->cls) {
+     case float_class_snan:
++        flags |= float_flag_invalid_snan;
++        /* fall through */
+     case float_class_qnan:
+-        flags = float_flag_invalid;
++        flags |= float_flag_invalid;
+         r = max;
+         break;
+ 
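Review bot: in the float_class_snan/float_class_qnan cases, `flags = float_flag_invalid` becomes `flags |= float_flag_invalid`, so the result now depends on `flags` being zero on entry to the switch. The declaration is outside this hunk's context; please confirm it is initialised there. The same applies to the float_to_uint hunk that follows.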
+@@ -1114,8 +1116,10 @@ static uint64_t partsN(float_to_uint)(FloatPartsN *p, FloatRoundMode rmode,
+ 
+     switch (p->cls) {
+     case float_class_snan:
++        flags |= float_flag_invalid_snan;
++        /* fall through */
+     case float_class_qnan:
+-        flags = float_flag_invalid;
++        flags |= float_flag_invalid;
+         r = max;
+         break;
+ 
+@@ -1341,7 +1345,9 @@ static FloatRelation partsN(compare)(FloatPartsN *a, FloatPartsN *b,
+     }
+ 
+     if (unlikely(ab_mask & float_cmask_anynan)) {
+-        if (!is_quiet || (ab_mask & float_cmask_snan)) {
++        if (ab_mask & float_cmask_snan) {
++            float_raise(float_flag_invalid | float_flag_invalid_snan, s);
++        } else if (!is_quiet) {
+             float_raise(float_flag_invalid, s);
+         }
+         return float_relation_unordered;
+diff --git a/fpu/softfloat.c b/fpu/softfloat.c
+index 9a28720d82..834ed3a054 100644
+--- a/fpu/softfloat.c
++++ b/fpu/softfloat.c
+@@ -2543,8 +2543,10 @@ floatx80 floatx80_mod(floatx80 a, floatx80 b, float_status *status)
+ static void parts_float_to_ahp(FloatParts64 *a, float_status *s)
+ {
+     switch (a->cls) {
+-    case float_class_qnan:
+     case float_class_snan:
++        float_raise(float_flag_invalid_snan, s);
++        /* fall through */
++    case float_class_qnan:
+         /*
+          * There is no NaN in the destination format.  Raise Invalid
+          * and return a zero with the sign of the input NaN.
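Review bot: the float_class_snan case in parts_float_to_ahp raises float_flag_invalid_snan alone, while every other site in this patch raises `float_flag_invalid | float_flag_invalid_snan`. This relies on the fall-through into float_class_qnan to raise Invalid. Using the combined mask here, or noting the dependency in the fall-through comment, would keep the sub-flag from ever appearing without the base flag if the qnan branch changes.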
+diff --git a/include/fpu/softfloat-types.h b/include/fpu/softfloat-types.h
+index 5a9671e564..e557b9126b 100644
+--- a/include/fpu/softfloat-types.h
++++ b/include/fpu/softfloat-types.h
+@@ -156,6 +156,7 @@ enum {
+     float_flag_invalid_imz     = 0x0100,  /* inf * 0 */
+     float_flag_invalid_idi     = 0x0200,  /* inf / inf */
+     float_flag_invalid_zdz     = 0x0400,  /* 0 / 0 */
++    float_flag_invalid_snan    = 0x2000,  /* any operand was snan */
+ };
+ 
+ /*
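Review bot: float_flag_invalid_snan is assigned 0x2000, skipping 0x0800 and 0x1000 after float_flag_invalid_zdz = 0x0400. The Message-Id suffixes jump from -5- in patch 04 to -8- in this one, so the gap looks like it comes from upstream patches that are not part of this backport. A note in the patch header saying the unused values are intentional and match upstream would save the next reader from treating it as a typo.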
+-- 
+2.17.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/0006-target-ppc-Update-float_invalid_op_addsub-for-new-fl.patch b/meta/recipes-devtools/qemu/qemu/0006-target-ppc-Update-float_invalid_op_addsub-for-new-fl.patch
new file mode 100644
index 0000000000..5f38c7265f
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0006-target-ppc-Update-float_invalid_op_addsub-for-new-fl.patch
@@ -0,0 +1,114 @@
+From ba4a60dd5df31b9fff8b7b8006bf9f15140cc6c5 Mon Sep 17 00:00:00 2001
+From: Richard Henderson <richard.henderson@linaro.org>
+Date: Fri, 17 Dec 2021 17:57:14 +0100
+Subject: [PATCH 06/21] target/ppc: Update float_invalid_op_addsub for new
+ flags
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Now that vxisi and vxsnan are computed directly by
+softfloat, we don't need to recompute it via classes.
+
+Upstream-Status: Backport
+[https://git.qemu.org/?p=qemu.git;a=commit;h=941298ecd7e3103d3789d2dd87dd0f119e81c69e]
+
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-Id: <20211119160502.17432-9-richard.henderson@linaro.org>
+Signed-off-by: Cédric Le Goater <clg@kaod.org>
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+---
+ target/ppc/fpu_helper.c | 38 ++++++++++++++------------------------
+ 1 file changed, 14 insertions(+), 24 deletions(-)
+
+diff --git a/target/ppc/fpu_helper.c b/target/ppc/fpu_helper.c
+index c4896cecc8..f0deada84b 100644
+--- a/target/ppc/fpu_helper.c
++++ b/target/ppc/fpu_helper.c
+@@ -450,13 +450,12 @@ void helper_reset_fpstatus(CPUPPCState *env)
+     set_float_exception_flags(0, &env->fp_status);
+ }
+ 
+-static void float_invalid_op_addsub(CPUPPCState *env, bool set_fpcc,
+-                                    uintptr_t retaddr, int classes)
++static void float_invalid_op_addsub(CPUPPCState *env, int flags,
++                                    bool set_fpcc, uintptr_t retaddr)
+ {
+-    if ((classes & ~is_neg) == is_inf) {
+-        /* Magnitude subtraction of infinities */
++    if (flags & float_flag_invalid_isi) {
+         float_invalid_op_vxisi(env, set_fpcc, retaddr);
+-    } else if (classes & is_snan) {
++    } else if (flags & float_flag_invalid_snan) {
+         float_invalid_op_vxsnan(env, retaddr);
+     }
+ }
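Review bot: float_invalid_op_addsub() changes its argument order from (env, set_fpcc, retaddr, classes) to (env, flags, set_fpcc, retaddr), and all of these are integer-convertible types. A call site left in the old order would therefore still compile without a diagnostic and would pass `1` as flags. Since this is a backport onto a different base, it is worth grepping the patched tree for every caller of float_invalid_op_addsub (and the _mul/_div variants changed the same way in patches 07 and 08) to confirm none were missed.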
+@@ -465,12 +464,10 @@ static void float_invalid_op_addsub(CPUPPCState *env, bool set_fpcc,
+ float64 helper_fadd(CPUPPCState *env, float64 arg1, float64 arg2)
+ {
+     float64 ret = float64_add(arg1, arg2, &env->fp_status);
+-    int status = get_float_exception_flags(&env->fp_status);
++    int flags = get_float_exception_flags(&env->fp_status);
+ 
+-    if (unlikely(status & float_flag_invalid)) {
+-        float_invalid_op_addsub(env, 1, GETPC(),
+-                                float64_classify(arg1) |
+-                                float64_classify(arg2));
++    if (unlikely(flags & float_flag_invalid)) {
++        float_invalid_op_addsub(env, flags, 1, GETPC());
+     }
+ 
+     return ret;
+@@ -480,12 +477,10 @@ float64 helper_fadd(CPUPPCState *env, float64 arg1, float64 arg2)
+ float64 helper_fsub(CPUPPCState *env, float64 arg1, float64 arg2)
+ {
+     float64 ret = float64_sub(arg1, arg2, &env->fp_status);
+-    int status = get_float_exception_flags(&env->fp_status);
++    int flags = get_float_exception_flags(&env->fp_status);
+ 
+-    if (unlikely(status & float_flag_invalid)) {
+-        float_invalid_op_addsub(env, 1, GETPC(),
+-                                float64_classify(arg1) |
+-                                float64_classify(arg2));
++    if (unlikely(flags & float_flag_invalid)) {
++        float_invalid_op_addsub(env, flags, 1, GETPC());
+     }
+ 
+     return ret;
+@@ -1616,9 +1611,8 @@ void helper_##name(CPUPPCState *env, ppc_vsr_t *xt,                          \
+         env->fp_status.float_exception_flags |= tstat.float_exception_flags; \
+                                                                              \
+         if (unlikely(tstat.float_exception_flags & float_flag_invalid)) {    \
+-            float_invalid_op_addsub(env, sfprf, GETPC(),                     \
+-                                    tp##_classify(xa->fld) |                 \
+-                                    tp##_classify(xb->fld));                 \
++            float_invalid_op_addsub(env, tstat.float_exception_flags,        \
++                                    sfprf, GETPC());                         \
+         }                                                                    \
+                                                                              \
+         if (r2sp) {                                                          \
+@@ -1660,9 +1654,7 @@ void helper_xsaddqp(CPUPPCState *env, uint32_t opcode,
+     env->fp_status.float_exception_flags |= tstat.float_exception_flags;
+ 
+     if (unlikely(tstat.float_exception_flags & float_flag_invalid)) {
+-        float_invalid_op_addsub(env, 1, GETPC(),
+-                                float128_classify(xa->f128) |
+-                                float128_classify(xb->f128));
++        float_invalid_op_addsub(env, tstat.float_exception_flags, 1, GETPC());
+     }
+ 
+     helper_compute_fprf_float128(env, t.f128);
+@@ -3278,9 +3270,7 @@ void helper_xssubqp(CPUPPCState *env, uint32_t opcode,
+     env->fp_status.float_exception_flags |= tstat.float_exception_flags;
+ 
+     if (unlikely(tstat.float_exception_flags & float_flag_invalid)) {
+-        float_invalid_op_addsub(env, 1, GETPC(),
+-                                float128_classify(xa->f128) |
+-                                float128_classify(xb->f128));
++        float_invalid_op_addsub(env, tstat.float_exception_flags, 1, GETPC());
+     }
+ 
+     helper_compute_fprf_float128(env, t.f128);
+-- 
+2.17.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/0007-target-ppc-Update-float_invalid_op_mul-for-new-flags.patch b/meta/recipes-devtools/qemu/qemu/0007-target-ppc-Update-float_invalid_op_mul-for-new-flags.patch
new file mode 100644
index 0000000000..1cc4e9e35c
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0007-target-ppc-Update-float_invalid_op_mul-for-new-flags.patch
@@ -0,0 +1,86 @@
+From ee8ba2dbb046f48457566b64ad95bf0440d2513e Mon Sep 17 00:00:00 2001
+From: Richard Henderson <richard.henderson@linaro.org>
+Date: Fri, 17 Dec 2021 17:57:14 +0100
+Subject: [PATCH 07/21] target/ppc: Update float_invalid_op_mul for new flags
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Now that vximz and vxsnan are computed directly by
+softfloat, we don't need to recompute it via classes.
+
+Upstream-Status: Backport
+[https://git.qemu.org/?p=qemu.git;a=commit;h=4edf55698fc2ea30903657c63ed95db0d5548943]
+
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-Id: <20211119160502.17432-10-richard.henderson@linaro.org>
+Signed-off-by: Cédric Le Goater <clg@kaod.org>
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+---
+ target/ppc/fpu_helper.c | 26 ++++++++++----------------
+ 1 file changed, 10 insertions(+), 16 deletions(-)
+
+diff --git a/target/ppc/fpu_helper.c b/target/ppc/fpu_helper.c
+index f0deada84b..23264e6528 100644
+--- a/target/ppc/fpu_helper.c
++++ b/target/ppc/fpu_helper.c
+@@ -486,13 +486,12 @@ float64 helper_fsub(CPUPPCState *env, float64 arg1, float64 arg2)
+     return ret;
+ }
+ 
+-static void float_invalid_op_mul(CPUPPCState *env, bool set_fprc,
+-                                 uintptr_t retaddr, int classes)
++static void float_invalid_op_mul(CPUPPCState *env, int flags,
++                                 bool set_fprc, uintptr_t retaddr)
+ {
+-    if ((classes & (is_zero | is_inf)) == (is_zero | is_inf)) {
+-        /* Multiplication of zero by infinity */
++    if (flags & float_flag_invalid_imz) {
+         float_invalid_op_vximz(env, set_fprc, retaddr);
+-    } else if (classes & is_snan) {
++    } else if (flags & float_flag_invalid_snan) {
+         float_invalid_op_vxsnan(env, retaddr);
+     }
+ }
+@@ -501,12 +500,10 @@ static void float_invalid_op_mul(CPUPPCState *env, bool set_fprc,
+ float64 helper_fmul(CPUPPCState *env, float64 arg1, float64 arg2)
+ {
+     float64 ret = float64_mul(arg1, arg2, &env->fp_status);
+-    int status = get_float_exception_flags(&env->fp_status);
++    int flags = get_float_exception_flags(&env->fp_status);
+ 
+-    if (unlikely(status & float_flag_invalid)) {
+-        float_invalid_op_mul(env, 1, GETPC(),
+-                             float64_classify(arg1) |
+-                             float64_classify(arg2));
++    if (unlikely(flags & float_flag_invalid)) {
++        float_invalid_op_mul(env, flags, 1, GETPC());
+     }
+ 
+     return ret;
+@@ -1687,9 +1684,8 @@ void helper_##op(CPUPPCState *env, ppc_vsr_t *xt,                            \
+         env->fp_status.float_exception_flags |= tstat.float_exception_flags; \
+                                                                              \
+         if (unlikely(tstat.float_exception_flags & float_flag_invalid)) {    \
+-            float_invalid_op_mul(env, sfprf, GETPC(),                        \
+-                                 tp##_classify(xa->fld) |                    \
+-                                 tp##_classify(xb->fld));                    \
++            float_invalid_op_mul(env, tstat.float_exception_flags,           \
++                                 sfprf, GETPC());                            \
+         }                                                                    \
+                                                                              \
+         if (r2sp) {                                                          \
+@@ -1727,9 +1723,7 @@ void helper_xsmulqp(CPUPPCState *env, uint32_t opcode,
+     env->fp_status.float_exception_flags |= tstat.float_exception_flags;
+ 
+     if (unlikely(tstat.float_exception_flags & float_flag_invalid)) {
+-        float_invalid_op_mul(env, 1, GETPC(),
+-                             float128_classify(xa->f128) |
+-                             float128_classify(xb->f128));
++        float_invalid_op_mul(env, tstat.float_exception_flags, 1, GETPC());
+     }
+     helper_compute_fprf_float128(env, t.f128);
+ 
+-- 
+2.17.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/0008-target-ppc-Update-float_invalid_op_div-for-new-flags.patch b/meta/recipes-devtools/qemu/qemu/0008-target-ppc-Update-float_invalid_op_div-for-new-flags.patch
new file mode 100644
index 0000000000..cb657eefd5
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0008-target-ppc-Update-float_invalid_op_div-for-new-flags.patch
@@ -0,0 +1,99 @@
+From a13c0819ef14120a0e30077fcc6a7470409fa732 Mon Sep 17 00:00:00 2001
+From: Richard Henderson <richard.henderson@linaro.org>
+Date: Fri, 17 Dec 2021 17:57:14 +0100
+Subject: [PATCH 08/21] target/ppc: Update float_invalid_op_div for new flags
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Now that vxidi, vxzdz, and vxsnan are computed directly by
+softfloat, we don't need to recompute it via classes.
+
+Upstream-Status: Backport
+[https://git.qemu.org/?p=qemu.git;a=commit;h=c07f82416cb7973c64d1e21c09957182b4b033dc]
+
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-Id: <20211119160502.17432-11-richard.henderson@linaro.org>
+Signed-off-by: Cédric Le Goater <clg@kaod.org>
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+---
+ target/ppc/fpu_helper.c | 38 ++++++++++++++------------------------
+ 1 file changed, 14 insertions(+), 24 deletions(-)
+
+diff --git a/target/ppc/fpu_helper.c b/target/ppc/fpu_helper.c
+index 23264e6528..2ab34236a3 100644
+--- a/target/ppc/fpu_helper.c
++++ b/target/ppc/fpu_helper.c
+@@ -509,17 +509,14 @@ float64 helper_fmul(CPUPPCState *env, float64 arg1, float64 arg2)
+     return ret;
+ }
+ 
+-static void float_invalid_op_div(CPUPPCState *env, bool set_fprc,
+-                                 uintptr_t retaddr, int classes)
++static void float_invalid_op_div(CPUPPCState *env, int flags,
++                                 bool set_fprc, uintptr_t retaddr)
+ {
+-    classes &= ~is_neg;
+-    if (classes == is_inf) {
+-        /* Division of infinity by infinity */
++    if (flags & float_flag_invalid_idi) {
+         float_invalid_op_vxidi(env, set_fprc, retaddr);
+-    } else if (classes == is_zero) {
+-        /* Division of zero by zero */
++    } else if (flags & float_flag_invalid_zdz) {
+         float_invalid_op_vxzdz(env, set_fprc, retaddr);
+-    } else if (classes & is_snan) {
++    } else if (flags & float_flag_invalid_snan) {
+         float_invalid_op_vxsnan(env, retaddr);
+     }
+ }
+@@ -528,17 +525,13 @@ static void float_invalid_op_div(CPUPPCState *env, bool set_fprc,
+ float64 helper_fdiv(CPUPPCState *env, float64 arg1, float64 arg2)
+ {
+     float64 ret = float64_div(arg1, arg2, &env->fp_status);
+-    int status = get_float_exception_flags(&env->fp_status);
++    int flags = get_float_exception_flags(&env->fp_status);
+ 
+-    if (unlikely(status)) {
+-        if (status & float_flag_invalid) {
+-            float_invalid_op_div(env, 1, GETPC(),
+-                                 float64_classify(arg1) |
+-                                 float64_classify(arg2));
+-        }
+-        if (status & float_flag_divbyzero) {
+-            float_zero_divide_excp(env, GETPC());
+-        }
++    if (unlikely(flags & float_flag_invalid)) {
++        float_invalid_op_div(env, flags, 1, GETPC());
++    }
++    if (unlikely(flags & float_flag_divbyzero)) {
++        float_zero_divide_excp(env, GETPC());
+     }
+ 
+     return ret;
+@@ -1755,9 +1748,8 @@ void helper_##op(CPUPPCState *env, ppc_vsr_t *xt,                             \
+         env->fp_status.float_exception_flags |= tstat.float_exception_flags;  \
+                                                                               \
+         if (unlikely(tstat.float_exception_flags & float_flag_invalid)) {     \
+-            float_invalid_op_div(env, sfprf, GETPC(),                         \
+-                                 tp##_classify(xa->fld) |                     \
+-                                 tp##_classify(xb->fld));                     \
++            float_invalid_op_div(env, tstat.float_exception_flags,            \
++                                 sfprf, GETPC());                             \
+         }                                                                     \
+         if (unlikely(tstat.float_exception_flags & float_flag_divbyzero)) {   \
+             float_zero_divide_excp(env, GETPC());                             \
+@@ -1798,9 +1790,7 @@ void helper_xsdivqp(CPUPPCState *env, uint32_t opcode,
+     env->fp_status.float_exception_flags |= tstat.float_exception_flags;
+ 
+     if (unlikely(tstat.float_exception_flags & float_flag_invalid)) {
+-        float_invalid_op_div(env, 1, GETPC(),
+-                             float128_classify(xa->f128) |
+-                             float128_classify(xb->f128));
++        float_invalid_op_div(env, tstat.float_exception_flags, 1, GETPC());
+     }
+     if (unlikely(tstat.float_exception_flags & float_flag_divbyzero)) {
+         float_zero_divide_excp(env, GETPC());
+-- 
+2.17.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/0009-target-ppc-Update-fmadd-for-new-flags.patch b/meta/recipes-devtools/qemu/qemu/0009-target-ppc-Update-fmadd-for-new-flags.patch
new file mode 100644
index 0000000000..2e723582b7
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0009-target-ppc-Update-fmadd-for-new-flags.patch
@@ -0,0 +1,102 @@
+From ce768160ee1ee9673d60e800389c41b3c707411a Mon Sep 17 00:00:00 2001
+From: Richard Henderson <richard.henderson@linaro.org>
+Date: Fri, 17 Dec 2021 17:57:15 +0100
+Subject: [PATCH 09/21] target/ppc: Update fmadd for new flags
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Now that vximz, vxisi, and vxsnan are computed directly by
+softfloat, we don't need to recompute it.  This replaces the
+separate float{32,64}_maddsub_update_excp functions with a
+single float_invalid_op_madd function.
+
+Fix VSX_MADD by passing sfprf to float_invalid_op_madd,
+whereas the previous *_maddsub_update_excp assumed it true.
+
+Upstream-Status: Backport
+[https://git.qemu.org/?p=qemu.git;a=commit;h=e4052bb773cc829a27786d68caa22f28cff19d39]
+
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-Id: <20211119160502.17432-19-richard.henderson@linaro.org>
+Signed-off-by: Cédric Le Goater <clg@kaod.org>
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+---
+ target/ppc/fpu_helper.c | 46 ++++++++++-------------------------------
+ 1 file changed, 11 insertions(+), 35 deletions(-)
+
+diff --git a/target/ppc/fpu_helper.c b/target/ppc/fpu_helper.c
+index 2ab34236a3..3b1cb25666 100644
+--- a/target/ppc/fpu_helper.c
++++ b/target/ppc/fpu_helper.c
+@@ -639,38 +639,15 @@ uint64_t helper_frim(CPUPPCState *env, uint64_t arg)
+     return do_fri(env, arg, float_round_down);
+ }
+ 
+-#define FPU_MADDSUB_UPDATE(NAME, TP)                                    \
+-static void NAME(CPUPPCState *env, TP arg1, TP arg2, TP arg3,           \
+-                 unsigned int madd_flags, uintptr_t retaddr)            \
+-{                                                                       \
+-    if (TP##_is_signaling_nan(arg1, &env->fp_status) ||                 \
+-        TP##_is_signaling_nan(arg2, &env->fp_status) ||                 \
+-        TP##_is_signaling_nan(arg3, &env->fp_status)) {                 \
+-        /* sNaN operation */                                            \
+-        float_invalid_op_vxsnan(env, retaddr);                          \
+-    }                                                                   \
+-    if ((TP##_is_infinity(arg1) && TP##_is_zero(arg2)) ||               \
+-        (TP##_is_zero(arg1) && TP##_is_infinity(arg2))) {               \
+-        /* Multiplication of zero by infinity */                        \
+-        float_invalid_op_vximz(env, 1, retaddr);                        \
+-    }                                                                   \
+-    if ((TP##_is_infinity(arg1) || TP##_is_infinity(arg2)) &&           \
+-        TP##_is_infinity(arg3)) {                                       \
+-        uint8_t aSign, bSign, cSign;                                    \
+-                                                                        \
+-        aSign = TP##_is_neg(arg1);                                      \
+-        bSign = TP##_is_neg(arg2);                                      \
+-        cSign = TP##_is_neg(arg3);                                      \
+-        if (madd_flags & float_muladd_negate_c) {                       \
+-            cSign ^= 1;                                                 \
+-        }                                                               \
+-        if (aSign ^ bSign ^ cSign) {                                    \
+-            float_invalid_op_vxisi(env, 1, retaddr);                    \
+-        }                                                               \
+-    }                                                                   \
++static void float_invalid_op_madd(CPUPPCState *env, int flags,
++                                  bool set_fpcc, uintptr_t retaddr)
++{
++    if (flags & float_flag_invalid_imz) {
++        float_invalid_op_vximz(env, set_fpcc, retaddr);
++    } else {
++        float_invalid_op_addsub(env, flags, set_fpcc, retaddr);
++    }
+ }
+-FPU_MADDSUB_UPDATE(float32_maddsub_update_excp, float32)
+-FPU_MADDSUB_UPDATE(float64_maddsub_update_excp, float64)
+ 
+ #define FPU_FMADD(op, madd_flags)                                       \
+ uint64_t helper_##op(CPUPPCState *env, uint64_t arg1,                   \
+@@ -682,8 +659,7 @@ uint64_t helper_##op(CPUPPCState *env, uint64_t arg1,                   \
+     flags = get_float_exception_flags(&env->fp_status);                 \
+     if (flags) {                                                        \
+         if (flags & float_flag_invalid) {                               \
+-            float64_maddsub_update_excp(env, arg1, arg2, arg3,          \
+-                                        madd_flags, GETPC());           \
++            float_invalid_op_madd(env, flags, 1, GETPC());              \
+         }                                                               \
+         do_float_check_status(env, GETPC());                            \
+     }                                                                   \
+@@ -2087,8 +2063,8 @@ void helper_##op(CPUPPCState *env, ppc_vsr_t *xt,                             \
+         env->fp_status.float_exception_flags |= tstat.float_exception_flags;  \
+                                                                               \
+         if (unlikely(tstat.float_exception_flags & float_flag_invalid)) {     \
+-            tp##_maddsub_update_excp(env, xa->fld, b->fld,                    \
+-                                     c->fld, maddflgs, GETPC());              \
++            float_invalid_op_madd(env, tstat.float_exception_flags,           \
++                                  sfprf, GETPC());                            \
+         }                                                                     \
+                                                                               \
+         if (r2sp) {                                                           \
+-- 
+2.17.1
+
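Review bot: In float_invalid_op_madd the `if (flags & float_flag_invalid_imz) ... else ...` makes VXIMZ exclusive with whatever float_invalid_op_addsub raises, whereas the removed FPU_MADDSUB_UPDATE macro ran the sNaN, zero-times-infinity and infinity-minus-infinity checks as three independent `if` statements. The commit message says softfloat now computes vximz, vxisi and vxsnan directly, but it does not say these flags are never reported together. A one-line comment above the function stating that assumption would make the backport easier to audit. The FPU_FMADD call site also passes the literal `1` for the `bool set_fpcc` parameter; `true` would match the declared type.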
diff --git a/meta/recipes-devtools/qemu/qemu/0010-target-ppc-Split-out-do_fmadd.patch b/meta/recipes-devtools/qemu/qemu/0010-target-ppc-Split-out-do_fmadd.patch
new file mode 100644
index 0000000000..4d19773200
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0010-target-ppc-Split-out-do_fmadd.patch
@@ -0,0 +1,71 @@
+From f024b8937d8b614994b94e86d2240fafcc7d2d73 Mon Sep 17 00:00:00 2001
+From: Richard Henderson <richard.henderson@linaro.org>
+Date: Fri, 17 Dec 2021 17:57:15 +0100
+Subject: [PATCH 10/21] target/ppc: Split out do_fmadd
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Create a common function for all of the madd helpers.
+Let the compiler tail call or inline as it chooses.
+
+Upstream-Status: Backport
+[https://git.qemu.org/?p=qemu.git;a=commit;h=ffdaff8e9c698061f57a6b1827570562c5a1c909]
+
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-Id: <20211119160502.17432-20-richard.henderson@linaro.org>
+Signed-off-by: Cédric Le Goater <clg@kaod.org>
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+---
+ target/ppc/fpu_helper.c | 33 ++++++++++++++++++---------------
+ 1 file changed, 18 insertions(+), 15 deletions(-)
+
+diff --git a/target/ppc/fpu_helper.c b/target/ppc/fpu_helper.c
+index 3b1cb25666..9a1e7e6244 100644
+--- a/target/ppc/fpu_helper.c
++++ b/target/ppc/fpu_helper.c
+@@ -649,23 +649,26 @@ static void float_invalid_op_madd(CPUPPCState *env, int flags,
+     }
+ }
+ 
+-#define FPU_FMADD(op, madd_flags)                                       \
+-uint64_t helper_##op(CPUPPCState *env, uint64_t arg1,                   \
+-                     uint64_t arg2, uint64_t arg3)                      \
+-{                                                                       \
+-    uint32_t flags;                                                     \
+-    float64 ret = float64_muladd(arg1, arg2, arg3, madd_flags,          \
+-                                 &env->fp_status);                      \
+-    flags = get_float_exception_flags(&env->fp_status);                 \
+-    if (flags) {                                                        \
+-        if (flags & float_flag_invalid) {                               \
+-            float_invalid_op_madd(env, flags, 1, GETPC());              \
+-        }                                                               \
+-        do_float_check_status(env, GETPC());                            \
+-    }                                                                   \
+-    return ret;                                                         \
++static float64 do_fmadd(CPUPPCState *env, float64 a, float64 b,
++                         float64 c, int madd_flags, uintptr_t retaddr)
++{
++    float64 ret = float64_muladd(a, b, c, madd_flags, &env->fp_status);
++    int flags = get_float_exception_flags(&env->fp_status);
++
++    if (flags) {
++        if (flags & float_flag_invalid) {
++            float_invalid_op_madd(env, flags, 1, retaddr);
++        }
++        do_float_check_status(env, retaddr);
++    }
++    return ret;
+ }
+ 
++#define FPU_FMADD(op, madd_flags)                                    \
++    uint64_t helper_##op(CPUPPCState *env, uint64_t arg1,            \
++                         uint64_t arg2, uint64_t arg3)               \
++    { return do_fmadd(env, arg1, arg2, arg3, madd_flags, GETPC()); }
++
+ #define MADD_FLGS 0
+ #define MSUB_FLGS float_muladd_negate_c
+ #define NMADD_FLGS float_muladd_negate_result
+-- 
+2.17.1
+
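Review bot: do_fmadd hard-codes `1` as the set_fpcc argument in `float_invalid_op_madd(env, flags, 1, retaddr)`, so although the commit message calls it a common function for all of the madd helpers, it cannot serve a caller that needs a different value, such as the VSX call site in the preceding patch, which passes `sfprf`. Either take set_fpcc as a parameter of do_fmadd or narrow the description to the scalar FPU_FMADD helpers, and write the constant as `true` since the parameter is declared `bool`.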
diff --git a/meta/recipes-devtools/qemu/qemu/0011-target-ppc-Fix-xs-max-min-cj-dp-to-use-VSX-registers.patch b/meta/recipes-devtools/qemu/qemu/0011-target-ppc-Fix-xs-max-min-cj-dp-to-use-VSX-registers.patch
new file mode 100644
index 0000000000..0daae55b99
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0011-target-ppc-Fix-xs-max-min-cj-dp-to-use-VSX-registers.patch
@@ -0,0 +1,93 @@
+From a1821ad612994b95cb6597efd15e0a888676386c Mon Sep 17 00:00:00 2001
+From: Victor Colombo <victor.colombo@eldorado.org.br>
+Date: Fri, 17 Dec 2021 17:57:18 +0100
+Subject: [PATCH 11/21] target/ppc: Fix xs{max, min}[cj]dp to use VSX registers
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+PPC instruction xsmaxcdp, xsmincdp, xsmaxjdp, and xsminjdp are using
+vector registers when they should be using VSX ones. This happens
+because the instructions are using GEN_VSX_HELPER_R3, which adds 32
+to the register numbers, effectively making them vector registers.
+
+This patch fixes it by changing these instructions to use
+GEN_VSX_HELPER_X3.
+
+Upstream-Status: Backport
+[https://git.qemu.org/?p=qemu.git;a=commit;h=201fc774e0e1cc76ec23b595968004a7b14fb6e8]
+
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Signed-off-by: Victor Colombo <victor.colombo@eldorado.org.br>
+Message-Id: <20211213120958.24443-2-victor.colombo@eldorado.org.br>
+Signed-off-by: Cédric Le Goater <clg@kaod.org>
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+---
+ target/ppc/fpu_helper.c             | 4 ++--
+ target/ppc/helper.h                 | 8 ++++----
+ target/ppc/translate/vsx-impl.c.inc | 8 ++++----
+ 3 files changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/target/ppc/fpu_helper.c b/target/ppc/fpu_helper.c
+index 9a1e7e6244..ecdcd36a11 100644
+--- a/target/ppc/fpu_helper.c
++++ b/target/ppc/fpu_helper.c
+@@ -2375,7 +2375,7 @@ VSX_MAX_MIN(xvmindp, minnum, 2, float64, VsrD(i))
+ VSX_MAX_MIN(xvminsp, minnum, 4, float32, VsrW(i))
+ 
+ #define VSX_MAX_MINC(name, max)                                               \
+-void helper_##name(CPUPPCState *env, uint32_t opcode,                         \
++void helper_##name(CPUPPCState *env,                                          \
+                    ppc_vsr_t *xt, ppc_vsr_t *xa, ppc_vsr_t *xb)               \
+ {                                                                             \
+     ppc_vsr_t t = *xt;                                                        \
+@@ -2410,7 +2410,7 @@ VSX_MAX_MINC(xsmaxcdp, 1);
+ VSX_MAX_MINC(xsmincdp, 0);
+ 
+ #define VSX_MAX_MINJ(name, max)                                               \
+-void helper_##name(CPUPPCState *env, uint32_t opcode,                         \
++void helper_##name(CPUPPCState *env,                                          \
+                    ppc_vsr_t *xt, ppc_vsr_t *xa, ppc_vsr_t *xb)               \
+ {                                                                             \
+     ppc_vsr_t t = *xt;                                                        \
+diff --git a/target/ppc/helper.h b/target/ppc/helper.h
+index 627811cefc..12a3d5f269 100644
+--- a/target/ppc/helper.h
++++ b/target/ppc/helper.h
+@@ -392,10 +392,10 @@ DEF_HELPER_4(xscmpoqp, void, env, i32, vsr, vsr)
+ DEF_HELPER_4(xscmpuqp, void, env, i32, vsr, vsr)
+ DEF_HELPER_4(xsmaxdp, void, env, vsr, vsr, vsr)
+ DEF_HELPER_4(xsmindp, void, env, vsr, vsr, vsr)
+-DEF_HELPER_5(xsmaxcdp, void, env, i32, vsr, vsr, vsr)
+-DEF_HELPER_5(xsmincdp, void, env, i32, vsr, vsr, vsr)
+-DEF_HELPER_5(xsmaxjdp, void, env, i32, vsr, vsr, vsr)
+-DEF_HELPER_5(xsminjdp, void, env, i32, vsr, vsr, vsr)
++DEF_HELPER_4(xsmaxcdp, void, env, vsr, vsr, vsr)
++DEF_HELPER_4(xsmincdp, void, env, vsr, vsr, vsr)
++DEF_HELPER_4(xsmaxjdp, void, env, vsr, vsr, vsr)
++DEF_HELPER_4(xsminjdp, void, env, vsr, vsr, vsr)
+ DEF_HELPER_3(xscvdphp, void, env, vsr, vsr)
+ DEF_HELPER_4(xscvdpqp, void, env, i32, vsr, vsr)
+ DEF_HELPER_3(xscvdpsp, void, env, vsr, vsr)
+diff --git a/target/ppc/translate/vsx-impl.c.inc b/target/ppc/translate/vsx-impl.c.inc
+index c0e38060b4..02df75339e 100644
+--- a/target/ppc/translate/vsx-impl.c.inc
++++ b/target/ppc/translate/vsx-impl.c.inc
+@@ -1098,10 +1098,10 @@ GEN_VSX_HELPER_R2_AB(xscmpoqp, 0x04, 0x04, 0, PPC2_VSX)
+ GEN_VSX_HELPER_R2_AB(xscmpuqp, 0x04, 0x14, 0, PPC2_VSX)
+ GEN_VSX_HELPER_X3(xsmaxdp, 0x00, 0x14, 0, PPC2_VSX)
+ GEN_VSX_HELPER_X3(xsmindp, 0x00, 0x15, 0, PPC2_VSX)
+-GEN_VSX_HELPER_R3(xsmaxcdp, 0x00, 0x10, 0, PPC2_ISA300)
+-GEN_VSX_HELPER_R3(xsmincdp, 0x00, 0x11, 0, PPC2_ISA300)
+-GEN_VSX_HELPER_R3(xsmaxjdp, 0x00, 0x12, 0, PPC2_ISA300)
+-GEN_VSX_HELPER_R3(xsminjdp, 0x00, 0x12, 0, PPC2_ISA300)
++GEN_VSX_HELPER_X3(xsmaxcdp, 0x00, 0x10, 0, PPC2_ISA300)
++GEN_VSX_HELPER_X3(xsmincdp, 0x00, 0x11, 0, PPC2_ISA300)
++GEN_VSX_HELPER_X3(xsmaxjdp, 0x00, 0x12, 0, PPC2_ISA300)
++GEN_VSX_HELPER_X3(xsminjdp, 0x00, 0x12, 0, PPC2_ISA300)
+ GEN_VSX_HELPER_X2(xscvdphp, 0x16, 0x15, 0x11, PPC2_ISA300)
+ GEN_VSX_HELPER_X2(xscvdpsp, 0x12, 0x10, 0, PPC2_VSX)
+ GEN_VSX_HELPER_R2(xscvdpqp, 0x04, 0x1A, 0x16, PPC2_ISA300)
+-- 
+2.17.1
+
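Review bot: In the vsx-impl.c.inc hunk, `GEN_VSX_HELPER_X3(xsminjdp, 0x00, 0x12, 0, PPC2_ISA300)` carries the same 0x12 as xsmaxjdp on the line above it, and the value is copied unchanged from the removed GEN_VSX_HELPER_R3 line. The GEN_XX3FORM table entry for xsminjdp shown in the following patch uses 0x13, so please confirm whether this macro argument is actually consumed and, if it is, correct it while the line is being touched. The commit message could also mention that the `uint32_t opcode` parameter is dropped from VSX_MAX_MINC and VSX_MAX_MINJ, which is why the four declarations move from DEF_HELPER_5 to DEF_HELPER_4.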
diff --git a/meta/recipes-devtools/qemu/qemu/0012-target-ppc-Move-xs-max-min-cj-dp-to-decodetree.patch b/meta/recipes-devtools/qemu/qemu/0012-target-ppc-Move-xs-max-min-cj-dp-to-decodetree.patch
new file mode 100644
index 0000000000..e9b99c9b4e
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0012-target-ppc-Move-xs-max-min-cj-dp-to-decodetree.patch
@@ -0,0 +1,121 @@
+From 1cbb2622de34ee034f1dd7196567673c52c84805 Mon Sep 17 00:00:00 2001
+From: Victor Colombo <victor.colombo@eldorado.org.br>
+Date: Fri, 17 Dec 2021 17:57:18 +0100
+Subject: [PATCH 12/21] target/ppc: Move xs{max,min}[cj]dp to decodetree
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Upstream-Status: Backport
+[https://git.qemu.org/?p=qemu.git;a=commit;h=c5df1898a147c232f0502cda5dac8df6074070fc]
+
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Signed-off-by: Victor Colombo <victor.colombo@eldorado.org.br>
+Message-Id: <20211213120958.24443-3-victor.colombo@eldorado.org.br>
+Signed-off-by: Cédric Le Goater <clg@kaod.org>
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+---
+ target/ppc/insn32.decode            | 17 +++++++++++++---
+ target/ppc/translate/vsx-impl.c.inc | 30 +++++++++++++++++++++++++----
+ target/ppc/translate/vsx-ops.c.inc  |  4 ----
+ 3 files changed, 40 insertions(+), 11 deletions(-)
+
+diff --git a/target/ppc/insn32.decode b/target/ppc/insn32.decode
+index e135b8aba4..759b2a9aa5 100644
+--- a/target/ppc/insn32.decode
++++ b/target/ppc/insn32.decode
+@@ -123,10 +123,14 @@
+ &X_vrt_frbp     vrt frbp
+ @X_vrt_frbp     ...... vrt:5 ..... ....0 .......... .           &X_vrt_frbp frbp=%x_frbp
+ 
++%xx_xt          0:1 21:5
++%xx_xb          1:1 11:5
++%xx_xa          2:1 16:5
+ &XX2            xt xb uim:uint8_t
+-%xx2_xt         0:1 21:5
+-%xx2_xb         1:1 11:5
+-@XX2            ...... ..... ... uim:2 ..... ......... ..       &XX2 xt=%xx2_xt xb=%xx2_xb
++@XX2            ...... ..... ... uim:2 ..... ......... ..       &XX2 xt=%xx_xt xb=%xx_xb
++
++&XX3            xt xa xb
++@XX3            ...... ..... ..... ..... ........ ...           &XX3 xt=%xx_xt xa=%xx_xa xb=%xx_xb
+ 
+ &Z22_bf_fra     bf fra dm
+ @Z22_bf_fra     ...... bf:3 .. fra:5 dm:6 ......... .           &Z22_bf_fra
+@@ -427,3 +431,10 @@ XXSPLTW         111100 ..... ---.. ..... 010100100 . .  @XX2
+ ## VSX Vector Load Special Value Instruction
+ 
+ LXVKQ           111100 ..... 11111 ..... 0101101000 .   @X_uim5
++
++## VSX Comparison Instructions
++
++XSMAXCDP        111100 ..... ..... ..... 10000000 ...   @XX3
++XSMINCDP        111100 ..... ..... ..... 10001000 ...   @XX3
++XSMAXJDP        111100 ..... ..... ..... 10010000 ...   @XX3
++XSMINJDP        111100 ..... ..... ..... 10011000 ...   @XX3
+diff --git a/target/ppc/translate/vsx-impl.c.inc b/target/ppc/translate/vsx-impl.c.inc
+index 02df75339e..e2447750dd 100644
+--- a/target/ppc/translate/vsx-impl.c.inc
++++ b/target/ppc/translate/vsx-impl.c.inc
+@@ -1098,10 +1098,6 @@ GEN_VSX_HELPER_R2_AB(xscmpoqp, 0x04, 0x04, 0, PPC2_VSX)
+ GEN_VSX_HELPER_R2_AB(xscmpuqp, 0x04, 0x14, 0, PPC2_VSX)
+ GEN_VSX_HELPER_X3(xsmaxdp, 0x00, 0x14, 0, PPC2_VSX)
+ GEN_VSX_HELPER_X3(xsmindp, 0x00, 0x15, 0, PPC2_VSX)
+-GEN_VSX_HELPER_X3(xsmaxcdp, 0x00, 0x10, 0, PPC2_ISA300)
+-GEN_VSX_HELPER_X3(xsmincdp, 0x00, 0x11, 0, PPC2_ISA300)
+-GEN_VSX_HELPER_X3(xsmaxjdp, 0x00, 0x12, 0, PPC2_ISA300)
+-GEN_VSX_HELPER_X3(xsminjdp, 0x00, 0x12, 0, PPC2_ISA300)
+ GEN_VSX_HELPER_X2(xscvdphp, 0x16, 0x15, 0x11, PPC2_ISA300)
+ GEN_VSX_HELPER_X2(xscvdpsp, 0x12, 0x10, 0, PPC2_VSX)
+ GEN_VSX_HELPER_R2(xscvdpqp, 0x04, 0x1A, 0x16, PPC2_ISA300)
+@@ -2185,6 +2181,32 @@ TRANS(XXBLENDVH, do_xxblendv, MO_16)
+ TRANS(XXBLENDVW, do_xxblendv, MO_32)
+ TRANS(XXBLENDVD, do_xxblendv, MO_64)
+ 
++static bool do_xsmaxmincjdp(DisasContext *ctx, arg_XX3 *a,
++                            void (*helper)(TCGv_ptr, TCGv_ptr, TCGv_ptr, TCGv_ptr))
++{
++    TCGv_ptr xt, xa, xb;
++
++    REQUIRE_INSNS_FLAGS2(ctx, ISA300);
++    REQUIRE_VSX(ctx);
++
++    xt = gen_vsr_ptr(a->xt);
++    xa = gen_vsr_ptr(a->xa);
++    xb = gen_vsr_ptr(a->xb);
++
++    helper(cpu_env, xt, xa, xb);
++
++    tcg_temp_free_ptr(xt);
++    tcg_temp_free_ptr(xa);
++    tcg_temp_free_ptr(xb);
++
++    return true;
++}
++
++TRANS(XSMAXCDP, do_xsmaxmincjdp, gen_helper_xsmaxcdp)
++TRANS(XSMINCDP, do_xsmaxmincjdp, gen_helper_xsmincdp)
++TRANS(XSMAXJDP, do_xsmaxmincjdp, gen_helper_xsmaxjdp)
++TRANS(XSMINJDP, do_xsmaxmincjdp, gen_helper_xsminjdp)
++
+ #undef GEN_XX2FORM
+ #undef GEN_XX3FORM
+ #undef GEN_XX2IFORM
+diff --git a/target/ppc/translate/vsx-ops.c.inc b/target/ppc/translate/vsx-ops.c.inc
+index 152d1e5c3b..f980bc1bae 100644
+--- a/target/ppc/translate/vsx-ops.c.inc
++++ b/target/ppc/translate/vsx-ops.c.inc
+@@ -207,10 +207,6 @@ GEN_VSX_XFORM_300(xscmpoqp, 0x04, 0x04, 0x00600001),
+ GEN_VSX_XFORM_300(xscmpuqp, 0x04, 0x14, 0x00600001),
+ GEN_XX3FORM(xsmaxdp, 0x00, 0x14, PPC2_VSX),
+ GEN_XX3FORM(xsmindp, 0x00, 0x15, PPC2_VSX),
+-GEN_XX3FORM(xsmaxcdp, 0x00, 0x10, PPC2_ISA300),
+-GEN_XX3FORM(xsmincdp, 0x00, 0x11, PPC2_ISA300),
+-GEN_XX3FORM(xsmaxjdp, 0x00, 0x12, PPC2_ISA300),
+-GEN_XX3FORM(xsminjdp, 0x00, 0x13, PPC2_ISA300),
+ GEN_XX2FORM_EO(xscvdphp, 0x16, 0x15, 0x11, PPC2_ISA300),
+ GEN_XX2FORM(xscvdpsp, 0x12, 0x10, PPC2_VSX),
+ GEN_XX2FORM(xscvdpspn, 0x16, 0x10, PPC2_VSX207),
+-- 
+2.17.1
+
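Review bot: The commit message has no body, yet the insn32.decode hunk does more than add the four new patterns: it renames `%xx2_xt` and `%xx2_xb` to `%xx_xt` and `%xx_xb` and rewrites the existing `@XX2` format to use them, which touches every instruction already decoded through @XX2. Please record that in the message so the shared-field change is not mistaken for part of the xs{max,min}[cj]dp move. In do_xsmaxmincjdp, the `void (*helper)(TCGv_ptr, TCGv_ptr, TCGv_ptr, TCGv_ptr))` parameter line runs past 80 columns and could be wrapped.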
diff --git a/meta/recipes-devtools/qemu/qemu/0013-target-ppc-fix-xscvqpdp-register-access.patch b/meta/recipes-devtools/qemu/qemu/0013-target-ppc-fix-xscvqpdp-register-access.patch
new file mode 100644
index 0000000000..100dcd25bc
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0013-target-ppc-fix-xscvqpdp-register-access.patch
@@ -0,0 +1,41 @@
+From 98ff271a4d1a1d60ae53b1f742df7c188b163375 Mon Sep 17 00:00:00 2001
+From: Matheus Ferst <matheus.ferst@eldorado.org.br>
+Date: Fri, 17 Dec 2021 17:57:18 +0100
+Subject: [PATCH 13/21] target/ppc: fix xscvqpdp register access
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This instruction has VRT and VRB fields instead of T/TX and B/BX.
+
+Upstream-Status: Backport
+[https://git.qemu.org/?p=qemu.git;a=commit;h=38d4914c5065e14f0969161274793ded448f067f]
+
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Signed-off-by: Matheus Ferst <matheus.ferst@eldorado.org.br>
+Message-Id: <20211213120958.24443-4-victor.colombo@eldorado.org.br>
+Signed-off-by: Cédric Le Goater <clg@kaod.org>
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+---
+ target/ppc/translate/vsx-impl.c.inc | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/target/ppc/translate/vsx-impl.c.inc b/target/ppc/translate/vsx-impl.c.inc
+index e2447750dd..ab5cb21f13 100644
+--- a/target/ppc/translate/vsx-impl.c.inc
++++ b/target/ppc/translate/vsx-impl.c.inc
+@@ -913,8 +913,9 @@ static void gen_xscvqpdp(DisasContext *ctx)
+         return;
+     }
+     opc = tcg_const_i32(ctx->opcode);
+-    xt = gen_vsr_ptr(xT(ctx->opcode));
+-    xb = gen_vsr_ptr(xB(ctx->opcode));
++
++    xt = gen_vsr_ptr(rD(ctx->opcode) + 32);
++    xb = gen_vsr_ptr(rB(ctx->opcode) + 32);
+     gen_helper_xscvqpdp(cpu_env, opc, xt, xb);
+     tcg_temp_free_i32(opc);
+     tcg_temp_free_ptr(xt);
+-- 
+2.17.1
+
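Review bot: The two added lines `gen_vsr_ptr(rD(ctx->opcode) + 32)` and `gen_vsr_ptr(rB(ctx->opcode) + 32)` use a bare `+ 32` with no comment, and the commit message only says the instruction has VRT and VRB fields. A short comment that the offset maps the VRT/VRB numbers onto the vector-register half of the VSR file would make the intent clear. Since the next patch in the series replaces both lines with `gen_avr_ptr(a->rt)` and `gen_avr_ptr(a->rb)`, using gen_avr_ptr here as well would avoid the magic number.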
diff --git a/meta/recipes-devtools/qemu/qemu/0014-target-ppc-move-xscvqpdp-to-decodetree.patch b/meta/recipes-devtools/qemu/qemu/0014-target-ppc-move-xscvqpdp-to-decodetree.patch
new file mode 100644
index 0000000000..345a49c90c
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0014-target-ppc-move-xscvqpdp-to-decodetree.patch
@@ -0,0 +1,130 @@
+From c76ea6322bd70c36c9b396cf356167b36928e811 Mon Sep 17 00:00:00 2001
+From: Matheus Ferst <matheus.ferst@eldorado.org.br>
+Date: Fri, 17 Dec 2021 17:57:18 +0100
+Subject: [PATCH 14/21] target/ppc: move xscvqpdp to decodetree
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Upstream-Status: Backport
+[https://git.qemu.org/?p=qemu.git;a=commit;h=caf6f9b568479bea6f6d97798be670f21641a006]
+
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Signed-off-by: Matheus Ferst <matheus.ferst@eldorado.org.br>
+Message-Id: <20211213120958.24443-5-victor.colombo@eldorado.org.br>
+Signed-off-by: Cédric Le Goater <clg@kaod.org>
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+---
+ target/ppc/fpu_helper.c             | 10 +++-------
+ target/ppc/helper.h                 |  2 +-
+ target/ppc/insn32.decode            |  4 ++++
+ target/ppc/translate/vsx-impl.c.inc | 24 +++++++++++++-----------
+ target/ppc/translate/vsx-ops.c.inc  |  1 -
+ 5 files changed, 21 insertions(+), 20 deletions(-)
+
+diff --git a/target/ppc/fpu_helper.c b/target/ppc/fpu_helper.c
+index ecdcd36a11..5cc7fb1dcb 100644
+--- a/target/ppc/fpu_helper.c
++++ b/target/ppc/fpu_helper.c
+@@ -2631,18 +2631,14 @@ VSX_CVT_FP_TO_FP_HP(xscvhpdp, 1, float16, float64, VsrH(3), VsrD(0), 1)
+ VSX_CVT_FP_TO_FP_HP(xvcvsphp, 4, float32, float16, VsrW(i), VsrH(2 * i  + 1), 0)
+ VSX_CVT_FP_TO_FP_HP(xvcvhpsp, 4, float16, float32, VsrH(2 * i + 1), VsrW(i), 0)
+ 
+-/*
+- * xscvqpdp isn't using VSX_CVT_FP_TO_FP() because xscvqpdpo will be
+- * added to this later.
+- */
+-void helper_xscvqpdp(CPUPPCState *env, uint32_t opcode,
+-                     ppc_vsr_t *xt, ppc_vsr_t *xb)
++void helper_XSCVQPDP(CPUPPCState *env, uint32_t ro, ppc_vsr_t *xt,
++                     ppc_vsr_t *xb)
+ {
+     ppc_vsr_t t = { };
+     float_status tstat;
+ 
+     tstat = env->fp_status;
+-    if (unlikely(Rc(opcode) != 0)) {
++    if (ro != 0) {
+         tstat.float_rounding_mode = float_round_to_odd;
+     }
+ 
+diff --git a/target/ppc/helper.h b/target/ppc/helper.h
+index 12a3d5f269..ef5bdd38a7 100644
+--- a/target/ppc/helper.h
++++ b/target/ppc/helper.h
+@@ -400,7 +400,7 @@ DEF_HELPER_3(xscvdphp, void, env, vsr, vsr)
+ DEF_HELPER_4(xscvdpqp, void, env, i32, vsr, vsr)
+ DEF_HELPER_3(xscvdpsp, void, env, vsr, vsr)
+ DEF_HELPER_2(xscvdpspn, i64, env, i64)
+-DEF_HELPER_4(xscvqpdp, void, env, i32, vsr, vsr)
++DEF_HELPER_4(XSCVQPDP, void, env, i32, vsr, vsr)
+ DEF_HELPER_4(xscvqpsdz, void, env, i32, vsr, vsr)
+ DEF_HELPER_4(xscvqpswz, void, env, i32, vsr, vsr)
+ DEF_HELPER_4(xscvqpudz, void, env, i32, vsr, vsr)
+diff --git a/target/ppc/insn32.decode b/target/ppc/insn32.decode
+index 759b2a9aa5..fd6bb13fa0 100644
+--- a/target/ppc/insn32.decode
++++ b/target/ppc/insn32.decode
+@@ -438,3 +438,7 @@ XSMAXCDP        111100 ..... ..... ..... 10000000 ...   @XX3
+ XSMINCDP        111100 ..... ..... ..... 10001000 ...   @XX3
+ XSMAXJDP        111100 ..... ..... ..... 10010000 ...   @XX3
+ XSMINJDP        111100 ..... ..... ..... 10011000 ...   @XX3
++
++## VSX Binary Floating-Point Convert Instructions
++
++XSCVQPDP        111111 ..... 10100 ..... 1101000100 .   @X_tb_rc
+diff --git a/target/ppc/translate/vsx-impl.c.inc b/target/ppc/translate/vsx-impl.c.inc
+index ab5cb21f13..c08185e857 100644
+--- a/target/ppc/translate/vsx-impl.c.inc
++++ b/target/ppc/translate/vsx-impl.c.inc
+@@ -904,22 +904,24 @@ VSX_CMP(xvcmpgesp, 0x0C, 0x0A, 0, PPC2_VSX)
+ VSX_CMP(xvcmpgtsp, 0x0C, 0x09, 0, PPC2_VSX)
+ VSX_CMP(xvcmpnesp, 0x0C, 0x0B, 0, PPC2_VSX)
+ 
+-static void gen_xscvqpdp(DisasContext *ctx)
++static bool trans_XSCVQPDP(DisasContext *ctx, arg_X_tb_rc *a)
+ {
+-    TCGv_i32 opc;
++    TCGv_i32 ro;
+     TCGv_ptr xt, xb;
+-    if (unlikely(!ctx->vsx_enabled)) {
+-        gen_exception(ctx, POWERPC_EXCP_VSXU);
+-        return;
+-    }
+-    opc = tcg_const_i32(ctx->opcode);
+ 
+-    xt = gen_vsr_ptr(rD(ctx->opcode) + 32);
+-    xb = gen_vsr_ptr(rB(ctx->opcode) + 32);
+-    gen_helper_xscvqpdp(cpu_env, opc, xt, xb);
+-    tcg_temp_free_i32(opc);
++    REQUIRE_INSNS_FLAGS2(ctx, ISA300);
++    REQUIRE_VSX(ctx);
++
++    ro = tcg_const_i32(a->rc);
++
++    xt = gen_avr_ptr(a->rt);
++    xb = gen_avr_ptr(a->rb);
++    gen_helper_XSCVQPDP(cpu_env, ro, xt, xb);
++    tcg_temp_free_i32(ro);
+     tcg_temp_free_ptr(xt);
+     tcg_temp_free_ptr(xb);
++
++    return true;
+ }
+ 
+ #define GEN_VSX_HELPER_2(name, op1, op2, inval, type)                         \
+diff --git a/target/ppc/translate/vsx-ops.c.inc b/target/ppc/translate/vsx-ops.c.inc
+index f980bc1bae..c974324c4c 100644
+--- a/target/ppc/translate/vsx-ops.c.inc
++++ b/target/ppc/translate/vsx-ops.c.inc
+@@ -133,7 +133,6 @@ GEN_VSX_XFORM_300_EO(xsnabsqp, 0x04, 0x19, 0x08, 0x00000001),
+ GEN_VSX_XFORM_300_EO(xsnegqp, 0x04, 0x19, 0x10, 0x00000001),
+ GEN_VSX_XFORM_300(xscpsgnqp, 0x04, 0x03, 0x00000001),
+ GEN_VSX_XFORM_300_EO(xscvdpqp, 0x04, 0x1A, 0x16, 0x00000001),
+-GEN_VSX_XFORM_300_EO(xscvqpdp, 0x04, 0x1A, 0x14, 0x0),
+ GEN_VSX_XFORM_300_EO(xscvqpsdz, 0x04, 0x1A, 0x19, 0x00000001),
+ GEN_VSX_XFORM_300_EO(xscvqpswz, 0x04, 0x1A, 0x09, 0x00000001),
+ GEN_VSX_XFORM_300_EO(xscvqpudz, 0x04, 0x1A, 0x11, 0x00000001),
+-- 
+2.17.1
+
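Review bot: helper_XSCVQPDP now takes `uint32_t ro` in place of the full opcode, and trans_XSCVQPDP fills it from `a->rc`, but nothing in the patch documents that this bit selects float_round_to_odd; the only comment that hinted at the xscvqpdpo variant is deleted in the fpu_helper.c hunk. Add a comment on the helper or at `ro = tcg_const_i32(a->rc);`. The upper-case `DEF_HELPER_4(XSCVQPDP, ...)` also sits among lower-case neighbours in helper.h (xscvdpqp, xscvqpsdz), and with an empty commit body the reason for the rename is not recorded.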
diff --git a/meta/recipes-devtools/qemu/qemu/0015-target-ppc-ppc_store_fpscr-doesn-t-update-bits-0-to-.patch b/meta/recipes-devtools/qemu/qemu/0015-target-ppc-ppc_store_fpscr-doesn-t-update-bits-0-to-.patch
new file mode 100644
index 0000000000..5c5f972961
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0015-target-ppc-ppc_store_fpscr-doesn-t-update-bits-0-to-.patch
@@ -0,0 +1,70 @@
+From 7448ee811d86b18a7f7f59e20853bd852e548f59 Mon Sep 17 00:00:00 2001
+From: "Lucas Mateus Castro (alqotel)" <lucas.araujo@eldorado.org.br>
+Date: Fri, 17 Dec 2021 17:57:13 +0100
+Subject: [PATCH 15/21] target/ppc: ppc_store_fpscr doesn't update bits 0 to 28
+ and 52
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This commit fixes the difference reported in the bug in the reserved
+bit 52, it does this by adding this bit to the mask of bits to not be
+directly altered in the ppc_store_fpscr function (the hardware used to
+compare to QEMU was a Power9).
+
+The bits 0 to 27 were also added to the mask, as they are marked as
+reserved in the PowerISA and bit 28 is a reserved extension of the DRN
+field (bits 29:31) but can't be set using mtfsfi, while the other DRN
+bits may be set using mtfsfi instruction, so bit 28 was also added to
+the mask.
+
+Although this is a difference reported in the bug, since it's a reserved
+bit it may be a "don't care" case, as put in the bug report. Looking at
+the ISA it doesn't explicitly mention this bit can't be set, like it
+does for FEX and VX, so I'm unsure if this is necessary.
+
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/266
+
+Upstream-Status: Backport
+[https://git.qemu.org/?p=qemu.git;a=commit;h=25ee608d79c1890c0f4e8c495ec8629d5712de45]
+
+Signed-off-by: Lucas Mateus Castro (alqotel) <lucas.araujo@eldorado.org.br>
+Message-Id: <20211201163808.440385-4-lucas.araujo@eldorado.org.br>
+Signed-off-by: Cédric Le Goater <clg@kaod.org>
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+---
+ target/ppc/cpu.c | 2 +-
+ target/ppc/cpu.h | 4 ++++
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/target/ppc/cpu.c b/target/ppc/cpu.c
+index f933d9f2bd..d7b42bae52 100644
+--- a/target/ppc/cpu.c
++++ b/target/ppc/cpu.c
+@@ -112,7 +112,7 @@ static inline void fpscr_set_rounding_mode(CPUPPCState *env)
+ 
+ void ppc_store_fpscr(CPUPPCState *env, target_ulong val)
+ {
+-    val &= ~(FP_VX | FP_FEX);
++    val &= FPSCR_MTFS_MASK;
+     if (val & FPSCR_IX) {
+         val |= FP_VX;
+     }
+diff --git a/target/ppc/cpu.h b/target/ppc/cpu.h
+index e946da5f3a..441d3dce19 100644
+--- a/target/ppc/cpu.h
++++ b/target/ppc/cpu.h
+@@ -759,6 +759,10 @@ enum {
+                           FP_VXZDZ  | FP_VXIMZ  | FP_VXVC   | FP_VXSOFT | \
+                           FP_VXSQRT | FP_VXCVI)
+ 
++/* FPSCR bits that can be set by mtfsf, mtfsfi and mtfsb1 */
++#define FPSCR_MTFS_MASK (~(MAKE_64BIT_MASK(36, 28) | PPC_BIT(28) |        \
++                           FP_FEX | FP_VX | PPC_BIT(52)))
++
+ /*****************************************************************************/
+ /* Vector status and control register */
+ #define VSCR_NJ         16 /* Vector non-java */
+-- 
+2.17.1
+
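Review bot: FPSCR_MTFS_MASK mixes two bit-numbering conventions in one expression: `MAKE_64BIT_MASK(36, 28)` is a shift/length mask counted from the least significant bit, while `PPC_BIT(28)` and `PPC_BIT(52)` use the MSB-first numbering the commit message speaks in (bits 0 to 27, 28 and 52). Extend the comment above the macro to say which ISA bits each term covers so the mask can be checked against the message. The message also ends with the author saying they are unsure the change is necessary, so for a stable-branch backport the patch header should state which observable difference from the linked issue this fixes.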
diff --git a/meta/recipes-devtools/qemu/qemu/0016-target-ppc-Introduce-TRANS-FLAGS-macros.patch b/meta/recipes-devtools/qemu/qemu/0016-target-ppc-Introduce-TRANS-FLAGS-macros.patch
new file mode 100644
index 0000000000..3b651c0b3e
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0016-target-ppc-Introduce-TRANS-FLAGS-macros.patch
@@ -0,0 +1,133 @@
+From 232f979babccd6dfac40a54ee33521e652a0577c Mon Sep 17 00:00:00 2001
+From: Luis Pires <luis.pires@eldorado.org.br>
+Date: Wed, 2 Mar 2022 06:51:36 +0100
+Subject: [PATCH 16/21] target/ppc: Introduce TRANS*FLAGS macros
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+New macros that add FLAGS and FLAGS2 checking were added for
+both TRANS and TRANS64.
+
+Upstream-Status: Backport
+[https://git.qemu.org/?p=qemu.git;a=commit;h=19f0862dd8fa6510b2f5b3aff4859363602cd0cf]
+
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Signed-off-by: Luis Pires <luis.pires@eldorado.org.br>
+[ferst: - TRANS_FLAGS2 instead of TRANS_FLAGS_E
+        - Use the new macros in load/store vector insns ]
+Signed-off-by: Matheus Ferst <matheus.ferst@eldorado.org.br>
+Message-Id: <20220225210936.1749575-2-matheus.ferst@eldorado.org.br>
+Signed-off-by: Cédric Le Goater <clg@kaod.org>
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+---
+ target/ppc/translate.c              | 19 +++++++++++++++
+ target/ppc/translate/vsx-impl.c.inc | 37 ++++++++++-------------------
+ 2 files changed, 31 insertions(+), 25 deletions(-)
+
+diff --git a/target/ppc/translate.c b/target/ppc/translate.c
+index 9960df6e18..c12abc32f6 100644
+--- a/target/ppc/translate.c
++++ b/target/ppc/translate.c
+@@ -7377,10 +7377,29 @@ static int times_16(DisasContext *ctx, int x)
+ #define TRANS(NAME, FUNC, ...) \
+     static bool trans_##NAME(DisasContext *ctx, arg_##NAME *a) \
+     { return FUNC(ctx, a, __VA_ARGS__); }
++#define TRANS_FLAGS(FLAGS, NAME, FUNC, ...) \
++    static bool trans_##NAME(DisasContext *ctx, arg_##NAME *a) \
++    {                                                          \
++        REQUIRE_INSNS_FLAGS(ctx, FLAGS);                       \
++        return FUNC(ctx, a, __VA_ARGS__);                      \
++    }
++#define TRANS_FLAGS2(FLAGS2, NAME, FUNC, ...) \
++    static bool trans_##NAME(DisasContext *ctx, arg_##NAME *a) \
++    {                                                          \
++        REQUIRE_INSNS_FLAGS2(ctx, FLAGS2);                     \
++        return FUNC(ctx, a, __VA_ARGS__);                      \
++    }
+ 
+ #define TRANS64(NAME, FUNC, ...) \
+     static bool trans_##NAME(DisasContext *ctx, arg_##NAME *a) \
+     { REQUIRE_64BIT(ctx); return FUNC(ctx, a, __VA_ARGS__); }
++#define TRANS64_FLAGS2(FLAGS2, NAME, FUNC, ...) \
++    static bool trans_##NAME(DisasContext *ctx, arg_##NAME *a) \
++    {                                                          \
++        REQUIRE_64BIT(ctx);                                    \
++        REQUIRE_INSNS_FLAGS2(ctx, FLAGS2);                     \
++        return FUNC(ctx, a, __VA_ARGS__);                      \
++    }
+ 
+ /* TODO: More TRANS* helpers for extra insn_flags checks. */
+ 
+diff --git a/target/ppc/translate/vsx-impl.c.inc b/target/ppc/translate/vsx-impl.c.inc
+index c08185e857..99c8a57e50 100644
+--- a/target/ppc/translate/vsx-impl.c.inc
++++ b/target/ppc/translate/vsx-impl.c.inc
+@@ -2070,12 +2070,6 @@ static bool do_lstxv(DisasContext *ctx, int ra, TCGv displ,
+ 
+ static bool do_lstxv_D(DisasContext *ctx, arg_D *a, bool store, bool paired)
+ {
+-    if (paired) {
+-        REQUIRE_INSNS_FLAGS2(ctx, ISA310);
+-    } else {
+-        REQUIRE_INSNS_FLAGS2(ctx, ISA300);
+-    }
+-
+     if (paired || a->rt >= 32) {
+         REQUIRE_VSX(ctx);
+     } else {
+@@ -2089,7 +2083,6 @@ static bool do_lstxv_PLS_D(DisasContext *ctx, arg_PLS_D *a,
+                            bool store, bool paired)
+ {
+     arg_D d;
+-    REQUIRE_INSNS_FLAGS2(ctx, ISA310);
+     REQUIRE_VSX(ctx);
+ 
+     if (!resolve_PLS_D(ctx, &d, a)) {
+@@ -2101,12 +2094,6 @@ static bool do_lstxv_PLS_D(DisasContext *ctx, arg_PLS_D *a,
+ 
+ static bool do_lstxv_X(DisasContext *ctx, arg_X *a, bool store, bool paired)
+ {
+-    if (paired) {
+-        REQUIRE_INSNS_FLAGS2(ctx, ISA310);
+-    } else {
+-        REQUIRE_INSNS_FLAGS2(ctx, ISA300);
+-    }
+-
+     if (paired || a->rt >= 32) {
+         REQUIRE_VSX(ctx);
+     } else {
+@@ -2116,18 +2103,18 @@ static bool do_lstxv_X(DisasContext *ctx, arg_X *a, bool store, bool paired)
+     return do_lstxv(ctx, a->ra, cpu_gpr[a->rb], a->rt, store, paired);
+ }
+ 
+-TRANS(STXV, do_lstxv_D, true, false)
+-TRANS(LXV, do_lstxv_D, false, false)
+-TRANS(STXVP, do_lstxv_D, true, true)
+-TRANS(LXVP, do_lstxv_D, false, true)
+-TRANS(STXVX, do_lstxv_X, true, false)
+-TRANS(LXVX, do_lstxv_X, false, false)
+-TRANS(STXVPX, do_lstxv_X, true, true)
+-TRANS(LXVPX, do_lstxv_X, false, true)
+-TRANS64(PSTXV, do_lstxv_PLS_D, true, false)
+-TRANS64(PLXV, do_lstxv_PLS_D, false, false)
+-TRANS64(PSTXVP, do_lstxv_PLS_D, true, true)
+-TRANS64(PLXVP, do_lstxv_PLS_D, false, true)
++TRANS_FLAGS2(ISA300, STXV, do_lstxv_D, true, false)
++TRANS_FLAGS2(ISA300, LXV, do_lstxv_D, false, false)
++TRANS_FLAGS2(ISA310, STXVP, do_lstxv_D, true, true)
++TRANS_FLAGS2(ISA310, LXVP, do_lstxv_D, false, true)
++TRANS_FLAGS2(ISA300, STXVX, do_lstxv_X, true, false)
++TRANS_FLAGS2(ISA300, LXVX, do_lstxv_X, false, false)
++TRANS_FLAGS2(ISA310, STXVPX, do_lstxv_X, true, true)
++TRANS_FLAGS2(ISA310, LXVPX, do_lstxv_X, false, true)
++TRANS64_FLAGS2(ISA310, PSTXV, do_lstxv_PLS_D, true, false)
++TRANS64_FLAGS2(ISA310, PLXV, do_lstxv_PLS_D, false, false)
++TRANS64_FLAGS2(ISA310, PSTXVP, do_lstxv_PLS_D, true, true)
++TRANS64_FLAGS2(ISA310, PLXVP, do_lstxv_PLS_D, false, true)
+ 
+ static void gen_xxblendv_vec(unsigned vece, TCGv_vec t, TCGv_vec a, TCGv_vec b,
+                              TCGv_vec c)
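Review bot: with the `if (paired)` checks removed from `do_lstxv_D` and `do_lstxv_X`, the ISA level and the `paired` argument are now given independently on each `TRANS_FLAGS2` line and nothing keeps them in agreement. The twelve lines here do match the removed logic (ISA310 wherever `paired` is true or the prefixed PLS_D form is used, ISA300 otherwise), but a short comment on the `do_lstxv_*` helpers saying that the instruction-flags check is the caller's responsibility would stop a later plain `TRANS()` user from silently losing it.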
+-- 
+2.17.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/0017-target-ppc-Implement-Vector-Expand-Mask.patch b/meta/recipes-devtools/qemu/qemu/0017-target-ppc-Implement-Vector-Expand-Mask.patch
new file mode 100644
index 0000000000..6d6d6b86ed
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0017-target-ppc-Implement-Vector-Expand-Mask.patch
@@ -0,0 +1,105 @@
+From 4c6a16c2bcdd14249eef876d3d029c445716fb13 Mon Sep 17 00:00:00 2001
+From: Matheus Ferst <matheus.ferst@eldorado.org.br>
+Date: Fri, 17 Dec 2021 17:57:13 +0100
+Subject: [PATCH 17/21] target/ppc: Implement Vector Expand Mask
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Implement the following PowerISA v3.1 instructions:
+vexpandbm: Vector Expand Byte Mask
+vexpandhm: Vector Expand Halfword Mask
+vexpandwm: Vector Expand Word Mask
+vexpanddm: Vector Expand Doubleword Mask
+vexpandqm: Vector Expand Quadword Mask
+
+Upstream-Status: Backport
+[https://git.qemu.org/?p=qemu.git;a=commit;h=5f1470b091007f24035d6d33149df49a6dd61682]
+
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Signed-off-by: Matheus Ferst <matheus.ferst@eldorado.org.br>
+Message-Id: <20211203194229.746275-2-matheus.ferst@eldorado.org.br>
+Signed-off-by: Cédric Le Goater <clg@kaod.org>
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+---
+ target/ppc/insn32.decode            | 11 ++++++++++
+ target/ppc/translate/vmx-impl.c.inc | 34 +++++++++++++++++++++++++++++
+ 2 files changed, 45 insertions(+)
+
+diff --git a/target/ppc/insn32.decode b/target/ppc/insn32.decode
+index fd6bb13fa0..e032251c74 100644
+--- a/target/ppc/insn32.decode
++++ b/target/ppc/insn32.decode
+@@ -56,6 +56,9 @@
+ &VX_uim4        vrt uim vrb
+ @VX_uim4        ...... vrt:5 . uim:4 vrb:5 ...........  &VX_uim4
+ 
++&VX_tb          vrt vrb
++@VX_tb          ...... vrt:5 ..... vrb:5 ...........    &VX_tb
++
+ &X              rt ra rb
+ @X              ...... rt:5 ra:5 rb:5 .......... .      &X
+ 
+@@ -412,6 +415,14 @@ VINSWVRX        000100 ..... ..... ..... 00110001111    @VX
+ VSLDBI          000100 ..... ..... ..... 00 ... 010110  @VN
+ VSRDBI          000100 ..... ..... ..... 01 ... 010110  @VN
+ 
++## Vector Mask Manipulation Instructions
++
++VEXPANDBM       000100 ..... 00000 ..... 11001000010    @VX_tb
++VEXPANDHM       000100 ..... 00001 ..... 11001000010    @VX_tb
++VEXPANDWM       000100 ..... 00010 ..... 11001000010    @VX_tb
++VEXPANDDM       000100 ..... 00011 ..... 11001000010    @VX_tb
++VEXPANDQM       000100 ..... 00100 ..... 11001000010    @VX_tb
++
+ # VSX Load/Store Instructions
+ 
+ LXV             111101 ..... ..... ............ . 001   @DQ_TSX
+diff --git a/target/ppc/translate/vmx-impl.c.inc b/target/ppc/translate/vmx-impl.c.inc
+index 8eb8d3a067..ebb0484323 100644
+--- a/target/ppc/translate/vmx-impl.c.inc
++++ b/target/ppc/translate/vmx-impl.c.inc
+@@ -1491,6 +1491,40 @@ static bool trans_VSRDBI(DisasContext *ctx, arg_VN *a)
+     return true;
+ }
+ 
++static bool do_vexpand(DisasContext *ctx, arg_VX_tb *a, unsigned vece)
++{
++    REQUIRE_INSNS_FLAGS2(ctx, ISA310);
++    REQUIRE_VECTOR(ctx);
++
++    tcg_gen_gvec_sari(vece, avr_full_offset(a->vrt), avr_full_offset(a->vrb),
++                      (8 << vece) - 1, 16, 16);
++
++    return true;
++}
++
++TRANS(VEXPANDBM, do_vexpand, MO_8)
++TRANS(VEXPANDHM, do_vexpand, MO_16)
++TRANS(VEXPANDWM, do_vexpand, MO_32)
++TRANS(VEXPANDDM, do_vexpand, MO_64)
++
++static bool trans_VEXPANDQM(DisasContext *ctx, arg_VX_tb *a)
++{
++    TCGv_i64 tmp;
++
++    REQUIRE_INSNS_FLAGS2(ctx, ISA310);
++    REQUIRE_VECTOR(ctx);
++
++    tmp = tcg_temp_new_i64();
++
++    get_avr64(tmp, a->vrb, true);
++    tcg_gen_sari_i64(tmp, tmp, 63);
++    set_avr64(a->vrt, tmp, false);
++    set_avr64(a->vrt, tmp, true);
++
++    tcg_temp_free_i64(tmp);
++    return true;
++}
++
+ #define GEN_VAFORM_PAIRED(name0, name1, opc2)                           \
+ static void glue(gen_, name0##_##name1)(DisasContext *ctx)              \
+     {                                                                   \
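Review bot: the `tcg_gen_gvec_sari` call in `do_vexpand` passes `(8 << vece) - 1, 16, 16` with no explanation; a comment saying that the shift count is the element width minus one (replicating each element's sign bit) and that the two 16s are the operation and maximum sizes in bytes would make it reviewable without looking up the gvec signature. `trans_VEXPANDQM` would likewise benefit from a note that only the high doubleword is read because the quadword's mask bit is its most significant bit. Both functions open-code `REQUIRE_INSNS_FLAGS2(ctx, ISA310)` although the translate.c change earlier in this series adds `TRANS_FLAGS2` for exactly that; keeping the backport identical to upstream is a fair reason to leave it, but it is worth stating.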
+-- 
+2.17.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/0018-target-ppc-Implement-Vector-Extract-Mask.patch b/meta/recipes-devtools/qemu/qemu/0018-target-ppc-Implement-Vector-Extract-Mask.patch
new file mode 100644
index 0000000000..57450c6fb7
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0018-target-ppc-Implement-Vector-Extract-Mask.patch
@@ -0,0 +1,141 @@
+From 2dc8450e80b82c481904570dce789843b031db13 Mon Sep 17 00:00:00 2001
+From: Matheus Ferst <matheus.ferst@eldorado.org.br>
+Date: Fri, 17 Dec 2021 17:57:13 +0100
+Subject: [PATCH 18/21] target/ppc: Implement Vector Extract Mask
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Implement the following PowerISA v3.1 instructions:
+vextractbm: Vector Extract Byte Mask
+vextracthm: Vector Extract Halfword Mask
+vextractwm: Vector Extract Word Mask
+vextractdm: Vector Extract Doubleword Mask
+vextractqm: Vector Extract Quadword Mask
+
+Upstream-Status: Backport
+[https://git.qemu.org/?p=qemu.git;a=commit;h=17868d81e0074905b2c1e414af6618570e8059eb]
+
+Signed-off-by: Matheus Ferst <matheus.ferst@eldorado.org.br>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-Id: <20211203194229.746275-3-matheus.ferst@eldorado.org.br>
+Signed-off-by: Cédric Le Goater <clg@kaod.org>
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+---
+ target/ppc/insn32.decode            |  6 +++
+ target/ppc/translate/vmx-impl.c.inc | 82 +++++++++++++++++++++++++++++
+ 2 files changed, 88 insertions(+)
+
+diff --git a/target/ppc/insn32.decode b/target/ppc/insn32.decode
+index e032251c74..b0568b1356 100644
+--- a/target/ppc/insn32.decode
++++ b/target/ppc/insn32.decode
+@@ -423,6 +423,12 @@ VEXPANDWM       000100 ..... 00010 ..... 11001000010    @VX_tb
+ VEXPANDDM       000100 ..... 00011 ..... 11001000010    @VX_tb
+ VEXPANDQM       000100 ..... 00100 ..... 11001000010    @VX_tb
+ 
++VEXTRACTBM      000100 ..... 01000 ..... 11001000010    @VX_tb
++VEXTRACTHM      000100 ..... 01001 ..... 11001000010    @VX_tb
++VEXTRACTWM      000100 ..... 01010 ..... 11001000010    @VX_tb
++VEXTRACTDM      000100 ..... 01011 ..... 11001000010    @VX_tb
++VEXTRACTQM      000100 ..... 01100 ..... 11001000010    @VX_tb
++
+ # VSX Load/Store Instructions
+ 
+ LXV             111101 ..... ..... ............ . 001   @DQ_TSX
+diff --git a/target/ppc/translate/vmx-impl.c.inc b/target/ppc/translate/vmx-impl.c.inc
+index ebb0484323..96c97bf6e7 100644
+--- a/target/ppc/translate/vmx-impl.c.inc
++++ b/target/ppc/translate/vmx-impl.c.inc
+@@ -1525,6 +1525,88 @@ static bool trans_VEXPANDQM(DisasContext *ctx, arg_VX_tb *a)
+     return true;
+ }
+ 
++static bool do_vextractm(DisasContext *ctx, arg_VX_tb *a, unsigned vece)
++{
++    const uint64_t elem_width = 8 << vece, elem_count_half = 8 >> vece,
++                   mask = dup_const(vece, 1 << (elem_width - 1));
++    uint64_t i, j;
++    TCGv_i64 lo, hi, t0, t1;
++
++    REQUIRE_INSNS_FLAGS2(ctx, ISA310);
++    REQUIRE_VECTOR(ctx);
++
++    hi = tcg_temp_new_i64();
++    lo = tcg_temp_new_i64();
++    t0 = tcg_temp_new_i64();
++    t1 = tcg_temp_new_i64();
++
++    get_avr64(lo, a->vrb, false);
++    get_avr64(hi, a->vrb, true);
++
++    tcg_gen_andi_i64(lo, lo, mask);
++    tcg_gen_andi_i64(hi, hi, mask);
++
++    /*
++     * Gather the most significant bit of each element in the highest element
++     * element. E.g. for bytes:
++     * aXXXXXXXbXXXXXXXcXXXXXXXdXXXXXXXeXXXXXXXfXXXXXXXgXXXXXXXhXXXXXXX
++     *     & dup(1 << (elem_width - 1))
++     * a0000000b0000000c0000000d0000000e0000000f0000000g0000000h0000000
++     *     << 32 - 4
++     * 0000e0000000f0000000g0000000h00000000000000000000000000000000000
++     *     |
++     * a000e000b000f000c000g000d000h000e0000000f0000000g0000000h0000000
++     *     << 16 - 2
++     * 00c000g000d000h000e0000000f0000000g0000000h000000000000000000000
++     *     |
++     * a0c0e0g0b0d0f0h0c0e0g000d0f0h000e0g00000f0h00000g0000000h0000000
++     *     << 8 - 1
++     * 0b0d0f0h0c0e0g000d0f0h000e0g00000f0h00000g0000000h00000000000000
++     *     |
++     * abcdefghbcdefgh0cdefgh00defgh000efgh0000fgh00000gh000000h0000000
++     */
++    for (i = elem_count_half / 2, j = 32; i > 0; i >>= 1, j >>= 1) {
++        tcg_gen_shli_i64(t0, hi, j - i);
++        tcg_gen_shli_i64(t1, lo, j - i);
++        tcg_gen_or_i64(hi, hi, t0);
++        tcg_gen_or_i64(lo, lo, t1);
++    }
++
++    tcg_gen_shri_i64(hi, hi, 64 - elem_count_half);
++    tcg_gen_extract2_i64(lo, lo, hi, 64 - elem_count_half);
++    tcg_gen_trunc_i64_tl(cpu_gpr[a->vrt], lo);
++
++    tcg_temp_free_i64(hi);
++    tcg_temp_free_i64(lo);
++    tcg_temp_free_i64(t0);
++    tcg_temp_free_i64(t1);
++
++    return true;
++}
++
++TRANS(VEXTRACTBM, do_vextractm, MO_8)
++TRANS(VEXTRACTHM, do_vextractm, MO_16)
++TRANS(VEXTRACTWM, do_vextractm, MO_32)
++TRANS(VEXTRACTDM, do_vextractm, MO_64)
++
++static bool trans_VEXTRACTQM(DisasContext *ctx, arg_VX_tb *a)
++{
++    TCGv_i64 tmp;
++
++    REQUIRE_INSNS_FLAGS2(ctx, ISA310);
++    REQUIRE_VECTOR(ctx);
++
++    tmp = tcg_temp_new_i64();
++
++    get_avr64(tmp, a->vrb, true);
++    tcg_gen_shri_i64(tmp, tmp, 63);
++    tcg_gen_trunc_i64_tl(cpu_gpr[a->vrt], tmp);
++
++    tcg_temp_free_i64(tmp);
++
++    return true;
++}
++
+ #define GEN_VAFORM_PAIRED(name0, name1, opc2)                           \
+ static void glue(gen_, name0##_##name1)(DisasContext *ctx)              \
+     {                                                                   \
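Review bot: in the `do_vextractm` initializer, `mask = dup_const(vece, 1 << (elem_width - 1))` shifts the `int` constant `1`, so the expression has type `int` regardless of `elem_width` being `uint64_t`. For `TRANS(VEXTRACTDM, do_vextractm, MO_64)` the shift count is 63, which is out of range for `int`, and for MO_32 the shift lands in the sign bit. Writing `1ULL << (elem_width - 1)` avoids both. Separately, the block comment reads "in the highest element" followed by a stray "element" on the next line, and the destination is indexed as `cpu_gpr[a->vrt]` although the `VX_tb` field is named for a vector register; a brief comment that the target is a GPR here would help.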
+-- 
+2.17.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/0019-target-ppc-Implement-Vector-Mask-Move-insns.patch b/meta/recipes-devtools/qemu/qemu/0019-target-ppc-Implement-Vector-Mask-Move-insns.patch
new file mode 100644
index 0000000000..96fda98771
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0019-target-ppc-Implement-Vector-Mask-Move-insns.patch
@@ -0,0 +1,187 @@
+From 4d5202aad706fd338646d19aafbf255c3864333c Mon Sep 17 00:00:00 2001
+From: Matheus Ferst <matheus.ferst@eldorado.org.br>
+Date: Fri, 17 Dec 2021 17:57:13 +0100
+Subject: [PATCH 19/21] target/ppc: Implement Vector Mask Move insns
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Implement the following PowerISA v3.1 instructions:
+mtvsrbm: Move to VSR Byte Mask
+mtvsrhm: Move to VSR Halfword Mask
+mtvsrwm: Move to VSR Word Mask
+mtvsrdm: Move to VSR Doubleword Mask
+mtvsrqm: Move to VSR Quadword Mask
+mtvsrbmi: Move to VSR Byte Mask Immediate
+
+Upstream-Status: Backport
+[https://git.qemu.org/?p=qemu.git;a=commit;h=9193eaa901c54dbff4a91ea0b12a99e0135dbca1]
+
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Signed-off-by: Matheus Ferst <matheus.ferst@eldorado.org.br>
+Message-Id: <20211203194229.746275-4-matheus.ferst@eldorado.org.br>
+Signed-off-by: Cédric Le Goater <clg@kaod.org>
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+---
+ target/ppc/insn32.decode            |  11 +++
+ target/ppc/translate/vmx-impl.c.inc | 115 ++++++++++++++++++++++++++++
+ 2 files changed, 126 insertions(+)
+
+diff --git a/target/ppc/insn32.decode b/target/ppc/insn32.decode
+index b0568b1356..8bdc059a4c 100644
+--- a/target/ppc/insn32.decode
++++ b/target/ppc/insn32.decode
+@@ -40,6 +40,10 @@
+ %ds_rtp         22:4   !function=times_2
+ @DS_rtp         ...... ....0 ra:5 .............. ..             &D rt=%ds_rtp si=%ds_si
+ 
++&DX_b           vrt b
++%dx_b           6:10 16:5 0:1
++@DX_b           ...... vrt:5  ..... .......... ..... .          &DX_b b=%dx_b
++
+ &DX             rt d
+ %dx_d           6:s10 16:5 0:1
+ @DX             ...... rt:5  ..... .......... ..... .   &DX d=%dx_d
+@@ -417,6 +421,13 @@ VSRDBI          000100 ..... ..... ..... 01 ... 010110  @VN
+ 
+ ## Vector Mask Manipulation Instructions
+ 
++MTVSRBM         000100 ..... 10000 ..... 11001000010    @VX_tb
++MTVSRHM         000100 ..... 10001 ..... 11001000010    @VX_tb
++MTVSRWM         000100 ..... 10010 ..... 11001000010    @VX_tb
++MTVSRDM         000100 ..... 10011 ..... 11001000010    @VX_tb
++MTVSRQM         000100 ..... 10100 ..... 11001000010    @VX_tb
++MTVSRBMI        000100 ..... ..... .......... 01010 .   @DX_b
++
+ VEXPANDBM       000100 ..... 00000 ..... 11001000010    @VX_tb
+ VEXPANDHM       000100 ..... 00001 ..... 11001000010    @VX_tb
+ VEXPANDWM       000100 ..... 00010 ..... 11001000010    @VX_tb
+diff --git a/target/ppc/translate/vmx-impl.c.inc b/target/ppc/translate/vmx-impl.c.inc
+index 96c97bf6e7..d5e02fd7f2 100644
+--- a/target/ppc/translate/vmx-impl.c.inc
++++ b/target/ppc/translate/vmx-impl.c.inc
+@@ -1607,6 +1607,121 @@ static bool trans_VEXTRACTQM(DisasContext *ctx, arg_VX_tb *a)
+     return true;
+ }
+ 
++static bool do_mtvsrm(DisasContext *ctx, arg_VX_tb *a, unsigned vece)
++{
++    const uint64_t elem_width = 8 << vece, elem_count_half = 8 >> vece;
++    uint64_t c;
++    int i, j;
++    TCGv_i64 hi, lo, t0, t1;
++
++    REQUIRE_INSNS_FLAGS2(ctx, ISA310);
++    REQUIRE_VECTOR(ctx);
++
++    hi = tcg_temp_new_i64();
++    lo = tcg_temp_new_i64();
++    t0 = tcg_temp_new_i64();
++    t1 = tcg_temp_new_i64();
++
++    tcg_gen_extu_tl_i64(t0, cpu_gpr[a->vrb]);
++    tcg_gen_extract_i64(hi, t0, elem_count_half, elem_count_half);
++    tcg_gen_extract_i64(lo, t0, 0, elem_count_half);
++
++    /*
++     * Spread the bits into their respective elements.
++     * E.g. for bytes:
++     * 00000000000000000000000000000000000000000000000000000000abcdefgh
++     *   << 32 - 4
++     * 0000000000000000000000000000abcdefgh0000000000000000000000000000
++     *   |
++     * 0000000000000000000000000000abcdefgh00000000000000000000abcdefgh
++     *   << 16 - 2
++     * 00000000000000abcdefgh00000000000000000000abcdefgh00000000000000
++     *   |
++     * 00000000000000abcdefgh000000abcdefgh000000abcdefgh000000abcdefgh
++     *   << 8 - 1
++     * 0000000abcdefgh000000abcdefgh000000abcdefgh000000abcdefgh0000000
++     *   |
++     * 0000000abcdefgXbcdefgXbcdefgXbcdefgXbcdefgXbcdefgXbcdefgXbcdefgh
++     *   & dup(1)
++     * 0000000a0000000b0000000c0000000d0000000e0000000f0000000g0000000h
++     *   * 0xff
++     * aaaaaaaabbbbbbbbccccccccddddddddeeeeeeeeffffffffgggggggghhhhhhhh
++     */
++    for (i = elem_count_half / 2, j = 32; i > 0; i >>= 1, j >>= 1) {
++        tcg_gen_shli_i64(t0, hi, j - i);
++        tcg_gen_shli_i64(t1, lo, j - i);
++        tcg_gen_or_i64(hi, hi, t0);
++        tcg_gen_or_i64(lo, lo, t1);
++    }
++
++    c = dup_const(vece, 1);
++    tcg_gen_andi_i64(hi, hi, c);
++    tcg_gen_andi_i64(lo, lo, c);
++
++    c = MAKE_64BIT_MASK(0, elem_width);
++    tcg_gen_muli_i64(hi, hi, c);
++    tcg_gen_muli_i64(lo, lo, c);
++
++    set_avr64(a->vrt, lo, false);
++    set_avr64(a->vrt, hi, true);
++
++    tcg_temp_free_i64(hi);
++    tcg_temp_free_i64(lo);
++    tcg_temp_free_i64(t0);
++    tcg_temp_free_i64(t1);
++
++    return true;
++}
++
++TRANS(MTVSRBM, do_mtvsrm, MO_8)
++TRANS(MTVSRHM, do_mtvsrm, MO_16)
++TRANS(MTVSRWM, do_mtvsrm, MO_32)
++TRANS(MTVSRDM, do_mtvsrm, MO_64)
++
++static bool trans_MTVSRQM(DisasContext *ctx, arg_VX_tb *a)
++{
++    TCGv_i64 tmp;
++
++    REQUIRE_INSNS_FLAGS2(ctx, ISA310);
++    REQUIRE_VECTOR(ctx);
++
++    tmp = tcg_temp_new_i64();
++
++    tcg_gen_ext_tl_i64(tmp, cpu_gpr[a->vrb]);
++    tcg_gen_sextract_i64(tmp, tmp, 0, 1);
++    set_avr64(a->vrt, tmp, false);
++    set_avr64(a->vrt, tmp, true);
++
++    tcg_temp_free_i64(tmp);
++
++    return true;
++}
++
++static bool trans_MTVSRBMI(DisasContext *ctx, arg_DX_b *a)
++{
++    const uint64_t mask = dup_const(MO_8, 1);
++    uint64_t hi, lo;
++
++    REQUIRE_INSNS_FLAGS2(ctx, ISA310);
++    REQUIRE_VECTOR(ctx);
++
++    hi = extract16(a->b, 8, 8);
++    lo = extract16(a->b, 0, 8);
++
++    for (int i = 4, j = 32; i > 0; i >>= 1, j >>= 1) {
++        hi |= hi << (j - i);
++        lo |= lo << (j - i);
++    }
++
++    hi = (hi & mask) * 0xFF;
++    lo = (lo & mask) * 0xFF;
++
++    set_avr64(a->vrt, tcg_constant_i64(hi), true);
++    set_avr64(a->vrt, tcg_constant_i64(lo), false);
++
++    return true;
++}
++
+ #define GEN_VAFORM_PAIRED(name0, name1, opc2)                           \
+ static void glue(gen_, name0##_##name1)(DisasContext *ctx)              \
+     {                                                                   \
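Review bot: `trans_MTVSRBMI` repeats the bit-spreading loop from `do_mtvsrm` on host integers with the byte-case constants hard-coded (`i = 4, j = 32`, then `* 0xFF`), and there is no comment tying them to `elem_count_half / 2` and `MAKE_64BIT_MASK(0, elem_width)` for MO_8. Either reference the diagram in `do_mtvsrm` from this function or move the host-side spread into a small helper, so the two copies cannot drift apart. A smaller point: `trans_MTVSRQM` widens the GPR with `tcg_gen_ext_tl_i64` while `do_mtvsrm` uses `tcg_gen_extu_tl_i64`; only bit 0 is consumed so the result is the same, but using one form in both places would read more clearly. The two functions also write the halves with `set_avr64` in opposite order (lo then hi, versus hi then lo).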
+-- 
+2.17.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/0020-target-ppc-move-xs-n-madd-am-ds-p-xs-n-msub-am-ds-p-.patch b/meta/recipes-devtools/qemu/qemu/0020-target-ppc-move-xs-n-madd-am-ds-p-xs-n-msub-am-ds-p-.patch
new file mode 100644
index 0000000000..7e747298a9
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0020-target-ppc-move-xs-n-madd-am-ds-p-xs-n-msub-am-ds-p-.patch
@@ -0,0 +1,258 @@
+From a3c7553efdec661a8f7d7dfc0c0618a35fab005c Mon Sep 17 00:00:00 2001
+From: Matheus Ferst <matheus.ferst@eldorado.org.br>
+Date: Wed, 2 Mar 2022 06:51:38 +0100
+Subject: [PATCH 20/21] target/ppc: move xs[n]madd[am][ds]p/xs[n]msub[am][ds]p
+ to decodetree
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Upstream-Status: Backport
+[https://git.qemu.org/?p=qemu.git;a=commit;h=e4318ab2e423c4caf9a88a4e99b5e234096b81a9]
+
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Signed-off-by: Matheus Ferst <matheus.ferst@eldorado.org.br>
+Message-Id: <20220225210936.1749575-37-matheus.ferst@eldorado.org.br>
+Signed-off-by: Cédric Le Goater <clg@kaod.org>
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+---
+ target/ppc/fpu_helper.c             | 23 ++++++------
+ target/ppc/helper.h                 | 16 ++++-----
+ target/ppc/insn32.decode            | 22 ++++++++++++
+ target/ppc/translate/vsx-impl.c.inc | 56 ++++++++++++++++++++++++-----
+ target/ppc/translate/vsx-ops.c.inc  | 16 ---------
+ 5 files changed, 90 insertions(+), 43 deletions(-)
+
+diff --git a/target/ppc/fpu_helper.c b/target/ppc/fpu_helper.c
+index 5cc7fb1dcb..853e5f6029 100644
+--- a/target/ppc/fpu_helper.c
++++ b/target/ppc/fpu_helper.c
+@@ -2036,10 +2036,11 @@ VSX_TSQRT(xvtsqrtsp, 4, float32, VsrW(i), -126, 23)
+  *   maddflgs - flags for the float*muladd routine that control the
+  *           various forms (madd, msub, nmadd, nmsub)
+  *   sfprf - set FPRF
++ *   r2sp  - round intermediate double precision result to single precision
+  */
+ #define VSX_MADD(op, nels, tp, fld, maddflgs, sfprf, r2sp)                    \
+ void helper_##op(CPUPPCState *env, ppc_vsr_t *xt,                             \
+-                 ppc_vsr_t *xa, ppc_vsr_t *b, ppc_vsr_t *c)                   \
++                 ppc_vsr_t *s1, ppc_vsr_t *s2, ppc_vsr_t *s3)                 \
+ {                                                                             \
+     ppc_vsr_t t = *xt;                                                        \
+     int i;                                                                    \
+@@ -2055,12 +2056,12 @@ void helper_##op(CPUPPCState *env, ppc_vsr_t *xt,                             \
+              * result to odd.                                                 \
+              */                                                               \
+             set_float_rounding_mode(float_round_to_zero, &tstat);             \
+-            t.fld = tp##_muladd(xa->fld, b->fld, c->fld,                      \
++            t.fld = tp##_muladd(s1->fld, s3->fld, s2->fld,                    \
+                                 maddflgs, &tstat);                            \
+             t.fld |= (get_float_exception_flags(&tstat) &                     \
+                       float_flag_inexact) != 0;                               \
+         } else {                                                              \
+-            t.fld = tp##_muladd(xa->fld, b->fld, c->fld,                      \
++            t.fld = tp##_muladd(s1->fld, s3->fld, s2->fld,                    \
+                                 maddflgs, &tstat);                            \
+         }                                                                     \
+         env->fp_status.float_exception_flags |= tstat.float_exception_flags;  \
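Review bot: both `tp##_muladd` calls change their operand order from `(xa->fld, b->fld, c->fld)` to `(s1->fld, s3->fld, s2->fld)`, and `VSX_MADD` is not only used by the scalar helpers renamed in this patch: the `xvmadddp`/`xvmsubdp` instantiations in the following context still go through it, and their translator side stays on `GEN_VSX_HELPER_VSX_MADD`, whose body this patch does not modify (only eight scalar instantiations are removed). Please confirm that generator passes its operands in the order the helper now expects; if it still passes the multiplicand third and the addend fourth, the vector A-form and M-form variants would compute with those two swapped. The parameter list in the macro comment should also gain a line saying that `s2` is the addend and `s3` the second multiplicand, since the names no longer carry that.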
+@@ -2082,14 +2083,14 @@ void helper_##op(CPUPPCState *env, ppc_vsr_t *xt,                             \
+     do_float_check_status(env, GETPC());                                      \
+ }
+ 
+-VSX_MADD(xsmadddp, 1, float64, VsrD(0), MADD_FLGS, 1, 0)
+-VSX_MADD(xsmsubdp, 1, float64, VsrD(0), MSUB_FLGS, 1, 0)
+-VSX_MADD(xsnmadddp, 1, float64, VsrD(0), NMADD_FLGS, 1, 0)
+-VSX_MADD(xsnmsubdp, 1, float64, VsrD(0), NMSUB_FLGS, 1, 0)
+-VSX_MADD(xsmaddsp, 1, float64, VsrD(0), MADD_FLGS, 1, 1)
+-VSX_MADD(xsmsubsp, 1, float64, VsrD(0), MSUB_FLGS, 1, 1)
+-VSX_MADD(xsnmaddsp, 1, float64, VsrD(0), NMADD_FLGS, 1, 1)
+-VSX_MADD(xsnmsubsp, 1, float64, VsrD(0), NMSUB_FLGS, 1, 1)
++VSX_MADD(XSMADDDP, 1, float64, VsrD(0), MADD_FLGS, 1, 0)
++VSX_MADD(XSMSUBDP, 1, float64, VsrD(0), MSUB_FLGS, 1, 0)
++VSX_MADD(XSNMADDDP, 1, float64, VsrD(0), NMADD_FLGS, 1, 0)
++VSX_MADD(XSNMSUBDP, 1, float64, VsrD(0), NMSUB_FLGS, 1, 0)
++VSX_MADD(XSMADDSP, 1, float64, VsrD(0), MADD_FLGS, 1, 1)
++VSX_MADD(XSMSUBSP, 1, float64, VsrD(0), MSUB_FLGS, 1, 1)
++VSX_MADD(XSNMADDSP, 1, float64, VsrD(0), NMADD_FLGS, 1, 1)
++VSX_MADD(XSNMSUBSP, 1, float64, VsrD(0), NMSUB_FLGS, 1, 1)
+ 
+ VSX_MADD(xvmadddp, 2, float64, VsrD(i), MADD_FLGS, 0, 0)
+ VSX_MADD(xvmsubdp, 2, float64, VsrD(i), MSUB_FLGS, 0, 0)
+diff --git a/target/ppc/helper.h b/target/ppc/helper.h
+index ef5bdd38a7..e147b37644 100644
+--- a/target/ppc/helper.h
++++ b/target/ppc/helper.h
+@@ -376,10 +376,10 @@ DEF_HELPER_3(xssqrtdp, void, env, vsr, vsr)
+ DEF_HELPER_3(xsrsqrtedp, void, env, vsr, vsr)
+ DEF_HELPER_4(xstdivdp, void, env, i32, vsr, vsr)
+ DEF_HELPER_3(xstsqrtdp, void, env, i32, vsr)
+-DEF_HELPER_5(xsmadddp, void, env, vsr, vsr, vsr, vsr)
+-DEF_HELPER_5(xsmsubdp, void, env, vsr, vsr, vsr, vsr)
+-DEF_HELPER_5(xsnmadddp, void, env, vsr, vsr, vsr, vsr)
+-DEF_HELPER_5(xsnmsubdp, void, env, vsr, vsr, vsr, vsr)
++DEF_HELPER_5(XSMADDDP, void, env, vsr, vsr, vsr, vsr)
++DEF_HELPER_5(XSMSUBDP, void, env, vsr, vsr, vsr, vsr)
++DEF_HELPER_5(XSNMADDDP, void, env, vsr, vsr, vsr, vsr)
++DEF_HELPER_5(XSNMSUBDP, void, env, vsr, vsr, vsr, vsr)
+ DEF_HELPER_4(xscmpeqdp, void, env, vsr, vsr, vsr)
+ DEF_HELPER_4(xscmpgtdp, void, env, vsr, vsr, vsr)
+ DEF_HELPER_4(xscmpgedp, void, env, vsr, vsr, vsr)
+@@ -439,10 +439,10 @@ DEF_HELPER_3(xsresp, void, env, vsr, vsr)
+ DEF_HELPER_2(xsrsp, i64, env, i64)
+ DEF_HELPER_3(xssqrtsp, void, env, vsr, vsr)
+ DEF_HELPER_3(xsrsqrtesp, void, env, vsr, vsr)
+-DEF_HELPER_5(xsmaddsp, void, env, vsr, vsr, vsr, vsr)
+-DEF_HELPER_5(xsmsubsp, void, env, vsr, vsr, vsr, vsr)
+-DEF_HELPER_5(xsnmaddsp, void, env, vsr, vsr, vsr, vsr)
+-DEF_HELPER_5(xsnmsubsp, void, env, vsr, vsr, vsr, vsr)
++DEF_HELPER_5(XSMADDSP, void, env, vsr, vsr, vsr, vsr)
++DEF_HELPER_5(XSMSUBSP, void, env, vsr, vsr, vsr, vsr)
++DEF_HELPER_5(XSNMADDSP, void, env, vsr, vsr, vsr, vsr)
++DEF_HELPER_5(XSNMSUBSP, void, env, vsr, vsr, vsr, vsr)
+ 
+ DEF_HELPER_4(xvadddp, void, env, vsr, vsr, vsr)
+ DEF_HELPER_4(xvsubdp, void, env, vsr, vsr, vsr)
+diff --git a/target/ppc/insn32.decode b/target/ppc/insn32.decode
+index 8bdc059a4c..0ff8818084 100644
+--- a/target/ppc/insn32.decode
++++ b/target/ppc/insn32.decode
+@@ -451,6 +451,28 @@ STXVX           011111 ..... ..... ..... 0110001100 .   @X_TSX
+ LXVPX           011111 ..... ..... ..... 0101001101 -   @X_TSXP
+ STXVPX          011111 ..... ..... ..... 0111001101 -   @X_TSXP
+ 
++## VSX Scalar Multiply-Add Instructions
++
++XSMADDADP       111100 ..... ..... ..... 00100001 . . . @XX3
++XSMADDMDP       111100 ..... ..... ..... 00101001 . . . @XX3
++XSMADDASP       111100 ..... ..... ..... 00000001 . . . @XX3
++XSMADDMSP       111100 ..... ..... ..... 00001001 . . . @XX3
++
++XSMSUBADP       111100 ..... ..... ..... 00110001 . . . @XX3
++XSMSUBMDP       111100 ..... ..... ..... 00111001 . . . @XX3
++XSMSUBASP       111100 ..... ..... ..... 00010001 . . . @XX3
++XSMSUBMSP       111100 ..... ..... ..... 00011001 . . . @XX3
++
++XSNMADDASP      111100 ..... ..... ..... 10000001 . . . @XX3
++XSNMADDMSP      111100 ..... ..... ..... 10001001 . . . @XX3
++XSNMADDADP      111100 ..... ..... ..... 10100001 . . . @XX3
++XSNMADDMDP      111100 ..... ..... ..... 10101001 . . . @XX3
++
++XSNMSUBASP      111100 ..... ..... ..... 10010001 . . . @XX3
++XSNMSUBMSP      111100 ..... ..... ..... 10011001 . . . @XX3
++XSNMSUBADP      111100 ..... ..... ..... 10110001 . . . @XX3
++XSNMSUBMDP      111100 ..... ..... ..... 10111001 . . . @XX3
++
+ ## VSX splat instruction
+ 
+ XXSPLTIB        111100 ..... 00 ........ 0101101000 .   @X_imm8
+diff --git a/target/ppc/translate/vsx-impl.c.inc b/target/ppc/translate/vsx-impl.c.inc
+index 99c8a57e50..90d3ac665b 100644
+--- a/target/ppc/translate/vsx-impl.c.inc
++++ b/target/ppc/translate/vsx-impl.c.inc
+@@ -1201,6 +1201,54 @@ GEN_VSX_HELPER_2(xvtstdcdp, 0x14, 0x1E, 0, PPC2_VSX)
+ GEN_VSX_HELPER_X3(xxperm, 0x08, 0x03, 0, PPC2_ISA300)
+ GEN_VSX_HELPER_X3(xxpermr, 0x08, 0x07, 0, PPC2_ISA300)
+ 
++static bool do_xsmadd(DisasContext *ctx, int tgt, int src1, int src2, int src3,
++        void (*gen_helper)(TCGv_ptr, TCGv_ptr, TCGv_ptr, TCGv_ptr, TCGv_ptr))
++{
++    TCGv_ptr t, s1, s2, s3;
++
++    t = gen_vsr_ptr(tgt);
++    s1 = gen_vsr_ptr(src1);
++    s2 = gen_vsr_ptr(src2);
++    s3 = gen_vsr_ptr(src3);
++
++    gen_helper(cpu_env, t, s1, s2, s3);
++
++    tcg_temp_free_ptr(t);
++    tcg_temp_free_ptr(s1);
++    tcg_temp_free_ptr(s2);
++    tcg_temp_free_ptr(s3);
++
++    return true;
++}
++
++static bool do_xsmadd_XX3(DisasContext *ctx, arg_XX3 *a, bool type_a,
++        void (*gen_helper)(TCGv_ptr, TCGv_ptr, TCGv_ptr, TCGv_ptr, TCGv_ptr))
++{
++    REQUIRE_VSX(ctx);
++
++    if (type_a) {
++        return do_xsmadd(ctx, a->xt, a->xa, a->xt, a->xb, gen_helper);
++    }
++    return do_xsmadd(ctx, a->xt, a->xa, a->xb, a->xt, gen_helper);
++}
++
++TRANS_FLAGS2(VSX, XSMADDADP, do_xsmadd_XX3, true, gen_helper_XSMADDDP)
++TRANS_FLAGS2(VSX, XSMADDMDP, do_xsmadd_XX3, false, gen_helper_XSMADDDP)
++TRANS_FLAGS2(VSX, XSMSUBADP, do_xsmadd_XX3, true, gen_helper_XSMSUBDP)
++TRANS_FLAGS2(VSX, XSMSUBMDP, do_xsmadd_XX3, false, gen_helper_XSMSUBDP)
++TRANS_FLAGS2(VSX, XSNMADDADP, do_xsmadd_XX3, true, gen_helper_XSNMADDDP)
++TRANS_FLAGS2(VSX, XSNMADDMDP, do_xsmadd_XX3, false, gen_helper_XSNMADDDP)
++TRANS_FLAGS2(VSX, XSNMSUBADP, do_xsmadd_XX3, true, gen_helper_XSNMSUBDP)
++TRANS_FLAGS2(VSX, XSNMSUBMDP, do_xsmadd_XX3, false, gen_helper_XSNMSUBDP)
++TRANS_FLAGS2(VSX207, XSMADDASP, do_xsmadd_XX3, true, gen_helper_XSMADDSP)
++TRANS_FLAGS2(VSX207, XSMADDMSP, do_xsmadd_XX3, false, gen_helper_XSMADDSP)
++TRANS_FLAGS2(VSX207, XSMSUBASP, do_xsmadd_XX3, true, gen_helper_XSMSUBSP)
++TRANS_FLAGS2(VSX207, XSMSUBMSP, do_xsmadd_XX3, false, gen_helper_XSMSUBSP)
++TRANS_FLAGS2(VSX207, XSNMADDASP, do_xsmadd_XX3, true, gen_helper_XSNMADDSP)
++TRANS_FLAGS2(VSX207, XSNMADDMSP, do_xsmadd_XX3, false, gen_helper_XSNMADDSP)
++TRANS_FLAGS2(VSX207, XSNMSUBASP, do_xsmadd_XX3, true, gen_helper_XSNMSUBSP)
++TRANS_FLAGS2(VSX207, XSNMSUBMSP, do_xsmadd_XX3, false, gen_helper_XSNMSUBSP)
++
+ #define GEN_VSX_HELPER_VSX_MADD(name, op1, aop, mop, inval, type)             \
+ static void gen_##name(DisasContext *ctx)                                     \
+ {                                                                             \
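Review bot: `do_xsmadd_XX3` selects the operand mapping from a bare `type_a` boolean with no comment, whereas the result depends entirely on it: `true` passes `(xa, xt, xb)` and `false` passes `(xa, xb, xt)`. A one-line comment on each branch giving the computed expression (A*B + T for the A-form, A*T + B for the M-form) would let the sixteen `TRANS_FLAGS2` lines be checked at a glance. The five-pointer helper signature is also spelled out in full in both `do_xsmadd` and `do_xsmadd_XX3`; a local typedef would shorten both prototypes, and `do_xsmadd` takes a `ctx` argument it never uses.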
+@@ -1231,14 +1279,6 @@ static void gen_##name(DisasContext *ctx)                                     \
+     tcg_temp_free_ptr(c);                                                     \
+ }
+ 
+-GEN_VSX_HELPER_VSX_MADD(xsmadddp, 0x04, 0x04, 0x05, 0, PPC2_VSX)
+-GEN_VSX_HELPER_VSX_MADD(xsmsubdp, 0x04, 0x06, 0x07, 0, PPC2_VSX)
+-GEN_VSX_HELPER_VSX_MADD(xsnmadddp, 0x04, 0x14, 0x15, 0, PPC2_VSX)
+-GEN_VSX_HELPER_VSX_MADD(xsnmsubdp, 0x04, 0x16, 0x17, 0, PPC2_VSX)
+-GEN_VSX_HELPER_VSX_MADD(xsmaddsp, 0x04, 0x00, 0x01, 0, PPC2_VSX207)
+-GEN_VSX_HELPER_VSX_MADD(xsmsubsp, 0x04, 0x02, 0x03, 0, PPC2_VSX207)
+-GEN_VSX_HELPER_VSX_MADD(xsnmaddsp, 0x04, 0x10, 0x11, 0, PPC2_VSX207)
+-GEN_VSX_HELPER_VSX_MADD(xsnmsubsp, 0x04, 0x12, 0x13, 0, PPC2_VSX207)
+ GEN_VSX_HELPER_VSX_MADD(xvmadddp, 0x04, 0x0C, 0x0D, 0, PPC2_VSX)
+ GEN_VSX_HELPER_VSX_MADD(xvmsubdp, 0x04, 0x0E, 0x0F, 0, PPC2_VSX)
+ GEN_VSX_HELPER_VSX_MADD(xvnmadddp, 0x04, 0x1C, 0x1D, 0, PPC2_VSX)
+diff --git a/target/ppc/translate/vsx-ops.c.inc b/target/ppc/translate/vsx-ops.c.inc
+index c974324c4c..ef0200eead 100644
+--- a/target/ppc/translate/vsx-ops.c.inc
++++ b/target/ppc/translate/vsx-ops.c.inc
+@@ -186,14 +186,6 @@ GEN_XX2FORM(xssqrtdp,  0x16, 0x04, PPC2_VSX),
+ GEN_XX2FORM(xsrsqrtedp,  0x14, 0x04, PPC2_VSX),
+ GEN_XX3FORM(xstdivdp,  0x14, 0x07, PPC2_VSX),
+ GEN_XX2FORM(xstsqrtdp,  0x14, 0x06, PPC2_VSX),
+-GEN_XX3FORM_NAME(xsmadddp, "xsmaddadp", 0x04, 0x04, PPC2_VSX),
+-GEN_XX3FORM_NAME(xsmadddp, "xsmaddmdp", 0x04, 0x05, PPC2_VSX),
+-GEN_XX3FORM_NAME(xsmsubdp, "xsmsubadp", 0x04, 0x06, PPC2_VSX),
+-GEN_XX3FORM_NAME(xsmsubdp, "xsmsubmdp", 0x04, 0x07, PPC2_VSX),
+-GEN_XX3FORM_NAME(xsnmadddp, "xsnmaddadp", 0x04, 0x14, PPC2_VSX),
+-GEN_XX3FORM_NAME(xsnmadddp, "xsnmaddmdp", 0x04, 0x15, PPC2_VSX),
+-GEN_XX3FORM_NAME(xsnmsubdp, "xsnmsubadp", 0x04, 0x16, PPC2_VSX),
+-GEN_XX3FORM_NAME(xsnmsubdp, "xsnmsubmdp", 0x04, 0x17, PPC2_VSX),
+ GEN_XX3FORM(xscmpeqdp, 0x0C, 0x00, PPC2_ISA300),
+ GEN_XX3FORM(xscmpgtdp, 0x0C, 0x01, PPC2_ISA300),
+ GEN_XX3FORM(xscmpgedp, 0x0C, 0x02, PPC2_ISA300),
+@@ -235,14 +227,6 @@ GEN_XX2FORM(xsresp,  0x14, 0x01, PPC2_VSX207),
+ GEN_XX2FORM(xsrsp, 0x12, 0x11, PPC2_VSX207),
+ GEN_XX2FORM(xssqrtsp,  0x16, 0x00, PPC2_VSX207),
+ GEN_XX2FORM(xsrsqrtesp,  0x14, 0x00, PPC2_VSX207),
+-GEN_XX3FORM_NAME(xsmaddsp, "xsmaddasp", 0x04, 0x00, PPC2_VSX207),
+-GEN_XX3FORM_NAME(xsmaddsp, "xsmaddmsp", 0x04, 0x01, PPC2_VSX207),
+-GEN_XX3FORM_NAME(xsmsubsp, "xsmsubasp", 0x04, 0x02, PPC2_VSX207),
+-GEN_XX3FORM_NAME(xsmsubsp, "xsmsubmsp", 0x04, 0x03, PPC2_VSX207),
+-GEN_XX3FORM_NAME(xsnmaddsp, "xsnmaddasp", 0x04, 0x10, PPC2_VSX207),
+-GEN_XX3FORM_NAME(xsnmaddsp, "xsnmaddmsp", 0x04, 0x11, PPC2_VSX207),
+-GEN_XX3FORM_NAME(xsnmsubsp, "xsnmsubasp", 0x04, 0x12, PPC2_VSX207),
+-GEN_XX3FORM_NAME(xsnmsubsp, "xsnmsubmsp", 0x04, 0x13, PPC2_VSX207),
+ GEN_XX2FORM(xscvsxdsp, 0x10, 0x13, PPC2_VSX207),
+ GEN_XX2FORM(xscvuxdsp, 0x10, 0x12, PPC2_VSX207),
+ 
+-- 
+2.17.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/0021-target-ppc-implement-xs-n-maddqp-o-xs-n-msubqp-o.patch b/meta/recipes-devtools/qemu/qemu/0021-target-ppc-implement-xs-n-maddqp-o-xs-n-msubqp-o.patch
new file mode 100644
index 0000000000..11d732ac13
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0021-target-ppc-implement-xs-n-maddqp-o-xs-n-msubqp-o.patch
@@ -0,0 +1,174 @@
+From 1c1f82fbf0a434948b041eb35c671137628d5538 Mon Sep 17 00:00:00 2001
+From: Matheus Ferst <matheus.ferst@eldorado.org.br>
+Date: Wed, 2 Mar 2022 06:51:38 +0100
+Subject: [PATCH 21/21] target/ppc: implement xs[n]maddqp[o]/xs[n]msubqp[o]
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Implement the following PowerISA v3.0 instuctions:
+xsmaddqp[o]: VSX Scalar Multiply-Add Quad-Precision [using round to Odd]
+xsmsubqp[o]: VSX Scalar Multiply-Subtract Quad-Precision [using round
+             to Odd]
+xsnmaddqp[o]: VSX Scalar Negative Multiply-Add Quad-Precision [using
+              round to Odd]
+xsnmsubqp[o]: VSX Scalar Negative Multiply-Subtract Quad-Precision
+              [using round to Odd]
+
+Upstream-Status: Backport
+[https://git.qemu.org/?p=qemu.git;a=commit;h=3bb1aed246d7b59ceee625a82628f7369d492a8f]
+
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Signed-off-by: Matheus Ferst <matheus.ferst@eldorado.org.br>
+Message-Id: <20220225210936.1749575-38-matheus.ferst@eldorado.org.br>
+Signed-off-by: Cédric Le Goater <clg@kaod.org>
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+---
+ target/ppc/fpu_helper.c             | 42 +++++++++++++++++++++++++++++
+ target/ppc/helper.h                 |  9 +++++++
+ target/ppc/insn32.decode            |  4 +++
+ target/ppc/translate/vsx-impl.c.inc | 25 +++++++++++++++++
+ 4 files changed, 80 insertions(+)
+
+diff --git a/target/ppc/fpu_helper.c b/target/ppc/fpu_helper.c
+index 853e5f6029..bdbbdb3b11 100644
+--- a/target/ppc/fpu_helper.c
++++ b/target/ppc/fpu_helper.c
+@@ -2102,6 +2102,48 @@ VSX_MADD(xvmsubsp, 4, float32, VsrW(i), MSUB_FLGS, 0, 0)
+ VSX_MADD(xvnmaddsp, 4, float32, VsrW(i), NMADD_FLGS, 0, 0)
+ VSX_MADD(xvnmsubsp, 4, float32, VsrW(i), NMSUB_FLGS, 0, 0)
+ 
++/*
++ * VSX_MADDQ - VSX floating point quad-precision muliply/add
++ *   op    - instruction mnemonic
++ *   maddflgs - flags for the float*muladd routine that control the
++ *           various forms (madd, msub, nmadd, nmsub)
++ *   ro    - round to odd
++ */
++#define VSX_MADDQ(op, maddflgs, ro)                                            \
++void helper_##op(CPUPPCState *env, ppc_vsr_t *xt, ppc_vsr_t *s1, ppc_vsr_t *s2,\
++                 ppc_vsr_t *s3)                                                \
++{                                                                              \
++    ppc_vsr_t t = *xt;                                                         \
++                                                                               \
++    helper_reset_fpstatus(env);                                                \
++                                                                               \
++    float_status tstat = env->fp_status;                                       \
++    set_float_exception_flags(0, &tstat);                                      \
++    if (ro) {                                                                  \
++        tstat.float_rounding_mode = float_round_to_odd;                        \
++    }                                                                          \
++    t.f128 = float128_muladd(s1->f128, s3->f128, s2->f128, maddflgs, &tstat);  \
++    env->fp_status.float_exception_flags |= tstat.float_exception_flags;       \
++                                                                               \
++    if (unlikely(tstat.float_exception_flags & float_flag_invalid)) {          \
++        float_invalid_op_madd(env, tstat.float_exception_flags,                \
++                              false, GETPC());                                 \
++    }                                                                          \
++                                                                               \
++    helper_compute_fprf_float128(env, t.f128);                                 \
++    *xt = t;                                                                   \
++    do_float_check_status(env, GETPC());                                       \
++}
++
++VSX_MADDQ(XSMADDQP, MADD_FLGS, 0)
++VSX_MADDQ(XSMADDQPO, MADD_FLGS, 1)
++VSX_MADDQ(XSMSUBQP, MSUB_FLGS, 0)
++VSX_MADDQ(XSMSUBQPO, MSUB_FLGS, 1)
++VSX_MADDQ(XSNMADDQP, NMADD_FLGS, 0)
++VSX_MADDQ(XSNMADDQPO, NMADD_FLGS, 1)
++VSX_MADDQ(XSNMSUBQP, NMSUB_FLGS, 0)
++VSX_MADDQ(XSNMSUBQPO, NMSUB_FLGS, 0)
++
+ /*
+  * VSX_SCALAR_CMP_DP - VSX scalar floating point compare double precision
+  *   op    - instruction mnemonic
+diff --git a/target/ppc/helper.h b/target/ppc/helper.h
+index e147b37644..b5080c4955 100644
+--- a/target/ppc/helper.h
++++ b/target/ppc/helper.h
+@@ -444,6 +444,15 @@ DEF_HELPER_5(XSMSUBSP, void, env, vsr, vsr, vsr, vsr)
+ DEF_HELPER_5(XSNMADDSP, void, env, vsr, vsr, vsr, vsr)
+ DEF_HELPER_5(XSNMSUBSP, void, env, vsr, vsr, vsr, vsr)
+ 
++DEF_HELPER_5(XSMADDQP, void, env, vsr, vsr, vsr, vsr)
++DEF_HELPER_5(XSMADDQPO, void, env, vsr, vsr, vsr, vsr)
++DEF_HELPER_5(XSMSUBQP, void, env, vsr, vsr, vsr, vsr)
++DEF_HELPER_5(XSMSUBQPO, void, env, vsr, vsr, vsr, vsr)
++DEF_HELPER_5(XSNMADDQP, void, env, vsr, vsr, vsr, vsr)
++DEF_HELPER_5(XSNMADDQPO, void, env, vsr, vsr, vsr, vsr)
++DEF_HELPER_5(XSNMSUBQP, void, env, vsr, vsr, vsr, vsr)
++DEF_HELPER_5(XSNMSUBQPO, void, env, vsr, vsr, vsr, vsr)
++
+ DEF_HELPER_4(xvadddp, void, env, vsr, vsr, vsr)
+ DEF_HELPER_4(xvsubdp, void, env, vsr, vsr, vsr)
+ DEF_HELPER_4(xvmuldp, void, env, vsr, vsr, vsr)
+diff --git a/target/ppc/insn32.decode b/target/ppc/insn32.decode
+index 0ff8818084..6bcb1e6804 100644
+--- a/target/ppc/insn32.decode
++++ b/target/ppc/insn32.decode
+@@ -457,21 +457,25 @@ XSMADDADP       111100 ..... ..... ..... 00100001 . . . @XX3
+ XSMADDMDP       111100 ..... ..... ..... 00101001 . . . @XX3
+ XSMADDASP       111100 ..... ..... ..... 00000001 . . . @XX3
+ XSMADDMSP       111100 ..... ..... ..... 00001001 . . . @XX3
++XSMADDQP        111111 ..... ..... ..... 0110000100 .   @X_rc
+ 
+ XSMSUBADP       111100 ..... ..... ..... 00110001 . . . @XX3
+ XSMSUBMDP       111100 ..... ..... ..... 00111001 . . . @XX3
+ XSMSUBASP       111100 ..... ..... ..... 00010001 . . . @XX3
+ XSMSUBMSP       111100 ..... ..... ..... 00011001 . . . @XX3
++XSMSUBQP        111111 ..... ..... ..... 0110100100 .   @X_rc
+ 
+ XSNMADDASP      111100 ..... ..... ..... 10000001 . . . @XX3
+ XSNMADDMSP      111100 ..... ..... ..... 10001001 . . . @XX3
+ XSNMADDADP      111100 ..... ..... ..... 10100001 . . . @XX3
+ XSNMADDMDP      111100 ..... ..... ..... 10101001 . . . @XX3
++XSNMADDQP       111111 ..... ..... ..... 0111000100 .   @X_rc
+ 
+ XSNMSUBASP      111100 ..... ..... ..... 10010001 . . . @XX3
+ XSNMSUBMSP      111100 ..... ..... ..... 10011001 . . . @XX3
+ XSNMSUBADP      111100 ..... ..... ..... 10110001 . . . @XX3
+ XSNMSUBMDP      111100 ..... ..... ..... 10111001 . . . @XX3
++XSNMSUBQP       111111 ..... ..... ..... 0111100100 .   @X_rc
+ 
+ ## VSX splat instruction
+ 
+diff --git a/target/ppc/translate/vsx-impl.c.inc b/target/ppc/translate/vsx-impl.c.inc
+index 90d3ac665b..4253f01319 100644
+--- a/target/ppc/translate/vsx-impl.c.inc
++++ b/target/ppc/translate/vsx-impl.c.inc
+@@ -1249,6 +1249,31 @@ TRANS_FLAGS2(VSX207, XSNMADDMSP, do_xsmadd_XX3, false, gen_helper_XSNMADDSP)
+ TRANS_FLAGS2(VSX207, XSNMSUBASP, do_xsmadd_XX3, true, gen_helper_XSNMSUBSP)
+ TRANS_FLAGS2(VSX207, XSNMSUBMSP, do_xsmadd_XX3, false, gen_helper_XSNMSUBSP)
+ 
++static bool do_xsmadd_X(DisasContext *ctx, arg_X_rc *a,
++        void (*gen_helper)(TCGv_ptr, TCGv_ptr, TCGv_ptr, TCGv_ptr, TCGv_ptr),
++        void (*gen_helper_ro)(TCGv_ptr, TCGv_ptr, TCGv_ptr, TCGv_ptr, TCGv_ptr))
++{
++    int vrt, vra, vrb;
++
++    REQUIRE_INSNS_FLAGS2(ctx, ISA300);
++    REQUIRE_VSX(ctx);
++
++    vrt = a->rt + 32;
++    vra = a->ra + 32;
++    vrb = a->rb + 32;
++
++    if (a->rc) {
++        return do_xsmadd(ctx, vrt, vra, vrt, vrb, gen_helper_ro);
++    }
++
++    return do_xsmadd(ctx, vrt, vra, vrt, vrb, gen_helper);
++}
++
++TRANS(XSMADDQP, do_xsmadd_X, gen_helper_XSMADDQP, gen_helper_XSMADDQPO)
++TRANS(XSMSUBQP, do_xsmadd_X, gen_helper_XSMSUBQP, gen_helper_XSMSUBQPO)
++TRANS(XSNMADDQP, do_xsmadd_X, gen_helper_XSNMADDQP, gen_helper_XSNMADDQPO)
++TRANS(XSNMSUBQP, do_xsmadd_X, gen_helper_XSNMSUBQP, gen_helper_XSNMSUBQPO)
++
+ #define GEN_VSX_HELPER_VSX_MADD(name, op1, aop, mop, inval, type)             \
+ static void gen_##name(DisasContext *ctx)                                     \
+ {                                                                             \
+-- 
+2.17.1
+
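Review bot: in the VSX_MADDQ instantiations added to target/ppc/fpu_helper.c, `VSX_MADDQ(XSNMSUBQPO, NMSUB_FLGS, 0)` passes ro = 0, while the other three round-to-odd helpers (XSMADDQPO, XSMSUBQPO, XSNMADDQPO) pass 1. With ro = 0 the macro never sets tstat.float_rounding_mode = float_round_to_odd, so the helper behaves exactly like XSNMSUBQP even though do_xsmadd_X dispatches to gen_helper_XSNMSUBQPO when a->rc is set. Check whether upstream carries a follow-up that changes the last argument to 1 and backport it with this patch; otherwise guest code using xsnmsubqpo gets results rounded in the current mode instead of round to odd.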
-- 
2.25.1




* [OE-core][kirkstone 07/13] python3: upgrade 3.10.4 -> 3.10.7
  2022-10-17 23:08 [OE-core][kirkstone 00/13] Patch review Steve Sakoman
                   ` (5 preceding siblings ...)
  2022-10-17 23:08 ` [OE-core][kirkstone 06/13] qemu: Backport patches from upstream to support float128 on qemu-ppc64 Steve Sakoman
@ 2022-10-17 23:08 ` Steve Sakoman
  2022-10-17 23:08 ` [OE-core][kirkstone 08/13] lttng-tools: Upgrade 2.13.4 -> 2.13.8 Steve Sakoman
                   ` (5 subsequent siblings)
  12 siblings, 0 replies; 21+ messages in thread
From: Steve Sakoman @ 2022-10-17 23:08 UTC (permalink / raw)
  To: openembedded-core

From: Tim Orling <ticotimo@gmail.com>

Security and bug fixes.

Drop patch for gh-92036 which was merged in 3.10.5
Refresh 0017-setup.py-do-not-report-missing-dependencies-for-disa.patch

Fixes:
* CVE-2020-10735
  https://nvd.nist.gov/vuln/detail/CVE-2020-10735
* CVE-2021-28861
  https://nvd.nist.gov/vuln/detail/CVE-2021-28861
* CVE-2018-25032
  https://nvd.nist.gov/vuln/detail/CVE-2018-25032

For a list of changes see:
https://docs.python.org/3.10/whatsnew/changelog.html#python-3-10-7-final
https://docs.python.org/3.10/whatsnew/changelog.html#python-3-10-6-final
https://docs.python.org/3.10/whatsnew/changelog.html#python-3-10-6-final

Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 ...h-92036-Fix-gc_fini_untrack-GH-92037.patch | 54 -------------------
 ...report-missing-dependencies-for-disa.patch |  8 +--
 .../{python3_3.10.4.bb => python3_3.10.7.bb}  |  3 +-
 3 files changed, 6 insertions(+), 59 deletions(-)
 delete mode 100644 meta/recipes-devtools/python/python3/0001-gh-92036-Fix-gc_fini_untrack-GH-92037.patch
 rename meta/recipes-devtools/python/{python3_3.10.4.bb => python3_3.10.7.bb} (99%)

diff --git a/meta/recipes-devtools/python/python3/0001-gh-92036-Fix-gc_fini_untrack-GH-92037.patch b/meta/recipes-devtools/python/python3/0001-gh-92036-Fix-gc_fini_untrack-GH-92037.patch
deleted file mode 100644
index 6a58c35cc6..0000000000
--- a/meta/recipes-devtools/python/python3/0001-gh-92036-Fix-gc_fini_untrack-GH-92037.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From 178a238f25ab8aff7689d7a09d66dc1583ecd6cb Mon Sep 17 00:00:00 2001
-From: "Miss Islington (bot)"
- <31488909+miss-islington@users.noreply.github.com>
-Date: Wed, 4 May 2022 03:23:29 -0700
-Subject: [PATCH 01/40] gh-92036: Fix gc_fini_untrack() (GH-92037)
-
-Fix a crash in subinterpreters related to the garbage collector. When
-a subinterpreter is deleted, untrack all objects tracked by its GC.
-To prevent a crash in deallocator functions expecting objects to be
-tracked by the GC, leak a strong reference to these objects on
-purpose, so they are never deleted and their deallocator functions
-are not called.
-(cherry picked from commit 14243369b5f80613628a565c224bba7fb3fcacd8)
-
-Co-authored-by: Victor Stinner <vstinner@python.org>
-
-Upstream-Status: Backport
----
- .../2022-04-28-23-37-30.gh-issue-92036.GZJAC9.rst           | 5 +++++
- Modules/gcmodule.c                                          | 6 ++++++
- 2 files changed, 11 insertions(+)
- create mode 100644 Misc/NEWS.d/next/Core and Builtins/2022-04-28-23-37-30.gh-issue-92036.GZJAC9.rst
-
-diff --git a/Misc/NEWS.d/next/Core and Builtins/2022-04-28-23-37-30.gh-issue-92036.GZJAC9.rst b/Misc/NEWS.d/next/Core and Builtins/2022-04-28-23-37-30.gh-issue-92036.GZJAC9.rst
-new file mode 100644
-index 0000000000..78094c5e4f
---- /dev/null
-+++ b/Misc/NEWS.d/next/Core and Builtins/2022-04-28-23-37-30.gh-issue-92036.GZJAC9.rst	
-@@ -0,0 +1,5 @@
-+Fix a crash in subinterpreters related to the garbage collector. When a
-+subinterpreter is deleted, untrack all objects tracked by its GC. To prevent a
-+crash in deallocator functions expecting objects to be tracked by the GC, leak
-+a strong reference to these objects on purpose, so they are never deleted and
-+their deallocator functions are not called. Patch by Victor Stinner.
-diff --git a/Modules/gcmodule.c b/Modules/gcmodule.c
-index 805a159d53..43ae6fa98b 100644
---- a/Modules/gcmodule.c
-+++ b/Modules/gcmodule.c
-@@ -2170,6 +2170,12 @@ gc_fini_untrack(PyGC_Head *list)
-     for (gc = GC_NEXT(list); gc != list; gc = GC_NEXT(list)) {
-         PyObject *op = FROM_GC(gc);
-         _PyObject_GC_UNTRACK(op);
-+        // gh-92036: If a deallocator function expect the object to be tracked
-+        // by the GC (ex: func_dealloc()), it can crash if called on an object
-+        // which is no longer tracked by the GC. Leak one strong reference on
-+        // purpose so the object is never deleted and its deallocator is not
-+        // called.
-+        Py_INCREF(op);
-     }
- }
- 
--- 
-2.25.1
-
diff --git a/meta/recipes-devtools/python/python3/0017-setup.py-do-not-report-missing-dependencies-for-disa.patch b/meta/recipes-devtools/python/python3/0017-setup.py-do-not-report-missing-dependencies-for-disa.patch
index 0ead57e465..8c554feb4b 100644
--- a/meta/recipes-devtools/python/python3/0017-setup.py-do-not-report-missing-dependencies-for-disa.patch
+++ b/meta/recipes-devtools/python/python3/0017-setup.py-do-not-report-missing-dependencies-for-disa.patch
@@ -12,16 +12,18 @@ Upstream-Status: Inappropriate [oe-core specific]
 Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
 Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
 Signed-off-by: Alejandro Hernandez Samaniego <alejandro@enedino.org>
+Refresh for 3.10.7:
+Signed-off-by: Tim Orling <tim.orling@konsulko.com>
 
 ---
  setup.py | 8 ++++++++
  1 file changed, 8 insertions(+)
 
 diff --git a/setup.py b/setup.py
-index 2be4738..62f0e18 100644
+index 85a2b26357..7605347bf5 100644
 --- a/setup.py
 +++ b/setup.py
-@@ -517,6 +517,14 @@ class PyBuildExt(build_ext):
+@@ -517,6 +517,14 @@ def print_three_column(lst):
                  print("%-*s   %-*s   %-*s" % (longest, e, longest, f,
                                                longest, g))
  
@@ -35,4 +37,4 @@ index 2be4738..62f0e18 100644
 +
          if self.missing:
              print()
-             print("Python build finished successfully!")
+             print("The necessary bits to build these optional modules were not "
diff --git a/meta/recipes-devtools/python/python3_3.10.4.bb b/meta/recipes-devtools/python/python3_3.10.7.bb
similarity index 99%
rename from meta/recipes-devtools/python/python3_3.10.4.bb
rename to meta/recipes-devtools/python/python3_3.10.7.bb
index 34fd2895a3..404a582135 100644
--- a/meta/recipes-devtools/python/python3_3.10.4.bb
+++ b/meta/recipes-devtools/python/python3_3.10.7.bb
@@ -35,7 +35,6 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
            file://0001-setup.py-Do-not-detect-multiarch-paths-when-cross-co.patch \
            file://deterministic_imports.patch \
            file://0001-Avoid-shebang-overflow-on-python-config.py.patch \
-           file://0001-gh-92036-Fix-gc_fini_untrack-GH-92037.patch \
            "
 
 SRC_URI:append:class-native = " \
@@ -44,7 +43,7 @@ SRC_URI:append:class-native = " \
            file://12-distutils-prefix-is-inside-staging-area.patch \
            file://0001-Don-t-search-system-for-headers-libraries.patch \
            "
-SRC_URI[sha256sum] = "80bf925f571da436b35210886cf79f6eb5fa5d6c571316b73568343451f77a19"
+SRC_URI[sha256sum] = "6eed8415b7516fb2f260906db5d48dd4c06acc0cb24a7d6cc15296a604dcdc48"
 
 # exclude pre-releases for both python 2.x and 3.x
 UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar"
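Review bot: the recipe change is only the dropped gh-92036 patch and the new SRC_URI[sha256sum], so the commit message is the sole record of what the 3.10.4 to 3.10.7 jump brings in, and it links the 3.10.6 changelog twice while never linking 3.10.5, the release it says merged gh-92036. Replace the duplicate link with the 3.10.5 entry so the listed CVEs can be checked against all three point releases. Also state how the new sha256sum was verified: the hunk header shows SRC_URI fetching the tarball over plain http://www.python.org/, which leaves the hash as the only integrity check on the download.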
-- 
2.25.1




* [OE-core][kirkstone 08/13] lttng-tools: Upgrade 2.13.4 -> 2.13.8
  2022-10-17 23:08 [OE-core][kirkstone 00/13] Patch review Steve Sakoman
                   ` (6 preceding siblings ...)
  2022-10-17 23:08 ` [OE-core][kirkstone 07/13] python3: upgrade 3.10.4 -> 3.10.7 Steve Sakoman
@ 2022-10-17 23:08 ` Steve Sakoman
  2022-10-17 23:08 ` [OE-core][kirkstone 09/13] uninative: Upgrade to 3.7 to work with glibc 2.36 Steve Sakoman
                   ` (4 subsequent siblings)
  12 siblings, 0 replies; 21+ messages in thread
From: Steve Sakoman @ 2022-10-17 23:08 UTC (permalink / raw)
  To: openembedded-core

From: He Zhe <zhe.he@windriver.com>

Signed-off-by: He Zhe <zhe.he@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../lttng/{lttng-tools_2.13.4.bb => lttng-tools_2.13.8.bb}      | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-kernel/lttng/{lttng-tools_2.13.4.bb => lttng-tools_2.13.8.bb} (98%)

diff --git a/meta/recipes-kernel/lttng/lttng-tools_2.13.4.bb b/meta/recipes-kernel/lttng/lttng-tools_2.13.8.bb
similarity index 98%
rename from meta/recipes-kernel/lttng/lttng-tools_2.13.4.bb
rename to meta/recipes-kernel/lttng/lttng-tools_2.13.8.bb
index 0ea4da05ce..0b6dfa48a4 100644
--- a/meta/recipes-kernel/lttng/lttng-tools_2.13.4.bb
+++ b/meta/recipes-kernel/lttng/lttng-tools_2.13.8.bb
@@ -39,7 +39,7 @@ SRC_URI = "https://lttng.org/files/lttng-tools/lttng-tools-${PV}.tar.bz2 \
            file://disable-tests.patch \
            "
 
-SRC_URI[sha256sum] = "565f3102410a53d484f4c8ff517978f1dc59f67f9d16f872f4357f3ca12200f6"
+SRC_URI[sha256sum] = "b1e959579b260790930b20f3c7aa7cefb8a40e0de80d4a777c2bf78c6b353dc1"
 
 inherit autotools ptest pkgconfig useradd python3-dir manpages systemd
 
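Review bot: the commit message has no body, so nothing explains why a stable branch takes four upstream point releases (2.13.4 to 2.13.8) or whether they contain only bug fixes. Add a short summary or a link to the upstream change log, and say how the new SRC_URI[sha256sum] value was checked against the upstream release.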
-- 
2.25.1




* [OE-core][kirkstone 09/13] uninative: Upgrade to 3.7 to work with glibc 2.36
  2022-10-17 23:08 [OE-core][kirkstone 00/13] Patch review Steve Sakoman
                   ` (7 preceding siblings ...)
  2022-10-17 23:08 ` [OE-core][kirkstone 08/13] lttng-tools: Upgrade 2.13.4 -> 2.13.8 Steve Sakoman
@ 2022-10-17 23:08 ` Steve Sakoman
  2022-10-17 23:08 ` [OE-core][kirkstone 10/13] image_types_wic.bbclass: fix cross binutils dependency Steve Sakoman
                   ` (3 subsequent siblings)
  12 siblings, 0 replies; 21+ messages in thread
From: Steve Sakoman @ 2022-10-17 23:08 UTC (permalink / raw)
  To: openembedded-core

From: Michael Halstead <mhalstead@linuxfoundation.org>

Update uninative to work with the new glibc 2.36 version

Signed-off-by: Michael Halstead <mhalstead@linuxfoundation.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 410226b053e14e32add1f9b4b811f84a1c445a7c)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/conf/distro/include/yocto-uninative.inc | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/meta/conf/distro/include/yocto-uninative.inc b/meta/conf/distro/include/yocto-uninative.inc
index 411fe45a24..7012db441b 100644
--- a/meta/conf/distro/include/yocto-uninative.inc
+++ b/meta/conf/distro/include/yocto-uninative.inc
@@ -6,10 +6,10 @@
 # to the distro running on the build machine.
 #
 
-UNINATIVE_MAXGLIBCVERSION = "2.35"
-UNINATIVE_VERSION = "3.6"
+UNINATIVE_MAXGLIBCVERSION = "2.36"
+UNINATIVE_VERSION = "3.7"
 
 UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/${UNINATIVE_VERSION}/"
-UNINATIVE_CHECKSUM[aarch64] ?= "d64831cf2792c8e470c2e42230660e1a8e5de56a579cdd59978791f663c2f3ed"
-UNINATIVE_CHECKSUM[i686] ?= "2f0ee9b66b1bb2c85e2b592fb3c9c7f5d77399fa638d74961330cdb8de34ca3b"
-UNINATIVE_CHECKSUM[x86_64] ?= "9bfc4c970495b3716b2f9e52c4df9f968c02463a9a95000f6657fbc3fde1f098"
+UNINATIVE_CHECKSUM[aarch64] ?= "6a29bcae4b5b716d2d520e18800b33943b65f8a835eac1ff8793fc5ee65b4be6"
+UNINATIVE_CHECKSUM[i686] ?= "3f6d52e64996570c716108d49f8108baccf499a283bbefae438c7266b7a93305"
+UNINATIVE_CHECKSUM[x86_64] ?= "b110bf2e10fe420f5ca2f3ec55f048ee5f0a54c7e34856a3594e51eb2aea0570"
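Review bot: the unchanged UNINATIVE_URL line between the version and checksum changes still defaults to http://downloads.yoctoproject.org/..., so the three UNINATIVE_CHECKSUM values replaced here are the only protection on the prebuilt uninative tarball fetched for every build. Confirm the new hashes against the release's published checksums over an authenticated channel, and consider making the default URL https://. The checksums are assigned with ?=, so a value already set in a distro or local configuration still takes precedence; sites that pin their own checksums must update them together with UNINATIVE_VERSION = "3.7".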
-- 
2.25.1




* [OE-core][kirkstone 10/13] image_types_wic.bbclass: fix cross binutils dependency
  2022-10-17 23:08 [OE-core][kirkstone 00/13] Patch review Steve Sakoman
                   ` (8 preceding siblings ...)
  2022-10-17 23:08 ` [OE-core][kirkstone 09/13] uninative: Upgrade to 3.7 to work with glibc 2.36 Steve Sakoman
@ 2022-10-17 23:08 ` Steve Sakoman
  2022-10-17 23:08 ` [OE-core][kirkstone 11/13] linux-yocto-dev: add qemuarm64 Steve Sakoman
                   ` (2 subsequent siblings)
  12 siblings, 0 replies; 21+ messages in thread
From: Steve Sakoman @ 2022-10-17 23:08 UTC (permalink / raw)
  To: openembedded-core

From: Chen Qi <Qi.Chen@windriver.com>

Enable multilib and wic at the same time and we'll meet the
following error.

  ERROR: Nothing PROVIDES 'virtual/i686-wrsmllib32-linux-binutils'

Adjust the dependency to take multilib into consideration.

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
(cherry picked from commit 958ee0eede859bdba659e3343856b1c226207854)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/classes/image_types_wic.bbclass | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/classes/image_types_wic.bbclass b/meta/classes/image_types_wic.bbclass
index 5374d6125e..6453dd1b74 100644
--- a/meta/classes/image_types_wic.bbclass
+++ b/meta/classes/image_types_wic.bbclass
@@ -85,7 +85,7 @@ do_image_wic[deptask] += "do_image_complete"
 WKS_FILE_DEPENDS_DEFAULT = '${@bb.utils.contains_any("BUILD_ARCH", [ 'x86_64', 'i686' ], "syslinux-native", "",d)}'
 WKS_FILE_DEPENDS_DEFAULT += "bmap-tools-native cdrtools-native btrfs-tools-native squashfs-tools-native e2fsprogs-native"
 # Unified kernel images need objcopy
-WKS_FILE_DEPENDS_DEFAULT += "virtual/${TARGET_PREFIX}binutils"
+WKS_FILE_DEPENDS_DEFAULT += "virtual/${MLPREFIX}${TARGET_PREFIX}binutils"
 WKS_FILE_DEPENDS_BOOTLOADERS = ""
 WKS_FILE_DEPENDS_BOOTLOADERS:x86 = "syslinux grub-efi systemd-boot os-release"
 WKS_FILE_DEPENDS_BOOTLOADERS:x86-64 = "syslinux grub-efi systemd-boot os-release"
-- 
2.25.1




* [OE-core][kirkstone 11/13] linux-yocto-dev: add qemuarm64
  2022-10-17 23:08 [OE-core][kirkstone 00/13] Patch review Steve Sakoman
                   ` (9 preceding siblings ...)
  2022-10-17 23:08 ` [OE-core][kirkstone 10/13] image_types_wic.bbclass: fix cross binutils dependency Steve Sakoman
@ 2022-10-17 23:08 ` Steve Sakoman
  2022-10-17 23:08 ` [OE-core][kirkstone 12/13] own-mirrors: add crate Steve Sakoman
  2022-10-17 23:08 ` [OE-core][kirkstone 13/13] lttng-modules: Fix crash on powerpc64 Steve Sakoman
  12 siblings, 0 replies; 21+ messages in thread
From: Steve Sakoman @ 2022-10-17 23:08 UTC (permalink / raw)
  To: openembedded-core

From: Xiangyu Chen <xiangyu.chen@windriver.com>

Mark the qemuarm64 as compatible

Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-kernel/linux/linux-yocto-dev.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-kernel/linux/linux-yocto-dev.bb b/meta/recipes-kernel/linux/linux-yocto-dev.bb
index 75b1cb2a49..403993486b 100644
--- a/meta/recipes-kernel/linux/linux-yocto-dev.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-dev.bb
@@ -50,7 +50,7 @@ PACKAGECONFIG[dt-validation] = ",,python3-dtschema-native"
 # we need the wrappers if validation isn't in the packageconfig
 DEPENDS += "${@bb.utils.contains('PACKAGECONFIG', 'dt-validation', '', 'python3-dtschema-wrapper-native', d)}"
 
-COMPATIBLE_MACHINE = "^(qemuarm|qemux86|qemuppc|qemumips|qemumips64|qemux86-64|qemuriscv32|qemuriscv64)$"
+COMPATIBLE_MACHINE = "^(qemuarm|qemuarm64|qemux86|qemuppc|qemumips|qemumips64|qemux86-64|qemuriscv32|qemuriscv64)$"
 
 KERNEL_DEVICETREE:qemuarmv5 = "versatile-pb.dtb"
 
-- 
2.25.1




* [OE-core][kirkstone 12/13] own-mirrors: add crate
  2022-10-17 23:08 [OE-core][kirkstone 00/13] Patch review Steve Sakoman
                   ` (10 preceding siblings ...)
  2022-10-17 23:08 ` [OE-core][kirkstone 11/13] linux-yocto-dev: add qemuarm64 Steve Sakoman
@ 2022-10-17 23:08 ` Steve Sakoman
  2022-10-17 23:08 ` [OE-core][kirkstone 13/13] lttng-modules: Fix crash on powerpc64 Steve Sakoman
  12 siblings, 0 replies; 21+ messages in thread
From: Steve Sakoman @ 2022-10-17 23:08 UTC (permalink / raw)
  To: openembedded-core

From: Adrian Freihofer <adrian.freihofer@gmail.com>

Support downloading crate files from a mirror at SOURCE_MIRROR_URL.

Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/classes/own-mirrors.bbclass | 1 +
 meta/classes/sanity.bbclass      | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/meta/classes/own-mirrors.bbclass b/meta/classes/own-mirrors.bbclass
index ef972740ce..30c7ccd8e7 100644
--- a/meta/classes/own-mirrors.bbclass
+++ b/meta/classes/own-mirrors.bbclass
@@ -11,4 +11,5 @@ https?://.*/.*  ${SOURCE_MIRROR_URL} \
 ftp://.*/.*     ${SOURCE_MIRROR_URL} \
 npm://.*/?.*    ${SOURCE_MIRROR_URL} \
 s3://.*/.*      ${SOURCE_MIRROR_URL} \
+crate://.*/.*   ${SOURCE_MIRROR_URL} \
 "
diff --git a/meta/classes/sanity.bbclass b/meta/classes/sanity.bbclass
index a79e36b594..5c97effb96 100644
--- a/meta/classes/sanity.bbclass
+++ b/meta/classes/sanity.bbclass
@@ -859,7 +859,7 @@ def check_sanity_everybuild(status, d):
     mirror_vars = ['MIRRORS', 'PREMIRRORS', 'SSTATE_MIRRORS']
     protocols = ['http', 'ftp', 'file', 'https', \
                  'git', 'gitsm', 'hg', 'osc', 'p4', 'svn', \
-                 'bzr', 'cvs', 'npm', 'sftp', 'ssh', 's3', 'az', 'ftps']
+                 'bzr', 'cvs', 'npm', 'sftp', 'ssh', 's3', 'az', 'ftps', 'crate']
     for mirror_var in mirror_vars:
         mirrors = (d.getVar(mirror_var) or '').replace('\\n', ' ').split()
 
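Review bot: the commit message describes only the own-mirrors.bbclass entry, but this hunk also adds 'crate' to the protocols list in check_sanity_everybuild, which is applied to MIRRORS, PREMIRRORS and SSTATE_MIRRORS alike. Mention the sanity.bbclass change and the reason for it in the message, so a reader can see that the allow-list was widened deliberately to accept the new `crate://.*/.*` mirror line and not as an unrelated edit.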
-- 
2.25.1




* [OE-core][kirkstone 13/13] lttng-modules: Fix crash on powerpc64
  2022-10-17 23:08 [OE-core][kirkstone 00/13] Patch review Steve Sakoman
                   ` (11 preceding siblings ...)
  2022-10-17 23:08 ` [OE-core][kirkstone 12/13] own-mirrors: add crate Steve Sakoman
@ 2022-10-17 23:08 ` Steve Sakoman
  12 siblings, 0 replies; 21+ messages in thread
From: Steve Sakoman @ 2022-10-17 23:08 UTC (permalink / raw)
  To: openembedded-core

From: He Zhe <zhe.he@windriver.com>

Backport a patch to fix the following on powerpc64 ABIv2.

root@qemuppc64:~# lttng create trace_session --live -U net://127.0.0.1
Spawning a session daemon
lttng_kretprobes: loading out-of-tree module taints kernel.
BUG: Unable to handle kernel data access on read at 0xfffffffffffffff8
Faulting instruction address: 0xc0000000001f6fd0
Oops: Kernel access of bad area, sig: 11 [#1]
<snip>

Signed-off-by: He Zhe <zhe.he@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 ...4-fix-kernel-crash-caused-by-do_get_.patch | 94 +++++++++++++++++++
 .../lttng/lttng-modules_2.13.4.bb             |  1 +
 2 files changed, 95 insertions(+)
 create mode 100644 meta/recipes-kernel/lttng/lttng-modules/0001-wrapper-powerpc64-fix-kernel-crash-caused-by-do_get_.patch

diff --git a/meta/recipes-kernel/lttng/lttng-modules/0001-wrapper-powerpc64-fix-kernel-crash-caused-by-do_get_.patch b/meta/recipes-kernel/lttng/lttng-modules/0001-wrapper-powerpc64-fix-kernel-crash-caused-by-do_get_.patch
new file mode 100644
index 0000000000..b3b191c7ac
--- /dev/null
+++ b/meta/recipes-kernel/lttng/lttng-modules/0001-wrapper-powerpc64-fix-kernel-crash-caused-by-do_get_.patch
@@ -0,0 +1,94 @@
+From 480cce4315ce5bf59a509e8a53a52545f393de68 Mon Sep 17 00:00:00 2001
+From: He Zhe <zhe.he@windriver.com>
+Date: Tue, 27 Sep 2022 15:59:42 +0800
+Subject: [PATCH] wrapper: powerpc64: fix kernel crash caused by
+ do_get_kallsyms
+
+Kernel crashes on powerpc64 ABIv2 as follow when lttng_tracer initializes,
+since do_get_kallsyms in lttng_wrapper fails to return a proper address of
+kallsyms_lookup_name.
+
+root@qemuppc64:~# lttng create trace_session --live -U net://127.0.0.1
+Spawning a session daemon
+lttng_kretprobes: loading out-of-tree module taints kernel.
+BUG: Unable to handle kernel data access on read at 0xfffffffffffffff8
+Faulting instruction address: 0xc0000000001f6fd0
+Oops: Kernel access of bad area, sig: 11 [#1]
+<snip>
+NIP [c0000000001f6fd0] module_kallsyms_lookup_name+0xf0/0x180
+LR [c0000000001f6f28] module_kallsyms_lookup_name+0x48/0x180
+Call Trace:
+module_kallsyms_lookup_name+0x34/0x180 (unreliable)
+kallsyms_lookup_name+0x258/0x2b0
+wrapper_kallsyms_lookup_name+0x4c/0xd0 [lttng_wrapper]
+wrapper_get_pfnblock_flags_mask_init+0x28/0x60 [lttng_wrapper]
+lttng_events_init+0x40/0x344 [lttng_tracer]
+do_one_initcall+0x78/0x340
+do_init_module+0x6c/0x2f0
+__do_sys_finit_module+0xd0/0x120
+system_call_exception+0x194/0x2f0
+system_call_vectored_common+0xe8/0x278
+<snip>
+
+do_get_kallsyms makes use of kprobe_register and in turn kprobe_lookup_name
+to get the address of the kernel function kallsyms_lookup_name. In case of
+PPC64_ELF_ABI_v2, when kprobes are placed at function entry,
+kprobe_lookup_name adjusts the global entry point of the function returned
+by kallsyms_lookup_name to the local entry point(at some fixed offset of
+global one). This adjustment is all for kprobes to be able to work properly.
+Global and local entry point are defined in powerpc64 ABIv2.
+
+When the local entry point is given, some instructions at the beginning of
+the function are skipped and thus causes the above kernel crash. We just
+want to make a simple function call which needs global entry point.
+
+This patch adds 4 bytes which is the length of one instruction to
+kallsyms_lookup_name so that it will not trigger the global to local
+adjustment, and then substracts 4 bytes from the returned address. See the
+following kernel change for more details.
+
+https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=290e3070762ac80e5fc4087d8c4de7e3f1d90aca
+
+Upstream-Status: Backport
+
+Signed-off-by: He Zhe <zhe.he@windriver.com>
+Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Change-Id: I34e68e886b97e3976d0b5e25be295a8bb866c1a4
+---
+ src/wrapper/kallsyms.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/src/wrapper/kallsyms.c b/src/wrapper/kallsyms.c
+index d2848764..93017adc 100644
+--- a/src/wrapper/kallsyms.c
++++ b/src/wrapper/kallsyms.c
+@@ -39,10 +39,26 @@ unsigned long do_get_kallsyms(void)
+ 	memset(&probe, 0, sizeof(probe));
+ 	probe.pre_handler = dummy_kprobe_handler;
+ 	probe.symbol_name = "kallsyms_lookup_name";
++#ifdef PPC64_ELF_ABI_v2
++	/*
++	 * With powerpc64 ABIv2, we need the global entry point of
++	 * kallsyms_lookup_name to call it later, while kprobe_register would
++	 * automatically adjust the global entry point to the local entry point,
++	 * when a kprobe was registered at a function entry. So we add 4 bytes
++	 * which is the length of one instruction to kallsyms_lookup_name to
++	 * avoid the adjustment.
++	 */
++	probe.offset = 4;
++#endif
+ 	ret = register_kprobe(&probe);
+ 	if (ret)
+ 		return 0;
++#ifdef PPC64_ELF_ABI_v2
++	/* Substract 4 bytes to get what we originally want */
++	addr = (unsigned long)(((char *)probe.addr) - 4);
++#else
+ 	addr = (unsigned long)probe.addr;
++#endif
+ #ifdef CONFIG_ARM
+ #ifdef CONFIG_THUMB2_KERNEL
+ 	if (addr)
+-- 
+2.17.1
+
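Review bot: The Upstream-Status: Backport tag in the added patch header names no upstream lttng-modules commit or release; the only URL in the message is the kernel change it points to for background. Putting the source commit in brackets after the tag, in the form Upstream-Status: Backport [<lttng-modules commit URL>], would let a later version bump confirm when this patch can be dropped. In do_get_kallsyms() the literal 4 is assigned to probe.offset and subtracted from probe.addr in two separate #ifdef PPC64_ELF_ABI_v2 blocks; as a backport the code should stay as upstream has it, but the two values must be kept in step if the patch is ever refreshed by hand.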
diff --git a/meta/recipes-kernel/lttng/lttng-modules_2.13.4.bb b/meta/recipes-kernel/lttng/lttng-modules_2.13.4.bb
index 80b9ceec3f..ad4063bed3 100644
--- a/meta/recipes-kernel/lttng/lttng-modules_2.13.4.bb
+++ b/meta/recipes-kernel/lttng/lttng-modules_2.13.4.bb
@@ -17,6 +17,7 @@ SRC_URI = "https://lttng.org/files/${BPN}/${BPN}-${PV}.tar.bz2 \
            file://0001-fix-net-skb-introduce-kfree_skb_reason-v5.15.58.v5.1.patch \
            file://0001-fix-compaction.patch \
            file://0001-fix-adjust-range-v5.10.137-in-block-probe.patch \
+           file://0001-wrapper-powerpc64-fix-kernel-crash-caused-by-do_get_.patch \
            "
 
 # Use :append here so that the patch is applied also when using devupstream
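Review bot: The new file:// entry goes into the plain SRC_URI assignment, while the comment just below it says :append is used so that a patch is applied also when using devupstream, which suggests entries in this list are skipped for that variant. Please confirm the devupstream source already contains the powerpc64 do_get_kallsyms fix; if it does not, the entry belongs in the :append instead.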
-- 
2.25.1




* [OE-core][kirkstone 00/13] Patch review
@ 2023-02-01 22:15 Steve Sakoman
  0 siblings, 0 replies; 21+ messages in thread
From: Steve Sakoman @ 2023-02-01 22:15 UTC (permalink / raw)
  To: openembedded-core

Please review this set of patches for kirkstone and have comments back by
end of day Friday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/4872

The following changes since commit a8c82902384f7430519a31732a4bb631f21693ac:

  build-appliance-image: Update to kirkstone head revision (2023-01-26 23:40:27 +0000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Armin Kuster (1):
  lttng-modules: Fix for 5.10.163 kernel version

Bruce Ashfield (1):
  linux-yocto/5.15: update to v5.15.87

Khem Raj (3):
  libtirpc: Check if file exists before operating on it
  libusb1: Link with latomic only if compiler has no atomic builtins
  libusb1: Strip trailing whitespaces

Niko Mauno (1):
  Fix missing leading whitespace with ':append'

Richard Purdie (1):
  native: Drop special variable handling

Ross Burton (4):
  ppp: backport fix for CVE-2022-4603
  quilt: fix intermittent failure in faildiff.test
  spirv-headers: set correct branch name
  quilt: use upstreamed faildiff.test fix

Thomas Roos (1):
  devtool: fix devtool finish when gitmodules file is empty

Xiangyu Chen (1):
  numactl: skip test case when target platform doesn't have 2 CPU node

 meta/classes/core-image.bbclass               |  2 +-
 meta/classes/externalsrc.bbclass              |  2 +-
 meta/classes/native.bbclass                   |  2 +-
 meta/classes/populate_sdk_ext.bbclass         |  2 +-
 .../distro/include/ptest-packagelists.inc     |  2 +-
 .../ppp/ppp/CVE-2022-4603.patch               | 48 +++++++++++++++
 meta/recipes-connectivity/ppp/ppp_2.4.9.bb    |  1 +
 meta/recipes-devtools/quilt/quilt.inc         |  1 +
 .../quilt/quilt/faildiff-order.patch          | 41 +++++++++++++
 .../libtirpc/libtirpc_1.3.2.bb                |  2 +-
 .../spir/spirv-headers_1.3.204.1.bb           |  2 +-
 .../linux/linux-yocto-rt_5.15.bb              |  6 +-
 .../linux/linux-yocto-tiny_5.15.bb            |  6 +-
 meta/recipes-kernel/linux/linux-yocto_5.15.bb | 26 ++++----
 .../fix-jbd2-upper-bound-for-v5.10.163.patch  | 52 ++++++++++++++++
 ...e-the-correct-print-format-v5.10.163.patch | 61 +++++++++++++++++++
 .../lttng/lttng-modules_2.13.8.bb             |  2 +
 ...k-with-latomic-only-if-no-atomic-bui.patch | 46 ++++++++++++++
 meta/recipes-support/libusb/libusb1_1.0.26.bb | 13 ++--
 .../numactl/Fix-the-test-output-format.patch  |  3 +-
 .../recipes-support/numactl/numactl/run-ptest |  6 +-
 21 files changed, 292 insertions(+), 34 deletions(-)
 create mode 100644 meta/recipes-connectivity/ppp/ppp/CVE-2022-4603.patch
 create mode 100644 meta/recipes-devtools/quilt/quilt/faildiff-order.patch
 create mode 100644 meta/recipes-kernel/lttng/lttng-modules/fix-jbd2-upper-bound-for-v5.10.163.patch
 create mode 100644 meta/recipes-kernel/lttng/lttng-modules/fix-jbd2-use-the-correct-print-format-v5.10.163.patch
 create mode 100644 meta/recipes-support/libusb/libusb1/0001-configure.ac-Link-with-latomic-only-if-no-atomic-bui.patch

-- 
2.25.1




* [OE-core][kirkstone 00/13] Patch review
@ 2023-04-29 17:20 Steve Sakoman
  0 siblings, 0 replies; 21+ messages in thread
From: Steve Sakoman @ 2023-04-29 17:20 UTC (permalink / raw)
  To: openembedded-core

Please review this set of patches for kirkstone and have comments back by
end of day Tuesday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5234

The following changes since commit 15c07dff384ce4fb0e90f4f32c182a82101a1c82:

  go: fix CVE-2023-24537 Infinite loop in parsing (2023-04-21 03:57:50 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Archana Polampalli (1):
  nasm: fix CVE-2022-44370

Bruce Ashfield (3):
  linux-yocto/5.15: update to v5.15.106
  linux-yocto/5.15: update to v5.15.107
  linux-yocto/5.15: update to v5.15.108

Christoph Lauer (1):
  populate_sdk_base: add zip options

Deepthi Hemraj (1):
  glibc: stable 2.35 branch updates.

Joe Slater (1):
  ghostscript: fix CVE-2023-29979

Mingli Yu (1):
  ruby: Fix CVE-2023-28755

Pascal Bach (1):
  cmake: add CMAKE_SYSROOT to generated toolchain file

Ross Burton (1):
  xserver-xorg: backport fix for CVE-2023-1393

Virendra Thakur (1):
  qemu: Whitelist CVE-2023-0664

Yogita Urade (2):
  xorg-lib-common: Add variable to set tarball type
  libxpm: upgrade 3.5.13 -> 3.5.15

 meta/classes/cmake.bbclass                    |   5 +
 meta/classes/populate_sdk_base.bbclass        |   4 +-
 meta/recipes-core/glibc/glibc-version.inc     |   2 +-
 .../nasm/nasm/CVE-2022-44370.patch            | 104 ++++++++++++++++++
 meta/recipes-devtools/nasm/nasm_2.15.05.bb    |   1 +
 meta/recipes-devtools/qemu/qemu.inc           |   5 +
 .../ruby/ruby/CVE-2023-28755.patch            |  68 ++++++++++++
 meta/recipes-devtools/ruby/ruby_3.1.3.bb      |   1 +
 .../ghostscript/cve-2023-28879.patch          |  60 ++++++++++
 .../ghostscript/ghostscript_9.55.0.bb         |   1 +
 .../{libxpm_3.5.13.bb => libxpm_3.5.15.bb}    |   8 +-
 .../xorg-lib/xorg-lib-common.inc              |   3 +-
 ...posite-Fix-use-after-free-of-the-COW.patch |  46 ++++++++
 .../xorg-xserver/xserver-xorg_21.1.7.bb       |   3 +-
 .../linux/linux-yocto-rt_5.15.bb              |   6 +-
 .../linux/linux-yocto-tiny_5.15.bb            |   6 +-
 meta/recipes-kernel/linux/linux-yocto_5.15.bb |  26 ++---
 17 files changed, 323 insertions(+), 26 deletions(-)
 create mode 100644 meta/recipes-devtools/nasm/nasm/CVE-2022-44370.patch
 create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2023-28755.patch
 create mode 100644 meta/recipes-extended/ghostscript/ghostscript/cve-2023-28879.patch
 rename meta/recipes-graphics/xorg-lib/{libxpm_3.5.13.bb => libxpm_3.5.15.bb} (67%)
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-composite-Fix-use-after-free-of-the-COW.patch

-- 
2.34.1




* [OE-core][kirkstone 00/13] Patch review
@ 2023-05-31  2:34 Steve Sakoman
  0 siblings, 0 replies; 21+ messages in thread
From: Steve Sakoman @ 2023-05-31  2:34 UTC (permalink / raw)
  To: openembedded-core

Please review this set of changes for kirkstone and have comments back by
end of day Thursday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5365

The following changes since commit 5e26ead1ca016d1691dccba1b58060ac853bf0d2:

  piglit: Add missing glslang dependencies (2023-05-25 05:42:54 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Bhabu Bindu (4):
  curl: Fix CVE-2023-28319
  curl: Fix CVE-2023-28320
  curl: Fix CVE-2023-28321
  curl: Fix CVE-2023-28322

Bruce Ashfield (5):
  linux-yocto/5.10: update to v5.10.176
  linux-yocto/5.10: update to v5.10.177
  linux-yocto/5.10: update to v5.10.178
  linux-yocto/5.10: update to v5.10.179
  linux-yocto/5.10: update to v5.10.180

Martin Jansa (1):
  kernel-devicetree: make shell scripts posix compliant

Randolph Sapp (3):
  kernel-devicetree: allow specification of dtb directory
  package: enable recursion on file globs
  kernel-devicetree: recursively search for dtbs

 meta/classes/kernel-devicetree.bbclass        |  22 +-
 meta/classes/kernel.bbclass                   |   2 +
 meta/classes/package.bbclass                  |   2 +-
 .../linux/linux-yocto-rt_5.10.bb              |   6 +-
 .../linux/linux-yocto-tiny_5.10.bb            |   8 +-
 meta/recipes-kernel/linux/linux-yocto_5.10.bb |  24 +-
 .../curl/curl/CVE-2023-28319.patch            |  33 ++
 .../curl/curl/CVE-2023-28320.patch            |  83 ++++
 .../curl/curl/CVE-2023-28321.patch            | 302 ++++++++++++
 .../curl/curl/CVE-2023-28322-1.patch          |  84 ++++
 .../curl/curl/CVE-2023-28322-2.patch          | 436 ++++++++++++++++++
 meta/recipes-support/curl/curl_7.82.0.bb      |   5 +
 12 files changed, 982 insertions(+), 25 deletions(-)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2023-28319.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2023-28320.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2023-28321.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2023-28322-1.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2023-28322-2.patch

-- 
2.34.1




* [OE-core][kirkstone 00/13] Patch review
@ 2023-10-14 21:44 Steve Sakoman
  0 siblings, 0 replies; 21+ messages in thread
From: Steve Sakoman @ 2023-10-14 21:44 UTC (permalink / raw)
  To: openembedded-core

Please review this set of changes for kirkstone and have comments back by
end of day Tuesday, October 17

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6044

The following changes since commit bca43f95850d395f9dc56644fa1d12910cabb0c5:

  glibc: Update to latest on stable 2.35 branch (2023-10-06 12:03:30 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Alexander Kanavin (2):
  python3-urllib3: upgrade 1.26.10 -> 1.26.11
  python3-urllib3: upgrade 1.26.12 -> 1.26.13

Hitendra Prajapati (2):
  libtiff: fix CVE-2022-40090 improved IFD-Loop handling
  xdg-utils: Fix CVE-2022-4055

Khem Raj (1):
  apt: add missing <cstdint> for uint16_t

Lee Chee Yang (1):
  python3-urllib3: 1.26.15 -> 1.26.17

Siddharth Doshi (1):
  vim: Upgrade 9.0.1894 -> 9.0.2009

Tim Orling (1):
  python3-urllib3: upgrade 1.26.13 -> 1.26.14

Wang Mingyu (1):
  python3-urllib3: upgrade 1.26.14 -> 1.26.15

Yash Shinde (2):
  binutils: Fix CVE-2022-44840
  binutils: Fix CVE-2022-45703

wangmy (2):
  python3-urllib3: upgrade 1.26.9 -> 1.26.10
  python3-urllib3: upgrade 1.26.11 -> 1.26.12

 ...001-add-missing-cstdint-for-uint16_t.patch |  35 ++
 meta/recipes-devtools/apt/apt_2.4.5.bb        |   1 +
 .../binutils/binutils-2.38.inc                |   3 +
 .../binutils/0030-CVE-2022-44840.patch        | 151 +++++
 .../binutils/0031-CVE-2022-45703-1.patch      | 147 +++++
 .../binutils/0031-CVE-2022-45703-2.patch      |  31 +
 ...3_1.26.9.bb => python3-urllib3_1.26.17.bb} |   3 +-
 .../xdg-utils/xdg-utils/CVE-2022-4055.patch   | 165 +++++
 .../xdg-utils/xdg-utils_1.1.3.bb              |   1 +
 .../libtiff/tiff/CVE-2022-40090.patch         | 569 ++++++++++++++++++
 meta/recipes-multimedia/libtiff/tiff_4.3.0.bb |   1 +
 meta/recipes-support/vim/vim.inc              |   4 +-
 12 files changed, 1108 insertions(+), 3 deletions(-)
 create mode 100644 meta/recipes-devtools/apt/apt/0001-add-missing-cstdint-for-uint16_t.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/0030-CVE-2022-44840.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/0031-CVE-2022-45703-1.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/0031-CVE-2022-45703-2.patch
 rename meta/recipes-devtools/python/{python3-urllib3_1.26.9.bb => python3-urllib3_1.26.17.bb} (82%)
 create mode 100644 meta/recipes-extended/xdg-utils/xdg-utils/CVE-2022-4055.patch
 create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2022-40090.patch

-- 
2.34.1




* [OE-core][kirkstone 00/13] Patch review
@ 2025-01-07 13:31 Steve Sakoman
  0 siblings, 0 replies; 21+ messages in thread
From: Steve Sakoman @ 2025-01-07 13:31 UTC (permalink / raw)
  To: openembedded-core

Please review this set of changes for kirkstone and have comments back by
end of day Thursday, January 9

Passed a-full on autobuilder:

https://valkyrie.yoctoproject.org/#/builders/29/builds/751

The following changes since commit a20b02fdfe64c005f7587a1d9077bdc282f7b6b1:

  base-passwd: Add the sgx group (2024-12-18 07:06:28 -0800)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Archana Polampalli (3):
  ffmpeg: fix CVE-2024-35366
  ffmpeg: fix CVE-2024-35367
  ffmpeg: fix CVE-2024-35368

Mikko Rapeli (1):
  ovmf-native: remove .pyc files from install

Peter Marko (6):
  ghostscript: ignore CVE-2024-46954
  tiff: ignore CVE-2023-2731
  tiff: patch CVE-2023-3164
  gstreame1.0: ignore CVEs from gstreamer1.0-plugins-bad
  xwayland: patch CVE-2023-5380 CVE-2024-0229
  python3: upgrade 3.10.15 -> 3.10.16

Rohini Sangam (1):
  webkitgtk: Security fix for CVE-2024-40776 and CVE-2024-40780

Vijay Anusuri (1):
  libsndfile1: Backport fix for CVE-2022-33065

aszh07 (1):
  libarchive: Fix CVE-2024-20696

 meta/recipes-core/ovmf/ovmf_git.bb            |   1 +
 ...-search-system-for-headers-libraries.patch |   2 +-
 ...{python3_3.10.15.bb => python3_3.10.16.bb} |   2 +-
 .../ghostscript/ghostscript_9.55.0.bb         |   2 +-
 .../libarchive/CVE-2024-20696.patch           | 114 +++++++++
 .../libarchive/libarchive_3.6.2.bb            |   1 +
 .../xwayland/xwayland/CVE-2023-5380.patch     | 103 ++++++++
 .../xwayland/xwayland/CVE-2024-0229-1.patch   |  88 +++++++
 .../xwayland/xwayland/CVE-2024-0229-2.patch   | 222 +++++++++++++++++
 .../xwayland/xwayland/CVE-2024-0229-3.patch   |  42 ++++
 .../xwayland/xwayland/CVE-2024-0229-4.patch   |  46 ++++
 .../xwayland/xwayland_22.1.8.bb               |   5 +
 .../ffmpeg/ffmpeg/CVE-2024-35366.patch        |  37 +++
 .../ffmpeg/ffmpeg/CVE-2024-35367.patch        |  47 ++++
 .../ffmpeg/ffmpeg/CVE-2024-35368.patch        |  41 ++++
 .../recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb |   3 +
 .../gstreamer/gstreamer1.0_1.20.7.bb          |   4 +-
 ...022-33065.patch => CVE-2022-33065-1.patch} |   0
 .../libsndfile1/CVE-2022-33065-10.patch       |  39 +++
 .../libsndfile1/CVE-2022-33065-11.patch       |  35 +++
 .../libsndfile1/CVE-2022-33065-12.patch       |  40 +++
 .../libsndfile1/CVE-2022-33065-13.patch       |  58 +++++
 .../libsndfile1/CVE-2022-33065-2.patch        |  58 +++++
 .../libsndfile1/CVE-2022-33065-3.patch        |  34 +++
 .../libsndfile1/CVE-2022-33065-4.patch        |  60 +++++
 .../libsndfile1/CVE-2022-33065-5.patch        |  39 +++
 .../libsndfile1/CVE-2022-33065-6.patch        |  82 +++++++
 .../libsndfile1/CVE-2022-33065-7.patch        |  48 ++++
 .../libsndfile1/CVE-2022-33065-8.patch        | 179 ++++++++++++++
 .../libsndfile1/CVE-2022-33065-9.patch        | 231 ++++++++++++++++++
 .../libsndfile/libsndfile1_1.0.31.bb          |  14 +-
 .../libtiff/tiff/CVE-2023-3164.patch          | 114 +++++++++
 meta/recipes-multimedia/libtiff/tiff_4.3.0.bb |   5 +-
 .../webkit/webkitgtk/CVE-2024-40776.patch     | 141 +++++++++++
 .../webkit/webkitgtk/CVE-2024-40780.patch     |  94 +++++++
 meta/recipes-sato/webkit/webkitgtk_2.36.8.bb  |   2 +
 36 files changed, 2025 insertions(+), 8 deletions(-)
 rename meta/recipes-devtools/python/{python3_3.10.15.bb => python3_3.10.16.bb} (99%)
 create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2024-20696.patch
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2023-5380.patch
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2024-0229-1.patch
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2024-0229-2.patch
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2024-0229-3.patch
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2024-0229-4.patch
 create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35366.patch
 create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35367.patch
 create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35368.patch
 rename meta/recipes-multimedia/libsndfile/libsndfile1/{CVE-2022-33065.patch => CVE-2022-33065-1.patch} (100%)
 create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-10.patch
 create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-11.patch
 create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-12.patch
 create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-13.patch
 create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-2.patch
 create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-3.patch
 create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-4.patch
 create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-5.patch
 create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-6.patch
 create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-7.patch
 create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-8.patch
 create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-9.patch
 create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-3164.patch
 create mode 100644 meta/recipes-sato/webkit/webkitgtk/CVE-2024-40776.patch
 create mode 100644 meta/recipes-sato/webkit/webkitgtk/CVE-2024-40780.patch

-- 
2.43.0


