7 files changed, 424 insertions, 48 deletions
diff --git a/user/qemu/APKBUILD b/user/qemu/APKBUILD
index 94a69c6ce..5e716695d 100644
--- a/user/qemu/APKBUILD
+++ b/user/qemu/APKBUILD
@@ -1,11 +1,12 @@
-# Contributor: Sergei Lukin <sergej.lukin@gmail.com>
+# Contributor: Sergey Lukin <sergej.lukin@gmail.com>
 # Contributor: Valery Kartel <valery.kartel@gmail.com>
 # Contributor: Jakub Jirutka <jakub@jirutka.cz>
 # Contributor: Natanael Copa <ncopa@alpinelinux.org>
+# Contributor: Max Rees <maxcrees@me.com>
 # Maintainer: A. Wilcox <awilfox@adelielinux.org>
 pkgname=qemu
-pkgver=3.0.0
-pkgrel=4
+pkgver=4.2.0
+pkgrel=3
 pkgdesc="Machine emulator and virtualisation software"
 url="https://www.qemu.org/"
 arch="all"
@@ -27,13 +28,14 @@ makedepends="
 	libjpeg-turbo-dev
 	libnfs-dev
 	libpng-dev
-	libssh2-dev
+	libslirp-dev
 	libusb-dev
 	libx11-dev
 	libxml2-dev
 	linux-headers
 	lzo-dev
 	ncurses-dev
+	py3-sphinx
 	python3
 	snappy-dev
 	spice-dev
@@ -109,7 +111,6 @@ _system_subsystems="
 	system-or1k
 	system-ppc
 	system-ppc64
-	system-ppcemb
 	system-riscv32
 	system-riscv64
 	system-s390x
@@ -151,12 +152,16 @@ source="https://download.qemu.org/$pkgname-$pkgver.tar.xz
 	ncurses.patch
 	ignore-signals-33-and-64-to-allow-golang-emulation.patch
 	0001-linux-user-fix-build-with-musl-on-ppc64le.patch
-	fix-sockios-header.patch
 	test-crypto-ivgen-skip-essiv.patch
 	ppc32-musl-support.patch
 	signal-fixes.patch
 	sysinfo-header.patch
 	fix-lm32-underlinking.patch
+	fix-no-pie-ld-flag.patch
+	time64.patch
+	MAP_SYNC-fix.patch
+	CVE-2020-1711.patch
+	CVE-2020-11102.patch
 
 	$pkgname-guest-agent.confd
 	$pkgname-guest-agent.initd
@@ -167,31 +172,68 @@ builddir="$srcdir/$pkgname-$pkgver"
 
 # secfixes:
 #   2.8.1-r1:
-#   - CVE-2016-7994
-#   - CVE-2016-7995
-#   - CVE-2016-8576
-#   - CVE-2016-8577
-#   - CVE-2016-8578
-#   - CVE-2016-8668
-#   - CVE-2016-8909
-#   - CVE-2016-8910
-#   - CVE-2016-9101
-#   - CVE-2016-9102
-#   - CVE-2016-9103
-#   - CVE-2016-9104
-#   - CVE-2016-9105
-#   - CVE-2016-9106
-#   - CVE-2017-2615
-#   - CVE-2017-2620
-#   - CVE-2017-5525
-#   - CVE-2017-5552
-#   - CVE-2017-5578
-#   - CVE-2017-5579
-#   - CVE-2017-5667
-#   - CVE-2017-5856
-#   - CVE-2017-5857
-#   - CVE-2017-5898
-#   - CVE-2017-5931
+#     - CVE-2016-7994
+#     - CVE-2016-7995
+#     - CVE-2016-8576
+#     - CVE-2016-8577
+#     - CVE-2016-8578
+#     - CVE-2016-8668
+#     - CVE-2016-8909
+#     - CVE-2016-8910
+#     - CVE-2016-9101
+#     - CVE-2016-9102
+#     - CVE-2016-9103
+#     - CVE-2016-9104
+#     - CVE-2016-9105
+#     - CVE-2016-9106
+#     - CVE-2017-2615
+#     - CVE-2017-2620
+#     - CVE-2017-5525
+#     - CVE-2017-5552
+#     - CVE-2017-5578
+#     - CVE-2017-5579
+#     - CVE-2017-5667
+#     - CVE-2017-5856
+#     - CVE-2017-5857
+#     - CVE-2017-5898
+#     - CVE-2017-5931
+#   4.2.0-r0:
+#     - CVE-2018-10839
+#     - CVE-2018-16847
+#     - CVE-2018-16867
+#     - CVE-2018-16872
+#     - CVE-2018-17958
+#     - CVE-2018-17962
+#     - CVE-2018-17963
+#     - CVE-2018-18849
+#     - CVE-2018-18954
+#     - CVE-2018-19364
+#     - CVE-2018-19489
+#     - CVE-2018-20123
+#     - CVE-2018-20124
+#     - CVE-2018-20125
+#     - CVE-2018-20126
+#     - CVE-2018-20191
+#     - CVE-2018-20216
+#     - CVE-2018-20815
+#     - CVE-2019-3812
+#     - CVE-2019-5008
+#     - CVE-2019-6501
+#     - CVE-2019-6778
+#     - CVE-2019-8934
+#     - CVE-2019-9824
+#     - CVE-2019-12068
+#     - CVE-2019-12155
+#     - CVE-2019-13164
+#     - CVE-2019-14378
+#     - CVE-2019-15034
+#     - CVE-2019-15890
+#     - CVE-2019-20382
+#     - CVE-2020-1711
+#     - CVE-2020-7039
+#     - CVE-2020-8608
+#   4.2.0-r1:
+#     - CVE-2020-11102
 
 prepare() {
 	default_prepare  # apply patches
@@ -217,6 +259,7 @@ _compile_common() {
 		--disable-gcrypt \
 		--cc="${CC:-gcc}" \
 		--python="/usr/bin/python3" \
+		--enable-slirp=system \
 		"$@"
 	make ARFLAGS="rc"
 }
@@ -232,7 +275,6 @@ _compile_system() {
 		--enable-cap-ng \
 		--enable-linux-aio \
 		--enable-usb-redir \
-		--enable-libssh2 \
 		--enable-vhost-net \
 		--enable-snappy \
 		--enable-tpm \
@@ -247,16 +289,19 @@ _compile_system() {
 
 build() {
 	local systems
+
 	mkdir -p "$builddir"/build \
 		"$builddir"/build-user \
 		"$builddir"/build-gtk
 
+	msg "Building -user..."
 	cd "$builddir"/build-user
 	_compile_common \
 		--enable-linux-user \
 		--disable-system \
 		--static
 
+	msg "Building -system..."
 	cd "$builddir"/build
 	_compile_system \
 		--enable-vnc \
@@ -267,10 +312,10 @@ build() {
 		--disable-gtk
 
 	if [ -n "$_arch" ]; then
+		msg "Building -gtk..."
 		cd "$builddir"/build-gtk
 		_compile_system \
 			--enable-gtk \
-			--with-gtkabi=3.0 \
 			--disable-vnc \
 			--disable-spice \
 			--disable-guest-agent \
@@ -286,9 +331,11 @@ check() {
 }
 
 package() {
+	msg "Installing -user..."
 	cd "$builddir"/build-user
 	make DESTDIR="$pkgdir" install
 
+	msg "Installing -system..."
 	cd "$builddir"/build
 	make DESTDIR="$pkgdir" install
 
@@ -394,7 +441,7 @@ guest() {
 		"$subpkgdir"/etc/conf.d/$pkgname-guest-agent
 }
 
-sha512sums="a764302f50b9aca4134bbbc1f361b98e71240cdc7b25600dfe733bf4cf17bd86000bd28357697b08f3b656899dceb9e459350b8d55557817444ed5d7fa380a5a  qemu-3.0.0.tar.xz
+sha512sums="2a79973c2b07c53e8c57a808ea8add7b6b2cbca96488ed5d4b669ead8c9318907dec2b6109f180fc8ca8f04c0f73a56e82b3a527b5626b799d7e849f2474ec56  qemu-4.2.0.tar.xz
 405008589cad1c8b609eca004d520bf944366e8525f85a19fc6e283c95b84b6c2429822ba064675823ab69f1406a57377266a65021623d1cd581e7db000134fd  0001-elfload-load-PIE-executables-to-right-address.patch
 1ac043312864309e19f839a699ab2485bca51bbf3d5fdb39f1a87b87e3cbdd8cbda1a56e6b5c9ffccd65a8ac2f600da9ceb8713f4dbba26f245bc52bcd8a1c56  0001-linux-user-fix-build-with-musl-on-aarch64.patch
 224f5b44da749921e8a821359478c5238d8b6e24a9c0b4c5738c34e82f3062ec4639d495b8b5883d304af4a0d567e38aa6623aac1aa3a7164a5757c036528ac0  musl-F_SHLCK-and-F_EXLCK.patch
@@ -403,12 +450,16 @@ sha512sums="a764302f50b9aca4134bbbc1f361b98e71240cdc7b25600dfe733bf4cf17bd86000b
 b6ed02aaf95a9bb30a5f107d35371207967edca058f3ca11348b0b629ea7a9c4baa618db68a3df72199eea6d86d14ced74a5a229d17604cc3f0adedcfeae7a73  ncurses.patch
 fd178f2913639a0c33199b3880cb17536961f2b3ff171c12b27f4be6bca032d6b88fd16302d09c692bb34883346babef5c44407a6804b20a39a465bb2bc85136  ignore-signals-33-and-64-to-allow-golang-emulation.patch
 d8933df9484158c2b4888254e62117d78f8ed7c18527b249419f39c2b2ab1afa148010884b40661f8965f1ef3105580fceffdfddbb2c9221dc1c62066722ba65  0001-linux-user-fix-build-with-musl-on-ppc64le.patch
-39590476a4ebd7c1e79a4f0451b24c75b1817a2a83abaa1f71bb60b225d772152f0af8f3e51ff65645e378c536ffa6ff551dade52884d03a14b7c6a19c5c97d4  fix-sockios-header.patch
 8b8db136f78bd26b5da171effa9e11016ec2bc3e2fc8107228b5543b47aa370978ed883794aa4f917f334e284a5b49e82070e1da2d31d49301195b6713a48eff  test-crypto-ivgen-skip-essiv.patch
 fb0130fa4e8771b23ae337ea3e5e29fd5f7dcfe7f9f7a68968f5b059bb4dd1336b0d04c118840d55885bc784a96a99b28aeacbc6a5549b2e6750c9d3099a897c  ppc32-musl-support.patch
 c6436b1cc986788baccd5fe0f9d23c7db9026f6b723260611cf894bd94ee830140a17ee5859efe0dad0ca3bfe9caae1269bc5c9ab4c6e696f35c7857c1b5c86b  signal-fixes.patch
 698f6b134f4ca87f4de62caf7a656841a40a451b8686ca95928f67a296e58a7493d432d9baa5f6360917865aa4929600baf1699993b0600923a066ca9d45d1da  sysinfo-header.patch
 2828cc612539aa93b5789de7de6d4f85d3cf82311484c0fe91fdd3efeb972057e2baa2a3809ed633d6caa1785642d49196cb282b095d7553c510c47ce7d6a702  fix-lm32-underlinking.patch
+61a0bc1c3cc902f3ead47c4f3a7651768e8f01d655494c53600f28cecf27cdb3d2f3e3778750154bb54e92006005b6ca629e30683c47d18dd4a20feafa64c8cd  fix-no-pie-ld-flag.patch
+44db77cab330075da601cc6083678c5f3ed1528936a8fd81148875bc67ed53332b21466c79ac6e5cf2b2e7d3824392dd7a52d0aaed03689be9b2dfddd5abba06  time64.patch
+d7de79ea74e36702cac4a59e472564a55f0a663be7e63c3755e32b4b5dfbc04b390ee79f09f43f6ae706ee2aec9e005eade3c0fd4a202db60d11f436874a17d7  MAP_SYNC-fix.patch
+0ea3745c45507c00c3c036241992d594b5f7e9aa1f0fa9b425dd222390066e1ea2d0aa4923bde0e7f27b7cc2f759a122ae4b600c2fa682a5aad509e7d03ccad9  CVE-2020-1711.patch
+5d9e7e065c6716024eab4984331071f42dcd5363c5456023f81a3ef0329ae578348d0f875868f85c9e1fee5e435d86e2eb7e342a957c36cd099cb5d5d9f3a78d  CVE-2020-11102.patch
 d90c034cae3f9097466854ed1a9f32ab4b02089fcdf7320e8f4da13b2b1ff65067233f48809911485e4431d7ec1a22448b934121bc9522a2dc489009e87e2b1f  qemu-guest-agent.confd
 1cd24c2444c5935a763c501af2b0da31635aad9cf62e55416d6477fcec153cddbe7de205d99616def11b085e0dd366ba22463d2270f831d884edbc307c7864a6  qemu-guest-agent.initd
 9b7a89b20fcf737832cb7b4d5dc7d8301dd88169cbe5339eda69fbb51c2e537d8cb9ec7cf37600899e734209e63410d50d0821bce97e401421db39c294d97be2  80-kvm.rules
diff --git a/user/qemu/CVE-2020-11102.patch b/user/qemu/CVE-2020-11102.patch
new file mode 100644
index 000000000..c437a7d47
--- /dev/null
+++ b/user/qemu/CVE-2020-11102.patch
@@ -0,0 +1,144 @@
+From 8ffb7265af64ec81748335ec8f20e7ab542c3850 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Tue, 24 Mar 2020 22:57:22 +0530
+Subject: [PATCH 1/1] net: tulip: check frame size and r/w data length
+
+Tulip network driver while copying tx/rx buffers does not check
+frame size against r/w data length. This may lead to OOB buffer
+access. Add check to avoid it.
+
+Limit iterations over descriptors to avoid potential infinite
+loop issue in tulip_xmit_list_update.
+
+Reported-by: Li Qiang <pangpei.lq@antfin.com>
+Reported-by: Ziming Zhang <ezrakiez@gmail.com>
+Reported-by: Jason Wang <jasowang@redhat.com>
+Tested-by: Li Qiang <liq3ea@gmail.com>
+Reviewed-by: Li Qiang <liq3ea@gmail.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+---
+ hw/net/tulip.c | 36 +++++++++++++++++++++++++++---------
+ 1 file changed, 27 insertions(+), 9 deletions(-)
+
+diff --git a/hw/net/tulip.c b/hw/net/tulip.c
+index cfac271..1295f51 100644
+--- a/hw/net/tulip.c
++++ b/hw/net/tulip.c
+@@ -170,6 +170,10 @@ static void tulip_copy_rx_bytes(TULIPState *s, struct tulip_descriptor *desc)
+         } else {
+             len = s->rx_frame_len;
+         }
++
++        if (s->rx_frame_len + len > sizeof(s->rx_frame)) {
++            return;
++        }
+         pci_dma_write(&s->dev, desc->buf_addr1, s->rx_frame +
+             (s->rx_frame_size - s->rx_frame_len), len);
+         s->rx_frame_len -= len;
+@@ -181,6 +185,10 @@ static void tulip_copy_rx_bytes(TULIPState *s, struct tulip_descriptor *desc)
+         } else {
+             len = s->rx_frame_len;
+         }
++
++        if (s->rx_frame_len + len > sizeof(s->rx_frame)) {
++            return;
++        }
+         pci_dma_write(&s->dev, desc->buf_addr2, s->rx_frame +
+             (s->rx_frame_size - s->rx_frame_len), len);
+         s->rx_frame_len -= len;
+@@ -227,7 +235,8 @@ static ssize_t tulip_receive(TULIPState *s, const uint8_t *buf, size_t size)
+ 
+     trace_tulip_receive(buf, size);
+ 
+-    if (size < 14 || size > 2048 || s->rx_frame_len || tulip_rx_stopped(s)) {
++    if (size < 14 || size > sizeof(s->rx_frame) - 4
++        || s->rx_frame_len || tulip_rx_stopped(s)) {
+         return 0;
+     }
+ 
+@@ -275,7 +284,6 @@ static ssize_t tulip_receive_nc(NetClientState *nc,
+     return tulip_receive(qemu_get_nic_opaque(nc), buf, size);
+ }
+ 
+-
+ static NetClientInfo net_tulip_info = {
+     .type = NET_CLIENT_DRIVER_NIC,
+     .size = sizeof(NICState),
+@@ -558,7 +566,7 @@ static void tulip_tx(TULIPState *s, struct tulip_descriptor *desc)
+         if ((s->csr[6] >> CSR6_OM_SHIFT) & CSR6_OM_MASK) {
+             /* Internal or external Loopback */
+             tulip_receive(s, s->tx_frame, s->tx_frame_len);
+-        } else {
++        } else if (s->tx_frame_len <= sizeof(s->tx_frame)) {
+             qemu_send_packet(qemu_get_queue(s->nic),
+                 s->tx_frame, s->tx_frame_len);
+         }
+@@ -570,23 +578,31 @@ static void tulip_tx(TULIPState *s, struct tulip_descriptor *desc)
+     }
+ }
+ 
+-static void tulip_copy_tx_buffers(TULIPState *s, struct tulip_descriptor *desc)
++static int tulip_copy_tx_buffers(TULIPState *s, struct tulip_descriptor *desc)
+ {
+     int len1 = (desc->control >> TDES1_BUF1_SIZE_SHIFT) & TDES1_BUF1_SIZE_MASK;
+     int len2 = (desc->control >> TDES1_BUF2_SIZE_SHIFT) & TDES1_BUF2_SIZE_MASK;
+ 
++    if (s->tx_frame_len + len1 > sizeof(s->tx_frame)) {
++        return -1;
++    }
+     if (len1) {
+         pci_dma_read(&s->dev, desc->buf_addr1,
+             s->tx_frame + s->tx_frame_len, len1);
+         s->tx_frame_len += len1;
+     }
+ 
++    if (s->tx_frame_len + len2 > sizeof(s->tx_frame)) {
++        return -1;
++    }
+     if (len2) {
+         pci_dma_read(&s->dev, desc->buf_addr2,
+             s->tx_frame + s->tx_frame_len, len2);
+         s->tx_frame_len += len2;
+     }
+     desc->status = (len1 + len2) ? 0 : 0x7fffffff;
++
++    return 0;
+ }
+ 
+ static void tulip_setup_filter_addr(TULIPState *s, uint8_t *buf, int n)
+@@ -651,13 +667,15 @@ static uint32_t tulip_ts(TULIPState *s)
+ 
+ static void tulip_xmit_list_update(TULIPState *s)
+ {
++#define TULIP_DESC_MAX 128
++    uint8_t i = 0;
+     struct tulip_descriptor desc;
+ 
+     if (tulip_ts(s) != CSR5_TS_SUSPENDED) {
+         return;
+     }
+ 
+-    for (;;) {
++    for (i = 0; i < TULIP_DESC_MAX; i++) {
+         tulip_desc_read(s, s->current_tx_desc, &desc);
+         tulip_dump_tx_descriptor(s, &desc);
+ 
+@@ -675,10 +693,10 @@ static void tulip_xmit_list_update(TULIPState *s)
+                 s->tx_frame_len = 0;
+             }
+ 
+-            tulip_copy_tx_buffers(s, &desc);
+-
+-            if (desc.control & TDES1_LS) {
+-                tulip_tx(s, &desc);
++            if (!tulip_copy_tx_buffers(s, &desc)) {
++                if (desc.control & TDES1_LS) {
++                    tulip_tx(s, &desc);
++                }
+             }
+         }
+         tulip_desc_write(s, s->current_tx_desc, &desc);
+-- 
+1.8.3.1
+
diff --git a/user/qemu/CVE-2020-1711.patch b/user/qemu/CVE-2020-1711.patch
new file mode 100644
index 000000000..c57b5c984
--- /dev/null
+++ b/user/qemu/CVE-2020-1711.patch
@@ -0,0 +1,61 @@
+From 693fd2acdf14dd86c0bf852610f1c2cca80a74dc Mon Sep 17 00:00:00 2001
+From: Felipe Franciosi <felipe@nutanix.com>
+Date: Thu, 23 Jan 2020 12:44:59 +0000
+Subject: [PATCH] iscsi: Cap block count from GET LBA STATUS (CVE-2020-1711)
+
+When querying an iSCSI server for the provisioning status of blocks (via
+GET LBA STATUS), Qemu only validates that the response descriptor zero's
+LBA matches the one requested. Given the SCSI spec allows servers to
+respond with the status of blocks beyond the end of the LUN, Qemu may
+have its heap corrupted by clearing/setting too many bits at the end of
+its allocmap for the LUN.
+
+A malicious guest in control of the iSCSI server could carefully program
+Qemu's heap (by selectively setting the bitmap) and then smash it.
+
+This limits the number of bits that iscsi_co_block_status() will try to
+update in the allocmap so it can't overflow the bitmap.
+
+Fixes: CVE-2020-1711
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Felipe Franciosi <felipe@nutanix.com>
+Signed-off-by: Peter Turschmid <peter.turschm@nutanix.com>
+Signed-off-by: Raphael Norwitz <raphael.norwitz@nutanix.com>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+---
+ block/iscsi.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/block/iscsi.c b/block/iscsi.c
+index 2aea7e3f13..cbd57294ab 100644
+--- a/block/iscsi.c
++++ b/block/iscsi.c
+@@ -701,7 +701,7 @@ static int coroutine_fn iscsi_co_block_status(BlockDriverState *bs,
+     struct scsi_get_lba_status *lbas = NULL;
+     struct scsi_lba_status_descriptor *lbasd = NULL;
+     struct IscsiTask iTask;
+-    uint64_t lba;
++    uint64_t lba, max_bytes;
+     int ret;
+ 
+     iscsi_co_init_iscsitask(iscsilun, &iTask);
+@@ -721,6 +721,7 @@ static int coroutine_fn iscsi_co_block_status(BlockDriverState *bs,
+     }
+ 
+     lba = offset / iscsilun->block_size;
++    max_bytes = (iscsilun->num_blocks - lba) * iscsilun->block_size;
+ 
+     qemu_mutex_lock(&iscsilun->mutex);
+ retry:
+@@ -764,7 +765,7 @@ retry:
+         goto out_unlock;
+     }
+ 
+-    *pnum = (int64_t) lbasd->num_blocks * iscsilun->block_size;
++    *pnum = MIN((int64_t) lbasd->num_blocks * iscsilun->block_size, max_bytes);
+ 
+     if (lbasd->provisioning == SCSI_PROVISIONING_TYPE_DEALLOCATED ||
+         lbasd->provisioning == SCSI_PROVISIONING_TYPE_ANCHORED) {
+-- 
+2.25.1
+
diff --git a/user/qemu/MAP_SYNC-fix.patch b/user/qemu/MAP_SYNC-fix.patch
new file mode 100644
index 000000000..e13609d73
--- /dev/null
+++ b/user/qemu/MAP_SYNC-fix.patch
@@ -0,0 +1,22 @@
+diff --git a/util/mmap-alloc.c b/util/mmap-alloc.c
+index f7f177d..7598960 100644
+--- a/util/mmap-alloc.c
++++ b/util/mmap-alloc.c
+@@ -10,14 +10,16 @@
+  * later.  See the COPYING file in the top-level directory.
+  */
+ 
++#include "qemu/osdep.h"
++
+ #ifdef CONFIG_LINUX
+ #include <linux/mman.h>
++#include <asm-generic/mman.h> /* for ppc64le */
+ #else  /* !CONFIG_LINUX */
+ #define MAP_SYNC              0x0
+ #define MAP_SHARED_VALIDATE   0x0
+ #endif /* CONFIG_LINUX */
+ 
+-#include "qemu/osdep.h"
+ #include "qemu/mmap-alloc.h"
+ #include "qemu/host-utils.h"
+ 
diff --git a/user/qemu/fix-no-pie-ld-flag.patch b/user/qemu/fix-no-pie-ld-flag.patch
new file mode 100644
index 000000000..5501a267f
--- /dev/null
+++ b/user/qemu/fix-no-pie-ld-flag.patch
@@ -0,0 +1,71 @@
+This patch differs from upstream in the following way:
+
+  * It applies to 4.2.0
+
+From bbd2d5a8120771ec59b86a80a1f51884e0a26e53 Mon Sep 17 00:00:00 2001
+From: Christian Ehrhardt <christian.ehrhardt@canonical.com>
+Date: Mon, 14 Dec 2020 16:09:38 +0100
+Subject: [PATCH] build: -no-pie is no functional linker flag
+
+Recent binutils changes dropping unsupported options [1] caused a build
+issue in regard to the optionroms.
+
+  ld -m elf_i386 -T /<<PKGBUILDDIR>>/pc-bios/optionrom//flat.lds -no-pie \
+    -s -o multiboot.img multiboot.o
+  ld.bfd: Error: unable to disambiguate: -no-pie (did you mean --no-pie ?)
+
+This isn't really a regression in ld.bfd, filing the bug upstream
+revealed that this never worked as a ld flag [2] - in fact it seems we
+were by accident setting --nmagic).
+
+Since it never had the wanted effect this usage of LDFLAGS_NOPIE, should be
+droppable without any effect. This also is the only use-case of LDFLAGS_NOPIE
+in .mak, therefore we can also remove it from being added there.
+
+[1]: https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=983d925d
+[2]: https://sourceware.org/bugzilla/show_bug.cgi?id=27050#c5
+
+Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
+Message-Id: <20201214150938.1297512-1-christian.ehrhardt@canonical.com>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+---
+ configure                  | 3 ---
+ pc-bios/optionrom/Makefile | 1 -
+ 2 files changed, 4 deletions(-)
+
+diff -ur a/configure b/configure
+--- a/configure	2023-10-05 04:04:33.203940722 +0000
++++ b/configure	2023-10-05 04:04:58.968996416 +0000
+@@ -2045,7 +2045,6 @@
+   # check we support --no-pie first...
+   if compile_prog "-Werror -fno-pie" "-no-pie"; then
+     CFLAGS_NOPIE="-fno-pie"
+-    LDFLAGS_NOPIE="-nopie"
+   fi
+ 
+   if compile_prog "-fPIE -DPIE" "-pie"; then
+@@ -7515,7 +7514,6 @@
+   echo "QEMU_CFLAGS  += -Wbitwise -Wno-transparent-union -Wno-old-initializer -Wno-non-pointer-null" >> $config_host_mak
+ fi
+ echo "LDFLAGS=$LDFLAGS" >> $config_host_mak
+-echo "LDFLAGS_NOPIE=$LDFLAGS_NOPIE" >> $config_host_mak
+ echo "QEMU_LDFLAGS=$QEMU_LDFLAGS" >> $config_host_mak
+ echo "LD_REL_FLAGS=$LD_REL_FLAGS" >> $config_host_mak
+ echo "LD_I386_EMULATION=$ld_i386_emulation" >> $config_host_mak
+diff -ur a/pc-bios/optionrom/Makefile b/pc-bios/optionrom/Makefile
+--- a/pc-bios/optionrom/Makefile	2023-10-05 04:04:34.143979321 +0000
++++ b/pc-bios/optionrom/Makefile	2023-10-05 04:06:01.267530732 +0000
+@@ -47,10 +47,10 @@
+ 	$(call quiet-command,$(CPP) $(QEMU_INCLUDES) $(QEMU_DGFLAGS) -c -o - $< | $(AS) $(ASFLAGS) -o $@,"AS","$(TARGET_DIR)$@")
+ 
+ pvh.img: pvh.o pvh_main.o
+-	$(call quiet-command,$(LD) $(LDFLAGS_NOPIE) -m $(LD_I386_EMULATION) -T $(SRC_PATH)/pc-bios/optionrom/flat.lds -s -o $@ $^,"BUILD","$(TARGET_DIR)$@")
++	$(call quiet-command,$(LD) -m $(LD_I386_EMULATION) -T $(SRC_PATH)/pc-bios/optionrom/flat.lds -s -o $@ $^,"BUILD","$(TARGET_DIR)$@")
+ 
+ %.img: %.o
+-	$(call quiet-command,$(LD) $(LDFLAGS_NOPIE) -m $(LD_I386_EMULATION) -T $(SRC_PATH)/pc-bios/optionrom/flat.lds -s -o $@ $<,"BUILD","$(TARGET_DIR)$@")
++	$(call quiet-command,$(LD) -m $(LD_I386_EMULATION) -T $(SRC_PATH)/pc-bios/optionrom/flat.lds -s -o $@ $<,"BUILD","$(TARGET_DIR)$@")
+ 
+ %.raw: %.img
+ 	$(call quiet-command,$(OBJCOPY) -O binary -j .text $< $@,"BUILD","$(TARGET_DIR)$@")
diff --git a/user/qemu/fix-sockios-header.patch b/user/qemu/fix-sockios-header.patch
deleted file mode 100644
index 1f3cd767c..000000000
--- a/user/qemu/fix-sockios-header.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/linux-user/syscall.c b/linux-user/syscall.c
-index 43d0562..afa0ac4 100644
---- a/linux-user/syscall.c
-+++ b/linux-user/syscall.c
-@@ -59,6 +59,7 @@ int __clone2(int (*fn)(void *), void *child_stack_base,
- #include <linux/icmp.h>
- #include <linux/icmpv6.h>
- #include <linux/errqueue.h>
-+#include <linux/sockios.h>
- #include <linux/random.h>
- #include "qemu-common.h"
- #ifdef CONFIG_TIMERFD
- #include <sys/timerfd.h>
diff --git a/user/qemu/time64.patch b/user/qemu/time64.patch
new file mode 100644
index 000000000..342231146
--- /dev/null
+++ b/user/qemu/time64.patch
@@ -0,0 +1,40 @@
+--- qemu-3.0.0/hw/input/virtio-input-host.c.old	2018-08-14 19:10:34.000000000 +0000
++++ qemu-3.0.0/hw/input/virtio-input-host.c	2020-01-24 06:12:08.788062930 +0000
+@@ -193,13 +193,16 @@
+ {
+     VirtIOInputHost *vih = VIRTIO_INPUT_HOST(vinput);
+     struct input_event evdev;
++    struct timeval tv;
+     int rc;
+ 
+-    if (gettimeofday(&evdev.time, NULL)) {
++    if (gettimeofday(&tv, NULL)) {
+         perror("virtio_input_host_handle_status: gettimeofday");
+         return;
+     }
+ 
++    evdev.input_event_sec = tv.tv_sec;
++    evdev.input_event_usec = tv.tv_usec;
+     evdev.type = le16_to_cpu(event->type);
+     evdev.code = le16_to_cpu(event->code);
+     evdev.value = le32_to_cpu(event->value);
+--- qemu-4.2.0/contrib/vhost-user-input/main.c.old	2019-12-12 18:20:47.000000000 +0000
++++ qemu-4.2.0/contrib/vhost-user-input/main.c	2020-06-15 04:46:15.198762807 +0000
+@@ -115,13 +115,16 @@
+ static void vi_handle_status(VuInput *vi, virtio_input_event *event)
+ {
+     struct input_event evdev;
++    struct timeval tv;
+     int rc;
+ 
+-    if (gettimeofday(&evdev.time, NULL)) {
++    if (gettimeofday(&tv, NULL)) {
+         perror("vi_handle_status: gettimeofday");
+         return;
+     }
+ 
++    evdev.input_event_sec = tv.tv_sec;
++    evdev.input_event_usec = tv.tv_usec;
+     evdev.type = le16toh(event->type);
+     evdev.code = le16toh(event->code);
+     evdev.value = le32toh(event->value);