Don't use reserved word 'function' in systemtap files (bz #871286)

Fixes for iscsi dep
Fix -vga vmware crashes (bz #836260)
Fix possible crash with VNC and qxl (bz #919777)
Fix mellanox card passthrough (bz #907996)
Fix QXL migration from F17 to F18 (bz #907916)
Fix kvm module permissions after first install (bz #907215)

0713-vmware_vga-fix-out-of-bounds-and-invalid-rects-updat.patch

@@ -0,0 +1,109 @@
+From 58ef246dd1849e6b18b22c52ccca0a30e6325d1d Mon Sep 17 00:00:00 2001
+From: Michael Tokarev <mjt@tls.msk.ru>
+Date: Fri, 25 Jan 2013 21:23:24 +0400
+Subject: [PATCH] vmware_vga: fix out of bounds and invalid rects updating
+
+This is a follow up for several attempts to fix this issue.
+
+Previous incarnations:
+
+1. http://thread.gmane.org/gmane.linux.ubuntu.bugs.general/3156089
+https://bugs.launchpad.net/bugs/918791
+"qemu-kvm dies when using vmvga driver and unity in the guest" bug.
+Fix by Serge Hallyn:
+ https://launchpadlibrarian.net/94916786/qemu-vmware.debdiff
+This fix is incomplete, since it does not check width and height
+for being negative.  Serge weren't sure if that's the right place
+to fix it, maybe the fix should be up the stack somewhere.
+
+2. http://thread.gmane.org/gmane.comp.emulators.qemu/166064
+by Marek Vasut: "vmware_vga: Redraw only visible area"
+
+This one adds the (incomplete) check to vmsvga_update_rect_delayed(),
+the routine just queues the rect updating but does no interesting
+stuff.  It is also incomplete in the same way as patch by Serge,
+but also does not touch width&height at all after adjusting x&y,
+which is wrong.
+
+As far as I can see, when processing guest requests, the device
+places them into a queue (vmsvga_update_rect_delayed()) and
+processes this queue in different place/time, namely, in
+vmsvga_update_rect().  Sometimes, vmsvga_update_rect() is
+called directly, without placing the request to the gueue.
+This is the place this patch changes, which is the last
+(deepest) in the stack.  I'm not sure if this is the right
+place still, since it is possible we have some queue optimization
+(or may have in the future) which will be upset by negative/wrong
+values here, so maybe we should check for validity of input
+right when receiving request from the guest (and maybe even
+use unsigned types there).  But I don't know the protocol
+and implementation enough to have a definitive answer.
+
+But since vmsvga_update_rect() has other sanity checks already,
+I'm adding the missing ones there as well.
+
+Cc'ing BALATON Zoltan and Andrzej Zaborowski who shows in `git blame'
+output and may know something in this area.
+
+If this patch is accepted, it should be applied to all active
+stable branches (at least since 1.1, maybe even before), with
+minor context change (ds_get_*(s->vga.ds) => s->*).  I'm not
+Cc'ing -stable yet, will do it explicitly once the patch is
+accepted.
+
+BTW, these checks use fprintf(stderr) -- it should be converted
+to something more appropriate, since stderr will most likely
+disappear somewhere.
+
+Cc: Marek Vasut <marex@denx.de>
+CC: Serge Hallyn <serge.hallyn@ubuntu.com>
+Cc: BALATON Zoltan <balaton@eik.bme.hu>
+Cc: Andrzej Zaborowski <balrogg@gmail.com>
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+Reviewed-by: Marek Vasut <marex@denx.de>
+Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
+Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
+(cherry picked from commit 8cb6bfb54e91b1a31a6ae704def595c2099efde1)
+
+Conflicts:
+	hw/vmware_vga.c
+---
+ hw/vmware_vga.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/hw/vmware_vga.c b/hw/vmware_vga.c
+index f5e4f44..4c54946 100644
+--- a/hw/vmware_vga.c
++++ b/hw/vmware_vga.c
+@@ -298,6 +298,15 @@ static inline void vmsvga_update_rect(struct vmsvga_state_s *s,
+     uint8_t *src;
+     uint8_t *dst;
+ 
++    if (x < 0) {
++        fprintf(stderr, "%s: update x was < 0 (%d)\n", __func__, x);
++        w += x;
++        x = 0;
++    }
++    if (w < 0) {
++        fprintf(stderr, "%s: update w was < 0 (%d)\n", __func__, w);
++        w = 0;
++    }
+     if (x + w > s->width) {
+         fprintf(stderr, "%s: update width too large x: %d, w: %d\n",
+                         __FUNCTION__, x, w);
+@@ -305,6 +314,15 @@ static inline void vmsvga_update_rect(struct vmsvga_state_s *s,
+         w = s->width - x;
+     }
+ 
++    if (y < 0) {
++        fprintf(stderr, "%s: update y was < 0 (%d)\n",  __func__, y);
++        h += y;
++        y = 0;
++    }
++    if (h < 0) {
++        fprintf(stderr, "%s: update h was < 0 (%d)\n",  __func__, h);
++        h = 0;
++    }
+     if (y + h > s->height) {
+         fprintf(stderr, "%s: update height too large y: %d, h: %d\n",
+                         __FUNCTION__, y, h);

0714-qxl-better-vga-init-in-enter_vga_mode.patch

@@ -0,0 +1,31 @@
+From e0b3fabbb6833242803f0b02848083e95aeaca6c Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Thu, 28 Feb 2013 11:08:50 +0100
+Subject: [PATCH] qxl: better vga init in enter_vga_mode
+
+Ask the vga core to update the display.  Will trigger dpy_gfx_resize
+if needed.  More complete than just calling dpy_gfx_resize.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit c099e7aa0295678859d58e9e60b7619f6ae3bac8)
+
+Conflicts:
+	hw/qxl.c
+---
+ hw/qxl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/qxl.c b/hw/qxl.c
+index 9418ecb..8374771 100644
+--- a/hw/qxl.c
++++ b/hw/qxl.c
+@@ -1084,8 +1084,8 @@ static void qxl_enter_vga_mode(PCIQXLDevice *d)
+     trace_qxl_enter_vga_mode(d->id);
+     qemu_spice_create_host_primary(&d->ssd);
+     d->mode = QXL_MODE_VGA;
+-    dpy_resize(d->ssd.ds);
+     vga_dirty_log_start(&d->vga);
++    vga_hw_update();
+ }
+ 
+ static void qxl_exit_vga_mode(PCIQXLDevice *d)

0715-pci-assign-Enable-MSIX-on-device-to-match-guest.patch

@@ -0,0 +1,70 @@
+From 96a60c347aa7da64d34b8980ea13f4fd06b3d679 Mon Sep 17 00:00:00 2001
+From: Alex Williamson <alex.williamson@redhat.com>
+Date: Sun, 6 Jan 2013 21:30:31 -0700
+Subject: [PATCH] pci-assign: Enable MSIX on device to match guest
+
+When a guest enables MSIX on a device we evaluate the MSIX vector
+table, typically find no unmasked vectors and don't switch the device
+to MSIX mode.  This generally works fine and the device will be
+switched once the guest enables and therefore unmasks a vector.
+Unfortunately some drivers enable MSIX, then use interfaces to send
+commands between VF & PF or PF & firmware that act based on the host
+state of the device.  These therefore may break when MSIX is managed
+lazily.  This change re-enables the previous test used to enable MSIX
+(see qemu-kvm a6b402c9), which basically guesses whether a vector
+will be used based on the data field of the vector table.
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+(cherry picked from commit feb9a2ab4b0260d8d680a7ffd25063dafc7ec628)
+
+Conflicts:
+	hw/kvm/pci-assign.c
+---
+ hw/kvm/pci-assign.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/hw/kvm/pci-assign.c b/hw/kvm/pci-assign.c
+index 9cce02c..493225f 100644
+--- a/hw/kvm/pci-assign.c
++++ b/hw/kvm/pci-assign.c
+@@ -1046,6 +1046,19 @@ static bool msix_masked(MSIXTableEntry *entry)
+     return (entry->ctrl & cpu_to_le32(0x1)) != 0;
+ }
+ 
++/*
++ * When MSI-X is first enabled the vector table typically has all the
++ * vectors masked, so we can't use that as the obvious test to figure out
++ * how many vectors to initially enable.  Instead we look at the data field
++ * because this is what worked for pci-assign for a long time.  This makes
++ * sure the physical MSI-X state tracks the guest's view, which is important
++ * for some VF/PF and PF/fw communication channels.
++ */
++static bool assigned_dev_msix_skipped(MSIXTableEntry *entry)
++{
++    return !entry->data;
++}
++
+ static int assigned_dev_update_msix_mmio(PCIDevice *pci_dev)
+ {
+     AssignedDevice *adev = DO_UPCAST(AssignedDevice, dev, pci_dev);
+@@ -1056,7 +1069,7 @@ static int assigned_dev_update_msix_mmio(PCIDevice *pci_dev)
+ 
+     /* Get the usable entry number for allocating */
+     for (i = 0; i < adev->msix_max; i++, entry++) {
+-        if (msix_masked(entry)) {
++        if (assigned_dev_msix_skipped(entry)) {
+             continue;
+         }
+         entries_nr++;
+@@ -1085,7 +1098,7 @@ static int assigned_dev_update_msix_mmio(PCIDevice *pci_dev)
+     for (i = 0; i < adev->msix_max; i++, entry++) {
+         adev->msi_virq[i] = -1;
+ 
+-        if (msix_masked(entry)) {
++        if (assigned_dev_msix_skipped(entry)) {
+             continue;
+         }
+ 

0716-qxl-change-rom-size-to-8192.patch

@@ -0,0 +1,60 @@
+From b0929a65ac12a63a5b38f27261b13cf76ef7755e Mon Sep 17 00:00:00 2001
+From: Alon Levy <alevy@redhat.com>
+Date: Mon, 21 Jan 2013 14:48:07 +0200
+Subject: [PATCH] qxl: change rom size to 8192
+
+This is a simpler solution to 869981, where migration breaks since qxl's
+rom bar size has changed. Instead of ignoring fields in QXLRom, which is what has
+actually changed, we remove some of the modes, a mechanism already
+accounted for by the guest. The modes left allow for portrait and
+landscape only modes, corresponding to orientations 0 and 1.
+Orientations 2 and 3 are dropped.
+
+Added assert so that rom size will fit the future QXLRom increases via
+spice-protocol changes.
+
+This patch has been tested with 6.1.0.10015. With the newer 6.1.0.10016
+there are problems with both "(flipped)" modes prior to the patch, and
+the patch loses the ability to set "Portrait" modes. But this is a
+separate bug to be fixed in the driver, and besides the patch doesn't
+affect the new arbitrary mode setting functionality.
+
+Signed-off-by: Alon Levy <alevy@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit 038c1879a00153b14bce113315b693e8c2944fa9)
+---
+ hw/qxl.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/hw/qxl.c b/hw/qxl.c
+index 8374771..6a3467f 100644
+--- a/hw/qxl.c
++++ b/hw/qxl.c
+@@ -93,9 +93,7 @@
+ 
+ #define QXL_MODE_EX(x_res, y_res)                 \
+     QXL_MODE_16_32(x_res, y_res, 0),              \
+-    QXL_MODE_16_32(y_res, x_res, 1),              \
+-    QXL_MODE_16_32(x_res, y_res, 2),              \
+-    QXL_MODE_16_32(y_res, x_res, 3)
++    QXL_MODE_16_32(x_res, y_res, 1)
+ 
+ static QXLMode qxl_modes[] = {
+     QXL_MODE_EX(640, 480),
+@@ -322,10 +320,13 @@ static inline uint32_t msb_mask(uint32_t val)
+ 
+ static ram_addr_t qxl_rom_size(void)
+ {
+-    uint32_t rom_size = sizeof(QXLRom) + sizeof(QXLModes) + sizeof(qxl_modes);
++    uint32_t required_rom_size = sizeof(QXLRom) + sizeof(QXLModes) +
++                                 sizeof(qxl_modes);
++    uint32_t rom_size = 8192; /* two pages */
+ 
+-    rom_size = MAX(rom_size, TARGET_PAGE_SIZE);
+-    rom_size = msb_mask(rom_size * 2 - 1);
++    required_rom_size = MAX(required_rom_size, TARGET_PAGE_SIZE);
++    required_rom_size = msb_mask(required_rom_size * 2 - 1);
++    assert(required_rom_size <= rom_size);
+     return rom_size;
+ }
+ 

0717-qxl-Add-rom_size-compat-property-fix-migration-from-.patch

@@ -0,0 +1,84 @@
+From cf8919bea07deeaa6cc07fd3f8ff000b13a7fac1 Mon Sep 17 00:00:00 2001
+From: Cole Robinson <crobinso@redhat.com>
+Date: Mon, 1 Apr 2013 20:02:59 -0400
+Subject: [PATCH] qxl: Add rom_size compat property, fix migration from 1.2
+
+Commit 038c1879a00153b14bce113315b693e8c2944fa9 changed the qxl rom
+size to 8192, which fixes incoming migration from qemu 1.0. However
+from qemu 1.2 and 1.3 had rom size 16384, so incoming migration
+from those versions is now broken.
+
+Add a rom_size compat property. 1.2+ get 16384, everything else is
+8192.
+
+This isn't actually fool proof, since rom_size can be dependent on
+the version of spice qemu is built against:
+
+https://lists.gnu.org/archive/html/qemu-devel/2013-02/msg03154.html
+
+However these sizes match what native Fedora packages get, so it's
+good enough for now.
+---
+ hw/pc_piix.c | 8 ++++++++
+ hw/qxl.c     | 9 ++++-----
+ 2 files changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/hw/pc_piix.c b/hw/pc_piix.c
+index a771d79..c0af9b8 100644
+--- a/hw/pc_piix.c
++++ b/hw/pc_piix.c
+@@ -398,6 +398,14 @@ static QEMUMachine pc_machine_v1_2 = {
+             .driver   = "virtio-blk-pci",\
+             .property = "config-wce",\
+             .value    = "off",\
++        },{ \
++            .driver   = "qxl", \
++            .property = "rom_size", \
++            .value    = stringify(8192), \
++        },{\
++            .driver   = "qxl-vga", \
++            .property = "rom_size", \
++            .value    = stringify(8192), \
+         }
+ 
+ static QEMUMachine pc_machine_v1_1 = {
+diff --git a/hw/qxl.c b/hw/qxl.c
+index 6a3467f..93fddb1 100644
+--- a/hw/qxl.c
++++ b/hw/qxl.c
+@@ -318,16 +318,14 @@ static inline uint32_t msb_mask(uint32_t val)
+     return mask;
+ }
+ 
+-static ram_addr_t qxl_rom_size(void)
++static void check_qxl_rom_size(PCIQXLDevice *d)
+ {
+     uint32_t required_rom_size = sizeof(QXLRom) + sizeof(QXLModes) +
+                                  sizeof(qxl_modes);
+-    uint32_t rom_size = 8192; /* two pages */
+ 
+     required_rom_size = MAX(required_rom_size, TARGET_PAGE_SIZE);
+     required_rom_size = msb_mask(required_rom_size * 2 - 1);
+-    assert(required_rom_size <= rom_size);
+-    return rom_size;
++    assert(required_rom_size <= d->rom_size);
+ }
+ 
+ static void init_qxl_rom(PCIQXLDevice *d)
+@@ -1987,7 +1985,7 @@ static int qxl_init_common(PCIQXLDevice *qxl)
+     pci_set_byte(&config[PCI_REVISION_ID], pci_device_rev);
+     pci_set_byte(&config[PCI_INTERRUPT_PIN], 1);
+ 
+-    qxl->rom_size = qxl_rom_size();
++    check_qxl_rom_size(qxl);
+     memory_region_init_ram(&qxl->rom_bar, "qxl.vrom", qxl->rom_size);
+     vmstate_register_ram(&qxl->rom_bar, &qxl->pci.qdev);
+     init_qxl_rom(qxl);
+@@ -2303,6 +2301,7 @@ static Property qxl_properties[] = {
+         DEFINE_PROP_UINT32("vram64_size_mb", PCIQXLDevice, vram_size_mb, -1),
+         DEFINE_PROP_UINT32("vgamem_mb", PCIQXLDevice, vgamem_size_mb, 16),
+         DEFINE_PROP_INT32("surfaces", PCIQXLDevice, ssd.num_surfaces, 1024),
++        DEFINE_PROP_UINT32("rom_size", PCIQXLDevice, rom_size, 16384),
+         DEFINE_PROP_END_OF_LIST(),
+ };
+ 

qemu.spec

@@ -109,7 +109,7 @@
 Summary: QEMU is a FAST! processor emulator
 Name: qemu
 Version: 1.2.2
-Release: 7%{?dist}
+Release: 8%{?dist}
 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
 Epoch: 2
 License: GPLv2+ and LGPLv2+ and BSD
@@ -149,7 +149,6 @@ Source10: qemu-guest-agent.service
 Source11: 99-qemu-guest-agent.rules
 Source12: bridge.conf
 
-
 # Stable 1.2.1 patches
 Patch0001: 0001-target-xtensa-convert-host-errno-values-to-guest.patch
 Patch0002: 0002-target-cris-Fix-buffer-overflow.patch
@@ -519,23 +518,33 @@ Patch0635: 0635-usb-redir-Don-t-make-migration-fail-in-none-seamless.patch
 Patch0701: 0701-mips-Fix-link-error-with-piix4_pm_init.patch
 # Add ./configure --disable-kvm-options
 Patch0702: 0702-configure-Add-disable-kvm-options.patch
-# Fix loading arm initrd if kernel is very large (bz 862766)
+# Fix loading arm initrd if kernel is very large (bz #862766)
 Patch0703: 0703-arm_boot-Change-initrd-load-address-to-halfway-throu.patch
-# libcacard build fixes
+# Don't use reserved word 'function' in systemtap files (bz #871286)
 Patch0704: 0704-dtrace-backend-add-function-to-reserved-words.patch
+# libcacard build fixes
 Patch0705: 0705-libcacard-fix-missing-symbols-in-libcacard.so.patch
 Patch0706: 0706-configure-move-vscclient-binary-under-libcacard.patch
-# Fix libvirt + seccomp combo (bz 855162)
 Patch0707: 0707-libcacard-fix-missing-symbol-in-libcacard.so.patch
-# CVE-2012-6075: Buffer overflow in e1000 nic (bz 889301, bz 889304)
+# Fix libvirt + seccomp combo (bz #855162)
 Patch0708: 0708-seccomp-adding-new-syscalls-bugzilla-855162.patch
-# Fix boot hang if console is not connected (bz 894451)
+# CVE-2012-6075: Buffer overflow in e1000 nic (bz #889301, bz #889304)
 Patch0709: 0709-e1000-Discard-oversized-packets-based-on-SBP-LPE.patch
-# Fix segfault with zero length virtio-scsi disk (bz 847549)
+# Fix boot hang if console is not connected (bz #894451)
 Patch0710: 0710-Revert-serial-fix-retry-logic.patch
+# Fix segfault with zero length virtio-scsi disk (bz #847549)
 Patch0711: 0711-scsi-fix-segfault-with-0-byte-disk.patch
-# Adapt to libiscsi packaging in Fedora (included upstream)
+# Fixes for iscsi dep
 Patch0712: 0712-iscsi-look-for-pkg-config-file-too.patch
+# Fix -vga vmware crashes (bz #836260)
+Patch0713: 0713-vmware_vga-fix-out-of-bounds-and-invalid-rects-updat.patch
+# Fix possible crash with VNC and qxl (bz #919777)
+Patch0714: 0714-qxl-better-vga-init-in-enter_vga_mode.patch
+# Fix mellanox card passthrough (bz #907996)
+Patch0715: 0715-pci-assign-Enable-MSIX-on-device-to-match-guest.patch
+# Fix QXL migration from F17 to F18 (bz #907916)
+Patch0716: 0716-qxl-change-rom-size-to-8192.patch
+Patch0717: 0717-qxl-Add-rom_size-compat-property-fix-migration-from-.patch
 
 
 BuildRequires: SDL-devel
@@ -1341,23 +1350,33 @@ CAC emulation development files.
 %patch0701 -p1
 # Add ./configure --disable-kvm-options
 %patch0702 -p1
-# Fix loading arm initrd if kernel is very large (bz 862766)
+# Fix loading arm initrd if kernel is very large (bz #862766)
 %patch0703 -p1
-# libcacard build fixes
+# Don't use reserved word 'function' in systemtap files (bz #871286)
 %patch0704 -p1
+# libcacard build fixes
 %patch0705 -p1
 %patch0706 -p1
-# Fix libvirt + seccomp combo (bz 855162)
 %patch0707 -p1
-# CVE-2012-6075: Buffer overflow in e1000 nic (bz 889301, bz 889304)
+# Fix libvirt + seccomp combo (bz #855162)
 %patch0708 -p1
-# Fix boot hang if console is not connected (bz 894451)
+# CVE-2012-6075: Buffer overflow in e1000 nic (bz #889301, bz #889304)
 %patch0709 -p1
-# Fix segfault with zero length virtio-scsi disk (bz 847549)
+# Fix boot hang if console is not connected (bz #894451)
 %patch0710 -p1
+# Fix segfault with zero length virtio-scsi disk (bz #847549)
 %patch0711 -p1
-# Adapt to libiscsi packaging in Fedora (included upstream)
+# Fixes for iscsi dep
 %patch0712 -p1
+# Fix -vga vmware crashes (bz #836260)
+%patch0713 -p1
+# Fix possible crash with VNC and qxl (bz #919777)
+%patch0714 -p1
+# Fix mellanox card passthrough (bz #907996)
+%patch0715 -p1
+# Fix QXL migration from F17 to F18 (bz #907916)
+%patch0716 -p1
+%patch0717 -p1
 
 
 %build
@@ -1636,7 +1655,7 @@ make check
 # load kvm modules now, so we can make sure no reboot is needed.
 # If there's already a kvm module installed, we don't mess with it
 sh %{_sysconfdir}/sysconfig/modules/kvm.modules || :
-udevadm trigger --sysname-match=kvm || :
+udevadm trigger --subsystem-match=misc --sysname-match=kvm --action=add || :
 %endif
 
 
@@ -1967,6 +1986,15 @@ getent passwd qemu >/dev/null || \
 %{_libdir}/pkgconfig/libcacard.pc
 
 %changelog
+* Mon Apr 01 2013 Cole Robinson <crobinso@redhat.com> - 2:1.2.2-8
+- Don't use reserved word 'function' in systemtap files (bz #871286)
+- Fixes for iscsi dep
+- Fix -vga vmware crashes (bz #836260)
+- Fix possible crash with VNC and qxl (bz #919777)
+- Fix mellanox card passthrough (bz #907996)
+- Fix QXL migration from F17 to F18 (bz #907916)
+- Fix kvm module permissions after first install (bz #907215)
+
 * Mon Mar 11 2013 Paolo Bonzini <pbonzini@redhat.com> - 2:1.2.2-7
 - Added libiscsi-devel BuildRequires
 - Use pkg-config to search for libiscsi