Rebase to qemu-5.2.0-rc4

Signed-off-by: Cole Robinson <crobinso@redhat.com>

.gitignore

@@ -1,4 +1,4 @@
 /.build*.log
 /x86_64/
 /*.src.rpm
-/qemu-*.tar.bz2
+/qemu-*.tar.xz

0001-spice-F24-spice-has-backported-gl-support.patch

@@ -1,23 +0,0 @@
-From: Pavel Grunt <pgrunt@redhat.com>
-Date: Fri, 11 Mar 2016 14:40:59 +0100
-Subject: [PATCH] spice: F24 spice has backported gl support
-
-Not for upstream, this just adjusts the version check to work with
-f24 backported spice gl support
----
- include/ui/spice-display.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/include/ui/spice-display.h b/include/ui/spice-display.h
-index 30ccfe3..00e4a0b 100644
---- a/include/ui/spice-display.h
-+++ b/include/ui/spice-display.h
-@@ -25,7 +25,7 @@
- #include "sysemu/sysemu.h"
- 
- #if defined(CONFIG_OPENGL_DMABUF)
--# if SPICE_SERVER_VERSION >= 0x000d01 /* release 0.13.1 */
-+# if SPICE_SERVER_VERSION >= 0x000c07 /* release 0.12.7 */
- #  define HAVE_SPICE_GL 1
- #  include "ui/egl-helpers.h"
- #  include "ui/egl-context.h"

0002-ui-gtk-fix-crash-when-terminal-inner-border-is-NULL.patch

@@ -1,33 +0,0 @@
-From: Cole Robinson <crobinso@redhat.com>
-Date: Thu, 5 May 2016 19:39:38 -0400
-Subject: [PATCH] ui: gtk: fix crash when terminal inner-border is NULL
-
-VTE terminal inner-border can be NULL. The vte-0.36 (API 2.90)
-code checks for the condition too so I assume it's not just a bug
-
-Fixes a crash on Fedora 24 with gtk 3.20
----
- ui/gtk.c | 10 ++++++----
- 1 file changed, 6 insertions(+), 4 deletions(-)
-
-diff --git a/ui/gtk.c b/ui/gtk.c
-index f372a6d..9876d89 100644
---- a/ui/gtk.c
-+++ b/ui/gtk.c
-@@ -340,10 +340,12 @@ static void gd_update_geometry_hints(VirtualConsole *vc)
-         geo.min_height = geo.height_inc * VC_TERM_Y_MIN;
-         mask |= GDK_HINT_MIN_SIZE;
-         gtk_widget_style_get(vc->vte.terminal, "inner-border", &ib, NULL);
--        geo.base_width  += ib->left + ib->right;
--        geo.base_height += ib->top + ib->bottom;
--        geo.min_width   += ib->left + ib->right;
--        geo.min_height  += ib->top + ib->bottom;
-+        if (ib) {
-+            geo.base_width  += ib->left + ib->right;
-+            geo.base_height += ib->top + ib->bottom;
-+            geo.min_width   += ib->left + ib->right;
-+            geo.min_height  += ib->top + ib->bottom;
-+        }
-         geo_widget = vc->vte.terminal;
- #endif
-     }

0003-ui-sdl2-Release-grab-before-opening-console-window.patch

@@ -1,48 +0,0 @@
-From: Cole Robinson <crobinso@redhat.com>
-Date: Fri, 6 May 2016 12:36:46 -0400
-Subject: [PATCH] ui: sdl2: Release grab before opening console window
-
-sdl 2.0.4 currently has a bug which causes our UI shortcuts to fire
-rapidly in succession:
-
-  https://bugzilla.libsdl.org/show_bug.cgi?id=3287
-
-It's a toss up whether ctrl+alt+f or ctrl+alt+2 will fire an
-odd or even number of times, thus determining whether the action
-succeeds or fails.
-
-Opening monitor/serial windows is doubly broken, since it will often
-lock the UI trying to grab the pointer:
-
-  0x00007fffef3720a5 in SDL_Delay_REAL () at /lib64/libSDL2-2.0.so.0
-  0x00007fffef3688ba in X11_SetWindowGrab () at /lib64/libSDL2-2.0.so.0
-  0x00007fffef2f2da7 in SDL_SendWindowEvent () at /lib64/libSDL2-2.0.so.0
-  0x00007fffef2f080b in SDL_SetKeyboardFocus () at /lib64/libSDL2-2.0.so.0
-  0x00007fffef35d784 in X11_DispatchFocusIn.isra.8 () at /lib64/libSDL2-2.0.so.0
-  0x00007fffef35dbce in X11_DispatchEvent () at /lib64/libSDL2-2.0.so.0
-  0x00007fffef35ee4a in X11_PumpEvents () at /lib64/libSDL2-2.0.so.0
-  0x00007fffef2eea6a in SDL_PumpEvents_REAL () at /lib64/libSDL2-2.0.so.0
-  0x00007fffef2eeab5 in SDL_WaitEventTimeout_REAL () at /lib64/libSDL2-2.0.so.0
-  0x000055555597eed0 in sdl2_poll_events (scon=0x55555876f928) at ui/sdl2.c:593
-
-We can work around that hang by ungrabbing the pointer before launching
-a new window. This roughly matches what our sdl1 code does
----
- ui/sdl2.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/ui/sdl2.c b/ui/sdl2.c
-index d042442..909038f 100644
---- a/ui/sdl2.c
-+++ b/ui/sdl2.c
-@@ -357,6 +357,10 @@ static void handle_keydown(SDL_Event *ev)
-         case SDL_SCANCODE_7:
-         case SDL_SCANCODE_8:
-         case SDL_SCANCODE_9:
-+            if (gui_grab) {
-+                sdl_grab_end(scon);
-+            }
-+
-             win = ev->key.keysym.scancode - SDL_SCANCODE_1;
-             if (win < sdl2_num_outputs) {
-                 sdl2_console[win].hidden = !sdl2_console[win].hidden;

0004-ui-spice-Exit-if-gl-on-EGL-init-fails.patch

@@ -1,30 +0,0 @@
-From: Cole Robinson <crobinso@redhat.com>
-Date: Wed, 18 May 2016 11:44:33 -0400
-Subject: [PATCH] ui: spice: Exit if gl=on EGL init fails
-
-The user explicitly requested spice GL, so if we know it isn't
-going to work we should exit
-
-Signed-off-by: Cole Robinson <crobinso@redhat.com>
----
- ui/spice-core.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/ui/spice-core.c b/ui/spice-core.c
-index 61db3c1..da05054 100644
---- a/ui/spice-core.c
-+++ b/ui/spice-core.c
-@@ -833,9 +833,11 @@ void qemu_spice_init(void)
-                          "incompatible with -spice port/tls-port");
-             exit(1);
-         }
--        if (egl_rendernode_init() == 0) {
--            display_opengl = 1;
-+        if (egl_rendernode_init() != 0) {
-+            error_report("Failed to initialize EGL render node for SPICE GL");
-+            exit(1);
-         }
-+        display_opengl = 1;
-     }
- #endif
- }

0005-spice-gl-add-use-qemu_spice_gl_monitor_config.patch

@@ -1,83 +0,0 @@
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Wed, 3 Feb 2016 13:55:00 +0100
-Subject: [PATCH] spice/gl: add & use qemu_spice_gl_monitor_config
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-(cherry picked from commit 39414ef4e93db9041e463a097084a407d0d374f0)
----
- include/ui/spice-display.h |  1 +
- ui/spice-display.c         | 30 ++++++++++++++++++++++++++++++
- 2 files changed, 31 insertions(+)
-
-diff --git a/include/ui/spice-display.h b/include/ui/spice-display.h
-index 00e4a0b..3c679e8 100644
---- a/include/ui/spice-display.h
-+++ b/include/ui/spice-display.h
-@@ -71,6 +71,7 @@ typedef struct QXLCookie {
-             QXLRect area;
-             int redraw;
-         } render;
-+        void *data;
-     } u;
- } QXLCookie;
- 
-diff --git a/ui/spice-display.c b/ui/spice-display.c
-index 242ab5f..2a77a54 100644
---- a/ui/spice-display.c
-+++ b/ui/spice-display.c
-@@ -660,6 +660,11 @@ static void interface_async_complete(QXLInstance *sin, uint64_t cookie_token)
-         qemu_bh_schedule(ssd->gl_unblock_bh);
-         break;
-     }
-+    case QXL_COOKIE_TYPE_IO:
-+        if (cookie->io == QXL_IO_MONITORS_CONFIG_ASYNC) {
-+            g_free(cookie->u.data);
-+        }
-+        break;
- #endif
-     default:
-         /* should never be called, used in qxl native mode only */
-@@ -795,6 +800,29 @@ static const DisplayChangeListenerOps display_listener_ops = {
- 
- #ifdef HAVE_SPICE_GL
- 
-+static void qemu_spice_gl_monitor_config(SimpleSpiceDisplay *ssd,
-+                                         int x, int y, int w, int h)
-+{
-+    QXLMonitorsConfig *config;
-+    QXLCookie *cookie;
-+
-+    config = g_malloc0(sizeof(QXLMonitorsConfig) + sizeof(QXLHead));
-+    config->count = 1;
-+    config->max_allowed = 1;
-+    config->heads[0].x = x;
-+    config->heads[0].y = y;
-+    config->heads[0].width = w;
-+    config->heads[0].height = h;
-+    cookie = qxl_cookie_new(QXL_COOKIE_TYPE_IO,
-+                            QXL_IO_MONITORS_CONFIG_ASYNC);
-+    cookie->u.data = config;
-+
-+    spice_qxl_monitors_config_async(&ssd->qxl,
-+                                    (uintptr_t)config,
-+                                    MEMSLOT_GROUP_HOST,
-+                                    (uintptr_t)cookie);
-+}
-+
- static void qemu_spice_gl_block(SimpleSpiceDisplay *ssd, bool block)
- {
-     uint64_t timeout;
-@@ -858,6 +886,8 @@ static void qemu_spice_gl_scanout(DisplayChangeListener *dcl,
-                          surface_width(ssd->ds),
-                          surface_height(ssd->ds),
-                          stride, fourcc, y_0_top);
-+
-+    qemu_spice_gl_monitor_config(ssd, x, y, w, h);
- }
- 
- static void qemu_spice_gl_update(DisplayChangeListener *dcl,

0006-i386-kvmvapic-initialise-imm32-variable.patch

@@ -1,32 +0,0 @@
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Thu, 7 Apr 2016 12:50:08 +0530
-Subject: [PATCH] i386: kvmvapic: initialise imm32 variable
-
-When processing Task Priorty Register(TPR) access, it could leak
-automatic stack variable 'imm32' in patch_instruction().
-Initialise the variable to avoid it.
-
-Reported by: Donghai Zdh <donghai.zdh@alibaba-inc.com>
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Message-Id: <1460013608-16670-1-git-send-email-ppandit@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-
-(cherry picked from commit 691a02e2ce0c413236a78dee6f2651c937b09fb0)
----
- hw/i386/kvmvapic.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/i386/kvmvapic.c b/hw/i386/kvmvapic.c
-index c69f374..ff1e31a 100644
---- a/hw/i386/kvmvapic.c
-+++ b/hw/i386/kvmvapic.c
-@@ -394,7 +394,7 @@ static void patch_instruction(VAPICROMState *s, X86CPU *cpu, target_ulong ip)
-     CPUX86State *env = &cpu->env;
-     VAPICHandlers *handlers;
-     uint8_t opcode[2];
--    uint32_t imm32;
-+    uint32_t imm32 = 0;
-     target_ulong current_pc = 0;
-     target_ulong current_cs_base = 0;
-     int current_flags = 0;

0007-esp-check-command-buffer-length-before-write-CVE-201.patch

@@ -1,39 +0,0 @@
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Thu, 19 May 2016 16:09:30 +0530
-Subject: [PATCH] esp: check command buffer length before write(CVE-2016-4439)
-
-The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte
-FIFO buffer. It is used to handle command and data transfer. While
-writing to this command buffer 's->cmdbuf[TI_BUFSZ=16]', a check
-was missing to validate input length. Add check to avoid OOB write
-access.
-
-Fixes CVE-2016-4439.
-
-Reported-by: Li Qiang <liqiang6-s@360.cn>
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Message-Id: <1463654371-11169-2-git-send-email-ppandit@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit c98c6c105f66f05aa0b7c1d2a4a3f716450907ef)
----
- hw/scsi/esp.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
-index 8961be2..01497e6 100644
---- a/hw/scsi/esp.c
-+++ b/hw/scsi/esp.c
-@@ -448,7 +448,11 @@ void esp_reg_write(ESPState *s, uint32_t saddr, uint64_t val)
-         break;
-     case ESP_FIFO:
-         if (s->do_cmd) {
--            s->cmdbuf[s->cmdlen++] = val & 0xff;
-+            if (s->cmdlen < TI_BUFSZ) {
-+                s->cmdbuf[s->cmdlen++] = val & 0xff;
-+            } else {
-+                trace_esp_error_fifo_overrun();
-+            }
-         } else if (s->ti_size == TI_BUFSZ - 1) {
-             trace_esp_error_fifo_overrun();
-         } else {

0008-esp-check-dma-length-before-reading-scsi-command-CVE.patch

@@ -1,73 +0,0 @@
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Thu, 19 May 2016 16:09:31 +0530
-Subject: [PATCH] esp: check dma length before reading scsi
- command(CVE-2016-4441)
-
-The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte
-FIFO buffer. It is used to handle command and data transfer.
-Routine get_cmd() uses DMA to read scsi commands into this buffer.
-Add check to validate DMA length against buffer size to avoid any
-overrun.
-
-Fixes CVE-2016-4441.
-
-Reported-by: Li Qiang <liqiang6-s@360.cn>
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Message-Id: <1463654371-11169-3-git-send-email-ppandit@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit 6c1fef6b59563cc415f21e03f81539ed4b33ad90)
----
- hw/scsi/esp.c | 11 +++++++----
- 1 file changed, 7 insertions(+), 4 deletions(-)
-
-diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
-index 01497e6..591c817 100644
---- a/hw/scsi/esp.c
-+++ b/hw/scsi/esp.c
-@@ -82,7 +82,7 @@ void esp_request_cancelled(SCSIRequest *req)
-     }
- }
- 
--static uint32_t get_cmd(ESPState *s, uint8_t *buf)
-+static uint32_t get_cmd(ESPState *s, uint8_t *buf, uint8_t buflen)
- {
-     uint32_t dmalen;
-     int target;
-@@ -92,6 +92,9 @@ static uint32_t get_cmd(ESPState *s, uint8_t *buf)
-         dmalen = s->rregs[ESP_TCLO];
-         dmalen |= s->rregs[ESP_TCMID] << 8;
-         dmalen |= s->rregs[ESP_TCHI] << 16;
-+        if (dmalen > buflen) {
-+            return 0;
-+        }
-         s->dma_memory_read(s->dma_opaque, buf, dmalen);
-     } else {
-         dmalen = s->ti_size;
-@@ -166,7 +169,7 @@ static void handle_satn(ESPState *s)
-         s->dma_cb = handle_satn;
-         return;
-     }
--    len = get_cmd(s, buf);
-+    len = get_cmd(s, buf, sizeof(buf));
-     if (len)
-         do_cmd(s, buf);
- }
-@@ -180,7 +183,7 @@ static void handle_s_without_atn(ESPState *s)
-         s->dma_cb = handle_s_without_atn;
-         return;
-     }
--    len = get_cmd(s, buf);
-+    len = get_cmd(s, buf, sizeof(buf));
-     if (len) {
-         do_busid_cmd(s, buf, 0);
-     }
-@@ -192,7 +195,7 @@ static void handle_satn_stop(ESPState *s)
-         s->dma_cb = handle_satn_stop;
-         return;
-     }
--    s->cmdlen = get_cmd(s, s->cmdbuf);
-+    s->cmdlen = get_cmd(s, s->cmdbuf, sizeof(s->cmdbuf));
-     if (s->cmdlen) {
-         trace_esp_handle_satn_stop(s->cmdlen);
-         s->do_cmd = 1;

0009-vga-add-sr_vbe-register-set.patch

@@ -1,233 +0,0 @@
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Tue, 17 May 2016 10:54:54 +0200
-Subject: [PATCH] vga: add sr_vbe register set
-
-Commit "fd3c136 vga: make sure vga register setup for vbe stays intact
-(CVE-2016-3712)." causes a regression.  The win7 installer is unhappy
-because it can't freely modify vga registers any more while in vbe mode.
-
-This patch introduces a new sr_vbe register set.  The vbe_update_vgaregs
-will fill sr_vbe[] instead of sr[].  Normal vga register reads and
-writes go to sr[].  Any sr register read access happens through a new
-sr() helper function which will read from sr_vbe[] with vbe active and
-from sr[] otherwise.
-
-This way we can allow guests update sr[] registers as they want, without
-allowing them disrupt vbe video modes that way.
-
-Cc: qemu-stable@nongnu.org
-Reported-by: Thomas Lamprecht <thomas@lamprecht.org>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Message-id: 1463475294-14119-1-git-send-email-kraxel@redhat.com
-(cherry picked from commit 94ef4f337fb614f18b765a8e0e878a4c23cdedcd)
----
- hw/display/vga.c     | 50 ++++++++++++++++++++++++++++----------------------
- hw/display/vga_int.h |  1 +
- 2 files changed, 29 insertions(+), 22 deletions(-)
-
-diff --git a/hw/display/vga.c b/hw/display/vga.c
-index 4a55ec6..9ebc54f 100644
---- a/hw/display/vga.c
-+++ b/hw/display/vga.c
-@@ -149,6 +149,11 @@ static inline bool vbe_enabled(VGACommonState *s)
-     return s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED;
- }
- 
-+static inline uint8_t sr(VGACommonState *s, int idx)
-+{
-+    return vbe_enabled(s) ? s->sr_vbe[idx] : s->sr[idx];
-+}
-+
- static void vga_update_memory_access(VGACommonState *s)
- {
-     hwaddr base, offset, size;
-@@ -163,8 +168,8 @@ static void vga_update_memory_access(VGACommonState *s)
-         s->has_chain4_alias = false;
-         s->plane_updated = 0xf;
-     }
--    if ((s->sr[VGA_SEQ_PLANE_WRITE] & VGA_SR02_ALL_PLANES) ==
--        VGA_SR02_ALL_PLANES && s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) {
-+    if ((sr(s, VGA_SEQ_PLANE_WRITE) & VGA_SR02_ALL_PLANES) ==
-+        VGA_SR02_ALL_PLANES && sr(s, VGA_SEQ_MEMORY_MODE) & VGA_SR04_CHN_4M) {
-         offset = 0;
-         switch ((s->gr[VGA_GFX_MISC] >> 2) & 3) {
-         case 0:
-@@ -234,7 +239,7 @@ static void vga_precise_update_retrace_info(VGACommonState *s)
-           ((s->cr[VGA_CRTC_OVERFLOW] >> 6) & 2)) << 8);
-     vretr_end_line = s->cr[VGA_CRTC_V_SYNC_END] & 0xf;
- 
--    clocking_mode = (s->sr[VGA_SEQ_CLOCK_MODE] >> 3) & 1;
-+    clocking_mode = (sr(s, VGA_SEQ_CLOCK_MODE) >> 3) & 1;
-     clock_sel = (s->msr >> 2) & 3;
-     dots = (s->msr & 1) ? 8 : 9;
- 
-@@ -486,7 +491,6 @@ void vga_ioport_write(void *opaque, uint32_t addr, uint32_t val)
-         printf("vga: write SR%x = 0x%02x\n", s->sr_index, val);
- #endif
-         s->sr[s->sr_index] = val & sr_mask[s->sr_index];
--        vbe_update_vgaregs(s);
-         if (s->sr_index == VGA_SEQ_CLOCK_MODE) {
-             s->update_retrace_info(s);
-         }
-@@ -680,13 +684,13 @@ static void vbe_update_vgaregs(VGACommonState *s)
- 
-     if (s->vbe_regs[VBE_DISPI_INDEX_BPP] == 4) {
-         shift_control = 0;
--        s->sr[VGA_SEQ_CLOCK_MODE] &= ~8; /* no double line */
-+        s->sr_vbe[VGA_SEQ_CLOCK_MODE] &= ~8; /* no double line */
-     } else {
-         shift_control = 2;
-         /* set chain 4 mode */
--        s->sr[VGA_SEQ_MEMORY_MODE] |= VGA_SR04_CHN_4M;
-+        s->sr_vbe[VGA_SEQ_MEMORY_MODE] |= VGA_SR04_CHN_4M;
-         /* activate all planes */
--        s->sr[VGA_SEQ_PLANE_WRITE] |= VGA_SR02_ALL_PLANES;
-+        s->sr_vbe[VGA_SEQ_PLANE_WRITE] |= VGA_SR02_ALL_PLANES;
-     }
-     s->gr[VGA_GFX_MODE] = (s->gr[VGA_GFX_MODE] & ~0x60) |
-         (shift_control << 5);
-@@ -836,7 +840,7 @@ uint32_t vga_mem_readb(VGACommonState *s, hwaddr addr)
-         break;
-     }
- 
--    if (s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) {
-+    if (sr(s, VGA_SEQ_MEMORY_MODE) & VGA_SR04_CHN_4M) {
-         /* chain 4 mode : simplest access */
-         assert(addr < s->vram_size);
-         ret = s->vram_ptr[addr];
-@@ -904,11 +908,11 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val)
-         break;
-     }
- 
--    if (s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) {
-+    if (sr(s, VGA_SEQ_MEMORY_MODE) & VGA_SR04_CHN_4M) {
-         /* chain 4 mode : simplest access */
-         plane = addr & 3;
-         mask = (1 << plane);
--        if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) {
-+        if (sr(s, VGA_SEQ_PLANE_WRITE) & mask) {
-             assert(addr < s->vram_size);
-             s->vram_ptr[addr] = val;
- #ifdef DEBUG_VGA_MEM
-@@ -921,7 +925,7 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val)
-         /* odd/even mode (aka text mode mapping) */
-         plane = (s->gr[VGA_GFX_PLANE_READ] & 2) | (addr & 1);
-         mask = (1 << plane);
--        if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) {
-+        if (sr(s, VGA_SEQ_PLANE_WRITE) & mask) {
-             addr = ((addr & ~1) << 1) | plane;
-             if (addr >= s->vram_size) {
-                 return;
-@@ -996,7 +1000,7 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val)
- 
-     do_write:
-         /* mask data according to sr[2] */
--        mask = s->sr[VGA_SEQ_PLANE_WRITE];
-+        mask = sr(s, VGA_SEQ_PLANE_WRITE);
-         s->plane_updated |= mask; /* only used to detect font change */
-         write_mask = mask16[mask];
-         if (addr * sizeof(uint32_t) >= s->vram_size) {
-@@ -1152,10 +1156,10 @@ static void vga_get_text_resolution(VGACommonState *s, int *pwidth, int *pheight
-     /* total width & height */
-     cheight = (s->cr[VGA_CRTC_MAX_SCAN] & 0x1f) + 1;
-     cwidth = 8;
--    if (!(s->sr[VGA_SEQ_CLOCK_MODE] & VGA_SR01_CHAR_CLK_8DOTS)) {
-+    if (!(sr(s, VGA_SEQ_CLOCK_MODE) & VGA_SR01_CHAR_CLK_8DOTS)) {
-         cwidth = 9;
-     }
--    if (s->sr[VGA_SEQ_CLOCK_MODE] & 0x08) {
-+    if (sr(s, VGA_SEQ_CLOCK_MODE) & 0x08) {
-         cwidth = 16; /* NOTE: no 18 pixel wide */
-     }
-     width = (s->cr[VGA_CRTC_H_DISP] + 1);
-@@ -1197,7 +1201,7 @@ static void vga_draw_text(VGACommonState *s, int full_update)
-     int64_t now = qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL);
- 
-     /* compute font data address (in plane 2) */
--    v = s->sr[VGA_SEQ_CHARACTER_MAP];
-+    v = sr(s, VGA_SEQ_CHARACTER_MAP);
-     offset = (((v >> 4) & 1) | ((v << 1) & 6)) * 8192 * 4 + 2;
-     if (offset != s->font_offsets[0]) {
-         s->font_offsets[0] = offset;
-@@ -1506,11 +1510,11 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
-     }
- 
-     if (shift_control == 0) {
--        if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) {
-+        if (sr(s, VGA_SEQ_CLOCK_MODE) & 8) {
-             disp_width <<= 1;
-         }
-     } else if (shift_control == 1) {
--        if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) {
-+        if (sr(s, VGA_SEQ_CLOCK_MODE) & 8) {
-             disp_width <<= 1;
-         }
-     }
-@@ -1574,7 +1578,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
- 
-     if (shift_control == 0) {
-         full_update |= update_palette16(s);
--        if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) {
-+        if (sr(s, VGA_SEQ_CLOCK_MODE) & 8) {
-             v = VGA_DRAW_LINE4D2;
-         } else {
-             v = VGA_DRAW_LINE4;
-@@ -1582,7 +1586,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
-         bits = 4;
-     } else if (shift_control == 1) {
-         full_update |= update_palette16(s);
--        if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) {
-+        if (sr(s, VGA_SEQ_CLOCK_MODE) & 8) {
-             v = VGA_DRAW_LINE2D2;
-         } else {
-             v = VGA_DRAW_LINE2;
-@@ -1629,7 +1633,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
- #if 0
-     printf("w=%d h=%d v=%d line_offset=%d cr[0x09]=0x%02x cr[0x17]=0x%02x linecmp=%d sr[0x01]=0x%02x\n",
-            width, height, v, line_offset, s->cr[9], s->cr[VGA_CRTC_MODE],
--           s->line_compare, s->sr[VGA_SEQ_CLOCK_MODE]);
-+           s->line_compare, sr(s, VGA_SEQ_CLOCK_MODE));
- #endif
-     addr1 = (s->start_addr * 4);
-     bwidth = (width * bits + 7) / 8;
-@@ -1781,6 +1785,7 @@ void vga_common_reset(VGACommonState *s)
- {
-     s->sr_index = 0;
-     memset(s->sr, '\0', sizeof(s->sr));
-+    memset(s->sr_vbe, '\0', sizeof(s->sr_vbe));
-     s->gr_index = 0;
-     memset(s->gr, '\0', sizeof(s->gr));
-     s->ar_index = 0;
-@@ -1883,10 +1888,10 @@ static void vga_update_text(void *opaque, console_ch_t *chardata)
-         /* total width & height */
-         cheight = (s->cr[VGA_CRTC_MAX_SCAN] & 0x1f) + 1;
-         cw = 8;
--        if (!(s->sr[VGA_SEQ_CLOCK_MODE] & VGA_SR01_CHAR_CLK_8DOTS)) {
-+        if (!(sr(s, VGA_SEQ_CLOCK_MODE) & VGA_SR01_CHAR_CLK_8DOTS)) {
-             cw = 9;
-         }
--        if (s->sr[VGA_SEQ_CLOCK_MODE] & 0x08) {
-+        if (sr(s, VGA_SEQ_CLOCK_MODE) & 0x08) {
-             cw = 16; /* NOTE: no 18 pixel wide */
-         }
-         width = (s->cr[VGA_CRTC_H_DISP] + 1);
-@@ -2053,6 +2058,7 @@ static int vga_common_post_load(void *opaque, int version_id)
- 
-     /* force refresh */
-     s->graphic_mode = -1;
-+    vbe_update_vgaregs(s);
-     return 0;
- }
- 
-diff --git a/hw/display/vga_int.h b/hw/display/vga_int.h
-index bdb43a5..3ce5544 100644
---- a/hw/display/vga_int.h
-+++ b/hw/display/vga_int.h
-@@ -98,6 +98,7 @@ typedef struct VGACommonState {
-     MemoryRegion chain4_alias;
-     uint8_t sr_index;
-     uint8_t sr[256];
-+    uint8_t sr_vbe[256];
-     uint8_t gr_index;
-     uint8_t gr[256];
-     uint8_t ar_index;

0010-hw-arm-virt-Reject-gic-version-host-for-non-KVM.patch

@@ -1,35 +0,0 @@
-From: Cole Robinson <crobinso@redhat.com>
-Date: Thu, 26 May 2016 09:55:21 -0400
-Subject: [PATCH] hw/arm/virt: Reject gic-version=host for non-KVM
-
-If you try to gic-version=host with TCG on a KVM aarch64 host,
-qemu segfaults, since host requires KVM APIs.
-
-Explicitly reject gic-version=host if KVM is not enabled
-
-https://bugzilla.redhat.com/show_bug.cgi?id=1339977
-(cherry picked from commit b1b3b0dd143b7995a7f4062966b80a2cf3e3c71e)
----
- hw/arm/virt.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/hw/arm/virt.c b/hw/arm/virt.c
-index 56d35c7..a535285 100644
---- a/hw/arm/virt.c
-+++ b/hw/arm/virt.c
-@@ -1114,10 +1114,14 @@ static void machvirt_init(MachineState *machine)
-      * KVM is not available yet
-      */
-     if (!gic_version) {
-+        if (!kvm_enabled()) {
-+            error_report("gic-version=host requires KVM");
-+            exit(1);
-+        }
-+
-         gic_version = kvm_arm_vgic_probe();
-         if (!gic_version) {
-             error_report("Unable to determine GIC version supported by host");
--            error_printf("KVM acceleration is probably not supported\n");
-             exit(1);
-         }
-     }

0011-net-mipsnet-check-packet-length-against-buffer.patch

@@ -1,32 +0,0 @@
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Thu, 7 Apr 2016 15:56:02 +0530
-Subject: [PATCH] net: mipsnet: check packet length against buffer
-
-When receiving packets over MIPSnet network device, it uses
-receive buffer of size 1514 bytes. In case the controller
-accepts large(MTU) packets, it could lead to memory corruption.
-Add check to avoid it.
-
-Reported by: Oleksandr Bazhaniuk <oleksandr.bazhaniuk@intel.com>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Signed-off-by: Jason Wang <jasowang@redhat.com>
-
-(cherry picked from commit 3af9187fc6caaf415ab9c0c6d92c9678f65cb17f)
----
- hw/net/mipsnet.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/hw/net/mipsnet.c b/hw/net/mipsnet.c
-index 740cd98..cf8b823 100644
---- a/hw/net/mipsnet.c
-+++ b/hw/net/mipsnet.c
-@@ -83,6 +83,9 @@ static ssize_t mipsnet_receive(NetClientState *nc, const uint8_t *buf, size_t si
-     if (!mipsnet_can_receive(nc))
-         return 0;
- 
-+    if (size >= sizeof(s->rx_buffer)) {
-+        return 0;
-+    }
-     s->busy = 1;
- 
-     /* Just accept everything. */

0012-scsi-pvscsi-check-command-descriptor-ring-buffer-siz.patch

@@ -1,100 +0,0 @@
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Mon, 23 May 2016 16:18:05 +0530
-Subject: [PATCH] scsi: pvscsi: check command descriptor ring buffer size
- (CVE-2016-4952)
-
-Vmware Paravirtual SCSI emulation uses command descriptors to
-process SCSI commands. These descriptors come with their ring
-buffers. A guest could set the ring buffer size to an arbitrary
-value leading to OOB access issue. Add check to avoid it.
-
-Reported-by: Li Qiang <liqiang6-s@360.cn>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Cc: qemu-stable@nongnu.org
-Message-Id: <1464000485-27041-1-git-send-email-ppandit@redhat.com>
-Reviewed-by: Shmulik Ladkani <shmulik.ladkani@ravellosystems.com>
-Reviewed-by: Dmitry Fleytman <dmitry@daynix.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit 3e831b40e015ba34dfb55ff11f767001839425ff)
----
- hw/scsi/vmw_pvscsi.c | 24 ++++++++++++++++++++----
- 1 file changed, 20 insertions(+), 4 deletions(-)
-
-diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
-index e690b4e..e1d6d06 100644
---- a/hw/scsi/vmw_pvscsi.c
-+++ b/hw/scsi/vmw_pvscsi.c
-@@ -153,7 +153,7 @@ pvscsi_log2(uint32_t input)
-     return log;
- }
- 
--static void
-+static int
- pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
- {
-     int i;
-@@ -161,6 +161,10 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
-     uint32_t req_ring_size, cmp_ring_size;
-     m->rs_pa = ri->ringsStatePPN << VMW_PAGE_SHIFT;
- 
-+    if ((ri->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)
-+        || (ri->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)) {
-+        return -1;
-+    }
-     req_ring_size = ri->reqRingNumPages * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE;
-     cmp_ring_size = ri->cmpRingNumPages * PVSCSI_MAX_NUM_CMP_ENTRIES_PER_PAGE;
-     txr_len_log2 = pvscsi_log2(req_ring_size - 1);
-@@ -192,15 +196,20 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
- 
-     /* Flush ring state page changes */
-     smp_wmb();
-+
-+    return 0;
- }
- 
--static void
-+static int
- pvscsi_ring_init_msg(PVSCSIRingInfo *m, PVSCSICmdDescSetupMsgRing *ri)
- {
-     int i;
-     uint32_t len_log2;
-     uint32_t ring_size;
- 
-+    if (ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) {
-+        return -1;
-+    }
-     ring_size = ri->numPages * PVSCSI_MAX_NUM_MSG_ENTRIES_PER_PAGE;
-     len_log2 = pvscsi_log2(ring_size - 1);
- 
-@@ -220,6 +229,8 @@ pvscsi_ring_init_msg(PVSCSIRingInfo *m, PVSCSICmdDescSetupMsgRing *ri)
- 
-     /* Flush ring state page changes */
-     smp_wmb();
-+
-+    return 0;
- }
- 
- static void
-@@ -770,7 +781,10 @@ pvscsi_on_cmd_setup_rings(PVSCSIState *s)
-     trace_pvscsi_on_cmd_arrived("PVSCSI_CMD_SETUP_RINGS");
- 
-     pvscsi_dbg_dump_tx_rings_config(rc);
--    pvscsi_ring_init_data(&s->rings, rc);
-+    if (pvscsi_ring_init_data(&s->rings, rc) < 0) {
-+        return PVSCSI_COMMAND_PROCESSING_FAILED;
-+    }
-+
-     s->rings_info_valid = TRUE;
-     return PVSCSI_COMMAND_PROCESSING_SUCCEEDED;
- }
-@@ -850,7 +864,9 @@ pvscsi_on_cmd_setup_msg_ring(PVSCSIState *s)
-     }
- 
-     if (s->rings_info_valid) {
--        pvscsi_ring_init_msg(&s->rings, rc);
-+        if (pvscsi_ring_init_msg(&s->rings, rc) < 0) {
-+            return PVSCSI_COMMAND_PROCESSING_FAILED;
-+        }
-         s->msg_ring_info_valid = TRUE;
-     }
-     return sizeof(PVSCSICmdDescSetupMsgRing) / sizeof(uint32_t);

0013-scsi-mptsas-infinite-loop-while-fetching-requests.patch

@@ -1,46 +0,0 @@
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Tue, 24 May 2016 13:37:44 +0530
-Subject: [PATCH] scsi: mptsas: infinite loop while fetching requests
-
-The LSI SAS1068 Host Bus Adapter emulator in Qemu, periodically
-looks for requests and fetches them. A loop doing that in
-mptsas_fetch_requests() could run infinitely if 's->state' was
-not operational. Move check to avoid such a loop.
-
-Reported-by: Li Qiang <liqiang6-s@360.cn>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Cc: qemu-stable@nongnu.org
-Message-Id: <1464077264-25473-1-git-send-email-ppandit@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit 06630554ccbdd25780aa03c3548aaff1eb56dffd)
----
- hw/scsi/mptsas.c | 9 ++++-----
- 1 file changed, 4 insertions(+), 5 deletions(-)
-
-diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c
-index 499c146..be88e16 100644
---- a/hw/scsi/mptsas.c
-+++ b/hw/scsi/mptsas.c
-@@ -754,11 +754,6 @@ static void mptsas_fetch_request(MPTSASState *s)
-     hwaddr addr;
-     int size;
- 
--    if (s->state != MPI_IOC_STATE_OPERATIONAL) {
--        mptsas_set_fault(s, MPI_IOCSTATUS_INVALID_STATE);
--        return;
--    }
--
-     /* Read the message header from the guest first. */
-     addr = s->host_mfa_high_addr | MPTSAS_FIFO_GET(s, request_post);
-     pci_dma_read(pci, addr, req, sizeof(hdr));
-@@ -789,6 +784,10 @@ static void mptsas_fetch_requests(void *opaque)
- {
-     MPTSASState *s = opaque;
- 
-+    if (s->state != MPI_IOC_STATE_OPERATIONAL) {
-+        mptsas_set_fault(s, MPI_IOCSTATUS_INVALID_STATE);
-+        return;
-+    }
-     while (!MPTSAS_FIFO_EMPTY(s, request_post)) {
-         mptsas_fetch_request(s);
-     }

0014-scsi-megasas-use-appropriate-property-buffer-size.patch

@@ -1,31 +0,0 @@
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Wed, 25 May 2016 16:01:29 +0530
-Subject: [PATCH] scsi: megasas: use appropriate property buffer size
-
-When setting MegaRAID SAS controller properties via MegaRAID
-Firmware Interface(MFI) commands, a user supplied size parameter
-is used to set property value. Use appropriate size value to avoid
-OOB access issues.
-
-Reported-by: Li Qiang <liqiang6-s@360.cn>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Message-Id: <1464172291-2856-2-git-send-email-ppandit@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit 1b85898025c4cd95dce673d15e67e60e98e91731)
----
- hw/scsi/megasas.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
-index a63a581..dcbd3e1 100644
---- a/hw/scsi/megasas.c
-+++ b/hw/scsi/megasas.c
-@@ -1446,7 +1446,7 @@ static int megasas_dcmd_set_properties(MegasasState *s, MegasasCmd *cmd)
-                                             dcmd_size);
-         return MFI_STAT_INVALID_PARAMETER;
-     }
--    dma_buf_write((uint8_t *)&info, cmd->iov_size, &cmd->qsg);
-+    dma_buf_write((uint8_t *)&info, dcmd_size, &cmd->qsg);
-     trace_megasas_dcmd_unsupported(cmd->index, cmd->iov_size);
-     return MFI_STAT_OK;
- }

0015-scsi-megasas-initialise-local-configuration-data-buf.patch

@@ -1,31 +0,0 @@
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Wed, 25 May 2016 17:41:44 +0530
-Subject: [PATCH] scsi: megasas: initialise local configuration data buffer
-
-When reading MegaRAID SAS controller configuration via MegaRAID
-Firmware Interface(MFI) commands, routine megasas_dcmd_cfg_read
-uses an uninitialised local data buffer. Initialise this buffer
-to avoid stack information leakage.
-
-Reported-by: Li Qiang <liqiang6-s@360.cn>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Message-Id: <1464178304-12831-1-git-send-email-ppandit@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit d37af740730dbbb93960cd318e040372d04d6dcf)
----
- hw/scsi/megasas.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
-index dcbd3e1..bf642d4 100644
---- a/hw/scsi/megasas.c
-+++ b/hw/scsi/megasas.c
-@@ -1293,7 +1293,7 @@ static int megasas_dcmd_ld_get_info(MegasasState *s, MegasasCmd *cmd)
- 
- static int megasas_dcmd_cfg_read(MegasasState *s, MegasasCmd *cmd)
- {
--    uint8_t data[4096];
-+    uint8_t data[4096] = { 0 };
-     struct mfi_config_data *info;
-     int num_pd_disks = 0, array_offset, ld_offset;
-     BusChild *kid;

0016-scsi-megasas-check-read_queue_head-index-value.patch

@@ -1,33 +0,0 @@
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Wed, 25 May 2016 17:55:10 +0530
-Subject: [PATCH] scsi: megasas: check 'read_queue_head' index value
-
-While doing MegaRAID SAS controller command frame lookup, routine
-'megasas_lookup_frame' uses 'read_queue_head' value as an index
-into 'frames[MEGASAS_MAX_FRAMES=2048]' array. Limit its value
-within array bounds to avoid any OOB access.
-
-Reported-by: Li Qiang <liqiang6-s@360.cn>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Message-Id: <1464179110-18593-1-git-send-email-ppandit@redhat.com>
-Reviewed-by: Alexander Graf <agraf@suse.de>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit b60bdd1f1ee1616b7a9aeeffb4088e1ce2710fb2)
----
- hw/scsi/megasas.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
-index bf642d4..cc66d36 100644
---- a/hw/scsi/megasas.c
-+++ b/hw/scsi/megasas.c
-@@ -650,7 +650,9 @@ static int megasas_init_firmware(MegasasState *s, MegasasCmd *cmd)
-     pa_hi = le32_to_cpu(initq->pi_addr_hi);
-     s->producer_pa = ((uint64_t) pa_hi << 32) | pa_lo;
-     s->reply_queue_head = ldl_le_pci_dma(pcid, s->producer_pa);
-+    s->reply_queue_head %= MEGASAS_MAX_FRAMES;
-     s->reply_queue_tail = ldl_le_pci_dma(pcid, s->consumer_pa);
-+    s->reply_queue_tail %= MEGASAS_MAX_FRAMES;
-     flags = le32_to_cpu(initq->flags);
-     if (flags & MFI_QUEUE_FLAG_CONTEXT64) {
-         s->flags |= MEGASAS_MASK_USE_QUEUE64;

0017-vmsvga-move-fifo-sanity-checks-to-vmsvga_fifo_length.patch

@@ -1,70 +0,0 @@
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Mon, 30 May 2016 09:09:18 +0200
-Subject: [PATCH] vmsvga: move fifo sanity checks to vmsvga_fifo_length
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Sanity checks are applied when the fifo is enabled by the guest
-(SVGA_REG_CONFIG_DONE write).  Which doesn't help much if the guest
-changes the fifo registers afterwards.  Move the checks to
-vmsvga_fifo_length so they are done each time qemu is about to read
-from the fifo.
-
-Fixes: CVE-2016-4454
-Cc: qemu-stable@nongnu.org
-Cc: P J P <ppandit@redhat.com>
-Reported-by: 李强 <liqiang6-s@360.cn>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Message-id: 1464592161-18348-2-git-send-email-kraxel@redhat.com
-(cherry picked from commit 521360267876d3b6518b328051a2e56bca55bef8)
----
- hw/display/vmware_vga.c | 28 +++++++++++++++-------------
- 1 file changed, 15 insertions(+), 13 deletions(-)
-
-diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
-index 0c63fa8..63a7c05 100644
---- a/hw/display/vmware_vga.c
-+++ b/hw/display/vmware_vga.c
-@@ -555,6 +555,21 @@ static inline int vmsvga_fifo_length(struct vmsvga_state_s *s)
-     if (!s->config || !s->enable) {
-         return 0;
-     }
-+
-+    /* Check range and alignment.  */
-+    if ((CMD(min) | CMD(max) | CMD(next_cmd) | CMD(stop)) & 3) {
-+        return 0;
-+    }
-+    if (CMD(min) < (uint8_t *) s->cmd->fifo - (uint8_t *) s->fifo) {
-+        return 0;
-+    }
-+    if (CMD(max) > SVGA_FIFO_SIZE) {
-+        return 0;
-+    }
-+    if (CMD(max) < CMD(min) + 10 * 1024) {
-+        return 0;
-+    }
-+
-     num = CMD(next_cmd) - CMD(stop);
-     if (num < 0) {
-         num += CMD(max) - CMD(min);
-@@ -1005,19 +1020,6 @@ static void vmsvga_value_write(void *opaque, uint32_t address, uint32_t value)
-     case SVGA_REG_CONFIG_DONE:
-         if (value) {
-             s->fifo = (uint32_t *) s->fifo_ptr;
--            /* Check range and alignment.  */
--            if ((CMD(min) | CMD(max) | CMD(next_cmd) | CMD(stop)) & 3) {
--                break;
--            }
--            if (CMD(min) < (uint8_t *) s->cmd->fifo - (uint8_t *) s->fifo) {
--                break;
--            }
--            if (CMD(max) > SVGA_FIFO_SIZE) {
--                break;
--            }
--            if (CMD(max) < CMD(min) + 10 * 1024) {
--                break;
--            }
-             vga_dirty_log_stop(&s->vga);
-         }
-         s->config = !!value;

0018-vmsvga-add-more-fifo-checks.patch

@@ -1,36 +0,0 @@
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Mon, 30 May 2016 09:09:19 +0200
-Subject: [PATCH] vmsvga: add more fifo checks
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Make sure all fifo ptrs are within range.
-
-Fixes: CVE-2016-4454
-Cc: qemu-stable@nongnu.org
-Cc: P J P <ppandit@redhat.com>
-Reported-by: 李强 <liqiang6-s@360.cn>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Message-id: 1464592161-18348-3-git-send-email-kraxel@redhat.com
-(cherry picked from commit c2e3c54d3960bc53bfa3a5ce7ea7a050b9be267e)
----
- hw/display/vmware_vga.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
-index 63a7c05..a26e62e 100644
---- a/hw/display/vmware_vga.c
-+++ b/hw/display/vmware_vga.c
-@@ -563,7 +563,10 @@ static inline int vmsvga_fifo_length(struct vmsvga_state_s *s)
-     if (CMD(min) < (uint8_t *) s->cmd->fifo - (uint8_t *) s->fifo) {
-         return 0;
-     }
--    if (CMD(max) > SVGA_FIFO_SIZE) {
-+    if (CMD(max) > SVGA_FIFO_SIZE ||
-+        CMD(min) >= SVGA_FIFO_SIZE ||
-+        CMD(stop) >= SVGA_FIFO_SIZE ||
-+        CMD(next_cmd) >= SVGA_FIFO_SIZE) {
-         return 0;
-     }
-     if (CMD(max) < CMD(min) + 10 * 1024) {

0019-vmsvga-shadow-fifo-registers.patch

@@ -1,143 +0,0 @@
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Mon, 30 May 2016 09:09:20 +0200
-Subject: [PATCH] vmsvga: shadow fifo registers
-
-The fifo is normal ram.  So kvm vcpu threads and qemu iothread can
-access the fifo in parallel without syncronization.  Which in turn
-implies we can't use the fifo pointers in-place because the guest
-can try changing them underneath us.  So add shadows for them, to
-make sure the guest can't modify them after we've applied sanity
-checks.
-
-Fixes: CVE-2016-4454
-Cc: qemu-stable@nongnu.org
-Cc: P J P <ppandit@redhat.com>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Message-id: 1464592161-18348-4-git-send-email-kraxel@redhat.com
-(cherry picked from commit 7e486f7577764a07aa35588e119903c80a5c30a2)
----
- hw/display/vmware_vga.c | 57 ++++++++++++++++++++++++-------------------------
- 1 file changed, 28 insertions(+), 29 deletions(-)
-
-diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
-index a26e62e..de2567b 100644
---- a/hw/display/vmware_vga.c
-+++ b/hw/display/vmware_vga.c
-@@ -66,17 +66,11 @@ struct vmsvga_state_s {
-     uint8_t *fifo_ptr;
-     unsigned int fifo_size;
- 
--    union {
--        uint32_t *fifo;
--        struct QEMU_PACKED {
--            uint32_t min;
--            uint32_t max;
--            uint32_t next_cmd;
--            uint32_t stop;
--            /* Add registers here when adding capabilities.  */
--            uint32_t fifo[0];
--        } *cmd;
--    };
-+    uint32_t *fifo;
-+    uint32_t fifo_min;
-+    uint32_t fifo_max;
-+    uint32_t fifo_next;
-+    uint32_t fifo_stop;
- 
- #define REDRAW_FIFO_LEN  512
-     struct vmsvga_rect_s {
-@@ -198,7 +192,7 @@ enum {
-      */
-     SVGA_FIFO_MIN = 0,
-     SVGA_FIFO_MAX,      /* The distance from MIN to MAX must be at least 10K */
--    SVGA_FIFO_NEXT_CMD,
-+    SVGA_FIFO_NEXT,
-     SVGA_FIFO_STOP,
- 
-     /*
-@@ -546,8 +540,6 @@ static inline void vmsvga_cursor_define(struct vmsvga_state_s *s,
- }
- #endif
- 
--#define CMD(f)  le32_to_cpu(s->cmd->f)
--
- static inline int vmsvga_fifo_length(struct vmsvga_state_s *s)
- {
-     int num;
-@@ -556,38 +548,44 @@ static inline int vmsvga_fifo_length(struct vmsvga_state_s *s)
-         return 0;
-     }
- 
-+    s->fifo_min  = le32_to_cpu(s->fifo[SVGA_FIFO_MIN]);
-+    s->fifo_max  = le32_to_cpu(s->fifo[SVGA_FIFO_MAX]);
-+    s->fifo_next = le32_to_cpu(s->fifo[SVGA_FIFO_NEXT]);
-+    s->fifo_stop = le32_to_cpu(s->fifo[SVGA_FIFO_STOP]);
-+
-     /* Check range and alignment.  */
--    if ((CMD(min) | CMD(max) | CMD(next_cmd) | CMD(stop)) & 3) {
-+    if ((s->fifo_min | s->fifo_max | s->fifo_next | s->fifo_stop) & 3) {
-         return 0;
-     }
--    if (CMD(min) < (uint8_t *) s->cmd->fifo - (uint8_t *) s->fifo) {
-+    if (s->fifo_min < sizeof(uint32_t) * 4) {
-         return 0;
-     }
--    if (CMD(max) > SVGA_FIFO_SIZE ||
--        CMD(min) >= SVGA_FIFO_SIZE ||
--        CMD(stop) >= SVGA_FIFO_SIZE ||
--        CMD(next_cmd) >= SVGA_FIFO_SIZE) {
-+    if (s->fifo_max > SVGA_FIFO_SIZE ||
-+        s->fifo_min >= SVGA_FIFO_SIZE ||
-+        s->fifo_stop >= SVGA_FIFO_SIZE ||
-+        s->fifo_next >= SVGA_FIFO_SIZE) {
-         return 0;
-     }
--    if (CMD(max) < CMD(min) + 10 * 1024) {
-+    if (s->fifo_max < s->fifo_min + 10 * 1024) {
-         return 0;
-     }
- 
--    num = CMD(next_cmd) - CMD(stop);
-+    num = s->fifo_next - s->fifo_stop;
-     if (num < 0) {
--        num += CMD(max) - CMD(min);
-+        num += s->fifo_max - s->fifo_min;
-     }
-     return num >> 2;
- }
- 
- static inline uint32_t vmsvga_fifo_read_raw(struct vmsvga_state_s *s)
- {
--    uint32_t cmd = s->fifo[CMD(stop) >> 2];
-+    uint32_t cmd = s->fifo[s->fifo_stop >> 2];
- 
--    s->cmd->stop = cpu_to_le32(CMD(stop) + 4);
--    if (CMD(stop) >= CMD(max)) {
--        s->cmd->stop = s->cmd->min;
-+    s->fifo_stop += 4;
-+    if (s->fifo_stop >= s->fifo_max) {
-+        s->fifo_stop = s->fifo_min;
-     }
-+    s->fifo[SVGA_FIFO_STOP] = cpu_to_le32(s->fifo_stop);
-     return cmd;
- }
- 
-@@ -607,7 +605,7 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
-     len = vmsvga_fifo_length(s);
-     while (len > 0) {
-         /* May need to go back to the start of the command if incomplete */
--        cmd_start = s->cmd->stop;
-+        cmd_start = s->fifo_stop;
- 
-         switch (cmd = vmsvga_fifo_read(s)) {
-         case SVGA_CMD_UPDATE:
-@@ -766,7 +764,8 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
-             break;
- 
-         rewind:
--            s->cmd->stop = cmd_start;
-+            s->fifo_stop = cmd_start;
-+            s->fifo[SVGA_FIFO_STOP] = cpu_to_le32(s->fifo_stop);
-             break;
-         }
-     }

0020-vmsvga-don-t-process-more-than-1024-fifo-commands-at.patch

@@ -1,42 +0,0 @@
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Mon, 30 May 2016 09:09:21 +0200
-Subject: [PATCH] vmsvga: don't process more than 1024 fifo commands at once
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-vmsvga_fifo_run is called in regular intervals (on each display update)
-and will resume where it left off.  So we can simply exit the loop,
-without having to worry about how processing will continue.
-
-Fixes: CVE-2016-4453
-Cc: qemu-stable@nongnu.org
-Cc: P J P <ppandit@redhat.com>
-Reported-by: 李强 <liqiang6-s@360.cn>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Message-id: 1464592161-18348-5-git-send-email-kraxel@redhat.com
-(cherry picked from commit 4e68a0ee17dad7b8d870df0081d4ab2e079016c2)
----
- hw/display/vmware_vga.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
-index de2567b..e51a05e 100644
---- a/hw/display/vmware_vga.c
-+++ b/hw/display/vmware_vga.c
-@@ -597,13 +597,13 @@ static inline uint32_t vmsvga_fifo_read(struct vmsvga_state_s *s)
- static void vmsvga_fifo_run(struct vmsvga_state_s *s)
- {
-     uint32_t cmd, colour;
--    int args, len;
-+    int args, len, maxloop = 1024;
-     int x, y, dx, dy, width, height;
-     struct vmsvga_cursor_definition_s cursor;
-     uint32_t cmd_start;
- 
-     len = vmsvga_fifo_length(s);
--    while (len > 0) {
-+    while (len > 0 && --maxloop > 0) {
-         /* May need to go back to the start of the command if incomplete */
-         cmd_start = s->fifo_stop;
- 

0021-block-iscsi-avoid-potential-overflow-of-acb-task-cdb.patch

@@ -1,34 +0,0 @@
-From: Peter Lieven <pl@kamp.de>
-Date: Tue, 24 May 2016 10:59:28 +0200
-Subject: [PATCH] block/iscsi: avoid potential overflow of acb->task->cdb
-
-at least in the path via virtio-blk the maximum size is not
-restricted.
-
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Peter Lieven <pl@kamp.de>
-Message-Id: <1464080368-29584-1-git-send-email-pl@kamp.de>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit a6b3167fa0e825aebb5a7cd8b437b6d41584a196)
----
- block/iscsi.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/block/iscsi.c b/block/iscsi.c
-index 302baf8..172e6cf 100644
---- a/block/iscsi.c
-+++ b/block/iscsi.c
-@@ -837,6 +837,13 @@ static BlockAIOCB *iscsi_aio_ioctl(BlockDriverState *bs,
-         return &acb->common;
-     }
- 
-+    if (acb->ioh->cmd_len > SCSI_CDB_MAX_SIZE) {
-+        error_report("iSCSI: ioctl error CDB exceeds max size (%d > %d)",
-+                     acb->ioh->cmd_len, SCSI_CDB_MAX_SIZE);
-+        qemu_aio_unref(acb);
-+        return NULL;
-+    }
-+
-     acb->task = malloc(sizeof(struct scsi_task));
-     if (acb->task == NULL) {
-         error_report("iSCSI: Failed to allocate task for scsi command. %s",

0022-scsi-esp-check-buffer-length-before-reading-scsi-com.patch

@@ -1,33 +0,0 @@
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Tue, 31 May 2016 23:23:27 +0530
-Subject: [PATCH] scsi: esp: check buffer length before reading scsi command
-
-The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte
-FIFO buffer. It is used to handle command and data transfer.
-Routine get_cmd() in non-DMA mode, uses 'ti_size' to read scsi
-command into a buffer. Add check to validate command length against
-buffer size to avoid any overrun.
-
-Reported-by: Li Qiang <liqiang6-s@360.cn>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Message-Id: <1464717207-7549-1-git-send-email-ppandit@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit d3cdc49138c30be1d3c2f83d18f85d9fdee95f1a)
----
- hw/scsi/esp.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
-index 591c817..c2f6f8f 100644
---- a/hw/scsi/esp.c
-+++ b/hw/scsi/esp.c
-@@ -98,6 +98,9 @@ static uint32_t get_cmd(ESPState *s, uint8_t *buf, uint8_t buflen)
-         s->dma_memory_read(s->dma_opaque, buf, dmalen);
-     } else {
-         dmalen = s->ti_size;
-+        if (dmalen > TI_BUFSZ) {
-+            return 0;
-+        }
-         memcpy(buf, s->ti_buf, dmalen);
-         buf[0] = buf[2] >> 5;
-     }

0023-scsi-esp-respect-FIFO-invariant-after-message-phase.patch

@@ -1,26 +0,0 @@
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Tue, 14 Jun 2016 15:10:24 +0200
-Subject: [PATCH] scsi: esp: respect FIFO invariant after message phase
-
-The FIFO contains two bytes; hence the write ptr should be two bytes ahead
-of the read pointer.
-
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit d020aa504cec8f525b55ba2ef982c09dc847c72e)
----
- hw/scsi/esp.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
-index c2f6f8f..6407844 100644
---- a/hw/scsi/esp.c
-+++ b/hw/scsi/esp.c
-@@ -222,7 +222,7 @@ static void write_response(ESPState *s)
-     } else {
-         s->ti_size = 2;
-         s->ti_rptr = 0;
--        s->ti_wptr = 0;
-+        s->ti_wptr = 2;
-         s->rregs[ESP_RFLAGS] = 2;
-     }
-     esp_raise_irq(s);

0024-scsi-esp-clean-up-handle_ti-esp_do_dma-if-s-do_cmd.patch

@@ -1,76 +0,0 @@
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Wed, 15 Jun 2016 14:29:33 +0200
-Subject: [PATCH] scsi: esp: clean up handle_ti/esp_do_dma if s->do_cmd
-
-Avoid duplicated code between esp_do_dma and handle_ti.  esp_do_dma
-has the same code that handle_ti contains after the call to esp_do_dma;
-but the code in handle_ti is never reached because it is in an "else if".
-Remove the else and also the pointless return.
-
-esp_do_dma also has a partially dead assignment of the to_device
-variable.  Sink it to the point where it's actually used.
-
-Finally, assert that the other caller of esp_do_dma (esp_transfer_data)
-only transfers data and not a command.  This is true because get_cmd
-cancels the old request synchronously before its caller handle_satn_stop
-sets do_cmd to 1.
-
-Reviewed-by: Laszlo Ersek <lersek@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit 7f0b6e114ae4e142e2b3dfc9fac138f4a30edc4f)
----
- hw/scsi/esp.c | 11 ++++-------
- 1 file changed, 4 insertions(+), 7 deletions(-)
-
-diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
-index 6407844..68d3e4d 100644
---- a/hw/scsi/esp.c
-+++ b/hw/scsi/esp.c
-@@ -245,15 +245,10 @@ static void esp_do_dma(ESPState *s)
-     uint32_t len;
-     int to_device;
- 
--    to_device = (s->ti_size < 0);
-     len = s->dma_left;
-     if (s->do_cmd) {
-         trace_esp_do_dma(s->cmdlen, len);
-         s->dma_memory_read(s->dma_opaque, &s->cmdbuf[s->cmdlen], len);
--        s->ti_size = 0;
--        s->cmdlen = 0;
--        s->do_cmd = 0;
--        do_cmd(s, s->cmdbuf);
-         return;
-     }
-     if (s->async_len == 0) {
-@@ -263,6 +258,7 @@ static void esp_do_dma(ESPState *s)
-     if (len > s->async_len) {
-         len = s->async_len;
-     }
-+    to_device = (s->ti_size < 0);
-     if (to_device) {
-         s->dma_memory_read(s->dma_opaque, s->async_buf, len);
-     } else {
-@@ -318,6 +314,7 @@ void esp_transfer_data(SCSIRequest *req, uint32_t len)
- {
-     ESPState *s = req->hba_private;
- 
-+    assert(!s->do_cmd);
-     trace_esp_transfer_data(s->dma_left, s->ti_size);
-     s->async_len = len;
-     s->async_buf = scsi_req_get_buf(req);
-@@ -358,13 +355,13 @@ static void handle_ti(ESPState *s)
-         s->dma_left = minlen;
-         s->rregs[ESP_RSTAT] &= ~STAT_TC;
-         esp_do_dma(s);
--    } else if (s->do_cmd) {
-+    }
-+    if (s->do_cmd) {
-         trace_esp_handle_ti_cmd(s->cmdlen);
-         s->ti_size = 0;
-         s->cmdlen = 0;
-         s->do_cmd = 0;
-         do_cmd(s, s->cmdbuf);
--        return;
-     }
- }
- 

0025-scsi-esp-make-cmdbuf-big-enough-for-maximum-CDB-size.patch

@@ -1,70 +0,0 @@
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Thu, 16 Jun 2016 00:22:35 +0200
-Subject: [PATCH] scsi: esp: make cmdbuf big enough for maximum CDB size
-
-While doing DMA read into ESP command buffer 's->cmdbuf', it could
-write past the 's->cmdbuf' area, if it was transferring more than 16
-bytes.  Increase the command buffer size to 32, which is maximum when
-'s->do_cmd' is set, and add a check on 'len' to avoid OOB access.
-
-Reported-by: Li Qiang <liqiang6-s@360.cn>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit 926cde5f3e4d2504ed161ed0cb771ac7cad6fd11)
----
- hw/scsi/esp.c         | 6 ++++--
- include/hw/scsi/esp.h | 3 ++-
- 2 files changed, 6 insertions(+), 3 deletions(-)
-
-diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
-index 68d3e4d..b4601ad 100644
---- a/hw/scsi/esp.c
-+++ b/hw/scsi/esp.c
-@@ -248,6 +248,8 @@ static void esp_do_dma(ESPState *s)
-     len = s->dma_left;
-     if (s->do_cmd) {
-         trace_esp_do_dma(s->cmdlen, len);
-+        assert (s->cmdlen <= sizeof(s->cmdbuf) &&
-+                len <= sizeof(s->cmdbuf) - s->cmdlen);
-         s->dma_memory_read(s->dma_opaque, &s->cmdbuf[s->cmdlen], len);
-         return;
-     }
-@@ -345,7 +347,7 @@ static void handle_ti(ESPState *s)
-     s->dma_counter = dmalen;
- 
-     if (s->do_cmd)
--        minlen = (dmalen < 32) ? dmalen : 32;
-+        minlen = (dmalen < ESP_CMDBUF_SZ) ? dmalen : ESP_CMDBUF_SZ;
-     else if (s->ti_size < 0)
-         minlen = (dmalen < -s->ti_size) ? dmalen : -s->ti_size;
-     else
-@@ -451,7 +453,7 @@ void esp_reg_write(ESPState *s, uint32_t saddr, uint64_t val)
-         break;
-     case ESP_FIFO:
-         if (s->do_cmd) {
--            if (s->cmdlen < TI_BUFSZ) {
-+            if (s->cmdlen < ESP_CMDBUF_SZ) {
-                 s->cmdbuf[s->cmdlen++] = val & 0xff;
-             } else {
-                 trace_esp_error_fifo_overrun();
-diff --git a/include/hw/scsi/esp.h b/include/hw/scsi/esp.h
-index 6c79527..d2c4886 100644
---- a/include/hw/scsi/esp.h
-+++ b/include/hw/scsi/esp.h
-@@ -14,6 +14,7 @@ void esp_init(hwaddr espaddr, int it_shift,
- 
- #define ESP_REGS 16
- #define TI_BUFSZ 16
-+#define ESP_CMDBUF_SZ 32
- 
- typedef struct ESPState ESPState;
- 
-@@ -31,7 +32,7 @@ struct ESPState {
-     SCSIBus bus;
-     SCSIDevice *current_dev;
-     SCSIRequest *current_req;
--    uint8_t cmdbuf[TI_BUFSZ];
-+    uint8_t cmdbuf[ESP_CMDBUF_SZ];
-     uint32_t cmdlen;
-     uint32_t do_cmd;
- 

0026-scsi-megasas-null-terminate-bios-version-buffer.patch

@@ -1,29 +0,0 @@
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Tue, 7 Jun 2016 16:44:03 +0530
-Subject: [PATCH] scsi: megasas: null terminate bios version buffer
-
-While reading information via 'megasas_ctrl_get_info' routine,
-a local bios version buffer isn't null terminated. Add the
-terminating null byte to avoid any OOB access.
-
-Reported-by: Li Qiang <liqiang6-s@360.cn>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit 844864fbae66935951529408831c2f22367a57b6)
----
- hw/scsi/megasas.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
-index cc66d36..a9ffc32 100644
---- a/hw/scsi/megasas.c
-+++ b/hw/scsi/megasas.c
-@@ -773,6 +773,7 @@ static int megasas_ctrl_get_info(MegasasState *s, MegasasCmd *cmd)
- 
-         ptr = memory_region_get_ram_ptr(&pci_dev->rom);
-         memcpy(biosver, ptr + 0x41, 31);
-+        biosver[31] = 0;
-         memcpy(info.image_component[1].name, "BIOS", 4);
-         memcpy(info.image_component[1].version, biosver,
-                strlen((const char *)biosver));

0027-sdl2-skip-init-without-outputs.patch

@@ -1,26 +0,0 @@
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Wed, 1 Jun 2016 16:08:36 +0200
-Subject: [PATCH] sdl2: skip init without outputs
-
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Tested-by: Cole Robinson <crobinso@redhat.com>
-Message-id: 1464790116-32405-1-git-send-email-kraxel@redhat.com
-(cherry picked from commit 8efa5f29f83816ae34f428143de49acbaacccb24)
----
- ui/sdl2.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/ui/sdl2.c b/ui/sdl2.c
-index 909038f..30d2a3c 100644
---- a/ui/sdl2.c
-+++ b/ui/sdl2.c
-@@ -794,6 +794,9 @@ void sdl_display_init(DisplayState *ds, int full_screen, int no_frame)
-         }
-     }
-     sdl2_num_outputs = i;
-+    if (sdl2_num_outputs == 0) {
-+        return;
-+    }
-     sdl2_console = g_new0(struct sdl2_console, sdl2_num_outputs);
-     for (i = 0; i < sdl2_num_outputs; i++) {
-         QemuConsole *con = qemu_console_lookup_by_index(i);

50-kvm-s390x.conf

@@ -1,3 +0,0 @@
-# KVM S390 VM creation fails without this set
-# https://www.mail-archive.com/kvm@vger.kernel.org/msg115576.html
-vm.allocate_pgste = 1

80-kvm.rules

@@ -1 +0,0 @@
-KERNEL=="kvm", GROUP="kvm", MODE="0666"

95-kvm-ppc64-memlock.conf

@@ -0,0 +1,12 @@
+# The KVM HV implementation on Power can require a significant amount
+# of unswappable memory (about half of which also needs to be host
+# physically contiguous) to hold the guest's Hash Page Table (HPT) -
+# roughly 1/64th of the guest's RAM size, minimum 16MiB.
+#
+# These limits allow unprivileged users to start smallish VMs, such as
+# those used by libguestfs.
+#
+# https://bugzilla.redhat.com/show_bug.cgi?id=1293024
+#
+*	hard	memlock		65536
+*	soft	memlock		65536

ksm.service

@@ -1,14 +0,0 @@
-[Unit]
-Description=Kernel Samepage Merging
-ConditionPathExists=/sys/kernel/mm/ksm
-ConditionVirtualization=no
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-EnvironmentFile=-/etc/sysconfig/ksm
-ExecStart=/usr/libexec/ksmctl start
-ExecStop=/usr/libexec/ksmctl stop
-
-[Install]
-WantedBy=multi-user.target

ksm.sysconfig

@@ -1,4 +0,0 @@
-# The maximum number of unswappable kernel pages
-# which may be allocated by ksm (0 for unlimited)
-# If unset, defaults to half of total memory
-# KSM_MAX_KERNEL_PAGES=

ksmctl.c

@@ -1,77 +0,0 @@
-/* Start/stop KSM, for systemd.
- * Copyright (C) 2009, 2011 Red Hat, Inc.
- * Written by Paolo Bonzini <pbonzini@redhat.com>.
- * Based on the original sysvinit script by Dan Kenigsberg <danken@redhat.com>
- * This file is distributed under the GNU General Public License, version 2
- * or later.  */
-
-#include <unistd.h>
-#include <stdio.h>
-#include <limits.h>
-#include <stdint.h>
-#include <stdlib.h>
-#include <string.h>
-
-#define KSM_MAX_KERNEL_PAGES_FILE "/sys/kernel/mm/ksm/max_kernel_pages"
-#define KSM_RUN_FILE		  "/sys/kernel/mm/ksm/run"
-
-char *program_name;
-
-int usage(void)
-{
-	fprintf(stderr, "Usage: %s {start|stop}\n", program_name);
-	return 1;
-}
-
-int write_value(uint64_t value, char *filename)
-{
-	FILE *fp;
-	if (!(fp = fopen(filename, "w")) ||
-	    fprintf(fp, "%llu\n", (unsigned long long) value) == EOF ||
-	    fflush(fp) == EOF ||
-	    fclose(fp) == EOF)
-		return 1;
-
-	return 0;
-}
-
-uint64_t ksm_max_kernel_pages()
-{
-	char *var = getenv("KSM_MAX_KERNEL_PAGES");
-	char *endptr;
-	uint64_t value;
-	if (var && *var) {
-		value = strtoll(var, &endptr, 0);
-		if (value < LLONG_MAX && !*endptr)
-			return value;
-	}
-	/* Unless KSM_MAX_KERNEL_PAGES is set, let KSM munch up to half of
-	 * total memory.  */
-	return sysconf(_SC_PHYS_PAGES) / 2;
-}
-
-int start(void)
-{
-	if (access(KSM_MAX_KERNEL_PAGES_FILE, R_OK) >= 0)
-		write_value(ksm_max_kernel_pages(), KSM_MAX_KERNEL_PAGES_FILE);
-	return write_value(1, KSM_RUN_FILE);
-}
-
-int stop(void)
-{
-	return write_value(0, KSM_RUN_FILE);
-}
-
-int main(int argc, char **argv)
-{
-	program_name = argv[0];
-	if (argc < 2) {
-		return usage();
-	} else if (!strcmp(argv[1], "start")) {
-		return start();
-	} else if (!strcmp(argv[1], "stop")) {
-		return stop();
-	} else {
-		return usage();
-	}
-}

ksmtuned

@@ -1,139 +0,0 @@
-#!/bin/bash
-#
-# Copyright 2009 Red Hat, Inc. and/or its affiliates.
-# Released under the GPL
-#
-# Author:      Dan Kenigsberg <danken@redhat.com>
-#
-# ksmtuned - a simple script that controls whether (and with what vigor) ksm
-# should search for duplicated pages.
-#
-# starts ksm when memory commited to qemu processes exceeds a threshold, and
-# make ksm work harder and harder untill memory load falls below that
-# threshold.
-#
-# send SIGUSR1 to this process right after a new qemu process is started, or
-# following its death, to retune ksm accordingly
-#
-# needs testing and ironing. contact danken@redhat.com if something breaks.
-
-if [ -f /etc/ksmtuned.conf ]; then
-    . /etc/ksmtuned.conf
-fi
-
-debug() {
-    if [ -n "$DEBUG" ]; then
-        s="`/bin/date`: $*"
-        [ -n "$LOGFILE" ] && echo "$s" >> "$LOGFILE" || echo "$s"
-    fi
-}
-
-
-KSM_MONITOR_INTERVAL=${KSM_MONITOR_INTERVAL:-60}
-KSM_NPAGES_BOOST=${KSM_NPAGES_BOOST:-300}
-KSM_NPAGES_DECAY=${KSM_NPAGES_DECAY:--50}
-
-KSM_NPAGES_MIN=${KSM_NPAGES_MIN:-64}
-KSM_NPAGES_MAX=${KSM_NPAGES_MAX:-1250}
-# millisecond sleep between ksm scans for 16Gb server. Smaller servers sleep
-# more, bigger sleep less.
-KSM_SLEEP_MSEC=${KSM_SLEEP_MSEC:-10}
-
-KSM_THRES_COEF=${KSM_THRES_COEF:-20}
-KSM_THRES_CONST=${KSM_THRES_CONST:-2048}
-
-total=`awk '/^MemTotal:/ {print $2}' /proc/meminfo`
-debug total $total
-
-npages=0
-sleep=$[KSM_SLEEP_MSEC * 16 * 1024 * 1024 / total]
-[ $sleep -le 10 ] && sleep=10
-debug sleep $sleep
-thres=$[total * KSM_THRES_COEF / 100]
-if [ $KSM_THRES_CONST -gt $thres ]; then
-    thres=$KSM_THRES_CONST
-fi
-debug thres $thres
-
-KSMCTL () {
-    case x$1 in
-        xstop)
-            echo 0 > /sys/kernel/mm/ksm/run
-            ;;
-        xstart)
-            echo $2 > /sys/kernel/mm/ksm/pages_to_scan
-            echo $3 > /sys/kernel/mm/ksm/sleep_millisecs
-            echo 1 > /sys/kernel/mm/ksm/run
-            ;;
-    esac
-}
-
-committed_memory () {
-    # calculate how much memory is committed to running qemu processes
-    local pidlist
-    pidlist=$(pgrep -d ' ' -- '^qemu(-(kvm|system-.+)|:.{1,11})$')
-    if [ -n "$pidlist" ]; then
-        ps -p "$pidlist" -o rsz=
-    fi | awk '{ sum += $1 }; END { print 0+sum }'
-}
-
-free_memory () {
-    awk '/^(MemFree|Buffers|Cached):/ {free += $2}; END {print free}' \
-                /proc/meminfo
-}
-
-increase_npages() {
-    local delta
-    delta=${1:-0}
-    npages=$[npages + delta]
-    if [ $npages -lt $KSM_NPAGES_MIN ]; then
-        npages=$KSM_NPAGES_MIN
-    elif [ $npages -gt $KSM_NPAGES_MAX ]; then
-        npages=$KSM_NPAGES_MAX
-    fi
-    echo $npages
-}
-
-
-adjust () {
-    local free committed
-    free=`free_memory`
-    committed=`committed_memory`
-    debug committed $committed free $free
-    if [ $[committed + thres] -lt $total -a $free -gt $thres ]; then
-        KSMCTL stop
-        debug "$[committed + thres] < $total and free > $thres, stop ksm"
-        return 1
-    fi
-    debug "$[committed + thres] > $total, start ksm"
-    if [ $free -lt $thres ]; then
-        npages=`increase_npages $KSM_NPAGES_BOOST`
-        debug "$free < $thres, boost"
-    else
-        npages=`increase_npages $KSM_NPAGES_DECAY`
-        debug "$free > $thres, decay"
-    fi
-    KSMCTL start $npages $sleep
-    debug "KSMCTL start $npages $sleep"
-    return 0
-}
-
-function nothing () {
-    :
-}
-
-loop () {
-    trap nothing SIGUSR1
-    while true
-    do
-        sleep $KSM_MONITOR_INTERVAL &
-        wait $!
-        adjust
-    done
-}
-
-PIDFILE=${PIDFILE-/var/run/ksmtune.pid}
-if touch "$PIDFILE"; then
-  loop &
-  echo $! > "$PIDFILE"
-fi

ksmtuned.conf

@@ -1,21 +0,0 @@
-# Configuration file for ksmtuned.
-
-# How long ksmtuned should sleep between tuning adjustments
-# KSM_MONITOR_INTERVAL=60
-
-# Millisecond sleep between ksm scans for 16Gb server.
-# Smaller servers sleep more, bigger sleep less.
-# KSM_SLEEP_MSEC=10
-
-# KSM_NPAGES_BOOST=300
-# KSM_NPAGES_DECAY=-50
-# KSM_NPAGES_MIN=64
-# KSM_NPAGES_MAX=1250
-
-# KSM_THRES_COEF=20
-# KSM_THRES_CONST=2048
-
-# uncomment the following if you want ksmtuned debug info
-
-# LOGFILE=/var/log/ksmtuned
-# DEBUG=1

ksmtuned.service

@@ -1,13 +0,0 @@
-[Unit]
-Description=Kernel Samepage Merging (KSM) Tuning Daemon
-After=ksm.service
-Requires=ksm.service
-ConditionVirtualization=no
-
-[Service]
-ExecStart=/usr/sbin/ksmtuned
-ExecReload=/bin/kill -USR1 $MAINPID
-Type=forking
-
-[Install]
-WantedBy=multi-user.target

kvm.modules

@@ -1,18 +0,0 @@
-#!/bin/sh
-
-case $(uname -m) in
-    ppc64)
-        grep OPAL  /proc/cpuinfo >/dev/null 2>&1 && opal=1
-
-        modprobe -b kvm >/dev/null 2>&1
-        modprobe -b kvm-pr >/dev/null 2>&1 && kvm=1
-        if [ "$opal" ]; then
-            modprobe -b kvm-hv >/dev/null 2>&1
-        fi
-        ;;
-    s390x)
-        modprobe -b kvm >/dev/null 2>&1 && kvm=1
-        ;;
-esac
-
-exit 0

qemu-ga.sysconfig

@@ -0,0 +1,19 @@
+# This is a systemd environment file, not a shell script.
+# It provides settings for "/lib/systemd/system/qemu-guest-agent.service".
+
+# Comma-separated blacklist of RPCs to disable, or empty list to enable all.
+#
+# You can get the list of RPC commands using "qemu-ga --blacklist='?'".
+# There should be no spaces between commas and commands in the blacklist.
+#BLACKLIST_RPC=guest-file-open,guest-file-close,guest-file-read,guest-file-write,guest-file-seek,guest-file-flush,guest-exec,guest-exec-status
+
+# Fsfreeze hook script specification.
+#
+# FSFREEZE_HOOK_PATHNAME=/dev/null           : disables the feature.
+#
+# FSFREEZE_HOOK_PATHNAME=/path/to/executable : enables the feature with the
+# specified binary or shell script.
+#
+# FSFREEZE_HOOK_PATHNAME=                    : enables the feature with the
+# default value (invoke "qemu-ga --help" to interrogate).
+FSFREEZE_HOOK_PATHNAME=/etc/qemu-ga/fsfreeze-hook

qemu-guest-agent.service

@@ -1,11 +1,19 @@
 [Unit]
 Description=QEMU Guest Agent
-BindTo=dev-virtio\x2dports-org.qemu.guest_agent.0.device
+BindsTo=dev-virtio\x2dports-org.qemu.guest_agent.0.device
 After=dev-virtio\x2dports-org.qemu.guest_agent.0.device
+IgnoreOnIsolate=True
 
 [Service]
-ExecStart=-/usr/bin/qemu-ga
+UMask=0077
+EnvironmentFile=/etc/sysconfig/qemu-ga
+ExecStart=/usr/bin/qemu-ga \
+  --method=virtio-serial \
+  --path=/dev/virtio-ports/org.qemu.guest_agent.0 \
+  --blacklist=${BLACKLIST_RPC} \
+  -F${FSFREEZE_HOOK_PATHNAME}
 Restart=always
 RestartSec=0
 
 [Install]
+WantedBy=dev-virtio\x2dports-org.qemu.guest_agent.0.device

qemu.binfmt

@@ -1,22 +0,0 @@
-:qemu-alpha:M::\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x26\x90:\xff\xff\xff\xff\xff\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-alpha:
-:qemu-armeb:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x28:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-armeb:
-:qemu-arm:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x28\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-arm:
-:qemu-cris:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x4c\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-cris:
-:qemu-i386:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x03\x00:\xff\xff\xff\xff\xff\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-i386:
-:qemu-i486:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x06\x00:\xff\xff\xff\xff\xff\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-i386:
-:qemu-m68k:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x04:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-m68k:
-:qemu-microblazeel:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\xab\xba:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-microblazeel:
-:qemu-microblaze:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\xba\xab:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-microblaze:
-:qemu-mips64el:M::\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xfe\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-mips64el:
-:qemu-mips64:M::\x7fELF\x02\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08:\xff\xff\xff\xff\xff\xff\xff\x00\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-mips64:
-:qemu-mipsel:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xfe\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-mipsel:
-:qemu-mips:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08:\xff\xff\xff\xff\xff\xff\xff\x00\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-mips:
-:qemu-ppc64abi32:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x15:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-ppc64abi32:
-:qemu-ppc64:M::\x7fELF\x02\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x15:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-ppc64:
-:qemu-ppc:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x14:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-ppc:
-:qemu-s390x:M::\x7fELF\x02\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x16:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-s390x:
-:qemu-sh4eb:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x2a:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-sh4eb:
-:qemu-sh4:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x2a\x00:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-sh4:
-:qemu-sparc32plus:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x12:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-sparc32plus:
-:qemu-sparc64:M::\x7fELF\x02\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x2b:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-sparc64:
-:qemu-sparc:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x02:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-sparc:

sources

@@ -1 +1 @@
-ca3f70b43f093e33e9e014f144067f13  qemu-2.6.0.tar.bz2
+SHA512 (qemu-5.2.0-rc4.tar.xz) = 47e918392609c34f904962e5759125485407ae52c273053729054300e10fc67fc7ed443c9af25d1d852a5f5c70eee125c703ce15d0e571068848f405de33db3b