Rebase to qemu-5.2.0-rc4

Signed-off-by: Cole Robinson <crobinso@redhat.com>

.gitignore

@@ -1,4 +1,4 @@
 /.build*.log
 /x86_64/
 /*.src.rpm
-/qemu-*.tar.bz2
+/qemu-*.tar.xz

0001-spice-F24-spice-has-backported-gl-support.patch

@@ -1,23 +0,0 @@
-From: Pavel Grunt <pgrunt@redhat.com>
-Date: Fri, 11 Mar 2016 14:40:59 +0100
-Subject: [PATCH] spice: F24 spice has backported gl support
-
-Not for upstream, this just adjusts the version check to work with
-f24 backported spice gl support
----
- include/ui/spice-display.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/include/ui/spice-display.h b/include/ui/spice-display.h
-index 568b64a..3c679e8 100644
---- a/include/ui/spice-display.h
-+++ b/include/ui/spice-display.h
-@@ -25,7 +25,7 @@
- #include "sysemu/sysemu.h"
- 
- #if defined(CONFIG_OPENGL_DMABUF)
--# if SPICE_SERVER_VERSION >= 0x000d01 /* release 0.13.1 */
-+# if SPICE_SERVER_VERSION >= 0x000c07 /* release 0.12.7 */
- #  define HAVE_SPICE_GL 1
- #  include "ui/egl-helpers.h"
- #  include "ui/egl-context.h"

0002-scsi-esp-fix-migration.patch

@@ -1,55 +0,0 @@
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Mon, 20 Jun 2016 16:32:39 +0200
-Subject: [PATCH] scsi: esp: fix migration
-
-Commit 926cde5 ("scsi: esp: make cmdbuf big enough for maximum CDB size",
-2016-06-16) changed the size of a migrated field.  Split it in two
-parts, and only migrate the second part in a new vmstate version.
-
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit cc96677469388bad3d66479379735cf75db069e3)
----
- hw/scsi/esp.c               | 5 +++--
- include/migration/vmstate.h | 5 ++++-
- 2 files changed, 7 insertions(+), 3 deletions(-)
-
-diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
-index baa0a2c..1f2f2d3 100644
---- a/hw/scsi/esp.c
-+++ b/hw/scsi/esp.c
-@@ -574,7 +574,7 @@ static bool esp_mem_accepts(void *opaque, hwaddr addr,
- 
- const VMStateDescription vmstate_esp = {
-     .name ="esp",
--    .version_id = 3,
-+    .version_id = 4,
-     .minimum_version_id = 3,
-     .fields = (VMStateField[]) {
-         VMSTATE_BUFFER(rregs, ESPState),
-@@ -585,7 +585,8 @@ const VMStateDescription vmstate_esp = {
-         VMSTATE_BUFFER(ti_buf, ESPState),
-         VMSTATE_UINT32(status, ESPState),
-         VMSTATE_UINT32(dma, ESPState),
--        VMSTATE_BUFFER(cmdbuf, ESPState),
-+        VMSTATE_PARTIAL_BUFFER(cmdbuf, ESPState, 16),
-+        VMSTATE_BUFFER_START_MIDDLE_V(cmdbuf, ESPState, 16, 4),
-         VMSTATE_UINT32(cmdlen, ESPState),
-         VMSTATE_UINT32(do_cmd, ESPState),
-         VMSTATE_UINT32(dma_left, ESPState),
-diff --git a/include/migration/vmstate.h b/include/migration/vmstate.h
-index 84ee355..853a2bd 100644
---- a/include/migration/vmstate.h
-+++ b/include/migration/vmstate.h
-@@ -888,8 +888,11 @@ extern const VMStateInfo vmstate_info_bitmap;
- #define VMSTATE_PARTIAL_BUFFER(_f, _s, _size)                         \
-     VMSTATE_STATIC_BUFFER(_f, _s, 0, NULL, 0, _size)
- 
-+#define VMSTATE_BUFFER_START_MIDDLE_V(_f, _s, _start, _v) \
-+    VMSTATE_STATIC_BUFFER(_f, _s, _v, NULL, _start, sizeof(typeof_field(_s, _f)))
-+
- #define VMSTATE_BUFFER_START_MIDDLE(_f, _s, _start) \
--    VMSTATE_STATIC_BUFFER(_f, _s, 0, NULL, _start, sizeof(typeof_field(_s, _f)))
-+    VMSTATE_BUFFER_START_MIDDLE_V(_f, _s, _start, 0)
- 
- #define VMSTATE_PARTIAL_VBUFFER(_f, _s, _size)                        \
-     VMSTATE_VBUFFER(_f, _s, 0, NULL, 0, _size)

0003-net-vmxnet3-check-for-device_active-before-write.patch

@@ -1,33 +0,0 @@
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Mon, 8 Aug 2016 18:08:31 +0530
-Subject: [PATCH] net: vmxnet3: check for device_active before write
-
-Vmxnet3 device emulator does not check if the device is active,
-before using it for write. It leads to a use after free issue,
-if the vmxnet3_io_bar0_write routine is called after the device is
-deactivated. Add check to avoid it.
-
-Reported-by: Li Qiang <liqiang6-s@360.cn>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Acked-by: Dmitry Fleytman <dmitry@daynix.com>
-Signed-off-by: Jason Wang <jasowang@redhat.com>
-(cherry picked from commit 6c352ca9b4ee3e1e286ea9e8434bd8e69ac7d0d8)
----
- hw/net/vmxnet3.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
-index 20f26b7..a6ce16e 100644
---- a/hw/net/vmxnet3.c
-+++ b/hw/net/vmxnet3.c
-@@ -1158,6 +1158,10 @@ vmxnet3_io_bar0_write(void *opaque, hwaddr addr,
- {
-     VMXNET3State *s = opaque;
- 
-+    if (!s->device_active) {
-+        return;
-+    }
-+
-     if (VMW_IS_MULTIREG_ADDR(addr, VMXNET3_REG_TXPROD,
-                         VMXNET3_DEVICE_MAX_TX_QUEUES, VMXNET3_REG_ALIGN)) {
-         int tx_queue_idx =

0004-virtio-check-vring-descriptor-buffer-length.patch

@@ -1,34 +0,0 @@
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Wed, 27 Jul 2016 21:07:56 +0530
-Subject: [PATCH] virtio: check vring descriptor buffer length
-
-virtio back end uses set of buffers to facilitate I/O operations.
-An infinite loop unfolds in virtqueue_pop() if a buffer was
-of zero size. Add check to avoid it.
-
-Reported-by: Li Qiang <liqiang6-s@360.cn>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
-(cherry picked from commit 1e7aed70144b4673fc26e73062064b6724795e5f)
----
- hw/virtio/virtio.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
-index 519bb03..20c4f39 100644
---- a/hw/virtio/virtio.c
-+++ b/hw/virtio/virtio.c
-@@ -458,6 +458,11 @@ static void virtqueue_map_desc(unsigned int *p_num_sg, hwaddr *addr, struct iove
-     unsigned num_sg = *p_num_sg;
-     assert(num_sg <= max_num_sg);
- 
-+    if (!sz) {
-+        error_report("virtio: zero sized buffers are not allowed");
-+        exit(1);
-+    }
-+
-     while (sz) {
-         hwaddr len = sz;
- 

0005-scsi-pvscsi-limit-loop-to-fetch-SG-list.patch

@@ -1,61 +0,0 @@
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Tue, 6 Sep 2016 02:20:43 +0530
-Subject: [PATCH] scsi: pvscsi: limit loop to fetch SG list
-
-In PVSCSI paravirtual SCSI bus, pvscsi_convert_sglist can take a very
-long time or go into an infinite loop due to two different bugs:
-
-1) the request descriptor data length is defined to be 64 bit. While
-building SG list from a request descriptor, it gets truncated to 32bit
-in routine 'pvscsi_convert_sglist'. This could lead to an infinite loop
-situation large 'dataLen' values when data_length is cast to uint32_t and
-chunk_size becomes always zero.  Fix this by removing the incorrect cast.
-
-2) pvscsi_get_next_sg_elem can be called arbitrarily many times if the
-element has a zero length.  Get out of the loop early when this happens,
-by introducing an upper limit on the number of SG list elements.
-
-Reported-by: Li Qiang <liqiang6-s@360.cn>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Message-Id: <1473108643-12983-1-git-send-email-ppandit@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit 49adc5d3f8c6bb75e55ebfeab109c5c37dea65e8)
----
- hw/scsi/vmw_pvscsi.c | 11 ++++++-----
- 1 file changed, 6 insertions(+), 5 deletions(-)
-
-diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
-index b845729..a13e72c 100644
---- a/hw/scsi/vmw_pvscsi.c
-+++ b/hw/scsi/vmw_pvscsi.c
-@@ -40,6 +40,8 @@
- #define PVSCSI_MAX_DEVS                   (64)
- #define PVSCSI_MSIX_NUM_VECTORS           (1)
- 
-+#define PVSCSI_MAX_SG_ELEM                2048
-+
- #define PVSCSI_MAX_CMD_DATA_WORDS \
-     (sizeof(PVSCSICmdDescSetupRings)/sizeof(uint32_t))
- 
-@@ -632,17 +634,16 @@ pvscsi_queue_pending_descriptor(PVSCSIState *s, SCSIDevice **d,
- static void
- pvscsi_convert_sglist(PVSCSIRequest *r)
- {
--    int chunk_size;
-+    uint32_t chunk_size, elmcnt = 0;
-     uint64_t data_length = r->req.dataLen;
-     PVSCSISGState sg = r->sg;
--    while (data_length) {
--        while (!sg.resid) {
-+    while (data_length && elmcnt < PVSCSI_MAX_SG_ELEM) {
-+        while (!sg.resid && elmcnt++ < PVSCSI_MAX_SG_ELEM) {
-             pvscsi_get_next_sg_elem(&sg);
-             trace_pvscsi_convert_sglist(r->req.context, r->sg.dataAddr,
-                                         r->sg.resid);
-         }
--        assert(data_length > 0);
--        chunk_size = MIN((unsigned) data_length, sg.resid);
-+        chunk_size = MIN(data_length, sg.resid);
-         if (chunk_size) {
-             qemu_sglist_add(&r->sgl, sg.dataAddr, chunk_size);
-         }

0006-vmsvga-correct-bitmap-and-pixmap-size-checks.patch

@@ -1,42 +0,0 @@
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Thu, 8 Sep 2016 18:15:54 +0530
-Subject: [PATCH] vmsvga: correct bitmap and pixmap size checks
-
-When processing svga command DEFINE_CURSOR in vmsvga_fifo_run,
-the computed BITMAP and PIXMAP size are checked against the
-'cursor.mask[]' and 'cursor.image[]' array sizes in bytes.
-Correct these checks to avoid OOB memory access.
-
-Reported-by: Qinghao Tang <luodalongde@gmail.com>
-Reported-by: Li Qiang <liqiang6-s@360.cn>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Message-id: 1473338754-15430-1-git-send-email-ppandit@redhat.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-(cherry picked from commit 167d97a3def77ee2dbf6e908b0ecbfe2103977db)
----
- hw/display/vmware_vga.c | 12 +++++++-----
- 1 file changed, 7 insertions(+), 5 deletions(-)
-
-diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
-index e51a05e..6599cf0 100644
---- a/hw/display/vmware_vga.c
-+++ b/hw/display/vmware_vga.c
-@@ -676,11 +676,13 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
-             cursor.bpp = vmsvga_fifo_read(s);
- 
-             args = SVGA_BITMAP_SIZE(x, y) + SVGA_PIXMAP_SIZE(x, y, cursor.bpp);
--            if (cursor.width > 256 ||
--                cursor.height > 256 ||
--                cursor.bpp > 32 ||
--                SVGA_BITMAP_SIZE(x, y) > sizeof cursor.mask ||
--                SVGA_PIXMAP_SIZE(x, y, cursor.bpp) > sizeof cursor.image) {
-+            if (cursor.width > 256
-+                || cursor.height > 256
-+                || cursor.bpp > 32
-+                || SVGA_BITMAP_SIZE(x, y)
-+                    > sizeof(cursor.mask) / sizeof(cursor.mask[0])
-+                || SVGA_PIXMAP_SIZE(x, y, cursor.bpp)
-+                    > sizeof(cursor.image) / sizeof(cursor.image[0])) {
-                     goto badcmd;
-             }
- 

0007-hw-net-Fix-a-heap-overflow-in-xlnx.xps-ethernetlite.patch

@@ -1,32 +0,0 @@
-From: chaojianhu <chaojianhu@hotmail.com>
-Date: Tue, 9 Aug 2016 11:52:54 +0800
-Subject: [PATCH] hw/net: Fix a heap overflow in xlnx.xps-ethernetlite
-
-The .receive callback of xlnx.xps-ethernetlite doesn't check the length
-of data before calling memcpy. As a result, the NetClientState object in
-heap will be overflowed. All versions of qemu with xlnx.xps-ethernetlite
-will be affected.
-
-Reported-by: chaojianhu <chaojianhu@hotmail.com>
-Signed-off-by: chaojianhu <chaojianhu@hotmail.com>
-Signed-off-by: Jason Wang <jasowang@redhat.com>
-(cherry picked from commit a0d1cbdacff5df4ded16b753b38fdd9da6092968)
----
- hw/net/xilinx_ethlite.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/hw/net/xilinx_ethlite.c b/hw/net/xilinx_ethlite.c
-index bc846e7..12b7419 100644
---- a/hw/net/xilinx_ethlite.c
-+++ b/hw/net/xilinx_ethlite.c
-@@ -197,6 +197,10 @@ static ssize_t eth_rx(NetClientState *nc, const uint8_t *buf, size_t size)
-     }
- 
-     D(qemu_log("%s %zd rxbase=%x\n", __func__, size, rxbase));
-+    if (size > (R_MAX - R_RX_BUF0 - rxbase) * 4) {
-+        D(qemu_log("ethlite packet is too big, size=%x\n", size));
-+        return -1;
-+    }
-     memcpy(&s->regs[rxbase + R_RX_BUF0], buf, size);
- 
-     s->regs[rxbase + R_RX_CTRL0] |= CTRL_S;

0008-usb-xhci-fix-memory-leak-in-usb_xhci_exit.patch

@@ -1,29 +0,0 @@
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Tue, 13 Sep 2016 03:20:03 -0700
-Subject: [PATCH] usb:xhci:fix memory leak in usb_xhci_exit
-
-If the xhci uses msix, it doesn't free the corresponding
-memory, thus leading a memory leak. This patch avoid this.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-Message-id: 57d7d2e0.d4301c0a.d13e9.9a55@mx.google.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-(cherry picked from commit b53dd4495ced2432a0b652ea895e651d07336f7e)
----
- hw/usb/hcd-xhci.c | 3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
-
-diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
-index 43ba615..510a3e1 100644
---- a/hw/usb/hcd-xhci.c
-+++ b/hw/usb/hcd-xhci.c
-@@ -3689,8 +3689,7 @@ static void usb_xhci_exit(PCIDevice *dev)
-     /* destroy msix memory region */
-     if (dev->msix_table && dev->msix_pba
-         && dev->msix_entry_used) {
--        memory_region_del_subregion(&xhci->mem, &dev->msix_table_mmio);
--        memory_region_del_subregion(&xhci->mem, &dev->msix_pba_mmio);
-+        msix_uninit(dev, &xhci->mem, &xhci->mem);
-     }
- 
-     usb_bus_release(&xhci->bus);

0009-virtio-add-check-for-descriptor-s-mapped-address.patch

@@ -1,35 +0,0 @@
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Mon, 19 Sep 2016 23:55:45 +0530
-Subject: [PATCH] virtio: add check for descriptor's mapped address
-
-virtio back end uses set of buffers to facilitate I/O operations.
-If its size is too large, 'cpu_physical_memory_map' could return
-a null address. This would result in a null dereference while
-un-mapping descriptors. Add check to avoid it.
-
-Reported-by: Qinghao Tang <luodalongde@gmail.com>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-Reviewed-by: Laszlo Ersek <lersek@redhat.com>
-(cherry picked from commit 973e7170dddefb491a48df5cba33b2ae151013a0)
----
- hw/virtio/virtio.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
-index 20c4f39..3a470fc 100644
---- a/hw/virtio/virtio.c
-+++ b/hw/virtio/virtio.c
-@@ -472,6 +472,11 @@ static void virtqueue_map_desc(unsigned int *p_num_sg, hwaddr *addr, struct iove
-         }
- 
-         iov[num_sg].iov_base = cpu_physical_memory_map(pa, &len, is_write);
-+        if (!iov[num_sg].iov_base) {
-+            error_report("virtio: bogus descriptor or out of resources");
-+            exit(1);
-+        }
-+
-         iov[num_sg].iov_len = len;
-         addr[num_sg] = pa;
- 

0010-net-mcf-limit-buffer-descriptor-count.patch

@@ -1,49 +0,0 @@
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Thu, 22 Sep 2016 16:02:37 +0530
-Subject: [PATCH] net: mcf: limit buffer descriptor count
-
-ColdFire Fast Ethernet Controller uses buffer descriptors to manage
-data flow to/fro receive & transmit queues. While transmitting
-packets, it could continue to read buffer descriptors if a buffer
-descriptor has length of zero and has crafted values in bd.flags.
-Set upper limit to number of buffer descriptors.
-
-Reported-by: Li Qiang <liqiang6-s@360.cn>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Jason Wang <jasowang@redhat.com>
-(cherry picked from commit 070c4b92b8cd5390889716677a0b92444d6e087a)
----
- hw/net/mcf_fec.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/hw/net/mcf_fec.c b/hw/net/mcf_fec.c
-index 7c0398e..6d3418e 100644
---- a/hw/net/mcf_fec.c
-+++ b/hw/net/mcf_fec.c
-@@ -23,6 +23,7 @@ do { printf("mcf_fec: " fmt , ## __VA_ARGS__); } while (0)
- #define DPRINTF(fmt, ...) do {} while(0)
- #endif
- 
-+#define FEC_MAX_DESC 1024
- #define FEC_MAX_FRAME_SIZE 2032
- 
- typedef struct {
-@@ -149,7 +150,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s)
-     uint32_t addr;
-     mcf_fec_bd bd;
-     int frame_size;
--    int len;
-+    int len, descnt = 0;
-     uint8_t frame[FEC_MAX_FRAME_SIZE];
-     uint8_t *ptr;
- 
-@@ -157,7 +158,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s)
-     ptr = frame;
-     frame_size = 0;
-     addr = s->tx_descriptor;
--    while (1) {
-+    while (descnt++ < FEC_MAX_DESC) {
-         mcf_fec_read_bd(&bd, addr);
-         DPRINTF("tx_bd %x flags %04x len %d data %08x\n",
-                 addr, bd.flags, bd.length, bd.data);

0011-xhci-limit-the-number-of-link-trbs-we-are-willing-to.patch

@@ -1,65 +0,0 @@
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Mon, 10 Oct 2016 12:46:22 +0200
-Subject: [PATCH] xhci: limit the number of link trbs we are willing to process
-
-Needed to avoid we run in circles forever in case the guest builds
-an endless loop with link trbs.
-
-Reported-by: Li Qiang <liqiang6-s@360.cn>
-Tested-by: P J P <ppandit@redhat.com>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Message-id: 1476096382-7981-1-git-send-email-kraxel@redhat.com
-(cherry picked from commit 05f43d44e4bc26611ce25fd7d726e483f73363ce)
----
- hw/usb/hcd-xhci.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
-index 510a3e1..4e9dea5 100644
---- a/hw/usb/hcd-xhci.c
-+++ b/hw/usb/hcd-xhci.c
-@@ -53,6 +53,8 @@
-  * to the specs when it gets them */
- #define ER_FULL_HACK
- 
-+#define TRB_LINK_LIMIT  4
-+
- #define LEN_CAP         0x40
- #define LEN_OPER        (0x400 + 0x10 * MAXPORTS)
- #define LEN_RUNTIME     ((MAXINTRS + 1) * 0x20)
-@@ -999,6 +1001,7 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb,
-                                dma_addr_t *addr)
- {
-     PCIDevice *pci_dev = PCI_DEVICE(xhci);
-+    uint32_t link_cnt = 0;
- 
-     while (1) {
-         TRBType type;
-@@ -1025,6 +1028,9 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb,
-             ring->dequeue += TRB_SIZE;
-             return type;
-         } else {
-+            if (++link_cnt > TRB_LINK_LIMIT) {
-+                return 0;
-+            }
-             ring->dequeue = xhci_mask64(trb->parameter);
-             if (trb->control & TRB_LK_TC) {
-                 ring->ccs = !ring->ccs;
-@@ -1042,6 +1048,7 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring)
-     bool ccs = ring->ccs;
-     /* hack to bundle together the two/three TDs that make a setup transfer */
-     bool control_td_set = 0;
-+    uint32_t link_cnt = 0;
- 
-     while (1) {
-         TRBType type;
-@@ -1057,6 +1064,9 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring)
-         type = TRB_TYPE(trb);
- 
-         if (type == TR_LINK) {
-+            if (++link_cnt > TRB_LINK_LIMIT) {
-+                return -length;
-+            }
-             dequeue = xhci_mask64(trb.parameter);
-             if (trb.control & TRB_LK_TC) {
-                 ccs = !ccs;

0012-usb-ehci-fix-memory-leak-in-ehci_process_itd.patch

@@ -1,29 +0,0 @@
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Sun, 18 Sep 2016 19:48:35 -0700
-Subject: [PATCH] usb: ehci: fix memory leak in ehci_process_itd
-
-While processing isochronous transfer descriptors(iTD), if the page
-select(PG) field value is out of bands it will return. In this
-situation the ehci's sg list is not freed thus leading to a memory
-leak issue. This patch avoid this.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-Reviewed-by: Thomas Huth <thuth@redhat.com>
-Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
-(cherry picked from commit b16c129daf0fed91febbb88de23dae8271c8898a)
----
- hw/usb/hcd-ehci.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
-index 43a8f7a..92241bb 100644
---- a/hw/usb/hcd-ehci.c
-+++ b/hw/usb/hcd-ehci.c
-@@ -1426,6 +1426,7 @@ static int ehci_process_itd(EHCIState *ehci,
-             if (off + len > 4096) {
-                 /* transfer crosses page border */
-                 if (pg == 6) {
-+                    qemu_sglist_destroy(&ehci->isgl);
-                     return -1;  /* avoid page pg + 1 */
-                 }
-                 ptr2 = (itd->bufptr[pg + 1] & ITD_BUFPTR_MASK);

0013-qxl-Only-emit-QXL_INTERRUPT_CLIENT_MONITORS_CONFIG-o.patch

@@ -1,74 +0,0 @@
-From: Christophe Fergeau <cfergeau@redhat.com>
-Date: Fri, 14 Oct 2016 14:22:36 +0200
-Subject: [PATCH] qxl: Only emit QXL_INTERRUPT_CLIENT_MONITORS_CONFIG on config
- changes
-
-Currently if the client keeps sending the same monitor config to
-QEMU/spice-server, QEMU will always raise
-a QXL_INTERRUPT_CLIENT_MONITORS_CONFIG regardless of whether there was a
-change or not.
-Guest-side (with fedora 25), the kernel QXL KMS driver will also forward the
-event to user-space without checking if there were actual changes.
-Next in line are gnome-shell/mutter (on a default f25 install), which
-will try to reconfigure everything without checking if there is anything
-to do.
-Where this gets ugly is that when applying the resolution changes,
-gnome-shell/mutter will call drmModeRmFB, drmModeAddFB, and
-drmModeSetCrtc, which will cause the primary surface to be destroyed and
-recreated by the QXL KMS driver. This in turn will cause the client to
-resend a client monitors config message, which will cause QEMU to reemit
-an interrupt with an unchanged monitors configuration, ...
-This causes https://bugzilla.redhat.com/show_bug.cgi?id=1266484
-
-This commit makes sure that we only emit
-QXL_INTERRUPT_CLIENT_MONITORS_CONFIG when there are actual configuration
-changes the guest should act on.
----
- hw/display/qxl.c | 20 +++++++++++++++++++-
- 1 file changed, 19 insertions(+), 1 deletion(-)
-
-diff --git a/hw/display/qxl.c b/hw/display/qxl.c
-index 919dc5c..3cc8d38 100644
---- a/hw/display/qxl.c
-+++ b/hw/display/qxl.c
-@@ -997,6 +997,7 @@ static int interface_client_monitors_config(QXLInstance *sin,
-     QXLRom *rom = memory_region_get_ram_ptr(&qxl->rom_bar);
-     int i;
-     unsigned max_outputs = ARRAY_SIZE(rom->client_monitors_config.heads);
-+    bool config_changed = false;
- 
-     if (qxl->revision < 4) {
-         trace_qxl_client_monitors_config_unsupported_by_device(qxl->id,
-@@ -1027,6 +1028,21 @@ static int interface_client_monitors_config(QXLInstance *sin,
-     }
- #endif
- 
-+    if (rom->client_monitors_config.count != MIN(monitors_config->num_of_monitors, max_outputs)) {
-+        config_changed = true;
-+    }
-+    for (i = 0 ; i < rom->client_monitors_config.count ; ++i) {
-+        VDAgentMonConfig *monitor = &monitors_config->monitors[i];
-+        QXLURect *rect = &rom->client_monitors_config.heads[i];
-+        /* monitor->depth ignored */
-+        if ((rect->left != monitor->x) ||
-+            (rect->top != monitor->y)  ||
-+            (rect->right != monitor->x + monitor->width) ||
-+            (rect->bottom != monitor->y + monitor->height)) {
-+            config_changed = true;
-+        }
-+    }
-+
-     memset(&rom->client_monitors_config, 0,
-            sizeof(rom->client_monitors_config));
-     rom->client_monitors_config.count = monitors_config->num_of_monitors;
-@@ -1056,7 +1072,9 @@ static int interface_client_monitors_config(QXLInstance *sin,
-     trace_qxl_interrupt_client_monitors_config(qxl->id,
-                         rom->client_monitors_config.count,
-                         rom->client_monitors_config.heads);
--    qxl_send_events(qxl, QXL_INTERRUPT_CLIENT_MONITORS_CONFIG);
-+    if (config_changed) {
-+        qxl_send_events(qxl, QXL_INTERRUPT_CLIENT_MONITORS_CONFIG);
-+    }
-     return 1;
- }
- 

0014-net-vmxnet-initialise-local-tx-descriptor.patch

@@ -1,30 +0,0 @@
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Thu, 11 Aug 2016 00:42:20 +0530
-Subject: [PATCH] net: vmxnet: initialise local tx descriptor
-
-In Vmxnet3 device emulator while processing transmit(tx) queue,
-when it reaches end of packet, it calls vmxnet3_complete_packet.
-In that local 'txcq_descr' object is not initialised, which could
-leak host memory bytes a guest.
-
-Reported-by: Li Qiang <liqiang6-s@360.cn>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Reviewed-by: Dmitry Fleytman <dmitry@daynix.com>
-Signed-off-by: Jason Wang <jasowang@redhat.com>
-(cherry picked from commit fdda170e50b8af062cf5741e12c4fb5e57a2eacf)
----
- hw/net/vmxnet3.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
-index a6ce16e..360290d 100644
---- a/hw/net/vmxnet3.c
-+++ b/hw/net/vmxnet3.c
-@@ -529,6 +529,7 @@ static void vmxnet3_complete_packet(VMXNET3State *s, int qidx, uint32_t tx_ridx)
- 
-     VMXNET3_RING_DUMP(VMW_RIPRN, "TXC", qidx, &s->txq_descr[qidx].comp_ring);
- 
-+    memset(&txcq_descr, 0, sizeof(txcq_descr));
-     txcq_descr.txdIdx = tx_ridx;
-     txcq_descr.gen = vmxnet3_ring_curr_gen(&s->txq_descr[qidx].comp_ring);
- 

0015-net-pcnet-check-rx-tx-descriptor-ring-length.patch

@@ -1,34 +0,0 @@
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Fri, 30 Sep 2016 00:27:33 +0530
-Subject: [PATCH] net: pcnet: check rx/tx descriptor ring length
-
-The AMD PC-Net II emulator has set of control and status(CSR)
-registers. Of these, CSR76 and CSR78 hold receive and transmit
-descriptor ring length respectively. This ring length could range
-from 1 to 65535. Setting ring length to zero leads to an infinite
-loop in pcnet_rdra_addr() or pcnet_transmit(). Add check to avoid it.
-
-Reported-by: Li Qiang <liqiang6-s@360.cn>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Signed-off-by: Jason Wang <jasowang@redhat.com>
-(cherry picked from commit 34e29ce754c02bb6b3bdd244fbb85033460feaff)
----
- hw/net/pcnet.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
-index 198a01f..3078de8 100644
---- a/hw/net/pcnet.c
-+++ b/hw/net/pcnet.c
-@@ -1429,8 +1429,11 @@ static void pcnet_csr_writew(PCNetState *s, uint32_t rap, uint32_t new_value)
-     case 47: /* POLLINT */
-     case 72:
-     case 74:
-+        break;
-     case 76: /* RCVRL */
-     case 78: /* XMTRL */
-+        val = (val > 0) ? val : 512;
-+        break;
-     case 112:
-        if (CSR_STOP(s) || CSR_SPND(s))
-            break;

0016-virtio-gpu-fix-memory-leak-in-virtio_gpu_resource_cr.patch

@@ -1,32 +0,0 @@
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Sun, 18 Sep 2016 19:07:11 -0700
-Subject: [PATCH] virtio-gpu: fix memory leak in virtio_gpu_resource_create_2d
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-In virtio gpu resource create dispatch, if the pixman format is zero
-it doesn't free the resource object allocated previously. Thus leading
-a host memory leak issue. This patch avoid this.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Message-id: 57df486e.8379240a.c3620.ff81@mx.google.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-(cherry picked from commit cb3a0522b694cc5bb6424497b3f828ccd28fd1dd)
----
- hw/display/virtio-gpu.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
-index c181fb3..d345276 100644
---- a/hw/display/virtio-gpu.c
-+++ b/hw/display/virtio-gpu.c
-@@ -323,6 +323,7 @@ static void virtio_gpu_resource_create_2d(VirtIOGPU *g,
-         qemu_log_mask(LOG_GUEST_ERROR,
-                       "%s: host couldn't handle guest format %d\n",
-                       __func__, c2d.format);
-+        g_free(res);
-         cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER;
-         return;
-     }

0017-9pfs-fix-potential-host-memory-leak-in-v9fs_read.patch

@@ -1,36 +0,0 @@
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Mon, 17 Oct 2016 14:13:58 +0200
-Subject: [PATCH] 9pfs: fix potential host memory leak in v9fs_read
-
-In 9pfs read dispatch function, it doesn't free two QEMUIOVector
-object thus causing potential memory leak. This patch avoid this.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-Signed-off-by: Greg Kurz <groug@kaod.org>
-(cherry picked from commit e95c9a493a5a8d6f969e86c9f19f80ffe6587e19)
----
- hw/9pfs/9p.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
-index d47f5de..afb1c4e 100644
---- a/hw/9pfs/9p.c
-+++ b/hw/9pfs/9p.c
-@@ -1807,14 +1807,15 @@ static void v9fs_read(void *opaque)
-             if (len < 0) {
-                 /* IO error return the error */
-                 err = len;
--                goto out;
-+                goto out_free_iovec;
-             }
-         } while (count < max_count && len > 0);
-         err = pdu_marshal(pdu, offset, "d", count);
-         if (err < 0) {
--            goto out;
-+            goto out_free_iovec;
-         }
-         err += offset + count;
-+out_free_iovec:
-         qemu_iovec_destroy(&qiov);
-         qemu_iovec_destroy(&qiov_full);
-     } else if (fidp->fid_type == P9_FID_XATTR) {

0018-9pfs-allocate-space-for-guest-originated-empty-strin.patch

@@ -1,56 +0,0 @@
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Mon, 17 Oct 2016 14:13:58 +0200
-Subject: [PATCH] 9pfs: allocate space for guest originated empty strings
-
-If a guest sends an empty string paramater to any 9P operation, the current
-code unmarshals it into a V9fsString equal to { .size = 0, .data = NULL }.
-
-This is unfortunate because it can cause NULL pointer dereference to happen
-at various locations in the 9pfs code. And we don't want to check str->data
-everywhere we pass it to strcmp() or any other function which expects a
-dereferenceable pointer.
-
-This patch enforces the allocation of genuine C empty strings instead, so
-callers don't have to bother.
-
-Out of all v9fs_iov_vunmarshal() users, only v9fs_xattrwalk() checks if
-the returned string is empty. It now uses v9fs_string_size() since
-name.data cannot be NULL anymore.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-[groug, rewritten title and changelog,
- fix empty string check in v9fs_xattrwalk()]
-Signed-off-by: Greg Kurz <groug@kaod.org>
-
-(cherry picked from commit ba42ebb863ab7d40adc79298422ed9596df8f73a)
----
- fsdev/9p-iov-marshal.c | 2 +-
- hw/9pfs/9p.c           | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/fsdev/9p-iov-marshal.c b/fsdev/9p-iov-marshal.c
-index fb40bdf..741e4d9 100644
---- a/fsdev/9p-iov-marshal.c
-+++ b/fsdev/9p-iov-marshal.c
-@@ -127,7 +127,7 @@ ssize_t v9fs_iov_vunmarshal(struct iovec *out_sg, int out_num, size_t offset,
-                 str->data = g_malloc(str->size + 1);
-                 copied = v9fs_unpack(str->data, out_sg, out_num, offset,
-                                      str->size);
--                if (copied > 0) {
-+                if (copied >= 0) {
-                     str->data[str->size] = 0;
-                 } else {
-                     v9fs_string_free(str);
-diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
-index afb1c4e..856544d 100644
---- a/hw/9pfs/9p.c
-+++ b/hw/9pfs/9p.c
-@@ -3151,7 +3151,7 @@ static void v9fs_xattrwalk(void *opaque)
-         goto out;
-     }
-     v9fs_path_copy(&xattr_fidp->path, &file_fidp->path);
--    if (name.data == NULL) {
-+    if (!v9fs_string_size(&name)) {
-         /*
-          * listxattr request. Get the size first
-          */

0019-net-rocker-set-limit-to-DMA-buffer-size.patch

@@ -1,33 +0,0 @@
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Wed, 12 Oct 2016 14:40:55 +0530
-Subject: [PATCH] net: rocker: set limit to DMA buffer size
-
-Rocker network switch emulator has test registers to help debug
-DMA operations. While testing host DMA access, a buffer address
-is written to register 'TEST_DMA_ADDR' and its size is written to
-register 'TEST_DMA_SIZE'. When performing TEST_DMA_CTRL_INVERT
-test, if DMA buffer size was greater than 'INT_MAX', it leads to
-an invalid buffer access. Limit the DMA buffer size to avoid it.
-
-Reported-by: Huawei PSIRT <psirt@huawei.com>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Reviewed-by: Jiri Pirko <jiri@mellanox.com>
-Signed-off-by: Jason Wang <jasowang@redhat.com>
-(cherry picked from commit 8caed3d564672e8bc6d2e4c6a35228afd01f4723)
----
- hw/net/rocker/rocker.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/net/rocker/rocker.c b/hw/net/rocker/rocker.c
-index 30f2ce4..e9d215a 100644
---- a/hw/net/rocker/rocker.c
-+++ b/hw/net/rocker/rocker.c
-@@ -860,7 +860,7 @@ static void rocker_io_writel(void *opaque, hwaddr addr, uint32_t val)
-         rocker_msix_irq(r, val);
-         break;
-     case ROCKER_TEST_DMA_SIZE:
--        r->test_dma_size = val;
-+        r->test_dma_size = val & 0xFFFF;
-         break;
-     case ROCKER_TEST_DMA_ADDR + 4:
-         r->test_dma_addr = ((uint64_t)val) << 32 | r->lower32;

0020-char-serial-check-divider-value-against-baud-base.patch

@@ -1,34 +0,0 @@
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Wed, 12 Oct 2016 11:28:08 +0530
-Subject: [PATCH] char: serial: check divider value against baud base
-
-16550A UART device uses an oscillator to generate frequencies
-(baud base), which decide communication speed. This speed could
-be changed by dividing it by a divider. If the divider is
-greater than the baud base, speed is set to zero, leading to a
-divide by zero error. Add check to avoid it.
-
-Reported-by: Huawei PSIRT <psirt@huawei.com>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Message-Id: <1476251888-20238-1-git-send-email-ppandit@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit 3592fe0c919cf27a81d8e9f9b4f269553418bb01)
----
- hw/char/serial.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/hw/char/serial.c b/hw/char/serial.c
-index 6d815b5..3998131 100644
---- a/hw/char/serial.c
-+++ b/hw/char/serial.c
-@@ -152,8 +152,9 @@ static void serial_update_parameters(SerialState *s)
-     int speed, parity, data_bits, stop_bits, frame_size;
-     QEMUSerialSetParams ssp;
- 
--    if (s->divider == 0)
-+    if (s->divider == 0 || s->divider > s->baudbase) {
-         return;
-+    }
- 
-     /* Start bit. */
-     frame_size = 1;

0021-net-rtl8139-limit-processing-of-ring-descriptors.patch

@@ -1,31 +0,0 @@
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Fri, 21 Oct 2016 17:39:29 +0530
-Subject: [PATCH] net: rtl8139: limit processing of ring descriptors
-
-RTL8139 ethernet controller in C+ mode supports multiple
-descriptor rings, each with maximum of 64 descriptors. While
-processing transmit descriptor ring in 'rtl8139_cplus_transmit',
-it does not limit the descriptor count and runs forever. Add
-check to avoid it.
-
-Reported-by: Andrew Henderson <hendersa@icculus.org>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Signed-off-by: Jason Wang <jasowang@redhat.com>
-(cherry picked from commit c7c35916692fe010fef25ac338443d3fe40be225)
----
- hw/net/rtl8139.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
-index 1e5ec14..138fa62 100644
---- a/hw/net/rtl8139.c
-+++ b/hw/net/rtl8139.c
-@@ -2379,7 +2379,7 @@ static void rtl8139_cplus_transmit(RTL8139State *s)
- {
-     int txcount = 0;
- 
--    while (rtl8139_cplus_transmit_one(s))
-+    while (txcount < 64 && rtl8139_cplus_transmit_one(s))
-     {
-         ++txcount;
-     }

0022-audio-intel-hda-check-stream-entry-count-during-tran.patch

@@ -1,35 +0,0 @@
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Thu, 20 Oct 2016 13:10:24 +0530
-Subject: [PATCH] audio: intel-hda: check stream entry count during transfer
-
-Intel HDA emulator uses stream of buffers during DMA data
-transfers. Each entry has buffer length and buffer pointer
-position, which are used to derive bytes to 'copy'. If this
-length and buffer pointer were to be same, 'copy' could be
-set to zero(0), leading to an infinite loop. Add check to
-avoid it.
-
-Reported-by: Huawei PSIRT <psirt@huawei.com>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
-Message-id: 1476949224-6865-1-git-send-email-ppandit@redhat.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-(cherry picked from commit 0c0fc2b5fd534786051889459848764edd798050)
----
- hw/audio/intel-hda.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c
-index d372d4a..cd3b03c 100644
---- a/hw/audio/intel-hda.c
-+++ b/hw/audio/intel-hda.c
-@@ -415,7 +415,8 @@ static bool intel_hda_xfer(HDACodecDevice *dev, uint32_t stnr, bool output,
-     }
- 
-     left = len;
--    while (left > 0) {
-+    s = st->bentries;
-+    while (left > 0 && s-- > 0) {
-         copy = left;
-         if (copy > st->bsize - st->lpib)
-             copy = st->bsize - st->lpib;

0023-timer-a9gtimer-remove-loop-to-auto-increment-compara.patch

@@ -1,48 +0,0 @@
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Mon, 24 Oct 2016 16:26:54 +0100
-Subject: [PATCH] timer: a9gtimer: remove loop to auto-increment comparator
-
-ARM A9MP processor has a peripheral timer with an auto-increment
-register, which holds an increment step value. A user could set
-this value to zero. When auto-increment control bit is enabled,
-it leads to an infinite loop in 'a9_gtimer_update' while
-updating comparator value. Remove this loop incrementing the
-comparator value.
-
-Reported-by: Li Qiang <liqiang6-s@360.cn>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Message-id: 1476733226-11635-1-git-send-email-ppandit@redhat.com
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-(cherry picked from commit 6be8f5e2626e102433e569d9cece2120baf0c879)
----
- hw/timer/a9gtimer.c | 14 +++++++-------
- 1 file changed, 7 insertions(+), 7 deletions(-)
-
-diff --git a/hw/timer/a9gtimer.c b/hw/timer/a9gtimer.c
-index 772f85f..ce1dc63 100644
---- a/hw/timer/a9gtimer.c
-+++ b/hw/timer/a9gtimer.c
-@@ -82,15 +82,15 @@ static void a9_gtimer_update(A9GTimerState *s, bool sync)
-         if ((s->control & R_CONTROL_TIMER_ENABLE) &&
-                 (gtb->control & R_CONTROL_COMP_ENABLE)) {
-             /* R2p0+, where the compare function is >= */
--            while (gtb->compare < update.new) {
-+            if (gtb->compare < update.new) {
-                 DB_PRINT("Compare event happened for CPU %d\n", i);
-                 gtb->status = 1;
--                if (gtb->control & R_CONTROL_AUTO_INCREMENT) {
--                    DB_PRINT("Auto incrementing timer compare by %" PRId32 "\n",
--                             gtb->inc);
--                    gtb->compare += gtb->inc;
--                } else {
--                    break;
-+                if (gtb->control & R_CONTROL_AUTO_INCREMENT && gtb->inc) {
-+                    uint64_t inc =
-+                        QEMU_ALIGN_UP(update.new - gtb->compare, gtb->inc);
-+                    DB_PRINT("Auto incrementing timer compare by %"
-+                                                        PRId64 "\n", inc);
-+                    gtb->compare += inc;
-                 }
-             }
-             cdiff = (int64_t)gtb->compare - (int64_t)update.new + 1;

0024-net-eepro100-fix-memory-leak-in-device-uninit.patch

@@ -1,27 +0,0 @@
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Sat, 8 Oct 2016 05:07:25 -0700
-Subject: [PATCH] net: eepro100: fix memory leak in device uninit
-
-The exit dispatch of eepro100 network card device doesn't free
-the 's->vmstate' field which was allocated in device realize thus
-leading a host memory leak. This patch avoid this.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-Signed-off-by: Jason Wang <jasowang@redhat.com>
-(cherry picked from commit 2634ab7fe29b3f75d0865b719caf8f310d634aae)
----
- hw/net/eepro100.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/hw/net/eepro100.c b/hw/net/eepro100.c
-index 9b4b9b5..c39fd19 100644
---- a/hw/net/eepro100.c
-+++ b/hw/net/eepro100.c
-@@ -1843,6 +1843,7 @@ static void pci_nic_uninit(PCIDevice *pci_dev)
-     EEPRO100State *s = DO_UPCAST(EEPRO100State, dev, pci_dev);
- 
-     vmstate_unregister(&pci_dev->qdev, s->vmstate, s);
-+    g_free(s->vmstate);
-     eeprom93xx_free(&pci_dev->qdev, s->eeprom);
-     qemu_del_nic(s->nic);
- }

0025-9pfs-fix-information-leak-in-xattr-read.patch

@@ -1,29 +0,0 @@
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Mon, 17 Oct 2016 14:13:58 +0200
-Subject: [PATCH] 9pfs: fix information leak in xattr read
-
-9pfs uses g_malloc() to allocate the xattr memory space, if the guest
-reads this memory before writing to it, this will leak host heap memory
-to the guest. This patch avoid this.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-Reviewed-by: Greg Kurz <groug@kaod.org>
-Signed-off-by: Greg Kurz <groug@kaod.org>
-(cherry picked from commit eb687602853b4ae656e9236ee4222609f3a6887d)
----
- hw/9pfs/9p.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
-index 856544d..0735246 100644
---- a/hw/9pfs/9p.c
-+++ b/hw/9pfs/9p.c
-@@ -3259,7 +3259,7 @@ static void v9fs_xattrcreate(void *opaque)
-     xattr_fidp->fs.xattr.flags = flags;
-     v9fs_string_init(&xattr_fidp->fs.xattr.name);
-     v9fs_string_copy(&xattr_fidp->fs.xattr.name, &name);
--    xattr_fidp->fs.xattr.value = g_malloc(size);
-+    xattr_fidp->fs.xattr.value = g_malloc0(size);
-     err = offset;
-     put_fid(pdu, file_fidp);
- out_nofid:

0026-9pfs-fix-memory-leak-in-v9fs_xattrcreate.patch

@@ -1,32 +0,0 @@
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Mon, 17 Oct 2016 14:13:58 +0200
-Subject: [PATCH] 9pfs: fix memory leak in v9fs_xattrcreate
-
-The 'fs.xattr.value' field in V9fsFidState object doesn't consider the
-situation that this field has been allocated previously. Every time, it
-will be allocated directly. This leads to a host memory leak issue if
-the client sends another Txattrcreate message with the same fid number
-before the fid from the previous time got clunked.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-Reviewed-by: Greg Kurz <groug@kaod.org>
-[groug, updated the changelog to indicate how the leak can occur]
-Signed-off-by: Greg Kurz <groug@kaod.org>
-
-(cherry picked from commit ff55e94d23ae94c8628b0115320157c763eb3e06)
----
- hw/9pfs/9p.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
-index 0735246..54e5ed4 100644
---- a/hw/9pfs/9p.c
-+++ b/hw/9pfs/9p.c
-@@ -3259,6 +3259,7 @@ static void v9fs_xattrcreate(void *opaque)
-     xattr_fidp->fs.xattr.flags = flags;
-     v9fs_string_init(&xattr_fidp->fs.xattr.name);
-     v9fs_string_copy(&xattr_fidp->fs.xattr.name, &name);
-+    g_free(xattr_fidp->fs.xattr.value);
-     xattr_fidp->fs.xattr.value = g_malloc0(size);
-     err = offset;
-     put_fid(pdu, file_fidp);

0027-9pfs-add-xattrwalk_fid-field-in-V9fsXattr-struct.patch

@@ -1,70 +0,0 @@
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Tue, 1 Nov 2016 12:00:40 +0100
-Subject: [PATCH] 9pfs: add xattrwalk_fid field in V9fsXattr struct
-
-Currently, 9pfs sets the 'copied_len' field in V9fsXattr
-to -1 to tag xattr walk fid. As the 'copied_len' is also
-used to account for copied bytes, this may make confusion. This patch
-add a bool 'xattrwalk_fid' to tag the xattr walk fid.
-
-Suggested-by: Greg Kurz <groug@kaod.org>
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-Reviewed-by: Greg Kurz <groug@kaod.org>
-Signed-off-by: Greg Kurz <groug@kaod.org>
-(cherry picked from commit dd28fbbc2edc0822965d402d927ce646326d6954)
----
- hw/9pfs/9p.c | 7 ++++---
- hw/9pfs/9p.h | 1 +
- 2 files changed, 5 insertions(+), 3 deletions(-)
-
-diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
-index 54e5ed4..22690f2 100644
---- a/hw/9pfs/9p.c
-+++ b/hw/9pfs/9p.c
-@@ -308,7 +308,7 @@ static int v9fs_xattr_fid_clunk(V9fsPDU *pdu, V9fsFidState *fidp)
- {
-     int retval = 0;
- 
--    if (fidp->fs.xattr.copied_len == -1) {
-+    if (fidp->fs.xattr.xattrwalk_fid) {
-         /* getxattr/listxattr fid */
-         goto free_value;
-     }
-@@ -3166,7 +3166,7 @@ static void v9fs_xattrwalk(void *opaque)
-          */
-         xattr_fidp->fs.xattr.len = size;
-         xattr_fidp->fid_type = P9_FID_XATTR;
--        xattr_fidp->fs.xattr.copied_len = -1;
-+        xattr_fidp->fs.xattr.xattrwalk_fid = true;
-         if (size) {
-             xattr_fidp->fs.xattr.value = g_malloc(size);
-             err = v9fs_co_llistxattr(pdu, &xattr_fidp->path,
-@@ -3199,7 +3199,7 @@ static void v9fs_xattrwalk(void *opaque)
-          */
-         xattr_fidp->fs.xattr.len = size;
-         xattr_fidp->fid_type = P9_FID_XATTR;
--        xattr_fidp->fs.xattr.copied_len = -1;
-+        xattr_fidp->fs.xattr.xattrwalk_fid = true;
-         if (size) {
-             xattr_fidp->fs.xattr.value = g_malloc(size);
-             err = v9fs_co_lgetxattr(pdu, &xattr_fidp->path,
-@@ -3255,6 +3255,7 @@ static void v9fs_xattrcreate(void *opaque)
-     xattr_fidp = file_fidp;
-     xattr_fidp->fid_type = P9_FID_XATTR;
-     xattr_fidp->fs.xattr.copied_len = 0;
-+    xattr_fidp->fs.xattr.xattrwalk_fid = false;
-     xattr_fidp->fs.xattr.len = size;
-     xattr_fidp->fs.xattr.flags = flags;
-     v9fs_string_init(&xattr_fidp->fs.xattr.name);
-diff --git a/hw/9pfs/9p.h b/hw/9pfs/9p.h
-index 589b3a5..5750d67 100644
---- a/hw/9pfs/9p.h
-+++ b/hw/9pfs/9p.h
-@@ -167,6 +167,7 @@ typedef struct V9fsXattr
-     void *value;
-     V9fsString name;
-     int flags;
-+    bool xattrwalk_fid;
- } V9fsXattr;
- 
- /*

0028-9pfs-convert-len-copied_len-field-in-V9fsXattr-to-th.patch

@@ -1,44 +0,0 @@
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Tue, 1 Nov 2016 12:00:40 +0100
-Subject: [PATCH] 9pfs: convert 'len/copied_len' field in V9fsXattr to the type
- of uint64_t
-
-The 'len' in V9fsXattr comes from the 'size' argument in setxattr()
-function in guest. The setxattr() function's declaration is this:
-
-int setxattr(const char *path, const char *name,
-             const void *value, size_t size, int flags);
-
-and 'size' is treated as u64 in linux kernel client code:
-
-int p9_client_xattrcreate(struct p9_fid *fid, const char *name,
-                          u64 attr_size, int flags)
-
-So the 'len' should have an type of 'uint64_t'.
-The 'copied_len' in V9fsXattr is used to account for copied bytes, it
-should also have an type of 'uint64_t'.
-
-Suggested-by: Greg Kurz <groug@kaod.org>
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-Reviewed-by: Greg Kurz <groug@kaod.org>
-Signed-off-by: Greg Kurz <groug@kaod.org>
-(cherry picked from commit 8495f9ad26d398f01e208a53f1a5152483a16084)
----
- hw/9pfs/9p.h | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/hw/9pfs/9p.h b/hw/9pfs/9p.h
-index 5750d67..4e3bc52 100644
---- a/hw/9pfs/9p.h
-+++ b/hw/9pfs/9p.h
-@@ -162,8 +162,8 @@ typedef struct V9fsConf
- 
- typedef struct V9fsXattr
- {
--    int64_t copied_len;
--    int64_t len;
-+    uint64_t copied_len;
-+    uint64_t len;
-     void *value;
-     V9fsString name;
-     int flags;

0029-9pfs-fix-integer-overflow-issue-in-xattr-read-write.patch

@@ -1,89 +0,0 @@
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Tue, 1 Nov 2016 12:00:40 +0100
-Subject: [PATCH] 9pfs: fix integer overflow issue in xattr read/write
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The v9fs_xattr_read() and v9fs_xattr_write() are passed a guest
-originated offset: they must ensure this offset does not go beyond
-the size of the extended attribute that was set in v9fs_xattrcreate().
-Unfortunately, the current code implement these checks with unsafe
-calculations on 32 and 64 bit values, which may allow a malicious
-guest to cause OOB access anyway.
-
-Fix this by comparing the offset and the xattr size, which are
-both uint64_t, before trying to compute the effective number of bytes
-to read or write.
-
-Suggested-by: Greg Kurz <groug@kaod.org>
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-Reviewed-by: Greg Kurz <groug@kaod.org>
-Reviewed-By: Guido Günther <agx@sigxcpu.org>
-Signed-off-by: Greg Kurz <groug@kaod.org>
-(cherry picked from commit 7e55d65c56a03dcd2c5d7c49d37c5a74b55d4bd6)
----
- hw/9pfs/9p.c | 32 ++++++++++++--------------------
- 1 file changed, 12 insertions(+), 20 deletions(-)
-
-diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
-index 22690f2..5126459 100644
---- a/hw/9pfs/9p.c
-+++ b/hw/9pfs/9p.c
-@@ -1627,20 +1627,17 @@ static int v9fs_xattr_read(V9fsState *s, V9fsPDU *pdu, V9fsFidState *fidp,
- {
-     ssize_t err;
-     size_t offset = 7;
--    int read_count;
--    int64_t xattr_len;
-+    uint64_t read_count;
-     V9fsVirtioState *v = container_of(s, V9fsVirtioState, state);
-     VirtQueueElement *elem = v->elems[pdu->idx];
- 
--    xattr_len = fidp->fs.xattr.len;
--    read_count = xattr_len - off;
-+    if (fidp->fs.xattr.len < off) {
-+        read_count = 0;
-+    } else {
-+        read_count = fidp->fs.xattr.len - off;
-+    }
-     if (read_count > max_count) {
-         read_count = max_count;
--    } else if (read_count < 0) {
--        /*
--         * read beyond XATTR value
--         */
--        read_count = 0;
-     }
-     err = pdu_marshal(pdu, offset, "d", read_count);
-     if (err < 0) {
-@@ -1959,23 +1956,18 @@ static int v9fs_xattr_write(V9fsState *s, V9fsPDU *pdu, V9fsFidState *fidp,
- {
-     int i, to_copy;
-     ssize_t err = 0;
--    int write_count;
--    int64_t xattr_len;
-+    uint64_t write_count;
-     size_t offset = 7;
- 
- 
--    xattr_len = fidp->fs.xattr.len;
--    write_count = xattr_len - off;
--    if (write_count > count) {
--        write_count = count;
--    } else if (write_count < 0) {
--        /*
--         * write beyond XATTR value len specified in
--         * xattrcreate
--         */
-+    if (fidp->fs.xattr.len < off) {
-         err = -ENOSPC;
-         goto out;
-     }
-+    write_count = fidp->fs.xattr.len - off;
-+    if (write_count > count) {
-+        write_count = count;
-+    }
-     err = pdu_marshal(pdu, offset, "d", write_count);
-     if (err < 0) {
-         return err;

0030-9pfs-fix-memory-leak-in-v9fs_link.patch

@@ -1,30 +0,0 @@
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Mon, 17 Oct 2016 14:13:58 +0200
-Subject: [PATCH] 9pfs: fix memory leak in v9fs_link
-
-The v9fs_link() function keeps a reference on the source fid object. This
-causes a memory leak since the reference never goes down to 0. This patch
-fixes the issue.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-Reviewed-by: Greg Kurz <groug@kaod.org>
-[groug, rephrased the changelog]
-Signed-off-by: Greg Kurz <groug@kaod.org>
-
-(cherry picked from commit 4c1586787ff43c9acd18a56c12d720e3e6be9f7c)
----
- hw/9pfs/9p.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
-index 5126459..0de545b 100644
---- a/hw/9pfs/9p.c
-+++ b/hw/9pfs/9p.c
-@@ -2385,6 +2385,7 @@ static void v9fs_link(void *opaque)
-     if (!err) {
-         err = offset;
-     }
-+    put_fid(pdu, oldfidp);
- out:
-     put_fid(pdu, dfidp);
- out_nofid:

0031-9pfs-fix-memory-leak-in-v9fs_write.patch

@@ -1,31 +0,0 @@
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Mon, 17 Oct 2016 14:13:58 +0200
-Subject: [PATCH] 9pfs: fix memory leak in v9fs_write
-
-If an error occurs when marshalling the transfer length to the guest, the
-v9fs_write() function doesn't free an IO vector, thus leading to a memory
-leak. This patch fixes the issue.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-Reviewed-by: Greg Kurz <groug@kaod.org>
-[groug, rephrased the changelog]
-Signed-off-by: Greg Kurz <groug@kaod.org>
-
-(cherry picked from commit fdfcc9aeea1492f4b819a24c94dfb678145b1bf9)
----
- hw/9pfs/9p.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
-index 0de545b..86f44db 100644
---- a/hw/9pfs/9p.c
-+++ b/hw/9pfs/9p.c
-@@ -2062,7 +2062,7 @@ static void v9fs_write(void *opaque)
-     offset = 7;
-     err = pdu_marshal(pdu, offset, "d", total);
-     if (err < 0) {
--        goto out;
-+        goto out_qiov;
-     }
-     err += offset;
-     trace_v9fs_write_return(pdu->tag, pdu->id, total, err);

0032-xen-fix-ioreq-handling.patch

@@ -1,71 +0,0 @@
-From: Jan Beulich <JBeulich@suse.com>
-Date: Tue, 22 Nov 2016 05:56:51 -0700
-Subject: [PATCH] xen: fix ioreq handling
-
-Avoid double fetches and bounds check size to avoid overflowing
-internal variables.
-
-This is CVE-2016-9381 / XSA-197.
-
-Reported-by: yanghongke <yanghongke@huawei.com>
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
-Signed-off-by: Stefano Stabellini <sstabellini@kernel.org>
-(cherry picked from commit b85f9dfdb156ae2a2a52f39a36e9f1f270614cd2)
----
- xen-hvm.c | 16 +++++++++++++++-
- 1 file changed, 15 insertions(+), 1 deletion(-)
-
-diff --git a/xen-hvm.c b/xen-hvm.c
-index 039680a..ba823c3 100644
---- a/xen-hvm.c
-+++ b/xen-hvm.c
-@@ -797,6 +797,10 @@ static void cpu_ioreq_pio(ioreq_t *req)
-     trace_cpu_ioreq_pio(req, req->dir, req->df, req->data_is_ptr, req->addr,
-                          req->data, req->count, req->size);
- 
-+    if (req->size > sizeof(uint32_t)) {
-+        hw_error("PIO: bad size (%u)", req->size);
-+    }
-+
-     if (req->dir == IOREQ_READ) {
-         if (!req->data_is_ptr) {
-             req->data = do_inp(req->addr, req->size);
-@@ -833,6 +837,10 @@ static void cpu_ioreq_move(ioreq_t *req)
-     trace_cpu_ioreq_move(req, req->dir, req->df, req->data_is_ptr, req->addr,
-                          req->data, req->count, req->size);
- 
-+    if (req->size > sizeof(req->data)) {
-+        hw_error("MMIO: bad size (%u)", req->size);
-+    }
-+
-     if (!req->data_is_ptr) {
-         if (req->dir == IOREQ_READ) {
-             for (i = 0; i < req->count; i++) {
-@@ -997,11 +1005,13 @@ static int handle_buffered_iopage(XenIOState *state)
-         req.df = 1;
-         req.type = buf_req->type;
-         req.data_is_ptr = 0;
-+        xen_rmb();
-         qw = (req.size == 8);
-         if (qw) {
-             buf_req = &buf_page->buf_ioreq[(rdptr + 1) %
-                                            IOREQ_BUFFER_SLOT_NUM];
-             req.data |= ((uint64_t)buf_req->data) << 32;
-+            xen_rmb();
-         }
- 
-         handle_ioreq(state, &req);
-@@ -1032,7 +1042,11 @@ static void cpu_handle_ioreq(void *opaque)
- 
-     handle_buffered_iopage(state);
-     if (req) {
--        handle_ioreq(state, req);
-+        ioreq_t copy = *req;
-+
-+        xen_rmb();
-+        handle_ioreq(state, &copy);
-+        req->data = copy.data;
- 
-         if (req->state != STATE_IOREQ_INPROCESS) {
-             fprintf(stderr, "Badness in I/O request ... not in service?!: "

0033-display-cirrus-check-vga-bits-per-pixel-bpp-value.patch

@@ -1,73 +0,0 @@
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Tue, 18 Oct 2016 13:15:17 +0530
-Subject: [PATCH] display: cirrus: check vga bits per pixel(bpp) value
-
-In Cirrus CLGD 54xx VGA Emulator, if cirrus graphics mode is VGA,
-'cirrus_get_bpp' returns zero(0), which could lead to a divide
-by zero error in while copying pixel data. The same could occur
-via blit pitch values. Add check to avoid it.
-
-Reported-by: Huawei PSIRT <psirt@huawei.com>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Message-id: 1476776717-24807-1-git-send-email-ppandit@redhat.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-(cherry picked from commit 4299b90e9ba9ce5ca9024572804ba751aa1a7e70)
----
- hw/display/cirrus_vga.c | 14 ++++++++++----
- 1 file changed, 10 insertions(+), 4 deletions(-)
-
-diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
-index 3d712d5..bdb092e 100644
---- a/hw/display/cirrus_vga.c
-+++ b/hw/display/cirrus_vga.c
-@@ -272,6 +272,9 @@ static void cirrus_update_memory_access(CirrusVGAState *s);
- static bool blit_region_is_unsafe(struct CirrusVGAState *s,
-                                   int32_t pitch, int32_t addr)
- {
-+    if (!pitch) {
-+        return true;
-+    }
-     if (pitch < 0) {
-         int64_t min = addr
-             + ((int64_t)s->cirrus_blt_height-1) * pitch;
-@@ -715,7 +718,7 @@ static int cirrus_bitblt_videotovideo_patterncopy(CirrusVGAState * s)
-                                             s->cirrus_addr_mask));
- }
- 
--static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
-+static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
- {
-     int sx = 0, sy = 0;
-     int dx = 0, dy = 0;
-@@ -729,6 +732,9 @@ static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
-         int width, height;
- 
-         depth = s->vga.get_bpp(&s->vga) / 8;
-+        if (!depth) {
-+            return 0;
-+        }
-         s->vga.get_resolution(&s->vga, &width, &height);
- 
-         /* extra x, y */
-@@ -783,6 +789,8 @@ static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
-     cirrus_invalidate_region(s, s->cirrus_blt_dstaddr,
- 				s->cirrus_blt_dstpitch, s->cirrus_blt_width,
- 				s->cirrus_blt_height);
-+
-+    return 1;
- }
- 
- static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
-@@ -790,11 +798,9 @@ static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
-     if (blit_is_unsafe(s))
-         return 0;
- 
--    cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr,
-+    return cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr,
-             s->cirrus_blt_srcaddr - s->vga.start_addr,
-             s->cirrus_blt_width, s->cirrus_blt_height);
--
--    return 1;
- }
- 
- /***************************************

0034-net-mcf-check-receive-buffer-size-register-value.patch

@@ -1,31 +0,0 @@
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Tue, 29 Nov 2016 00:38:39 +0530
-Subject: [PATCH] net: mcf: check receive buffer size register value
-
-ColdFire Fast Ethernet Controller uses a receive buffer size
-register(EMRBR) to hold maximum size of all receive buffers.
-It is set by a user before any operation. If it was set to be
-zero, ColdFire emulator would go into an infinite loop while
-receiving data in mcf_fec_receive. Add check to avoid it.
-
-Reported-by: Wjjzhang <wjjzhang@tencent.com>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Signed-off-by: Jason Wang <jasowang@redhat.com>
-(cherry picked from commit 77d54985b85a0cb760330ec2bd92505e0a2a97a9)
----
- hw/net/mcf_fec.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/net/mcf_fec.c b/hw/net/mcf_fec.c
-index 6d3418e..8a69fa2 100644
---- a/hw/net/mcf_fec.c
-+++ b/hw/net/mcf_fec.c
-@@ -393,7 +393,7 @@ static void mcf_fec_write(void *opaque, hwaddr addr,
-         s->tx_descriptor = s->etdsr;
-         break;
-     case 0x188:
--        s->emrbr = value & 0x7f0;
-+        s->emrbr = value > 0 ? value & 0x7F0 : 0x7F0;
-         break;
-     default:
-         hw_error("mcf_fec_write Bad address 0x%x\n", (int)addr);

0035-virtio-gpu-fix-information-leak-in-getting-capset-in.patch

@@ -1,34 +0,0 @@
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Tue, 1 Nov 2016 02:53:11 -0700
-Subject: [PATCH] virtio-gpu: fix information leak in getting capset info
- dispatch
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-In virgl_cmd_get_capset_info dispatch function, the 'resp' hasn't
-been full initialized before writing to the guest. This will leak
-the 'resp.padding' and 'resp.hdr.padding' fieds to the guest. This
-patch fix this issue.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-Message-id: 5818661e.0860240a.77264.7a56@mx.google.com
-Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-(cherry picked from commit 42a8dadc74f8982fc269e54e3c5627b54d9f83d8)
----
- hw/display/virtio-gpu-3d.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
-index fa19294..5878809 100644
---- a/hw/display/virtio-gpu-3d.c
-+++ b/hw/display/virtio-gpu-3d.c
-@@ -345,6 +345,7 @@ static void virgl_cmd_get_capset_info(VirtIOGPU *g,
- 
-     VIRTIO_GPU_FILL_CMD(info);
- 
-+    memset(&resp, 0, sizeof(resp));
-     if (info.capset_index == 0) {
-         resp.capset_id = VIRTIO_GPU_CAPSET_VIRGL;
-         virgl_renderer_get_cap_set(resp.capset_id,

0036-virtio-gpu-fix-memory-leak-in-update_cursor_data_vir.patch

@@ -1,33 +0,0 @@
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Tue, 1 Nov 2016 04:06:58 -0700
-Subject: [PATCH] virtio-gpu: fix memory leak in update_cursor_data_virgl
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-In update_cursor_data_virgl function, if the 'width'/ 'height'
-is not equal to current cursor's width/height it will return
-without free the 'data' allocated previously. This will lead
-a memory leak issue. This patch fix this issue.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-Message-id: 58187760.41d71c0a.cca75.4cb9@mx.google.com
-Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-(cherry picked from commit 2d1cd6c7a91a4beb99a0c3a21be529222a708545)
----
- hw/display/virtio-gpu.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
-index d345276..f41afc7 100644
---- a/hw/display/virtio-gpu.c
-+++ b/hw/display/virtio-gpu.c
-@@ -79,6 +79,7 @@ static void update_cursor_data_virgl(VirtIOGPU *g,
- 
-     if (width != s->current_cursor->width ||
-         height != s->current_cursor->height) {
-+        free(data);
-         return;
-     }
- 

0037-usbredir-free-vm_change_state_handler-in-usbredir-de.patch

@@ -1,51 +0,0 @@
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Mon, 7 Nov 2016 21:57:46 -0800
-Subject: [PATCH] usbredir: free vm_change_state_handler in usbredir destroy
- dispatch
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-In usbredir destroy dispatch function, it doesn't free the vm change
-state handler once registered in usbredir_realize function. This will
-lead a memory leak issue. This patch avoid this.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Message-id: 58216976.d0236b0a.77b99.bcd6@mx.google.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-(cherry picked from commit 07b026fd82d6cf11baf7d7c603c4f5f6070b35bf)
----
- hw/usb/redirect.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
-index 8d80540..136cacc 100644
---- a/hw/usb/redirect.c
-+++ b/hw/usb/redirect.c
-@@ -131,6 +131,7 @@ struct USBRedirDevice {
-     struct usbredirfilter_rule *filter_rules;
-     int filter_rules_count;
-     int compatible_speedmask;
-+    VMChangeStateEntry *vmstate;
- };
- 
- #define TYPE_USB_REDIR "usb-redir"
-@@ -1406,7 +1407,8 @@ static void usbredir_realize(USBDevice *udev, Error **errp)
-     qemu_chr_add_handlers(dev->cs, usbredir_chardev_can_read,
-                           usbredir_chardev_read, usbredir_chardev_event, dev);
- 
--    qemu_add_vm_change_state_handler(usbredir_vm_state_change, dev);
-+    dev->vmstate =
-+        qemu_add_vm_change_state_handler(usbredir_vm_state_change, dev);
- }
- 
- static void usbredir_cleanup_device_queues(USBRedirDevice *dev)
-@@ -1443,6 +1445,7 @@ static void usbredir_handle_destroy(USBDevice *udev)
-     }
- 
-     free(dev->filter_rules);
-+    qemu_del_vm_change_state_handler(dev->vmstate);
- }
- 
- static int usbredir_check_filter(USBRedirDevice *dev)

0038-usb-ehci-fix-memory-leak-in-ehci_init_transfer.patch

@@ -1,28 +0,0 @@
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Tue, 8 Nov 2016 04:11:10 -0800
-Subject: [PATCH] usb: ehci: fix memory leak in ehci_init_transfer
-
-In ehci_init_transfer function, if the 'cpage' is bigger than 4,
-it doesn't free the 'p->sgl' once allocated previously thus leading
-a memory leak issue. This patch avoid this.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-Message-id: 5821c0f4.091c6b0a.e0c92.e811@mx.google.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-(cherry picked from commit 791f97758e223de3290592d169f8e6339c281714)
----
- hw/usb/hcd-ehci.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
-index 92241bb..b8559e2 100644
---- a/hw/usb/hcd-ehci.c
-+++ b/hw/usb/hcd-ehci.c
-@@ -1190,6 +1190,7 @@ static int ehci_init_transfer(EHCIPacket *p)
-     while (bytes > 0) {
-         if (cpage > 4) {
-             fprintf(stderr, "cpage out of range (%d)\n", cpage);
-+            qemu_sglist_destroy(&p->sgl);
-             return -1;
-         }
- 

0039-9pfs-adjust-the-order-of-resource-cleanup-in-device-.patch

@@ -1,40 +0,0 @@
-From: Li Qiang <liq3ea@gmail.com>
-Date: Wed, 23 Nov 2016 13:53:34 +0100
-Subject: [PATCH] 9pfs: adjust the order of resource cleanup in device
- unrealize
-
-Unrealize should undo things that were set during realize in
-reverse order. So should do in the error path in realize.
-
-Signed-off-by: Li Qiang <liq3ea@gmail.com>
-Reviewed-by: Greg Kurz <groug@kaod.org>
-Signed-off-by: Greg Kurz <groug@kaod.org>
-(cherry picked from commit 4774718e5c194026ba5ee7a28d9be49be3080e42)
----
- hw/9pfs/9p.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
-index 86f44db..6979c58 100644
---- a/hw/9pfs/9p.c
-+++ b/hw/9pfs/9p.c
-@@ -3481,8 +3481,8 @@ int v9fs_device_realize_common(V9fsState *s, Error **errp)
-     rc = 0;
- out:
-     if (rc) {
--        g_free(s->ctx.fs_root);
-         g_free(s->tag);
-+        g_free(s->ctx.fs_root);
-         v9fs_path_free(&path);
-     }
-     return rc;
-@@ -3490,8 +3490,8 @@ out:
- 
- void v9fs_device_unrealize_common(V9fsState *s, Error **errp)
- {
--    g_free(s->ctx.fs_root);
-     g_free(s->tag);
-+    g_free(s->ctx.fs_root);
- }
- 
- static void __attribute__((__constructor__)) v9fs_set_fd_limit(void)

0040-9pfs-add-cleanup-operation-in-FileOperations.patch

@@ -1,53 +0,0 @@
-From: Li Qiang <liq3ea@gmail.com>
-Date: Wed, 23 Nov 2016 13:53:34 +0100
-Subject: [PATCH] 9pfs: add cleanup operation in FileOperations
-
-Currently, the backend of VirtFS doesn't have a cleanup
-function. This will lead resource leak issues if the backed
-driver allocates resources. This patch addresses this issue.
-
-Signed-off-by: Li Qiang <liq3ea@gmail.com>
-Reviewed-by: Greg Kurz <groug@kaod.org>
-Signed-off-by: Greg Kurz <groug@kaod.org>
-(cherry picked from commit 702dbcc274e2ca43be20ba64c758c0ca57dab91d)
----
- fsdev/file-op-9p.h | 1 +
- hw/9pfs/9p.c       | 6 ++++++
- 2 files changed, 7 insertions(+)
-
-diff --git a/fsdev/file-op-9p.h b/fsdev/file-op-9p.h
-index b8c2602..0681021 100644
---- a/fsdev/file-op-9p.h
-+++ b/fsdev/file-op-9p.h
-@@ -99,6 +99,7 @@ struct FileOperations
- {
-     int (*parse_opts)(QemuOpts *, struct FsDriverEntry *);
-     int (*init)(struct FsContext *);
-+    void (*cleanup)(struct FsContext *);
-     int (*lstat)(FsContext *, V9fsPath *, struct stat *);
-     ssize_t (*readlink)(FsContext *, V9fsPath *, char *, size_t);
-     int (*chmod)(FsContext *, V9fsPath *, FsCred *);
-diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
-index 6979c58..84be1c8 100644
---- a/hw/9pfs/9p.c
-+++ b/hw/9pfs/9p.c
-@@ -3481,6 +3481,9 @@ int v9fs_device_realize_common(V9fsState *s, Error **errp)
-     rc = 0;
- out:
-     if (rc) {
-+        if (s->ops->cleanup && s->ctx.private) {
-+            s->ops->cleanup(&s->ctx);
-+        }
-         g_free(s->tag);
-         g_free(s->ctx.fs_root);
-         v9fs_path_free(&path);
-@@ -3490,6 +3493,9 @@ out:
- 
- void v9fs_device_unrealize_common(V9fsState *s, Error **errp)
- {
-+    if (s->ops->cleanup) {
-+        s->ops->cleanup(&s->ctx);
-+    }
-     g_free(s->tag);
-     g_free(s->ctx.fs_root);
- }

0041-9pfs-add-cleanup-operation-for-handle-backend-driver.patch

@@ -1,44 +0,0 @@
-From: Li Qiang <liq3ea@gmail.com>
-Date: Wed, 23 Nov 2016 13:53:34 +0100
-Subject: [PATCH] 9pfs: add cleanup operation for handle backend driver
-
-In the init operation of handle backend dirver, it allocates a
-handle_data struct and opens a mount file. We should free these
-resources when the 9pfs device is unrealized. This is what this
-patch does.
-
-Signed-off-by: Li Qiang <liq3ea@gmail.com>
-Reviewed-by: Greg Kurz <groug@kaod.org>
-Signed-off-by: Greg Kurz <groug@kaod.org>
-(cherry picked from commit 971f406b77a6eb84e0ad27dcc416b663765aee30)
----
- hw/9pfs/9p-handle.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/hw/9pfs/9p-handle.c b/hw/9pfs/9p-handle.c
-index 8940414..6ce923d 100644
---- a/hw/9pfs/9p-handle.c
-+++ b/hw/9pfs/9p-handle.c
-@@ -651,6 +651,14 @@ out:
-     return ret;
- }
- 
-+static void handle_cleanup(FsContext *ctx)
-+{
-+    struct handle_data *data = ctx->private;
-+
-+    close(data->mountfd);
-+    g_free(data);
-+}
-+
- static int handle_parse_opts(QemuOpts *opts, struct FsDriverEntry *fse)
- {
-     const char *sec_model = qemu_opt_get(opts, "security_model");
-@@ -673,6 +681,7 @@ static int handle_parse_opts(QemuOpts *opts, struct FsDriverEntry *fse)
- FileOperations handle_ops = {
-     .parse_opts   = handle_parse_opts,
-     .init         = handle_init,
-+    .cleanup      = handle_cleanup,
-     .lstat        = handle_lstat,
-     .readlink     = handle_readlink,
-     .close        = handle_close,

0042-9pfs-add-cleanup-operation-for-proxy-backend-driver.patch

@@ -1,44 +0,0 @@
-From: Li Qiang <liq3ea@gmail.com>
-Date: Wed, 23 Nov 2016 13:53:34 +0100
-Subject: [PATCH] 9pfs: add cleanup operation for proxy backend driver
-
-In the init operation of proxy backend dirver, it allocates a
-V9fsProxy struct and some other resources. We should free these
-resources when the 9pfs device is unrealized. This is what this
-patch does.
-
-Signed-off-by: Li Qiang <liq3ea@gmail.com>
-Reviewed-by: Greg Kurz <groug@kaod.org>
-Signed-off-by: Greg Kurz <groug@kaod.org>
-(cherry picked from commit 898ae90a44551d25b8e956fd87372d303c82fe68)
----
- hw/9pfs/9p-proxy.c | 13 +++++++++++++
- 1 file changed, 13 insertions(+)
-
-diff --git a/hw/9pfs/9p-proxy.c b/hw/9pfs/9p-proxy.c
-index 00a4eb2..7c6aaf3 100644
---- a/hw/9pfs/9p-proxy.c
-+++ b/hw/9pfs/9p-proxy.c
-@@ -1181,9 +1181,22 @@ static int proxy_init(FsContext *ctx)
-     return 0;
- }
- 
-+static void proxy_cleanup(FsContext *ctx)
-+{
-+    V9fsProxy *proxy = ctx->private;
-+
-+    g_free(proxy->out_iovec.iov_base);
-+    g_free(proxy->in_iovec.iov_base);
-+    if (ctx->export_flags & V9FS_PROXY_SOCK_NAME) {
-+        close(proxy->sockfd);
-+    }
-+    g_free(proxy);
-+}
-+
- FileOperations proxy_ops = {
-     .parse_opts   = proxy_parse_opts,
-     .init         = proxy_init,
-+    .cleanup      = proxy_cleanup,
-     .lstat        = proxy_lstat,
-     .readlink     = proxy_readlink,
-     .close        = proxy_close,

0043-9pfs-fix-crash-when-fsdev-is-missing.patch

@@ -1,29 +0,0 @@
-From: Greg Kurz <groug@kaod.org>
-Date: Tue, 3 Jan 2017 17:28:44 +0100
-Subject: [PATCH] 9pfs: fix crash when fsdev is missing
-
-If the user passes -device virtio-9p without the corresponding -fsdev, QEMU
-dereferences a NULL pointer and crashes.
-
-This is a 2.8 regression introduced by commit 702dbcc274e2c.
-
-Signed-off-by: Greg Kurz <groug@kaod.org>
-Reviewed-by: Li Qiang <liq3ea@gmail.com>
-(cherry picked from commit f2b58c43758efc61e2a49b899f5e58848489d0dc)
----
- hw/9pfs/9p.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
-index 84be1c8..be2095a 100644
---- a/hw/9pfs/9p.c
-+++ b/hw/9pfs/9p.c
-@@ -3481,7 +3481,7 @@ int v9fs_device_realize_common(V9fsState *s, Error **errp)
-     rc = 0;
- out:
-     if (rc) {
--        if (s->ops->cleanup && s->ctx.private) {
-+        if (s->ops && s->ops->cleanup && s->ctx.private) {
-             s->ops->cleanup(&s->ctx);
-         }
-         g_free(s->tag);

0044-display-virtio-gpu-3d-check-virgl-capabilities-max_s.patch

@@ -1,37 +0,0 @@
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Wed, 14 Dec 2016 12:31:56 +0530
-Subject: [PATCH] display: virtio-gpu-3d: check virgl capabilities max_size
-
-Virtio GPU device while processing 'VIRTIO_GPU_CMD_GET_CAPSET'
-command, retrieves the maximum capabilities size to fill in the
-response object. It continues to fill in capabilities even if
-retrieved 'max_size' is zero(0), thus resulting in OOB access.
-Add check to avoid it.
-
-Reported-by: Zhenhao Hong <zhenhaohong@gmail.com>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Message-id: 20161214070156.23368-1-ppandit@redhat.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-(cherry picked from commit abd7f08b2353f43274b785db8c7224f082ef4d31)
----
- hw/display/virtio-gpu-3d.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
-index 5878809..bb2e9a1 100644
---- a/hw/display/virtio-gpu-3d.c
-+++ b/hw/display/virtio-gpu-3d.c
-@@ -369,8 +369,12 @@ static void virgl_cmd_get_capset(VirtIOGPU *g,
- 
-     virgl_renderer_get_cap_set(gc.capset_id, &max_ver,
-                                &max_size);
--    resp = g_malloc(sizeof(*resp) + max_size);
-+    if (!max_size) {
-+        cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER;
-+        return;
-+    }
- 
-+    resp = g_malloc(sizeof(*resp) + max_size);
-     resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
-     virgl_renderer_fill_caps(gc.capset_id,
-                              gc.capset_version,

0045-virtio-gpu-fix-information-leak-in-capset-get-dispat.patch

@@ -1,37 +0,0 @@
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Tue, 1 Nov 2016 05:37:57 -0700
-Subject: [PATCH] virtio-gpu: fix information leak in capset get dispatch
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-In virgl_cmd_get_capset function, it uses g_malloc to allocate
-a response struct to the guest. As the 'resp'struct hasn't been full
-initialized it will lead the 'resp->padding' field to the guest.
-Use g_malloc0 to avoid this.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Message-id: 58188cae.4a6ec20a.3d2d1.aff2@mx.google.com
-
-[ kraxel: resolved conflict ]
-
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-(cherry picked from commit 85d9d044471f93c48c5c396f7e217b4ef12f69f8)
----
- hw/display/virtio-gpu-3d.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
-index bb2e9a1..420187e 100644
---- a/hw/display/virtio-gpu-3d.c
-+++ b/hw/display/virtio-gpu-3d.c
-@@ -374,7 +374,7 @@ static void virgl_cmd_get_capset(VirtIOGPU *g,
-         return;
-     }
- 
--    resp = g_malloc(sizeof(*resp) + max_size);
-+    resp = g_malloc0(sizeof(*resp) + max_size);
-     resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
-     virgl_renderer_fill_caps(gc.capset_id,
-                              gc.capset_version,

0046-virtio-gpu-call-cleanup-mapping-function-in-resource.patch

@@ -1,41 +0,0 @@
-From: Li Qiang <liq3ea@gmail.com>
-Date: Mon, 28 Nov 2016 21:29:25 -0500
-Subject: [PATCH] virtio-gpu: call cleanup mapping function in resource destroy
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-If the guest destroy the resource before detach banking, the 'iov'
-and 'addrs' field in resource is not freed thus leading memory
-leak issue. This patch avoid this.
-
-Signed-off-by: Li Qiang <liq3ea@gmail.com>
-Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Message-id: 1480386565-10077-1-git-send-email-liq3ea@gmail.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-(cherry picked from commit b8e23926c568f2e963af39028b71c472e3023793)
----
- hw/display/virtio-gpu.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
-index f41afc7..4ccc8bc 100644
---- a/hw/display/virtio-gpu.c
-+++ b/hw/display/virtio-gpu.c
-@@ -23,6 +23,8 @@
- static struct virtio_gpu_simple_resource*
- virtio_gpu_find_resource(VirtIOGPU *g, uint32_t resource_id);
- 
-+static void virtio_gpu_cleanup_mapping(struct virtio_gpu_simple_resource *res);
-+
- #ifdef CONFIG_VIRGL
- #include "virglrenderer.h"
- #define VIRGL(_g, _virgl, _simple, ...)                     \
-@@ -349,6 +351,7 @@ static void virtio_gpu_resource_destroy(VirtIOGPU *g,
-                                         struct virtio_gpu_simple_resource *res)
- {
-     pixman_image_unref(res->image);
-+    virtio_gpu_cleanup_mapping(res);
-     QTAILQ_REMOVE(&g->reslist, res, next);
-     g_free(res);
- }

0047-audio-ac97-add-exit-function.patch

@@ -1,49 +0,0 @@
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Wed, 14 Dec 2016 18:30:21 -0800
-Subject: [PATCH] audio: ac97: add exit function
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Currently the ac97 device emulation doesn't have a exit function,
-hot unplug this device will leak some memory. Add a exit function to
-avoid this.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Message-id: 58520052.4825ed0a.27a71.6cae@mx.google.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-(cherry picked from commit 12351a91da97b414eec8cdb09f1d9f41e535a401)
----
- hw/audio/ac97.c | 11 +++++++++++
- 1 file changed, 11 insertions(+)
-
-diff --git a/hw/audio/ac97.c b/hw/audio/ac97.c
-index cbd959e..c306575 100644
---- a/hw/audio/ac97.c
-+++ b/hw/audio/ac97.c
-@@ -1387,6 +1387,16 @@ static void ac97_realize(PCIDevice *dev, Error **errp)
-     ac97_on_reset (&s->dev.qdev);
- }
- 
-+static void ac97_exit(PCIDevice *dev)
-+{
-+    AC97LinkState *s = DO_UPCAST(AC97LinkState, dev, dev);
-+
-+    AUD_close_in(&s->card, s->voice_pi);
-+    AUD_close_out(&s->card, s->voice_po);
-+    AUD_close_in(&s->card, s->voice_mc);
-+    AUD_remove_card(&s->card);
-+}
-+
- static int ac97_init (PCIBus *bus)
- {
-     pci_create_simple (bus, -1, "AC97");
-@@ -1404,6 +1414,7 @@ static void ac97_class_init (ObjectClass *klass, void *data)
-     PCIDeviceClass *k = PCI_DEVICE_CLASS (klass);
- 
-     k->realize = ac97_realize;
-+    k->exit = ac97_exit;
-     k->vendor_id = PCI_VENDOR_ID_INTEL;
-     k->device_id = PCI_DEVICE_ID_INTEL_82801AA_5;
-     k->revision = 0x01;

0048-audio-es1370-add-exit-function.patch

@@ -1,52 +0,0 @@
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Wed, 14 Dec 2016 18:32:22 -0800
-Subject: [PATCH] audio: es1370: add exit function
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Currently the es1370 device emulation doesn't have a exit function,
-hot unplug this device will leak some memory. Add a exit function to
-avoid this.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Message-id: 585200c9.a968ca0a.1ab80.4c98@mx.google.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-(cherry picked from commit 069eb7b2b8fc47c7cb52e5a4af23ea98d939e3da)
----
- hw/audio/es1370.c | 14 ++++++++++++++
- 1 file changed, 14 insertions(+)
-
-diff --git a/hw/audio/es1370.c b/hw/audio/es1370.c
-index 8449b5f..883ec69 100644
---- a/hw/audio/es1370.c
-+++ b/hw/audio/es1370.c
-@@ -1041,6 +1041,19 @@ static void es1370_realize(PCIDevice *dev, Error **errp)
-     es1370_reset (s);
- }
- 
-+static void es1370_exit(PCIDevice *dev)
-+{
-+    ES1370State *s = ES1370(dev);
-+    int i;
-+
-+    for (i = 0; i < 2; ++i) {
-+        AUD_close_out(&s->card, s->dac_voice[i]);
-+    }
-+
-+    AUD_close_in(&s->card, s->adc_voice);
-+    AUD_remove_card(&s->card);
-+}
-+
- static int es1370_init (PCIBus *bus)
- {
-     pci_create_simple (bus, -1, TYPE_ES1370);
-@@ -1053,6 +1066,7 @@ static void es1370_class_init (ObjectClass *klass, void *data)
-     PCIDeviceClass *k = PCI_DEVICE_CLASS (klass);
- 
-     k->realize = es1370_realize;
-+    k->exit = es1370_exit;
-     k->vendor_id = PCI_VENDOR_ID_ENSONIQ;
-     k->device_id = PCI_DEVICE_ID_ENSONIQ_ES1370;
-     k->class_id = PCI_CLASS_MULTIMEDIA_AUDIO;

0049-watchdog-6300esb-add-exit-function.patch

@@ -1,43 +0,0 @@
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Mon, 28 Nov 2016 17:49:04 -0800
-Subject: [PATCH] watchdog: 6300esb: add exit function
-
-When the Intel 6300ESB watchdog is hot unplug. The timer allocated
-in realize isn't freed thus leaking memory leak. This patch avoid
-this through adding the exit function.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-Message-Id: <583cde9c.3223ed0a.7f0c2.886e@mx.google.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit eb7a20a3616085d46aa6b4b4224e15587ec67e6e)
----
- hw/watchdog/wdt_i6300esb.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/hw/watchdog/wdt_i6300esb.c b/hw/watchdog/wdt_i6300esb.c
-index a83d951..49b3cd1 100644
---- a/hw/watchdog/wdt_i6300esb.c
-+++ b/hw/watchdog/wdt_i6300esb.c
-@@ -428,6 +428,14 @@ static void i6300esb_realize(PCIDevice *dev, Error **errp)
-     /* qemu_register_coalesced_mmio (addr, 0x10); ? */
- }
- 
-+static void i6300esb_exit(PCIDevice *dev)
-+{
-+    I6300State *d = WATCHDOG_I6300ESB_DEVICE(dev);
-+
-+    timer_del(d->timer);
-+    timer_free(d->timer);
-+}
-+
- static WatchdogTimerModel model = {
-     .wdt_name = "i6300esb",
-     .wdt_description = "Intel 6300ESB",
-@@ -441,6 +449,7 @@ static void i6300esb_class_init(ObjectClass *klass, void *data)
-     k->config_read = i6300esb_config_read;
-     k->config_write = i6300esb_config_write;
-     k->realize = i6300esb_realize;
-+    k->exit = i6300esb_exit;
-     k->vendor_id = PCI_VENDOR_ID_INTEL;
-     k->device_id = PCI_DEVICE_ID_INTEL_ESB_9;
-     k->class_id = PCI_CLASS_SYSTEM_OTHER;

0050-virtio-gpu-3d-fix-memory-leak-in-resource-attach-bac.patch

@@ -1,38 +0,0 @@
-From: Li Qiang <liq3ea@gmail.com>
-Date: Thu, 29 Dec 2016 03:11:26 -0500
-Subject: [PATCH] virtio-gpu-3d: fix memory leak in resource attach backing
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-If the virgl_renderer_resource_attach_iov function fails the
-'res_iovs' will be leaked. Add check of the return value to
-free the 'res_iovs' when failing.
-
-Signed-off-by: Li Qiang <liq3ea@gmail.com>
-Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Message-id: 1482999086-59795-1-git-send-email-liq3ea@gmail.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-(cherry picked from commit 33243031dad02d161225ba99d782616da133f689)
----
- hw/display/virtio-gpu-3d.c | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
-index 420187e..4cffab5 100644
---- a/hw/display/virtio-gpu-3d.c
-+++ b/hw/display/virtio-gpu-3d.c
-@@ -289,8 +289,11 @@ static void virgl_resource_attach_backing(VirtIOGPU *g,
-         return;
-     }
- 
--    virgl_renderer_resource_attach_iov(att_rb.resource_id,
--                                       res_iovs, att_rb.nr_entries);
-+    ret = virgl_renderer_resource_attach_iov(att_rb.resource_id,
-+                                             res_iovs, att_rb.nr_entries);
-+
-+    if (ret != 0)
-+        virtio_gpu_cleanup_mapping_iov(res_iovs, att_rb.nr_entries);
- }
- 
- static void virgl_resource_detach_backing(VirtIOGPU *g,

0051-sd-sdhci-check-data-length-during-dma_memory_read.patch

@@ -1,34 +0,0 @@
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Tue, 7 Feb 2017 18:29:59 +0000
-Subject: [PATCH] sd: sdhci: check data length during dma_memory_read
-
-While doing multi block SDMA transfer in routine
-'sdhci_sdma_transfer_multi_blocks', the 's->fifo_buffer' starting
-index 'begin' and data length 's->data_count' could end up to be same.
-This could lead to an OOB access issue. Correct transfer data length
-to avoid it.
-
-Cc: qemu-stable@nongnu.org
-Reported-by: Jiang Xin <jiangxin1@huawei.com>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 20170130064736.9236-1-ppandit@redhat.com
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-(cherry picked from commit 42922105beb14c2fc58185ea022b9f72fb5465e9)
----
- hw/sd/sdhci.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
-index d28b587..f4cf5c7 100644
---- a/hw/sd/sdhci.c
-+++ b/hw/sd/sdhci.c
-@@ -535,7 +535,7 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
-                 boundary_count -= block_size - begin;
-             }
-             dma_memory_read(&address_space_memory, s->sdmasysad,
--                            &s->fifo_buffer[begin], s->data_count);
-+                            &s->fifo_buffer[begin], s->data_count - begin);
-             s->sdmasysad += s->data_count - begin;
-             if (s->data_count == block_size) {
-                 for (n = 0; n < block_size; n++) {

0052-megasas-fix-guest-triggered-memory-leak.patch

@@ -1,61 +0,0 @@
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Mon, 2 Jan 2017 11:03:33 +0100
-Subject: [PATCH] megasas: fix guest-triggered memory leak
-
-If the guest sets the sglist size to a value >=2GB, megasas_handle_dcmd
-will return MFI_STAT_MEMORY_NOT_AVAILABLE without freeing the memory.
-Avoid this by returning only the status from map_dcmd, and loading
-cmd->iov_size in the caller.
-
-Reported-by: Li Qiang <liqiang6-s@360.cn>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit 765a707000e838c30b18d712fe6cb3dd8e0435f3)
----
- hw/scsi/megasas.c | 11 ++++++-----
- 1 file changed, 6 insertions(+), 5 deletions(-)
-
-diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
-index a9ffc32..d42d34b 100644
---- a/hw/scsi/megasas.c
-+++ b/hw/scsi/megasas.c
-@@ -682,14 +682,14 @@ static int megasas_map_dcmd(MegasasState *s, MegasasCmd *cmd)
-         trace_megasas_dcmd_invalid_sge(cmd->index,
-                                        cmd->frame->header.sge_count);
-         cmd->iov_size = 0;
--        return -1;
-+        return -EINVAL;
-     }
-     iov_pa = megasas_sgl_get_addr(cmd, &cmd->frame->dcmd.sgl);
-     iov_size = megasas_sgl_get_len(cmd, &cmd->frame->dcmd.sgl);
-     pci_dma_sglist_init(&cmd->qsg, PCI_DEVICE(s), 1);
-     qemu_sglist_add(&cmd->qsg, iov_pa, iov_size);
-     cmd->iov_size = iov_size;
--    return cmd->iov_size;
-+    return 0;
- }
- 
- static void megasas_finish_dcmd(MegasasCmd *cmd, uint32_t iov_size)
-@@ -1562,19 +1562,20 @@ static const struct dcmd_cmd_tbl_t {
- 
- static int megasas_handle_dcmd(MegasasState *s, MegasasCmd *cmd)
- {
--    int opcode, len;
-+    int opcode;
-     int retval = 0;
-+    size_t len;
-     const struct dcmd_cmd_tbl_t *cmdptr = dcmd_cmd_tbl;
- 
-     opcode = le32_to_cpu(cmd->frame->dcmd.opcode);
-     trace_megasas_handle_dcmd(cmd->index, opcode);
--    len = megasas_map_dcmd(s, cmd);
--    if (len < 0) {
-+    if (megasas_map_dcmd(s, cmd) < 0) {
-         return MFI_STAT_MEMORY_NOT_AVAILABLE;
-     }
-     while (cmdptr->opcode != -1 && cmdptr->opcode != opcode) {
-         cmdptr++;
-     }
-+    len = cmd->iov_size;
-     if (cmdptr->opcode == -1) {
-         trace_megasas_dcmd_unhandled(cmd->index, opcode, len);
-         retval = megasas_dcmd_dummy(s, cmd);

0053-virtio-gpu-fix-resource-leak-in-virgl_cmd_resource_u.patch

@@ -1,45 +0,0 @@
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Mon, 23 Jan 2017 11:26:50 +0100
-Subject: [PATCH] virtio-gpu: fix resource leak in virgl_cmd_resource_unref
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-When the guest sends VIRTIO_GPU_CMD_RESOURCE_UNREF without detaching the
-backing storage beforehand (VIRTIO_GPU_CMD_RESOURCE_DETACH_BACKING)
-we'll leak memory.
-
-This patch fixes it for 3d mode, simliar to the 2d mode fix in commit
-"b8e2392 virtio-gpu: call cleanup mapping function in resource destroy".
-
-Reported-by: 李强 <liqiang6-s@360.cn>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Message-id: 1485167210-4757-1-git-send-email-kraxel@redhat.com
-(cherry picked from commit 5e8e3c4c75c199aa1017db816fca02be2a9f8798)
----
- hw/display/virtio-gpu-3d.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
-index 4cffab5..e78b3c8 100644
---- a/hw/display/virtio-gpu-3d.c
-+++ b/hw/display/virtio-gpu-3d.c
-@@ -76,10 +76,18 @@ static void virgl_cmd_resource_unref(VirtIOGPU *g,
-                                      struct virtio_gpu_ctrl_command *cmd)
- {
-     struct virtio_gpu_resource_unref unref;
-+    struct iovec *res_iovs = NULL;
-+    int num_iovs = 0;
- 
-     VIRTIO_GPU_FILL_CMD(unref);
-     trace_virtio_gpu_cmd_res_unref(unref.resource_id);
- 
-+    virgl_renderer_resource_detach_iov(unref.resource_id,
-+                                       &res_iovs,
-+                                       &num_iovs);
-+    if (res_iovs != NULL && num_iovs != 0) {
-+        virtio_gpu_cleanup_mapping_iov(res_iovs, num_iovs);
-+    }
-     virgl_renderer_resource_unref(unref.resource_id);
- }
- 

0054-usb-ccid-check-ccid-apdu-length.patch

@@ -1,32 +0,0 @@
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Fri, 3 Feb 2017 00:52:28 +0530
-Subject: [PATCH] usb: ccid: check ccid apdu length
-
-CCID device emulator uses Application Protocol Data Units(APDU)
-to exchange command and responses to and from the host.
-The length in these units couldn't be greater than 65536. Add
-check to ensure the same. It'd also avoid potential integer
-overflow in emulated_apdu_from_guest.
-
-Reported-by: Li Qiang <liqiang6-s@360.cn>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Message-id: 20170202192228.10847-1-ppandit@redhat.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-(cherry picked from commit c7dfbf322595ded4e70b626bf83158a9f3807c6a)
----
- hw/usb/dev-smartcard-reader.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/usb/dev-smartcard-reader.c b/hw/usb/dev-smartcard-reader.c
-index af4b851..fc32b00 100644
---- a/hw/usb/dev-smartcard-reader.c
-+++ b/hw/usb/dev-smartcard-reader.c
-@@ -967,7 +967,7 @@ static void ccid_on_apdu_from_guest(USBCCIDState *s, CCID_XferBlock *recv)
-     DPRINTF(s, 1, "%s: seq %d, len %d\n", __func__,
-                 recv->hdr.bSeq, len);
-     ccid_add_pending_answer(s, (CCID_Header *)recv);
--    if (s->card) {
-+    if (s->card && len <= BULK_OUT_DATA_SIZE) {
-         ccid_card_apdu_from_guest(s->card, recv->abData, len);
-     } else {
-         DPRINTF(s, D_WARN, "warning: discarded apdu\n");

0055-sd-sdhci-check-transfer-mode-register-in-multi-block.patch

@@ -1,51 +0,0 @@
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Tue, 28 Feb 2017 12:08:14 +0000
-Subject: [PATCH] sd: sdhci: check transfer mode register in multi block
- transfer
-
-In the SDHCI protocol, the transfer mode register value
-is used during multi block transfer to check if block count
-register is enabled and should be updated. Transfer mode
-register could be set such that, block count register would
-not be updated, thus leading to an infinite loop. Add check
-to avoid it.
-
-Reported-by: Wjjzhang <wjjzhang@tencent.com>
-Reported-by: Jiang Xin <jiangxin1@huawei.com>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Message-id: 20170214185225.7994-3-ppandit@redhat.com
-Reviewed-by: Alistair Francis <alistair.francis@xilinx.com>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-(cherry picked from commit 6e86d90352adf6cb08295255220295cf23c4286e)
----
- hw/sd/sdhci.c | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
-index f4cf5c7..fedc786 100644
---- a/hw/sd/sdhci.c
-+++ b/hw/sd/sdhci.c
-@@ -485,6 +485,11 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
-     uint32_t boundary_chk = 1 << (((s->blksize & 0xf000) >> 12) + 12);
-     uint32_t boundary_count = boundary_chk - (s->sdmasysad % boundary_chk);
- 
-+    if (!(s->trnmod & SDHC_TRNS_BLK_CNT_EN) || !s->blkcnt) {
-+        qemu_log_mask(LOG_UNIMP, "infinite transfer is not supported\n");
-+        return;
-+    }
-+
-     /* XXX: Some sd/mmc drivers (for example, u-boot-slp) do not account for
-      * possible stop at page boundary if initial address is not page aligned,
-      * allow them to work properly */
-@@ -796,11 +801,6 @@ static void sdhci_data_transfer(void *opaque)
-     if (s->trnmod & SDHC_TRNS_DMA) {
-         switch (SDHC_DMA_TYPE(s->hostctl)) {
-         case SDHC_CTRL_SDMA:
--            if ((s->trnmod & SDHC_TRNS_MULTI) &&
--                    (!(s->trnmod & SDHC_TRNS_BLK_CNT_EN) || s->blkcnt == 0)) {
--                break;
--            }
--
-             if ((s->blkcnt == 1) || !(s->trnmod & SDHC_TRNS_MULTI)) {
-                 sdhci_sdma_transfer_single_block(s);
-             } else {

0056-usb-ohci-limit-the-number-of-link-eds.patch

@@ -1,49 +0,0 @@
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Tue, 7 Feb 2017 02:23:33 -0800
-Subject: [PATCH] usb: ohci: limit the number of link eds
-
-The guest may builds an infinite loop with link eds. This patch
-limit the number of linked ed to avoid this.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-Message-id: 5899a02e.45ca240a.6c373.93c1@mx.google.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-(cherry picked from commit 95ed56939eb2eaa4e2f349fe6dcd13ca4edfd8fb)
----
- hw/usb/hcd-ohci.c | 9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c
-index 16d9ff7..1af518d 100644
---- a/hw/usb/hcd-ohci.c
-+++ b/hw/usb/hcd-ohci.c
-@@ -42,6 +42,8 @@
- 
- #define OHCI_MAX_PORTS 15
- 
-+#define ED_LINK_LIMIT 4
-+
- static int64_t usb_frame_time;
- static int64_t usb_bit_time;
- 
-@@ -1184,7 +1186,7 @@ static int ohci_service_ed_list(OHCIState *ohci, uint32_t head, int completion)
-     uint32_t next_ed;
-     uint32_t cur;
-     int active;
--
-+    uint32_t link_cnt = 0;
-     active = 0;
- 
-     if (head == 0)
-@@ -1199,6 +1201,11 @@ static int ohci_service_ed_list(OHCIState *ohci, uint32_t head, int completion)
- 
-         next_ed = ed.next & OHCI_DPTR_MASK;
- 
-+        if (++link_cnt > ED_LINK_LIMIT) {
-+            ohci_die(ohci);
-+            return 0;
-+        }
-+
-         if ((ed.head & OHCI_ED_H) || (ed.flags & OHCI_ED_K)) {
-             uint32_t addr;
-             /* Cancel pending packets for ED that have been paused.  */

0057-display-cirrus-ignore-source-pitch-value-as-needed-i.patch

@@ -1,69 +0,0 @@
-From: Bruce Rogers <brogers@suse.com>
-Date: Mon, 9 Jan 2017 13:35:20 -0700
-Subject: [PATCH] display: cirrus: ignore source pitch value as needed in
- blit_is_unsafe
-
-Commit 4299b90 added a check which is too broad, given that the source
-pitch value is not required to be initialized for solid fill operations.
-This patch refines the blit_is_unsafe() check to ignore source pitch in
-that case. After applying the above commit as a security patch, we
-noticed the SLES 11 SP4 guest gui failed to initialize properly.
-
-Signed-off-by: Bruce Rogers <brogers@suse.com>
-Message-id: 20170109203520.5619-1-brogers@suse.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-(cherry picked from commit 913a87885f589d263e682c2eb6637c6e14538061)
----
- hw/display/cirrus_vga.c | 11 +++++++----
- 1 file changed, 7 insertions(+), 4 deletions(-)
-
-diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
-index bdb092e..379910d 100644
---- a/hw/display/cirrus_vga.c
-+++ b/hw/display/cirrus_vga.c
-@@ -294,7 +294,7 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
-     return false;
- }
- 
--static bool blit_is_unsafe(struct CirrusVGAState *s)
-+static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only)
- {
-     /* should be the case, see cirrus_bitblt_start */
-     assert(s->cirrus_blt_width > 0);
-@@ -308,6 +308,9 @@ static bool blit_is_unsafe(struct CirrusVGAState *s)
-                               s->cirrus_blt_dstaddr & s->cirrus_addr_mask)) {
-         return true;
-     }
-+    if (dst_only) {
-+        return false;
-+    }
-     if (blit_region_is_unsafe(s, s->cirrus_blt_srcpitch,
-                               s->cirrus_blt_srcaddr & s->cirrus_addr_mask)) {
-         return true;
-@@ -673,7 +676,7 @@ static int cirrus_bitblt_common_patterncopy(CirrusVGAState * s,
- 
-     dst = s->vga.vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask);
- 
--    if (blit_is_unsafe(s))
-+    if (blit_is_unsafe(s, false))
-         return 0;
- 
-     (*s->cirrus_rop) (s, dst, src,
-@@ -691,7 +694,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop)
- {
-     cirrus_fill_t rop_func;
- 
--    if (blit_is_unsafe(s)) {
-+    if (blit_is_unsafe(s, true)) {
-         return 0;
-     }
-     rop_func = cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1];
-@@ -795,7 +798,7 @@ static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
- 
- static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
- {
--    if (blit_is_unsafe(s))
-+    if (blit_is_unsafe(s, false))
-         return 0;
- 
-     return cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr,

0058-cirrus-handle-negative-pitch-in-cirrus_invalidate_re.patch

@@ -1,47 +0,0 @@
-From: Wolfgang Bumiller <w.bumiller@proxmox.com>
-Date: Wed, 25 Jan 2017 14:48:57 +0100
-Subject: [PATCH] cirrus: handle negative pitch in cirrus_invalidate_region()
-
-cirrus_invalidate_region() calls memory_region_set_dirty()
-on a per-line basis, always ranging from off_begin to
-off_begin+bytesperline. With a negative pitch off_begin
-marks the top most used address and thus we need to do an
-initial shift backwards by a line for negative pitches of
-backward blits, otherwise the first iteration covers the
-line going from the start offset forwards instead of
-backwards.
-Additionally since the start address is inclusive, if we
-shift by a full `bytesperline` we move to the first address
-*not* included in the blit, so we only shift by one less
-than bytesperline.
-
-Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
-Message-id: 1485352137-29367-1-git-send-email-w.bumiller@proxmox.com
-
-[ kraxel: codestyle fixes ]
-
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-(cherry picked from commit f153b563f8cf121aebf5a2fff5f0110faf58ccb3)
----
- hw/display/cirrus_vga.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
-index 379910d..0f05e45 100644
---- a/hw/display/cirrus_vga.c
-+++ b/hw/display/cirrus_vga.c
-@@ -661,9 +661,14 @@ static void cirrus_invalidate_region(CirrusVGAState * s, int off_begin,
-     int off_cur;
-     int off_cur_end;
- 
-+    if (off_pitch < 0) {
-+        off_begin -= bytesperline - 1;
-+    }
-+
-     for (y = 0; y < lines; y++) {
- 	off_cur = off_begin;
- 	off_cur_end = (off_cur + bytesperline) & s->cirrus_addr_mask;
-+        assert(off_cur_end >= off_cur);
-         memory_region_set_dirty(&s->vga.vram, off_cur, off_cur_end - off_cur);
- 	off_begin += off_pitch;
-     }

0059-cirrus-allow-zero-source-pitch-in-pattern-fill-rops.patch

@@ -1,99 +0,0 @@
-From: Wolfgang Bumiller <w.bumiller@proxmox.com>
-Date: Tue, 24 Jan 2017 16:35:38 +0100
-Subject: [PATCH] cirrus: allow zero source pitch in pattern fill rops
-
-The rops used by cirrus_bitblt_common_patterncopy only use
-the destination pitch, so the source pitch shoul allowed to
-be zero and the blit with used for the range check around the
-source address.
-
-Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
-Message-id: 1485272138-23249-1-git-send-email-w.bumiller@proxmox.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-(cherry picked from commit 5858dd1801883309bdd208d72ddb81c4e9fee30c)
----
- hw/display/cirrus_vga.c | 27 +++++++++++++++++++--------
- 1 file changed, 19 insertions(+), 8 deletions(-)
-
-diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
-index 0f05e45..98f089e 100644
---- a/hw/display/cirrus_vga.c
-+++ b/hw/display/cirrus_vga.c
-@@ -272,9 +272,6 @@ static void cirrus_update_memory_access(CirrusVGAState *s);
- static bool blit_region_is_unsafe(struct CirrusVGAState *s,
-                                   int32_t pitch, int32_t addr)
- {
--    if (!pitch) {
--        return true;
--    }
-     if (pitch < 0) {
-         int64_t min = addr
-             + ((int64_t)s->cirrus_blt_height-1) * pitch;
-@@ -294,8 +291,11 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
-     return false;
- }
- 
--static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only)
-+static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only,
-+                           bool zero_src_pitch_ok)
- {
-+    int32_t check_pitch;
-+
-     /* should be the case, see cirrus_bitblt_start */
-     assert(s->cirrus_blt_width > 0);
-     assert(s->cirrus_blt_height > 0);
-@@ -304,6 +304,10 @@ static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only)
-         return true;
-     }
- 
-+    if (!s->cirrus_blt_dstpitch) {
-+        return true;
-+    }
-+
-     if (blit_region_is_unsafe(s, s->cirrus_blt_dstpitch,
-                               s->cirrus_blt_dstaddr & s->cirrus_addr_mask)) {
-         return true;
-@@ -311,7 +315,13 @@ static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only)
-     if (dst_only) {
-         return false;
-     }
--    if (blit_region_is_unsafe(s, s->cirrus_blt_srcpitch,
-+
-+    check_pitch = s->cirrus_blt_srcpitch;
-+    if (!zero_src_pitch_ok && !check_pitch) {
-+        check_pitch = s->cirrus_blt_width;
-+    }
-+
-+    if (blit_region_is_unsafe(s, check_pitch,
-                               s->cirrus_blt_srcaddr & s->cirrus_addr_mask)) {
-         return true;
-     }
-@@ -681,8 +691,9 @@ static int cirrus_bitblt_common_patterncopy(CirrusVGAState * s,
- 
-     dst = s->vga.vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask);
- 
--    if (blit_is_unsafe(s, false))
-+    if (blit_is_unsafe(s, false, true)) {
-         return 0;
-+    }
- 
-     (*s->cirrus_rop) (s, dst, src,
-                       s->cirrus_blt_dstpitch, 0,
-@@ -699,7 +710,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop)
- {
-     cirrus_fill_t rop_func;
- 
--    if (blit_is_unsafe(s, true)) {
-+    if (blit_is_unsafe(s, true, true)) {
-         return 0;
-     }
-     rop_func = cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1];
-@@ -803,7 +814,7 @@ static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
- 
- static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
- {
--    if (blit_is_unsafe(s, false))
-+    if (blit_is_unsafe(s, false, false))
-         return 0;
- 
-     return cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr,

0060-cirrus-fix-blit-address-mask-handling.patch

@@ -1,101 +0,0 @@
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Wed, 25 Jan 2017 11:09:56 +0100
-Subject: [PATCH] cirrus: fix blit address mask handling
-
-Apply the cirrus_addr_mask to cirrus_blt_dstaddr and cirrus_blt_srcaddr
-right after assigning them, in cirrus_bitblt_start(), instead of having
-this all over the place in the cirrus code, and missing a few places.
-
-Reported-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Message-id: 1485338996-17095-1-git-send-email-kraxel@redhat.com
-(cherry picked from commit 60cd23e85151525ab26591394c4e7e06fa07d216)
----
- hw/display/cirrus_vga.c | 25 ++++++++++++-------------
- 1 file changed, 12 insertions(+), 13 deletions(-)
-
-diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
-index 98f089e..7db6409 100644
---- a/hw/display/cirrus_vga.c
-+++ b/hw/display/cirrus_vga.c
-@@ -309,7 +309,7 @@ static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only,
-     }
- 
-     if (blit_region_is_unsafe(s, s->cirrus_blt_dstpitch,
--                              s->cirrus_blt_dstaddr & s->cirrus_addr_mask)) {
-+                              s->cirrus_blt_dstaddr)) {
-         return true;
-     }
-     if (dst_only) {
-@@ -322,7 +322,7 @@ static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only,
-     }
- 
-     if (blit_region_is_unsafe(s, check_pitch,
--                              s->cirrus_blt_srcaddr & s->cirrus_addr_mask)) {
-+                              s->cirrus_blt_srcaddr)) {
-         return true;
-     }
- 
-@@ -689,7 +689,7 @@ static int cirrus_bitblt_common_patterncopy(CirrusVGAState * s,
- {
-     uint8_t *dst;
- 
--    dst = s->vga.vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask);
-+    dst = s->vga.vram_ptr + s->cirrus_blt_dstaddr;
- 
-     if (blit_is_unsafe(s, false, true)) {
-         return 0;
-@@ -714,7 +714,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop)
-         return 0;
-     }
-     rop_func = cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1];
--    rop_func(s, s->vga.vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask),
-+    rop_func(s, s->vga.vram_ptr + s->cirrus_blt_dstaddr,
-              s->cirrus_blt_dstpitch,
-              s->cirrus_blt_width, s->cirrus_blt_height);
-     cirrus_invalidate_region(s, s->cirrus_blt_dstaddr,
-@@ -732,9 +732,8 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop)
- 
- static int cirrus_bitblt_videotovideo_patterncopy(CirrusVGAState * s)
- {
--    return cirrus_bitblt_common_patterncopy(s,
--					    s->vga.vram_ptr + ((s->cirrus_blt_srcaddr & ~7) &
--                                            s->cirrus_addr_mask));
-+    return cirrus_bitblt_common_patterncopy(s, s->vga.vram_ptr +
-+                                            (s->cirrus_blt_srcaddr & ~7));
- }
- 
- static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
-@@ -788,10 +787,8 @@ static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
-     if (notify)
-         graphic_hw_update(s->vga.con);
- 
--    (*s->cirrus_rop) (s, s->vga.vram_ptr +
--		      (s->cirrus_blt_dstaddr & s->cirrus_addr_mask),
--		      s->vga.vram_ptr +
--		      (s->cirrus_blt_srcaddr & s->cirrus_addr_mask),
-+    (*s->cirrus_rop) (s, s->vga.vram_ptr + s->cirrus_blt_dstaddr,
-+                      s->vga.vram_ptr + s->cirrus_blt_srcaddr,
- 		      s->cirrus_blt_dstpitch, s->cirrus_blt_srcpitch,
- 		      s->cirrus_blt_width, s->cirrus_blt_height);
- 
-@@ -842,8 +839,7 @@ static void cirrus_bitblt_cputovideo_next(CirrusVGAState * s)
-         } else {
-             /* at least one scan line */
-             do {
--                (*s->cirrus_rop)(s, s->vga.vram_ptr +
--                                 (s->cirrus_blt_dstaddr & s->cirrus_addr_mask),
-+                (*s->cirrus_rop)(s, s->vga.vram_ptr + s->cirrus_blt_dstaddr,
-                                   s->cirrus_bltbuf, 0, 0, s->cirrus_blt_width, 1);
-                 cirrus_invalidate_region(s, s->cirrus_blt_dstaddr, 0,
-                                          s->cirrus_blt_width, 1);
-@@ -962,6 +958,9 @@ static void cirrus_bitblt_start(CirrusVGAState * s)
-     s->cirrus_blt_modeext = s->vga.gr[0x33];
-     blt_rop = s->vga.gr[0x32];
- 
-+    s->cirrus_blt_dstaddr &= s->cirrus_addr_mask;
-+    s->cirrus_blt_srcaddr &= s->cirrus_addr_mask;
-+
- #ifdef DEBUG_BITBLT
-     printf("rop=0x%02x mode=0x%02x modeext=0x%02x w=%d h=%d dpitch=%d spitch=%d daddr=0x%08x saddr=0x%08x writemask=0x%02x\n",
-            blt_rop,

0061-cirrus-fix-oob-access-issue-CVE-2017-2615.patch

@@ -1,45 +0,0 @@
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Wed, 1 Feb 2017 09:35:01 +0100
-Subject: [PATCH] cirrus: fix oob access issue (CVE-2017-2615)
-
-When doing bitblt copy in backward mode, we should minus the
-blt width first just like the adding in the forward mode. This
-can avoid the oob access of the front of vga's vram.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-
-{ kraxel: with backward blits (negative pitch) addr is the topmost
-          address, so check it as-is against vram size ]
-
-Cc: qemu-stable@nongnu.org
-Cc: P J P <ppandit@redhat.com>
-Cc: Laszlo Ersek <lersek@redhat.com>
-Cc: Paolo Bonzini <pbonzini@redhat.com>
-Cc: Wolfgang Bumiller <w.bumiller@proxmox.com>
-Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106)
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Message-id: 1485938101-26602-1-git-send-email-kraxel@redhat.com
-Reviewed-by: Laszlo Ersek <lersek@redhat.com>
-(cherry picked from commit 62d4c6bd5263bb8413a06c80144fc678df6dfb64)
----
- hw/display/cirrus_vga.c | 7 +++----
- 1 file changed, 3 insertions(+), 4 deletions(-)
-
-diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
-index 7db6409..16f27e8 100644
---- a/hw/display/cirrus_vga.c
-+++ b/hw/display/cirrus_vga.c
-@@ -274,10 +274,9 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
- {
-     if (pitch < 0) {
-         int64_t min = addr
--            + ((int64_t)s->cirrus_blt_height-1) * pitch;
--        int32_t max = addr
--            + s->cirrus_blt_width;
--        if (min < 0 || max > s->vga.vram_size) {
-+            + ((int64_t)s->cirrus_blt_height - 1) * pitch
-+            - s->cirrus_blt_width;
-+        if (min < -1 || addr >= s->vga.vram_size) {
-             return true;
-         }
-     } else {

0062-cirrus-fix-patterncopy-checks.patch

@@ -1,101 +0,0 @@
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Thu, 9 Feb 2017 14:02:20 +0100
-Subject: [PATCH] cirrus: fix patterncopy checks
-
-The blit_region_is_unsafe checks don't work correctly for the
-patterncopy source.  It's a fixed-sized region, which doesn't
-depend on cirrus_blt_{width,height}.  So go do the check in
-cirrus_bitblt_common_patterncopy instead, then tell blit_is_unsafe that
-it doesn't need to verify the source.  Also handle the case where we
-blit from cirrus_bitbuf correctly.
-
-This patch replaces 5858dd1801883309bdd208d72ddb81c4e9fee30c.
-
-Security impact:  I think for the most part error on the safe side this
-time, refusing blits which should have been allowed.
-
-Only exception is placing the blit source at the end of the video ram,
-so cirrus_blt_srcaddr + 256 goes beyond the end of video memory.  But
-even in that case I'm not fully sure this actually allows read access to
-host memory.  To trick the commit 5858dd18 security checks one has to
-pick very small cirrus_blt_{width,height} values, which in turn implies
-only a fraction of the blit source will actually be used.
-
-Cc: Wolfgang Bumiller <w.bumiller@proxmox.com>
-Cc: Dr. David Alan Gilbert <dgilbert@redhat.com>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
-Reviewed-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
-Reviewed-by: Laurent Vivier <lvivier@redhat.com>
-Message-id: 1486645341-5010-1-git-send-email-kraxel@redhat.com
-(cherry picked from commit 95280c31cda79bb1d0968afc7b19a220b3a9d986)
----
- hw/display/cirrus_vga.c | 36 ++++++++++++++++++++++++++++++------
- 1 file changed, 30 insertions(+), 6 deletions(-)
-
-diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
-index 16f27e8..6bd13fc 100644
---- a/hw/display/cirrus_vga.c
-+++ b/hw/display/cirrus_vga.c
-@@ -683,14 +683,39 @@ static void cirrus_invalidate_region(CirrusVGAState * s, int off_begin,
-     }
- }
- 
--static int cirrus_bitblt_common_patterncopy(CirrusVGAState * s,
--					    const uint8_t * src)
-+static int cirrus_bitblt_common_patterncopy(CirrusVGAState *s, bool videosrc)
- {
-+    uint32_t patternsize;
-     uint8_t *dst;
-+    uint8_t *src;
- 
-     dst = s->vga.vram_ptr + s->cirrus_blt_dstaddr;
- 
--    if (blit_is_unsafe(s, false, true)) {
-+    if (videosrc) {
-+        switch (s->vga.get_bpp(&s->vga)) {
-+        case 8:
-+            patternsize = 64;
-+            break;
-+        case 15:
-+        case 16:
-+            patternsize = 128;
-+            break;
-+        case 24:
-+        case 32:
-+        default:
-+            patternsize = 256;
-+            break;
-+        }
-+        s->cirrus_blt_srcaddr &= ~(patternsize - 1);
-+        if (s->cirrus_blt_srcaddr + patternsize > s->vga.vram_size) {
-+            return 0;
-+        }
-+        src = s->vga.vram_ptr + s->cirrus_blt_srcaddr;
-+    } else {
-+        src = s->cirrus_bltbuf;
-+    }
-+
-+    if (blit_is_unsafe(s, true, true)) {
-         return 0;
-     }
- 
-@@ -731,8 +756,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop)
- 
- static int cirrus_bitblt_videotovideo_patterncopy(CirrusVGAState * s)
- {
--    return cirrus_bitblt_common_patterncopy(s, s->vga.vram_ptr +
--                                            (s->cirrus_blt_srcaddr & ~7));
-+    return cirrus_bitblt_common_patterncopy(s, true);
- }
- 
- static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
-@@ -831,7 +855,7 @@ static void cirrus_bitblt_cputovideo_next(CirrusVGAState * s)
- 
-     if (s->cirrus_srccounter > 0) {
-         if (s->cirrus_blt_mode & CIRRUS_BLTMODE_PATTERNCOPY) {
--            cirrus_bitblt_common_patterncopy(s, s->cirrus_bltbuf);
-+            cirrus_bitblt_common_patterncopy(s, false);
-         the_end:
-             s->cirrus_srccounter = 0;
-             cirrus_bitblt_reset(s);

0063-Revert-cirrus-allow-zero-source-pitch-in-pattern-fil.patch

@@ -1,100 +0,0 @@
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Thu, 9 Feb 2017 14:02:21 +0100
-Subject: [PATCH] Revert "cirrus: allow zero source pitch in pattern fill rops"
-
-This reverts commit 5858dd1801883309bdd208d72ddb81c4e9fee30c.
-
-Conflicts:
-	hw/display/cirrus_vga.c
-
-Cc: Wolfgang Bumiller <w.bumiller@proxmox.com>
-Cc: Dr. David Alan Gilbert <dgilbert@redhat.com>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
-Reviewed-by: Laurent Vivier <lvivier@redhat.com>
-Message-id: 1486645341-5010-2-git-send-email-kraxel@redhat.com
-(cherry picked from commit 12e97ec39931e5321645fd483ab761319d48bf16)
----
- hw/display/cirrus_vga.c | 26 ++++++++------------------
- 1 file changed, 8 insertions(+), 18 deletions(-)
-
-diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
-index 6bd13fc..0e47cf8 100644
---- a/hw/display/cirrus_vga.c
-+++ b/hw/display/cirrus_vga.c
-@@ -272,6 +272,9 @@ static void cirrus_update_memory_access(CirrusVGAState *s);
- static bool blit_region_is_unsafe(struct CirrusVGAState *s,
-                                   int32_t pitch, int32_t addr)
- {
-+    if (!pitch) {
-+        return true;
-+    }
-     if (pitch < 0) {
-         int64_t min = addr
-             + ((int64_t)s->cirrus_blt_height - 1) * pitch
-@@ -290,11 +293,8 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
-     return false;
- }
- 
--static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only,
--                           bool zero_src_pitch_ok)
-+static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only)
- {
--    int32_t check_pitch;
--
-     /* should be the case, see cirrus_bitblt_start */
-     assert(s->cirrus_blt_width > 0);
-     assert(s->cirrus_blt_height > 0);
-@@ -303,10 +303,6 @@ static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only,
-         return true;
-     }
- 
--    if (!s->cirrus_blt_dstpitch) {
--        return true;
--    }
--
-     if (blit_region_is_unsafe(s, s->cirrus_blt_dstpitch,
-                               s->cirrus_blt_dstaddr)) {
-         return true;
-@@ -314,13 +310,7 @@ static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only,
-     if (dst_only) {
-         return false;
-     }
--
--    check_pitch = s->cirrus_blt_srcpitch;
--    if (!zero_src_pitch_ok && !check_pitch) {
--        check_pitch = s->cirrus_blt_width;
--    }
--
--    if (blit_region_is_unsafe(s, check_pitch,
-+    if (blit_region_is_unsafe(s, s->cirrus_blt_srcpitch,
-                               s->cirrus_blt_srcaddr)) {
-         return true;
-     }
-@@ -715,7 +705,7 @@ static int cirrus_bitblt_common_patterncopy(CirrusVGAState *s, bool videosrc)
-         src = s->cirrus_bltbuf;
-     }
- 
--    if (blit_is_unsafe(s, true, true)) {
-+    if (blit_is_unsafe(s, true)) {
-         return 0;
-     }
- 
-@@ -734,7 +724,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop)
- {
-     cirrus_fill_t rop_func;
- 
--    if (blit_is_unsafe(s, true, true)) {
-+    if (blit_is_unsafe(s, true)) {
-         return 0;
-     }
-     rop_func = cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1];
-@@ -834,7 +824,7 @@ static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
- 
- static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
- {
--    if (blit_is_unsafe(s, false, false))
-+    if (blit_is_unsafe(s, false))
-         return 0;
- 
-     return cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr,

0064-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch

@@ -1,46 +0,0 @@
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Wed, 8 Feb 2017 11:18:36 +0100
-Subject: [PATCH] cirrus: add blit_is_unsafe call to cirrus_bitblt_cputovideo
- (CVE-2017-2620)
-
-CIRRUS_BLTMODE_MEMSYSSRC blits do NOT check blit destination
-and blit width, at all.  Oops.  Fix it.
-
-Security impact: high.
-
-The missing blit destination check allows to write to host memory.
-Basically same as CVE-2014-8106 for the other blit variants.
-
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-(cherry picked from commit 92f2b88cea48c6aeba8de568a45f2ed958f3c298)
----
- hw/display/cirrus_vga.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
-index 0e47cf8..a093dc8 100644
---- a/hw/display/cirrus_vga.c
-+++ b/hw/display/cirrus_vga.c
-@@ -899,6 +899,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s)
- {
-     int w;
- 
-+    if (blit_is_unsafe(s, true)) {
-+        return 0;
-+    }
-+
-     s->cirrus_blt_mode &= ~CIRRUS_BLTMODE_MEMSYSSRC;
-     s->cirrus_srcptr = &s->cirrus_bltbuf[0];
-     s->cirrus_srcptr_end = &s->cirrus_bltbuf[0];
-@@ -924,6 +928,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s)
- 	}
-         s->cirrus_srccounter = s->cirrus_blt_srcpitch * s->cirrus_blt_height;
-     }
-+
-+    /* the blit_is_unsafe call above should catch this */
-+    assert(s->cirrus_blt_srcpitch <= CIRRUS_BLTBUFSIZE);
-+
-     s->cirrus_srcptr = s->cirrus_bltbuf;
-     s->cirrus_srcptr_end = s->cirrus_bltbuf + s->cirrus_blt_srcpitch;
-     cirrus_update_memory_access(s);

0065-vnc-enc-tight-use-thread-local-storage-for-palette.patch

@@ -1,99 +0,0 @@
-From: Peter Lieven <pl@kamp.de>
-Date: Thu, 30 Jun 2016 12:00:46 +0200
-Subject: [PATCH] vnc-enc-tight: use thread local storage for palette
-
-currently the color counting palette is allocated from heap, used and destroyed
-for each single subrect. Use a static palette per thread for this purpose and
-avoid the malloc and free for each update.
-
-Signed-off-by: Peter Lieven <pl@kamp.de>
-Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
-Message-id: 1467280846-9674-1-git-send-email-pl@kamp.de
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-(cherry picked from commit 095497ffc66b7f031ff2a17f1e50f5cb105ce588)
----
- ui/vnc-enc-tight.c | 23 ++++++++++++-----------
- 1 file changed, 12 insertions(+), 11 deletions(-)
-
-diff --git a/ui/vnc-enc-tight.c b/ui/vnc-enc-tight.c
-index 678c5df..877c093 100644
---- a/ui/vnc-enc-tight.c
-+++ b/ui/vnc-enc-tight.c
-@@ -349,7 +349,7 @@ tight_detect_smooth_image(VncState *vs, int w, int h)
-     tight_fill_palette##bpp(VncState *vs, int x, int y,                 \
-                             int max, size_t count,                      \
-                             uint32_t *bg, uint32_t *fg,                 \
--                            VncPalette **palette) {                     \
-+                            VncPalette *palette) {                      \
-         uint##bpp##_t *data;                                            \
-         uint##bpp##_t c0, c1, ci;                                       \
-         int i, n0, n1;                                                  \
-@@ -396,23 +396,23 @@ tight_detect_smooth_image(VncState *vs, int w, int h)
-             return 0;                                                   \
-         }                                                               \
-                                                                         \
--        *palette = palette_new(max, bpp);                               \
--        palette_put(*palette, c0);                                      \
--        palette_put(*palette, c1);                                      \
--        palette_put(*palette, ci);                                      \
-+        palette_init(palette, max, bpp);                                \
-+        palette_put(palette, c0);                                       \
-+        palette_put(palette, c1);                                       \
-+        palette_put(palette, ci);                                       \
-                                                                         \
-         for (i++; i < count; i++) {                                     \
-             if (data[i] == ci) {                                        \
-                 continue;                                               \
-             } else {                                                    \
-                 ci = data[i];                                           \
--                if (!palette_put(*palette, (uint32_t)ci)) {             \
-+                if (!palette_put(palette, (uint32_t)ci)) {              \
-                     return 0;                                           \
-                 }                                                       \
-             }                                                           \
-         }                                                               \
-                                                                         \
--        return palette_size(*palette);                                  \
-+        return palette_size(palette);                                   \
-     }
- 
- DEFINE_FILL_PALETTE_FUNCTION(8)
-@@ -421,7 +421,7 @@ DEFINE_FILL_PALETTE_FUNCTION(32)
- 
- static int tight_fill_palette(VncState *vs, int x, int y,
-                               size_t count, uint32_t *bg, uint32_t *fg,
--                              VncPalette **palette)
-+                              VncPalette *palette)
- {
-     int max;
- 
-@@ -1458,9 +1458,11 @@ static int send_sub_rect_jpeg(VncState *vs, int x, int y, int w, int h,
- }
- #endif
- 
-+static __thread VncPalette color_count_palette;
-+
- static int send_sub_rect(VncState *vs, int x, int y, int w, int h)
- {
--    VncPalette *palette = NULL;
-+    VncPalette *palette = &color_count_palette;
-     uint32_t bg = 0, fg = 0;
-     int colors;
-     int ret = 0;
-@@ -1489,7 +1491,7 @@ static int send_sub_rect(VncState *vs, int x, int y, int w, int h)
-     }
- #endif
- 
--    colors = tight_fill_palette(vs, x, y, w * h, &bg, &fg, &palette);
-+    colors = tight_fill_palette(vs, x, y, w * h, &bg, &fg, palette);
- 
- #ifdef CONFIG_VNC_JPEG
-     if (allow_jpeg && vs->tight.quality != (uint8_t)-1) {
-@@ -1502,7 +1504,6 @@ static int send_sub_rect(VncState *vs, int x, int y, int w, int h)
-     ret = send_sub_rect_nojpeg(vs, x, y, w, h, bg, fg, colors, palette);
- #endif
- 
--    palette_destroy(palette);
-     return ret;
- }
- 

0066-vnc-tight-fix-regression-with-libxenstore.patch

@@ -1,84 +0,0 @@
-From: Peter Lieven <pl@kamp.de>
-Date: Fri, 15 Jul 2016 11:45:11 +0200
-Subject: [PATCH] vnc-tight: fix regression with libxenstore
-
-commit 095497ff added thread local storage for the color counting
-palette. Unfortunately, a VncPalette is about 7kB on a x86_64 system.
-This memory is reserved from the stack of every thread and it
-exhausted the stack space of a libxenstore thread.
-
-Fix this by allocating memory only for the VNC encoding thread.
-
-Fixes: 095497ffc66b7f031ff2a17f1e50f5cb105ce588
-Reported-by: Juergen Gross <jgross@suse.com>
-Tested-by: Juergen Gross <jgross@suse.com>
-Signed-off-by: Peter Lieven <pl@kamp.de>
-Message-id: 1468575911-20656-1-git-send-email-pl@kamp.de
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-(cherry picked from commit 66668d197fa40747e835e15617eda2f1bc80982f)
----
- ui/vnc-enc-tight.c | 28 +++++++++++++++++++++-------
- 1 file changed, 21 insertions(+), 7 deletions(-)
-
-diff --git a/ui/vnc-enc-tight.c b/ui/vnc-enc-tight.c
-index 877c093..49df85e 100644
---- a/ui/vnc-enc-tight.c
-+++ b/ui/vnc-enc-tight.c
-@@ -1458,11 +1458,17 @@ static int send_sub_rect_jpeg(VncState *vs, int x, int y, int w, int h,
- }
- #endif
- 
--static __thread VncPalette color_count_palette;
-+static __thread VncPalette *color_count_palette;
-+static __thread Notifier vnc_tight_cleanup_notifier;
-+
-+static void vnc_tight_cleanup(Notifier *n, void *value)
-+{
-+    g_free(color_count_palette);
-+    color_count_palette = NULL;
-+}
- 
- static int send_sub_rect(VncState *vs, int x, int y, int w, int h)
- {
--    VncPalette *palette = &color_count_palette;
-     uint32_t bg = 0, fg = 0;
-     int colors;
-     int ret = 0;
-@@ -1471,6 +1477,12 @@ static int send_sub_rect(VncState *vs, int x, int y, int w, int h)
-     bool allow_jpeg = true;
- #endif
- 
-+    if (!color_count_palette) {
-+        color_count_palette = g_malloc(sizeof(VncPalette));
-+        vnc_tight_cleanup_notifier.notify = vnc_tight_cleanup;
-+        qemu_thread_atexit_add(&vnc_tight_cleanup_notifier);
-+    }
-+
-     vnc_framebuffer_update(vs, x, y, w, h, vs->tight.type);
- 
-     vnc_tight_start(vs);
-@@ -1491,17 +1503,19 @@ static int send_sub_rect(VncState *vs, int x, int y, int w, int h)
-     }
- #endif
- 
--    colors = tight_fill_palette(vs, x, y, w * h, &bg, &fg, palette);
-+    colors = tight_fill_palette(vs, x, y, w * h, &bg, &fg, color_count_palette);
- 
- #ifdef CONFIG_VNC_JPEG
-     if (allow_jpeg && vs->tight.quality != (uint8_t)-1) {
--        ret = send_sub_rect_jpeg(vs, x, y, w, h, bg, fg, colors, palette,
--                                 force_jpeg);
-+        ret = send_sub_rect_jpeg(vs, x, y, w, h, bg, fg, colors,
-+                                 color_count_palette, force_jpeg);
-     } else {
--        ret = send_sub_rect_nojpeg(vs, x, y, w, h, bg, fg, colors, palette);
-+        ret = send_sub_rect_nojpeg(vs, x, y, w, h, bg, fg, colors,
-+                                   color_count_palette);
-     }
- #else
--    ret = send_sub_rect_nojpeg(vs, x, y, w, h, bg, fg, colors, palette);
-+    ret = send_sub_rect_nojpeg(vs, x, y, w, h, bg, fg, colors,
-+                               color_count_palette);
- #endif
- 
-     return ret;

0067-dma-rc4030-limit-interval-timer-reload-value.patch

@@ -1,35 +0,0 @@
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Wed, 12 Oct 2016 18:07:41 +0530
-Subject: [PATCH] dma: rc4030: limit interval timer reload value
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The JAZZ RC4030 chipset emulator has a periodic timer and
-associated interval reload register. The reload value is used
-as divider when computing timer's next tick value. If reload
-value is large, it could lead to divide by zero error. Limit
-the interval reload value to avoid it.
-
-Reported-by: Huawei PSIRT <psirt@huawei.com>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Tested-by: Hervé Poussineau <hpoussin@reactos.org>
-Signed-off-by: Yongbok Kim <yongbok.kim@imgtec.com>
-(cherry picked from commit c0a3172fa6bbddcc73192f2a2c48d0bf3a7ba61c)
----
- hw/dma/rc4030.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/dma/rc4030.c b/hw/dma/rc4030.c
-index a06c235..1814ca6 100644
---- a/hw/dma/rc4030.c
-+++ b/hw/dma/rc4030.c
-@@ -459,7 +459,7 @@ static void rc4030_write(void *opaque, hwaddr addr, uint64_t data,
-         break;
-     /* Interval timer reload */
-     case 0x0228:
--        s->itr = val;
-+        s->itr = val & 0x01FF;
-         qemu_irq_lower(s->timer_irq);
-         set_next_tick(s);
-         break;

0068-serial-fix-memory-leak-in-serial-exit.patch

@@ -1,37 +0,0 @@
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Wed, 4 Jan 2017 00:43:16 -0800
-Subject: [PATCH] serial: fix memory leak in serial exit
-
-The serial_exit_core function doesn't free some resources.
-This can lead memory leak when hotplug and unplug. This
-patch avoid this.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-Message-Id: <586cb5ab.f31d9d0a.38ac3.acf2@mx.google.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit 8409dc884a201bf74b30a9d232b6bbdd00cb7e2b)
----
- hw/char/serial.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/hw/char/serial.c b/hw/char/serial.c
-index 3998131..ebf507b 100644
---- a/hw/char/serial.c
-+++ b/hw/char/serial.c
-@@ -869,6 +869,16 @@ void serial_realize_core(SerialState *s, Error **errp)
- void serial_exit_core(SerialState *s)
- {
-     qemu_chr_add_handlers(s->chr, NULL, NULL, NULL, NULL);
-+
-+    timer_del(s->modem_status_poll);
-+    timer_free(s->modem_status_poll);
-+
-+    timer_del(s->fifo_timeout_timer);
-+    timer_free(s->fifo_timeout_timer);
-+
-+    fifo8_destroy(&s->recv_fifo);
-+    fifo8_destroy(&s->xmit_fifo);
-+
-     qemu_unregister_reset(serial_reset, s);
- }
- 

50-kvm-s390x.conf

@@ -1,3 +0,0 @@
-# KVM S390 VM creation fails without this set
-# https://www.mail-archive.com/kvm@vger.kernel.org/msg115576.html
-vm.allocate_pgste = 1

80-kvm.rules

@@ -1 +0,0 @@
-KERNEL=="kvm", GROUP="kvm", MODE="0666"

ksm.service

@@ -1,14 +0,0 @@
-[Unit]
-Description=Kernel Samepage Merging
-ConditionPathExists=/sys/kernel/mm/ksm
-ConditionVirtualization=no
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-EnvironmentFile=-/etc/sysconfig/ksm
-ExecStart=/usr/libexec/ksmctl start
-ExecStop=/usr/libexec/ksmctl stop
-
-[Install]
-WantedBy=multi-user.target

ksm.sysconfig

@@ -1,4 +0,0 @@
-# The maximum number of unswappable kernel pages
-# which may be allocated by ksm (0 for unlimited)
-# If unset, defaults to half of total memory
-# KSM_MAX_KERNEL_PAGES=

ksmctl.c

@@ -1,77 +0,0 @@
-/* Start/stop KSM, for systemd.
- * Copyright (C) 2009, 2011 Red Hat, Inc.
- * Written by Paolo Bonzini <pbonzini@redhat.com>.
- * Based on the original sysvinit script by Dan Kenigsberg <danken@redhat.com>
- * This file is distributed under the GNU General Public License, version 2
- * or later.  */
-
-#include <unistd.h>
-#include <stdio.h>
-#include <limits.h>
-#include <stdint.h>
-#include <stdlib.h>
-#include <string.h>
-
-#define KSM_MAX_KERNEL_PAGES_FILE "/sys/kernel/mm/ksm/max_kernel_pages"
-#define KSM_RUN_FILE		  "/sys/kernel/mm/ksm/run"
-
-char *program_name;
-
-int usage(void)
-{
-	fprintf(stderr, "Usage: %s {start|stop}\n", program_name);
-	return 1;
-}
-
-int write_value(uint64_t value, char *filename)
-{
-	FILE *fp;
-	if (!(fp = fopen(filename, "w")) ||
-	    fprintf(fp, "%llu\n", (unsigned long long) value) == EOF ||
-	    fflush(fp) == EOF ||
-	    fclose(fp) == EOF)
-		return 1;
-
-	return 0;
-}
-
-uint64_t ksm_max_kernel_pages()
-{
-	char *var = getenv("KSM_MAX_KERNEL_PAGES");
-	char *endptr;
-	uint64_t value;
-	if (var && *var) {
-		value = strtoll(var, &endptr, 0);
-		if (value < LLONG_MAX && !*endptr)
-			return value;
-	}
-	/* Unless KSM_MAX_KERNEL_PAGES is set, let KSM munch up to half of
-	 * total memory.  */
-	return sysconf(_SC_PHYS_PAGES) / 2;
-}
-
-int start(void)
-{
-	if (access(KSM_MAX_KERNEL_PAGES_FILE, R_OK) >= 0)
-		write_value(ksm_max_kernel_pages(), KSM_MAX_KERNEL_PAGES_FILE);
-	return write_value(1, KSM_RUN_FILE);
-}
-
-int stop(void)
-{
-	return write_value(0, KSM_RUN_FILE);
-}
-
-int main(int argc, char **argv)
-{
-	program_name = argv[0];
-	if (argc < 2) {
-		return usage();
-	} else if (!strcmp(argv[1], "start")) {
-		return start();
-	} else if (!strcmp(argv[1], "stop")) {
-		return stop();
-	} else {
-		return usage();
-	}
-}

ksmtuned

@@ -1,139 +0,0 @@
-#!/bin/bash
-#
-# Copyright 2009 Red Hat, Inc. and/or its affiliates.
-# Released under the GPL
-#
-# Author:      Dan Kenigsberg <danken@redhat.com>
-#
-# ksmtuned - a simple script that controls whether (and with what vigor) ksm
-# should search for duplicated pages.
-#
-# starts ksm when memory commited to qemu processes exceeds a threshold, and
-# make ksm work harder and harder untill memory load falls below that
-# threshold.
-#
-# send SIGUSR1 to this process right after a new qemu process is started, or
-# following its death, to retune ksm accordingly
-#
-# needs testing and ironing. contact danken@redhat.com if something breaks.
-
-if [ -f /etc/ksmtuned.conf ]; then
-    . /etc/ksmtuned.conf
-fi
-
-debug() {
-    if [ -n "$DEBUG" ]; then
-        s="`/bin/date`: $*"
-        [ -n "$LOGFILE" ] && echo "$s" >> "$LOGFILE" || echo "$s"
-    fi
-}
-
-
-KSM_MONITOR_INTERVAL=${KSM_MONITOR_INTERVAL:-60}
-KSM_NPAGES_BOOST=${KSM_NPAGES_BOOST:-300}
-KSM_NPAGES_DECAY=${KSM_NPAGES_DECAY:--50}
-
-KSM_NPAGES_MIN=${KSM_NPAGES_MIN:-64}
-KSM_NPAGES_MAX=${KSM_NPAGES_MAX:-1250}
-# millisecond sleep between ksm scans for 16Gb server. Smaller servers sleep
-# more, bigger sleep less.
-KSM_SLEEP_MSEC=${KSM_SLEEP_MSEC:-10}
-
-KSM_THRES_COEF=${KSM_THRES_COEF:-20}
-KSM_THRES_CONST=${KSM_THRES_CONST:-2048}
-
-total=`awk '/^MemTotal:/ {print $2}' /proc/meminfo`
-debug total $total
-
-npages=0
-sleep=$[KSM_SLEEP_MSEC * 16 * 1024 * 1024 / total]
-[ $sleep -le 10 ] && sleep=10
-debug sleep $sleep
-thres=$[total * KSM_THRES_COEF / 100]
-if [ $KSM_THRES_CONST -gt $thres ]; then
-    thres=$KSM_THRES_CONST
-fi
-debug thres $thres
-
-KSMCTL () {
-    case x$1 in
-        xstop)
-            echo 0 > /sys/kernel/mm/ksm/run
-            ;;
-        xstart)
-            echo $2 > /sys/kernel/mm/ksm/pages_to_scan
-            echo $3 > /sys/kernel/mm/ksm/sleep_millisecs
-            echo 1 > /sys/kernel/mm/ksm/run
-            ;;
-    esac
-}
-
-committed_memory () {
-    # calculate how much memory is committed to running qemu processes
-    local pidlist
-    pidlist=$(pgrep -d ' ' -- '^qemu(-(kvm|system-.+)|:.{1,11})$')
-    if [ -n "$pidlist" ]; then
-        ps -p "$pidlist" -o rsz=
-    fi | awk '{ sum += $1 }; END { print 0+sum }'
-}
-
-free_memory () {
-    awk '/^(MemFree|Buffers|Cached):/ {free += $2}; END {print free}' \
-                /proc/meminfo
-}
-
-increase_npages() {
-    local delta
-    delta=${1:-0}
-    npages=$[npages + delta]
-    if [ $npages -lt $KSM_NPAGES_MIN ]; then
-        npages=$KSM_NPAGES_MIN
-    elif [ $npages -gt $KSM_NPAGES_MAX ]; then
-        npages=$KSM_NPAGES_MAX
-    fi
-    echo $npages
-}
-
-
-adjust () {
-    local free committed
-    free=`free_memory`
-    committed=`committed_memory`
-    debug committed $committed free $free
-    if [ $[committed + thres] -lt $total -a $free -gt $thres ]; then
-        KSMCTL stop
-        debug "$[committed + thres] < $total and free > $thres, stop ksm"
-        return 1
-    fi
-    debug "$[committed + thres] > $total, start ksm"
-    if [ $free -lt $thres ]; then
-        npages=`increase_npages $KSM_NPAGES_BOOST`
-        debug "$free < $thres, boost"
-    else
-        npages=`increase_npages $KSM_NPAGES_DECAY`
-        debug "$free > $thres, decay"
-    fi
-    KSMCTL start $npages $sleep
-    debug "KSMCTL start $npages $sleep"
-    return 0
-}
-
-function nothing () {
-    :
-}
-
-loop () {
-    trap nothing SIGUSR1
-    while true
-    do
-        sleep $KSM_MONITOR_INTERVAL &
-        wait $!
-        adjust
-    done
-}
-
-PIDFILE=${PIDFILE-/var/run/ksmtune.pid}
-if touch "$PIDFILE"; then
-  loop &
-  echo $! > "$PIDFILE"
-fi

ksmtuned.conf

@@ -1,21 +0,0 @@
-# Configuration file for ksmtuned.
-
-# How long ksmtuned should sleep between tuning adjustments
-# KSM_MONITOR_INTERVAL=60
-
-# Millisecond sleep between ksm scans for 16Gb server.
-# Smaller servers sleep more, bigger sleep less.
-# KSM_SLEEP_MSEC=10
-
-# KSM_NPAGES_BOOST=300
-# KSM_NPAGES_DECAY=-50
-# KSM_NPAGES_MIN=64
-# KSM_NPAGES_MAX=1250
-
-# KSM_THRES_COEF=20
-# KSM_THRES_CONST=2048
-
-# uncomment the following if you want ksmtuned debug info
-
-# LOGFILE=/var/log/ksmtuned
-# DEBUG=1

ksmtuned.service

@@ -1,13 +0,0 @@
-[Unit]
-Description=Kernel Samepage Merging (KSM) Tuning Daemon
-After=ksm.service
-Requires=ksm.service
-ConditionVirtualization=no
-
-[Service]
-ExecStart=/usr/sbin/ksmtuned
-ExecReload=/bin/kill -USR1 $MAINPID
-Type=forking
-
-[Install]
-WantedBy=multi-user.target

kvm.modules

@@ -1,18 +0,0 @@
-#!/bin/sh
-
-case $(uname -m) in
-    ppc64)
-        grep OPAL  /proc/cpuinfo >/dev/null 2>&1 && opal=1
-
-        modprobe -b kvm >/dev/null 2>&1
-        modprobe -b kvm-pr >/dev/null 2>&1 && kvm=1
-        if [ "$opal" ]; then
-            modprobe -b kvm-hv >/dev/null 2>&1
-        fi
-        ;;
-    s390x)
-        modprobe -b kvm >/dev/null 2>&1 && kvm=1
-        ;;
-esac
-
-exit 0

qemu-ga.sysconfig

@@ -0,0 +1,19 @@
+# This is a systemd environment file, not a shell script.
+# It provides settings for "/lib/systemd/system/qemu-guest-agent.service".
+
+# Comma-separated blacklist of RPCs to disable, or empty list to enable all.
+#
+# You can get the list of RPC commands using "qemu-ga --blacklist='?'".
+# There should be no spaces between commas and commands in the blacklist.
+#BLACKLIST_RPC=guest-file-open,guest-file-close,guest-file-read,guest-file-write,guest-file-seek,guest-file-flush,guest-exec,guest-exec-status
+
+# Fsfreeze hook script specification.
+#
+# FSFREEZE_HOOK_PATHNAME=/dev/null           : disables the feature.
+#
+# FSFREEZE_HOOK_PATHNAME=/path/to/executable : enables the feature with the
+# specified binary or shell script.
+#
+# FSFREEZE_HOOK_PATHNAME=                    : enables the feature with the
+# default value (invoke "qemu-ga --help" to interrogate).
+FSFREEZE_HOOK_PATHNAME=/etc/qemu-ga/fsfreeze-hook

qemu-guest-agent.service

@@ -1,11 +1,19 @@
 [Unit]
 Description=QEMU Guest Agent
-BindTo=dev-virtio\x2dports-org.qemu.guest_agent.0.device
+BindsTo=dev-virtio\x2dports-org.qemu.guest_agent.0.device
 After=dev-virtio\x2dports-org.qemu.guest_agent.0.device
+IgnoreOnIsolate=True
 
 [Service]
-ExecStart=-/usr/bin/qemu-ga
+UMask=0077
+EnvironmentFile=/etc/sysconfig/qemu-ga
+ExecStart=/usr/bin/qemu-ga \
+  --method=virtio-serial \
+  --path=/dev/virtio-ports/org.qemu.guest_agent.0 \
+  --blacklist=${BLACKLIST_RPC} \
+  -F${FSFREEZE_HOOK_PATHNAME}
 Restart=always
 RestartSec=0
 
 [Install]
+WantedBy=dev-virtio\x2dports-org.qemu.guest_agent.0.device

qemu.binfmt

@@ -1,22 +0,0 @@
-:qemu-alpha:M::\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x26\x90:\xff\xff\xff\xff\xff\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-alpha:
-:qemu-armeb:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x28:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-armeb:
-:qemu-arm:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x28\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-arm:
-:qemu-cris:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x4c\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-cris:
-:qemu-i386:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x03\x00:\xff\xff\xff\xff\xff\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-i386:
-:qemu-i486:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x06\x00:\xff\xff\xff\xff\xff\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-i386:
-:qemu-m68k:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x04:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-m68k:
-:qemu-microblazeel:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\xab\xba:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-microblazeel:
-:qemu-microblaze:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\xba\xab:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-microblaze:
-:qemu-mips64el:M::\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xfe\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-mips64el:
-:qemu-mips64:M::\x7fELF\x02\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08:\xff\xff\xff\xff\xff\xff\xff\x00\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-mips64:
-:qemu-mipsel:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xfe\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-mipsel:
-:qemu-mips:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08:\xff\xff\xff\xff\xff\xff\xff\x00\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-mips:
-:qemu-ppc64abi32:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x15:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-ppc64abi32:
-:qemu-ppc64:M::\x7fELF\x02\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x15:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-ppc64:
-:qemu-ppc:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x14:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-ppc:
-:qemu-s390x:M::\x7fELF\x02\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x16:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-s390x:
-:qemu-sh4eb:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x2a:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-sh4eb:
-:qemu-sh4:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x2a\x00:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-sh4:
-:qemu-sparc32plus:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x12:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-sparc32plus:
-:qemu-sparc64:M::\x7fELF\x02\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x2b:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-sparc64:
-:qemu-sparc:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x02:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-sparc:

sources

@@ -1 +1 @@
-bdf1f3d0c177ebeb35a079a4bc3fc74e  qemu-2.6.2.tar.bz2
+SHA512 (qemu-5.2.0-rc4.tar.xz) = 47e918392609c34f904962e5759125485407ae52c273053729054300e10fc67fc7ed443c9af25d1d852a5f5c70eee125c703ce15d0e571068848f405de33db3b