CVE-2016-4002: net: buffer overflow in MIPSnet (bz #1326083)

CVE-2016-4952 scsi: pvscsi: out-of-bounds access issue
CVE-2016-5106: scsi: megasas: out-of-bounds write (bz #1339581)
CVE-2016-5105: scsi: megasas: stack information leakage (bz #1339585)
CVE-2016-5107: scsi: megasas: out-of-bounds read (bz #1339573)
CVE-2016-4454: display: vmsvga: out-of-bounds read (bz #1340740)
CVE-2016-4453: display: vmsvga: infinite loop (bz #1340744)
CVE-2016-5238: scsi: esp: OOB write (bz #1341932)
CVE-2016-5338: scsi: esp: OOB r/w access (bz #1343325)
CVE-2016-5337: scsi: megasas: information leakage (bz #1343910)

0001-slirp-use-less-predictable-directory-name-in-tmp-for.patch

@@ -0,0 +1,50 @@
+From: Michael Tokarev <mjt@tls.msk.ru>
+Date: Thu, 28 May 2015 14:12:26 +0300
+Subject: [PATCH] slirp: use less predictable directory name in /tmp for smb
+ config (CVE-2015-4037)
+
+In this version I used mkdtemp(3) which is:
+
+        _BSD_SOURCE
+        || /* Since glibc 2.10: */
+            (_POSIX_C_SOURCE >= 200809L || _XOPEN_SOURCE >= 700)
+
+(POSIX.1-2008), so should be available on systems we care about.
+
+While at it, reset the resulting directory name within smb structure
+on error so cleanup function wont try to remove directory which we
+failed to create.
+
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+Reviewed-by: Markus Armbruster <armbru@redhat.com>
+(cherry picked from commit 8b8f1c7e9ddb2e88a144638f6527bf70e32343e3)
+---
+ net/slirp.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/net/slirp.c b/net/slirp.c
+index 9bbed74..3090c10 100644
+--- a/net/slirp.c
++++ b/net/slirp.c
+@@ -481,7 +481,6 @@ static void slirp_smb_cleanup(SlirpState *s)
+ static int slirp_smb(SlirpState* s, const char *exported_dir,
+                      struct in_addr vserver_addr)
+ {
+-    static int instance;
+     char smb_conf[128];
+     char smb_cmdline[128];
+     struct passwd *passwd;
+@@ -505,10 +504,10 @@ static int slirp_smb(SlirpState* s, const char *exported_dir,
+         return -1;
+     }
+ 
+-    snprintf(s->smb_dir, sizeof(s->smb_dir), "/tmp/qemu-smb.%ld-%d",
+-             (long)getpid(), instance++);
+-    if (mkdir(s->smb_dir, 0700) < 0) {
++    snprintf(s->smb_dir, sizeof(s->smb_dir), "/tmp/qemu-smb.XXXXXX");
++    if (!mkdtemp(s->smb_dir)) {
+         error_report("could not create samba server dir '%s'", s->smb_dir);
++        s->smb_dir[0] = 0;
+         return -1;
+     }
+     snprintf(smb_conf, sizeof(smb_conf), "%s/%s", s->smb_dir, "smb.conf");

0002-qcow2-Handle-EAGAIN-returned-from-update_refcount.patch

@@ -0,0 +1,54 @@
+From: =?UTF-8?q?Jind=C5=99ich=20Makovi=C4=8Dka?= <makovick@gmail.com>
+Date: Wed, 24 Jun 2015 07:05:25 +0200
+Subject: [PATCH] qcow2: Handle EAGAIN returned from update_refcount
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes a crash during image compression
+
+Signed-off-by: Jindřich Makovička <makovick@gmail.com>
+Tested-by: Richard W.M. Jones <rjones@redhat.com>
+Reviewed-by: Max Reitz <mreitz@redhat.com>
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+(cherry picked from commit 3e5feb6202149e8a963a33b911216e40d790f1d7)
+---
+ block/qcow2-refcount.c | 22 ++++++++++++----------
+ 1 file changed, 12 insertions(+), 10 deletions(-)
+
+diff --git a/block/qcow2-refcount.c b/block/qcow2-refcount.c
+index 63c0085..d4f3351 100644
+--- a/block/qcow2-refcount.c
++++ b/block/qcow2-refcount.c
+@@ -954,19 +954,21 @@ int64_t qcow2_alloc_bytes(BlockDriverState *bs, int size)
+     }
+ 
+     free_in_cluster = s->cluster_size - offset_into_cluster(s, offset);
+-    if (!offset || free_in_cluster < size) {
+-        int64_t new_cluster = alloc_clusters_noref(bs, s->cluster_size);
+-        if (new_cluster < 0) {
+-            return new_cluster;
+-        }
++    do {
++        if (!offset || free_in_cluster < size) {
++            int64_t new_cluster = alloc_clusters_noref(bs, s->cluster_size);
++            if (new_cluster < 0) {
++                return new_cluster;
++            }
+ 
+-        if (!offset || ROUND_UP(offset, s->cluster_size) != new_cluster) {
+-            offset = new_cluster;
++            if (!offset || ROUND_UP(offset, s->cluster_size) != new_cluster) {
++                offset = new_cluster;
++            }
+         }
+-    }
+ 
+-    assert(offset);
+-    ret = update_refcount(bs, offset, size, 1, false, QCOW2_DISCARD_NEVER);
++        assert(offset);
++        ret = update_refcount(bs, offset, size, 1, false, QCOW2_DISCARD_NEVER);
++    } while (ret == -EAGAIN);
+     if (ret < 0) {
+         return ret;
+     }

0003-raw-posix-Fix-.bdrv_co_get_block_status-for-unaligne.patch

@@ -0,0 +1,41 @@
+From: Kevin Wolf <kwolf@redhat.com>
+Date: Tue, 9 Jun 2015 10:45:16 +0200
+Subject: [PATCH] raw-posix: Fix .bdrv_co_get_block_status() for unaligned
+ image size
+
+Image files with an unaligned image size have a final hole that starts
+at EOF, i.e. in the middle of a sector. Currently, *pnum == 0 is
+returned when checking the status of this sector. In qemu-img, this
+triggers an assertion failure.
+
+In order to fix this, one type for the sector that contains EOF must be
+found. Treating a hole as data is safe, so this patch rounds the
+calculated number of data sectors up, so that a partial sector at EOF is
+treated as a full data sector.
+
+This fixes https://bugzilla.redhat.com/show_bug.cgi?id=1229394
+
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+Reviewed-by: Eric Blake <eblake@redhat.com>
+Tested-by: Cole Robinson <crobinso@redhat.com>
+(cherry picked from commit b8684454e152ca2e100f4b59d80de2be27186206)
+---
+ block/raw-posix.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/block/raw-posix.c b/block/raw-posix.c
+index 24d8582..88f0462 100644
+--- a/block/raw-posix.c
++++ b/block/raw-posix.c
+@@ -1846,8 +1846,9 @@ static int64_t coroutine_fn raw_co_get_block_status(BlockDriverState *bs,
+         *pnum = nb_sectors;
+         ret = BDRV_BLOCK_DATA;
+     } else if (data == start) {
+-        /* On a data extent, compute sectors to the end of the extent.  */
+-        *pnum = MIN(nb_sectors, (hole - start) / BDRV_SECTOR_SIZE);
++        /* On a data extent, compute sectors to the end of the extent,
++         * possibly including a partial sector at EOF. */
++        *pnum = MIN(nb_sectors, DIV_ROUND_UP(hole - start, BDRV_SECTOR_SIZE));
+         ret = BDRV_BLOCK_DATA;
+     } else {
+         /* On a hole, compute sectors to the beginning of the next extent.  */

0004-pcnet-force-the-buffer-access-to-be-in-bounds-during.patch

@@ -0,0 +1,46 @@
+From: Petr Matousek <pmatouse@redhat.com>
+Date: Sun, 24 May 2015 10:53:44 +0200
+Subject: [PATCH] pcnet: force the buffer access to be in bounds during tx
+
+4096 is the maximum length per TMD and it is also currently the size of
+the relay buffer pcnet driver uses for sending the packet data to QEMU
+for further processing. With packet spanning multiple TMDs it can
+happen that the overall packet size will be bigger than sizeof(buffer),
+which results in memory corruption.
+
+Fix this by only allowing to queue maximum sizeof(buffer) bytes.
+
+This is CVE-2015-3209.
+
+[Fixed 3-space indentation to QEMU's 4-space coding standard.
+--Stefan]
+
+Signed-off-by: Petr Matousek <pmatouse@redhat.com>
+Reported-by: Matt Tait <matttait@google.com>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+(cherry picked from commit 9f7c594c006289ad41169b854d70f5da6e400a2a)
+---
+ hw/net/pcnet.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
+index bdfd38f..68b9981 100644
+--- a/hw/net/pcnet.c
++++ b/hw/net/pcnet.c
+@@ -1241,6 +1241,14 @@ static void pcnet_transmit(PCNetState *s)
+         }
+ 
+         bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
++
++        /* if multi-tmd packet outsizes s->buffer then skip it silently.
++           Note: this is not what real hw does */
++        if (s->xmit_pos + bcnt > sizeof(s->buffer)) {
++            s->xmit_pos = -1;
++            goto txdone;
++        }
++
+         s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr),
+                          s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s));
+         s->xmit_pos += bcnt;

0005-virtio-serial-fix-ANY_LAYOUT.patch

@@ -0,0 +1,29 @@
+From: "Michael S. Tsirkin" <mst@redhat.com>
+Date: Thu, 23 Jul 2015 17:52:02 +0300
+Subject: [PATCH] virtio-serial: fix ANY_LAYOUT
+
+Don't assume a specific layout for control messages.
+Required by virtio 1.
+
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Reviewed-by: Amit Shah <amit.shah@redhat.com>
+Reviewed-by: Jason Wang <jasowang@redhat.com>
+(cherry picked from commit 7882080388be5088e72c425b02223c02e6cb4295)
+---
+ hw/char/virtio-serial-bus.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/hw/char/virtio-serial-bus.c b/hw/char/virtio-serial-bus.c
+index e336bdb..2565521 100644
+--- a/hw/char/virtio-serial-bus.c
++++ b/hw/char/virtio-serial-bus.c
+@@ -194,7 +194,8 @@ static size_t send_control_msg(VirtIOSerial *vser, void *buf, size_t len)
+         return 0;
+     }
+ 
+-    memcpy(elem.in_sg[0].iov_base, buf, len);
++    /* TODO: detect a buffer that's too short, set NEEDS_RESET */
++    iov_from_buf(elem.in_sg, elem.in_num, 0, buf, len);
+ 
+     virtqueue_push(vq, &elem, len);
+     virtio_notify(VIRTIO_DEVICE(vser), vq);

0006-vnc-fix-memory-corruption-CVE-2015-5225.patch

@@ -0,0 +1,79 @@
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 17 Aug 2015 19:56:53 +0200
+Subject: [PATCH] vnc: fix memory corruption (CVE-2015-5225)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The _cmp_bytes variable added by commit "bea60dd ui/vnc: fix potential
+memory corruption issues" can become negative.  Result is (possibly
+exploitable) memory corruption.  Reason for that is it uses the stride
+instead of bytes per scanline to apply limits.
+
+For the server surface is is actually fine.  vnc creates that itself,
+there is never any padding and thus scanline length always equals stride.
+
+For the guest surface scanline length and stride are typically identical
+too, but it doesn't has to be that way.  So add and use a new variable
+(guest_ll) for the guest scanline length.  Also rename min_stride to
+line_bytes to make more clear what it actually is.  Finally sprinkle
+in an assert() to make sure we never use a negative _cmp_bytes again.
+
+Reported-by: 范祚至(库特) <zuozhi.fzz@alibaba-inc.com>
+Reviewed-by: P J P <ppandit@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit eb8934b0418b3b1d125edddc4fc334a54334a49b)
+---
+ ui/vnc.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/ui/vnc.c b/ui/vnc.c
+index f989dfb..472c30e 100644
+--- a/ui/vnc.c
++++ b/ui/vnc.c
+@@ -2863,7 +2863,7 @@ static int vnc_refresh_server_surface(VncDisplay *vd)
+                     pixman_image_get_width(vd->server));
+     int height = MIN(pixman_image_get_height(vd->guest.fb),
+                      pixman_image_get_height(vd->server));
+-    int cmp_bytes, server_stride, min_stride, guest_stride, y = 0;
++    int cmp_bytes, server_stride, line_bytes, guest_ll, guest_stride, y = 0;
+     uint8_t *guest_row0 = NULL, *server_row0;
+     VncState *vs;
+     int has_dirty = 0;
+@@ -2882,17 +2882,21 @@ static int vnc_refresh_server_surface(VncDisplay *vd)
+      * Update server dirty map.
+      */
+     server_row0 = (uint8_t *)pixman_image_get_data(vd->server);
+-    server_stride = guest_stride = pixman_image_get_stride(vd->server);
++    server_stride = guest_stride = guest_ll =
++        pixman_image_get_stride(vd->server);
+     cmp_bytes = MIN(VNC_DIRTY_PIXELS_PER_BIT * VNC_SERVER_FB_BYTES,
+                     server_stride);
+     if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
+         int width = pixman_image_get_width(vd->server);
+         tmpbuf = qemu_pixman_linebuf_create(VNC_SERVER_FB_FORMAT, width);
+     } else {
++        int guest_bpp =
++            PIXMAN_FORMAT_BPP(pixman_image_get_format(vd->guest.fb));
+         guest_row0 = (uint8_t *)pixman_image_get_data(vd->guest.fb);
+         guest_stride = pixman_image_get_stride(vd->guest.fb);
++        guest_ll = pixman_image_get_width(vd->guest.fb) * ((guest_bpp + 7) / 8);
+     }
+-    min_stride = MIN(server_stride, guest_stride);
++    line_bytes = MIN(server_stride, guest_ll);
+ 
+     for (;;) {
+         int x;
+@@ -2923,9 +2927,10 @@ static int vnc_refresh_server_surface(VncDisplay *vd)
+             if (!test_and_clear_bit(x, vd->guest.dirty[y])) {
+                 continue;
+             }
+-            if ((x + 1) * cmp_bytes > min_stride) {
+-                _cmp_bytes = min_stride - x * cmp_bytes;
++            if ((x + 1) * cmp_bytes > line_bytes) {
++                _cmp_bytes = line_bytes - x * cmp_bytes;
+             }
++            assert(_cmp_bytes >= 0);
+             if (memcmp(server_ptr, guest_ptr, _cmp_bytes) == 0) {
+                 continue;
+             }

0007-Fix-typo-causing-qemu-img-to-link-against-entire-wor.patch

@@ -0,0 +1,30 @@
+From: Cole Robinson <crobinso@redhat.com>
+Date: Tue, 8 Sep 2015 12:43:59 -0400
+Subject: [PATCH] Fix typo causing qemu-img to link against entire world (rhbz
+ #1260996)
+
+This is a minimal fix that's not upstream in this form. Upstream was
+accidentally fixed with:
+
+commit 488981a4af396551a3178d032cc2b41d9553ada2
+Author: Daniel P. Berrange <berrange@redhat.com>
+Date:   Wed Jul 1 18:10:35 2015 +0100
+
+    block: convert quorum blockdrv to use crypto APIs
+---
+ configure | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/configure b/configure
+index 6969f6f..adbe117 100755
+--- a/configure
++++ b/configure
+@@ -2323,7 +2323,7 @@ quorum_tls_libs=`$pkg_config --libs gnutls 2> /dev/null`
+ if compile_prog "$quorum_tls_cflags" "$quorum_tls_libs" ; then
+   qcow_tls=yes
+   libs_softmmu="$quorum_tls_libs $libs_softmmu"
+-  libs_tools="$quorum_tls_libs $libs_softmmu"
++  libs_tools="$quorum_tls_libs $libs_tools"
+   QEMU_CFLAGS="$QEMU_CFLAGS $quorum_tls_cflags"
+   quorum="yes"
+ else

0008-e1000-Avoid-infinite-loop-in-processing-transmit-des.patch

@@ -0,0 +1,35 @@
+From: P J P <pjp@fedoraproject.org>
+Date: Fri, 4 Sep 2015 17:21:06 +0100
+Subject: [PATCH] e1000: Avoid infinite loop in processing transmit descriptor
+ (CVE-2015-6815)
+
+While processing transmit descriptors, it could lead to an infinite
+loop if 'bytes' was to become zero; Add a check to avoid it.
+
+[The guest can force 'bytes' to 0 by setting the hdr_len and mss
+descriptor fields to 0.
+--Stefan]
+
+Signed-off-by: P J P <pjp@fedoraproject.org>
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+Reviewed-by: Thomas Huth <thuth@redhat.com>
+Message-id: 1441383666-6590-1-git-send-email-stefanha@redhat.com
+(cherry picked from commit b947ac2bf26479e710489739c465c8af336599e7)
+---
+ hw/net/e1000.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/hw/net/e1000.c b/hw/net/e1000.c
+index 091d61a..f02b9ce 100644
+--- a/hw/net/e1000.c
++++ b/hw/net/e1000.c
+@@ -737,7 +737,8 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
+                 memmove(tp->data, tp->header, tp->hdr_len);
+                 tp->size = tp->hdr_len;
+             }
+-        } while (split_size -= bytes);
++            split_size -= bytes;
++        } while (bytes && split_size);
+     } else if (!tp->tse && tp->cptse) {
+         // context descriptor TSE is not set, while data descriptor TSE is set
+         DBGOUT(TXERR, "TCP segmentation error\n");

0009-ide-fix-ATAPI-command-permissions.patch

@@ -0,0 +1,141 @@
+From: John Snow <jsnow@redhat.com>
+Date: Thu, 17 Sep 2015 14:17:05 -0400
+Subject: [PATCH] ide: fix ATAPI command permissions
+
+We're a little too lenient with what we'll let an ATAPI drive handle.
+Clamp down on the IDE command execution table to remove CD_OK permissions
+from commands that are not and have never been ATAPI commands.
+
+For ATAPI command validity, please see:
+- ATA4 Section 6.5 ("PACKET Command feature set")
+- ATA8/ACS Section 4.3 ("The PACKET feature set")
+- ACS3 Section 4.3 ("The PACKET feature set")
+
+ACS3 has a historical command validity table in Table B.4
+("Historical Command Assignments") that can be referenced to find when
+a command was introduced, deprecated, obsoleted, etc.
+
+The only reference for ATAPI command validity is by checking that
+version's PACKET feature set section.
+
+ATAPI was introduced by T13 into ATA4, all commands retired prior to ATA4
+therefore are assumed to have never been ATAPI commands.
+
+Mandatory commands, as listed in ATA8-ACS3, are:
+
+- DEVICE RESET
+- EXECUTE DEVICE DIAGNOSTIC
+- IDENTIFY DEVICE
+- IDENTIFY PACKET DEVICE
+- NOP
+- PACKET
+- READ SECTOR(S)
+- SET FEATURES
+
+Optional commands as listed in ATA8-ACS3, are:
+
+- FLUSH CACHE
+- READ LOG DMA EXT
+- READ LOG EXT
+- WRITE LOG DMA EXT
+- WRITE LOG EXT
+
+All other commands are illegal to send to an ATAPI device and should
+be rejected by the device.
+
+CD_OK removal justifications:
+
+0x06 WIN_DSM              Defined in ACS2. Not valid for ATAPI.
+0x21 WIN_READ_ONCE        Retired in ATA5. Not ATAPI in ATA4.
+0x94 WIN_STANDBYNOW2      Retired in ATA4. Did not coexist with ATAPI.
+0x95 WIN_IDLEIMMEDIATE2   Retired in ATA4. Did not coexist with ATAPI.
+0x96 WIN_STANDBY2         Retired in ATA4. Did not coexist with ATAPI.
+0x97 WIN_SETIDLE2         Retired in ATA4. Did not coexist with ATAPI.
+0x98 WIN_CHECKPOWERMODE2  Retired in ATA4. Did not coexist with ATAPI.
+0x99 WIN_SLEEPNOW2        Retired in ATA4. Did not coexist with ATAPI.
+0xE0 WIN_STANDBYNOW1      Not part of ATAPI in ATA4, ACS or ACS3.
+0xE1 WIN_IDLEIMMDIATE     Not part of ATAPI in ATA4, ACS or ACS3.
+0xE2 WIN_STANDBY          Not part of ATAPI in ATA4, ACS or ACS3.
+0xE3 WIN_SETIDLE1         Not part of ATAPI in ATA4, ACS or ACS3.
+0xE4 WIN_CHECKPOWERMODE1  Not part of ATAPI in ATA4, ACS or ACS3.
+0xE5 WIN_SLEEPNOW1        Not part of ATAPI in ATA4, ACS or ACS3.
+0xF8 WIN_READ_NATIVE_MAX  Obsoleted in ACS3. Not ATAPI in ATA4 or ACS.
+
+This patch fixes a divide by zero fault that can be caused by sending
+the WIN_READ_NATIVE_MAX command to an ATAPI drive, which causes it to
+attempt to use zeroed CHS values to perform sector arithmetic.
+
+Reported-by: Qinghao Tang <luodalongde@gmail.com>
+Signed-off-by: John Snow <jsnow@redhat.com>
+Reviewed-by: Markus Armbruster <armbru@redhat.com>
+Message-id: 1441816082-21031-1-git-send-email-jsnow@redhat.com
+CC: qemu-stable@nongnu.org
+(cherry picked from commit d9033e1d3aa666c5071580617a57bd853c5d794a)
+---
+ hw/ide/core.c | 30 +++++++++++++++---------------
+ 1 file changed, 15 insertions(+), 15 deletions(-)
+
+diff --git a/hw/ide/core.c b/hw/ide/core.c
+index 822519b..90e103f 100644
+--- a/hw/ide/core.c
++++ b/hw/ide/core.c
+@@ -1747,11 +1747,11 @@ static const struct {
+ } ide_cmd_table[0x100] = {
+     /* NOP not implemented, mandatory for CD */
+     [CFA_REQ_EXT_ERROR_CODE]      = { cmd_cfa_req_ext_error_code, CFA_OK },
+-    [WIN_DSM]                     = { cmd_data_set_management, ALL_OK },
++    [WIN_DSM]                     = { cmd_data_set_management, HD_CFA_OK },
+     [WIN_DEVICE_RESET]            = { cmd_device_reset, CD_OK },
+     [WIN_RECAL]                   = { cmd_nop, HD_CFA_OK | SET_DSC},
+     [WIN_READ]                    = { cmd_read_pio, ALL_OK },
+-    [WIN_READ_ONCE]               = { cmd_read_pio, ALL_OK },
++    [WIN_READ_ONCE]               = { cmd_read_pio, HD_CFA_OK },
+     [WIN_READ_EXT]                = { cmd_read_pio, HD_CFA_OK },
+     [WIN_READDMA_EXT]             = { cmd_read_dma, HD_CFA_OK },
+     [WIN_READ_NATIVE_MAX_EXT]     = { cmd_read_native_max, HD_CFA_OK | SET_DSC },
+@@ -1770,12 +1770,12 @@ static const struct {
+     [CFA_TRANSLATE_SECTOR]        = { cmd_cfa_translate_sector, CFA_OK },
+     [WIN_DIAGNOSE]                = { cmd_exec_dev_diagnostic, ALL_OK },
+     [WIN_SPECIFY]                 = { cmd_nop, HD_CFA_OK | SET_DSC },
+-    [WIN_STANDBYNOW2]             = { cmd_nop, ALL_OK },
+-    [WIN_IDLEIMMEDIATE2]          = { cmd_nop, ALL_OK },
+-    [WIN_STANDBY2]                = { cmd_nop, ALL_OK },
+-    [WIN_SETIDLE2]                = { cmd_nop, ALL_OK },
+-    [WIN_CHECKPOWERMODE2]         = { cmd_check_power_mode, ALL_OK | SET_DSC },
+-    [WIN_SLEEPNOW2]               = { cmd_nop, ALL_OK },
++    [WIN_STANDBYNOW2]             = { cmd_nop, HD_CFA_OK },
++    [WIN_IDLEIMMEDIATE2]          = { cmd_nop, HD_CFA_OK },
++    [WIN_STANDBY2]                = { cmd_nop, HD_CFA_OK },
++    [WIN_SETIDLE2]                = { cmd_nop, HD_CFA_OK },
++    [WIN_CHECKPOWERMODE2]         = { cmd_check_power_mode, HD_CFA_OK | SET_DSC },
++    [WIN_SLEEPNOW2]               = { cmd_nop, HD_CFA_OK },
+     [WIN_PACKETCMD]               = { cmd_packet, CD_OK },
+     [WIN_PIDENTIFY]               = { cmd_identify_packet, CD_OK },
+     [WIN_SMART]                   = { cmd_smart, HD_CFA_OK | SET_DSC },
+@@ -1789,19 +1789,19 @@ static const struct {
+     [WIN_WRITEDMA]                = { cmd_write_dma, HD_CFA_OK },
+     [WIN_WRITEDMA_ONCE]           = { cmd_write_dma, HD_CFA_OK },
+     [CFA_WRITE_MULTI_WO_ERASE]    = { cmd_write_multiple, CFA_OK },
+-    [WIN_STANDBYNOW1]             = { cmd_nop, ALL_OK },
+-    [WIN_IDLEIMMEDIATE]           = { cmd_nop, ALL_OK },
+-    [WIN_STANDBY]                 = { cmd_nop, ALL_OK },
+-    [WIN_SETIDLE1]                = { cmd_nop, ALL_OK },
+-    [WIN_CHECKPOWERMODE1]         = { cmd_check_power_mode, ALL_OK | SET_DSC },
+-    [WIN_SLEEPNOW1]               = { cmd_nop, ALL_OK },
++    [WIN_STANDBYNOW1]             = { cmd_nop, HD_CFA_OK },
++    [WIN_IDLEIMMEDIATE]           = { cmd_nop, HD_CFA_OK },
++    [WIN_STANDBY]                 = { cmd_nop, HD_CFA_OK },
++    [WIN_SETIDLE1]                = { cmd_nop, HD_CFA_OK },
++    [WIN_CHECKPOWERMODE1]         = { cmd_check_power_mode, HD_CFA_OK | SET_DSC },
++    [WIN_SLEEPNOW1]               = { cmd_nop, HD_CFA_OK },
+     [WIN_FLUSH_CACHE]             = { cmd_flush_cache, ALL_OK },
+     [WIN_FLUSH_CACHE_EXT]         = { cmd_flush_cache, HD_CFA_OK },
+     [WIN_IDENTIFY]                = { cmd_identify, ALL_OK },
+     [WIN_SETFEATURES]             = { cmd_set_features, ALL_OK | SET_DSC },
+     [IBM_SENSE_CONDITION]         = { cmd_ibm_sense_condition, CFA_OK | SET_DSC },
+     [CFA_WEAR_LEVEL]              = { cmd_cfa_erase_sectors, HD_CFA_OK | SET_DSC },
+-    [WIN_READ_NATIVE_MAX]         = { cmd_read_native_max, ALL_OK | SET_DSC },
++    [WIN_READ_NATIVE_MAX]         = { cmd_read_native_max, HD_CFA_OK | SET_DSC },
+ };
+ 
+ static bool ide_cmd_permitted(IDEState *s, uint32_t cmd)

0010-net-avoid-infinite-loop-when-receiving-packets-CVE-2.patch

@@ -0,0 +1,32 @@
+From: P J P <pjp@fedoraproject.org>
+Date: Tue, 15 Sep 2015 16:46:59 +0530
+Subject: [PATCH] net: avoid infinite loop when receiving
+ packets(CVE-2015-5278)
+
+Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
+bytes to process network packets. While receiving packets
+via ne2000_receive() routine, a local 'index' variable
+could exceed the ring buffer size, leading to an infinite
+loop situation.
+
+Reported-by: Qinghao Tang <luodalongde@gmail.com>
+Signed-off-by: P J P <pjp@fedoraproject.org>
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+(cherry picked from commit 737d2b3c41d59eb8f94ab7eb419b957938f24943)
+---
+ hw/net/ne2000.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
+index 3492db3..44a4264 100644
+--- a/hw/net/ne2000.c
++++ b/hw/net/ne2000.c
+@@ -253,7 +253,7 @@ ssize_t ne2000_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
+         if (index <= s->stop)
+             avail = s->stop - index;
+         else
+-            avail = 0;
++            break;
+         len = size;
+         if (len > avail)
+             len = avail;

0011-net-add-checks-to-validate-ring-buffer-pointers-CVE-.patch

@@ -0,0 +1,67 @@
+From: P J P <pjp@fedoraproject.org>
+Date: Tue, 15 Sep 2015 16:40:49 +0530
+Subject: [PATCH] net: add checks to validate ring buffer
+ pointers(CVE-2015-5279)
+
+Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
+bytes to process network packets. While receiving packets
+via ne2000_receive() routine, a local 'index' variable
+could exceed the ring buffer size, which could lead to a
+memory buffer overflow. Added other checks at initialisation.
+
+Reported-by: Qinghao Tang <luodalongde@gmail.com>
+Signed-off-by: P J P <pjp@fedoraproject.org>
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+(cherry picked from commit 9bbdbc66e5765068dce76e9269dce4547afd8ad4)
+---
+ hw/net/ne2000.c | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
+index 44a4264..2bdb4c9 100644
+--- a/hw/net/ne2000.c
++++ b/hw/net/ne2000.c
+@@ -230,6 +230,9 @@ ssize_t ne2000_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
+     }
+ 
+     index = s->curpag << 8;
++    if (index >= NE2000_PMEM_END) {
++        index = s->start;
++    }
+     /* 4 bytes for header */
+     total_len = size + 4;
+     /* address for next packet (4 bytes for CRC) */
+@@ -315,13 +318,19 @@ static void ne2000_ioport_write(void *opaque, uint32_t addr, uint32_t val)
+         offset = addr | (page << 4);
+         switch(offset) {
+         case EN0_STARTPG:
+-            s->start = val << 8;
++            if (val << 8 <= NE2000_PMEM_END) {
++                s->start = val << 8;
++            }
+             break;
+         case EN0_STOPPG:
+-            s->stop = val << 8;
++            if (val << 8 <= NE2000_PMEM_END) {
++                s->stop = val << 8;
++            }
+             break;
+         case EN0_BOUNDARY:
+-            s->boundary = val;
++            if (val << 8 < NE2000_PMEM_END) {
++                s->boundary = val;
++            }
+             break;
+         case EN0_IMR:
+             s->imr = val;
+@@ -362,7 +371,9 @@ static void ne2000_ioport_write(void *opaque, uint32_t addr, uint32_t val)
+             s->phys[offset - EN1_PHYS] = val;
+             break;
+         case EN1_CURPAG:
+-            s->curpag = val;
++            if (val << 8 < NE2000_PMEM_END) {
++                s->curpag = val;
++            }
+             break;
+         case EN1_MULT ... EN1_MULT + 7:
+             s->mult[offset - EN1_MULT] = val;

0012-block-mirror-limit-qiov-to-IOV_MAX-elements.patch

@@ -0,0 +1,60 @@
+From: Stefan Hajnoczi <stefanha@redhat.com>
+Date: Wed, 1 Jul 2015 15:45:50 +0100
+Subject: [PATCH] block/mirror: limit qiov to IOV_MAX elements
+
+If mirror has more free buffers than IOV_MAX, preadv(2)/pwritev(2)
+EINVAL failures may be encountered.
+
+It is possible to trigger this by setting granularity to a low value
+like 8192.
+
+This patch stops appending chunks once IOV_MAX is reached.
+
+The spurious EINVAL failure can be reproduced with a qcow2 image file
+and the following QMP invocation:
+
+  qmp.command('drive-mirror', device='virtio0', target='/tmp/r7.s1',
+              granularity=8192, sync='full', mode='absolute-paths',
+              format='raw')
+
+While the guest is running dd if=/dev/zero of=/var/tmp/foo oflag=direct
+bs=4k.
+
+Cc: Jeff Cody <jcody@redhat.com>
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
+Message-id: 1435761950-26714-1-git-send-email-stefanha@redhat.com
+Signed-off-by: Jeff Cody <jcody@redhat.com>
+(cherry picked from commit cae98cb87d269c33d23b2bccd79bb8d99a60d811)
+---
+ block/mirror.c | 4 ++++
+ trace-events   | 1 +
+ 2 files changed, 5 insertions(+)
+
+diff --git a/block/mirror.c b/block/mirror.c
+index bd079a4..9407287 100644
+--- a/block/mirror.c
++++ b/block/mirror.c
+@@ -248,6 +248,10 @@ static uint64_t coroutine_fn mirror_iteration(MirrorBlockJob *s)
+             trace_mirror_break_buf_busy(s, nb_chunks, s->in_flight);
+             break;
+         }
++        if (IOV_MAX < nb_chunks + added_chunks) {
++            trace_mirror_break_iov_max(s, nb_chunks, added_chunks);
++            break;
++        }
+ 
+         /* We have enough free space to copy these sectors.  */
+         bitmap_set(s->in_flight_bitmap, next_chunk, added_chunks);
+diff --git a/trace-events b/trace-events
+index 30eba92..6f992c4 100644
+--- a/trace-events
++++ b/trace-events
+@@ -94,6 +94,7 @@ mirror_yield(void *s, int64_t cnt, int buf_free_count, int in_flight) "s %p dirt
+ mirror_yield_in_flight(void *s, int64_t sector_num, int in_flight) "s %p sector_num %"PRId64" in_flight %d"
+ mirror_yield_buf_busy(void *s, int nb_chunks, int in_flight) "s %p requested chunks %d in_flight %d"
+ mirror_break_buf_busy(void *s, int nb_chunks, int in_flight) "s %p requested chunks %d in_flight %d"
++mirror_break_iov_max(void *s, int nb_chunks, int added_chunks) "s %p requested chunks %d added_chunks %d"
+ 
+ # block/backup.c
+ backup_do_cow_enter(void *job, int64_t start, int64_t sector_num, int nb_sectors) "job %p start %"PRId64" sector_num %"PRId64" nb_sectors %d"

0013-block-mirror-Sleep-periodically-during-bitmap-scanni.patch

@@ -0,0 +1,57 @@
+From: Fam Zheng <famz@redhat.com>
+Date: Wed, 13 May 2015 11:11:13 +0800
+Subject: [PATCH] block/mirror: Sleep periodically during bitmap scanning
+
+Before, we only yield after initializing dirty bitmap, where the QMP
+command would return. That may take very long, and guest IO will be
+blocked.
+
+Add sleep points like the later mirror iterations.
+
+Signed-off-by: Fam Zheng <famz@redhat.com>
+Reviewed-by: Wen Congyang <wency@cn.fujitsu.com>
+Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Message-id: 1431486673-19280-1-git-send-email-famz@redhat.com
+Signed-off-by: Jeff Cody <jcody@redhat.com>
+(cherry picked from commit 4c0cbd6fec7db182a6deb52d5a8a8e7b0c5cbe64)
+---
+ block/mirror.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/block/mirror.c b/block/mirror.c
+index 9407287..6f1bc3c 100644
+--- a/block/mirror.c
++++ b/block/mirror.c
+@@ -453,11 +453,23 @@ static void coroutine_fn mirror_run(void *opaque)
+     sectors_per_chunk = s->granularity >> BDRV_SECTOR_BITS;
+     mirror_free_init(s);
+ 
++    last_pause_ns = qemu_clock_get_ns(QEMU_CLOCK_REALTIME);
+     if (!s->is_none_mode) {
+         /* First part, loop on the sectors and initialize the dirty bitmap.  */
+         BlockDriverState *base = s->base;
+         for (sector_num = 0; sector_num < end; ) {
+             int64_t next = (sector_num | (sectors_per_chunk - 1)) + 1;
++            int64_t now = qemu_clock_get_ns(QEMU_CLOCK_REALTIME);
++
++            if (now - last_pause_ns > SLICE_TIME) {
++                last_pause_ns = now;
++                block_job_sleep_ns(&s->common, QEMU_CLOCK_REALTIME, 0);
++            }
++
++            if (block_job_is_cancelled(&s->common)) {
++                goto immediate_exit;
++            }
++
+             ret = bdrv_is_allocated_above(bs, base,
+                                           sector_num, next - sector_num, &n);
+ 
+@@ -476,7 +488,6 @@ static void coroutine_fn mirror_run(void *opaque)
+     }
+ 
+     bdrv_dirty_iter_init(bs, s->dirty_bitmap, &s->hbi);
+-    last_pause_ns = qemu_clock_get_ns(QEMU_CLOCK_REALTIME);
+     for (;;) {
+         uint64_t delay_ns = 0;
+         int64_t cnt;

0014-target-ppc-fix-vcipher-vcipherlast-vncipherlast-and-.patch

@@ -0,0 +1,94 @@
+From: Aurelien Jarno <aurelien@aurel32.net>
+Date: Sun, 13 Sep 2015 23:03:44 +0200
+Subject: [PATCH] target-ppc: fix vcipher, vcipherlast, vncipherlast and
+ vpermxor
+
+For vector instructions, the helpers get pointers to the vector register
+in arguments. Some operands might point to the same register, including
+the operand holding the result.
+
+When emulating instructions which access the vector elements in a
+non-linear way, we need to store the result in an temporary variable.
+
+This fixes openssl when emulating a POWER8 CPU.
+
+Cc: Tom Musta <tommusta@gmail.com>
+Cc: Alexander Graf <agraf@suse.de>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
+---
+ target-ppc/int_helper.c | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/target-ppc/int_helper.c b/target-ppc/int_helper.c
+index 4c2b71c..b1f6abd 100644
+--- a/target-ppc/int_helper.c
++++ b/target-ppc/int_helper.c
+@@ -2327,24 +2327,28 @@ void helper_vsbox(ppc_avr_t *r, ppc_avr_t *a)
+ 
+ void helper_vcipher(ppc_avr_t *r, ppc_avr_t *a, ppc_avr_t *b)
+ {
++    ppc_avr_t result;
+     int i;
+ 
+     VECTOR_FOR_INORDER_I(i, u32) {
+-        r->AVRW(i) = b->AVRW(i) ^
++        result.AVRW(i) = b->AVRW(i) ^
+             (AES_Te0[a->AVRB(AES_shifts[4*i + 0])] ^
+              AES_Te1[a->AVRB(AES_shifts[4*i + 1])] ^
+              AES_Te2[a->AVRB(AES_shifts[4*i + 2])] ^
+              AES_Te3[a->AVRB(AES_shifts[4*i + 3])]);
+     }
++    *r = result;
+ }
+ 
+ void helper_vcipherlast(ppc_avr_t *r, ppc_avr_t *a, ppc_avr_t *b)
+ {
++    ppc_avr_t result;
+     int i;
+ 
+     VECTOR_FOR_INORDER_I(i, u8) {
+-        r->AVRB(i) = b->AVRB(i) ^ (AES_sbox[a->AVRB(AES_shifts[i])]);
++        result.AVRB(i) = b->AVRB(i) ^ (AES_sbox[a->AVRB(AES_shifts[i])]);
+     }
++    *r = result;
+ }
+ 
+ void helper_vncipher(ppc_avr_t *r, ppc_avr_t *a, ppc_avr_t *b)
+@@ -2369,11 +2373,13 @@ void helper_vncipher(ppc_avr_t *r, ppc_avr_t *a, ppc_avr_t *b)
+ 
+ void helper_vncipherlast(ppc_avr_t *r, ppc_avr_t *a, ppc_avr_t *b)
+ {
++    ppc_avr_t result;
+     int i;
+ 
+     VECTOR_FOR_INORDER_I(i, u8) {
+-        r->AVRB(i) = b->AVRB(i) ^ (AES_isbox[a->AVRB(AES_ishifts[i])]);
++        result.AVRB(i) = b->AVRB(i) ^ (AES_isbox[a->AVRB(AES_ishifts[i])]);
+     }
++    *r = result;
+ }
+ 
+ #define ROTRu32(v, n) (((v) >> (n)) | ((v) << (32-n)))
+@@ -2460,16 +2466,19 @@ void helper_vshasigmad(ppc_avr_t *r,  ppc_avr_t *a, uint32_t st_six)
+ 
+ void helper_vpermxor(ppc_avr_t *r,  ppc_avr_t *a, ppc_avr_t *b, ppc_avr_t *c)
+ {
++    ppc_avr_t result;
+     int i;
++
+     VECTOR_FOR_INORDER_I(i, u8) {
+         int indexA = c->u8[i] >> 4;
+         int indexB = c->u8[i] & 0xF;
+ #if defined(HOST_WORDS_BIGENDIAN)
+-        r->u8[i] = a->u8[indexA] ^ b->u8[indexB];
++        result.u8[i] = a->u8[indexA] ^ b->u8[indexB];
+ #else
+-        r->u8[i] = a->u8[15-indexA] ^ b->u8[15-indexB];
++        result.u8[i] = a->u8[15-indexA] ^ b->u8[15-indexB];
+ #endif
+     }
++    *r = result;
+ }
+ 
+ #undef VECTOR_FOR_INORDER_I

0015-target-ppc-fix-xscmpodp-and-xscmpudp-decoding.patch

@@ -0,0 +1,49 @@
+From: Aurelien Jarno <aurelien@aurel32.net>
+Date: Sun, 13 Sep 2015 23:03:45 +0200
+Subject: [PATCH] target-ppc: fix xscmpodp and xscmpudp decoding
+
+The xscmpodp and xscmpudp instructions only have the AX, BX bits in
+there encoding, the lowest bit (usually TX) is marked as an invalid
+bit. We therefore can't decode them with GEN_XX2FORM, which decodes
+the two lowest bit.
+
+Introduce a new form GEN_XX2FORM, which decodes AX and BX and mark
+the lowest bit as invalid.
+
+Cc: Tom Musta <tommusta@gmail.com>
+Cc: Alexander Graf <agraf@suse.de>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
+---
+ target-ppc/translate.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/target-ppc/translate.c b/target-ppc/translate.c
+index 8f255ea..13866b9 100644
+--- a/target-ppc/translate.c
++++ b/target-ppc/translate.c
+@@ -10670,6 +10670,13 @@ GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 1, opc3, 0, PPC_NONE, fl2), \
+ GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 2, opc3, 0, PPC_NONE, fl2), \
+ GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 3, opc3, 0, PPC_NONE, fl2)
+ 
++#undef GEN_XX2IFORM
++#define GEN_XX2IFORM(name, opc2, opc3, fl2)                           \
++GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 0, opc3, 1, PPC_NONE, fl2), \
++GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 1, opc3, 1, PPC_NONE, fl2), \
++GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 2, opc3, 1, PPC_NONE, fl2), \
++GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 3, opc3, 1, PPC_NONE, fl2)
++
+ #undef GEN_XX3_RC_FORM
+ #define GEN_XX3_RC_FORM(name, opc2, opc3, fl2)                          \
+ GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 0x00, opc3 | 0x00, 0, PPC_NONE, fl2), \
+@@ -10731,8 +10738,8 @@ GEN_XX3FORM(xsnmaddadp, 0x04, 0x14, PPC2_VSX),
+ GEN_XX3FORM(xsnmaddmdp, 0x04, 0x15, PPC2_VSX),
+ GEN_XX3FORM(xsnmsubadp, 0x04, 0x16, PPC2_VSX),
+ GEN_XX3FORM(xsnmsubmdp, 0x04, 0x17, PPC2_VSX),
+-GEN_XX2FORM(xscmpodp,  0x0C, 0x05, PPC2_VSX),
+-GEN_XX2FORM(xscmpudp,  0x0C, 0x04, PPC2_VSX),
++GEN_XX2IFORM(xscmpodp,  0x0C, 0x05, PPC2_VSX),
++GEN_XX2IFORM(xscmpudp,  0x0C, 0x04, PPC2_VSX),
+ GEN_XX3FORM(xsmaxdp, 0x00, 0x14, PPC2_VSX),
+ GEN_XX3FORM(xsmindp, 0x00, 0x15, PPC2_VSX),
+ GEN_XX2FORM(xscvdpsp, 0x12, 0x10, PPC2_VSX),

0016-virtio-introduce-virtqueue_unmap_sg.patch

@@ -0,0 +1,54 @@
+From: Jason Wang <jasowang@redhat.com>
+Date: Fri, 25 Sep 2015 13:21:28 +0800
+Subject: [PATCH] virtio: introduce virtqueue_unmap_sg()
+
+Factor out sg unmapping logic. This will be reused by the patch that
+can discard descriptor.
+
+Cc: Michael S. Tsirkin <mst@redhat.com>
+Cc: Andrew James <andrew.james@hpe.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+
+(cherry picked from commit ce317461573bac12b10d67699b4ddf1f97cf066c)
+---
+ hw/virtio/virtio.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
+index 17c1260..7d88f26 100644
+--- a/hw/virtio/virtio.c
++++ b/hw/virtio/virtio.c
+@@ -240,14 +240,12 @@ int virtio_queue_empty(VirtQueue *vq)
+     return vring_avail_idx(vq) == vq->last_avail_idx;
+ }
+ 
+-void virtqueue_fill(VirtQueue *vq, const VirtQueueElement *elem,
+-                    unsigned int len, unsigned int idx)
++static void virtqueue_unmap_sg(VirtQueue *vq, const VirtQueueElement *elem,
++                               unsigned int len)
+ {
+     unsigned int offset;
+     int i;
+ 
+-    trace_virtqueue_fill(vq, elem, len, idx);
+-
+     offset = 0;
+     for (i = 0; i < elem->in_num; i++) {
+         size_t size = MIN(len - offset, elem->in_sg[i].iov_len);
+@@ -263,6 +261,14 @@ void virtqueue_fill(VirtQueue *vq, const VirtQueueElement *elem,
+         cpu_physical_memory_unmap(elem->out_sg[i].iov_base,
+                                   elem->out_sg[i].iov_len,
+                                   0, elem->out_sg[i].iov_len);
++}
++
++void virtqueue_fill(VirtQueue *vq, const VirtQueueElement *elem,
++                    unsigned int len, unsigned int idx)
++{
++    trace_virtqueue_fill(vq, elem, len, idx);
++
++    virtqueue_unmap_sg(vq, elem, len);
+ 
+     idx = (idx + vring_used_idx(vq)) % vq->vring.num;
+ 

0017-virtio-introduce-virtqueue_discard.patch

@@ -0,0 +1,50 @@
+From: Jason Wang <jasowang@redhat.com>
+Date: Fri, 25 Sep 2015 13:21:29 +0800
+Subject: [PATCH] virtio: introduce virtqueue_discard()
+
+This patch introduces virtqueue_discard() to discard a descriptor and
+unmap the sgs. This will be used by the patch that will discard
+descriptor when packet is truncated.
+
+Cc: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+
+(cherry picked from commit 29b9f5efd78ae0f9cc02dd169b6e80d2c404bade)
+---
+ hw/virtio/virtio.c         | 7 +++++++
+ include/hw/virtio/virtio.h | 2 ++
+ 2 files changed, 9 insertions(+)
+
+diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
+index 7d88f26..e9f72a5 100644
+--- a/hw/virtio/virtio.c
++++ b/hw/virtio/virtio.c
+@@ -263,6 +263,13 @@ static void virtqueue_unmap_sg(VirtQueue *vq, const VirtQueueElement *elem,
+                                   0, elem->out_sg[i].iov_len);
+ }
+ 
++void virtqueue_discard(VirtQueue *vq, const VirtQueueElement *elem,
++                       unsigned int len)
++{
++    vq->last_avail_idx--;
++    virtqueue_unmap_sg(vq, elem, len);
++}
++
+ void virtqueue_fill(VirtQueue *vq, const VirtQueueElement *elem,
+                     unsigned int len, unsigned int idx)
+ {
+diff --git a/include/hw/virtio/virtio.h b/include/hw/virtio/virtio.h
+index d95f8b6..1899654 100644
+--- a/include/hw/virtio/virtio.h
++++ b/include/hw/virtio/virtio.h
+@@ -136,6 +136,8 @@ void virtio_del_queue(VirtIODevice *vdev, int n);
+ void virtqueue_push(VirtQueue *vq, const VirtQueueElement *elem,
+                     unsigned int len);
+ void virtqueue_flush(VirtQueue *vq, unsigned int count);
++void virtqueue_discard(VirtQueue *vq, const VirtQueueElement *elem,
++                       unsigned int len);
+ void virtqueue_fill(VirtQueue *vq, const VirtQueueElement *elem,
+                     unsigned int len, unsigned int idx);
+ 

0018-virtio-net-correctly-drop-truncated-packets.patch

@@ -0,0 +1,43 @@
+From: Jason Wang <jasowang@redhat.com>
+Date: Fri, 25 Sep 2015 13:21:30 +0800
+Subject: [PATCH] virtio-net: correctly drop truncated packets
+
+When packet is truncated during receiving, we drop the packets but
+neither discard the descriptor nor add and signal used
+descriptor. This will lead several issues:
+
+- sg mappings are leaked
+- rx will be stalled if a lots of packets were truncated
+
+In order to be consistent with vhost, fix by discarding the descriptor
+in this case.
+
+Cc: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+
+(cherry picked from commit 0cf33fb6b49a19de32859e2cdc6021334f448fb3)
+---
+ hw/net/virtio-net.c | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
+index 2d570e4..48b6655 100644
+--- a/hw/net/virtio-net.c
++++ b/hw/net/virtio-net.c
+@@ -1073,13 +1073,7 @@ static ssize_t virtio_net_receive(NetClientState *nc, const uint8_t *buf, size_t
+          * must have consumed the complete packet.
+          * Otherwise, drop it. */
+         if (!n->mergeable_rx_bufs && offset < size) {
+-#if 0
+-            error_report("virtio-net truncated non-mergeable packet: "
+-                         "i %zd mergeable %d offset %zd, size %zd, "
+-                         "guest hdr len %zd, host hdr len %zd",
+-                         i, n->mergeable_rx_bufs,
+-                         offset, size, n->guest_hdr_len, n->host_hdr_len);
+-#endif
++            virtqueue_discard(q->rx_vq, &elem, total);
+             return size;
+         }
+ 

0019-mirror-Fix-coroutine-reentrance.patch

@@ -0,0 +1,117 @@
+From: Kevin Wolf <kwolf@redhat.com>
+Date: Thu, 13 Aug 2015 10:41:50 +0200
+Subject: [PATCH] mirror: Fix coroutine reentrance
+
+This fixes a regression introduced by commit dcfb3beb ("mirror: Do zero
+write on target if sectors not allocated"), which was reported to cause
+aborts with the message "Co-routine re-entered recursively".
+
+The cause for this bug is the following code in mirror_iteration_done():
+
+    if (s->common.busy) {
+        qemu_coroutine_enter(s->common.co, NULL);
+    }
+
+This has always been ugly because - unlike most places that reenter - it
+doesn't have a specific yield that it pairs with, but is more
+uncontrolled.  What we really mean here is "reenter the coroutine if
+it's in one of the four explicit yields in mirror.c".
+
+This used to be equivalent with s->common.busy because neither
+mirror_run() nor mirror_iteration() call any function that could yield.
+However since commit dcfb3beb this doesn't hold true any more:
+bdrv_get_block_status_above() can yield.
+
+So what happens is that bdrv_get_block_status_above() wants to take a
+lock that is already held, so it adds itself to the queue of waiting
+coroutines and yields. Instead of being woken up by the unlock function,
+however, it gets woken up by mirror_iteration_done(), which is obviously
+wrong.
+
+In most cases the code actually happens to cope fairly well with such
+cases, but in this specific case, the unlock must already have scheduled
+the coroutine for wakeup when mirror_iteration_done() reentered it. And
+then the coroutine happened to process the scheduled restarts and tried
+to reenter itself recursively.
+
+This patch fixes the problem by pairing the reenter in
+mirror_iteration_done() with specific yields instead of abusing
+s->common.busy.
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Reviewed-by: Jeff Cody <jcody@redhat.com>
+Message-id: 1439455310-11263-1-git-send-email-kwolf@redhat.com
+Signed-off-by: Jeff Cody <jcody@redhat.com>
+(cherry picked from commit e424aff5f307227b1c2512bbb8ece891bb895cef)
+---
+ block/mirror.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/block/mirror.c b/block/mirror.c
+index 6f1bc3c..d06a0be 100644
+--- a/block/mirror.c
++++ b/block/mirror.c
+@@ -58,6 +58,7 @@ typedef struct MirrorBlockJob {
+     int sectors_in_flight;
+     int ret;
+     bool unmap;
++    bool waiting_for_io;
+ } MirrorBlockJob;
+ 
+ typedef struct MirrorOp {
+@@ -112,11 +113,7 @@ static void mirror_iteration_done(MirrorOp *op, int ret)
+     qemu_iovec_destroy(&op->qiov);
+     g_slice_free(MirrorOp, op);
+ 
+-    /* Enter coroutine when it is not sleeping.  The coroutine sleeps to
+-     * rate-limit itself.  The coroutine will eventually resume since there is
+-     * a sleep timeout so don't wake it early.
+-     */
+-    if (s->common.busy) {
++    if (s->waiting_for_io) {
+         qemu_coroutine_enter(s->common.co, NULL);
+     }
+ }
+@@ -206,7 +203,9 @@ static uint64_t coroutine_fn mirror_iteration(MirrorBlockJob *s)
+     /* Wait for I/O to this cluster (from a previous iteration) to be done.  */
+     while (test_bit(next_chunk, s->in_flight_bitmap)) {
+         trace_mirror_yield_in_flight(s, sector_num, s->in_flight);
++        s->waiting_for_io = true;
+         qemu_coroutine_yield();
++        s->waiting_for_io = false;
+     }
+ 
+     do {
+@@ -242,7 +241,9 @@ static uint64_t coroutine_fn mirror_iteration(MirrorBlockJob *s)
+          */
+         while (nb_chunks == 0 && s->buf_free_count < added_chunks) {
+             trace_mirror_yield_buf_busy(s, nb_chunks, s->in_flight);
++            s->waiting_for_io = true;
+             qemu_coroutine_yield();
++            s->waiting_for_io = false;
+         }
+         if (s->buf_free_count < nb_chunks + added_chunks) {
+             trace_mirror_break_buf_busy(s, nb_chunks, s->in_flight);
+@@ -341,7 +342,9 @@ static void mirror_free_init(MirrorBlockJob *s)
+ static void mirror_drain(MirrorBlockJob *s)
+ {
+     while (s->in_flight > 0) {
++        s->waiting_for_io = true;
+         qemu_coroutine_yield();
++        s->waiting_for_io = false;
+     }
+ }
+ 
+@@ -516,7 +519,9 @@ static void coroutine_fn mirror_run(void *opaque)
+             if (s->in_flight == MAX_IN_FLIGHT || s->buf_free_count == 0 ||
+                 (cnt == 0 && s->in_flight > 0)) {
+                 trace_mirror_yield(s, s->in_flight, s->buf_free_count, cnt);
++                s->waiting_for_io = true;
+                 qemu_coroutine_yield();
++                s->waiting_for_io = false;
+                 continue;
+             } else if (cnt != 0) {
+                 delay_ns = mirror_iteration(s);

0020-util-socket-Add-missing-localaddr-and-localport-opti.patch

@@ -0,0 +1,52 @@
+From: Peter Krempa <pkrempa@redhat.com>
+Date: Fri, 15 May 2015 11:31:43 +0200
+Subject: [PATCH] util: socket: Add missing localaddr and localport option for
+ DGRAM socket
+
+The 'socket_optslist' structure does not contain the 'localaddr' and
+'localport' options that are parsed in case you are creating a
+'connect' type UDP character device.
+
+I've noticed it happening after commit f43e47dbf6de24db20ec9b588bb6cc762
+made qemu abort() after seeing the invalid option.
+
+A minimal reproducer for the case is:
+$ qemu-system-x86_64 -chardev udp,id=charrng0,host=127.0.0.1,port=1234,localaddr=,localport=1234
+qemu-system-x86_64: -chardev udp,id=charrng0,host=127.0.0.1,port=1234,localaddr=,localport=1234: Invalid parameter 'localaddr'
+Aborted (core dumped)
+
+Prior to the commit mentioned above the error would be printed but the
+value for localaddr and localport was simply ignored. I did not go
+through the code to find out when it was broken.
+
+Add the two fields so that the options can again be parsed correctly and
+qemu doesn't abort().
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1220252
+
+Signed-off-by: Peter Krempa <pkrempa@redhat.com>
+Reviewed-by: Eric Blake <eblake@redhat.com>
+Reviewed-by: Markus Armbruster <armbru@redhat.com>
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+(cherry picked from commit b8981dc9aae25fa79e5f35609e63f50f078a572d)
+---
+ util/qemu-sockets.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/util/qemu-sockets.c b/util/qemu-sockets.c
+index 87c9bc6..72066be 100644
+--- a/util/qemu-sockets.c
++++ b/util/qemu-sockets.c
+@@ -45,6 +45,12 @@ QemuOptsList socket_optslist = {
+             .name = "port",
+             .type = QEMU_OPT_STRING,
+         },{
++            .name = "localaddr",
++            .type = QEMU_OPT_STRING,
++        },{
++            .name = "localport",
++            .type = QEMU_OPT_STRING,
++        },{
+             .name = "to",
+             .type = QEMU_OPT_NUMBER,
+         },{

0021-atomics-add-explicit-compiler-fence-in-__atomic-memo.patch

@@ -0,0 +1,61 @@
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Wed, 3 Jun 2015 14:21:20 +0200
+Subject: [PATCH] atomics: add explicit compiler fence in __atomic memory
+ barriers
+
+__atomic_thread_fence does not include a compiler barrier; in the
+C++11 memory model, fences take effect in combination with other
+atomic operations.  GCC implements this by making __atomic_load and
+__atomic_store access memory as if the pointer was volatile, and
+leaves no trace whatsoever of acquire and release fences in the
+compiler's intermediate representation.
+
+In QEMU, we want memory barriers to act on all memory, but at the same
+time we would like to use __atomic_thread_fence for portability reasons.
+Add compiler barriers manually around the __atomic_thread_fence.
+
+Message-Id: <1433334080-14912-1-git-send-email-pbonzini@redhat.com>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 3bbf572345c65813f86a8fc434ea1b23beb08e16)
+---
+ include/qemu/atomic.h | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/include/qemu/atomic.h b/include/qemu/atomic.h
+index 98e05ca..bd2c075 100644
+--- a/include/qemu/atomic.h
++++ b/include/qemu/atomic.h
+@@ -99,7 +99,13 @@
+ 
+ #ifndef smp_wmb
+ #ifdef __ATOMIC_RELEASE
+-#define smp_wmb()   __atomic_thread_fence(__ATOMIC_RELEASE)
++/* __atomic_thread_fence does not include a compiler barrier; instead,
++ * the barrier is part of __atomic_load/__atomic_store's "volatile-like"
++ * semantics. If smp_wmb() is a no-op, absence of the barrier means that
++ * the compiler is free to reorder stores on each side of the barrier.
++ * Add one here, and similarly in smp_rmb() and smp_read_barrier_depends().
++ */
++#define smp_wmb()   ({ barrier(); __atomic_thread_fence(__ATOMIC_RELEASE); barrier(); })
+ #else
+ #define smp_wmb()   __sync_synchronize()
+ #endif
+@@ -107,7 +113,7 @@
+ 
+ #ifndef smp_rmb
+ #ifdef __ATOMIC_ACQUIRE
+-#define smp_rmb()   __atomic_thread_fence(__ATOMIC_ACQUIRE)
++#define smp_rmb()   ({ barrier(); __atomic_thread_fence(__ATOMIC_ACQUIRE); barrier(); })
+ #else
+ #define smp_rmb()   __sync_synchronize()
+ #endif
+@@ -115,7 +121,7 @@
+ 
+ #ifndef smp_read_barrier_depends
+ #ifdef __ATOMIC_CONSUME
+-#define smp_read_barrier_depends()   __atomic_thread_fence(__ATOMIC_CONSUME)
++#define smp_read_barrier_depends()   ({ barrier(); __atomic_thread_fence(__ATOMIC_CONSUME); barrier(); })
+ #else
+ #define smp_read_barrier_depends()   barrier()
+ #endif

0022-target-i386-fix-pcmpxstrx-equal-ordered-strstr-mode.patch

@@ -0,0 +1,40 @@
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Mon, 12 Oct 2015 11:50:27 +0200
+Subject: [PATCH] target-i386: fix pcmpxstrx equal-ordered (strstr) mode
+
+In this mode, referring an invalid element of the source forces the
+result to false (table 4-7, last column) but referring an invalid
+element of the destination forces the result to true, so the outer
+loop should still be run even if some elements of the destination
+will be invalid.  They will be avoided in the inner loop, which
+correctly bounds "i" to validd, but they will still contribute to a
+positive outcome of the search.
+
+This fixes tst_strstr in glibc 2.17.
+
+Reported-by: Florian Weimer <fweimer@redhat.com>
+Cc: Richard Henderson <rth@twiddle.net>
+Cc: Eduardo Habkost <ehabkost@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 54c54f8b56047d3c2420e1ae06a6a8890c220ac4)
+---
+ target-i386/ops_sse.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/target-i386/ops_sse.h b/target-i386/ops_sse.h
+index 0765073..34eb141 100644
+--- a/target-i386/ops_sse.h
++++ b/target-i386/ops_sse.h
+@@ -2037,10 +2037,10 @@ static inline unsigned pcmpxstrx(CPUX86State *env, Reg *d, Reg *s,
+         }
+         break;
+     case 3:
+-        for (j = valids - validd; j >= 0; j--) {
++        for (j = valids; j >= 0; j--) {
+             res <<= 1;
+             v = 1;
+-            for (i = MIN(upper - j, validd); i >= 0; i--) {
++            for (i = MIN(valids - j, validd); i >= 0; i--) {
+                 v &= (pcmp_val(s, ctrl, i + j) == pcmp_val(d, ctrl, i));
+             }
+             res |= v;

0023-eepro100-Prevent-two-endless-loops.patch

@@ -0,0 +1,60 @@
+From: Stefan Weil <sw@weilnetz.de>
+Date: Fri, 20 Nov 2015 08:42:33 +0100
+Subject: [PATCH] eepro100: Prevent two endless loops
+
+http://lists.nongnu.org/archive/html/qemu-devel/2015-11/msg04592.html
+shows an example how an endless loop in function action_command can
+be achieved.
+
+During my code review, I noticed a 2nd case which can result in an
+endless loop.
+
+Reported-by: Qinghao Tang <luodalongde@gmail.com>
+Signed-off-by: Stefan Weil <sw@weilnetz.de>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+(cherry picked from commit 00837731d254908a841d69298a4f9f077babaf24)
+---
+ hw/net/eepro100.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/hw/net/eepro100.c b/hw/net/eepro100.c
+index c374c1a..3e874cd 100644
+--- a/hw/net/eepro100.c
++++ b/hw/net/eepro100.c
+@@ -774,6 +774,11 @@ static void tx_command(EEPRO100State *s)
+ #if 0
+         uint16_t tx_buffer_el = lduw_le_pci_dma(&s->dev, tbd_address + 6);
+ #endif
++        if (tx_buffer_size == 0) {
++            /* Prevent an endless loop. */
++            logout("loop in %s:%u\n", __FILE__, __LINE__);
++            break;
++        }
+         tbd_address += 8;
+         TRACE(RXTX, logout
+             ("TBD (simplified mode): buffer address 0x%08x, size 0x%04x\n",
+@@ -855,6 +860,10 @@ static void set_multicast_list(EEPRO100State *s)
+ 
+ static void action_command(EEPRO100State *s)
+ {
++    /* The loop below won't stop if it gets special handcrafted data.
++       Therefore we limit the number of iterations. */
++    unsigned max_loop_count = 16;
++
+     for (;;) {
+         bool bit_el;
+         bool bit_s;
+@@ -870,6 +879,13 @@ static void action_command(EEPRO100State *s)
+ #if 0
+         bool bit_sf = ((s->tx.command & COMMAND_SF) != 0);
+ #endif
++
++        if (max_loop_count-- == 0) {
++            /* Prevent an endless loop. */
++            logout("loop in %s:%u\n", __FILE__, __LINE__);
++            break;
++        }
++
+         s->cu_offset = s->tx.link;
+         TRACE(OTHER,
+               logout("val=(cu start), status=0x%04x, command=0x%04x, link=0x%08x\n",

0024-net-pcnet-add-check-to-validate-receive-data-size-CV.patch

@@ -0,0 +1,47 @@
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Fri, 20 Nov 2015 11:50:31 +0530
+Subject: [PATCH] net: pcnet: add check to validate receive data
+ size(CVE-2015-7504)
+
+In loopback mode, pcnet_receive routine appends CRC code to the
+receive buffer. If the data size given is same as the buffer size,
+the appended CRC code overwrites 4 bytes after s->buffer. Added a
+check to avoid that.
+
+Reported by: Qinghao Tang <luodalongde@gmail.com>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+(cherry picked from commit 837f21aacf5a714c23ddaadbbc5212f9b661e3f7)
+---
+ hw/net/pcnet.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
+index 68b9981..03a56b2 100644
+--- a/hw/net/pcnet.c
++++ b/hw/net/pcnet.c
+@@ -1094,7 +1094,7 @@ ssize_t pcnet_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
+                 uint32_t fcs = ~0;
+                 uint8_t *p = src;
+ 
+-                while (p != &src[size-4])
++                while (p != &src[size])
+                     CRC(fcs, *p++);
+                 crc_err = (*(uint32_t *)p != htonl(fcs));
+             }
+@@ -1243,8 +1243,10 @@ static void pcnet_transmit(PCNetState *s)
+         bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
+ 
+         /* if multi-tmd packet outsizes s->buffer then skip it silently.
+-           Note: this is not what real hw does */
+-        if (s->xmit_pos + bcnt > sizeof(s->buffer)) {
++         * Note: this is not what real hw does.
++         * Last four bytes of s->buffer are used to store CRC FCS code.
++         */
++        if (s->xmit_pos + bcnt > sizeof(s->buffer) - 4) {
+             s->xmit_pos = -1;
+             goto txdone;
+         }

0025-pcnet-fix-rx-buffer-overflow-CVE-2015-7512.patch

@@ -0,0 +1,34 @@
+From: Jason Wang <jasowang@redhat.com>
+Date: Mon, 30 Nov 2015 15:00:06 +0800
+Subject: [PATCH] pcnet: fix rx buffer overflow(CVE-2015-7512)
+
+Backends could provide a packet whose length is greater than buffer
+size. Check for this and truncate the packet to avoid rx buffer
+overflow in this case.
+
+Cc: Prasad J Pandit <pjp@fedoraproject.org>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+(cherry picked from commit 8b98a2f07175d46c3f7217639bd5e03f2ec56343)
+---
+ hw/net/pcnet.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
+index 03a56b2..d8957ab 100644
+--- a/hw/net/pcnet.c
++++ b/hw/net/pcnet.c
+@@ -1074,6 +1074,12 @@ ssize_t pcnet_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
+             int pktcount = 0;
+ 
+             if (!s->looptest) {
++                if (size > 4092) {
++#ifdef PCNET_DEBUG_RMD
++                    fprintf(stderr, "pcnet: truncates rx packet.\n");
++#endif
++                    size = 4092;
++                }
+                 memcpy(src, buf, size);
+                 /* no need to compute the CRC */
+                 src[size] = 0;

0026-ui-vnc-avoid-floating-point-exception.patch

@@ -0,0 +1,41 @@
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Thu, 3 Dec 2015 18:54:17 +0530
+Subject: [PATCH] ui: vnc: avoid floating point exception
+
+While sending 'SetPixelFormat' messages to a VNC server,
+the client could set the 'red-max', 'green-max' and 'blue-max'
+values to be zero. This leads to a floating point exception in
+write_png_palette while doing frame buffer updates.
+
+Reported-by: Lian Yihan <lianyihan@360.cn>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+(cherry picked from commit 4c65fed8bdf96780735dbdb92a8bd0d6b6526cc3)
+---
+ ui/vnc.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/ui/vnc.c b/ui/vnc.c
+index 472c30e..66c5494 100644
+--- a/ui/vnc.c
++++ b/ui/vnc.c
+@@ -2205,15 +2205,15 @@ static void set_pixel_format(VncState *vs,
+         return;
+     }
+ 
+-    vs->client_pf.rmax = red_max;
++    vs->client_pf.rmax = red_max ? red_max : 0xFF;
+     vs->client_pf.rbits = hweight_long(red_max);
+     vs->client_pf.rshift = red_shift;
+     vs->client_pf.rmask = red_max << red_shift;
+-    vs->client_pf.gmax = green_max;
++    vs->client_pf.gmax = green_max ? green_max : 0xFF;
+     vs->client_pf.gbits = hweight_long(green_max);
+     vs->client_pf.gshift = green_shift;
+     vs->client_pf.gmask = green_max << green_shift;
+-    vs->client_pf.bmax = blue_max;
++    vs->client_pf.bmax = blue_max ? blue_max : 0xFF;
+     vs->client_pf.bbits = hweight_long(blue_max);
+     vs->client_pf.bshift = blue_shift;
+     vs->client_pf.bmask = blue_max << blue_shift;

0027-msix-implement-pba-write-but-read-only.patch

@@ -0,0 +1,57 @@
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
+Date: Fri, 26 Jun 2015 14:25:29 +0200
+Subject: [PATCH] msix: implement pba write (but read-only)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+qpci_msix_pending() writes on pba region, causing qemu to SEGV:
+
+  Program received signal SIGSEGV, Segmentation fault.
+  [Switching to Thread 0x7ffff7fba8c0 (LWP 25882)]
+  0x0000000000000000 in ?? ()
+  (gdb) bt
+  #0  0x0000000000000000 in  ()
+  #1  0x00005555556556c5 in memory_region_oldmmio_write_accessor (mr=0x5555579f3f80, addr=0, value=0x7fffffffbf68, size=4, shift=0, mask=4294967295, attrs=...) at /home/elmarco/src/qemu/memory.c:434
+  #2  0x00005555556558e1 in access_with_adjusted_size (addr=0, value=0x7fffffffbf68, size=4, access_size_min=1, access_size_max=4, access=0x55555565563e <memory_region_oldmmio_write_accessor>, mr=0x5555579f3f80, attrs=...) at /home/elmarco/src/qemu/memory.c:506
+  #3  0x00005555556581eb in memory_region_dispatch_write (mr=0x5555579f3f80, addr=0, data=0, size=4, attrs=...) at /home/elmarco/src/qemu/memory.c:1176
+  #4  0x000055555560b6f9 in address_space_rw (as=0x555555eff4e0 <address_space_memory>, addr=3759147008, attrs=..., buf=0x7fffffffc1b0 "", len=4, is_write=true) at /home/elmarco/src/qemu/exec.c:2439
+  #5  0x000055555560baa2 in cpu_physical_memory_rw (addr=3759147008, buf=0x7fffffffc1b0 "", len=4, is_write=1) at /home/elmarco/src/qemu/exec.c:2534
+  #6  0x000055555564c005 in cpu_physical_memory_write (addr=3759147008, buf=0x7fffffffc1b0, len=4) at /home/elmarco/src/qemu/include/exec/cpu-common.h:80
+  #7  0x000055555564cd9c in qtest_process_command (chr=0x55555642b890, words=0x5555578de4b0) at /home/elmarco/src/qemu/qtest.c:378
+  #8  0x000055555564db77 in qtest_process_inbuf (chr=0x55555642b890, inbuf=0x55555641b340) at /home/elmarco/src/qemu/qtest.c:569
+  #9  0x000055555564dc07 in qtest_read (opaque=0x55555642b890, buf=0x7fffffffc2e0 "writel 0xe0100800 0x0\n", size=22) at /home/elmarco/src/qemu/qtest.c:581
+  #10 0x000055555574ce3e in qemu_chr_be_write (s=0x55555642b890, buf=0x7fffffffc2e0 "writel 0xe0100800 0x0\n", len=22) at qemu-char.c:306
+  #11 0x0000555555751263 in tcp_chr_read (chan=0x55555642bcf0, cond=G_IO_IN, opaque=0x55555642b890) at qemu-char.c:2876
+  #12 0x00007ffff64c9a8a in g_main_context_dispatch (context=0x55555641c400) at gmain.c:3122
+
+(without this patch, this can be reproduced with the ivshmem qtest)
+
+Implement an empty mmio write to avoid the crash.
+
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 43b11a91dd861a946b231b89b7542856ade23d1b)
+---
+ hw/pci/msix.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/hw/pci/msix.c b/hw/pci/msix.c
+index 24de260..68ab050 100644
+--- a/hw/pci/msix.c
++++ b/hw/pci/msix.c
+@@ -200,8 +200,14 @@ static uint64_t msix_pba_mmio_read(void *opaque, hwaddr addr,
+     return pci_get_long(dev->msix_pba + addr);
+ }
+ 
++static void msix_pba_mmio_write(void *opaque, hwaddr addr,
++                                uint64_t val, unsigned size)
++{
++}
++
+ static const MemoryRegionOps msix_pba_mmio_ops = {
+     .read = msix_pba_mmio_read,
++    .write = msix_pba_mmio_write,
+     .endianness = DEVICE_LITTLE_ENDIAN,
+     .valid = {
+         .min_access_size = 4,

0028-ehci-make-idt-processing-more-robust.patch

@@ -0,0 +1,45 @@
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 14 Dec 2015 09:21:23 +0100
+Subject: [PATCH] ehci: make idt processing more robust
+
+Make ehci_process_itd return an error in case we didn't do any actual
+iso transfer because we've found no active transaction.  That'll avoid
+ehci happily run in circles forever if the guest builds a loop out of
+idts.
+
+This is CVE-2015-8558.
+
+Cc: qemu-stable@nongnu.org
+Reported-by: Qinghao Tang <luodalongde@gmail.com>
+Tested-by: P J P <ppandit@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit 156a2e4dbffa85997636a7a39ef12da6f1b40254)
+---
+ hw/usb/hcd-ehci.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
+index d4d7547..51d39c6 100644
+--- a/hw/usb/hcd-ehci.c
++++ b/hw/usb/hcd-ehci.c
+@@ -1389,7 +1389,7 @@ static int ehci_process_itd(EHCIState *ehci,
+ {
+     USBDevice *dev;
+     USBEndpoint *ep;
+-    uint32_t i, len, pid, dir, devaddr, endp;
++    uint32_t i, len, pid, dir, devaddr, endp, xfers = 0;
+     uint32_t pg, off, ptr1, ptr2, max, mult;
+ 
+     ehci->periodic_sched_active = PERIODIC_ACTIVE;
+@@ -1479,9 +1479,10 @@ static int ehci_process_itd(EHCIState *ehci,
+                 ehci_raise_irq(ehci, USBSTS_INT);
+             }
+             itd->transact[i] &= ~ITD_XACT_ACTIVE;
++            xfers++;
+         }
+     }
+-    return 0;
++    return xfers ? 0 : -1;
+ }
+ 
+ 

0029-acpi-fix-buffer-overrun-on-migration.patch

@@ -0,0 +1,42 @@
+From: "Michael S. Tsirkin" <mst@redhat.com>
+Date: Thu, 19 Nov 2015 15:14:07 +0200
+Subject: [PATCH] acpi: fix buffer overrun on migration
+
+ich calls acpi_gpe_init with length ICH9_PMIO_GPE0_LEN so
+ICH9_PMIO_GPE0_LEN/2 bytes are allocated, but then the full
+ICH9_PMIO_GPE0_LEN bytes are migrated.
+
+As a quick work-around, allocate twice the memory.
+We'll probably want to tweak code to avoid
+migrating the extra ICH9_PMIO_GPE0_LEN/2 bytes,
+but that is a bit trickier to do without breaking
+migration compatibility.
+
+Tested-by: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
+Reported-by: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+(cherry picked from commit d9a3b33d2c9f996537b7f1d0246dee2d0120cefb)
+---
+ hw/acpi/core.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/hw/acpi/core.c b/hw/acpi/core.c
+index 51913d6..c505952 100644
+--- a/hw/acpi/core.c
++++ b/hw/acpi/core.c
+@@ -611,8 +611,12 @@ void acpi_pm1_cnt_reset(ACPIREGS *ar)
+ void acpi_gpe_init(ACPIREGS *ar, uint8_t len)
+ {
+     ar->gpe.len = len;
+-    ar->gpe.sts = g_malloc0(len / 2);
+-    ar->gpe.en = g_malloc0(len / 2);
++    /* Only first len / 2 bytes are ever used,
++     * but the caller in ich9.c migrates full len bytes.
++     * TODO: fix ich9.c and drop the extra allocation.
++     */
++    ar->gpe.sts = g_malloc0(len);
++    ar->gpe.en = g_malloc0(len);
+ }
+ 
+ void acpi_gpe_reset(ACPIREGS *ar)

0030-net-vmxnet3-Refine-l2-header-validation.patch

@@ -0,0 +1,73 @@
+From: Dana Rubin <dana.rubin@ravellosystems.com>
+Date: Tue, 18 Aug 2015 12:45:55 +0300
+Subject: [PATCH] net/vmxnet3: Refine l2 header validation
+
+Validation of l2 header length assumed minimal packet size as
+eth_header + 2 * vlan_header regardless of the actual protocol.
+
+This caused crash for valid non-IP packets shorter than 22 bytes, as
+'tx_pkt->packet_type' hasn't been assigned for such packets, and
+'vmxnet3_on_tx_done_update_stats()' expects it to be properly set.
+
+Refine header length validation in 'vmxnet_tx_pkt_parse_headers'.
+Check its return value during packet processing flow.
+
+As a side effect, in case IPv4 and IPv6 header validation failure,
+corrupt packets will be dropped.
+
+Signed-off-by: Dana Rubin <dana.rubin@ravellosystems.com>
+Signed-off-by: Shmulik Ladkani <shmulik.ladkani@ravellosystems.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+(cherry picked from commit a7278b36fcab9af469563bd7b9dadebe2ae25e48)
+---
+ hw/net/vmxnet3.c       |  4 +---
+ hw/net/vmxnet_tx_pkt.c | 19 ++++++++++++++++---
+ 2 files changed, 17 insertions(+), 6 deletions(-)
+
+diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
+index dfb328d..aa81a38 100644
+--- a/hw/net/vmxnet3.c
++++ b/hw/net/vmxnet3.c
+@@ -729,9 +729,7 @@ static void vmxnet3_process_tx_queue(VMXNET3State *s, int qidx)
+         }
+ 
+         if (txd.eop) {
+-            if (!s->skip_current_tx_pkt) {
+-                vmxnet_tx_pkt_parse(s->tx_pkt);
+-
++            if (!s->skip_current_tx_pkt && vmxnet_tx_pkt_parse(s->tx_pkt)) {
+                 if (s->needs_vlan) {
+                     vmxnet_tx_pkt_setup_vlan_header(s->tx_pkt, s->tci);
+                 }
+diff --git a/hw/net/vmxnet_tx_pkt.c b/hw/net/vmxnet_tx_pkt.c
+index f7344c4..eb88ddf 100644
+--- a/hw/net/vmxnet_tx_pkt.c
++++ b/hw/net/vmxnet_tx_pkt.c
+@@ -142,11 +142,24 @@ static bool vmxnet_tx_pkt_parse_headers(struct VmxnetTxPkt *pkt)
+ 
+     bytes_read = iov_to_buf(pkt->raw, pkt->raw_frags, 0, l2_hdr->iov_base,
+                             ETH_MAX_L2_HDR_LEN);
+-    if (bytes_read < ETH_MAX_L2_HDR_LEN) {
++    if (bytes_read < sizeof(struct eth_header)) {
++        l2_hdr->iov_len = 0;
++        return false;
++    }
++
++    l2_hdr->iov_len = sizeof(struct eth_header);
++    switch (be16_to_cpu(PKT_GET_ETH_HDR(l2_hdr->iov_base)->h_proto)) {
++    case ETH_P_VLAN:
++        l2_hdr->iov_len += sizeof(struct vlan_header);
++        break;
++    case ETH_P_DVLAN:
++        l2_hdr->iov_len += 2 * sizeof(struct vlan_header);
++        break;
++    }
++
++    if (bytes_read < l2_hdr->iov_len) {
+         l2_hdr->iov_len = 0;
+         return false;
+-    } else {
+-        l2_hdr->iov_len = eth_get_l2_hdr_length(l2_hdr->iov_base);
+     }
+ 
+     l3_proto = eth_get_l3_proto(l2_hdr->iov_base, l2_hdr->iov_len);

0031-vmxnet3-Support-reading-IMR-registers-on-bar0.patch

@@ -0,0 +1,34 @@
+From: Shmulik Ladkani <shmulik.ladkani@ravellosystems.com>
+Date: Mon, 21 Sep 2015 17:09:02 +0300
+Subject: [PATCH] vmxnet3: Support reading IMR registers on bar0
+
+Instead of asserting, return the actual IMR register value.
+This is aligned with what's returned on ESXi.
+
+Signed-off-by: Shmulik Ladkani <shmulik.ladkani@ravellosystems.com>
+Tested-by: Dana Rubin <dana.rubin@ravellosystems.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+(cherry picked from commit c6048f849c7e3f009786df76206e895a69de032c)
+---
+ hw/net/vmxnet3.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
+index aa81a38..c9caa94 100644
+--- a/hw/net/vmxnet3.c
++++ b/hw/net/vmxnet3.c
+@@ -1106,9 +1106,13 @@ vmxnet3_io_bar0_write(void *opaque, hwaddr addr,
+ static uint64_t
+ vmxnet3_io_bar0_read(void *opaque, hwaddr addr, unsigned size)
+ {
++    VMXNET3State *s = opaque;
++
+     if (VMW_IS_MULTIREG_ADDR(addr, VMXNET3_REG_IMR,
+                         VMXNET3_MAX_INTRS, VMXNET3_REG_ALIGN)) {
+-        g_assert_not_reached();
++        int l = VMW_MULTIREG_IDX_BY_ADDR(addr, VMXNET3_REG_IMR,
++                                         VMXNET3_REG_ALIGN);
++        return s->interrupt_states[l].is_masked;
+     }
+ 
+     VMW_CBPRN("BAR0 unknown read [%" PRIx64 "], size %d", addr, size);

0032-net-vmxnet3-avoid-memory-leakage-in-activate_device.patch

@@ -0,0 +1,90 @@
+From: P J P <ppandit@redhat.com>
+Date: Tue, 15 Dec 2015 12:27:54 +0530
+Subject: [PATCH] net: vmxnet3: avoid memory leakage in activate_device
+
+Vmxnet3 device emulator does not check if the device is active
+before activating it, also it did not free the transmit & receive
+buffers while deactivating the device, thus resulting in memory
+leakage on the host. This patch fixes both these issues to avoid
+host memory leakage.
+
+Reported-by: Qinghao Tang <luodalongde@gmail.com>
+Reviewed-by: Dmitry Fleytman <dmitry@daynix.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+(cherry picked from commit aa4a3dce1c88ed51b616806b8214b7c8428b7470)
+---
+ hw/net/vmxnet3.c | 24 ++++++++++++++++--------
+ 1 file changed, 16 insertions(+), 8 deletions(-)
+
+diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
+index c9caa94..3328a08 100644
+--- a/hw/net/vmxnet3.c
++++ b/hw/net/vmxnet3.c
+@@ -1137,8 +1137,13 @@ static void vmxnet3_reset_mac(VMXNET3State *s)
+ 
+ static void vmxnet3_deactivate_device(VMXNET3State *s)
+ {
+-    VMW_CBPRN("Deactivating vmxnet3...");
+-    s->device_active = false;
++    if (s->device_active) {
++        VMW_CBPRN("Deactivating vmxnet3...");
++        vmxnet_tx_pkt_reset(s->tx_pkt);
++        vmxnet_tx_pkt_uninit(s->tx_pkt);
++        vmxnet_rx_pkt_uninit(s->rx_pkt);
++        s->device_active = false;
++    }
+ }
+ 
+ static void vmxnet3_reset(VMXNET3State *s)
+@@ -1147,7 +1152,6 @@ static void vmxnet3_reset(VMXNET3State *s)
+ 
+     vmxnet3_deactivate_device(s);
+     vmxnet3_reset_interrupt_states(s);
+-    vmxnet_tx_pkt_reset(s->tx_pkt);
+     s->drv_shmem = 0;
+     s->tx_sop = true;
+     s->skip_current_tx_pkt = false;
+@@ -1370,6 +1374,12 @@ static void vmxnet3_activate_device(VMXNET3State *s)
+         return;
+     }
+ 
++    /* Verify if device is active */
++    if (s->device_active) {
++        VMW_CFPRN("Vmxnet3 device is active");
++        return;
++    }
++
+     vmxnet3_adjust_by_guest_type(s);
+     vmxnet3_update_features(s);
+     vmxnet3_update_pm_state(s);
+@@ -1566,7 +1576,7 @@ static void vmxnet3_handle_command(VMXNET3State *s, uint64_t cmd)
+         break;
+ 
+     case VMXNET3_CMD_QUIESCE_DEV:
+-        VMW_CBPRN("Set: VMXNET3_CMD_QUIESCE_DEV - pause the device");
++        VMW_CBPRN("Set: VMXNET3_CMD_QUIESCE_DEV - deactivate the device");
+         vmxnet3_deactivate_device(s);
+         break;
+ 
+@@ -1671,7 +1681,7 @@ vmxnet3_io_bar1_write(void *opaque,
+          * shared address only after we get the high part
+          */
+         if (val == 0) {
+-            s->device_active = false;
++            vmxnet3_deactivate_device(s);
+         }
+         s->temp_shared_guest_driver_memory = val;
+         s->drv_shmem = 0;
+@@ -1951,9 +1961,7 @@ static bool vmxnet3_peer_has_vnet_hdr(VMXNET3State *s)
+ static void vmxnet3_net_uninit(VMXNET3State *s)
+ {
+     g_free(s->mcast_list);
+-    vmxnet_tx_pkt_reset(s->tx_pkt);
+-    vmxnet_tx_pkt_uninit(s->tx_pkt);
+-    vmxnet_rx_pkt_uninit(s->rx_pkt);
++    vmxnet3_deactivate_device(s);
+     qemu_del_nic(s->nic);
+ }
+ 

0033-i386-avoid-null-pointer-dereference.patch

@@ -0,0 +1,62 @@
+From: P J P <ppandit@redhat.com>
+Date: Fri, 18 Dec 2015 11:35:07 +0530
+Subject: [PATCH] i386: avoid null pointer dereference
+
+    Hello,
+
+A null pointer dereference issue was reported by Mr Ling Liu, CC'd here. It
+occurs while doing I/O port write operations via hmp interface. In that,
+'current_cpu' remains null as it is not called from cpu_exec loop, which
+results in the said issue.
+
+Below is a proposed (tested)patch to fix this issue; Does it look okay?
+
+===
+From ae88a4947fab9a148cd794f8ad2d812e7f5a1d0f Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Fri, 18 Dec 2015 11:16:07 +0530
+Subject: [PATCH] i386: avoid null pointer dereference
+
+When I/O port write operation is called from hmp interface,
+'current_cpu' remains null, as it is not called from cpu_exec()
+loop. This leads to a null pointer dereference in vapic_write
+routine. Add check to avoid it.
+
+Reported-by: Ling Liu <liuling-it@360.cn>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-Id: <alpine.LFD.2.20.1512181129320.9805@wniryva>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: P J P <ppandit@redhat.com>
+(cherry picked from commit 4c1396cb576c9b14425558b73de1584c7a9735d7)
+---
+ hw/i386/kvmvapic.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/hw/i386/kvmvapic.c b/hw/i386/kvmvapic.c
+index c6d34b2..f0922da 100644
+--- a/hw/i386/kvmvapic.c
++++ b/hw/i386/kvmvapic.c
+@@ -634,13 +634,18 @@ static int vapic_prepare(VAPICROMState *s)
+ static void vapic_write(void *opaque, hwaddr addr, uint64_t data,
+                         unsigned int size)
+ {
+-    CPUState *cs = current_cpu;
+-    X86CPU *cpu = X86_CPU(cs);
+-    CPUX86State *env = &cpu->env;
+-    hwaddr rom_paddr;
+     VAPICROMState *s = opaque;
++    X86CPU *cpu;
++    CPUX86State *env;
++    hwaddr rom_paddr;
+ 
+-    cpu_synchronize_state(cs);
++    if (!current_cpu) {
++        return;
++    }
++
++    cpu_synchronize_state(current_cpu);
++    cpu = X86_CPU(current_cpu);
++    env = &cpu->env;
+ 
+     /*
+      * The VAPIC supports two PIO-based hypercalls, both via port 0x7E.

0034-scsi-initialise-info-object-with-appropriate-size.patch

@@ -0,0 +1,32 @@
+From: P J P <ppandit@redhat.com>
+Date: Mon, 21 Dec 2015 15:13:13 +0530
+Subject: [PATCH] scsi: initialise info object with appropriate size
+
+While processing controller 'CTRL_GET_INFO' command, the routine
+'megasas_ctrl_get_info' overflows the '&info' object size. Use its
+appropriate size to null initialise it.
+
+Reported-by: Qinghao Tang <luodalongde@gmail.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-Id: <alpine.LFD.2.20.1512211501420.22471@wniryva>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: P J P <ppandit@redhat.com>
+(cherry picked from commit 36fef36b91f7ec0435215860f1458b5342ce2811)
+---
+ hw/scsi/megasas.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
+index ad7317b..108448e 100644
+--- a/hw/scsi/megasas.c
++++ b/hw/scsi/megasas.c
+@@ -718,7 +718,7 @@ static int megasas_ctrl_get_info(MegasasState *s, MegasasCmd *cmd)
+     BusChild *kid;
+     int num_pd_disks = 0;
+ 
+-    memset(&info, 0x0, cmd->iov_size);
++    memset(&info, 0x0, dcmd_size);
+     if (cmd->iov_size < dcmd_size) {
+         trace_megasas_dcmd_invalid_xfer_len(cmd->index, cmd->iov_size,
+                                             dcmd_size);

0035-net-ne2000-fix-bounds-check-in-ioport-operations.patch

@@ -0,0 +1,45 @@
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Thu, 31 Dec 2015 17:05:27 +0530
+Subject: [PATCH] net: ne2000: fix bounds check in ioport operations
+
+While doing ioport r/w operations, ne2000 device emulation suffers
+from OOB r/w errors. Update respective array bounds check to avoid
+OOB access.
+
+Reported-by: Ling Liu <liuling-it@360.cn>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+(cherry picked from commit aa7f9966dfdff500bbbf1956d9e115b1fa8987a6)
+---
+ hw/net/ne2000.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
+index 2bdb4c9..364f226 100644
+--- a/hw/net/ne2000.c
++++ b/hw/net/ne2000.c
+@@ -476,8 +476,9 @@ static inline void ne2000_mem_writel(NE2000State *s, uint32_t addr,
+                                      uint32_t val)
+ {
+     addr &= ~1; /* XXX: check exact behaviour if not even */
+-    if (addr < 32 ||
+-        (addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE)) {
++    if (addr < 32
++        || (addr >= NE2000_PMEM_START
++            && addr + sizeof(uint32_t) <= NE2000_MEM_SIZE)) {
+         stl_le_p(s->mem + addr, val);
+     }
+ }
+@@ -506,8 +507,9 @@ static inline uint32_t ne2000_mem_readw(NE2000State *s, uint32_t addr)
+ static inline uint32_t ne2000_mem_readl(NE2000State *s, uint32_t addr)
+ {
+     addr &= ~1; /* XXX: check exact behaviour if not even */
+-    if (addr < 32 ||
+-        (addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE)) {
++    if (addr < 32
++        || (addr >= NE2000_PMEM_START
++            && addr + sizeof(uint32_t) <= NE2000_MEM_SIZE)) {
+         return ldl_le_p(s->mem + addr);
+     } else {
+         return 0xffffffff;

0036-hmp-fix-sendkey-out-of-bounds-write-CVE-2015-8619.patch

@@ -0,0 +1,120 @@
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Date: Wed, 13 Jan 2016 09:09:58 +0100
+Subject: [PATCH] hmp: fix sendkey out of bounds write (CVE-2015-8619)
+
+When processing 'sendkey' command, hmp_sendkey routine null
+terminates the 'keyname_buf' array. This results in an OOB
+write issue, if 'keyname_len' was to fall outside of
+'keyname_buf' array.
+
+Since the keyname's length is known the keyname_buf can be
+removed altogether by adding a length parameter to
+index_from_key() and using it for the error output as well.
+
+Reported-by: Ling Liu <liuling-it@360.cn>
+Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Message-Id: <20160113080958.GA18934@olga>
+[Comparison with "<" dumbed down, test for junk after strtoul()
+tweaked]
+Signed-off-by: Markus Armbruster <armbru@redhat.com>
+
+(cherry picked from commit 64ffbe04eaafebf4045a3ace52a360c14959d196)
+Signed-off-by: Cole Robinson <crobinso@redhat.com>
+---
+ hmp.c                | 18 ++++++++----------
+ include/ui/console.h |  2 +-
+ ui/input-legacy.c    |  5 +++--
+ 3 files changed, 12 insertions(+), 13 deletions(-)
+
+diff --git a/hmp.c b/hmp.c
+index 1b9a317..b058b1f 100644
+--- a/hmp.c
++++ b/hmp.c
+@@ -1584,21 +1584,18 @@ void hmp_sendkey(Monitor *mon, const QDict *qdict)
+     int has_hold_time = qdict_haskey(qdict, "hold-time");
+     int hold_time = qdict_get_try_int(qdict, "hold-time", -1);
+     Error *err = NULL;
+-    char keyname_buf[16];
+     char *separator;
+     int keyname_len;
+ 
+     while (1) {
+         separator = strchr(keys, '-');
+         keyname_len = separator ? separator - keys : strlen(keys);
+-        pstrcpy(keyname_buf, sizeof(keyname_buf), keys);
+ 
+         /* Be compatible with old interface, convert user inputted "<" */
+-        if (!strncmp(keyname_buf, "<", 1) && keyname_len == 1) {
+-            pstrcpy(keyname_buf, sizeof(keyname_buf), "less");
++        if (keys[0] == '<' && keyname_len == 1) {
++            keys = "less";
+             keyname_len = 4;
+         }
+-        keyname_buf[keyname_len] = 0;
+ 
+         keylist = g_malloc0(sizeof(*keylist));
+         keylist->value = g_malloc0(sizeof(*keylist->value));
+@@ -1611,16 +1608,17 @@ void hmp_sendkey(Monitor *mon, const QDict *qdict)
+         }
+         tmp = keylist;
+ 
+-        if (strstart(keyname_buf, "0x", NULL)) {
++        if (strstart(keys, "0x", NULL)) {
+             char *endp;
+-            int value = strtoul(keyname_buf, &endp, 0);
+-            if (*endp != '\0') {
++            int value = strtoul(keys, &endp, 0);
++            assert(endp <= keys + keyname_len);
++            if (endp != keys + keyname_len) {
+                 goto err_out;
+             }
+             keylist->value->kind = KEY_VALUE_KIND_NUMBER;
+             keylist->value->number = value;
+         } else {
+-            int idx = index_from_key(keyname_buf);
++            int idx = index_from_key(keys, keyname_len);
+             if (idx == Q_KEY_CODE_MAX) {
+                 goto err_out;
+             }
+@@ -1642,7 +1640,7 @@ out:
+     return;
+ 
+ err_out:
+-    monitor_printf(mon, "invalid parameter: %s\n", keyname_buf);
++    monitor_printf(mon, "invalid parameter: %.*s\n", keyname_len, keys);
+     goto out;
+ }
+ 
+diff --git a/include/ui/console.h b/include/ui/console.h
+index 2f5b9f0..c28ef58 100644
+--- a/include/ui/console.h
++++ b/include/ui/console.h
+@@ -352,7 +352,7 @@ static inline int vnc_display_pw_expire(const char *id, time_t expires)
+ void curses_display_init(DisplayState *ds, int full_screen);
+ 
+ /* input.c */
+-int index_from_key(const char *key);
++int index_from_key(const char *key, size_t key_length);
+ 
+ /* gtk.c */
+ void early_gtk_display_init(void);
+diff --git a/ui/input-legacy.c b/ui/input-legacy.c
+index 2d4ca19..270672a 100644
+--- a/ui/input-legacy.c
++++ b/ui/input-legacy.c
+@@ -60,12 +60,13 @@ static QTAILQ_HEAD(, QEMUPutLEDEntry) led_handlers =
+ static QTAILQ_HEAD(, QEMUPutMouseEntry) mouse_handlers =
+     QTAILQ_HEAD_INITIALIZER(mouse_handlers);
+ 
+-int index_from_key(const char *key)
++int index_from_key(const char *key, size_t key_length)
+ {
+     int i;
+ 
+     for (i = 0; QKeyCode_lookup[i] != NULL; i++) {
+-        if (!strcmp(key, QKeyCode_lookup[i])) {
++        if (!strncmp(key, QKeyCode_lookup[i], key_length) &&
++            !QKeyCode_lookup[i][key_length]) {
+             break;
+         }
+     }

0037-e1000-eliminate-infinite-loops-on-out-of-bounds-tran.patch

@@ -0,0 +1,95 @@
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Tue, 19 Jan 2016 14:17:20 +0100
+Subject: [PATCH] e1000: eliminate infinite loops on out-of-bounds transfer
+ start
+
+The start_xmit() and e1000_receive_iov() functions implement DMA transfers
+iterating over a set of descriptors that the guest's e1000 driver
+prepares:
+
+- the TDLEN and RDLEN registers store the total size of the descriptor
+  area,
+
+- while the TDH and RDH registers store the offset (in whole tx / rx
+  descriptors) into the area where the transfer is supposed to start.
+
+Each time a descriptor is processed, the TDH and RDH register is bumped
+(as appropriate for the transfer direction).
+
+QEMU already contains logic to deal with bogus transfers submitted by the
+guest:
+
+- Normally, the transmit case wants to increase TDH from its initial value
+  to TDT. (TDT is allowed to be numerically smaller than the initial TDH
+  value; wrapping at or above TDLEN bytes to zero is normal.) The failsafe
+  that QEMU currently has here is a check against reaching the original
+  TDH value again -- a complete wraparound, which should never happen.
+
+- In the receive case RDH is increased from its initial value until
+  "total_size" bytes have been received; preferably in a single step, or
+  in "s->rxbuf_size" byte steps, if the latter is smaller. However, null
+  RX descriptors are skipped without receiving data, while RDH is
+  incremented just the same. QEMU tries to prevent an infinite loop
+  (processing only null RX descriptors) by detecting whether RDH assumes
+  its original value during the loop. (Again, wrapping from RDLEN to 0 is
+  normal.)
+
+What both directions miss is that the guest could program TDLEN and RDLEN
+so low, and the initial TDH and RDH so high, that these registers will
+immediately be truncated to zero, and then never reassume their initial
+values in the loop -- a full wraparound will never occur.
+
+The condition that expresses this is:
+
+  xdh_start >= s->mac_reg[XDLEN] / sizeof(desc)
+
+i.e., TDH or RDH start out after the last whole rx or tx descriptor that
+fits into the TDLEN or RDLEN sized area.
+
+This condition could be checked before we enter the loops, but
+pci_dma_read() / pci_dma_write() knows how to fill in buffers safely for
+bogus DMA addresses, so we just extend the existing failsafes with the
+above condition.
+
+This is CVE-2016-1981.
+
+Cc: "Michael S. Tsirkin" <mst@redhat.com>
+Cc: Petr Matousek <pmatouse@redhat.com>
+Cc: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
+Cc: Prasad Pandit <ppandit@redhat.com>
+Cc: Michael Roth <mdroth@linux.vnet.ibm.com>
+Cc: Jason Wang <jasowang@redhat.com>
+Cc: qemu-stable@nongnu.org
+RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1296044
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Reviewed-by: Jason Wang <jasowang@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+(cherry picked from commit dd793a74882477ca38d49e191110c17dfee51dcc)
+---
+ hw/net/e1000.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/hw/net/e1000.c b/hw/net/e1000.c
+index f02b9ce..a365357 100644
+--- a/hw/net/e1000.c
++++ b/hw/net/e1000.c
+@@ -816,7 +816,8 @@ start_xmit(E1000State *s)
+          * bogus values to TDT/TDLEN.
+          * there's nothing too intelligent we could do about this.
+          */
+-        if (s->mac_reg[TDH] == tdh_start) {
++        if (s->mac_reg[TDH] == tdh_start ||
++            tdh_start >= s->mac_reg[TDLEN] / sizeof(desc)) {
+             DBGOUT(TXERR, "TDH wraparound @%x, TDT %x, TDLEN %x\n",
+                    tdh_start, s->mac_reg[TDT], s->mac_reg[TDLEN]);
+             break;
+@@ -1062,7 +1063,8 @@ e1000_receive_iov(NetClientState *nc, const struct iovec *iov, int iovcnt)
+         if (++s->mac_reg[RDH] * sizeof(desc) >= s->mac_reg[RDLEN])
+             s->mac_reg[RDH] = 0;
+         /* see comment in start_xmit; same here */
+-        if (s->mac_reg[RDH] == rdh_start) {
++        if (s->mac_reg[RDH] == rdh_start ||
++            rdh_start >= s->mac_reg[RDLEN] / sizeof(desc)) {
+             DBGOUT(RXERR, "RDH wraparound @%x, RDT %x, RDLEN %x\n",
+                    rdh_start, s->mac_reg[RDT], s->mac_reg[RDLEN]);
+             set_ics(s, 0, E1000_ICS_RXO);

0038-usb-check-page-select-value-while-processing-iTD.patch

@@ -0,0 +1,49 @@
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Wed, 20 Jan 2016 01:26:46 +0530
+Subject: [PATCH] usb: check page select value while processing iTD
+
+While processing isochronous transfer descriptors(iTD), the page
+select(PG) field value could lead to an OOB read access. Add
+check to avoid it.
+
+Reported-by: Qinghao Tang <luodalongde@gmail.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-id: 1453233406-12165-1-git-send-email-ppandit@redhat.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit 49d925ce50383a286278143c05511d30ec41a36e)
+---
+ hw/usb/hcd-ehci.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
+index 51d39c6..2f492d9 100644
+--- a/hw/usb/hcd-ehci.c
++++ b/hw/usb/hcd-ehci.c
+@@ -1404,21 +1404,23 @@ static int ehci_process_itd(EHCIState *ehci,
+         if (itd->transact[i] & ITD_XACT_ACTIVE) {
+             pg   = get_field(itd->transact[i], ITD_XACT_PGSEL);
+             off  = itd->transact[i] & ITD_XACT_OFFSET_MASK;
+-            ptr1 = (itd->bufptr[pg] & ITD_BUFPTR_MASK);
+-            ptr2 = (itd->bufptr[pg+1] & ITD_BUFPTR_MASK);
+             len  = get_field(itd->transact[i], ITD_XACT_LENGTH);
+ 
+             if (len > max * mult) {
+                 len = max * mult;
+             }
+-
+-            if (len > BUFF_SIZE) {
++            if (len > BUFF_SIZE || pg > 6) {
+                 return -1;
+             }
+ 
++            ptr1 = (itd->bufptr[pg] & ITD_BUFPTR_MASK);
+             qemu_sglist_init(&ehci->isgl, ehci->device, 2, ehci->as);
+             if (off + len > 4096) {
+                 /* transfer crosses page border */
++                if (pg == 6) {
++                    return -1;  /* avoid page pg + 1 */
++                }
++                ptr2 = (itd->bufptr[pg + 1] & ITD_BUFPTR_MASK);
+                 uint32_t len2 = off + len - 4096;
+                 uint32_t len1 = len - len2;
+                 qemu_sglist_add(&ehci->isgl, ptr1 + off, len1);

0039-ahci-Do-not-unmap-NULL-addresses.patch

@@ -0,0 +1,40 @@
+From: John Snow <jsnow@redhat.com>
+Date: Wed, 10 Feb 2016 13:29:40 -0500
+Subject: [PATCH] ahci: Do not unmap NULL addresses
+
+Definitely don't try to unmap a garbage address.
+
+Reported-by: Zuozhi fzz <zuozhi.fzz@alibaba-inc.com>
+Signed-off-by: John Snow <jsnow@redhat.com>
+Message-id: 1454103689-13042-2-git-send-email-jsnow@redhat.com
+(cherry picked from commit 99b4cb71069f109b79b27bc629fc0cf0886dbc4b)
+---
+ hw/ide/ahci.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
+index 833fd45..e939df0 100644
+--- a/hw/ide/ahci.c
++++ b/hw/ide/ahci.c
+@@ -587,6 +587,10 @@ static bool ahci_map_fis_address(AHCIDevice *ad)
+ 
+ static void ahci_unmap_fis_address(AHCIDevice *ad)
+ {
++    if (ad->res_fis == NULL) {
++        DPRINTF(ad->port_no, "Attempt to unmap NULL FIS address\n");
++        return;
++    }
+     dma_memory_unmap(ad->hba->as, ad->res_fis, 256,
+                      DMA_DIRECTION_FROM_DEVICE, 256);
+     ad->res_fis = NULL;
+@@ -603,6 +607,10 @@ static bool ahci_map_clb_address(AHCIDevice *ad)
+ 
+ static void ahci_unmap_clb_address(AHCIDevice *ad)
+ {
++    if (ad->lst == NULL) {
++        DPRINTF(ad->port_no, "Attempt to unmap NULL CLB address\n");
++        return;
++    }
+     dma_memory_unmap(ad->hba->as, ad->lst, 1024,
+                      DMA_DIRECTION_FROM_DEVICE, 1024);
+     ad->lst = NULL;

0040-target-ppc-rename-and-export-maybe_bswap_register.patch

@@ -0,0 +1,74 @@
+From: Greg Kurz <gkurz@linux.vnet.ibm.com>
+Date: Fri, 15 Jan 2016 16:00:18 +0100
+Subject: [PATCH] target-ppc: rename and export maybe_bswap_register()
+
+This helper will be used to support FP, Altivec and VSX registers when
+the guest is little-endian.
+
+Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
+Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
+(cherry picked from commit 376dbce0e3abe456fb8c7a3cd40dc369f8b33d30)
+---
+ target-ppc/cpu.h     |  1 +
+ target-ppc/gdbstub.c | 10 +++++-----
+ 2 files changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/target-ppc/cpu.h b/target-ppc/cpu.h
+index f15815f..d5a1a5f 100644
+--- a/target-ppc/cpu.h
++++ b/target-ppc/cpu.h
+@@ -2328,4 +2328,5 @@ int ppc_get_vcpu_dt_id(PowerPCCPU *cpu);
+  */
+ PowerPCCPU *ppc_get_vcpu_by_dt_id(int cpu_dt_id);
+ 
++void ppc_maybe_bswap_register(CPUPPCState *env, uint8_t *mem_buf, int len);
+ #endif /* !defined (__CPU_PPC_H__) */
+diff --git a/target-ppc/gdbstub.c b/target-ppc/gdbstub.c
+index 14675f4..b20bb0c 100644
+--- a/target-ppc/gdbstub.c
++++ b/target-ppc/gdbstub.c
+@@ -88,7 +88,7 @@ static int ppc_gdb_register_len(int n)
+    the proper ordering for the binary, and cannot be changed.
+    For system mode, TARGET_WORDS_BIGENDIAN is always set, and we must check
+    the current mode of the chip to see if we're running in little-endian.  */
+-static void maybe_bswap_register(CPUPPCState *env, uint8_t *mem_buf, int len)
++void ppc_maybe_bswap_register(CPUPPCState *env, uint8_t *mem_buf, int len)
+ {
+ #ifndef CONFIG_USER_ONLY
+     if (!msr_le) {
+@@ -158,7 +158,7 @@ int ppc_cpu_gdb_read_register(CPUState *cs, uint8_t *mem_buf, int n)
+             break;
+         }
+     }
+-    maybe_bswap_register(env, mem_buf, r);
++    ppc_maybe_bswap_register(env, mem_buf, r);
+     return r;
+ }
+ 
+@@ -214,7 +214,7 @@ int ppc_cpu_gdb_read_register_apple(CPUState *cs, uint8_t *mem_buf, int n)
+             break;
+         }
+     }
+-    maybe_bswap_register(env, mem_buf, r);
++    ppc_maybe_bswap_register(env, mem_buf, r);
+     return r;
+ }
+ 
+@@ -227,7 +227,7 @@ int ppc_cpu_gdb_write_register(CPUState *cs, uint8_t *mem_buf, int n)
+     if (!r) {
+         return r;
+     }
+-    maybe_bswap_register(env, mem_buf, r);
++    ppc_maybe_bswap_register(env, mem_buf, r);
+     if (n < 32) {
+         /* gprs */
+         env->gpr[n] = ldtul_p(mem_buf);
+@@ -277,7 +277,7 @@ int ppc_cpu_gdb_write_register_apple(CPUState *cs, uint8_t *mem_buf, int n)
+     if (!r) {
+         return r;
+     }
+-    maybe_bswap_register(env, mem_buf, r);
++    ppc_maybe_bswap_register(env, mem_buf, r);
+     if (n < 32) {
+         /* gprs */
+         env->gpr[n] = ldq_p(mem_buf);

0041-target-ppc-gdbstub-fix-float-registers-for-little-en.patch

@@ -0,0 +1,45 @@
+From: Greg Kurz <gkurz@linux.vnet.ibm.com>
+Date: Fri, 15 Jan 2016 16:00:25 +0100
+Subject: [PATCH] target-ppc: gdbstub: fix float registers for little-endian
+ guests
+
+Let's reuse the ppc_maybe_bswap_register() helper, like we already do
+with the general registers.
+
+Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
+Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
+(cherry picked from commit 385abeb3e356452eace44f3fe15e18c2532dcaa7)
+---
+ target-ppc/translate_init.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/target-ppc/translate_init.c b/target-ppc/translate_init.c
+index d74f4f0..51fa03c 100644
+--- a/target-ppc/translate_init.c
++++ b/target-ppc/translate_init.c
+@@ -8758,10 +8758,12 @@ static int gdb_get_float_reg(CPUPPCState *env, uint8_t *mem_buf, int n)
+ {
+     if (n < 32) {
+         stfq_p(mem_buf, env->fpr[n]);
++        ppc_maybe_bswap_register(env, mem_buf, 8);
+         return 8;
+     }
+     if (n == 32) {
+         stl_p(mem_buf, env->fpscr);
++        ppc_maybe_bswap_register(env, mem_buf, 4);
+         return 4;
+     }
+     return 0;
+@@ -8770,10 +8772,12 @@ static int gdb_get_float_reg(CPUPPCState *env, uint8_t *mem_buf, int n)
+ static int gdb_set_float_reg(CPUPPCState *env, uint8_t *mem_buf, int n)
+ {
+     if (n < 32) {
++        ppc_maybe_bswap_register(env, mem_buf, 8);
+         env->fpr[n] = ldfq_p(mem_buf);
+         return 8;
+     }
+     if (n == 32) {
++        ppc_maybe_bswap_register(env, mem_buf, 4);
+         helper_store_fpscr(env, ldl_p(mem_buf), 0xffffffff);
+         return 4;
+     }

0042-target-ppc-gdbstub-introduce-avr_need_swap.patch

@@ -0,0 +1,79 @@
+From: Greg Kurz <gkurz@linux.vnet.ibm.com>
+Date: Fri, 15 Jan 2016 16:00:31 +0100
+Subject: [PATCH] target-ppc: gdbstub: introduce avr_need_swap()
+
+This helper will be used to support Altivec registers in little-endian guests.
+This patch does not change functionnality.
+
+Note: I had to put the helper some lines away from the gdb_*_avr_reg()
+routines to get a more readable patch.
+
+Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
+Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
+(cherry picked from commit 87601e2d5c22d9c1fef0e09978d377f46336c1db)
+---
+ target-ppc/translate_init.c | 37 +++++++++++++++++++++++--------------
+ 1 file changed, 23 insertions(+), 14 deletions(-)
+
+diff --git a/target-ppc/translate_init.c b/target-ppc/translate_init.c
+index 51fa03c..c1d2db6 100644
+--- a/target-ppc/translate_init.c
++++ b/target-ppc/translate_init.c
+@@ -8754,6 +8754,15 @@ static void dump_ppc_insns (CPUPPCState *env)
+ }
+ #endif
+ 
++static bool avr_need_swap(CPUPPCState *env)
++{
++#ifdef HOST_WORDS_BIGENDIAN
++    return false;
++#else
++    return true;
++#endif
++}
++
+ static int gdb_get_float_reg(CPUPPCState *env, uint8_t *mem_buf, int n)
+ {
+     if (n < 32) {
+@@ -8787,13 +8796,13 @@ static int gdb_set_float_reg(CPUPPCState *env, uint8_t *mem_buf, int n)
+ static int gdb_get_avr_reg(CPUPPCState *env, uint8_t *mem_buf, int n)
+ {
+     if (n < 32) {
+-#ifdef HOST_WORDS_BIGENDIAN
+-        stq_p(mem_buf, env->avr[n].u64[0]);
+-        stq_p(mem_buf+8, env->avr[n].u64[1]);
+-#else
+-        stq_p(mem_buf, env->avr[n].u64[1]);
+-        stq_p(mem_buf+8, env->avr[n].u64[0]);
+-#endif
++        if (!avr_need_swap(env)) {
++            stq_p(mem_buf, env->avr[n].u64[0]);
++            stq_p(mem_buf+8, env->avr[n].u64[1]);
++        } else {
++            stq_p(mem_buf, env->avr[n].u64[1]);
++            stq_p(mem_buf+8, env->avr[n].u64[0]);
++        }
+         return 16;
+     }
+     if (n == 32) {
+@@ -8810,13 +8819,13 @@ static int gdb_get_avr_reg(CPUPPCState *env, uint8_t *mem_buf, int n)
+ static int gdb_set_avr_reg(CPUPPCState *env, uint8_t *mem_buf, int n)
+ {
+     if (n < 32) {
+-#ifdef HOST_WORDS_BIGENDIAN
+-        env->avr[n].u64[0] = ldq_p(mem_buf);
+-        env->avr[n].u64[1] = ldq_p(mem_buf+8);
+-#else
+-        env->avr[n].u64[1] = ldq_p(mem_buf);
+-        env->avr[n].u64[0] = ldq_p(mem_buf+8);
+-#endif
++        if (!avr_need_swap(env)) {
++            env->avr[n].u64[0] = ldq_p(mem_buf);
++            env->avr[n].u64[1] = ldq_p(mem_buf+8);
++        } else {
++            env->avr[n].u64[1] = ldq_p(mem_buf);
++            env->avr[n].u64[0] = ldq_p(mem_buf+8);
++        }
+         return 16;
+     }
+     if (n == 32) {

0043-target-ppc-gdbstub-fix-altivec-registers-for-little-.patch

@@ -0,0 +1,76 @@
+From: Greg Kurz <gkurz@linux.vnet.ibm.com>
+Date: Fri, 15 Jan 2016 16:00:38 +0100
+Subject: [PATCH] target-ppc: gdbstub: fix altivec registers for little-endian
+ guests
+
+Altivec registers are 128-bit wide. They are stored in memory as two
+64-bit values that must be byteswapped when the guest is little-endian.
+Let's reuse the ppc_maybe_bswap_register() helper for this.
+
+We also need to fix the ordering of the 64-bit elements according to
+the target endianness, for both system and user mode.
+
+Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
+Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
+(cherry picked from commit ea499e71506c91aa259a7fdccf1d6b2022f5b530)
+---
+ target-ppc/translate_init.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/target-ppc/translate_init.c b/target-ppc/translate_init.c
+index c1d2db6..a72e4b6 100644
+--- a/target-ppc/translate_init.c
++++ b/target-ppc/translate_init.c
+@@ -8757,9 +8757,9 @@ static void dump_ppc_insns (CPUPPCState *env)
+ static bool avr_need_swap(CPUPPCState *env)
+ {
+ #ifdef HOST_WORDS_BIGENDIAN
+-    return false;
++    return msr_le;
+ #else
+-    return true;
++    return !msr_le;
+ #endif
+ }
+ 
+@@ -8803,14 +8803,18 @@ static int gdb_get_avr_reg(CPUPPCState *env, uint8_t *mem_buf, int n)
+             stq_p(mem_buf, env->avr[n].u64[1]);
+             stq_p(mem_buf+8, env->avr[n].u64[0]);
+         }
++        ppc_maybe_bswap_register(env, mem_buf, 8);
++        ppc_maybe_bswap_register(env, mem_buf + 8, 8);
+         return 16;
+     }
+     if (n == 32) {
+         stl_p(mem_buf, env->vscr);
++        ppc_maybe_bswap_register(env, mem_buf, 4);
+         return 4;
+     }
+     if (n == 33) {
+         stl_p(mem_buf, (uint32_t)env->spr[SPR_VRSAVE]);
++        ppc_maybe_bswap_register(env, mem_buf, 4);
+         return 4;
+     }
+     return 0;
+@@ -8819,6 +8823,8 @@ static int gdb_get_avr_reg(CPUPPCState *env, uint8_t *mem_buf, int n)
+ static int gdb_set_avr_reg(CPUPPCState *env, uint8_t *mem_buf, int n)
+ {
+     if (n < 32) {
++        ppc_maybe_bswap_register(env, mem_buf, 8);
++        ppc_maybe_bswap_register(env, mem_buf + 8, 8);
+         if (!avr_need_swap(env)) {
+             env->avr[n].u64[0] = ldq_p(mem_buf);
+             env->avr[n].u64[1] = ldq_p(mem_buf+8);
+@@ -8829,10 +8835,12 @@ static int gdb_set_avr_reg(CPUPPCState *env, uint8_t *mem_buf, int n)
+         return 16;
+     }
+     if (n == 32) {
++        ppc_maybe_bswap_register(env, mem_buf, 4);
+         env->vscr = ldl_p(mem_buf);
+         return 4;
+     }
+     if (n == 33) {
++        ppc_maybe_bswap_register(env, mem_buf, 4);
+         env->spr[SPR_VRSAVE] = (target_ulong)ldl_p(mem_buf);
+         return 4;
+     }

0044-target-ppc-gdbstub-fix-spe-registers-for-little-endi.patch

@@ -0,0 +1,66 @@
+From: Greg Kurz <gkurz@linux.vnet.ibm.com>
+Date: Fri, 15 Jan 2016 16:00:44 +0100
+Subject: [PATCH] target-ppc: gdbstub: fix spe registers for little-endian
+ guests
+
+Let's reuse the ppc_maybe_bswap_register() helper, like we already do
+with the general registers.
+
+Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
+Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
+(cherry picked from commit 95f5b540abd964ac3bc9c63434d07681a5a175eb)
+---
+ target-ppc/translate_init.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/target-ppc/translate_init.c b/target-ppc/translate_init.c
+index a72e4b6..879d283 100644
+--- a/target-ppc/translate_init.c
++++ b/target-ppc/translate_init.c
+@@ -8852,6 +8852,7 @@ static int gdb_get_spe_reg(CPUPPCState *env, uint8_t *mem_buf, int n)
+     if (n < 32) {
+ #if defined(TARGET_PPC64)
+         stl_p(mem_buf, env->gpr[n] >> 32);
++        ppc_maybe_bswap_register(env, mem_buf, 4);
+ #else
+         stl_p(mem_buf, env->gprh[n]);
+ #endif
+@@ -8859,10 +8860,12 @@ static int gdb_get_spe_reg(CPUPPCState *env, uint8_t *mem_buf, int n)
+     }
+     if (n == 32) {
+         stq_p(mem_buf, env->spe_acc);
++        ppc_maybe_bswap_register(env, mem_buf, 8);
+         return 8;
+     }
+     if (n == 33) {
+         stl_p(mem_buf, env->spe_fscr);
++        ppc_maybe_bswap_register(env, mem_buf, 4);
+         return 4;
+     }
+     return 0;
+@@ -8873,7 +8876,11 @@ static int gdb_set_spe_reg(CPUPPCState *env, uint8_t *mem_buf, int n)
+     if (n < 32) {
+ #if defined(TARGET_PPC64)
+         target_ulong lo = (uint32_t)env->gpr[n];
+-        target_ulong hi = (target_ulong)ldl_p(mem_buf) << 32;
++        target_ulong hi;
++
++        ppc_maybe_bswap_register(env, mem_buf, 4);
++
++        hi = (target_ulong)ldl_p(mem_buf) << 32;
+         env->gpr[n] = lo | hi;
+ #else
+         env->gprh[n] = ldl_p(mem_buf);
+@@ -8881,10 +8888,12 @@ static int gdb_set_spe_reg(CPUPPCState *env, uint8_t *mem_buf, int n)
+         return 4;
+     }
+     if (n == 32) {
++        ppc_maybe_bswap_register(env, mem_buf, 8);
+         env->spe_acc = ldq_p(mem_buf);
+         return 8;
+     }
+     if (n == 33) {
++        ppc_maybe_bswap_register(env, mem_buf, 4);
+         env->spe_fscr = ldl_p(mem_buf);
+         return 4;
+     }

0045-target-ppc-gdbstub-Add-VSX-support.patch

@@ -0,0 +1,139 @@
+From: Anton Blanchard <anton@samba.org>
+Date: Fri, 15 Jan 2016 16:00:51 +0100
+Subject: [PATCH] target-ppc: gdbstub: Add VSX support
+
+Add the XML and functions to get and set VSX registers.
+
+Signed-off-by: Anton Blanchard <anton@samba.org>
+(fixed little-endian guests)
+Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
+Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
+
+(cherry picked from commit 1438eff302cbc6c85d477fd7181b8a9aeea2efd7)
+---
+ configure                   |  6 +++---
+ gdb-xml/power-vsx.xml       | 44 ++++++++++++++++++++++++++++++++++++++++++++
+ target-ppc/translate_init.c | 24 ++++++++++++++++++++++++
+ 3 files changed, 71 insertions(+), 3 deletions(-)
+ create mode 100644 gdb-xml/power-vsx.xml
+
+diff --git a/configure b/configure
+index adbe117..69a5e2d 100755
+--- a/configure
++++ b/configure
+@@ -5188,20 +5188,20 @@ case "$target_name" in
+   ppc64)
+     TARGET_BASE_ARCH=ppc
+     TARGET_ABI_DIR=ppc
+-    gdb_xml_files="power64-core.xml power-fpu.xml power-altivec.xml power-spe.xml"
++    gdb_xml_files="power64-core.xml power-fpu.xml power-altivec.xml power-spe.xml power-vsx.xml"
+   ;;
+   ppc64le)
+     TARGET_ARCH=ppc64
+     TARGET_BASE_ARCH=ppc
+     TARGET_ABI_DIR=ppc
+-    gdb_xml_files="power64-core.xml power-fpu.xml power-altivec.xml power-spe.xml"
++    gdb_xml_files="power64-core.xml power-fpu.xml power-altivec.xml power-spe.xml power-vsx.xml"
+   ;;
+   ppc64abi32)
+     TARGET_ARCH=ppc64
+     TARGET_BASE_ARCH=ppc
+     TARGET_ABI_DIR=ppc
+     echo "TARGET_ABI32=y" >> $config_target_mak
+-    gdb_xml_files="power64-core.xml power-fpu.xml power-altivec.xml power-spe.xml"
++    gdb_xml_files="power64-core.xml power-fpu.xml power-altivec.xml power-spe.xml power-vsx.xml"
+   ;;
+   sh4|sh4eb)
+     TARGET_ARCH=sh4
+diff --git a/gdb-xml/power-vsx.xml b/gdb-xml/power-vsx.xml
+new file mode 100644
+index 0000000..fd290e9
+--- /dev/null
++++ b/gdb-xml/power-vsx.xml
+@@ -0,0 +1,44 @@
++<?xml version="1.0"?>
++<!-- Copyright (C) 2008-2015 Free Software Foundation, Inc.
++
++     Copying and distribution of this file, with or without modification,
++     are permitted in any medium without royalty provided the copyright
++     notice and this notice are preserved.  -->
++
++<!-- POWER7 VSX registers that do not overlap existing FP and VMX
++     registers.  -->
++<!DOCTYPE feature SYSTEM "gdb-target.dtd">
++<feature name="org.gnu.gdb.power.vsx">
++  <reg name="vs0h" bitsize="64" type="uint64"/>
++  <reg name="vs1h" bitsize="64" type="uint64"/>
++  <reg name="vs2h" bitsize="64" type="uint64"/>
++  <reg name="vs3h" bitsize="64" type="uint64"/>
++  <reg name="vs4h" bitsize="64" type="uint64"/>
++  <reg name="vs5h" bitsize="64" type="uint64"/>
++  <reg name="vs6h" bitsize="64" type="uint64"/>
++  <reg name="vs7h" bitsize="64" type="uint64"/>
++  <reg name="vs8h" bitsize="64" type="uint64"/>
++  <reg name="vs9h" bitsize="64" type="uint64"/>
++  <reg name="vs10h" bitsize="64" type="uint64"/>
++  <reg name="vs11h" bitsize="64" type="uint64"/>
++  <reg name="vs12h" bitsize="64" type="uint64"/>
++  <reg name="vs13h" bitsize="64" type="uint64"/>
++  <reg name="vs14h" bitsize="64" type="uint64"/>
++  <reg name="vs15h" bitsize="64" type="uint64"/>
++  <reg name="vs16h" bitsize="64" type="uint64"/>
++  <reg name="vs17h" bitsize="64" type="uint64"/>
++  <reg name="vs18h" bitsize="64" type="uint64"/>
++  <reg name="vs19h" bitsize="64" type="uint64"/>
++  <reg name="vs20h" bitsize="64" type="uint64"/>
++  <reg name="vs21h" bitsize="64" type="uint64"/>
++  <reg name="vs22h" bitsize="64" type="uint64"/>
++  <reg name="vs23h" bitsize="64" type="uint64"/>
++  <reg name="vs24h" bitsize="64" type="uint64"/>
++  <reg name="vs25h" bitsize="64" type="uint64"/>
++  <reg name="vs26h" bitsize="64" type="uint64"/>
++  <reg name="vs27h" bitsize="64" type="uint64"/>
++  <reg name="vs28h" bitsize="64" type="uint64"/>
++  <reg name="vs29h" bitsize="64" type="uint64"/>
++  <reg name="vs30h" bitsize="64" type="uint64"/>
++  <reg name="vs31h" bitsize="64" type="uint64"/>
++</feature>
+diff --git a/target-ppc/translate_init.c b/target-ppc/translate_init.c
+index 879d283..130e27e 100644
+--- a/target-ppc/translate_init.c
++++ b/target-ppc/translate_init.c
+@@ -8900,6 +8900,26 @@ static int gdb_set_spe_reg(CPUPPCState *env, uint8_t *mem_buf, int n)
+     return 0;
+ }
+ 
++static int gdb_get_vsx_reg(CPUPPCState *env, uint8_t *mem_buf, int n)
++{
++    if (n < 32) {
++        stq_p(mem_buf, env->vsr[n]);
++        ppc_maybe_bswap_register(env, mem_buf, 8);
++        return 8;
++    }
++    return 0;
++}
++
++static int gdb_set_vsx_reg(CPUPPCState *env, uint8_t *mem_buf, int n)
++{
++    if (n < 32) {
++        ppc_maybe_bswap_register(env, mem_buf, 8);
++        env->vsr[n] = ldq_p(mem_buf);
++        return 8;
++    }
++    return 0;
++}
++
+ static int ppc_fixup_cpu(PowerPCCPU *cpu)
+ {
+     CPUPPCState *env = &cpu->env;
+@@ -8997,6 +9017,10 @@ static void ppc_cpu_realizefn(DeviceState *dev, Error **errp)
+         gdb_register_coprocessor(cs, gdb_get_spe_reg, gdb_set_spe_reg,
+                                  34, "power-spe.xml", 0);
+     }
++    if (pcc->insns_flags2 & PPC2_VSX) {
++        gdb_register_coprocessor(cs, gdb_get_vsx_reg, gdb_set_vsx_reg,
++                                 32, "power-vsx.xml", 0);
++    }
+ 
+     qemu_init_vcpu(cs);
+ 

0046-target-ppc-kvm-fix-floating-point-registers-sync-on-.patch

@@ -0,0 +1,85 @@
+From: Greg Kurz <gkurz@linux.vnet.ibm.com>
+Date: Fri, 15 Jan 2016 16:00:12 +0100
+Subject: [PATCH] target-ppc: kvm: fix floating point registers sync on
+ little-endian hosts
+
+On VSX capable CPUs, the 32 FP registers are mapped to the high-bits
+of the 32 first VSX registers. So if you have:
+
+VSR31 = (uint128) 0x0102030405060708090a0b0c0d0e0f00
+
+then
+
+FPR31 = (uint64) 0x0102030405060708
+
+The kernel stores the VSX registers in the fp_state struct following the
+host endian element ordering.
+
+On big-endian:
+
+fp_state.fpr[31][0] = 0x0102030405060708
+fp_state.fpr[31][1] = 0x090a0b0c0d0e0f00
+
+On little-endian:
+
+fp_state.fpr[31][0] = 0x090a0b0c0d0e0f00
+fp_state.fpr[31][1] = 0x0102030405060708
+
+The KVM_GET_ONE_REG and KVM_SET_ONE_REG ioctls preserve this ordering, but
+QEMU considers it as big-endian and always copies element [0] to the
+fpr[] array and element [1] to the vsr[] array. This does not work with
+little-endian hosts, and you will get:
+
+(qemu) p $f31
+0x90a0b0c0d0e0f00
+
+instead of:
+
+(qemu) p $f31
+0x102030405060708
+
+This patch fixes the element ordering for little-endian hosts.
+
+Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
+Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
+(cherry picked from commit 3a4b791b4c13e02537a5cc572fa3de70bc5f68da)
+---
+ target-ppc/kvm.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/target-ppc/kvm.c b/target-ppc/kvm.c
+index 84ae447..7f789d6 100644
+--- a/target-ppc/kvm.c
++++ b/target-ppc/kvm.c
+@@ -640,8 +640,13 @@ static int kvm_put_fp(CPUState *cs)
+         for (i = 0; i < 32; i++) {
+             uint64_t vsr[2];
+ 
++#ifdef HOST_WORDS_BIGENDIAN
+             vsr[0] = float64_val(env->fpr[i]);
+             vsr[1] = env->vsr[i];
++#else
++            vsr[0] = env->vsr[i];
++            vsr[1] = float64_val(env->fpr[i]);
++#endif
+             reg.addr = (uintptr_t) &vsr;
+             reg.id = vsx ? KVM_REG_PPC_VSR(i) : KVM_REG_PPC_FPR(i);
+ 
+@@ -711,10 +716,17 @@ static int kvm_get_fp(CPUState *cs)
+                         vsx ? "VSR" : "FPR", i, strerror(errno));
+                 return ret;
+             } else {
++#ifdef HOST_WORDS_BIGENDIAN
+                 env->fpr[i] = vsr[0];
+                 if (vsx) {
+                     env->vsr[i] = vsr[1];
+                 }
++#else
++                env->fpr[i] = vsr[1];
++                if (vsx) {
++                    env->vsr[i] = vsr[0];
++                }
++#endif
+             }
+         }
+     }

0101-vmdk-Create-streamOptimized-as-version-3.patch

@@ -0,0 +1,34 @@
+From: Fam Zheng <famz@redhat.com>
+Date: Thu, 17 Sep 2015 13:04:10 +0800
+Subject: [PATCH] vmdk: Create streamOptimized as version 3
+
+VMware products accept only version 3 for streamOptimized, let's bump
+the version.
+
+Reported-by: Radoslav Gerganov <rgerganov@vmware.com>
+Signed-off-by: Fam Zheng <famz@redhat.com>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+(cherry picked from commit d62d9dc4b814950dcc8bd261a3e2e9300d9065e6)
+---
+ block/vmdk.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/block/vmdk.c b/block/vmdk.c
+index 4c71cde..27d86f0 100644
+--- a/block/vmdk.c
++++ b/block/vmdk.c
+@@ -1662,7 +1662,13 @@ static int vmdk_create_extent(const char *filename, int64_t filesize,
+     }
+     magic = cpu_to_be32(VMDK4_MAGIC);
+     memset(&header, 0, sizeof(header));
+-    header.version = zeroed_grain ? 2 : 1;
++    if (compress) {
++        header.version = 3;
++    } else if (zeroed_grain) {
++        header.version = 2;
++    } else {
++        header.version = 1;
++    }
+     header.flags = VMDK4_FLAG_RGD | VMDK4_FLAG_NL_DETECT
+                    | (compress ? VMDK4_FLAG_COMPRESS | VMDK4_FLAG_MARKER : 0)
+                    | (zeroed_grain ? VMDK4_FLAG_ZERO_GRAIN : 0);

0102-vmdk-Fix-converting-to-streamOptimized.patch

@@ -0,0 +1,48 @@
+From: Fam Zheng <famz@redhat.com>
+Date: Mon, 25 Jan 2016 10:26:23 +0800
+Subject: [PATCH] vmdk: Fix converting to streamOptimized
+
+Commit d62d9dc4b8 lifted streamOptimized images's version to 3, but we
+now refuse to open version 3 images read-write.  We need to make
+streamOptimized an exception to allow converting to it. This fixes the
+accidentally broken iotests case 059 for the same reason.
+
+Signed-off-by: Fam Zheng <famz@redhat.com>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+(cherry picked from commit 3db1d98a20262228373bb973ca62b1ab64b29af4)
+---
+ block/vmdk.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/block/vmdk.c b/block/vmdk.c
+index 27d86f0..c551ebc 100644
+--- a/block/vmdk.c
++++ b/block/vmdk.c
+@@ -591,6 +591,7 @@ static int vmdk_open_vmdk4(BlockDriverState *bs,
+     VmdkExtent *extent;
+     BDRVVmdkState *s = bs->opaque;
+     int64_t l1_backup_offset = 0;
++    bool compressed;
+ 
+     ret = bdrv_pread(file, sizeof(magic), &header, sizeof(header));
+     if (ret < 0) {
+@@ -665,6 +666,8 @@ static int vmdk_open_vmdk4(BlockDriverState *bs,
+         header = footer.header;
+     }
+ 
++    compressed =
++        le16_to_cpu(header.compressAlgorithm) == VMDK4_COMPRESSION_DEFLATE;
+     if (le32_to_cpu(header.version) > 3) {
+         char buf[64];
+         snprintf(buf, sizeof(buf), "VMDK version %" PRId32,
+@@ -672,7 +675,8 @@ static int vmdk_open_vmdk4(BlockDriverState *bs,
+         error_set(errp, QERR_UNKNOWN_BLOCK_FORMAT_FEATURE,
+                   bdrv_get_device_name(bs), "vmdk", buf);
+         return -ENOTSUP;
+-    } else if (le32_to_cpu(header.version) == 3 && (flags & BDRV_O_RDWR)) {
++    } else if (le32_to_cpu(header.version) == 3 && (flags & BDRV_O_RDWR) &&
++               !compressed) {
+         /* VMware KB 2064959 explains that version 3 added support for
+          * persistent changed block tracking (CBT), and backup software can
+          * read it as version=1 if it doesn't care about the changed area

0103-usb-check-RNDIS-message-length.patch

@@ -0,0 +1,61 @@
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Wed, 17 Feb 2016 00:23:40 +0530
+Subject: [PATCH] usb: check RNDIS message length
+
+When processing remote NDIS control message packets, the USB Net
+device emulator uses a fixed length(4096) data buffer. The incoming
+packet length could exceed this limit. Add a check to avoid it.
+
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-id: 1455648821-17340-2-git-send-email-ppandit@redhat.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit 64c9bc181fc78275596649f591302d72df2d3071)
+---
+ hw/usb/core.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/hw/usb/core.c b/hw/usb/core.c
+index cf34755..f0201e3 100644
+--- a/hw/usb/core.c
++++ b/hw/usb/core.c
+@@ -128,9 +128,16 @@ static void do_token_setup(USBDevice *s, USBPacket *p)
+     }
+ 
+     usb_packet_copy(p, s->setup_buf, p->iov.size);
++    s->setup_index = 0;
+     p->actual_length = 0;
+     s->setup_len   = (s->setup_buf[7] << 8) | s->setup_buf[6];
+-    s->setup_index = 0;
++    if (s->setup_len > sizeof(s->data_buf)) {
++        fprintf(stderr,
++                "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",
++                s->setup_len, sizeof(s->data_buf));
++        p->status = USB_RET_STALL;
++        return;
++    }
+ 
+     request = (s->setup_buf[0] << 8) | s->setup_buf[1];
+     value   = (s->setup_buf[3] << 8) | s->setup_buf[2];
+@@ -151,13 +158,6 @@ static void do_token_setup(USBDevice *s, USBPacket *p)
+         }
+         s->setup_state = SETUP_STATE_DATA;
+     } else {
+-        if (s->setup_len > sizeof(s->data_buf)) {
+-            fprintf(stderr,
+-                "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",
+-                s->setup_len, sizeof(s->data_buf));
+-            p->status = USB_RET_STALL;
+-            return;
+-        }
+         if (s->setup_len == 0)
+             s->setup_state = SETUP_STATE_ACK;
+         else
+@@ -176,7 +176,7 @@ static void do_token_in(USBDevice *s, USBPacket *p)
+     request = (s->setup_buf[0] << 8) | s->setup_buf[1];
+     value   = (s->setup_buf[3] << 8) | s->setup_buf[2];
+     index   = (s->setup_buf[5] << 8) | s->setup_buf[4];
+- 
++
+     switch(s->setup_state) {
+     case SETUP_STATE_ACK:
+         if (!(s->setup_buf[0] & USB_DIR_IN)) {

0104-usb-check-RNDIS-buffer-offsets-length.patch

@@ -0,0 +1,56 @@
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Wed, 17 Feb 2016 00:23:41 +0530
+Subject: [PATCH] usb: check RNDIS buffer offsets & length
+
+When processing remote NDIS control message packets,
+the USB Net device emulator uses a fixed length(4096) data buffer.
+The incoming informationBufferOffset & Length combination could
+overflow and cross that range. Check control message buffer
+offsets and length to avoid it.
+
+Reported-by: Qinghao Tang <luodalongde@gmail.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-id: 1455648821-17340-3-git-send-email-ppandit@redhat.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit fe3c546c5ff2a6210f9a4d8561cc64051ca8603e)
+---
+ hw/usb/dev-network.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/hw/usb/dev-network.c b/hw/usb/dev-network.c
+index 9be3a64..919ba2d 100644
+--- a/hw/usb/dev-network.c
++++ b/hw/usb/dev-network.c
+@@ -911,8 +911,9 @@ static int rndis_query_response(USBNetState *s,
+ 
+     bufoffs = le32_to_cpu(buf->InformationBufferOffset) + 8;
+     buflen = le32_to_cpu(buf->InformationBufferLength);
+-    if (bufoffs + buflen > length)
++    if (buflen > length || bufoffs >= length || bufoffs + buflen > length) {
+         return USB_RET_STALL;
++    }
+ 
+     infobuflen = ndis_query(s, le32_to_cpu(buf->OID),
+                             bufoffs + (uint8_t *) buf, buflen, infobuf,
+@@ -957,8 +958,9 @@ static int rndis_set_response(USBNetState *s,
+ 
+     bufoffs = le32_to_cpu(buf->InformationBufferOffset) + 8;
+     buflen = le32_to_cpu(buf->InformationBufferLength);
+-    if (bufoffs + buflen > length)
++    if (buflen > length || bufoffs >= length || bufoffs + buflen > length) {
+         return USB_RET_STALL;
++    }
+ 
+     ret = ndis_set(s, le32_to_cpu(buf->OID),
+                     bufoffs + (uint8_t *) buf, buflen);
+@@ -1208,8 +1210,9 @@ static void usb_net_handle_dataout(USBNetState *s, USBPacket *p)
+     if (le32_to_cpu(msg->MessageType) == RNDIS_PACKET_MSG) {
+         uint32_t offs = 8 + le32_to_cpu(msg->DataOffset);
+         uint32_t size = le32_to_cpu(msg->DataLength);
+-        if (offs + size <= len)
++        if (offs < len && size < len && offs + size <= len) {
+             qemu_send_packet(qemu_get_queue(s->nic), s->out_buf + offs, size);
++        }
+     }
+     s->out_ptr -= len;
+     memmove(s->out_buf, &s->out_buf[len], s->out_ptr);

0105-net-ne2000-check-ring-buffer-control-registers.patch

@@ -0,0 +1,34 @@
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Wed, 24 Feb 2016 11:41:33 +0530
+Subject: [PATCH] net: ne2000: check ring buffer control registers
+
+Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
+bytes to process network packets. Registers PSTART & PSTOP
+define ring buffer size & location. Setting these registers
+to invalid values could lead to infinite loop or OOB r/w
+access issues. Add check to avoid it.
+
+Reported-by: Yang Hongke <yanghongke@huawei.com>
+Tested-by: Yang Hongke <yanghongke@huawei.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+(cherry picked from commit 415ab35a441eca767d033a2702223e785b9d5190)
+---
+ hw/net/ne2000.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
+index 364f226..d196be6 100644
+--- a/hw/net/ne2000.c
++++ b/hw/net/ne2000.c
+@@ -154,6 +154,10 @@ static int ne2000_buffer_full(NE2000State *s)
+ {
+     int avail, index, boundary;
+ 
++    if (s->stop <= s->start) {
++        return 1;
++    }
++
+     index = s->curpag << 8;
+     boundary = s->boundary << 8;
+     if (index < boundary)

0106-net-check-packet-payload-length.patch

@@ -0,0 +1,44 @@
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Wed, 2 Mar 2016 17:29:58 +0530
+Subject: [PATCH] net: check packet payload length
+
+While computing IP checksum, 'net_checksum_calculate' reads
+payload length from the packet. It could exceed the given 'data'
+buffer size. Add a check to avoid it.
+
+Reported-by: Liu Ling <liuling-it@360.cn>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+(cherry picked from commit 362786f14a753d8a5256ef97d7c10ed576d6572b)
+---
+ net/checksum.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/net/checksum.c b/net/checksum.c
+index 14c0855..0942437 100644
+--- a/net/checksum.c
++++ b/net/checksum.c
+@@ -59,6 +59,11 @@ void net_checksum_calculate(uint8_t *data, int length)
+     int hlen, plen, proto, csum_offset;
+     uint16_t csum;
+ 
++    /* Ensure data has complete L2 & L3 headers. */
++    if (length < 14 + 20) {
++        return;
++    }
++
+     if ((data[14] & 0xf0) != 0x40)
+ 	return; /* not IPv4 */
+     hlen  = (data[14] & 0x0f) * 4;
+@@ -76,8 +81,9 @@ void net_checksum_calculate(uint8_t *data, int length)
+ 	return;
+     }
+ 
+-    if (plen < csum_offset+2)
+-	return;
++    if (plen < csum_offset + 2 || 14 + hlen + plen > length) {
++        return;
++    }
+ 
+     data[14+hlen+csum_offset]   = 0;
+     data[14+hlen+csum_offset+1] = 0;

0107-usb-check-USB-configuration-descriptor-object.patch

@@ -0,0 +1,32 @@
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Thu, 11 Feb 2016 16:31:20 +0530
+Subject: [PATCH] usb: check USB configuration descriptor object
+
+When processing remote NDIS control message packets, the USB Net
+device emulator checks to see if the USB configuration descriptor
+object is of RNDIS type(2). But it does not check if it is null,
+which leads to a null dereference error. Add check to avoid it.
+
+Reported-by: Qinghao Tang <luodalongde@gmail.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-id: 1455188480-14688-1-git-send-email-ppandit@redhat.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit 80eecda8e5d09c442c24307f340840a5b70ea3b9)
+---
+ hw/usb/dev-network.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/hw/usb/dev-network.c b/hw/usb/dev-network.c
+index 919ba2d..baf56b7 100644
+--- a/hw/usb/dev-network.c
++++ b/hw/usb/dev-network.c
+@@ -650,7 +650,8 @@ typedef struct USBNetState {
+ 
+ static int is_rndis(USBNetState *s)
+ {
+-    return s->dev.config->bConfigurationValue == DEV_RNDIS_CONFIG_VALUE;
++    return s->dev.config ?
++            s->dev.config->bConfigurationValue == DEV_RNDIS_CONFIG_VALUE : 0;
+ }
+ 
+ static int ndis_query(USBNetState *s, uint32_t oid,

0108-spice-fix-spice_chr_add_watch-pre-condition.patch

@@ -0,0 +1,29 @@
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@gmail.com>
+Date: Thu, 28 May 2015 15:04:58 +0200
+Subject: [PATCH] spice: fix spice_chr_add_watch() pre-condition
+
+Since e02bc6de30c44fd668dc0d6e1cd1804f2eed3ed3, add_watch() is called
+with G_IO_HUP. Even if spice-qemu-char ignores this flag, the
+precondition must be changed.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1128992
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit f7a8beb5e6a13dc924895244777d9ef08b23b367)
+---
+ spice-qemu-char.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/spice-qemu-char.c b/spice-qemu-char.c
+index a4f4e57..4199bc2 100644
+--- a/spice-qemu-char.c
++++ b/spice-qemu-char.c
+@@ -169,7 +169,7 @@ static GSource *spice_chr_add_watch(CharDriverState *chr, GIOCondition cond)
+     SpiceCharDriver *scd = chr->opaque;
+     SpiceCharSource *src;
+ 
+-    assert(cond == G_IO_OUT);
++    assert(cond & G_IO_OUT);
+ 
+     src = (SpiceCharSource *)g_source_new(&SpiceCharSourceFuncs,
+                                           sizeof(SpiceCharSource));

0109-vga-fix-banked-access-bounds-checking-CVE-2016-3710.patch

@@ -0,0 +1,104 @@
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Tue, 26 Apr 2016 08:49:10 +0200
+Subject: [PATCH] vga: fix banked access bounds checking (CVE-2016-3710)
+
+vga allows banked access to video memory using the window at 0xa00000
+and it supports a different access modes with different address
+calculations.
+
+The VBE bochs extentions support banked access too, using the
+VBE_DISPI_INDEX_BANK register.  The code tries to take the different
+address calculations into account and applies different limits to
+VBE_DISPI_INDEX_BANK depending on the current access mode.
+
+Which is probably effective in stopping misprogramming by accident.
+But from a security point of view completely useless as an attacker
+can easily change access modes after setting the bank register.
+
+Drop the bogus check, add range checks to vga_mem_{readb,writeb}
+instead.
+
+Fixes: CVE-2016-3710
+Reported-by: Qinghao Tang <luodalongde@gmail.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit 3bf1817079bb0d80c0d8a86a7c7dd0bfe90eb82e)
+---
+ hw/display/vga.c | 24 ++++++++++++++++++------
+ 1 file changed, 18 insertions(+), 6 deletions(-)
+
+diff --git a/hw/display/vga.c b/hw/display/vga.c
+index d1d296c..a26c8f4 100644
+--- a/hw/display/vga.c
++++ b/hw/display/vga.c
+@@ -177,6 +177,7 @@ static void vga_update_memory_access(VGACommonState *s)
+             size = 0x8000;
+             break;
+         }
++        assert(offset + size <= s->vram_size);
+         memory_region_init_alias(&s->chain4_alias, memory_region_owner(&s->vram),
+                                  "vga.chain4", &s->vram, offset, size);
+         memory_region_add_subregion_overlap(s->legacy_address_space, base,
+@@ -714,11 +715,7 @@ void vbe_ioport_write_data(void *opaque, uint32_t addr, uint32_t val)
+             vbe_fixup_regs(s);
+             break;
+         case VBE_DISPI_INDEX_BANK:
+-            if (s->vbe_regs[VBE_DISPI_INDEX_BPP] == 4) {
+-              val &= (s->vbe_bank_mask >> 2);
+-            } else {
+-              val &= s->vbe_bank_mask;
+-            }
++            val &= s->vbe_bank_mask;
+             s->vbe_regs[s->vbe_index] = val;
+             s->bank_offset = (val << 16);
+             vga_update_memory_access(s);
+@@ -817,13 +814,21 @@ uint32_t vga_mem_readb(VGACommonState *s, hwaddr addr)
+ 
+     if (s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) {
+         /* chain 4 mode : simplest access */
++        assert(addr < s->vram_size);
+         ret = s->vram_ptr[addr];
+     } else if (s->gr[VGA_GFX_MODE] & 0x10) {
+         /* odd/even mode (aka text mode mapping) */
+         plane = (s->gr[VGA_GFX_PLANE_READ] & 2) | (addr & 1);
+-        ret = s->vram_ptr[((addr & ~1) << 1) | plane];
++        addr = ((addr & ~1) << 1) | plane;
++        if (addr >= s->vram_size) {
++            return 0xff;
++        }
++        ret = s->vram_ptr[addr];
+     } else {
+         /* standard VGA latched access */
++        if (addr * sizeof(uint32_t) >= s->vram_size) {
++            return 0xff;
++        }
+         s->latch = ((uint32_t *)s->vram_ptr)[addr];
+ 
+         if (!(s->gr[VGA_GFX_MODE] & 0x08)) {
+@@ -880,6 +885,7 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val)
+         plane = addr & 3;
+         mask = (1 << plane);
+         if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) {
++            assert(addr < s->vram_size);
+             s->vram_ptr[addr] = val;
+ #ifdef DEBUG_VGA_MEM
+             printf("vga: chain4: [0x" TARGET_FMT_plx "]\n", addr);
+@@ -893,6 +899,9 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val)
+         mask = (1 << plane);
+         if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) {
+             addr = ((addr & ~1) << 1) | plane;
++            if (addr >= s->vram_size) {
++                return;
++            }
+             s->vram_ptr[addr] = val;
+ #ifdef DEBUG_VGA_MEM
+             printf("vga: odd/even: [0x" TARGET_FMT_plx "]\n", addr);
+@@ -966,6 +975,9 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val)
+         mask = s->sr[VGA_SEQ_PLANE_WRITE];
+         s->plane_updated |= mask; /* only used to detect font change */
+         write_mask = mask16[mask];
++        if (addr * sizeof(uint32_t) >= s->vram_size) {
++            return;
++        }
+         ((uint32_t *)s->vram_ptr)[addr] =
+             (((uint32_t *)s->vram_ptr)[addr] & ~write_mask) |
+             (val & write_mask);

0110-vga-add-vbe_enabled-helper.patch

@@ -0,0 +1,64 @@
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Tue, 26 Apr 2016 14:11:34 +0200
+Subject: [PATCH] vga: add vbe_enabled() helper
+
+Makes code a bit easier to read.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit bfa0f151a564a83b5a26f3e917da98674bf3cf62)
+---
+ hw/display/vga.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/hw/display/vga.c b/hw/display/vga.c
+index a26c8f4..955ad6f 100644
+--- a/hw/display/vga.c
++++ b/hw/display/vga.c
+@@ -140,6 +140,11 @@ static uint32_t expand4[256];
+ static uint16_t expand2[256];
+ static uint8_t expand4to8[16];
+ 
++static inline bool vbe_enabled(VGACommonState *s)
++{
++    return s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED;
++}
++
+ static void vga_update_memory_access(VGACommonState *s)
+ {
+     hwaddr base, offset, size;
+@@ -562,7 +567,7 @@ static void vbe_fixup_regs(VGACommonState *s)
+     uint16_t *r = s->vbe_regs;
+     uint32_t bits, linelength, maxy, offset;
+ 
+-    if (!(r[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED)) {
++    if (!vbe_enabled(s)) {
+         /* vbe is turned off -- nothing to do */
+         return;
+     }
+@@ -1056,7 +1061,7 @@ static void vga_get_offsets(VGACommonState *s,
+ {
+     uint32_t start_addr, line_offset, line_compare;
+ 
+-    if (s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED) {
++    if (vbe_enabled(s)) {
+         line_offset = s->vbe_line_offset;
+         start_addr = s->vbe_start_addr;
+         line_compare = 65535;
+@@ -1381,7 +1386,7 @@ static int vga_get_bpp(VGACommonState *s)
+ {
+     int ret;
+ 
+-    if (s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED) {
++    if (vbe_enabled(s)) {
+         ret = s->vbe_regs[VBE_DISPI_INDEX_BPP];
+     } else {
+         ret = 0;
+@@ -1393,7 +1398,7 @@ static void vga_get_resolution(VGACommonState *s, int *pwidth, int *pheight)
+ {
+     int width, height;
+ 
+-    if (s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED) {
++    if (vbe_enabled(s)) {
+         width = s->vbe_regs[VBE_DISPI_INDEX_XRES];
+         height = s->vbe_regs[VBE_DISPI_INDEX_YRES];
+     } else {

0111-vga-factor-out-vga-register-setup.patch

@@ -0,0 +1,123 @@
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Tue, 26 Apr 2016 15:24:18 +0200
+Subject: [PATCH] vga: factor out vga register setup
+
+When enabling vbe mode qemu will setup a bunch of vga registers to make
+sure the vga emulation operates in correct mode for a linear
+framebuffer.  Move that code to a separate function so we can call it
+from other places too.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit 7fa5c2c5dc9f9bf878c1e8669eb9644d70a71e71)
+---
+ hw/display/vga.c | 78 ++++++++++++++++++++++++++++++++------------------------
+ 1 file changed, 44 insertions(+), 34 deletions(-)
+
+diff --git a/hw/display/vga.c b/hw/display/vga.c
+index 955ad6f..e46a2f8 100644
+--- a/hw/display/vga.c
++++ b/hw/display/vga.c
+@@ -642,6 +642,49 @@ static void vbe_fixup_regs(VGACommonState *s)
+     s->vbe_start_addr  = offset / 4;
+ }
+ 
++/* we initialize the VGA graphic mode */
++static void vbe_update_vgaregs(VGACommonState *s)
++{
++    int h, shift_control;
++
++    if (!vbe_enabled(s)) {
++        /* vbe is turned off -- nothing to do */
++        return;
++    }
++
++    /* graphic mode + memory map 1 */
++    s->gr[VGA_GFX_MISC] = (s->gr[VGA_GFX_MISC] & ~0x0c) | 0x04 |
++        VGA_GR06_GRAPHICS_MODE;
++    s->cr[VGA_CRTC_MODE] |= 3; /* no CGA modes */
++    s->cr[VGA_CRTC_OFFSET] = s->vbe_line_offset >> 3;
++    /* width */
++    s->cr[VGA_CRTC_H_DISP] =
++        (s->vbe_regs[VBE_DISPI_INDEX_XRES] >> 3) - 1;
++    /* height (only meaningful if < 1024) */
++    h = s->vbe_regs[VBE_DISPI_INDEX_YRES] - 1;
++    s->cr[VGA_CRTC_V_DISP_END] = h;
++    s->cr[VGA_CRTC_OVERFLOW] = (s->cr[VGA_CRTC_OVERFLOW] & ~0x42) |
++        ((h >> 7) & 0x02) | ((h >> 3) & 0x40);
++    /* line compare to 1023 */
++    s->cr[VGA_CRTC_LINE_COMPARE] = 0xff;
++    s->cr[VGA_CRTC_OVERFLOW] |= 0x10;
++    s->cr[VGA_CRTC_MAX_SCAN] |= 0x40;
++
++    if (s->vbe_regs[VBE_DISPI_INDEX_BPP] == 4) {
++        shift_control = 0;
++        s->sr[VGA_SEQ_CLOCK_MODE] &= ~8; /* no double line */
++    } else {
++        shift_control = 2;
++        /* set chain 4 mode */
++        s->sr[VGA_SEQ_MEMORY_MODE] |= VGA_SR04_CHN_4M;
++        /* activate all planes */
++        s->sr[VGA_SEQ_PLANE_WRITE] |= VGA_SR02_ALL_PLANES;
++    }
++    s->gr[VGA_GFX_MODE] = (s->gr[VGA_GFX_MODE] & ~0x60) |
++        (shift_control << 5);
++    s->cr[VGA_CRTC_MAX_SCAN] &= ~0x9f; /* no double scan */
++}
++
+ static uint32_t vbe_ioport_read_index(void *opaque, uint32_t addr)
+ {
+     VGACommonState *s = opaque;
+@@ -728,52 +771,19 @@ void vbe_ioport_write_data(void *opaque, uint32_t addr, uint32_t val)
+         case VBE_DISPI_INDEX_ENABLE:
+             if ((val & VBE_DISPI_ENABLED) &&
+                 !(s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED)) {
+-                int h, shift_control;
+ 
+                 s->vbe_regs[VBE_DISPI_INDEX_VIRT_WIDTH] = 0;
+                 s->vbe_regs[VBE_DISPI_INDEX_X_OFFSET] = 0;
+                 s->vbe_regs[VBE_DISPI_INDEX_Y_OFFSET] = 0;
+                 s->vbe_regs[VBE_DISPI_INDEX_ENABLE] |= VBE_DISPI_ENABLED;
+                 vbe_fixup_regs(s);
++                vbe_update_vgaregs(s);
+ 
+                 /* clear the screen */
+                 if (!(val & VBE_DISPI_NOCLEARMEM)) {
+                     memset(s->vram_ptr, 0,
+                            s->vbe_regs[VBE_DISPI_INDEX_YRES] * s->vbe_line_offset);
+                 }
+-
+-                /* we initialize the VGA graphic mode */
+-                /* graphic mode + memory map 1 */
+-                s->gr[VGA_GFX_MISC] = (s->gr[VGA_GFX_MISC] & ~0x0c) | 0x04 |
+-                    VGA_GR06_GRAPHICS_MODE;
+-                s->cr[VGA_CRTC_MODE] |= 3; /* no CGA modes */
+-                s->cr[VGA_CRTC_OFFSET] = s->vbe_line_offset >> 3;
+-                /* width */
+-                s->cr[VGA_CRTC_H_DISP] =
+-                    (s->vbe_regs[VBE_DISPI_INDEX_XRES] >> 3) - 1;
+-                /* height (only meaningful if < 1024) */
+-                h = s->vbe_regs[VBE_DISPI_INDEX_YRES] - 1;
+-                s->cr[VGA_CRTC_V_DISP_END] = h;
+-                s->cr[VGA_CRTC_OVERFLOW] = (s->cr[VGA_CRTC_OVERFLOW] & ~0x42) |
+-                    ((h >> 7) & 0x02) | ((h >> 3) & 0x40);
+-                /* line compare to 1023 */
+-                s->cr[VGA_CRTC_LINE_COMPARE] = 0xff;
+-                s->cr[VGA_CRTC_OVERFLOW] |= 0x10;
+-                s->cr[VGA_CRTC_MAX_SCAN] |= 0x40;
+-
+-                if (s->vbe_regs[VBE_DISPI_INDEX_BPP] == 4) {
+-                    shift_control = 0;
+-                    s->sr[VGA_SEQ_CLOCK_MODE] &= ~8; /* no double line */
+-                } else {
+-                    shift_control = 2;
+-                    /* set chain 4 mode */
+-                    s->sr[VGA_SEQ_MEMORY_MODE] |= VGA_SR04_CHN_4M;
+-                    /* activate all planes */
+-                    s->sr[VGA_SEQ_PLANE_WRITE] |= VGA_SR02_ALL_PLANES;
+-                }
+-                s->gr[VGA_GFX_MODE] = (s->gr[VGA_GFX_MODE] & ~0x60) |
+-                    (shift_control << 5);
+-                s->cr[VGA_CRTC_MAX_SCAN] &= ~0x9f; /* no double scan */
+             } else {
+                 s->bank_offset = 0;
+             }

0112-vga-update-vga-register-setup-on-vbe-changes.patch

@@ -0,0 +1,25 @@
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Tue, 26 Apr 2016 15:39:22 +0200
+Subject: [PATCH] vga: update vga register setup on vbe changes
+
+Call the new vbe_update_vgaregs() function on vbe configuration
+changes, to make sure vga registers are up-to-date.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit 2068192dcccd8a80dddfcc8df6164cf9c26e0fc4)
+---
+ hw/display/vga.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/display/vga.c b/hw/display/vga.c
+index e46a2f8..ecfcf05 100644
+--- a/hw/display/vga.c
++++ b/hw/display/vga.c
+@@ -761,6 +761,7 @@ void vbe_ioport_write_data(void *opaque, uint32_t addr, uint32_t val)
+         case VBE_DISPI_INDEX_Y_OFFSET:
+             s->vbe_regs[s->vbe_index] = val;
+             vbe_fixup_regs(s);
++            vbe_update_vgaregs(s);
+             break;
+         case VBE_DISPI_INDEX_BANK:
+             val &= s->vbe_bank_mask;

0113-vga-make-sure-vga-register-setup-for-vbe-stays-intac.patch

@@ -0,0 +1,71 @@
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Tue, 26 Apr 2016 14:48:06 +0200
+Subject: [PATCH] vga: make sure vga register setup for vbe stays intact
+ (CVE-2016-3712).
+
+Call vbe_update_vgaregs() when the guest touches GFX, SEQ or CRT
+registers, to make sure the vga registers will always have the
+values needed by vbe mode.  This makes sure the sanity checks
+applied by vbe_fixup_regs() are effective.
+
+Without this guests can muck with shift_control, can turn on planar
+vga modes or text mode emulation while VBE is active, making qemu
+take code paths meant for CGA compatibility, but with the very
+large display widths and heigts settable using VBE registers.
+
+Which is good for one or another buffer overflow.  Not that
+critical as they typically read overflows happening somewhere
+in the display code.  So guests can DoS by crashing qemu with a
+segfault, but it is probably not possible to break out of the VM.
+
+Fixes: CVE-2016-3712
+Reported-by: Zuozhi Fzz <zuozhi.fzz@alibaba-inc.com>
+Reported-by: P J P <ppandit@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit fd3c136b3e1482cd0ec7285d6bc2a3e6a62c38d7)
+---
+ hw/display/vga.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/hw/display/vga.c b/hw/display/vga.c
+index ecfcf05..1fc8f12 100644
+--- a/hw/display/vga.c
++++ b/hw/display/vga.c
+@@ -140,6 +140,8 @@ static uint32_t expand4[256];
+ static uint16_t expand2[256];
+ static uint8_t expand4to8[16];
+ 
++static void vbe_update_vgaregs(VGACommonState *s);
++
+ static inline bool vbe_enabled(VGACommonState *s)
+ {
+     return s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED;
+@@ -482,6 +484,7 @@ void vga_ioport_write(void *opaque, uint32_t addr, uint32_t val)
+         printf("vga: write SR%x = 0x%02x\n", s->sr_index, val);
+ #endif
+         s->sr[s->sr_index] = val & sr_mask[s->sr_index];
++        vbe_update_vgaregs(s);
+         if (s->sr_index == VGA_SEQ_CLOCK_MODE) {
+             s->update_retrace_info(s);
+         }
+@@ -513,6 +516,7 @@ void vga_ioport_write(void *opaque, uint32_t addr, uint32_t val)
+         printf("vga: write GR%x = 0x%02x\n", s->gr_index, val);
+ #endif
+         s->gr[s->gr_index] = val & gr_mask[s->gr_index];
++        vbe_update_vgaregs(s);
+         vga_update_memory_access(s);
+         break;
+     case VGA_CRT_IM:
+@@ -531,10 +535,12 @@ void vga_ioport_write(void *opaque, uint32_t addr, uint32_t val)
+             if (s->cr_index == VGA_CRTC_OVERFLOW) {
+                 s->cr[VGA_CRTC_OVERFLOW] = (s->cr[VGA_CRTC_OVERFLOW] & ~0x10) |
+                     (val & 0x10);
++                vbe_update_vgaregs(s);
+             }
+             return;
+         }
+         s->cr[s->cr_index] = val;
++        vbe_update_vgaregs(s);
+ 
+         switch(s->cr_index) {
+         case VGA_CRTC_H_TOTAL:

0114-ehci-clear-suspend-bit-on-detach.patch

@@ -0,0 +1,37 @@
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Wed, 21 Oct 2015 09:44:22 +0200
+Subject: [PATCH] ehci: clear suspend bit on detach
+
+When a device is detached, clear the suspend bit (PORTSC_SUSPEND)
+in the port status register.
+
+The specs are not *that* clear what is supposed to happen in case
+a suspended device is unplugged.  But the enable bit (PORTSC_PED)
+is cleared, and the specs mention setting suspend with enable being
+unset is undefined behavior.  So clearing them both looks reasonable,
+and it actually fixes the reported bug.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1268879
+
+Cc: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Message-id: 1445413462-18004-1-git-send-email-kraxel@redhat.com
+(cherry picked from commit cbf82fa01e6fd4ecb234b235b10ffce548154a95)
+---
+ hw/usb/hcd-ehci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
+index 2f492d9..d6d7de3 100644
+--- a/hw/usb/hcd-ehci.c
++++ b/hw/usb/hcd-ehci.c
+@@ -726,7 +726,7 @@ static void ehci_detach(USBPort *port)
+     ehci_queues_rip_device(s, port->dev, 0);
+     ehci_queues_rip_device(s, port->dev, 1);
+ 
+-    *portsc &= ~(PORTSC_CONNECT|PORTSC_PED);
++    *portsc &= ~(PORTSC_CONNECT|PORTSC_PED|PORTSC_SUSPEND);
+     *portsc |= PORTSC_CSC;
+ 
+     ehci_raise_irq(s, USBSTS_PCD);

0115-ehci-apply-limit-to-iTD-sidt-descriptors.patch

@@ -0,0 +1,59 @@
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 18 Apr 2016 09:11:38 +0200
+Subject: [PATCH] ehci: apply limit to iTD/sidt descriptors
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Commit "156a2e4 ehci: make idt processing more robust" tries to avoid a
+DoS by the guest (create a circular iTD queue and let qemu ehci
+emulation run in circles forever).  Unfortunately this has two problems:
+First it misses the case of siTDs, and second it reportedly breaks
+FreeBSD.
+
+So lets go for a different approach: just count the number of iTDs and
+siTDs we have seen per frame and apply a limit.  That should really
+catch all cases now.
+
+Reported-by: 杜少博 <dushaobo@360.cn>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit 1ae3f2f178087711f9591350abad133525ba93f2)
+---
+ hw/usb/hcd-ehci.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
+index d6d7de3..8dbfbe3 100644
+--- a/hw/usb/hcd-ehci.c
++++ b/hw/usb/hcd-ehci.c
+@@ -2003,6 +2003,7 @@ static int ehci_state_writeback(EHCIQueue *q)
+ static void ehci_advance_state(EHCIState *ehci, int async)
+ {
+     EHCIQueue *q = NULL;
++    int itd_count = 0;
+     int again;
+ 
+     do {
+@@ -2027,10 +2028,12 @@ static void ehci_advance_state(EHCIState *ehci, int async)
+ 
+         case EST_FETCHITD:
+             again = ehci_state_fetchitd(ehci, async);
++            itd_count++;
+             break;
+ 
+         case EST_FETCHSITD:
+             again = ehci_state_fetchsitd(ehci, async);
++            itd_count++;
+             break;
+ 
+         case EST_ADVANCEQUEUE:
+@@ -2079,7 +2082,8 @@ static void ehci_advance_state(EHCIState *ehci, int async)
+             break;
+         }
+ 
+-        if (again < 0) {
++        if (again < 0 || itd_count > 16) {
++            /* TODO: notify guest (raise HSE irq?) */
+             fprintf(stderr, "processing error - resetting ehci HC\n");
+             ehci_reset(ehci);
+             again = 0;

0116-Revert-ehci-make-idt-processing-more-robust.patch

@@ -0,0 +1,39 @@
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 18 Apr 2016 09:20:54 +0200
+Subject: [PATCH] Revert "ehci: make idt processing more robust"
+
+This reverts commit 156a2e4dbffa85997636a7a39ef12da6f1b40254.
+
+Breaks FreeBSD.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit a49923d2837d20510d645d3758f1ad87c32d0730)
+---
+ hw/usb/hcd-ehci.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
+index 8dbfbe3..ba5baf9 100644
+--- a/hw/usb/hcd-ehci.c
++++ b/hw/usb/hcd-ehci.c
+@@ -1389,7 +1389,7 @@ static int ehci_process_itd(EHCIState *ehci,
+ {
+     USBDevice *dev;
+     USBEndpoint *ep;
+-    uint32_t i, len, pid, dir, devaddr, endp, xfers = 0;
++    uint32_t i, len, pid, dir, devaddr, endp;
+     uint32_t pg, off, ptr1, ptr2, max, mult;
+ 
+     ehci->periodic_sched_active = PERIODIC_ACTIVE;
+@@ -1481,10 +1481,9 @@ static int ehci_process_itd(EHCIState *ehci,
+                 ehci_raise_irq(ehci, USBSTS_INT);
+             }
+             itd->transact[i] &= ~ITD_XACT_ACTIVE;
+-            xfers++;
+         }
+     }
+-    return xfers ? 0 : -1;
++    return 0;
+ }
+ 
+ 

0117-net-stellaris_enet-check-packet-length-against-recei.patch

@@ -0,0 +1,44 @@
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Fri, 8 Apr 2016 11:33:48 +0530
+Subject: [PATCH] net: stellaris_enet: check packet length against receive
+ buffer
+
+When receiving packets over Stellaris ethernet controller, it
+uses receive buffer of size 2048 bytes. In case the controller
+accepts large(MTU) packets, it could lead to memory corruption.
+Add check to avoid it.
+
+Reported-by: Oleksandr Bazhaniuk <oleksandr.bazhaniuk@intel.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-id: 1460095428-22698-1-git-send-email-ppandit@redhat.com
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+(cherry picked from commit 3a15cc0e1ee7168db0782133d2607a6bfa422d66)
+---
+ hw/net/stellaris_enet.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/hw/net/stellaris_enet.c b/hw/net/stellaris_enet.c
+index 278a654..90ada81 100644
+--- a/hw/net/stellaris_enet.c
++++ b/hw/net/stellaris_enet.c
+@@ -236,8 +236,18 @@ static ssize_t stellaris_enet_receive(NetClientState *nc, const uint8_t *buf, si
+     n = s->next_packet + s->np;
+     if (n >= 31)
+         n -= 31;
+-    s->np++;
+ 
++    if (size >= sizeof(s->rx[n].data) - 6) {
++        /* If the packet won't fit into the
++         * emulated 2K RAM, this is reported
++         * as a FIFO overrun error.
++         */
++        s->ris |= SE_INT_FOV;
++        stellaris_enet_update(s);
++        return -1;
++    }
++
++    s->np++;
+     s->rx[n].len = size + 6;
+     p = s->rx[n].data;
+     *(p++) = (size + 6);

0118-rng-remove-the-unused-request-cancellation-code.patch

@@ -0,0 +1,95 @@
+From: Ladi Prosek <lprosek@redhat.com>
+Date: Thu, 3 Mar 2016 09:37:15 +0100
+Subject: [PATCH] rng: remove the unused request cancellation code
+
+rng_backend_cancel_requests had no callers and none of the code
+deleted in this commit ever ran.
+
+Signed-off-by: Ladi Prosek <lprosek@redhat.com>
+Reviewed-by: Amit Shah <amit.shah@redhat.com>
+Message-Id: <1456994238-9585-2-git-send-email-lprosek@redhat.com>
+Signed-off-by: Amit Shah <amit.shah@redhat.com>
+(cherry picked from commit 3c52ddcdc548e7fbe65112d8a7bdc9cd105b4750)
+---
+ backends/rng-egd.c   | 12 ------------
+ backends/rng.c       |  9 ---------
+ include/sysemu/rng.h | 11 -----------
+ 3 files changed, 32 deletions(-)
+
+diff --git a/backends/rng-egd.c b/backends/rng-egd.c
+index 2962795..0a42f05 100644
+--- a/backends/rng-egd.c
++++ b/backends/rng-egd.c
+@@ -124,17 +124,6 @@ static void rng_egd_free_requests(RngEgd *s)
+     s->requests = NULL;
+ }
+ 
+-static void rng_egd_cancel_requests(RngBackend *b)
+-{
+-    RngEgd *s = RNG_EGD(b);
+-
+-    /* We simply delete the list of pending requests.  If there is data in the 
+-     * queue waiting to be read, this is okay, because there will always be
+-     * more data than we requested originally
+-     */
+-    rng_egd_free_requests(s);
+-}
+-
+ static void rng_egd_opened(RngBackend *b, Error **errp)
+ {
+     RngEgd *s = RNG_EGD(b);
+@@ -211,7 +200,6 @@ static void rng_egd_class_init(ObjectClass *klass, void *data)
+     RngBackendClass *rbc = RNG_BACKEND_CLASS(klass);
+ 
+     rbc->request_entropy = rng_egd_request_entropy;
+-    rbc->cancel_requests = rng_egd_cancel_requests;
+     rbc->opened = rng_egd_opened;
+ }
+ 
+diff --git a/backends/rng.c b/backends/rng.c
+index 0f2fc11..b806140 100644
+--- a/backends/rng.c
++++ b/backends/rng.c
+@@ -25,15 +25,6 @@ void rng_backend_request_entropy(RngBackend *s, size_t size,
+     }
+ }
+ 
+-void rng_backend_cancel_requests(RngBackend *s)
+-{
+-    RngBackendClass *k = RNG_BACKEND_GET_CLASS(s);
+-
+-    if (k->cancel_requests) {
+-        k->cancel_requests(s);
+-    }
+-}
+-
+ static bool rng_backend_prop_get_opened(Object *obj, Error **errp)
+ {
+     RngBackend *s = RNG_BACKEND(obj);
+diff --git a/include/sysemu/rng.h b/include/sysemu/rng.h
+index 0a27c9b..c7da17d 100644
+--- a/include/sysemu/rng.h
++++ b/include/sysemu/rng.h
+@@ -38,7 +38,6 @@ struct RngBackendClass
+ 
+     void (*request_entropy)(RngBackend *s, size_t size,
+                             EntropyReceiveFunc *receive_entropy, void *opaque);
+-    void (*cancel_requests)(RngBackend *s);
+ 
+     void (*opened)(RngBackend *s, Error **errp);
+ };
+@@ -69,14 +68,4 @@ struct RngBackend
+ void rng_backend_request_entropy(RngBackend *s, size_t size,
+                                  EntropyReceiveFunc *receive_entropy,
+                                  void *opaque);
+-
+-/**
+- * rng_backend_cancel_requests:
+- * @s: the backend to cancel all pending requests in
+- *
+- * Cancels all pending requests submitted by @rng_backend_request_entropy.  This
+- * should be used by a device during reset or in preparation for live migration
+- * to stop tracking any request.
+- */
+-void rng_backend_cancel_requests(RngBackend *s);
+ #endif

0119-rng-move-request-queue-from-RngEgd-to-RngBackend.patch

@@ -0,0 +1,132 @@
+From: Ladi Prosek <lprosek@redhat.com>
+Date: Thu, 3 Mar 2016 09:37:16 +0100
+Subject: [PATCH] rng: move request queue from RngEgd to RngBackend
+
+The 'requests' field now lives in the RngBackend parent class.
+There are no functional changes in this commit.
+
+Signed-off-by: Ladi Prosek <lprosek@redhat.com>
+Reviewed-by: Amit Shah <amit.shah@redhat.com>
+Message-Id: <1456994238-9585-3-git-send-email-lprosek@redhat.com>
+Signed-off-by: Amit Shah <amit.shah@redhat.com>
+(cherry picked from commit 74074e8a7c60592cf1cc6469dbc2550d24aeded3)
+---
+ backends/rng-egd.c   | 28 +++++++++-------------------
+ include/sysemu/rng.h | 11 +++++++++++
+ 2 files changed, 20 insertions(+), 19 deletions(-)
+
+diff --git a/backends/rng-egd.c b/backends/rng-egd.c
+index 0a42f05..e0d2860 100644
+--- a/backends/rng-egd.c
++++ b/backends/rng-egd.c
+@@ -24,19 +24,8 @@ typedef struct RngEgd
+ 
+     CharDriverState *chr;
+     char *chr_name;
+-
+-    GSList *requests;
+ } RngEgd;
+ 
+-typedef struct RngRequest
+-{
+-    EntropyReceiveFunc *receive_entropy;
+-    uint8_t *data;
+-    void *opaque;
+-    size_t offset;
+-    size_t size;
+-} RngRequest;
+-
+ static void rng_egd_request_entropy(RngBackend *b, size_t size,
+                                     EntropyReceiveFunc *receive_entropy,
+                                     void *opaque)
+@@ -65,7 +54,7 @@ static void rng_egd_request_entropy(RngBackend *b, size_t size,
+         size -= len;
+     }
+ 
+-    s->requests = g_slist_append(s->requests, req);
++    s->parent.requests = g_slist_append(s->parent.requests, req);
+ }
+ 
+ static void rng_egd_free_request(RngRequest *req)
+@@ -80,7 +69,7 @@ static int rng_egd_chr_can_read(void *opaque)
+     GSList *i;
+     int size = 0;
+ 
+-    for (i = s->requests; i; i = i->next) {
++    for (i = s->parent.requests; i; i = i->next) {
+         RngRequest *req = i->data;
+         size += req->size - req->offset;
+     }
+@@ -93,8 +82,8 @@ static void rng_egd_chr_read(void *opaque, const uint8_t *buf, int size)
+     RngEgd *s = RNG_EGD(opaque);
+     size_t buf_offset = 0;
+ 
+-    while (size > 0 && s->requests) {
+-        RngRequest *req = s->requests->data;
++    while (size > 0 && s->parent.requests) {
++        RngRequest *req = s->parent.requests->data;
+         int len = MIN(size, req->size - req->offset);
+ 
+         memcpy(req->data + req->offset, buf + buf_offset, len);
+@@ -103,7 +92,8 @@ static void rng_egd_chr_read(void *opaque, const uint8_t *buf, int size)
+         size -= len;
+ 
+         if (req->offset == req->size) {
+-            s->requests = g_slist_remove_link(s->requests, s->requests);
++            s->parent.requests = g_slist_remove_link(s->parent.requests,
++                                                     s->parent.requests);
+ 
+             req->receive_entropy(req->opaque, req->data, req->size);
+ 
+@@ -116,12 +106,12 @@ static void rng_egd_free_requests(RngEgd *s)
+ {
+     GSList *i;
+ 
+-    for (i = s->requests; i; i = i->next) {
++    for (i = s->parent.requests; i; i = i->next) {
+         rng_egd_free_request(i->data);
+     }
+ 
+-    g_slist_free(s->requests);
+-    s->requests = NULL;
++    g_slist_free(s->parent.requests);
++    s->parent.requests = NULL;
+ }
+ 
+ static void rng_egd_opened(RngBackend *b, Error **errp)
+diff --git a/include/sysemu/rng.h b/include/sysemu/rng.h
+index c7da17d..084164c 100644
+--- a/include/sysemu/rng.h
++++ b/include/sysemu/rng.h
+@@ -25,6 +25,7 @@
+ #define RNG_BACKEND_CLASS(klass) \
+     OBJECT_CLASS_CHECK(RngBackendClass, (klass), TYPE_RNG_BACKEND)
+ 
++typedef struct RngRequest RngRequest;
+ typedef struct RngBackendClass RngBackendClass;
+ typedef struct RngBackend RngBackend;
+ 
+@@ -32,6 +33,15 @@ typedef void (EntropyReceiveFunc)(void *opaque,
+                                   const void *data,
+                                   size_t size);
+ 
++struct RngRequest
++{
++    EntropyReceiveFunc *receive_entropy;
++    uint8_t *data;
++    void *opaque;
++    size_t offset;
++    size_t size;
++};
++
+ struct RngBackendClass
+ {
+     ObjectClass parent_class;
+@@ -48,6 +58,7 @@ struct RngBackend
+ 
+     /*< protected >*/
+     bool opened;
++    GSList *requests;
+ };
+ 
+ /**

0120-rng-move-request-queue-cleanup-from-RngEgd-to-RngBac.patch

@@ -0,0 +1,160 @@
+From: Ladi Prosek <lprosek@redhat.com>
+Date: Thu, 3 Mar 2016 09:37:17 +0100
+Subject: [PATCH] rng: move request queue cleanup from RngEgd to RngBackend
+
+RngBackend is now in charge of cleaning up the linked list on
+instance finalization. It also exposes a function to finalize
+individual RngRequest instances, called by its child classes.
+
+Signed-off-by: Ladi Prosek <lprosek@redhat.com>
+Reviewed-by: Amit Shah <amit.shah@redhat.com>
+Message-Id: <1456994238-9585-4-git-send-email-lprosek@redhat.com>
+Signed-off-by: Amit Shah <amit.shah@redhat.com>
+(cherry picked from commit 9f14b0add1dcdbfa2ee61051d068211fb0a1fcc9)
+---
+ backends/rng-egd.c   | 25 +------------------------
+ backends/rng.c       | 32 ++++++++++++++++++++++++++++++++
+ include/sysemu/rng.h | 12 ++++++++++++
+ 3 files changed, 45 insertions(+), 24 deletions(-)
+
+diff --git a/backends/rng-egd.c b/backends/rng-egd.c
+index e0d2860..df58f1d 100644
+--- a/backends/rng-egd.c
++++ b/backends/rng-egd.c
+@@ -57,12 +57,6 @@ static void rng_egd_request_entropy(RngBackend *b, size_t size,
+     s->parent.requests = g_slist_append(s->parent.requests, req);
+ }
+ 
+-static void rng_egd_free_request(RngRequest *req)
+-{
+-    g_free(req->data);
+-    g_free(req);
+-}
+-
+ static int rng_egd_chr_can_read(void *opaque)
+ {
+     RngEgd *s = RNG_EGD(opaque);
+@@ -92,28 +86,13 @@ static void rng_egd_chr_read(void *opaque, const uint8_t *buf, int size)
+         size -= len;
+ 
+         if (req->offset == req->size) {
+-            s->parent.requests = g_slist_remove_link(s->parent.requests,
+-                                                     s->parent.requests);
+-
+             req->receive_entropy(req->opaque, req->data, req->size);
+ 
+-            rng_egd_free_request(req);
++            rng_backend_finalize_request(&s->parent, req);
+         }
+     }
+ }
+ 
+-static void rng_egd_free_requests(RngEgd *s)
+-{
+-    GSList *i;
+-
+-    for (i = s->parent.requests; i; i = i->next) {
+-        rng_egd_free_request(i->data);
+-    }
+-
+-    g_slist_free(s->parent.requests);
+-    s->parent.requests = NULL;
+-}
+-
+ static void rng_egd_opened(RngBackend *b, Error **errp)
+ {
+     RngEgd *s = RNG_EGD(b);
+@@ -181,8 +160,6 @@ static void rng_egd_finalize(Object *obj)
+     }
+ 
+     g_free(s->chr_name);
+-
+-    rng_egd_free_requests(s);
+ }
+ 
+ static void rng_egd_class_init(ObjectClass *klass, void *data)
+diff --git a/backends/rng.c b/backends/rng.c
+index b806140..437119c 100644
+--- a/backends/rng.c
++++ b/backends/rng.c
+@@ -63,6 +63,30 @@ static void rng_backend_prop_set_opened(Object *obj, bool value, Error **errp)
+     s->opened = true;
+ }
+ 
++static void rng_backend_free_request(RngRequest *req)
++{
++    g_free(req->data);
++    g_free(req);
++}
++
++static void rng_backend_free_requests(RngBackend *s)
++{
++    GSList *i;
++
++    for (i = s->requests; i; i = i->next) {
++        rng_backend_free_request(i->data);
++    }
++
++    g_slist_free(s->requests);
++    s->requests = NULL;
++}
++
++void rng_backend_finalize_request(RngBackend *s, RngRequest *req)
++{
++    s->requests = g_slist_remove(s->requests, req);
++    rng_backend_free_request(req);
++}
++
+ static void rng_backend_init(Object *obj)
+ {
+     object_property_add_bool(obj, "opened",
+@@ -71,6 +95,13 @@ static void rng_backend_init(Object *obj)
+                              NULL);
+ }
+ 
++static void rng_backend_finalize(Object *obj)
++{
++    RngBackend *s = RNG_BACKEND(obj);
++
++    rng_backend_free_requests(s);
++}
++
+ static void rng_backend_class_init(ObjectClass *oc, void *data)
+ {
+     UserCreatableClass *ucc = USER_CREATABLE_CLASS(oc);
+@@ -83,6 +114,7 @@ static const TypeInfo rng_backend_info = {
+     .parent = TYPE_OBJECT,
+     .instance_size = sizeof(RngBackend),
+     .instance_init = rng_backend_init,
++    .instance_finalize = rng_backend_finalize,
+     .class_size = sizeof(RngBackendClass),
+     .class_init = rng_backend_class_init,
+     .abstract = true,
+diff --git a/include/sysemu/rng.h b/include/sysemu/rng.h
+index 084164c..c2c9035 100644
+--- a/include/sysemu/rng.h
++++ b/include/sysemu/rng.h
+@@ -61,6 +61,7 @@ struct RngBackend
+     GSList *requests;
+ };
+ 
++
+ /**
+  * rng_backend_request_entropy:
+  * @s: the backend to request entropy from
+@@ -79,4 +80,15 @@ struct RngBackend
+ void rng_backend_request_entropy(RngBackend *s, size_t size,
+                                  EntropyReceiveFunc *receive_entropy,
+                                  void *opaque);
++
++/**
++ * rng_backend_free_request:
++ * @s: the backend that created the request
++ * @req: the request to finalize
++ *
++ * Used by child rng backend classes to finalize requests once they've been
++ * processed. The request is removed from the list of active requests and
++ * deleted.
++ */
++void rng_backend_finalize_request(RngBackend *s, RngRequest *req);
+ #endif

0121-rng-add-request-queue-support-to-rng-random.patch

@@ -0,0 +1,176 @@
+From: Ladi Prosek <lprosek@redhat.com>
+Date: Thu, 3 Mar 2016 09:37:18 +0100
+Subject: [PATCH] rng: add request queue support to rng-random
+
+Requests are now created in the RngBackend parent class and the
+code path is shared by both rng-egd and rng-random.
+
+This commit fixes the rng-random implementation which processed
+only one request at a time and simply discarded all but the most
+recent one. In the guest this manifested as delayed completion
+of reads from virtio-rng, i.e. a read was completed only after
+another read was issued.
+
+By switching rng-random to use the same request queue as rng-egd,
+the unsafe stack-based allocation of the entropy buffer is
+eliminated and replaced with g_malloc.
+
+Signed-off-by: Ladi Prosek <lprosek@redhat.com>
+Reviewed-by: Amit Shah <amit.shah@redhat.com>
+Message-Id: <1456994238-9585-5-git-send-email-lprosek@redhat.com>
+Signed-off-by: Amit Shah <amit.shah@redhat.com>
+(cherry picked from commit 60253ed1e6ec6d8e5ef2efe7bf755f475dce9956)
+---
+ backends/rng-egd.c    | 16 ++--------------
+ backends/rng-random.c | 43 +++++++++++++++++++------------------------
+ backends/rng.c        | 13 ++++++++++++-
+ include/sysemu/rng.h  |  3 +--
+ 4 files changed, 34 insertions(+), 41 deletions(-)
+
+diff --git a/backends/rng-egd.c b/backends/rng-egd.c
+index df58f1d..9c6bde4 100644
+--- a/backends/rng-egd.c
++++ b/backends/rng-egd.c
+@@ -26,20 +26,10 @@ typedef struct RngEgd
+     char *chr_name;
+ } RngEgd;
+ 
+-static void rng_egd_request_entropy(RngBackend *b, size_t size,
+-                                    EntropyReceiveFunc *receive_entropy,
+-                                    void *opaque)
++static void rng_egd_request_entropy(RngBackend *b, RngRequest *req)
+ {
+     RngEgd *s = RNG_EGD(b);
+-    RngRequest *req;
+-
+-    req = g_malloc(sizeof(*req));
+-
+-    req->offset = 0;
+-    req->size = size;
+-    req->receive_entropy = receive_entropy;
+-    req->opaque = opaque;
+-    req->data = g_malloc(req->size);
++    size_t size = req->size;
+ 
+     while (size > 0) {
+         uint8_t header[2];
+@@ -53,8 +43,6 @@ static void rng_egd_request_entropy(RngBackend *b, size_t size,
+ 
+         size -= len;
+     }
+-
+-    s->parent.requests = g_slist_append(s->parent.requests, req);
+ }
+ 
+ static int rng_egd_chr_can_read(void *opaque)
+diff --git a/backends/rng-random.c b/backends/rng-random.c
+index 4f85a8e..fc0bc75 100644
+--- a/backends/rng-random.c
++++ b/backends/rng-random.c
+@@ -21,10 +21,6 @@ struct RndRandom
+ 
+     int fd;
+     char *filename;
+-
+-    EntropyReceiveFunc *receive_func;
+-    void *opaque;
+-    size_t size;
+ };
+ 
+ /**
+@@ -37,36 +33,35 @@ struct RndRandom
+ static void entropy_available(void *opaque)
+ {
+     RndRandom *s = RNG_RANDOM(opaque);
+-    uint8_t buffer[s->size];
+-    ssize_t len;
+ 
+-    len = read(s->fd, buffer, s->size);
+-    if (len < 0 && errno == EAGAIN) {
+-        return;
+-    }
+-    g_assert(len != -1);
++    while (s->parent.requests != NULL) {
++        RngRequest *req = s->parent.requests->data;
++        ssize_t len;
++
++        len = read(s->fd, req->data, req->size);
++        if (len < 0 && errno == EAGAIN) {
++            return;
++        }
++        g_assert(len != -1);
+ 
+-    s->receive_func(s->opaque, buffer, len);
+-    s->receive_func = NULL;
++        req->receive_entropy(req->opaque, req->data, len);
+ 
++        rng_backend_finalize_request(&s->parent, req);
++    }
++
++    /* We've drained all requests, the fd handler can be reset. */
+     qemu_set_fd_handler(s->fd, NULL, NULL, NULL);
+ }
+ 
+-static void rng_random_request_entropy(RngBackend *b, size_t size,
+-                                        EntropyReceiveFunc *receive_entropy,
+-                                        void *opaque)
++static void rng_random_request_entropy(RngBackend *b, RngRequest *req)
+ {
+     RndRandom *s = RNG_RANDOM(b);
+ 
+-    if (s->receive_func) {
+-        s->receive_func(s->opaque, NULL, 0);
++    if (s->parent.requests == NULL) {
++        /* If there are no pending requests yet, we need to
++         * install our fd handler. */
++        qemu_set_fd_handler(s->fd, entropy_available, NULL, s);
+     }
+-
+-    s->receive_func = receive_entropy;
+-    s->opaque = opaque;
+-    s->size = size;
+-
+-    qemu_set_fd_handler(s->fd, entropy_available, NULL, s);
+ }
+ 
+ static void rng_random_opened(RngBackend *b, Error **errp)
+diff --git a/backends/rng.c b/backends/rng.c
+index 437119c..3383e01 100644
+--- a/backends/rng.c
++++ b/backends/rng.c
+@@ -19,9 +19,20 @@ void rng_backend_request_entropy(RngBackend *s, size_t size,
+                                  void *opaque)
+ {
+     RngBackendClass *k = RNG_BACKEND_GET_CLASS(s);
++    RngRequest *req;
+ 
+     if (k->request_entropy) {
+-        k->request_entropy(s, size, receive_entropy, opaque);
++        req = g_malloc(sizeof(*req));
++
++        req->offset = 0;
++        req->size = size;
++        req->receive_entropy = receive_entropy;
++        req->opaque = opaque;
++        req->data = g_malloc(req->size);
++
++        k->request_entropy(s, req);
++
++        s->requests = g_slist_append(s->requests, req);
+     }
+ }
+ 
+diff --git a/include/sysemu/rng.h b/include/sysemu/rng.h
+index c2c9035..a7ed580 100644
+--- a/include/sysemu/rng.h
++++ b/include/sysemu/rng.h
+@@ -46,8 +46,7 @@ struct RngBackendClass
+ {
+     ObjectClass parent_class;
+ 
+-    void (*request_entropy)(RngBackend *s, size_t size,
+-                            EntropyReceiveFunc *receive_entropy, void *opaque);
++    void (*request_entropy)(RngBackend *s, RngRequest *req);
+ 
+     void (*opened)(RngBackend *s, Error **errp);
+ };

0122-ohci-allocate-timer-only-once.patch

@@ -0,0 +1,96 @@
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 22 Feb 2016 09:50:11 +0100
+Subject: [PATCH] ohci: allocate timer only once.
+
+Allocate timer once, at init time, instead of allocating/freeing
+it all the time when starting/stopping the bus.  Simplifies the
+code, also fixes bugs (memory leak) due to missing checks whenever
+the time is already allocated or not.
+
+Cc: Prasad J Pandit <pjp@fedoraproject.org>
+Reported-by: Zuozhi Fzz <zuozhi.fzz@alibaba-inc.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit fa1298c2d623522eda7b4f1f721fcb935abb7360)
+---
+ hw/usb/hcd-ohci.c | 34 ++++++++--------------------------
+ 1 file changed, 8 insertions(+), 26 deletions(-)
+
+diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c
+index 1a22c9c..4b13d3c 100644
+--- a/hw/usb/hcd-ohci.c
++++ b/hw/usb/hcd-ohci.c
+@@ -1331,16 +1331,6 @@ static void ohci_frame_boundary(void *opaque)
+  */
+ static int ohci_bus_start(OHCIState *ohci)
+ {
+-    ohci->eof_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL,
+-                    ohci_frame_boundary,
+-                    ohci);
+-
+-    if (ohci->eof_timer == NULL) {
+-        trace_usb_ohci_bus_eof_timer_failed(ohci->name);
+-        ohci_die(ohci);
+-        return 0;
+-    }
+-
+     trace_usb_ohci_start(ohci->name);
+ 
+     ohci_sof(ohci);
+@@ -1352,11 +1342,7 @@ static int ohci_bus_start(OHCIState *ohci)
+ static void ohci_bus_stop(OHCIState *ohci)
+ {
+     trace_usb_ohci_stop(ohci->name);
+-    if (ohci->eof_timer) {
+-        timer_del(ohci->eof_timer);
+-        timer_free(ohci->eof_timer);
+-    }
+-    ohci->eof_timer = NULL;
++    timer_del(ohci->eof_timer);
+ }
+ 
+ /* Sets a flag in a port status register but only set it if the port is
+@@ -1883,6 +1869,9 @@ static void usb_ohci_init(OHCIState *ohci, DeviceState *dev,
+     usb_packet_init(&ohci->usb_packet);
+ 
+     ohci->async_td = 0;
++
++    ohci->eof_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL,
++                                   ohci_frame_boundary, ohci);
+ }
+ 
+ #define TYPE_PCI_OHCI "pci-ohci"
+@@ -1952,6 +1941,9 @@ static void usb_ohci_exit(PCIDevice *dev)
+     if (!ohci->masterbus) {
+         usb_bus_release(&s->bus);
+     }
++
++    timer_del(s->eof_timer);
++    timer_free(s->eof_timer);
+ }
+ 
+ static void usb_ohci_reset_pci(DeviceState *d)
+@@ -2017,23 +2009,13 @@ static bool ohci_eof_timer_needed(void *opaque)
+ {
+     OHCIState *ohci = opaque;
+ 
+-    return ohci->eof_timer != NULL;
+-}
+-
+-static int ohci_eof_timer_pre_load(void *opaque)
+-{
+-    OHCIState *ohci = opaque;
+-
+-    ohci_bus_start(ohci);
+-
+-    return 0;
++    return timer_pending(ohci->eof_timer);
+ }
+ 
+ static const VMStateDescription vmstate_ohci_eof_timer = {
+     .name = "ohci-core/eof-timer",
+     .version_id = 1,
+     .minimum_version_id = 1,
+-    .pre_load = ohci_eof_timer_pre_load,
+     .fields = (VMStateField[]) {
+         VMSTATE_TIMER_PTR(eof_timer, OHCIState),
+         VMSTATE_END_OF_LIST()

0123-usb-ehci-add-capability-mmio-write-function.patch

@@ -0,0 +1,43 @@
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Fri, 29 Jan 2016 18:30:34 +0530
+Subject: [PATCH] usb: ehci: add capability mmio write function
+
+USB Ehci emulation supports host controller capability registers.
+But its mmio '.write' function was missing, which lead to a null
+pointer dereference issue. Add a do nothing 'ehci_caps_write'
+definition to avoid it; Do nothing because capability registers
+are Read Only(RO).
+
+Reported-by: Zuozhi Fzz <zuozhi.fzz@alibaba-inc.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-id: 1454072434-16045-1-git-send-email-ppandit@redhat.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit dff0367cf66f489aa772320fa2937a8cac1ca30d)
+---
+ hw/usb/hcd-ehci.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
+index ba5baf9..5946955 100644
+--- a/hw/usb/hcd-ehci.c
++++ b/hw/usb/hcd-ehci.c
+@@ -893,6 +893,11 @@ static uint64_t ehci_caps_read(void *ptr, hwaddr addr,
+     return s->caps[addr];
+ }
+ 
++static void ehci_caps_write(void *ptr, hwaddr addr,
++                             uint64_t val, unsigned size)
++{
++}
++
+ static uint64_t ehci_opreg_read(void *ptr, hwaddr addr,
+                                 unsigned size)
+ {
+@@ -2316,6 +2321,7 @@ static void ehci_frame_timer(void *opaque)
+ 
+ static const MemoryRegionOps ehci_mmio_caps_ops = {
+     .read = ehci_caps_read,
++    .write = ehci_caps_write,
+     .valid.min_access_size = 1,
+     .valid.max_access_size = 4,
+     .impl.min_access_size = 1,

0124-configure-disallow-ccache-during-compile-tests.patch

@@ -0,0 +1,38 @@
+From: John Snow <jsnow@redhat.com>
+Date: Wed, 28 Oct 2015 13:56:40 -0400
+Subject: [PATCH] configure: disallow ccache during compile tests
+
+If the user is using ccache during the configuration step,
+it may interfere with some of the configuration tests,
+particularly the "Is ccache interfering with macro analysis" step,
+which is a bit of a poetic problem.
+
+1) Disallow ccache from reading from the cache during configure,
+   but don't disable it entirely to allow us to see if it causes other
+   problems.
+
+2) Force off CCACHE_CPP2 during the ccache test to get a deterministic
+   answer over whether or not we need to enable that feature later.
+
+Signed-off-by: John Snow <jsnow@redhat.com>
+Message-Id: <1446055000-29150-1-git-send-email-jsnow@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 5e4dfd3d4e87e0464d599ecef06aa8fe78420a9b)
+---
+ configure | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/configure b/configure
+index 69a5e2d..b29c923 100755
+--- a/configure
++++ b/configure
+@@ -8,6 +8,9 @@
+ CLICOLOR_FORCE= GREP_OPTIONS=
+ unset CLICOLOR_FORCE GREP_OPTIONS
+ 
++# Don't allow CCACHE, if present, to use cached results of compile tests!
++export CCACHE_RECACHE=yes
++
+ # Temporary directory used for files created while
+ # configure runs. Since it is in the build directory
+ # we can safely blow away any previous version of it

0125-i386-kvmvapic-initialise-imm32-variable.patch

@@ -0,0 +1,32 @@
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Thu, 7 Apr 2016 12:50:08 +0530
+Subject: [PATCH] i386: kvmvapic: initialise imm32 variable
+
+When processing Task Priorty Register(TPR) access, it could leak
+automatic stack variable 'imm32' in patch_instruction().
+Initialise the variable to avoid it.
+
+Reported by: Donghai Zdh <donghai.zdh@alibaba-inc.com>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-Id: <1460013608-16670-1-git-send-email-ppandit@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+(cherry picked from commit 691a02e2ce0c413236a78dee6f2651c937b09fb0)
+---
+ hw/i386/kvmvapic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/i386/kvmvapic.c b/hw/i386/kvmvapic.c
+index f0922da..97f3646 100644
+--- a/hw/i386/kvmvapic.c
++++ b/hw/i386/kvmvapic.c
+@@ -393,7 +393,7 @@ static void patch_instruction(VAPICROMState *s, X86CPU *cpu, target_ulong ip)
+     CPUX86State *env = &cpu->env;
+     VAPICHandlers *handlers;
+     uint8_t opcode[2];
+-    uint32_t imm32;
++    uint32_t imm32 = 0;
+     target_ulong current_pc = 0;
+     target_ulong current_cs_base = 0;
+     int current_flags = 0;

0126-esp-check-command-buffer-length-before-write-CVE-201.patch

@@ -0,0 +1,39 @@
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Thu, 19 May 2016 16:09:30 +0530
+Subject: [PATCH] esp: check command buffer length before write(CVE-2016-4439)
+
+The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte
+FIFO buffer. It is used to handle command and data transfer. While
+writing to this command buffer 's->cmdbuf[TI_BUFSZ=16]', a check
+was missing to validate input length. Add check to avoid OOB write
+access.
+
+Fixes CVE-2016-4439.
+
+Reported-by: Li Qiang <liqiang6-s@360.cn>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-Id: <1463654371-11169-2-git-send-email-ppandit@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit c98c6c105f66f05aa0b7c1d2a4a3f716450907ef)
+---
+ hw/scsi/esp.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
+index 272d13d..cda9755 100644
+--- a/hw/scsi/esp.c
++++ b/hw/scsi/esp.c
+@@ -446,7 +446,11 @@ void esp_reg_write(ESPState *s, uint32_t saddr, uint64_t val)
+         break;
+     case ESP_FIFO:
+         if (s->do_cmd) {
+-            s->cmdbuf[s->cmdlen++] = val & 0xff;
++            if (s->cmdlen < TI_BUFSZ) {
++                s->cmdbuf[s->cmdlen++] = val & 0xff;
++            } else {
++                trace_esp_error_fifo_overrun();
++            }
+         } else if (s->ti_size == TI_BUFSZ - 1) {
+             trace_esp_error_fifo_overrun();
+         } else {

0127-esp-check-dma-length-before-reading-scsi-command-CVE.patch

@@ -0,0 +1,73 @@
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Thu, 19 May 2016 16:09:31 +0530
+Subject: [PATCH] esp: check dma length before reading scsi
+ command(CVE-2016-4441)
+
+The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte
+FIFO buffer. It is used to handle command and data transfer.
+Routine get_cmd() uses DMA to read scsi commands into this buffer.
+Add check to validate DMA length against buffer size to avoid any
+overrun.
+
+Fixes CVE-2016-4441.
+
+Reported-by: Li Qiang <liqiang6-s@360.cn>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-Id: <1463654371-11169-3-git-send-email-ppandit@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 6c1fef6b59563cc415f21e03f81539ed4b33ad90)
+---
+ hw/scsi/esp.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
+index cda9755..63a2a01 100644
+--- a/hw/scsi/esp.c
++++ b/hw/scsi/esp.c
+@@ -80,7 +80,7 @@ void esp_request_cancelled(SCSIRequest *req)
+     }
+ }
+ 
+-static uint32_t get_cmd(ESPState *s, uint8_t *buf)
++static uint32_t get_cmd(ESPState *s, uint8_t *buf, uint8_t buflen)
+ {
+     uint32_t dmalen;
+     int target;
+@@ -90,6 +90,9 @@ static uint32_t get_cmd(ESPState *s, uint8_t *buf)
+         dmalen = s->rregs[ESP_TCLO];
+         dmalen |= s->rregs[ESP_TCMID] << 8;
+         dmalen |= s->rregs[ESP_TCHI] << 16;
++        if (dmalen > buflen) {
++            return 0;
++        }
+         s->dma_memory_read(s->dma_opaque, buf, dmalen);
+     } else {
+         dmalen = s->ti_size;
+@@ -164,7 +167,7 @@ static void handle_satn(ESPState *s)
+         s->dma_cb = handle_satn;
+         return;
+     }
+-    len = get_cmd(s, buf);
++    len = get_cmd(s, buf, sizeof(buf));
+     if (len)
+         do_cmd(s, buf);
+ }
+@@ -178,7 +181,7 @@ static void handle_s_without_atn(ESPState *s)
+         s->dma_cb = handle_s_without_atn;
+         return;
+     }
+-    len = get_cmd(s, buf);
++    len = get_cmd(s, buf, sizeof(buf));
+     if (len) {
+         do_busid_cmd(s, buf, 0);
+     }
+@@ -190,7 +193,7 @@ static void handle_satn_stop(ESPState *s)
+         s->dma_cb = handle_satn_stop;
+         return;
+     }
+-    s->cmdlen = get_cmd(s, s->cmdbuf);
++    s->cmdlen = get_cmd(s, s->cmdbuf, sizeof(s->cmdbuf));
+     if (s->cmdlen) {
+         trace_esp_handle_satn_stop(s->cmdlen);
+         s->do_cmd = 1;

0128-vga-add-sr_vbe-register-set.patch

@@ -0,0 +1,233 @@
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Tue, 17 May 2016 10:54:54 +0200
+Subject: [PATCH] vga: add sr_vbe register set
+
+Commit "fd3c136 vga: make sure vga register setup for vbe stays intact
+(CVE-2016-3712)." causes a regression.  The win7 installer is unhappy
+because it can't freely modify vga registers any more while in vbe mode.
+
+This patch introduces a new sr_vbe register set.  The vbe_update_vgaregs
+will fill sr_vbe[] instead of sr[].  Normal vga register reads and
+writes go to sr[].  Any sr register read access happens through a new
+sr() helper function which will read from sr_vbe[] with vbe active and
+from sr[] otherwise.
+
+This way we can allow guests update sr[] registers as they want, without
+allowing them disrupt vbe video modes that way.
+
+Cc: qemu-stable@nongnu.org
+Reported-by: Thomas Lamprecht <thomas@lamprecht.org>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: 1463475294-14119-1-git-send-email-kraxel@redhat.com
+(cherry picked from commit 94ef4f337fb614f18b765a8e0e878a4c23cdedcd)
+---
+ hw/display/vga.c     | 50 ++++++++++++++++++++++++++++----------------------
+ hw/display/vga_int.h |  1 +
+ 2 files changed, 29 insertions(+), 22 deletions(-)
+
+diff --git a/hw/display/vga.c b/hw/display/vga.c
+index 1fc8f12..da23265 100644
+--- a/hw/display/vga.c
++++ b/hw/display/vga.c
+@@ -147,6 +147,11 @@ static inline bool vbe_enabled(VGACommonState *s)
+     return s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED;
+ }
+ 
++static inline uint8_t sr(VGACommonState *s, int idx)
++{
++    return vbe_enabled(s) ? s->sr_vbe[idx] : s->sr[idx];
++}
++
+ static void vga_update_memory_access(VGACommonState *s)
+ {
+     hwaddr base, offset, size;
+@@ -161,8 +166,8 @@ static void vga_update_memory_access(VGACommonState *s)
+         s->has_chain4_alias = false;
+         s->plane_updated = 0xf;
+     }
+-    if ((s->sr[VGA_SEQ_PLANE_WRITE] & VGA_SR02_ALL_PLANES) ==
+-        VGA_SR02_ALL_PLANES && s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) {
++    if ((sr(s, VGA_SEQ_PLANE_WRITE) & VGA_SR02_ALL_PLANES) ==
++        VGA_SR02_ALL_PLANES && sr(s, VGA_SEQ_MEMORY_MODE) & VGA_SR04_CHN_4M) {
+         offset = 0;
+         switch ((s->gr[VGA_GFX_MISC] >> 2) & 3) {
+         case 0:
+@@ -232,7 +237,7 @@ static void vga_precise_update_retrace_info(VGACommonState *s)
+           ((s->cr[VGA_CRTC_OVERFLOW] >> 6) & 2)) << 8);
+     vretr_end_line = s->cr[VGA_CRTC_V_SYNC_END] & 0xf;
+ 
+-    clocking_mode = (s->sr[VGA_SEQ_CLOCK_MODE] >> 3) & 1;
++    clocking_mode = (sr(s, VGA_SEQ_CLOCK_MODE) >> 3) & 1;
+     clock_sel = (s->msr >> 2) & 3;
+     dots = (s->msr & 1) ? 8 : 9;
+ 
+@@ -484,7 +489,6 @@ void vga_ioport_write(void *opaque, uint32_t addr, uint32_t val)
+         printf("vga: write SR%x = 0x%02x\n", s->sr_index, val);
+ #endif
+         s->sr[s->sr_index] = val & sr_mask[s->sr_index];
+-        vbe_update_vgaregs(s);
+         if (s->sr_index == VGA_SEQ_CLOCK_MODE) {
+             s->update_retrace_info(s);
+         }
+@@ -678,13 +682,13 @@ static void vbe_update_vgaregs(VGACommonState *s)
+ 
+     if (s->vbe_regs[VBE_DISPI_INDEX_BPP] == 4) {
+         shift_control = 0;
+-        s->sr[VGA_SEQ_CLOCK_MODE] &= ~8; /* no double line */
++        s->sr_vbe[VGA_SEQ_CLOCK_MODE] &= ~8; /* no double line */
+     } else {
+         shift_control = 2;
+         /* set chain 4 mode */
+-        s->sr[VGA_SEQ_MEMORY_MODE] |= VGA_SR04_CHN_4M;
++        s->sr_vbe[VGA_SEQ_MEMORY_MODE] |= VGA_SR04_CHN_4M;
+         /* activate all planes */
+-        s->sr[VGA_SEQ_PLANE_WRITE] |= VGA_SR02_ALL_PLANES;
++        s->sr_vbe[VGA_SEQ_PLANE_WRITE] |= VGA_SR02_ALL_PLANES;
+     }
+     s->gr[VGA_GFX_MODE] = (s->gr[VGA_GFX_MODE] & ~0x60) |
+         (shift_control << 5);
+@@ -834,7 +838,7 @@ uint32_t vga_mem_readb(VGACommonState *s, hwaddr addr)
+         break;
+     }
+ 
+-    if (s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) {
++    if (sr(s, VGA_SEQ_MEMORY_MODE) & VGA_SR04_CHN_4M) {
+         /* chain 4 mode : simplest access */
+         assert(addr < s->vram_size);
+         ret = s->vram_ptr[addr];
+@@ -902,11 +906,11 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val)
+         break;
+     }
+ 
+-    if (s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) {
++    if (sr(s, VGA_SEQ_MEMORY_MODE) & VGA_SR04_CHN_4M) {
+         /* chain 4 mode : simplest access */
+         plane = addr & 3;
+         mask = (1 << plane);
+-        if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) {
++        if (sr(s, VGA_SEQ_PLANE_WRITE) & mask) {
+             assert(addr < s->vram_size);
+             s->vram_ptr[addr] = val;
+ #ifdef DEBUG_VGA_MEM
+@@ -919,7 +923,7 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val)
+         /* odd/even mode (aka text mode mapping) */
+         plane = (s->gr[VGA_GFX_PLANE_READ] & 2) | (addr & 1);
+         mask = (1 << plane);
+-        if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) {
++        if (sr(s, VGA_SEQ_PLANE_WRITE) & mask) {
+             addr = ((addr & ~1) << 1) | plane;
+             if (addr >= s->vram_size) {
+                 return;
+@@ -994,7 +998,7 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val)
+ 
+     do_write:
+         /* mask data according to sr[2] */
+-        mask = s->sr[VGA_SEQ_PLANE_WRITE];
++        mask = sr(s, VGA_SEQ_PLANE_WRITE);
+         s->plane_updated |= mask; /* only used to detect font change */
+         write_mask = mask16[mask];
+         if (addr * sizeof(uint32_t) >= s->vram_size) {
+@@ -1150,10 +1154,10 @@ static void vga_get_text_resolution(VGACommonState *s, int *pwidth, int *pheight
+     /* total width & height */
+     cheight = (s->cr[VGA_CRTC_MAX_SCAN] & 0x1f) + 1;
+     cwidth = 8;
+-    if (!(s->sr[VGA_SEQ_CLOCK_MODE] & VGA_SR01_CHAR_CLK_8DOTS)) {
++    if (!(sr(s, VGA_SEQ_CLOCK_MODE) & VGA_SR01_CHAR_CLK_8DOTS)) {
+         cwidth = 9;
+     }
+-    if (s->sr[VGA_SEQ_CLOCK_MODE] & 0x08) {
++    if (sr(s, VGA_SEQ_CLOCK_MODE) & 0x08) {
+         cwidth = 16; /* NOTE: no 18 pixel wide */
+     }
+     width = (s->cr[VGA_CRTC_H_DISP] + 1);
+@@ -1195,7 +1199,7 @@ static void vga_draw_text(VGACommonState *s, int full_update)
+     int64_t now = qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL);
+ 
+     /* compute font data address (in plane 2) */
+-    v = s->sr[VGA_SEQ_CHARACTER_MAP];
++    v = sr(s, VGA_SEQ_CHARACTER_MAP);
+     offset = (((v >> 4) & 1) | ((v << 1) & 6)) * 8192 * 4 + 2;
+     if (offset != s->font_offsets[0]) {
+         s->font_offsets[0] = offset;
+@@ -1504,11 +1508,11 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
+     }
+ 
+     if (shift_control == 0) {
+-        if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) {
++        if (sr(s, VGA_SEQ_CLOCK_MODE) & 8) {
+             disp_width <<= 1;
+         }
+     } else if (shift_control == 1) {
+-        if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) {
++        if (sr(s, VGA_SEQ_CLOCK_MODE) & 8) {
+             disp_width <<= 1;
+         }
+     }
+@@ -1572,7 +1576,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
+ 
+     if (shift_control == 0) {
+         full_update |= update_palette16(s);
+-        if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) {
++        if (sr(s, VGA_SEQ_CLOCK_MODE) & 8) {
+             v = VGA_DRAW_LINE4D2;
+         } else {
+             v = VGA_DRAW_LINE4;
+@@ -1580,7 +1584,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
+         bits = 4;
+     } else if (shift_control == 1) {
+         full_update |= update_palette16(s);
+-        if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) {
++        if (sr(s, VGA_SEQ_CLOCK_MODE) & 8) {
+             v = VGA_DRAW_LINE2D2;
+         } else {
+             v = VGA_DRAW_LINE2;
+@@ -1627,7 +1631,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
+ #if 0
+     printf("w=%d h=%d v=%d line_offset=%d cr[0x09]=0x%02x cr[0x17]=0x%02x linecmp=%d sr[0x01]=0x%02x\n",
+            width, height, v, line_offset, s->cr[9], s->cr[VGA_CRTC_MODE],
+-           s->line_compare, s->sr[VGA_SEQ_CLOCK_MODE]);
++           s->line_compare, sr(s, VGA_SEQ_CLOCK_MODE));
+ #endif
+     addr1 = (s->start_addr * 4);
+     bwidth = (width * bits + 7) / 8;
+@@ -1779,6 +1783,7 @@ void vga_common_reset(VGACommonState *s)
+ {
+     s->sr_index = 0;
+     memset(s->sr, '\0', sizeof(s->sr));
++    memset(s->sr_vbe, '\0', sizeof(s->sr_vbe));
+     s->gr_index = 0;
+     memset(s->gr, '\0', sizeof(s->gr));
+     s->ar_index = 0;
+@@ -1881,10 +1886,10 @@ static void vga_update_text(void *opaque, console_ch_t *chardata)
+         /* total width & height */
+         cheight = (s->cr[VGA_CRTC_MAX_SCAN] & 0x1f) + 1;
+         cw = 8;
+-        if (!(s->sr[VGA_SEQ_CLOCK_MODE] & VGA_SR01_CHAR_CLK_8DOTS)) {
++        if (!(sr(s, VGA_SEQ_CLOCK_MODE) & VGA_SR01_CHAR_CLK_8DOTS)) {
+             cw = 9;
+         }
+-        if (s->sr[VGA_SEQ_CLOCK_MODE] & 0x08) {
++        if (sr(s, VGA_SEQ_CLOCK_MODE) & 0x08) {
+             cw = 16; /* NOTE: no 18 pixel wide */
+         }
+         width = (s->cr[VGA_CRTC_H_DISP] + 1);
+@@ -2050,6 +2055,7 @@ static int vga_common_post_load(void *opaque, int version_id)
+ 
+     /* force refresh */
+     s->graphic_mode = -1;
++    vbe_update_vgaregs(s);
+     return 0;
+ }
+ 
+diff --git a/hw/display/vga_int.h b/hw/display/vga_int.h
+index fcfcc5f..01bdd3e 100644
+--- a/hw/display/vga_int.h
++++ b/hw/display/vga_int.h
+@@ -99,6 +99,7 @@ typedef struct VGACommonState {
+     MemoryRegion chain4_alias;
+     uint8_t sr_index;
+     uint8_t sr[256];
++    uint8_t sr_vbe[256];
+     uint8_t gr_index;
+     uint8_t gr[256];
+     uint8_t ar_index;

0129-net-mipsnet-check-packet-length-against-buffer.patch

@@ -0,0 +1,32 @@
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Thu, 7 Apr 2016 15:56:02 +0530
+Subject: [PATCH] net: mipsnet: check packet length against buffer
+
+When receiving packets over MIPSnet network device, it uses
+receive buffer of size 1514 bytes. In case the controller
+accepts large(MTU) packets, it could lead to memory corruption.
+Add check to avoid it.
+
+Reported by: Oleksandr Bazhaniuk <oleksandr.bazhaniuk@intel.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+(cherry picked from commit 3af9187fc6caaf415ab9c0c6d92c9678f65cb17f)
+---
+ hw/net/mipsnet.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/hw/net/mipsnet.c b/hw/net/mipsnet.c
+index c813e0c..e0973f2 100644
+--- a/hw/net/mipsnet.c
++++ b/hw/net/mipsnet.c
+@@ -82,6 +82,9 @@ static ssize_t mipsnet_receive(NetClientState *nc, const uint8_t *buf, size_t si
+     if (!mipsnet_can_receive(nc))
+         return -1;
+ 
++    if (size >= sizeof(s->rx_buffer)) {
++        return 0;
++    }
+     s->busy = 1;
+ 
+     /* Just accept everything. */

0130-scsi-pvscsi-check-command-descriptor-ring-buffer-siz.patch

@@ -0,0 +1,100 @@
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Mon, 23 May 2016 16:18:05 +0530
+Subject: [PATCH] scsi: pvscsi: check command descriptor ring buffer size
+ (CVE-2016-4952)
+
+Vmware Paravirtual SCSI emulation uses command descriptors to
+process SCSI commands. These descriptors come with their ring
+buffers. A guest could set the ring buffer size to an arbitrary
+value leading to OOB access issue. Add check to avoid it.
+
+Reported-by: Li Qiang <liqiang6-s@360.cn>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Cc: qemu-stable@nongnu.org
+Message-Id: <1464000485-27041-1-git-send-email-ppandit@redhat.com>
+Reviewed-by: Shmulik Ladkani <shmulik.ladkani@ravellosystems.com>
+Reviewed-by: Dmitry Fleytman <dmitry@daynix.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 3e831b40e015ba34dfb55ff11f767001839425ff)
+---
+ hw/scsi/vmw_pvscsi.c | 24 ++++++++++++++++++++----
+ 1 file changed, 20 insertions(+), 4 deletions(-)
+
+diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
+index c6148d3..2596d71 100644
+--- a/hw/scsi/vmw_pvscsi.c
++++ b/hw/scsi/vmw_pvscsi.c
+@@ -126,7 +126,7 @@ pvscsi_log2(uint32_t input)
+     return log;
+ }
+ 
+-static void
++static int
+ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
+ {
+     int i;
+@@ -134,6 +134,10 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
+     uint32_t req_ring_size, cmp_ring_size;
+     m->rs_pa = ri->ringsStatePPN << VMW_PAGE_SHIFT;
+ 
++    if ((ri->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)
++        || (ri->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)) {
++        return -1;
++    }
+     req_ring_size = ri->reqRingNumPages * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE;
+     cmp_ring_size = ri->cmpRingNumPages * PVSCSI_MAX_NUM_CMP_ENTRIES_PER_PAGE;
+     txr_len_log2 = pvscsi_log2(req_ring_size - 1);
+@@ -165,15 +169,20 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
+ 
+     /* Flush ring state page changes */
+     smp_wmb();
++
++    return 0;
+ }
+ 
+-static void
++static int
+ pvscsi_ring_init_msg(PVSCSIRingInfo *m, PVSCSICmdDescSetupMsgRing *ri)
+ {
+     int i;
+     uint32_t len_log2;
+     uint32_t ring_size;
+ 
++    if (ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) {
++        return -1;
++    }
+     ring_size = ri->numPages * PVSCSI_MAX_NUM_MSG_ENTRIES_PER_PAGE;
+     len_log2 = pvscsi_log2(ring_size - 1);
+ 
+@@ -193,6 +202,8 @@ pvscsi_ring_init_msg(PVSCSIRingInfo *m, PVSCSICmdDescSetupMsgRing *ri)
+ 
+     /* Flush ring state page changes */
+     smp_wmb();
++
++    return 0;
+ }
+ 
+ static void
+@@ -743,7 +754,10 @@ pvscsi_on_cmd_setup_rings(PVSCSIState *s)
+     trace_pvscsi_on_cmd_arrived("PVSCSI_CMD_SETUP_RINGS");
+ 
+     pvscsi_dbg_dump_tx_rings_config(rc);
+-    pvscsi_ring_init_data(&s->rings, rc);
++    if (pvscsi_ring_init_data(&s->rings, rc) < 0) {
++        return PVSCSI_COMMAND_PROCESSING_FAILED;
++    }
++
+     s->rings_info_valid = TRUE;
+     return PVSCSI_COMMAND_PROCESSING_SUCCEEDED;
+ }
+@@ -823,7 +837,9 @@ pvscsi_on_cmd_setup_msg_ring(PVSCSIState *s)
+     }
+ 
+     if (s->rings_info_valid) {
+-        pvscsi_ring_init_msg(&s->rings, rc);
++        if (pvscsi_ring_init_msg(&s->rings, rc) < 0) {
++            return PVSCSI_COMMAND_PROCESSING_FAILED;
++        }
+         s->msg_ring_info_valid = TRUE;
+     }
+     return sizeof(PVSCSICmdDescSetupMsgRing) / sizeof(uint32_t);

0131-scsi-megasas-use-appropriate-property-buffer-size.patch

@@ -0,0 +1,31 @@
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Wed, 25 May 2016 16:01:29 +0530
+Subject: [PATCH] scsi: megasas: use appropriate property buffer size
+
+When setting MegaRAID SAS controller properties via MegaRAID
+Firmware Interface(MFI) commands, a user supplied size parameter
+is used to set property value. Use appropriate size value to avoid
+OOB access issues.
+
+Reported-by: Li Qiang <liqiang6-s@360.cn>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-Id: <1464172291-2856-2-git-send-email-ppandit@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 1b85898025c4cd95dce673d15e67e60e98e91731)
+---
+ hw/scsi/megasas.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
+index 108448e..ba62adf 100644
+--- a/hw/scsi/megasas.c
++++ b/hw/scsi/megasas.c
+@@ -1445,7 +1445,7 @@ static int megasas_dcmd_set_properties(MegasasState *s, MegasasCmd *cmd)
+                                             dcmd_size);
+         return MFI_STAT_INVALID_PARAMETER;
+     }
+-    dma_buf_write((uint8_t *)&info, cmd->iov_size, &cmd->qsg);
++    dma_buf_write((uint8_t *)&info, dcmd_size, &cmd->qsg);
+     trace_megasas_dcmd_unsupported(cmd->index, cmd->iov_size);
+     return MFI_STAT_OK;
+ }

0132-scsi-megasas-initialise-local-configuration-data-buf.patch

@@ -0,0 +1,31 @@
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Wed, 25 May 2016 17:41:44 +0530
+Subject: [PATCH] scsi: megasas: initialise local configuration data buffer
+
+When reading MegaRAID SAS controller configuration via MegaRAID
+Firmware Interface(MFI) commands, routine megasas_dcmd_cfg_read
+uses an uninitialised local data buffer. Initialise this buffer
+to avoid stack information leakage.
+
+Reported-by: Li Qiang <liqiang6-s@360.cn>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-Id: <1464178304-12831-1-git-send-email-ppandit@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit d37af740730dbbb93960cd318e040372d04d6dcf)
+---
+ hw/scsi/megasas.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
+index ba62adf..c746a7e 100644
+--- a/hw/scsi/megasas.c
++++ b/hw/scsi/megasas.c
+@@ -1292,7 +1292,7 @@ static int megasas_dcmd_ld_get_info(MegasasState *s, MegasasCmd *cmd)
+ 
+ static int megasas_dcmd_cfg_read(MegasasState *s, MegasasCmd *cmd)
+ {
+-    uint8_t data[4096];
++    uint8_t data[4096] = { 0 };
+     struct mfi_config_data *info;
+     int num_pd_disks = 0, array_offset, ld_offset;
+     BusChild *kid;

0133-scsi-megasas-check-read_queue_head-index-value.patch

@@ -0,0 +1,33 @@
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Wed, 25 May 2016 17:55:10 +0530
+Subject: [PATCH] scsi: megasas: check 'read_queue_head' index value
+
+While doing MegaRAID SAS controller command frame lookup, routine
+'megasas_lookup_frame' uses 'read_queue_head' value as an index
+into 'frames[MEGASAS_MAX_FRAMES=2048]' array. Limit its value
+within array bounds to avoid any OOB access.
+
+Reported-by: Li Qiang <liqiang6-s@360.cn>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-Id: <1464179110-18593-1-git-send-email-ppandit@redhat.com>
+Reviewed-by: Alexander Graf <agraf@suse.de>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit b60bdd1f1ee1616b7a9aeeffb4088e1ce2710fb2)
+---
+ hw/scsi/megasas.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
+index c746a7e..bcb1a0c 100644
+--- a/hw/scsi/megasas.c
++++ b/hw/scsi/megasas.c
+@@ -649,7 +649,9 @@ static int megasas_init_firmware(MegasasState *s, MegasasCmd *cmd)
+     pa_hi = le32_to_cpu(initq->pi_addr_hi);
+     s->producer_pa = ((uint64_t) pa_hi << 32) | pa_lo;
+     s->reply_queue_head = ldl_le_pci_dma(pcid, s->producer_pa);
++    s->reply_queue_head %= MEGASAS_MAX_FRAMES;
+     s->reply_queue_tail = ldl_le_pci_dma(pcid, s->consumer_pa);
++    s->reply_queue_tail %= MEGASAS_MAX_FRAMES;
+     flags = le32_to_cpu(initq->flags);
+     if (flags & MFI_QUEUE_FLAG_CONTEXT64) {
+         s->flags |= MEGASAS_MASK_USE_QUEUE64;

0134-vmsvga-move-fifo-sanity-checks-to-vmsvga_fifo_length.patch

@@ -0,0 +1,70 @@
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 30 May 2016 09:09:18 +0200
+Subject: [PATCH] vmsvga: move fifo sanity checks to vmsvga_fifo_length
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Sanity checks are applied when the fifo is enabled by the guest
+(SVGA_REG_CONFIG_DONE write).  Which doesn't help much if the guest
+changes the fifo registers afterwards.  Move the checks to
+vmsvga_fifo_length so they are done each time qemu is about to read
+from the fifo.
+
+Fixes: CVE-2016-4454
+Cc: qemu-stable@nongnu.org
+Cc: P J P <ppandit@redhat.com>
+Reported-by: 李强 <liqiang6-s@360.cn>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: 1464592161-18348-2-git-send-email-kraxel@redhat.com
+(cherry picked from commit 521360267876d3b6518b328051a2e56bca55bef8)
+---
+ hw/display/vmware_vga.c | 28 +++++++++++++++-------------
+ 1 file changed, 15 insertions(+), 13 deletions(-)
+
+diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
+index c17ddd1..b12128a 100644
+--- a/hw/display/vmware_vga.c
++++ b/hw/display/vmware_vga.c
+@@ -553,6 +553,21 @@ static inline int vmsvga_fifo_length(struct vmsvga_state_s *s)
+     if (!s->config || !s->enable) {
+         return 0;
+     }
++
++    /* Check range and alignment.  */
++    if ((CMD(min) | CMD(max) | CMD(next_cmd) | CMD(stop)) & 3) {
++        return 0;
++    }
++    if (CMD(min) < (uint8_t *) s->cmd->fifo - (uint8_t *) s->fifo) {
++        return 0;
++    }
++    if (CMD(max) > SVGA_FIFO_SIZE) {
++        return 0;
++    }
++    if (CMD(max) < CMD(min) + 10 * 1024) {
++        return 0;
++    }
++
+     num = CMD(next_cmd) - CMD(stop);
+     if (num < 0) {
+         num += CMD(max) - CMD(min);
+@@ -1000,19 +1015,6 @@ static void vmsvga_value_write(void *opaque, uint32_t address, uint32_t value)
+     case SVGA_REG_CONFIG_DONE:
+         if (value) {
+             s->fifo = (uint32_t *) s->fifo_ptr;
+-            /* Check range and alignment.  */
+-            if ((CMD(min) | CMD(max) | CMD(next_cmd) | CMD(stop)) & 3) {
+-                break;
+-            }
+-            if (CMD(min) < (uint8_t *) s->cmd->fifo - (uint8_t *) s->fifo) {
+-                break;
+-            }
+-            if (CMD(max) > SVGA_FIFO_SIZE) {
+-                break;
+-            }
+-            if (CMD(max) < CMD(min) + 10 * 1024) {
+-                break;
+-            }
+             vga_dirty_log_stop(&s->vga);
+         }
+         s->config = !!value;

0135-vmsvga-add-more-fifo-checks.patch

@@ -0,0 +1,36 @@
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 30 May 2016 09:09:19 +0200
+Subject: [PATCH] vmsvga: add more fifo checks
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Make sure all fifo ptrs are within range.
+
+Fixes: CVE-2016-4454
+Cc: qemu-stable@nongnu.org
+Cc: P J P <ppandit@redhat.com>
+Reported-by: 李强 <liqiang6-s@360.cn>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: 1464592161-18348-3-git-send-email-kraxel@redhat.com
+(cherry picked from commit c2e3c54d3960bc53bfa3a5ce7ea7a050b9be267e)
+---
+ hw/display/vmware_vga.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
+index b12128a..0329d9f 100644
+--- a/hw/display/vmware_vga.c
++++ b/hw/display/vmware_vga.c
+@@ -561,7 +561,10 @@ static inline int vmsvga_fifo_length(struct vmsvga_state_s *s)
+     if (CMD(min) < (uint8_t *) s->cmd->fifo - (uint8_t *) s->fifo) {
+         return 0;
+     }
+-    if (CMD(max) > SVGA_FIFO_SIZE) {
++    if (CMD(max) > SVGA_FIFO_SIZE ||
++        CMD(min) >= SVGA_FIFO_SIZE ||
++        CMD(stop) >= SVGA_FIFO_SIZE ||
++        CMD(next_cmd) >= SVGA_FIFO_SIZE) {
+         return 0;
+     }
+     if (CMD(max) < CMD(min) + 10 * 1024) {

0136-vmsvga-shadow-fifo-registers.patch

@@ -0,0 +1,143 @@
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 30 May 2016 09:09:20 +0200
+Subject: [PATCH] vmsvga: shadow fifo registers
+
+The fifo is normal ram.  So kvm vcpu threads and qemu iothread can
+access the fifo in parallel without syncronization.  Which in turn
+implies we can't use the fifo pointers in-place because the guest
+can try changing them underneath us.  So add shadows for them, to
+make sure the guest can't modify them after we've applied sanity
+checks.
+
+Fixes: CVE-2016-4454
+Cc: qemu-stable@nongnu.org
+Cc: P J P <ppandit@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: 1464592161-18348-4-git-send-email-kraxel@redhat.com
+(cherry picked from commit 7e486f7577764a07aa35588e119903c80a5c30a2)
+---
+ hw/display/vmware_vga.c | 57 ++++++++++++++++++++++++-------------------------
+ 1 file changed, 28 insertions(+), 29 deletions(-)
+
+diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
+index 0329d9f..8b9feb8 100644
+--- a/hw/display/vmware_vga.c
++++ b/hw/display/vmware_vga.c
+@@ -64,17 +64,11 @@ struct vmsvga_state_s {
+     uint8_t *fifo_ptr;
+     unsigned int fifo_size;
+ 
+-    union {
+-        uint32_t *fifo;
+-        struct QEMU_PACKED {
+-            uint32_t min;
+-            uint32_t max;
+-            uint32_t next_cmd;
+-            uint32_t stop;
+-            /* Add registers here when adding capabilities.  */
+-            uint32_t fifo[0];
+-        } *cmd;
+-    };
++    uint32_t *fifo;
++    uint32_t fifo_min;
++    uint32_t fifo_max;
++    uint32_t fifo_next;
++    uint32_t fifo_stop;
+ 
+ #define REDRAW_FIFO_LEN  512
+     struct vmsvga_rect_s {
+@@ -196,7 +190,7 @@ enum {
+      */
+     SVGA_FIFO_MIN = 0,
+     SVGA_FIFO_MAX,      /* The distance from MIN to MAX must be at least 10K */
+-    SVGA_FIFO_NEXT_CMD,
++    SVGA_FIFO_NEXT,
+     SVGA_FIFO_STOP,
+ 
+     /*
+@@ -544,8 +538,6 @@ static inline void vmsvga_cursor_define(struct vmsvga_state_s *s,
+ }
+ #endif
+ 
+-#define CMD(f)  le32_to_cpu(s->cmd->f)
+-
+ static inline int vmsvga_fifo_length(struct vmsvga_state_s *s)
+ {
+     int num;
+@@ -554,38 +546,44 @@ static inline int vmsvga_fifo_length(struct vmsvga_state_s *s)
+         return 0;
+     }
+ 
++    s->fifo_min  = le32_to_cpu(s->fifo[SVGA_FIFO_MIN]);
++    s->fifo_max  = le32_to_cpu(s->fifo[SVGA_FIFO_MAX]);
++    s->fifo_next = le32_to_cpu(s->fifo[SVGA_FIFO_NEXT]);
++    s->fifo_stop = le32_to_cpu(s->fifo[SVGA_FIFO_STOP]);
++
+     /* Check range and alignment.  */
+-    if ((CMD(min) | CMD(max) | CMD(next_cmd) | CMD(stop)) & 3) {
++    if ((s->fifo_min | s->fifo_max | s->fifo_next | s->fifo_stop) & 3) {
+         return 0;
+     }
+-    if (CMD(min) < (uint8_t *) s->cmd->fifo - (uint8_t *) s->fifo) {
++    if (s->fifo_min < sizeof(uint32_t) * 4) {
+         return 0;
+     }
+-    if (CMD(max) > SVGA_FIFO_SIZE ||
+-        CMD(min) >= SVGA_FIFO_SIZE ||
+-        CMD(stop) >= SVGA_FIFO_SIZE ||
+-        CMD(next_cmd) >= SVGA_FIFO_SIZE) {
++    if (s->fifo_max > SVGA_FIFO_SIZE ||
++        s->fifo_min >= SVGA_FIFO_SIZE ||
++        s->fifo_stop >= SVGA_FIFO_SIZE ||
++        s->fifo_next >= SVGA_FIFO_SIZE) {
+         return 0;
+     }
+-    if (CMD(max) < CMD(min) + 10 * 1024) {
++    if (s->fifo_max < s->fifo_min + 10 * 1024) {
+         return 0;
+     }
+ 
+-    num = CMD(next_cmd) - CMD(stop);
++    num = s->fifo_next - s->fifo_stop;
+     if (num < 0) {
+-        num += CMD(max) - CMD(min);
++        num += s->fifo_max - s->fifo_min;
+     }
+     return num >> 2;
+ }
+ 
+ static inline uint32_t vmsvga_fifo_read_raw(struct vmsvga_state_s *s)
+ {
+-    uint32_t cmd = s->fifo[CMD(stop) >> 2];
++    uint32_t cmd = s->fifo[s->fifo_stop >> 2];
+ 
+-    s->cmd->stop = cpu_to_le32(CMD(stop) + 4);
+-    if (CMD(stop) >= CMD(max)) {
+-        s->cmd->stop = s->cmd->min;
++    s->fifo_stop += 4;
++    if (s->fifo_stop >= s->fifo_max) {
++        s->fifo_stop = s->fifo_min;
+     }
++    s->fifo[SVGA_FIFO_STOP] = cpu_to_le32(s->fifo_stop);
+     return cmd;
+ }
+ 
+@@ -605,7 +603,7 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
+     len = vmsvga_fifo_length(s);
+     while (len > 0) {
+         /* May need to go back to the start of the command if incomplete */
+-        cmd_start = s->cmd->stop;
++        cmd_start = s->fifo_stop;
+ 
+         switch (cmd = vmsvga_fifo_read(s)) {
+         case SVGA_CMD_UPDATE:
+@@ -761,7 +759,8 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
+             break;
+ 
+         rewind:
+-            s->cmd->stop = cmd_start;
++            s->fifo_stop = cmd_start;
++            s->fifo[SVGA_FIFO_STOP] = cpu_to_le32(s->fifo_stop);
+             break;
+         }
+     }

0137-vmsvga-don-t-process-more-than-1024-fifo-commands-at.patch

@@ -0,0 +1,42 @@
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 30 May 2016 09:09:21 +0200
+Subject: [PATCH] vmsvga: don't process more than 1024 fifo commands at once
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+vmsvga_fifo_run is called in regular intervals (on each display update)
+and will resume where it left off.  So we can simply exit the loop,
+without having to worry about how processing will continue.
+
+Fixes: CVE-2016-4453
+Cc: qemu-stable@nongnu.org
+Cc: P J P <ppandit@redhat.com>
+Reported-by: 李强 <liqiang6-s@360.cn>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: 1464592161-18348-5-git-send-email-kraxel@redhat.com
+(cherry picked from commit 4e68a0ee17dad7b8d870df0081d4ab2e079016c2)
+---
+ hw/display/vmware_vga.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
+index 8b9feb8..a856a97 100644
+--- a/hw/display/vmware_vga.c
++++ b/hw/display/vmware_vga.c
+@@ -595,13 +595,13 @@ static inline uint32_t vmsvga_fifo_read(struct vmsvga_state_s *s)
+ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
+ {
+     uint32_t cmd, colour;
+-    int args, len;
++    int args, len, maxloop = 1024;
+     int x, y, dx, dy, width, height;
+     struct vmsvga_cursor_definition_s cursor;
+     uint32_t cmd_start;
+ 
+     len = vmsvga_fifo_length(s);
+-    while (len > 0) {
++    while (len > 0 && --maxloop > 0) {
+         /* May need to go back to the start of the command if incomplete */
+         cmd_start = s->fifo_stop;
+ 

0138-scsi-esp-check-buffer-length-before-reading-scsi-com.patch

@@ -0,0 +1,33 @@
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Tue, 31 May 2016 23:23:27 +0530
+Subject: [PATCH] scsi: esp: check buffer length before reading scsi command
+
+The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte
+FIFO buffer. It is used to handle command and data transfer.
+Routine get_cmd() in non-DMA mode, uses 'ti_size' to read scsi
+command into a buffer. Add check to validate command length against
+buffer size to avoid any overrun.
+
+Reported-by: Li Qiang <liqiang6-s@360.cn>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-Id: <1464717207-7549-1-git-send-email-ppandit@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit d3cdc49138c30be1d3c2f83d18f85d9fdee95f1a)
+---
+ hw/scsi/esp.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
+index 63a2a01..e1a8090 100644
+--- a/hw/scsi/esp.c
++++ b/hw/scsi/esp.c
+@@ -96,6 +96,9 @@ static uint32_t get_cmd(ESPState *s, uint8_t *buf, uint8_t buflen)
+         s->dma_memory_read(s->dma_opaque, buf, dmalen);
+     } else {
+         dmalen = s->ti_size;
++        if (dmalen > TI_BUFSZ) {
++            return 0;
++        }
+         memcpy(buf, s->ti_buf, dmalen);
+         buf[0] = buf[2] >> 5;
+     }

0139-scsi-esp-respect-FIFO-invariant-after-message-phase.patch

@@ -0,0 +1,26 @@
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Tue, 14 Jun 2016 15:10:24 +0200
+Subject: [PATCH] scsi: esp: respect FIFO invariant after message phase
+
+The FIFO contains two bytes; hence the write ptr should be two bytes ahead
+of the read pointer.
+
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit d020aa504cec8f525b55ba2ef982c09dc847c72e)
+---
+ hw/scsi/esp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
+index e1a8090..65d1830 100644
+--- a/hw/scsi/esp.c
++++ b/hw/scsi/esp.c
+@@ -220,7 +220,7 @@ static void write_response(ESPState *s)
+     } else {
+         s->ti_size = 2;
+         s->ti_rptr = 0;
+-        s->ti_wptr = 0;
++        s->ti_wptr = 2;
+         s->rregs[ESP_RFLAGS] = 2;
+     }
+     esp_raise_irq(s);

0140-scsi-esp-clean-up-handle_ti-esp_do_dma-if-s-do_cmd.patch

@@ -0,0 +1,76 @@
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Wed, 15 Jun 2016 14:29:33 +0200
+Subject: [PATCH] scsi: esp: clean up handle_ti/esp_do_dma if s->do_cmd
+
+Avoid duplicated code between esp_do_dma and handle_ti.  esp_do_dma
+has the same code that handle_ti contains after the call to esp_do_dma;
+but the code in handle_ti is never reached because it is in an "else if".
+Remove the else and also the pointless return.
+
+esp_do_dma also has a partially dead assignment of the to_device
+variable.  Sink it to the point where it's actually used.
+
+Finally, assert that the other caller of esp_do_dma (esp_transfer_data)
+only transfers data and not a command.  This is true because get_cmd
+cancels the old request synchronously before its caller handle_satn_stop
+sets do_cmd to 1.
+
+Reviewed-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 7f0b6e114ae4e142e2b3dfc9fac138f4a30edc4f)
+---
+ hw/scsi/esp.c | 11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
+index 65d1830..7337d27 100644
+--- a/hw/scsi/esp.c
++++ b/hw/scsi/esp.c
+@@ -243,15 +243,10 @@ static void esp_do_dma(ESPState *s)
+     uint32_t len;
+     int to_device;
+ 
+-    to_device = (s->ti_size < 0);
+     len = s->dma_left;
+     if (s->do_cmd) {
+         trace_esp_do_dma(s->cmdlen, len);
+         s->dma_memory_read(s->dma_opaque, &s->cmdbuf[s->cmdlen], len);
+-        s->ti_size = 0;
+-        s->cmdlen = 0;
+-        s->do_cmd = 0;
+-        do_cmd(s, s->cmdbuf);
+         return;
+     }
+     if (s->async_len == 0) {
+@@ -261,6 +256,7 @@ static void esp_do_dma(ESPState *s)
+     if (len > s->async_len) {
+         len = s->async_len;
+     }
++    to_device = (s->ti_size < 0);
+     if (to_device) {
+         s->dma_memory_read(s->dma_opaque, s->async_buf, len);
+     } else {
+@@ -316,6 +312,7 @@ void esp_transfer_data(SCSIRequest *req, uint32_t len)
+ {
+     ESPState *s = req->hba_private;
+ 
++    assert(!s->do_cmd);
+     trace_esp_transfer_data(s->dma_left, s->ti_size);
+     s->async_len = len;
+     s->async_buf = scsi_req_get_buf(req);
+@@ -356,13 +353,13 @@ static void handle_ti(ESPState *s)
+         s->dma_left = minlen;
+         s->rregs[ESP_RSTAT] &= ~STAT_TC;
+         esp_do_dma(s);
+-    } else if (s->do_cmd) {
++    }
++    if (s->do_cmd) {
+         trace_esp_handle_ti_cmd(s->cmdlen);
+         s->ti_size = 0;
+         s->cmdlen = 0;
+         s->do_cmd = 0;
+         do_cmd(s, s->cmdbuf);
+-        return;
+     }
+ }
+ 

0141-scsi-esp-make-cmdbuf-big-enough-for-maximum-CDB-size.patch

@@ -0,0 +1,70 @@
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Thu, 16 Jun 2016 00:22:35 +0200
+Subject: [PATCH] scsi: esp: make cmdbuf big enough for maximum CDB size
+
+While doing DMA read into ESP command buffer 's->cmdbuf', it could
+write past the 's->cmdbuf' area, if it was transferring more than 16
+bytes.  Increase the command buffer size to 32, which is maximum when
+'s->do_cmd' is set, and add a check on 'len' to avoid OOB access.
+
+Reported-by: Li Qiang <liqiang6-s@360.cn>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 926cde5f3e4d2504ed161ed0cb771ac7cad6fd11)
+---
+ hw/scsi/esp.c         | 6 ++++--
+ include/hw/scsi/esp.h | 3 ++-
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
+index 7337d27..a5f1095 100644
+--- a/hw/scsi/esp.c
++++ b/hw/scsi/esp.c
+@@ -246,6 +246,8 @@ static void esp_do_dma(ESPState *s)
+     len = s->dma_left;
+     if (s->do_cmd) {
+         trace_esp_do_dma(s->cmdlen, len);
++        assert (s->cmdlen <= sizeof(s->cmdbuf) &&
++                len <= sizeof(s->cmdbuf) - s->cmdlen);
+         s->dma_memory_read(s->dma_opaque, &s->cmdbuf[s->cmdlen], len);
+         return;
+     }
+@@ -343,7 +345,7 @@ static void handle_ti(ESPState *s)
+     s->dma_counter = dmalen;
+ 
+     if (s->do_cmd)
+-        minlen = (dmalen < 32) ? dmalen : 32;
++        minlen = (dmalen < ESP_CMDBUF_SZ) ? dmalen : ESP_CMDBUF_SZ;
+     else if (s->ti_size < 0)
+         minlen = (dmalen < -s->ti_size) ? dmalen : -s->ti_size;
+     else
+@@ -449,7 +451,7 @@ void esp_reg_write(ESPState *s, uint32_t saddr, uint64_t val)
+         break;
+     case ESP_FIFO:
+         if (s->do_cmd) {
+-            if (s->cmdlen < TI_BUFSZ) {
++            if (s->cmdlen < ESP_CMDBUF_SZ) {
+                 s->cmdbuf[s->cmdlen++] = val & 0xff;
+             } else {
+                 trace_esp_error_fifo_overrun();
+diff --git a/include/hw/scsi/esp.h b/include/hw/scsi/esp.h
+index 6c79527..d2c4886 100644
+--- a/include/hw/scsi/esp.h
++++ b/include/hw/scsi/esp.h
+@@ -14,6 +14,7 @@ void esp_init(hwaddr espaddr, int it_shift,
+ 
+ #define ESP_REGS 16
+ #define TI_BUFSZ 16
++#define ESP_CMDBUF_SZ 32
+ 
+ typedef struct ESPState ESPState;
+ 
+@@ -31,7 +32,7 @@ struct ESPState {
+     SCSIBus bus;
+     SCSIDevice *current_dev;
+     SCSIRequest *current_req;
+-    uint8_t cmdbuf[TI_BUFSZ];
++    uint8_t cmdbuf[ESP_CMDBUF_SZ];
+     uint32_t cmdlen;
+     uint32_t do_cmd;
+ 

0142-scsi-megasas-null-terminate-bios-version-buffer.patch

@@ -0,0 +1,29 @@
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Tue, 7 Jun 2016 16:44:03 +0530
+Subject: [PATCH] scsi: megasas: null terminate bios version buffer
+
+While reading information via 'megasas_ctrl_get_info' routine,
+a local bios version buffer isn't null terminated. Add the
+terminating null byte to avoid any OOB access.
+
+Reported-by: Li Qiang <liqiang6-s@360.cn>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 844864fbae66935951529408831c2f22367a57b6)
+---
+ hw/scsi/megasas.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
+index bcb1a0c..6a80995 100644
+--- a/hw/scsi/megasas.c
++++ b/hw/scsi/megasas.c
+@@ -772,6 +772,7 @@ static int megasas_ctrl_get_info(MegasasState *s, MegasasCmd *cmd)
+ 
+         ptr = memory_region_get_ram_ptr(&pci_dev->rom);
+         memcpy(biosver, ptr + 0x41, 31);
++        biosver[31] = 0;
+         memcpy(info.image_component[1].name, "BIOS", 4);
+         memcpy(info.image_component[1].version, biosver,
+                strlen((const char *)biosver));

qemu.spec

@@ -42,8 +42,8 @@
 
 Summary: QEMU is a FAST! processor emulator
 Name: qemu
-Version: 2.3.0
-Release: 3%{?dist}
+Version: 2.3.1
+Release: 16%{?dist}
 Epoch: 2
 License: GPLv2+ and LGPLv2+ and BSD
 Group: Development/Tools
@@ -71,6 +71,169 @@ Source12: bridge.conf
 # qemu-kvm back compat wrapper
 Source13: qemu-kvm.sh
 
+# CVE-2015-4037: insecure temporary file use in /net/slirp.c (bz #1222894)
+Patch0001: 0001-slirp-use-less-predictable-directory-name-in-tmp-for.patch
+# Fix: qemu-img: error while compressing sector <NNN>: Input/output error
+# (bz #1214855)
+Patch0002: 0002-qcow2-Handle-EAGAIN-returned-from-update_refcount.patch
+# Fix qemu-img map crash for unaligned image (bz #1229394)
+Patch0003: 0003-raw-posix-Fix-.bdrv_co_get_block_status-for-unaligne.patch
+# CVE-2015-3209: pcnet: multi-tmd buffer overflow in the tx path (bz
+# #1230536)
+Patch0004: 0004-pcnet-force-the-buffer-access-to-be-in-bounds-during.patch
+# CVE-2015-5745: buffer overflow in virtio-serial (bz #1251160)
+Patch0005: 0005-virtio-serial-fix-ANY_LAYOUT.patch
+# CVE-2015-5225: heap memory corruption in vnc_refresh_server_surface (bz
+# #1255899)
+Patch0006: 0006-vnc-fix-memory-corruption-CVE-2015-5225.patch
+# Fix typo causing qemu-img to link against entire world (bz #1260996)
+Patch0007: 0007-Fix-typo-causing-qemu-img-to-link-against-entire-wor.patch
+# CVE-2015-6815: net: e1000: infinite loop issue (bz #1260225)
+Patch0008: 0008-e1000-Avoid-infinite-loop-in-processing-transmit-des.patch
+# CVE-2015-6855: ide: divide by zero issue (bz #1261793)
+Patch0009: 0009-ide-fix-ATAPI-command-permissions.patch
+# CVE-2015-5278: Infinite loop in ne2000_receive() (bz #1263284)
+Patch0010: 0010-net-avoid-infinite-loop-when-receiving-packets-CVE-2.patch
+# CVE-2015-5279: Heap overflow vulnerability in ne2000_receive() (bz
+# #1263287)
+Patch0011: 0011-net-add-checks-to-validate-ring-buffer-pointers-CVE-.patch
+# Make block copy more stable (bz #1264416)
+Patch0012: 0012-block-mirror-limit-qiov-to-IOV_MAX-elements.patch
+# Fix hang at start of live merge for large images (bz #1262901)
+Patch0013: 0013-block-mirror-Sleep-periodically-during-bitmap-scanni.patch
+# Fix emulation of various instructions, required by libm in F22 ppc64
+# guests
+Patch0014: 0014-target-ppc-fix-vcipher-vcipherlast-vncipherlast-and-.patch
+Patch0015: 0015-target-ppc-fix-xscmpodp-and-xscmpudp-decoding.patch
+# CVE-2015-7295: virtio-net possible remote DoS (bz #1264393)
+Patch0016: 0016-virtio-introduce-virtqueue_unmap_sg.patch
+Patch0017: 0017-virtio-introduce-virtqueue_discard.patch
+Patch0018: 0018-virtio-net-correctly-drop-truncated-packets.patch
+# drive-mirror: Fix coroutine reentrance (bz #1266936)
+Patch0019: 0019-mirror-Fix-coroutine-reentrance.patch
+# Fix udp socket 'localaddr' (bz #1268708)
+Patch0020: 0020-util-socket-Add-missing-localaddr-and-localport-opti.patch
+# Fix abort in abort in bdrv_error_action (bz #1277482)
+Patch0021: 0021-atomics-add-explicit-compiler-fence-in-__atomic-memo.patch
+# Fix SSE4 emulation with accel=tcg (bz #1270703)
+Patch0022: 0022-target-i386-fix-pcmpxstrx-equal-ordered-strstr-mode.patch
+# CVE-2015-8345: Fix infinite loop in eepro100 (bz #1285214)
+Patch0023: 0023-eepro100-Prevent-two-endless-loops.patch
+# CVE-2015-7504: Fix heap overflow in pcnet (bz #1286543)
+Patch0024: 0024-net-pcnet-add-check-to-validate-receive-data-size-CV.patch
+# CVE-2015-7512: Fix buffer overflow in pcnet (bz #1286549)
+Patch0025: 0025-pcnet-fix-rx-buffer-overflow-CVE-2015-7512.patch
+# vnc: avoid floating point exceptions (bz #1289541, bz #1289542)
+Patch0026: 0026-ui-vnc-avoid-floating-point-exception.patch
+# CVE-2015-7549: pci: null pointer dereference issue (bz #1291138)
+Patch0027: 0027-msix-implement-pba-write-but-read-only.patch
+# CVE-2015-8558: DoS by infinite loop in ehci_advance_state (bz #1291309)
+Patch0028: 0028-ehci-make-idt-processing-more-robust.patch
+# CVE-2015-8666: Heap-based buffer overrun during VM migration (bz #1294027)
+Patch0029: 0029-acpi-fix-buffer-overrun-on-migration.patch
+# CVE-2015-8744: vmxnet3: fix crash with short packets (bz #1295440)
+Patch0030: 0030-net-vmxnet3-Refine-l2-header-validation.patch
+# CVE-2015-8745: vmxnet3: don't assert reading registers in bar0 (bz
+# #1295442)
+Patch0031: 0031-vmxnet3-Support-reading-IMR-registers-on-bar0.patch
+# CVE-2015-8567: net: vmxnet3: host memory leakage (bz #1289818)
+Patch0032: 0032-net-vmxnet3-avoid-memory-leakage-in-activate_device.patch
+# CVE-2016-1922: i386: avoid null pointer dereference (bz #1292766)
+Patch0033: 0033-i386-avoid-null-pointer-dereference.patch
+# CVE-2015-8613: buffer overflow in megasas_ctrl_get_info (bz #1284008)
+Patch0034: 0034-scsi-initialise-info-object-with-appropriate-size.patch
+# CVE-2015-8743: ne2000: OOB memory access in ioport r/w functions (bz
+# #1294787)
+Patch0035: 0035-net-ne2000-fix-bounds-check-in-ioport-operations.patch
+# CVE-2015-8619: Fix sendkey out of bounds (bz #1292757)
+Patch0036: 0036-hmp-fix-sendkey-out-of-bounds-write-CVE-2015-8619.patch
+# CVE-2016-1981: infinite loop in e1000 (bz #1299995)
+Patch0037: 0037-e1000-eliminate-infinite-loops-on-out-of-bounds-tran.patch
+# Fix Out-of-bounds read in usb-ehci (bz #1300234, bz #1299455)
+Patch0038: 0038-usb-check-page-select-value-while-processing-iTD.patch
+# CVE-2016-2197: ahci: null pointer dereference (bz #1302952)
+Patch0039: 0039-ahci-Do-not-unmap-NULL-addresses.patch
+# Fix gdbstub for VSX registers for ppc64 (bz #1304377)
+Patch0040: 0040-target-ppc-rename-and-export-maybe_bswap_register.patch
+Patch0041: 0041-target-ppc-gdbstub-fix-float-registers-for-little-en.patch
+Patch0042: 0042-target-ppc-gdbstub-introduce-avr_need_swap.patch
+Patch0043: 0043-target-ppc-gdbstub-fix-altivec-registers-for-little-.patch
+Patch0044: 0044-target-ppc-gdbstub-fix-spe-registers-for-little-endi.patch
+Patch0045: 0045-target-ppc-gdbstub-Add-VSX-support.patch
+Patch0046: 0046-target-ppc-kvm-fix-floating-point-registers-sync-on-.patch
+
+# Fix qemu-img vmdk images to work with VMware (bz #1299185)
+Patch0101: 0101-vmdk-Create-streamOptimized-as-version-3.patch
+Patch0102: 0102-vmdk-Fix-converting-to-streamOptimized.patch
+# CVE-2016-2538: Integer overflow in usb module (bz #1305815)
+Patch0103: 0103-usb-check-RNDIS-message-length.patch
+Patch0104: 0104-usb-check-RNDIS-buffer-offsets-length.patch
+# CVE-2016-2841: ne2000: infinite loop (bz #1304047)
+Patch0105: 0105-net-ne2000-check-ring-buffer-control-registers.patch
+# CVE-2016-2857: net: out of bounds read (bz #1309564)
+Patch0106: 0106-net-check-packet-payload-length.patch
+# CVE-2016-2392: usb: null pointer dereference (bz #1307115)
+Patch0107: 0107-usb-check-USB-configuration-descriptor-object.patch
+# spice: fix spice_chr_add_watch() crash (bz #1315049)
+Patch0108: 0108-spice-fix-spice_chr_add_watch-pre-condition.patch
+# CVE-2016-3710: incorrect bounds checking in vga (bz #1334345)
+Patch0109: 0109-vga-fix-banked-access-bounds-checking-CVE-2016-3710.patch
+Patch0110: 0110-vga-add-vbe_enabled-helper.patch
+Patch0111: 0111-vga-factor-out-vga-register-setup.patch
+Patch0112: 0112-vga-update-vga-register-setup-on-vbe-changes.patch
+# CVE-2016-3712: out of bounds read in vga (bz #1334342)
+Patch0113: 0113-vga-make-sure-vga-register-setup-for-vbe-stays-intac.patch
+# Fix USB redirection (bz #1330221)
+Patch0114: 0114-ehci-clear-suspend-bit-on-detach.patch
+# CVE-2016-4037: infinite loop in usb ehci (bz #1328080)
+Patch0115: 0115-ehci-apply-limit-to-iTD-sidt-descriptors.patch
+Patch0116: 0116-Revert-ehci-make-idt-processing-more-robust.patch
+# CVE-2016-4001: buffer overflow in stellaris net (bz #1325885)
+Patch0117: 0117-net-stellaris_enet-check-packet-length-against-recei.patch
+# CVE-2016-2858: rng stack corruption (bz #1314677)
+Patch0118: 0118-rng-remove-the-unused-request-cancellation-code.patch
+Patch0119: 0119-rng-move-request-queue-from-RngEgd-to-RngBackend.patch
+Patch0120: 0120-rng-move-request-queue-cleanup-from-RngEgd-to-RngBac.patch
+Patch0121: 0121-rng-add-request-queue-support-to-rng-random.patch
+# CVE-2016-2391: ohci: crash via multiple timers (bz #1308881)
+Patch0122: 0122-ohci-allocate-timer-only-once.patch
+# CVE-2016-2198: ehci: null pointer dereference (bz #1303134)
+Patch0123: 0123-usb-ehci-add-capability-mmio-write-function.patch
+# Fix ./configure with ccache
+Patch0124: 0124-configure-disallow-ccache-during-compile-tests.patch
+# CVE-2016-4020: memory leak in kvmvapic.c (bz #1326904)
+Patch0125: 0125-i386-kvmvapic-initialise-imm32-variable.patch
+# CVE-2016-4439: scsi: esb: OOB write #1 (bz #1337503)
+Patch0126: 0126-esp-check-command-buffer-length-before-write-CVE-201.patch
+# CVE-2016-4441: scsi: esb: OOB write #2 (bz #1337506)
+Patch0127: 0127-esp-check-dma-length-before-reading-scsi-command-CVE.patch
+# Fix regression installing windows 7 with qxl/vga (bz #1339267)
+Patch0128: 0128-vga-add-sr_vbe-register-set.patch
+# CVE-2016-4002: net: buffer overflow in MIPSnet (bz #1326083)
+Patch0129: 0129-net-mipsnet-check-packet-length-against-buffer.patch
+# CVE-2016-4952 scsi: pvscsi: out-of-bounds access issue
+Patch0130: 0130-scsi-pvscsi-check-command-descriptor-ring-buffer-siz.patch
+# CVE-2016-5106: scsi: megasas: out-of-bounds write (bz #1339581)
+Patch0131: 0131-scsi-megasas-use-appropriate-property-buffer-size.patch
+# CVE-2016-5105: scsi: megasas: stack information leakage (bz #1339585)
+Patch0132: 0132-scsi-megasas-initialise-local-configuration-data-buf.patch
+# CVE-2016-5107: scsi: megasas: out-of-bounds read (bz #1339573)
+Patch0133: 0133-scsi-megasas-check-read_queue_head-index-value.patch
+# CVE-2016-4454: display: vmsvga: out-of-bounds read (bz #1340740)
+Patch0134: 0134-vmsvga-move-fifo-sanity-checks-to-vmsvga_fifo_length.patch
+Patch0135: 0135-vmsvga-add-more-fifo-checks.patch
+Patch0136: 0136-vmsvga-shadow-fifo-registers.patch
+# CVE-2016-4453: display: vmsvga: infinite loop (bz #1340744)
+Patch0137: 0137-vmsvga-don-t-process-more-than-1024-fifo-commands-at.patch
+# CVE-2016-5238: scsi: esp: OOB write (bz #1341932)
+Patch0138: 0138-scsi-esp-check-buffer-length-before-reading-scsi-com.patch
+Patch0139: 0139-scsi-esp-respect-FIFO-invariant-after-message-phase.patch
+Patch0140: 0140-scsi-esp-clean-up-handle_ti-esp_do_dma-if-s-do_cmd.patch
+# CVE-2016-5338: scsi: esp: OOB r/w access (bz #1343325)
+Patch0141: 0141-scsi-esp-make-cmdbuf-big-enough-for-maximum-CDB-size.patch
+# CVE-2016-5337: scsi: megasas: information leakage (bz #1343910)
+Patch0142: 0142-scsi-megasas-null-terminate-bios-version-buffer.patch
+
 BuildRequires: SDL2-devel
 BuildRequires: zlib-devel
 BuildRequires: which
@@ -538,7 +701,7 @@ CAC emulation development files.
 
 %prep
 %setup -q -n qemu-%{version}
-%autopatch
+%autopatch -p1
 
 
 %build
@@ -1172,6 +1335,129 @@ getent passwd qemu >/dev/null || \
 
 
 %changelog
+* Wed Jun 22 2016 Cole Robinson <crobinso@redhat.com> - 2:2.3.1-16
+- CVE-2016-4002: net: buffer overflow in MIPSnet (bz #1326083)
+- CVE-2016-4952 scsi: pvscsi: out-of-bounds access issue
+- CVE-2016-5106: scsi: megasas: out-of-bounds write (bz #1339581)
+- CVE-2016-5105: scsi: megasas: stack information leakage (bz #1339585)
+- CVE-2016-5107: scsi: megasas: out-of-bounds read (bz #1339573)
+- CVE-2016-4454: display: vmsvga: out-of-bounds read (bz #1340740)
+- CVE-2016-4453: display: vmsvga: infinite loop (bz #1340744)
+- CVE-2016-5238: scsi: esp: OOB write (bz #1341932)
+- CVE-2016-5338: scsi: esp: OOB r/w access (bz #1343325)
+- CVE-2016-5337: scsi: megasas: information leakage (bz #1343910)
+
+* Thu May 26 2016 Cole Robinson <crobinso@redhat.com> - 2:2.3.1-15
+- CVE-2016-4020: memory leak in kvmvapic.c (bz #1326904)
+- CVE-2016-4439: scsi: esb: OOB write #1 (bz #1337503)
+- CVE-2016-4441: scsi: esb: OOB write #2 (bz #1337506)
+- Fix regression installing windows 7 with qxl/vga (bz #1339267)
+
+* Mon May 09 2016 Cole Robinson <crobinso@redhat.com> - 2:2.3.1-14
+- CVE-2016-3710: incorrect bounds checking in vga (bz #1334345)
+- CVE-2016-3712: out of bounds read in vga (bz #1334342)
+- Fix USB redirection (bz #1330221)
+- CVE-2016-4037: infinite loop in usb ehci (bz #1328080)
+- CVE-2016-4001: buffer overflow in stellaris net (bz #1325885)
+- CVE-2016-2858: rng stack corruption (bz #1314677)
+- CVE-2016-2391: ohci: crash via multiple timers (bz #1308881)
+- CVE-2016-2198: ehci: null pointer dereference (bz #1303134)
+- Fix ./configure with ccache
+
+* Thu Mar 17 2016 Cole Robinson <crobinso@redhat.com> - 2:2.3.1-13
+- CVE-2016-2538: Integer overflow in usb module (bz #1305815)
+- CVE-2016-2841: ne2000: infinite loop (bz #1304047)
+- CVE-2016-2857: net: out of bounds read (bz #1309564)
+- CVE-2016-2392: usb: null pointer dereference (bz #1307115)
+- spice: fix spice_chr_add_watch() crash (bz #1315049)
+
+* Mon Feb 15 2016 Cole Robinson <crobinso@redhat.com> - 2:2.3.1-12
+- CVE-2015-8619: Fix sendkey out of bounds (bz #1292757)
+- CVE-2016-1981: infinite loop in e1000 (bz #1299995)
+- Fix Out-of-bounds read in usb-ehci (bz #1300234, bz #1299455)
+- CVE-2016-2197: ahci: null pointer dereference (bz #1302952)
+- Fix gdbstub for VSX registers for ppc64 (bz #1304377)
+- Fix qemu-img vmdk images to work with VMware (bz #1299185)
+
+* Wed Jan 20 2016 Cole Robinson <crobinso@redhat.com> - 2:2.3.1-11
+- CVE-2015-8567: net: vmxnet3: host memory leakage (bz #1289818)
+- CVE-2016-1922: i386: avoid null pointer dereference (bz #1292766)
+- CVE-2015-8613: buffer overflow in megasas_ctrl_get_info (bz #1284008)
+- CVE-2015-8743: ne2000: OOB memory access in ioport r/w functions (bz
+  #1294787)
+
+* Sat Jan 09 2016 Cole Robinson <crobinso@redhat.com> - 2:2.3.1-10
+- CVE-2015-7549: pci: null pointer dereference issue (bz #1291138)
+- CVE-2015-8558: DoS by infinite loop in ehci_advance_state (bz #1291309)
+- CVE-2015-8666: Heap-based buffer overrun during VM migration (bz #1294027)
+- CVE-2015-8744: vmxnet3: fix crash with short packets (bz #1295440)
+- CVE-2015-8745: vmxnet3: don't assert reading registers in bar0 (bz
+  #1295442)
+
+* Tue Dec 08 2015 Cole Robinson <crobinso@redhat.com> - 2:2.3.1-9
+- vnc: avoid floating point exceptions (bz #1289541, bz #1289542)
+
+* Mon Dec 07 2015 Cole Robinson <crobinso@redhat.com> - 2:2.3.1-8
+- Fix abort in abort in bdrv_error_action (bz #1277482)
+- Fix SSE4 emulation with accel=tcg (bz #1270703)
+- CVE-2015-8345: Fix infinite loop in eepro100 (bz #1285214)
+- CVE-2015-7504: Fix heap overflow in pcnet (bz #1286543)
+- CVE-2015-7512: Fix buffer overflow in pcnet (bz #1286549)
+
+* Thu Oct 08 2015 Cole Robinson <crobinso@redhat.com> - 2:2.3.1-7
+- CVE-2015-7295: virtio-net possible remote DoS (bz #1264393)
+- drive-mirror: Fix coroutine reentrance (bz #1266936)
+- Fix udp socket 'localaddr' (bz #1268708)
+
+* Tue Sep 22 2015 Cole Robinson <crobinso@redhat.com> - 2:2.3.1-6
+- Fix emulation of various instructions, required by libm in F22 ppc64 guests
+- Re-add patches accidentally dropped in last build
+
+* Mon Sep 21 2015 Cole Robinson <crobinso@redhat.com> - 2:2.3.1-5
+- Fix typo causing qemu-img to link against entire world (bz #1260996)
+- CVE-2015-6815: net: e1000: infinite loop issue (bz #1260225)
+- CVE-2015-6855: ide: divide by zero issue (bz #1261793)
+- CVE-2015-5278: Infinite loop in ne2000_receive() (bz #1263284)
+- CVE-2015-5279: Heap overflow vulnerability in ne2000_receive() (bz #1263287)
+- Make block copy more stable (bz #1264416)
+- Fix hang at start of live merge for large images (bz #1262901)
+
+* Sun Sep 20 2015 Richard W.M. Jones <rjones@redhat.com> - 2:2.3.1-4
+- Fix emulation of various instructions, required by libm in F22 ppc64 guests.
+
+* Tue Sep  8 2015 Daniel P. Berrange <berrange@redhat.com> - 2:2.3.1-3
+- Fix typo causing qemu-img to link against entire world (bz #1260996)
+
+* Mon Aug 31 2015 Cole Robinson <crobinso@redhat.com> - 2:2.3.1-2
+- CVE-2015-5255: heap memory corruption in vnc_refresh_server_surface (bz
+  #1255899)
+
+* Tue Aug 11 2015 Cole Robinson <crobinso@redhat.com> - 2:2.3.1-1
+- Rebased to version 2.3.1
+
+* Tue Aug 11 2015 Cole Robinson <crobinso@redhat.com> - 2:2.3.0-7
+- Fix crash in qemu_spice_create_display (bz #1163047)
+- Fix qemu-img map crash for unaligned image (bz #1229394)
+- CVE-2015-3209: pcnet: multi-tmd buffer overflow in the tx path (bz #1230536)
+- CVE-2015-3214: i8254: out-of-bounds memory access (bz #1243728)
+- CVE-2015-5158: scsi stack buffer overflow (bz #1246025)
+- CVE-2015-5154: ide: atapi: heap overflow during I/O buffer memory access (bz
+  #1247141)
+- CVE-2015-5166: BlockBackend object use after free issue (bz #1249758)
+- CVE-2015-5745: buffer overflow in virtio-serial (bz #1251160)
+- CVE-2015-5165: rtl8139 uninitialized heap memory information leakage to
+  guest (bz #1249755)
+
+* Mon Jul 20 2015 Richard W.M. Jones <rjones@redhat.com> - 2:2.3.0-6
+- Fix: qemu-img: error while compressing sector <NNN>: Input/output error (bz #1214855)
+
+* Fri Jun 05 2015 Cole Robinson <crobinso@redhat.com> - 2:2.3.0-5
+- CVE-2015-4037: insecure temporary file use in /net/slirp.c (bz #1222894)
+
+* Wed May 13 2015 Cole Robinson <crobinso@redhat.com> - 2:2.3.0-4
+- CVE-2015-3456: (VENOM) fdc: out-of-bounds fifo buffer memory access (bz
+  #1221152)
+
 * Wed May 06 2015 Cole Robinson <crobinso@redhat.com> 2:2.3.0-3%
 - Fix ksm.service (bz 1218814)
 

sources

@@ -1 +1 @@
-2fab3ea4460de9b57192e5b8b311f221  qemu-2.3.0.tar.bz2
+fb6bbdb32e6af5c2d2980a32ac4ea051  qemu-2.3.1.tar.bz2