Add support for riscv64

Signed-off-by: David Abdurachmanov <davidlt@rivosinc.com>

.fmf/version

@@ -0,0 +1 @@
+1

0001-target-i386-the-sgx_epc_get_section-stub-is-reachabl.patch

@@ -0,0 +1,30 @@
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Tue, 1 Feb 2022 20:09:37 +0100
+Subject: [PATCH] target/i386: the sgx_epc_get_section stub is reachable
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Content-type: text/plain
+
+The sgx_epc_get_section stub is reachable from cpu_x86_cpuid.  It
+should not assert, instead it should just return true just like
+the "real" sgx_epc_get_section does when SGX is disabled.
+
+Reported-by: Vladimír Beneš <vbenes@redhat.com>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+---
+ hw/i386/sgx-stub.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/i386/sgx-stub.c b/hw/i386/sgx-stub.c
+index 26833eb233..16b1dfd90b 100644
+--- a/hw/i386/sgx-stub.c
++++ b/hw/i386/sgx-stub.c
+@@ -34,5 +34,5 @@ void pc_machine_init_sgx_epc(PCMachineState *pcms)
+ 
+ bool sgx_epc_get_section(int section_nr, uint64_t *addr, uint64_t *size)
+ {
+-    g_assert_not_reached();
++    return true;
+ }

0002-virtio-scsi-fix-ctrl-and-event-handler-functions-in-.patch

@@ -0,0 +1,108 @@
+From: Stefan Hajnoczi <stefanha@redhat.com>
+Date: Wed, 27 Apr 2022 15:35:36 +0100
+Subject: [PATCH] virtio-scsi: fix ctrl and event handler functions in
+ dataplane mode
+Content-type: text/plain
+
+Commit f34e8d8b8d48d73f36a67b6d5e492ef9784b5012 ("virtio-scsi: prepare
+virtio_scsi_handle_cmd for dataplane") prepared the virtio-scsi cmd
+virtqueue handler function to be used in both the dataplane and
+non-datpalane code paths.
+
+It failed to convert the ctrl and event virtqueue handler functions,
+which are not designed to be called from the dataplane code path but
+will be since the ioeventfd is set up for those virtqueues when
+dataplane starts.
+
+Convert the ctrl and event virtqueue handler functions now so they
+operate correctly when called from the dataplane code path. Avoid code
+duplication by extracting this code into a helper function.
+
+Fixes: f34e8d8b8d48d73f36a67b6d5e492ef9784b5012 ("virtio-scsi: prepare virtio_scsi_handle_cmd for dataplane")
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
+Message-id: 20220427143541.119567-2-stefanha@redhat.com
+[Fixed s/by used/be used/ typo pointed out by Michael Tokarev
+<mjt@tls.msk.ru>.
+--Stefan]
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+(cherry picked from commit 2f743ef6366c2df4ef51ef3ae318138cdc0125ab)
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+---
+ hw/scsi/virtio-scsi.c | 42 +++++++++++++++++++++++++++---------------
+ 1 file changed, 27 insertions(+), 15 deletions(-)
+
+diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c
+index 34a968ecfb..417fbc71d6 100644
+--- a/hw/scsi/virtio-scsi.c
++++ b/hw/scsi/virtio-scsi.c
+@@ -472,16 +472,32 @@ bool virtio_scsi_handle_ctrl_vq(VirtIOSCSI *s, VirtQueue *vq)
+     return progress;
+ }
+ 
++/*
++ * If dataplane is configured but not yet started, do so now and return true on
++ * success.
++ *
++ * Dataplane is started by the core virtio code but virtqueue handler functions
++ * can also be invoked when a guest kicks before DRIVER_OK, so this helper
++ * function helps us deal with manually starting ioeventfd in that case.
++ */
++static bool virtio_scsi_defer_to_dataplane(VirtIOSCSI *s)
++{
++    if (!s->ctx || s->dataplane_started) {
++        return false;
++    }
++
++    virtio_device_start_ioeventfd(&s->parent_obj.parent_obj);
++    return !s->dataplane_fenced;
++}
++
+ static void virtio_scsi_handle_ctrl(VirtIODevice *vdev, VirtQueue *vq)
+ {
+     VirtIOSCSI *s = (VirtIOSCSI *)vdev;
+ 
+-    if (s->ctx) {
+-        virtio_device_start_ioeventfd(vdev);
+-        if (!s->dataplane_fenced) {
+-            return;
+-        }
++    if (virtio_scsi_defer_to_dataplane(s)) {
++        return;
+     }
++
+     virtio_scsi_acquire(s);
+     virtio_scsi_handle_ctrl_vq(s, vq);
+     virtio_scsi_release(s);
+@@ -720,12 +736,10 @@ static void virtio_scsi_handle_cmd(VirtIODevice *vdev, VirtQueue *vq)
+     /* use non-QOM casts in the data path */
+     VirtIOSCSI *s = (VirtIOSCSI *)vdev;
+ 
+-    if (s->ctx && !s->dataplane_started) {
+-        virtio_device_start_ioeventfd(vdev);
+-        if (!s->dataplane_fenced) {
+-            return;
+-        }
++    if (virtio_scsi_defer_to_dataplane(s)) {
++        return;
+     }
++
+     virtio_scsi_acquire(s);
+     virtio_scsi_handle_cmd_vq(s, vq);
+     virtio_scsi_release(s);
+@@ -855,12 +869,10 @@ static void virtio_scsi_handle_event(VirtIODevice *vdev, VirtQueue *vq)
+ {
+     VirtIOSCSI *s = VIRTIO_SCSI(vdev);
+ 
+-    if (s->ctx) {
+-        virtio_device_start_ioeventfd(vdev);
+-        if (!s->dataplane_fenced) {
+-            return;
+-        }
++    if (virtio_scsi_defer_to_dataplane(s)) {
++        return;
+     }
++
+     virtio_scsi_acquire(s);
+     virtio_scsi_handle_event_vq(s, vq);
+     virtio_scsi_release(s);

0003-virtio-scsi-don-t-waste-CPU-polling-the-event-virtqu.patch

@@ -0,0 +1,91 @@
+From: Stefan Hajnoczi <stefanha@redhat.com>
+Date: Tue, 17 May 2022 09:27:45 +0100
+Subject: [PATCH] virtio-scsi: don't waste CPU polling the event virtqueue
+Content-type: text/plain
+
+The virtio-scsi event virtqueue is not emptied by its handler function.
+This is typical for rx virtqueues where the device uses buffers when
+some event occurs (e.g. a packet is received, an error condition
+happens, etc).
+
+Polling non-empty virtqueues wastes CPU cycles. We are not waiting for
+new buffers to become available, we are waiting for an event to occur,
+so it's a misuse of CPU resources to poll for buffers.
+
+Introduce the new virtio_queue_aio_attach_host_notifier_no_poll() API,
+which is identical to virtio_queue_aio_attach_host_notifier() except
+that it does not poll the virtqueue.
+
+Before this patch the following command-line consumed 100% CPU in the
+IOThread polling and calling virtio_scsi_handle_event():
+
+  $ qemu-system-x86_64 -M accel=kvm -m 1G -cpu host \
+      --object iothread,id=iothread0 \
+      --device virtio-scsi-pci,iothread=iothread0 \
+      --blockdev file,filename=test.img,aio=native,cache.direct=on,node-name=drive0 \
+      --device scsi-hd,drive=drive0
+
+After this patch CPU is no longer wasted.
+
+Reported-by: Nir Soffer <nsoffer@redhat.com>
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+Tested-by: Nir Soffer <nsoffer@redhat.com>
+Message-id: 20220427143541.119567-3-stefanha@redhat.com
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+(cherry picked from commit 38738f7dbbda90fbc161757b7f4be35b52205552)
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+---
+ hw/scsi/virtio-scsi-dataplane.c |  2 +-
+ hw/virtio/virtio.c              | 13 +++++++++++++
+ include/hw/virtio/virtio.h      |  1 +
+ 3 files changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/hw/scsi/virtio-scsi-dataplane.c b/hw/scsi/virtio-scsi-dataplane.c
+index 29575cbaf6..8bb6e6acfc 100644
+--- a/hw/scsi/virtio-scsi-dataplane.c
++++ b/hw/scsi/virtio-scsi-dataplane.c
+@@ -138,7 +138,7 @@ int virtio_scsi_dataplane_start(VirtIODevice *vdev)
+ 
+     aio_context_acquire(s->ctx);
+     virtio_queue_aio_attach_host_notifier(vs->ctrl_vq, s->ctx);
+-    virtio_queue_aio_attach_host_notifier(vs->event_vq, s->ctx);
++    virtio_queue_aio_attach_host_notifier_no_poll(vs->event_vq, s->ctx);
+ 
+     for (i = 0; i < vs->conf.num_queues; i++) {
+         virtio_queue_aio_attach_host_notifier(vs->cmd_vqs[i], s->ctx);
+diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
+index 9d637e043e..67a873f54a 100644
+--- a/hw/virtio/virtio.c
++++ b/hw/virtio/virtio.c
+@@ -3534,6 +3534,19 @@ void virtio_queue_aio_attach_host_notifier(VirtQueue *vq, AioContext *ctx)
+                                 virtio_queue_host_notifier_aio_poll_end);
+ }
+ 
++/*
++ * Same as virtio_queue_aio_attach_host_notifier() but without polling. Use
++ * this for rx virtqueues and similar cases where the virtqueue handler
++ * function does not pop all elements. When the virtqueue is left non-empty
++ * polling consumes CPU cycles and should not be used.
++ */
++void virtio_queue_aio_attach_host_notifier_no_poll(VirtQueue *vq, AioContext *ctx)
++{
++    aio_set_event_notifier(ctx, &vq->host_notifier, true,
++                           virtio_queue_host_notifier_read,
++                           NULL, NULL);
++}
++
+ void virtio_queue_aio_detach_host_notifier(VirtQueue *vq, AioContext *ctx)
+ {
+     aio_set_event_notifier(ctx, &vq->host_notifier, true, NULL, NULL, NULL);
+diff --git a/include/hw/virtio/virtio.h b/include/hw/virtio/virtio.h
+index b31c4507f5..b62a35fdca 100644
+--- a/include/hw/virtio/virtio.h
++++ b/include/hw/virtio/virtio.h
+@@ -317,6 +317,7 @@ EventNotifier *virtio_queue_get_host_notifier(VirtQueue *vq);
+ void virtio_queue_set_host_notifier_enabled(VirtQueue *vq, bool enabled);
+ void virtio_queue_host_notifier_read(EventNotifier *n);
+ void virtio_queue_aio_attach_host_notifier(VirtQueue *vq, AioContext *ctx);
++void virtio_queue_aio_attach_host_notifier_no_poll(VirtQueue *vq, AioContext *ctx);
+ void virtio_queue_aio_detach_host_notifier(VirtQueue *vq, AioContext *ctx);
+ VirtQueue *virtio_vector_first_queue(VirtIODevice *vdev, uint16_t vector);
+ VirtQueue *virtio_vector_next_queue(VirtQueue *vq);

0004-virtio-scsi-clean-up-virtio_scsi_handle_event_vq.patch

@@ -0,0 +1,51 @@
+From: Stefan Hajnoczi <stefanha@redhat.com>
+Date: Tue, 17 May 2022 09:28:06 +0100
+Subject: [PATCH] virtio-scsi: clean up virtio_scsi_handle_event_vq()
+Content-type: text/plain
+
+virtio_scsi_handle_event_vq() is only called from hw/scsi/virtio-scsi.c
+now and its return value is no longer used. Remove the function
+prototype from virtio-scsi.h and drop the return value.
+
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
+Message-id: 20220427143541.119567-4-stefanha@redhat.com
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+(cherry picked from commit 37ce2de95169dacab3fb53d11bd4509b9c2e3a4c)
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+---
+ hw/scsi/virtio-scsi.c           | 4 +---
+ include/hw/virtio/virtio-scsi.h | 1 -
+ 2 files changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c
+index 417fbc71d6..aa03a713d8 100644
+--- a/hw/scsi/virtio-scsi.c
++++ b/hw/scsi/virtio-scsi.c
+@@ -856,13 +856,11 @@ void virtio_scsi_push_event(VirtIOSCSI *s, SCSIDevice *dev,
+     virtio_scsi_complete_req(req);
+ }
+ 
+-bool virtio_scsi_handle_event_vq(VirtIOSCSI *s, VirtQueue *vq)
++static void virtio_scsi_handle_event_vq(VirtIOSCSI *s, VirtQueue *vq)
+ {
+     if (s->events_dropped) {
+         virtio_scsi_push_event(s, NULL, VIRTIO_SCSI_T_NO_EVENT, 0);
+-        return true;
+     }
+-    return false;
+ }
+ 
+ static void virtio_scsi_handle_event(VirtIODevice *vdev, VirtQueue *vq)
+diff --git a/include/hw/virtio/virtio-scsi.h b/include/hw/virtio/virtio-scsi.h
+index 543681bc18..5957597825 100644
+--- a/include/hw/virtio/virtio-scsi.h
++++ b/include/hw/virtio/virtio-scsi.h
+@@ -151,7 +151,6 @@ void virtio_scsi_common_realize(DeviceState *dev,
+                                 Error **errp);
+ 
+ void virtio_scsi_common_unrealize(DeviceState *dev);
+-bool virtio_scsi_handle_event_vq(VirtIOSCSI *s, VirtQueue *vq);
+ bool virtio_scsi_handle_cmd_vq(VirtIOSCSI *s, VirtQueue *vq);
+ bool virtio_scsi_handle_ctrl_vq(VirtIOSCSI *s, VirtQueue *vq);
+ void virtio_scsi_init_req(VirtIOSCSI *s, VirtQueue *vq, VirtIOSCSIReq *req);

0005-virtio-scsi-clean-up-virtio_scsi_handle_ctrl_vq.patch

@@ -0,0 +1,54 @@
+From: Stefan Hajnoczi <stefanha@redhat.com>
+Date: Tue, 17 May 2022 09:28:12 +0100
+Subject: [PATCH] virtio-scsi: clean up virtio_scsi_handle_ctrl_vq()
+Content-type: text/plain
+
+virtio_scsi_handle_ctrl_vq() is only called from hw/scsi/virtio-scsi.c
+now and its return value is no longer used. Remove the function
+prototype from virtio-scsi.h and drop the return value.
+
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
+Message-id: 20220427143541.119567-5-stefanha@redhat.com
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+(cherry picked from commit 73b3b49f1880f236b4d0ffd7efb00280c05a5fab)
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+---
+ hw/scsi/virtio-scsi.c           | 5 +----
+ include/hw/virtio/virtio-scsi.h | 1 -
+ 2 files changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c
+index aa03a713d8..eefda16e4b 100644
+--- a/hw/scsi/virtio-scsi.c
++++ b/hw/scsi/virtio-scsi.c
+@@ -460,16 +460,13 @@ static void virtio_scsi_handle_ctrl_req(VirtIOSCSI *s, VirtIOSCSIReq *req)
+     }
+ }
+ 
+-bool virtio_scsi_handle_ctrl_vq(VirtIOSCSI *s, VirtQueue *vq)
++static void virtio_scsi_handle_ctrl_vq(VirtIOSCSI *s, VirtQueue *vq)
+ {
+     VirtIOSCSIReq *req;
+-    bool progress = false;
+ 
+     while ((req = virtio_scsi_pop_req(s, vq))) {
+-        progress = true;
+         virtio_scsi_handle_ctrl_req(s, req);
+     }
+-    return progress;
+ }
+ 
+ /*
+diff --git a/include/hw/virtio/virtio-scsi.h b/include/hw/virtio/virtio-scsi.h
+index 5957597825..44dc3b81ec 100644
+--- a/include/hw/virtio/virtio-scsi.h
++++ b/include/hw/virtio/virtio-scsi.h
+@@ -152,7 +152,6 @@ void virtio_scsi_common_realize(DeviceState *dev,
+ 
+ void virtio_scsi_common_unrealize(DeviceState *dev);
+ bool virtio_scsi_handle_cmd_vq(VirtIOSCSI *s, VirtQueue *vq);
+-bool virtio_scsi_handle_ctrl_vq(VirtIOSCSI *s, VirtQueue *vq);
+ void virtio_scsi_init_req(VirtIOSCSI *s, VirtQueue *vq, VirtIOSCSIReq *req);
+ void virtio_scsi_free_req(VirtIOSCSIReq *req);
+ void virtio_scsi_push_event(VirtIOSCSI *s, SCSIDevice *dev,

0006-virtio-scsi-clean-up-virtio_scsi_handle_cmd_vq.patch

@@ -0,0 +1,66 @@
+From: Stefan Hajnoczi <stefanha@redhat.com>
+Date: Tue, 17 May 2022 09:28:19 +0100
+Subject: [PATCH] virtio-scsi: clean up virtio_scsi_handle_cmd_vq()
+Content-type: text/plain
+
+virtio_scsi_handle_cmd_vq() is only called from hw/scsi/virtio-scsi.c
+now and its return value is no longer used. Remove the function
+prototype from virtio-scsi.h and drop the return value.
+
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
+Message-id: 20220427143541.119567-6-stefanha@redhat.com
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+(cherry picked from commit ad482b57ef841b2d4883c5079d20ba44ff5e4b3e)
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+---
+ hw/scsi/virtio-scsi.c           | 5 +----
+ include/hw/virtio/virtio-scsi.h | 1 -
+ 2 files changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c
+index eefda16e4b..12c6a21202 100644
+--- a/hw/scsi/virtio-scsi.c
++++ b/hw/scsi/virtio-scsi.c
+@@ -685,12 +685,11 @@ static void virtio_scsi_handle_cmd_req_submit(VirtIOSCSI *s, VirtIOSCSIReq *req)
+     scsi_req_unref(sreq);
+ }
+ 
+-bool virtio_scsi_handle_cmd_vq(VirtIOSCSI *s, VirtQueue *vq)
++static void virtio_scsi_handle_cmd_vq(VirtIOSCSI *s, VirtQueue *vq)
+ {
+     VirtIOSCSIReq *req, *next;
+     int ret = 0;
+     bool suppress_notifications = virtio_queue_get_notification(vq);
+-    bool progress = false;
+ 
+     QTAILQ_HEAD(, VirtIOSCSIReq) reqs = QTAILQ_HEAD_INITIALIZER(reqs);
+ 
+@@ -700,7 +699,6 @@ bool virtio_scsi_handle_cmd_vq(VirtIOSCSI *s, VirtQueue *vq)
+         }
+ 
+         while ((req = virtio_scsi_pop_req(s, vq))) {
+-            progress = true;
+             ret = virtio_scsi_handle_cmd_req_prepare(s, req);
+             if (!ret) {
+                 QTAILQ_INSERT_TAIL(&reqs, req, next);
+@@ -725,7 +723,6 @@ bool virtio_scsi_handle_cmd_vq(VirtIOSCSI *s, VirtQueue *vq)
+     QTAILQ_FOREACH_SAFE(req, &reqs, next, next) {
+         virtio_scsi_handle_cmd_req_submit(s, req);
+     }
+-    return progress;
+ }
+ 
+ static void virtio_scsi_handle_cmd(VirtIODevice *vdev, VirtQueue *vq)
+diff --git a/include/hw/virtio/virtio-scsi.h b/include/hw/virtio/virtio-scsi.h
+index 44dc3b81ec..2497530064 100644
+--- a/include/hw/virtio/virtio-scsi.h
++++ b/include/hw/virtio/virtio-scsi.h
+@@ -151,7 +151,6 @@ void virtio_scsi_common_realize(DeviceState *dev,
+                                 Error **errp);
+ 
+ void virtio_scsi_common_unrealize(DeviceState *dev);
+-bool virtio_scsi_handle_cmd_vq(VirtIOSCSI *s, VirtQueue *vq);
+ void virtio_scsi_init_req(VirtIOSCSI *s, VirtQueue *vq, VirtIOSCSIReq *req);
+ void virtio_scsi_free_req(VirtIOSCSIReq *req);
+ void virtio_scsi_push_event(VirtIOSCSI *s, SCSIDevice *dev,

0007-virtio-scsi-move-request-related-items-from-.h-to-.c.patch

@@ -0,0 +1,157 @@
+From: Stefan Hajnoczi <stefanha@redhat.com>
+Date: Tue, 17 May 2022 09:28:26 +0100
+Subject: [PATCH] virtio-scsi: move request-related items from .h to .c
+Content-type: text/plain
+
+There is no longer a need to expose the request and related APIs in
+virtio-scsi.h since there are no callers outside virtio-scsi.c.
+
+Note the block comment in VirtIOSCSIReq has been adjusted to meet the
+coding style.
+
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
+Message-id: 20220427143541.119567-7-stefanha@redhat.com
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+(cherry picked from commit 3dc584abeef0e1277c2de8c1c1974cb49444eb0a)
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+---
+ hw/scsi/virtio-scsi.c           | 45 ++++++++++++++++++++++++++++++---
+ include/hw/virtio/virtio-scsi.h | 40 -----------------------------
+ 2 files changed, 41 insertions(+), 44 deletions(-)
+
+diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c
+index 12c6a21202..db54d104be 100644
+--- a/hw/scsi/virtio-scsi.c
++++ b/hw/scsi/virtio-scsi.c
+@@ -29,6 +29,43 @@
+ #include "hw/virtio/virtio-access.h"
+ #include "trace.h"
+ 
++typedef struct VirtIOSCSIReq {
++    /*
++     * Note:
++     * - fields up to resp_iov are initialized by virtio_scsi_init_req;
++     * - fields starting at vring are zeroed by virtio_scsi_init_req.
++     */
++    VirtQueueElement elem;
++
++    VirtIOSCSI *dev;
++    VirtQueue *vq;
++    QEMUSGList qsgl;
++    QEMUIOVector resp_iov;
++
++    union {
++        /* Used for two-stage request submission */
++        QTAILQ_ENTRY(VirtIOSCSIReq) next;
++
++        /* Used for cancellation of request during TMFs */
++        int remaining;
++    };
++
++    SCSIRequest *sreq;
++    size_t resp_size;
++    enum SCSIXferMode mode;
++    union {
++        VirtIOSCSICmdResp     cmd;
++        VirtIOSCSICtrlTMFResp tmf;
++        VirtIOSCSICtrlANResp  an;
++        VirtIOSCSIEvent       event;
++    } resp;
++    union {
++        VirtIOSCSICmdReq      cmd;
++        VirtIOSCSICtrlTMFReq  tmf;
++        VirtIOSCSICtrlANReq   an;
++    } req;
++} VirtIOSCSIReq;
++
+ static inline int virtio_scsi_get_lun(uint8_t *lun)
+ {
+     return ((lun[2] << 8) | lun[3]) & 0x3FFF;
+@@ -45,7 +82,7 @@ static inline SCSIDevice *virtio_scsi_device_get(VirtIOSCSI *s, uint8_t *lun)
+     return scsi_device_get(&s->bus, 0, lun[1], virtio_scsi_get_lun(lun));
+ }
+ 
+-void virtio_scsi_init_req(VirtIOSCSI *s, VirtQueue *vq, VirtIOSCSIReq *req)
++static void virtio_scsi_init_req(VirtIOSCSI *s, VirtQueue *vq, VirtIOSCSIReq *req)
+ {
+     VirtIODevice *vdev = VIRTIO_DEVICE(s);
+     const size_t zero_skip =
+@@ -58,7 +95,7 @@ void virtio_scsi_init_req(VirtIOSCSI *s, VirtQueue *vq, VirtIOSCSIReq *req)
+     memset((uint8_t *)req + zero_skip, 0, sizeof(*req) - zero_skip);
+ }
+ 
+-void virtio_scsi_free_req(VirtIOSCSIReq *req)
++static void virtio_scsi_free_req(VirtIOSCSIReq *req)
+ {
+     qemu_iovec_destroy(&req->resp_iov);
+     qemu_sglist_destroy(&req->qsgl);
+@@ -801,8 +838,8 @@ static void virtio_scsi_reset(VirtIODevice *vdev)
+     s->events_dropped = false;
+ }
+ 
+-void virtio_scsi_push_event(VirtIOSCSI *s, SCSIDevice *dev,
+-                            uint32_t event, uint32_t reason)
++static void virtio_scsi_push_event(VirtIOSCSI *s, SCSIDevice *dev,
++                                   uint32_t event, uint32_t reason)
+ {
+     VirtIOSCSICommon *vs = VIRTIO_SCSI_COMMON(s);
+     VirtIOSCSIReq *req;
+diff --git a/include/hw/virtio/virtio-scsi.h b/include/hw/virtio/virtio-scsi.h
+index 2497530064..abdda2cbd0 100644
+--- a/include/hw/virtio/virtio-scsi.h
++++ b/include/hw/virtio/virtio-scsi.h
+@@ -94,42 +94,6 @@ struct VirtIOSCSI {
+     uint32_t host_features;
+ };
+ 
+-typedef struct VirtIOSCSIReq {
+-    /* Note:
+-     * - fields up to resp_iov are initialized by virtio_scsi_init_req;
+-     * - fields starting at vring are zeroed by virtio_scsi_init_req.
+-     * */
+-    VirtQueueElement elem;
+-
+-    VirtIOSCSI *dev;
+-    VirtQueue *vq;
+-    QEMUSGList qsgl;
+-    QEMUIOVector resp_iov;
+-
+-    union {
+-        /* Used for two-stage request submission */
+-        QTAILQ_ENTRY(VirtIOSCSIReq) next;
+-
+-        /* Used for cancellation of request during TMFs */
+-        int remaining;
+-    };
+-
+-    SCSIRequest *sreq;
+-    size_t resp_size;
+-    enum SCSIXferMode mode;
+-    union {
+-        VirtIOSCSICmdResp     cmd;
+-        VirtIOSCSICtrlTMFResp tmf;
+-        VirtIOSCSICtrlANResp  an;
+-        VirtIOSCSIEvent       event;
+-    } resp;
+-    union {
+-        VirtIOSCSICmdReq      cmd;
+-        VirtIOSCSICtrlTMFReq  tmf;
+-        VirtIOSCSICtrlANReq   an;
+-    } req;
+-} VirtIOSCSIReq;
+-
+ static inline void virtio_scsi_acquire(VirtIOSCSI *s)
+ {
+     if (s->ctx) {
+@@ -151,10 +115,6 @@ void virtio_scsi_common_realize(DeviceState *dev,
+                                 Error **errp);
+ 
+ void virtio_scsi_common_unrealize(DeviceState *dev);
+-void virtio_scsi_init_req(VirtIOSCSI *s, VirtQueue *vq, VirtIOSCSIReq *req);
+-void virtio_scsi_free_req(VirtIOSCSIReq *req);
+-void virtio_scsi_push_event(VirtIOSCSI *s, SCSIDevice *dev,
+-                            uint32_t event, uint32_t reason);
+ 
+ void virtio_scsi_dataplane_setup(VirtIOSCSI *s, Error **errp);
+ int virtio_scsi_dataplane_start(VirtIODevice *s);

0008-Disable-flakey-dbus-display-test.patch

@@ -0,0 +1,36 @@
+From: Cole Robinson <crobinso@redhat.com>
+Date: Sat, 4 Jun 2022 20:28:58 -0400
+Subject: [PATCH] Disable flakey dbus-display-test
+Content-type: text/plain
+
+Signed-off-by: Cole Robinson <crobinso@redhat.com>
+---
+ tests/qtest/meson.build | 8 --------
+ 1 file changed, 8 deletions(-)
+
+diff --git a/tests/qtest/meson.build b/tests/qtest/meson.build
+index d25f82bb5a..d085604727 100644
+--- a/tests/qtest/meson.build
++++ b/tests/qtest/meson.build
+@@ -94,10 +94,6 @@ qtests_i386 = \
+    'test-filter-redirector'
+   ]
+ 
+-if dbus_display
+-  qtests_i386 += ['dbus-display-test']
+-endif
+-
+ dbus_daemon = find_program('dbus-daemon', required: false)
+ if dbus_daemon.found() and config_host.has_key('GDBUS_CODEGEN')
+   # Temporarily disabled due to Patchew failures:
+@@ -298,10 +294,6 @@ qtests = {
+   'vmgenid-test': files('boot-sector.c', 'acpi-utils.c'),
+ }
+ 
+-if dbus_display
+-qtests += {'dbus-display-test': [dbus_display1, gio]}
+-endif
+-
+ qtest_executables = {}
+ foreach dir : target_dirs
+   if not dir.endswith('-softmmu')

0009-Fix-iotests-with-modules-and-qemu-system-s390x.patch

@@ -0,0 +1,32 @@
+From: Cole Robinson <crobinso@redhat.com>
+Date: Sat, 4 Jun 2022 20:29:46 -0400
+Subject: [PATCH] Fix iotests with modules and qemu-system-s390x
+Content-type: text/plain
+
+Signed-off-by: Cole Robinson <crobinso@redhat.com>
+---
+ tests/qemu-iotests/common.rc | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tests/qemu-iotests/common.rc b/tests/qemu-iotests/common.rc
+index 227e0a5be9..97f8e0a15f 100644
+--- a/tests/qemu-iotests/common.rc
++++ b/tests/qemu-iotests/common.rc
+@@ -975,7 +975,7 @@ _require_large_file()
+ #
+ _require_devices()
+ {
+-    available=$($QEMU -M none -device help | \
++    available=$($QEMU -M none -device help 2> /dev/null | \
+                 grep ^name | sed -e 's/^name "//' -e 's/".*$//')
+     for device
+     do
+@@ -987,7 +987,7 @@ _require_devices()
+ 
+ _require_one_device_of()
+ {
+-    available=$($QEMU -M none -device help | \
++    available=$($QEMU -M none -device help 2> /dev/null | \
+                 grep ^name | sed -e 's/^name "//' -e 's/".*$//')
+     for device
+     do

0010-Skip-iotests-entirely.patch

@@ -0,0 +1,26 @@
+From: Cole Robinson <crobinso@redhat.com>
+Date: Sun, 5 Jun 2022 12:48:29 -0400
+Subject: [PATCH] Skip iotests entirely
+Content-type: text/plain
+
+Getting sporadic failures like described here:
+https://www.mail-archive.com/qemu-devel@nongnu.org/msg887683.html
+
+Signed-off-by: Cole Robinson <crobinso@redhat.com>
+---
+ tests/check-block.sh | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tests/check-block.sh b/tests/check-block.sh
+index f59496396c..09cc735da4 100755
+--- a/tests/check-block.sh
++++ b/tests/check-block.sh
+@@ -50,6 +50,8 @@ fi
+ 
+ cd tests/qemu-iotests
+ 
++exit 0
++
+ # QEMU_CHECK_BLOCK_AUTO is used to disable some unstable sub-tests
+ export QEMU_CHECK_BLOCK_AUTO=1
+ export PYTHONUTF8=1

0011-linux-user-fix-compat-with-glibc-2.36-sys-mount.h.patch

@@ -0,0 +1,100 @@
+From a7f14aae85022007a4c77e0792a1abb0509a08eb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Tue, 2 Aug 2022 12:34:23 -0400
+Subject: [PATCH] linux-user: fix compat with glibc >= 2.36 sys/mount.h
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The latest glibc 2.36 has extended sys/mount.h so that it
+defines the FSCONFIG_* enum constants. These are historically
+defined in linux/mount.h, and thus if you include both headers
+the compiler complains:
+
+In file included from /usr/include/linux/fs.h:19,
+                 from ../linux-user/syscall.c:98:
+/usr/include/linux/mount.h:95:6: error: redeclaration of 'enum fsconfig_command'
+   95 | enum fsconfig_command {
+      |      ^~~~~~~~~~~~~~~~
+In file included from ../linux-user/syscall.c:31:
+/usr/include/sys/mount.h:189:6: note: originally defined here
+  189 | enum fsconfig_command
+      |      ^~~~~~~~~~~~~~~~
+/usr/include/linux/mount.h:96:9: error: redeclaration of enumerator 'FSCONFIG_SET_FLAG'
+   96 |         FSCONFIG_SET_FLAG       = 0,    /* Set parameter, supplying no value */
+      |         ^~~~~~~~~~~~~~~~~
+/usr/include/sys/mount.h:191:3: note: previous definition of 'FSCONFIG_SET_FLAG' with type 'enum fsconfig_command'
+  191 |   FSCONFIG_SET_FLAG       = 0,    /* Set parameter, supplying no value */
+      |   ^~~~~~~~~~~~~~~~~
+...snip...
+
+QEMU doesn't include linux/mount.h, but it does use
+linux/fs.h and thus gets linux/mount.h indirectly.
+
+glibc acknowledges this problem but does not appear to
+be intending to fix it in the forseeable future, simply
+documenting it as a known incompatibility with no
+workaround:
+
+  https://sourceware.org/glibc/wiki/Release/2.36#Usage_of_.3Clinux.2Fmount.h.3E_and_.3Csys.2Fmount.h.3E
+  https://sourceware.org/glibc/wiki/Synchronizing_Headers
+
+To address this requires either removing use of sys/mount.h
+or linux/fs.h, despite QEMU needing declarations from
+both.
+
+This patch removes linux/fs.h, meaning we have to define
+various FS_IOC constants that are now unavailable.
+
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+---
+ linux-user/syscall.c | 18 ++++++++++++++++++
+ meson.build          |  2 ++
+ 2 files changed, 20 insertions(+)
+
+diff --git a/linux-user/syscall.c b/linux-user/syscall.c
+index b27a6552aa..52d178afe7 100644
+--- a/linux-user/syscall.c
++++ b/linux-user/syscall.c
+@@ -95,7 +95,25 @@
+ #include <linux/soundcard.h>
+ #include <linux/kd.h>
+ #include <linux/mtio.h>
++
++#ifdef HAVE_SYS_MOUNT_FSCONFIG
++/*
++ * glibc >= 2.36 linux/mount.h conflicts with sys/mount.h,
++ * which in turn prevents use of linux/fs.h. So we have to
++ * define the constants ourselves for now.
++ */
++#define FS_IOC_GETFLAGS                _IOR('f', 1, long)
++#define FS_IOC_SETFLAGS                _IOW('f', 2, long)
++#define FS_IOC_GETVERSION              _IOR('v', 1, long)
++#define FS_IOC_SETVERSION              _IOW('v', 2, long)
++#define FS_IOC_FIEMAP                  _IOWR('f', 11, struct fiemap)
++#define FS_IOC32_GETFLAGS              _IOR('f', 1, int)
++#define FS_IOC32_SETFLAGS              _IOW('f', 2, int)
++#define FS_IOC32_GETVERSION            _IOR('v', 1, int)
++#define FS_IOC32_SETVERSION            _IOW('v', 2, int)
++#else
+ #include <linux/fs.h>
++#endif
+ #include <linux/fd.h>
+ #if defined(CONFIG_FIEMAP)
+ #include <linux/fiemap.h>
+diff --git a/meson.build b/meson.build
+index 294e9a8f32..30a380752c 100644
+--- a/meson.build
++++ b/meson.build
+@@ -1963,6 +1963,8 @@ config_host_data.set('HAVE_OPTRESET',
+                      cc.has_header_symbol('getopt.h', 'optreset'))
+ config_host_data.set('HAVE_IPPROTO_MPTCP',
+                      cc.has_header_symbol('netinet/in.h', 'IPPROTO_MPTCP'))
++config_host_data.set('HAVE_SYS_MOUNT_FSCONFIG',
++                     cc.has_header_symbol('sys/mount.h', 'FSCONFIG_SET_FLAG'))
+ 
+ # has_member
+ config_host_data.set('HAVE_SIGEV_NOTIFY_THREAD_ID',
+-- 
+2.37.1
+

0012-vga-avoid-crash-if-no-default-vga-card.patch

@@ -0,0 +1,32 @@
+From: Guo Zhi <qtxuning1999@sjtu.edu.cn>
+Date: Tue, 3 May 2022 17:17:24 +0800
+Subject: [PATCH] vga: avoid crash if no default vga card
+
+QEMU in some arch will crash when executing -vga help command, because
+there is no default vga model.  Add check to this case and avoid crash.
+
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/978
+
+Signed-off-by: Guo Zhi <qtxuning1999@sjtu.edu.cn>
+Reviewed-by: Thomas Huth <thuth@redhat.com>
+Tested-by: Thomas Huth <thuth@redhat.com>
+Message-Id: <20220503091724.970009-1-qtxuning1999@sjtu.edu.cn>
+Signed-off-by: Laurent Vivier <laurent@vivier.eu>
+---
+ softmmu/vl.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/softmmu/vl.c b/softmmu/vl.c
+index 6f646531a0..b16c1c48fa 100644
+--- a/softmmu/vl.c
++++ b/softmmu/vl.c
+@@ -974,7 +974,8 @@ static void select_vgahw(const MachineClass *machine_class, const char *p)
+
+             if (vga_interface_available(t) && ti->opt_name) {
+                 printf("%-20s %s%s\n", ti->opt_name, ti->name ?: "",
+-                       g_str_equal(ti->opt_name, def) ? " (default)" : "");
++                        (def && g_str_equal(ti->opt_name, def)) ?
++                        " (default)" : "");
+             }
+         }
+         exit(0);

0013-scsi-lsi53c895a-fix-use-after-free-in-lsi_do_msgout.patch

@@ -0,0 +1,136 @@
+From: Mauro Matteo Cascella <mcascell@redhat.com>
+Date: Tue, 5 Jul 2022 22:05:43 +0200
+Subject: [PATCH] scsi/lsi53c895a: fix use-after-free in lsi_do_msgout
+ (CVE-2022-0216)
+
+Set current_req to NULL to prevent reusing a free'd buffer in case of
+repeated SCSI cancel requests. Also apply the fix to CLEAR QUEUE and BUS
+DEVICE RESET messages as well, since they also cancel the request.
+
+Fixes: CVE-2022-0216
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Reviewed-by: Thomas Huth <thuth@redhat.com>
+Message-Id: <20220705200543.2366809-1-mcascell@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+---
+ hw/scsi/lsi53c895a.c               |  4 +-
+ tests/qtest/fuzz-lsi53c895a-test.c | 75 ++++++++++++++++++++++++++++++
+ 2 files changed, 78 insertions(+), 1 deletion(-)
+
+diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
+index c8773f73f7..ad5f5e5f39 100644
+--- a/hw/scsi/lsi53c895a.c
++++ b/hw/scsi/lsi53c895a.c
+@@ -1028,8 +1028,9 @@ static void lsi_do_msgout(LSIState *s)
+         case 0x0d:
+             /* The ABORT TAG message clears the current I/O process only. */
+             trace_lsi_do_msgout_abort(current_tag);
+-            if (current_req) {
++            if (current_req && current_req->req) {
+                 scsi_req_cancel(current_req->req);
++                current_req = NULL;
+             }
+             lsi_disconnect(s);
+             break;
+@@ -1055,6 +1056,7 @@ static void lsi_do_msgout(LSIState *s)
+             /* clear the current I/O process */
+             if (s->current) {
+                 scsi_req_cancel(s->current->req);
++                current_req = NULL;
+             }
+
+             /* As the current implemented devices scsi_disk and scsi_generic
+diff --git a/tests/qtest/fuzz-lsi53c895a-test.c b/tests/qtest/fuzz-lsi53c895a-test.c
+index ba5d468970..0f968024c8 100644
+--- a/tests/qtest/fuzz-lsi53c895a-test.c
++++ b/tests/qtest/fuzz-lsi53c895a-test.c
+@@ -8,6 +8,79 @@
+ #include "qemu/osdep.h"
+ #include "libqos/libqtest.h"
+
++/*
++ * This used to trigger a UAF in lsi_do_msgout()
++ * https://gitlab.com/qemu-project/qemu/-/issues/972
++ */
++static void test_lsi_do_msgout_cancel_req(void)
++{
++    QTestState *s;
++
++    if (sizeof(void *) == 4) {
++        g_test_skip("memory size too big for 32-bit build");
++        return;
++    }
++
++    s = qtest_init("-M q35 -m 4G -display none -nodefaults "
++                   "-device lsi53c895a,id=scsi "
++                   "-device scsi-hd,drive=disk0 "
++                   "-drive file=null-co://,id=disk0,if=none,format=raw");
++
++    qtest_outl(s, 0xcf8, 0x80000810);
++    qtest_outl(s, 0xcf8, 0xc000);
++    qtest_outl(s, 0xcf8, 0x80000810);
++    qtest_outw(s, 0xcfc, 0x7);
++    qtest_outl(s, 0xcf8, 0x80000810);
++    qtest_outl(s, 0xcfc, 0xc000);
++    qtest_outl(s, 0xcf8, 0x80000804);
++    qtest_outw(s, 0xcfc, 0x05);
++    qtest_writeb(s, 0x69736c10, 0x08);
++    qtest_writeb(s, 0x69736c13, 0x58);
++    qtest_writeb(s, 0x69736c1a, 0x01);
++    qtest_writeb(s, 0x69736c1b, 0x06);
++    qtest_writeb(s, 0x69736c22, 0x01);
++    qtest_writeb(s, 0x69736c23, 0x07);
++    qtest_writeb(s, 0x69736c2b, 0x02);
++    qtest_writeb(s, 0x69736c48, 0x08);
++    qtest_writeb(s, 0x69736c4b, 0x58);
++    qtest_writeb(s, 0x69736c52, 0x04);
++    qtest_writeb(s, 0x69736c53, 0x06);
++    qtest_writeb(s, 0x69736c5b, 0x02);
++    qtest_outl(s, 0xc02d, 0x697300);
++    qtest_writeb(s, 0x5a554662, 0x01);
++    qtest_writeb(s, 0x5a554663, 0x07);
++    qtest_writeb(s, 0x5a55466a, 0x10);
++    qtest_writeb(s, 0x5a55466b, 0x22);
++    qtest_writeb(s, 0x5a55466c, 0x5a);
++    qtest_writeb(s, 0x5a55466d, 0x5a);
++    qtest_writeb(s, 0x5a55466e, 0x34);
++    qtest_writeb(s, 0x5a55466f, 0x5a);
++    qtest_writeb(s, 0x5a345a5a, 0x77);
++    qtest_writeb(s, 0x5a345a5b, 0x55);
++    qtest_writeb(s, 0x5a345a5c, 0x51);
++    qtest_writeb(s, 0x5a345a5d, 0x27);
++    qtest_writeb(s, 0x27515577, 0x41);
++    qtest_outl(s, 0xc02d, 0x5a5500);
++    qtest_writeb(s, 0x364001d0, 0x08);
++    qtest_writeb(s, 0x364001d3, 0x58);
++    qtest_writeb(s, 0x364001da, 0x01);
++    qtest_writeb(s, 0x364001db, 0x26);
++    qtest_writeb(s, 0x364001dc, 0x0d);
++    qtest_writeb(s, 0x364001dd, 0xae);
++    qtest_writeb(s, 0x364001de, 0x41);
++    qtest_writeb(s, 0x364001df, 0x5a);
++    qtest_writeb(s, 0x5a41ae0d, 0xf8);
++    qtest_writeb(s, 0x5a41ae0e, 0x36);
++    qtest_writeb(s, 0x5a41ae0f, 0xd7);
++    qtest_writeb(s, 0x5a41ae10, 0x36);
++    qtest_writeb(s, 0x36d736f8, 0x0c);
++    qtest_writeb(s, 0x36d736f9, 0x80);
++    qtest_writeb(s, 0x36d736fa, 0x0d);
++    qtest_outl(s, 0xc02d, 0x364000);
++
++    qtest_quit(s);
++}
++
+ /*
+  * This used to trigger the assert in lsi_do_dma()
+  * https://bugs.launchpad.net/qemu/+bug/697510
+@@ -46,6 +119,8 @@ int main(int argc, char **argv)
+     if (strcmp(arch, "i386") == 0 || strcmp(arch, "x86_64") == 0) {
+         qtest_add_func("fuzz/lsi53c895a/lsi_do_dma_empty_queue",
+                        test_lsi_do_dma_empty_queue);
++        qtest_add_func("fuzz/lsi53c895a/lsi_do_msgout_cancel_req",
++                       test_lsi_do_msgout_cancel_req);
+     }
+
+     return g_test_run();

0014-ui-vnc-clipboard-fix-integer-underflow-in-vnc_client.patch

@@ -0,0 +1,51 @@
+From: Mauro Matteo Cascella <mcascell@redhat.com>
+Date: Sun, 25 Sep 2022 22:45:11 +0200
+Subject: [PATCH] ui/vnc-clipboard: fix integer underflow in
+ vnc_client_cut_text_ext
+
+Extended ClientCutText messages start with a 4-byte header. If len < 4,
+an integer underflow occurs in vnc_client_cut_text_ext. The result is
+used to decompress data in a while loop in inflate_buffer, leading to
+CPU consumption and denial of service. Prevent this by checking dlen in
+protocol_client_msg.
+
+Fixes: CVE-2022-3165
+Fixes: 0bf41cab93e5 ("ui/vnc: clipboard support")
+Reported-by: TangPeng <tangpeng@qianxin.com>
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Message-Id: <20220925204511.1103214-1-mcascell@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ ui/vnc.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/ui/vnc.c b/ui/vnc.c
+index 310a873c21..8a2e176b64 100644
+--- a/ui/vnc.c
++++ b/ui/vnc.c
+@@ -2442,8 +2442,8 @@ static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
+         if (len == 1) {
+             return 8;
+         }
++        uint32_t dlen = abs(read_s32(data, 4));
+         if (len == 8) {
+-            uint32_t dlen = abs(read_s32(data, 4));
+             if (dlen > (1 << 20)) {
+                 error_report("vnc: client_cut_text msg payload has %u bytes"
+                              " which exceeds our limit of 1MB.", dlen);
+@@ -2456,8 +2456,13 @@ static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
+         }
+
+         if (read_s32(data, 4) < 0) {
+-            vnc_client_cut_text_ext(vs, abs(read_s32(data, 4)),
+-                                    read_u32(data, 8), data + 12);
++            if (dlen < 4) {
++                error_report("vnc: malformed payload (header less than 4 bytes)"
++                             " in extended clipboard pseudo-encoding.");
++                vnc_client_error(vs);
++                break;
++            }
++            vnc_client_cut_text_ext(vs, dlen, read_u32(data, 8), data + 12);
+             break;
+         }
+         vnc_client_cut_text(vs, read_u32(data, 4), data + 8);

README.tests

@@ -0,0 +1,39 @@
+qemu-kvm-tests README
+=====================
+
+The qemu-kvm-tests rpm contains tests that can be used to verify the
+functionality of the installed qemu-kvm package
+
+When installed, the files from this rpm will be arranged in the following
+directory structure
+
+tests-src/
+├── README
+├── scripts
+│   ├── qemu.py
+│   └── qmp
+└── tests
+    ├── acceptance
+    ├── Makefile.include
+    └── qemu-iotests
+
+The tests/ directory within the tests-src/ directory is setup to remain a copy
+of a subset of the tests/ directory from the QEMU source tree
+
+The avocado_qemu tests and qemu-iotests, along with files required for the
+execution of the avocado_qemu tests (scripts/qemu.py and scripts/qmp/) will be
+installed in a new location - /usr/lib64/qemu-kvm/tests-src/
+
+avocado_qemu tests:
+The avocado_qemu tests can be executed by running the following avocado command:
+avocado run -p qemu_bin=/usr/libexec/qemu-kvm /usr/lib64/qemu-kvm/tests/acceptance/
+Avocado needs to be installed separately using either pip or from source as
+Avocado is not being packaged for RHEL-8.
+
+qemu-iotests:
+symlinks to corresponding binaries need to be created for QEMU_PROG,
+QEMU_IO_PROG, QEMU_IMG_PROG, and QEMU_NBD_PROG before the iotests can be
+executed.
+
+The primary purpose of this package is to make these tests available to be
+executed as gating tests for the virt module in the RHEL-8 OSCI environment.

gating.yaml

@@ -0,0 +1,6 @@
+--- !Policy
+product_versions:
+  - fedora-*
+decision_context: bodhi_update_push_stable
+rules:
+  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}

kvm-s390x.conf

@@ -0,0 +1,19 @@
+# User changes in this file are preserved across upgrades.
+#
+# Setting "modprobe kvm nested=1" only enables Nested Virtualization until
+# the next reboot or module reload. Uncomment the option below to enable
+# the feature permanently.
+#
+#options kvm nested=1
+#
+#
+# Setting "modprobe kvm hpage=1" only enables Huge Page Backing (1MB)
+# support until the next reboot or module reload. Uncomment the option
+# below to enable the feature permanently.
+#
+# Note: - Incompatible with "nested=1". Loading the module will fail.
+#       - Dirty page logging will be performed on a 1MB (not 4KB) basis,
+#         which can result in a lot of data having to be transferred during
+#         migration, and therefore taking very long to converge.
+#
+#options kvm hpage=1

kvm-x86.conf

@@ -0,0 +1,12 @@
+# Setting modprobe kvm_intel/kvm_amd nested = 1
+# only enables Nested Virtualization until the next reboot or
+# module reload. Uncomment the option applicable
+# to your system below to enable the feature permanently.
+#
+# User changes in this file are preserved across upgrades.
+#
+# For Intel
+#options kvm_intel nested=1
+#
+# For AMD
+#options kvm_amd nested=1

kvm-x86.modprobe.conf

@@ -1,11 +0,0 @@
-###
-### This configuration file was provided by the qemu package.
-### Feel free to update as needed.
-###
-
-###
-### Set these options to enable nested virtualization
-###
-
-#options kvm_intel nested=1
-#options kvm_amd nested=1

kvm.conf

@@ -0,0 +1,3 @@
+#
+# User changes in this file are preserved across upgrades.
+#

plans/main.fmf

@@ -0,0 +1,8 @@
+# toplevel plan boilerplate
+summary: qemu tests
+description:
+    Test qemu
+discover:
+    how: fmf
+execute:
+    how: tmt

qemu-kvm.sh

@@ -1,10 +0,0 @@
-#!/bin/sh
-
-# Libvirt introspects the binary using -M none. In that case, don't try
-# to init KVM, which will fail and be noisy if the host has kvm disabled
-opts="-machine accel=kvm"
-if echo "$@" | grep -q " -M none "; then
-    opts=
-fi
-
-exec /usr/bin/qemu-system-x86_64 $opts "$@"

sources

@@ -1 +1 @@
-SHA512 (qemu-5.2.0-rc4.tar.xz) = 47e918392609c34f904962e5759125485407ae52c273053729054300e10fc67fc7ed443c9af25d1d852a5f5c70eee125c703ce15d0e571068848f405de33db3b
+SHA512 (qemu-7.0.0.tar.xz) = 44ecd10c018a3763e1bc87d1d35b98890d0d5636acd69fe9b5cadf5024d5af6a31684d60cbe1c3370e02986434c1fb0ad99224e0e6f6fe7eda169992508157b1

tests/main.fmf

@@ -0,0 +1,20 @@
+# This is 'tmt' config format
+# https://tmt.readthedocs.io/en/stable/spec.html
+
+summary: Runtime test qemu
+
+require:
+    - qemu
+    - qemu-sanity-check
+
+/smoke:
+    # Make sure -help doesn't fail
+    test: |
+        set -eux
+        qemu-system-x86_64 -help
+        qemu-img -help
+
+/qemu-sanity-check:
+    test: |
+        set -eux
+        qemu-sanity-check -v

vhost.conf

@@ -0,0 +1,3 @@
+# Increase default vhost memory map limit to match
+# KVM's memory slot limit
+options vhost max_mem_regions=509