diff --git a/SOURCES/kvm-apic-drop-debugging.patch b/SOURCES/kvm-apic-drop-debugging.patch
index e70d141..7707029 100644
--- a/SOURCES/kvm-apic-drop-debugging.patch
+++ b/SOURCES/kvm-apic-drop-debugging.patch
@@ -1,23 +1,13 @@
-From 4f34f153b4249624740401f2f65301932ff6898f Mon Sep 17 00:00:00 2001
-From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
-Date: Thu, 28 Jun 2018 17:57:09 +0200
-Subject: [PATCH 4/5] kvm/apic: drop debugging
-
-RH-Author: Dr. David Alan Gilbert <dgilbert@redhat.com>
-Message-id: <20180628175710.56848-5-dgilbert@redhat.com>
-Patchwork-id: 81145
-O-Subject: [RHEL-7.5.z/RHEL-7.4.z/RHEL-7.3.z qemu-kvm PATCH 4/5] kvm/apic: drop debugging
-Bugzilla: 1596302
-RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
-RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
-RH-Acked-by: Michael S. Tsirkin <mst@redhat.com>
-
+From 483ad2c6110b2810cb409d871cb9b4214f01bfdb Mon Sep 17 00:00:00 2001
From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
+Date: Tue, 15 May 2018 11:56:33 +0200
+Subject: [PATCH 07/10] kvm/apic: drop debugging
RH-Author: Dr. David Alan Gilbert <dgilbert@redhat.com>
Message-id: <20180515115634.24469-5-dgilbert@redhat.com>
Patchwork-id: 80270
O-Subject: [RHEL-7.6 qemu-kvm PATCH v2 4/5] kvm/apic: drop debugging
+Bugzilla: 1577680
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
RH-Acked-by: Michael S. Tsirkin <mst@redhat.com>
RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>
@@ -35,9 +25,6 @@ Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
(cherry picked from commit 1560fcfa96594f62cb2062f88e6785dda663529c)
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
-(cherry picked from commit 483ad2c6110b2810cb409d871cb9b4214f01bfdb)
-Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
-Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
hw/i386/kvm/apic.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/SOURCES/kvm-apic-fix-2.2-2.1-migration.patch b/SOURCES/kvm-apic-fix-2.2-2.1-migration.patch
index c048c32..cfc31dc 100644
--- a/SOURCES/kvm-apic-fix-2.2-2.1-migration.patch
+++ b/SOURCES/kvm-apic-fix-2.2-2.1-migration.patch
@@ -1,23 +1,13 @@
-From 8af398963fd14ea74210c0796b47b870b58ad497 Mon Sep 17 00:00:00 2001
-From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
-Date: Thu, 28 Jun 2018 17:57:07 +0200
-Subject: [PATCH 2/5] kvm/apic: fix 2.2->2.1 migration
-
-RH-Author: Dr. David Alan Gilbert <dgilbert@redhat.com>
-Message-id: <20180628175710.56848-3-dgilbert@redhat.com>
-Patchwork-id: 81146
-O-Subject: [RHEL-7.5.z/RHEL-7.4.z/RHEL-7.3.z qemu-kvm PATCH 2/5] kvm/apic: fix 2.2->2.1 migration
-Bugzilla: 1596302
-RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
-RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
-RH-Acked-by: Michael S. Tsirkin <mst@redhat.com>
-
+From 9001bf38b596c0eb50daa52181ec6b4cf56cfb94 Mon Sep 17 00:00:00 2001
From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
+Date: Tue, 15 May 2018 11:56:31 +0200
+Subject: [PATCH 05/10] kvm/apic: fix 2.2->2.1 migration
RH-Author: Dr. David Alan Gilbert <dgilbert@redhat.com>
Message-id: <20180515115634.24469-3-dgilbert@redhat.com>
Patchwork-id: 80269
O-Subject: [RHEL-7.6 qemu-kvm PATCH v2 2/5] kvm/apic: fix 2.2->2.1 migration
+Bugzilla: 1577680
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
RH-Acked-by: Michael S. Tsirkin <mst@redhat.com>
RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>
@@ -37,9 +27,6 @@ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
currently have the wait_for_sipi change in the kvm code.
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
-(cherry picked from commit 9001bf38b596c0eb50daa52181ec6b4cf56cfb94)
-Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
-Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
hw/i386/kvm/apic.c | 6 ++++++
hw/intc/apic_common.c | 5 +++++
diff --git a/SOURCES/kvm-apic-set-APIC-base-as-part-of-kvm_apic_put.patch b/SOURCES/kvm-apic-set-APIC-base-as-part-of-kvm_apic_put.patch
index f191938..913ed63 100644
--- a/SOURCES/kvm-apic-set-APIC-base-as-part-of-kvm_apic_put.patch
+++ b/SOURCES/kvm-apic-set-APIC-base-as-part-of-kvm_apic_put.patch
@@ -1,23 +1,13 @@
-From 62a4c6bf428aaf562fb4b4ebfac22486be7b8ab8 Mon Sep 17 00:00:00 2001
-From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
-Date: Thu, 28 Jun 2018 17:57:10 +0200
-Subject: [PATCH 5/5] kvm: apic: set APIC base as part of kvm_apic_put
-
-RH-Author: Dr. David Alan Gilbert <dgilbert@redhat.com>
-Message-id: <20180628175710.56848-6-dgilbert@redhat.com>
-Patchwork-id: 81148
-O-Subject: [RHEL-7.5.z/RHEL-7.4.z/RHEL-7.3.z qemu-kvm PATCH 5/5] kvm: apic: set APIC base as part of kvm_apic_put
-Bugzilla: 1596302
-RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
-RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
-RH-Acked-by: Michael S. Tsirkin <mst@redhat.com>
-
+From 4142f7546da561898f15169f6e8085167601e878 Mon Sep 17 00:00:00 2001
From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
+Date: Tue, 15 May 2018 11:56:34 +0200
+Subject: [PATCH 08/10] kvm: apic: set APIC base as part of kvm_apic_put
RH-Author: Dr. David Alan Gilbert <dgilbert@redhat.com>
Message-id: <20180515115634.24469-6-dgilbert@redhat.com>
Patchwork-id: 80271
O-Subject: [RHEL-7.6 qemu-kvm PATCH v2 5/5] kvm: apic: set APIC base as part of kvm_apic_put
+Bugzilla: 1577680
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
RH-Acked-by: Michael S. Tsirkin <mst@redhat.com>
RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>
@@ -43,8 +33,6 @@ Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit f8d9ccf8d5f9f4b7d364100871c4c7303b546de5)
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
-(cherry picked from commit 4142f7546da561898f15169f6e8085167601e878)
-Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
hw/i386/kvm/apic.c | 2 ++
target-i386/kvm.c | 8 ++++++++
@@ -72,10 +60,10 @@ index d47d8da..77d2999 100644
ret = kvm_vcpu_ioctl(CPU(s->cpu), KVM_SET_LAPIC, &kapic);
diff --git a/target-i386/kvm.c b/target-i386/kvm.c
-index 1658621..35a9cf4 100644
+index 71f1573..a1a49d8 100644
--- a/target-i386/kvm.c
+++ b/target-i386/kvm.c
-@@ -1157,6 +1157,14 @@ static int kvm_put_one_msr(X86CPU *cpu, int index, uint64_t value)
+@@ -1152,6 +1152,14 @@ static int kvm_put_one_msr(X86CPU *cpu, int index, uint64_t value)
return kvm_vcpu_ioctl(CPU(cpu), KVM_SET_MSRS, &msr_data);
}
diff --git a/SOURCES/kvm-console-minimal-hotplug-suport.patch b/SOURCES/kvm-console-minimal-hotplug-suport.patch
new file mode 100644
index 0000000..4f19619
--- /dev/null
+++ b/SOURCES/kvm-console-minimal-hotplug-suport.patch
@@ -0,0 +1,194 @@
+From 8d537fb77d744265a23b0eda33da269ed672e549 Mon Sep 17 00:00:00 2001
+From: Tarun Gupta <tgupta@redhat.com>
+Date: Wed, 20 Jun 2018 18:54:19 +0200
+Subject: [PATCH 11/17] console: minimal hotplug suport
+
+RH-Author: Tarun Gupta <tgupta@redhat.com>
+Message-id: <1529520865-18127-6-git-send-email-tgupta@redhat.com>
+Patchwork-id: 80914
+O-Subject: [RHEL7.6 qemu-kvm PATCH v3 05/11] console: minimal hotplug suport
+Bugzilla: 1555246
+RH-Acked-by: Alex Williamson <alex.williamson@redhat.com>
+RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+This patch allows to unbind devices from QemuConsoles, using the new
+graphic_console_close() function. The QemuConsole will show a static
+display then, saying the device was unplugged. When re-plugging a
+display later on the QemuConsole will be reused.
+
+Eventually we will allocate and release QemuConsoles dynamically at some
+point in the future, that'll need more infrastructure though to notify
+user interfaces (gtk, sdl, spice, ...) about QemuConsoles coming and
+going.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+
+(cherry picked from 9588d67e72f853349dbb318503368ad01b12feb6)
+
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+Conflicts:
+ qemu-kvm does not have ui/trace-events, so adding traces in
+ trace_events.
+
+ qemu-kvm does not have graphic_console_set_hwops() function,
+ so manually setting the ops.
+---
+ include/ui/console.h | 3 ++-
+ trace-events | 2 ++
+ ui/console.c | 75 ++++++++++++++++++++++++++++++++++++++++++++++++----
+ 3 files changed, 74 insertions(+), 6 deletions(-)
+
+diff --git a/include/ui/console.h b/include/ui/console.h
+index 7f5fa66..e23f809 100644
+--- a/include/ui/console.h
++++ b/include/ui/console.h
+@@ -275,13 +275,14 @@ typedef struct GraphicHwOps {
+ QemuConsole *graphic_console_init(DeviceState *dev,
+ const GraphicHwOps *ops,
+ void *opaque);
+-
++void graphic_console_close(QemuConsole *con);
+ void graphic_hw_update(QemuConsole *con);
+ void graphic_hw_invalidate(QemuConsole *con);
+ void graphic_hw_text_update(QemuConsole *con, console_ch_t *chardata);
+
+ QemuConsole *qemu_console_lookup_by_index(unsigned int index);
+ QemuConsole *qemu_console_lookup_by_device(DeviceState *dev);
++QemuConsole *qemu_console_lookup_unused(void);
+ bool qemu_console_is_visible(QemuConsole *con);
+ bool qemu_console_is_graphic(QemuConsole *con);
+ bool qemu_console_is_fixedsize(QemuConsole *con);
+diff --git a/trace-events b/trace-events
+index 8c3ce0c..7b7aad1 100644
+--- a/trace-events
++++ b/trace-events
+@@ -994,6 +994,8 @@ dma_map_wait(void *dbs) "dbs=%p"
+
+ # ui/console.c
+ console_gfx_new(void) ""
++console_gfx_reuse(int index) "%d"
++console_gfx_close(int index) "%d"
+ console_txt_new(int w, int h) "%dx%d"
+ console_select(int nr) "%d"
+ console_refresh(int interval) "interval %d ms"
+diff --git a/ui/console.c b/ui/console.c
+index c14a0bc..cc319a9 100644
+--- a/ui/console.c
++++ b/ui/console.c
+@@ -1246,11 +1246,16 @@ static QemuConsole *new_console(DisplayState *ds, console_type_t console_type)
+ }
+ s->ds = ds;
+ s->console_type = console_type;
+- if (console_type != GRAPHIC_CONSOLE) {
++ if (console_type != GRAPHIC_CONSOLE || qdev_hotplug) {
+ s->index = nb_consoles;
+ consoles[nb_consoles++] = s;
+ } else {
+- /* HACK: Put graphical consoles before text consoles. */
++ /*
++ * HACK: Put graphical consoles before text consoles.
++ *
++ * Only do that for coldplugged devices. After initial device
++ * initialization we will not renumber the consoles any more.
++ */
+ for (i = nb_consoles; i > 0; i--) {
+ if (consoles[i - 1]->console_type == GRAPHIC_CONSOLE)
+ break;
+@@ -1610,21 +1615,59 @@ QemuConsole *graphic_console_init(DeviceState *dev,
+ int height = 480;
+ QemuConsole *s;
+ DisplayState *ds;
++ DisplaySurface *surface;
+
+ ds = get_alloc_displaystate();
+- trace_console_gfx_new();
+- s = new_console(ds, GRAPHIC_CONSOLE);
++ s = qemu_console_lookup_unused();
++ if (s) {
++ trace_console_gfx_reuse(s->index);
++ if (s->surface) {
++ width = surface_width(s->surface);
++ height = surface_height(s->surface);
++ }
++ } else {
++ trace_console_gfx_new();
++ s = new_console(ds, GRAPHIC_CONSOLE);
++ }
++
+ s->hw_ops = hw_ops;
+ s->hw = opaque;
++
+ if (dev) {
+ object_property_set_link(OBJECT(s), OBJECT(dev),
+ "device", &local_err);
+ }
+
+- s->surface = qemu_create_message_surface(width, height, noinit);
++ surface = qemu_create_message_surface(width, height, noinit);
++ dpy_gfx_replace_surface(s, surface);
+ return s;
+ }
+
++static const GraphicHwOps unused_ops = {
++ /* no callbacks */
++};
++
++void graphic_console_close(QemuConsole *con)
++{
++ DisplaySurface *surface;
++ int width = 640;
++ int height = 480;
++
++ if (con->surface) {
++ width = surface_width(con->surface);
++ height = surface_height(con->surface);
++ }
++
++ trace_console_gfx_close(con->index);
++ object_property_set_link(OBJECT(con), NULL, "device", &error_abort);
++
++ con->hw_ops = &unused_ops;
++ con->hw = NULL;
++
++ surface = qemu_create_displaysurface(width, height);
++ dpy_gfx_replace_surface(con, surface);
++}
++
+ QemuConsole *qemu_console_lookup_by_index(unsigned int index)
+ {
+ if (index >= MAX_CONSOLES) {
+@@ -1652,6 +1695,28 @@ QemuConsole *qemu_console_lookup_by_device(DeviceState *dev)
+ return NULL;
+ }
+
++QemuConsole *qemu_console_lookup_unused(void)
++{
++ Object *obj;
++ int i;
++
++ for (i = 0; i < nb_consoles; i++) {
++ if (!consoles[i]) {
++ continue;
++ }
++ if (consoles[i]->hw_ops != &unused_ops) {
++ continue;
++ }
++ obj = object_property_get_link(OBJECT(consoles[i]),
++ "device", &error_abort);
++ if (obj != NULL) {
++ continue;
++ }
++ return consoles[i];
++ }
++ return NULL;
++}
++
+ bool qemu_console_is_visible(QemuConsole *con)
+ {
+ return (con == active_console) || (con->dcls > 0);
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-console-nicer-initial-screen.patch b/SOURCES/kvm-console-nicer-initial-screen.patch
new file mode 100644
index 0000000..478e300
--- /dev/null
+++ b/SOURCES/kvm-console-nicer-initial-screen.patch
@@ -0,0 +1,102 @@
+From 7d82cea3c5aa7abc7942eb63c9ce232e10084bd5 Mon Sep 17 00:00:00 2001
+From: Tarun Gupta <tgupta@redhat.com>
+Date: Wed, 20 Jun 2018 18:54:18 +0200
+Subject: [PATCH 10/17] console: nicer initial screen
+
+RH-Author: Tarun Gupta <tgupta@redhat.com>
+Message-id: <1529520865-18127-5-git-send-email-tgupta@redhat.com>
+Patchwork-id: 80915
+O-Subject: [RHEL7.6 qemu-kvm PATCH v3 04/11] console: nicer initial screen
+Bugzilla: 1555246
+RH-Acked-by: Alex Williamson <alex.williamson@redhat.com>
+RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+Now that we have a function to create a fancy DisplaySurface with a
+message for the user, to handle non-existing graphics hardware, we
+can make it more generic and use it for other things too.
+
+This patch adds a text line to the in initial DisplaySurface,
+notifying the user that the display isn't initialized yet by the guest.
+
+You can see this in action when starting qemu with '-S'. Also when
+booting ovmf in qemu (which needs a few moments to initialize itself
+before it initializes the vga).
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+(cherry picked from 521a580d2352ad30086babcabb91e6338e47cf62)
+
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ ui/console.c | 19 +++++++++++--------
+ 1 file changed, 11 insertions(+), 8 deletions(-)
+
+diff --git a/ui/console.c b/ui/console.c
+index fb08ec0..c14a0bc 100644
+--- a/ui/console.c
++++ b/ui/console.c
+@@ -1323,19 +1323,18 @@ DisplaySurface *qemu_create_displaysurface_from(int width, int height, int bpp,
+ return surface;
+ }
+
+-static DisplaySurface *qemu_create_dummy_surface(void)
++static DisplaySurface *qemu_create_message_surface(int w, int h,
++ const char *msg)
+ {
+- static const char msg[] =
+- "This VM has no graphic display device.";
+- DisplaySurface *surface = qemu_create_displaysurface(640, 480);
++ DisplaySurface *surface = qemu_create_displaysurface(w, h);
+ pixman_color_t bg = color_table_rgb[0][COLOR_BLACK];
+ pixman_color_t fg = color_table_rgb[0][COLOR_WHITE];
+ pixman_image_t *glyph;
+ int len, x, y, i;
+
+ len = strlen(msg);
+- x = (640/FONT_WIDTH - len) / 2;
+- y = (480/FONT_HEIGHT - 1) / 2;
++ x = (w/FONT_WIDTH - len) / 2;
++ y = (h/FONT_HEIGHT - 1) / 2;
+ for (i = 0; i < len; i++) {
+ glyph = qemu_pixman_glyph_from_vgafont(FONT_HEIGHT, vgafont16, msg[i]);
+ qemu_pixman_glyph_render(glyph, surface->image, &fg, &bg,
+@@ -1357,6 +1356,8 @@ void qemu_free_displaysurface(DisplaySurface *surface)
+
+ void register_displaychangelistener(DisplayChangeListener *dcl)
+ {
++ static const char nodev[] =
++ "This VM has no graphic display device.";
+ static DisplaySurface *dummy;
+ QemuConsole *con;
+
+@@ -1375,7 +1376,7 @@ void register_displaychangelistener(DisplayChangeListener *dcl)
+ dcl->ops->dpy_gfx_switch(dcl, con->surface);
+ } else {
+ if (!dummy) {
+- dummy = qemu_create_dummy_surface();
++ dummy = qemu_create_message_surface(640, 480, nodev);
+ }
+ dcl->ops->dpy_gfx_switch(dcl, dummy);
+ }
+@@ -1602,6 +1603,8 @@ QemuConsole *graphic_console_init(DeviceState *dev,
+ const GraphicHwOps *hw_ops,
+ void *opaque)
+ {
++ static const char noinit[] =
++ "Guest has not initialized the display (yet).";
+ Error *local_err = NULL;
+ int width = 640;
+ int height = 480;
+@@ -1618,7 +1621,7 @@ QemuConsole *graphic_console_init(DeviceState *dev,
+ "device", &local_err);
+ }
+
+- s->surface = qemu_create_displaysurface(width, height);
++ s->surface = qemu_create_message_surface(width, height, noinit);
+ return s;
+ }
+
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-headers-add-drm_fourcc.h.patch b/SOURCES/kvm-headers-add-drm_fourcc.h.patch
new file mode 100644
index 0000000..0473c21
--- /dev/null
+++ b/SOURCES/kvm-headers-add-drm_fourcc.h.patch
@@ -0,0 +1,450 @@
+From c1da33afa02ed4978c34f16ec56d60dbfa5ac2c0 Mon Sep 17 00:00:00 2001
+From: Tarun Gupta <tgupta@redhat.com>
+Date: Wed, 20 Jun 2018 18:54:15 +0200
+Subject: [PATCH 07/17] headers: add drm_fourcc.h
+
+RH-Author: Tarun Gupta <tgupta@redhat.com>
+Message-id: <1529520865-18127-2-git-send-email-tgupta@redhat.com>
+Patchwork-id: 80909
+O-Subject: [RHEL7.6 qemu-kvm PATCH v3 01/11] headers: add drm_fourcc.h
+Bugzilla: 1555246
+RH-Acked-by: Alex Williamson <alex.williamson@redhat.com>
+RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+So we can use the drm fourcc codes without a dependency on libdrm-devel.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+
+(cherry picked from 8e8ee8509a0d2d5a65d7533e6e9179b6f3b0a0d4)
+
+Conflict: qemu-kvm does not have the standard-headers directory.
+So, adding the drm_fourcc.h in include/ directory.
+
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ include/drm_fourcc.h | 411 +++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 411 insertions(+)
+ create mode 100644 include/drm_fourcc.h
+
+diff --git a/include/drm_fourcc.h b/include/drm_fourcc.h
+new file mode 100644
+index 0000000..11912fd
+--- /dev/null
++++ b/include/drm_fourcc.h
+@@ -0,0 +1,411 @@
++/*
++ * Copyright 2011 Intel Corporation
++ *
++ * Permission is hereby granted, free of charge, to any person obtaining a
++ * copy of this software and associated documentation files (the "Software"),
++ * to deal in the Software without restriction, including without limitation
++ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
++ * and/or sell copies of the Software, and to permit persons to whom the
++ * Software is furnished to do so, subject to the following conditions:
++ *
++ * The above copyright notice and this permission notice (including the next
++ * paragraph) shall be included in all copies or substantial portions of the
++ * Software.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
++ * VA LINUX SYSTEMS AND/OR ITS SUPPLIERS BE LIABLE FOR ANY CLAIM, DAMAGES OR
++ * OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
++ * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
++ * OTHER DEALINGS IN THE SOFTWARE.
++ */
++
++#ifndef DRM_FOURCC_H
++#define DRM_FOURCC_H
++
++
++#if defined(__cplusplus)
++extern "C" {
++#endif
++
++#define fourcc_code(a, b, c, d) ((uint32_t)(a) | ((uint32_t)(b) << 8) | \
++ ((uint32_t)(c) << 16) | ((uint32_t)(d) << 24))
++
++#define DRM_FORMAT_BIG_ENDIAN (1<<31) /* format is big endian instead of little endian */
++
++/* color index */
++#define DRM_FORMAT_C8 fourcc_code('C', '8', ' ', ' ') /* [7:0] C */
++
++/* 8 bpp Red */
++#define DRM_FORMAT_R8 fourcc_code('R', '8', ' ', ' ') /* [7:0] R */
++
++/* 16 bpp Red */
++#define DRM_FORMAT_R16 fourcc_code('R', '1', '6', ' ') /* [15:0] R little endian */
++
++/* 16 bpp RG */
++#define DRM_FORMAT_RG88 fourcc_code('R', 'G', '8', '8') /* [15:0] R:G 8:8 little endian */
++#define DRM_FORMAT_GR88 fourcc_code('G', 'R', '8', '8') /* [15:0] G:R 8:8 little endian */
++
++/* 32 bpp RG */
++#define DRM_FORMAT_RG1616 fourcc_code('R', 'G', '3', '2') /* [31:0] R:G 16:16 little endian */
++#define DRM_FORMAT_GR1616 fourcc_code('G', 'R', '3', '2') /* [31:0] G:R 16:16 little endian */
++
++/* 8 bpp RGB */
++#define DRM_FORMAT_RGB332 fourcc_code('R', 'G', 'B', '8') /* [7:0] R:G:B 3:3:2 */
++#define DRM_FORMAT_BGR233 fourcc_code('B', 'G', 'R', '8') /* [7:0] B:G:R 2:3:3 */
++
++/* 16 bpp RGB */
++#define DRM_FORMAT_XRGB4444 fourcc_code('X', 'R', '1', '2') /* [15:0] x:R:G:B 4:4:4:4 little endian */
++#define DRM_FORMAT_XBGR4444 fourcc_code('X', 'B', '1', '2') /* [15:0] x:B:G:R 4:4:4:4 little endian */
++#define DRM_FORMAT_RGBX4444 fourcc_code('R', 'X', '1', '2') /* [15:0] R:G:B:x 4:4:4:4 little endian */
++#define DRM_FORMAT_BGRX4444 fourcc_code('B', 'X', '1', '2') /* [15:0] B:G:R:x 4:4:4:4 little endian */
++
++#define DRM_FORMAT_ARGB4444 fourcc_code('A', 'R', '1', '2') /* [15:0] A:R:G:B 4:4:4:4 little endian */
++#define DRM_FORMAT_ABGR4444 fourcc_code('A', 'B', '1', '2') /* [15:0] A:B:G:R 4:4:4:4 little endian */
++#define DRM_FORMAT_RGBA4444 fourcc_code('R', 'A', '1', '2') /* [15:0] R:G:B:A 4:4:4:4 little endian */
++#define DRM_FORMAT_BGRA4444 fourcc_code('B', 'A', '1', '2') /* [15:0] B:G:R:A 4:4:4:4 little endian */
++
++#define DRM_FORMAT_XRGB1555 fourcc_code('X', 'R', '1', '5') /* [15:0] x:R:G:B 1:5:5:5 little endian */
++#define DRM_FORMAT_XBGR1555 fourcc_code('X', 'B', '1', '5') /* [15:0] x:B:G:R 1:5:5:5 little endian */
++#define DRM_FORMAT_RGBX5551 fourcc_code('R', 'X', '1', '5') /* [15:0] R:G:B:x 5:5:5:1 little endian */
++#define DRM_FORMAT_BGRX5551 fourcc_code('B', 'X', '1', '5') /* [15:0] B:G:R:x 5:5:5:1 little endian */
++
++#define DRM_FORMAT_ARGB1555 fourcc_code('A', 'R', '1', '5') /* [15:0] A:R:G:B 1:5:5:5 little endian */
++#define DRM_FORMAT_ABGR1555 fourcc_code('A', 'B', '1', '5') /* [15:0] A:B:G:R 1:5:5:5 little endian */
++#define DRM_FORMAT_RGBA5551 fourcc_code('R', 'A', '1', '5') /* [15:0] R:G:B:A 5:5:5:1 little endian */
++#define DRM_FORMAT_BGRA5551 fourcc_code('B', 'A', '1', '5') /* [15:0] B:G:R:A 5:5:5:1 little endian */
++
++#define DRM_FORMAT_RGB565 fourcc_code('R', 'G', '1', '6') /* [15:0] R:G:B 5:6:5 little endian */
++#define DRM_FORMAT_BGR565 fourcc_code('B', 'G', '1', '6') /* [15:0] B:G:R 5:6:5 little endian */
++
++/* 24 bpp RGB */
++#define DRM_FORMAT_RGB888 fourcc_code('R', 'G', '2', '4') /* [23:0] R:G:B little endian */
++#define DRM_FORMAT_BGR888 fourcc_code('B', 'G', '2', '4') /* [23:0] B:G:R little endian */
++
++/* 32 bpp RGB */
++#define DRM_FORMAT_XRGB8888 fourcc_code('X', 'R', '2', '4') /* [31:0] x:R:G:B 8:8:8:8 little endian */
++#define DRM_FORMAT_XBGR8888 fourcc_code('X', 'B', '2', '4') /* [31:0] x:B:G:R 8:8:8:8 little endian */
++#define DRM_FORMAT_RGBX8888 fourcc_code('R', 'X', '2', '4') /* [31:0] R:G:B:x 8:8:8:8 little endian */
++#define DRM_FORMAT_BGRX8888 fourcc_code('B', 'X', '2', '4') /* [31:0] B:G:R:x 8:8:8:8 little endian */
++
++#define DRM_FORMAT_ARGB8888 fourcc_code('A', 'R', '2', '4') /* [31:0] A:R:G:B 8:8:8:8 little endian */
++#define DRM_FORMAT_ABGR8888 fourcc_code('A', 'B', '2', '4') /* [31:0] A:B:G:R 8:8:8:8 little endian */
++#define DRM_FORMAT_RGBA8888 fourcc_code('R', 'A', '2', '4') /* [31:0] R:G:B:A 8:8:8:8 little endian */
++#define DRM_FORMAT_BGRA8888 fourcc_code('B', 'A', '2', '4') /* [31:0] B:G:R:A 8:8:8:8 little endian */
++
++#define DRM_FORMAT_XRGB2101010 fourcc_code('X', 'R', '3', '0') /* [31:0] x:R:G:B 2:10:10:10 little endian */
++#define DRM_FORMAT_XBGR2101010 fourcc_code('X', 'B', '3', '0') /* [31:0] x:B:G:R 2:10:10:10 little endian */
++#define DRM_FORMAT_RGBX1010102 fourcc_code('R', 'X', '3', '0') /* [31:0] R:G:B:x 10:10:10:2 little endian */
++#define DRM_FORMAT_BGRX1010102 fourcc_code('B', 'X', '3', '0') /* [31:0] B:G:R:x 10:10:10:2 little endian */
++
++#define DRM_FORMAT_ARGB2101010 fourcc_code('A', 'R', '3', '0') /* [31:0] A:R:G:B 2:10:10:10 little endian */
++#define DRM_FORMAT_ABGR2101010 fourcc_code('A', 'B', '3', '0') /* [31:0] A:B:G:R 2:10:10:10 little endian */
++#define DRM_FORMAT_RGBA1010102 fourcc_code('R', 'A', '3', '0') /* [31:0] R:G:B:A 10:10:10:2 little endian */
++#define DRM_FORMAT_BGRA1010102 fourcc_code('B', 'A', '3', '0') /* [31:0] B:G:R:A 10:10:10:2 little endian */
++
++/* packed YCbCr */
++#define DRM_FORMAT_YUYV fourcc_code('Y', 'U', 'Y', 'V') /* [31:0] Cr0:Y1:Cb0:Y0 8:8:8:8 little endian */
++#define DRM_FORMAT_YVYU fourcc_code('Y', 'V', 'Y', 'U') /* [31:0] Cb0:Y1:Cr0:Y0 8:8:8:8 little endian */
++#define DRM_FORMAT_UYVY fourcc_code('U', 'Y', 'V', 'Y') /* [31:0] Y1:Cr0:Y0:Cb0 8:8:8:8 little endian */
++#define DRM_FORMAT_VYUY fourcc_code('V', 'Y', 'U', 'Y') /* [31:0] Y1:Cb0:Y0:Cr0 8:8:8:8 little endian */
++
++#define DRM_FORMAT_AYUV fourcc_code('A', 'Y', 'U', 'V') /* [31:0] A:Y:Cb:Cr 8:8:8:8 little endian */
++
++/*
++ * 2 plane RGB + A
++ * index 0 = RGB plane, same format as the corresponding non _A8 format has
++ * index 1 = A plane, [7:0] A
++ */
++#define DRM_FORMAT_XRGB8888_A8 fourcc_code('X', 'R', 'A', '8')
++#define DRM_FORMAT_XBGR8888_A8 fourcc_code('X', 'B', 'A', '8')
++#define DRM_FORMAT_RGBX8888_A8 fourcc_code('R', 'X', 'A', '8')
++#define DRM_FORMAT_BGRX8888_A8 fourcc_code('B', 'X', 'A', '8')
++#define DRM_FORMAT_RGB888_A8 fourcc_code('R', '8', 'A', '8')
++#define DRM_FORMAT_BGR888_A8 fourcc_code('B', '8', 'A', '8')
++#define DRM_FORMAT_RGB565_A8 fourcc_code('R', '5', 'A', '8')
++#define DRM_FORMAT_BGR565_A8 fourcc_code('B', '5', 'A', '8')
++
++/*
++ * 2 plane YCbCr
++ * index 0 = Y plane, [7:0] Y
++ * index 1 = Cr:Cb plane, [15:0] Cr:Cb little endian
++ * or
++ * index 1 = Cb:Cr plane, [15:0] Cb:Cr little endian
++ */
++#define DRM_FORMAT_NV12 fourcc_code('N', 'V', '1', '2') /* 2x2 subsampled Cr:Cb plane */
++#define DRM_FORMAT_NV21 fourcc_code('N', 'V', '2', '1') /* 2x2 subsampled Cb:Cr plane */
++#define DRM_FORMAT_NV16 fourcc_code('N', 'V', '1', '6') /* 2x1 subsampled Cr:Cb plane */
++#define DRM_FORMAT_NV61 fourcc_code('N', 'V', '6', '1') /* 2x1 subsampled Cb:Cr plane */
++#define DRM_FORMAT_NV24 fourcc_code('N', 'V', '2', '4') /* non-subsampled Cr:Cb plane */
++#define DRM_FORMAT_NV42 fourcc_code('N', 'V', '4', '2') /* non-subsampled Cb:Cr plane */
++
++/*
++ * 3 plane YCbCr
++ * index 0: Y plane, [7:0] Y
++ * index 1: Cb plane, [7:0] Cb
++ * index 2: Cr plane, [7:0] Cr
++ * or
++ * index 1: Cr plane, [7:0] Cr
++ * index 2: Cb plane, [7:0] Cb
++ */
++#define DRM_FORMAT_YUV410 fourcc_code('Y', 'U', 'V', '9') /* 4x4 subsampled Cb (1) and Cr (2) planes */
++#define DRM_FORMAT_YVU410 fourcc_code('Y', 'V', 'U', '9') /* 4x4 subsampled Cr (1) and Cb (2) planes */
++#define DRM_FORMAT_YUV411 fourcc_code('Y', 'U', '1', '1') /* 4x1 subsampled Cb (1) and Cr (2) planes */
++#define DRM_FORMAT_YVU411 fourcc_code('Y', 'V', '1', '1') /* 4x1 subsampled Cr (1) and Cb (2) planes */
++#define DRM_FORMAT_YUV420 fourcc_code('Y', 'U', '1', '2') /* 2x2 subsampled Cb (1) and Cr (2) planes */
++#define DRM_FORMAT_YVU420 fourcc_code('Y', 'V', '1', '2') /* 2x2 subsampled Cr (1) and Cb (2) planes */
++#define DRM_FORMAT_YUV422 fourcc_code('Y', 'U', '1', '6') /* 2x1 subsampled Cb (1) and Cr (2) planes */
++#define DRM_FORMAT_YVU422 fourcc_code('Y', 'V', '1', '6') /* 2x1 subsampled Cr (1) and Cb (2) planes */
++#define DRM_FORMAT_YUV444 fourcc_code('Y', 'U', '2', '4') /* non-subsampled Cb (1) and Cr (2) planes */
++#define DRM_FORMAT_YVU444 fourcc_code('Y', 'V', '2', '4') /* non-subsampled Cr (1) and Cb (2) planes */
++
++
++/*
++ * Format Modifiers:
++ *
++ * Format modifiers describe, typically, a re-ordering or modification
++ * of the data in a plane of an FB. This can be used to express tiled/
++ * swizzled formats, or compression, or a combination of the two.
++ *
++ * The upper 8 bits of the format modifier are a vendor-id as assigned
++ * below. The lower 56 bits are assigned as vendor sees fit.
++ */
++
++/* Vendor Ids: */
++#define DRM_FORMAT_MOD_NONE 0
++#define DRM_FORMAT_MOD_VENDOR_NONE 0
++#define DRM_FORMAT_MOD_VENDOR_INTEL 0x01
++#define DRM_FORMAT_MOD_VENDOR_AMD 0x02
++#define DRM_FORMAT_MOD_VENDOR_NVIDIA 0x03
++#define DRM_FORMAT_MOD_VENDOR_SAMSUNG 0x04
++#define DRM_FORMAT_MOD_VENDOR_QCOM 0x05
++#define DRM_FORMAT_MOD_VENDOR_VIVANTE 0x06
++#define DRM_FORMAT_MOD_VENDOR_BROADCOM 0x07
++/* add more to the end as needed */
++
++#define DRM_FORMAT_RESERVED ((1ULL << 56) - 1)
++
++#define fourcc_mod_code(vendor, val) \
++ ((((uint64_t)DRM_FORMAT_MOD_VENDOR_## vendor) << 56) | ((val) & 0x00ffffffffffffffULL))
++
++/*
++ * Format Modifier tokens:
++ *
++ * When adding a new token please document the layout with a code comment,
++ * similar to the fourcc codes above. drm_fourcc.h is considered the
++ * authoritative source for all of these.
++ */
++
++/*
++ * Invalid Modifier
++ *
++ * This modifier can be used as a sentinel to terminate the format modifiers
++ * list, or to initialize a variable with an invalid modifier. It might also be
++ * used to report an error back to userspace for certain APIs.
++ */
++#define DRM_FORMAT_MOD_INVALID fourcc_mod_code(NONE, DRM_FORMAT_RESERVED)
++
++/*
++ * Linear Layout
++ *
++ * Just plain linear layout. Note that this is different from no specifying any
++ * modifier (e.g. not setting DRM_MODE_FB_MODIFIERS in the DRM_ADDFB2 ioctl),
++ * which tells the driver to also take driver-internal information into account
++ * and so might actually result in a tiled framebuffer.
++ */
++#define DRM_FORMAT_MOD_LINEAR fourcc_mod_code(NONE, 0)
++
++/* Intel framebuffer modifiers */
++
++/*
++ * Intel X-tiling layout
++ *
++ * This is a tiled layout using 4Kb tiles (except on gen2 where the tiles 2Kb)
++ * in row-major layout. Within the tile bytes are laid out row-major, with
++ * a platform-dependent stride. On top of that the memory can apply
++ * platform-depending swizzling of some higher address bits into bit6.
++ *
++ * This format is highly platforms specific and not useful for cross-driver
++ * sharing. It exists since on a given platform it does uniquely identify the
++ * layout in a simple way for i915-specific userspace.
++ */
++#define I915_FORMAT_MOD_X_TILED fourcc_mod_code(INTEL, 1)
++
++/*
++ * Intel Y-tiling layout
++ *
++ * This is a tiled layout using 4Kb tiles (except on gen2 where the tiles 2Kb)
++ * in row-major layout. Within the tile bytes are laid out in OWORD (16 bytes)
++ * chunks column-major, with a platform-dependent height. On top of that the
++ * memory can apply platform-depending swizzling of some higher address bits
++ * into bit6.
++ *
++ * This format is highly platforms specific and not useful for cross-driver
++ * sharing. It exists since on a given platform it does uniquely identify the
++ * layout in a simple way for i915-specific userspace.
++ */
++#define I915_FORMAT_MOD_Y_TILED fourcc_mod_code(INTEL, 2)
++
++/*
++ * Intel Yf-tiling layout
++ *
++ * This is a tiled layout using 4Kb tiles in row-major layout.
++ * Within the tile pixels are laid out in 16 256 byte units / sub-tiles which
++ * are arranged in four groups (two wide, two high) with column-major layout.
++ * Each group therefore consits out of four 256 byte units, which are also laid
++ * out as 2x2 column-major.
++ * 256 byte units are made out of four 64 byte blocks of pixels, producing
++ * either a square block or a 2:1 unit.
++ * 64 byte blocks of pixels contain four pixel rows of 16 bytes, where the width
++ * in pixel depends on the pixel depth.
++ */
++#define I915_FORMAT_MOD_Yf_TILED fourcc_mod_code(INTEL, 3)
++
++/*
++ * Intel color control surface (CCS) for render compression
++ *
++ * The framebuffer format must be one of the 8:8:8:8 RGB formats.
++ * The main surface will be plane index 0 and must be Y/Yf-tiled,
++ * the CCS will be plane index 1.
++ *
++ * Each CCS tile matches a 1024x512 pixel area of the main surface.
++ * To match certain aspects of the 3D hardware the CCS is
++ * considered to be made up of normal 128Bx32 Y tiles, Thus
++ * the CCS pitch must be specified in multiples of 128 bytes.
++ *
++ * In reality the CCS tile appears to be a 64Bx64 Y tile, composed
++ * of QWORD (8 bytes) chunks instead of OWORD (16 bytes) chunks.
++ * But that fact is not relevant unless the memory is accessed
++ * directly.
++ */
++#define I915_FORMAT_MOD_Y_TILED_CCS fourcc_mod_code(INTEL, 4)
++#define I915_FORMAT_MOD_Yf_TILED_CCS fourcc_mod_code(INTEL, 5)
++
++/*
++ * Tiled, NV12MT, grouped in 64 (pixels) x 32 (lines) -sized macroblocks
++ *
++ * Macroblocks are laid in a Z-shape, and each pixel data is following the
++ * standard NV12 style.
++ * As for NV12, an image is the result of two frame buffers: one for Y,
++ * one for the interleaved Cb/Cr components (1/2 the height of the Y buffer).
++ * Alignment requirements are (for each buffer):
++ * - multiple of 128 pixels for the width
++ * - multiple of 32 pixels for the height
++ *
++ * For more information: see https://linuxtv.org/downloads/v4l-dvb-apis/re32.html
++ */
++#define DRM_FORMAT_MOD_SAMSUNG_64_32_TILE fourcc_mod_code(SAMSUNG, 1)
++
++/* Vivante framebuffer modifiers */
++
++/*
++ * Vivante 4x4 tiling layout
++ *
++ * This is a simple tiled layout using tiles of 4x4 pixels in a row-major
++ * layout.
++ */
++#define DRM_FORMAT_MOD_VIVANTE_TILED fourcc_mod_code(VIVANTE, 1)
++
++/*
++ * Vivante 64x64 super-tiling layout
++ *
++ * This is a tiled layout using 64x64 pixel super-tiles, where each super-tile
++ * contains 8x4 groups of 2x4 tiles of 4x4 pixels (like above) each, all in row-
++ * major layout.
++ *
++ * For more information: see
++ * https://github.com/etnaviv/etna_viv/blob/master/doc/hardware.md#texture-tiling
++ */
++#define DRM_FORMAT_MOD_VIVANTE_SUPER_TILED fourcc_mod_code(VIVANTE, 2)
++
++/*
++ * Vivante 4x4 tiling layout for dual-pipe
++ *
++ * Same as the 4x4 tiling layout, except every second 4x4 pixel tile starts at a
++ * different base address. Offsets from the base addresses are therefore halved
++ * compared to the non-split tiled layout.
++ */
++#define DRM_FORMAT_MOD_VIVANTE_SPLIT_TILED fourcc_mod_code(VIVANTE, 3)
++
++/*
++ * Vivante 64x64 super-tiling layout for dual-pipe
++ *
++ * Same as the 64x64 super-tiling layout, except every second 4x4 pixel tile
++ * starts at a different base address. Offsets from the base addresses are
++ * therefore halved compared to the non-split super-tiled layout.
++ */
++#define DRM_FORMAT_MOD_VIVANTE_SPLIT_SUPER_TILED fourcc_mod_code(VIVANTE, 4)
++
++/* NVIDIA frame buffer modifiers */
++
++/*
++ * Tegra Tiled Layout, used by Tegra 2, 3 and 4.
++ *
++ * Pixels are arranged in simple tiles of 16 x 16 bytes.
++ */
++#define DRM_FORMAT_MOD_NVIDIA_TEGRA_TILED fourcc_mod_code(NVIDIA, 1)
++
++/*
++ * 16Bx2 Block Linear layout, used by desktop GPUs, and Tegra K1 and later
++ *
++ * Pixels are arranged in 64x8 Groups Of Bytes (GOBs). GOBs are then stacked
++ * vertically by a power of 2 (1 to 32 GOBs) to form a block.
++ *
++ * Within a GOB, data is ordered as 16B x 2 lines sectors laid in Z-shape.
++ *
++ * Parameter 'v' is the log2 encoding of the number of GOBs stacked vertically.
++ * Valid values are:
++ *
++ * 0 == ONE_GOB
++ * 1 == TWO_GOBS
++ * 2 == FOUR_GOBS
++ * 3 == EIGHT_GOBS
++ * 4 == SIXTEEN_GOBS
++ * 5 == THIRTYTWO_GOBS
++ *
++ * Chapter 20 "Pixel Memory Formats" of the Tegra X1 TRM describes this format
++ * in full detail.
++ */
++#define DRM_FORMAT_MOD_NVIDIA_16BX2_BLOCK(v) \
++ fourcc_mod_code(NVIDIA, 0x10 | ((v) & 0xf))
++
++#define DRM_FORMAT_MOD_NVIDIA_16BX2_BLOCK_ONE_GOB \
++ fourcc_mod_code(NVIDIA, 0x10)
++#define DRM_FORMAT_MOD_NVIDIA_16BX2_BLOCK_TWO_GOB \
++ fourcc_mod_code(NVIDIA, 0x11)
++#define DRM_FORMAT_MOD_NVIDIA_16BX2_BLOCK_FOUR_GOB \
++ fourcc_mod_code(NVIDIA, 0x12)
++#define DRM_FORMAT_MOD_NVIDIA_16BX2_BLOCK_EIGHT_GOB \
++ fourcc_mod_code(NVIDIA, 0x13)
++#define DRM_FORMAT_MOD_NVIDIA_16BX2_BLOCK_SIXTEEN_GOB \
++ fourcc_mod_code(NVIDIA, 0x14)
++#define DRM_FORMAT_MOD_NVIDIA_16BX2_BLOCK_THIRTYTWO_GOB \
++ fourcc_mod_code(NVIDIA, 0x15)
++
++/*
++ * Broadcom VC4 "T" format
++ *
++ * This is the primary layout that the V3D GPU can texture from (it
++ * can't do linear). The T format has:
++ *
++ * - 64b utiles of pixels in a raster-order grid according to cpp. It's 4x4
++ * pixels at 32 bit depth.
++ *
++ * - 1k subtiles made of a 4x4 raster-order grid of 64b utiles (so usually
++ * 16x16 pixels).
++ *
++ * - 4k tiles made of a 2x2 grid of 1k subtiles (so usually 32x32 pixels). On
++ * even 4k tile rows, they're arranged as (BL, TL, TR, BR), and on odd rows
++ * they're (TR, BR, BL, TL), where bottom left is start of memory.
++ *
++ * - an image made of 4k tiles in rows either left-to-right (even rows of 4k
++ * tiles) or right-to-left (odd rows of 4k tiles).
++ */
++#define DRM_FORMAT_MOD_BROADCOM_VC4_T_TILED fourcc_mod_code(BROADCOM, 1)
++
++#if defined(__cplusplus)
++}
++#endif
++
++#endif /* DRM_FOURCC_H */
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-i386-Define-the-Virt-SSBD-MSR-and-handling-of-it-CVE.patch b/SOURCES/kvm-i386-Define-the-Virt-SSBD-MSR-and-handling-of-it-CVE.patch
index 2c3fd84..1d3e2aa 100644
--- a/SOURCES/kvm-i386-Define-the-Virt-SSBD-MSR-and-handling-of-it-CVE.patch
+++ b/SOURCES/kvm-i386-Define-the-Virt-SSBD-MSR-and-handling-of-it-CVE.patch
@@ -1,18 +1,17 @@
-From 404335e8ed73046c079435fe73b921ec993614e4 Mon Sep 17 00:00:00 2001
+From eba382cf6a9a9b0003f10ac3da3e638d6f70d492 Mon Sep 17 00:00:00 2001
From: Eduardo Habkost <ehabkost@redhat.com>
-Date: Wed, 23 May 2018 20:54:57 +0200
-Subject: [PATCH 1/2] i386: Define the Virt SSBD MSR and handling of it
+Date: Wed, 13 Jun 2018 18:50:55 +0200
+Subject: [PATCH 03/17] i386: Define the Virt SSBD MSR and handling of it
(CVE-2018-3639)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Eduardo Habkost <ehabkost@redhat.com>
-Message-id: <20180523205458.32764-2-ehabkost@redhat.com>
-Patchwork-id: 80461
-O-Subject: [RHEL-7.5.z qemu-kvm PATCH 1/2] i386: Define the Virt SSBD MSR and handling of it (CVE-2018-3639)
-Bugzilla: 1584363
-RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+Message-id: <20180613185056.18066-2-ehabkost@redhat.com>
+Patchwork-id: 80679
+O-Subject: [RHEL-7.5 qemu-kvm PATCH 1/2] i386: Define the Virt SSBD MSR and handling of it (CVE-2018-3639)
+Bugzilla: 1584583
RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
@@ -50,7 +49,7 @@ Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
3 files changed, 38 insertions(+), 2 deletions(-)
diff --git a/target-i386/cpu.h b/target-i386/cpu.h
-index da84443..68d0c0e 100644
+index c72b545..debb0e5 100644
--- a/target-i386/cpu.h
+++ b/target-i386/cpu.h
@@ -305,6 +305,7 @@
@@ -61,7 +60,7 @@ index da84443..68d0c0e 100644
#define MSR_IA32_TSCDEADLINE 0x6e0
#define MSR_P6_PERFCTR0 0xc1
-@@ -1044,6 +1045,7 @@ typedef struct CPUX86State {
+@@ -1052,6 +1053,7 @@ typedef struct CPUX86State {
uint32_t pkru;
uint64_t spec_ctrl;
@@ -70,7 +69,7 @@ index da84443..68d0c0e 100644
TPRAccess tpr_access_type;
} CPUX86State;
diff --git a/target-i386/kvm.c b/target-i386/kvm.c
-index 24d17ad..656e24b 100644
+index a1a49d8..35a9cf4 100644
--- a/target-i386/kvm.c
+++ b/target-i386/kvm.c
@@ -78,6 +78,7 @@ static bool has_msr_hv_tsc;
@@ -92,7 +91,7 @@ index 24d17ad..656e24b 100644
}
}
-@@ -1195,6 +1200,10 @@ static int kvm_put_msrs(X86CPU *cpu, int level)
+@@ -1217,6 +1222,10 @@ static int kvm_put_msrs(X86CPU *cpu, int level)
if (has_msr_spec_ctrl) {
kvm_msr_entry_set(&msrs[n++], MSR_IA32_SPEC_CTRL, env->spec_ctrl);
}
@@ -103,7 +102,7 @@ index 24d17ad..656e24b 100644
#ifdef TARGET_X86_64
if (lm_capable_kernel) {
kvm_msr_entry_set(&msrs[n++], MSR_CSTAR, env->cstar);
-@@ -1555,8 +1564,9 @@ static int kvm_get_msrs(X86CPU *cpu)
+@@ -1577,8 +1586,9 @@ static int kvm_get_msrs(X86CPU *cpu)
if (has_msr_spec_ctrl) {
msrs[n++].index = MSR_IA32_SPEC_CTRL;
}
@@ -115,7 +114,7 @@ index 24d17ad..656e24b 100644
if (!env->tsc_valid) {
msrs[n++].index = MSR_IA32_TSC;
env->tsc_valid = !runstate_is_running();
-@@ -1800,6 +1810,9 @@ static int kvm_get_msrs(X86CPU *cpu)
+@@ -1822,6 +1832,9 @@ static int kvm_get_msrs(X86CPU *cpu)
case MSR_IA32_SPEC_CTRL:
env->spec_ctrl = msrs[i].data;
break;
diff --git a/SOURCES/kvm-i386-define-the-AMD-virt-ssbd-CPUID-feature-bit-CVE-.patch b/SOURCES/kvm-i386-define-the-AMD-virt-ssbd-CPUID-feature-bit-CVE-.patch
index 4217be2..11e6e57 100644
--- a/SOURCES/kvm-i386-define-the-AMD-virt-ssbd-CPUID-feature-bit-CVE-.patch
+++ b/SOURCES/kvm-i386-define-the-AMD-virt-ssbd-CPUID-feature-bit-CVE-.patch
@@ -1,18 +1,17 @@
-From 575e827677fb3c238250c44b5287ae327ddbfcde Mon Sep 17 00:00:00 2001
+From c95345b4fea239a4482652ad57b4106254cd79f0 Mon Sep 17 00:00:00 2001
From: Eduardo Habkost <ehabkost@redhat.com>
-Date: Wed, 23 May 2018 20:54:58 +0200
-Subject: [PATCH 2/2] i386: define the AMD 'virt-ssbd' CPUID feature bit
+Date: Wed, 13 Jun 2018 18:50:56 +0200
+Subject: [PATCH 04/17] i386: define the AMD 'virt-ssbd' CPUID feature bit
(CVE-2018-3639)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Eduardo Habkost <ehabkost@redhat.com>
-Message-id: <20180523205458.32764-3-ehabkost@redhat.com>
-Patchwork-id: 80462
-O-Subject: [RHEL-7.5.z qemu-kvm PATCH 2/2] i386: define the AMD 'virt-ssbd' CPUID feature bit (CVE-2018-3639)
-Bugzilla: 1584363
-RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+Message-id: <20180613185056.18066-3-ehabkost@redhat.com>
+Patchwork-id: 80680
+O-Subject: [RHEL-7.5 qemu-kvm PATCH 2/2] i386: define the AMD 'virt-ssbd' CPUID feature bit (CVE-2018-3639)
+Bugzilla: 1584583
RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
@@ -41,7 +40,7 @@ Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/target-i386/cpu.c b/target-i386/cpu.c
-index 539c202..02dcc4b 100644
+index 0254747..4b3a238 100644
--- a/target-i386/cpu.c
+++ b/target-i386/cpu.c
@@ -183,7 +183,7 @@ static const char *cpuid_80000008_ebx_feature_name[] = {
diff --git a/SOURCES/kvm-i386-define-the-ssbd-CPUID-feature-bit-CVE-2018-3639.patch b/SOURCES/kvm-i386-define-the-ssbd-CPUID-feature-bit-CVE-2018-3639.patch
index 389f6f5..77e33ee 100644
--- a/SOURCES/kvm-i386-define-the-ssbd-CPUID-feature-bit-CVE-2018-3639.patch
+++ b/SOURCES/kvm-i386-define-the-ssbd-CPUID-feature-bit-CVE-2018-3639.patch
@@ -1,13 +1,14 @@
-From f5a29669048a0a889348839c8707f7f10b0bec48 Mon Sep 17 00:00:00 2001
+From 3aa3deed539cd90a2eee32d3d8c2f673adb58aa8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Wed, 9 May 2018 09:06:29 +0100
-Subject: [PATCH] i386: define the 'ssbd' CPUID feature bit (CVE-2018-3639)
+Subject: [PATCH 03/10] i386: define the 'ssbd' CPUID feature bit
+ (CVE-2018-3639)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Daniel P. Berrangé <berrange@redhat.com>
-Bugzilla: 1574075
+Bugzilla: 1574082
RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
diff --git a/SOURCES/kvm-ide-avoid-referencing-NULL-dev-in-rotational-rate-se.patch b/SOURCES/kvm-ide-avoid-referencing-NULL-dev-in-rotational-rate-se.patch
new file mode 100644
index 0000000..68e6046
--- /dev/null
+++ b/SOURCES/kvm-ide-avoid-referencing-NULL-dev-in-rotational-rate-se.patch
@@ -0,0 +1,49 @@
+From a967318ce21d68d30afbb02bcd8b43dd7157916d Mon Sep 17 00:00:00 2001
+From: John Snow <jsnow@redhat.com>
+Date: Thu, 2 Aug 2018 15:53:36 +0200
+Subject: [PATCH 3/4] ide: avoid referencing NULL dev in rotational rate
+ setting
+
+RH-Author: John Snow <jsnow@redhat.com>
+Message-id: <20180802155336.10347-4-jsnow@redhat.com>
+Patchwork-id: 81611
+O-Subject: [RHEL-7.6 qemu-kvm PATCH 3/3] ide: avoid referencing NULL dev in rotational rate setting
+Bugzilla: 1583807
+RH-Acked-by: Daniel P. Berrange <berrange@redhat.com>
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+RH-Acked-by: Thomas Huth <thuth@redhat.com>
+
+From: "Daniel P. Berrange" <berrange@redhat.com>
+
+The 'dev' variable can be NULL when the guest OS calls identify on an IDE
+unit that does not have a drive attached to it.
+
+Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Message-id: 20171020091403.1479-1-berrange@redhat.com
+Signed-off-by: John Snow <jsnow@redhat.com>
+(cherry picked from commit 96f43c2b0a663f4789b51ed97297163321e7ba5e)
+Signed-off-by: John Snow <jsnow@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ hw/ide/core.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/hw/ide/core.c b/hw/ide/core.c
+index aea2ff9..be6e0c9 100644
+--- a/hw/ide/core.c
++++ b/hw/ide/core.c
+@@ -179,7 +179,9 @@ static void ide_identify(IDEState *s)
+ if (dev && dev->conf.discard_granularity) {
+ put_le16(p + 169, 1); /* TRIM support */
+ }
+- put_le16(p + 217, dev->rotation_rate); /* Nominal media rotation rate */
++ if (dev) {
++ put_le16(p + 217, dev->rotation_rate); /* Nominal media rotation rate */
++ }
+
+ memcpy(s->identify_data, p, sizeof(s->identify_data));
+ s->identify_set = 1;
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-ide-support-reporting-of-rotation-rate.patch b/SOURCES/kvm-ide-support-reporting-of-rotation-rate.patch
new file mode 100644
index 0000000..0ccf067
--- /dev/null
+++ b/SOURCES/kvm-ide-support-reporting-of-rotation-rate.patch
@@ -0,0 +1,89 @@
+From f4030862f7ac7e6217415e3ca6be6a4151fa8208 Mon Sep 17 00:00:00 2001
+From: John Snow <jsnow@redhat.com>
+Date: Thu, 2 Aug 2018 15:53:35 +0200
+Subject: [PATCH 2/4] ide: support reporting of rotation rate
+
+RH-Author: John Snow <jsnow@redhat.com>
+Message-id: <20180802155336.10347-3-jsnow@redhat.com>
+Patchwork-id: 81614
+O-Subject: [RHEL-7.6 qemu-kvm PATCH 2/3] ide: support reporting of rotation rate
+Bugzilla: 1583807
+RH-Acked-by: Daniel P. Berrange <berrange@redhat.com>
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+RH-Acked-by: Thomas Huth <thuth@redhat.com>
+
+From: "Daniel P. Berrange" <berrange@redhat.com>
+
+The Linux kernel will query the ATA IDENTITY DEVICE data, word 217
+to determine the rotations per minute of the disk. If this has
+the value 1, it is taken to be an SSD and so Linux sets the
+'rotational' flag to 0 for the I/O queue and will stop using that
+disk as a source of random entropy. Other operating systems may
+also take into account rotation rate when setting up default
+behaviour.
+
+Mgmt apps should be able to set the rotation rate for virtualized
+block devices, based on characteristics of the host storage in use,
+so that the guest OS gets sensible behaviour out of the box. This
+patch thus adds a 'rotation-rate' parameter for 'ide-hd' device
+types.
+
+Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
+Message-Id: <20171004114008.14849-3-berrange@redhat.com>
+Reviewed-by: John Snow <jsnow@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 3b19f4506901ecce25ff36cf62353a2b4bfe4f2b)
+Signed-off-by: John Snow <jsnow@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ hw/ide/core.c | 1 +
+ hw/ide/internal.h | 8 ++++++++
+ hw/ide/qdev.c | 1 +
+ 3 files changed, 10 insertions(+)
+
+diff --git a/hw/ide/core.c b/hw/ide/core.c
+index 5c33735..aea2ff9 100644
+--- a/hw/ide/core.c
++++ b/hw/ide/core.c
+@@ -179,6 +179,7 @@ static void ide_identify(IDEState *s)
+ if (dev && dev->conf.discard_granularity) {
+ put_le16(p + 169, 1); /* TRIM support */
+ }
++ put_le16(p + 217, dev->rotation_rate); /* Nominal media rotation rate */
+
+ memcpy(s->identify_data, p, sizeof(s->identify_data));
+ s->identify_set = 1;
+diff --git a/hw/ide/internal.h b/hw/ide/internal.h
+index f8fb564..1062f85 100644
+--- a/hw/ide/internal.h
++++ b/hw/ide/internal.h
+@@ -484,6 +484,14 @@ struct IDEDevice {
+ char *serial;
+ char *model;
+ uint64_t wwn;
++ /*
++ * 0x0000 - rotation rate not reported
++ * 0x0001 - non-rotating medium (SSD)
++ * 0x0002-0x0400 - reserved
++ * 0x0401-0xffe - rotations per minute
++ * 0xffff - reserved
++ */
++ uint16_t rotation_rate;
+ };
+
+ #define BM_STATUS_DMAING 0x01
+diff --git a/hw/ide/qdev.c b/hw/ide/qdev.c
+index 44f36c3..4ba2c63 100644
+--- a/hw/ide/qdev.c
++++ b/hw/ide/qdev.c
+@@ -219,6 +219,7 @@ static Property ide_hd_properties[] = {
+ DEFINE_BLOCK_CHS_PROPERTIES(IDEDrive, dev.conf),
+ DEFINE_PROP_BIOS_CHS_TRANS("bios-chs-trans",
+ IDEDrive, dev.chs_trans, BIOS_ATA_TRANSLATION_AUTO),
++ DEFINE_PROP_UINT16("rotation_rate", IDEDrive, dev.rotation_rate, 0),
+ DEFINE_PROP_END_OF_LIST(),
+ };
+
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-iotests-Repairing-error-during-snapshot-deletion.patch b/SOURCES/kvm-iotests-Repairing-error-during-snapshot-deletion.patch
new file mode 100644
index 0000000..393c66d
--- /dev/null
+++ b/SOURCES/kvm-iotests-Repairing-error-during-snapshot-deletion.patch
@@ -0,0 +1,199 @@
+From dd504cf4643e80d0b7afe16c82ac247a9e35a4af Mon Sep 17 00:00:00 2001
+From: Max Reitz <mreitz@redhat.com>
+Date: Mon, 18 Jun 2018 17:24:54 +0200
+Subject: [PATCH 06/17] iotests: Repairing error during snapshot deletion
+
+RH-Author: Max Reitz <mreitz@redhat.com>
+Message-id: <20180618172454.27434-3-mreitz@redhat.com>
+Patchwork-id: 80787
+O-Subject: [RHEL-7.6 qemu-kvm PATCH 2/2] iotests: Repairing error during snapshot deletion
+Bugzilla: 1527122
+RH-Acked-by: John Snow <jsnow@redhat.com>
+RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+
+This adds a test for an I/O error during snapshot deletion, and maybe
+more importantly, for how to repair the resulting image. If the
+snapshot has been deleted before the error occurs, the only negative
+result will be leaked clusters -- and those should be repairable with
+qemu-img check -r leaks.
+
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+Reviewed-by: Eric Blake <eblake@redhat.com>
+Message-id: 20180509200059.31125-3-mreitz@redhat.com
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+(cherry picked from commit b41ad73a3bb972eb43cf52d28669f67ea3fe1762)
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+Conflicts:
+ tests/qemu-iotests/group
+ tests/qemu-iotests/217.out
+
+The error message when a snapshot failed to be deleted is less verbose
+(just based on errno instead of a nice Error object).
+
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+---
+ tests/qemu-iotests/217 | 90 ++++++++++++++++++++++++++++++++++++++++++++++
+ tests/qemu-iotests/217.out | 42 ++++++++++++++++++++++
+ tests/qemu-iotests/group | 1 +
+ 3 files changed, 133 insertions(+)
+ create mode 100755 tests/qemu-iotests/217
+ create mode 100644 tests/qemu-iotests/217.out
+
+diff --git a/tests/qemu-iotests/217 b/tests/qemu-iotests/217
+new file mode 100755
+index 0000000..d3ab5d7
+--- /dev/null
++++ b/tests/qemu-iotests/217
+@@ -0,0 +1,90 @@
++#!/bin/bash
++#
++# I/O errors when working with internal qcow2 snapshots, and repairing
++# the result
++#
++# Copyright (C) 2018 Red Hat, Inc.
++#
++# This program is free software; you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation; either version 2 of the License, or
++# (at your option) any later version.
++#
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++# GNU General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with this program. If not, see <http://www.gnu.org/licenses/>.
++
++seq=$(basename $0)
++echo "QA output created by $seq"
++
++status=1 # failure is the default!
++
++_cleanup()
++{
++ _cleanup_test_img
++ rm -f "$TEST_DIR/blkdebug.conf"
++}
++trap "_cleanup; exit \$status" 0 1 2 3 15
++
++# get standard environment, filters and checks
++. ./common.rc
++. ./common.filter
++
++# This test is specific to qcow2
++_supported_fmt qcow2
++_supported_proto file
++_supported_os Linux
++
++# This test needs clusters with at least a refcount of 2 so that
++# OFLAG_COPIED is not set. refcount_bits=1 is therefore unsupported.
++_unsupported_imgopts 'refcount_bits=1[^0-9]'
++
++echo
++echo '=== Simulating an I/O error during snapshot deletion ==='
++echo
++
++_make_test_img 64M
++$QEMU_IO -c 'write 0 64k' "$TEST_IMG" | _filter_qemu_io
++
++# Create the snapshot
++$QEMU_IMG snapshot -c foo "$TEST_IMG"
++
++# Verify the snapshot is there
++echo
++_img_info | grep 'Snapshot list'
++echo '(Snapshot filtered)'
++echo
++
++# Try to delete the snapshot (with an error happening when freeing the
++# then leaked clusters)
++cat > "$TEST_DIR/blkdebug.conf" <<EOF
++[inject-error]
++event = "cluster_free"
++errno = "5"
++EOF
++$QEMU_IMG snapshot -d foo "blkdebug:$TEST_DIR/blkdebug.conf:$TEST_IMG"
++
++# Verify the snapshot is gone
++echo
++_img_info | grep 'Snapshot list'
++
++# Should only show leaks
++echo '--- Checking test image ---'
++_check_test_img
++
++echo
++
++# As there are only leaks, this should be able to fully repair the
++# image
++echo '--- Repairing test image ---'
++_check_test_img -r leaks
++
++
++# success, all done
++echo '*** done'
++rm -f $seq.full
++status=0
+diff --git a/tests/qemu-iotests/217.out b/tests/qemu-iotests/217.out
+new file mode 100644
+index 0000000..4b1020b
+--- /dev/null
++++ b/tests/qemu-iotests/217.out
+@@ -0,0 +1,42 @@
++QA output created by 217
++
++=== Simulating an I/O error during snapshot deletion ===
++
++Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864
++wrote 65536/65536 bytes at offset 0
++64 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
++
++Snapshot list:
++(Snapshot filtered)
++
++qcow2_free_clusters failed: Input/output error
++qemu-img: Could not delete snapshot 'foo': -5 (Input/output error)
++
++--- Checking test image ---
++Leaked cluster 4 refcount=2 reference=1
++Leaked cluster 5 refcount=2 reference=1
++Leaked cluster 6 refcount=1 reference=0
++Leaked cluster 7 refcount=1 reference=0
++
++4 leaked clusters were found on the image.
++This means waste of disk space, but no harm to data.
++
++--- Repairing test image ---
++Leaked cluster 4 refcount=2 reference=1
++Leaked cluster 5 refcount=2 reference=1
++Leaked cluster 6 refcount=1 reference=0
++Leaked cluster 7 refcount=1 reference=0
++Repairing cluster 4 refcount=2 reference=1
++Repairing cluster 5 refcount=2 reference=1
++Repairing cluster 6 refcount=1 reference=0
++Repairing cluster 7 refcount=1 reference=0
++Repairing OFLAG_COPIED L2 cluster: l1_index=0 l1_entry=40000 refcount=1
++Repairing OFLAG_COPIED data cluster: l2_entry=50000 refcount=1
++The following inconsistencies were found and repaired:
++
++ 4 leaked clusters
++ 2 corruptions
++
++Double checking the fixed image now...
++No errors were found on the image.
++*** done
+diff --git a/tests/qemu-iotests/group b/tests/qemu-iotests/group
+index c1fc89d..8c96d65 100644
+--- a/tests/qemu-iotests/group
++++ b/tests/qemu-iotests/group
+@@ -93,3 +93,4 @@
+ 121 rw auto
+ 130 rw auto quick
+ 135 rw auto
++217 rw auto quick
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-linux-headers-Update-to-include-region-based-display.patch b/SOURCES/kvm-linux-headers-Update-to-include-region-based-display.patch
new file mode 100644
index 0000000..92d8171
--- /dev/null
+++ b/SOURCES/kvm-linux-headers-Update-to-include-region-based-display.patch
@@ -0,0 +1,97 @@
+From 2065c7a1c75f56c8ea23952fd4de4b031a96552c Mon Sep 17 00:00:00 2001
+From: Tarun Gupta <tgupta@redhat.com>
+Date: Wed, 20 Jun 2018 18:54:21 +0200
+Subject: [PATCH 13/17] linux-headers: Update to include region based display
+ support.
+
+RH-Author: Tarun Gupta <tgupta@redhat.com>
+Message-id: <1529520865-18127-8-git-send-email-tgupta@redhat.com>
+Patchwork-id: 80913
+O-Subject: [RHEL7.6 qemu-kvm PATCH v3 07/11] linux-headers: Update to include region based display support.
+Bugzilla: 1555246
+RH-Acked-by: Alex Williamson <alex.williamson@redhat.com>
+RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+update Linux headers to 4.16-rc5
+
+Note that VIRTIO_GPU_CAPSET_VIRGL2 was added manually so it has to
+be added manually after re-running scripts/update-linux-headers.sh.
+
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from 9f2d175db5c29b23bc1a560041043d0b10ee57dc)
+
+Conflict: Only cherry-picking macros for adding region based display
+support
+
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ linux-headers/linux/vfio.h | 52 ++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 52 insertions(+)
+
+diff --git a/linux-headers/linux/vfio.h b/linux-headers/linux/vfio.h
+index 8995a34..0dab0cc 100644
+--- a/linux-headers/linux/vfio.h
++++ b/linux-headers/linux/vfio.h
+@@ -414,6 +414,58 @@ struct vfio_pci_hot_reset {
+
+ #define VFIO_DEVICE_PCI_HOT_RESET _IO(VFIO_TYPE, VFIO_BASE + 13)
+
++/**
++ * VFIO_DEVICE_QUERY_GFX_PLANE - _IOW(VFIO_TYPE, VFIO_BASE + 14,
++ * struct vfio_device_query_gfx_plane)
++ *
++ * Set the drm_plane_type and flags, then retrieve the gfx plane info.
++ *
++ * flags supported:
++ * - VFIO_GFX_PLANE_TYPE_PROBE and VFIO_GFX_PLANE_TYPE_DMABUF are set
++ * to ask if the mdev supports dma-buf. 0 on support, -EINVAL on no
++ * support for dma-buf.
++ * - VFIO_GFX_PLANE_TYPE_PROBE and VFIO_GFX_PLANE_TYPE_REGION are set
++ * to ask if the mdev supports region. 0 on support, -EINVAL on no
++ * support for region.
++ * - VFIO_GFX_PLANE_TYPE_DMABUF or VFIO_GFX_PLANE_TYPE_REGION is set
++ * with each call to query the plane info.
++ * - Others are invalid and return -EINVAL.
++ *
++ * Note:
++ * 1. Plane could be disabled by guest. In that case, success will be
++ * returned with zero-initialized drm_format, size, width and height
++ * fields.
++ * 2. x_hot/y_hot is set to 0xFFFFFFFF if no hotspot information available
++ *
++ * Return: 0 on success, -errno on other failure.
++ */
++struct vfio_device_gfx_plane_info {
++ __u32 argsz;
++ __u32 flags;
++#define VFIO_GFX_PLANE_TYPE_PROBE (1 << 0)
++#define VFIO_GFX_PLANE_TYPE_DMABUF (1 << 1)
++#define VFIO_GFX_PLANE_TYPE_REGION (1 << 2)
++ /* in */
++ __u32 drm_plane_type; /* type of plane: DRM_PLANE_TYPE_* */
++ /* out */
++ __u32 drm_format; /* drm format of plane */
++ __u64 drm_format_mod; /* tiled mode */
++ __u32 width; /* width of plane */
++ __u32 height; /* height of plane */
++ __u32 stride; /* stride of plane */
++ __u32 size; /* size of plane in bytes, align on page*/
++ __u32 x_pos; /* horizontal position of cursor plane */
++ __u32 y_pos; /* vertical position of cursor plane*/
++ __u32 x_hot; /* horizontal position of cursor hotspot */
++ __u32 y_hot; /* vertical position of cursor hotspot */
++ union {
++ __u32 region_index; /* region index */
++ __u32 dmabuf_id; /* dma-buf id */
++ };
++};
++
++#define VFIO_DEVICE_QUERY_GFX_PLANE _IO(VFIO_TYPE, VFIO_BASE + 14)
++
+ /* -------- API for Type1 VFIO IOMMU -------- */
+
+ /**
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-multiboot-Check-validity-of-mh_header_addr.patch b/SOURCES/kvm-multiboot-Check-validity-of-mh_header_addr.patch
index 25dccb0..98f279e 100644
--- a/SOURCES/kvm-multiboot-Check-validity-of-mh_header_addr.patch
+++ b/SOURCES/kvm-multiboot-Check-validity-of-mh_header_addr.patch
@@ -1,4 +1,4 @@
-From 10868fe0444b0c74589e42695af665ee8d13e0b9 Mon Sep 17 00:00:00 2001
+From 9ea892729b9c77eaf7b923da8a3e370dbb022e6e Mon Sep 17 00:00:00 2001
From: Kevin Wolf <kwolf@redhat.com>
Date: Thu, 26 Jul 2018 16:24:48 +0200
Subject: [PATCH 6/8] multiboot: Check validity of mh_header_addr
@@ -7,7 +7,7 @@ RH-Author: Kevin Wolf <kwolf@redhat.com>
Message-id: <20180726162448.22072-7-kwolf@redhat.com>
Patchwork-id: 81515
O-Subject: [RHEL-7.6/7.5.z qemu-kvm PATCH 6/6] multiboot: Check validity of mh_header_addr
-Bugzilla: 1549824
+Bugzilla: 1549822
RH-Acked-by: John Snow <jsnow@redhat.com>
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
diff --git a/SOURCES/kvm-multiboot-Reject-kernels-exceeding-the-address-space.patch b/SOURCES/kvm-multiboot-Reject-kernels-exceeding-the-address-space.patch
index b34d4f8..f284cd8 100644
--- a/SOURCES/kvm-multiboot-Reject-kernels-exceeding-the-address-space.patch
+++ b/SOURCES/kvm-multiboot-Reject-kernels-exceeding-the-address-space.patch
@@ -1,4 +1,4 @@
-From 241aa1a7f62c5eba0fc95cbe310aaad3ee489a3d Mon Sep 17 00:00:00 2001
+From 7ca60898ccb2e1dc5e47dca5d53eb42922a0a0bc Mon Sep 17 00:00:00 2001
From: Kevin Wolf <kwolf@redhat.com>
Date: Thu, 26 Jul 2018 16:24:47 +0200
Subject: [PATCH 5/8] multiboot: Reject kernels exceeding the address space
@@ -7,7 +7,7 @@ RH-Author: Kevin Wolf <kwolf@redhat.com>
Message-id: <20180726162448.22072-6-kwolf@redhat.com>
Patchwork-id: 81514
O-Subject: [RHEL-7.6/7.5.z qemu-kvm PATCH 5/6] multiboot: Reject kernels exceeding the address space
-Bugzilla: 1549824
+Bugzilla: 1549822
RH-Acked-by: John Snow <jsnow@redhat.com>
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
diff --git a/SOURCES/kvm-multiboot-Remove-unused-variables-from-multiboot.c.patch b/SOURCES/kvm-multiboot-Remove-unused-variables-from-multiboot.c.patch
index 80f9eae..71c6fde 100644
--- a/SOURCES/kvm-multiboot-Remove-unused-variables-from-multiboot.c.patch
+++ b/SOURCES/kvm-multiboot-Remove-unused-variables-from-multiboot.c.patch
@@ -1,4 +1,4 @@
-From 8afeffd25dd6af6861439904f66a15f1606e06d5 Mon Sep 17 00:00:00 2001
+From 863255a5677066edbfb2833372804284a64831d3 Mon Sep 17 00:00:00 2001
From: Kevin Wolf <kwolf@redhat.com>
Date: Thu, 26 Jul 2018 16:24:44 +0200
Subject: [PATCH 2/8] multiboot: Remove unused variables from multiboot.c
@@ -7,7 +7,7 @@ RH-Author: Kevin Wolf <kwolf@redhat.com>
Message-id: <20180726162448.22072-3-kwolf@redhat.com>
Patchwork-id: 81516
O-Subject: [RHEL-7.6/7.5.z qemu-kvm PATCH 2/6] multiboot: Remove unused variables from multiboot.c
-Bugzilla: 1549824
+Bugzilla: 1549822
RH-Acked-by: John Snow <jsnow@redhat.com>
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
diff --git a/SOURCES/kvm-multiboot-Use-header-names-when-displaying-fields.patch b/SOURCES/kvm-multiboot-Use-header-names-when-displaying-fields.patch
index f58649d..2d4fda3 100644
--- a/SOURCES/kvm-multiboot-Use-header-names-when-displaying-fields.patch
+++ b/SOURCES/kvm-multiboot-Use-header-names-when-displaying-fields.patch
@@ -1,4 +1,4 @@
-From 62b1260b11b0e93105377eadbf6deeadb84e5516 Mon Sep 17 00:00:00 2001
+From 0bd67b62f13b15c36fa66304fffd70d01382e234 Mon Sep 17 00:00:00 2001
From: Kevin Wolf <kwolf@redhat.com>
Date: Thu, 26 Jul 2018 16:24:45 +0200
Subject: [PATCH 3/8] multiboot: Use header names when displaying fields
@@ -7,7 +7,7 @@ RH-Author: Kevin Wolf <kwolf@redhat.com>
Message-id: <20180726162448.22072-4-kwolf@redhat.com>
Patchwork-id: 81520
O-Subject: [RHEL-7.6/7.5.z qemu-kvm PATCH 3/6] multiboot: Use header names when displaying fields
-Bugzilla: 1549824
+Bugzilla: 1549822
RH-Acked-by: John Snow <jsnow@redhat.com>
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
diff --git a/SOURCES/kvm-multiboot-bss_end_addr-can-be-zero.patch b/SOURCES/kvm-multiboot-bss_end_addr-can-be-zero.patch
index 0074cb4..fe43002 100644
--- a/SOURCES/kvm-multiboot-bss_end_addr-can-be-zero.patch
+++ b/SOURCES/kvm-multiboot-bss_end_addr-can-be-zero.patch
@@ -1,4 +1,4 @@
-From c36441a8376c6edddf4d1bc1ef27e132e71e4ddd Mon Sep 17 00:00:00 2001
+From 758b4f721ba664f383bd234458f78984f22823b6 Mon Sep 17 00:00:00 2001
From: Kevin Wolf <kwolf@redhat.com>
Date: Thu, 26 Jul 2018 16:24:43 +0200
Subject: [PATCH 1/8] multiboot: bss_end_addr can be zero
@@ -7,7 +7,7 @@ RH-Author: Kevin Wolf <kwolf@redhat.com>
Message-id: <20180726162448.22072-2-kwolf@redhat.com>
Patchwork-id: 81517
O-Subject: [RHEL-7.6/7.5.z qemu-kvm PATCH 1/6] multiboot: bss_end_addr can be zero
-Bugzilla: 1549824
+Bugzilla: 1549822
RH-Acked-by: John Snow <jsnow@redhat.com>
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
diff --git a/SOURCES/kvm-multiboot-fprintf-stderr.-error_report.patch b/SOURCES/kvm-multiboot-fprintf-stderr.-error_report.patch
index e96f7ce..e8cc4ae 100644
--- a/SOURCES/kvm-multiboot-fprintf-stderr.-error_report.patch
+++ b/SOURCES/kvm-multiboot-fprintf-stderr.-error_report.patch
@@ -1,4 +1,4 @@
-From 5c4df6bfd7a729f99c61fc6e1068c8df22f18e7d Mon Sep 17 00:00:00 2001
+From a6a1a4a3a9890749501a2a22f6883397a8579b60 Mon Sep 17 00:00:00 2001
From: Kevin Wolf <kwolf@redhat.com>
Date: Thu, 26 Jul 2018 16:24:46 +0200
Subject: [PATCH 4/8] multiboot: fprintf(stderr...) -> error_report()
@@ -7,7 +7,7 @@ RH-Author: Kevin Wolf <kwolf@redhat.com>
Message-id: <20180726162448.22072-5-kwolf@redhat.com>
Patchwork-id: 81519
O-Subject: [RHEL-7.6/7.5.z qemu-kvm PATCH 4/6] multiboot: fprintf(stderr...) -> error_report()
-Bugzilla: 1549824
+Bugzilla: 1549822
RH-Acked-by: John Snow <jsnow@redhat.com>
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
diff --git a/SOURCES/kvm-qcow2-Repair-OFLAG_COPIED-when-fixing-leaks.patch b/SOURCES/kvm-qcow2-Repair-OFLAG_COPIED-when-fixing-leaks.patch
new file mode 100644
index 0000000..16101b0
--- /dev/null
+++ b/SOURCES/kvm-qcow2-Repair-OFLAG_COPIED-when-fixing-leaks.patch
@@ -0,0 +1,99 @@
+From ec8057f43c44075e02b59078b38b40340220f955 Mon Sep 17 00:00:00 2001
+From: Max Reitz <mreitz@redhat.com>
+Date: Mon, 18 Jun 2018 17:24:53 +0200
+Subject: [PATCH 05/17] qcow2: Repair OFLAG_COPIED when fixing leaks
+
+RH-Author: Max Reitz <mreitz@redhat.com>
+Message-id: <20180618172454.27434-2-mreitz@redhat.com>
+Patchwork-id: 80785
+O-Subject: [RHEL-7.6 qemu-kvm PATCH 1/2] qcow2: Repair OFLAG_COPIED when fixing leaks
+Bugzilla: 1527122
+RH-Acked-by: John Snow <jsnow@redhat.com>
+RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+
+Repairing OFLAG_COPIED is usually safe because it is done after the
+refcounts have been repaired. Therefore, it we did not find anyone else
+referencing a data or L2 cluster, it makes no sense to not set
+OFLAG_COPIED -- and the other direction (clearing OFLAG_COPIED) is
+always safe, anyway, it may just induce leaks.
+
+Furthermore, if OFLAG_COPIED is actually consistent with a wrong (leaky)
+refcount, we will decrement the refcount with -r leaks, but OFLAG_COPIED
+will then be wrong. qemu-img check should not produce images that are
+more corrupted afterwards then they were before.
+
+Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1527085
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+Reviewed-by: Eric Blake <eblake@redhat.com>
+Message-id: 20180509200059.31125-2-mreitz@redhat.com
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+(cherry picked from commit 3cce51c919c7b4028cf6676dfcb80a45741b5117)
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+Conflicts:
+ block/qcow2-refcount.c
+
+Conflicts due to refcounts being fixed to 16 bit downstream, which means
+that every instance of the "refcount" variable is an int instead of
+uint64_t. This results in contextual conflicts in the corruption
+printf()s.
+
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+---
+ block/qcow2-refcount.c | 25 +++++++++++++++++--------
+ 1 file changed, 17 insertions(+), 8 deletions(-)
+
+diff --git a/block/qcow2-refcount.c b/block/qcow2-refcount.c
+index 848fd31..7a69bcd 100644
+--- a/block/qcow2-refcount.c
++++ b/block/qcow2-refcount.c
+@@ -1333,6 +1333,19 @@ static int check_oflag_copied(BlockDriverState *bs, BdrvCheckResult *res,
+ int ret;
+ int refcount;
+ int i, j;
++ bool repair;
++
++ if (fix & BDRV_FIX_ERRORS) {
++ /* Always repair */
++ repair = true;
++ } else if (fix & BDRV_FIX_LEAKS) {
++ /* Repair only if that seems safe: This function is always
++ * called after the refcounts have been fixed, so the refcount
++ * is accurate if that repair was successful */
++ repair = !res->check_errors && !res->corruptions && !res->leaks;
++ } else {
++ repair = false;
++ }
+
+ for (i = 0; i < s->l1_size; i++) {
+ uint64_t l1_entry = s->l1_table[i];
+@@ -1351,10 +1364,8 @@ static int check_oflag_copied(BlockDriverState *bs, BdrvCheckResult *res,
+ if ((refcount == 1) != ((l1_entry & QCOW_OFLAG_COPIED) != 0)) {
+ fprintf(stderr, "%s OFLAG_COPIED L2 cluster: l1_index=%d "
+ "l1_entry=%" PRIx64 " refcount=%d\n",
+- fix & BDRV_FIX_ERRORS ? "Repairing" :
+- "ERROR",
+- i, l1_entry, refcount);
+- if (fix & BDRV_FIX_ERRORS) {
++ repair ? "Repairing" : "ERROR", i, l1_entry, refcount);
++ if (repair) {
+ s->l1_table[i] = refcount == 1
+ ? l1_entry | QCOW_OFLAG_COPIED
+ : l1_entry & ~QCOW_OFLAG_COPIED;
+@@ -1393,10 +1404,8 @@ static int check_oflag_copied(BlockDriverState *bs, BdrvCheckResult *res,
+ if ((refcount == 1) != ((l2_entry & QCOW_OFLAG_COPIED) != 0)) {
+ fprintf(stderr, "%s OFLAG_COPIED data cluster: "
+ "l2_entry=%" PRIx64 " refcount=%d\n",
+- fix & BDRV_FIX_ERRORS ? "Repairing" :
+- "ERROR",
+- l2_entry, refcount);
+- if (fix & BDRV_FIX_ERRORS) {
++ repair ? "Repairing" : "ERROR", l2_entry, refcount);
++ if (repair) {
+ l2_table[j] = cpu_to_be64(refcount == 1
+ ? l2_entry | QCOW_OFLAG_COPIED
+ : l2_entry & ~QCOW_OFLAG_COPIED);
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-qdev-New-DEFINE_PROP_ON_OFF_AUTO.patch b/SOURCES/kvm-qdev-New-DEFINE_PROP_ON_OFF_AUTO.patch
new file mode 100644
index 0000000..eb18103
--- /dev/null
+++ b/SOURCES/kvm-qdev-New-DEFINE_PROP_ON_OFF_AUTO.patch
@@ -0,0 +1,102 @@
+From 74c36c49f488579f224013cddfc753c21ce4829e Mon Sep 17 00:00:00 2001
+From: Tarun Gupta <tgupta@redhat.com>
+Date: Wed, 20 Jun 2018 18:54:22 +0200
+Subject: [PATCH 14/17] qdev: New DEFINE_PROP_ON_OFF_AUTO
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Tarun Gupta <tgupta@redhat.com>
+Message-id: <1529520865-18127-9-git-send-email-tgupta@redhat.com>
+Patchwork-id: 80916
+O-Subject: [RHEL7.6 qemu-kvm PATCH v3 08/11] qdev: New DEFINE_PROP_ON_OFF_AUTO
+Bugzilla: 1555246
+RH-Acked-by: Alex Williamson <alex.williamson@redhat.com>
+RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+Signed-off-by: Markus Armbruster <armbru@redhat.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+
+(cherry picked from 55e8a154359be12ca4c9730c562d1e3d4b1bd2a1)
+
+Conflict: qemu-kvm does not have the json based framework to define
+properties, so using the exting enum based framework here.
+
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ hw/core/qdev-properties.c | 17 +++++++++++++++++
+ include/hw/qdev-properties.h | 3 +++
+ include/qemu-common.h | 7 +++++++
+ 3 files changed, 27 insertions(+)
+
+diff --git a/hw/core/qdev-properties.c b/hw/core/qdev-properties.c
+index a61250e..71ba10e 100644
+--- a/hw/core/qdev-properties.c
++++ b/hw/core/qdev-properties.c
+@@ -568,6 +568,23 @@ PropertyInfo qdev_prop_macaddr = {
+ .set = set_mac,
+ };
+
++/* --- on/off/auto --- */
++static const char *on_off_auto_table[ON_OFF_AUTO_MAX+1] = {
++ [ON_OFF_AUTO_AUTO] = "auto",
++ [ON_OFF_AUTO_ON] = "on",
++ [ON_OFF_AUTO_OFF] = "off",
++ [ON_OFF_AUTO_MAX] = NULL,
++};
++
++PropertyInfo qdev_prop_on_off_auto = {
++ .name = "OnOffAuto",
++ .enum_table = on_off_auto_table,
++ .get = get_enum,
++ .set = set_enum,
++};
++
++QEMU_BUILD_BUG_ON(sizeof(OnOffAuto) != sizeof(int));
++
+ /* --- lost tick policy --- */
+
+ static const char *lost_tick_policy_table[LOST_TICK_MAX+1] = {
+diff --git a/include/hw/qdev-properties.h b/include/hw/qdev-properties.h
+index 77c6f7c..90eaf8f 100644
+--- a/include/hw/qdev-properties.h
++++ b/include/hw/qdev-properties.h
+@@ -20,6 +20,7 @@ extern PropertyInfo qdev_prop_string;
+ extern PropertyInfo qdev_prop_chr;
+ extern PropertyInfo qdev_prop_ptr;
+ extern PropertyInfo qdev_prop_macaddr;
++extern PropertyInfo qdev_prop_on_off_auto;
+ extern PropertyInfo qdev_prop_losttickpolicy;
+ extern PropertyInfo qdev_prop_bios_chs_trans;
+ extern PropertyInfo qdev_prop_drive;
+@@ -153,6 +154,8 @@ extern PropertyInfo qdev_prop_arraylen;
+ DEFINE_PROP(_n, _s, _f, qdev_prop_drive, BlockDriverState *)
+ #define DEFINE_PROP_MACADDR(_n, _s, _f) \
+ DEFINE_PROP(_n, _s, _f, qdev_prop_macaddr, MACAddr)
++#define DEFINE_PROP_ON_OFF_AUTO(_n, _s, _f, _d) \
++ DEFINE_PROP_DEFAULT(_n, _s, _f, _d, qdev_prop_on_off_auto, OnOffAuto)
+ #define DEFINE_PROP_LOSTTICKPOLICY(_n, _s, _f, _d) \
+ DEFINE_PROP_DEFAULT(_n, _s, _f, _d, qdev_prop_losttickpolicy, \
+ LostTickPolicy)
+diff --git a/include/qemu-common.h b/include/qemu-common.h
+index 4569d52..d0c74e3 100644
+--- a/include/qemu-common.h
++++ b/include/qemu-common.h
+@@ -258,6 +258,13 @@ typedef int (*DMA_transfer_handler) (void *opaque, int nchan, int pos, int size)
+
+ typedef uint64_t pcibus_t;
+
++typedef enum OnOffAuto {
++ ON_OFF_AUTO_AUTO,
++ ON_OFF_AUTO_ON,
++ ON_OFF_AUTO_OFF,
++ ON_OFF_AUTO_MAX,
++} OnOffAuto;
++
+ typedef enum LostTickPolicy {
+ LOST_TICK_DISCARD,
+ LOST_TICK_DELAY,
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-scsi-disk-support-reporting-of-rotation-rate.patch b/SOURCES/kvm-scsi-disk-support-reporting-of-rotation-rate.patch
new file mode 100644
index 0000000..02733ca
--- /dev/null
+++ b/SOURCES/kvm-scsi-disk-support-reporting-of-rotation-rate.patch
@@ -0,0 +1,103 @@
+From 04ab93423b97ab5bc175032e0e4e1da288840805 Mon Sep 17 00:00:00 2001
+From: John Snow <jsnow@redhat.com>
+Date: Thu, 2 Aug 2018 15:53:34 +0200
+Subject: [PATCH 1/4] scsi-disk: support reporting of rotation rate
+
+RH-Author: John Snow <jsnow@redhat.com>
+Message-id: <20180802155336.10347-2-jsnow@redhat.com>
+Patchwork-id: 81613
+O-Subject: [RHEL-7.6 qemu-kvm PATCH 1/3] scsi-disk: support reporting of rotation rate
+Bugzilla: 1583807
+RH-Acked-by: Daniel P. Berrange <berrange@redhat.com>
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+RH-Acked-by: Thomas Huth <thuth@redhat.com>
+
+From: "Daniel P. Berrange" <berrange@redhat.com>
+
+The Linux kernel will query the SCSI "Block device characteristics"
+VPD to determine the rotations per minute of the disk. If this has
+the value 1, it is taken to be an SSD and so Linux sets the
+'rotational' flag to 0 for the I/O queue and will stop using that
+disk as a source of random entropy. Other operating systems may
+also take into account rotation rate when setting up default
+behaviour.
+
+Mgmt apps should be able to set the rotation rate for virtualized
+block devices, based on characteristics of the host storage in use,
+so that the guest OS gets sensible behaviour out of the box. This
+patch thus adds a 'rotation-rate' parameter for 'scsi-hd' and
+'scsi-block' device types. For the latter, this parameter will be
+ignored unless the host device has TYPE_DISK.
+
+Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
+Message-Id: <20171004114008.14849-2-berrange@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 070f80095ad5b1143b50d2faffd2b1a84292e00d)
+Signed-off-by: John Snow <jsnow@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ hw/scsi/scsi-disk.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c
+index 8a8b0ab..911c7b7 100644
+--- a/hw/scsi/scsi-disk.c
++++ b/hw/scsi/scsi-disk.c
+@@ -83,6 +83,14 @@ struct SCSIDiskState
+ char *product;
+ bool tray_open;
+ bool tray_locked;
++ /*
++ * 0x0000 - rotation rate not reported
++ * 0x0001 - non-rotating medium (SSD)
++ * 0x0002-0x0400 - reserved
++ * 0x0401-0xffe - rotations per minute
++ * 0xffff - reserved
++ */
++ uint16_t rotation_rate;
+ };
+
+ static int scsi_handle_rw_error(SCSIDiskReq *r, int error);
+@@ -565,6 +573,7 @@ static int scsi_disk_emulate_inquiry(SCSIRequest *req, uint8_t *outbuf)
+ outbuf[buflen++] = 0x83; // device identification
+ if (s->qdev.type == TYPE_DISK) {
+ outbuf[buflen++] = 0xb0; // block limits
++ outbuf[buflen++] = 0xb1; /* block device characteristics */
+ outbuf[buflen++] = 0xb2; // thin provisioning
+ }
+ break;
+@@ -670,6 +679,15 @@ static int scsi_disk_emulate_inquiry(SCSIRequest *req, uint8_t *outbuf)
+ outbuf[31] = unmap_sectors & 0xff;
+ break;
+ }
++ case 0xb1: /* block device characteristics */
++ {
++ buflen = 8;
++ outbuf[4] = (s->rotation_rate >> 8) & 0xff;
++ outbuf[5] = s->rotation_rate & 0xff;
++ outbuf[6] = 0;
++ outbuf[7] = 0;
++ break;
++ }
+ case 0xb2: /* thin provisioning */
+ {
+ buflen = 8;
+@@ -2543,6 +2561,7 @@ static Property scsi_hd_properties[] = {
+ DEFINE_PROP_HEX64("wwn", SCSIDiskState, wwn, 0),
+ DEFINE_PROP_UINT64("max_unmap_size", SCSIDiskState, max_unmap_size,
+ DEFAULT_MAX_UNMAP_SIZE),
++ DEFINE_PROP_UINT16("rotation_rate", SCSIDiskState, rotation_rate, 0),
+ DEFINE_BLOCK_CHS_PROPERTIES(SCSIDiskState, qdev.conf),
+ DEFINE_PROP_END_OF_LIST(),
+ };
+@@ -2619,6 +2638,7 @@ static const TypeInfo scsi_cd_info = {
+ static Property scsi_block_properties[] = {
+ DEFINE_PROP_DRIVE("drive", SCSIDiskState, qdev.conf.bs),
+ DEFINE_PROP_INT32("bootindex", SCSIDiskState, qdev.conf.bootindex, -1),
++ DEFINE_PROP_UINT16("rotation_rate", SCSIDiskState, rotation_rate, 0),
+ DEFINE_PROP_END_OF_LIST(),
+ };
+
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-slirp-Correct-size-check-in-m_inc.patch b/SOURCES/kvm-slirp-Correct-size-check-in-m_inc.patch
new file mode 100644
index 0000000..6d9514b
--- /dev/null
+++ b/SOURCES/kvm-slirp-Correct-size-check-in-m_inc.patch
@@ -0,0 +1,76 @@
+From b25ccac372f3289d7b0b5500064fe0a38eb32d6f Mon Sep 17 00:00:00 2001
+From: Xiao Wang <jasowang@redhat.com>
+Date: Wed, 8 Aug 2018 08:44:36 +0200
+Subject: [PATCH 4/4] slirp: Correct size check in m_inc()
+
+RH-Author: Xiao Wang <jasowang@redhat.com>
+Message-id: <1533717876-2330-1-git-send-email-jasowang@redhat.com>
+Patchwork-id: 81676
+O-Subject: [RHEL-7.6/7.5z qemu-kvm PATCH] slirp: Correct size check in m_inc()
+Bugzilla: 1586253
+RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+RH-Acked-by: wexu@redhat.com
+RH-Acked-by: Thomas Huth <thuth@redhat.com>
+
+From: Peter Maydell <peter.maydell@linaro.org>
+
+Notes:
+- Conflict since we lacks 6da5de1ee87e ("slirp: reformat m_inc
+ routine"), and its backport has various other dependicies.
+- This is a fixup for CVE-2018-11806 fix
+
+The data in an mbuf buffer is not necessarily at the start of the
+allocated buffer. (For instance m_adj() allows data to be trimmed
+from the start by just advancing the pointer and reducing the length.)
+This means that the allocated buffer size (m->m_size) and the
+amount of space from the m_data pointer to the end of the
+buffer (M_ROOM(m)) are not necessarily the same.
+
+Commit 864036e251f54c9 tried to change the m_inc() function from
+taking the new allocated-buffer-size to taking the new room-size,
+but forgot to change the initial "do we already have enough space"
+check. This meant that if we were trying to extend a buffer which
+had a leading gap between the buffer start and the data, we might
+incorrectly decide it didn't need to be extended, and then
+overrun the end of the buffer, causing memory corruption and
+an eventual crash.
+
+Change the "already big enough?" condition from checking the
+argument against m->m_size to checking against M_ROOM().
+This only makes a difference for the callsite in m_cat();
+the other three callsites all start with a freshly allocated
+mbuf from m_get(), which will have m->m_size == M_ROOM(m).
+
+Fixes: 864036e251f54c9
+Fixes: https://bugs.launchpad.net/qemu/+bug/1785670
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
+Message-id: 20180807114501.12370-1-peter.maydell@linaro.org
+Tested-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+(cherry picked from commit c22098c74a09164797fae6511c5eaf68f32c4dd8)
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ slirp/mbuf.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/slirp/mbuf.c b/slirp/mbuf.c
+index ced2033..63f071f 100644
+--- a/slirp/mbuf.c
++++ b/slirp/mbuf.c
+@@ -154,8 +154,10 @@ m_inc(struct mbuf *m, int size)
+ {
+ int datasize;
+
+- /* some compiles throw up on gotos. This one we can fake. */
+- if(m->m_size>size) return;
++ /* some compilers throw up on gotos. This one we can fake. */
++ if (M_ROOM(m) > size) {
++ return;
++ }
+
+ if (m->m_flags & M_EXT) {
+ datasize = m->m_data - m->m_ext;
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-slirp-correct-size-computation-while-concatenating-m.patch b/SOURCES/kvm-slirp-correct-size-computation-while-concatenating-m.patch
index ab1a661..af506aa 100644
--- a/SOURCES/kvm-slirp-correct-size-computation-while-concatenating-m.patch
+++ b/SOURCES/kvm-slirp-correct-size-computation-while-concatenating-m.patch
@@ -1,4 +1,4 @@
-From 58416c6786fa972314cb699a7df28d8c09268f03 Mon Sep 17 00:00:00 2001
+From 2c90d2f3ad8d299df7df7c055c66fa6711397f4a Mon Sep 17 00:00:00 2001
From: Xiao Wang <jasowang@redhat.com>
Date: Mon, 30 Jul 2018 06:31:57 +0200
Subject: [PATCH 8/8] slirp: correct size computation while concatenating mbuf
@@ -7,7 +7,7 @@ RH-Author: Xiao Wang <jasowang@redhat.com>
Message-id: <1532932317-6100-3-git-send-email-jasowang@redhat.com>
Patchwork-id: 81543
O-Subject: [RHEL7.6/7.5.z qemu-kvm PATCH 2/2] slirp: correct size computation while concatenating mbuf
-Bugzilla: 1586248
+Bugzilla: 1586253
RH-Acked-by: wexu@redhat.com
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Michael S. Tsirkin <mst@redhat.com>
diff --git a/SOURCES/kvm-slirp-remove-mbuf-m_hdr-m_dat-indirection.patch b/SOURCES/kvm-slirp-remove-mbuf-m_hdr-m_dat-indirection.patch
index f55b4f2..39862cf 100644
--- a/SOURCES/kvm-slirp-remove-mbuf-m_hdr-m_dat-indirection.patch
+++ b/SOURCES/kvm-slirp-remove-mbuf-m_hdr-m_dat-indirection.patch
@@ -1,4 +1,4 @@
-From 07fe03ab45fdc201fdfdd8e45809c86dbd0ab116 Mon Sep 17 00:00:00 2001
+From aac430f476746c628665b96d2ef520a4fc88ca67 Mon Sep 17 00:00:00 2001
From: Xiao Wang <jasowang@redhat.com>
Date: Mon, 30 Jul 2018 06:31:56 +0200
Subject: [PATCH 7/8] slirp: remove mbuf(m_hdr, m_dat) indirection
@@ -7,7 +7,7 @@ RH-Author: Xiao Wang <jasowang@redhat.com>
Message-id: <1532932317-6100-2-git-send-email-jasowang@redhat.com>
Patchwork-id: 81542
O-Subject: [RHEL7.6/7.5.z qemu-kvm PATCH 1/2] slirp: remove mbuf(m_hdr, m_dat) indirection
-Bugzilla: 1586248
+Bugzilla: 1586253
RH-Acked-by: wexu@redhat.com
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Michael S. Tsirkin <mst@redhat.com>
diff --git a/SOURCES/kvm-spice-fix-simple-display-on-bigendian-hosts.patch b/SOURCES/kvm-spice-fix-simple-display-on-bigendian-hosts.patch
new file mode 100644
index 0000000..15f0bd1
--- /dev/null
+++ b/SOURCES/kvm-spice-fix-simple-display-on-bigendian-hosts.patch
@@ -0,0 +1,60 @@
+From b01048102e5cc91d484d23531799a130a49d723a Mon Sep 17 00:00:00 2001
+From: Tarun Gupta <tgupta@redhat.com>
+Date: Wed, 20 Jun 2018 18:54:16 +0200
+Subject: [PATCH 08/17] spice: fix simple display on bigendian hosts
+
+RH-Author: Tarun Gupta <tgupta@redhat.com>
+Message-id: <1529520865-18127-3-git-send-email-tgupta@redhat.com>
+Patchwork-id: 80907
+O-Subject: [RHEL7.6 qemu-kvm PATCH v3 02/11] spice: fix simple display on bigendian hosts
+Bugzilla: 1555246
+RH-Acked-by: Alex Williamson <alex.williamson@redhat.com>
+RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+Denis Kirjanov is busy getting spice run on ppc64 and trapped into this
+one. Spice wire format is little endian, so we have to explicitly say
+we want little endian when letting pixman convert the data for us.
+
+Reported-by: Denis Kirjanov <kirjanov@gmail.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+(cherry picked from c1d37cd353be3ea4c5773fc227ba8459c1f20470)
+
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ include/ui/qemu-pixman.h | 2 ++
+ ui/spice-display.c | 2 +-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/include/ui/qemu-pixman.h b/include/ui/qemu-pixman.h
+index ba970f8..500725c 100644
+--- a/include/ui/qemu-pixman.h
++++ b/include/ui/qemu-pixman.h
+@@ -27,8 +27,10 @@
+
+ #ifdef HOST_WORDS_BIGENDIAN
+ # define PIXMAN_BE_r8g8b8 PIXMAN_r8g8b8
++# define PIXMAN_LE_x8r8g8b8 PIXMAN_b8g8r8x8
+ #else
+ # define PIXMAN_BE_r8g8b8 PIXMAN_b8g8r8
++# define PIXMAN_LE_x8r8g8b8 PIXMAN_x8r8g8b8
+ #endif
+
+ /* -------------------------------------------------------------------- */
+diff --git a/ui/spice-display.c b/ui/spice-display.c
+index e2c24a9..8b73e5a 100644
+--- a/ui/spice-display.c
++++ b/ui/spice-display.c
+@@ -178,7 +178,7 @@ static void qemu_spice_create_one_update(SimpleSpiceDisplay *ssd,
+ image->bitmap.palette = 0;
+ image->bitmap.format = SPICE_BITMAP_FMT_32BIT;
+
+- dest = pixman_image_create_bits(PIXMAN_x8r8g8b8, bw, bh,
++ dest = pixman_image_create_bits(PIXMAN_LE_x8r8g8b8, bw, bh,
+ (void *)update->bitmap, bw * 4);
+ pixman_image_composite(PIXMAN_OP_SRC, ssd->surface, NULL, ssd->mirror,
+ rect->left, rect->top, 0, 0,
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-target-i386-Add-support-for-UMIP-and-RDPID-CPUID-bit.patch b/SOURCES/kvm-target-i386-Add-support-for-UMIP-and-RDPID-CPUID-bit.patch
new file mode 100644
index 0000000..c0de457
--- /dev/null
+++ b/SOURCES/kvm-target-i386-Add-support-for-UMIP-and-RDPID-CPUID-bit.patch
@@ -0,0 +1,82 @@
+From 9349e4be5ecf8b70dfc36f6cad56297cd7aa5fc9 Mon Sep 17 00:00:00 2001
+From: "plai@redhat.com" <plai@redhat.com>
+Date: Wed, 27 Jun 2018 07:53:07 +0200
+Subject: [PATCH 02/17] target-i386: Add support for UMIP and RDPID CPUID bits
+
+RH-Author: plai@redhat.com
+Message-id: <1526495303-9837-1-git-send-email-plai@redhat.com>
+Patchwork-id: 80372
+O-Subject: [RHEL7.6 PATCH BZ 1526638] target-i386: Add support for UMIP and RDPID CPUID bits
+Bugzilla: 1526638
+RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>
+RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+Tested by Intel OTC QA on icelake client hw.
+Tested by Intel OTC Virtualization QA. Test Result:
+ XEN_UMIP_ENABLE : Check if UMIP has been enabled on the feature supported machine / PASS
+ XEN_UMIP_DISABLE: Verify if the UMIP can be turned off by boot. / PASS
+ XEN_UMIP_TEST : Check if the protection effect on the instructions of sgdt/sidt/sldt/smsw/str / PASS
+ XEN_UMIP_EX_TEST :Check if the protection effects on instruction of str, sldtand smsw for register and memory operands. /PASS
+ XEN_UMIP_TEST: Check if the protection effect on the instructions of sgdt/sidt/sldt/smsw/str / PASS
+ XEN_UMIP_EX_TEST: Check if the protection effects on instruction of str, sldtand smsw for register and memory operands / PASS
+ XEN_UMIP_LDT: Verify all the possible 32-bit address encodings / PASS
+
+These are both stored in CPUID[EAX=7,EBX=0].ECX. KVM is going to
+be able to emulate both (albeit with a performance loss in the case
+of RDPID, which therefore will be in KVM_GET_EMULATED_CPUID rather
+than KVM_GET_SUPPORTED_CPUID).
+
+It's also possible to implement both in TCG, but this is for 2.8.
+
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+(cherry picked from commit c2f193b538032accb9db504998bf2ea7c0ef65af)
+Signed-off-by: Paul Lai <plai@redhat.com>
+
+Resolved Conflicts:
+ target-i386/cpu.c
+---
+ target-i386/cpu.c | 4 ++--
+ target-i386/cpu.h | 2 ++
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/target-i386/cpu.c b/target-i386/cpu.c
+index 48a5507..0254747 100644
+--- a/target-i386/cpu.c
++++ b/target-i386/cpu.c
+@@ -155,12 +155,12 @@ static const char *cpuid_7_0_ebx_feature_name[] = {
+ };
+
+ static const char *cpuid_7_0_ecx_feature_name[] = {
+- NULL, "avx512vbmi", NULL, "pku",
++ NULL, "avx512vbmi", "umip", "pku",
+ "ospke", NULL, "avx512vbmi2", NULL,
+ "gfni", "vaes", "vpclmulqdq", "avx512vnni",
+ "avx512bitalg", NULL, "avx512-vpopcntdq", NULL,
+ NULL, NULL, NULL, NULL,
+- NULL, NULL, NULL, NULL,
++ NULL, NULL, "rdpid", NULL,
+ NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL,
+ };
+diff --git a/target-i386/cpu.h b/target-i386/cpu.h
+index a781639..c72b545 100644
+--- a/target-i386/cpu.h
++++ b/target-i386/cpu.h
+@@ -600,8 +600,10 @@ typedef uint32_t FeatureWordArray[FEATURE_WORDS];
+
+ #define CPUID_8000_0008_EBX_IBPB (1U << 12) /* Indirect Branch Prediction Barrier */
+
++#define CPUID_7_0_ECX_UMIP (1U << 2)
+ #define CPUID_7_0_ECX_PKU (1U << 3)
+ #define CPUID_7_0_ECX_OSPKE (1U << 4)
++#define CPUID_7_0_ECX_RDPID (1U << 22)
+
+ #define CPUID_XSAVE_XSAVEOPT (1U << 0)
+ #define CPUID_XSAVE_XSAVEC (1U << 1)
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-target-i386-introduce-kvm_put_one_msr.patch b/SOURCES/kvm-target-i386-introduce-kvm_put_one_msr.patch
index 406e6de..7751a52 100644
--- a/SOURCES/kvm-target-i386-introduce-kvm_put_one_msr.patch
+++ b/SOURCES/kvm-target-i386-introduce-kvm_put_one_msr.patch
@@ -1,23 +1,13 @@
-From 608f71fea5a9cc79483d0b66aa59cd652ee5bf9c Mon Sep 17 00:00:00 2001
-From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
-Date: Thu, 28 Jun 2018 17:57:06 +0200
-Subject: [PATCH 1/5] target-i386: introduce kvm_put_one_msr
-
-RH-Author: Dr. David Alan Gilbert <dgilbert@redhat.com>
-Message-id: <20180628175710.56848-2-dgilbert@redhat.com>
-Patchwork-id: 81144
-O-Subject: [RHEL-7.5.z/RHEL-7.4.z/RHEL-7.3.z qemu-kvm PATCH 1/5] target-i386: introduce kvm_put_one_msr
-Bugzilla: 1596302
-RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
-RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
-RH-Acked-by: Michael S. Tsirkin <mst@redhat.com>
-
+From 596e3e7f77a1570aff586199e7bb34de0b4e0ba6 Mon Sep 17 00:00:00 2001
From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
+Date: Tue, 15 May 2018 11:56:30 +0200
+Subject: [PATCH 04/10] target-i386: introduce kvm_put_one_msr
RH-Author: Dr. David Alan Gilbert <dgilbert@redhat.com>
Message-id: <20180515115634.24469-2-dgilbert@redhat.com>
Patchwork-id: 80272
O-Subject: [RHEL-7.6 qemu-kvm PATCH v2 1/5] target-i386: introduce kvm_put_one_msr
+Bugzilla: 1577680
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
RH-Acked-by: Michael S. Tsirkin <mst@redhat.com>
RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>
@@ -37,17 +27,15 @@ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
-(cherry picked from commit 596e3e7f77a1570aff586199e7bb34de0b4e0ba6)
-Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
target-i386/kvm.c | 28 +++++++++++++++++++++-------
1 file changed, 21 insertions(+), 7 deletions(-)
diff --git a/target-i386/kvm.c b/target-i386/kvm.c
-index 656e24b..8544e52 100644
+index 24d17ad..6f3424e 100644
--- a/target-i386/kvm.c
+++ b/target-i386/kvm.c
-@@ -1141,24 +1141,38 @@ static void kvm_msr_entry_set(struct kvm_msr_entry *entry,
+@@ -1136,24 +1136,38 @@ static void kvm_msr_entry_set(struct kvm_msr_entry *entry,
entry->data = value;
}
diff --git a/SOURCES/kvm-ui-pixman-add-qemu_drm_format_to_pixman.patch b/SOURCES/kvm-ui-pixman-add-qemu_drm_format_to_pixman.patch
new file mode 100644
index 0000000..ce1bb52
--- /dev/null
+++ b/SOURCES/kvm-ui-pixman-add-qemu_drm_format_to_pixman.patch
@@ -0,0 +1,91 @@
+From df989559119707094b17269d025bcdf83df765f1 Mon Sep 17 00:00:00 2001
+From: Tarun Gupta <tgupta@redhat.com>
+Date: Wed, 20 Jun 2018 18:54:17 +0200
+Subject: [PATCH 09/17] ui/pixman: add qemu_drm_format_to_pixman()
+
+RH-Author: Tarun Gupta <tgupta@redhat.com>
+Message-id: <1529520865-18127-4-git-send-email-tgupta@redhat.com>
+Patchwork-id: 80911
+O-Subject: [RHEL7.6 qemu-kvm PATCH v3 03/11] ui/pixman: add qemu_drm_format_to_pixman()
+Bugzilla: 1555246
+RH-Acked-by: Alex Williamson <alex.williamson@redhat.com>
+RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+Map drm fourcc codes to pixman formats.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed by: Kirti Wankhede <kwankhede@nvidia.com>
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+
+(cherry picked from a5127bd73f77b90b50d63014be10cef467c1c3f9)
+
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ include/ui/qemu-pixman.h | 6 ++++++
+ ui/qemu-pixman.c | 22 ++++++++++++++++++++++
+ 2 files changed, 28 insertions(+)
+
+diff --git a/include/ui/qemu-pixman.h b/include/ui/qemu-pixman.h
+index 500725c..8deb008 100644
+--- a/include/ui/qemu-pixman.h
++++ b/include/ui/qemu-pixman.h
+@@ -27,9 +27,13 @@
+
+ #ifdef HOST_WORDS_BIGENDIAN
+ # define PIXMAN_BE_r8g8b8 PIXMAN_r8g8b8
++# define PIXMAN_LE_r8g8b8 PIXMAN_b8g8r8
++# define PIXMAN_LE_a8r8g8b8 PIXMAN_b8g8r8a8
+ # define PIXMAN_LE_x8r8g8b8 PIXMAN_b8g8r8x8
+ #else
+ # define PIXMAN_BE_r8g8b8 PIXMAN_b8g8r8
++# define PIXMAN_LE_r8g8b8 PIXMAN_r8g8b8
++# define PIXMAN_LE_a8r8g8b8 PIXMAN_a8r8g8b8
+ # define PIXMAN_LE_x8r8g8b8 PIXMAN_x8r8g8b8
+ #endif
+
+@@ -46,6 +50,8 @@ pixman_image_t *qemu_pixman_mirror_create(pixman_format_code_t format,
+ pixman_image_t *image);
+ void qemu_pixman_image_unref(pixman_image_t *image);
+
++pixman_format_code_t qemu_drm_format_to_pixman(uint32_t drm_format);
++
+ pixman_color_t qemu_pixman_color(PixelFormat *pf, uint32_t color);
+ pixman_image_t *qemu_pixman_glyph_from_vgafont(int height, const uint8_t *font,
+ unsigned int ch);
+diff --git a/ui/qemu-pixman.c b/ui/qemu-pixman.c
+index 254bd8c..4be422c 100644
+--- a/ui/qemu-pixman.c
++++ b/ui/qemu-pixman.c
+@@ -5,6 +5,28 @@
+
+ #include "qemu-common.h"
+ #include "ui/console.h"
++#include "drm_fourcc.h"
++
++/* Note: drm is little endian, pixman is native endian */
++pixman_format_code_t qemu_drm_format_to_pixman(uint32_t drm_format)
++{
++ static const struct {
++ uint32_t drm_format;
++ pixman_format_code_t pixman;
++ } map[] = {
++ { DRM_FORMAT_RGB888, PIXMAN_LE_r8g8b8 },
++ { DRM_FORMAT_ARGB8888, PIXMAN_LE_a8r8g8b8 },
++ { DRM_FORMAT_XRGB8888, PIXMAN_LE_x8r8g8b8 }
++ };
++ int i;
++
++ for (i = 0; i < ARRAY_SIZE(map); i++) {
++ if (drm_format == map[i].drm_format) {
++ return map[i].pixman;
++ }
++ }
++ return 0;
++}
+
+ int qemu_pixman_get_type(int rshift, int gshift, int bshift)
+ {
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-vfio-common-cleanup-in-vfio_region_finalize.patch b/SOURCES/kvm-vfio-common-cleanup-in-vfio_region_finalize.patch
new file mode 100644
index 0000000..ffdc163
--- /dev/null
+++ b/SOURCES/kvm-vfio-common-cleanup-in-vfio_region_finalize.patch
@@ -0,0 +1,46 @@
+From b79ac72e8192d3f1036a7027ffed668399183be5 Mon Sep 17 00:00:00 2001
+From: Tarun Gupta <tgupta@redhat.com>
+Date: Wed, 20 Jun 2018 18:54:20 +0200
+Subject: [PATCH 12/17] vfio/common: cleanup in vfio_region_finalize
+
+RH-Author: Tarun Gupta <tgupta@redhat.com>
+Message-id: <1529520865-18127-7-git-send-email-tgupta@redhat.com>
+Patchwork-id: 80910
+O-Subject: [RHEL7.6 qemu-kvm PATCH v3 06/11] vfio/common: cleanup in vfio_region_finalize
+Bugzilla: 1555246
+RH-Acked-by: Alex Williamson <alex.williamson@redhat.com>
+RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed by: Kirti Wankhede <kwankhede@nvidia.com>
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+
+(cherry picked from 92f86bff088dc6f0c0ed93b8e82d4d2459c35145)
+
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ hw/misc/vfio.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/hw/misc/vfio.c b/hw/misc/vfio.c
+index 68ff949..414b689 100644
+--- a/hw/misc/vfio.c
++++ b/hw/misc/vfio.c
+@@ -2798,6 +2798,13 @@ static void vfio_region_finalize(VFIORegion *region)
+ g_free(region->mmaps);
+
+ trace_vfio_region_finalize(region->vbasedev->name, region->nr);
++
++ region->mem = NULL;
++ region->mmaps = NULL;
++ region->nr_mmaps = 0;
++ region->size = 0;
++ region->flags = 0;
++ region->nr = 0;
+ }
+
+ static void vfio_region_mmaps_set_enabled(VFIORegion *region, bool enabled)
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-vfio-display-adding-region-support.patch b/SOURCES/kvm-vfio-display-adding-region-support.patch
new file mode 100644
index 0000000..024187c
--- /dev/null
+++ b/SOURCES/kvm-vfio-display-adding-region-support.patch
@@ -0,0 +1,205 @@
+From 8635eaec9dd5152d94e2cd98056b80879357cf56 Mon Sep 17 00:00:00 2001
+From: Tarun Gupta <tgupta@redhat.com>
+Date: Wed, 20 Jun 2018 18:54:24 +0200
+Subject: [PATCH 16/17] vfio/display: adding region support
+
+RH-Author: Tarun Gupta <tgupta@redhat.com>
+Message-id: <1529520865-18127-11-git-send-email-tgupta@redhat.com>
+Patchwork-id: 80912
+O-Subject: [RHEL7.6 qemu-kvm PATCH v3 10/11] vfio/display: adding region support
+Bugzilla: 1555246
+RH-Acked-by: Alex Williamson <alex.williamson@redhat.com>
+RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+Wire up region-based display.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed By: Kirti Wankhede <kwankhede@nvidia.com>
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+
+(cherry picked from 00195ba710a004af02a711239324d7137f0b189a)
+
+Bugzilla: https://bugzilla.redhat.com/1555246
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+Conflicts:
+ qemu_create_displaysurface_from() function in qemu-kvm does not
+ have "format" argument. It instead has the "bpp" and "byteswap"
+ argument.
+
+ graphic_console_init() function in qemu-kvm does not have the
+ "head" argument
+---
+ hw/misc/vfio.c | 127 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 125 insertions(+), 2 deletions(-)
+
+diff --git a/hw/misc/vfio.c b/hw/misc/vfio.c
+index 22d5cac..dd3efb3 100644
+--- a/hw/misc/vfio.c
++++ b/hw/misc/vfio.c
+@@ -211,6 +211,14 @@ struct VFIODeviceOps {
+ void (*vfio_eoi)(VFIODevice *vdev);
+ };
+
++typedef struct VFIODisplay {
++ QemuConsole *con;
++ struct {
++ VFIORegion buffer;
++ DisplaySurface *surface;
++ } region;
++} VFIODisplay;
++
+ typedef struct VFIOPCIDevice {
+ PCIDevice pdev;
+ VFIODevice vbasedev;
+@@ -245,6 +253,7 @@ typedef struct VFIOPCIDevice {
+ bool has_flr;
+ bool has_pm_reset;
+ bool rom_read_failed;
++ VFIODisplay *dpy;
+ } VFIOPCIDevice;
+
+ typedef struct VFIOGroup {
+@@ -2762,6 +2771,114 @@ static int vfio_region_mmap(VFIORegion *region)
+ return 0;
+ }
+
++/* ---------------------------------------------------------------------- */
++
++static void vfio_display_region_update(void *opaque)
++{
++ VFIOPCIDevice *vdev = opaque;
++ VFIODisplay *dpy = vdev->dpy;
++ struct vfio_device_gfx_plane_info plane = {
++ .argsz = sizeof(plane),
++ .flags = VFIO_GFX_PLANE_TYPE_REGION
++ };
++ pixman_format_code_t format;
++ int ret;
++
++ ret = ioctl(vdev->vbasedev.fd, VFIO_DEVICE_QUERY_GFX_PLANE, &plane);
++ if (ret < 0) {
++ error_report("ioctl VFIO_DEVICE_QUERY_GFX_PLANE: %s",
++ strerror(errno));
++ return;
++ }
++ if (!plane.drm_format || !plane.size) {
++ return;
++ }
++ format = qemu_drm_format_to_pixman(plane.drm_format);
++ if (!format) {
++ return;
++ }
++
++ if (dpy->region.buffer.size &&
++ dpy->region.buffer.nr != plane.region_index) {
++ /* region changed */
++ vfio_region_exit(&dpy->region.buffer);
++ vfio_region_finalize(&dpy->region.buffer);
++ dpy->region.surface = NULL;
++ }
++
++ if (dpy->region.surface &&
++ (surface_width(dpy->region.surface) != plane.width ||
++ surface_height(dpy->region.surface) != plane.height ||
++ dpy->region.surface->format != format)) {
++ /* size changed */
++ dpy->region.surface = NULL;
++ }
++
++ if (!dpy->region.buffer.size) {
++ /* mmap region */
++ ret = vfio_region_setup(OBJECT(vdev), &vdev->vbasedev,
++ &dpy->region.buffer,
++ plane.region_index,
++ "display");
++ if (ret != 0) {
++ error_report("%s: vfio_region_setup(%d): %s",
++ __func__, plane.region_index, strerror(-ret));
++ goto err;
++ }
++ ret = vfio_region_mmap(&dpy->region.buffer);
++ if (ret != 0) {
++ error_report("%s: vfio_region_mmap(%d): %s", __func__,
++ plane.region_index, strerror(-ret));
++ goto err;
++ }
++ assert(dpy->region.buffer.mmaps[0].mmap != NULL);
++ }
++
++ if (dpy->region.surface == NULL) {
++ int bpp = PIXMAN_FORMAT_BPP(format);
++ /* create surface */
++ dpy->region.surface = qemu_create_displaysurface_from
++ (plane.width, plane.height, bpp,
++ plane.stride, dpy->region.buffer.mmaps[0].mmap, false);
++ dpy_gfx_replace_surface(dpy->con, dpy->region.surface);
++ }
++
++ /* full screen update */
++ dpy_gfx_update(dpy->con, 0, 0,
++ surface_width(dpy->region.surface),
++ surface_height(dpy->region.surface));
++ return;
++
++err:
++ vfio_region_exit(&dpy->region.buffer);
++ vfio_region_finalize(&dpy->region.buffer);
++}
++
++static const GraphicHwOps vfio_display_region_ops = {
++ .gfx_update = vfio_display_region_update,
++};
++
++static int vfio_display_region_init(VFIOPCIDevice *vdev)
++{
++ vdev->dpy = g_new0(VFIODisplay, 1);
++ vdev->dpy->con = graphic_console_init(DEVICE(vdev),
++ &vfio_display_region_ops,
++ vdev);
++ return 0;
++}
++
++static void vfio_display_region_exit(VFIODisplay *dpy)
++{
++ if (!dpy->region.buffer.size) {
++ return;
++ }
++
++ vfio_region_exit(&dpy->region.buffer);
++ vfio_region_finalize(&dpy->region.buffer);
++}
++
++/* ---------------------------------------------------------------------- */
++
+ static int vfio_display_probe(VFIOPCIDevice *vdev)
+ {
+ struct vfio_device_gfx_plane_info probe;
+@@ -2772,8 +2889,7 @@ static int vfio_display_probe(VFIOPCIDevice *vdev)
+ probe.flags = VFIO_GFX_PLANE_TYPE_PROBE | VFIO_GFX_PLANE_TYPE_REGION;
+ ret = ioctl(vdev->vbasedev.fd, VFIO_DEVICE_QUERY_GFX_PLANE, &probe);
+ if (ret == 0) {
+- error_report("vfio-display: region support not implemented yet");
+- return -1;
++ return vfio_display_region_init(vdev);
+ }
+
+ if (vdev->display == ON_OFF_AUTO_AUTO) {
+@@ -2787,6 +2903,13 @@ static int vfio_display_probe(VFIOPCIDevice *vdev)
+
+ static void vfio_display_finalize(VFIOPCIDevice *vdev)
+ {
++ if (!vdev->dpy) {
++ return;
++ }
++
++ graphic_console_close(vdev->dpy->con);
++ vfio_display_region_exit(vdev->dpy);
++ g_free(vdev->dpy);
+ }
+
+ static void vfio_region_exit(VFIORegion *region)
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-vfio-display-core-wireup.patch b/SOURCES/kvm-vfio-display-core-wireup.patch
new file mode 100644
index 0000000..45e8b6e
--- /dev/null
+++ b/SOURCES/kvm-vfio-display-core-wireup.patch
@@ -0,0 +1,117 @@
+From 5a0718f03d4da66682d5580e156c6cf4b8005891 Mon Sep 17 00:00:00 2001
+From: Tarun Gupta <tgupta@redhat.com>
+Date: Wed, 20 Jun 2018 18:54:23 +0200
+Subject: [PATCH 15/17] vfio/display: core & wireup
+
+RH-Author: Tarun Gupta <tgupta@redhat.com>
+Message-id: <1529520865-18127-10-git-send-email-tgupta@redhat.com>
+Patchwork-id: 80918
+O-Subject: [RHEL7.6 qemu-kvm PATCH v3 09/11] vfio/display: core & wireup
+Bugzilla: 1555246
+RH-Acked-by: Alex Williamson <alex.williamson@redhat.com>
+RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+nfrastructure for display support. Must be enabled
+using 'display' property.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed By: Kirti Wankhede <kwankhede@nvidia.com>
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+
+(cherry picked from a9994687cb9b5f72399398a0985419f4d2b95dc5)
+
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ hw/misc/vfio.c | 40 ++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 40 insertions(+)
+
+diff --git a/hw/misc/vfio.c b/hw/misc/vfio.c
+index 414b689..22d5cac 100644
+--- a/hw/misc/vfio.c
++++ b/hw/misc/vfio.c
+@@ -40,6 +40,7 @@
+ #include "sysemu/kvm.h"
+ #include "sysemu/sysemu.h"
+ #include "trace.h"
++#include "ui/console.h"
+
+ /* #define DEBUG_VFIO */
+ #ifdef DEBUG_VFIO
+@@ -235,6 +236,7 @@ typedef struct VFIOPCIDevice {
+ #define VFIO_FEATURE_ENABLE_VGA (1 << VFIO_FEATURE_ENABLE_VGA_BIT)
+ #define VFIO_FEATURE_ENABLE_REQ_BIT 1
+ #define VFIO_FEATURE_ENABLE_REQ (1 << VFIO_FEATURE_ENABLE_REQ_BIT)
++ OnOffAuto display;
+ int32_t bootindex;
+ uint8_t pm_cap;
+ bool has_vga;
+@@ -2760,6 +2762,33 @@ static int vfio_region_mmap(VFIORegion *region)
+ return 0;
+ }
+
++static int vfio_display_probe(VFIOPCIDevice *vdev)
++{
++ struct vfio_device_gfx_plane_info probe;
++ int ret;
++
++ memset(&probe, 0, sizeof(probe));
++ probe.argsz = sizeof(probe);
++ probe.flags = VFIO_GFX_PLANE_TYPE_PROBE | VFIO_GFX_PLANE_TYPE_REGION;
++ ret = ioctl(vdev->vbasedev.fd, VFIO_DEVICE_QUERY_GFX_PLANE, &probe);
++ if (ret == 0) {
++ error_report("vfio-display: region support not implemented yet");
++ return -1;
++ }
++
++ if (vdev->display == ON_OFF_AUTO_AUTO) {
++ /* not an error in automatic mode */
++ return 0;
++ }
++
++ error_report("vfio: device doesn't support any (known) display method");
++ return -1;
++}
++
++static void vfio_display_finalize(VFIOPCIDevice *vdev)
++{
++}
++
+ static void vfio_region_exit(VFIORegion *region)
+ {
+ int i;
+@@ -4232,6 +4261,14 @@ static int vfio_initfn(PCIDevice *pdev)
+ }
+
+ add_boot_device_path(vdev->bootindex, &pdev->qdev, NULL);
++
++ if (vdev->display != ON_OFF_AUTO_OFF) {
++ ret = vfio_display_probe(vdev);
++ if (ret) {
++ goto out_teardown;
++ }
++ }
++
+ vfio_register_err_notifier(vdev);
+ vfio_register_req_notifier(vdev);
+
+@@ -4261,6 +4298,7 @@ static void vfio_exitfn(PCIDevice *pdev)
+ qemu_free_timer(vdev->intx.mmap_timer);
+ }
+ vfio_teardown_msi(vdev);
++ vfio_display_finalize(vdev);
+ vfio_unmap_bars(vdev);
+ g_free(vdev->emulated_config_bits);
+ g_free(vdev->rom);
+@@ -4313,6 +4351,8 @@ static void vfio_instance_init(Object *obj)
+ static Property vfio_pci_dev_properties[] = {
+ DEFINE_PROP_PCI_HOST_DEVADDR("host", VFIOPCIDevice, host),
+ DEFINE_PROP_STRING("sysfsdev", VFIOPCIDevice, vbasedev.sysfsdev),
++ DEFINE_PROP_ON_OFF_AUTO("display", VFIOPCIDevice,
++ display, ON_OFF_AUTO_AUTO),
+ DEFINE_PROP_UINT32("x-intx-mmap-timeout-ms", VFIOPCIDevice,
+ intx.mmap_timeout, 1100),
+ DEFINE_PROP_BIT("x-vga", VFIOPCIDevice, features,
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-vfio-pci-Default-display-option-to-off.patch b/SOURCES/kvm-vfio-pci-Default-display-option-to-off.patch
new file mode 100644
index 0000000..7997e43
--- /dev/null
+++ b/SOURCES/kvm-vfio-pci-Default-display-option-to-off.patch
@@ -0,0 +1,48 @@
+From 24d5cb5f451e6e41456e5967d326fa51c844b22f Mon Sep 17 00:00:00 2001
+From: Tarun Gupta <tgupta@redhat.com>
+Date: Wed, 20 Jun 2018 18:54:25 +0200
+Subject: [PATCH 17/17] vfio/pci: Default display option to "off"
+
+RH-Author: Tarun Gupta <tgupta@redhat.com>
+Message-id: <1529520865-18127-12-git-send-email-tgupta@redhat.com>
+Patchwork-id: 80917
+O-Subject: [RHEL7.6 qemu-kvm PATCH v3 11/11] vfio/pci: Default display option to "off"
+Bugzilla: 1555246
+RH-Acked-by: Alex Williamson <alex.williamson@redhat.com>
+RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+Commit a9994687cb9b ("vfio/display: core & wireup") added display
+support to vfio-pci with the default being "auto", which breaks
+existing VMs when the vGPU requires GL support but had no previous
+requirement for a GL compatible configuration. "Off" is the safer
+default as we impose no new requirements to VM configurations.
+
+Fixes: a9994687cb9b ("vfio/display: core & wireup")
+
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+
+(cherry picked from upstream qemu
+8151a9c56d31eeeea872b8103c8b86d03c411667)
+
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ hw/misc/vfio.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/misc/vfio.c b/hw/misc/vfio.c
+index dd3efb3..f91eecb 100644
+--- a/hw/misc/vfio.c
++++ b/hw/misc/vfio.c
+@@ -4475,7 +4475,7 @@ static Property vfio_pci_dev_properties[] = {
+ DEFINE_PROP_PCI_HOST_DEVADDR("host", VFIOPCIDevice, host),
+ DEFINE_PROP_STRING("sysfsdev", VFIOPCIDevice, vbasedev.sysfsdev),
+ DEFINE_PROP_ON_OFF_AUTO("display", VFIOPCIDevice,
+- display, ON_OFF_AUTO_AUTO),
++ display, ON_OFF_AUTO_OFF),
+ DEFINE_PROP_UINT32("x-intx-mmap-timeout-ms", VFIOPCIDevice,
+ intx.mmap_timeout, 1100),
+ DEFINE_PROP_BIT("x-vga", VFIOPCIDevice, features,
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-vga-add-ram_addr_t-cast.patch b/SOURCES/kvm-vga-add-ram_addr_t-cast.patch
index bc09fa1..0a614ab 100644
--- a/SOURCES/kvm-vga-add-ram_addr_t-cast.patch
+++ b/SOURCES/kvm-vga-add-ram_addr_t-cast.patch
@@ -1,13 +1,13 @@
-From 793f93597e16bbe37da8b0e884f9f17d1790b99a Mon Sep 17 00:00:00 2001
+From c7db4596ac0794d7feaea30fcc5f3a05aa7210c3 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Mon, 9 Apr 2018 13:27:35 +0200
-Subject: [PATCH 1/2] vga: add ram_addr_t cast
+Subject: [PATCH 01/10] vga: add ram_addr_t cast
RH-Author: Gerd Hoffmann <kraxel@redhat.com>
Message-id: <20180409132736.24598-2-kraxel@redhat.com>
Patchwork-id: 79513
O-Subject: [RHEL-7.5 qemu-kvm PATCH 1/2] vga: add ram_addr_t cast
-Bugzilla: 1567913
+Bugzilla: 1553670
RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: John Snow <jsnow@redhat.com>
diff --git a/SOURCES/kvm-vga-fix-region-calculation.patch b/SOURCES/kvm-vga-fix-region-calculation.patch
index 099430e..bfe5614 100644
--- a/SOURCES/kvm-vga-fix-region-calculation.patch
+++ b/SOURCES/kvm-vga-fix-region-calculation.patch
@@ -1,13 +1,13 @@
-From 3ed3904f7411bd5896aebdfcc6fe202dbfc2eef6 Mon Sep 17 00:00:00 2001
+From e47337aa12a371cded61aefee052a808d32e0d64 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Mon, 9 Apr 2018 13:27:36 +0200
-Subject: [PATCH 2/2] vga: fix region calculation
+Subject: [PATCH 02/10] vga: fix region calculation
RH-Author: Gerd Hoffmann <kraxel@redhat.com>
Message-id: <20180409132736.24598-3-kraxel@redhat.com>
Patchwork-id: 79512
O-Subject: [RHEL-7.5 qemu-kvm PATCH 2/2] vga: fix region calculation
-Bugzilla: 1567913
+Bugzilla: 1553670
RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: John Snow <jsnow@redhat.com>
diff --git a/SOURCES/kvm-x86-cpu-Enable-new-SSE-AVX-AVX512-cpu-features.patch b/SOURCES/kvm-x86-cpu-Enable-new-SSE-AVX-AVX512-cpu-features.patch
new file mode 100644
index 0000000..32b1b61
--- /dev/null
+++ b/SOURCES/kvm-x86-cpu-Enable-new-SSE-AVX-AVX512-cpu-features.patch
@@ -0,0 +1,88 @@
+From 1d9d6bd6721a92ae161bd7a4e9de202691b90da0 Mon Sep 17 00:00:00 2001
+From: "plai@redhat.com" <plai@redhat.com>
+Date: Tue, 8 May 2018 17:40:48 +0200
+Subject: [PATCH 01/17] x86/cpu: Enable new SSE/AVX/AVX512 cpu features
+
+RH-Author: plai@redhat.com
+Message-id: <1525801248-24104-1-git-send-email-plai@redhat.com>
+Patchwork-id: 80114
+O-Subject: [RHEL7.6 PATCH BZ 1513686] x86/cpu: Enable new SSE/AVX/AVX512 cpu features
+Bugzilla: 1513686
+RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>
+RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
+RH-Acked-by: Radim Krcmar <rkrcmar@redhat.com>
+
+From: Yang Zhong <yang.zhong@intel.com>
+
+Intel OTC Virt tested.
+
+Intel IceLake cpu has added new cpu features,AVX512_VBMI2/GFNI/
+VAES/VPCLMULQDQ/AVX512_VNNI/AVX512_BITALG. Those new cpu features
+need expose to guest VM.
+
+The bit definition:
+CPUID.(EAX=7,ECX=0):ECX[bit 06] AVX512_VBMI2
+CPUID.(EAX=7,ECX=0):ECX[bit 08] GFNI
+CPUID.(EAX=7,ECX=0):ECX[bit 09] VAES
+CPUID.(EAX=7,ECX=0):ECX[bit 10] VPCLMULQDQ
+CPUID.(EAX=7,ECX=0):ECX[bit 11] AVX512_VNNI
+CPUID.(EAX=7,ECX=0):ECX[bit 12] AVX512_BITALG
+
+The release document ref below link:
+https://software.intel.com/sites/default/files/managed/c5/15/\
+architecture-instruction-set-extensions-programming-reference.pdf
+
+Signed-off-by: Yang Zhong <yang.zhong@intel.com>
+Message-Id: <1511335676-20797-1-git-send-email-yang.zhong@intel.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit aff9e6e46a343e1404498be4edd03db1112f0950)
+Signed-off-by: Paul Lai <plai@redhat.com>
+
+Resolved Conflicts:
+ target/i386/cpu.c
+ target/i386/cpu.h
+ changes applied to target-i386/cpu.{c,h}
+
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ target-i386/cpu.c | 6 +++---
+ target-i386/cpu.h | 6 ++++++
+ 2 files changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/target-i386/cpu.c b/target-i386/cpu.c
+index 539c202..48a5507 100644
+--- a/target-i386/cpu.c
++++ b/target-i386/cpu.c
+@@ -156,9 +156,9 @@ static const char *cpuid_7_0_ebx_feature_name[] = {
+
+ static const char *cpuid_7_0_ecx_feature_name[] = {
+ NULL, "avx512vbmi", NULL, "pku",
+- "ospke", NULL, NULL, NULL,
+- NULL, NULL, NULL, NULL,
+- NULL, NULL, "avx512-vpopcntdq", NULL,
++ "ospke", NULL, "avx512vbmi2", NULL,
++ "gfni", "vaes", "vpclmulqdq", "avx512vnni",
++ "avx512bitalg", NULL, "avx512-vpopcntdq", NULL,
+ NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL,
+diff --git a/target-i386/cpu.h b/target-i386/cpu.h
+index da84443..a781639 100644
+--- a/target-i386/cpu.h
++++ b/target-i386/cpu.h
+@@ -584,6 +584,12 @@ typedef uint32_t FeatureWordArray[FEATURE_WORDS];
+ #define CPUID_7_0_ECX_UMIP (1U << 2)
+ #define CPUID_7_0_ECX_PKU (1U << 3)
+ #define CPUID_7_0_ECX_OSPKE (1U << 4)
++#define CPUID_7_0_ECX_VBMI2 (1U << 6) /* Additional VBMI Instrs */
++#define CPUID_7_0_ECX_GFNI (1U << 8)
++#define CPUID_7_0_ECX_VAES (1U << 9)
++#define CPUID_7_0_ECX_VPCLMULQDQ (1U << 10)
++#define CPUID_7_0_ECX_AVX512VNNI (1U << 11)
++#define CPUID_7_0_ECX_AVX512BITALG (1U << 12)
+ #define CPUID_7_0_ECX_AVX512_VPOPCNTDQ (1U << 14) /* POPCNT for vectors of DW/QW */
+ #define CPUID_7_0_ECX_RDPID (1U << 22)
+
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-x86-lapic-Load-LAPIC-state-at-post_load.patch b/SOURCES/kvm-x86-lapic-Load-LAPIC-state-at-post_load.patch
index c39f91b..e310843 100644
--- a/SOURCES/kvm-x86-lapic-Load-LAPIC-state-at-post_load.patch
+++ b/SOURCES/kvm-x86-lapic-Load-LAPIC-state-at-post_load.patch
@@ -1,23 +1,13 @@
-From 0076f45c587331bb0b49a6b643377d8522789456 Mon Sep 17 00:00:00 2001
-From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
-Date: Thu, 28 Jun 2018 17:57:08 +0200
-Subject: [PATCH 3/5] x86/lapic: Load LAPIC state at post_load
-
-RH-Author: Dr. David Alan Gilbert <dgilbert@redhat.com>
-Message-id: <20180628175710.56848-4-dgilbert@redhat.com>
-Patchwork-id: 81143
-O-Subject: [RHEL-7.5.z/RHEL-7.4.z/RHEL-7.3.z qemu-kvm PATCH 3/5] x86/lapic: Load LAPIC state at post_load
-Bugzilla: 1596302
-RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
-RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
-RH-Acked-by: Michael S. Tsirkin <mst@redhat.com>
-
+From f0254b84d490273e922d04b01a7b48f0ac370185 Mon Sep 17 00:00:00 2001
From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
+Date: Tue, 15 May 2018 11:56:32 +0200
+Subject: [PATCH 06/10] x86/lapic: Load LAPIC state at post_load
RH-Author: Dr. David Alan Gilbert <dgilbert@redhat.com>
Message-id: <20180515115634.24469-4-dgilbert@redhat.com>
Patchwork-id: 80273
O-Subject: [RHEL-7.6 qemu-kvm PATCH v2 3/5] x86/lapic: Load LAPIC state at post_load
+Bugzilla: 1577680
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
RH-Acked-by: Michael S. Tsirkin <mst@redhat.com>
RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>
@@ -39,8 +29,6 @@ Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 78d6a05d2f69cbfa6e95f0a4a24a2c934969913b)
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
-(cherry picked from commit f0254b84d490273e922d04b01a7b48f0ac370185)
-Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
hw/i386/kvm/apic.c | 27 ++++++++++++++++++++++++---
include/sysemu/kvm.h | 1 -
@@ -120,10 +108,10 @@ index 0c6833f..49cfc42 100644
struct kvm_guest_debug;
diff --git a/target-i386/kvm.c b/target-i386/kvm.c
-index 8544e52..1658621 100644
+index 6f3424e..71f1573 100644
--- a/target-i386/kvm.c
+++ b/target-i386/kvm.c
-@@ -1876,20 +1876,6 @@ static int kvm_get_apic(X86CPU *cpu)
+@@ -1863,20 +1863,6 @@ static int kvm_get_apic(X86CPU *cpu)
return 0;
}
@@ -144,7 +132,7 @@ index 8544e52..1658621 100644
static int kvm_put_vcpu_events(X86CPU *cpu, int level)
{
CPUX86State *env = &cpu->env;
-@@ -2071,10 +2057,6 @@ int kvm_arch_put_registers(CPUState *cpu, int level)
+@@ -2058,10 +2044,6 @@ int kvm_arch_put_registers(CPUState *cpu, int level)
if (ret < 0) {
return ret;
}
diff --git a/SPECS/qemu-kvm.spec b/SPECS/qemu-kvm.spec
index 384543a..007479a 100644
--- a/SPECS/qemu-kvm.spec
+++ b/SPECS/qemu-kvm.spec
@@ -76,10 +76,10 @@ Obsoletes: %1 < %{obsoletes_version} \
Summary: QEMU is a machine emulator and virtualizer
Name: %{pkgname}%{?pkgsuffix}
Version: 1.5.3
-Release: 156%{?dist}.5
+Release: 160%{?dist}
# Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
Epoch: 10
-License: GPLv2+ and LGPLv2+ and BSD
+License: GPLv2 and GPLv2+ and CC-BY
Group: Development/Tools
URL: http://www.qemu.org/
ExclusiveArch: x86_64
@@ -3865,42 +3865,80 @@ Patch1903: kvm-ui-avoid-sign-extension-using-client-width-height.patch
Patch1904: kvm-ui-correctly-advance-output-buffer-when-writing-SASL.patch
# For bz#1518711 - CVE-2017-15268 qemu-kvm: Qemu: I/O: potential memory exhaustion via websock connection to VNC [rhel-7.5]
Patch1905: kvm-io-skip-updates-to-client-if-websocket-output-buffer.patch
-# For bz#1567913 - CVE-2018-7858 qemu-kvm: Qemu: cirrus: OOB access when updating vga display [rhel-7] [rhel-7.5.z]
+# For bz#1553670 - CVE-2018-7858 qemu-kvm: Qemu: cirrus: OOB access when updating vga display [rhel-7]
Patch1906: kvm-vga-add-ram_addr_t-cast.patch
-# For bz#1567913 - CVE-2018-7858 qemu-kvm: Qemu: cirrus: OOB access when updating vga display [rhel-7] [rhel-7.5.z]
+# For bz#1553670 - CVE-2018-7858 qemu-kvm: Qemu: cirrus: OOB access when updating vga display [rhel-7]
Patch1907: kvm-vga-fix-region-calculation.patch
-# For bz#1574075 - EMBARGOED CVE-2018-3639 qemu-kvm: Kernel: omega-4 [rhel-7.5.z]
+# For bz#1574082 - CVE-2018-3639 qemu-kvm: hw: cpu: speculative store bypass [rhel-7.6]
Patch1908: kvm-i386-define-the-ssbd-CPUID-feature-bit-CVE-2018-3639.patch
-# For bz#1584363 - CVE-2018-3639 qemu-kvm: hw: cpu: AMD: speculative store bypass [rhel-7.5.z]
-Patch1909: kvm-i386-Define-the-Virt-SSBD-MSR-and-handling-of-it-CVE.patch
-# For bz#1584363 - CVE-2018-3639 qemu-kvm: hw: cpu: AMD: speculative store bypass [rhel-7.5.z]
-Patch1910: kvm-i386-define-the-AMD-virt-ssbd-CPUID-feature-bit-CVE-.patch
-# For bz#1596302 - Windows 2012 Guest hangs after live migration with RTC clock stopped. [rhel-7.5.z]
-Patch1911: kvm-target-i386-introduce-kvm_put_one_msr.patch
-# For bz#1596302 - Windows 2012 Guest hangs after live migration with RTC clock stopped. [rhel-7.5.z]
-Patch1912: kvm-apic-fix-2.2-2.1-migration.patch
-# For bz#1596302 - Windows 2012 Guest hangs after live migration with RTC clock stopped. [rhel-7.5.z]
-Patch1913: kvm-x86-lapic-Load-LAPIC-state-at-post_load.patch
-# For bz#1596302 - Windows 2012 Guest hangs after live migration with RTC clock stopped. [rhel-7.5.z]
-Patch1914: kvm-apic-drop-debugging.patch
-# For bz#1596302 - Windows 2012 Guest hangs after live migration with RTC clock stopped. [rhel-7.5.z]
-Patch1915: kvm-apic-set-APIC-base-as-part-of-kvm_apic_put.patch
-# For bz#1549824 - CVE-2018-7550 qemu-kvm: Qemu: i386: multiboot OOB access while loading kernel image [rhel-7.5.z]
-Patch1916: kvm-multiboot-bss_end_addr-can-be-zero.patch
-# For bz#1549824 - CVE-2018-7550 qemu-kvm: Qemu: i386: multiboot OOB access while loading kernel image [rhel-7.5.z]
-Patch1917: kvm-multiboot-Remove-unused-variables-from-multiboot.c.patch
-# For bz#1549824 - CVE-2018-7550 qemu-kvm: Qemu: i386: multiboot OOB access while loading kernel image [rhel-7.5.z]
-Patch1918: kvm-multiboot-Use-header-names-when-displaying-fields.patch
-# For bz#1549824 - CVE-2018-7550 qemu-kvm: Qemu: i386: multiboot OOB access while loading kernel image [rhel-7.5.z]
-Patch1919: kvm-multiboot-fprintf-stderr.-error_report.patch
-# For bz#1549824 - CVE-2018-7550 qemu-kvm: Qemu: i386: multiboot OOB access while loading kernel image [rhel-7.5.z]
-Patch1920: kvm-multiboot-Reject-kernels-exceeding-the-address-space.patch
-# For bz#1549824 - CVE-2018-7550 qemu-kvm: Qemu: i386: multiboot OOB access while loading kernel image [rhel-7.5.z]
-Patch1921: kvm-multiboot-Check-validity-of-mh_header_addr.patch
-# For bz#1586248 - CVE-2018-11806 qemu-kvm: QEMU: slirp: heap buffer overflow while reassembling fragmented datagrams [rhel-7.5.z]
-Patch1922: kvm-slirp-remove-mbuf-m_hdr-m_dat-indirection.patch
-# For bz#1586248 - CVE-2018-11806 qemu-kvm: QEMU: slirp: heap buffer overflow while reassembling fragmented datagrams [rhel-7.5.z]
-Patch1923: kvm-slirp-correct-size-computation-while-concatenating-m.patch
+# For bz#1577680 - Windows 2012 Guest hangs after live migration with RTC clock stopped.
+Patch1909: kvm-target-i386-introduce-kvm_put_one_msr.patch
+# For bz#1577680 - Windows 2012 Guest hangs after live migration with RTC clock stopped.
+Patch1910: kvm-apic-fix-2.2-2.1-migration.patch
+# For bz#1577680 - Windows 2012 Guest hangs after live migration with RTC clock stopped.
+Patch1911: kvm-x86-lapic-Load-LAPIC-state-at-post_load.patch
+# For bz#1577680 - Windows 2012 Guest hangs after live migration with RTC clock stopped.
+Patch1912: kvm-apic-drop-debugging.patch
+# For bz#1577680 - Windows 2012 Guest hangs after live migration with RTC clock stopped.
+Patch1913: kvm-apic-set-APIC-base-as-part-of-kvm_apic_put.patch
+# For bz#1513686 - [Intel 7.6 Feat] qemu-kvm Enabling Icelake new NIs
+Patch1914: kvm-x86-cpu-Enable-new-SSE-AVX-AVX512-cpu-features.patch
+# For bz#1526638 - [Intel 7.6 FEAT] KVM User Mode Instruction Prevention (UMIP) - qemu-kvm
+Patch1915: kvm-target-i386-Add-support-for-UMIP-and-RDPID-CPUID-bit.patch
+# For bz#1584583 - CVE-2018-3639 qemu-kvm: hw: cpu: speculative store bypass [rhel-7.6]
+Patch1916: kvm-i386-Define-the-Virt-SSBD-MSR-and-handling-of-it-CVE.patch
+# For bz#1584583 - CVE-2018-3639 qemu-kvm: hw: cpu: speculative store bypass [rhel-7.6]
+Patch1917: kvm-i386-define-the-AMD-virt-ssbd-CPUID-feature-bit-CVE-.patch
+# For bz#1527122 - The copied flag should be updated during '-r leaks'
+Patch1918: kvm-qcow2-Repair-OFLAG_COPIED-when-fixing-leaks.patch
+# For bz#1527122 - The copied flag should be updated during '-r leaks'
+Patch1919: kvm-iotests-Repairing-error-during-snapshot-deletion.patch
+# For bz#1555246 - [RFE] Support console VNC on Nvidia vGPU - qemu
+Patch1920: kvm-headers-add-drm_fourcc.h.patch
+# For bz#1555246 - [RFE] Support console VNC on Nvidia vGPU - qemu
+Patch1921: kvm-spice-fix-simple-display-on-bigendian-hosts.patch
+# For bz#1555246 - [RFE] Support console VNC on Nvidia vGPU - qemu
+Patch1922: kvm-ui-pixman-add-qemu_drm_format_to_pixman.patch
+# For bz#1555246 - [RFE] Support console VNC on Nvidia vGPU - qemu
+Patch1923: kvm-console-nicer-initial-screen.patch
+# For bz#1555246 - [RFE] Support console VNC on Nvidia vGPU - qemu
+Patch1924: kvm-console-minimal-hotplug-suport.patch
+# For bz#1555246 - [RFE] Support console VNC on Nvidia vGPU - qemu
+Patch1925: kvm-vfio-common-cleanup-in-vfio_region_finalize.patch
+# For bz#1555246 - [RFE] Support console VNC on Nvidia vGPU - qemu
+Patch1926: kvm-linux-headers-Update-to-include-region-based-display.patch
+# For bz#1555246 - [RFE] Support console VNC on Nvidia vGPU - qemu
+Patch1927: kvm-qdev-New-DEFINE_PROP_ON_OFF_AUTO.patch
+# For bz#1555246 - [RFE] Support console VNC on Nvidia vGPU - qemu
+Patch1928: kvm-vfio-display-core-wireup.patch
+# For bz#1555246 - [RFE] Support console VNC on Nvidia vGPU - qemu
+Patch1929: kvm-vfio-display-adding-region-support.patch
+# For bz#1555246 - [RFE] Support console VNC on Nvidia vGPU - qemu
+Patch1930: kvm-vfio-pci-Default-display-option-to-off.patch
+# For bz#1549822 - CVE-2018-7550 qemu-kvm: Qemu: i386: multiboot OOB access while loading kernel image [rhel-7.6]
+Patch1931: kvm-multiboot-bss_end_addr-can-be-zero.patch
+# For bz#1549822 - CVE-2018-7550 qemu-kvm: Qemu: i386: multiboot OOB access while loading kernel image [rhel-7.6]
+Patch1932: kvm-multiboot-Remove-unused-variables-from-multiboot.c.patch
+# For bz#1549822 - CVE-2018-7550 qemu-kvm: Qemu: i386: multiboot OOB access while loading kernel image [rhel-7.6]
+Patch1933: kvm-multiboot-Use-header-names-when-displaying-fields.patch
+# For bz#1549822 - CVE-2018-7550 qemu-kvm: Qemu: i386: multiboot OOB access while loading kernel image [rhel-7.6]
+Patch1934: kvm-multiboot-fprintf-stderr.-error_report.patch
+# For bz#1549822 - CVE-2018-7550 qemu-kvm: Qemu: i386: multiboot OOB access while loading kernel image [rhel-7.6]
+Patch1935: kvm-multiboot-Reject-kernels-exceeding-the-address-space.patch
+# For bz#1549822 - CVE-2018-7550 qemu-kvm: Qemu: i386: multiboot OOB access while loading kernel image [rhel-7.6]
+Patch1936: kvm-multiboot-Check-validity-of-mh_header_addr.patch
+# For bz#1586253 - CVE-2018-11806 qemu-kvm: QEMU: slirp: heap buffer overflow while reassembling fragmented datagrams [rhel-7.6]
+Patch1937: kvm-slirp-remove-mbuf-m_hdr-m_dat-indirection.patch
+# For bz#1586253 - CVE-2018-11806 qemu-kvm: QEMU: slirp: heap buffer overflow while reassembling fragmented datagrams [rhel-7.6]
+Patch1938: kvm-slirp-correct-size-computation-while-concatenating-m.patch
+# For bz#1583807 - [DELL EMC 7.6 FEAT] option to mark virtual block device as rotational/non-rotational
+Patch1939: kvm-scsi-disk-support-reporting-of-rotation-rate.patch
+# For bz#1583807 - [DELL EMC 7.6 FEAT] option to mark virtual block device as rotational/non-rotational
+Patch1940: kvm-ide-support-reporting-of-rotation-rate.patch
+# For bz#1583807 - [DELL EMC 7.6 FEAT] option to mark virtual block device as rotational/non-rotational
+Patch1941: kvm-ide-avoid-referencing-NULL-dev-in-rotational-rate-se.patch
+# For bz#1586253 - CVE-2018-11806 qemu-kvm: QEMU: slirp: heap buffer overflow while reassembling fragmented datagrams [rhel-7.6]
+Patch1942: kvm-slirp-Correct-size-check-in-m_inc.patch
BuildRequires: zlib-devel
@@ -6002,6 +6040,25 @@ tar -xf %{SOURCE21}
%patch1921 -p1
%patch1922 -p1
%patch1923 -p1
+%patch1924 -p1
+%patch1925 -p1
+%patch1926 -p1
+%patch1927 -p1
+%patch1928 -p1
+%patch1929 -p1
+%patch1930 -p1
+%patch1931 -p1
+%patch1932 -p1
+%patch1933 -p1
+%patch1934 -p1
+%patch1935 -p1
+%patch1936 -p1
+%patch1937 -p1
+%patch1938 -p1
+%patch1939 -p1
+%patch1940 -p1
+%patch1941 -p1
+%patch1942 -p1
%build
buildarch="%{kvm_target}-softmmu"
@@ -6011,11 +6068,11 @@ extraldflags="-Wl,--build-id";
buildldflags="VL_LDFLAGS=-Wl,--build-id"
# QEMU already knows how to set _FORTIFY_SOURCE
-%global optflags %(echo %{optflags} | sed 's/-Wp,-D_FORTIFY_SOURCE=2//')
+%global qemuoptflags %(echo %{optflags} | sed 's/-Wp,-D_FORTIFY_SOURCE=2//')
%ifarch s390
# drop -g flag to prevent memory exhaustion by linker
- %global optflags %(echo %{optflags} | sed 's/-g//')
+ %global qemuoptflags %(echo %{qemuoptflags} | sed 's/-g//')
sed -i.debug 's/"-g $CFLAGS"/"$CFLAGS"/g' configure
%endif
@@ -6034,7 +6091,7 @@ dobuild() {
--disable-strip \
--disable-qom-cast-debug \
--extra-ldflags="$extraldflags -pie -Wl,-z,relro -Wl,-z,now" \
- --extra-cflags="%{optflags} -fPIE -DPIE" \
+ --extra-cflags="%{qemuoptflags} -fPIE -DPIE" \
--enable-trace-backend=dtrace \
--enable-werror \
--disable-xen \
@@ -6130,7 +6187,7 @@ dobuild --target-list="$buildarch"
cp -a %{kvm_target}-softmmu/qemu-system-%{kvm_target} qemu-kvm
- gcc %{SOURCE6} -O2 -g -o ksmctl
+ gcc %{SOURCE6} $RPM_OPT_FLAGS $RPM_LD_FLAGS -o ksmctl
%endif
%install
@@ -6447,45 +6504,80 @@ sh %{_sysconfdir}/sysconfig/modules/kvm.modules &> /dev/null || :
%{_mandir}/man8/qemu-nbd.8*
%changelog
-* Wed Aug 01 2018 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-156.el7_5.5
-- kvm-multiboot-bss_end_addr-can-be-zero.patch [bz#1549824]
-- kvm-multiboot-Remove-unused-variables-from-multiboot.c.patch [bz#1549824]
-- kvm-multiboot-Use-header-names-when-displaying-fields.patch [bz#1549824]
-- kvm-multiboot-fprintf-stderr.-error_report.patch [bz#1549824]
-- kvm-multiboot-Reject-kernels-exceeding-the-address-space.patch [bz#1549824]
-- kvm-multiboot-Check-validity-of-mh_header_addr.patch [bz#1549824]
-- kvm-slirp-remove-mbuf-m_hdr-m_dat-indirection.patch [bz#1586248]
-- kvm-slirp-correct-size-computation-while-concatenating-m.patch [bz#1586248]
-- Resolves: bz#1549824
- (CVE-2018-7550 qemu-kvm: Qemu: i386: multiboot OOB access while loading kernel image [rhel-7.5.z])
-- Resolves: bz#1586248
- (CVE-2018-11806 qemu-kvm: QEMU: slirp: heap buffer overflow while reassembling fragmented datagrams [rhel-7.5.z])
-
-* Mon Jul 23 2018 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-156.el7_5.4
-- kvm-target-i386-introduce-kvm_put_one_msr.patch [bz#1596302]
-- kvm-apic-fix-2.2-2.1-migration.patch [bz#1596302]
-- kvm-x86-lapic-Load-LAPIC-state-at-post_load.patch [bz#1596302]
-- kvm-apic-drop-debugging.patch [bz#1596302]
-- kvm-apic-set-APIC-base-as-part-of-kvm_apic_put.patch [bz#1596302]
-- Resolves: bz#1596302
- (Windows 2012 Guest hangs after live migration with RTC clock stopped. [rhel-7.5.z])
-
-* Fri Jun 08 2018 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-156.el7_5.3
-- kvm-i386-Define-the-Virt-SSBD-MSR-and-handling-of-it-CVE.patch [bz#1584363]
-- kvm-i386-define-the-AMD-virt-ssbd-CPUID-feature-bit-CVE-.patch [bz#1584363]
-- Resolves: bz#1584363
- (CVE-2018-3639 qemu-kvm: hw: cpu: AMD: speculative store bypass [rhel-7.5.z])
-
-* Fri May 11 2018 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-156.el7_5.2
-- kvm-i386-define-the-ssbd-CPUID-feature-bit-CVE-2018-3639.patch [bz#1574075]
-- Resolves: bz#1574075
- (EMBARGOED CVE-2018-3639 qemu-kvm: Kernel: omega-4 [rhel-7.5.z])
-
-* Mon Apr 16 2018 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-156.el7_5.1
-- kvm-vga-add-ram_addr_t-cast.patch [bz#1567913]
-- kvm-vga-fix-region-calculation.patch [bz#1567913]
-- Resolves: bz#1567913
- (CVE-2018-7858 qemu-kvm: Qemu: cirrus: OOB access when updating vga display [rhel-7] [rhel-7.5.z])
+* Mon Aug 20 2018 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-160.el7
+- kvm-scsi-disk-support-reporting-of-rotation-rate.patch [bz#1583807]
+- kvm-ide-support-reporting-of-rotation-rate.patch [bz#1583807]
+- kvm-ide-avoid-referencing-NULL-dev-in-rotational-rate-se.patch [bz#1583807]
+- kvm-slirp-Correct-size-check-in-m_inc.patch [bz#1586253]
+- Resolves: bz#1583807
+ ([DELL EMC 7.6 FEAT] option to mark virtual block device as rotational/non-rotational)
+- Resolves: bz#1586253
+ (CVE-2018-11806 qemu-kvm: QEMU: slirp: heap buffer overflow while reassembling fragmented datagrams [rhel-7.6])
+
+* Wed Aug 01 2018 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-159.el7
+- kvm-multiboot-bss_end_addr-can-be-zero.patch [bz#1549822]
+- kvm-multiboot-Remove-unused-variables-from-multiboot.c.patch [bz#1549822]
+- kvm-multiboot-Use-header-names-when-displaying-fields.patch [bz#1549822]
+- kvm-multiboot-fprintf-stderr.-error_report.patch [bz#1549822]
+- kvm-multiboot-Reject-kernels-exceeding-the-address-space.patch [bz#1549822]
+- kvm-multiboot-Check-validity-of-mh_header_addr.patch [bz#1549822]
+- kvm-slirp-remove-mbuf-m_hdr-m_dat-indirection.patch [bz#1586253]
+- kvm-slirp-correct-size-computation-while-concatenating-m.patch [bz#1586253]
+- Resolves: bz#1549822
+ (CVE-2018-7550 qemu-kvm: Qemu: i386: multiboot OOB access while loading kernel image [rhel-7.6])
+- Resolves: bz#1586253
+ (CVE-2018-11806 qemu-kvm: QEMU: slirp: heap buffer overflow while reassembling fragmented datagrams [rhel-7.6])
+
+* Wed Jun 27 2018 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-158.el7
+- kvm-x86-cpu-Enable-new-SSE-AVX-AVX512-cpu-features.patch [bz#1513686]
+- kvm-target-i386-Add-support-for-UMIP-and-RDPID-CPUID-bit.patch [bz#1526638]
+- kvm-i386-Define-the-Virt-SSBD-MSR-and-handling-of-it-CVE.patch [bz#1584583]
+- kvm-i386-define-the-AMD-virt-ssbd-CPUID-feature-bit-CVE-.patch [bz#1584583]
+- kvm-qcow2-Repair-OFLAG_COPIED-when-fixing-leaks.patch [bz#1527122]
+- kvm-iotests-Repairing-error-during-snapshot-deletion.patch [bz#1527122]
+- kvm-headers-add-drm_fourcc.h.patch [bz#1555246]
+- kvm-spice-fix-simple-display-on-bigendian-hosts.patch [bz#1555246]
+- kvm-ui-pixman-add-qemu_drm_format_to_pixman.patch [bz#1555246]
+- kvm-console-nicer-initial-screen.patch [bz#1555246]
+- kvm-console-minimal-hotplug-suport.patch [bz#1555246]
+- kvm-vfio-common-cleanup-in-vfio_region_finalize.patch [bz#1555246]
+- kvm-linux-headers-Update-to-include-region-based-display.patch [bz#1555246]
+- kvm-qdev-New-DEFINE_PROP_ON_OFF_AUTO.patch [bz#1555246]
+- kvm-vfio-display-core-wireup.patch [bz#1555246]
+- kvm-vfio-display-adding-region-support.patch [bz#1555246]
+- kvm-vfio-pci-Default-display-option-to-off.patch [bz#1555246]
+- Resolves: bz#1513686
+ ([Intel 7.6 Feat] qemu-kvm Enabling Icelake new NIs)
+- Resolves: bz#1526638
+ ([Intel 7.6 FEAT] KVM User Mode Instruction Prevention (UMIP) - qemu-kvm)
+- Resolves: bz#1527122
+ (The copied flag should be updated during '-r leaks')
+- Resolves: bz#1555246
+ ([RFE] Support console VNC on Nvidia vGPU - qemu)
+- Resolves: bz#1584583
+ (CVE-2018-3639 qemu-kvm: hw: cpu: speculative store bypass [rhel-7.6])
+
+* Thu Jun 07 2018 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-157.el7
+- kvm-vga-add-ram_addr_t-cast.patch [bz#1553670]
+- kvm-vga-fix-region-calculation.patch [bz#1553670]
+- kvm-i386-define-the-ssbd-CPUID-feature-bit-CVE-2018-3639.patch [bz#1574082]
+- kvm-target-i386-introduce-kvm_put_one_msr.patch [bz#1577680]
+- kvm-apic-fix-2.2-2.1-migration.patch [bz#1577680]
+- kvm-x86-lapic-Load-LAPIC-state-at-post_load.patch [bz#1577680]
+- kvm-apic-drop-debugging.patch [bz#1577680]
+- kvm-apic-set-APIC-base-as-part-of-kvm_apic_put.patch [bz#1577680]
+- kvm-spec-Change-License-line.patch [bz#1549108]
+- kvm-spec-Use-hardening-flags-for-ksmctl-build.patch [bz#1558895]
+- Resolves: bz#1549108
+ (Incorrect License information in RPM specfile)
+- Resolves: bz#1553670
+ (CVE-2018-7858 qemu-kvm: Qemu: cirrus: OOB access when updating vga display [rhel-7])
+- Resolves: bz#1558895
+ (ksmctl is built without any hardening flags set [rhel-7.6])
+- Resolves: bz#1574082
+ (CVE-2018-3639 qemu-kvm: hw: cpu: speculative store bypass [rhel-7.6])
+- Resolves: bz#1577680
+ (Windows 2012 Guest hangs after live migration with RTC clock stopped.)
* Tue Feb 20 2018 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-156.el7
- kvm-vnc-Fix-qemu-crashed-when-vnc-client-disconnect-sudd.patch [bz#1527405]