diff --git a/SOURCES/kvm-Enable-SGX-RH-Only.patch b/SOURCES/kvm-Enable-SGX-RH-Only.patch
new file mode 100644
index 0000000..efc8cac
--- /dev/null
+++ b/SOURCES/kvm-Enable-SGX-RH-Only.patch
@@ -0,0 +1,28 @@
+From db6e042fe4fdc1a1bbf562a46b15d4d8e33e2fa6 Mon Sep 17 00:00:00 2001
+From: Paul Lai <plai@redhat.com>
+Date: Tue, 25 Jan 2022 15:16:22 -0500
+Subject: [PATCH 4/7] Enable SGX  -- RH Only
+
+RH-Author: Paul Lai <None>
+RH-MergeRequest: 111: numa: Enable numa for SGX EPC sections
+RH-Commit: [4/5] cea874f29984897ef1232fb7749c13203c888034
+RH-Bugzilla: 1518984
+RH-Acked-by: Paolo Bonzini <None>
+RH-Acked-by: Bandan Das <None>
+RH-Acked-by: Cornelia Huck <cohuck@redhat.com>
+---
+ configs/devices/x86_64-softmmu/x86_64-rh-devices.mak | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/configs/devices/x86_64-softmmu/x86_64-rh-devices.mak b/configs/devices/x86_64-softmmu/x86_64-rh-devices.mak
+index ddf036f042..fdbbdf9742 100644
+--- a/configs/devices/x86_64-softmmu/x86_64-rh-devices.mak
++++ b/configs/devices/x86_64-softmmu/x86_64-rh-devices.mak
+@@ -102,3 +102,4 @@ CONFIG_TPM_CRB=y
+ CONFIG_TPM_TIS_ISA=y
+ CONFIG_TPM_EMULATOR=y
+ CONFIG_TPM_PASSTHROUGH=y
++CONFIG_SGX=y
+-- 
+2.27.0
+
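Review bot: `CONFIG_SGX=y` is appended directly after the TPM options in x86_64-rh-devices.mak with no comment, and the embedded patch carries no description beyond its tags, so neither the file nor the commit says what the switch builds or why it is downstream-only. A one-line comment above it would record that, e.g. `# SGX EPC support for guests, RH-only enablement (bz 1518984)`. Since this presumably makes an additional guest-visible device model available in the RHEL build, the description should also state which machine types are expected to use it.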
diff --git a/SOURCES/kvm-RHEL-disable-seqpacket-for-vhost-vsock-device-in-rhe.patch b/SOURCES/kvm-RHEL-disable-seqpacket-for-vhost-vsock-device-in-rhe.patch
new file mode 100644
index 0000000..27cc557
--- /dev/null
+++ b/SOURCES/kvm-RHEL-disable-seqpacket-for-vhost-vsock-device-in-rhe.patch
@@ -0,0 +1,107 @@
+From e0e4f01c6f4fb5881960f72ae4e80951b711131e Mon Sep 17 00:00:00 2001
+From: Stefano Garzarella <sgarzare@redhat.com>
+Date: Thu, 24 Mar 2022 16:04:57 +0100
+Subject: [PATCH 1/5] RHEL: disable "seqpacket" for "vhost-vsock-device" in
+ rhel8.6.0
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Stefano Garzarella <sgarzare@redhat.com>
+RH-MergeRequest: 136: RHEL: disable "seqpacket" for "vhost-vsock-device" in rhel8.6.0 [rhel-8.7.0]
+RH-Commit: [1/1] d82ea09e123679521503689f7d9af1c03dc71bfc
+RH-Bugzilla: 2068202
+RH-Acked-by: Jason Wang <None>
+RH-Acked-by: Eugenio Pérez <None>
+RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+
+vhost-vsock device in RHEL 8 kernels doesn't support seqpacket.
+To avoid problems when migrating a VM from RHEL 9 host, we need to
+disable it in rhel8-* machine types.
+
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+---
+ hw/core/machine.c          | 10 ++++++++++
+ hw/i386/pc_piix.c          |  2 ++
+ hw/i386/pc_q35.c           |  2 ++
+ hw/s390x/s390-virtio-ccw.c |  1 +
+ include/hw/boards.h        |  3 +++
+ 5 files changed, 18 insertions(+)
+
+diff --git a/hw/core/machine.c b/hw/core/machine.c
+index 024b025fc2..76fcabec7a 100644
+--- a/hw/core/machine.c
++++ b/hw/core/machine.c
+@@ -37,6 +37,16 @@
+ #include "hw/virtio/virtio.h"
+ #include "hw/virtio/virtio-pci.h"
+ 
++GlobalProperty hw_compat_rhel_8_6[] = {
++    /* hw_compat_rhel_8_6 bz 2068202 */
++    /*
++     * vhost-vsock device in RHEL 8 kernels doesn't support seqpacket, so
++     * we need do disable it downstream on the latest hw_compat_rhel_8.
++     */
++    { "vhost-vsock-device", "seqpacket", "off" },
++};
++const size_t hw_compat_rhel_8_6_len = G_N_ELEMENTS(hw_compat_rhel_8_6);
++
+ /*
+  * Mostly the same as hw_compat_6_0 and hw_compat_6_1
+  */
+diff --git a/hw/i386/pc_piix.c b/hw/i386/pc_piix.c
+index f03a8f0db8..ab6d03e07a 100644
+--- a/hw/i386/pc_piix.c
++++ b/hw/i386/pc_piix.c
+@@ -998,6 +998,8 @@ static void pc_machine_rhel760_options(MachineClass *m)
+     pcmc->kvmclock_create_always = false;
+     /* From pc_i440fx_5_1_machine_options() */
+     pcmc->pci_root_uid = 1;
++    compat_props_add(m->compat_props, hw_compat_rhel_8_6,
++                     hw_compat_rhel_8_6_len);
+     compat_props_add(m->compat_props, hw_compat_rhel_8_5,
+                      hw_compat_rhel_8_5_len);
+     compat_props_add(m->compat_props, pc_rhel_8_5_compat,
+diff --git a/hw/i386/pc_q35.c b/hw/i386/pc_q35.c
+index 5559261d9e..882fe7a68d 100644
+--- a/hw/i386/pc_q35.c
++++ b/hw/i386/pc_q35.c
+@@ -658,6 +658,8 @@ static void pc_q35_machine_rhel860_options(MachineClass *m)
+     m->desc = "RHEL-8.6.0 PC (Q35 + ICH9, 2009)";
+     pcmc->smbios_stream_product = "RHEL-AV";
+     pcmc->smbios_stream_version = "8.6.0";
++    compat_props_add(m->compat_props, hw_compat_rhel_8_6,
++                     hw_compat_rhel_8_6_len);
+ }
+ 
+ DEFINE_PC_MACHINE(q35_rhel860, "pc-q35-rhel8.6.0", pc_q35_init_rhel860,
+diff --git a/hw/s390x/s390-virtio-ccw.c b/hw/s390x/s390-virtio-ccw.c
+index 9795eb9406..bec270598b 100644
+--- a/hw/s390x/s390-virtio-ccw.c
++++ b/hw/s390x/s390-virtio-ccw.c
+@@ -1109,6 +1109,7 @@ static void ccw_machine_rhel860_instance_options(MachineState *machine)
+ 
+ static void ccw_machine_rhel860_class_options(MachineClass *mc)
+ {
++    compat_props_add(mc->compat_props, hw_compat_rhel_8_6, hw_compat_rhel_8_6_len);
+ }
+ DEFINE_CCW_MACHINE(rhel860, "rhel8.6.0", true);
+ 
+diff --git a/include/hw/boards.h b/include/hw/boards.h
+index 04e8759815..4ddb798144 100644
+--- a/include/hw/boards.h
++++ b/include/hw/boards.h
+@@ -443,6 +443,9 @@ extern const size_t hw_compat_2_2_len;
+ extern GlobalProperty hw_compat_2_1[];
+ extern const size_t hw_compat_2_1_len;
+ 
++extern GlobalProperty hw_compat_rhel_8_6[];
++extern const size_t hw_compat_rhel_8_6_len;
++
+ extern GlobalProperty hw_compat_rhel_8_5[];
+ extern const size_t hw_compat_rhel_8_5_len;
+ 
+-- 
+2.27.0
+
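Review bot: The comment added above the `hw_compat_rhel_8_6` entry in hw/core/machine.c has a typo and a vague scope; `we need do disable it downstream on the latest hw_compat_rhel_8.` would read better as `we need to disable it downstream in the newest hw_compat_rhel_8_* list.` The call added in hw/s390x/s390-virtio-ccw.c runs past 80 columns and should be wrapped like the two x86 call sites, with `hw_compat_rhel_8_6_len);` on a continuation line. The functions in pc_piix.c and pc_q35.c start outside their hunks, so whether every rhel8 machine type ends up with this list cannot be confirmed from the lines shown.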
diff --git a/SOURCES/kvm-Revert-redhat-Add-hw_compat_4_2_extra-and-apply-to-u.patch b/SOURCES/kvm-Revert-redhat-Add-hw_compat_4_2_extra-and-apply-to-u.patch
new file mode 100644
index 0000000..56af50f
--- /dev/null
+++ b/SOURCES/kvm-Revert-redhat-Add-hw_compat_4_2_extra-and-apply-to-u.patch
@@ -0,0 +1,93 @@
+From e626dc16d130c724c400b99a93daad0a9abeae59 Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Tue, 22 Mar 2022 19:23:36 -0400
+Subject: [PATCH 01/18] Revert "redhat: Add hw_compat_4_2_extra and apply to
+ upstream machines"
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+RH-MergeRequest: 131: Revert "redhat: Add hw_compat_4_2_extra and apply to upstream machines"
+RH-Commit: [1/3] 47b7d9e5062f5e215d5ed1a3ecdc1a87ac3fa630 (jmaloy/qemu-kvm)
+RH-Bugzilla: 2062613
+RH-Acked-by: Peter Xu <peterx@redhat.com>
+RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+
+BZ: https://bugzilla.redhat.com/2062613
+UPSTREAM: no
+BREW: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=44038000
+
+commit dc2e9ec1e014950c7918e23a3e9b0096b34a4a92
+Author: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Date:   Wed Mar 9 10:31:53 2022 +0000
+
+    Revert "redhat: Add hw_compat_4_2_extra and apply to upstream machines"
+
+    This reverts commit 66882f9a3230246409f3918424aca26add5c034a.
+    We no longer need these compat machines it was added for.
+
+    Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+
+(cherry picked from commit dc2e9ec1e014950c7918e23a3e9b0096b34a4a92)
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+---
+ hw/i386/pc.c         | 12 ------------
+ hw/i386/pc_piix.c    |  6 ------
+ include/hw/i386/pc.h |  3 ---
+ 3 files changed, 21 deletions(-)
+
+diff --git a/hw/i386/pc.c b/hw/i386/pc.c
+index 4c08a1971c..357257349b 100644
+--- a/hw/i386/pc.c
++++ b/hw/i386/pc.c
+@@ -670,18 +670,6 @@ GlobalProperty pc_rhel_7_0_compat[] = {
+ };
+ const size_t pc_rhel_7_0_compat_len = G_N_ELEMENTS(pc_rhel_7_0_compat);
+ 
+-/*
+- * RHEL: These properties only apply to the RHEL exported machine types
+- * pc-4.2/2.11 for the purpose to have a limited upstream machines support
+- * which can be migrated to RHEL.  Let's avoid touching hw_compat_4_2 directly
+- * so that we can have some isolation against the upstream code.
+- */
+-GlobalProperty hw_compat_4_2_extra[] = {
+-    /* By default enlarge the default virtio-net-pci ROM to 512KB. */
+-    { "virtio-net-pci", "romsize", "0x80000" },
+-};
+-const size_t hw_compat_4_2_extra_len = G_N_ELEMENTS(hw_compat_4_2_extra);
+-
+ GSIState *pc_gsi_create(qemu_irq **irqs, bool pci_enabled)
+ {
+     GSIState *s;
+diff --git a/hw/i386/pc_piix.c b/hw/i386/pc_piix.c
+index c30057c443..7b7076cbc7 100644
+--- a/hw/i386/pc_piix.c
++++ b/hw/i386/pc_piix.c
+@@ -531,12 +531,6 @@ static void pc_i440fx_4_2_machine_options(MachineClass *m)
+      * supported by RHEL, even if exported.
+      */
+     m->deprecation_reason = "Not supported by RHEL";
+-    /*
+-     * RHEL: Specific compat properties to have limited support for upstream
+-     * machines exported.
+-     */
+-    compat_props_add(m->compat_props, hw_compat_4_2_extra,
+-                     hw_compat_4_2_extra_len);
+ }
+ 
+ /* RHEL: Export pc-4.2 */
+diff --git a/include/hw/i386/pc.h b/include/hw/i386/pc.h
+index 9e8bfb69f8..4a593acb50 100644
+--- a/include/hw/i386/pc.h
++++ b/include/hw/i386/pc.h
+@@ -325,9 +325,6 @@ extern const size_t pc_rhel_7_1_compat_len;
+ extern GlobalProperty pc_rhel_7_0_compat[];
+ extern const size_t pc_rhel_7_0_compat_len;
+ 
+-extern GlobalProperty hw_compat_4_2_extra[];
+-extern const size_t hw_compat_4_2_extra_len;
+-
+ /* Helper for setting model-id for CPU models that changed model-id
+  * depending on QEMU versions up to QEMU 2.4.
+  */
+-- 
+2.27.0
+
diff --git a/SOURCES/kvm-Revert-redhat-Enable-FDC-device-for-upstream-machine.patch b/SOURCES/kvm-Revert-redhat-Enable-FDC-device-for-upstream-machine.patch
new file mode 100644
index 0000000..1b2051a
--- /dev/null
+++ b/SOURCES/kvm-Revert-redhat-Enable-FDC-device-for-upstream-machine.patch
@@ -0,0 +1,53 @@
+From 5bf8f1d69fea1225e927fbb3efe549a2a9d47d92 Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Tue, 22 Mar 2022 19:23:36 -0400
+Subject: [PATCH 02/18] Revert "redhat: Enable FDC device for upstream machines
+ too"
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+RH-MergeRequest: 131: Revert "redhat: Add hw_compat_4_2_extra and apply to upstream machines"
+RH-Commit: [2/3] 4e3c945e3de9bb9d9a6d24115f0719168c9669fe (jmaloy/qemu-kvm)
+RH-Bugzilla: 2062613
+RH-Acked-by: Peter Xu <peterx@redhat.com>
+RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+
+BZ: https://bugzilla.redhat.com/2062613
+UPSTREAM: no
+BREW: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=44038000
+
+commit 597cb6ca1da4a3eea77c1e4928f55203a1d5c70c
+Author: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Date:   Wed Mar 9 10:32:39 2022 +0000
+
+    Revert "redhat: Enable FDC device for upstream machines too"
+
+    This reverts commit c4d1aa8bf21fe98da94a9cff30b7c25bed12c17f.
+    We no longer need these compat machines it was added for.
+
+  Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+
+(cherry picked from commit 597cb6ca1da4a3eea77c1e4928f55203a1d5c70c)
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+---
+ hw/block/fdc.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/hw/block/fdc.c b/hw/block/fdc.c
+index 63042ef030..97fa6de423 100644
+--- a/hw/block/fdc.c
++++ b/hw/block/fdc.c
+@@ -2341,10 +2341,7 @@ void fdctrl_realize_common(DeviceState *dev, FDCtrl *fdctrl, Error **errp)
+ 
+     /* Restricted for Red Hat Enterprise Linux: */
+     MachineClass *mc = MACHINE_GET_CLASS(qdev_get_machine());
+-    if (!strstr(mc->name, "-rhel7.") &&
+-        /* Exported two upstream machine types allows FDC too */
+-        strcmp(mc->name, "pc-i440fx-4.2") &&
+-        strcmp(mc->name, "pc-i440fx-2.11")) {
++    if (!strstr(mc->name, "-rhel7.")) {
+         error_setg(errp, "Device %s is not supported with machine type %s",
+                    object_get_typename(OBJECT(dev)), mc->name);
+         return;
+-- 
+2.27.0
+
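Review bot: The gate left by this change, `if (!strstr(mc->name, "-rhel7."))`, decides whether the floppy controller may be realized by a substring match on the machine type name, so any machine type whose name merely contains `-rhel7.` is accepted. As this is the only restriction visible here, the intent should be stated next to it, e.g. `/* FDC is only permitted on the legacy *-rhel7.* machine types */`. A per-MachineClass flag instead of name matching would be sturdier if further machine types are added. fdctrl_realize_common() starts and ends outside the hunk.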
diff --git a/SOURCES/kvm-Revert-redhat-Expose-upstream-machines-pc-4.2-and-pc.patch b/SOURCES/kvm-Revert-redhat-Expose-upstream-machines-pc-4.2-and-pc.patch
new file mode 100644
index 0000000..27e3dc9
--- /dev/null
+++ b/SOURCES/kvm-Revert-redhat-Expose-upstream-machines-pc-4.2-and-pc.patch
@@ -0,0 +1,191 @@
+From ee3cae3bb349469edcf725a1c5161521e95dcb9f Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Tue, 22 Mar 2022 19:23:36 -0400
+Subject: [PATCH 03/18] Revert "redhat: Expose upstream machines pc-4.2 and
+ pc-2.11"
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+RH-MergeRequest: 131: Revert "redhat: Add hw_compat_4_2_extra and apply to upstream machines"
+RH-Commit: [3/3] 35cee68034580f81b3aa916921eecd2fdfa7dd15 (jmaloy/qemu-kvm)
+RH-Bugzilla: 2062613
+RH-Acked-by: Peter Xu <peterx@redhat.com>
+RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+
+BZ: https://bugzilla.redhat.com/2062613
+UPSTREAM: no
+BREW: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=44038000
+
+commit f3b50d6d4ae0be9e64aafe6a15f5423bab4899e9
+Author: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Date:   Wed Mar 9 10:34:58 2022 +0000
+
+    Revert "redhat: Expose upstream machines pc-4.2 and pc-2.11"
+    This reverts commit 618e2424edba499d52cd26cf8363bc2dd85ef149.
+    We no longer need these compat machines.
+
+    Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+
+(cherry picked from commit f3b50d6d4ae0be9e64aafe6a15f5423bab4899e9)
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+---
+ hw/i386/pc_piix.c | 37 -------------------------------------
+ 1 file changed, 37 deletions(-)
+
+diff --git a/hw/i386/pc_piix.c b/hw/i386/pc_piix.c
+index 7b7076cbc7..f03a8f0db8 100644
+--- a/hw/i386/pc_piix.c
++++ b/hw/i386/pc_piix.c
+@@ -315,14 +315,6 @@ static void pc_init1(MachineState *machine,
+  * hw_compat_*, pc_compat_*, or * pc_*_machine_options().
+  */
+ 
+-/*
+- * NOTE!  Not all the upstream machine types are disabled for RHEL.  For
+- * providing a very limited support for upstream machine types, pc machines
+- * 2.11 and 4.2 are exposed explicitly.  This will make the below "#if" macros
+- * a bit messed up, but please read this comment first so that we can have a
+- * rough understanding of what we're going to do.
+- */
+-
+ #if 0 /* Disabled for Red Hat Enterprise Linux */
+ static void pc_compat_2_3_fn(MachineState *machine)
+ {
+@@ -399,8 +391,6 @@ static void pc_xen_hvm_init(MachineState *machine)
+ }
+ #endif
+ 
+-#endif /* Disabled for Red Hat Enterprise Linux */
+-
+ #define DEFINE_I440FX_MACHINE(suffix, name, compatfn, optionfn) \
+     static void pc_init_##suffix(MachineState *machine) \
+     { \
+@@ -465,10 +455,8 @@ static void pc_i440fx_6_0_machine_options(MachineClass *m)
+     compat_props_add(m->compat_props, pc_compat_6_0, pc_compat_6_0_len);
+ }
+ 
+-#if 0 /* Disabled for Red Hat Enterprise Linux */
+ DEFINE_I440FX_MACHINE(v6_0, "pc-i440fx-6.0", NULL,
+                       pc_i440fx_6_0_machine_options);
+-#endif /* Disabled for Red Hat Enterprise Linux */
+ 
+ static void pc_i440fx_5_2_machine_options(MachineClass *m)
+ {
+@@ -479,10 +467,8 @@ static void pc_i440fx_5_2_machine_options(MachineClass *m)
+     compat_props_add(m->compat_props, pc_compat_5_2, pc_compat_5_2_len);
+ }
+ 
+-#if 0 /* Disabled for Red Hat Enterprise Linux */
+ DEFINE_I440FX_MACHINE(v5_2, "pc-i440fx-5.2", NULL,
+                       pc_i440fx_5_2_machine_options);
+-#endif /* Disabled for Red Hat Enterprise Linux */
+ 
+ static void pc_i440fx_5_1_machine_options(MachineClass *m)
+ {
+@@ -497,10 +483,8 @@ static void pc_i440fx_5_1_machine_options(MachineClass *m)
+     pcmc->pci_root_uid = 1;
+ }
+ 
+-#if 0 /* Disabled for Red Hat Enterprise Linux */
+ DEFINE_I440FX_MACHINE(v5_1, "pc-i440fx-5.1", NULL,
+                       pc_i440fx_5_1_machine_options);
+-#endif /* Disabled for Red Hat Enterprise Linux */
+ 
+ static void pc_i440fx_5_0_machine_options(MachineClass *m)
+ {
+@@ -513,10 +497,8 @@ static void pc_i440fx_5_0_machine_options(MachineClass *m)
+     m->auto_enable_numa_with_memdev = false;
+ }
+ 
+-#if 0 /* Disabled for Red Hat Enterprise Linux */
+ DEFINE_I440FX_MACHINE(v5_0, "pc-i440fx-5.0", NULL,
+                       pc_i440fx_5_0_machine_options);
+-#endif /* Disabled for Red Hat Enterprise Linux */
+ 
+ static void pc_i440fx_4_2_machine_options(MachineClass *m)
+ {
+@@ -525,15 +507,8 @@ static void pc_i440fx_4_2_machine_options(MachineClass *m)
+     m->is_default = false;
+     compat_props_add(m->compat_props, hw_compat_4_2, hw_compat_4_2_len);
+     compat_props_add(m->compat_props, pc_compat_4_2, pc_compat_4_2_len);
+-
+-    /*
+-     * RHEL: Mark all upstream machines as deprecated because they're not
+-     * supported by RHEL, even if exported.
+-     */
+-    m->deprecation_reason = "Not supported by RHEL";
+ }
+ 
+-/* RHEL: Export pc-4.2 */
+ DEFINE_I440FX_MACHINE(v4_2, "pc-i440fx-4.2", NULL,
+                       pc_i440fx_4_2_machine_options);
+ 
+@@ -546,10 +521,8 @@ static void pc_i440fx_4_1_machine_options(MachineClass *m)
+     compat_props_add(m->compat_props, pc_compat_4_1, pc_compat_4_1_len);
+ }
+ 
+-#if 0 /* Disabled for Red Hat Enterprise Linux */
+ DEFINE_I440FX_MACHINE(v4_1, "pc-i440fx-4.1", NULL,
+                       pc_i440fx_4_1_machine_options);
+-#endif /* Disabled for Red Hat Enterprise Linux */
+ 
+ static void pc_i440fx_4_0_machine_options(MachineClass *m)
+ {
+@@ -562,10 +535,8 @@ static void pc_i440fx_4_0_machine_options(MachineClass *m)
+     compat_props_add(m->compat_props, pc_compat_4_0, pc_compat_4_0_len);
+ }
+ 
+-#if 0 /* Disabled for Red Hat Enterprise Linux */
+ DEFINE_I440FX_MACHINE(v4_0, "pc-i440fx-4.0", NULL,
+                       pc_i440fx_4_0_machine_options);
+-#endif /* Disabled for Red Hat Enterprise Linux */
+ 
+ static void pc_i440fx_3_1_machine_options(MachineClass *m)
+ {
+@@ -581,10 +552,8 @@ static void pc_i440fx_3_1_machine_options(MachineClass *m)
+     compat_props_add(m->compat_props, pc_compat_3_1, pc_compat_3_1_len);
+ }
+ 
+-#if 0 /* Disabled for Red Hat Enterprise Linux */
+ DEFINE_I440FX_MACHINE(v3_1, "pc-i440fx-3.1", NULL,
+                       pc_i440fx_3_1_machine_options);
+-#endif /* Disabled for Red Hat Enterprise Linux */
+ 
+ static void pc_i440fx_3_0_machine_options(MachineClass *m)
+ {
+@@ -593,10 +562,8 @@ static void pc_i440fx_3_0_machine_options(MachineClass *m)
+     compat_props_add(m->compat_props, pc_compat_3_0, pc_compat_3_0_len);
+ }
+ 
+-#if 0 /* Disabled for Red Hat Enterprise Linux */
+ DEFINE_I440FX_MACHINE(v3_0, "pc-i440fx-3.0", NULL,
+                       pc_i440fx_3_0_machine_options);
+-#endif /* Disabled for Red Hat Enterprise Linux */
+ 
+ static void pc_i440fx_2_12_machine_options(MachineClass *m)
+ {
+@@ -605,10 +572,8 @@ static void pc_i440fx_2_12_machine_options(MachineClass *m)
+     compat_props_add(m->compat_props, pc_compat_2_12, pc_compat_2_12_len);
+ }
+ 
+-#if 0 /* Disabled for Red Hat Enterprise Linux */
+ DEFINE_I440FX_MACHINE(v2_12, "pc-i440fx-2.12", NULL,
+                       pc_i440fx_2_12_machine_options);
+-#endif /* Disabled for Red Hat Enterprise Linux */
+ 
+ static void pc_i440fx_2_11_machine_options(MachineClass *m)
+ {
+@@ -617,11 +582,9 @@ static void pc_i440fx_2_11_machine_options(MachineClass *m)
+     compat_props_add(m->compat_props, pc_compat_2_11, pc_compat_2_11_len);
+ }
+ 
+-/* RHEL: Export pc-2.11 */
+ DEFINE_I440FX_MACHINE(v2_11, "pc-i440fx-2.11", NULL,
+                       pc_i440fx_2_11_machine_options);
+ 
+-#if 0 /* Disabled for Red Hat Enterprise Linux */
+ static void pc_i440fx_2_10_machine_options(MachineClass *m)
+ {
+     pc_i440fx_2_11_machine_options(m);
+-- 
+2.27.0
+
diff --git a/SOURCES/kvm-acpi-fix-OEM-ID-OEM-Table-ID-padding.patch b/SOURCES/kvm-acpi-fix-OEM-ID-OEM-Table-ID-padding.patch
new file mode 100644
index 0000000..9d2594f
--- /dev/null
+++ b/SOURCES/kvm-acpi-fix-OEM-ID-OEM-Table-ID-padding.patch
@@ -0,0 +1,78 @@
+From af082f3499de265d123157d097b5c84981e0aa63 Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Wed, 30 Mar 2022 14:52:34 -0400
+Subject: [PATCH 15/18] acpi: fix OEM ID/OEM Table ID padding
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+RH-MergeRequest: 141: acpi: fix QEMU crash when started with SLIC table
+RH-Commit: [7/10] 51ea859cbe12b5a902d529ab589d18757d98f71d (jmaloy/qemu-kvm)
+RH-Bugzilla: 2062611
+RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2062611
+Upstream: Merged
+
+commit 748c030f360a940fe0c9382c8ca1649096c3a80d
+Author: Igor Mammedov <imammedo@redhat.com>
+Date:   Wed Jan 12 08:03:31 2022 -0500
+
+    acpi: fix OEM ID/OEM Table ID padding
+
+    Commit [2] broke original '\0' padding of OEM ID and OEM Table ID
+    fields in headers of ACPI tables. While it doesn't have impact on
+    default values since QEMU uses 6 and 8 characters long values
+    respectively, it broke usecase where IDs are provided on QEMU CLI.
+    It shouldn't affect guest (but may cause licensing verification
+    issues in guest OS).
+    One of the broken usecases is user supplied SLIC table with IDs
+    shorter than max possible length, where [2] mangles IDs with extra
+    spaces in RSDT and FADT tables whereas guest OS expects those to
+    mirror the respective values of the used SLIC table.
+
+    Fix it by replacing whitespace padding with '\0' padding in
+    accordance with [1] and expectations of guest OS
+
+    1) ACPI spec, v2.0b
+           17.2 AML Grammar Definition
+           ...
+           //OEM ID of up to 6 characters. If the OEM ID is
+           //shorter than 6 characters, it can be terminated
+           //with a NULL character.
+
+    2)
+    Fixes: 602b458201 ("acpi: Permit OEM ID and OEM table ID fields to be changed")
+    Resolves: https://gitlab.com/qemu-project/qemu/-/issues/707
+    Reported-by: Dmitry V. Orekhov <dima.orekhov@gmail.com>
+    Signed-off-by: Igor Mammedov <imammedo@redhat.com>
+    Cc: qemu-stable@nongnu.org
+    Message-Id: <20220112130332.1648664-4-imammedo@redhat.com>
+    Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+    Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+    Reviewed-by: Ani Sinha <ani@anisinha.ca>
+    Tested-by: Dmitry V. Orekhov dima.orekhov@gmail.com
+
+(cherry picked from commit 748c030f360a940fe0c9382c8ca1649096c3a80d)
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+---
+ hw/acpi/aml-build.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/hw/acpi/aml-build.c b/hw/acpi/aml-build.c
+index b3b3310df3..65148d5b9d 100644
+--- a/hw/acpi/aml-build.c
++++ b/hw/acpi/aml-build.c
+@@ -1724,9 +1724,9 @@ void acpi_table_begin(AcpiTable *desc, GArray *array)
+     build_append_int_noprefix(array, 0, 4); /* Length */
+     build_append_int_noprefix(array, desc->rev, 1); /* Revision */
+     build_append_int_noprefix(array, 0, 1); /* Checksum */
+-    build_append_padded_str(array, desc->oem_id, 6, ' '); /* OEMID */
++    build_append_padded_str(array, desc->oem_id, 6, '\0'); /* OEMID */
+     /* OEM Table ID */
+-    build_append_padded_str(array, desc->oem_table_id, 8, ' ');
++    build_append_padded_str(array, desc->oem_table_id, 8, '\0');
+     build_append_int_noprefix(array, 1, 4); /* OEM Revision */
+     g_array_append_vals(array, ACPI_BUILD_APPNAME8, 4); /* Creator ID */
+     build_append_int_noprefix(array, 1, 4); /* Creator Revision */
+-- 
+2.27.0
+
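Review bot: Neither changed call in acpi_table_begin() says why the pad byte is `'\0'`, and the previous space padding was itself a regression, so the reason belongs at the call site. I would extend the existing comments, e.g. `/* OEMID, NUL-padded so RSDT/FADT mirror a user-supplied SLIC */`, with the same wording on the `/* OEM Table ID */` line. The field widths `6` and `8` are bare literals here and again in the related SLIC fix in hw/acpi/core.c; named constants would keep the two in step. acpi_table_begin() continues outside the hunk.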
diff --git a/SOURCES/kvm-acpi-fix-QEMU-crash-when-started-with-SLIC-table.patch b/SOURCES/kvm-acpi-fix-QEMU-crash-when-started-with-SLIC-table.patch
new file mode 100644
index 0000000..a6b1151
--- /dev/null
+++ b/SOURCES/kvm-acpi-fix-QEMU-crash-when-started-with-SLIC-table.patch
@@ -0,0 +1,108 @@
+From 4e8fb957a349558648d5cddb80a89460bc97439e Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Wed, 30 Mar 2022 14:52:34 -0400
+Subject: [PATCH 09/18] acpi: fix QEMU crash when started with SLIC table
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+RH-MergeRequest: 141: acpi: fix QEMU crash when started with SLIC table
+RH-Commit: [1/10] 0c34e80346c33da4f220d9c486b120c35005144e (jmaloy/qemu-kvm)
+RH-Bugzilla: 2062611
+RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2062611
+Upstream: Merged
+
+commit 8cdb99af45365727ac17f45239a9b8c1d5155c6d)
+Author: Igor Mammedov <imammedo@redhat.com>
+Date:   Mon Dec 27 14:31:17 2021 -0500
+
+    acpi: fix QEMU crash when started with SLIC table
+
+    if QEMU is started with used provided SLIC table blob,
+
+      -acpitable sig=SLIC,oem_id='CRASH ',oem_table_id="ME",oem_rev=00002210,asl_compiler_id="",asl_compiler_rev=00000000,data=/dev/null
+    it will assert with:
+
+      hw/acpi/aml-build.c:61:build_append_padded_str: assertion failed: (len <= maxlen)
+
+    and following backtrace:
+
+      ...
+      build_append_padded_str (array=0x555556afe320, str=0x555556afdb2e "CRASH ME", maxlen=0x6, pad=0x20) at hw/acpi/aml-build.c:61
+      acpi_table_begin (desc=0x7fffffffd1b0, array=0x555556afe320) at hw/acpi/aml-build.c:1727
+      build_fadt (tbl=0x555556afe320, linker=0x555557ca3830, f=0x7fffffffd318, oem_id=0x555556afdb2e "CRASH ME", oem_table_id=0x555556afdb34 "ME") at hw/acpi/aml-build.c:2064
+      ...
+
+    which happens due to acpi_table_begin() expecting NULL terminated
+    oem_id and oem_table_id strings, which is normally the case, but
+    in case of user provided SLIC table, oem_id points to table's blob
+    directly and as result oem_id became longer than expected.
+
+    Fix issue by handling oem_id consistently and make acpi_get_slic_oem()
+    return NULL terminated strings.
+
+    PS:
+    After [1] refactoring, oem_id semantics became inconsistent, where
+    NULL terminated string was coming from machine and old way pointer
+    into byte array coming from -acpitable option. That used to work
+    since build_header() wasn't expecting NULL terminated string and
+    blindly copied the 1st 6 bytes only.
+
+    However commit [2] broke that by replacing build_header() with
+    acpi_table_begin(), which was expecting NULL terminated string
+    and was checking oem_id size.
+
+    1) 602b45820 ("acpi: Permit OEM ID and OEM table ID fields to be changed")
+    2)
+    Fixes: 4b56e1e4eb08 ("acpi: build_fadt: use acpi_table_begin()/acpi_table_end() instead of build_header()")
+    Resolves: https://gitlab.com/qemu-project/qemu/-/issues/786
+    Signed-off-by: Igor Mammedov <imammedo@redhat.com>
+    Message-Id: <20211227193120.1084176-2-imammedo@redhat.com>
+    Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+    Tested-by: Denis Lisov <dennis.lissov@gmail.com>
+    Tested-by: Alexander Tsoy <alexander@tsoy.me>
+    Cc: qemu-stable@nongnu.org
+    Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+    Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+
+(cherry picked from commit 8cdb99af45365727ac17f45239a9b8c1d5155c6d)
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+---
+ hw/acpi/core.c       | 4 ++--
+ hw/i386/acpi-build.c | 2 ++
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/hw/acpi/core.c b/hw/acpi/core.c
+index 1e004d0078..3e811bf03c 100644
+--- a/hw/acpi/core.c
++++ b/hw/acpi/core.c
+@@ -345,8 +345,8 @@ int acpi_get_slic_oem(AcpiSlicOem *oem)
+         struct acpi_table_header *hdr = (void *)(u - sizeof(hdr->_length));
+ 
+         if (memcmp(hdr->sig, "SLIC", 4) == 0) {
+-            oem->id = hdr->oem_id;
+-            oem->table_id = hdr->oem_table_id;
++            oem->id = g_strndup(hdr->oem_id, 6);
++            oem->table_id = g_strndup(hdr->oem_table_id, 8);
+             return 0;
+         }
+     }
+diff --git a/hw/i386/acpi-build.c b/hw/i386/acpi-build.c
+index a4478e77b7..acc4869db0 100644
+--- a/hw/i386/acpi-build.c
++++ b/hw/i386/acpi-build.c
+@@ -2726,6 +2726,8 @@ void acpi_build(AcpiBuildTables *tables, MachineState *machine)
+ 
+     /* Cleanup memory that's no longer used. */
+     g_array_free(table_offsets, true);
++    g_free(slic_oem.id);
++    g_free(slic_oem.table_id);
+ }
+ 
+ static void acpi_ram_update(MemoryRegion *mr, GArray *data)
+-- 
+2.27.0
+
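Review bot: With `oem->id = g_strndup(hdr->oem_id, 6);` acpi_get_slic_oem() now hands heap copies to its caller, but nothing at the function records that ownership transfer; acpi_build() frees them, and any other caller not shown here would leak. A short comment above the function would cover it: `/* On success oem->id and oem->table_id are g_strndup() copies; the caller must g_free() them. */`. The new `g_free(slic_oem.id);` in acpi_build() also appears to run when no SLIC table was found, so it relies on slic_oem being initialised to NULL before the lookup, which is outside the hunk and worth confirming. Both functions extend beyond the lines shown.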
diff --git a/SOURCES/kvm-acpi-pcihp-pcie-set-power-on-cap-on-parent-slot.patch b/SOURCES/kvm-acpi-pcihp-pcie-set-power-on-cap-on-parent-slot.patch
new file mode 100644
index 0000000..2be41b6
--- /dev/null
+++ b/SOURCES/kvm-acpi-pcihp-pcie-set-power-on-cap-on-parent-slot.patch
@@ -0,0 +1,140 @@
+From c9ceb175667cdeead59384a97a812367ae19c570 Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Wed, 23 Mar 2022 13:21:40 -0400
+Subject: [PATCH 06/18] acpi: pcihp: pcie: set power on cap on parent slot
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+RH-MergeRequest: 134: pci: expose TYPE_XIO3130_DOWNSTREAM name
+RH-Commit: [2/2] d883872647a6e90ec573140b2c171f3f53b600ab (jmaloy/qemu-kvm)
+RH-Bugzilla: 2062610
+RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
+RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
+
+BZ: https://bugzilla.redhat.com/2062610
+UPSTREAM: merged
+BREW: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=44038138
+
+commit 6b0969f1ec825984cd74619f0730be421b0c46fb
+Author: Igor Mammedov <imammedo@redhat.com>
+Date:   Tue Mar 1 10:11:59 2022 -0500
+
+    acpi: pcihp: pcie: set power on cap on parent slot
+
+    on creation a PCIDevice has power turned on at the end of pci_qdev_realize()
+    however later on if PCIe slot isn't populated with any children
+    it's power is turned off. It's fine if native hotplug is used
+    as plug callback will power slot on among other things.
+    However when ACPI hotplug is enabled it replaces native PCIe plug
+    callbacks with ACPI specific ones (acpi_pcihp_device_*plug_cb) and
+    as result slot stays powered off. It works fine as ACPI hotplug
+    on guest side takes care of enumerating/initializing hotplugged
+    device. But when later guest is migrated, call chain introduced by]
+    commit d5daff7d312 (pcie: implement slot power control for pcie root ports)
+
+       pcie_cap_slot_post_load()
+           -> pcie_cap_update_power()
+               -> pcie_set_power_device()
+                   -> pci_set_power()
+                       -> pci_update_mappings()
+
+    will disable earlier initialized BARs for the hotplugged device
+    in powered off slot due to commit 23786d13441 (pci: implement power state)
+    which disables BARs if power is off.
+
+    Fix it by setting PCI_EXP_SLTCTL_PCC to PCI_EXP_SLTCTL_PWR_ON
+    on slot (root port/downstream port) at the time a device
+    hotplugged into it. As result PCI_EXP_SLTCTL_PWR_ON is migrated
+    to target and above call chain keeps device plugged into it
+    powered on.
+
+    Fixes: d5daff7d312 ("pcie: implement slot power control for pcie root ports")
+    Fixes: 23786d13441 ("pci: implement power state")
+    Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2053584
+    Suggested-by: "Michael S. Tsirkin" <mst@redhat.com>
+    Signed-off-by: Igor Mammedov <imammedo@redhat.com>
+    Message-Id: <20220301151200.3507298-3-imammedo@redhat.com>
+    Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+    Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+
+(cherry picked from commit 6b0969f1ec825984cd74619f0730be421b0c46fb)
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+---
+ hw/acpi/pcihp.c       | 12 +++++++++++-
+ hw/pci/pcie.c         | 11 +++++++++++
+ include/hw/pci/pcie.h |  1 +
+ 3 files changed, 23 insertions(+), 1 deletion(-)
+
+diff --git a/hw/acpi/pcihp.c b/hw/acpi/pcihp.c
+index a5e182dd3a..be0e846b34 100644
+--- a/hw/acpi/pcihp.c
++++ b/hw/acpi/pcihp.c
+@@ -32,6 +32,7 @@
+ #include "hw/pci/pci_bridge.h"
+ #include "hw/pci/pci_host.h"
+ #include "hw/pci/pcie_port.h"
++#include "hw/pci-bridge/xio3130_downstream.h"
+ #include "hw/i386/acpi-build.h"
+ #include "hw/acpi/acpi.h"
+ #include "hw/pci/pci_bus.h"
+@@ -341,6 +342,8 @@ void acpi_pcihp_device_plug_cb(HotplugHandler *hotplug_dev, AcpiPciHpState *s,
+ {
+     PCIDevice *pdev = PCI_DEVICE(dev);
+     int slot = PCI_SLOT(pdev->devfn);
++    PCIDevice *bridge;
++    PCIBus *bus;
+     int bsel;
+ 
+     /* Don't send event when device is enabled during qemu machine creation:
+@@ -370,7 +373,14 @@ void acpi_pcihp_device_plug_cb(HotplugHandler *hotplug_dev, AcpiPciHpState *s,
+         return;
+     }
+ 
+-    bsel = acpi_pcihp_get_bsel(pci_get_bus(pdev));
++    bus = pci_get_bus(pdev);
++    bridge = pci_bridge_get_device(bus);
++    if (object_dynamic_cast(OBJECT(bridge), TYPE_PCIE_ROOT_PORT) ||
++        object_dynamic_cast(OBJECT(bridge), TYPE_XIO3130_DOWNSTREAM)) {
++        pcie_cap_slot_enable_power(bridge);
++    }
++
++    bsel = acpi_pcihp_get_bsel(bus);
+     g_assert(bsel >= 0);
+     s->acpi_pcihp_pci_status[bsel].up |= (1U << slot);
+     acpi_send_event(DEVICE(hotplug_dev), ACPI_PCI_HOTPLUG_STATUS);
+diff --git a/hw/pci/pcie.c b/hw/pci/pcie.c
+index d7d73a31e4..996f0e24fe 100644
+--- a/hw/pci/pcie.c
++++ b/hw/pci/pcie.c
+@@ -366,6 +366,17 @@ static void hotplug_event_clear(PCIDevice *dev)
+     }
+ }
+ 
++void pcie_cap_slot_enable_power(PCIDevice *dev)
++{
++    uint8_t *exp_cap = dev->config + dev->exp.exp_cap;
++    uint32_t sltcap = pci_get_long(exp_cap + PCI_EXP_SLTCAP);
++
++    if (sltcap & PCI_EXP_SLTCAP_PCP) {
++        pci_set_word_by_mask(exp_cap + PCI_EXP_SLTCTL,
++                             PCI_EXP_SLTCTL_PCC, PCI_EXP_SLTCTL_PWR_ON);
++    }
++}
++
+ static void pcie_set_power_device(PCIBus *bus, PCIDevice *dev, void *opaque)
+ {
+     bool *power = opaque;
+diff --git a/include/hw/pci/pcie.h b/include/hw/pci/pcie.h
+index 6063bee0ec..c27368d077 100644
+--- a/include/hw/pci/pcie.h
++++ b/include/hw/pci/pcie.h
+@@ -112,6 +112,7 @@ void pcie_cap_slot_write_config(PCIDevice *dev,
+                                 uint32_t addr, uint32_t val, int len);
+ int pcie_cap_slot_post_load(void *opaque, int version_id);
+ void pcie_cap_slot_push_attention_button(PCIDevice *dev);
++void pcie_cap_slot_enable_power(PCIDevice *dev);
+ 
+ void pcie_cap_root_init(PCIDevice *dev);
+ void pcie_cap_root_reset(PCIDevice *dev);
+-- 
+2.27.0
+
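Review bot: pcie_cap_slot_enable_power() in hw/pci/pcie.c is exported through pcie.h but computes `dev->config + dev->exp.exp_cap` without checking that the device has a PCI Express capability, and it has no comment stating that precondition. The one caller in acpi_pcihp_device_plug_cb() passes only root ports and xio3130 downstream ports, so this looks safe as used here. A comment such as `/* dev must be a PCIe port with a slot capability (exp.exp_cap set) */`, or an early `if (!dev->exp.exp_cap) { return; }`, would keep later callers from touching unrelated config space. The type test in pcihp.c hard-codes two port types, so any other downstream-port model would presumably keep the old powered-off behaviour. acpi_pcihp_device_plug_cb() continues outside the hunk.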
diff --git a/SOURCES/kvm-block-Lock-AioContext-for-drain_end-in-blockdev-reop.patch b/SOURCES/kvm-block-Lock-AioContext-for-drain_end-in-blockdev-reop.patch
new file mode 100644
index 0000000..eb0f3cf
--- /dev/null
+++ b/SOURCES/kvm-block-Lock-AioContext-for-drain_end-in-blockdev-reop.patch
@@ -0,0 +1,63 @@
+From b21fa5ecd9acf2b91839a2915fb4bb39dac4c803 Mon Sep 17 00:00:00 2001
+From: Kevin Wolf <kwolf@redhat.com>
+Date: Thu, 3 Feb 2022 15:05:33 +0100
+Subject: [PATCH 2/5] block: Lock AioContext for drain_end in blockdev-reopen
+
+RH-Author: Kevin Wolf <kwolf@redhat.com>
+RH-MergeRequest: 142: block: Lock AioContext for drain_end in blockdev-reopen
+RH-Commit: [1/2] 98de3b5987f88ea6b4b503f623d6c4475574e037
+RH-Bugzilla: 2067118
+RH-Acked-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Hanna Reitz <hreitz@redhat.com>
+
+bdrv_subtree_drained_end() requires the caller to hold the AioContext
+lock for the drained node. Not doing this for nodes outside of the main
+AioContext leads to crashes when AIO_WAIT_WHILE() needs to wait and
+tries to temporarily release the lock.
+
+Fixes: 3908b7a8994fa5ef7a89aa58cd5a02fc58141592
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2046659
+Reported-by: Qing Wang <qinwang@redhat.com>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+Message-Id: <20220203140534.36522-2-kwolf@redhat.com>
+Reviewed-by: Hanna Reitz <hreitz@redhat.com>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+(cherry picked from commit aba8205be0707b9d108e32254e186ba88107a869)
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+---
+ blockdev.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/blockdev.c b/blockdev.c
+index b35072644e..565f6a81fd 100644
+--- a/blockdev.c
++++ b/blockdev.c
+@@ -3562,6 +3562,7 @@ void qmp_blockdev_reopen(BlockdevOptionsList *reopen_list, Error **errp)
+ {
+     BlockReopenQueue *queue = NULL;
+     GSList *drained = NULL;
++    GSList *p;
+ 
+     /* Add each one of the BDS that we want to reopen to the queue */
+     for (; reopen_list != NULL; reopen_list = reopen_list->next) {
+@@ -3611,7 +3612,15 @@ void qmp_blockdev_reopen(BlockdevOptionsList *reopen_list, Error **errp)
+ 
+ fail:
+     bdrv_reopen_queue_free(queue);
+-    g_slist_free_full(drained, (GDestroyNotify) bdrv_subtree_drained_end);
++    for (p = drained; p; p = p->next) {
++        BlockDriverState *bs = p->data;
++        AioContext *ctx = bdrv_get_aio_context(bs);
++
++        aio_context_acquire(ctx);
++        bdrv_subtree_drained_end(bs);
++        aio_context_release(ctx);
++    }
++    g_slist_free(drained);
+ }
+ 
+ void qmp_blockdev_del(const char *node_name, Error **errp)
+-- 
+2.27.0
+
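Review bot: The loop added at the `fail:` label of qmp_blockdev_reopen() in blockdev.c replaces a one-line `g_slist_free_full()` call without a comment saying why. A later cleanup could fold it back into the destroy-notify form and bring back the unlocked call that the commit message says crashes. A short comment above the loop would pin the requirement, e.g. `/* bdrv_subtree_drained_end() must run under each node's AioContext lock, so it cannot be used as a GDestroyNotify */`. The function body extends beyond both hunks, so this is based only on the lines shown.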
diff --git a/SOURCES/kvm-block-backend-prevent-dangling-BDS-pointers-across-a.patch b/SOURCES/kvm-block-backend-prevent-dangling-BDS-pointers-across-a.patch
new file mode 100644
index 0000000..52d37d8
--- /dev/null
+++ b/SOURCES/kvm-block-backend-prevent-dangling-BDS-pointers-across-a.patch
@@ -0,0 +1,129 @@
+From bf4c15a3debbe68b6eb25c52174843470a9c014f Mon Sep 17 00:00:00 2001
+From: Stefan Hajnoczi <stefanha@redhat.com>
+Date: Tue, 11 Jan 2022 15:36:12 +0000
+Subject: [PATCH 3/6] block-backend: prevent dangling BDS pointers across
+ aio_poll()
+
+RH-Author: Stefan Hajnoczi <stefanha@redhat.com>
+RH-MergeRequest: 109: block-backend: prevent dangling BDS pointers across aio_poll()
+RH-Commit: [1/2] da5a59eddff0dc10be7de8e291fa675143d11d73
+RH-Bugzilla: 2021778 2036178
+RH-Acked-by: Hanna Reitz <hreitz@redhat.com>
+RH-Acked-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
+RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
+
+The BlockBackend root child can change when aio_poll() is invoked. This
+happens when a temporary filter node is removed upon blockjob
+completion, for example.
+
+Functions in block/block-backend.c must be aware of this when using a
+blk_bs() pointer across aio_poll() because the BlockDriverState refcnt
+may reach 0, resulting in a stale pointer.
+
+One example is scsi_device_purge_requests(), which calls blk_drain() to
+wait for in-flight requests to cancel. If the backup blockjob is active,
+then the BlockBackend root child is a temporary filter BDS owned by the
+blockjob. The blockjob can complete during bdrv_drained_begin() and the
+last reference to the BDS is released when the temporary filter node is
+removed. This results in a use-after-free when blk_drain() calls
+bdrv_drained_end(bs) on the dangling pointer.
+
+Explicitly hold a reference to bs across block APIs that invoke
+aio_poll().
+
+Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=2021778
+Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=2036178
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+Message-Id: <20220111153613.25453-2-stefanha@redhat.com>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+(cherry picked from commit 1e3552dbd28359d35967b7c28dc86cde1bc29205)
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+---
+ block/block-backend.c | 19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/block/block-backend.c b/block/block-backend.c
+index 12ef80ea17..23e727199b 100644
+--- a/block/block-backend.c
++++ b/block/block-backend.c
+@@ -822,16 +822,22 @@ BlockBackend *blk_by_public(BlockBackendPublic *public)
+ void blk_remove_bs(BlockBackend *blk)
+ {
+     ThrottleGroupMember *tgm = &blk->public.throttle_group_member;
+-    BlockDriverState *bs;
+     BdrvChild *root;
+ 
+     notifier_list_notify(&blk->remove_bs_notifiers, blk);
+     if (tgm->throttle_state) {
+-        bs = blk_bs(blk);
++        BlockDriverState *bs = blk_bs(blk);
++
++        /*
++         * Take a ref in case blk_bs() changes across bdrv_drained_begin(), for
++         * example, if a temporary filter node is removed by a blockjob.
++         */
++        bdrv_ref(bs);
+         bdrv_drained_begin(bs);
+         throttle_group_detach_aio_context(tgm);
+         throttle_group_attach_aio_context(tgm, qemu_get_aio_context());
+         bdrv_drained_end(bs);
++        bdrv_unref(bs);
+     }
+ 
+     blk_update_root_state(blk);
+@@ -1705,6 +1711,7 @@ void blk_drain(BlockBackend *blk)
+     BlockDriverState *bs = blk_bs(blk);
+ 
+     if (bs) {
++        bdrv_ref(bs);
+         bdrv_drained_begin(bs);
+     }
+ 
+@@ -1714,6 +1721,7 @@ void blk_drain(BlockBackend *blk)
+ 
+     if (bs) {
+         bdrv_drained_end(bs);
++        bdrv_unref(bs);
+     }
+ }
+ 
+@@ -2044,10 +2052,13 @@ static int blk_do_set_aio_context(BlockBackend *blk, AioContext *new_context,
+     int ret;
+ 
+     if (bs) {
++        bdrv_ref(bs);
++
+         if (update_root_node) {
+             ret = bdrv_child_try_set_aio_context(bs, new_context, blk->root,
+                                                  errp);
+             if (ret < 0) {
++                bdrv_unref(bs);
+                 return ret;
+             }
+         }
+@@ -2057,6 +2068,8 @@ static int blk_do_set_aio_context(BlockBackend *blk, AioContext *new_context,
+             throttle_group_attach_aio_context(tgm, new_context);
+             bdrv_drained_end(bs);
+         }
++
++        bdrv_unref(bs);
+     }
+ 
+     blk->ctx = new_context;
+@@ -2326,11 +2339,13 @@ void blk_io_limits_disable(BlockBackend *blk)
+     ThrottleGroupMember *tgm = &blk->public.throttle_group_member;
+     assert(tgm->throttle_state);
+     if (bs) {
++        bdrv_ref(bs);
+         bdrv_drained_begin(bs);
+     }
+     throttle_group_unregister_tgm(tgm);
+     if (bs) {
+         bdrv_drained_end(bs);
++        bdrv_unref(bs);
+     }
+ }
+ 
+-- 
+2.27.0
+
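Review bot: Only the blk_remove_bs() hunk explains the new reference; the `bdrv_ref(bs)`/`bdrv_unref(bs)` pairs added in blk_drain(), blk_do_set_aio_context() and blk_io_limits_disable() carry no comment. Without the commit message they look redundant, and removing one would reopen the use-after-free the description walks through. I would repeat a one-line reason at each site, e.g. `/* keep bs alive: blk_bs() can change across aio_poll() */`. In blk_do_set_aio_context() the early `return ret` does drop the reference, and a comment there would help keep any future exit path balanced as well. All four functions extend beyond their hunks.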
diff --git a/SOURCES/kvm-block-io-Update-BSC-only-if-want_zero-is-true.patch b/SOURCES/kvm-block-io-Update-BSC-only-if-want_zero-is-true.patch
new file mode 100644
index 0000000..c1ee128
--- /dev/null
+++ b/SOURCES/kvm-block-io-Update-BSC-only-if-want_zero-is-true.patch
@@ -0,0 +1,56 @@
+From 4c6eff78f4b31ec4bd7b42440396760d19fde63e Mon Sep 17 00:00:00 2001
+From: Hanna Reitz <hreitz@redhat.com>
+Date: Tue, 18 Jan 2022 17:59:59 +0100
+Subject: [PATCH 6/7] block/io: Update BSC only if want_zero is true
+
+RH-Author: Hanna Reitz <hreitz@redhat.com>
+RH-MergeRequest: 112: block/io: Update BSC only if want_zero is true
+RH-Commit: [1/2] a202de1f52110d1e871c3b5b58f2d9e9b5d17570
+RH-Bugzilla: 2041480
+RH-Acked-by: Eric Blake <eblake@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
+
+We update the block-status cache whenever we get new information from a
+bdrv_co_block_status() call to the block driver.  However, if we have
+passed want_zero=false to that call, it may flag areas containing zeroes
+as data, and so we would update the block-status cache with wrong
+information.
+
+Therefore, we should not update the cache with want_zero=false.
+
+Reported-by: Nir Soffer <nsoffer@redhat.com>
+Fixes: 0bc329fbb00 ("block: block-status cache for data regions")
+Reviewed-by: Nir Soffer <nsoffer@redhat.com>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Hanna Reitz <hreitz@redhat.com>
+Message-Id: <20220118170000.49423-2-hreitz@redhat.com>
+Reviewed-by: Eric Blake <eblake@redhat.com>
+Signed-off-by: Eric Blake <eblake@redhat.com>
+(cherry picked from commit 113b727ce788335cf76f65355d670c9bc130fd75)
+Signed-off-by: Hanna Reitz <hreitz@redhat.com>
+---
+ block/io.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/block/io.c b/block/io.c
+index bb0a254def..4e4cb556c5 100644
+--- a/block/io.c
++++ b/block/io.c
+@@ -2497,8 +2497,12 @@ static int coroutine_fn bdrv_co_block_status(BlockDriverState *bs,
+              * non-protocol nodes, and then it is never used.  However, filling
+              * the cache requires an RCU update, so double check here to avoid
+              * such an update if possible.
++             *
++             * Check want_zero, because we only want to update the cache when we
++             * have accurate information about what is zero and what is data.
+              */
+-            if (ret == (BDRV_BLOCK_DATA | BDRV_BLOCK_OFFSET_VALID) &&
++            if (want_zero &&
++                ret == (BDRV_BLOCK_DATA | BDRV_BLOCK_OFFSET_VALID) &&
+                 QLIST_EMPTY(&bs->children))
+             {
+                 /*
+-- 
+2.27.0
+
diff --git a/SOURCES/kvm-block-nbd-Assert-there-are-no-timers-when-closed.patch b/SOURCES/kvm-block-nbd-Assert-there-are-no-timers-when-closed.patch
new file mode 100644
index 0000000..324021b
--- /dev/null
+++ b/SOURCES/kvm-block-nbd-Assert-there-are-no-timers-when-closed.patch
@@ -0,0 +1,52 @@
+From d5a85fcf996948d1154e88e9ee3b4e8c64ec2694 Mon Sep 17 00:00:00 2001
+From: Hanna Reitz <hreitz@redhat.com>
+Date: Fri, 4 Feb 2022 12:10:08 +0100
+Subject: [PATCH 2/6] block/nbd: Assert there are no timers when closed
+
+RH-Author: Hanna Reitz <hreitz@redhat.com>
+RH-MergeRequest: 117: block/nbd: Handle AioContext changes
+RH-Commit: [2/6] 995795ae9844a7d2b28cb1e57fd7fe81482d0205
+RH-Bugzilla: 2035185
+RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
+RH-Acked-by: Eric Blake <eblake@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+
+Our two timers must not remain armed beyond nbd_clear_bdrvstate(), or
+they will access freed data when they fire.
+
+This patch is separate from the patches that actually fix the issue
+(HEAD^^ and HEAD^) so that you can run the associated regression iotest
+(281) on a configuration that reproducibly exposes the bug.
+
+Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+Signed-off-by: Hanna Reitz <hreitz@redhat.com>
+Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+(cherry picked from commit 8a39c381e5e407d2fe5500324323f90a8540fa90)
+
+Conflict:
+- block/nbd.c: open_timer was introduced after the 6.2 release (for
+  nbd's @open-timeout parameter), and has not been backported, so drop
+  the assertion that it is NULL
+
+Signed-off-by: Hanna Reitz <hreitz@redhat.com>
+---
+ block/nbd.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/block/nbd.c b/block/nbd.c
+index b8e5a9b4cc..aab20125d8 100644
+--- a/block/nbd.c
++++ b/block/nbd.c
+@@ -108,6 +108,9 @@ static void nbd_clear_bdrvstate(BlockDriverState *bs)
+ 
+     yank_unregister_instance(BLOCKDEV_YANK_INSTANCE(bs->node_name));
+ 
++    /* Must not leave timers behind that would access freed data */
++    assert(!s->reconnect_delay_timer);
++
+     object_unref(OBJECT(s->tlscreds));
+     qapi_free_SocketAddress(s->saddr);
+     s->saddr = NULL;
+-- 
+2.27.0
+
diff --git a/SOURCES/kvm-block-nbd-Delete-reconnect-delay-timer-when-done.patch b/SOURCES/kvm-block-nbd-Delete-reconnect-delay-timer-when-done.patch
new file mode 100644
index 0000000..7d1c000
--- /dev/null
+++ b/SOURCES/kvm-block-nbd-Delete-reconnect-delay-timer-when-done.patch
@@ -0,0 +1,54 @@
+From 8e23c0f208c6bd5bb64c4f6e4863b93fa6f4e9de Mon Sep 17 00:00:00 2001
+From: Hanna Reitz <hreitz@redhat.com>
+Date: Fri, 4 Feb 2022 12:10:06 +0100
+Subject: [PATCH 1/6] block/nbd: Delete reconnect delay timer when done
+
+RH-Author: Hanna Reitz <hreitz@redhat.com>
+RH-MergeRequest: 117: block/nbd: Handle AioContext changes
+RH-Commit: [1/6] 70814602a8a43a7c14857d76266d82b1aa5174a9
+RH-Bugzilla: 2035185
+RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
+RH-Acked-by: Eric Blake <eblake@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+
+We start the reconnect delay timer to cancel the reconnection attempt
+after a while.  Once nbd_co_do_establish_connection() has returned, this
+attempt is over, and we no longer need the timer.
+
+Delete it before returning from nbd_reconnect_attempt(), so that it does
+not persist beyond the I/O request that was paused for reconnecting; we
+do not want it to fire in a drained section, because all sort of things
+can happen in such a section (e.g. the AioContext might be changed, and
+we do not want the timer to fire in the wrong context; or the BDS might
+even be deleted, and so the timer CB would access already-freed data).
+
+Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+Signed-off-by: Hanna Reitz <hreitz@redhat.com>
+Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+(cherry picked from commit 3ce1fc16bad9c3f8b7b10b451a224d6d76e5c551)
+Signed-off-by: Hanna Reitz <hreitz@redhat.com>
+---
+ block/nbd.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/block/nbd.c b/block/nbd.c
+index 5ef462db1b..b8e5a9b4cc 100644
+--- a/block/nbd.c
++++ b/block/nbd.c
+@@ -353,6 +353,13 @@ static coroutine_fn void nbd_reconnect_attempt(BDRVNBDState *s)
+     }
+ 
+     nbd_co_do_establish_connection(s->bs, NULL);
++
++    /*
++     * The reconnect attempt is done (maybe successfully, maybe not), so
++     * we no longer need this timer.  Delete it so it will not outlive
++     * this I/O request (so draining removes all timers).
++     */
++    reconnect_delay_timer_del(s);
+ }
+ 
+ static coroutine_fn int nbd_receive_replies(BDRVNBDState *s, uint64_t handle)
+-- 
+2.27.0
+
diff --git a/SOURCES/kvm-block-nbd-Move-s-ioc-on-AioContext-change.patch b/SOURCES/kvm-block-nbd-Move-s-ioc-on-AioContext-change.patch
new file mode 100644
index 0000000..4cd3cce
--- /dev/null
+++ b/SOURCES/kvm-block-nbd-Move-s-ioc-on-AioContext-change.patch
@@ -0,0 +1,107 @@
+From c7f63e7bbc5119d92775e20d1ebbf8280c78b732 Mon Sep 17 00:00:00 2001
+From: Hanna Reitz <hreitz@redhat.com>
+Date: Fri, 4 Feb 2022 12:10:11 +0100
+Subject: [PATCH 5/6] block/nbd: Move s->ioc on AioContext change
+
+RH-Author: Hanna Reitz <hreitz@redhat.com>
+RH-MergeRequest: 117: block/nbd: Handle AioContext changes
+RH-Commit: [5/6] 107757b9fbadfb832c75521317108525daa4174e
+RH-Bugzilla: 2035185
+RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
+RH-Acked-by: Eric Blake <eblake@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+
+s->ioc must always be attached to the NBD node's AioContext.  If that
+context changes, s->ioc must be attached to the new context.
+
+Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=2033626
+Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+Signed-off-by: Hanna Reitz <hreitz@redhat.com>
+Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+(cherry picked from commit e15f3a66c830e3fce99c9d56c493c2f7078a1225)
+
+Conflict:
+- block/nbd.c: open_timer was added after the 6.2 release, so we need
+  not (and cannot) assert it is NULL here.
+
+Signed-off-by: Hanna Reitz <hreitz@redhat.com>
+---
+ block/nbd.c | 41 +++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 41 insertions(+)
+
+diff --git a/block/nbd.c b/block/nbd.c
+index aab20125d8..a3896c7f5f 100644
+--- a/block/nbd.c
++++ b/block/nbd.c
+@@ -2003,6 +2003,38 @@ static void nbd_cancel_in_flight(BlockDriverState *bs)
+     nbd_co_establish_connection_cancel(s->conn);
+ }
+ 
++static void nbd_attach_aio_context(BlockDriverState *bs,
++                                   AioContext *new_context)
++{
++    BDRVNBDState *s = bs->opaque;
++
++    /*
++     * The reconnect_delay_timer is scheduled in I/O paths when the
++     * connection is lost, to cancel the reconnection attempt after a
++     * given time.  Once this attempt is done (successfully or not),
++     * nbd_reconnect_attempt() ensures the timer is deleted before the
++     * respective I/O request is resumed.
++     * Since the AioContext can only be changed when a node is drained,
++     * the reconnect_delay_timer cannot be active here.
++     */
++    assert(!s->reconnect_delay_timer);
++
++    if (s->ioc) {
++        qio_channel_attach_aio_context(s->ioc, new_context);
++    }
++}
++
++static void nbd_detach_aio_context(BlockDriverState *bs)
++{
++    BDRVNBDState *s = bs->opaque;
++
++    assert(!s->reconnect_delay_timer);
++
++    if (s->ioc) {
++        qio_channel_detach_aio_context(s->ioc);
++    }
++}
++
+ static BlockDriver bdrv_nbd = {
+     .format_name                = "nbd",
+     .protocol_name              = "nbd",
+@@ -2026,6 +2058,9 @@ static BlockDriver bdrv_nbd = {
+     .bdrv_dirname               = nbd_dirname,
+     .strong_runtime_opts        = nbd_strong_runtime_opts,
+     .bdrv_cancel_in_flight      = nbd_cancel_in_flight,
++
++    .bdrv_attach_aio_context    = nbd_attach_aio_context,
++    .bdrv_detach_aio_context    = nbd_detach_aio_context,
+ };
+ 
+ static BlockDriver bdrv_nbd_tcp = {
+@@ -2051,6 +2086,9 @@ static BlockDriver bdrv_nbd_tcp = {
+     .bdrv_dirname               = nbd_dirname,
+     .strong_runtime_opts        = nbd_strong_runtime_opts,
+     .bdrv_cancel_in_flight      = nbd_cancel_in_flight,
++
++    .bdrv_attach_aio_context    = nbd_attach_aio_context,
++    .bdrv_detach_aio_context    = nbd_detach_aio_context,
+ };
+ 
+ static BlockDriver bdrv_nbd_unix = {
+@@ -2076,6 +2114,9 @@ static BlockDriver bdrv_nbd_unix = {
+     .bdrv_dirname               = nbd_dirname,
+     .strong_runtime_opts        = nbd_strong_runtime_opts,
+     .bdrv_cancel_in_flight      = nbd_cancel_in_flight,
++
++    .bdrv_attach_aio_context    = nbd_attach_aio_context,
++    .bdrv_detach_aio_context    = nbd_detach_aio_context,
+ };
+ 
+ static void bdrv_nbd_init(void)
+-- 
+2.27.0
+
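Review bot: nbd_detach_aio_context() repeats `assert(!s->reconnect_delay_timer);` without the explanation that nbd_attach_aio_context() gives a few lines earlier. That assertion is the only visible check against a still-armed timer firing after the context has changed. A one-line comment such as `/* as in nbd_attach_aio_context(): no timer can be armed while the node is drained */` would keep the two callbacks in step. The invariant relies on nbd_reconnect_attempt() deleting the timer, which is PATCH 1/6 of this series, so this backport is only safe when applied on top of that one.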
diff --git a/SOURCES/kvm-block-rbd-fix-handling-of-holes-in-.bdrv_co_block_st.patch b/SOURCES/kvm-block-rbd-fix-handling-of-holes-in-.bdrv_co_block_st.patch
new file mode 100644
index 0000000..2d8f3b4
--- /dev/null
+++ b/SOURCES/kvm-block-rbd-fix-handling-of-holes-in-.bdrv_co_block_st.patch
@@ -0,0 +1,59 @@
+From f4b7133d7aeb1d0b9115d01b5cff4df7f6b24e78 Mon Sep 17 00:00:00 2001
+From: Peter Lieven <pl@kamp.de>
+Date: Thu, 13 Jan 2022 15:44:25 +0100
+Subject: [PATCH 5/6] block/rbd: fix handling of holes in .bdrv_co_block_status
+
+RH-Author: Stefano Garzarella <sgarzare@redhat.com>
+RH-MergeRequest: 110: block/rbd: fix handling of holes in .bdrv_co_block_status
+RH-Commit: [1/2] 352656a5c77cc7855b476c3559a10c6aa64a4f58
+RH-Bugzilla: 2037135
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
+RH-Acked-by: Hanna Reitz <hreitz@redhat.com>
+
+the assumption that we can't hit a hole if we do not diff against a snapshot was wrong.
+
+We can see a hole in an image if we diff against base if there exists an older snapshot
+of the image and we have discarded blocks in the image where the snapshot has data.
+
+Fix this by simply handling a hole like an unallocated area. There are no callbacks
+for unallocated areas so just bail out if we hit a hole.
+
+Fixes: 0347a8fd4c3faaedf119be04c197804be40a384b
+Suggested-by: Ilya Dryomov <idryomov@gmail.com>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Peter Lieven <pl@kamp.de>
+Message-Id: <20220113144426.4036493-2-pl@kamp.de>
+Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+(cherry picked from commit 9e302f64bb407a9bb097b626da97228c2654cfee)
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+---
+ block/rbd.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/block/rbd.c b/block/rbd.c
+index def96292e0..20bb896c4a 100644
+--- a/block/rbd.c
++++ b/block/rbd.c
+@@ -1279,11 +1279,11 @@ static int qemu_rbd_diff_iterate_cb(uint64_t offs, size_t len,
+     RBDDiffIterateReq *req = opaque;
+ 
+     assert(req->offs + req->bytes <= offs);
+-    /*
+-     * we do not diff against a snapshot so we should never receive a callback
+-     * for a hole.
+-     */
+-    assert(exists);
++
++    /* treat a hole like an unallocated area and bail out */
++    if (!exists) {
++        return 0;
++    }
+ 
+     if (!req->exists && offs > req->offs) {
+         /*
+-- 
+2.27.0
+
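Review bot: The retained `assert(req->offs + req->bytes <= offs);` at the top of qemu_rbd_diff_iterate_cb() still aborts QEMU on a callback argument supplied by librbd, the same kind of assumption this change removes for `exists`. The companion rbd patch in this commit documents librbd reporting incorrect offsets and adds a further `assert(req.bytes > head)` on a value built from these callbacks. It may be worth turning both into an error return instead of a process abort, e.g. `if (offs < req->offs + req->bytes) { return -EINVAL; }`. Separately, the new comment says "bail out" while `return 0` presumably lets the iteration continue, so "skip it" would be more precise. The callback's body continues outside the hunk.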
diff --git a/SOURCES/kvm-block-rbd-workaround-for-ceph-issue-53784.patch b/SOURCES/kvm-block-rbd-workaround-for-ceph-issue-53784.patch
new file mode 100644
index 0000000..7e052f2
--- /dev/null
+++ b/SOURCES/kvm-block-rbd-workaround-for-ceph-issue-53784.patch
@@ -0,0 +1,103 @@
+From 8c50eedf03d8e62acd387b9aa9369dadcea9324c Mon Sep 17 00:00:00 2001
+From: Peter Lieven <pl@kamp.de>
+Date: Thu, 13 Jan 2022 15:44:26 +0100
+Subject: [PATCH 6/6] block/rbd: workaround for ceph issue #53784
+
+RH-Author: Stefano Garzarella <sgarzare@redhat.com>
+RH-MergeRequest: 110: block/rbd: fix handling of holes in .bdrv_co_block_status
+RH-Commit: [2/2] 1384557462e89bb539d0d25a1a471ad738fb9e89
+RH-Bugzilla: 2037135
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
+RH-Acked-by: Hanna Reitz <hreitz@redhat.com>
+
+librbd had a bug until early 2022 that affected all versions of ceph that
+supported fast-diff. This bug results in reporting of incorrect offsets
+if the offset parameter to rbd_diff_iterate2 is not object aligned.
+
+This patch works around this bug for pre Quincy versions of librbd.
+
+Fixes: 0347a8fd4c3faaedf119be04c197804be40a384b
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Peter Lieven <pl@kamp.de>
+Message-Id: <20220113144426.4036493-3-pl@kamp.de>
+Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Tested-by: Stefano Garzarella <sgarzare@redhat.com>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+(cherry picked from commit fc176116cdea816ceb8dd969080b2b95f58edbc0)
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+---
+ block/rbd.c | 42 ++++++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 40 insertions(+), 2 deletions(-)
+
+diff --git a/block/rbd.c b/block/rbd.c
+index 20bb896c4a..8f183eba2a 100644
+--- a/block/rbd.c
++++ b/block/rbd.c
+@@ -1320,6 +1320,7 @@ static int coroutine_fn qemu_rbd_co_block_status(BlockDriverState *bs,
+     int status, r;
+     RBDDiffIterateReq req = { .offs = offset };
+     uint64_t features, flags;
++    uint64_t head = 0;
+ 
+     assert(offset + bytes <= s->image_size);
+ 
+@@ -1347,7 +1348,43 @@ static int coroutine_fn qemu_rbd_co_block_status(BlockDriverState *bs,
+         return status;
+     }
+ 
+-    r = rbd_diff_iterate2(s->image, NULL, offset, bytes, true, true,
++#if LIBRBD_VERSION_CODE < LIBRBD_VERSION(1, 17, 0)
++    /*
++     * librbd had a bug until early 2022 that affected all versions of ceph that
++     * supported fast-diff. This bug results in reporting of incorrect offsets
++     * if the offset parameter to rbd_diff_iterate2 is not object aligned.
++     * Work around this bug by rounding down the offset to object boundaries.
++     * This is OK because we call rbd_diff_iterate2 with whole_object = true.
++     * However, this workaround only works for non cloned images with default
++     * striping.
++     *
++     * See: https://tracker.ceph.com/issues/53784
++     */
++
++    /* check if RBD image has non-default striping enabled */
++    if (features & RBD_FEATURE_STRIPINGV2) {
++        return status;
++    }
++
++#pragma GCC diagnostic push
++#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
++    /*
++     * check if RBD image is a clone (= has a parent).
++     *
++     * rbd_get_parent_info is deprecated from Nautilus onwards, but the
++     * replacement rbd_get_parent is not present in Luminous and Mimic.
++     */
++    if (rbd_get_parent_info(s->image, NULL, 0, NULL, 0, NULL, 0) != -ENOENT) {
++        return status;
++    }
++#pragma GCC diagnostic pop
++
++    head = req.offs & (s->object_size - 1);
++    req.offs -= head;
++    bytes += head;
++#endif
++
++    r = rbd_diff_iterate2(s->image, NULL, req.offs, bytes, true, true,
+                           qemu_rbd_diff_iterate_cb, &req);
+     if (r < 0 && r != QEMU_RBD_EXIT_DIFF_ITERATE2) {
+         return status;
+@@ -1366,7 +1403,8 @@ static int coroutine_fn qemu_rbd_co_block_status(BlockDriverState *bs,
+         status = BDRV_BLOCK_ZERO | BDRV_BLOCK_OFFSET_VALID;
+     }
+ 
+-    *pnum = req.bytes;
++    assert(req.bytes > head);
++    *pnum = req.bytes - head;
+     return status;
+ }
+ 
+-- 
+2.27.0
+
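Review bot: `head = req.offs & (s->object_size - 1);` in qemu_rbd_co_block_status() only rounds down to an object boundary if `s->object_size` is a non-zero power of two, and nothing in the hunk states or checks that. If it holds for every image this driver opens, the workaround comment should say so, e.g. `/* object_size is always a power of two, so the mask yields the offset within the object */`. A word at the declaration of `head` would also help, e.g. `/* bytes added in front of the request by the alignment workaround */`, since it is later subtracted from `req.bytes` to form `*pnum`. The function starts and ends outside the hunks.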
diff --git a/SOURCES/kvm-display-qxl-render-fix-race-condition-in-qxl_cursor-.patch b/SOURCES/kvm-display-qxl-render-fix-race-condition-in-qxl_cursor-.patch
new file mode 100644
index 0000000..040cfe1
--- /dev/null
+++ b/SOURCES/kvm-display-qxl-render-fix-race-condition-in-qxl_cursor-.patch
@@ -0,0 +1,58 @@
+From abd84f26e0fe0bc9952d91fbd35fb3a7253cfecf Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@rehat.com>
+Date: Wed, 13 Apr 2022 20:54:45 -0400
+Subject: [PATCH 1/2] display/qxl-render: fix race condition in qxl_cursor
+ (CVE-2021-4207)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+RH-MergeRequest: 152: display/qxl-render: fix race condition in qxl_cursor (CVE-2021-4207)
+RH-Commit: [1/1] f05b9a956f2e0ca522b5be127beff813d04b5588 (jmaloy/qemu-kvm)
+RH-Bugzilla: 2040738
+RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
+RH-Acked-by: Mauro Matteo Cascella <None>
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2040738
+Upstream: Merged
+CVE: CVE-2021-4207
+
+commit 9569f5cb5b4bffa9d3ebc8ba7da1e03830a9a895
+Author: Mauro Matteo Cascella <mcascell@redhat.com>
+Date:   Thu Apr 7 10:11:06 2022 +0200
+
+    display/qxl-render: fix race condition in qxl_cursor (CVE-2021-4207)
+
+    Avoid fetching 'width' and 'height' a second time to prevent possible
+    race condition. Refer to security advisory
+    https://starlabs.sg/advisories/22-4207/ for more information.
+
+    Fixes: CVE-2021-4207
+    Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+    Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+    Message-Id: <20220407081106.343235-1-mcascell@redhat.com>
+    Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+(cherry picked from commit 9569f5cb5b4bffa9d3ebc8ba7da1e03830a9a895)
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+---
+ hw/display/qxl-render.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c
+index d28849b121..237ed293ba 100644
+--- a/hw/display/qxl-render.c
++++ b/hw/display/qxl-render.c
+@@ -266,7 +266,7 @@ static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl, QXLCursor *cursor,
+         }
+         break;
+     case SPICE_CURSOR_TYPE_ALPHA:
+-        size = sizeof(uint32_t) * cursor->header.width * cursor->header.height;
++        size = sizeof(uint32_t) * c->width * c->height;
+         qxl_unpack_chunks(c->data, size, qxl, &cursor->chunk, group_id);
+         if (qxl->debug > 2) {
+             cursor_print_ascii_art(c, "qxl/alpha");
+-- 
+2.27.0
+
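Review bot: The corrected line in the `SPICE_CURSOR_TYPE_ALPHA` case of qxl_cursor() has no comment explaining why it reads `c->width`/`c->height` instead of `cursor->header`, and the two spellings look interchangeable to someone tidying up later. Per the commit message the point is to avoid fetching the dimensions a second time, so the size passed to qxl_unpack_chunks() should come from the values `c` was presumably allocated with. I would add `/* use the copy in c; do not re-read cursor->header (CVE-2021-4207) */` above the assignment. It is also worth confirming that no other case in this switch reads `cursor->header.width` or `cursor->header.height` again after the allocation, because the hunk shows only the ALPHA case.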
diff --git a/SOURCES/kvm-doc-Add-the-SGX-numa-description.patch b/SOURCES/kvm-doc-Add-the-SGX-numa-description.patch
new file mode 100644
index 0000000..0bed8a6
--- /dev/null
+++ b/SOURCES/kvm-doc-Add-the-SGX-numa-description.patch
@@ -0,0 +1,77 @@
+From e8377e3f4d540e2594a50985523e87d1f3cabbc7 Mon Sep 17 00:00:00 2001
+From: Yang Zhong <yang.zhong@intel.com>
+Date: Mon, 1 Nov 2021 12:20:08 -0400
+Subject: [PATCH 3/7] doc: Add the SGX numa description
+
+RH-Author: Paul Lai <None>
+RH-MergeRequest: 111: numa: Enable numa for SGX EPC sections
+RH-Commit: [3/5] 41c74688c9662b966c243566a837135ff52341c4
+RH-Bugzilla: 1518984
+RH-Acked-by: Paolo Bonzini <None>
+RH-Acked-by: Bandan Das <None>
+RH-Acked-by: Cornelia Huck <cohuck@redhat.com>
+
+Add the SGX numa reference command and how to check if
+SGX numa is support or not with multiple EPC sections.
+
+Signed-off-by: Yang Zhong <yang.zhong@intel.com>
+Message-Id: <20211101162009.62161-5-yang.zhong@intel.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit d1889b36098c79e2e6ac90faf3d0dc5ec0057677)
+Signed-off-by: Paul Lai <plai@redhat.com>
+---
+ docs/system/i386/sgx.rst | 31 +++++++++++++++++++++++++++----
+ 1 file changed, 27 insertions(+), 4 deletions(-)
+
+diff --git a/docs/system/i386/sgx.rst b/docs/system/i386/sgx.rst
+index f8fade5ac2..0f0a73f758 100644
+--- a/docs/system/i386/sgx.rst
++++ b/docs/system/i386/sgx.rst
+@@ -141,8 +141,7 @@ To launch a SGX guest:
+   |qemu_system_x86| \\
+    -cpu host,+sgx-provisionkey \\
+    -object memory-backend-epc,id=mem1,size=64M,prealloc=on \\
+-   -object memory-backend-epc,id=mem2,size=28M \\
+-   -M sgx-epc.0.memdev=mem1,sgx-epc.1.memdev=mem2
++   -M sgx-epc.0.memdev=mem1,sgx-epc.0.node=0
+ 
+ Utilizing SGX in the guest requires a kernel/OS with SGX support.
+ The support can be determined in guest by::
+@@ -152,8 +151,32 @@ The support can be determined in guest by::
+ and SGX epc info by::
+ 
+   $ dmesg | grep sgx
+-  [    1.242142] sgx: EPC section 0x180000000-0x181bfffff
+-  [    1.242319] sgx: EPC section 0x181c00000-0x1837fffff
++  [    0.182807] sgx: EPC section 0x140000000-0x143ffffff
++  [    0.183695] sgx: [Firmware Bug]: Unable to map EPC section to online node. Fallback to the NUMA node 0.
++
++To launch a SGX numa guest:
++
++.. parsed-literal::
++
++  |qemu_system_x86| \\
++   -cpu host,+sgx-provisionkey \\
++   -object memory-backend-ram,size=2G,host-nodes=0,policy=bind,id=node0 \\
++   -object memory-backend-epc,id=mem0,size=64M,prealloc=on,host-nodes=0,policy=bind \\
++   -numa node,nodeid=0,cpus=0-1,memdev=node0 \\
++   -object memory-backend-ram,size=2G,host-nodes=1,policy=bind,id=node1 \\
++   -object memory-backend-epc,id=mem1,size=28M,prealloc=on,host-nodes=1,policy=bind \\
++   -numa node,nodeid=1,cpus=2-3,memdev=node1 \\
++   -M sgx-epc.0.memdev=mem0,sgx-epc.0.node=0,sgx-epc.1.memdev=mem1,sgx-epc.1.node=1
++
++and SGX epc numa info by::
++
++  $ dmesg | grep sgx
++  [    0.369937] sgx: EPC section 0x180000000-0x183ffffff
++  [    0.370259] sgx: EPC section 0x184000000-0x185bfffff
++
++  $ dmesg | grep SRAT
++  [    0.009981] ACPI: SRAT: Node 0 PXM 0 [mem 0x180000000-0x183ffffff]
++  [    0.009982] ACPI: SRAT: Node 1 PXM 1 [mem 0x184000000-0x185bfffff]
+ 
+ References
+ ----------
+-- 
+2.27.0
+
diff --git a/SOURCES/kvm-hw-intc-arm_gicv3-Check-for-MEMTX_OK-instead-of-MEMT.patch b/SOURCES/kvm-hw-intc-arm_gicv3-Check-for-MEMTX_OK-instead-of-MEMT.patch
new file mode 100644
index 0000000..eea6fa2
--- /dev/null
+++ b/SOURCES/kvm-hw-intc-arm_gicv3-Check-for-MEMTX_OK-instead-of-MEMT.patch
@@ -0,0 +1,75 @@
+From 2db3d0de1be018f14cb91fdd4a368996b09d8bec Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Wed, 13 Apr 2022 14:51:06 -0400
+Subject: [PATCH 1/3] hw/intc/arm_gicv3: Check for !MEMTX_OK instead of
+ MEMTX_ERROR
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+RH-MergeRequest: 151: hw/intc/arm_gicv3: Check for !MEMTX_OK instead of MEMTX_ERROR
+RH-Commit: [1/3] 561c9c2b1249f07d33013040b1c495ed1fbf825b (jmaloy/qemu-kvm)
+RH-Bugzilla: 1999236
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Peter Xu <peterx@redhat.com>
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1999236
+Upstream: Merged
+CVE: CVE-2021-3750
+
+commit b9d383ab797f54ae5fa8746117770709921dc529
+Author: Philippe Mathieu-Daudé <philmd@redhat.com>
+Date:   Wed Dec 15 19:24:19 2021 +0100
+
+    hw/intc/arm_gicv3: Check for !MEMTX_OK instead of MEMTX_ERROR
+
+    Quoting Peter Maydell:
+
+     "These MEMTX_* aren't from the memory transaction
+      API functions; they're just being used by gicd_readl() and
+      friends as a way to indicate a success/failure so that the
+      actual MemoryRegionOps read/write fns like gicv3_dist_read()
+      can log a guest error."
+
+    We are going to introduce more MemTxResult bits, so it is
+    safer to check for !MEMTX_OK rather than MEMTX_ERROR.
+
+    Reviewed-by: Peter Xu <peterx@redhat.com>
+    Reviewed-by: David Hildenbrand <david@redhat.com>
+    Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+    Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+    Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+    Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+
+(cherry picked from commit b9d383ab797f54ae5fa8746117770709921dc529)
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+---
+ hw/intc/arm_gicv3_redist.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/hw/intc/arm_gicv3_redist.c b/hw/intc/arm_gicv3_redist.c
+index c8ff3eca08..99b11ca5ee 100644
+--- a/hw/intc/arm_gicv3_redist.c
++++ b/hw/intc/arm_gicv3_redist.c
+@@ -462,7 +462,7 @@ MemTxResult gicv3_redist_read(void *opaque, hwaddr offset, uint64_t *data,
+         break;
+     }
+ 
+-    if (r == MEMTX_ERROR) {
++    if (r != MEMTX_OK) {
+         qemu_log_mask(LOG_GUEST_ERROR,
+                       "%s: invalid guest read at offset " TARGET_FMT_plx
+                       " size %u\n", __func__, offset, size);
+@@ -521,7 +521,7 @@ MemTxResult gicv3_redist_write(void *opaque, hwaddr offset, uint64_t data,
+         break;
+     }
+ 
+-    if (r == MEMTX_ERROR) {
++    if (r != MEMTX_OK) {
+         qemu_log_mask(LOG_GUEST_ERROR,
+                       "%s: invalid guest write at offset " TARGET_FMT_plx
+                       " size %u\n", __func__, offset, size);
+-- 
+2.27.0
+
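Review bot: Neither rewritten check, `if (r != MEMTX_OK)` in gicv3_redist_read and in gicv3_redist_write, carries a comment saying why the comparison is against MEMTX_OK, so the reason lives only in the commit message. I would add `/* r is only a success/failure flag here; treat every non-OK value as a guest error */` above each check. The message describes the change as preparation for further MemTxResult bits and the header marks it as patch 1/3, so anyone tracking CVE-2021-3750 coverage should not count this patch alone as the fix. Both function bodies start and end outside the hunks.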
diff --git a/SOURCES/kvm-hw-virtio-vdpa-Fix-leak-of-host-notifier-memory-regi.patch b/SOURCES/kvm-hw-virtio-vdpa-Fix-leak-of-host-notifier-memory-regi.patch
new file mode 100644
index 0000000..bb42634
--- /dev/null
+++ b/SOURCES/kvm-hw-virtio-vdpa-Fix-leak-of-host-notifier-memory-regi.patch
@@ -0,0 +1,66 @@
+From f0115d856f46e65e3b62896f84fe1902a958bf79 Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Tue, 22 Mar 2022 19:23:36 -0400
+Subject: [PATCH 04/18] hw/virtio: vdpa: Fix leak of host-notifier
+ memory-region
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+RH-MergeRequest: 132: hw/virtio: vdpa: Fix leak of host-notifier memory-region
+RH-Commit: [1/1] b3cec35d185e3b9844a458f5c51c5d5ef7e3d8f1 (jmaloy/qemu-kvm)
+RH-Bugzilla: 2060843
+RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
+RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
+
+BZ: https://bugzilla.redhat.com/2060843
+UPSTREAM: no
+BREW: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=44038138
+
+commit 98f7607ecda00dea3cbb2ed7b4427c96846efb83
+Author: Laurent Vivier <lvivier@redhat.com>
+Date:   Fri Feb 11 18:02:59 2022 +0100
+
+    hw/virtio: vdpa: Fix leak of host-notifier memory-region
+
+    If call virtio_queue_set_host_notifier_mr fails, should free
+    host-notifier memory-region.
+
+    This problem can trigger a coredump with some vDPA drivers (mlx5,
+    but not with the vdpasim), if we unplug the virtio-net card from
+    the guest after a stop/start.
+
+    The same fix has been done for vhost-user:
+      1f89d3b91e3e ("hw/virtio: Fix leak of host-notifier memory-region")
+
+    Fixes: d0416d487bd5 ("vhost-vdpa: map virtqueue notification area if possible")
+    Cc: jasowang@redhat.com
+    Resolves: https://bugzilla.redhat.com/2027208
+    Signed-off-by: Laurent Vivier <lvivier@redhat.com>
+    Message-Id: <20220211170259.1388734-1-lvivier@redhat.com>
+    Cc: qemu-stable@nongnu.org
+    Acked-by: Jason Wang <jasowang@redhat.com>
+    Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+    Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+    Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+
+(cherry picked from commit 98f7607ecda00dea3cbb2ed7b4427c96846efb83)
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+---
+ hw/virtio/vhost-vdpa.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/virtio/vhost-vdpa.c b/hw/virtio/vhost-vdpa.c
+index bcaf00e09f..78da48a333 100644
+--- a/hw/virtio/vhost-vdpa.c
++++ b/hw/virtio/vhost-vdpa.c
+@@ -415,6 +415,7 @@ static int vhost_vdpa_host_notifier_init(struct vhost_dev *dev, int queue_index)
+     g_free(name);
+ 
+     if (virtio_queue_set_host_notifier_mr(vdev, queue_index, &n->mr, true)) {
++        object_unparent(OBJECT(&n->mr));
+         munmap(addr, page_size);
+         goto err;
+     }
+-- 
+2.27.0
+
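Review bot: The added `object_unparent(OBJECT(&n->mr));` in the failure branch of vhost_vdpa_host_notifier_init has no comment explaining why it sits before `munmap(addr, page_size)`. Presumably the region still refers to the mapping at addr, so releasing it first avoids leaving it pointing at unmapped pages. A one-line comment such as `/* drop the region before unmapping the page it is backed by */` would keep a later reorder from reintroducing the crash the commit message describes. The function starts and ends outside the hunk, so what the err label does with n cannot be checked from here.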
diff --git a/SOURCES/kvm-i386-Add-Icelake-Server-v6-CPU-model-with-5-level-EP.patch b/SOURCES/kvm-i386-Add-Icelake-Server-v6-CPU-model-with-5-level-EP.patch
new file mode 100644
index 0000000..540f721
--- /dev/null
+++ b/SOURCES/kvm-i386-Add-Icelake-Server-v6-CPU-model-with-5-level-EP.patch
@@ -0,0 +1,59 @@
+From ccaa1135bd1aa90c94f0e8b5417bd2a420134e6c Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Wed, 30 Mar 2022 14:52:34 -0400
+Subject: [PATCH 08/18] i386: Add Icelake-Server-v6 CPU model with 5-level EPT
+ support
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+RH-MergeRequest: 139: vmxcap: Add 5-level EPT bit
+RH-Commit: [2/2] e913746b2df9cbd0308014ab5cc72577458857fa (jmaloy/qemu-kvm)
+RH-Bugzilla: 2065207
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+
+BZ: https://bugzilla.redhat.com/show_bug.cgi?id=2065207
+UPSTREAM: Merged
+
+commit: 12cab535db6440af41ed8dfefe908a594321b6ce
+Author: Vitaly Kuznetsov <vkuznets@redhat.com>
+Date:   Mon Feb 21 15:53:15 2022 +0100
+
+    i386: Add Icelake-Server-v6 CPU model with 5-level EPT support
+
+    Windows 11 with WSL2 enabled (Hyper-V) fails to boot with Icelake-Server
+    {-v5} CPU model but boots well with '-cpu host'. Apparently, it expects
+    5-level paging and 5-level EPT support to come in pair but QEMU's
+    Icelake-Server CPU model lacks the later. Introduce 'Icelake-Server-v6'
+    CPU model with 'vmx-page-walk-5' enabled by default.
+
+    Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+    Message-Id: <20220221145316.576138-1-vkuznets@redhat.com>
+    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+(cherry picked from commit 12cab535db6440af41ed8dfefe908a594321b6ce)
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+---
+ target/i386/cpu.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/target/i386/cpu.c b/target/i386/cpu.c
+index aa9e636800..6e25d13339 100644
+--- a/target/i386/cpu.c
++++ b/target/i386/cpu.c
+@@ -3505,6 +3505,14 @@ static const X86CPUDefinition builtin_x86_defs[] = {
+                     { /* end of list */ }
+                 },
+             },
++            {
++                .version = 6,
++                .note = "5-level EPT",
++                .props = (PropValue[]) {
++                    { "vmx-page-walk-5", "on" },
++                    { /* end of list */ }
++                },
++            },
+             { /* end of list */ }
+         }
+     },
+-- 
+2.27.0
+
diff --git a/SOURCES/kvm-iotests-281-Let-NBD-connection-yield-in-iothread.patch b/SOURCES/kvm-iotests-281-Let-NBD-connection-yield-in-iothread.patch
new file mode 100644
index 0000000..b703c23
--- /dev/null
+++ b/SOURCES/kvm-iotests-281-Let-NBD-connection-yield-in-iothread.patch
@@ -0,0 +1,108 @@
+From 2ed48247fd39ade97164dee3c65162b96a116f14 Mon Sep 17 00:00:00 2001
+From: Hanna Reitz <hreitz@redhat.com>
+Date: Fri, 4 Feb 2022 12:10:12 +0100
+Subject: [PATCH 6/6] iotests/281: Let NBD connection yield in iothread
+
+RH-Author: Hanna Reitz <hreitz@redhat.com>
+RH-MergeRequest: 117: block/nbd: Handle AioContext changes
+RH-Commit: [6/6] a23706f34022d301eb7ffc84fc0d0a77d72b9844
+RH-Bugzilla: 2035185
+RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
+RH-Acked-by: Eric Blake <eblake@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+
+Put an NBD block device into an I/O thread, and then read data from it,
+hoping that the NBD connection will yield during that read.  When it
+does, the coroutine must be reentered in the block device's I/O thread,
+which will only happen if the NBD block driver attaches the connection's
+QIOChannel to the new AioContext.  It did not do that after 4ddb5d2fde
+("block/nbd: drop connection_co") and prior to "block/nbd: Move s->ioc
+on AioContext change", which would cause an assertion failure.
+
+To improve our chances of yielding, the NBD server is throttled to
+reading 64 kB/s, and the NBD client reads 128 kB, so it should yield at
+some point.
+
+Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+Signed-off-by: Hanna Reitz <hreitz@redhat.com>
+Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+(cherry picked from commit 8cfbe929e8c26050f0a4580a1606a370a947d4ce)
+Signed-off-by: Hanna Reitz <hreitz@redhat.com>
+---
+ tests/qemu-iotests/281     | 28 +++++++++++++++++++++++++---
+ tests/qemu-iotests/281.out |  4 ++--
+ 2 files changed, 27 insertions(+), 5 deletions(-)
+
+diff --git a/tests/qemu-iotests/281 b/tests/qemu-iotests/281
+index 13c588be75..b2ead7f388 100755
+--- a/tests/qemu-iotests/281
++++ b/tests/qemu-iotests/281
+@@ -253,8 +253,9 @@ class TestYieldingAndTimers(iotests.QMPTestCase):
+         self.create_nbd_export()
+ 
+         # Simple VM with an NBD block device connected to the NBD export
+-        # provided by the QSD
++        # provided by the QSD, and an (initially unused) iothread
+         self.vm = iotests.VM()
++        self.vm.add_object('iothread,id=iothr')
+         self.vm.add_blockdev('nbd,node-name=nbd,server.type=unix,' +
+                              f'server.path={self.sock},export=exp,' +
+                              'reconnect-delay=1')
+@@ -293,19 +294,40 @@ class TestYieldingAndTimers(iotests.QMPTestCase):
+         # thus not see the error, and so the test will pass.)
+         time.sleep(2)
+ 
++    def test_yield_in_iothread(self):
++        # Move the NBD node to the I/O thread; the NBD block driver should
++        # attach the connection's QIOChannel to that thread's AioContext, too
++        result = self.vm.qmp('x-blockdev-set-iothread',
++                             node_name='nbd', iothread='iothr')
++        self.assert_qmp(result, 'return', {})
++
++        # Do some I/O that will be throttled by the QSD, so that the network
++        # connection hopefully will yield here.  When it is resumed, it must
++        # then be resumed in the I/O thread's AioContext.
++        result = self.vm.qmp('human-monitor-command',
++                             command_line='qemu-io nbd "read 0 128K"')
++        self.assert_qmp(result, 'return', '')
++
+     def create_nbd_export(self):
+         assert self.qsd is None
+ 
+-        # Simple NBD export of a null-co BDS
++        # Export a throttled null-co BDS: Reads are throttled (max 64 kB/s),
++        # writes are not.
+         self.qsd = QemuStorageDaemon(
++            '--object',
++            'throttle-group,id=thrgr,x-bps-read=65536,x-bps-read-max=65536',
++
+             '--blockdev',
+             'null-co,node-name=null,read-zeroes=true',
+ 
++            '--blockdev',
++            'throttle,node-name=thr,file=null,throttle-group=thrgr',
++
+             '--nbd-server',
+             f'addr.type=unix,addr.path={self.sock}',
+ 
+             '--export',
+-            'nbd,id=exp,node-name=null,name=exp,writable=true'
++            'nbd,id=exp,node-name=thr,name=exp,writable=true'
+         )
+ 
+     def stop_nbd_export(self):
+diff --git a/tests/qemu-iotests/281.out b/tests/qemu-iotests/281.out
+index 914e3737bd..3f8a935a08 100644
+--- a/tests/qemu-iotests/281.out
++++ b/tests/qemu-iotests/281.out
+@@ -1,5 +1,5 @@
+-.....
++......
+ ----------------------------------------------------------------------
+-Ran 5 tests
++Ran 6 tests
+ 
+ OK
+-- 
+2.27.0
+
diff --git a/SOURCES/kvm-iotests-281-Test-lingering-timers.patch b/SOURCES/kvm-iotests-281-Test-lingering-timers.patch
new file mode 100644
index 0000000..c31b413
--- /dev/null
+++ b/SOURCES/kvm-iotests-281-Test-lingering-timers.patch
@@ -0,0 +1,174 @@
+From b56684f6c1bef4fb5bf87ac5a1106d3830c05ad0 Mon Sep 17 00:00:00 2001
+From: Hanna Reitz <hreitz@redhat.com>
+Date: Fri, 4 Feb 2022 12:10:10 +0100
+Subject: [PATCH 4/6] iotests/281: Test lingering timers
+
+RH-Author: Hanna Reitz <hreitz@redhat.com>
+RH-MergeRequest: 117: block/nbd: Handle AioContext changes
+RH-Commit: [4/6] aaad466941637a34224dc037bbea37d128b5676b
+RH-Bugzilla: 2035185
+RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
+RH-Acked-by: Eric Blake <eblake@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+
+Prior to "block/nbd: Delete reconnect delay timer when done" and
+"block/nbd: Delete open timer when done", both of those timers would
+remain scheduled even after successfully (re-)connecting to the server,
+and they would not even be deleted when the BDS is deleted.
+
+This test constructs exactly this situation:
+(1) Configure an @open-timeout, so the open timer is armed, and
+(2) Configure a @reconnect-delay and trigger a reconnect situation
+    (which succeeds immediately), so the reconnect delay timer is armed.
+Then we immediately delete the BDS, and sleep for longer than the
+@open-timeout and @reconnect-delay.  Prior to said patches, this caused
+one (or both) of the timer CBs to access already-freed data.
+
+Accessing freed data may or may not crash, so this test can produce
+false successes, but I do not know how to show the problem in a better
+or more reliable way.  If you run this test on "block/nbd: Assert there
+are no timers when closed" and without the fix patches mentioned above,
+you should reliably see an assertion failure.
+(But all other tests that use the reconnect delay timer (264 and 277)
+will fail in that configuration, too; as will nbd-reconnect-on-open,
+which uses the open timer.)
+
+Remove this test from the quick group because of the two second sleep
+this patch introduces.
+
+(I decided to put this test case into 281, because the main bug this
+series addresses is in the interaction of the NBD block driver and I/O
+threads, which is precisely the scope of 281.  The test case for that
+other bug will also be put into the test class added here.
+
+Also, excuse the test class's name, I couldn't come up with anything
+better.  The "yield" part will make sense two patches from now.)
+
+Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+Signed-off-by: Hanna Reitz <hreitz@redhat.com>
+Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+(cherry picked from commit eaf1e85d4ddefdbd197f393fa9c5acc7ba8133b0)
+
+Conflict:
+- @open-timeout was introduced after the 6.2 release, and has not been
+  backported.  Consequently, there is no open_timer, and we can (and
+  must) drop the respective parts of the test here.
+
+Signed-off-by: Hanna Reitz <hreitz@redhat.com>
+---
+ tests/qemu-iotests/281     | 73 ++++++++++++++++++++++++++++++++++++--
+ tests/qemu-iotests/281.out |  4 +--
+ 2 files changed, 73 insertions(+), 4 deletions(-)
+
+diff --git a/tests/qemu-iotests/281 b/tests/qemu-iotests/281
+index 956698083f..13c588be75 100755
+--- a/tests/qemu-iotests/281
++++ b/tests/qemu-iotests/281
+@@ -1,5 +1,5 @@
+ #!/usr/bin/env python3
+-# group: rw quick
++# group: rw
+ #
+ # Test cases for blockdev + IOThread interactions
+ #
+@@ -20,8 +20,9 @@
+ #
+ 
+ import os
++import time
+ import iotests
+-from iotests import qemu_img
++from iotests import qemu_img, QemuStorageDaemon
+ 
+ image_len = 64 * 1024 * 1024
+ 
+@@ -243,6 +244,74 @@ class TestBlockdevBackupAbort(iotests.QMPTestCase):
+         # Hangs on failure, we expect this error.
+         self.assert_qmp(result, 'error/class', 'GenericError')
+ 
++# Test for RHBZ#2033626
++class TestYieldingAndTimers(iotests.QMPTestCase):
++    sock = os.path.join(iotests.sock_dir, 'nbd.sock')
++    qsd = None
++
++    def setUp(self):
++        self.create_nbd_export()
++
++        # Simple VM with an NBD block device connected to the NBD export
++        # provided by the QSD
++        self.vm = iotests.VM()
++        self.vm.add_blockdev('nbd,node-name=nbd,server.type=unix,' +
++                             f'server.path={self.sock},export=exp,' +
++                             'reconnect-delay=1')
++
++        self.vm.launch()
++
++    def tearDown(self):
++        self.stop_nbd_export()
++        self.vm.shutdown()
++
++    def test_timers_with_blockdev_del(self):
++        # Stop and restart the NBD server, and do some I/O on the client to
++        # trigger a reconnect and start the reconnect delay timer
++        self.stop_nbd_export()
++        self.create_nbd_export()
++
++        result = self.vm.qmp('human-monitor-command',
++                             command_line='qemu-io nbd "write 0 512"')
++        self.assert_qmp(result, 'return', '')
++
++        # Reconnect is done, so the reconnect delay timer should be gone.
++        # (But there used to be a bug where it remained active, for which this
++        # is a regression test.)
++
++        # Delete the BDS to see whether the timer is gone.  If it is not,
++        # it will remain active, fire later, and then access freed data.
++        # (Or, with "block/nbd: Assert there are no timers when closed"
++        # applied, the assertion added in that patch will fail.)
++        result = self.vm.qmp('blockdev-del', node_name='nbd')
++        self.assert_qmp(result, 'return', {})
++
++        # Give the timer some time to fire (it has a timeout of 1 s).
++        # (Sleeping in an iotest may ring some alarm bells, but note that if
++        # the timing is off here, the test will just always pass.  If we kill
++        # the VM too early, then we just kill the timer before it can fire,
++        # thus not see the error, and so the test will pass.)
++        time.sleep(2)
++
++    def create_nbd_export(self):
++        assert self.qsd is None
++
++        # Simple NBD export of a null-co BDS
++        self.qsd = QemuStorageDaemon(
++            '--blockdev',
++            'null-co,node-name=null,read-zeroes=true',
++
++            '--nbd-server',
++            f'addr.type=unix,addr.path={self.sock}',
++
++            '--export',
++            'nbd,id=exp,node-name=null,name=exp,writable=true'
++        )
++
++    def stop_nbd_export(self):
++        self.qsd.stop()
++        self.qsd = None
++
+ if __name__ == '__main__':
+     iotests.main(supported_fmts=['qcow2'],
+                  supported_protocols=['file'])
+diff --git a/tests/qemu-iotests/281.out b/tests/qemu-iotests/281.out
+index 89968f35d7..914e3737bd 100644
+--- a/tests/qemu-iotests/281.out
++++ b/tests/qemu-iotests/281.out
+@@ -1,5 +1,5 @@
+-....
++.....
+ ----------------------------------------------------------------------
+-Ran 4 tests
++Ran 5 tests
+ 
+ OK
+-- 
+2.27.0
+
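Review bot: `stop_nbd_export()` calls `self.qsd.stop()` without checking for None, and tearDown calls it before `self.vm.shutdown()`. If `create_nbd_export()` fails in test_timers_with_blockdev_del right after the export was stopped, self.qsd is still None, tearDown raises AttributeError and the shutdown line is never reached, which may leave the QEMU process behind. Guarding the call with `if self.qsd is not None:` before `self.qsd.stop()`, or shutting the VM down first in tearDown, avoids that. Separately, a failure in `self.vm.launch()` during setUp skips tearDown entirely, so registering the export stop with `self.addCleanup(...)` would be more robust.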
diff --git a/SOURCES/kvm-iotests-Test-blockdev-reopen-with-iothreads-and-thro.patch b/SOURCES/kvm-iotests-Test-blockdev-reopen-with-iothreads-and-thro.patch
new file mode 100644
index 0000000..1caf73c
--- /dev/null
+++ b/SOURCES/kvm-iotests-Test-blockdev-reopen-with-iothreads-and-thro.patch
@@ -0,0 +1,106 @@
+From ea4d8424fb2053b1cbb9538190b2b06351054125 Mon Sep 17 00:00:00 2001
+From: Kevin Wolf <kwolf@redhat.com>
+Date: Thu, 3 Feb 2022 15:05:34 +0100
+Subject: [PATCH 3/5] iotests: Test blockdev-reopen with iothreads and
+ throttling
+
+RH-Author: Kevin Wolf <kwolf@redhat.com>
+RH-MergeRequest: 142: block: Lock AioContext for drain_end in blockdev-reopen
+RH-Commit: [2/2] 91d365864c391ca7db7db13260913fb61987b833
+RH-Bugzilla: 2067118
+RH-Acked-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Hanna Reitz <hreitz@redhat.com>
+
+The 'throttle' block driver implements .bdrv_co_drain_end, so
+blockdev-reopen will have to wait for it to complete in the polling
+loop at the end of qmp_blockdev_reopen(). This makes AIO_WAIT_WHILE()
+release the AioContext lock, which causes a crash if the lock hasn't
+correctly been taken.
+
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+Message-Id: <20220203140534.36522-3-kwolf@redhat.com>
+Reviewed-by: Hanna Reitz <hreitz@redhat.com>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+(cherry picked from commit ee810602376125ca0e0afd6b7c715e13740978ea)
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+---
+ tests/qemu-iotests/245     | 36 +++++++++++++++++++++++++++++++++---
+ tests/qemu-iotests/245.out |  4 ++--
+ 2 files changed, 35 insertions(+), 5 deletions(-)
+
+diff --git a/tests/qemu-iotests/245 b/tests/qemu-iotests/245
+index 24ac43f70e..8cbed7821b 100755
+--- a/tests/qemu-iotests/245
++++ b/tests/qemu-iotests/245
+@@ -1138,12 +1138,13 @@ class TestBlockdevReopen(iotests.QMPTestCase):
+         self.assertEqual(self.get_node('hd1'), None)
+         self.assert_qmp(self.get_node('hd2'), 'ro', True)
+ 
+-    def run_test_iothreads(self, iothread_a, iothread_b, errmsg = None):
+-        opts = hd_opts(0)
++    def run_test_iothreads(self, iothread_a, iothread_b, errmsg = None,
++                           opts_a = None, opts_b = None):
++        opts = opts_a or hd_opts(0)
+         result = self.vm.qmp('blockdev-add', conv_keys = False, **opts)
+         self.assert_qmp(result, 'return', {})
+ 
+-        opts2 = hd_opts(2)
++        opts2 = opts_b or hd_opts(2)
+         result = self.vm.qmp('blockdev-add', conv_keys = False, **opts2)
+         self.assert_qmp(result, 'return', {})
+ 
+@@ -1194,6 +1195,35 @@ class TestBlockdevReopen(iotests.QMPTestCase):
+     def test_iothreads_switch_overlay(self):
+         self.run_test_iothreads('', 'iothread0')
+ 
++    def test_iothreads_with_throttling(self):
++        # Create a throttle-group object
++        opts = { 'qom-type': 'throttle-group', 'id': 'group0',
++                 'limits': { 'iops-total': 1000 } }
++        result = self.vm.qmp('object-add', conv_keys = False, **opts)
++        self.assert_qmp(result, 'return', {})
++
++        # Options with a throttle filter between format and protocol
++        opts = [
++            {
++                'driver': iotests.imgfmt,
++                'node-name': f'hd{idx}',
++                'file' : {
++                    'node-name': f'hd{idx}-throttle',
++                    'driver': 'throttle',
++                    'throttle-group': 'group0',
++                    'file': {
++                        'driver': 'file',
++                        'node-name': f'hd{idx}-file',
++                        'filename': hd_path[idx],
++                    },
++                },
++            }
++            for idx in (0, 2)
++        ]
++
++        self.run_test_iothreads('iothread0', 'iothread0', None,
++                                opts[0], opts[1])
++
+ if __name__ == '__main__':
+     iotests.activate_logging()
+     iotests.main(supported_fmts=["qcow2"],
+diff --git a/tests/qemu-iotests/245.out b/tests/qemu-iotests/245.out
+index 4eced19294..a4e04a3266 100644
+--- a/tests/qemu-iotests/245.out
++++ b/tests/qemu-iotests/245.out
+@@ -17,8 +17,8 @@ read 1/1 bytes at offset 262152
+ read 1/1 bytes at offset 262160
+ 1 bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
+ 
+-...............
++................
+ ----------------------------------------------------------------------
+-Ran 25 tests
++Ran 26 tests
+ 
+ OK
+-- 
+2.27.0
+
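Review bot: In run_test_iothreads, `opts = opts_a or hd_opts(0)` and `opts2 = opts_b or hd_opts(2)` fall back to the defaults for any falsy argument, so a caller that passes an empty dict by mistake silently tests the default nodes instead of failing. `opts = hd_opts(0) if opts_a is None else opts_a` (and the same for opts_b) limits the fallback to an omitted argument. In test_iothreads_with_throttling the name `opts` is also bound first to the throttle-group dict and then to the list of node options; two distinct names would read more clearly.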
diff --git a/SOURCES/kvm-iotests-block-status-cache-New-test.patch b/SOURCES/kvm-iotests-block-status-cache-New-test.patch
new file mode 100644
index 0000000..25f057c
--- /dev/null
+++ b/SOURCES/kvm-iotests-block-status-cache-New-test.patch
@@ -0,0 +1,197 @@
+From 0ba4c0836f702bb3abbd173c7ee486a8247331ae Mon Sep 17 00:00:00 2001
+From: Hanna Reitz <hreitz@redhat.com>
+Date: Tue, 18 Jan 2022 18:00:00 +0100
+Subject: [PATCH 7/7] iotests/block-status-cache: New test
+
+RH-Author: Hanna Reitz <hreitz@redhat.com>
+RH-MergeRequest: 112: block/io: Update BSC only if want_zero is true
+RH-Commit: [2/2] ba86b4db32c33e17a85f476d445ef0523cf8f60e
+RH-Bugzilla: 2041480
+RH-Acked-by: Eric Blake <eblake@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
+
+Add a new test to verify that want_zero=false block-status calls do not
+pollute the block-status cache for want_zero=true calls.
+
+We check want_zero=true calls and their results using `qemu-img map`
+(over NBD), and want_zero=false calls also using `qemu-img map` over
+NBD, but using the qemu:allocation-depth context.
+
+(This test case cannot be integrated into nbd-qemu-allocation, because
+that is a qcow2 test, and this is a raw test.)
+
+Signed-off-by: Hanna Reitz <hreitz@redhat.com>
+Message-Id: <20220118170000.49423-3-hreitz@redhat.com>
+Reviewed-by: Nir Soffer <nsoffer@redhat.com>
+Reviewed-by: Eric Blake <eblake@redhat.com>
+Tested-by: Eric Blake <eblake@redhat.com>
+Signed-off-by: Eric Blake <eblake@redhat.com>
+(cherry picked from commit 6384dd534d742123d26c008d9794b20bc41359d5)
+Signed-off-by: Hanna Reitz <hreitz@redhat.com>
+---
+ tests/qemu-iotests/tests/block-status-cache   | 139 ++++++++++++++++++
+ .../qemu-iotests/tests/block-status-cache.out |   5 +
+ 2 files changed, 144 insertions(+)
+ create mode 100755 tests/qemu-iotests/tests/block-status-cache
+ create mode 100644 tests/qemu-iotests/tests/block-status-cache.out
+
+diff --git a/tests/qemu-iotests/tests/block-status-cache b/tests/qemu-iotests/tests/block-status-cache
+new file mode 100755
+index 0000000000..6fa10bb8f8
+--- /dev/null
++++ b/tests/qemu-iotests/tests/block-status-cache
+@@ -0,0 +1,139 @@
++#!/usr/bin/env python3
++# group: rw quick
++#
++# Test cases for the block-status cache.
++#
++# Copyright (C) 2022 Red Hat, Inc.
++#
++# This program is free software; you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation; either version 2 of the License, or
++# (at your option) any later version.
++#
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with this program.  If not, see <http://www.gnu.org/licenses/>.
++#
++
++import os
++import signal
++import iotests
++from iotests import qemu_img_create, qemu_img_pipe, qemu_nbd
++
++
++image_size = 1 * 1024 * 1024
++test_img = os.path.join(iotests.test_dir, 'test.img')
++
++nbd_pidfile = os.path.join(iotests.test_dir, 'nbd.pid')
++nbd_sock = os.path.join(iotests.sock_dir, 'nbd.sock')
++
++
++class TestBscWithNbd(iotests.QMPTestCase):
++    def setUp(self) -> None:
++        """Just create an empty image with a read-only NBD server on it"""
++        assert qemu_img_create('-f', iotests.imgfmt, test_img,
++                               str(image_size)) == 0
++
++        # Pass --allocation-depth to enable the qemu:allocation-depth context,
++        # which we are going to query to provoke a block-status inquiry with
++        # want_zero=false.
++        assert qemu_nbd(f'--socket={nbd_sock}',
++                        f'--format={iotests.imgfmt}',
++                        '--persistent',
++                        '--allocation-depth',
++                        '--read-only',
++                        f'--pid-file={nbd_pidfile}',
++                        test_img) \
++            == 0
++
++    def tearDown(self) -> None:
++        with open(nbd_pidfile, encoding='utf-8') as f:
++            pid = int(f.read())
++        os.kill(pid, signal.SIGTERM)
++        os.remove(nbd_pidfile)
++        os.remove(test_img)
++
++    def test_with_zero_bug(self) -> None:
++        """
++        Verify that the block-status cache is not corrupted by a
++        want_zero=false call.
++        We can provoke a want_zero=false call with `qemu-img map` over NBD with
++        x-dirty-bitmap=qemu:allocation-depth, so we first run a normal `map`
++        (which results in want_zero=true), then using said
++        qemu:allocation-depth context, and finally another normal `map` to
++        verify that the cache has not been corrupted.
++        """
++
++        nbd_img_opts = f'driver=nbd,server.type=unix,server.path={nbd_sock}'
++        nbd_img_opts_alloc_depth = nbd_img_opts + \
++            ',x-dirty-bitmap=qemu:allocation-depth'
++
++        # Normal map, results in want_zero=true.
++        # This will probably detect an allocated data sector first (qemu likes
++        # to allocate the first sector to facilitate alignment probing), and
++        # then the rest to be zero.  The BSC will thus contain (if anything)
++        # one range covering the first sector.
++        map_pre = qemu_img_pipe('map', '--output=json', '--image-opts',
++                                nbd_img_opts)
++
++        # qemu:allocation-depth maps for want_zero=false.
++        # want_zero=false should (with the file driver, which the server is
++        # using) report everything as data.  While this is sufficient for
++        # want_zero=false, this is nothing that should end up in the
++        # block-status cache.
++        # Due to a bug, this information did end up in the cache, though, and
++        # this would lead to wrong information being returned on subsequent
++        # want_zero=true calls.
++        #
++        # We need to run this map twice: On the first call, we probably still
++        # have the first sector in the cache, and so this will be served from
++        # the cache; and only the subsequent range will be queried from the
++        # block driver.  This subsequent range will then be entered into the
++        # cache.
++        # If we did a want_zero=true call at this point, we would thus get
++        # correct information: The first sector is not covered by the cache, so
++        # we would get fresh block-status information from the driver, which
++        # would return a data range, and this would then go into the cache,
++        # evicting the wrong range from the want_zero=false call before.
++        #
++        # Therefore, we need a second want_zero=false map to reproduce:
++        # Since the first sector is not in the cache, the query for its status
++        # will go to the driver, which will return a result that reports the
++        # whole image to be a single data area.  This result will then go into
++        # the cache, and so the cache will then report the whole image to
++        # contain data.
++        #
++        # Note that once the cache reports the whole image to contain data, any
++        # subsequent map operation will be served from the cache, and so we can
++        # never loop too many times here.
++        for _ in range(2):
++            # (Ignore the result, this is just to contaminate the cache)
++            qemu_img_pipe('map', '--output=json', '--image-opts',
++                          nbd_img_opts_alloc_depth)
++
++        # Now let's see whether the cache reports everything as data, or
++        # whether we get correct information (i.e. the same as we got on our
++        # first attempt).
++        map_post = qemu_img_pipe('map', '--output=json', '--image-opts',
++                                 nbd_img_opts)
++
++        if map_pre != map_post:
++            print('ERROR: Map information differs before and after querying ' +
++                  'qemu:allocation-depth')
++            print('Before:')
++            print(map_pre)
++            print('After:')
++            print(map_post)
++
++            self.fail("Map information differs")
++
++
++if __name__ == '__main__':
++    # The block-status cache only works on the protocol layer, so to test it,
++    # we can only use the raw format
++    iotests.main(supported_fmts=['raw'],
++                 supported_protocols=['file'])
+diff --git a/tests/qemu-iotests/tests/block-status-cache.out b/tests/qemu-iotests/tests/block-status-cache.out
+new file mode 100644
+index 0000000000..ae1213e6f8
+--- /dev/null
++++ b/tests/qemu-iotests/tests/block-status-cache.out
+@@ -0,0 +1,5 @@
++.
++----------------------------------------------------------------------
++Ran 1 tests
++
++OK
+-- 
+2.27.0
+
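Review bot: setUp runs `qemu_img_create(...)` and `qemu_nbd(...)` inside `assert` statements, so when the interpreter runs with `-O` the calls themselves are dropped and neither the image nor the NBD server exists when the test body starts. Using `self.assertEqual(qemu_img_create('-f', iotests.imgfmt, test_img, str(image_size)), 0)`, and the same form for qemu_nbd, keeps the side effect outside the assertion. In tearDown, a missing or unreadable pid file raises before `os.remove(test_img)` runs, so the image is left in the test directory; wrapping the kill in `try`/`finally` would make the cleanup unconditional.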
diff --git a/SOURCES/kvm-iotests-stream-error-on-reset-New-test.patch b/SOURCES/kvm-iotests-stream-error-on-reset-New-test.patch
new file mode 100644
index 0000000..0214854
--- /dev/null
+++ b/SOURCES/kvm-iotests-stream-error-on-reset-New-test.patch
@@ -0,0 +1,198 @@
+From ffdec41922a34b6fe4e7e11f259553d65b41563e Mon Sep 17 00:00:00 2001
+From: Stefan Hajnoczi <stefanha@redhat.com>
+Date: Tue, 11 Jan 2022 15:36:13 +0000
+Subject: [PATCH 4/6] iotests/stream-error-on-reset: New test
+
+RH-Author: Stefan Hajnoczi <stefanha@redhat.com>
+RH-MergeRequest: 109: block-backend: prevent dangling BDS pointers across aio_poll()
+RH-Commit: [2/2] 0ecb7010d9c121398e7ee22ee47dd85d89bcd941
+RH-Bugzilla: 2021778 2036178
+RH-Acked-by: Hanna Reitz <hreitz@redhat.com>
+RH-Acked-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
+RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
+
+Author: Hanna Reitz <hreitz@redhat.com>
+
+Test the following scenario:
+- Simple stream block in two-layer backing chain (base and top)
+- The job is drained via blk_drain(), then an error occurs while the job
+  settles the ongoing request
+- And so the job completes while in blk_drain()
+
+This was reported as a segfault, but is fixed by "block-backend: prevent
+dangling BDS pointers across aio_poll()".
+
+Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=2036178
+Signed-off-by: Hanna Reitz <hreitz@redhat.com>
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+Message-Id: <20220111153613.25453-3-stefanha@redhat.com>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+(cherry picked from commit 2ca1d5d6b91f8a52a5c651f660b2f58c94bf97ba)
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+---
+ .../qemu-iotests/tests/stream-error-on-reset  | 140 ++++++++++++++++++
+ .../tests/stream-error-on-reset.out           |   5 +
+ 2 files changed, 145 insertions(+)
+ create mode 100755 tests/qemu-iotests/tests/stream-error-on-reset
+ create mode 100644 tests/qemu-iotests/tests/stream-error-on-reset.out
+
+diff --git a/tests/qemu-iotests/tests/stream-error-on-reset b/tests/qemu-iotests/tests/stream-error-on-reset
+new file mode 100755
+index 0000000000..7eaedb24d7
+--- /dev/null
++++ b/tests/qemu-iotests/tests/stream-error-on-reset
+@@ -0,0 +1,140 @@
++#!/usr/bin/env python3
++# group: rw quick
++#
++# Test what happens when a stream job completes in a blk_drain().
++#
++# Copyright (C) 2022 Red Hat, Inc.
++#
++# This program is free software; you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation; either version 2 of the License, or
++# (at your option) any later version.
++#
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with this program.  If not, see <http://www.gnu.org/licenses/>.
++#
++
++import os
++import iotests
++from iotests import imgfmt, qemu_img_create, qemu_io_silent, QMPTestCase
++
++
++image_size = 1 * 1024 * 1024
++data_size = 64 * 1024
++base = os.path.join(iotests.test_dir, 'base.img')
++top = os.path.join(iotests.test_dir, 'top.img')
++
++
++# We want to test completing a stream job in a blk_drain().
++#
++# The blk_drain() we are going to use is a virtio-scsi device resetting,
++# which we can trigger by resetting the system.
++#
++# In order to have the block job complete on drain, we (1) throttle its
++# base image so we can start the drain after it has begun, but before it
++# completes, and (2) make it encounter an I/O error on the ensuing write.
++# (If it completes regularly, the completion happens after the drain for
++# some reason.)
++
++class TestStreamErrorOnReset(QMPTestCase):
++    def setUp(self) -> None:
++        """
++        Create two images:
++        - base image {base} with {data_size} bytes allocated
++        - top image {top} without any data allocated
++
++        And the following VM configuration:
++        - base image throttled to {data_size}
++        - top image with a blkdebug configuration so the first write access
++          to it will result in an error
++        - top image is attached to a virtio-scsi device
++        """
++        assert qemu_img_create('-f', imgfmt, base, str(image_size)) == 0
++        assert qemu_io_silent('-c', f'write 0 {data_size}', base) == 0
++        assert qemu_img_create('-f', imgfmt, top, str(image_size)) == 0
++
++        self.vm = iotests.VM()
++        self.vm.add_args('-accel', 'tcg') # Make throttling work properly
++        self.vm.add_object(self.vm.qmp_to_opts({
++            'qom-type': 'throttle-group',
++            'id': 'thrgr',
++            'x-bps-total': str(data_size)
++        }))
++        self.vm.add_blockdev(self.vm.qmp_to_opts({
++            'driver': imgfmt,
++            'node-name': 'base',
++            'file': {
++                'driver': 'throttle',
++                'throttle-group': 'thrgr',
++                'file': {
++                    'driver': 'file',
++                    'filename': base
++                }
++            }
++        }))
++        self.vm.add_blockdev(self.vm.qmp_to_opts({
++            'driver': imgfmt,
++            'node-name': 'top',
++            'file': {
++                'driver': 'blkdebug',
++                'node-name': 'top-blkdebug',
++                'inject-error': [{
++                    'event': 'pwritev',
++                    'immediately': 'true',
++                    'once': 'true'
++                }],
++                'image': {
++                    'driver': 'file',
++                    'filename': top
++                }
++            },
++            'backing': 'base'
++        }))
++        self.vm.add_device(self.vm.qmp_to_opts({
++            'driver': 'virtio-scsi',
++            'id': 'vscsi'
++        }))
++        self.vm.add_device(self.vm.qmp_to_opts({
++            'driver': 'scsi-hd',
++            'bus': 'vscsi.0',
++            'drive': 'top'
++        }))
++        self.vm.launch()
++
++    def tearDown(self) -> None:
++        self.vm.shutdown()
++        os.remove(top)
++        os.remove(base)
++
++    def test_stream_error_on_reset(self) -> None:
++        # Launch a stream job, which will take at least a second to
++        # complete, because the base image is throttled (so we can
++        # get in between it having started and it having completed)
++        res = self.vm.qmp('block-stream', job_id='stream', device='top')
++        self.assert_qmp(res, 'return', {})
++
++        while True:
++            ev = self.vm.event_wait('JOB_STATUS_CHANGE')
++            if ev['data']['status'] == 'running':
++                # Once the stream job is running, reset the system, which
++                # forces the virtio-scsi device to be reset, thus draining
++                # the stream job, and making it complete.  Completing
++                # inside of that drain should not result in a segfault.
++                res = self.vm.qmp('system_reset')
++                self.assert_qmp(res, 'return', {})
++            elif ev['data']['status'] == 'null':
++                # The test is done once the job is gone
++                break
++
++
++if __name__ == '__main__':
++    # Passes with any format with backing file support, but qed and
++    # qcow1 do not seem to exercise the used-to-be problematic code
++    # path, so there is no point in having them in this list
++    iotests.main(supported_fmts=['qcow2', 'vmdk'],
++                 supported_protocols=['file'])
+diff --git a/tests/qemu-iotests/tests/stream-error-on-reset.out b/tests/qemu-iotests/tests/stream-error-on-reset.out
+new file mode 100644
+index 0000000000..ae1213e6f8
+--- /dev/null
++++ b/tests/qemu-iotests/tests/stream-error-on-reset.out
+@@ -0,0 +1,5 @@
++.
++----------------------------------------------------------------------
++Ran 1 tests
++
++OK
+-- 
+2.27.0
+
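Review bot: The loop in `test_stream_error_on_reset` only waits for the job to reach `null`, so the test also reports OK when the injected blkdebug write error never fires and the job finishes normally. The comment at the top of the file says a regular completion happens after the drain, in which case the path this test was written for is not exercised. Recording the failure would catch that, for example `elif ev['data']['status'] == 'aborting': saw_abort = True` inside the loop and `self.assertTrue(saw_abort)` after it; this presumes a failed stream job reports `aborting` before `null`, which should be confirmed. A one-line docstring on the test method stating that the pass criterion is "QEMU survives the reset and the job ends with an error" would also help.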
diff --git a/SOURCES/kvm-iotests.py-Add-QemuStorageDaemon-class.patch b/SOURCES/kvm-iotests.py-Add-QemuStorageDaemon-class.patch
new file mode 100644
index 0000000..539897f
--- /dev/null
+++ b/SOURCES/kvm-iotests.py-Add-QemuStorageDaemon-class.patch
@@ -0,0 +1,92 @@
+From 34ffcd1a463bd3c1d36ed2f33dd6335b35b38460 Mon Sep 17 00:00:00 2001
+From: Hanna Reitz <hreitz@redhat.com>
+Date: Fri, 4 Feb 2022 12:10:09 +0100
+Subject: [PATCH 3/6] iotests.py: Add QemuStorageDaemon class
+
+RH-Author: Hanna Reitz <hreitz@redhat.com>
+RH-MergeRequest: 117: block/nbd: Handle AioContext changes
+RH-Commit: [3/6] 754fe76bc5e8be57f4b78f176531014c4a12b044
+RH-Bugzilla: 2035185
+RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
+RH-Acked-by: Eric Blake <eblake@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+
+This is a rather simple class that allows creating a QSD instance
+running in the background and stopping it when no longer needed.
+
+The __del__ handler is a safety net for when something goes so wrong in
+a test that e.g. the tearDown() method is not called (e.g. setUp()
+launches the QSD, but then launching a VM fails).  We do not want the
+QSD to continue running after the test has failed, so __del__() will
+take care to kill it.
+
+Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+Signed-off-by: Hanna Reitz <hreitz@redhat.com>
+Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+(cherry picked from commit 091dc7b2b5553a529bff9a7bf9ad3bc85bc5bdcd)
+Signed-off-by: Hanna Reitz <hreitz@redhat.com>
+---
+ tests/qemu-iotests/iotests.py | 40 +++++++++++++++++++++++++++++++++++
+ 1 file changed, 40 insertions(+)
+
+diff --git a/tests/qemu-iotests/iotests.py b/tests/qemu-iotests/iotests.py
+index 83bfedb902..a51b5ce8cd 100644
+--- a/tests/qemu-iotests/iotests.py
++++ b/tests/qemu-iotests/iotests.py
+@@ -72,6 +72,8 @@
+ qemu_prog = os.environ.get('QEMU_PROG', 'qemu')
+ qemu_opts = os.environ.get('QEMU_OPTIONS', '').strip().split(' ')
+ 
++qsd_prog = os.environ.get('QSD_PROG', 'qemu-storage-daemon')
++
+ gdb_qemu_env = os.environ.get('GDB_OPTIONS')
+ qemu_gdb = []
+ if gdb_qemu_env:
+@@ -312,6 +314,44 @@ def cmd(self, cmd):
+         return self._read_output()
+ 
+ 
++class QemuStorageDaemon:
++    def __init__(self, *args: str, instance_id: str = 'a'):
++        assert '--pidfile' not in args
++        self.pidfile = os.path.join(test_dir, f'qsd-{instance_id}-pid')
++        all_args = [qsd_prog] + list(args) + ['--pidfile', self.pidfile]
++
++        # Cannot use with here, we want the subprocess to stay around
++        # pylint: disable=consider-using-with
++        self._p = subprocess.Popen(all_args)
++        while not os.path.exists(self.pidfile):
++            if self._p.poll() is not None:
++                cmd = ' '.join(all_args)
++                raise RuntimeError(
++                    'qemu-storage-daemon terminated with exit code ' +
++                    f'{self._p.returncode}: {cmd}')
++
++            time.sleep(0.01)
++
++        with open(self.pidfile, encoding='utf-8') as f:
++            self._pid = int(f.read().strip())
++
++        assert self._pid == self._p.pid
++
++    def stop(self, kill_signal=15):
++        self._p.send_signal(kill_signal)
++        self._p.wait()
++        self._p = None
++
++        try:
++            os.remove(self.pidfile)
++        except OSError:
++            pass
++
++    def __del__(self):
++        if self._p is not None:
++            self.stop(kill_signal=9)
++
++
+ def qemu_nbd(*args):
+     '''Run qemu-nbd in daemon mode and return the parent's exit code'''
+     return subprocess.call(qemu_nbd_args + ['--fork'] + list(args))
+-- 
+2.27.0
+
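Review bot: In the `QemuStorageDaemon` class added to tests/qemu-iotests/iotests.py, `__del__` reads `self._p` even when `__init__` never assigned it. That happens when the `--pidfile` assertion fails or `subprocess.Popen(all_args)` raises (for instance because `qsd_prog` cannot be executed), so the safety net itself raises AttributeError during finalization. Guarding the lookup with `if getattr(self, '_p', None) is not None:` avoids that. The wait loop also has no deadline and treats the mere existence of the pidfile as readiness, so a daemon that stalls before creating it hangs the test run. A pidfile left behind by an earlier run with the same `instance_id` is read immediately and trips the `self._pid == self._p.pid` assertion; removing a stale file before `Popen` and bounding the loop with `time.monotonic()` would cover both.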
diff --git a/SOURCES/kvm-numa-Enable-numa-for-SGX-EPC-sections.patch b/SOURCES/kvm-numa-Enable-numa-for-SGX-EPC-sections.patch
new file mode 100644
index 0000000..68f7647
--- /dev/null
+++ b/SOURCES/kvm-numa-Enable-numa-for-SGX-EPC-sections.patch
@@ -0,0 +1,287 @@
+From 35bf6693fb5bba5a9d5fdf4a7fdac06ce574b83d Mon Sep 17 00:00:00 2001
+From: Yang Zhong <yang.zhong@intel.com>
+Date: Mon, 1 Nov 2021 12:20:05 -0400
+Subject: [PATCH 1/7] numa: Enable numa for SGX EPC sections
+
+RH-Author: Paul Lai <None>
+RH-MergeRequest: 111: numa: Enable numa for SGX EPC sections
+RH-Commit: [1/5] c29297cbacc4cb65c9ac125db349a767aa2574af
+RH-Bugzilla: 1518984
+RH-Acked-by: Paolo Bonzini <None>
+RH-Acked-by: Bandan Das <None>
+RH-Acked-by: Cornelia Huck <cohuck@redhat.com>
+
+The basic SGX did not enable numa for SGX EPC sections, which
+result in all EPC sections located in numa node 0. This patch
+enable SGX numa function in the guest and the EPC section can
+work with RAM as one numa node.
+
+The Guest kernel related log:
+[    0.009981] ACPI: SRAT: Node 0 PXM 0 [mem 0x180000000-0x183ffffff]
+[    0.009982] ACPI: SRAT: Node 1 PXM 1 [mem 0x184000000-0x185bfffff]
+The SRAT table can normally show SGX EPC sections menory info in different
+numa nodes.
+
+The SGX EPC numa related command:
+ ......
+ -m 4G,maxmem=20G \
+ -smp sockets=2,cores=2 \
+ -cpu host,+sgx-provisionkey \
+ -object memory-backend-ram,size=2G,host-nodes=0,policy=bind,id=node0 \
+ -object memory-backend-epc,id=mem0,size=64M,prealloc=on,host-nodes=0,policy=bind \
+ -numa node,nodeid=0,cpus=0-1,memdev=node0 \
+ -object memory-backend-ram,size=2G,host-nodes=1,policy=bind,id=node1 \
+ -object memory-backend-epc,id=mem1,size=28M,prealloc=on,host-nodes=1,policy=bind \
+ -numa node,nodeid=1,cpus=2-3,memdev=node1 \
+ -M sgx-epc.0.memdev=mem0,sgx-epc.0.node=0,sgx-epc.1.memdev=mem1,sgx-epc.1.node=1 \
+ ......
+
+Signed-off-by: Yang Zhong <yang.zhong@intel.com>
+Message-Id: <20211101162009.62161-2-yang.zhong@intel.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 1105812382e1126d86dddc16b3700f8c79dc93d1)
+Signed-off-by: Paul Lai <plai@redhat.com>
+---
+ hw/core/numa.c            |  5 ++---
+ hw/i386/acpi-build.c      |  2 ++
+ hw/i386/sgx-epc.c         |  3 +++
+ hw/i386/sgx-stub.c        |  4 ++++
+ hw/i386/sgx.c             | 44 +++++++++++++++++++++++++++++++++++++++
+ include/hw/i386/sgx-epc.h |  3 +++
+ monitor/hmp-cmds.c        |  1 +
+ qapi/machine.json         | 10 ++++++++-
+ qemu-options.hx           |  4 ++--
+ 9 files changed, 70 insertions(+), 6 deletions(-)
+
+diff --git a/hw/core/numa.c b/hw/core/numa.c
+index e6050b2273..1aa05dcf42 100644
+--- a/hw/core/numa.c
++++ b/hw/core/numa.c
+@@ -784,9 +784,8 @@ static void numa_stat_memory_devices(NumaNodeMem node_mem[])
+                 break;
+             case MEMORY_DEVICE_INFO_KIND_SGX_EPC:
+                 se = value->u.sgx_epc.data;
+-                /* TODO: once we support numa, assign to right node */
+-                node_mem[0].node_mem += se->size;
+-                node_mem[0].node_plugged_mem += se->size;
++                node_mem[se->node].node_mem += se->size;
++                node_mem[se->node].node_plugged_mem = 0;
+                 break;
+             default:
+                 g_assert_not_reached();
+diff --git a/hw/i386/acpi-build.c b/hw/i386/acpi-build.c
+index 447ea35275..a4478e77b7 100644
+--- a/hw/i386/acpi-build.c
++++ b/hw/i386/acpi-build.c
+@@ -2071,6 +2071,8 @@ build_srat(GArray *table_data, BIOSLinker *linker, MachineState *machine)
+         nvdimm_build_srat(table_data);
+     }
+ 
++    sgx_epc_build_srat(table_data);
++
+     /*
+      * TODO: this part is not in ACPI spec and current linux kernel boots fine
+      * without these entries. But I recall there were issues the last time I
+diff --git a/hw/i386/sgx-epc.c b/hw/i386/sgx-epc.c
+index e508827e78..96b2940d75 100644
+--- a/hw/i386/sgx-epc.c
++++ b/hw/i386/sgx-epc.c
+@@ -21,6 +21,7 @@
+ 
+ static Property sgx_epc_properties[] = {
+     DEFINE_PROP_UINT64(SGX_EPC_ADDR_PROP, SGXEPCDevice, addr, 0),
++    DEFINE_PROP_UINT32(SGX_EPC_NUMA_NODE_PROP, SGXEPCDevice, node, 0),
+     DEFINE_PROP_LINK(SGX_EPC_MEMDEV_PROP, SGXEPCDevice, hostmem,
+                      TYPE_MEMORY_BACKEND_EPC, HostMemoryBackendEpc *),
+     DEFINE_PROP_END_OF_LIST(),
+@@ -139,6 +140,8 @@ static void sgx_epc_md_fill_device_info(const MemoryDeviceState *md,
+     se->memaddr = epc->addr;
+     se->size = object_property_get_uint(OBJECT(epc), SGX_EPC_SIZE_PROP,
+                                         NULL);
++    se->node = object_property_get_uint(OBJECT(epc), SGX_EPC_NUMA_NODE_PROP,
++                                        NULL);
+     se->memdev = object_get_canonical_path(OBJECT(epc->hostmem));
+ 
+     info->u.sgx_epc.data = se;
+diff --git a/hw/i386/sgx-stub.c b/hw/i386/sgx-stub.c
+index c9b379e665..26833eb233 100644
+--- a/hw/i386/sgx-stub.c
++++ b/hw/i386/sgx-stub.c
+@@ -6,6 +6,10 @@
+ #include "qapi/error.h"
+ #include "qapi/qapi-commands-misc-target.h"
+ 
++void sgx_epc_build_srat(GArray *table_data)
++{
++}
++
+ SGXInfo *qmp_query_sgx(Error **errp)
+ {
+     error_setg(errp, "SGX support is not compiled in");
+diff --git a/hw/i386/sgx.c b/hw/i386/sgx.c
+index 8fef3dd8fa..d04299904a 100644
+--- a/hw/i386/sgx.c
++++ b/hw/i386/sgx.c
+@@ -23,6 +23,7 @@
+ #include "sysemu/hw_accel.h"
+ #include "sysemu/reset.h"
+ #include <sys/ioctl.h>
++#include "hw/acpi/aml-build.h"
+ 
+ #define SGX_MAX_EPC_SECTIONS            8
+ #define SGX_CPUID_EPC_INVALID           0x0
+@@ -36,6 +37,46 @@
+ 
+ #define RETRY_NUM                       2
+ 
++static int sgx_epc_device_list(Object *obj, void *opaque)
++{
++    GSList **list = opaque;
++
++    if (object_dynamic_cast(obj, TYPE_SGX_EPC)) {
++        *list = g_slist_append(*list, DEVICE(obj));
++    }
++
++    object_child_foreach(obj, sgx_epc_device_list, opaque);
++    return 0;
++}
++
++static GSList *sgx_epc_get_device_list(void)
++{
++    GSList *list = NULL;
++
++    object_child_foreach(qdev_get_machine(), sgx_epc_device_list, &list);
++    return list;
++}
++
++void sgx_epc_build_srat(GArray *table_data)
++{
++    GSList *device_list = sgx_epc_get_device_list();
++
++    for (; device_list; device_list = device_list->next) {
++        DeviceState *dev = device_list->data;
++        Object *obj = OBJECT(dev);
++        uint64_t addr, size;
++        int node;
++
++        node = object_property_get_uint(obj, SGX_EPC_NUMA_NODE_PROP,
++                                        &error_abort);
++        addr = object_property_get_uint(obj, SGX_EPC_ADDR_PROP, &error_abort);
++        size = object_property_get_uint(obj, SGX_EPC_SIZE_PROP, &error_abort);
++
++        build_srat_memory(table_data, addr, size, node, MEM_AFFINITY_ENABLED);
++    }
++    g_slist_free(device_list);
++}
++
+ static uint64_t sgx_calc_section_metric(uint64_t low, uint64_t high)
+ {
+     return (low & MAKE_64BIT_MASK(12, 20)) +
+@@ -226,6 +267,9 @@ void pc_machine_init_sgx_epc(PCMachineState *pcms)
+         /* set the memdev link with memory backend */
+         object_property_parse(obj, SGX_EPC_MEMDEV_PROP, list->value->memdev,
+                               &error_fatal);
++        /* set the numa node property for sgx epc object */
++        object_property_set_uint(obj, SGX_EPC_NUMA_NODE_PROP, list->value->node,
++                             &error_fatal);
+         object_property_set_bool(obj, "realized", true, &error_fatal);
+         object_unref(obj);
+     }
+diff --git a/include/hw/i386/sgx-epc.h b/include/hw/i386/sgx-epc.h
+index a6a65be854..581fac389a 100644
+--- a/include/hw/i386/sgx-epc.h
++++ b/include/hw/i386/sgx-epc.h
+@@ -25,6 +25,7 @@
+ #define SGX_EPC_ADDR_PROP "addr"
+ #define SGX_EPC_SIZE_PROP "size"
+ #define SGX_EPC_MEMDEV_PROP "memdev"
++#define SGX_EPC_NUMA_NODE_PROP "node"
+ 
+ /**
+  * SGXEPCDevice:
+@@ -38,6 +39,7 @@ typedef struct SGXEPCDevice {
+ 
+     /* public */
+     uint64_t addr;
++    uint32_t node;
+     HostMemoryBackendEpc *hostmem;
+ } SGXEPCDevice;
+ 
+@@ -56,6 +58,7 @@ typedef struct SGXEPCState {
+ } SGXEPCState;
+ 
+ bool sgx_epc_get_section(int section_nr, uint64_t *addr, uint64_t *size);
++void sgx_epc_build_srat(GArray *table_data);
+ 
+ static inline uint64_t sgx_epc_above_4g_end(SGXEPCState *sgx_epc)
+ {
+diff --git a/monitor/hmp-cmds.c b/monitor/hmp-cmds.c
+index 9c91bf93e9..2669156b28 100644
+--- a/monitor/hmp-cmds.c
++++ b/monitor/hmp-cmds.c
+@@ -1810,6 +1810,7 @@ void hmp_info_memory_devices(Monitor *mon, const QDict *qdict)
+                                se->id ? se->id : "");
+                 monitor_printf(mon, "  memaddr: 0x%" PRIx64 "\n", se->memaddr);
+                 monitor_printf(mon, "  size: %" PRIu64 "\n", se->size);
++                monitor_printf(mon, "  node: %" PRId64 "\n", se->node);
+                 monitor_printf(mon, "  memdev: %s\n", se->memdev);
+                 break;
+             default:
+diff --git a/qapi/machine.json b/qapi/machine.json
+index 067e3f5378..16e771affc 100644
+--- a/qapi/machine.json
++++ b/qapi/machine.json
+@@ -1207,12 +1207,15 @@
+ #
+ # @memdev: memory backend linked with device
+ #
++# @node: the numa node
++#
+ # Since: 6.2
+ ##
+ { 'struct': 'SgxEPCDeviceInfo',
+   'data': { '*id': 'str',
+             'memaddr': 'size',
+             'size': 'size',
++            'node': 'int',
+             'memdev': 'str'
+           }
+ }
+@@ -1285,10 +1288,15 @@
+ #
+ # @memdev: memory backend linked with device
+ #
++# @node: the numa node
++#
+ # Since: 6.2
+ ##
+ { 'struct': 'SgxEPC',
+-  'data': { 'memdev': 'str' } }
++  'data': { 'memdev': 'str',
++            'node': 'int'
++          }
++}
+ 
+ ##
+ # @SgxEPCProperties:
+diff --git a/qemu-options.hx b/qemu-options.hx
+index 94c4a8dbaf..4b7798088b 100644
+--- a/qemu-options.hx
++++ b/qemu-options.hx
+@@ -127,11 +127,11 @@ SRST
+ ERST
+ 
+ DEF("M", HAS_ARG, QEMU_OPTION_M,
+-    "                sgx-epc.0.memdev=memid\n",
++    "                sgx-epc.0.memdev=memid,sgx-epc.0.node=numaid\n",
+     QEMU_ARCH_ALL)
+ 
+ SRST
+-``sgx-epc.0.memdev=@var{memid}``
++``sgx-epc.0.memdev=@var{memid},sgx-epc.0.node=@var{numaid}``
+     Define an SGX EPC section.
+ ERST
+ 
+-- 
+2.27.0
+
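Review bot: The rewritten SGX_EPC case in hw/core/numa.c indexes `node_mem[se->node]` with a value that comes from the `sgx-epc.N.node` machine property, and no hunk in this patch checks it against the number of configured NUMA nodes, so an out-of-range node would write past the array if the caller sizes it by node count (the function and its callers are outside the hunk, so this needs confirming). A range check next to the `object_property_set_uint(obj, SGX_EPC_NUMA_NODE_PROP, ...)` call in `pc_machine_init_sgx_epc()` would reject such a configuration at startup. In the same case, `node_mem[se->node].node_plugged_mem = 0;` assigns instead of leaving the counter alone, which presumably discards what other device kinds already added for that node; dropping the line keeps EPC out of the plugged total without that side effect. In hw/i386/sgx.c, `sgx_epc_build_srat()` advances `device_list` to NULL and then passes it to `g_slist_free()`, which leaks the list; iterating with `for (GSList *l = device_list; l; l = l->next)` fixes it, and `sgx_get_epc_sections_list()` in the following patch repeats the pattern.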
diff --git a/SOURCES/kvm-numa-Support-SGX-numa-in-the-monitor-and-Libvirt-int.patch b/SOURCES/kvm-numa-Support-SGX-numa-in-the-monitor-and-Libvirt-int.patch
new file mode 100644
index 0000000..659dc22
--- /dev/null
+++ b/SOURCES/kvm-numa-Support-SGX-numa-in-the-monitor-and-Libvirt-int.patch
@@ -0,0 +1,210 @@
+From ea46a86ba6319ea98573c65af5186cd5399ab0ce Mon Sep 17 00:00:00 2001
+From: Yang Zhong <yang.zhong@intel.com>
+Date: Mon, 1 Nov 2021 12:20:07 -0400
+Subject: [PATCH 2/7] numa: Support SGX numa in the monitor and Libvirt
+ interfaces
+
+RH-Author: Paul Lai <None>
+RH-MergeRequest: 111: numa: Enable numa for SGX EPC sections
+RH-Commit: [2/5] 403c4f98dccd023293cd3246081ae12f4782bed0
+RH-Bugzilla: 1518984
+RH-Acked-by: Paolo Bonzini <None>
+RH-Acked-by: Bandan Das <None>
+RH-Acked-by: Cornelia Huck <cohuck@redhat.com>
+
+Add the SGXEPCSection list into SGXInfo to show the multiple
+SGX EPC sections detailed info, not the total size like before.
+This patch can enable numa support for 'info sgx' command and
+QMP interfaces. The new interfaces show each EPC section info
+in one numa node. Libvirt can use QMP interface to get the
+detailed host SGX EPC capabilities to decide how to allocate
+host EPC sections to guest.
+
+(qemu) info sgx
+ SGX support: enabled
+ SGX1 support: enabled
+ SGX2 support: enabled
+ FLC support: enabled
+ NUMA node #0: size=67108864
+ NUMA node #1: size=29360128
+
+The QMP interface show:
+(QEMU) query-sgx
+{"return": {"sgx": true, "sgx2": true, "sgx1": true, "sections": \
+[{"node": 0, "size": 67108864}, {"node": 1, "size": 29360128}], "flc": true}}
+
+(QEMU) query-sgx-capabilities
+{"return": {"sgx": true, "sgx2": true, "sgx1": true, "sections": \
+[{"node": 0, "size": 17070817280}, {"node": 1, "size": 17079205888}], "flc": true}}
+
+Signed-off-by: Yang Zhong <yang.zhong@intel.com>
+Message-Id: <20211101162009.62161-4-yang.zhong@intel.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 4755927ae12547c2e7cb22c5fa1b39038c6c11b1)
+Signed-off-by: Paul Lai <plai@redhat.com>
+---
+ hw/i386/sgx.c         | 51 +++++++++++++++++++++++++++++++++++--------
+ qapi/misc-target.json | 19 ++++++++++++++--
+ 2 files changed, 59 insertions(+), 11 deletions(-)
+
+diff --git a/hw/i386/sgx.c b/hw/i386/sgx.c
+index d04299904a..5de5dd0893 100644
+--- a/hw/i386/sgx.c
++++ b/hw/i386/sgx.c
+@@ -83,11 +83,13 @@ static uint64_t sgx_calc_section_metric(uint64_t low, uint64_t high)
+            ((high & MAKE_64BIT_MASK(0, 20)) << 32);
+ }
+ 
+-static uint64_t sgx_calc_host_epc_section_size(void)
++static SGXEPCSectionList *sgx_calc_host_epc_sections(void)
+ {
++    SGXEPCSectionList *head = NULL, **tail = &head;
++    SGXEPCSection *section;
+     uint32_t i, type;
+     uint32_t eax, ebx, ecx, edx;
+-    uint64_t size = 0;
++    uint32_t j = 0;
+ 
+     for (i = 0; i < SGX_MAX_EPC_SECTIONS; i++) {
+         host_cpuid(0x12, i + 2, &eax, &ebx, &ecx, &edx);
+@@ -101,10 +103,13 @@ static uint64_t sgx_calc_host_epc_section_size(void)
+             break;
+         }
+ 
+-        size += sgx_calc_section_metric(ecx, edx);
++        section = g_new0(SGXEPCSection, 1);
++        section->node = j++;
++        section->size = sgx_calc_section_metric(ecx, edx);
++        QAPI_LIST_APPEND(tail, section);
+     }
+ 
+-    return size;
++    return head;
+ }
+ 
+ static void sgx_epc_reset(void *opaque)
+@@ -168,13 +173,35 @@ SGXInfo *qmp_query_sgx_capabilities(Error **errp)
+     info->sgx1 = eax & (1U << 0) ? true : false;
+     info->sgx2 = eax & (1U << 1) ? true : false;
+ 
+-    info->section_size = sgx_calc_host_epc_section_size();
++    info->sections = sgx_calc_host_epc_sections();
+ 
+     close(fd);
+ 
+     return info;
+ }
+ 
++static SGXEPCSectionList *sgx_get_epc_sections_list(void)
++{
++    GSList *device_list = sgx_epc_get_device_list();
++    SGXEPCSectionList *head = NULL, **tail = &head;
++    SGXEPCSection *section;
++
++    for (; device_list; device_list = device_list->next) {
++        DeviceState *dev = device_list->data;
++        Object *obj = OBJECT(dev);
++
++        section = g_new0(SGXEPCSection, 1);
++        section->node = object_property_get_uint(obj, SGX_EPC_NUMA_NODE_PROP,
++                                                 &error_abort);
++        section->size = object_property_get_uint(obj, SGX_EPC_SIZE_PROP,
++                                                 &error_abort);
++        QAPI_LIST_APPEND(tail, section);
++    }
++    g_slist_free(device_list);
++
++    return head;
++}
++
+ SGXInfo *qmp_query_sgx(Error **errp)
+ {
+     SGXInfo *info = NULL;
+@@ -193,14 +220,13 @@ SGXInfo *qmp_query_sgx(Error **errp)
+         return NULL;
+     }
+ 
+-    SGXEPCState *sgx_epc = &pcms->sgx_epc;
+     info = g_new0(SGXInfo, 1);
+ 
+     info->sgx = true;
+     info->sgx1 = true;
+     info->sgx2 = true;
+     info->flc = true;
+-    info->section_size = sgx_epc->size;
++    info->sections = sgx_get_epc_sections_list();
+ 
+     return info;
+ }
+@@ -208,6 +234,7 @@ SGXInfo *qmp_query_sgx(Error **errp)
+ void hmp_info_sgx(Monitor *mon, const QDict *qdict)
+ {
+     Error *err = NULL;
++    SGXEPCSectionList *section_list, *section;
+     g_autoptr(SGXInfo) info = qmp_query_sgx(&err);
+ 
+     if (err) {
+@@ -222,8 +249,14 @@ void hmp_info_sgx(Monitor *mon, const QDict *qdict)
+                    info->sgx2 ? "enabled" : "disabled");
+     monitor_printf(mon, "FLC support: %s\n",
+                    info->flc ? "enabled" : "disabled");
+-    monitor_printf(mon, "size: %" PRIu64 "\n",
+-                   info->section_size);
++
++    section_list = info->sections;
++    for (section = section_list; section; section = section->next) {
++        monitor_printf(mon, "NUMA node #%" PRId64 ": ",
++                       section->value->node);
++        monitor_printf(mon, "size=%" PRIu64 "\n",
++                       section->value->size);
++    }
+ }
+ 
+ bool sgx_epc_get_section(int section_nr, uint64_t *addr, uint64_t *size)
+diff --git a/qapi/misc-target.json b/qapi/misc-target.json
+index 5aa2b95b7d..1022aa0184 100644
+--- a/qapi/misc-target.json
++++ b/qapi/misc-target.json
+@@ -337,6 +337,21 @@
+   'if': 'TARGET_ARM' }
+ 
+ 
++##
++# @SGXEPCSection:
++#
++# Information about intel SGX EPC section info
++#
++# @node: the numa node
++#
++# @size: the size of epc section
++#
++# Since: 6.2
++##
++{ 'struct': 'SGXEPCSection',
++  'data': { 'node': 'int',
++            'size': 'uint64'}}
++
+ ##
+ # @SGXInfo:
+ #
+@@ -350,7 +365,7 @@
+ #
+ # @flc: true if FLC is supported
+ #
+-# @section-size: The EPC section size for guest
++# @sections: The EPC sections info for guest
+ #
+ # Since: 6.2
+ ##
+@@ -359,7 +374,7 @@
+             'sgx1': 'bool',
+             'sgx2': 'bool',
+             'flc': 'bool',
+-            'section-size': 'uint64'},
++            'sections': ['SGXEPCSection']},
+    'if': 'TARGET_I386' }
+ 
+ ##
+-- 
+2.27.0
+
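Review bot: In `sgx_calc_host_epc_sections()` the value stored in `section->node` is the counter `j`, incremented once per EPC section found through CPUID leaf 0x12, not a NUMA node obtained from the host. `query-sgx-capabilities` nevertheless publishes it as `node`, and the new `SGXEPCSection` doc comment describes the field as "the numa node". The commit message expects libvirt to use this output when deciding how to place guest EPC, so a consumer could take a section ordinal for a host node id. Either fill the field from real host topology or state the meaning in the schema, for example `# @node: the numa node (for query-sgx-capabilities: index of the host EPC section)`, with a matching comment on the `section->node = j++;` line.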
diff --git a/SOURCES/kvm-pci-expose-TYPE_XIO3130_DOWNSTREAM-name.patch b/SOURCES/kvm-pci-expose-TYPE_XIO3130_DOWNSTREAM-name.patch
new file mode 100644
index 0000000..817f0ab
--- /dev/null
+++ b/SOURCES/kvm-pci-expose-TYPE_XIO3130_DOWNSTREAM-name.patch
@@ -0,0 +1,83 @@
+From 7998e8aa78caa35c2ab2da44f9e29e21d7548c61 Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Wed, 23 Mar 2022 13:21:40 -0400
+Subject: [PATCH 05/18] pci: expose TYPE_XIO3130_DOWNSTREAM name
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+RH-MergeRequest: 134: pci: expose TYPE_XIO3130_DOWNSTREAM name
+RH-Commit: [1/2] f09ddcaf686f22b545bf269f87787ebfc33fccda (jmaloy/qemu-kvm)
+RH-Bugzilla: 2062610
+RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
+RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
+
+BZ: https://bugzilla.redhat.com/2062610
+UPSTREAM: merged
+BREW: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=44038138
+
+commit c41481af9a5d0d463607cc45b45c510875570817
+Author: Igor Mammedov <imammedo@redhat.com>
+Date:   Tue Mar 1 10:11:58 2022 -0500
+
+    pci: expose TYPE_XIO3130_DOWNSTREAM name
+
+    Type name will be used in followup patch for cast check
+    in pcihp code.
+
+    Signed-off-by: Igor Mammedov <imammedo@redhat.com>
+    Message-Id: <20220301151200.3507298-2-imammedo@redhat.com>
+    Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+    Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+
+(cherry picked from commit c41481af9a5d0d463607cc45b45c510875570817)
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+---
+ hw/pci-bridge/xio3130_downstream.c         |  3 ++-
+ include/hw/pci-bridge/xio3130_downstream.h | 15 +++++++++++++++
+ 2 files changed, 17 insertions(+), 1 deletion(-)
+ create mode 100644 include/hw/pci-bridge/xio3130_downstream.h
+
+diff --git a/hw/pci-bridge/xio3130_downstream.c b/hw/pci-bridge/xio3130_downstream.c
+index 04aae72cd6..b17cafd359 100644
+--- a/hw/pci-bridge/xio3130_downstream.c
++++ b/hw/pci-bridge/xio3130_downstream.c
+@@ -28,6 +28,7 @@
+ #include "migration/vmstate.h"
+ #include "qapi/error.h"
+ #include "qemu/module.h"
++#include "hw/pci-bridge/xio3130_downstream.h"
+ 
+ #define PCI_DEVICE_ID_TI_XIO3130D       0x8233  /* downstream port */
+ #define XIO3130_REVISION                0x1
+@@ -173,7 +174,7 @@ static void xio3130_downstream_class_init(ObjectClass *klass, void *data)
+ }
+ 
+ static const TypeInfo xio3130_downstream_info = {
+-    .name          = "xio3130-downstream",
++    .name          = TYPE_XIO3130_DOWNSTREAM,
+     .parent        = TYPE_PCIE_SLOT,
+     .class_init    = xio3130_downstream_class_init,
+     .interfaces = (InterfaceInfo[]) {
+diff --git a/include/hw/pci-bridge/xio3130_downstream.h b/include/hw/pci-bridge/xio3130_downstream.h
+new file mode 100644
+index 0000000000..1d10139aea
+--- /dev/null
++++ b/include/hw/pci-bridge/xio3130_downstream.h
+@@ -0,0 +1,15 @@
++/*
++ * TI X3130 pci express downstream port switch
++ *
++ * Copyright (C) 2022 Igor Mammedov <imammedo@redhat.com>
++ *
++ * SPDX-License-Identifier: GPL-2.0-or-later
++ */
++
++#ifndef HW_PCI_BRIDGE_XIO3130_DOWNSTREAM_H
++#define HW_PCI_BRIDGE_XIO3130_DOWNSTREAM_H
++
++#define TYPE_XIO3130_DOWNSTREAM "xio3130-downstream"
++
++#endif
++
+-- 
+2.27.0
+
diff --git a/SOURCES/kvm-qapi-Cleanup-SGX-related-comments-and-restore-sectio.patch b/SOURCES/kvm-qapi-Cleanup-SGX-related-comments-and-restore-sectio.patch
new file mode 100644
index 0000000..5ef458c
--- /dev/null
+++ b/SOURCES/kvm-qapi-Cleanup-SGX-related-comments-and-restore-sectio.patch
@@ -0,0 +1,214 @@
+From d0cd7be4d347ebe118eb8f3f2fc2eb3e3eb77e3a Mon Sep 17 00:00:00 2001
+From: Yang Zhong <yang.zhong@intel.com>
+Date: Thu, 20 Jan 2022 17:31:04 -0500
+Subject: [PATCH 5/7] qapi: Cleanup SGX related comments and restore
+ @section-size
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Paul Lai <None>
+RH-MergeRequest: 111: numa: Enable numa for SGX EPC sections
+RH-Commit: [5/5] 497dbeaebb7b8f99f5f8a7de58000dcab0d0c22d
+RH-Bugzilla: 1518984
+RH-Acked-by: Paolo Bonzini <None>
+RH-Acked-by: Bandan Das <None>
+RH-Acked-by: Cornelia Huck <cohuck@redhat.com>
+
+The SGX NUMA patches were merged into Qemu 7.0 release, we need
+clarify detailed version history information and also change
+some related comments, which make SGX related comments clearer.
+
+The QMP command schema promises backwards compatibility as standard.
+We temporarily restore "@section-size", which can avoid incompatible
+API breakage. The "@section-size" will be deprecated in 7.2 version.
+
+Suggested-by: Daniel P. Berrangé <berrange@redhat.com>
+Signed-off-by: Yang Zhong <yang.zhong@intel.com>
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Message-Id: <20220120223104.437161-1-yang.zhong@intel.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit a66bd91f030827742778a9e0da19fe55716b4a60)
+Signed-off-by: Paul Lai <plai@redhat.com>
+---
+ docs/about/deprecated.rst | 13 +++++++++++++
+ hw/i386/sgx.c             | 11 +++++++++--
+ qapi/machine.json         |  4 ++--
+ qapi/misc-target.json     | 22 +++++++++++++++++-----
+ 4 files changed, 41 insertions(+), 9 deletions(-)
+
+diff --git a/docs/about/deprecated.rst b/docs/about/deprecated.rst
+index ff7488cb63..33925edf45 100644
+--- a/docs/about/deprecated.rst
++++ b/docs/about/deprecated.rst
+@@ -270,6 +270,19 @@ accepted incorrect commands will return an error. Users should make sure that
+ all arguments passed to ``device_add`` are consistent with the documented
+ property types.
+ 
++``query-sgx`` return value member ``section-size`` (since 7.0)
++''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
++
++Member ``section-size`` in return value elements with meta-type ``uint64`` is
++deprecated.  Use ``sections`` instead.
++
++
++``query-sgx-capabilities`` return value member ``section-size`` (since 7.0)
++'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
++
++Member ``section-size`` in return value elements with meta-type ``uint64`` is
++deprecated.  Use ``sections`` instead.
++
+ System accelerators
+ -------------------
+ 
+diff --git a/hw/i386/sgx.c b/hw/i386/sgx.c
+index 5de5dd0893..a2b318dd93 100644
+--- a/hw/i386/sgx.c
++++ b/hw/i386/sgx.c
+@@ -83,7 +83,7 @@ static uint64_t sgx_calc_section_metric(uint64_t low, uint64_t high)
+            ((high & MAKE_64BIT_MASK(0, 20)) << 32);
+ }
+ 
+-static SGXEPCSectionList *sgx_calc_host_epc_sections(void)
++static SGXEPCSectionList *sgx_calc_host_epc_sections(uint64_t *size)
+ {
+     SGXEPCSectionList *head = NULL, **tail = &head;
+     SGXEPCSection *section;
+@@ -106,6 +106,7 @@ static SGXEPCSectionList *sgx_calc_host_epc_sections(void)
+         section = g_new0(SGXEPCSection, 1);
+         section->node = j++;
+         section->size = sgx_calc_section_metric(ecx, edx);
++        *size += section->size;
+         QAPI_LIST_APPEND(tail, section);
+     }
+ 
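Review bot: The added `*size += section->size;` accumulates into the caller's variable without the helper ever resetting it, so the total is only correct when every caller passes a zeroed `uint64_t`. The one caller visible in this patch does that (`uint64_t size = 0;` in qmp_query_sgx_capabilities), but nothing in the helper enforces it. Setting `*size = 0;` before the loop would make the out-parameter self-contained, and a comment such as `/* @size: out, sum of the sizes of all host EPC sections */` above the function would document it. The body of sgx_calc_host_epc_sections() starts and ends outside this hunk.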
+@@ -156,6 +157,7 @@ SGXInfo *qmp_query_sgx_capabilities(Error **errp)
+ {
+     SGXInfo *info = NULL;
+     uint32_t eax, ebx, ecx, edx;
++    uint64_t size = 0;
+ 
+     int fd = qemu_open_old("/dev/sgx_vepc", O_RDWR);
+     if (fd < 0) {
+@@ -173,7 +175,8 @@ SGXInfo *qmp_query_sgx_capabilities(Error **errp)
+     info->sgx1 = eax & (1U << 0) ? true : false;
+     info->sgx2 = eax & (1U << 1) ? true : false;
+ 
+-    info->sections = sgx_calc_host_epc_sections();
++    info->sections = sgx_calc_host_epc_sections(&size);
++    info->section_size = size;
+ 
+     close(fd);
+ 
+@@ -220,12 +223,14 @@ SGXInfo *qmp_query_sgx(Error **errp)
+         return NULL;
+     }
+ 
++    SGXEPCState *sgx_epc = &pcms->sgx_epc;
+     info = g_new0(SGXInfo, 1);
+ 
+     info->sgx = true;
+     info->sgx1 = true;
+     info->sgx2 = true;
+     info->flc = true;
++    info->section_size = sgx_epc->size;
+     info->sections = sgx_get_epc_sections_list();
+ 
+     return info;
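Review bot: `SGXEPCState *sgx_epc = &pcms->sgx_epc;` is declared after the early-return statements, which QEMU's coding style discourages, and the local is used exactly once. Writing `info->section_size = pcms->sgx_epc.size;` drops the extra variable. Because `section-size` is kept only for backward compatibility, a short comment next to the assignment such as `/* deprecated member, kept for QMP compatibility; use sections */` would tell the next reader it can go when the member is removed. The start of qmp_query_sgx() is outside this hunk.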
+@@ -249,6 +254,8 @@ void hmp_info_sgx(Monitor *mon, const QDict *qdict)
+                    info->sgx2 ? "enabled" : "disabled");
+     monitor_printf(mon, "FLC support: %s\n",
+                    info->flc ? "enabled" : "disabled");
++    monitor_printf(mon, "size: %" PRIu64 "\n",
++                   info->section_size);
+ 
+     section_list = info->sections;
+     for (section = section_list; section; section = section->next) {
+diff --git a/qapi/machine.json b/qapi/machine.json
+index 16e771affc..a9f33d0f27 100644
+--- a/qapi/machine.json
++++ b/qapi/machine.json
+@@ -1207,7 +1207,7 @@
+ #
+ # @memdev: memory backend linked with device
+ #
+-# @node: the numa node
++# @node: the numa node (Since: 7.0)
+ #
+ # Since: 6.2
+ ##
+@@ -1288,7 +1288,7 @@
+ #
+ # @memdev: memory backend linked with device
+ #
+-# @node: the numa node
++# @node: the numa node (Since: 7.0)
+ #
+ # Since: 6.2
+ ##
+diff --git a/qapi/misc-target.json b/qapi/misc-target.json
+index 1022aa0184..4bc45d2474 100644
+--- a/qapi/misc-target.json
++++ b/qapi/misc-target.json
+@@ -344,9 +344,9 @@
+ #
+ # @node: the numa node
+ #
+-# @size: the size of epc section
++# @size: the size of EPC section
+ #
+-# Since: 6.2
++# Since: 7.0
+ ##
+ { 'struct': 'SGXEPCSection',
+   'data': { 'node': 'int',
+@@ -365,7 +365,13 @@
+ #
+ # @flc: true if FLC is supported
+ #
+-# @sections: The EPC sections info for guest
++# @section-size: The EPC section size for guest
++#                Redundant with @sections.  Just for backward compatibility.
++#
++# @sections: The EPC sections info for guest (Since: 7.0)
++#
++# Features:
++# @deprecated: Member @section-size is deprecated.  Use @sections instead.
+ #
+ # Since: 6.2
+ ##
+@@ -374,6 +380,8 @@
+             'sgx1': 'bool',
+             'sgx2': 'bool',
+             'flc': 'bool',
++            'section-size': { 'type': 'uint64',
++                    'features': [ 'deprecated' ] },
+             'sections': ['SGXEPCSection']},
+    'if': 'TARGET_I386' }
+ 
+@@ -390,7 +398,9 @@
+ #
+ # -> { "execute": "query-sgx" }
+ # <- { "return": { "sgx": true, "sgx1" : true, "sgx2" : true,
+-#                  "flc": true, "section-size" : 0 } }
++#                  "flc": true,  "section-size" : 96468992,
++#                  "sections": [{"node": 0, "size": 67108864},
++#                  {"node": 1, "size": 29360128}]} }
+ #
+ ##
+ { 'command': 'query-sgx', 'returns': 'SGXInfo', 'if': 'TARGET_I386' }
+@@ -408,7 +418,9 @@
+ #
+ # -> { "execute": "query-sgx-capabilities" }
+ # <- { "return": { "sgx": true, "sgx1" : true, "sgx2" : true,
+-#                  "flc": true, "section-size" : 0 } }
++#                  "flc": true, "section-size" : 96468992,
++#                  "section" : [{"node": 0, "size": 67108864},
++#                  {"node": 1, "size": 29360128}]} }
+ #
+ ##
+ { 'command': 'query-sgx-capabilities', 'returns': 'SGXInfo', 'if': 'TARGET_I386' }
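Review bot: The example reply for query-sgx-capabilities spells the list member `"section"`, but the SGXInfo struct earlier in this file defines it as `'sections'` and the query-sgx example in the previous hunk uses `"sections"`. A management application written from this example would look for a key that never appears in the reply. The added line should read `#                  "sections" : [{"node": 0, "size": 67108864},`.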
+-- 
+2.27.0
+
diff --git a/SOURCES/kvm-s390x-css-fix-PMCW-invalid-mask.patch b/SOURCES/kvm-s390x-css-fix-PMCW-invalid-mask.patch
new file mode 100644
index 0000000..959eea9
--- /dev/null
+++ b/SOURCES/kvm-s390x-css-fix-PMCW-invalid-mask.patch
@@ -0,0 +1,58 @@
+From f3125f6379cbc070e9acaf58d0ec37972992744b Mon Sep 17 00:00:00 2001
+From: Thomas Huth <thuth@redhat.com>
+Date: Wed, 6 Apr 2022 10:56:26 +0200
+Subject: [PATCH 4/5] s390x/css: fix PMCW invalid mask
+
+RH-Author: Thomas Huth <thuth@redhat.com>
+RH-MergeRequest: 145: s390x/css: fix PMCW invalid mask
+RH-Commit: [1/1] fbf192f651aa668af56ca5c77455595fcdb19508
+RH-Bugzilla: 2071070
+RH-Acked-by: Jon Maloy <jmaloy@redhat.com>
+RH-Acked-by: David Hildenbrand <david@redhat.com>
+RH-Acked-by: Cornelia Huck <cohuck@redhat.com>
+
+Bugzilla: http://bugzilla.redhat.com/2071070
+
+commit 2df59b73e0864f021f6179f32f7ed364f6d4f38d
+Author: Nico Boehr <nrb@linux.ibm.com>
+Date:   Thu Dec 16 14:16:57 2021 +0100
+
+    s390x/css: fix PMCW invalid mask
+
+    Previously, we required bits 5, 6 and 7 to be zero (0x07 == 0b111). But,
+    as per the principles of operation, bit 5 is ignored in MSCH and bits 0,
+    1, 6 and 7 need to be zero.
+
+    As both PMCW_FLAGS_MASK_INVALID and ioinst_schib_valid() are only used
+    by ioinst_handle_msch(), adjust the mask accordingly.
+
+    Fixes: db1c8f53bfb1 ("s390: Channel I/O basic definitions.")
+    Signed-off-by: Nico Boehr <nrb@linux.ibm.com>
+    Reviewed-by: Pierre Morel <pmorel@linux.ibm.com>
+    Reviewed-by: Halil Pasic <pasic@linux.ibm.com>
+    Reviewed-by: Janosch Frank <frankja@linux.ibm.com>
+    Reviewed-by: Cornelia Huck <cohuck@redhat.com>
+    Message-Id: <20211216131657.1057978-1-nrb@linux.ibm.com>
+    Signed-off-by: Thomas Huth <thuth@redhat.com>
+
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+---
+ include/hw/s390x/ioinst.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/hw/s390x/ioinst.h b/include/hw/s390x/ioinst.h
+index 3771fff9d4..ea8d0f2444 100644
+--- a/include/hw/s390x/ioinst.h
++++ b/include/hw/s390x/ioinst.h
+@@ -107,7 +107,7 @@ QEMU_BUILD_BUG_MSG(sizeof(PMCW) != 28, "size of PMCW is wrong");
+ #define PMCW_FLAGS_MASK_MP 0x0004
+ #define PMCW_FLAGS_MASK_TF 0x0002
+ #define PMCW_FLAGS_MASK_DNV 0x0001
+-#define PMCW_FLAGS_MASK_INVALID 0x0700
++#define PMCW_FLAGS_MASK_INVALID 0xc300
+ 
+ #define PMCW_CHARS_MASK_ST 0x00e00000
+ #define PMCW_CHARS_MASK_MBFC 0x00000004
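Review bot: `0xc300` is a bare constant whose meaning depends on the MSB-first bit numbering used in the commit message, and per that message it is the mask ioinst_schib_valid() applies on the MSCH path, so a wrong bit here silently changes which PMCW flags are accepted. A comment above the define would let a reader check it without redoing the conversion, for example `/* MSCH: bits 0, 1, 6 and 7 must be zero (bit 0 = 0x8000); bit 5 is ignored */`. The neighbouring masks are not affected.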
+-- 
+2.27.0
+
diff --git a/SOURCES/kvm-softmmu-fix-device-deletion-events-with-device-JSON-.patch b/SOURCES/kvm-softmmu-fix-device-deletion-events-with-device-JSON-.patch
new file mode 100644
index 0000000..c6fcf61
--- /dev/null
+++ b/SOURCES/kvm-softmmu-fix-device-deletion-events-with-device-JSON-.patch
@@ -0,0 +1,131 @@
+From afe1a63fe0cf863e024889edd82b9a380bfa8230 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Wed, 5 Jan 2022 12:38:47 +0000
+Subject: [PATCH 2/6] softmmu: fix device deletion events with -device JSON
+ syntax
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Kevin Wolf <kwolf@redhat.com>
+RH-MergeRequest: 103: Fix hot unplug of devices created with -device JSON syntax
+RH-Commit: [1/1] 64cbc78bcb46bdb24d5f589ceb5ad598c388e447
+RH-Bugzilla: 2033279
+RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+RH-Acked-by: Thomas Huth <thuth@redhat.com>
+RH-Acked-by: Jano Tomko <None>
+RH-Acked-by: Daniel P. Berrangé <berrange@redhat.com>
+
+The -device JSON syntax impl leaks a reference on the created
+DeviceState instance. As a result when you hot-unplug the
+device, the device_finalize method won't be called and thus
+it will fail to emit the required DEVICE_DELETED event.
+
+A 'json-cli' feature was previously added against the
+'device_add' QMP command QAPI schema to indicated to mgmt
+apps that -device supported JSON syntax. Given the hotplug
+bug that feature flag is not usable for its purpose, so
+we add a new 'json-cli-hotplug' feature to indicate the
+-device supports JSON without breaking hotplug.
+
+Fixes: 5dacda5167560b3af8eadbce5814f60ba44b467e
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/802
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+Message-Id: <20220105123847.4047954-2-berrange@redhat.com>
+Reviewed-by: Laurent Vivier <lvivier@redhat.com>
+Tested-by: Ján Tomko <jtomko@redhat.com>
+Reviewed-by: Thomas Huth <thuth@redhat.com>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+(cherry picked from commit 64b4529a432507ee84a924be69a03432639e87ba)
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+---
+ qapi/qdev.json                 |  5 ++++-
+ softmmu/vl.c                   |  4 +++-
+ tests/qtest/device-plug-test.c | 19 +++++++++++++++++++
+ 3 files changed, 26 insertions(+), 2 deletions(-)
+
+diff --git a/qapi/qdev.json b/qapi/qdev.json
+index 69656b14df..26cd10106b 100644
+--- a/qapi/qdev.json
++++ b/qapi/qdev.json
+@@ -44,6 +44,9 @@
+ # @json-cli: If present, the "-device" command line option supports JSON
+ #            syntax with a structure identical to the arguments of this
+ #            command.
++# @json-cli-hotplug: If present, the "-device" command line option supports JSON
++#                    syntax without the reference counting leak that broke
++#                    hot-unplug
+ #
+ # Notes:
+ #
+@@ -74,7 +77,7 @@
+ { 'command': 'device_add',
+   'data': {'driver': 'str', '*bus': 'str', '*id': 'str'},
+   'gen': false, # so we can get the additional arguments
+-  'features': ['json-cli'] }
++  'features': ['json-cli', 'json-cli-hotplug'] }
+ 
+ ##
+ # @device_del:
+diff --git a/softmmu/vl.c b/softmmu/vl.c
+index d46b8fb4ab..b3829e2edd 100644
+--- a/softmmu/vl.c
++++ b/softmmu/vl.c
+@@ -2690,6 +2690,7 @@ static void qemu_create_cli_devices(void)
+     qemu_opts_foreach(qemu_find_opts("device"),
+                       device_init_func, NULL, &error_fatal);
+     QTAILQ_FOREACH(opt, &device_opts, next) {
++        DeviceState *dev;
+         loc_push_restore(&opt->loc);
+         /*
+          * TODO Eventually we should call qmp_device_add() here to make sure it
+@@ -2698,7 +2699,8 @@ static void qemu_create_cli_devices(void)
+          * from the start, so call qdev_device_add_from_qdict() directly for
+          * now.
+          */
+-        qdev_device_add_from_qdict(opt->opts, true, &error_fatal);
++        dev = qdev_device_add_from_qdict(opt->opts, true, &error_fatal);
++        object_unref(OBJECT(dev));
+         loc_pop(&opt->loc);
+     }
+     rom_reset_order_override();
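Review bot: The new `object_unref(OBJECT(dev));` carries no comment saying who still owns the device, so on its own it reads like a premature release. A comment such as `/* Drop the reference returned by qdev_device_add_from_qdict(); keeping it would block finalize and the DEVICE_DELETED event on hot-unplug. */` would record the reason given in the commit message. The call also relies on `&error_fatal` terminating on failure, so `dev` is always a fully created device here. That assumption deserves a mention in case the TODO about switching to qmp_device_add() changes the error handling. qemu_create_cli_devices() begins outside this hunk.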
+diff --git a/tests/qtest/device-plug-test.c b/tests/qtest/device-plug-test.c
+index 559d47727a..ad79bd4c14 100644
+--- a/tests/qtest/device-plug-test.c
++++ b/tests/qtest/device-plug-test.c
+@@ -77,6 +77,23 @@ static void test_pci_unplug_request(void)
+     qtest_quit(qtest);
+ }
+ 
++static void test_pci_unplug_json_request(void)
++{
++    QTestState *qtest = qtest_initf(
++        "-device '{\"driver\": \"virtio-mouse-pci\", \"id\": \"dev0\"}'");
++
++    /*
++     * Request device removal. As the guest is not running, the request won't
++     * be processed. However during system reset, the removal will be
++     * handled, removing the device.
++     */
++    device_del(qtest, "dev0");
++    system_reset(qtest);
++    wait_device_deleted_event(qtest, "dev0");
++
++    qtest_quit(qtest);
++}
++
+ static void test_ccw_unplug(void)
+ {
+     QTestState *qtest = qtest_initf("-device virtio-balloon-ccw,id=dev0");
+@@ -145,6 +162,8 @@ int main(int argc, char **argv)
+      */
+     qtest_add_func("/device-plug/pci-unplug-request",
+                    test_pci_unplug_request);
++    qtest_add_func("/device-plug/pci-unplug-json-request",
++                   test_pci_unplug_json_request);
+ 
+     if (!strcmp(arch, "s390x")) {
+         qtest_add_func("/device-plug/ccw-unplug",
+-- 
+2.27.0
+
diff --git a/SOURCES/kvm-softmmu-physmem-Introduce-MemTxAttrs-memory-field-an.patch b/SOURCES/kvm-softmmu-physmem-Introduce-MemTxAttrs-memory-field-an.patch
new file mode 100644
index 0000000..519c48d
--- /dev/null
+++ b/SOURCES/kvm-softmmu-physmem-Introduce-MemTxAttrs-memory-field-an.patch
@@ -0,0 +1,175 @@
+From fe4e22b9ccf2eb55d61eccf5050fb7aeafb5fe20 Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Wed, 13 Apr 2022 14:51:06 -0400
+Subject: [PATCH 3/3] softmmu/physmem: Introduce MemTxAttrs::memory field and
+ MEMTX_ACCESS_ERROR
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+RH-MergeRequest: 151: hw/intc/arm_gicv3: Check for !MEMTX_OK instead of MEMTX_ERROR
+RH-Commit: [3/3] b1ebc1e99f21ba0b9eccb284e260b56c7a8e64d8 (jmaloy/qemu-kvm)
+RH-Bugzilla: 1999236
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Peter Xu <peterx@redhat.com>
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1999236
+Upstream: Merged
+CVE: CVE-2021-3750
+Conflicts: memalign.h has not been introduced in this version. Instead,
+           we include osdep.h where the function prototypes are to be
+           found.
+
+commit 3ab6fdc91b72e156da22848f0003ff4225690ced
+Author: Philippe Mathieu-Daudé <philmd@redhat.com>
+Date:   Wed Dec 15 19:24:21 2021 +0100
+
+    softmmu/physmem: Introduce MemTxAttrs::memory field and MEMTX_ACCESS_ERROR
+
+    Add the 'memory' bit to the memory attributes to restrict bus
+    controller accesses to memories.
+
+    Introduce flatview_access_allowed() to check bus permission
+    before running any bus transaction.
+
+    Have read/write accessors return MEMTX_ACCESS_ERROR if an access is
+    restricted.
+
+    There is no change for the default case where 'memory' is not set.
+
+    Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+    Message-Id: <20211215182421.418374-4-philmd@redhat.com>
+    Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+    Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+    [thuth: Replaced MEMTX_BUS_ERROR with MEMTX_ACCESS_ERROR, remove "inline"]
+    Signed-off-by: Thomas Huth <thuth@redhat.com>
+
+(cherry picked from commit 3ab6fdc91b72e156da22848f0003ff4225690ced)
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+---
+ include/exec/memattrs.h |  9 +++++++++
+ softmmu/physmem.c       | 45 +++++++++++++++++++++++++++++++++++++++--
+ 2 files changed, 52 insertions(+), 2 deletions(-)
+
+diff --git a/include/exec/memattrs.h b/include/exec/memattrs.h
+index 95f2d20d55..9fb98bc1ef 100644
+--- a/include/exec/memattrs.h
++++ b/include/exec/memattrs.h
+@@ -35,6 +35,14 @@ typedef struct MemTxAttrs {
+     unsigned int secure:1;
+     /* Memory access is usermode (unprivileged) */
+     unsigned int user:1;
++    /*
++     * Bus interconnect and peripherals can access anything (memories,
++     * devices) by default. By setting the 'memory' bit, bus transaction
++     * are restricted to "normal" memories (per the AMBA documentation)
++     * versus devices. Access to devices will be logged and rejected
++     * (see MEMTX_ACCESS_ERROR).
++     */
++    unsigned int memory:1;
+     /* Requester ID (for MSI for example) */
+     unsigned int requester_id:16;
+     /* Invert endianness for this page */
+@@ -66,6 +74,7 @@ typedef struct MemTxAttrs {
+ #define MEMTX_OK 0
+ #define MEMTX_ERROR             (1U << 0) /* device returned an error */
+ #define MEMTX_DECODE_ERROR      (1U << 1) /* nothing at that address */
++#define MEMTX_ACCESS_ERROR      (1U << 2) /* access denied */
+ typedef uint32_t MemTxResult;
+ 
+ #endif
+diff --git a/softmmu/physmem.c b/softmmu/physmem.c
+index 483a31be81..4d0ef5f92f 100644
+--- a/softmmu/physmem.c
++++ b/softmmu/physmem.c
+@@ -41,6 +41,8 @@
+ #include "qemu/config-file.h"
+ #include "qemu/error-report.h"
+ #include "qemu/qemu-print.h"
++#include "qemu/log.h"
++#include "qemu/osdep.h"
+ #include "exec/memory.h"
+ #include "exec/ioport.h"
+ #include "sysemu/dma.h"
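Review bot: `#include "qemu/osdep.h"` is added in the middle of the include list, whereas QEMU convention is that osdep.h is the first include of every .c file. If physmem.c already includes it at the top (not visible in this hunk), the new line has no effect. The Conflicts note in the patch header says it stands in for memalign.h. Either drop the line or add a comment such as `/* downstream: memalign.h does not exist yet, prototypes live in osdep.h */` so the next rebase knows why it is there.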
+@@ -2759,6 +2761,33 @@ static bool prepare_mmio_access(MemoryRegion *mr)
+     return release_lock;
+ }
+ 
++/**
++ * flatview_access_allowed
++ * @mr: #MemoryRegion to be accessed
++ * @attrs: memory transaction attributes
++ * @addr: address within that memory region
++ * @len: the number of bytes to access
++ *
++ * Check if a memory transaction is allowed.
++ *
++ * Returns: true if transaction is allowed, false if denied.
++ */
++static bool flatview_access_allowed(MemoryRegion *mr, MemTxAttrs attrs,
++                                    hwaddr addr, hwaddr len)
++{
++    if (likely(!attrs.memory)) {
++        return true;
++    }
++    if (memory_region_is_ram(mr)) {
++        return true;
++    }
++    qemu_log_mask(LOG_GUEST_ERROR,
++                  "Invalid access to non-RAM device at "
++                  "addr 0x%" HWADDR_PRIX ", size %" HWADDR_PRIu ", "
++                  "region '%s'\n", addr, len, memory_region_name(mr));
++    return false;
++}
++
+ /* Called within RCU critical section.  */
+ static MemTxResult flatview_write_continue(FlatView *fv, hwaddr addr,
+                                            MemTxAttrs attrs,
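Review bot: flatview_access_allowed() denies an access only when `attrs.memory` is set, and no hunk in this patch sets that bit, so the patch on its own changes nothing for existing DMA paths; the commit message says the same. Since the patch header lists CVE-2021-3750, the kernel-doc block should say that the check is opt-in, for example by adding ` * The check is a no-op unless the caller sets @attrs.memory.`. The denial is reported only through `qemu_log_mask(LOG_GUEST_ERROR, ...)`, so a rejected access leaves no trace unless that log category is enabled. Anyone relying on this for detection should be told so in the same comment.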
+@@ -2773,7 +2802,10 @@ static MemTxResult flatview_write_continue(FlatView *fv, hwaddr addr,
+     const uint8_t *buf = ptr;
+ 
+     for (;;) {
+-        if (!memory_access_is_direct(mr, true)) {
++        if (!flatview_access_allowed(mr, attrs, addr1, l)) {
++            result |= MEMTX_ACCESS_ERROR;
++            /* Keep going. */
++        } else if (!memory_access_is_direct(mr, true)) {
+             release_lock |= prepare_mmio_access(mr);
+             l = memory_access_size(mr, l, addr1);
+             /* XXX: could force current_cpu to NULL to avoid
+@@ -2818,6 +2850,9 @@ static MemTxResult flatview_write(FlatView *fv, hwaddr addr, MemTxAttrs attrs,
+ 
+     l = len;
+     mr = flatview_translate(fv, addr, &addr1, &l, true, attrs);
++    if (!flatview_access_allowed(mr, attrs, addr, len)) {
++        return MEMTX_ACCESS_ERROR;
++    }
+     return flatview_write_continue(fv, addr, attrs, buf, len,
+                                    addr1, l, mr);
+ }
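Review bot: This call passes the untranslated `addr` and the full `len`, while the kernel-doc for flatview_access_allowed() describes @addr as the address within the memory region and flatview_write_continue() passes `addr1, l`. The allow/deny decision does not use those arguments, but the "Invalid access to non-RAM device" log line will print an address-space address here and a region offset in the continue path. That inconsistency makes the message harder to use when tracing a denied access. `if (!flatview_access_allowed(mr, attrs, addr1, l)) {` keeps both call sites consistent. The same applies to the flatview_read() hunk further down.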
+@@ -2836,7 +2871,10 @@ MemTxResult flatview_read_continue(FlatView *fv, hwaddr addr,
+ 
+     fuzz_dma_read_cb(addr, len, mr);
+     for (;;) {
+-        if (!memory_access_is_direct(mr, false)) {
++        if (!flatview_access_allowed(mr, attrs, addr1, l)) {
++            result |= MEMTX_ACCESS_ERROR;
++            /* Keep going. */
++        } else if (!memory_access_is_direct(mr, false)) {
+             /* I/O case */
+             release_lock |= prepare_mmio_access(mr);
+             l = memory_access_size(mr, l, addr1);
+@@ -2879,6 +2917,9 @@ static MemTxResult flatview_read(FlatView *fv, hwaddr addr,
+ 
+     l = len;
+     mr = flatview_translate(fv, addr, &addr1, &l, false, attrs);
++    if (!flatview_access_allowed(mr, attrs, addr, len)) {
++        return MEMTX_ACCESS_ERROR;
++    }
+     return flatview_read_continue(fv, addr, attrs, buf, len,
+                                   addr1, l, mr);
+ }
+-- 
+2.27.0
+
diff --git a/SOURCES/kvm-softmmu-physmem-Simplify-flatview_write-and-address_.patch b/SOURCES/kvm-softmmu-physmem-Simplify-flatview_write-and-address_.patch
new file mode 100644
index 0000000..62f7037
--- /dev/null
+++ b/SOURCES/kvm-softmmu-physmem-Simplify-flatview_write-and-address_.patch
@@ -0,0 +1,80 @@
+From 916423392b46167c6683b0240610bb5a745590da Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Wed, 13 Apr 2022 14:51:06 -0400
+Subject: [PATCH 2/3] softmmu/physmem: Simplify flatview_write and
+ address_space_access_valid
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+RH-MergeRequest: 151: hw/intc/arm_gicv3: Check for !MEMTX_OK instead of MEMTX_ERROR
+RH-Commit: [2/3] daabe41eefd5c519def592e374fa368e32a680d3 (jmaloy/qemu-kvm)
+RH-Bugzilla: 1999236
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Peter Xu <peterx@redhat.com>
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1999236
+Upstream: Merged
+CVE: CVE-2021-3750
+
+commit 58e74682baf4e1ad26b064d8c02e5bc99c75c5d9
+Author: Philippe Mathieu-Daudé <philmd@redhat.com>
+Date:   Wed Dec 15 19:24:20 2021 +0100
+
+    softmmu/physmem: Simplify flatview_write and address_space_access_valid
+
+    Remove unuseful local 'result' variables.
+
+    Reviewed-by: Peter Xu <peterx@redhat.com>
+    Reviewed-by: David Hildenbrand <david@redhat.com>
+    Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
+    Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+    Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+    Message-Id: <20211215182421.418374-3-philmd@redhat.com>
+    Signed-off-by: Thomas Huth <thuth@redhat.com>
+
+(cherry picked from commit 58e74682baf4e1ad26b064d8c02e5bc99c75c5d9)
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+---
+ softmmu/physmem.c | 11 +++--------
+ 1 file changed, 3 insertions(+), 8 deletions(-)
+
+diff --git a/softmmu/physmem.c b/softmmu/physmem.c
+index 3524c04c2a..483a31be81 100644
+--- a/softmmu/physmem.c
++++ b/softmmu/physmem.c
+@@ -2815,14 +2815,11 @@ static MemTxResult flatview_write(FlatView *fv, hwaddr addr, MemTxAttrs attrs,
+     hwaddr l;
+     hwaddr addr1;
+     MemoryRegion *mr;
+-    MemTxResult result = MEMTX_OK;
+ 
+     l = len;
+     mr = flatview_translate(fv, addr, &addr1, &l, true, attrs);
+-    result = flatview_write_continue(fv, addr, attrs, buf, len,
+-                                     addr1, l, mr);
+-
+-    return result;
++    return flatview_write_continue(fv, addr, attrs, buf, len,
++                                   addr1, l, mr);
+ }
+ 
+ /* Called within RCU critical section.  */
+@@ -3119,12 +3116,10 @@ bool address_space_access_valid(AddressSpace *as, hwaddr addr,
+                                 MemTxAttrs attrs)
+ {
+     FlatView *fv;
+-    bool result;
+ 
+     RCU_READ_LOCK_GUARD();
+     fv = address_space_to_flatview(as);
+-    result = flatview_access_valid(fv, addr, len, is_write, attrs);
+-    return result;
++    return flatview_access_valid(fv, addr, len, is_write, attrs);
+ }
+ 
+ static hwaddr
+-- 
+2.27.0
+
diff --git a/SOURCES/kvm-tests-acpi-SLIC-update-expected-blobs.patch b/SOURCES/kvm-tests-acpi-SLIC-update-expected-blobs.patch
new file mode 100644
index 0000000..4d5fc35
--- /dev/null
+++ b/SOURCES/kvm-tests-acpi-SLIC-update-expected-blobs.patch
@@ -0,0 +1,47 @@
+From 0f5984bd89d481bf2494d4b3c36ef80350f44811 Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Wed, 30 Mar 2022 14:52:34 -0400
+Subject: [PATCH 12/18] tests: acpi: SLIC: update expected blobs
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+RH-MergeRequest: 141: acpi: fix QEMU crash when started with SLIC table
+RH-Commit: [4/10] ca28e5c57f9eb432e5ad6b1cb7ef646a86890dd5 (jmaloy/qemu-kvm)
+RH-Bugzilla: 2062611
+RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2062611
+Upstream: Merged
+
+commit c8adb4d222c42951a9d0367e5f5d4e1f5e2c9ad7
+Author: Igor Mammedov <imammedo@redhat.com>
+Date:   Mon Dec 27 14:31:20 2021 -0500
+
+    tests: acpi: SLIC: update expected blobs
+
+    Signed-off-by: Igor Mammedov <imammedo@redhat.com>
+    Message-Id: <20211227193120.1084176-5-imammedo@redhat.com>
+    Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+    Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+
+(cherry picked from commit c8adb4d222c42951a9d0367e5f5d4e1f5e2c9ad7)
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+---
+ tests/data/acpi/q35/FACP.slic               | Bin 244 -> 244 bytes
+ tests/data/acpi/q35/SLIC.slic               | Bin 0 -> 36 bytes
+ tests/qtest/bios-tables-test-allowed-diff.h |   2 --
+ 3 files changed, 2 deletions(-)
+
+literal 0
+HcmV?d00001
+
+diff --git a/tests/qtest/bios-tables-test-allowed-diff.h b/tests/qtest/bios-tables-test-allowed-diff.h
+index 49dbf8fa3e..dfb8523c8b 100644
+--- a/tests/qtest/bios-tables-test-allowed-diff.h
++++ b/tests/qtest/bios-tables-test-allowed-diff.h
+@@ -1,3 +1 @@
+ /* List of comma-separated changed AML files to ignore */
+-"tests/data/acpi/q35/FACP.slic",
+-"tests/data/acpi/q35/SLIC.slic",
+-- 
+2.27.0
+
diff --git a/SOURCES/kvm-tests-acpi-add-SLIC-table-test.patch b/SOURCES/kvm-tests-acpi-add-SLIC-table-test.patch
new file mode 100644
index 0000000..9e54a7f
--- /dev/null
+++ b/SOURCES/kvm-tests-acpi-add-SLIC-table-test.patch
@@ -0,0 +1,76 @@
+From 341715473c2a71f11a3888420a0caecf27ed4eb5 Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Wed, 30 Mar 2022 14:52:34 -0400
+Subject: [PATCH 11/18] tests: acpi: add SLIC table test
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+RH-MergeRequest: 141: acpi: fix QEMU crash when started with SLIC table
+RH-Commit: [3/10] baac9b82c16a50eb4640fd7146775c9d507c7b21 (jmaloy/qemu-kvm)
+RH-Bugzilla: 2062611
+RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2062611
+Upstream: Merged
+
+commit 11edfabee443b149468a82b5efc88c96d1d259ec
+Author: Igor Mammedov <imammedo@redhat.com>
+Date:   Mon Dec 27 14:31:19 2021 -0500
+
+    tests: acpi: add SLIC table test
+
+    When user uses '-acpitable' to add SLIC table, some ACPI
+    tables (FADT) will change its 'Oem ID'/'Oem Table ID' fields to
+    match that of SLIC. Test makes sure thati QEMU handles
+    those fields correctly when SLIC table is added with
+    '-acpitable' option.
+
+    Conflicts: tests/qtest/bios-tables-test.c
+     due to missing 39d7554b2009 ("tests/acpi: add test case for VIOT")
+
+    Signed-off-by: Igor Mammedov <imammedo@redhat.com>
+    Message-Id: <20211227193120.1084176-4-imammedo@redhat.com>
+    Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+    Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+
+(cherry picked from commit 11edfabee443b149468a82b5efc88c96d1d259ec)
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+---
+ tests/qtest/bios-tables-test.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/tests/qtest/bios-tables-test.c b/tests/qtest/bios-tables-test.c
+index 16d8304cde..e159b71136 100644
+--- a/tests/qtest/bios-tables-test.c
++++ b/tests/qtest/bios-tables-test.c
+@@ -1467,6 +1467,20 @@ static void test_acpi_virt_tcg(void)
+     free_test_data(&data);
+ }
+ 
++static void test_acpi_q35_slic(void)
++{
++    test_data data = {
++        .machine = MACHINE_Q35,
++        .variant = ".slic",
++    };
++
++    test_acpi_one("-acpitable sig=SLIC,oem_id='CRASH ',oem_table_id='ME',"
++                  "oem_rev=00002210,asl_compiler_id='qemu',"
++                  "asl_compiler_rev=00000000,data=/dev/null",
++                  &data);
++    free_test_data(&data);
++}
++
+ static void test_oem_fields(test_data *data)
+ {
+     int i;
+@@ -1641,6 +1655,7 @@ int main(int argc, char *argv[])
+             qtest_add_func("acpi/q35/kvm/xapic", test_acpi_q35_kvm_xapic);
+             qtest_add_func("acpi/q35/kvm/dmar", test_acpi_q35_kvm_dmar);
+         }
++        qtest_add_func("acpi/q35/slic", test_acpi_q35_slic);
+     } else if (strcmp(arch, "aarch64") == 0) {
+         if (has_tcg) {
+             qtest_add_func("acpi/virt", test_acpi_virt_tcg);
+-- 
+2.27.0
+
diff --git a/SOURCES/kvm-tests-acpi-manually-pad-OEM_ID-OEM_TABLE_ID-for-test.patch b/SOURCES/kvm-tests-acpi-manually-pad-OEM_ID-OEM_TABLE_ID-for-test.patch
new file mode 100644
index 0000000..05a6838
--- /dev/null
+++ b/SOURCES/kvm-tests-acpi-manually-pad-OEM_ID-OEM_TABLE_ID-for-test.patch
@@ -0,0 +1,84 @@
+From d94b3278c84cf7451489631d804a6b5cbd28a59d Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Wed, 30 Mar 2022 14:52:34 -0400
+Subject: [PATCH 13/18] tests: acpi: manually pad OEM_ID/OEM_TABLE_ID for
+ test_oem_fields() test
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+RH-MergeRequest: 141: acpi: fix QEMU crash when started with SLIC table
+RH-Commit: [5/10] 4ec8c738acec178c2f005f189b0c2a77a7af4088 (jmaloy/qemu-kvm)
+RH-Bugzilla: 2062611
+RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2062611
+Upstream: Merged
+
+commit a849522f726767022203ef2b6c395ea19facb866
+Author: Igor Mammedov <imammedo@redhat.com>
+Date:   Wed Jan 12 08:03:29 2022 -0500
+
+    tests: acpi: manually pad OEM_ID/OEM_TABLE_ID for test_oem_fields() test
+
+    The next commit will revert OEM fields padding with whitespace to
+    padding with '\0' as it was before [1]. As result test_oem_fields() will
+    fail due to unexpectedly smaller ID sizes read from QEMU ACPI tables.
+
+    Pad OEM_ID/OEM_TABLE_ID manually with spaces so that values the test
+    puts on QEMU CLI and expected values match.
+
+    1) 602b458201 ("acpi: Permit OEM ID and OEM table ID fields to be changed")
+    Signed-off-by: Igor Mammedov <imammedo@redhat.com>
+    Message-Id: <20220112130332.1648664-2-imammedo@redhat.com>
+    Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+    Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+
+(cherry picked from commit a849522f726767022203ef2b6c395ea19facb866)
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+---
+ tests/qtest/bios-tables-test.c | 15 ++++++---------
+ 1 file changed, 6 insertions(+), 9 deletions(-)
+
+diff --git a/tests/qtest/bios-tables-test.c b/tests/qtest/bios-tables-test.c
+index e159b71136..348fdbd202 100644
+--- a/tests/qtest/bios-tables-test.c
++++ b/tests/qtest/bios-tables-test.c
+@@ -71,9 +71,10 @@
+ 
+ #define ACPI_REBUILD_EXPECTED_AML "TEST_ACPI_REBUILD_AML"
+ 
+-#define OEM_ID             "TEST"
+-#define OEM_TABLE_ID       "OEM"
+-#define OEM_TEST_ARGS      "-machine x-oem-id="OEM_ID",x-oem-table-id="OEM_TABLE_ID
++#define OEM_ID             "TEST  "
++#define OEM_TABLE_ID       "OEM     "
++#define OEM_TEST_ARGS      "-machine x-oem-id='" OEM_ID "',x-oem-table-id='" \
++                           OEM_TABLE_ID "'"
+ 
+ typedef struct {
+     bool tcg_only;
+@@ -1484,11 +1485,7 @@ static void test_acpi_q35_slic(void)
+ static void test_oem_fields(test_data *data)
+ {
+     int i;
+-    char oem_id[6];
+-    char oem_table_id[8];
+ 
+-    strpadcpy(oem_id, sizeof oem_id, OEM_ID, ' ');
+-    strpadcpy(oem_table_id, sizeof oem_table_id, OEM_TABLE_ID, ' ');
+     for (i = 0; i < data->tables->len; ++i) {
+         AcpiSdtTable *sdt;
+ 
+@@ -1498,8 +1495,8 @@ static void test_oem_fields(test_data *data)
+             continue;
+         }
+ 
+-        g_assert(memcmp(sdt->aml + 10, oem_id, 6) == 0);
+-        g_assert(memcmp(sdt->aml + 16, oem_table_id, 8) == 0);
++        g_assert(memcmp(sdt->aml + 10, OEM_ID, 6) == 0);
++        g_assert(memcmp(sdt->aml + 16, OEM_TABLE_ID, 8) == 0);
+     }
+ }
+ 
+-- 
+2.27.0
+
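Review bot: In test_oem_fields() the new `memcmp(sdt->aml + 10, OEM_ID, 6)` and `memcmp(sdt->aml + 16, OEM_TABLE_ID, 8)` read a fixed 6 and 8 bytes straight out of the string literals, and nothing ties those counts to the macro lengths. If either macro is later shortened by more than one character, the comparison reads past the end of the literal. A compile-time guard next to the defines would pin this, for example `QEMU_BUILD_BUG_ON(sizeof(OEM_ID) - 1 != 6);` and `QEMU_BUILD_BUG_ON(sizeof(OEM_TABLE_ID) - 1 != 8);`. A short comment naming 10 and 16 as the OEM ID and OEM Table ID offsets in the ACPI table header would also help. The loop body is only partly visible in these hunks.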
diff --git a/SOURCES/kvm-tests-acpi-test-short-OEM_ID-OEM_TABLE_ID-values-in-.patch b/SOURCES/kvm-tests-acpi-test-short-OEM_ID-OEM_TABLE_ID-values-in-.patch
new file mode 100644
index 0000000..66d62e5
--- /dev/null
+++ b/SOURCES/kvm-tests-acpi-test-short-OEM_ID-OEM_TABLE_ID-values-in-.patch
@@ -0,0 +1,77 @@
+From 485bf2eb8edabd4553d995d5e32224df1e510aa2 Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Wed, 30 Mar 2022 14:52:34 -0400
+Subject: [PATCH 17/18] tests: acpi: test short OEM_ID/OEM_TABLE_ID values in
+ test_oem_fields()
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+RH-MergeRequest: 141: acpi: fix QEMU crash when started with SLIC table
+RH-Commit: [9/10] 31339223fb6c6cc32185b9fdaac76f2709b17ad6 (jmaloy/qemu-kvm)
+RH-Bugzilla: 2062611
+RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2062611
+Upstream: Merged
+
+commit 408ca92634770de5eac7965ed97c6260e770f2e7
+Author: Igor Mammedov <imammedo@redhat.com>
+Date:   Fri Jan 14 09:26:41 2022 -0500
+
+    tests: acpi: test short OEM_ID/OEM_TABLE_ID values in test_oem_fields()
+
+    Previous patch [1] added explicit whitespace padding to OEM_ID/OEM_TABLE_ID
+    values used in test_oem_fields() testcase to avoid false positive and
+    bisection issues when QEMU is switched to \0' padding. As result
+    testcase ceased to test values that were shorter than max possible
+    length values.
+
+    Update testcase to make sure that it's testing shorter IDs like it
+    used to before [2].
+
+    1) "tests: acpi: manually pad OEM_ID/OEM_TABLE_ID for  test_oem_fields() test"
+    2) 602b458201 ("acpi: Permit OEM ID and OEM table ID fields to be changed")
+
+    Signed-off-by: Igor Mammedov <imammedo@redhat.com>
+    Message-Id: <20220114142641.1727679-1-imammedo@redhat.com>
+    Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+    Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+
+(cherry picked from commit 408ca92634770de5eac7965ed97c6260e770f2e7)
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+---
+ tests/qtest/bios-tables-test.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/tests/qtest/bios-tables-test.c b/tests/qtest/bios-tables-test.c
+index 348fdbd202..515a647490 100644
+--- a/tests/qtest/bios-tables-test.c
++++ b/tests/qtest/bios-tables-test.c
+@@ -71,10 +71,10 @@
+ 
+ #define ACPI_REBUILD_EXPECTED_AML "TEST_ACPI_REBUILD_AML"
+ 
+-#define OEM_ID             "TEST  "
+-#define OEM_TABLE_ID       "OEM     "
+-#define OEM_TEST_ARGS      "-machine x-oem-id='" OEM_ID "',x-oem-table-id='" \
+-                           OEM_TABLE_ID "'"
++#define OEM_ID             "TEST"
++#define OEM_TABLE_ID       "OEM"
++#define OEM_TEST_ARGS      "-machine x-oem-id=" OEM_ID ",x-oem-table-id=" \
++                           OEM_TABLE_ID
+ 
+ typedef struct {
+     bool tcg_only;
+@@ -1495,8 +1495,8 @@ static void test_oem_fields(test_data *data)
+             continue;
+         }
+ 
+-        g_assert(memcmp(sdt->aml + 10, OEM_ID, 6) == 0);
+-        g_assert(memcmp(sdt->aml + 16, OEM_TABLE_ID, 8) == 0);
++        g_assert(strncmp((char *)sdt->aml + 10, OEM_ID, 6) == 0);
++        g_assert(strncmp((char *)sdt->aml + 16, OEM_TABLE_ID, 8) == 0);
+     }
+ }
+ 
+-- 
+2.27.0
+
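Review bot: The switch to `strncmp(..., OEM_ID, 6)` and `strncmp(..., OEM_TABLE_ID, 8)` in test_oem_fields() stops comparing at the literal's terminating NUL, so with "TEST" and "OEM" only the first pad byte of each field is checked. The remaining bytes of the 6- and 8-byte fields could hold anything and the test would still pass, which is weaker than the '\0' padding the series says it restores. Comparing against fixed-size, zero-filled expectations covers the whole field: declare `char oem_id[6] = OEM_ID;` (and `char oem_table_id[8] = OEM_TABLE_ID;`) and assert `g_assert(memcmp(sdt->aml + 10, oem_id, sizeof oem_id) == 0);`, likewise for the table ID at offset 16. The function starts outside this hunk.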
diff --git a/SOURCES/kvm-tests-acpi-update-expected-blobs.patch b/SOURCES/kvm-tests-acpi-update-expected-blobs.patch
new file mode 100644
index 0000000..8f300c4
--- /dev/null
+++ b/SOURCES/kvm-tests-acpi-update-expected-blobs.patch
@@ -0,0 +1,58 @@
+From 4785d2a77fbea681975e5c48ae6a1be49058e089 Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Wed, 30 Mar 2022 14:52:34 -0400
+Subject: [PATCH 16/18] tests: acpi: update expected blobs
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+RH-MergeRequest: 141: acpi: fix QEMU crash when started with SLIC table
+RH-Commit: [8/10] e069c5de88f34393d65d32b60380865832820302 (jmaloy/qemu-kvm)
+RH-Bugzilla: 2062611
+RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2062611
+Upstream: Merged
+
+commit 5adc3aba875416b0e077d8a29ddd0357883746f4
+Author: Igor Mammedov <imammedo@redhat.com>
+Date:   Wed Jan 12 08:03:32 2022 -0500
+
+    tests: acpi: update expected blobs
+
+    Expected changes caused by previous commit:
+
+    nvdimm ssdt (q35/pc/virt):
+      - *     OEM Table ID     "NVDIMM  "
+      + *     OEM Table ID     "NVDIMM"
+
+    SLIC test FADT (tests/data/acpi/q35/FACP.slic):
+      -[010h 0016   8]                 Oem Table ID : "ME      "
+      +[010h 0016   8]                 Oem Table ID : "ME"
+
+    Signed-off-by: Igor Mammedov <imammedo@redhat.com>
+    Message-Id: <20220112130332.1648664-5-imammedo@redhat.com>
+    Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+    Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+
+(cherry picked from commit 5adc3aba875416b0e077d8a29ddd0357883746f4)
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+---
+ tests/data/acpi/pc/SSDT.dimmpxm             | Bin 734 -> 734 bytes
+ tests/data/acpi/q35/FACP.slic               | Bin 244 -> 244 bytes
+ tests/data/acpi/q35/SSDT.dimmpxm            | Bin 734 -> 734 bytes
+ tests/data/acpi/virt/SSDT.memhp             | Bin 736 -> 736 bytes
+ tests/qtest/bios-tables-test-allowed-diff.h |   4 ----
+ 5 files changed, 4 deletions(-)
+
+diff --git a/tests/qtest/bios-tables-test-allowed-diff.h b/tests/qtest/bios-tables-test-allowed-diff.h
+index 7faa8f53be..dfb8523c8b 100644
+--- a/tests/qtest/bios-tables-test-allowed-diff.h
++++ b/tests/qtest/bios-tables-test-allowed-diff.h
+@@ -1,5 +1 @@
+ /* List of comma-separated changed AML files to ignore */
+-"tests/data/acpi/virt/SSDT.memhp",
+-"tests/data/acpi/pc/SSDT.dimmpxm",
+-"tests/data/acpi/q35/SSDT.dimmpxm",
+-"tests/data/acpi/q35/FACP.slic",
+-- 
+2.27.0
+
diff --git a/SOURCES/kvm-tests-acpi-whitelist-expected-blobs-before-changing-.patch b/SOURCES/kvm-tests-acpi-whitelist-expected-blobs-before-changing-.patch
new file mode 100644
index 0000000..4a1b350
--- /dev/null
+++ b/SOURCES/kvm-tests-acpi-whitelist-expected-blobs-before-changing-.patch
@@ -0,0 +1,47 @@
+From 4e6482073df85db5982aa03ab0355e632b7157fc Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Wed, 30 Mar 2022 14:52:34 -0400
+Subject: [PATCH 10/18] tests: acpi: whitelist expected blobs before changing
+ them
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+RH-MergeRequest: 141: acpi: fix QEMU crash when started with SLIC table
+RH-Commit: [2/10] c664ecad30ca9c13025a63bb31ae7b80fd63e4df (jmaloy/qemu-kvm)
+RH-Bugzilla: 2062611
+RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2062611
+Upstream: Merged
+
+commit e71f6ab9d93a7d01e833647e7010c1079c4cef30
+Author: Igor Mammedov <imammedo@redhat.com>
+Date:   Mon Dec 27 14:31:18 2021 -0500
+
+    tests: acpi: whitelist expected blobs before changing them
+
+    Signed-off-by: Igor Mammedov <imammedo@redhat.com>
+    Message-Id: <20211227193120.1084176-3-imammedo@redhat.com>
+    Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+    Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+
+(cherry picked from commit e71f6ab9d93a7d01e833647e7010c1079c4cef30)
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+---
+ tests/data/acpi/q35/FACP.slic               | Bin 0 -> 244 bytes
+ tests/data/acpi/q35/SLIC.slic               |   0
+ tests/qtest/bios-tables-test-allowed-diff.h |   2 ++
+ 3 files changed, 2 insertions(+)
+ create mode 100644 tests/data/acpi/q35/FACP.slic
+ create mode 100644 tests/data/acpi/q35/SLIC.slic
+
+diff --git a/tests/qtest/bios-tables-test-allowed-diff.h b/tests/qtest/bios-tables-test-allowed-diff.h
+index dfb8523c8b..49dbf8fa3e 100644
+--- a/tests/qtest/bios-tables-test-allowed-diff.h
++++ b/tests/qtest/bios-tables-test-allowed-diff.h
+@@ -1 +1,3 @@
+ /* List of comma-separated changed AML files to ignore */
++"tests/data/acpi/q35/FACP.slic",
++"tests/data/acpi/q35/SLIC.slic",
+-- 
+2.27.0
+
diff --git a/SOURCES/kvm-tests-acpi-whitelist-nvdimm-s-SSDT-and-FACP.slic-exp.patch b/SOURCES/kvm-tests-acpi-whitelist-nvdimm-s-SSDT-and-FACP.slic-exp.patch
new file mode 100644
index 0000000..30289c7
--- /dev/null
+++ b/SOURCES/kvm-tests-acpi-whitelist-nvdimm-s-SSDT-and-FACP.slic-exp.patch
@@ -0,0 +1,57 @@
+From a132a22e316121cf00ff733afb1ad1dc313e14b3 Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Wed, 30 Mar 2022 14:52:34 -0400
+Subject: [PATCH 14/18] tests: acpi: whitelist nvdimm's SSDT and FACP.slic
+ expected blobs
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+RH-MergeRequest: 141: acpi: fix QEMU crash when started with SLIC table
+RH-Commit: [6/10] 3f3a929cde82f228da1e4bc66e4c869467c0289c (jmaloy/qemu-kvm)
+RH-Bugzilla: 2062611
+RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2062611
+Upstream: Merged
+
+commit d1e4a4654154925eddf0fc449fa9c92b806b9c8c
+Author: Igor Mammedov <imammedo@redhat.com>
+Date:   Wed Jan 12 08:03:30 2022 -0500
+
+    tests: acpi: whitelist nvdimm's SSDT and FACP.slic expected blobs
+
+    The next commit will revert OEM fields whitespace padding to
+    padding with '\0' as it was before [1]. That will change OEM
+    Table ID for:
+      * SSDT.*: where it was padded from 6 characters to 8
+      * FACP.slic: where it was padded from 2 characters to 8
+    after reverting whitespace padding, it will be replaced with
+    '\0' which effectively will shorten OEM table ID to 6 and 2
+    characters.
+
+    Whitelist affected tables before introducing the change.
+
+    1) 602b458201 ("acpi: Permit OEM ID and OEM table ID fields to be changed")
+    Signed-off-by: Igor Mammedov <imammedo@redhat.com>
+    Message-Id: <20220112130332.1648664-3-imammedo@redhat.com>
+    Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+    Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+
+(cherry picked from commit d1e4a4654154925eddf0fc449fa9c92b806b9c8c)
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+---
+ tests/qtest/bios-tables-test-allowed-diff.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/tests/qtest/bios-tables-test-allowed-diff.h b/tests/qtest/bios-tables-test-allowed-diff.h
+index dfb8523c8b..7faa8f53be 100644
+--- a/tests/qtest/bios-tables-test-allowed-diff.h
++++ b/tests/qtest/bios-tables-test-allowed-diff.h
+@@ -1 +1,5 @@
+ /* List of comma-separated changed AML files to ignore */
++"tests/data/acpi/virt/SSDT.memhp",
++"tests/data/acpi/pc/SSDT.dimmpxm",
++"tests/data/acpi/q35/SSDT.dimmpxm",
++"tests/data/acpi/q35/FACP.slic",
+-- 
+2.27.0
+
diff --git a/SOURCES/kvm-vhost-vsock-detach-the-virqueue-element-in-case-of-e.patch b/SOURCES/kvm-vhost-vsock-detach-the-virqueue-element-in-case-of-e.patch
new file mode 100644
index 0000000..50013c9
--- /dev/null
+++ b/SOURCES/kvm-vhost-vsock-detach-the-virqueue-element-in-case-of-e.patch
@@ -0,0 +1,76 @@
+From ff4e95d8652dadfed09913c7968514a2a7f36591 Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@rehat.com>
+Date: Thu, 14 Apr 2022 10:38:26 -0400
+Subject: [PATCH 2/2] vhost-vsock: detach the virqueue element in case of error
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+RH-MergeRequest: 153: vhost-vsock: detach the virqueue element in case of error
+RH-Commit: [1/1] 024dbc9073fddbe89a8ae8eb201f5bc674bffb64 (jmaloy/qemu-kvm)
+RH-Bugzilla: 2063262
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2063262
+Upstream: Merged
+CVE: CVE-2022-26354
+
+commit 8d1b247f3748ac4078524130c6d7ae42b6140aaf
+Author: Stefano Garzarella <sgarzare@redhat.com>
+Date:   Mon Feb 28 10:50:58 2022 +0100
+
+    vhost-vsock: detach the virqueue element in case of error
+
+    In vhost_vsock_common_send_transport_reset(), if an element popped from
+    the virtqueue is invalid, we should call virtqueue_detach_element() to
+    detach it from the virtqueue before freeing its memory.
+
+    Fixes: fc0b9b0e1c ("vhost-vsock: add virtio sockets device")
+    Fixes: CVE-2022-26354
+    Cc: qemu-stable@nongnu.org
+    Reported-by: VictorV <vv474172261@gmail.com>
+    Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+    Message-Id: <20220228095058.27899-1-sgarzare@redhat.com>
+    Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+    Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+    Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+
+(cherry picked from commit 8d1b247f3748ac4078524130c6d7ae42b6140aaf)
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+---
+ hw/virtio/vhost-vsock-common.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/hw/virtio/vhost-vsock-common.c b/hw/virtio/vhost-vsock-common.c
+index 3f3771274e..ed706681ac 100644
+--- a/hw/virtio/vhost-vsock-common.c
++++ b/hw/virtio/vhost-vsock-common.c
+@@ -153,19 +153,23 @@ static void vhost_vsock_common_send_transport_reset(VHostVSockCommon *vvc)
+     if (elem->out_num) {
+         error_report("invalid vhost-vsock event virtqueue element with "
+                      "out buffers");
+-        goto out;
++        goto err;
+     }
+ 
+     if (iov_from_buf(elem->in_sg, elem->in_num, 0,
+                      &event, sizeof(event)) != sizeof(event)) {
+         error_report("vhost-vsock event virtqueue element is too short");
+-        goto out;
++        goto err;
+     }
+ 
+     virtqueue_push(vq, elem, sizeof(event));
+     virtio_notify(VIRTIO_DEVICE(vvc), vq);
+ 
+-out:
++    g_free(elem);
++    return;
++
++err:
++    virtqueue_detach_element(vq, elem, 0);
+     g_free(elem);
+ }
+ 
+-- 
+2.27.0
+
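Review bot: The new `err:` path in vhost_vsock_common_send_transport_reset() has no comment saying why `virtqueue_detach_element(vq, elem, 0)` must come before `g_free(elem)`. That ordering is the whole CVE-2022-26354 fix, and a later cleanup that merges the two exits again could easily undo it. I would add above the call `/* elem was popped but never pushed: detach it so the virtqueue releases its accounting and mappings before the memory is freed */`. The wording about accounting and mappings is my reading of virtqueue_detach_element(), whose definition is not in this hunk, so it should be checked there. The function begins outside the hunk, so the pop and any earlier exit are not visible here.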
diff --git a/SOURCES/kvm-virtiofsd-Drop-membership-of-all-supplementary-group.patch b/SOURCES/kvm-virtiofsd-Drop-membership-of-all-supplementary-group.patch
new file mode 100644
index 0000000..face8e6
--- /dev/null
+++ b/SOURCES/kvm-virtiofsd-Drop-membership-of-all-supplementary-group.patch
@@ -0,0 +1,110 @@
+From 2754dc2c7def01d7dd1bb39f3e86ef444652d397 Mon Sep 17 00:00:00 2001
+From: Vivek Goyal <vgoyal@redhat.com>
+Date: Tue, 25 Jan 2022 13:51:14 -0500
+Subject: [PATCH 1/6] virtiofsd: Drop membership of all supplementary groups
+ (CVE-2022-0358)
+
+RH-Author: Dr. David Alan Gilbert <dgilbert@redhat.com>
+RH-MergeRequest: 102: virtiofsd: Drop membership of all supplementary groups (CVE-2022-0358)
+RH-Commit: [1/1] 93e56c88277fec8e42559a899d32b80fac4a923f
+RH-Bugzilla: 2046198
+RH-Acked-by: Greg Kurz <gkurz@redhat.com>
+RH-Acked-by: Sergio Lopez <None>
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+
+At the start, drop membership of all supplementary groups. This is
+not required.
+
+If we have membership of "root" supplementary group and when we switch
+uid/gid using setresuid/setsgid, we still retain membership of existing
+supplemntary groups. And that can allow some operations which are not
+normally allowed.
+
+For example, if root in guest creates a dir as follows.
+
+$ mkdir -m 03777 test_dir
+
+This sets SGID on dir as well as allows unprivileged users to write into
+this dir.
+
+And now as unprivileged user open file as follows.
+
+$ su test
+$ fd = open("test_dir/priviledge_id", O_RDWR|O_CREAT|O_EXCL, 02755);
+
+This will create SGID set executable in test_dir/.
+
+And that's a problem because now an unpriviliged user can execute it,
+get egid=0 and get access to resources owned by "root" group. This is
+privilege escalation.
+
+Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2044863
+Fixes: CVE-2022-0358
+Reported-by: JIETAO XIAO <shawtao1125@gmail.com>
+Suggested-by: Miklos Szeredi <mszeredi@redhat.com>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
+Message-Id: <YfBGoriS38eBQrAb@redhat.com>
+Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+  dgilbert: Fixed missing {}'s style nit
+(cherry picked from commit 449e8171f96a6a944d1f3b7d3627ae059eae21ca)
+---
+ tools/virtiofsd/passthrough_ll.c | 27 +++++++++++++++++++++++++++
+ 1 file changed, 27 insertions(+)
+
+diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
+index 64b5b4fbb1..b3d0674f6d 100644
+--- a/tools/virtiofsd/passthrough_ll.c
++++ b/tools/virtiofsd/passthrough_ll.c
+@@ -54,6 +54,7 @@
+ #include <sys/wait.h>
+ #include <sys/xattr.h>
+ #include <syslog.h>
++#include <grp.h>
+ 
+ #include "qemu/cutils.h"
+ #include "passthrough_helpers.h"
+@@ -1161,6 +1162,30 @@ static void lo_lookup(fuse_req_t req, fuse_ino_t parent, const char *name)
+ #define OURSYS_setresuid SYS_setresuid
+ #endif
+ 
++static void drop_supplementary_groups(void)
++{
++    int ret;
++
++    ret = getgroups(0, NULL);
++    if (ret == -1) {
++        fuse_log(FUSE_LOG_ERR, "getgroups() failed with error=%d:%s\n",
++                 errno, strerror(errno));
++        exit(1);
++    }
++
++    if (!ret) {
++        return;
++    }
++
++    /* Drop all supplementary groups. We should not need it */
++    ret = setgroups(0, NULL);
++    if (ret == -1) {
++        fuse_log(FUSE_LOG_ERR, "setgroups() failed with error=%d:%s\n",
++                 errno, strerror(errno));
++        exit(1);
++    }
++}
++
+ /*
+  * Change to uid/gid of caller so that file is created with
+  * ownership of caller.
+@@ -3926,6 +3951,8 @@ int main(int argc, char *argv[])
+ 
+     qemu_init_exec_dir(argv[0]);
+ 
++    drop_supplementary_groups();
++
+     pthread_mutex_init(&lo.mutex, NULL);
+     lo.inodes = g_hash_table_new(lo_key_hash, lo_key_equal);
+     lo.root.fd = -1;
+-- 
+2.27.0
+
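Review bot: The only comment in drop_supplementary_groups(), `/* Drop all supplementary groups. We should not need it */`, leaves out the security reason that the commit message gives. That reason belongs next to the code, for example `/* Supplementary groups survive the later switch to the caller's uid/gid; a retained gid 0 lets a guest user create SGID files owned by the root group (CVE-2022-0358) */`. The early `if (!ret) { return; }` deserves a one-line comment too, saying that setgroups() is skipped when getgroups() reports no supplementary groups. Whether that also avoids needing the privilege for setgroups() in some launch setups cannot be told from this hunk and would have to be confirmed. main() starts and ends outside the hunk, so the ordering relative to option parsing and sandbox setup is not visible.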
diff --git a/SOURCES/kvm-vmxcap-Add-5-level-EPT-bit.patch b/SOURCES/kvm-vmxcap-Add-5-level-EPT-bit.patch
new file mode 100644
index 0000000..8cdb980
--- /dev/null
+++ b/SOURCES/kvm-vmxcap-Add-5-level-EPT-bit.patch
@@ -0,0 +1,48 @@
+From f0f87dcea3fe14b20b8599cda9b1151ca2490d0c Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Wed, 30 Mar 2022 14:52:34 -0400
+Subject: [PATCH 07/18] vmxcap: Add 5-level EPT bit
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+RH-MergeRequest: 139: vmxcap: Add 5-level EPT bit
+RH-Commit: [1/2] 4c098f551f1ed8e2a5582f466afda35b28d97055 (jmaloy/qemu-kvm)
+RH-Bugzilla: 2065207
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+
+BZ: https://bugzilla.redhat.com/show_bug.cgi?id=2065207
+UPSTREAM: Merged
+
+commit d312378e59658473aa91aa15c67ec6200d92e5ff
+Author: Vitaly Kuznetsov <vkuznets@redhat.com>
+Date:   Mon Feb 21 15:53:16 2022 +0100
+
+    vmxcap: Add 5-level EPT bit
+
+    5-level EPT is present in Icelake Server CPUs and is supported by QEMU
+    ('vmx-page-walk-5').
+
+    Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+    Message-Id: <20220221145316.576138-2-vkuznets@redhat.com>
+    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+(cherry picked from commit d312378e59658473aa91aa15c67ec6200d92e5ff)
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+---
+ scripts/kvm/vmxcap | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/scripts/kvm/vmxcap b/scripts/kvm/vmxcap
+index 6fe66d5f57..f140040104 100755
+--- a/scripts/kvm/vmxcap
++++ b/scripts/kvm/vmxcap
+@@ -249,6 +249,7 @@ controls = [
+         bits = {
+             0: 'Execute-only EPT translations',
+             6: 'Page-walk length 4',
++            7: 'Page-walk length 5',
+             8: 'Paging-structure memory type UC',
+             14: 'Paging-structure memory type WB',
+             16: '2MB EPT pages',
+-- 
+2.27.0
+
diff --git a/SOURCES/tests_data_acpi_pc_SSDT.dimmpxm b/SOURCES/tests_data_acpi_pc_SSDT.dimmpxm
new file mode 100644
index 0000000..ac55387
Binary files /dev/null and b/SOURCES/tests_data_acpi_pc_SSDT.dimmpxm differ
diff --git a/SOURCES/tests_data_acpi_q35_FACP.slic b/SOURCES/tests_data_acpi_q35_FACP.slic
new file mode 100644
index 0000000..15986e0
Binary files /dev/null and b/SOURCES/tests_data_acpi_q35_FACP.slic differ
diff --git a/SOURCES/tests_data_acpi_q35_SSDT.dimmpxm b/SOURCES/tests_data_acpi_q35_SSDT.dimmpxm
new file mode 100644
index 0000000..98e6f0e
Binary files /dev/null and b/SOURCES/tests_data_acpi_q35_SSDT.dimmpxm differ
diff --git a/SOURCES/tests_data_acpi_virt_SSDT.memhp b/SOURCES/tests_data_acpi_virt_SSDT.memhp
new file mode 100644
index 0000000..375d7b6
Binary files /dev/null and b/SOURCES/tests_data_acpi_virt_SSDT.memhp differ
diff --git a/SPECS/qemu-kvm.spec b/SPECS/qemu-kvm.spec
index 521101b..66f14a2 100644
--- a/SPECS/qemu-kvm.spec
+++ b/SPECS/qemu-kvm.spec
@@ -83,7 +83,7 @@ Obsoletes: %1-rhev <= %{epoch}:%{version}-%{release}
 Summary: QEMU is a machine emulator and virtualizer
 Name: qemu-kvm
 Version: 6.2.0
-Release: 5%{?rcrel}%{?dist}
+Release: 12%{?rcrel}%{?dist}
 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
 Epoch: 15
 License: GPLv2 and GPLv2+ and CC-BY
@@ -118,7 +118,10 @@ Source33: qemu-pr-helper.socket
 Source34: 81-kvm-rhel.rules
 Source35: udev-kvm-check.c
 Source36: README.tests
-
+Source37: tests_data_acpi_pc_SSDT.dimmpxm
+Source38: tests_data_acpi_q35_FACP.slic
+Source39: tests_data_acpi_q35_SSDT.dimmpxm
+Source40: tests_data_acpi_virt_SSDT.memhp
 
 Patch0001: 0001-redhat-Adding-slirp-to-the-exploded-tree.patch
 Patch0005: 0005-Initial-redhat-build.patch
@@ -162,6 +165,98 @@ Patch33: kvm-rhel-machine-types-x86-set-prefer_sockets.patch
 Patch34: kvm-acpi-validate-hotplug-selector-on-access.patch
 # For bz#2031035 - Add rhel-8.6.0 machine types for RHEL 8.6 [x86]
 Patch35: kvm-x86-Add-q35-RHEL-8.6.0-machine-type.patch
+# For bz#2046198 - CVE-2022-0358 virt:av/qemu-kvm: QEMU: virtiofsd: potential privilege escalation via CVE-2018-13405 [rhel-8.6]
+Patch36: kvm-virtiofsd-Drop-membership-of-all-supplementary-group.patch
+# For bz#2033279 - [wrb][qemu-kvm 6.2] The hot-unplugged device can not be hot-plugged back
+Patch37: kvm-softmmu-fix-device-deletion-events-with-device-JSON-.patch
+# For bz#2021778 - Qemu core dump when do full backup during system reset
+# For bz#2036178 - Qemu core dumped when do block-stream to a snapshot node on non-enough space storage
+Patch38: kvm-block-backend-prevent-dangling-BDS-pointers-across-a.patch
+# For bz#2021778 - Qemu core dump when do full backup during system reset
+# For bz#2036178 - Qemu core dumped when do block-stream to a snapshot node on non-enough space storage
+Patch39: kvm-iotests-stream-error-on-reset-New-test.patch
+# For bz#2037135 - Booting from Local Snapshot Core Dumped Whose Backing File Is Based on RBD
+Patch40: kvm-block-rbd-fix-handling-of-holes-in-.bdrv_co_block_st.patch
+# For bz#2037135 - Booting from Local Snapshot Core Dumped Whose Backing File Is Based on RBD
+Patch41: kvm-block-rbd-workaround-for-ceph-issue-53784.patch
+# For bz#1518984 - [Intel 8.6 Feat] qemu-kvm: SGX 1.5 (SGX1 + Flexible Launch Control) support
+Patch42: kvm-numa-Enable-numa-for-SGX-EPC-sections.patch
+# For bz#1518984 - [Intel 8.6 Feat] qemu-kvm: SGX 1.5 (SGX1 + Flexible Launch Control) support
+Patch43: kvm-numa-Support-SGX-numa-in-the-monitor-and-Libvirt-int.patch
+# For bz#1518984 - [Intel 8.6 Feat] qemu-kvm: SGX 1.5 (SGX1 + Flexible Launch Control) support
+Patch44: kvm-doc-Add-the-SGX-numa-description.patch
+# For bz#1518984 - [Intel 8.6 Feat] qemu-kvm: SGX 1.5 (SGX1 + Flexible Launch Control) support
+Patch45: kvm-Enable-SGX-RH-Only.patch
+# For bz#1518984 - [Intel 8.6 Feat] qemu-kvm: SGX 1.5 (SGX1 + Flexible Launch Control) support
+Patch46: kvm-qapi-Cleanup-SGX-related-comments-and-restore-sectio.patch
+# For bz#2041480 - [incremental_backup] Inconsistent block status reply in qemu-nbd
+Patch47: kvm-block-io-Update-BSC-only-if-want_zero-is-true.patch
+# For bz#2041480 - [incremental_backup] Inconsistent block status reply in qemu-nbd
+Patch48: kvm-iotests-block-status-cache-New-test.patch
+# For bz#2035185 - Qemu core dump when start guest with nbd node or do block jobs to nbd node
+Patch49: kvm-block-nbd-Delete-reconnect-delay-timer-when-done.patch
+# For bz#2035185 - Qemu core dump when start guest with nbd node or do block jobs to nbd node
+Patch50: kvm-block-nbd-Assert-there-are-no-timers-when-closed.patch
+# For bz#2035185 - Qemu core dump when start guest with nbd node or do block jobs to nbd node
+Patch51: kvm-iotests.py-Add-QemuStorageDaemon-class.patch
+# For bz#2035185 - Qemu core dump when start guest with nbd node or do block jobs to nbd node
+Patch52: kvm-iotests-281-Test-lingering-timers.patch
+# For bz#2035185 - Qemu core dump when start guest with nbd node or do block jobs to nbd node
+Patch53: kvm-block-nbd-Move-s-ioc-on-AioContext-change.patch
+# For bz#2035185 - Qemu core dump when start guest with nbd node or do block jobs to nbd node
+Patch54: kvm-iotests-281-Let-NBD-connection-yield-in-iothread.patch
+# For bz#2062613 - Revert IBM-specific Ubuntu-compatibility machine type for 8.6-AV GA [rhel-8.7.0]
+Patch55: kvm-Revert-redhat-Add-hw_compat_4_2_extra-and-apply-to-u.patch
+# For bz#2062613 - Revert IBM-specific Ubuntu-compatibility machine type for 8.6-AV GA [rhel-8.7.0]
+Patch56: kvm-Revert-redhat-Enable-FDC-device-for-upstream-machine.patch
+# For bz#2062613 - Revert IBM-specific Ubuntu-compatibility machine type for 8.6-AV GA [rhel-8.7.0]
+Patch57: kvm-Revert-redhat-Expose-upstream-machines-pc-4.2-and-pc.patch
+# For bz#2060843 - [virtual network][vDPA] qemu crash after hot unplug vdpa device [rhel-8.7.0]
+Patch58: kvm-hw-virtio-vdpa-Fix-leak-of-host-notifier-memory-regi.patch
+# For bz#2062610 - Do operation to disk will hang in the guest of target host after hotplugging and migrating [rhel-8.7.0]
+Patch59: kvm-pci-expose-TYPE_XIO3130_DOWNSTREAM-name.patch
+# For bz#2062610 - Do operation to disk will hang in the guest of target host after hotplugging and migrating [rhel-8.7.0]
+Patch60: kvm-acpi-pcihp-pcie-set-power-on-cap-on-parent-slot.patch
+# For bz#2065207 - Win11 (q35+edk2) guest broke after install wsl2 through 'wsl --install -d Ubuntu-20.04' [rhel-8.7.0]
+Patch61: kvm-vmxcap-Add-5-level-EPT-bit.patch
+# For bz#2065207 - Win11 (q35+edk2) guest broke after install wsl2 through 'wsl --install -d Ubuntu-20.04' [rhel-8.7.0]
+Patch62: kvm-i386-Add-Icelake-Server-v6-CPU-model-with-5-level-EP.patch
+# For bz#2062611 - Guest can not start with SLIC acpi table [rhel-8.7.0]
+Patch63: kvm-acpi-fix-QEMU-crash-when-started-with-SLIC-table.patch
+# For bz#2062611 - Guest can not start with SLIC acpi table [rhel-8.7.0]
+Patch64: kvm-tests-acpi-whitelist-expected-blobs-before-changing-.patch
+# For bz#2062611 - Guest can not start with SLIC acpi table [rhel-8.7.0]
+Patch65: kvm-tests-acpi-add-SLIC-table-test.patch
+# For bz#2062611 - Guest can not start with SLIC acpi table [rhel-8.7.0]
+Patch66: kvm-tests-acpi-SLIC-update-expected-blobs.patch
+# For bz#2062611 - Guest can not start with SLIC acpi table [rhel-8.7.0]
+Patch67: kvm-tests-acpi-manually-pad-OEM_ID-OEM_TABLE_ID-for-test.patch
+# For bz#2062611 - Guest can not start with SLIC acpi table [rhel-8.7.0]
+Patch68: kvm-tests-acpi-whitelist-nvdimm-s-SSDT-and-FACP.slic-exp.patch
+# For bz#2062611 - Guest can not start with SLIC acpi table [rhel-8.7.0]
+Patch69: kvm-acpi-fix-OEM-ID-OEM-Table-ID-padding.patch
+# For bz#2062611 - Guest can not start with SLIC acpi table [rhel-8.7.0]
+Patch70: kvm-tests-acpi-update-expected-blobs.patch
+# For bz#2062611 - Guest can not start with SLIC acpi table [rhel-8.7.0]
+Patch71: kvm-tests-acpi-test-short-OEM_ID-OEM_TABLE_ID-values-in-.patch
+# For bz#2068202 - RHEL 9.0 guest with vsock device migration failed from RHEL 9.0 > RHEL 8.6 [rhel-8.7.0]
+Patch72: kvm-RHEL-disable-seqpacket-for-vhost-vsock-device-in-rhe.patch
+# For bz#2067118 - qemu crash after execute blockdev-reopen with  iothread
+Patch73: kvm-block-Lock-AioContext-for-drain_end-in-blockdev-reop.patch
+# For bz#2067118 - qemu crash after execute blockdev-reopen with  iothread
+Patch74: kvm-iotests-Test-blockdev-reopen-with-iothreads-and-thro.patch
+# For bz#2071070 - s390x/css: fix PMCW invalid mask
+Patch75: kvm-s390x-css-fix-PMCW-invalid-mask.patch
+# For bz#1999236 - CVE-2021-3750 virt:rhel/qemu-kvm: QEMU: hcd-ehci: DMA reentrancy issue leads to use-after-free [rhel-8]
+Patch76: kvm-hw-intc-arm_gicv3-Check-for-MEMTX_OK-instead-of-MEMT.patch
+# For bz#1999236 - CVE-2021-3750 virt:rhel/qemu-kvm: QEMU: hcd-ehci: DMA reentrancy issue leads to use-after-free [rhel-8]
+Patch77: kvm-softmmu-physmem-Simplify-flatview_write-and-address_.patch
+# For bz#1999236 - CVE-2021-3750 virt:rhel/qemu-kvm: QEMU: hcd-ehci: DMA reentrancy issue leads to use-after-free [rhel-8]
+Patch78: kvm-softmmu-physmem-Introduce-MemTxAttrs-memory-field-an.patch
+# For bz#2040738 - CVE-2021-4207 virt:rhel/qemu-kvm: QEMU: QXL: double fetch in qxl_cursor() can lead to heap buffer overflow [rhel-8]
+Patch79: kvm-display-qxl-render-fix-race-condition-in-qxl_cursor-.patch
+# For bz#2063262 - CVE-2022-26354 virt:rhel/qemu-kvm: QEMU: vhost-vsock: missing virtqueue detach on error can lead to memory leak [rhel-8]
+Patch80: kvm-vhost-vsock-detach-the-virqueue-element-in-case-of-e.patch
 
 BuildRequires: wget
 BuildRequires: rpm-build
@@ -493,6 +588,10 @@ mkdir slirp
 %global qemu_kvm_build qemu_kvm_build
 mkdir -p %{qemu_kvm_build}
 
+cp -f %{SOURCE37} tests/data/acpi/pc/SSDT.dimmpxm
+cp -f %{SOURCE38} tests/data/acpi/q35/FACP.slic
+cp -f %{SOURCE39} tests/data/acpi/q35/SSDT.dimmpxm
+cp -f %{SOURCE40} tests/data/acpi/virt/SSDT.memhp
 
 %build
 %global buildarch %{kvm_target}-softmmu
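Review bot: The four `cp -f %{SOURCE37}` to `%{SOURCE40}` lines carry no comment explaining why binary files are copied over `tests/data/acpi/`, and the bare source numbers give a reader nothing to check them against. The changelog in this same diff lists `kvm-rhel-workaround-for-lack-of-binary-patches-in-SRPM.patch [bz#2062611]`, so these are presumably the expected ACPI blobs that the test patches could not carry as text diffs. I would say so above the block, for example `# bz#2062611: expected ACPI test blobs, shipped as sources because SRPM patches cannot carry binary diffs`. Because these files are opaque to patch review, the comment should also record where each blob was taken from so it can be compared against its origin.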
@@ -815,7 +914,7 @@ cp -R tests/avocado/* $RPM_BUILD_ROOT%{testsdir}/tests/avocado/
 # Install qemu.py and qmp/ scripts required to run avocado_qemu tests
 cp -R python/qemu $RPM_BUILD_ROOT%{testsdir}/python
 cp -R scripts/qmp/* $RPM_BUILD_ROOT%{testsdir}/scripts/qmp
-install -p -m 0755 ../tests/Makefile.include $RPM_BUILD_ROOT%{testsdir}/tests/
+install -p -m 0644 ../tests/Makefile.include $RPM_BUILD_ROOT%{testsdir}/tests/
 
 # Install qemu-iotests
 cp -R ../tests/qemu-iotests/* $RPM_BUILD_ROOT%{testsdir}/tests/qemu-iotests/
@@ -914,7 +1013,7 @@ install -D -p -m 0644 ../qemu.sasl $RPM_BUILD_ROOT%{_sysconfdir}/sasl2/%{name}.c
 # Install keymaps
 pushd pc-bios/keymaps
 for kmp in *; do
-   install $kmp ${RPM_BUILD_ROOT}%{_datadir}/%{name}/keymaps/
+   install -m 0644 $kmp ${RPM_BUILD_ROOT}%{_datadir}/%{name}/keymaps/
 done
 rm -f ${RPM_BUILD_ROOT}%{_datadir}/%{name}/keymaps/*.stamp
 popd
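Review bot: The new `install -m 0644 $kmp` line pins the mode but omits `-p` and leaves `$kmp` unquoted, unlike the other install calls visible in this diff (`install -p -m 0644 ../tests/Makefile.include`, `install -D -p -m 0644 ../qemu.sasl`). Without `-p` the installed keymaps get build-time timestamps, and a name produced by `for kmp in *` is word-split if it ever contains whitespace. I would write `install -p -m 0644 "$kmp" ${RPM_BUILD_ROOT}%{_datadir}/%{name}/keymaps/`. The loop also still installs the `*.stamp` files that the following `rm -f` then removes; that behaviour predates this change.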
@@ -1327,6 +1426,107 @@ sh %{_sysconfdir}/sysconfig/modules/kvm.modules &> /dev/null || :
 
 
 %changelog
+* Thu Apr 21 2022 Jon Maloy <jmaloy@redhat.com> - 6.2.0-12
+- kvm-display-qxl-render-fix-race-condition-in-qxl_cursor-.patch [bz#2040738]
+- kvm-vhost-vsock-detach-the-virqueue-element-in-case-of-e.patch [bz#2063262]
+- Resolves: bz#2040738
+  (CVE-2021-4207 virt:rhel/qemu-kvm: QEMU: QXL: double fetch in qxl_cursor() can lead to heap buffer overflow [rhel-8])
+- Resolves: bz#2063262
+  (CVE-2022-26354 virt:rhel/qemu-kvm: QEMU: vhost-vsock: missing virtqueue detach on error can lead to memory leak [rhel-8])
+
+* Thu Apr 21 2022 Jon Maloy <jmaloy@redhat.com> - 6.2.0-11
+- kvm-hw-intc-arm_gicv3-Check-for-MEMTX_OK-instead-of-MEMT.patch [bz#1999236]
+- kvm-softmmu-physmem-Simplify-flatview_write-and-address_.patch [bz#1999236]
+- kvm-softmmu-physmem-Introduce-MemTxAttrs-memory-field-an.patch [bz#1999236]
+- Resolves: bz#1999236
+  (CVE-2021-3750 virt:rhel/qemu-kvm: QEMU: hcd-ehci: DMA reentrancy issue leads to use-after-free [rhel-8])
+
+* Thu Apr 21 2022 Jon Maloy <jmaloy@redhat.com> - 6.2.0-10
+- kvm-RHEL-disable-seqpacket-for-vhost-vsock-device-in-rhe.patch [bz#2068202]
+- kvm-block-Lock-AioContext-for-drain_end-in-blockdev-reop.patch [bz#2067118]
+- kvm-iotests-Test-blockdev-reopen-with-iothreads-and-thro.patch [bz#2067118]
+- kvm-s390x-css-fix-PMCW-invalid-mask.patch [bz#2071070]
+- kvm-Set-permission-on-installing-files.patch [bz#2072377]
+- Resolves: bz#2068202
+  (RHEL 9.0 guest with vsock device migration failed from RHEL 9.0 > RHEL 8.6 [rhel-8.7.0])
+- Resolves: bz#2067118
+  (qemu crash after execute blockdev-reopen with  iothread)
+- Resolves: bz#2071070
+  (s390x/css: fix PMCW invalid mask)
+- Resolves: bz#2072377
+  (Fix build warnings that occur when installing the keymap files)
+
+* Wed Apr 06 2022 Jon Maloy <jmaloy@redhat.com> - 6.2.0-9
+- kvm-Revert-redhat-Add-hw_compat_4_2_extra-and-apply-to-u.patch [bz#2062613]
+- kvm-Revert-redhat-Enable-FDC-device-for-upstream-machine.patch [bz#2062613]
+- kvm-Revert-redhat-Expose-upstream-machines-pc-4.2-and-pc.patch [bz#2062613]
+- kvm-hw-virtio-vdpa-Fix-leak-of-host-notifier-memory-regi.patch [bz#2060843]
+- kvm-pci-expose-TYPE_XIO3130_DOWNSTREAM-name.patch [bz#2062610]
+- kvm-acpi-pcihp-pcie-set-power-on-cap-on-parent-slot.patch [bz#2062610]
+- kvm-vmxcap-Add-5-level-EPT-bit.patch [bz#2065207]
+- kvm-i386-Add-Icelake-Server-v6-CPU-model-with-5-level-EP.patch [bz#2065207]
+- kvm-acpi-fix-QEMU-crash-when-started-with-SLIC-table.patch [bz#2062611]
+- kvm-tests-acpi-whitelist-expected-blobs-before-changing-.patch [bz#2062611]
+- kvm-tests-acpi-add-SLIC-table-test.patch [bz#2062611]
+- kvm-tests-acpi-SLIC-update-expected-blobs.patch [bz#2062611]
+- kvm-tests-acpi-manually-pad-OEM_ID-OEM_TABLE_ID-for-test.patch [bz#2062611]
+- kvm-tests-acpi-whitelist-nvdimm-s-SSDT-and-FACP.slic-exp.patch [bz#2062611]
+- kvm-acpi-fix-OEM-ID-OEM-Table-ID-padding.patch [bz#2062611]
+- kvm-tests-acpi-update-expected-blobs.patch [bz#2062611]
+- kvm-tests-acpi-test-short-OEM_ID-OEM_TABLE_ID-values-in-.patch [bz#2062611]
+- kvm-rhel-workaround-for-lack-of-binary-patches-in-SRPM.patch [bz#2062611]
+- Resolves: bz#2062613
+  (Revert IBM-specific Ubuntu-compatibility machine type for 8.6-AV GA [rhel-8.7.0])
+- Resolves: bz#2060843
+  ([virtual network][vDPA] qemu crash after hot unplug vdpa device [rhel-8.7.0])
+- Resolves: bz#2062610
+  (Do operation to disk will hang in the guest of target host after hotplugging and migrating [rhel-8.7.0])
+- Resolves: bz#2065207
+  (Win11 (q35+edk2) guest broke after install wsl2 through 'wsl --install -d Ubuntu-20.04' [rhel-8.7.0])
+- Resolves: bz#2062611
+  (Guest can not start with SLIC acpi table [rhel-8.7.0])
+
+* Tue Feb 22 2022 Jon Maloy <jmaloy@redhat.com> - 6.2.0-8
+- kvm-block-nbd-Delete-reconnect-delay-timer-when-done.patch [bz#2035185]
+- kvm-block-nbd-Assert-there-are-no-timers-when-closed.patch [bz#2035185]
+- kvm-iotests.py-Add-QemuStorageDaemon-class.patch [bz#2035185]
+- kvm-iotests-281-Test-lingering-timers.patch [bz#2035185]
+- kvm-block-nbd-Move-s-ioc-on-AioContext-change.patch [bz#2035185]
+- kvm-iotests-281-Let-NBD-connection-yield-in-iothread.patch [bz#2035185]
+- Resolves: bz#2035185
+  (Qemu core dump when start guest with nbd node or do block jobs to nbd node)
+
+* Tue Feb 15 2022 Jon Maloy <jmaloy@redhat.com> - 6.2.0-7
+- kvm-numa-Enable-numa-for-SGX-EPC-sections.patch [bz#1518984]
+- kvm-numa-Support-SGX-numa-in-the-monitor-and-Libvirt-int.patch [bz#1518984]
+- kvm-doc-Add-the-SGX-numa-description.patch [bz#1518984]
+- kvm-Enable-SGX-RH-Only.patch [bz#1518984]
+- kvm-qapi-Cleanup-SGX-related-comments-and-restore-sectio.patch [bz#1518984]
+- kvm-block-io-Update-BSC-only-if-want_zero-is-true.patch [bz#2041480]
+- kvm-iotests-block-status-cache-New-test.patch [bz#2041480]
+- Resolves: bz#1518984
+  ([Intel 8.6 Feat] qemu-kvm: SGX 1.5 (SGX1 + Flexible Launch Control) support)
+- Resolves: bz#2041480
+  ([incremental_backup] Inconsistent block status reply in qemu-nbd)
+
+* Tue Feb 08 2022 Jon Maloy <jmaloy@redhat.com> - 6.2.0-6
+- kvm-virtiofsd-Drop-membership-of-all-supplementary-group.patch [bz#2046198]
+- kvm-softmmu-fix-device-deletion-events-with-device-JSON-.patch [bz#2033279]
+- kvm-block-backend-prevent-dangling-BDS-pointers-across-a.patch [bz#2021778 bz#2036178]
+- kvm-iotests-stream-error-on-reset-New-test.patch [bz#2021778 bz#2036178]
+- kvm-block-rbd-fix-handling-of-holes-in-.bdrv_co_block_st.patch [bz#2037135]
+- kvm-block-rbd-workaround-for-ceph-issue-53784.patch [bz#2037135]
+- Resolves: bz#2046198
+  (CVE-2022-0358 virt:av/qemu-kvm: QEMU: virtiofsd: potential privilege escalation via CVE-2018-13405 [rhel-8.6])
+- Resolves: bz#2033279
+  ([wrb][qemu-kvm 6.2] The hot-unplugged device can not be hot-plugged back)
+- Resolves: bz#2021778
+  (Qemu core dump when do full backup during system reset)
+- Resolves: bz#2036178
+  (Qemu core dumped when do block-stream to a snapshot node on non-enough space storage)
+- Resolves: bz#2037135
+  (Booting from Local Snapshot Core Dumped Whose Backing File Is Based on RBD)
+
 * Tue Jan 25 2022 Jon Maloy <jmaloy@redhat.com> - 6.2.0-5
 - kvm-acpi-validate-hotplug-selector-on-access.patch [bz#2036580]
 - kvm-x86-Add-q35-RHEL-8.6.0-machine-type.patch [bz#2031035]