diff --git a/.gitignore b/.gitignore
index a1ef968..39dc421 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,3 +5,4 @@ SOURCES/rhel6-ne2k_pci.rom
 SOURCES/rhel6-pcnet.rom
 SOURCES/rhel6-rtl8139.rom
 SOURCES/rhel6-virtio.rom
+SOURCES/sample_images.tar
diff --git a/.qemu-kvm.metadata b/.qemu-kvm.metadata
index 0722292..791976e 100644
--- a/.qemu-kvm.metadata
+++ b/.qemu-kvm.metadata
@@ -5,3 +5,4 @@ faac4c56f0ef593721edc66af965bac63760965b SOURCES/rhel6-ne2k_pci.rom
 f5ddbc9701698bc4adc5e98c63ad438c3b8e8510 SOURCES/rhel6-pcnet.rom
 ca79836ccce0ffbf25aac4687a3aa64bf281a3c1 SOURCES/rhel6-rtl8139.rom
 82eda3fb78a792745e46bcbbea8290cc444ae6bf SOURCES/rhel6-virtio.rom
+598e252c89da31924fbd9a6734fd15e4e97b67d8 SOURCES/sample_images.tar
diff --git a/SOURCES/kvm-Do-not-hang-on-full-PTY.patch b/SOURCES/kvm-Do-not-hang-on-full-PTY.patch
new file mode 100644
index 0000000..d7b9524
--- /dev/null
+++ b/SOURCES/kvm-Do-not-hang-on-full-PTY.patch
@@ -0,0 +1,40 @@
+From 40f55392d0bbe867547e5705c2be21d65924b024 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Fri, 9 Jun 2017 11:43:57 +0200
+Subject: [PATCH 2/6] Do not hang on full PTY
+
+RH-Author: Paolo Bonzini <pbonzini@redhat.com>
+Message-id: <20170609114359.13036-2-pbonzini@redhat.com>
+Patchwork-id: 75565
+O-Subject: [RHEL7.4 qemu-kvm PATCH v2 1/3] Do not hang on full PTY
+Bugzilla: 1452067
+RH-Acked-by: David Hildenbrand <david@redhat.com>
+RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+
+From: Don Slutz <dslutz@verizon.com>
+
+Signed-off-by: Don Slutz <dslutz@verizon.com>
+Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+(cherry picked from commit fac6688a18574b6f2caa8c699a936e729ed53ece)
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ qemu-char.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/qemu-char.c b/qemu-char.c
+index 5edca0a..08b2301 100644
+--- a/qemu-char.c
++++ b/qemu-char.c
+@@ -1182,6 +1182,7 @@ static CharDriverState *qemu_chr_open_pty(const char *id,
+     }
+ 
+     close(slave_fd);
++    qemu_set_nonblock(master_fd);
+ 
+     chr = g_malloc0(sizeof(CharDriverState));
+ 
+-- 
+1.8.3.1
+
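Review bot: The added `qemu_set_nonblock(master_fd);` in qemu_chr_open_pty has no comment and the carried patch has an empty commit body, so the reason for the call can only be guessed from the subject line. A short comment above it would help, for example `/* non-blocking: a full PTY with no reader must not stall the caller in write() */`. With the descriptor non-blocking, writes to the master side can presumably fail with EAGAIN or complete partially; the write path is outside this hunk, so it is worth confirming that it retries or reports short writes rather than silently dropping guest output. The function body starts and ends outside the hunk.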
diff --git a/SOURCES/kvm-Fix-memory-slot-page-alignment-logic-bug-1455745.patch b/SOURCES/kvm-Fix-memory-slot-page-alignment-logic-bug-1455745.patch
new file mode 100644
index 0000000..eebc4cb
--- /dev/null
+++ b/SOURCES/kvm-Fix-memory-slot-page-alignment-logic-bug-1455745.patch
@@ -0,0 +1,61 @@
+From be6123e0eadd895a9fa47005df38c4dce655236c Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Tue, 6 Jun 2017 17:08:19 +0200
+Subject: [PATCH 1/6] kvm: Fix memory slot page alignment logic (bug#1455745)
+
+RH-Author: Paolo Bonzini <pbonzini@redhat.com>
+Message-id: <20170606170819.18875-1-pbonzini@redhat.com>
+Patchwork-id: 75507
+O-Subject: [RHEL7.4 qemu-kvm PATCH] kvm: Fix memory slot page alignment logic (bug#1455745)
+Bugzilla: 1455745
+RH-Acked-by: Alex Williamson <alex.williamson@redhat.com>
+RH-Acked-by: Marcel Apfelbaum <marcel@redhat.com>
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+
+From: Alexander Graf <agraf@suse.de>
+
+Brew build: 13356300
+
+Memory slots have to be page aligned to get entered into KVM. There
+is existing logic that tries to ensure that we pad memory slots that
+are not page aligned to the biggest region that would still fit in the
+alignment requirements.
+
+Unfortunately, that logic is broken. It tries to calculate the start
+offset based on the region size.
+
+Fix up the logic to do the thing it was intended to do and document it
+properly in the comment above it.
+
+With this patch applied, I can successfully run an e500 guest with more
+than 3GB RAM (at which point RAM starts overlapping subpage memory regions).
+[Paolo: in RHEL's case, the issue was reported with assigned devices]
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Alexander Graf <agraf@suse.de>
+(cherry picked from commit f2a64032a14c642d0ddc9a7a846fc3d737deede5)
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ kvm-all.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/kvm-all.c b/kvm-all.c
+index fc6e3ab..9486b9a 100644
+--- a/kvm-all.c
++++ b/kvm-all.c
+@@ -621,8 +621,10 @@ static void kvm_set_phys_mem(MemoryRegionSection *section, bool add)
+     unsigned delta;
+ 
+     /* kvm works in page size chunks, but the function may be called
+-       with sub-page size and unaligned start address. */
+-    delta = TARGET_PAGE_ALIGN(size) - size;
++       with sub-page size and unaligned start address. Pad the start
++       address to next and truncate size to previous page boundary. */
++    delta = (TARGET_PAGE_SIZE - (start_addr & ~TARGET_PAGE_MASK));
++    delta &= ~TARGET_PAGE_MASK;
+     if (delta > size) {
+         return;
+     }
+-- 
+1.8.3.1
+
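Review bot: The new two-step computation of `delta` in kvm_set_phys_mem depends on a case the rewritten comment does not mention. For an already page-aligned `start_addr` the first line yields `TARGET_PAGE_SIZE`, and only the following `delta &= ~TARGET_PAGE_MASK;` folds that back to 0. A one-line comment on the mask would make this explicit, for example `/* aligned start gives TARGET_PAGE_SIZE above; mask it back to 0 */`. How `delta` is then applied to `start_addr` and `size` lies outside the hunk, so the truncation of `size` to the previous page boundary that the comment promises cannot be checked from here.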
diff --git a/SOURCES/kvm-HMP-Fix-documentation-of-__com.redhat.drive_add.patch b/SOURCES/kvm-HMP-Fix-documentation-of-__com.redhat.drive_add.patch
new file mode 100644
index 0000000..2c9f803
--- /dev/null
+++ b/SOURCES/kvm-HMP-Fix-documentation-of-__com.redhat.drive_add.patch
@@ -0,0 +1,71 @@
+From cb8c7690048946dd298371876093997f07785269 Mon Sep 17 00:00:00 2001
+From: Markus Armbruster <armbru@redhat.com>
+Date: Tue, 7 Feb 2017 14:56:10 +0100
+Subject: [PATCH 11/11] HMP: Fix documentation of __com.redhat.drive_add
+
+RH-Author: Markus Armbruster <armbru@redhat.com>
+Message-id: <1486479370-24026-3-git-send-email-armbru@redhat.com>
+Patchwork-id: 73592
+O-Subject: [RHEL-7.4 qemu-kvm PATCH 2/2] HMP: Fix documentation of __com.redhat.drive_add
+Bugzilla: 1419898
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+RH-Acked-by: Fam Zheng <famz@redhat.com>
+RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+
+It's similar to -drive if=none, not -device if=none.  Screwed up in
+RHEL-6.0 commit 545d0d8, forward-ported to RHEL-7.0 in commit c18bb50.
+
+Signed-off-by: Markus Armbruster <armbru@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ hmp-commands.hx | 4 ++--
+ qmp-commands.hx | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/hmp-commands.hx b/hmp-commands.hx
+index a8ba626..5356c4c 100644
+--- a/hmp-commands.hx
++++ b/hmp-commands.hx
+@@ -1105,7 +1105,7 @@ ETEXI
+         .name       = RFQDN_REDHAT "drive_add",
+         .args_type  = "simple-drive:O",
+         .params     = "id=name,[file=file][,format=f][,media=d]...",
+-        .help       = "Create a drive similar to -device if=none.",
++        .help       = "Create a drive similar to -drive if=none.",
+ 	.user_print = monitor_user_noop,
+         .mhandler.cmd_new = simple_drive_add,
+     },
+@@ -1113,7 +1113,7 @@ ETEXI
+ STEXI
+ @item __com.redhat_drive_add
+ @findex __com.redhat_drive_add
+-Create a drive similar to -device if=none.
++Create a drive similar to -drive if=none.
+ ETEXI
+ 
+ #if defined(TARGET_I386) && 0 /* Disabled for Red Hat Enterprise Linux */
+diff --git a/qmp-commands.hx b/qmp-commands.hx
+index 9522c44..4a89c24 100644
+--- a/qmp-commands.hx
++++ b/qmp-commands.hx
+@@ -110,7 +110,7 @@ EQMP
+         .name       = RFQDN_REDHAT "drive_add",
+         .args_type  = "simple-drive:O",
+         .params     = "id=name,[file=file][,format=f][,media=d]...",
+-        .help       = "Create a drive similar to -device if=none.",
++        .help       = "Create a drive similar to -drive if=none.",
+ 	.user_print = monitor_user_noop,
+         .mhandler.cmd_new = simple_drive_add,
+     },
+@@ -119,7 +119,7 @@ SQMP
+ __com.redhat_drive_add
+ ----------------------
+ 
+-Create a drive similar to -device if=none.
++Create a drive similar to -drive if=none.
+ 
+ Arguments:
+ 
+-- 
+1.8.3.1
+
diff --git a/SOURCES/kvm-HMP-Fix-user-manual-typo-of-__com.redhat_qxl_screend.patch b/SOURCES/kvm-HMP-Fix-user-manual-typo-of-__com.redhat_qxl_screend.patch
new file mode 100644
index 0000000..731c48a
--- /dev/null
+++ b/SOURCES/kvm-HMP-Fix-user-manual-typo-of-__com.redhat_qxl_screend.patch
@@ -0,0 +1,42 @@
+From ae12e1158b6a27d94070f95f36879ce2f0da604c Mon Sep 17 00:00:00 2001
+From: Markus Armbruster <armbru@redhat.com>
+Date: Tue, 7 Feb 2017 14:56:09 +0100
+Subject: [PATCH 10/11] HMP: Fix user manual typo of
+ __com.redhat_qxl_screendump
+
+RH-Author: Markus Armbruster <armbru@redhat.com>
+Message-id: <1486479370-24026-2-git-send-email-armbru@redhat.com>
+Patchwork-id: 73590
+O-Subject: [RHEL-7.4 qemu-kvm PATCH 1/2] HMP: Fix user manual typo of __com.redhat_qxl_screendump
+Bugzilla: 1419898
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+RH-Acked-by: Fam Zheng <famz@redhat.com>
+RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+
+Fat-fingered in RHEL-6.2 commit 1c6074d, forward ported to RHEL-7.0 in
+commit faf00a8.
+
+Signed-off-by: Markus Armbruster <armbru@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ hmp-commands.hx | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/hmp-commands.hx b/hmp-commands.hx
+index dd528d2..a8ba626 100644
+--- a/hmp-commands.hx
++++ b/hmp-commands.hx
+@@ -264,8 +264,8 @@ ETEXI
+     },
+ 
+ STEXI
+-@item __com.redhat_screendump @var{id} @var{filename}
+-@findex __com.redhat_screendump
++@item __com.redhat_qxl_screendump @var{id} @var{filename}
++@findex __com.redhat_qxl_screendump
+ Save screen from qxl device @var{id} into PPM image @var{filename}.
+ ETEXI
+ 
+-- 
+1.8.3.1
+
diff --git a/SOURCES/kvm-Revert-cirrus-allow-zero-source-pitch-in-pattern-fil.patch b/SOURCES/kvm-Revert-cirrus-allow-zero-source-pitch-in-pattern-fil.patch
index 286031e..28dfa96 100644
--- a/SOURCES/kvm-Revert-cirrus-allow-zero-source-pitch-in-pattern-fil.patch
+++ b/SOURCES/kvm-Revert-cirrus-allow-zero-source-pitch-in-pattern-fil.patch
@@ -1,4 +1,4 @@
-From 1cd1297bf694c0a91d75a87b4fd22c2b80807b49 Mon Sep 17 00:00:00 2001
+From abfd9c2acaf70c60ec70807ba4d021ade69c7b79 Mon Sep 17 00:00:00 2001
 From: Gerd Hoffmann <kraxel@redhat.com>
 Date: Fri, 10 Feb 2017 08:30:14 +0100
 Subject: [PATCH 2/3] Revert "cirrus: allow zero source pitch in pattern fill
@@ -8,7 +8,7 @@ RH-Author: Gerd Hoffmann <kraxel@redhat.com>
 Message-id: <1486715415-3462-3-git-send-email-kraxel@redhat.com>
 Patchwork-id: 73774
 O-Subject: [virt-devel] [RHEL-7.4 qemu-kvm PATCH 2/3] Revert "cirrus: allow zero source pitch in pattern fill rops"
-Bugzilla: 1420490
+Bugzilla: 1420492
 CVE: CVE-2017-2620/20170221
 RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
 RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
diff --git a/SOURCES/kvm-balloon-fix-segfault-and-harden-the-stats-queue.patch b/SOURCES/kvm-balloon-fix-segfault-and-harden-the-stats-queue.patch
index 9540f26..b73ee3a 100644
--- a/SOURCES/kvm-balloon-fix-segfault-and-harden-the-stats-queue.patch
+++ b/SOURCES/kvm-balloon-fix-segfault-and-harden-the-stats-queue.patch
@@ -1,4 +1,4 @@
-From 75255574498fad12727529c4ecbd4ccdabe86839 Mon Sep 17 00:00:00 2001
+From 1f177df6a47fb1e2961067a50e005efad52595cc Mon Sep 17 00:00:00 2001
 From: Ladi Prosek <lprosek@redhat.com>
 Date: Wed, 5 Oct 2016 17:22:26 +0200
 Subject: [PATCH 4/8] balloon: fix segfault and harden the stats queue
@@ -7,7 +7,7 @@ RH-Author: Ladi Prosek <lprosek@redhat.com>
 Message-id: <1475666548-9186-5-git-send-email-lprosek@redhat.com>
 Patchwork-id: 72483
 O-Subject: [RHEL-7.4 qemu-kvm v2 PATCH 4/6] balloon: fix segfault and harden the stats queue
-Bugzilla: 1393484
+Bugzilla: 1377968
 RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
 RH-Acked-by: Michael S. Tsirkin <mst@redhat.com>
 RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
diff --git a/SOURCES/kvm-blkdebug-Add-bdrv_truncate.patch b/SOURCES/kvm-blkdebug-Add-bdrv_truncate.patch
new file mode 100644
index 0000000..ac3ea21
--- /dev/null
+++ b/SOURCES/kvm-blkdebug-Add-bdrv_truncate.patch
@@ -0,0 +1,63 @@
+From 6c316a417a80fcf892935c51eb01c0e273561b32 Mon Sep 17 00:00:00 2001
+From: Max Reitz <mreitz@redhat.com>
+Date: Mon, 13 Mar 2017 17:47:04 +0100
+Subject: [PATCH 16/24] blkdebug: Add bdrv_truncate()
+
+RH-Author: Max Reitz <mreitz@redhat.com>
+Message-id: <20170313174706.29316-1-mreitz@redhat.com>
+Patchwork-id: 74278
+O-Subject: [RHEL-7.4 qemu-kvm PATCH 7/9] blkdebug: Add bdrv_truncate()
+Bugzilla: 1427176
+RH-Acked-by: Fam Zheng <famz@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
+
+From: Kevin Wolf <kwolf@redhat.com>
+
+This is, amongst others, required for qemu-iotests 033 to run as
+intended on VHDX, which uses explicit bdrv_truncate() calls to bs->file
+when allocating new blocks.
+
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+Reviewed-by: Jeff Cody <jcody@redhat.com>
+(cherry picked from commit 8eedfbd4a50299f03b3630659c34ad1b01f69370)
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+Conflicts:
+	block/blkdebug.c
+
+Contextual conflict due to blkdebug_refresh_filename() missing from
+downstream.
+
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+---
+ block/blkdebug.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/block/blkdebug.c b/block/blkdebug.c
+index 8e468b2..7cfeccb 100644
+--- a/block/blkdebug.c
++++ b/block/blkdebug.c
+@@ -652,6 +652,11 @@ static int64_t blkdebug_getlength(BlockDriverState *bs)
+     return bdrv_getlength(bs->file);
+ }
+ 
++static int blkdebug_truncate(BlockDriverState *bs, int64_t offset)
++{
++    return bdrv_truncate(bs->file, offset);
++}
++
+ static BlockDriver bdrv_blkdebug = {
+     .format_name            = "blkdebug",
+     .protocol_name          = "blkdebug",
+@@ -661,6 +666,7 @@ static BlockDriver bdrv_blkdebug = {
+     .bdrv_file_open         = blkdebug_open,
+     .bdrv_close             = blkdebug_close,
+     .bdrv_getlength         = blkdebug_getlength,
++    .bdrv_truncate          = blkdebug_truncate,
+ 
+     .bdrv_aio_readv         = blkdebug_aio_readv,
+     .bdrv_aio_writev        = blkdebug_aio_writev,
+-- 
+1.8.3.1
+
diff --git a/SOURCES/kvm-block-gluster-add-support-for-selecting-debug-loggin.patch b/SOURCES/kvm-block-gluster-add-support-for-selecting-debug-loggin.patch
new file mode 100644
index 0000000..031de1a
--- /dev/null
+++ b/SOURCES/kvm-block-gluster-add-support-for-selecting-debug-loggin.patch
@@ -0,0 +1,202 @@
+From 2ffc3b31eafe39cc11678ef0e0ea39cdfef0469d Mon Sep 17 00:00:00 2001
+From: Jeffrey Cody <jcody@redhat.com>
+Date: Tue, 17 Jan 2017 19:51:32 +0100
+Subject: [PATCH 3/3] block/gluster: add support for selecting debug logging
+ level
+
+RH-Author: Jeffrey Cody <jcody@redhat.com>
+Message-id: <87a60937c8dfa4bee63e59871811dbda7794e818.1484682588.git.jcody@redhat.com>
+Patchwork-id: 73255
+O-Subject: [RHEL-7.4 qemu-kvm 3/3] block/gluster: add support for selecting debug logging level
+Bugzilla: 1151859
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Fam Zheng <famz@redhat.com>
+RH-Acked-by: Thomas Huth <thuth@redhat.com>
+
+This adds commandline support for the logging level of the
+gluster protocol driver, output to stdout.  The option is 'debug',
+e.g.:
+
+-drive filename=gluster://192.168.15.180/gv2/test.qcow2,debug=9
+
+Debug levels are 0-9, with 9 being the most verbose, and 0 representing
+no debugging output.  The default is the same as it was before, which
+is a level of 4.  The current logging levels defined in the gluster
+source are:
+
+    0 - None
+    1 - Emergency
+    2 - Alert
+    3 - Critical
+    4 - Error
+    5 - Warning
+    6 - Notice
+    7 - Info
+    8 - Debug
+    9 - Trace
+
+(From: glusterfs/logging.h)
+
+Reviewed-by: Niels de Vos <ndevos@redhat.com>
+Signed-off-by: Jeff Cody <jcody@redhat.com>
+(cherry picked from commit 7eac868a508cdbf4cccef5c2084941b63fa3aded)
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ block/gluster.c | 61 +++++++++++++++++++++++++++++++++++++++++++++------------
+ 1 file changed, 48 insertions(+), 13 deletions(-)
+
+diff --git a/block/gluster.c b/block/gluster.c
+index 5266dce..86e136d 100644
+--- a/block/gluster.c
++++ b/block/gluster.c
+@@ -35,6 +35,7 @@ typedef struct BDRVGlusterState {
+     int qemu_aio_count;
+     int event_reader_pos;
+     GlusterAIOCB *event_acb;
++    int debug_level;
+ } BDRVGlusterState;
+ 
+ #define GLUSTER_FD_READ  0
+@@ -46,6 +47,7 @@ typedef struct GlusterConf {
+     char *volname;
+     char *image;
+     char *transport;
++    int debug_level;
+ } GlusterConf;
+ 
+ static void qemu_gluster_gconf_free(GlusterConf *gconf)
+@@ -208,11 +210,7 @@ static struct glfs *qemu_gluster_init(GlusterConf *gconf, const char *filename,
+         goto out;
+     }
+ 
+-    /*
+-     * TODO: Use GF_LOG_ERROR instead of hard code value of 4 here when
+-     * GlusterFS makes GF_LOG_* macros available to libgfapi users.
+-     */
+-    ret = glfs_set_logging(glfs, "-", 4);
++    ret = glfs_set_logging(glfs, "-", gconf->debug_level);
+     if (ret < 0) {
+         goto out;
+     }
+@@ -292,16 +290,26 @@ static int qemu_gluster_aio_flush_cb(void *opaque)
+     return (s->qemu_aio_count > 0);
+ }
+ 
++#define GLUSTER_OPT_FILENAME "filename"
++#define GLUSTER_OPT_DEBUG "debug"
++#define GLUSTER_DEBUG_DEFAULT 4
++#define GLUSTER_DEBUG_MAX 9
++
+ /* TODO Convert to fine grained options */
+ static QemuOptsList runtime_opts = {
+     .name = "gluster",
+     .head = QTAILQ_HEAD_INITIALIZER(runtime_opts.head),
+     .desc = {
+         {
+-            .name = "filename",
++            .name = GLUSTER_OPT_FILENAME,
+             .type = QEMU_OPT_STRING,
+             .help = "URL to the gluster image",
+         },
++        {
++            .name = GLUSTER_OPT_DEBUG,
++            .type = QEMU_OPT_NUMBER,
++            .help = "Gluster log level, valid range is 0-9",
++        },
+         { /* end of list */ }
+     },
+ };
+@@ -342,8 +350,17 @@ static int qemu_gluster_open(BlockDriverState *bs,  QDict *options,
+         goto out;
+     }
+ 
+-    filename = qemu_opt_get(opts, "filename");
++    filename = qemu_opt_get(opts, GLUSTER_OPT_FILENAME);
+ 
++    s->debug_level = qemu_opt_get_number(opts, GLUSTER_OPT_DEBUG,
++                                         GLUSTER_DEBUG_DEFAULT);
++    if (s->debug_level < 0) {
++        s->debug_level = 0;
++    } else if (s->debug_level > GLUSTER_DEBUG_MAX) {
++        s->debug_level = GLUSTER_DEBUG_MAX;
++    }
++
++    gconf->debug_level = s->debug_level;
+     s->glfs = qemu_gluster_init(gconf, filename, errp);
+     if (!s->glfs) {
+         ret = -errno;
+@@ -398,6 +415,7 @@ static int qemu_gluster_reopen_prepare(BDRVReopenState *state,
+                                        BlockReopenQueue *queue, Error **errp)
+ {
+     int ret = 0;
++    BDRVGlusterState *s;
+     BDRVGlusterReopenState *reop_s;
+     GlusterConf *gconf = NULL;
+     int open_flags = 0;
+@@ -405,6 +423,8 @@ static int qemu_gluster_reopen_prepare(BDRVReopenState *state,
+     assert(state != NULL);
+     assert(state->bs != NULL);
+ 
++    s = state->bs->opaque;
++
+     state->opaque = g_malloc0(sizeof(BDRVGlusterReopenState));
+     reop_s = state->opaque;
+ 
+@@ -412,6 +432,7 @@ static int qemu_gluster_reopen_prepare(BDRVReopenState *state,
+ 
+     gconf = g_malloc0(sizeof(GlusterConf));
+ 
++    gconf->debug_level = s->debug_level;
+     reop_s->glfs = qemu_gluster_init(gconf, state->bs->filename, errp);
+     if (reop_s->glfs == NULL) {
+         ret = -errno;
+@@ -487,19 +508,28 @@ static int qemu_gluster_create(const char *filename,
+     int64_t total_size = 0;
+     GlusterConf *gconf = g_malloc0(sizeof(GlusterConf));
+ 
+-    glfs = qemu_gluster_init(gconf, filename, errp);
+-    if (!glfs) {
+-        ret = -errno;
+-        goto out;
+-    }
+-
++    gconf->debug_level = GLUSTER_DEBUG_DEFAULT;
+     while (options && options->name) {
+         if (!strcmp(options->name, BLOCK_OPT_SIZE)) {
+             total_size = options->value.n / BDRV_SECTOR_SIZE;
+         }
++        if (!strcmp(options->name, GLUSTER_OPT_DEBUG)) {
++            gconf->debug_level = options->value.n;
++            if (gconf->debug_level < 0) {
++                gconf->debug_level = 0;
++            } else if (gconf->debug_level > GLUSTER_DEBUG_MAX) {
++                gconf->debug_level = GLUSTER_DEBUG_MAX;
++            }
++        }
+         options++;
+     }
+ 
++    glfs = qemu_gluster_init(gconf, filename, errp);
++    if (!glfs) {
++        ret = -errno;
++        goto out;
++    }
++
+     fd = glfs_creat(glfs, gconf->image,
+         O_WRONLY | O_CREAT | O_TRUNC | O_BINARY, S_IRUSR | S_IWUSR);
+     if (!fd) {
+@@ -732,6 +762,11 @@ static QEMUOptionParameter qemu_gluster_create_options[] = {
+         .type = OPT_SIZE,
+         .help = "Virtual disk size"
+     },
++    {
++        .name = GLUSTER_OPT_DEBUG,
++        .type = QEMU_OPT_NUMBER,
++        .help = "Gluster log level, valid range is 0-9",
++    },
+     { NULL }
+ };
+ 
+-- 
+1.8.3.1
+
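Review bot: In the `qemu_gluster_create_options` table the new entry sets `.type = QEMU_OPT_NUMBER`, while the neighbouring size entry uses `OPT_SIZE`. The table appears to take the `OPT_*` constants of QEMUOptionParameter, whereas `QEMU_OPT_NUMBER` belongs to the QemuOpts family used in `runtime_opts`. The two enums are not guaranteed to share values, so the debug option may be parsed as a different type on the create path; `.type = OPT_NUMBER,` looks like the intended value. Separately, both clamps (in qemu_gluster_open and qemu_gluster_create) run after the value has been stored in an `int`. Assuming the option value is wider than `int`, a very large `debug=` setting could wrap into range or go negative before the check instead of clamping to `GLUSTER_DEBUG_MAX`; comparing in the wider type first, ideally in one shared clamp helper, would avoid that.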
diff --git a/SOURCES/kvm-char-change-qemu_chr_fe_add_watch-to-return-unsigned.patch b/SOURCES/kvm-char-change-qemu_chr_fe_add_watch-to-return-unsigned.patch
index 87f18bf..6792339 100644
--- a/SOURCES/kvm-char-change-qemu_chr_fe_add_watch-to-return-unsigned.patch
+++ b/SOURCES/kvm-char-change-qemu_chr_fe_add_watch-to-return-unsigned.patch
@@ -1,21 +1,21 @@
-From 357b8e45c81e79a1547f65ea4109b0882050b1e9 Mon Sep 17 00:00:00 2001
+From 6106261b0f1501a3772f4f9b67ae329697c7b815 Mon Sep 17 00:00:00 2001
 From: Eduardo Habkost <ehabkost@redhat.com>
-Date: Tue, 23 May 2017 14:15:10 +0200
+Date: Tue, 23 May 2017 13:43:59 +0200
 Subject: [PATCH] char: change qemu_chr_fe_add_watch to return unsigned
 
 RH-Author: Eduardo Habkost <ehabkost@redhat.com>
-Message-id: <20170523141510.24762-1-ehabkost@redhat.com>
-Patchwork-id: 75397
-O-Subject: [RHEL-7.3.z qemu-kvm PATCH] char: change qemu_chr_fe_add_watch to return unsigned
-Bugzilla: 1452332
+Message-id: <20170523134359.8747-1-ehabkost@redhat.com>
+Patchwork-id: 75396
+O-Subject: [RHEL-7.4 qemu-kvm PATCH] char: change qemu_chr_fe_add_watch to return unsigned
+Bugzilla: 1451470
 RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
 RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
 RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
 
 From: Paolo Bonzini <pbonzini@redhat.com>
 
-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1452332
-Brew: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=13257135
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1451470#c32
+Brew: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=13257025
 
 g_source_attach can return any value between 1 and UINT_MAX if you let
 QEMU run long enough.  However, qemu_chr_fe_add_watch can also return
@@ -26,11 +26,7 @@ these values.
 Fix the cadence_uart which asserts in this case (easily obtained with
 "-serial pty").
 
-Backport notes:
-
-  This is the same patch submitted to the 7.4 branch.
-
-7.4 backport conflicts:
+Backport Conflicts:
 	hw/char/cadence_uart.c (no qemu_chr_fe_add_watch() call)
 	net/vhost-user.c (doesn't exit)
 	qemu-char.c (trivial conflict)
diff --git a/SOURCES/kvm-char-serial-Fix-emptyness-check.patch b/SOURCES/kvm-char-serial-Fix-emptyness-check.patch
index 7b571ce..4a30500 100644
--- a/SOURCES/kvm-char-serial-Fix-emptyness-check.patch
+++ b/SOURCES/kvm-char-serial-Fix-emptyness-check.patch
@@ -1,15 +1,15 @@
-From c9b0af3739fc5b79a20bf2492b5e8c1dea055dc0 Mon Sep 17 00:00:00 2001
+From a7f735cccb7d7b98998600eebc789c709eac5bca Mon Sep 17 00:00:00 2001
 From: Fam Zheng <famz@redhat.com>
-Date: Fri, 19 May 2017 00:35:10 +0200
+Date: Thu, 18 May 2017 09:21:18 +0200
 Subject: [PATCH 05/18] char/serial: Fix emptyness check
 
 RH-Author: Fam Zheng <famz@redhat.com>
-Message-id: <20170519003523.21163-6-famz@redhat.com>
-Patchwork-id: 75361
-O-Subject: [RHEL-7.3.z qemu-kvm PATCH 05/18] char/serial: Fix emptyness check
-Bugzilla: 1452332
+Message-id: <20170518092131.16571-6-famz@redhat.com>
+Patchwork-id: 75296
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v3 05/18] char/serial: Fix emptyness check
+Bugzilla: 1451470
 RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
-RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
 RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>
 
 From: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
diff --git a/SOURCES/kvm-char-serial-Fix-emptyness-handling.patch b/SOURCES/kvm-char-serial-Fix-emptyness-handling.patch
index 966d2f5..3f42fe8 100644
--- a/SOURCES/kvm-char-serial-Fix-emptyness-handling.patch
+++ b/SOURCES/kvm-char-serial-Fix-emptyness-handling.patch
@@ -1,15 +1,15 @@
-From a14715c6b64f4764259028923a9c04ae7844c546 Mon Sep 17 00:00:00 2001
+From 63857964e14bbf4bcb91eaa56ca46a30d14934ed Mon Sep 17 00:00:00 2001
 From: Fam Zheng <famz@redhat.com>
-Date: Fri, 19 May 2017 00:35:11 +0200
+Date: Thu, 18 May 2017 09:21:19 +0200
 Subject: [PATCH 06/18] char/serial: Fix emptyness handling
 
 RH-Author: Fam Zheng <famz@redhat.com>
-Message-id: <20170519003523.21163-7-famz@redhat.com>
-Patchwork-id: 75359
-O-Subject: [RHEL-7.3.z qemu-kvm PATCH 06/18] char/serial: Fix emptyness handling
-Bugzilla: 1452332
+Message-id: <20170518092131.16571-7-famz@redhat.com>
+Patchwork-id: 75298
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v3 06/18] char/serial: Fix emptyness handling
+Bugzilla: 1451470
 RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
-RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
 RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>
 
 From: Don Slutz <dslutz@verizon.com>
diff --git a/SOURCES/kvm-char-serial-Use-generic-Fifo8.patch b/SOURCES/kvm-char-serial-Use-generic-Fifo8.patch
index ed8c9d1..bf9a9a4 100644
--- a/SOURCES/kvm-char-serial-Use-generic-Fifo8.patch
+++ b/SOURCES/kvm-char-serial-Use-generic-Fifo8.patch
@@ -1,15 +1,15 @@
-From 462caff619f890c56194ac50b70b095c26cd133e Mon Sep 17 00:00:00 2001
+From 18e92ed681383c787912d0cd4b8164d8e7df26d4 Mon Sep 17 00:00:00 2001
 From: Fam Zheng <famz@redhat.com>
-Date: Fri, 19 May 2017 00:35:07 +0200
+Date: Thu, 18 May 2017 09:21:15 +0200
 Subject: [PATCH 02/18] char/serial: Use generic Fifo8
 
 RH-Author: Fam Zheng <famz@redhat.com>
-Message-id: <20170519003523.21163-3-famz@redhat.com>
-Patchwork-id: 75358
-O-Subject: [RHEL-7.3.z qemu-kvm PATCH 02/18] char/serial: Use generic Fifo8
-Bugzilla: 1452332
+Message-id: <20170518092131.16571-3-famz@redhat.com>
+Patchwork-id: 75292
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v3 02/18] char/serial: Use generic Fifo8
+Bugzilla: 1451470
 RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
-RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
 RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>
 
 From: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
diff --git a/SOURCES/kvm-char-serial-cosmetic-fixes.patch b/SOURCES/kvm-char-serial-cosmetic-fixes.patch
index 2f9e776..2a507bd 100644
--- a/SOURCES/kvm-char-serial-cosmetic-fixes.patch
+++ b/SOURCES/kvm-char-serial-cosmetic-fixes.patch
@@ -1,18 +1,18 @@
-From f3c1372702f7cac6d8b405cf8c51e15eabc7c054 Mon Sep 17 00:00:00 2001
+From 30482e796857e7d29877d93cc017aca5c844e4e1 Mon Sep 17 00:00:00 2001
 From: Fam Zheng <famz@redhat.com>
-Date: Fri, 19 May 2017 00:35:06 +0200
+Date: Thu, 18 May 2017 09:21:14 +0200
 Subject: [PATCH 01/18] char/serial: cosmetic fixes.
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 
 RH-Author: Fam Zheng <famz@redhat.com>
-Message-id: <20170519003523.21163-2-famz@redhat.com>
-Patchwork-id: 75356
-O-Subject: [RHEL-7.3.z qemu-kvm PATCH 01/18] char/serial: cosmetic fixes.
-Bugzilla: 1452332
+Message-id: <20170518092131.16571-2-famz@redhat.com>
+Patchwork-id: 75293
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v3 01/18] char/serial: cosmetic fixes.
+Bugzilla: 1451470
 RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
-RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
 RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>
 
 From: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
diff --git a/SOURCES/kvm-char-serial-fix-copy-paste-error-fifo8_is_full-vs-em.patch b/SOURCES/kvm-char-serial-fix-copy-paste-error-fifo8_is_full-vs-em.patch
index 35577f6..0778ad2 100644
--- a/SOURCES/kvm-char-serial-fix-copy-paste-error-fifo8_is_full-vs-em.patch
+++ b/SOURCES/kvm-char-serial-fix-copy-paste-error-fifo8_is_full-vs-em.patch
@@ -1,16 +1,16 @@
-From a04a0d4cf131163600ebede71d223d9d01a32511 Mon Sep 17 00:00:00 2001
+From 6239c2bb55847293db2defeff645e1d5e6456a19 Mon Sep 17 00:00:00 2001
 From: Fam Zheng <famz@redhat.com>
-Date: Fri, 19 May 2017 00:35:09 +0200
+Date: Thu, 18 May 2017 09:21:17 +0200
 Subject: [PATCH 04/18] char/serial: fix copy&paste error (fifo8_is_full vs
  empty)
 
 RH-Author: Fam Zheng <famz@redhat.com>
-Message-id: <20170519003523.21163-5-famz@redhat.com>
-Patchwork-id: 75360
-O-Subject: [RHEL-7.3.z qemu-kvm PATCH 04/18] char/serial: fix copy&paste error (fifo8_is_full vs empty)
-Bugzilla: 1452332
+Message-id: <20170518092131.16571-5-famz@redhat.com>
+Patchwork-id: 75294
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v3 04/18] char/serial: fix copy&paste error (fifo8_is_full vs empty)
+Bugzilla: 1451470
 RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
-RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
 RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>
 
 From: Vladimir Senkov <hangup@gmail.com>
diff --git a/SOURCES/kvm-char-serial-serial_ioport_write-Factor-out-common-co.patch b/SOURCES/kvm-char-serial-serial_ioport_write-Factor-out-common-co.patch
index 3970777..6b43fff 100644
--- a/SOURCES/kvm-char-serial-serial_ioport_write-Factor-out-common-co.patch
+++ b/SOURCES/kvm-char-serial-serial_ioport_write-Factor-out-common-co.patch
@@ -1,6 +1,6 @@
-From 5114efc4a077a1fdfa9873e6f44a00d5f8101f65 Mon Sep 17 00:00:00 2001
+From e675e8ae59a4eb6a39fa9d1f13011fd4e718ce67 Mon Sep 17 00:00:00 2001
 From: Fam Zheng <famz@redhat.com>
-Date: Fri, 19 May 2017 00:35:08 +0200
+Date: Thu, 18 May 2017 09:21:16 +0200
 Subject: [PATCH 03/18] char/serial: serial_ioport_write: Factor out common
  code
 MIME-Version: 1.0
@@ -8,12 +8,12 @@ Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 
 RH-Author: Fam Zheng <famz@redhat.com>
-Message-id: <20170519003523.21163-4-famz@redhat.com>
-Patchwork-id: 75357
-O-Subject: [RHEL-7.3.z qemu-kvm PATCH 03/18] char/serial: serial_ioport_write: Factor out common code
-Bugzilla: 1452332
+Message-id: <20170518092131.16571-4-famz@redhat.com>
+Patchwork-id: 75295
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v3 03/18] char/serial: serial_ioport_write: Factor out common code
+Bugzilla: 1451470
 RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
-RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
 RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>
 
 From: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
diff --git a/SOURCES/kvm-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch b/SOURCES/kvm-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch
index 6e2023a..b6bfea6 100644
--- a/SOURCES/kvm-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch
+++ b/SOURCES/kvm-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch
@@ -1,4 +1,4 @@
-From e894ec03d7e6229488ae24d83809009162a0f9e0 Mon Sep 17 00:00:00 2001
+From 74db251c34369bd32148864b3abea6d6586270dc Mon Sep 17 00:00:00 2001
 From: Gerd Hoffmann <kraxel@redhat.com>
 Date: Fri, 10 Feb 2017 08:30:15 +0100
 Subject: [PATCH 3/3] cirrus: add blit_is_unsafe call to
@@ -8,7 +8,7 @@ RH-Author: Gerd Hoffmann <kraxel@redhat.com>
 Message-id: <1486715415-3462-4-git-send-email-kraxel@redhat.com>
 Patchwork-id: 73773
 O-Subject: [virt-devel] [EMBARGOED RHEL-7.4 qemu-kvm PATCH 3/3] cirrus: add blit_is_unsafe call to cirrus_bitblt_cputovideo
-Bugzilla: 1420490
+Bugzilla: 1420492
 CVE: CVE-2017-2620/20170221
 RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
 RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
diff --git a/SOURCES/kvm-cirrus-add-option-to-disable-blitter.patch b/SOURCES/kvm-cirrus-add-option-to-disable-blitter.patch
index 47d8984..48c7d9e 100644
--- a/SOURCES/kvm-cirrus-add-option-to-disable-blitter.patch
+++ b/SOURCES/kvm-cirrus-add-option-to-disable-blitter.patch
@@ -1,16 +1,16 @@
-From 319f3876fafc35412bbf0ef6797c6764c95af6f3 Mon Sep 17 00:00:00 2001
+From 04b0eed67c2564cf9c10a62f57ed606f627c9317 Mon Sep 17 00:00:00 2001
 From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Tue, 21 Mar 2017 09:58:03 +0100
+Date: Mon, 27 Mar 2017 10:01:18 +0200
 Subject: [PATCH 3/7] cirrus: add option to disable blitter
 
 RH-Author: Gerd Hoffmann <kraxel@redhat.com>
-Message-id: <1490090287-1503-4-git-send-email-kraxel@redhat.com>
-Patchwork-id: 74424
-O-Subject: [RHEL-7.4 qemu-kvm PATCH 3/7] cirrus: add option to disable blitter
-Bugzilla: 1430059
+Message-id: <1490608882-10242-4-git-send-email-kraxel@redhat.com>
+Patchwork-id: 74551
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v2 3/7] cirrus: add option to disable blitter
+Bugzilla: 1430060
 RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
 RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
-RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
 
 Ok, we have this beast in the cirrus code which is not used at all by
 modern guests, except when you try to find security holes in qemu.  So,
diff --git a/SOURCES/kvm-cirrus-allow-zero-source-pitch-in-pattern-fill-rops.patch b/SOURCES/kvm-cirrus-allow-zero-source-pitch-in-pattern-fill-rops.patch
index ed65c41..e710937 100644
--- a/SOURCES/kvm-cirrus-allow-zero-source-pitch-in-pattern-fill-rops.patch
+++ b/SOURCES/kvm-cirrus-allow-zero-source-pitch-in-pattern-fill-rops.patch
@@ -1,13 +1,13 @@
-From 9fd5f5b599e19c4485c3c7e6689081965e833df6 Mon Sep 17 00:00:00 2001
+From 03b4fe1dacb0e4a2bdebb86d11e1cff13b2972c1 Mon Sep 17 00:00:00 2001
 From: Gerd Hoffmann <kraxel@redhat.com>
 Date: Tue, 7 Feb 2017 10:07:50 +0100
-Subject: [PATCH 6/8] cirrus: allow zero source pitch in pattern fill rops
+Subject: [PATCH 07/11] cirrus: allow zero source pitch in pattern fill rops
 
 RH-Author: Gerd Hoffmann <kraxel@redhat.com>
 Message-id: <1486462072-32174-6-git-send-email-kraxel@redhat.com>
 Patchwork-id: 73569
 O-Subject: [RHEL-7.4 qemu-kvm PATCH 5/7] cirrus: allow zero source pitch in pattern fill rops
-Bugzilla: 1418232
+Bugzilla: 1418233
 RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
 RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
 RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
diff --git a/SOURCES/kvm-cirrus-fix-blit-address-mask-handling.patch b/SOURCES/kvm-cirrus-fix-blit-address-mask-handling.patch
index 8bc4b87..158737d 100644
--- a/SOURCES/kvm-cirrus-fix-blit-address-mask-handling.patch
+++ b/SOURCES/kvm-cirrus-fix-blit-address-mask-handling.patch
@@ -1,13 +1,13 @@
-From fdb1ec384fe65b7ca2ab7303b56c2731e5999058 Mon Sep 17 00:00:00 2001
+From a5ce32ef09ab8eb8ba2467e12d37020048c8803f Mon Sep 17 00:00:00 2001
 From: Gerd Hoffmann <kraxel@redhat.com>
 Date: Tue, 7 Feb 2017 10:07:51 +0100
-Subject: [PATCH 7/8] cirrus: fix blit address mask handling
+Subject: [PATCH 08/11] cirrus: fix blit address mask handling
 
 RH-Author: Gerd Hoffmann <kraxel@redhat.com>
 Message-id: <1486462072-32174-7-git-send-email-kraxel@redhat.com>
 Patchwork-id: 73570
 O-Subject: [RHEL-7.4 qemu-kvm PATCH 6/7] cirrus: fix blit address mask handling
-Bugzilla: 1418232
+Bugzilla: 1418233
 RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
 RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
 RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
diff --git a/SOURCES/kvm-cirrus-fix-cirrus_invalidate_region.patch b/SOURCES/kvm-cirrus-fix-cirrus_invalidate_region.patch
index b180965..0e38fac 100644
--- a/SOURCES/kvm-cirrus-fix-cirrus_invalidate_region.patch
+++ b/SOURCES/kvm-cirrus-fix-cirrus_invalidate_region.patch
@@ -1,16 +1,16 @@
-From 6c17f6355cac0bc40bae876acf4d31e32978991f Mon Sep 17 00:00:00 2001
+From 8396435dbcd13dc27c7f1c7576499354be48d2c7 Mon Sep 17 00:00:00 2001
 From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Tue, 21 Mar 2017 09:58:04 +0100
+Date: Mon, 27 Mar 2017 10:01:19 +0200
 Subject: [PATCH 4/7] cirrus: fix cirrus_invalidate_region
 
 RH-Author: Gerd Hoffmann <kraxel@redhat.com>
-Message-id: <1490090287-1503-5-git-send-email-kraxel@redhat.com>
-Patchwork-id: 74423
-O-Subject: [RHEL-7.4 qemu-kvm PATCH 4/7] cirrus: fix cirrus_invalidate_region
-Bugzilla: 1430059
+Message-id: <1490608882-10242-5-git-send-email-kraxel@redhat.com>
+Patchwork-id: 74552
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v2 4/7] cirrus: fix cirrus_invalidate_region
+Bugzilla: 1430060
 RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
 RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
-RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
 
 off_cur_end is exclusive, so off_cur_end == cirrus_addr_mask is valid.
 Fix calculation to make sure to allow that, otherwise the assert added
diff --git a/SOURCES/kvm-cirrus-fix-off-by-one-in-cirrus_bitblt_rop_bkwd_tran.patch b/SOURCES/kvm-cirrus-fix-off-by-one-in-cirrus_bitblt_rop_bkwd_tran.patch
index 6188818..fc0f512 100644
--- a/SOURCES/kvm-cirrus-fix-off-by-one-in-cirrus_bitblt_rop_bkwd_tran.patch
+++ b/SOURCES/kvm-cirrus-fix-off-by-one-in-cirrus_bitblt_rop_bkwd_tran.patch
@@ -1,6 +1,6 @@
-From 8c2a803f9ba8b4293c207917a2acfcfac0548d24 Mon Sep 17 00:00:00 2001
+From 081ddf9d66155dbec8ec064d7671ba0799642fd6 Mon Sep 17 00:00:00 2001
 From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Tue, 21 Mar 2017 09:58:07 +0100
+Date: Mon, 27 Mar 2017 10:01:22 +0200
 Subject: [PATCH 7/7] cirrus: fix off-by-one in
  cirrus_bitblt_rop_bkwd_transp_*_16
 MIME-Version: 1.0
@@ -8,13 +8,13 @@ Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 
 RH-Author: Gerd Hoffmann <kraxel@redhat.com>
-Message-id: <1490090287-1503-8-git-send-email-kraxel@redhat.com>
-Patchwork-id: 74422
-O-Subject: [RHEL-7.4 qemu-kvm PATCH 7/7] cirrus: fix off-by-one in cirrus_bitblt_rop_bkwd_transp_*_16
-Bugzilla: 1430059
+Message-id: <1490608882-10242-8-git-send-email-kraxel@redhat.com>
+Patchwork-id: 74555
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v2 7/7] cirrus: fix off-by-one in cirrus_bitblt_rop_bkwd_transp_*_16
+Bugzilla: 1430060
 RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
 RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
-RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
 
 The switch from pointers to addresses (commit
 026aeffcb4752054830ba203020ed6eb05bcaba8 and
diff --git a/SOURCES/kvm-cirrus-fix-oob-access-issue-CVE-2017-2615.patch b/SOURCES/kvm-cirrus-fix-oob-access-issue-CVE-2017-2615.patch
index 2e4cca6..01aecbd 100644
--- a/SOURCES/kvm-cirrus-fix-oob-access-issue-CVE-2017-2615.patch
+++ b/SOURCES/kvm-cirrus-fix-oob-access-issue-CVE-2017-2615.patch
@@ -1,13 +1,13 @@
-From 55c542cca671a5a130c44359c73d1e908353418e Mon Sep 17 00:00:00 2001
+From 2ff46c139a37bbe66732b9024daa771eff3e6c36 Mon Sep 17 00:00:00 2001
 From: Gerd Hoffmann <kraxel@redhat.com>
 Date: Tue, 7 Feb 2017 10:07:52 +0100
-Subject: [PATCH 8/8] cirrus: fix oob access issue (CVE-2017-2615)
+Subject: [PATCH 09/11] cirrus: fix oob access issue (CVE-2017-2615)
 
 RH-Author: Gerd Hoffmann <kraxel@redhat.com>
 Message-id: <1486462072-32174-8-git-send-email-kraxel@redhat.com>
 Patchwork-id: 73565
 O-Subject: [RHEL-7.4 qemu-kvm PATCH 7/7] cirrus: fix oob access issue (CVE-2017-2615)
-Bugzilla: 1418232
+Bugzilla: 1418233
 RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
 RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
 RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
diff --git a/SOURCES/kvm-cirrus-fix-patterncopy-checks.patch b/SOURCES/kvm-cirrus-fix-patterncopy-checks.patch
index 993204c..057c2b3 100644
--- a/SOURCES/kvm-cirrus-fix-patterncopy-checks.patch
+++ b/SOURCES/kvm-cirrus-fix-patterncopy-checks.patch
@@ -1,4 +1,4 @@
-From 46da39c9f9a9a72cf9e833d46ce10d785581ce63 Mon Sep 17 00:00:00 2001
+From 8ce7227f70248c7f4926124e16baab74c5689841 Mon Sep 17 00:00:00 2001
 From: Gerd Hoffmann <kraxel@redhat.com>
 Date: Fri, 10 Feb 2017 08:30:13 +0100
 Subject: [PATCH 1/3] cirrus: fix patterncopy checks
@@ -7,7 +7,7 @@ RH-Author: Gerd Hoffmann <kraxel@redhat.com>
 Message-id: <1486715415-3462-2-git-send-email-kraxel@redhat.com>
 Patchwork-id: 73775
 O-Subject: [virt-devel] [RHEL-7.4 qemu-kvm PATCH 1/3] cirrus: fix patterncopy checks
-Bugzilla: 1420490
+Bugzilla: 1420492
 CVE: CVE-2017-2620/20170221
 RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
 RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
diff --git a/SOURCES/kvm-cirrus-handle-negative-pitch-in-cirrus_invalidate_re.patch b/SOURCES/kvm-cirrus-handle-negative-pitch-in-cirrus_invalidate_re.patch
index 023cff5..cd87244 100644
--- a/SOURCES/kvm-cirrus-handle-negative-pitch-in-cirrus_invalidate_re.patch
+++ b/SOURCES/kvm-cirrus-handle-negative-pitch-in-cirrus_invalidate_re.patch
@@ -1,14 +1,14 @@
-From 1d7bdd730d1537f931a95897b14fdb6c5754ea2c Mon Sep 17 00:00:00 2001
+From 45023277a5822c89806eae1cc5f4d5f897e28fcd Mon Sep 17 00:00:00 2001
 From: Gerd Hoffmann <kraxel@redhat.com>
 Date: Tue, 7 Feb 2017 10:07:49 +0100
-Subject: [PATCH 5/8] cirrus: handle negative pitch in
+Subject: [PATCH 06/11] cirrus: handle negative pitch in
  cirrus_invalidate_region()
 
 RH-Author: Gerd Hoffmann <kraxel@redhat.com>
 Message-id: <1486462072-32174-5-git-send-email-kraxel@redhat.com>
 Patchwork-id: 73566
 O-Subject: [RHEL-7.4 qemu-kvm PATCH 4/7] cirrus: handle negative pitch in cirrus_invalidate_region()
-Bugzilla: 1418232
+Bugzilla: 1418233
 RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
 RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
 RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
diff --git a/SOURCES/kvm-cirrus-stop-passing-around-dst-pointers-in-the-blitt.patch b/SOURCES/kvm-cirrus-stop-passing-around-dst-pointers-in-the-blitt.patch
index 2425a76..35b9eb0 100644
--- a/SOURCES/kvm-cirrus-stop-passing-around-dst-pointers-in-the-blitt.patch
+++ b/SOURCES/kvm-cirrus-stop-passing-around-dst-pointers-in-the-blitt.patch
@@ -1,16 +1,16 @@
-From c4928f394f862c78024f4dccb6ea1398dc743c49 Mon Sep 17 00:00:00 2001
+From f0327afe876acff27221cdeead1aca0444364133 Mon Sep 17 00:00:00 2001
 From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Tue, 21 Mar 2017 09:58:05 +0100
+Date: Mon, 27 Mar 2017 10:01:20 +0200
 Subject: [PATCH 5/7] cirrus: stop passing around dst pointers in the blitter
 
 RH-Author: Gerd Hoffmann <kraxel@redhat.com>
-Message-id: <1490090287-1503-6-git-send-email-kraxel@redhat.com>
-Patchwork-id: 74421
-O-Subject: [RHEL-7.4 qemu-kvm PATCH 5/7] cirrus: stop passing around dst pointers in the blitter
-Bugzilla: 1430059
+Message-id: <1490608882-10242-6-git-send-email-kraxel@redhat.com>
+Patchwork-id: 74550
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v2 5/7] cirrus: stop passing around dst pointers in the blitter
+Bugzilla: 1430060
 RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
 RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
-RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
 
 Instead pass around the address (aka offset into vga memory).  Calculate
 the pointer in the rop_* functions, after applying the mask to the
diff --git a/SOURCES/kvm-cirrus-stop-passing-around-src-pointers-in-the-blitt.patch b/SOURCES/kvm-cirrus-stop-passing-around-src-pointers-in-the-blitt.patch
index 29837cc..d3f34c1 100644
--- a/SOURCES/kvm-cirrus-stop-passing-around-src-pointers-in-the-blitt.patch
+++ b/SOURCES/kvm-cirrus-stop-passing-around-src-pointers-in-the-blitt.patch
@@ -1,16 +1,16 @@
-From d29af2a00b6126d2c3af535d128beeb80216c197 Mon Sep 17 00:00:00 2001
+From cc965429746aac94b7c37991f676dcd323ef212d Mon Sep 17 00:00:00 2001
 From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Tue, 21 Mar 2017 09:58:06 +0100
+Date: Mon, 27 Mar 2017 10:01:21 +0200
 Subject: [PATCH 6/7] cirrus: stop passing around src pointers in the blitter
 
 RH-Author: Gerd Hoffmann <kraxel@redhat.com>
-Message-id: <1490090287-1503-7-git-send-email-kraxel@redhat.com>
-Patchwork-id: 74417
-O-Subject: [RHEL-7.4 qemu-kvm PATCH 6/7] cirrus: stop passing around src pointers in the blitter
-Bugzilla: 1430059
+Message-id: <1490608882-10242-7-git-send-email-kraxel@redhat.com>
+Patchwork-id: 74549
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v2 6/7] cirrus: stop passing around src pointers in the blitter
+Bugzilla: 1430060
 RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
 RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
-RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
 
 Does basically the same as "cirrus: stop passing around dst pointers in
 the blitter", just for the src pointer instead of the dst pointer.
diff --git a/SOURCES/kvm-cirrus-vnc-zap-bitblit-support-from-console-code.patch b/SOURCES/kvm-cirrus-vnc-zap-bitblit-support-from-console-code.patch
index 854e932..87006bf 100644
--- a/SOURCES/kvm-cirrus-vnc-zap-bitblit-support-from-console-code.patch
+++ b/SOURCES/kvm-cirrus-vnc-zap-bitblit-support-from-console-code.patch
@@ -1,16 +1,16 @@
-From de457fc23e747a0c622e0fd23e49893c1f1da460 Mon Sep 17 00:00:00 2001
+From 9bd81fb917c9ac22055e0dc7b3a89a22d5cfbfc1 Mon Sep 17 00:00:00 2001
 From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Tue, 21 Mar 2017 09:58:02 +0100
+Date: Mon, 27 Mar 2017 10:01:17 +0200
 Subject: [PATCH 2/7] cirrus/vnc: zap bitblit support from console code.
 
 RH-Author: Gerd Hoffmann <kraxel@redhat.com>
-Message-id: <1490090287-1503-3-git-send-email-kraxel@redhat.com>
-Patchwork-id: 74418
-O-Subject: [RHEL-7.4 qemu-kvm PATCH 2/7] cirrus/vnc: zap bitblit support from console code.
-Bugzilla: 1430059
+Message-id: <1490608882-10242-3-git-send-email-kraxel@redhat.com>
+Patchwork-id: 74554
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v2 2/7] cirrus/vnc: zap bitblit support from console code.
+Bugzilla: 1430060
 RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
 RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
-RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
 
 There is a special code path (dpy_gfx_copy) to allow graphic emulation
 notify user interface code about bitblit operations carryed out by
@@ -51,11 +51,11 @@ Conflicts:
 	include/ui/console.h
 	ui/vnc.c
 ---
- hw/display/cirrus_vga.c | 12 ++-----
+ hw/display/cirrus_vga.c | 12 ++----
  include/ui/console.h    |  7 ----
- ui/console.c            | 28 ---------------
- ui/vnc.c                | 96 -------------------------------------------------
- 4 files changed, 3 insertions(+), 140 deletions(-)
+ ui/console.c            | 28 --------------
+ ui/vnc.c                | 99 -------------------------------------------------
+ 4 files changed, 3 insertions(+), 143 deletions(-)
 
 diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
 index 1b972db..83cef70 100644
@@ -165,7 +165,7 @@ index d422083..fb08ec0 100644
  {
      return console->surface;
 diff --git a/ui/vnc.c b/ui/vnc.c
-index a0e2d33..c7a7853 100644
+index b68918e..1834db0 100644
 --- a/ui/vnc.c
 +++ b/ui/vnc.c
 @@ -417,7 +417,6 @@ out_error:
@@ -176,7 +176,7 @@ index a0e2d33..c7a7853 100644
  static void vnc_disconnect_start(VncState *vs);
  
  static void vnc_colordepth(VncState *vs);
-@@ -721,93 +720,6 @@ int vnc_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
+@@ -728,96 +727,6 @@ int vnc_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
      return n;
  }
  
@@ -228,11 +228,12 @@ index a0e2d33..c7a7853 100644
 -        y = dst_y + h - 1;
 -        inc = -1;
 -    }
--    w_lim = w - (16 - (dst_x % 16));
--    if (w_lim < 0)
+-    w_lim = w - (VNC_DIRTY_PIXELS_PER_BIT - (dst_x % VNC_DIRTY_PIXELS_PER_BIT));
+-    if (w_lim < 0) {
 -        w_lim = w;
--    else
--        w_lim = w - (w_lim % 16);
+-    } else {
+-        w_lim = w - (w_lim % VNC_DIRTY_PIXELS_PER_BIT);
+-    }
 -    for (i = 0; i < h; i++) {
 -        for (x = 0; x <= w_lim;
 -                x += s, src_row += cmp_bytes, dst_row += cmp_bytes) {
@@ -240,10 +241,11 @@ index a0e2d33..c7a7853 100644
 -                if ((s = w - w_lim) == 0)
 -                    break;
 -            } else if (!x) {
--                s = (16 - (dst_x % 16));
+-                s = (VNC_DIRTY_PIXELS_PER_BIT -
+-                    (dst_x % VNC_DIRTY_PIXELS_PER_BIT));
 -                s = MIN(s, w_lim);
 -            } else {
--                s = 16;
+-                s = VNC_DIRTY_PIXELS_PER_BIT;
 -            }
 -            cmp_bytes = s * VNC_SERVER_FB_BYTES;
 -            if (memcmp(src_row, dst_row, cmp_bytes) == 0)
@@ -251,7 +253,8 @@ index a0e2d33..c7a7853 100644
 -            memmove(dst_row, src_row, cmp_bytes);
 -            QTAILQ_FOREACH(vs, &vd->clients, next) {
 -                if (!vnc_has_feature(vs, VNC_FEATURE_COPYRECT)) {
--                    set_bit(((x + dst_x) / 16), vs->dirty[y]);
+-                    set_bit(((x + dst_x) / VNC_DIRTY_PIXELS_PER_BIT),
+-                            vs->dirty[y]);
 -                }
 -            }
 -        }
@@ -270,7 +273,7 @@ index a0e2d33..c7a7853 100644
  static void vnc_mouse_set(DisplayChangeListener *dcl,
                            int x, int y, int visible)
  {
-@@ -873,13 +785,6 @@ static int find_and_clear_dirty_height(struct VncState *vs,
+@@ -883,13 +792,6 @@ static int find_and_clear_dirty_height(struct VncState *vs,
      return h;
  }
  
@@ -284,7 +287,7 @@ index a0e2d33..c7a7853 100644
  static int vnc_update_client(VncState *vs, int has_dirty)
  {
      if (vs->need_update && vs->csock != -1) {
-@@ -2912,7 +2817,6 @@ static void vnc_listen_websocket_read(void *opaque)
+@@ -2936,7 +2838,6 @@ static void vnc_listen_websocket_read(void *opaque)
  static const DisplayChangeListenerOps dcl_ops = {
      .dpy_name          = "vnc",
      .dpy_refresh       = vnc_refresh,
diff --git a/SOURCES/kvm-cirrus_vga-fix-off-by-one-in-blit_region_is_unsafe.patch b/SOURCES/kvm-cirrus_vga-fix-off-by-one-in-blit_region_is_unsafe.patch
index 5b0accf..fb66656 100644
--- a/SOURCES/kvm-cirrus_vga-fix-off-by-one-in-blit_region_is_unsafe.patch
+++ b/SOURCES/kvm-cirrus_vga-fix-off-by-one-in-blit_region_is_unsafe.patch
@@ -1,13 +1,13 @@
-From 900ccf5cf6497234e1d3b1e80f4dfa8a60bcfb06 Mon Sep 17 00:00:00 2001
+From 8d230a5a57512c84545bd6345775e69b4b3b1983 Mon Sep 17 00:00:00 2001
 From: Gerd Hoffmann <kraxel@redhat.com>
 Date: Tue, 7 Feb 2017 10:07:46 +0100
-Subject: [PATCH 2/8] cirrus_vga: fix off-by-one in blit_region_is_unsafe
+Subject: [PATCH 03/11] cirrus_vga: fix off-by-one in blit_region_is_unsafe
 
 RH-Author: Gerd Hoffmann <kraxel@redhat.com>
 Message-id: <1486462072-32174-2-git-send-email-kraxel@redhat.com>
 Patchwork-id: 73564
 O-Subject: [RHEL-7.4 qemu-kvm PATCH 1/7] cirrus_vga: fix off-by-one in blit_region_is_unsafe
-Bugzilla: 1418232
+Bugzilla: 1418233
 RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
 RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
 RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
diff --git a/SOURCES/kvm-display-cirrus-check-vga-bits-per-pixel-bpp-value.patch b/SOURCES/kvm-display-cirrus-check-vga-bits-per-pixel-bpp-value.patch
index 569f78a..e3cbced 100644
--- a/SOURCES/kvm-display-cirrus-check-vga-bits-per-pixel-bpp-value.patch
+++ b/SOURCES/kvm-display-cirrus-check-vga-bits-per-pixel-bpp-value.patch
@@ -1,13 +1,13 @@
-From e0ec8bdaf64a147c83334ae6f59e279c4560d01b Mon Sep 17 00:00:00 2001
+From 4394f52159cec32cded60ec8f86cd4b92a85bfe5 Mon Sep 17 00:00:00 2001
 From: Gerd Hoffmann <kraxel@redhat.com>
 Date: Tue, 7 Feb 2017 10:07:47 +0100
-Subject: [PATCH 3/8] display: cirrus: check vga bits per pixel(bpp) value
+Subject: [PATCH 04/11] display: cirrus: check vga bits per pixel(bpp) value
 
 RH-Author: Gerd Hoffmann <kraxel@redhat.com>
 Message-id: <1486462072-32174-3-git-send-email-kraxel@redhat.com>
 Patchwork-id: 73568
 O-Subject: [RHEL-7.4 qemu-kvm PATCH 2/7] display: cirrus: check vga bits per pixel(bpp) value
-Bugzilla: 1418232
+Bugzilla: 1418233
 RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
 RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
 RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
diff --git a/SOURCES/kvm-display-cirrus-ignore-source-pitch-value-as-needed-i.patch b/SOURCES/kvm-display-cirrus-ignore-source-pitch-value-as-needed-i.patch
index eeaf45f..a61d958 100644
--- a/SOURCES/kvm-display-cirrus-ignore-source-pitch-value-as-needed-i.patch
+++ b/SOURCES/kvm-display-cirrus-ignore-source-pitch-value-as-needed-i.patch
@@ -1,14 +1,14 @@
-From 3178cae91f9fc3ddd025f1daa415b74ed387b6ca Mon Sep 17 00:00:00 2001
+From 23ae0a2bec72997626c3ba834f036b9a3626eedc Mon Sep 17 00:00:00 2001
 From: Gerd Hoffmann <kraxel@redhat.com>
 Date: Tue, 7 Feb 2017 10:07:48 +0100
-Subject: [PATCH 4/8] display: cirrus: ignore source pitch value as needed in
+Subject: [PATCH 05/11] display: cirrus: ignore source pitch value as needed in
  blit_is_unsafe
 
 RH-Author: Gerd Hoffmann <kraxel@redhat.com>
 Message-id: <1486462072-32174-4-git-send-email-kraxel@redhat.com>
 Patchwork-id: 73563
 O-Subject: [RHEL-7.4 qemu-kvm PATCH 3/7] display: cirrus: ignore source pitch value as needed in blit_is_unsafe
-Bugzilla: 1418232
+Bugzilla: 1418233
 RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
 RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
 RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
diff --git a/SOURCES/kvm-fix-cirrus_vga-fix-OOB-read-case-qemu-Segmentation-f.patch b/SOURCES/kvm-fix-cirrus_vga-fix-OOB-read-case-qemu-Segmentation-f.patch
index a8641a6..7c32197 100644
--- a/SOURCES/kvm-fix-cirrus_vga-fix-OOB-read-case-qemu-Segmentation-f.patch
+++ b/SOURCES/kvm-fix-cirrus_vga-fix-OOB-read-case-qemu-Segmentation-f.patch
@@ -1,16 +1,16 @@
-From d27fae125c1efd59ba3263260d41f8e054b070a2 Mon Sep 17 00:00:00 2001
+From f9b9adc4b66f991e655f51f2ef67dac46f6bd7d4 Mon Sep 17 00:00:00 2001
 From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Tue, 21 Mar 2017 09:58:01 +0100
+Date: Mon, 27 Mar 2017 10:01:16 +0200
 Subject: [PATCH 1/7] fix :cirrus_vga fix OOB read case qemu Segmentation fault
 
 RH-Author: Gerd Hoffmann <kraxel@redhat.com>
-Message-id: <1490090287-1503-2-git-send-email-kraxel@redhat.com>
-Patchwork-id: 74419
-O-Subject: [RHEL-7.4 qemu-kvm PATCH 1/7] fix :cirrus_vga fix OOB read case qemu Segmentation fault
-Bugzilla: 1430059
+Message-id: <1490608882-10242-2-git-send-email-kraxel@redhat.com>
+Patchwork-id: 74553
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v2 1/7] fix :cirrus_vga fix OOB read case qemu Segmentation fault
+Bugzilla: 1430060
 RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
 RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
-RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
 
 From: hangaohuai <hangaohuai@huawei.com>
 
diff --git a/SOURCES/kvm-gluster-Correctly-propagate-errors-when-volume-isn-t.patch b/SOURCES/kvm-gluster-Correctly-propagate-errors-when-volume-isn-t.patch
new file mode 100644
index 0000000..92eeffb
--- /dev/null
+++ b/SOURCES/kvm-gluster-Correctly-propagate-errors-when-volume-isn-t.patch
@@ -0,0 +1,75 @@
+From 22e47c104ff73885357a0be7b94270f3955427ea Mon Sep 17 00:00:00 2001
+From: Jeffrey Cody <jcody@redhat.com>
+Date: Tue, 17 Jan 2017 19:51:31 +0100
+Subject: [PATCH 2/3] gluster: Correctly propagate errors when volume isn't
+ accessible
+
+RH-Author: Jeffrey Cody <jcody@redhat.com>
+Message-id: <963a714d4eae919df79e2031e02c77af5a8697e2.1484682588.git.jcody@redhat.com>
+Patchwork-id: 73256
+O-Subject: [RHEL-7.4 qemu-kvm 2/3] gluster: Correctly propagate errors when volume isn't accessible
+Bugzilla: 1151859
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Fam Zheng <famz@redhat.com>
+RH-Acked-by: Thomas Huth <thuth@redhat.com>
+
+From: Peter Krempa <pkrempa@redhat.com>
+
+The docs for glfs_init suggest that the function sets errno on every
+failure. In fact it doesn't. As other functions such as
+qemu_gluster_open() in the gluster block code report their errors based
+on this fact we need to make sure that errno is set on each failure.
+
+This fixes a crash of qemu-img/qemu when a gluster brick isn't
+accessible from given host while the server serving the volume
+description is.
+
+Thread 1 (Thread 0x7ffff7fba740 (LWP 203880)):
+ #0  0x00007ffff77673f8 in glfs_lseek () from /usr/lib64/libgfapi.so.0
+ #1  0x0000555555574a68 in qemu_gluster_getlength ()
+ #2  0x0000555555565742 in refresh_total_sectors ()
+ #3  0x000055555556914f in bdrv_open_common ()
+ #4  0x000055555556e8e8 in bdrv_open ()
+ #5  0x000055555556f02f in bdrv_open_image ()
+ #6  0x000055555556e5f6 in bdrv_open ()
+ #7  0x00005555555c5775 in bdrv_new_open ()
+ #8  0x00005555555c5b91 in img_info ()
+ #9  0x00007ffff62c9c05 in __libc_start_main () from /lib64/libc.so.6
+ #10 0x00005555555648ad in _start ()
+
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+(cherry picked from commit 4557117d9eed8cadc360aec23b42fc39a7011864)
+Signed-off-by: Jeff Cody <jcody@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ block/gluster.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/block/gluster.c b/block/gluster.c
+index 248a031..5266dce 100644
+--- a/block/gluster.c
++++ b/block/gluster.c
+@@ -224,6 +224,11 @@ static struct glfs *qemu_gluster_init(GlusterConf *gconf, const char *filename,
+                          "volume=%s image=%s transport=%s", gconf->server,
+                          gconf->port, gconf->volname, gconf->image,
+                          gconf->transport);
++
++        /* glfs_init sometimes doesn't set errno although docs suggest that */
++        if (errno == 0)
++            errno = EINVAL;
++
+         goto out;
+     }
+     return glfs;
+@@ -484,7 +489,7 @@ static int qemu_gluster_create(const char *filename,
+ 
+     glfs = qemu_gluster_init(gconf, filename, errp);
+     if (!glfs) {
+-        ret = -EINVAL;
++        ret = -errno;
+         goto out;
+     }
+ 
+-- 
+1.8.3.1
+
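Review bot: The `errno` fallback added in `qemu_gluster_init` runs after the arguments of the preceding error call were already evaluated, so when `glfs_init` leaves `errno` at 0 the caller gets `-EINVAL` but the message stored in `errp` is still built from 0. Judging by the sibling patch kvm-gluster-correctly-propagate-errors.patch in this commit, that call is `error_setg_errno(errp, errno, ...)`. Moving the fix-up above it, written with braces as `if (errno == 0) { errno = EINVAL; }`, keeps the message and the return code in agreement. Whether `errno` is cleared before `glfs_init` is not visible here; if it is not, a stale value from an earlier call can be reported, and `errno = 0;` before the call would rule that out. The function body starts and ends outside the hunk.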
diff --git a/SOURCES/kvm-gluster-correctly-propagate-errors.patch b/SOURCES/kvm-gluster-correctly-propagate-errors.patch
new file mode 100644
index 0000000..0ab585f
--- /dev/null
+++ b/SOURCES/kvm-gluster-correctly-propagate-errors.patch
@@ -0,0 +1,111 @@
+From 582eb6c9eef89809283e8d79b3f39e1ae9eeb64a Mon Sep 17 00:00:00 2001
+From: Jeffrey Cody <jcody@redhat.com>
+Date: Tue, 17 Jan 2017 19:51:30 +0100
+Subject: [PATCH 1/3] gluster: correctly propagate errors
+
+RH-Author: Jeffrey Cody <jcody@redhat.com>
+Message-id: <9299039bbb1797e4e61cdc8b4be062efeb152abb.1484682588.git.jcody@redhat.com>
+Patchwork-id: 73254
+O-Subject: [RHEL-7.4 qemu-kvm 1/3] gluster: correctly propagate errors
+Bugzilla: 1151859
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Fam Zheng <famz@redhat.com>
+RH-Acked-by: Thomas Huth <thuth@redhat.com>
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Reviewed-by: Fam Zheng <famz@redhat.com>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+(cherry picked from commit a7451cb850d115f257080aff3fbc54f255ebf8f7)
+Signed-off-by: Jeff Cody <jcody@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ block/gluster.c | 29 +++++++++++++++--------------
+ 1 file changed, 15 insertions(+), 14 deletions(-)
+
+diff --git a/block/gluster.c b/block/gluster.c
+index 1793386..248a031 100644
+--- a/block/gluster.c
++++ b/block/gluster.c
+@@ -182,7 +182,8 @@ out:
+     return ret;
+ }
+ 
+-static struct glfs *qemu_gluster_init(GlusterConf *gconf, const char *filename)
++static struct glfs *qemu_gluster_init(GlusterConf *gconf, const char *filename,
++                                      Error **errp)
+ {
+     struct glfs *glfs = NULL;
+     int ret;
+@@ -190,8 +191,8 @@ static struct glfs *qemu_gluster_init(GlusterConf *gconf, const char *filename)
+ 
+     ret = qemu_gluster_parseuri(gconf, filename);
+     if (ret < 0) {
+-        error_report("Usage: file=gluster[+transport]://[server[:port]]/"
+-            "volname/image[?socket=...]");
++        error_setg(errp, "Usage: file=gluster[+transport]://[server[:port]]/"
++                   "volname/image[?socket=...]");
+         errno = -ret;
+         goto out;
+     }
+@@ -218,9 +219,11 @@ static struct glfs *qemu_gluster_init(GlusterConf *gconf, const char *filename)
+ 
+     ret = glfs_init(glfs);
+     if (ret) {
+-        error_report("Gluster connection failed for server=%s port=%d "
+-             "volume=%s image=%s transport=%s", gconf->server, gconf->port,
+-             gconf->volname, gconf->image, gconf->transport);
++        error_setg_errno(errp, errno,
++                         "Gluster connection failed for server=%s port=%d "
++                         "volume=%s image=%s transport=%s", gconf->server,
++                         gconf->port, gconf->volname, gconf->image,
++                         gconf->transport);
+         goto out;
+     }
+     return glfs;
+@@ -328,17 +331,15 @@ static int qemu_gluster_open(BlockDriverState *bs,  QDict *options,
+ 
+     opts = qemu_opts_create_nofail(&runtime_opts);
+     qemu_opts_absorb_qdict(opts, options, &local_err);
+-    if (error_is_set(&local_err)) {
+-        qerror_report_err(local_err);
+-        error_free(local_err);
++    if (local_err) {
++        error_propagate(errp, local_err);
+         ret = -EINVAL;
+         goto out;
+     }
+ 
+     filename = qemu_opt_get(opts, "filename");
+ 
+-
+-    s->glfs = qemu_gluster_init(gconf, filename);
++    s->glfs = qemu_gluster_init(gconf, filename, errp);
+     if (!s->glfs) {
+         ret = -errno;
+         goto out;
+@@ -406,7 +407,7 @@ static int qemu_gluster_reopen_prepare(BDRVReopenState *state,
+ 
+     gconf = g_malloc0(sizeof(GlusterConf));
+ 
+-    reop_s->glfs = qemu_gluster_init(gconf, state->bs->filename);
++    reop_s->glfs = qemu_gluster_init(gconf, state->bs->filename, errp);
+     if (reop_s->glfs == NULL) {
+         ret = -errno;
+         goto exit;
+@@ -481,9 +482,9 @@ static int qemu_gluster_create(const char *filename,
+     int64_t total_size = 0;
+     GlusterConf *gconf = g_malloc0(sizeof(GlusterConf));
+ 
+-    glfs = qemu_gluster_init(gconf, filename);
++    glfs = qemu_gluster_init(gconf, filename, errp);
+     if (!glfs) {
+-        ret = -errno;
++        ret = -EINVAL;
+         goto out;
+     }
+ 
+-- 
+1.8.3.1
+
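Review bot: Callers of `qemu_gluster_init` now hand their `errp` down and report nothing themselves, so every `goto out` inside the function has to set `errp`; only the URI-parse and `glfs_init` failures are shown doing so. The lines between those two hunks are not visible, so this needs confirming: if another failure exit there jumps to `out` silently, `qemu_gluster_open` and `qemu_gluster_reopen_prepare` return `-errno` with `*errp` unset, and a zero `errno` could make that look like success while the `glfs` pointer is NULL. An `error_setg_errno(errp, errno, ...)` on each such exit would close the gap.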
diff --git a/SOURCES/kvm-hw-i386-regenerate-checked-in-AML-payload-RHEL-only.patch b/SOURCES/kvm-hw-i386-regenerate-checked-in-AML-payload-RHEL-only.patch
index d60e538..e591156 100644
--- a/SOURCES/kvm-hw-i386-regenerate-checked-in-AML-payload-RHEL-only.patch
+++ b/SOURCES/kvm-hw-i386-regenerate-checked-in-AML-payload-RHEL-only.patch
@@ -1,13 +1,13 @@
-From 4f55d2d2f6efdce59440b57726f09578b8692158 Mon Sep 17 00:00:00 2001
+From 436e7a406724efa98d05d4c32cae027f31a66033 Mon Sep 17 00:00:00 2001
 From: Laszlo Ersek <lersek@redhat.com>
-Date: Fri, 23 Sep 2016 14:39:35 +0200
-Subject: [PATCH 2/3] hw/i386: regenerate checked-in AML payload (RHEL only)
+Date: Fri, 23 Sep 2016 14:39:35 -0300
+Subject: [PATCH 1/2] hw/i386: regenerate checked-in AML payload (RHEL only)
 
 RH-Author: Laszlo Ersek <lersek@redhat.com>
 Message-id: <20160923143936.25594-2-lersek@redhat.com>
 Patchwork-id: 72414
 O-Subject: [RHEL-7.3 qemu-kvm PATCH 1/2] hw/i386: regenerate checked-in AML payload (RHEL only)
-Bugzilla: 1392027
+Bugzilla: 1377087
 RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
 RH-Acked-by: Michael S. Tsirkin <mst@redhat.com>
 RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
@@ -24,7 +24,7 @@ switch the build to them. I actually verified this in a RHEL-7 guest, with
 remained identical across this change.
 
 Signed-off-by: Laszlo Ersek <lersek@redhat.com>
-Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
 ---
  hw/i386/acpi-dsdt.hex.generated     |  8 ++++----
  hw/i386/q35-acpi-dsdt.hex.generated |  8 ++++----
diff --git a/SOURCES/kvm-i386-kvmvapic-initialise-imm32-variable.patch b/SOURCES/kvm-i386-kvmvapic-initialise-imm32-variable.patch
new file mode 100644
index 0000000..f8919b6
--- /dev/null
+++ b/SOURCES/kvm-i386-kvmvapic-initialise-imm32-variable.patch
@@ -0,0 +1,46 @@
+From edb9059eb8f42f892d67df324eeb0098c05d1f4a Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Tue, 28 Feb 2017 12:07:54 +0100
+Subject: [PATCH 09/24] i386: kvmvapic: initialise imm32 variable
+
+RH-Author: Paolo Bonzini <pbonzini@redhat.com>
+Message-id: <20170228120754.16073-1-pbonzini@redhat.com>
+Patchwork-id: 74089
+O-Subject: [RHEL7.4 qemu-kvm PATCH] i386: kvmvapic: initialise imm32 variable
+Bugzilla: 1335751
+RH-Acked-by: David Hildenbrand <david@redhat.com>
+RH-Acked-by: Thomas Huth <thuth@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+When processing Task Priorty Register(TPR) access, it could leak
+automatic stack variable 'imm32' in patch_instruction().
+Initialise the variable to avoid it.
+
+Reported by: Donghai Zdh <donghai.zdh@alibaba-inc.com>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-Id: <1460013608-16670-1-git-send-email-ppandit@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 691a02e2ce0c413236a78dee6f2651c937b09fb0)
+
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ hw/i386/kvmvapic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/i386/kvmvapic.c b/hw/i386/kvmvapic.c
+index 577ae64..a5dd9dd 100644
+--- a/hw/i386/kvmvapic.c
++++ b/hw/i386/kvmvapic.c
+@@ -390,7 +390,7 @@ static void patch_instruction(VAPICROMState *s, X86CPU *cpu, target_ulong ip)
+     CPUX86State *env = &cpu->env;
+     VAPICHandlers *handlers;
+     uint8_t opcode[2];
+-    uint32_t imm32;
++    uint32_t imm32 = 0;
+     target_ulong current_pc = 0;
+     target_ulong current_cs_base = 0;
+     int current_flags = 0;
+-- 
+1.8.3.1
+
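Review bot: The new initialiser `uint32_t imm32 = 0;` has no comment saying why it is needed, and a bare zero initialiser is the kind of line a later cleanup removes as redundant. Per the patch description, some path in `patch_instruction()` uses `imm32` without an immediate having been read into it, which would expose stale stack bytes. A comment such as `/* not every patched opcode loads an immediate; keep stale stack bytes from leaking */` next to the declaration records that. The body of `patch_instruction()` continues outside the hunk, so which opcode cases leave the variable unset cannot be confirmed from here.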
diff --git a/SOURCES/kvm-ide-fix-halted-IO-segfault-at-reset.patch b/SOURCES/kvm-ide-fix-halted-IO-segfault-at-reset.patch
index b558bdf..1fe27a1 100644
--- a/SOURCES/kvm-ide-fix-halted-IO-segfault-at-reset.patch
+++ b/SOURCES/kvm-ide-fix-halted-IO-segfault-at-reset.patch
@@ -1,15 +1,15 @@
-From 4d3c9646213bdf992af4e28eaf0d57610eb79fec Mon Sep 17 00:00:00 2001
+From 4fbb16d71e7e9a893c665926642122b165c63425 Mon Sep 17 00:00:00 2001
 From: John Snow <jsnow@redhat.com>
-Date: Thu, 29 Sep 2016 00:02:14 +0200
-Subject: [PATCH 1/3] ide: fix halted IO segfault at reset
+Date: Wed, 26 Apr 2017 23:49:07 +0200
+Subject: [PATCH] ide: fix halted IO segfault at reset
 
 RH-Author: John Snow <jsnow@redhat.com>
-Message-id: <1475107334-14972-2-git-send-email-jsnow@redhat.com>
-Patchwork-id: 72436
-O-Subject: [RHEL-7.3.z qemu-kvm PATCH 1/1] ide: fix halted IO segfault at reset
-Bugzilla: 1393042
-RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+Message-id: <20170426234907.21151-2-jsnow@redhat.com>
+Patchwork-id: 74905
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v2 1/1] ide: fix halted IO segfault at reset
+Bugzilla: 1299875
 RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
 RH-Acked-by: Markus Armbruster <armbru@redhat.com>
 
 If one attempts to perform a system_reset after a failed IO request
diff --git a/SOURCES/kvm-iotests-Filter-for-Killed-in-qemu-io-output.patch b/SOURCES/kvm-iotests-Filter-for-Killed-in-qemu-io-output.patch
new file mode 100644
index 0000000..ab7ff1e
--- /dev/null
+++ b/SOURCES/kvm-iotests-Filter-for-Killed-in-qemu-io-output.patch
@@ -0,0 +1,44 @@
+From 27158eec51a5a443d9ae9a7b565b40b749f6f41b Mon Sep 17 00:00:00 2001
+From: Max Reitz <mreitz@redhat.com>
+Date: Mon, 13 Mar 2017 17:46:45 +0100
+Subject: [PATCH 14/24] iotests: Filter for "Killed" in qemu-io output
+
+RH-Author: Max Reitz <mreitz@redhat.com>
+Message-id: <20170313174649.28932-1-mreitz@redhat.com>
+Patchwork-id: 74276
+O-Subject: [RHEL-7.4 qemu-kvm PATCH 5/9] iotests: Filter for "Killed" in qemu-io output
+Bugzilla: 1427176
+RH-Acked-by: Fam Zheng <famz@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
+
+_filter_qemu_io already filters out the process ID when qemu-io is
+aborted; the same should be done when it is killed.
+
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+Reviewed-by: Fam Zheng <famz@redhat.com>
+Message-id: 1418032092-16813-3-git-send-email-mreitz@redhat.com
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+(cherry picked from commit 9e0c3e8df5d1b12517d587d60b2fe587ea252ebe)
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ tests/qemu-iotests/common.filter | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/qemu-iotests/common.filter b/tests/qemu-iotests/common.filter
+index dcd246d..041e001 100644
+--- a/tests/qemu-iotests/common.filter
++++ b/tests/qemu-iotests/common.filter
+@@ -150,7 +150,7 @@ _filter_win32()
+ _filter_qemu_io()
+ {
+     _filter_win32 | sed -e "s/[0-9]* ops\; [0-9/:. sec]* ([0-9/.inf]* [EPTGMKiBbytes]*\/sec and [0-9/.inf]* ops\/sec)/X ops\; XX:XX:XX.X (XXX YYY\/sec and XXX ops\/sec)/" \
+-        -e "s/: line [0-9][0-9]*:  *[0-9][0-9]*\( Aborted\)/:\1/" \
++        -e "s/: line [0-9][0-9]*:  *[0-9][0-9]*\( Aborted\| Killed\)/:\1/" \
+         -e "s/qemu-io> //g"
+ }
+ 
+-- 
+1.8.3.1
+
diff --git a/SOURCES/kvm-iotests-Fix-test-039.patch b/SOURCES/kvm-iotests-Fix-test-039.patch
new file mode 100644
index 0000000..4dc4c38
--- /dev/null
+++ b/SOURCES/kvm-iotests-Fix-test-039.patch
@@ -0,0 +1,116 @@
+From 5eef8556fa85c070a242f93b675e7fb8e24a2fa0 Mon Sep 17 00:00:00 2001
+From: Max Reitz <mreitz@redhat.com>
+Date: Mon, 13 Mar 2017 17:46:56 +0100
+Subject: [PATCH 15/24] iotests: Fix test 039
+
+RH-Author: Max Reitz <mreitz@redhat.com>
+Message-id: <20170313174659.29164-1-mreitz@redhat.com>
+Patchwork-id: 74277
+O-Subject: [RHEL-7.4 qemu-kvm PATCH 6/9] iotests: Fix test 039
+Bugzilla: 1427176
+RH-Acked-by: Fam Zheng <famz@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
+
+Test 039 used qemu-io -c abort for simulating a qemu crash; however,
+abort() generally results in a core dump and ulimit -c 0 is no reliable
+way of preventing that. Use "sigraise $(kill -l KILL)" instead to have
+it crash without a core dump.
+
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+Reviewed-by: Fam Zheng <famz@redhat.com>
+Message-id: 1418032092-16813-4-git-send-email-mreitz@redhat.com
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+(cherry picked from commit 3f394472c5bca59de5cab9baafdff1984b0213a3)
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ tests/qemu-iotests/039     | 18 +++++++++++++-----
+ tests/qemu-iotests/039.out |  6 +++---
+ 2 files changed, 16 insertions(+), 8 deletions(-)
+
+diff --git a/tests/qemu-iotests/039 b/tests/qemu-iotests/039
+index 1e50651..ac85476 100755
+--- a/tests/qemu-iotests/039
++++ b/tests/qemu-iotests/039
+@@ -46,9 +46,11 @@ _supported_proto generic
+ _supported_os Linux
+ _unsupported_qemu_io_options --nocache
+ 
+-_no_dump_exec()
++_subshell_exec()
+ {
+-    (ulimit -c 0; exec "$@")
++    # Executing crashing commands in a subshell prevents information like the
++    # "Killed" line from being lost
++    (exec "$@")
+ }
+ 
+ size=128M
+@@ -71,7 +73,9 @@ echo "== Creating a dirty image file =="
+ IMGOPTS="compat=1.1,lazy_refcounts=on"
+ _make_test_img $size
+ 
+-_no_dump_exec $QEMU_IO -c "write -P 0x5a 0 512" -c "abort" "$TEST_IMG" 2>&1 | _filter_qemu_io
++_subshell_exec $QEMU_IO -c "write -P 0x5a 0 512" \
++                        -c "sigraise $(kill -l KILL)" "$TEST_IMG" 2>&1 \
++    | _filter_qemu_io
+ 
+ # The dirty bit must be set
+ ./qcow2.py "$TEST_IMG" dump-header | grep incompatible_features
+@@ -104,7 +108,9 @@ echo "== Opening a dirty image read/write should repair it =="
+ IMGOPTS="compat=1.1,lazy_refcounts=on"
+ _make_test_img $size
+ 
+-_no_dump_exec $QEMU_IO -c "write -P 0x5a 0 512" -c "abort" "$TEST_IMG" 2>&1 | _filter_qemu_io
++_subshell_exec $QEMU_IO -c "write -P 0x5a 0 512" \
++                        -c "sigraise $(kill -l KILL)" "$TEST_IMG" 2>&1 \
++    | _filter_qemu_io
+ 
+ # The dirty bit must be set
+ ./qcow2.py "$TEST_IMG" dump-header | grep incompatible_features
+@@ -120,7 +126,9 @@ echo "== Creating an image file with lazy_refcounts=off =="
+ IMGOPTS="compat=1.1,lazy_refcounts=off"
+ _make_test_img $size
+ 
+-_no_dump_exec $QEMU_IO -c "write -P 0x5a 0 512" -c "abort" "$TEST_IMG" 2>&1 | _filter_qemu_io
++_subshell_exec $QEMU_IO -c "write -P 0x5a 0 512" \
++                        -c "sigraise $(kill -l KILL)" "$TEST_IMG" 2>&1 \
++    | _filter_qemu_io
+ 
+ # The dirty bit must not be set since lazy_refcounts=off
+ ./qcow2.py "$TEST_IMG" dump-header | grep incompatible_features
+diff --git a/tests/qemu-iotests/039.out b/tests/qemu-iotests/039.out
+index af62da1..f3fe58b 100644
+--- a/tests/qemu-iotests/039.out
++++ b/tests/qemu-iotests/039.out
+@@ -11,7 +11,7 @@ No errors were found on the image.
+ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=134217728 
+ wrote 512/512 bytes at offset 0
+ 512 bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
+-./039: Aborted                 ( ulimit -c 0; exec "$@" )
++./039: Killed                  ( exec "$@" )
+ incompatible_features     0x1
+ ERROR cluster 5 refcount=0 reference=1
+ ERROR OFLAG_COPIED data cluster: l2_entry=8000000000050000 refcount=0
+@@ -46,7 +46,7 @@ read 512/512 bytes at offset 0
+ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=134217728 
+ wrote 512/512 bytes at offset 0
+ 512 bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
+-./039: Aborted                 ( ulimit -c 0; exec "$@" )
++./039: Killed                  ( exec "$@" )
+ incompatible_features     0x1
+ ERROR cluster 5 refcount=0 reference=1
+ Rebuilding refcount structure
+@@ -60,7 +60,7 @@ incompatible_features     0x0
+ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=134217728 
+ wrote 512/512 bytes at offset 0
+ 512 bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
+-./039: Aborted                 ( ulimit -c 0; exec "$@" )
++./039: Killed                  ( exec "$@" )
+ incompatible_features     0x0
+ No errors were found on the image.
+ *** done
+-- 
+1.8.3.1
+
diff --git a/SOURCES/kvm-memory-Allow-access-only-upto-the-maximum-alignment-.patch b/SOURCES/kvm-memory-Allow-access-only-upto-the-maximum-alignment-.patch
new file mode 100644
index 0000000..0f4df3e
--- /dev/null
+++ b/SOURCES/kvm-memory-Allow-access-only-upto-the-maximum-alignment-.patch
@@ -0,0 +1,169 @@
+From 2ee2492513f9685cb716dc1cb4cf5b580da43e07 Mon Sep 17 00:00:00 2001
+From: Bandan Das <bsd@redhat.com>
+Date: Wed, 25 Jan 2017 03:36:07 +0100
+Subject: [PATCH 01/11] memory: Allow access only upto the maximum alignment
+ for memory_region_* functions
+
+RH-Author: Bandan Das <bsd@redhat.com>
+Message-id: <jpgefzrn74o.fsf@linux.bootlegged.copy>
+Patchwork-id: 73367
+O-Subject: [RHEL-7.4 qemu-kvm PATCH] memory: Allow access only upto the maximum alignment for memory_region_* functions
+Bugzilla: 1342768
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1342768
+Brew: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=12437870
+Upstream: N/A, upstream doesn't exhibit this behavior
+
+Currently, there is no check in memory_region_iorange_* functions for whether
+the size requested is greater than the maximum alignment. This causes
+an abort with a specific version of the Linux kernel (4.7.0-RC1):
+/usr/libexec/qemu-kvm -kernel ~/vmlinuz-4.7.0-rc1 --enable-kvm -m 1G -vnc :2 -monitor stdio
+
+0  0x00007fb057cb65f7 in raise () from /lib64/libc.so.6
+1  0x00007fb057cb7ce8 in abort () from /lib64/libc.so.6
+2  0x00007fb05eca5537 in acpi_gpe_ioport_readb ()
+3  0x00007fb05eca5ff0 in gpe_readb ()
+4  0x00007fb05ede6f4c in memory_region_read_accessor ()
+5  0x00007fb05ede6993 in access_with_adjusted_size ()
+6  0x00007fb05ede7ce8 in memory_region_iorange_read ()
+7  0x00007fb05ede2ac7 in ioport_readl_thunk ()
+8  0x00007fb05ede3141 in cpu_inl ()
+9  0x00007fb05ede5c49 in kvm_cpu_exec ()
+10 0x00007fb05ed98485 in qemu_kvm_cpu_thread_fn ()
+11 0x00007fb05bcc9dc5 in start_thread () from /lib64/libpthread.so.0
+12 0x00007fb057d77ced in clone () from /lib64/libc.so.6
+
+This happens because guest code tries to read(l=4) from 0xafe2
+with GPE base being 0xafe0 which causes the abort in
+acpi_gpe_ioport_get_ptr() to trigger. This change adds a
+memory_access_size() which is similar to the one in upstream that
+forces size to be equal to the maximum alignment if it's greater.
+It also keeps the other checks present in upstream for safety and
+is called from the memory_region_read/write functions before
+calling the call specific access functions.
+
+Signed-off-by: Bandan Das <bsd@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ memory.c | 44 ++++++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 40 insertions(+), 4 deletions(-)
+
+diff --git a/memory.c b/memory.c
+index 7bd6e87..573ecdd 100644
+--- a/memory.c
++++ b/memory.c
+@@ -381,6 +381,33 @@ static const MemoryRegionPortio *find_portio(MemoryRegion *mr, uint64_t offset,
+     return NULL;
+ }
+ 
++static int memory_access_size(MemoryRegion *mr, unsigned l, hwaddr addr)
++{
++  unsigned access_size_max = mr->ops->valid.max_access_size;
++
++  /* Regions are assumed to support 1-4 byte accesses unless
++     otherwise specified.  */
++  if (access_size_max == 0) {
++    access_size_max = 4;
++  }
++
++  /* Bound the maximum access by the alignment of the address.  */
++  if (!mr->ops->impl.unaligned) {
++    unsigned align_size_max = addr & -addr;
++    if (align_size_max != 0 && align_size_max < access_size_max) {
++        access_size_max = align_size_max;
++    }
++  }
++
++  /* Don't attempt accesses larger than the maximum.  */
++  if (l > access_size_max) {
++    l = access_size_max;
++  }
++  l = pow2floor(l);
++
++  return l;
++}
++
+ static void memory_region_iorange_read(IORange *iorange,
+                                        uint64_t offset,
+                                        unsigned width,
+@@ -389,6 +416,7 @@ static void memory_region_iorange_read(IORange *iorange,
+     MemoryRegionIORange *mrio
+         = container_of(iorange, MemoryRegionIORange, iorange);
+     MemoryRegion *mr = mrio->mr;
++    unsigned l;
+ 
+     offset += mrio->offset;
+     if (mr->ops->old_portio) {
+@@ -407,7 +435,8 @@ static void memory_region_iorange_read(IORange *iorange,
+         return;
+     }
+     *data = 0;
+-    access_with_adjusted_size(offset, data, width,
++    l = memory_access_size(mr, width, offset);
++    access_with_adjusted_size(offset, data, l,
+                               mr->ops->impl.min_access_size,
+                               mr->ops->impl.max_access_size,
+                               memory_region_read_accessor, mr);
+@@ -421,6 +450,7 @@ static void memory_region_iorange_write(IORange *iorange,
+     MemoryRegionIORange *mrio
+         = container_of(iorange, MemoryRegionIORange, iorange);
+     MemoryRegion *mr = mrio->mr;
++    unsigned l;
+ 
+     offset += mrio->offset;
+     if (mr->ops->old_portio) {
+@@ -437,7 +467,8 @@ static void memory_region_iorange_write(IORange *iorange,
+         }
+         return;
+     }
+-    access_with_adjusted_size(offset, &data, width,
++    l = memory_access_size(mr, width, offset);
++    access_with_adjusted_size(offset, &data, l,
+                               mr->ops->impl.min_access_size,
+                               mr->ops->impl.max_access_size,
+                               memory_region_write_accessor, mr);
+@@ -850,6 +881,7 @@ static uint64_t memory_region_dispatch_read1(MemoryRegion *mr,
+                                              unsigned size)
+ {
+     uint64_t data = 0;
++    unsigned l;
+ 
+     if (!memory_region_access_valid(mr, addr, size, false)) {
+         return -1U; /* FIXME: better signalling */
+@@ -859,8 +891,9 @@ static uint64_t memory_region_dispatch_read1(MemoryRegion *mr,
+         return mr->ops->old_mmio.read[ctz32(size)](mr->opaque, addr);
+     }
+ 
++    l = memory_access_size(mr, size, addr);
+     /* FIXME: support unaligned access */
+-    access_with_adjusted_size(addr, &data, size,
++    access_with_adjusted_size(addr, &data, l,
+                               mr->ops->impl.min_access_size,
+                               mr->ops->impl.max_access_size,
+                               memory_region_read_accessor, mr);
+@@ -902,6 +935,8 @@ static void memory_region_dispatch_write(MemoryRegion *mr,
+                                          uint64_t data,
+                                          unsigned size)
+ {
++    unsigned l;
++
+     if (!memory_region_access_valid(mr, addr, size, true)) {
+         return; /* FIXME: better signalling */
+     }
+@@ -913,8 +948,9 @@ static void memory_region_dispatch_write(MemoryRegion *mr,
+         return;
+     }
+ 
++    l = memory_access_size(mr, size, addr);
+     /* FIXME: support unaligned access */
+-    access_with_adjusted_size(addr, &data, size,
++    access_with_adjusted_size(addr, &data, l,
+                               mr->ops->impl.min_access_size,
+                               mr->ops->impl.max_access_size,
+                               memory_region_write_accessor, mr);
+-- 
+1.8.3.1
+
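Review bot: `memory_access_size()` is declared to return `int` although it returns the `unsigned l` it computes and every caller in this patch stores the result in `unsigned l`; the signature should read `static unsigned memory_access_size(MemoryRegion *mr, unsigned l, hwaddr addr)`. The four call sites pass the clamped size to `access_with_adjusted_size()` once, so a guest access wider than the alignment allows (the 4-byte read at 0xafe2 from the description) appears to be shortened rather than split. None of the visible lines loop over the remaining bytes. If that truncation is intended, say so at the helper, e.g. `/* Wider accesses are truncated, not split: bytes beyond the returned size are dropped. */`. The helper body is also indented by two spaces while the surrounding hunks use four, and the patched functions continue outside the inner hunks.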
diff --git a/SOURCES/kvm-nbd-Fix-regression-on-resiliency-to-port-scan.patch b/SOURCES/kvm-nbd-Fix-regression-on-resiliency-to-port-scan.patch
index 928ceab..72a0e45 100644
--- a/SOURCES/kvm-nbd-Fix-regression-on-resiliency-to-port-scan.patch
+++ b/SOURCES/kvm-nbd-Fix-regression-on-resiliency-to-port-scan.patch
@@ -1,15 +1,15 @@
-From 8ead1a8129b42b14a6ccddbf4c24535b3cb80209 Mon Sep 17 00:00:00 2001
+From 5bd3c61792fe793b1d42e675b53e47396f4219a3 Mon Sep 17 00:00:00 2001
 From: Eric Blake <eblake@redhat.com>
-Date: Fri, 9 Jun 2017 22:07:15 +0200
-Subject: [PATCH 2/2] nbd: Fix regression on resiliency to port scan
+Date: Fri, 9 Jun 2017 22:04:13 +0200
+Subject: [PATCH 6/6] nbd: Fix regression on resiliency to port scan
 
 RH-Author: Eric Blake <eblake@redhat.com>
-Message-id: <20170609220715.29645-3-eblake@redhat.com>
-Patchwork-id: 75578
-O-Subject: [RHEL-7.3.z qemu-kvm PATCH 2/2] nbd: Fix regression on resiliency to port scan
-Bugzilla: 1460179
+Message-id: <20170609220413.28793-3-eblake@redhat.com>
+Patchwork-id: 75575
+O-Subject: [RHEL-7.4 qemu-kvm PATCH 2/2] nbd: Fix regression on resiliency to port scan
+Bugzilla: 1451614
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
 RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
-RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
 RH-Acked-by: Thomas Huth <thuth@redhat.com>
 
 Back in qemu 2.5, qemu-nbd was immune to port probes (a transient
@@ -52,7 +52,7 @@ Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1451614
 Signed-off-by: Eric Blake <eblake@redhat.com>
 Message-Id: <20170608222617.20376-1-eblake@redhat.com>
 (cherry picked from commit ???)
-https://bugzilla.redhat.com/show_bug.cgi?id=1460179
+https://bugzilla.redhat.com/show_bug.cgi?id=1451614
 Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
 
 Conflicts:
diff --git a/SOURCES/kvm-nbd-Fully-initialize-client-in-case-of-failed-negoti.patch b/SOURCES/kvm-nbd-Fully-initialize-client-in-case-of-failed-negoti.patch
index 765e2e7..17a739e 100644
--- a/SOURCES/kvm-nbd-Fully-initialize-client-in-case-of-failed-negoti.patch
+++ b/SOURCES/kvm-nbd-Fully-initialize-client-in-case-of-failed-negoti.patch
@@ -1,16 +1,16 @@
-From e34b480cd9a1fb23e361a514c98439672140bd37 Mon Sep 17 00:00:00 2001
+From 0e97bcfd7ab3c7b3d489de3cf4c7c4977b73cd23 Mon Sep 17 00:00:00 2001
 From: Eric Blake <eblake@redhat.com>
-Date: Fri, 9 Jun 2017 22:07:14 +0200
-Subject: [PATCH 1/2] nbd: Fully initialize client in case of failed
+Date: Fri, 9 Jun 2017 22:04:12 +0200
+Subject: [PATCH 5/6] nbd: Fully initialize client in case of failed
  negotiation
 
 RH-Author: Eric Blake <eblake@redhat.com>
-Message-id: <20170609220715.29645-2-eblake@redhat.com>
-Patchwork-id: 75580
-O-Subject: [RHEL-7.3.z qemu-kvm PATCH 1/2] nbd: Fully initialize client in case of failed negotiation
-Bugzilla: 1460179
+Message-id: <20170609220413.28793-2-eblake@redhat.com>
+Patchwork-id: 75576
+O-Subject: [RHEL-7.4 qemu-kvm PATCH 1/2] nbd: Fully initialize client in case of failed negotiation
+Bugzilla: 1451614
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
 RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
-RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
 RH-Acked-by: Thomas Huth <thuth@redhat.com>
 
 If a non-NBD client connects to qemu-nbd, we would end up with
@@ -44,7 +44,7 @@ Signed-off-by: Eric Blake <eblake@redhat.com>
 Message-Id: <20170527030421.28366-1-eblake@redhat.com>
 Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
 (cherry picked from commit ???)
-https://bugzilla.redhat.com/show_bug.cgi?id=1460179
+https://bugzilla.redhat.com/show_bug.cgi?id=1451614
 Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
 
 Conflicts:
diff --git a/SOURCES/kvm-net-check-packet-payload-length.patch b/SOURCES/kvm-net-check-packet-payload-length.patch
index 5ef1070..34b0106 100644
--- a/SOURCES/kvm-net-check-packet-payload-length.patch
+++ b/SOURCES/kvm-net-check-packet-payload-length.patch
@@ -1,13 +1,13 @@
-From 6d126da8f958c57413a4505d98cb4a3ff48cbbfe Mon Sep 17 00:00:00 2001
+From fa1aaeeab2f10d7f107dd45a2c06e40e71bde1c3 Mon Sep 17 00:00:00 2001
 From: "wexu@redhat.com" <wexu@redhat.com>
 Date: Wed, 21 Dec 2016 06:04:24 +0100
-Subject: [PATCH] net: check packet payload length
+Subject: [PATCH 3/4] net: check packet payload length
 
 RH-Author: wexu@redhat.com
 Message-id: <1482300264-29708-2-git-send-email-wexu@redhat.com>
 Patchwork-id: 73088
 O-Subject: [RHEL-7.4/7.3.z qemu-kvm Patch v2] net: check packet payload length
-Bugzilla: 1398217
+Bugzilla: 1398218
 RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
 RH-Acked-by: Michael S. Tsirkin <mst@redhat.com>
 RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
diff --git a/SOURCES/kvm-qcow2-Don-t-rely-on-free_cluster_index-in-alloc_ref2.patch b/SOURCES/kvm-qcow2-Don-t-rely-on-free_cluster_index-in-alloc_ref2.patch
new file mode 100644
index 0000000..7108c00
--- /dev/null
+++ b/SOURCES/kvm-qcow2-Don-t-rely-on-free_cluster_index-in-alloc_ref2.patch
@@ -0,0 +1,86 @@
+From 32dcdb3b1623e351d66bfe7cccbdcef3087f9b7b Mon Sep 17 00:00:00 2001
+From: Max Reitz <mreitz@redhat.com>
+Date: Mon, 13 Mar 2017 17:45:09 +0100
+Subject: [PATCH 11/24] qcow2: Don't rely on free_cluster_index in
+ alloc_refcount_block() (CVE-2014-0147)
+
+RH-Author: Max Reitz <mreitz@redhat.com>
+Message-id: <20170313174516.28044-3-mreitz@redhat.com>
+Patchwork-id: 74274
+O-Subject: [RHEL-7.4 qemu-kvm PATCH 2/9] qcow2: Don't rely on free_cluster_index in alloc_refcount_block() (CVE-2014-0147)
+Bugzilla: 1427176
+RH-Acked-by: Fam Zheng <famz@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
+
+From: Kevin Wolf <kwolf@redhat.com>
+
+free_cluster_index is only correct if update_refcount() was called from
+an allocation function, and even there it's brittle because it's used to
+protect unfinished allocations which still have a refcount of 0 - if it
+moves in the wrong place, the unfinished allocation can be corrupted.
+
+So not using it any more seems to be a good idea. Instead, use the
+first requested cluster to do the calculations. Return -EAGAIN if
+unfinished allocations could become invalid and let the caller restart
+its search for some free clusters.
+
+The context of creating a snapsnot is one situation where
+update_refcount() is called outside of a cluster allocation. For this
+case, the change fixes a buffer overflow if a cluster is referenced in
+an L2 table that cannot be represented by an existing refcount block.
+(new_table[refcount_table_index] was out of bounds)
+
+[Bump the qemu-iotests 026 refblock_alloc.write leak count from 10 to
+11.
+--Stefan]
+
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+Reviewed-by: Max Reitz <mreitz@redhat.com>
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+(cherry picked from commit b106ad9185f35fc4ad669555ad0e79e276083bd7)
+
+This patch was committed downstream before upstream (commit ID
+a2b10eec76a72aa7fe63e797181b93f69de9600e), therefore the change to 026's
+reference output is missing, which is amended by this backport.
+
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ tests/qemu-iotests/026.out | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/tests/qemu-iotests/026.out b/tests/qemu-iotests/026.out
+index 0764389..5cedefc 100644
+--- a/tests/qemu-iotests/026.out
++++ b/tests/qemu-iotests/026.out
+@@ -491,7 +491,7 @@ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824
+ Event: refblock_alloc.write_blocks; errno: 28; imm: off; once: off; write 
+ write failed: No space left on device
+ 
+-10 leaked clusters were found on the image.
++11 leaked clusters were found on the image.
+ This means waste of disk space, but no harm to data.
+ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
+ 
+@@ -515,7 +515,7 @@ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824
+ Event: refblock_alloc.write_table; errno: 28; imm: off; once: off; write 
+ write failed: No space left on device
+ 
+-10 leaked clusters were found on the image.
++11 leaked clusters were found on the image.
+ This means waste of disk space, but no harm to data.
+ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
+ 
+@@ -539,7 +539,7 @@ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824
+ Event: refblock_alloc.switch_table; errno: 28; imm: off; once: off; write 
+ write failed: No space left on device
+ 
+-10 leaked clusters were found on the image.
++11 leaked clusters were found on the image.
+ This means waste of disk space, but no harm to data.
+ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
+ 
+-- 
+1.8.3.1
+
diff --git a/SOURCES/kvm-qemu-char-ignore-flow-control-if-a-PTY-s-slave-is-no.patch b/SOURCES/kvm-qemu-char-ignore-flow-control-if-a-PTY-s-slave-is-no.patch
index 6463982..5c7e901 100644
--- a/SOURCES/kvm-qemu-char-ignore-flow-control-if-a-PTY-s-slave-is-no.patch
+++ b/SOURCES/kvm-qemu-char-ignore-flow-control-if-a-PTY-s-slave-is-no.patch
@@ -1,16 +1,16 @@
-From 1e2929d890fb4cc88162b9771ed93b1c61f89b33 Mon Sep 17 00:00:00 2001
+From 6a40d58e03beaef265f6c1293301f5f8860ecbea Mon Sep 17 00:00:00 2001
 From: Fam Zheng <famz@redhat.com>
-Date: Fri, 19 May 2017 00:35:14 +0200
+Date: Thu, 18 May 2017 09:21:22 +0200
 Subject: [PATCH 09/18] qemu-char: ignore flow control if a PTY's slave is not
  connected
 
 RH-Author: Fam Zheng <famz@redhat.com>
-Message-id: <20170519003523.21163-10-famz@redhat.com>
-Patchwork-id: 75364
-O-Subject: [RHEL-7.3.z qemu-kvm PATCH 09/18] qemu-char: ignore flow control if a PTY's slave is not connected
-Bugzilla: 1452332
+Message-id: <20170518092131.16571-10-famz@redhat.com>
+Patchwork-id: 75301
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v3 09/18] qemu-char: ignore flow control if a PTY's slave is not connected
+Bugzilla: 1451470
 RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
-RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
 RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>
 
 From: Paolo Bonzini <pbonzini@redhat.com>
diff --git a/SOURCES/kvm-qemu-io-Add-sigraise-command.patch b/SOURCES/kvm-qemu-io-Add-sigraise-command.patch
new file mode 100644
index 0000000..b85ab5f
--- /dev/null
+++ b/SOURCES/kvm-qemu-io-Add-sigraise-command.patch
@@ -0,0 +1,98 @@
+From 9bf536ecc296516cb5d82d5e9630663aaac56629 Mon Sep 17 00:00:00 2001
+From: Max Reitz <mreitz@redhat.com>
+Date: Mon, 13 Mar 2017 17:46:24 +0100
+Subject: [PATCH 13/24] qemu-io: Add sigraise command
+
+RH-Author: Max Reitz <mreitz@redhat.com>
+Message-id: <20170313174629.28735-2-mreitz@redhat.com>
+Patchwork-id: 74275
+O-Subject: [RHEL-7.4 qemu-kvm PATCH 4/9] qemu-io: Add sigraise command
+Bugzilla: 1427176
+RH-Acked-by: Fam Zheng <famz@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
+
+abort() has the sometimes undesirable side-effect of generating a core
+dump. If that is not needed, SIGKILL has the same effect of abruptly
+crash qemu; without a core dump.
+
+Thus, -c abort is not always useful to simulate a qemu-io crash;
+therefore, this patch adds a new sigraise command which allows raising
+a signal.
+
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+Reviewed-by: Fam Zheng <famz@redhat.com>
+Message-id: 1418032092-16813-2-git-send-email-mreitz@redhat.com
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+(cherry picked from commit 0e82dc7bbd96f9b0fb76e5fe263ba04b15e68127)
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ qemu-io-cmds.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 46 insertions(+)
+
+diff --git a/qemu-io-cmds.c b/qemu-io-cmds.c
+index b41d6ee..010f05f 100644
+--- a/qemu-io-cmds.c
++++ b/qemu-io-cmds.c
+@@ -2050,6 +2050,51 @@ static const cmdinfo_t abort_cmd = {
+        .oneline        = "simulate a program crash using abort(3)",
+ };
+ 
++static void sigraise_help(void)
++{
++    printf(
++"\n"
++" raises the given signal\n"
++"\n"
++" Example:\n"
++" 'sigraise %i' - raises SIGTERM\n"
++"\n"
++" Invokes raise(signal), where \"signal\" is the mandatory integer argument\n"
++" given to sigraise.\n"
++"\n", SIGTERM);
++}
++
++static int sigraise_f(BlockDriverState *bs, int argc, char **argv);
++
++static const cmdinfo_t sigraise_cmd = {
++    .name       = "sigraise",
++    .cfunc      = sigraise_f,
++    .argmin     = 1,
++    .argmax     = 1,
++    .flags      = CMD_NOFILE_OK,
++    .args       = "signal",
++    .oneline    = "raises a signal",
++    .help       = sigraise_help,
++};
++
++static int sigraise_f(BlockDriverState *bs, int argc, char **argv)
++{
++    int sig = cvtnum(argv[1]);
++    if (sig < 0) {
++        printf("non-numeric signal number argument -- %s\n", argv[1]);
++        return 0;
++    }
++
++    /* Using raise() to kill this process does not necessarily flush all open
++     * streams. At least stdout and stderr (although the latter should be
++     * non-buffered anyway) should be flushed, though. */
++    fflush(stdout);
++    fflush(stderr);
++
++    raise(sig);
++    return 0;
++}
++
+ static void sleep_cb(void *opaque)
+ {
+     bool *expired = opaque;
+@@ -2203,4 +2248,5 @@ static void __attribute((constructor)) init_qemuio_commands(void)
+     qemuio_add_command(&wait_break_cmd);
+     qemuio_add_command(&abort_cmd);
+     qemuio_add_command(&sleep_cmd);
++    qemuio_add_command(&sigraise_cmd);
+ }
+-- 
+1.8.3.1
+
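Review bot: In `sigraise_f()` the result of `cvtnum(argv[1])` is narrowed into `int sig` before the `sig < 0` check. If `cvtnum()` returns a 64-bit value (its declaration is not in this hunk), an out-of-range argument can wrap to a valid signal number, or to a negative one that is misreported as non-numeric. Keeping the wide type and bounding it avoids both: `int64_t sig = cvtnum(argv[1]);` with a second check `else if (sig > NSIG) {` that prints its own out-of-range message. The return value of `raise(sig)` is also ignored, so a signal number the C library rejects makes the command return 0 silently; reporting a failed `raise()` would make a mistyped test visible.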
diff --git a/SOURCES/kvm-qemu-iotests-Disable-030-040-041.patch b/SOURCES/kvm-qemu-iotests-Disable-030-040-041.patch
new file mode 100644
index 0000000..5f26239
--- /dev/null
+++ b/SOURCES/kvm-qemu-iotests-Disable-030-040-041.patch
@@ -0,0 +1,53 @@
+From 17c2dbd411ce0b2221b5559c3c0eff01920dea40 Mon Sep 17 00:00:00 2001
+From: Max Reitz <mreitz@redhat.com>
+Date: Mon, 13 Mar 2017 17:47:19 +0100
+Subject: [PATCH 18/24] qemu-iotests: Disable 030, 040, 041
+
+RH-Author: Max Reitz <mreitz@redhat.com>
+Message-id: <20170313174719.29543-1-mreitz@redhat.com>
+Patchwork-id: 74280
+O-Subject: [RHEL-7.4 qemu-kvm PATCH 9/9] qemu-iotests: Disable 030, 040, 041
+Bugzilla: 1427176
+RH-Acked-by: Fam Zheng <famz@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
+
+Upstream: N/A
+
+All of these tests require (and test) live block operations, 030 and 041
+also need blkdebug support. Both of these features are disabled
+downstream, so the tests need to be disabled, too.
+
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ tests/qemu-iotests/group | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/tests/qemu-iotests/group b/tests/qemu-iotests/group
+index 58b3d05..c1fc89d 100644
+--- a/tests/qemu-iotests/group
++++ b/tests/qemu-iotests/group
+@@ -36,7 +36,7 @@
+ 027 rw auto quick
+ 028 rw backing auto
+ 029 rw auto quick
+-030 rw auto backing
++# 030 rw auto backing -- requires blkdebug and block jobs
+ 031 rw auto quick
+ 032 rw auto
+ 033 rw auto quick
+@@ -46,8 +46,8 @@
+ 037 rw auto backing
+ 038 rw auto backing
+ 039 rw auto
+-040 rw auto
+-041 rw auto backing
++# 040 rw auto -- requires block jobs
++# 041 rw auto backing -- requires blkdebug and block jobs
+ 042 rw auto quick
+ 043 rw auto backing
+ 044 rw auto
+-- 
+1.8.3.1
+
diff --git a/SOURCES/kvm-qemu-iotests-Filter-out-actual-image-size-in-067.patch b/SOURCES/kvm-qemu-iotests-Filter-out-actual-image-size-in-067.patch
new file mode 100644
index 0000000..55fb981
--- /dev/null
+++ b/SOURCES/kvm-qemu-iotests-Filter-out-actual-image-size-in-067.patch
@@ -0,0 +1,93 @@
+From 858514a037db08493b7cdd6adaf87466ee2f7831 Mon Sep 17 00:00:00 2001
+From: Max Reitz <mreitz@redhat.com>
+Date: Mon, 13 Mar 2017 17:45:08 +0100
+Subject: [PATCH 10/24] qemu-iotests: Filter out actual image size in 067
+
+RH-Author: Max Reitz <mreitz@redhat.com>
+Message-id: <20170313174516.28044-2-mreitz@redhat.com>
+Patchwork-id: 74273
+O-Subject: [RHEL-7.4 qemu-kvm PATCH 1/9] qemu-iotests: Filter out actual image size in 067
+Bugzilla: 1427176
+RH-Acked-by: Fam Zheng <famz@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
+
+The actual size of the image file may differ depending on the Linux
+kernel currently running on the host. Filtering out this value makes
+this test pass in such cases.
+
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+Reviewed-by: Benoit Canet <benoit@irqsave.net>
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+(cherry picked from commit 64815e2a966f0a3f18818b9d542f1ef02dc992a2)
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ tests/qemu-iotests/067     |  2 +-
+ tests/qemu-iotests/067.out | 10 +++++-----
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/tests/qemu-iotests/067 b/tests/qemu-iotests/067
+index 79dc38b..d025192 100644
+--- a/tests/qemu-iotests/067
++++ b/tests/qemu-iotests/067
+@@ -45,7 +45,7 @@ function do_run_qemu()
+ 
+ function run_qemu()
+ {
+-    do_run_qemu "$@" 2>&1 | _filter_testdir | _filter_qmp
++    do_run_qemu "$@" 2>&1 | _filter_testdir | _filter_qmp | sed -e 's/\("actual-size":\s*\)[0-9]\+/\1SIZE/g'
+ }
+ 
+ size=128M
+diff --git a/tests/qemu-iotests/067.out b/tests/qemu-iotests/067.out
+index 4bb9ff9..8d271cc 100644
+--- a/tests/qemu-iotests/067.out
++++ b/tests/qemu-iotests/067.out
+@@ -6,7 +6,7 @@ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=134217728
+ Testing: -drive file=TEST_DIR/t.qcow2,format=qcow2,if=none,id=disk -device virtio-blk-pci,drive=disk,id=virtio0
+ QMP_VERSION
+ {"return": {}}
+-{"return": [{"io-status": "ok", "device": "disk", "locked": false, "removable": false, "inserted": {"iops_rd": 0, "image": {"virtual-size": 134217728, "filename": "TEST_DIR/t.qcow2", "cluster-size": 65536, "format": "qcow2", "actual-size": 139264, "format-specific": {"type": "qcow2", "data": {"compat": "1.1", "lazy-refcounts": false}}, "dirty-flag": false}, "iops_wr": 0, "ro": false, "backing_file_depth": 0, "drv": "qcow2", "iops": 0, "bps_wr": 0, "encrypted": false, "bps": 0, "bps_rd": 0, "file": "TEST_DIR/t.qcow2", "encryption_key_missing": false}, "type": "unknown"}, {"io-status": "ok", "device": "ide1-cd0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"device": "floppy0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"device": "sd0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}]}
++{"return": [{"io-status": "ok", "device": "disk", "locked": false, "removable": false, "inserted": {"iops_rd": 0, "image": {"virtual-size": 134217728, "filename": "TEST_DIR/t.qcow2", "cluster-size": 65536, "format": "qcow2", "actual-size": SIZE, "format-specific": {"type": "qcow2", "data": {"compat": "1.1", "lazy-refcounts": false}}, "dirty-flag": false}, "iops_wr": 0, "ro": false, "backing_file_depth": 0, "drv": "qcow2", "iops": 0, "bps_wr": 0, "encrypted": false, "bps": 0, "bps_rd": 0, "file": "TEST_DIR/t.qcow2", "encryption_key_missing": false}, "type": "unknown"}, {"io-status": "ok", "device": "ide1-cd0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"device": "floppy0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"device": "sd0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}]}
+ {"return": {}}
+ {"return": {}}
+ {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "DEVICE_DELETED", "data": {"path": "/machine/peripheral/virtio0/virtio-backend"}}
+@@ -24,7 +24,7 @@ QMP_VERSION
+ Testing: -drive file=TEST_DIR/t.qcow2,format=qcow2,if=none,id=disk
+ QMP_VERSION
+ {"return": {}}
+-{"return": [{"device": "disk", "locked": false, "removable": true, "inserted": {"iops_rd": 0, "image": {"virtual-size": 134217728, "filename": "TEST_DIR/t.qcow2", "cluster-size": 65536, "format": "qcow2", "actual-size": 139264, "format-specific": {"type": "qcow2", "data": {"compat": "1.1", "lazy-refcounts": false}}, "dirty-flag": false}, "iops_wr": 0, "ro": false, "backing_file_depth": 0, "drv": "qcow2", "iops": 0, "bps_wr": 0, "encrypted": false, "bps": 0, "bps_rd": 0, "file": "TEST_DIR/t.qcow2", "encryption_key_missing": false}, "tray_open": false, "type": "unknown"}, {"io-status": "ok", "device": "ide1-cd0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"device": "floppy0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"device": "sd0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}]}
++{"return": [{"device": "disk", "locked": false, "removable": true, "inserted": {"iops_rd": 0, "image": {"virtual-size": 134217728, "filename": "TEST_DIR/t.qcow2", "cluster-size": 65536, "format": "qcow2", "actual-size": SIZE, "format-specific": {"type": "qcow2", "data": {"compat": "1.1", "lazy-refcounts": false}}, "dirty-flag": false}, "iops_wr": 0, "ro": false, "backing_file_depth": 0, "drv": "qcow2", "iops": 0, "bps_wr": 0, "encrypted": false, "bps": 0, "bps_rd": 0, "file": "TEST_DIR/t.qcow2", "encryption_key_missing": false}, "tray_open": false, "type": "unknown"}, {"io-status": "ok", "device": "ide1-cd0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"device": "floppy0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"device": "sd0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}]}
+ {"return": {}}
+ {"return": {}}
+ {"return": {}}
+@@ -44,7 +44,7 @@ Testing:
+ QMP_VERSION
+ {"return": {}}
+ {"return": "OK\r\n"}
+-{"return": [{"io-status": "ok", "device": "ide1-cd0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"device": "floppy0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"device": "sd0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"device": "disk", "locked": false, "removable": true, "inserted": {"iops_rd": 0, "image": {"virtual-size": 134217728, "filename": "TEST_DIR/t.qcow2", "cluster-size": 65536, "format": "qcow2", "actual-size": 139264, "format-specific": {"type": "qcow2", "data": {"compat": "1.1", "lazy-refcounts": false}}, "dirty-flag": false}, "iops_wr": 0, "ro": false, "backing_file_depth": 0, "drv": "qcow2", "iops": 0, "bps_wr": 0, "encrypted": false, "bps": 0, "bps_rd": 0, "file": "TEST_DIR/t.qcow2", "encryption_key_missing": false}, "tray_open": false, "type": "unknown"}]}
++{"return": [{"io-status": "ok", "device": "ide1-cd0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"device": "floppy0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"device": "sd0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"device": "disk", "locked": false, "removable": true, "inserted": {"iops_rd": 0, "image": {"virtual-size": 134217728, "filename": "TEST_DIR/t.qcow2", "cluster-size": 65536, "format": "qcow2", "actual-size": SIZE, "format-specific": {"type": "qcow2", "data": {"compat": "1.1", "lazy-refcounts": false}}, "dirty-flag": false}, "iops_wr": 0, "ro": false, "backing_file_depth": 0, "drv": "qcow2", "iops": 0, "bps_wr": 0, "encrypted": false, "bps": 0, "bps_rd": 0, "file": "TEST_DIR/t.qcow2", "encryption_key_missing": false}, "tray_open": false, "type": "unknown"}]}
+ {"return": {}}
+ {"return": {}}
+ {"return": {}}
+@@ -64,14 +64,14 @@ Testing:
+ QMP_VERSION
+ {"return": {}}
+ {"return": {}}
+-{"return": [{"io-status": "ok", "device": "ide1-cd0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"device": "floppy0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"device": "sd0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"device": "disk", "locked": false, "removable": true, "inserted": {"iops_rd": 0, "image": {"virtual-size": 134217728, "filename": "TEST_DIR/t.qcow2", "cluster-size": 65536, "format": "qcow2", "actual-size": 139264, "format-specific": {"type": "qcow2", "data": {"compat": "1.1", "lazy-refcounts": false}}, "dirty-flag": false}, "iops_wr": 0, "ro": false, "backing_file_depth": 0, "drv": "qcow2", "iops": 0, "bps_wr": 0, "encrypted": false, "bps": 0, "bps_rd": 0, "file": "TEST_DIR/t.qcow2", "encryption_key_missing": false}, "tray_open": false, "type": "unknown"}]}
++{"return": [{"io-status": "ok", "device": "ide1-cd0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"device": "floppy0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"device": "sd0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"device": "disk", "locked": false, "removable": true, "inserted": {"iops_rd": 0, "image": {"virtual-size": 134217728, "filename": "TEST_DIR/t.qcow2", "cluster-size": 65536, "format": "qcow2", "actual-size": SIZE, "format-specific": {"type": "qcow2", "data": {"compat": "1.1", "lazy-refcounts": false}}, "dirty-flag": false}, "iops_wr": 0, "ro": false, "backing_file_depth": 0, "drv": "qcow2", "iops": 0, "bps_wr": 0, "encrypted": false, "bps": 0, "bps_rd": 0, "file": "TEST_DIR/t.qcow2", "encryption_key_missing": false}, "tray_open": false, "type": "unknown"}]}
+ {"return": {}}
+ {"return": {}}
+ {"return": {}}
+ {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "DEVICE_DELETED", "data": {"path": "/machine/peripheral/virtio0/virtio-backend"}}
+ {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "DEVICE_DELETED", "data": {"device": "virtio0", "path": "/machine/peripheral/virtio0"}}
+ {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "RESET"}
+-{"return": [{"io-status": "ok", "device": "ide1-cd0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"device": "floppy0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"device": "sd0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"io-status": "ok", "device": "disk", "locked": false, "removable": true, "inserted": {"iops_rd": 0, "image": {"virtual-size": 134217728, "filename": "TEST_DIR/t.qcow2", "cluster-size": 65536, "format": "qcow2", "actual-size": 139264, "format-specific": {"type": "qcow2", "data": {"compat": "1.1", "lazy-refcounts": false}}, "dirty-flag": false}, "iops_wr": 0, "ro": false, "backing_file_depth": 0, "drv": "qcow2", "iops": 0, "bps_wr": 0, "encrypted": false, "bps": 0, "bps_rd": 0, "file": "TEST_DIR/t.qcow2", "encryption_key_missing": false}, "tray_open": false, "type": "unknown"}]}
++{"return": [{"io-status": "ok", "device": "ide1-cd0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"device": "floppy0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"device": "sd0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"io-status": "ok", "device": "disk", "locked": false, "removable": true, "inserted": {"iops_rd": 0, "image": {"virtual-size": 134217728, "filename": "TEST_DIR/t.qcow2", "cluster-size": 65536, "format": "qcow2", "actual-size": SIZE, "format-specific": {"type": "qcow2", "data": {"compat": "1.1", "lazy-refcounts": false}}, "dirty-flag": false}, "iops_wr": 0, "ro": false, "backing_file_depth": 0, "drv": "qcow2", "iops": 0, "bps_wr": 0, "encrypted": false, "bps": 0, "bps_rd": 0, "file": "TEST_DIR/t.qcow2", "encryption_key_missing": false}, "tray_open": false, "type": "unknown"}]}
+ {"return": {}}
+ {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN"}
+ {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "DEVICE_TRAY_MOVED", "data": {"device": "ide1-cd0", "tray-open": true}}
+-- 
+1.8.3.1
+
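Review bot: The `sed` expression appended to `run_qemu` in tests/qemu-iotests/067 uses `\s` and `\+`, which are GNU extensions rather than POSIX basic regular expression syntax. Under a sed without them the filter stops matching and the test compares against the raw size again. The portable spelling is `sed -e 's/\("actual-size":[[:space:]]*\)[0-9][0-9]*/\1SIZE/g'`, which matches the `[0-9][0-9]*` style already used in common.filter. A one-line comment above the pipeline, such as `# actual-size depends on the host kernel; mask it`, would record why this one field is filtered.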
diff --git a/SOURCES/kvm-qemu-iotests-Fix-core-dump-suppression-in-test-039.patch b/SOURCES/kvm-qemu-iotests-Fix-core-dump-suppression-in-test-039.patch
new file mode 100644
index 0000000..d23e58c
--- /dev/null
+++ b/SOURCES/kvm-qemu-iotests-Fix-core-dump-suppression-in-test-039.patch
@@ -0,0 +1,141 @@
+From 3d0fa39257aac5ee843c0f3e5e69703e299bb90c Mon Sep 17 00:00:00 2001
+From: Max Reitz <mreitz@redhat.com>
+Date: Mon, 13 Mar 2017 17:46:23 +0100
+Subject: [PATCH 12/24] qemu-iotests: Fix core dump suppression in test 039
+
+RH-Author: Max Reitz <mreitz@redhat.com>
+Message-id: <20170313174629.28735-1-mreitz@redhat.com>
+Patchwork-id: 74281
+O-Subject: [RHEL-7.4 qemu-kvm PATCH 3/9] qemu-iotests: Fix core dump suppression in test 039
+Bugzilla: 1427176
+RH-Acked-by: Fam Zheng <famz@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
+
+From: Markus Armbruster <armbru@redhat.com>
+
+The shell script attempts to suppress core dumps like this:
+
+    old_ulimit=$(ulimit -c)
+    ulimit -c 0
+    $QEMU_IO arg...
+    ulimit -c "$old_ulimit"
+
+This breaks the test hard unless the limit was zero to begin with!
+ulimit sets both hard and soft limit by default, and (re-)raising the
+hard limit requires privileges.  Broken since it was added in commit
+dc68afe.
+
+Could be fixed by adding -S to set only the soft limit, but I'm not
+sure how portable that is in practice.  Simply do it in a subshell
+instead, like this:
+
+    (ulimit -c 0; exec $QEMU_IO arg...)
+
+Signed-off-by: Markus Armbruster <armbru@redhat.com>
+Reviewed-by: Fam Zheng <famz@redhat.com>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+(cherry picked from commit d530e342320d4db3c9522bfadc60a7bc8142343a)
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ tests/qemu-iotests/039           | 20 ++++++++------------
+ tests/qemu-iotests/039.out       |  3 +++
+ tests/qemu-iotests/common.filter |  1 +
+ 3 files changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/tests/qemu-iotests/039 b/tests/qemu-iotests/039
+index 8bade92..1e50651 100755
+--- a/tests/qemu-iotests/039
++++ b/tests/qemu-iotests/039
+@@ -46,6 +46,11 @@ _supported_proto generic
+ _supported_os Linux
+ _unsupported_qemu_io_options --nocache
+ 
++_no_dump_exec()
++{
++    (ulimit -c 0; exec "$@")
++}
++
+ size=128M
+ 
+ echo
+@@ -66,10 +71,7 @@ echo "== Creating a dirty image file =="
+ IMGOPTS="compat=1.1,lazy_refcounts=on"
+ _make_test_img $size
+ 
+-old_ulimit=$(ulimit -c)
+-ulimit -c 0 # do not produce a core dump on abort(3)
+-$QEMU_IO -c "write -P 0x5a 0 512" -c "abort" "$TEST_IMG" | _filter_qemu_io
+-ulimit -c "$old_ulimit"
++_no_dump_exec $QEMU_IO -c "write -P 0x5a 0 512" -c "abort" "$TEST_IMG" 2>&1 | _filter_qemu_io
+ 
+ # The dirty bit must be set
+ ./qcow2.py "$TEST_IMG" dump-header | grep incompatible_features
+@@ -102,10 +104,7 @@ echo "== Opening a dirty image read/write should repair it =="
+ IMGOPTS="compat=1.1,lazy_refcounts=on"
+ _make_test_img $size
+ 
+-old_ulimit=$(ulimit -c)
+-ulimit -c 0 # do not produce a core dump on abort(3)
+-$QEMU_IO -c "write -P 0x5a 0 512" -c "abort" "$TEST_IMG" | _filter_qemu_io
+-ulimit -c "$old_ulimit"
++_no_dump_exec $QEMU_IO -c "write -P 0x5a 0 512" -c "abort" "$TEST_IMG" 2>&1 | _filter_qemu_io
+ 
+ # The dirty bit must be set
+ ./qcow2.py "$TEST_IMG" dump-header | grep incompatible_features
+@@ -121,10 +120,7 @@ echo "== Creating an image file with lazy_refcounts=off =="
+ IMGOPTS="compat=1.1,lazy_refcounts=off"
+ _make_test_img $size
+ 
+-old_ulimit=$(ulimit -c)
+-ulimit -c 0 # do not produce a core dump on abort(3)
+-$QEMU_IO -c "write -P 0x5a 0 512" -c "abort" "$TEST_IMG" | _filter_qemu_io
+-ulimit -c "$old_ulimit"
++_no_dump_exec $QEMU_IO -c "write -P 0x5a 0 512" -c "abort" "$TEST_IMG" 2>&1 | _filter_qemu_io
+ 
+ # The dirty bit must not be set since lazy_refcounts=off
+ ./qcow2.py "$TEST_IMG" dump-header | grep incompatible_features
+diff --git a/tests/qemu-iotests/039.out b/tests/qemu-iotests/039.out
+index d25bf0b..af62da1 100644
+--- a/tests/qemu-iotests/039.out
++++ b/tests/qemu-iotests/039.out
+@@ -11,6 +11,7 @@ No errors were found on the image.
+ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=134217728 
+ wrote 512/512 bytes at offset 0
+ 512 bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
++./039: Aborted                 ( ulimit -c 0; exec "$@" )
+ incompatible_features     0x1
+ ERROR cluster 5 refcount=0 reference=1
+ ERROR OFLAG_COPIED data cluster: l2_entry=8000000000050000 refcount=0
+@@ -45,6 +46,7 @@ read 512/512 bytes at offset 0
+ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=134217728 
+ wrote 512/512 bytes at offset 0
+ 512 bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
++./039: Aborted                 ( ulimit -c 0; exec "$@" )
+ incompatible_features     0x1
+ ERROR cluster 5 refcount=0 reference=1
+ Rebuilding refcount structure
+@@ -58,6 +60,7 @@ incompatible_features     0x0
+ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=134217728 
+ wrote 512/512 bytes at offset 0
+ 512 bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
++./039: Aborted                 ( ulimit -c 0; exec "$@" )
+ incompatible_features     0x0
+ No errors were found on the image.
+ *** done
+diff --git a/tests/qemu-iotests/common.filter b/tests/qemu-iotests/common.filter
+index 9c82c77..dcd246d 100644
+--- a/tests/qemu-iotests/common.filter
++++ b/tests/qemu-iotests/common.filter
+@@ -150,6 +150,7 @@ _filter_win32()
+ _filter_qemu_io()
+ {
+     _filter_win32 | sed -e "s/[0-9]* ops\; [0-9/:. sec]* ([0-9/.inf]* [EPTGMKiBbytes]*\/sec and [0-9/.inf]* ops\/sec)/X ops\; XX:XX:XX.X (XXX YYY\/sec and XXX ops\/sec)/" \
++        -e "s/: line [0-9][0-9]*:  *[0-9][0-9]*\( Aborted\)/:\1/" \
+         -e "s/qemu-io> //g"
+ }
+ 
+-- 
+1.8.3.1
+
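Review bot: `_no_dump_exec` in tests/qemu-iotests/039 is added without a comment, and the three call sites lose the old `# do not produce a core dump on abort(3)` remark, so the script no longer says why the command runs in a subshell. A header such as `# Run "$@" with core dumps disabled; the subshell keeps the ulimit change out of the rest of the test` would cover it. The added `2>&1` also appears to route the shell's own "Aborted" report into the filtered output, and 039.out now carries the subshell text `( ulimit -c 0; exec "$@" )` verbatim. The reference output therefore depends on how the running shell words that message, which is worth stating in the same comment.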
diff --git a/SOURCES/kvm-qxl-Only-emit-QXL_INTERRUPT_CLIENT_MONITORS_CONFIG-o.patch b/SOURCES/kvm-qxl-Only-emit-QXL_INTERRUPT_CLIENT_MONITORS_CONFIG-o.patch
new file mode 100644
index 0000000..9794833
--- /dev/null
+++ b/SOURCES/kvm-qxl-Only-emit-QXL_INTERRUPT_CLIENT_MONITORS_CONFIG-o.patch
@@ -0,0 +1,125 @@
+From de84e9659aa6b91bd1a7c4fb30fde859882b9201 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
+Date: Thu, 5 Jan 2017 23:58:10 +0100
+Subject: [PATCH 4/4] qxl: Only emit QXL_INTERRUPT_CLIENT_MONITORS_CONFIG on
+ config changes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-id: <20170105235810.27189-1-marcandre.lureau@redhat.com>
+Patchwork-id: 73185
+O-Subject: [RHEL-7.4 qemu-kvm PATCH] qxl: Only emit QXL_INTERRUPT_CLIENT_MONITORS_CONFIG on config changes
+Bugzilla: 1342489
+RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
+RH-Acked-by: Christophe Fergeau <cfergeau@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+From: Christophe Fergeau <cfergeau@redhat.com>
+
+Currently if the client keeps sending the same monitor config to
+QEMU/spice-server, QEMU will always raise
+a QXL_INTERRUPT_CLIENT_MONITORS_CONFIG regardless of whether there was a
+change or not.
+Guest-side (with fedora 25), the kernel QXL KMS driver will also forward the
+event to user-space without checking if there were actual changes.
+Next in line are gnome-shell/mutter (on a default f25 install), which
+will try to reconfigure everything without checking if there is anything
+to do.
+Where this gets ugly is that when applying the resolution changes,
+gnome-shell/mutter will call drmModeRmFB, drmModeAddFB, and
+drmModeSetCrtc, which will cause the primary surface to be destroyed and
+recreated by the QXL KMS driver. This in turn will cause the client to
+resend a client monitors config message, which will cause QEMU to reemit
+an interrupt with an unchanged monitors configuration, ...
+This causes https://bugzilla.redhat.com/show_bug.cgi?id=1266484
+
+This commit makes sure that we only emit
+QXL_INTERRUPT_CLIENT_MONITORS_CONFIG when there are actual configuration
+changes the guest should act on.
+
+Signed-off-by: Christophe Fergeau <cfergeau@redhat.com>
+Message-id: 20161028144840.18326-1-cfergeau@redhat.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+(cherry picked from commit 6c7565028c272c4c6f2a83c3a90b044eeaf2804a)
+
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ hw/display/qxl.c | 37 ++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 36 insertions(+), 1 deletion(-)
+
+diff --git a/hw/display/qxl.c b/hw/display/qxl.c
+index f762439..c76c237 100644
+--- a/hw/display/qxl.c
++++ b/hw/display/qxl.c
+@@ -989,6 +989,34 @@ static uint32_t qxl_crc32(const uint8_t *p, unsigned len)
+     return crc32(0xffffffff, p, len) ^ 0xffffffff;
+ }
+ 
++static bool qxl_rom_monitors_config_changed(QXLRom *rom,
++        VDAgentMonitorsConfig *monitors_config,
++        unsigned int max_outputs)
++{
++    int i;
++    unsigned int monitors_count;
++
++    monitors_count = MIN(monitors_config->num_of_monitors, max_outputs);
++
++    if (rom->client_monitors_config.count != monitors_count) {
++        return true;
++    }
++
++    for (i = 0 ; i < rom->client_monitors_config.count ; ++i) {
++        VDAgentMonConfig *monitor = &monitors_config->monitors[i];
++        QXLURect *rect = &rom->client_monitors_config.heads[i];
++        /* monitor->depth ignored */
++        if ((rect->left != monitor->x) ||
++            (rect->top != monitor->y)  ||
++            (rect->right != monitor->x + monitor->width) ||
++            (rect->bottom != monitor->y + monitor->height)) {
++            return true;
++        }
++    }
++
++    return false;
++}
++
+ /* called from main context only */
+ static int interface_client_monitors_config(QXLInstance *sin,
+                                         VDAgentMonitorsConfig *monitors_config)
+@@ -997,6 +1025,7 @@ static int interface_client_monitors_config(QXLInstance *sin,
+     QXLRom *rom = memory_region_get_ram_ptr(&qxl->rom_bar);
+     int i;
+     unsigned max_outputs = ARRAY_SIZE(rom->client_monitors_config.heads);
++    bool config_changed = false;
+ 
+     if (qxl->revision < 4) {
+         trace_qxl_client_monitors_config_unsupported_by_device(qxl->id,
+@@ -1027,6 +1056,10 @@ static int interface_client_monitors_config(QXLInstance *sin,
+     }
+ #endif
+ 
++    config_changed = qxl_rom_monitors_config_changed(rom,
++                                                     monitors_config,
++                                                     max_outputs);
++
+     memset(&rom->client_monitors_config, 0,
+            sizeof(rom->client_monitors_config));
+     rom->client_monitors_config.count = monitors_config->num_of_monitors;
+@@ -1056,7 +1089,9 @@ static int interface_client_monitors_config(QXLInstance *sin,
+     trace_qxl_interrupt_client_monitors_config(qxl->id,
+                         rom->client_monitors_config.count,
+                         rom->client_monitors_config.heads);
+-    qxl_send_events(qxl, QXL_INTERRUPT_CLIENT_MONITORS_CONFIG);
++    if (config_changed) {
++        qxl_send_events(qxl, QXL_INTERRUPT_CLIENT_MONITORS_CONFIG);
++    }
+     return 1;
+ }
+ 
+-- 
+1.8.3.1
+
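Review bot: The loop in `qxl_rom_monitors_config_changed` is bounded by `rom->client_monitors_config.count`, re-read through the ROM BAR mapping on every iteration, rather than by the clamped local `monitors_count` computed just above it. The equality check before the loop only ties the two together if that memory cannot change underneath the function. If the guest can write to this region (not visible here), the index into `heads[]` and `monitors_config->monitors[]` is no longer limited by `max_outputs`. Bounding the loop on the local, `for (i = 0; i < monitors_count; ++i) {` with `i` declared `unsigned int`, keeps the index inside the checked range and removes the signed/unsigned comparison. The new function is complete in the patch; its caller `interface_client_monitors_config` is only partly shown.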
diff --git a/SOURCES/kvm-serial-change-retry-logic-to-avoid-concurrency.patch b/SOURCES/kvm-serial-change-retry-logic-to-avoid-concurrency.patch
index df1f0e6..5b76103 100644
--- a/SOURCES/kvm-serial-change-retry-logic-to-avoid-concurrency.patch
+++ b/SOURCES/kvm-serial-change-retry-logic-to-avoid-concurrency.patch
@@ -1,15 +1,15 @@
-From 3ddb1809fc188f9aca337b19a81b40da5b992057 Mon Sep 17 00:00:00 2001
+From 19651bdbf15a4ce03d6fc6e3a6be514a3f46a118 Mon Sep 17 00:00:00 2001
 From: Fam Zheng <famz@redhat.com>
-Date: Fri, 19 May 2017 00:35:13 +0200
+Date: Thu, 18 May 2017 09:21:21 +0200
 Subject: [PATCH 08/18] serial: change retry logic to avoid concurrency
 
 RH-Author: Fam Zheng <famz@redhat.com>
-Message-id: <20170519003523.21163-9-famz@redhat.com>
-Patchwork-id: 75362
-O-Subject: [RHEL-7.3.z qemu-kvm PATCH 08/18] serial: change retry logic to avoid concurrency
-Bugzilla: 1452332
+Message-id: <20170518092131.16571-9-famz@redhat.com>
+Patchwork-id: 75300
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v3 08/18] serial: change retry logic to avoid concurrency
+Bugzilla: 1451470
 RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
-RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
 RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>
 
 From: Kirill Batuzov <batuzovk@ispras.ru>
diff --git a/SOURCES/kvm-serial-check-if-backed-by-a-physical-serial-port-at-.patch b/SOURCES/kvm-serial-check-if-backed-by-a-physical-serial-port-at-.patch
index 733d5ba..9b8e621 100644
--- a/SOURCES/kvm-serial-check-if-backed-by-a-physical-serial-port-at-.patch
+++ b/SOURCES/kvm-serial-check-if-backed-by-a-physical-serial-port-at-.patch
@@ -1,16 +1,16 @@
-From 1882bb1a0967e7d513b0d5bd060fa214bc44efcb Mon Sep 17 00:00:00 2001
+From 3ad8bb6f424f7ff1d4bbf73237fb1590f0ce1810 Mon Sep 17 00:00:00 2001
 From: Fam Zheng <famz@redhat.com>
-Date: Fri, 19 May 2017 00:35:15 +0200
+Date: Thu, 18 May 2017 09:21:23 +0200
 Subject: [PATCH 10/18] serial: check if backed by a physical serial port at
  realize time
 
 RH-Author: Fam Zheng <famz@redhat.com>
-Message-id: <20170519003523.21163-11-famz@redhat.com>
-Patchwork-id: 75366
-O-Subject: [RHEL-7.3.z qemu-kvm PATCH 10/18] serial: check if backed by a physical serial port at realize time
-Bugzilla: 1452332
+Message-id: <20170518092131.16571-11-famz@redhat.com>
+Patchwork-id: 75299
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v3 10/18] serial: check if backed by a physical serial port at realize time
+Bugzilla: 1451470
 RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
-RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
 RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>
 
 From: Paolo Bonzini <pbonzini@redhat.com>
diff --git a/SOURCES/kvm-serial-clean-up-THRE-TEMT-handling.patch b/SOURCES/kvm-serial-clean-up-THRE-TEMT-handling.patch
index 18e9b50..dfc6fa0 100644
--- a/SOURCES/kvm-serial-clean-up-THRE-TEMT-handling.patch
+++ b/SOURCES/kvm-serial-clean-up-THRE-TEMT-handling.patch
@@ -1,15 +1,15 @@
-From 9afba2b1b9f8c2af3165fb0d9b68888996fe2330 Mon Sep 17 00:00:00 2001
+From 1b37b298fc1f0d69e24229191e4bbe741e4d96ab Mon Sep 17 00:00:00 2001
 From: Fam Zheng <famz@redhat.com>
-Date: Fri, 19 May 2017 00:35:17 +0200
+Date: Thu, 18 May 2017 09:21:25 +0200
 Subject: [PATCH 12/18] serial: clean up THRE/TEMT handling
 
 RH-Author: Fam Zheng <famz@redhat.com>
-Message-id: <20170519003523.21163-13-famz@redhat.com>
-Patchwork-id: 75367
-O-Subject: [RHEL-7.3.z qemu-kvm PATCH 12/18] serial: clean up THRE/TEMT handling
-Bugzilla: 1452332
+Message-id: <20170518092131.16571-13-famz@redhat.com>
+Patchwork-id: 75303
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v3 12/18] serial: clean up THRE/TEMT handling
+Bugzilla: 1451470
 RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
-RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
 RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>
 
 From: Paolo Bonzini <pbonzini@redhat.com>
diff --git a/SOURCES/kvm-serial-fixing-vmstate-for-save-restore.patch b/SOURCES/kvm-serial-fixing-vmstate-for-save-restore.patch
new file mode 100644
index 0000000..e23ec75
--- /dev/null
+++ b/SOURCES/kvm-serial-fixing-vmstate-for-save-restore.patch
@@ -0,0 +1,355 @@
+From 7d2e8f9662feb64c0b15b6fd53e06e3c56921f27 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Fri, 9 Jun 2017 11:43:58 +0200
+Subject: [PATCH 3/6] serial: fixing vmstate for save/restore
+
+RH-Author: Paolo Bonzini <pbonzini@redhat.com>
+Message-id: <20170609114359.13036-3-pbonzini@redhat.com>
+Patchwork-id: 75567
+O-Subject: [RHEL7.4 qemu-kvm PATCH v2 2/3] serial: fixing vmstate for save/restore
+Bugzilla: 1452067
+RH-Acked-by: David Hildenbrand <david@redhat.com>
+RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+
+From: Pavel Dovgalyuk <Pavel.Dovgaluk@ispras.ru>
+
+Some fields were added to VMState by this patch to preserve correct
+loading of the serial port controller state.
+Updating FCR value while loading was also modified to disable generating
+an interrupt by loadvm.
+
+Signed-off-by: Pavel Dovgalyuk <Pavel.Dovgaluk@ispras.ru>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 7385b275d9ae8bdf3c012bc4e2ae9779fcea6312)
+
+[RHEL: omit some subsections.  thr_ipending can be reconstructed fairly
+       reliably by serial_post_load.  The others are features that are
+       unlikely to be used in RHEL, respectively receive timeout (Linux
+       does not even have the UART_IIR_CTI symbol in the driver) and
+       physical serial ports connected to a modem]
+
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ hw/char/serial.c | 245 ++++++++++++++++++++++++++++++++++++++++++++++++-------
+ 1 file changed, 215 insertions(+), 30 deletions(-)
+
+diff --git a/hw/char/serial.c b/hw/char/serial.c
+index 39de1ca..0518a6f 100644
+--- a/hw/char/serial.c
++++ b/hw/char/serial.c
+@@ -275,6 +275,36 @@ static void serial_xmit(SerialState *s)
+     s->lsr |= UART_LSR_TEMT;
+ }
+ 
++/* Setter for FCR.
++   is_load flag means, that value is set while loading VM state
++   and interrupt should not be invoked */
++static void serial_write_fcr(SerialState *s, uint8_t val)
++{
++    /* Set fcr - val only has the bits that are supposed to "stick" */
++    s->fcr = val;
++
++    if (val & UART_FCR_FE) {
++        s->iir |= UART_IIR_FE;
++        /* Set recv_fifo trigger Level */
++        switch (val & 0xC0) {
++        case UART_FCR_ITL_1:
++            s->recv_fifo_itl = 1;
++            break;
++        case UART_FCR_ITL_2:
++            s->recv_fifo_itl = 4;
++            break;
++        case UART_FCR_ITL_3:
++            s->recv_fifo_itl = 8;
++            break;
++        case UART_FCR_ITL_4:
++            s->recv_fifo_itl = 14;
++            break;
++        }
++    } else {
++        s->iir &= ~UART_IIR_FE;
++    }
++}
++
+ static void serial_ioport_write(void *opaque, hwaddr addr, uint64_t val,
+                                 unsigned size)
+ {
+@@ -351,21 +381,17 @@ static void serial_ioport_write(void *opaque, hwaddr addr, uint64_t val,
+         }
+         break;
+     case 2:
+-        val = val & 0xFF;
+-
+-        if (s->fcr == val)
+-            break;
+-
+         /* Did the enable/disable flag change? If so, make sure FIFOs get flushed */
+-        if ((val ^ s->fcr) & UART_FCR_FE)
++        if ((val ^ s->fcr) & UART_FCR_FE) {
+             val |= UART_FCR_XFR | UART_FCR_RFR;
++        }
+ 
+         /* FIFO clear */
+ 
+         if (val & UART_FCR_RFR) {
+             s->lsr &= ~(UART_LSR_DR | UART_LSR_BI);
+             qemu_del_timer(s->fifo_timeout_timer);
+-            s->timeout_ipending=0;
++            s->timeout_ipending = 0;
+             fifo8_reset(&s->recv_fifo);
+         }
+ 
+@@ -375,28 +401,7 @@ static void serial_ioport_write(void *opaque, hwaddr addr, uint64_t val,
+             fifo8_reset(&s->xmit_fifo);
+         }
+ 
+-        if (val & UART_FCR_FE) {
+-            s->iir |= UART_IIR_FE;
+-            /* Set recv_fifo trigger Level */
+-            switch (val & 0xC0) {
+-            case UART_FCR_ITL_1:
+-                s->recv_fifo_itl = 1;
+-                break;
+-            case UART_FCR_ITL_2:
+-                s->recv_fifo_itl = 4;
+-                break;
+-            case UART_FCR_ITL_3:
+-                s->recv_fifo_itl = 8;
+-                break;
+-            case UART_FCR_ITL_4:
+-                s->recv_fifo_itl = 14;
+-                break;
+-            }
+-        } else
+-            s->iir &= ~UART_IIR_FE;
+-
+-        /* Set fcr - or at least the bits in it that are supposed to "stick" */
+-        s->fcr = val & 0xC9;
++        serial_write_fcr(s, val & 0xC9);
+         serial_update_irq(s);
+         break;
+     case 3:
+@@ -617,6 +622,14 @@ static void serial_pre_save(void *opaque)
+     s->fcr_vmstate = s->fcr;
+ }
+ 
++static int serial_pre_load(void *opaque)
++{
++    SerialState *s = opaque;
++    s->thr_ipending = -1;
++    s->poll_msl = -1;
++    return 0;
++}
++
+ static int serial_post_load(void *opaque, int version_id)
+ {
+     SerialState *s = opaque;
+@@ -628,17 +641,159 @@ static int serial_post_load(void *opaque, int version_id)
+         s->tsr_retry = MAX_XMIT_RETRY;
+     }
+ 
++    if (s->thr_ipending == -1) {
++        s->thr_ipending = ((s->iir & UART_IIR_ID) == UART_IIR_THRI);
++    }
++    s->last_break_enable = (s->lcr >> 6) & 1;
+     /* Initialize fcr via setter to perform essential side-effects */
+-    serial_ioport_write(s, 0x02, s->fcr_vmstate, 1);
++    serial_write_fcr(s, s->fcr_vmstate);
+     serial_update_parameters(s);
+     return 0;
+ }
+ 
++static bool serial_thr_ipending_needed(void *opaque)
++{
++#if 0
++    SerialState *s = opaque;
++    bool expected_value = ((s->iir & UART_IIR_ID) == UART_IIR_THRI);
++    return s->thr_ipending != expected_value;
++#else
++    /* for migration compatibility with RHEL <= 7.3 */
++    return 0;
++#endif
++}
++
++const VMStateDescription vmstate_serial_thr_ipending = {
++    .name = "serial/thr_ipending",
++    .version_id = 1,
++    .minimum_version_id = 1,
++    .fields = (VMStateField[]) {
++        VMSTATE_INT32(thr_ipending, SerialState),
++        VMSTATE_END_OF_LIST()
++    }
++};
++
++static bool serial_tsr_needed(void *opaque)
++{
++    SerialState *s = (SerialState *)opaque;
++    return s->tsr_retry != 0;
++}
++
++const VMStateDescription vmstate_serial_tsr = {
++    .name = "serial/tsr",
++    .version_id = 1,
++    .minimum_version_id = 1,
++    .fields = (VMStateField[]) {
++        VMSTATE_UINT32(tsr_retry, SerialState),
++        VMSTATE_UINT8(thr, SerialState),
++        VMSTATE_UINT8(tsr, SerialState),
++        VMSTATE_END_OF_LIST()
++    }
++};
++
++static bool serial_recv_fifo_needed(void *opaque)
++{
++    SerialState *s = (SerialState *)opaque;
++    return !fifo8_is_empty(&s->recv_fifo);
++
++}
++
++const VMStateDescription vmstate_serial_recv_fifo = {
++    .name = "serial/recv_fifo",
++    .version_id = 1,
++    .minimum_version_id = 1,
++    .fields = (VMStateField[]) {
++        VMSTATE_STRUCT(recv_fifo, SerialState, 1, vmstate_fifo8, Fifo8),
++        VMSTATE_END_OF_LIST()
++    }
++};
++
++static bool serial_xmit_fifo_needed(void *opaque)
++{
++    SerialState *s = (SerialState *)opaque;
++    return !fifo8_is_empty(&s->xmit_fifo);
++}
++
++const VMStateDescription vmstate_serial_xmit_fifo = {
++    .name = "serial/xmit_fifo",
++    .version_id = 1,
++    .minimum_version_id = 1,
++    .fields = (VMStateField[]) {
++        VMSTATE_STRUCT(xmit_fifo, SerialState, 1, vmstate_fifo8, Fifo8),
++        VMSTATE_END_OF_LIST()
++    }
++};
++
++static bool serial_fifo_timeout_timer_needed(void *opaque)
++{
++#if 0
++    SerialState *s = (SerialState *)opaque;
++    return timer_pending(s->fifo_timeout_timer);
++#else
++    /* for migration compatibility with RHEL <= 7.3 */
++    return 0;
++#endif
++}
++
++const VMStateDescription vmstate_serial_fifo_timeout_timer = {
++    .name = "serial/fifo_timeout_timer",
++    .version_id = 1,
++    .minimum_version_id = 1,
++    .fields = (VMStateField[]) {
++        VMSTATE_TIMER(fifo_timeout_timer, SerialState),
++        VMSTATE_END_OF_LIST()
++    }
++};
++
++static bool serial_timeout_ipending_needed(void *opaque)
++{
++#if 0
++    SerialState *s = (SerialState *)opaque;
++    return s->timeout_ipending != 0;
++#else
++    /* for migration compatibility with RHEL <= 7.3 */
++    return 0;
++#endif
++}
++
++const VMStateDescription vmstate_serial_timeout_ipending = {
++    .name = "serial/timeout_ipending",
++    .version_id = 1,
++    .minimum_version_id = 1,
++    .fields = (VMStateField[]) {
++        VMSTATE_INT32(timeout_ipending, SerialState),
++        VMSTATE_END_OF_LIST()
++    }
++};
++
++static bool serial_poll_needed(void *opaque)
++{
++#if 0
++    SerialState *s = (SerialState *)opaque;
++    return s->poll_msl >= 0;
++#else
++    /* for migration compatibility with RHEL <= 7.3 */
++    return 0;
++#endif
++}
++
++const VMStateDescription vmstate_serial_poll = {
++    .name = "serial/poll",
++    .version_id = 1,
++    .minimum_version_id = 1,
++    .fields = (VMStateField[]) {
++        VMSTATE_INT32(poll_msl, SerialState),
++        VMSTATE_TIMER(modem_status_poll, SerialState),
++        VMSTATE_END_OF_LIST()
++    }
++};
++
+ const VMStateDescription vmstate_serial = {
+     .name = "serial",
+     .version_id = 3,
+     .minimum_version_id = 2,
+     .pre_save = serial_pre_save,
++    .pre_load = serial_pre_load,
+     .post_load = serial_post_load,
+     .fields      = (VMStateField []) {
+         VMSTATE_UINT16_V(divider, SerialState, 2),
+@@ -652,6 +807,32 @@ const VMStateDescription vmstate_serial = {
+         VMSTATE_UINT8(scr, SerialState),
+         VMSTATE_UINT8_V(fcr_vmstate, SerialState, 3),
+         VMSTATE_END_OF_LIST()
++    },
++    .subsections = (VMStateSubsection[]) {
++        {
++            .vmsd = &vmstate_serial_thr_ipending,
++            .needed = &serial_thr_ipending_needed,
++        } , {
++            .vmsd = &vmstate_serial_tsr,
++            .needed = &serial_tsr_needed,
++        } , {
++            .vmsd = &vmstate_serial_recv_fifo,
++            .needed = &serial_recv_fifo_needed,
++        } , {
++            .vmsd = &vmstate_serial_xmit_fifo,
++            .needed = &serial_xmit_fifo_needed,
++        } , {
++            .vmsd = &vmstate_serial_fifo_timeout_timer,
++            .needed = &serial_fifo_timeout_timer_needed,
++        } , {
++            .vmsd = &vmstate_serial_timeout_ipending,
++            .needed = &serial_timeout_ipending_needed,
++        } , {
++            .vmsd = &vmstate_serial_poll,
++            .needed = &serial_poll_needed,
++        } , {
++            /* empty */
++        }
+     }
+ };
+ 
+@@ -678,6 +859,10 @@ static void serial_reset(void *opaque)
+     s->char_transmit_time = (get_ticks_per_sec() / 9600) * 10;
+     s->poll_msl = 0;
+ 
++    s->timeout_ipending = 0;
++    qemu_del_timer(s->fifo_timeout_timer);
++    qemu_del_timer(s->modem_status_poll);
++
+     fifo8_reset(&s->recv_fifo);
+     fifo8_reset(&s->xmit_fifo);
+ 
+-- 
+1.8.3.1
+
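Review bot: In `serial_post_load` the FCR value read from the migration stream now reaches `serial_write_fcr(s, s->fcr_vmstate)` unmasked, while the guest-write path passes `val & 0xC9`, and the `serial_ioport_write(s, 0x02, ...)` call it replaces stored `val & 0xC9` as well. The setter's own comment says `val` holds only the bits that are supposed to stick, so a stream carrying other FCR bits would leave them in `s->fcr`. I would keep the filter on load with `serial_write_fcr(s, s->fcr_vmstate & 0xC9);`. The header comment on `serial_write_fcr` also describes an `is_load` flag that the function does not take; it could read `/* Setter for FCR: stores val and updates IIR.FE and the receive trigger level; raises no interrupt itself, the caller runs serial_update_irq() */`. The bodies of `serial_post_load` and `serial_ioport_write` begin or continue outside the quoted hunks.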
diff --git a/SOURCES/kvm-serial-make-tsr_retry-unsigned.patch b/SOURCES/kvm-serial-make-tsr_retry-unsigned.patch
index 85fc949..be7cc03 100644
--- a/SOURCES/kvm-serial-make-tsr_retry-unsigned.patch
+++ b/SOURCES/kvm-serial-make-tsr_retry-unsigned.patch
@@ -1,15 +1,15 @@
-From fece1f0b57a8daa08e04338baab90202d75766ec Mon Sep 17 00:00:00 2001
+From 03b9104f9cf6c0b4f7b7976b987753afddb32599 Mon Sep 17 00:00:00 2001
 From: Fam Zheng <famz@redhat.com>
-Date: Fri, 19 May 2017 00:35:20 +0200
+Date: Thu, 18 May 2017 09:21:28 +0200
 Subject: [PATCH 15/18] serial: make tsr_retry unsigned
 
 RH-Author: Fam Zheng <famz@redhat.com>
-Message-id: <20170519003523.21163-16-famz@redhat.com>
-Patchwork-id: 75371
-O-Subject: [RHEL-7.3.z qemu-kvm PATCH 15/18] serial: make tsr_retry unsigned
-Bugzilla: 1452332
+Message-id: <20170518092131.16571-16-famz@redhat.com>
+Patchwork-id: 75305
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v3 15/18] serial: make tsr_retry unsigned
+Bugzilla: 1451470
 RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
-RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
 RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>
 
 From: Paolo Bonzini <pbonzini@redhat.com>
diff --git a/SOURCES/kvm-serial-only-resample-THR-interrupt-on-rising-edge-of.patch b/SOURCES/kvm-serial-only-resample-THR-interrupt-on-rising-edge-of.patch
index 2e30ae8..6c0dce6 100644
--- a/SOURCES/kvm-serial-only-resample-THR-interrupt-on-rising-edge-of.patch
+++ b/SOURCES/kvm-serial-only-resample-THR-interrupt-on-rising-edge-of.patch
@@ -1,16 +1,16 @@
-From 95388b9e0745ca0125012f050c53f651811b5189 Mon Sep 17 00:00:00 2001
+From 0c6d2ffcebff88c6cda738aa46fa77c09b93b78b Mon Sep 17 00:00:00 2001
 From: Fam Zheng <famz@redhat.com>
-Date: Fri, 19 May 2017 00:35:19 +0200
+Date: Thu, 18 May 2017 09:21:27 +0200
 Subject: [PATCH 14/18] serial: only resample THR interrupt on rising edge of
  IER.THRI
 
 RH-Author: Fam Zheng <famz@redhat.com>
-Message-id: <20170519003523.21163-15-famz@redhat.com>
-Patchwork-id: 75370
-O-Subject: [RHEL-7.3.z qemu-kvm PATCH 14/18] serial: only resample THR interrupt on rising edge of IER.THRI
-Bugzilla: 1452332
+Message-id: <20170518092131.16571-15-famz@redhat.com>
+Patchwork-id: 75304
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v3 14/18] serial: only resample THR interrupt on rising edge of IER.THRI
+Bugzilla: 1451470
 RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
-RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
 RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>
 
 From: Paolo Bonzini <pbonzini@redhat.com>
diff --git a/SOURCES/kvm-serial-poll-the-serial-console-with-G_IO_HUP.patch b/SOURCES/kvm-serial-poll-the-serial-console-with-G_IO_HUP.patch
index ae0367b..cfb1898 100644
--- a/SOURCES/kvm-serial-poll-the-serial-console-with-G_IO_HUP.patch
+++ b/SOURCES/kvm-serial-poll-the-serial-console-with-G_IO_HUP.patch
@@ -1,18 +1,18 @@
-From 3ca9dc028e21f6e66e4ad21d6b2948e23691d2ae Mon Sep 17 00:00:00 2001
+From 4b71b3a9e37d06da2ecc48e06eea7e4a4ae1cfe9 Mon Sep 17 00:00:00 2001
 From: Fam Zheng <famz@redhat.com>
-Date: Fri, 19 May 2017 00:35:12 +0200
+Date: Thu, 18 May 2017 09:21:20 +0200
 Subject: [PATCH 07/18] serial: poll the serial console with G_IO_HUP
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 
 RH-Author: Fam Zheng <famz@redhat.com>
-Message-id: <20170519003523.21163-8-famz@redhat.com>
-Patchwork-id: 75363
-O-Subject: [RHEL-7.3.z qemu-kvm PATCH 07/18] serial: poll the serial console with G_IO_HUP
-Bugzilla: 1452332
+Message-id: <20170518092131.16571-8-famz@redhat.com>
+Patchwork-id: 75297
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v3 07/18] serial: poll the serial console with G_IO_HUP
+Bugzilla: 1451470
 RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
-RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
 RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>
 
 From: Roger Pau Monne <roger.pau@citrix.com>
diff --git a/SOURCES/kvm-serial-reinstate-watch-after-migration.patch b/SOURCES/kvm-serial-reinstate-watch-after-migration.patch
new file mode 100644
index 0000000..b18fcc0
--- /dev/null
+++ b/SOURCES/kvm-serial-reinstate-watch-after-migration.patch
@@ -0,0 +1,72 @@
+From ba96da130a625a71b574c1bb9f6027e3b8d655ab Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Fri, 9 Jun 2017 11:43:59 +0200
+Subject: [PATCH 4/6] serial: reinstate watch after migration
+
+RH-Author: Paolo Bonzini <pbonzini@redhat.com>
+Message-id: <20170609114359.13036-4-pbonzini@redhat.com>
+Patchwork-id: 75566
+O-Subject: [RHEL7.4 qemu-kvm PATCH v2 3/3] serial: reinstate watch after migration
+Bugzilla: 1452067
+RH-Acked-by: David Hildenbrand <david@redhat.com>
+RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+
+Otherwise, a serial port can get stuck if it is migrated while flow control
+is in effect.
+
+Tested-by: Bret Ketchum <bcketchum@gmail.com>
+Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 9f34a35e0020b0b2b2e21c086a486d7dfd18df4f)
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ hw/char/serial.c | 29 +++++++++++++++++++++++++----
+ 1 file changed, 25 insertions(+), 4 deletions(-)
+
+diff --git a/hw/char/serial.c b/hw/char/serial.c
+index 0518a6f..820960b 100644
+--- a/hw/char/serial.c
++++ b/hw/char/serial.c
+@@ -637,13 +637,34 @@ static int serial_post_load(void *opaque, int version_id)
+     if (version_id < 3) {
+         s->fcr_vmstate = 0;
+     }
+-    if (s->tsr_retry > MAX_XMIT_RETRY) {
+-        s->tsr_retry = MAX_XMIT_RETRY;
+-    }
+-
+     if (s->thr_ipending == -1) {
+         s->thr_ipending = ((s->iir & UART_IIR_ID) == UART_IIR_THRI);
+     }
++
++    if (s->tsr_retry > 0) {
++        /* tsr_retry > 0 implies LSR.TEMT = 0 (transmitter not empty).  */
++        if (s->lsr & UART_LSR_TEMT) {
++            error_report("inconsistent state in serial device "
++                         "(tsr empty, tsr_retry=%d", s->tsr_retry);
++            return -1;
++        }
++
++        if (s->tsr_retry > MAX_XMIT_RETRY) {
++            s->tsr_retry = MAX_XMIT_RETRY;
++        }
++
++        assert(s->watch_tag == 0);
++        s->watch_tag = qemu_chr_fe_add_watch(s->chr, G_IO_OUT|G_IO_HUP,
++                                             serial_watch_cb, s);
++    } else {
++        /* tsr_retry == 0 implies LSR.TEMT = 1 (transmitter empty).  */
++        if (!(s->lsr & UART_LSR_TEMT)) {
++            error_report("inconsistent state in serial device "
++                         "(tsr not empty, tsr_retry=0");
++            return -1;
++        }
++    }
++
+     s->last_break_enable = (s->lcr >> 6) & 1;
+     /* Initialize fcr via setter to perform essential side-effects */
+     serial_write_fcr(s, s->fcr_vmstate);
+-- 
+1.8.3.1
+
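Review bot: Both new `error_report` messages in `serial_post_load` lack their closing parenthesis, and the first prints `s->tsr_retry` with `%d` although the field appears to be unsigned (the series carries a "make tsr_retry unsigned" patch, and the vmstate patch serialises it with `VMSTATE_UINT32(tsr_retry, SerialState)`). I would write `"(tsr empty, tsr_retry=%u)", s->tsr_retry` and `"(tsr not empty, tsr_retry=0)"`. Separately, `assert(s->watch_tag == 0)` runs while loading incoming migration state, where a failed assertion aborts the process instead of failing the load the way the neighbouring consistency checks do with `return -1`. Whatever guarantees the tag is clear at this point (presumably the device reset before load, which is not visible here) should be confirmed and stated in a comment above the assert. The body of `serial_post_load` starts before and continues after this hunk.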
diff --git a/SOURCES/kvm-serial-remove-watch-on-reset.patch b/SOURCES/kvm-serial-remove-watch-on-reset.patch
index a33f76c..4293ee6 100644
--- a/SOURCES/kvm-serial-remove-watch-on-reset.patch
+++ b/SOURCES/kvm-serial-remove-watch-on-reset.patch
@@ -1,15 +1,15 @@
-From ac39e63d788b8bcb748f08347312b0fccde7ce0e Mon Sep 17 00:00:00 2001
+From 768dddfbe60ecc3a9a920101aa755804f8a5700e Mon Sep 17 00:00:00 2001
 From: Fam Zheng <famz@redhat.com>
-Date: Fri, 19 May 2017 00:35:23 +0200
+Date: Thu, 18 May 2017 09:21:31 +0200
 Subject: [PATCH 18/18] serial: remove watch on reset
 
 RH-Author: Fam Zheng <famz@redhat.com>
-Message-id: <20170519003523.21163-19-famz@redhat.com>
-Patchwork-id: 75373
-O-Subject: [RHEL-7.3.z qemu-kvm PATCH 18/18] serial: remove watch on reset
-Bugzilla: 1452332
+Message-id: <20170518092131.16571-19-famz@redhat.com>
+Patchwork-id: 75308
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v3 18/18] serial: remove watch on reset
+Bugzilla: 1451470
 RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
-RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
 RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>
 
 From: Paolo Bonzini <pbonzini@redhat.com>
diff --git a/SOURCES/kvm-serial-reset-thri_pending-on-IER-writes-with-THRI-0.patch b/SOURCES/kvm-serial-reset-thri_pending-on-IER-writes-with-THRI-0.patch
index d7242e3..d04d626 100644
--- a/SOURCES/kvm-serial-reset-thri_pending-on-IER-writes-with-THRI-0.patch
+++ b/SOURCES/kvm-serial-reset-thri_pending-on-IER-writes-with-THRI-0.patch
@@ -1,15 +1,15 @@
-From 6d2a5ef7994e753197bb9653872601db4e6cff5d Mon Sep 17 00:00:00 2001
+From 09ff2706109ce647d1fe59e99f44f96810d80b7c Mon Sep 17 00:00:00 2001
 From: Fam Zheng <famz@redhat.com>
-Date: Fri, 19 May 2017 00:35:16 +0200
+Date: Thu, 18 May 2017 09:21:24 +0200
 Subject: [PATCH 11/18] serial: reset thri_pending on IER writes with THRI=0
 
 RH-Author: Fam Zheng <famz@redhat.com>
-Message-id: <20170519003523.21163-12-famz@redhat.com>
-Patchwork-id: 75365
-O-Subject: [RHEL-7.3.z qemu-kvm PATCH 11/18] serial: reset thri_pending on IER writes with THRI=0
-Bugzilla: 1452332
+Message-id: <20170518092131.16571-12-famz@redhat.com>
+Patchwork-id: 75302
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v3 11/18] serial: reset thri_pending on IER writes with THRI=0
+Bugzilla: 1451470
 RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
-RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
 RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>
 
 From: Paolo Bonzini <pbonzini@redhat.com>
diff --git a/SOURCES/kvm-serial-separate-serial_xmit-and-serial_watch_cb.patch b/SOURCES/kvm-serial-separate-serial_xmit-and-serial_watch_cb.patch
index 698096f..79df988 100644
--- a/SOURCES/kvm-serial-separate-serial_xmit-and-serial_watch_cb.patch
+++ b/SOURCES/kvm-serial-separate-serial_xmit-and-serial_watch_cb.patch
@@ -1,15 +1,15 @@
-From 2600e8a94c5434d07e820c7cf5bcd62d69849099 Mon Sep 17 00:00:00 2001
+From 8497b21c6dabe117b27d76f3bdbd86d80b0dd1d7 Mon Sep 17 00:00:00 2001
 From: Fam Zheng <famz@redhat.com>
-Date: Fri, 19 May 2017 00:35:22 +0200
+Date: Thu, 18 May 2017 09:21:30 +0200
 Subject: [PATCH 17/18] serial: separate serial_xmit and serial_watch_cb
 
 RH-Author: Fam Zheng <famz@redhat.com>
-Message-id: <20170519003523.21163-18-famz@redhat.com>
-Patchwork-id: 75368
-O-Subject: [RHEL-7.3.z qemu-kvm PATCH 17/18] serial: separate serial_xmit and serial_watch_cb
-Bugzilla: 1452332
+Message-id: <20170518092131.16571-18-famz@redhat.com>
+Patchwork-id: 75309
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v3 17/18] serial: separate serial_xmit and serial_watch_cb
+Bugzilla: 1451470
 RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
-RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
 RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>
 
 From: Paolo Bonzini <pbonzini@redhat.com>
diff --git a/SOURCES/kvm-serial-simplify-tsr_retry-reset.patch b/SOURCES/kvm-serial-simplify-tsr_retry-reset.patch
index 1325ff3..f61be2c 100644
--- a/SOURCES/kvm-serial-simplify-tsr_retry-reset.patch
+++ b/SOURCES/kvm-serial-simplify-tsr_retry-reset.patch
@@ -1,15 +1,15 @@
-From 4a5819d1786be74df4b2393f72d6901e05d0eb4a Mon Sep 17 00:00:00 2001
+From 8f143ae501a5bd1010dc4526ff8e0e85c4d2baf1 Mon Sep 17 00:00:00 2001
 From: Fam Zheng <famz@redhat.com>
-Date: Fri, 19 May 2017 00:35:21 +0200
+Date: Thu, 18 May 2017 09:21:29 +0200
 Subject: [PATCH 16/18] serial: simplify tsr_retry reset
 
 RH-Author: Fam Zheng <famz@redhat.com>
-Message-id: <20170519003523.21163-17-famz@redhat.com>
-Patchwork-id: 75372
-O-Subject: [RHEL-7.3.z qemu-kvm PATCH 16/18] serial: simplify tsr_retry reset
-Bugzilla: 1452332
+Message-id: <20170518092131.16571-17-famz@redhat.com>
+Patchwork-id: 75307
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v3 16/18] serial: simplify tsr_retry reset
+Bugzilla: 1451470
 RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
-RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
 RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>
 
 From: Paolo Bonzini <pbonzini@redhat.com>
diff --git a/SOURCES/kvm-serial-update-LSR-on-enabling-disabling-FIFOs.patch b/SOURCES/kvm-serial-update-LSR-on-enabling-disabling-FIFOs.patch
index f4b8523..7a61ec1 100644
--- a/SOURCES/kvm-serial-update-LSR-on-enabling-disabling-FIFOs.patch
+++ b/SOURCES/kvm-serial-update-LSR-on-enabling-disabling-FIFOs.patch
@@ -1,15 +1,15 @@
-From 727ebf3f24a6f519aab1306bad6e63014c76aec5 Mon Sep 17 00:00:00 2001
+From d6acc0368578932ee6a2949054a6f640a5b6fa09 Mon Sep 17 00:00:00 2001
 From: Fam Zheng <famz@redhat.com>
-Date: Fri, 19 May 2017 00:35:18 +0200
+Date: Thu, 18 May 2017 09:21:26 +0200
 Subject: [PATCH 13/18] serial: update LSR on enabling/disabling FIFOs
 
 RH-Author: Fam Zheng <famz@redhat.com>
-Message-id: <20170519003523.21163-14-famz@redhat.com>
-Patchwork-id: 75369
-O-Subject: [RHEL-7.3.z qemu-kvm PATCH 13/18] serial: update LSR on enabling/disabling FIFOs
-Bugzilla: 1452332
+Message-id: <20170518092131.16571-14-famz@redhat.com>
+Patchwork-id: 75306
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v3 13/18] serial: update LSR on enabling/disabling FIFOs
+Bugzilla: 1451470
 RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
-RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
 RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>
 
 From: Paolo Bonzini <pbonzini@redhat.com>
diff --git a/SOURCES/kvm-spice-fix-spice_chr_add_watch-pre-condition.patch b/SOURCES/kvm-spice-fix-spice_chr_add_watch-pre-condition.patch
index 35d702b..d184899 100644
--- a/SOURCES/kvm-spice-fix-spice_chr_add_watch-pre-condition.patch
+++ b/SOURCES/kvm-spice-fix-spice_chr_add_watch-pre-condition.patch
@@ -1,19 +1,19 @@
-From 9b379db2f11257f5ef88979fdf9660eaa0ad6b4b Mon Sep 17 00:00:00 2001
-From: Fam Zheng <famz@redhat.com>
-Date: Tue, 6 Jun 2017 06:16:56 +0200
+From a88811fcdd3dbc600a669eed0b106a5bf8f6b907 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
+Date: Wed, 31 May 2017 08:09:49 +0200
 Subject: [PATCH] spice: fix spice_chr_add_watch() pre-condition
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 
-RH-Author: Fam Zheng <famz@redhat.com>
-Message-id: <20170606061656.29212-2-famz@redhat.com>
-Patchwork-id: 75488
-O-Subject: [RHEL-7.3.z qemu-kvm PATCH 1/1] spice: fix spice_chr_add_watch() pre-condition
-Bugzilla: 1452332
-RH-Acked-by: John Snow <jsnow@redhat.com>
+RH-Author: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-id: <20170531080949.17102-1-marcandre.lureau@redhat.com>
+Patchwork-id: 75440
+O-Subject: [RHEL-7.4 qemu-kvm PATCH] spice: fix spice_chr_add_watch() pre-condition
+Bugzilla: 1456983
+RH-Acked-by: Fam Zheng <famz@redhat.com>
 RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>
-RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+RH-Acked-by: John Snow <jsnow@redhat.com>
 
 From: Marc-André Lureau <marcandre.lureau@gmail.com>
 
@@ -24,18 +24,25 @@ precondition must be changed.
 https://bugzilla.redhat.com/show_bug.cgi?id=1128992
 
 Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1456983
+Brew: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=13310981
+
+"serial: poll the serial console with G_IO_HUP" was backported without
+the Spice related fix.
+
 (cherry picked from commit f7a8beb5e6a13dc924895244777d9ef08b23b367)
-Signed-off-by: Fam Zheng <famz@redhat.com>
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
 Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
 ---
  spice-qemu-char.c | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/spice-qemu-char.c b/spice-qemu-char.c
-index 6d147a7..079c214 100644
+index cd51f3c..02c568c 100644
 --- a/spice-qemu-char.c
 +++ b/spice-qemu-char.c
-@@ -171,7 +171,7 @@ static GSource *spice_chr_add_watch(CharDriverState *chr, GIOCondition cond)
+@@ -170,7 +170,7 @@ static GSource *spice_chr_add_watch(CharDriverState *chr, GIOCondition cond)
      SpiceCharDriver *scd = chr->opaque;
      SpiceCharSource *src;
  
diff --git a/SOURCES/kvm-spice-remove-spice-experimental.h-include.patch b/SOURCES/kvm-spice-remove-spice-experimental.h-include.patch
new file mode 100644
index 0000000..37f1f57
--- /dev/null
+++ b/SOURCES/kvm-spice-remove-spice-experimental.h-include.patch
@@ -0,0 +1,58 @@
+From 8ed773749fd59ff4036ded5ad106de027f92cefe Mon Sep 17 00:00:00 2001
+From: Miroslav Rezanina <mrezanin@redhat.com>
+Date: Thu, 9 Mar 2017 06:12:04 +0100
+Subject: [PATCH 16/17] spice: remove spice-experimental.h include
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Miroslav Rezanina <mrezanin@redhat.com>
+Message-id: <ed3cc22a1061a82e508c44c2c4b045997185c0e1.1489039263.git.mrezanin@redhat.com>
+Patchwork-id: 74258
+O-Subject: [RHEL-7.4 qemu-kvm PATCH 1/2] spice: remove spice-experimental.h include
+Bugzilla: 1430606
+RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
+RH-Acked-by: Marc-André Lureau <mlureau@redhat.com>
+RH-Acked-by: David Hildenbrand <david@redhat.com>
+
+From: Marc-André Lureau <marcandre.lureau@gmail.com>
+
+Nothing seems to be using functions from spice-experimental.h (better
+that way). Let's remove its inclusion.
+
+Signed-off-by: Marc-André Lureau <marcandre.lureau@gmail.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit e0883e2de0ef36f254acc274e80ddeac13a2a8f6)
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ spice-qemu-char.c | 1 -
+ ui/spice-core.c   | 1 -
+ 2 files changed, 2 deletions(-)
+
+diff --git a/spice-qemu-char.c b/spice-qemu-char.c
+index 6d147a7..cd51f3c 100644
+--- a/spice-qemu-char.c
++++ b/spice-qemu-char.c
+@@ -3,7 +3,6 @@
+ #include "ui/qemu-spice.h"
+ #include "sysemu/char.h"
+ #include <spice.h>
+-#include <spice-experimental.h>
+ #include <spice/protocol.h>
+ 
+ #include "qemu/osdep.h"
+diff --git a/ui/spice-core.c b/ui/spice-core.c
+index 8d6e726..0585267 100644
+--- a/ui/spice-core.c
++++ b/ui/spice-core.c
+@@ -16,7 +16,6 @@
+  */
+ 
+ #include <spice.h>
+-#include <spice-experimental.h>
+ 
+ #include <netdb.h>
+ #include "sysemu/sysemu.h"
+-- 
+1.8.3.1
+
diff --git a/SOURCES/kvm-spice-replace-use-of-deprecated-API.patch b/SOURCES/kvm-spice-replace-use-of-deprecated-API.patch
new file mode 100644
index 0000000..e9ab192
--- /dev/null
+++ b/SOURCES/kvm-spice-replace-use-of-deprecated-API.patch
@@ -0,0 +1,179 @@
+From 43d3585ba869c97c46cffc3c9fd7e46885d539c0 Mon Sep 17 00:00:00 2001
+From: Miroslav Rezanina <mrezanin@redhat.com>
+Date: Thu, 9 Mar 2017 06:12:05 +0100
+Subject: [PATCH 17/17] spice: replace use of deprecated API
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Miroslav Rezanina <mrezanin@redhat.com>
+Message-id: <4696b589a948f544ea081abeb496cb383a466020.1489039263.git.mrezanin@redhat.com>
+Patchwork-id: 74259
+O-Subject: [RHEL-7.4 qemu-kvm PATCH 2/2] spice: replace use of deprecated API
+Bugzilla: 1430606
+RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
+RH-Acked-by: Marc-André Lureau <mlureau@redhat.com>
+RH-Acked-by: David Hildenbrand <david@redhat.com>
+
+From: Marc-André Lureau <marcandre.lureau@gmail.com>
+
+hose API are deprecated since 0.11, and qemu depends on 0.12 already.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit 26defe81f6a878f33e0aaeb1df4d0d7022c929ca)
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ hw/display/qxl.c   | 16 ++++++++--------
+ ui/spice-core.c    | 15 +++++++--------
+ ui/spice-display.c | 10 +++++-----
+ 3 files changed, 20 insertions(+), 21 deletions(-)
+
+diff --git a/hw/display/qxl.c b/hw/display/qxl.c
+index c76c237..0a755df 100644
+--- a/hw/display/qxl.c
++++ b/hw/display/qxl.c
+@@ -162,7 +162,7 @@ void qxl_spice_update_area(PCIQXLDevice *qxl, uint32_t surface_id,
+     trace_qxl_spice_update_area_rest(qxl->id, num_dirty_rects,
+                                      clear_dirty_region);
+     if (async == QXL_SYNC) {
+-        qxl->ssd.worker->update_area(qxl->ssd.worker, surface_id, area,
++        spice_qxl_update_area(&qxl->ssd.qxl, surface_id, area,
+                         dirty_rects, num_dirty_rects, clear_dirty_region);
+     } else {
+         assert(cookie != NULL);
+@@ -193,7 +193,7 @@ static void qxl_spice_destroy_surface_wait(PCIQXLDevice *qxl, uint32_t id,
+         cookie->u.surface_id = id;
+         spice_qxl_destroy_surface_async(&qxl->ssd.qxl, id, (uintptr_t)cookie);
+     } else {
+-        qxl->ssd.worker->destroy_surface_wait(qxl->ssd.worker, id);
++        spice_qxl_destroy_surface_wait(&qxl->ssd.qxl, id);
+         qxl_spice_destroy_surface_wait_complete(qxl, id);
+     }
+ }
+@@ -211,19 +211,19 @@ void qxl_spice_loadvm_commands(PCIQXLDevice *qxl, struct QXLCommandExt *ext,
+                                uint32_t count)
+ {
+     trace_qxl_spice_loadvm_commands(qxl->id, ext, count);
+-    qxl->ssd.worker->loadvm_commands(qxl->ssd.worker, ext, count);
++    spice_qxl_loadvm_commands(&qxl->ssd.qxl, ext, count);
+ }
+ 
+ void qxl_spice_oom(PCIQXLDevice *qxl)
+ {
+     trace_qxl_spice_oom(qxl->id);
+-    qxl->ssd.worker->oom(qxl->ssd.worker);
++    spice_qxl_oom(&qxl->ssd.qxl);
+ }
+ 
+ void qxl_spice_reset_memslots(PCIQXLDevice *qxl)
+ {
+     trace_qxl_spice_reset_memslots(qxl->id);
+-    qxl->ssd.worker->reset_memslots(qxl->ssd.worker);
++    spice_qxl_reset_memslots(&qxl->ssd.qxl);
+ }
+ 
+ static void qxl_spice_destroy_surfaces_complete(PCIQXLDevice *qxl)
+@@ -244,7 +244,7 @@ static void qxl_spice_destroy_surfaces(PCIQXLDevice *qxl, qxl_async_io async)
+                 (uintptr_t)qxl_cookie_new(QXL_COOKIE_TYPE_IO,
+                                           QXL_IO_DESTROY_ALL_SURFACES_ASYNC));
+     } else {
+-        qxl->ssd.worker->destroy_surfaces(qxl->ssd.worker);
++        spice_qxl_destroy_surfaces(&qxl->ssd.qxl);
+         qxl_spice_destroy_surfaces_complete(qxl);
+     }
+ }
+@@ -283,13 +283,13 @@ static void qxl_spice_monitors_config_async(PCIQXLDevice *qxl, int replay)
+ void qxl_spice_reset_image_cache(PCIQXLDevice *qxl)
+ {
+     trace_qxl_spice_reset_image_cache(qxl->id);
+-    qxl->ssd.worker->reset_image_cache(qxl->ssd.worker);
++    spice_qxl_reset_image_cache(&qxl->ssd.qxl);
+ }
+ 
+ void qxl_spice_reset_cursor(PCIQXLDevice *qxl)
+ {
+     trace_qxl_spice_reset_cursor(qxl->id);
+-    qxl->ssd.worker->reset_cursor(qxl->ssd.worker);
++    spice_qxl_reset_cursor(&qxl->ssd.qxl);
+     qemu_mutex_lock(&qxl->track_lock);
+     qxl->guest_cursor = 0;
+     qemu_mutex_unlock(&qxl->track_lock);
+diff --git a/ui/spice-core.c b/ui/spice-core.c
+index 0585267..0cd60f3 100644
+--- a/ui/spice-core.c
++++ b/ui/spice-core.c
+@@ -383,17 +383,16 @@ static SpiceChannelList *qmp_query_spice_channels(void)
+         struct sockaddr *paddr;
+         socklen_t plen;
+ 
++        if (!(item->info->flags & SPICE_CHANNEL_EVENT_FLAG_ADDR_EXT)) {
++            error_report("invalid channel event");
++            return NULL;
++        }
++
+         chan = g_malloc0(sizeof(*chan));
+         chan->value = g_malloc0(sizeof(*chan->value));
+ 
+-        if (item->info->flags & SPICE_CHANNEL_EVENT_FLAG_ADDR_EXT) {
+-            paddr = (struct sockaddr *)&item->info->paddr_ext;
+-            plen = item->info->plen_ext;
+-        } else {
+-            paddr = &item->info->paddr;
+-            plen = item->info->plen;
+-        }
+-
++        paddr = (struct sockaddr *)&item->info->paddr_ext;
++        plen = item->info->plen_ext;
+         getnameinfo(paddr, plen,
+                     host, sizeof(host), port, sizeof(port),
+                     NI_NUMERICHOST | NI_NUMERICSERV);
+diff --git a/ui/spice-display.c b/ui/spice-display.c
+index d29d2ab..e2c24a9 100644
+--- a/ui/spice-display.c
++++ b/ui/spice-display.c
+@@ -83,14 +83,14 @@ void qemu_spice_add_memslot(SimpleSpiceDisplay *ssd, QXLDevMemSlot *memslot,
+                 (uintptr_t)qxl_cookie_new(QXL_COOKIE_TYPE_IO,
+                                           QXL_IO_MEMSLOT_ADD_ASYNC));
+     } else {
+-        ssd->worker->add_memslot(ssd->worker, memslot);
++        spice_qxl_add_memslot(&ssd->qxl, memslot);
+     }
+ }
+ 
+ void qemu_spice_del_memslot(SimpleSpiceDisplay *ssd, uint32_t gid, uint32_t sid)
+ {
+     trace_qemu_spice_del_memslot(ssd->qxl.id, gid, sid);
+-    ssd->worker->del_memslot(ssd->worker, gid, sid);
++    spice_qxl_del_memslot(&ssd->qxl, gid, sid);
+ }
+ 
+ void qemu_spice_create_primary_surface(SimpleSpiceDisplay *ssd, uint32_t id,
+@@ -103,7 +103,7 @@ void qemu_spice_create_primary_surface(SimpleSpiceDisplay *ssd, uint32_t id,
+                 (uintptr_t)qxl_cookie_new(QXL_COOKIE_TYPE_IO,
+                                           QXL_IO_CREATE_PRIMARY_ASYNC));
+     } else {
+-        ssd->worker->create_primary_surface(ssd->worker, id, surface);
++        spice_qxl_create_primary_surface(&ssd->qxl, id, surface);
+     }
+ }
+ 
+@@ -116,14 +116,14 @@ void qemu_spice_destroy_primary_surface(SimpleSpiceDisplay *ssd,
+                 (uintptr_t)qxl_cookie_new(QXL_COOKIE_TYPE_IO,
+                                           QXL_IO_DESTROY_PRIMARY_ASYNC));
+     } else {
+-        ssd->worker->destroy_primary_surface(ssd->worker, id);
++        spice_qxl_destroy_primary_surface(&ssd->qxl, id);
+     }
+ }
+ 
+ void qemu_spice_wakeup(SimpleSpiceDisplay *ssd)
+ {
+     trace_qemu_spice_wakeup(ssd->qxl.id);
+-    ssd->worker->wakeup(ssd->worker);
++    spice_qxl_wakeup(&ssd->qxl);
+ }
+ 
+ static void qemu_spice_create_one_update(SimpleSpiceDisplay *ssd,
+-- 
+1.8.3.1
+
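Review bot: In the ui/spice-core.c hunk, the new `return NULL;` taken when `SPICE_CHANNEL_EVENT_FLAG_ADDR_EXT` is not set appears, from the per-`item` accesses around it, to run once per channel. If so, it abandons any list entries built by earlier iterations and gives the QMP caller a result it cannot tell apart from "no channels". Skipping the one bad entry would avoid both, e.g. `error_report("invalid channel event"); continue;`, or the partial list could be freed before returning. The unchanged `getnameinfo(...)` call below it ignores its return value, so `host` and `port` may be unset on failure if later code reads them. The body of qmp_query_spice_channels starts and ends outside the hunk, so the loop structure is inferred.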
diff --git a/SOURCES/kvm-target-i386-Define-TCG_-_FEATURES-earlier-in-cpu.c.patch b/SOURCES/kvm-target-i386-Define-TCG_-_FEATURES-earlier-in-cpu.c.patch
new file mode 100644
index 0000000..0fcd889
--- /dev/null
+++ b/SOURCES/kvm-target-i386-Define-TCG_-_FEATURES-earlier-in-cpu.c.patch
@@ -0,0 +1,171 @@
+From 30c05c032f0af4e959b304f5223dbaf331955488 Mon Sep 17 00:00:00 2001
+From: Eduardo Habkost <ehabkost@redhat.com>
+Date: Thu, 23 Feb 2017 14:29:43 +0100
+Subject: [PATCH 13/17] target-i386: Define TCG_*_FEATURES earlier in cpu.c
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Eduardo Habkost <ehabkost@redhat.com>
+Message-id: <20170223142945.17790-13-ehabkost@redhat.com>
+Patchwork-id: 74042
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v2 12/14] target-i386: Define TCG_*_FEATURES earlier in cpu.c
+Bugzilla: 1382122
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+Those macros will be used in the feature_word_info array data, so need
+to be defined earlier.
+
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+Signed-off-by: Andreas Färber <afaerber@suse.de>
+(cherry picked from commit 621626ce7d44f008298c7e6cfefa9fbb80a33dc2)
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ target-i386/cpu.c | 121 +++++++++++++++++++++++++++---------------------------
+ 1 file changed, 61 insertions(+), 60 deletions(-)
+
+diff --git a/target-i386/cpu.c b/target-i386/cpu.c
+index e6821b6..d611062 100644
+--- a/target-i386/cpu.c
++++ b/target-i386/cpu.c
+@@ -187,6 +187,67 @@ static const char *cpuid_xsave_feature_name[] = {
+     NULL, NULL, NULL, NULL,
+ };
+ 
++#define I486_FEATURES (CPUID_FP87 | CPUID_VME | CPUID_PSE)
++#define PENTIUM_FEATURES (I486_FEATURES | CPUID_DE | CPUID_TSC | \
++          CPUID_MSR | CPUID_MCE | CPUID_CX8 | CPUID_MMX | CPUID_APIC)
++#define PENTIUM2_FEATURES (PENTIUM_FEATURES | CPUID_PAE | CPUID_SEP | \
++          CPUID_MTRR | CPUID_PGE | CPUID_MCA | CPUID_CMOV | CPUID_PAT | \
++          CPUID_PSE36 | CPUID_FXSR)
++#define PENTIUM3_FEATURES (PENTIUM2_FEATURES | CPUID_SSE)
++#define PPRO_FEATURES (CPUID_FP87 | CPUID_DE | CPUID_PSE | CPUID_TSC | \
++          CPUID_MSR | CPUID_MCE | CPUID_CX8 | CPUID_PGE | CPUID_CMOV | \
++          CPUID_PAT | CPUID_FXSR | CPUID_MMX | CPUID_SSE | CPUID_SSE2 | \
++          CPUID_PAE | CPUID_SEP | CPUID_APIC)
++
++#define TCG_FEATURES (CPUID_FP87 | CPUID_PSE | CPUID_TSC | CPUID_MSR | \
++          CPUID_PAE | CPUID_MCE | CPUID_CX8 | CPUID_APIC | CPUID_SEP | \
++          CPUID_MTRR | CPUID_PGE | CPUID_MCA | CPUID_CMOV | CPUID_PAT | \
++          CPUID_PSE36 | CPUID_CLFLUSH | CPUID_ACPI | CPUID_MMX | \
++          CPUID_FXSR | CPUID_SSE | CPUID_SSE2 | CPUID_SS)
++          /* partly implemented:
++          CPUID_MTRR, CPUID_MCA, CPUID_CLFLUSH (needed for Win64)
++          CPUID_PSE36 (needed for Solaris) */
++          /* missing:
++          CPUID_VME, CPUID_DTS, CPUID_SS, CPUID_HT, CPUID_TM, CPUID_PBE */
++#define TCG_EXT_FEATURES (CPUID_EXT_SSE3 | CPUID_EXT_PCLMULQDQ | \
++          CPUID_EXT_MONITOR | CPUID_EXT_SSSE3 | CPUID_EXT_CX16 | \
++          CPUID_EXT_SSE41 | CPUID_EXT_SSE42 | CPUID_EXT_POPCNT | \
++          CPUID_EXT_MOVBE | CPUID_EXT_AES | CPUID_EXT_HYPERVISOR)
++          /* missing:
++          CPUID_EXT_DTES64, CPUID_EXT_DSCPL, CPUID_EXT_VMX, CPUID_EXT_SMX,
++          CPUID_EXT_EST, CPUID_EXT_TM2, CPUID_EXT_CID, CPUID_EXT_FMA,
++          CPUID_EXT_XTPR, CPUID_EXT_PDCM, CPUID_EXT_PCID, CPUID_EXT_DCA,
++          CPUID_EXT_X2APIC, CPUID_EXT_TSC_DEADLINE_TIMER, CPUID_EXT_XSAVE,
++          CPUID_EXT_OSXSAVE, CPUID_EXT_AVX, CPUID_EXT_F16C,
++          CPUID_EXT_RDRAND */
++
++#ifdef TARGET_X86_64
++#define TCG_EXT2_X86_64_FEATURES (CPUID_EXT2_SYSCALL | CPUID_EXT2_LM)
++#else
++#define TCG_EXT2_X86_64_FEATURES 0
++#endif
++
++#define TCG_EXT2_FEATURES ((TCG_FEATURES & CPUID_EXT2_AMD_ALIASES) | \
++          CPUID_EXT2_NX | CPUID_EXT2_MMXEXT | CPUID_EXT2_RDTSCP | \
++          CPUID_EXT2_3DNOW | CPUID_EXT2_3DNOWEXT | \
++          TCG_EXT2_X86_64_FEATURES)
++          /* missing:
++          CPUID_EXT2_PDPE1GB */
++#define TCG_EXT3_FEATURES (CPUID_EXT3_LAHF_LM | CPUID_EXT3_SVM | \
++          CPUID_EXT3_CR8LEG | CPUID_EXT3_ABM | CPUID_EXT3_SSE4A)
++#define TCG_EXT4_FEATURES 0
++#define TCG_SVM_FEATURES 0
++#define TCG_KVM_FEATURES 0
++#define TCG_7_0_EBX_FEATURES (CPUID_7_0_EBX_SMEP | CPUID_7_0_EBX_SMAP | \
++          CPUID_7_0_EBX_BMI1 | CPUID_7_0_EBX_BMI2 | CPUID_7_0_EBX_ADX)
++          /* missing:
++          CPUID_7_0_EBX_FSGSBASE, CPUID_7_0_EBX_HLE, CPUID_7_0_EBX_AVX2,
++          CPUID_7_0_EBX_ERMS, CPUID_7_0_EBX_INVPCID, CPUID_7_0_EBX_RTM,
++          CPUID_7_0_EBX_RDSEED */
++#define TCG_7_0_ECX_FEATURES 0
++#define TCG_7_0_EDX_FEATURES 0
++
++
+ typedef struct FeatureWordInfo {
+     const char **feat_names;
+     uint32_t cpuid_eax;   /* Input EAX for CPUID */
+@@ -453,66 +514,6 @@ typedef struct x86_def_t {
+     char model_id[48];
+ } x86_def_t;
+ 
+-#define I486_FEATURES (CPUID_FP87 | CPUID_VME | CPUID_PSE)
+-#define PENTIUM_FEATURES (I486_FEATURES | CPUID_DE | CPUID_TSC | \
+-          CPUID_MSR | CPUID_MCE | CPUID_CX8 | CPUID_MMX | CPUID_APIC)
+-#define PENTIUM2_FEATURES (PENTIUM_FEATURES | CPUID_PAE | CPUID_SEP | \
+-          CPUID_MTRR | CPUID_PGE | CPUID_MCA | CPUID_CMOV | CPUID_PAT | \
+-          CPUID_PSE36 | CPUID_FXSR)
+-#define PENTIUM3_FEATURES (PENTIUM2_FEATURES | CPUID_SSE)
+-#define PPRO_FEATURES (CPUID_FP87 | CPUID_DE | CPUID_PSE | CPUID_TSC | \
+-          CPUID_MSR | CPUID_MCE | CPUID_CX8 | CPUID_PGE | CPUID_CMOV | \
+-          CPUID_PAT | CPUID_FXSR | CPUID_MMX | CPUID_SSE | CPUID_SSE2 | \
+-          CPUID_PAE | CPUID_SEP | CPUID_APIC)
+-
+-#define TCG_FEATURES (CPUID_FP87 | CPUID_PSE | CPUID_TSC | CPUID_MSR | \
+-          CPUID_PAE | CPUID_MCE | CPUID_CX8 | CPUID_APIC | CPUID_SEP | \
+-          CPUID_MTRR | CPUID_PGE | CPUID_MCA | CPUID_CMOV | CPUID_PAT | \
+-          CPUID_PSE36 | CPUID_CLFLUSH | CPUID_ACPI | CPUID_MMX | \
+-          CPUID_FXSR | CPUID_SSE | CPUID_SSE2 | CPUID_SS)
+-          /* partly implemented:
+-          CPUID_MTRR, CPUID_MCA, CPUID_CLFLUSH (needed for Win64)
+-          CPUID_PSE36 (needed for Solaris) */
+-          /* missing:
+-          CPUID_VME, CPUID_DTS, CPUID_SS, CPUID_HT, CPUID_TM, CPUID_PBE */
+-#define TCG_EXT_FEATURES (CPUID_EXT_SSE3 | CPUID_EXT_PCLMULQDQ | \
+-          CPUID_EXT_MONITOR | CPUID_EXT_SSSE3 | CPUID_EXT_CX16 | \
+-          CPUID_EXT_SSE41 | CPUID_EXT_SSE42 | CPUID_EXT_POPCNT | \
+-          CPUID_EXT_MOVBE | CPUID_EXT_AES | CPUID_EXT_HYPERVISOR)
+-          /* missing:
+-          CPUID_EXT_DTES64, CPUID_EXT_DSCPL, CPUID_EXT_VMX, CPUID_EXT_SMX,
+-          CPUID_EXT_EST, CPUID_EXT_TM2, CPUID_EXT_CID, CPUID_EXT_FMA,
+-          CPUID_EXT_XTPR, CPUID_EXT_PDCM, CPUID_EXT_PCID, CPUID_EXT_DCA,
+-          CPUID_EXT_X2APIC, CPUID_EXT_TSC_DEADLINE_TIMER, CPUID_EXT_XSAVE,
+-          CPUID_EXT_OSXSAVE, CPUID_EXT_AVX, CPUID_EXT_F16C,
+-          CPUID_EXT_RDRAND */
+-
+-#ifdef TARGET_X86_64
+-#define TCG_EXT2_X86_64_FEATURES (CPUID_EXT2_SYSCALL | CPUID_EXT2_LM)
+-#else
+-#define TCG_EXT2_X86_64_FEATURES 0
+-#endif
+-
+-#define TCG_EXT2_FEATURES ((TCG_FEATURES & CPUID_EXT2_AMD_ALIASES) | \
+-          CPUID_EXT2_NX | CPUID_EXT2_MMXEXT | CPUID_EXT2_RDTSCP | \
+-          CPUID_EXT2_3DNOW | CPUID_EXT2_3DNOWEXT | \
+-          TCG_EXT2_X86_64_FEATURES)
+-          /* missing:
+-          CPUID_EXT2_PDPE1GB */
+-#define TCG_EXT3_FEATURES (CPUID_EXT3_LAHF_LM | CPUID_EXT3_SVM | \
+-          CPUID_EXT3_CR8LEG | CPUID_EXT3_ABM | CPUID_EXT3_SSE4A)
+-#define TCG_EXT4_FEATURES 0
+-#define TCG_SVM_FEATURES 0
+-#define TCG_KVM_FEATURES 0
+-#define TCG_7_0_EBX_FEATURES (CPUID_7_0_EBX_SMEP | CPUID_7_0_EBX_SMAP | \
+-          CPUID_7_0_EBX_BMI1 | CPUID_7_0_EBX_BMI2 | CPUID_7_0_EBX_ADX)
+-          /* missing:
+-          CPUID_7_0_EBX_FSGSBASE, CPUID_7_0_EBX_HLE, CPUID_7_0_EBX_AVX2,
+-          CPUID_7_0_EBX_ERMS, CPUID_7_0_EBX_INVPCID, CPUID_7_0_EBX_RTM,
+-          CPUID_7_0_EBX_RDSEED */
+-#define TCG_7_0_ECX_FEATURES 0
+-#define TCG_7_0_EDX_FEATURES 0
+-
+ /* built-in CPU model definitions
+  */
+ static x86_def_t builtin_x86_defs[] = {
+-- 
+1.8.3.1
+
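Review bot: The relocated `TCG_FEATURES` definition in target-i386/cpu.c still ORs in `CPUID_SS`, while the comment directly beneath it lists `CPUID_SS` under "missing:". The commit message says these macros will feed the feature_word_info data, so the mask and its comment should agree: either drop the flag from the mask or remove it from the "missing" list, whichever matches what TCG actually implements. The "partly implemented" and "missing" comments also trail each `#define` rather than precede it, which makes them easy to attribute to the wrong macro; the move is a good moment to put each above the macro it describes.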
diff --git a/SOURCES/kvm-target-i386-Filter-FEAT_7_0_EBX-TCG-features-too.patch b/SOURCES/kvm-target-i386-Filter-FEAT_7_0_EBX-TCG-features-too.patch
new file mode 100644
index 0000000..0752c5f
--- /dev/null
+++ b/SOURCES/kvm-target-i386-Filter-FEAT_7_0_EBX-TCG-features-too.patch
@@ -0,0 +1,56 @@
+From 65c528e40cc9e6d3d887fd79284d465bb482bbe2 Mon Sep 17 00:00:00 2001
+From: Eduardo Habkost <ehabkost@redhat.com>
+Date: Thu, 23 Feb 2017 14:29:41 +0100
+Subject: [PATCH 11/17] target-i386: Filter FEAT_7_0_EBX TCG features too
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Eduardo Habkost <ehabkost@redhat.com>
+Message-id: <20170223142945.17790-11-ehabkost@redhat.com>
+Patchwork-id: 74044
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v2 10/14] target-i386: Filter FEAT_7_0_EBX TCG features too
+Bugzilla: 1382122
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+The TCG_7_0_EBX_FEATURES macro was defined but never used (it even had a
+typo that was never noticed). Make the existing TCG feature filtering
+code use it.
+
+Reviewed-by: Richard Henderson <rth@twiddle.net>
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Andreas Färber <afaerber@suse.de>
+(cherry picked from commit d0a70f46fa9a3257089a56f2f620b0eff868557f)
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ target-i386/cpu.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/target-i386/cpu.c b/target-i386/cpu.c
+index e32d4d7..d424211 100644
+--- a/target-i386/cpu.c
++++ b/target-i386/cpu.c
+@@ -502,7 +502,7 @@ typedef struct x86_def_t {
+ #define TCG_EXT3_FEATURES (CPUID_EXT3_LAHF_LM | CPUID_EXT3_SVM | \
+           CPUID_EXT3_CR8LEG | CPUID_EXT3_ABM | CPUID_EXT3_SSE4A)
+ #define TCG_SVM_FEATURES 0
+-#define TCG_7_0_EBX_FEATURES (CPUID_7_0_EBX_SMEP | CPUID_7_0_EBX_SMAP \
++#define TCG_7_0_EBX_FEATURES (CPUID_7_0_EBX_SMEP | CPUID_7_0_EBX_SMAP | \
+           CPUID_7_0_EBX_BMI1 | CPUID_7_0_EBX_BMI2 | CPUID_7_0_EBX_ADX)
+           /* missing:
+           CPUID_7_0_EBX_FSGSBASE, CPUID_7_0_EBX_HLE, CPUID_7_0_EBX_AVX2,
+@@ -2640,6 +2640,7 @@ static void x86_cpu_realizefn(DeviceState *dev, Error **errp)
+     if (!kvm_enabled()) {
+         env->features[FEAT_1_EDX] &= TCG_FEATURES;
+         env->features[FEAT_1_ECX] &= TCG_EXT_FEATURES;
++        env->features[FEAT_7_0_EBX] &= TCG_7_0_EBX_FEATURES;
+         env->features[FEAT_8000_0001_EDX] &= TCG_EXT2_FEATURES;
+         env->features[FEAT_8000_0001_ECX] &= TCG_EXT3_FEATURES;
+         env->features[FEAT_SVM] &= TCG_SVM_FEATURES;
+-- 
+1.8.3.1
+
diff --git a/SOURCES/kvm-target-i386-Filter-KVM-and-0xC0000001-features-on-TC.patch b/SOURCES/kvm-target-i386-Filter-KVM-and-0xC0000001-features-on-TC.patch
new file mode 100644
index 0000000..20f595a
--- /dev/null
+++ b/SOURCES/kvm-target-i386-Filter-KVM-and-0xC0000001-features-on-TC.patch
@@ -0,0 +1,57 @@
+From d037664335efca55df79abcde79f4f2733ca535b Mon Sep 17 00:00:00 2001
+From: Eduardo Habkost <ehabkost@redhat.com>
+Date: Thu, 23 Feb 2017 14:29:42 +0100
+Subject: [PATCH 12/17] target-i386: Filter KVM and 0xC0000001 features on TCG
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Eduardo Habkost <ehabkost@redhat.com>
+Message-id: <20170223142945.17790-12-ehabkost@redhat.com>
+Patchwork-id: 74040
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v2 11/14] target-i386: Filter KVM and 0xC0000001 features on TCG
+Bugzilla: 1382122
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+TCG doesn't support any of the feature flags on FEAT_KVM and
+FEAT_C000_0001_EDX feature words, so clear all bits on those feature
+words.
+
+Reviewed-by: Richard Henderson <rth@twiddle.net>
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+Signed-off-by: Andreas Färber <afaerber@suse.de>
+(cherry picked from commit 84a6c6cd40687598c7e85d7de8095e08b5e636d7)
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ target-i386/cpu.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/target-i386/cpu.c b/target-i386/cpu.c
+index d424211..e6821b6 100644
+--- a/target-i386/cpu.c
++++ b/target-i386/cpu.c
+@@ -501,7 +501,9 @@ typedef struct x86_def_t {
+           CPUID_EXT2_PDPE1GB */
+ #define TCG_EXT3_FEATURES (CPUID_EXT3_LAHF_LM | CPUID_EXT3_SVM | \
+           CPUID_EXT3_CR8LEG | CPUID_EXT3_ABM | CPUID_EXT3_SSE4A)
++#define TCG_EXT4_FEATURES 0
+ #define TCG_SVM_FEATURES 0
++#define TCG_KVM_FEATURES 0
+ #define TCG_7_0_EBX_FEATURES (CPUID_7_0_EBX_SMEP | CPUID_7_0_EBX_SMAP | \
+           CPUID_7_0_EBX_BMI1 | CPUID_7_0_EBX_BMI2 | CPUID_7_0_EBX_ADX)
+           /* missing:
+@@ -2644,6 +2646,8 @@ static void x86_cpu_realizefn(DeviceState *dev, Error **errp)
+         env->features[FEAT_8000_0001_EDX] &= TCG_EXT2_FEATURES;
+         env->features[FEAT_8000_0001_ECX] &= TCG_EXT3_FEATURES;
+         env->features[FEAT_SVM] &= TCG_SVM_FEATURES;
++        env->features[FEAT_KVM] &= TCG_KVM_FEATURES;
++        env->features[FEAT_C000_0001_EDX] &= TCG_EXT4_FEATURES;
+         env->features[FEAT_XSAVE] = 0;
+         env->features[FEAT_7_0_ECX] &= TCG_7_0_ECX_FEATURES;
+         env->features[FEAT_7_0_EDX] &= TCG_7_0_EDX_FEATURES;
+-- 
+1.8.3.1
+
diff --git a/SOURCES/kvm-target-i386-Loop-based-copying-and-setting-unsetting.patch b/SOURCES/kvm-target-i386-Loop-based-copying-and-setting-unsetting.patch
new file mode 100644
index 0000000..6efcc59
--- /dev/null
+++ b/SOURCES/kvm-target-i386-Loop-based-copying-and-setting-unsetting.patch
@@ -0,0 +1,112 @@
+From 04a8a3d76b171deb5eaf8318591e5cfaea3cc843 Mon Sep 17 00:00:00 2001
+From: Eduardo Habkost <ehabkost@redhat.com>
+Date: Thu, 23 Feb 2017 14:29:44 +0100
+Subject: [PATCH 14/17] target-i386: Loop-based copying and setting/unsetting
+ of feature words
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Eduardo Habkost <ehabkost@redhat.com>
+Message-id: <20170223142945.17790-14-ehabkost@redhat.com>
+Patchwork-id: 74045
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v2 13/14] target-i386: Loop-based copying and setting/unsetting of feature words
+Bugzilla: 1382122
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+Now that we have the feature word arrays, we don't need to manually copy
+each array item, we can simply iterate through each feature word.
+
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+Signed-off-by: Andreas Färber <afaerber@suse.de>
+(cherry picked from commit e1c224b4eb3b8693c230bb2762a959ae1f531f76)
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ target-i386/cpu.c | 44 ++++++++++----------------------------------
+ 1 file changed, 10 insertions(+), 34 deletions(-)
+
+diff --git a/target-i386/cpu.c b/target-i386/cpu.c
+index d611062..010b95f 100644
+--- a/target-i386/cpu.c
++++ b/target-i386/cpu.c
+@@ -1755,6 +1755,7 @@ static inline void feat2prop(char *s)
+ static void cpu_x86_parse_featurestr(X86CPU *cpu, char *features, Error **errp)
+ {
+     char *featurestr; /* Single 'key=value" string being parsed */
++    FeatureWord w;
+     /* Features to be added */
+     FeatureWordArray plus_features = { 0 };
+     /* Features to be removed */
+@@ -1844,28 +1845,11 @@ static void cpu_x86_parse_featurestr(X86CPU *cpu, char *features, Error **errp)
+         }
+         featurestr = strtok(NULL, ",");
+     }
+-    env->features[FEAT_1_EDX] |= plus_features[FEAT_1_EDX];
+-    env->features[FEAT_1_ECX] |= plus_features[FEAT_1_ECX];
+-    env->features[FEAT_8000_0001_EDX] |= plus_features[FEAT_8000_0001_EDX];
+-    env->features[FEAT_8000_0001_ECX] |= plus_features[FEAT_8000_0001_ECX];
+-    env->features[FEAT_C000_0001_EDX] |= plus_features[FEAT_C000_0001_EDX];
+-    env->features[FEAT_KVM] |= plus_features[FEAT_KVM];
+-    env->features[FEAT_SVM] |= plus_features[FEAT_SVM];
+-    env->features[FEAT_7_0_EBX] |= plus_features[FEAT_7_0_EBX];
+-    env->features[FEAT_7_0_ECX] |= plus_features[FEAT_7_0_ECX];
+-    env->features[FEAT_7_0_EDX] |= plus_features[FEAT_7_0_EDX];
+-    env->features[FEAT_XSAVE] |= plus_features[FEAT_XSAVE];
+-    env->features[FEAT_1_EDX] &= ~minus_features[FEAT_1_EDX];
+-    env->features[FEAT_1_ECX] &= ~minus_features[FEAT_1_ECX];
+-    env->features[FEAT_8000_0001_EDX] &= ~minus_features[FEAT_8000_0001_EDX];
+-    env->features[FEAT_8000_0001_ECX] &= ~minus_features[FEAT_8000_0001_ECX];
+-    env->features[FEAT_C000_0001_EDX] &= ~minus_features[FEAT_C000_0001_EDX];
+-    env->features[FEAT_KVM] &= ~minus_features[FEAT_KVM];
+-    env->features[FEAT_SVM] &= ~minus_features[FEAT_SVM];
+-    env->features[FEAT_7_0_EBX] &= ~minus_features[FEAT_7_0_EBX];
+-    env->features[FEAT_7_0_ECX] &= ~minus_features[FEAT_7_0_ECX];
+-    env->features[FEAT_7_0_EDX] &= ~minus_features[FEAT_7_0_EDX];
+-    env->features[FEAT_XSAVE] &= ~minus_features[FEAT_XSAVE];
++
++    for (w = 0; w < FEATURE_WORDS; w++) {
++        env->features[w] |= plus_features[w];
++        env->features[w] &= ~minus_features[w];
++    }
+ 
+ out:
+     return;
+@@ -1974,6 +1958,7 @@ static void cpu_x86_register(X86CPU *cpu, const char *name, Error **errp)
+ {
+     CPUX86State *env = &cpu->env;
+     x86_def_t def1, *def = &def1;
++    FeatureWord w;
+ 
+     memset(def, 0, sizeof(*def));
+ 
+@@ -1992,21 +1977,12 @@ static void cpu_x86_register(X86CPU *cpu, const char *name, Error **errp)
+     object_property_set_int(OBJECT(cpu), def->family, "family", errp);
+     object_property_set_int(OBJECT(cpu), def->model, "model", errp);
+     object_property_set_int(OBJECT(cpu), def->stepping, "stepping", errp);
+-    env->features[FEAT_1_EDX] = def->features[FEAT_1_EDX];
+-    env->features[FEAT_1_ECX] = def->features[FEAT_1_ECX];
+-    env->features[FEAT_8000_0001_EDX] = def->features[FEAT_8000_0001_EDX];
+-    env->features[FEAT_8000_0001_ECX] = def->features[FEAT_8000_0001_ECX];
+     object_property_set_int(OBJECT(cpu), def->xlevel, "xlevel", errp);
+-    env->features[FEAT_KVM] = def->features[FEAT_KVM];
+-    env->features[FEAT_SVM] = def->features[FEAT_SVM];
+-    env->features[FEAT_C000_0001_EDX] = def->features[FEAT_C000_0001_EDX];
+-    env->features[FEAT_7_0_EBX] = def->features[FEAT_7_0_EBX];
+-    env->features[FEAT_7_0_ECX] = def->features[FEAT_7_0_ECX];
+-    env->features[FEAT_7_0_EDX] = def->features[FEAT_7_0_EDX];
+-    env->features[FEAT_XSAVE] = def->features[FEAT_XSAVE];
+     env->cpuid_xlevel2 = def->xlevel2;
+-
+     object_property_set_str(OBJECT(cpu), def->model_id, "model-id", errp);
++    for (w = 0; w < FEATURE_WORDS; w++) {
++        env->features[w] = def->features[w];
++    }
+ }
+ 
+ X86CPU *cpu_x86_create(const char *cpu_model, DeviceState *icc_bridge,
+-- 
+1.8.3.1
+
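Review bot: The merged loop in cpu_x86_parse_featurestr applies `env->features[w] |= plus_features[w];` and then `env->features[w] &= ~minus_features[w];`, so a flag present in both arrays ends up cleared. The old two-block layout made that ordering visible; the loop should record it with a comment such as `/* removal wins when a flag is both added and removed */`. In cpu_x86_register the feature copy now runs after every `object_property_set_*` call regardless of what was stored in `errp`, which looks unchanged in effect but is worth a short comment as well. Both function bodies extend outside their hunks.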
diff --git a/SOURCES/kvm-target-i386-Loop-based-feature-word-filtering-in-TCG.patch b/SOURCES/kvm-target-i386-Loop-based-feature-word-filtering-in-TCG.patch
new file mode 100644
index 0000000..5b90519
--- /dev/null
+++ b/SOURCES/kvm-target-i386-Loop-based-feature-word-filtering-in-TCG.patch
@@ -0,0 +1,127 @@
+From 91e436476830a82f429e1df848ea751280580b46 Mon Sep 17 00:00:00 2001
+From: Eduardo Habkost <ehabkost@redhat.com>
+Date: Thu, 23 Feb 2017 14:29:45 +0100
+Subject: [PATCH 15/17] target-i386: Loop-based feature word filtering in TCG
+ mode
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Eduardo Habkost <ehabkost@redhat.com>
+Message-id: <20170223142945.17790-15-ehabkost@redhat.com>
+Patchwork-id: 74046
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v2 14/14] target-i386: Loop-based feature word filtering in TCG mode
+Bugzilla: 1382122
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+Instead of manually filtering each feature word, add a tcg_features
+field to FeatureWordInfo, and use that field to filter all feature words
+in TCG mode.
+
+Reviewed-by: Richard Henderson <rth@twiddle.net>
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+Signed-off-by: Andreas Färber <afaerber@suse.de>
+(cherry picked from commit 37ce3522cb88c524caec57cb52a4bfbb880abbe5)
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ target-i386/cpu.c | 26 +++++++++++++++-----------
+ 1 file changed, 15 insertions(+), 11 deletions(-)
+
+diff --git a/target-i386/cpu.c b/target-i386/cpu.c
+index 010b95f..38056eb 100644
+--- a/target-i386/cpu.c
++++ b/target-i386/cpu.c
+@@ -254,54 +254,65 @@ typedef struct FeatureWordInfo {
+     bool cpuid_needs_ecx; /* CPUID instruction uses ECX as input */
+     uint32_t cpuid_ecx;   /* Input ECX value for CPUID */
+     int cpuid_reg;        /* output register (R_* constant) */
++    uint32_t tcg_features; /* Feature flags supported by TCG */
+ } FeatureWordInfo;
+ 
+ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
+     [FEAT_1_EDX] = {
+         .feat_names = feature_name,
+         .cpuid_eax = 1, .cpuid_reg = R_EDX,
++        .tcg_features = TCG_FEATURES,
+     },
+     [FEAT_1_ECX] = {
+         .feat_names = ext_feature_name,
+         .cpuid_eax = 1, .cpuid_reg = R_ECX,
++        .tcg_features = TCG_EXT_FEATURES,
+     },
+     [FEAT_8000_0001_EDX] = {
+         .feat_names = ext2_feature_name,
+         .cpuid_eax = 0x80000001, .cpuid_reg = R_EDX,
++        .tcg_features = TCG_EXT2_FEATURES,
+     },
+     [FEAT_8000_0001_ECX] = {
+         .feat_names = ext3_feature_name,
+         .cpuid_eax = 0x80000001, .cpuid_reg = R_ECX,
++        .tcg_features = TCG_EXT3_FEATURES,
+     },
+     [FEAT_C000_0001_EDX] = {
+         .feat_names = ext4_feature_name,
+         .cpuid_eax = 0xC0000001, .cpuid_reg = R_EDX,
++        .tcg_features = TCG_EXT4_FEATURES,
+     },
+     [FEAT_KVM] = {
+         .feat_names = kvm_feature_name,
+         .cpuid_eax = KVM_CPUID_FEATURES, .cpuid_reg = R_EAX,
++        .tcg_features = TCG_KVM_FEATURES,
+     },
+     [FEAT_SVM] = {
+         .feat_names = svm_feature_name,
+         .cpuid_eax = 0x8000000A, .cpuid_reg = R_EDX,
++        .tcg_features = TCG_SVM_FEATURES,
+     },
+     [FEAT_7_0_EBX] = {
+         .feat_names = cpuid_7_0_ebx_feature_name,
+         .cpuid_eax = 7,
+         .cpuid_needs_ecx = true, .cpuid_ecx = 0,
+         .cpuid_reg = R_EBX,
++        .tcg_features = TCG_7_0_EBX_FEATURES,
+     },
+     [FEAT_7_0_ECX] = {
+         .feat_names = cpuid_7_0_ecx_feature_name,
+         .cpuid_eax = 7,
+         .cpuid_needs_ecx = true, .cpuid_ecx = 0,
+         .cpuid_reg = R_ECX,
++        .tcg_features = TCG_7_0_ECX_FEATURES,
+     },
+     [FEAT_7_0_EDX] = {
+         .feat_names = cpuid_7_0_edx_feature_name,
+         .cpuid_eax = 7,
+         .cpuid_needs_ecx = true, .cpuid_ecx = 0,
+         .cpuid_reg = R_EDX,
++        .tcg_features = TCG_7_0_EDX_FEATURES,
+     },
+     [FEAT_XSAVE] = {
+         .feat_names = cpuid_xsave_feature_name,
+@@ -2617,17 +2628,10 @@ static void x86_cpu_realizefn(DeviceState *dev, Error **errp)
+     }
+ 
+     if (!kvm_enabled()) {
+-        env->features[FEAT_1_EDX] &= TCG_FEATURES;
+-        env->features[FEAT_1_ECX] &= TCG_EXT_FEATURES;
+-        env->features[FEAT_7_0_EBX] &= TCG_7_0_EBX_FEATURES;
+-        env->features[FEAT_8000_0001_EDX] &= TCG_EXT2_FEATURES;
+-        env->features[FEAT_8000_0001_ECX] &= TCG_EXT3_FEATURES;
+-        env->features[FEAT_SVM] &= TCG_SVM_FEATURES;
+-        env->features[FEAT_KVM] &= TCG_KVM_FEATURES;
+-        env->features[FEAT_C000_0001_EDX] &= TCG_EXT4_FEATURES;
+-        env->features[FEAT_XSAVE] = 0;
+-        env->features[FEAT_7_0_ECX] &= TCG_7_0_ECX_FEATURES;
+-        env->features[FEAT_7_0_EDX] &= TCG_7_0_EDX_FEATURES;
++        FeatureWord w;
++        for (w = 0; w < FEATURE_WORDS; w++) {
++            env->features[w] &= feature_word_info[w].tcg_features;
++        }
+     } else {
+         KVMState *s = kvm_state;
+         if ((cpu->check_cpuid || cpu->enforce_cpuid)
+-- 
+1.8.3.1
+
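Review bot: `[FEAT_XSAVE]` is the one feature_word_info entry in this hunk that gains no `.tcg_features` initializer, so the old explicit `env->features[FEAT_XSAVE] = 0;` is now reproduced only by the implicit zero of an omitted designated-initializer field. The result is the same and the default fails closed (a word without a mask is cleared entirely under TCG), but that should be stated rather than left implicit. Add `.tcg_features = 0,` to the FEAT_XSAVE entry, or extend the field comment to `/* Feature flags supported by TCG; 0 (the default) masks the whole word */`. The FEAT_XSAVE initializer continues past the end of its hunk, and the diffstat's 15 insertions are consistent with no mask being added there.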
diff --git a/SOURCES/kvm-target-i386-Make-TCG-feature-filtering-more-readable.patch b/SOURCES/kvm-target-i386-Make-TCG-feature-filtering-more-readable.patch
new file mode 100644
index 0000000..2683994
--- /dev/null
+++ b/SOURCES/kvm-target-i386-Make-TCG-feature-filtering-more-readable.patch
@@ -0,0 +1,69 @@
+From 6e553d9996682836a35a1020e9d992c856236342 Mon Sep 17 00:00:00 2001
+From: Eduardo Habkost <ehabkost@redhat.com>
+Date: Thu, 23 Feb 2017 14:29:40 +0100
+Subject: [PATCH 10/17] target-i386: Make TCG feature filtering more readable
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Eduardo Habkost <ehabkost@redhat.com>
+Message-id: <20170223142945.17790-10-ehabkost@redhat.com>
+Patchwork-id: 74041
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v2 09/14] target-i386: Make TCG feature filtering more readable
+Bugzilla: 1382122
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+Instead of an #ifdef in the middle of the code, just set
+TCG_EXT2_FEATURES to a different value depending on TARGET_X86_64.
+
+Reviewed-by: Richard Henderson <rth@twiddle.net>
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+Signed-off-by: Andreas Färber <afaerber@suse.de>
+(cherry picked from commit a42d9938a162c3e3c9e441d1927dca5bd59167d9)
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ target-i386/cpu.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/target-i386/cpu.c b/target-i386/cpu.c
+index bb8abf7..e32d4d7 100644
+--- a/target-i386/cpu.c
++++ b/target-i386/cpu.c
+@@ -486,9 +486,17 @@ typedef struct x86_def_t {
+           CPUID_EXT_X2APIC, CPUID_EXT_TSC_DEADLINE_TIMER, CPUID_EXT_XSAVE,
+           CPUID_EXT_OSXSAVE, CPUID_EXT_AVX, CPUID_EXT_F16C,
+           CPUID_EXT_RDRAND */
++
++#ifdef TARGET_X86_64
++#define TCG_EXT2_X86_64_FEATURES (CPUID_EXT2_SYSCALL | CPUID_EXT2_LM)
++#else
++#define TCG_EXT2_X86_64_FEATURES 0
++#endif
++
+ #define TCG_EXT2_FEATURES ((TCG_FEATURES & CPUID_EXT2_AMD_ALIASES) | \
+           CPUID_EXT2_NX | CPUID_EXT2_MMXEXT | CPUID_EXT2_RDTSCP | \
+-          CPUID_EXT2_3DNOW | CPUID_EXT2_3DNOWEXT)
++          CPUID_EXT2_3DNOW | CPUID_EXT2_3DNOWEXT | \
++          TCG_EXT2_X86_64_FEATURES)
+           /* missing:
+           CPUID_EXT2_PDPE1GB */
+ #define TCG_EXT3_FEATURES (CPUID_EXT3_LAHF_LM | CPUID_EXT3_SVM | \
+@@ -2632,11 +2640,7 @@ static void x86_cpu_realizefn(DeviceState *dev, Error **errp)
+     if (!kvm_enabled()) {
+         env->features[FEAT_1_EDX] &= TCG_FEATURES;
+         env->features[FEAT_1_ECX] &= TCG_EXT_FEATURES;
+-        env->features[FEAT_8000_0001_EDX] &= (TCG_EXT2_FEATURES
+-#ifdef TARGET_X86_64
+-            | CPUID_EXT2_SYSCALL | CPUID_EXT2_LM
+-#endif
+-            );
++        env->features[FEAT_8000_0001_EDX] &= TCG_EXT2_FEATURES;
+         env->features[FEAT_8000_0001_ECX] &= TCG_EXT3_FEATURES;
+         env->features[FEAT_SVM] &= TCG_SVM_FEATURES;
+         env->features[FEAT_XSAVE] = 0;
+-- 
+1.8.3.1
+
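Review bot: Folding `CPUID_EXT2_SYSCALL | CPUID_EXT2_LM` into `TCG_EXT2_FEATURES` changes the macro's value on `TARGET_X86_64` builds for every user of the macro, not only for the mask applied in `x86_cpu_realizefn()`. Any other use lies outside these hunks and should be checked before treating the refactor as behaviour-neutral. The new `TCG_EXT2_X86_64_FEATURES` helper also carries no comment saying why the two bits are conditional; I would add one above the `#ifdef`, e.g. `/* SYSCALL and long mode are only enabled for the 64-bit target */`. `x86_cpu_realizefn()` starts and ends outside the hunk.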
diff --git a/SOURCES/kvm-target-i386-add-Ivy-Bridge-CPU-model.patch b/SOURCES/kvm-target-i386-add-Ivy-Bridge-CPU-model.patch
new file mode 100644
index 0000000..d211806
--- /dev/null
+++ b/SOURCES/kvm-target-i386-add-Ivy-Bridge-CPU-model.patch
@@ -0,0 +1,73 @@
+From 8075eadce1f9f144ae2e2fcf23c1890943caf1f8 Mon Sep 17 00:00:00 2001
+From: Eduardo Habkost <ehabkost@redhat.com>
+Date: Wed, 22 Feb 2017 21:11:07 +0100
+Subject: [PATCH 01/17] target-i386: add Ivy Bridge CPU model
+
+RH-Author: Eduardo Habkost <ehabkost@redhat.com>
+Message-id: <20170222211107.29696-1-ehabkost@redhat.com>
+Patchwork-id: 74028
+O-Subject: [RHEL-7.4 qemu-kvm PATCH] target-i386: add Ivy Bridge CPU model
+Bugzilla: 1368375
+RH-Acked-by: Bandan Das <bsd@redhat.com>
+RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1368375
+Brew: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=12606134
+
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 2f9ac42acf4602453d5839221df6cc7cabc3355e)
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ target-i386/cpu.c | 32 ++++++++++++++++++++++++++++++++
+ 1 file changed, 32 insertions(+)
+
+diff --git a/target-i386/cpu.c b/target-i386/cpu.c
+index 476306d..c3c8306 100644
+--- a/target-i386/cpu.c
++++ b/target-i386/cpu.c
+@@ -878,6 +878,38 @@ static x86_def_t builtin_x86_defs[] = {
+         .model_id = "Intel Xeon E312xx (Sandy Bridge)",
+     },
+     {
++        .name = "IvyBridge",
++        .level = 0xd,
++        .vendor = CPUID_VENDOR_INTEL,
++        .family = 6,
++        .model = 58,
++        .stepping = 9,
++        .features[FEAT_1_EDX] =
++            CPUID_VME | CPUID_SSE2 | CPUID_SSE | CPUID_FXSR | CPUID_MMX |
++            CPUID_CLFLUSH | CPUID_PSE36 | CPUID_PAT | CPUID_CMOV | CPUID_MCA |
++            CPUID_PGE | CPUID_MTRR | CPUID_SEP | CPUID_APIC | CPUID_CX8 |
++            CPUID_MCE | CPUID_PAE | CPUID_MSR | CPUID_TSC | CPUID_PSE |
++            CPUID_DE | CPUID_FP87,
++        .features[FEAT_1_ECX] =
++            CPUID_EXT_AVX | CPUID_EXT_XSAVE | CPUID_EXT_AES |
++            CPUID_EXT_TSC_DEADLINE_TIMER | CPUID_EXT_POPCNT |
++            CPUID_EXT_X2APIC | CPUID_EXT_SSE42 | CPUID_EXT_SSE41 |
++            CPUID_EXT_CX16 | CPUID_EXT_SSSE3 | CPUID_EXT_PCLMULQDQ |
++            CPUID_EXT_SSE3 | CPUID_EXT_F16C | CPUID_EXT_RDRAND,
++        .features[FEAT_7_0_EBX] =
++            CPUID_7_0_EBX_FSGSBASE | CPUID_7_0_EBX_SMEP |
++            CPUID_7_0_EBX_ERMS,
++        .features[FEAT_8000_0001_EDX] =
++            CPUID_EXT2_LM | CPUID_EXT2_RDTSCP | CPUID_EXT2_NX |
++            CPUID_EXT2_SYSCALL,
++        .features[FEAT_8000_0001_ECX] =
++            CPUID_EXT3_LAHF_LM,
++        .features[FEAT_XSAVE] =
++            CPUID_XSAVE_XSAVEOPT,
++        .xlevel = 0x8000000A,
++        .model_id = "Intel Xeon E3-12xx v2 (Ivy Bridge)",
++    },
++    {
+         .name = "Haswell",
+         .level = 0xd,
+         .vendor = CPUID_VENDOR_INTEL,
+-- 
+1.8.3.1
+
diff --git a/SOURCES/kvm-target-i386-get-set-migrate-XSAVES-state.patch b/SOURCES/kvm-target-i386-get-set-migrate-XSAVES-state.patch
new file mode 100644
index 0000000..760ac99
--- /dev/null
+++ b/SOURCES/kvm-target-i386-get-set-migrate-XSAVES-state.patch
@@ -0,0 +1,170 @@
+From a824033fdc6956ee449f49f6d1a74ebfb21d0700 Mon Sep 17 00:00:00 2001
+From: Eduardo Habkost <ehabkost@redhat.com>
+Date: Fri, 31 Mar 2017 11:37:37 +0200
+Subject: [PATCH 1/4] target-i386: get/set/migrate XSAVES state
+
+RH-Author: Eduardo Habkost <ehabkost@redhat.com>
+Message-id: <20170331113737.9930-1-ehabkost@redhat.com>
+Patchwork-id: 74596
+O-Subject: [RHEL-7.4 qemu-kvm PATCH] target-i386: get/set/migrate XSAVES state
+Bugzilla: 1327593
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+RH-Acked-by: Bandan Das <bsd@redhat.com>
+RH-Acked-by: David Hildenbrand <david@redhat.com>
+
+From: Wanpeng Li <wanpeng.li@linux.intel.com>
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1327593
+Brew: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=12913269
+
+Add xsaves related definition, it also adds corresponding part
+to kvm_get/put, and vmstate.
+
+Backport notes:
+* As we didn't have unmigratable_flags yet, our backport
+  of upstream commit 0bb0b2d2fe7f645ddaf1f0ff40ac669c9feb4aa1
+  (commit 5fcaf5176d7545518c76f3aa8ea7ce6fb063c62d) didn't
+  include "xsaves" cpuid_xsave_feature_name[]. This patch now
+  adds "xsave" to cpuid_xsave_feature_name[].
+
+Signed-off-by: Wanpeng Li <wanpeng.li@linux.intel.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 18cd2c17b5370369a886155c001da0a7f54bbcca)
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ target-i386/cpu.c     |  2 +-
+ target-i386/cpu.h     |  2 ++
+ target-i386/kvm.c     | 15 +++++++++++++++
+ target-i386/machine.c | 21 +++++++++++++++++++++
+ 4 files changed, 39 insertions(+), 1 deletion(-)
+
+diff --git a/target-i386/cpu.c b/target-i386/cpu.c
+index 33f0997..ae56995 100644
+--- a/target-i386/cpu.c
++++ b/target-i386/cpu.c
+@@ -177,7 +177,7 @@ static const char *cpuid_7_0_edx_feature_name[] = {
+ };
+ 
+ static const char *cpuid_xsave_feature_name[] = {
+-    "xsaveopt", "xsavec", "xgetbv1", NULL,
++    "xsaveopt", "xsavec", "xgetbv1", "xsaves",
+     NULL, NULL, NULL, NULL,
+     NULL, NULL, NULL, NULL,
+     NULL, NULL, NULL, NULL,
+diff --git a/target-i386/cpu.h b/target-i386/cpu.h
+index f04deb4..ac60309 100644
+--- a/target-i386/cpu.h
++++ b/target-i386/cpu.h
+@@ -384,6 +384,7 @@
+ #define MSR_VM_HSAVE_PA                 0xc0010117
+ 
+ #define MSR_IA32_BNDCFGS                0x00000d90
++#define MSR_IA32_XSS                    0x00000da0
+ 
+ #define XSTATE_FP                       (1ULL << 0)
+ #define XSTATE_SSE                      (1ULL << 1)
+@@ -1026,6 +1027,7 @@ typedef struct CPUX86State {
+     uint64_t xstate_bv;
+ 
+     uint64_t xcr0;
++    uint64_t xss;
+ 
+     TPRAccess tpr_access_type;
+ } CPUX86State;
+diff --git a/target-i386/kvm.c b/target-i386/kvm.c
+index e1b0ca2..6a479f4 100644
+--- a/target-i386/kvm.c
++++ b/target-i386/kvm.c
+@@ -76,6 +76,7 @@ static bool has_msr_hv_hypercall;
+ static bool has_msr_hv_vapic;
+ static bool has_msr_hv_tsc;
+ static bool has_msr_mtrr;
++static bool has_msr_xss;
+ 
+ static bool has_msr_architectural_pmu;
+ static uint32_t num_architectural_pmu_counters;
+@@ -795,6 +796,10 @@ static int kvm_get_supported_msrs(KVMState *s)
+                     has_msr_bndcfgs = true;
+                     continue;
+                 }
++                if (kvm_msr_list->indices[i] == MSR_IA32_XSS) {
++                    has_msr_xss = true;
++                    continue;
++                }
+             }
+         }
+ 
+@@ -1177,6 +1182,9 @@ static int kvm_put_msrs(X86CPU *cpu, int level)
+     if (has_msr_bndcfgs) {
+         kvm_msr_entry_set(&msrs[n++], MSR_IA32_BNDCFGS, env->msr_bndcfgs);
+     }
++    if (has_msr_xss) {
++        kvm_msr_entry_set(&msrs[n++], MSR_IA32_XSS, env->xss);
++    }
+ #ifdef TARGET_X86_64
+     if (lm_capable_kernel) {
+         kvm_msr_entry_set(&msrs[n++], MSR_CSTAR, env->cstar);
+@@ -1530,6 +1538,10 @@ static int kvm_get_msrs(X86CPU *cpu)
+     if (has_msr_bndcfgs) {
+         msrs[n++].index = MSR_IA32_BNDCFGS;
+     }
++    if (has_msr_xss) {
++        msrs[n++].index = MSR_IA32_XSS;
++    }
++
+ 
+     if (!env->tsc_valid) {
+         msrs[n++].index = MSR_IA32_TSC;
+@@ -1677,6 +1689,9 @@ static int kvm_get_msrs(X86CPU *cpu)
+         case MSR_IA32_BNDCFGS:
+             env->msr_bndcfgs = msrs[i].data;
+             break;
++        case MSR_IA32_XSS:
++            env->xss = msrs[i].data;
++            break;
+         default:
+             if (msrs[i].index >= MSR_MC0_CTL &&
+                 msrs[i].index < MSR_MC0_CTL + (env->mcg_cap & 0xff) * 4) {
+diff --git a/target-i386/machine.c b/target-i386/machine.c
+index 2c97002..ce7fcd3 100644
+--- a/target-i386/machine.c
++++ b/target-i386/machine.c
+@@ -704,6 +704,24 @@ static const VMStateDescription vmstate_avx512 = {
+     }
+ };
+ 
++static bool xss_needed(void *opaque)
++{
++    X86CPU *cpu = opaque;
++    CPUX86State *env = &cpu->env;
++
++    return env->xss != 0;
++}
++
++static const VMStateDescription vmstate_xss = {
++    .name = "cpu/xss",
++    .version_id = 1,
++    .minimum_version_id = 1,
++    .fields = (VMStateField[]) {
++        VMSTATE_UINT64(env.xss, X86CPU),
++        VMSTATE_END_OF_LIST()
++    }
++};
++
+ const VMStateDescription vmstate_x86_cpu = {
+     .name = "cpu",
+     .version_id = 12,
+@@ -850,6 +868,9 @@ const VMStateDescription vmstate_x86_cpu = {
+         }, {
+             .vmsd = &vmstate_avx512,
+             .needed = avx512_needed,
++         }, {
++            .vmsd = &vmstate_xss,
++            .needed = xss_needed,
+         } , {
+             /* empty */
+         }
+-- 
+1.8.3.1
+
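Review bot: The two `msrs[n++]` additions for `MSR_IA32_XSS` in `kvm_put_msrs()` and `kvm_get_msrs()` add one more entry to a buffer whose declaration is outside these hunks, and nothing visible checks `n` against its capacity. Each backport that appends another MSR uses up the remaining headroom, and an overrun would corrupt memory in the QEMU host process, so confirm the array still covers the worst case with every `has_msr_*` flag set, and consider an assertion on `n` just before the ioctl. Separately, `xss_needed()` sends the subsection whenever `env->xss != 0`, but a destination where `has_msr_xss` is false appears to load the value and then skip it in `kvm_put_msrs()` with no diagnostic. If that is intended, say so in a comment next to `if (has_msr_xss)`, e.g. `/* silently dropped when the host kernel lacks IA32_XSS */`.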
diff --git a/SOURCES/kvm-target-i386-kvm_check_features_against_host-Kill-fea.patch b/SOURCES/kvm-target-i386-kvm_check_features_against_host-Kill-fea.patch
new file mode 100644
index 0000000..ce9514e
--- /dev/null
+++ b/SOURCES/kvm-target-i386-kvm_check_features_against_host-Kill-fea.patch
@@ -0,0 +1,114 @@
+From 6d76a3d10423f99561a431964637b58d7e5f2e77 Mon Sep 17 00:00:00 2001
+From: Eduardo Habkost <ehabkost@redhat.com>
+Date: Thu, 23 Feb 2017 14:29:39 +0100
+Subject: [PATCH 09/17] target-i386: kvm_check_features_against_host(): Kill
+ feature word array
+
+RH-Author: Eduardo Habkost <ehabkost@redhat.com>
+Message-id: <20170223142945.17790-9-ehabkost@redhat.com>
+Patchwork-id: 74039
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v2 08/14] target-i386: kvm_check_features_against_host(): Kill feature word array
+Bugzilla: 1382122
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+We don't need the ft[] array on kvm_check_features_against_host()
+anymore, as we can simply use the feature_word_info[] array, that has
+everything we need.
+
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit f0b9b11164482a8a2283dee25cecc4a4c531259e)
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ target-i386/cpu.c | 57 ++++++++++++-------------------------------------------
+ 1 file changed, 12 insertions(+), 45 deletions(-)
+
+diff --git a/target-i386/cpu.c b/target-i386/cpu.c
+index 22ad4f9..bb8abf7 100644
+--- a/target-i386/cpu.c
++++ b/target-i386/cpu.c
+@@ -1303,57 +1303,23 @@ static int unavailable_host_feature(FeatureWordInfo *f, uint32_t mask)
+  *
+  * This function may be called only if KVM is enabled.
+  */
+-static int kvm_check_features_against_host(X86CPU *cpu)
++static int kvm_check_features_against_host(KVMState *s, X86CPU *cpu)
+ {
+     CPUX86State *env = &cpu->env;
+-    x86_def_t host_def;
+-    uint32_t mask;
+-    int rv, i;
+-    struct model_features_t ft[] = {
+-        {&env->features[FEAT_1_EDX],
+-            &host_def.features[FEAT_1_EDX],
+-            FEAT_1_EDX },
+-        {&env->features[FEAT_1_ECX],
+-            &host_def.features[FEAT_1_ECX],
+-            FEAT_1_ECX },
+-        {&env->features[FEAT_8000_0001_EDX],
+-            &host_def.features[FEAT_8000_0001_EDX],
+-            FEAT_8000_0001_EDX },
+-        {&env->features[FEAT_8000_0001_ECX],
+-            &host_def.features[FEAT_8000_0001_ECX],
+-            FEAT_8000_0001_ECX },
+-        {&env->features[FEAT_C000_0001_EDX],
+-            &host_def.features[FEAT_C000_0001_EDX],
+-            FEAT_C000_0001_EDX },
+-        {&env->features[FEAT_7_0_EBX],
+-            &host_def.features[FEAT_7_0_EBX],
+-            FEAT_7_0_EBX },
+-        {&env->features[FEAT_7_0_ECX],
+-            &host_def.features[FEAT_7_0_ECX],
+-            FEAT_7_0_ECX },
+-        {&env->features[FEAT_7_0_EDX],
+-            &host_def.features[FEAT_7_0_EDX],
+-            FEAT_7_0_EDX },
+-        {&env->features[FEAT_XSAVE],
+-            &host_def.features[FEAT_XSAVE],
+-            FEAT_XSAVE },
+-        {&env->features[FEAT_SVM],
+-            &host_def.features[FEAT_SVM],
+-            FEAT_SVM },
+-        {&env->features[FEAT_KVM],
+-            &host_def.features[FEAT_KVM],
+-            FEAT_KVM },
+-    };
++    int rv = 0;
++    FeatureWord w;
+ 
+     assert(kvm_enabled());
+ 
+-    kvm_cpu_fill_host(&host_def);
+-    for (rv = 0, i = 0; i < ARRAY_SIZE(ft); ++i) {
+-        FeatureWord w = ft[i].feat_word;
++    for (w = 0; w < FEATURE_WORDS; w++) {
+         FeatureWordInfo *wi = &feature_word_info[w];
++        uint32_t guest_feat = env->features[w];
++        uint32_t host_feat = kvm_arch_get_supported_cpuid(s, wi->cpuid_eax,
++                                                             wi->cpuid_ecx,
++                                                             wi->cpuid_reg);
++        uint32_t mask;
+         for (mask = 1; mask; mask <<= 1) {
+-            if (*ft[i].guest_feat & mask &&
+-                !(*ft[i].host_feat & mask)) {
++            if (guest_feat & mask && !(host_feat & mask)) {
+                 unavailable_host_feature(wi, mask);
+                 rv = 1;
+             }
+@@ -2677,8 +2643,9 @@ static void x86_cpu_realizefn(DeviceState *dev, Error **errp)
+         env->features[FEAT_7_0_ECX] &= TCG_7_0_ECX_FEATURES;
+         env->features[FEAT_7_0_EDX] &= TCG_7_0_EDX_FEATURES;
+     } else {
++        KVMState *s = kvm_state;
+         if ((cpu->check_cpuid || cpu->enforce_cpuid)
+-            && kvm_check_features_against_host(cpu) && cpu->enforce_cpuid) {
++            && kvm_check_features_against_host(s, cpu) && cpu->enforce_cpuid) {
+             error_setg(&local_err,
+                        "Host's CPU doesn't support requested features");
+             goto out;
+-- 
+1.8.3.1
+
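Review bot: The loop over `w < FEATURE_WORDS` in `kvm_check_features_against_host()` now trusts `feature_word_info[w]` for every feature word, where the removed `ft[]` array named each checked word explicitly. A `FeatureWord` whose table entry does not set `.cpuid_eax`, `.cpuid_ecx` and `.cpuid_reg` would be zero-initialised and so be compared against the wrong CPUID leaf, which with `enforce_cpuid` turns into a refused start or, worse, a check that passes for the wrong reason. The full table is not visible here, so this needs confirming; a comment on the table such as `/* every FeatureWord must set cpuid_eax, cpuid_ecx and cpuid_reg: the KVM host checks iterate all words */` would make the dependency explicit. The same applies to the loop added by the "Fill feature words in a loop" patch for `kvm_cpu_fill_host()`.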
diff --git a/SOURCES/kvm-target-i386-kvm_cpu_fill_host-Fill-feature-words-in-.patch b/SOURCES/kvm-target-i386-kvm_cpu_fill_host-Fill-feature-words-in-.patch
new file mode 100644
index 0000000..ab2524c
--- /dev/null
+++ b/SOURCES/kvm-target-i386-kvm_cpu_fill_host-Fill-feature-words-in-.patch
@@ -0,0 +1,70 @@
+From acedcdc24c0aad54530c0d41958b19981207e803 Mon Sep 17 00:00:00 2001
+From: Eduardo Habkost <ehabkost@redhat.com>
+Date: Thu, 23 Feb 2017 14:29:38 +0100
+Subject: [PATCH 08/17] target-i386: kvm_cpu_fill_host(): Fill feature words in
+ a loop
+
+RH-Author: Eduardo Habkost <ehabkost@redhat.com>
+Message-id: <20170223142945.17790-8-ehabkost@redhat.com>
+Patchwork-id: 74038
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v2 07/14] target-i386: kvm_cpu_fill_host(): Fill feature words in a loop
+Bugzilla: 1382122
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+Now that the kvm_cpu_fill_host() code is simplified, we can simply set
+the feature word array using a simple loop.
+
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 2bc65d2b020887da3eb9043ae4f7d133ed85a7fe)
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ target-i386/cpu.c | 29 +++++++----------------------
+ 1 file changed, 7 insertions(+), 22 deletions(-)
+
+diff --git a/target-i386/cpu.c b/target-i386/cpu.c
+index 1515b87..22ad4f9 100644
+--- a/target-i386/cpu.c
++++ b/target-i386/cpu.c
+@@ -1268,28 +1268,13 @@ static void kvm_cpu_fill_host(x86_def_t *x86_cpu_def)
+ 
+     cpu_x86_fill_model_id(x86_cpu_def->model_id);
+ 
+-    x86_cpu_def->features[FEAT_1_EDX] =
+-        kvm_arch_get_supported_cpuid(s, 0x1, 0, R_EDX);
+-    x86_cpu_def->features[FEAT_1_ECX] =
+-        kvm_arch_get_supported_cpuid(s, 0x1, 0, R_ECX);
+-    x86_cpu_def->features[FEAT_7_0_EBX] =
+-        kvm_arch_get_supported_cpuid(s, 0x7, 0, R_EBX);
+-    x86_cpu_def->features[FEAT_7_0_ECX] =
+-        kvm_arch_get_supported_cpuid(s, 0x7, 0, R_ECX);
+-    x86_cpu_def->features[FEAT_7_0_EDX] =
+-        kvm_arch_get_supported_cpuid(s, 0x7, 0, R_EDX);
+-    x86_cpu_def->features[FEAT_XSAVE] =
+-        kvm_arch_get_supported_cpuid(s, 0xd, 1, R_EAX);
+-    x86_cpu_def->features[FEAT_8000_0001_EDX] =
+-        kvm_arch_get_supported_cpuid(s, 0x80000001, 0, R_EDX);
+-    x86_cpu_def->features[FEAT_8000_0001_ECX] =
+-        kvm_arch_get_supported_cpuid(s, 0x80000001, 0, R_ECX);
+-    x86_cpu_def->features[FEAT_C000_0001_EDX] =
+-        kvm_arch_get_supported_cpuid(s, 0xC0000001, 0, R_EDX);
+-    x86_cpu_def->features[FEAT_SVM] =
+-        kvm_arch_get_supported_cpuid(s, 0x8000000A, 0, R_EDX);
+-    x86_cpu_def->features[FEAT_KVM] =
+-        kvm_arch_get_supported_cpuid(s, KVM_CPUID_FEATURES, 0, R_EAX);
++    FeatureWord w;
++    for (w = 0; w < FEATURE_WORDS; w++) {
++        FeatureWordInfo *wi = &feature_word_info[w];
++        x86_cpu_def->features[w] =
++            kvm_arch_get_supported_cpuid(s, wi->cpuid_eax, wi->cpuid_ecx,
++                                         wi->cpuid_reg);
++    }
+ 
+ #endif /* CONFIG_KVM */
+ }
+-- 
+1.8.3.1
+
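Review bot: `FeatureWord w;` is declared after the `cpu_x86_fill_model_id()` call, in the middle of the function body, rather than with the function's other locals, which are declared outside this hunk. QEMU's coding style asks for declarations at the start of a block, and the equivalent loop added to `x86_cpu_realizefn()` elsewhere in this series does place `FeatureWord w;` first in its block. Move the declaration up next to the existing locals, keeping it inside the `CONFIG_KVM` guard whose `#endif` closes the hunk so that non-KVM builds do not gain an unused variable.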
diff --git a/SOURCES/kvm-target-i386-kvm_cpu_fill_host-Kill-unused-code.patch b/SOURCES/kvm-target-i386-kvm_cpu_fill_host-Kill-unused-code.patch
new file mode 100644
index 0000000..7956a54
--- /dev/null
+++ b/SOURCES/kvm-target-i386-kvm_cpu_fill_host-Kill-unused-code.patch
@@ -0,0 +1,46 @@
+From bdde6d373b48144d8b4c1ebb60a3d50d9c31dc87 Mon Sep 17 00:00:00 2001
+From: Eduardo Habkost <ehabkost@redhat.com>
+Date: Thu, 23 Feb 2017 14:29:33 +0100
+Subject: [PATCH 03/17] target-i386: kvm_cpu_fill_host(): Kill unused code
+
+RH-Author: Eduardo Habkost <ehabkost@redhat.com>
+Message-id: <20170223142945.17790-3-ehabkost@redhat.com>
+Patchwork-id: 74034
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v2 02/14] target-i386: kvm_cpu_fill_host(): Kill unused code
+Bugzilla: 1382122
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+Those host_cpuid() calls are useless. They are leftovers from when the
+old code using host_cpuid() was removed.
+
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 81e207707e7b6204f64451779d752f23777ed451)
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ target-i386/cpu.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/target-i386/cpu.c b/target-i386/cpu.c
+index 789e687..8a49ff5 100644
+--- a/target-i386/cpu.c
++++ b/target-i386/cpu.c
+@@ -1292,12 +1292,10 @@ static void kvm_cpu_fill_host(x86_def_t *x86_cpu_def)
+ 
+     /* Call Centaur's CPUID instruction. */
+     if (!strcmp(x86_cpu_def->vendor, CPUID_VENDOR_VIA)) {
+-        host_cpuid(0xC0000000, 0, &eax, &ebx, &ecx, &edx);
+         eax = kvm_arch_get_supported_cpuid(s, 0xC0000000, 0, R_EAX);
+         if (eax >= 0xC0000001) {
+             /* Support VIA max extended level */
+             x86_cpu_def->xlevel2 = eax;
+-            host_cpuid(0xC0000001, 0, &eax, &ebx, &ecx, &edx);
+             x86_cpu_def->features[FEAT_C000_0001_EDX] =
+                     kvm_arch_get_supported_cpuid(s, 0xC0000001, 0, R_EDX);
+         }
+-- 
+1.8.3.1
+
diff --git a/SOURCES/kvm-target-i386-kvm_cpu_fill_host-No-need-to-check-CPU-v.patch b/SOURCES/kvm-target-i386-kvm_cpu_fill_host-No-need-to-check-CPU-v.patch
new file mode 100644
index 0000000..69ebd26
--- /dev/null
+++ b/SOURCES/kvm-target-i386-kvm_cpu_fill_host-No-need-to-check-CPU-v.patch
@@ -0,0 +1,62 @@
+From ce8b0103a1c5cae9030156d9f17daf5dee5ed4c5 Mon Sep 17 00:00:00 2001
+From: Eduardo Habkost <ehabkost@redhat.com>
+Date: Thu, 23 Feb 2017 14:29:35 +0100
+Subject: [PATCH 05/17] target-i386: kvm_cpu_fill_host(): No need to check CPU
+ vendor
+
+RH-Author: Eduardo Habkost <ehabkost@redhat.com>
+Message-id: <20170223142945.17790-5-ehabkost@redhat.com>
+Patchwork-id: 74043
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v2 04/14] target-i386: kvm_cpu_fill_host(): No need to check CPU vendor
+Bugzilla: 1382122
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+There's no need to check CPU vendor before calling
+kvm_arch_get_supported_cpuid(s, 0xC0000000, 0, R_EAX), because:
+
+ * The kernel won't return any entry for 0xC0000000 if host CPU vendor
+   is not Centaur (See kvm_dev_ioctl_get_cpuid() on the kernel code);
+ * kvm_arch_get_supported_cpuid() will return 0 if no entry is returned
+   by the kernel for the requested leaf.
+
+This will simplify the kvm_cpu_fill_host() code a little.
+
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit b73dcfb16fc894041de553ac9f98b9e1640fcf06)
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ target-i386/cpu.c | 14 ++++++--------
+ 1 file changed, 6 insertions(+), 8 deletions(-)
+
+diff --git a/target-i386/cpu.c b/target-i386/cpu.c
+index c82073e..a10055b 100644
+--- a/target-i386/cpu.c
++++ b/target-i386/cpu.c
+@@ -1285,14 +1285,12 @@ static void kvm_cpu_fill_host(x86_def_t *x86_cpu_def)
+     cpu_x86_fill_model_id(x86_cpu_def->model_id);
+ 
+     /* Call Centaur's CPUID instruction. */
+-    if (!strcmp(x86_cpu_def->vendor, CPUID_VENDOR_VIA)) {
+-        eax = kvm_arch_get_supported_cpuid(s, 0xC0000000, 0, R_EAX);
+-        if (eax >= 0xC0000001) {
+-            /* Support VIA max extended level */
+-            x86_cpu_def->xlevel2 = eax;
+-            x86_cpu_def->features[FEAT_C000_0001_EDX] =
+-                    kvm_arch_get_supported_cpuid(s, 0xC0000001, 0, R_EDX);
+-        }
++    eax = kvm_arch_get_supported_cpuid(s, 0xC0000000, 0, R_EAX);
++    if (eax >= 0xC0000001) {
++        /* Support VIA max extended level */
++        x86_cpu_def->xlevel2 = eax;
++        x86_cpu_def->features[FEAT_C000_0001_EDX] =
++                kvm_arch_get_supported_cpuid(s, 0xC0000001, 0, R_EDX);
+     }
+ 
+     /* Other KVM-specific feature fields: */
+-- 
+1.8.3.1
+
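Review bot: After this change the only record of why the unguarded `kvm_arch_get_supported_cpuid(s, 0xC0000000, 0, R_EAX)` call is safe on non-Centaur hosts is the commit message, while the code keeps the old `/* Call Centaur's CPUID instruction. */` comment, which no longer describes a vendor-conditional path. Correctness now depends on two properties that are outside this hunk: the kernel omitting the leaf for other vendors, and the helper returning 0 for a missing entry. I would replace the comment with something like `/* KVM reports no 0xC0000000 leaf on non-Centaur hosts; the helper then returns 0 */`. The "No need to check level" and "No need to check xlevel2" patches drop their guards on the same assumption and would benefit from the same kind of comment. `kvm_cpu_fill_host()` starts and ends outside the hunk.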
diff --git a/SOURCES/kvm-target-i386-kvm_cpu_fill_host-No-need-to-check-level.patch b/SOURCES/kvm-target-i386-kvm_cpu_fill_host-No-need-to-check-level.patch
new file mode 100644
index 0000000..2a6cde8
--- /dev/null
+++ b/SOURCES/kvm-target-i386-kvm_cpu_fill_host-No-need-to-check-level.patch
@@ -0,0 +1,66 @@
+From 40d8624f4a90769b60ee567035f8231b64c10011 Mon Sep 17 00:00:00 2001
+From: Eduardo Habkost <ehabkost@redhat.com>
+Date: Thu, 23 Feb 2017 14:29:34 +0100
+Subject: [PATCH 04/17] target-i386: kvm_cpu_fill_host(): No need to check
+ level
+
+RH-Author: Eduardo Habkost <ehabkost@redhat.com>
+Message-id: <20170223142945.17790-4-ehabkost@redhat.com>
+Patchwork-id: 74035
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v2 03/14] target-i386: kvm_cpu_fill_host(): No need to check level
+Bugzilla: 1382122
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+There's no need to check level (CPUID[0].EAX) before calling
+kvm_arch_get_supported_cpuid(s, 0x7, 0, R_EBX), because:
+
+ * The kernel won't return any entry for CPUID 7 if CPUID[0].EAX is < 7
+   on the host (See kvm_dev_ioctl_get_cpuid() on the kernel code);
+ * kvm_arch_get_supported_cpuid() will return 0 if no entry is returned
+   by the kernel for the requested leaf.
+
+This will simplify the kvm_cpu_fill_host() code a little.
+
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 7171a3933f2ee8cb984fd64c59ca081f39b943a4)
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ target-i386/cpu.c | 18 ++++++------------
+ 1 file changed, 6 insertions(+), 12 deletions(-)
+
+diff --git a/target-i386/cpu.c b/target-i386/cpu.c
+index 8a49ff5..c82073e 100644
+--- a/target-i386/cpu.c
++++ b/target-i386/cpu.c
+@@ -1267,18 +1267,12 @@ static void kvm_cpu_fill_host(x86_def_t *x86_cpu_def)
+     x86_cpu_def->features[FEAT_1_ECX] =
+         kvm_arch_get_supported_cpuid(s, 0x1, 0, R_ECX);
+ 
+-    if (x86_cpu_def->level >= 7) {
+-        x86_cpu_def->features[FEAT_7_0_EBX] =
+-                    kvm_arch_get_supported_cpuid(s, 0x7, 0, R_EBX);
+-        x86_cpu_def->features[FEAT_7_0_ECX] =
+-                    kvm_arch_get_supported_cpuid(s, 0x7, 0, R_ECX);
+-        x86_cpu_def->features[FEAT_7_0_EDX] =
+-                    kvm_arch_get_supported_cpuid(s, 0x7, 0, R_EDX);
+-    } else {
+-        x86_cpu_def->features[FEAT_7_0_EBX] = 0;
+-        x86_cpu_def->features[FEAT_7_0_ECX] = 0;
+-        x86_cpu_def->features[FEAT_7_0_EDX] = 0;
+-    }
++    x86_cpu_def->features[FEAT_7_0_EBX] =
++                kvm_arch_get_supported_cpuid(s, 0x7, 0, R_EBX);
++    x86_cpu_def->features[FEAT_7_0_ECX] =
++                kvm_arch_get_supported_cpuid(s, 0x7, 0, R_ECX);
++    x86_cpu_def->features[FEAT_7_0_EDX] =
++                kvm_arch_get_supported_cpuid(s, 0x7, 0, R_EDX);
+     x86_cpu_def->features[FEAT_XSAVE] =
+                 kvm_arch_get_supported_cpuid(s, 0xd, 1, R_EAX);
+ 
+-- 
+1.8.3.1
+
diff --git a/SOURCES/kvm-target-i386-kvm_cpu_fill_host-No-need-to-check-xleve.patch b/SOURCES/kvm-target-i386-kvm_cpu_fill_host-No-need-to-check-xleve.patch
new file mode 100644
index 0000000..3accad7
--- /dev/null
+++ b/SOURCES/kvm-target-i386-kvm_cpu_fill_host-No-need-to-check-xleve.patch
@@ -0,0 +1,68 @@
+From f51c618ce3598d9a6a3256e4dd2b9dd3164fbc81 Mon Sep 17 00:00:00 2001
+From: Eduardo Habkost <ehabkost@redhat.com>
+Date: Thu, 23 Feb 2017 14:29:36 +0100
+Subject: [PATCH 06/17] target-i386: kvm_cpu_fill_host(): No need to check
+ xlevel2
+
+RH-Author: Eduardo Habkost <ehabkost@redhat.com>
+Message-id: <20170223142945.17790-6-ehabkost@redhat.com>
+Patchwork-id: 74036
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v2 05/14] target-i386: kvm_cpu_fill_host(): No need to check xlevel2
+Bugzilla: 1382122
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+There's no need to check CPU xlevel2 before calling
+kvm_arch_get_supported_cpuid(s, 0xC0000001, 0, R_EDX), because:
+
+ * The kernel won't return any entry for 0xC0000000 if host CPU vendor
+   is not Centaur (See kvm_dev_ioctl_get_supported_cpuid() on the kernel
+   code)
+ * Similarly, the kernel won't return any entry for 0xC0000001 if
+   CPUID[0xC0000000].EAX is < 0xC0000001
+ * kvm_arch_get_supported_cpuid() will return 0 if no entry is returned
+   by the kernel for the requested leaf
+
+For similar reasons, we can simply set x86_cpu_def->xlevel2 directly
+instead of making it conditional, because it will be set to 0 CPU vendor
+is not Centaur.
+
+This will simplify the kvm_cpu_fill_host() code a little.
+
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+[Remove unparseable comment. - Paolo]
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 803a932706e3ba335d4c98f3577a05cb000f1699)
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ target-i386/cpu.c | 11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+diff --git a/target-i386/cpu.c b/target-i386/cpu.c
+index a10055b..02bd038 100644
+--- a/target-i386/cpu.c
++++ b/target-i386/cpu.c
+@@ -1285,13 +1285,10 @@ static void kvm_cpu_fill_host(x86_def_t *x86_cpu_def)
+     cpu_x86_fill_model_id(x86_cpu_def->model_id);
+ 
+     /* Call Centaur's CPUID instruction. */
+-    eax = kvm_arch_get_supported_cpuid(s, 0xC0000000, 0, R_EAX);
+-    if (eax >= 0xC0000001) {
+-        /* Support VIA max extended level */
+-        x86_cpu_def->xlevel2 = eax;
+-        x86_cpu_def->features[FEAT_C000_0001_EDX] =
+-                kvm_arch_get_supported_cpuid(s, 0xC0000001, 0, R_EDX);
+-    }
++    x86_cpu_def->xlevel2 =
++        kvm_arch_get_supported_cpuid(s, 0xC0000000, 0, R_EAX);
++    x86_cpu_def->features[FEAT_C000_0001_EDX] =
++        kvm_arch_get_supported_cpuid(s, 0xC0000001, 0, R_EDX);
+ 
+     /* Other KVM-specific feature fields: */
+     x86_cpu_def->features[FEAT_SVM] =
+-- 
+1.8.3.1
+
diff --git a/SOURCES/kvm-target-i386-kvm_cpu_fill_host-Set-all-feature-words-.patch b/SOURCES/kvm-target-i386-kvm_cpu_fill_host-Set-all-feature-words-.patch
new file mode 100644
index 0000000..0de6ac3
--- /dev/null
+++ b/SOURCES/kvm-target-i386-kvm_cpu_fill_host-Set-all-feature-words-.patch
@@ -0,0 +1,82 @@
+From 905a9704d3099a82421850ae172b89f4de2e58b3 Mon Sep 17 00:00:00 2001
+From: Eduardo Habkost <ehabkost@redhat.com>
+Date: Thu, 23 Feb 2017 14:29:37 +0100
+Subject: [PATCH 07/17] target-i386: kvm_cpu_fill_host(): Set all feature words
+ at end of function
+
+RH-Author: Eduardo Habkost <ehabkost@redhat.com>
+Message-id: <20170223142945.17790-7-ehabkost@redhat.com>
+Patchwork-id: 74037
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v2 06/14] target-i386: kvm_cpu_fill_host(): Set all feature words at end of function
+Bugzilla: 1382122
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+Reorder the code so all the code that sets x86_cpu_def->features is at
+the end of the function.
+
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 2a573259ebf8b1072707257d547603520d1ed236)
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ target-i386/cpu.c | 29 ++++++++++++-----------------
+ 1 file changed, 12 insertions(+), 17 deletions(-)
+
+diff --git a/target-i386/cpu.c b/target-i386/cpu.c
+index 02bd038..1515b87 100644
+--- a/target-i386/cpu.c
++++ b/target-i386/cpu.c
+@@ -1262,35 +1262,30 @@ static void kvm_cpu_fill_host(x86_def_t *x86_cpu_def)
+     x86_cpu_def->stepping = eax & 0x0F;
+ 
+     x86_cpu_def->level = kvm_arch_get_supported_cpuid(s, 0x0, 0, R_EAX);
++    x86_cpu_def->xlevel = kvm_arch_get_supported_cpuid(s, 0x80000000, 0, R_EAX);
++    x86_cpu_def->xlevel2 =
++        kvm_arch_get_supported_cpuid(s, 0xC0000000, 0, R_EAX);
++
++    cpu_x86_fill_model_id(x86_cpu_def->model_id);
++
+     x86_cpu_def->features[FEAT_1_EDX] =
+         kvm_arch_get_supported_cpuid(s, 0x1, 0, R_EDX);
+     x86_cpu_def->features[FEAT_1_ECX] =
+         kvm_arch_get_supported_cpuid(s, 0x1, 0, R_ECX);
+-
+     x86_cpu_def->features[FEAT_7_0_EBX] =
+-                kvm_arch_get_supported_cpuid(s, 0x7, 0, R_EBX);
++        kvm_arch_get_supported_cpuid(s, 0x7, 0, R_EBX);
+     x86_cpu_def->features[FEAT_7_0_ECX] =
+-                kvm_arch_get_supported_cpuid(s, 0x7, 0, R_ECX);
++        kvm_arch_get_supported_cpuid(s, 0x7, 0, R_ECX);
+     x86_cpu_def->features[FEAT_7_0_EDX] =
+-                kvm_arch_get_supported_cpuid(s, 0x7, 0, R_EDX);
++        kvm_arch_get_supported_cpuid(s, 0x7, 0, R_EDX);
+     x86_cpu_def->features[FEAT_XSAVE] =
+-                kvm_arch_get_supported_cpuid(s, 0xd, 1, R_EAX);
+-
+-    x86_cpu_def->xlevel = kvm_arch_get_supported_cpuid(s, 0x80000000, 0, R_EAX);
++        kvm_arch_get_supported_cpuid(s, 0xd, 1, R_EAX);
+     x86_cpu_def->features[FEAT_8000_0001_EDX] =
+-                kvm_arch_get_supported_cpuid(s, 0x80000001, 0, R_EDX);
++        kvm_arch_get_supported_cpuid(s, 0x80000001, 0, R_EDX);
+     x86_cpu_def->features[FEAT_8000_0001_ECX] =
+-                kvm_arch_get_supported_cpuid(s, 0x80000001, 0, R_ECX);
+-
+-    cpu_x86_fill_model_id(x86_cpu_def->model_id);
+-
+-    /* Call Centaur's CPUID instruction. */
+-    x86_cpu_def->xlevel2 =
+-        kvm_arch_get_supported_cpuid(s, 0xC0000000, 0, R_EAX);
++        kvm_arch_get_supported_cpuid(s, 0x80000001, 0, R_ECX);
+     x86_cpu_def->features[FEAT_C000_0001_EDX] =
+         kvm_arch_get_supported_cpuid(s, 0xC0000001, 0, R_EDX);
+-
+-    /* Other KVM-specific feature fields: */
+     x86_cpu_def->features[FEAT_SVM] =
+         kvm_arch_get_supported_cpuid(s, 0x8000000A, 0, R_EDX);
+     x86_cpu_def->features[FEAT_KVM] =
+-- 
+1.8.3.1
+
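Review bot: In the reordered kvm_cpu_fill_host() body in target-i386/cpu.c, the comments `/* Call Centaur's CPUID instruction. */` and `/* Other KVM-specific feature fields: */` are removed without replacement. The 0xC0000000/0xC0000001 leaves and the FEAT_SVM/FEAT_KVM words now sit in one undifferentiated list of assignments. A short comment above the `xlevel2` assignment, for example `/* 0xC0000000: Centaur's extended CPUID range */`, would keep that context for the next reader. The function starts and ends outside the hunk.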
diff --git a/SOURCES/kvm-ui-vnc-derive-cmp_bytes-from-VNC_DIRTY_PIXELS_PER_BI.patch b/SOURCES/kvm-ui-vnc-derive-cmp_bytes-from-VNC_DIRTY_PIXELS_PER_BI.patch
new file mode 100644
index 0000000..38db6ec
--- /dev/null
+++ b/SOURCES/kvm-ui-vnc-derive-cmp_bytes-from-VNC_DIRTY_PIXELS_PER_BI.patch
@@ -0,0 +1,47 @@
+From 6eed761f1505348596f34c915c56e8a98ce7c3af Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Wed, 22 Feb 2017 12:36:20 +0100
+Subject: [PATCH 02/24] ui/vnc: derive cmp_bytes from VNC_DIRTY_PIXELS_PER_BIT
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: <1487766986-6329-3-git-send-email-kraxel@redhat.com>
+Patchwork-id: 73973
+O-Subject: [RHEL-7.4 qemu-kvm PATCH 2/8] ui/vnc: derive cmp_bytes from VNC_DIRTY_PIXELS_PER_BIT
+Bugzilla: 1377977
+RH-Acked-by: Thomas Huth <thuth@redhat.com>
+RH-Acked-by: Marc-André Lureau <mlureau@redhat.com>
+RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+
+From: Peter Lieven <pl@kamp.de>
+
+this allows for setting VNC_DIRTY_PIXELS_PER_BIT to different
+values than 16 if desired.
+
+Reviewed-by: Wenchao Xia <xiawenc@linux.vnet.ibm.com>
+Signed-off-by: Peter Lieven <pl@kamp.de>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit 6cd859aa8a7fb60fe6edb89e628cddfe25dfe186)
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ ui/vnc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ui/vnc.c b/ui/vnc.c
+index 0c799ed..13fb34b 100644
+--- a/ui/vnc.c
++++ b/ui/vnc.c
+@@ -2709,7 +2709,7 @@ static int vnc_refresh_server_surface(VncDisplay *vd)
+      * Check and copy modified bits from guest to server surface.
+      * Update server dirty map.
+      */
+-    cmp_bytes = 64;
++    cmp_bytes = VNC_DIRTY_PIXELS_PER_BIT * VNC_SERVER_FB_BYTES;
+     if (cmp_bytes > vnc_server_fb_stride(vd)) {
+         cmp_bytes = vnc_server_fb_stride(vd);
+     }
+-- 
+1.8.3.1
+
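Review bot: In vnc_refresh_server_surface() in ui/vnc.c, the clamp after the new `cmp_bytes` assignment only handles a stride smaller than one block, not a stride that is larger than `cmp_bytes` but not a multiple of it. Another patch in this same set describes exactly that case (`server_stride % cmp_bytes != 0`) as a memory corruption source. Until that fix is applied, a comment such as `/* assumes the server stride is a multiple of cmp_bytes */` above the assignment would make the precondition explicit. The per-block memcmp/memcpy loop that consumes `cmp_bytes` lies outside this hunk.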
diff --git a/SOURCES/kvm-ui-vnc-fix-potential-memory-corruption-issues.patch b/SOURCES/kvm-ui-vnc-fix-potential-memory-corruption-issues.patch
new file mode 100644
index 0000000..ba588c9
--- /dev/null
+++ b/SOURCES/kvm-ui-vnc-fix-potential-memory-corruption-issues.patch
@@ -0,0 +1,407 @@
+From 3d842d39e26560dfb7679d88746c314a3545ca18 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Wed, 22 Feb 2017 12:36:24 +0100
+Subject: [PATCH 06/24] ui/vnc: fix potential memory corruption issues
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: <1487766986-6329-7-git-send-email-kraxel@redhat.com>
+Patchwork-id: 73977
+O-Subject: [RHEL-7.4 qemu-kvm PATCH 6/8] ui/vnc: fix potential memory corruption issues
+Bugzilla: 1377977
+RH-Acked-by: Thomas Huth <thuth@redhat.com>
+RH-Acked-by: Marc-André Lureau <mlureau@redhat.com>
+RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+
+From: Peter Lieven <pl@kamp.de>
+
+this patch makes the VNC server work correctly if the
+server surface and the guest surface have different sizes.
+
+Basically the server surface is adjusted to not exceed VNC_MAX_WIDTH
+x VNC_MAX_HEIGHT and additionally the width is rounded up to multiple of
+VNC_DIRTY_PIXELS_PER_BIT.
+
+If we have a resolution whose width is not dividable by VNC_DIRTY_PIXELS_PER_BIT
+we now get a small black bar on the right of the screen.
+
+If the surface is too big to fit the limits only the upper left area is shown.
+
+On top of that this fixes 2 memory corruption issues:
+
+The first was actually discovered during playing
+around with a Windows 7 vServer. During resolution
+change in Windows 7 it happens sometimes that Windows
+changes to an intermediate resolution where
+server_stride % cmp_bytes != 0 (in vnc_refresh_server_surface).
+This happens only if width % VNC_DIRTY_PIXELS_PER_BIT != 0.
+
+The second is a theoretical issue, but is maybe exploitable
+by the guest. If for some reason the guest surface size is bigger
+than VNC_MAX_WIDTH x VNC_MAX_HEIGHT we end up in severe corruption since
+this limit is nowhere enforced.
+
+Signed-off-by: Peter Lieven <pl@kamp.de>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit bea60dd7679364493a0d7f5b54316c767cf894ef)
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+Conflicts:
+	ui/vnc.c  [ in pointer_event, input subsystem differences ]
+---
+ ui/vnc.c | 149 +++++++++++++++++++++++++++++----------------------------------
+ ui/vnc.h |  14 +++---
+ 2 files changed, 77 insertions(+), 86 deletions(-)
+
+diff --git a/ui/vnc.c b/ui/vnc.c
+index 51f95be..80b7792 100644
+--- a/ui/vnc.c
++++ b/ui/vnc.c
+@@ -427,14 +427,10 @@ static void framebuffer_update_request(VncState *vs, int incremental,
+ static void vnc_refresh(DisplayChangeListener *dcl);
+ static int vnc_refresh_server_surface(VncDisplay *vd);
+ 
+-static void vnc_dpy_update(DisplayChangeListener *dcl,
+-                           int x, int y, int w, int h)
+-{
+-    VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
+-    struct VncSurface *s = &vd->guest;
+-    int width = surface_width(vd->ds);
+-    int height = surface_height(vd->ds);
+-
++static void vnc_set_area_dirty(DECLARE_BITMAP(dirty[VNC_MAX_HEIGHT],
++                               VNC_MAX_WIDTH / VNC_DIRTY_PIXELS_PER_BIT),
++                               int width, int height,
++                               int x, int y, int w, int h) {
+     /* this is needed this to ensure we updated all affected
+      * blocks if x % VNC_DIRTY_PIXELS_PER_BIT != 0 */
+     w += (x % VNC_DIRTY_PIXELS_PER_BIT);
+@@ -446,11 +442,22 @@ static void vnc_dpy_update(DisplayChangeListener *dcl,
+     h = MIN(y + h, height);
+ 
+     for (; y < h; y++) {
+-        bitmap_set(s->dirty[y], x / VNC_DIRTY_PIXELS_PER_BIT,
++        bitmap_set(dirty[y], x / VNC_DIRTY_PIXELS_PER_BIT,
+                    DIV_ROUND_UP(w, VNC_DIRTY_PIXELS_PER_BIT));
+     }
+ }
+ 
++static void vnc_dpy_update(DisplayChangeListener *dcl,
++                           int x, int y, int w, int h)
++{
++    VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
++    struct VncSurface *s = &vd->guest;
++    int width = pixman_image_get_width(vd->server);
++    int height = pixman_image_get_height(vd->server);
++
++    vnc_set_area_dirty(s->dirty, width, height, x, y, w, h);
++}
++
+ void vnc_framebuffer_update(VncState *vs, int x, int y, int w, int h,
+                             int32_t encoding)
+ {
+@@ -512,17 +519,15 @@ void buffer_advance(Buffer *buf, size_t len)
+ 
+ static void vnc_desktop_resize(VncState *vs)
+ {
+-    DisplaySurface *ds = vs->vd->ds;
+-
+     if (vs->csock == -1 || !vnc_has_feature(vs, VNC_FEATURE_RESIZE)) {
+         return;
+     }
+-    if (vs->client_width == surface_width(ds) &&
+-        vs->client_height == surface_height(ds)) {
++    if (vs->client_width == pixman_image_get_width(vs->vd->server) &&
++        vs->client_height == pixman_image_get_height(vs->vd->server)) {
+         return;
+     }
+-    vs->client_width = surface_width(ds);
+-    vs->client_height = surface_height(ds);
++    vs->client_width = pixman_image_get_width(vs->vd->server);
++    vs->client_height = pixman_image_get_height(vs->vd->server);
+     vnc_lock_output(vs);
+     vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
+     vnc_write_u8(vs, 0);
+@@ -566,31 +571,24 @@ void *vnc_server_fb_ptr(VncDisplay *vd, int x, int y)
+     ptr += x * VNC_SERVER_FB_BYTES;
+     return ptr;
+ }
+-/* this sets only the visible pixels of a dirty bitmap */
+-#define VNC_SET_VISIBLE_PIXELS_DIRTY(bitmap, w, h) {\
+-        int y;\
+-        memset(bitmap, 0x00, sizeof(bitmap));\
+-        for (y = 0; y < h; y++) {\
+-            bitmap_set(bitmap[y], 0,\
+-                       DIV_ROUND_UP(w, VNC_DIRTY_PIXELS_PER_BIT));\
+-        } \
+-    }
+ 
+ static void vnc_dpy_switch(DisplayChangeListener *dcl,
+                            DisplaySurface *surface)
+ {
+     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
+     VncState *vs;
++    int width, height;
+ 
+     vnc_abort_display_jobs(vd);
+ 
+     /* server surface */
+     qemu_pixman_image_unref(vd->server);
+     vd->ds = surface;
++    width = MIN(VNC_MAX_WIDTH, ROUND_UP(surface_width(vd->ds),
++                                        VNC_DIRTY_PIXELS_PER_BIT));
++    height = MIN(VNC_MAX_HEIGHT, surface_height(vd->ds));
+     vd->server = pixman_image_create_bits(VNC_SERVER_FB_FORMAT,
+-                                          surface_width(vd->ds),
+-                                          surface_height(vd->ds),
+-                                          NULL, 0);
++                                          width, height, NULL, 0);
+ 
+     /* guest surface */
+ #if 0 /* FIXME */
+@@ -600,9 +598,9 @@ static void vnc_dpy_switch(DisplayChangeListener *dcl,
+     qemu_pixman_image_unref(vd->guest.fb);
+     vd->guest.fb = pixman_image_ref(surface->image);
+     vd->guest.format = surface->format;
+-    VNC_SET_VISIBLE_PIXELS_DIRTY(vd->guest.dirty,
+-                                 surface_width(vd->ds),
+-                                 surface_height(vd->ds));
++    memset(vd->guest.dirty, 0x00, sizeof(vd->guest.dirty));
++    vnc_set_area_dirty(vd->guest.dirty, width, height, 0, 0,
++                       width, height);
+ 
+     QTAILQ_FOREACH(vs, &vd->clients, next) {
+         vnc_colordepth(vs);
+@@ -610,9 +608,9 @@ static void vnc_dpy_switch(DisplayChangeListener *dcl,
+         if (vs->vd->cursor) {
+             vnc_cursor_define(vs);
+         }
+-        VNC_SET_VISIBLE_PIXELS_DIRTY(vs->dirty,
+-                                     surface_width(vd->ds),
+-                                     surface_height(vd->ds));
++        memset(vs->dirty, 0x00, sizeof(vs->dirty));
++        vnc_set_area_dirty(vs->dirty, width, height, 0, 0,
++                           width, height);
+     }
+ }
+ 
+@@ -916,8 +914,8 @@ static int vnc_update_client(VncState *vs, int has_dirty)
+          */
+         job = vnc_job_new(vs);
+ 
+-        height = MIN(pixman_image_get_height(vd->server), vs->client_height);
+-        width = MIN(pixman_image_get_width(vd->server), vs->client_width);
++        height = pixman_image_get_height(vd->server);
++        width = pixman_image_get_width(vd->server);
+ 
+         y = 0;
+         for (;;) {
+@@ -1500,8 +1498,8 @@ static void check_pointer_type_change(Notifier *notifier, void *data)
+         vnc_write_u8(vs, 0);
+         vnc_write_u16(vs, 1);
+         vnc_framebuffer_update(vs, absolute, 0,
+-                               surface_width(vs->vd->ds),
+-                               surface_height(vs->vd->ds),
++                               pixman_image_get_width(vs->vd->server),
++                               pixman_image_get_height(vs->vd->server),
+                                VNC_ENCODING_POINTER_TYPE_CHANGE);
+         vnc_unlock_output(vs);
+         vnc_flush(vs);
+@@ -1513,8 +1511,8 @@ static void pointer_event(VncState *vs, int button_mask, int x, int y)
+ {
+     int buttons = 0;
+     int dz = 0;
+-    int width = surface_width(vs->vd->ds);
+-    int height = surface_height(vs->vd->ds);
++    int width = pixman_image_get_width(vs->vd->server);
++    int height = pixman_image_get_height(vs->vd->server);
+ 
+     if (button_mask & 0x01)
+         buttons |= MOUSE_EVENT_LBUTTON;
+@@ -1866,29 +1864,18 @@ static void ext_key_event(VncState *vs, int down,
+ }
+ 
+ static void framebuffer_update_request(VncState *vs, int incremental,
+-                                       int x_position, int y_position,
+-                                       int w, int h)
++                                       int x, int y, int w, int h)
+ {
+-    int i;
+-    const size_t width = surface_width(vs->vd->ds) / VNC_DIRTY_PIXELS_PER_BIT;
+-    const size_t height = surface_height(vs->vd->ds);
+-
+-    if (y_position > height) {
+-        y_position = height;
+-    }
+-    if (y_position + h >= height) {
+-        h = height - y_position;
+-    }
++    int width = pixman_image_get_width(vs->vd->server);
++    int height = pixman_image_get_height(vs->vd->server);
+ 
+     vs->need_update = 1;
+-    if (!incremental) {
+-        vs->force_update = 1;
+-        for (i = 0; i < h; i++) {
+-            bitmap_set(vs->dirty[y_position + i], 0, width);
+-            bitmap_clear(vs->dirty[y_position + i], width,
+-                         VNC_DIRTY_BITS - width);
+-        }
++
++    if (incremental) {
++        return;
+     }
++
++    vnc_set_area_dirty(vs->dirty, width, height, x, y, w, h);
+ }
+ 
+ static void send_ext_key_event_ack(VncState *vs)
+@@ -1898,8 +1885,8 @@ static void send_ext_key_event_ack(VncState *vs)
+     vnc_write_u8(vs, 0);
+     vnc_write_u16(vs, 1);
+     vnc_framebuffer_update(vs, 0, 0,
+-                           surface_width(vs->vd->ds),
+-                           surface_height(vs->vd->ds),
++                           pixman_image_get_width(vs->vd->server),
++                           pixman_image_get_height(vs->vd->server),
+                            VNC_ENCODING_EXT_KEY_EVENT);
+     vnc_unlock_output(vs);
+     vnc_flush(vs);
+@@ -1912,8 +1899,8 @@ static void send_ext_audio_ack(VncState *vs)
+     vnc_write_u8(vs, 0);
+     vnc_write_u16(vs, 1);
+     vnc_framebuffer_update(vs, 0, 0,
+-                           surface_width(vs->vd->ds),
+-                           surface_height(vs->vd->ds),
++                           pixman_image_get_width(vs->vd->server),
++                           pixman_image_get_height(vs->vd->server),
+                            VNC_ENCODING_AUDIO);
+     vnc_unlock_output(vs);
+     vnc_flush(vs);
+@@ -2101,8 +2088,8 @@ static void vnc_colordepth(VncState *vs)
+         vnc_write_u8(vs, 0);
+         vnc_write_u16(vs, 1); /* number of rects */
+         vnc_framebuffer_update(vs, 0, 0,
+-                               surface_width(vs->vd->ds),
+-                               surface_height(vs->vd->ds),
++                               pixman_image_get_width(vs->vd->server),
++                               pixman_image_get_height(vs->vd->server),
+                                VNC_ENCODING_WMVi);
+         pixel_format_message(vs);
+         vnc_unlock_output(vs);
+@@ -2317,8 +2304,8 @@ static int protocol_client_init(VncState *vs, uint8_t *data, size_t len)
+     }
+     vnc_set_share_mode(vs, mode);
+ 
+-    vs->client_width = surface_width(vs->vd->ds);
+-    vs->client_height = surface_height(vs->vd->ds);
++    vs->client_width = pixman_image_get_width(vs->vd->server);
++    vs->client_height = pixman_image_get_height(vs->vd->server);
+     vnc_write_u16(vs, vs->client_width);
+     vnc_write_u16(vs, vs->client_height);
+ 
+@@ -2685,12 +2672,12 @@ static void vnc_rect_updated(VncDisplay *vd, int x, int y, struct timeval * tv)
+ 
+ static int vnc_refresh_server_surface(VncDisplay *vd)
+ {
+-    int width = pixman_image_get_width(vd->guest.fb);
+-    int height = pixman_image_get_height(vd->guest.fb);
+-    int y;
++    int width = MIN(pixman_image_get_width(vd->guest.fb),
++                    pixman_image_get_width(vd->server));
++    int height = MIN(pixman_image_get_height(vd->guest.fb),
++                     pixman_image_get_height(vd->server));
++    int cmp_bytes, server_stride, min_stride, guest_stride, y = 0;
+     uint8_t *guest_row0 = NULL, *server_row0;
+-    int guest_stride = 0, server_stride;
+-    int cmp_bytes;
+     VncState *vs;
+     int has_dirty = 0;
+     pixman_image_t *tmpbuf = NULL;
+@@ -2707,10 +2694,10 @@ static int vnc_refresh_server_surface(VncDisplay *vd)
+      * Check and copy modified bits from guest to server surface.
+      * Update server dirty map.
+      */
+-    cmp_bytes = VNC_DIRTY_PIXELS_PER_BIT * VNC_SERVER_FB_BYTES;
+-    if (cmp_bytes > vnc_server_fb_stride(vd)) {
+-        cmp_bytes = vnc_server_fb_stride(vd);
+-    }
++    server_row0 = (uint8_t *)pixman_image_get_data(vd->server);
++    server_stride = guest_stride = pixman_image_get_stride(vd->server);
++    cmp_bytes = MIN(VNC_DIRTY_PIXELS_PER_BIT * VNC_SERVER_FB_BYTES,
++                    server_stride);
+     if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
+         int width = pixman_image_get_width(vd->server);
+         tmpbuf = qemu_pixman_linebuf_create(VNC_SERVER_FB_FORMAT, width);
+@@ -2718,10 +2705,8 @@ static int vnc_refresh_server_surface(VncDisplay *vd)
+         guest_row0 = (uint8_t *)pixman_image_get_data(vd->guest.fb);
+         guest_stride = pixman_image_get_stride(vd->guest.fb);
+     }
+-    server_row0 = (uint8_t *)pixman_image_get_data(vd->server);
+-    server_stride = pixman_image_get_stride(vd->server);
++    min_stride = MIN(server_stride, guest_stride);
+ 
+-    y = 0;
+     for (;;) {
+         int x;
+         uint8_t *guest_ptr, *server_ptr;
+@@ -2747,13 +2732,17 @@ static int vnc_refresh_server_surface(VncDisplay *vd)
+ 
+         for (; x < DIV_ROUND_UP(width, VNC_DIRTY_PIXELS_PER_BIT);
+              x++, guest_ptr += cmp_bytes, server_ptr += cmp_bytes) {
++            int _cmp_bytes = cmp_bytes;
+             if (!test_and_clear_bit(x, vd->guest.dirty[y])) {
+                 continue;
+             }
+-            if (memcmp(server_ptr, guest_ptr, cmp_bytes) == 0) {
++            if ((x + 1) * cmp_bytes > min_stride) {
++                _cmp_bytes = min_stride - x * cmp_bytes;
++            }
++            if (memcmp(server_ptr, guest_ptr, _cmp_bytes) == 0) {
+                 continue;
+             }
+-            memcpy(server_ptr, guest_ptr, cmp_bytes);
++            memcpy(server_ptr, guest_ptr, _cmp_bytes);
+             if (!vd->non_adaptive) {
+                 vnc_rect_updated(vd, x * VNC_DIRTY_PIXELS_PER_BIT,
+                                  y, &tv);
+diff --git a/ui/vnc.h b/ui/vnc.h
+index ebf4bdd..8d534b6 100644
+--- a/ui/vnc.h
++++ b/ui/vnc.h
+@@ -77,14 +77,15 @@ typedef void VncSendHextileTile(VncState *vs,
+                                 void *last_fg,
+                                 int *has_bg, int *has_fg);
+ 
+-/* VNC_MAX_WIDTH must be a multiple of 16. */
+-#define VNC_MAX_WIDTH 2560
+-#define VNC_MAX_HEIGHT 2048
+-
+ /* VNC_DIRTY_PIXELS_PER_BIT is the number of dirty pixels represented
+- * by one bit in the dirty bitmap */
++ * by one bit in the dirty bitmap, should be a power of 2 */
+ #define VNC_DIRTY_PIXELS_PER_BIT 16
+ 
++/* VNC_MAX_WIDTH must be a multiple of VNC_DIRTY_PIXELS_PER_BIT. */
++
++#define VNC_MAX_WIDTH ROUND_UP(2560, VNC_DIRTY_PIXELS_PER_BIT)
++#define VNC_MAX_HEIGHT 2048
++
+ /* VNC_DIRTY_BITS is the number of bits in the dirty bitmap. */
+ #define VNC_DIRTY_BITS (VNC_MAX_WIDTH / VNC_DIRTY_PIXELS_PER_BIT)
+ 
+@@ -126,7 +127,8 @@ typedef struct VncRectStat VncRectStat;
+ struct VncSurface
+ {
+     struct timeval last_freq_check;
+-    DECLARE_BITMAP(dirty[VNC_MAX_HEIGHT], VNC_MAX_WIDTH / 16);
++    DECLARE_BITMAP(dirty[VNC_MAX_HEIGHT],
++                   VNC_MAX_WIDTH / VNC_DIRTY_PIXELS_PER_BIT);
+     VncRectStat stats[VNC_STAT_ROWS][VNC_STAT_COLS];
+     pixman_image_t *fb;
+     pixman_format_code_t format;
+-- 
+1.8.3.1
+
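Review bot: vnc_set_area_dirty() in ui/vnc.c is now the single path through which vnc_dpy_update(), vnc_dpy_switch() and framebuffer_update_request() write into the fixed-size dirty bitmap, yet the lines visible here bound the rectangle only from above (`h = MIN(y + h, height)`). framebuffer_update_request() previously clamped `y_position` and `h` itself and now forwards its arguments unchanged, so a negative `x` or `y` would index `dirty[y]` or the bit offset below zero. Whether any caller can actually pass a negative value is not visible in this patch. Rejecting such input at the top of the helper, e.g. `if (x < 0 || y < 0 || w <= 0 || h <= 0) { return; }`, would enforce the precondition in one place without aborting the process. Part of the helper's body lies between the hunks shown.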
diff --git a/SOURCES/kvm-ui-vnc-fix-vmware-VGA-incompatiblities.patch b/SOURCES/kvm-ui-vnc-fix-vmware-VGA-incompatiblities.patch
new file mode 100644
index 0000000..96479d3
--- /dev/null
+++ b/SOURCES/kvm-ui-vnc-fix-vmware-VGA-incompatiblities.patch
@@ -0,0 +1,94 @@
+From e35f40730d3d79ebc1870c5716c14f821a67a5ef Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Wed, 22 Feb 2017 12:36:23 +0100
+Subject: [PATCH 05/24] ui/vnc: fix vmware VGA incompatiblities
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: <1487766986-6329-6-git-send-email-kraxel@redhat.com>
+Patchwork-id: 73976
+O-Subject: [RHEL-7.4 qemu-kvm PATCH 5/8] ui/vnc: fix vmware VGA incompatiblities
+Bugzilla: 1377977
+RH-Acked-by: Thomas Huth <thuth@redhat.com>
+RH-Acked-by: Marc-André Lureau <mlureau@redhat.com>
+RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+
+From: Peter Lieven <pl@kamp.de>
+
+this fixes invalid rectangle updates observed after commit 12b316d
+with the vmware VGA driver. The issues occured because the server
+and client surface update seems to be out of sync at some points
+and the max width of the surface is not dividable by
+VNC_DIRTY_BITS_PER_PIXEL (16).
+
+Reported-by: Serge Hallyn <serge.hallyn@ubuntu.com>
+Signed-off-by: Peter Lieven <pl@kamp.de>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit 2f487a3d40faff1772e14da6b921900915501f9a)
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ hw/display/vmware_vga.c |  3 ++-
+ ui/vnc.c                | 10 +++++++---
+ 2 files changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
+index df76aec..8e334c0 100644
+--- a/hw/display/vmware_vga.c
++++ b/hw/display/vmware_vga.c
+@@ -24,6 +24,7 @@
+ #include "hw/hw.h"
+ #include "hw/loader.h"
+ #include "ui/console.h"
++#include "ui/vnc.h"
+ #include "hw/pci/pci.h"
+ 
+ #undef VERBOSE
+@@ -209,7 +210,7 @@ enum {
+ 
+ /* These values can probably be changed arbitrarily.  */
+ #define SVGA_SCRATCH_SIZE               0x8000
+-#define SVGA_MAX_WIDTH                  2360
++#define SVGA_MAX_WIDTH                  ROUND_UP(2360, VNC_DIRTY_PIXELS_PER_BIT)
+ #define SVGA_MAX_HEIGHT                 1770
+ 
+ #ifdef VERBOSE
+diff --git a/ui/vnc.c b/ui/vnc.c
+index 2540261..51f95be 100644
+--- a/ui/vnc.c
++++ b/ui/vnc.c
+@@ -898,7 +898,7 @@ static int vnc_update_client(VncState *vs, int has_dirty)
+         VncDisplay *vd = vs->vd;
+         VncJob *job;
+         int y;
+-        int height;
++        int height, width;
+         int n = 0;
+ 
+         if (vs->output.offset && !vs->audio_cap && !vs->force_update)
+@@ -917,6 +917,7 @@ static int vnc_update_client(VncState *vs, int has_dirty)
+         job = vnc_job_new(vs);
+ 
+         height = MIN(pixman_image_get_height(vd->server), vs->client_height);
++        width = MIN(pixman_image_get_width(vd->server), vs->client_width);
+ 
+         y = 0;
+         for (;;) {
+@@ -935,8 +936,11 @@ static int vnc_update_client(VncState *vs, int has_dirty)
+                                     VNC_DIRTY_BPL(vs), x);
+             bitmap_clear(vs->dirty[y], x, x2 - x);
+             h = find_and_clear_dirty_height(vs, y, x, x2, height);
+-            n += vnc_job_add_rect(job, x * VNC_DIRTY_PIXELS_PER_BIT, y,
+-                                  (x2 - x) * VNC_DIRTY_PIXELS_PER_BIT, h);
++            x2 = MIN(x2, width / VNC_DIRTY_PIXELS_PER_BIT);
++            if (x2 > x) {
++                n += vnc_job_add_rect(job, x * VNC_DIRTY_PIXELS_PER_BIT, y,
++                                      (x2 - x) * VNC_DIRTY_PIXELS_PER_BIT, h);
++            }
+         }
+ 
+         vnc_job_push(job);
+-- 
+1.8.3.1
+
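Review bot: In vnc_update_client() in ui/vnc.c, the new clamp `x2 = MIN(x2, width / VNC_DIRTY_PIXELS_PER_BIT)` runs after `bitmap_clear()` and `find_and_clear_dirty_height()` have already been called with the unclamped `x2`, and the division rounds down. For a width that is not a multiple of VNC_DIRTY_PIXELS_PER_BIT, the trailing partial block therefore appears to lose its dirty bits without any rectangle being queued for it. If that is intended, a comment above the clamp such as `/* blocks past the last full one inside width are dropped, not sent */` would say so. The function continues outside the hunk.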
diff --git a/SOURCES/kvm-ui-vnc-introduce-VNC_DIRTY_PIXELS_PER_BIT-macro.patch b/SOURCES/kvm-ui-vnc-introduce-VNC_DIRTY_PIXELS_PER_BIT-macro.patch
new file mode 100644
index 0000000..f435ab8
--- /dev/null
+++ b/SOURCES/kvm-ui-vnc-introduce-VNC_DIRTY_PIXELS_PER_BIT-macro.patch
@@ -0,0 +1,203 @@
+From fd7f778fd9bd7b99ce790081544b28adede189b2 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Wed, 22 Feb 2017 12:36:19 +0100
+Subject: [PATCH 01/24] ui/vnc: introduce VNC_DIRTY_PIXELS_PER_BIT macro
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: <1487766986-6329-2-git-send-email-kraxel@redhat.com>
+Patchwork-id: 73972
+O-Subject: [RHEL-7.4 qemu-kvm PATCH 1/8] ui/vnc: introduce VNC_DIRTY_PIXELS_PER_BIT macro
+Bugzilla: 1377977
+RH-Acked-by: Thomas Huth <thuth@redhat.com>
+RH-Acked-by: Marc-André Lureau <mlureau@redhat.com>
+RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+
+From: Peter Lieven <pl@kamp.de>
+
+Signed-off-by: Peter Lieven <pl@kamp.de>
+Reviewed-by: Wenchao Xia <xiawenc@linux.vnet.ibm.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit b4c85ddcec24c60616aad9b3b7fc36ce19ba3ca4)
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ ui/vnc.c | 65 ++++++++++++++++++++++++++++++++++++++++------------------------
+ ui/vnc.h |  6 +++++-
+ 2 files changed, 46 insertions(+), 25 deletions(-)
+
+diff --git a/ui/vnc.c b/ui/vnc.c
+index a0e2d33..0c799ed 100644
+--- a/ui/vnc.c
++++ b/ui/vnc.c
+@@ -442,17 +442,19 @@ static void vnc_dpy_update(DisplayChangeListener *dcl,
+        iteration.  otherwise, if (x % 16) != 0, the last iteration may span
+        two 16-pixel blocks but we only mark the first as dirty
+     */
+-    w += (x % 16);
+-    x -= (x % 16);
++    w += (x % VNC_DIRTY_PIXELS_PER_BIT);
++    x -= (x % VNC_DIRTY_PIXELS_PER_BIT);
+ 
+     x = MIN(x, width);
+     y = MIN(y, height);
+     w = MIN(x + w, width) - x;
+     h = MIN(h, height);
+ 
+-    for (; y < h; y++)
+-        for (i = 0; i < w; i += 16)
+-            set_bit((x + i) / 16, s->dirty[y]);
++    for (; y < h; y++) {
++        for (i = 0; i < w; i += VNC_DIRTY_PIXELS_PER_BIT) {
++            set_bit((x + i) / VNC_DIRTY_PIXELS_PER_BIT, s->dirty[y]);
++        }
++    }
+ }
+ 
+ void vnc_framebuffer_update(VncState *vs, int x, int y, int w, int h,
+@@ -769,11 +771,12 @@ static void vnc_dpy_copy(DisplayChangeListener *dcl,
+         y = dst_y + h - 1;
+         inc = -1;
+     }
+-    w_lim = w - (16 - (dst_x % 16));
+-    if (w_lim < 0)
++    w_lim = w - (VNC_DIRTY_PIXELS_PER_BIT - (dst_x % VNC_DIRTY_PIXELS_PER_BIT));
++    if (w_lim < 0) {
+         w_lim = w;
+-    else
+-        w_lim = w - (w_lim % 16);
++    } else {
++        w_lim = w - (w_lim % VNC_DIRTY_PIXELS_PER_BIT);
++    }
+     for (i = 0; i < h; i++) {
+         for (x = 0; x <= w_lim;
+                 x += s, src_row += cmp_bytes, dst_row += cmp_bytes) {
+@@ -781,10 +784,11 @@ static void vnc_dpy_copy(DisplayChangeListener *dcl,
+                 if ((s = w - w_lim) == 0)
+                     break;
+             } else if (!x) {
+-                s = (16 - (dst_x % 16));
++                s = (VNC_DIRTY_PIXELS_PER_BIT -
++                    (dst_x % VNC_DIRTY_PIXELS_PER_BIT));
+                 s = MIN(s, w_lim);
+             } else {
+-                s = 16;
++                s = VNC_DIRTY_PIXELS_PER_BIT;
+             }
+             cmp_bytes = s * VNC_SERVER_FB_BYTES;
+             if (memcmp(src_row, dst_row, cmp_bytes) == 0)
+@@ -792,7 +796,8 @@ static void vnc_dpy_copy(DisplayChangeListener *dcl,
+             memmove(dst_row, src_row, cmp_bytes);
+             QTAILQ_FOREACH(vs, &vd->clients, next) {
+                 if (!vnc_has_feature(vs, VNC_FEATURE_COPYRECT)) {
+-                    set_bit(((x + dst_x) / 16), vs->dirty[y]);
++                    set_bit(((x + dst_x) / VNC_DIRTY_PIXELS_PER_BIT),
++                            vs->dirty[y]);
+                 }
+             }
+         }
+@@ -911,7 +916,7 @@ static int vnc_update_client(VncState *vs, int has_dirty)
+         for (y = 0; y < height; y++) {
+             int x;
+             int last_x = -1;
+-            for (x = 0; x < width / 16; x++) {
++            for (x = 0; x < width / VNC_DIRTY_PIXELS_PER_BIT; x++) {
+                 if (test_and_clear_bit(x, vs->dirty[y])) {
+                     if (last_x == -1) {
+                         last_x = x;
+@@ -921,16 +926,22 @@ static int vnc_update_client(VncState *vs, int has_dirty)
+                         int h = find_and_clear_dirty_height(vs, y, last_x, x,
+                                                             height);
+ 
+-                        n += vnc_job_add_rect(job, last_x * 16, y,
+-                                              (x - last_x) * 16, h);
++                        n += vnc_job_add_rect(job,
++                                              last_x * VNC_DIRTY_PIXELS_PER_BIT,
++                                              y,
++                                              (x - last_x) *
++                                              VNC_DIRTY_PIXELS_PER_BIT,
++                                              h);
+                     }
+                     last_x = -1;
+                 }
+             }
+             if (last_x != -1) {
+                 int h = find_and_clear_dirty_height(vs, y, last_x, x, height);
+-                n += vnc_job_add_rect(job, last_x * 16, y,
+-                                      (x - last_x) * 16, h);
++                n += vnc_job_add_rect(job, last_x * VNC_DIRTY_PIXELS_PER_BIT,
++                                      y,
++                                      (x - last_x) * VNC_DIRTY_PIXELS_PER_BIT,
++                                      h);
+             }
+         }
+ 
+@@ -1861,7 +1872,7 @@ static void framebuffer_update_request(VncState *vs, int incremental,
+                                        int w, int h)
+ {
+     int i;
+-    const size_t width = surface_width(vs->vd->ds) / 16;
++    const size_t width = surface_width(vs->vd->ds) / VNC_DIRTY_PIXELS_PER_BIT;
+     const size_t height = surface_height(vs->vd->ds);
+ 
+     if (y_position > height) {
+@@ -2573,7 +2584,9 @@ static int vnc_refresh_lossy_rect(VncDisplay *vd, int x, int y)
+ 
+         vs->lossy_rect[sty][stx] = 0;
+         for (j = 0; j < VNC_STAT_RECT; ++j) {
+-            bitmap_set(vs->dirty[y + j], x / 16, VNC_STAT_RECT / 16);
++            bitmap_set(vs->dirty[y + j],
++                       x / VNC_DIRTY_PIXELS_PER_BIT,
++                       VNC_STAT_RECT / VNC_DIRTY_PIXELS_PER_BIT);
+         }
+         has_dirty++;
+     }
+@@ -2720,17 +2733,21 @@ static int vnc_refresh_server_surface(VncDisplay *vd)
+             }
+             server_ptr = server_row;
+ 
+-            for (x = 0; x + 15 < width;
+-                    x += 16, guest_ptr += cmp_bytes, server_ptr += cmp_bytes) {
+-                if (!test_and_clear_bit((x / 16), vd->guest.dirty[y]))
++            for (x = 0; x + VNC_DIRTY_PIXELS_PER_BIT - 1 < width;
++                 x += VNC_DIRTY_PIXELS_PER_BIT, guest_ptr += cmp_bytes,
++                 server_ptr += cmp_bytes) {
++                if (!test_and_clear_bit((x / VNC_DIRTY_PIXELS_PER_BIT),
++                    vd->guest.dirty[y])) {
+                     continue;
+-                if (memcmp(server_ptr, guest_ptr, cmp_bytes) == 0)
++                }
++                if (memcmp(server_ptr, guest_ptr, cmp_bytes) == 0) {
+                     continue;
++                }
+                 memcpy(server_ptr, guest_ptr, cmp_bytes);
+                 if (!vd->non_adaptive)
+                     vnc_rect_updated(vd, x, y, &tv);
+                 QTAILQ_FOREACH(vs, &vd->clients, next) {
+-                    set_bit((x / 16), vs->dirty[y]);
++                    set_bit((x / VNC_DIRTY_PIXELS_PER_BIT), vs->dirty[y]);
+                 }
+                 has_dirty++;
+             }
+diff --git a/ui/vnc.h b/ui/vnc.h
+index 0efc5c6..561f383 100644
+--- a/ui/vnc.h
++++ b/ui/vnc.h
+@@ -81,8 +81,12 @@ typedef void VncSendHextileTile(VncState *vs,
+ #define VNC_MAX_WIDTH 2560
+ #define VNC_MAX_HEIGHT 2048
+ 
++/* VNC_DIRTY_PIXELS_PER_BIT is the number of dirty pixels represented
++ * by one bit in the dirty bitmap */
++#define VNC_DIRTY_PIXELS_PER_BIT 16
++
+ /* VNC_DIRTY_BITS is the number of bits in the dirty bitmap. */
+-#define VNC_DIRTY_BITS (VNC_MAX_WIDTH / 16)
++#define VNC_DIRTY_BITS (VNC_MAX_WIDTH / VNC_DIRTY_PIXELS_PER_BIT)
+ 
+ #define VNC_STAT_RECT  64
+ #define VNC_STAT_COLS (VNC_MAX_WIDTH / VNC_STAT_RECT)
+-- 
+1.8.3.1
+
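Review bot: Replacing the literal 16 with VNC_DIRTY_PIXELS_PER_BIT in ui/vnc.h makes the value look tunable, but several expressions truncate silently unless other constants are multiples of it. Examples are `VNC_STAT_RECT / VNC_DIRTY_PIXELS_PER_BIT` in vnc_refresh_lossy_rect() and the VNC_DIRTY_BITS definition itself. Compile-time checks in ui/vnc.c would catch an unsuitable value: `QEMU_BUILD_BUG_ON(VNC_MAX_WIDTH % VNC_DIRTY_PIXELS_PER_BIT);` and `QEMU_BUILD_BUG_ON(VNC_STAT_RECT % VNC_DIRTY_PIXELS_PER_BIT);`.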
diff --git a/SOURCES/kvm-ui-vnc-optimize-dirty-bitmap-tracking.patch b/SOURCES/kvm-ui-vnc-optimize-dirty-bitmap-tracking.patch
new file mode 100644
index 0000000..d45c7a3
--- /dev/null
+++ b/SOURCES/kvm-ui-vnc-optimize-dirty-bitmap-tracking.patch
@@ -0,0 +1,287 @@
+From ea939f77fa0b152746821afb017cfef8170e5500 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Wed, 22 Feb 2017 12:36:21 +0100
+Subject: [PATCH 03/24] ui/vnc: optimize dirty bitmap tracking
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: <1487766986-6329-4-git-send-email-kraxel@redhat.com>
+Patchwork-id: 73979
+O-Subject: [RHEL-7.4 qemu-kvm PATCH 3/8] ui/vnc: optimize dirty bitmap tracking
+Bugzilla: 1377977
+RH-Acked-by: Thomas Huth <thuth@redhat.com>
+RH-Acked-by: Marc-André Lureau <mlureau@redhat.com>
+RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+
+From: Peter Lieven <pl@kamp.de>
+
+vnc_update_client currently scans the dirty bitmap of each client
+bitwise which is a very costly operation if only few bits are dirty.
+vnc_refresh_server_surface does almost the same.
+this patch optimizes both by utilizing the heavily optimized
+function find_next_bit to find the offset of the next dirty
+bit in the dirty bitmaps.
+
+The following artifical test (just the bitmap operation part) running
+vnc_update_client 65536 times on a 2560x2048 surface illustrates the
+performance difference:
+
+All bits clean - vnc_update_client_new: 0.07 secs
+ vnc_update_client_old: 10.98 secs
+
+All bits dirty - vnc_update_client_new: 11.26 secs
+ vnc_update_client_old: 20.19 secs
+
+Few bits dirty - vnc_update_client_new: 0.08 secs
+ vnc_update_client_old: 10.98 secs
+
+The case for all bits dirty is still rather slow, this
+is due to the implementation of find_and_clear_dirty_height.
+This will be addresses in a separate patch.
+
+Signed-off-by: Peter Lieven <pl@kamp.de>
+Reviewed-by: Wenchao Xia <xiawenc@linux.vnet.ibm.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit 12b316d4c173bf07f421ef9dc98ba4b53916066e)
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ ui/vnc.c | 155 ++++++++++++++++++++++++++++++++++-----------------------------
+ ui/vnc.h |   4 ++
+ 2 files changed, 88 insertions(+), 71 deletions(-)
+
+diff --git a/ui/vnc.c b/ui/vnc.c
+index 13fb34b..54530a2 100644
+--- a/ui/vnc.c
++++ b/ui/vnc.c
+@@ -572,6 +572,15 @@ void *vnc_server_fb_ptr(VncDisplay *vd, int x, int y)
+     ptr += x * VNC_SERVER_FB_BYTES;
+     return ptr;
+ }
++/* this sets only the visible pixels of a dirty bitmap */
++#define VNC_SET_VISIBLE_PIXELS_DIRTY(bitmap, w, h) {\
++        int y;\
++        memset(bitmap, 0x00, sizeof(bitmap));\
++        for (y = 0; y < h; y++) {\
++            bitmap_set(bitmap[y], 0,\
++                       DIV_ROUND_UP(w, VNC_DIRTY_PIXELS_PER_BIT));\
++        } \
++    }
+ 
+ static void vnc_dpy_switch(DisplayChangeListener *dcl,
+                            DisplaySurface *surface)
+@@ -597,7 +606,9 @@ static void vnc_dpy_switch(DisplayChangeListener *dcl,
+     qemu_pixman_image_unref(vd->guest.fb);
+     vd->guest.fb = pixman_image_ref(surface->image);
+     vd->guest.format = surface->format;
+-    memset(vd->guest.dirty, 0xFF, sizeof(vd->guest.dirty));
++    VNC_SET_VISIBLE_PIXELS_DIRTY(vd->guest.dirty,
++                                 surface_width(vd->ds),
++                                 surface_height(vd->ds));
+ 
+     QTAILQ_FOREACH(vs, &vd->clients, next) {
+         vnc_colordepth(vs);
+@@ -605,7 +616,9 @@ static void vnc_dpy_switch(DisplayChangeListener *dcl,
+         if (vs->vd->cursor) {
+             vnc_cursor_define(vs);
+         }
+-        memset(vs->dirty, 0xFF, sizeof(vs->dirty));
++        VNC_SET_VISIBLE_PIXELS_DIRTY(vs->dirty,
++                                     surface_width(vd->ds),
++                                     surface_height(vd->ds));
+     }
+ }
+ 
+@@ -891,10 +904,9 @@ static int vnc_update_client(VncState *vs, int has_dirty)
+         VncDisplay *vd = vs->vd;
+         VncJob *job;
+         int y;
+-        int width, height;
++        int height;
+         int n = 0;
+ 
+-
+         if (vs->output.offset && !vs->audio_cap && !vs->force_update)
+             /* kernel send buffers are full -> drop frames to throttle */
+             return 0;
+@@ -910,39 +922,27 @@ static int vnc_update_client(VncState *vs, int has_dirty)
+          */
+         job = vnc_job_new(vs);
+ 
+-        width = MIN(pixman_image_get_width(vd->server), vs->client_width);
+         height = MIN(pixman_image_get_height(vd->server), vs->client_height);
+ 
+-        for (y = 0; y < height; y++) {
+-            int x;
+-            int last_x = -1;
+-            for (x = 0; x < width / VNC_DIRTY_PIXELS_PER_BIT; x++) {
+-                if (test_and_clear_bit(x, vs->dirty[y])) {
+-                    if (last_x == -1) {
+-                        last_x = x;
+-                    }
+-                } else {
+-                    if (last_x != -1) {
+-                        int h = find_and_clear_dirty_height(vs, y, last_x, x,
+-                                                            height);
+-
+-                        n += vnc_job_add_rect(job,
+-                                              last_x * VNC_DIRTY_PIXELS_PER_BIT,
+-                                              y,
+-                                              (x - last_x) *
+-                                              VNC_DIRTY_PIXELS_PER_BIT,
+-                                              h);
+-                    }
+-                    last_x = -1;
+-                }
+-            }
+-            if (last_x != -1) {
+-                int h = find_and_clear_dirty_height(vs, y, last_x, x, height);
+-                n += vnc_job_add_rect(job, last_x * VNC_DIRTY_PIXELS_PER_BIT,
+-                                      y,
+-                                      (x - last_x) * VNC_DIRTY_PIXELS_PER_BIT,
+-                                      h);
++        y = 0;
++        for (;;) {
++            int x, h;
++            unsigned long x2;
++            unsigned long offset = find_next_bit((unsigned long *) &vs->dirty,
++                                                 height * VNC_DIRTY_BPL(vs),
++                                                 y * VNC_DIRTY_BPL(vs));
++            if (offset == height * VNC_DIRTY_BPL(vs)) {
++                /* no more dirty bits */
++                break;
+             }
++            y = offset / VNC_DIRTY_BPL(vs);
++            x = offset % VNC_DIRTY_BPL(vs);
++            x2 = find_next_zero_bit((unsigned long *) &vs->dirty[y],
++                                    VNC_DIRTY_BPL(vs), x);
++            bitmap_clear(vs->dirty[y], x, x2 - x);
++            h = find_and_clear_dirty_height(vs, y, x, x2, height);
++            n += vnc_job_add_rect(job, x * VNC_DIRTY_PIXELS_PER_BIT, y,
++                                  (x2 - x) * VNC_DIRTY_PIXELS_PER_BIT, h);
+         }
+ 
+         vnc_job_push(job);
+@@ -2690,8 +2690,8 @@ static int vnc_refresh_server_surface(VncDisplay *vd)
+     int width = pixman_image_get_width(vd->guest.fb);
+     int height = pixman_image_get_height(vd->guest.fb);
+     int y;
+-    uint8_t *guest_row;
+-    uint8_t *server_row;
++    uint8_t *guest_row0 = NULL, *server_row0;
++    int guest_stride = 0, server_stride;
+     int cmp_bytes;
+     VncState *vs;
+     int has_dirty = 0;
+@@ -2716,44 +2716,57 @@ static int vnc_refresh_server_surface(VncDisplay *vd)
+     if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
+         int width = pixman_image_get_width(vd->server);
+         tmpbuf = qemu_pixman_linebuf_create(VNC_SERVER_FB_FORMAT, width);
+-    }
+-    guest_row = (uint8_t *)pixman_image_get_data(vd->guest.fb);
+-    server_row = (uint8_t *)pixman_image_get_data(vd->server);
+-    for (y = 0; y < height; y++) {
+-        if (!bitmap_empty(vd->guest.dirty[y], VNC_DIRTY_BITS)) {
+-            int x;
+-            uint8_t *guest_ptr;
+-            uint8_t *server_ptr;
+-
+-            if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
+-                qemu_pixman_linebuf_fill(tmpbuf, vd->guest.fb, width, 0, y);
+-                guest_ptr = (uint8_t *)pixman_image_get_data(tmpbuf);
+-            } else {
+-                guest_ptr = guest_row;
+-            }
+-            server_ptr = server_row;
++    } else {
++        guest_row0 = (uint8_t *)pixman_image_get_data(vd->guest.fb);
++        guest_stride = pixman_image_get_stride(vd->guest.fb);
++    }
++    server_row0 = (uint8_t *)pixman_image_get_data(vd->server);
++    server_stride = pixman_image_get_stride(vd->server);
++
++    y = 0;
++    for (;;) {
++        int x;
++        uint8_t *guest_ptr, *server_ptr;
++        unsigned long offset = find_next_bit((unsigned long *) &vd->guest.dirty,
++                                             height * VNC_DIRTY_BPL(&vd->guest),
++                                             y * VNC_DIRTY_BPL(&vd->guest));
++        if (offset == height * VNC_DIRTY_BPL(&vd->guest)) {
++            /* no more dirty bits */
++            break;
++        }
++        y = offset / VNC_DIRTY_BPL(&vd->guest);
++        x = offset % VNC_DIRTY_BPL(&vd->guest);
+ 
+-            for (x = 0; x + VNC_DIRTY_PIXELS_PER_BIT - 1 < width;
+-                 x += VNC_DIRTY_PIXELS_PER_BIT, guest_ptr += cmp_bytes,
+-                 server_ptr += cmp_bytes) {
+-                if (!test_and_clear_bit((x / VNC_DIRTY_PIXELS_PER_BIT),
+-                    vd->guest.dirty[y])) {
+-                    continue;
+-                }
+-                if (memcmp(server_ptr, guest_ptr, cmp_bytes) == 0) {
+-                    continue;
+-                }
+-                memcpy(server_ptr, guest_ptr, cmp_bytes);
+-                if (!vd->non_adaptive)
+-                    vnc_rect_updated(vd, x, y, &tv);
+-                QTAILQ_FOREACH(vs, &vd->clients, next) {
+-                    set_bit((x / VNC_DIRTY_PIXELS_PER_BIT), vs->dirty[y]);
+-                }
+-                has_dirty++;
++        server_ptr = server_row0 + y * server_stride + x * cmp_bytes;
++
++        if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
++            qemu_pixman_linebuf_fill(tmpbuf, vd->guest.fb, width, 0, y);
++            guest_ptr = (uint8_t *)pixman_image_get_data(tmpbuf);
++        } else {
++            guest_ptr = guest_row0 + y * guest_stride;
++        }
++        guest_ptr += x * cmp_bytes;
++
++        for (; x < DIV_ROUND_UP(width, VNC_DIRTY_PIXELS_PER_BIT);
++             x++, guest_ptr += cmp_bytes, server_ptr += cmp_bytes) {
++            if (!test_and_clear_bit(x, vd->guest.dirty[y])) {
++                continue;
++            }
++            if (memcmp(server_ptr, guest_ptr, cmp_bytes) == 0) {
++                continue;
++            }
++            memcpy(server_ptr, guest_ptr, cmp_bytes);
++            if (!vd->non_adaptive) {
++                vnc_rect_updated(vd, x * VNC_DIRTY_PIXELS_PER_BIT,
++                                 y, &tv);
+             }
++            QTAILQ_FOREACH(vs, &vd->clients, next) {
++                set_bit(x, vs->dirty[y]);
++            }
++            has_dirty++;
+         }
+-        guest_row  += pixman_image_get_stride(vd->guest.fb);
+-        server_row += pixman_image_get_stride(vd->server);
++
++        y++;
+     }
+     qemu_pixman_image_unref(tmpbuf);
+     return has_dirty;
+diff --git a/ui/vnc.h b/ui/vnc.h
+index 561f383..ebf4bdd 100644
+--- a/ui/vnc.h
++++ b/ui/vnc.h
+@@ -88,6 +88,10 @@ typedef void VncSendHextileTile(VncState *vs,
+ /* VNC_DIRTY_BITS is the number of bits in the dirty bitmap. */
+ #define VNC_DIRTY_BITS (VNC_MAX_WIDTH / VNC_DIRTY_PIXELS_PER_BIT)
+ 
++/* VNC_DIRTY_BPL (BPL = bits per line) might be greater than
++ * VNC_DIRTY_BITS due to alignment */
++#define VNC_DIRTY_BPL(x) (sizeof((x)->dirty) / VNC_MAX_HEIGHT * BITS_PER_BYTE)
++
+ #define VNC_STAT_RECT  64
+ #define VNC_STAT_COLS (VNC_MAX_WIDTH / VNC_STAT_RECT)
+ #define VNC_STAT_ROWS (VNC_MAX_HEIGHT / VNC_STAT_RECT)
+-- 
+1.8.3.1
+
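Review bot: In the rewritten inner loop of vnc_refresh_server_surface the bound changes from `x + VNC_DIRTY_PIXELS_PER_BIT - 1 < width` to `x < DIV_ROUND_UP(width, VNC_DIRTY_PIXELS_PER_BIT)`, so a trailing partial block is now compared and copied with the full `cmp_bytes` length. When width is not a multiple of VNC_DIRTY_PIXELS_PER_BIT, the `memcmp`/`memcpy` on that last block can run past the end of the row, and on the `tmpbuf` path past a line buffer that holds a single line; `cmp_bytes` is assigned outside the hunk, so this assumes it is a fixed per-block size. I would clamp the length for the last block, for example `int n = MIN(cmp_bytes, width * VNC_SERVER_FB_BYTES - x * cmp_bytes);`, and pass `n` to both calls. The same loop hands `height` from the guest framebuffer to `find_next_bit` with no clamp against VNC_MAX_HEIGHT visible in the hunk, which is worth confirming in the part of the function not shown.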
diff --git a/SOURCES/kvm-ui-vnc-optimize-setting-in-vnc_dpy_update.patch b/SOURCES/kvm-ui-vnc-optimize-setting-in-vnc_dpy_update.patch
new file mode 100644
index 0000000..d2de57e
--- /dev/null
+++ b/SOURCES/kvm-ui-vnc-optimize-setting-in-vnc_dpy_update.patch
@@ -0,0 +1,71 @@
+From 9730b328cc524281334344466a01fb861b271b82 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Wed, 22 Feb 2017 12:36:22 +0100
+Subject: [PATCH 04/24] ui/vnc: optimize setting in vnc_dpy_update()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: <1487766986-6329-5-git-send-email-kraxel@redhat.com>
+Patchwork-id: 73974
+O-Subject: [RHEL-7.4 qemu-kvm PATCH 4/8] ui/vnc: optimize setting in vnc_dpy_update()
+Bugzilla: 1377977
+RH-Acked-by: Thomas Huth <thuth@redhat.com>
+RH-Acked-by: Marc-André Lureau <mlureau@redhat.com>
+RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+
+From: Peter Lieven <pl@kamp.de>
+
+Signed-off-by: Peter Lieven <pl@kamp.de>
+Reviewed-by: Wenchao Xia <xiawenc@linux.vnet.ibm.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit 919372251cbfa9e43b0264fec475dd1eca23784f)
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ ui/vnc.c | 16 +++++-----------
+ 1 file changed, 5 insertions(+), 11 deletions(-)
+
+diff --git a/ui/vnc.c b/ui/vnc.c
+index 54530a2..2540261 100644
+--- a/ui/vnc.c
++++ b/ui/vnc.c
+@@ -430,30 +430,24 @@ static int vnc_refresh_server_surface(VncDisplay *vd);
+ static void vnc_dpy_update(DisplayChangeListener *dcl,
+                            int x, int y, int w, int h)
+ {
+-    int i;
+     VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
+     struct VncSurface *s = &vd->guest;
+     int width = surface_width(vd->ds);
+     int height = surface_height(vd->ds);
+ 
+-    h += y;
+-
+-    /* round x down to ensure the loop only spans one 16-pixel block per,
+-       iteration.  otherwise, if (x % 16) != 0, the last iteration may span
+-       two 16-pixel blocks but we only mark the first as dirty
+-    */
++    /* this is needed this to ensure we updated all affected
++     * blocks if x % VNC_DIRTY_PIXELS_PER_BIT != 0 */
+     w += (x % VNC_DIRTY_PIXELS_PER_BIT);
+     x -= (x % VNC_DIRTY_PIXELS_PER_BIT);
+ 
+     x = MIN(x, width);
+     y = MIN(y, height);
+     w = MIN(x + w, width) - x;
+-    h = MIN(h, height);
++    h = MIN(y + h, height);
+ 
+     for (; y < h; y++) {
+-        for (i = 0; i < w; i += VNC_DIRTY_PIXELS_PER_BIT) {
+-            set_bit((x + i) / VNC_DIRTY_PIXELS_PER_BIT, s->dirty[y]);
+-        }
++        bitmap_set(s->dirty[y], x / VNC_DIRTY_PIXELS_PER_BIT,
++                   DIV_ROUND_UP(w, VNC_DIRTY_PIXELS_PER_BIT));
+     }
+ }
+ 
+-- 
+1.8.3.1
+
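Review bot: The `bitmap_set(s->dirty[y], x / VNC_DIRTY_PIXELS_PER_BIT, ...)` call in vnc_dpy_update now writes a whole bit range per row, yet x, y, w and h are limited only by the surface width and height. Nothing in the hunk bounds them by the dirty bitmap's own dimensions, so a surface larger than VNC_MAX_WIDTH x VNC_MAX_HEIGHT would index outside `s->dirty`; whether callers or the surface setup rule that out is not visible here. Clamping first would make the function safe on its own: `width = MIN(width, VNC_MAX_WIDTH);` and `height = MIN(height, VNC_MAX_HEIGHT);` ahead of the existing MIN lines, with a matching lower bound on x and y if negative coordinates can reach this callback. The new comment also carries a stray word ("this is needed this to ensure").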
diff --git a/SOURCES/kvm-usb-ccid-add-check-message-size-checks.patch b/SOURCES/kvm-usb-ccid-add-check-message-size-checks.patch
new file mode 100644
index 0000000..f0c2e48
--- /dev/null
+++ b/SOURCES/kvm-usb-ccid-add-check-message-size-checks.patch
@@ -0,0 +1,64 @@
+From 3d6cc57909eca16bd7bc4dc823b5eb71e65baffb Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Tue, 14 Mar 2017 08:52:56 +0100
+Subject: [PATCH 23/24] usb-ccid: add check message size checks
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: <1489481576-26911-5-git-send-email-kraxel@redhat.com>
+Patchwork-id: 74287
+O-Subject: [RHEL-7.4 qemu-kvm PATCH 4/4] usb-ccid: add check message size checks
+Bugzilla: 1419818
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+Check message size too when figuring whenever we should expect more data.
+Fix debug message to show useful data, p->iov.size is fixed anyway if we
+land there, print how much we got meanwhile instead.
+
+Also check announced message size against actual message size.  That
+is a more general fix for CVE-2017-5898 than commit "c7dfbf3 usb: ccid:
+check ccid apdu length".
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-id: 1487250819-23764-4-git-send-email-kraxel@redhat.com
+(cherry picked from commit 31fb4444a485a348f8e2699d7c3dd15e1819ad2c)
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ hw/usb/dev-smartcard-reader.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/hw/usb/dev-smartcard-reader.c b/hw/usb/dev-smartcard-reader.c
+index 07d15ba..5e96a18 100644
+--- a/hw/usb/dev-smartcard-reader.c
++++ b/hw/usb/dev-smartcard-reader.c
+@@ -1009,12 +1009,19 @@ static void ccid_handle_bulk_out(USBCCIDState *s, USBPacket *p)
+     }
+ 
+     ccid_header = (CCID_Header *)s->bulk_out_data;
+-    if (p->iov.size == CCID_MAX_PACKET_SIZE) {
++    if ((s->bulk_out_pos - 10 < ccid_header->dwLength) &&
++        (p->iov.size == CCID_MAX_PACKET_SIZE)) {
+         DPRINTF(s, D_VERBOSE,
+-            "usb-ccid: bulk_in: expecting more packets (%zd/%d)\n",
+-            p->iov.size, ccid_header->dwLength);
++                "usb-ccid: bulk_in: expecting more packets (%d/%d)\n",
++                s->bulk_out_pos - 10, ccid_header->dwLength);
+         return;
+     }
++    if (s->bulk_out_pos - 10 != ccid_header->dwLength) {
++        DPRINTF(s, 1,
++                "usb-ccid: bulk_in: message size mismatch (got %d, expected %d)\n",
++                s->bulk_out_pos - 10, ccid_header->dwLength);
++        goto err;
++    }
+ 
+     DPRINTF(s, D_MORE_INFO, "%s %x %s\n", __func__,
+             ccid_header->bMessageType,
+-- 
+1.8.3.1
+
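Review bot: The new size checks in ccid_handle_bulk_out compute `s->bulk_out_pos - 10` four times and compare it with the guest-supplied `ccid_header->dwLength`, with the header length written as a bare literal. The subtraction is only safe because of the `bulk_out_pos < 10` guard from the "move header size check" patch, which sits outside this hunk and repeats the same literal; a named constant (for example `#define CCID_HEADER_SIZE 10`, name constructed here) and a one-line comment stating that dependency would keep the two from drifting apart. The `%d` conversions assume both values are plain ints, which the field name dwLength makes doubtful, so the formats should be checked against the declarations. Both messages also say "bulk_in" although this is the bulk-out handler, which will mislead anyone triaging the log.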
diff --git a/SOURCES/kvm-usb-ccid-better-bulk_out-error-handling.patch b/SOURCES/kvm-usb-ccid-better-bulk_out-error-handling.patch
new file mode 100644
index 0000000..6eab01a
--- /dev/null
+++ b/SOURCES/kvm-usb-ccid-better-bulk_out-error-handling.patch
@@ -0,0 +1,175 @@
+From b71bd2f7f4a259183fa3d38e6e891cffb86683e2 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Tue, 14 Mar 2017 08:52:54 +0100
+Subject: [PATCH 21/24] usb-ccid: better bulk_out error handling
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: <1489481576-26911-3-git-send-email-kraxel@redhat.com>
+Patchwork-id: 74289
+O-Subject: [RHEL-7.4 qemu-kvm PATCH 2/4] usb-ccid: better bulk_out error handling
+Bugzilla: 1419818
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+Add err goto label where we can jump to from all error conditions.
+STALL request on all errors.  Reset position on all errors.
+
+Normal request processing is not in a else branch any more, so this code
+is reintended, there are no code changes in that part of the code
+though.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-id: 1487250819-23764-2-git-send-email-kraxel@redhat.com
+(cherry picked from commit 0aeebc73b7976bae5cb7e9768e3d9a0fd9d634e8)
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ hw/usb/dev-smartcard-reader.c | 116 ++++++++++++++++++++++--------------------
+ 1 file changed, 61 insertions(+), 55 deletions(-)
+
+diff --git a/hw/usb/dev-smartcard-reader.c b/hw/usb/dev-smartcard-reader.c
+index 0e0b363..672a7bf 100644
+--- a/hw/usb/dev-smartcard-reader.c
++++ b/hw/usb/dev-smartcard-reader.c
+@@ -999,8 +999,7 @@ static void ccid_handle_bulk_out(USBCCIDState *s, USBPacket *p)
+     CCID_Header *ccid_header;
+ 
+     if (p->iov.size + s->bulk_out_pos > BULK_OUT_DATA_SIZE) {
+-        p->status = USB_RET_STALL;
+-        return;
++        goto err;
+     }
+     ccid_header = (CCID_Header *)s->bulk_out_data;
+     usb_packet_copy(p, s->bulk_out_data + s->bulk_out_pos, p->iov.size);
+@@ -1015,64 +1014,71 @@ static void ccid_handle_bulk_out(USBCCIDState *s, USBPacket *p)
+         DPRINTF(s, 1,
+                 "%s: bad USB_TOKEN_OUT length, should be at least 10 bytes\n",
+                 __func__);
+-    } else {
+-        DPRINTF(s, D_MORE_INFO, "%s %x %s\n", __func__,
+-                ccid_header->bMessageType,
+-                ccid_message_type_to_str(ccid_header->bMessageType));
+-        switch (ccid_header->bMessageType) {
+-        case CCID_MESSAGE_TYPE_PC_to_RDR_GetSlotStatus:
+-            ccid_write_slot_status(s, ccid_header);
+-            break;
+-        case CCID_MESSAGE_TYPE_PC_to_RDR_IccPowerOn:
+-            DPRINTF(s, 1, "%s: PowerOn: %d\n", __func__,
++        goto err;
++    }
++
++    DPRINTF(s, D_MORE_INFO, "%s %x %s\n", __func__,
++            ccid_header->bMessageType,
++            ccid_message_type_to_str(ccid_header->bMessageType));
++    switch (ccid_header->bMessageType) {
++    case CCID_MESSAGE_TYPE_PC_to_RDR_GetSlotStatus:
++        ccid_write_slot_status(s, ccid_header);
++        break;
++    case CCID_MESSAGE_TYPE_PC_to_RDR_IccPowerOn:
++        DPRINTF(s, 1, "%s: PowerOn: %d\n", __func__,
+                 ((CCID_IccPowerOn *)(ccid_header))->bPowerSelect);
+-            s->powered = true;
+-            if (!ccid_card_inserted(s)) {
+-                ccid_report_error_failed(s, ERROR_ICC_MUTE);
+-            }
+-            /* atr is written regardless of error. */
+-            ccid_write_data_block_atr(s, ccid_header);
+-            break;
+-        case CCID_MESSAGE_TYPE_PC_to_RDR_IccPowerOff:
+-            ccid_reset_error_status(s);
+-            s->powered = false;
+-            ccid_write_slot_status(s, ccid_header);
+-            break;
+-        case CCID_MESSAGE_TYPE_PC_to_RDR_XfrBlock:
+-            ccid_on_apdu_from_guest(s, (CCID_XferBlock *)s->bulk_out_data);
+-            break;
+-        case CCID_MESSAGE_TYPE_PC_to_RDR_SetParameters:
+-            ccid_reset_error_status(s);
+-            ccid_set_parameters(s, ccid_header);
+-            ccid_write_parameters(s, ccid_header);
+-            break;
+-        case CCID_MESSAGE_TYPE_PC_to_RDR_ResetParameters:
+-            ccid_reset_error_status(s);
+-            ccid_reset_parameters(s);
+-            ccid_write_parameters(s, ccid_header);
+-            break;
+-        case CCID_MESSAGE_TYPE_PC_to_RDR_GetParameters:
+-            ccid_reset_error_status(s);
+-            ccid_write_parameters(s, ccid_header);
+-            break;
+-        case CCID_MESSAGE_TYPE_PC_to_RDR_Mechanical:
+-            ccid_report_error_failed(s, 0);
+-            ccid_write_slot_status(s, ccid_header);
+-            break;
+-        default:
+-            DPRINTF(s, 1,
++        s->powered = true;
++        if (!ccid_card_inserted(s)) {
++            ccid_report_error_failed(s, ERROR_ICC_MUTE);
++        }
++        /* atr is written regardless of error. */
++        ccid_write_data_block_atr(s, ccid_header);
++        break;
++    case CCID_MESSAGE_TYPE_PC_to_RDR_IccPowerOff:
++        ccid_reset_error_status(s);
++        s->powered = false;
++        ccid_write_slot_status(s, ccid_header);
++        break;
++    case CCID_MESSAGE_TYPE_PC_to_RDR_XfrBlock:
++        ccid_on_apdu_from_guest(s, (CCID_XferBlock *)s->bulk_out_data);
++        break;
++    case CCID_MESSAGE_TYPE_PC_to_RDR_SetParameters:
++        ccid_reset_error_status(s);
++        ccid_set_parameters(s, ccid_header);
++        ccid_write_parameters(s, ccid_header);
++        break;
++    case CCID_MESSAGE_TYPE_PC_to_RDR_ResetParameters:
++        ccid_reset_error_status(s);
++        ccid_reset_parameters(s);
++        ccid_write_parameters(s, ccid_header);
++        break;
++    case CCID_MESSAGE_TYPE_PC_to_RDR_GetParameters:
++        ccid_reset_error_status(s);
++        ccid_write_parameters(s, ccid_header);
++        break;
++    case CCID_MESSAGE_TYPE_PC_to_RDR_Mechanical:
++        ccid_report_error_failed(s, 0);
++        ccid_write_slot_status(s, ccid_header);
++        break;
++    default:
++        DPRINTF(s, 1,
+                 "handle_data: ERROR: unhandled message type %Xh\n",
+                 ccid_header->bMessageType);
+-            /*
+-             * The caller is expecting the device to respond, tell it we
+-             * don't support the operation.
+-             */
+-            ccid_report_error_failed(s, ERROR_CMD_NOT_SUPPORTED);
+-            ccid_write_slot_status(s, ccid_header);
+-            break;
+-        }
++        /*
++         * The caller is expecting the device to respond, tell it we
++         * don't support the operation.
++         */
++        ccid_report_error_failed(s, ERROR_CMD_NOT_SUPPORTED);
++        ccid_write_slot_status(s, ccid_header);
++        break;
+     }
+     s->bulk_out_pos = 0;
++    return;
++
++err:
++    p->status = USB_RET_STALL;
++    s->bulk_out_pos = 0;
++    return;
+ }
+ 
+ static void ccid_bulk_in_copy_to_guest(USBCCIDState *s, USBPacket *p)
+-- 
+1.8.3.1
+
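Review bot: The `err:` label added to ccid_handle_bulk_out has no comment saying that it both stalls the request and drops whatever was accumulated in `bulk_out_data`, which is the part of this change a later reader most needs to know. A short comment such as `/* malformed or oversized transfer: STALL and discard the partial message */` above `p->status = USB_RET_STALL;` would make that contract explicit. The trailing `return;` after the second `s->bulk_out_pos = 0;` is redundant at the end of a void function. The function begins before the hunk.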
diff --git a/SOURCES/kvm-usb-ccid-check-ccid-apdu-length.patch b/SOURCES/kvm-usb-ccid-check-ccid-apdu-length.patch
new file mode 100644
index 0000000..7091df9
--- /dev/null
+++ b/SOURCES/kvm-usb-ccid-check-ccid-apdu-length.patch
@@ -0,0 +1,48 @@
+From c69bcffde2abc36576ff8b9d60f721e1261fec32 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Tue, 14 Mar 2017 08:52:53 +0100
+Subject: [PATCH 20/24] usb: ccid: check ccid apdu length
+
+RH-Author: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: <1489481576-26911-2-git-send-email-kraxel@redhat.com>
+Patchwork-id: 74286
+O-Subject: [RHEL-7.4 qemu-kvm PATCH 1/4] usb: ccid: check ccid apdu length
+Bugzilla: 1419818
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+From: Prasad J Pandit <pjp@fedoraproject.org>
+
+CCID device emulator uses Application Protocol Data Units(APDU)
+to exchange command and responses to and from the host.
+The length in these units couldn't be greater than 65536. Add
+check to ensure the same. It'd also avoid potential integer
+overflow in emulated_apdu_from_guest.
+
+Reported-by: Li Qiang <liqiang6-s@360.cn>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-id: 20170202192228.10847-1-ppandit@redhat.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit c7dfbf322595ded4e70b626bf83158a9f3807c6a)
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ hw/usb/dev-smartcard-reader.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/usb/dev-smartcard-reader.c b/hw/usb/dev-smartcard-reader.c
+index 0e666e1..0e0b363 100644
+--- a/hw/usb/dev-smartcard-reader.c
++++ b/hw/usb/dev-smartcard-reader.c
+@@ -965,7 +965,7 @@ static void ccid_on_apdu_from_guest(USBCCIDState *s, CCID_XferBlock *recv)
+     DPRINTF(s, 1, "%s: seq %d, len %d\n", __func__,
+                 recv->hdr.bSeq, len);
+     ccid_add_pending_answer(s, (CCID_Header *)recv);
+-    if (s->card) {
++    if (s->card && len <= BULK_OUT_DATA_SIZE) {
+         ccid_card_apdu_from_guest(s->card, recv->abData, len);
+     } else {
+         DPRINTF(s, D_WARN, "warning: discarded apdu\n");
+-- 
+1.8.3.1
+
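Review bot: The bound `len <= BULK_OUT_DATA_SIZE` in ccid_on_apdu_from_guest looks looser than the buffer it protects. `recv->abData` is a member of CCID_XferBlock, and elsewhere in this series the function is called with `(CCID_XferBlock *)s->bulk_out_data`, so the payload starts after the header inside a buffer that the overflow check in ccid_handle_bulk_out suggests is BULK_OUT_DATA_SIZE bytes long. A `len` equal to BULK_OUT_DATA_SIZE would then still let `ccid_card_apdu_from_guest` read past the end by the header size; subtracting the payload offset gives the exact limit, `if (s->card && len <= BULK_OUT_DATA_SIZE - offsetof(CCID_XferBlock, abData)) {`. How `len` is derived is outside the hunk, so its signedness should be checked as well. The later "add check message size checks" patch narrows this by comparing the announced length with the bytes received, but this check should hold on its own.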
diff --git a/SOURCES/kvm-usb-ccid-move-header-size-check.patch b/SOURCES/kvm-usb-ccid-move-header-size-check.patch
new file mode 100644
index 0000000..ac197eb
--- /dev/null
+++ b/SOURCES/kvm-usb-ccid-move-header-size-check.patch
@@ -0,0 +1,64 @@
+From 6116e5c19a7623b2543fbd937970da9a6e0e1ce7 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Tue, 14 Mar 2017 08:52:55 +0100
+Subject: [PATCH 22/24] usb-ccid: move header size check
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: <1489481576-26911-4-git-send-email-kraxel@redhat.com>
+Patchwork-id: 74285
+O-Subject: [RHEL-7.4 qemu-kvm PATCH 3/4] usb-ccid: move header size check
+Bugzilla: 1419818
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+Move up header size check, so we can use header fields in sanity checks
+(in followup patches).  Also reword the debug message.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-id: 1487250819-23764-3-git-send-email-kraxel@redhat.com
+(cherry picked from commit 7569c54642e8aa9fa03e250c7c578bd4d3747f00)
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ hw/usb/dev-smartcard-reader.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/hw/usb/dev-smartcard-reader.c b/hw/usb/dev-smartcard-reader.c
+index 672a7bf..07d15ba 100644
+--- a/hw/usb/dev-smartcard-reader.c
++++ b/hw/usb/dev-smartcard-reader.c
+@@ -1001,21 +1001,20 @@ static void ccid_handle_bulk_out(USBCCIDState *s, USBPacket *p)
+     if (p->iov.size + s->bulk_out_pos > BULK_OUT_DATA_SIZE) {
+         goto err;
+     }
+-    ccid_header = (CCID_Header *)s->bulk_out_data;
+     usb_packet_copy(p, s->bulk_out_data + s->bulk_out_pos, p->iov.size);
+     s->bulk_out_pos += p->iov.size;
++    if (s->bulk_out_pos < 10) {
++        DPRINTF(s, 1, "%s: header incomplete\n", __func__);
++        goto err;
++    }
++
++    ccid_header = (CCID_Header *)s->bulk_out_data;
+     if (p->iov.size == CCID_MAX_PACKET_SIZE) {
+         DPRINTF(s, D_VERBOSE,
+             "usb-ccid: bulk_in: expecting more packets (%zd/%d)\n",
+             p->iov.size, ccid_header->dwLength);
+         return;
+     }
+-    if (s->bulk_out_pos < 10) {
+-        DPRINTF(s, 1,
+-                "%s: bad USB_TOKEN_OUT length, should be at least 10 bytes\n",
+-                __func__);
+-        goto err;
+-    }
+ 
+     DPRINTF(s, D_MORE_INFO, "%s %x %s\n", __func__,
+             ccid_header->bMessageType,
+-- 
+1.8.3.1
+
diff --git a/SOURCES/kvm-vhdx-Fix-zero-fill-iov-length.patch b/SOURCES/kvm-vhdx-Fix-zero-fill-iov-length.patch
new file mode 100644
index 0000000..d0fdca3
--- /dev/null
+++ b/SOURCES/kvm-vhdx-Fix-zero-fill-iov-length.patch
@@ -0,0 +1,57 @@
+From a7cfda7b304697450f0a55c22f4459b25999e9c5 Mon Sep 17 00:00:00 2001
+From: Max Reitz <mreitz@redhat.com>
+Date: Mon, 13 Mar 2017 17:47:05 +0100
+Subject: [PATCH 17/24] vhdx: Fix zero-fill iov length
+
+RH-Author: Max Reitz <mreitz@redhat.com>
+Message-id: <20170313174706.29316-2-mreitz@redhat.com>
+Patchwork-id: 74279
+O-Subject: [RHEL-7.4 qemu-kvm PATCH 8/9] vhdx: Fix zero-fill iov length
+Bugzilla: 1427176
+RH-Acked-by: Fam Zheng <famz@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
+
+From: Kevin Wolf <kwolf@redhat.com>
+
+Fix the length of the zero-fill for the back, which was accidentally
+using the same value as for the front. This is caught by qemu-iotests
+033.
+
+For consistency, change the code for the front as well to use the length
+stored in the iov (it is the same value, copied four lines above).
+
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+Acked-by: Jeff Cody <jcody@redhat.com>
+(cherry picked from commit d1a126c53ddc563b7b731cee013e0362f7a5f22f)
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ block/vhdx.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/block/vhdx.c b/block/vhdx.c
+index 21ad6ad..47a872d 100644
+--- a/block/vhdx.c
++++ b/block/vhdx.c
+@@ -1247,7 +1247,7 @@ static coroutine_fn int vhdx_co_writev(BlockDriverState *bs, int64_t sector_num,
+                         iov1.iov_base = qemu_blockalign(bs, iov1.iov_len);
+                         memset(iov1.iov_base, 0, iov1.iov_len);
+                         qemu_iovec_concat_iov(&hd_qiov, &iov1, 1, 0,
+-                                              sinfo.block_offset);
++                                              iov1.iov_len);
+                         sectors_to_write += iov1.iov_len >> BDRV_SECTOR_BITS;
+                     }
+ 
+@@ -1263,7 +1263,7 @@ static coroutine_fn int vhdx_co_writev(BlockDriverState *bs, int64_t sector_num,
+                         iov2.iov_base = qemu_blockalign(bs, iov2.iov_len);
+                         memset(iov2.iov_base, 0, iov2.iov_len);
+                         qemu_iovec_concat_iov(&hd_qiov, &iov2, 1, 0,
+-                                              sinfo.block_offset);
++                                              iov2.iov_len);
+                         sectors_to_write += iov2.iov_len >> BDRV_SECTOR_BITS;
+                     }
+                 }
+-- 
+1.8.3.1
+
diff --git a/SOURCES/kvm-virtio-add-virtqueue_rewind.patch b/SOURCES/kvm-virtio-add-virtqueue_rewind.patch
index 1915e93..a5d98d3 100644
--- a/SOURCES/kvm-virtio-add-virtqueue_rewind.patch
+++ b/SOURCES/kvm-virtio-add-virtqueue_rewind.patch
@@ -1,4 +1,4 @@
-From f7d6a76475d29e0edb5456e62492117b87f4bc41 Mon Sep 17 00:00:00 2001
+From 6b2d5dafa9847ce29e5cddeb369b35db5ce076b1 Mon Sep 17 00:00:00 2001
 From: Ladi Prosek <lprosek@redhat.com>
 Date: Thu, 10 Nov 2016 23:00:50 +0100
 Subject: [PATCH 7/8] virtio: add virtqueue_rewind()
@@ -7,7 +7,7 @@ RH-Author: Ladi Prosek <lprosek@redhat.com>
 Message-id: <1478797251-10302-1-git-send-email-lprosek@redhat.com>
 Patchwork-id: 72818
 O-Subject: [PATCH v2 7/6] virtio: add virtqueue_rewind()
-Bugzilla: 1393484
+Bugzilla: 1377968
 RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
 RH-Acked-by: Michael S. Tsirkin <mst@redhat.com>
 RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
diff --git a/SOURCES/kvm-virtio-balloon-discard-virtqueue-element-on-reset.patch b/SOURCES/kvm-virtio-balloon-discard-virtqueue-element-on-reset.patch
index a076d4e..2c37b1d 100644
--- a/SOURCES/kvm-virtio-balloon-discard-virtqueue-element-on-reset.patch
+++ b/SOURCES/kvm-virtio-balloon-discard-virtqueue-element-on-reset.patch
@@ -1,4 +1,4 @@
-From a1c91f04449eea0e678aeef78914213f092b7a19 Mon Sep 17 00:00:00 2001
+From 2c71eba27413f9b34610cee3f6b16b0678f4d102 Mon Sep 17 00:00:00 2001
 From: Ladi Prosek <lprosek@redhat.com>
 Date: Wed, 5 Oct 2016 17:22:27 +0200
 Subject: [PATCH 5/8] virtio-balloon: discard virtqueue element on reset
@@ -7,7 +7,7 @@ RH-Author: Ladi Prosek <lprosek@redhat.com>
 Message-id: <1475666548-9186-6-git-send-email-lprosek@redhat.com>
 Patchwork-id: 72484
 O-Subject: [RHEL-7.4 qemu-kvm v2 PATCH 5/6] virtio-balloon: discard virtqueue element on reset
-Bugzilla: 1393484
+Bugzilla: 1377968
 RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
 RH-Acked-by: Michael S. Tsirkin <mst@redhat.com>
 RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
diff --git a/SOURCES/kvm-virtio-balloon-fix-stats-vq-migration.patch b/SOURCES/kvm-virtio-balloon-fix-stats-vq-migration.patch
index bd3b2e7..38c7762 100644
--- a/SOURCES/kvm-virtio-balloon-fix-stats-vq-migration.patch
+++ b/SOURCES/kvm-virtio-balloon-fix-stats-vq-migration.patch
@@ -1,4 +1,4 @@
-From 6d5c0e0e98907244d72e7828337d7ff6160b6b80 Mon Sep 17 00:00:00 2001
+From 92a638cb3b0601746d47b4a443762fe71bb21431 Mon Sep 17 00:00:00 2001
 From: Ladi Prosek <lprosek@redhat.com>
 Date: Thu, 10 Nov 2016 23:00:51 +0100
 Subject: [PATCH 8/8] virtio-balloon: fix stats vq migration
@@ -7,7 +7,7 @@ RH-Author: Ladi Prosek <lprosek@redhat.com>
 Message-id: <1478797251-10302-2-git-send-email-lprosek@redhat.com>
 Patchwork-id: 72819
 O-Subject: [PATCH v2 8/6] virtio-balloon: fix stats vq migration
-Bugzilla: 1393484
+Bugzilla: 1377968
 RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
 RH-Acked-by: Michael S. Tsirkin <mst@redhat.com>
 RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
diff --git a/SOURCES/kvm-virtio-blk-Release-s-rq-queue-at-system_reset.patch b/SOURCES/kvm-virtio-blk-Release-s-rq-queue-at-system_reset.patch
index a58ed36..f730a9a 100644
--- a/SOURCES/kvm-virtio-blk-Release-s-rq-queue-at-system_reset.patch
+++ b/SOURCES/kvm-virtio-blk-Release-s-rq-queue-at-system_reset.patch
@@ -1,16 +1,16 @@
-From cc9a8ce29ba364abcf019f6fe44b218255b9e4d7 Mon Sep 17 00:00:00 2001
+From 200748826a6069c31f5004dde00614675bac659b Mon Sep 17 00:00:00 2001
 From: Fam Zheng <famz@redhat.com>
-Date: Wed, 8 Feb 2017 07:05:34 +0100
-Subject: [PATCH 1/8] virtio-blk: Release s->rq queue at system_reset
+Date: Tue, 7 Feb 2017 09:21:53 +0100
+Subject: [PATCH 02/11] virtio-blk: Release s->rq queue at system_reset
 
 RH-Author: Fam Zheng <famz@redhat.com>
-Message-id: <20170208070534.10571-1-famz@redhat.com>
-Patchwork-id: 73642
-O-Subject: [RHEL-7.3.z qemu-kvm PATCH] virtio-blk: Release s->rq queue at system_reset
-Bugzilla: 1420049
-RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+Message-id: <20170207092153.8331-1-famz@redhat.com>
+Patchwork-id: 73553
+O-Subject: [RHEL-7.4 qemu-kvm PATCH] virtio-blk: Release s->rq queue at system_reset
+Bugzilla: 1361488
 RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
-RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
 
 At system_reset, there is no point in retrying the queued request,
 because the driver that issued the request won't be around any more.
diff --git a/SOURCES/kvm-virtio-decrement-vq-inuse-in-virtqueue_discard.patch b/SOURCES/kvm-virtio-decrement-vq-inuse-in-virtqueue_discard.patch
index 1822127..949fd97 100644
--- a/SOURCES/kvm-virtio-decrement-vq-inuse-in-virtqueue_discard.patch
+++ b/SOURCES/kvm-virtio-decrement-vq-inuse-in-virtqueue_discard.patch
@@ -1,4 +1,4 @@
-From c24e1c927bad95d84e0ffab665baff98d91fb916 Mon Sep 17 00:00:00 2001
+From bf7aa4bb11e9991a3d5a1007dbe52dd0ac6dae99 Mon Sep 17 00:00:00 2001
 From: Ladi Prosek <lprosek@redhat.com>
 Date: Wed, 5 Oct 2016 17:22:25 +0200
 Subject: [PATCH 3/8] virtio: decrement vq->inuse in virtqueue_discard()
@@ -7,7 +7,7 @@ RH-Author: Ladi Prosek <lprosek@redhat.com>
 Message-id: <1475666548-9186-4-git-send-email-lprosek@redhat.com>
 Patchwork-id: 72482
 O-Subject: [RHEL-7.4 qemu-kvm v2 PATCH 3/6] virtio: decrement vq->inuse in virtqueue_discard()
-Bugzilla: 1393484
+Bugzilla: 1377968
 RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
 RH-Acked-by: Michael S. Tsirkin <mst@redhat.com>
 RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
diff --git a/SOURCES/kvm-virtio-introduce-virtqueue_discard.patch b/SOURCES/kvm-virtio-introduce-virtqueue_discard.patch
index 8f233c6..ee5aedc 100644
--- a/SOURCES/kvm-virtio-introduce-virtqueue_discard.patch
+++ b/SOURCES/kvm-virtio-introduce-virtqueue_discard.patch
@@ -1,4 +1,4 @@
-From b5c6f7a910c5c16ac34ef2436d0a56991e0166e3 Mon Sep 17 00:00:00 2001
+From 06ca4cab12a4216d40c297d8a79c83a4df4dd80e Mon Sep 17 00:00:00 2001
 From: Ladi Prosek <lprosek@redhat.com>
 Date: Wed, 5 Oct 2016 17:22:24 +0200
 Subject: [PATCH 2/8] virtio: introduce virtqueue_discard()
@@ -7,7 +7,7 @@ RH-Author: Ladi Prosek <lprosek@redhat.com>
 Message-id: <1475666548-9186-3-git-send-email-lprosek@redhat.com>
 Patchwork-id: 72481
 O-Subject: [RHEL-7.4 qemu-kvm v2 PATCH 2/6] virtio: introduce virtqueue_discard()
-Bugzilla: 1393484
+Bugzilla: 1377968
 RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
 RH-Acked-by: Michael S. Tsirkin <mst@redhat.com>
 RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
diff --git a/SOURCES/kvm-virtio-introduce-virtqueue_unmap_sg.patch b/SOURCES/kvm-virtio-introduce-virtqueue_unmap_sg.patch
index 77d40c9..bd3e621 100644
--- a/SOURCES/kvm-virtio-introduce-virtqueue_unmap_sg.patch
+++ b/SOURCES/kvm-virtio-introduce-virtqueue_unmap_sg.patch
@@ -1,4 +1,4 @@
-From fc6f666f00182fe587068bd45e4e9e6d135d03fb Mon Sep 17 00:00:00 2001
+From 9d3ccec3b8323f7cfbce932f8c6530aa4105ba02 Mon Sep 17 00:00:00 2001
 From: Ladi Prosek <lprosek@redhat.com>
 Date: Wed, 5 Oct 2016 17:22:23 +0200
 Subject: [PATCH 1/8] virtio: introduce virtqueue_unmap_sg()
@@ -7,7 +7,7 @@ RH-Author: Ladi Prosek <lprosek@redhat.com>
 Message-id: <1475666548-9186-2-git-send-email-lprosek@redhat.com>
 Patchwork-id: 72480
 O-Subject: [RHEL-7.4 qemu-kvm v2 PATCH 1/6] virtio: introduce virtqueue_unmap_sg()
-Bugzilla: 1393484
+Bugzilla: 1377968
 RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
 RH-Acked-by: Michael S. Tsirkin <mst@redhat.com>
 RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
diff --git a/SOURCES/kvm-virtio-zero-vq-inuse-in-virtio_reset.patch b/SOURCES/kvm-virtio-zero-vq-inuse-in-virtio_reset.patch
index e231a0a..6c4eb84 100644
--- a/SOURCES/kvm-virtio-zero-vq-inuse-in-virtio_reset.patch
+++ b/SOURCES/kvm-virtio-zero-vq-inuse-in-virtio_reset.patch
@@ -1,4 +1,4 @@
-From e3e5226d8ed3907bb818eb8db74175c08c011459 Mon Sep 17 00:00:00 2001
+From f5f0d9ed92f4ba1ea746529ccc945cf60d4973c8 Mon Sep 17 00:00:00 2001
 From: Ladi Prosek <lprosek@redhat.com>
 Date: Wed, 5 Oct 2016 17:22:28 +0200
 Subject: [PATCH 6/8] virtio: zero vq->inuse in virtio_reset()
@@ -7,7 +7,7 @@ RH-Author: Ladi Prosek <lprosek@redhat.com>
 Message-id: <1475666548-9186-7-git-send-email-lprosek@redhat.com>
 Patchwork-id: 72485
 O-Subject: [RHEL-7.4 qemu-kvm v2 PATCH 6/6] virtio: zero vq->inuse in virtio_reset()
-Bugzilla: 1393484
+Bugzilla: 1377968
 RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
 RH-Acked-by: Michael S. Tsirkin <mst@redhat.com>
 RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
diff --git a/SOURCES/kvm-vl-Don-t-silently-change-topology-when-all-smp-optio.patch b/SOURCES/kvm-vl-Don-t-silently-change-topology-when-all-smp-optio.patch
new file mode 100644
index 0000000..8d9d72f
--- /dev/null
+++ b/SOURCES/kvm-vl-Don-t-silently-change-topology-when-all-smp-optio.patch
@@ -0,0 +1,57 @@
+From 1f9218a32773bb616f65f581f3a6b22699b2f6be Mon Sep 17 00:00:00 2001
+From: Eduardo Habkost <ehabkost@redhat.com>
+Date: Tue, 27 Dec 2016 20:43:20 +0100
+Subject: [PATCH 2/4] vl: Don't silently change topology when all -smp options
+ were set
+
+RH-Author: Eduardo Habkost <ehabkost@redhat.com>
+Message-id: <1482871400-24971-1-git-send-email-ehabkost@redhat.com>
+Patchwork-id: 73103
+O-Subject: [RHEL-7.4 qemu-kvm PATCH] vl: Don't silently change topology when all -smp options were set
+Bugzilla: 1375507
+RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
+RH-Acked-by: Andrew Jones <drjones@redhat.com>
+RH-Acked-by: David Hildenbrand <david@redhat.com>
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1375507
+
+QEMU tries to change the "threads" option even if it was explicitly set
+in the command-line, and it shouldn't do that.
+
+The right thing to do when all options (cpus, sockets, cores, threds)
+are explicitly set is to sanity check them and abort in case they don't
+make sense (i.e. when sockets*cores*threads < cpus).
+
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+Reviewed-by: Andrew Jones <drjones@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit ec2cbbdd80463efd4bc81a9d1362a2acb3097a21)
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ vl.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/vl.c b/vl.c
+index 9756361..7c34b7c 100644
+--- a/vl.c
++++ b/vl.c
+@@ -1393,8 +1393,14 @@ static void smp_parse(const char *optarg)
+         if (cores == 0) {
+             threads = threads > 0 ? threads : 1;
+             cores = smp / (sockets * threads);
+-        } else {
++        } else if (threads == 0) {
+             threads = smp / (cores * sockets);
++        } else if (sockets * cores * threads < smp) {
++            fprintf(stderr, "cpu topology: error: "
++                    "sockets (%u) * cores (%u) * threads (%u) < "
++                    "smp_cpus (%u)\n",
++                    sockets, cores, threads, smp);
++            exit(1);
+         }
+     }
+     smp_cpus = smp;
+-- 
+1.8.3.1
+
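Review bot: The new `sockets * cores * threads < smp` check in smp_parse() only runs when all three values were given, so the two branches above it that derive `cores` or `threads` by integer division are never validated. A truncating division such as `threads = smp / (cores * sockets);` can leave the product below `smp`, or the derived value at 0, without any error. Consider closing the inner if/else chain first and then running `if (sockets * cores * threads < smp) {` as a standalone check, instead of as the final `else if`. The `%u` format suggests the product is computed in unsigned arithmetic, so very large values could wrap before the comparison; that is inferred, since the declarations are outside the hunk. smp_parse() starts and ends outside the hunk.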
diff --git a/SOURCES/kvm-vnc-fix-memory-corruption-CVE-2015-5225.patch b/SOURCES/kvm-vnc-fix-memory-corruption-CVE-2015-5225.patch
new file mode 100644
index 0000000..0808fa3
--- /dev/null
+++ b/SOURCES/kvm-vnc-fix-memory-corruption-CVE-2015-5225.patch
@@ -0,0 +1,93 @@
+From e543257370cce5153bbcf0085a116e6aa4a6d91b Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Wed, 22 Feb 2017 12:36:25 +0100
+Subject: [PATCH 07/24] vnc: fix memory corruption (CVE-2015-5225)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: <1487766986-6329-8-git-send-email-kraxel@redhat.com>
+Patchwork-id: 73978
+O-Subject: [RHEL-7.4 qemu-kvm PATCH 7/8] vnc: fix memory corruption (CVE-2015-5225)
+Bugzilla: 1377977
+RH-Acked-by: Thomas Huth <thuth@redhat.com>
+RH-Acked-by: Marc-André Lureau <mlureau@redhat.com>
+RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+
+The _cmp_bytes variable added by commit "bea60dd ui/vnc: fix potential
+memory corruption issues" can become negative.  Result is (possibly
+exploitable) memory corruption.  Reason for that is it uses the stride
+instead of bytes per scanline to apply limits.
+
+For the server surface is is actually fine.  vnc creates that itself,
+there is never any padding and thus scanline length always equals stride.
+
+For the guest surface scanline length and stride are typically identical
+too, but it doesn't has to be that way.  So add and use a new variable
+(guest_ll) for the guest scanline length.  Also rename min_stride to
+line_bytes to make more clear what it actually is.  Finally sprinkle
+in an assert() to make sure we never use a negative _cmp_bytes again.
+
+Reported-by: 范祚至(库特) <zuozhi.fzz@alibaba-inc.com>
+Reviewed-by: P J P <ppandit@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit eb8934b0418b3b1d125edddc4fc334a54334a49b)
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ ui/vnc.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/ui/vnc.c b/ui/vnc.c
+index 80b7792..d0ada7e 100644
+--- a/ui/vnc.c
++++ b/ui/vnc.c
+@@ -2676,7 +2676,7 @@ static int vnc_refresh_server_surface(VncDisplay *vd)
+                     pixman_image_get_width(vd->server));
+     int height = MIN(pixman_image_get_height(vd->guest.fb),
+                      pixman_image_get_height(vd->server));
+-    int cmp_bytes, server_stride, min_stride, guest_stride, y = 0;
++    int cmp_bytes, server_stride, line_bytes, guest_ll, guest_stride, y = 0;
+     uint8_t *guest_row0 = NULL, *server_row0;
+     VncState *vs;
+     int has_dirty = 0;
+@@ -2695,17 +2695,21 @@ static int vnc_refresh_server_surface(VncDisplay *vd)
+      * Update server dirty map.
+      */
+     server_row0 = (uint8_t *)pixman_image_get_data(vd->server);
+-    server_stride = guest_stride = pixman_image_get_stride(vd->server);
++    server_stride = guest_stride = guest_ll =
++        pixman_image_get_stride(vd->server);
+     cmp_bytes = MIN(VNC_DIRTY_PIXELS_PER_BIT * VNC_SERVER_FB_BYTES,
+                     server_stride);
+     if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
+         int width = pixman_image_get_width(vd->server);
+         tmpbuf = qemu_pixman_linebuf_create(VNC_SERVER_FB_FORMAT, width);
+     } else {
++        int guest_bpp =
++            PIXMAN_FORMAT_BPP(pixman_image_get_format(vd->guest.fb));
+         guest_row0 = (uint8_t *)pixman_image_get_data(vd->guest.fb);
+         guest_stride = pixman_image_get_stride(vd->guest.fb);
++        guest_ll = pixman_image_get_width(vd->guest.fb) * ((guest_bpp + 7) / 8);
+     }
+-    min_stride = MIN(server_stride, guest_stride);
++    line_bytes = MIN(server_stride, guest_ll);
+ 
+     for (;;) {
+         int x;
+@@ -2736,9 +2740,10 @@ static int vnc_refresh_server_surface(VncDisplay *vd)
+             if (!test_and_clear_bit(x, vd->guest.dirty[y])) {
+                 continue;
+             }
+-            if ((x + 1) * cmp_bytes > min_stride) {
+-                _cmp_bytes = min_stride - x * cmp_bytes;
++            if ((x + 1) * cmp_bytes > line_bytes) {
++                _cmp_bytes = line_bytes - x * cmp_bytes;
+             }
++            assert(_cmp_bytes >= 0);
+             if (memcmp(server_ptr, guest_ptr, _cmp_bytes) == 0) {
+                 continue;
+             }
+-- 
+1.8.3.1
+
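Review bot: In the last ui/vnc.c hunk, `assert(_cmp_bytes >= 0);` is the only guard between a negative length and `memcmp()`; an assert disappears when the build defines NDEBUG and otherwise aborts the whole QEMU process. The commit message describes the guest surface geometry as the source of the problem, so an explicit runtime bound that does not depend on assertions would be more robust, for example `if (_cmp_bytes < 0) { continue; }` before the comparison. Whether skipping the block is the right reaction needs checking against the loop, which is only partly visible. Separately, `guest_ll = pixman_image_get_width(vd->guest.fb) * ((guest_bpp + 7) / 8);` is an `int` multiplication with no range check, so a comment stating the width limit that keeps it safe would help. vnc_refresh_server_surface() extends beyond the hunks shown.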
diff --git a/SOURCES/kvm-vnc-fix-overflow-in-vnc_update_stats.patch b/SOURCES/kvm-vnc-fix-overflow-in-vnc_update_stats.patch
new file mode 100644
index 0000000..db0c181
--- /dev/null
+++ b/SOURCES/kvm-vnc-fix-overflow-in-vnc_update_stats.patch
@@ -0,0 +1,56 @@
+From 8c2d53ffb72c574d0c81e2c86115a18598e66c65 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Wed, 22 Feb 2017 12:36:26 +0100
+Subject: [PATCH 08/24] vnc: fix overflow in vnc_update_stats
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: <1487766986-6329-9-git-send-email-kraxel@redhat.com>
+Patchwork-id: 73975
+O-Subject: [RHEL-7.4 qemu-kvm PATCH 8/8] vnc: fix overflow in vnc_update_stats
+Bugzilla: 1377977
+RH-Acked-by: Thomas Huth <thuth@redhat.com>
+RH-Acked-by: Marc-André Lureau <mlureau@redhat.com>
+RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+
+Commit "bea60dd ui/vnc: fix potential memory corruption issues" is
+incomplete.  vnc_update_stats must calculate width and height the same
+way vnc_refresh_server_surface does it, to make sure we don't use width
+and height values larger than the qemu vnc server can handle.
+
+Commit "e22492d ui/vnc: disable adaptive update calculations if not
+needed" masks the issue in the default configuration.  It triggers only
+in case the "lossy" option is set to "on" (default is "off").
+
+Cc: Marc-André Lureau <marcandre.lureau@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-id: 1485248428-575-1-git-send-email-kraxel@redhat.com
+(cherry picked from commit eebe0b7905642a986cbce7406d6ab7bf78f3e210)
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ ui/vnc.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/ui/vnc.c b/ui/vnc.c
+index d0ada7e..b68918e 100644
+--- a/ui/vnc.c
++++ b/ui/vnc.c
+@@ -2581,8 +2581,10 @@ static int vnc_refresh_lossy_rect(VncDisplay *vd, int x, int y)
+ 
+ static int vnc_update_stats(VncDisplay *vd,  struct timeval * tv)
+ {
+-    int width = pixman_image_get_width(vd->guest.fb);
+-    int height = pixman_image_get_height(vd->guest.fb);
++    int width = MIN(pixman_image_get_width(vd->guest.fb),
++                    pixman_image_get_width(vd->server));
++    int height = MIN(pixman_image_get_height(vd->guest.fb),
++                     pixman_image_get_height(vd->server));
+     int x, y;
+     struct timeval res;
+     int has_dirty = 0;
+-- 
+1.8.3.1
+
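Review bot: The width/height clamp added to vnc_update_stats() is a second hand-written copy of the `MIN(...)` pair in vnc_refresh_server_surface(), and the commit message itself says the two must be computed the same way. Nothing in the code ties them together, so a later change to one can silently leave the other unclamped again. Either factor the pair into a small static helper used by both functions, or at least add a comment above the new lines such as `/* keep in sync with the clamp in vnc_refresh_server_surface() */`. Because the message says the issue triggers only with `lossy` set to `on`, a test run with that option is needed to exercise this change. The function body continues outside the hunk.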
diff --git a/SOURCES/kvm-x86-add-AVX512_4VNNIW-and-AVX512_4FMAPS-features.patch b/SOURCES/kvm-x86-add-AVX512_4VNNIW-and-AVX512_4FMAPS-features.patch
new file mode 100644
index 0000000..1035dbe
--- /dev/null
+++ b/SOURCES/kvm-x86-add-AVX512_4VNNIW-and-AVX512_4FMAPS-features.patch
@@ -0,0 +1,174 @@
+From 7b43b5139f8e919203d3ed20fbba6cb143fde6d7 Mon Sep 17 00:00:00 2001
+From: Eduardo Habkost <ehabkost@redhat.com>
+Date: Thu, 23 Feb 2017 14:29:32 +0100
+Subject: [PATCH 02/17] x86: add AVX512_4VNNIW and AVX512_4FMAPS features
+
+RH-Author: Eduardo Habkost <ehabkost@redhat.com>
+Message-id: <20170223142945.17790-2-ehabkost@redhat.com>
+Patchwork-id: 74033
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v2 01/14] x86: add AVX512_4VNNIW and AVX512_4FMAPS features
+Bugzilla: 1382122
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+From: Luwei Kang <luwei.kang@intel.com>
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1382122
+
+The spec can be found in Intel Software Developer Manual or in
+Instruction Set Extensions Programming Reference.
+
+Backport notes:
+
+Changes v1 -> v2:
+* Fixed build error, moved feat_names to a separate static array
+  variable
+* Fixed backport mistakes (I had forgotten to add
+  features[FEAT_7_0_EDX] initialization and filtering code)
+
+Signed-off-by: Piotr Luc <piotr.luc@intel.com>
+Signed-off-by: Luwei Kang <luwei.kang@intel.com>
+Message-Id: <1477902446-5932-1-git-send-email-he.chen@linux.intel.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 95ea69fb46266aaa46d0c8b7f0ba8c4903dbe4e3)
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ target-i386/cpu.c | 31 ++++++++++++++++++++++++++++++-
+ target-i386/cpu.h |  4 ++++
+ 2 files changed, 34 insertions(+), 1 deletion(-)
+
+diff --git a/target-i386/cpu.c b/target-i386/cpu.c
+index c3c8306..789e687 100644
+--- a/target-i386/cpu.c
++++ b/target-i386/cpu.c
+@@ -165,6 +165,17 @@ static const char *cpuid_7_0_ecx_feature_name[] = {
+     NULL, NULL, NULL, NULL,
+ };
+ 
++static const char *cpuid_7_0_edx_feature_name[] = {
++    NULL, NULL, "avx512-4vnniw", "avx512-4fmaps",
++    NULL, NULL, NULL, NULL,
++    NULL, NULL, NULL, NULL,
++    NULL, NULL, NULL, NULL,
++    NULL, NULL, NULL, NULL,
++    NULL, NULL, NULL, NULL,
++    NULL, NULL, NULL, NULL,
++    NULL, NULL, NULL, NULL,
++};
++
+ static const char *cpuid_xsave_feature_name[] = {
+     "xsaveopt", "xsavec", "xgetbv1", NULL,
+     NULL, NULL, NULL, NULL,
+@@ -225,6 +236,12 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
+         .cpuid_needs_ecx = true, .cpuid_ecx = 0,
+         .cpuid_reg = R_ECX,
+     },
++    [FEAT_7_0_EDX] = {
++        .feat_names = cpuid_7_0_edx_feature_name,
++        .cpuid_eax = 7,
++        .cpuid_needs_ecx = true, .cpuid_ecx = 0,
++        .cpuid_reg = R_EDX,
++    },
+     [FEAT_XSAVE] = {
+         .feat_names = cpuid_xsave_feature_name,
+         .cpuid_eax = 0xd,
+@@ -484,6 +501,7 @@ typedef struct x86_def_t {
+           CPUID_7_0_EBX_ERMS, CPUID_7_0_EBX_INVPCID, CPUID_7_0_EBX_RTM,
+           CPUID_7_0_EBX_RDSEED */
+ #define TCG_7_0_ECX_FEATURES 0
++#define TCG_7_0_EDX_FEATURES 0
+ 
+ /* built-in CPU model definitions
+  */
+@@ -1254,9 +1272,12 @@ static void kvm_cpu_fill_host(x86_def_t *x86_cpu_def)
+                     kvm_arch_get_supported_cpuid(s, 0x7, 0, R_EBX);
+         x86_cpu_def->features[FEAT_7_0_ECX] =
+                     kvm_arch_get_supported_cpuid(s, 0x7, 0, R_ECX);
++        x86_cpu_def->features[FEAT_7_0_EDX] =
++                    kvm_arch_get_supported_cpuid(s, 0x7, 0, R_EDX);
+     } else {
+         x86_cpu_def->features[FEAT_7_0_EBX] = 0;
+         x86_cpu_def->features[FEAT_7_0_ECX] = 0;
++        x86_cpu_def->features[FEAT_7_0_EDX] = 0;
+     }
+     x86_cpu_def->features[FEAT_XSAVE] =
+                 kvm_arch_get_supported_cpuid(s, 0xd, 1, R_EAX);
+@@ -1343,6 +1364,9 @@ static int kvm_check_features_against_host(X86CPU *cpu)
+         {&env->features[FEAT_7_0_ECX],
+             &host_def.features[FEAT_7_0_ECX],
+             FEAT_7_0_ECX },
++        {&env->features[FEAT_7_0_EDX],
++            &host_def.features[FEAT_7_0_EDX],
++            FEAT_7_0_EDX },
+         {&env->features[FEAT_XSAVE],
+             &host_def.features[FEAT_XSAVE],
+             FEAT_XSAVE },
+@@ -1885,6 +1909,7 @@ static void cpu_x86_parse_featurestr(X86CPU *cpu, char *features, Error **errp)
+     env->features[FEAT_SVM] |= plus_features[FEAT_SVM];
+     env->features[FEAT_7_0_EBX] |= plus_features[FEAT_7_0_EBX];
+     env->features[FEAT_7_0_ECX] |= plus_features[FEAT_7_0_ECX];
++    env->features[FEAT_7_0_EDX] |= plus_features[FEAT_7_0_EDX];
+     env->features[FEAT_XSAVE] |= plus_features[FEAT_XSAVE];
+     env->features[FEAT_1_EDX] &= ~minus_features[FEAT_1_EDX];
+     env->features[FEAT_1_ECX] &= ~minus_features[FEAT_1_ECX];
+@@ -1895,6 +1920,7 @@ static void cpu_x86_parse_featurestr(X86CPU *cpu, char *features, Error **errp)
+     env->features[FEAT_SVM] &= ~minus_features[FEAT_SVM];
+     env->features[FEAT_7_0_EBX] &= ~minus_features[FEAT_7_0_EBX];
+     env->features[FEAT_7_0_ECX] &= ~minus_features[FEAT_7_0_ECX];
++    env->features[FEAT_7_0_EDX] &= ~minus_features[FEAT_7_0_EDX];
+     env->features[FEAT_XSAVE] &= ~minus_features[FEAT_XSAVE];
+ 
+ out:
+@@ -2032,6 +2058,7 @@ static void cpu_x86_register(X86CPU *cpu, const char *name, Error **errp)
+     env->features[FEAT_C000_0001_EDX] = def->features[FEAT_C000_0001_EDX];
+     env->features[FEAT_7_0_EBX] = def->features[FEAT_7_0_EBX];
+     env->features[FEAT_7_0_ECX] = def->features[FEAT_7_0_ECX];
++    env->features[FEAT_7_0_EDX] = def->features[FEAT_7_0_EDX];
+     env->features[FEAT_XSAVE] = def->features[FEAT_XSAVE];
+     env->cpuid_xlevel2 = def->xlevel2;
+ 
+@@ -2270,7 +2297,7 @@ void cpu_x86_cpuid(CPUX86State *env, uint32_t index, uint32_t count,
+             *eax = 0; /* Maximum ECX value for sub-leaves */
+             *ebx = env->features[FEAT_7_0_EBX]; /* Feature flags */
+             *ecx = env->features[FEAT_7_0_ECX]; /* Feature flags */
+-            *edx = 0; /* Reserved */
++            *edx = env->features[FEAT_7_0_EDX]; /* Feature flags */
+         } else {
+             *eax = 0;
+             *ebx = 0;
+@@ -2680,6 +2707,8 @@ static void x86_cpu_realizefn(DeviceState *dev, Error **errp)
+         env->features[FEAT_8000_0001_ECX] &= TCG_EXT3_FEATURES;
+         env->features[FEAT_SVM] &= TCG_SVM_FEATURES;
+         env->features[FEAT_XSAVE] = 0;
++        env->features[FEAT_7_0_ECX] &= TCG_7_0_ECX_FEATURES;
++        env->features[FEAT_7_0_EDX] &= TCG_7_0_EDX_FEATURES;
+     } else {
+         if ((cpu->check_cpuid || cpu->enforce_cpuid)
+             && kvm_check_features_against_host(cpu) && cpu->enforce_cpuid) {
+diff --git a/target-i386/cpu.h b/target-i386/cpu.h
+index d541809..eec5c49 100644
+--- a/target-i386/cpu.h
++++ b/target-i386/cpu.h
+@@ -401,6 +401,7 @@ typedef enum FeatureWord {
+     FEAT_1_ECX,         /* CPUID[1].ECX */
+     FEAT_7_0_EBX,       /* CPUID[EAX=7,ECX=0].EBX */
+     FEAT_7_0_ECX,       /* CPUID[EAX=7,ECX=0].ECX */
++    FEAT_7_0_EDX,       /* CPUID[EAX=7,ECX=0].EDX */
+     FEAT_8000_0001_EDX, /* CPUID[8000_0001].EDX */
+     FEAT_8000_0001_ECX, /* CPUID[8000_0001].ECX */
+     FEAT_C000_0001_EDX, /* CPUID[C000_0001].EDX */
+@@ -580,6 +581,9 @@ typedef uint32_t FeatureWordArray[FEATURE_WORDS];
+ #define CPUID_7_0_ECX_OSPKE    (1U << 4)
+ #define CPUID_7_0_ECX_RDPID    (1U << 22)
+ 
++#define CPUID_7_0_EDX_AVX512_4VNNIW (1U << 2) /* AVX512 Neural Network Instructions */
++#define CPUID_7_0_EDX_AVX512_4FMAPS (1U << 3) /* AVX512 Multiply Accumulation Single Precision */
++
+ #define CPUID_XSAVE_XSAVEOPT   (1U << 0)
+ #define CPUID_XSAVE_XSAVEC     (1U << 1)
+ #define CPUID_XSAVE_XGETBV1    (1U << 2)
+-- 
+1.8.3.1
+
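Review bot: `cpuid_7_0_edx_feature_name[]` is declared without a size and relies on exactly 32 hand-counted initialisers. If the lookup code indexes one entry per CPUID bit (not visible here), a short table would be read out of bounds. Declaring it as `static const char *cpuid_7_0_edx_feature_name[32] = {` lets the compiler reject extra entries and zero-fill missing ones. The neighbouring tables use the same unsized form, so the same applies to them. Separately, the x86_cpu_realizefn() hunk also starts masking `FEAT_7_0_ECX` with `TCG_7_0_ECX_FEATURES`, which the backport notes do not mention.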
diff --git a/SOURCES/kvm-x86-add-AVX512_VPOPCNTDQ-features.patch b/SOURCES/kvm-x86-add-AVX512_VPOPCNTDQ-features.patch
new file mode 100644
index 0000000..a0e2e5f
--- /dev/null
+++ b/SOURCES/kvm-x86-add-AVX512_VPOPCNTDQ-features.patch
@@ -0,0 +1,63 @@
+From 3a10799602b257d8d890965a1c3144476d8aa48d Mon Sep 17 00:00:00 2001
+From: "plai@redhat.com" <plai@redhat.com>
+Date: Mon, 13 Mar 2017 20:15:12 +0100
+Subject: [PATCH 19/24] x86: add AVX512_VPOPCNTDQ features
+
+RH-Author: plai@redhat.com
+Message-id: <1489436112-5802-2-git-send-email-plai@redhat.com>
+Patchwork-id: 74283
+O-Subject: [RHEL7.4 qemu-kvm BZ1415830 v2 RESEND] x86: add AVX512_VPOPCNTDQ features
+Bugzilla: 1415830
+RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>
+RH-Acked-by: David Hildenbrand <david@redhat.com>
+RH-Acked-by: Bandan Das <bsd@redhat.com>
+
+From: He Chen <he.chen@linux.intel.com>
+
+AVX512_VPOPCNTDQ: Vector POPCNT instructions for word and qwords.
+variable precision.
+
+Signed-off-by: He Chen <he.chen@linux.intel.com>
+Message-Id: <1484272411-28073-1-git-send-email-he.chen@linux.intel.com>
+Reviewed-by: Eduardo Habkost <ehabkost@redhat.com>
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+(cherry picked from commit f77543772dcd38fa438470d9b80bafbd3a3ebbd7)
+Signed-off-by: Paul Lai <plai@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+Conflicts:
+	target/i386/cpu.c -> changes applied to target-i386/cpu.c
+	target/i386/cpu.h -> changes applied to target-i386/cpu.h
+---
+ target-i386/cpu.c | 2 +-
+ target-i386/cpu.h | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/target-i386/cpu.c b/target-i386/cpu.c
+index 38056eb..33f0997 100644
+--- a/target-i386/cpu.c
++++ b/target-i386/cpu.c
+@@ -158,7 +158,7 @@ static const char *cpuid_7_0_ecx_feature_name[] = {
+     NULL, "avx512vbmi", NULL, NULL,
+     NULL, NULL, NULL, NULL,
+     NULL, NULL, NULL, NULL,
+-    NULL, NULL, NULL, NULL,
++    NULL, NULL, "avx512-vpopcntdq", NULL,
+     NULL, NULL, NULL, NULL,
+     NULL, NULL, NULL, NULL,
+     NULL, NULL, NULL, NULL,
+diff --git a/target-i386/cpu.h b/target-i386/cpu.h
+index eec5c49..f04deb4 100644
+--- a/target-i386/cpu.h
++++ b/target-i386/cpu.h
+@@ -579,6 +579,7 @@ typedef uint32_t FeatureWordArray[FEATURE_WORDS];
+ #define CPUID_7_0_ECX_UMIP     (1U << 2)
+ #define CPUID_7_0_ECX_PKU      (1U << 3)
+ #define CPUID_7_0_ECX_OSPKE    (1U << 4)
++#define CPUID_7_0_ECX_AVX512_VPOPCNTDQ (1U << 14) /* POPCNT for vectors of DW/QW */
+ #define CPUID_7_0_ECX_RDPID    (1U << 22)
+ 
+ #define CPUID_7_0_EDX_AVX512_4VNNIW (1U << 2) /* AVX512 Neural Network Instructions */
+-- 
+1.8.3.1
+
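Review bot: The bit number of `"avx512-vpopcntdq"` is implied only by its position in `cpuid_7_0_ecx_feature_name[]`, while the matching `(1U << 14)` lives in cpu.h, so a misplaced entry would expose the wrong CPUID bit under this name with no compile-time signal. A trailing comment on the changed row, e.g. `/* bits 12-15 */`, would make the correspondence checkable by eye. The array's opening line is outside the hunk, so the index should be confirmed against the full table. The commit text also disagrees with the macro comment ("word and qwords" versus `DW/QW`) and carries a stray "variable precision." line.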
diff --git a/SPECS/qemu-kvm.spec b/SPECS/qemu-kvm.spec
index 69085fe..fc54cb1 100644
--- a/SPECS/qemu-kvm.spec
+++ b/SPECS/qemu-kvm.spec
@@ -73,19 +73,16 @@ Provides: %1%{extra_provides_suffix} = %{epoch}:%{version}-%{release} \
 Obsoletes: %1 < %{obsoletes_version}                                      \
     %endif
 
-Summary: QEMU is a FAST! processor emulator
+Summary: QEMU is a machine emulator and virtualizer
 Name: %{pkgname}%{?pkgsuffix}
 Version: 1.5.3
-Release: 126%{?dist}.10
+Release: 141%{?dist}
 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
 Epoch: 10
 License: GPLv2+ and LGPLv2+ and BSD
 Group: Development/Tools
 URL: http://www.qemu.org/
-# RHEV will build Qemu only on x86_64:
-%if %{rhev}
-ExclusiveArch: %{power64} x86_64
-%endif
+ExclusiveArch: x86_64 %{power64} aarch64 s390x
 Requires: seabios-bin >= 1.7.2.2-5
 Requires: sgabios-bin
 Requires: seavgabios-bin
@@ -130,6 +127,7 @@ Source17: rhel6-ne2k_pci.rom
 Source18: bios-256k.bin
 Source19: README.rhel6-gpxe-source
 Source20: rhel6-e1000.rom
+Source21: sample_images.tar
 
 # libcacard build fixes (heading upstream)
 Patch1: 0000-libcacard-fix-missing-symbols-in-libcacard.so.patch
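Review bot: `Source21: sample_images.tar` adds an opaque binary archive to the package sources with no comment saying what it contains, where it was obtained, or which build step consumes it. For a tarball that cannot be reviewed in the diff, a provenance line above the entry helps later audits, e.g. `# sample_images.tar: <contents and origin, to be filled in by the packager>`. Its use in the build or test sections, if any, is outside this hunk.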
@@ -3388,114 +3386,219 @@ Patch1664: kvm-target-i386-Add-more-Intel-AVX-512-instructions-supp.patch
 Patch1665: kvm-nbd-server-Set-O_NONBLOCK-on-client-fd.patch
 # For bz#1376542 - RHSA-2016-1756 breaks migration of instances
 Patch1666: kvm-virtio-recalculate-vq-inuse-after-migration.patch
-# For bz#1393042 - system_reset should clear pending request for error (IDE)
-Patch1667: kvm-ide-fix-halted-IO-segfault-at-reset.patch
-# For bz#1392027 - shutdown rhel 5.11 guest failed and stop at "system halted"
-Patch1668: kvm-hw-i386-regenerate-checked-in-AML-payload-RHEL-only.patch
-# For bz#1393484 - [RHEL7.3] KVM guest shuts itself down after 128th reboot
-Patch1669: kvm-virtio-introduce-virtqueue_unmap_sg.patch
-# For bz#1393484 - [RHEL7.3] KVM guest shuts itself down after 128th reboot
-Patch1670: kvm-virtio-introduce-virtqueue_discard.patch
-# For bz#1393484 - [RHEL7.3] KVM guest shuts itself down after 128th reboot
-Patch1671: kvm-virtio-decrement-vq-inuse-in-virtqueue_discard.patch
-# For bz#1393484 - [RHEL7.3] KVM guest shuts itself down after 128th reboot
-Patch1672: kvm-balloon-fix-segfault-and-harden-the-stats-queue.patch
-# For bz#1393484 - [RHEL7.3] KVM guest shuts itself down after 128th reboot
-Patch1673: kvm-virtio-balloon-discard-virtqueue-element-on-reset.patch
-# For bz#1393484 - [RHEL7.3] KVM guest shuts itself down after 128th reboot
-Patch1674: kvm-virtio-zero-vq-inuse-in-virtio_reset.patch
-# For bz#1393484 - [RHEL7.3] KVM guest shuts itself down after 128th reboot
-Patch1675: kvm-virtio-add-virtqueue_rewind.patch
-# For bz#1393484 - [RHEL7.3] KVM guest shuts itself down after 128th reboot
-Patch1676: kvm-virtio-balloon-fix-stats-vq-migration.patch
-# For bz#1398217 - CVE-2016-2857 qemu-kvm: Qemu: net: out of bounds read in net_checksum_calculate() [rhel-7.3.z]
+# For bz#1377087 - shutdown rhel 5.11 guest failed and stop at "system halted"
+Patch1667: kvm-hw-i386-regenerate-checked-in-AML-payload-RHEL-only.patch
+# For bz#1377968 - [RHEL7.3] KVM guest shuts itself down after 128th reboot
+Patch1668: kvm-virtio-introduce-virtqueue_unmap_sg.patch
+# For bz#1377968 - [RHEL7.3] KVM guest shuts itself down after 128th reboot
+Patch1669: kvm-virtio-introduce-virtqueue_discard.patch
+# For bz#1377968 - [RHEL7.3] KVM guest shuts itself down after 128th reboot
+Patch1670: kvm-virtio-decrement-vq-inuse-in-virtqueue_discard.patch
+# For bz#1377968 - [RHEL7.3] KVM guest shuts itself down after 128th reboot
+Patch1671: kvm-balloon-fix-segfault-and-harden-the-stats-queue.patch
+# For bz#1377968 - [RHEL7.3] KVM guest shuts itself down after 128th reboot
+Patch1672: kvm-virtio-balloon-discard-virtqueue-element-on-reset.patch
+# For bz#1377968 - [RHEL7.3] KVM guest shuts itself down after 128th reboot
+Patch1673: kvm-virtio-zero-vq-inuse-in-virtio_reset.patch
+# For bz#1377968 - [RHEL7.3] KVM guest shuts itself down after 128th reboot
+Patch1674: kvm-virtio-add-virtqueue_rewind.patch
+# For bz#1377968 - [RHEL7.3] KVM guest shuts itself down after 128th reboot
+Patch1675: kvm-virtio-balloon-fix-stats-vq-migration.patch
+# For bz#1375507 - "threads" option is overwritten if both "sockets" and "cores" is set on -smp
+Patch1676: kvm-vl-Don-t-silently-change-topology-when-all-smp-optio.patch
+# For bz#1398218 - CVE-2016-2857 qemu-kvm: Qemu: net: out of bounds read in net_checksum_calculate() [rhel-7.4]
 Patch1677: kvm-net-check-packet-payload-length.patch
-# For bz#1420049 - system_reset should clear pending request for error (virtio-blk)
-Patch1678: kvm-virtio-blk-Release-s-rq-queue-at-system_reset.patch
-# For bz#1418232 - CVE-2017-2615 qemu-kvm: Qemu: display: cirrus: oob access while doing bitblt copy backward mode [rhel-7.3.z]
-Patch1679: kvm-cirrus_vga-fix-off-by-one-in-blit_region_is_unsafe.patch
-# For bz#1418232 - CVE-2017-2615 qemu-kvm: Qemu: display: cirrus: oob access while doing bitblt copy backward mode [rhel-7.3.z]
-Patch1680: kvm-display-cirrus-check-vga-bits-per-pixel-bpp-value.patch
-# For bz#1418232 - CVE-2017-2615 qemu-kvm: Qemu: display: cirrus: oob access while doing bitblt copy backward mode [rhel-7.3.z]
-Patch1681: kvm-display-cirrus-ignore-source-pitch-value-as-needed-i.patch
-# For bz#1418232 - CVE-2017-2615 qemu-kvm: Qemu: display: cirrus: oob access while doing bitblt copy backward mode [rhel-7.3.z]
-Patch1682: kvm-cirrus-handle-negative-pitch-in-cirrus_invalidate_re.patch
-# For bz#1418232 - CVE-2017-2615 qemu-kvm: Qemu: display: cirrus: oob access while doing bitblt copy backward mode [rhel-7.3.z]
-Patch1683: kvm-cirrus-allow-zero-source-pitch-in-pattern-fill-rops.patch
-# For bz#1418232 - CVE-2017-2615 qemu-kvm: Qemu: display: cirrus: oob access while doing bitblt copy backward mode [rhel-7.3.z]
-Patch1684: kvm-cirrus-fix-blit-address-mask-handling.patch
-# For bz#1418232 - CVE-2017-2615 qemu-kvm: Qemu: display: cirrus: oob access while doing bitblt copy backward mode [rhel-7.3.z]
-Patch1685: kvm-cirrus-fix-oob-access-issue-CVE-2017-2615.patch
-# For bz#1420490 - EMBARGOED CVE-2017-2620 qemu-kvm: Qemu: display: cirrus: potential arbitrary code execution via cirrus_bitblt_cputovideo [rhel-7.3.z]
-Patch1686: kvm-cirrus-fix-patterncopy-checks.patch
-# For bz#1420490 - EMBARGOED CVE-2017-2620 qemu-kvm: Qemu: display: cirrus: potential arbitrary code execution via cirrus_bitblt_cputovideo [rhel-7.3.z]
-Patch1687: kvm-Revert-cirrus-allow-zero-source-pitch-in-pattern-fil.patch
-# For bz#1420490 - EMBARGOED CVE-2017-2620 qemu-kvm: Qemu: display: cirrus: potential arbitrary code execution via cirrus_bitblt_cputovideo [rhel-7.3.z]
-Patch1688: kvm-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch
-# For bz#1430059 - CVE-2016-9603 qemu-kvm: Qemu: cirrus: heap buffer overflow via vnc connection [rhel-7.3.z]
-Patch1689: kvm-fix-cirrus_vga-fix-OOB-read-case-qemu-Segmentation-f.patch
-# For bz#1430059 - CVE-2016-9603 qemu-kvm: Qemu: cirrus: heap buffer overflow via vnc connection [rhel-7.3.z]
-Patch1690: kvm-cirrus-vnc-zap-bitblit-support-from-console-code.patch
-# For bz#1430059 - CVE-2016-9603 qemu-kvm: Qemu: cirrus: heap buffer overflow via vnc connection [rhel-7.3.z]
-Patch1691: kvm-cirrus-add-option-to-disable-blitter.patch
-# For bz#1430059 - CVE-2016-9603 qemu-kvm: Qemu: cirrus: heap buffer overflow via vnc connection [rhel-7.3.z]
-Patch1692: kvm-cirrus-fix-cirrus_invalidate_region.patch
-# For bz#1430059 - CVE-2016-9603 qemu-kvm: Qemu: cirrus: heap buffer overflow via vnc connection [rhel-7.3.z]
-Patch1693: kvm-cirrus-stop-passing-around-dst-pointers-in-the-blitt.patch
-# For bz#1430059 - CVE-2016-9603 qemu-kvm: Qemu: cirrus: heap buffer overflow via vnc connection [rhel-7.3.z]
-Patch1694: kvm-cirrus-stop-passing-around-src-pointers-in-the-blitt.patch
-# For bz#1430059 - CVE-2016-9603 qemu-kvm: Qemu: cirrus: heap buffer overflow via vnc connection [rhel-7.3.z]
-Patch1695: kvm-cirrus-fix-off-by-one-in-cirrus_bitblt_rop_bkwd_tran.patch
-# For bz#1452332 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
-Patch1696: kvm-char-serial-cosmetic-fixes.patch
-# For bz#1452332 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
-Patch1697: kvm-char-serial-Use-generic-Fifo8.patch
-# For bz#1452332 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
-Patch1698: kvm-char-serial-serial_ioport_write-Factor-out-common-co.patch
-# For bz#1452332 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
-Patch1699: kvm-char-serial-fix-copy-paste-error-fifo8_is_full-vs-em.patch
-# For bz#1452332 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
-Patch1700: kvm-char-serial-Fix-emptyness-check.patch
-# For bz#1452332 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
-Patch1701: kvm-char-serial-Fix-emptyness-handling.patch
-# For bz#1452332 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
-Patch1702: kvm-serial-poll-the-serial-console-with-G_IO_HUP.patch
-# For bz#1452332 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
-Patch1703: kvm-serial-change-retry-logic-to-avoid-concurrency.patch
-# For bz#1452332 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
-Patch1704: kvm-qemu-char-ignore-flow-control-if-a-PTY-s-slave-is-no.patch
-# For bz#1452332 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
-Patch1705: kvm-serial-check-if-backed-by-a-physical-serial-port-at-.patch
-# For bz#1452332 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
-Patch1706: kvm-serial-reset-thri_pending-on-IER-writes-with-THRI-0.patch
-# For bz#1452332 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
-Patch1707: kvm-serial-clean-up-THRE-TEMT-handling.patch
-# For bz#1452332 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
-Patch1708: kvm-serial-update-LSR-on-enabling-disabling-FIFOs.patch
-# For bz#1452332 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
-Patch1709: kvm-serial-only-resample-THR-interrupt-on-rising-edge-of.patch
-# For bz#1452332 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
-Patch1710: kvm-serial-make-tsr_retry-unsigned.patch
-# For bz#1452332 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
-Patch1711: kvm-serial-simplify-tsr_retry-reset.patch
-# For bz#1452332 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
-Patch1712: kvm-serial-separate-serial_xmit-and-serial_watch_cb.patch
-# For bz#1452332 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
-Patch1713: kvm-serial-remove-watch-on-reset.patch
-# For bz#1452332 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
-Patch1714: kvm-char-change-qemu_chr_fe_add_watch-to-return-unsigned.patch
-# For bz#1452332 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
-Patch1715: kvm-spice-fix-spice_chr_add_watch-pre-condition.patch
-# For bz#1460179 - CVE-2017-9524 qemu-kvm: Qemu: nbd: segmentation fault due to client non-negotiation [rhel-7.3.z]
-Patch1716: kvm-nbd-Fully-initialize-client-in-case-of-failed-negoti.patch
-# For bz#1460179 - CVE-2017-9524 qemu-kvm: Qemu: nbd: segmentation fault due to client non-negotiation [rhel-7.3.z]
-Patch1717: kvm-nbd-Fix-regression-on-resiliency-to-port-scan.patch
+# For bz#1342489 - Flickering Fedora 24 Login Screen on RHEL 7
+Patch1678: kvm-qxl-Only-emit-QXL_INTERRUPT_CLIENT_MONITORS_CONFIG-o.patch
+# For bz#1151859 - [RFE] Allow the libgfapi logging level to be controlled.
+Patch1679: kvm-gluster-correctly-propagate-errors.patch
+# For bz#1151859 - [RFE] Allow the libgfapi logging level to be controlled.
+Patch1680: kvm-gluster-Correctly-propagate-errors-when-volume-isn-t.patch
+# For bz#1151859 - [RFE] Allow the libgfapi logging level to be controlled.
+Patch1681: kvm-block-gluster-add-support-for-selecting-debug-loggin.patch
+# For bz#1342768 - [Intel 7.4 Bug] qemu-kvm crashes with Linux kernel 4.6.0 or above
+Patch1682: kvm-memory-Allow-access-only-upto-the-maximum-alignment-.patch
+# For bz#1361488 - system_reset should clear pending request for error (virtio-blk)
+Patch1683: kvm-virtio-blk-Release-s-rq-queue-at-system_reset.patch
+# For bz#1418233 - CVE-2017-2615 qemu-kvm: Qemu: display: cirrus: oob access while doing bitblt copy backward mode [rhel-7.4]
+Patch1684: kvm-cirrus_vga-fix-off-by-one-in-blit_region_is_unsafe.patch
+# For bz#1418233 - CVE-2017-2615 qemu-kvm: Qemu: display: cirrus: oob access while doing bitblt copy backward mode [rhel-7.4]
+Patch1685: kvm-display-cirrus-check-vga-bits-per-pixel-bpp-value.patch
+# For bz#1418233 - CVE-2017-2615 qemu-kvm: Qemu: display: cirrus: oob access while doing bitblt copy backward mode [rhel-7.4]
+Patch1686: kvm-display-cirrus-ignore-source-pitch-value-as-needed-i.patch
+# For bz#1418233 - CVE-2017-2615 qemu-kvm: Qemu: display: cirrus: oob access while doing bitblt copy backward mode [rhel-7.4]
+Patch1687: kvm-cirrus-handle-negative-pitch-in-cirrus_invalidate_re.patch
+# For bz#1418233 - CVE-2017-2615 qemu-kvm: Qemu: display: cirrus: oob access while doing bitblt copy backward mode [rhel-7.4]
+Patch1688: kvm-cirrus-allow-zero-source-pitch-in-pattern-fill-rops.patch
+# For bz#1418233 - CVE-2017-2615 qemu-kvm: Qemu: display: cirrus: oob access while doing bitblt copy backward mode [rhel-7.4]
+Patch1689: kvm-cirrus-fix-blit-address-mask-handling.patch
+# For bz#1418233 - CVE-2017-2615 qemu-kvm: Qemu: display: cirrus: oob access while doing bitblt copy backward mode [rhel-7.4]
+Patch1690: kvm-cirrus-fix-oob-access-issue-CVE-2017-2615.patch
+# For bz#1419898 - Documentation inaccurate for __com.redhat_qxl_screendump and __com.redhat_drive_add
+Patch1691: kvm-HMP-Fix-user-manual-typo-of-__com.redhat_qxl_screend.patch
+# For bz#1419898 - Documentation inaccurate for __com.redhat_qxl_screendump and __com.redhat_drive_add
+Patch1692: kvm-HMP-Fix-documentation-of-__com.redhat.drive_add.patch
+# For bz#1420492 - EMBARGOED CVE-2017-2620 qemu-kvm: Qemu: display: cirrus: potential arbitrary code execution via cirrus_bitblt_cputovideo [rhel-7.4]
+Patch1693: kvm-cirrus-fix-patterncopy-checks.patch
+# For bz#1420492 - EMBARGOED CVE-2017-2620 qemu-kvm: Qemu: display: cirrus: potential arbitrary code execution via cirrus_bitblt_cputovideo [rhel-7.4]
+Patch1694: kvm-Revert-cirrus-allow-zero-source-pitch-in-pattern-fil.patch
+# For bz#1420492 - EMBARGOED CVE-2017-2620 qemu-kvm: Qemu: display: cirrus: potential arbitrary code execution via cirrus_bitblt_cputovideo [rhel-7.4]
+Patch1695: kvm-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch
+# For bz#1368375 - [Intel 7.4 Bug] qemu-kvm does not support “-cpu IvyBridge”
+Patch1696: kvm-target-i386-add-Ivy-Bridge-CPU-model.patch
+# For bz#1382122 - [Intel 7.4 FEAT] KVM Enable the avx512_4vnniw, avx512_4fmaps instructions in qemu
+Patch1697: kvm-x86-add-AVX512_4VNNIW-and-AVX512_4FMAPS-features.patch
+# For bz#1382122 - [Intel 7.4 FEAT] KVM Enable the avx512_4vnniw, avx512_4fmaps instructions in qemu
+Patch1698: kvm-target-i386-kvm_cpu_fill_host-Kill-unused-code.patch
+# For bz#1382122 - [Intel 7.4 FEAT] KVM Enable the avx512_4vnniw, avx512_4fmaps instructions in qemu
+Patch1699: kvm-target-i386-kvm_cpu_fill_host-No-need-to-check-level.patch
+# For bz#1382122 - [Intel 7.4 FEAT] KVM Enable the avx512_4vnniw, avx512_4fmaps instructions in qemu
+Patch1700: kvm-target-i386-kvm_cpu_fill_host-No-need-to-check-CPU-v.patch
+# For bz#1382122 - [Intel 7.4 FEAT] KVM Enable the avx512_4vnniw, avx512_4fmaps instructions in qemu
+Patch1701: kvm-target-i386-kvm_cpu_fill_host-No-need-to-check-xleve.patch
+# For bz#1382122 - [Intel 7.4 FEAT] KVM Enable the avx512_4vnniw, avx512_4fmaps instructions in qemu
+Patch1702: kvm-target-i386-kvm_cpu_fill_host-Set-all-feature-words-.patch
+# For bz#1382122 - [Intel 7.4 FEAT] KVM Enable the avx512_4vnniw, avx512_4fmaps instructions in qemu
+Patch1703: kvm-target-i386-kvm_cpu_fill_host-Fill-feature-words-in-.patch
+# For bz#1382122 - [Intel 7.4 FEAT] KVM Enable the avx512_4vnniw, avx512_4fmaps instructions in qemu
+Patch1704: kvm-target-i386-kvm_check_features_against_host-Kill-fea.patch
+# For bz#1382122 - [Intel 7.4 FEAT] KVM Enable the avx512_4vnniw, avx512_4fmaps instructions in qemu
+Patch1705: kvm-target-i386-Make-TCG-feature-filtering-more-readable.patch
+# For bz#1382122 - [Intel 7.4 FEAT] KVM Enable the avx512_4vnniw, avx512_4fmaps instructions in qemu
+Patch1706: kvm-target-i386-Filter-FEAT_7_0_EBX-TCG-features-too.patch
+# For bz#1382122 - [Intel 7.4 FEAT] KVM Enable the avx512_4vnniw, avx512_4fmaps instructions in qemu
+Patch1707: kvm-target-i386-Filter-KVM-and-0xC0000001-features-on-TC.patch
+# For bz#1382122 - [Intel 7.4 FEAT] KVM Enable the avx512_4vnniw, avx512_4fmaps instructions in qemu
+Patch1708: kvm-target-i386-Define-TCG_-_FEATURES-earlier-in-cpu.c.patch
+# For bz#1382122 - [Intel 7.4 FEAT] KVM Enable the avx512_4vnniw, avx512_4fmaps instructions in qemu
+Patch1709: kvm-target-i386-Loop-based-copying-and-setting-unsetting.patch
+# For bz#1382122 - [Intel 7.4 FEAT] KVM Enable the avx512_4vnniw, avx512_4fmaps instructions in qemu
+Patch1710: kvm-target-i386-Loop-based-feature-word-filtering-in-TCG.patch
+# For bz#1430606 - Can't build qemu-kvm with newer spice packages
+Patch1711: kvm-spice-remove-spice-experimental.h-include.patch
+# For bz#1430606 - Can't build qemu-kvm with newer spice packages
+Patch1712: kvm-spice-replace-use-of-deprecated-API.patch
+# For bz#1377977 - qemu-kvm coredump in vnc_raw_send_framebuffer_update [rhel-7.4]
+Patch1713: kvm-ui-vnc-introduce-VNC_DIRTY_PIXELS_PER_BIT-macro.patch
+# For bz#1377977 - qemu-kvm coredump in vnc_raw_send_framebuffer_update [rhel-7.4]
+Patch1714: kvm-ui-vnc-derive-cmp_bytes-from-VNC_DIRTY_PIXELS_PER_BI.patch
+# For bz#1377977 - qemu-kvm coredump in vnc_raw_send_framebuffer_update [rhel-7.4]
+Patch1715: kvm-ui-vnc-optimize-dirty-bitmap-tracking.patch
+# For bz#1377977 - qemu-kvm coredump in vnc_raw_send_framebuffer_update [rhel-7.4]
+Patch1716: kvm-ui-vnc-optimize-setting-in-vnc_dpy_update.patch
+# For bz#1377977 - qemu-kvm coredump in vnc_raw_send_framebuffer_update [rhel-7.4]
+Patch1717: kvm-ui-vnc-fix-vmware-VGA-incompatiblities.patch
+# For bz#1377977 - qemu-kvm coredump in vnc_raw_send_framebuffer_update [rhel-7.4]
+Patch1718: kvm-ui-vnc-fix-potential-memory-corruption-issues.patch
+# For bz#1377977 - qemu-kvm coredump in vnc_raw_send_framebuffer_update [rhel-7.4]
+Patch1719: kvm-vnc-fix-memory-corruption-CVE-2015-5225.patch
+# For bz#1377977 - qemu-kvm coredump in vnc_raw_send_framebuffer_update [rhel-7.4]
+Patch1720: kvm-vnc-fix-overflow-in-vnc_update_stats.patch
+# For bz#1335751 - CVE-2016-4020 qemu-kvm: Qemu: i386: leakage of stack memory to guest in kvmvapic.c [rhel-7.4]
+Patch1721: kvm-i386-kvmvapic-initialise-imm32-variable.patch
+# For bz#1427176 - test cases of qemu-iotests failed
+Patch1722: kvm-qemu-iotests-Filter-out-actual-image-size-in-067.patch
+# For bz#1427176 - test cases of qemu-iotests failed
+Patch1723: kvm-qcow2-Don-t-rely-on-free_cluster_index-in-alloc_ref2.patch
+# For bz#1427176 - test cases of qemu-iotests failed
+Patch1724: kvm-qemu-iotests-Fix-core-dump-suppression-in-test-039.patch
+# For bz#1427176 - test cases of qemu-iotests failed
+Patch1725: kvm-qemu-io-Add-sigraise-command.patch
+# For bz#1427176 - test cases of qemu-iotests failed
+Patch1726: kvm-iotests-Filter-for-Killed-in-qemu-io-output.patch
+# For bz#1427176 - test cases of qemu-iotests failed
+Patch1727: kvm-iotests-Fix-test-039.patch
+# For bz#1427176 - test cases of qemu-iotests failed
+Patch1728: kvm-blkdebug-Add-bdrv_truncate.patch
+# For bz#1427176 - test cases of qemu-iotests failed
+Patch1729: kvm-vhdx-Fix-zero-fill-iov-length.patch
+# For bz#1427176 - test cases of qemu-iotests failed
+Patch1730: kvm-qemu-iotests-Disable-030-040-041.patch
+# For bz#1415830 - [Intel 7.4 FEAT] Enable vpopcntdq for KNM - qemu/kvm
+Patch1731: kvm-x86-add-AVX512_VPOPCNTDQ-features.patch
+# For bz#1419818 - CVE-2017-5898 qemu-kvm: Qemu: usb: integer overflow in emulated_apdu_from_guest [rhel-7.4]
+Patch1732: kvm-usb-ccid-check-ccid-apdu-length.patch
+# For bz#1419818 - CVE-2017-5898 qemu-kvm: Qemu: usb: integer overflow in emulated_apdu_from_guest [rhel-7.4]
+Patch1733: kvm-usb-ccid-better-bulk_out-error-handling.patch
+# For bz#1419818 - CVE-2017-5898 qemu-kvm: Qemu: usb: integer overflow in emulated_apdu_from_guest [rhel-7.4]
+Patch1734: kvm-usb-ccid-move-header-size-check.patch
+# For bz#1419818 - CVE-2017-5898 qemu-kvm: Qemu: usb: integer overflow in emulated_apdu_from_guest [rhel-7.4]
+Patch1735: kvm-usb-ccid-add-check-message-size-checks.patch
+# For bz#1430060 - CVE-2016-9603 qemu-kvm: Qemu: cirrus: heap buffer overflow via vnc connection [rhel-7.4]
+Patch1736: kvm-fix-cirrus_vga-fix-OOB-read-case-qemu-Segmentation-f.patch
+# For bz#1430060 - CVE-2016-9603 qemu-kvm: Qemu: cirrus: heap buffer overflow via vnc connection [rhel-7.4]
+Patch1737: kvm-cirrus-vnc-zap-bitblit-support-from-console-code.patch
+# For bz#1430060 - CVE-2016-9603 qemu-kvm: Qemu: cirrus: heap buffer overflow via vnc connection [rhel-7.4]
+Patch1738: kvm-cirrus-add-option-to-disable-blitter.patch
+# For bz#1430060 - CVE-2016-9603 qemu-kvm: Qemu: cirrus: heap buffer overflow via vnc connection [rhel-7.4]
+Patch1739: kvm-cirrus-fix-cirrus_invalidate_region.patch
+# For bz#1430060 - CVE-2016-9603 qemu-kvm: Qemu: cirrus: heap buffer overflow via vnc connection [rhel-7.4]
+Patch1740: kvm-cirrus-stop-passing-around-dst-pointers-in-the-blitt.patch
+# For bz#1430060 - CVE-2016-9603 qemu-kvm: Qemu: cirrus: heap buffer overflow via vnc connection [rhel-7.4]
+Patch1741: kvm-cirrus-stop-passing-around-src-pointers-in-the-blitt.patch
+# For bz#1430060 - CVE-2016-9603 qemu-kvm: Qemu: cirrus: heap buffer overflow via vnc connection [rhel-7.4]
+Patch1742: kvm-cirrus-fix-off-by-one-in-cirrus_bitblt_rop_bkwd_tran.patch
+# For bz#1327593 - [Intel 7.4 FEAT] KVM Enable the XSAVEC, XSAVES and XRSTORS instructions
+Patch1743: kvm-target-i386-get-set-migrate-XSAVES-state.patch
+# For bz#1299875 - system_reset should clear pending request for error (IDE)
+Patch1744: kvm-ide-fix-halted-IO-segfault-at-reset.patch
+# For bz#1451470 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
+Patch1745: kvm-char-serial-cosmetic-fixes.patch
+# For bz#1451470 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
+Patch1746: kvm-char-serial-Use-generic-Fifo8.patch
+# For bz#1451470 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
+Patch1747: kvm-char-serial-serial_ioport_write-Factor-out-common-co.patch
+# For bz#1451470 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
+Patch1748: kvm-char-serial-fix-copy-paste-error-fifo8_is_full-vs-em.patch
+# For bz#1451470 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
+Patch1749: kvm-char-serial-Fix-emptyness-check.patch
+# For bz#1451470 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
+Patch1750: kvm-char-serial-Fix-emptyness-handling.patch
+# For bz#1451470 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
+Patch1751: kvm-serial-poll-the-serial-console-with-G_IO_HUP.patch
+# For bz#1451470 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
+Patch1752: kvm-serial-change-retry-logic-to-avoid-concurrency.patch
+# For bz#1451470 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
+Patch1753: kvm-qemu-char-ignore-flow-control-if-a-PTY-s-slave-is-no.patch
+# For bz#1451470 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
+Patch1754: kvm-serial-check-if-backed-by-a-physical-serial-port-at-.patch
+# For bz#1451470 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
+Patch1755: kvm-serial-reset-thri_pending-on-IER-writes-with-THRI-0.patch
+# For bz#1451470 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
+Patch1756: kvm-serial-clean-up-THRE-TEMT-handling.patch
+# For bz#1451470 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
+Patch1757: kvm-serial-update-LSR-on-enabling-disabling-FIFOs.patch
+# For bz#1451470 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
+Patch1758: kvm-serial-only-resample-THR-interrupt-on-rising-edge-of.patch
+# For bz#1451470 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
+Patch1759: kvm-serial-make-tsr_retry-unsigned.patch
+# For bz#1451470 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
+Patch1760: kvm-serial-simplify-tsr_retry-reset.patch
+# For bz#1451470 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
+Patch1761: kvm-serial-separate-serial_xmit-and-serial_watch_cb.patch
+# For bz#1451470 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
+Patch1762: kvm-serial-remove-watch-on-reset.patch
+# For bz#1451470 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
+Patch1763: kvm-char-change-qemu_chr_fe_add_watch-to-return-unsigned.patch
+# For bz#1456983 - Character device regression due to missing patch
+Patch1764: kvm-spice-fix-spice_chr_add_watch-pre-condition.patch
+# For bz#1455745 - Backport fix for broken logic that's supposed to ensure memory slots are page aligned
+Patch1765: kvm-Fix-memory-slot-page-alignment-logic-bug-1455745.patch
+# For bz#1452067 - migration can confuse serial port user
+Patch1766: kvm-Do-not-hang-on-full-PTY.patch
+# For bz#1452067 - migration can confuse serial port user
+Patch1767: kvm-serial-fixing-vmstate-for-save-restore.patch
+# For bz#1452067 - migration can confuse serial port user
+Patch1768: kvm-serial-reinstate-watch-after-migration.patch
+# For bz#1451614 - CVE-2017-9524 qemu-kvm: segment fault when private user nmap qemu-nbd server [rhel-7.4]
+Patch1769: kvm-nbd-Fully-initialize-client-in-case-of-failed-negoti.patch
+# For bz#1451614 - CVE-2017-9524 qemu-kvm: segment fault when private user nmap qemu-nbd server [rhel-7.4]
+Patch1770: kvm-nbd-Fix-regression-on-resiliency-to-port-scan.patch
 
 
 BuildRequires: zlib-devel
 BuildRequires: SDL-devel
 BuildRequires: which
-BuildRequires: texi2html
 BuildRequires: gnutls-devel
 BuildRequires: cyrus-sasl-devel
 BuildRequires: libtool
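Review bot: The comment on Patch1719 (`kvm-vnc-fix-memory-corruption-CVE-2015-5225.patch`) cites only bz#1377977, a coredump report, so the CVE id appears in the file name but not in the `# For bz#` line, unlike the other CVE fixes in this list (CVE-2016-4020, CVE-2017-5898, CVE-2016-9603 and so on). Anyone auditing the spec by searching those comments for CVE ids could miss that this build carries the fix. I would extend the comment, e.g. `# For bz#1377977 - qemu-kvm coredump in vnc_raw_send_framebuffer_update [rhel-7.4] (includes the CVE-2015-5225 fix)`. Separately, most of Patch1667–Patch1717 are reassigned to different files in this hunk, so a patch number quoted against the earlier 126.el7_3.x builds no longer identifies the same fix.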
@@ -3562,7 +3665,7 @@ BuildRequires: perl-podlators
 BuildRequires: texinfo
 # For rdma
 %if 0%{?have_librdma:1}
-BuildRequires: librdmacm-devel
+BuildRequires: rdma-core-devel
 %endif
 # cpp for preprocessing option ROM assembly files
 %ifarch %{ix86} x86_64
@@ -3590,12 +3693,10 @@ Requires: qemu-img = %{epoch}:%{version}-%{release}
 %define qemudocdir %{_docdir}/%{pkgname}
 
 %description
-qemu-kvm is an open source virtualizer that provides hardware emulation for
-the KVM hypervisor. qemu-kvm acts as a virtual machine monitor together with
-the KVM kernel modules, and emulates the hardware for a full system such as
-a PC and its assocated peripherals.
-
-As qemu-kvm requires no host kernel patches to run, it is safe and easy to use.
+qemu-kvm%{?pkgsuffix} is an open source virtualizer that provides hardware
+emulation for the KVM hypervisor. qemu-kvm%{?pkgsuffix} acts as a virtual
+machine monitor together with the KVM kernel modules, and emulates the
+hardware for a full system such as a PC and its associated peripherals.
 
 %package -n qemu-img%{?pkgsuffix}
 Summary: QEMU command line tool for manipulating disk images
@@ -3670,6 +3771,7 @@ such as kvm_stat.
 %prep
 %setup -q -n qemu-%{version}
 cp %{SOURCE18} pc-bios # keep "make check" happy
+tar -xf %{SOURCE21}
 %patch1 -p1
 #%%patch2 -p1
 #%%patch3 -p1
@@ -5387,6 +5489,59 @@ cp %{SOURCE18} pc-bios # keep "make check" happy
 %patch1715 -p1
 %patch1716 -p1
 %patch1717 -p1
+%patch1718 -p1
+%patch1719 -p1
+%patch1720 -p1
+%patch1721 -p1
+%patch1722 -p1
+%patch1723 -p1
+%patch1724 -p1
+%patch1725 -p1
+%patch1726 -p1
+%patch1727 -p1
+%patch1728 -p1
+%patch1729 -p1
+%patch1730 -p1
+%patch1731 -p1
+%patch1732 -p1
+%patch1733 -p1
+%patch1734 -p1
+%patch1735 -p1
+%patch1736 -p1
+%patch1737 -p1
+%patch1738 -p1
+%patch1739 -p1
+%patch1740 -p1
+%patch1741 -p1
+%patch1742 -p1
+%patch1743 -p1
+%patch1744 -p1
+%patch1745 -p1
+%patch1746 -p1
+%patch1747 -p1
+%patch1748 -p1
+%patch1749 -p1
+%patch1750 -p1
+%patch1751 -p1
+%patch1752 -p1
+%patch1753 -p1
+%patch1754 -p1
+%patch1755 -p1
+%patch1756 -p1
+%patch1757 -p1
+%patch1758 -p1
+%patch1759 -p1
+%patch1760 -p1
+%patch1761 -p1
+%patch1762 -p1
+%patch1763 -p1
+%patch1764 -p1
+%patch1765 -p1
+%patch1766 -p1
+%patch1767 -p1
+%patch1768 -p1
+%patch1769 -p1
+%patch1770 -p1
 
 %build
 buildarch="%{kvm_target}-softmmu"
@@ -5832,101 +5987,211 @@ sh %{_sysconfdir}/sysconfig/modules/kvm.modules &> /dev/null || :
 %{_mandir}/man8/qemu-nbd.8*
 
 %changelog
-* Fri Jun 16 2017 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-126.el7_3.10
-- kvm-nbd-Fully-initialize-client-in-case-of-failed-negoti.patch [bz#1460179]
-- kvm-nbd-Fix-regression-on-resiliency-to-port-scan.patch [bz#1460179]
-- Resolves: bz#1460179
-  (CVE-2017-9524 qemu-kvm: Qemu: nbd: segmentation fault due to client non-negotiation [rhel-7.3.z])
-
-* Tue Jun 06 2017 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-126.el7_3.9
-- kvm-spice-fix-spice_chr_add_watch-pre-condition.patch [bz#1452332]
-- Resolves: bz#1452332
+* Tue Jun 13 2017 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-141.el7
+- kvm-Fix-memory-slot-page-alignment-logic-bug-1455745.patch [bz#1455745]
+- kvm-Do-not-hang-on-full-PTY.patch [bz#1452067]
+- kvm-serial-fixing-vmstate-for-save-restore.patch [bz#1452067]
+- kvm-serial-reinstate-watch-after-migration.patch [bz#1452067]
+- kvm-nbd-Fully-initialize-client-in-case-of-failed-negoti.patch [bz#1451614]
+- kvm-nbd-Fix-regression-on-resiliency-to-port-scan.patch [bz#1451614]
+- Resolves: bz#1451614
+  (CVE-2017-9524 qemu-kvm: segment fault when private user nmap qemu-nbd server [rhel-7.4])
+- Resolves: bz#1452067
+  (migration can confuse serial port user)
+- Resolves: bz#1455745
+  (Backport fix for broken logic that's supposed to ensure memory slots are page aligned)
+
+* Tue Jun 06 2017 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-140.el7
+- kvm-spice-fix-spice_chr_add_watch-pre-condition.patch [bz#1456983]
+- Resolves: bz#1456983
+  (Character device regression due to missing patch)
+
+* Wed May 24 2017 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-139.el7
+- kvm-char-change-qemu_chr_fe_add_watch-to-return-unsigned.patch [bz#1451470]
+- Resolves: bz#1451470
   (RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop)
 
-* Wed May 24 2017 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-126.el7_3.8
-- kvm-char-change-qemu_chr_fe_add_watch-to-return-unsigned.patch [bz#1452332]
-- Resolves: bz#1452332
+* Tue May 23 2017 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-138.el7
+- kvm-char-serial-cosmetic-fixes.patch [bz#1451470]
+- kvm-char-serial-Use-generic-Fifo8.patch [bz#1451470]
+- kvm-char-serial-serial_ioport_write-Factor-out-common-co.patch [bz#1451470]
+- kvm-char-serial-fix-copy-paste-error-fifo8_is_full-vs-em.patch [bz#1451470]
+- kvm-char-serial-Fix-emptyness-check.patch [bz#1451470]
+- kvm-char-serial-Fix-emptyness-handling.patch [bz#1451470]
+- kvm-serial-poll-the-serial-console-with-G_IO_HUP.patch [bz#1451470]
+- kvm-serial-change-retry-logic-to-avoid-concurrency.patch [bz#1451470]
+- kvm-qemu-char-ignore-flow-control-if-a-PTY-s-slave-is-no.patch [bz#1451470]
+- kvm-serial-check-if-backed-by-a-physical-serial-port-at-.patch [bz#1451470]
+- kvm-serial-reset-thri_pending-on-IER-writes-with-THRI-0.patch [bz#1451470]
+- kvm-serial-clean-up-THRE-TEMT-handling.patch [bz#1451470]
+- kvm-serial-update-LSR-on-enabling-disabling-FIFOs.patch [bz#1451470]
+- kvm-serial-only-resample-THR-interrupt-on-rising-edge-of.patch [bz#1451470]
+- kvm-serial-make-tsr_retry-unsigned.patch [bz#1451470]
+- kvm-serial-simplify-tsr_retry-reset.patch [bz#1451470]
+- kvm-serial-separate-serial_xmit-and-serial_watch_cb.patch [bz#1451470]
+- kvm-serial-remove-watch-on-reset.patch [bz#1451470]
+- Resolves: bz#1451470
   (RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop)
 
-* Mon May 22 2017 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-126.el7_3.7
-- kvm-char-serial-cosmetic-fixes.patch [bz#1452332]
-- kvm-char-serial-Use-generic-Fifo8.patch [bz#1452332]
-- kvm-char-serial-serial_ioport_write-Factor-out-common-co.patch [bz#1452332]
-- kvm-char-serial-fix-copy-paste-error-fifo8_is_full-vs-em.patch [bz#1452332]
-- kvm-char-serial-Fix-emptyness-check.patch [bz#1452332]
-- kvm-char-serial-Fix-emptyness-handling.patch [bz#1452332]
-- kvm-serial-poll-the-serial-console-with-G_IO_HUP.patch [bz#1452332]
-- kvm-serial-change-retry-logic-to-avoid-concurrency.patch [bz#1452332]
-- kvm-qemu-char-ignore-flow-control-if-a-PTY-s-slave-is-no.patch [bz#1452332]
-- kvm-serial-check-if-backed-by-a-physical-serial-port-at-.patch [bz#1452332]
-- kvm-serial-reset-thri_pending-on-IER-writes-with-THRI-0.patch [bz#1452332]
-- kvm-serial-clean-up-THRE-TEMT-handling.patch [bz#1452332]
-- kvm-serial-update-LSR-on-enabling-disabling-FIFOs.patch [bz#1452332]
-- kvm-serial-only-resample-THR-interrupt-on-rising-edge-of.patch [bz#1452332]
-- kvm-serial-make-tsr_retry-unsigned.patch [bz#1452332]
-- kvm-serial-simplify-tsr_retry-reset.patch [bz#1452332]
-- kvm-serial-separate-serial_xmit-and-serial_watch_cb.patch [bz#1452332]
-- kvm-serial-remove-watch-on-reset.patch [bz#1452332]
-- Resolves: bz#1452332
-  (RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop)
+* Fri Apr 28 2017 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-137.el7
+- kvm-ide-fix-halted-IO-segfault-at-reset.patch [bz#1299875]
+- Resolves: bz#1299875
+  (system_reset should clear pending request for error (IDE))
 
-* Fri Mar 24 2017 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-126.el7_3.6
-- kvm-fix-cirrus_vga-fix-OOB-read-case-qemu-Segmentation-f.patch [bz#1430059]
-- kvm-cirrus-vnc-zap-bitblit-support-from-console-code.patch [bz#1430059]
-- kvm-cirrus-add-option-to-disable-blitter.patch [bz#1430059]
-- kvm-cirrus-fix-cirrus_invalidate_region.patch [bz#1430059]
-- kvm-cirrus-stop-passing-around-dst-pointers-in-the-blitt.patch [bz#1430059]
-- kvm-cirrus-stop-passing-around-src-pointers-in-the-blitt.patch [bz#1430059]
-- kvm-cirrus-fix-off-by-one-in-cirrus_bitblt_rop_bkwd_tran.patch [bz#1430059]
-- Resolves: bz#1430059
-  (CVE-2016-9603 qemu-kvm: Qemu: cirrus: heap buffer overflow via vnc connection [rhel-7.3.z])
-
-* Mon Feb 13 2017 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-126.el7_3.5
-- kvm-cirrus-fix-patterncopy-checks.patch [bz#1420490]
-- kvm-Revert-cirrus-allow-zero-source-pitch-in-pattern-fil.patch [bz#1420490]
-- kvm-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch [bz#1420490]
-- Resolves: bz#1420490
-  (EMBARGOED CVE-2017-2620 qemu-kvm: Qemu: display: cirrus: potential arbitrary code execution via cirrus_bitblt_cputovideo [rhel-7.3.z])
-
-* Fri Feb 10 2017 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-126.el7_3.4
-- kvm-virtio-blk-Release-s-rq-queue-at-system_reset.patch [bz#1420049]
-- kvm-cirrus_vga-fix-off-by-one-in-blit_region_is_unsafe.patch [bz#1418232]
-- kvm-display-cirrus-check-vga-bits-per-pixel-bpp-value.patch [bz#1418232]
-- kvm-display-cirrus-ignore-source-pitch-value-as-needed-i.patch [bz#1418232]
-- kvm-cirrus-handle-negative-pitch-in-cirrus_invalidate_re.patch [bz#1418232]
-- kvm-cirrus-allow-zero-source-pitch-in-pattern-fill-rops.patch [bz#1418232]
-- kvm-cirrus-fix-blit-address-mask-handling.patch [bz#1418232]
-- kvm-cirrus-fix-oob-access-issue-CVE-2017-2615.patch [bz#1418232]
-- Resolves: bz#1418232
-  (CVE-2017-2615 qemu-kvm: Qemu: display: cirrus: oob access while doing bitblt copy backward mode [rhel-7.3.z])
-- Resolves: bz#1420049
+* Tue Apr 18 2017 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-136.el7
+- kvm-target-i386-get-set-migrate-XSAVES-state.patch [bz#1327593]
+- kvm-Removing-texi2html-from-build-requirements.patch [bz#1440987]
+- kvm-Disable-build-of-32bit-packages.patch [bz#1441778]
+- kvm-Add-sample-images-to-srpm.patch [bz#1436280]
+- Resolves: bz#1327593
+  ([Intel 7.4 FEAT] KVM Enable the XSAVEC, XSAVES and XRSTORS instructions)
+- Resolves: bz#1436280
+  (sample images  for qemu-iotests are missing in the SRPM)
+- Resolves: bz#1440987
+  (Remove texi2html build dependancy from RPM)
+- Resolves: bz#1441778
+  (Stop building qemu-img for 32bit architectures.)
+
+* Thu Mar 30 2017 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-135.el7
+- kvm-fix-cirrus_vga-fix-OOB-read-case-qemu-Segmentation-f.patch [bz#1430060]
+- kvm-cirrus-vnc-zap-bitblit-support-from-console-code.patch [bz#1430060]
+- kvm-cirrus-add-option-to-disable-blitter.patch [bz#1430060]
+- kvm-cirrus-fix-cirrus_invalidate_region.patch [bz#1430060]
+- kvm-cirrus-stop-passing-around-dst-pointers-in-the-blitt.patch [bz#1430060]
+- kvm-cirrus-stop-passing-around-src-pointers-in-the-blitt.patch [bz#1430060]
+- kvm-cirrus-fix-off-by-one-in-cirrus_bitblt_rop_bkwd_tran.patch [bz#1430060]
+- Resolves: bz#1430060
+  (CVE-2016-9603 qemu-kvm: Qemu: cirrus: heap buffer overflow via vnc connection [rhel-7.4])
+
+* Tue Mar 21 2017 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-134.el7
+- kvm-ui-vnc-introduce-VNC_DIRTY_PIXELS_PER_BIT-macro.patch [bz#1377977]
+- kvm-ui-vnc-derive-cmp_bytes-from-VNC_DIRTY_PIXELS_PER_BI.patch [bz#1377977]
+- kvm-ui-vnc-optimize-dirty-bitmap-tracking.patch [bz#1377977]
+- kvm-ui-vnc-optimize-setting-in-vnc_dpy_update.patch [bz#1377977]
+- kvm-ui-vnc-fix-vmware-VGA-incompatiblities.patch [bz#1377977]
+- kvm-ui-vnc-fix-potential-memory-corruption-issues.patch [bz#1377977]
+- kvm-vnc-fix-memory-corruption-CVE-2015-5225.patch [bz#1377977]
+- kvm-vnc-fix-overflow-in-vnc_update_stats.patch [bz#1377977]
+- kvm-i386-kvmvapic-initialise-imm32-variable.patch [bz#1335751]
+- kvm-qemu-iotests-Filter-out-actual-image-size-in-067.patch [bz#1427176]
+- vm-qcow2-Don-t-rely-on-free_cluster_index-in-alloc_ref2.patch [bz#1427176]
+- kvm-qemu-iotests-Fix-core-dump-suppression-in-test-039.patch [bz#1427176]
+- kvm-qemu-io-Add-sigraise-command.patch [bz#1427176]
+- kvm-iotests-Filter-for-Killed-in-qemu-io-output.patch [bz#1427176]
+- kvm-iotests-Fix-test-039.patch [bz#1427176]
+- kvm-blkdebug-Add-bdrv_truncate.patch [bz#1427176]
+- kvm-vhdx-Fix-zero-fill-iov-length.patch [bz#1427176]
+- kvm-qemu-iotests-Disable-030-040-041.patch [bz#1427176]
+- kvm-x86-add-AVX512_VPOPCNTDQ-features.patch [bz#1415830]
+- kvm-usb-ccid-check-ccid-apdu-length.patch [bz#1419818]
+- kvm-usb-ccid-better-bulk_out-error-handling.patch [bz#1419818]
+- kvm-usb-ccid-move-header-size-check.patch [bz#1419818]
+- kvm-usb-ccid-add-check-message-size-checks.patch [bz#1419818]
+- kvm-spec-Update-rdma-build-dependency.patch [bz#1433920]
+- Resolves: bz#1335751
+  (CVE-2016-4020 qemu-kvm: Qemu: i386: leakage of stack memory to guest in kvmvapic.c [rhel-7.4])
+- Resolves: bz#1377977
+  (qemu-kvm coredump in vnc_raw_send_framebuffer_update [rhel-7.4])
+- Resolves: bz#1415830
+  ([Intel 7.4 FEAT] Enable vpopcntdq for KNM - qemu/kvm)
+- Resolves: bz#1419818
+  (CVE-2017-5898 qemu-kvm: Qemu: usb: integer overflow in emulated_apdu_from_guest [rhel-7.4])
+- Resolves: bz#1427176
+  (test cases of qemu-iotests failed)
+- Resolves: bz#1433920
+  (Switch from librdmacm-devel to rdma-core-devel)
+
+* Thu Mar 09 2017 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-133.el7
+- kvm-target-i386-add-Ivy-Bridge-CPU-model.patch [bz#1368375]
+- kvm-x86-add-AVX512_4VNNIW-and-AVX512_4FMAPS-features.patch [bz#1382122]
+- kvm-target-i386-kvm_cpu_fill_host-Kill-unused-code.patch [bz#1382122]
+- kvm-target-i386-kvm_cpu_fill_host-No-need-to-check-level.patch [bz#1382122]
+- kvm-target-i386-kvm_cpu_fill_host-No-need-to-check-CPU-v.patch [bz#1382122]
+- kvm-target-i386-kvm_cpu_fill_host-No-need-to-check-xleve.patch [bz#1382122]
+- kvm-target-i386-kvm_cpu_fill_host-Set-all-feature-words-.patch [bz#1382122]
+- kvm-target-i386-kvm_cpu_fill_host-Fill-feature-words-in-.patch [bz#1382122]
+- kvm-target-i386-kvm_check_features_against_host-Kill-fea.patch [bz#1382122]
+- kvm-target-i386-Make-TCG-feature-filtering-more-readable.patch [bz#1382122]
+- kvm-target-i386-Filter-FEAT_7_0_EBX-TCG-features-too.patch [bz#1382122]
+- kvm-target-i386-Filter-KVM-and-0xC0000001-features-on-TC.patch [bz#1382122]
+- kvm-target-i386-Define-TCG_-_FEATURES-earlier-in-cpu.c.patch [bz#1382122]
+- kvm-target-i386-Loop-based-copying-and-setting-unsetting.patch [bz#1382122]
+- kvm-target-i386-Loop-based-feature-word-filtering-in-TCG.patch [bz#1382122]
+- kvm-spice-remove-spice-experimental.h-include.patch [bz#1430606]
+- kvm-spice-replace-use-of-deprecated-API.patch [bz#1430606]
+- Resolves: bz#1368375
+  ([Intel 7.4 Bug] qemu-kvm does not support “-cpu IvyBridge”)
+- Resolves: bz#1382122
+  ([Intel 7.4 FEAT] KVM Enable the avx512_4vnniw, avx512_4fmaps instructions in qemu)
+- Resolves: bz#1430606
+  (Can't build qemu-kvm with newer spice packages)
+
+* Tue Feb 21 2017 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-132.el7
+- kvm-cirrus-fix-patterncopy-checks.patch [bz#1420492]
+- kvm-Revert-cirrus-allow-zero-source-pitch-in-pattern-fil.patch [bz#1420492]
+- kvm-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch [bz#1420492]
+- Resolves: bz#1420492
+  (EMBARGOED CVE-2017-2620 qemu-kvm: Qemu: display: cirrus: potential arbitrary code execution via cirrus_bitblt_cputovideo [rhel-7.4])
+
+* Fri Feb 10 2017 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-131.el7
+- kvm-memory-Allow-access-only-upto-the-maximum-alignment-.patch [bz#1342768]
+- kvm-virtio-blk-Release-s-rq-queue-at-system_reset.patch [bz#1361488]
+- kvm-cirrus_vga-fix-off-by-one-in-blit_region_is_unsafe.patch [bz#1418233]
+- kvm-display-cirrus-check-vga-bits-per-pixel-bpp-value.patch [bz#1418233]
+- kvm-display-cirrus-ignore-source-pitch-value-as-needed-i.patch [bz#1418233]
+- kvm-cirrus-handle-negative-pitch-in-cirrus_invalidate_re.patch [bz#1418233]
+- kvm-cirrus-allow-zero-source-pitch-in-pattern-fill-rops.patch [bz#1418233]
+- kvm-cirrus-fix-blit-address-mask-handling.patch [bz#1418233]
+- kvm-cirrus-fix-oob-access-issue-CVE-2017-2615.patch [bz#1418233]
+- kvm-HMP-Fix-user-manual-typo-of-__com.redhat_qxl_screend.patch [bz#1419898]
+- kvm-HMP-Fix-documentation-of-__com.redhat.drive_add.patch [bz#1419898]
+- Resolves: bz#1342768
+  ([Intel 7.4 Bug] qemu-kvm crashes with Linux kernel 4.6.0 or above)
+- Resolves: bz#1361488
   (system_reset should clear pending request for error (virtio-blk))
-
-* Wed Jan 04 2017 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-126.el7_3.3
-- kvm-net-check-packet-payload-length.patch [bz#1398217]
-- Resolves: bz#1398217
-  (CVE-2016-2857 qemu-kvm: Qemu: net: out of bounds read in net_checksum_calculate() [rhel-7.3.z])
-
-* Thu Nov 24 2016 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-126.el7_3.2
-- kvm-virtio-introduce-virtqueue_unmap_sg.patch [bz#1393484]
-- kvm-virtio-introduce-virtqueue_discard.patch [bz#1393484]
-- kvm-virtio-decrement-vq-inuse-in-virtqueue_discard.patch [bz#1393484]
-- kvm-balloon-fix-segfault-and-harden-the-stats-queue.patch [bz#1393484]
-- kvm-virtio-balloon-discard-virtqueue-element-on-reset.patch [bz#1393484]
-- kvm-virtio-zero-vq-inuse-in-virtio_reset.patch [bz#1393484]
-- kvm-virtio-add-virtqueue_rewind.patch [bz#1393484]
-- kvm-virtio-balloon-fix-stats-vq-migration.patch [bz#1393484]
-- Resolves: bz#1393484
+- Resolves: bz#1418233
+  (CVE-2017-2615 qemu-kvm: Qemu: display: cirrus: oob access while doing bitblt copy backward mode [rhel-7.4])
+- Resolves: bz#1419898
+  (Documentation inaccurate for __com.redhat_qxl_screendump and __com.redhat_drive_add)
+
+* Wed Feb 01 2017 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-130.el7
+- kvm-gluster-correctly-propagate-errors.patch [bz#1151859]
+- kvm-gluster-Correctly-propagate-errors-when-volume-isn-t.patch [bz#1151859]
+- kvm-block-gluster-add-support-for-selecting-debug-loggin.patch [bz#1151859]
+- Resolves: bz#1151859
+  ([RFE] Allow the libgfapi logging level to be controlled.)
+
+* Wed Jan 18 2017 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-129.el7
+- kvm-Update-qemu-kvm-package-Summary-and-Description.patch [bz#1378541]
+- kvm-vl-Don-t-silently-change-topology-when-all-smp-optio.patch [bz#1375507]
+- kvm-net-check-packet-payload-length.patch [bz#1398218]
+- kvm-qxl-Only-emit-QXL_INTERRUPT_CLIENT_MONITORS_CONFIG-o.patch [bz#1342489]
+- Resolves: bz#1342489
+  (Flickering Fedora 24 Login Screen on RHEL 7)
+- Resolves: bz#1375507
+  ("threads" option is overwritten if both "sockets" and "cores" is set on -smp)
+- Resolves: bz#1378541
+  (QEMU: update package summary and description)
+- Resolves: bz#1398218
+  (CVE-2016-2857 qemu-kvm: Qemu: net: out of bounds read in net_checksum_calculate() [rhel-7.4])
+
+* Thu Nov 24 2016 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-128.el7
+- kvm-virtio-introduce-virtqueue_unmap_sg.patch [bz#1377968]
+- kvm-virtio-introduce-virtqueue_discard.patch [bz#1377968]
+- kvm-virtio-decrement-vq-inuse-in-virtqueue_discard.patch [bz#1377968]
+- kvm-balloon-fix-segfault-and-harden-the-stats-queue.patch [bz#1377968]
+- kvm-virtio-balloon-discard-virtqueue-element-on-reset.patch [bz#1377968]
+- kvm-virtio-zero-vq-inuse-in-virtio_reset.patch [bz#1377968]
+- kvm-virtio-add-virtqueue_rewind.patch [bz#1377968]
+- kvm-virtio-balloon-fix-stats-vq-migration.patch [bz#1377968]
+- Resolves: bz#1377968
   ([RHEL7.3] KVM guest shuts itself down after 128th reboot)
 
-* Fri Nov 11 2016 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-126.el7_3.1
-- kvm-ide-fix-halted-IO-segfault-at-reset.patch [bz#1393042]
-- kvm-hw-i386-regenerate-checked-in-AML-payload-RHEL-only.patch [bz#1392027]
-- kvm-SPEC-file-flip-the-build-from-IASL-to-checked-in-AML.patch [bz#1392027]
-- Resolves: bz#1392027
+* Wed Nov 16 2016 Danilo de Paula <ddepaula@redhat.com> - 1.5.3-127.el7
+- kvm-hw-i386-regenerate-checked-in-AML-payload-RHEL-only.patch [bz#1377087]
+- kvm-ide-fix-halted-IO-segfault-at-reset.patch [bz#1377087]
+- Resolves: bz#1377087
   (shutdown rhel 5.11 guest failed and stop at "system halted")
-- Resolves: bz#1393042
-  (system_reset should clear pending request for error (IDE))
 
 * Tue Sep 20 2016 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-126.el7
 - kvm-virtio-recalculate-vq-inuse-after-migration.patch [bz#1376542]