diff --git a/.gitignore b/.gitignore
index a1ef968..39dc421 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,3 +5,4 @@ SOURCES/rhel6-ne2k_pci.rom
SOURCES/rhel6-pcnet.rom
SOURCES/rhel6-rtl8139.rom
SOURCES/rhel6-virtio.rom
+SOURCES/sample_images.tar
diff --git a/.qemu-kvm.metadata b/.qemu-kvm.metadata
index 0722292..791976e 100644
--- a/.qemu-kvm.metadata
+++ b/.qemu-kvm.metadata
@@ -5,3 +5,4 @@ faac4c56f0ef593721edc66af965bac63760965b SOURCES/rhel6-ne2k_pci.rom
f5ddbc9701698bc4adc5e98c63ad438c3b8e8510 SOURCES/rhel6-pcnet.rom
ca79836ccce0ffbf25aac4687a3aa64bf281a3c1 SOURCES/rhel6-rtl8139.rom
82eda3fb78a792745e46bcbbea8290cc444ae6bf SOURCES/rhel6-virtio.rom
+598e252c89da31924fbd9a6734fd15e4e97b67d8 SOURCES/sample_images.tar
diff --git a/SOURCES/kvm-Do-not-hang-on-full-PTY.patch b/SOURCES/kvm-Do-not-hang-on-full-PTY.patch
new file mode 100644
index 0000000..d7b9524
--- /dev/null
+++ b/SOURCES/kvm-Do-not-hang-on-full-PTY.patch
@@ -0,0 +1,40 @@
+From 40f55392d0bbe867547e5705c2be21d65924b024 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Fri, 9 Jun 2017 11:43:57 +0200
+Subject: [PATCH 2/6] Do not hang on full PTY
+
+RH-Author: Paolo Bonzini <pbonzini@redhat.com>
+Message-id: <20170609114359.13036-2-pbonzini@redhat.com>
+Patchwork-id: 75565
+O-Subject: [RHEL7.4 qemu-kvm PATCH v2 1/3] Do not hang on full PTY
+Bugzilla: 1452067
+RH-Acked-by: David Hildenbrand <david@redhat.com>
+RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+
+From: Don Slutz <dslutz@verizon.com>
+
+Signed-off-by: Don Slutz <dslutz@verizon.com>
+Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+(cherry picked from commit fac6688a18574b6f2caa8c699a936e729ed53ece)
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ qemu-char.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/qemu-char.c b/qemu-char.c
+index 5edca0a..08b2301 100644
+--- a/qemu-char.c
++++ b/qemu-char.c
+@@ -1182,6 +1182,7 @@ static CharDriverState *qemu_chr_open_pty(const char *id,
+ }
+
+ close(slave_fd);
++ qemu_set_nonblock(master_fd);
+
+ chr = g_malloc0(sizeof(CharDriverState));
+
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-Fix-memory-slot-page-alignment-logic-bug-1455745.patch b/SOURCES/kvm-Fix-memory-slot-page-alignment-logic-bug-1455745.patch
new file mode 100644
index 0000000..eebc4cb
--- /dev/null
+++ b/SOURCES/kvm-Fix-memory-slot-page-alignment-logic-bug-1455745.patch
@@ -0,0 +1,61 @@
+From be6123e0eadd895a9fa47005df38c4dce655236c Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Tue, 6 Jun 2017 17:08:19 +0200
+Subject: [PATCH 1/6] kvm: Fix memory slot page alignment logic (bug#1455745)
+
+RH-Author: Paolo Bonzini <pbonzini@redhat.com>
+Message-id: <20170606170819.18875-1-pbonzini@redhat.com>
+Patchwork-id: 75507
+O-Subject: [RHEL7.4 qemu-kvm PATCH] kvm: Fix memory slot page alignment logic (bug#1455745)
+Bugzilla: 1455745
+RH-Acked-by: Alex Williamson <alex.williamson@redhat.com>
+RH-Acked-by: Marcel Apfelbaum <marcel@redhat.com>
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+
+From: Alexander Graf <agraf@suse.de>
+
+Brew build: 13356300
+
+Memory slots have to be page aligned to get entered into KVM. There
+is existing logic that tries to ensure that we pad memory slots that
+are not page aligned to the biggest region that would still fit in the
+alignment requirements.
+
+Unfortunately, that logic is broken. It tries to calculate the start
+offset based on the region size.
+
+Fix up the logic to do the thing it was intended to do and document it
+properly in the comment above it.
+
+With this patch applied, I can successfully run an e500 guest with more
+than 3GB RAM (at which point RAM starts overlapping subpage memory regions).
+[Paolo: in RHEL's case, the issue was reported with assigned devices]
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Alexander Graf <agraf@suse.de>
+(cherry picked from commit f2a64032a14c642d0ddc9a7a846fc3d737deede5)
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ kvm-all.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/kvm-all.c b/kvm-all.c
+index fc6e3ab..9486b9a 100644
+--- a/kvm-all.c
++++ b/kvm-all.c
+@@ -621,8 +621,10 @@ static void kvm_set_phys_mem(MemoryRegionSection *section, bool add)
+ unsigned delta;
+
+ /* kvm works in page size chunks, but the function may be called
+- with sub-page size and unaligned start address. */
+- delta = TARGET_PAGE_ALIGN(size) - size;
++ with sub-page size and unaligned start address. Pad the start
++ address to next and truncate size to previous page boundary. */
++ delta = (TARGET_PAGE_SIZE - (start_addr & ~TARGET_PAGE_MASK));
++ delta &= ~TARGET_PAGE_MASK;
+ if (delta > size) {
+ return;
+ }
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-HMP-Fix-documentation-of-__com.redhat.drive_add.patch b/SOURCES/kvm-HMP-Fix-documentation-of-__com.redhat.drive_add.patch
new file mode 100644
index 0000000..2c9f803
--- /dev/null
+++ b/SOURCES/kvm-HMP-Fix-documentation-of-__com.redhat.drive_add.patch
@@ -0,0 +1,71 @@
+From cb8c7690048946dd298371876093997f07785269 Mon Sep 17 00:00:00 2001
+From: Markus Armbruster <armbru@redhat.com>
+Date: Tue, 7 Feb 2017 14:56:10 +0100
+Subject: [PATCH 11/11] HMP: Fix documentation of __com.redhat.drive_add
+
+RH-Author: Markus Armbruster <armbru@redhat.com>
+Message-id: <1486479370-24026-3-git-send-email-armbru@redhat.com>
+Patchwork-id: 73592
+O-Subject: [RHEL-7.4 qemu-kvm PATCH 2/2] HMP: Fix documentation of __com.redhat.drive_add
+Bugzilla: 1419898
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+RH-Acked-by: Fam Zheng <famz@redhat.com>
+RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+
+It's similar to -drive if=none, not -device if=none. Screwed up in
+RHEL-6.0 commit 545d0d8, forward-ported to RHEL-7.0 in commit c18bb50.
+
+Signed-off-by: Markus Armbruster <armbru@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ hmp-commands.hx | 4 ++--
+ qmp-commands.hx | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/hmp-commands.hx b/hmp-commands.hx
+index a8ba626..5356c4c 100644
+--- a/hmp-commands.hx
++++ b/hmp-commands.hx
+@@ -1105,7 +1105,7 @@ ETEXI
+ .name = RFQDN_REDHAT "drive_add",
+ .args_type = "simple-drive:O",
+ .params = "id=name,[file=file][,format=f][,media=d]...",
+- .help = "Create a drive similar to -device if=none.",
++ .help = "Create a drive similar to -drive if=none.",
+ .user_print = monitor_user_noop,
+ .mhandler.cmd_new = simple_drive_add,
+ },
+@@ -1113,7 +1113,7 @@ ETEXI
+ STEXI
+ @item __com.redhat_drive_add
+ @findex __com.redhat_drive_add
+-Create a drive similar to -device if=none.
++Create a drive similar to -drive if=none.
+ ETEXI
+
+ #if defined(TARGET_I386) && 0 /* Disabled for Red Hat Enterprise Linux */
+diff --git a/qmp-commands.hx b/qmp-commands.hx
+index 9522c44..4a89c24 100644
+--- a/qmp-commands.hx
++++ b/qmp-commands.hx
+@@ -110,7 +110,7 @@ EQMP
+ .name = RFQDN_REDHAT "drive_add",
+ .args_type = "simple-drive:O",
+ .params = "id=name,[file=file][,format=f][,media=d]...",
+- .help = "Create a drive similar to -device if=none.",
++ .help = "Create a drive similar to -drive if=none.",
+ .user_print = monitor_user_noop,
+ .mhandler.cmd_new = simple_drive_add,
+ },
+@@ -119,7 +119,7 @@ SQMP
+ __com.redhat_drive_add
+ ----------------------
+
+-Create a drive similar to -device if=none.
++Create a drive similar to -drive if=none.
+
+ Arguments:
+
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-HMP-Fix-user-manual-typo-of-__com.redhat_qxl_screend.patch b/SOURCES/kvm-HMP-Fix-user-manual-typo-of-__com.redhat_qxl_screend.patch
new file mode 100644
index 0000000..731c48a
--- /dev/null
+++ b/SOURCES/kvm-HMP-Fix-user-manual-typo-of-__com.redhat_qxl_screend.patch
@@ -0,0 +1,42 @@
+From ae12e1158b6a27d94070f95f36879ce2f0da604c Mon Sep 17 00:00:00 2001
+From: Markus Armbruster <armbru@redhat.com>
+Date: Tue, 7 Feb 2017 14:56:09 +0100
+Subject: [PATCH 10/11] HMP: Fix user manual typo of
+ __com.redhat_qxl_screendump
+
+RH-Author: Markus Armbruster <armbru@redhat.com>
+Message-id: <1486479370-24026-2-git-send-email-armbru@redhat.com>
+Patchwork-id: 73590
+O-Subject: [RHEL-7.4 qemu-kvm PATCH 1/2] HMP: Fix user manual typo of __com.redhat_qxl_screendump
+Bugzilla: 1419898
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+RH-Acked-by: Fam Zheng <famz@redhat.com>
+RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+
+Fat-fingered in RHEL-6.2 commit 1c6074d, forward ported to RHEL-7.0 in
+commit faf00a8.
+
+Signed-off-by: Markus Armbruster <armbru@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ hmp-commands.hx | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/hmp-commands.hx b/hmp-commands.hx
+index dd528d2..a8ba626 100644
+--- a/hmp-commands.hx
++++ b/hmp-commands.hx
+@@ -264,8 +264,8 @@ ETEXI
+ },
+
+ STEXI
+-@item __com.redhat_screendump @var{id} @var{filename}
+-@findex __com.redhat_screendump
++@item __com.redhat_qxl_screendump @var{id} @var{filename}
++@findex __com.redhat_qxl_screendump
+ Save screen from qxl device @var{id} into PPM image @var{filename}.
+ ETEXI
+
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-Revert-cirrus-allow-zero-source-pitch-in-pattern-fil.patch b/SOURCES/kvm-Revert-cirrus-allow-zero-source-pitch-in-pattern-fil.patch
index 286031e..28dfa96 100644
--- a/SOURCES/kvm-Revert-cirrus-allow-zero-source-pitch-in-pattern-fil.patch
+++ b/SOURCES/kvm-Revert-cirrus-allow-zero-source-pitch-in-pattern-fil.patch
@@ -1,4 +1,4 @@
-From 1cd1297bf694c0a91d75a87b4fd22c2b80807b49 Mon Sep 17 00:00:00 2001
+From abfd9c2acaf70c60ec70807ba4d021ade69c7b79 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Fri, 10 Feb 2017 08:30:14 +0100
Subject: [PATCH 2/3] Revert "cirrus: allow zero source pitch in pattern fill
@@ -8,7 +8,7 @@ RH-Author: Gerd Hoffmann <kraxel@redhat.com>
Message-id: <1486715415-3462-3-git-send-email-kraxel@redhat.com>
Patchwork-id: 73774
O-Subject: [virt-devel] [RHEL-7.4 qemu-kvm PATCH 2/3] Revert "cirrus: allow zero source pitch in pattern fill rops"
-Bugzilla: 1420490
+Bugzilla: 1420492
CVE: CVE-2017-2620/20170221
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
diff --git a/SOURCES/kvm-balloon-fix-segfault-and-harden-the-stats-queue.patch b/SOURCES/kvm-balloon-fix-segfault-and-harden-the-stats-queue.patch
index 9540f26..b73ee3a 100644
--- a/SOURCES/kvm-balloon-fix-segfault-and-harden-the-stats-queue.patch
+++ b/SOURCES/kvm-balloon-fix-segfault-and-harden-the-stats-queue.patch
@@ -1,4 +1,4 @@
-From 75255574498fad12727529c4ecbd4ccdabe86839 Mon Sep 17 00:00:00 2001
+From 1f177df6a47fb1e2961067a50e005efad52595cc Mon Sep 17 00:00:00 2001
From: Ladi Prosek <lprosek@redhat.com>
Date: Wed, 5 Oct 2016 17:22:26 +0200
Subject: [PATCH 4/8] balloon: fix segfault and harden the stats queue
@@ -7,7 +7,7 @@ RH-Author: Ladi Prosek <lprosek@redhat.com>
Message-id: <1475666548-9186-5-git-send-email-lprosek@redhat.com>
Patchwork-id: 72483
O-Subject: [RHEL-7.4 qemu-kvm v2 PATCH 4/6] balloon: fix segfault and harden the stats queue
-Bugzilla: 1393484
+Bugzilla: 1377968
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
RH-Acked-by: Michael S. Tsirkin <mst@redhat.com>
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
diff --git a/SOURCES/kvm-blkdebug-Add-bdrv_truncate.patch b/SOURCES/kvm-blkdebug-Add-bdrv_truncate.patch
new file mode 100644
index 0000000..ac3ea21
--- /dev/null
+++ b/SOURCES/kvm-blkdebug-Add-bdrv_truncate.patch
@@ -0,0 +1,63 @@
+From 6c316a417a80fcf892935c51eb01c0e273561b32 Mon Sep 17 00:00:00 2001
+From: Max Reitz <mreitz@redhat.com>
+Date: Mon, 13 Mar 2017 17:47:04 +0100
+Subject: [PATCH 16/24] blkdebug: Add bdrv_truncate()
+
+RH-Author: Max Reitz <mreitz@redhat.com>
+Message-id: <20170313174706.29316-1-mreitz@redhat.com>
+Patchwork-id: 74278
+O-Subject: [RHEL-7.4 qemu-kvm PATCH 7/9] blkdebug: Add bdrv_truncate()
+Bugzilla: 1427176
+RH-Acked-by: Fam Zheng <famz@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
+
+From: Kevin Wolf <kwolf@redhat.com>
+
+This is, amongst others, required for qemu-iotests 033 to run as
+intended on VHDX, which uses explicit bdrv_truncate() calls to bs->file
+when allocating new blocks.
+
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+Reviewed-by: Jeff Cody <jcody@redhat.com>
+(cherry picked from commit 8eedfbd4a50299f03b3630659c34ad1b01f69370)
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+Conflicts:
+ block/blkdebug.c
+
+Contextual conflict due to blkdebug_refresh_filename() missing from
+downstream.
+
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+---
+ block/blkdebug.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/block/blkdebug.c b/block/blkdebug.c
+index 8e468b2..7cfeccb 100644
+--- a/block/blkdebug.c
++++ b/block/blkdebug.c
+@@ -652,6 +652,11 @@ static int64_t blkdebug_getlength(BlockDriverState *bs)
+ return bdrv_getlength(bs->file);
+ }
+
++static int blkdebug_truncate(BlockDriverState *bs, int64_t offset)
++{
++ return bdrv_truncate(bs->file, offset);
++}
++
+ static BlockDriver bdrv_blkdebug = {
+ .format_name = "blkdebug",
+ .protocol_name = "blkdebug",
+@@ -661,6 +666,7 @@ static BlockDriver bdrv_blkdebug = {
+ .bdrv_file_open = blkdebug_open,
+ .bdrv_close = blkdebug_close,
+ .bdrv_getlength = blkdebug_getlength,
++ .bdrv_truncate = blkdebug_truncate,
+
+ .bdrv_aio_readv = blkdebug_aio_readv,
+ .bdrv_aio_writev = blkdebug_aio_writev,
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-block-gluster-add-support-for-selecting-debug-loggin.patch b/SOURCES/kvm-block-gluster-add-support-for-selecting-debug-loggin.patch
new file mode 100644
index 0000000..031de1a
--- /dev/null
+++ b/SOURCES/kvm-block-gluster-add-support-for-selecting-debug-loggin.patch
@@ -0,0 +1,202 @@
+From 2ffc3b31eafe39cc11678ef0e0ea39cdfef0469d Mon Sep 17 00:00:00 2001
+From: Jeffrey Cody <jcody@redhat.com>
+Date: Tue, 17 Jan 2017 19:51:32 +0100
+Subject: [PATCH 3/3] block/gluster: add support for selecting debug logging
+ level
+
+RH-Author: Jeffrey Cody <jcody@redhat.com>
+Message-id: <87a60937c8dfa4bee63e59871811dbda7794e818.1484682588.git.jcody@redhat.com>
+Patchwork-id: 73255
+O-Subject: [RHEL-7.4 qemu-kvm 3/3] block/gluster: add support for selecting debug logging level
+Bugzilla: 1151859
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Fam Zheng <famz@redhat.com>
+RH-Acked-by: Thomas Huth <thuth@redhat.com>
+
+This adds commandline support for the logging level of the
+gluster protocol driver, output to stdout. The option is 'debug',
+e.g.:
+
+-drive filename=gluster://192.168.15.180/gv2/test.qcow2,debug=9
+
+Debug levels are 0-9, with 9 being the most verbose, and 0 representing
+no debugging output. The default is the same as it was before, which
+is a level of 4. The current logging levels defined in the gluster
+source are:
+
+ 0 - None
+ 1 - Emergency
+ 2 - Alert
+ 3 - Critical
+ 4 - Error
+ 5 - Warning
+ 6 - Notice
+ 7 - Info
+ 8 - Debug
+ 9 - Trace
+
+(From: glusterfs/logging.h)
+
+Reviewed-by: Niels de Vos <ndevos@redhat.com>
+Signed-off-by: Jeff Cody <jcody@redhat.com>
+(cherry picked from commit 7eac868a508cdbf4cccef5c2084941b63fa3aded)
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ block/gluster.c | 61 +++++++++++++++++++++++++++++++++++++++++++++------------
+ 1 file changed, 48 insertions(+), 13 deletions(-)
+
+diff --git a/block/gluster.c b/block/gluster.c
+index 5266dce..86e136d 100644
+--- a/block/gluster.c
++++ b/block/gluster.c
+@@ -35,6 +35,7 @@ typedef struct BDRVGlusterState {
+ int qemu_aio_count;
+ int event_reader_pos;
+ GlusterAIOCB *event_acb;
++ int debug_level;
+ } BDRVGlusterState;
+
+ #define GLUSTER_FD_READ 0
+@@ -46,6 +47,7 @@ typedef struct GlusterConf {
+ char *volname;
+ char *image;
+ char *transport;
++ int debug_level;
+ } GlusterConf;
+
+ static void qemu_gluster_gconf_free(GlusterConf *gconf)
+@@ -208,11 +210,7 @@ static struct glfs *qemu_gluster_init(GlusterConf *gconf, const char *filename,
+ goto out;
+ }
+
+- /*
+- * TODO: Use GF_LOG_ERROR instead of hard code value of 4 here when
+- * GlusterFS makes GF_LOG_* macros available to libgfapi users.
+- */
+- ret = glfs_set_logging(glfs, "-", 4);
++ ret = glfs_set_logging(glfs, "-", gconf->debug_level);
+ if (ret < 0) {
+ goto out;
+ }
+@@ -292,16 +290,26 @@ static int qemu_gluster_aio_flush_cb(void *opaque)
+ return (s->qemu_aio_count > 0);
+ }
+
++#define GLUSTER_OPT_FILENAME "filename"
++#define GLUSTER_OPT_DEBUG "debug"
++#define GLUSTER_DEBUG_DEFAULT 4
++#define GLUSTER_DEBUG_MAX 9
++
+ /* TODO Convert to fine grained options */
+ static QemuOptsList runtime_opts = {
+ .name = "gluster",
+ .head = QTAILQ_HEAD_INITIALIZER(runtime_opts.head),
+ .desc = {
+ {
+- .name = "filename",
++ .name = GLUSTER_OPT_FILENAME,
+ .type = QEMU_OPT_STRING,
+ .help = "URL to the gluster image",
+ },
++ {
++ .name = GLUSTER_OPT_DEBUG,
++ .type = QEMU_OPT_NUMBER,
++ .help = "Gluster log level, valid range is 0-9",
++ },
+ { /* end of list */ }
+ },
+ };
+@@ -342,8 +350,17 @@ static int qemu_gluster_open(BlockDriverState *bs, QDict *options,
+ goto out;
+ }
+
+- filename = qemu_opt_get(opts, "filename");
++ filename = qemu_opt_get(opts, GLUSTER_OPT_FILENAME);
+
++ s->debug_level = qemu_opt_get_number(opts, GLUSTER_OPT_DEBUG,
++ GLUSTER_DEBUG_DEFAULT);
++ if (s->debug_level < 0) {
++ s->debug_level = 0;
++ } else if (s->debug_level > GLUSTER_DEBUG_MAX) {
++ s->debug_level = GLUSTER_DEBUG_MAX;
++ }
++
++ gconf->debug_level = s->debug_level;
+ s->glfs = qemu_gluster_init(gconf, filename, errp);
+ if (!s->glfs) {
+ ret = -errno;
+@@ -398,6 +415,7 @@ static int qemu_gluster_reopen_prepare(BDRVReopenState *state,
+ BlockReopenQueue *queue, Error **errp)
+ {
+ int ret = 0;
++ BDRVGlusterState *s;
+ BDRVGlusterReopenState *reop_s;
+ GlusterConf *gconf = NULL;
+ int open_flags = 0;
+@@ -405,6 +423,8 @@ static int qemu_gluster_reopen_prepare(BDRVReopenState *state,
+ assert(state != NULL);
+ assert(state->bs != NULL);
+
++ s = state->bs->opaque;
++
+ state->opaque = g_malloc0(sizeof(BDRVGlusterReopenState));
+ reop_s = state->opaque;
+
+@@ -412,6 +432,7 @@ static int qemu_gluster_reopen_prepare(BDRVReopenState *state,
+
+ gconf = g_malloc0(sizeof(GlusterConf));
+
++ gconf->debug_level = s->debug_level;
+ reop_s->glfs = qemu_gluster_init(gconf, state->bs->filename, errp);
+ if (reop_s->glfs == NULL) {
+ ret = -errno;
+@@ -487,19 +508,28 @@ static int qemu_gluster_create(const char *filename,
+ int64_t total_size = 0;
+ GlusterConf *gconf = g_malloc0(sizeof(GlusterConf));
+
+- glfs = qemu_gluster_init(gconf, filename, errp);
+- if (!glfs) {
+- ret = -errno;
+- goto out;
+- }
+-
++ gconf->debug_level = GLUSTER_DEBUG_DEFAULT;
+ while (options && options->name) {
+ if (!strcmp(options->name, BLOCK_OPT_SIZE)) {
+ total_size = options->value.n / BDRV_SECTOR_SIZE;
+ }
++ if (!strcmp(options->name, GLUSTER_OPT_DEBUG)) {
++ gconf->debug_level = options->value.n;
++ if (gconf->debug_level < 0) {
++ gconf->debug_level = 0;
++ } else if (gconf->debug_level > GLUSTER_DEBUG_MAX) {
++ gconf->debug_level = GLUSTER_DEBUG_MAX;
++ }
++ }
+ options++;
+ }
+
++ glfs = qemu_gluster_init(gconf, filename, errp);
++ if (!glfs) {
++ ret = -errno;
++ goto out;
++ }
++
+ fd = glfs_creat(glfs, gconf->image,
+ O_WRONLY | O_CREAT | O_TRUNC | O_BINARY, S_IRUSR | S_IWUSR);
+ if (!fd) {
+@@ -732,6 +762,11 @@ static QEMUOptionParameter qemu_gluster_create_options[] = {
+ .type = OPT_SIZE,
+ .help = "Virtual disk size"
+ },
++ {
++ .name = GLUSTER_OPT_DEBUG,
++ .type = QEMU_OPT_NUMBER,
++ .help = "Gluster log level, valid range is 0-9",
++ },
+ { NULL }
+ };
+
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-char-change-qemu_chr_fe_add_watch-to-return-unsigned.patch b/SOURCES/kvm-char-change-qemu_chr_fe_add_watch-to-return-unsigned.patch
index 87f18bf..6792339 100644
--- a/SOURCES/kvm-char-change-qemu_chr_fe_add_watch-to-return-unsigned.patch
+++ b/SOURCES/kvm-char-change-qemu_chr_fe_add_watch-to-return-unsigned.patch
@@ -1,21 +1,21 @@
-From 357b8e45c81e79a1547f65ea4109b0882050b1e9 Mon Sep 17 00:00:00 2001
+From 6106261b0f1501a3772f4f9b67ae329697c7b815 Mon Sep 17 00:00:00 2001
From: Eduardo Habkost <ehabkost@redhat.com>
-Date: Tue, 23 May 2017 14:15:10 +0200
+Date: Tue, 23 May 2017 13:43:59 +0200
Subject: [PATCH] char: change qemu_chr_fe_add_watch to return unsigned
RH-Author: Eduardo Habkost <ehabkost@redhat.com>
-Message-id: <20170523141510.24762-1-ehabkost@redhat.com>
-Patchwork-id: 75397
-O-Subject: [RHEL-7.3.z qemu-kvm PATCH] char: change qemu_chr_fe_add_watch to return unsigned
-Bugzilla: 1452332
+Message-id: <20170523134359.8747-1-ehabkost@redhat.com>
+Patchwork-id: 75396
+O-Subject: [RHEL-7.4 qemu-kvm PATCH] char: change qemu_chr_fe_add_watch to return unsigned
+Bugzilla: 1451470
RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
From: Paolo Bonzini <pbonzini@redhat.com>
-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1452332
-Brew: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=13257135
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1451470#c32
+Brew: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=13257025
g_source_attach can return any value between 1 and UINT_MAX if you let
QEMU run long enough. However, qemu_chr_fe_add_watch can also return
@@ -26,11 +26,7 @@ these values.
Fix the cadence_uart which asserts in this case (easily obtained with
"-serial pty").
-Backport notes:
-
- This is the same patch submitted to the 7.4 branch.
-
-7.4 backport conflicts:
+Backport Conflicts:
hw/char/cadence_uart.c (no qemu_chr_fe_add_watch() call)
net/vhost-user.c (doesn't exit)
qemu-char.c (trivial conflict)
diff --git a/SOURCES/kvm-char-serial-Fix-emptyness-check.patch b/SOURCES/kvm-char-serial-Fix-emptyness-check.patch
index 7b571ce..4a30500 100644
--- a/SOURCES/kvm-char-serial-Fix-emptyness-check.patch
+++ b/SOURCES/kvm-char-serial-Fix-emptyness-check.patch
@@ -1,15 +1,15 @@
-From c9b0af3739fc5b79a20bf2492b5e8c1dea055dc0 Mon Sep 17 00:00:00 2001
+From a7f735cccb7d7b98998600eebc789c709eac5bca Mon Sep 17 00:00:00 2001
From: Fam Zheng <famz@redhat.com>
-Date: Fri, 19 May 2017 00:35:10 +0200
+Date: Thu, 18 May 2017 09:21:18 +0200
Subject: [PATCH 05/18] char/serial: Fix emptyness check
RH-Author: Fam Zheng <famz@redhat.com>
-Message-id: <20170519003523.21163-6-famz@redhat.com>
-Patchwork-id: 75361
-O-Subject: [RHEL-7.3.z qemu-kvm PATCH 05/18] char/serial: Fix emptyness check
-Bugzilla: 1452332
+Message-id: <20170518092131.16571-6-famz@redhat.com>
+Patchwork-id: 75296
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v3 05/18] char/serial: Fix emptyness check
+Bugzilla: 1451470
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
-RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>
From: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
diff --git a/SOURCES/kvm-char-serial-Fix-emptyness-handling.patch b/SOURCES/kvm-char-serial-Fix-emptyness-handling.patch
index 966d2f5..3f42fe8 100644
--- a/SOURCES/kvm-char-serial-Fix-emptyness-handling.patch
+++ b/SOURCES/kvm-char-serial-Fix-emptyness-handling.patch
@@ -1,15 +1,15 @@
-From a14715c6b64f4764259028923a9c04ae7844c546 Mon Sep 17 00:00:00 2001
+From 63857964e14bbf4bcb91eaa56ca46a30d14934ed Mon Sep 17 00:00:00 2001
From: Fam Zheng <famz@redhat.com>
-Date: Fri, 19 May 2017 00:35:11 +0200
+Date: Thu, 18 May 2017 09:21:19 +0200
Subject: [PATCH 06/18] char/serial: Fix emptyness handling
RH-Author: Fam Zheng <famz@redhat.com>
-Message-id: <20170519003523.21163-7-famz@redhat.com>
-Patchwork-id: 75359
-O-Subject: [RHEL-7.3.z qemu-kvm PATCH 06/18] char/serial: Fix emptyness handling
-Bugzilla: 1452332
+Message-id: <20170518092131.16571-7-famz@redhat.com>
+Patchwork-id: 75298
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v3 06/18] char/serial: Fix emptyness handling
+Bugzilla: 1451470
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
-RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>
From: Don Slutz <dslutz@verizon.com>
diff --git a/SOURCES/kvm-char-serial-Use-generic-Fifo8.patch b/SOURCES/kvm-char-serial-Use-generic-Fifo8.patch
index ed8c9d1..bf9a9a4 100644
--- a/SOURCES/kvm-char-serial-Use-generic-Fifo8.patch
+++ b/SOURCES/kvm-char-serial-Use-generic-Fifo8.patch
@@ -1,15 +1,15 @@
-From 462caff619f890c56194ac50b70b095c26cd133e Mon Sep 17 00:00:00 2001
+From 18e92ed681383c787912d0cd4b8164d8e7df26d4 Mon Sep 17 00:00:00 2001
From: Fam Zheng <famz@redhat.com>
-Date: Fri, 19 May 2017 00:35:07 +0200
+Date: Thu, 18 May 2017 09:21:15 +0200
Subject: [PATCH 02/18] char/serial: Use generic Fifo8
RH-Author: Fam Zheng <famz@redhat.com>
-Message-id: <20170519003523.21163-3-famz@redhat.com>
-Patchwork-id: 75358
-O-Subject: [RHEL-7.3.z qemu-kvm PATCH 02/18] char/serial: Use generic Fifo8
-Bugzilla: 1452332
+Message-id: <20170518092131.16571-3-famz@redhat.com>
+Patchwork-id: 75292
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v3 02/18] char/serial: Use generic Fifo8
+Bugzilla: 1451470
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
-RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>
From: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
diff --git a/SOURCES/kvm-char-serial-cosmetic-fixes.patch b/SOURCES/kvm-char-serial-cosmetic-fixes.patch
index 2f9e776..2a507bd 100644
--- a/SOURCES/kvm-char-serial-cosmetic-fixes.patch
+++ b/SOURCES/kvm-char-serial-cosmetic-fixes.patch
@@ -1,18 +1,18 @@
-From f3c1372702f7cac6d8b405cf8c51e15eabc7c054 Mon Sep 17 00:00:00 2001
+From 30482e796857e7d29877d93cc017aca5c844e4e1 Mon Sep 17 00:00:00 2001
From: Fam Zheng <famz@redhat.com>
-Date: Fri, 19 May 2017 00:35:06 +0200
+Date: Thu, 18 May 2017 09:21:14 +0200
Subject: [PATCH 01/18] char/serial: cosmetic fixes.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Fam Zheng <famz@redhat.com>
-Message-id: <20170519003523.21163-2-famz@redhat.com>
-Patchwork-id: 75356
-O-Subject: [RHEL-7.3.z qemu-kvm PATCH 01/18] char/serial: cosmetic fixes.
-Bugzilla: 1452332
+Message-id: <20170518092131.16571-2-famz@redhat.com>
+Patchwork-id: 75293
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v3 01/18] char/serial: cosmetic fixes.
+Bugzilla: 1451470
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
-RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>
From: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
diff --git a/SOURCES/kvm-char-serial-fix-copy-paste-error-fifo8_is_full-vs-em.patch b/SOURCES/kvm-char-serial-fix-copy-paste-error-fifo8_is_full-vs-em.patch
index 35577f6..0778ad2 100644
--- a/SOURCES/kvm-char-serial-fix-copy-paste-error-fifo8_is_full-vs-em.patch
+++ b/SOURCES/kvm-char-serial-fix-copy-paste-error-fifo8_is_full-vs-em.patch
@@ -1,16 +1,16 @@
-From a04a0d4cf131163600ebede71d223d9d01a32511 Mon Sep 17 00:00:00 2001
+From 6239c2bb55847293db2defeff645e1d5e6456a19 Mon Sep 17 00:00:00 2001
From: Fam Zheng <famz@redhat.com>
-Date: Fri, 19 May 2017 00:35:09 +0200
+Date: Thu, 18 May 2017 09:21:17 +0200
Subject: [PATCH 04/18] char/serial: fix copy&paste error (fifo8_is_full vs
empty)
RH-Author: Fam Zheng <famz@redhat.com>
-Message-id: <20170519003523.21163-5-famz@redhat.com>
-Patchwork-id: 75360
-O-Subject: [RHEL-7.3.z qemu-kvm PATCH 04/18] char/serial: fix copy&paste error (fifo8_is_full vs empty)
-Bugzilla: 1452332
+Message-id: <20170518092131.16571-5-famz@redhat.com>
+Patchwork-id: 75294
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v3 04/18] char/serial: fix copy&paste error (fifo8_is_full vs empty)
+Bugzilla: 1451470
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
-RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>
From: Vladimir Senkov <hangup@gmail.com>
diff --git a/SOURCES/kvm-char-serial-serial_ioport_write-Factor-out-common-co.patch b/SOURCES/kvm-char-serial-serial_ioport_write-Factor-out-common-co.patch
index 3970777..6b43fff 100644
--- a/SOURCES/kvm-char-serial-serial_ioport_write-Factor-out-common-co.patch
+++ b/SOURCES/kvm-char-serial-serial_ioport_write-Factor-out-common-co.patch
@@ -1,6 +1,6 @@
-From 5114efc4a077a1fdfa9873e6f44a00d5f8101f65 Mon Sep 17 00:00:00 2001
+From e675e8ae59a4eb6a39fa9d1f13011fd4e718ce67 Mon Sep 17 00:00:00 2001
From: Fam Zheng <famz@redhat.com>
-Date: Fri, 19 May 2017 00:35:08 +0200
+Date: Thu, 18 May 2017 09:21:16 +0200
Subject: [PATCH 03/18] char/serial: serial_ioport_write: Factor out common
code
MIME-Version: 1.0
@@ -8,12 +8,12 @@ Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Fam Zheng <famz@redhat.com>
-Message-id: <20170519003523.21163-4-famz@redhat.com>
-Patchwork-id: 75357
-O-Subject: [RHEL-7.3.z qemu-kvm PATCH 03/18] char/serial: serial_ioport_write: Factor out common code
-Bugzilla: 1452332
+Message-id: <20170518092131.16571-4-famz@redhat.com>
+Patchwork-id: 75295
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v3 03/18] char/serial: serial_ioport_write: Factor out common code
+Bugzilla: 1451470
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
-RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>
From: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
diff --git a/SOURCES/kvm-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch b/SOURCES/kvm-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch
index 6e2023a..b6bfea6 100644
--- a/SOURCES/kvm-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch
+++ b/SOURCES/kvm-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch
@@ -1,4 +1,4 @@
-From e894ec03d7e6229488ae24d83809009162a0f9e0 Mon Sep 17 00:00:00 2001
+From 74db251c34369bd32148864b3abea6d6586270dc Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Fri, 10 Feb 2017 08:30:15 +0100
Subject: [PATCH 3/3] cirrus: add blit_is_unsafe call to
@@ -8,7 +8,7 @@ RH-Author: Gerd Hoffmann <kraxel@redhat.com>
Message-id: <1486715415-3462-4-git-send-email-kraxel@redhat.com>
Patchwork-id: 73773
O-Subject: [virt-devel] [EMBARGOED RHEL-7.4 qemu-kvm PATCH 3/3] cirrus: add blit_is_unsafe call to cirrus_bitblt_cputovideo
-Bugzilla: 1420490
+Bugzilla: 1420492
CVE: CVE-2017-2620/20170221
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
diff --git a/SOURCES/kvm-cirrus-add-option-to-disable-blitter.patch b/SOURCES/kvm-cirrus-add-option-to-disable-blitter.patch
index 47d8984..48c7d9e 100644
--- a/SOURCES/kvm-cirrus-add-option-to-disable-blitter.patch
+++ b/SOURCES/kvm-cirrus-add-option-to-disable-blitter.patch
@@ -1,16 +1,16 @@
-From 319f3876fafc35412bbf0ef6797c6764c95af6f3 Mon Sep 17 00:00:00 2001
+From 04b0eed67c2564cf9c10a62f57ed606f627c9317 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Tue, 21 Mar 2017 09:58:03 +0100
+Date: Mon, 27 Mar 2017 10:01:18 +0200
Subject: [PATCH 3/7] cirrus: add option to disable blitter
RH-Author: Gerd Hoffmann <kraxel@redhat.com>
-Message-id: <1490090287-1503-4-git-send-email-kraxel@redhat.com>
-Patchwork-id: 74424
-O-Subject: [RHEL-7.4 qemu-kvm PATCH 3/7] cirrus: add option to disable blitter
-Bugzilla: 1430059
+Message-id: <1490608882-10242-4-git-send-email-kraxel@redhat.com>
+Patchwork-id: 74551
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v2 3/7] cirrus: add option to disable blitter
+Bugzilla: 1430060
RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
-RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Ok, we have this beast in the cirrus code which is not used at all by
modern guests, except when you try to find security holes in qemu. So,
diff --git a/SOURCES/kvm-cirrus-allow-zero-source-pitch-in-pattern-fill-rops.patch b/SOURCES/kvm-cirrus-allow-zero-source-pitch-in-pattern-fill-rops.patch
index ed65c41..e710937 100644
--- a/SOURCES/kvm-cirrus-allow-zero-source-pitch-in-pattern-fill-rops.patch
+++ b/SOURCES/kvm-cirrus-allow-zero-source-pitch-in-pattern-fill-rops.patch
@@ -1,13 +1,13 @@
-From 9fd5f5b599e19c4485c3c7e6689081965e833df6 Mon Sep 17 00:00:00 2001
+From 03b4fe1dacb0e4a2bdebb86d11e1cff13b2972c1 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Tue, 7 Feb 2017 10:07:50 +0100
-Subject: [PATCH 6/8] cirrus: allow zero source pitch in pattern fill rops
+Subject: [PATCH 07/11] cirrus: allow zero source pitch in pattern fill rops
RH-Author: Gerd Hoffmann <kraxel@redhat.com>
Message-id: <1486462072-32174-6-git-send-email-kraxel@redhat.com>
Patchwork-id: 73569
O-Subject: [RHEL-7.4 qemu-kvm PATCH 5/7] cirrus: allow zero source pitch in pattern fill rops
-Bugzilla: 1418232
+Bugzilla: 1418233
RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
diff --git a/SOURCES/kvm-cirrus-fix-blit-address-mask-handling.patch b/SOURCES/kvm-cirrus-fix-blit-address-mask-handling.patch
index 8bc4b87..158737d 100644
--- a/SOURCES/kvm-cirrus-fix-blit-address-mask-handling.patch
+++ b/SOURCES/kvm-cirrus-fix-blit-address-mask-handling.patch
@@ -1,13 +1,13 @@
-From fdb1ec384fe65b7ca2ab7303b56c2731e5999058 Mon Sep 17 00:00:00 2001
+From a5ce32ef09ab8eb8ba2467e12d37020048c8803f Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Tue, 7 Feb 2017 10:07:51 +0100
-Subject: [PATCH 7/8] cirrus: fix blit address mask handling
+Subject: [PATCH 08/11] cirrus: fix blit address mask handling
RH-Author: Gerd Hoffmann <kraxel@redhat.com>
Message-id: <1486462072-32174-7-git-send-email-kraxel@redhat.com>
Patchwork-id: 73570
O-Subject: [RHEL-7.4 qemu-kvm PATCH 6/7] cirrus: fix blit address mask handling
-Bugzilla: 1418232
+Bugzilla: 1418233
RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
diff --git a/SOURCES/kvm-cirrus-fix-cirrus_invalidate_region.patch b/SOURCES/kvm-cirrus-fix-cirrus_invalidate_region.patch
index b180965..0e38fac 100644
--- a/SOURCES/kvm-cirrus-fix-cirrus_invalidate_region.patch
+++ b/SOURCES/kvm-cirrus-fix-cirrus_invalidate_region.patch
@@ -1,16 +1,16 @@
-From 6c17f6355cac0bc40bae876acf4d31e32978991f Mon Sep 17 00:00:00 2001
+From 8396435dbcd13dc27c7f1c7576499354be48d2c7 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Tue, 21 Mar 2017 09:58:04 +0100
+Date: Mon, 27 Mar 2017 10:01:19 +0200
Subject: [PATCH 4/7] cirrus: fix cirrus_invalidate_region
RH-Author: Gerd Hoffmann <kraxel@redhat.com>
-Message-id: <1490090287-1503-5-git-send-email-kraxel@redhat.com>
-Patchwork-id: 74423
-O-Subject: [RHEL-7.4 qemu-kvm PATCH 4/7] cirrus: fix cirrus_invalidate_region
-Bugzilla: 1430059
+Message-id: <1490608882-10242-5-git-send-email-kraxel@redhat.com>
+Patchwork-id: 74552
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v2 4/7] cirrus: fix cirrus_invalidate_region
+Bugzilla: 1430060
RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
-RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
off_cur_end is exclusive, so off_cur_end == cirrus_addr_mask is valid.
Fix calculation to make sure to allow that, otherwise the assert added
diff --git a/SOURCES/kvm-cirrus-fix-off-by-one-in-cirrus_bitblt_rop_bkwd_tran.patch b/SOURCES/kvm-cirrus-fix-off-by-one-in-cirrus_bitblt_rop_bkwd_tran.patch
index 6188818..fc0f512 100644
--- a/SOURCES/kvm-cirrus-fix-off-by-one-in-cirrus_bitblt_rop_bkwd_tran.patch
+++ b/SOURCES/kvm-cirrus-fix-off-by-one-in-cirrus_bitblt_rop_bkwd_tran.patch
@@ -1,6 +1,6 @@
-From 8c2a803f9ba8b4293c207917a2acfcfac0548d24 Mon Sep 17 00:00:00 2001
+From 081ddf9d66155dbec8ec064d7671ba0799642fd6 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Tue, 21 Mar 2017 09:58:07 +0100
+Date: Mon, 27 Mar 2017 10:01:22 +0200
Subject: [PATCH 7/7] cirrus: fix off-by-one in
cirrus_bitblt_rop_bkwd_transp_*_16
MIME-Version: 1.0
@@ -8,13 +8,13 @@ Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Gerd Hoffmann <kraxel@redhat.com>
-Message-id: <1490090287-1503-8-git-send-email-kraxel@redhat.com>
-Patchwork-id: 74422
-O-Subject: [RHEL-7.4 qemu-kvm PATCH 7/7] cirrus: fix off-by-one in cirrus_bitblt_rop_bkwd_transp_*_16
-Bugzilla: 1430059
+Message-id: <1490608882-10242-8-git-send-email-kraxel@redhat.com>
+Patchwork-id: 74555
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v2 7/7] cirrus: fix off-by-one in cirrus_bitblt_rop_bkwd_transp_*_16
+Bugzilla: 1430060
RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
-RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
The switch from pointers to addresses (commit
026aeffcb4752054830ba203020ed6eb05bcaba8 and
diff --git a/SOURCES/kvm-cirrus-fix-oob-access-issue-CVE-2017-2615.patch b/SOURCES/kvm-cirrus-fix-oob-access-issue-CVE-2017-2615.patch
index 2e4cca6..01aecbd 100644
--- a/SOURCES/kvm-cirrus-fix-oob-access-issue-CVE-2017-2615.patch
+++ b/SOURCES/kvm-cirrus-fix-oob-access-issue-CVE-2017-2615.patch
@@ -1,13 +1,13 @@
-From 55c542cca671a5a130c44359c73d1e908353418e Mon Sep 17 00:00:00 2001
+From 2ff46c139a37bbe66732b9024daa771eff3e6c36 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Tue, 7 Feb 2017 10:07:52 +0100
-Subject: [PATCH 8/8] cirrus: fix oob access issue (CVE-2017-2615)
+Subject: [PATCH 09/11] cirrus: fix oob access issue (CVE-2017-2615)
RH-Author: Gerd Hoffmann <kraxel@redhat.com>
Message-id: <1486462072-32174-8-git-send-email-kraxel@redhat.com>
Patchwork-id: 73565
O-Subject: [RHEL-7.4 qemu-kvm PATCH 7/7] cirrus: fix oob access issue (CVE-2017-2615)
-Bugzilla: 1418232
+Bugzilla: 1418233
RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
diff --git a/SOURCES/kvm-cirrus-fix-patterncopy-checks.patch b/SOURCES/kvm-cirrus-fix-patterncopy-checks.patch
index 993204c..057c2b3 100644
--- a/SOURCES/kvm-cirrus-fix-patterncopy-checks.patch
+++ b/SOURCES/kvm-cirrus-fix-patterncopy-checks.patch
@@ -1,4 +1,4 @@
-From 46da39c9f9a9a72cf9e833d46ce10d785581ce63 Mon Sep 17 00:00:00 2001
+From 8ce7227f70248c7f4926124e16baab74c5689841 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Fri, 10 Feb 2017 08:30:13 +0100
Subject: [PATCH 1/3] cirrus: fix patterncopy checks
@@ -7,7 +7,7 @@ RH-Author: Gerd Hoffmann <kraxel@redhat.com>
Message-id: <1486715415-3462-2-git-send-email-kraxel@redhat.com>
Patchwork-id: 73775
O-Subject: [virt-devel] [RHEL-7.4 qemu-kvm PATCH 1/3] cirrus: fix patterncopy checks
-Bugzilla: 1420490
+Bugzilla: 1420492
CVE: CVE-2017-2620/20170221
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
diff --git a/SOURCES/kvm-cirrus-handle-negative-pitch-in-cirrus_invalidate_re.patch b/SOURCES/kvm-cirrus-handle-negative-pitch-in-cirrus_invalidate_re.patch
index 023cff5..cd87244 100644
--- a/SOURCES/kvm-cirrus-handle-negative-pitch-in-cirrus_invalidate_re.patch
+++ b/SOURCES/kvm-cirrus-handle-negative-pitch-in-cirrus_invalidate_re.patch
@@ -1,14 +1,14 @@
-From 1d7bdd730d1537f931a95897b14fdb6c5754ea2c Mon Sep 17 00:00:00 2001
+From 45023277a5822c89806eae1cc5f4d5f897e28fcd Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Tue, 7 Feb 2017 10:07:49 +0100
-Subject: [PATCH 5/8] cirrus: handle negative pitch in
+Subject: [PATCH 06/11] cirrus: handle negative pitch in
cirrus_invalidate_region()
RH-Author: Gerd Hoffmann <kraxel@redhat.com>
Message-id: <1486462072-32174-5-git-send-email-kraxel@redhat.com>
Patchwork-id: 73566
O-Subject: [RHEL-7.4 qemu-kvm PATCH 4/7] cirrus: handle negative pitch in cirrus_invalidate_region()
-Bugzilla: 1418232
+Bugzilla: 1418233
RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
diff --git a/SOURCES/kvm-cirrus-stop-passing-around-dst-pointers-in-the-blitt.patch b/SOURCES/kvm-cirrus-stop-passing-around-dst-pointers-in-the-blitt.patch
index 2425a76..35b9eb0 100644
--- a/SOURCES/kvm-cirrus-stop-passing-around-dst-pointers-in-the-blitt.patch
+++ b/SOURCES/kvm-cirrus-stop-passing-around-dst-pointers-in-the-blitt.patch
@@ -1,16 +1,16 @@
-From c4928f394f862c78024f4dccb6ea1398dc743c49 Mon Sep 17 00:00:00 2001
+From f0327afe876acff27221cdeead1aca0444364133 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Tue, 21 Mar 2017 09:58:05 +0100
+Date: Mon, 27 Mar 2017 10:01:20 +0200
Subject: [PATCH 5/7] cirrus: stop passing around dst pointers in the blitter
RH-Author: Gerd Hoffmann <kraxel@redhat.com>
-Message-id: <1490090287-1503-6-git-send-email-kraxel@redhat.com>
-Patchwork-id: 74421
-O-Subject: [RHEL-7.4 qemu-kvm PATCH 5/7] cirrus: stop passing around dst pointers in the blitter
-Bugzilla: 1430059
+Message-id: <1490608882-10242-6-git-send-email-kraxel@redhat.com>
+Patchwork-id: 74550
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v2 5/7] cirrus: stop passing around dst pointers in the blitter
+Bugzilla: 1430060
RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
-RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Instead pass around the address (aka offset into vga memory). Calculate
the pointer in the rop_* functions, after applying the mask to the
diff --git a/SOURCES/kvm-cirrus-stop-passing-around-src-pointers-in-the-blitt.patch b/SOURCES/kvm-cirrus-stop-passing-around-src-pointers-in-the-blitt.patch
index 29837cc..d3f34c1 100644
--- a/SOURCES/kvm-cirrus-stop-passing-around-src-pointers-in-the-blitt.patch
+++ b/SOURCES/kvm-cirrus-stop-passing-around-src-pointers-in-the-blitt.patch
@@ -1,16 +1,16 @@
-From d29af2a00b6126d2c3af535d128beeb80216c197 Mon Sep 17 00:00:00 2001
+From cc965429746aac94b7c37991f676dcd323ef212d Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Tue, 21 Mar 2017 09:58:06 +0100
+Date: Mon, 27 Mar 2017 10:01:21 +0200
Subject: [PATCH 6/7] cirrus: stop passing around src pointers in the blitter
RH-Author: Gerd Hoffmann <kraxel@redhat.com>
-Message-id: <1490090287-1503-7-git-send-email-kraxel@redhat.com>
-Patchwork-id: 74417
-O-Subject: [RHEL-7.4 qemu-kvm PATCH 6/7] cirrus: stop passing around src pointers in the blitter
-Bugzilla: 1430059
+Message-id: <1490608882-10242-7-git-send-email-kraxel@redhat.com>
+Patchwork-id: 74549
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v2 6/7] cirrus: stop passing around src pointers in the blitter
+Bugzilla: 1430060
RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
-RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Does basically the same as "cirrus: stop passing around dst pointers in
the blitter", just for the src pointer instead of the dst pointer.
diff --git a/SOURCES/kvm-cirrus-vnc-zap-bitblit-support-from-console-code.patch b/SOURCES/kvm-cirrus-vnc-zap-bitblit-support-from-console-code.patch
index 854e932..87006bf 100644
--- a/SOURCES/kvm-cirrus-vnc-zap-bitblit-support-from-console-code.patch
+++ b/SOURCES/kvm-cirrus-vnc-zap-bitblit-support-from-console-code.patch
@@ -1,16 +1,16 @@
-From de457fc23e747a0c622e0fd23e49893c1f1da460 Mon Sep 17 00:00:00 2001
+From 9bd81fb917c9ac22055e0dc7b3a89a22d5cfbfc1 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Tue, 21 Mar 2017 09:58:02 +0100
+Date: Mon, 27 Mar 2017 10:01:17 +0200
Subject: [PATCH 2/7] cirrus/vnc: zap bitblit support from console code.
RH-Author: Gerd Hoffmann <kraxel@redhat.com>
-Message-id: <1490090287-1503-3-git-send-email-kraxel@redhat.com>
-Patchwork-id: 74418
-O-Subject: [RHEL-7.4 qemu-kvm PATCH 2/7] cirrus/vnc: zap bitblit support from console code.
-Bugzilla: 1430059
+Message-id: <1490608882-10242-3-git-send-email-kraxel@redhat.com>
+Patchwork-id: 74554
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v2 2/7] cirrus/vnc: zap bitblit support from console code.
+Bugzilla: 1430060
RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
-RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
There is a special code path (dpy_gfx_copy) to allow graphic emulation
notify user interface code about bitblit operations carryed out by
@@ -51,11 +51,11 @@ Conflicts:
include/ui/console.h
ui/vnc.c
---
- hw/display/cirrus_vga.c | 12 ++-----
+ hw/display/cirrus_vga.c | 12 ++----
include/ui/console.h | 7 ----
- ui/console.c | 28 ---------------
- ui/vnc.c | 96 -------------------------------------------------
- 4 files changed, 3 insertions(+), 140 deletions(-)
+ ui/console.c | 28 --------------
+ ui/vnc.c | 99 -------------------------------------------------
+ 4 files changed, 3 insertions(+), 143 deletions(-)
diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
index 1b972db..83cef70 100644
@@ -165,7 +165,7 @@ index d422083..fb08ec0 100644
{
return console->surface;
diff --git a/ui/vnc.c b/ui/vnc.c
-index a0e2d33..c7a7853 100644
+index b68918e..1834db0 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -417,7 +417,6 @@ out_error:
@@ -176,7 +176,7 @@ index a0e2d33..c7a7853 100644
static void vnc_disconnect_start(VncState *vs);
static void vnc_colordepth(VncState *vs);
-@@ -721,93 +720,6 @@ int vnc_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
+@@ -728,96 +727,6 @@ int vnc_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
return n;
}
@@ -228,11 +228,12 @@ index a0e2d33..c7a7853 100644
- y = dst_y + h - 1;
- inc = -1;
- }
-- w_lim = w - (16 - (dst_x % 16));
-- if (w_lim < 0)
+- w_lim = w - (VNC_DIRTY_PIXELS_PER_BIT - (dst_x % VNC_DIRTY_PIXELS_PER_BIT));
+- if (w_lim < 0) {
- w_lim = w;
-- else
-- w_lim = w - (w_lim % 16);
+- } else {
+- w_lim = w - (w_lim % VNC_DIRTY_PIXELS_PER_BIT);
+- }
- for (i = 0; i < h; i++) {
- for (x = 0; x <= w_lim;
- x += s, src_row += cmp_bytes, dst_row += cmp_bytes) {
@@ -240,10 +241,11 @@ index a0e2d33..c7a7853 100644
- if ((s = w - w_lim) == 0)
- break;
- } else if (!x) {
-- s = (16 - (dst_x % 16));
+- s = (VNC_DIRTY_PIXELS_PER_BIT -
+- (dst_x % VNC_DIRTY_PIXELS_PER_BIT));
- s = MIN(s, w_lim);
- } else {
-- s = 16;
+- s = VNC_DIRTY_PIXELS_PER_BIT;
- }
- cmp_bytes = s * VNC_SERVER_FB_BYTES;
- if (memcmp(src_row, dst_row, cmp_bytes) == 0)
@@ -251,7 +253,8 @@ index a0e2d33..c7a7853 100644
- memmove(dst_row, src_row, cmp_bytes);
- QTAILQ_FOREACH(vs, &vd->clients, next) {
- if (!vnc_has_feature(vs, VNC_FEATURE_COPYRECT)) {
-- set_bit(((x + dst_x) / 16), vs->dirty[y]);
+- set_bit(((x + dst_x) / VNC_DIRTY_PIXELS_PER_BIT),
+- vs->dirty[y]);
- }
- }
- }
@@ -270,7 +273,7 @@ index a0e2d33..c7a7853 100644
static void vnc_mouse_set(DisplayChangeListener *dcl,
int x, int y, int visible)
{
-@@ -873,13 +785,6 @@ static int find_and_clear_dirty_height(struct VncState *vs,
+@@ -883,13 +792,6 @@ static int find_and_clear_dirty_height(struct VncState *vs,
return h;
}
@@ -284,7 +287,7 @@ index a0e2d33..c7a7853 100644
static int vnc_update_client(VncState *vs, int has_dirty)
{
if (vs->need_update && vs->csock != -1) {
-@@ -2912,7 +2817,6 @@ static void vnc_listen_websocket_read(void *opaque)
+@@ -2936,7 +2838,6 @@ static void vnc_listen_websocket_read(void *opaque)
static const DisplayChangeListenerOps dcl_ops = {
.dpy_name = "vnc",
.dpy_refresh = vnc_refresh,
diff --git a/SOURCES/kvm-cirrus_vga-fix-off-by-one-in-blit_region_is_unsafe.patch b/SOURCES/kvm-cirrus_vga-fix-off-by-one-in-blit_region_is_unsafe.patch
index 5b0accf..fb66656 100644
--- a/SOURCES/kvm-cirrus_vga-fix-off-by-one-in-blit_region_is_unsafe.patch
+++ b/SOURCES/kvm-cirrus_vga-fix-off-by-one-in-blit_region_is_unsafe.patch
@@ -1,13 +1,13 @@
-From 900ccf5cf6497234e1d3b1e80f4dfa8a60bcfb06 Mon Sep 17 00:00:00 2001
+From 8d230a5a57512c84545bd6345775e69b4b3b1983 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Tue, 7 Feb 2017 10:07:46 +0100
-Subject: [PATCH 2/8] cirrus_vga: fix off-by-one in blit_region_is_unsafe
+Subject: [PATCH 03/11] cirrus_vga: fix off-by-one in blit_region_is_unsafe
RH-Author: Gerd Hoffmann <kraxel@redhat.com>
Message-id: <1486462072-32174-2-git-send-email-kraxel@redhat.com>
Patchwork-id: 73564
O-Subject: [RHEL-7.4 qemu-kvm PATCH 1/7] cirrus_vga: fix off-by-one in blit_region_is_unsafe
-Bugzilla: 1418232
+Bugzilla: 1418233
RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
diff --git a/SOURCES/kvm-display-cirrus-check-vga-bits-per-pixel-bpp-value.patch b/SOURCES/kvm-display-cirrus-check-vga-bits-per-pixel-bpp-value.patch
index 569f78a..e3cbced 100644
--- a/SOURCES/kvm-display-cirrus-check-vga-bits-per-pixel-bpp-value.patch
+++ b/SOURCES/kvm-display-cirrus-check-vga-bits-per-pixel-bpp-value.patch
@@ -1,13 +1,13 @@
-From e0ec8bdaf64a147c83334ae6f59e279c4560d01b Mon Sep 17 00:00:00 2001
+From 4394f52159cec32cded60ec8f86cd4b92a85bfe5 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Tue, 7 Feb 2017 10:07:47 +0100
-Subject: [PATCH 3/8] display: cirrus: check vga bits per pixel(bpp) value
+Subject: [PATCH 04/11] display: cirrus: check vga bits per pixel(bpp) value
RH-Author: Gerd Hoffmann <kraxel@redhat.com>
Message-id: <1486462072-32174-3-git-send-email-kraxel@redhat.com>
Patchwork-id: 73568
O-Subject: [RHEL-7.4 qemu-kvm PATCH 2/7] display: cirrus: check vga bits per pixel(bpp) value
-Bugzilla: 1418232
+Bugzilla: 1418233
RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
diff --git a/SOURCES/kvm-display-cirrus-ignore-source-pitch-value-as-needed-i.patch b/SOURCES/kvm-display-cirrus-ignore-source-pitch-value-as-needed-i.patch
index eeaf45f..a61d958 100644
--- a/SOURCES/kvm-display-cirrus-ignore-source-pitch-value-as-needed-i.patch
+++ b/SOURCES/kvm-display-cirrus-ignore-source-pitch-value-as-needed-i.patch
@@ -1,14 +1,14 @@
-From 3178cae91f9fc3ddd025f1daa415b74ed387b6ca Mon Sep 17 00:00:00 2001
+From 23ae0a2bec72997626c3ba834f036b9a3626eedc Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Tue, 7 Feb 2017 10:07:48 +0100
-Subject: [PATCH 4/8] display: cirrus: ignore source pitch value as needed in
+Subject: [PATCH 05/11] display: cirrus: ignore source pitch value as needed in
blit_is_unsafe
RH-Author: Gerd Hoffmann <kraxel@redhat.com>
Message-id: <1486462072-32174-4-git-send-email-kraxel@redhat.com>
Patchwork-id: 73563
O-Subject: [RHEL-7.4 qemu-kvm PATCH 3/7] display: cirrus: ignore source pitch value as needed in blit_is_unsafe
-Bugzilla: 1418232
+Bugzilla: 1418233
RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
diff --git a/SOURCES/kvm-fix-cirrus_vga-fix-OOB-read-case-qemu-Segmentation-f.patch b/SOURCES/kvm-fix-cirrus_vga-fix-OOB-read-case-qemu-Segmentation-f.patch
index a8641a6..7c32197 100644
--- a/SOURCES/kvm-fix-cirrus_vga-fix-OOB-read-case-qemu-Segmentation-f.patch
+++ b/SOURCES/kvm-fix-cirrus_vga-fix-OOB-read-case-qemu-Segmentation-f.patch
@@ -1,16 +1,16 @@
-From d27fae125c1efd59ba3263260d41f8e054b070a2 Mon Sep 17 00:00:00 2001
+From f9b9adc4b66f991e655f51f2ef67dac46f6bd7d4 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Tue, 21 Mar 2017 09:58:01 +0100
+Date: Mon, 27 Mar 2017 10:01:16 +0200
Subject: [PATCH 1/7] fix :cirrus_vga fix OOB read case qemu Segmentation fault
RH-Author: Gerd Hoffmann <kraxel@redhat.com>
-Message-id: <1490090287-1503-2-git-send-email-kraxel@redhat.com>
-Patchwork-id: 74419
-O-Subject: [RHEL-7.4 qemu-kvm PATCH 1/7] fix :cirrus_vga fix OOB read case qemu Segmentation fault
-Bugzilla: 1430059
+Message-id: <1490608882-10242-2-git-send-email-kraxel@redhat.com>
+Patchwork-id: 74553
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v2 1/7] fix :cirrus_vga fix OOB read case qemu Segmentation fault
+Bugzilla: 1430060
RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
-RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
From: hangaohuai <hangaohuai@huawei.com>
diff --git a/SOURCES/kvm-gluster-Correctly-propagate-errors-when-volume-isn-t.patch b/SOURCES/kvm-gluster-Correctly-propagate-errors-when-volume-isn-t.patch
new file mode 100644
index 0000000..92eeffb
--- /dev/null
+++ b/SOURCES/kvm-gluster-Correctly-propagate-errors-when-volume-isn-t.patch
@@ -0,0 +1,75 @@
+From 22e47c104ff73885357a0be7b94270f3955427ea Mon Sep 17 00:00:00 2001
+From: Jeffrey Cody <jcody@redhat.com>
+Date: Tue, 17 Jan 2017 19:51:31 +0100
+Subject: [PATCH 2/3] gluster: Correctly propagate errors when volume isn't
+ accessible
+
+RH-Author: Jeffrey Cody <jcody@redhat.com>
+Message-id: <963a714d4eae919df79e2031e02c77af5a8697e2.1484682588.git.jcody@redhat.com>
+Patchwork-id: 73256
+O-Subject: [RHEL-7.4 qemu-kvm 2/3] gluster: Correctly propagate errors when volume isn't accessible
+Bugzilla: 1151859
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Fam Zheng <famz@redhat.com>
+RH-Acked-by: Thomas Huth <thuth@redhat.com>
+
+From: Peter Krempa <pkrempa@redhat.com>
+
+The docs for glfs_init suggest that the function sets errno on every
+failure. In fact it doesn't. As other functions such as
+qemu_gluster_open() in the gluster block code report their errors based
+on this fact we need to make sure that errno is set on each failure.
+
+This fixes a crash of qemu-img/qemu when a gluster brick isn't
+accessible from given host while the server serving the volume
+description is.
+
+Thread 1 (Thread 0x7ffff7fba740 (LWP 203880)):
+ #0 0x00007ffff77673f8 in glfs_lseek () from /usr/lib64/libgfapi.so.0
+ #1 0x0000555555574a68 in qemu_gluster_getlength ()
+ #2 0x0000555555565742 in refresh_total_sectors ()
+ #3 0x000055555556914f in bdrv_open_common ()
+ #4 0x000055555556e8e8 in bdrv_open ()
+ #5 0x000055555556f02f in bdrv_open_image ()
+ #6 0x000055555556e5f6 in bdrv_open ()
+ #7 0x00005555555c5775 in bdrv_new_open ()
+ #8 0x00005555555c5b91 in img_info ()
+ #9 0x00007ffff62c9c05 in __libc_start_main () from /lib64/libc.so.6
+ #10 0x00005555555648ad in _start ()
+
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+(cherry picked from commit 4557117d9eed8cadc360aec23b42fc39a7011864)
+Signed-off-by: Jeff Cody <jcody@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ block/gluster.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/block/gluster.c b/block/gluster.c
+index 248a031..5266dce 100644
+--- a/block/gluster.c
++++ b/block/gluster.c
+@@ -224,6 +224,11 @@ static struct glfs *qemu_gluster_init(GlusterConf *gconf, const char *filename,
+ "volume=%s image=%s transport=%s", gconf->server,
+ gconf->port, gconf->volname, gconf->image,
+ gconf->transport);
++
++ /* glfs_init sometimes doesn't set errno although docs suggest that */
++ if (errno == 0)
++ errno = EINVAL;
++
+ goto out;
+ }
+ return glfs;
+@@ -484,7 +489,7 @@ static int qemu_gluster_create(const char *filename,
+
+ glfs = qemu_gluster_init(gconf, filename, errp);
+ if (!glfs) {
+- ret = -EINVAL;
++ ret = -errno;
+ goto out;
+ }
+
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-gluster-correctly-propagate-errors.patch b/SOURCES/kvm-gluster-correctly-propagate-errors.patch
new file mode 100644
index 0000000..0ab585f
--- /dev/null
+++ b/SOURCES/kvm-gluster-correctly-propagate-errors.patch
@@ -0,0 +1,111 @@
+From 582eb6c9eef89809283e8d79b3f39e1ae9eeb64a Mon Sep 17 00:00:00 2001
+From: Jeffrey Cody <jcody@redhat.com>
+Date: Tue, 17 Jan 2017 19:51:30 +0100
+Subject: [PATCH 1/3] gluster: correctly propagate errors
+
+RH-Author: Jeffrey Cody <jcody@redhat.com>
+Message-id: <9299039bbb1797e4e61cdc8b4be062efeb152abb.1484682588.git.jcody@redhat.com>
+Patchwork-id: 73254
+O-Subject: [RHEL-7.4 qemu-kvm 1/3] gluster: correctly propagate errors
+Bugzilla: 1151859
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Fam Zheng <famz@redhat.com>
+RH-Acked-by: Thomas Huth <thuth@redhat.com>
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Reviewed-by: Fam Zheng <famz@redhat.com>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+(cherry picked from commit a7451cb850d115f257080aff3fbc54f255ebf8f7)
+Signed-off-by: Jeff Cody <jcody@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ block/gluster.c | 29 +++++++++++++++--------------
+ 1 file changed, 15 insertions(+), 14 deletions(-)
+
+diff --git a/block/gluster.c b/block/gluster.c
+index 1793386..248a031 100644
+--- a/block/gluster.c
++++ b/block/gluster.c
+@@ -182,7 +182,8 @@ out:
+ return ret;
+ }
+
+-static struct glfs *qemu_gluster_init(GlusterConf *gconf, const char *filename)
++static struct glfs *qemu_gluster_init(GlusterConf *gconf, const char *filename,
++ Error **errp)
+ {
+ struct glfs *glfs = NULL;
+ int ret;
+@@ -190,8 +191,8 @@ static struct glfs *qemu_gluster_init(GlusterConf *gconf, const char *filename)
+
+ ret = qemu_gluster_parseuri(gconf, filename);
+ if (ret < 0) {
+- error_report("Usage: file=gluster[+transport]://[server[:port]]/"
+- "volname/image[?socket=...]");
++ error_setg(errp, "Usage: file=gluster[+transport]://[server[:port]]/"
++ "volname/image[?socket=...]");
+ errno = -ret;
+ goto out;
+ }
+@@ -218,9 +219,11 @@ static struct glfs *qemu_gluster_init(GlusterConf *gconf, const char *filename)
+
+ ret = glfs_init(glfs);
+ if (ret) {
+- error_report("Gluster connection failed for server=%s port=%d "
+- "volume=%s image=%s transport=%s", gconf->server, gconf->port,
+- gconf->volname, gconf->image, gconf->transport);
++ error_setg_errno(errp, errno,
++ "Gluster connection failed for server=%s port=%d "
++ "volume=%s image=%s transport=%s", gconf->server,
++ gconf->port, gconf->volname, gconf->image,
++ gconf->transport);
+ goto out;
+ }
+ return glfs;
+@@ -328,17 +331,15 @@ static int qemu_gluster_open(BlockDriverState *bs, QDict *options,
+
+ opts = qemu_opts_create_nofail(&runtime_opts);
+ qemu_opts_absorb_qdict(opts, options, &local_err);
+- if (error_is_set(&local_err)) {
+- qerror_report_err(local_err);
+- error_free(local_err);
++ if (local_err) {
++ error_propagate(errp, local_err);
+ ret = -EINVAL;
+ goto out;
+ }
+
+ filename = qemu_opt_get(opts, "filename");
+
+-
+- s->glfs = qemu_gluster_init(gconf, filename);
++ s->glfs = qemu_gluster_init(gconf, filename, errp);
+ if (!s->glfs) {
+ ret = -errno;
+ goto out;
+@@ -406,7 +407,7 @@ static int qemu_gluster_reopen_prepare(BDRVReopenState *state,
+
+ gconf = g_malloc0(sizeof(GlusterConf));
+
+- reop_s->glfs = qemu_gluster_init(gconf, state->bs->filename);
++ reop_s->glfs = qemu_gluster_init(gconf, state->bs->filename, errp);
+ if (reop_s->glfs == NULL) {
+ ret = -errno;
+ goto exit;
+@@ -481,9 +482,9 @@ static int qemu_gluster_create(const char *filename,
+ int64_t total_size = 0;
+ GlusterConf *gconf = g_malloc0(sizeof(GlusterConf));
+
+- glfs = qemu_gluster_init(gconf, filename);
++ glfs = qemu_gluster_init(gconf, filename, errp);
+ if (!glfs) {
+- ret = -errno;
++ ret = -EINVAL;
+ goto out;
+ }
+
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-hw-i386-regenerate-checked-in-AML-payload-RHEL-only.patch b/SOURCES/kvm-hw-i386-regenerate-checked-in-AML-payload-RHEL-only.patch
index d60e538..e591156 100644
--- a/SOURCES/kvm-hw-i386-regenerate-checked-in-AML-payload-RHEL-only.patch
+++ b/SOURCES/kvm-hw-i386-regenerate-checked-in-AML-payload-RHEL-only.patch
@@ -1,13 +1,13 @@
-From 4f55d2d2f6efdce59440b57726f09578b8692158 Mon Sep 17 00:00:00 2001
+From 436e7a406724efa98d05d4c32cae027f31a66033 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
-Date: Fri, 23 Sep 2016 14:39:35 +0200
-Subject: [PATCH 2/3] hw/i386: regenerate checked-in AML payload (RHEL only)
+Date: Fri, 23 Sep 2016 14:39:35 -0300
+Subject: [PATCH 1/2] hw/i386: regenerate checked-in AML payload (RHEL only)
RH-Author: Laszlo Ersek <lersek@redhat.com>
Message-id: <20160923143936.25594-2-lersek@redhat.com>
Patchwork-id: 72414
O-Subject: [RHEL-7.3 qemu-kvm PATCH 1/2] hw/i386: regenerate checked-in AML payload (RHEL only)
-Bugzilla: 1392027
+Bugzilla: 1377087
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
RH-Acked-by: Michael S. Tsirkin <mst@redhat.com>
RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
@@ -24,7 +24,7 @@ switch the build to them. I actually verified this in a RHEL-7 guest, with
remained identical across this change.
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
-Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
---
hw/i386/acpi-dsdt.hex.generated | 8 ++++----
hw/i386/q35-acpi-dsdt.hex.generated | 8 ++++----
diff --git a/SOURCES/kvm-i386-kvmvapic-initialise-imm32-variable.patch b/SOURCES/kvm-i386-kvmvapic-initialise-imm32-variable.patch
new file mode 100644
index 0000000..f8919b6
--- /dev/null
+++ b/SOURCES/kvm-i386-kvmvapic-initialise-imm32-variable.patch
@@ -0,0 +1,46 @@
+From edb9059eb8f42f892d67df324eeb0098c05d1f4a Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Tue, 28 Feb 2017 12:07:54 +0100
+Subject: [PATCH 09/24] i386: kvmvapic: initialise imm32 variable
+
+RH-Author: Paolo Bonzini <pbonzini@redhat.com>
+Message-id: <20170228120754.16073-1-pbonzini@redhat.com>
+Patchwork-id: 74089
+O-Subject: [RHEL7.4 qemu-kvm PATCH] i386: kvmvapic: initialise imm32 variable
+Bugzilla: 1335751
+RH-Acked-by: David Hildenbrand <david@redhat.com>
+RH-Acked-by: Thomas Huth <thuth@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+When processing Task Priorty Register(TPR) access, it could leak
+automatic stack variable 'imm32' in patch_instruction().
+Initialise the variable to avoid it.
+
+Reported by: Donghai Zdh <donghai.zdh@alibaba-inc.com>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-Id: <1460013608-16670-1-git-send-email-ppandit@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 691a02e2ce0c413236a78dee6f2651c937b09fb0)
+
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ hw/i386/kvmvapic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/i386/kvmvapic.c b/hw/i386/kvmvapic.c
+index 577ae64..a5dd9dd 100644
+--- a/hw/i386/kvmvapic.c
++++ b/hw/i386/kvmvapic.c
+@@ -390,7 +390,7 @@ static void patch_instruction(VAPICROMState *s, X86CPU *cpu, target_ulong ip)
+ CPUX86State *env = &cpu->env;
+ VAPICHandlers *handlers;
+ uint8_t opcode[2];
+- uint32_t imm32;
++ uint32_t imm32 = 0;
+ target_ulong current_pc = 0;
+ target_ulong current_cs_base = 0;
+ int current_flags = 0;
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-ide-fix-halted-IO-segfault-at-reset.patch b/SOURCES/kvm-ide-fix-halted-IO-segfault-at-reset.patch
index b558bdf..1fe27a1 100644
--- a/SOURCES/kvm-ide-fix-halted-IO-segfault-at-reset.patch
+++ b/SOURCES/kvm-ide-fix-halted-IO-segfault-at-reset.patch
@@ -1,15 +1,15 @@
-From 4d3c9646213bdf992af4e28eaf0d57610eb79fec Mon Sep 17 00:00:00 2001
+From 4fbb16d71e7e9a893c665926642122b165c63425 Mon Sep 17 00:00:00 2001
From: John Snow <jsnow@redhat.com>
-Date: Thu, 29 Sep 2016 00:02:14 +0200
-Subject: [PATCH 1/3] ide: fix halted IO segfault at reset
+Date: Wed, 26 Apr 2017 23:49:07 +0200
+Subject: [PATCH] ide: fix halted IO segfault at reset
RH-Author: John Snow <jsnow@redhat.com>
-Message-id: <1475107334-14972-2-git-send-email-jsnow@redhat.com>
-Patchwork-id: 72436
-O-Subject: [RHEL-7.3.z qemu-kvm PATCH 1/1] ide: fix halted IO segfault at reset
-Bugzilla: 1393042
-RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+Message-id: <20170426234907.21151-2-jsnow@redhat.com>
+Patchwork-id: 74905
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v2 1/1] ide: fix halted IO segfault at reset
+Bugzilla: 1299875
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Acked-by: Markus Armbruster <armbru@redhat.com>
If one attempts to perform a system_reset after a failed IO request
diff --git a/SOURCES/kvm-iotests-Filter-for-Killed-in-qemu-io-output.patch b/SOURCES/kvm-iotests-Filter-for-Killed-in-qemu-io-output.patch
new file mode 100644
index 0000000..ab7ff1e
--- /dev/null
+++ b/SOURCES/kvm-iotests-Filter-for-Killed-in-qemu-io-output.patch
@@ -0,0 +1,44 @@
+From 27158eec51a5a443d9ae9a7b565b40b749f6f41b Mon Sep 17 00:00:00 2001
+From: Max Reitz <mreitz@redhat.com>
+Date: Mon, 13 Mar 2017 17:46:45 +0100
+Subject: [PATCH 14/24] iotests: Filter for "Killed" in qemu-io output
+
+RH-Author: Max Reitz <mreitz@redhat.com>
+Message-id: <20170313174649.28932-1-mreitz@redhat.com>
+Patchwork-id: 74276
+O-Subject: [RHEL-7.4 qemu-kvm PATCH 5/9] iotests: Filter for "Killed" in qemu-io output
+Bugzilla: 1427176
+RH-Acked-by: Fam Zheng <famz@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
+
+_filter_qemu_io already filters out the process ID when qemu-io is
+aborted; the same should be done when it is killed.
+
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+Reviewed-by: Fam Zheng <famz@redhat.com>
+Message-id: 1418032092-16813-3-git-send-email-mreitz@redhat.com
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+(cherry picked from commit 9e0c3e8df5d1b12517d587d60b2fe587ea252ebe)
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ tests/qemu-iotests/common.filter | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/qemu-iotests/common.filter b/tests/qemu-iotests/common.filter
+index dcd246d..041e001 100644
+--- a/tests/qemu-iotests/common.filter
++++ b/tests/qemu-iotests/common.filter
+@@ -150,7 +150,7 @@ _filter_win32()
+ _filter_qemu_io()
+ {
+ _filter_win32 | sed -e "s/[0-9]* ops\; [0-9/:. sec]* ([0-9/.inf]* [EPTGMKiBbytes]*\/sec and [0-9/.inf]* ops\/sec)/X ops\; XX:XX:XX.X (XXX YYY\/sec and XXX ops\/sec)/" \
+- -e "s/: line [0-9][0-9]*: *[0-9][0-9]*\( Aborted\)/:\1/" \
++ -e "s/: line [0-9][0-9]*: *[0-9][0-9]*\( Aborted\| Killed\)/:\1/" \
+ -e "s/qemu-io> //g"
+ }
+
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-iotests-Fix-test-039.patch b/SOURCES/kvm-iotests-Fix-test-039.patch
new file mode 100644
index 0000000..4dc4c38
--- /dev/null
+++ b/SOURCES/kvm-iotests-Fix-test-039.patch
@@ -0,0 +1,116 @@
+From 5eef8556fa85c070a242f93b675e7fb8e24a2fa0 Mon Sep 17 00:00:00 2001
+From: Max Reitz <mreitz@redhat.com>
+Date: Mon, 13 Mar 2017 17:46:56 +0100
+Subject: [PATCH 15/24] iotests: Fix test 039
+
+RH-Author: Max Reitz <mreitz@redhat.com>
+Message-id: <20170313174659.29164-1-mreitz@redhat.com>
+Patchwork-id: 74277
+O-Subject: [RHEL-7.4 qemu-kvm PATCH 6/9] iotests: Fix test 039
+Bugzilla: 1427176
+RH-Acked-by: Fam Zheng <famz@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
+
+Test 039 used qemu-io -c abort for simulating a qemu crash; however,
+abort() generally results in a core dump and ulimit -c 0 is no reliable
+way of preventing that. Use "sigraise $(kill -l KILL)" instead to have
+it crash without a core dump.
+
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+Reviewed-by: Fam Zheng <famz@redhat.com>
+Message-id: 1418032092-16813-4-git-send-email-mreitz@redhat.com
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+(cherry picked from commit 3f394472c5bca59de5cab9baafdff1984b0213a3)
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ tests/qemu-iotests/039 | 18 +++++++++++++-----
+ tests/qemu-iotests/039.out | 6 +++---
+ 2 files changed, 16 insertions(+), 8 deletions(-)
+
+diff --git a/tests/qemu-iotests/039 b/tests/qemu-iotests/039
+index 1e50651..ac85476 100755
+--- a/tests/qemu-iotests/039
++++ b/tests/qemu-iotests/039
+@@ -46,9 +46,11 @@ _supported_proto generic
+ _supported_os Linux
+ _unsupported_qemu_io_options --nocache
+
+-_no_dump_exec()
++_subshell_exec()
+ {
+- (ulimit -c 0; exec "$@")
++ # Executing crashing commands in a subshell prevents information like the
++ # "Killed" line from being lost
++ (exec "$@")
+ }
+
+ size=128M
+@@ -71,7 +73,9 @@ echo "== Creating a dirty image file =="
+ IMGOPTS="compat=1.1,lazy_refcounts=on"
+ _make_test_img $size
+
+-_no_dump_exec $QEMU_IO -c "write -P 0x5a 0 512" -c "abort" "$TEST_IMG" 2>&1 | _filter_qemu_io
++_subshell_exec $QEMU_IO -c "write -P 0x5a 0 512" \
++ -c "sigraise $(kill -l KILL)" "$TEST_IMG" 2>&1 \
++ | _filter_qemu_io
+
+ # The dirty bit must be set
+ ./qcow2.py "$TEST_IMG" dump-header | grep incompatible_features
+@@ -104,7 +108,9 @@ echo "== Opening a dirty image read/write should repair it =="
+ IMGOPTS="compat=1.1,lazy_refcounts=on"
+ _make_test_img $size
+
+-_no_dump_exec $QEMU_IO -c "write -P 0x5a 0 512" -c "abort" "$TEST_IMG" 2>&1 | _filter_qemu_io
++_subshell_exec $QEMU_IO -c "write -P 0x5a 0 512" \
++ -c "sigraise $(kill -l KILL)" "$TEST_IMG" 2>&1 \
++ | _filter_qemu_io
+
+ # The dirty bit must be set
+ ./qcow2.py "$TEST_IMG" dump-header | grep incompatible_features
+@@ -120,7 +126,9 @@ echo "== Creating an image file with lazy_refcounts=off =="
+ IMGOPTS="compat=1.1,lazy_refcounts=off"
+ _make_test_img $size
+
+-_no_dump_exec $QEMU_IO -c "write -P 0x5a 0 512" -c "abort" "$TEST_IMG" 2>&1 | _filter_qemu_io
++_subshell_exec $QEMU_IO -c "write -P 0x5a 0 512" \
++ -c "sigraise $(kill -l KILL)" "$TEST_IMG" 2>&1 \
++ | _filter_qemu_io
+
+ # The dirty bit must not be set since lazy_refcounts=off
+ ./qcow2.py "$TEST_IMG" dump-header | grep incompatible_features
+diff --git a/tests/qemu-iotests/039.out b/tests/qemu-iotests/039.out
+index af62da1..f3fe58b 100644
+--- a/tests/qemu-iotests/039.out
++++ b/tests/qemu-iotests/039.out
+@@ -11,7 +11,7 @@ No errors were found on the image.
+ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=134217728
+ wrote 512/512 bytes at offset 0
+ 512 bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
+-./039: Aborted ( ulimit -c 0; exec "$@" )
++./039: Killed ( exec "$@" )
+ incompatible_features 0x1
+ ERROR cluster 5 refcount=0 reference=1
+ ERROR OFLAG_COPIED data cluster: l2_entry=8000000000050000 refcount=0
+@@ -46,7 +46,7 @@ read 512/512 bytes at offset 0
+ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=134217728
+ wrote 512/512 bytes at offset 0
+ 512 bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
+-./039: Aborted ( ulimit -c 0; exec "$@" )
++./039: Killed ( exec "$@" )
+ incompatible_features 0x1
+ ERROR cluster 5 refcount=0 reference=1
+ Rebuilding refcount structure
+@@ -60,7 +60,7 @@ incompatible_features 0x0
+ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=134217728
+ wrote 512/512 bytes at offset 0
+ 512 bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
+-./039: Aborted ( ulimit -c 0; exec "$@" )
++./039: Killed ( exec "$@" )
+ incompatible_features 0x0
+ No errors were found on the image.
+ *** done
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-memory-Allow-access-only-upto-the-maximum-alignment-.patch b/SOURCES/kvm-memory-Allow-access-only-upto-the-maximum-alignment-.patch
new file mode 100644
index 0000000..0f4df3e
--- /dev/null
+++ b/SOURCES/kvm-memory-Allow-access-only-upto-the-maximum-alignment-.patch
@@ -0,0 +1,169 @@
+From 2ee2492513f9685cb716dc1cb4cf5b580da43e07 Mon Sep 17 00:00:00 2001
+From: Bandan Das <bsd@redhat.com>
+Date: Wed, 25 Jan 2017 03:36:07 +0100
+Subject: [PATCH 01/11] memory: Allow access only upto the maximum alignment
+ for memory_region_* functions
+
+RH-Author: Bandan Das <bsd@redhat.com>
+Message-id: <jpgefzrn74o.fsf@linux.bootlegged.copy>
+Patchwork-id: 73367
+O-Subject: [RHEL-7.4 qemu-kvm PATCH] memory: Allow access only upto the maximum alignment for memory_region_* functions
+Bugzilla: 1342768
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1342768
+Brew: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=12437870
+Upstream: N/A, upstream doesn't exhibit this behavior
+
+Currently, there is no check in memory_region_iorange_* functions for whether
+the size requested is greater than the maximum alignment. This causes
+an abort with a specific version of the Linux kernel (4.7.0-RC1):
+/usr/libexec/qemu-kvm -kernel ~/vmlinuz-4.7.0-rc1 --enable-kvm -m 1G -vnc :2 -monitor stdio
+
+0 0x00007fb057cb65f7 in raise () from /lib64/libc.so.6
+1 0x00007fb057cb7ce8 in abort () from /lib64/libc.so.6
+2 0x00007fb05eca5537 in acpi_gpe_ioport_readb ()
+3 0x00007fb05eca5ff0 in gpe_readb ()
+4 0x00007fb05ede6f4c in memory_region_read_accessor ()
+5 0x00007fb05ede6993 in access_with_adjusted_size ()
+6 0x00007fb05ede7ce8 in memory_region_iorange_read ()
+7 0x00007fb05ede2ac7 in ioport_readl_thunk ()
+8 0x00007fb05ede3141 in cpu_inl ()
+9 0x00007fb05ede5c49 in kvm_cpu_exec ()
+10 0x00007fb05ed98485 in qemu_kvm_cpu_thread_fn ()
+11 0x00007fb05bcc9dc5 in start_thread () from /lib64/libpthread.so.0
+12 0x00007fb057d77ced in clone () from /lib64/libc.so.6
+
+This happens because guest code tries to read(l=4) from 0xafe2
+with GPE base being 0xafe0 which causes the abort in
+acpi_gpe_ioport_get_ptr() to trigger. This change adds a
+memory_access_size() which is similar to the one in upstream that
+forces size to be equal to the maximum alignment if it's greater.
+It also keeps the other checks present in upstream for safety and
+is called from the memory_region_read/write functions before
+calling the call specific access functions.
+
+Signed-off-by: Bandan Das <bsd@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ memory.c | 44 ++++++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 40 insertions(+), 4 deletions(-)
+
+diff --git a/memory.c b/memory.c
+index 7bd6e87..573ecdd 100644
+--- a/memory.c
++++ b/memory.c
+@@ -381,6 +381,33 @@ static const MemoryRegionPortio *find_portio(MemoryRegion *mr, uint64_t offset,
+ return NULL;
+ }
+
++static int memory_access_size(MemoryRegion *mr, unsigned l, hwaddr addr)
++{
++ unsigned access_size_max = mr->ops->valid.max_access_size;
++
++ /* Regions are assumed to support 1-4 byte accesses unless
++ otherwise specified. */
++ if (access_size_max == 0) {
++ access_size_max = 4;
++ }
++
++ /* Bound the maximum access by the alignment of the address. */
++ if (!mr->ops->impl.unaligned) {
++ unsigned align_size_max = addr & -addr;
++ if (align_size_max != 0 && align_size_max < access_size_max) {
++ access_size_max = align_size_max;
++ }
++ }
++
++ /* Don't attempt accesses larger than the maximum. */
++ if (l > access_size_max) {
++ l = access_size_max;
++ }
++ l = pow2floor(l);
++
++ return l;
++}
++
+ static void memory_region_iorange_read(IORange *iorange,
+ uint64_t offset,
+ unsigned width,
+@@ -389,6 +416,7 @@ static void memory_region_iorange_read(IORange *iorange,
+ MemoryRegionIORange *mrio
+ = container_of(iorange, MemoryRegionIORange, iorange);
+ MemoryRegion *mr = mrio->mr;
++ unsigned l;
+
+ offset += mrio->offset;
+ if (mr->ops->old_portio) {
+@@ -407,7 +435,8 @@ static void memory_region_iorange_read(IORange *iorange,
+ return;
+ }
+ *data = 0;
+- access_with_adjusted_size(offset, data, width,
++ l = memory_access_size(mr, width, offset);
++ access_with_adjusted_size(offset, data, l,
+ mr->ops->impl.min_access_size,
+ mr->ops->impl.max_access_size,
+ memory_region_read_accessor, mr);
+@@ -421,6 +450,7 @@ static void memory_region_iorange_write(IORange *iorange,
+ MemoryRegionIORange *mrio
+ = container_of(iorange, MemoryRegionIORange, iorange);
+ MemoryRegion *mr = mrio->mr;
++ unsigned l;
+
+ offset += mrio->offset;
+ if (mr->ops->old_portio) {
+@@ -437,7 +467,8 @@ static void memory_region_iorange_write(IORange *iorange,
+ }
+ return;
+ }
+- access_with_adjusted_size(offset, &data, width,
++ l = memory_access_size(mr, width, offset);
++ access_with_adjusted_size(offset, &data, l,
+ mr->ops->impl.min_access_size,
+ mr->ops->impl.max_access_size,
+ memory_region_write_accessor, mr);
+@@ -850,6 +881,7 @@ static uint64_t memory_region_dispatch_read1(MemoryRegion *mr,
+ unsigned size)
+ {
+ uint64_t data = 0;
++ unsigned l;
+
+ if (!memory_region_access_valid(mr, addr, size, false)) {
+ return -1U; /* FIXME: better signalling */
+@@ -859,8 +891,9 @@ static uint64_t memory_region_dispatch_read1(MemoryRegion *mr,
+ return mr->ops->old_mmio.read[ctz32(size)](mr->opaque, addr);
+ }
+
++ l = memory_access_size(mr, size, addr);
+ /* FIXME: support unaligned access */
+- access_with_adjusted_size(addr, &data, size,
++ access_with_adjusted_size(addr, &data, l,
+ mr->ops->impl.min_access_size,
+ mr->ops->impl.max_access_size,
+ memory_region_read_accessor, mr);
+@@ -902,6 +935,8 @@ static void memory_region_dispatch_write(MemoryRegion *mr,
+ uint64_t data,
+ unsigned size)
+ {
++ unsigned l;
++
+ if (!memory_region_access_valid(mr, addr, size, true)) {
+ return; /* FIXME: better signalling */
+ }
+@@ -913,8 +948,9 @@ static void memory_region_dispatch_write(MemoryRegion *mr,
+ return;
+ }
+
++ l = memory_access_size(mr, size, addr);
+ /* FIXME: support unaligned access */
+- access_with_adjusted_size(addr, &data, size,
++ access_with_adjusted_size(addr, &data, l,
+ mr->ops->impl.min_access_size,
+ mr->ops->impl.max_access_size,
+ memory_region_write_accessor, mr);
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-nbd-Fix-regression-on-resiliency-to-port-scan.patch b/SOURCES/kvm-nbd-Fix-regression-on-resiliency-to-port-scan.patch
index 928ceab..72a0e45 100644
--- a/SOURCES/kvm-nbd-Fix-regression-on-resiliency-to-port-scan.patch
+++ b/SOURCES/kvm-nbd-Fix-regression-on-resiliency-to-port-scan.patch
@@ -1,15 +1,15 @@
-From 8ead1a8129b42b14a6ccddbf4c24535b3cb80209 Mon Sep 17 00:00:00 2001
+From 5bd3c61792fe793b1d42e675b53e47396f4219a3 Mon Sep 17 00:00:00 2001
From: Eric Blake <eblake@redhat.com>
-Date: Fri, 9 Jun 2017 22:07:15 +0200
-Subject: [PATCH 2/2] nbd: Fix regression on resiliency to port scan
+Date: Fri, 9 Jun 2017 22:04:13 +0200
+Subject: [PATCH 6/6] nbd: Fix regression on resiliency to port scan
RH-Author: Eric Blake <eblake@redhat.com>
-Message-id: <20170609220715.29645-3-eblake@redhat.com>
-Patchwork-id: 75578
-O-Subject: [RHEL-7.3.z qemu-kvm PATCH 2/2] nbd: Fix regression on resiliency to port scan
-Bugzilla: 1460179
+Message-id: <20170609220413.28793-3-eblake@redhat.com>
+Patchwork-id: 75575
+O-Subject: [RHEL-7.4 qemu-kvm PATCH 2/2] nbd: Fix regression on resiliency to port scan
+Bugzilla: 1451614
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
-RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Thomas Huth <thuth@redhat.com>
Back in qemu 2.5, qemu-nbd was immune to port probes (a transient
@@ -52,7 +52,7 @@ Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1451614
Signed-off-by: Eric Blake <eblake@redhat.com>
Message-Id: <20170608222617.20376-1-eblake@redhat.com>
(cherry picked from commit ???)
-https://bugzilla.redhat.com/show_bug.cgi?id=1460179
+https://bugzilla.redhat.com/show_bug.cgi?id=1451614
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
Conflicts:
diff --git a/SOURCES/kvm-nbd-Fully-initialize-client-in-case-of-failed-negoti.patch b/SOURCES/kvm-nbd-Fully-initialize-client-in-case-of-failed-negoti.patch
index 765e2e7..17a739e 100644
--- a/SOURCES/kvm-nbd-Fully-initialize-client-in-case-of-failed-negoti.patch
+++ b/SOURCES/kvm-nbd-Fully-initialize-client-in-case-of-failed-negoti.patch
@@ -1,16 +1,16 @@
-From e34b480cd9a1fb23e361a514c98439672140bd37 Mon Sep 17 00:00:00 2001
+From 0e97bcfd7ab3c7b3d489de3cf4c7c4977b73cd23 Mon Sep 17 00:00:00 2001
From: Eric Blake <eblake@redhat.com>
-Date: Fri, 9 Jun 2017 22:07:14 +0200
-Subject: [PATCH 1/2] nbd: Fully initialize client in case of failed
+Date: Fri, 9 Jun 2017 22:04:12 +0200
+Subject: [PATCH 5/6] nbd: Fully initialize client in case of failed
negotiation
RH-Author: Eric Blake <eblake@redhat.com>
-Message-id: <20170609220715.29645-2-eblake@redhat.com>
-Patchwork-id: 75580
-O-Subject: [RHEL-7.3.z qemu-kvm PATCH 1/2] nbd: Fully initialize client in case of failed negotiation
-Bugzilla: 1460179
+Message-id: <20170609220413.28793-2-eblake@redhat.com>
+Patchwork-id: 75576
+O-Subject: [RHEL-7.4 qemu-kvm PATCH 1/2] nbd: Fully initialize client in case of failed negotiation
+Bugzilla: 1451614
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
-RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Thomas Huth <thuth@redhat.com>
If a non-NBD client connects to qemu-nbd, we would end up with
@@ -44,7 +44,7 @@ Signed-off-by: Eric Blake <eblake@redhat.com>
Message-Id: <20170527030421.28366-1-eblake@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit ???)
-https://bugzilla.redhat.com/show_bug.cgi?id=1460179
+https://bugzilla.redhat.com/show_bug.cgi?id=1451614
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
Conflicts:
diff --git a/SOURCES/kvm-net-check-packet-payload-length.patch b/SOURCES/kvm-net-check-packet-payload-length.patch
index 5ef1070..34b0106 100644
--- a/SOURCES/kvm-net-check-packet-payload-length.patch
+++ b/SOURCES/kvm-net-check-packet-payload-length.patch
@@ -1,13 +1,13 @@
-From 6d126da8f958c57413a4505d98cb4a3ff48cbbfe Mon Sep 17 00:00:00 2001
+From fa1aaeeab2f10d7f107dd45a2c06e40e71bde1c3 Mon Sep 17 00:00:00 2001
From: "wexu@redhat.com" <wexu@redhat.com>
Date: Wed, 21 Dec 2016 06:04:24 +0100
-Subject: [PATCH] net: check packet payload length
+Subject: [PATCH 3/4] net: check packet payload length
RH-Author: wexu@redhat.com
Message-id: <1482300264-29708-2-git-send-email-wexu@redhat.com>
Patchwork-id: 73088
O-Subject: [RHEL-7.4/7.3.z qemu-kvm Patch v2] net: check packet payload length
-Bugzilla: 1398217
+Bugzilla: 1398218
RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
RH-Acked-by: Michael S. Tsirkin <mst@redhat.com>
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
diff --git a/SOURCES/kvm-qcow2-Don-t-rely-on-free_cluster_index-in-alloc_ref2.patch b/SOURCES/kvm-qcow2-Don-t-rely-on-free_cluster_index-in-alloc_ref2.patch
new file mode 100644
index 0000000..7108c00
--- /dev/null
+++ b/SOURCES/kvm-qcow2-Don-t-rely-on-free_cluster_index-in-alloc_ref2.patch
@@ -0,0 +1,86 @@
+From 32dcdb3b1623e351d66bfe7cccbdcef3087f9b7b Mon Sep 17 00:00:00 2001
+From: Max Reitz <mreitz@redhat.com>
+Date: Mon, 13 Mar 2017 17:45:09 +0100
+Subject: [PATCH 11/24] qcow2: Don't rely on free_cluster_index in
+ alloc_refcount_block() (CVE-2014-0147)
+
+RH-Author: Max Reitz <mreitz@redhat.com>
+Message-id: <20170313174516.28044-3-mreitz@redhat.com>
+Patchwork-id: 74274
+O-Subject: [RHEL-7.4 qemu-kvm PATCH 2/9] qcow2: Don't rely on free_cluster_index in alloc_refcount_block() (CVE-2014-0147)
+Bugzilla: 1427176
+RH-Acked-by: Fam Zheng <famz@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
+
+From: Kevin Wolf <kwolf@redhat.com>
+
+free_cluster_index is only correct if update_refcount() was called from
+an allocation function, and even there it's brittle because it's used to
+protect unfinished allocations which still have a refcount of 0 - if it
+moves in the wrong place, the unfinished allocation can be corrupted.
+
+So not using it any more seems to be a good idea. Instead, use the
+first requested cluster to do the calculations. Return -EAGAIN if
+unfinished allocations could become invalid and let the caller restart
+its search for some free clusters.
+
+The context of creating a snapsnot is one situation where
+update_refcount() is called outside of a cluster allocation. For this
+case, the change fixes a buffer overflow if a cluster is referenced in
+an L2 table that cannot be represented by an existing refcount block.
+(new_table[refcount_table_index] was out of bounds)
+
+[Bump the qemu-iotests 026 refblock_alloc.write leak count from 10 to
+11.
+--Stefan]
+
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+Reviewed-by: Max Reitz <mreitz@redhat.com>
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+(cherry picked from commit b106ad9185f35fc4ad669555ad0e79e276083bd7)
+
+This patch was committed downstream before upstream (commit ID
+a2b10eec76a72aa7fe63e797181b93f69de9600e), therefore the change to 026's
+reference output is missing, which is amended by this backport.
+
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ tests/qemu-iotests/026.out | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/tests/qemu-iotests/026.out b/tests/qemu-iotests/026.out
+index 0764389..5cedefc 100644
+--- a/tests/qemu-iotests/026.out
++++ b/tests/qemu-iotests/026.out
+@@ -491,7 +491,7 @@ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824
+ Event: refblock_alloc.write_blocks; errno: 28; imm: off; once: off; write
+ write failed: No space left on device
+
+-10 leaked clusters were found on the image.
++11 leaked clusters were found on the image.
+ This means waste of disk space, but no harm to data.
+ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824
+
+@@ -515,7 +515,7 @@ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824
+ Event: refblock_alloc.write_table; errno: 28; imm: off; once: off; write
+ write failed: No space left on device
+
+-10 leaked clusters were found on the image.
++11 leaked clusters were found on the image.
+ This means waste of disk space, but no harm to data.
+ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824
+
+@@ -539,7 +539,7 @@ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824
+ Event: refblock_alloc.switch_table; errno: 28; imm: off; once: off; write
+ write failed: No space left on device
+
+-10 leaked clusters were found on the image.
++11 leaked clusters were found on the image.
+ This means waste of disk space, but no harm to data.
+ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824
+
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-qemu-char-ignore-flow-control-if-a-PTY-s-slave-is-no.patch b/SOURCES/kvm-qemu-char-ignore-flow-control-if-a-PTY-s-slave-is-no.patch
index 6463982..5c7e901 100644
--- a/SOURCES/kvm-qemu-char-ignore-flow-control-if-a-PTY-s-slave-is-no.patch
+++ b/SOURCES/kvm-qemu-char-ignore-flow-control-if-a-PTY-s-slave-is-no.patch
@@ -1,16 +1,16 @@
-From 1e2929d890fb4cc88162b9771ed93b1c61f89b33 Mon Sep 17 00:00:00 2001
+From 6a40d58e03beaef265f6c1293301f5f8860ecbea Mon Sep 17 00:00:00 2001
From: Fam Zheng <famz@redhat.com>
-Date: Fri, 19 May 2017 00:35:14 +0200
+Date: Thu, 18 May 2017 09:21:22 +0200
Subject: [PATCH 09/18] qemu-char: ignore flow control if a PTY's slave is not
connected
RH-Author: Fam Zheng <famz@redhat.com>
-Message-id: <20170519003523.21163-10-famz@redhat.com>
-Patchwork-id: 75364
-O-Subject: [RHEL-7.3.z qemu-kvm PATCH 09/18] qemu-char: ignore flow control if a PTY's slave is not connected
-Bugzilla: 1452332
+Message-id: <20170518092131.16571-10-famz@redhat.com>
+Patchwork-id: 75301
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v3 09/18] qemu-char: ignore flow control if a PTY's slave is not connected
+Bugzilla: 1451470
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
-RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>
From: Paolo Bonzini <pbonzini@redhat.com>
diff --git a/SOURCES/kvm-qemu-io-Add-sigraise-command.patch b/SOURCES/kvm-qemu-io-Add-sigraise-command.patch
new file mode 100644
index 0000000..b85ab5f
--- /dev/null
+++ b/SOURCES/kvm-qemu-io-Add-sigraise-command.patch
@@ -0,0 +1,98 @@
+From 9bf536ecc296516cb5d82d5e9630663aaac56629 Mon Sep 17 00:00:00 2001
+From: Max Reitz <mreitz@redhat.com>
+Date: Mon, 13 Mar 2017 17:46:24 +0100
+Subject: [PATCH 13/24] qemu-io: Add sigraise command
+
+RH-Author: Max Reitz <mreitz@redhat.com>
+Message-id: <20170313174629.28735-2-mreitz@redhat.com>
+Patchwork-id: 74275
+O-Subject: [RHEL-7.4 qemu-kvm PATCH 4/9] qemu-io: Add sigraise command
+Bugzilla: 1427176
+RH-Acked-by: Fam Zheng <famz@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
+
+abort() has the sometimes undesirable side-effect of generating a core
+dump. If that is not needed, SIGKILL has the same effect of abruptly
+crash qemu; without a core dump.
+
+Thus, -c abort is not always useful to simulate a qemu-io crash;
+therefore, this patch adds a new sigraise command which allows raising
+a signal.
+
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+Reviewed-by: Fam Zheng <famz@redhat.com>
+Message-id: 1418032092-16813-2-git-send-email-mreitz@redhat.com
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+(cherry picked from commit 0e82dc7bbd96f9b0fb76e5fe263ba04b15e68127)
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ qemu-io-cmds.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 46 insertions(+)
+
+diff --git a/qemu-io-cmds.c b/qemu-io-cmds.c
+index b41d6ee..010f05f 100644
+--- a/qemu-io-cmds.c
++++ b/qemu-io-cmds.c
+@@ -2050,6 +2050,51 @@ static const cmdinfo_t abort_cmd = {
+ .oneline = "simulate a program crash using abort(3)",
+ };
+
++static void sigraise_help(void)
++{
++ printf(
++"\n"
++" raises the given signal\n"
++"\n"
++" Example:\n"
++" 'sigraise %i' - raises SIGTERM\n"
++"\n"
++" Invokes raise(signal), where \"signal\" is the mandatory integer argument\n"
++" given to sigraise.\n"
++"\n", SIGTERM);
++}
++
++static int sigraise_f(BlockDriverState *bs, int argc, char **argv);
++
++static const cmdinfo_t sigraise_cmd = {
++ .name = "sigraise",
++ .cfunc = sigraise_f,
++ .argmin = 1,
++ .argmax = 1,
++ .flags = CMD_NOFILE_OK,
++ .args = "signal",
++ .oneline = "raises a signal",
++ .help = sigraise_help,
++};
++
++static int sigraise_f(BlockDriverState *bs, int argc, char **argv)
++{
++ int sig = cvtnum(argv[1]);
++ if (sig < 0) {
++ printf("non-numeric signal number argument -- %s\n", argv[1]);
++ return 0;
++ }
++
++ /* Using raise() to kill this process does not necessarily flush all open
++ * streams. At least stdout and stderr (although the latter should be
++ * non-buffered anyway) should be flushed, though. */
++ fflush(stdout);
++ fflush(stderr);
++
++ raise(sig);
++ return 0;
++}
++
+ static void sleep_cb(void *opaque)
+ {
+ bool *expired = opaque;
+@@ -2203,4 +2248,5 @@ static void __attribute((constructor)) init_qemuio_commands(void)
+ qemuio_add_command(&wait_break_cmd);
+ qemuio_add_command(&abort_cmd);
+ qemuio_add_command(&sleep_cmd);
++ qemuio_add_command(&sigraise_cmd);
+ }
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-qemu-iotests-Disable-030-040-041.patch b/SOURCES/kvm-qemu-iotests-Disable-030-040-041.patch
new file mode 100644
index 0000000..5f26239
--- /dev/null
+++ b/SOURCES/kvm-qemu-iotests-Disable-030-040-041.patch
@@ -0,0 +1,53 @@
+From 17c2dbd411ce0b2221b5559c3c0eff01920dea40 Mon Sep 17 00:00:00 2001
+From: Max Reitz <mreitz@redhat.com>
+Date: Mon, 13 Mar 2017 17:47:19 +0100
+Subject: [PATCH 18/24] qemu-iotests: Disable 030, 040, 041
+
+RH-Author: Max Reitz <mreitz@redhat.com>
+Message-id: <20170313174719.29543-1-mreitz@redhat.com>
+Patchwork-id: 74280
+O-Subject: [RHEL-7.4 qemu-kvm PATCH 9/9] qemu-iotests: Disable 030, 040, 041
+Bugzilla: 1427176
+RH-Acked-by: Fam Zheng <famz@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
+
+Upstream: N/A
+
+All of these tests require (and test) live block operations, 030 and 041
+also need blkdebug support. Both of these features are disabled
+downstream, so the tests need to be disabled, too.
+
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ tests/qemu-iotests/group | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/tests/qemu-iotests/group b/tests/qemu-iotests/group
+index 58b3d05..c1fc89d 100644
+--- a/tests/qemu-iotests/group
++++ b/tests/qemu-iotests/group
+@@ -36,7 +36,7 @@
+ 027 rw auto quick
+ 028 rw backing auto
+ 029 rw auto quick
+-030 rw auto backing
++# 030 rw auto backing -- requires blkdebug and block jobs
+ 031 rw auto quick
+ 032 rw auto
+ 033 rw auto quick
+@@ -46,8 +46,8 @@
+ 037 rw auto backing
+ 038 rw auto backing
+ 039 rw auto
+-040 rw auto
+-041 rw auto backing
++# 040 rw auto -- requires block jobs
++# 041 rw auto backing -- requires blkdebug and block jobs
+ 042 rw auto quick
+ 043 rw auto backing
+ 044 rw auto
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-qemu-iotests-Filter-out-actual-image-size-in-067.patch b/SOURCES/kvm-qemu-iotests-Filter-out-actual-image-size-in-067.patch
new file mode 100644
index 0000000..55fb981
--- /dev/null
+++ b/SOURCES/kvm-qemu-iotests-Filter-out-actual-image-size-in-067.patch
@@ -0,0 +1,93 @@
+From 858514a037db08493b7cdd6adaf87466ee2f7831 Mon Sep 17 00:00:00 2001
+From: Max Reitz <mreitz@redhat.com>
+Date: Mon, 13 Mar 2017 17:45:08 +0100
+Subject: [PATCH 10/24] qemu-iotests: Filter out actual image size in 067
+
+RH-Author: Max Reitz <mreitz@redhat.com>
+Message-id: <20170313174516.28044-2-mreitz@redhat.com>
+Patchwork-id: 74273
+O-Subject: [RHEL-7.4 qemu-kvm PATCH 1/9] qemu-iotests: Filter out actual image size in 067
+Bugzilla: 1427176
+RH-Acked-by: Fam Zheng <famz@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
+
+The actual size of the image file may differ depending on the Linux
+kernel currently running on the host. Filtering out this value makes
+this test pass in such cases.
+
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+Reviewed-by: Benoit Canet <benoit@irqsave.net>
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+(cherry picked from commit 64815e2a966f0a3f18818b9d542f1ef02dc992a2)
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ tests/qemu-iotests/067 | 2 +-
+ tests/qemu-iotests/067.out | 10 +++++-----
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/tests/qemu-iotests/067 b/tests/qemu-iotests/067
+index 79dc38b..d025192 100644
+--- a/tests/qemu-iotests/067
++++ b/tests/qemu-iotests/067
+@@ -45,7 +45,7 @@ function do_run_qemu()
+
+ function run_qemu()
+ {
+- do_run_qemu "$@" 2>&1 | _filter_testdir | _filter_qmp
++ do_run_qemu "$@" 2>&1 | _filter_testdir | _filter_qmp | sed -e 's/\("actual-size":\s*\)[0-9]\+/\1SIZE/g'
+ }
+
+ size=128M
+diff --git a/tests/qemu-iotests/067.out b/tests/qemu-iotests/067.out
+index 4bb9ff9..8d271cc 100644
+--- a/tests/qemu-iotests/067.out
++++ b/tests/qemu-iotests/067.out
+@@ -6,7 +6,7 @@ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=134217728
+ Testing: -drive file=TEST_DIR/t.qcow2,format=qcow2,if=none,id=disk -device virtio-blk-pci,drive=disk,id=virtio0
+ QMP_VERSION
+ {"return": {}}
+-{"return": [{"io-status": "ok", "device": "disk", "locked": false, "removable": false, "inserted": {"iops_rd": 0, "image": {"virtual-size": 134217728, "filename": "TEST_DIR/t.qcow2", "cluster-size": 65536, "format": "qcow2", "actual-size": 139264, "format-specific": {"type": "qcow2", "data": {"compat": "1.1", "lazy-refcounts": false}}, "dirty-flag": false}, "iops_wr": 0, "ro": false, "backing_file_depth": 0, "drv": "qcow2", "iops": 0, "bps_wr": 0, "encrypted": false, "bps": 0, "bps_rd": 0, "file": "TEST_DIR/t.qcow2", "encryption_key_missing": false}, "type": "unknown"}, {"io-status": "ok", "device": "ide1-cd0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"device": "floppy0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"device": "sd0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}]}
++{"return": [{"io-status": "ok", "device": "disk", "locked": false, "removable": false, "inserted": {"iops_rd": 0, "image": {"virtual-size": 134217728, "filename": "TEST_DIR/t.qcow2", "cluster-size": 65536, "format": "qcow2", "actual-size": SIZE, "format-specific": {"type": "qcow2", "data": {"compat": "1.1", "lazy-refcounts": false}}, "dirty-flag": false}, "iops_wr": 0, "ro": false, "backing_file_depth": 0, "drv": "qcow2", "iops": 0, "bps_wr": 0, "encrypted": false, "bps": 0, "bps_rd": 0, "file": "TEST_DIR/t.qcow2", "encryption_key_missing": false}, "type": "unknown"}, {"io-status": "ok", "device": "ide1-cd0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"device": "floppy0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"device": "sd0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}]}
+ {"return": {}}
+ {"return": {}}
+ {"timestamp": {"seconds": TIMESTAMP, "microseconds": TIMESTAMP}, "event": "DEVICE_DELETED", "data": {"path": "/machine/peripheral/virtio0/virtio-backend"}}
+@@ -24,7 +24,7 @@ QMP_VERSION
+ Testing: -drive file=TEST_DIR/t.qcow2,format=qcow2,if=none,id=disk
+ QMP_VERSION
+ {"return": {}}
+-{"return": [{"device": "disk", "locked": false, "removable": true, "inserted": {"iops_rd": 0, "image": {"virtual-size": 134217728, "filename": "TEST_DIR/t.qcow2", "cluster-size": 65536, "format": "qcow2", "actual-size": 139264, "format-specific": {"type": "qcow2", "data": {"compat": "1.1", "lazy-refcounts": false}}, "dirty-flag": false}, "iops_wr": 0, "ro": false, "backing_file_depth": 0, "drv": "qcow2", "iops": 0, "bps_wr": 0, "encrypted": false, "bps": 0, "bps_rd": 0, "file": "TEST_DIR/t.qcow2", "encryption_key_missing": false}, "tray_open": false, "type": "unknown"}, {"io-status": "ok", "device": "ide1-cd0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"device": "floppy0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"device": "sd0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}]}
++{"return": [{"device": "disk", "locked": false, "removable": true, "inserted": {"iops_rd": 0, "image": {"virtual-size": 134217728, "filename": "TEST_DIR/t.qcow2", "cluster-size": 65536, "format": "qcow2", "actual-size": SIZE, "format-specific": {"type": "qcow2", "data": {"compat": "1.1", "lazy-refcounts": false}}, "dirty-flag": false}, "iops_wr": 0, "ro": false, "backing_file_depth": 0, "drv": "qcow2", "iops": 0, "bps_wr": 0, "encrypted": false, "bps": 0, "bps_rd": 0, "file": "TEST_DIR/t.qcow2", "encryption_key_missing": false}, "tray_open": false, "type": "unknown"}, {"io-status": "ok", "device": "ide1-cd0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"device": "floppy0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"device": "sd0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}]}
+ {"return": {}}
+ {"return": {}}
+ {"return": {}}
+@@ -44,7 +44,7 @@ Testing:
+ QMP_VERSION
+ {"return": {}}
+ {"return": "OK\r\n"}
+-{"return": [{"io-status": "ok", "device": "ide1-cd0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"device": "floppy0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"device": "sd0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"device": "disk", "locked": false, "removable": true, "inserted": {"iops_rd": 0, "image": {"virtual-size": 134217728, "filename": "TEST_DIR/t.qcow2", "cluster-size": 65536, "format": "qcow2", "actual-size": 139264, "format-specific": {"type": "qcow2", "data": {"compat": "1.1", "lazy-refcounts": false}}, "dirty-flag": false}, "iops_wr": 0, "ro": false, "backing_file_depth": 0, "drv": "qcow2", "iops": 0, "bps_wr": 0, "encrypted": false, "bps": 0, "bps_rd": 0, "file": "TEST_DIR/t.qcow2", "encryption_key_missing": false}, "tray_open": false, "type": "unknown"}]}
++{"return": [{"io-status": "ok", "device": "ide1-cd0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"device": "floppy0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"device": "sd0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"device": "disk", "locked": false, "removable": true, "inserted": {"iops_rd": 0, "image": {"virtual-size": 134217728, "filename": "TEST_DIR/t.qcow2", "cluster-size": 65536, "format": "qcow2", "actual-size": SIZE, "format-specific": {"type": "qcow2", "data": {"compat": "1.1", "lazy-refcounts": false}}, "dirty-flag": false}, "iops_wr": 0, "ro": false, "backing_file_depth": 0, "drv": "qcow2", "iops": 0, "bps_wr": 0, "encrypted": false, "bps": 0, "bps_rd": 0, "file": "TEST_DIR/t.qcow2", "encryption_key_missing": false}, "tray_open": false, "type": "unknown"}]}
+ {"return": {}}
+ {"return": {}}
+ {"return": {}}
+@@ -64,14 +64,14 @@ Testing:
+ QMP_VERSION
+ {"return": {}}
+ {"return": {}}
+-{"return": [{"io-status": "ok", "device": "ide1-cd0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"device": "floppy0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"device": "sd0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"device": "disk", "locked": false, "removable": true, "inserted": {"iops_rd": 0, "image": {"virtual-size": 134217728, "filename": "TEST_DIR/t.qcow2", "cluster-size": 65536, "format": "qcow2", "actual-size": 139264, "format-specific": {"type": "qcow2", "data": {"compat": "1.1", "lazy-refcounts": false}}, "dirty-flag": false}, "iops_wr": 0, "ro": false, "backing_file_depth": 0, "drv": "qcow2", "iops": 0, "bps_wr": 0, "encrypted": false, "bps": 0, "bps_rd": 0, "file": "TEST_DIR/t.qcow2", "encryption_key_missing": false}, "tray_open": false, "type": "unknown"}]}
++{"return": [{"io-status": "ok", "device": "ide1-cd0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"device": "floppy0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"device": "sd0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"device": "disk", "locked": false, "removable": true, "inserted": {"iops_rd": 0, "image": {"virtual-size": 134217728, "filename": "TEST_DIR/t.qcow2", "cluster-size": 65536, "format": "qcow2", "actual-size": SIZE, "format-specific": {"type": "qcow2", "data": {"compat": "1.1", "lazy-refcounts": false}}, "dirty-flag": false}, "iops_wr": 0, "ro": false, "backing_file_depth": 0, "drv": "qcow2", "iops": 0, "bps_wr": 0, "encrypted": false, "bps": 0, "bps_rd": 0, "file": "TEST_DIR/t.qcow2", "encryption_key_missing": false}, "tray_open": false, "type": "unknown"}]}
+ {"return": {}}
+ {"return": {}}
+ {"return": {}}
+ {"timestamp": {"seconds": TIMESTAMP, "microseconds": TIMESTAMP}, "event": "DEVICE_DELETED", "data": {"path": "/machine/peripheral/virtio0/virtio-backend"}}
+ {"timestamp": {"seconds": TIMESTAMP, "microseconds": TIMESTAMP}, "event": "DEVICE_DELETED", "data": {"device": "virtio0", "path": "/machine/peripheral/virtio0"}}
+ {"timestamp": {"seconds": TIMESTAMP, "microseconds": TIMESTAMP}, "event": "RESET"}
+-{"return": [{"io-status": "ok", "device": "ide1-cd0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"device": "floppy0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"device": "sd0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"io-status": "ok", "device": "disk", "locked": false, "removable": true, "inserted": {"iops_rd": 0, "image": {"virtual-size": 134217728, "filename": "TEST_DIR/t.qcow2", "cluster-size": 65536, "format": "qcow2", "actual-size": 139264, "format-specific": {"type": "qcow2", "data": {"compat": "1.1", "lazy-refcounts": false}}, "dirty-flag": false}, "iops_wr": 0, "ro": false, "backing_file_depth": 0, "drv": "qcow2", "iops": 0, "bps_wr": 0, "encrypted": false, "bps": 0, "bps_rd": 0, "file": "TEST_DIR/t.qcow2", "encryption_key_missing": false}, "tray_open": false, "type": "unknown"}]}
++{"return": [{"io-status": "ok", "device": "ide1-cd0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"device": "floppy0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"device": "sd0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"io-status": "ok", "device": "disk", "locked": false, "removable": true, "inserted": {"iops_rd": 0, "image": {"virtual-size": 134217728, "filename": "TEST_DIR/t.qcow2", "cluster-size": 65536, "format": "qcow2", "actual-size": SIZE, "format-specific": {"type": "qcow2", "data": {"compat": "1.1", "lazy-refcounts": false}}, "dirty-flag": false}, "iops_wr": 0, "ro": false, "backing_file_depth": 0, "drv": "qcow2", "iops": 0, "bps_wr": 0, "encrypted": false, "bps": 0, "bps_rd": 0, "file": "TEST_DIR/t.qcow2", "encryption_key_missing": false}, "tray_open": false, "type": "unknown"}]}
+ {"return": {}}
+ {"timestamp": {"seconds": TIMESTAMP, "microseconds": TIMESTAMP}, "event": "SHUTDOWN"}
+ {"timestamp": {"seconds": TIMESTAMP, "microseconds": TIMESTAMP}, "event": "DEVICE_TRAY_MOVED", "data": {"device": "ide1-cd0", "tray-open": true}}
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-qemu-iotests-Fix-core-dump-suppression-in-test-039.patch b/SOURCES/kvm-qemu-iotests-Fix-core-dump-suppression-in-test-039.patch
new file mode 100644
index 0000000..d23e58c
--- /dev/null
+++ b/SOURCES/kvm-qemu-iotests-Fix-core-dump-suppression-in-test-039.patch
@@ -0,0 +1,141 @@
+From 3d0fa39257aac5ee843c0f3e5e69703e299bb90c Mon Sep 17 00:00:00 2001
+From: Max Reitz <mreitz@redhat.com>
+Date: Mon, 13 Mar 2017 17:46:23 +0100
+Subject: [PATCH 12/24] qemu-iotests: Fix core dump suppression in test 039
+
+RH-Author: Max Reitz <mreitz@redhat.com>
+Message-id: <20170313174629.28735-1-mreitz@redhat.com>
+Patchwork-id: 74281
+O-Subject: [RHEL-7.4 qemu-kvm PATCH 3/9] qemu-iotests: Fix core dump suppression in test 039
+Bugzilla: 1427176
+RH-Acked-by: Fam Zheng <famz@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
+
+From: Markus Armbruster <armbru@redhat.com>
+
+The shell script attempts to suppress core dumps like this:
+
+ old_ulimit=$(ulimit -c)
+ ulimit -c 0
+ $QEMU_IO arg...
+ ulimit -c "$old_ulimit"
+
+This breaks the test hard unless the limit was zero to begin with!
+ulimit sets both hard and soft limit by default, and (re-)raising the
+hard limit requires privileges. Broken since it was added in commit
+dc68afe.
+
+Could be fixed by adding -S to set only the soft limit, but I'm not
+sure how portable that is in practice. Simply do it in a subshell
+instead, like this:
+
+ (ulimit -c 0; exec $QEMU_IO arg...)
+
+Signed-off-by: Markus Armbruster <armbru@redhat.com>
+Reviewed-by: Fam Zheng <famz@redhat.com>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+(cherry picked from commit d530e342320d4db3c9522bfadc60a7bc8142343a)
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ tests/qemu-iotests/039 | 20 ++++++++------------
+ tests/qemu-iotests/039.out | 3 +++
+ tests/qemu-iotests/common.filter | 1 +
+ 3 files changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/tests/qemu-iotests/039 b/tests/qemu-iotests/039
+index 8bade92..1e50651 100755
+--- a/tests/qemu-iotests/039
++++ b/tests/qemu-iotests/039
+@@ -46,6 +46,11 @@ _supported_proto generic
+ _supported_os Linux
+ _unsupported_qemu_io_options --nocache
+
++_no_dump_exec()
++{
++ (ulimit -c 0; exec "$@")
++}
++
+ size=128M
+
+ echo
+@@ -66,10 +71,7 @@ echo "== Creating a dirty image file =="
+ IMGOPTS="compat=1.1,lazy_refcounts=on"
+ _make_test_img $size
+
+-old_ulimit=$(ulimit -c)
+-ulimit -c 0 # do not produce a core dump on abort(3)
+-$QEMU_IO -c "write -P 0x5a 0 512" -c "abort" "$TEST_IMG" | _filter_qemu_io
+-ulimit -c "$old_ulimit"
++_no_dump_exec $QEMU_IO -c "write -P 0x5a 0 512" -c "abort" "$TEST_IMG" 2>&1 | _filter_qemu_io
+
+ # The dirty bit must be set
+ ./qcow2.py "$TEST_IMG" dump-header | grep incompatible_features
+@@ -102,10 +104,7 @@ echo "== Opening a dirty image read/write should repair it =="
+ IMGOPTS="compat=1.1,lazy_refcounts=on"
+ _make_test_img $size
+
+-old_ulimit=$(ulimit -c)
+-ulimit -c 0 # do not produce a core dump on abort(3)
+-$QEMU_IO -c "write -P 0x5a 0 512" -c "abort" "$TEST_IMG" | _filter_qemu_io
+-ulimit -c "$old_ulimit"
++_no_dump_exec $QEMU_IO -c "write -P 0x5a 0 512" -c "abort" "$TEST_IMG" 2>&1 | _filter_qemu_io
+
+ # The dirty bit must be set
+ ./qcow2.py "$TEST_IMG" dump-header | grep incompatible_features
+@@ -121,10 +120,7 @@ echo "== Creating an image file with lazy_refcounts=off =="
+ IMGOPTS="compat=1.1,lazy_refcounts=off"
+ _make_test_img $size
+
+-old_ulimit=$(ulimit -c)
+-ulimit -c 0 # do not produce a core dump on abort(3)
+-$QEMU_IO -c "write -P 0x5a 0 512" -c "abort" "$TEST_IMG" | _filter_qemu_io
+-ulimit -c "$old_ulimit"
++_no_dump_exec $QEMU_IO -c "write -P 0x5a 0 512" -c "abort" "$TEST_IMG" 2>&1 | _filter_qemu_io
+
+ # The dirty bit must not be set since lazy_refcounts=off
+ ./qcow2.py "$TEST_IMG" dump-header | grep incompatible_features
+diff --git a/tests/qemu-iotests/039.out b/tests/qemu-iotests/039.out
+index d25bf0b..af62da1 100644
+--- a/tests/qemu-iotests/039.out
++++ b/tests/qemu-iotests/039.out
+@@ -11,6 +11,7 @@ No errors were found on the image.
+ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=134217728
+ wrote 512/512 bytes at offset 0
+ 512 bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
++./039: Aborted ( ulimit -c 0; exec "$@" )
+ incompatible_features 0x1
+ ERROR cluster 5 refcount=0 reference=1
+ ERROR OFLAG_COPIED data cluster: l2_entry=8000000000050000 refcount=0
+@@ -45,6 +46,7 @@ read 512/512 bytes at offset 0
+ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=134217728
+ wrote 512/512 bytes at offset 0
+ 512 bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
++./039: Aborted ( ulimit -c 0; exec "$@" )
+ incompatible_features 0x1
+ ERROR cluster 5 refcount=0 reference=1
+ Rebuilding refcount structure
+@@ -58,6 +60,7 @@ incompatible_features 0x0
+ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=134217728
+ wrote 512/512 bytes at offset 0
+ 512 bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
++./039: Aborted ( ulimit -c 0; exec "$@" )
+ incompatible_features 0x0
+ No errors were found on the image.
+ *** done
+diff --git a/tests/qemu-iotests/common.filter b/tests/qemu-iotests/common.filter
+index 9c82c77..dcd246d 100644
+--- a/tests/qemu-iotests/common.filter
++++ b/tests/qemu-iotests/common.filter
+@@ -150,6 +150,7 @@ _filter_win32()
+ _filter_qemu_io()
+ {
+ _filter_win32 | sed -e "s/[0-9]* ops\; [0-9/:. sec]* ([0-9/.inf]* [EPTGMKiBbytes]*\/sec and [0-9/.inf]* ops\/sec)/X ops\; XX:XX:XX.X (XXX YYY\/sec and XXX ops\/sec)/" \
++ -e "s/: line [0-9][0-9]*: *[0-9][0-9]*\( Aborted\)/:\1/" \
+ -e "s/qemu-io> //g"
+ }
+
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-qxl-Only-emit-QXL_INTERRUPT_CLIENT_MONITORS_CONFIG-o.patch b/SOURCES/kvm-qxl-Only-emit-QXL_INTERRUPT_CLIENT_MONITORS_CONFIG-o.patch
new file mode 100644
index 0000000..9794833
--- /dev/null
+++ b/SOURCES/kvm-qxl-Only-emit-QXL_INTERRUPT_CLIENT_MONITORS_CONFIG-o.patch
@@ -0,0 +1,125 @@
+From de84e9659aa6b91bd1a7c4fb30fde859882b9201 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
+Date: Thu, 5 Jan 2017 23:58:10 +0100
+Subject: [PATCH 4/4] qxl: Only emit QXL_INTERRUPT_CLIENT_MONITORS_CONFIG on
+ config changes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-id: <20170105235810.27189-1-marcandre.lureau@redhat.com>
+Patchwork-id: 73185
+O-Subject: [RHEL-7.4 qemu-kvm PATCH] qxl: Only emit QXL_INTERRUPT_CLIENT_MONITORS_CONFIG on config changes
+Bugzilla: 1342489
+RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
+RH-Acked-by: Christophe Fergeau <cfergeau@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+From: Christophe Fergeau <cfergeau@redhat.com>
+
+Currently if the client keeps sending the same monitor config to
+QEMU/spice-server, QEMU will always raise
+a QXL_INTERRUPT_CLIENT_MONITORS_CONFIG regardless of whether there was a
+change or not.
+Guest-side (with fedora 25), the kernel QXL KMS driver will also forward the
+event to user-space without checking if there were actual changes.
+Next in line are gnome-shell/mutter (on a default f25 install), which
+will try to reconfigure everything without checking if there is anything
+to do.
+Where this gets ugly is that when applying the resolution changes,
+gnome-shell/mutter will call drmModeRmFB, drmModeAddFB, and
+drmModeSetCrtc, which will cause the primary surface to be destroyed and
+recreated by the QXL KMS driver. This in turn will cause the client to
+resend a client monitors config message, which will cause QEMU to reemit
+an interrupt with an unchanged monitors configuration, ...
+This causes https://bugzilla.redhat.com/show_bug.cgi?id=1266484
+
+This commit makes sure that we only emit
+QXL_INTERRUPT_CLIENT_MONITORS_CONFIG when there are actual configuration
+changes the guest should act on.
+
+Signed-off-by: Christophe Fergeau <cfergeau@redhat.com>
+Message-id: 20161028144840.18326-1-cfergeau@redhat.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+(cherry picked from commit 6c7565028c272c4c6f2a83c3a90b044eeaf2804a)
+
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ hw/display/qxl.c | 37 ++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 36 insertions(+), 1 deletion(-)
+
+diff --git a/hw/display/qxl.c b/hw/display/qxl.c
+index f762439..c76c237 100644
+--- a/hw/display/qxl.c
++++ b/hw/display/qxl.c
+@@ -989,6 +989,34 @@ static uint32_t qxl_crc32(const uint8_t *p, unsigned len)
+ return crc32(0xffffffff, p, len) ^ 0xffffffff;
+ }
+
++static bool qxl_rom_monitors_config_changed(QXLRom *rom,
++ VDAgentMonitorsConfig *monitors_config,
++ unsigned int max_outputs)
++{
++ int i;
++ unsigned int monitors_count;
++
++ monitors_count = MIN(monitors_config->num_of_monitors, max_outputs);
++
++ if (rom->client_monitors_config.count != monitors_count) {
++ return true;
++ }
++
++ for (i = 0 ; i < rom->client_monitors_config.count ; ++i) {
++ VDAgentMonConfig *monitor = &monitors_config->monitors[i];
++ QXLURect *rect = &rom->client_monitors_config.heads[i];
++ /* monitor->depth ignored */
++ if ((rect->left != monitor->x) ||
++ (rect->top != monitor->y) ||
++ (rect->right != monitor->x + monitor->width) ||
++ (rect->bottom != monitor->y + monitor->height)) {
++ return true;
++ }
++ }
++
++ return false;
++}
++
+ /* called from main context only */
+ static int interface_client_monitors_config(QXLInstance *sin,
+ VDAgentMonitorsConfig *monitors_config)
+@@ -997,6 +1025,7 @@ static int interface_client_monitors_config(QXLInstance *sin,
+ QXLRom *rom = memory_region_get_ram_ptr(&qxl->rom_bar);
+ int i;
+ unsigned max_outputs = ARRAY_SIZE(rom->client_monitors_config.heads);
++ bool config_changed = false;
+
+ if (qxl->revision < 4) {
+ trace_qxl_client_monitors_config_unsupported_by_device(qxl->id,
+@@ -1027,6 +1056,10 @@ static int interface_client_monitors_config(QXLInstance *sin,
+ }
+ #endif
+
++ config_changed = qxl_rom_monitors_config_changed(rom,
++ monitors_config,
++ max_outputs);
++
+ memset(&rom->client_monitors_config, 0,
+ sizeof(rom->client_monitors_config));
+ rom->client_monitors_config.count = monitors_config->num_of_monitors;
+@@ -1056,7 +1089,9 @@ static int interface_client_monitors_config(QXLInstance *sin,
+ trace_qxl_interrupt_client_monitors_config(qxl->id,
+ rom->client_monitors_config.count,
+ rom->client_monitors_config.heads);
+- qxl_send_events(qxl, QXL_INTERRUPT_CLIENT_MONITORS_CONFIG);
++ if (config_changed) {
++ qxl_send_events(qxl, QXL_INTERRUPT_CLIENT_MONITORS_CONFIG);
++ }
+ return 1;
+ }
+
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-serial-change-retry-logic-to-avoid-concurrency.patch b/SOURCES/kvm-serial-change-retry-logic-to-avoid-concurrency.patch
index df1f0e6..5b76103 100644
--- a/SOURCES/kvm-serial-change-retry-logic-to-avoid-concurrency.patch
+++ b/SOURCES/kvm-serial-change-retry-logic-to-avoid-concurrency.patch
@@ -1,15 +1,15 @@
-From 3ddb1809fc188f9aca337b19a81b40da5b992057 Mon Sep 17 00:00:00 2001
+From 19651bdbf15a4ce03d6fc6e3a6be514a3f46a118 Mon Sep 17 00:00:00 2001
From: Fam Zheng <famz@redhat.com>
-Date: Fri, 19 May 2017 00:35:13 +0200
+Date: Thu, 18 May 2017 09:21:21 +0200
Subject: [PATCH 08/18] serial: change retry logic to avoid concurrency
RH-Author: Fam Zheng <famz@redhat.com>
-Message-id: <20170519003523.21163-9-famz@redhat.com>
-Patchwork-id: 75362
-O-Subject: [RHEL-7.3.z qemu-kvm PATCH 08/18] serial: change retry logic to avoid concurrency
-Bugzilla: 1452332
+Message-id: <20170518092131.16571-9-famz@redhat.com>
+Patchwork-id: 75300
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v3 08/18] serial: change retry logic to avoid concurrency
+Bugzilla: 1451470
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
-RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>
From: Kirill Batuzov <batuzovk@ispras.ru>
diff --git a/SOURCES/kvm-serial-check-if-backed-by-a-physical-serial-port-at-.patch b/SOURCES/kvm-serial-check-if-backed-by-a-physical-serial-port-at-.patch
index 733d5ba..9b8e621 100644
--- a/SOURCES/kvm-serial-check-if-backed-by-a-physical-serial-port-at-.patch
+++ b/SOURCES/kvm-serial-check-if-backed-by-a-physical-serial-port-at-.patch
@@ -1,16 +1,16 @@
-From 1882bb1a0967e7d513b0d5bd060fa214bc44efcb Mon Sep 17 00:00:00 2001
+From 3ad8bb6f424f7ff1d4bbf73237fb1590f0ce1810 Mon Sep 17 00:00:00 2001
From: Fam Zheng <famz@redhat.com>
-Date: Fri, 19 May 2017 00:35:15 +0200
+Date: Thu, 18 May 2017 09:21:23 +0200
Subject: [PATCH 10/18] serial: check if backed by a physical serial port at
realize time
RH-Author: Fam Zheng <famz@redhat.com>
-Message-id: <20170519003523.21163-11-famz@redhat.com>
-Patchwork-id: 75366
-O-Subject: [RHEL-7.3.z qemu-kvm PATCH 10/18] serial: check if backed by a physical serial port at realize time
-Bugzilla: 1452332
+Message-id: <20170518092131.16571-11-famz@redhat.com>
+Patchwork-id: 75299
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v3 10/18] serial: check if backed by a physical serial port at realize time
+Bugzilla: 1451470
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
-RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>
From: Paolo Bonzini <pbonzini@redhat.com>
diff --git a/SOURCES/kvm-serial-clean-up-THRE-TEMT-handling.patch b/SOURCES/kvm-serial-clean-up-THRE-TEMT-handling.patch
index 18e9b50..dfc6fa0 100644
--- a/SOURCES/kvm-serial-clean-up-THRE-TEMT-handling.patch
+++ b/SOURCES/kvm-serial-clean-up-THRE-TEMT-handling.patch
@@ -1,15 +1,15 @@
-From 9afba2b1b9f8c2af3165fb0d9b68888996fe2330 Mon Sep 17 00:00:00 2001
+From 1b37b298fc1f0d69e24229191e4bbe741e4d96ab Mon Sep 17 00:00:00 2001
From: Fam Zheng <famz@redhat.com>
-Date: Fri, 19 May 2017 00:35:17 +0200
+Date: Thu, 18 May 2017 09:21:25 +0200
Subject: [PATCH 12/18] serial: clean up THRE/TEMT handling
RH-Author: Fam Zheng <famz@redhat.com>
-Message-id: <20170519003523.21163-13-famz@redhat.com>
-Patchwork-id: 75367
-O-Subject: [RHEL-7.3.z qemu-kvm PATCH 12/18] serial: clean up THRE/TEMT handling
-Bugzilla: 1452332
+Message-id: <20170518092131.16571-13-famz@redhat.com>
+Patchwork-id: 75303
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v3 12/18] serial: clean up THRE/TEMT handling
+Bugzilla: 1451470
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
-RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>
From: Paolo Bonzini <pbonzini@redhat.com>
diff --git a/SOURCES/kvm-serial-fixing-vmstate-for-save-restore.patch b/SOURCES/kvm-serial-fixing-vmstate-for-save-restore.patch
new file mode 100644
index 0000000..e23ec75
--- /dev/null
+++ b/SOURCES/kvm-serial-fixing-vmstate-for-save-restore.patch
@@ -0,0 +1,355 @@
+From 7d2e8f9662feb64c0b15b6fd53e06e3c56921f27 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Fri, 9 Jun 2017 11:43:58 +0200
+Subject: [PATCH 3/6] serial: fixing vmstate for save/restore
+
+RH-Author: Paolo Bonzini <pbonzini@redhat.com>
+Message-id: <20170609114359.13036-3-pbonzini@redhat.com>
+Patchwork-id: 75567
+O-Subject: [RHEL7.4 qemu-kvm PATCH v2 2/3] serial: fixing vmstate for save/restore
+Bugzilla: 1452067
+RH-Acked-by: David Hildenbrand <david@redhat.com>
+RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+
+From: Pavel Dovgalyuk <Pavel.Dovgaluk@ispras.ru>
+
+Some fields were added to VMState by this patch to preserve correct
+loading of the serial port controller state.
+Updating FCR value while loading was also modified to disable generating
+an interrupt by loadvm.
+
+Signed-off-by: Pavel Dovgalyuk <Pavel.Dovgaluk@ispras.ru>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 7385b275d9ae8bdf3c012bc4e2ae9779fcea6312)
+
+[RHEL: omit some subsections. thr_ipending can be reconstructed fairly
+ reliably by serial_post_load. The others are features that are
+ unlikely to be used in RHEL, respectively receive timeout (Linux
+ does not even have the UART_IIR_CTI symbol in the driver) and
+ physical serial ports connected to a modem]
+
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ hw/char/serial.c | 245 ++++++++++++++++++++++++++++++++++++++++++++++++-------
+ 1 file changed, 215 insertions(+), 30 deletions(-)
+
+diff --git a/hw/char/serial.c b/hw/char/serial.c
+index 39de1ca..0518a6f 100644
+--- a/hw/char/serial.c
++++ b/hw/char/serial.c
+@@ -275,6 +275,36 @@ static void serial_xmit(SerialState *s)
+ s->lsr |= UART_LSR_TEMT;
+ }
+
++/* Setter for FCR.
++ is_load flag means, that value is set while loading VM state
++ and interrupt should not be invoked */
++static void serial_write_fcr(SerialState *s, uint8_t val)
++{
++ /* Set fcr - val only has the bits that are supposed to "stick" */
++ s->fcr = val;
++
++ if (val & UART_FCR_FE) {
++ s->iir |= UART_IIR_FE;
++ /* Set recv_fifo trigger Level */
++ switch (val & 0xC0) {
++ case UART_FCR_ITL_1:
++ s->recv_fifo_itl = 1;
++ break;
++ case UART_FCR_ITL_2:
++ s->recv_fifo_itl = 4;
++ break;
++ case UART_FCR_ITL_3:
++ s->recv_fifo_itl = 8;
++ break;
++ case UART_FCR_ITL_4:
++ s->recv_fifo_itl = 14;
++ break;
++ }
++ } else {
++ s->iir &= ~UART_IIR_FE;
++ }
++}
++
+ static void serial_ioport_write(void *opaque, hwaddr addr, uint64_t val,
+ unsigned size)
+ {
+@@ -351,21 +381,17 @@ static void serial_ioport_write(void *opaque, hwaddr addr, uint64_t val,
+ }
+ break;
+ case 2:
+- val = val & 0xFF;
+-
+- if (s->fcr == val)
+- break;
+-
+ /* Did the enable/disable flag change? If so, make sure FIFOs get flushed */
+- if ((val ^ s->fcr) & UART_FCR_FE)
++ if ((val ^ s->fcr) & UART_FCR_FE) {
+ val |= UART_FCR_XFR | UART_FCR_RFR;
++ }
+
+ /* FIFO clear */
+
+ if (val & UART_FCR_RFR) {
+ s->lsr &= ~(UART_LSR_DR | UART_LSR_BI);
+ qemu_del_timer(s->fifo_timeout_timer);
+- s->timeout_ipending=0;
++ s->timeout_ipending = 0;
+ fifo8_reset(&s->recv_fifo);
+ }
+
+@@ -375,28 +401,7 @@ static void serial_ioport_write(void *opaque, hwaddr addr, uint64_t val,
+ fifo8_reset(&s->xmit_fifo);
+ }
+
+- if (val & UART_FCR_FE) {
+- s->iir |= UART_IIR_FE;
+- /* Set recv_fifo trigger Level */
+- switch (val & 0xC0) {
+- case UART_FCR_ITL_1:
+- s->recv_fifo_itl = 1;
+- break;
+- case UART_FCR_ITL_2:
+- s->recv_fifo_itl = 4;
+- break;
+- case UART_FCR_ITL_3:
+- s->recv_fifo_itl = 8;
+- break;
+- case UART_FCR_ITL_4:
+- s->recv_fifo_itl = 14;
+- break;
+- }
+- } else
+- s->iir &= ~UART_IIR_FE;
+-
+- /* Set fcr - or at least the bits in it that are supposed to "stick" */
+- s->fcr = val & 0xC9;
++ serial_write_fcr(s, val & 0xC9);
+ serial_update_irq(s);
+ break;
+ case 3:
+@@ -617,6 +622,14 @@ static void serial_pre_save(void *opaque)
+ s->fcr_vmstate = s->fcr;
+ }
+
++static int serial_pre_load(void *opaque)
++{
++ SerialState *s = opaque;
++ s->thr_ipending = -1;
++ s->poll_msl = -1;
++ return 0;
++}
++
+ static int serial_post_load(void *opaque, int version_id)
+ {
+ SerialState *s = opaque;
+@@ -628,17 +641,159 @@ static int serial_post_load(void *opaque, int version_id)
+ s->tsr_retry = MAX_XMIT_RETRY;
+ }
+
++ if (s->thr_ipending == -1) {
++ s->thr_ipending = ((s->iir & UART_IIR_ID) == UART_IIR_THRI);
++ }
++ s->last_break_enable = (s->lcr >> 6) & 1;
+ /* Initialize fcr via setter to perform essential side-effects */
+- serial_ioport_write(s, 0x02, s->fcr_vmstate, 1);
++ serial_write_fcr(s, s->fcr_vmstate);
+ serial_update_parameters(s);
+ return 0;
+ }
+
++static bool serial_thr_ipending_needed(void *opaque)
++{
++#if 0
++ SerialState *s = opaque;
++ bool expected_value = ((s->iir & UART_IIR_ID) == UART_IIR_THRI);
++ return s->thr_ipending != expected_value;
++#else
++ /* for migration compatibility with RHEL <= 7.3 */
++ return 0;
++#endif
++}
++
++const VMStateDescription vmstate_serial_thr_ipending = {
++ .name = "serial/thr_ipending",
++ .version_id = 1,
++ .minimum_version_id = 1,
++ .fields = (VMStateField[]) {
++ VMSTATE_INT32(thr_ipending, SerialState),
++ VMSTATE_END_OF_LIST()
++ }
++};
++
++static bool serial_tsr_needed(void *opaque)
++{
++ SerialState *s = (SerialState *)opaque;
++ return s->tsr_retry != 0;
++}
++
++const VMStateDescription vmstate_serial_tsr = {
++ .name = "serial/tsr",
++ .version_id = 1,
++ .minimum_version_id = 1,
++ .fields = (VMStateField[]) {
++ VMSTATE_UINT32(tsr_retry, SerialState),
++ VMSTATE_UINT8(thr, SerialState),
++ VMSTATE_UINT8(tsr, SerialState),
++ VMSTATE_END_OF_LIST()
++ }
++};
++
++static bool serial_recv_fifo_needed(void *opaque)
++{
++ SerialState *s = (SerialState *)opaque;
++ return !fifo8_is_empty(&s->recv_fifo);
++
++}
++
++const VMStateDescription vmstate_serial_recv_fifo = {
++ .name = "serial/recv_fifo",
++ .version_id = 1,
++ .minimum_version_id = 1,
++ .fields = (VMStateField[]) {
++ VMSTATE_STRUCT(recv_fifo, SerialState, 1, vmstate_fifo8, Fifo8),
++ VMSTATE_END_OF_LIST()
++ }
++};
++
++static bool serial_xmit_fifo_needed(void *opaque)
++{
++ SerialState *s = (SerialState *)opaque;
++ return !fifo8_is_empty(&s->xmit_fifo);
++}
++
++const VMStateDescription vmstate_serial_xmit_fifo = {
++ .name = "serial/xmit_fifo",
++ .version_id = 1,
++ .minimum_version_id = 1,
++ .fields = (VMStateField[]) {
++ VMSTATE_STRUCT(xmit_fifo, SerialState, 1, vmstate_fifo8, Fifo8),
++ VMSTATE_END_OF_LIST()
++ }
++};
++
++static bool serial_fifo_timeout_timer_needed(void *opaque)
++{
++#if 0
++ SerialState *s = (SerialState *)opaque;
++ return timer_pending(s->fifo_timeout_timer);
++#else
++ /* for migration compatibility with RHEL <= 7.3 */
++ return 0;
++#endif
++}
++
++const VMStateDescription vmstate_serial_fifo_timeout_timer = {
++ .name = "serial/fifo_timeout_timer",
++ .version_id = 1,
++ .minimum_version_id = 1,
++ .fields = (VMStateField[]) {
++ VMSTATE_TIMER(fifo_timeout_timer, SerialState),
++ VMSTATE_END_OF_LIST()
++ }
++};
++
++static bool serial_timeout_ipending_needed(void *opaque)
++{
++#if 0
++ SerialState *s = (SerialState *)opaque;
++ return s->timeout_ipending != 0;
++#else
++ /* for migration compatibility with RHEL <= 7.3 */
++ return 0;
++#endif
++}
++
++const VMStateDescription vmstate_serial_timeout_ipending = {
++ .name = "serial/timeout_ipending",
++ .version_id = 1,
++ .minimum_version_id = 1,
++ .fields = (VMStateField[]) {
++ VMSTATE_INT32(timeout_ipending, SerialState),
++ VMSTATE_END_OF_LIST()
++ }
++};
++
++static bool serial_poll_needed(void *opaque)
++{
++#if 0
++ SerialState *s = (SerialState *)opaque;
++ return s->poll_msl >= 0;
++#else
++ /* for migration compatibility with RHEL <= 7.3 */
++ return 0;
++#endif
++}
++
++const VMStateDescription vmstate_serial_poll = {
++ .name = "serial/poll",
++ .version_id = 1,
++ .minimum_version_id = 1,
++ .fields = (VMStateField[]) {
++ VMSTATE_INT32(poll_msl, SerialState),
++ VMSTATE_TIMER(modem_status_poll, SerialState),
++ VMSTATE_END_OF_LIST()
++ }
++};
++
+ const VMStateDescription vmstate_serial = {
+ .name = "serial",
+ .version_id = 3,
+ .minimum_version_id = 2,
+ .pre_save = serial_pre_save,
++ .pre_load = serial_pre_load,
+ .post_load = serial_post_load,
+ .fields = (VMStateField []) {
+ VMSTATE_UINT16_V(divider, SerialState, 2),
+@@ -652,6 +807,32 @@ const VMStateDescription vmstate_serial = {
+ VMSTATE_UINT8(scr, SerialState),
+ VMSTATE_UINT8_V(fcr_vmstate, SerialState, 3),
+ VMSTATE_END_OF_LIST()
++ },
++ .subsections = (VMStateSubsection[]) {
++ {
++ .vmsd = &vmstate_serial_thr_ipending,
++ .needed = &serial_thr_ipending_needed,
++ } , {
++ .vmsd = &vmstate_serial_tsr,
++ .needed = &serial_tsr_needed,
++ } , {
++ .vmsd = &vmstate_serial_recv_fifo,
++ .needed = &serial_recv_fifo_needed,
++ } , {
++ .vmsd = &vmstate_serial_xmit_fifo,
++ .needed = &serial_xmit_fifo_needed,
++ } , {
++ .vmsd = &vmstate_serial_fifo_timeout_timer,
++ .needed = &serial_fifo_timeout_timer_needed,
++ } , {
++ .vmsd = &vmstate_serial_timeout_ipending,
++ .needed = &serial_timeout_ipending_needed,
++ } , {
++ .vmsd = &vmstate_serial_poll,
++ .needed = &serial_poll_needed,
++ } , {
++ /* empty */
++ }
+ }
+ };
+
+@@ -678,6 +859,10 @@ static void serial_reset(void *opaque)
+ s->char_transmit_time = (get_ticks_per_sec() / 9600) * 10;
+ s->poll_msl = 0;
+
++ s->timeout_ipending = 0;
++ qemu_del_timer(s->fifo_timeout_timer);
++ qemu_del_timer(s->modem_status_poll);
++
+ fifo8_reset(&s->recv_fifo);
+ fifo8_reset(&s->xmit_fifo);
+
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-serial-make-tsr_retry-unsigned.patch b/SOURCES/kvm-serial-make-tsr_retry-unsigned.patch
index 85fc949..be7cc03 100644
--- a/SOURCES/kvm-serial-make-tsr_retry-unsigned.patch
+++ b/SOURCES/kvm-serial-make-tsr_retry-unsigned.patch
@@ -1,15 +1,15 @@
-From fece1f0b57a8daa08e04338baab90202d75766ec Mon Sep 17 00:00:00 2001
+From 03b9104f9cf6c0b4f7b7976b987753afddb32599 Mon Sep 17 00:00:00 2001
From: Fam Zheng <famz@redhat.com>
-Date: Fri, 19 May 2017 00:35:20 +0200
+Date: Thu, 18 May 2017 09:21:28 +0200
Subject: [PATCH 15/18] serial: make tsr_retry unsigned
RH-Author: Fam Zheng <famz@redhat.com>
-Message-id: <20170519003523.21163-16-famz@redhat.com>
-Patchwork-id: 75371
-O-Subject: [RHEL-7.3.z qemu-kvm PATCH 15/18] serial: make tsr_retry unsigned
-Bugzilla: 1452332
+Message-id: <20170518092131.16571-16-famz@redhat.com>
+Patchwork-id: 75305
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v3 15/18] serial: make tsr_retry unsigned
+Bugzilla: 1451470
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
-RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>
From: Paolo Bonzini <pbonzini@redhat.com>
diff --git a/SOURCES/kvm-serial-only-resample-THR-interrupt-on-rising-edge-of.patch b/SOURCES/kvm-serial-only-resample-THR-interrupt-on-rising-edge-of.patch
index 2e30ae8..6c0dce6 100644
--- a/SOURCES/kvm-serial-only-resample-THR-interrupt-on-rising-edge-of.patch
+++ b/SOURCES/kvm-serial-only-resample-THR-interrupt-on-rising-edge-of.patch
@@ -1,16 +1,16 @@
-From 95388b9e0745ca0125012f050c53f651811b5189 Mon Sep 17 00:00:00 2001
+From 0c6d2ffcebff88c6cda738aa46fa77c09b93b78b Mon Sep 17 00:00:00 2001
From: Fam Zheng <famz@redhat.com>
-Date: Fri, 19 May 2017 00:35:19 +0200
+Date: Thu, 18 May 2017 09:21:27 +0200
Subject: [PATCH 14/18] serial: only resample THR interrupt on rising edge of
IER.THRI
RH-Author: Fam Zheng <famz@redhat.com>
-Message-id: <20170519003523.21163-15-famz@redhat.com>
-Patchwork-id: 75370
-O-Subject: [RHEL-7.3.z qemu-kvm PATCH 14/18] serial: only resample THR interrupt on rising edge of IER.THRI
-Bugzilla: 1452332
+Message-id: <20170518092131.16571-15-famz@redhat.com>
+Patchwork-id: 75304
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v3 14/18] serial: only resample THR interrupt on rising edge of IER.THRI
+Bugzilla: 1451470
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
-RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>
From: Paolo Bonzini <pbonzini@redhat.com>
diff --git a/SOURCES/kvm-serial-poll-the-serial-console-with-G_IO_HUP.patch b/SOURCES/kvm-serial-poll-the-serial-console-with-G_IO_HUP.patch
index ae0367b..cfb1898 100644
--- a/SOURCES/kvm-serial-poll-the-serial-console-with-G_IO_HUP.patch
+++ b/SOURCES/kvm-serial-poll-the-serial-console-with-G_IO_HUP.patch
@@ -1,18 +1,18 @@
-From 3ca9dc028e21f6e66e4ad21d6b2948e23691d2ae Mon Sep 17 00:00:00 2001
+From 4b71b3a9e37d06da2ecc48e06eea7e4a4ae1cfe9 Mon Sep 17 00:00:00 2001
From: Fam Zheng <famz@redhat.com>
-Date: Fri, 19 May 2017 00:35:12 +0200
+Date: Thu, 18 May 2017 09:21:20 +0200
Subject: [PATCH 07/18] serial: poll the serial console with G_IO_HUP
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Fam Zheng <famz@redhat.com>
-Message-id: <20170519003523.21163-8-famz@redhat.com>
-Patchwork-id: 75363
-O-Subject: [RHEL-7.3.z qemu-kvm PATCH 07/18] serial: poll the serial console with G_IO_HUP
-Bugzilla: 1452332
+Message-id: <20170518092131.16571-8-famz@redhat.com>
+Patchwork-id: 75297
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v3 07/18] serial: poll the serial console with G_IO_HUP
+Bugzilla: 1451470
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
-RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>
From: Roger Pau Monne <roger.pau@citrix.com>
diff --git a/SOURCES/kvm-serial-reinstate-watch-after-migration.patch b/SOURCES/kvm-serial-reinstate-watch-after-migration.patch
new file mode 100644
index 0000000..b18fcc0
--- /dev/null
+++ b/SOURCES/kvm-serial-reinstate-watch-after-migration.patch
@@ -0,0 +1,72 @@
+From ba96da130a625a71b574c1bb9f6027e3b8d655ab Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Fri, 9 Jun 2017 11:43:59 +0200
+Subject: [PATCH 4/6] serial: reinstate watch after migration
+
+RH-Author: Paolo Bonzini <pbonzini@redhat.com>
+Message-id: <20170609114359.13036-4-pbonzini@redhat.com>
+Patchwork-id: 75566
+O-Subject: [RHEL7.4 qemu-kvm PATCH v2 3/3] serial: reinstate watch after migration
+Bugzilla: 1452067
+RH-Acked-by: David Hildenbrand <david@redhat.com>
+RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+
+Otherwise, a serial port can get stuck if it is migrated while flow control
+is in effect.
+
+Tested-by: Bret Ketchum <bcketchum@gmail.com>
+Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 9f34a35e0020b0b2b2e21c086a486d7dfd18df4f)
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ hw/char/serial.c | 29 +++++++++++++++++++++++++----
+ 1 file changed, 25 insertions(+), 4 deletions(-)
+
+diff --git a/hw/char/serial.c b/hw/char/serial.c
+index 0518a6f..820960b 100644
+--- a/hw/char/serial.c
++++ b/hw/char/serial.c
+@@ -637,13 +637,34 @@ static int serial_post_load(void *opaque, int version_id)
+ if (version_id < 3) {
+ s->fcr_vmstate = 0;
+ }
+- if (s->tsr_retry > MAX_XMIT_RETRY) {
+- s->tsr_retry = MAX_XMIT_RETRY;
+- }
+-
+ if (s->thr_ipending == -1) {
+ s->thr_ipending = ((s->iir & UART_IIR_ID) == UART_IIR_THRI);
+ }
++
++ if (s->tsr_retry > 0) {
++ /* tsr_retry > 0 implies LSR.TEMT = 0 (transmitter not empty). */
++ if (s->lsr & UART_LSR_TEMT) {
++ error_report("inconsistent state in serial device "
++ "(tsr empty, tsr_retry=%d", s->tsr_retry);
++ return -1;
++ }
++
++ if (s->tsr_retry > MAX_XMIT_RETRY) {
++ s->tsr_retry = MAX_XMIT_RETRY;
++ }
++
++ assert(s->watch_tag == 0);
++ s->watch_tag = qemu_chr_fe_add_watch(s->chr, G_IO_OUT|G_IO_HUP,
++ serial_watch_cb, s);
++ } else {
++ /* tsr_retry == 0 implies LSR.TEMT = 1 (transmitter empty). */
++ if (!(s->lsr & UART_LSR_TEMT)) {
++ error_report("inconsistent state in serial device "
++ "(tsr not empty, tsr_retry=0");
++ return -1;
++ }
++ }
++
+ s->last_break_enable = (s->lcr >> 6) & 1;
+ /* Initialize fcr via setter to perform essential side-effects */
+ serial_write_fcr(s, s->fcr_vmstate);
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-serial-remove-watch-on-reset.patch b/SOURCES/kvm-serial-remove-watch-on-reset.patch
index a33f76c..4293ee6 100644
--- a/SOURCES/kvm-serial-remove-watch-on-reset.patch
+++ b/SOURCES/kvm-serial-remove-watch-on-reset.patch
@@ -1,15 +1,15 @@
-From ac39e63d788b8bcb748f08347312b0fccde7ce0e Mon Sep 17 00:00:00 2001
+From 768dddfbe60ecc3a9a920101aa755804f8a5700e Mon Sep 17 00:00:00 2001
From: Fam Zheng <famz@redhat.com>
-Date: Fri, 19 May 2017 00:35:23 +0200
+Date: Thu, 18 May 2017 09:21:31 +0200
Subject: [PATCH 18/18] serial: remove watch on reset
RH-Author: Fam Zheng <famz@redhat.com>
-Message-id: <20170519003523.21163-19-famz@redhat.com>
-Patchwork-id: 75373
-O-Subject: [RHEL-7.3.z qemu-kvm PATCH 18/18] serial: remove watch on reset
-Bugzilla: 1452332
+Message-id: <20170518092131.16571-19-famz@redhat.com>
+Patchwork-id: 75308
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v3 18/18] serial: remove watch on reset
+Bugzilla: 1451470
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
-RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>
From: Paolo Bonzini <pbonzini@redhat.com>
diff --git a/SOURCES/kvm-serial-reset-thri_pending-on-IER-writes-with-THRI-0.patch b/SOURCES/kvm-serial-reset-thri_pending-on-IER-writes-with-THRI-0.patch
index d7242e3..d04d626 100644
--- a/SOURCES/kvm-serial-reset-thri_pending-on-IER-writes-with-THRI-0.patch
+++ b/SOURCES/kvm-serial-reset-thri_pending-on-IER-writes-with-THRI-0.patch
@@ -1,15 +1,15 @@
-From 6d2a5ef7994e753197bb9653872601db4e6cff5d Mon Sep 17 00:00:00 2001
+From 09ff2706109ce647d1fe59e99f44f96810d80b7c Mon Sep 17 00:00:00 2001
From: Fam Zheng <famz@redhat.com>
-Date: Fri, 19 May 2017 00:35:16 +0200
+Date: Thu, 18 May 2017 09:21:24 +0200
Subject: [PATCH 11/18] serial: reset thri_pending on IER writes with THRI=0
RH-Author: Fam Zheng <famz@redhat.com>
-Message-id: <20170519003523.21163-12-famz@redhat.com>
-Patchwork-id: 75365
-O-Subject: [RHEL-7.3.z qemu-kvm PATCH 11/18] serial: reset thri_pending on IER writes with THRI=0
-Bugzilla: 1452332
+Message-id: <20170518092131.16571-12-famz@redhat.com>
+Patchwork-id: 75302
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v3 11/18] serial: reset thri_pending on IER writes with THRI=0
+Bugzilla: 1451470
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
-RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>
From: Paolo Bonzini <pbonzini@redhat.com>
diff --git a/SOURCES/kvm-serial-separate-serial_xmit-and-serial_watch_cb.patch b/SOURCES/kvm-serial-separate-serial_xmit-and-serial_watch_cb.patch
index 698096f..79df988 100644
--- a/SOURCES/kvm-serial-separate-serial_xmit-and-serial_watch_cb.patch
+++ b/SOURCES/kvm-serial-separate-serial_xmit-and-serial_watch_cb.patch
@@ -1,15 +1,15 @@
-From 2600e8a94c5434d07e820c7cf5bcd62d69849099 Mon Sep 17 00:00:00 2001
+From 8497b21c6dabe117b27d76f3bdbd86d80b0dd1d7 Mon Sep 17 00:00:00 2001
From: Fam Zheng <famz@redhat.com>
-Date: Fri, 19 May 2017 00:35:22 +0200
+Date: Thu, 18 May 2017 09:21:30 +0200
Subject: [PATCH 17/18] serial: separate serial_xmit and serial_watch_cb
RH-Author: Fam Zheng <famz@redhat.com>
-Message-id: <20170519003523.21163-18-famz@redhat.com>
-Patchwork-id: 75368
-O-Subject: [RHEL-7.3.z qemu-kvm PATCH 17/18] serial: separate serial_xmit and serial_watch_cb
-Bugzilla: 1452332
+Message-id: <20170518092131.16571-18-famz@redhat.com>
+Patchwork-id: 75309
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v3 17/18] serial: separate serial_xmit and serial_watch_cb
+Bugzilla: 1451470
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
-RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>
From: Paolo Bonzini <pbonzini@redhat.com>
diff --git a/SOURCES/kvm-serial-simplify-tsr_retry-reset.patch b/SOURCES/kvm-serial-simplify-tsr_retry-reset.patch
index 1325ff3..f61be2c 100644
--- a/SOURCES/kvm-serial-simplify-tsr_retry-reset.patch
+++ b/SOURCES/kvm-serial-simplify-tsr_retry-reset.patch
@@ -1,15 +1,15 @@
-From 4a5819d1786be74df4b2393f72d6901e05d0eb4a Mon Sep 17 00:00:00 2001
+From 8f143ae501a5bd1010dc4526ff8e0e85c4d2baf1 Mon Sep 17 00:00:00 2001
From: Fam Zheng <famz@redhat.com>
-Date: Fri, 19 May 2017 00:35:21 +0200
+Date: Thu, 18 May 2017 09:21:29 +0200
Subject: [PATCH 16/18] serial: simplify tsr_retry reset
RH-Author: Fam Zheng <famz@redhat.com>
-Message-id: <20170519003523.21163-17-famz@redhat.com>
-Patchwork-id: 75372
-O-Subject: [RHEL-7.3.z qemu-kvm PATCH 16/18] serial: simplify tsr_retry reset
-Bugzilla: 1452332
+Message-id: <20170518092131.16571-17-famz@redhat.com>
+Patchwork-id: 75307
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v3 16/18] serial: simplify tsr_retry reset
+Bugzilla: 1451470
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
-RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>
From: Paolo Bonzini <pbonzini@redhat.com>
diff --git a/SOURCES/kvm-serial-update-LSR-on-enabling-disabling-FIFOs.patch b/SOURCES/kvm-serial-update-LSR-on-enabling-disabling-FIFOs.patch
index f4b8523..7a61ec1 100644
--- a/SOURCES/kvm-serial-update-LSR-on-enabling-disabling-FIFOs.patch
+++ b/SOURCES/kvm-serial-update-LSR-on-enabling-disabling-FIFOs.patch
@@ -1,15 +1,15 @@
-From 727ebf3f24a6f519aab1306bad6e63014c76aec5 Mon Sep 17 00:00:00 2001
+From d6acc0368578932ee6a2949054a6f640a5b6fa09 Mon Sep 17 00:00:00 2001
From: Fam Zheng <famz@redhat.com>
-Date: Fri, 19 May 2017 00:35:18 +0200
+Date: Thu, 18 May 2017 09:21:26 +0200
Subject: [PATCH 13/18] serial: update LSR on enabling/disabling FIFOs
RH-Author: Fam Zheng <famz@redhat.com>
-Message-id: <20170519003523.21163-14-famz@redhat.com>
-Patchwork-id: 75369
-O-Subject: [RHEL-7.3.z qemu-kvm PATCH 13/18] serial: update LSR on enabling/disabling FIFOs
-Bugzilla: 1452332
+Message-id: <20170518092131.16571-14-famz@redhat.com>
+Patchwork-id: 75306
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v3 13/18] serial: update LSR on enabling/disabling FIFOs
+Bugzilla: 1451470
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
-RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>
From: Paolo Bonzini <pbonzini@redhat.com>
diff --git a/SOURCES/kvm-spice-fix-spice_chr_add_watch-pre-condition.patch b/SOURCES/kvm-spice-fix-spice_chr_add_watch-pre-condition.patch
index 35d702b..d184899 100644
--- a/SOURCES/kvm-spice-fix-spice_chr_add_watch-pre-condition.patch
+++ b/SOURCES/kvm-spice-fix-spice_chr_add_watch-pre-condition.patch
@@ -1,19 +1,19 @@
-From 9b379db2f11257f5ef88979fdf9660eaa0ad6b4b Mon Sep 17 00:00:00 2001
-From: Fam Zheng <famz@redhat.com>
-Date: Tue, 6 Jun 2017 06:16:56 +0200
+From a88811fcdd3dbc600a669eed0b106a5bf8f6b907 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
+Date: Wed, 31 May 2017 08:09:49 +0200
Subject: [PATCH] spice: fix spice_chr_add_watch() pre-condition
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
-RH-Author: Fam Zheng <famz@redhat.com>
-Message-id: <20170606061656.29212-2-famz@redhat.com>
-Patchwork-id: 75488
-O-Subject: [RHEL-7.3.z qemu-kvm PATCH 1/1] spice: fix spice_chr_add_watch() pre-condition
-Bugzilla: 1452332
-RH-Acked-by: John Snow <jsnow@redhat.com>
+RH-Author: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-id: <20170531080949.17102-1-marcandre.lureau@redhat.com>
+Patchwork-id: 75440
+O-Subject: [RHEL-7.4 qemu-kvm PATCH] spice: fix spice_chr_add_watch() pre-condition
+Bugzilla: 1456983
+RH-Acked-by: Fam Zheng <famz@redhat.com>
RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>
-RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+RH-Acked-by: John Snow <jsnow@redhat.com>
From: Marc-André Lureau <marcandre.lureau@gmail.com>
@@ -24,18 +24,25 @@ precondition must be changed.
https://bugzilla.redhat.com/show_bug.cgi?id=1128992
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1456983
+Brew: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=13310981
+
+"serial: poll the serial console with G_IO_HUP" was backported without
+the Spice related fix.
+
(cherry picked from commit f7a8beb5e6a13dc924895244777d9ef08b23b367)
-Signed-off-by: Fam Zheng <famz@redhat.com>
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
spice-qemu-char.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/spice-qemu-char.c b/spice-qemu-char.c
-index 6d147a7..079c214 100644
+index cd51f3c..02c568c 100644
--- a/spice-qemu-char.c
+++ b/spice-qemu-char.c
-@@ -171,7 +171,7 @@ static GSource *spice_chr_add_watch(CharDriverState *chr, GIOCondition cond)
+@@ -170,7 +170,7 @@ static GSource *spice_chr_add_watch(CharDriverState *chr, GIOCondition cond)
SpiceCharDriver *scd = chr->opaque;
SpiceCharSource *src;
diff --git a/SOURCES/kvm-spice-remove-spice-experimental.h-include.patch b/SOURCES/kvm-spice-remove-spice-experimental.h-include.patch
new file mode 100644
index 0000000..37f1f57
--- /dev/null
+++ b/SOURCES/kvm-spice-remove-spice-experimental.h-include.patch
@@ -0,0 +1,58 @@
+From 8ed773749fd59ff4036ded5ad106de027f92cefe Mon Sep 17 00:00:00 2001
+From: Miroslav Rezanina <mrezanin@redhat.com>
+Date: Thu, 9 Mar 2017 06:12:04 +0100
+Subject: [PATCH 16/17] spice: remove spice-experimental.h include
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Miroslav Rezanina <mrezanin@redhat.com>
+Message-id: <ed3cc22a1061a82e508c44c2c4b045997185c0e1.1489039263.git.mrezanin@redhat.com>
+Patchwork-id: 74258
+O-Subject: [RHEL-7.4 qemu-kvm PATCH 1/2] spice: remove spice-experimental.h include
+Bugzilla: 1430606
+RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
+RH-Acked-by: Marc-André Lureau <mlureau@redhat.com>
+RH-Acked-by: David Hildenbrand <david@redhat.com>
+
+From: Marc-André Lureau <marcandre.lureau@gmail.com>
+
+Nothing seems to be using functions from spice-experimental.h (better
+that way). Let's remove its inclusion.
+
+Signed-off-by: Marc-André Lureau <marcandre.lureau@gmail.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit e0883e2de0ef36f254acc274e80ddeac13a2a8f6)
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ spice-qemu-char.c | 1 -
+ ui/spice-core.c | 1 -
+ 2 files changed, 2 deletions(-)
+
+diff --git a/spice-qemu-char.c b/spice-qemu-char.c
+index 6d147a7..cd51f3c 100644
+--- a/spice-qemu-char.c
++++ b/spice-qemu-char.c
+@@ -3,7 +3,6 @@
+ #include "ui/qemu-spice.h"
+ #include "sysemu/char.h"
+ #include <spice.h>
+-#include <spice-experimental.h>
+ #include <spice/protocol.h>
+
+ #include "qemu/osdep.h"
+diff --git a/ui/spice-core.c b/ui/spice-core.c
+index 8d6e726..0585267 100644
+--- a/ui/spice-core.c
++++ b/ui/spice-core.c
+@@ -16,7 +16,6 @@
+ */
+
+ #include <spice.h>
+-#include <spice-experimental.h>
+
+ #include <netdb.h>
+ #include "sysemu/sysemu.h"
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-spice-replace-use-of-deprecated-API.patch b/SOURCES/kvm-spice-replace-use-of-deprecated-API.patch
new file mode 100644
index 0000000..e9ab192
--- /dev/null
+++ b/SOURCES/kvm-spice-replace-use-of-deprecated-API.patch
@@ -0,0 +1,179 @@
+From 43d3585ba869c97c46cffc3c9fd7e46885d539c0 Mon Sep 17 00:00:00 2001
+From: Miroslav Rezanina <mrezanin@redhat.com>
+Date: Thu, 9 Mar 2017 06:12:05 +0100
+Subject: [PATCH 17/17] spice: replace use of deprecated API
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Miroslav Rezanina <mrezanin@redhat.com>
+Message-id: <4696b589a948f544ea081abeb496cb383a466020.1489039263.git.mrezanin@redhat.com>
+Patchwork-id: 74259
+O-Subject: [RHEL-7.4 qemu-kvm PATCH 2/2] spice: replace use of deprecated API
+Bugzilla: 1430606
+RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
+RH-Acked-by: Marc-André Lureau <mlureau@redhat.com>
+RH-Acked-by: David Hildenbrand <david@redhat.com>
+
+From: Marc-André Lureau <marcandre.lureau@gmail.com>
+
+hose API are deprecated since 0.11, and qemu depends on 0.12 already.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit 26defe81f6a878f33e0aaeb1df4d0d7022c929ca)
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ hw/display/qxl.c | 16 ++++++++--------
+ ui/spice-core.c | 15 +++++++--------
+ ui/spice-display.c | 10 +++++-----
+ 3 files changed, 20 insertions(+), 21 deletions(-)
+
+diff --git a/hw/display/qxl.c b/hw/display/qxl.c
+index c76c237..0a755df 100644
+--- a/hw/display/qxl.c
++++ b/hw/display/qxl.c
+@@ -162,7 +162,7 @@ void qxl_spice_update_area(PCIQXLDevice *qxl, uint32_t surface_id,
+ trace_qxl_spice_update_area_rest(qxl->id, num_dirty_rects,
+ clear_dirty_region);
+ if (async == QXL_SYNC) {
+- qxl->ssd.worker->update_area(qxl->ssd.worker, surface_id, area,
++ spice_qxl_update_area(&qxl->ssd.qxl, surface_id, area,
+ dirty_rects, num_dirty_rects, clear_dirty_region);
+ } else {
+ assert(cookie != NULL);
+@@ -193,7 +193,7 @@ static void qxl_spice_destroy_surface_wait(PCIQXLDevice *qxl, uint32_t id,
+ cookie->u.surface_id = id;
+ spice_qxl_destroy_surface_async(&qxl->ssd.qxl, id, (uintptr_t)cookie);
+ } else {
+- qxl->ssd.worker->destroy_surface_wait(qxl->ssd.worker, id);
++ spice_qxl_destroy_surface_wait(&qxl->ssd.qxl, id);
+ qxl_spice_destroy_surface_wait_complete(qxl, id);
+ }
+ }
+@@ -211,19 +211,19 @@ void qxl_spice_loadvm_commands(PCIQXLDevice *qxl, struct QXLCommandExt *ext,
+ uint32_t count)
+ {
+ trace_qxl_spice_loadvm_commands(qxl->id, ext, count);
+- qxl->ssd.worker->loadvm_commands(qxl->ssd.worker, ext, count);
++ spice_qxl_loadvm_commands(&qxl->ssd.qxl, ext, count);
+ }
+
+ void qxl_spice_oom(PCIQXLDevice *qxl)
+ {
+ trace_qxl_spice_oom(qxl->id);
+- qxl->ssd.worker->oom(qxl->ssd.worker);
++ spice_qxl_oom(&qxl->ssd.qxl);
+ }
+
+ void qxl_spice_reset_memslots(PCIQXLDevice *qxl)
+ {
+ trace_qxl_spice_reset_memslots(qxl->id);
+- qxl->ssd.worker->reset_memslots(qxl->ssd.worker);
++ spice_qxl_reset_memslots(&qxl->ssd.qxl);
+ }
+
+ static void qxl_spice_destroy_surfaces_complete(PCIQXLDevice *qxl)
+@@ -244,7 +244,7 @@ static void qxl_spice_destroy_surfaces(PCIQXLDevice *qxl, qxl_async_io async)
+ (uintptr_t)qxl_cookie_new(QXL_COOKIE_TYPE_IO,
+ QXL_IO_DESTROY_ALL_SURFACES_ASYNC));
+ } else {
+- qxl->ssd.worker->destroy_surfaces(qxl->ssd.worker);
++ spice_qxl_destroy_surfaces(&qxl->ssd.qxl);
+ qxl_spice_destroy_surfaces_complete(qxl);
+ }
+ }
+@@ -283,13 +283,13 @@ static void qxl_spice_monitors_config_async(PCIQXLDevice *qxl, int replay)
+ void qxl_spice_reset_image_cache(PCIQXLDevice *qxl)
+ {
+ trace_qxl_spice_reset_image_cache(qxl->id);
+- qxl->ssd.worker->reset_image_cache(qxl->ssd.worker);
++ spice_qxl_reset_image_cache(&qxl->ssd.qxl);
+ }
+
+ void qxl_spice_reset_cursor(PCIQXLDevice *qxl)
+ {
+ trace_qxl_spice_reset_cursor(qxl->id);
+- qxl->ssd.worker->reset_cursor(qxl->ssd.worker);
++ spice_qxl_reset_cursor(&qxl->ssd.qxl);
+ qemu_mutex_lock(&qxl->track_lock);
+ qxl->guest_cursor = 0;
+ qemu_mutex_unlock(&qxl->track_lock);
+diff --git a/ui/spice-core.c b/ui/spice-core.c
+index 0585267..0cd60f3 100644
+--- a/ui/spice-core.c
++++ b/ui/spice-core.c
+@@ -383,17 +383,16 @@ static SpiceChannelList *qmp_query_spice_channels(void)
+ struct sockaddr *paddr;
+ socklen_t plen;
+
++ if (!(item->info->flags & SPICE_CHANNEL_EVENT_FLAG_ADDR_EXT)) {
++ error_report("invalid channel event");
++ return NULL;
++ }
++
+ chan = g_malloc0(sizeof(*chan));
+ chan->value = g_malloc0(sizeof(*chan->value));
+
+- if (item->info->flags & SPICE_CHANNEL_EVENT_FLAG_ADDR_EXT) {
+- paddr = (struct sockaddr *)&item->info->paddr_ext;
+- plen = item->info->plen_ext;
+- } else {
+- paddr = &item->info->paddr;
+- plen = item->info->plen;
+- }
+-
++ paddr = (struct sockaddr *)&item->info->paddr_ext;
++ plen = item->info->plen_ext;
+ getnameinfo(paddr, plen,
+ host, sizeof(host), port, sizeof(port),
+ NI_NUMERICHOST | NI_NUMERICSERV);
+diff --git a/ui/spice-display.c b/ui/spice-display.c
+index d29d2ab..e2c24a9 100644
+--- a/ui/spice-display.c
++++ b/ui/spice-display.c
+@@ -83,14 +83,14 @@ void qemu_spice_add_memslot(SimpleSpiceDisplay *ssd, QXLDevMemSlot *memslot,
+ (uintptr_t)qxl_cookie_new(QXL_COOKIE_TYPE_IO,
+ QXL_IO_MEMSLOT_ADD_ASYNC));
+ } else {
+- ssd->worker->add_memslot(ssd->worker, memslot);
++ spice_qxl_add_memslot(&ssd->qxl, memslot);
+ }
+ }
+
+ void qemu_spice_del_memslot(SimpleSpiceDisplay *ssd, uint32_t gid, uint32_t sid)
+ {
+ trace_qemu_spice_del_memslot(ssd->qxl.id, gid, sid);
+- ssd->worker->del_memslot(ssd->worker, gid, sid);
++ spice_qxl_del_memslot(&ssd->qxl, gid, sid);
+ }
+
+ void qemu_spice_create_primary_surface(SimpleSpiceDisplay *ssd, uint32_t id,
+@@ -103,7 +103,7 @@ void qemu_spice_create_primary_surface(SimpleSpiceDisplay *ssd, uint32_t id,
+ (uintptr_t)qxl_cookie_new(QXL_COOKIE_TYPE_IO,
+ QXL_IO_CREATE_PRIMARY_ASYNC));
+ } else {
+- ssd->worker->create_primary_surface(ssd->worker, id, surface);
++ spice_qxl_create_primary_surface(&ssd->qxl, id, surface);
+ }
+ }
+
+@@ -116,14 +116,14 @@ void qemu_spice_destroy_primary_surface(SimpleSpiceDisplay *ssd,
+ (uintptr_t)qxl_cookie_new(QXL_COOKIE_TYPE_IO,
+ QXL_IO_DESTROY_PRIMARY_ASYNC));
+ } else {
+- ssd->worker->destroy_primary_surface(ssd->worker, id);
++ spice_qxl_destroy_primary_surface(&ssd->qxl, id);
+ }
+ }
+
+ void qemu_spice_wakeup(SimpleSpiceDisplay *ssd)
+ {
+ trace_qemu_spice_wakeup(ssd->qxl.id);
+- ssd->worker->wakeup(ssd->worker);
++ spice_qxl_wakeup(&ssd->qxl);
+ }
+
+ static void qemu_spice_create_one_update(SimpleSpiceDisplay *ssd,
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-target-i386-Define-TCG_-_FEATURES-earlier-in-cpu.c.patch b/SOURCES/kvm-target-i386-Define-TCG_-_FEATURES-earlier-in-cpu.c.patch
new file mode 100644
index 0000000..0fcd889
--- /dev/null
+++ b/SOURCES/kvm-target-i386-Define-TCG_-_FEATURES-earlier-in-cpu.c.patch
@@ -0,0 +1,171 @@
+From 30c05c032f0af4e959b304f5223dbaf331955488 Mon Sep 17 00:00:00 2001
+From: Eduardo Habkost <ehabkost@redhat.com>
+Date: Thu, 23 Feb 2017 14:29:43 +0100
+Subject: [PATCH 13/17] target-i386: Define TCG_*_FEATURES earlier in cpu.c
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Eduardo Habkost <ehabkost@redhat.com>
+Message-id: <20170223142945.17790-13-ehabkost@redhat.com>
+Patchwork-id: 74042
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v2 12/14] target-i386: Define TCG_*_FEATURES earlier in cpu.c
+Bugzilla: 1382122
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+Those macros will be used in the feature_word_info array data, so need
+to be defined earlier.
+
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+Signed-off-by: Andreas Färber <afaerber@suse.de>
+(cherry picked from commit 621626ce7d44f008298c7e6cfefa9fbb80a33dc2)
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ target-i386/cpu.c | 121 +++++++++++++++++++++++++++---------------------------
+ 1 file changed, 61 insertions(+), 60 deletions(-)
+
+diff --git a/target-i386/cpu.c b/target-i386/cpu.c
+index e6821b6..d611062 100644
+--- a/target-i386/cpu.c
++++ b/target-i386/cpu.c
+@@ -187,6 +187,67 @@ static const char *cpuid_xsave_feature_name[] = {
+ NULL, NULL, NULL, NULL,
+ };
+
++#define I486_FEATURES (CPUID_FP87 | CPUID_VME | CPUID_PSE)
++#define PENTIUM_FEATURES (I486_FEATURES | CPUID_DE | CPUID_TSC | \
++ CPUID_MSR | CPUID_MCE | CPUID_CX8 | CPUID_MMX | CPUID_APIC)
++#define PENTIUM2_FEATURES (PENTIUM_FEATURES | CPUID_PAE | CPUID_SEP | \
++ CPUID_MTRR | CPUID_PGE | CPUID_MCA | CPUID_CMOV | CPUID_PAT | \
++ CPUID_PSE36 | CPUID_FXSR)
++#define PENTIUM3_FEATURES (PENTIUM2_FEATURES | CPUID_SSE)
++#define PPRO_FEATURES (CPUID_FP87 | CPUID_DE | CPUID_PSE | CPUID_TSC | \
++ CPUID_MSR | CPUID_MCE | CPUID_CX8 | CPUID_PGE | CPUID_CMOV | \
++ CPUID_PAT | CPUID_FXSR | CPUID_MMX | CPUID_SSE | CPUID_SSE2 | \
++ CPUID_PAE | CPUID_SEP | CPUID_APIC)
++
++#define TCG_FEATURES (CPUID_FP87 | CPUID_PSE | CPUID_TSC | CPUID_MSR | \
++ CPUID_PAE | CPUID_MCE | CPUID_CX8 | CPUID_APIC | CPUID_SEP | \
++ CPUID_MTRR | CPUID_PGE | CPUID_MCA | CPUID_CMOV | CPUID_PAT | \
++ CPUID_PSE36 | CPUID_CLFLUSH | CPUID_ACPI | CPUID_MMX | \
++ CPUID_FXSR | CPUID_SSE | CPUID_SSE2 | CPUID_SS)
++ /* partly implemented:
++ CPUID_MTRR, CPUID_MCA, CPUID_CLFLUSH (needed for Win64)
++ CPUID_PSE36 (needed for Solaris) */
++ /* missing:
++ CPUID_VME, CPUID_DTS, CPUID_SS, CPUID_HT, CPUID_TM, CPUID_PBE */
++#define TCG_EXT_FEATURES (CPUID_EXT_SSE3 | CPUID_EXT_PCLMULQDQ | \
++ CPUID_EXT_MONITOR | CPUID_EXT_SSSE3 | CPUID_EXT_CX16 | \
++ CPUID_EXT_SSE41 | CPUID_EXT_SSE42 | CPUID_EXT_POPCNT | \
++ CPUID_EXT_MOVBE | CPUID_EXT_AES | CPUID_EXT_HYPERVISOR)
++ /* missing:
++ CPUID_EXT_DTES64, CPUID_EXT_DSCPL, CPUID_EXT_VMX, CPUID_EXT_SMX,
++ CPUID_EXT_EST, CPUID_EXT_TM2, CPUID_EXT_CID, CPUID_EXT_FMA,
++ CPUID_EXT_XTPR, CPUID_EXT_PDCM, CPUID_EXT_PCID, CPUID_EXT_DCA,
++ CPUID_EXT_X2APIC, CPUID_EXT_TSC_DEADLINE_TIMER, CPUID_EXT_XSAVE,
++ CPUID_EXT_OSXSAVE, CPUID_EXT_AVX, CPUID_EXT_F16C,
++ CPUID_EXT_RDRAND */
++
++#ifdef TARGET_X86_64
++#define TCG_EXT2_X86_64_FEATURES (CPUID_EXT2_SYSCALL | CPUID_EXT2_LM)
++#else
++#define TCG_EXT2_X86_64_FEATURES 0
++#endif
++
++#define TCG_EXT2_FEATURES ((TCG_FEATURES & CPUID_EXT2_AMD_ALIASES) | \
++ CPUID_EXT2_NX | CPUID_EXT2_MMXEXT | CPUID_EXT2_RDTSCP | \
++ CPUID_EXT2_3DNOW | CPUID_EXT2_3DNOWEXT | \
++ TCG_EXT2_X86_64_FEATURES)
++ /* missing:
++ CPUID_EXT2_PDPE1GB */
++#define TCG_EXT3_FEATURES (CPUID_EXT3_LAHF_LM | CPUID_EXT3_SVM | \
++ CPUID_EXT3_CR8LEG | CPUID_EXT3_ABM | CPUID_EXT3_SSE4A)
++#define TCG_EXT4_FEATURES 0
++#define TCG_SVM_FEATURES 0
++#define TCG_KVM_FEATURES 0
++#define TCG_7_0_EBX_FEATURES (CPUID_7_0_EBX_SMEP | CPUID_7_0_EBX_SMAP | \
++ CPUID_7_0_EBX_BMI1 | CPUID_7_0_EBX_BMI2 | CPUID_7_0_EBX_ADX)
++ /* missing:
++ CPUID_7_0_EBX_FSGSBASE, CPUID_7_0_EBX_HLE, CPUID_7_0_EBX_AVX2,
++ CPUID_7_0_EBX_ERMS, CPUID_7_0_EBX_INVPCID, CPUID_7_0_EBX_RTM,
++ CPUID_7_0_EBX_RDSEED */
++#define TCG_7_0_ECX_FEATURES 0
++#define TCG_7_0_EDX_FEATURES 0
++
++
+ typedef struct FeatureWordInfo {
+ const char **feat_names;
+ uint32_t cpuid_eax; /* Input EAX for CPUID */
+@@ -453,66 +514,6 @@ typedef struct x86_def_t {
+ char model_id[48];
+ } x86_def_t;
+
+-#define I486_FEATURES (CPUID_FP87 | CPUID_VME | CPUID_PSE)
+-#define PENTIUM_FEATURES (I486_FEATURES | CPUID_DE | CPUID_TSC | \
+- CPUID_MSR | CPUID_MCE | CPUID_CX8 | CPUID_MMX | CPUID_APIC)
+-#define PENTIUM2_FEATURES (PENTIUM_FEATURES | CPUID_PAE | CPUID_SEP | \
+- CPUID_MTRR | CPUID_PGE | CPUID_MCA | CPUID_CMOV | CPUID_PAT | \
+- CPUID_PSE36 | CPUID_FXSR)
+-#define PENTIUM3_FEATURES (PENTIUM2_FEATURES | CPUID_SSE)
+-#define PPRO_FEATURES (CPUID_FP87 | CPUID_DE | CPUID_PSE | CPUID_TSC | \
+- CPUID_MSR | CPUID_MCE | CPUID_CX8 | CPUID_PGE | CPUID_CMOV | \
+- CPUID_PAT | CPUID_FXSR | CPUID_MMX | CPUID_SSE | CPUID_SSE2 | \
+- CPUID_PAE | CPUID_SEP | CPUID_APIC)
+-
+-#define TCG_FEATURES (CPUID_FP87 | CPUID_PSE | CPUID_TSC | CPUID_MSR | \
+- CPUID_PAE | CPUID_MCE | CPUID_CX8 | CPUID_APIC | CPUID_SEP | \
+- CPUID_MTRR | CPUID_PGE | CPUID_MCA | CPUID_CMOV | CPUID_PAT | \
+- CPUID_PSE36 | CPUID_CLFLUSH | CPUID_ACPI | CPUID_MMX | \
+- CPUID_FXSR | CPUID_SSE | CPUID_SSE2 | CPUID_SS)
+- /* partly implemented:
+- CPUID_MTRR, CPUID_MCA, CPUID_CLFLUSH (needed for Win64)
+- CPUID_PSE36 (needed for Solaris) */
+- /* missing:
+- CPUID_VME, CPUID_DTS, CPUID_SS, CPUID_HT, CPUID_TM, CPUID_PBE */
+-#define TCG_EXT_FEATURES (CPUID_EXT_SSE3 | CPUID_EXT_PCLMULQDQ | \
+- CPUID_EXT_MONITOR | CPUID_EXT_SSSE3 | CPUID_EXT_CX16 | \
+- CPUID_EXT_SSE41 | CPUID_EXT_SSE42 | CPUID_EXT_POPCNT | \
+- CPUID_EXT_MOVBE | CPUID_EXT_AES | CPUID_EXT_HYPERVISOR)
+- /* missing:
+- CPUID_EXT_DTES64, CPUID_EXT_DSCPL, CPUID_EXT_VMX, CPUID_EXT_SMX,
+- CPUID_EXT_EST, CPUID_EXT_TM2, CPUID_EXT_CID, CPUID_EXT_FMA,
+- CPUID_EXT_XTPR, CPUID_EXT_PDCM, CPUID_EXT_PCID, CPUID_EXT_DCA,
+- CPUID_EXT_X2APIC, CPUID_EXT_TSC_DEADLINE_TIMER, CPUID_EXT_XSAVE,
+- CPUID_EXT_OSXSAVE, CPUID_EXT_AVX, CPUID_EXT_F16C,
+- CPUID_EXT_RDRAND */
+-
+-#ifdef TARGET_X86_64
+-#define TCG_EXT2_X86_64_FEATURES (CPUID_EXT2_SYSCALL | CPUID_EXT2_LM)
+-#else
+-#define TCG_EXT2_X86_64_FEATURES 0
+-#endif
+-
+-#define TCG_EXT2_FEATURES ((TCG_FEATURES & CPUID_EXT2_AMD_ALIASES) | \
+- CPUID_EXT2_NX | CPUID_EXT2_MMXEXT | CPUID_EXT2_RDTSCP | \
+- CPUID_EXT2_3DNOW | CPUID_EXT2_3DNOWEXT | \
+- TCG_EXT2_X86_64_FEATURES)
+- /* missing:
+- CPUID_EXT2_PDPE1GB */
+-#define TCG_EXT3_FEATURES (CPUID_EXT3_LAHF_LM | CPUID_EXT3_SVM | \
+- CPUID_EXT3_CR8LEG | CPUID_EXT3_ABM | CPUID_EXT3_SSE4A)
+-#define TCG_EXT4_FEATURES 0
+-#define TCG_SVM_FEATURES 0
+-#define TCG_KVM_FEATURES 0
+-#define TCG_7_0_EBX_FEATURES (CPUID_7_0_EBX_SMEP | CPUID_7_0_EBX_SMAP | \
+- CPUID_7_0_EBX_BMI1 | CPUID_7_0_EBX_BMI2 | CPUID_7_0_EBX_ADX)
+- /* missing:
+- CPUID_7_0_EBX_FSGSBASE, CPUID_7_0_EBX_HLE, CPUID_7_0_EBX_AVX2,
+- CPUID_7_0_EBX_ERMS, CPUID_7_0_EBX_INVPCID, CPUID_7_0_EBX_RTM,
+- CPUID_7_0_EBX_RDSEED */
+-#define TCG_7_0_ECX_FEATURES 0
+-#define TCG_7_0_EDX_FEATURES 0
+-
+ /* built-in CPU model definitions
+ */
+ static x86_def_t builtin_x86_defs[] = {
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-target-i386-Filter-FEAT_7_0_EBX-TCG-features-too.patch b/SOURCES/kvm-target-i386-Filter-FEAT_7_0_EBX-TCG-features-too.patch
new file mode 100644
index 0000000..0752c5f
--- /dev/null
+++ b/SOURCES/kvm-target-i386-Filter-FEAT_7_0_EBX-TCG-features-too.patch
@@ -0,0 +1,56 @@
+From 65c528e40cc9e6d3d887fd79284d465bb482bbe2 Mon Sep 17 00:00:00 2001
+From: Eduardo Habkost <ehabkost@redhat.com>
+Date: Thu, 23 Feb 2017 14:29:41 +0100
+Subject: [PATCH 11/17] target-i386: Filter FEAT_7_0_EBX TCG features too
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Eduardo Habkost <ehabkost@redhat.com>
+Message-id: <20170223142945.17790-11-ehabkost@redhat.com>
+Patchwork-id: 74044
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v2 10/14] target-i386: Filter FEAT_7_0_EBX TCG features too
+Bugzilla: 1382122
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+The TCG_7_0_EBX_FEATURES macro was defined but never used (it even had a
+typo that was never noticed). Make the existing TCG feature filtering
+code use it.
+
+Reviewed-by: Richard Henderson <rth@twiddle.net>
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Andreas Färber <afaerber@suse.de>
+(cherry picked from commit d0a70f46fa9a3257089a56f2f620b0eff868557f)
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ target-i386/cpu.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/target-i386/cpu.c b/target-i386/cpu.c
+index e32d4d7..d424211 100644
+--- a/target-i386/cpu.c
++++ b/target-i386/cpu.c
+@@ -502,7 +502,7 @@ typedef struct x86_def_t {
+ #define TCG_EXT3_FEATURES (CPUID_EXT3_LAHF_LM | CPUID_EXT3_SVM | \
+ CPUID_EXT3_CR8LEG | CPUID_EXT3_ABM | CPUID_EXT3_SSE4A)
+ #define TCG_SVM_FEATURES 0
+-#define TCG_7_0_EBX_FEATURES (CPUID_7_0_EBX_SMEP | CPUID_7_0_EBX_SMAP \
++#define TCG_7_0_EBX_FEATURES (CPUID_7_0_EBX_SMEP | CPUID_7_0_EBX_SMAP | \
+ CPUID_7_0_EBX_BMI1 | CPUID_7_0_EBX_BMI2 | CPUID_7_0_EBX_ADX)
+ /* missing:
+ CPUID_7_0_EBX_FSGSBASE, CPUID_7_0_EBX_HLE, CPUID_7_0_EBX_AVX2,
+@@ -2640,6 +2640,7 @@ static void x86_cpu_realizefn(DeviceState *dev, Error **errp)
+ if (!kvm_enabled()) {
+ env->features[FEAT_1_EDX] &= TCG_FEATURES;
+ env->features[FEAT_1_ECX] &= TCG_EXT_FEATURES;
++ env->features[FEAT_7_0_EBX] &= TCG_7_0_EBX_FEATURES;
+ env->features[FEAT_8000_0001_EDX] &= TCG_EXT2_FEATURES;
+ env->features[FEAT_8000_0001_ECX] &= TCG_EXT3_FEATURES;
+ env->features[FEAT_SVM] &= TCG_SVM_FEATURES;
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-target-i386-Filter-KVM-and-0xC0000001-features-on-TC.patch b/SOURCES/kvm-target-i386-Filter-KVM-and-0xC0000001-features-on-TC.patch
new file mode 100644
index 0000000..20f595a
--- /dev/null
+++ b/SOURCES/kvm-target-i386-Filter-KVM-and-0xC0000001-features-on-TC.patch
@@ -0,0 +1,57 @@
+From d037664335efca55df79abcde79f4f2733ca535b Mon Sep 17 00:00:00 2001
+From: Eduardo Habkost <ehabkost@redhat.com>
+Date: Thu, 23 Feb 2017 14:29:42 +0100
+Subject: [PATCH 12/17] target-i386: Filter KVM and 0xC0000001 features on TCG
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Eduardo Habkost <ehabkost@redhat.com>
+Message-id: <20170223142945.17790-12-ehabkost@redhat.com>
+Patchwork-id: 74040
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v2 11/14] target-i386: Filter KVM and 0xC0000001 features on TCG
+Bugzilla: 1382122
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+TCG doesn't support any of the feature flags on FEAT_KVM and
+FEAT_C000_0001_EDX feature words, so clear all bits on those feature
+words.
+
+Reviewed-by: Richard Henderson <rth@twiddle.net>
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+Signed-off-by: Andreas Färber <afaerber@suse.de>
+(cherry picked from commit 84a6c6cd40687598c7e85d7de8095e08b5e636d7)
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ target-i386/cpu.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/target-i386/cpu.c b/target-i386/cpu.c
+index d424211..e6821b6 100644
+--- a/target-i386/cpu.c
++++ b/target-i386/cpu.c
+@@ -501,7 +501,9 @@ typedef struct x86_def_t {
+ CPUID_EXT2_PDPE1GB */
+ #define TCG_EXT3_FEATURES (CPUID_EXT3_LAHF_LM | CPUID_EXT3_SVM | \
+ CPUID_EXT3_CR8LEG | CPUID_EXT3_ABM | CPUID_EXT3_SSE4A)
++#define TCG_EXT4_FEATURES 0
+ #define TCG_SVM_FEATURES 0
++#define TCG_KVM_FEATURES 0
+ #define TCG_7_0_EBX_FEATURES (CPUID_7_0_EBX_SMEP | CPUID_7_0_EBX_SMAP | \
+ CPUID_7_0_EBX_BMI1 | CPUID_7_0_EBX_BMI2 | CPUID_7_0_EBX_ADX)
+ /* missing:
+@@ -2644,6 +2646,8 @@ static void x86_cpu_realizefn(DeviceState *dev, Error **errp)
+ env->features[FEAT_8000_0001_EDX] &= TCG_EXT2_FEATURES;
+ env->features[FEAT_8000_0001_ECX] &= TCG_EXT3_FEATURES;
+ env->features[FEAT_SVM] &= TCG_SVM_FEATURES;
++ env->features[FEAT_KVM] &= TCG_KVM_FEATURES;
++ env->features[FEAT_C000_0001_EDX] &= TCG_EXT4_FEATURES;
+ env->features[FEAT_XSAVE] = 0;
+ env->features[FEAT_7_0_ECX] &= TCG_7_0_ECX_FEATURES;
+ env->features[FEAT_7_0_EDX] &= TCG_7_0_EDX_FEATURES;
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-target-i386-Loop-based-copying-and-setting-unsetting.patch b/SOURCES/kvm-target-i386-Loop-based-copying-and-setting-unsetting.patch
new file mode 100644
index 0000000..6efcc59
--- /dev/null
+++ b/SOURCES/kvm-target-i386-Loop-based-copying-and-setting-unsetting.patch
@@ -0,0 +1,112 @@
+From 04a8a3d76b171deb5eaf8318591e5cfaea3cc843 Mon Sep 17 00:00:00 2001
+From: Eduardo Habkost <ehabkost@redhat.com>
+Date: Thu, 23 Feb 2017 14:29:44 +0100
+Subject: [PATCH 14/17] target-i386: Loop-based copying and setting/unsetting
+ of feature words
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Eduardo Habkost <ehabkost@redhat.com>
+Message-id: <20170223142945.17790-14-ehabkost@redhat.com>
+Patchwork-id: 74045
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v2 13/14] target-i386: Loop-based copying and setting/unsetting of feature words
+Bugzilla: 1382122
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+Now that we have the feature word arrays, we don't need to manually copy
+each array item, we can simply iterate through each feature word.
+
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+Signed-off-by: Andreas Färber <afaerber@suse.de>
+(cherry picked from commit e1c224b4eb3b8693c230bb2762a959ae1f531f76)
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ target-i386/cpu.c | 44 ++++++++++----------------------------------
+ 1 file changed, 10 insertions(+), 34 deletions(-)
+
+diff --git a/target-i386/cpu.c b/target-i386/cpu.c
+index d611062..010b95f 100644
+--- a/target-i386/cpu.c
++++ b/target-i386/cpu.c
+@@ -1755,6 +1755,7 @@ static inline void feat2prop(char *s)
+ static void cpu_x86_parse_featurestr(X86CPU *cpu, char *features, Error **errp)
+ {
+ char *featurestr; /* Single 'key=value" string being parsed */
++ FeatureWord w;
+ /* Features to be added */
+ FeatureWordArray plus_features = { 0 };
+ /* Features to be removed */
+@@ -1844,28 +1845,11 @@ static void cpu_x86_parse_featurestr(X86CPU *cpu, char *features, Error **errp)
+ }
+ featurestr = strtok(NULL, ",");
+ }
+- env->features[FEAT_1_EDX] |= plus_features[FEAT_1_EDX];
+- env->features[FEAT_1_ECX] |= plus_features[FEAT_1_ECX];
+- env->features[FEAT_8000_0001_EDX] |= plus_features[FEAT_8000_0001_EDX];
+- env->features[FEAT_8000_0001_ECX] |= plus_features[FEAT_8000_0001_ECX];
+- env->features[FEAT_C000_0001_EDX] |= plus_features[FEAT_C000_0001_EDX];
+- env->features[FEAT_KVM] |= plus_features[FEAT_KVM];
+- env->features[FEAT_SVM] |= plus_features[FEAT_SVM];
+- env->features[FEAT_7_0_EBX] |= plus_features[FEAT_7_0_EBX];
+- env->features[FEAT_7_0_ECX] |= plus_features[FEAT_7_0_ECX];
+- env->features[FEAT_7_0_EDX] |= plus_features[FEAT_7_0_EDX];
+- env->features[FEAT_XSAVE] |= plus_features[FEAT_XSAVE];
+- env->features[FEAT_1_EDX] &= ~minus_features[FEAT_1_EDX];
+- env->features[FEAT_1_ECX] &= ~minus_features[FEAT_1_ECX];
+- env->features[FEAT_8000_0001_EDX] &= ~minus_features[FEAT_8000_0001_EDX];
+- env->features[FEAT_8000_0001_ECX] &= ~minus_features[FEAT_8000_0001_ECX];
+- env->features[FEAT_C000_0001_EDX] &= ~minus_features[FEAT_C000_0001_EDX];
+- env->features[FEAT_KVM] &= ~minus_features[FEAT_KVM];
+- env->features[FEAT_SVM] &= ~minus_features[FEAT_SVM];
+- env->features[FEAT_7_0_EBX] &= ~minus_features[FEAT_7_0_EBX];
+- env->features[FEAT_7_0_ECX] &= ~minus_features[FEAT_7_0_ECX];
+- env->features[FEAT_7_0_EDX] &= ~minus_features[FEAT_7_0_EDX];
+- env->features[FEAT_XSAVE] &= ~minus_features[FEAT_XSAVE];
++
++ for (w = 0; w < FEATURE_WORDS; w++) {
++ env->features[w] |= plus_features[w];
++ env->features[w] &= ~minus_features[w];
++ }
+
+ out:
+ return;
+@@ -1974,6 +1958,7 @@ static void cpu_x86_register(X86CPU *cpu, const char *name, Error **errp)
+ {
+ CPUX86State *env = &cpu->env;
+ x86_def_t def1, *def = &def1;
++ FeatureWord w;
+
+ memset(def, 0, sizeof(*def));
+
+@@ -1992,21 +1977,12 @@ static void cpu_x86_register(X86CPU *cpu, const char *name, Error **errp)
+ object_property_set_int(OBJECT(cpu), def->family, "family", errp);
+ object_property_set_int(OBJECT(cpu), def->model, "model", errp);
+ object_property_set_int(OBJECT(cpu), def->stepping, "stepping", errp);
+- env->features[FEAT_1_EDX] = def->features[FEAT_1_EDX];
+- env->features[FEAT_1_ECX] = def->features[FEAT_1_ECX];
+- env->features[FEAT_8000_0001_EDX] = def->features[FEAT_8000_0001_EDX];
+- env->features[FEAT_8000_0001_ECX] = def->features[FEAT_8000_0001_ECX];
+ object_property_set_int(OBJECT(cpu), def->xlevel, "xlevel", errp);
+- env->features[FEAT_KVM] = def->features[FEAT_KVM];
+- env->features[FEAT_SVM] = def->features[FEAT_SVM];
+- env->features[FEAT_C000_0001_EDX] = def->features[FEAT_C000_0001_EDX];
+- env->features[FEAT_7_0_EBX] = def->features[FEAT_7_0_EBX];
+- env->features[FEAT_7_0_ECX] = def->features[FEAT_7_0_ECX];
+- env->features[FEAT_7_0_EDX] = def->features[FEAT_7_0_EDX];
+- env->features[FEAT_XSAVE] = def->features[FEAT_XSAVE];
+ env->cpuid_xlevel2 = def->xlevel2;
+-
+ object_property_set_str(OBJECT(cpu), def->model_id, "model-id", errp);
++ for (w = 0; w < FEATURE_WORDS; w++) {
++ env->features[w] = def->features[w];
++ }
+ }
+
+ X86CPU *cpu_x86_create(const char *cpu_model, DeviceState *icc_bridge,
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-target-i386-Loop-based-feature-word-filtering-in-TCG.patch b/SOURCES/kvm-target-i386-Loop-based-feature-word-filtering-in-TCG.patch
new file mode 100644
index 0000000..5b90519
--- /dev/null
+++ b/SOURCES/kvm-target-i386-Loop-based-feature-word-filtering-in-TCG.patch
@@ -0,0 +1,127 @@
+From 91e436476830a82f429e1df848ea751280580b46 Mon Sep 17 00:00:00 2001
+From: Eduardo Habkost <ehabkost@redhat.com>
+Date: Thu, 23 Feb 2017 14:29:45 +0100
+Subject: [PATCH 15/17] target-i386: Loop-based feature word filtering in TCG
+ mode
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Eduardo Habkost <ehabkost@redhat.com>
+Message-id: <20170223142945.17790-15-ehabkost@redhat.com>
+Patchwork-id: 74046
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v2 14/14] target-i386: Loop-based feature word filtering in TCG mode
+Bugzilla: 1382122
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+Instead of manually filtering each feature word, add a tcg_features
+field to FeatureWordInfo, and use that field to filter all feature words
+in TCG mode.
+
+Reviewed-by: Richard Henderson <rth@twiddle.net>
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+Signed-off-by: Andreas Färber <afaerber@suse.de>
+(cherry picked from commit 37ce3522cb88c524caec57cb52a4bfbb880abbe5)
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ target-i386/cpu.c | 26 +++++++++++++++-----------
+ 1 file changed, 15 insertions(+), 11 deletions(-)
+
+diff --git a/target-i386/cpu.c b/target-i386/cpu.c
+index 010b95f..38056eb 100644
+--- a/target-i386/cpu.c
++++ b/target-i386/cpu.c
+@@ -254,54 +254,65 @@ typedef struct FeatureWordInfo {
+ bool cpuid_needs_ecx; /* CPUID instruction uses ECX as input */
+ uint32_t cpuid_ecx; /* Input ECX value for CPUID */
+ int cpuid_reg; /* output register (R_* constant) */
++ uint32_t tcg_features; /* Feature flags supported by TCG */
+ } FeatureWordInfo;
+
+ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
+ [FEAT_1_EDX] = {
+ .feat_names = feature_name,
+ .cpuid_eax = 1, .cpuid_reg = R_EDX,
++ .tcg_features = TCG_FEATURES,
+ },
+ [FEAT_1_ECX] = {
+ .feat_names = ext_feature_name,
+ .cpuid_eax = 1, .cpuid_reg = R_ECX,
++ .tcg_features = TCG_EXT_FEATURES,
+ },
+ [FEAT_8000_0001_EDX] = {
+ .feat_names = ext2_feature_name,
+ .cpuid_eax = 0x80000001, .cpuid_reg = R_EDX,
++ .tcg_features = TCG_EXT2_FEATURES,
+ },
+ [FEAT_8000_0001_ECX] = {
+ .feat_names = ext3_feature_name,
+ .cpuid_eax = 0x80000001, .cpuid_reg = R_ECX,
++ .tcg_features = TCG_EXT3_FEATURES,
+ },
+ [FEAT_C000_0001_EDX] = {
+ .feat_names = ext4_feature_name,
+ .cpuid_eax = 0xC0000001, .cpuid_reg = R_EDX,
++ .tcg_features = TCG_EXT4_FEATURES,
+ },
+ [FEAT_KVM] = {
+ .feat_names = kvm_feature_name,
+ .cpuid_eax = KVM_CPUID_FEATURES, .cpuid_reg = R_EAX,
++ .tcg_features = TCG_KVM_FEATURES,
+ },
+ [FEAT_SVM] = {
+ .feat_names = svm_feature_name,
+ .cpuid_eax = 0x8000000A, .cpuid_reg = R_EDX,
++ .tcg_features = TCG_SVM_FEATURES,
+ },
+ [FEAT_7_0_EBX] = {
+ .feat_names = cpuid_7_0_ebx_feature_name,
+ .cpuid_eax = 7,
+ .cpuid_needs_ecx = true, .cpuid_ecx = 0,
+ .cpuid_reg = R_EBX,
++ .tcg_features = TCG_7_0_EBX_FEATURES,
+ },
+ [FEAT_7_0_ECX] = {
+ .feat_names = cpuid_7_0_ecx_feature_name,
+ .cpuid_eax = 7,
+ .cpuid_needs_ecx = true, .cpuid_ecx = 0,
+ .cpuid_reg = R_ECX,
++ .tcg_features = TCG_7_0_ECX_FEATURES,
+ },
+ [FEAT_7_0_EDX] = {
+ .feat_names = cpuid_7_0_edx_feature_name,
+ .cpuid_eax = 7,
+ .cpuid_needs_ecx = true, .cpuid_ecx = 0,
+ .cpuid_reg = R_EDX,
++ .tcg_features = TCG_7_0_EDX_FEATURES,
+ },
+ [FEAT_XSAVE] = {
+ .feat_names = cpuid_xsave_feature_name,
+@@ -2617,17 +2628,10 @@ static void x86_cpu_realizefn(DeviceState *dev, Error **errp)
+ }
+
+ if (!kvm_enabled()) {
+- env->features[FEAT_1_EDX] &= TCG_FEATURES;
+- env->features[FEAT_1_ECX] &= TCG_EXT_FEATURES;
+- env->features[FEAT_7_0_EBX] &= TCG_7_0_EBX_FEATURES;
+- env->features[FEAT_8000_0001_EDX] &= TCG_EXT2_FEATURES;
+- env->features[FEAT_8000_0001_ECX] &= TCG_EXT3_FEATURES;
+- env->features[FEAT_SVM] &= TCG_SVM_FEATURES;
+- env->features[FEAT_KVM] &= TCG_KVM_FEATURES;
+- env->features[FEAT_C000_0001_EDX] &= TCG_EXT4_FEATURES;
+- env->features[FEAT_XSAVE] = 0;
+- env->features[FEAT_7_0_ECX] &= TCG_7_0_ECX_FEATURES;
+- env->features[FEAT_7_0_EDX] &= TCG_7_0_EDX_FEATURES;
++ FeatureWord w;
++ for (w = 0; w < FEATURE_WORDS; w++) {
++ env->features[w] &= feature_word_info[w].tcg_features;
++ }
+ } else {
+ KVMState *s = kvm_state;
+ if ((cpu->check_cpuid || cpu->enforce_cpuid)
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-target-i386-Make-TCG-feature-filtering-more-readable.patch b/SOURCES/kvm-target-i386-Make-TCG-feature-filtering-more-readable.patch
new file mode 100644
index 0000000..2683994
--- /dev/null
+++ b/SOURCES/kvm-target-i386-Make-TCG-feature-filtering-more-readable.patch
@@ -0,0 +1,69 @@
+From 6e553d9996682836a35a1020e9d992c856236342 Mon Sep 17 00:00:00 2001
+From: Eduardo Habkost <ehabkost@redhat.com>
+Date: Thu, 23 Feb 2017 14:29:40 +0100
+Subject: [PATCH 10/17] target-i386: Make TCG feature filtering more readable
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Eduardo Habkost <ehabkost@redhat.com>
+Message-id: <20170223142945.17790-10-ehabkost@redhat.com>
+Patchwork-id: 74041
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v2 09/14] target-i386: Make TCG feature filtering more readable
+Bugzilla: 1382122
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+Instead of an #ifdef in the middle of the code, just set
+TCG_EXT2_FEATURES to a different value depending on TARGET_X86_64.
+
+Reviewed-by: Richard Henderson <rth@twiddle.net>
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+Signed-off-by: Andreas Färber <afaerber@suse.de>
+(cherry picked from commit a42d9938a162c3e3c9e441d1927dca5bd59167d9)
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ target-i386/cpu.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/target-i386/cpu.c b/target-i386/cpu.c
+index bb8abf7..e32d4d7 100644
+--- a/target-i386/cpu.c
++++ b/target-i386/cpu.c
+@@ -486,9 +486,17 @@ typedef struct x86_def_t {
+ CPUID_EXT_X2APIC, CPUID_EXT_TSC_DEADLINE_TIMER, CPUID_EXT_XSAVE,
+ CPUID_EXT_OSXSAVE, CPUID_EXT_AVX, CPUID_EXT_F16C,
+ CPUID_EXT_RDRAND */
++
++#ifdef TARGET_X86_64
++#define TCG_EXT2_X86_64_FEATURES (CPUID_EXT2_SYSCALL | CPUID_EXT2_LM)
++#else
++#define TCG_EXT2_X86_64_FEATURES 0
++#endif
++
+ #define TCG_EXT2_FEATURES ((TCG_FEATURES & CPUID_EXT2_AMD_ALIASES) | \
+ CPUID_EXT2_NX | CPUID_EXT2_MMXEXT | CPUID_EXT2_RDTSCP | \
+- CPUID_EXT2_3DNOW | CPUID_EXT2_3DNOWEXT)
++ CPUID_EXT2_3DNOW | CPUID_EXT2_3DNOWEXT | \
++ TCG_EXT2_X86_64_FEATURES)
+ /* missing:
+ CPUID_EXT2_PDPE1GB */
+ #define TCG_EXT3_FEATURES (CPUID_EXT3_LAHF_LM | CPUID_EXT3_SVM | \
+@@ -2632,11 +2640,7 @@ static void x86_cpu_realizefn(DeviceState *dev, Error **errp)
+ if (!kvm_enabled()) {
+ env->features[FEAT_1_EDX] &= TCG_FEATURES;
+ env->features[FEAT_1_ECX] &= TCG_EXT_FEATURES;
+- env->features[FEAT_8000_0001_EDX] &= (TCG_EXT2_FEATURES
+-#ifdef TARGET_X86_64
+- | CPUID_EXT2_SYSCALL | CPUID_EXT2_LM
+-#endif
+- );
++ env->features[FEAT_8000_0001_EDX] &= TCG_EXT2_FEATURES;
+ env->features[FEAT_8000_0001_ECX] &= TCG_EXT3_FEATURES;
+ env->features[FEAT_SVM] &= TCG_SVM_FEATURES;
+ env->features[FEAT_XSAVE] = 0;
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-target-i386-add-Ivy-Bridge-CPU-model.patch b/SOURCES/kvm-target-i386-add-Ivy-Bridge-CPU-model.patch
new file mode 100644
index 0000000..d211806
--- /dev/null
+++ b/SOURCES/kvm-target-i386-add-Ivy-Bridge-CPU-model.patch
@@ -0,0 +1,73 @@
+From 8075eadce1f9f144ae2e2fcf23c1890943caf1f8 Mon Sep 17 00:00:00 2001
+From: Eduardo Habkost <ehabkost@redhat.com>
+Date: Wed, 22 Feb 2017 21:11:07 +0100
+Subject: [PATCH 01/17] target-i386: add Ivy Bridge CPU model
+
+RH-Author: Eduardo Habkost <ehabkost@redhat.com>
+Message-id: <20170222211107.29696-1-ehabkost@redhat.com>
+Patchwork-id: 74028
+O-Subject: [RHEL-7.4 qemu-kvm PATCH] target-i386: add Ivy Bridge CPU model
+Bugzilla: 1368375
+RH-Acked-by: Bandan Das <bsd@redhat.com>
+RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1368375
+Brew: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=12606134
+
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 2f9ac42acf4602453d5839221df6cc7cabc3355e)
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ target-i386/cpu.c | 32 ++++++++++++++++++++++++++++++++
+ 1 file changed, 32 insertions(+)
+
+diff --git a/target-i386/cpu.c b/target-i386/cpu.c
+index 476306d..c3c8306 100644
+--- a/target-i386/cpu.c
++++ b/target-i386/cpu.c
+@@ -878,6 +878,38 @@ static x86_def_t builtin_x86_defs[] = {
+ .model_id = "Intel Xeon E312xx (Sandy Bridge)",
+ },
+ {
++ .name = "IvyBridge",
++ .level = 0xd,
++ .vendor = CPUID_VENDOR_INTEL,
++ .family = 6,
++ .model = 58,
++ .stepping = 9,
++ .features[FEAT_1_EDX] =
++ CPUID_VME | CPUID_SSE2 | CPUID_SSE | CPUID_FXSR | CPUID_MMX |
++ CPUID_CLFLUSH | CPUID_PSE36 | CPUID_PAT | CPUID_CMOV | CPUID_MCA |
++ CPUID_PGE | CPUID_MTRR | CPUID_SEP | CPUID_APIC | CPUID_CX8 |
++ CPUID_MCE | CPUID_PAE | CPUID_MSR | CPUID_TSC | CPUID_PSE |
++ CPUID_DE | CPUID_FP87,
++ .features[FEAT_1_ECX] =
++ CPUID_EXT_AVX | CPUID_EXT_XSAVE | CPUID_EXT_AES |
++ CPUID_EXT_TSC_DEADLINE_TIMER | CPUID_EXT_POPCNT |
++ CPUID_EXT_X2APIC | CPUID_EXT_SSE42 | CPUID_EXT_SSE41 |
++ CPUID_EXT_CX16 | CPUID_EXT_SSSE3 | CPUID_EXT_PCLMULQDQ |
++ CPUID_EXT_SSE3 | CPUID_EXT_F16C | CPUID_EXT_RDRAND,
++ .features[FEAT_7_0_EBX] =
++ CPUID_7_0_EBX_FSGSBASE | CPUID_7_0_EBX_SMEP |
++ CPUID_7_0_EBX_ERMS,
++ .features[FEAT_8000_0001_EDX] =
++ CPUID_EXT2_LM | CPUID_EXT2_RDTSCP | CPUID_EXT2_NX |
++ CPUID_EXT2_SYSCALL,
++ .features[FEAT_8000_0001_ECX] =
++ CPUID_EXT3_LAHF_LM,
++ .features[FEAT_XSAVE] =
++ CPUID_XSAVE_XSAVEOPT,
++ .xlevel = 0x8000000A,
++ .model_id = "Intel Xeon E3-12xx v2 (Ivy Bridge)",
++ },
++ {
+ .name = "Haswell",
+ .level = 0xd,
+ .vendor = CPUID_VENDOR_INTEL,
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-target-i386-get-set-migrate-XSAVES-state.patch b/SOURCES/kvm-target-i386-get-set-migrate-XSAVES-state.patch
new file mode 100644
index 0000000..760ac99
--- /dev/null
+++ b/SOURCES/kvm-target-i386-get-set-migrate-XSAVES-state.patch
@@ -0,0 +1,170 @@
+From a824033fdc6956ee449f49f6d1a74ebfb21d0700 Mon Sep 17 00:00:00 2001
+From: Eduardo Habkost <ehabkost@redhat.com>
+Date: Fri, 31 Mar 2017 11:37:37 +0200
+Subject: [PATCH 1/4] target-i386: get/set/migrate XSAVES state
+
+RH-Author: Eduardo Habkost <ehabkost@redhat.com>
+Message-id: <20170331113737.9930-1-ehabkost@redhat.com>
+Patchwork-id: 74596
+O-Subject: [RHEL-7.4 qemu-kvm PATCH] target-i386: get/set/migrate XSAVES state
+Bugzilla: 1327593
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+RH-Acked-by: Bandan Das <bsd@redhat.com>
+RH-Acked-by: David Hildenbrand <david@redhat.com>
+
+From: Wanpeng Li <wanpeng.li@linux.intel.com>
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1327593
+Brew: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=12913269
+
+Add xsaves related definition, it also adds corresponding part
+to kvm_get/put, and vmstate.
+
+Backport notes:
+* As we didn't have unmigratable_flags yet, our backport
+ of upstream commit 0bb0b2d2fe7f645ddaf1f0ff40ac669c9feb4aa1
+ (commit 5fcaf5176d7545518c76f3aa8ea7ce6fb063c62d) didn't
+ include "xsaves" cpuid_xsave_feature_name[]. This patch now
+ adds "xsave" to cpuid_xsave_feature_name[].
+
+Signed-off-by: Wanpeng Li <wanpeng.li@linux.intel.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 18cd2c17b5370369a886155c001da0a7f54bbcca)
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ target-i386/cpu.c | 2 +-
+ target-i386/cpu.h | 2 ++
+ target-i386/kvm.c | 15 +++++++++++++++
+ target-i386/machine.c | 21 +++++++++++++++++++++
+ 4 files changed, 39 insertions(+), 1 deletion(-)
+
+diff --git a/target-i386/cpu.c b/target-i386/cpu.c
+index 33f0997..ae56995 100644
+--- a/target-i386/cpu.c
++++ b/target-i386/cpu.c
+@@ -177,7 +177,7 @@ static const char *cpuid_7_0_edx_feature_name[] = {
+ };
+
+ static const char *cpuid_xsave_feature_name[] = {
+- "xsaveopt", "xsavec", "xgetbv1", NULL,
++ "xsaveopt", "xsavec", "xgetbv1", "xsaves",
+ NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL,
+diff --git a/target-i386/cpu.h b/target-i386/cpu.h
+index f04deb4..ac60309 100644
+--- a/target-i386/cpu.h
++++ b/target-i386/cpu.h
+@@ -384,6 +384,7 @@
+ #define MSR_VM_HSAVE_PA 0xc0010117
+
+ #define MSR_IA32_BNDCFGS 0x00000d90
++#define MSR_IA32_XSS 0x00000da0
+
+ #define XSTATE_FP (1ULL << 0)
+ #define XSTATE_SSE (1ULL << 1)
+@@ -1026,6 +1027,7 @@ typedef struct CPUX86State {
+ uint64_t xstate_bv;
+
+ uint64_t xcr0;
++ uint64_t xss;
+
+ TPRAccess tpr_access_type;
+ } CPUX86State;
+diff --git a/target-i386/kvm.c b/target-i386/kvm.c
+index e1b0ca2..6a479f4 100644
+--- a/target-i386/kvm.c
++++ b/target-i386/kvm.c
+@@ -76,6 +76,7 @@ static bool has_msr_hv_hypercall;
+ static bool has_msr_hv_vapic;
+ static bool has_msr_hv_tsc;
+ static bool has_msr_mtrr;
++static bool has_msr_xss;
+
+ static bool has_msr_architectural_pmu;
+ static uint32_t num_architectural_pmu_counters;
+@@ -795,6 +796,10 @@ static int kvm_get_supported_msrs(KVMState *s)
+ has_msr_bndcfgs = true;
+ continue;
+ }
++ if (kvm_msr_list->indices[i] == MSR_IA32_XSS) {
++ has_msr_xss = true;
++ continue;
++ }
+ }
+ }
+
+@@ -1177,6 +1182,9 @@ static int kvm_put_msrs(X86CPU *cpu, int level)
+ if (has_msr_bndcfgs) {
+ kvm_msr_entry_set(&msrs[n++], MSR_IA32_BNDCFGS, env->msr_bndcfgs);
+ }
++ if (has_msr_xss) {
++ kvm_msr_entry_set(&msrs[n++], MSR_IA32_XSS, env->xss);
++ }
+ #ifdef TARGET_X86_64
+ if (lm_capable_kernel) {
+ kvm_msr_entry_set(&msrs[n++], MSR_CSTAR, env->cstar);
+@@ -1530,6 +1538,10 @@ static int kvm_get_msrs(X86CPU *cpu)
+ if (has_msr_bndcfgs) {
+ msrs[n++].index = MSR_IA32_BNDCFGS;
+ }
++ if (has_msr_xss) {
++ msrs[n++].index = MSR_IA32_XSS;
++ }
++
+
+ if (!env->tsc_valid) {
+ msrs[n++].index = MSR_IA32_TSC;
+@@ -1677,6 +1689,9 @@ static int kvm_get_msrs(X86CPU *cpu)
+ case MSR_IA32_BNDCFGS:
+ env->msr_bndcfgs = msrs[i].data;
+ break;
++ case MSR_IA32_XSS:
++ env->xss = msrs[i].data;
++ break;
+ default:
+ if (msrs[i].index >= MSR_MC0_CTL &&
+ msrs[i].index < MSR_MC0_CTL + (env->mcg_cap & 0xff) * 4) {
+diff --git a/target-i386/machine.c b/target-i386/machine.c
+index 2c97002..ce7fcd3 100644
+--- a/target-i386/machine.c
++++ b/target-i386/machine.c
+@@ -704,6 +704,24 @@ static const VMStateDescription vmstate_avx512 = {
+ }
+ };
+
++static bool xss_needed(void *opaque)
++{
++ X86CPU *cpu = opaque;
++ CPUX86State *env = &cpu->env;
++
++ return env->xss != 0;
++}
++
++static const VMStateDescription vmstate_xss = {
++ .name = "cpu/xss",
++ .version_id = 1,
++ .minimum_version_id = 1,
++ .fields = (VMStateField[]) {
++ VMSTATE_UINT64(env.xss, X86CPU),
++ VMSTATE_END_OF_LIST()
++ }
++};
++
+ const VMStateDescription vmstate_x86_cpu = {
+ .name = "cpu",
+ .version_id = 12,
+@@ -850,6 +868,9 @@ const VMStateDescription vmstate_x86_cpu = {
+ }, {
+ .vmsd = &vmstate_avx512,
+ .needed = avx512_needed,
++ }, {
++ .vmsd = &vmstate_xss,
++ .needed = xss_needed,
+ } , {
+ /* empty */
+ }
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-target-i386-kvm_check_features_against_host-Kill-fea.patch b/SOURCES/kvm-target-i386-kvm_check_features_against_host-Kill-fea.patch
new file mode 100644
index 0000000..ce9514e
--- /dev/null
+++ b/SOURCES/kvm-target-i386-kvm_check_features_against_host-Kill-fea.patch
@@ -0,0 +1,114 @@
+From 6d76a3d10423f99561a431964637b58d7e5f2e77 Mon Sep 17 00:00:00 2001
+From: Eduardo Habkost <ehabkost@redhat.com>
+Date: Thu, 23 Feb 2017 14:29:39 +0100
+Subject: [PATCH 09/17] target-i386: kvm_check_features_against_host(): Kill
+ feature word array
+
+RH-Author: Eduardo Habkost <ehabkost@redhat.com>
+Message-id: <20170223142945.17790-9-ehabkost@redhat.com>
+Patchwork-id: 74039
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v2 08/14] target-i386: kvm_check_features_against_host(): Kill feature word array
+Bugzilla: 1382122
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+We don't need the ft[] array on kvm_check_features_against_host()
+anymore, as we can simply use the feature_word_info[] array, that has
+everything we need.
+
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit f0b9b11164482a8a2283dee25cecc4a4c531259e)
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ target-i386/cpu.c | 57 ++++++++++++-------------------------------------------
+ 1 file changed, 12 insertions(+), 45 deletions(-)
+
+diff --git a/target-i386/cpu.c b/target-i386/cpu.c
+index 22ad4f9..bb8abf7 100644
+--- a/target-i386/cpu.c
++++ b/target-i386/cpu.c
+@@ -1303,57 +1303,23 @@ static int unavailable_host_feature(FeatureWordInfo *f, uint32_t mask)
+ *
+ * This function may be called only if KVM is enabled.
+ */
+-static int kvm_check_features_against_host(X86CPU *cpu)
++static int kvm_check_features_against_host(KVMState *s, X86CPU *cpu)
+ {
+ CPUX86State *env = &cpu->env;
+- x86_def_t host_def;
+- uint32_t mask;
+- int rv, i;
+- struct model_features_t ft[] = {
+- {&env->features[FEAT_1_EDX],
+- &host_def.features[FEAT_1_EDX],
+- FEAT_1_EDX },
+- {&env->features[FEAT_1_ECX],
+- &host_def.features[FEAT_1_ECX],
+- FEAT_1_ECX },
+- {&env->features[FEAT_8000_0001_EDX],
+- &host_def.features[FEAT_8000_0001_EDX],
+- FEAT_8000_0001_EDX },
+- {&env->features[FEAT_8000_0001_ECX],
+- &host_def.features[FEAT_8000_0001_ECX],
+- FEAT_8000_0001_ECX },
+- {&env->features[FEAT_C000_0001_EDX],
+- &host_def.features[FEAT_C000_0001_EDX],
+- FEAT_C000_0001_EDX },
+- {&env->features[FEAT_7_0_EBX],
+- &host_def.features[FEAT_7_0_EBX],
+- FEAT_7_0_EBX },
+- {&env->features[FEAT_7_0_ECX],
+- &host_def.features[FEAT_7_0_ECX],
+- FEAT_7_0_ECX },
+- {&env->features[FEAT_7_0_EDX],
+- &host_def.features[FEAT_7_0_EDX],
+- FEAT_7_0_EDX },
+- {&env->features[FEAT_XSAVE],
+- &host_def.features[FEAT_XSAVE],
+- FEAT_XSAVE },
+- {&env->features[FEAT_SVM],
+- &host_def.features[FEAT_SVM],
+- FEAT_SVM },
+- {&env->features[FEAT_KVM],
+- &host_def.features[FEAT_KVM],
+- FEAT_KVM },
+- };
++ int rv = 0;
++ FeatureWord w;
+
+ assert(kvm_enabled());
+
+- kvm_cpu_fill_host(&host_def);
+- for (rv = 0, i = 0; i < ARRAY_SIZE(ft); ++i) {
+- FeatureWord w = ft[i].feat_word;
++ for (w = 0; w < FEATURE_WORDS; w++) {
+ FeatureWordInfo *wi = &feature_word_info[w];
++ uint32_t guest_feat = env->features[w];
++ uint32_t host_feat = kvm_arch_get_supported_cpuid(s, wi->cpuid_eax,
++ wi->cpuid_ecx,
++ wi->cpuid_reg);
++ uint32_t mask;
+ for (mask = 1; mask; mask <<= 1) {
+- if (*ft[i].guest_feat & mask &&
+- !(*ft[i].host_feat & mask)) {
++ if (guest_feat & mask && !(host_feat & mask)) {
+ unavailable_host_feature(wi, mask);
+ rv = 1;
+ }
+@@ -2677,8 +2643,9 @@ static void x86_cpu_realizefn(DeviceState *dev, Error **errp)
+ env->features[FEAT_7_0_ECX] &= TCG_7_0_ECX_FEATURES;
+ env->features[FEAT_7_0_EDX] &= TCG_7_0_EDX_FEATURES;
+ } else {
++ KVMState *s = kvm_state;
+ if ((cpu->check_cpuid || cpu->enforce_cpuid)
+- && kvm_check_features_against_host(cpu) && cpu->enforce_cpuid) {
++ && kvm_check_features_against_host(s, cpu) && cpu->enforce_cpuid) {
+ error_setg(&local_err,
+ "Host's CPU doesn't support requested features");
+ goto out;
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-target-i386-kvm_cpu_fill_host-Fill-feature-words-in-.patch b/SOURCES/kvm-target-i386-kvm_cpu_fill_host-Fill-feature-words-in-.patch
new file mode 100644
index 0000000..ab2524c
--- /dev/null
+++ b/SOURCES/kvm-target-i386-kvm_cpu_fill_host-Fill-feature-words-in-.patch
@@ -0,0 +1,70 @@
+From acedcdc24c0aad54530c0d41958b19981207e803 Mon Sep 17 00:00:00 2001
+From: Eduardo Habkost <ehabkost@redhat.com>
+Date: Thu, 23 Feb 2017 14:29:38 +0100
+Subject: [PATCH 08/17] target-i386: kvm_cpu_fill_host(): Fill feature words in
+ a loop
+
+RH-Author: Eduardo Habkost <ehabkost@redhat.com>
+Message-id: <20170223142945.17790-8-ehabkost@redhat.com>
+Patchwork-id: 74038
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v2 07/14] target-i386: kvm_cpu_fill_host(): Fill feature words in a loop
+Bugzilla: 1382122
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+Now that the kvm_cpu_fill_host() code is simplified, we can simply set
+the feature word array using a simple loop.
+
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 2bc65d2b020887da3eb9043ae4f7d133ed85a7fe)
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ target-i386/cpu.c | 29 +++++++----------------------
+ 1 file changed, 7 insertions(+), 22 deletions(-)
+
+diff --git a/target-i386/cpu.c b/target-i386/cpu.c
+index 1515b87..22ad4f9 100644
+--- a/target-i386/cpu.c
++++ b/target-i386/cpu.c
+@@ -1268,28 +1268,13 @@ static void kvm_cpu_fill_host(x86_def_t *x86_cpu_def)
+
+ cpu_x86_fill_model_id(x86_cpu_def->model_id);
+
+- x86_cpu_def->features[FEAT_1_EDX] =
+- kvm_arch_get_supported_cpuid(s, 0x1, 0, R_EDX);
+- x86_cpu_def->features[FEAT_1_ECX] =
+- kvm_arch_get_supported_cpuid(s, 0x1, 0, R_ECX);
+- x86_cpu_def->features[FEAT_7_0_EBX] =
+- kvm_arch_get_supported_cpuid(s, 0x7, 0, R_EBX);
+- x86_cpu_def->features[FEAT_7_0_ECX] =
+- kvm_arch_get_supported_cpuid(s, 0x7, 0, R_ECX);
+- x86_cpu_def->features[FEAT_7_0_EDX] =
+- kvm_arch_get_supported_cpuid(s, 0x7, 0, R_EDX);
+- x86_cpu_def->features[FEAT_XSAVE] =
+- kvm_arch_get_supported_cpuid(s, 0xd, 1, R_EAX);
+- x86_cpu_def->features[FEAT_8000_0001_EDX] =
+- kvm_arch_get_supported_cpuid(s, 0x80000001, 0, R_EDX);
+- x86_cpu_def->features[FEAT_8000_0001_ECX] =
+- kvm_arch_get_supported_cpuid(s, 0x80000001, 0, R_ECX);
+- x86_cpu_def->features[FEAT_C000_0001_EDX] =
+- kvm_arch_get_supported_cpuid(s, 0xC0000001, 0, R_EDX);
+- x86_cpu_def->features[FEAT_SVM] =
+- kvm_arch_get_supported_cpuid(s, 0x8000000A, 0, R_EDX);
+- x86_cpu_def->features[FEAT_KVM] =
+- kvm_arch_get_supported_cpuid(s, KVM_CPUID_FEATURES, 0, R_EAX);
++ FeatureWord w;
++ for (w = 0; w < FEATURE_WORDS; w++) {
++ FeatureWordInfo *wi = &feature_word_info[w];
++ x86_cpu_def->features[w] =
++ kvm_arch_get_supported_cpuid(s, wi->cpuid_eax, wi->cpuid_ecx,
++ wi->cpuid_reg);
++ }
+
+ #endif /* CONFIG_KVM */
+ }
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-target-i386-kvm_cpu_fill_host-Kill-unused-code.patch b/SOURCES/kvm-target-i386-kvm_cpu_fill_host-Kill-unused-code.patch
new file mode 100644
index 0000000..7956a54
--- /dev/null
+++ b/SOURCES/kvm-target-i386-kvm_cpu_fill_host-Kill-unused-code.patch
@@ -0,0 +1,46 @@
+From bdde6d373b48144d8b4c1ebb60a3d50d9c31dc87 Mon Sep 17 00:00:00 2001
+From: Eduardo Habkost <ehabkost@redhat.com>
+Date: Thu, 23 Feb 2017 14:29:33 +0100
+Subject: [PATCH 03/17] target-i386: kvm_cpu_fill_host(): Kill unused code
+
+RH-Author: Eduardo Habkost <ehabkost@redhat.com>
+Message-id: <20170223142945.17790-3-ehabkost@redhat.com>
+Patchwork-id: 74034
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v2 02/14] target-i386: kvm_cpu_fill_host(): Kill unused code
+Bugzilla: 1382122
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+Those host_cpuid() calls are useless. They are leftovers from when the
+old code using host_cpuid() was removed.
+
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 81e207707e7b6204f64451779d752f23777ed451)
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ target-i386/cpu.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/target-i386/cpu.c b/target-i386/cpu.c
+index 789e687..8a49ff5 100644
+--- a/target-i386/cpu.c
++++ b/target-i386/cpu.c
+@@ -1292,12 +1292,10 @@ static void kvm_cpu_fill_host(x86_def_t *x86_cpu_def)
+
+ /* Call Centaur's CPUID instruction. */
+ if (!strcmp(x86_cpu_def->vendor, CPUID_VENDOR_VIA)) {
+- host_cpuid(0xC0000000, 0, &eax, &ebx, &ecx, &edx);
+ eax = kvm_arch_get_supported_cpuid(s, 0xC0000000, 0, R_EAX);
+ if (eax >= 0xC0000001) {
+ /* Support VIA max extended level */
+ x86_cpu_def->xlevel2 = eax;
+- host_cpuid(0xC0000001, 0, &eax, &ebx, &ecx, &edx);
+ x86_cpu_def->features[FEAT_C000_0001_EDX] =
+ kvm_arch_get_supported_cpuid(s, 0xC0000001, 0, R_EDX);
+ }
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-target-i386-kvm_cpu_fill_host-No-need-to-check-CPU-v.patch b/SOURCES/kvm-target-i386-kvm_cpu_fill_host-No-need-to-check-CPU-v.patch
new file mode 100644
index 0000000..69ebd26
--- /dev/null
+++ b/SOURCES/kvm-target-i386-kvm_cpu_fill_host-No-need-to-check-CPU-v.patch
@@ -0,0 +1,62 @@
+From ce8b0103a1c5cae9030156d9f17daf5dee5ed4c5 Mon Sep 17 00:00:00 2001
+From: Eduardo Habkost <ehabkost@redhat.com>
+Date: Thu, 23 Feb 2017 14:29:35 +0100
+Subject: [PATCH 05/17] target-i386: kvm_cpu_fill_host(): No need to check CPU
+ vendor
+
+RH-Author: Eduardo Habkost <ehabkost@redhat.com>
+Message-id: <20170223142945.17790-5-ehabkost@redhat.com>
+Patchwork-id: 74043
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v2 04/14] target-i386: kvm_cpu_fill_host(): No need to check CPU vendor
+Bugzilla: 1382122
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+There's no need to check CPU vendor before calling
+kvm_arch_get_supported_cpuid(s, 0xC0000000, 0, R_EAX), because:
+
+ * The kernel won't return any entry for 0xC0000000 if host CPU vendor
+ is not Centaur (See kvm_dev_ioctl_get_cpuid() on the kernel code);
+ * kvm_arch_get_supported_cpuid() will return 0 if no entry is returned
+ by the kernel for the requested leaf.
+
+This will simplify the kvm_cpu_fill_host() code a little.
+
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit b73dcfb16fc894041de553ac9f98b9e1640fcf06)
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ target-i386/cpu.c | 14 ++++++--------
+ 1 file changed, 6 insertions(+), 8 deletions(-)
+
+diff --git a/target-i386/cpu.c b/target-i386/cpu.c
+index c82073e..a10055b 100644
+--- a/target-i386/cpu.c
++++ b/target-i386/cpu.c
+@@ -1285,14 +1285,12 @@ static void kvm_cpu_fill_host(x86_def_t *x86_cpu_def)
+ cpu_x86_fill_model_id(x86_cpu_def->model_id);
+
+ /* Call Centaur's CPUID instruction. */
+- if (!strcmp(x86_cpu_def->vendor, CPUID_VENDOR_VIA)) {
+- eax = kvm_arch_get_supported_cpuid(s, 0xC0000000, 0, R_EAX);
+- if (eax >= 0xC0000001) {
+- /* Support VIA max extended level */
+- x86_cpu_def->xlevel2 = eax;
+- x86_cpu_def->features[FEAT_C000_0001_EDX] =
+- kvm_arch_get_supported_cpuid(s, 0xC0000001, 0, R_EDX);
+- }
++ eax = kvm_arch_get_supported_cpuid(s, 0xC0000000, 0, R_EAX);
++ if (eax >= 0xC0000001) {
++ /* Support VIA max extended level */
++ x86_cpu_def->xlevel2 = eax;
++ x86_cpu_def->features[FEAT_C000_0001_EDX] =
++ kvm_arch_get_supported_cpuid(s, 0xC0000001, 0, R_EDX);
+ }
+
+ /* Other KVM-specific feature fields: */
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-target-i386-kvm_cpu_fill_host-No-need-to-check-level.patch b/SOURCES/kvm-target-i386-kvm_cpu_fill_host-No-need-to-check-level.patch
new file mode 100644
index 0000000..2a6cde8
--- /dev/null
+++ b/SOURCES/kvm-target-i386-kvm_cpu_fill_host-No-need-to-check-level.patch
@@ -0,0 +1,66 @@
+From 40d8624f4a90769b60ee567035f8231b64c10011 Mon Sep 17 00:00:00 2001
+From: Eduardo Habkost <ehabkost@redhat.com>
+Date: Thu, 23 Feb 2017 14:29:34 +0100
+Subject: [PATCH 04/17] target-i386: kvm_cpu_fill_host(): No need to check
+ level
+
+RH-Author: Eduardo Habkost <ehabkost@redhat.com>
+Message-id: <20170223142945.17790-4-ehabkost@redhat.com>
+Patchwork-id: 74035
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v2 03/14] target-i386: kvm_cpu_fill_host(): No need to check level
+Bugzilla: 1382122
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+There's no need to check level (CPUID[0].EAX) before calling
+kvm_arch_get_supported_cpuid(s, 0x7, 0, R_EBX), because:
+
+ * The kernel won't return any entry for CPUID 7 if CPUID[0].EAX is < 7
+ on the host (See kvm_dev_ioctl_get_cpuid() on the kernel code);
+ * kvm_arch_get_supported_cpuid() will return 0 if no entry is returned
+ by the kernel for the requested leaf.
+
+This will simplify the kvm_cpu_fill_host() code a little.
+
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 7171a3933f2ee8cb984fd64c59ca081f39b943a4)
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ target-i386/cpu.c | 18 ++++++------------
+ 1 file changed, 6 insertions(+), 12 deletions(-)
+
+diff --git a/target-i386/cpu.c b/target-i386/cpu.c
+index 8a49ff5..c82073e 100644
+--- a/target-i386/cpu.c
++++ b/target-i386/cpu.c
+@@ -1267,18 +1267,12 @@ static void kvm_cpu_fill_host(x86_def_t *x86_cpu_def)
+ x86_cpu_def->features[FEAT_1_ECX] =
+ kvm_arch_get_supported_cpuid(s, 0x1, 0, R_ECX);
+
+- if (x86_cpu_def->level >= 7) {
+- x86_cpu_def->features[FEAT_7_0_EBX] =
+- kvm_arch_get_supported_cpuid(s, 0x7, 0, R_EBX);
+- x86_cpu_def->features[FEAT_7_0_ECX] =
+- kvm_arch_get_supported_cpuid(s, 0x7, 0, R_ECX);
+- x86_cpu_def->features[FEAT_7_0_EDX] =
+- kvm_arch_get_supported_cpuid(s, 0x7, 0, R_EDX);
+- } else {
+- x86_cpu_def->features[FEAT_7_0_EBX] = 0;
+- x86_cpu_def->features[FEAT_7_0_ECX] = 0;
+- x86_cpu_def->features[FEAT_7_0_EDX] = 0;
+- }
++ x86_cpu_def->features[FEAT_7_0_EBX] =
++ kvm_arch_get_supported_cpuid(s, 0x7, 0, R_EBX);
++ x86_cpu_def->features[FEAT_7_0_ECX] =
++ kvm_arch_get_supported_cpuid(s, 0x7, 0, R_ECX);
++ x86_cpu_def->features[FEAT_7_0_EDX] =
++ kvm_arch_get_supported_cpuid(s, 0x7, 0, R_EDX);
+ x86_cpu_def->features[FEAT_XSAVE] =
+ kvm_arch_get_supported_cpuid(s, 0xd, 1, R_EAX);
+
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-target-i386-kvm_cpu_fill_host-No-need-to-check-xleve.patch b/SOURCES/kvm-target-i386-kvm_cpu_fill_host-No-need-to-check-xleve.patch
new file mode 100644
index 0000000..3accad7
--- /dev/null
+++ b/SOURCES/kvm-target-i386-kvm_cpu_fill_host-No-need-to-check-xleve.patch
@@ -0,0 +1,68 @@
+From f51c618ce3598d9a6a3256e4dd2b9dd3164fbc81 Mon Sep 17 00:00:00 2001
+From: Eduardo Habkost <ehabkost@redhat.com>
+Date: Thu, 23 Feb 2017 14:29:36 +0100
+Subject: [PATCH 06/17] target-i386: kvm_cpu_fill_host(): No need to check
+ xlevel2
+
+RH-Author: Eduardo Habkost <ehabkost@redhat.com>
+Message-id: <20170223142945.17790-6-ehabkost@redhat.com>
+Patchwork-id: 74036
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v2 05/14] target-i386: kvm_cpu_fill_host(): No need to check xlevel2
+Bugzilla: 1382122
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+There's no need to check CPU xlevel2 before calling
+kvm_arch_get_supported_cpuid(s, 0xC0000001, 0, R_EDX), because:
+
+ * The kernel won't return any entry for 0xC0000000 if host CPU vendor
+ is not Centaur (See kvm_dev_ioctl_get_supported_cpuid() on the kernel
+ code)
+ * Similarly, the kernel won't return any entry for 0xC0000001 if
+ CPUID[0xC0000000].EAX is < 0xC0000001
+ * kvm_arch_get_supported_cpuid() will return 0 if no entry is returned
+ by the kernel for the requested leaf
+
+For similar reasons, we can simply set x86_cpu_def->xlevel2 directly
+instead of making it conditional, because it will be set to 0 CPU vendor
+is not Centaur.
+
+This will simplify the kvm_cpu_fill_host() code a little.
+
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+[Remove unparseable comment. - Paolo]
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 803a932706e3ba335d4c98f3577a05cb000f1699)
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ target-i386/cpu.c | 11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+diff --git a/target-i386/cpu.c b/target-i386/cpu.c
+index a10055b..02bd038 100644
+--- a/target-i386/cpu.c
++++ b/target-i386/cpu.c
+@@ -1285,13 +1285,10 @@ static void kvm_cpu_fill_host(x86_def_t *x86_cpu_def)
+ cpu_x86_fill_model_id(x86_cpu_def->model_id);
+
+ /* Call Centaur's CPUID instruction. */
+- eax = kvm_arch_get_supported_cpuid(s, 0xC0000000, 0, R_EAX);
+- if (eax >= 0xC0000001) {
+- /* Support VIA max extended level */
+- x86_cpu_def->xlevel2 = eax;
+- x86_cpu_def->features[FEAT_C000_0001_EDX] =
+- kvm_arch_get_supported_cpuid(s, 0xC0000001, 0, R_EDX);
+- }
++ x86_cpu_def->xlevel2 =
++ kvm_arch_get_supported_cpuid(s, 0xC0000000, 0, R_EAX);
++ x86_cpu_def->features[FEAT_C000_0001_EDX] =
++ kvm_arch_get_supported_cpuid(s, 0xC0000001, 0, R_EDX);
+
+ /* Other KVM-specific feature fields: */
+ x86_cpu_def->features[FEAT_SVM] =
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-target-i386-kvm_cpu_fill_host-Set-all-feature-words-.patch b/SOURCES/kvm-target-i386-kvm_cpu_fill_host-Set-all-feature-words-.patch
new file mode 100644
index 0000000..0de6ac3
--- /dev/null
+++ b/SOURCES/kvm-target-i386-kvm_cpu_fill_host-Set-all-feature-words-.patch
@@ -0,0 +1,82 @@
+From 905a9704d3099a82421850ae172b89f4de2e58b3 Mon Sep 17 00:00:00 2001
+From: Eduardo Habkost <ehabkost@redhat.com>
+Date: Thu, 23 Feb 2017 14:29:37 +0100
+Subject: [PATCH 07/17] target-i386: kvm_cpu_fill_host(): Set all feature words
+ at end of function
+
+RH-Author: Eduardo Habkost <ehabkost@redhat.com>
+Message-id: <20170223142945.17790-7-ehabkost@redhat.com>
+Patchwork-id: 74037
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v2 06/14] target-i386: kvm_cpu_fill_host(): Set all feature words at end of function
+Bugzilla: 1382122
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+Reorder the code so all the code that sets x86_cpu_def->features is at
+the end of the function.
+
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 2a573259ebf8b1072707257d547603520d1ed236)
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ target-i386/cpu.c | 29 ++++++++++++-----------------
+ 1 file changed, 12 insertions(+), 17 deletions(-)
+
+diff --git a/target-i386/cpu.c b/target-i386/cpu.c
+index 02bd038..1515b87 100644
+--- a/target-i386/cpu.c
++++ b/target-i386/cpu.c
+@@ -1262,35 +1262,30 @@ static void kvm_cpu_fill_host(x86_def_t *x86_cpu_def)
+ x86_cpu_def->stepping = eax & 0x0F;
+
+ x86_cpu_def->level = kvm_arch_get_supported_cpuid(s, 0x0, 0, R_EAX);
++ x86_cpu_def->xlevel = kvm_arch_get_supported_cpuid(s, 0x80000000, 0, R_EAX);
++ x86_cpu_def->xlevel2 =
++ kvm_arch_get_supported_cpuid(s, 0xC0000000, 0, R_EAX);
++
++ cpu_x86_fill_model_id(x86_cpu_def->model_id);
++
+ x86_cpu_def->features[FEAT_1_EDX] =
+ kvm_arch_get_supported_cpuid(s, 0x1, 0, R_EDX);
+ x86_cpu_def->features[FEAT_1_ECX] =
+ kvm_arch_get_supported_cpuid(s, 0x1, 0, R_ECX);
+-
+ x86_cpu_def->features[FEAT_7_0_EBX] =
+- kvm_arch_get_supported_cpuid(s, 0x7, 0, R_EBX);
++ kvm_arch_get_supported_cpuid(s, 0x7, 0, R_EBX);
+ x86_cpu_def->features[FEAT_7_0_ECX] =
+- kvm_arch_get_supported_cpuid(s, 0x7, 0, R_ECX);
++ kvm_arch_get_supported_cpuid(s, 0x7, 0, R_ECX);
+ x86_cpu_def->features[FEAT_7_0_EDX] =
+- kvm_arch_get_supported_cpuid(s, 0x7, 0, R_EDX);
++ kvm_arch_get_supported_cpuid(s, 0x7, 0, R_EDX);
+ x86_cpu_def->features[FEAT_XSAVE] =
+- kvm_arch_get_supported_cpuid(s, 0xd, 1, R_EAX);
+-
+- x86_cpu_def->xlevel = kvm_arch_get_supported_cpuid(s, 0x80000000, 0, R_EAX);
++ kvm_arch_get_supported_cpuid(s, 0xd, 1, R_EAX);
+ x86_cpu_def->features[FEAT_8000_0001_EDX] =
+- kvm_arch_get_supported_cpuid(s, 0x80000001, 0, R_EDX);
++ kvm_arch_get_supported_cpuid(s, 0x80000001, 0, R_EDX);
+ x86_cpu_def->features[FEAT_8000_0001_ECX] =
+- kvm_arch_get_supported_cpuid(s, 0x80000001, 0, R_ECX);
+-
+- cpu_x86_fill_model_id(x86_cpu_def->model_id);
+-
+- /* Call Centaur's CPUID instruction. */
+- x86_cpu_def->xlevel2 =
+- kvm_arch_get_supported_cpuid(s, 0xC0000000, 0, R_EAX);
++ kvm_arch_get_supported_cpuid(s, 0x80000001, 0, R_ECX);
+ x86_cpu_def->features[FEAT_C000_0001_EDX] =
+ kvm_arch_get_supported_cpuid(s, 0xC0000001, 0, R_EDX);
+-
+- /* Other KVM-specific feature fields: */
+ x86_cpu_def->features[FEAT_SVM] =
+ kvm_arch_get_supported_cpuid(s, 0x8000000A, 0, R_EDX);
+ x86_cpu_def->features[FEAT_KVM] =
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-ui-vnc-derive-cmp_bytes-from-VNC_DIRTY_PIXELS_PER_BI.patch b/SOURCES/kvm-ui-vnc-derive-cmp_bytes-from-VNC_DIRTY_PIXELS_PER_BI.patch
new file mode 100644
index 0000000..38db6ec
--- /dev/null
+++ b/SOURCES/kvm-ui-vnc-derive-cmp_bytes-from-VNC_DIRTY_PIXELS_PER_BI.patch
@@ -0,0 +1,47 @@
+From 6eed761f1505348596f34c915c56e8a98ce7c3af Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Wed, 22 Feb 2017 12:36:20 +0100
+Subject: [PATCH 02/24] ui/vnc: derive cmp_bytes from VNC_DIRTY_PIXELS_PER_BIT
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: <1487766986-6329-3-git-send-email-kraxel@redhat.com>
+Patchwork-id: 73973
+O-Subject: [RHEL-7.4 qemu-kvm PATCH 2/8] ui/vnc: derive cmp_bytes from VNC_DIRTY_PIXELS_PER_BIT
+Bugzilla: 1377977
+RH-Acked-by: Thomas Huth <thuth@redhat.com>
+RH-Acked-by: Marc-André Lureau <mlureau@redhat.com>
+RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+
+From: Peter Lieven <pl@kamp.de>
+
+this allows for setting VNC_DIRTY_PIXELS_PER_BIT to different
+values than 16 if desired.
+
+Reviewed-by: Wenchao Xia <xiawenc@linux.vnet.ibm.com>
+Signed-off-by: Peter Lieven <pl@kamp.de>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit 6cd859aa8a7fb60fe6edb89e628cddfe25dfe186)
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ ui/vnc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ui/vnc.c b/ui/vnc.c
+index 0c799ed..13fb34b 100644
+--- a/ui/vnc.c
++++ b/ui/vnc.c
+@@ -2709,7 +2709,7 @@ static int vnc_refresh_server_surface(VncDisplay *vd)
+ * Check and copy modified bits from guest to server surface.
+ * Update server dirty map.
+ */
+- cmp_bytes = 64;
++ cmp_bytes = VNC_DIRTY_PIXELS_PER_BIT * VNC_SERVER_FB_BYTES;
+ if (cmp_bytes > vnc_server_fb_stride(vd)) {
+ cmp_bytes = vnc_server_fb_stride(vd);
+ }
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-ui-vnc-fix-potential-memory-corruption-issues.patch b/SOURCES/kvm-ui-vnc-fix-potential-memory-corruption-issues.patch
new file mode 100644
index 0000000..ba588c9
--- /dev/null
+++ b/SOURCES/kvm-ui-vnc-fix-potential-memory-corruption-issues.patch
@@ -0,0 +1,407 @@
+From 3d842d39e26560dfb7679d88746c314a3545ca18 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Wed, 22 Feb 2017 12:36:24 +0100
+Subject: [PATCH 06/24] ui/vnc: fix potential memory corruption issues
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: <1487766986-6329-7-git-send-email-kraxel@redhat.com>
+Patchwork-id: 73977
+O-Subject: [RHEL-7.4 qemu-kvm PATCH 6/8] ui/vnc: fix potential memory corruption issues
+Bugzilla: 1377977
+RH-Acked-by: Thomas Huth <thuth@redhat.com>
+RH-Acked-by: Marc-André Lureau <mlureau@redhat.com>
+RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+
+From: Peter Lieven <pl@kamp.de>
+
+this patch makes the VNC server work correctly if the
+server surface and the guest surface have different sizes.
+
+Basically the server surface is adjusted to not exceed VNC_MAX_WIDTH
+x VNC_MAX_HEIGHT and additionally the width is rounded up to multiple of
+VNC_DIRTY_PIXELS_PER_BIT.
+
+If we have a resolution whose width is not dividable by VNC_DIRTY_PIXELS_PER_BIT
+we now get a small black bar on the right of the screen.
+
+If the surface is too big to fit the limits only the upper left area is shown.
+
+On top of that this fixes 2 memory corruption issues:
+
+The first was actually discovered during playing
+around with a Windows 7 vServer. During resolution
+change in Windows 7 it happens sometimes that Windows
+changes to an intermediate resolution where
+server_stride % cmp_bytes != 0 (in vnc_refresh_server_surface).
+This happens only if width % VNC_DIRTY_PIXELS_PER_BIT != 0.
+
+The second is a theoretical issue, but is maybe exploitable
+by the guest. If for some reason the guest surface size is bigger
+than VNC_MAX_WIDTH x VNC_MAX_HEIGHT we end up in severe corruption since
+this limit is nowhere enforced.
+
+Signed-off-by: Peter Lieven <pl@kamp.de>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit bea60dd7679364493a0d7f5b54316c767cf894ef)
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+Conflicts:
+ ui/vnc.c [ in pointer_event, input subsystem differences ]
+---
+ ui/vnc.c | 149 +++++++++++++++++++++++++++++----------------------------------
+ ui/vnc.h | 14 +++---
+ 2 files changed, 77 insertions(+), 86 deletions(-)
+
+diff --git a/ui/vnc.c b/ui/vnc.c
+index 51f95be..80b7792 100644
+--- a/ui/vnc.c
++++ b/ui/vnc.c
+@@ -427,14 +427,10 @@ static void framebuffer_update_request(VncState *vs, int incremental,
+ static void vnc_refresh(DisplayChangeListener *dcl);
+ static int vnc_refresh_server_surface(VncDisplay *vd);
+
+-static void vnc_dpy_update(DisplayChangeListener *dcl,
+- int x, int y, int w, int h)
+-{
+- VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
+- struct VncSurface *s = &vd->guest;
+- int width = surface_width(vd->ds);
+- int height = surface_height(vd->ds);
+-
++static void vnc_set_area_dirty(DECLARE_BITMAP(dirty[VNC_MAX_HEIGHT],
++ VNC_MAX_WIDTH / VNC_DIRTY_PIXELS_PER_BIT),
++ int width, int height,
++ int x, int y, int w, int h) {
+ /* this is needed this to ensure we updated all affected
+ * blocks if x % VNC_DIRTY_PIXELS_PER_BIT != 0 */
+ w += (x % VNC_DIRTY_PIXELS_PER_BIT);
+@@ -446,11 +442,22 @@ static void vnc_dpy_update(DisplayChangeListener *dcl,
+ h = MIN(y + h, height);
+
+ for (; y < h; y++) {
+- bitmap_set(s->dirty[y], x / VNC_DIRTY_PIXELS_PER_BIT,
++ bitmap_set(dirty[y], x / VNC_DIRTY_PIXELS_PER_BIT,
+ DIV_ROUND_UP(w, VNC_DIRTY_PIXELS_PER_BIT));
+ }
+ }
+
++static void vnc_dpy_update(DisplayChangeListener *dcl,
++ int x, int y, int w, int h)
++{
++ VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
++ struct VncSurface *s = &vd->guest;
++ int width = pixman_image_get_width(vd->server);
++ int height = pixman_image_get_height(vd->server);
++
++ vnc_set_area_dirty(s->dirty, width, height, x, y, w, h);
++}
++
+ void vnc_framebuffer_update(VncState *vs, int x, int y, int w, int h,
+ int32_t encoding)
+ {
+@@ -512,17 +519,15 @@ void buffer_advance(Buffer *buf, size_t len)
+
+ static void vnc_desktop_resize(VncState *vs)
+ {
+- DisplaySurface *ds = vs->vd->ds;
+-
+ if (vs->csock == -1 || !vnc_has_feature(vs, VNC_FEATURE_RESIZE)) {
+ return;
+ }
+- if (vs->client_width == surface_width(ds) &&
+- vs->client_height == surface_height(ds)) {
++ if (vs->client_width == pixman_image_get_width(vs->vd->server) &&
++ vs->client_height == pixman_image_get_height(vs->vd->server)) {
+ return;
+ }
+- vs->client_width = surface_width(ds);
+- vs->client_height = surface_height(ds);
++ vs->client_width = pixman_image_get_width(vs->vd->server);
++ vs->client_height = pixman_image_get_height(vs->vd->server);
+ vnc_lock_output(vs);
+ vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
+ vnc_write_u8(vs, 0);
+@@ -566,31 +571,24 @@ void *vnc_server_fb_ptr(VncDisplay *vd, int x, int y)
+ ptr += x * VNC_SERVER_FB_BYTES;
+ return ptr;
+ }
+-/* this sets only the visible pixels of a dirty bitmap */
+-#define VNC_SET_VISIBLE_PIXELS_DIRTY(bitmap, w, h) {\
+- int y;\
+- memset(bitmap, 0x00, sizeof(bitmap));\
+- for (y = 0; y < h; y++) {\
+- bitmap_set(bitmap[y], 0,\
+- DIV_ROUND_UP(w, VNC_DIRTY_PIXELS_PER_BIT));\
+- } \
+- }
+
+ static void vnc_dpy_switch(DisplayChangeListener *dcl,
+ DisplaySurface *surface)
+ {
+ VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
+ VncState *vs;
++ int width, height;
+
+ vnc_abort_display_jobs(vd);
+
+ /* server surface */
+ qemu_pixman_image_unref(vd->server);
+ vd->ds = surface;
++ width = MIN(VNC_MAX_WIDTH, ROUND_UP(surface_width(vd->ds),
++ VNC_DIRTY_PIXELS_PER_BIT));
++ height = MIN(VNC_MAX_HEIGHT, surface_height(vd->ds));
+ vd->server = pixman_image_create_bits(VNC_SERVER_FB_FORMAT,
+- surface_width(vd->ds),
+- surface_height(vd->ds),
+- NULL, 0);
++ width, height, NULL, 0);
+
+ /* guest surface */
+ #if 0 /* FIXME */
+@@ -600,9 +598,9 @@ static void vnc_dpy_switch(DisplayChangeListener *dcl,
+ qemu_pixman_image_unref(vd->guest.fb);
+ vd->guest.fb = pixman_image_ref(surface->image);
+ vd->guest.format = surface->format;
+- VNC_SET_VISIBLE_PIXELS_DIRTY(vd->guest.dirty,
+- surface_width(vd->ds),
+- surface_height(vd->ds));
++ memset(vd->guest.dirty, 0x00, sizeof(vd->guest.dirty));
++ vnc_set_area_dirty(vd->guest.dirty, width, height, 0, 0,
++ width, height);
+
+ QTAILQ_FOREACH(vs, &vd->clients, next) {
+ vnc_colordepth(vs);
+@@ -610,9 +608,9 @@ static void vnc_dpy_switch(DisplayChangeListener *dcl,
+ if (vs->vd->cursor) {
+ vnc_cursor_define(vs);
+ }
+- VNC_SET_VISIBLE_PIXELS_DIRTY(vs->dirty,
+- surface_width(vd->ds),
+- surface_height(vd->ds));
++ memset(vs->dirty, 0x00, sizeof(vs->dirty));
++ vnc_set_area_dirty(vs->dirty, width, height, 0, 0,
++ width, height);
+ }
+ }
+
+@@ -916,8 +914,8 @@ static int vnc_update_client(VncState *vs, int has_dirty)
+ */
+ job = vnc_job_new(vs);
+
+- height = MIN(pixman_image_get_height(vd->server), vs->client_height);
+- width = MIN(pixman_image_get_width(vd->server), vs->client_width);
++ height = pixman_image_get_height(vd->server);
++ width = pixman_image_get_width(vd->server);
+
+ y = 0;
+ for (;;) {
+@@ -1500,8 +1498,8 @@ static void check_pointer_type_change(Notifier *notifier, void *data)
+ vnc_write_u8(vs, 0);
+ vnc_write_u16(vs, 1);
+ vnc_framebuffer_update(vs, absolute, 0,
+- surface_width(vs->vd->ds),
+- surface_height(vs->vd->ds),
++ pixman_image_get_width(vs->vd->server),
++ pixman_image_get_height(vs->vd->server),
+ VNC_ENCODING_POINTER_TYPE_CHANGE);
+ vnc_unlock_output(vs);
+ vnc_flush(vs);
+@@ -1513,8 +1511,8 @@ static void pointer_event(VncState *vs, int button_mask, int x, int y)
+ {
+ int buttons = 0;
+ int dz = 0;
+- int width = surface_width(vs->vd->ds);
+- int height = surface_height(vs->vd->ds);
++ int width = pixman_image_get_width(vs->vd->server);
++ int height = pixman_image_get_height(vs->vd->server);
+
+ if (button_mask & 0x01)
+ buttons |= MOUSE_EVENT_LBUTTON;
+@@ -1866,29 +1864,18 @@ static void ext_key_event(VncState *vs, int down,
+ }
+
+ static void framebuffer_update_request(VncState *vs, int incremental,
+- int x_position, int y_position,
+- int w, int h)
++ int x, int y, int w, int h)
+ {
+- int i;
+- const size_t width = surface_width(vs->vd->ds) / VNC_DIRTY_PIXELS_PER_BIT;
+- const size_t height = surface_height(vs->vd->ds);
+-
+- if (y_position > height) {
+- y_position = height;
+- }
+- if (y_position + h >= height) {
+- h = height - y_position;
+- }
++ int width = pixman_image_get_width(vs->vd->server);
++ int height = pixman_image_get_height(vs->vd->server);
+
+ vs->need_update = 1;
+- if (!incremental) {
+- vs->force_update = 1;
+- for (i = 0; i < h; i++) {
+- bitmap_set(vs->dirty[y_position + i], 0, width);
+- bitmap_clear(vs->dirty[y_position + i], width,
+- VNC_DIRTY_BITS - width);
+- }
++
++ if (incremental) {
++ return;
+ }
++
++ vnc_set_area_dirty(vs->dirty, width, height, x, y, w, h);
+ }
+
+ static void send_ext_key_event_ack(VncState *vs)
+@@ -1898,8 +1885,8 @@ static void send_ext_key_event_ack(VncState *vs)
+ vnc_write_u8(vs, 0);
+ vnc_write_u16(vs, 1);
+ vnc_framebuffer_update(vs, 0, 0,
+- surface_width(vs->vd->ds),
+- surface_height(vs->vd->ds),
++ pixman_image_get_width(vs->vd->server),
++ pixman_image_get_height(vs->vd->server),
+ VNC_ENCODING_EXT_KEY_EVENT);
+ vnc_unlock_output(vs);
+ vnc_flush(vs);
+@@ -1912,8 +1899,8 @@ static void send_ext_audio_ack(VncState *vs)
+ vnc_write_u8(vs, 0);
+ vnc_write_u16(vs, 1);
+ vnc_framebuffer_update(vs, 0, 0,
+- surface_width(vs->vd->ds),
+- surface_height(vs->vd->ds),
++ pixman_image_get_width(vs->vd->server),
++ pixman_image_get_height(vs->vd->server),
+ VNC_ENCODING_AUDIO);
+ vnc_unlock_output(vs);
+ vnc_flush(vs);
+@@ -2101,8 +2088,8 @@ static void vnc_colordepth(VncState *vs)
+ vnc_write_u8(vs, 0);
+ vnc_write_u16(vs, 1); /* number of rects */
+ vnc_framebuffer_update(vs, 0, 0,
+- surface_width(vs->vd->ds),
+- surface_height(vs->vd->ds),
++ pixman_image_get_width(vs->vd->server),
++ pixman_image_get_height(vs->vd->server),
+ VNC_ENCODING_WMVi);
+ pixel_format_message(vs);
+ vnc_unlock_output(vs);
+@@ -2317,8 +2304,8 @@ static int protocol_client_init(VncState *vs, uint8_t *data, size_t len)
+ }
+ vnc_set_share_mode(vs, mode);
+
+- vs->client_width = surface_width(vs->vd->ds);
+- vs->client_height = surface_height(vs->vd->ds);
++ vs->client_width = pixman_image_get_width(vs->vd->server);
++ vs->client_height = pixman_image_get_height(vs->vd->server);
+ vnc_write_u16(vs, vs->client_width);
+ vnc_write_u16(vs, vs->client_height);
+
+@@ -2685,12 +2672,12 @@ static void vnc_rect_updated(VncDisplay *vd, int x, int y, struct timeval * tv)
+
+ static int vnc_refresh_server_surface(VncDisplay *vd)
+ {
+- int width = pixman_image_get_width(vd->guest.fb);
+- int height = pixman_image_get_height(vd->guest.fb);
+- int y;
++ int width = MIN(pixman_image_get_width(vd->guest.fb),
++ pixman_image_get_width(vd->server));
++ int height = MIN(pixman_image_get_height(vd->guest.fb),
++ pixman_image_get_height(vd->server));
++ int cmp_bytes, server_stride, min_stride, guest_stride, y = 0;
+ uint8_t *guest_row0 = NULL, *server_row0;
+- int guest_stride = 0, server_stride;
+- int cmp_bytes;
+ VncState *vs;
+ int has_dirty = 0;
+ pixman_image_t *tmpbuf = NULL;
+@@ -2707,10 +2694,10 @@ static int vnc_refresh_server_surface(VncDisplay *vd)
+ * Check and copy modified bits from guest to server surface.
+ * Update server dirty map.
+ */
+- cmp_bytes = VNC_DIRTY_PIXELS_PER_BIT * VNC_SERVER_FB_BYTES;
+- if (cmp_bytes > vnc_server_fb_stride(vd)) {
+- cmp_bytes = vnc_server_fb_stride(vd);
+- }
++ server_row0 = (uint8_t *)pixman_image_get_data(vd->server);
++ server_stride = guest_stride = pixman_image_get_stride(vd->server);
++ cmp_bytes = MIN(VNC_DIRTY_PIXELS_PER_BIT * VNC_SERVER_FB_BYTES,
++ server_stride);
+ if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
+ int width = pixman_image_get_width(vd->server);
+ tmpbuf = qemu_pixman_linebuf_create(VNC_SERVER_FB_FORMAT, width);
+@@ -2718,10 +2705,8 @@ static int vnc_refresh_server_surface(VncDisplay *vd)
+ guest_row0 = (uint8_t *)pixman_image_get_data(vd->guest.fb);
+ guest_stride = pixman_image_get_stride(vd->guest.fb);
+ }
+- server_row0 = (uint8_t *)pixman_image_get_data(vd->server);
+- server_stride = pixman_image_get_stride(vd->server);
++ min_stride = MIN(server_stride, guest_stride);
+
+- y = 0;
+ for (;;) {
+ int x;
+ uint8_t *guest_ptr, *server_ptr;
+@@ -2747,13 +2732,17 @@ static int vnc_refresh_server_surface(VncDisplay *vd)
+
+ for (; x < DIV_ROUND_UP(width, VNC_DIRTY_PIXELS_PER_BIT);
+ x++, guest_ptr += cmp_bytes, server_ptr += cmp_bytes) {
++ int _cmp_bytes = cmp_bytes;
+ if (!test_and_clear_bit(x, vd->guest.dirty[y])) {
+ continue;
+ }
+- if (memcmp(server_ptr, guest_ptr, cmp_bytes) == 0) {
++ if ((x + 1) * cmp_bytes > min_stride) {
++ _cmp_bytes = min_stride - x * cmp_bytes;
++ }
++ if (memcmp(server_ptr, guest_ptr, _cmp_bytes) == 0) {
+ continue;
+ }
+- memcpy(server_ptr, guest_ptr, cmp_bytes);
++ memcpy(server_ptr, guest_ptr, _cmp_bytes);
+ if (!vd->non_adaptive) {
+ vnc_rect_updated(vd, x * VNC_DIRTY_PIXELS_PER_BIT,
+ y, &tv);
+diff --git a/ui/vnc.h b/ui/vnc.h
+index ebf4bdd..8d534b6 100644
+--- a/ui/vnc.h
++++ b/ui/vnc.h
+@@ -77,14 +77,15 @@ typedef void VncSendHextileTile(VncState *vs,
+ void *last_fg,
+ int *has_bg, int *has_fg);
+
+-/* VNC_MAX_WIDTH must be a multiple of 16. */
+-#define VNC_MAX_WIDTH 2560
+-#define VNC_MAX_HEIGHT 2048
+-
+ /* VNC_DIRTY_PIXELS_PER_BIT is the number of dirty pixels represented
+- * by one bit in the dirty bitmap */
++ * by one bit in the dirty bitmap, should be a power of 2 */
+ #define VNC_DIRTY_PIXELS_PER_BIT 16
+
++/* VNC_MAX_WIDTH must be a multiple of VNC_DIRTY_PIXELS_PER_BIT. */
++
++#define VNC_MAX_WIDTH ROUND_UP(2560, VNC_DIRTY_PIXELS_PER_BIT)
++#define VNC_MAX_HEIGHT 2048
++
+ /* VNC_DIRTY_BITS is the number of bits in the dirty bitmap. */
+ #define VNC_DIRTY_BITS (VNC_MAX_WIDTH / VNC_DIRTY_PIXELS_PER_BIT)
+
+@@ -126,7 +127,8 @@ typedef struct VncRectStat VncRectStat;
+ struct VncSurface
+ {
+ struct timeval last_freq_check;
+- DECLARE_BITMAP(dirty[VNC_MAX_HEIGHT], VNC_MAX_WIDTH / 16);
++ DECLARE_BITMAP(dirty[VNC_MAX_HEIGHT],
++ VNC_MAX_WIDTH / VNC_DIRTY_PIXELS_PER_BIT);
+ VncRectStat stats[VNC_STAT_ROWS][VNC_STAT_COLS];
+ pixman_image_t *fb;
+ pixman_format_code_t format;
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-ui-vnc-fix-vmware-VGA-incompatiblities.patch b/SOURCES/kvm-ui-vnc-fix-vmware-VGA-incompatiblities.patch
new file mode 100644
index 0000000..96479d3
--- /dev/null
+++ b/SOURCES/kvm-ui-vnc-fix-vmware-VGA-incompatiblities.patch
@@ -0,0 +1,94 @@
+From e35f40730d3d79ebc1870c5716c14f821a67a5ef Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Wed, 22 Feb 2017 12:36:23 +0100
+Subject: [PATCH 05/24] ui/vnc: fix vmware VGA incompatiblities
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: <1487766986-6329-6-git-send-email-kraxel@redhat.com>
+Patchwork-id: 73976
+O-Subject: [RHEL-7.4 qemu-kvm PATCH 5/8] ui/vnc: fix vmware VGA incompatiblities
+Bugzilla: 1377977
+RH-Acked-by: Thomas Huth <thuth@redhat.com>
+RH-Acked-by: Marc-André Lureau <mlureau@redhat.com>
+RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+
+From: Peter Lieven <pl@kamp.de>
+
+this fixes invalid rectangle updates observed after commit 12b316d
+with the vmware VGA driver. The issues occured because the server
+and client surface update seems to be out of sync at some points
+and the max width of the surface is not dividable by
+VNC_DIRTY_BITS_PER_PIXEL (16).
+
+Reported-by: Serge Hallyn <serge.hallyn@ubuntu.com>
+Signed-off-by: Peter Lieven <pl@kamp.de>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit 2f487a3d40faff1772e14da6b921900915501f9a)
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ hw/display/vmware_vga.c | 3 ++-
+ ui/vnc.c | 10 +++++++---
+ 2 files changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
+index df76aec..8e334c0 100644
+--- a/hw/display/vmware_vga.c
++++ b/hw/display/vmware_vga.c
+@@ -24,6 +24,7 @@
+ #include "hw/hw.h"
+ #include "hw/loader.h"
+ #include "ui/console.h"
++#include "ui/vnc.h"
+ #include "hw/pci/pci.h"
+
+ #undef VERBOSE
+@@ -209,7 +210,7 @@ enum {
+
+ /* These values can probably be changed arbitrarily. */
+ #define SVGA_SCRATCH_SIZE 0x8000
+-#define SVGA_MAX_WIDTH 2360
++#define SVGA_MAX_WIDTH ROUND_UP(2360, VNC_DIRTY_PIXELS_PER_BIT)
+ #define SVGA_MAX_HEIGHT 1770
+
+ #ifdef VERBOSE
+diff --git a/ui/vnc.c b/ui/vnc.c
+index 2540261..51f95be 100644
+--- a/ui/vnc.c
++++ b/ui/vnc.c
+@@ -898,7 +898,7 @@ static int vnc_update_client(VncState *vs, int has_dirty)
+ VncDisplay *vd = vs->vd;
+ VncJob *job;
+ int y;
+- int height;
++ int height, width;
+ int n = 0;
+
+ if (vs->output.offset && !vs->audio_cap && !vs->force_update)
+@@ -917,6 +917,7 @@ static int vnc_update_client(VncState *vs, int has_dirty)
+ job = vnc_job_new(vs);
+
+ height = MIN(pixman_image_get_height(vd->server), vs->client_height);
++ width = MIN(pixman_image_get_width(vd->server), vs->client_width);
+
+ y = 0;
+ for (;;) {
+@@ -935,8 +936,11 @@ static int vnc_update_client(VncState *vs, int has_dirty)
+ VNC_DIRTY_BPL(vs), x);
+ bitmap_clear(vs->dirty[y], x, x2 - x);
+ h = find_and_clear_dirty_height(vs, y, x, x2, height);
+- n += vnc_job_add_rect(job, x * VNC_DIRTY_PIXELS_PER_BIT, y,
+- (x2 - x) * VNC_DIRTY_PIXELS_PER_BIT, h);
++ x2 = MIN(x2, width / VNC_DIRTY_PIXELS_PER_BIT);
++ if (x2 > x) {
++ n += vnc_job_add_rect(job, x * VNC_DIRTY_PIXELS_PER_BIT, y,
++ (x2 - x) * VNC_DIRTY_PIXELS_PER_BIT, h);
++ }
+ }
+
+ vnc_job_push(job);
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-ui-vnc-introduce-VNC_DIRTY_PIXELS_PER_BIT-macro.patch b/SOURCES/kvm-ui-vnc-introduce-VNC_DIRTY_PIXELS_PER_BIT-macro.patch
new file mode 100644
index 0000000..f435ab8
--- /dev/null
+++ b/SOURCES/kvm-ui-vnc-introduce-VNC_DIRTY_PIXELS_PER_BIT-macro.patch
@@ -0,0 +1,203 @@
+From fd7f778fd9bd7b99ce790081544b28adede189b2 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Wed, 22 Feb 2017 12:36:19 +0100
+Subject: [PATCH 01/24] ui/vnc: introduce VNC_DIRTY_PIXELS_PER_BIT macro
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: <1487766986-6329-2-git-send-email-kraxel@redhat.com>
+Patchwork-id: 73972
+O-Subject: [RHEL-7.4 qemu-kvm PATCH 1/8] ui/vnc: introduce VNC_DIRTY_PIXELS_PER_BIT macro
+Bugzilla: 1377977
+RH-Acked-by: Thomas Huth <thuth@redhat.com>
+RH-Acked-by: Marc-André Lureau <mlureau@redhat.com>
+RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+
+From: Peter Lieven <pl@kamp.de>
+
+Signed-off-by: Peter Lieven <pl@kamp.de>
+Reviewed-by: Wenchao Xia <xiawenc@linux.vnet.ibm.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit b4c85ddcec24c60616aad9b3b7fc36ce19ba3ca4)
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ ui/vnc.c | 65 ++++++++++++++++++++++++++++++++++++++++------------------------
+ ui/vnc.h | 6 +++++-
+ 2 files changed, 46 insertions(+), 25 deletions(-)
+
+diff --git a/ui/vnc.c b/ui/vnc.c
+index a0e2d33..0c799ed 100644
+--- a/ui/vnc.c
++++ b/ui/vnc.c
+@@ -442,17 +442,19 @@ static void vnc_dpy_update(DisplayChangeListener *dcl,
+ iteration. otherwise, if (x % 16) != 0, the last iteration may span
+ two 16-pixel blocks but we only mark the first as dirty
+ */
+- w += (x % 16);
+- x -= (x % 16);
++ w += (x % VNC_DIRTY_PIXELS_PER_BIT);
++ x -= (x % VNC_DIRTY_PIXELS_PER_BIT);
+
+ x = MIN(x, width);
+ y = MIN(y, height);
+ w = MIN(x + w, width) - x;
+ h = MIN(h, height);
+
+- for (; y < h; y++)
+- for (i = 0; i < w; i += 16)
+- set_bit((x + i) / 16, s->dirty[y]);
++ for (; y < h; y++) {
++ for (i = 0; i < w; i += VNC_DIRTY_PIXELS_PER_BIT) {
++ set_bit((x + i) / VNC_DIRTY_PIXELS_PER_BIT, s->dirty[y]);
++ }
++ }
+ }
+
+ void vnc_framebuffer_update(VncState *vs, int x, int y, int w, int h,
+@@ -769,11 +771,12 @@ static void vnc_dpy_copy(DisplayChangeListener *dcl,
+ y = dst_y + h - 1;
+ inc = -1;
+ }
+- w_lim = w - (16 - (dst_x % 16));
+- if (w_lim < 0)
++ w_lim = w - (VNC_DIRTY_PIXELS_PER_BIT - (dst_x % VNC_DIRTY_PIXELS_PER_BIT));
++ if (w_lim < 0) {
+ w_lim = w;
+- else
+- w_lim = w - (w_lim % 16);
++ } else {
++ w_lim = w - (w_lim % VNC_DIRTY_PIXELS_PER_BIT);
++ }
+ for (i = 0; i < h; i++) {
+ for (x = 0; x <= w_lim;
+ x += s, src_row += cmp_bytes, dst_row += cmp_bytes) {
+@@ -781,10 +784,11 @@ static void vnc_dpy_copy(DisplayChangeListener *dcl,
+ if ((s = w - w_lim) == 0)
+ break;
+ } else if (!x) {
+- s = (16 - (dst_x % 16));
++ s = (VNC_DIRTY_PIXELS_PER_BIT -
++ (dst_x % VNC_DIRTY_PIXELS_PER_BIT));
+ s = MIN(s, w_lim);
+ } else {
+- s = 16;
++ s = VNC_DIRTY_PIXELS_PER_BIT;
+ }
+ cmp_bytes = s * VNC_SERVER_FB_BYTES;
+ if (memcmp(src_row, dst_row, cmp_bytes) == 0)
+@@ -792,7 +796,8 @@ static void vnc_dpy_copy(DisplayChangeListener *dcl,
+ memmove(dst_row, src_row, cmp_bytes);
+ QTAILQ_FOREACH(vs, &vd->clients, next) {
+ if (!vnc_has_feature(vs, VNC_FEATURE_COPYRECT)) {
+- set_bit(((x + dst_x) / 16), vs->dirty[y]);
++ set_bit(((x + dst_x) / VNC_DIRTY_PIXELS_PER_BIT),
++ vs->dirty[y]);
+ }
+ }
+ }
+@@ -911,7 +916,7 @@ static int vnc_update_client(VncState *vs, int has_dirty)
+ for (y = 0; y < height; y++) {
+ int x;
+ int last_x = -1;
+- for (x = 0; x < width / 16; x++) {
++ for (x = 0; x < width / VNC_DIRTY_PIXELS_PER_BIT; x++) {
+ if (test_and_clear_bit(x, vs->dirty[y])) {
+ if (last_x == -1) {
+ last_x = x;
+@@ -921,16 +926,22 @@ static int vnc_update_client(VncState *vs, int has_dirty)
+ int h = find_and_clear_dirty_height(vs, y, last_x, x,
+ height);
+
+- n += vnc_job_add_rect(job, last_x * 16, y,
+- (x - last_x) * 16, h);
++ n += vnc_job_add_rect(job,
++ last_x * VNC_DIRTY_PIXELS_PER_BIT,
++ y,
++ (x - last_x) *
++ VNC_DIRTY_PIXELS_PER_BIT,
++ h);
+ }
+ last_x = -1;
+ }
+ }
+ if (last_x != -1) {
+ int h = find_and_clear_dirty_height(vs, y, last_x, x, height);
+- n += vnc_job_add_rect(job, last_x * 16, y,
+- (x - last_x) * 16, h);
++ n += vnc_job_add_rect(job, last_x * VNC_DIRTY_PIXELS_PER_BIT,
++ y,
++ (x - last_x) * VNC_DIRTY_PIXELS_PER_BIT,
++ h);
+ }
+ }
+
+@@ -1861,7 +1872,7 @@ static void framebuffer_update_request(VncState *vs, int incremental,
+ int w, int h)
+ {
+ int i;
+- const size_t width = surface_width(vs->vd->ds) / 16;
++ const size_t width = surface_width(vs->vd->ds) / VNC_DIRTY_PIXELS_PER_BIT;
+ const size_t height = surface_height(vs->vd->ds);
+
+ if (y_position > height) {
+@@ -2573,7 +2584,9 @@ static int vnc_refresh_lossy_rect(VncDisplay *vd, int x, int y)
+
+ vs->lossy_rect[sty][stx] = 0;
+ for (j = 0; j < VNC_STAT_RECT; ++j) {
+- bitmap_set(vs->dirty[y + j], x / 16, VNC_STAT_RECT / 16);
++ bitmap_set(vs->dirty[y + j],
++ x / VNC_DIRTY_PIXELS_PER_BIT,
++ VNC_STAT_RECT / VNC_DIRTY_PIXELS_PER_BIT);
+ }
+ has_dirty++;
+ }
+@@ -2720,17 +2733,21 @@ static int vnc_refresh_server_surface(VncDisplay *vd)
+ }
+ server_ptr = server_row;
+
+- for (x = 0; x + 15 < width;
+- x += 16, guest_ptr += cmp_bytes, server_ptr += cmp_bytes) {
+- if (!test_and_clear_bit((x / 16), vd->guest.dirty[y]))
++ for (x = 0; x + VNC_DIRTY_PIXELS_PER_BIT - 1 < width;
++ x += VNC_DIRTY_PIXELS_PER_BIT, guest_ptr += cmp_bytes,
++ server_ptr += cmp_bytes) {
++ if (!test_and_clear_bit((x / VNC_DIRTY_PIXELS_PER_BIT),
++ vd->guest.dirty[y])) {
+ continue;
+- if (memcmp(server_ptr, guest_ptr, cmp_bytes) == 0)
++ }
++ if (memcmp(server_ptr, guest_ptr, cmp_bytes) == 0) {
+ continue;
++ }
+ memcpy(server_ptr, guest_ptr, cmp_bytes);
+ if (!vd->non_adaptive)
+ vnc_rect_updated(vd, x, y, &tv);
+ QTAILQ_FOREACH(vs, &vd->clients, next) {
+- set_bit((x / 16), vs->dirty[y]);
++ set_bit((x / VNC_DIRTY_PIXELS_PER_BIT), vs->dirty[y]);
+ }
+ has_dirty++;
+ }
+diff --git a/ui/vnc.h b/ui/vnc.h
+index 0efc5c6..561f383 100644
+--- a/ui/vnc.h
++++ b/ui/vnc.h
+@@ -81,8 +81,12 @@ typedef void VncSendHextileTile(VncState *vs,
+ #define VNC_MAX_WIDTH 2560
+ #define VNC_MAX_HEIGHT 2048
+
++/* VNC_DIRTY_PIXELS_PER_BIT is the number of dirty pixels represented
++ * by one bit in the dirty bitmap */
++#define VNC_DIRTY_PIXELS_PER_BIT 16
++
+ /* VNC_DIRTY_BITS is the number of bits in the dirty bitmap. */
+-#define VNC_DIRTY_BITS (VNC_MAX_WIDTH / 16)
++#define VNC_DIRTY_BITS (VNC_MAX_WIDTH / VNC_DIRTY_PIXELS_PER_BIT)
+
+ #define VNC_STAT_RECT 64
+ #define VNC_STAT_COLS (VNC_MAX_WIDTH / VNC_STAT_RECT)
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-ui-vnc-optimize-dirty-bitmap-tracking.patch b/SOURCES/kvm-ui-vnc-optimize-dirty-bitmap-tracking.patch
new file mode 100644
index 0000000..d45c7a3
--- /dev/null
+++ b/SOURCES/kvm-ui-vnc-optimize-dirty-bitmap-tracking.patch
@@ -0,0 +1,287 @@
+From ea939f77fa0b152746821afb017cfef8170e5500 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Wed, 22 Feb 2017 12:36:21 +0100
+Subject: [PATCH 03/24] ui/vnc: optimize dirty bitmap tracking
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: <1487766986-6329-4-git-send-email-kraxel@redhat.com>
+Patchwork-id: 73979
+O-Subject: [RHEL-7.4 qemu-kvm PATCH 3/8] ui/vnc: optimize dirty bitmap tracking
+Bugzilla: 1377977
+RH-Acked-by: Thomas Huth <thuth@redhat.com>
+RH-Acked-by: Marc-André Lureau <mlureau@redhat.com>
+RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+
+From: Peter Lieven <pl@kamp.de>
+
+vnc_update_client currently scans the dirty bitmap of each client
+bitwise which is a very costly operation if only few bits are dirty.
+vnc_refresh_server_surface does almost the same.
+this patch optimizes both by utilizing the heavily optimized
+function find_next_bit to find the offset of the next dirty
+bit in the dirty bitmaps.
+
+The following artifical test (just the bitmap operation part) running
+vnc_update_client 65536 times on a 2560x2048 surface illustrates the
+performance difference:
+
+All bits clean - vnc_update_client_new: 0.07 secs
+ vnc_update_client_old: 10.98 secs
+
+All bits dirty - vnc_update_client_new: 11.26 secs
+ vnc_update_client_old: 20.19 secs
+
+Few bits dirty - vnc_update_client_new: 0.08 secs
+ vnc_update_client_old: 10.98 secs
+
+The case for all bits dirty is still rather slow, this
+is due to the implementation of find_and_clear_dirty_height.
+This will be addresses in a separate patch.
+
+Signed-off-by: Peter Lieven <pl@kamp.de>
+Reviewed-by: Wenchao Xia <xiawenc@linux.vnet.ibm.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit 12b316d4c173bf07f421ef9dc98ba4b53916066e)
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ ui/vnc.c | 155 ++++++++++++++++++++++++++++++++++-----------------------------
+ ui/vnc.h | 4 ++
+ 2 files changed, 88 insertions(+), 71 deletions(-)
+
+diff --git a/ui/vnc.c b/ui/vnc.c
+index 13fb34b..54530a2 100644
+--- a/ui/vnc.c
++++ b/ui/vnc.c
+@@ -572,6 +572,15 @@ void *vnc_server_fb_ptr(VncDisplay *vd, int x, int y)
+ ptr += x * VNC_SERVER_FB_BYTES;
+ return ptr;
+ }
++/* this sets only the visible pixels of a dirty bitmap */
++#define VNC_SET_VISIBLE_PIXELS_DIRTY(bitmap, w, h) {\
++ int y;\
++ memset(bitmap, 0x00, sizeof(bitmap));\
++ for (y = 0; y < h; y++) {\
++ bitmap_set(bitmap[y], 0,\
++ DIV_ROUND_UP(w, VNC_DIRTY_PIXELS_PER_BIT));\
++ } \
++ }
+
+ static void vnc_dpy_switch(DisplayChangeListener *dcl,
+ DisplaySurface *surface)
+@@ -597,7 +606,9 @@ static void vnc_dpy_switch(DisplayChangeListener *dcl,
+ qemu_pixman_image_unref(vd->guest.fb);
+ vd->guest.fb = pixman_image_ref(surface->image);
+ vd->guest.format = surface->format;
+- memset(vd->guest.dirty, 0xFF, sizeof(vd->guest.dirty));
++ VNC_SET_VISIBLE_PIXELS_DIRTY(vd->guest.dirty,
++ surface_width(vd->ds),
++ surface_height(vd->ds));
+
+ QTAILQ_FOREACH(vs, &vd->clients, next) {
+ vnc_colordepth(vs);
+@@ -605,7 +616,9 @@ static void vnc_dpy_switch(DisplayChangeListener *dcl,
+ if (vs->vd->cursor) {
+ vnc_cursor_define(vs);
+ }
+- memset(vs->dirty, 0xFF, sizeof(vs->dirty));
++ VNC_SET_VISIBLE_PIXELS_DIRTY(vs->dirty,
++ surface_width(vd->ds),
++ surface_height(vd->ds));
+ }
+ }
+
+@@ -891,10 +904,9 @@ static int vnc_update_client(VncState *vs, int has_dirty)
+ VncDisplay *vd = vs->vd;
+ VncJob *job;
+ int y;
+- int width, height;
++ int height;
+ int n = 0;
+
+-
+ if (vs->output.offset && !vs->audio_cap && !vs->force_update)
+ /* kernel send buffers are full -> drop frames to throttle */
+ return 0;
+@@ -910,39 +922,27 @@ static int vnc_update_client(VncState *vs, int has_dirty)
+ */
+ job = vnc_job_new(vs);
+
+- width = MIN(pixman_image_get_width(vd->server), vs->client_width);
+ height = MIN(pixman_image_get_height(vd->server), vs->client_height);
+
+- for (y = 0; y < height; y++) {
+- int x;
+- int last_x = -1;
+- for (x = 0; x < width / VNC_DIRTY_PIXELS_PER_BIT; x++) {
+- if (test_and_clear_bit(x, vs->dirty[y])) {
+- if (last_x == -1) {
+- last_x = x;
+- }
+- } else {
+- if (last_x != -1) {
+- int h = find_and_clear_dirty_height(vs, y, last_x, x,
+- height);
+-
+- n += vnc_job_add_rect(job,
+- last_x * VNC_DIRTY_PIXELS_PER_BIT,
+- y,
+- (x - last_x) *
+- VNC_DIRTY_PIXELS_PER_BIT,
+- h);
+- }
+- last_x = -1;
+- }
+- }
+- if (last_x != -1) {
+- int h = find_and_clear_dirty_height(vs, y, last_x, x, height);
+- n += vnc_job_add_rect(job, last_x * VNC_DIRTY_PIXELS_PER_BIT,
+- y,
+- (x - last_x) * VNC_DIRTY_PIXELS_PER_BIT,
+- h);
++ y = 0;
++ for (;;) {
++ int x, h;
++ unsigned long x2;
++ unsigned long offset = find_next_bit((unsigned long *) &vs->dirty,
++ height * VNC_DIRTY_BPL(vs),
++ y * VNC_DIRTY_BPL(vs));
++ if (offset == height * VNC_DIRTY_BPL(vs)) {
++ /* no more dirty bits */
++ break;
+ }
++ y = offset / VNC_DIRTY_BPL(vs);
++ x = offset % VNC_DIRTY_BPL(vs);
++ x2 = find_next_zero_bit((unsigned long *) &vs->dirty[y],
++ VNC_DIRTY_BPL(vs), x);
++ bitmap_clear(vs->dirty[y], x, x2 - x);
++ h = find_and_clear_dirty_height(vs, y, x, x2, height);
++ n += vnc_job_add_rect(job, x * VNC_DIRTY_PIXELS_PER_BIT, y,
++ (x2 - x) * VNC_DIRTY_PIXELS_PER_BIT, h);
+ }
+
+ vnc_job_push(job);
+@@ -2690,8 +2690,8 @@ static int vnc_refresh_server_surface(VncDisplay *vd)
+ int width = pixman_image_get_width(vd->guest.fb);
+ int height = pixman_image_get_height(vd->guest.fb);
+ int y;
+- uint8_t *guest_row;
+- uint8_t *server_row;
++ uint8_t *guest_row0 = NULL, *server_row0;
++ int guest_stride = 0, server_stride;
+ int cmp_bytes;
+ VncState *vs;
+ int has_dirty = 0;
+@@ -2716,44 +2716,57 @@ static int vnc_refresh_server_surface(VncDisplay *vd)
+ if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
+ int width = pixman_image_get_width(vd->server);
+ tmpbuf = qemu_pixman_linebuf_create(VNC_SERVER_FB_FORMAT, width);
+- }
+- guest_row = (uint8_t *)pixman_image_get_data(vd->guest.fb);
+- server_row = (uint8_t *)pixman_image_get_data(vd->server);
+- for (y = 0; y < height; y++) {
+- if (!bitmap_empty(vd->guest.dirty[y], VNC_DIRTY_BITS)) {
+- int x;
+- uint8_t *guest_ptr;
+- uint8_t *server_ptr;
+-
+- if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
+- qemu_pixman_linebuf_fill(tmpbuf, vd->guest.fb, width, 0, y);
+- guest_ptr = (uint8_t *)pixman_image_get_data(tmpbuf);
+- } else {
+- guest_ptr = guest_row;
+- }
+- server_ptr = server_row;
++ } else {
++ guest_row0 = (uint8_t *)pixman_image_get_data(vd->guest.fb);
++ guest_stride = pixman_image_get_stride(vd->guest.fb);
++ }
++ server_row0 = (uint8_t *)pixman_image_get_data(vd->server);
++ server_stride = pixman_image_get_stride(vd->server);
++
++ y = 0;
++ for (;;) {
++ int x;
++ uint8_t *guest_ptr, *server_ptr;
++ unsigned long offset = find_next_bit((unsigned long *) &vd->guest.dirty,
++ height * VNC_DIRTY_BPL(&vd->guest),
++ y * VNC_DIRTY_BPL(&vd->guest));
++ if (offset == height * VNC_DIRTY_BPL(&vd->guest)) {
++ /* no more dirty bits */
++ break;
++ }
++ y = offset / VNC_DIRTY_BPL(&vd->guest);
++ x = offset % VNC_DIRTY_BPL(&vd->guest);
+
+- for (x = 0; x + VNC_DIRTY_PIXELS_PER_BIT - 1 < width;
+- x += VNC_DIRTY_PIXELS_PER_BIT, guest_ptr += cmp_bytes,
+- server_ptr += cmp_bytes) {
+- if (!test_and_clear_bit((x / VNC_DIRTY_PIXELS_PER_BIT),
+- vd->guest.dirty[y])) {
+- continue;
+- }
+- if (memcmp(server_ptr, guest_ptr, cmp_bytes) == 0) {
+- continue;
+- }
+- memcpy(server_ptr, guest_ptr, cmp_bytes);
+- if (!vd->non_adaptive)
+- vnc_rect_updated(vd, x, y, &tv);
+- QTAILQ_FOREACH(vs, &vd->clients, next) {
+- set_bit((x / VNC_DIRTY_PIXELS_PER_BIT), vs->dirty[y]);
+- }
+- has_dirty++;
++ server_ptr = server_row0 + y * server_stride + x * cmp_bytes;
++
++ if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
++ qemu_pixman_linebuf_fill(tmpbuf, vd->guest.fb, width, 0, y);
++ guest_ptr = (uint8_t *)pixman_image_get_data(tmpbuf);
++ } else {
++ guest_ptr = guest_row0 + y * guest_stride;
++ }
++ guest_ptr += x * cmp_bytes;
++
++ for (; x < DIV_ROUND_UP(width, VNC_DIRTY_PIXELS_PER_BIT);
++ x++, guest_ptr += cmp_bytes, server_ptr += cmp_bytes) {
++ if (!test_and_clear_bit(x, vd->guest.dirty[y])) {
++ continue;
++ }
++ if (memcmp(server_ptr, guest_ptr, cmp_bytes) == 0) {
++ continue;
++ }
++ memcpy(server_ptr, guest_ptr, cmp_bytes);
++ if (!vd->non_adaptive) {
++ vnc_rect_updated(vd, x * VNC_DIRTY_PIXELS_PER_BIT,
++ y, &tv);
+ }
++ QTAILQ_FOREACH(vs, &vd->clients, next) {
++ set_bit(x, vs->dirty[y]);
++ }
++ has_dirty++;
+ }
+- guest_row += pixman_image_get_stride(vd->guest.fb);
+- server_row += pixman_image_get_stride(vd->server);
++
++ y++;
+ }
+ qemu_pixman_image_unref(tmpbuf);
+ return has_dirty;
+diff --git a/ui/vnc.h b/ui/vnc.h
+index 561f383..ebf4bdd 100644
+--- a/ui/vnc.h
++++ b/ui/vnc.h
+@@ -88,6 +88,10 @@ typedef void VncSendHextileTile(VncState *vs,
+ /* VNC_DIRTY_BITS is the number of bits in the dirty bitmap. */
+ #define VNC_DIRTY_BITS (VNC_MAX_WIDTH / VNC_DIRTY_PIXELS_PER_BIT)
+
++/* VNC_DIRTY_BPL (BPL = bits per line) might be greater than
++ * VNC_DIRTY_BITS due to alignment */
++#define VNC_DIRTY_BPL(x) (sizeof((x)->dirty) / VNC_MAX_HEIGHT * BITS_PER_BYTE)
++
+ #define VNC_STAT_RECT 64
+ #define VNC_STAT_COLS (VNC_MAX_WIDTH / VNC_STAT_RECT)
+ #define VNC_STAT_ROWS (VNC_MAX_HEIGHT / VNC_STAT_RECT)
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-ui-vnc-optimize-setting-in-vnc_dpy_update.patch b/SOURCES/kvm-ui-vnc-optimize-setting-in-vnc_dpy_update.patch
new file mode 100644
index 0000000..d2de57e
--- /dev/null
+++ b/SOURCES/kvm-ui-vnc-optimize-setting-in-vnc_dpy_update.patch
@@ -0,0 +1,71 @@
+From 9730b328cc524281334344466a01fb861b271b82 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Wed, 22 Feb 2017 12:36:22 +0100
+Subject: [PATCH 04/24] ui/vnc: optimize setting in vnc_dpy_update()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: <1487766986-6329-5-git-send-email-kraxel@redhat.com>
+Patchwork-id: 73974
+O-Subject: [RHEL-7.4 qemu-kvm PATCH 4/8] ui/vnc: optimize setting in vnc_dpy_update()
+Bugzilla: 1377977
+RH-Acked-by: Thomas Huth <thuth@redhat.com>
+RH-Acked-by: Marc-André Lureau <mlureau@redhat.com>
+RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+
+From: Peter Lieven <pl@kamp.de>
+
+Signed-off-by: Peter Lieven <pl@kamp.de>
+Reviewed-by: Wenchao Xia <xiawenc@linux.vnet.ibm.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit 919372251cbfa9e43b0264fec475dd1eca23784f)
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ ui/vnc.c | 16 +++++-----------
+ 1 file changed, 5 insertions(+), 11 deletions(-)
+
+diff --git a/ui/vnc.c b/ui/vnc.c
+index 54530a2..2540261 100644
+--- a/ui/vnc.c
++++ b/ui/vnc.c
+@@ -430,30 +430,24 @@ static int vnc_refresh_server_surface(VncDisplay *vd);
+ static void vnc_dpy_update(DisplayChangeListener *dcl,
+ int x, int y, int w, int h)
+ {
+- int i;
+ VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
+ struct VncSurface *s = &vd->guest;
+ int width = surface_width(vd->ds);
+ int height = surface_height(vd->ds);
+
+- h += y;
+-
+- /* round x down to ensure the loop only spans one 16-pixel block per,
+- iteration. otherwise, if (x % 16) != 0, the last iteration may span
+- two 16-pixel blocks but we only mark the first as dirty
+- */
++ /* this is needed this to ensure we updated all affected
++ * blocks if x % VNC_DIRTY_PIXELS_PER_BIT != 0 */
+ w += (x % VNC_DIRTY_PIXELS_PER_BIT);
+ x -= (x % VNC_DIRTY_PIXELS_PER_BIT);
+
+ x = MIN(x, width);
+ y = MIN(y, height);
+ w = MIN(x + w, width) - x;
+- h = MIN(h, height);
++ h = MIN(y + h, height);
+
+ for (; y < h; y++) {
+- for (i = 0; i < w; i += VNC_DIRTY_PIXELS_PER_BIT) {
+- set_bit((x + i) / VNC_DIRTY_PIXELS_PER_BIT, s->dirty[y]);
+- }
++ bitmap_set(s->dirty[y], x / VNC_DIRTY_PIXELS_PER_BIT,
++ DIV_ROUND_UP(w, VNC_DIRTY_PIXELS_PER_BIT));
+ }
+ }
+
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-usb-ccid-add-check-message-size-checks.patch b/SOURCES/kvm-usb-ccid-add-check-message-size-checks.patch
new file mode 100644
index 0000000..f0c2e48
--- /dev/null
+++ b/SOURCES/kvm-usb-ccid-add-check-message-size-checks.patch
@@ -0,0 +1,64 @@
+From 3d6cc57909eca16bd7bc4dc823b5eb71e65baffb Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Tue, 14 Mar 2017 08:52:56 +0100
+Subject: [PATCH 23/24] usb-ccid: add check message size checks
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: <1489481576-26911-5-git-send-email-kraxel@redhat.com>
+Patchwork-id: 74287
+O-Subject: [RHEL-7.4 qemu-kvm PATCH 4/4] usb-ccid: add check message size checks
+Bugzilla: 1419818
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+Check message size too when figuring whenever we should expect more data.
+Fix debug message to show useful data, p->iov.size is fixed anyway if we
+land there, print how much we got meanwhile instead.
+
+Also check announced message size against actual message size. That
+is a more general fix for CVE-2017-5898 than commit "c7dfbf3 usb: ccid:
+check ccid apdu length".
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-id: 1487250819-23764-4-git-send-email-kraxel@redhat.com
+(cherry picked from commit 31fb4444a485a348f8e2699d7c3dd15e1819ad2c)
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ hw/usb/dev-smartcard-reader.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/hw/usb/dev-smartcard-reader.c b/hw/usb/dev-smartcard-reader.c
+index 07d15ba..5e96a18 100644
+--- a/hw/usb/dev-smartcard-reader.c
++++ b/hw/usb/dev-smartcard-reader.c
+@@ -1009,12 +1009,19 @@ static void ccid_handle_bulk_out(USBCCIDState *s, USBPacket *p)
+ }
+
+ ccid_header = (CCID_Header *)s->bulk_out_data;
+- if (p->iov.size == CCID_MAX_PACKET_SIZE) {
++ if ((s->bulk_out_pos - 10 < ccid_header->dwLength) &&
++ (p->iov.size == CCID_MAX_PACKET_SIZE)) {
+ DPRINTF(s, D_VERBOSE,
+- "usb-ccid: bulk_in: expecting more packets (%zd/%d)\n",
+- p->iov.size, ccid_header->dwLength);
++ "usb-ccid: bulk_in: expecting more packets (%d/%d)\n",
++ s->bulk_out_pos - 10, ccid_header->dwLength);
+ return;
+ }
++ if (s->bulk_out_pos - 10 != ccid_header->dwLength) {
++ DPRINTF(s, 1,
++ "usb-ccid: bulk_in: message size mismatch (got %d, expected %d)\n",
++ s->bulk_out_pos - 10, ccid_header->dwLength);
++ goto err;
++ }
+
+ DPRINTF(s, D_MORE_INFO, "%s %x %s\n", __func__,
+ ccid_header->bMessageType,
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-usb-ccid-better-bulk_out-error-handling.patch b/SOURCES/kvm-usb-ccid-better-bulk_out-error-handling.patch
new file mode 100644
index 0000000..6eab01a
--- /dev/null
+++ b/SOURCES/kvm-usb-ccid-better-bulk_out-error-handling.patch
@@ -0,0 +1,175 @@
+From b71bd2f7f4a259183fa3d38e6e891cffb86683e2 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Tue, 14 Mar 2017 08:52:54 +0100
+Subject: [PATCH 21/24] usb-ccid: better bulk_out error handling
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: <1489481576-26911-3-git-send-email-kraxel@redhat.com>
+Patchwork-id: 74289
+O-Subject: [RHEL-7.4 qemu-kvm PATCH 2/4] usb-ccid: better bulk_out error handling
+Bugzilla: 1419818
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+Add err goto label where we can jump to from all error conditions.
+STALL request on all errors. Reset position on all errors.
+
+Normal request processing is not in a else branch any more, so this code
+is reintended, there are no code changes in that part of the code
+though.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-id: 1487250819-23764-2-git-send-email-kraxel@redhat.com
+(cherry picked from commit 0aeebc73b7976bae5cb7e9768e3d9a0fd9d634e8)
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ hw/usb/dev-smartcard-reader.c | 116 ++++++++++++++++++++++--------------------
+ 1 file changed, 61 insertions(+), 55 deletions(-)
+
+diff --git a/hw/usb/dev-smartcard-reader.c b/hw/usb/dev-smartcard-reader.c
+index 0e0b363..672a7bf 100644
+--- a/hw/usb/dev-smartcard-reader.c
++++ b/hw/usb/dev-smartcard-reader.c
+@@ -999,8 +999,7 @@ static void ccid_handle_bulk_out(USBCCIDState *s, USBPacket *p)
+ CCID_Header *ccid_header;
+
+ if (p->iov.size + s->bulk_out_pos > BULK_OUT_DATA_SIZE) {
+- p->status = USB_RET_STALL;
+- return;
++ goto err;
+ }
+ ccid_header = (CCID_Header *)s->bulk_out_data;
+ usb_packet_copy(p, s->bulk_out_data + s->bulk_out_pos, p->iov.size);
+@@ -1015,64 +1014,71 @@ static void ccid_handle_bulk_out(USBCCIDState *s, USBPacket *p)
+ DPRINTF(s, 1,
+ "%s: bad USB_TOKEN_OUT length, should be at least 10 bytes\n",
+ __func__);
+- } else {
+- DPRINTF(s, D_MORE_INFO, "%s %x %s\n", __func__,
+- ccid_header->bMessageType,
+- ccid_message_type_to_str(ccid_header->bMessageType));
+- switch (ccid_header->bMessageType) {
+- case CCID_MESSAGE_TYPE_PC_to_RDR_GetSlotStatus:
+- ccid_write_slot_status(s, ccid_header);
+- break;
+- case CCID_MESSAGE_TYPE_PC_to_RDR_IccPowerOn:
+- DPRINTF(s, 1, "%s: PowerOn: %d\n", __func__,
++ goto err;
++ }
++
++ DPRINTF(s, D_MORE_INFO, "%s %x %s\n", __func__,
++ ccid_header->bMessageType,
++ ccid_message_type_to_str(ccid_header->bMessageType));
++ switch (ccid_header->bMessageType) {
++ case CCID_MESSAGE_TYPE_PC_to_RDR_GetSlotStatus:
++ ccid_write_slot_status(s, ccid_header);
++ break;
++ case CCID_MESSAGE_TYPE_PC_to_RDR_IccPowerOn:
++ DPRINTF(s, 1, "%s: PowerOn: %d\n", __func__,
+ ((CCID_IccPowerOn *)(ccid_header))->bPowerSelect);
+- s->powered = true;
+- if (!ccid_card_inserted(s)) {
+- ccid_report_error_failed(s, ERROR_ICC_MUTE);
+- }
+- /* atr is written regardless of error. */
+- ccid_write_data_block_atr(s, ccid_header);
+- break;
+- case CCID_MESSAGE_TYPE_PC_to_RDR_IccPowerOff:
+- ccid_reset_error_status(s);
+- s->powered = false;
+- ccid_write_slot_status(s, ccid_header);
+- break;
+- case CCID_MESSAGE_TYPE_PC_to_RDR_XfrBlock:
+- ccid_on_apdu_from_guest(s, (CCID_XferBlock *)s->bulk_out_data);
+- break;
+- case CCID_MESSAGE_TYPE_PC_to_RDR_SetParameters:
+- ccid_reset_error_status(s);
+- ccid_set_parameters(s, ccid_header);
+- ccid_write_parameters(s, ccid_header);
+- break;
+- case CCID_MESSAGE_TYPE_PC_to_RDR_ResetParameters:
+- ccid_reset_error_status(s);
+- ccid_reset_parameters(s);
+- ccid_write_parameters(s, ccid_header);
+- break;
+- case CCID_MESSAGE_TYPE_PC_to_RDR_GetParameters:
+- ccid_reset_error_status(s);
+- ccid_write_parameters(s, ccid_header);
+- break;
+- case CCID_MESSAGE_TYPE_PC_to_RDR_Mechanical:
+- ccid_report_error_failed(s, 0);
+- ccid_write_slot_status(s, ccid_header);
+- break;
+- default:
+- DPRINTF(s, 1,
++ s->powered = true;
++ if (!ccid_card_inserted(s)) {
++ ccid_report_error_failed(s, ERROR_ICC_MUTE);
++ }
++ /* atr is written regardless of error. */
++ ccid_write_data_block_atr(s, ccid_header);
++ break;
++ case CCID_MESSAGE_TYPE_PC_to_RDR_IccPowerOff:
++ ccid_reset_error_status(s);
++ s->powered = false;
++ ccid_write_slot_status(s, ccid_header);
++ break;
++ case CCID_MESSAGE_TYPE_PC_to_RDR_XfrBlock:
++ ccid_on_apdu_from_guest(s, (CCID_XferBlock *)s->bulk_out_data);
++ break;
++ case CCID_MESSAGE_TYPE_PC_to_RDR_SetParameters:
++ ccid_reset_error_status(s);
++ ccid_set_parameters(s, ccid_header);
++ ccid_write_parameters(s, ccid_header);
++ break;
++ case CCID_MESSAGE_TYPE_PC_to_RDR_ResetParameters:
++ ccid_reset_error_status(s);
++ ccid_reset_parameters(s);
++ ccid_write_parameters(s, ccid_header);
++ break;
++ case CCID_MESSAGE_TYPE_PC_to_RDR_GetParameters:
++ ccid_reset_error_status(s);
++ ccid_write_parameters(s, ccid_header);
++ break;
++ case CCID_MESSAGE_TYPE_PC_to_RDR_Mechanical:
++ ccid_report_error_failed(s, 0);
++ ccid_write_slot_status(s, ccid_header);
++ break;
++ default:
++ DPRINTF(s, 1,
+ "handle_data: ERROR: unhandled message type %Xh\n",
+ ccid_header->bMessageType);
+- /*
+- * The caller is expecting the device to respond, tell it we
+- * don't support the operation.
+- */
+- ccid_report_error_failed(s, ERROR_CMD_NOT_SUPPORTED);
+- ccid_write_slot_status(s, ccid_header);
+- break;
+- }
++ /*
++ * The caller is expecting the device to respond, tell it we
++ * don't support the operation.
++ */
++ ccid_report_error_failed(s, ERROR_CMD_NOT_SUPPORTED);
++ ccid_write_slot_status(s, ccid_header);
++ break;
+ }
+ s->bulk_out_pos = 0;
++ return;
++
++err:
++ p->status = USB_RET_STALL;
++ s->bulk_out_pos = 0;
++ return;
+ }
+
+ static void ccid_bulk_in_copy_to_guest(USBCCIDState *s, USBPacket *p)
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-usb-ccid-check-ccid-apdu-length.patch b/SOURCES/kvm-usb-ccid-check-ccid-apdu-length.patch
new file mode 100644
index 0000000..7091df9
--- /dev/null
+++ b/SOURCES/kvm-usb-ccid-check-ccid-apdu-length.patch
@@ -0,0 +1,48 @@
+From c69bcffde2abc36576ff8b9d60f721e1261fec32 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Tue, 14 Mar 2017 08:52:53 +0100
+Subject: [PATCH 20/24] usb: ccid: check ccid apdu length
+
+RH-Author: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: <1489481576-26911-2-git-send-email-kraxel@redhat.com>
+Patchwork-id: 74286
+O-Subject: [RHEL-7.4 qemu-kvm PATCH 1/4] usb: ccid: check ccid apdu length
+Bugzilla: 1419818
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+From: Prasad J Pandit <pjp@fedoraproject.org>
+
+CCID device emulator uses Application Protocol Data Units(APDU)
+to exchange command and responses to and from the host.
+The length in these units couldn't be greater than 65536. Add
+check to ensure the same. It'd also avoid potential integer
+overflow in emulated_apdu_from_guest.
+
+Reported-by: Li Qiang <liqiang6-s@360.cn>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-id: 20170202192228.10847-1-ppandit@redhat.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit c7dfbf322595ded4e70b626bf83158a9f3807c6a)
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ hw/usb/dev-smartcard-reader.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/usb/dev-smartcard-reader.c b/hw/usb/dev-smartcard-reader.c
+index 0e666e1..0e0b363 100644
+--- a/hw/usb/dev-smartcard-reader.c
++++ b/hw/usb/dev-smartcard-reader.c
+@@ -965,7 +965,7 @@ static void ccid_on_apdu_from_guest(USBCCIDState *s, CCID_XferBlock *recv)
+ DPRINTF(s, 1, "%s: seq %d, len %d\n", __func__,
+ recv->hdr.bSeq, len);
+ ccid_add_pending_answer(s, (CCID_Header *)recv);
+- if (s->card) {
++ if (s->card && len <= BULK_OUT_DATA_SIZE) {
+ ccid_card_apdu_from_guest(s->card, recv->abData, len);
+ } else {
+ DPRINTF(s, D_WARN, "warning: discarded apdu\n");
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-usb-ccid-move-header-size-check.patch b/SOURCES/kvm-usb-ccid-move-header-size-check.patch
new file mode 100644
index 0000000..ac197eb
--- /dev/null
+++ b/SOURCES/kvm-usb-ccid-move-header-size-check.patch
@@ -0,0 +1,64 @@
+From 6116e5c19a7623b2543fbd937970da9a6e0e1ce7 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Tue, 14 Mar 2017 08:52:55 +0100
+Subject: [PATCH 22/24] usb-ccid: move header size check
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: <1489481576-26911-4-git-send-email-kraxel@redhat.com>
+Patchwork-id: 74285
+O-Subject: [RHEL-7.4 qemu-kvm PATCH 3/4] usb-ccid: move header size check
+Bugzilla: 1419818
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+Move up header size check, so we can use header fields in sanity checks
+(in followup patches). Also reword the debug message.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-id: 1487250819-23764-3-git-send-email-kraxel@redhat.com
+(cherry picked from commit 7569c54642e8aa9fa03e250c7c578bd4d3747f00)
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ hw/usb/dev-smartcard-reader.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/hw/usb/dev-smartcard-reader.c b/hw/usb/dev-smartcard-reader.c
+index 672a7bf..07d15ba 100644
+--- a/hw/usb/dev-smartcard-reader.c
++++ b/hw/usb/dev-smartcard-reader.c
+@@ -1001,21 +1001,20 @@ static void ccid_handle_bulk_out(USBCCIDState *s, USBPacket *p)
+ if (p->iov.size + s->bulk_out_pos > BULK_OUT_DATA_SIZE) {
+ goto err;
+ }
+- ccid_header = (CCID_Header *)s->bulk_out_data;
+ usb_packet_copy(p, s->bulk_out_data + s->bulk_out_pos, p->iov.size);
+ s->bulk_out_pos += p->iov.size;
++ if (s->bulk_out_pos < 10) {
++ DPRINTF(s, 1, "%s: header incomplete\n", __func__);
++ goto err;
++ }
++
++ ccid_header = (CCID_Header *)s->bulk_out_data;
+ if (p->iov.size == CCID_MAX_PACKET_SIZE) {
+ DPRINTF(s, D_VERBOSE,
+ "usb-ccid: bulk_in: expecting more packets (%zd/%d)\n",
+ p->iov.size, ccid_header->dwLength);
+ return;
+ }
+- if (s->bulk_out_pos < 10) {
+- DPRINTF(s, 1,
+- "%s: bad USB_TOKEN_OUT length, should be at least 10 bytes\n",
+- __func__);
+- goto err;
+- }
+
+ DPRINTF(s, D_MORE_INFO, "%s %x %s\n", __func__,
+ ccid_header->bMessageType,
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-vhdx-Fix-zero-fill-iov-length.patch b/SOURCES/kvm-vhdx-Fix-zero-fill-iov-length.patch
new file mode 100644
index 0000000..d0fdca3
--- /dev/null
+++ b/SOURCES/kvm-vhdx-Fix-zero-fill-iov-length.patch
@@ -0,0 +1,57 @@
+From a7cfda7b304697450f0a55c22f4459b25999e9c5 Mon Sep 17 00:00:00 2001
+From: Max Reitz <mreitz@redhat.com>
+Date: Mon, 13 Mar 2017 17:47:05 +0100
+Subject: [PATCH 17/24] vhdx: Fix zero-fill iov length
+
+RH-Author: Max Reitz <mreitz@redhat.com>
+Message-id: <20170313174706.29316-2-mreitz@redhat.com>
+Patchwork-id: 74279
+O-Subject: [RHEL-7.4 qemu-kvm PATCH 8/9] vhdx: Fix zero-fill iov length
+Bugzilla: 1427176
+RH-Acked-by: Fam Zheng <famz@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
+
+From: Kevin Wolf <kwolf@redhat.com>
+
+Fix the length of the zero-fill for the back, which was accidentally
+using the same value as for the front. This is caught by qemu-iotests
+033.
+
+For consistency, change the code for the front as well to use the length
+stored in the iov (it is the same value, copied four lines above).
+
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+Acked-by: Jeff Cody <jcody@redhat.com>
+(cherry picked from commit d1a126c53ddc563b7b731cee013e0362f7a5f22f)
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ block/vhdx.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/block/vhdx.c b/block/vhdx.c
+index 21ad6ad..47a872d 100644
+--- a/block/vhdx.c
++++ b/block/vhdx.c
+@@ -1247,7 +1247,7 @@ static coroutine_fn int vhdx_co_writev(BlockDriverState *bs, int64_t sector_num,
+ iov1.iov_base = qemu_blockalign(bs, iov1.iov_len);
+ memset(iov1.iov_base, 0, iov1.iov_len);
+ qemu_iovec_concat_iov(&hd_qiov, &iov1, 1, 0,
+- sinfo.block_offset);
++ iov1.iov_len);
+ sectors_to_write += iov1.iov_len >> BDRV_SECTOR_BITS;
+ }
+
+@@ -1263,7 +1263,7 @@ static coroutine_fn int vhdx_co_writev(BlockDriverState *bs, int64_t sector_num,
+ iov2.iov_base = qemu_blockalign(bs, iov2.iov_len);
+ memset(iov2.iov_base, 0, iov2.iov_len);
+ qemu_iovec_concat_iov(&hd_qiov, &iov2, 1, 0,
+- sinfo.block_offset);
++ iov2.iov_len);
+ sectors_to_write += iov2.iov_len >> BDRV_SECTOR_BITS;
+ }
+ }
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-virtio-add-virtqueue_rewind.patch b/SOURCES/kvm-virtio-add-virtqueue_rewind.patch
index 1915e93..a5d98d3 100644
--- a/SOURCES/kvm-virtio-add-virtqueue_rewind.patch
+++ b/SOURCES/kvm-virtio-add-virtqueue_rewind.patch
@@ -1,4 +1,4 @@
-From f7d6a76475d29e0edb5456e62492117b87f4bc41 Mon Sep 17 00:00:00 2001
+From 6b2d5dafa9847ce29e5cddeb369b35db5ce076b1 Mon Sep 17 00:00:00 2001
From: Ladi Prosek <lprosek@redhat.com>
Date: Thu, 10 Nov 2016 23:00:50 +0100
Subject: [PATCH 7/8] virtio: add virtqueue_rewind()
@@ -7,7 +7,7 @@ RH-Author: Ladi Prosek <lprosek@redhat.com>
Message-id: <1478797251-10302-1-git-send-email-lprosek@redhat.com>
Patchwork-id: 72818
O-Subject: [PATCH v2 7/6] virtio: add virtqueue_rewind()
-Bugzilla: 1393484
+Bugzilla: 1377968
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
RH-Acked-by: Michael S. Tsirkin <mst@redhat.com>
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
diff --git a/SOURCES/kvm-virtio-balloon-discard-virtqueue-element-on-reset.patch b/SOURCES/kvm-virtio-balloon-discard-virtqueue-element-on-reset.patch
index a076d4e..2c37b1d 100644
--- a/SOURCES/kvm-virtio-balloon-discard-virtqueue-element-on-reset.patch
+++ b/SOURCES/kvm-virtio-balloon-discard-virtqueue-element-on-reset.patch
@@ -1,4 +1,4 @@
-From a1c91f04449eea0e678aeef78914213f092b7a19 Mon Sep 17 00:00:00 2001
+From 2c71eba27413f9b34610cee3f6b16b0678f4d102 Mon Sep 17 00:00:00 2001
From: Ladi Prosek <lprosek@redhat.com>
Date: Wed, 5 Oct 2016 17:22:27 +0200
Subject: [PATCH 5/8] virtio-balloon: discard virtqueue element on reset
@@ -7,7 +7,7 @@ RH-Author: Ladi Prosek <lprosek@redhat.com>
Message-id: <1475666548-9186-6-git-send-email-lprosek@redhat.com>
Patchwork-id: 72484
O-Subject: [RHEL-7.4 qemu-kvm v2 PATCH 5/6] virtio-balloon: discard virtqueue element on reset
-Bugzilla: 1393484
+Bugzilla: 1377968
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
RH-Acked-by: Michael S. Tsirkin <mst@redhat.com>
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
diff --git a/SOURCES/kvm-virtio-balloon-fix-stats-vq-migration.patch b/SOURCES/kvm-virtio-balloon-fix-stats-vq-migration.patch
index bd3b2e7..38c7762 100644
--- a/SOURCES/kvm-virtio-balloon-fix-stats-vq-migration.patch
+++ b/SOURCES/kvm-virtio-balloon-fix-stats-vq-migration.patch
@@ -1,4 +1,4 @@
-From 6d5c0e0e98907244d72e7828337d7ff6160b6b80 Mon Sep 17 00:00:00 2001
+From 92a638cb3b0601746d47b4a443762fe71bb21431 Mon Sep 17 00:00:00 2001
From: Ladi Prosek <lprosek@redhat.com>
Date: Thu, 10 Nov 2016 23:00:51 +0100
Subject: [PATCH 8/8] virtio-balloon: fix stats vq migration
@@ -7,7 +7,7 @@ RH-Author: Ladi Prosek <lprosek@redhat.com>
Message-id: <1478797251-10302-2-git-send-email-lprosek@redhat.com>
Patchwork-id: 72819
O-Subject: [PATCH v2 8/6] virtio-balloon: fix stats vq migration
-Bugzilla: 1393484
+Bugzilla: 1377968
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
RH-Acked-by: Michael S. Tsirkin <mst@redhat.com>
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
diff --git a/SOURCES/kvm-virtio-blk-Release-s-rq-queue-at-system_reset.patch b/SOURCES/kvm-virtio-blk-Release-s-rq-queue-at-system_reset.patch
index a58ed36..f730a9a 100644
--- a/SOURCES/kvm-virtio-blk-Release-s-rq-queue-at-system_reset.patch
+++ b/SOURCES/kvm-virtio-blk-Release-s-rq-queue-at-system_reset.patch
@@ -1,16 +1,16 @@
-From cc9a8ce29ba364abcf019f6fe44b218255b9e4d7 Mon Sep 17 00:00:00 2001
+From 200748826a6069c31f5004dde00614675bac659b Mon Sep 17 00:00:00 2001
From: Fam Zheng <famz@redhat.com>
-Date: Wed, 8 Feb 2017 07:05:34 +0100
-Subject: [PATCH 1/8] virtio-blk: Release s->rq queue at system_reset
+Date: Tue, 7 Feb 2017 09:21:53 +0100
+Subject: [PATCH 02/11] virtio-blk: Release s->rq queue at system_reset
RH-Author: Fam Zheng <famz@redhat.com>
-Message-id: <20170208070534.10571-1-famz@redhat.com>
-Patchwork-id: 73642
-O-Subject: [RHEL-7.3.z qemu-kvm PATCH] virtio-blk: Release s->rq queue at system_reset
-Bugzilla: 1420049
-RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+Message-id: <20170207092153.8331-1-famz@redhat.com>
+Patchwork-id: 73553
+O-Subject: [RHEL-7.4 qemu-kvm PATCH] virtio-blk: Release s->rq queue at system_reset
+Bugzilla: 1361488
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
-RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
At system_reset, there is no point in retrying the queued request,
because the driver that issued the request won't be around any more.
diff --git a/SOURCES/kvm-virtio-decrement-vq-inuse-in-virtqueue_discard.patch b/SOURCES/kvm-virtio-decrement-vq-inuse-in-virtqueue_discard.patch
index 1822127..949fd97 100644
--- a/SOURCES/kvm-virtio-decrement-vq-inuse-in-virtqueue_discard.patch
+++ b/SOURCES/kvm-virtio-decrement-vq-inuse-in-virtqueue_discard.patch
@@ -1,4 +1,4 @@
-From c24e1c927bad95d84e0ffab665baff98d91fb916 Mon Sep 17 00:00:00 2001
+From bf7aa4bb11e9991a3d5a1007dbe52dd0ac6dae99 Mon Sep 17 00:00:00 2001
From: Ladi Prosek <lprosek@redhat.com>
Date: Wed, 5 Oct 2016 17:22:25 +0200
Subject: [PATCH 3/8] virtio: decrement vq->inuse in virtqueue_discard()
@@ -7,7 +7,7 @@ RH-Author: Ladi Prosek <lprosek@redhat.com>
Message-id: <1475666548-9186-4-git-send-email-lprosek@redhat.com>
Patchwork-id: 72482
O-Subject: [RHEL-7.4 qemu-kvm v2 PATCH 3/6] virtio: decrement vq->inuse in virtqueue_discard()
-Bugzilla: 1393484
+Bugzilla: 1377968
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
RH-Acked-by: Michael S. Tsirkin <mst@redhat.com>
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
diff --git a/SOURCES/kvm-virtio-introduce-virtqueue_discard.patch b/SOURCES/kvm-virtio-introduce-virtqueue_discard.patch
index 8f233c6..ee5aedc 100644
--- a/SOURCES/kvm-virtio-introduce-virtqueue_discard.patch
+++ b/SOURCES/kvm-virtio-introduce-virtqueue_discard.patch
@@ -1,4 +1,4 @@
-From b5c6f7a910c5c16ac34ef2436d0a56991e0166e3 Mon Sep 17 00:00:00 2001
+From 06ca4cab12a4216d40c297d8a79c83a4df4dd80e Mon Sep 17 00:00:00 2001
From: Ladi Prosek <lprosek@redhat.com>
Date: Wed, 5 Oct 2016 17:22:24 +0200
Subject: [PATCH 2/8] virtio: introduce virtqueue_discard()
@@ -7,7 +7,7 @@ RH-Author: Ladi Prosek <lprosek@redhat.com>
Message-id: <1475666548-9186-3-git-send-email-lprosek@redhat.com>
Patchwork-id: 72481
O-Subject: [RHEL-7.4 qemu-kvm v2 PATCH 2/6] virtio: introduce virtqueue_discard()
-Bugzilla: 1393484
+Bugzilla: 1377968
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
RH-Acked-by: Michael S. Tsirkin <mst@redhat.com>
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
diff --git a/SOURCES/kvm-virtio-introduce-virtqueue_unmap_sg.patch b/SOURCES/kvm-virtio-introduce-virtqueue_unmap_sg.patch
index 77d40c9..bd3e621 100644
--- a/SOURCES/kvm-virtio-introduce-virtqueue_unmap_sg.patch
+++ b/SOURCES/kvm-virtio-introduce-virtqueue_unmap_sg.patch
@@ -1,4 +1,4 @@
-From fc6f666f00182fe587068bd45e4e9e6d135d03fb Mon Sep 17 00:00:00 2001
+From 9d3ccec3b8323f7cfbce932f8c6530aa4105ba02 Mon Sep 17 00:00:00 2001
From: Ladi Prosek <lprosek@redhat.com>
Date: Wed, 5 Oct 2016 17:22:23 +0200
Subject: [PATCH 1/8] virtio: introduce virtqueue_unmap_sg()
@@ -7,7 +7,7 @@ RH-Author: Ladi Prosek <lprosek@redhat.com>
Message-id: <1475666548-9186-2-git-send-email-lprosek@redhat.com>
Patchwork-id: 72480
O-Subject: [RHEL-7.4 qemu-kvm v2 PATCH 1/6] virtio: introduce virtqueue_unmap_sg()
-Bugzilla: 1393484
+Bugzilla: 1377968
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
RH-Acked-by: Michael S. Tsirkin <mst@redhat.com>
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
diff --git a/SOURCES/kvm-virtio-zero-vq-inuse-in-virtio_reset.patch b/SOURCES/kvm-virtio-zero-vq-inuse-in-virtio_reset.patch
index e231a0a..6c4eb84 100644
--- a/SOURCES/kvm-virtio-zero-vq-inuse-in-virtio_reset.patch
+++ b/SOURCES/kvm-virtio-zero-vq-inuse-in-virtio_reset.patch
@@ -1,4 +1,4 @@
-From e3e5226d8ed3907bb818eb8db74175c08c011459 Mon Sep 17 00:00:00 2001
+From f5f0d9ed92f4ba1ea746529ccc945cf60d4973c8 Mon Sep 17 00:00:00 2001
From: Ladi Prosek <lprosek@redhat.com>
Date: Wed, 5 Oct 2016 17:22:28 +0200
Subject: [PATCH 6/8] virtio: zero vq->inuse in virtio_reset()
@@ -7,7 +7,7 @@ RH-Author: Ladi Prosek <lprosek@redhat.com>
Message-id: <1475666548-9186-7-git-send-email-lprosek@redhat.com>
Patchwork-id: 72485
O-Subject: [RHEL-7.4 qemu-kvm v2 PATCH 6/6] virtio: zero vq->inuse in virtio_reset()
-Bugzilla: 1393484
+Bugzilla: 1377968
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
RH-Acked-by: Michael S. Tsirkin <mst@redhat.com>
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
diff --git a/SOURCES/kvm-vl-Don-t-silently-change-topology-when-all-smp-optio.patch b/SOURCES/kvm-vl-Don-t-silently-change-topology-when-all-smp-optio.patch
new file mode 100644
index 0000000..8d9d72f
--- /dev/null
+++ b/SOURCES/kvm-vl-Don-t-silently-change-topology-when-all-smp-optio.patch
@@ -0,0 +1,57 @@
+From 1f9218a32773bb616f65f581f3a6b22699b2f6be Mon Sep 17 00:00:00 2001
+From: Eduardo Habkost <ehabkost@redhat.com>
+Date: Tue, 27 Dec 2016 20:43:20 +0100
+Subject: [PATCH 2/4] vl: Don't silently change topology when all -smp options
+ were set
+
+RH-Author: Eduardo Habkost <ehabkost@redhat.com>
+Message-id: <1482871400-24971-1-git-send-email-ehabkost@redhat.com>
+Patchwork-id: 73103
+O-Subject: [RHEL-7.4 qemu-kvm PATCH] vl: Don't silently change topology when all -smp options were set
+Bugzilla: 1375507
+RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
+RH-Acked-by: Andrew Jones <drjones@redhat.com>
+RH-Acked-by: David Hildenbrand <david@redhat.com>
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1375507
+
+QEMU tries to change the "threads" option even if it was explicitly set
+in the command-line, and it shouldn't do that.
+
+The right thing to do when all options (cpus, sockets, cores, threds)
+are explicitly set is to sanity check them and abort in case they don't
+make sense (i.e. when sockets*cores*threads < cpus).
+
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+Reviewed-by: Andrew Jones <drjones@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit ec2cbbdd80463efd4bc81a9d1362a2acb3097a21)
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ vl.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/vl.c b/vl.c
+index 9756361..7c34b7c 100644
+--- a/vl.c
++++ b/vl.c
+@@ -1393,8 +1393,14 @@ static void smp_parse(const char *optarg)
+ if (cores == 0) {
+ threads = threads > 0 ? threads : 1;
+ cores = smp / (sockets * threads);
+- } else {
++ } else if (threads == 0) {
+ threads = smp / (cores * sockets);
++ } else if (sockets * cores * threads < smp) {
++ fprintf(stderr, "cpu topology: error: "
++ "sockets (%u) * cores (%u) * threads (%u) < "
++ "smp_cpus (%u)\n",
++ sockets, cores, threads, smp);
++ exit(1);
+ }
+ }
+ smp_cpus = smp;
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-vnc-fix-memory-corruption-CVE-2015-5225.patch b/SOURCES/kvm-vnc-fix-memory-corruption-CVE-2015-5225.patch
new file mode 100644
index 0000000..0808fa3
--- /dev/null
+++ b/SOURCES/kvm-vnc-fix-memory-corruption-CVE-2015-5225.patch
@@ -0,0 +1,93 @@
+From e543257370cce5153bbcf0085a116e6aa4a6d91b Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Wed, 22 Feb 2017 12:36:25 +0100
+Subject: [PATCH 07/24] vnc: fix memory corruption (CVE-2015-5225)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: <1487766986-6329-8-git-send-email-kraxel@redhat.com>
+Patchwork-id: 73978
+O-Subject: [RHEL-7.4 qemu-kvm PATCH 7/8] vnc: fix memory corruption (CVE-2015-5225)
+Bugzilla: 1377977
+RH-Acked-by: Thomas Huth <thuth@redhat.com>
+RH-Acked-by: Marc-André Lureau <mlureau@redhat.com>
+RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+
+The _cmp_bytes variable added by commit "bea60dd ui/vnc: fix potential
+memory corruption issues" can become negative. Result is (possibly
+exploitable) memory corruption. Reason for that is it uses the stride
+instead of bytes per scanline to apply limits.
+
+For the server surface is is actually fine. vnc creates that itself,
+there is never any padding and thus scanline length always equals stride.
+
+For the guest surface scanline length and stride are typically identical
+too, but it doesn't has to be that way. So add and use a new variable
+(guest_ll) for the guest scanline length. Also rename min_stride to
+line_bytes to make more clear what it actually is. Finally sprinkle
+in an assert() to make sure we never use a negative _cmp_bytes again.
+
+Reported-by: 范祚至(库特) <zuozhi.fzz@alibaba-inc.com>
+Reviewed-by: P J P <ppandit@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit eb8934b0418b3b1d125edddc4fc334a54334a49b)
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ ui/vnc.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/ui/vnc.c b/ui/vnc.c
+index 80b7792..d0ada7e 100644
+--- a/ui/vnc.c
++++ b/ui/vnc.c
+@@ -2676,7 +2676,7 @@ static int vnc_refresh_server_surface(VncDisplay *vd)
+ pixman_image_get_width(vd->server));
+ int height = MIN(pixman_image_get_height(vd->guest.fb),
+ pixman_image_get_height(vd->server));
+- int cmp_bytes, server_stride, min_stride, guest_stride, y = 0;
++ int cmp_bytes, server_stride, line_bytes, guest_ll, guest_stride, y = 0;
+ uint8_t *guest_row0 = NULL, *server_row0;
+ VncState *vs;
+ int has_dirty = 0;
+@@ -2695,17 +2695,21 @@ static int vnc_refresh_server_surface(VncDisplay *vd)
+ * Update server dirty map.
+ */
+ server_row0 = (uint8_t *)pixman_image_get_data(vd->server);
+- server_stride = guest_stride = pixman_image_get_stride(vd->server);
++ server_stride = guest_stride = guest_ll =
++ pixman_image_get_stride(vd->server);
+ cmp_bytes = MIN(VNC_DIRTY_PIXELS_PER_BIT * VNC_SERVER_FB_BYTES,
+ server_stride);
+ if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
+ int width = pixman_image_get_width(vd->server);
+ tmpbuf = qemu_pixman_linebuf_create(VNC_SERVER_FB_FORMAT, width);
+ } else {
++ int guest_bpp =
++ PIXMAN_FORMAT_BPP(pixman_image_get_format(vd->guest.fb));
+ guest_row0 = (uint8_t *)pixman_image_get_data(vd->guest.fb);
+ guest_stride = pixman_image_get_stride(vd->guest.fb);
++ guest_ll = pixman_image_get_width(vd->guest.fb) * ((guest_bpp + 7) / 8);
+ }
+- min_stride = MIN(server_stride, guest_stride);
++ line_bytes = MIN(server_stride, guest_ll);
+
+ for (;;) {
+ int x;
+@@ -2736,9 +2740,10 @@ static int vnc_refresh_server_surface(VncDisplay *vd)
+ if (!test_and_clear_bit(x, vd->guest.dirty[y])) {
+ continue;
+ }
+- if ((x + 1) * cmp_bytes > min_stride) {
+- _cmp_bytes = min_stride - x * cmp_bytes;
++ if ((x + 1) * cmp_bytes > line_bytes) {
++ _cmp_bytes = line_bytes - x * cmp_bytes;
+ }
++ assert(_cmp_bytes >= 0);
+ if (memcmp(server_ptr, guest_ptr, _cmp_bytes) == 0) {
+ continue;
+ }
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-vnc-fix-overflow-in-vnc_update_stats.patch b/SOURCES/kvm-vnc-fix-overflow-in-vnc_update_stats.patch
new file mode 100644
index 0000000..db0c181
--- /dev/null
+++ b/SOURCES/kvm-vnc-fix-overflow-in-vnc_update_stats.patch
@@ -0,0 +1,56 @@
+From 8c2d53ffb72c574d0c81e2c86115a18598e66c65 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Wed, 22 Feb 2017 12:36:26 +0100
+Subject: [PATCH 08/24] vnc: fix overflow in vnc_update_stats
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: <1487766986-6329-9-git-send-email-kraxel@redhat.com>
+Patchwork-id: 73975
+O-Subject: [RHEL-7.4 qemu-kvm PATCH 8/8] vnc: fix overflow in vnc_update_stats
+Bugzilla: 1377977
+RH-Acked-by: Thomas Huth <thuth@redhat.com>
+RH-Acked-by: Marc-André Lureau <mlureau@redhat.com>
+RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+
+Commit "bea60dd ui/vnc: fix potential memory corruption issues" is
+incomplete. vnc_update_stats must calculate width and height the same
+way vnc_refresh_server_surface does it, to make sure we don't use width
+and height values larger than the qemu vnc server can handle.
+
+Commit "e22492d ui/vnc: disable adaptive update calculations if not
+needed" masks the issue in the default configuration. It triggers only
+in case the "lossy" option is set to "on" (default is "off").
+
+Cc: Marc-André Lureau <marcandre.lureau@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-id: 1485248428-575-1-git-send-email-kraxel@redhat.com
+(cherry picked from commit eebe0b7905642a986cbce7406d6ab7bf78f3e210)
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ ui/vnc.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/ui/vnc.c b/ui/vnc.c
+index d0ada7e..b68918e 100644
+--- a/ui/vnc.c
++++ b/ui/vnc.c
+@@ -2581,8 +2581,10 @@ static int vnc_refresh_lossy_rect(VncDisplay *vd, int x, int y)
+
+ static int vnc_update_stats(VncDisplay *vd, struct timeval * tv)
+ {
+- int width = pixman_image_get_width(vd->guest.fb);
+- int height = pixman_image_get_height(vd->guest.fb);
++ int width = MIN(pixman_image_get_width(vd->guest.fb),
++ pixman_image_get_width(vd->server));
++ int height = MIN(pixman_image_get_height(vd->guest.fb),
++ pixman_image_get_height(vd->server));
+ int x, y;
+ struct timeval res;
+ int has_dirty = 0;
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-x86-add-AVX512_4VNNIW-and-AVX512_4FMAPS-features.patch b/SOURCES/kvm-x86-add-AVX512_4VNNIW-and-AVX512_4FMAPS-features.patch
new file mode 100644
index 0000000..1035dbe
--- /dev/null
+++ b/SOURCES/kvm-x86-add-AVX512_4VNNIW-and-AVX512_4FMAPS-features.patch
@@ -0,0 +1,174 @@
+From 7b43b5139f8e919203d3ed20fbba6cb143fde6d7 Mon Sep 17 00:00:00 2001
+From: Eduardo Habkost <ehabkost@redhat.com>
+Date: Thu, 23 Feb 2017 14:29:32 +0100
+Subject: [PATCH 02/17] x86: add AVX512_4VNNIW and AVX512_4FMAPS features
+
+RH-Author: Eduardo Habkost <ehabkost@redhat.com>
+Message-id: <20170223142945.17790-2-ehabkost@redhat.com>
+Patchwork-id: 74033
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v2 01/14] x86: add AVX512_4VNNIW and AVX512_4FMAPS features
+Bugzilla: 1382122
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+From: Luwei Kang <luwei.kang@intel.com>
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1382122
+
+The spec can be found in Intel Software Developer Manual or in
+Instruction Set Extensions Programming Reference.
+
+Backport notes:
+
+Changes v1 -> v2:
+* Fixed build error, moved feat_names to a separate static array
+ variable
+* Fixed backport mistakes (I had forgotten to add
+ features[FEAT_7_0_EDX] initialization and filtering code)
+
+Signed-off-by: Piotr Luc <piotr.luc@intel.com>
+Signed-off-by: Luwei Kang <luwei.kang@intel.com>
+Message-Id: <1477902446-5932-1-git-send-email-he.chen@linux.intel.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 95ea69fb46266aaa46d0c8b7f0ba8c4903dbe4e3)
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ target-i386/cpu.c | 31 ++++++++++++++++++++++++++++++-
+ target-i386/cpu.h | 4 ++++
+ 2 files changed, 34 insertions(+), 1 deletion(-)
+
+diff --git a/target-i386/cpu.c b/target-i386/cpu.c
+index c3c8306..789e687 100644
+--- a/target-i386/cpu.c
++++ b/target-i386/cpu.c
+@@ -165,6 +165,17 @@ static const char *cpuid_7_0_ecx_feature_name[] = {
+ NULL, NULL, NULL, NULL,
+ };
+
++static const char *cpuid_7_0_edx_feature_name[] = {
++ NULL, NULL, "avx512-4vnniw", "avx512-4fmaps",
++ NULL, NULL, NULL, NULL,
++ NULL, NULL, NULL, NULL,
++ NULL, NULL, NULL, NULL,
++ NULL, NULL, NULL, NULL,
++ NULL, NULL, NULL, NULL,
++ NULL, NULL, NULL, NULL,
++ NULL, NULL, NULL, NULL,
++};
++
+ static const char *cpuid_xsave_feature_name[] = {
+ "xsaveopt", "xsavec", "xgetbv1", NULL,
+ NULL, NULL, NULL, NULL,
+@@ -225,6 +236,12 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
+ .cpuid_needs_ecx = true, .cpuid_ecx = 0,
+ .cpuid_reg = R_ECX,
+ },
++ [FEAT_7_0_EDX] = {
++ .feat_names = cpuid_7_0_edx_feature_name,
++ .cpuid_eax = 7,
++ .cpuid_needs_ecx = true, .cpuid_ecx = 0,
++ .cpuid_reg = R_EDX,
++ },
+ [FEAT_XSAVE] = {
+ .feat_names = cpuid_xsave_feature_name,
+ .cpuid_eax = 0xd,
+@@ -484,6 +501,7 @@ typedef struct x86_def_t {
+ CPUID_7_0_EBX_ERMS, CPUID_7_0_EBX_INVPCID, CPUID_7_0_EBX_RTM,
+ CPUID_7_0_EBX_RDSEED */
+ #define TCG_7_0_ECX_FEATURES 0
++#define TCG_7_0_EDX_FEATURES 0
+
+ /* built-in CPU model definitions
+ */
+@@ -1254,9 +1272,12 @@ static void kvm_cpu_fill_host(x86_def_t *x86_cpu_def)
+ kvm_arch_get_supported_cpuid(s, 0x7, 0, R_EBX);
+ x86_cpu_def->features[FEAT_7_0_ECX] =
+ kvm_arch_get_supported_cpuid(s, 0x7, 0, R_ECX);
++ x86_cpu_def->features[FEAT_7_0_EDX] =
++ kvm_arch_get_supported_cpuid(s, 0x7, 0, R_EDX);
+ } else {
+ x86_cpu_def->features[FEAT_7_0_EBX] = 0;
+ x86_cpu_def->features[FEAT_7_0_ECX] = 0;
++ x86_cpu_def->features[FEAT_7_0_EDX] = 0;
+ }
+ x86_cpu_def->features[FEAT_XSAVE] =
+ kvm_arch_get_supported_cpuid(s, 0xd, 1, R_EAX);
+@@ -1343,6 +1364,9 @@ static int kvm_check_features_against_host(X86CPU *cpu)
+ {&env->features[FEAT_7_0_ECX],
+ &host_def.features[FEAT_7_0_ECX],
+ FEAT_7_0_ECX },
++ {&env->features[FEAT_7_0_EDX],
++ &host_def.features[FEAT_7_0_EDX],
++ FEAT_7_0_EDX },
+ {&env->features[FEAT_XSAVE],
+ &host_def.features[FEAT_XSAVE],
+ FEAT_XSAVE },
+@@ -1885,6 +1909,7 @@ static void cpu_x86_parse_featurestr(X86CPU *cpu, char *features, Error **errp)
+ env->features[FEAT_SVM] |= plus_features[FEAT_SVM];
+ env->features[FEAT_7_0_EBX] |= plus_features[FEAT_7_0_EBX];
+ env->features[FEAT_7_0_ECX] |= plus_features[FEAT_7_0_ECX];
++ env->features[FEAT_7_0_EDX] |= plus_features[FEAT_7_0_EDX];
+ env->features[FEAT_XSAVE] |= plus_features[FEAT_XSAVE];
+ env->features[FEAT_1_EDX] &= ~minus_features[FEAT_1_EDX];
+ env->features[FEAT_1_ECX] &= ~minus_features[FEAT_1_ECX];
+@@ -1895,6 +1920,7 @@ static void cpu_x86_parse_featurestr(X86CPU *cpu, char *features, Error **errp)
+ env->features[FEAT_SVM] &= ~minus_features[FEAT_SVM];
+ env->features[FEAT_7_0_EBX] &= ~minus_features[FEAT_7_0_EBX];
+ env->features[FEAT_7_0_ECX] &= ~minus_features[FEAT_7_0_ECX];
++ env->features[FEAT_7_0_EDX] &= ~minus_features[FEAT_7_0_EDX];
+ env->features[FEAT_XSAVE] &= ~minus_features[FEAT_XSAVE];
+
+ out:
+@@ -2032,6 +2058,7 @@ static void cpu_x86_register(X86CPU *cpu, const char *name, Error **errp)
+ env->features[FEAT_C000_0001_EDX] = def->features[FEAT_C000_0001_EDX];
+ env->features[FEAT_7_0_EBX] = def->features[FEAT_7_0_EBX];
+ env->features[FEAT_7_0_ECX] = def->features[FEAT_7_0_ECX];
++ env->features[FEAT_7_0_EDX] = def->features[FEAT_7_0_EDX];
+ env->features[FEAT_XSAVE] = def->features[FEAT_XSAVE];
+ env->cpuid_xlevel2 = def->xlevel2;
+
+@@ -2270,7 +2297,7 @@ void cpu_x86_cpuid(CPUX86State *env, uint32_t index, uint32_t count,
+ *eax = 0; /* Maximum ECX value for sub-leaves */
+ *ebx = env->features[FEAT_7_0_EBX]; /* Feature flags */
+ *ecx = env->features[FEAT_7_0_ECX]; /* Feature flags */
+- *edx = 0; /* Reserved */
++ *edx = env->features[FEAT_7_0_EDX]; /* Feature flags */
+ } else {
+ *eax = 0;
+ *ebx = 0;
+@@ -2680,6 +2707,8 @@ static void x86_cpu_realizefn(DeviceState *dev, Error **errp)
+ env->features[FEAT_8000_0001_ECX] &= TCG_EXT3_FEATURES;
+ env->features[FEAT_SVM] &= TCG_SVM_FEATURES;
+ env->features[FEAT_XSAVE] = 0;
++ env->features[FEAT_7_0_ECX] &= TCG_7_0_ECX_FEATURES;
++ env->features[FEAT_7_0_EDX] &= TCG_7_0_EDX_FEATURES;
+ } else {
+ if ((cpu->check_cpuid || cpu->enforce_cpuid)
+ && kvm_check_features_against_host(cpu) && cpu->enforce_cpuid) {
+diff --git a/target-i386/cpu.h b/target-i386/cpu.h
+index d541809..eec5c49 100644
+--- a/target-i386/cpu.h
++++ b/target-i386/cpu.h
+@@ -401,6 +401,7 @@ typedef enum FeatureWord {
+ FEAT_1_ECX, /* CPUID[1].ECX */
+ FEAT_7_0_EBX, /* CPUID[EAX=7,ECX=0].EBX */
+ FEAT_7_0_ECX, /* CPUID[EAX=7,ECX=0].ECX */
++ FEAT_7_0_EDX, /* CPUID[EAX=7,ECX=0].EDX */
+ FEAT_8000_0001_EDX, /* CPUID[8000_0001].EDX */
+ FEAT_8000_0001_ECX, /* CPUID[8000_0001].ECX */
+ FEAT_C000_0001_EDX, /* CPUID[C000_0001].EDX */
+@@ -580,6 +581,9 @@ typedef uint32_t FeatureWordArray[FEATURE_WORDS];
+ #define CPUID_7_0_ECX_OSPKE (1U << 4)
+ #define CPUID_7_0_ECX_RDPID (1U << 22)
+
++#define CPUID_7_0_EDX_AVX512_4VNNIW (1U << 2) /* AVX512 Neural Network Instructions */
++#define CPUID_7_0_EDX_AVX512_4FMAPS (1U << 3) /* AVX512 Multiply Accumulation Single Precision */
++
+ #define CPUID_XSAVE_XSAVEOPT (1U << 0)
+ #define CPUID_XSAVE_XSAVEC (1U << 1)
+ #define CPUID_XSAVE_XGETBV1 (1U << 2)
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-x86-add-AVX512_VPOPCNTDQ-features.patch b/SOURCES/kvm-x86-add-AVX512_VPOPCNTDQ-features.patch
new file mode 100644
index 0000000..a0e2e5f
--- /dev/null
+++ b/SOURCES/kvm-x86-add-AVX512_VPOPCNTDQ-features.patch
@@ -0,0 +1,63 @@
+From 3a10799602b257d8d890965a1c3144476d8aa48d Mon Sep 17 00:00:00 2001
+From: "plai@redhat.com" <plai@redhat.com>
+Date: Mon, 13 Mar 2017 20:15:12 +0100
+Subject: [PATCH 19/24] x86: add AVX512_VPOPCNTDQ features
+
+RH-Author: plai@redhat.com
+Message-id: <1489436112-5802-2-git-send-email-plai@redhat.com>
+Patchwork-id: 74283
+O-Subject: [RHEL7.4 qemu-kvm BZ1415830 v2 RESEND] x86: add AVX512_VPOPCNTDQ features
+Bugzilla: 1415830
+RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>
+RH-Acked-by: David Hildenbrand <david@redhat.com>
+RH-Acked-by: Bandan Das <bsd@redhat.com>
+
+From: He Chen <he.chen@linux.intel.com>
+
+AVX512_VPOPCNTDQ: Vector POPCNT instructions for word and qwords.
+variable precision.
+
+Signed-off-by: He Chen <he.chen@linux.intel.com>
+Message-Id: <1484272411-28073-1-git-send-email-he.chen@linux.intel.com>
+Reviewed-by: Eduardo Habkost <ehabkost@redhat.com>
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+(cherry picked from commit f77543772dcd38fa438470d9b80bafbd3a3ebbd7)
+Signed-off-by: Paul Lai <plai@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+Conflicts:
+ target/i386/cpu.c -> changes applied to target-i386/cpu.c
+ target/i386/cpu.h -> changes applied to target-i386/cpu.h
+---
+ target-i386/cpu.c | 2 +-
+ target-i386/cpu.h | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/target-i386/cpu.c b/target-i386/cpu.c
+index 38056eb..33f0997 100644
+--- a/target-i386/cpu.c
++++ b/target-i386/cpu.c
+@@ -158,7 +158,7 @@ static const char *cpuid_7_0_ecx_feature_name[] = {
+ NULL, "avx512vbmi", NULL, NULL,
+ NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL,
+- NULL, NULL, NULL, NULL,
++ NULL, NULL, "avx512-vpopcntdq", NULL,
+ NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL,
+diff --git a/target-i386/cpu.h b/target-i386/cpu.h
+index eec5c49..f04deb4 100644
+--- a/target-i386/cpu.h
++++ b/target-i386/cpu.h
+@@ -579,6 +579,7 @@ typedef uint32_t FeatureWordArray[FEATURE_WORDS];
+ #define CPUID_7_0_ECX_UMIP (1U << 2)
+ #define CPUID_7_0_ECX_PKU (1U << 3)
+ #define CPUID_7_0_ECX_OSPKE (1U << 4)
++#define CPUID_7_0_ECX_AVX512_VPOPCNTDQ (1U << 14) /* POPCNT for vectors of DW/QW */
+ #define CPUID_7_0_ECX_RDPID (1U << 22)
+
+ #define CPUID_7_0_EDX_AVX512_4VNNIW (1U << 2) /* AVX512 Neural Network Instructions */
+--
+1.8.3.1
+
diff --git a/SPECS/qemu-kvm.spec b/SPECS/qemu-kvm.spec
index 69085fe..fc54cb1 100644
--- a/SPECS/qemu-kvm.spec
+++ b/SPECS/qemu-kvm.spec
@@ -73,19 +73,16 @@ Provides: %1%{extra_provides_suffix} = %{epoch}:%{version}-%{release} \
Obsoletes: %1 < %{obsoletes_version} \
%endif
-Summary: QEMU is a FAST! processor emulator
+Summary: QEMU is a machine emulator and virtualizer
Name: %{pkgname}%{?pkgsuffix}
Version: 1.5.3
-Release: 126%{?dist}.10
+Release: 141%{?dist}
# Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
Epoch: 10
License: GPLv2+ and LGPLv2+ and BSD
Group: Development/Tools
URL: http://www.qemu.org/
-# RHEV will build Qemu only on x86_64:
-%if %{rhev}
-ExclusiveArch: %{power64} x86_64
-%endif
+ExclusiveArch: x86_64 %{power64} aarch64 s390x
Requires: seabios-bin >= 1.7.2.2-5
Requires: sgabios-bin
Requires: seavgabios-bin
@@ -130,6 +127,7 @@ Source17: rhel6-ne2k_pci.rom
Source18: bios-256k.bin
Source19: README.rhel6-gpxe-source
Source20: rhel6-e1000.rom
+Source21: sample_images.tar
# libcacard build fixes (heading upstream)
Patch1: 0000-libcacard-fix-missing-symbols-in-libcacard.so.patch
@@ -3388,114 +3386,219 @@ Patch1664: kvm-target-i386-Add-more-Intel-AVX-512-instructions-supp.patch
Patch1665: kvm-nbd-server-Set-O_NONBLOCK-on-client-fd.patch
# For bz#1376542 - RHSA-2016-1756 breaks migration of instances
Patch1666: kvm-virtio-recalculate-vq-inuse-after-migration.patch
-# For bz#1393042 - system_reset should clear pending request for error (IDE)
-Patch1667: kvm-ide-fix-halted-IO-segfault-at-reset.patch
-# For bz#1392027 - shutdown rhel 5.11 guest failed and stop at "system halted"
-Patch1668: kvm-hw-i386-regenerate-checked-in-AML-payload-RHEL-only.patch
-# For bz#1393484 - [RHEL7.3] KVM guest shuts itself down after 128th reboot
-Patch1669: kvm-virtio-introduce-virtqueue_unmap_sg.patch
-# For bz#1393484 - [RHEL7.3] KVM guest shuts itself down after 128th reboot
-Patch1670: kvm-virtio-introduce-virtqueue_discard.patch
-# For bz#1393484 - [RHEL7.3] KVM guest shuts itself down after 128th reboot
-Patch1671: kvm-virtio-decrement-vq-inuse-in-virtqueue_discard.patch
-# For bz#1393484 - [RHEL7.3] KVM guest shuts itself down after 128th reboot
-Patch1672: kvm-balloon-fix-segfault-and-harden-the-stats-queue.patch
-# For bz#1393484 - [RHEL7.3] KVM guest shuts itself down after 128th reboot
-Patch1673: kvm-virtio-balloon-discard-virtqueue-element-on-reset.patch
-# For bz#1393484 - [RHEL7.3] KVM guest shuts itself down after 128th reboot
-Patch1674: kvm-virtio-zero-vq-inuse-in-virtio_reset.patch
-# For bz#1393484 - [RHEL7.3] KVM guest shuts itself down after 128th reboot
-Patch1675: kvm-virtio-add-virtqueue_rewind.patch
-# For bz#1393484 - [RHEL7.3] KVM guest shuts itself down after 128th reboot
-Patch1676: kvm-virtio-balloon-fix-stats-vq-migration.patch
-# For bz#1398217 - CVE-2016-2857 qemu-kvm: Qemu: net: out of bounds read in net_checksum_calculate() [rhel-7.3.z]
+# For bz#1377087 - shutdown rhel 5.11 guest failed and stop at "system halted"
+Patch1667: kvm-hw-i386-regenerate-checked-in-AML-payload-RHEL-only.patch
+# For bz#1377968 - [RHEL7.3] KVM guest shuts itself down after 128th reboot
+Patch1668: kvm-virtio-introduce-virtqueue_unmap_sg.patch
+# For bz#1377968 - [RHEL7.3] KVM guest shuts itself down after 128th reboot
+Patch1669: kvm-virtio-introduce-virtqueue_discard.patch
+# For bz#1377968 - [RHEL7.3] KVM guest shuts itself down after 128th reboot
+Patch1670: kvm-virtio-decrement-vq-inuse-in-virtqueue_discard.patch
+# For bz#1377968 - [RHEL7.3] KVM guest shuts itself down after 128th reboot
+Patch1671: kvm-balloon-fix-segfault-and-harden-the-stats-queue.patch
+# For bz#1377968 - [RHEL7.3] KVM guest shuts itself down after 128th reboot
+Patch1672: kvm-virtio-balloon-discard-virtqueue-element-on-reset.patch
+# For bz#1377968 - [RHEL7.3] KVM guest shuts itself down after 128th reboot
+Patch1673: kvm-virtio-zero-vq-inuse-in-virtio_reset.patch
+# For bz#1377968 - [RHEL7.3] KVM guest shuts itself down after 128th reboot
+Patch1674: kvm-virtio-add-virtqueue_rewind.patch
+# For bz#1377968 - [RHEL7.3] KVM guest shuts itself down after 128th reboot
+Patch1675: kvm-virtio-balloon-fix-stats-vq-migration.patch
+# For bz#1375507 - "threads" option is overwritten if both "sockets" and "cores" is set on -smp
+Patch1676: kvm-vl-Don-t-silently-change-topology-when-all-smp-optio.patch
+# For bz#1398218 - CVE-2016-2857 qemu-kvm: Qemu: net: out of bounds read in net_checksum_calculate() [rhel-7.4]
Patch1677: kvm-net-check-packet-payload-length.patch
-# For bz#1420049 - system_reset should clear pending request for error (virtio-blk)
-Patch1678: kvm-virtio-blk-Release-s-rq-queue-at-system_reset.patch
-# For bz#1418232 - CVE-2017-2615 qemu-kvm: Qemu: display: cirrus: oob access while doing bitblt copy backward mode [rhel-7.3.z]
-Patch1679: kvm-cirrus_vga-fix-off-by-one-in-blit_region_is_unsafe.patch
-# For bz#1418232 - CVE-2017-2615 qemu-kvm: Qemu: display: cirrus: oob access while doing bitblt copy backward mode [rhel-7.3.z]
-Patch1680: kvm-display-cirrus-check-vga-bits-per-pixel-bpp-value.patch
-# For bz#1418232 - CVE-2017-2615 qemu-kvm: Qemu: display: cirrus: oob access while doing bitblt copy backward mode [rhel-7.3.z]
-Patch1681: kvm-display-cirrus-ignore-source-pitch-value-as-needed-i.patch
-# For bz#1418232 - CVE-2017-2615 qemu-kvm: Qemu: display: cirrus: oob access while doing bitblt copy backward mode [rhel-7.3.z]
-Patch1682: kvm-cirrus-handle-negative-pitch-in-cirrus_invalidate_re.patch
-# For bz#1418232 - CVE-2017-2615 qemu-kvm: Qemu: display: cirrus: oob access while doing bitblt copy backward mode [rhel-7.3.z]
-Patch1683: kvm-cirrus-allow-zero-source-pitch-in-pattern-fill-rops.patch
-# For bz#1418232 - CVE-2017-2615 qemu-kvm: Qemu: display: cirrus: oob access while doing bitblt copy backward mode [rhel-7.3.z]
-Patch1684: kvm-cirrus-fix-blit-address-mask-handling.patch
-# For bz#1418232 - CVE-2017-2615 qemu-kvm: Qemu: display: cirrus: oob access while doing bitblt copy backward mode [rhel-7.3.z]
-Patch1685: kvm-cirrus-fix-oob-access-issue-CVE-2017-2615.patch
-# For bz#1420490 - EMBARGOED CVE-2017-2620 qemu-kvm: Qemu: display: cirrus: potential arbitrary code execution via cirrus_bitblt_cputovideo [rhel-7.3.z]
-Patch1686: kvm-cirrus-fix-patterncopy-checks.patch
-# For bz#1420490 - EMBARGOED CVE-2017-2620 qemu-kvm: Qemu: display: cirrus: potential arbitrary code execution via cirrus_bitblt_cputovideo [rhel-7.3.z]
-Patch1687: kvm-Revert-cirrus-allow-zero-source-pitch-in-pattern-fil.patch
-# For bz#1420490 - EMBARGOED CVE-2017-2620 qemu-kvm: Qemu: display: cirrus: potential arbitrary code execution via cirrus_bitblt_cputovideo [rhel-7.3.z]
-Patch1688: kvm-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch
-# For bz#1430059 - CVE-2016-9603 qemu-kvm: Qemu: cirrus: heap buffer overflow via vnc connection [rhel-7.3.z]
-Patch1689: kvm-fix-cirrus_vga-fix-OOB-read-case-qemu-Segmentation-f.patch
-# For bz#1430059 - CVE-2016-9603 qemu-kvm: Qemu: cirrus: heap buffer overflow via vnc connection [rhel-7.3.z]
-Patch1690: kvm-cirrus-vnc-zap-bitblit-support-from-console-code.patch
-# For bz#1430059 - CVE-2016-9603 qemu-kvm: Qemu: cirrus: heap buffer overflow via vnc connection [rhel-7.3.z]
-Patch1691: kvm-cirrus-add-option-to-disable-blitter.patch
-# For bz#1430059 - CVE-2016-9603 qemu-kvm: Qemu: cirrus: heap buffer overflow via vnc connection [rhel-7.3.z]
-Patch1692: kvm-cirrus-fix-cirrus_invalidate_region.patch
-# For bz#1430059 - CVE-2016-9603 qemu-kvm: Qemu: cirrus: heap buffer overflow via vnc connection [rhel-7.3.z]
-Patch1693: kvm-cirrus-stop-passing-around-dst-pointers-in-the-blitt.patch
-# For bz#1430059 - CVE-2016-9603 qemu-kvm: Qemu: cirrus: heap buffer overflow via vnc connection [rhel-7.3.z]
-Patch1694: kvm-cirrus-stop-passing-around-src-pointers-in-the-blitt.patch
-# For bz#1430059 - CVE-2016-9603 qemu-kvm: Qemu: cirrus: heap buffer overflow via vnc connection [rhel-7.3.z]
-Patch1695: kvm-cirrus-fix-off-by-one-in-cirrus_bitblt_rop_bkwd_tran.patch
-# For bz#1452332 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
-Patch1696: kvm-char-serial-cosmetic-fixes.patch
-# For bz#1452332 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
-Patch1697: kvm-char-serial-Use-generic-Fifo8.patch
-# For bz#1452332 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
-Patch1698: kvm-char-serial-serial_ioport_write-Factor-out-common-co.patch
-# For bz#1452332 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
-Patch1699: kvm-char-serial-fix-copy-paste-error-fifo8_is_full-vs-em.patch
-# For bz#1452332 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
-Patch1700: kvm-char-serial-Fix-emptyness-check.patch
-# For bz#1452332 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
-Patch1701: kvm-char-serial-Fix-emptyness-handling.patch
-# For bz#1452332 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
-Patch1702: kvm-serial-poll-the-serial-console-with-G_IO_HUP.patch
-# For bz#1452332 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
-Patch1703: kvm-serial-change-retry-logic-to-avoid-concurrency.patch
-# For bz#1452332 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
-Patch1704: kvm-qemu-char-ignore-flow-control-if-a-PTY-s-slave-is-no.patch
-# For bz#1452332 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
-Patch1705: kvm-serial-check-if-backed-by-a-physical-serial-port-at-.patch
-# For bz#1452332 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
-Patch1706: kvm-serial-reset-thri_pending-on-IER-writes-with-THRI-0.patch
-# For bz#1452332 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
-Patch1707: kvm-serial-clean-up-THRE-TEMT-handling.patch
-# For bz#1452332 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
-Patch1708: kvm-serial-update-LSR-on-enabling-disabling-FIFOs.patch
-# For bz#1452332 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
-Patch1709: kvm-serial-only-resample-THR-interrupt-on-rising-edge-of.patch
-# For bz#1452332 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
-Patch1710: kvm-serial-make-tsr_retry-unsigned.patch
-# For bz#1452332 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
-Patch1711: kvm-serial-simplify-tsr_retry-reset.patch
-# For bz#1452332 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
-Patch1712: kvm-serial-separate-serial_xmit-and-serial_watch_cb.patch
-# For bz#1452332 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
-Patch1713: kvm-serial-remove-watch-on-reset.patch
-# For bz#1452332 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
-Patch1714: kvm-char-change-qemu_chr_fe_add_watch-to-return-unsigned.patch
-# For bz#1452332 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
-Patch1715: kvm-spice-fix-spice_chr_add_watch-pre-condition.patch
-# For bz#1460179 - CVE-2017-9524 qemu-kvm: Qemu: nbd: segmentation fault due to client non-negotiation [rhel-7.3.z]
-Patch1716: kvm-nbd-Fully-initialize-client-in-case-of-failed-negoti.patch
-# For bz#1460179 - CVE-2017-9524 qemu-kvm: Qemu: nbd: segmentation fault due to client non-negotiation [rhel-7.3.z]
-Patch1717: kvm-nbd-Fix-regression-on-resiliency-to-port-scan.patch
+# For bz#1342489 - Flickering Fedora 24 Login Screen on RHEL 7
+Patch1678: kvm-qxl-Only-emit-QXL_INTERRUPT_CLIENT_MONITORS_CONFIG-o.patch
+# For bz#1151859 - [RFE] Allow the libgfapi logging level to be controlled.
+Patch1679: kvm-gluster-correctly-propagate-errors.patch
+# For bz#1151859 - [RFE] Allow the libgfapi logging level to be controlled.
+Patch1680: kvm-gluster-Correctly-propagate-errors-when-volume-isn-t.patch
+# For bz#1151859 - [RFE] Allow the libgfapi logging level to be controlled.
+Patch1681: kvm-block-gluster-add-support-for-selecting-debug-loggin.patch
+# For bz#1342768 - [Intel 7.4 Bug] qemu-kvm crashes with Linux kernel 4.6.0 or above
+Patch1682: kvm-memory-Allow-access-only-upto-the-maximum-alignment-.patch
+# For bz#1361488 - system_reset should clear pending request for error (virtio-blk)
+Patch1683: kvm-virtio-blk-Release-s-rq-queue-at-system_reset.patch
+# For bz#1418233 - CVE-2017-2615 qemu-kvm: Qemu: display: cirrus: oob access while doing bitblt copy backward mode [rhel-7.4]
+Patch1684: kvm-cirrus_vga-fix-off-by-one-in-blit_region_is_unsafe.patch
+# For bz#1418233 - CVE-2017-2615 qemu-kvm: Qemu: display: cirrus: oob access while doing bitblt copy backward mode [rhel-7.4]
+Patch1685: kvm-display-cirrus-check-vga-bits-per-pixel-bpp-value.patch
+# For bz#1418233 - CVE-2017-2615 qemu-kvm: Qemu: display: cirrus: oob access while doing bitblt copy backward mode [rhel-7.4]
+Patch1686: kvm-display-cirrus-ignore-source-pitch-value-as-needed-i.patch
+# For bz#1418233 - CVE-2017-2615 qemu-kvm: Qemu: display: cirrus: oob access while doing bitblt copy backward mode [rhel-7.4]
+Patch1687: kvm-cirrus-handle-negative-pitch-in-cirrus_invalidate_re.patch
+# For bz#1418233 - CVE-2017-2615 qemu-kvm: Qemu: display: cirrus: oob access while doing bitblt copy backward mode [rhel-7.4]
+Patch1688: kvm-cirrus-allow-zero-source-pitch-in-pattern-fill-rops.patch
+# For bz#1418233 - CVE-2017-2615 qemu-kvm: Qemu: display: cirrus: oob access while doing bitblt copy backward mode [rhel-7.4]
+Patch1689: kvm-cirrus-fix-blit-address-mask-handling.patch
+# For bz#1418233 - CVE-2017-2615 qemu-kvm: Qemu: display: cirrus: oob access while doing bitblt copy backward mode [rhel-7.4]
+Patch1690: kvm-cirrus-fix-oob-access-issue-CVE-2017-2615.patch
+# For bz#1419898 - Documentation inaccurate for __com.redhat_qxl_screendump and __com.redhat_drive_add
+Patch1691: kvm-HMP-Fix-user-manual-typo-of-__com.redhat_qxl_screend.patch
+# For bz#1419898 - Documentation inaccurate for __com.redhat_qxl_screendump and __com.redhat_drive_add
+Patch1692: kvm-HMP-Fix-documentation-of-__com.redhat.drive_add.patch
+# For bz#1420492 - EMBARGOED CVE-2017-2620 qemu-kvm: Qemu: display: cirrus: potential arbitrary code execution via cirrus_bitblt_cputovideo [rhel-7.4]
+Patch1693: kvm-cirrus-fix-patterncopy-checks.patch
+# For bz#1420492 - EMBARGOED CVE-2017-2620 qemu-kvm: Qemu: display: cirrus: potential arbitrary code execution via cirrus_bitblt_cputovideo [rhel-7.4]
+Patch1694: kvm-Revert-cirrus-allow-zero-source-pitch-in-pattern-fil.patch
+# For bz#1420492 - EMBARGOED CVE-2017-2620 qemu-kvm: Qemu: display: cirrus: potential arbitrary code execution via cirrus_bitblt_cputovideo [rhel-7.4]
+Patch1695: kvm-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch
+# For bz#1368375 - [Intel 7.4 Bug] qemu-kvm does not support “-cpu IvyBridge”
+Patch1696: kvm-target-i386-add-Ivy-Bridge-CPU-model.patch
+# For bz#1382122 - [Intel 7.4 FEAT] KVM Enable the avx512_4vnniw, avx512_4fmaps instructions in qemu
+Patch1697: kvm-x86-add-AVX512_4VNNIW-and-AVX512_4FMAPS-features.patch
+# For bz#1382122 - [Intel 7.4 FEAT] KVM Enable the avx512_4vnniw, avx512_4fmaps instructions in qemu
+Patch1698: kvm-target-i386-kvm_cpu_fill_host-Kill-unused-code.patch
+# For bz#1382122 - [Intel 7.4 FEAT] KVM Enable the avx512_4vnniw, avx512_4fmaps instructions in qemu
+Patch1699: kvm-target-i386-kvm_cpu_fill_host-No-need-to-check-level.patch
+# For bz#1382122 - [Intel 7.4 FEAT] KVM Enable the avx512_4vnniw, avx512_4fmaps instructions in qemu
+Patch1700: kvm-target-i386-kvm_cpu_fill_host-No-need-to-check-CPU-v.patch
+# For bz#1382122 - [Intel 7.4 FEAT] KVM Enable the avx512_4vnniw, avx512_4fmaps instructions in qemu
+Patch1701: kvm-target-i386-kvm_cpu_fill_host-No-need-to-check-xleve.patch
+# For bz#1382122 - [Intel 7.4 FEAT] KVM Enable the avx512_4vnniw, avx512_4fmaps instructions in qemu
+Patch1702: kvm-target-i386-kvm_cpu_fill_host-Set-all-feature-words-.patch
+# For bz#1382122 - [Intel 7.4 FEAT] KVM Enable the avx512_4vnniw, avx512_4fmaps instructions in qemu
+Patch1703: kvm-target-i386-kvm_cpu_fill_host-Fill-feature-words-in-.patch
+# For bz#1382122 - [Intel 7.4 FEAT] KVM Enable the avx512_4vnniw, avx512_4fmaps instructions in qemu
+Patch1704: kvm-target-i386-kvm_check_features_against_host-Kill-fea.patch
+# For bz#1382122 - [Intel 7.4 FEAT] KVM Enable the avx512_4vnniw, avx512_4fmaps instructions in qemu
+Patch1705: kvm-target-i386-Make-TCG-feature-filtering-more-readable.patch
+# For bz#1382122 - [Intel 7.4 FEAT] KVM Enable the avx512_4vnniw, avx512_4fmaps instructions in qemu
+Patch1706: kvm-target-i386-Filter-FEAT_7_0_EBX-TCG-features-too.patch
+# For bz#1382122 - [Intel 7.4 FEAT] KVM Enable the avx512_4vnniw, avx512_4fmaps instructions in qemu
+Patch1707: kvm-target-i386-Filter-KVM-and-0xC0000001-features-on-TC.patch
+# For bz#1382122 - [Intel 7.4 FEAT] KVM Enable the avx512_4vnniw, avx512_4fmaps instructions in qemu
+Patch1708: kvm-target-i386-Define-TCG_-_FEATURES-earlier-in-cpu.c.patch
+# For bz#1382122 - [Intel 7.4 FEAT] KVM Enable the avx512_4vnniw, avx512_4fmaps instructions in qemu
+Patch1709: kvm-target-i386-Loop-based-copying-and-setting-unsetting.patch
+# For bz#1382122 - [Intel 7.4 FEAT] KVM Enable the avx512_4vnniw, avx512_4fmaps instructions in qemu
+Patch1710: kvm-target-i386-Loop-based-feature-word-filtering-in-TCG.patch
+# For bz#1430606 - Can't build qemu-kvm with newer spice packages
+Patch1711: kvm-spice-remove-spice-experimental.h-include.patch
+# For bz#1430606 - Can't build qemu-kvm with newer spice packages
+Patch1712: kvm-spice-replace-use-of-deprecated-API.patch
+# For bz#1377977 - qemu-kvm coredump in vnc_raw_send_framebuffer_update [rhel-7.4]
+Patch1713: kvm-ui-vnc-introduce-VNC_DIRTY_PIXELS_PER_BIT-macro.patch
+# For bz#1377977 - qemu-kvm coredump in vnc_raw_send_framebuffer_update [rhel-7.4]
+Patch1714: kvm-ui-vnc-derive-cmp_bytes-from-VNC_DIRTY_PIXELS_PER_BI.patch
+# For bz#1377977 - qemu-kvm coredump in vnc_raw_send_framebuffer_update [rhel-7.4]
+Patch1715: kvm-ui-vnc-optimize-dirty-bitmap-tracking.patch
+# For bz#1377977 - qemu-kvm coredump in vnc_raw_send_framebuffer_update [rhel-7.4]
+Patch1716: kvm-ui-vnc-optimize-setting-in-vnc_dpy_update.patch
+# For bz#1377977 - qemu-kvm coredump in vnc_raw_send_framebuffer_update [rhel-7.4]
+Patch1717: kvm-ui-vnc-fix-vmware-VGA-incompatiblities.patch
+# For bz#1377977 - qemu-kvm coredump in vnc_raw_send_framebuffer_update [rhel-7.4]
+Patch1718: kvm-ui-vnc-fix-potential-memory-corruption-issues.patch
+# For bz#1377977 - qemu-kvm coredump in vnc_raw_send_framebuffer_update [rhel-7.4]
+Patch1719: kvm-vnc-fix-memory-corruption-CVE-2015-5225.patch
+# For bz#1377977 - qemu-kvm coredump in vnc_raw_send_framebuffer_update [rhel-7.4]
+Patch1720: kvm-vnc-fix-overflow-in-vnc_update_stats.patch
+# For bz#1335751 - CVE-2016-4020 qemu-kvm: Qemu: i386: leakage of stack memory to guest in kvmvapic.c [rhel-7.4]
+Patch1721: kvm-i386-kvmvapic-initialise-imm32-variable.patch
+# For bz#1427176 - test cases of qemu-iotests failed
+Patch1722: kvm-qemu-iotests-Filter-out-actual-image-size-in-067.patch
+# For bz#1427176 - test cases of qemu-iotests failed
+Patch1723: kvm-qcow2-Don-t-rely-on-free_cluster_index-in-alloc_ref2.patch
+# For bz#1427176 - test cases of qemu-iotests failed
+Patch1724: kvm-qemu-iotests-Fix-core-dump-suppression-in-test-039.patch
+# For bz#1427176 - test cases of qemu-iotests failed
+Patch1725: kvm-qemu-io-Add-sigraise-command.patch
+# For bz#1427176 - test cases of qemu-iotests failed
+Patch1726: kvm-iotests-Filter-for-Killed-in-qemu-io-output.patch
+# For bz#1427176 - test cases of qemu-iotests failed
+Patch1727: kvm-iotests-Fix-test-039.patch
+# For bz#1427176 - test cases of qemu-iotests failed
+Patch1728: kvm-blkdebug-Add-bdrv_truncate.patch
+# For bz#1427176 - test cases of qemu-iotests failed
+Patch1729: kvm-vhdx-Fix-zero-fill-iov-length.patch
+# For bz#1427176 - test cases of qemu-iotests failed
+Patch1730: kvm-qemu-iotests-Disable-030-040-041.patch
+# For bz#1415830 - [Intel 7.4 FEAT] Enable vpopcntdq for KNM - qemu/kvm
+Patch1731: kvm-x86-add-AVX512_VPOPCNTDQ-features.patch
+# For bz#1419818 - CVE-2017-5898 qemu-kvm: Qemu: usb: integer overflow in emulated_apdu_from_guest [rhel-7.4]
+Patch1732: kvm-usb-ccid-check-ccid-apdu-length.patch
+# For bz#1419818 - CVE-2017-5898 qemu-kvm: Qemu: usb: integer overflow in emulated_apdu_from_guest [rhel-7.4]
+Patch1733: kvm-usb-ccid-better-bulk_out-error-handling.patch
+# For bz#1419818 - CVE-2017-5898 qemu-kvm: Qemu: usb: integer overflow in emulated_apdu_from_guest [rhel-7.4]
+Patch1734: kvm-usb-ccid-move-header-size-check.patch
+# For bz#1419818 - CVE-2017-5898 qemu-kvm: Qemu: usb: integer overflow in emulated_apdu_from_guest [rhel-7.4]
+Patch1735: kvm-usb-ccid-add-check-message-size-checks.patch
+# For bz#1430060 - CVE-2016-9603 qemu-kvm: Qemu: cirrus: heap buffer overflow via vnc connection [rhel-7.4]
+Patch1736: kvm-fix-cirrus_vga-fix-OOB-read-case-qemu-Segmentation-f.patch
+# For bz#1430060 - CVE-2016-9603 qemu-kvm: Qemu: cirrus: heap buffer overflow via vnc connection [rhel-7.4]
+Patch1737: kvm-cirrus-vnc-zap-bitblit-support-from-console-code.patch
+# For bz#1430060 - CVE-2016-9603 qemu-kvm: Qemu: cirrus: heap buffer overflow via vnc connection [rhel-7.4]
+Patch1738: kvm-cirrus-add-option-to-disable-blitter.patch
+# For bz#1430060 - CVE-2016-9603 qemu-kvm: Qemu: cirrus: heap buffer overflow via vnc connection [rhel-7.4]
+Patch1739: kvm-cirrus-fix-cirrus_invalidate_region.patch
+# For bz#1430060 - CVE-2016-9603 qemu-kvm: Qemu: cirrus: heap buffer overflow via vnc connection [rhel-7.4]
+Patch1740: kvm-cirrus-stop-passing-around-dst-pointers-in-the-blitt.patch
+# For bz#1430060 - CVE-2016-9603 qemu-kvm: Qemu: cirrus: heap buffer overflow via vnc connection [rhel-7.4]
+Patch1741: kvm-cirrus-stop-passing-around-src-pointers-in-the-blitt.patch
+# For bz#1430060 - CVE-2016-9603 qemu-kvm: Qemu: cirrus: heap buffer overflow via vnc connection [rhel-7.4]
+Patch1742: kvm-cirrus-fix-off-by-one-in-cirrus_bitblt_rop_bkwd_tran.patch
+# For bz#1327593 - [Intel 7.4 FEAT] KVM Enable the XSAVEC, XSAVES and XRSTORS instructions
+Patch1743: kvm-target-i386-get-set-migrate-XSAVES-state.patch
+# For bz#1299875 - system_reset should clear pending request for error (IDE)
+Patch1744: kvm-ide-fix-halted-IO-segfault-at-reset.patch
+# For bz#1451470 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
+Patch1745: kvm-char-serial-cosmetic-fixes.patch
+# For bz#1451470 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
+Patch1746: kvm-char-serial-Use-generic-Fifo8.patch
+# For bz#1451470 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
+Patch1747: kvm-char-serial-serial_ioport_write-Factor-out-common-co.patch
+# For bz#1451470 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
+Patch1748: kvm-char-serial-fix-copy-paste-error-fifo8_is_full-vs-em.patch
+# For bz#1451470 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
+Patch1749: kvm-char-serial-Fix-emptyness-check.patch
+# For bz#1451470 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
+Patch1750: kvm-char-serial-Fix-emptyness-handling.patch
+# For bz#1451470 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
+Patch1751: kvm-serial-poll-the-serial-console-with-G_IO_HUP.patch
+# For bz#1451470 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
+Patch1752: kvm-serial-change-retry-logic-to-avoid-concurrency.patch
+# For bz#1451470 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
+Patch1753: kvm-qemu-char-ignore-flow-control-if-a-PTY-s-slave-is-no.patch
+# For bz#1451470 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
+Patch1754: kvm-serial-check-if-backed-by-a-physical-serial-port-at-.patch
+# For bz#1451470 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
+Patch1755: kvm-serial-reset-thri_pending-on-IER-writes-with-THRI-0.patch
+# For bz#1451470 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
+Patch1756: kvm-serial-clean-up-THRE-TEMT-handling.patch
+# For bz#1451470 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
+Patch1757: kvm-serial-update-LSR-on-enabling-disabling-FIFOs.patch
+# For bz#1451470 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
+Patch1758: kvm-serial-only-resample-THR-interrupt-on-rising-edge-of.patch
+# For bz#1451470 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
+Patch1759: kvm-serial-make-tsr_retry-unsigned.patch
+# For bz#1451470 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
+Patch1760: kvm-serial-simplify-tsr_retry-reset.patch
+# For bz#1451470 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
+Patch1761: kvm-serial-separate-serial_xmit-and-serial_watch_cb.patch
+# For bz#1451470 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
+Patch1762: kvm-serial-remove-watch-on-reset.patch
+# For bz#1451470 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop
+Patch1763: kvm-char-change-qemu_chr_fe_add_watch-to-return-unsigned.patch
+# For bz#1456983 - Character device regression due to missing patch
+Patch1764: kvm-spice-fix-spice_chr_add_watch-pre-condition.patch
+# For bz#1455745 - Backport fix for broken logic that's supposed to ensure memory slots are page aligned
+Patch1765: kvm-Fix-memory-slot-page-alignment-logic-bug-1455745.patch
+# For bz#1452067 - migration can confuse serial port user
+Patch1766: kvm-Do-not-hang-on-full-PTY.patch
+# For bz#1452067 - migration can confuse serial port user
+Patch1767: kvm-serial-fixing-vmstate-for-save-restore.patch
+# For bz#1452067 - migration can confuse serial port user
+Patch1768: kvm-serial-reinstate-watch-after-migration.patch
+# For bz#1451614 - CVE-2017-9524 qemu-kvm: segment fault when private user nmap qemu-nbd server [rhel-7.4]
+Patch1769: kvm-nbd-Fully-initialize-client-in-case-of-failed-negoti.patch
+# For bz#1451614 - CVE-2017-9524 qemu-kvm: segment fault when private user nmap qemu-nbd server [rhel-7.4]
+Patch1770: kvm-nbd-Fix-regression-on-resiliency-to-port-scan.patch
BuildRequires: zlib-devel
BuildRequires: SDL-devel
BuildRequires: which
-BuildRequires: texi2html
BuildRequires: gnutls-devel
BuildRequires: cyrus-sasl-devel
BuildRequires: libtool
@@ -3562,7 +3665,7 @@ BuildRequires: perl-podlators
BuildRequires: texinfo
# For rdma
%if 0%{?have_librdma:1}
-BuildRequires: librdmacm-devel
+BuildRequires: rdma-core-devel
%endif
# cpp for preprocessing option ROM assembly files
%ifarch %{ix86} x86_64
@@ -3590,12 +3693,10 @@ Requires: qemu-img = %{epoch}:%{version}-%{release}
%define qemudocdir %{_docdir}/%{pkgname}
%description
-qemu-kvm is an open source virtualizer that provides hardware emulation for
-the KVM hypervisor. qemu-kvm acts as a virtual machine monitor together with
-the KVM kernel modules, and emulates the hardware for a full system such as
-a PC and its assocated peripherals.
-
-As qemu-kvm requires no host kernel patches to run, it is safe and easy to use.
+qemu-kvm%{?pkgsuffix} is an open source virtualizer that provides hardware
+emulation for the KVM hypervisor. qemu-kvm%{?pkgsuffix} acts as a virtual
+machine monitor together with the KVM kernel modules, and emulates the
+hardware for a full system such as a PC and its associated peripherals.
%package -n qemu-img%{?pkgsuffix}
Summary: QEMU command line tool for manipulating disk images
@@ -3670,6 +3771,7 @@ such as kvm_stat.
%prep
%setup -q -n qemu-%{version}
cp %{SOURCE18} pc-bios # keep "make check" happy
+tar -xf %{SOURCE21}
%patch1 -p1
#%%patch2 -p1
#%%patch3 -p1
@@ -5387,6 +5489,59 @@ cp %{SOURCE18} pc-bios # keep "make check" happy
%patch1715 -p1
%patch1716 -p1
%patch1717 -p1
+%patch1718 -p1
+%patch1719 -p1
+%patch1720 -p1
+%patch1721 -p1
+%patch1722 -p1
+%patch1723 -p1
+%patch1724 -p1
+%patch1725 -p1
+%patch1726 -p1
+%patch1727 -p1
+%patch1728 -p1
+%patch1729 -p1
+%patch1730 -p1
+%patch1731 -p1
+%patch1732 -p1
+%patch1733 -p1
+%patch1734 -p1
+%patch1735 -p1
+%patch1736 -p1
+%patch1737 -p1
+%patch1738 -p1
+%patch1739 -p1
+%patch1740 -p1
+%patch1741 -p1
+%patch1742 -p1
+%patch1743 -p1
+%patch1744 -p1
+%patch1745 -p1
+%patch1746 -p1
+%patch1747 -p1
+%patch1748 -p1
+%patch1749 -p1
+%patch1750 -p1
+%patch1751 -p1
+%patch1752 -p1
+%patch1753 -p1
+%patch1754 -p1
+%patch1755 -p1
+%patch1756 -p1
+%patch1757 -p1
+%patch1758 -p1
+%patch1759 -p1
+%patch1760 -p1
+%patch1761 -p1
+%patch1762 -p1
+%patch1763 -p1
+%patch1764 -p1
+%patch1765 -p1
+%patch1766 -p1
+%patch1767 -p1
+%patch1768 -p1
+%patch1769 -p1
+%patch1770 -p1
%build
buildarch="%{kvm_target}-softmmu"
@@ -5832,101 +5987,211 @@ sh %{_sysconfdir}/sysconfig/modules/kvm.modules &> /dev/null || :
%{_mandir}/man8/qemu-nbd.8*
%changelog
-* Fri Jun 16 2017 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-126.el7_3.10
-- kvm-nbd-Fully-initialize-client-in-case-of-failed-negoti.patch [bz#1460179]
-- kvm-nbd-Fix-regression-on-resiliency-to-port-scan.patch [bz#1460179]
-- Resolves: bz#1460179
- (CVE-2017-9524 qemu-kvm: Qemu: nbd: segmentation fault due to client non-negotiation [rhel-7.3.z])
-
-* Tue Jun 06 2017 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-126.el7_3.9
-- kvm-spice-fix-spice_chr_add_watch-pre-condition.patch [bz#1452332]
-- Resolves: bz#1452332
+* Tue Jun 13 2017 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-141.el7
+- kvm-Fix-memory-slot-page-alignment-logic-bug-1455745.patch [bz#1455745]
+- kvm-Do-not-hang-on-full-PTY.patch [bz#1452067]
+- kvm-serial-fixing-vmstate-for-save-restore.patch [bz#1452067]
+- kvm-serial-reinstate-watch-after-migration.patch [bz#1452067]
+- kvm-nbd-Fully-initialize-client-in-case-of-failed-negoti.patch [bz#1451614]
+- kvm-nbd-Fix-regression-on-resiliency-to-port-scan.patch [bz#1451614]
+- Resolves: bz#1451614
+ (CVE-2017-9524 qemu-kvm: segment fault when private user nmap qemu-nbd server [rhel-7.4])
+- Resolves: bz#1452067
+ (migration can confuse serial port user)
+- Resolves: bz#1455745
+ (Backport fix for broken logic that's supposed to ensure memory slots are page aligned)
+
+* Tue Jun 06 2017 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-140.el7
+- kvm-spice-fix-spice_chr_add_watch-pre-condition.patch [bz#1456983]
+- Resolves: bz#1456983
+ (Character device regression due to missing patch)
+
+* Wed May 24 2017 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-139.el7
+- kvm-char-change-qemu_chr_fe_add_watch-to-return-unsigned.patch [bz#1451470]
+- Resolves: bz#1451470
(RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop)
-* Wed May 24 2017 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-126.el7_3.8
-- kvm-char-change-qemu_chr_fe_add_watch-to-return-unsigned.patch [bz#1452332]
-- Resolves: bz#1452332
+* Tue May 23 2017 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-138.el7
+- kvm-char-serial-cosmetic-fixes.patch [bz#1451470]
+- kvm-char-serial-Use-generic-Fifo8.patch [bz#1451470]
+- kvm-char-serial-serial_ioport_write-Factor-out-common-co.patch [bz#1451470]
+- kvm-char-serial-fix-copy-paste-error-fifo8_is_full-vs-em.patch [bz#1451470]
+- kvm-char-serial-Fix-emptyness-check.patch [bz#1451470]
+- kvm-char-serial-Fix-emptyness-handling.patch [bz#1451470]
+- kvm-serial-poll-the-serial-console-with-G_IO_HUP.patch [bz#1451470]
+- kvm-serial-change-retry-logic-to-avoid-concurrency.patch [bz#1451470]
+- kvm-qemu-char-ignore-flow-control-if-a-PTY-s-slave-is-no.patch [bz#1451470]
+- kvm-serial-check-if-backed-by-a-physical-serial-port-at-.patch [bz#1451470]
+- kvm-serial-reset-thri_pending-on-IER-writes-with-THRI-0.patch [bz#1451470]
+- kvm-serial-clean-up-THRE-TEMT-handling.patch [bz#1451470]
+- kvm-serial-update-LSR-on-enabling-disabling-FIFOs.patch [bz#1451470]
+- kvm-serial-only-resample-THR-interrupt-on-rising-edge-of.patch [bz#1451470]
+- kvm-serial-make-tsr_retry-unsigned.patch [bz#1451470]
+- kvm-serial-simplify-tsr_retry-reset.patch [bz#1451470]
+- kvm-serial-separate-serial_xmit-and-serial_watch_cb.patch [bz#1451470]
+- kvm-serial-remove-watch-on-reset.patch [bz#1451470]
+- Resolves: bz#1451470
(RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop)
-* Mon May 22 2017 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-126.el7_3.7
-- kvm-char-serial-cosmetic-fixes.patch [bz#1452332]
-- kvm-char-serial-Use-generic-Fifo8.patch [bz#1452332]
-- kvm-char-serial-serial_ioport_write-Factor-out-common-co.patch [bz#1452332]
-- kvm-char-serial-fix-copy-paste-error-fifo8_is_full-vs-em.patch [bz#1452332]
-- kvm-char-serial-Fix-emptyness-check.patch [bz#1452332]
-- kvm-char-serial-Fix-emptyness-handling.patch [bz#1452332]
-- kvm-serial-poll-the-serial-console-with-G_IO_HUP.patch [bz#1452332]
-- kvm-serial-change-retry-logic-to-avoid-concurrency.patch [bz#1452332]
-- kvm-qemu-char-ignore-flow-control-if-a-PTY-s-slave-is-no.patch [bz#1452332]
-- kvm-serial-check-if-backed-by-a-physical-serial-port-at-.patch [bz#1452332]
-- kvm-serial-reset-thri_pending-on-IER-writes-with-THRI-0.patch [bz#1452332]
-- kvm-serial-clean-up-THRE-TEMT-handling.patch [bz#1452332]
-- kvm-serial-update-LSR-on-enabling-disabling-FIFOs.patch [bz#1452332]
-- kvm-serial-only-resample-THR-interrupt-on-rising-edge-of.patch [bz#1452332]
-- kvm-serial-make-tsr_retry-unsigned.patch [bz#1452332]
-- kvm-serial-simplify-tsr_retry-reset.patch [bz#1452332]
-- kvm-serial-separate-serial_xmit-and-serial_watch_cb.patch [bz#1452332]
-- kvm-serial-remove-watch-on-reset.patch [bz#1452332]
-- Resolves: bz#1452332
- (RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop)
+* Fri Apr 28 2017 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-137.el7
+- kvm-ide-fix-halted-IO-segfault-at-reset.patch [bz#1299875]
+- Resolves: bz#1299875
+ (system_reset should clear pending request for error (IDE))
-* Fri Mar 24 2017 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-126.el7_3.6
-- kvm-fix-cirrus_vga-fix-OOB-read-case-qemu-Segmentation-f.patch [bz#1430059]
-- kvm-cirrus-vnc-zap-bitblit-support-from-console-code.patch [bz#1430059]
-- kvm-cirrus-add-option-to-disable-blitter.patch [bz#1430059]
-- kvm-cirrus-fix-cirrus_invalidate_region.patch [bz#1430059]
-- kvm-cirrus-stop-passing-around-dst-pointers-in-the-blitt.patch [bz#1430059]
-- kvm-cirrus-stop-passing-around-src-pointers-in-the-blitt.patch [bz#1430059]
-- kvm-cirrus-fix-off-by-one-in-cirrus_bitblt_rop_bkwd_tran.patch [bz#1430059]
-- Resolves: bz#1430059
- (CVE-2016-9603 qemu-kvm: Qemu: cirrus: heap buffer overflow via vnc connection [rhel-7.3.z])
-
-* Mon Feb 13 2017 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-126.el7_3.5
-- kvm-cirrus-fix-patterncopy-checks.patch [bz#1420490]
-- kvm-Revert-cirrus-allow-zero-source-pitch-in-pattern-fil.patch [bz#1420490]
-- kvm-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch [bz#1420490]
-- Resolves: bz#1420490
- (EMBARGOED CVE-2017-2620 qemu-kvm: Qemu: display: cirrus: potential arbitrary code execution via cirrus_bitblt_cputovideo [rhel-7.3.z])
-
-* Fri Feb 10 2017 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-126.el7_3.4
-- kvm-virtio-blk-Release-s-rq-queue-at-system_reset.patch [bz#1420049]
-- kvm-cirrus_vga-fix-off-by-one-in-blit_region_is_unsafe.patch [bz#1418232]
-- kvm-display-cirrus-check-vga-bits-per-pixel-bpp-value.patch [bz#1418232]
-- kvm-display-cirrus-ignore-source-pitch-value-as-needed-i.patch [bz#1418232]
-- kvm-cirrus-handle-negative-pitch-in-cirrus_invalidate_re.patch [bz#1418232]
-- kvm-cirrus-allow-zero-source-pitch-in-pattern-fill-rops.patch [bz#1418232]
-- kvm-cirrus-fix-blit-address-mask-handling.patch [bz#1418232]
-- kvm-cirrus-fix-oob-access-issue-CVE-2017-2615.patch [bz#1418232]
-- Resolves: bz#1418232
- (CVE-2017-2615 qemu-kvm: Qemu: display: cirrus: oob access while doing bitblt copy backward mode [rhel-7.3.z])
-- Resolves: bz#1420049
+* Tue Apr 18 2017 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-136.el7
+- kvm-target-i386-get-set-migrate-XSAVES-state.patch [bz#1327593]
+- kvm-Removing-texi2html-from-build-requirements.patch [bz#1440987]
+- kvm-Disable-build-of-32bit-packages.patch [bz#1441778]
+- kvm-Add-sample-images-to-srpm.patch [bz#1436280]
+- Resolves: bz#1327593
+ ([Intel 7.4 FEAT] KVM Enable the XSAVEC, XSAVES and XRSTORS instructions)
+- Resolves: bz#1436280
+ (sample images for qemu-iotests are missing in the SRPM)
+- Resolves: bz#1440987
+ (Remove texi2html build dependancy from RPM)
+- Resolves: bz#1441778
+ (Stop building qemu-img for 32bit architectures.)
+
+* Thu Mar 30 2017 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-135.el7
+- kvm-fix-cirrus_vga-fix-OOB-read-case-qemu-Segmentation-f.patch [bz#1430060]
+- kvm-cirrus-vnc-zap-bitblit-support-from-console-code.patch [bz#1430060]
+- kvm-cirrus-add-option-to-disable-blitter.patch [bz#1430060]
+- kvm-cirrus-fix-cirrus_invalidate_region.patch [bz#1430060]
+- kvm-cirrus-stop-passing-around-dst-pointers-in-the-blitt.patch [bz#1430060]
+- kvm-cirrus-stop-passing-around-src-pointers-in-the-blitt.patch [bz#1430060]
+- kvm-cirrus-fix-off-by-one-in-cirrus_bitblt_rop_bkwd_tran.patch [bz#1430060]
+- Resolves: bz#1430060
+ (CVE-2016-9603 qemu-kvm: Qemu: cirrus: heap buffer overflow via vnc connection [rhel-7.4])
+
+* Tue Mar 21 2017 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-134.el7
+- kvm-ui-vnc-introduce-VNC_DIRTY_PIXELS_PER_BIT-macro.patch [bz#1377977]
+- kvm-ui-vnc-derive-cmp_bytes-from-VNC_DIRTY_PIXELS_PER_BI.patch [bz#1377977]
+- kvm-ui-vnc-optimize-dirty-bitmap-tracking.patch [bz#1377977]
+- kvm-ui-vnc-optimize-setting-in-vnc_dpy_update.patch [bz#1377977]
+- kvm-ui-vnc-fix-vmware-VGA-incompatiblities.patch [bz#1377977]
+- kvm-ui-vnc-fix-potential-memory-corruption-issues.patch [bz#1377977]
+- kvm-vnc-fix-memory-corruption-CVE-2015-5225.patch [bz#1377977]
+- kvm-vnc-fix-overflow-in-vnc_update_stats.patch [bz#1377977]
+- kvm-i386-kvmvapic-initialise-imm32-variable.patch [bz#1335751]
+- kvm-qemu-iotests-Filter-out-actual-image-size-in-067.patch [bz#1427176]
+- vm-qcow2-Don-t-rely-on-free_cluster_index-in-alloc_ref2.patch [bz#1427176]
+- kvm-qemu-iotests-Fix-core-dump-suppression-in-test-039.patch [bz#1427176]
+- kvm-qemu-io-Add-sigraise-command.patch [bz#1427176]
+- kvm-iotests-Filter-for-Killed-in-qemu-io-output.patch [bz#1427176]
+- kvm-iotests-Fix-test-039.patch [bz#1427176]
+- kvm-blkdebug-Add-bdrv_truncate.patch [bz#1427176]
+- kvm-vhdx-Fix-zero-fill-iov-length.patch [bz#1427176]
+- kvm-qemu-iotests-Disable-030-040-041.patch [bz#1427176]
+- kvm-x86-add-AVX512_VPOPCNTDQ-features.patch [bz#1415830]
+- kvm-usb-ccid-check-ccid-apdu-length.patch [bz#1419818]
+- kvm-usb-ccid-better-bulk_out-error-handling.patch [bz#1419818]
+- kvm-usb-ccid-move-header-size-check.patch [bz#1419818]
+- kvm-usb-ccid-add-check-message-size-checks.patch [bz#1419818]
+- kvm-spec-Update-rdma-build-dependency.patch [bz#1433920]
+- Resolves: bz#1335751
+ (CVE-2016-4020 qemu-kvm: Qemu: i386: leakage of stack memory to guest in kvmvapic.c [rhel-7.4])
+- Resolves: bz#1377977
+ (qemu-kvm coredump in vnc_raw_send_framebuffer_update [rhel-7.4])
+- Resolves: bz#1415830
+ ([Intel 7.4 FEAT] Enable vpopcntdq for KNM - qemu/kvm)
+- Resolves: bz#1419818
+ (CVE-2017-5898 qemu-kvm: Qemu: usb: integer overflow in emulated_apdu_from_guest [rhel-7.4])
+- Resolves: bz#1427176
+ (test cases of qemu-iotests failed)
+- Resolves: bz#1433920
+ (Switch from librdmacm-devel to rdma-core-devel)
+
+* Thu Mar 09 2017 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-133.el7
+- kvm-target-i386-add-Ivy-Bridge-CPU-model.patch [bz#1368375]
+- kvm-x86-add-AVX512_4VNNIW-and-AVX512_4FMAPS-features.patch [bz#1382122]
+- kvm-target-i386-kvm_cpu_fill_host-Kill-unused-code.patch [bz#1382122]
+- kvm-target-i386-kvm_cpu_fill_host-No-need-to-check-level.patch [bz#1382122]
+- kvm-target-i386-kvm_cpu_fill_host-No-need-to-check-CPU-v.patch [bz#1382122]
+- kvm-target-i386-kvm_cpu_fill_host-No-need-to-check-xleve.patch [bz#1382122]
+- kvm-target-i386-kvm_cpu_fill_host-Set-all-feature-words-.patch [bz#1382122]
+- kvm-target-i386-kvm_cpu_fill_host-Fill-feature-words-in-.patch [bz#1382122]
+- kvm-target-i386-kvm_check_features_against_host-Kill-fea.patch [bz#1382122]
+- kvm-target-i386-Make-TCG-feature-filtering-more-readable.patch [bz#1382122]
+- kvm-target-i386-Filter-FEAT_7_0_EBX-TCG-features-too.patch [bz#1382122]
+- kvm-target-i386-Filter-KVM-and-0xC0000001-features-on-TC.patch [bz#1382122]
+- kvm-target-i386-Define-TCG_-_FEATURES-earlier-in-cpu.c.patch [bz#1382122]
+- kvm-target-i386-Loop-based-copying-and-setting-unsetting.patch [bz#1382122]
+- kvm-target-i386-Loop-based-feature-word-filtering-in-TCG.patch [bz#1382122]
+- kvm-spice-remove-spice-experimental.h-include.patch [bz#1430606]
+- kvm-spice-replace-use-of-deprecated-API.patch [bz#1430606]
+- Resolves: bz#1368375
+ ([Intel 7.4 Bug] qemu-kvm does not support “-cpu IvyBridge”)
+- Resolves: bz#1382122
+ ([Intel 7.4 FEAT] KVM Enable the avx512_4vnniw, avx512_4fmaps instructions in qemu)
+- Resolves: bz#1430606
+ (Can't build qemu-kvm with newer spice packages)
+
+* Tue Feb 21 2017 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-132.el7
+- kvm-cirrus-fix-patterncopy-checks.patch [bz#1420492]
+- kvm-Revert-cirrus-allow-zero-source-pitch-in-pattern-fil.patch [bz#1420492]
+- kvm-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch [bz#1420492]
+- Resolves: bz#1420492
+ (EMBARGOED CVE-2017-2620 qemu-kvm: Qemu: display: cirrus: potential arbitrary code execution via cirrus_bitblt_cputovideo [rhel-7.4])
+
+* Fri Feb 10 2017 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-131.el7
+- kvm-memory-Allow-access-only-upto-the-maximum-alignment-.patch [bz#1342768]
+- kvm-virtio-blk-Release-s-rq-queue-at-system_reset.patch [bz#1361488]
+- kvm-cirrus_vga-fix-off-by-one-in-blit_region_is_unsafe.patch [bz#1418233]
+- kvm-display-cirrus-check-vga-bits-per-pixel-bpp-value.patch [bz#1418233]
+- kvm-display-cirrus-ignore-source-pitch-value-as-needed-i.patch [bz#1418233]
+- kvm-cirrus-handle-negative-pitch-in-cirrus_invalidate_re.patch [bz#1418233]
+- kvm-cirrus-allow-zero-source-pitch-in-pattern-fill-rops.patch [bz#1418233]
+- kvm-cirrus-fix-blit-address-mask-handling.patch [bz#1418233]
+- kvm-cirrus-fix-oob-access-issue-CVE-2017-2615.patch [bz#1418233]
+- kvm-HMP-Fix-user-manual-typo-of-__com.redhat_qxl_screend.patch [bz#1419898]
+- kvm-HMP-Fix-documentation-of-__com.redhat.drive_add.patch [bz#1419898]
+- Resolves: bz#1342768
+ ([Intel 7.4 Bug] qemu-kvm crashes with Linux kernel 4.6.0 or above)
+- Resolves: bz#1361488
(system_reset should clear pending request for error (virtio-blk))
-
-* Wed Jan 04 2017 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-126.el7_3.3
-- kvm-net-check-packet-payload-length.patch [bz#1398217]
-- Resolves: bz#1398217
- (CVE-2016-2857 qemu-kvm: Qemu: net: out of bounds read in net_checksum_calculate() [rhel-7.3.z])
-
-* Thu Nov 24 2016 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-126.el7_3.2
-- kvm-virtio-introduce-virtqueue_unmap_sg.patch [bz#1393484]
-- kvm-virtio-introduce-virtqueue_discard.patch [bz#1393484]
-- kvm-virtio-decrement-vq-inuse-in-virtqueue_discard.patch [bz#1393484]
-- kvm-balloon-fix-segfault-and-harden-the-stats-queue.patch [bz#1393484]
-- kvm-virtio-balloon-discard-virtqueue-element-on-reset.patch [bz#1393484]
-- kvm-virtio-zero-vq-inuse-in-virtio_reset.patch [bz#1393484]
-- kvm-virtio-add-virtqueue_rewind.patch [bz#1393484]
-- kvm-virtio-balloon-fix-stats-vq-migration.patch [bz#1393484]
-- Resolves: bz#1393484
+- Resolves: bz#1418233
+ (CVE-2017-2615 qemu-kvm: Qemu: display: cirrus: oob access while doing bitblt copy backward mode [rhel-7.4])
+- Resolves: bz#1419898
+ (Documentation inaccurate for __com.redhat_qxl_screendump and __com.redhat_drive_add)
+
+* Wed Feb 01 2017 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-130.el7
+- kvm-gluster-correctly-propagate-errors.patch [bz#1151859]
+- kvm-gluster-Correctly-propagate-errors-when-volume-isn-t.patch [bz#1151859]
+- kvm-block-gluster-add-support-for-selecting-debug-loggin.patch [bz#1151859]
+- Resolves: bz#1151859
+ ([RFE] Allow the libgfapi logging level to be controlled.)
+
+* Wed Jan 18 2017 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-129.el7
+- kvm-Update-qemu-kvm-package-Summary-and-Description.patch [bz#1378541]
+- kvm-vl-Don-t-silently-change-topology-when-all-smp-optio.patch [bz#1375507]
+- kvm-net-check-packet-payload-length.patch [bz#1398218]
+- kvm-qxl-Only-emit-QXL_INTERRUPT_CLIENT_MONITORS_CONFIG-o.patch [bz#1342489]
+- Resolves: bz#1342489
+ (Flickering Fedora 24 Login Screen on RHEL 7)
+- Resolves: bz#1375507
+ ("threads" option is overwritten if both "sockets" and "cores" is set on -smp)
+- Resolves: bz#1378541
+ (QEMU: update package summary and description)
+- Resolves: bz#1398218
+ (CVE-2016-2857 qemu-kvm: Qemu: net: out of bounds read in net_checksum_calculate() [rhel-7.4])
+
+* Thu Nov 24 2016 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-128.el7
+- kvm-virtio-introduce-virtqueue_unmap_sg.patch [bz#1377968]
+- kvm-virtio-introduce-virtqueue_discard.patch [bz#1377968]
+- kvm-virtio-decrement-vq-inuse-in-virtqueue_discard.patch [bz#1377968]
+- kvm-balloon-fix-segfault-and-harden-the-stats-queue.patch [bz#1377968]
+- kvm-virtio-balloon-discard-virtqueue-element-on-reset.patch [bz#1377968]
+- kvm-virtio-zero-vq-inuse-in-virtio_reset.patch [bz#1377968]
+- kvm-virtio-add-virtqueue_rewind.patch [bz#1377968]
+- kvm-virtio-balloon-fix-stats-vq-migration.patch [bz#1377968]
+- Resolves: bz#1377968
([RHEL7.3] KVM guest shuts itself down after 128th reboot)
-* Fri Nov 11 2016 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-126.el7_3.1
-- kvm-ide-fix-halted-IO-segfault-at-reset.patch [bz#1393042]
-- kvm-hw-i386-regenerate-checked-in-AML-payload-RHEL-only.patch [bz#1392027]
-- kvm-SPEC-file-flip-the-build-from-IASL-to-checked-in-AML.patch [bz#1392027]
-- Resolves: bz#1392027
+* Wed Nov 16 2016 Danilo de Paula <ddepaula@redhat.com> - 1.5.3-127.el7
+- kvm-hw-i386-regenerate-checked-in-AML-payload-RHEL-only.patch [bz#1377087]
+- kvm-ide-fix-halted-IO-segfault-at-reset.patch [bz#1377087]
+- Resolves: bz#1377087
(shutdown rhel 5.11 guest failed and stop at "system halted")
-- Resolves: bz#1393042
- (system_reset should clear pending request for error (IDE))
* Tue Sep 20 2016 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-126.el7
- kvm-virtio-recalculate-vq-inuse-after-migration.patch [bz#1376542]