diff --git a/SOURCES/kvm-Add-support-to-KVM_GET_MSR_FEATURE_INDEX_LIST-an.patch b/SOURCES/kvm-Add-support-to-KVM_GET_MSR_FEATURE_INDEX_LIST-an.patch
new file mode 100644
index 0000000..246bd33
--- /dev/null
+++ b/SOURCES/kvm-Add-support-to-KVM_GET_MSR_FEATURE_INDEX_LIST-an.patch
@@ -0,0 +1,160 @@
+From 792618b0b553323919ae9b8067bc13c9e0222526 Mon Sep 17 00:00:00 2001
+From: "plai@redhat.com" <plai@redhat.com>
+Date: Tue, 20 Aug 2019 00:24:36 +0100
+Subject: [PATCH 5/9] kvm: Add support to KVM_GET_MSR_FEATURE_INDEX_LIST and
+ KVM_GET_MSRS system ioctl
+
+RH-Author: plai@redhat.com
+Message-id: <1566260680-20995-6-git-send-email-plai@redhat.com>
+Patchwork-id: 90070
+O-Subject: [RHEL8.0 qemu-kvm PATCH v3 5/9] kvm: Add support to KVM_GET_MSR_FEATURE_INDEX_LIST and KVM_GET_MSRS system ioctl
+Bugzilla: 1718235
+RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>
+RH-Acked-by: John Snow <jsnow@redhat.com>
+RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
+
+From: Robert Hoo <robert.hu@linux.intel.com>
+
+Add kvm_get_supported_feature_msrs() to get supported MSR feature index list.
+Add kvm_arch_get_supported_msr_feature() to get each MSR features value.
+
+Signed-off-by: Robert Hoo <robert.hu@linux.intel.com>
+Message-Id: <1539578845-37944-2-git-send-email-robert.hu@linux.intel.com>
+Reviewed-by: Eduardo Habkost <ehabkost@redhat.com>
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+(cherry picked from commit f57bceb6ab5163ddd6c41ff4344ab8cf28a9c63d)
+Signed-off-by: Paul Lai <plai@redhat.com>
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ include/sysemu/kvm.h |  2 ++
+ target/i386/kvm.c    | 80 ++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 82 insertions(+)
+
+diff --git a/include/sysemu/kvm.h b/include/sysemu/kvm.h
+index 23669c4..3d8f294 100644
+--- a/include/sysemu/kvm.h
++++ b/include/sysemu/kvm.h
+@@ -464,6 +464,8 @@ int kvm_vm_check_extension(KVMState *s, unsigned int extension);
+ 
+ uint32_t kvm_arch_get_supported_cpuid(KVMState *env, uint32_t function,
+                                       uint32_t index, int reg);
++uint32_t kvm_arch_get_supported_msr_feature(KVMState *s, uint32_t index);
++
+ 
+ void kvm_set_sigmask_len(KVMState *s, unsigned int sigmask_len);
+ 
+diff --git a/target/i386/kvm.c b/target/i386/kvm.c
+index 187ee19..d2cb91e 100644
+--- a/target/i386/kvm.c
++++ b/target/i386/kvm.c
+@@ -106,6 +106,7 @@ static int has_pit_state2;
+ static bool has_msr_mcg_ext_ctl;
+ 
+ static struct kvm_cpuid2 *cpuid_cache;
++static struct kvm_msr_list *kvm_feature_msrs;
+ 
+ int kvm_has_pit_state2(void)
+ {
+@@ -405,6 +406,42 @@ uint32_t kvm_arch_get_supported_cpuid(KVMState *s, uint32_t function,
+     return ret;
+ }
+ 
++uint32_t kvm_arch_get_supported_msr_feature(KVMState *s, uint32_t index)
++{
++    struct {
++        struct kvm_msrs info;
++        struct kvm_msr_entry entries[1];
++    } msr_data;
++    uint32_t ret;
++
++    if (kvm_feature_msrs == NULL) { /* Host doesn't support feature MSRs */
++        return 0;
++    }
++
++    /* Check if requested MSR is supported feature MSR */
++    int i;
++    for (i = 0; i < kvm_feature_msrs->nmsrs; i++)
++        if (kvm_feature_msrs->indices[i] == index) {
++            break;
++        }
++    if (i == kvm_feature_msrs->nmsrs) {
++        return 0; /* if the feature MSR is not supported, simply return 0 */
++    }
++
++    msr_data.info.nmsrs = 1;
++    msr_data.entries[0].index = index;
++
++    ret = kvm_ioctl(s, KVM_GET_MSRS, &msr_data);
++    if (ret != 1) {
++        error_report("KVM get MSR (index=0x%x) feature failed, %s",
++            index, strerror(-ret));
++        exit(1);
++    }
++
++    return msr_data.entries[0].data;
++}
++
++
+ typedef struct HWPoisonPage {
+     ram_addr_t ram_addr;
+     QLIST_ENTRY(HWPoisonPage) list;
+@@ -1164,6 +1201,47 @@ void kvm_arch_do_init_vcpu(X86CPU *cpu)
+     }
+ }
+ 
++static int kvm_get_supported_feature_msrs(KVMState *s)
++{
++    int ret = 0;
++
++    if (kvm_feature_msrs != NULL) {
++        return 0;
++    }
++
++    if (!kvm_check_extension(s, KVM_CAP_GET_MSR_FEATURES)) {
++        return 0;
++    }
++
++    struct kvm_msr_list msr_list;
++
++    msr_list.nmsrs = 0;
++    ret = kvm_ioctl(s, KVM_GET_MSR_FEATURE_INDEX_LIST, &msr_list);
++    if (ret < 0 && ret != -E2BIG) {
++        error_report("Fetch KVM feature MSR list failed: %s",
++            strerror(-ret));
++        return ret;
++    }
++
++    assert(msr_list.nmsrs > 0);
++    kvm_feature_msrs = (struct kvm_msr_list *) \
++        g_malloc0(sizeof(msr_list) +
++                 msr_list.nmsrs * sizeof(msr_list.indices[0]));
++
++    kvm_feature_msrs->nmsrs = msr_list.nmsrs;
++    ret = kvm_ioctl(s, KVM_GET_MSR_FEATURE_INDEX_LIST, kvm_feature_msrs);
++
++    if (ret < 0) {
++        error_report("Fetch KVM feature MSR list failed: %s",
++            strerror(-ret));
++        g_free(kvm_feature_msrs);
++        kvm_feature_msrs = NULL;
++        return ret;
++    }
++
++    return 0;
++}
++
+ static int kvm_get_supported_msrs(KVMState *s)
+ {
+     static int kvm_supported_msrs;
+@@ -1320,6 +1398,8 @@ int kvm_arch_init(MachineState *ms, KVMState *s)
+         return ret;
+     }
+ 
++    kvm_get_supported_feature_msrs(s);
++
+     uname(&utsname);
+     lm_capable_kernel = strcmp(utsname.machine, "x86_64") == 0;
+ 
+-- 
+1.8.3.1
+
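Review bot: In kvm_arch_get_supported_msr_feature() the statement `return msr_data.entries[0].data;` narrows the value to the function's `uint32_t` return type, while the `data` member of struct kvm_msr_entry is 64 bits wide, so feature bits above bit 31 are dropped without any diagnostic. Declaring it as `uint64_t kvm_arch_get_supported_msr_feature(KVMState *s, uint32_t index);` in both include/sysemu/kvm.h and target/i386/kvm.c avoids the truncation; the callers are outside this patch and would need a matching check. In the same function `ret` is a `uint32_t` that receives the int result of kvm_ioctl() and is then negated for strerror(), so `int ret;` would keep the error path well defined. In kvm_arch_init() the result of `kvm_get_supported_feature_msrs(s);` is discarded, so a failed list fetch is only logged and initialisation continues.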
diff --git a/SOURCES/kvm-Fix-heap-overflow-in-ip_reass-on-big-packet-input.patch b/SOURCES/kvm-Fix-heap-overflow-in-ip_reass-on-big-packet-input.patch
new file mode 100644
index 0000000..d74ef55
--- /dev/null
+++ b/SOURCES/kvm-Fix-heap-overflow-in-ip_reass-on-big-packet-input.patch
@@ -0,0 +1,56 @@
+From e356fafe02c3ce32bad9b8d96ae9cfd6fcbb40a9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Wed, 31 Jul 2019 18:45:29 +0100
+Subject: [PATCH 5/5] Fix heap overflow in ip_reass on big packet input
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: <20190731184529.21905-2-philmd@redhat.com>
+Patchwork-id: 89820
+O-Subject: [RHEL-8.1.0 qemu-kvm PATCH 1/1] Fix heap overflow in ip_reass on big packet input
+Bugzilla: 1734750
+RH-Acked-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Thomas Huth <thuth@redhat.com>
+
+From: Samuel Thibault <samuel.thibault@ens-lyon.org>
+
+When the first fragment does not fit in the preallocated buffer, q will
+already be pointing to the ext buffer, so we mustn't try to update it.
+
+Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
+(cherry picked from libslirp commit 126c04acbabd7ad32c2b018fe10dfac2a3bc1210)
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ slirp/ip_input.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/slirp/ip_input.c b/slirp/ip_input.c
+index 348e1dc..07d8808 100644
+--- a/slirp/ip_input.c
++++ b/slirp/ip_input.c
+@@ -334,6 +334,8 @@ insert:
+     q = fp->frag_link.next;
+ 	m = dtom(slirp, q);
+ 
++	int was_ext = m->m_flags & M_EXT;
++
+ 	q = (struct ipasfrag *) q->ipf_next;
+ 	while (q != (struct ipasfrag*)&fp->frag_link) {
+ 	  struct mbuf *t = dtom(slirp, q);
+@@ -356,7 +358,7 @@ insert:
+ 	 * the old buffer (in the mbuf), so we must point ip
+ 	 * into the new buffer.
+ 	 */
+-	if (m->m_flags & M_EXT) {
++	if (!was_ext && m->m_flags & M_EXT) {
+ 	  int delta = (char *)q - m->m_dat;
+ 	  q = (struct ipasfrag *)(m->m_ext + delta);
+ 	}
+-- 
+1.8.3.1
+
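Review bot: The new condition `!was_ext && m->m_flags & M_EXT` in the second hunk of slirp/ip_input.c relies on `&` binding tighter than `&&`; writing it as `if (!was_ext && (m->m_flags & M_EXT)) {` makes the intent explicit. The comment above it still describes only the relocation case, so I would add a line such as `/* If m was already M_EXT before the loop, q already points into m_ext and must not be rebased from m_dat. */`, since that is the condition keeping `q` inside the buffer. `was_ext` holds a flag test, so `bool` would read better than `int` if the file's style allows it. The enclosing function starts and ends outside both hunks.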
diff --git a/SOURCES/kvm-Introduce-new-no_guest_reset-parameter-for-usb-host-.patch b/SOURCES/kvm-Introduce-new-no_guest_reset-parameter-for-usb-host-.patch
new file mode 100644
index 0000000..68e8ff2
--- /dev/null
+++ b/SOURCES/kvm-Introduce-new-no_guest_reset-parameter-for-usb-host-.patch
@@ -0,0 +1,140 @@
+From b52bdeda7653879d007bbd2ee776ec5201d0c786 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Tue, 4 Jun 2019 05:12:43 +0100
+Subject: [PATCH 1/5] Introduce new "no_guest_reset" parameter for usb-host
+ device
+
+RH-Author: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: <20190604051246.11374-2-kraxel@redhat.com>
+Patchwork-id: 88470
+O-Subject: [RHEL-8.1.0 qemu-kvm PATCH 1/4] Introduce new "no_guest_reset" parameter for usb-host device
+Bugzilla: 1719228
+RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+RH-Acked-by: Max Reitz <mreitz@redhat.com>
+RH-Acked-by: Danilo de Paula <ddepaula@redhat.com>
+
+From: Alexander Kappner <agk@godking.net>
+
+With certain USB devices passed through via usb-host, a guest attempting to
+reset a usb-host device can trigger a reset loop that renders the USB device
+unusable. In my use case, the device was an iPhone XR that was passed through to
+a Mac OS X Mojave guest. Upon connecting the device, the following happens:
+
+1) Guest recognizes new device, sends reset to emulated USB host
+2) QEMU's USB host sends reset to host kernel
+3) Host kernel resets device
+4) After reset, host kernel determines that some part of the device descriptor
+has changed ("device firmware changed" in dmesg), so host kernel decides to
+re-enumerate the device.
+5) Re-enumeration causes QEMU to disconnect and reconnect the device in the
+guest.
+6) goto 1)
+
+Here's from the host kernel (note the "device firmware changed" lines")
+
+[3677704.473050] usb 1-1.3: new high-speed USB device number 53 using ehci-pci
+[3677704.555594] usb 1-1.3: New USB device found, idVendor=05ac, idProduct=12a8, bcdDevice=11.08
+[3677704.555599] usb 1-1.3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
+[3677704.555602] usb 1-1.3: Product: iPhone
+[3677704.555605] usb 1-1.3: Manufacturer: Apple Inc.
+[3677704.555607] usb 1-1.3: SerialNumber: [[removed]]
+[3677709.401040] usb 1-1.3: reset high-speed USB device number 53 using ehci-pci
+[3677709.479486] usb 1-1.3: device firmware changed
+[3677709.479842] usb 1-1.3: USB disconnect, device number 53
+[3677709.546039] usb 1-1.3: new high-speed USB device number 54 using ehci-pci
+[3677709.627471] usb 1-1.3: New USB device found, idVendor=05ac, idProduct=12a8, bcdDevice=11.08
+[3677709.627476] usb 1-1.3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
+[3677709.627479] usb 1-1.3: Product: iPhone
+[3677709.627481] usb 1-1.3: Manufacturer: Apple Inc.
+[3677709.627483] usb 1-1.3: SerialNumber: [[removed]]
+[3677762.320044] usb 1-1.3: reset high-speed USB device number 54 using ehci-pci
+[3677762.615630] usb 1-1.3: USB disconnect, device number 54
+[3677762.787043] usb 1-1.3: new high-speed USB device number 55 using ehci-pci
+[3677762.869016] usb 1-1.3: New USB device found, idVendor=05ac, idProduct=12a8, bcdDevice=11.08
+[3677762.869024] usb 1-1.3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
+[3677762.869028] usb 1-1.3: Product: iPhone
+[3677762.869032] usb 1-1.3: Manufacturer: Apple Inc.
+[3677762.869035] usb 1-1.3: SerialNumber: [[removed]]
+[3677815.662036] usb 1-1.3: reset high-speed USB device number 55 using ehci-pci
+
+Here's from QEMU:
+
+libusb: error [_get_usbfs_fd] libusb couldn't open USB device /dev/bus/usb/005/022: No such file or directory
+libusb: error [udev_hotplug_event] ignoring udev action bind
+libusb: error [udev_hotplug_event] ignoring udev action bind
+libusb: error [_open_sysfs_attr] open /sys/bus/usb/devices/5-1/bConfigurationValue failed ret=-1 errno=2
+libusb: error [_get_usbfs_fd] File doesn't exist, wait 10 ms and try again
+
+libusb: error [_get_usbfs_fd] libusb couldn't open USB device /dev/bus/usb/005/024: No such file or directory
+libusb: error [udev_hotplug_event] ignoring udev action bind
+libusb: error [udev_hotplug_event] ignoring udev action bind
+libusb: error [_open_sysfs_attr] open /sys/bus/usb/devices/5-1/bConfigurationValue failed ret=-1 errno=2
+libusb: error [_get_usbfs_fd] File doesn't exist, wait 10 ms and try again
+
+libusb: error [_get_usbfs_fd] libusb couldn't open USB device /dev/bus/usb/005/026: No such file or directory
+
+The result of this is that the device remains permanently unusable in the guest.
+The same problem has been previously reported for an iPad:
+https://stackoverflow.com/questions/52617634/how-do-i-get-qemu-usb-passthrough-to-work-for-ipad-iphone
+
+This problem can be elegantly solved by interrupting step 2) above. Instead of
+passing through the reset, QEMU simply ignores it. To allow this to be
+configured on a per-device level,  a new parameter "no_guest_reset" is
+introduced for the usb-host device. I can confirm that the configuration
+described above (iPhone XS + Mojave guest) works flawlessly with
+no_guest_reset=True specified.
+
+Working command line for my scenario:
+device_add usb-host,vendorid=0x05ac,productid=0x12a8,no_guest_reset=True,id=iphone
+
+Best regards
+Alexander
+
+Signed-off-by: Alexander Kappner <agk@godking.net>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: 20190128140027.9448-1-kraxel@redhat.com
+
+[ kraxel: rename parameter to "guest-reset" ]
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit ba4c735b4fc74e309ce4b2551d258e442ef513a5)
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ hw/usb/host-libusb.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/hw/usb/host-libusb.c b/hw/usb/host-libusb.c
+index f31e9cb..d82a10a 100644
+--- a/hw/usb/host-libusb.c
++++ b/hw/usb/host-libusb.c
+@@ -82,7 +82,7 @@ struct USBHostDevice {
+     uint32_t                         options;
+     uint32_t                         loglevel;
+     bool                             needs_autoscan;
+-
++    bool                             allow_guest_reset;
+     /* state */
+     QTAILQ_ENTRY(USBHostDevice)      next;
+     int                              seen, errcount;
+@@ -1451,6 +1451,10 @@ static void usb_host_handle_reset(USBDevice *udev)
+     USBHostDevice *s = USB_HOST_DEVICE(udev);
+     int rc;
+ 
++    if (!s->allow_guest_reset) {
++        return;
++    }
++
+     trace_usb_host_reset(s->bus_num, s->addr);
+ 
+     rc = libusb_reset_device(s->dh);
+@@ -1568,6 +1572,7 @@ static Property usb_host_dev_properties[] = {
+     DEFINE_PROP_UINT32("productid", USBHostDevice, match.product_id, 0),
+     DEFINE_PROP_UINT32("isobufs",  USBHostDevice, iso_urb_count,    4),
+     DEFINE_PROP_UINT32("isobsize", USBHostDevice, iso_urb_frames,   32),
++    DEFINE_PROP_BOOL("guest-reset", USBHostDevice, allow_guest_reset, true),
+     DEFINE_PROP_UINT32("loglevel",  USBHostDevice, loglevel,
+                        LIBUSB_LOG_LEVEL_WARNING),
+     DEFINE_PROP_BIT("pipeline",    USBHostDevice, options,
+-- 
+1.8.3.1
+
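Review bot: The early `return` added to usb_host_handle_reset() sits before `trace_usb_host_reset(s->bus_num, s->addr);`, so with guest-reset disabled a guest's reset request leaves no trace, and a suppressed reset cannot be told apart from one that never arrived. A comment on the guard, for example `/* guest-reset=off: ignore the guest's reset request; the host device keeps its current state */`, would document that the device is deliberately not reset, and emitting a trace event before returning would keep the request observable. The commit message still gives the option as `no_guest_reset=True`, while the property defined in usb_host_dev_properties is `guest-reset` with default true, so the documented command line does not match the code. The function body continues outside the hunk.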
diff --git a/SOURCES/kvm-Use-KVM_GET_MSR_INDEX_LIST-for-MSR_IA32_ARCH_CAP.patch b/SOURCES/kvm-Use-KVM_GET_MSR_INDEX_LIST-for-MSR_IA32_ARCH_CAP.patch
new file mode 100644
index 0000000..12ea887
--- /dev/null
+++ b/SOURCES/kvm-Use-KVM_GET_MSR_INDEX_LIST-for-MSR_IA32_ARCH_CAP.patch
@@ -0,0 +1,76 @@
+From ff712825c31188b19ece7b9388630f6456bb10db Mon Sep 17 00:00:00 2001
+From: "plai@redhat.com" <plai@redhat.com>
+Date: Tue, 20 Aug 2019 00:24:37 +0100
+Subject: [PATCH 6/9] kvm: Use KVM_GET_MSR_INDEX_LIST for
+ MSR_IA32_ARCH_CAPABILITIES support
+
+RH-Author: plai@redhat.com
+Message-id: <1566260680-20995-7-git-send-email-plai@redhat.com>
+Patchwork-id: 90065
+O-Subject: [RHEL8.0 qemu-kvm PATCH v3 6/9] kvm: Use KVM_GET_MSR_INDEX_LIST for MSR_IA32_ARCH_CAPABILITIES support
+Bugzilla: 1718235
+RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>
+RH-Acked-by: John Snow <jsnow@redhat.com>
+RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
+
+From: Bandan Das <bsd@redhat.com>
+
+When writing to guest's MSR_IA32_ARCH_CAPABILITIES, check whether it's
+supported in the guest using the KVM_GET_MSR_INDEX_LIST ioctl.
+
+Fixes: d86f963694df27f11b3681ffd225c9362de1b634
+Suggested-by: Eduardo Habkost <ehabkost@redhat.com>
+Tested-by: balducci@units.it
+Signed-off-by: Bandan Das <bsd@redhat.com>
+Message-Id: <jpg4lc4iiav.fsf_-_@linux.bootlegged.copy>
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+(cherry picked from commit aec5e9c3a94cf8b7920f59bef69a6f426092c4a0)
+Signed-off-by: Paul Lai <plai@redhat.com>
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ target/i386/kvm.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+diff --git a/target/i386/kvm.c b/target/i386/kvm.c
+index d2cb91e..6f661b2 100644
+--- a/target/i386/kvm.c
++++ b/target/i386/kvm.c
+@@ -94,6 +94,7 @@ static bool has_msr_xss;
+ static bool has_msr_spec_ctrl;
+ static bool has_msr_virt_ssbd;
+ static bool has_msr_smi_count;
++static bool has_msr_arch_capabs;
+ 
+ static uint32_t has_architectural_pmu_version;
+ static uint32_t num_architectural_pmu_gp_counters;
+@@ -1330,6 +1331,9 @@ static int kvm_get_supported_msrs(KVMState *s)
+                 case MSR_VIRT_SSBD:
+                     has_msr_virt_ssbd = true;
+                     break;
++                case MSR_IA32_ARCH_CAPABILITIES:
++                    has_msr_arch_capabs = true;
++                    break;
+                 }
+             }
+         }
+@@ -1834,14 +1838,9 @@ static int kvm_put_msrs(X86CPU *cpu, int level)
+ #endif
+ 
+     /* If host supports feature MSR, write down. */
+-    if (kvm_feature_msrs) {
+-        int i;
+-        for (i = 0; i < kvm_feature_msrs->nmsrs; i++)
+-            if (kvm_feature_msrs->indices[i] == MSR_IA32_ARCH_CAPABILITIES) {
+-                kvm_msr_entry_add(cpu, MSR_IA32_ARCH_CAPABILITIES,
+-                              env->features[FEAT_ARCH_CAPABILITIES]);
+-                break;
+-            }
++    if (has_msr_arch_capabs) {
++        kvm_msr_entry_add(cpu, MSR_IA32_ARCH_CAPABILITIES,
++                          env->features[FEAT_ARCH_CAPABILITIES]);
+     }
+ 
+     /*
+-- 
+1.8.3.1
+
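Review bot: The comment `/* If host supports feature MSR, write down. */` kept above the new `if (has_msr_arch_capabs)` in kvm_put_msrs() no longer describes the check. The check now depends on MSR_IA32_ARCH_CAPABILITIES having been seen in kvm_get_supported_msrs() rather than on the feature MSR list. I would reword it to `/* Write ARCH_CAPABILITIES only if KVM_GET_MSR_INDEX_LIST reported the MSR. */`. kvm_put_msrs() starts and ends outside the hunk.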
diff --git a/SOURCES/kvm-i386-Add-CPUID-bit-and-feature-words-for-IA32_ARCH_C.patch b/SOURCES/kvm-i386-Add-CPUID-bit-and-feature-words-for-IA32_ARCH_C.patch
new file mode 100644
index 0000000..c1ea31a
--- /dev/null
+++ b/SOURCES/kvm-i386-Add-CPUID-bit-and-feature-words-for-IA32_ARCH_C.patch
@@ -0,0 +1,72 @@
+From e5f76077a47460bcba0bdfc1d70c7b79f84d18b7 Mon Sep 17 00:00:00 2001
+From: "plai@redhat.com" <plai@redhat.com>
+Date: Tue, 20 Aug 2019 00:24:33 +0100
+Subject: [PATCH 2/9] i386: Add CPUID bit and feature words for
+ IA32_ARCH_CAPABILITIES MSR
+
+RH-Author: plai@redhat.com
+Message-id: <1566260680-20995-3-git-send-email-plai@redhat.com>
+Patchwork-id: 90066
+O-Subject: [RHEL8.0 qemu-kvm PATCH v3 2/9] i386: Add CPUID bit and feature words for IA32_ARCH_CAPABILITIES MSR
+Bugzilla: 1718235
+RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>
+RH-Acked-by: John Snow <jsnow@redhat.com>
+RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
+
+From: Robert Hoo <robert.hu@linux.intel.com>
+
+Support of IA32_PRED_CMD MSR already be enumerated by same CPUID bit as
+SPEC_CTRL.
+
+At present, mark CPUID_7_0_EDX_ARCH_CAPABILITIES unmigratable, per Paolo's
+comment.
+
+Signed-off-by: Robert Hoo <robert.hu@linux.intel.com>
+Message-Id: <1530781798-183214-3-git-send-email-robert.hu@linux.intel.com>
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+(cherry picked from commit 3fc7c73139d2d38ae80c3b0bc963b1ac1555924c)
+Signed-off-by: Paul Lai <plai@redhat.com>
+
+Resolved Conflicts:
+	target/i386/cpu.c
+
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ target/i386/cpu.c | 3 ++-
+ target/i386/cpu.h | 1 +
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/target/i386/cpu.c b/target/i386/cpu.c
+index c979feb..6d38ac0 100644
+--- a/target/i386/cpu.c
++++ b/target/i386/cpu.c
+@@ -1008,12 +1008,13 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
+             NULL, NULL, NULL, NULL,
+             NULL, NULL, NULL, NULL,
+             NULL, NULL, "spec-ctrl", "stibp",
+-            NULL, NULL, NULL, "ssbd",
++            NULL, "arch-capabilities", NULL, "ssbd",
+         },
+         .cpuid_eax = 7,
+         .cpuid_needs_ecx = true, .cpuid_ecx = 0,
+         .cpuid_reg = R_EDX,
+         .tcg_features = TCG_7_0_EDX_FEATURES,
++        .unmigratable_flags = CPUID_7_0_EDX_ARCH_CAPABILITIES,
+     },
+     [FEAT_8000_0007_EDX] = {
+         .feat_names = {
+diff --git a/target/i386/cpu.h b/target/i386/cpu.h
+index 1dc565c..e5e5169 100644
+--- a/target/i386/cpu.h
++++ b/target/i386/cpu.h
+@@ -687,6 +687,7 @@ typedef uint32_t FeatureWordArray[FEATURE_WORDS];
+ #define CPUID_7_0_EDX_AVX512_4VNNIW (1U << 2) /* AVX512 Neural Network Instructions */
+ #define CPUID_7_0_EDX_AVX512_4FMAPS (1U << 3) /* AVX512 Multiply Accumulation Single Precision */
+ #define CPUID_7_0_EDX_SPEC_CTRL     (1U << 26) /* Speculation Control */
++#define CPUID_7_0_EDX_ARCH_CAPABILITIES (1U << 29)  /*Arch Capabilities*/
+ #define CPUID_7_0_EDX_SPEC_CTRL_SSBD  (1U << 31) /* Speculative Store Bypass Disable */
+ 
+ #define KVM_HINTS_DEDICATED (1U << 0)
+-- 
+1.8.3.1
+
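Review bot: The new `.unmigratable_flags = CPUID_7_0_EDX_ARCH_CAPABILITIES,` entry in feature_word_info has no explanation in the code; the only rationale is the commit message's "per Paolo's comment". A short comment beside it saying why the bit must not be migrated would help, as the reason cannot be recovered from the hunk. In target/i386/cpu.h the added define uses `/*Arch Capabilities*/`, whereas the neighbouring lines use spaced comments; `/* Arch Capabilities */` matches them.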
diff --git a/SOURCES/kvm-i386-Add-new-MSR-indices-for-IA32_PRED_CMD-and-IA32_.patch b/SOURCES/kvm-i386-Add-new-MSR-indices-for-IA32_PRED_CMD-and-IA32_.patch
new file mode 100644
index 0000000..c342a58
--- /dev/null
+++ b/SOURCES/kvm-i386-Add-new-MSR-indices-for-IA32_PRED_CMD-and-IA32_.patch
@@ -0,0 +1,50 @@
+From 98e94db3fe3a94ff3b827523ec6cf2a482c8e593 Mon Sep 17 00:00:00 2001
+From: "plai@redhat.com" <plai@redhat.com>
+Date: Tue, 20 Aug 2019 00:24:32 +0100
+Subject: [PATCH 1/9] i386: Add new MSR indices for IA32_PRED_CMD and
+ IA32_ARCH_CAPABILITIES
+
+RH-Author: plai@redhat.com
+Message-id: <1566260680-20995-2-git-send-email-plai@redhat.com>
+Patchwork-id: 90063
+O-Subject: [RHEL8.0 qemu-kvm PATCH v3 1/9] i386: Add new MSR indices for IA32_PRED_CMD and IA32_ARCH_CAPABILITIES
+Bugzilla: 1718235
+RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>
+RH-Acked-by: John Snow <jsnow@redhat.com>
+RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
+
+From: Robert Hoo <robert.hu@linux.intel.com>
+
+IA32_PRED_CMD MSR gives software a way to issue commands that affect the state
+of indirect branch predictors. Enumerated by CPUID.(EAX=7H,ECX=0):EDX[26].
+IA32_ARCH_CAPABILITIES MSR enumerates architectural features of RDCL_NO and
+IBRS_ALL. Enumerated by CPUID.(EAX=07H, ECX=0):EDX[29].
+
+https://software.intel.com/sites/default/files/managed/c5/63/336996-Speculative-Execution-Side-Channel-Mitigations.pdf
+
+Signed-off-by: Robert Hoo <robert.hu@linux.intel.com>
+Message-Id: <1530781798-183214-2-git-send-email-robert.hu@linux.intel.com>
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+(cherry picked from commit 8c80c99fcceabd0708a5a83f08577e778c9419f5)
+Signed-off-by: Paul Lai <plai@redhat.com>
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ target/i386/cpu.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/target/i386/cpu.h b/target/i386/cpu.h
+index fb6caf4..1dc565c 100644
+--- a/target/i386/cpu.h
++++ b/target/i386/cpu.h
+@@ -352,6 +352,8 @@ typedef enum X86Seg {
+ #define MSR_TSC_ADJUST                  0x0000003b
+ #define MSR_IA32_SPEC_CTRL              0x48
+ #define MSR_VIRT_SSBD                   0xc001011f
++#define MSR_IA32_PRED_CMD               0x49
++#define MSR_IA32_ARCH_CAPABILITIES      0x10a
+ #define MSR_IA32_TSCDEADLINE            0x6e0
+ 
+ #define FEATURE_CONTROL_LOCKED                    (1<<0)
+-- 
+1.8.3.1
+
diff --git a/SOURCES/kvm-i386-Make-arch_capabilities-migratable.patch b/SOURCES/kvm-i386-Make-arch_capabilities-migratable.patch
new file mode 100644
index 0000000..755941f
--- /dev/null
+++ b/SOURCES/kvm-i386-Make-arch_capabilities-migratable.patch
@@ -0,0 +1,45 @@
+From c521a837f3490e8f61d129ab1940f8fd76a87b8a Mon Sep 17 00:00:00 2001
+From: "plai@redhat.com" <plai@redhat.com>
+Date: Tue, 20 Aug 2019 00:24:39 +0100
+Subject: [PATCH 8/9] i386: Make arch_capabilities migratable
+
+RH-Author: plai@redhat.com
+Message-id: <1566260680-20995-9-git-send-email-plai@redhat.com>
+Patchwork-id: 90067
+O-Subject: [RHEL8.0 qemu-kvm PATCH v3 8/9] i386: Make arch_capabilities migratable
+Bugzilla: 1718235
+RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>
+RH-Acked-by: John Snow <jsnow@redhat.com>
+RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
+
+From: Eduardo Habkost <ehabkost@redhat.com>
+
+Now that kvm_arch_get_supported_cpuid() will only return
+arch_capabilities if QEMU is able to initialize the MSR properly,
+we know that the feature is safely migratable.
+
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+Message-Id: <20190125220606.4864-3-ehabkost@redhat.com>
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+(cherry picked from commit 014018e19b3c54dd1bf5072bc912ceffea40abe8)
+Signed-off-by: Paul Lai <plai@redhat.com>
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ target/i386/cpu.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/target/i386/cpu.c b/target/i386/cpu.c
+index fbcf124..365c92c 100644
+--- a/target/i386/cpu.c
++++ b/target/i386/cpu.c
+@@ -1053,7 +1053,6 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
+             .reg = R_EDX,
+         },
+         .tcg_features = TCG_7_0_EDX_FEATURES,
+-        .unmigratable_flags = CPUID_7_0_EDX_ARCH_CAPABILITIES,
+     },
+     [FEAT_8000_0007_EDX] = {
+         .type = CPUID_FEATURE_WORD,
+-- 
+1.8.3.1
+
diff --git a/SOURCES/kvm-i386-kvm-Disable-arch_capabilities-if-MSR-can-t-be-s.patch b/SOURCES/kvm-i386-kvm-Disable-arch_capabilities-if-MSR-can-t-be-s.patch
new file mode 100644
index 0000000..1273172
--- /dev/null
+++ b/SOURCES/kvm-i386-kvm-Disable-arch_capabilities-if-MSR-can-t-be-s.patch
@@ -0,0 +1,70 @@
+From 2a73dad9463a9969e14f2496bad362547c5976eb Mon Sep 17 00:00:00 2001
+From: "plai@redhat.com" <plai@redhat.com>
+Date: Tue, 20 Aug 2019 00:24:38 +0100
+Subject: [PATCH 7/9] i386: kvm: Disable arch_capabilities if MSR can't be set
+
+RH-Author: plai@redhat.com
+Message-id: <1566260680-20995-8-git-send-email-plai@redhat.com>
+Patchwork-id: 90068
+O-Subject: [RHEL8.0 qemu-kvm PATCH v3 7/9] i386: kvm: Disable arch_capabilities if MSR can't be set
+Bugzilla: 1718235
+RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>
+RH-Acked-by: John Snow <jsnow@redhat.com>
+RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
+
+From: Eduardo Habkost <ehabkost@redhat.com>
+
+KVM has two bugs in the handling of MSR_IA32_ARCH_CAPABILITIES:
+
+1) Linux commit commit 1eaafe91a0df ("kvm: x86: IA32_ARCH_CAPABILITIES
+   is always supported") makes GET_SUPPORTED_CPUID return
+   arch_capabilities even if running on SVM.  This makes "-cpu
+   host,migratable=off" incorrectly expose arch_capabilities on CPUID on
+   AMD hosts (where the MSR is not emulated by KVM).
+
+2) KVM_GET_MSR_INDEX_LIST does not return MSR_IA32_ARCH_CAPABILITIES if
+   the MSR is not supported by the host CPU.  This makes QEMU not
+   initialize the MSR properly at kvm_put_msrs() on those hosts.
+
+Work around both bugs on the QEMU side, by checking if the MSR
+was returned by KVM_GET_MSR_INDEX_LIST before returning the
+feature flag on kvm_arch_get_supported_cpuid().
+
+This has the unfortunate side effect of making arch_capabilities
+unavailable on hosts without hardware support for the MSR until bug #2
+is fixed on KVM, but I can't see another way to work around bug #1
+without that side effect.
+
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+Message-Id: <20190125220606.4864-2-ehabkost@redhat.com>
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+(cherry picked from commit 485b1d256bcb0874bcde0223727c159b6837e6f8)
+Signed-off-by: Paul Lai <plai@redhat.com>
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ target/i386/kvm.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/target/i386/kvm.c b/target/i386/kvm.c
+index 6f661b2..e783427 100644
+--- a/target/i386/kvm.c
++++ b/target/i386/kvm.c
+@@ -374,6 +374,15 @@ uint32_t kvm_arch_get_supported_cpuid(KVMState *s, uint32_t function,
+         if (host_tsx_blacklisted()) {
+             ret &= ~(CPUID_7_0_EBX_RTM | CPUID_7_0_EBX_HLE);
+         }
++    } else if (function == 7 && index == 0 && reg == R_EDX) {
++        /*
++         * Linux v4.17-v4.20 incorrectly return ARCH_CAPABILITIES on SVM hosts.
++         * We can detect the bug by checking if MSR_IA32_ARCH_CAPABILITIES is
++         * returned by KVM_GET_MSR_INDEX_LIST.
++         */
++        if (!has_msr_arch_capabs) {
++            ret &= ~CPUID_7_0_EDX_ARCH_CAPABILITIES;
++        }
+     } else if (function == 0x80000001 && reg == R_ECX) {
+         /*
+          * It's safe to enable TOPOEXT even if it's not returned by
+-- 
+1.8.3.1
+
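Review bot: The new branch in kvm_arch_get_supported_cpuid() reads `has_msr_arch_capabs`, which is only set inside kvm_get_supported_msrs(), so a call made before that function has run would clear CPUID_7_0_EDX_ARCH_CAPABILITIES even on a host that supports the MSR. Whether such an early caller exists is not visible here; a comment line such as `* Relies on kvm_get_supported_msrs() having populated has_msr_arch_capabs.` would record the ordering dependency. The comment names Linux v4.17-v4.20, but the mask is applied on every kernel. Per the commit message this also hides the feature on hosts where KVM_GET_MSR_INDEX_LIST omits the MSR, and the comment should say so. The function starts and ends outside the hunk.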
diff --git a/SOURCES/kvm-scsi-disk-Acquire-the-AioContext-in-scsi_-_realize.patch b/SOURCES/kvm-scsi-disk-Acquire-the-AioContext-in-scsi_-_realize.patch
new file mode 100644
index 0000000..fc0576a
--- /dev/null
+++ b/SOURCES/kvm-scsi-disk-Acquire-the-AioContext-in-scsi_-_realize.patch
@@ -0,0 +1,191 @@
+From e0999eaacc6e74f5e56f51fcf3b3d7aeca7d3b04 Mon Sep 17 00:00:00 2001
+From: Markus Armbruster <armbru@redhat.com>
+Date: Thu, 6 Jun 2019 19:15:23 +0100
+Subject: [PATCH 6/7] scsi-disk: Acquire the AioContext in scsi_*_realize()
+
+RH-Author: Markus Armbruster <armbru@redhat.com>
+Message-id: <20190606191524.30797-3-armbru@redhat.com>
+Patchwork-id: 88605
+O-Subject: [RHEL-8.1.0 qemu-kvm PATCH 2/3] scsi-disk: Acquire the AioContext in scsi_*_realize()
+Bugzilla: 1718992
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
+
+From: Alberto Garcia <berto@igalia.com>
+
+This fixes a crash when attaching two disks with the same blockdev to
+a SCSI device that is using iothreads. Test case included.
+
+Signed-off-by: Alberto Garcia <berto@igalia.com>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+(cherry picked from commit 3ff35ba391134e4e43ab96152deb38a62e62f858)
+[Trivial conflict in hw/scsi/scsi-disk.c due to lack of commit
+51f43d5792e resolved]
+Signed-off-by: Markus Armbruster <armbru@redhat.com>
+
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ hw/scsi/scsi-disk.c        | 23 ++++++++++++++++++++---
+ tests/qemu-iotests/240     | 18 ++++++++++++++++++
+ tests/qemu-iotests/240.out | 16 ++++++++++++++++
+ 3 files changed, 54 insertions(+), 3 deletions(-)
+
+diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c
+index a20ef91..08da23d 100644
+--- a/hw/scsi/scsi-disk.c
++++ b/hw/scsi/scsi-disk.c
+@@ -2378,10 +2378,13 @@ static void scsi_realize(SCSIDevice *dev, Error **errp)
+ static void scsi_hd_realize(SCSIDevice *dev, Error **errp)
+ {
+     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, dev);
++    AioContext *ctx = NULL;
+     /* can happen for devices without drive. The error message for missing
+      * backend will be issued in scsi_realize
+      */
+     if (s->qdev.conf.blk) {
++        ctx = blk_get_aio_context(s->qdev.conf.blk);
++        aio_context_acquire(ctx);
+         blkconf_blocksizes(&s->qdev.conf);
+     }
+     s->qdev.blocksize = s->qdev.conf.logical_block_size;
+@@ -2390,11 +2393,15 @@ static void scsi_hd_realize(SCSIDevice *dev, Error **errp)
+         s->product = g_strdup("QEMU HARDDISK");
+     }
+     scsi_realize(&s->qdev, errp);
++    if (ctx) {
++        aio_context_release(ctx);
++    }
+ }
+ 
+ static void scsi_cd_realize(SCSIDevice *dev, Error **errp)
+ {
+     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, dev);
++    AioContext *ctx;
+     int ret;
+ 
+     if (!dev->conf.blk) {
+@@ -2405,6 +2412,8 @@ static void scsi_cd_realize(SCSIDevice *dev, Error **errp)
+         assert(ret == 0);
+     }
+ 
++    ctx = blk_get_aio_context(dev->conf.blk);
++    aio_context_acquire(ctx);
+     s->qdev.blocksize = 2048;
+     s->qdev.type = TYPE_ROM;
+     s->features |= 1 << SCSI_DISK_F_REMOVABLE;
+@@ -2412,6 +2421,7 @@ static void scsi_cd_realize(SCSIDevice *dev, Error **errp)
+         s->product = g_strdup("QEMU CD-ROM");
+     }
+     scsi_realize(&s->qdev, errp);
++    aio_context_release(ctx);
+ }
+ 
+ static void scsi_disk_realize(SCSIDevice *dev, Error **errp)
+@@ -2550,6 +2560,7 @@ static int get_device_type(SCSIDiskState *s)
+ static void scsi_block_realize(SCSIDevice *dev, Error **errp)
+ {
+     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, dev);
++    AioContext *ctx;
+     int sg_version;
+     int rc;
+ 
+@@ -2558,6 +2569,9 @@ static void scsi_block_realize(SCSIDevice *dev, Error **errp)
+         return;
+     }
+ 
++    ctx = blk_get_aio_context(s->qdev.conf.blk);
++    aio_context_acquire(ctx);
++
+     /* check we are using a driver managing SG_IO (version 3 and after) */
+     rc = blk_ioctl(s->qdev.conf.blk, SG_GET_VERSION_NUM, &sg_version);
+     if (rc < 0) {
+@@ -2565,18 +2579,18 @@ static void scsi_block_realize(SCSIDevice *dev, Error **errp)
+         if (rc != -EPERM) {
+             error_append_hint(errp, "Is this a SCSI device?\n");
+         }
+-        return;
++        goto out;
+     }
+     if (sg_version < 30000) {
+         error_setg(errp, "scsi generic interface too old");
+-        return;
++        goto out;
+     }
+ 
+     /* get device type from INQUIRY data */
+     rc = get_device_type(s);
+     if (rc < 0) {
+         error_setg(errp, "INQUIRY failed");
+-        return;
++        goto out;
+     }
+ 
+     /* Make a guess for the block size, we'll fix it when the guest sends.
+@@ -2596,6 +2610,9 @@ static void scsi_block_realize(SCSIDevice *dev, Error **errp)
+ 
+     scsi_realize(&s->qdev, errp);
+     scsi_generic_read_device_inquiry(&s->qdev);
++
++out:
++    aio_context_release(ctx);
+ }
+ 
+ typedef struct SCSIBlockReq {
+diff --git a/tests/qemu-iotests/240 b/tests/qemu-iotests/240
+index ead7ee0..5d499c9 100755
+--- a/tests/qemu-iotests/240
++++ b/tests/qemu-iotests/240
+@@ -83,6 +83,24 @@ run_qemu <<EOF
+ { "execute": "quit"}
+ EOF
+ 
++echo
++echo === Attach two SCSI disks using the same block device and the same iothread ===
++echo
++
++run_qemu <<EOF
++{ "execute": "qmp_capabilities" }
++{ "execute": "blockdev-add", "arguments": {"driver": "null-co", "node-name": "hd0", "read-only": true}}
++{ "execute": "object-add", "arguments": {"qom-type": "iothread", "id": "iothread0"}}
++{ "execute": "device_add", "arguments": {"id": "scsi0", "driver": "${virtio_scsi}", "iothread": "iothread0"}}
++{ "execute": "device_add", "arguments": {"id": "scsi-hd0", "driver": "scsi-hd", "drive": "hd0"}}
++{ "execute": "device_add", "arguments": {"id": "scsi-hd1", "driver": "scsi-hd", "drive": "hd0"}}
++{ "execute": "device_del", "arguments": {"id": "scsi-hd0"}}
++{ "execute": "device_del", "arguments": {"id": "scsi-hd1"}}
++{ "execute": "device_del", "arguments": {"id": "scsi0"}}
++{ "execute": "blockdev-del", "arguments": {"node-name": "hd0"}}
++{ "execute": "quit"}
++EOF
++
+ # success, all done
+ echo "*** done"
+ rm -f $seq.full
+diff --git a/tests/qemu-iotests/240.out b/tests/qemu-iotests/240.out
+index 432d981..701cb5c 100644
+--- a/tests/qemu-iotests/240.out
++++ b/tests/qemu-iotests/240.out
+@@ -15,4 +15,20 @@ QMP_VERSION
+ {"return": {}}
+ {"return": {}}
+ {"return": {}}
++
++=== Attach two SCSI disks using the same block device and the same iothread ===
++
++Testing:
++QMP_VERSION
++{"return": {}}
++{"return": {}}
++{"return": {}}
++{"return": {}}
++{"return": {}}
++{"return": {}}
++{"return": {}}
++{"return": {}}
++{"return": {}}
++{"return": {}}
++{"return": {}}
+ *** done
+-- 
+1.8.3.1
+
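Review bot: In hw/scsi/scsi-disk.c, `scsi_block_realize()` now releases the AioContext only at the `out:` label, so any exit after `aio_context_acquire(ctx)` that does not jump there leaves the context held. The three `return`s visible in the hunks were converted, but the body between the last two hunks is not shown and should be checked for a remaining plain `return`. None of the three realize functions says why the context is taken; a comment at each acquire such as `/* the backend may already run in an iothread: hold its AioContext while realize accesses it */` would record the reason given in the commit message.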
diff --git a/SOURCES/kvm-slirp-check-sscanf-result-when-emulating-ident.patch b/SOURCES/kvm-slirp-check-sscanf-result-when-emulating-ident.patch
new file mode 100644
index 0000000..8ef4361
--- /dev/null
+++ b/SOURCES/kvm-slirp-check-sscanf-result-when-emulating-ident.patch
@@ -0,0 +1,62 @@
+From dff4ed62fe8723574ac36029574364ddf85b7fe6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Mon, 8 Jul 2019 15:50:28 +0100
+Subject: [PATCH 1/7] slirp: check sscanf result when emulating ident
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: <20190708155031.7778-2-philmd@redhat.com>
+Patchwork-id: 89431
+O-Subject: [RHEL-8.0.0 qemu-kvm PATCH 1/4] slirp: check sscanf result when emulating ident
+Bugzilla: 1732324
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
+
+From: William Bowling <will@wbowling.info>
+
+When emulating ident in tcp_emu, if the strchr checks passed but the
+sscanf check failed, two uninitialized variables would be copied and
+sent in the reply, so move this code inside the if(sscanf()) clause.
+
+Signed-off-by: William Bowling <will@wbowling.info>
+Cc: qemu-stable@nongnu.org
+Cc: secalert@redhat.com
+Message-Id: <1551476756-25749-1-git-send-email-will@wbowling.info>
+Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+(cherry picked from commit d3222975c7d6cda9e25809dea05241188457b113)
+Fixes: CVE-2019-9824
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ slirp/tcp_subr.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c
+index 1c7eb28..af1b3eb 100644
+--- a/slirp/tcp_subr.c
++++ b/slirp/tcp_subr.c
+@@ -665,12 +665,12 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ 							break;
+ 						}
+ 					}
++					so_rcv->sb_cc = snprintf(so_rcv->sb_data,
++								 so_rcv->sb_datalen,
++								 "%d,%d\r\n", n1, n2);
++					so_rcv->sb_rptr = so_rcv->sb_data;
++					so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc;
+ 				}
+-                                so_rcv->sb_cc = snprintf(so_rcv->sb_data,
+-                                                         so_rcv->sb_datalen,
+-                                                         "%d,%d\r\n", n1, n2);
+-				so_rcv->sb_rptr = so_rcv->sb_data;
+-				so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc;
+ 			}
+ 			m_free(m);
+ 			return 0;
+-- 
+1.8.3.1
+
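Review bot: In slirp/tcp_subr.c the reply is now built only inside the `sscanf(...) == 2` branch, but nothing at that spot says n1 and n2 are valid only there. A comment above the moved `snprintf()` such as `/* n1/n2 are set only when sscanf() matched both ports; never format them outside this branch */` would keep a later refactor from reintroducing the disclosure described in the commit message. As defence in depth, n1 and n2 could also be zero-initialised at their declaration, which lies outside this hunk. The `snprintf()` return value is stored in `sb_cc` and used to advance `sb_wptr` without being compared with `sb_datalen`; the reply is short, so this is presumably harmless, but a check would make the bound explicit.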
diff --git a/SOURCES/kvm-slirp-don-t-manipulate-so_rcv-in-tcp_emu.patch b/SOURCES/kvm-slirp-don-t-manipulate-so_rcv-in-tcp_emu.patch
new file mode 100644
index 0000000..c1dad3c
--- /dev/null
+++ b/SOURCES/kvm-slirp-don-t-manipulate-so_rcv-in-tcp_emu.patch
@@ -0,0 +1,131 @@
+From a89949eb46b41533234c4dea0e5a011bc2e583ea Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Mon, 8 Jul 2019 15:50:31 +0100
+Subject: [PATCH 4/7] slirp: don't manipulate so_rcv in tcp_emu()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: <20190708155031.7778-5-philmd@redhat.com>
+Patchwork-id: 89428
+O-Subject: [RHEL-8.0.0 qemu-kvm PATCH 4/4] slirp: don't manipulate so_rcv in tcp_emu()
+Bugzilla: 1732324
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
+
+From: Marc-André Lureau <marcandre.lureau@redhat.com>
+
+For some reason, EMU_IDENT is not like other "emulated" protocols and
+tries to reconstitute the original buffer, if it came in multiple
+packets. Unfortunately, it does so wrongly, as it doesn't respect the
+sbuf circular buffer appending rules, nor does it maintain some of the
+invariants (rptr is incremented without bounds, etc): this leads to
+further memory corruption revealed by ASAN or various malloc
+errors. Furthermore, the so_rcv buffer is regularly flushed, so there
+is no guarantee that buffer reconstruction will do what is expected.
+
+Instead, do what the function comment says: "XXX Assumes the whole
+command came in one packet", and don't touch so_rcv.
+
+Related to: https://bugzilla.redhat.com/show_bug.cgi?id=1664205
+
+Cc: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+
+(cherry picked from libslirp commit
+9da0da837780f825b5db31db6620492f8b7cd5d6)
+[ MA - backported with style conflicts, and without qemu commit
+a7104eda7dab99d0cdbd3595c211864cba415905 which is unnecessary with
+this patch ]
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ slirp/tcp_subr.c | 62 ++++++++++++++++++++++++--------------------------------
+ 1 file changed, 27 insertions(+), 35 deletions(-)
+
+diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c
+index e245e0d..0152f72 100644
+--- a/slirp/tcp_subr.c
++++ b/slirp/tcp_subr.c
+@@ -636,47 +636,39 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ 			struct socket *tmpso;
+ 			struct sockaddr_in addr;
+ 			socklen_t addrlen = sizeof(struct sockaddr_in);
+-			struct sbuf *so_rcv = &so->so_rcv;
++			char *eol = g_strstr_len(m->m_data, m->m_len, "\r\n");
+ 
+-			if (m->m_len > so_rcv->sb_datalen
+-					- (so_rcv->sb_wptr - so_rcv->sb_data)) {
+-			    return 1;
++			if (!eol) {
++				return 1;
+ 			}
+ 
+-			memcpy(so_rcv->sb_wptr, m->m_data, m->m_len);
+-			so_rcv->sb_wptr += m->m_len;
+-			so_rcv->sb_rptr += m->m_len;
+-			m_inc(m, m->m_len + 1);
+-			m->m_data[m->m_len] = 0; /* NULL terminate */
+-			if (strchr(m->m_data, '\r') || strchr(m->m_data, '\n')) {
+-				if (sscanf(so_rcv->sb_data, "%u%*[ ,]%u", &n1, &n2) == 2) {
+-					HTONS(n1);
+-					HTONS(n2);
+-					/* n2 is the one on our host */
+-					for (tmpso = slirp->tcb.so_next;
+-					     tmpso != &slirp->tcb;
+-					     tmpso = tmpso->so_next) {
+-						if (tmpso->so_laddr.s_addr == so->so_laddr.s_addr &&
+-						    tmpso->so_lport == n2 &&
+-						    tmpso->so_faddr.s_addr == so->so_faddr.s_addr &&
+-						    tmpso->so_fport == n1) {
+-							if (getsockname(tmpso->s,
+-								(struct sockaddr *)&addr, &addrlen) == 0)
+-							   n2 = addr.sin_port;
+-							break;
+-						}
++			*eol = '\0';
++			if (sscanf(m->m_data, "%u%*[ ,]%u", &n1, &n2) == 2) {
++				HTONS(n1);
++				HTONS(n2);
++				/* n2 is the one on our host */
++				for (tmpso = slirp->tcb.so_next; tmpso != &slirp->tcb;
++					 tmpso = tmpso->so_next) {
++					if (tmpso->so_laddr.s_addr == so->so_laddr.s_addr &&
++						tmpso->so_lport == n2 &&
++						tmpso->so_faddr.s_addr == so->so_faddr.s_addr &&
++						tmpso->so_fport == n1) {
++						if (getsockname(tmpso->s, (struct sockaddr *)&addr,
++										&addrlen) == 0)
++							n2 = addr.sin_port;
++						break;
+ 					}
+-					NTOHS(n1);
+-					NTOHS(n2);
+-					so_rcv->sb_cc = snprintf(so_rcv->sb_data,
+-								 so_rcv->sb_datalen,
+-								 "%d,%d\r\n", n1, n2);
+-					so_rcv->sb_rptr = so_rcv->sb_data;
+-					so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc;
+ 				}
++				NTOHS(n1);
++				NTOHS(n2);
++				m_inc(m, snprintf(NULL, 0, "%d,%d\r\n", n1, n2) + 1);
++				m->m_len = snprintf(m->m_data, M_ROOM(m), "%d,%d\r\n", n1, n2);
++				assert(m->m_len < M_ROOM(m));
++			} else {
++				*eol = '\r';
+ 			}
+-			m_free(m);
+-			return 0;
++
++			return 1;
+ 		}
+ 
+         case EMU_FTP: /* ftp */
+-- 
+1.8.3.1
+
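Review bot: In the rewritten ident branch of `tcp_emu()`, the in-place `*eol = '\0'` is what keeps `sscanf()` inside the `m_len` bytes of the mbuf, and nothing in the new code says so. A comment such as `/* terminate at CRLF so sscanf() stops inside m_len; restored in the else branch */` would keep a later edit from dropping it. The reply is formatted with `%d` although n1 and n2 are parsed with `%u`; `%u` would match the type implied by the `sscanf()` call. The closing `assert(m->m_len < M_ROOM(m))` relies on `m_inc()`, defined outside this hunk, having made room for the reply, which is worth confirming in this tree because the path is driven by guest data.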
diff --git a/SOURCES/kvm-slirp-ensure-there-is-enough-space-in-mbuf-to-null-t.patch b/SOURCES/kvm-slirp-ensure-there-is-enough-space-in-mbuf-to-null-t.patch
new file mode 100644
index 0000000..e3a828a
--- /dev/null
+++ b/SOURCES/kvm-slirp-ensure-there-is-enough-space-in-mbuf-to-null-t.patch
@@ -0,0 +1,68 @@
+From 3bcddec301bcc3c251b4aab0446427de5fe35c57 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Mon, 8 Jul 2019 15:50:30 +0100
+Subject: [PATCH 3/7] slirp: ensure there is enough space in mbuf to
+ null-terminate
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: <20190708155031.7778-4-philmd@redhat.com>
+Patchwork-id: 89430
+O-Subject: [RHEL-8.0.0 qemu-kvm PATCH 3/4] slirp: ensure there is enough space in mbuf to null-terminate
+Bugzilla: 1732324
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
+
+From: Marc-André Lureau <marcandre.lureau@redhat.com>
+
+Prevents from buffer overflows.
+Related to: https://bugzilla.redhat.com/show_bug.cgi?id=1664205
+
+Cc: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+
+(cherry picked from libslirp commit
+306fef58b54d793ba4b259728c21322765bda917)
+[ MA - backported with style conflicts fixes ]
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ slirp/tcp_subr.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c
+index 393447d..e245e0d 100644
+--- a/slirp/tcp_subr.c
++++ b/slirp/tcp_subr.c
+@@ -646,6 +646,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ 			memcpy(so_rcv->sb_wptr, m->m_data, m->m_len);
+ 			so_rcv->sb_wptr += m->m_len;
+ 			so_rcv->sb_rptr += m->m_len;
++			m_inc(m, m->m_len + 1);
+ 			m->m_data[m->m_len] = 0; /* NULL terminate */
+ 			if (strchr(m->m_data, '\r') || strchr(m->m_data, '\n')) {
+ 				if (sscanf(so_rcv->sb_data, "%u%*[ ,]%u", &n1, &n2) == 2) {
+@@ -679,6 +680,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ 		}
+ 
+         case EMU_FTP: /* ftp */
++		m_inc(m, m->m_len + 1);
+                 *(m->m_data+m->m_len) = 0; /* NUL terminate for strstr */
+ 		if ((bptr = (char *)strstr(m->m_data, "ORT")) != NULL) {
+ 			/*
+@@ -776,6 +778,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ 		/*
+ 		 * Need to emulate DCC CHAT, DCC SEND and DCC MOVE
+ 		 */
++		m_inc(m, m->m_len + 1);
+ 		*(m->m_data+m->m_len) = 0; /* NULL terminate the string for strstr */
+ 		if ((bptr = (char *)strstr(m->m_data, "DCC")) == NULL)
+ 			 return 1;
+-- 
+1.8.3.1
+
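Review bot: The `m_inc(m, m->m_len + 1)` added in the first hunk (ident handling) protects the terminating write on the next line only if `m_inc()` guarantees room for `m_len + 1` bytes counted from `m->m_data`. Its definition is outside this patch, so confirm that its early-out compares the request with the space left after `m_data` and not with the total buffer size. The same applies to the identical calls added in the EMU_FTP and DCC hunks. A short comment at each call, for example `/* make room for the terminating NUL */`, would tie the call to the write that follows it.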
diff --git a/SOURCES/kvm-slirp-fix-big-little-endian-conversion-in-ident-prot.patch b/SOURCES/kvm-slirp-fix-big-little-endian-conversion-in-ident-prot.patch
new file mode 100644
index 0000000..cf0c398
--- /dev/null
+++ b/SOURCES/kvm-slirp-fix-big-little-endian-conversion-in-ident-prot.patch
@@ -0,0 +1,49 @@
+From 9ab58e678a85d9f7ec27c2a20ff10c17aa77f9e2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Mon, 8 Jul 2019 15:50:29 +0100
+Subject: [PATCH 2/7] slirp: fix big/little endian conversion in ident protocol
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: <20190708155031.7778-3-philmd@redhat.com>
+Patchwork-id: 89427
+O-Subject: [RHEL-8.0.0 qemu-kvm PATCH 2/4] slirp: fix big/little endian conversion in ident protocol
+Bugzilla: 1732324
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
+
+From: Samuel Thibault <samuel.thibault@ens-lyon.org>
+
+Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+(cherry picked from commit 1fd71067dae501f1c78618e9583c6cc72db0cfa6)
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ slirp/tcp_subr.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c
+index af1b3eb..393447d 100644
+--- a/slirp/tcp_subr.c
++++ b/slirp/tcp_subr.c
+@@ -661,10 +661,12 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ 						    tmpso->so_fport == n1) {
+ 							if (getsockname(tmpso->s,
+ 								(struct sockaddr *)&addr, &addrlen) == 0)
+-							   n2 = ntohs(addr.sin_port);
++							   n2 = addr.sin_port;
+ 							break;
+ 						}
+ 					}
++					NTOHS(n1);
++					NTOHS(n2);
+ 					so_rcv->sb_cc = snprintf(so_rcv->sb_data,
+ 								 so_rcv->sb_datalen,
+ 								 "%d,%d\r\n", n1, n2);
+-- 
+1.8.3.1
+
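Review bot: In the ident loop of `tcp_emu()`, n1 and n2 now hold network-order values up to the added `NTOHS()` calls and host-order values afterwards, and no comment marks the switch. Something like `/* back to host order for the textual reply */` above `NTOHS(n1);` would make it explicit. The conversion that puts them in network order is outside the hunk, so this reading is inferred from the comparison with `so_fport` and from `n2 = addr.sin_port`.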
diff --git a/SOURCES/kvm-target-i386-add-MDS-NO-feature.patch b/SOURCES/kvm-target-i386-add-MDS-NO-feature.patch
new file mode 100644
index 0000000..ad49667
--- /dev/null
+++ b/SOURCES/kvm-target-i386-add-MDS-NO-feature.patch
@@ -0,0 +1,50 @@
+From 43f2e3a36586d9e7e12e5638ae19837f726490ff Mon Sep 17 00:00:00 2001
+From: "plai@redhat.com" <plai@redhat.com>
+Date: Tue, 20 Aug 2019 00:24:40 +0100
+Subject: [PATCH 9/9] target/i386: add MDS-NO feature
+
+RH-Author: plai@redhat.com
+Message-id: <1566260680-20995-10-git-send-email-plai@redhat.com>
+Patchwork-id: 90071
+O-Subject: [RHEL8.0 qemu-kvm PATCH v3 9/9] target/i386: add MDS-NO feature
+Bugzilla: 1718235
+RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>
+RH-Acked-by: John Snow <jsnow@redhat.com>
+RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+Microarchitectural Data Sampling is a hardware vulnerability which allows
+unprivileged speculative access to data which is available in various CPU
+internal buffers.
+
+Some Intel processors use the ARCH_CAP_MDS_NO bit in the
+IA32_ARCH_CAPABILITIES
+MSR to report that they are not vulnerable, make it available to guests.
+
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Message-Id: <20190516185320.28340-1-pbonzini@redhat.com>
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+(cherry picked from commit 20140a82c67467f53814ca197403d5e1b561a5e5)
+Signed-off-by: Paul Lai <plai@redhat.com>
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ target/i386/cpu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/target/i386/cpu.c b/target/i386/cpu.c
+index 365c92c..07ec8bc 100644
+--- a/target/i386/cpu.c
++++ b/target/i386/cpu.c
+@@ -1147,7 +1147,7 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
+         .type = MSR_FEATURE_WORD,
+         .feat_names = {
+             "rdctl-no", "ibrs-all", "rsba", "skip-l1dfl-vmentry",
+-            "ssb-no", NULL, NULL, NULL,
++            "ssb-no", "mds-no", NULL, NULL,
+             NULL, NULL, NULL, NULL,
+             NULL, NULL, NULL, NULL,
+             NULL, NULL, NULL, NULL,
+-- 
+1.8.3.1
+
diff --git a/SOURCES/kvm-usb-call-reset-handler-before-updating-state.patch b/SOURCES/kvm-usb-call-reset-handler-before-updating-state.patch
new file mode 100644
index 0000000..9913b7c
--- /dev/null
+++ b/SOURCES/kvm-usb-call-reset-handler-before-updating-state.patch
@@ -0,0 +1,47 @@
+From 4ab6c32432b80103b72b412e0e849cdb087c6e78 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Tue, 4 Jun 2019 05:12:44 +0100
+Subject: [PATCH 2/5] usb: call reset handler before updating state
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: <20190604051246.11374-3-kraxel@redhat.com>
+Patchwork-id: 88471
+O-Subject: [RHEL-8.1.0 qemu-kvm PATCH 2/4] usb: call reset handler before updating state
+Bugzilla: 1719228
+RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+RH-Acked-by: Max Reitz <mreitz@redhat.com>
+
+That way the device reset handler can see what
+the before-reset state of the device is.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: 20190522094702.17619-2-kraxel@redhat.com
+(cherry picked from commit 7ed4657396add28382081a15557c78cd480c1cf1)
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ hw/usb/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/usb/core.c b/hw/usb/core.c
+index 241ae66..07b67fb 100644
+--- a/hw/usb/core.c
++++ b/hw/usb/core.c
+@@ -87,10 +87,10 @@ void usb_device_reset(USBDevice *dev)
+     if (dev == NULL || !dev->attached) {
+         return;
+     }
++    usb_device_handle_reset(dev);
+     dev->remote_wakeup = 0;
+     dev->addr = 0;
+     dev->state = USB_STATE_DEFAULT;
+-    usb_device_handle_reset(dev);
+ }
+ 
+ void usb_wakeup(USBEndpoint *ep, unsigned int stream)
+-- 
+1.8.3.1
+
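Review bot: The position of `usb_device_handle_reset(dev)` in `usb_device_reset()` is now load-bearing, yet the code does not say so. A comment above the call such as `/* call the handler first so it sees the pre-reset addr and state */` would stop a later cleanup from moving it back below the assignments. The usb-host patch later on this page that returns early on `udev->addr == 0` appears to depend on this order.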
diff --git a/SOURCES/kvm-usb-host-avoid-libusb_set_configuration-calls.patch b/SOURCES/kvm-usb-host-avoid-libusb_set_configuration-calls.patch
new file mode 100644
index 0000000..4d18d92
--- /dev/null
+++ b/SOURCES/kvm-usb-host-avoid-libusb_set_configuration-calls.patch
@@ -0,0 +1,68 @@
+From 78a7dce49a0e3747e5aab9791434cb71297baf42 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Tue, 4 Jun 2019 05:12:46 +0100
+Subject: [PATCH 4/5] usb-host: avoid libusb_set_configuration calls
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: <20190604051246.11374-5-kraxel@redhat.com>
+Patchwork-id: 88472
+O-Subject: [RHEL-8.1.0 qemu-kvm PATCH 4/4] usb-host: avoid libusb_set_configuration calls
+Bugzilla: 1719228
+RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+RH-Acked-by: Max Reitz <mreitz@redhat.com>
+
+Seems some devices become confused when we call
+libusb_set_configuration().  So before calling the function check
+whenever the device has multiple configurations in the first place, and
+in case it hasn't (which is the case for the majority of devices) simply
+skip the call as it will have no effect anyway.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: 20190522094702.17619-4-kraxel@redhat.com
+(cherry picked from commit bfe44898848614cfcb3a269bc965afbe1f0f331c)
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ hw/usb/host-libusb.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/hw/usb/host-libusb.c b/hw/usb/host-libusb.c
+index dd3ed02..587ff70 100644
+--- a/hw/usb/host-libusb.c
++++ b/hw/usb/host-libusb.c
+@@ -1220,19 +1220,21 @@ static void usb_host_set_address(USBHostDevice *s, int addr)
+ 
+ static void usb_host_set_config(USBHostDevice *s, int config, USBPacket *p)
+ {
+-    int rc;
++    int rc = 0;
+ 
+     trace_usb_host_set_config(s->bus_num, s->addr, config);
+ 
+     usb_host_release_interfaces(s);
+-    rc = libusb_set_configuration(s->dh, config);
+-    if (rc != 0) {
+-        usb_host_libusb_error("libusb_set_configuration", rc);
+-        p->status = USB_RET_STALL;
+-        if (rc == LIBUSB_ERROR_NO_DEVICE) {
+-            usb_host_nodev(s);
++    if (s->ddesc.bNumConfigurations != 1) {
++        rc = libusb_set_configuration(s->dh, config);
++        if (rc != 0) {
++            usb_host_libusb_error("libusb_set_configuration", rc);
++            p->status = USB_RET_STALL;
++            if (rc == LIBUSB_ERROR_NO_DEVICE) {
++                usb_host_nodev(s);
++            }
++            return;
+         }
+-        return;
+     }
+     p->status = usb_host_claim_interfaces(s, config);
+     if (p->status != USB_RET_SUCCESS) {
+-- 
+1.8.3.1
+
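Review bot: In `usb_host_set_config()` the new `bNumConfigurations != 1` test skips `libusb_set_configuration()` whatever value `config` has. A request for a configuration other than the device's single one, or for configuration 0 if the guest uses that to deconfigure, now falls through to `usb_host_claim_interfaces()` as if the call had succeeded. If that is intended, a comment above the test should say so, e.g. `/* single-config device: the call is a no-op and confuses some devices */`; otherwise the skip could be limited to the case where `config` equals the currently active configuration. In the visible lines `rc` is used only inside the new block, so it could be declared there instead of being initialised to 0; the function continues past the hunk.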
diff --git a/SOURCES/kvm-usb-host-skip-reset-for-untouched-devices.patch b/SOURCES/kvm-usb-host-skip-reset-for-untouched-devices.patch
new file mode 100644
index 0000000..bc3dae0
--- /dev/null
+++ b/SOURCES/kvm-usb-host-skip-reset-for-untouched-devices.patch
@@ -0,0 +1,46 @@
+From e1ceffd58a4fc842c2a31c977c24e3ac0ced42a5 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Tue, 4 Jun 2019 05:12:45 +0100
+Subject: [PATCH 3/5] usb-host: skip reset for untouched devices
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: <20190604051246.11374-4-kraxel@redhat.com>
+Patchwork-id: 88474
+O-Subject: [RHEL-8.1.0 qemu-kvm PATCH 3/4] usb-host: skip reset for untouched devices
+Bugzilla: 1719228
+RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+RH-Acked-by: Max Reitz <mreitz@redhat.com>
+
+If the guest didn't talk to the device yet, skip the reset.
+Without this usb-host devices get resetted a number of times
+at boot time for no good reason.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: 20190522094702.17619-3-kraxel@redhat.com
+(cherry picked from commit 65f14ab98da1da920f98ee8734dc1588b01d6b2b)
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ hw/usb/host-libusb.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/hw/usb/host-libusb.c b/hw/usb/host-libusb.c
+index d82a10a..dd3ed02 100644
+--- a/hw/usb/host-libusb.c
++++ b/hw/usb/host-libusb.c
+@@ -1454,6 +1454,9 @@ static void usb_host_handle_reset(USBDevice *udev)
+     if (!s->allow_guest_reset) {
+         return;
+     }
++    if (udev->addr == 0) {
++        return;
++    }
+ 
+     trace_usb_host_reset(s->bus_num, s->addr);
+ 
+-- 
+1.8.3.1
+
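Review bot: The new `udev->addr == 0` early return in `usb_host_handle_reset()` is only meaningful if the handler runs before the core clears `addr`. With the previous order in `usb_device_reset()` (shown in the earlier usb patch on this page), `addr` would presumably already be 0 here and the host device would never be reset. That dependency deserves a comment at the check, e.g. `/* guest has not addressed the device yet; relies on usb_device_reset() calling us before clearing addr */`, and it matters when the patches are backported separately.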
diff --git a/SOURCES/kvm-virtio-scsi-Forbid-devices-with-different-iothreads-.patch b/SOURCES/kvm-virtio-scsi-Forbid-devices-with-different-iothreads-.patch
new file mode 100644
index 0000000..27676bc
--- /dev/null
+++ b/SOURCES/kvm-virtio-scsi-Forbid-devices-with-different-iothreads-.patch
@@ -0,0 +1,117 @@
+From 98d938374f47c7473366706aa5f5754d9b752eea Mon Sep 17 00:00:00 2001
+From: Markus Armbruster <armbru@redhat.com>
+Date: Thu, 6 Jun 2019 19:15:24 +0100
+Subject: [PATCH 7/7] virtio-scsi: Forbid devices with different iothreads
+ sharing a blockdev
+
+RH-Author: Markus Armbruster <armbru@redhat.com>
+Message-id: <20190606191524.30797-4-armbru@redhat.com>
+Patchwork-id: 88608
+O-Subject: [RHEL-8.1.0 qemu-kvm PATCH 3/3] virtio-scsi: Forbid devices with different iothreads sharing a blockdev
+Bugzilla: 1718992
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
+
+From: Alberto Garcia <berto@igalia.com>
+
+This patch forbids attaching a disk to a SCSI device if its using a
+different AioContext. Test case included.
+
+Signed-off-by: Alberto Garcia <berto@igalia.com>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+(cherry picked from commit eb97813ff5fd5bdffc8ed9f5be5a3a50eae70a2c)
+Signed-off-by: Markus Armbruster <armbru@redhat.com>
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ hw/scsi/virtio-scsi.c      |  7 +++++++
+ tests/qemu-iotests/240     | 22 ++++++++++++++++++++++
+ tests/qemu-iotests/240.out | 20 ++++++++++++++++++++
+ 3 files changed, 49 insertions(+)
+
+diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c
+index 85073f6..391500b 100644
+--- a/hw/scsi/virtio-scsi.c
++++ b/hw/scsi/virtio-scsi.c
+@@ -800,9 +800,16 @@ static void virtio_scsi_hotplug(HotplugHandler *hotplug_dev, DeviceState *dev,
+         return;
+     }
+     if (s->ctx && !s->dataplane_fenced) {
++        AioContext *ctx;
+         if (blk_op_is_blocked(sd->conf.blk, BLOCK_OP_TYPE_DATAPLANE, errp)) {
+             return;
+         }
++        ctx = blk_get_aio_context(sd->conf.blk);
++        if (ctx != s->ctx && ctx != qemu_get_aio_context()) {
++            error_setg(errp, "Cannot attach a blockdev that is using "
++                       "a different iothread");
++            return;
++        }
+         virtio_scsi_acquire(s);
+         blk_set_aio_context(sd->conf.blk, s->ctx);
+         virtio_scsi_release(s);
+diff --git a/tests/qemu-iotests/240 b/tests/qemu-iotests/240
+index 5d499c9..65cc3b3 100755
+--- a/tests/qemu-iotests/240
++++ b/tests/qemu-iotests/240
+@@ -101,6 +101,28 @@ run_qemu <<EOF
+ { "execute": "quit"}
+ EOF
+ 
++echo
++echo === Attach two SCSI disks using the same block device but different iothreads ===
++echo
++
++run_qemu <<EOF
++{ "execute": "qmp_capabilities" }
++{ "execute": "blockdev-add", "arguments": {"driver": "null-co", "node-name": "hd0", "read-only": true}}
++{ "execute": "object-add", "arguments": {"qom-type": "iothread", "id": "iothread0"}}
++{ "execute": "object-add", "arguments": {"qom-type": "iothread", "id": "iothread1"}}
++{ "execute": "device_add", "arguments": {"id": "scsi0", "driver": "${virtio_scsi}", "iothread": "iothread0"}}
++{ "execute": "device_add", "arguments": {"id": "scsi1", "driver": "${virtio_scsi}", "iothread": "iothread1"}}
++{ "execute": "device_add", "arguments": {"id": "scsi-hd0", "driver": "scsi-hd", "drive": "hd0", "bus": "scsi0.0"}}
++{ "execute": "device_add", "arguments": {"id": "scsi-hd1", "driver": "scsi-hd", "drive": "hd0", "bus": "scsi1.0"}}
++{ "execute": "device_del", "arguments": {"id": "scsi-hd0"}}
++{ "execute": "device_add", "arguments": {"id": "scsi-hd1", "driver": "scsi-hd", "drive": "hd0", "bus": "scsi1.0"}}
++{ "execute": "device_del", "arguments": {"id": "scsi-hd1"}}
++{ "execute": "device_del", "arguments": {"id": "scsi0"}}
++{ "execute": "device_del", "arguments": {"id": "scsi1"}}
++{ "execute": "blockdev-del", "arguments": {"node-name": "hd0"}}
++{ "execute": "quit"}
++EOF
++
+ # success, all done
+ echo "*** done"
+ rm -f $seq.full
+diff --git a/tests/qemu-iotests/240.out b/tests/qemu-iotests/240.out
+index 701cb5c..d763929 100644
+--- a/tests/qemu-iotests/240.out
++++ b/tests/qemu-iotests/240.out
+@@ -31,4 +31,24 @@ QMP_VERSION
+ {"return": {}}
+ {"return": {}}
+ {"return": {}}
++
++=== Attach two SCSI disks using the same block device but different iothreads ===
++
++Testing:
++QMP_VERSION
++{"return": {}}
++{"return": {}}
++{"return": {}}
++{"return": {}}
++{"return": {}}
++{"return": {}}
++{"return": {}}
++{"error": {"class": "GenericError", "desc": "Cannot attach a blockdev that is using a different iothread"}}
++{"return": {}}
++{"return": {}}
++{"return": {}}
++{"return": {}}
++{"return": {}}
++{"return": {}}
++{"return": {}}
+ *** done
+-- 
+1.8.3.1
+
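Review bot: In `virtio_scsi_hotplug()` the new AioContext comparison sits inside `if (s->ctx && !s->dataplane_fenced)`, so it is not evaluated for a controller without an iothread. Whether a blockdev already moved to another controller's iothread can then be attached to such a controller is not visible in the hunk, and the added case in tests/qemu-iotests/240 does not cover it. The condition also accepts `qemu_get_aio_context()` without saying why; a comment such as `/* a backend still in the main context can be moved to s->ctx below */` would explain the second clause.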
diff --git a/SOURCES/kvm-virtio-scsi-Move-BlockBackend-back-to-the-main-AioCo.patch b/SOURCES/kvm-virtio-scsi-Move-BlockBackend-back-to-the-main-AioCo.patch
new file mode 100644
index 0000000..aeef1c8
--- /dev/null
+++ b/SOURCES/kvm-virtio-scsi-Move-BlockBackend-back-to-the-main-AioCo.patch
@@ -0,0 +1,185 @@
+From d06442e9c1cdd9712bfb1f41317fe91ec454601b Mon Sep 17 00:00:00 2001
+From: Markus Armbruster <armbru@redhat.com>
+Date: Thu, 6 Jun 2019 19:15:22 +0100
+Subject: [PATCH 5/7] virtio-scsi: Move BlockBackend back to the main
+ AioContext on unplug
+
+RH-Author: Markus Armbruster <armbru@redhat.com>
+Message-id: <20190606191524.30797-2-armbru@redhat.com>
+Patchwork-id: 88607
+O-Subject: [RHEL-8.1.0 qemu-kvm PATCH 1/3] virtio-scsi: Move BlockBackend back to the main AioContext on unplug
+Bugzilla: 1718992
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
+
+From: Alberto Garcia <berto@igalia.com>
+
+This fixes a crash when attaching a disk to a SCSI device using
+iothreads, then detaching it and reattaching it again. Test case
+included.
+
+Signed-off-by: Alberto Garcia <berto@igalia.com>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+(cherry picked from commit a6f230c8d13a7ff3a0c7f1097412f44bfd9eff0b)
+[Trivial conflict in tests/qemu-iotests/group resolved]
+Signed-off-by: Markus Armbruster <armbru@redhat.com>
+
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ hw/scsi/virtio-scsi.c      |  6 ++++
+ tests/qemu-iotests/240     | 89 ++++++++++++++++++++++++++++++++++++++++++++++
+ tests/qemu-iotests/240.out | 18 ++++++++++
+ tests/qemu-iotests/group   |  1 +
+ 4 files changed, 114 insertions(+)
+ create mode 100755 tests/qemu-iotests/240
+ create mode 100644 tests/qemu-iotests/240.out
+
+diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c
+index 52a3c1d..85073f6 100644
+--- a/hw/scsi/virtio-scsi.c
++++ b/hw/scsi/virtio-scsi.c
+@@ -841,6 +841,12 @@ static void virtio_scsi_hotunplug(HotplugHandler *hotplug_dev, DeviceState *dev,
+         virtio_scsi_release(s);
+     }
+ 
++    if (s->ctx) {
++        virtio_scsi_acquire(s);
++        blk_set_aio_context(sd->conf.blk, qemu_get_aio_context());
++        virtio_scsi_release(s);
++    }
++
+     qdev_simple_device_unplug_cb(hotplug_dev, dev, errp);
+ }
+ 
+diff --git a/tests/qemu-iotests/240 b/tests/qemu-iotests/240
+new file mode 100755
+index 0000000..ead7ee0
+--- /dev/null
++++ b/tests/qemu-iotests/240
+@@ -0,0 +1,89 @@
++#!/bin/bash
++#
++# Test hot plugging and unplugging with iothreads
++#
++# Copyright (C) 2019 Igalia, S.L.
++# Author: Alberto Garcia <berto@igalia.com>
++#
++# This program is free software; you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation; either version 2 of the License, or
++# (at your option) any later version.
++#
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with this program.  If not, see <http://www.gnu.org/licenses/>.
++#
++
++# creator
++owner=berto@igalia.com
++
++seq=`basename $0`
++echo "QA output created by $seq"
++
++status=1	# failure is the default!
++
++# get standard environment, filters and checks
++. ./common.rc
++. ./common.filter
++
++_supported_fmt generic
++_supported_proto generic
++_supported_os Linux
++
++do_run_qemu()
++{
++    echo Testing: "$@"
++    $QEMU -nographic -qmp stdio -serial none "$@"
++    echo
++}
++
++# Remove QMP events from (pretty-printed) output. Doesn't handle
++# nested dicts correctly, but we don't get any of those in this test.
++_filter_qmp_events()
++{
++    tr '\n' '\t' | sed -e \
++	's/{\s*"timestamp":\s*{[^}]*},\s*"event":[^,}]*\(,\s*"data":\s*{[^}]*}\)\?\s*}\s*//g' \
++	| tr '\t' '\n'
++}
++
++run_qemu()
++{
++    do_run_qemu "$@" 2>&1 | _filter_qmp | _filter_qmp_events
++}
++
++case "$QEMU_DEFAULT_MACHINE" in
++  s390-ccw-virtio)
++      virtio_scsi=virtio-scsi-ccw
++      ;;
++  *)
++      virtio_scsi=virtio-scsi-pci
++      ;;
++esac
++
++echo
++echo === Unplug a SCSI disk and then plug it again ===
++echo
++
++run_qemu <<EOF
++{ "execute": "qmp_capabilities" }
++{ "execute": "blockdev-add", "arguments": {"driver": "null-co", "node-name": "hd0"}}
++{ "execute": "object-add", "arguments": {"qom-type": "iothread", "id": "iothread0"}}
++{ "execute": "device_add", "arguments": {"id": "scsi0", "driver": "${virtio_scsi}", "iothread": "iothread0"}}
++{ "execute": "device_add", "arguments": {"id": "scsi-hd0", "driver": "scsi-hd", "drive": "hd0"}}
++{ "execute": "device_del", "arguments": {"id": "scsi-hd0"}}
++{ "execute": "device_add", "arguments": {"id": "scsi-hd0", "driver": "scsi-hd", "drive": "hd0"}}
++{ "execute": "device_del", "arguments": {"id": "scsi-hd0"}}
++{ "execute": "device_del", "arguments": {"id": "scsi0"}}
++{ "execute": "blockdev-del", "arguments": {"node-name": "hd0"}}
++{ "execute": "quit"}
++EOF
++
++# success, all done
++echo "*** done"
++rm -f $seq.full
++status=0
+diff --git a/tests/qemu-iotests/240.out b/tests/qemu-iotests/240.out
+new file mode 100644
+index 0000000..432d981
+--- /dev/null
++++ b/tests/qemu-iotests/240.out
+@@ -0,0 +1,18 @@
++QA output created by 240
++
++=== Unplug a SCSI disk and then plug it again ===
++
++Testing:
++QMP_VERSION
++{"return": {}}
++{"return": {}}
++{"return": {}}
++{"return": {}}
++{"return": {}}
++{"return": {}}
++{"return": {}}
++{"return": {}}
++{"return": {}}
++{"return": {}}
++{"return": {}}
++*** done
+diff --git a/tests/qemu-iotests/group b/tests/qemu-iotests/group
+index 61c0f9c..5cbdc24 100644
+--- a/tests/qemu-iotests/group
++++ b/tests/qemu-iotests/group
+@@ -226,3 +226,4 @@
+ 231 auto quick
+ 232 auto quick
+ 234 auto quick migration
++240 auto quick
+-- 
+1.8.3.1
+
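Review bot: The `if (s->ctx)` block added to `virtio_scsi_hotunplug()` in the hw/scsi/virtio-scsi.c hunk carries no comment, although the reason for the context switch is the whole fix and is only stated in the commit message. I would put `/* Hand the BlockBackend back to the main AioContext on unplug so that it can be attached again later */` above it. The hunk does not show whether requests still in flight on `sd->conf.blk` have completed before `blk_set_aio_context()` runs; that is worth confirming in the part of the function above the hunk, which starts outside it.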
diff --git a/SOURCES/kvm-x86-Data-structure-changes-to-support-MSR-based-feat.patch b/SOURCES/kvm-x86-Data-structure-changes-to-support-MSR-based-feat.patch
new file mode 100644
index 0000000..401a722
--- /dev/null
+++ b/SOURCES/kvm-x86-Data-structure-changes-to-support-MSR-based-feat.patch
@@ -0,0 +1,500 @@
+From 2f915d53815514554da5e8ec7e81a8cbb6fa439e Mon Sep 17 00:00:00 2001
+From: "plai@redhat.com" <plai@redhat.com>
+Date: Tue, 20 Aug 2019 00:24:34 +0100
+Subject: [PATCH 3/9] x86: Data structure changes to support MSR based features
+
+RH-Author: plai@redhat.com
+Message-id: <1566260680-20995-4-git-send-email-plai@redhat.com>
+Patchwork-id: 90064
+O-Subject: [RHEL8.0 qemu-kvm PATCH v3 3/9] x86: Data structure changes to support MSR based features
+Bugzilla: 1718235
+RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>
+RH-Acked-by: John Snow <jsnow@redhat.com>
+RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
+
+From: Robert Hoo <robert.hu@linux.intel.com>
+
+Add FeatureWordType indicator in struct FeatureWordInfo.
+Change feature_word_info[] accordingly.
+Change existing functions that refer to feature_word_info[] accordingly.
+
+Signed-off-by: Robert Hoo <robert.hu@linux.intel.com>
+Message-Id: <1539578845-37944-3-git-send-email-robert.hu@linux.intel.com>
+[ehabkost: fixed hvf_enabled() case]
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+
+(cherry picked from commit 07585923485952bf4cb7da563c9f91fecc85d09c)
+Signed-off-by: Paul Lai <plai@redhat.com>
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ target/i386/cpu.c | 197 +++++++++++++++++++++++++++++++++++++++---------------
+ 1 file changed, 142 insertions(+), 55 deletions(-)
+
+diff --git a/target/i386/cpu.c b/target/i386/cpu.c
+index 6d38ac0..bbca6f4 100644
+--- a/target/i386/cpu.c
++++ b/target/i386/cpu.c
+@@ -773,17 +773,36 @@ static void x86_cpu_vendor_words2str(char *dst, uint32_t vendor1,
+           /* missing:
+           CPUID_XSAVE_XSAVEC, CPUID_XSAVE_XSAVES */
+ 
++typedef enum FeatureWordType {
++   CPUID_FEATURE_WORD,
++   MSR_FEATURE_WORD,
++} FeatureWordType;
++
+ typedef struct FeatureWordInfo {
++    FeatureWordType type;
+     /* feature flags names are taken from "Intel Processor Identification and
+      * the CPUID Instruction" and AMD's "CPUID Specification".
+      * In cases of disagreement between feature naming conventions,
+      * aliases may be added.
+      */
+     const char *feat_names[32];
+-    uint32_t cpuid_eax;   /* Input EAX for CPUID */
+-    bool cpuid_needs_ecx; /* CPUID instruction uses ECX as input */
+-    uint32_t cpuid_ecx;   /* Input ECX value for CPUID */
+-    int cpuid_reg;        /* output register (R_* constant) */
++    union {
++        /* If type==CPUID_FEATURE_WORD */
++        struct {
++            uint32_t eax;   /* Input EAX for CPUID */
++            bool needs_ecx; /* CPUID instruction uses ECX as input */
++            uint32_t ecx;   /* Input ECX value for CPUID */
++            int reg;        /* output register (R_* constant) */
++        } cpuid;
++        /* If type==MSR_FEATURE_WORD */
++        struct {
++            uint32_t index;
++            struct {   /*CPUID that enumerate this MSR*/
++                FeatureWord cpuid_class;
++                uint32_t    cpuid_flag;
++            } cpuid_dep;
++        } msr;
++    };
+     uint32_t tcg_features; /* Feature flags supported by TCG */
+     uint32_t unmigratable_flags; /* Feature flags known to be unmigratable */
+     uint32_t migratable_flags; /* Feature flags known to be migratable */
+@@ -793,6 +812,7 @@ typedef struct FeatureWordInfo {
+ 
+ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
+     [FEAT_1_EDX] = {
++        .type = CPUID_FEATURE_WORD,
+         .feat_names = {
+             "fpu", "vme", "de", "pse",
+             "tsc", "msr", "pae", "mce",
+@@ -803,10 +823,11 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
+             "fxsr", "sse", "sse2", "ss",
+             "ht" /* Intel htt */, "tm", "ia64", "pbe",
+         },
+-        .cpuid_eax = 1, .cpuid_reg = R_EDX,
++        .cpuid = {.eax = 1, .reg = R_EDX, },
+         .tcg_features = TCG_FEATURES,
+     },
+     [FEAT_1_ECX] = {
++        .type = CPUID_FEATURE_WORD,
+         .feat_names = {
+             "pni" /* Intel,AMD sse3 */, "pclmulqdq", "dtes64", "monitor",
+             "ds-cpl", "vmx", "smx", "est",
+@@ -817,7 +838,7 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
+             "tsc-deadline", "aes", "xsave", "osxsave",
+             "avx", "f16c", "rdrand", "hypervisor",
+         },
+-        .cpuid_eax = 1, .cpuid_reg = R_ECX,
++        .cpuid = { .eax = 1, .reg = R_ECX, },
+         .tcg_features = TCG_EXT_FEATURES,
+     },
+     /* Feature names that are already defined on feature_name[] but
+@@ -826,6 +847,7 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
+      * to features[FEAT_8000_0001_EDX] if and only if CPU vendor is AMD.
+      */
+     [FEAT_8000_0001_EDX] = {
++        .type = CPUID_FEATURE_WORD,
+         .feat_names = {
+             NULL /* fpu */, NULL /* vme */, NULL /* de */, NULL /* pse */,
+             NULL /* tsc */, NULL /* msr */, NULL /* pae */, NULL /* mce */,
+@@ -836,10 +858,11 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
+             NULL /* fxsr */, "fxsr-opt", "pdpe1gb", "rdtscp",
+             NULL, "lm", "3dnowext", "3dnow",
+         },
+-        .cpuid_eax = 0x80000001, .cpuid_reg = R_EDX,
++        .cpuid = { .eax = 0x80000001, .reg = R_EDX, },
+         .tcg_features = TCG_EXT2_FEATURES,
+     },
+     [FEAT_8000_0001_ECX] = {
++        .type = CPUID_FEATURE_WORD,
+         .feat_names = {
+             "lahf-lm", "cmp-legacy", "svm", "extapic",
+             "cr8legacy", "abm", "sse4a", "misalignsse",
+@@ -850,7 +873,7 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
+             "perfctr-nb", NULL, NULL, NULL,
+             NULL, NULL, NULL, NULL,
+         },
+-        .cpuid_eax = 0x80000001, .cpuid_reg = R_ECX,
++        .cpuid = { .eax = 0x80000001, .reg = R_ECX, },
+         .tcg_features = TCG_EXT3_FEATURES,
+         /*
+          * TOPOEXT is always allowed but can't be enabled blindly by
+@@ -860,6 +883,7 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
+         .no_autoenable_flags = CPUID_EXT3_TOPOEXT,
+     },
+     [FEAT_C000_0001_EDX] = {
++        .type = CPUID_FEATURE_WORD,
+         .feat_names = {
+             NULL, NULL, "xstore", "xstore-en",
+             NULL, NULL, "xcrypt", "xcrypt-en",
+@@ -870,10 +894,11 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
+             NULL, NULL, NULL, NULL,
+             NULL, NULL, NULL, NULL,
+         },
+-        .cpuid_eax = 0xC0000001, .cpuid_reg = R_EDX,
++        .cpuid = { .eax = 0xC0000001, .reg = R_EDX, },
+         .tcg_features = TCG_EXT4_FEATURES,
+     },
+     [FEAT_KVM] = {
++        .type = CPUID_FEATURE_WORD,
+         .feat_names = {
+             "kvmclock", "kvm-nopiodelay", "kvm-mmu", "kvmclock",
+             "kvm-asyncpf", "kvm-steal-time", "kvm-pv-eoi", "kvm-pv-unhalt",
+@@ -884,10 +909,11 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
+             "kvmclock-stable-bit", NULL, NULL, NULL,
+             NULL, NULL, NULL, NULL,
+         },
+-        .cpuid_eax = KVM_CPUID_FEATURES, .cpuid_reg = R_EAX,
++        .cpuid = { .eax = KVM_CPUID_FEATURES, .reg = R_EAX, },
+         .tcg_features = TCG_KVM_FEATURES,
+     },
+     [FEAT_KVM_HINTS] = {
++        .type = CPUID_FEATURE_WORD,
+         .feat_names = {
+             "kvm-hint-dedicated", NULL, NULL, NULL,
+             NULL, NULL, NULL, NULL,
+@@ -898,7 +924,7 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
+             NULL, NULL, NULL, NULL,
+             NULL, NULL, NULL, NULL,
+         },
+-        .cpuid_eax = KVM_CPUID_FEATURES, .cpuid_reg = R_EDX,
++        .cpuid = { .eax = KVM_CPUID_FEATURES, .reg = R_EDX, },
+         .tcg_features = TCG_KVM_FEATURES,
+         /*
+          * KVM hints aren't auto-enabled by -cpu host, they need to be
+@@ -907,6 +933,7 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
+         .no_autoenable_flags = ~0U,
+     },
+     [FEAT_HYPERV_EAX] = {
++        .type = CPUID_FEATURE_WORD,
+         .feat_names = {
+             NULL /* hv_msr_vp_runtime_access */, NULL /* hv_msr_time_refcount_access */,
+             NULL /* hv_msr_synic_access */, NULL /* hv_msr_stimer_access */,
+@@ -920,9 +947,10 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
+             NULL, NULL, NULL, NULL,
+             NULL, NULL, NULL, NULL,
+         },
+-        .cpuid_eax = 0x40000003, .cpuid_reg = R_EAX,
++        .cpuid = { .eax = 0x40000003, .reg = R_EAX, },
+     },
+     [FEAT_HYPERV_EBX] = {
++        .type = CPUID_FEATURE_WORD,
+         .feat_names = {
+             NULL /* hv_create_partitions */, NULL /* hv_access_partition_id */,
+             NULL /* hv_access_memory_pool */, NULL /* hv_adjust_message_buffers */,
+@@ -936,9 +964,10 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
+             NULL, NULL, NULL, NULL,
+             NULL, NULL, NULL, NULL,
+         },
+-        .cpuid_eax = 0x40000003, .cpuid_reg = R_EBX,
++        .cpuid = { .eax = 0x40000003, .reg = R_EBX, },
+     },
+     [FEAT_HYPERV_EDX] = {
++        .type = CPUID_FEATURE_WORD,
+         .feat_names = {
+             NULL /* hv_mwait */, NULL /* hv_guest_debugging */,
+             NULL /* hv_perf_monitor */, NULL /* hv_cpu_dynamic_part */,
+@@ -951,9 +980,10 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
+             NULL, NULL, NULL, NULL,
+             NULL, NULL, NULL, NULL,
+         },
+-        .cpuid_eax = 0x40000003, .cpuid_reg = R_EDX,
++        .cpuid = { .eax = 0x40000003, .reg = R_EDX, },
+     },
+     [FEAT_SVM] = {
++        .type = CPUID_FEATURE_WORD,
+         .feat_names = {
+             "npt", "lbrv", "svm-lock", "nrip-save",
+             "tsc-scale", "vmcb-clean",  "flushbyasid", "decodeassists",
+@@ -964,10 +994,11 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
+             NULL, NULL, NULL, NULL,
+             NULL, NULL, NULL, NULL,
+         },
+-        .cpuid_eax = 0x8000000A, .cpuid_reg = R_EDX,
++        .cpuid = { .eax = 0x8000000A, .reg = R_EDX, },
+         .tcg_features = TCG_SVM_FEATURES,
+     },
+     [FEAT_7_0_EBX] = {
++        .type = CPUID_FEATURE_WORD,
+         .feat_names = {
+             "fsgsbase", "tsc-adjust", NULL, "bmi1",
+             "hle", "avx2", NULL, "smep",
+@@ -978,12 +1009,15 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
+             "clwb", "intel-pt", "avx512pf", "avx512er",
+             "avx512cd", "sha-ni", "avx512bw", "avx512vl",
+         },
+-        .cpuid_eax = 7,
+-        .cpuid_needs_ecx = true, .cpuid_ecx = 0,
+-        .cpuid_reg = R_EBX,
++        .cpuid = {
++            .eax = 7,
++            .needs_ecx = true, .ecx = 0,
++            .reg = R_EBX,
++        },
+         .tcg_features = TCG_7_0_EBX_FEATURES,
+     },
+     [FEAT_7_0_ECX] = {
++        .type = CPUID_FEATURE_WORD,
+         .feat_names = {
+             NULL, "avx512vbmi", "umip", "pku",
+             "ospke", NULL, "avx512vbmi2", NULL,
+@@ -994,12 +1028,15 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
+             NULL, NULL, NULL, NULL,
+             NULL, NULL, NULL, NULL,
+         },
+-        .cpuid_eax = 7,
+-        .cpuid_needs_ecx = true, .cpuid_ecx = 0,
+-        .cpuid_reg = R_ECX,
++        .cpuid = {
++            .eax = 7,
++            .needs_ecx = true, .ecx = 0,
++            .reg = R_ECX,
++        },
+         .tcg_features = TCG_7_0_ECX_FEATURES,
+     },
+     [FEAT_7_0_EDX] = {
++        .type = CPUID_FEATURE_WORD,
+         .feat_names = {
+             NULL, NULL, "avx512-4vnniw", "avx512-4fmaps",
+             NULL, NULL, NULL, NULL,
+@@ -1010,13 +1047,16 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
+             NULL, NULL, "spec-ctrl", "stibp",
+             NULL, "arch-capabilities", NULL, "ssbd",
+         },
+-        .cpuid_eax = 7,
+-        .cpuid_needs_ecx = true, .cpuid_ecx = 0,
+-        .cpuid_reg = R_EDX,
++        .cpuid = {
++            .eax = 7,
++            .needs_ecx = true, .ecx = 0,
++            .reg = R_EDX,
++        },
+         .tcg_features = TCG_7_0_EDX_FEATURES,
+         .unmigratable_flags = CPUID_7_0_EDX_ARCH_CAPABILITIES,
+     },
+     [FEAT_8000_0007_EDX] = {
++        .type = CPUID_FEATURE_WORD,
+         .feat_names = {
+             NULL, NULL, NULL, NULL,
+             NULL, NULL, NULL, NULL,
+@@ -1027,12 +1067,12 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
+             NULL, NULL, NULL, NULL,
+             NULL, NULL, NULL, NULL,
+         },
+-        .cpuid_eax = 0x80000007,
+-        .cpuid_reg = R_EDX,
++        .cpuid = { .eax = 0x80000007, .reg = R_EDX, },
+         .tcg_features = TCG_APM_FEATURES,
+         .unmigratable_flags = CPUID_APM_INVTSC,
+     },
+     [FEAT_8000_0008_EBX] = {
++        .type = CPUID_FEATURE_WORD,
+         .feat_names = {
+             NULL, NULL, NULL, NULL,
+             NULL, NULL, NULL, NULL,
+@@ -1043,12 +1083,12 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
+             NULL, "virt-ssbd", NULL, NULL,
+             NULL, NULL, NULL, NULL,
+         },
+-        .cpuid_eax = 0x80000008,
+-        .cpuid_reg = R_EBX,
++        .cpuid = { .eax = 0x80000008, .reg = R_EBX, },
+         .tcg_features = 0,
+         .unmigratable_flags = 0,
+     },
+     [FEAT_XSAVE] = {
++        .type = CPUID_FEATURE_WORD,
+         .feat_names = {
+             "xsaveopt", "xsavec", "xgetbv1", "xsaves",
+             NULL, NULL, NULL, NULL,
+@@ -1059,12 +1099,15 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
+             NULL, NULL, NULL, NULL,
+             NULL, NULL, NULL, NULL,
+         },
+-        .cpuid_eax = 0xd,
+-        .cpuid_needs_ecx = true, .cpuid_ecx = 1,
+-        .cpuid_reg = R_EAX,
++        .cpuid = {
++            .eax = 0xd,
++            .needs_ecx = true, .ecx = 1,
++            .reg = R_EAX,
++        },
+         .tcg_features = TCG_XSAVE_FEATURES,
+     },
+     [FEAT_6_EAX] = {
++        .type = CPUID_FEATURE_WORD,
+         .feat_names = {
+             NULL, NULL, "arat", NULL,
+             NULL, NULL, NULL, NULL,
+@@ -1075,13 +1118,16 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
+             NULL, NULL, NULL, NULL,
+             NULL, NULL, NULL, NULL,
+         },
+-        .cpuid_eax = 6, .cpuid_reg = R_EAX,
++        .cpuid = { .eax = 6, .reg = R_EAX, },
+         .tcg_features = TCG_6_EAX_FEATURES,
+     },
+     [FEAT_XSAVE_COMP_LO] = {
+-        .cpuid_eax = 0xD,
+-        .cpuid_needs_ecx = true, .cpuid_ecx = 0,
+-        .cpuid_reg = R_EAX,
++        .type = CPUID_FEATURE_WORD,
++        .cpuid = {
++            .eax = 0xD,
++            .needs_ecx = true, .ecx = 0,
++            .reg = R_EAX,
++        },
+         .tcg_features = ~0U,
+         .migratable_flags = XSTATE_FP_MASK | XSTATE_SSE_MASK |
+             XSTATE_YMM_MASK | XSTATE_BNDREGS_MASK | XSTATE_BNDCSR_MASK |
+@@ -1089,9 +1135,12 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
+             XSTATE_PKRU_MASK,
+     },
+     [FEAT_XSAVE_COMP_HI] = {
+-        .cpuid_eax = 0xD,
+-        .cpuid_needs_ecx = true, .cpuid_ecx = 0,
+-        .cpuid_reg = R_EDX,
++        .type = CPUID_FEATURE_WORD,
++        .cpuid = {
++            .eax = 0xD,
++            .needs_ecx = true, .ecx = 0,
++            .reg = R_EDX,
++        },
+         .tcg_features = ~0U,
+     },
+ };
+@@ -2846,21 +2895,41 @@ static const TypeInfo host_x86_cpu_type_info = {
+ 
+ #endif
+ 
++static char *feature_word_description(FeatureWordInfo *f, uint32_t bit)
++{
++    assert(f->type == CPUID_FEATURE_WORD || f->type == MSR_FEATURE_WORD);
++
++    switch (f->type) {
++    case CPUID_FEATURE_WORD:
++        {
++            const char *reg = get_register_name_32(f->cpuid.reg);
++            assert(reg);
++            return g_strdup_printf("CPUID.%02XH:%s",
++                                   f->cpuid.eax, reg);
++        }
++    case MSR_FEATURE_WORD:
++        return g_strdup_printf("MSR(%02XH)",
++                               f->msr.index);
++    }
++
++    return NULL;
++}
++
+ static void report_unavailable_features(FeatureWord w, uint32_t mask)
+ {
+     FeatureWordInfo *f = &feature_word_info[w];
+     int i;
++    char *feat_word_str;
+ 
+     for (i = 0; i < 32; ++i) {
+         if ((1UL << i) & mask) {
+-            const char *reg = get_register_name_32(f->cpuid_reg);
+-            assert(reg);
+-            warn_report("%s doesn't support requested feature: "
+-                        "CPUID.%02XH:%s%s%s [bit %d]",
++            feat_word_str = feature_word_description(f, i);
++            warn_report("%s doesn't support requested feature: %s%s%s [bit %d]",
+                         accel_uses_host_cpuid() ? "host" : "TCG",
+-                        f->cpuid_eax, reg,
++                        feat_word_str,
+                         f->feat_names[i] ? "." : "",
+                         f->feat_names[i] ? f->feat_names[i] : "", i);
++            g_free(feat_word_str);
+         }
+     }
+ }
+@@ -3104,11 +3173,18 @@ static void x86_cpu_get_feature_words(Object *obj, Visitor *v,
+ 
+     for (w = 0; w < FEATURE_WORDS; w++) {
+         FeatureWordInfo *wi = &feature_word_info[w];
++        /*
++                * We didn't have MSR features when "feature-words" was
++                *  introduced. Therefore skipped other type entries.
++                */
++        if (wi->type != CPUID_FEATURE_WORD) {
++            continue;
++        }
+         X86CPUFeatureWordInfo *qwi = &word_infos[w];
+-        qwi->cpuid_input_eax = wi->cpuid_eax;
+-        qwi->has_cpuid_input_ecx = wi->cpuid_needs_ecx;
+-        qwi->cpuid_input_ecx = wi->cpuid_ecx;
+-        qwi->cpuid_register = x86_reg_info_32[wi->cpuid_reg].qapi_enum;
++        qwi->cpuid_input_eax = wi->cpuid.eax;
++        qwi->has_cpuid_input_ecx = wi->cpuid.needs_ecx;
++        qwi->cpuid_input_ecx = wi->cpuid.ecx;
++        qwi->cpuid_register = x86_reg_info_32[wi->cpuid.reg].qapi_enum;
+         qwi->features = array[w];
+ 
+         /* List will be in reverse order, but order shouldn't matter */
+@@ -3464,16 +3540,26 @@ static uint32_t x86_cpu_get_supported_feature_word(FeatureWord w,
+                                                    bool migratable_only)
+ {
+     FeatureWordInfo *wi = &feature_word_info[w];
+-    uint32_t r;
++    uint32_t r = 0;
+ 
+     if (kvm_enabled()) {
+-        r = kvm_arch_get_supported_cpuid(kvm_state, wi->cpuid_eax,
+-                                                    wi->cpuid_ecx,
+-                                                    wi->cpuid_reg);
++        switch (wi->type) {
++        case CPUID_FEATURE_WORD:
++            r = kvm_arch_get_supported_cpuid(kvm_state, wi->cpuid.eax,
++                                                        wi->cpuid.ecx,
++                                                        wi->cpuid.reg);
++            break;
++        case MSR_FEATURE_WORD:
++            r = kvm_arch_get_supported_msr_feature(kvm_state, wi->msr.index);
++            break;
++        }
+     } else if (hvf_enabled()) {
+-        r = hvf_get_supported_cpuid(wi->cpuid_eax,
+-                                    wi->cpuid_ecx,
+-                                    wi->cpuid_reg);
++        if (wi->type != CPUID_FEATURE_WORD) {
++            return 0;
++        }
++        r = hvf_get_supported_cpuid(wi->cpuid.eax,
++                                    wi->cpuid.ecx,
++                                    wi->cpuid.reg);
+     } else if (tcg_enabled()) {
+         r = wi->tcg_features;
+     } else {
+@@ -4534,9 +4620,10 @@ static void x86_cpu_adjust_feat_level(X86CPU *cpu, FeatureWord w)
+ {
+     CPUX86State *env = &cpu->env;
+     FeatureWordInfo *fi = &feature_word_info[w];
+-    uint32_t eax = fi->cpuid_eax;
++    uint32_t eax = fi->cpuid.eax;
+     uint32_t region = eax & 0xF0000000;
+ 
++    assert(feature_word_info[w].type == CPUID_FEATURE_WORD);
+     if (!env->features[w]) {
+         return;
+     }
+-- 
+1.8.3.1
+
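Review bot: In the target/i386/cpu.c hunk that adds `feature_word_description()`, the `bit` parameter is never used, so `report_unavailable_features()` builds and frees an identical string for every set bit of `mask`. The text depends only on the feature word, so I would drop the parameter, call `feat_word_str = feature_word_description(f);` once before the `for` loop and move `g_free(feat_word_str);` after it. The helper also deserves a one-line comment stating that the caller owns the returned string and must release it with `g_free()`.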
diff --git a/SOURCES/kvm-x86-define-a-new-MSR-based-feature-word-FEATURE_WORD.patch b/SOURCES/kvm-x86-define-a-new-MSR-based-feature-word-FEATURE_WORD.patch
new file mode 100644
index 0000000..6afb822
--- /dev/null
+++ b/SOURCES/kvm-x86-define-a-new-MSR-based-feature-word-FEATURE_WORD.patch
@@ -0,0 +1,128 @@
+From 4263a1e54da9f6e1d1b0aa74d52436224a6cfd5e Mon Sep 17 00:00:00 2001
+From: "plai@redhat.com" <plai@redhat.com>
+Date: Tue, 20 Aug 2019 00:24:35 +0100
+Subject: [PATCH 4/9] x86: define a new MSR based feature word --
+ FEATURE_WORDS_ARCH_CAPABILITIES
+
+RH-Author: plai@redhat.com
+Message-id: <1566260680-20995-5-git-send-email-plai@redhat.com>
+Patchwork-id: 90069
+O-Subject: [RHEL8.0 qemu-kvm PATCH v3 4/9] x86: define a new MSR based feature word -- FEATURE_WORDS_ARCH_CAPABILITIES
+Bugzilla: 1718235
+RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>
+RH-Acked-by: John Snow <jsnow@redhat.com>
+RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
+
+From: Robert Hoo <robert.hu@linux.intel.com>
+
+Note RSBA is specially treated -- no matter host support it or not, qemu
+pretends it is supported.
+
+Signed-off-by: Robert Hoo <robert.hu@linux.intel.com>
+Message-Id: <1539578845-37944-4-git-send-email-robert.hu@linux.intel.com>
+[ehabkost: removed automatic enabling of RSBA]
+Reviewed-by: Eduardo Habkost <ehabkost@redhat.com>
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+
+(cherry picked from commit d86f963694df27f11b3681ffd225c9362de1b634)
+Signed-off-by: Paul Lai <plai@redhat.com>
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ target/i386/cpu.c | 24 +++++++++++++++++++++++-
+ target/i386/cpu.h |  8 ++++++++
+ target/i386/kvm.c | 11 +++++++++++
+ 3 files changed, 42 insertions(+), 1 deletion(-)
+
+diff --git a/target/i386/cpu.c b/target/i386/cpu.c
+index bbca6f4..fbcf124 100644
+--- a/target/i386/cpu.c
++++ b/target/i386/cpu.c
+@@ -1143,6 +1143,27 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
+         },
+         .tcg_features = ~0U,
+     },
++    /*Below are MSR exposed features*/
++    [FEAT_ARCH_CAPABILITIES] = {
++        .type = MSR_FEATURE_WORD,
++        .feat_names = {
++            "rdctl-no", "ibrs-all", "rsba", "skip-l1dfl-vmentry",
++            "ssb-no", NULL, NULL, NULL,
++            NULL, NULL, NULL, NULL,
++            NULL, NULL, NULL, NULL,
++            NULL, NULL, NULL, NULL,
++            NULL, NULL, NULL, NULL,
++            NULL, NULL, NULL, NULL,
++            NULL, NULL, NULL, NULL,
++        },
++        .msr = {
++            .index = MSR_IA32_ARCH_CAPABILITIES,
++            .cpuid_dep = {
++                FEAT_7_0_EDX,
++                CPUID_7_0_EDX_ARCH_CAPABILITIES
++            }
++        },
++    },
+ };
+ 
+ typedef struct X86RegisterInfo32 {
+@@ -3550,7 +3571,8 @@ static uint32_t x86_cpu_get_supported_feature_word(FeatureWord w,
+                                                         wi->cpuid.reg);
+             break;
+         case MSR_FEATURE_WORD:
+-            r = kvm_arch_get_supported_msr_feature(kvm_state, wi->msr.index);
++            r = kvm_arch_get_supported_msr_feature(kvm_state,
++                        wi->msr.index);
+             break;
+         }
+     } else if (hvf_enabled()) {
+diff --git a/target/i386/cpu.h b/target/i386/cpu.h
+index e5e5169..6820a70 100644
+--- a/target/i386/cpu.h
++++ b/target/i386/cpu.h
+@@ -500,6 +500,7 @@ typedef enum FeatureWord {
+     FEAT_6_EAX,         /* CPUID[6].EAX */
+     FEAT_XSAVE_COMP_LO, /* CPUID[EAX=0xd,ECX=0].EAX */
+     FEAT_XSAVE_COMP_HI, /* CPUID[EAX=0xd,ECX=0].EDX */
++    FEAT_ARCH_CAPABILITIES,
+     FEATURE_WORDS,
+ } FeatureWord;
+ 
+@@ -726,6 +727,13 @@ typedef uint32_t FeatureWordArray[FEATURE_WORDS];
+ #define CPUID_TOPOLOGY_LEVEL_SMT      (1U << 8)
+ #define CPUID_TOPOLOGY_LEVEL_CORE     (2U << 8)
+ 
++/* MSR Feature Bits */
++#define MSR_ARCH_CAP_RDCL_NO    (1U << 0)
++#define MSR_ARCH_CAP_IBRS_ALL   (1U << 1)
++#define MSR_ARCH_CAP_RSBA       (1U << 2)
++#define MSR_ARCH_CAP_SKIP_L1DFL_VMENTRY (1U << 3)
++#define MSR_ARCH_CAP_SSB_NO     (1U << 4)
++
+ #ifndef HYPERV_SPINLOCK_NEVER_RETRY
+ #define HYPERV_SPINLOCK_NEVER_RETRY             0xFFFFFFFF
+ #endif
+diff --git a/target/i386/kvm.c b/target/i386/kvm.c
+index 87e4771..187ee19 100644
+--- a/target/i386/kvm.c
++++ b/target/i386/kvm.c
+@@ -1753,6 +1753,17 @@ static int kvm_put_msrs(X86CPU *cpu, int level)
+     }
+ #endif
+ 
++    /* If host supports feature MSR, write down. */
++    if (kvm_feature_msrs) {
++        int i;
++        for (i = 0; i < kvm_feature_msrs->nmsrs; i++)
++            if (kvm_feature_msrs->indices[i] == MSR_IA32_ARCH_CAPABILITIES) {
++                kvm_msr_entry_add(cpu, MSR_IA32_ARCH_CAPABILITIES,
++                              env->features[FEAT_ARCH_CAPABILITIES]);
++                break;
++            }
++    }
++
+     /*
+      * The following MSRs have side effects on the guest or are too heavy
+      * for normal writeback. Limit them to reset or full state updates.
+-- 
+1.8.3.1
+
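Review bot: The `for` loop added to `kvm_put_msrs()` in the target/i386/kvm.c hunk has no braces although its body is a multi-line `if`, which makes it easy for a later statement to land outside the loop by mistake; write it as `for (i = 0; i < kvm_feature_msrs->nmsrs; i++) {` with a matching `}`. The comment `/* If host supports feature MSR, write down. */` would be clearer as `/* If the host lists MSR_IA32_ARCH_CAPABILITIES among its feature MSRs, set the guest value from env->features[] */`. The write is gated only on the host list and not on the `cpuid_dep` recorded for `FEAT_ARCH_CAPABILITIES` in cpu.c; if that is intended, the comment should say so. `kvm_put_msrs()` starts and ends outside the hunk.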
diff --git a/SPECS/qemu-kvm.spec b/SPECS/qemu-kvm.spec
index 2fd59bf..59eacd8 100644
--- a/SPECS/qemu-kvm.spec
+++ b/SPECS/qemu-kvm.spec
@@ -68,7 +68,7 @@ Obsoletes: %1-rhev
 Summary: QEMU is a machine emulator and virtualizer
 Name: qemu-kvm
 Version: 2.12.0
-Release: 64%{?dist}.2
+Release: 65%{?dist}.5
 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
 Epoch: 15
 License: GPLv2 and GPLv2+ and CC-BY
@@ -1322,6 +1322,48 @@ Patch640: kvm-scsi-generic-avoid-possible-out-of-bounds-access-to-.patch
 Patch641: kvm-device_tree-Fix-integer-overflowing-in-load_device_t.patch
 # For bz#1704545 - CVE-2018-12126 virt:rhel/qemu-kvm: hardware: Microarchitectural Store Buffer Data Sampling [rhel-8.0.0.z]
 Patch642: kvm-target-i386-define-md-clear-bit-rhev.patch
+# For bz#1732324 - CVE-2019-6778 qemu-kvm: QEMU: slirp: heap buffer overflow in tcp_emu()  [rhel-8.0.0.z]
+Patch643: kvm-slirp-check-sscanf-result-when-emulating-ident.patch
+# For bz#1732324 - CVE-2019-6778 qemu-kvm: QEMU: slirp: heap buffer overflow in tcp_emu()  [rhel-8.0.0.z]
+Patch644: kvm-slirp-fix-big-little-endian-conversion-in-ident-prot.patch
+# For bz#1732324 - CVE-2019-6778 qemu-kvm: QEMU: slirp: heap buffer overflow in tcp_emu()  [rhel-8.0.0.z]
+Patch645: kvm-slirp-ensure-there-is-enough-space-in-mbuf-to-null-t.patch
+# For bz#1732324 - CVE-2019-6778 qemu-kvm: QEMU: slirp: heap buffer overflow in tcp_emu()  [rhel-8.0.0.z]
+Patch646: kvm-slirp-don-t-manipulate-so_rcv-in-tcp_emu.patch
+# For bz#1718992 - qemu-kvm core dumped after hotplug the deleted disk with iothread parameter [rhel-8.0.0.z]
+Patch647: kvm-virtio-scsi-Move-BlockBackend-back-to-the-main-AioCo.patch
+# For bz#1718992 - qemu-kvm core dumped after hotplug the deleted disk with iothread parameter [rhel-8.0.0.z]
+Patch648: kvm-scsi-disk-Acquire-the-AioContext-in-scsi_-_realize.patch
+# For bz#1718992 - qemu-kvm core dumped after hotplug the deleted disk with iothread parameter [rhel-8.0.0.z]
+Patch649: kvm-virtio-scsi-Forbid-devices-with-different-iothreads-.patch
+# For bz#1719228 - Detached device when trying to upgrade USB device firmware when in doing USB Passthrough via QEMU [rhel-8.0.0.z]
+Patch650: kvm-Introduce-new-no_guest_reset-parameter-for-usb-host-.patch
+# For bz#1719228 - Detached device when trying to upgrade USB device firmware when in doing USB Passthrough via QEMU [rhel-8.0.0.z]
+Patch651: kvm-usb-call-reset-handler-before-updating-state.patch
+# For bz#1719228 - Detached device when trying to upgrade USB device firmware when in doing USB Passthrough via QEMU [rhel-8.0.0.z]
+Patch652: kvm-usb-host-skip-reset-for-untouched-devices.patch
+# For bz#1719228 - Detached device when trying to upgrade USB device firmware when in doing USB Passthrough via QEMU [rhel-8.0.0.z]
+Patch653: kvm-usb-host-avoid-libusb_set_configuration-calls.patch
+# For bz#1734750 - CVE-2019-14378 qemu-kvm: QEMU: slirp: heap buffer overflow during packet reassembly [rhel-8.0.0.z]
+Patch654: kvm-Fix-heap-overflow-in-ip_reass-on-big-packet-input.patch
+# For bz#1718235 - [Intel 8.1 Bug] [KVM][CLX] CPUID_7_0_EDX_ARCH_CAPABILITIES is not enabled in VM - qemu-kvm [rhel-8.0.0.z]
+Patch655: kvm-i386-Add-new-MSR-indices-for-IA32_PRED_CMD-and-IA32_.patch
+# For bz#1718235 - [Intel 8.1 Bug] [KVM][CLX] CPUID_7_0_EDX_ARCH_CAPABILITIES is not enabled in VM - qemu-kvm [rhel-8.0.0.z]
+Patch656: kvm-i386-Add-CPUID-bit-and-feature-words-for-IA32_ARCH_C.patch
+# For bz#1718235 - [Intel 8.1 Bug] [KVM][CLX] CPUID_7_0_EDX_ARCH_CAPABILITIES is not enabled in VM - qemu-kvm [rhel-8.0.0.z]
+Patch657: kvm-x86-Data-structure-changes-to-support-MSR-based-feat.patch
+# For bz#1718235 - [Intel 8.1 Bug] [KVM][CLX] CPUID_7_0_EDX_ARCH_CAPABILITIES is not enabled in VM - qemu-kvm [rhel-8.0.0.z]
+Patch658: kvm-x86-define-a-new-MSR-based-feature-word-FEATURE_WORD.patch
+# For bz#1718235 - [Intel 8.1 Bug] [KVM][CLX] CPUID_7_0_EDX_ARCH_CAPABILITIES is not enabled in VM - qemu-kvm [rhel-8.0.0.z]
+Patch659: kvm-Add-support-to-KVM_GET_MSR_FEATURE_INDEX_LIST-an.patch
+# For bz#1718235 - [Intel 8.1 Bug] [KVM][CLX] CPUID_7_0_EDX_ARCH_CAPABILITIES is not enabled in VM - qemu-kvm [rhel-8.0.0.z]
+Patch660: kvm-Use-KVM_GET_MSR_INDEX_LIST-for-MSR_IA32_ARCH_CAP.patch
+# For bz#1718235 - [Intel 8.1 Bug] [KVM][CLX] CPUID_7_0_EDX_ARCH_CAPABILITIES is not enabled in VM - qemu-kvm [rhel-8.0.0.z]
+Patch661: kvm-i386-kvm-Disable-arch_capabilities-if-MSR-can-t-be-s.patch
+# For bz#1718235 - [Intel 8.1 Bug] [KVM][CLX] CPUID_7_0_EDX_ARCH_CAPABILITIES is not enabled in VM - qemu-kvm [rhel-8.0.0.z]
+Patch662: kvm-i386-Make-arch_capabilities-migratable.patch
+# For bz#1718235 - [Intel 8.1 Bug] [KVM][CLX] CPUID_7_0_EDX_ARCH_CAPABILITIES is not enabled in VM - qemu-kvm [rhel-8.0.0.z]
+Patch663: kvm-target-i386-add-MDS-NO-feature.patch
 
 BuildRequires: zlib-devel
 BuildRequires: glib2-devel
@@ -2212,6 +2254,48 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
 
 
 %changelog
+* Wed Aug 28 2019 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 2.12.0-65.el8_0_0.5
+- kvm-i386-Add-new-MSR-indices-for-IA32_PRED_CMD-and-IA32_.patch [bz#1718235]
+- kvm-i386-Add-CPUID-bit-and-feature-words-for-IA32_ARCH_C.patch [bz#1718235]
+- kvm-x86-Data-structure-changes-to-support-MSR-based-feat.patch [bz#1718235]
+- kvm-x86-define-a-new-MSR-based-feature-word-FEATURE_WORD.patch [bz#1718235]
+- kvm-Add-support-to-KVM_GET_MSR_FEATURE_INDEX_LIST-an.patch [bz#1718235]
+- kvm-Use-KVM_GET_MSR_INDEX_LIST-for-MSR_IA32_ARCH_CAP.patch [bz#1718235]
+- kvm-i386-kvm-Disable-arch_capabilities-if-MSR-can-t-be-s.patch [bz#1718235]
+- kvm-i386-Make-arch_capabilities-migratable.patch [bz#1718235]
+- kvm-target-i386-add-MDS-NO-feature.patch [bz#1718235]
+- Resolves: bz#1718235
+  ([Intel 8.1 Bug] [KVM][CLX] CPUID_7_0_EDX_ARCH_CAPABILITIES is not enabled in VM - qemu-kvm [rhel-8.0.0.z])
+
+* Mon Aug 26 2019 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 2.12.0-65.el8_0_0.4
+- kvm-Introduce-new-no_guest_reset-parameter-for-usb-host-.patch [bz#1719228]
+- kvm-usb-call-reset-handler-before-updating-state.patch [bz#1719228]
+- kvm-usb-host-skip-reset-for-untouched-devices.patch [bz#1719228]
+- kvm-usb-host-avoid-libusb_set_configuration-calls.patch [bz#1719228]
+- kvm-Fix-heap-overflow-in-ip_reass-on-big-packet-input.patch [bz#1734750]
+- Resolves: bz#1719228
+  (Detached device when trying to upgrade USB device firmware when in doing USB Passthrough via QEMU [rhel-8.0.0.z])
+- Resolves: bz#1734750
+  (CVE-2019-14378 qemu-kvm: QEMU: slirp: heap buffer overflow during packet reassembly [rhel-8.0.0.z])
+
+* Wed Jul 24 2019 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 2.12.0-65.el8_0_0.3
+- kvm-slirp-check-sscanf-result-when-emulating-ident.patch [bz#1732324]
+- kvm-slirp-fix-big-little-endian-conversion-in-ident-prot.patch [bz#1732324]
+- kvm-slirp-ensure-there-is-enough-space-in-mbuf-to-null-t.patch [bz#1732324]
+- kvm-slirp-don-t-manipulate-so_rcv-in-tcp_emu.patch [bz#1732324]
+- kvm-virtio-scsi-Move-BlockBackend-back-to-the-main-AioCo.patch [bz#1718992]
+- kvm-scsi-disk-Acquire-the-AioContext-in-scsi_-_realize.patch [bz#1718992]
+- kvm-virtio-scsi-Forbid-devices-with-different-iothreads-.patch [bz#1718992]
+- Resolves: bz#1718992
+  (qemu-kvm core dumped after hotplug the deleted disk with iothread parameter [rhel-8.0.0.z])
+- Resolves: bz#1732324
+  (CVE-2019-6778 qemu-kvm: QEMU: slirp: heap buffer overflow in tcp_emu()  [rhel-8.0.0.z])
+
+* Sun Jun 30 2019 Danilo de Paula <ddepaula@redhat.com> - 15:2.12.0-65.2
+- Rebuild all virt packages to fix RHEL's upgrade path
+- Resolves: rhbz#1696354
+  (Ensure modular RPM upgrade path [ZStream Clone] [rhel-8.0.0.z])
+
 * Fri May 10 2019 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 2.12.0-64.el8.0.0.2
 - Bump release version to fix the versioning problem (zstream release lower than ystream).
 - Resolves: bz#1704545