diff --git a/SOURCES/kvm-acpi-accept-byte-and-word-access-to-core-ACPI-regist.patch b/SOURCES/kvm-acpi-accept-byte-and-word-access-to-core-ACPI-regist.patch
new file mode 100644
index 0000000..859de91
--- /dev/null
+++ b/SOURCES/kvm-acpi-accept-byte-and-word-access-to-core-ACPI-regist.patch
@@ -0,0 +1,82 @@
+From 6c2949cba8971971c89fb1e5db9e557dfcd156ef Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Wed, 21 Apr 2021 22:30:04 -0400
+Subject: [PATCH 5/8] acpi: accept byte and word access to core ACPI registers
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+Message-id: <20210421223006.19650-5-jmaloy@redhat.com>
+Patchwork-id: 101482
+O-Subject: [RHEL-8.5.0 qemu-kvm PATCH v2 4/6] acpi: accept byte and word access to core ACPI registers
+Bugzilla: 1944621
+RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
+RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+
+From: Michael Tokarev <mjt@tls.msk.ru>
+
+All ISA registers should be accessible as bytes, words or dwords
+(if wide enough).  Fix the access constraints for acpi-pm-evt,
+acpi-pm-tmr & acpi-cnt registers.
+
+Fixes: 5d971f9e67 (memory: Revert "memory: accept mismatching sizes in memory_region_access_valid")
+Fixes: afafe4bbe0 (apci: switch cnt to memory api)
+Fixes: 77d58b1e47 (apci: switch timer to memory api)
+Fixes: b5a7c024d2 (apci: switch evt to memory api)
+Buglink: https://lore.kernel.org/xen-devel/20200630170913.123646-1-anthony.perard@citrix.com/T/
+Buglink: https://bugs.debian.org/964793
+BugLink: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964247
+BugLink: https://bugs.launchpad.net/bugs/1886318
+Reported-By: Simon John <git@the-jedi.co.uk>
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+Message-Id: <20200720160627.15491-1-mjt@msgid.tls.msk.ru>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+
+(cherry picked from commit dba04c3488c4699f5afe96f66e448b1d447cf3fb)
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ hw/acpi/core.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/hw/acpi/core.c b/hw/acpi/core.c
+index 45cbed49ab..d85052c34a 100644
+--- a/hw/acpi/core.c
++++ b/hw/acpi/core.c
+@@ -461,7 +461,8 @@ static void acpi_pm_evt_write(void *opaque, hwaddr addr, uint64_t val,
+ static const MemoryRegionOps acpi_pm_evt_ops = {
+     .read = acpi_pm_evt_read,
+     .write = acpi_pm_evt_write,
+-    .valid.min_access_size = 2,
++    .impl.min_access_size = 2,
++    .valid.min_access_size = 1,
+     .valid.max_access_size = 2,
+     .endianness = DEVICE_LITTLE_ENDIAN,
+ };
+@@ -530,7 +531,8 @@ static void acpi_pm_tmr_write(void *opaque, hwaddr addr, uint64_t val,
+ static const MemoryRegionOps acpi_pm_tmr_ops = {
+     .read = acpi_pm_tmr_read,
+     .write = acpi_pm_tmr_write,
+-    .valid.min_access_size = 4,
++    .impl.min_access_size = 4,
++    .valid.min_access_size = 1,
+     .valid.max_access_size = 4,
+     .endianness = DEVICE_LITTLE_ENDIAN,
+ };
+@@ -602,7 +604,8 @@ static void acpi_pm_cnt_write(void *opaque, hwaddr addr, uint64_t val,
+ static const MemoryRegionOps acpi_pm_cnt_ops = {
+     .read = acpi_pm_cnt_read,
+     .write = acpi_pm_cnt_write,
+-    .valid.min_access_size = 2,
++    .impl.min_access_size = 2,
++    .valid.min_access_size = 1,
+     .valid.max_access_size = 2,
+     .endianness = DEVICE_LITTLE_ENDIAN,
+ };
+-- 
+2.27.0
+
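Review bot: The three ops tables (`acpi_pm_evt_ops`, `acpi_pm_tmr_ops`, `acpi_pm_cnt_ops`) now set `.valid.min_access_size = 1` while `.impl.min_access_size` stays at the register width, and nothing in the tables says why the two differ. The read/write handlers are outside these hunks, so it cannot be confirmed from here how they treat a byte access at an odd offset, or a byte write that the memory core converts to the impl size. That is worth checking, because these limits are what the guest-facing size check enforces. I would add a comment above each pair, for example `/* ISA: guest may use byte/word access; core converts to impl size */`.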
diff --git a/SOURCES/kvm-cadence_gem-switch-to-use-qemu_receive_packet-for-lo.patch b/SOURCES/kvm-cadence_gem-switch-to-use-qemu_receive_packet-for-lo.patch
new file mode 100644
index 0000000..4316d69
--- /dev/null
+++ b/SOURCES/kvm-cadence_gem-switch-to-use-qemu_receive_packet-for-lo.patch
@@ -0,0 +1,60 @@
+From 1cbb554a4057afd4d71c04757ef7fd1bbb7114ee Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Tue, 29 Jun 2021 03:42:46 -0400
+Subject: [PATCH 8/9] cadence_gem: switch to use qemu_receive_packet() for
+ loopback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+Message-id: <20210629034247.3286477-9-jmaloy@redhat.com>
+Patchwork-id: 101793
+O-Subject: [RHEL-8.4.0.z qemu-kvm PATCH v2 8/9] cadence_gem: switch to use qemu_receive_packet() for loopback
+Bugzilla: 1932917
+RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Thomas Huth <thuth@redhat.com>
+
+From: Alexander Bulekov <alxndr@bu.edu>
+
+This patch switches to use qemu_receive_packet() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+(cherry picked from commit e73adfbeec9d4e008630c814759052ed945c3fed)
+Conflict: upstream commit 24d62fd5028e ("net: cadence_gem: Move tx/rx
+packet buffert to CadenceGEMState") is missing in this version, so
+we stick to using the original stack variable tx_packet in the calls.
+
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ hw/net/cadence_gem.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/hw/net/cadence_gem.c b/hw/net/cadence_gem.c
+index b8be73dc55..be7c91123b 100644
+--- a/hw/net/cadence_gem.c
++++ b/hw/net/cadence_gem.c
+@@ -1225,8 +1225,8 @@ static void gem_transmit(CadenceGEMState *s)
+                 /* Send the packet somewhere */
+                 if (s->phy_loop || (s->regs[GEM_NWCTRL] &
+                                     GEM_NWCTRL_LOCALLOOP)) {
+-                    gem_receive(qemu_get_queue(s->nic), tx_packet,
+-                                total_bytes);
++                    qemu_receive_packet(qemu_get_queue(s->nic), tx_packet,
++                                        total_bytes);
+                 } else {
+                     qemu_send_packet(qemu_get_queue(s->nic), tx_packet,
+                                      total_bytes);
+-- 
+2.27.0
+
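Review bot: The result of `qemu_receive_packet()` is discarded in the loopback branch of `gem_transmit`, so a frame the helper refuses (per the commit message it returns early on reentrancy) is dropped with no trace. The same pattern appears in the dp8393x, e1000 and lan9118 patches of this series. If dropping is the intended outcome, say so at the call site, e.g. `/* loopback frame is dropped if the receive path is already active */`. `gem_transmit` starts and ends outside the hunk, so whether the descriptor status written afterwards should reflect the drop cannot be judged from here.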
diff --git a/SOURCES/kvm-dp8393x-switch-to-use-qemu_receive_packet-for-loopba.patch b/SOURCES/kvm-dp8393x-switch-to-use-qemu_receive_packet-for-loopba.patch
new file mode 100644
index 0000000..a100b0c
--- /dev/null
+++ b/SOURCES/kvm-dp8393x-switch-to-use-qemu_receive_packet-for-loopba.patch
@@ -0,0 +1,53 @@
+From 4044e97e37188a9844cc6cd66d8b7819acccb27e Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Tue, 29 Jun 2021 03:42:41 -0400
+Subject: [PATCH 3/9] dp8393x: switch to use qemu_receive_packet() for loopback
+ packet
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+Message-id: <20210629034247.3286477-4-jmaloy@redhat.com>
+Patchwork-id: 101789
+O-Subject: [RHEL-8.4.0.z qemu-kvm PATCH v2 3/9] dp8393x: switch to use qemu_receive_packet() for loopback packet
+Bugzilla: 1932917
+RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Thomas Huth <thuth@redhat.com>
+
+From: Jason Wang <jasowang@redhat.com>
+
+This patch switches to use qemu_receive_packet() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+(cherry picked from commit 331d2ac9ea307c990dc86e6493e8f0c48d14bb33)
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ hw/net/dp8393x.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
+index 3d991af163..6d55b5de64 100644
+--- a/hw/net/dp8393x.c
++++ b/hw/net/dp8393x.c
+@@ -482,7 +482,7 @@ static void dp8393x_do_transmit_packets(dp8393xState *s)
+             s->regs[SONIC_TCR] |= SONIC_TCR_CRSL;
+             if (nc->info->can_receive(nc)) {
+                 s->loopback_packet = 1;
+-                nc->info->receive(nc, s->tx_buffer, tx_len);
++                qemu_receive_packet(nc, s->tx_buffer, tx_len);
+             }
+         } else {
+             /* Transmit packet */
+-- 
+2.27.0
+
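Review bot: `s->loopback_packet = 1;` is set before the call in `dp8393x_do_transmit_packets`, but `qemu_receive_packet()` can return without invoking the device's receive handler. If that handler is what clears the flag (not visible in this hunk), the flag stays set after a refused loopback frame. Consider clearing it once the call returns, e.g. `s->loopback_packet = 0;` after `qemu_receive_packet(nc, s->tx_buffer, tx_len);`, to be confirmed against the receive path. The enclosing `nc->info->can_receive(nc)` test also looks redundant now, since the helper performs its own can-receive check.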
diff --git a/SOURCES/kvm-e1000-switch-to-use-qemu_receive_packet-for-loopback.patch b/SOURCES/kvm-e1000-switch-to-use-qemu_receive_packet-for-loopback.patch
new file mode 100644
index 0000000..b2a211f
--- /dev/null
+++ b/SOURCES/kvm-e1000-switch-to-use-qemu_receive_packet-for-loopback.patch
@@ -0,0 +1,52 @@
+From bf44928b2ac2cb8b9608209d5425533458fd2b8a Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Tue, 29 Jun 2021 03:42:40 -0400
+Subject: [PATCH 2/9] e1000: switch to use qemu_receive_packet() for loopback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+Message-id: <20210629034247.3286477-3-jmaloy@redhat.com>
+Patchwork-id: 101784
+O-Subject: [RHEL-8.4.0.z qemu-kvm PATCH v2 2/9] e1000: switch to use qemu_receive_packet() for loopback
+Bugzilla: 1932917
+RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Thomas Huth <thuth@redhat.com>
+
+From: Jason Wang <jasowang@redhat.com>
+
+This patch switches to use qemu_receive_packet() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+(cherry picked from commit 1caff0340f49c93d535c6558a5138d20d475315c)
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ hw/net/e1000.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/e1000.c b/hw/net/e1000.c
+index fc73fdd6fa..f6ae78748a 100644
+--- a/hw/net/e1000.c
++++ b/hw/net/e1000.c
+@@ -547,7 +547,7 @@ e1000_send_packet(E1000State *s, const uint8_t *buf, int size)
+ 
+     NetClientState *nc = qemu_get_queue(s->nic);
+     if (s->phy_reg[PHY_CTRL] & MII_CR_LOOPBACK) {
+-        nc->info->receive(nc, buf, size);
++        qemu_receive_packet(nc, buf, size);
+     } else {
+         qemu_send_packet(nc, buf, size);
+     }
+-- 
+2.27.0
+
diff --git a/SOURCES/kvm-hw-intc-arm_gic-Fix-interrupt-ID-in-GICD_SGIR-regist.patch b/SOURCES/kvm-hw-intc-arm_gic-Fix-interrupt-ID-in-GICD_SGIR-regist.patch
new file mode 100644
index 0000000..d63b7ed
--- /dev/null
+++ b/SOURCES/kvm-hw-intc-arm_gic-Fix-interrupt-ID-in-GICD_SGIR-regist.patch
@@ -0,0 +1,80 @@
+From fd46dd1555e5955cf55b463ef126cf5cfac1d7ae Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Fri, 21 May 2021 23:04:32 -0400
+Subject: [PATCH 8/8] hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+Message-id: <20210521230432.585518-2-jmaloy@redhat.com>
+Patchwork-id: 101625
+O-Subject: [RHEL-8.4.0 qemu-kvm PATCH 1/1] hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register
+Bugzilla: 1952986
+RH-Acked-by: Danilo de Paula <ddepaula@redhat.com>
+RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
+RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+
+From: Philippe Mathieu-Daudé <f4bug@amsat.org>
+
+Per the ARM Generic Interrupt Controller Architecture specification
+(document "ARM IHI 0048B.b (ID072613)"), the SGIINTID field is 4 bit,
+not 10:
+
+  - 4.3 Distributor register descriptions
+  - 4.3.15 Software Generated Interrupt Register, GICD_SG
+
+    - Table 4-21 GICD_SGIR bit assignments
+
+    The Interrupt ID of the SGI to forward to the specified CPU
+    interfaces. The value of this field is the Interrupt ID, in
+    the range 0-15, for example a value of 0b0011 specifies
+    Interrupt ID 3.
+
+Correct the irq mask to fix an undefined behavior (which eventually
+lead to a heap-buffer-overflow, see [Buglink]):
+
+   $ echo 'writel 0x8000f00 0xff4affb0' | qemu-system-aarch64 -M virt,accel=qtest -qtest stdio
+   [I 1612088147.116987] OPENED
+  [R +0.278293] writel 0x8000f00 0xff4affb0
+  ../hw/intc/arm_gic.c:1498:13: runtime error: index 944 out of bounds for type 'uint8_t [16][8]'
+  SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/intc/arm_gic.c:1498:13
+
+This fixes a security issue when running with KVM on Arm with
+kernel-irqchip=off. (The default is kernel-irqchip=on, which is
+unaffected, and which is also the correct choice for performance.)
+
+Cc: qemu-stable@nongnu.org
+Fixes: CVE-2021-20221
+Fixes: 9ee6e8bb853 ("ARMv7 support.")
+Buglink: https://bugs.launchpad.net/qemu/+bug/1913916
+Buglink: https://bugs.launchpad.net/qemu/+bug/1913917
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Message-id: 20210131103401.217160-1-f4bug@amsat.org
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+
+(cherry picked from commit edfe2eb4360cde4ed5d95bda7777edcb3510f76a)
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ hw/intc/arm_gic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/intc/arm_gic.c b/hw/intc/arm_gic.c
+index 1d7da7baa2..df355f4d11 100644
+--- a/hw/intc/arm_gic.c
++++ b/hw/intc/arm_gic.c
+@@ -1455,7 +1455,7 @@ static void gic_dist_writel(void *opaque, hwaddr offset,
+         int target_cpu;
+ 
+         cpu = gic_get_current_cpu(s);
+-        irq = value & 0x3ff;
++        irq = value & 0xf;
+         switch ((value >> 24) & 3) {
+         case 0:
+             mask = (value >> 16) & ALL_CPU_MASK;
+-- 
+2.27.0
+
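Review bot: `irq = value & 0xf;` in `gic_dist_writel` is what bounds a guest-written value to the 16-entry SGI range, yet the mask is a bare literal with no comment. Per the commit message the field is SGIINTID, 4 bits wide, and the sanitizer report quoted there shows the indexed array has a first dimension of 16. I would document that at the line, e.g. `irq = value & 0xf; /* SGIINTID, bits [3:0]: SGI IDs 0-15 */`, or use a named mask if the file already defines one. The function continues outside the hunk, so the indexing site itself is not visible here.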
diff --git a/SOURCES/kvm-lan9118-switch-to-use-qemu_receive_packet-for-loopba.patch b/SOURCES/kvm-lan9118-switch-to-use-qemu_receive_packet-for-loopba.patch
new file mode 100644
index 0000000..11fac16
--- /dev/null
+++ b/SOURCES/kvm-lan9118-switch-to-use-qemu_receive_packet-for-loopba.patch
@@ -0,0 +1,53 @@
+From 0438b497def59f2101864d79a20e50b896ae1870 Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Tue, 29 Jun 2021 03:42:47 -0400
+Subject: [PATCH 9/9] lan9118: switch to use qemu_receive_packet() for loopback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+Message-id: <20210629034247.3286477-10-jmaloy@redhat.com>
+Patchwork-id: 101790
+O-Subject: [RHEL-8.4.0.z qemu-kvm PATCH v2 9/9] lan9118: switch to use qemu_receive_packet() for loopback
+Bugzilla: 1932917
+RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Thomas Huth <thuth@redhat.com>
+
+From: Alexander Bulekov <alxndr@bu.edu>
+
+This patch switches to use qemu_receive_packet() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
+Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+(cherry picked from commit 37cee01784ff0df13e5209517e1b3594a5e792d1)
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ hw/net/lan9118.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/lan9118.c b/hw/net/lan9118.c
+index ed551f2178..7bb4633f0f 100644
+--- a/hw/net/lan9118.c
++++ b/hw/net/lan9118.c
+@@ -667,7 +667,7 @@ static void do_tx_packet(lan9118_state *s)
+     /* FIXME: Honor TX disable, and allow queueing of packets.  */
+     if (s->phy_control & 0x4000)  {
+         /* This assumes the receive routine doesn't touch the VLANClient.  */
+-        lan9118_receive(qemu_get_queue(s->nic), s->txp->data, s->txp->len);
++        qemu_receive_packet(qemu_get_queue(s->nic), s->txp->data, s->txp->len);
+     } else {
+         qemu_send_packet(qemu_get_queue(s->nic), s->txp->data, s->txp->len);
+     }
+-- 
+2.27.0
+
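Review bot: The comment `/* This assumes the receive routine doesn't touch the VLANClient.  */` above the changed call in `do_tx_packet` no longer describes what happens, because the frame now goes through `qemu_receive_packet()` rather than straight into `lan9118_receive`. I would replace it with something like `/* Loopback: deliver via the net queue so a re-entrant receive is refused */`. The body of `do_tx_packet` starts and ends outside the hunk.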
diff --git a/SOURCES/kvm-libqos-pci-pc-use-32-bit-write-for-EJ-register.patch b/SOURCES/kvm-libqos-pci-pc-use-32-bit-write-for-EJ-register.patch
new file mode 100644
index 0000000..b9781d0
--- /dev/null
+++ b/SOURCES/kvm-libqos-pci-pc-use-32-bit-write-for-EJ-register.patch
@@ -0,0 +1,47 @@
+From 17813233c9bb5c93c7f3c7fc350641f8e76e769c Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Wed, 21 Apr 2021 22:30:02 -0400
+Subject: [PATCH 3/8] libqos: pci-pc: use 32-bit write for EJ register
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+Message-id: <20210421223006.19650-3-jmaloy@redhat.com>
+Patchwork-id: 101484
+O-Subject: [RHEL-8.5.0 qemu-kvm PATCH v2 2/6] libqos: pci-pc: use 32-bit write for EJ register
+Bugzilla: 1944621
+RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
+RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+The memory region ops have min_access_size == 4 so obey it.
+
+Tested-by: Thomas Huth <thuth@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+(cherry picked from commit 4b7c06837ae0b1ff56473202a42e7e386f53d6db)
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ tests/libqos/pci-pc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/libqos/pci-pc.c b/tests/libqos/pci-pc.c
+index 0bc591d1da..3bb2eb3ba8 100644
+--- a/tests/libqos/pci-pc.c
++++ b/tests/libqos/pci-pc.c
+@@ -186,7 +186,7 @@ void qpci_unplug_acpi_device_test(QTestState *qts, const char *id, uint8_t slot)
+     g_assert(!qdict_haskey(response, "error"));
+     qobject_unref(response);
+ 
+-    qtest_outb(qts, ACPI_PCIHP_ADDR + PCI_EJ_BASE, 1 << slot);
++    qtest_outl(qts, ACPI_PCIHP_ADDR + PCI_EJ_BASE, 1 << slot);
+ 
+     qtest_qmp_eventwait(qts, "DEVICE_DELETED");
+ }
+-- 
+2.27.0
+
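Review bot: `1 << slot` in `qpci_unplug_acpi_device_test` is an `int` shift, and now that the value is written with `qtest_outl` all 32 bits are significant. For `slot == 31` the shift overflows a signed int, and `slot` is a `uint8_t` with no range check visible in the hunk. Use an unsigned operand: `qtest_outl(qts, ACPI_PCIHP_ADDR + PCI_EJ_BASE, 1U << slot);`. A `g_assert(slot < 32);` before it would make the precondition explicit. The function starts outside the hunk.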
diff --git a/SOURCES/kvm-libqos-usb-hcd-ehci-use-32-bit-write-for-config-regi.patch b/SOURCES/kvm-libqos-usb-hcd-ehci-use-32-bit-write-for-config-regi.patch
new file mode 100644
index 0000000..1406231
--- /dev/null
+++ b/SOURCES/kvm-libqos-usb-hcd-ehci-use-32-bit-write-for-config-regi.patch
@@ -0,0 +1,48 @@
+From 9c10bd2a3cd83c06add41e61a970da304fb0d3bf Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Wed, 21 Apr 2021 22:30:01 -0400
+Subject: [PATCH 2/8] libqos: usb-hcd-ehci: use 32-bit write for config
+ register
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+Message-id: <20210421223006.19650-2-jmaloy@redhat.com>
+Patchwork-id: 101478
+O-Subject: [RHEL-8.5.0 qemu-kvm PATCH v2 1/6] libqos: usb-hcd-ehci: use 32-bit write for config register
+Bugzilla: 1944621
+RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
+RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+The memory region ops have min_access_size == 4 so obey it.
+
+Tested-by: Thomas Huth <thuth@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+(cherry picked from commit 89ed83d8b23c11d250c290593cad3ca839d5b053)
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ tests/usb-hcd-ehci-test.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/usb-hcd-ehci-test.c b/tests/usb-hcd-ehci-test.c
+index 5251d539e9..c51e8bb223 100644
+--- a/tests/usb-hcd-ehci-test.c
++++ b/tests/usb-hcd-ehci-test.c
+@@ -96,7 +96,7 @@ static void pci_ehci_port_1(void)
+ static void pci_ehci_config(void)
+ {
+     /* hands over all ports from companion uhci to ehci */
+-    qpci_io_writew(ehci1.dev, ehci1.bar, 0x60, 1);
++    qpci_io_writel(ehci1.dev, ehci1.bar, 0x60, 1);
+ }
+ 
+ static void pci_uhci_port_2(void)
+-- 
+2.27.0
+
diff --git a/SOURCES/kvm-memory-Revert-memory-accept-mismatching-sizes-in-mem.patch b/SOURCES/kvm-memory-Revert-memory-accept-mismatching-sizes-in-mem.patch
new file mode 100644
index 0000000..eff9682
--- /dev/null
+++ b/SOURCES/kvm-memory-Revert-memory-accept-mismatching-sizes-in-mem.patch
@@ -0,0 +1,104 @@
+From e4010373c72eab2342d2ba7f10c1ddf43dc618c8 Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Wed, 21 Apr 2021 22:30:03 -0400
+Subject: [PATCH 4/8] memory: Revert "memory: accept mismatching sizes in
+ memory_region_access_valid"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+Message-id: <20210421223006.19650-4-jmaloy@redhat.com>
+Patchwork-id: 101480
+O-Subject: [RHEL-8.5.0 qemu-kvm PATCH v2 3/6] memory: Revert "memory: accept mismatching sizes in memory_region_access_valid"
+Bugzilla: 1944621
+RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
+RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+
+From: "Michael S. Tsirkin" <mst@redhat.com>
+
+Memory API documentation documents valid .min_access_size and .max_access_size
+fields and explains that any access outside these boundaries is blocked.
+
+This is what devices seem to assume.
+
+However this is not what the implementation does: it simply
+ignores the boundaries unless there's an "accepts" callback.
+
+Naturally, this breaks a bunch of devices.
+
+Revert to the documented behaviour.
+
+Devices that want to allow any access can just drop the valid field,
+or add the impl field to have accesses converted to appropriate
+length.
+
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Richard Henderson <rth@twiddle.net>
+Fixes: CVE-2020-13754
+Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1842363
+Fixes: a014ed07bd5a ("memory: accept mismatching sizes in memory_region_access_valid")
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Message-Id: <20200610134731.1514409-1-mst@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+(cherry picked from commit 5d971f9e672507210e77d020d89e0e89165c8fc9)
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ memory.c | 29 +++++++++--------------------
+ 1 file changed, 9 insertions(+), 20 deletions(-)
+
+diff --git a/memory.c b/memory.c
+index 5a4a80842d..0cfcb72a5a 100644
+--- a/memory.c
++++ b/memory.c
+@@ -1351,35 +1351,24 @@ bool memory_region_access_valid(MemoryRegion *mr,
+                                 bool is_write,
+                                 MemTxAttrs attrs)
+ {
+-    int access_size_min, access_size_max;
+-    int access_size, i;
+-
+-    if (!mr->ops->valid.unaligned && (addr & (size - 1))) {
++    if (mr->ops->valid.accepts
++        && !mr->ops->valid.accepts(mr->opaque, addr, size, is_write, attrs)) {
+         return false;
+     }
+ 
+-    if (!mr->ops->valid.accepts) {
+-        return true;
+-    }
+-
+-    access_size_min = mr->ops->valid.min_access_size;
+-    if (!mr->ops->valid.min_access_size) {
+-        access_size_min = 1;
++    if (!mr->ops->valid.unaligned && (addr & (size - 1))) {
++        return false;
+     }
+ 
+-    access_size_max = mr->ops->valid.max_access_size;
++    /* Treat zero as compatibility all valid */
+     if (!mr->ops->valid.max_access_size) {
+-        access_size_max = 4;
++        return true;
+     }
+ 
+-    access_size = MAX(MIN(size, access_size_max), access_size_min);
+-    for (i = 0; i < size; i += access_size) {
+-        if (!mr->ops->valid.accepts(mr->opaque, addr + i, access_size,
+-                                    is_write, attrs)) {
+-            return false;
+-        }
++    if (size > mr->ops->valid.max_access_size
++        || size < mr->ops->valid.min_access_size) {
++        return false;
+     }
+-
+     return true;
+ }
+ 
+-- 
+2.27.0
+
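Review bot: In the new `memory_region_access_valid`, the early `return true` for `max_access_size == 0` also skips the `min_access_size` comparison, so an ops table that sets only `.valid.min_access_size` gets no size enforcement. The comment `/* Treat zero as compatibility all valid */` does not make that clear. If it is intended, spell it out, e.g. `/* max_access_size == 0: legacy ops, any size accepted (min_access_size is not checked) */`. Separately, `addr & (size - 1)` relies on `size` being a non-zero power of two, which this function does not check and presumably leaves to its callers. The first line of the signature sits in the hunk header, outside the hunk body.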
diff --git a/SOURCES/kvm-net-introduce-qemu_receive_packet.patch b/SOURCES/kvm-net-introduce-qemu_receive_packet.patch
new file mode 100644
index 0000000..7fecc55
--- /dev/null
+++ b/SOURCES/kvm-net-introduce-qemu_receive_packet.patch
@@ -0,0 +1,187 @@
+From ee23b82cc9174c96ea73252e2986cf822999494b Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Tue, 29 Jun 2021 03:42:39 -0400
+Subject: [PATCH 1/9] net: introduce qemu_receive_packet()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+Message-id: <20210629034247.3286477-2-jmaloy@redhat.com>
+Patchwork-id: 101785
+O-Subject: [RHEL-8.4.0.z qemu-kvm PATCH v2 1/9] net: introduce qemu_receive_packet()
+Bugzilla: 1932917
+RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Thomas Huth <thuth@redhat.com>
+
+From: Jason Wang <jasowang@redhat.com>
+
+Some NIC supports loopback mode and this is done by calling
+nc->info->receive() directly which in fact suppresses the effort of
+reentrancy check that is done in qemu_net_queue_send().
+
+Unfortunately we can't use qemu_net_queue_send() here since for
+loopback there's no sender as peer, so this patch introduce a
+qemu_receive_packet() which is used for implementing loopback mode
+for a NIC with this check.
+
+NIC that supports loopback mode will be converted to this helper.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+(cherry picked from commit 705df5466c98f3efdd2b68d3b31dad86858acad7)
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ include/net/net.h   |  5 +++++
+ include/net/queue.h |  8 ++++++++
+ net/net.c           | 38 +++++++++++++++++++++++++++++++-------
+ net/queue.c         | 22 ++++++++++++++++++++++
+ 4 files changed, 66 insertions(+), 7 deletions(-)
+
+diff --git a/include/net/net.h b/include/net/net.h
+index e175ba9677..1b32a8aaec 100644
+--- a/include/net/net.h
++++ b/include/net/net.h
+@@ -142,12 +142,17 @@ void *qemu_get_nic_opaque(NetClientState *nc);
+ void qemu_del_net_client(NetClientState *nc);
+ typedef void (*qemu_nic_foreach)(NICState *nic, void *opaque);
+ void qemu_foreach_nic(qemu_nic_foreach func, void *opaque);
++int qemu_can_receive_packet(NetClientState *nc);
+ int qemu_can_send_packet(NetClientState *nc);
+ ssize_t qemu_sendv_packet(NetClientState *nc, const struct iovec *iov,
+                           int iovcnt);
+ ssize_t qemu_sendv_packet_async(NetClientState *nc, const struct iovec *iov,
+                                 int iovcnt, NetPacketSent *sent_cb);
+ ssize_t qemu_send_packet(NetClientState *nc, const uint8_t *buf, int size);
++ssize_t qemu_receive_packet(NetClientState *nc, const uint8_t *buf, int size);
++ssize_t qemu_receive_packet_iov(NetClientState *nc,
++                                const struct iovec *iov,
++                                int iovcnt);
+ ssize_t qemu_send_packet_raw(NetClientState *nc, const uint8_t *buf, int size);
+ ssize_t qemu_send_packet_async(NetClientState *nc, const uint8_t *buf,
+                                int size, NetPacketSent *sent_cb);
+diff --git a/include/net/queue.h b/include/net/queue.h
+index c0269bb1dc..9f2f289d77 100644
+--- a/include/net/queue.h
++++ b/include/net/queue.h
+@@ -55,6 +55,14 @@ void qemu_net_queue_append_iov(NetQueue *queue,
+ 
+ void qemu_del_net_queue(NetQueue *queue);
+ 
++ssize_t qemu_net_queue_receive(NetQueue *queue,
++                               const uint8_t *data,
++                               size_t size);
++
++ssize_t qemu_net_queue_receive_iov(NetQueue *queue,
++                                   const struct iovec *iov,
++                                   int iovcnt);
++
+ ssize_t qemu_net_queue_send(NetQueue *queue,
+                             NetClientState *sender,
+                             unsigned flags,
+diff --git a/net/net.c b/net/net.c
+index 84aa6d8d00..d0b651ca95 100644
+--- a/net/net.c
++++ b/net/net.c
+@@ -516,6 +516,17 @@ int qemu_set_vnet_be(NetClientState *nc, bool is_be)
+ #endif
+ }
+ 
++int qemu_can_receive_packet(NetClientState *nc)
++{
++    if (nc->receive_disabled) {
++        return 0;
++    } else if (nc->info->can_receive &&
++               !nc->info->can_receive(nc)) {
++        return 0;
++    }
++    return 1;
++}
++
+ int qemu_can_send_packet(NetClientState *sender)
+ {
+     int vm_running = runstate_is_running();
+@@ -528,13 +539,7 @@ int qemu_can_send_packet(NetClientState *sender)
+         return 1;
+     }
+ 
+-    if (sender->peer->receive_disabled) {
+-        return 0;
+-    } else if (sender->peer->info->can_receive &&
+-               !sender->peer->info->can_receive(sender->peer)) {
+-        return 0;
+-    }
+-    return 1;
++    return qemu_can_receive_packet(sender->peer);
+ }
+ 
+ static ssize_t filter_receive_iov(NetClientState *nc,
+@@ -667,6 +672,25 @@ ssize_t qemu_send_packet(NetClientState *nc, const uint8_t *buf, int size)
+     return qemu_send_packet_async(nc, buf, size, NULL);
+ }
+ 
++ssize_t qemu_receive_packet(NetClientState *nc, const uint8_t *buf, int size)
++{
++    if (!qemu_can_receive_packet(nc)) {
++        return 0;
++    }
++
++    return qemu_net_queue_receive(nc->incoming_queue, buf, size);
++}
++
++ssize_t qemu_receive_packet_iov(NetClientState *nc, const struct iovec *iov,
++                                int iovcnt)
++{
++    if (!qemu_can_receive_packet(nc)) {
++        return 0;
++    }
++
++    return qemu_net_queue_receive_iov(nc->incoming_queue, iov, iovcnt);
++}
++
+ ssize_t qemu_send_packet_raw(NetClientState *nc, const uint8_t *buf, int size)
+ {
+     return qemu_send_packet_async_with_flags(nc, QEMU_NET_PACKET_FLAG_RAW,
+diff --git a/net/queue.c b/net/queue.c
+index 61276ca4be..7c0b72c8ef 100644
+--- a/net/queue.c
++++ b/net/queue.c
+@@ -182,6 +182,28 @@ static ssize_t qemu_net_queue_deliver_iov(NetQueue *queue,
+     return ret;
+ }
+ 
++ssize_t qemu_net_queue_receive(NetQueue *queue,
++                               const uint8_t *data,
++                               size_t size)
++{
++    if (queue->delivering) {
++        return 0;
++    }
++
++    return qemu_net_queue_deliver(queue, NULL, 0, data, size);
++}
++
++ssize_t qemu_net_queue_receive_iov(NetQueue *queue,
++                                   const struct iovec *iov,
++                                   int iovcnt)
++{
++    if (queue->delivering) {
++        return 0;
++    }
++
++    return qemu_net_queue_deliver_iov(queue, NULL, 0, iov, iovcnt);
++}
++
+ ssize_t qemu_net_queue_send(NetQueue *queue,
+                             NetClientState *sender,
+                             unsigned flags,
+-- 
+2.27.0
+
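Review bot: `qemu_receive_packet()` and `qemu_receive_packet_iov()` are added to include/net/net.h with no comment, and their return value is ambiguous. They return 0 both when `qemu_can_receive_packet()` refuses and when `qemu_net_queue_receive()` sees `queue->delivering`, so callers cannot tell why a frame was dropped. A short header comment would help, along the lines of `/* Loopback delivery to nc itself; returns 0 and drops the frame if nc cannot receive or its queue is already delivering. */`. Separately, `int size` is passed to the `size_t` parameter of `qemu_net_queue_receive()`, so a negative size would become a very large length. A `size < 0` guard in `qemu_receive_packet()` would close that off.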
diff --git a/SOURCES/kvm-net-remove-an-assert-call-in-eth_get_gso_type.patch b/SOURCES/kvm-net-remove-an-assert-call-in-eth_get_gso_type.patch
new file mode 100644
index 0000000..cf3ef08
--- /dev/null
+++ b/SOURCES/kvm-net-remove-an-assert-call-in-eth_get_gso_type.patch
@@ -0,0 +1,62 @@
+From 04c233dd15e3b5bc842af371c3433eb723ffb6e6 Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Tue, 23 Mar 2021 22:11:13 -0400
+Subject: [PATCH 1/8] net: remove an assert call in eth_get_gso_type
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+Message-id: <20210323221113.1893864-2-jmaloy@redhat.com>
+Patchwork-id: 101364
+O-Subject: [RHEL-8.4.0 qemu-kvm PATCH 1/1] net: remove an assert call in eth_get_gso_type
+Bugzilla: 1939494
+RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+RH-Acked-by: Xiao Wang <jasowang@redhat.com>
+RH-Acked-by: Thomas Huth <thuth@redhat.com>
+
+From: Prasad J Pandit <pjp@fedoraproject.org>
+
+eth_get_gso_type() routine returns segmentation offload type based on
+L3 protocol type. It calls g_assert_not_reached if L3 protocol is
+unknown, making the following return statement unreachable. Remove the
+g_assert call, it maybe triggered by a guest user.
+
+Reported-by: Gaoning Pan <pgn@zju.edu.cn>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+(cherry picked from commit 7564bf7701f00214cdc8a678a9f7df765244def1)
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ net/eth.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/net/eth.c b/net/eth.c
+index 0c1d413ee2..1e0821c5f8 100644
+--- a/net/eth.c
++++ b/net/eth.c
+@@ -16,6 +16,7 @@
+  */
+ 
+ #include "qemu/osdep.h"
++#include "qemu/log.h"
+ #include "net/eth.h"
+ #include "net/checksum.h"
+ #include "net/tap.h"
+@@ -71,9 +72,8 @@ eth_get_gso_type(uint16_t l3_proto, uint8_t *l3_hdr, uint8_t l4proto)
+             return VIRTIO_NET_HDR_GSO_TCPV6 | ecn_state;
+         }
+     }
+-
+-    /* Unsupported offload */
+-    g_assert_not_reached();
++    qemu_log_mask(LOG_UNIMP, "%s: probably not GSO frame, "
++        "unknown L3 protocol: 0x%04"PRIx16"\n", __func__, l3_proto);
+ 
+     return VIRTIO_NET_HDR_GSO_NONE | ecn_state;
+ }
+-- 
+2.27.0
+
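Review bot: The tail of eth_get_gso_type() loses its only comment along with the assert, so nothing there records that an unknown L3 protocol is guest-supplied input which must not abort the process. I would keep a one-line comment above the new log call, for example `/* Unknown L3 protocol: guest-reachable, so log and fall back to GSO_NONE */`. The message is filed under `LOG_UNIMP`; since the commit text says a guest user can trigger this path, `LOG_GUEST_ERROR` may be the better mask, though that depends on how the project classifies it. The format string also glues `PRIx16` to the adjacent literals; `"0x%04" PRIx16 "\n"` with spaces is the safer spelling. The function starts outside this hunk.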
diff --git a/SOURCES/kvm-pc-bios-s390-ccw-break-loop-if-a-null-block-number-i.patch b/SOURCES/kvm-pc-bios-s390-ccw-break-loop-if-a-null-block-number-i.patch
new file mode 100644
index 0000000..c54cfbd
--- /dev/null
+++ b/SOURCES/kvm-pc-bios-s390-ccw-break-loop-if-a-null-block-number-i.patch
@@ -0,0 +1,46 @@
+From 3d7ff6c57357e1fb8453b26200cfd239e9cdaa72 Mon Sep 17 00:00:00 2001
+From: Thomas Huth <thuth@redhat.com>
+Date: Thu, 24 Jun 2021 14:50:46 -0400
+Subject: [PATCH 2/3] pc-bios/s390-ccw: break loop if a null block number is
+ reached
+
+RH-Author: Thomas Huth <thuth@redhat.com>
+Message-id: <20210624145047.483112-3-thuth@redhat.com>
+Patchwork-id: 101762
+O-Subject: [RHEL-8.2.0.z / RHEL-8.4.0.z qemu-kvm PATCH 2/3] pc-bios/s390-ccw: break loop if a null block number is reached
+Bugzilla: 1975679
+RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
+RH-Acked-by: Jon Maloy <jmaloy@redhat.com>
+RH-Acked-by: Cornelia Huck <cohuck@redhat.com>
+
+Break the loop if `cur_block_nr` is a null block number because this
+means that the end of chunk is reached. In this case we will try to
+boot the default entry.
+
+Fixes: ba831b25262a ("s390-ccw: read stage2 boot loader data to find menu")
+Reviewed-by: Collin Walling <walling@linux.ibm.com>
+Signed-off-by: Marc Hartmayer <mhartmay@linux.ibm.com>
+Message-Id: <20200924085926.21709-3-mhartmay@linux.ibm.com>
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+(cherry picked from commit 468184ec9024f4f7b55247f70ec57554e8a500d7)
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ pc-bios/s390-ccw/bootmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/pc-bios/s390-ccw/bootmap.c b/pc-bios/s390-ccw/bootmap.c
+index bb6e003270..624f524331 100644
+--- a/pc-bios/s390-ccw/bootmap.c
++++ b/pc-bios/s390-ccw/bootmap.c
+@@ -192,7 +192,7 @@ static int eckd_get_boot_menu_index(block_number_t s1b_block_nr)
+     for (i = 0; i < STAGE2_BLK_CNT_MAX; i++) {
+         cur_block_nr = eckd_block_num(&s1b->seek[i].chs);
+ 
+-        if (!cur_block_nr) {
++        if (!cur_block_nr || is_null_block_number(cur_block_nr)) {
+             break;
+         }
+ 
+-- 
+2.27.0
+
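Review bot: The loop exit in eckd_get_boot_menu_index() now tests two different end markers, a zero block number and whatever is_null_block_number() recognises, and nothing beside it says why both are needed. A short comment such as `/* 0 and the null block number both mark the end of the chunk */` would make the intent clear. The same applies to the `next_block_nr` test changed in kvm-pc-bios-s390-ccw-don-t-try-to-read-the-next-block-if.patch. is_null_block_number() is defined outside the hunk, so it cannot be checked here whether it already covers zero; if it does, the `!cur_block_nr` half is redundant. The function body starts and ends outside this hunk.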
diff --git a/SOURCES/kvm-pc-bios-s390-ccw-don-t-try-to-read-the-next-block-if.patch b/SOURCES/kvm-pc-bios-s390-ccw-don-t-try-to-read-the-next-block-if.patch
new file mode 100644
index 0000000..1d45f6d
--- /dev/null
+++ b/SOURCES/kvm-pc-bios-s390-ccw-don-t-try-to-read-the-next-block-if.patch
@@ -0,0 +1,44 @@
+From c3f15d52ad265bba0b21453d2d8b69f597092c25 Mon Sep 17 00:00:00 2001
+From: Thomas Huth <thuth@redhat.com>
+Date: Thu, 24 Jun 2021 14:50:47 -0400
+Subject: [PATCH 3/3] pc-bios/s390-ccw: don't try to read the next block if end
+ of chunk is reached
+
+RH-Author: Thomas Huth <thuth@redhat.com>
+Message-id: <20210624145047.483112-4-thuth@redhat.com>
+Patchwork-id: 101763
+O-Subject: [RHEL-8.2.0.z / RHEL-8.4.0.z qemu-kvm PATCH 3/3] pc-bios/s390-ccw: don't try to read the next block if end of chunk is reached
+Bugzilla: 1975679
+RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
+RH-Acked-by: Jon Maloy <jmaloy@redhat.com>
+RH-Acked-by: Cornelia Huck <cohuck@redhat.com>
+
+Don't read the block if a null block number is reached, because this means that
+the end of chunk is reached.
+
+Reviewed-by: Collin Walling <walling@linux.ibm.com>
+Signed-off-by: Marc Hartmayer <mhartmay@linux.ibm.com>
+Message-Id: <20210416074736.17409-1-mhartmay@linux.ibm.com>
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+(cherry picked from commit a6625d38cce3901a7c1cba069f0abcf743a293f1)
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ pc-bios/s390-ccw/bootmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/pc-bios/s390-ccw/bootmap.c b/pc-bios/s390-ccw/bootmap.c
+index 624f524331..8458b15cb6 100644
+--- a/pc-bios/s390-ccw/bootmap.c
++++ b/pc-bios/s390-ccw/bootmap.c
+@@ -212,7 +212,7 @@ static int eckd_get_boot_menu_index(block_number_t s1b_block_nr)
+                 next_block_nr = eckd_block_num(&s1b->seek[i + 1].chs);
+             }
+ 
+-            if (next_block_nr) {
++            if (next_block_nr && !is_null_block_number(next_block_nr)) {
+                 read_block(next_block_nr, s2_next_blk,
+                            "Cannot read stage2 boot loader");
+             }
+-- 
+2.27.0
+
diff --git a/SOURCES/kvm-pc-bios-s390-ccw-fix-off-by-one-error.patch b/SOURCES/kvm-pc-bios-s390-ccw-fix-off-by-one-error.patch
new file mode 100644
index 0000000..d180158
--- /dev/null
+++ b/SOURCES/kvm-pc-bios-s390-ccw-fix-off-by-one-error.patch
@@ -0,0 +1,47 @@
+From 93ddbd8ba056141dd68d973d534b67dad9882052 Mon Sep 17 00:00:00 2001
+From: Thomas Huth <thuth@redhat.com>
+Date: Thu, 24 Jun 2021 14:50:45 -0400
+Subject: [PATCH 1/3] pc-bios/s390-ccw: fix off-by-one error
+
+RH-Author: Thomas Huth <thuth@redhat.com>
+Message-id: <20210624145047.483112-2-thuth@redhat.com>
+Patchwork-id: 101764
+O-Subject: [RHEL-8.2.0.z / RHEL-8.4.0.z qemu-kvm PATCH 1/3] pc-bios/s390-ccw: fix off-by-one error
+Bugzilla: 1975679
+RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
+RH-Acked-by: Jon Maloy <jmaloy@redhat.com>
+RH-Acked-by: Cornelia Huck <cohuck@redhat.com>
+
+This error takes effect when the magic value "zIPL" is located at the
+end of a block. For example if s2_cur_blk = 0x7fe18000 and the magic
+value "zIPL" is located at 0x7fe18ffc - 0x7fe18fff.
+
+Fixes: ba831b25262a ("s390-ccw: read stage2 boot loader data to find menu")
+Reviewed-by: Collin Walling <walling@linux.ibm.com>
+Signed-off-by: Marc Hartmayer <mhartmay@linux.ibm.com>
+Message-Id: <20200924085926.21709-2-mhartmay@linux.ibm.com>
+Reviewed-by: Thomas Huth <thuth@redhat.com>
+[thuth: Use "<= ... - 4" instead of "< ... - 3"]
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+(cherry picked from commit 5f97ba0c74ccace0a4014460de9751ff3c6f454a)
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ pc-bios/s390-ccw/bootmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/pc-bios/s390-ccw/bootmap.c b/pc-bios/s390-ccw/bootmap.c
+index e91ea719ff..bb6e003270 100644
+--- a/pc-bios/s390-ccw/bootmap.c
++++ b/pc-bios/s390-ccw/bootmap.c
+@@ -163,7 +163,7 @@ static bool find_zipl_boot_menu_banner(int *offset)
+     int i;
+ 
+     /* Menu banner starts with "zIPL" */
+-    for (i = 0; i < virtio_get_block_size() - 4; i++) {
++    for (i = 0; i <= virtio_get_block_size() - 4; i++) {
+         if (magic_match(s2_cur_blk + i, ZIPL_MAGIC_EBCDIC)) {
+             *offset = i;
+             return true;
+-- 
+2.27.0
+
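Review bot: The corrected bound in find_zipl_boot_menu_banner() still rests on a bare `4` that has to equal the number of bytes magic_match() compares, and nothing ties the two together. A comment on the loop, for example `/* last valid start offset is block_size - 4: the magic is 4 bytes long */`, or a named constant for the magic length, would keep the scan limit from drifting out of step with the compare. The return type of virtio_get_block_size() is not visible here; if it is unsigned, a block size below 4 would wrap the subtraction, so a guard or a note on the assumed minimum size is worth adding. The call is also loop-invariant and could be read once before the loop. The function continues outside this hunk.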
diff --git a/SOURCES/kvm-pcnet-switch-to-use-qemu_receive_packet-for-loopback.patch b/SOURCES/kvm-pcnet-switch-to-use-qemu_receive_packet-for-loopback.patch
new file mode 100644
index 0000000..2c66a5f
--- /dev/null
+++ b/SOURCES/kvm-pcnet-switch-to-use-qemu_receive_packet-for-loopback.patch
@@ -0,0 +1,54 @@
+From 3427c5573a7ab788e0c39e30b4d0ed5db85f03b3 Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Tue, 29 Jun 2021 03:42:45 -0400
+Subject: [PATCH 7/9] pcnet: switch to use qemu_receive_packet() for loopback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+Message-id: <20210629034247.3286477-8-jmaloy@redhat.com>
+Patchwork-id: 101791
+O-Subject: [RHEL-8.4.0.z qemu-kvm PATCH v2 7/9] pcnet: switch to use qemu_receive_packet() for loopback
+Bugzilla: 1932917
+RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Thomas Huth <thuth@redhat.com>
+
+From: Alexander Bulekov <alxndr@bu.edu>
+
+This patch switches to use qemu_receive_packet() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Buglink: https://bugs.launchpad.net/qemu/+bug/1917085
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
+Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+(cherry picked from commit 99ccfaa1edafd79f7a3a0ff7b58ae4da7c514928)
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ hw/net/pcnet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
+index f3f18d8598..dcd3fc4948 100644
+--- a/hw/net/pcnet.c
++++ b/hw/net/pcnet.c
+@@ -1250,7 +1250,7 @@ txagain:
+             if (BCR_SWSTYLE(s) == 1)
+                 add_crc = !GET_FIELD(tmd.status, TMDS, NOFCS);
+             s->looptest = add_crc ? PCNET_LOOPTEST_CRC : PCNET_LOOPTEST_NOCRC;
+-            pcnet_receive(qemu_get_queue(s->nic), s->buffer, s->xmit_pos);
++            qemu_receive_packet(qemu_get_queue(s->nic), s->buffer, s->xmit_pos);
+             s->looptest = 0;
+         } else {
+             if (s->nic) {
+-- 
+2.27.0
+
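Review bot: The result of `qemu_receive_packet()` is discarded at the loopback call in the pcnet transmit path. The helper added in net/net.c returns 0 both when the client cannot receive and when the incoming queue is already delivering. A loopback frame dropped by the reentrancy guard therefore leaves no trace, which makes it hard to tell a guest poking at loopback mode from a genuine receive stall. I would at least document it at the call site, `/* returns 0 and drops the frame if the queue is being re-entered */`, and consider a guest-error log line when the return value is 0. The same applies to the loopback calls changed in the rtl8139, sungem and net_tx_pkt patches of this series. The enclosing function starts and ends outside this hunk.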
diff --git a/SOURCES/kvm-rtl8139-switch-to-use-qemu_receive_packet-for-loopba.patch b/SOURCES/kvm-rtl8139-switch-to-use-qemu_receive_packet-for-loopba.patch
new file mode 100644
index 0000000..95df72c
--- /dev/null
+++ b/SOURCES/kvm-rtl8139-switch-to-use-qemu_receive_packet-for-loopba.patch
@@ -0,0 +1,54 @@
+From e0b83063b76725878c466f1b8918c61864cfd0c2 Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Tue, 29 Jun 2021 03:42:44 -0400
+Subject: [PATCH 6/9] rtl8139: switch to use qemu_receive_packet() for loopback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+Message-id: <20210629034247.3286477-7-jmaloy@redhat.com>
+Patchwork-id: 101792
+O-Subject: [RHEL-8.4.0.z qemu-kvm PATCH v2 6/9] rtl8139: switch to use qemu_receive_packet() for loopback
+Bugzilla: 1932917
+RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Thomas Huth <thuth@redhat.com>
+
+From: Alexander Bulekov <alxndr@bu.edu>
+
+This patch switches to use qemu_receive_packet() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Buglink: https://bugs.launchpad.net/qemu/+bug/1910826
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
+Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+(cherry picked from commit 5311fb805a4403bba024e83886fa0e7572265de4)
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ hw/net/rtl8139.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
+index 21d80e96cf..ccb04faa4c 100644
+--- a/hw/net/rtl8139.c
++++ b/hw/net/rtl8139.c
+@@ -1793,7 +1793,7 @@ static void rtl8139_transfer_frame(RTL8139State *s, uint8_t *buf, int size,
+         }
+ 
+         DPRINTF("+++ transmit loopback mode\n");
+-        rtl8139_do_receive(qemu_get_queue(s->nic), buf, size, do_interrupt);
++        qemu_receive_packet(qemu_get_queue(s->nic), buf, size);
+ 
+         if (iov) {
+             g_free(buf2);
+-- 
+2.27.0
+
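Review bot: The `do_interrupt` argument that the old loopback call handed to rtl8139_do_receive() is no longer forwarded, because `qemu_receive_packet()` takes only the client, the buffer and the size. The receive callback the frame now goes through is not visible here; if it always raises the interrupt, loopback transmits made with do_interrupt == 0 will behave differently than before. That may be intended, but it should be stated next to the call, for example `/* do_interrupt is not forwarded: delivery goes through the NIC receive callback */`. rtl8139_transfer_frame() starts and ends outside this hunk.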
diff --git a/SOURCES/kvm-softmmu-memory-Log-invalid-memory-accesses.patch b/SOURCES/kvm-softmmu-memory-Log-invalid-memory-accesses.patch
new file mode 100644
index 0000000..9b468ed
--- /dev/null
+++ b/SOURCES/kvm-softmmu-memory-Log-invalid-memory-accesses.patch
@@ -0,0 +1,84 @@
+From 251adb595eb7e39e9368cb7ed07f9a4c42d28d2c Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Wed, 21 Apr 2021 22:30:06 -0400
+Subject: [PATCH 7/8] softmmu/memory: Log invalid memory accesses
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+Message-id: <20210421223006.19650-7-jmaloy@redhat.com>
+Patchwork-id: 101481
+O-Subject: [RHEL-8.5.0 qemu-kvm PATCH v2 6/6] softmmu/memory: Log invalid memory accesses
+Bugzilla: 1944621
+RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
+RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+
+From: Philippe Mathieu-Daudé <philmd@redhat.com>
+
+Log invalid memory accesses with as GUEST_ERROR.
+
+This is particularly useful since commit 5d971f9e67 which reverted
+("memory: accept mismatching sizes in memory_region_access_valid").
+
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Message-Id: <20201005152725.2143444-1-philmd@redhat.com>
+Signed-off-by: Laurent Vivier <laurent@vivier.eu>
+
+(cherry picked from commit 21786c7e59847b1612406ff394958f22e5b323f8)
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ memory.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/memory.c b/memory.c
+index 0cfcb72a5a..660df8159a 100644
+--- a/memory.c
++++ b/memory.c
+@@ -14,6 +14,7 @@
+  */
+ 
+ #include "qemu/osdep.h"
++#include "qemu/log.h"
+ #include "qapi/error.h"
+ #include "cpu.h"
+ #include "exec/memory.h"
+@@ -1353,10 +1354,18 @@ bool memory_region_access_valid(MemoryRegion *mr,
+ {
+     if (mr->ops->valid.accepts
+         && !mr->ops->valid.accepts(mr->opaque, addr, size, is_write, attrs)) {
++        qemu_log_mask(LOG_GUEST_ERROR, "Invalid access at addr "
++                                       "0x%" HWADDR_PRIX ", size %u, "
++                                       "region '%s', reason: rejected\n",
++                      addr, size, memory_region_name(mr));
+         return false;
+     }
+ 
+     if (!mr->ops->valid.unaligned && (addr & (size - 1))) {
++        qemu_log_mask(LOG_GUEST_ERROR, "Invalid access at addr "
++                                       "0x%" HWADDR_PRIX ", size %u, "
++                                       "region '%s', reason: unaligned\n",
++                      addr, size, memory_region_name(mr));
+         return false;
+     }
+ 
+@@ -1367,6 +1376,13 @@ bool memory_region_access_valid(MemoryRegion *mr,
+ 
+     if (size > mr->ops->valid.max_access_size
+         || size < mr->ops->valid.min_access_size) {
++        qemu_log_mask(LOG_GUEST_ERROR, "Invalid access at addr "
++                                       "0x%" HWADDR_PRIX ", size %u, "
++                                       "region '%s', reason: invalid size "
++                                       "(min:%u max:%u)\n",
++                      addr, size, memory_region_name(mr),
++                      mr->ops->valid.min_access_size,
++                      mr->ops->valid.max_access_size);
+         return false;
+     }
+     return true;
+-- 
+2.27.0
+
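Review bot: None of the three new messages in memory_region_access_valid() says whether the rejected access was a read or a write, although `is_write` is in scope and is passed to `valid.accepts` a few lines above. For anyone triaging guest-error logs the direction matters, so I would add it, for example `"Invalid %s at addr 0x%" HWADDR_PRIX ", size %u, "` with `is_write ? "write" : "read"` as the first argument. The three calls repeat the same prefix and argument list; a small static helper taking the reason string would keep them in step. The function starts before the first inner hunk and part of its body lies between the two hunks, outside this view.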
diff --git a/SOURCES/kvm-sungem-switch-to-use-qemu_receive_packet-for-loopbac.patch b/SOURCES/kvm-sungem-switch-to-use-qemu_receive_packet-for-loopbac.patch
new file mode 100644
index 0000000..47f8f13
--- /dev/null
+++ b/SOURCES/kvm-sungem-switch-to-use-qemu_receive_packet-for-loopbac.patch
@@ -0,0 +1,54 @@
+From 1a56df13e6a033548b22489d3b148009c8f80718 Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Tue, 29 Jun 2021 03:42:42 -0400
+Subject: [PATCH 4/9] sungem: switch to use qemu_receive_packet() for loopback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+Message-id: <20210629034247.3286477-5-jmaloy@redhat.com>
+Patchwork-id: 101786
+O-Subject: [RHEL-8.4.0.z qemu-kvm PATCH v2 4/9] sungem: switch to use qemu_receive_packet() for loopback
+Bugzilla: 1932917
+RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Thomas Huth <thuth@redhat.com>
+
+From: Jason Wang <jasowang@redhat.com>
+
+This patch switches to use qemu_receive_packet() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+(cherry picked from commit 8c92060d3c0248bd4d515719a35922cd2391b9b4)
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ hw/net/sungem.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/sungem.c b/hw/net/sungem.c
+index f31d41ac5b..8b202b5c15 100644
+--- a/hw/net/sungem.c
++++ b/hw/net/sungem.c
+@@ -305,7 +305,7 @@ static void sungem_send_packet(SunGEMState *s, const uint8_t *buf,
+     NetClientState *nc = qemu_get_queue(s->nic);
+ 
+     if (s->macregs[MAC_XIFCFG >> 2] & MAC_XIFCFG_LBCK) {
+-        nc->info->receive(nc, buf, size);
++        qemu_receive_packet(nc, buf, size);
+     } else {
+         qemu_send_packet(nc, buf, size);
+     }
+-- 
+2.27.0
+
diff --git a/SOURCES/kvm-tx_pkt-switch-to-use-qemu_receive_packet_iov-for-loo.patch b/SOURCES/kvm-tx_pkt-switch-to-use-qemu_receive_packet_iov-for-loo.patch
new file mode 100644
index 0000000..fdb9496
--- /dev/null
+++ b/SOURCES/kvm-tx_pkt-switch-to-use-qemu_receive_packet_iov-for-loo.patch
@@ -0,0 +1,53 @@
+From 199915a03857c1e4e0a6ac90a46496b1a8abd702 Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Tue, 29 Jun 2021 03:42:43 -0400
+Subject: [PATCH 5/9] tx_pkt: switch to use qemu_receive_packet_iov() for
+ loopback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+Message-id: <20210629034247.3286477-6-jmaloy@redhat.com>
+Patchwork-id: 101788
+O-Subject: [RHEL-8.4.0.z qemu-kvm PATCH v2 5/9] tx_pkt: switch to use qemu_receive_packet_iov() for loopback
+Bugzilla: 1932917
+RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Thomas Huth <thuth@redhat.com>
+
+From: Jason Wang <jasowang@redhat.com>
+
+This patch switches to use qemu_receive_receive_iov() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+(cherry picked from commit 8c552542b81e56ff532dd27ec6e5328954bdda73)
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ hw/net/net_tx_pkt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c
+index 54d4c3bbd0..646cdfaf4d 100644
+--- a/hw/net/net_tx_pkt.c
++++ b/hw/net/net_tx_pkt.c
+@@ -544,7 +544,7 @@ static inline void net_tx_pkt_sendv(struct NetTxPkt *pkt,
+     NetClientState *nc, const struct iovec *iov, int iov_cnt)
+ {
+     if (pkt->is_loopback) {
+-        nc->info->receive_iov(nc, iov, iov_cnt);
++        qemu_receive_packet_iov(nc, iov, iov_cnt);
+     } else {
+         qemu_sendv_packet(nc, iov, iov_cnt);
+     }
+-- 
+2.27.0
+
diff --git a/SOURCES/kvm-xhci-fix-valid.max_access_size-to-access-address-reg.patch b/SOURCES/kvm-xhci-fix-valid.max_access_size-to-access-address-reg.patch
new file mode 100644
index 0000000..f577210
--- /dev/null
+++ b/SOURCES/kvm-xhci-fix-valid.max_access_size-to-access-address-reg.patch
@@ -0,0 +1,76 @@
+From 33e907b7be4636a726d40a3d68cab24574bc597a Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Wed, 21 Apr 2021 22:30:05 -0400
+Subject: [PATCH 6/8] xhci: fix valid.max_access_size to access address
+ registers
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+Message-id: <20210421223006.19650-6-jmaloy@redhat.com>
+Patchwork-id: 101483
+O-Subject: [RHEL-8.5.0 qemu-kvm PATCH v2 5/6] xhci: fix valid.max_access_size to access address registers
+Bugzilla: 1944621
+RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
+RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+
+From: Laurent Vivier <lvivier@redhat.com>
+
+QEMU XHCI advertises AC64 (64-bit addressing) but doesn't allow
+64-bit mode access in "runtime" and "operational" MemoryRegionOps.
+
+Set the max_access_size based on sizeof(dma_addr_t) as AC64 is set.
+
+XHCI specs:
+"If the xHC supports 64-bit addressing (AC64 = ‘1’), then software
+should write 64-bit registers using only Qword accesses.  If a
+system is incapable of issuing Qword accesses, then writes to the
+64-bit address fields shall be performed using 2 Dword accesses;
+low Dword-first, high-Dword second.  If the xHC supports 32-bit
+addressing (AC64 = ‘0’), then the high Dword of registers containing
+64-bit address fields are unused and software should write addresses
+using only Dword accesses"
+
+The problem has been detected with SLOF, as linux kernel always accesses
+registers using 32-bit access even if AC64 is set and revealed by
+5d971f9e6725 ("memory: Revert "memory: accept mismatching sizes in memory_region_access_valid"")
+
+Suggested-by: Alexey Kardashevskiy <aik@au1.ibm.com>
+Signed-off-by: Laurent Vivier <lvivier@redhat.com>
+Message-id: 20200721083322.90651-1-lvivier@redhat.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+(cherry picked from commit 8e67fda2dd6202ccec093fda561107ba14830a17)
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ hw/usb/hcd-xhci.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
+index 646c78cde9..ab449bb003 100644
+--- a/hw/usb/hcd-xhci.c
++++ b/hw/usb/hcd-xhci.c
+@@ -3183,7 +3183,7 @@ static const MemoryRegionOps xhci_oper_ops = {
+     .read = xhci_oper_read,
+     .write = xhci_oper_write,
+     .valid.min_access_size = 4,
+-    .valid.max_access_size = 4,
++    .valid.max_access_size = sizeof(dma_addr_t),
+     .endianness = DEVICE_LITTLE_ENDIAN,
+ };
+ 
+@@ -3199,7 +3199,7 @@ static const MemoryRegionOps xhci_runtime_ops = {
+     .read = xhci_runtime_read,
+     .write = xhci_runtime_write,
+     .valid.min_access_size = 4,
+-    .valid.max_access_size = 4,
++    .valid.max_access_size = sizeof(dma_addr_t),
+     .endianness = DEVICE_LITTLE_ENDIAN,
+ };
+ 
+-- 
+2.27.0
+
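Review bot: Both initialisers, xhci_oper_ops and xhci_runtime_ops, now take the guest-visible maximum access width from `sizeof(dma_addr_t)`, a host-side typedef, and neither line says why. A comment on each, such as `/* AC64 is advertised: allow Qword access to the 64-bit address registers */`, would carry the reasoning from the commit message into the code. The read and write handlers are outside the hunk, so it cannot be confirmed here whether they handle an 8-byte access themselves or rely on the memory core to split it into Dwords. Whichever holds is worth stating in the same comment, since these handlers receive guest-chosen offsets and sizes. Both struct definitions start outside their hunks.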
diff --git a/SPECS/qemu-kvm.spec b/SPECS/qemu-kvm.spec
index 4a65e5f..d88bcd7 100644
--- a/SPECS/qemu-kvm.spec
+++ b/SPECS/qemu-kvm.spec
@@ -67,7 +67,7 @@ Obsoletes: %1-rhev
 Summary: QEMU is a machine emulator and virtualizer
 Name: qemu-kvm
 Version: 4.2.0
-Release: 48%{?dist}
+Release: 48%{?dist}.3
 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
 Epoch: 15
 License: GPLv2 and GPLv2+ and CC-BY
@@ -1130,6 +1130,46 @@ Patch489: kvm-x86-cpu-Populate-SVM-CPUID-feature-bits.patch
 Patch490: kvm-i386-Add-the-support-for-AMD-EPYC-3rd-generation-pro.patch
 # For bz#1917451 - CVE-2020-29443 virt:rhel/qemu-kvm: QEMU: ide: atapi: OOB access while processing read commands [rhel-8.4.0]
 Patch491: kvm-ide-atapi-check-logical-block-address-and-read-size-.patch
+# For bz#1939494 - CVE-2020-27617 virt:rhel/qemu-kvm: QEMU: net: an assert failure via eth_get_gso_type [rhel-8.4.0.z]
+Patch492: kvm-net-remove-an-assert-call-in-eth_get_gso_type.patch
+# For bz#1944621 - CVE-2020-13754 virt:rhel/qemu-kvm: QEMU: msix: OOB access during mmio operations may lead to DoS [rhel-8.4.0.z]
+Patch493: kvm-libqos-usb-hcd-ehci-use-32-bit-write-for-config-regi.patch
+# For bz#1944621 - CVE-2020-13754 virt:rhel/qemu-kvm: QEMU: msix: OOB access during mmio operations may lead to DoS [rhel-8.4.0.z]
+Patch494: kvm-libqos-pci-pc-use-32-bit-write-for-EJ-register.patch
+# For bz#1944621 - CVE-2020-13754 virt:rhel/qemu-kvm: QEMU: msix: OOB access during mmio operations may lead to DoS [rhel-8.4.0.z]
+Patch495: kvm-memory-Revert-memory-accept-mismatching-sizes-in-mem.patch
+# For bz#1944621 - CVE-2020-13754 virt:rhel/qemu-kvm: QEMU: msix: OOB access during mmio operations may lead to DoS [rhel-8.4.0.z]
+Patch496: kvm-acpi-accept-byte-and-word-access-to-core-ACPI-regist.patch
+# For bz#1944621 - CVE-2020-13754 virt:rhel/qemu-kvm: QEMU: msix: OOB access during mmio operations may lead to DoS [rhel-8.4.0.z]
+Patch497: kvm-xhci-fix-valid.max_access_size-to-access-address-reg.patch
+# For bz#1944621 - CVE-2020-13754 virt:rhel/qemu-kvm: QEMU: msix: OOB access during mmio operations may lead to DoS [rhel-8.4.0.z]
+Patch498: kvm-softmmu-memory-Log-invalid-memory-accesses.patch
+# For bz#1952986 - CVE-2021-20221 virt:rhel/qemu-kvm: qemu: out-of-bound heap buffer access via an interrupt ID field [rhel-8.4.0.z]
+Patch499: kvm-hw-intc-arm_gic-Fix-interrupt-ID-in-GICD_SGIR-regist.patch
+# For bz#1975679 - RHEL8.4 Nightly[0322] - KVM guest fails to find zipl boot menu index (qemu-kvm) [rhel-8.4.0.z]
+Patch500: kvm-pc-bios-s390-ccw-fix-off-by-one-error.patch
+# For bz#1975679 - RHEL8.4 Nightly[0322] - KVM guest fails to find zipl boot menu index (qemu-kvm) [rhel-8.4.0.z]
+Patch501: kvm-pc-bios-s390-ccw-break-loop-if-a-null-block-number-i.patch
+# For bz#1975679 - RHEL8.4 Nightly[0322] - KVM guest fails to find zipl boot menu index (qemu-kvm) [rhel-8.4.0.z]
+Patch502: kvm-pc-bios-s390-ccw-don-t-try-to-read-the-next-block-if.patch
+# For bz#1932917 - CVE-2021-3416 virt:rhel/qemu-kvm: QEMU: net: infinite loop in loopback mode may lead to stack overflow [rhel-8.4.z]
+Patch503: kvm-net-introduce-qemu_receive_packet.patch
+# For bz#1932917 - CVE-2021-3416 virt:rhel/qemu-kvm: QEMU: net: infinite loop in loopback mode may lead to stack overflow [rhel-8.4.z]
+Patch504: kvm-e1000-switch-to-use-qemu_receive_packet-for-loopback.patch
+# For bz#1932917 - CVE-2021-3416 virt:rhel/qemu-kvm: QEMU: net: infinite loop in loopback mode may lead to stack overflow [rhel-8.4.z]
+Patch505: kvm-dp8393x-switch-to-use-qemu_receive_packet-for-loopba.patch
+# For bz#1932917 - CVE-2021-3416 virt:rhel/qemu-kvm: QEMU: net: infinite loop in loopback mode may lead to stack overflow [rhel-8.4.z]
+Patch506: kvm-sungem-switch-to-use-qemu_receive_packet-for-loopbac.patch
+# For bz#1932917 - CVE-2021-3416 virt:rhel/qemu-kvm: QEMU: net: infinite loop in loopback mode may lead to stack overflow [rhel-8.4.z]
+Patch507: kvm-tx_pkt-switch-to-use-qemu_receive_packet_iov-for-loo.patch
+# For bz#1932917 - CVE-2021-3416 virt:rhel/qemu-kvm: QEMU: net: infinite loop in loopback mode may lead to stack overflow [rhel-8.4.z]
+Patch508: kvm-rtl8139-switch-to-use-qemu_receive_packet-for-loopba.patch
+# For bz#1932917 - CVE-2021-3416 virt:rhel/qemu-kvm: QEMU: net: infinite loop in loopback mode may lead to stack overflow [rhel-8.4.z]
+Patch509: kvm-pcnet-switch-to-use-qemu_receive_packet-for-loopback.patch
+# For bz#1932917 - CVE-2021-3416 virt:rhel/qemu-kvm: QEMU: net: infinite loop in loopback mode may lead to stack overflow [rhel-8.4.z]
+Patch510: kvm-cadence_gem-switch-to-use-qemu_receive_packet-for-lo.patch
+# For bz#1932917 - CVE-2021-3416 virt:rhel/qemu-kvm: QEMU: net: infinite loop in loopback mode may lead to stack overflow [rhel-8.4.z]
+Patch511: kvm-lan9118-switch-to-use-qemu_receive_packet-for-loopba.patch
 
 BuildRequires: wget
 BuildRequires: rpm-build
@@ -2078,6 +2118,42 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
 
 
 %changelog
+* Wed Jul 21 2021 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 4.2.0-48.el8_4.3
+- kvm-net-introduce-qemu_receive_packet.patch [bz#1932917]
+- kvm-e1000-switch-to-use-qemu_receive_packet-for-loopback.patch [bz#1932917]
+- kvm-dp8393x-switch-to-use-qemu_receive_packet-for-loopba.patch [bz#1932917]
+- kvm-sungem-switch-to-use-qemu_receive_packet-for-loopbac.patch [bz#1932917]
+- kvm-tx_pkt-switch-to-use-qemu_receive_packet_iov-for-loo.patch [bz#1932917]
+- kvm-rtl8139-switch-to-use-qemu_receive_packet-for-loopba.patch [bz#1932917]
+- kvm-pcnet-switch-to-use-qemu_receive_packet-for-loopback.patch [bz#1932917]
+- kvm-cadence_gem-switch-to-use-qemu_receive_packet-for-lo.patch [bz#1932917]
+- kvm-lan9118-switch-to-use-qemu_receive_packet-for-loopba.patch [bz#1932917]
+- Resolves: bz#1932917
+  (CVE-2021-3416 virt:rhel/qemu-kvm: QEMU: net: infinite loop in loopback mode may lead to stack overflow [rhel-8.4.z])
+
+* Tue Jul 06 2021 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 4.2.0-48.el8_4.2
+- kvm-pc-bios-s390-ccw-fix-off-by-one-error.patch [bz#1975679]
+- kvm-pc-bios-s390-ccw-break-loop-if-a-null-block-number-i.patch [bz#1975679]
+- kvm-pc-bios-s390-ccw-don-t-try-to-read-the-next-block-if.patch [bz#1975679]
+- Resolves: bz#1975679
+  (RHEL8.4 Nightly[0322] - KVM guest fails to find zipl boot menu index (qemu-kvm) [rhel-8.4.0.z])
+
+* Thu Jun 03 2021 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 4.2.0-48.el8_4
+- kvm-net-remove-an-assert-call-in-eth_get_gso_type.patch [bz#1939494]
+- kvm-libqos-usb-hcd-ehci-use-32-bit-write-for-config-regi.patch [bz#1944621]
+- kvm-libqos-pci-pc-use-32-bit-write-for-EJ-register.patch [bz#1944621]
+- kvm-memory-Revert-memory-accept-mismatching-sizes-in-mem.patch [bz#1944621]
+- kvm-acpi-accept-byte-and-word-access-to-core-ACPI-regist.patch [bz#1944621]
+- kvm-xhci-fix-valid.max_access_size-to-access-address-reg.patch [bz#1944621]
+- kvm-softmmu-memory-Log-invalid-memory-accesses.patch [bz#1944621]
+- kvm-hw-intc-arm_gic-Fix-interrupt-ID-in-GICD_SGIR-regist.patch [bz#1952986]
+- Resolves: bz#1939494
+  (CVE-2020-27617 virt:rhel/qemu-kvm: QEMU: net: an assert failure via eth_get_gso_type [rhel-8.4.0.z])
+- Resolves: bz#1944621
+  (CVE-2020-13754 virt:rhel/qemu-kvm: QEMU: msix: OOB access during mmio operations may lead to DoS [rhel-8.4.0.z])
+- Resolves: bz#1952986
+  (CVE-2021-20221 virt:rhel/qemu-kvm: qemu: out-of-bound heap buffer access via an interrupt ID field [rhel-8.4.0.z])
+
 * Tue Mar 16 2021 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 4.2.0-48.el8
 - kvm-ide-atapi-check-logical-block-address-and-read-size-.patch [bz#1917451]
 - Resolves: bz#1917451