diff --git a/SOURCES/kvm-iscsi-Avoid-potential-for-get_status-overflow.patch b/SOURCES/kvm-iscsi-Avoid-potential-for-get_status-overflow.patch
new file mode 100644
index 0000000..ed227dc
--- /dev/null
+++ b/SOURCES/kvm-iscsi-Avoid-potential-for-get_status-overflow.patch
@@ -0,0 +1,61 @@
+From f8e55fd069eea72105e104534aa7560d8df03bf7 Mon Sep 17 00:00:00 2001
+From: jmaloy <jmaloy@redhat.com>
+Date: Wed, 29 Jan 2020 21:14:31 +0000
+Subject: [PATCH 4/5] iscsi: Avoid potential for get_status overflow
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: jmaloy <jmaloy@redhat.com>
+Message-id: <20200129211432.11592-2-jmaloy@redhat.com>
+Patchwork-id: 93584
+O-Subject: [RHEL-8.1.0 qemu-kvm PATCH 1/2] iscsi: Avoid potential for get_status overflow
+Bugzilla: 1794500
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
+RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+
+From: Eric Blake <eblake@redhat.com>
+
+Detected by Coverity: Multiplying two 32-bit int and assigning
+the result to a 64-bit number is a risk of overflow. Prior to
+the conversion to byte-based interfaces, the block layer took
+care of ensuring that a status request never exceeded 2G in
+the driver; but after that conversion, the block layer expects
+drivers to deal with any size request (the driver can always
+truncate the request size back down, as long as it makes
+progress). So, in the off-chance that someone makes a large
+request, we are at the mercy of whether iscsi_get_lba_status_task()
+will cap things to at most INT_MAX / iscsilun->block_size when
+it populates lbasd->num_blocks; since I could not easily audit
+that, it's better to be safe than sorry by just forcing a 64-bit
+multiply.
+
+Fixes: 92809c36
+CC: qemu-stable@nongnu.org
+Signed-off-by: Eric Blake <eblake@redhat.com>
+Message-Id: <20180508212718.1482663-1-eblake@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+(cherry picked from commit 8ee1cef4593a7bda076891470c0620e79333c0d0)
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ block/iscsi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/block/iscsi.c b/block/iscsi.c
+index c412b12..336ce49 100644
+--- a/block/iscsi.c
++++ b/block/iscsi.c
+@@ -734,7 +734,7 @@ retry:
+ goto out_unlock;
+ }
+
+- *pnum = lbasd->num_blocks * iscsilun->block_size;
++ *pnum = (int64_t) lbasd->num_blocks * iscsilun->block_size;
+
+ if (lbasd->provisioning == SCSI_PROVISIONING_TYPE_DEALLOCATED ||
+ lbasd->provisioning == SCSI_PROVISIONING_TYPE_ANCHORED) {
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-iscsi-Cap-block-count-from-GET-LBA-STATUS-CVE-2020-1.patch b/SOURCES/kvm-iscsi-Cap-block-count-from-GET-LBA-STATUS-CVE-2020-1.patch
new file mode 100644
index 0000000..a65452b
--- /dev/null
+++ b/SOURCES/kvm-iscsi-Cap-block-count-from-GET-LBA-STATUS-CVE-2020-1.patch
@@ -0,0 +1,79 @@
+From 66a75a069b944ba4392129a6488206631c581167 Mon Sep 17 00:00:00 2001
+From: jmaloy <jmaloy@redhat.com>
+Date: Wed, 29 Jan 2020 21:14:32 +0000
+Subject: [PATCH 5/5] iscsi: Cap block count from GET LBA STATUS
+ (CVE-2020-1711)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: jmaloy <jmaloy@redhat.com>
+Message-id: <20200129211432.11592-3-jmaloy@redhat.com>
+Patchwork-id: 93583
+O-Subject: [RHEL-8.1.0 qemu-kvm PATCH 2/2] iscsi: Cap block count from GET LBA STATUS (CVE-2020-1711)
+Bugzilla: 1794500
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
+RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+
+From: Felipe Franciosi <felipe@nutanix.com>
+
+When querying an iSCSI server for the provisioning status of blocks (via
+GET LBA STATUS), Qemu only validates that the response descriptor zero's
+LBA matches the one requested. Given the SCSI spec allows servers to
+respond with the status of blocks beyond the end of the LUN, Qemu may
+have its heap corrupted by clearing/setting too many bits at the end of
+its allocmap for the LUN.
+
+A malicious guest in control of the iSCSI server could carefully program
+Qemu's heap (by selectively setting the bitmap) and then smash it.
+
+This limits the number of bits that iscsi_co_block_status() will try to
+update in the allocmap so it can't overflow the bitmap.
+
+Fixes: CVE-2020-1711
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Felipe Franciosi <felipe@nutanix.com>
+Signed-off-by: Peter Turschmid <peter.turschm@nutanix.com>
+Signed-off-by: Raphael Norwitz <raphael.norwitz@nutanix.com>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+(cherry picked from commit 693fd2acdf14dd86c0bf852610f1c2cca80a74dc)
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ block/iscsi.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/block/iscsi.c b/block/iscsi.c
+index 336ce49..8ec97ab 100644
+--- a/block/iscsi.c
++++ b/block/iscsi.c
+@@ -671,7 +671,7 @@ static int coroutine_fn iscsi_co_block_status(BlockDriverState *bs,
+ struct scsi_get_lba_status *lbas = NULL;
+ struct scsi_lba_status_descriptor *lbasd = NULL;
+ struct IscsiTask iTask;
+- uint64_t lba;
++ uint64_t lba, max_bytes;
+ int ret;
+
+ iscsi_co_init_iscsitask(iscsilun, &iTask);
+@@ -691,6 +691,7 @@ static int coroutine_fn iscsi_co_block_status(BlockDriverState *bs,
+ }
+
+ lba = offset / iscsilun->block_size;
++ max_bytes = (iscsilun->num_blocks - lba) * iscsilun->block_size;
+
+ qemu_mutex_lock(&iscsilun->mutex);
+ retry:
+@@ -734,7 +735,7 @@ retry:
+ goto out_unlock;
+ }
+
+- *pnum = (int64_t) lbasd->num_blocks * iscsilun->block_size;
++ *pnum = MIN((int64_t) lbasd->num_blocks * iscsilun->block_size, max_bytes);
+
+ if (lbasd->provisioning == SCSI_PROVISIONING_TYPE_DEALLOCATED ||
+ lbasd->provisioning == SCSI_PROVISIONING_TYPE_ANCHORED) {
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-slirp-use-correct-size-while-emulating-IRC-commands.patch b/SOURCES/kvm-slirp-use-correct-size-while-emulating-IRC-commands.patch
new file mode 100644
index 0000000..c0f0dd7
--- /dev/null
+++ b/SOURCES/kvm-slirp-use-correct-size-while-emulating-IRC-commands.patch
@@ -0,0 +1,71 @@
+From 25ac3224ae8ffe35efdd6bfc5db289e469dc6864 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Fri, 17 Jan 2020 11:49:41 +0000
+Subject: [PATCH 2/5] slirp: use correct size while emulating IRC commands
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: <20200117114942.12236-3-philmd@redhat.com>
+Patchwork-id: 93392
+O-Subject: [RHEL-7.7.z qemu-kvm-rhev + RHEL-7.8 qemu-kvm-rhev + RHEL-7.9 qemu-kvm-rhev + RHEL-8.1.0 qemu-kvm + RHEL-8.2.0 qemu-kvm + RHEL-7.7.z qemu-kvm-ma + RHEL-7.8 qemu-kvm-ma + RHEL-7.9 qemu-kvm-ma PATCH 2/3] slirp: use correct size while emulating IRC commands
+Bugzilla: 1791565
+RH-Acked-by: Thomas Huth <thuth@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
+
+From: Prasad J Pandit <pjp@fedoraproject.org>
+
+While emulating IRC DCC commands, tcp_emu() uses 'mbuf' size
+'m->m_size' to write DCC commands via snprintf(3). This may
+lead to OOB write access, because 'bptr' points somewhere in
+the middle of 'mbuf' buffer, not at the start. Use M_FREEROOM(m)
+size to avoid OOB access.
+
+Reported-by: Vishnu Dev TJ <vishnudevtj@gmail.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
+Message-Id: <20200109094228.79764-2-ppandit@redhat.com>
+(cherry picked from libslirp commit ce131029d6d4a405cb7d3ac6716d03e58fb4a5d9)
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ slirp/tcp_subr.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c
+index decfd9b..b60310d 100644
+--- a/slirp/tcp_subr.c
++++ b/slirp/tcp_subr.c
+@@ -783,7 +783,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ return 1;
+ }
+ m->m_len = bptr - m->m_data; /* Adjust length */
+- m->m_len += snprintf(bptr, m->m_size,
++ m->m_len += snprintf(bptr, M_FREEROOM(m),
+ "DCC CHAT chat %lu %u%c\n",
+ (unsigned long)ntohl(so->so_faddr.s_addr),
+ ntohs(so->so_fport), 1);
+@@ -794,7 +794,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ return 1;
+ }
+ m->m_len = bptr - m->m_data; /* Adjust length */
+- m->m_len += snprintf(bptr, m->m_size,
++ m->m_len += snprintf(bptr, M_FREEROOM(m),
+ "DCC SEND %s %lu %u %u%c\n", buff,
+ (unsigned long)ntohl(so->so_faddr.s_addr),
+ ntohs(so->so_fport), n1, 1);
+@@ -805,7 +805,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ return 1;
+ }
+ m->m_len = bptr - m->m_data; /* Adjust length */
+- m->m_len += snprintf(bptr, m->m_size,
++ m->m_len += snprintf(bptr, M_FREEROOM(m),
+ "DCC MOVE %s %lu %u %u%c\n", buff,
+ (unsigned long)ntohl(so->so_faddr.s_addr),
+ ntohs(so->so_fport), n1, 1);
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-slirp-use-correct-size-while-emulating-commands.patch b/SOURCES/kvm-slirp-use-correct-size-while-emulating-commands.patch
new file mode 100644
index 0000000..5372146
--- /dev/null
+++ b/SOURCES/kvm-slirp-use-correct-size-while-emulating-commands.patch
@@ -0,0 +1,70 @@
+From 149a200018dd40ec0f1c494c959a3c03ea60c897 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Fri, 17 Jan 2020 11:49:42 +0000
+Subject: [PATCH 3/5] slirp: use correct size while emulating commands
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: <20200117114942.12236-4-philmd@redhat.com>
+Patchwork-id: 93391
+O-Subject: [RHEL-7.7.z qemu-kvm-rhev + RHEL-7.8 qemu-kvm-rhev + RHEL-7.9 qemu-kvm-rhev + RHEL-8.1.0 qemu-kvm + RHEL-8.2.0 qemu-kvm + RHEL-7.7.z qemu-kvm-ma + RHEL-7.8 qemu-kvm-ma + RHEL-7.9 qemu-kvm-ma PATCH 3/3] slirp: use correct size while emulating commands
+Bugzilla: 1791565
+RH-Acked-by: Thomas Huth <thuth@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
+
+From: Prasad J Pandit <pjp@fedoraproject.org>
+
+While emulating services in tcp_emu(), it uses 'mbuf' size
+'m->m_size' to write commands via snprintf(3). Use M_FREEROOM(m)
+size to avoid possible OOB access.
+
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
+Message-Id: <20200109094228.79764-3-ppandit@redhat.com>
+(cherry picked from libslirp commit 82ebe9c370a0e2970fb5695aa19aa5214a6a1c80)
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ slirp/tcp_subr.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c
+index b60310d..b95ba23 100644
+--- a/slirp/tcp_subr.c
++++ b/slirp/tcp_subr.c
+@@ -703,7 +703,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ n4 = (laddr & 0xff);
+
+ m->m_len = bptr - m->m_data; /* Adjust length */
+- m->m_len += snprintf(bptr, m->m_size - m->m_len,
++ m->m_len += snprintf(bptr, M_FREEROOM(m),
+ "ORT %d,%d,%d,%d,%d,%d\r\n%s",
+ n1, n2, n3, n4, n5, n6, x==7?buff:"");
+ return 1;
+@@ -736,7 +736,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ n4 = (laddr & 0xff);
+
+ m->m_len = bptr - m->m_data; /* Adjust length */
+- m->m_len += snprintf(bptr, m->m_size - m->m_len,
++ m->m_len += snprintf(bptr, M_FREEROOM(m),
+ "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s",
+ n1, n2, n3, n4, n5, n6, x==7?buff:"");
+
+@@ -762,8 +762,8 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ if (m->m_data[m->m_len-1] == '\0' && lport != 0 &&
+ (so = tcp_listen(slirp, INADDR_ANY, 0, so->so_laddr.s_addr,
+ htons(lport), SS_FACCEPTONCE)) != NULL)
+- m->m_len = snprintf(m->m_data, m->m_size, "%d",
+- ntohs(so->so_fport)) + 1;
++ m->m_len = snprintf(m->m_data, M_ROOM(m),
++ "%d", ntohs(so->so_fport)) + 1;
+ return 1;
+
+ case EMU_IRC:
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-tcp_emu-Fix-oob-access.patch b/SOURCES/kvm-tcp_emu-Fix-oob-access.patch
new file mode 100644
index 0000000..5eae2ce
--- /dev/null
+++ b/SOURCES/kvm-tcp_emu-Fix-oob-access.patch
@@ -0,0 +1,60 @@
+From 8cf51a309acf37f2d03ed5a0a31737b884ace3f0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Fri, 17 Jan 2020 11:49:40 +0000
+Subject: [PATCH 1/5] tcp_emu: Fix oob access
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: <20200117114942.12236-2-philmd@redhat.com>
+Patchwork-id: 93393
+O-Subject: [RHEL-7.7.z qemu-kvm-rhev + RHEL-7.8 qemu-kvm-rhev + RHEL-7.9 qemu-kvm-rhev + RHEL-8.1.0 qemu-kvm + RHEL-8.2.0 qemu-kvm + RHEL-7.7.z qemu-kvm-ma + RHEL-7.8 qemu-kvm-ma + RHEL-7.9 qemu-kvm-ma PATCH 1/3] tcp_emu: Fix oob access
+Bugzilla: 1791565
+RH-Acked-by: Thomas Huth <thuth@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
+
+From: Samuel Thibault <samuel.thibault@ens-lyon.org>
+
+The main loop only checks for one available byte, while we sometimes
+need two bytes.
+
+(cherry picked from libslirp commit 2655fffed7a9e765bcb4701dd876e9dab975f289)
+[PMD: backported with style conflicts,
+ CHANGELOG.md absent in downstream]
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ slirp/tcp_subr.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c
+index 0152f72..decfd9b 100644
+--- a/slirp/tcp_subr.c
++++ b/slirp/tcp_subr.c
+@@ -892,6 +892,9 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ break;
+
+ case 5:
++ if (bptr == m->m_data + m->m_len - 1)
++ return 1; /* We need two bytes */
++
+ /*
+ * The difference between versions 1.0 and
+ * 2.0 is here. For future versions of
+@@ -907,6 +910,10 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ /* This is the field containing the port
+ * number that RA-player is listening to.
+ */
++
++ if (bptr == m->m_data + m->m_len - 1)
++ return 1; /* We need two bytes */
++
+ lport = (((u_char*)bptr)[0] << 8)
+ + ((u_char *)bptr)[1];
+ if (lport < 6970)
+--
+1.8.3.1
+
diff --git a/SPECS/qemu-kvm.spec b/SPECS/qemu-kvm.spec
index b19a415..7075b63 100644
--- a/SPECS/qemu-kvm.spec
+++ b/SPECS/qemu-kvm.spec
@@ -67,7 +67,7 @@ Obsoletes: %1-rhev
Summary: QEMU is a machine emulator and virtualizer
Name: qemu-kvm
Version: 2.12.0
-Release: 88%{?dist}.2
+Release: 88%{?dist}.3
# Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
Epoch: 15
License: GPLv2 and GPLv2+ and CC-BY
@@ -1687,6 +1687,16 @@ Patch823: kvm-s390-PCI-fix-IOMMU-region-init.patch
Patch824: kvm-target-i386-Export-TAA_NO-bit-to-guests.patch
# For bz#1771970 - CVE-2019-11135 virt:rhel/qemu-kvm: hw: TSX Transaction Asynchronous Abort (TAA) [rhel-8.1.0.z]
Patch825: kvm-target-i386-add-support-for-MSR_IA32_TSX_CTRL.patch
+# For bz#1791565 - CVE-2020-7039 virt:rhel/qemu-kvm: QEMU: slirp: OOB buffer access while emulating tcp protocols in tcp_emu() [rhel-8.1.0.z]
+Patch826: kvm-tcp_emu-Fix-oob-access.patch
+# For bz#1791565 - CVE-2020-7039 virt:rhel/qemu-kvm: QEMU: slirp: OOB buffer access while emulating tcp protocols in tcp_emu() [rhel-8.1.0.z]
+Patch827: kvm-slirp-use-correct-size-while-emulating-IRC-commands.patch
+# For bz#1791565 - CVE-2020-7039 virt:rhel/qemu-kvm: QEMU: slirp: OOB buffer access while emulating tcp protocols in tcp_emu() [rhel-8.1.0.z]
+Patch828: kvm-slirp-use-correct-size-while-emulating-commands.patch
+# For bz#1794500 - CVE-2020-1711 qemu-kvm: QEMU: block: iscsi: OOB heap access via an unexpected response of iSCSI Server [rhel-8.1.0.z]
+Patch829: kvm-iscsi-Avoid-potential-for-get_status-overflow.patch
+# For bz#1794500 - CVE-2020-1711 qemu-kvm: QEMU: block: iscsi: OOB heap access via an unexpected response of iSCSI Server [rhel-8.1.0.z]
+Patch830: kvm-iscsi-Cap-block-count-from-GET-LBA-STATUS-CVE-2020-1.patch
BuildRequires: zlib-devel
BuildRequires: glib2-devel
@@ -2573,6 +2583,17 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
%changelog
+* Tue Feb 11 2020 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 2.12.0-88.el8_1_0.3
+- kvm-tcp_emu-Fix-oob-access.patch [bz#1791565]
+- kvm-slirp-use-correct-size-while-emulating-IRC-commands.patch [bz#1791565]
+- kvm-slirp-use-correct-size-while-emulating-commands.patch [bz#1791565]
+- kvm-iscsi-Avoid-potential-for-get_status-overflow.patch [bz#1794500]
+- kvm-iscsi-Cap-block-count-from-GET-LBA-STATUS-CVE-2020-1.patch [bz#1794500]
+- Resolves: bz#1791565
+ (CVE-2020-7039 virt:rhel/qemu-kvm: QEMU: slirp: OOB buffer access while emulating tcp protocols in tcp_emu() [rhel-8.1.0.z])
+- Resolves: bz#1794500
+ (CVE-2020-1711 qemu-kvm: QEMU: block: iscsi: OOB heap access via an unexpected response of iSCSI Server [rhel-8.1.0.z])
+
* Tue Dec 10 2019 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 2.12.0-88.el8_1_0.2
- kvm-target-i386-Export-TAA_NO-bit-to-guests.patch [bz#1771970]
- kvm-target-i386-add-support-for-MSR_IA32_TSX_CTRL.patch [bz#1771970]