diff --git a/0001-block.curl-adding-timeout-option.patch b/0001-block.curl-adding-timeout-option.patch
deleted file mode 100644
index a52d6bd..0000000
--- a/0001-block.curl-adding-timeout-option.patch
+++ /dev/null
@@ -1,115 +0,0 @@
-From 212aefaa53d142baa9a22f5aadd2e72eb916c0c0 Mon Sep 17 00:00:00 2001
-From: Daniel Henrique Barboza <danielhb@linux.vnet.ibm.com>
-Date: Wed, 13 Aug 2014 12:44:27 -0300
-Subject: [PATCH] block.curl: adding 'timeout' option
-
-The curl hardcoded timeout (5 seconds) sometimes is not long
-enough depending on the remote server configuration and network
-traffic. The user should be able to set how much long he is
-willing to wait for the connection.
-
-Adding a new option to set this timeout gives the user this
-flexibility. The previous default timeout of 5 seconds will be
-used if this option is not present.
-
-Reviewed-by: Fam Zheng <famz@redhat.com>
-Signed-off-by: Daniel Henrique Barboza <danielhb@linux.vnet.ibm.com>
-Reviewed-by: Benoit Canet <benoit.canet@nodalink.com>
-Tested-by: Richard W.M. Jones <rjones@redhat.com>
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
----
- block/curl.c | 13 ++++++++++++-
- qemu-options.hx | 10 ++++++++--
- 2 files changed, 20 insertions(+), 3 deletions(-)
-
-diff --git a/block/curl.c b/block/curl.c
-index d4b85d2..2698ae3 100644
---- a/block/curl.c
-+++ b/block/curl.c
-@@ -63,6 +63,7 @@ static CURLMcode __curl_multi_socket_action(CURLM *multi_handle,
- #define CURL_NUM_ACB 8
- #define SECTOR_SIZE 512
- #define READ_AHEAD_DEFAULT (256 * 1024)
-+#define CURL_TIMEOUT_DEFAULT 5
-
- #define FIND_RET_NONE 0
- #define FIND_RET_OK 1
-@@ -71,6 +72,7 @@ static CURLMcode __curl_multi_socket_action(CURLM *multi_handle,
- #define CURL_BLOCK_OPT_URL "url"
- #define CURL_BLOCK_OPT_READAHEAD "readahead"
- #define CURL_BLOCK_OPT_SSLVERIFY "sslverify"
-+#define CURL_BLOCK_OPT_TIMEOUT "timeout"
-
- struct BDRVCURLState;
-
-@@ -109,6 +111,7 @@ typedef struct BDRVCURLState {
- char *url;
- size_t readahead_size;
- bool sslverify;
-+ int timeout;
- bool accept_range;
- AioContext *aio_context;
- } BDRVCURLState;
-@@ -382,7 +385,7 @@ static CURLState *curl_init_state(BDRVCURLState *s)
- curl_easy_setopt(state->curl, CURLOPT_URL, s->url);
- curl_easy_setopt(state->curl, CURLOPT_SSL_VERIFYPEER,
- (long) s->sslverify);
-- curl_easy_setopt(state->curl, CURLOPT_TIMEOUT, 5);
-+ curl_easy_setopt(state->curl, CURLOPT_TIMEOUT, s->timeout);
- curl_easy_setopt(state->curl, CURLOPT_WRITEFUNCTION,
- (void *)curl_read_cb);
- curl_easy_setopt(state->curl, CURLOPT_WRITEDATA, (void *)state);
-@@ -489,6 +492,11 @@ static QemuOptsList runtime_opts = {
- .type = QEMU_OPT_BOOL,
- .help = "Verify SSL certificate"
- },
-+ {
-+ .name = CURL_BLOCK_OPT_TIMEOUT,
-+ .type = QEMU_OPT_NUMBER,
-+ .help = "Curl timeout"
-+ },
- { /* end of list */ }
- },
- };
-@@ -525,6 +533,9 @@ static int curl_open(BlockDriverState *bs, QDict *options, int flags,
- goto out_noclean;
- }
-
-+ s->timeout = qemu_opt_get_number(opts, CURL_BLOCK_OPT_TIMEOUT,
-+ CURL_TIMEOUT_DEFAULT);
-+
- s->sslverify = qemu_opt_get_bool(opts, CURL_BLOCK_OPT_SSLVERIFY, true);
-
- file = qemu_opt_get(opts, CURL_BLOCK_OPT_URL);
-diff --git a/qemu-options.hx b/qemu-options.hx
-index c573dd8..52d56f4 100644
---- a/qemu-options.hx
-+++ b/qemu-options.hx
-@@ -2351,6 +2351,11 @@ multiple of 512 bytes. It defaults to 256k.
- @item sslverify
- Whether to verify the remote server's certificate when connecting over SSL. It
- can have the value 'on' or 'off'. It defaults to 'on'.
-+
-+@item timeout
-+Set the timeout in seconds of the CURL connection. This timeout is the time
-+that CURL waits for a response from the remote server to get the size of the
-+image to be downloaded. If not set, the default timeout of 5 seconds is used.
- @end table
-
- Note that when passing options to qemu explicitly, @option{driver} is the value
-@@ -2372,9 +2377,10 @@ qemu-system-x86_64 -drive file=/tmp/Fedora-x86_64-20-20131211.1-sda.qcow2,copy-o
- @end example
-
- Example: boot from an image stored on a VMware vSphere server with a self-signed
--certificate using a local overlay for writes and a readahead of 64k
-+certificate using a local overlay for writes, a readahead of 64k and a timeout
-+of 10 seconds.
- @example
--qemu-img create -f qcow2 -o backing_file='json:@{"file.driver":"https",, "file.url":"https://user:password@@vsphere.example.com/folder/test/test-flat.vmdk?dcPath=Datacenter&dsName=datastore1",, "file.sslverify":"off",, "file.readahead":"64k"@}' /tmp/test.qcow2
-+qemu-img create -f qcow2 -o backing_file='json:@{"file.driver":"https",, "file.url":"https://user:password@@vsphere.example.com/folder/test/test-flat.vmdk?dcPath=Datacenter&dsName=datastore1",, "file.sslverify":"off",, "file.readahead":"64k",, "file.timeout":10@}' /tmp/test.qcow2
-
- qemu-system-x86_64 -drive file=/tmp/test.qcow2
- @end example
---
-2.0.4
-
diff --git a/0001-curl-Allow-a-cookie-or-cookies-to-be-sent-with-http-.patch b/0001-curl-Allow-a-cookie-or-cookies-to-be-sent-with-http-.patch
deleted file mode 100644
index 281cb42..0000000
--- a/0001-curl-Allow-a-cookie-or-cookies-to-be-sent-with-http-.patch
+++ /dev/null
@@ -1,126 +0,0 @@
-From a94f83d94fdf907680f068f1be7ad13d1f697067 Mon Sep 17 00:00:00 2001
-From: "Richard W.M. Jones" <rjones@redhat.com>
-Date: Fri, 29 Aug 2014 16:03:12 +0100
-Subject: [PATCH] curl: Allow a cookie or cookies to be sent with http/https
- requests.
-
-In order to access VMware ESX efficiently, we need to send a session
-cookie. This patch is very simple and just allows you to send that
-session cookie. It punts on the question of how you get the session
-cookie in the first place, but in practice you can just run a `curl'
-command against the server and extract the cookie that way.
-
-To use it, add file.cookie to the curl URL. For example:
-
-$ qemu-img info 'json: {
- "file.driver":"https",
- "file.url":"https://vcenter/folder/Windows%202003/Windows%202003-flat.vmdk?dcPath=Datacenter&dsName=datastore1",
- "file.sslverify":"off",
- "file.cookie":"vmware_soap_session=\"52a01262-bf93-ccce-d379-8dabb3e55560\""}'
-image: [...]
-file format: raw
-virtual size: 8.0G (8589934592 bytes)
-disk size: unavailable
-
-Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
----
- block/curl.c | 16 ++++++++++++++++
- qemu-options.hx | 5 +++++
- 2 files changed, 21 insertions(+)
-
-diff --git a/block/curl.c b/block/curl.c
-index 2698ae3..9051bc0 100644
---- a/block/curl.c
-+++ b/block/curl.c
-@@ -73,6 +73,7 @@ static CURLMcode __curl_multi_socket_action(CURLM *multi_handle,
- #define CURL_BLOCK_OPT_READAHEAD "readahead"
- #define CURL_BLOCK_OPT_SSLVERIFY "sslverify"
- #define CURL_BLOCK_OPT_TIMEOUT "timeout"
-+#define CURL_BLOCK_OPT_COOKIE "cookie"
-
- struct BDRVCURLState;
-
-@@ -112,6 +113,7 @@ typedef struct BDRVCURLState {
- size_t readahead_size;
- bool sslverify;
- int timeout;
-+ char *cookie;
- bool accept_range;
- AioContext *aio_context;
- } BDRVCURLState;
-@@ -385,6 +387,9 @@ static CURLState *curl_init_state(BDRVCURLState *s)
- curl_easy_setopt(state->curl, CURLOPT_URL, s->url);
- curl_easy_setopt(state->curl, CURLOPT_SSL_VERIFYPEER,
- (long) s->sslverify);
-+ if (s->cookie) {
-+ curl_easy_setopt(state->curl, CURLOPT_COOKIE, s->cookie);
-+ }
- curl_easy_setopt(state->curl, CURLOPT_TIMEOUT, s->timeout);
- curl_easy_setopt(state->curl, CURLOPT_WRITEFUNCTION,
- (void *)curl_read_cb);
-@@ -497,6 +502,11 @@ static QemuOptsList runtime_opts = {
- .type = QEMU_OPT_NUMBER,
- .help = "Curl timeout"
- },
-+ {
-+ .name = CURL_BLOCK_OPT_COOKIE,
-+ .type = QEMU_OPT_STRING,
-+ .help = "Pass the cookie or list of cookies with each request"
-+ },
- { /* end of list */ }
- },
- };
-@@ -509,6 +519,7 @@ static int curl_open(BlockDriverState *bs, QDict *options, int flags,
- QemuOpts *opts;
- Error *local_err = NULL;
- const char *file;
-+ const char *cookie;
- double d;
-
- static int inited = 0;
-@@ -538,6 +549,9 @@ static int curl_open(BlockDriverState *bs, QDict *options, int flags,
-
- s->sslverify = qemu_opt_get_bool(opts, CURL_BLOCK_OPT_SSLVERIFY, true);
-
-+ cookie = qemu_opt_get(opts, CURL_BLOCK_OPT_COOKIE);
-+ s->cookie = g_strdup(cookie);
-+
- file = qemu_opt_get(opts, CURL_BLOCK_OPT_URL);
- if (file == NULL) {
- error_setg(errp, "curl block driver requires an 'url' option");
-@@ -593,6 +607,7 @@ out:
- curl_easy_cleanup(state->curl);
- state->curl = NULL;
- out_noclean:
-+ g_free(s->cookie);
- g_free(s->url);
- qemu_opts_del(opts);
- return -EINVAL;
-@@ -695,6 +710,7 @@ static void curl_close(BlockDriverState *bs)
- DPRINTF("CURL: Close\n");
- curl_detach_aio_context(bs);
-
-+ g_free(s->cookie);
- g_free(s->url);
- }
-
-diff --git a/qemu-options.hx b/qemu-options.hx
-index 52d56f4..5479cf5 100644
---- a/qemu-options.hx
-+++ b/qemu-options.hx
-@@ -2352,6 +2352,11 @@ multiple of 512 bytes. It defaults to 256k.
- Whether to verify the remote server's certificate when connecting over SSL. It
- can have the value 'on' or 'off'. It defaults to 'on'.
-
-+@item cookie
-+Send this cookie (it can also be a list of cookies separated by ';') with
-+each outgoing request. Only supported when using protocols such as HTTP
-+which support cookies, otherwise ignored.
-+
- @item timeout
- Set the timeout in seconds of the CURL connection. This timeout is the time
- that CURL waits for a response from the remote server to get the size of the
---
-2.0.4
-
diff --git a/0001-curl-Don-t-deref-NULL-pointer-in-call-to-aio_poll.patch b/0001-curl-Don-t-deref-NULL-pointer-in-call-to-aio_poll.patch
deleted file mode 100644
index f8ef3c8..0000000
--- a/0001-curl-Don-t-deref-NULL-pointer-in-call-to-aio_poll.patch
+++ /dev/null
@@ -1,79 +0,0 @@
-From a2f468e48f8b6559ec9123e94948bc373b788941 Mon Sep 17 00:00:00 2001
-From: "Richard W.M. Jones" <rjones@redhat.com>
-Date: Thu, 28 Aug 2014 09:04:21 +0100
-Subject: [PATCH] curl: Don't deref NULL pointer in call to aio_poll.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-In commit 63f0f45f2e89b60ff8245fec81328ddfde42a303 the following
-mechanical change was made:
-
- if (!state) {
-- qemu_aio_wait();
-+ aio_poll(state->s->aio_context, true);
- }
-
-The new code now checks if state is NULL and then dereferences it
-('state->s') which is obviously incorrect.
-
-This commit replaces state->s->aio_context with
-bdrv_get_aio_context(bs), fixing this problem. The two other hunks
-are concerned with getting the BlockDriverState pointer bs to where it
-is needed.
-
-The original bug causes a segfault when using libguestfs to access a
-VMware vCenter Server and doing any kind of complex read-heavy
-operations. With this commit the segfault goes away.
-
-Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
-Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
-Reviewed-by: Benoît Canet <benoit.canet@nodalink.com>
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
----
- block/curl.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/block/curl.c b/block/curl.c
-index 9051bc0..0258339 100644
---- a/block/curl.c
-+++ b/block/curl.c
-@@ -357,7 +357,7 @@ static void curl_multi_timeout_do(void *arg)
- #endif
- }
-
--static CURLState *curl_init_state(BDRVCURLState *s)
-+static CURLState *curl_init_state(BlockDriverState *bs, BDRVCURLState *s)
- {
- CURLState *state = NULL;
- int i, j;
-@@ -375,7 +375,7 @@ static CURLState *curl_init_state(BDRVCURLState *s)
- break;
- }
- if (!state) {
-- aio_poll(state->s->aio_context, true);
-+ aio_poll(bdrv_get_aio_context(bs), true);
- }
- } while(!state);
-
-@@ -566,7 +566,7 @@ static int curl_open(BlockDriverState *bs, QDict *options, int flags,
- DPRINTF("CURL: Opening %s\n", file);
- s->aio_context = bdrv_get_aio_context(bs);
- s->url = g_strdup(file);
-- state = curl_init_state(s);
-+ state = curl_init_state(bs, s);
- if (!state)
- goto out_noclean;
-
-@@ -651,7 +651,7 @@ static void curl_readv_bh_cb(void *p)
- }
-
- // No cache found, so let's start a new request
-- state = curl_init_state(s);
-+ state = curl_init_state(acb->common.bs, s);
- if (!state) {
- acb->common.cb(acb->common.opaque, -EIO);
- qemu_aio_release(acb);
---
-2.0.4
-
diff --git a/0001-loader-Add-load_image_gzipped-function.patch b/0001-loader-Add-load_image_gzipped-function.patch
index 5be7cd9..4358d91 100644
--- a/0001-loader-Add-load_image_gzipped-function.patch
+++ b/0001-loader-Add-load_image_gzipped-function.patch
@@ -1,7 +1,7 @@
-From ddf2a3a69486376897ae654c8f1f0aa8cbae6c24 Mon Sep 17 00:00:00 2001
+From 031f135c71ab705914f378d19067d1f1f25e744f Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones" <rjones@redhat.com>
-Date: Mon, 4 Aug 2014 12:25:08 +0100
-Subject: [PATCH 1/2] loader: Add load_image_gzipped function.
+Date: Tue, 19 Aug 2014 18:56:28 +0100
+Subject: [PATCH] loader: Add load_image_gzipped function.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@@ -11,13 +11,20 @@ gzipped. It is uncompressed before storing it in guest memory.
Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Message-id: 1407831259-2115-2-git-send-email-rjones@redhat.com
+[PMM: removed stray space before ')']
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+
+(cherry picked from commit 235e74afcb85285a8e35e75f0cb6e6811267bb75)
---
hw/core/loader.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
include/hw/loader.h | 1 +
2 files changed, 49 insertions(+)
diff --git a/hw/core/loader.c b/hw/core/loader.c
-index 2bf6b8f..83136e8 100644
+index 2bf6b8f..0fde699 100644
--- a/hw/core/loader.c
+++ b/hw/core/loader.c
@@ -577,6 +577,54 @@ int load_ramdisk(const char *filename, hwaddr addr, uint64_t max_sz)
@@ -47,7 +54,7 @@ index 2bf6b8f..83136e8 100644
+ /* Is it a gzip-compressed file? */
+ if (len < 2 ||
+ compressed_data[0] != 0x1f ||
-+ compressed_data[1] != 0x8b ) {
++ compressed_data[1] != 0x8b) {
+ goto out;
+ }
+
@@ -87,6 +94,3 @@ index 796cbf9..00c9117 100644
#define ELF_LOAD_FAILED -1
#define ELF_LOAD_NOT_ELF -2
---
-2.0.4
-
diff --git a/0002-aarch64-Allow-kernel-option-to-take-a-gzip-compresse.patch b/0002-aarch64-Allow-kernel-option-to-take-a-gzip-compresse.patch
index d2521c1..1702946 100644
--- a/0002-aarch64-Allow-kernel-option-to-take-a-gzip-compresse.patch
+++ b/0002-aarch64-Allow-kernel-option-to-take-a-gzip-compresse.patch
@@ -1,7 +1,7 @@
-From fc77c3116f7e4b3400e576c51e73ade2edee350a Mon Sep 17 00:00:00 2001
+From 0f688b169496a2f85fe092eae3f385511946bf3f Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones" <rjones@redhat.com>
-Date: Tue, 29 Jul 2014 23:32:31 +0100
-Subject: [PATCH 2/2] aarch64: Allow -kernel option to take a gzip-compressed
+Date: Tue, 19 Aug 2014 18:56:28 +0100
+Subject: [PATCH] aarch64: Allow -kernel option to take a gzip-compressed
kernel.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
@@ -25,36 +25,25 @@ Currently this is only done when emulating aarch64.
Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Message-id: 1407831259-2115-3-git-send-email-rjones@redhat.com
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+(cherry picked from commit 6f5d3cbe8892367026526a7deed0ceecc700a7ad)
---
- hw/arm/boot.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
+ hw/arm/boot.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
diff --git a/hw/arm/boot.c b/hw/arm/boot.c
-index 1241761..c71c4d5 100644
+index 3d1f4a2..b7d60aa 100644
--- a/hw/arm/boot.c
+++ b/hw/arm/boot.c
-@@ -448,6 +448,7 @@ static void do_cpu_reset(void *opaque)
- void arm_load_kernel(ARMCPU *cpu, struct arm_boot_info *info)
- {
- CPUState *cs = CPU(cpu);
-+ int allow_compressed_kernels = 0;
- int kernel_size;
- int initrd_size;
- int is_linux = 0;
-@@ -469,6 +470,7 @@ void arm_load_kernel(ARMCPU *cpu, struct arm_boot_info *info)
- primary_loader = bootloader_aarch64;
- kernel_load_offset = KERNEL64_LOAD_ADDR;
- elf_machine = EM_AARCH64;
-+ allow_compressed_kernels = 1;
- } else {
- primary_loader = bootloader;
- kernel_load_offset = KERNEL_LOAD_ADDR;
-@@ -514,6 +516,13 @@ void arm_load_kernel(ARMCPU *cpu, struct arm_boot_info *info)
+@@ -510,6 +510,13 @@ void arm_load_kernel(ARMCPU *cpu, struct arm_boot_info *info)
kernel_size = load_uimage(info->kernel_filename, &entry, NULL,
&is_linux);
}
+ /* On aarch64, it's the bootloader's job to uncompress the kernel. */
-+ if (allow_compressed_kernels && kernel_size < 0) {
++ if (arm_feature(&cpu->env, ARM_FEATURE_AARCH64) && kernel_size < 0) {
+ entry = info->loader_start + kernel_load_offset;
+ kernel_size = load_image_gzipped(info->kernel_filename, entry,
+ info->ram_size - kernel_load_offset);
@@ -63,6 +52,3 @@ index 1241761..c71c4d5 100644
if (kernel_size < 0) {
entry = info->loader_start + kernel_load_offset;
kernel_size = load_image_targphys(info->kernel_filename, entry,
---
-2.0.4
-
diff --git a/0003-block.curl-adding-timeout-option.patch b/0003-block.curl-adding-timeout-option.patch
new file mode 100644
index 0000000..1cfbc69
--- /dev/null
+++ b/0003-block.curl-adding-timeout-option.patch
@@ -0,0 +1,113 @@
+From 04ca8ab4dfca981ab0f1f6744286e8a84e0fccca Mon Sep 17 00:00:00 2001
+From: Daniel Henrique Barboza <danielhb@linux.vnet.ibm.com>
+Date: Wed, 13 Aug 2014 12:44:27 -0300
+Subject: [PATCH] block.curl: adding 'timeout' option
+
+The curl hardcoded timeout (5 seconds) sometimes is not long
+enough depending on the remote server configuration and network
+traffic. The user should be able to set how much long he is
+willing to wait for the connection.
+
+Adding a new option to set this timeout gives the user this
+flexibility. The previous default timeout of 5 seconds will be
+used if this option is not present.
+
+Reviewed-by: Fam Zheng <famz@redhat.com>
+Signed-off-by: Daniel Henrique Barboza <danielhb@linux.vnet.ibm.com>
+Reviewed-by: Benoit Canet <benoit.canet@nodalink.com>
+Tested-by: Richard W.M. Jones <rjones@redhat.com>
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+(cherry picked from commit 212aefaa53d142baa9a22f5aadd2e72eb916c0c0)
+---
+ block/curl.c | 13 ++++++++++++-
+ qemu-options.hx | 10 ++++++++--
+ 2 files changed, 20 insertions(+), 3 deletions(-)
+
+diff --git a/block/curl.c b/block/curl.c
+index 79ff2f1..6f45547 100644
+--- a/block/curl.c
++++ b/block/curl.c
+@@ -63,6 +63,7 @@ static CURLMcode __curl_multi_socket_action(CURLM *multi_handle,
+ #define CURL_NUM_ACB 8
+ #define SECTOR_SIZE 512
+ #define READ_AHEAD_DEFAULT (256 * 1024)
++#define CURL_TIMEOUT_DEFAULT 5
+
+ #define FIND_RET_NONE 0
+ #define FIND_RET_OK 1
+@@ -71,6 +72,7 @@ static CURLMcode __curl_multi_socket_action(CURLM *multi_handle,
+ #define CURL_BLOCK_OPT_URL "url"
+ #define CURL_BLOCK_OPT_READAHEAD "readahead"
+ #define CURL_BLOCK_OPT_SSLVERIFY "sslverify"
++#define CURL_BLOCK_OPT_TIMEOUT "timeout"
+
+ struct BDRVCURLState;
+
+@@ -109,6 +111,7 @@ typedef struct BDRVCURLState {
+ char *url;
+ size_t readahead_size;
+ bool sslverify;
++ int timeout;
+ bool accept_range;
+ AioContext *aio_context;
+ } BDRVCURLState;
+@@ -382,7 +385,7 @@ static CURLState *curl_init_state(BDRVCURLState *s)
+ curl_easy_setopt(state->curl, CURLOPT_URL, s->url);
+ curl_easy_setopt(state->curl, CURLOPT_SSL_VERIFYPEER,
+ (long) s->sslverify);
+- curl_easy_setopt(state->curl, CURLOPT_TIMEOUT, 5);
++ curl_easy_setopt(state->curl, CURLOPT_TIMEOUT, s->timeout);
+ curl_easy_setopt(state->curl, CURLOPT_WRITEFUNCTION,
+ (void *)curl_read_cb);
+ curl_easy_setopt(state->curl, CURLOPT_WRITEDATA, (void *)state);
+@@ -489,6 +492,11 @@ static QemuOptsList runtime_opts = {
+ .type = QEMU_OPT_BOOL,
+ .help = "Verify SSL certificate"
+ },
++ {
++ .name = CURL_BLOCK_OPT_TIMEOUT,
++ .type = QEMU_OPT_NUMBER,
++ .help = "Curl timeout"
++ },
+ { /* end of list */ }
+ },
+ };
+@@ -525,6 +533,9 @@ static int curl_open(BlockDriverState *bs, QDict *options, int flags,
+ goto out_noclean;
+ }
+
++ s->timeout = qemu_opt_get_number(opts, CURL_BLOCK_OPT_TIMEOUT,
++ CURL_TIMEOUT_DEFAULT);
++
+ s->sslverify = qemu_opt_get_bool(opts, CURL_BLOCK_OPT_SSLVERIFY, true);
+
+ file = qemu_opt_get(opts, CURL_BLOCK_OPT_URL);
+diff --git a/qemu-options.hx b/qemu-options.hx
+index 1549625..dcb008b 100644
+--- a/qemu-options.hx
++++ b/qemu-options.hx
+@@ -2351,6 +2351,11 @@ multiple of 512 bytes. It defaults to 256k.
+ @item sslverify
+ Whether to verify the remote server's certificate when connecting over SSL. It
+ can have the value 'on' or 'off'. It defaults to 'on'.
++
++@item timeout
++Set the timeout in seconds of the CURL connection. This timeout is the time
++that CURL waits for a response from the remote server to get the size of the
++image to be downloaded. If not set, the default timeout of 5 seconds is used.
+ @end table
+
+ Note that when passing options to qemu explicitly, @option{driver} is the value
+@@ -2372,9 +2377,10 @@ qemu-system-x86_64 -drive file=/tmp/Fedora-x86_64-20-20131211.1-sda.qcow2,copy-o
+ @end example
+
+ Example: boot from an image stored on a VMware vSphere server with a self-signed
+-certificate using a local overlay for writes and a readahead of 64k
++certificate using a local overlay for writes, a readahead of 64k and a timeout
++of 10 seconds.
+ @example
+-qemu-img create -f qcow2 -o backing_file='json:@{"file.driver":"https",, "file.url":"https://user:password@@vsphere.example.com/folder/test/test-flat.vmdk?dcPath=Datacenter&dsName=datastore1",, "file.sslverify":"off",, "file.readahead":"64k"@}' /tmp/test.qcow2
++qemu-img create -f qcow2 -o backing_file='json:@{"file.driver":"https",, "file.url":"https://user:password@@vsphere.example.com/folder/test/test-flat.vmdk?dcPath=Datacenter&dsName=datastore1",, "file.sslverify":"off",, "file.readahead":"64k",, "file.timeout":10@}' /tmp/test.qcow2
+
+ qemu-system-x86_64 -drive file=/tmp/test.qcow2
+ @end example
diff --git a/0004-curl-Allow-a-cookie-or-cookies-to-be-sent-with-http-.patch b/0004-curl-Allow-a-cookie-or-cookies-to-be-sent-with-http-.patch
new file mode 100644
index 0000000..345b94d
--- /dev/null
+++ b/0004-curl-Allow-a-cookie-or-cookies-to-be-sent-with-http-.patch
@@ -0,0 +1,124 @@
+From dde3e0ef0b9f2ffd68b6bd348ccb46d8fb35f84c Mon Sep 17 00:00:00 2001
+From: "Richard W.M. Jones" <rjones@redhat.com>
+Date: Fri, 29 Aug 2014 16:03:12 +0100
+Subject: [PATCH] curl: Allow a cookie or cookies to be sent with http/https
+ requests.
+
+In order to access VMware ESX efficiently, we need to send a session
+cookie. This patch is very simple and just allows you to send that
+session cookie. It punts on the question of how you get the session
+cookie in the first place, but in practice you can just run a `curl'
+command against the server and extract the cookie that way.
+
+To use it, add file.cookie to the curl URL. For example:
+
+$ qemu-img info 'json: {
+ "file.driver":"https",
+ "file.url":"https://vcenter/folder/Windows%202003/Windows%202003-flat.vmdk?dcPath=Datacenter&dsName=datastore1",
+ "file.sslverify":"off",
+ "file.cookie":"vmware_soap_session=\"52a01262-bf93-ccce-d379-8dabb3e55560\""}'
+image: [...]
+file format: raw
+virtual size: 8.0G (8589934592 bytes)
+disk size: unavailable
+
+Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+(cherry picked from commit a94f83d94fdf907680f068f1be7ad13d1f697067)
+---
+ block/curl.c | 16 ++++++++++++++++
+ qemu-options.hx | 5 +++++
+ 2 files changed, 21 insertions(+)
+
+diff --git a/block/curl.c b/block/curl.c
+index 6f45547..537e257 100644
+--- a/block/curl.c
++++ b/block/curl.c
+@@ -73,6 +73,7 @@ static CURLMcode __curl_multi_socket_action(CURLM *multi_handle,
+ #define CURL_BLOCK_OPT_READAHEAD "readahead"
+ #define CURL_BLOCK_OPT_SSLVERIFY "sslverify"
+ #define CURL_BLOCK_OPT_TIMEOUT "timeout"
++#define CURL_BLOCK_OPT_COOKIE "cookie"
+
+ struct BDRVCURLState;
+
+@@ -112,6 +113,7 @@ typedef struct BDRVCURLState {
+ size_t readahead_size;
+ bool sslverify;
+ int timeout;
++ char *cookie;
+ bool accept_range;
+ AioContext *aio_context;
+ } BDRVCURLState;
+@@ -385,6 +387,9 @@ static CURLState *curl_init_state(BDRVCURLState *s)
+ curl_easy_setopt(state->curl, CURLOPT_URL, s->url);
+ curl_easy_setopt(state->curl, CURLOPT_SSL_VERIFYPEER,
+ (long) s->sslverify);
++ if (s->cookie) {
++ curl_easy_setopt(state->curl, CURLOPT_COOKIE, s->cookie);
++ }
+ curl_easy_setopt(state->curl, CURLOPT_TIMEOUT, s->timeout);
+ curl_easy_setopt(state->curl, CURLOPT_WRITEFUNCTION,
+ (void *)curl_read_cb);
+@@ -497,6 +502,11 @@ static QemuOptsList runtime_opts = {
+ .type = QEMU_OPT_NUMBER,
+ .help = "Curl timeout"
+ },
++ {
++ .name = CURL_BLOCK_OPT_COOKIE,
++ .type = QEMU_OPT_STRING,
++ .help = "Pass the cookie or list of cookies with each request"
++ },
+ { /* end of list */ }
+ },
+ };
+@@ -509,6 +519,7 @@ static int curl_open(BlockDriverState *bs, QDict *options, int flags,
+ QemuOpts *opts;
+ Error *local_err = NULL;
+ const char *file;
++ const char *cookie;
+ double d;
+
+ static int inited = 0;
+@@ -538,6 +549,9 @@ static int curl_open(BlockDriverState *bs, QDict *options, int flags,
+
+ s->sslverify = qemu_opt_get_bool(opts, CURL_BLOCK_OPT_SSLVERIFY, true);
+
++ cookie = qemu_opt_get(opts, CURL_BLOCK_OPT_COOKIE);
++ s->cookie = g_strdup(cookie);
++
+ file = qemu_opt_get(opts, CURL_BLOCK_OPT_URL);
+ if (file == NULL) {
+ error_setg(errp, "curl block driver requires an 'url' option");
+@@ -593,6 +607,7 @@ out:
+ curl_easy_cleanup(state->curl);
+ state->curl = NULL;
+ out_noclean:
++ g_free(s->cookie);
+ g_free(s->url);
+ qemu_opts_del(opts);
+ return -EINVAL;
+@@ -689,6 +704,7 @@ static void curl_close(BlockDriverState *bs)
+ DPRINTF("CURL: Close\n");
+ curl_detach_aio_context(bs);
+
++ g_free(s->cookie);
+ g_free(s->url);
+ }
+
+diff --git a/qemu-options.hx b/qemu-options.hx
+index dcb008b..53b6171 100644
+--- a/qemu-options.hx
++++ b/qemu-options.hx
+@@ -2352,6 +2352,11 @@ multiple of 512 bytes. It defaults to 256k.
+ Whether to verify the remote server's certificate when connecting over SSL. It
+ can have the value 'on' or 'off'. It defaults to 'on'.
+
++@item cookie
++Send this cookie (it can also be a list of cookies separated by ';') with
++each outgoing request. Only supported when using protocols such as HTTP
++which support cookies, otherwise ignored.
++
+ @item timeout
+ Set the timeout in seconds of the CURL connection. This timeout is the time
+ that CURL waits for a response from the remote server to get the size of the
diff --git a/0005-curl-Don-t-deref-NULL-pointer-in-call-to-aio_poll.patch b/0005-curl-Don-t-deref-NULL-pointer-in-call-to-aio_poll.patch
new file mode 100644
index 0000000..594dc3f
--- /dev/null
+++ b/0005-curl-Don-t-deref-NULL-pointer-in-call-to-aio_poll.patch
@@ -0,0 +1,77 @@
+From 1ea3e3a38b5bdb144a7206654c51f8f4768077f3 Mon Sep 17 00:00:00 2001
+From: "Richard W.M. Jones" <rjones@redhat.com>
+Date: Thu, 28 Aug 2014 09:04:21 +0100
+Subject: [PATCH] curl: Don't deref NULL pointer in call to aio_poll.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+In commit 63f0f45f2e89b60ff8245fec81328ddfde42a303 the following
+mechanical change was made:
+
+ if (!state) {
+- qemu_aio_wait();
++ aio_poll(state->s->aio_context, true);
+ }
+
+The new code now checks if state is NULL and then dereferences it
+('state->s') which is obviously incorrect.
+
+This commit replaces state->s->aio_context with
+bdrv_get_aio_context(bs), fixing this problem. The two other hunks
+are concerned with getting the BlockDriverState pointer bs to where it
+is needed.
+
+The original bug causes a segfault when using libguestfs to access a
+VMware vCenter Server and doing any kind of complex read-heavy
+operations. With this commit the segfault goes away.
+
+Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
+Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
+Reviewed-by: Benoît Canet <benoit.canet@nodalink.com>
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+(cherry picked from commit a2f468e48f8b6559ec9123e94948bc373b788941)
+---
+ block/curl.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/block/curl.c b/block/curl.c
+index 537e257..d28b701 100644
+--- a/block/curl.c
++++ b/block/curl.c
+@@ -357,7 +357,7 @@ static void curl_multi_timeout_do(void *arg)
+ #endif
+ }
+
+-static CURLState *curl_init_state(BDRVCURLState *s)
++static CURLState *curl_init_state(BlockDriverState *bs, BDRVCURLState *s)
+ {
+ CURLState *state = NULL;
+ int i, j;
+@@ -375,7 +375,7 @@ static CURLState *curl_init_state(BDRVCURLState *s)
+ break;
+ }
+ if (!state) {
+- aio_poll(state->s->aio_context, true);
++ aio_poll(bdrv_get_aio_context(bs), true);
+ }
+ } while(!state);
+
+@@ -566,7 +566,7 @@ static int curl_open(BlockDriverState *bs, QDict *options, int flags,
+ DPRINTF("CURL: Opening %s\n", file);
+ s->aio_context = bdrv_get_aio_context(bs);
+ s->url = g_strdup(file);
+- state = curl_init_state(s);
++ state = curl_init_state(bs, s);
+ if (!state)
+ goto out_noclean;
+
+@@ -651,7 +651,7 @@ static void curl_readv_bh_cb(void *p)
+ }
+
+ // No cache found, so let's start a new request
+- state = curl_init_state(s);
++ state = curl_init_state(acb->common.bs, s);
+ if (!state) {
+ acb->common.cb(acb->common.opaque, -EIO);
+ qemu_aio_release(acb);
diff --git a/qemu.spec b/qemu.spec
index 6a01fff..17a44eb 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -151,8 +151,8 @@
Summary: QEMU is a FAST! processor emulator
Name: qemu
-Version: 2.1.0
-Release: 6%{?dist}
+Version: 2.1.1
+Release: 1%{?dist}
Epoch: 2
License: GPLv2+ and LGPLv2+ and BSD
Group: Development/Tools
@@ -192,16 +192,13 @@ Source12: bridge.conf
# qemu-kvm back compat wrapper
Source13: qemu-kvm.sh
-# Upstream commit: 235e74afcb85285a8e35e75f0cb6e6811267bb75
-Patch1: 0001-loader-Add-load_image_gzipped-function.patch
-# Upstream commit: 6f5d3cbe8892367026526a7deed0ceecc700a7ad
-Patch2: 0002-aarch64-Allow-kernel-option-to-take-a-gzip-compresse.patch
-# Upstream commit: 212aefaa53d142baa9a22f5aadd2e72eb916c0c0
-Patch3: 0001-block.curl-adding-timeout-option.patch
-# Upstream commit: a94f83d94fdf907680f068f1be7ad13d1f697067
-Patch4: 0001-curl-Allow-a-cookie-or-cookies-to-be-sent-with-http-.patch
-# Upstream commit: a2f468e48f8b6559ec9123e94948bc373b788941
-Patch5: 0001-curl-Don-t-deref-NULL-pointer-in-call-to-aio_poll.patch
+# Allow aarch64 to boot compressed kernel
+Patch0001: 0001-loader-Add-load_image_gzipped-function.patch
+Patch0002: 0002-aarch64-Allow-kernel-option-to-take-a-gzip-compresse.patch
+# Fix crash in curl driver
+Patch0003: 0003-block.curl-adding-timeout-option.patch
+Patch0004: 0004-curl-Allow-a-cookie-or-cookies-to-be-sent-with-http-.patch
+Patch0005: 0005-curl-Don-t-deref-NULL-pointer-in-call-to-aio_poll.patch
BuildRequires: SDL2-devel
BuildRequires: zlib-devel
@@ -727,11 +724,13 @@ CAC emulation development files.
%prep
%setup -q
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
-%patch4 -p1
-%patch5 -p1
+# Allow aarch64 to boot compressed kernel
+%patch0001 -p1
+%patch0002 -p1
+# Fix crash in curl driver
+%patch0003 -p1
+%patch0004 -p1
+%patch0005 -p1
%build
@@ -1511,6 +1510,12 @@ getent passwd qemu >/dev/null || \
%endif
%changelog
+* Thu Sep 11 2014 Cole Robinson <crobinso@redhat.com> - 2:2.1.1-1
+- Rebased to version 2.1.1
+- CVE-2014-5388: out of bounds memory access (bz #1132962, bz #1132956)
+- CVE-2014-3615 crash when guest sets high resolution (bz #1139121, bz
+ #1139115)
+
* Wed Sep 3 2014 Richard W.M. Jones <rjones@redhat.com> 2:2.1.0-6
- Add upstream patches to:
* Fix crash in curl driver.
diff --git a/sources b/sources
index 1db3d6d..bb54534 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-6726977292b448cbc7f89998fac6983b qemu-2.1.0.tar.bz2
+78b1b51bfa2eee424e1bfdf3b66daa64 qemu-2.1.1.tar.bz2