diff --git a/0001-target-ppc-fix-vcipher-vcipherlast-vncipherlast-and-.patch b/0001-target-ppc-fix-vcipher-vcipherlast-vncipherlast-and-.patch
new file mode 100644
index 0000000..9401ea7
--- /dev/null
+++ b/0001-target-ppc-fix-vcipher-vcipherlast-vncipherlast-and-.patch
@@ -0,0 +1,94 @@
+From: Aurelien Jarno <aurelien@aurel32.net>
+Date: Sun, 13 Sep 2015 23:03:44 +0200
+Subject: [PATCH] target-ppc: fix vcipher, vcipherlast, vncipherlast and
+ vpermxor
+
+For vector instructions, the helpers get pointers to the vector register
+in arguments. Some operands might point to the same register, including
+the operand holding the result.
+
+When emulating instructions which access the vector elements in a
+non-linear way, we need to store the result in an temporary variable.
+
+This fixes openssl when emulating a POWER8 CPU.
+
+Cc: Tom Musta <tommusta@gmail.com>
+Cc: Alexander Graf <agraf@suse.de>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
+---
+ target-ppc/int_helper.c | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/target-ppc/int_helper.c b/target-ppc/int_helper.c
+index 0a55d5e..b122868 100644
+--- a/target-ppc/int_helper.c
++++ b/target-ppc/int_helper.c
+@@ -2327,24 +2327,28 @@ void helper_vsbox(ppc_avr_t *r, ppc_avr_t *a)
+
+ void helper_vcipher(ppc_avr_t *r, ppc_avr_t *a, ppc_avr_t *b)
+ {
++ ppc_avr_t result;
+ int i;
+
+ VECTOR_FOR_INORDER_I(i, u32) {
+- r->AVRW(i) = b->AVRW(i) ^
++ result.AVRW(i) = b->AVRW(i) ^
+ (AES_Te0[a->AVRB(AES_shifts[4*i + 0])] ^
+ AES_Te1[a->AVRB(AES_shifts[4*i + 1])] ^
+ AES_Te2[a->AVRB(AES_shifts[4*i + 2])] ^
+ AES_Te3[a->AVRB(AES_shifts[4*i + 3])]);
+ }
++ *r = result;
+ }
+
+ void helper_vcipherlast(ppc_avr_t *r, ppc_avr_t *a, ppc_avr_t *b)
+ {
++ ppc_avr_t result;
+ int i;
+
+ VECTOR_FOR_INORDER_I(i, u8) {
+- r->AVRB(i) = b->AVRB(i) ^ (AES_sbox[a->AVRB(AES_shifts[i])]);
++ result.AVRB(i) = b->AVRB(i) ^ (AES_sbox[a->AVRB(AES_shifts[i])]);
+ }
++ *r = result;
+ }
+
+ void helper_vncipher(ppc_avr_t *r, ppc_avr_t *a, ppc_avr_t *b)
+@@ -2369,11 +2373,13 @@ void helper_vncipher(ppc_avr_t *r, ppc_avr_t *a, ppc_avr_t *b)
+
+ void helper_vncipherlast(ppc_avr_t *r, ppc_avr_t *a, ppc_avr_t *b)
+ {
++ ppc_avr_t result;
+ int i;
+
+ VECTOR_FOR_INORDER_I(i, u8) {
+- r->AVRB(i) = b->AVRB(i) ^ (AES_isbox[a->AVRB(AES_ishifts[i])]);
++ result.AVRB(i) = b->AVRB(i) ^ (AES_isbox[a->AVRB(AES_ishifts[i])]);
+ }
++ *r = result;
+ }
+
+ #define ROTRu32(v, n) (((v) >> (n)) | ((v) << (32-n)))
+@@ -2460,16 +2466,19 @@ void helper_vshasigmad(ppc_avr_t *r, ppc_avr_t *a, uint32_t st_six)
+
+ void helper_vpermxor(ppc_avr_t *r, ppc_avr_t *a, ppc_avr_t *b, ppc_avr_t *c)
+ {
++ ppc_avr_t result;
+ int i;
++
+ VECTOR_FOR_INORDER_I(i, u8) {
+ int indexA = c->u8[i] >> 4;
+ int indexB = c->u8[i] & 0xF;
+ #if defined(HOST_WORDS_BIGENDIAN)
+- r->u8[i] = a->u8[indexA] ^ b->u8[indexB];
++ result.u8[i] = a->u8[indexA] ^ b->u8[indexB];
+ #else
+- r->u8[i] = a->u8[15-indexA] ^ b->u8[15-indexB];
++ result.u8[i] = a->u8[15-indexA] ^ b->u8[15-indexB];
+ #endif
+ }
++ *r = result;
+ }
+
+ #undef VECTOR_FOR_INORDER_I
diff --git a/0001-vnc-fix-memory-corruption-CVE-2015-5225.patch b/0001-vnc-fix-memory-corruption-CVE-2015-5225.patch
deleted file mode 100644
index fbe778b..0000000
--- a/0001-vnc-fix-memory-corruption-CVE-2015-5225.patch
+++ /dev/null
@@ -1,79 +0,0 @@
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Mon, 17 Aug 2015 19:56:53 +0200
-Subject: [PATCH] vnc: fix memory corruption (CVE-2015-5225)
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The _cmp_bytes variable added by commit "bea60dd ui/vnc: fix potential
-memory corruption issues" can become negative. Result is (possibly
-exploitable) memory corruption. Reason for that is it uses the stride
-instead of bytes per scanline to apply limits.
-
-For the server surface is is actually fine. vnc creates that itself,
-there is never any padding and thus scanline length always equals stride.
-
-For the guest surface scanline length and stride are typically identical
-too, but it doesn't has to be that way. So add and use a new variable
-(guest_ll) for the guest scanline length. Also rename min_stride to
-line_bytes to make more clear what it actually is. Finally sprinkle
-in an assert() to make sure we never use a negative _cmp_bytes again.
-
-Reported-by: 范祚至(库特) <zuozhi.fzz@alibaba-inc.com>
-Reviewed-by: P J P <ppandit@redhat.com>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-(cherry picked from commit eb8934b0418b3b1d125edddc4fc334a54334a49b)
----
- ui/vnc.c | 15 ++++++++++-----
- 1 file changed, 10 insertions(+), 5 deletions(-)
-
-diff --git a/ui/vnc.c b/ui/vnc.c
-index e26973a..caf82f5 100644
---- a/ui/vnc.c
-+++ b/ui/vnc.c
-@@ -2872,7 +2872,7 @@ static int vnc_refresh_server_surface(VncDisplay *vd)
- pixman_image_get_width(vd->server));
- int height = MIN(pixman_image_get_height(vd->guest.fb),
- pixman_image_get_height(vd->server));
-- int cmp_bytes, server_stride, min_stride, guest_stride, y = 0;
-+ int cmp_bytes, server_stride, line_bytes, guest_ll, guest_stride, y = 0;
- uint8_t *guest_row0 = NULL, *server_row0;
- VncState *vs;
- int has_dirty = 0;
-@@ -2891,17 +2891,21 @@ static int vnc_refresh_server_surface(VncDisplay *vd)
- * Update server dirty map.
- */
- server_row0 = (uint8_t *)pixman_image_get_data(vd->server);
-- server_stride = guest_stride = pixman_image_get_stride(vd->server);
-+ server_stride = guest_stride = guest_ll =
-+ pixman_image_get_stride(vd->server);
- cmp_bytes = MIN(VNC_DIRTY_PIXELS_PER_BIT * VNC_SERVER_FB_BYTES,
- server_stride);
- if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
- int width = pixman_image_get_width(vd->server);
- tmpbuf = qemu_pixman_linebuf_create(VNC_SERVER_FB_FORMAT, width);
- } else {
-+ int guest_bpp =
-+ PIXMAN_FORMAT_BPP(pixman_image_get_format(vd->guest.fb));
- guest_row0 = (uint8_t *)pixman_image_get_data(vd->guest.fb);
- guest_stride = pixman_image_get_stride(vd->guest.fb);
-+ guest_ll = pixman_image_get_width(vd->guest.fb) * ((guest_bpp + 7) / 8);
- }
-- min_stride = MIN(server_stride, guest_stride);
-+ line_bytes = MIN(server_stride, guest_ll);
-
- for (;;) {
- int x;
-@@ -2932,9 +2936,10 @@ static int vnc_refresh_server_surface(VncDisplay *vd)
- if (!test_and_clear_bit(x, vd->guest.dirty[y])) {
- continue;
- }
-- if ((x + 1) * cmp_bytes > min_stride) {
-- _cmp_bytes = min_stride - x * cmp_bytes;
-+ if ((x + 1) * cmp_bytes > line_bytes) {
-+ _cmp_bytes = line_bytes - x * cmp_bytes;
- }
-+ assert(_cmp_bytes >= 0);
- if (memcmp(server_ptr, guest_ptr, _cmp_bytes) == 0) {
- continue;
- }
diff --git a/0002-target-ppc-fix-vcipher-vcipherlast-vncipherlast-and-.patch b/0002-target-ppc-fix-vcipher-vcipherlast-vncipherlast-and-.patch
deleted file mode 100644
index 9401ea7..0000000
--- a/0002-target-ppc-fix-vcipher-vcipherlast-vncipherlast-and-.patch
+++ /dev/null
@@ -1,94 +0,0 @@
-From: Aurelien Jarno <aurelien@aurel32.net>
-Date: Sun, 13 Sep 2015 23:03:44 +0200
-Subject: [PATCH] target-ppc: fix vcipher, vcipherlast, vncipherlast and
- vpermxor
-
-For vector instructions, the helpers get pointers to the vector register
-in arguments. Some operands might point to the same register, including
-the operand holding the result.
-
-When emulating instructions which access the vector elements in a
-non-linear way, we need to store the result in an temporary variable.
-
-This fixes openssl when emulating a POWER8 CPU.
-
-Cc: Tom Musta <tommusta@gmail.com>
-Cc: Alexander Graf <agraf@suse.de>
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
----
- target-ppc/int_helper.c | 19 ++++++++++++++-----
- 1 file changed, 14 insertions(+), 5 deletions(-)
-
-diff --git a/target-ppc/int_helper.c b/target-ppc/int_helper.c
-index 0a55d5e..b122868 100644
---- a/target-ppc/int_helper.c
-+++ b/target-ppc/int_helper.c
-@@ -2327,24 +2327,28 @@ void helper_vsbox(ppc_avr_t *r, ppc_avr_t *a)
-
- void helper_vcipher(ppc_avr_t *r, ppc_avr_t *a, ppc_avr_t *b)
- {
-+ ppc_avr_t result;
- int i;
-
- VECTOR_FOR_INORDER_I(i, u32) {
-- r->AVRW(i) = b->AVRW(i) ^
-+ result.AVRW(i) = b->AVRW(i) ^
- (AES_Te0[a->AVRB(AES_shifts[4*i + 0])] ^
- AES_Te1[a->AVRB(AES_shifts[4*i + 1])] ^
- AES_Te2[a->AVRB(AES_shifts[4*i + 2])] ^
- AES_Te3[a->AVRB(AES_shifts[4*i + 3])]);
- }
-+ *r = result;
- }
-
- void helper_vcipherlast(ppc_avr_t *r, ppc_avr_t *a, ppc_avr_t *b)
- {
-+ ppc_avr_t result;
- int i;
-
- VECTOR_FOR_INORDER_I(i, u8) {
-- r->AVRB(i) = b->AVRB(i) ^ (AES_sbox[a->AVRB(AES_shifts[i])]);
-+ result.AVRB(i) = b->AVRB(i) ^ (AES_sbox[a->AVRB(AES_shifts[i])]);
- }
-+ *r = result;
- }
-
- void helper_vncipher(ppc_avr_t *r, ppc_avr_t *a, ppc_avr_t *b)
-@@ -2369,11 +2373,13 @@ void helper_vncipher(ppc_avr_t *r, ppc_avr_t *a, ppc_avr_t *b)
-
- void helper_vncipherlast(ppc_avr_t *r, ppc_avr_t *a, ppc_avr_t *b)
- {
-+ ppc_avr_t result;
- int i;
-
- VECTOR_FOR_INORDER_I(i, u8) {
-- r->AVRB(i) = b->AVRB(i) ^ (AES_isbox[a->AVRB(AES_ishifts[i])]);
-+ result.AVRB(i) = b->AVRB(i) ^ (AES_isbox[a->AVRB(AES_ishifts[i])]);
- }
-+ *r = result;
- }
-
- #define ROTRu32(v, n) (((v) >> (n)) | ((v) << (32-n)))
-@@ -2460,16 +2466,19 @@ void helper_vshasigmad(ppc_avr_t *r, ppc_avr_t *a, uint32_t st_six)
-
- void helper_vpermxor(ppc_avr_t *r, ppc_avr_t *a, ppc_avr_t *b, ppc_avr_t *c)
- {
-+ ppc_avr_t result;
- int i;
-+
- VECTOR_FOR_INORDER_I(i, u8) {
- int indexA = c->u8[i] >> 4;
- int indexB = c->u8[i] & 0xF;
- #if defined(HOST_WORDS_BIGENDIAN)
-- r->u8[i] = a->u8[indexA] ^ b->u8[indexB];
-+ result.u8[i] = a->u8[indexA] ^ b->u8[indexB];
- #else
-- r->u8[i] = a->u8[15-indexA] ^ b->u8[15-indexB];
-+ result.u8[i] = a->u8[15-indexA] ^ b->u8[15-indexB];
- #endif
- }
-+ *r = result;
- }
-
- #undef VECTOR_FOR_INORDER_I
diff --git a/0002-target-ppc-fix-xscmpodp-and-xscmpudp-decoding.patch b/0002-target-ppc-fix-xscmpodp-and-xscmpudp-decoding.patch
new file mode 100644
index 0000000..2d2f370
--- /dev/null
+++ b/0002-target-ppc-fix-xscmpodp-and-xscmpudp-decoding.patch
@@ -0,0 +1,49 @@
+From: Aurelien Jarno <aurelien@aurel32.net>
+Date: Sun, 13 Sep 2015 23:03:45 +0200
+Subject: [PATCH] target-ppc: fix xscmpodp and xscmpudp decoding
+
+The xscmpodp and xscmpudp instructions only have the AX, BX bits in
+there encoding, the lowest bit (usually TX) is marked as an invalid
+bit. We therefore can't decode them with GEN_XX2FORM, which decodes
+the two lowest bit.
+
+Introduce a new form GEN_XX2FORM, which decodes AX and BX and mark
+the lowest bit as invalid.
+
+Cc: Tom Musta <tommusta@gmail.com>
+Cc: Alexander Graf <agraf@suse.de>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
+---
+ target-ppc/translate.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/target-ppc/translate.c b/target-ppc/translate.c
+index 84c5cea..c0eed13 100644
+--- a/target-ppc/translate.c
++++ b/target-ppc/translate.c
+@@ -10670,6 +10670,13 @@ GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 1, opc3, 0, PPC_NONE, fl2), \
+ GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 2, opc3, 0, PPC_NONE, fl2), \
+ GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 3, opc3, 0, PPC_NONE, fl2)
+
++#undef GEN_XX2IFORM
++#define GEN_XX2IFORM(name, opc2, opc3, fl2) \
++GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 0, opc3, 1, PPC_NONE, fl2), \
++GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 1, opc3, 1, PPC_NONE, fl2), \
++GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 2, opc3, 1, PPC_NONE, fl2), \
++GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 3, opc3, 1, PPC_NONE, fl2)
++
+ #undef GEN_XX3_RC_FORM
+ #define GEN_XX3_RC_FORM(name, opc2, opc3, fl2) \
+ GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 0x00, opc3 | 0x00, 0, PPC_NONE, fl2), \
+@@ -10731,8 +10738,8 @@ GEN_XX3FORM(xsnmaddadp, 0x04, 0x14, PPC2_VSX),
+ GEN_XX3FORM(xsnmaddmdp, 0x04, 0x15, PPC2_VSX),
+ GEN_XX3FORM(xsnmsubadp, 0x04, 0x16, PPC2_VSX),
+ GEN_XX3FORM(xsnmsubmdp, 0x04, 0x17, PPC2_VSX),
+-GEN_XX2FORM(xscmpodp, 0x0C, 0x05, PPC2_VSX),
+-GEN_XX2FORM(xscmpudp, 0x0C, 0x04, PPC2_VSX),
++GEN_XX2IFORM(xscmpodp, 0x0C, 0x05, PPC2_VSX),
++GEN_XX2IFORM(xscmpudp, 0x0C, 0x04, PPC2_VSX),
+ GEN_XX3FORM(xsmaxdp, 0x00, 0x14, PPC2_VSX),
+ GEN_XX3FORM(xsmindp, 0x00, 0x15, PPC2_VSX),
+ GEN_XX2FORM(xscvdpsp, 0x12, 0x10, PPC2_VSX),
diff --git a/0003-ide-fix-ATAPI-command-permissions.patch b/0003-ide-fix-ATAPI-command-permissions.patch
new file mode 100644
index 0000000..7afc084
--- /dev/null
+++ b/0003-ide-fix-ATAPI-command-permissions.patch
@@ -0,0 +1,141 @@
+From: John Snow <jsnow@redhat.com>
+Date: Thu, 17 Sep 2015 14:17:05 -0400
+Subject: [PATCH] ide: fix ATAPI command permissions
+
+We're a little too lenient with what we'll let an ATAPI drive handle.
+Clamp down on the IDE command execution table to remove CD_OK permissions
+from commands that are not and have never been ATAPI commands.
+
+For ATAPI command validity, please see:
+- ATA4 Section 6.5 ("PACKET Command feature set")
+- ATA8/ACS Section 4.3 ("The PACKET feature set")
+- ACS3 Section 4.3 ("The PACKET feature set")
+
+ACS3 has a historical command validity table in Table B.4
+("Historical Command Assignments") that can be referenced to find when
+a command was introduced, deprecated, obsoleted, etc.
+
+The only reference for ATAPI command validity is by checking that
+version's PACKET feature set section.
+
+ATAPI was introduced by T13 into ATA4, all commands retired prior to ATA4
+therefore are assumed to have never been ATAPI commands.
+
+Mandatory commands, as listed in ATA8-ACS3, are:
+
+- DEVICE RESET
+- EXECUTE DEVICE DIAGNOSTIC
+- IDENTIFY DEVICE
+- IDENTIFY PACKET DEVICE
+- NOP
+- PACKET
+- READ SECTOR(S)
+- SET FEATURES
+
+Optional commands as listed in ATA8-ACS3, are:
+
+- FLUSH CACHE
+- READ LOG DMA EXT
+- READ LOG EXT
+- WRITE LOG DMA EXT
+- WRITE LOG EXT
+
+All other commands are illegal to send to an ATAPI device and should
+be rejected by the device.
+
+CD_OK removal justifications:
+
+0x06 WIN_DSM Defined in ACS2. Not valid for ATAPI.
+0x21 WIN_READ_ONCE Retired in ATA5. Not ATAPI in ATA4.
+0x94 WIN_STANDBYNOW2 Retired in ATA4. Did not coexist with ATAPI.
+0x95 WIN_IDLEIMMEDIATE2 Retired in ATA4. Did not coexist with ATAPI.
+0x96 WIN_STANDBY2 Retired in ATA4. Did not coexist with ATAPI.
+0x97 WIN_SETIDLE2 Retired in ATA4. Did not coexist with ATAPI.
+0x98 WIN_CHECKPOWERMODE2 Retired in ATA4. Did not coexist with ATAPI.
+0x99 WIN_SLEEPNOW2 Retired in ATA4. Did not coexist with ATAPI.
+0xE0 WIN_STANDBYNOW1 Not part of ATAPI in ATA4, ACS or ACS3.
+0xE1 WIN_IDLEIMMDIATE Not part of ATAPI in ATA4, ACS or ACS3.
+0xE2 WIN_STANDBY Not part of ATAPI in ATA4, ACS or ACS3.
+0xE3 WIN_SETIDLE1 Not part of ATAPI in ATA4, ACS or ACS3.
+0xE4 WIN_CHECKPOWERMODE1 Not part of ATAPI in ATA4, ACS or ACS3.
+0xE5 WIN_SLEEPNOW1 Not part of ATAPI in ATA4, ACS or ACS3.
+0xF8 WIN_READ_NATIVE_MAX Obsoleted in ACS3. Not ATAPI in ATA4 or ACS.
+
+This patch fixes a divide by zero fault that can be caused by sending
+the WIN_READ_NATIVE_MAX command to an ATAPI drive, which causes it to
+attempt to use zeroed CHS values to perform sector arithmetic.
+
+Reported-by: Qinghao Tang <luodalongde@gmail.com>
+Signed-off-by: John Snow <jsnow@redhat.com>
+Reviewed-by: Markus Armbruster <armbru@redhat.com>
+Message-id: 1441816082-21031-1-git-send-email-jsnow@redhat.com
+CC: qemu-stable@nongnu.org
+(cherry picked from commit d9033e1d3aa666c5071580617a57bd853c5d794a)
+---
+ hw/ide/core.c | 30 +++++++++++++++---------------
+ 1 file changed, 15 insertions(+), 15 deletions(-)
+
+diff --git a/hw/ide/core.c b/hw/ide/core.c
+index 50449ca..71caea9 100644
+--- a/hw/ide/core.c
++++ b/hw/ide/core.c
+@@ -1747,11 +1747,11 @@ static const struct {
+ } ide_cmd_table[0x100] = {
+ /* NOP not implemented, mandatory for CD */
+ [CFA_REQ_EXT_ERROR_CODE] = { cmd_cfa_req_ext_error_code, CFA_OK },
+- [WIN_DSM] = { cmd_data_set_management, ALL_OK },
++ [WIN_DSM] = { cmd_data_set_management, HD_CFA_OK },
+ [WIN_DEVICE_RESET] = { cmd_device_reset, CD_OK },
+ [WIN_RECAL] = { cmd_nop, HD_CFA_OK | SET_DSC},
+ [WIN_READ] = { cmd_read_pio, ALL_OK },
+- [WIN_READ_ONCE] = { cmd_read_pio, ALL_OK },
++ [WIN_READ_ONCE] = { cmd_read_pio, HD_CFA_OK },
+ [WIN_READ_EXT] = { cmd_read_pio, HD_CFA_OK },
+ [WIN_READDMA_EXT] = { cmd_read_dma, HD_CFA_OK },
+ [WIN_READ_NATIVE_MAX_EXT] = { cmd_read_native_max, HD_CFA_OK | SET_DSC },
+@@ -1770,12 +1770,12 @@ static const struct {
+ [CFA_TRANSLATE_SECTOR] = { cmd_cfa_translate_sector, CFA_OK },
+ [WIN_DIAGNOSE] = { cmd_exec_dev_diagnostic, ALL_OK },
+ [WIN_SPECIFY] = { cmd_nop, HD_CFA_OK | SET_DSC },
+- [WIN_STANDBYNOW2] = { cmd_nop, ALL_OK },
+- [WIN_IDLEIMMEDIATE2] = { cmd_nop, ALL_OK },
+- [WIN_STANDBY2] = { cmd_nop, ALL_OK },
+- [WIN_SETIDLE2] = { cmd_nop, ALL_OK },
+- [WIN_CHECKPOWERMODE2] = { cmd_check_power_mode, ALL_OK | SET_DSC },
+- [WIN_SLEEPNOW2] = { cmd_nop, ALL_OK },
++ [WIN_STANDBYNOW2] = { cmd_nop, HD_CFA_OK },
++ [WIN_IDLEIMMEDIATE2] = { cmd_nop, HD_CFA_OK },
++ [WIN_STANDBY2] = { cmd_nop, HD_CFA_OK },
++ [WIN_SETIDLE2] = { cmd_nop, HD_CFA_OK },
++ [WIN_CHECKPOWERMODE2] = { cmd_check_power_mode, HD_CFA_OK | SET_DSC },
++ [WIN_SLEEPNOW2] = { cmd_nop, HD_CFA_OK },
+ [WIN_PACKETCMD] = { cmd_packet, CD_OK },
+ [WIN_PIDENTIFY] = { cmd_identify_packet, CD_OK },
+ [WIN_SMART] = { cmd_smart, HD_CFA_OK | SET_DSC },
+@@ -1789,19 +1789,19 @@ static const struct {
+ [WIN_WRITEDMA] = { cmd_write_dma, HD_CFA_OK },
+ [WIN_WRITEDMA_ONCE] = { cmd_write_dma, HD_CFA_OK },
+ [CFA_WRITE_MULTI_WO_ERASE] = { cmd_write_multiple, CFA_OK },
+- [WIN_STANDBYNOW1] = { cmd_nop, ALL_OK },
+- [WIN_IDLEIMMEDIATE] = { cmd_nop, ALL_OK },
+- [WIN_STANDBY] = { cmd_nop, ALL_OK },
+- [WIN_SETIDLE1] = { cmd_nop, ALL_OK },
+- [WIN_CHECKPOWERMODE1] = { cmd_check_power_mode, ALL_OK | SET_DSC },
+- [WIN_SLEEPNOW1] = { cmd_nop, ALL_OK },
++ [WIN_STANDBYNOW1] = { cmd_nop, HD_CFA_OK },
++ [WIN_IDLEIMMEDIATE] = { cmd_nop, HD_CFA_OK },
++ [WIN_STANDBY] = { cmd_nop, HD_CFA_OK },
++ [WIN_SETIDLE1] = { cmd_nop, HD_CFA_OK },
++ [WIN_CHECKPOWERMODE1] = { cmd_check_power_mode, HD_CFA_OK | SET_DSC },
++ [WIN_SLEEPNOW1] = { cmd_nop, HD_CFA_OK },
+ [WIN_FLUSH_CACHE] = { cmd_flush_cache, ALL_OK },
+ [WIN_FLUSH_CACHE_EXT] = { cmd_flush_cache, HD_CFA_OK },
+ [WIN_IDENTIFY] = { cmd_identify, ALL_OK },
+ [WIN_SETFEATURES] = { cmd_set_features, ALL_OK | SET_DSC },
+ [IBM_SENSE_CONDITION] = { cmd_ibm_sense_condition, CFA_OK | SET_DSC },
+ [CFA_WEAR_LEVEL] = { cmd_cfa_erase_sectors, HD_CFA_OK | SET_DSC },
+- [WIN_READ_NATIVE_MAX] = { cmd_read_native_max, ALL_OK | SET_DSC },
++ [WIN_READ_NATIVE_MAX] = { cmd_read_native_max, HD_CFA_OK | SET_DSC },
+ };
+
+ static bool ide_cmd_permitted(IDEState *s, uint32_t cmd)
diff --git a/0003-target-ppc-fix-xscmpodp-and-xscmpudp-decoding.patch b/0003-target-ppc-fix-xscmpodp-and-xscmpudp-decoding.patch
deleted file mode 100644
index 2d2f370..0000000
--- a/0003-target-ppc-fix-xscmpodp-and-xscmpudp-decoding.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From: Aurelien Jarno <aurelien@aurel32.net>
-Date: Sun, 13 Sep 2015 23:03:45 +0200
-Subject: [PATCH] target-ppc: fix xscmpodp and xscmpudp decoding
-
-The xscmpodp and xscmpudp instructions only have the AX, BX bits in
-there encoding, the lowest bit (usually TX) is marked as an invalid
-bit. We therefore can't decode them with GEN_XX2FORM, which decodes
-the two lowest bit.
-
-Introduce a new form GEN_XX2FORM, which decodes AX and BX and mark
-the lowest bit as invalid.
-
-Cc: Tom Musta <tommusta@gmail.com>
-Cc: Alexander Graf <agraf@suse.de>
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
----
- target-ppc/translate.c | 11 +++++++++--
- 1 file changed, 9 insertions(+), 2 deletions(-)
-
-diff --git a/target-ppc/translate.c b/target-ppc/translate.c
-index 84c5cea..c0eed13 100644
---- a/target-ppc/translate.c
-+++ b/target-ppc/translate.c
-@@ -10670,6 +10670,13 @@ GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 1, opc3, 0, PPC_NONE, fl2), \
- GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 2, opc3, 0, PPC_NONE, fl2), \
- GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 3, opc3, 0, PPC_NONE, fl2)
-
-+#undef GEN_XX2IFORM
-+#define GEN_XX2IFORM(name, opc2, opc3, fl2) \
-+GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 0, opc3, 1, PPC_NONE, fl2), \
-+GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 1, opc3, 1, PPC_NONE, fl2), \
-+GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 2, opc3, 1, PPC_NONE, fl2), \
-+GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 3, opc3, 1, PPC_NONE, fl2)
-+
- #undef GEN_XX3_RC_FORM
- #define GEN_XX3_RC_FORM(name, opc2, opc3, fl2) \
- GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 0x00, opc3 | 0x00, 0, PPC_NONE, fl2), \
-@@ -10731,8 +10738,8 @@ GEN_XX3FORM(xsnmaddadp, 0x04, 0x14, PPC2_VSX),
- GEN_XX3FORM(xsnmaddmdp, 0x04, 0x15, PPC2_VSX),
- GEN_XX3FORM(xsnmsubadp, 0x04, 0x16, PPC2_VSX),
- GEN_XX3FORM(xsnmsubmdp, 0x04, 0x17, PPC2_VSX),
--GEN_XX2FORM(xscmpodp, 0x0C, 0x05, PPC2_VSX),
--GEN_XX2FORM(xscmpudp, 0x0C, 0x04, PPC2_VSX),
-+GEN_XX2IFORM(xscmpodp, 0x0C, 0x05, PPC2_VSX),
-+GEN_XX2IFORM(xscmpudp, 0x0C, 0x04, PPC2_VSX),
- GEN_XX3FORM(xsmaxdp, 0x00, 0x14, PPC2_VSX),
- GEN_XX3FORM(xsmindp, 0x00, 0x15, PPC2_VSX),
- GEN_XX2FORM(xscvdpsp, 0x12, 0x10, PPC2_VSX),
diff --git a/0004-e1000-Avoid-infinite-loop-in-processing-transmit-des.patch b/0004-e1000-Avoid-infinite-loop-in-processing-transmit-des.patch
deleted file mode 100644
index 9e77105..0000000
--- a/0004-e1000-Avoid-infinite-loop-in-processing-transmit-des.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From: P J P <pjp@fedoraproject.org>
-Date: Fri, 4 Sep 2015 17:21:06 +0100
-Subject: [PATCH] e1000: Avoid infinite loop in processing transmit descriptor
- (CVE-2015-6815)
-
-While processing transmit descriptors, it could lead to an infinite
-loop if 'bytes' was to become zero; Add a check to avoid it.
-
-[The guest can force 'bytes' to 0 by setting the hdr_len and mss
-descriptor fields to 0.
---Stefan]
-
-Signed-off-by: P J P <pjp@fedoraproject.org>
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
-Reviewed-by: Thomas Huth <thuth@redhat.com>
-Message-id: 1441383666-6590-1-git-send-email-stefanha@redhat.com
-(cherry picked from commit b947ac2bf26479e710489739c465c8af336599e7)
----
- hw/net/e1000.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/hw/net/e1000.c b/hw/net/e1000.c
-index 5c6bcd0..09c9e9d 100644
---- a/hw/net/e1000.c
-+++ b/hw/net/e1000.c
-@@ -740,7 +740,8 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
- memmove(tp->data, tp->header, tp->hdr_len);
- tp->size = tp->hdr_len;
- }
-- } while (split_size -= bytes);
-+ split_size -= bytes;
-+ } while (bytes && split_size);
- } else if (!tp->tse && tp->cptse) {
- // context descriptor TSE is not set, while data descriptor TSE is set
- DBGOUT(TXERR, "TCP segmentation error\n");
diff --git a/0004-virtio-introduce-virtqueue_unmap_sg.patch b/0004-virtio-introduce-virtqueue_unmap_sg.patch
new file mode 100644
index 0000000..1481b88
--- /dev/null
+++ b/0004-virtio-introduce-virtqueue_unmap_sg.patch
@@ -0,0 +1,54 @@
+From: Jason Wang <jasowang@redhat.com>
+Date: Fri, 25 Sep 2015 13:21:28 +0800
+Subject: [PATCH] virtio: introduce virtqueue_unmap_sg()
+
+Factor out sg unmapping logic. This will be reused by the patch that
+can discard descriptor.
+
+Cc: Michael S. Tsirkin <mst@redhat.com>
+Cc: Andrew James <andrew.james@hpe.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+
+(cherry picked from commit ce317461573bac12b10d67699b4ddf1f97cf066c)
+---
+ hw/virtio/virtio.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
+index 788b556..242aecb 100644
+--- a/hw/virtio/virtio.c
++++ b/hw/virtio/virtio.c
+@@ -243,14 +243,12 @@ int virtio_queue_empty(VirtQueue *vq)
+ return vring_avail_idx(vq) == vq->last_avail_idx;
+ }
+
+-void virtqueue_fill(VirtQueue *vq, const VirtQueueElement *elem,
+- unsigned int len, unsigned int idx)
++static void virtqueue_unmap_sg(VirtQueue *vq, const VirtQueueElement *elem,
++ unsigned int len)
+ {
+ unsigned int offset;
+ int i;
+
+- trace_virtqueue_fill(vq, elem, len, idx);
+-
+ offset = 0;
+ for (i = 0; i < elem->in_num; i++) {
+ size_t size = MIN(len - offset, elem->in_sg[i].iov_len);
+@@ -266,6 +264,14 @@ void virtqueue_fill(VirtQueue *vq, const VirtQueueElement *elem,
+ cpu_physical_memory_unmap(elem->out_sg[i].iov_base,
+ elem->out_sg[i].iov_len,
+ 0, elem->out_sg[i].iov_len);
++}
++
++void virtqueue_fill(VirtQueue *vq, const VirtQueueElement *elem,
++ unsigned int len, unsigned int idx)
++{
++ trace_virtqueue_fill(vq, elem, len, idx);
++
++ virtqueue_unmap_sg(vq, elem, len);
+
+ idx = (idx + vring_used_idx(vq)) % vq->vring.num;
+
diff --git a/0005-ide-fix-ATAPI-command-permissions.patch b/0005-ide-fix-ATAPI-command-permissions.patch
deleted file mode 100644
index 7afc084..0000000
--- a/0005-ide-fix-ATAPI-command-permissions.patch
+++ /dev/null
@@ -1,141 +0,0 @@
-From: John Snow <jsnow@redhat.com>
-Date: Thu, 17 Sep 2015 14:17:05 -0400
-Subject: [PATCH] ide: fix ATAPI command permissions
-
-We're a little too lenient with what we'll let an ATAPI drive handle.
-Clamp down on the IDE command execution table to remove CD_OK permissions
-from commands that are not and have never been ATAPI commands.
-
-For ATAPI command validity, please see:
-- ATA4 Section 6.5 ("PACKET Command feature set")
-- ATA8/ACS Section 4.3 ("The PACKET feature set")
-- ACS3 Section 4.3 ("The PACKET feature set")
-
-ACS3 has a historical command validity table in Table B.4
-("Historical Command Assignments") that can be referenced to find when
-a command was introduced, deprecated, obsoleted, etc.
-
-The only reference for ATAPI command validity is by checking that
-version's PACKET feature set section.
-
-ATAPI was introduced by T13 into ATA4, all commands retired prior to ATA4
-therefore are assumed to have never been ATAPI commands.
-
-Mandatory commands, as listed in ATA8-ACS3, are:
-
-- DEVICE RESET
-- EXECUTE DEVICE DIAGNOSTIC
-- IDENTIFY DEVICE
-- IDENTIFY PACKET DEVICE
-- NOP
-- PACKET
-- READ SECTOR(S)
-- SET FEATURES
-
-Optional commands as listed in ATA8-ACS3, are:
-
-- FLUSH CACHE
-- READ LOG DMA EXT
-- READ LOG EXT
-- WRITE LOG DMA EXT
-- WRITE LOG EXT
-
-All other commands are illegal to send to an ATAPI device and should
-be rejected by the device.
-
-CD_OK removal justifications:
-
-0x06 WIN_DSM Defined in ACS2. Not valid for ATAPI.
-0x21 WIN_READ_ONCE Retired in ATA5. Not ATAPI in ATA4.
-0x94 WIN_STANDBYNOW2 Retired in ATA4. Did not coexist with ATAPI.
-0x95 WIN_IDLEIMMEDIATE2 Retired in ATA4. Did not coexist with ATAPI.
-0x96 WIN_STANDBY2 Retired in ATA4. Did not coexist with ATAPI.
-0x97 WIN_SETIDLE2 Retired in ATA4. Did not coexist with ATAPI.
-0x98 WIN_CHECKPOWERMODE2 Retired in ATA4. Did not coexist with ATAPI.
-0x99 WIN_SLEEPNOW2 Retired in ATA4. Did not coexist with ATAPI.
-0xE0 WIN_STANDBYNOW1 Not part of ATAPI in ATA4, ACS or ACS3.
-0xE1 WIN_IDLEIMMDIATE Not part of ATAPI in ATA4, ACS or ACS3.
-0xE2 WIN_STANDBY Not part of ATAPI in ATA4, ACS or ACS3.
-0xE3 WIN_SETIDLE1 Not part of ATAPI in ATA4, ACS or ACS3.
-0xE4 WIN_CHECKPOWERMODE1 Not part of ATAPI in ATA4, ACS or ACS3.
-0xE5 WIN_SLEEPNOW1 Not part of ATAPI in ATA4, ACS or ACS3.
-0xF8 WIN_READ_NATIVE_MAX Obsoleted in ACS3. Not ATAPI in ATA4 or ACS.
-
-This patch fixes a divide by zero fault that can be caused by sending
-the WIN_READ_NATIVE_MAX command to an ATAPI drive, which causes it to
-attempt to use zeroed CHS values to perform sector arithmetic.
-
-Reported-by: Qinghao Tang <luodalongde@gmail.com>
-Signed-off-by: John Snow <jsnow@redhat.com>
-Reviewed-by: Markus Armbruster <armbru@redhat.com>
-Message-id: 1441816082-21031-1-git-send-email-jsnow@redhat.com
-CC: qemu-stable@nongnu.org
-(cherry picked from commit d9033e1d3aa666c5071580617a57bd853c5d794a)
----
- hw/ide/core.c | 30 +++++++++++++++---------------
- 1 file changed, 15 insertions(+), 15 deletions(-)
-
-diff --git a/hw/ide/core.c b/hw/ide/core.c
-index 50449ca..71caea9 100644
---- a/hw/ide/core.c
-+++ b/hw/ide/core.c
-@@ -1747,11 +1747,11 @@ static const struct {
- } ide_cmd_table[0x100] = {
- /* NOP not implemented, mandatory for CD */
- [CFA_REQ_EXT_ERROR_CODE] = { cmd_cfa_req_ext_error_code, CFA_OK },
-- [WIN_DSM] = { cmd_data_set_management, ALL_OK },
-+ [WIN_DSM] = { cmd_data_set_management, HD_CFA_OK },
- [WIN_DEVICE_RESET] = { cmd_device_reset, CD_OK },
- [WIN_RECAL] = { cmd_nop, HD_CFA_OK | SET_DSC},
- [WIN_READ] = { cmd_read_pio, ALL_OK },
-- [WIN_READ_ONCE] = { cmd_read_pio, ALL_OK },
-+ [WIN_READ_ONCE] = { cmd_read_pio, HD_CFA_OK },
- [WIN_READ_EXT] = { cmd_read_pio, HD_CFA_OK },
- [WIN_READDMA_EXT] = { cmd_read_dma, HD_CFA_OK },
- [WIN_READ_NATIVE_MAX_EXT] = { cmd_read_native_max, HD_CFA_OK | SET_DSC },
-@@ -1770,12 +1770,12 @@ static const struct {
- [CFA_TRANSLATE_SECTOR] = { cmd_cfa_translate_sector, CFA_OK },
- [WIN_DIAGNOSE] = { cmd_exec_dev_diagnostic, ALL_OK },
- [WIN_SPECIFY] = { cmd_nop, HD_CFA_OK | SET_DSC },
-- [WIN_STANDBYNOW2] = { cmd_nop, ALL_OK },
-- [WIN_IDLEIMMEDIATE2] = { cmd_nop, ALL_OK },
-- [WIN_STANDBY2] = { cmd_nop, ALL_OK },
-- [WIN_SETIDLE2] = { cmd_nop, ALL_OK },
-- [WIN_CHECKPOWERMODE2] = { cmd_check_power_mode, ALL_OK | SET_DSC },
-- [WIN_SLEEPNOW2] = { cmd_nop, ALL_OK },
-+ [WIN_STANDBYNOW2] = { cmd_nop, HD_CFA_OK },
-+ [WIN_IDLEIMMEDIATE2] = { cmd_nop, HD_CFA_OK },
-+ [WIN_STANDBY2] = { cmd_nop, HD_CFA_OK },
-+ [WIN_SETIDLE2] = { cmd_nop, HD_CFA_OK },
-+ [WIN_CHECKPOWERMODE2] = { cmd_check_power_mode, HD_CFA_OK | SET_DSC },
-+ [WIN_SLEEPNOW2] = { cmd_nop, HD_CFA_OK },
- [WIN_PACKETCMD] = { cmd_packet, CD_OK },
- [WIN_PIDENTIFY] = { cmd_identify_packet, CD_OK },
- [WIN_SMART] = { cmd_smart, HD_CFA_OK | SET_DSC },
-@@ -1789,19 +1789,19 @@ static const struct {
- [WIN_WRITEDMA] = { cmd_write_dma, HD_CFA_OK },
- [WIN_WRITEDMA_ONCE] = { cmd_write_dma, HD_CFA_OK },
- [CFA_WRITE_MULTI_WO_ERASE] = { cmd_write_multiple, CFA_OK },
-- [WIN_STANDBYNOW1] = { cmd_nop, ALL_OK },
-- [WIN_IDLEIMMEDIATE] = { cmd_nop, ALL_OK },
-- [WIN_STANDBY] = { cmd_nop, ALL_OK },
-- [WIN_SETIDLE1] = { cmd_nop, ALL_OK },
-- [WIN_CHECKPOWERMODE1] = { cmd_check_power_mode, ALL_OK | SET_DSC },
-- [WIN_SLEEPNOW1] = { cmd_nop, ALL_OK },
-+ [WIN_STANDBYNOW1] = { cmd_nop, HD_CFA_OK },
-+ [WIN_IDLEIMMEDIATE] = { cmd_nop, HD_CFA_OK },
-+ [WIN_STANDBY] = { cmd_nop, HD_CFA_OK },
-+ [WIN_SETIDLE1] = { cmd_nop, HD_CFA_OK },
-+ [WIN_CHECKPOWERMODE1] = { cmd_check_power_mode, HD_CFA_OK | SET_DSC },
-+ [WIN_SLEEPNOW1] = { cmd_nop, HD_CFA_OK },
- [WIN_FLUSH_CACHE] = { cmd_flush_cache, ALL_OK },
- [WIN_FLUSH_CACHE_EXT] = { cmd_flush_cache, HD_CFA_OK },
- [WIN_IDENTIFY] = { cmd_identify, ALL_OK },
- [WIN_SETFEATURES] = { cmd_set_features, ALL_OK | SET_DSC },
- [IBM_SENSE_CONDITION] = { cmd_ibm_sense_condition, CFA_OK | SET_DSC },
- [CFA_WEAR_LEVEL] = { cmd_cfa_erase_sectors, HD_CFA_OK | SET_DSC },
-- [WIN_READ_NATIVE_MAX] = { cmd_read_native_max, ALL_OK | SET_DSC },
-+ [WIN_READ_NATIVE_MAX] = { cmd_read_native_max, HD_CFA_OK | SET_DSC },
- };
-
- static bool ide_cmd_permitted(IDEState *s, uint32_t cmd)
diff --git a/0005-virtio-introduce-virtqueue_discard.patch b/0005-virtio-introduce-virtqueue_discard.patch
new file mode 100644
index 0000000..817665a
--- /dev/null
+++ b/0005-virtio-introduce-virtqueue_discard.patch
@@ -0,0 +1,50 @@
+From: Jason Wang <jasowang@redhat.com>
+Date: Fri, 25 Sep 2015 13:21:29 +0800
+Subject: [PATCH] virtio: introduce virtqueue_discard()
+
+This patch introduces virtqueue_discard() to discard a descriptor and
+unmap the sgs. This will be used by the patch that will discard
+descriptor when packet is truncated.
+
+Cc: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+
+(cherry picked from commit 29b9f5efd78ae0f9cc02dd169b6e80d2c404bade)
+---
+ hw/virtio/virtio.c | 7 +++++++
+ include/hw/virtio/virtio.h | 2 ++
+ 2 files changed, 9 insertions(+)
+
+diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
+index 242aecb..b1f4e16 100644
+--- a/hw/virtio/virtio.c
++++ b/hw/virtio/virtio.c
+@@ -266,6 +266,13 @@ static void virtqueue_unmap_sg(VirtQueue *vq, const VirtQueueElement *elem,
+ 0, elem->out_sg[i].iov_len);
+ }
+
++void virtqueue_discard(VirtQueue *vq, const VirtQueueElement *elem,
++ unsigned int len)
++{
++ vq->last_avail_idx--;
++ virtqueue_unmap_sg(vq, elem, len);
++}
++
+ void virtqueue_fill(VirtQueue *vq, const VirtQueueElement *elem,
+ unsigned int len, unsigned int idx)
+ {
+diff --git a/include/hw/virtio/virtio.h b/include/hw/virtio/virtio.h
+index cccae89..8023bde 100644
+--- a/include/hw/virtio/virtio.h
++++ b/include/hw/virtio/virtio.h
+@@ -146,6 +146,8 @@ void virtio_del_queue(VirtIODevice *vdev, int n);
+ void virtqueue_push(VirtQueue *vq, const VirtQueueElement *elem,
+ unsigned int len);
+ void virtqueue_flush(VirtQueue *vq, unsigned int count);
++void virtqueue_discard(VirtQueue *vq, const VirtQueueElement *elem,
++ unsigned int len);
+ void virtqueue_fill(VirtQueue *vq, const VirtQueueElement *elem,
+ unsigned int len, unsigned int idx);
+
diff --git a/0006-net-avoid-infinite-loop-when-receiving-packets-CVE-2.patch b/0006-net-avoid-infinite-loop-when-receiving-packets-CVE-2.patch
deleted file mode 100644
index c1f70ca..0000000
--- a/0006-net-avoid-infinite-loop-when-receiving-packets-CVE-2.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From: P J P <pjp@fedoraproject.org>
-Date: Tue, 15 Sep 2015 16:46:59 +0530
-Subject: [PATCH] net: avoid infinite loop when receiving
- packets(CVE-2015-5278)
-
-Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
-bytes to process network packets. While receiving packets
-via ne2000_receive() routine, a local 'index' variable
-could exceed the ring buffer size, leading to an infinite
-loop situation.
-
-Reported-by: Qinghao Tang <luodalongde@gmail.com>
-Signed-off-by: P J P <pjp@fedoraproject.org>
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
-(cherry picked from commit 737d2b3c41d59eb8f94ab7eb419b957938f24943)
----
- hw/net/ne2000.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
-index 3492db3..44a4264 100644
---- a/hw/net/ne2000.c
-+++ b/hw/net/ne2000.c
-@@ -253,7 +253,7 @@ ssize_t ne2000_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
- if (index <= s->stop)
- avail = s->stop - index;
- else
-- avail = 0;
-+ break;
- len = size;
- if (len > avail)
- len = avail;
diff --git a/0006-virtio-net-correctly-drop-truncated-packets.patch b/0006-virtio-net-correctly-drop-truncated-packets.patch
new file mode 100644
index 0000000..eb21dbb
--- /dev/null
+++ b/0006-virtio-net-correctly-drop-truncated-packets.patch
@@ -0,0 +1,43 @@
+From: Jason Wang <jasowang@redhat.com>
+Date: Fri, 25 Sep 2015 13:21:30 +0800
+Subject: [PATCH] virtio-net: correctly drop truncated packets
+
+When packet is truncated during receiving, we drop the packets but
+neither discard the descriptor nor add and signal used
+descriptor. This will lead several issues:
+
+- sg mappings are leaked
+- rx will be stalled if a lots of packets were truncated
+
+In order to be consistent with vhost, fix by discarding the descriptor
+in this case.
+
+Cc: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+
+(cherry picked from commit 0cf33fb6b49a19de32859e2cdc6021334f448fb3)
+---
+ hw/net/virtio-net.c | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
+index 1510839..775389b 100644
+--- a/hw/net/virtio-net.c
++++ b/hw/net/virtio-net.c
+@@ -1086,13 +1086,7 @@ static ssize_t virtio_net_receive(NetClientState *nc, const uint8_t *buf, size_t
+ * must have consumed the complete packet.
+ * Otherwise, drop it. */
+ if (!n->mergeable_rx_bufs && offset < size) {
+-#if 0
+- error_report("virtio-net truncated non-mergeable packet: "
+- "i %zd mergeable %d offset %zd, size %zd, "
+- "guest hdr len %zd, host hdr len %zd",
+- i, n->mergeable_rx_bufs,
+- offset, size, n->guest_hdr_len, n->host_hdr_len);
+-#endif
++ virtqueue_discard(q->rx_vq, &elem, total);
+ return size;
+ }
+
diff --git a/0007-mirror-Fix-coroutine-reentrance.patch b/0007-mirror-Fix-coroutine-reentrance.patch
new file mode 100644
index 0000000..9faced1
--- /dev/null
+++ b/0007-mirror-Fix-coroutine-reentrance.patch
@@ -0,0 +1,117 @@
+From: Kevin Wolf <kwolf@redhat.com>
+Date: Thu, 13 Aug 2015 10:41:50 +0200
+Subject: [PATCH] mirror: Fix coroutine reentrance
+
+This fixes a regression introduced by commit dcfb3beb ("mirror: Do zero
+write on target if sectors not allocated"), which was reported to cause
+aborts with the message "Co-routine re-entered recursively".
+
+The cause for this bug is the following code in mirror_iteration_done():
+
+ if (s->common.busy) {
+ qemu_coroutine_enter(s->common.co, NULL);
+ }
+
+This has always been ugly because - unlike most places that reenter - it
+doesn't have a specific yield that it pairs with, but is more
+uncontrolled. What we really mean here is "reenter the coroutine if
+it's in one of the four explicit yields in mirror.c".
+
+This used to be equivalent with s->common.busy because neither
+mirror_run() nor mirror_iteration() call any function that could yield.
+However since commit dcfb3beb this doesn't hold true any more:
+bdrv_get_block_status_above() can yield.
+
+So what happens is that bdrv_get_block_status_above() wants to take a
+lock that is already held, so it adds itself to the queue of waiting
+coroutines and yields. Instead of being woken up by the unlock function,
+however, it gets woken up by mirror_iteration_done(), which is obviously
+wrong.
+
+In most cases the code actually happens to cope fairly well with such
+cases, but in this specific case, the unlock must already have scheduled
+the coroutine for wakeup when mirror_iteration_done() reentered it. And
+then the coroutine happened to process the scheduled restarts and tried
+to reenter itself recursively.
+
+This patch fixes the problem by pairing the reenter in
+mirror_iteration_done() with specific yields instead of abusing
+s->common.busy.
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Reviewed-by: Jeff Cody <jcody@redhat.com>
+Message-id: 1439455310-11263-1-git-send-email-kwolf@redhat.com
+Signed-off-by: Jeff Cody <jcody@redhat.com>
+(cherry picked from commit e424aff5f307227b1c2512bbb8ece891bb895cef)
+---
+ block/mirror.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/block/mirror.c b/block/mirror.c
+index fc4d8f5..b2fb4b9 100644
+--- a/block/mirror.c
++++ b/block/mirror.c
+@@ -60,6 +60,7 @@ typedef struct MirrorBlockJob {
+ int sectors_in_flight;
+ int ret;
+ bool unmap;
++ bool waiting_for_io;
+ } MirrorBlockJob;
+
+ typedef struct MirrorOp {
+@@ -114,11 +115,7 @@ static void mirror_iteration_done(MirrorOp *op, int ret)
+ qemu_iovec_destroy(&op->qiov);
+ g_slice_free(MirrorOp, op);
+
+- /* Enter coroutine when it is not sleeping. The coroutine sleeps to
+- * rate-limit itself. The coroutine will eventually resume since there is
+- * a sleep timeout so don't wake it early.
+- */
+- if (s->common.busy) {
++ if (s->waiting_for_io) {
+ qemu_coroutine_enter(s->common.co, NULL);
+ }
+ }
+@@ -203,7 +200,9 @@ static uint64_t coroutine_fn mirror_iteration(MirrorBlockJob *s)
+ /* Wait for I/O to this cluster (from a previous iteration) to be done. */
+ while (test_bit(next_chunk, s->in_flight_bitmap)) {
+ trace_mirror_yield_in_flight(s, sector_num, s->in_flight);
++ s->waiting_for_io = true;
+ qemu_coroutine_yield();
++ s->waiting_for_io = false;
+ }
+
+ do {
+@@ -239,7 +238,9 @@ static uint64_t coroutine_fn mirror_iteration(MirrorBlockJob *s)
+ */
+ while (nb_chunks == 0 && s->buf_free_count < added_chunks) {
+ trace_mirror_yield_buf_busy(s, nb_chunks, s->in_flight);
++ s->waiting_for_io = true;
+ qemu_coroutine_yield();
++ s->waiting_for_io = false;
+ }
+ if (s->buf_free_count < nb_chunks + added_chunks) {
+ trace_mirror_break_buf_busy(s, nb_chunks, s->in_flight);
+@@ -333,7 +334,9 @@ static void mirror_free_init(MirrorBlockJob *s)
+ static void mirror_drain(MirrorBlockJob *s)
+ {
+ while (s->in_flight > 0) {
++ s->waiting_for_io = true;
+ qemu_coroutine_yield();
++ s->waiting_for_io = false;
+ }
+ }
+
+@@ -506,7 +509,9 @@ static void coroutine_fn mirror_run(void *opaque)
+ if (s->in_flight == MAX_IN_FLIGHT || s->buf_free_count == 0 ||
+ (cnt == 0 && s->in_flight > 0)) {
+ trace_mirror_yield(s, s->in_flight, s->buf_free_count, cnt);
++ s->waiting_for_io = true;
+ qemu_coroutine_yield();
++ s->waiting_for_io = false;
+ continue;
+ } else if (cnt != 0) {
+ delay_ns = mirror_iteration(s);
diff --git a/0007-net-add-checks-to-validate-ring-buffer-pointers-CVE-.patch b/0007-net-add-checks-to-validate-ring-buffer-pointers-CVE-.patch
deleted file mode 100644
index d197a7e..0000000
--- a/0007-net-add-checks-to-validate-ring-buffer-pointers-CVE-.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-From: P J P <pjp@fedoraproject.org>
-Date: Tue, 15 Sep 2015 16:40:49 +0530
-Subject: [PATCH] net: add checks to validate ring buffer
- pointers(CVE-2015-5279)
-
-Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
-bytes to process network packets. While receiving packets
-via ne2000_receive() routine, a local 'index' variable
-could exceed the ring buffer size, which could lead to a
-memory buffer overflow. Added other checks at initialisation.
-
-Reported-by: Qinghao Tang <luodalongde@gmail.com>
-Signed-off-by: P J P <pjp@fedoraproject.org>
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
-(cherry picked from commit 9bbdbc66e5765068dce76e9269dce4547afd8ad4)
----
- hw/net/ne2000.c | 19 +++++++++++++++----
- 1 file changed, 15 insertions(+), 4 deletions(-)
-
-diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
-index 44a4264..2bdb4c9 100644
---- a/hw/net/ne2000.c
-+++ b/hw/net/ne2000.c
-@@ -230,6 +230,9 @@ ssize_t ne2000_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
- }
-
- index = s->curpag << 8;
-+ if (index >= NE2000_PMEM_END) {
-+ index = s->start;
-+ }
- /* 4 bytes for header */
- total_len = size + 4;
- /* address for next packet (4 bytes for CRC) */
-@@ -315,13 +318,19 @@ static void ne2000_ioport_write(void *opaque, uint32_t addr, uint32_t val)
- offset = addr | (page << 4);
- switch(offset) {
- case EN0_STARTPG:
-- s->start = val << 8;
-+ if (val << 8 <= NE2000_PMEM_END) {
-+ s->start = val << 8;
-+ }
- break;
- case EN0_STOPPG:
-- s->stop = val << 8;
-+ if (val << 8 <= NE2000_PMEM_END) {
-+ s->stop = val << 8;
-+ }
- break;
- case EN0_BOUNDARY:
-- s->boundary = val;
-+ if (val << 8 < NE2000_PMEM_END) {
-+ s->boundary = val;
-+ }
- break;
- case EN0_IMR:
- s->imr = val;
-@@ -362,7 +371,9 @@ static void ne2000_ioport_write(void *opaque, uint32_t addr, uint32_t val)
- s->phys[offset - EN1_PHYS] = val;
- break;
- case EN1_CURPAG:
-- s->curpag = val;
-+ if (val << 8 < NE2000_PMEM_END) {
-+ s->curpag = val;
-+ }
- break;
- case EN1_MULT ... EN1_MULT + 7:
- s->mult[offset - EN1_MULT] = val;
diff --git a/qemu.spec b/qemu.spec
index fc125d2..90c635b 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -39,8 +39,8 @@
Summary: QEMU is a FAST! processor emulator
Name: qemu
-Version: 2.4.0
-Release: 4%{?dist}
+Version: 2.4.0.1
+Release: 1%{?dist}
Epoch: 2
License: GPLv2+ and LGPLv2+ and BSD
Group: Development/Tools
@@ -68,22 +68,18 @@ Source12: bridge.conf
# qemu-kvm back compat wrapper
Source13: qemu-kvm.sh
-# CVE-2015-5255: heap memory corruption in vnc_refresh_server_surface
-# (bz #1255899)
-Patch0001: 0001-vnc-fix-memory-corruption-CVE-2015-5225.patch
# Fix emulation of various instructions, required by libm in F22 ppc64
# guests.
-Patch0002: 0002-target-ppc-fix-vcipher-vcipherlast-vncipherlast-and-.patch
-Patch0003: 0003-target-ppc-fix-xscmpodp-and-xscmpudp-decoding.patch
-# CVE-2015-6815: net: e1000: infinite loop issue (bz #1260225)
-Patch0004: 0004-e1000-Avoid-infinite-loop-in-processing-transmit-des.patch
+Patch0001: 0001-target-ppc-fix-vcipher-vcipherlast-vncipherlast-and-.patch
+Patch0002: 0002-target-ppc-fix-xscmpodp-and-xscmpudp-decoding.patch
# CVE-2015-6855: ide: divide by zero issue (bz #1261793)
-Patch0005: 0005-ide-fix-ATAPI-command-permissions.patch
-# CVE-2015-5278: Infinite loop in ne2000_receive() (bz #1263284)
-Patch0006: 0006-net-avoid-infinite-loop-when-receiving-packets-CVE-2.patch
-# CVE-2015-5279: Heap overflow vulnerability in ne2000_receive() (bz
-# #1263287)
-Patch0007: 0007-net-add-checks-to-validate-ring-buffer-pointers-CVE-.patch
+Patch0003: 0003-ide-fix-ATAPI-command-permissions.patch
+# CVE-2015-7295: virtio-net possible remote DoS (bz #1264393)
+Patch0004: 0004-virtio-introduce-virtqueue_unmap_sg.patch
+Patch0005: 0005-virtio-introduce-virtqueue_discard.patch
+Patch0006: 0006-virtio-net-correctly-drop-truncated-packets.patch
+# drive-mirror: Fix coroutine reentrance (bz #1266936)
+Patch0007: 0007-mirror-Fix-coroutine-reentrance.patch
BuildRequires: SDL2-devel
BuildRequires: zlib-devel
@@ -1216,6 +1212,11 @@ getent passwd qemu >/dev/null || \
%changelog
+* Thu Oct 08 2015 Cole Robinson <crobinso@redhat.com> - 2:2.4.0.1-1
+- Rebased to version 2.4.0.1
+- CVE-2015-7295: virtio-net possible remote DoS (bz #1264393)
+- drive-mirror: Fix coroutine reentrance (bz #1266936)
+
* Mon Sep 21 2015 Cole Robinson <crobinso@redhat.com> - 2:2.4.0-4
- CVE-2015-6815: net: e1000: infinite loop issue (bz #1260225)
- CVE-2015-6855: ide: divide by zero issue (bz #1261793)
diff --git a/sources b/sources
index ecf5405..d4f0f63 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-186ee8194140a484a455f8e3c74589f4 qemu-2.4.0.tar.bz2
+c99445164e77184a9ba2e7dbf7ed5c29 qemu-2.4.0.1.tar.bz2