diff --git a/0200-ccid-Fix-buffer-overrun-in-handling-of-VSC_ATR-messa.patch b/0200-ccid-Fix-buffer-overrun-in-handling-of-VSC_ATR-messa.patch
new file mode 100644
index 0000000..6a8d715
--- /dev/null
+++ b/0200-ccid-Fix-buffer-overrun-in-handling-of-VSC_ATR-messa.patch
@@ -0,0 +1,42 @@
+From 792733e8aa8565a0b49c80539d0bc7a0ac19aaff Mon Sep 17 00:00:00 2001
+From: Markus Armbruster <armbru@redhat.com>
+Date: Mon, 28 Nov 2011 20:27:37 +0100
+Subject: [PATCH] ccid: Fix buffer overrun in handling of VSC_ATR message
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+ATR size exceeding the limit is diagnosed, but then we merrily use it
+anyway, overrunning card->atr[].
+
+The message is read from a character device.  Obvious security
+implications unless the other end of the character device is trusted.
+
+Spotted by Coverity.  CVE-2011-4111.
+
+Signed-off-by: Markus Armbruster <armbru@redhat.com>
+Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
+(cherry picked from commit 7e62255a4b3e0e2ab84a3ec7398640e8ed58620a)
+
+Signed-off-by: Bruce Rogers <brogers@suse.com>
+[AF: Fixes BNC#731086.]
+Signed-off-by: Andreas Färber <afaerber@suse.de>
+---
+ hw/ccid-card-passthru.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/ccid-card-passthru.c b/hw/ccid-card-passthru.c
+index 28eb9d1..0505663 100644
+--- a/hw/ccid-card-passthru.c
++++ b/hw/ccid-card-passthru.c
+@@ -150,6 +150,7 @@ static void ccid_card_vscard_handle_message(PassthruState *card,
+             error_report("ATR size exceeds spec, ignoring");
+             ccid_card_vscard_send_error(card, scr_msg_header->reader_id,
+                                         VSC_GENERAL_ERROR);
++            break;
+         }
+         memcpy(card->atr, data, scr_msg_header->length);
+         card->atr_length = scr_msg_header->length;
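Review bot: The bound that the new `break` now enforces is the comparison on the line just above the hunk, which is outside this view, so it cannot be confirmed here that it is expressed against `sizeof(card->atr)` rather than a separately maintained constant; if it uses a constant, `if (scr_msg_header->length > sizeof(card->atr))` would keep the check and the buffer from drifting apart. Per the commit message `scr_msg_header->length` arrives over the character device, so a comment at the `memcpy`, `/* length is supplied by the chardev peer; bounded by the check above */`, documents the trust boundary for the next reader. The enclosing `switch` and `ccid_card_vscard_handle_message` start and end outside the hunk.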
+-- 
+1.7.11.2
+
diff --git a/0201-qdev-Reset-hot-plugged-devices.patch b/0201-qdev-Reset-hot-plugged-devices.patch
new file mode 100644
index 0000000..36d506e
--- /dev/null
+++ b/0201-qdev-Reset-hot-plugged-devices.patch
@@ -0,0 +1,39 @@
+From c09233797d29cc18bc7d304ceeb8bef72f3acefb Mon Sep 17 00:00:00 2001
+From: Jan Kiszka <jan.kiszka@siemens.com>
+Date: Sun, 24 Jul 2011 19:38:36 +0200
+Subject: [PATCH] qdev: Reset hot-plugged devices
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Device models rely on the core invoking their reset handlers after init.
+We do this in the cold-plug case, but so far we miss this step after
+hot-plug.
+
+Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
+Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
+(cherry picked from commit 5ab28c8340f683121c081a181adfd9f72ab85cba)
+
+[AF: Fixes BNC#722958 / LTC#75394.]
+Signed-off-by: Andreas Färber <afaerber@suse.de>
+---
+ hw/qdev.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/hw/qdev.c b/hw/qdev.c
+index a0fcd06..b4ea8e1 100644
+--- a/hw/qdev.c
++++ b/hw/qdev.c
+@@ -289,6 +289,9 @@ int qdev_init(DeviceState *dev)
+                                        dev->alias_required_for_version);
+     }
+     dev->state = DEV_STATE_INITIALIZED;
++    if (dev->hotplugged && dev->info->reset) {
++        dev->info->reset(dev);
++    }
+     return 0;
+ }
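Review bot: The added reset call carries no explanation of why it applies only to hot-plugged devices, so the reasoning lives solely in the commit message; a comment such as `/* Cold-plugged devices are reset by the machine-wide reset after init; hot-plugged ones get no such pass, so reset them here. */` would keep it with the code. Note that the reset runs after `dev->state` is set to `DEV_STATE_INITIALIZED`, so a reset handler that inspects state sees an initialized device — presumably intended, but worth stating in that comment. The start of `qdev_init` is outside the hunk.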
+ 
+-- 
+1.7.11.2
+
diff --git a/0202-e1000-use-MII-status-register-for-link-up-down.patch b/0202-e1000-use-MII-status-register-for-link-up-down.patch
new file mode 100644
index 0000000..3f60fb3
--- /dev/null
+++ b/0202-e1000-use-MII-status-register-for-link-up-down.patch
@@ -0,0 +1,147 @@
+From 461473595d1dd1131cb060c460c87ca7b652939e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn@mork.no>
+Date: Wed, 17 Aug 2011 11:03:14 +0200
+Subject: [PATCH] e1000: use MII status register for link up/down
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Some guests will use the standard MII status register
+to verify link state.  They will not notice link changes
+unless this register is updated.
+
+Verified with Linux 3.0 and Windows XP guests.
+
+Without this patch, ethtool will report speed and duplex as
+unknown when the link is down, but still report the link as
+up.  This is because the Linux e1000 driver checks the
+mac_reg[STATUS] register link state before it checks speed
+and duplex, but uses the phy_reg[PHY_STATUS] register for
+the actual link state check.  Fix by updating both registers
+on link state changes.
+
+Linux guest before:
+
+ (qemu) set_link e1000.0 off
+
+ kvm-sid:~# ethtool eth0
+ Settings for eth0:
+        Supported ports: [ TP ]
+        Supported link modes:   10baseT/Half 10baseT/Full
+                                100baseT/Half 100baseT/Full
+                                1000baseT/Full
+        Supports auto-negotiation: Yes
+        Advertised link modes:  10baseT/Half 10baseT/Full
+                                100baseT/Half 100baseT/Full
+                                1000baseT/Full
+        Advertised pause frame use: No
+        Advertised auto-negotiation: Yes
+        Speed: Unknown!
+        Duplex: Unknown! (255)
+        Port: Twisted Pair
+        PHYAD: 0
+        Transceiver: internal
+        Auto-negotiation: on
+        MDI-X: Unknown
+        Supports Wake-on: umbg
+        Wake-on: d
+        Current message level: 0x00000007 (7)
+                               drv probe link
+        Link detected: yes
+
+ (qemu) set_link e1000.0 on
+
+Linux guest after:
+
+ (qemu) set_link e1000.0 off
+ [   63.384221] e1000: eth0 NIC Link is Down
+
+ kvm-sid:~# ethtool eth0
+ Settings for eth0:
+        Supported ports: [ TP ]
+        Supported link modes:   10baseT/Half 10baseT/Full
+                                100baseT/Half 100baseT/Full
+                                1000baseT/Full
+        Supports auto-negotiation: Yes
+        Advertised link modes:  10baseT/Half 10baseT/Full
+                                100baseT/Half 100baseT/Full
+                                1000baseT/Full
+        Advertised pause frame use: No
+        Advertised auto-negotiation: Yes
+        Speed: Unknown!
+        Duplex: Unknown! (255)
+        Port: Twisted Pair
+        PHYAD: 0
+        Transceiver: internal
+        Auto-negotiation: on
+        MDI-X: Unknown
+        Supports Wake-on: umbg
+        Wake-on: d
+        Current message level: 0x00000007 (7)
+                               drv probe link
+        Link detected: no
+
+ (qemu) set_link e1000.0 on
+ [   84.304582] e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX
+
+Signed-off-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
+(cherry picked from commit d4044c2a6b9ba4a00dd653f515a4b0ebfcb7e125)
+
+Signed-off-by: Andreas Färber <afaerber@suse.de>
+---
+ hw/e1000.c    |  7 +++++--
+ hw/e1000_hw.h | 17 +++++++++++++++++
+ 2 files changed, 22 insertions(+), 2 deletions(-)
+
+diff --git a/hw/e1000.c b/hw/e1000.c
+index 96d84f9..e4d9ab5 100644
+--- a/hw/e1000.c
++++ b/hw/e1000.c
+@@ -624,10 +624,13 @@ e1000_set_link_status(VLANClientState *nc)
+     E1000State *s = DO_UPCAST(NICState, nc, nc)->opaque;
+     uint32_t old_status = s->mac_reg[STATUS];
+ 
+-    if (nc->link_down)
++    if (nc->link_down) {
+         s->mac_reg[STATUS] &= ~E1000_STATUS_LU;
+-    else
++        s->phy_reg[PHY_STATUS] &= ~MII_SR_LINK_STATUS;
++    } else {
+         s->mac_reg[STATUS] |= E1000_STATUS_LU;
++        s->phy_reg[PHY_STATUS] |= MII_SR_LINK_STATUS;
++    }
+ 
+     if (s->mac_reg[STATUS] != old_status)
+         set_ics(s, 0, E1000_ICR_LSC);
+diff --git a/hw/e1000_hw.h b/hw/e1000_hw.h
+index 9bd8a4b..2e341ac 100644
+--- a/hw/e1000_hw.h
++++ b/hw/e1000_hw.h
+@@ -349,6 +349,23 @@
+ #define M88E1000_PHY_VCO_REG_BIT8  0x100 /* Bits 8 & 11 are adjusted for */
+ #define M88E1000_PHY_VCO_REG_BIT11 0x800    /* improved BER performance */
+ 
++/* PHY Status Register */
++#define MII_SR_EXTENDED_CAPS     0x0001	/* Extended register capabilities */
++#define MII_SR_JABBER_DETECT     0x0002	/* Jabber Detected */
++#define MII_SR_LINK_STATUS       0x0004	/* Link Status 1 = link */
++#define MII_SR_AUTONEG_CAPS      0x0008	/* Auto Neg Capable */
++#define MII_SR_REMOTE_FAULT      0x0010	/* Remote Fault Detect */
++#define MII_SR_AUTONEG_COMPLETE  0x0020	/* Auto Neg Complete */
++#define MII_SR_PREAMBLE_SUPPRESS 0x0040	/* Preamble may be suppressed */
++#define MII_SR_EXTENDED_STATUS   0x0100	/* Ext. status info in Reg 0x0F */
++#define MII_SR_100T2_HD_CAPS     0x0200	/* 100T2 Half Duplex Capable */
++#define MII_SR_100T2_FD_CAPS     0x0400	/* 100T2 Full Duplex Capable */
++#define MII_SR_10T_HD_CAPS       0x0800	/* 10T   Half Duplex Capable */
++#define MII_SR_10T_FD_CAPS       0x1000	/* 10T   Full Duplex Capable */
++#define MII_SR_100X_HD_CAPS      0x2000	/* 100X  Half Duplex Capable */
++#define MII_SR_100X_FD_CAPS      0x4000	/* 100X  Full Duplex Capable */
++#define MII_SR_100T4_CAPS        0x8000	/* 100T4 Capable */
++
+ /* Interrupt Cause Read */
+ #define E1000_ICR_TXDW          0x00000001 /* Transmit desc written back */
+ #define E1000_ICR_TXQE          0x00000002 /* Transmit Queue empty */
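Review bot: The new `MII_SR_*` lines separate the value from its comment with a tab, while the neighbouring definitions in this header (`M88E1000_PHY_VCO_REG_BIT8`, `E1000_ICR_TXDW`) use spaces; mixed whitespace renders unevenly and is typically flagged by checkpatch-style scripts. Converting the tabs to spaces, e.g. `#define MII_SR_LINK_STATUS       0x0004 /* Link Status 1 = link */`, would match the file. The block looks like a verbatim import from the Linux e1000 header; if so, a one-line comment naming its origin would help future syncing.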
+-- 
+1.7.11.2
+
diff --git a/0203-e1000-Don-t-set-the-Capabilities-List-bit.patch b/0203-e1000-Don-t-set-the-Capabilities-List-bit.patch
new file mode 100644
index 0000000..6c174ec
--- /dev/null
+++ b/0203-e1000-Don-t-set-the-Capabilities-List-bit.patch
@@ -0,0 +1,43 @@
+From fe7f7d7ae7114fb220ed258e249f9a63834f6fa6 Mon Sep 17 00:00:00 2001
+From: dann frazier <dann.frazier@canonical.com>
+Date: Wed, 21 Sep 2011 14:06:25 -0600
+Subject: [PATCH] e1000: Don't set the Capabilities List bit
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[Originally sent to qemu-kvm list, but I was redirected here]
+
+The Capabilities Pointer is NULL, so this bit shouldn't be set. The state of
+this bit doesn't appear to change any behavior on Linux/Windows versions we've
+tested, but it does cause Windows' PCI/PCI Express Compliance Test to balk.
+
+I happen to have a physical 82540EM controller, and it also sets the
+Capabilities Bit, but it actually has items on the capabilities list to go
+with it :)
+
+Signed-off-by: dann frazier <dann.frazier@canonical.com>
+Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
+(cherry picked from commit dd8e93799f13ef82d83c185b8e71e049452f7d40)
+
+Signed-off-by: Andreas Färber <afaerber@suse.de>
+---
+ hw/e1000.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/hw/e1000.c b/hw/e1000.c
+index e4d9ab5..7971457 100644
+--- a/hw/e1000.c
++++ b/hw/e1000.c
+@@ -1167,8 +1167,6 @@ static int pci_e1000_init(PCIDevice *pci_dev)
+ 
+     pci_conf = d->dev.config;
+ 
+-    /* TODO: we have no capabilities, so why is this bit set? */
+-    pci_set_word(pci_conf + PCI_STATUS, PCI_STATUS_CAP_LIST);
+     /* TODO: RST# value should be 0, PCI spec 6.2.4 */
+     pci_conf[PCI_CACHE_LINE_SIZE] = 0x10;
+ 
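Review bot: Dropping `PCI_STATUS_CAP_LIST` is a guest-visible change to config space with no compatibility switch, unlike the ac97 fix later in this series which keeps the old value behind a `use_broken_id` property for older machine types; whether that matters depends on whether a guest or migration stream ever observes the old bit, which this hunk does not show. The removal is also only correct if the PCI core sets `PCI_STATUS_CAP_LIST` itself when a capability is later added via `pci_add_capability()`; if it does not, adding MSI or another capability to e1000 would leave the list unreachable. Once confirmed, a comment such as `/* No capabilities: CAP_LIST stays clear; the PCI core sets it if any are added */` would document the dependency. The rest of `pci_e1000_init` is outside the hunk.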
+-- 
+1.7.11.2
+
diff --git a/0204-e1000-bounds-packet-size-against-buffer-size.patch b/0204-e1000-bounds-packet-size-against-buffer-size.patch
new file mode 100644
index 0000000..f616bf7
--- /dev/null
+++ b/0204-e1000-bounds-packet-size-against-buffer-size.patch
@@ -0,0 +1,45 @@
+From 078c531e6b57f36359b74ea6c136c2ea1b5a9891 Mon Sep 17 00:00:00 2001
+From: Anthony Liguori <aliguori@us.ibm.com>
+Date: Mon, 23 Jan 2012 07:30:43 -0600
+Subject: [PATCH] e1000: bounds packet size against buffer size
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Otherwise we can write beyond the buffer and corrupt memory.  This is tracked
+as CVE-2012-0029.
+
+Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
+(cherry picked from commit 65f82df0d7a71ce1b10cd4c5ab08888d176ac840)
+
+Signed-off-by: Bruce Rogers <brogers@suse.com>
+[AF: stable-0.15 does not have pci_dma_read(). Fixes BNC#740165.]
+Signed-off-by: Andreas Färber <afaerber@suse.de>
+---
+ hw/e1000.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/hw/e1000.c b/hw/e1000.c
+index 7971457..c91790b 100644
+--- a/hw/e1000.c
++++ b/hw/e1000.c
+@@ -472,6 +472,8 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
+             bytes = split_size;
+             if (tp->size + bytes > msh)
+                 bytes = msh - tp->size;
++
++            bytes = MIN(sizeof(tp->data) - tp->size, bytes);
+             cpu_physical_memory_read(addr, tp->data + tp->size, bytes);
+             if ((sz = tp->size + bytes) >= hdr && tp->size < hdr)
+                 memmove(tp->header, tp->data, hdr);
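Review bot: `MIN(sizeof(tp->data) - tp->size, bytes)` only bounds the copy if `tp->size <= sizeof(tp->data)` already holds; the loop maintains that invariant for sizes it produces itself, but if `tp->size` can arrive larger from elsewhere — an incoming migration stream, for instance, which is not checked in this view — the unsigned subtraction wraps and the `MIN` imposes no limit at all. A defensive `if (tp->size >= sizeof(tp->data)) { /* drop the descriptor */ }` before the subtraction, or a bounds check wherever `tp->size` is loaded, closes that. The `memmove(tp->header, tp->data, hdr)` on the last line is likewise unbounded here; confirm `hdr` is checked against `sizeof(tp->header)` earlier in the function. The loop and `process_tx_desc` itself start and end outside the hunk.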
+@@ -487,6 +489,7 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
+         // context descriptor TSE is not set, while data descriptor TSE is set
+         DBGOUT(TXERR, "TCP segmentaion Error\n");
+     } else {
++        split_size = MIN(sizeof(tp->data) - tp->size, split_size);
+         cpu_physical_memory_read(addr, tp->data + tp->size, split_size);
+         tp->size += split_size;
+     }
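Review bot: The clamp on `split_size` silently discards the tail of an oversized data descriptor, whereas the TSE-mismatch branch just above logs via `DBGOUT(TXERR, ...)`; an oversized descriptor is equally a guest bug or probe, so logging the truncation helps spot it, e.g. `if (split_size > sizeof(tp->data) - tp->size) DBGOUT(TXERR, "tx data truncated\n");` before the `MIN`. As in the first hunk, the subtraction assumes `tp->size <= sizeof(tp->data)` and wraps otherwise. The enclosing function ends outside the hunk.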
+-- 
+1.7.11.2
+
diff --git a/0205-compatfd.c-Don-t-pass-NULL-pointer-to-SYS_signalfd.patch b/0205-compatfd.c-Don-t-pass-NULL-pointer-to-SYS_signalfd.patch
new file mode 100644
index 0000000..1c3b7ea
--- /dev/null
+++ b/0205-compatfd.c-Don-t-pass-NULL-pointer-to-SYS_signalfd.patch
@@ -0,0 +1,49 @@
+From 89409a7eee1d25a91c31402fdb35d8554e3a99d0 Mon Sep 17 00:00:00 2001
+From: Peter Maydell <peter.maydell@linaro.org>
+Date: Thu, 13 Oct 2011 18:45:37 +0100
+Subject: [PATCH] compatfd.c: Don't pass NULL pointer to SYS_signalfd
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Don't pass a NULL pointer in to SYS_signalfd in qemu_signalfd_available():
+this isn't valid and Valgrind complains about it.
+
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
+Signed-off-by: Andrzej Zaborowski <andrew.zaborowski@intel.com>
+(cherry picked from commit 7f84c1272b601be88daeb828ec1890890c7aae25)
+
+Signed-off-by: Bruce Rogers <brogers@suse.com>
+Signed-off-by: Andreas Färber <afaerber@suse.de>
+---
+ compatfd.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/compatfd.c b/compatfd.c
+index 31654c6..02306a4 100644
+--- a/compatfd.c
++++ b/compatfd.c
+@@ -119,9 +119,17 @@ int qemu_signalfd(const sigset_t *mask)
+ bool qemu_signalfd_available(void)
+ {
+ #ifdef CONFIG_SIGNALFD
++    sigset_t mask;
++    int fd;
++    bool ok;
++    sigemptyset(&mask);
+     errno = 0;
+-    syscall(SYS_signalfd, -1, NULL, _NSIG / 8);
+-    return errno != ENOSYS;
++    fd = syscall(SYS_signalfd, -1, &mask, _NSIG / 8);
++    ok = (errno != ENOSYS);
++    if (fd >= 0) {
++        close(fd);
++    }
++    return ok;
+ #else
+     return false;
+ #endif
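Review bot: The probe now creates a real descriptor and closes it, but nothing in the code says why `&mask` (an empty set) replaces the former `NULL` or why `-1` is passed as the fd; a comment above the `syscall()`, `/* Probe with an empty but valid mask: NULL is not a legal argument, and a real fd is created and must be closed. */`, saves the next reader a trip to the log. Sampling `errno` into `ok` immediately after the syscall and before `close()` is correct, since `close()` may clobber it — a `/* read errno before close() */` would stop anyone reordering those lines. The function's closing brace lies outside the hunk.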
+-- 
+1.7.11.2
+
diff --git a/0206-kvm-avoid-reentring-kvm_flush_coalesced_mmio_buffer.patch b/0206-kvm-avoid-reentring-kvm_flush_coalesced_mmio_buffer.patch
new file mode 100644
index 0000000..cfe02b4
--- /dev/null
+++ b/0206-kvm-avoid-reentring-kvm_flush_coalesced_mmio_buffer.patch
@@ -0,0 +1,60 @@
+From 479c2a6a296d4fafc713746bf96127c1b20c381e Mon Sep 17 00:00:00 2001
+From: Avi Kivity <avi@redhat.com>
+Date: Tue, 18 Oct 2011 19:43:12 +0200
+Subject: [PATCH] kvm: avoid reentring kvm_flush_coalesced_mmio_buffer()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+mmio callbacks invoked by kvm_flush_coalesced_mmio_buffer() may
+themselves indirectly call kvm_flush_coalesced_mmio_buffer().
+Prevent reentering the function by checking a flag that indicates
+we're processing coalesced mmio requests.
+
+Signed-off-by: Avi Kivity <avi@redhat.com>
+(cherry picked from commit 1cae88b9f4121c9af0bf677435c6129e643280fd)
+
+Signed-off-by: Bruce Rogers <brogers@suse.com>
+Signed-off-by: Andreas Färber <afaerber@suse.de>
+---
+ kvm-all.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/kvm-all.c b/kvm-all.c
+index cbc2532..26621d0 100644
+--- a/kvm-all.c
++++ b/kvm-all.c
+@@ -64,6 +64,7 @@ struct KVMState
+     int vmfd;
+     int coalesced_mmio;
+     struct kvm_coalesced_mmio_ring *coalesced_mmio_ring;
++    bool coalesced_flush_in_progress;
+     int broken_set_mem_region;
+     int migration_log;
+     int vcpu_events;
+@@ -876,6 +877,13 @@ static int kvm_handle_internal_error(CPUState *env, struct kvm_run *run)
+ void kvm_flush_coalesced_mmio_buffer(void)
+ {
+     KVMState *s = kvm_state;
++
++    if (s->coalesced_flush_in_progress) {
++        return;
++    }
++
++    s->coalesced_flush_in_progress = true;
++
+     if (s->coalesced_mmio_ring) {
+         struct kvm_coalesced_mmio_ring *ring = s->coalesced_mmio_ring;
+         while (ring->first != ring->last) {
+@@ -888,6 +896,8 @@ void kvm_flush_coalesced_mmio_buffer(void)
+             ring->first = (ring->first + 1) % KVM_COALESCED_MMIO_MAX;
+         }
+     }
++
++    s->coalesced_flush_in_progress = false;
+ }
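Review bot: `coalesced_flush_in_progress` is a plain `bool` with no synchronisation, so the guard only works if every caller of `kvm_flush_coalesced_mmio_buffer()` runs under the same global lock (presumably the iothread mutex); the hunk gives no hint of that, so a comment on the check, `/* Reentrancy guard, not a lock: callers hold the global mutex */`, would state the assumption. The nested call simply returns, leaving any entries queued by the inner MMIO handlers to the outer `while (ring->first != ring->last)`, which re-reads `ring->last` each iteration — fine, but a line saying the outer loop drains them avoids the question. There is no early return between set and clear, so the flag cannot stay stuck; keep it that way if the loop body grows.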
+ 
+ static void do_kvm_cpu_synchronize_state(void *_env)
+-- 
+1.7.11.2
+
diff --git a/0207-vmdk-vmdk_read_cid-returns-garbage-if-p_name-is-NULL.patch b/0207-vmdk-vmdk_read_cid-returns-garbage-if-p_name-is-NULL.patch
new file mode 100644
index 0000000..7f6b622
--- /dev/null
+++ b/0207-vmdk-vmdk_read_cid-returns-garbage-if-p_name-is-NULL.patch
@@ -0,0 +1,36 @@
+From 1b09be835d853b8fd591e1f5de29ae20ed405722 Mon Sep 17 00:00:00 2001
+From: Pavel Borzenkov <pavel.borzenkov@gmail.com>
+Date: Tue, 18 Oct 2011 21:19:03 +0400
+Subject: [PATCH] vmdk: vmdk_read_cid returns garbage if p_name is NULL
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Spotted by Clang Analyzer
+
+Signed-off-by: Pavel Borzenkov <pavel.borzenkov@gmail.com>
+Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
+(cherry picked from commit 8379e46d1fd681b8aa4714382e2cdab05e5d0575)
+
+Signed-off-by: Bruce Rogers <brogers@suse.com>
+Signed-off-by: Andreas Färber <afaerber@suse.de>
+---
+ block/vmdk.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/block/vmdk.c b/block/vmdk.c
+index 37478d2..b5caa40 100644
+--- a/block/vmdk.c
++++ b/block/vmdk.c
+@@ -177,7 +177,7 @@ static void vmdk_free_extents(BlockDriverState *bs)
+ static uint32_t vmdk_read_cid(BlockDriverState *bs, int parent)
+ {
+     char desc[DESC_SIZE];
+-    uint32_t cid;
++    uint32_t cid = 0xffffffff;
+     const char *p_name, *cid_str;
+     size_t cid_str_size;
+     BDRVVmdkState *s = bs->opaque;
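Review bot: `0xffffffff` is a bare magic value for the "no CID found" case; in VMDK descriptors `parentCID=ffffffff` is conventionally the "no parent" marker, so if that is the intended meaning a comment or named constant, e.g. `uint32_t cid = 0xffffffff; /* no CID: VMDK's "no parent" value */`, makes the sentinel explicit. Callers comparing the result to a stored CID now get a deterministic value, but whether they can distinguish "not found" from a real CID equal to 0xffffffff is not visible here. The rest of `vmdk_read_cid` is outside the hunk.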
+-- 
+1.7.11.2
+
diff --git a/0208-block-Fix-bdrv_open-use-after-free.patch b/0208-block-Fix-bdrv_open-use-after-free.patch
new file mode 100644
index 0000000..ff9c621
--- /dev/null
+++ b/0208-block-Fix-bdrv_open-use-after-free.patch
@@ -0,0 +1,43 @@
+From 72e8677ee72152245f5dc222a85f83a6a382efe8 Mon Sep 17 00:00:00 2001
+From: Kevin Wolf <kwolf@redhat.com>
+Date: Wed, 26 Oct 2011 11:03:01 +0200
+Subject: [PATCH] block: Fix bdrv_open use after free
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+tmp_filename was used outside the block it was defined in, i.e. after it went
+out of scope. Move its declaration to the top level.
+
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+(cherry picked from commit 2b5728164fcf5211bbae8d3c2fc6df62dd6b2295)
+
+Signed-off-by: Bruce Rogers <brogers@suse.com>
+Signed-off-by: Andreas Färber <afaerber@suse.de>
+---
+ block.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/block.c b/block.c
+index 9549b9e..4ebb18b 100644
+--- a/block.c
++++ b/block.c
+@@ -526,6 +526,7 @@ int bdrv_open(BlockDriverState *bs, const char *filename, int flags,
+               BlockDriver *drv)
+ {
+     int ret;
++    char tmp_filename[PATH_MAX];
+ 
+     if (flags & BDRV_O_SNAPSHOT) {
+         BlockDriverState *bs1;
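Review bot: Moving `tmp_filename` to function scope fixes the dangling reference, but the later use that motivated the move is outside this hunk and the buffer is only filled inside `if (flags & BDRV_O_SNAPSHOT)`; that later use must be guarded by the same condition, or it reads an uninitialised `PATH_MAX` array. Declaring it as `char tmp_filename[PATH_MAX] = "";` makes an unguarded read harmless at negligible cost. Two `PATH_MAX` buffers on `bdrv_open`'s stack (`backing_filename` stays in the inner block) is in line with the existing code. The function body continues beyond the hunk.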
+@@ -533,7 +534,6 @@ int bdrv_open(BlockDriverState *bs, const char *filename, int flags,
+         int is_protocol = 0;
+         BlockDriver *bdrv_qcow2;
+         QEMUOptionParameter *options;
+-        char tmp_filename[PATH_MAX];
+         char backing_filename[PATH_MAX];
+ 
+         /* if snapshot, we create a temporary backing file and open it
+-- 
+1.7.11.2
+
diff --git a/0209-ide-Fix-off-by-one-error-in-array-index-check.patch b/0209-ide-Fix-off-by-one-error-in-array-index-check.patch
new file mode 100644
index 0000000..282d5a5
--- /dev/null
+++ b/0209-ide-Fix-off-by-one-error-in-array-index-check.patch
@@ -0,0 +1,34 @@
+From 99f6b4ed1c345b144b0f052974cb470036418020 Mon Sep 17 00:00:00 2001
+From: Kevin Wolf <kwolf@redhat.com>
+Date: Wed, 26 Oct 2011 11:52:47 +0200
+Subject: [PATCH] ide: Fix off-by-one error in array index check
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit fb60105d4942a26f571b1be92a8b9e7528d0c4d8)
+
+Signed-off-by: Bruce Rogers <brogers@suse.com>
+Signed-off-by: Andreas Färber <afaerber@suse.de>
+---
+ hw/ide/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/ide/core.c b/hw/ide/core.c
+index d145b19..9bc446e 100644
+--- a/hw/ide/core.c
++++ b/hw/ide/core.c
+@@ -1933,7 +1933,7 @@ static int ide_drive_pio_post_load(void *opaque, int version_id)
+ {
+     IDEState *s = opaque;
+ 
+-    if (s->end_transfer_fn_idx > ARRAY_SIZE(transfer_end_table)) {
++    if (s->end_transfer_fn_idx >= ARRAY_SIZE(transfer_end_table)) {
+         return -EINVAL;
+     }
+     s->end_transfer_func = transfer_end_table[s->end_transfer_fn_idx];
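Review bot: The corrected `>=` relies on `ARRAY_SIZE()` yielding `size_t` to also reject negative values: if `s->end_transfer_fn_idx` is a signed integer (its declaration is not in the hunk), the comparison promotes it to unsigned so `-1` becomes huge and fails the check — the right outcome, but easy to break with a cast. A comment like `/* >= also rejects negative indices via unsigned promotion */`, or an explicit `if (s->end_transfer_fn_idx < 0 || s->end_transfer_fn_idx >= ARRAY_SIZE(transfer_end_table))`, lets the intent survive a type change. Since the index comes from the migration stream, this check is the only thing between a crafted stream and an arbitrary function pointer. The function ends outside the hunk.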
+-- 
+1.7.11.2
+
diff --git a/0210-acl-Fix-use-after-free-in-qemu_acl_reset.patch b/0210-acl-Fix-use-after-free-in-qemu_acl_reset.patch
new file mode 100644
index 0000000..e86dd11
--- /dev/null
+++ b/0210-acl-Fix-use-after-free-in-qemu_acl_reset.patch
@@ -0,0 +1,52 @@
+From fa9ad46e1a4b3707a465bccf6f4431db7a647a08 Mon Sep 17 00:00:00 2001
+From: Markus Armbruster <armbru@redhat.com>
+Date: Fri, 28 Oct 2011 17:07:02 +0200
+Subject: [PATCH] acl: Fix use after free in qemu_acl_reset()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reproducer:
+
+    $ MALLOC_PERTURB_=234 qemu-system-x86_64 -vnc :0,acl,sasl [...]
+    QEMU 0.15.50 monitor - type 'help' for more information
+    (qemu) acl_add vnc.username fred allow
+    acl: added rule at position 1
+    (qemu) acl_reset vnc.username
+    Segmentation fault (core dumped)
+
+Spotted by Coverity.
+
+Signed-off-by: Markus Armbruster <armbru@redhat.com>
+Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
+(cherry picked from commit 0ce6a434176e274a7e86bcaa268542c5cc402696)
+
+Signed-off-by: Bruce Rogers <brogers@suse.com>
+Signed-off-by: Andreas Färber <afaerber@suse.de>
+---
+ acl.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/acl.c b/acl.c
+index 82c2704..cae059f 100644
+--- a/acl.c
++++ b/acl.c
+@@ -95,13 +95,13 @@ int qemu_acl_party_is_allowed(qemu_acl *acl,
+ 
+ void qemu_acl_reset(qemu_acl *acl)
+ {
+-    qemu_acl_entry *entry;
++    qemu_acl_entry *entry, *next_entry;
+ 
+     /* Put back to deny by default, so there is no window
+      * of "open access" while the user re-initializes the
+      * access control list */
+     acl->defaultDeny = 1;
+-    QTAILQ_FOREACH(entry, &acl->entries, next) {
++    QTAILQ_FOREACH_SAFE(entry, &acl->entries, next, next_entry) {
+         QTAILQ_REMOVE(&acl->entries, entry, next);
+         free(entry->match);
+         free(entry);
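Review bot: `QTAILQ_FOREACH_SAFE` fixes the use-after-free, but if `qemu_acl` keeps an entry count (not shown here) it must also be zeroed after the loop, or the positions reported by `acl_add` will drift; `qemu_acl_reset` continues past the hunk, so confirm the count is reset there. Setting `defaultDeny = 1` before the entries are freed is the right order — there is no window in which an emptied list with `defaultDeny = 0` admits everyone — and the existing comment explaining that should stay attached to it.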
+-- 
+1.7.11.2
+
diff --git a/0211-migration-flush-migration-data-to-disk.patch b/0211-migration-flush-migration-data-to-disk.patch
new file mode 100644
index 0000000..41a628d
--- /dev/null
+++ b/0211-migration-flush-migration-data-to-disk.patch
@@ -0,0 +1,71 @@
+From 06400ebc136bf44f1fa423159fae9cc9a4f6839d Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Thu, 27 Oct 2011 09:12:04 +0200
+Subject: [PATCH] migration: flush migration data to disk.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch increases robustness when migrating to a file with
+two little changes:
+
+ (1) Before closing the migration file handle checks if it happens to be
+     a regular file and if so it issues a fsync.  This way the data is
+     flushed to disk before qemu sends the migration completed event.
+ (2) It adds error checking.  In case either fsync or close syscall
+     fails pass up the error (and fail migration).
+
+[ v2: return -errno instead of -1 ]
+
+Cc: Juan Quintela <quintela@redhat.com>
+Cc: Jiri Denemark <jdenemar@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
+(cherry picked from commit aab2293687ee54a409f3fb53a1ab3595b595e0fb)
+
+Signed-off-by: Bruce Rogers <brogers@suse.com>
+Signed-off-by: Andreas Färber <afaerber@suse.de>
+---
+ migration-fd.c | 23 ++++++++++++++++++++++-
+ 1 file changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/migration-fd.c b/migration-fd.c
+index 66d51c1..f986bdf 100644
+--- a/migration-fd.c
++++ b/migration-fd.c
+@@ -42,10 +42,31 @@ static int fd_write(FdMigrationState *s, const void * buf, size_t size)
+ 
+ static int fd_close(FdMigrationState *s)
+ {
++    struct stat st;
++    int ret;
++
+     DPRINTF("fd_close\n");
+     if (s->fd != -1) {
+-        close(s->fd);
++        ret = fstat(s->fd, &st);
++        if (ret == 0 && S_ISREG(st.st_mode)) {
++            /*
++             * If the file handle is a regular file make sure the
++             * data is flushed to disk before signaling success.
++             */
++            ret = fsync(s->fd);
++            if (ret != 0) {
++                ret = -errno;
++                perror("migration-fd: fsync");
++                return ret;
++            }
++        }
++        ret = close(s->fd);
+         s->fd = -1;
++        if (ret != 0) {
++            ret = -errno;
++            perror("migration-fd: close");
++            return ret;
++        }
+     }
+     return 0;
+ }
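Review bot: When `fsync()` fails the function returns before `close(s->fd)`, leaking the descriptor and leaving `s->fd` set, so any later cleanup operates on a half-closed state; the descriptor should be released regardless, with the first error winning. The sketch below keeps the fsync-then-close order and the `-errno` convention but always closes and resets `s->fd`. `fstat()` failure is still treated as "not a regular file" and silently skips the fsync, which is acceptable for pipes and sockets but could hide a bad fd — a `DPRINTF` there would help. The whole of `fd_close` is within the hunk.

```c
static int fd_close(FdMigrationState *s)
{
    struct stat st;
    int ret = 0;

    DPRINTF("fd_close\n");
    if (s->fd != -1) {
        if (fstat(s->fd, &st) == 0 && S_ISREG(st.st_mode)) {
            /* … unchanged: comment on flushing regular files … */
            if (fsync(s->fd) != 0) {
                ret = -errno;
                perror("migration-fd: fsync");
            }
        }
        /* Always release the descriptor; the first error is the one reported. */
        if (close(s->fd) != 0) {
            if (ret == 0) {
                ret = -errno;
            }
            perror("migration-fd: close");
        }
        s->fd = -1;
    }
    return ret;
}
```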
+-- 
+1.7.11.2
+
diff --git a/0212-Fix-X86-CPU-topology-in-KVM-mode.patch b/0212-Fix-X86-CPU-topology-in-KVM-mode.patch
new file mode 100644
index 0000000..444b80a
--- /dev/null
+++ b/0212-Fix-X86-CPU-topology-in-KVM-mode.patch
@@ -0,0 +1,55 @@
+From 7a890dc5d4e79e4ced03aa9d3665c9a1df3e448e Mon Sep 17 00:00:00 2001
+From: Bharata B Rao <bharata.rao@gmail.com>
+Date: Wed, 2 Nov 2011 14:16:08 +0530
+Subject: [PATCH] Fix X86 CPU topology in KVM mode
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+apic id returned to guest kernel in ebx for cpuid(function=1) depends on
+CPUX86State->cpuid_apic_id which gets populated after the cpuid information
+is cached in the host kernel. This results in broken CPU topology in guest.
+
+Fix this by setting cpuid_apic_id before cpuid information is passed to
+the host kernel. This is done by moving the setting of cpuid_apic_id
+to cpu_x86_init() where it will work for both KVM as well as TCG modes.
+
+Acked-by: Jan Kiszka <jan.kiszka@siemens.com>
+Signed-off-by: Bharata B Rao <bharata.rao@gmail.com>
+Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
+(cherry picked from commit f2209eb854a016eabc444b45f6d6b1636949141f)
+
+Signed-off-by: Bruce Rogers <brogers@suse.com>
+Signed-off-by: Andreas Färber <afaerber@suse.de>
+---
+ hw/pc.c              | 1 -
+ target-i386/helper.c | 1 +
+ 2 files changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/pc.c b/hw/pc.c
+index a3e8539..14ce684 100644
+--- a/hw/pc.c
++++ b/hw/pc.c
+@@ -931,7 +931,6 @@ static CPUState *pc_new_cpu(const char *cpu_model)
+         exit(1);
+     }
+     if ((env->cpuid_features & CPUID_APIC) || smp_cpus > 1) {
+-        env->cpuid_apic_id = env->cpu_index;
+         env->apic_state = apic_init(env, env->cpuid_apic_id);
+     }
+     qemu_register_reset(pc_cpu_reset, env);
+diff --git a/target-i386/helper.c b/target-i386/helper.c
+index e9be104..829c1da 100644
+--- a/target-i386/helper.c
++++ b/target-i386/helper.c
+@@ -1258,6 +1258,7 @@ CPUX86State *cpu_x86_init(const char *cpu_model)
+         cpu_x86_close(env);
+         return NULL;
+     }
++    env->cpuid_apic_id = env->cpu_index;
+     mce_init(env);
+ 
+     qemu_init_vcpu(env);
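Review bot: The moved assignment has an ordering dependency the code does not state: per the commit message the KVM vcpu's CPUID table is populated from `env` during `qemu_init_vcpu()`, so `cpuid_apic_id` must be set before that call or CPUID.1 EBX reports the wrong APIC ID; a comment such as `/* must precede qemu_init_vcpu(): KVM snapshots CPUID (incl. the APIC ID in CPUID.1 EBX) at vcpu creation */` protects the order. The assignment is now unconditional, whereas the removed one in pc.c was under `(cpuid_features & CPUID_APIC) || smp_cpus > 1`; that is harmless for the id itself, but worth a word in the comment since `apic_init` remains conditional. The enclosing `cpu_x86_init` starts outside the hunk.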
+-- 
+1.7.11.2
+
diff --git a/0213-hw-lan9118.c-Add-missing-break-to-fix-buffer-overrun.patch b/0213-hw-lan9118.c-Add-missing-break-to-fix-buffer-overrun.patch
new file mode 100644
index 0000000..2523e90
--- /dev/null
+++ b/0213-hw-lan9118.c-Add-missing-break-to-fix-buffer-overrun.patch
@@ -0,0 +1,37 @@
+From e9552556f514b334b78ed56e32b4af366b429a0b Mon Sep 17 00:00:00 2001
+From: Peter Maydell <peter.maydell@linaro.org>
+Date: Wed, 9 Nov 2011 18:59:54 +0000
+Subject: [PATCH] hw/lan9118.c: Add missing 'break' to fix buffer overrun
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Add a missing 'break' statement to fix a buffer overrun when
+executing the EEPROM write-all command. Spotted by Coverity
+(see bug 887883).
+
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
+(cherry picked from commit 0e3b800e71cb7759d099eabbd8ad4c4fe848e381)
+
+Signed-off-by: Bruce Rogers <brogers@suse.com>
+Signed-off-by: Andreas Färber <afaerber@suse.de>
+---
+ hw/lan9118.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/lan9118.c b/hw/lan9118.c
+index 73a8661..494b11d 100644
+--- a/hw/lan9118.c
++++ b/hw/lan9118.c
+@@ -863,6 +863,7 @@ static void lan9118_eeprom_cmd(lan9118_state *s, int cmd, int addr)
+         } else {
+             DPRINTF("EEPROM Write All (ignored)\n");
+         }
++        break;
+     case 5: /* ERASE */
+         if (s->eeprom_writable) {
+             s->eeprom[addr] = 0xff;
+-- 
+1.7.11.2
+
diff --git a/0214-ac97-don-t-override-the-pci-subsystem-id.patch b/0214-ac97-don-t-override-the-pci-subsystem-id.patch
new file mode 100644
index 0000000..f42640e
--- /dev/null
+++ b/0214-ac97-don-t-override-the-pci-subsystem-id.patch
@@ -0,0 +1,119 @@
+From 498a3d8b7d28b8c114d65d9db5ccf3e96e2458f1 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 7 Nov 2011 16:33:09 +0100
+Subject: [PATCH] ac97: don't override the pci subsystem id
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch removes the code lines which set the subsystem id for the
+emulated ac97 card to 8086:0000.  Due to the device id being zero the
+subsystem id isn't vaild anyway.  With the patch applied the sound card
+gets the default qemu subsystem id (1af4:1100) instead.
+
+[ v2: old & broken id is maintained for -M pc-$oldqemuversion ]
+
+Cc: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
+(cherry picked from commit 25a21c94c0055e078acb7f7455e66c8a15f32385)
+
+Signed-off-by: Bruce Rogers <brogers@suse.com>
+Signed-off-by: Andreas Färber <afaerber@suse.de>
+---
+ hw/ac97.c    | 16 +++++++++++-----
+ hw/pc_piix.c | 16 ++++++++++++++++
+ 2 files changed, 27 insertions(+), 5 deletions(-)
+
+diff --git a/hw/ac97.c b/hw/ac97.c
+index 0b59896..a039481 100644
+--- a/hw/ac97.c
++++ b/hw/ac97.c
+@@ -149,6 +149,7 @@ typedef struct AC97BusMasterRegs {
+ typedef struct AC97LinkState {
+     PCIDevice dev;
+     QEMUSoundCard card;
++    uint32_t use_broken_id;
+     uint32_t glob_cnt;
+     uint32_t glob_sta;
+     uint32_t cas;
+@@ -1301,11 +1302,12 @@ static int ac97_initfn (PCIDevice *dev)
+     c[PCI_BASE_ADDRESS_0 + 6] = 0x00;
+     c[PCI_BASE_ADDRESS_0 + 7] = 0x00;
+ 
+-    c[PCI_SUBSYSTEM_VENDOR_ID] = 0x86;      /* svid subsystem vendor id rwo */
+-    c[PCI_SUBSYSTEM_VENDOR_ID + 1] = 0x80;
+-
+-    c[PCI_SUBSYSTEM_ID] = 0x00;      /* sid subsystem id rwo */
+-    c[PCI_SUBSYSTEM_ID + 1] = 0x00;
++    if (s->use_broken_id) {
++        c[PCI_SUBSYSTEM_VENDOR_ID] = 0x86;
++        c[PCI_SUBSYSTEM_VENDOR_ID + 1] = 0x80;
++        c[PCI_SUBSYSTEM_ID] = 0x00;
++        c[PCI_SUBSYSTEM_ID + 1] = 0x00;
++    }
+ 
+     c[PCI_INTERRUPT_LINE] = 0x00;      /* intr_ln interrupt line rw */
+     /* TODO: RST# value should be 0. */
+@@ -1336,6 +1338,10 @@ static PCIDeviceInfo ac97_info = {
+     .device_id    = PCI_DEVICE_ID_INTEL_82801AA_5,
+     .revision     = 0x01,
+     .class_id     = PCI_CLASS_MULTIMEDIA_AUDIO,
++    .qdev.props   = (Property[]) {
++        DEFINE_PROP_UINT32("use_broken_id", AC97LinkState, use_broken_id, 0),
++        DEFINE_PROP_END_OF_LIST(),
++    }
+ };
+ 
+ static void ac97_register (void)
+diff --git a/hw/pc_piix.c b/hw/pc_piix.c
+index c5c16b4..31552fd 100644
+--- a/hw/pc_piix.c
++++ b/hw/pc_piix.c
+@@ -300,6 +300,10 @@ static QEMUMachine pc_machine_v0_13 = {
+             .driver   = "virtio-net-pci",
+             .property = "event_idx",
+             .value    = "off",
++        },{
++            .driver   = "AC97",
++            .property = "use_broken_id",
++            .value    = stringify(1),
+         },
+         { /* end of list */ }
+     },
+@@ -343,6 +347,10 @@ static QEMUMachine pc_machine_v0_12 = {
+             .driver   = "virtio-net-pci",
+             .property = "event_idx",
+             .value    = "off",
++        },{
++            .driver   = "AC97",
++            .property = "use_broken_id",
++            .value    = stringify(1),
+         },
+         { /* end of list */ }
+     }
+@@ -394,6 +402,10 @@ static QEMUMachine pc_machine_v0_11 = {
+             .driver   = "virtio-net-pci",
+             .property = "event_idx",
+             .value    = "off",
++        },{
++            .driver   = "AC97",
++            .property = "use_broken_id",
++            .value    = stringify(1),
+         },
+         { /* end of list */ }
+     }
+@@ -457,6 +469,10 @@ static QEMUMachine pc_machine_v0_10 = {
+             .driver   = "virtio-net-pci",
+             .property = "event_idx",
+             .value    = "off",
++        },{
++            .driver   = "AC97",
++            .property = "use_broken_id",
++            .value    = stringify(1),
+         },
+         { /* end of list */ }
+     },
+-- 
+1.7.11.2
+
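Review bot: `use_broken_id` is added to `AC97LinkState` as a bare `uint32_t` with no comment, but it is only ever tested as a flag in `ac97_initfn`, and a reader of the struct cannot tell it is a machine-compat knob rather than device state. Suggest `uint32_t use_broken_id; /* compat: keep the old, invalid 8086:0000 subsystem id for the pc-0.10..pc-0.13 machine types */` on the field, and a one-line comment above `if (s->use_broken_id)` saying the four bytes written there are deliberately the pre-patch values. The repeated compat entries in hw/pc_piix.c follow that file's existing pattern, so no change is proposed there.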
diff --git a/0215-vvfat-Fix-potential-buffer-overflow.patch b/0215-vvfat-Fix-potential-buffer-overflow.patch
new file mode 100644
index 0000000..4f9d07c
--- /dev/null
+++ b/0215-vvfat-Fix-potential-buffer-overflow.patch
@@ -0,0 +1,36 @@
+From f03f1fc43b30c377a553daf7709e1f0f392a532b Mon Sep 17 00:00:00 2001
+From: Kevin Wolf <kwolf@redhat.com>
+Date: Wed, 1 Jun 2011 10:57:00 +0200
+Subject: [PATCH] vvfat: Fix potential buffer overflow
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+path2[PATH_MAX] can be used for the null termination, so make the array big
+enough to allow this.
+
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+(cherry picked from commit 0d460d6f414e02805cbc348404db03b2b7907360)
+
+Signed-off-by: Bruce Rogers <brogers@suse.com>
+Signed-off-by: Andreas Färber <afaerber@suse.de>
+---
+ block/vvfat.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/block/vvfat.c b/block/vvfat.c
+index fe568fe..98b58f0 100644
+--- a/block/vvfat.c
++++ b/block/vvfat.c
+@@ -1741,7 +1741,7 @@ static int check_directory_consistency(BDRVVVFATState *s,
+ 
+     long_file_name lfn;
+     int path_len = strlen(path);
+-    char path2[PATH_MAX];
++    char path2[PATH_MAX + 1];
+ 
+     assert(path_len < PATH_MAX); /* len was tested before! */
+     pstrcpy(path2, sizeof(path2), path);
+-- 
+1.7.11.2
+
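Review bot: `assert(path_len < PATH_MAX)` is the only length check visible before `pstrcpy(path2, sizeof(path2), path)`, and it vanishes under NDEBUG; the copy itself stays bounded by `sizeof(path2)`, but the later writes that motivated `PATH_MAX + 1` are outside the hunk, so whether they are bounded by the enlarged size cannot be confirmed here. The existing comment `/* len was tested before! */` should say where the test lives and what the extra byte is for, e.g. `/* caller already rejected longer paths; path2[PATH_MAX] is reserved for the terminator */`. check_directory_consistency begins and ends outside the hunk.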
diff --git a/0216-vns-tls-don-t-use-depricated-gnutls-functions.patch b/0216-vns-tls-don-t-use-depricated-gnutls-functions.patch
new file mode 100644
index 0000000..a47ad72
--- /dev/null
+++ b/0216-vns-tls-don-t-use-depricated-gnutls-functions.patch
@@ -0,0 +1,116 @@
+From 5a32540f7b39f0b1224c3d6f1d12b6d4e358fe0a Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Wed, 7 Sep 2011 17:52:10 +0200
+Subject: [PATCH] vns/tls: don't use depricated gnutls functions
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Avoid using deprecated gnutls functions with recent gnutls versions.
+Fixes build failure on Fedora 16.  Keep the old way for compatibility
+with old installations such as RHEL-5 (gnutls 1.4.x).
+
+Based on a patch from Raghavendra D Prabhu <raghu.prabhu13@gmail.com>
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
+(cherry picked from commit f40d55081667a716312b9a8b6e13835c4074f56b)
+
+Signed-off-by: Bruce Rogers <brogers@suse.com>
+Signed-off-by: Andreas Färber <afaerber@suse.de>
+---
+ ui/vnc-tls.c | 68 +++++++++++++++++++++++++++++++++++++++++++-----------------
+ 1 file changed, 49 insertions(+), 19 deletions(-)
+
+diff --git a/ui/vnc-tls.c b/ui/vnc-tls.c
+index 31f1467..f5ed306 100644
+--- a/ui/vnc-tls.c
++++ b/ui/vnc-tls.c
+@@ -283,13 +283,57 @@ int vnc_tls_validate_certificate(struct VncState *vs)
+     return 0;
+ }
+ 
++#if defined(GNUTLS_VERSION_NUMBER) && \
++    GNUTLS_VERSION_NUMBER >= 0x020200 /* 2.2.0 */
++
++static int vnc_set_gnutls_priority(gnutls_session_t s, int x509)
++{
++    const char *priority = x509 ? "NORMAL" : "NORMAL:+ANON-DH";
++    int rc;
++
++    rc = gnutls_priority_set_direct(s, priority, NULL);
++    if (rc != GNUTLS_E_SUCCESS) {
++        return -1;
++    }
++    return 0;
++}
++
++#else
++
++static int vnc_set_gnutls_priority(gnutls_session_t s, int x509)
++{
++    static const int cert_types[] = { GNUTLS_CRT_X509, 0 };
++    static const int protocols[] = {
++        GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0
++    };
++    static const int kx_anon[] = { GNUTLS_KX_ANON_DH, 0 };
++    static const int kx_x509[] = {
++        GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA,
++        GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0
++    };
++    int rc;
++
++    rc = gnutls_kx_set_priority(s, x509 ? kx_x509 : kx_anon);
++    if (rc != GNUTLS_E_SUCCESS) {
++        return -1;
++    }
++
++    rc = gnutls_certificate_type_set_priority(s, cert_types);
++    if (rc != GNUTLS_E_SUCCESS) {
++        return -1;
++    }
++
++    rc = gnutls_protocol_set_priority(s, protocols);
++    if (rc != GNUTLS_E_SUCCESS) {
++        return -1;
++    }
++    return 0;
++}
++
++#endif
+ 
+ int vnc_tls_client_setup(struct VncState *vs,
+                          int needX509Creds) {
+-    static const int cert_type_priority[] = { GNUTLS_CRT_X509, 0 };
+-    static const int protocol_priority[]= { GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0 };
+-    static const int kx_anon[] = {GNUTLS_KX_ANON_DH, 0};
+-    static const int kx_x509[] = {GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA, GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0};
+ 
+     VNC_DEBUG("Do TLS setup\n");
+     if (vnc_tls_initialize() < 0) {
+@@ -310,21 +354,7 @@ int vnc_tls_client_setup(struct VncState *vs,
+             return -1;
+         }
+ 
+-        if (gnutls_kx_set_priority(vs->tls.session, needX509Creds ? kx_x509 : kx_anon) < 0) {
+-            gnutls_deinit(vs->tls.session);
+-            vs->tls.session = NULL;
+-            vnc_client_error(vs);
+-            return -1;
+-        }
+-
+-        if (gnutls_certificate_type_set_priority(vs->tls.session, cert_type_priority) < 0) {
+-            gnutls_deinit(vs->tls.session);
+-            vs->tls.session = NULL;
+-            vnc_client_error(vs);
+-            return -1;
+-        }
+-
+-        if (gnutls_protocol_set_priority(vs->tls.session, protocol_priority) < 0) {
++        if (vnc_set_gnutls_priority(vs->tls.session, needX509Creds) < 0) {
+             gnutls_deinit(vs->tls.session);
+             vs->tls.session = NULL;
+             vnc_client_error(vs);
+-- 
+1.7.11.2
+
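Review bot: The two `vnc_set_gnutls_priority` bodies are not equivalent: the pre-2.2 branch pins an explicit protocol list (`GNUTLS_TLS1_1`, `GNUTLS_TLS1_0`, `GNUTLS_SSL3`) and key-exchange list, whereas the `gnutls_priority_set_direct` branch hands `"NORMAL"` to the library and inherits whatever that build's default suite set is, so the protocols negotiated by a given QEMU binary now depend on the gnutls it was built against. That is acceptable for a deprecation fix but deserves a header comment on the function, e.g. `/* >= 2.2: suite/protocol choice is delegated to gnutls' NORMAL set; the legacy branch keeps the old explicit lists, including SSL3. */`. The `x509` parameter is an `int` used as a boolean and would read better as `bool`, and the `NORMAL:+ANON-DH` string should carry a comment that anonymous DH performs no server authentication, the same property the old `kx_anon` list had.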
diff --git a/0217-block-curl-Implement-a-flush-function-on-the-fd-hand.patch b/0217-block-curl-Implement-a-flush-function-on-the-fd-hand.patch
new file mode 100644
index 0000000..581f5fe
--- /dev/null
+++ b/0217-block-curl-Implement-a-flush-function-on-the-fd-hand.patch
@@ -0,0 +1,76 @@
+From 84be2986f687b998f583b27d8b3e068e87032418 Mon Sep 17 00:00:00 2001
+From: Nick Thomas <nick@bytemark.co.uk>
+Date: Wed, 21 Sep 2011 11:55:49 +0100
+Subject: [PATCH] block/curl: Implement a flush function on the fd handlers
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Nick Thomas <nick@bytemark.co.uk>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+(cherry picked from commit c84dcdc1d6583ebe5841907c99d95deb8c40a6e0)
+
+Signed-off-by: Bruce Rogers <brogers@suse.com>
+Signed-off-by: Andreas Färber <afaerber@suse.de>
+---
+ block/curl.c | 26 ++++++++++++++++++++++----
+ 1 file changed, 22 insertions(+), 4 deletions(-)
+
+diff --git a/block/curl.c b/block/curl.c
+index 407f095..6cf6a70 100644
+--- a/block/curl.c
++++ b/block/curl.c
+@@ -76,6 +76,7 @@ typedef struct BDRVCURLState {
+ 
+ static void curl_clean_state(CURLState *s);
+ static void curl_multi_do(void *arg);
++static int curl_aio_flush(void *opaque);
+ 
+ static int curl_sock_cb(CURL *curl, curl_socket_t fd, int action,
+                         void *s, void *sp)
+@@ -83,14 +84,16 @@ static int curl_sock_cb(CURL *curl, curl_socket_t fd, int action,
+     DPRINTF("CURL (AIO): Sock action %d on fd %d\n", action, fd);
+     switch (action) {
+         case CURL_POLL_IN:
+-            qemu_aio_set_fd_handler(fd, curl_multi_do, NULL, NULL, NULL, s);
++            qemu_aio_set_fd_handler(fd, curl_multi_do, NULL, curl_aio_flush,
++                                    NULL, s);
+             break;
+         case CURL_POLL_OUT:
+-            qemu_aio_set_fd_handler(fd, NULL, curl_multi_do, NULL, NULL, s);
++            qemu_aio_set_fd_handler(fd, NULL, curl_multi_do, curl_aio_flush,
++                                    NULL, s);
+             break;
+         case CURL_POLL_INOUT:
+-            qemu_aio_set_fd_handler(fd, curl_multi_do,
+-                                    curl_multi_do, NULL, NULL, s);
++            qemu_aio_set_fd_handler(fd, curl_multi_do, curl_multi_do,
++                                    curl_aio_flush, NULL, s);
+             break;
+         case CURL_POLL_REMOVE:
+             qemu_aio_set_fd_handler(fd, NULL, NULL, NULL, NULL, NULL);
+@@ -394,6 +397,21 @@ out_noclean:
+     return -EINVAL;
+ }
+ 
++static int curl_aio_flush(void *opaque)
++{
++    BDRVCURLState *s = opaque;
++    int i, j;
++
++    for (i=0; i < CURL_NUM_STATES; i++) {
++        for(j=0; j < CURL_NUM_ACB; j++) {
++            if (s->states[i].acb[j]) {
++                return 1;
++            }
++        }
++    }
++    return 0;
++}
++
+ static void curl_aio_cancel(BlockDriverAIOCB *blockacb)
+ {
+     // Do we have to implement canceling? Seems to work without...
+-- 
+1.7.11.2
+
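Review bot: `curl_aio_flush` carries no comment stating its return contract; presumably the flush callback of `qemu_aio_set_fd_handler` treats a non-zero return as "AIO still outstanding", but that convention is not visible in the hunk. Suggest `/* Flush callback for qemu_aio_set_fd_handler(): returns 1 while any CURLAIOCB is still in flight, 0 when all states are idle. */` above the function. The inner loop header `for(j=0; j < CURL_NUM_ACB; j++)` should be spaced like the outer one, `for (j = 0; j < CURL_NUM_ACB; j++)`.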
diff --git a/0218-hda-do-not-mix-output-and-input-streams-RHBZ-740493.patch b/0218-hda-do-not-mix-output-and-input-streams-RHBZ-740493.patch
new file mode 100644
index 0000000..a4f5088
--- /dev/null
+++ b/0218-hda-do-not-mix-output-and-input-streams-RHBZ-740493.patch
@@ -0,0 +1,51 @@
+From 05a5f7c79ad8dc4887e7cd60c2572121b51adce7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@gmail.com>
+Date: Tue, 25 Oct 2011 16:53:00 +0200
+Subject: [PATCH] hda: do not mix output and input streams, RHBZ #740493
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Windows 7 may use the same stream number for input and output.
+That will result in lot of garbage on playback.
+
+The hardcoded value of 4 needs to be in sync with GCAP streams
+description and IN/OUT registers.
+
+Signed-off-by: Marc-Andr? Lureau <marcandre.lureau@redhat.com>
+Signed-off-by: malc <av1474@comtv.ru>
+(cherry picked from commit 36ac4ad3d054a7b4962a6393630a73591cfa9558)
+
+Signed-off-by: Bruce Rogers <brogers@suse.com>
+Signed-off-by: Andreas Färber <afaerber@suse.de>
+---
+ hw/intel-hda.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/hw/intel-hda.c b/hw/intel-hda.c
+index 5a2bc3a..7d02558 100644
+--- a/hw/intel-hda.c
++++ b/hw/intel-hda.c
+@@ -389,14 +389,15 @@ static bool intel_hda_xfer(HDACodecDevice *dev, uint32_t stnr, bool output,
+ {
+     HDACodecBus *bus = DO_UPCAST(HDACodecBus, qbus, dev->qdev.parent_bus);
+     IntelHDAState *d = container_of(bus, IntelHDAState, codecs);
+-    IntelHDAStream *st = NULL;
+     target_phys_addr_t addr;
+     uint32_t s, copy, left;
++    IntelHDAStream *st;
+     bool irq = false;
+ 
+-    for (s = 0; s < ARRAY_SIZE(d->st); s++) {
+-        if (stnr == ((d->st[s].ctl >> 20) & 0x0f)) {
+-            st = d->st + s;
++    st = output ? d->st + 4 : d->st;
++    for (s = 0; s < 4; s++) {
++        if (stnr == ((st[s].ctl >> 20) & 0x0f)) {
++            st = st + s;
+             break;
+         }
+     }
+-- 
+1.7.11.2
+
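Review bot: After the rewritten loop, `st` is no longer `NULL` when no stream matches `stnr`: the removed `IntelHDAStream *st = NULL;` initialisation was the only "not found" signal, and now `st` still points at the base of the input or output half (`d->st` or `d->st + 4`) when the loop runs to completion. The not-found check that follows the loop is outside the hunk; if it tests `st == NULL` it is now dead and the transfer proceeds on stream 0 or 4, so it must test the loop counter instead, e.g. `if (s == 4) { return false; }`. The literal `4` appears three times here and, per the commit message, must agree with GCAP; a named constant with a comment such as `/* 4 input + 4 output streams; must match GCAP and the IN/OUT register layout */` would keep them in sync. intel_hda_xfer continues outside the hunk.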
diff --git a/0219-hda-do-not-mix-output-and-input-stream-states-RHBZ-7.patch b/0219-hda-do-not-mix-output-and-input-stream-states-RHBZ-7.patch
new file mode 100644
index 0000000..062496e
--- /dev/null
+++ b/0219-hda-do-not-mix-output-and-input-stream-states-RHBZ-7.patch
@@ -0,0 +1,172 @@
+From 51a747e171a66d0dc1e4b47c0238fb2e7fa6b118 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@gmail.com>
+Date: Tue, 25 Oct 2011 16:53:01 +0200
+Subject: [PATCH] hda: do not mix output and input stream states, RHBZ #740493
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Windows 7 may use the same stream number for input and output.
+Current code will confuse streams.
+
+Changes since v1:
+- keep running_compat[] for migration version 1
+- add running_real[] for migration version 2
+
+Signed-off-by: Marc-Andr? Lureau <marcandre.lureau@redhat.com>
+Signed-off-by: malc <av1474@comtv.ru>
+(cherry picked from commit ba43d28916c4f51c19bd7366089155ce81bee058)
+
+Signed-off-by: Bruce Rogers <brogers@suse.com>
+Signed-off-by: Andreas Färber <afaerber@suse.de>
+---
+ hw/hda-audio.c | 26 +++++++++++++++++++-------
+ hw/intel-hda.c |  9 +++++----
+ hw/intel-hda.h |  2 +-
+ 3 files changed, 25 insertions(+), 12 deletions(-)
+
+diff --git a/hw/hda-audio.c b/hw/hda-audio.c
+index c699d6f..9b089e6 100644
+--- a/hw/hda-audio.c
++++ b/hw/hda-audio.c
+@@ -466,7 +466,8 @@ struct HDAAudioState {
+     QEMUSoundCard card;
+     const desc_codec *desc;
+     HDAAudioStream st[4];
+-    bool running[16];
++    bool running_compat[16];
++    bool running_real[2 * 16];
+ 
+     /* properties */
+     uint32_t debug;
+@@ -663,7 +664,7 @@ static void hda_audio_command(HDACodecDevice *hda, uint32_t nid, uint32_t data)
+         st->channel = payload & 0x0f;
+         dprint(a, 2, "%s: stream %d, channel %d\n",
+                st->node->name, st->stream, st->channel);
+-        hda_audio_set_running(st, a->running[st->stream]);
++        hda_audio_set_running(st, a->running_real[st->output * 16 + st->stream]);
+         hda_codec_response(hda, true, 0);
+         break;
+     case AC_VERB_GET_CONV:
+@@ -746,16 +747,20 @@ fail:
+     hda_codec_response(hda, true, 0);
+ }
+ 
+-static void hda_audio_stream(HDACodecDevice *hda, uint32_t stnr, bool running)
++static void hda_audio_stream(HDACodecDevice *hda, uint32_t stnr, bool running, bool output)
+ {
+     HDAAudioState *a = DO_UPCAST(HDAAudioState, hda, hda);
+     int s;
+ 
+-    a->running[stnr] = running;
++    a->running_compat[stnr] = running;
++    a->running_real[output * 16 + stnr] = running;
+     for (s = 0; s < ARRAY_SIZE(a->st); s++) {
+         if (a->st[s].node == NULL) {
+             continue;
+         }
++        if (a->st[s].output != output) {
++            continue;
++        }
+         if (a->st[s].stream != stnr) {
+             continue;
+         }
+@@ -837,6 +842,12 @@ static int hda_audio_post_load(void *opaque, int version)
+     int i;
+ 
+     dprint(a, 1, "%s\n", __FUNCTION__);
++    if (version == 1) {
++        /* assume running_compat[] is for output streams */
++        for (i = 0; i < ARRAY_SIZE(a->running_compat); i++)
++            a->running_real[16 + i] = a->running_compat[i];
++    }
++
+     for (i = 0; i < ARRAY_SIZE(a->st); i++) {
+         st = a->st + i;
+         if (st->node == NULL)
+@@ -844,7 +855,7 @@ static int hda_audio_post_load(void *opaque, int version)
+         hda_codec_parse_fmt(st->format, &st->as);
+         hda_audio_setup(st);
+         hda_audio_set_amp(st);
+-        hda_audio_set_running(st, a->running[st->stream]);
++        hda_audio_set_running(st, a->running_real[st->output * 16 + st->stream]);
+     }
+     return 0;
+ }
+@@ -868,13 +879,14 @@ static const VMStateDescription vmstate_hda_audio_stream = {
+ 
+ static const VMStateDescription vmstate_hda_audio = {
+     .name = "hda-audio",
+-    .version_id = 1,
++    .version_id = 2,
+     .post_load = hda_audio_post_load,
+     .fields = (VMStateField []) {
+         VMSTATE_STRUCT_ARRAY(st, HDAAudioState, 4, 0,
+                              vmstate_hda_audio_stream,
+                              HDAAudioStream),
+-        VMSTATE_BOOL_ARRAY(running, HDAAudioState, 16),
++        VMSTATE_BOOL_ARRAY(running_compat, HDAAudioState, 16),
++        VMSTATE_BOOL_ARRAY_V(running_real, HDAAudioState, 2 * 16, 2),
+         VMSTATE_END_OF_LIST()
+     }
+ };
+diff --git a/hw/intel-hda.c b/hw/intel-hda.c
+index 7d02558..904e4fc 100644
+--- a/hw/intel-hda.c
++++ b/hw/intel-hda.c
+@@ -485,7 +485,7 @@ static void intel_hda_parse_bdl(IntelHDAState *d, IntelHDAStream *st)
+     st->bp    = 0;
+ }
+ 
+-static void intel_hda_notify_codecs(IntelHDAState *d, uint32_t stream, bool running)
++static void intel_hda_notify_codecs(IntelHDAState *d, uint32_t stream, bool running, bool output)
+ {
+     DeviceState *qdev;
+     HDACodecDevice *cdev;
+@@ -493,7 +493,7 @@ static void intel_hda_notify_codecs(IntelHDAState *d, uint32_t stream, bool runn
+     QLIST_FOREACH(qdev, &d->codecs.qbus.children, sibling) {
+         cdev = DO_UPCAST(HDACodecDevice, qdev, qdev);
+         if (cdev->info->stream) {
+-            cdev->info->stream(cdev, stream, running);
++            cdev->info->stream(cdev, stream, running, output);
+         }
+     }
+ }
+@@ -567,6 +567,7 @@ static void intel_hda_set_ics(IntelHDAState *d, const IntelHDAReg *reg, uint32_t
+ 
+ static void intel_hda_set_st_ctl(IntelHDAState *d, const IntelHDAReg *reg, uint32_t old)
+ {
++    bool output = reg->stream >= 4;
+     IntelHDAStream *st = d->st + reg->stream;
+ 
+     if (st->ctl & 0x01) {
+@@ -582,11 +583,11 @@ static void intel_hda_set_st_ctl(IntelHDAState *d, const IntelHDAReg *reg, uint3
+             dprint(d, 1, "st #%d: start %d (ring buf %d bytes)\n",
+                    reg->stream, stnr, st->cbl);
+             intel_hda_parse_bdl(d, st);
+-            intel_hda_notify_codecs(d, stnr, true);
++            intel_hda_notify_codecs(d, stnr, true, output);
+         } else {
+             /* stop */
+             dprint(d, 1, "st #%d: stop %d\n", reg->stream, stnr);
+-            intel_hda_notify_codecs(d, stnr, false);
++            intel_hda_notify_codecs(d, stnr, false, output);
+         }
+     }
+     intel_hda_update_irq(d);
+diff --git a/hw/intel-hda.h b/hw/intel-hda.h
+index 4e44e38..65fd2a8 100644
+--- a/hw/intel-hda.h
++++ b/hw/intel-hda.h
+@@ -34,7 +34,7 @@ struct HDACodecDeviceInfo {
+     int (*init)(HDACodecDevice *dev);
+     int (*exit)(HDACodecDevice *dev);
+     void (*command)(HDACodecDevice *dev, uint32_t nid, uint32_t data);
+-    void (*stream)(HDACodecDevice *dev, uint32_t stnr, bool running);
++    void (*stream)(HDACodecDevice *dev, uint32_t stnr, bool running, bool output);
+ };
+ 
+ void hda_codec_bus_init(DeviceState *dev, HDACodecBus *bus,
+-- 
+1.7.11.2
+
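Review bot: `hda_audio_post_load` indexes `a->running_real[st->output * 16 + st->stream]` with values restored from the incoming migration stream (`st` is loaded via `vmstate_hda_audio_stream`), and no range check on `st->stream` is visible in the hunk; a loaded `stream` value of 16 or more reads past the 32-entry array. The guest-facing path in `hda_audio_command` is presumably masked (the visible `st->channel = payload & 0x0f;` suggests `stream` is masked the same way just above the hunk), but post_load should not rely on that; a guard such as `if (st->stream >= 16) { return -EINVAL; }` before the lookup, or a comment stating where the bound is enforced, is needed. The `16` and `2 * 16` literals recur in `hda_audio_stream`, the `version == 1` compat loop and the vmstate field; a named constant would tie them together. hda_audio_post_load starts outside the hunk.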
diff --git a/0220-Teach-block-vdi-about-discarded-no-longer-allocated-.patch b/0220-Teach-block-vdi-about-discarded-no-longer-allocated-.patch
new file mode 100644
index 0000000..e51c539
--- /dev/null
+++ b/0220-Teach-block-vdi-about-discarded-no-longer-allocated-.patch
@@ -0,0 +1,108 @@
+From 5621e2027384a35494508f3bc01a758bc2ac076b Mon Sep 17 00:00:00 2001
+From: Eric Sunshine <sunshine@sunshineco.com>
+Date: Wed, 26 Oct 2011 15:51:18 -0400
+Subject: [PATCH] Teach block/vdi about "discarded" (no longer allocated)
+ blocks
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+An entry in the VDI block map will hold an offset to the actual block if
+the block is allocated, or one of two specially-interpreted values if
+not allocated. Using VirtualBox terminology, value VDI_IMAGE_BLOCK_FREE
+(0xffffffff) represents a never-allocated block (semantically arbitrary
+content).  VDI_IMAGE_BLOCK_ZERO (0xfffffffe) represents a "discarded"
+block (semantically zero-filled).  block/vdi knows only about
+VDI_IMAGE_BLOCK_FREE.  Teach it about VDI_IMAGE_BLOCK_ZERO.
+
+Signed-off-by: Eric Sunshine <sunshine@sunshineco.com>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+(cherry picked from commit c794b4e0fd9ef8d72b068614dcdb2418c105d5cc)
+
+Signed-off-by: Bruce Rogers <brogers@suse.com>
+Signed-off-by: Andreas Färber <afaerber@suse.de>
+---
+ block/vdi.c | 23 ++++++++++++++---------
+ 1 file changed, 14 insertions(+), 9 deletions(-)
+
+diff --git a/block/vdi.c b/block/vdi.c
+index 261cf9b..1be0cdc 100644
+--- a/block/vdi.c
++++ b/block/vdi.c
+@@ -114,8 +114,13 @@ void uuid_unparse(const uuid_t uu, char *out);
+  */
+ #define VDI_TEXT "<<< QEMU VM Virtual Disk Image >>>\n"
+ 
+-/* Unallocated blocks use this index (no need to convert endianness). */
+-#define VDI_UNALLOCATED UINT32_MAX
++/* A never-allocated block; semantically arbitrary content. */
++#define VDI_UNALLOCATED 0xffffffffU
++
++/* A discarded (no longer allocated) block; semantically zero-filled. */
++#define VDI_DISCARDED   0xfffffffeU
++
++#define VDI_IS_ALLOCATED(X) ((X) < VDI_DISCARDED)
+ 
+ #if !defined(CONFIG_UUID)
+ void uuid_generate(uuid_t out)
+@@ -307,10 +312,10 @@ static int vdi_check(BlockDriverState *bs, BdrvCheckResult *res)
+     /* Check block map and value of blocks_allocated. */
+     for (block = 0; block < s->header.blocks_in_image; block++) {
+         uint32_t bmap_entry = le32_to_cpu(s->bmap[block]);
+-        if (bmap_entry != VDI_UNALLOCATED) {
++        if (VDI_IS_ALLOCATED(bmap_entry)) {
+             if (bmap_entry < s->header.blocks_in_image) {
+                 blocks_allocated++;
+-                if (bmap[bmap_entry] == VDI_UNALLOCATED) {
++                if (!VDI_IS_ALLOCATED(bmap[bmap_entry])) {
+                     bmap[bmap_entry] = bmap_entry;
+                 } else {
+                     fprintf(stderr, "ERROR: block index %" PRIu32
+@@ -472,7 +477,7 @@ static int vdi_is_allocated(BlockDriverState *bs, int64_t sector_num,
+         n_sectors = nb_sectors;
+     }
+     *pnum = n_sectors;
+-    return bmap_entry != VDI_UNALLOCATED;
++    return VDI_IS_ALLOCATED(bmap_entry);
+ }
+ 
+ static void vdi_aio_cancel(BlockDriverAIOCB *blockacb)
+@@ -603,7 +608,7 @@ static void vdi_aio_read_cb(void *opaque, int ret)
+     /* prepare next AIO request */
+     acb->n_sectors = n_sectors;
+     bmap_entry = le32_to_cpu(s->bmap[block_index]);
+-    if (bmap_entry == VDI_UNALLOCATED) {
++    if (!VDI_IS_ALLOCATED(bmap_entry)) {
+         /* Block not allocated, return zeros, no need to wait. */
+         memset(acb->buf, 0, n_sectors * SECTOR_SIZE);
+         ret = vdi_schedule_bh(vdi_aio_rw_bh, acb);
+@@ -685,7 +690,7 @@ static void vdi_aio_write_cb(void *opaque, int ret)
+         if (acb->header_modified) {
+             VdiHeader *header = acb->block_buffer;
+             logout("now writing modified header\n");
+-            assert(acb->bmap_first != VDI_UNALLOCATED);
++            assert(VDI_IS_ALLOCATED(acb->bmap_first));
+             *header = s->header;
+             vdi_header_to_le(header);
+             acb->header_modified = 0;
+@@ -699,7 +704,7 @@ static void vdi_aio_write_cb(void *opaque, int ret)
+                 goto done;
+             }
+             return;
+-        } else if (acb->bmap_first != VDI_UNALLOCATED) {
++        } else if (VDI_IS_ALLOCATED(acb->bmap_first)) {
+             /* One or more new blocks were allocated. */
+             uint64_t offset;
+             uint32_t bmap_first;
+@@ -749,7 +754,7 @@ static void vdi_aio_write_cb(void *opaque, int ret)
+     /* prepare next AIO request */
+     acb->n_sectors = n_sectors;
+     bmap_entry = le32_to_cpu(s->bmap[block_index]);
+-    if (bmap_entry == VDI_UNALLOCATED) {
++    if (!VDI_IS_ALLOCATED(bmap_entry)) {
+         /* Allocate new block and write to it. */
+         uint64_t offset;
+         uint8_t *block;
+-- 
+1.7.11.2
+
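Review bot: `VDI_IS_ALLOCATED(X)` is an ordered comparison against `0xfffffffeU`, so unlike the old equality test against all-ones it is only correct on a host-endian value; the removed comment explicitly noted that `VDI_UNALLOCATED` needed no endian conversion, and that property no longer holds. Every visible block-map use goes through `le32_to_cpu` first (`vdi_check`, `vdi_aio_read_cb`, `vdi_aio_write_cb`), but `acb->bmap_first` and the local `bmap[]` in `vdi_check` are compared without conversion and their origin is outside the hunk. Suggest `/* X must be host-endian (le32_to_cpu'd): this is an ordered compare, not an all-ones sentinel test. */` above the macro. The `VDI_DISCARDED` comment could also state the resulting I/O behaviour that the hunks show: reads return zeros, writes allocate a fresh block.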
diff --git a/0221-vmdk-Improve-error-handling.patch b/0221-vmdk-Improve-error-handling.patch
new file mode 100644
index 0000000..ca8d29f
--- /dev/null
+++ b/0221-vmdk-Improve-error-handling.patch
@@ -0,0 +1,79 @@
+From 2139ef7f75ff63904fac6b451c8a89e4b0c72448 Mon Sep 17 00:00:00 2001
+From: Kevin Wolf <kwolf@redhat.com>
+Date: Wed, 26 Oct 2011 12:25:25 +0200
+Subject: [PATCH] vmdk: Improve error handling
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Return the right error values in some more places.
+
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+(cherry picked from commit 99f1835d9bc744f98370254600530e66f32e6d81)
+
+Signed-off-by: Bruce Rogers <brogers@suse.com>
+Signed-off-by: Andreas Färber <afaerber@suse.de>
+---
+ block/vmdk.c | 21 +++++++++++++++------
+ 1 file changed, 15 insertions(+), 6 deletions(-)
+
+diff --git a/block/vmdk.c b/block/vmdk.c
+index b5caa40..8284747 100644
+--- a/block/vmdk.c
++++ b/block/vmdk.c
+@@ -181,8 +181,10 @@ static uint32_t vmdk_read_cid(BlockDriverState *bs, int parent)
+     const char *p_name, *cid_str;
+     size_t cid_str_size;
+     BDRVVmdkState *s = bs->opaque;
++    int ret;
+ 
+-    if (bdrv_pread(bs->file, s->desc_offset, desc, DESC_SIZE) != DESC_SIZE) {
++    ret = bdrv_pread(bs->file, s->desc_offset, desc, DESC_SIZE);
++    if (ret < 0) {
+         return 0;
+     }
+ 
+@@ -208,10 +210,12 @@ static int vmdk_write_cid(BlockDriverState *bs, uint32_t cid)
+     char desc[DESC_SIZE], tmp_desc[DESC_SIZE];
+     char *p_name, *tmp_str;
+     BDRVVmdkState *s = bs->opaque;
++    int ret;
+ 
+     memset(desc, 0, sizeof(desc));
+-    if (bdrv_pread(bs->file, s->desc_offset, desc, DESC_SIZE) != DESC_SIZE) {
+-        return -EIO;
++    ret = bdrv_pread(bs->file, s->desc_offset, desc, DESC_SIZE);
++    if (ret < 0) {
++        return ret;
+     }
+ 
+     tmp_str = strstr(desc, "parentCID");
+@@ -223,9 +227,11 @@ static int vmdk_write_cid(BlockDriverState *bs, uint32_t cid)
+         pstrcat(desc, sizeof(desc), tmp_desc);
+     }
+ 
+-    if (bdrv_pwrite_sync(bs->file, s->desc_offset, desc, DESC_SIZE) < 0) {
+-        return -EIO;
++    ret = bdrv_pwrite_sync(bs->file, s->desc_offset, desc, DESC_SIZE);
++    if (ret < 0) {
++        return ret;
+     }
++
+     return 0;
+ }
+ 
+@@ -906,7 +912,10 @@ static int vmdk_write(BlockDriverState *bs, int64_t sector_num,
+         /* update CID on the first write every time the virtual disk is
+          * opened */
+         if (!s->cid_updated) {
+-            vmdk_write_cid(bs, time(NULL));
++            ret = vmdk_write_cid(bs, time(NULL));
++            if (ret < 0) {
++                return ret;
++            }
+             s->cid_updated = true;
+         }
+     }
+-- 
+1.7.11.2
+
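Review bot: In `vmdk_read_cid` the guard on `bdrv_pread` was relaxed from `!= DESC_SIZE` to `ret < 0`, so if `bdrv_pread` can ever return a short positive count the function now continues into the string parsing with a partially filled `desc`; whether `desc` is zero-initialised in that function is outside the hunk (in `vmdk_write_cid` it is, via `memset`), so a non-terminated buffer reaching `strstr` cannot be ruled out from here. If short reads are possible, `if (ret != DESC_SIZE) { return 0; }` keeps the original guarantee while still covering the negative case, and in `vmdk_write_cid` the matching form would be `if (ret < 0) { return ret; } if (ret != DESC_SIZE) { return -EIO; }`. Both functions start outside the hunk.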
diff --git a/0222-block-set-bs-read_only-before-.bdrv_open.patch b/0222-block-set-bs-read_only-before-.bdrv_open.patch
new file mode 100644
index 0000000..72c03cc
--- /dev/null
+++ b/0222-block-set-bs-read_only-before-.bdrv_open.patch
@@ -0,0 +1,52 @@
+From b461a24186f05d7adec265bd34f348f7b8f9569b Mon Sep 17 00:00:00 2001
+From: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
+Date: Thu, 27 Oct 2011 10:54:27 +0100
+Subject: [PATCH] block: set bs->read_only before .bdrv_open()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Several block drivers set bs->read_only in .bdrv_open() but
+block.c:bdrv_open_common() clobbers its value.  Additionally, QED uses
+bdrv_is_read_only() in .bdrv_open() to decide whether to perform
+consistency checks.
+
+The correct ordering is to initialize bs->read_only from the open flags
+before calling .bdrv_open().  This way block drivers can override it if
+necessary and can use bdrv_is_read_only() in .bdrv_open().
+
+Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+(cherry picked from commit e7c637967e6aad195b5f30cfd995913c9e0b4666)
+
+Signed-off-by: Bruce Rogers <brogers@suse.com>
+Signed-off-by: Andreas Färber <afaerber@suse.de>
+---
+ block.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/block.c b/block.c
+index 4ebb18b..8d77746 100644
+--- a/block.c
++++ b/block.c
+@@ -455,6 +455,8 @@ static int bdrv_open_common(BlockDriverState *bs, const char *filename,
+         open_flags |= BDRV_O_RDWR;
+     }
+ 
++    bs->keep_read_only = bs->read_only = !(open_flags & BDRV_O_RDWR);
++
+     /* Open the image, either directly or using a protocol */
+     if (drv->bdrv_file_open) {
+         ret = drv->bdrv_file_open(bs, filename, open_flags);
+@@ -469,8 +471,6 @@ static int bdrv_open_common(BlockDriverState *bs, const char *filename,
+         goto free_and_fail;
+     }
+ 
+-    bs->keep_read_only = bs->read_only = !(open_flags & BDRV_O_RDWR);
+-
+     ret = refresh_total_sectors(bs, bs->total_sectors);
+     if (ret < 0) {
+         goto free_and_fail;
+-- 
+1.7.11.2
+
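Review bot: The moved assignment `bs->keep_read_only = bs->read_only = !(open_flags & BDRV_O_RDWR);` now runs before `.bdrv_file_open()`/`.bdrv_open()` with nothing on the line saying why, so the next tidy-up of bdrv_open_common may move it back beside `refresh_total_sectors`. A comment above it, e.g. `/* Must precede .bdrv_open(): drivers may override read_only and may call bdrv_is_read_only() while opening. */`, records the commit's reasoning in the code. On the `free_and_fail` path, which is outside the hunk, the flags are now already set on a bs that failed to open; harmless as far as this hunk shows, but worth confirming the cleanup does not read them.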
diff --git a/0223-console-Fix-rendering-of-VGA-underline.patch b/0223-console-Fix-rendering-of-VGA-underline.patch
new file mode 100644
index 0000000..a271442
--- /dev/null
+++ b/0223-console-Fix-rendering-of-VGA-underline.patch
@@ -0,0 +1,64 @@
+From 1add57cd4c48d9eb6517f685f67480b4f4f3f13b Mon Sep 17 00:00:00 2001
+From: Markus Armbruster <armbru@redhat.com>
+Date: Fri, 4 Nov 2011 10:38:29 +0100
+Subject: [PATCH] console: Fix rendering of VGA underline
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+vga_putcharxy()'s underline code sets font_data to 0xffff instead of
+0xff.  vga_putcharxy() then reads dmask16[0xffff >> 4] and
+dmask4[0xffff >> 6].  In practice, these out-of-bounds subscripts
+"only" put a few crap bits into the display surface.
+
+For 32 bit pixels, there's no array access.  font_data's extra bits go
+straight into the display surface.
+
+Broken when commit 6d6f7c28 implemented underline.
+
+Spotted by Coverity.
+
+Signed-off-by: Markus Armbruster <armbru@redhat.com>
+Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
+(cherry picked from commit 439229c7cb97f6c4cddd3965c3e9d2b8319fe83c)
+
+Signed-off-by: Bruce Rogers <brogers@suse.com>
+Signed-off-by: Andreas Färber <afaerber@suse.de>
+---
+ console.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/console.c b/console.c
+index 242086c..07c82b8 100644
+--- a/console.c
++++ b/console.c
+@@ -461,7 +461,7 @@ static void vga_putcharxy(DisplayState *ds, int x, int y, int ch,
+             font_data = *font_ptr++;
+             if (t_attrib->uline
+                 && ((i == FONT_HEIGHT - 2) || (i == FONT_HEIGHT - 3))) {
+-                font_data = 0xFFFF;
++                font_data = 0xFF;
+             }
+             ((uint32_t *)d)[0] = (dmask16[(font_data >> 4)] & xorcol) ^ bgcol;
+             ((uint32_t *)d)[1] = (dmask16[(font_data >> 0) & 0xf] & xorcol) ^ bgcol;
+@@ -474,7 +474,7 @@ static void vga_putcharxy(DisplayState *ds, int x, int y, int ch,
+             font_data = *font_ptr++;
+             if (t_attrib->uline
+                 && ((i == FONT_HEIGHT - 2) || (i == FONT_HEIGHT - 3))) {
+-                font_data = 0xFFFF;
++                font_data = 0xFF;
+             }
+             ((uint32_t *)d)[0] = (dmask4[(font_data >> 6)] & xorcol) ^ bgcol;
+             ((uint32_t *)d)[1] = (dmask4[(font_data >> 4) & 3] & xorcol) ^ bgcol;
+@@ -487,7 +487,7 @@ static void vga_putcharxy(DisplayState *ds, int x, int y, int ch,
+         for(i = 0; i < FONT_HEIGHT; i++) {
+             font_data = *font_ptr++;
+             if (t_attrib->uline && ((i == FONT_HEIGHT - 2) || (i == FONT_HEIGHT - 3))) {
+-                font_data = 0xFFFF;
++                font_data = 0xFF;
+             }
+             ((uint32_t *)d)[0] = (-((font_data >> 7)) & xorcol) ^ bgcol;
+             ((uint32_t *)d)[1] = (-((font_data >> 6) & 1) & xorcol) ^ bgcol;
+-- 
+1.7.11.2
+
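Review bot: The corrected literal `0xFF` is now repeated in three separate loops of vga_putcharxy, which is exactly how the original 0xFFFF typo came to be made three times; a single named constant such as `enum { UNDERLINE_FONT_ROW = 0xFF };` used in all three branches would keep the 8-, 16- and 32-bit render paths in step. The fix itself is right: the `dmask16[font_data >> 4]` and `dmask4[font_data >> 6]` subscripts on the following lines stay within 0..15 and 0..3 only while font_data fits in one byte, so the old value indexed past both tables. vga_putcharxy's body starts and ends outside these hunks.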
diff --git a/0224-block-Fix-vpc-initialization-of-the-Dynamic-Disk-Hea.patch b/0224-block-Fix-vpc-initialization-of-the-Dynamic-Disk-Hea.patch
new file mode 100644
index 0000000..addd077
--- /dev/null
+++ b/0224-block-Fix-vpc-initialization-of-the-Dynamic-Disk-Hea.patch
@@ -0,0 +1,48 @@
+From 69a9776f3e8a4ff5311f78cc63e52ea436dd9cbe Mon Sep 17 00:00:00 2001
+From: Charles Arnold <carnold@suse.com>
+Date: Wed, 9 Nov 2011 09:32:25 -0700
+Subject: [PATCH] block: Fix vpc initialization of the Dynamic Disk Header
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The Data Offset field in the Dynamic Disk Header is an 8 byte field.
+Although the specification (2006-10-11) gives an example of initializing
+only the first 4 bytes, images generated by Microsoft on Windows initialize
+all 8 bytes.
+
+Failure to initialize all 8 bytes results in errors from utilities
+like Citrix's vhd-util which checks specifically for the proper Data
+Offset field initialization.
+
+Signed-off-by: Charles Arnold <carnold@suse.com>
+Reviewed-by: Andreas Färber <afaerber@suse.de>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+(cherry picked from commit 78439f6af1caa3e8bdafc9fc2d62aeefa53ed63a)
+
+Signed-off-by: Bruce Rogers <brogers@suse.com>
+Signed-off-by: Andreas Färber <afaerber@suse.de>
+---
+ block/vpc.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/block/vpc.c b/block/vpc.c
+index 56865da..ac33e15 100644
+--- a/block/vpc.c
++++ b/block/vpc.c
+@@ -587,7 +587,11 @@ static int vpc_create(const char *filename, QEMUOptionParameter *options)
+ 
+     memcpy(dyndisk_header->magic, "cxsparse", 8);
+ 
+-    dyndisk_header->data_offset = be64_to_cpu(0xFFFFFFFF);
++    /*
++     * Note: The spec is actually wrong here for data_offset, it says
++     * 0xFFFFFFFF, but MS tools expect all 64 bits to be set.
++     */
++    dyndisk_header->data_offset = be64_to_cpu(0xFFFFFFFFFFFFFFFFULL);
+     dyndisk_header->table_offset = be64_to_cpu(3 * 512);
+     dyndisk_header->version = be32_to_cpu(0x00010000);
+     dyndisk_header->block_size = be32_to_cpu(block_size);
+-- 
+1.7.11.2
+
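Review bot: The new line converts a value that is about to be written to disk with `be64_to_cpu`, whose name documents the opposite direction; `cpu_to_be64(0xFFFFFFFFFFFFFFFFULL)` is the conversion the intent calls for. In QEMU's bswap helpers both expand to the same swap, and for an all-ones value byte order cannot matter anyway, so this is purely a readability point, and the neighbouring `table_offset`/`version`/`block_size` context lines show the same pre-existing naming. The added comment is useful; it could also cite the spec date `2006-10-11` from the commit message so a later reader knows which revision it contradicts. vpc_create continues outside the hunk.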
diff --git a/0225-qcow-Fix-bdrv_write_compressed-error-handling.patch b/0225-qcow-Fix-bdrv_write_compressed-error-handling.patch
new file mode 100644
index 0000000..da5de39
--- /dev/null
+++ b/0225-qcow-Fix-bdrv_write_compressed-error-handling.patch
@@ -0,0 +1,93 @@
+From 5202e9d55b745eddde9ba6bd08af32fcae347e93 Mon Sep 17 00:00:00 2001
+From: Kevin Wolf <kwolf@redhat.com>
+Date: Wed, 26 Oct 2011 11:21:50 +0200
+Subject: [PATCH] qcow: Fix bdrv_write_compressed error handling
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 64ebe71aa0e498d24e8c02b133192142fce3a0d0)
+
+Signed-off-by: Bruce Rogers <brogers@suse.com>
+[AF: backported]
+Signed-off-by: Andreas Färber <afaerber@suse.de>
+---
+ block/qcow.c | 30 +++++++++++++++++++-----------
+ 1 file changed, 19 insertions(+), 11 deletions(-)
+
+diff --git a/block/qcow.c b/block/qcow.c
+index 227b104..115b820 100644
+--- a/block/qcow.c
++++ b/block/qcow.c
+@@ -926,8 +926,6 @@ static int qcow_write_compressed(BlockDriverState *bs, int64_t sector_num,
+         return -EINVAL;
+ 
+     out_buf = qemu_malloc(s->cluster_size + (s->cluster_size / 1000) + 128);
+-    if (!out_buf)
+-        return -1;
+ 
+     /* best compression, small window, no zlib header */
+     memset(&strm, 0, sizeof(strm));
+@@ -935,8 +933,8 @@ static int qcow_write_compressed(BlockDriverState *bs, int64_t sector_num,
+                        Z_DEFLATED, -12,
+                        9, Z_DEFAULT_STRATEGY);
+     if (ret != 0) {
+-        qemu_free(out_buf);
+-        return -1;
++        ret = -EINVAL;
++        goto fail;
+     }
+ 
+     strm.avail_in = s->cluster_size;
+@@ -946,9 +944,9 @@ static int qcow_write_compressed(BlockDriverState *bs, int64_t sector_num,
+ 
+     ret = deflate(&strm, Z_FINISH);
+     if (ret != Z_STREAM_END && ret != Z_OK) {
+-        qemu_free(out_buf);
+         deflateEnd(&strm);
+-        return -1;
++        ret = -EINVAL;
++        goto fail;
+     }
+     out_len = strm.next_out - out_buf;
+ 
+@@ -956,19 +954,29 @@ static int qcow_write_compressed(BlockDriverState *bs, int64_t sector_num,
+ 
+     if (ret != Z_STREAM_END || out_len >= s->cluster_size) {
+         /* could not compress: write normal cluster */
+-        bdrv_write(bs, sector_num, buf, s->cluster_sectors);
++        ret = bdrv_write(bs, sector_num, buf, s->cluster_sectors);
++        if (ret < 0) {
++            goto fail;
++        }
+     } else {
+         cluster_offset = get_cluster_offset(bs, sector_num << 9, 2,
+                                             out_len, 0, 0);
++        if (cluster_offset == 0) {
++            ret = -EIO;
++            goto fail;
++        }
++
+         cluster_offset &= s->cluster_offset_mask;
+-        if (bdrv_pwrite(bs->file, cluster_offset, out_buf, out_len) != out_len) {
+-            qemu_free(out_buf);
+-            return -1;
++        ret = bdrv_pwrite(bs->file, cluster_offset, out_buf, out_len);
++        if (ret < 0) {
++            goto fail;
+         }
+     }
+ 
++    ret = 0;
++fail:
+     qemu_free(out_buf);
+-    return 0;
++    return ret;
+ }
+ 
+ static int qcow_flush(BlockDriverState *bs)
+-- 
+1.7.11.2
+
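Review bot: The rewritten `bdrv_pwrite` check after `cluster_offset &= s->cluster_offset_mask;` only rejects `ret < 0`, whereas the removed line treated any return other than `out_len` as failure; if bdrv_pwrite can report a short write as a positive count (not visible here), that case is now turned into `ret = 0` and a truncated compressed cluster is recorded as written. Keeping the stricter form while still propagating real errors would read `if (ret < 0) { goto fail; } if (ret != out_len) { ret = -EIO; goto fail; }`. The zlib state handling is consistent: the deflateInit2 failure path correctly skips `deflateEnd`, and the deflate(Z_FINISH) path still calls it before `goto fail`. The opening lines of qcow_write_compressed, including the allocation whose NULL check is dropped, are outside the hunks, so whether qemu_malloc is the aborting variant has to be confirmed there.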
diff --git a/0226-block-reinitialize-across-bdrv_close-bdrv_open.patch b/0226-block-reinitialize-across-bdrv_close-bdrv_open.patch
new file mode 100644
index 0000000..7cca69c
--- /dev/null
+++ b/0226-block-reinitialize-across-bdrv_close-bdrv_open.patch
@@ -0,0 +1,55 @@
+From 2432c8cf0a61be64094dae724638a9a081ee4bf9 Mon Sep 17 00:00:00 2001
+From: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
+Date: Thu, 27 Oct 2011 10:54:28 +0100
+Subject: [PATCH] block: reinitialize across bdrv_close()/bdrv_open()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Several BlockDriverState fields are not being reinitialized across
+bdrv_close()/bdrv_open().  Make sure they are reset to their default
+values.
+
+Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+(cherry picked from commit 03f541bd6eacdc6c2893f72b975257c89cab2b74)
+
+Signed-off-by: Bruce Rogers <brogers@suse.com>
+[AF: backported]
+Signed-off-by: Andreas Färber <afaerber@suse.de>
+---
+ block.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/block.c b/block.c
+index 8d77746..1d6d26b 100644
+--- a/block.c
++++ b/block.c
+@@ -426,11 +426,14 @@ static int bdrv_open_common(BlockDriverState *bs, const char *filename,
+     bs->total_sectors = 0;
+     bs->encrypted = 0;
+     bs->valid_key = 0;
++    bs->sg = 0;
+     bs->open_flags = flags;
++    bs->growable = 0;
+     /* buffer_alignment defaulted to 512, drivers can change this value */
+     bs->buffer_alignment = 512;
+ 
+     pstrcpy(bs->filename, sizeof(bs->filename), filename);
++    bs->backing_file[0] = '\0';
+ 
+     if (use_bdrv_whitelist && !bdrv_is_whitelisted(drv)) {
+         return -ENOTSUP;
+@@ -439,8 +442,7 @@ static int bdrv_open_common(BlockDriverState *bs, const char *filename,
+     bs->drv = drv;
+     bs->opaque = qemu_mallocz(drv->instance_size);
+ 
+-    if (flags & BDRV_O_CACHE_WB)
+-        bs->enable_write_cache = 1;
++    bs->enable_write_cache = !!(flags & BDRV_O_CACHE_WB);
+ 
+     /*
+      * Clear flags that are internal to the block layer before opening the
+-- 
+1.7.11.2
+
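Review bot: `bs->backing_file[0] = '\0';` resets the string view of backing_file but leaves the rest of the array holding whatever the previous open left there; that is enough for every consumer that treats it as a C string, but if any code copies or compares the whole array (a migration or info path, say — not visible here) the stale tail would leak through, and a full `memset(bs->backing_file, 0, sizeof(bs->backing_file));` costs nothing on this path. The new `bs->sg = 0;` and `bs->growable = 0;` resets are placed before the whitelist early-return, which is the right spot since these fields belong to the BlockDriverState rather than to the driver being opened. bdrv_open_common's body continues past both hunks.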
diff --git a/0227-qxl-stride-fixup.patch b/0227-qxl-stride-fixup.patch
new file mode 100644
index 0000000..1c3d936
--- /dev/null
+++ b/0227-qxl-stride-fixup.patch
@@ -0,0 +1,111 @@
+From a3cc0cf8b185043fbd1f9b893c1c20f90efb1d06 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Fri, 21 Oct 2011 15:59:07 +0200
+Subject: [PATCH] qxl: stride fixup
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+spice uses negative stride value to signal the bitmap is upside down.
+The qxl renderer (used for scl, vnc and screenshots) wants a positive
+value because it is easier to work with.  The positive value is then
+stored in the very same variable, which has the drawback that the
+upside-down test works only once.  Fix by using two variables.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit 0e2487bd6f56445b43307536a465ee2ba810aed9)
+
+Signed-off-by: Bruce Rogers <brogers@suse.com>
+[AF: backported]
+Signed-off-by: Andreas Färber <afaerber@suse.de>
+---
+ hw/qxl-render.c | 23 ++++++++++++-----------
+ hw/qxl.h        |  3 ++-
+ 2 files changed, 14 insertions(+), 12 deletions(-)
+
+diff --git a/hw/qxl-render.c b/hw/qxl-render.c
+index 1316066..104d79b 100644
+--- a/hw/qxl-render.c
++++ b/hw/qxl-render.c
+@@ -28,16 +28,16 @@ static void qxl_flip(PCIQXLDevice *qxl, QXLRect *rect)
+     int len, i;
+ 
+     src += (qxl->guest_primary.surface.height - rect->top - 1) *
+-        qxl->guest_primary.stride;
+-    dst += rect->top  * qxl->guest_primary.stride;
++        qxl->guest_primary.abs_stride;
++    dst += rect->top  * qxl->guest_primary.abs_stride;
+     src += rect->left * qxl->guest_primary.bytes_pp;
+     dst += rect->left * qxl->guest_primary.bytes_pp;
+     len  = (rect->right - rect->left) * qxl->guest_primary.bytes_pp;
+ 
+     for (i = rect->top; i < rect->bottom; i++) {
+         memcpy(dst, src, len);
+-        dst += qxl->guest_primary.stride;
+-        src -= qxl->guest_primary.stride;
++        dst += qxl->guest_primary.abs_stride;
++        src -= qxl->guest_primary.abs_stride;
+     }
+ }
+ 
+@@ -45,7 +45,8 @@ void qxl_render_resize(PCIQXLDevice *qxl)
+ {
+     QXLSurfaceCreate *sc = &qxl->guest_primary.surface;
+ 
+-    qxl->guest_primary.stride = sc->stride;
++    qxl->guest_primary.qxl_stride = sc->stride;
++    qxl->guest_primary.abs_stride = abs(sc->stride);
+     qxl->guest_primary.resized++;
+     switch (sc->format) {
+     case SPICE_SURFACE_FMT_16_555:
+@@ -87,11 +88,11 @@ void qxl_render_update(PCIQXLDevice *qxl)
+         qemu_free_displaysurface(vga->ds);
+ 
+         qxl->guest_primary.data = qemu_get_ram_ptr(qxl->vga.vram_offset);
+-        if (qxl->guest_primary.stride < 0) {
++        if (qxl->guest_primary.qxl_stride < 0) {
+             /* spice surface is upside down -> need extra buffer to flip */
+-            qxl->guest_primary.stride = -qxl->guest_primary.stride;
+-            qxl->guest_primary.flipped = qemu_malloc(qxl->guest_primary.surface.width *
+-                                                     qxl->guest_primary.stride);
++            qxl->guest_primary.flipped =
++                qemu_malloc(qxl->guest_primary.surface.width *
++                            qxl->guest_primary.abs_stride);
+             ptr = qxl->guest_primary.flipped;
+         } else {
+             ptr = qxl->guest_primary.data;
+@@ -100,7 +101,7 @@ void qxl_render_update(PCIQXLDevice *qxl)
+                __FUNCTION__,
+                qxl->guest_primary.surface.width,
+                qxl->guest_primary.surface.height,
+-               qxl->guest_primary.stride,
++               qxl->guest_primary.qxl_stride,
+                qxl->guest_primary.bytes_pp,
+                qxl->guest_primary.bits_pp,
+                qxl->guest_primary.flipped ? "yes" : "no");
+@@ -108,7 +109,7 @@ void qxl_render_update(PCIQXLDevice *qxl)
+             qemu_create_displaysurface_from(qxl->guest_primary.surface.width,
+                                             qxl->guest_primary.surface.height,
+                                             qxl->guest_primary.bits_pp,
+-                                            qxl->guest_primary.stride,
++                                            qxl->guest_primary.abs_stride,
+                                             ptr);
+         dpy_resize(vga->ds);
+     }
+diff --git a/hw/qxl.h b/hw/qxl.h
+index f6c450d..c05998a 100644
+--- a/hw/qxl.h
++++ b/hw/qxl.h
+@@ -42,7 +42,8 @@ typedef struct PCIQXLDevice {
+         QXLSurfaceCreate surface;
+         uint32_t       commands;
+         uint32_t       resized;
+-        int32_t        stride;
++        int32_t        qxl_stride;
++        uint32_t       abs_stride;
+         uint32_t       bits_pp;
+         uint32_t       bytes_pp;
+         uint8_t        *data, *flipped;
+-- 
+1.7.11.2
+
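Review bot: In qxl_render_update the flip buffer is still sized `surface.width * abs_stride`, but qxl_flip in the first hunk advances `dst` by `abs_stride` for every row from `rect->top` to `rect->bottom`, so the buffer has to hold `surface.height` rows of `abs_stride` bytes and a surface taller than it is wide lets the copy run past the allocation; presumably the factor should be `qxl->guest_primary.surface.height`. The commit keeps the pre-existing width factor rather than introducing it, but since these values appear to come from the guest's surface-create data the sizing deserves a fix or an explicit bound alongside the stride split. Related: `abs(sc->stride)` is undefined for `INT32_MIN`, and the `int` result is stored into a `uint32_t`; rejecting or clamping that value in qxl_render_resize before the assignment closes the corner case. The bodies of qxl_flip and qxl_render_update extend beyond the hunks.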
diff --git a/0228-vmdk-Fix-possible-segfaults.patch b/0228-vmdk-Fix-possible-segfaults.patch
new file mode 100644
index 0000000..c722c6c
--- /dev/null
+++ b/0228-vmdk-Fix-possible-segfaults.patch
@@ -0,0 +1,55 @@
+From f51851ea928882bd3d49cbb6d953723294239d8a Mon Sep 17 00:00:00 2001
+From: Kevin Wolf <kwolf@redhat.com>
+Date: Wed, 26 Oct 2011 12:25:52 +0200
+Subject: [PATCH] vmdk: Fix possible segfaults
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Data we read from the disk isn't necessarily null terminated and may not
+contain the string we're looking for. The code needs to be a bit more careful
+here.
+
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+(cherry picked from commit 93897b9fd43548e9c15cf8bece2d9e5174b01fc7)
+
+Signed-off-by: Bruce Rogers <brogers@suse.com>
+Signed-off-by: Andreas Färber <afaerber@suse.de>
+---
+ block/vmdk.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/block/vmdk.c b/block/vmdk.c
+index 8284747..f4fce08 100644
+--- a/block/vmdk.c
++++ b/block/vmdk.c
+@@ -196,6 +196,7 @@ static uint32_t vmdk_read_cid(BlockDriverState *bs, int parent)
+         cid_str_size = sizeof("CID");
+     }
+ 
++    desc[DESC_SIZE - 1] = '\0';
+     p_name = strstr(desc, cid_str);
+     if (p_name != NULL) {
+         p_name += cid_str_size;
+@@ -212,13 +213,17 @@ static int vmdk_write_cid(BlockDriverState *bs, uint32_t cid)
+     BDRVVmdkState *s = bs->opaque;
+     int ret;
+ 
+-    memset(desc, 0, sizeof(desc));
+     ret = bdrv_pread(bs->file, s->desc_offset, desc, DESC_SIZE);
+     if (ret < 0) {
+         return ret;
+     }
+ 
++    desc[DESC_SIZE - 1] = '\0';
+     tmp_str = strstr(desc, "parentCID");
++    if (tmp_str == NULL) {
++        return -EINVAL;
++    }
++
+     pstrcpy(tmp_desc, sizeof(tmp_desc), tmp_str);
+     p_name = strstr(desc, "CID");
+     if (p_name != NULL) {
+-- 
+1.7.11.2
+
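Review bot: The second hunk drops `memset(desc, 0, sizeof(desc))` from vmdk_write_cid and relies solely on the terminator written at `desc[DESC_SIZE - 1]`; that bounds the `strstr` scans, but if `bdrv_pread` can succeed with fewer than DESC_SIZE bytes (not visible here), the bytes between the end of the read and the terminator are uninitialized stack and can yield a spurious match. Since the descriptor is read straight from the image file, the cheap option is to keep the memset, or to treat `ret != DESC_SIZE` after the read as `-EINVAL`. vmdk_read_cid in the first hunk does not show its read, so whether the same question applies there cannot be told from this hunk.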
diff --git a/0229-pc-Fix-floppy-drives-with-if-none.patch b/0229-pc-Fix-floppy-drives-with-if-none.patch
new file mode 100644
index 0000000..1d40a24
--- /dev/null
+++ b/0229-pc-Fix-floppy-drives-with-if-none.patch
@@ -0,0 +1,204 @@
+From 03ff3683be1e3a4e9644150b7f12f046374dcbcd Mon Sep 17 00:00:00 2001
+From: Kevin Wolf <kwolf@redhat.com>
+Date: Thu, 20 Oct 2011 16:37:26 +0200
+Subject: [PATCH] pc: Fix floppy drives with if=none
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Commit 63ffb564 broke floppy devices specified on the command line like
+-drive file=...,if=none,id=floppy -global isa-fdc.driveA=floppy because it
+relies on drive_get() which works only with -fda/-drive if=floppy.
+
+This patch resembles what we're already doing for IDE, i.e. remember the floppy
+device that was created and use that to extract the BlockDriverStates where
+needed.
+
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+Reviewed-by: Markus Armbruster <armbru@redhat.com>
+(cherry picked from commit 34d4260e1846d69d7241f690534e3dd4b3e6fd5b)
+
+[BR: bnc#733777]
+Signed-off-by: Bruce Rogers <brogers@suse.com>
+[AF: backported]
+Signed-off-by: Andreas Färber <afaerber@suse.de>
+---
+ hw/fdc.c     | 12 ++++++++++++
+ hw/fdc.h     |  9 +++++++--
+ hw/pc.c      | 25 ++++++++++++++-----------
+ hw/pc.h      |  3 ++-
+ hw/pc_piix.c |  5 +++--
+ 5 files changed, 38 insertions(+), 16 deletions(-)
+
+diff --git a/hw/fdc.c b/hw/fdc.c
+index 9fdbc75..cf675ce 100644
+--- a/hw/fdc.c
++++ b/hw/fdc.c
+@@ -1911,6 +1911,18 @@ static int sun4m_fdc_init1(SysBusDevice *dev)
+     return fdctrl_init_common(fdctrl);
+ }
+ 
++void fdc_get_bs(BlockDriverState *bs[], ISADevice *dev)
++{
++    FDCtrlISABus *isa = DO_UPCAST(FDCtrlISABus, busdev, dev);
++    FDCtrl *fdctrl = &isa->state;
++    int i;
++
++    for (i = 0; i < MAX_FD; i++) {
++        bs[i] = fdctrl->drives[i].bs;
++    }
++}
++
++
+ static const VMStateDescription vmstate_isa_fdc ={
+     .name = "fdc",
+     .version_id = 2,
+diff --git a/hw/fdc.h b/hw/fdc.h
+index 09f73c6..506feb6 100644
+--- a/hw/fdc.h
++++ b/hw/fdc.h
+@@ -7,14 +7,15 @@
+ /* fdc.c */
+ #define MAX_FD 2
+ 
+-static inline void fdctrl_init_isa(DriveInfo **fds)
++static inline ISADevice *fdctrl_init_isa(DriveInfo **fds)
+ {
+     ISADevice *dev;
+ 
+     dev = isa_try_create("isa-fdc");
+     if (!dev) {
+-        return;
++        return NULL;
+     }
++
+     if (fds[0]) {
+         qdev_prop_set_drive_nofail(&dev->qdev, "driveA", fds[0]->bdrv);
+     }
+@@ -22,10 +23,14 @@ static inline void fdctrl_init_isa(DriveInfo **fds)
+         qdev_prop_set_drive_nofail(&dev->qdev, "driveB", fds[1]->bdrv);
+     }
+     qdev_init_nofail(&dev->qdev);
++
++    return dev;
+ }
+ 
+ void fdctrl_init_sysbus(qemu_irq irq, int dma_chann,
+                         target_phys_addr_t mmio_base, DriveInfo **fds);
+ void sun4m_fdctrl_init(qemu_irq irq, target_phys_addr_t io_base,
+                        DriveInfo **fds, qemu_irq *fdc_tc);
++void fdc_get_bs(BlockDriverState *bs[], ISADevice *dev);
++
+ #endif
+diff --git a/hw/pc.c b/hw/pc.c
+index 14ce684..1d2b61e 100644
+--- a/hw/pc.c
++++ b/hw/pc.c
+@@ -333,12 +333,12 @@ static void pc_cmos_init_late(void *opaque)
+ 
+ void pc_cmos_init(ram_addr_t ram_size, ram_addr_t above_4g_mem_size,
+                   const char *boot_device,
+-                  BusState *idebus0, BusState *idebus1,
++                  ISADevice *floppy, BusState *idebus0, BusState *idebus1,
+                   ISADevice *s)
+ {
+     int val, nb, nb_heads, max_track, last_sect, i;
+     FDriveType fd_type[2];
+-    DriveInfo *fd[2];
++    BlockDriverState *fd[MAX_FD];
+     static pc_cmos_init_late_arg arg;
+ 
+     /* various important CMOS locations needed by PC/Bochs bios */
+@@ -380,14 +380,16 @@ void pc_cmos_init(ram_addr_t ram_size, ram_addr_t above_4g_mem_size,
+     }
+ 
+     /* floppy type */
+-    for (i = 0; i < 2; i++) {
+-        fd[i] = drive_get(IF_FLOPPY, 0, i);
+-        if (fd[i] && bdrv_is_inserted(fd[i]->bdrv)) {
+-            bdrv_get_floppy_geometry_hint(fd[i]->bdrv, &nb_heads, &max_track,
+-                                          &last_sect, FDRIVE_DRV_NONE,
+-                                          &fd_type[i]);
+-        } else {
+-            fd_type[i] = FDRIVE_DRV_NONE;
++    if (floppy) {
++        fdc_get_bs(fd, floppy);
++        for (i = 0; i < 2; i++) {
++            if (fd[i] && bdrv_is_inserted(fd[i])) {
++                bdrv_get_floppy_geometry_hint(fd[i], &nb_heads, &max_track,
++                                              &last_sect, FDRIVE_DRV_NONE,
++                                              &fd_type[i]);
++            } else {
++                fd_type[i] = FDRIVE_DRV_NONE;
++            }
+         }
+     }
+     val = (cmos_get_fd_drive_type(fd_type[0]) << 4) |
+@@ -1091,6 +1093,7 @@ static void cpu_request_exit(void *opaque, int irq, int level)
+ 
+ void pc_basic_device_init(qemu_irq *isa_irq,
+                           ISADevice **rtc_state,
++                          ISADevice **floppy,
+                           bool no_vmport)
+ {
+     int i;
+@@ -1155,7 +1158,7 @@ void pc_basic_device_init(qemu_irq *isa_irq,
+     for(i = 0; i < MAX_FD; i++) {
+         fd[i] = drive_get(IF_FLOPPY, 0, i);
+     }
+-    fdctrl_init_isa(fd);
++    *floppy = fdctrl_init_isa(fd);
+ }
+ 
+ void pc_pci_device_init(PCIBus *pci_bus)
+diff --git a/hw/pc.h b/hw/pc.h
+index 6d5730b..24b7fe2 100644
+--- a/hw/pc.h
++++ b/hw/pc.h
+@@ -138,11 +138,12 @@ qemu_irq *pc_allocate_cpu_irq(void);
+ void pc_vga_init(PCIBus *pci_bus);
+ void pc_basic_device_init(qemu_irq *isa_irq,
+                           ISADevice **rtc_state,
++                          ISADevice **floppy,
+                           bool no_vmport);
+ void pc_init_ne2k_isa(NICInfo *nd);
+ void pc_cmos_init(ram_addr_t ram_size, ram_addr_t above_4g_mem_size,
+                   const char *boot_device,
+-                  BusState *ide0, BusState *ide1,
++                  ISADevice *floppy, BusState *ide0, BusState *ide1,
+                   ISADevice *s);
+ void pc_pci_device_init(PCIBus *pci_bus);
+ 
+diff --git a/hw/pc_piix.c b/hw/pc_piix.c
+index 31552fd..b8e0841 100644
+--- a/hw/pc_piix.c
++++ b/hw/pc_piix.c
+@@ -89,6 +89,7 @@ static void pc_init1(ram_addr_t ram_size,
+     DriveInfo *hd[MAX_IDE_BUS * MAX_IDE_DEVS];
+     BusState *idebus[MAX_IDE_BUS];
+     ISADevice *rtc_state;
++    ISADevice *floppy;
+ 
+     pc_cpus_init(cpu_model);
+ 
+@@ -141,7 +142,7 @@ static void pc_init1(ram_addr_t ram_size,
+     }
+ 
+     /* init basic PC hardware */
+-    pc_basic_device_init(isa_irq, &rtc_state, xen_enabled());
++    pc_basic_device_init(isa_irq, &rtc_state, &floppy, xen_enabled());
+ 
+     for(i = 0; i < nb_nics; i++) {
+         NICInfo *nd = &nd_table[i];
+@@ -170,7 +171,7 @@ static void pc_init1(ram_addr_t ram_size,
+     audio_init(isa_irq, pci_enabled ? pci_bus : NULL);
+ 
+     pc_cmos_init(below_4g_mem_size, above_4g_mem_size, boot_device,
+-                 idebus[0], idebus[1], rtc_state);
++                 floppy, idebus[0], idebus[1], rtc_state);
+ 
+     if (pci_enabled && usb_enabled) {
+         usb_uhci_piix3_init(pci_bus, piix3_devfn + 2);
+-- 
+1.7.11.2
+
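Review bot: In the hw/pc.c hunk for pc_cmos_init, `fd_type[0]` and `fd_type[1]` are only assigned inside `if (floppy)`, yet the `cmos_get_fd_drive_type(fd_type[0])` line immediately after the block reads both unconditionally; when fdctrl_init_isa returns NULL (the `isa_try_create` failure path the hw/fdc.h hunk adds) the CMOS floppy-type byte is computed from uninitialized stack. Initialising the array at its declaration, `FDriveType fd_type[2] = { FDRIVE_DRV_NONE, FDRIVE_DRV_NONE };`, covers that path without touching the loop. A smaller consistency point: `fd` is now declared with `MAX_FD` elements while the loop below it still iterates `i < 2`; using `MAX_FD` in both places keeps them tied together. The pc_cmos_init body continues outside the hunk.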
diff --git a/0230-cpu-common-Have-a-ram_addr_t-of-uint64-with-Xen.patch b/0230-cpu-common-Have-a-ram_addr_t-of-uint64-with-Xen.patch
new file mode 100644
index 0000000..1fe3b1e
--- /dev/null
+++ b/0230-cpu-common-Have-a-ram_addr_t-of-uint64-with-Xen.patch
@@ -0,0 +1,97 @@
+From 7baf1e0bf54096eceb4c4553c9212599454cd83d Mon Sep 17 00:00:00 2001
+From: Anthony PERARD <anthony.perard@citrix.com>
+Date: Wed, 20 Jul 2011 08:17:42 +0000
+Subject: [PATCH] cpu-common: Have a ram_addr_t of uint64 with Xen.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+In Xen case, memory can be bigger than the host memory. that mean a
+32bits host (and QEMU) should be able to handle a RAM address of 64bits.
+
+Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
+Signed-off-by: Alexander Graf <agraf@suse.de>
+(cherry picked from commit f15fbc4bd1a24bd1477a846e63e62c6d435912f8)
+
+Signed-off-by: Andreas Färber <afaerber@suse.de>
+---
+ cpu-common.h | 8 ++++++++
+ exec.c       | 9 +++++----
+ xen-all.c    | 2 +-
+ 3 files changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/cpu-common.h b/cpu-common.h
+index 44b04b3..0700101 100644
+--- a/cpu-common.h
++++ b/cpu-common.h
+@@ -27,7 +27,15 @@ enum device_endian {
+ };
+ 
+ /* address in the RAM (different from a physical address) */
++#if defined(CONFIG_XEN_BACKEND) && TARGET_PHYS_ADDR_BITS == 64
++typedef uint64_t ram_addr_t;
++#  define RAM_ADDR_MAX UINT64_MAX
++#  define RAM_ADDR_FMT "%" PRIx64
++#else
+ typedef unsigned long ram_addr_t;
++#  define RAM_ADDR_MAX ULONG_MAX
++#  define RAM_ADDR_FMT "%lx"
++#endif
+ 
+ /* memory API */
+ 
+diff --git a/exec.c b/exec.c
+index 2160ded..6fb589b 100644
+--- a/exec.c
++++ b/exec.c
+@@ -2863,13 +2863,13 @@ static void *file_ram_alloc(RAMBlock *block,
+ static ram_addr_t find_ram_offset(ram_addr_t size)
+ {
+     RAMBlock *block, *next_block;
+-    ram_addr_t offset = 0, mingap = ULONG_MAX;
++    ram_addr_t offset = 0, mingap = RAM_ADDR_MAX;
+ 
+     if (QLIST_EMPTY(&ram_list.blocks))
+         return 0;
+ 
+     QLIST_FOREACH(block, &ram_list.blocks, next) {
+-        ram_addr_t end, next = ULONG_MAX;
++        ram_addr_t end, next = RAM_ADDR_MAX;
+ 
+         end = block->offset + block->length;
+ 
+@@ -3081,7 +3081,8 @@ void qemu_ram_remap(ram_addr_t addr, ram_addr_t length)
+ #endif
+                 }
+                 if (area != vaddr) {
+-                    fprintf(stderr, "Could not remap addr: %lx@%lx\n",
++                    fprintf(stderr, "Could not remap addr: "
++                            RAM_ADDR_FMT "@" RAM_ADDR_FMT "\n",
+                             length, addr);
+                     exit(1);
+                 }
+@@ -4052,7 +4053,7 @@ void *cpu_physical_memory_map(target_phys_addr_t addr,
+     target_phys_addr_t page;
+     unsigned long pd;
+     PhysPageDesc *p;
+-    ram_addr_t raddr = ULONG_MAX;
++    ram_addr_t raddr = RAM_ADDR_MAX;
+     ram_addr_t rlen;
+     void *ret;
+ 
+diff --git a/xen-all.c b/xen-all.c
+index 167bed6..8f2556a 100644
+--- a/xen-all.c
++++ b/xen-all.c
+@@ -184,7 +184,7 @@ void xen_ram_alloc(ram_addr_t ram_addr, ram_addr_t size)
+     }
+ 
+     if (xc_domain_populate_physmap_exact(xen_xc, xen_domid, nr_pfn, 0, 0, pfn_list)) {
+-        hw_error("xen: failed to populate ram at %lx", ram_addr);
++        hw_error("xen: failed to populate ram at " RAM_ADDR_FMT, ram_addr);
+     }
+ 
+     qemu_free(pfn_list);
+-- 
+1.7.11.2
+
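Review bot: The new cpu-common.h block uses `UINT64_MAX`, `PRIx64` and `ULONG_MAX`, which come from `<stdint.h>`, `<inttypes.h>` and `<limits.h>` respectively; nothing in the hunk shows the header pulling those in, so a translation unit that includes cpu-common.h before them would fail at the first expansion of RAM_ADDR_MAX or RAM_ADDR_FMT rather than at the definition — worth confirming the includes or adding them at the top of cpu-common.h. The `#if` also silently selects the `unsigned long` branch when `TARGET_PHYS_ADDR_BITS` is not defined (an undefined macro evaluates to 0 in `#if`), which may be intended but is easy to miss; a comment stating the expectation, e.g. `/* TARGET_PHYS_ADDR_BITS must be defined before this header */`, or an `#error` guard would make it explicit. The exec.c and xen-all.c hunks convert their format strings consistently with the new RAM_ADDR_FMT.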
diff --git a/0231-Error-check-find_ram_offset.patch b/0231-Error-check-find_ram_offset.patch
new file mode 100644
index 0000000..e4b3497
--- /dev/null
+++ b/0231-Error-check-find_ram_offset.patch
@@ -0,0 +1,58 @@
+From 75f2b558df8c3ccd8b980eedf2f4aef8b217587e Mon Sep 17 00:00:00 2001
+From: Alex Williamson <alex.williamson@redhat.com>
+Date: Mon, 31 Oct 2011 08:54:09 -0600
+Subject: [PATCH] Error check find_ram_offset
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Spotted via code review, we initialize offset to 0 to avoid a
+compiler warning, but in the unlikely case that offset is
+never set to something else, we should abort instead of return
+a value that will almost certainly cause problems.
+
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
+(cherry picked from commit 3e837b2c05bc63fe2226baf3c29923d5a688593f)
+
+Signed-off-by: Bruce Rogers <brogers@suse.com>
+Signed-off-by: Andreas Färber <afaerber@suse.de>
+---
+ exec.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/exec.c b/exec.c
+index 6fb589b..537a49f 100644
+--- a/exec.c
++++ b/exec.c
+@@ -2863,7 +2863,7 @@ static void *file_ram_alloc(RAMBlock *block,
+ static ram_addr_t find_ram_offset(ram_addr_t size)
+ {
+     RAMBlock *block, *next_block;
+-    ram_addr_t offset = 0, mingap = RAM_ADDR_MAX;
++    ram_addr_t offset = RAM_ADDR_MAX, mingap = RAM_ADDR_MAX;
+ 
+     if (QLIST_EMPTY(&ram_list.blocks))
+         return 0;
+@@ -2879,10 +2879,17 @@ static ram_addr_t find_ram_offset(ram_addr_t size)
+             }
+         }
+         if (next - end >= size && next - end < mingap) {
+-            offset =  end;
++            offset = end;
+             mingap = next - end;
+         }
+     }
++
++    if (offset == RAM_ADDR_MAX) {
++        fprintf(stderr, "Failed to find gap of requested size: %" PRIu64 "\n",
++                (uint64_t)size);
++        abort();
++    }
++
+     return offset;
+ }
+ 
+-- 
+1.7.11.2
+
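Review bot: The new failure path calls `abort()`, which turns an unsatisfiable RAM allocation into a process crash; if find_ram_offset can be reached after the guest is running (a device hot-add that allocates RAM, for example — not visible here), returning an error to the caller so it can report the failure would be the gentler mode, with abort() reserved for states that indicate corruption. If abort() is the intended policy, a one-line comment saying so, e.g. `/* No gap large enough: fatal, callers have no recovery path. */`, would stop the next reader from reopening the question. The unrelated whitespace change to `offset = end;` would be cleaner in its own commit. find_ram_offset's loop body between the two hunks is not shown.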
diff --git a/0232-pc-add-pc-0.15.patch b/0232-pc-add-pc-0.15.patch
new file mode 100644
index 0000000..aaefe27
--- /dev/null
+++ b/0232-pc-add-pc-0.15.patch
@@ -0,0 +1,73 @@
+From 60d8ce5610a8b24ff298d6cb3d9abbd2e6f046bd Mon Sep 17 00:00:00 2001
+From: Anthony Liguori <aliguori@us.ibm.com>
+Date: Sun, 18 Dec 2011 12:59:12 -0600
+Subject: [PATCH] pc: add pc-0.15
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
+(cherry picked from commit ce01a508e8053350544c88ba68a3f90c44b6bb93)
+
+[BR: bnc#741460]
+Signed-off-by: Bruce Rogers <brogers@suse.com>
+[AF: backported]
+Signed-off-by: Andreas Färber <afaerber@suse.de>
+---
+ hw/pc_piix.c | 26 +++++++++++++++++++++++---
+ 1 file changed, 23 insertions(+), 3 deletions(-)
+
+diff --git a/hw/pc_piix.c b/hw/pc_piix.c
+index b8e0841..20bac9d 100644
+--- a/hw/pc_piix.c
++++ b/hw/pc_piix.c
+@@ -258,8 +258,8 @@ static void pc_xen_hvm_init(ram_addr_t ram_size,
+ }
+ #endif
+ 
+-static QEMUMachine pc_machine = {
+-    .name = "pc-0.14",
++static QEMUMachine pc_machine_v0_15 = {
++    .name = "pc-0.15",
+     .alias = "pc",
+     .desc = "Standard PC",
+     .init = pc_init_pci,
+@@ -267,6 +267,25 @@ static QEMUMachine pc_machine = {
+     .is_default = 1,
+ };
+ 
++static QEMUMachine pc_machine_v0_14 = {
++    .name = "pc-0.14",
++    .desc = "Standard PC",
++    .init = pc_init_pci,
++    .max_cpus = 255,
++    .compat_props = (GlobalProperty[]) {
++        {
++            .driver   = "qxl",
++            .property = "revision",
++            .value    = stringify(2),
++        },{
++            .driver   = "qxl-vga",
++            .property = "revision",
++            .value    = stringify(2),
++        },
++        { /* end of list */ }
++    },
++};
++
+ static QEMUMachine pc_machine_v0_13 = {
+     .name = "pc-0.13",
+     .desc = "Standard PC",
+@@ -498,7 +517,8 @@ static QEMUMachine xenfv_machine = {
+ 
+ static void pc_machine_init(void)
+ {
+-    qemu_register_machine(&pc_machine);
++    qemu_register_machine(&pc_machine_v0_15);
++    qemu_register_machine(&pc_machine_v0_14);
+     qemu_register_machine(&pc_machine_v0_13);
+     qemu_register_machine(&pc_machine_v0_12);
+     qemu_register_machine(&pc_machine_v0_11);
+-- 
+1.7.11.2
+
diff --git a/0233-pc-fix-event_idx-compatibility-for-virtio-devices.patch b/0233-pc-fix-event_idx-compatibility-for-virtio-devices.patch
new file mode 100644
index 0000000..7ad890a
--- /dev/null
+++ b/0233-pc-fix-event_idx-compatibility-for-virtio-devices.patch
@@ -0,0 +1,95 @@
+From 3cc7ef743b3f04ff986c820f67444d2dec946167 Mon Sep 17 00:00:00 2001
+From: Anthony Liguori <aliguori@us.ibm.com>
+Date: Sun, 18 Dec 2011 13:07:03 -0600
+Subject: [PATCH] pc: fix event_idx compatibility for virtio devices
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+event_idx was introduced in 0.15 and must be disabled for all virtio-pci devices
+(including virtio-balloon-pci).
+
+Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
+(cherry picked from commit ea830ebb74461c5ad6d199857fb000d2e0284c69)
+
+[BR: bnc#741460]
+Signed-off-by: Bruce Rogers <brogers@suse.com>
+Signed-off-by: Andreas Färber <afaerber@suse.de>
+---
+ hw/pc_piix.c | 32 ++++++++++++++++++++++++++++++++
+ 1 file changed, 32 insertions(+)
+
+diff --git a/hw/pc_piix.c b/hw/pc_piix.c
+index 20bac9d..b179465 100644
+--- a/hw/pc_piix.c
++++ b/hw/pc_piix.c
+@@ -281,6 +281,22 @@ static QEMUMachine pc_machine_v0_14 = {
+             .driver   = "qxl-vga",
+             .property = "revision",
+             .value    = stringify(2),
++        },{
++            .driver   = "virtio-blk-pci",
++            .property = "event_idx",
++            .value    = "off",
++        },{
++            .driver   = "virtio-serial-pci",
++            .property = "event_idx",
++            .value    = "off",
++        },{
++            .driver   = "virtio-net-pci",
++            .property = "event_idx",
++            .value    = "off",
++        },{
++            .driver   = "virtio-balloon-pci",
++            .property = "event_idx",
++            .value    = "off",
+         },
+         { /* end of list */ }
+     },
+@@ -321,6 +337,10 @@ static QEMUMachine pc_machine_v0_13 = {
+             .property = "event_idx",
+             .value    = "off",
+         },{
++            .driver   = "virtio-balloon-pci",
++            .property = "event_idx",
++            .value    = "off",
++        },{
+             .driver   = "AC97",
+             .property = "use_broken_id",
+             .value    = stringify(1),
+@@ -368,6 +388,10 @@ static QEMUMachine pc_machine_v0_12 = {
+             .property = "event_idx",
+             .value    = "off",
+         },{
++            .driver   = "virtio-balloon-pci",
++            .property = "event_idx",
++            .value    = "off",
++        },{
+             .driver   = "AC97",
+             .property = "use_broken_id",
+             .value    = stringify(1),
+@@ -423,6 +447,10 @@ static QEMUMachine pc_machine_v0_11 = {
+             .property = "event_idx",
+             .value    = "off",
+         },{
++            .driver   = "virtio-balloon-pci",
++            .property = "event_idx",
++            .value    = "off",
++        },{
+             .driver   = "AC97",
+             .property = "use_broken_id",
+             .value    = stringify(1),
+@@ -490,6 +518,10 @@ static QEMUMachine pc_machine_v0_10 = {
+             .property = "event_idx",
+             .value    = "off",
+         },{
++            .driver   = "virtio-balloon-pci",
++            .property = "event_idx",
++            .value    = "off",
++        },{
+             .driver   = "AC97",
+             .property = "use_broken_id",
+             .value    = stringify(1),
+-- 
+1.7.11.2
+
diff --git a/0234-Add-missing-trace-call-to-oslib-posix.c-qemu_vmalloc.patch b/0234-Add-missing-trace-call-to-oslib-posix.c-qemu_vmalloc.patch
new file mode 100644
index 0000000..2585cb5
--- /dev/null
+++ b/0234-Add-missing-trace-call-to-oslib-posix.c-qemu_vmalloc.patch
@@ -0,0 +1,37 @@
+From 601465e71b720e1e54911bbd67e2d02cd4904f0d Mon Sep 17 00:00:00 2001
+From: Jes Sorensen <Jes.Sorensen@redhat.com>
+Date: Mon, 25 Jul 2011 17:13:36 +0200
+Subject: [PATCH] Add missing trace call to oslib-posix.c:qemu_vmalloc()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Acked-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
+Signed-off-by: Jes Sorensen <Jes.Sorensen@redhat.com>
+Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
+(cherry picked from commit c7f4111a06208b46c6d05934d2a1e5cfbebc0180)
+
+Signed-off-by: Andreas Färber <afaerber@suse.de>
+---
+ oslib-posix.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/oslib-posix.c b/oslib-posix.c
+index 3a18e86..196099c 100644
+--- a/oslib-posix.c
++++ b/oslib-posix.c
+@@ -79,7 +79,10 @@ void *qemu_memalign(size_t alignment, size_t size)
+ /* alloc shared memory pages */
+ void *qemu_vmalloc(size_t size)
+ {
+-    return qemu_memalign(getpagesize(), size);
++    void *ptr;
++    ptr = qemu_memalign(getpagesize(), size);
++    trace_qemu_vmalloc(size, ptr);
++    return ptr;
+ }
+ 
+ void qemu_vfree(void *ptr)
+-- 
+1.7.11.2
+
diff --git a/0235-qemu_vmalloc-align-properly-for-transparent-hugepage.patch b/0235-qemu_vmalloc-align-properly-for-transparent-hugepage.patch
new file mode 100644
index 0000000..bb9cde2
--- /dev/null
+++ b/0235-qemu_vmalloc-align-properly-for-transparent-hugepage.patch
@@ -0,0 +1,61 @@
+From d12ac10d3ce10d3e1c9b23aeca397caa74be49d3 Mon Sep 17 00:00:00 2001
+From: Avi Kivity <avi@redhat.com>
+Date: Mon, 5 Sep 2011 11:07:05 +0300
+Subject: [PATCH] qemu_vmalloc: align properly for transparent hugepages and
+ KVM
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+To make good use of transparent hugepages, KVM requires that guest-physical
+and host-virtual addresses share the low 21 bits (as opposed to just the low
+12 bits normally required).
+
+Adjust qemu_vmalloc() to honor that requirement.  Ignore it for small regions
+to avoid fragmentation.
+
+Signed-off-by: Avi Kivity <avi@redhat.com>
+Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
+(cherry picked from commit 36b586284e678da28df3af9fd0907d2b16f9311c)
+
+Signed-off-by: Bruce Rogers <brogers@suse.com>
+Signed-off-by: Andreas Färber <afaerber@suse.de>
+---
+ oslib-posix.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/oslib-posix.c b/oslib-posix.c
+index 196099c..a304fb0 100644
+--- a/oslib-posix.c
++++ b/oslib-posix.c
+@@ -35,6 +35,13 @@
+ extern int daemon(int, int);
+ #endif
+ 
++#if defined(__linux__) && defined(__x86_64__)
++   /* Use 2MB alignment so transparent hugepages can be used by KVM */
++#  define QEMU_VMALLOC_ALIGN (512 * 4096)
++#else
++#  define QEMU_VMALLOC_ALIGN getpagesize()
++#endif
++
+ #include "config-host.h"
+ #include "sysemu.h"
+ #include "trace.h"
+@@ -80,7 +87,12 @@ void *qemu_memalign(size_t alignment, size_t size)
+ void *qemu_vmalloc(size_t size)
+ {
+     void *ptr;
+-    ptr = qemu_memalign(getpagesize(), size);
++    size_t align = QEMU_VMALLOC_ALIGN;
++
++    if (size < align) {
++        align = getpagesize();
++    }
++    ptr = qemu_memalign(align, size);
+     trace_qemu_vmalloc(size, ptr);
+     return ptr;
+ }
+-- 
+1.7.11.2
+
diff --git a/0236-block-vpc-write-checksum-back-to-footer-after-check.patch b/0236-block-vpc-write-checksum-back-to-footer-after-check.patch
new file mode 100644
index 0000000..f35383d
--- /dev/null
+++ b/0236-block-vpc-write-checksum-back-to-footer-after-check.patch
@@ -0,0 +1,41 @@
+From add89f969fc86f3b3223c4283ee49fcb507b8f81 Mon Sep 17 00:00:00 2001
+From: Zhang Shengju <zhangsju@gmail.com>
+Date: Tue, 13 Mar 2012 22:38:13 +0800
+Subject: [PATCH] block/vpc: write checksum back to footer after check
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+After validation check, the 'checksum' is not written back
+to footer, which leave it with zero.
+
+This results in errors while loadding it under Microsoft's
+Hyper-V environment, and also errors from utilities like
+Citrix's vhd-util.
+
+Signed-off-by: Zhang Shengju <sean_zhang@trendmicro.com.cn>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+(cherry picked from commit c088b691363070d151f80cc1fde4b7c151bdfe8f)
+
+Signed-off-by: Andreas Färber <afaerber@suse.de>
+---
+ block/vpc.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/block/vpc.c b/block/vpc.c
+index ac33e15..55201e2 100644
+--- a/block/vpc.c
++++ b/block/vpc.c
+@@ -170,6 +170,9 @@ static int vpc_open(BlockDriverState *bs, int flags)
+         fprintf(stderr, "block-vpc: The header checksum of '%s' is "
+             "incorrect.\n", bs->filename);
+ 
++    /* Write 'checksum' back to footer, or else will leave it with zero. */
++    footer->checksum = be32_to_cpu(checksum);
++
+     // The visible size of a image in Virtual PC depends on the geometry
+     // rather than on the size stored in the footer (the size in the footer
+     // is too large usually)
+-- 
+1.7.11.2
+
diff --git a/0237-bt-host-add-missing-break-statement.patch b/0237-bt-host-add-missing-break-statement.patch
new file mode 100644
index 0000000..8f72237
--- /dev/null
+++ b/0237-bt-host-add-missing-break-statement.patch
@@ -0,0 +1,36 @@
+From 557393c06af445a23f65667d16d1ff43b5d7ae6d Mon Sep 17 00:00:00 2001
+From: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
+Date: Thu, 12 Jan 2012 14:17:04 +0000
+Subject: [PATCH] bt-host: add missing break statement
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The switch statement in bt_host_read() is missing a break in one case.
+Andrzej Zaborowski <andrew.zaborowski@intel.com> confirmed that this is
+not an intentional fall-through.
+
+Reviewed-by: Stefan Weil <sw@weilnetz.de>
+Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
+(cherry picked from commit f7253270fc66a60e4faf639a3c4ce0b352553b24)
+
+Signed-off-by: Andreas Färber <afaerber@suse.de>
+---
+ bt-host.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/bt-host.c b/bt-host.c
+index 095254d..df59494 100644
+--- a/bt-host.c
++++ b/bt-host.c
+@@ -130,6 +130,7 @@ static void bt_host_read(void *opaque)
+             pktlen = MIN(pkt[2] + 3, s->len);
+             s->len -= pktlen;
+             pkt += pktlen;
++            break;
+ 
+         default:
+         bad_pkt:
+-- 
+1.7.11.2
+
diff --git a/0238-ds1338-Add-missing-break-statement.patch b/0238-ds1338-Add-missing-break-statement.patch
new file mode 100644
index 0000000..f4529e9
--- /dev/null
+++ b/0238-ds1338-Add-missing-break-statement.patch
@@ -0,0 +1,39 @@
+From 1c363aca36c5f53cb04d04fa1ee9a442dd5dbad4 Mon Sep 17 00:00:00 2001
+From: Stefan Weil <sw@weilnetz.de>
+Date: Sat, 25 Feb 2012 14:50:25 +0100
+Subject: [PATCH] ds1338: Add missing break statement
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Without the break statement, case 5 sets month and year from the same
+data. This does not look correct.
+
+The missing break was reported by splint.
+
+Signed-off-by: Stefan Weil <sw@weilnetz.de>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Andreas Färber <afaerber@suse.de>
+Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
+(cherry picked from commit fbac6a7d35d119a52606c175aface9bcec805f09)
+
+Signed-off-by: Andreas Färber <afaerber@suse.de>
+---
+ hw/ds1338.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/ds1338.c b/hw/ds1338.c
+index 3522af5..964d2f7 100644
+--- a/hw/ds1338.c
++++ b/hw/ds1338.c
+@@ -97,6 +97,7 @@ static int ds1338_send(i2c_slave *i2c, uint8_t data)
+             break;
+         case 5:
+             s->now.tm_mon = from_bcd(data & 0x1f) - 1;
++            break;
+         case 6:
+             s->now.tm_year = from_bcd(data) + 100;
+             break;
+-- 
+1.7.11.2
+
diff --git a/0239-block-vdi-Zero-unused-parts-when-allocating-a-new-bl.patch b/0239-block-vdi-Zero-unused-parts-when-allocating-a-new-bl.patch
new file mode 100644
index 0000000..c396ce6
--- /dev/null
+++ b/0239-block-vdi-Zero-unused-parts-when-allocating-a-new-bl.patch
@@ -0,0 +1,70 @@
+From e246af75817264aa340cc4e8bb42c17a2d48cbb7 Mon Sep 17 00:00:00 2001
+From: Stefan Weil <sw@weilnetz.de>
+Date: Sat, 21 Jan 2012 13:54:24 +0100
+Subject: [PATCH] block/vdi: Zero unused parts when allocating a new block
+ (fix #919242)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The new block was filled with zero when it was allocated by g_malloc0,
+but when it was reused later and only partially used, data from the
+previously allocated block were still present and written to the new
+block.
+
+This caused the problems reported by bug #919242
+(https://bugs.launchpad.net/qemu/+bug/919242).
+
+Now the unused parts of the new block which are before and after the data
+are always filled with zero, so it is no longer necessary to zero the whole
+block with g_malloc0.
+
+I also updated the copyright comment.
+
+Signed-off-by: Stefan Weil <sw@weilnetz.de>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+(cherry picked from commit 641543b76b82a8b361482b727e08de0c8ec093b0)
+
+[AF: g_malloc() -> qemu_malloc()]
+Signed-off-by: Andreas Färber <afaerber@suse.de>
+---
+ block/vdi.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/block/vdi.c b/block/vdi.c
+index 1be0cdc..07413af 100644
+--- a/block/vdi.c
++++ b/block/vdi.c
+@@ -1,7 +1,7 @@
+ /*
+  * Block driver for the Virtual Disk Image (VDI) format
+  *
+- * Copyright (c) 2009 Stefan Weil
++ * Copyright (c) 2009, 2012 Stefan Weil
+  *
+  * This program is free software: you can redistribute it and/or modify
+  * it under the terms of the GNU General Public License as published by
+@@ -765,15 +765,19 @@ static void vdi_aio_write_cb(void *opaque, int ret)
+                  (uint64_t)bmap_entry * s->block_sectors;
+         block = acb->block_buffer;
+         if (block == NULL) {
+-            block = qemu_mallocz(s->block_size);
++            block = qemu_malloc(s->block_size);
+             acb->block_buffer = block;
+             acb->bmap_first = block_index;
+             assert(!acb->header_modified);
+             acb->header_modified = 1;
+         }
+         acb->bmap_last = block_index;
++        /* Copy data to be written to new block and zero unused parts. */
++        memset(block, 0, sector_in_block * SECTOR_SIZE);
+         memcpy(block + sector_in_block * SECTOR_SIZE,
+                acb->buf, n_sectors * SECTOR_SIZE);
++        memset(block + (sector_in_block + n_sectors) * SECTOR_SIZE, 0,
++               (s->block_sectors - n_sectors - sector_in_block) * SECTOR_SIZE);
+         acb->hd_iov.iov_base = (void *)block;
+         acb->hd_iov.iov_len = s->block_size;
+         qemu_iovec_init_external(&acb->hd_qiov, &acb->hd_iov, 1);
+-- 
+1.7.11.2
+
diff --git a/qemu-fix-non-PCI-target-build.patch b/qemu-fix-non-PCI-target-build.patch
deleted file mode 100644
index b479efa..0000000
--- a/qemu-fix-non-PCI-target-build.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-commit 1a8364456c2f3946b4feb8fc78eaf00d974f4c03
-Author: Jan Kiszka <jan.kiszka@siemens.com>
-Date:   Wed Feb 23 09:28:53 2011 +0100
-
-    qemu-kvm: Fix non-PCI target build
-    
-    Replace obsolete qemu-kvm.h with kvm.h in pci.c and build that module
-    just like upstream does. This fixes non-x86 targets which have no PCI
-    support.
-    
-    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
-    Signed-off-by: Avi Kivity <avi@redhat.com>
-
-diff --git a/Makefile.objs b/Makefile.objs
-index f5702eb..3ec7121 100644
---- a/Makefile.objs
-+++ b/Makefile.objs
-@@ -170,7 +170,7 @@ hw-obj-y =
- hw-obj-y += loader.o
- hw-obj-$(CONFIG_VIRTIO) += virtio.o virtio-console.o
- hw-obj-y += fw_cfg.o
--hw-obj-$(CONFIG_PCI) += pci_bridge.o
-+hw-obj-$(CONFIG_PCI) += pci.o pci_bridge.o
- hw-obj-$(CONFIG_PCI) += msix.o msi.o
- hw-obj-$(CONFIG_PCI) += pci_host.o pcie_host.o
- hw-obj-$(CONFIG_PCI) += ioh3420.o xio3130_upstream.o xio3130_downstream.o
-diff --git a/Makefile.target b/Makefile.target
-index 6e9a024..23367eb 100644
---- a/Makefile.target
-+++ b/Makefile.target
-@@ -195,7 +195,7 @@ endif #CONFIG_BSD_USER
- # System emulator target
- ifdef CONFIG_SOFTMMU
-
--obj-y = arch_init.o cpus.o monitor.o pci.o machine.o gdbstub.o vl.o balloon.o
-+obj-y = arch_init.o cpus.o monitor.o machine.o gdbstub.o vl.o balloon.o
- # virtio has to be here due to weird dependency between PCI and virtio-net.
- # need to fix this properly
- obj-$(CONFIG_NO_PCI) += pci-stub.o
-diff --git a/hw/pci.c b/hw/pci.c
-index 0c44939..1f6cebe 100644
---- a/hw/pci.c
-+++ b/hw/pci.c
-@@ -29,8 +29,8 @@
- #include "net.h"
- #include "sysemu.h"
- #include "loader.h"
--#include "qemu-kvm.h"
- #include "hw/pc.h"
-+#include "kvm.h"
- #include "device-assignment.h"
- #include "qemu-objects.h"
- #include "range.h"
diff --git a/qemu-fix-systemtap.patch b/qemu-fix-systemtap.patch
new file mode 100644
index 0000000..3191eec
--- /dev/null
+++ b/qemu-fix-systemtap.patch
@@ -0,0 +1,19 @@
+diff -rup qemu-kvm-1.0.1/scripts/tracetool z/scripts/tracetool
+--- qemu-kvm-1.0.1/scripts/tracetool	2012-04-16 22:15:17.000000000 -0400
++++ z/scripts/tracetool	2012-07-29 21:10:51.326868987 -0400
+@@ -500,6 +500,15 @@ EOF
+         if [ "$arg" = "limit" ]; then
+           arg="_limit"
+         fi
++        if [ "$arg" = "in" ]; then
++          arg="_in"
++        fi
++        if [ "$arg" = "next" ]; then
++          arg="_next"
++        fi
++        if [ "$arg" = "self" ]; then
++          arg="_self"
++        fi
+         cat <<EOF
+   $arg = \$arg$i;
+ EOF
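Review bot: The new reserved-word handling repeats the same three-line `if [ "$arg" = ... ]` block three more times next to the existing `limit` case; a single `case "$arg" in limit|in|next|self) arg="_$arg" ;; esac` keeps the SystemTap keyword list in one place and makes the next addition a one-token change. The enclosing loop starts and ends outside the hunk.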
diff --git a/qemu-fix-text-mode-screendumps.patch b/qemu-fix-text-mode-screendumps.patch
new file mode 100644
index 0000000..ae517c2
--- /dev/null
+++ b/qemu-fix-text-mode-screendumps.patch
@@ -0,0 +1,31 @@
+diff -rup qemu-kvm-0.15.1/hw/vga.c frob/hw/vga.c
+--- qemu-kvm-0.15.1/hw/vga.c	2011-10-19 09:54:48.000000000 -0400
++++ frob/hw/vga.c	2012-07-29 21:00:27.389677588 -0400
+@@ -149,7 +149,7 @@ static uint16_t expand2[256];
+ static uint8_t expand4to8[16];
+ 
+ static void vga_screen_dump(void *opaque, const char *filename);
+-static char *screen_dump_filename;
++static const char *screen_dump_filename;
+ static DisplayChangeListener *screen_dump_dcl;
+ 
+ static void vga_dumb_update_retrace_info(VGACommonState *s)
+@@ -2330,7 +2330,6 @@ static void vga_save_dpy_update(DisplayS
+ {
+     if (screen_dump_filename) {
+         ppm_save(screen_dump_filename, ds->surface);
+-        screen_dump_filename = NULL;
+     }
+ }
+ 
+@@ -2408,8 +2407,8 @@ static void vga_screen_dump(void *opaque
+     if (!screen_dump_dcl)
+         screen_dump_dcl = vga_screen_dump_init(s->ds);
+ 
+-    screen_dump_filename = (char *)filename;
++    screen_dump_filename = filename;
+     vga_invalidate_display(s);
+     vga_hw_update();
++    screen_dump_filename = NULL;
+ }
+-
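Review bot: The reason for moving `screen_dump_filename = NULL;` out of `vga_save_dpy_update` and after `vga_hw_update()` in `vga_screen_dump` is not recorded in the code; presumably text mode delivers the dump through more than one update callback, so the first `ppm_save` must no longer consume the name. I would add above the reset `/* Keep the name set until the whole update has run: text mode may call dpy_update more than once per dump. */`, once the author confirms that is the mechanism. With the name kept set, `ppm_save` now runs on every update callback in that window, each overwriting the same file, and its return value is still unchecked in the context line.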
diff --git a/qemu-snapshot-symlink-attack.patch b/qemu-snapshot-symlink-attack.patch
new file mode 100644
index 0000000..e6b1ae6
--- /dev/null
+++ b/qemu-snapshot-symlink-attack.patch
@@ -0,0 +1,93 @@
+diff -rup qemu-kvm-0.15.1/block/vvfat.c frob/block/vvfat.c
+--- qemu-kvm-0.15.1/block/vvfat.c	2012-07-29 20:56:28.318227757 -0400
++++ frob/block/vvfat.c	2012-07-29 20:59:15.537859208 -0400
+@@ -2795,7 +2795,12 @@ static int enable_write_target(BDRVVVFAT
+     array_init(&(s->commits), sizeof(commit_t));
+ 
+     s->qcow_filename = qemu_malloc(1024);
+-    get_tmp_filename(s->qcow_filename, 1024);
++    ret = get_tmp_filename(s->qcow_filename, 1024);
++    if (ret < 0) {
++        free(s->qcow_filename);
++        s->qcow_filename = NULL;
++        return ret;
++    }
+ 
+     bdrv_qcow = bdrv_find_format("qcow");
+     options = parse_option_parameters("", bdrv_qcow->create_options, NULL);
+diff -rup qemu-kvm-0.15.1/block.c frob/block.c
+--- qemu-kvm-0.15.1/block.c	2012-07-29 20:56:28.367221495 -0400
++++ frob/block.c	2012-07-29 20:58:24.931326050 -0400
+@@ -254,28 +254,36 @@ int bdrv_create_file(const char* filenam
+     return bdrv_create(drv, filename, options);
+ }
+ 
+-#ifdef _WIN32
+-void get_tmp_filename(char *filename, int size)
++/*
++ * Create a uniquely-named empty temporary file.
++ * Return 0 upon success, otherwise a negative errno value.
++ */
++int get_tmp_filename(char *filename, int size)
+ {
++#ifdef _WIN32
+     char temp_dir[MAX_PATH];
+-
+-    GetTempPath(MAX_PATH, temp_dir);
+-    GetTempFileName(temp_dir, "qem", 0, filename);
+-}
++    /* GetTempFileName requires that its output buffer (4th param)
++       have length MAX_PATH or greater.  */
++    assert(size >= MAX_PATH);
++    return (GetTempPath(MAX_PATH, temp_dir)
++            && GetTempFileName(temp_dir, "qem", 0, filename)
++            ? 0 : -GetLastError());
+ #else
+-void get_tmp_filename(char *filename, int size)
+-{
+     int fd;
+     const char *tmpdir;
+-    /* XXX: race condition possible */
+     tmpdir = getenv("TMPDIR");
+     if (!tmpdir)
+         tmpdir = "/tmp";
+-    snprintf(filename, size, "%s/vl.XXXXXX", tmpdir);
++    if (snprintf(filename, size, "%s/vl.XXXXXX", tmpdir) >= size) {
++        return -EOVERFLOW;
++    }
+     fd = mkstemp(filename);
+-    close(fd);
+-}
++    if (fd < 0 || close(fd)) {
++        return -errno;
++    }
++    return 0;
+ #endif
++}
+ 
+ /*
+  * Detect host devices. By convention, /dev/cdrom[N] is always
+@@ -555,7 +563,10 @@ int bdrv_open(BlockDriverState *bs, cons
+ 
+         bdrv_delete(bs1);
+ 
+-        get_tmp_filename(tmp_filename, sizeof(tmp_filename));
++        ret = get_tmp_filename(tmp_filename, sizeof(tmp_filename));
++        if (ret < 0) {
++            return ret;
++        }
+ 
+         /* Real path is meaningless for protocols */
+         if (is_protocol)
+diff -rup qemu-kvm-0.15.1/block_int.h frob/block_int.h
+--- qemu-kvm-0.15.1/block_int.h	2011-10-19 09:54:48.000000000 -0400
++++ frob/block_int.h	2012-07-29 20:58:24.932325925 -0400
+@@ -216,7 +216,7 @@ struct BlockDriverAIOCB {
+     BlockDriverAIOCB *next;
+ };
+ 
+-void get_tmp_filename(char *filename, int size);
++int get_tmp_filename(char *filename, int size);
+ 
+ void *qemu_aio_get(AIOPool *pool, BlockDriverState *bs,
+                    BlockDriverCompletionFunc *cb, void *opaque);
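Review bot: In `enable_write_target`, `s->qcow_filename` comes from `qemu_malloc()` on the line above, but the new error path releases it with plain `free()`; use `qemu_free(s->qcow_filename);` so allocation and release stay paired (in this tree `qemu_malloc` may well wrap `malloc`, but mixed allocators are exactly what breaks under a different allocator or a debug build). The `ret` variable the new code assigns is not declared in the hunk, so it must already exist in that function; worth confirming, since `enable_write_target` starts outside the hunk. On the Win32 branch, `-GetLastError()` returns a Win32 error code where every other path returns a negative errno, so a caller that prints `strerror(-ret)` will get the wrong text there.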
diff --git a/qemu-spice-server-threading.patch b/qemu-spice-server-threading.patch
new file mode 100644
index 0000000..c8ba0a3
--- /dev/null
+++ b/qemu-spice-server-threading.patch
@@ -0,0 +1,73 @@
+commit 22b626e28e9895cc65c1e2023323bda5138716dc
+Author: Gerd Hoffmann <kraxel@redhat.com>
+Date:   Fri Sep 2 15:03:28 2011 +0200
+
+    spice: workaround a spice server bug.
+    
+    spice server might call the channel_event callback from spice server
+    thread context.  Detect that and aquire iothread lock if needed,
+
+diff --git a/ui/spice-core.c b/ui/spice-core.c
+index dba11f0..3cbc721 100644
+--- a/ui/spice-core.c
++++ b/ui/spice-core.c
+@@ -19,6 +19,7 @@
+ #include <spice-experimental.h>
+ 
+ #include <netdb.h>
++#include <pthread.h>
+ 
+ #include "qemu-common.h"
+ #include "qemu-spice.h"
+@@ -44,6 +45,8 @@ static char *auth_passwd;
+ static time_t auth_expires = TIME_MAX;
+ int using_spice = 0;
+ 
++static pthread_t me;
++
+ struct SpiceTimer {
+     QEMUTimer *timer;
+     QTAILQ_ENTRY(SpiceTimer) next;
+@@ -217,6 +220,20 @@ static void channel_event(int event, SpiceChannelEventInfo *info)
+     QDict *server, *client;
+     QObject *data;
+ 
++    /*
++     * Spice server might have called us from spice worker thread
++     * context (happens on display channel disconnects).  Spice should
++     * not do that.  It isn't that easy to fix it in spice and even
++     * when it is fixed we still should cover the already released
++     * spice versions.  So detect that we've been called from another
++     * thread and grab the iothread lock if so before calling qemu
++     * functions.
++     */
++    bool need_lock = !pthread_equal(me, pthread_self());
++    if (need_lock) {
++        qemu_mutex_lock_iothread();
++    }
++
+     client = qdict_new();
+     add_addr_info(client, &info->paddr, info->plen);
+ 
+@@ -236,6 +253,10 @@ static void channel_event(int event, SpiceChannelEventInfo *info)
+                               QOBJECT(client), QOBJECT(server));
+     monitor_protocol_event(qevent[event], data);
+     qobject_decref(data);
++
++    if (need_lock) {
++        qemu_mutex_unlock_iothread();
++    }
+ }
+ 
+ #else /* SPICE_INTERFACE_CORE_MINOR >= 3 */
+@@ -482,7 +503,9 @@ void qemu_spice_init(void)
+     spice_image_compression_t compression;
+     spice_wan_compression_t wan_compr;
+ 
+-    if (!opts) {
++    me = pthread_self();
++
++   if (!opts) {
+         return;
+     }
+     port = qemu_opt_get_number(opts, "port", 0);
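Review bot: The rewritten `if (!opts) {` line in `qemu_spice_init` has three leading spaces where the surrounding lines use four, so the backport introduces an indentation regression; restore `    if (!opts) {`. The `me = pthread_self();` capture sits before the `!opts` early return, so `channel_event` compares against an initialised value even when spice is not configured (which presumably cannot happen anyway). One caveat worth a comment next to `qemu_mutex_lock_iothread()`: if the main thread ever holds the iothread lock while waiting on the spice worker, the worker's attempt to take it here would deadlock, so the workaround relies on that never happening.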
diff --git a/qemu-vhost-fix-dirty-page-handling.patch b/qemu-vhost-fix-dirty-page-handling.patch
deleted file mode 100644
index e3fabb7..0000000
--- a/qemu-vhost-fix-dirty-page-handling.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-vhost was passing a physical address to cpu_physical_memory_set_dirty,
-which is wrong: we need to translate to ram address first.
-
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-
-Note: this lead to crashes during migration, so the patch
-is needed on the stable branch too.
-
----
- hw/vhost.c |    4 +++-
- 1 files changed, 3 insertions(+), 1 deletions(-)
-
-diff --git a/hw/vhost.c b/hw/vhost.c
-index aaa34e4..97a1299 100644
---- a/hw/vhost.c
-+++ b/hw/vhost.c
-@@ -49,8 +49,10 @@ static void vhost_dev_sync_region(struct vhost_dev *dev,
-         log = __sync_fetch_and_and(from, 0);
-         while ((bit = sizeof(log) > sizeof(int) ?
-                 ffsll(log) : ffs(log))) {
-+            ram_addr_t ram_addr;
-             bit -= 1;
--            cpu_physical_memory_set_dirty(addr + bit * VHOST_LOG_PAGE);
-+            ram_addr = cpu_get_physical_page_desc(addr + bit * VHOST_LOG_PAGE);
-+            cpu_physical_memory_set_dirty(ram_addr);
-             log &= ~(0x1ull << bit);
-         }
-         addr += VHOST_LOG_CHUNK;
--- 
-1.7.3.2.91.g446ac
-
diff --git a/qemu.spec b/qemu.spec
index 1cb916c..86918a3 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -1,8 +1,8 @@
 Summary: QEMU is a FAST! processor emulator
 Name: qemu
 Version: 0.15.1
-Release: 6%{?dist}
-# Epoch because we pushed a qemu-1.0 package
+Release: 7%{?dist}
+# Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
 Epoch: 2
 License: GPLv2+ and LGPLv2+ and BSD
 Group: Development/Tools
@@ -89,6 +89,51 @@ Patch103: %{name}-virtio-blk_refuse_SG_IO_requests_with_scsi_off.patch
 # Fix fedora guest hang with virtio console (bz 837925)
 Patch104: %{name}-virtio-console-unconnected-pty.patch
 
+# Patches from 0.15 stable
+Patch200: 0200-ccid-Fix-buffer-overrun-in-handling-of-VSC_ATR-messa.patch
+Patch201: 0201-qdev-Reset-hot-plugged-devices.patch
+Patch202: 0202-e1000-use-MII-status-register-for-link-up-down.patch
+Patch203: 0203-e1000-Don-t-set-the-Capabilities-List-bit.patch
+Patch205: 0205-compatfd.c-Don-t-pass-NULL-pointer-to-SYS_signalfd.patch
+Patch206: 0206-kvm-avoid-reentring-kvm_flush_coalesced_mmio_buffer.patch
+Patch207: 0207-vmdk-vmdk_read_cid-returns-garbage-if-p_name-is-NULL.patch
+Patch208: 0208-block-Fix-bdrv_open-use-after-free.patch
+Patch209: 0209-ide-Fix-off-by-one-error-in-array-index-check.patch
+Patch210: 0210-acl-Fix-use-after-free-in-qemu_acl_reset.patch
+Patch211: 0211-migration-flush-migration-data-to-disk.patch
+Patch212: 0212-Fix-X86-CPU-topology-in-KVM-mode.patch
+Patch213: 0213-hw-lan9118.c-Add-missing-break-to-fix-buffer-overrun.patch
+Patch214: 0214-ac97-don-t-override-the-pci-subsystem-id.patch
+Patch215: 0215-vvfat-Fix-potential-buffer-overflow.patch
+Patch216: 0216-vns-tls-don-t-use-depricated-gnutls-functions.patch
+Patch217: 0217-block-curl-Implement-a-flush-function-on-the-fd-hand.patch
+Patch218: 0218-hda-do-not-mix-output-and-input-streams-RHBZ-740493.patch
+Patch219: 0219-hda-do-not-mix-output-and-input-stream-states-RHBZ-7.patch
+Patch220: 0220-Teach-block-vdi-about-discarded-no-longer-allocated-.patch
+Patch221: 0221-vmdk-Improve-error-handling.patch
+Patch222: 0222-block-set-bs-read_only-before-.bdrv_open.patch
+Patch223: 0223-console-Fix-rendering-of-VGA-underline.patch
+Patch224: 0224-block-Fix-vpc-initialization-of-the-Dynamic-Disk-Hea.patch
+Patch225: 0225-qcow-Fix-bdrv_write_compressed-error-handling.patch
+Patch226: 0226-block-reinitialize-across-bdrv_close-bdrv_open.patch
+Patch227: 0227-qxl-stride-fixup.patch
+Patch228: 0228-vmdk-Fix-possible-segfaults.patch
+Patch230: 0230-cpu-common-Have-a-ram_addr_t-of-uint64-with-Xen.patch
+Patch231: 0231-Error-check-find_ram_offset.patch
+Patch236: 0236-block-vpc-write-checksum-back-to-footer-after-check.patch
+Patch237: 0237-bt-host-add-missing-break-statement.patch
+Patch238: 0238-ds1338-Add-missing-break-statement.patch
+Patch239: 0239-block-vdi-Zero-unused-parts-when-allocating-a-new-bl.patch
+# CVE-2012-2652: Possible symlink attacks with -snapshot (bz 825697, bz
+# 824919)
+Patch240: %{name}-snapshot-symlink-attack.patch
+# Fix systemtap tapsets (bz 831763)
+Patch241: %{name}-fix-systemtap.patch
+# Fix qmp response race caused by spice server bug (bz 744015)
+Patch242: %{name}-spice-server-threading.patch
+# Fix text mode screendumps (bz 819155)
+Patch243: %{name}-fix-text-mode-screendumps.patch
+
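Review bot: The commit adds patch files 0233, 0234 and 0235 (and the pc-0.15 machine patch whose tail is visible at the top of this diff), but the `Patch` list jumps from `Patch231` to `Patch236`, so those files sit in the repository without ever being applied. Either add `Patch233`..`Patch235` lines here with the matching `%patch` calls in `%prep`, or add a comment at the gap explaining why they are held back (the pc-0.15 patch changes the default machine type, which is a plausible reason to defer it).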
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: SDL-devel zlib-devel which texi2html gnutls-devel cyrus-sasl-devel
 BuildRequires: libaio-devel
@@ -122,6 +167,13 @@ Requires: %{name}-img = %{epoch}:%{version}-%{release}
 Obsoletes: %{name}-system-ppc
 Obsoletes: %{name}-system-sparc
 
+# Needed for F14->F16+ upgrade
+# https://bugzilla.redhat.com/show_bug.cgi?id=694802
+Obsoletes: openbios-common
+Obsoletes: openbios-ppc
+Obsoletes: openbios-sparc32
+Obsoletes: openbios-sparc64
+
 %define qemudocdir %{_docdir}/%{name}-%{version}
 
 %description
@@ -161,9 +213,9 @@ Group: Development/Tools
 Requires(post): /usr/bin/getent
 Requires(post): /usr/sbin/groupadd
 Requires(post): /usr/sbin/useradd
-Requires(post): /sbin/chkconfig
-Requires(preun): /sbin/service /sbin/chkconfig
-Requires(postun): /sbin/service
+Requires(post): systemd-units
+Requires(preun): systemd-units
+Requires(postun): systemd-units
 %description common
 QEMU is a generic and open source processor emulator which achieves a good
 emulation speed by using dynamic translation.
@@ -211,9 +263,8 @@ fi
 Summary: QEMU user mode emulation of qemu targets
 Group: Development/Tools
 Requires: %{name}-common = %{epoch}:%{version}-%{release}
-Requires(post): /sbin/chkconfig
-Requires(preun): /sbin/service /sbin/chkconfig
-Requires(postun): /sbin/service
+Requires(post): systemd-units
+Requires(postun): systemd-units
 %description user
 QEMU is a generic and open source processor emulator which achieves a good
 emulation speed by using dynamic translation.
@@ -228,6 +279,7 @@ Provides: kvm = 85
 Obsoletes: kvm < 85
 Requires: vgabios >= 0.6c-2
 Requires: seabios-bin >= 0.6.0-2
+Requires: sgabios-bin
 Requires: /usr/share/gpxe/8086100e.rom
 Requires: /usr/share/gpxe/rtl8029.rom
 Requires: /usr/share/gpxe/pcnet32.rom
@@ -345,6 +397,45 @@ such as kvm_stat.
 %patch103 -p1
 %patch104 -p1
 
+%patch200 -p1
+%patch201 -p1
+%patch202 -p1
+%patch203 -p1
+%patch205 -p1
+%patch206 -p1
+%patch207 -p1
+%patch208 -p1
+%patch209 -p1
+%patch210 -p1
+%patch211 -p1
+%patch212 -p1
+%patch213 -p1
+%patch214 -p1
+%patch215 -p1
+%patch216 -p1
+%patch217 -p1
+%patch218 -p1
+%patch219 -p1
+%patch220 -p1
+%patch221 -p1
+%patch222 -p1
+%patch223 -p1
+%patch224 -p1
+%patch225 -p1
+%patch226 -p1
+%patch227 -p1
+%patch228 -p1
+%patch230 -p1
+%patch231 -p1
+%patch236 -p1
+%patch237 -p1
+%patch238 -p1
+%patch239 -p1
+%patch240 -p1
+%patch241 -p1
+%patch242 -p1
+%patch243 -p1
+
 %build
 # By default we build everything, but allow x86 to build a minimal version
 # with only similar arch target support
@@ -498,6 +589,7 @@ ln -s ../vgabios/VGABIOS-lgpl-latest.cirrus.bin %{buildroot}/%{_datadir}/%{name}
 ln -s ../vgabios/VGABIOS-lgpl-latest.qxl.bin %{buildroot}/%{_datadir}/%{name}/vgabios-qxl.bin
 ln -s ../vgabios/VGABIOS-lgpl-latest.stdvga.bin %{buildroot}/%{_datadir}/%{name}/vgabios-stdvga.bin
 ln -s ../vgabios/VGABIOS-lgpl-latest.vmware.bin %{buildroot}/%{_datadir}/%{name}/vgabios-vmware.bin
+ln -s ../sgabios/sgabios.bin %{buildroot}/%{_datadir}/%{name}/sgabios.bin
 ln -s ../seabios/bios.bin %{buildroot}/%{_datadir}/%{name}/bios.bin
 
 mkdir -p $RPM_BUILD_ROOT%{_exec_prefix}/lib/binfmt.d
@@ -540,41 +632,47 @@ rm -rf $RPM_BUILD_ROOT
 %ifarch %{ix86} x86_64
 # load kvm modules now, so we can make sure no reboot is needed.
 # If there's already a kvm module installed, we don't mess with it
-sh %{_sysconfdir}/sysconfig/modules/kvm.modules
+sh %{_sysconfdir}/sysconfig/modules/kvm.modules || :
 %endif
 
 %post common
 if [ $1 -eq 1 ] ; then
-    getent group kvm >/dev/null || groupadd -g 36 -r kvm
-    getent group qemu >/dev/null || groupadd -g 107 -r qemu
-    getent passwd qemu >/dev/null || \
-        useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
-        -c "qemu user" qemu
-
-    /bin/systemctl enable ksm.service
-    /bin/systemctl enable ksmtuned.service
+    # Initial installation
+    /bin/systemctl enable ksm.service >/dev/null 2>&1 || :
+    /bin/systemctl enable ksmtuned.service >/dev/null 2>&1 || :
 fi
 
+getent group kvm >/dev/null || groupadd -g 36 -r kvm
+getent group qemu >/dev/null || groupadd -g 107 -r qemu
+getent passwd qemu >/dev/null || \
+    useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
+    -c "qemu user" qemu
+
 %preun common
-if [ $1 -eq 0 ]; then
-    /bin/systemctl --system stop ksmtuned.service &>/dev/null || :
-    /bin/systemctl --system stop ksm.service &>/dev/null || :
-    /bin/systemctl disable ksmtuned.service
-    /bin/systemctl disable ksm.service
+if [ $1 -eq 0 ] ; then
+    # Package removal, not upgrade
+    /bin/systemctl --no-reload disable ksmtuned.service > /dev/null 2>&1 || :
+    /bin/systemctl --no-reload disable ksm.service > /dev/null 2>&1 || :
+    /bin/systemctl stop ksmtuned.service > /dev/null 2>&1 || :
+    /bin/systemctl stop ksm.service > /dev/null 2>&1 || :
 fi
 
 %postun common
-if [ $1 -ge 1 ]; then
-    /bin/systemctl --system try-restart ksm.service &>/dev/null || :
-    /bin/systemctl --system try-restart ksmtuned.service &>/dev/null || :
+/bin/systemctl daemon-reload >/dev/null 2>&1 || :
+if [ $1 -ge 1 ] ; then
+    # Package upgrade, not uninstall
+    /bin/systemctl try-restart ksmtuned.service >/dev/null 2>&1 || :
+    /bin/systemctl try-restart ksm.service >/dev/null 2>&1 || :
 fi
 
+
 %post user
 /bin/systemctl --system try-restart systemd-binfmt.service &>/dev/null || :
 
 %postun user
 /bin/systemctl --system try-restart systemd-binfmt.service &>/dev/null || :
 
+
 %files
 %defattr(-,root,root)
 
@@ -648,6 +746,7 @@ fi
 %{_bindir}/qemu
 %{_bindir}/qemu-system-x86_64
 %{_datadir}/%{name}/bios.bin
+%{_datadir}/%{name}/sgabios.bin
 %{_datadir}/%{name}/linuxboot.bin
 %{_datadir}/%{name}/multiboot.bin
 %{_datadir}/%{name}/mpc8544ds.dtb
@@ -724,6 +823,18 @@ fi
 %{_mandir}/man1/qemu-img.1*
 
 %changelog
+* Sun Jul 29 2012 Cole Robinson <crobinso@redhat.com> - 0.15.1-7
+- Pull patches from 0.15 stable
+- CVE-2012-2652: Possible symlink attacks with -snapshot (bz 825697, bz
+  824919)
+- Fix systemtap tapsets (bz 831763)
+- Fix qmp response race caused by spice server bug (bz 744015)
+- Fix text mode screendumps (bz 819155)
+- Don't renable ksm on update (bz 815156)
+- Fix RPM install error on non-virt machines (bz 660629)
+- Obsolete openbios to fix upgrade dependency issues (bz 694802)
+- Fix sgabios integration (bz 791344)
+
 * Wed Jul 18 2012 Cole Robinson <crobinso@redhat.com> - 0.15.1-6
 - Fix fedora guest hang with virtio console (bz 837925)
 
@@ -734,7 +845,7 @@ fi
 * Mon Jan 30 2012 Justin M. Forbes <jforbes@redhat.com> - 2:0.15.1-4
 - Add vhost-net to kvm.modules
 - Fix USB passthrough assert on packet completion (#769625)
-- 
+
 * Thu Jan  5 2012 Christophe Fergeau <cfergeau@redhat.com> - 2:0.15.1-3.1
 - Backport patches from qemu 1.0 to fix floppy drives (#753863)
 
@@ -749,7 +860,7 @@ fi
 - Require seabios-bin >= 0.6.0-2 (#741992)
 - Replace init scripts with systemd units (#741920)
 - Update to 0.15.1 stable upstream
-  
+
 * Fri Oct 21 2011 Paul Moore <pmoore@redhat.com>
 - Enable full relro and PIE (rhbz #738812)