[qemu/f16] CVE-2012-2652: Possible symlink attacks with -snapshot (bz 825697, bz 824919) Fix systemtap tapsets

Cole Robinson crobinso at fedoraproject.org
Mon Jul 30 01:15:51 UTC 2012


commit cd9d1615148a819966218610f5929f0fba1ae14f
Author: Cole Robinson <crobinso at redhat.com>
Date:   Sun Jul 29 21:15:19 2012 -0400

    CVE-2012-2652: Possible symlink attacks with -snapshot (bz 825697, bz 824919)
    Fix systemtap tapsets (bz 831763)
    Fix qmp response race caused by spice server bug (bz 744015)
    Fix text mode screendumps (bz 819155)
    Don't re-enable ksm on update (bz 815156)
    Fix RPM install error on non-virt machines (bz 660629)
    Obsolete openbios to fix upgrade dependency issues (bz 694802)

 ...ffer-overrun-in-handling-of-VSC_ATR-messa.patch |   42 ++++
 0201-qdev-Reset-hot-plugged-devices.patch          |   39 ++++
 ...-use-MII-status-register-for-link-up-down.patch |  147 ++++++++++++++
 ...e1000-Don-t-set-the-Capabilities-List-bit.patch |   43 ++++
 ...00-bounds-packet-size-against-buffer-size.patch |   45 +++++
 ...c-Don-t-pass-NULL-pointer-to-SYS_signalfd.patch |   49 +++++
 ...reentring-kvm_flush_coalesced_mmio_buffer.patch |   60 ++++++
 ...ead_cid-returns-garbage-if-p_name-is-NULL.patch |   36 ++++
 0208-block-Fix-bdrv_open-use-after-free.patch      |   43 ++++
 ...Fix-off-by-one-error-in-array-index-check.patch |   34 ++++
 ...-acl-Fix-use-after-free-in-qemu_acl_reset.patch |   52 +++++
 0211-migration-flush-migration-data-to-disk.patch  |   71 +++++++
 0212-Fix-X86-CPU-topology-in-KVM-mode.patch        |   55 ++++++
 ...c-Add-missing-break-to-fix-buffer-overrun.patch |   37 ++++
 ...-ac97-don-t-override-the-pci-subsystem-id.patch |  119 ++++++++++++
 0215-vvfat-Fix-potential-buffer-overflow.patch     |   36 ++++
 ...tls-don-t-use-depricated-gnutls-functions.patch |  116 +++++++++++
 ...Implement-a-flush-function-on-the-fd-hand.patch |   76 ++++++++
 ...-mix-output-and-input-streams-RHBZ-740493.patch |   51 +++++
 ...mix-output-and-input-stream-states-RHBZ-7.patch |  172 +++++++++++++++++
 ...-vdi-about-discarded-no-longer-allocated-.patch |  108 +++++++++++
 0221-vmdk-Improve-error-handling.patch             |   79 ++++++++
 ...-block-set-bs-read_only-before-.bdrv_open.patch |   52 +++++
 0223-console-Fix-rendering-of-VGA-underline.patch  |   64 ++++++
 ...pc-initialization-of-the-Dynamic-Disk-Hea.patch |   48 +++++
 ...-Fix-bdrv_write_compressed-error-handling.patch |   93 +++++++++
 ...-reinitialize-across-bdrv_close-bdrv_open.patch |   55 ++++++
 0227-qxl-stride-fixup.patch                        |  111 +++++++++++
 0228-vmdk-Fix-possible-segfaults.patch             |   55 ++++++
 0229-pc-Fix-floppy-drives-with-if-none.patch       |  204 ++++++++++++++++++++
 ...mmon-Have-a-ram_addr_t-of-uint64-with-Xen.patch |   97 +++++++++
 0231-Error-check-find_ram_offset.patch             |   58 ++++++
 0232-pc-add-pc-0.15.patch                          |   73 +++++++
 ...vent_idx-compatibility-for-virtio-devices.patch |   95 +++++++++
 ...-trace-call-to-oslib-posix.c-qemu_vmalloc.patch |   37 ++++
 ...c-align-properly-for-transparent-hugepage.patch |   61 ++++++
 ...write-checksum-back-to-footer-after-check.patch |   41 ++++
 0237-bt-host-add-missing-break-statement.patch     |   36 ++++
 0238-ds1338-Add-missing-break-statement.patch      |   39 ++++
 ...ero-unused-parts-when-allocating-a-new-bl.patch |   70 +++++++
 qemu-fix-non-PCI-target-build.patch                |   53 -----
 qemu-fix-systemtap.patch                           |   19 ++
 qemu-fix-text-mode-screendumps.patch               |   31 +++
 qemu-snapshot-symlink-attack.patch                 |   93 +++++++++
 qemu-spice-server-threading.patch                  |   73 +++++++
 qemu-vhost-fix-dirty-page-handling.patch           |   31 ---
 qemu.spec                                          |  165 +++++++++++++---
 47 files changed, 3153 insertions(+), 111 deletions(-)
---
diff --git a/0200-ccid-Fix-buffer-overrun-in-handling-of-VSC_ATR-messa.patch b/0200-ccid-Fix-buffer-overrun-in-handling-of-VSC_ATR-messa.patch
new file mode 100644
index 0000000..6a8d715
--- /dev/null
+++ b/0200-ccid-Fix-buffer-overrun-in-handling-of-VSC_ATR-messa.patch
@@ -0,0 +1,42 @@
+From 792733e8aa8565a0b49c80539d0bc7a0ac19aaff Mon Sep 17 00:00:00 2001
+From: Markus Armbruster <armbru at redhat.com>
+Date: Mon, 28 Nov 2011 20:27:37 +0100
+Subject: [PATCH] ccid: Fix buffer overrun in handling of VSC_ATR message
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+ATR size exceeding the limit is diagnosed, but then we merrily use it
+anyway, overrunning card->atr[].
+
+The message is read from a character device.  Obvious security
+implications unless the other end of the character device is trusted.
+
+Spotted by Coverity.  CVE-2011-4111.
+
+Signed-off-by: Markus Armbruster <armbru at redhat.com>
+Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>
+(cherry picked from commit 7e62255a4b3e0e2ab84a3ec7398640e8ed58620a)
+
+Signed-off-by: Bruce Rogers <brogers at suse.com>
+[AF: Fixes BNC#731086.]
+Signed-off-by: Andreas Färber <afaerber at suse.de>
+---
+ hw/ccid-card-passthru.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/ccid-card-passthru.c b/hw/ccid-card-passthru.c
+index 28eb9d1..0505663 100644
+--- a/hw/ccid-card-passthru.c
++++ b/hw/ccid-card-passthru.c
+@@ -150,6 +150,7 @@ static void ccid_card_vscard_handle_message(PassthruState *card,
+             error_report("ATR size exceeds spec, ignoring");
+             ccid_card_vscard_send_error(card, scr_msg_header->reader_id,
+                                         VSC_GENERAL_ERROR);
++            break;
+         }
+         memcpy(card->atr, data, scr_msg_header->length);
+         card->atr_length = scr_msg_header->length;
+-- 
+1.7.11.2
+
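Review bot: The added `break;` sits inside an `if` and, judging by the indentation and the handler's name, leaves an enclosing switch on the message type rather than a loop, so the `memcpy(card->atr, data, scr_msg_header->length)` below is skipped for an oversized ATR; because the switch itself is outside the hunk, a reader of this patch cannot see that and could misread the statement as a no-op. A comment on the new line, `break; /* leave the switch: an oversized ATR must not be copied */`, would make the intent visible at the point of the fix. ccid_card_vscard_handle_message starts and ends outside the hunk.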
diff --git a/0201-qdev-Reset-hot-plugged-devices.patch b/0201-qdev-Reset-hot-plugged-devices.patch
new file mode 100644
index 0000000..36d506e
--- /dev/null
+++ b/0201-qdev-Reset-hot-plugged-devices.patch
@@ -0,0 +1,39 @@
+From c09233797d29cc18bc7d304ceeb8bef72f3acefb Mon Sep 17 00:00:00 2001
+From: Jan Kiszka <jan.kiszka at siemens.com>
+Date: Sun, 24 Jul 2011 19:38:36 +0200
+Subject: [PATCH] qdev: Reset hot-plugged devices
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Device models rely on the core invoking their reset handlers after init.
+We do this in the cold-plug case, but so far we miss this step after
+hot-plug.
+
+Signed-off-by: Jan Kiszka <jan.kiszka at siemens.com>
+Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>
+(cherry picked from commit 5ab28c8340f683121c081a181adfd9f72ab85cba)
+
+[AF: Fixes BNC#722958 / LTC#75394.]
+Signed-off-by: Andreas Färber <afaerber at suse.de>
+---
+ hw/qdev.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/hw/qdev.c b/hw/qdev.c
+index a0fcd06..b4ea8e1 100644
+--- a/hw/qdev.c
++++ b/hw/qdev.c
+@@ -289,6 +289,9 @@ int qdev_init(DeviceState *dev)
+                                        dev->alias_required_for_version);
+     }
+     dev->state = DEV_STATE_INITIALIZED;
++    if (dev->hotplugged && dev->info->reset) {
++        dev->info->reset(dev);
++    }
+     return 0;
+ }
+ 
+-- 
+1.7.11.2
+
diff --git a/0202-e1000-use-MII-status-register-for-link-up-down.patch b/0202-e1000-use-MII-status-register-for-link-up-down.patch
new file mode 100644
index 0000000..3f60fb3
--- /dev/null
+++ b/0202-e1000-use-MII-status-register-for-link-up-down.patch
@@ -0,0 +1,147 @@
+From 461473595d1dd1131cb060c460c87ca7b652939e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn at mork.no>
+Date: Wed, 17 Aug 2011 11:03:14 +0200
+Subject: [PATCH] e1000: use MII status register for link up/down
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Some guests will use the standard MII status register
+to verify link state.  They will not notice link changes
+unless this register is updated.
+
+Verified with Linux 3.0 and Windows XP guests.
+
+Without this patch, ethtool will report speed and duplex as
+unknown when the link is down, but still report the link as
+up.  This is because the Linux e1000 driver checks the
+mac_reg[STATUS] register link state before it checks speed
+and duplex, but uses the phy_reg[PHY_STATUS] register for
+the actual link state check.  Fix by updating both registers
+on link state changes.
+
+Linux guest before:
+
+ (qemu) set_link e1000.0 off
+
+ kvm-sid:~# ethtool eth0
+ Settings for eth0:
+        Supported ports: [ TP ]
+        Supported link modes:   10baseT/Half 10baseT/Full
+                                100baseT/Half 100baseT/Full
+                                1000baseT/Full
+        Supports auto-negotiation: Yes
+        Advertised link modes:  10baseT/Half 10baseT/Full
+                                100baseT/Half 100baseT/Full
+                                1000baseT/Full
+        Advertised pause frame use: No
+        Advertised auto-negotiation: Yes
+        Speed: Unknown!
+        Duplex: Unknown! (255)
+        Port: Twisted Pair
+        PHYAD: 0
+        Transceiver: internal
+        Auto-negotiation: on
+        MDI-X: Unknown
+        Supports Wake-on: umbg
+        Wake-on: d
+        Current message level: 0x00000007 (7)
+                               drv probe link
+        Link detected: yes
+
+ (qemu) set_link e1000.0 on
+
+Linux guest after:
+
+ (qemu) set_link e1000.0 off
+ [   63.384221] e1000: eth0 NIC Link is Down
+
+ kvm-sid:~# ethtool eth0
+ Settings for eth0:
+        Supported ports: [ TP ]
+        Supported link modes:   10baseT/Half 10baseT/Full
+                                100baseT/Half 100baseT/Full
+                                1000baseT/Full
+        Supports auto-negotiation: Yes
+        Advertised link modes:  10baseT/Half 10baseT/Full
+                                100baseT/Half 100baseT/Full
+                                1000baseT/Full
+        Advertised pause frame use: No
+        Advertised auto-negotiation: Yes
+        Speed: Unknown!
+        Duplex: Unknown! (255)
+        Port: Twisted Pair
+        PHYAD: 0
+        Transceiver: internal
+        Auto-negotiation: on
+        MDI-X: Unknown
+        Supports Wake-on: umbg
+        Wake-on: d
+        Current message level: 0x00000007 (7)
+                               drv probe link
+        Link detected: no
+
+ (qemu) set_link e1000.0 on
+ [   84.304582] e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX
+
+Signed-off-by: Bjørn Mork <bjorn at mork.no>
+Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>
+(cherry picked from commit d4044c2a6b9ba4a00dd653f515a4b0ebfcb7e125)
+
+Signed-off-by: Andreas Färber <afaerber at suse.de>
+---
+ hw/e1000.c    |  7 +++++--
+ hw/e1000_hw.h | 17 +++++++++++++++++
+ 2 files changed, 22 insertions(+), 2 deletions(-)
+
+diff --git a/hw/e1000.c b/hw/e1000.c
+index 96d84f9..e4d9ab5 100644
+--- a/hw/e1000.c
++++ b/hw/e1000.c
+@@ -624,10 +624,13 @@ e1000_set_link_status(VLANClientState *nc)
+     E1000State *s = DO_UPCAST(NICState, nc, nc)->opaque;
+     uint32_t old_status = s->mac_reg[STATUS];
+ 
+-    if (nc->link_down)
++    if (nc->link_down) {
+         s->mac_reg[STATUS] &= ~E1000_STATUS_LU;
+-    else
++        s->phy_reg[PHY_STATUS] &= ~MII_SR_LINK_STATUS;
++    } else {
+         s->mac_reg[STATUS] |= E1000_STATUS_LU;
++        s->phy_reg[PHY_STATUS] |= MII_SR_LINK_STATUS;
++    }
+ 
+     if (s->mac_reg[STATUS] != old_status)
+         set_ics(s, 0, E1000_ICR_LSC);
+diff --git a/hw/e1000_hw.h b/hw/e1000_hw.h
+index 9bd8a4b..2e341ac 100644
+--- a/hw/e1000_hw.h
++++ b/hw/e1000_hw.h
+@@ -349,6 +349,23 @@
+ #define M88E1000_PHY_VCO_REG_BIT8  0x100 /* Bits 8 & 11 are adjusted for */
+ #define M88E1000_PHY_VCO_REG_BIT11 0x800    /* improved BER performance */
+ 
++/* PHY Status Register */
++#define MII_SR_EXTENDED_CAPS     0x0001	/* Extended register capabilities */
++#define MII_SR_JABBER_DETECT     0x0002	/* Jabber Detected */
++#define MII_SR_LINK_STATUS       0x0004	/* Link Status 1 = link */
++#define MII_SR_AUTONEG_CAPS      0x0008	/* Auto Neg Capable */
++#define MII_SR_REMOTE_FAULT      0x0010	/* Remote Fault Detect */
++#define MII_SR_AUTONEG_COMPLETE  0x0020	/* Auto Neg Complete */
++#define MII_SR_PREAMBLE_SUPPRESS 0x0040	/* Preamble may be suppressed */
++#define MII_SR_EXTENDED_STATUS   0x0100	/* Ext. status info in Reg 0x0F */
++#define MII_SR_100T2_HD_CAPS     0x0200	/* 100T2 Half Duplex Capable */
++#define MII_SR_100T2_FD_CAPS     0x0400	/* 100T2 Full Duplex Capable */
++#define MII_SR_10T_HD_CAPS       0x0800	/* 10T   Half Duplex Capable */
++#define MII_SR_10T_FD_CAPS       0x1000	/* 10T   Full Duplex Capable */
++#define MII_SR_100X_HD_CAPS      0x2000	/* 100X  Half Duplex Capable */
++#define MII_SR_100X_FD_CAPS      0x4000	/* 100X  Full Duplex Capable */
++#define MII_SR_100T4_CAPS        0x8000	/* 100T4 Capable */
++
+ /* Interrupt Cause Read */
+ #define E1000_ICR_TXDW          0x00000001 /* Transmit desc written back */
+ #define E1000_ICR_TXQE          0x00000002 /* Transmit Queue empty */
+-- 
+1.7.11.2
+
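Review bot: The new `MII_SR_*` definitions in the e1000_hw.h hunk separate the value from the trailing comment with a tab, while the surrounding `M88E1000_PHY_VCO_REG_*` lines in the same header use spaces; the block should follow the file's existing convention so the columns line up in every editor. The e1000.c hunk is fine as written: both `STATUS` and `PHY_STATUS` are updated on every transition, and the interrupt is still raised only when the MAC status actually changed.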
diff --git a/0203-e1000-Don-t-set-the-Capabilities-List-bit.patch b/0203-e1000-Don-t-set-the-Capabilities-List-bit.patch
new file mode 100644
index 0000000..6c174ec
--- /dev/null
+++ b/0203-e1000-Don-t-set-the-Capabilities-List-bit.patch
@@ -0,0 +1,43 @@
+From fe7f7d7ae7114fb220ed258e249f9a63834f6fa6 Mon Sep 17 00:00:00 2001
+From: dann frazier <dann.frazier at canonical.com>
+Date: Wed, 21 Sep 2011 14:06:25 -0600
+Subject: [PATCH] e1000: Don't set the Capabilities List bit
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[Originally sent to qemu-kvm list, but I was redirected here]
+
+The Capabilities Pointer is NULL, so this bit shouldn't be set. The state of
+this bit doesn't appear to change any behavior on Linux/Windows versions we've
+tested, but it does cause Windows' PCI/PCI Express Compliance Test to balk.
+
+I happen to have a physical 82540EM controller, and it also sets the
+Capabilities Bit, but it actually has items on the capabilities list to go
+with it :)
+
+Signed-off-by: dann frazier <dann.frazier at canonical.com>
+Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>
+(cherry picked from commit dd8e93799f13ef82d83c185b8e71e049452f7d40)
+
+Signed-off-by: Andreas Färber <afaerber at suse.de>
+---
+ hw/e1000.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/hw/e1000.c b/hw/e1000.c
+index e4d9ab5..7971457 100644
+--- a/hw/e1000.c
++++ b/hw/e1000.c
+@@ -1167,8 +1167,6 @@ static int pci_e1000_init(PCIDevice *pci_dev)
+ 
+     pci_conf = d->dev.config;
+ 
+-    /* TODO: we have no capabilities, so why is this bit set? */
+-    pci_set_word(pci_conf + PCI_STATUS, PCI_STATUS_CAP_LIST);
+     /* TODO: RST# value should be 0, PCI spec 6.2.4 */
+     pci_conf[PCI_CACHE_LINE_SIZE] = 0x10;
+ 
+-- 
+1.7.11.2
+
diff --git a/0204-e1000-bounds-packet-size-against-buffer-size.patch b/0204-e1000-bounds-packet-size-against-buffer-size.patch
new file mode 100644
index 0000000..f616bf7
--- /dev/null
+++ b/0204-e1000-bounds-packet-size-against-buffer-size.patch
@@ -0,0 +1,45 @@
+From 078c531e6b57f36359b74ea6c136c2ea1b5a9891 Mon Sep 17 00:00:00 2001
+From: Anthony Liguori <aliguori at us.ibm.com>
+Date: Mon, 23 Jan 2012 07:30:43 -0600
+Subject: [PATCH] e1000: bounds packet size against buffer size
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Otherwise we can write beyond the buffer and corrupt memory.  This is tracked
+as CVE-2012-0029.
+
+Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>
+(cherry picked from commit 65f82df0d7a71ce1b10cd4c5ab08888d176ac840)
+
+Signed-off-by: Bruce Rogers <brogers at suse.com>
+[AF: stable-0.15 does not have pci_dma_read(). Fixes BNC#740165.]
+Signed-off-by: Andreas Färber <afaerber at suse.de>
+---
+ hw/e1000.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/hw/e1000.c b/hw/e1000.c
+index 7971457..c91790b 100644
+--- a/hw/e1000.c
++++ b/hw/e1000.c
+@@ -472,6 +472,8 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
+             bytes = split_size;
+             if (tp->size + bytes > msh)
+                 bytes = msh - tp->size;
++
++            bytes = MIN(sizeof(tp->data) - tp->size, bytes);
+             cpu_physical_memory_read(addr, tp->data + tp->size, bytes);
+             if ((sz = tp->size + bytes) >= hdr && tp->size < hdr)
+                 memmove(tp->header, tp->data, hdr);
+@@ -487,6 +489,7 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
+         // context descriptor TSE is not set, while data descriptor TSE is set
+         DBGOUT(TXERR, "TCP segmentaion Error\n");
+     } else {
++        split_size = MIN(sizeof(tp->data) - tp->size, split_size);
+         cpu_physical_memory_read(addr, tp->data + tp->size, split_size);
+         tp->size += split_size;
+     }
+-- 
+1.7.11.2
+
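Review bot: The clamp `bytes = MIN(sizeof(tp->data) - tp->size, bytes);` in the first hunk, and the matching `split_size = MIN(sizeof(tp->data) - tp->size, split_size);` in the second, only bound the copy while `tp->size <= sizeof(tp->data)`; if tp->size ever exceeded the buffer the size_t subtraction would wrap and the clamp would let the oversized length through. Every copy visible here advances tp->size by a clamped amount, so the invariant appears to hold, but it is stated nowhere, and the descriptor lengths feeding it are guest-controlled. A one-line comment before the first clamp, `/* tp->size never exceeds sizeof(tp->data): every copy below is clamped to the remaining space */`, plus an `assert(tp->size <= sizeof(tp->data));` would document the assumption and catch a future regression. process_tx_desc starts and ends outside the hunk.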
diff --git a/0205-compatfd.c-Don-t-pass-NULL-pointer-to-SYS_signalfd.patch b/0205-compatfd.c-Don-t-pass-NULL-pointer-to-SYS_signalfd.patch
new file mode 100644
index 0000000..1c3b7ea
--- /dev/null
+++ b/0205-compatfd.c-Don-t-pass-NULL-pointer-to-SYS_signalfd.patch
@@ -0,0 +1,49 @@
+From 89409a7eee1d25a91c31402fdb35d8554e3a99d0 Mon Sep 17 00:00:00 2001
+From: Peter Maydell <peter.maydell at linaro.org>
+Date: Thu, 13 Oct 2011 18:45:37 +0100
+Subject: [PATCH] compatfd.c: Don't pass NULL pointer to SYS_signalfd
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Don't pass a NULL pointer in to SYS_signalfd in qemu_signalfd_available():
+this isn't valid and Valgrind complains about it.
+
+Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
+Reviewed-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
+Signed-off-by: Andrzej Zaborowski <andrew.zaborowski at intel.com>
+(cherry picked from commit 7f84c1272b601be88daeb828ec1890890c7aae25)
+
+Signed-off-by: Bruce Rogers <brogers at suse.com>
+Signed-off-by: Andreas Färber <afaerber at suse.de>
+---
+ compatfd.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/compatfd.c b/compatfd.c
+index 31654c6..02306a4 100644
+--- a/compatfd.c
++++ b/compatfd.c
+@@ -119,9 +119,17 @@ int qemu_signalfd(const sigset_t *mask)
+ bool qemu_signalfd_available(void)
+ {
+ #ifdef CONFIG_SIGNALFD
++    sigset_t mask;
++    int fd;
++    bool ok;
++    sigemptyset(&mask);
+     errno = 0;
+-    syscall(SYS_signalfd, -1, NULL, _NSIG / 8);
+-    return errno != ENOSYS;
++    fd = syscall(SYS_signalfd, -1, &mask, _NSIG / 8);
++    ok = (errno != ENOSYS);
++    if (fd >= 0) {
++        close(fd);
++    }
++    return ok;
+ #else
+     return false;
+ #endif
+-- 
+1.7.11.2
+
diff --git a/0206-kvm-avoid-reentring-kvm_flush_coalesced_mmio_buffer.patch b/0206-kvm-avoid-reentring-kvm_flush_coalesced_mmio_buffer.patch
new file mode 100644
index 0000000..cfe02b4
--- /dev/null
+++ b/0206-kvm-avoid-reentring-kvm_flush_coalesced_mmio_buffer.patch
@@ -0,0 +1,60 @@
+From 479c2a6a296d4fafc713746bf96127c1b20c381e Mon Sep 17 00:00:00 2001
+From: Avi Kivity <avi at redhat.com>
+Date: Tue, 18 Oct 2011 19:43:12 +0200
+Subject: [PATCH] kvm: avoid reentring kvm_flush_coalesced_mmio_buffer()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+mmio callbacks invoked by kvm_flush_coalesced_mmio_buffer() may
+themselves indirectly call kvm_flush_coalesced_mmio_buffer().
+Prevent reentering the function by checking a flag that indicates
+we're processing coalesced mmio requests.
+
+Signed-off-by: Avi Kivity <avi at redhat.com>
+(cherry picked from commit 1cae88b9f4121c9af0bf677435c6129e643280fd)
+
+Signed-off-by: Bruce Rogers <brogers at suse.com>
+Signed-off-by: Andreas Färber <afaerber at suse.de>
+---
+ kvm-all.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/kvm-all.c b/kvm-all.c
+index cbc2532..26621d0 100644
+--- a/kvm-all.c
++++ b/kvm-all.c
+@@ -64,6 +64,7 @@ struct KVMState
+     int vmfd;
+     int coalesced_mmio;
+     struct kvm_coalesced_mmio_ring *coalesced_mmio_ring;
++    bool coalesced_flush_in_progress;
+     int broken_set_mem_region;
+     int migration_log;
+     int vcpu_events;
+@@ -876,6 +877,13 @@ static int kvm_handle_internal_error(CPUState *env, struct kvm_run *run)
+ void kvm_flush_coalesced_mmio_buffer(void)
+ {
+     KVMState *s = kvm_state;
++
++    if (s->coalesced_flush_in_progress) {
++        return;
++    }
++
++    s->coalesced_flush_in_progress = true;
++
+     if (s->coalesced_mmio_ring) {
+         struct kvm_coalesced_mmio_ring *ring = s->coalesced_mmio_ring;
+         while (ring->first != ring->last) {
+@@ -888,6 +896,8 @@ void kvm_flush_coalesced_mmio_buffer(void)
+             ring->first = (ring->first + 1) % KVM_COALESCED_MMIO_MAX;
+         }
+     }
++
++    s->coalesced_flush_in_progress = false;
+ }
+ 
+ static void do_kvm_cpu_synchronize_state(void *_env)
+-- 
+1.7.11.2
+
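Review bot: The new `coalesced_flush_in_progress` field in `struct KVMState` is explained only in the commit message; nothing at the declaration says why it exists or that it is a plain (non-atomic) flag, so the next reader of kvm-all.c has to find this patch to understand the early return in kvm_flush_coalesced_mmio_buffer(). A comment on the field, `bool coalesced_flush_in_progress; /* set while draining the ring; mmio callbacks that re-enter kvm_flush_coalesced_mmio_buffer() return immediately */`, would carry that context into the source. Whether the function is only ever called with the global mutex held is not visible here; if it is, the comment could say so, since a plain bool is only a correct guard under that assumption.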
diff --git a/0207-vmdk-vmdk_read_cid-returns-garbage-if-p_name-is-NULL.patch b/0207-vmdk-vmdk_read_cid-returns-garbage-if-p_name-is-NULL.patch
new file mode 100644
index 0000000..7f6b622
--- /dev/null
+++ b/0207-vmdk-vmdk_read_cid-returns-garbage-if-p_name-is-NULL.patch
@@ -0,0 +1,36 @@
+From 1b09be835d853b8fd591e1f5de29ae20ed405722 Mon Sep 17 00:00:00 2001
+From: Pavel Borzenkov <pavel.borzenkov at gmail.com>
+Date: Tue, 18 Oct 2011 21:19:03 +0400
+Subject: [PATCH] vmdk: vmdk_read_cid returns garbage if p_name is NULL
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Spotted by Clang Analyzer
+
+Signed-off-by: Pavel Borzenkov <pavel.borzenkov at gmail.com>
+Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
+(cherry picked from commit 8379e46d1fd681b8aa4714382e2cdab05e5d0575)
+
+Signed-off-by: Bruce Rogers <brogers at suse.com>
+Signed-off-by: Andreas Färber <afaerber at suse.de>
+---
+ block/vmdk.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/block/vmdk.c b/block/vmdk.c
+index 37478d2..b5caa40 100644
+--- a/block/vmdk.c
++++ b/block/vmdk.c
+@@ -177,7 +177,7 @@ static void vmdk_free_extents(BlockDriverState *bs)
+ static uint32_t vmdk_read_cid(BlockDriverState *bs, int parent)
+ {
+     char desc[DESC_SIZE];
+-    uint32_t cid;
++    uint32_t cid = 0xffffffff;
+     const char *p_name, *cid_str;
+     size_t cid_str_size;
+     BDRVVmdkState *s = bs->opaque;
+-- 
+1.7.11.2
+
diff --git a/0208-block-Fix-bdrv_open-use-after-free.patch b/0208-block-Fix-bdrv_open-use-after-free.patch
new file mode 100644
index 0000000..ff9c621
--- /dev/null
+++ b/0208-block-Fix-bdrv_open-use-after-free.patch
@@ -0,0 +1,43 @@
+From 72e8677ee72152245f5dc222a85f83a6a382efe8 Mon Sep 17 00:00:00 2001
+From: Kevin Wolf <kwolf at redhat.com>
+Date: Wed, 26 Oct 2011 11:03:01 +0200
+Subject: [PATCH] block: Fix bdrv_open use after free
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+tmp_filename was used outside the block it was defined in, i.e. after it went
+out of scope. Move its declaration to the top level.
+
+Signed-off-by: Kevin Wolf <kwolf at redhat.com>
+(cherry picked from commit 2b5728164fcf5211bbae8d3c2fc6df62dd6b2295)
+
+Signed-off-by: Bruce Rogers <brogers at suse.com>
+Signed-off-by: Andreas Färber <afaerber at suse.de>
+---
+ block.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/block.c b/block.c
+index 9549b9e..4ebb18b 100644
+--- a/block.c
++++ b/block.c
+@@ -526,6 +526,7 @@ int bdrv_open(BlockDriverState *bs, const char *filename, int flags,
+               BlockDriver *drv)
+ {
+     int ret;
++    char tmp_filename[PATH_MAX];
+ 
+     if (flags & BDRV_O_SNAPSHOT) {
+         BlockDriverState *bs1;
+@@ -533,7 +534,6 @@ int bdrv_open(BlockDriverState *bs, const char *filename, int flags,
+         int is_protocol = 0;
+         BlockDriver *bdrv_qcow2;
+         QEMUOptionParameter *options;
+-        char tmp_filename[PATH_MAX];
+         char backing_filename[PATH_MAX];
+ 
+         /* if snapshot, we create a temporary backing file and open it
+-- 
+1.7.11.2
+
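Review bot: `char tmp_filename[PATH_MAX];` now lives for the whole of bdrv_open but is only filled in inside the `if (flags & BDRV_O_SNAPSHOT)` branch, so the later use the commit message refers to (the one that previously read the out-of-scope array) must stay guarded by the same flag, or an uninitialized path can be handed on. Initializing it at the declaration, `char tmp_filename[PATH_MAX] = "";`, makes the scope fix robust against that even if the guard is lost in a later edit. Note that this hunk only repairs the lifetime of the name; how the temporary file name is generated for -snapshot, which is what CVE-2012-2652 in the commit title is about, is changed by the separate qemu-snapshot-symlink-attack.patch in this commit. bdrv_open continues outside the hunk.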
diff --git a/0209-ide-Fix-off-by-one-error-in-array-index-check.patch b/0209-ide-Fix-off-by-one-error-in-array-index-check.patch
new file mode 100644
index 0000000..282d5a5
--- /dev/null
+++ b/0209-ide-Fix-off-by-one-error-in-array-index-check.patch
@@ -0,0 +1,34 @@
+From 99f6b4ed1c345b144b0f052974cb470036418020 Mon Sep 17 00:00:00 2001
+From: Kevin Wolf <kwolf at redhat.com>
+Date: Wed, 26 Oct 2011 11:52:47 +0200
+Subject: [PATCH] ide: Fix off-by-one error in array index check
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Kevin Wolf <kwolf at redhat.com>
+Reviewed-by: Paolo Bonzini <pbonzini at redhat.com>
+(cherry picked from commit fb60105d4942a26f571b1be92a8b9e7528d0c4d8)
+
+Signed-off-by: Bruce Rogers <brogers at suse.com>
+Signed-off-by: Andreas Färber <afaerber at suse.de>
+---
+ hw/ide/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/ide/core.c b/hw/ide/core.c
+index d145b19..9bc446e 100644
+--- a/hw/ide/core.c
++++ b/hw/ide/core.c
+@@ -1933,7 +1933,7 @@ static int ide_drive_pio_post_load(void *opaque, int version_id)
+ {
+     IDEState *s = opaque;
+ 
+-    if (s->end_transfer_fn_idx > ARRAY_SIZE(transfer_end_table)) {
++    if (s->end_transfer_fn_idx >= ARRAY_SIZE(transfer_end_table)) {
+         return -EINVAL;
+     }
+     s->end_transfer_func = transfer_end_table[s->end_transfer_fn_idx];
+-- 
+1.7.11.2
+
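Review bot: The corrected check `s->end_transfer_fn_idx >= ARRAY_SIZE(transfer_end_table)` compares a value restored from the migration stream against a size_t; if end_transfer_fn_idx is a signed type, the comparison rejects negative values only because the usual arithmetic conversions turn them into large unsigned ones, which works but is easy to break with a later cast. Since this is post-load input, a comment making that explicit, `/* idx comes from the migration stream; the unsigned comparison also rejects negative values */`, or an explicit `< 0` test if the field is signed, would keep the bound check deliberate. The declared type of end_transfer_fn_idx is not visible in the hunk.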
diff --git a/0210-acl-Fix-use-after-free-in-qemu_acl_reset.patch b/0210-acl-Fix-use-after-free-in-qemu_acl_reset.patch
new file mode 100644
index 0000000..e86dd11
--- /dev/null
+++ b/0210-acl-Fix-use-after-free-in-qemu_acl_reset.patch
@@ -0,0 +1,52 @@
+From fa9ad46e1a4b3707a465bccf6f4431db7a647a08 Mon Sep 17 00:00:00 2001
+From: Markus Armbruster <armbru at redhat.com>
+Date: Fri, 28 Oct 2011 17:07:02 +0200
+Subject: [PATCH] acl: Fix use after free in qemu_acl_reset()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reproducer:
+
+    $ MALLOC_PERTURB_=234 qemu-system-x86_64 -vnc :0,acl,sasl [...]
+    QEMU 0.15.50 monitor - type 'help' for more information
+    (qemu) acl_add vnc.username fred allow
+    acl: added rule at position 1
+    (qemu) acl_reset vnc.username
+    Segmentation fault (core dumped)
+
+Spotted by Coverity.
+
+Signed-off-by: Markus Armbruster <armbru at redhat.com>
+Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
+(cherry picked from commit 0ce6a434176e274a7e86bcaa268542c5cc402696)
+
+Signed-off-by: Bruce Rogers <brogers at suse.com>
+Signed-off-by: Andreas Färber <afaerber at suse.de>
+---
+ acl.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/acl.c b/acl.c
+index 82c2704..cae059f 100644
+--- a/acl.c
++++ b/acl.c
+@@ -95,13 +95,13 @@ int qemu_acl_party_is_allowed(qemu_acl *acl,
+ 
+ void qemu_acl_reset(qemu_acl *acl)
+ {
+-    qemu_acl_entry *entry;
++    qemu_acl_entry *entry, *next_entry;
+ 
+     /* Put back to deny by default, so there is no window
+      * of "open access" while the user re-initializes the
+      * access control list */
+     acl->defaultDeny = 1;
+-    QTAILQ_FOREACH(entry, &acl->entries, next) {
++    QTAILQ_FOREACH_SAFE(entry, &acl->entries, next, next_entry) {
+         QTAILQ_REMOVE(&acl->entries, entry, next);
+         free(entry->match);
+         free(entry);
+-- 
+1.7.11.2
+
diff --git a/0211-migration-flush-migration-data-to-disk.patch b/0211-migration-flush-migration-data-to-disk.patch
new file mode 100644
index 0000000..41a628d
--- /dev/null
+++ b/0211-migration-flush-migration-data-to-disk.patch
@@ -0,0 +1,71 @@
+From 06400ebc136bf44f1fa423159fae9cc9a4f6839d Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel at redhat.com>
+Date: Thu, 27 Oct 2011 09:12:04 +0200
+Subject: [PATCH] migration: flush migration data to disk.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch increases robustness when migrating to a file with
+two little changes:
+
+ (1) Before closing the migration file handle checks if it happens to be
+     a regular file and if so it issues a fsync.  This way the data is
+     flushed to disk before qemu sends the migration completed event.
+ (2) It adds error checking.  In case either fsync or close syscall
+     fails pass up the error (and fail migration).
+
+[ v2: return -errno instead of -1 ]
+
+Cc: Juan Quintela <quintela at redhat.com>
+Cc: Jiri Denemark <jdenemar at redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
+Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>
+(cherry picked from commit aab2293687ee54a409f3fb53a1ab3595b595e0fb)
+
+Signed-off-by: Bruce Rogers <brogers at suse.com>
+Signed-off-by: Andreas Färber <afaerber at suse.de>
+---
+ migration-fd.c | 23 ++++++++++++++++++++++-
+ 1 file changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/migration-fd.c b/migration-fd.c
+index 66d51c1..f986bdf 100644
+--- a/migration-fd.c
++++ b/migration-fd.c
+@@ -42,10 +42,31 @@ static int fd_write(FdMigrationState *s, const void * buf, size_t size)
+ 
+ static int fd_close(FdMigrationState *s)
+ {
++    struct stat st;
++    int ret;
++
+     DPRINTF("fd_close\n");
+     if (s->fd != -1) {
+-        close(s->fd);
++        ret = fstat(s->fd, &st);
++        if (ret == 0 && S_ISREG(st.st_mode)) {
++            /*
++             * If the file handle is a regular file make sure the
++             * data is flushed to disk before signaling success.
++             */
++            ret = fsync(s->fd);
++            if (ret != 0) {
++                ret = -errno;
++                perror("migration-fd: fsync");
++                return ret;
++            }
++        }
++        ret = close(s->fd);
+         s->fd = -1;
++        if (ret != 0) {
++            ret = -errno;
++            perror("migration-fd: close");
++            return ret;
++        }
+     }
+     return 0;
+ }
+-- 
+1.7.11.2
+
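Review bot: On fsync failure the new fd_close returns with `s->fd` still open and still not reset to -1, so the descriptor leaks unless the caller retries fd_close, and the close error handling below is never reached for it. Unless a retry is intended, closing before returning keeps the error report and avoids the leak: after `perror("migration-fd: fsync");` add `close(s->fd); s->fd = -1;` (ret already holds -errno from fsync, so a failing close does not change the value returned). If leaving the descriptor open for a retry is deliberate, a short comment saying so on the early return would be enough.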
diff --git a/0212-Fix-X86-CPU-topology-in-KVM-mode.patch b/0212-Fix-X86-CPU-topology-in-KVM-mode.patch
new file mode 100644
index 0000000..444b80a
--- /dev/null
+++ b/0212-Fix-X86-CPU-topology-in-KVM-mode.patch
@@ -0,0 +1,55 @@
+From 7a890dc5d4e79e4ced03aa9d3665c9a1df3e448e Mon Sep 17 00:00:00 2001
+From: Bharata B Rao <bharata.rao at gmail.com>
+Date: Wed, 2 Nov 2011 14:16:08 +0530
+Subject: [PATCH] Fix X86 CPU topology in KVM mode
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+apic id returned to guest kernel in ebx for cpuid(function=1) depends on
+CPUX86State->cpuid_apic_id which gets populated after the cpuid information
+is cached in the host kernel. This results in broken CPU topology in guest.
+
+Fix this by setting cpuid_apic_id before cpuid information is passed to
+the host kernel. This is done by moving the setting of cpuid_apic_id
+to cpu_x86_init() where it will work for both KVM as well as TCG modes.
+
+Acked-by: Jan Kiszka <jan.kiszka at siemens.com>
+Signed-off-by: Bharata B Rao <bharata.rao at gmail.com>
+Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>
+(cherry picked from commit f2209eb854a016eabc444b45f6d6b1636949141f)
+
+Signed-off-by: Bruce Rogers <brogers at suse.com>
+Signed-off-by: Andreas Färber <afaerber at suse.de>
+---
+ hw/pc.c              | 1 -
+ target-i386/helper.c | 1 +
+ 2 files changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/pc.c b/hw/pc.c
+index a3e8539..14ce684 100644
+--- a/hw/pc.c
++++ b/hw/pc.c
+@@ -931,7 +931,6 @@ static CPUState *pc_new_cpu(const char *cpu_model)
+         exit(1);
+     }
+     if ((env->cpuid_features & CPUID_APIC) || smp_cpus > 1) {
+-        env->cpuid_apic_id = env->cpu_index;
+         env->apic_state = apic_init(env, env->cpuid_apic_id);
+     }
+     qemu_register_reset(pc_cpu_reset, env);
+diff --git a/target-i386/helper.c b/target-i386/helper.c
+index e9be104..829c1da 100644
+--- a/target-i386/helper.c
++++ b/target-i386/helper.c
+@@ -1258,6 +1258,7 @@ CPUX86State *cpu_x86_init(const char *cpu_model)
+         cpu_x86_close(env);
+         return NULL;
+     }
++    env->cpuid_apic_id = env->cpu_index;
+     mce_init(env);
+ 
+     qemu_init_vcpu(env);
+-- 
+1.7.11.2
+
diff --git a/0213-hw-lan9118.c-Add-missing-break-to-fix-buffer-overrun.patch b/0213-hw-lan9118.c-Add-missing-break-to-fix-buffer-overrun.patch
new file mode 100644
index 0000000..2523e90
--- /dev/null
+++ b/0213-hw-lan9118.c-Add-missing-break-to-fix-buffer-overrun.patch
@@ -0,0 +1,37 @@
+From e9552556f514b334b78ed56e32b4af366b429a0b Mon Sep 17 00:00:00 2001
+From: Peter Maydell <peter.maydell at linaro.org>
+Date: Wed, 9 Nov 2011 18:59:54 +0000
+Subject: [PATCH] hw/lan9118.c: Add missing 'break' to fix buffer overrun
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Add a missing 'break' statement to fix a buffer overrun when
+executing the EEPROM write-all command. Spotted by Coverity
+(see bug 887883).
+
+Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
+Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
+(cherry picked from commit 0e3b800e71cb7759d099eabbd8ad4c4fe848e381)
+
+Signed-off-by: Bruce Rogers <brogers at suse.com>
+Signed-off-by: Andreas Färber <afaerber at suse.de>
+---
+ hw/lan9118.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/lan9118.c b/hw/lan9118.c
+index 73a8661..494b11d 100644
+--- a/hw/lan9118.c
++++ b/hw/lan9118.c
+@@ -863,6 +863,7 @@ static void lan9118_eeprom_cmd(lan9118_state *s, int cmd, int addr)
+         } else {
+             DPRINTF("EEPROM Write All (ignored)\n");
+         }
++        break;
+     case 5: /* ERASE */
+         if (s->eeprom_writable) {
+             s->eeprom[addr] = 0xff;
+-- 
+1.7.11.2
+
diff --git a/0214-ac97-don-t-override-the-pci-subsystem-id.patch b/0214-ac97-don-t-override-the-pci-subsystem-id.patch
new file mode 100644
index 0000000..f42640e
--- /dev/null
+++ b/0214-ac97-don-t-override-the-pci-subsystem-id.patch
@@ -0,0 +1,119 @@
+From 498a3d8b7d28b8c114d65d9db5ccf3e96e2458f1 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel at redhat.com>
+Date: Mon, 7 Nov 2011 16:33:09 +0100
+Subject: [PATCH] ac97: don't override the pci subsystem id
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch removes the code lines which set the subsystem id for the
+emulated ac97 card to 8086:0000.  Due to the device id being zero the
+subsystem id isn't vaild anyway.  With the patch applied the sound card
+gets the default qemu subsystem id (1af4:1100) instead.
+
+[ v2: old & broken id is maintained for -M pc-$oldqemuversion ]
+
+Cc: Takashi Iwai <tiwai at suse.de>
+Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
+Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>
+(cherry picked from commit 25a21c94c0055e078acb7f7455e66c8a15f32385)
+
+Signed-off-by: Bruce Rogers <brogers at suse.com>
+Signed-off-by: Andreas Färber <afaerber at suse.de>
+---
+ hw/ac97.c    | 16 +++++++++++-----
+ hw/pc_piix.c | 16 ++++++++++++++++
+ 2 files changed, 27 insertions(+), 5 deletions(-)
+
+diff --git a/hw/ac97.c b/hw/ac97.c
+index 0b59896..a039481 100644
+--- a/hw/ac97.c
++++ b/hw/ac97.c
+@@ -149,6 +149,7 @@ typedef struct AC97BusMasterRegs {
+ typedef struct AC97LinkState {
+     PCIDevice dev;
+     QEMUSoundCard card;
++    uint32_t use_broken_id;
+     uint32_t glob_cnt;
+     uint32_t glob_sta;
+     uint32_t cas;
+@@ -1301,11 +1302,12 @@ static int ac97_initfn (PCIDevice *dev)
+     c[PCI_BASE_ADDRESS_0 + 6] = 0x00;
+     c[PCI_BASE_ADDRESS_0 + 7] = 0x00;
+ 
+-    c[PCI_SUBSYSTEM_VENDOR_ID] = 0x86;      /* svid subsystem vendor id rwo */
+-    c[PCI_SUBSYSTEM_VENDOR_ID + 1] = 0x80;
+-
+-    c[PCI_SUBSYSTEM_ID] = 0x00;      /* sid subsystem id rwo */
+-    c[PCI_SUBSYSTEM_ID + 1] = 0x00;
++    if (s->use_broken_id) {
++        c[PCI_SUBSYSTEM_VENDOR_ID] = 0x86;
++        c[PCI_SUBSYSTEM_VENDOR_ID + 1] = 0x80;
++        c[PCI_SUBSYSTEM_ID] = 0x00;
++        c[PCI_SUBSYSTEM_ID + 1] = 0x00;
++    }
+ 
+     c[PCI_INTERRUPT_LINE] = 0x00;      /* intr_ln interrupt line rw */
+     /* TODO: RST# value should be 0. */
+@@ -1336,6 +1338,10 @@ static PCIDeviceInfo ac97_info = {
+     .device_id    = PCI_DEVICE_ID_INTEL_82801AA_5,
+     .revision     = 0x01,
+     .class_id     = PCI_CLASS_MULTIMEDIA_AUDIO,
++    .qdev.props   = (Property[]) {
++        DEFINE_PROP_UINT32("use_broken_id", AC97LinkState, use_broken_id, 0),
++        DEFINE_PROP_END_OF_LIST(),
++    }
+ };
+ 
+ static void ac97_register (void)
+diff --git a/hw/pc_piix.c b/hw/pc_piix.c
+index c5c16b4..31552fd 100644
+--- a/hw/pc_piix.c
++++ b/hw/pc_piix.c
+@@ -300,6 +300,10 @@ static QEMUMachine pc_machine_v0_13 = {
+             .driver   = "virtio-net-pci",
+             .property = "event_idx",
+             .value    = "off",
++        },{
++            .driver   = "AC97",
++            .property = "use_broken_id",
++            .value    = stringify(1),
+         },
+         { /* end of list */ }
+     },
+@@ -343,6 +347,10 @@ static QEMUMachine pc_machine_v0_12 = {
+             .driver   = "virtio-net-pci",
+             .property = "event_idx",
+             .value    = "off",
++        },{
++            .driver   = "AC97",
++            .property = "use_broken_id",
++            .value    = stringify(1),
+         },
+         { /* end of list */ }
+     }
+@@ -394,6 +402,10 @@ static QEMUMachine pc_machine_v0_11 = {
+             .driver   = "virtio-net-pci",
+             .property = "event_idx",
+             .value    = "off",
++        },{
++            .driver   = "AC97",
++            .property = "use_broken_id",
++            .value    = stringify(1),
+         },
+         { /* end of list */ }
+     }
+@@ -457,6 +469,10 @@ static QEMUMachine pc_machine_v0_10 = {
+             .driver   = "virtio-net-pci",
+             .property = "event_idx",
+             .value    = "off",
++        },{
++            .driver   = "AC97",
++            .property = "use_broken_id",
++            .value    = stringify(1),
+         },
+         { /* end of list */ }
+     },
+-- 
+1.7.11.2
+
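Review bot: The new `if (s->use_broken_id)` block in ac97_initfn drops the `svid subsystem vendor id rwo` / `sid subsystem id rwo` comments the removed lines carried, and nothing in the code says why an invalid 8086:0000 id is still written at all. A one-line comment above the block would keep the intent with the code, e.g. `/* Keep the old (invalid) 8086:0000 subsystem id for the older machine types that set use_broken_id (pc-0.13 and earlier in pc_piix.c). */`. The property is a uint32_t but is only ever tested for non-zero, so stating on the `DEFINE_PROP_UINT32("use_broken_id", ...)` line that it is a boolean compatibility switch would help the next reader too.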
diff --git a/0215-vvfat-Fix-potential-buffer-overflow.patch b/0215-vvfat-Fix-potential-buffer-overflow.patch
new file mode 100644
index 0000000..4f9d07c
--- /dev/null
+++ b/0215-vvfat-Fix-potential-buffer-overflow.patch
@@ -0,0 +1,36 @@
+From f03f1fc43b30c377a553daf7709e1f0f392a532b Mon Sep 17 00:00:00 2001
+From: Kevin Wolf <kwolf at redhat.com>
+Date: Wed, 1 Jun 2011 10:57:00 +0200
+Subject: [PATCH] vvfat: Fix potential buffer overflow
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+path2[PATH_MAX] can be used for the null termination, so make the array big
+enough to allow this.
+
+Signed-off-by: Kevin Wolf <kwolf at redhat.com>
+(cherry picked from commit 0d460d6f414e02805cbc348404db03b2b7907360)
+
+Signed-off-by: Bruce Rogers <brogers at suse.com>
+Signed-off-by: Andreas Färber <afaerber at suse.de>
+---
+ block/vvfat.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/block/vvfat.c b/block/vvfat.c
+index fe568fe..98b58f0 100644
+--- a/block/vvfat.c
++++ b/block/vvfat.c
+@@ -1741,7 +1741,7 @@ static int check_directory_consistency(BDRVVVFATState *s,
+ 
+     long_file_name lfn;
+     int path_len = strlen(path);
+-    char path2[PATH_MAX];
++    char path2[PATH_MAX + 1];
+ 
+     assert(path_len < PATH_MAX); /* len was tested before! */
+     pstrcpy(path2, sizeof(path2), path);
+-- 
+1.7.11.2
+
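Review bot: The `+ 1` in `char path2[PATH_MAX + 1];` is explained only by the commit message; a reader of check_directory_consistency sees `assert(path_len < PATH_MAX);` and `pstrcpy(path2, sizeof(path2), path);` directly after it and cannot tell why the extra byte is needed. A comment on the declaration, `/* +1: index PATH_MAX is written as the terminator further down */`, keeps that with the code. The part of check_directory_consistency where that write happens is outside the hunk, so this is taken from the commit message rather than the visible lines.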
diff --git a/0216-vns-tls-don-t-use-depricated-gnutls-functions.patch b/0216-vns-tls-don-t-use-depricated-gnutls-functions.patch
new file mode 100644
index 0000000..a47ad72
--- /dev/null
+++ b/0216-vns-tls-don-t-use-depricated-gnutls-functions.patch
@@ -0,0 +1,116 @@
+From 5a32540f7b39f0b1224c3d6f1d12b6d4e358fe0a Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel at redhat.com>
+Date: Wed, 7 Sep 2011 17:52:10 +0200
+Subject: [PATCH] vns/tls: don't use depricated gnutls functions
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Avoid using deprecated gnutls functions with recent gnutls versions.
+Fixes build failure on Fedora 16.  Keep the old way for compatibility
+with old installations such as RHEL-5 (gnutls 1.4.x).
+
+Based on a patch from Raghavendra D Prabhu <raghu.prabhu13 at gmail.com>
+
+Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
+Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>
+(cherry picked from commit f40d55081667a716312b9a8b6e13835c4074f56b)
+
+Signed-off-by: Bruce Rogers <brogers at suse.com>
+Signed-off-by: Andreas Färber <afaerber at suse.de>
+---
+ ui/vnc-tls.c | 68 +++++++++++++++++++++++++++++++++++++++++++-----------------
+ 1 file changed, 49 insertions(+), 19 deletions(-)
+
+diff --git a/ui/vnc-tls.c b/ui/vnc-tls.c
+index 31f1467..f5ed306 100644
+--- a/ui/vnc-tls.c
++++ b/ui/vnc-tls.c
+@@ -283,13 +283,57 @@ int vnc_tls_validate_certificate(struct VncState *vs)
+     return 0;
+ }
+ 
++#if defined(GNUTLS_VERSION_NUMBER) && \
++    GNUTLS_VERSION_NUMBER >= 0x020200 /* 2.2.0 */
++
++static int vnc_set_gnutls_priority(gnutls_session_t s, int x509)
++{
++    const char *priority = x509 ? "NORMAL" : "NORMAL:+ANON-DH";
++    int rc;
++
++    rc = gnutls_priority_set_direct(s, priority, NULL);
++    if (rc != GNUTLS_E_SUCCESS) {
++        return -1;
++    }
++    return 0;
++}
++
++#else
++
++static int vnc_set_gnutls_priority(gnutls_session_t s, int x509)
++{
++    static const int cert_types[] = { GNUTLS_CRT_X509, 0 };
++    static const int protocols[] = {
++        GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0
++    };
++    static const int kx_anon[] = { GNUTLS_KX_ANON_DH, 0 };
++    static const int kx_x509[] = {
++        GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA,
++        GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0
++    };
++    int rc;
++
++    rc = gnutls_kx_set_priority(s, x509 ? kx_x509 : kx_anon);
++    if (rc != GNUTLS_E_SUCCESS) {
++        return -1;
++    }
++
++    rc = gnutls_certificate_type_set_priority(s, cert_types);
++    if (rc != GNUTLS_E_SUCCESS) {
++        return -1;
++    }
++
++    rc = gnutls_protocol_set_priority(s, protocols);
++    if (rc != GNUTLS_E_SUCCESS) {
++        return -1;
++    }
++    return 0;
++}
++
++#endif
+ 
+ int vnc_tls_client_setup(struct VncState *vs,
+                          int needX509Creds) {
+-    static const int cert_type_priority[] = { GNUTLS_CRT_X509, 0 };
+-    static const int protocol_priority[]= { GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0 };
+-    static const int kx_anon[] = {GNUTLS_KX_ANON_DH, 0};
+-    static const int kx_x509[] = {GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA, GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0};
+ 
+     VNC_DEBUG("Do TLS setup\n");
+     if (vnc_tls_initialize() < 0) {
+@@ -310,21 +354,7 @@ int vnc_tls_client_setup(struct VncState *vs,
+             return -1;
+         }
+ 
+-        if (gnutls_kx_set_priority(vs->tls.session, needX509Creds ? kx_x509 : kx_anon) < 0) {
+-            gnutls_deinit(vs->tls.session);
+-            vs->tls.session = NULL;
+-            vnc_client_error(vs);
+-            return -1;
+-        }
+-
+-        if (gnutls_certificate_type_set_priority(vs->tls.session, cert_type_priority) < 0) {
+-            gnutls_deinit(vs->tls.session);
+-            vs->tls.session = NULL;
+-            vnc_client_error(vs);
+-            return -1;
+-        }
+-
+-        if (gnutls_protocol_set_priority(vs->tls.session, protocol_priority) < 0) {
++        if (vnc_set_gnutls_priority(vs->tls.session, needX509Creds) < 0) {
+             gnutls_deinit(vs->tls.session);
+             vs->tls.session = NULL;
+             vnc_client_error(vs);
+-- 
+1.7.11.2
+
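Review bot: The two `vnc_set_gnutls_priority` implementations are not equivalent and nothing in the hunk says so: the `#else` branch pins the certificate types and an explicit TLS1.1/TLS1.0/SSL3 protocol list, while the `GNUTLS_VERSION_NUMBER >= 0x020200` branch hands protocol and cipher selection to the library's `"NORMAL"` defaults. A comment above the `#if`, e.g. `/* gnutls >= 2.2.0: let the NORMAL priority pick protocols/ciphers; older versions: the explicit lists (including SSL3) used before this helper existed */`, records that difference. In both branches the x509 argument decides whether ANON-DH is enabled, and anonymous DH gives the client no server authentication, so a note on the parameter that it is only expected to be 0 for the non-certificate setup would make that visible at the definition. Both helpers also collapse every gnutls error code into -1, so the caller's vnc_client_error path cannot tell which step failed; returning rc (gnutls codes are negative, and the caller tests `< 0`) would keep that information.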
diff --git a/0217-block-curl-Implement-a-flush-function-on-the-fd-hand.patch b/0217-block-curl-Implement-a-flush-function-on-the-fd-hand.patch
new file mode 100644
index 0000000..581f5fe
--- /dev/null
+++ b/0217-block-curl-Implement-a-flush-function-on-the-fd-hand.patch
@@ -0,0 +1,76 @@
+From 84be2986f687b998f583b27d8b3e068e87032418 Mon Sep 17 00:00:00 2001
+From: Nick Thomas <nick at bytemark.co.uk>
+Date: Wed, 21 Sep 2011 11:55:49 +0100
+Subject: [PATCH] block/curl: Implement a flush function on the fd handlers
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Nick Thomas <nick at bytemark.co.uk>
+Signed-off-by: Kevin Wolf <kwolf at redhat.com>
+(cherry picked from commit c84dcdc1d6583ebe5841907c99d95deb8c40a6e0)
+
+Signed-off-by: Bruce Rogers <brogers at suse.com>
+Signed-off-by: Andreas Färber <afaerber at suse.de>
+---
+ block/curl.c | 26 ++++++++++++++++++++++----
+ 1 file changed, 22 insertions(+), 4 deletions(-)
+
+diff --git a/block/curl.c b/block/curl.c
+index 407f095..6cf6a70 100644
+--- a/block/curl.c
++++ b/block/curl.c
+@@ -76,6 +76,7 @@ typedef struct BDRVCURLState {
+ 
+ static void curl_clean_state(CURLState *s);
+ static void curl_multi_do(void *arg);
++static int curl_aio_flush(void *opaque);
+ 
+ static int curl_sock_cb(CURL *curl, curl_socket_t fd, int action,
+                         void *s, void *sp)
+@@ -83,14 +84,16 @@ static int curl_sock_cb(CURL *curl, curl_socket_t fd, int action,
+     DPRINTF("CURL (AIO): Sock action %d on fd %d\n", action, fd);
+     switch (action) {
+         case CURL_POLL_IN:
+-            qemu_aio_set_fd_handler(fd, curl_multi_do, NULL, NULL, NULL, s);
++            qemu_aio_set_fd_handler(fd, curl_multi_do, NULL, curl_aio_flush,
++                                    NULL, s);
+             break;
+         case CURL_POLL_OUT:
+-            qemu_aio_set_fd_handler(fd, NULL, curl_multi_do, NULL, NULL, s);
++            qemu_aio_set_fd_handler(fd, NULL, curl_multi_do, curl_aio_flush,
++                                    NULL, s);
+             break;
+         case CURL_POLL_INOUT:
+-            qemu_aio_set_fd_handler(fd, curl_multi_do,
+-                                    curl_multi_do, NULL, NULL, s);
++            qemu_aio_set_fd_handler(fd, curl_multi_do, curl_multi_do,
++                                    curl_aio_flush, NULL, s);
+             break;
+         case CURL_POLL_REMOVE:
+             qemu_aio_set_fd_handler(fd, NULL, NULL, NULL, NULL, NULL);
+@@ -394,6 +397,21 @@ out_noclean:
+     return -EINVAL;
+ }
+ 
++static int curl_aio_flush(void *opaque)
++{
++    BDRVCURLState *s = opaque;
++    int i, j;
++
++    for (i=0; i < CURL_NUM_STATES; i++) {
++        for(j=0; j < CURL_NUM_ACB; j++) {
++            if (s->states[i].acb[j]) {
++                return 1;
++            }
++        }
++    }
++    return 0;
++}
++
+ static void curl_aio_cancel(BlockDriverAIOCB *blockacb)
+ {
+     // Do we have to implement canceling? Seems to work without...
+-- 
+1.7.11.2
+
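Review bot: The loops in the new `curl_aio_flush` are written `for (i=0; i < CURL_NUM_STATES; i++)` and `for(j=0; j < CURL_NUM_ACB; j++)`, which mixes two spacings and matches neither the surrounding `switch (action)` style nor the `for (i = 0; ...)` form used elsewhere; `for (i = 0; i < CURL_NUM_STATES; i++) {` and `for (j = 0; j < CURL_NUM_ACB; j++) {` would fix both. The function has no comment on its contract; from the body it returns 1 as soon as any `s->states[i].acb[j]` is non-NULL and 0 otherwise, so `/* Tell the AIO loop whether any request is still in flight on this CURL state. */` above the definition would document that. How qemu_aio_set_fd_handler uses the flush callback is outside this hunk.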
diff --git a/0218-hda-do-not-mix-output-and-input-streams-RHBZ-740493.patch b/0218-hda-do-not-mix-output-and-input-streams-RHBZ-740493.patch
new file mode 100644
index 0000000..a4f5088
--- /dev/null
+++ b/0218-hda-do-not-mix-output-and-input-streams-RHBZ-740493.patch
@@ -0,0 +1,51 @@
+From 05a5f7c79ad8dc4887e7cd60c2572121b51adce7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau at gmail.com>
+Date: Tue, 25 Oct 2011 16:53:00 +0200
+Subject: [PATCH] hda: do not mix output and input streams, RHBZ #740493
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Windows 7 may use the same stream number for input and output.
+That will result in lot of garbage on playback.
+
+The hardcoded value of 4 needs to be in sync with GCAP streams
+description and IN/OUT registers.
+
+Signed-off-by: Marc-Andr? Lureau <marcandre.lureau at redhat.com>
+Signed-off-by: malc <av1474 at comtv.ru>
+(cherry picked from commit 36ac4ad3d054a7b4962a6393630a73591cfa9558)
+
+Signed-off-by: Bruce Rogers <brogers at suse.com>
+Signed-off-by: Andreas Färber <afaerber at suse.de>
+---
+ hw/intel-hda.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/hw/intel-hda.c b/hw/intel-hda.c
+index 5a2bc3a..7d02558 100644
+--- a/hw/intel-hda.c
++++ b/hw/intel-hda.c
+@@ -389,14 +389,15 @@ static bool intel_hda_xfer(HDACodecDevice *dev, uint32_t stnr, bool output,
+ {
+     HDACodecBus *bus = DO_UPCAST(HDACodecBus, qbus, dev->qdev.parent_bus);
+     IntelHDAState *d = container_of(bus, IntelHDAState, codecs);
+-    IntelHDAStream *st = NULL;
+     target_phys_addr_t addr;
+     uint32_t s, copy, left;
++    IntelHDAStream *st;
+     bool irq = false;
+ 
+-    for (s = 0; s < ARRAY_SIZE(d->st); s++) {
+-        if (stnr == ((d->st[s].ctl >> 20) & 0x0f)) {
+-            st = d->st + s;
++    st = output ? d->st + 4 : d->st;
++    for (s = 0; s < 4; s++) {
++        if (stnr == ((st[s].ctl >> 20) & 0x0f)) {
++            st = st + s;
+             break;
+         }
+     }
+-- 
+1.7.11.2
+
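Review bot: After the rewritten lookup `st` can no longer be NULL: it starts as `d->st` or `d->st + 4` and is only advanced on a match, so when no stream with number stnr is found it still points at the first stream of the bank. The old code initialised `st = NULL`, and the code after the loop (outside the hunk) presumably tests for that; if it still does, the test can never fire and the transfer proceeds on stream 0 or 4 instead of being rejected. The loop index is the reliable signal, e.g. `if (s == 4) { return false; }` right after the loop. The literal 4 also appears as `d->st + 4`, which the commit message says must stay in sync with GCAP and the IN/OUT registers; a named constant would make that dependency checkable.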
diff --git a/0219-hda-do-not-mix-output-and-input-stream-states-RHBZ-7.patch b/0219-hda-do-not-mix-output-and-input-stream-states-RHBZ-7.patch
new file mode 100644
index 0000000..062496e
--- /dev/null
+++ b/0219-hda-do-not-mix-output-and-input-stream-states-RHBZ-7.patch
@@ -0,0 +1,172 @@
+From 51a747e171a66d0dc1e4b47c0238fb2e7fa6b118 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau at gmail.com>
+Date: Tue, 25 Oct 2011 16:53:01 +0200
+Subject: [PATCH] hda: do not mix output and input stream states, RHBZ #740493
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Windows 7 may use the same stream number for input and output.
+Current code will confuse streams.
+
+Changes since v1:
+- keep running_compat[] for migration version 1
+- add running_real[] for migration version 2
+
+Signed-off-by: Marc-Andr? Lureau <marcandre.lureau at redhat.com>
+Signed-off-by: malc <av1474 at comtv.ru>
+(cherry picked from commit ba43d28916c4f51c19bd7366089155ce81bee058)
+
+Signed-off-by: Bruce Rogers <brogers at suse.com>
+Signed-off-by: Andreas Färber <afaerber at suse.de>
+---
+ hw/hda-audio.c | 26 +++++++++++++++++++-------
+ hw/intel-hda.c |  9 +++++----
+ hw/intel-hda.h |  2 +-
+ 3 files changed, 25 insertions(+), 12 deletions(-)
+
+diff --git a/hw/hda-audio.c b/hw/hda-audio.c
+index c699d6f..9b089e6 100644
+--- a/hw/hda-audio.c
++++ b/hw/hda-audio.c
+@@ -466,7 +466,8 @@ struct HDAAudioState {
+     QEMUSoundCard card;
+     const desc_codec *desc;
+     HDAAudioStream st[4];
+-    bool running[16];
++    bool running_compat[16];
++    bool running_real[2 * 16];
+ 
+     /* properties */
+     uint32_t debug;
+@@ -663,7 +664,7 @@ static void hda_audio_command(HDACodecDevice *hda, uint32_t nid, uint32_t data)
+         st->channel = payload & 0x0f;
+         dprint(a, 2, "%s: stream %d, channel %d\n",
+                st->node->name, st->stream, st->channel);
+-        hda_audio_set_running(st, a->running[st->stream]);
++        hda_audio_set_running(st, a->running_real[st->output * 16 + st->stream]);
+         hda_codec_response(hda, true, 0);
+         break;
+     case AC_VERB_GET_CONV:
+@@ -746,16 +747,20 @@ fail:
+     hda_codec_response(hda, true, 0);
+ }
+ 
+-static void hda_audio_stream(HDACodecDevice *hda, uint32_t stnr, bool running)
++static void hda_audio_stream(HDACodecDevice *hda, uint32_t stnr, bool running, bool output)
+ {
+     HDAAudioState *a = DO_UPCAST(HDAAudioState, hda, hda);
+     int s;
+ 
+-    a->running[stnr] = running;
++    a->running_compat[stnr] = running;
++    a->running_real[output * 16 + stnr] = running;
+     for (s = 0; s < ARRAY_SIZE(a->st); s++) {
+         if (a->st[s].node == NULL) {
+             continue;
+         }
++        if (a->st[s].output != output) {
++            continue;
++        }
+         if (a->st[s].stream != stnr) {
+             continue;
+         }
+@@ -837,6 +842,12 @@ static int hda_audio_post_load(void *opaque, int version)
+     int i;
+ 
+     dprint(a, 1, "%s\n", __FUNCTION__);
++    if (version == 1) {
++        /* assume running_compat[] is for output streams */
++        for (i = 0; i < ARRAY_SIZE(a->running_compat); i++)
++            a->running_real[16 + i] = a->running_compat[i];
++    }
++
+     for (i = 0; i < ARRAY_SIZE(a->st); i++) {
+         st = a->st + i;
+         if (st->node == NULL)
+@@ -844,7 +855,7 @@ static int hda_audio_post_load(void *opaque, int version)
+         hda_codec_parse_fmt(st->format, &st->as);
+         hda_audio_setup(st);
+         hda_audio_set_amp(st);
+-        hda_audio_set_running(st, a->running[st->stream]);
++        hda_audio_set_running(st, a->running_real[st->output * 16 + st->stream]);
+     }
+     return 0;
+ }
+@@ -868,13 +879,14 @@ static const VMStateDescription vmstate_hda_audio_stream = {
+ 
+ static const VMStateDescription vmstate_hda_audio = {
+     .name = "hda-audio",
+-    .version_id = 1,
++    .version_id = 2,
+     .post_load = hda_audio_post_load,
+     .fields = (VMStateField []) {
+         VMSTATE_STRUCT_ARRAY(st, HDAAudioState, 4, 0,
+                              vmstate_hda_audio_stream,
+                              HDAAudioStream),
+-        VMSTATE_BOOL_ARRAY(running, HDAAudioState, 16),
++        VMSTATE_BOOL_ARRAY(running_compat, HDAAudioState, 16),
++        VMSTATE_BOOL_ARRAY_V(running_real, HDAAudioState, 2 * 16, 2),
+         VMSTATE_END_OF_LIST()
+     }
+ };
+diff --git a/hw/intel-hda.c b/hw/intel-hda.c
+index 7d02558..904e4fc 100644
+--- a/hw/intel-hda.c
++++ b/hw/intel-hda.c
+@@ -485,7 +485,7 @@ static void intel_hda_parse_bdl(IntelHDAState *d, IntelHDAStream *st)
+     st->bp    = 0;
+ }
+ 
+-static void intel_hda_notify_codecs(IntelHDAState *d, uint32_t stream, bool running)
++static void intel_hda_notify_codecs(IntelHDAState *d, uint32_t stream, bool running, bool output)
+ {
+     DeviceState *qdev;
+     HDACodecDevice *cdev;
+@@ -493,7 +493,7 @@ static void intel_hda_notify_codecs(IntelHDAState *d, uint32_t stream, bool runn
+     QLIST_FOREACH(qdev, &d->codecs.qbus.children, sibling) {
+         cdev = DO_UPCAST(HDACodecDevice, qdev, qdev);
+         if (cdev->info->stream) {
+-            cdev->info->stream(cdev, stream, running);
++            cdev->info->stream(cdev, stream, running, output);
+         }
+     }
+ }
+@@ -567,6 +567,7 @@ static void intel_hda_set_ics(IntelHDAState *d, const IntelHDAReg *reg, uint32_t
+ 
+ static void intel_hda_set_st_ctl(IntelHDAState *d, const IntelHDAReg *reg, uint32_t old)
+ {
++    bool output = reg->stream >= 4;
+     IntelHDAStream *st = d->st + reg->stream;
+ 
+     if (st->ctl & 0x01) {
+@@ -582,11 +583,11 @@ static void intel_hda_set_st_ctl(IntelHDAState *d, const IntelHDAReg *reg, uint3
+             dprint(d, 1, "st #%d: start %d (ring buf %d bytes)\n",
+                    reg->stream, stnr, st->cbl);
+             intel_hda_parse_bdl(d, st);
+-            intel_hda_notify_codecs(d, stnr, true);
++            intel_hda_notify_codecs(d, stnr, true, output);
+         } else {
+             /* stop */
+             dprint(d, 1, "st #%d: stop %d\n", reg->stream, stnr);
+-            intel_hda_notify_codecs(d, stnr, false);
++            intel_hda_notify_codecs(d, stnr, false, output);
+         }
+     }
+     intel_hda_update_irq(d);
+diff --git a/hw/intel-hda.h b/hw/intel-hda.h
+index 4e44e38..65fd2a8 100644
+--- a/hw/intel-hda.h
++++ b/hw/intel-hda.h
+@@ -34,7 +34,7 @@ struct HDACodecDeviceInfo {
+     int (*init)(HDACodecDevice *dev);
+     int (*exit)(HDACodecDevice *dev);
+     void (*command)(HDACodecDevice *dev, uint32_t nid, uint32_t data);
+-    void (*stream)(HDACodecDevice *dev, uint32_t stnr, bool running);
++    void (*stream)(HDACodecDevice *dev, uint32_t stnr, bool running, bool output);
+ };
+ 
+ void hda_codec_bus_init(DeviceState *dev, HDACodecBus *bus,
+-- 
+1.7.11.2
+
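Review bot: hda_audio_post_load now indexes `a->running_real[st->output * 16 + st->stream]` with values restored from the migration stream, and whether `st->stream` is bounded below 16 before that use is not visible in the hunk (the field is assigned elsewhere in the codec); if it is not, a cheap range check in post_load before the loop would keep a malformed stream from indexing past the array. The literal 16 is repeated across the struct, hda_audio_stream, post_load and the vmstate field (`2 * 16`); a single `#define` tied to the stream-number width of `running_compat` would keep them together. The version-1 branch carries the comment `assume running_compat[] is for output streams`; adding why, e.g. that version-1 senders had only one array so output is the conservative choice, would help the next reader. That `for` also has no braces, unlike the rest of the function.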
diff --git a/0220-Teach-block-vdi-about-discarded-no-longer-allocated-.patch b/0220-Teach-block-vdi-about-discarded-no-longer-allocated-.patch
new file mode 100644
index 0000000..e51c539
--- /dev/null
+++ b/0220-Teach-block-vdi-about-discarded-no-longer-allocated-.patch
@@ -0,0 +1,108 @@
+From 5621e2027384a35494508f3bc01a758bc2ac076b Mon Sep 17 00:00:00 2001
+From: Eric Sunshine <sunshine at sunshineco.com>
+Date: Wed, 26 Oct 2011 15:51:18 -0400
+Subject: [PATCH] Teach block/vdi about "discarded" (no longer allocated)
+ blocks
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+An entry in the VDI block map will hold an offset to the actual block if
+the block is allocated, or one of two specially-interpreted values if
+not allocated. Using VirtualBox terminology, value VDI_IMAGE_BLOCK_FREE
+(0xffffffff) represents a never-allocated block (semantically arbitrary
+content).  VDI_IMAGE_BLOCK_ZERO (0xfffffffe) represents a "discarded"
+block (semantically zero-filled).  block/vdi knows only about
+VDI_IMAGE_BLOCK_FREE.  Teach it about VDI_IMAGE_BLOCK_ZERO.
+
+Signed-off-by: Eric Sunshine <sunshine at sunshineco.com>
+Signed-off-by: Kevin Wolf <kwolf at redhat.com>
+(cherry picked from commit c794b4e0fd9ef8d72b068614dcdb2418c105d5cc)
+
+Signed-off-by: Bruce Rogers <brogers at suse.com>
+Signed-off-by: Andreas Färber <afaerber at suse.de>
+---
+ block/vdi.c | 23 ++++++++++++++---------
+ 1 file changed, 14 insertions(+), 9 deletions(-)
+
+diff --git a/block/vdi.c b/block/vdi.c
+index 261cf9b..1be0cdc 100644
+--- a/block/vdi.c
++++ b/block/vdi.c
+@@ -114,8 +114,13 @@ void uuid_unparse(const uuid_t uu, char *out);
+  */
+ #define VDI_TEXT "<<< QEMU VM Virtual Disk Image >>>\n"
+ 
+-/* Unallocated blocks use this index (no need to convert endianness). */
+-#define VDI_UNALLOCATED UINT32_MAX
++/* A never-allocated block; semantically arbitrary content. */
++#define VDI_UNALLOCATED 0xffffffffU
++
++/* A discarded (no longer allocated) block; semantically zero-filled. */
++#define VDI_DISCARDED   0xfffffffeU
++
++#define VDI_IS_ALLOCATED(X) ((X) < VDI_DISCARDED)
+ 
+ #if !defined(CONFIG_UUID)
+ void uuid_generate(uuid_t out)
+@@ -307,10 +312,10 @@ static int vdi_check(BlockDriverState *bs, BdrvCheckResult *res)
+     /* Check block map and value of blocks_allocated. */
+     for (block = 0; block < s->header.blocks_in_image; block++) {
+         uint32_t bmap_entry = le32_to_cpu(s->bmap[block]);
+-        if (bmap_entry != VDI_UNALLOCATED) {
++        if (VDI_IS_ALLOCATED(bmap_entry)) {
+             if (bmap_entry < s->header.blocks_in_image) {
+                 blocks_allocated++;
+-                if (bmap[bmap_entry] == VDI_UNALLOCATED) {
++                if (!VDI_IS_ALLOCATED(bmap[bmap_entry])) {
+                     bmap[bmap_entry] = bmap_entry;
+                 } else {
+                     fprintf(stderr, "ERROR: block index %" PRIu32
+@@ -472,7 +477,7 @@ static int vdi_is_allocated(BlockDriverState *bs, int64_t sector_num,
+         n_sectors = nb_sectors;
+     }
+     *pnum = n_sectors;
+-    return bmap_entry != VDI_UNALLOCATED;
++    return VDI_IS_ALLOCATED(bmap_entry);
+ }
+ 
+ static void vdi_aio_cancel(BlockDriverAIOCB *blockacb)
+@@ -603,7 +608,7 @@ static void vdi_aio_read_cb(void *opaque, int ret)
+     /* prepare next AIO request */
+     acb->n_sectors = n_sectors;
+     bmap_entry = le32_to_cpu(s->bmap[block_index]);
+-    if (bmap_entry == VDI_UNALLOCATED) {
++    if (!VDI_IS_ALLOCATED(bmap_entry)) {
+         /* Block not allocated, return zeros, no need to wait. */
+         memset(acb->buf, 0, n_sectors * SECTOR_SIZE);
+         ret = vdi_schedule_bh(vdi_aio_rw_bh, acb);
+@@ -685,7 +690,7 @@ static void vdi_aio_write_cb(void *opaque, int ret)
+         if (acb->header_modified) {
+             VdiHeader *header = acb->block_buffer;
+             logout("now writing modified header\n");
+-            assert(acb->bmap_first != VDI_UNALLOCATED);
++            assert(VDI_IS_ALLOCATED(acb->bmap_first));
+             *header = s->header;
+             vdi_header_to_le(header);
+             acb->header_modified = 0;
+@@ -699,7 +704,7 @@ static void vdi_aio_write_cb(void *opaque, int ret)
+                 goto done;
+             }
+             return;
+-        } else if (acb->bmap_first != VDI_UNALLOCATED) {
++        } else if (VDI_IS_ALLOCATED(acb->bmap_first)) {
+             /* One or more new blocks were allocated. */
+             uint64_t offset;
+             uint32_t bmap_first;
+@@ -749,7 +754,7 @@ static void vdi_aio_write_cb(void *opaque, int ret)
+     /* prepare next AIO request */
+     acb->n_sectors = n_sectors;
+     bmap_entry = le32_to_cpu(s->bmap[block_index]);
+-    if (bmap_entry == VDI_UNALLOCATED) {
++    if (!VDI_IS_ALLOCATED(bmap_entry)) {
+         /* Allocate new block and write to it. */
+         uint64_t offset;
+         uint8_t *block;
+-- 
+1.7.11.2
+
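Review bot: The new `VDI_IS_ALLOCATED(X)` macro, `(X) < VDI_DISCARDED`, has no comment, so a reader has to notice that it works only because the two sentinels are the top two uint32 values and therefore treats anything at or above 0xfffffffe as "not allocated". A comment above it, `/* True for a real block index; both sentinel values sit at the top of the uint32 range. */`, makes that explicit and warns against adding a third sentinel anywhere else. The bmap entries are read from the image file, and only vdi_check (the `if (bmap_entry < s->header.blocks_in_image)` line) visibly bounds an allocated entry; whether the read and write callbacks also bound it is outside the hunk.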
diff --git a/0221-vmdk-Improve-error-handling.patch b/0221-vmdk-Improve-error-handling.patch
new file mode 100644
index 0000000..ca8d29f
--- /dev/null
+++ b/0221-vmdk-Improve-error-handling.patch
@@ -0,0 +1,79 @@
+From 2139ef7f75ff63904fac6b451c8a89e4b0c72448 Mon Sep 17 00:00:00 2001
+From: Kevin Wolf <kwolf at redhat.com>
+Date: Wed, 26 Oct 2011 12:25:25 +0200
+Subject: [PATCH] vmdk: Improve error handling
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Return the right error values in some more places.
+
+Signed-off-by: Kevin Wolf <kwolf at redhat.com>
+(cherry picked from commit 99f1835d9bc744f98370254600530e66f32e6d81)
+
+Signed-off-by: Bruce Rogers <brogers at suse.com>
+Signed-off-by: Andreas Färber <afaerber at suse.de>
+---
+ block/vmdk.c | 21 +++++++++++++++------
+ 1 file changed, 15 insertions(+), 6 deletions(-)
+
+diff --git a/block/vmdk.c b/block/vmdk.c
+index b5caa40..8284747 100644
+--- a/block/vmdk.c
++++ b/block/vmdk.c
+@@ -181,8 +181,10 @@ static uint32_t vmdk_read_cid(BlockDriverState *bs, int parent)
+     const char *p_name, *cid_str;
+     size_t cid_str_size;
+     BDRVVmdkState *s = bs->opaque;
++    int ret;
+ 
+-    if (bdrv_pread(bs->file, s->desc_offset, desc, DESC_SIZE) != DESC_SIZE) {
++    ret = bdrv_pread(bs->file, s->desc_offset, desc, DESC_SIZE);
++    if (ret < 0) {
+         return 0;
+     }
+ 
+@@ -208,10 +210,12 @@ static int vmdk_write_cid(BlockDriverState *bs, uint32_t cid)
+     char desc[DESC_SIZE], tmp_desc[DESC_SIZE];
+     char *p_name, *tmp_str;
+     BDRVVmdkState *s = bs->opaque;
++    int ret;
+ 
+     memset(desc, 0, sizeof(desc));
+-    if (bdrv_pread(bs->file, s->desc_offset, desc, DESC_SIZE) != DESC_SIZE) {
+-        return -EIO;
++    ret = bdrv_pread(bs->file, s->desc_offset, desc, DESC_SIZE);
++    if (ret < 0) {
++        return ret;
+     }
+ 
+     tmp_str = strstr(desc, "parentCID");
+@@ -223,9 +227,11 @@ static int vmdk_write_cid(BlockDriverState *bs, uint32_t cid)
+         pstrcat(desc, sizeof(desc), tmp_desc);
+     }
+ 
+-    if (bdrv_pwrite_sync(bs->file, s->desc_offset, desc, DESC_SIZE) < 0) {
+-        return -EIO;
++    ret = bdrv_pwrite_sync(bs->file, s->desc_offset, desc, DESC_SIZE);
++    if (ret < 0) {
++        return ret;
+     }
++
+     return 0;
+ }
+ 
+@@ -906,7 +912,10 @@ static int vmdk_write(BlockDriverState *bs, int64_t sector_num,
+         /* update CID on the first write every time the virtual disk is
+          * opened */
+         if (!s->cid_updated) {
+-            vmdk_write_cid(bs, time(NULL));
++            ret = vmdk_write_cid(bs, time(NULL));
++            if (ret < 0) {
++                return ret;
++            }
+             s->cid_updated = true;
+         }
+     }
+-- 
+1.7.11.2
+
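Review bot: In vmdk_read_cid the new `if (ret < 0) { return 0; }` keeps 0 as the error value, which is indistinguishable from a descriptor whose CID really is 0, while the other two call sites in the hunk now propagate ret; the uint32_t return forces this, so at minimum a comment on the return, `/* 0 on any read error; callers cannot tell this from a real CID of 0 */`, records the limitation. The old check also rejected a read that returned anything other than DESC_SIZE, whereas the new one accepts any non-negative value; if bdrv_pread can return short here, the unread tail of `desc` is parsed as descriptor text. The `ret` used in the vmdk_write hunk is declared outside the hunk.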
diff --git a/0222-block-set-bs-read_only-before-.bdrv_open.patch b/0222-block-set-bs-read_only-before-.bdrv_open.patch
new file mode 100644
index 0000000..72c03cc
--- /dev/null
+++ b/0222-block-set-bs-read_only-before-.bdrv_open.patch
@@ -0,0 +1,52 @@
+From b461a24186f05d7adec265bd34f348f7b8f9569b Mon Sep 17 00:00:00 2001
+From: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
+Date: Thu, 27 Oct 2011 10:54:27 +0100
+Subject: [PATCH] block: set bs->read_only before .bdrv_open()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Several block drivers set bs->read_only in .bdrv_open() but
+block.c:bdrv_open_common() clobbers its value.  Additionally, QED uses
+bdrv_is_read_only() in .bdrv_open() to decide whether to perform
+consistency checks.
+
+The correct ordering is to initialize bs->read_only from the open flags
+before calling .bdrv_open().  This way block drivers can override it if
+necessary and can use bdrv_is_read_only() in .bdrv_open().
+
+Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
+Signed-off-by: Kevin Wolf <kwolf at redhat.com>
+(cherry picked from commit e7c637967e6aad195b5f30cfd995913c9e0b4666)
+
+Signed-off-by: Bruce Rogers <brogers at suse.com>
+Signed-off-by: Andreas Färber <afaerber at suse.de>
+---
+ block.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/block.c b/block.c
+index 4ebb18b..8d77746 100644
+--- a/block.c
++++ b/block.c
+@@ -455,6 +455,8 @@ static int bdrv_open_common(BlockDriverState *bs, const char *filename,
+         open_flags |= BDRV_O_RDWR;
+     }
+ 
++    bs->keep_read_only = bs->read_only = !(open_flags & BDRV_O_RDWR);
++
+     /* Open the image, either directly or using a protocol */
+     if (drv->bdrv_file_open) {
+         ret = drv->bdrv_file_open(bs, filename, open_flags);
+@@ -469,8 +471,6 @@ static int bdrv_open_common(BlockDriverState *bs, const char *filename,
+         goto free_and_fail;
+     }
+ 
+-    bs->keep_read_only = bs->read_only = !(open_flags & BDRV_O_RDWR);
+-
+     ret = refresh_total_sectors(bs, bs->total_sectors);
+     if (ret < 0) {
+         goto free_and_fail;
+-- 
+1.7.11.2
+
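Review bot: The moved `bs->keep_read_only = bs->read_only = ...` line is now order-sensitive — drivers may overwrite bs->read_only in .bdrv_open() and bdrv_is_read_only() is only meaningful there if this runs first — but nothing on the new line says so, and a later cleanup could move it back below the driver call. A comment above the added line, `/* Must precede .bdrv_open(): drivers may override read_only and query bdrv_is_read_only() */`, would anchor the ordering. bdrv_open_common continues outside the hunk.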
diff --git a/0223-console-Fix-rendering-of-VGA-underline.patch b/0223-console-Fix-rendering-of-VGA-underline.patch
new file mode 100644
index 0000000..a271442
--- /dev/null
+++ b/0223-console-Fix-rendering-of-VGA-underline.patch
@@ -0,0 +1,64 @@
+From 1add57cd4c48d9eb6517f685f67480b4f4f3f13b Mon Sep 17 00:00:00 2001
+From: Markus Armbruster <armbru at redhat.com>
+Date: Fri, 4 Nov 2011 10:38:29 +0100
+Subject: [PATCH] console: Fix rendering of VGA underline
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+vga_putcharxy()'s underline code sets font_data to 0xffff instead of
+0xff.  vga_putcharxy() then reads dmask16[0xffff >> 4] and
+dmask4[0xffff >> 6].  In practice, these out-of-bounds subscripts
+"only" put a few crap bits into the display surface.
+
+For 32 bit pixels, there's no array access.  font_data's extra bits go
+straight into the display surface.
+
+Broken when commit 6d6f7c28 implemented underline.
+
+Spotted by Coverity.
+
+Signed-off-by: Markus Armbruster <armbru at redhat.com>
+Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>
+(cherry picked from commit 439229c7cb97f6c4cddd3965c3e9d2b8319fe83c)
+
+Signed-off-by: Bruce Rogers <brogers at suse.com>
+Signed-off-by: Andreas Färber <afaerber at suse.de>
+---
+ console.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/console.c b/console.c
+index 242086c..07c82b8 100644
+--- a/console.c
++++ b/console.c
+@@ -461,7 +461,7 @@ static void vga_putcharxy(DisplayState *ds, int x, int y, int ch,
+             font_data = *font_ptr++;
+             if (t_attrib->uline
+                 && ((i == FONT_HEIGHT - 2) || (i == FONT_HEIGHT - 3))) {
+-                font_data = 0xFFFF;
++                font_data = 0xFF;
+             }
+             ((uint32_t *)d)[0] = (dmask16[(font_data >> 4)] & xorcol) ^ bgcol;
+             ((uint32_t *)d)[1] = (dmask16[(font_data >> 0) & 0xf] & xorcol) ^ bgcol;
+@@ -474,7 +474,7 @@ static void vga_putcharxy(DisplayState *ds, int x, int y, int ch,
+             font_data = *font_ptr++;
+             if (t_attrib->uline
+                 && ((i == FONT_HEIGHT - 2) || (i == FONT_HEIGHT - 3))) {
+-                font_data = 0xFFFF;
++                font_data = 0xFF;
+             }
+             ((uint32_t *)d)[0] = (dmask4[(font_data >> 6)] & xorcol) ^ bgcol;
+             ((uint32_t *)d)[1] = (dmask4[(font_data >> 4) & 3] & xorcol) ^ bgcol;
+@@ -487,7 +487,7 @@ static void vga_putcharxy(DisplayState *ds, int x, int y, int ch,
+         for(i = 0; i < FONT_HEIGHT; i++) {
+             font_data = *font_ptr++;
+             if (t_attrib->uline && ((i == FONT_HEIGHT - 2) || (i == FONT_HEIGHT - 3))) {
+-                font_data = 0xFFFF;
++                font_data = 0xFF;
+             }
+             ((uint32_t *)d)[0] = (-((font_data >> 7)) & xorcol) ^ bgcol;
+             ((uint32_t *)d)[1] = (-((font_data >> 6) & 1) & xorcol) ^ bgcol;
+-- 
+1.7.11.2
+
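Review bot: The three `font_data = 0xFF;` sites carry no explanation of the value; since the row is indexed as a nibble (`dmask16[(font_data >> 4)]`) and as bit pairs (`dmask4[(font_data >> 6)]`), the glyph row is evidently 8 bits wide and 0xFF is "all pixels set", which is exactly the bound the old 0xFFFF violated. A one-line comment at the first site, `/* underline: set all 8 pixels of this glyph row; must fit the dmask tables */`, or a single named constant used by all three branches, would make the bound obvious and keep the fix from regressing. vga_putcharxy starts and ends outside the hunks.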
diff --git a/0224-block-Fix-vpc-initialization-of-the-Dynamic-Disk-Hea.patch b/0224-block-Fix-vpc-initialization-of-the-Dynamic-Disk-Hea.patch
new file mode 100644
index 0000000..addd077
--- /dev/null
+++ b/0224-block-Fix-vpc-initialization-of-the-Dynamic-Disk-Hea.patch
@@ -0,0 +1,48 @@
+From 69a9776f3e8a4ff5311f78cc63e52ea436dd9cbe Mon Sep 17 00:00:00 2001
+From: Charles Arnold <carnold at suse.com>
+Date: Wed, 9 Nov 2011 09:32:25 -0700
+Subject: [PATCH] block: Fix vpc initialization of the Dynamic Disk Header
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The Data Offset field in the Dynamic Disk Header is an 8 byte field.
+Although the specification (2006-10-11) gives an example of initializing
+only the first 4 bytes, images generated by Microsoft on Windows initialize
+all 8 bytes.
+
+Failure to initialize all 8 bytes results in errors from utilities
+like Citrix's vhd-util which checks specifically for the proper Data
+Offset field initialization.
+
+Signed-off-by: Charles Arnold <carnold at suse.com>
+Reviewed-by: Andreas Färber <afaerber at suse.de>
+Signed-off-by: Kevin Wolf <kwolf at redhat.com>
+(cherry picked from commit 78439f6af1caa3e8bdafc9fc2d62aeefa53ed63a)
+
+Signed-off-by: Bruce Rogers <brogers at suse.com>
+Signed-off-by: Andreas Färber <afaerber at suse.de>
+---
+ block/vpc.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/block/vpc.c b/block/vpc.c
+index 56865da..ac33e15 100644
+--- a/block/vpc.c
++++ b/block/vpc.c
+@@ -587,7 +587,11 @@ static int vpc_create(const char *filename, QEMUOptionParameter *options)
+ 
+     memcpy(dyndisk_header->magic, "cxsparse", 8);
+ 
+-    dyndisk_header->data_offset = be64_to_cpu(0xFFFFFFFF);
++    /*
++     * Note: The spec is actually wrong here for data_offset, it says
++     * 0xFFFFFFFF, but MS tools expect all 64 bits to be set.
++     */
++    dyndisk_header->data_offset = be64_to_cpu(0xFFFFFFFFFFFFFFFFULL);
+     dyndisk_header->table_offset = be64_to_cpu(3 * 512);
+     dyndisk_header->version = be32_to_cpu(0x00010000);
+     dyndisk_header->block_size = be32_to_cpu(block_size);
+-- 
+1.7.11.2
+
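Review bot: The new line stores a host constant into the on-disk header through be64_to_cpu(), which is the cpu_to_be64() direction; the two are byte-for-byte equivalent so the result is correct, but the intent reads backwards, and the new line perpetuates the pattern of the surrounding table_offset and version assignments. Writing `dyndisk_header->data_offset = cpu_to_be64(0xFFFFFFFFFFFFFFFFULL);` states the conversion as meant. The added comment explaining the deviation from the spec is the right place for that rationale. vpc_create continues outside the hunk.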
diff --git a/0225-qcow-Fix-bdrv_write_compressed-error-handling.patch b/0225-qcow-Fix-bdrv_write_compressed-error-handling.patch
new file mode 100644
index 0000000..da5de39
--- /dev/null
+++ b/0225-qcow-Fix-bdrv_write_compressed-error-handling.patch
@@ -0,0 +1,93 @@
+From 5202e9d55b745eddde9ba6bd08af32fcae347e93 Mon Sep 17 00:00:00 2001
+From: Kevin Wolf <kwolf at redhat.com>
+Date: Wed, 26 Oct 2011 11:21:50 +0200
+Subject: [PATCH] qcow: Fix bdrv_write_compressed error handling
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Kevin Wolf <kwolf at redhat.com>
+Reviewed-by: Paolo Bonzini <pbonzini at redhat.com>
+(cherry picked from commit 64ebe71aa0e498d24e8c02b133192142fce3a0d0)
+
+Signed-off-by: Bruce Rogers <brogers at suse.com>
+[AF: backported]
+Signed-off-by: Andreas Färber <afaerber at suse.de>
+---
+ block/qcow.c | 30 +++++++++++++++++++-----------
+ 1 file changed, 19 insertions(+), 11 deletions(-)
+
+diff --git a/block/qcow.c b/block/qcow.c
+index 227b104..115b820 100644
+--- a/block/qcow.c
++++ b/block/qcow.c
+@@ -926,8 +926,6 @@ static int qcow_write_compressed(BlockDriverState *bs, int64_t sector_num,
+         return -EINVAL;
+ 
+     out_buf = qemu_malloc(s->cluster_size + (s->cluster_size / 1000) + 128);
+-    if (!out_buf)
+-        return -1;
+ 
+     /* best compression, small window, no zlib header */
+     memset(&strm, 0, sizeof(strm));
+@@ -935,8 +933,8 @@ static int qcow_write_compressed(BlockDriverState *bs, int64_t sector_num,
+                        Z_DEFLATED, -12,
+                        9, Z_DEFAULT_STRATEGY);
+     if (ret != 0) {
+-        qemu_free(out_buf);
+-        return -1;
++        ret = -EINVAL;
++        goto fail;
+     }
+ 
+     strm.avail_in = s->cluster_size;
+@@ -946,9 +944,9 @@ static int qcow_write_compressed(BlockDriverState *bs, int64_t sector_num,
+ 
+     ret = deflate(&strm, Z_FINISH);
+     if (ret != Z_STREAM_END && ret != Z_OK) {
+-        qemu_free(out_buf);
+         deflateEnd(&strm);
+-        return -1;
++        ret = -EINVAL;
++        goto fail;
+     }
+     out_len = strm.next_out - out_buf;
+ 
+@@ -956,19 +954,29 @@ static int qcow_write_compressed(BlockDriverState *bs, int64_t sector_num,
+ 
+     if (ret != Z_STREAM_END || out_len >= s->cluster_size) {
+         /* could not compress: write normal cluster */
+-        bdrv_write(bs, sector_num, buf, s->cluster_sectors);
++        ret = bdrv_write(bs, sector_num, buf, s->cluster_sectors);
++        if (ret < 0) {
++            goto fail;
++        }
+     } else {
+         cluster_offset = get_cluster_offset(bs, sector_num << 9, 2,
+                                             out_len, 0, 0);
++        if (cluster_offset == 0) {
++            ret = -EIO;
++            goto fail;
++        }
++
+         cluster_offset &= s->cluster_offset_mask;
+-        if (bdrv_pwrite(bs->file, cluster_offset, out_buf, out_len) != out_len) {
+-            qemu_free(out_buf);
+-            return -1;
++        ret = bdrv_pwrite(bs->file, cluster_offset, out_buf, out_len);
++        if (ret < 0) {
++            goto fail;
+         }
+     }
+ 
++    ret = 0;
++fail:
+     qemu_free(out_buf);
+-    return 0;
++    return ret;
+ }
+ 
+ static int qcow_flush(BlockDriverState *bs)
+-- 
+1.7.11.2
+
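Review bot: Both zlib failure paths now map to -EINVAL, so a deflateInit2() Z_MEM_ERROR is reported to the caller as an invalid argument; the zlib return codes are distinct, and `ret = (ret == Z_MEM_ERROR) ? -ENOMEM : -EINVAL;` before each `goto fail` would preserve that distinction. The deflate-failure branch still calls deflateEnd() before jumping to fail, while the deflateInit2-failure branch correctly does not; whether the success path ends the stream is in the two context lines the third hunk omits, so that is worth confirming when applying. The removed NULL check after qemu_malloc() presumably relies on qemu_malloc aborting on allocation failure, which is not visible here. qcow_write_compressed starts outside the hunks.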
diff --git a/0226-block-reinitialize-across-bdrv_close-bdrv_open.patch b/0226-block-reinitialize-across-bdrv_close-bdrv_open.patch
new file mode 100644
index 0000000..7cca69c
--- /dev/null
+++ b/0226-block-reinitialize-across-bdrv_close-bdrv_open.patch
@@ -0,0 +1,55 @@
+From 2432c8cf0a61be64094dae724638a9a081ee4bf9 Mon Sep 17 00:00:00 2001
+From: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
+Date: Thu, 27 Oct 2011 10:54:28 +0100
+Subject: [PATCH] block: reinitialize across bdrv_close()/bdrv_open()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Several BlockDriverState fields are not being reinitialized across
+bdrv_close()/bdrv_open().  Make sure they are reset to their default
+values.
+
+Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
+Signed-off-by: Kevin Wolf <kwolf at redhat.com>
+(cherry picked from commit 03f541bd6eacdc6c2893f72b975257c89cab2b74)
+
+Signed-off-by: Bruce Rogers <brogers at suse.com>
+[AF: backported]
+Signed-off-by: Andreas Färber <afaerber at suse.de>
+---
+ block.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/block.c b/block.c
+index 8d77746..1d6d26b 100644
+--- a/block.c
++++ b/block.c
+@@ -426,11 +426,14 @@ static int bdrv_open_common(BlockDriverState *bs, const char *filename,
+     bs->total_sectors = 0;
+     bs->encrypted = 0;
+     bs->valid_key = 0;
++    bs->sg = 0;
+     bs->open_flags = flags;
++    bs->growable = 0;
+     /* buffer_alignment defaulted to 512, drivers can change this value */
+     bs->buffer_alignment = 512;
+ 
+     pstrcpy(bs->filename, sizeof(bs->filename), filename);
++    bs->backing_file[0] = '\0';
+ 
+     if (use_bdrv_whitelist && !bdrv_is_whitelisted(drv)) {
+         return -ENOTSUP;
+@@ -439,8 +442,7 @@ static int bdrv_open_common(BlockDriverState *bs, const char *filename,
+     bs->drv = drv;
+     bs->opaque = qemu_mallocz(drv->instance_size);
+ 
+-    if (flags & BDRV_O_CACHE_WB)
+-        bs->enable_write_cache = 1;
++    bs->enable_write_cache = !!(flags & BDRV_O_CACHE_WB);
+ 
+     /*
+      * Clear flags that are internal to the block layer before opening the
+-- 
+1.7.11.2
+
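Review bot: The reset list in bdrv_open_common is hand-maintained — sg, growable and backing_file join total_sectors, encrypted and valid_key — but nothing marks this run as the place where every per-open field must be cleared, so the next field added to BlockDriverState can silently miss it, which is exactly the class of bug this patch fixes. A comment at the top of the run, `/* Reset every field that must not survive bdrv_close()/bdrv_open(); extend when adding fields */`, would make the obligation visible to the next author. bdrv_open_common continues outside the hunks.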
diff --git a/0227-qxl-stride-fixup.patch b/0227-qxl-stride-fixup.patch
new file mode 100644
index 0000000..1c3d936
--- /dev/null
+++ b/0227-qxl-stride-fixup.patch
@@ -0,0 +1,111 @@
+From a3cc0cf8b185043fbd1f9b893c1c20f90efb1d06 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel at redhat.com>
+Date: Fri, 21 Oct 2011 15:59:07 +0200
+Subject: [PATCH] qxl: stride fixup
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+spice uses negative stride value to signal the bitmap is upside down.
+The qxl renderer (used for scl, vnc and screenshots) wants a positive
+value because it is easier to work with.  The positive value is then
+stored in the very same variable, which has the drawback that the
+upside-down test works only once.  Fix by using two variables.
+
+Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
+(cherry picked from commit 0e2487bd6f56445b43307536a465ee2ba810aed9)
+
+Signed-off-by: Bruce Rogers <brogers at suse.com>
+[AF: backported]
+Signed-off-by: Andreas Färber <afaerber at suse.de>
+---
+ hw/qxl-render.c | 23 ++++++++++++-----------
+ hw/qxl.h        |  3 ++-
+ 2 files changed, 14 insertions(+), 12 deletions(-)
+
+diff --git a/hw/qxl-render.c b/hw/qxl-render.c
+index 1316066..104d79b 100644
+--- a/hw/qxl-render.c
++++ b/hw/qxl-render.c
+@@ -28,16 +28,16 @@ static void qxl_flip(PCIQXLDevice *qxl, QXLRect *rect)
+     int len, i;
+ 
+     src += (qxl->guest_primary.surface.height - rect->top - 1) *
+-        qxl->guest_primary.stride;
+-    dst += rect->top  * qxl->guest_primary.stride;
++        qxl->guest_primary.abs_stride;
++    dst += rect->top  * qxl->guest_primary.abs_stride;
+     src += rect->left * qxl->guest_primary.bytes_pp;
+     dst += rect->left * qxl->guest_primary.bytes_pp;
+     len  = (rect->right - rect->left) * qxl->guest_primary.bytes_pp;
+ 
+     for (i = rect->top; i < rect->bottom; i++) {
+         memcpy(dst, src, len);
+-        dst += qxl->guest_primary.stride;
+-        src -= qxl->guest_primary.stride;
++        dst += qxl->guest_primary.abs_stride;
++        src -= qxl->guest_primary.abs_stride;
+     }
+ }
+ 
+@@ -45,7 +45,8 @@ void qxl_render_resize(PCIQXLDevice *qxl)
+ {
+     QXLSurfaceCreate *sc = &qxl->guest_primary.surface;
+ 
+-    qxl->guest_primary.stride = sc->stride;
++    qxl->guest_primary.qxl_stride = sc->stride;
++    qxl->guest_primary.abs_stride = abs(sc->stride);
+     qxl->guest_primary.resized++;
+     switch (sc->format) {
+     case SPICE_SURFACE_FMT_16_555:
+@@ -87,11 +88,11 @@ void qxl_render_update(PCIQXLDevice *qxl)
+         qemu_free_displaysurface(vga->ds);
+ 
+         qxl->guest_primary.data = qemu_get_ram_ptr(qxl->vga.vram_offset);
+-        if (qxl->guest_primary.stride < 0) {
++        if (qxl->guest_primary.qxl_stride < 0) {
+             /* spice surface is upside down -> need extra buffer to flip */
+-            qxl->guest_primary.stride = -qxl->guest_primary.stride;
+-            qxl->guest_primary.flipped = qemu_malloc(qxl->guest_primary.surface.width *
+-                                                     qxl->guest_primary.stride);
++            qxl->guest_primary.flipped =
++                qemu_malloc(qxl->guest_primary.surface.width *
++                            qxl->guest_primary.abs_stride);
+             ptr = qxl->guest_primary.flipped;
+         } else {
+             ptr = qxl->guest_primary.data;
+@@ -100,7 +101,7 @@ void qxl_render_update(PCIQXLDevice *qxl)
+                __FUNCTION__,
+                qxl->guest_primary.surface.width,
+                qxl->guest_primary.surface.height,
+-               qxl->guest_primary.stride,
++               qxl->guest_primary.qxl_stride,
+                qxl->guest_primary.bytes_pp,
+                qxl->guest_primary.bits_pp,
+                qxl->guest_primary.flipped ? "yes" : "no");
+@@ -108,7 +109,7 @@ void qxl_render_update(PCIQXLDevice *qxl)
+             qemu_create_displaysurface_from(qxl->guest_primary.surface.width,
+                                             qxl->guest_primary.surface.height,
+                                             qxl->guest_primary.bits_pp,
+-                                            qxl->guest_primary.stride,
++                                            qxl->guest_primary.abs_stride,
+                                             ptr);
+         dpy_resize(vga->ds);
+     }
+diff --git a/hw/qxl.h b/hw/qxl.h
+index f6c450d..c05998a 100644
+--- a/hw/qxl.h
++++ b/hw/qxl.h
+@@ -42,7 +42,8 @@ typedef struct PCIQXLDevice {
+         QXLSurfaceCreate surface;
+         uint32_t       commands;
+         uint32_t       resized;
+-        int32_t        stride;
++        int32_t        qxl_stride;
++        uint32_t       abs_stride;
+         uint32_t       bits_pp;
+         uint32_t       bytes_pp;
+         uint8_t        *data, *flipped;
+-- 
+1.7.11.2
+
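Review bot: `abs(sc->stride)` in qxl_render_resize is undefined when sc->stride is INT32_MIN, and QXLSurfaceCreate is populated from guest-visible state, so the value should be range-checked rather than converted blindly; the allocation `qemu_malloc(width * abs_stride)` in qxl_render_update also multiplies two (presumably 32-bit) values whose product can wrap and leave the flip buffer smaller than the memcpy loop in qxl_flip assumes. A guard ahead of the conversion, `if (sc->stride == INT32_MIN) { /* reject the surface */ }`, plus a check that abs_stride is consistent with width * bytes_pp, would close both; whether qxl.c already validates the surface elsewhere is not visible in this hunk. Changing abs_stride to uint32_t also makes the `rect->top * abs_stride` arithmetic in qxl_flip unsigned, which is fine while the values are small but is a silent type change worth a comment on the struct field.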
diff --git a/0228-vmdk-Fix-possible-segfaults.patch b/0228-vmdk-Fix-possible-segfaults.patch
new file mode 100644
index 0000000..c722c6c
--- /dev/null
+++ b/0228-vmdk-Fix-possible-segfaults.patch
@@ -0,0 +1,55 @@
+From f51851ea928882bd3d49cbb6d953723294239d8a Mon Sep 17 00:00:00 2001
+From: Kevin Wolf <kwolf at redhat.com>
+Date: Wed, 26 Oct 2011 12:25:52 +0200
+Subject: [PATCH] vmdk: Fix possible segfaults
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Data we read from the disk isn't necessarily null terminated and may not
+contain the string we're looking for. The code needs to be a bit more careful
+here.
+
+Signed-off-by: Kevin Wolf <kwolf at redhat.com>
+(cherry picked from commit 93897b9fd43548e9c15cf8bece2d9e5174b01fc7)
+
+Signed-off-by: Bruce Rogers <brogers at suse.com>
+Signed-off-by: Andreas Färber <afaerber at suse.de>
+---
+ block/vmdk.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/block/vmdk.c b/block/vmdk.c
+index 8284747..f4fce08 100644
+--- a/block/vmdk.c
++++ b/block/vmdk.c
+@@ -196,6 +196,7 @@ static uint32_t vmdk_read_cid(BlockDriverState *bs, int parent)
+         cid_str_size = sizeof("CID");
+     }
+ 
++    desc[DESC_SIZE - 1] = '\0';
+     p_name = strstr(desc, cid_str);
+     if (p_name != NULL) {
+         p_name += cid_str_size;
+@@ -212,13 +213,17 @@ static int vmdk_write_cid(BlockDriverState *bs, uint32_t cid)
+     BDRVVmdkState *s = bs->opaque;
+     int ret;
+ 
+-    memset(desc, 0, sizeof(desc));
+     ret = bdrv_pread(bs->file, s->desc_offset, desc, DESC_SIZE);
+     if (ret < 0) {
+         return ret;
+     }
+ 
++    desc[DESC_SIZE - 1] = '\0';
+     tmp_str = strstr(desc, "parentCID");
++    if (tmp_str == NULL) {
++        return -EINVAL;
++    }
++
+     pstrcpy(tmp_desc, sizeof(tmp_desc), tmp_str);
+     p_name = strstr(desc, "CID");
+     if (p_name != NULL) {
+-- 
+1.7.11.2
+
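Review bot: Removing the memset in vmdk_write_cid leaves the tail of desc indeterminate whenever bdrv_pread() returns fewer than DESC_SIZE bytes: only desc[DESC_SIZE - 1] is forced to NUL, so strstr() and the pstrcpy that follows may scan uninitialized bytes, and vmdk_read_cid has the same gap since its desc is never cleared in the visible lines. Unless bdrv_pread guarantees a full read or zero-fill (not shown here), keeping `memset(desc, 0, sizeof(desc));` before the read is cheap insurance. Separately, `p_name += cid_str_size` in vmdk_read_cid uses sizeof("CID"), which is one more than the match length, so when the match ends at the buffer's last non-NUL byte the pointer lands one past the end of desc before whatever follows parses it; checking `p_name + cid_str_size < desc + DESC_SIZE` before advancing avoids that. Both functions start and end outside their hunks.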
diff --git a/0229-pc-Fix-floppy-drives-with-if-none.patch b/0229-pc-Fix-floppy-drives-with-if-none.patch
new file mode 100644
index 0000000..1d40a24
--- /dev/null
+++ b/0229-pc-Fix-floppy-drives-with-if-none.patch
@@ -0,0 +1,204 @@
+From 03ff3683be1e3a4e9644150b7f12f046374dcbcd Mon Sep 17 00:00:00 2001
+From: Kevin Wolf <kwolf at redhat.com>
+Date: Thu, 20 Oct 2011 16:37:26 +0200
+Subject: [PATCH] pc: Fix floppy drives with if=none
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Commit 63ffb564 broke floppy devices specified on the command line like
+-drive file=...,if=none,id=floppy -global isa-fdc.driveA=floppy because it
+relies on drive_get() which works only with -fda/-drive if=floppy.
+
+This patch resembles what we're already doing for IDE, i.e. remember the floppy
+device that was created and use that to extract the BlockDriverStates where
+needed.
+
+Signed-off-by: Kevin Wolf <kwolf at redhat.com>
+Reviewed-by: Markus Armbruster <armbru at redhat.com>
+(cherry picked from commit 34d4260e1846d69d7241f690534e3dd4b3e6fd5b)
+
+[BR: bnc#733777]
+Signed-off-by: Bruce Rogers <brogers at suse.com>
+[AF: backported]
+Signed-off-by: Andreas Färber <afaerber at suse.de>
+---
+ hw/fdc.c     | 12 ++++++++++++
+ hw/fdc.h     |  9 +++++++--
+ hw/pc.c      | 25 ++++++++++++++-----------
+ hw/pc.h      |  3 ++-
+ hw/pc_piix.c |  5 +++--
+ 5 files changed, 38 insertions(+), 16 deletions(-)
+
+diff --git a/hw/fdc.c b/hw/fdc.c
+index 9fdbc75..cf675ce 100644
+--- a/hw/fdc.c
++++ b/hw/fdc.c
+@@ -1911,6 +1911,18 @@ static int sun4m_fdc_init1(SysBusDevice *dev)
+     return fdctrl_init_common(fdctrl);
+ }
+ 
++void fdc_get_bs(BlockDriverState *bs[], ISADevice *dev)
++{
++    FDCtrlISABus *isa = DO_UPCAST(FDCtrlISABus, busdev, dev);
++    FDCtrl *fdctrl = &isa->state;
++    int i;
++
++    for (i = 0; i < MAX_FD; i++) {
++        bs[i] = fdctrl->drives[i].bs;
++    }
++}
++
++
+ static const VMStateDescription vmstate_isa_fdc ={
+     .name = "fdc",
+     .version_id = 2,
+diff --git a/hw/fdc.h b/hw/fdc.h
+index 09f73c6..506feb6 100644
+--- a/hw/fdc.h
++++ b/hw/fdc.h
+@@ -7,14 +7,15 @@
+ /* fdc.c */
+ #define MAX_FD 2
+ 
+-static inline void fdctrl_init_isa(DriveInfo **fds)
++static inline ISADevice *fdctrl_init_isa(DriveInfo **fds)
+ {
+     ISADevice *dev;
+ 
+     dev = isa_try_create("isa-fdc");
+     if (!dev) {
+-        return;
++        return NULL;
+     }
++
+     if (fds[0]) {
+         qdev_prop_set_drive_nofail(&dev->qdev, "driveA", fds[0]->bdrv);
+     }
+@@ -22,10 +23,14 @@ static inline void fdctrl_init_isa(DriveInfo **fds)
+         qdev_prop_set_drive_nofail(&dev->qdev, "driveB", fds[1]->bdrv);
+     }
+     qdev_init_nofail(&dev->qdev);
++
++    return dev;
+ }
+ 
+ void fdctrl_init_sysbus(qemu_irq irq, int dma_chann,
+                         target_phys_addr_t mmio_base, DriveInfo **fds);
+ void sun4m_fdctrl_init(qemu_irq irq, target_phys_addr_t io_base,
+                        DriveInfo **fds, qemu_irq *fdc_tc);
++void fdc_get_bs(BlockDriverState *bs[], ISADevice *dev);
++
+ #endif
+diff --git a/hw/pc.c b/hw/pc.c
+index 14ce684..1d2b61e 100644
+--- a/hw/pc.c
++++ b/hw/pc.c
+@@ -333,12 +333,12 @@ static void pc_cmos_init_late(void *opaque)
+ 
+ void pc_cmos_init(ram_addr_t ram_size, ram_addr_t above_4g_mem_size,
+                   const char *boot_device,
+-                  BusState *idebus0, BusState *idebus1,
++                  ISADevice *floppy, BusState *idebus0, BusState *idebus1,
+                   ISADevice *s)
+ {
+     int val, nb, nb_heads, max_track, last_sect, i;
+     FDriveType fd_type[2];
+-    DriveInfo *fd[2];
++    BlockDriverState *fd[MAX_FD];
+     static pc_cmos_init_late_arg arg;
+ 
+     /* various important CMOS locations needed by PC/Bochs bios */
+@@ -380,14 +380,16 @@ void pc_cmos_init(ram_addr_t ram_size, ram_addr_t above_4g_mem_size,
+     }
+ 
+     /* floppy type */
+-    for (i = 0; i < 2; i++) {
+-        fd[i] = drive_get(IF_FLOPPY, 0, i);
+-        if (fd[i] && bdrv_is_inserted(fd[i]->bdrv)) {
+-            bdrv_get_floppy_geometry_hint(fd[i]->bdrv, &nb_heads, &max_track,
+-                                          &last_sect, FDRIVE_DRV_NONE,
+-                                          &fd_type[i]);
+-        } else {
+-            fd_type[i] = FDRIVE_DRV_NONE;
++    if (floppy) {
++        fdc_get_bs(fd, floppy);
++        for (i = 0; i < 2; i++) {
++            if (fd[i] && bdrv_is_inserted(fd[i])) {
++                bdrv_get_floppy_geometry_hint(fd[i], &nb_heads, &max_track,
++                                              &last_sect, FDRIVE_DRV_NONE,
++                                              &fd_type[i]);
++            } else {
++                fd_type[i] = FDRIVE_DRV_NONE;
++            }
+         }
+     }
+     val = (cmos_get_fd_drive_type(fd_type[0]) << 4) |
+@@ -1091,6 +1093,7 @@ static void cpu_request_exit(void *opaque, int irq, int level)
+ 
+ void pc_basic_device_init(qemu_irq *isa_irq,
+                           ISADevice **rtc_state,
++                          ISADevice **floppy,
+                           bool no_vmport)
+ {
+     int i;
+@@ -1155,7 +1158,7 @@ void pc_basic_device_init(qemu_irq *isa_irq,
+     for(i = 0; i < MAX_FD; i++) {
+         fd[i] = drive_get(IF_FLOPPY, 0, i);
+     }
+-    fdctrl_init_isa(fd);
++    *floppy = fdctrl_init_isa(fd);
+ }
+ 
+ void pc_pci_device_init(PCIBus *pci_bus)
+diff --git a/hw/pc.h b/hw/pc.h
+index 6d5730b..24b7fe2 100644
+--- a/hw/pc.h
++++ b/hw/pc.h
+@@ -138,11 +138,12 @@ qemu_irq *pc_allocate_cpu_irq(void);
+ void pc_vga_init(PCIBus *pci_bus);
+ void pc_basic_device_init(qemu_irq *isa_irq,
+                           ISADevice **rtc_state,
++                          ISADevice **floppy,
+                           bool no_vmport);
+ void pc_init_ne2k_isa(NICInfo *nd);
+ void pc_cmos_init(ram_addr_t ram_size, ram_addr_t above_4g_mem_size,
+                   const char *boot_device,
+-                  BusState *ide0, BusState *ide1,
++                  ISADevice *floppy, BusState *ide0, BusState *ide1,
+                   ISADevice *s);
+ void pc_pci_device_init(PCIBus *pci_bus);
+ 
+diff --git a/hw/pc_piix.c b/hw/pc_piix.c
+index 31552fd..b8e0841 100644
+--- a/hw/pc_piix.c
++++ b/hw/pc_piix.c
+@@ -89,6 +89,7 @@ static void pc_init1(ram_addr_t ram_size,
+     DriveInfo *hd[MAX_IDE_BUS * MAX_IDE_DEVS];
+     BusState *idebus[MAX_IDE_BUS];
+     ISADevice *rtc_state;
++    ISADevice *floppy;
+ 
+     pc_cpus_init(cpu_model);
+ 
+@@ -141,7 +142,7 @@ static void pc_init1(ram_addr_t ram_size,
+     }
+ 
+     /* init basic PC hardware */
+-    pc_basic_device_init(isa_irq, &rtc_state, xen_enabled());
++    pc_basic_device_init(isa_irq, &rtc_state, &floppy, xen_enabled());
+ 
+     for(i = 0; i < nb_nics; i++) {
+         NICInfo *nd = &nd_table[i];
+@@ -170,7 +171,7 @@ static void pc_init1(ram_addr_t ram_size,
+     audio_init(isa_irq, pci_enabled ? pci_bus : NULL);
+ 
+     pc_cmos_init(below_4g_mem_size, above_4g_mem_size, boot_device,
+-                 idebus[0], idebus[1], rtc_state);
++                 floppy, idebus[0], idebus[1], rtc_state);
+ 
+     if (pci_enabled && usb_enabled) {
+         usb_uhci_piix3_init(pci_bus, piix3_devfn + 2);
+-- 
+1.7.11.2
+
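Review bot: When floppy is NULL — which fdctrl_init_isa now returns if isa_try_create() fails — pc_cmos_init skips the new `if (floppy)` block and then reads fd_type[0] and fd_type[1] uninitialized at the `cmos_get_fd_drive_type` line; the old loop assigned both entries unconditionally. Initialising at declaration, `FDriveType fd_type[2] = { FDRIVE_DRV_NONE, FDRIVE_DRV_NONE };`, restores the old behaviour for the no-controller case. The inner loop bound `2` could also become `MAX_FD` to match the new `fd[MAX_FD]` declaration. pc_cmos_init continues outside the hunk.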
diff --git a/0230-cpu-common-Have-a-ram_addr_t-of-uint64-with-Xen.patch b/0230-cpu-common-Have-a-ram_addr_t-of-uint64-with-Xen.patch
new file mode 100644
index 0000000..1fe3b1e
--- /dev/null
+++ b/0230-cpu-common-Have-a-ram_addr_t-of-uint64-with-Xen.patch
@@ -0,0 +1,97 @@
+From 7baf1e0bf54096eceb4c4553c9212599454cd83d Mon Sep 17 00:00:00 2001
+From: Anthony PERARD <anthony.perard at citrix.com>
+Date: Wed, 20 Jul 2011 08:17:42 +0000
+Subject: [PATCH] cpu-common: Have a ram_addr_t of uint64 with Xen.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+In Xen case, memory can be bigger than the host memory. that mean a
+32bits host (and QEMU) should be able to handle a RAM address of 64bits.
+
+Signed-off-by: Anthony PERARD <anthony.perard at citrix.com>
+Signed-off-by: Alexander Graf <agraf at suse.de>
+(cherry picked from commit f15fbc4bd1a24bd1477a846e63e62c6d435912f8)
+
+Signed-off-by: Andreas Färber <afaerber at suse.de>
+---
+ cpu-common.h | 8 ++++++++
+ exec.c       | 9 +++++----
+ xen-all.c    | 2 +-
+ 3 files changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/cpu-common.h b/cpu-common.h
+index 44b04b3..0700101 100644
+--- a/cpu-common.h
++++ b/cpu-common.h
+@@ -27,7 +27,15 @@ enum device_endian {
+ };
+ 
+ /* address in the RAM (different from a physical address) */
++#if defined(CONFIG_XEN_BACKEND) && TARGET_PHYS_ADDR_BITS == 64
++typedef uint64_t ram_addr_t;
++#  define RAM_ADDR_MAX UINT64_MAX
++#  define RAM_ADDR_FMT "%" PRIx64
++#else
+ typedef unsigned long ram_addr_t;
++#  define RAM_ADDR_MAX ULONG_MAX
++#  define RAM_ADDR_FMT "%lx"
++#endif
+ 
+ /* memory API */
+ 
+diff --git a/exec.c b/exec.c
+index 2160ded..6fb589b 100644
+--- a/exec.c
++++ b/exec.c
+@@ -2863,13 +2863,13 @@ static void *file_ram_alloc(RAMBlock *block,
+ static ram_addr_t find_ram_offset(ram_addr_t size)
+ {
+     RAMBlock *block, *next_block;
+-    ram_addr_t offset = 0, mingap = ULONG_MAX;
++    ram_addr_t offset = 0, mingap = RAM_ADDR_MAX;
+ 
+     if (QLIST_EMPTY(&ram_list.blocks))
+         return 0;
+ 
+     QLIST_FOREACH(block, &ram_list.blocks, next) {
+-        ram_addr_t end, next = ULONG_MAX;
++        ram_addr_t end, next = RAM_ADDR_MAX;
+ 
+         end = block->offset + block->length;
+ 
+@@ -3081,7 +3081,8 @@ void qemu_ram_remap(ram_addr_t addr, ram_addr_t length)
+ #endif
+                 }
+                 if (area != vaddr) {
+-                    fprintf(stderr, "Could not remap addr: %lx@%lx\n",
++                    fprintf(stderr, "Could not remap addr: "
++                            RAM_ADDR_FMT "@" RAM_ADDR_FMT "\n",
+                             length, addr);
+                     exit(1);
+                 }
+@@ -4052,7 +4053,7 @@ void *cpu_physical_memory_map(target_phys_addr_t addr,
+     target_phys_addr_t page;
+     unsigned long pd;
+     PhysPageDesc *p;
+-    ram_addr_t raddr = ULONG_MAX;
++    ram_addr_t raddr = RAM_ADDR_MAX;
+     ram_addr_t rlen;
+     void *ret;
+ 
+diff --git a/xen-all.c b/xen-all.c
+index 167bed6..8f2556a 100644
+--- a/xen-all.c
++++ b/xen-all.c
+@@ -184,7 +184,7 @@ void xen_ram_alloc(ram_addr_t ram_addr, ram_addr_t size)
+     }
+ 
+     if (xc_domain_populate_physmap_exact(xen_xc, xen_domid, nr_pfn, 0, 0, pfn_list)) {
+-        hw_error("xen: failed to populate ram at %lx", ram_addr);
++        hw_error("xen: failed to populate ram at " RAM_ADDR_FMT, ram_addr);
+     }
+ 
+     qemu_free(pfn_list);
+-- 
+1.7.11.2
+
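Review bot: The new RAM_ADDR_MAX/RAM_ADDR_FMT definitions depend on ULONG_MAX, UINT64_MAX and PRIx64, i.e. on <limits.h>, <stdint.h> and <inttypes.h>, and cpu-common.h's include list is outside the hunk, so it is worth confirming the header pulls them in itself rather than relying on includers. The `#if` also ties the ram_addr_t typedef to TARGET_PHYS_ADDR_BITS, so any translation unit that includes cpu-common.h before that macro is defined would see the other typedef; a comment above the `#if`, `/* Xen: guest RAM can exceed the host address space, so offsets must be 64-bit; depends on TARGET_PHYS_ADDR_BITS being defined first */`, would record the constraint. The fprintf and hw_error format changes correctly track the new width.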
diff --git a/0231-Error-check-find_ram_offset.patch b/0231-Error-check-find_ram_offset.patch
new file mode 100644
index 0000000..e4b3497
--- /dev/null
+++ b/0231-Error-check-find_ram_offset.patch
@@ -0,0 +1,58 @@
+From 75f2b558df8c3ccd8b980eedf2f4aef8b217587e Mon Sep 17 00:00:00 2001
+From: Alex Williamson <alex.williamson at redhat.com>
+Date: Mon, 31 Oct 2011 08:54:09 -0600
+Subject: [PATCH] Error check find_ram_offset
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Spotted via code review, we initialize offset to 0 to avoid a
+compiler warning, but in the unlikely case that offset is
+never set to something else, we should abort instead of return
+a value that will almost certainly cause problems.
+
+Signed-off-by: Alex Williamson <alex.williamson at redhat.com>
+Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>
+(cherry picked from commit 3e837b2c05bc63fe2226baf3c29923d5a688593f)
+
+Signed-off-by: Bruce Rogers <brogers at suse.com>
+Signed-off-by: Andreas Färber <afaerber at suse.de>
+---
+ exec.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/exec.c b/exec.c
+index 6fb589b..537a49f 100644
+--- a/exec.c
++++ b/exec.c
+@@ -2863,7 +2863,7 @@ static void *file_ram_alloc(RAMBlock *block,
+ static ram_addr_t find_ram_offset(ram_addr_t size)
+ {
+     RAMBlock *block, *next_block;
+-    ram_addr_t offset = 0, mingap = RAM_ADDR_MAX;
++    ram_addr_t offset = RAM_ADDR_MAX, mingap = RAM_ADDR_MAX;
+ 
+     if (QLIST_EMPTY(&ram_list.blocks))
+         return 0;
+@@ -2879,10 +2879,17 @@ static ram_addr_t find_ram_offset(ram_addr_t size)
+             }
+         }
+         if (next - end >= size && next - end < mingap) {
+-            offset =  end;
++            offset = end;
+             mingap = next - end;
+         }
+     }
++
++    if (offset == RAM_ADDR_MAX) {
++        fprintf(stderr, "Failed to find gap of requested size: %" PRIu64 "\n",
++                (uint64_t)size);
++        abort();
++    }
++
+     return offset;
+ }
+ 
+-- 
+1.7.11.2
+
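Review bot: The new abort() turns a failed gap search into a process crash; find_ram_offset sits on the RAM allocation path, so if any caller can be reached after startup (device hot-add, presumably), a single failed allocation takes the whole VM down rather than failing that request. The function's return type offers no error channel other than the RAM_ADDR_MAX sentinel now used internally, so a non-fatal variant would require callers to accept that sentinel as failure; a comment on the abort, `/* No gap found: callers cannot recover, and 0 would alias a real offset */`, would at least document why crashing was chosen. The `(uint64_t)size` cast with PRIu64 is the right choice given that ram_addr_t's width now varies by build.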
diff --git a/0232-pc-add-pc-0.15.patch b/0232-pc-add-pc-0.15.patch
new file mode 100644
index 0000000..aaefe27
--- /dev/null
+++ b/0232-pc-add-pc-0.15.patch
@@ -0,0 +1,73 @@
+From 60d8ce5610a8b24ff298d6cb3d9abbd2e6f046bd Mon Sep 17 00:00:00 2001
+From: Anthony Liguori <aliguori at us.ibm.com>
+Date: Sun, 18 Dec 2011 12:59:12 -0600
+Subject: [PATCH] pc: add pc-0.15
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>
+(cherry picked from commit ce01a508e8053350544c88ba68a3f90c44b6bb93)
+
+[BR: bnc#741460]
+Signed-off-by: Bruce Rogers <brogers at suse.com>
+[AF: backported]
+Signed-off-by: Andreas Färber <afaerber at suse.de>
+---
+ hw/pc_piix.c | 26 +++++++++++++++++++++++---
+ 1 file changed, 23 insertions(+), 3 deletions(-)
+
+diff --git a/hw/pc_piix.c b/hw/pc_piix.c
+index b8e0841..20bac9d 100644
+--- a/hw/pc_piix.c
++++ b/hw/pc_piix.c
+@@ -258,8 +258,8 @@ static void pc_xen_hvm_init(ram_addr_t ram_size,
+ }
+ #endif
+ 
+-static QEMUMachine pc_machine = {
+-    .name = "pc-0.14",
++static QEMUMachine pc_machine_v0_15 = {
++    .name = "pc-0.15",
+     .alias = "pc",
+     .desc = "Standard PC",
+     .init = pc_init_pci,
+@@ -267,6 +267,25 @@ static QEMUMachine pc_machine = {
+     .is_default = 1,
+ };
+ 
++static QEMUMachine pc_machine_v0_14 = {
++    .name = "pc-0.14",
++    .desc = "Standard PC",
++    .init = pc_init_pci,
++    .max_cpus = 255,
++    .compat_props = (GlobalProperty[]) {
++        {
++            .driver   = "qxl",
++            .property = "revision",
++            .value    = stringify(2),
++        },{
++            .driver   = "qxl-vga",
++            .property = "revision",
++            .value    = stringify(2),
++        },
++        { /* end of list */ }
++    },
++};
++
+ static QEMUMachine pc_machine_v0_13 = {
+     .name = "pc-0.13",
+     .desc = "Standard PC",
+@@ -498,7 +517,8 @@ static QEMUMachine xenfv_machine = {
+ 
+ static void pc_machine_init(void)
+ {
+-    qemu_register_machine(&pc_machine);
++    qemu_register_machine(&pc_machine_v0_15);
++    qemu_register_machine(&pc_machine_v0_14);
+     qemu_register_machine(&pc_machine_v0_13);
+     qemu_register_machine(&pc_machine_v0_12);
+     qemu_register_machine(&pc_machine_v0_11);
+-- 
+1.7.11.2
+
diff --git a/0233-pc-fix-event_idx-compatibility-for-virtio-devices.patch b/0233-pc-fix-event_idx-compatibility-for-virtio-devices.patch
new file mode 100644
index 0000000..7ad890a
--- /dev/null
+++ b/0233-pc-fix-event_idx-compatibility-for-virtio-devices.patch
@@ -0,0 +1,95 @@
+From 3cc7ef743b3f04ff986c820f67444d2dec946167 Mon Sep 17 00:00:00 2001
+From: Anthony Liguori <aliguori at us.ibm.com>
+Date: Sun, 18 Dec 2011 13:07:03 -0600
+Subject: [PATCH] pc: fix event_idx compatibility for virtio devices
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+event_idx was introduced in 0.15 and must be disabled for all virtio-pci devices
+(including virtio-balloon-pci).
+
+Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>
+(cherry picked from commit ea830ebb74461c5ad6d199857fb000d2e0284c69)
+
+[BR: bnc#741460]
+Signed-off-by: Bruce Rogers <brogers at suse.com>
+Signed-off-by: Andreas Färber <afaerber at suse.de>
+---
+ hw/pc_piix.c | 32 ++++++++++++++++++++++++++++++++
+ 1 file changed, 32 insertions(+)
+
+diff --git a/hw/pc_piix.c b/hw/pc_piix.c
+index 20bac9d..b179465 100644
+--- a/hw/pc_piix.c
++++ b/hw/pc_piix.c
+@@ -281,6 +281,22 @@ static QEMUMachine pc_machine_v0_14 = {
+             .driver   = "qxl-vga",
+             .property = "revision",
+             .value    = stringify(2),
++        },{
++            .driver   = "virtio-blk-pci",
++            .property = "event_idx",
++            .value    = "off",
++        },{
++            .driver   = "virtio-serial-pci",
++            .property = "event_idx",
++            .value    = "off",
++        },{
++            .driver   = "virtio-net-pci",
++            .property = "event_idx",
++            .value    = "off",
++        },{
++            .driver   = "virtio-balloon-pci",
++            .property = "event_idx",
++            .value    = "off",
+         },
+         { /* end of list */ }
+     },
+@@ -321,6 +337,10 @@ static QEMUMachine pc_machine_v0_13 = {
+             .property = "event_idx",
+             .value    = "off",
+         },{
++            .driver   = "virtio-balloon-pci",
++            .property = "event_idx",
++            .value    = "off",
++        },{
+             .driver   = "AC97",
+             .property = "use_broken_id",
+             .value    = stringify(1),
+@@ -368,6 +388,10 @@ static QEMUMachine pc_machine_v0_12 = {
+             .property = "event_idx",
+             .value    = "off",
+         },{
++            .driver   = "virtio-balloon-pci",
++            .property = "event_idx",
++            .value    = "off",
++        },{
+             .driver   = "AC97",
+             .property = "use_broken_id",
+             .value    = stringify(1),
+@@ -423,6 +447,10 @@ static QEMUMachine pc_machine_v0_11 = {
+             .property = "event_idx",
+             .value    = "off",
+         },{
++            .driver   = "virtio-balloon-pci",
++            .property = "event_idx",
++            .value    = "off",
++        },{
+             .driver   = "AC97",
+             .property = "use_broken_id",
+             .value    = stringify(1),
+@@ -490,6 +518,10 @@ static QEMUMachine pc_machine_v0_10 = {
+             .property = "event_idx",
+             .value    = "off",
+         },{
++            .driver   = "virtio-balloon-pci",
++            .property = "event_idx",
++            .value    = "off",
++        },{
+             .driver   = "AC97",
+             .property = "use_broken_id",
+             .value    = stringify(1),
+-- 
+1.7.11.2
+
diff --git a/0234-Add-missing-trace-call-to-oslib-posix.c-qemu_vmalloc.patch b/0234-Add-missing-trace-call-to-oslib-posix.c-qemu_vmalloc.patch
new file mode 100644
index 0000000..2585cb5
--- /dev/null
+++ b/0234-Add-missing-trace-call-to-oslib-posix.c-qemu_vmalloc.patch
@@ -0,0 +1,37 @@
+From 601465e71b720e1e54911bbd67e2d02cd4904f0d Mon Sep 17 00:00:00 2001
+From: Jes Sorensen <Jes.Sorensen at redhat.com>
+Date: Mon, 25 Jul 2011 17:13:36 +0200
+Subject: [PATCH] Add missing trace call to oslib-posix.c:qemu_vmalloc()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Acked-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
+Signed-off-by: Jes Sorensen <Jes.Sorensen at redhat.com>
+Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>
+(cherry picked from commit c7f4111a06208b46c6d05934d2a1e5cfbebc0180)
+
+Signed-off-by: Andreas Färber <afaerber at suse.de>
+---
+ oslib-posix.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/oslib-posix.c b/oslib-posix.c
+index 3a18e86..196099c 100644
+--- a/oslib-posix.c
++++ b/oslib-posix.c
+@@ -79,7 +79,10 @@ void *qemu_memalign(size_t alignment, size_t size)
+ /* alloc shared memory pages */
+ void *qemu_vmalloc(size_t size)
+ {
+-    return qemu_memalign(getpagesize(), size);
++    void *ptr;
++    ptr = qemu_memalign(getpagesize(), size);
++    trace_qemu_vmalloc(size, ptr);
++    return ptr;
+ }
+ 
+ void qemu_vfree(void *ptr)
+-- 
+1.7.11.2
+
diff --git a/0235-qemu_vmalloc-align-properly-for-transparent-hugepage.patch b/0235-qemu_vmalloc-align-properly-for-transparent-hugepage.patch
new file mode 100644
index 0000000..bb9cde2
--- /dev/null
+++ b/0235-qemu_vmalloc-align-properly-for-transparent-hugepage.patch
@@ -0,0 +1,61 @@
+From d12ac10d3ce10d3e1c9b23aeca397caa74be49d3 Mon Sep 17 00:00:00 2001
+From: Avi Kivity <avi at redhat.com>
+Date: Mon, 5 Sep 2011 11:07:05 +0300
+Subject: [PATCH] qemu_vmalloc: align properly for transparent hugepages and
+ KVM
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+To make good use of transparent hugepages, KVM requires that guest-physical
+and host-virtual addresses share the low 21 bits (as opposed to just the low
+12 bits normally required).
+
+Adjust qemu_vmalloc() to honor that requirement.  Ignore it for small regions
+to avoid fragmentation.
+
+Signed-off-by: Avi Kivity <avi at redhat.com>
+Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>
+(cherry picked from commit 36b586284e678da28df3af9fd0907d2b16f9311c)
+
+Signed-off-by: Bruce Rogers <brogers at suse.com>
+Signed-off-by: Andreas Färber <afaerber at suse.de>
+---
+ oslib-posix.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/oslib-posix.c b/oslib-posix.c
+index 196099c..a304fb0 100644
+--- a/oslib-posix.c
++++ b/oslib-posix.c
+@@ -35,6 +35,13 @@
+ extern int daemon(int, int);
+ #endif
+ 
++#if defined(__linux__) && defined(__x86_64__)
++   /* Use 2MB alignment so transparent hugepages can be used by KVM */
++#  define QEMU_VMALLOC_ALIGN (512 * 4096)
++#else
++#  define QEMU_VMALLOC_ALIGN getpagesize()
++#endif
++
+ #include "config-host.h"
+ #include "sysemu.h"
+ #include "trace.h"
+@@ -80,7 +87,12 @@ void *qemu_memalign(size_t alignment, size_t size)
+ void *qemu_vmalloc(size_t size)
+ {
+     void *ptr;
+-    ptr = qemu_memalign(getpagesize(), size);
++    size_t align = QEMU_VMALLOC_ALIGN;
++
++    if (size < align) {
++        align = getpagesize();
++    }
++    ptr = qemu_memalign(align, size);
+     trace_qemu_vmalloc(size, ptr);
+     return ptr;
+ }
+-- 
+1.7.11.2
+
diff --git a/0236-block-vpc-write-checksum-back-to-footer-after-check.patch b/0236-block-vpc-write-checksum-back-to-footer-after-check.patch
new file mode 100644
index 0000000..f35383d
--- /dev/null
+++ b/0236-block-vpc-write-checksum-back-to-footer-after-check.patch
@@ -0,0 +1,41 @@
+From add89f969fc86f3b3223c4283ee49fcb507b8f81 Mon Sep 17 00:00:00 2001
+From: Zhang Shengju <zhangsju at gmail.com>
+Date: Tue, 13 Mar 2012 22:38:13 +0800
+Subject: [PATCH] block/vpc: write checksum back to footer after check
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+After validation check, the 'checksum' is not written back
+to footer, which leave it with zero.
+
+This results in errors while loadding it under Microsoft's
+Hyper-V environment, and also errors from utilities like
+Citrix's vhd-util.
+
+Signed-off-by: Zhang Shengju <sean_zhang at trendmicro.com.cn>
+Signed-off-by: Kevin Wolf <kwolf at redhat.com>
+(cherry picked from commit c088b691363070d151f80cc1fde4b7c151bdfe8f)
+
+Signed-off-by: Andreas Färber <afaerber at suse.de>
+---
+ block/vpc.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/block/vpc.c b/block/vpc.c
+index ac33e15..55201e2 100644
+--- a/block/vpc.c
++++ b/block/vpc.c
+@@ -170,6 +170,9 @@ static int vpc_open(BlockDriverState *bs, int flags)
+         fprintf(stderr, "block-vpc: The header checksum of '%s' is "
+             "incorrect.\n", bs->filename);
+ 
++    /* Write 'checksum' back to footer, or else will leave it with zero. */
++    footer->checksum = be32_to_cpu(checksum);
++
+     // The visible size of a image in Virtual PC depends on the geometry
+     // rather than on the size stored in the footer (the size in the footer
+     // is too large usually)
+-- 
+1.7.11.2
+
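Review bot: The new write-back line `footer->checksum = be32_to_cpu(checksum);` converts in the wrong conceptual direction for storing a host-order value into an on-disk big-endian field; `footer->checksum = cpu_to_be32(checksum);` states the intent. For a 32-bit byte swap the two expand to the same operation, so this is a readability point rather than a behavioural one, assuming `checksum` holds the host-order value that the validation compared against (that read is outside the hunk). The enclosing vpc_open() starts outside the hunk.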
diff --git a/0237-bt-host-add-missing-break-statement.patch b/0237-bt-host-add-missing-break-statement.patch
new file mode 100644
index 0000000..8f72237
--- /dev/null
+++ b/0237-bt-host-add-missing-break-statement.patch
@@ -0,0 +1,36 @@
+From 557393c06af445a23f65667d16d1ff43b5d7ae6d Mon Sep 17 00:00:00 2001
+From: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
+Date: Thu, 12 Jan 2012 14:17:04 +0000
+Subject: [PATCH] bt-host: add missing break statement
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The switch statement in bt_host_read() is missing a break in one case.
+Andrzej Zaborowski <andrew.zaborowski at intel.com> confirmed that this is
+not an intentional fall-through.
+
+Reviewed-by: Stefan Weil <sw at weilnetz.de>
+Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
+(cherry picked from commit f7253270fc66a60e4faf639a3c4ce0b352553b24)
+
+Signed-off-by: Andreas Färber <afaerber at suse.de>
+---
+ bt-host.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/bt-host.c b/bt-host.c
+index 095254d..df59494 100644
+--- a/bt-host.c
++++ b/bt-host.c
+@@ -130,6 +130,7 @@ static void bt_host_read(void *opaque)
+             pktlen = MIN(pkt[2] + 3, s->len);
+             s->len -= pktlen;
+             pkt += pktlen;
++            break;
+ 
+         default:
+         bad_pkt:
+-- 
+1.7.11.2
+
diff --git a/0238-ds1338-Add-missing-break-statement.patch b/0238-ds1338-Add-missing-break-statement.patch
new file mode 100644
index 0000000..f4529e9
--- /dev/null
+++ b/0238-ds1338-Add-missing-break-statement.patch
@@ -0,0 +1,39 @@
+From 1c363aca36c5f53cb04d04fa1ee9a442dd5dbad4 Mon Sep 17 00:00:00 2001
+From: Stefan Weil <sw at weilnetz.de>
+Date: Sat, 25 Feb 2012 14:50:25 +0100
+Subject: [PATCH] ds1338: Add missing break statement
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Without the break statement, case 5 sets month and year from the same
+data. This does not look correct.
+
+The missing break was reported by splint.
+
+Signed-off-by: Stefan Weil <sw at weilnetz.de>
+Reviewed-by: Peter Maydell <peter.maydell at linaro.org>
+Reviewed-by: Andreas Färber <afaerber at suse.de>
+Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
+(cherry picked from commit fbac6a7d35d119a52606c175aface9bcec805f09)
+
+Signed-off-by: Andreas Färber <afaerber at suse.de>
+---
+ hw/ds1338.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/ds1338.c b/hw/ds1338.c
+index 3522af5..964d2f7 100644
+--- a/hw/ds1338.c
++++ b/hw/ds1338.c
+@@ -97,6 +97,7 @@ static int ds1338_send(i2c_slave *i2c, uint8_t data)
+             break;
+         case 5:
+             s->now.tm_mon = from_bcd(data & 0x1f) - 1;
++            break;
+         case 6:
+             s->now.tm_year = from_bcd(data) + 100;
+             break;
+-- 
+1.7.11.2
+
diff --git a/0239-block-vdi-Zero-unused-parts-when-allocating-a-new-bl.patch b/0239-block-vdi-Zero-unused-parts-when-allocating-a-new-bl.patch
new file mode 100644
index 0000000..c396ce6
--- /dev/null
+++ b/0239-block-vdi-Zero-unused-parts-when-allocating-a-new-bl.patch
@@ -0,0 +1,70 @@
+From e246af75817264aa340cc4e8bb42c17a2d48cbb7 Mon Sep 17 00:00:00 2001
+From: Stefan Weil <sw at weilnetz.de>
+Date: Sat, 21 Jan 2012 13:54:24 +0100
+Subject: [PATCH] block/vdi: Zero unused parts when allocating a new block
+ (fix #919242)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The new block was filled with zero when it was allocated by g_malloc0,
+but when it was reused later and only partially used, data from the
+previously allocated block were still present and written to the new
+block.
+
+This caused the problems reported by bug #919242
+(https://bugs.launchpad.net/qemu/+bug/919242).
+
+Now the unused parts of the new block which are before and after the data
+are always filled with zero, so it is no longer necessary to zero the whole
+block with g_malloc0.
+
+I also updated the copyright comment.
+
+Signed-off-by: Stefan Weil <sw at weilnetz.de>
+Signed-off-by: Kevin Wolf <kwolf at redhat.com>
+(cherry picked from commit 641543b76b82a8b361482b727e08de0c8ec093b0)
+
+[AF: g_malloc() -> qemu_malloc()]
+Signed-off-by: Andreas Färber <afaerber at suse.de>
+---
+ block/vdi.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/block/vdi.c b/block/vdi.c
+index 1be0cdc..07413af 100644
+--- a/block/vdi.c
++++ b/block/vdi.c
+@@ -1,7 +1,7 @@
+ /*
+  * Block driver for the Virtual Disk Image (VDI) format
+  *
+- * Copyright (c) 2009 Stefan Weil
++ * Copyright (c) 2009, 2012 Stefan Weil
+  *
+  * This program is free software: you can redistribute it and/or modify
+  * it under the terms of the GNU General Public License as published by
+@@ -765,15 +765,19 @@ static void vdi_aio_write_cb(void *opaque, int ret)
+                  (uint64_t)bmap_entry * s->block_sectors;
+         block = acb->block_buffer;
+         if (block == NULL) {
+-            block = qemu_mallocz(s->block_size);
++            block = qemu_malloc(s->block_size);
+             acb->block_buffer = block;
+             acb->bmap_first = block_index;
+             assert(!acb->header_modified);
+             acb->header_modified = 1;
+         }
+         acb->bmap_last = block_index;
++        /* Copy data to be written to new block and zero unused parts. */
++        memset(block, 0, sector_in_block * SECTOR_SIZE);
+         memcpy(block + sector_in_block * SECTOR_SIZE,
+                acb->buf, n_sectors * SECTOR_SIZE);
++        memset(block + (sector_in_block + n_sectors) * SECTOR_SIZE, 0,
++               (s->block_sectors - n_sectors - sector_in_block) * SECTOR_SIZE);
+         acb->hd_iov.iov_base = (void *)block;
+         acb->hd_iov.iov_len = s->block_size;
+         qemu_iovec_init_external(&acb->hd_qiov, &acb->hd_iov, 1);
+-- 
+1.7.11.2
+
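Review bot: The second memset at the end of the hunk sizes its zero-fill as `(s->block_sectors - n_sectors - sector_in_block) * SECTOR_SIZE`; now that the block comes from `qemu_malloc()` instead of `qemu_mallocz()`, these two memsets are the only thing keeping stale heap contents out of the image, and if `sector_in_block + n_sectors` ever exceeded `s->block_sectors` the subtraction would wrap or go negative and the memset would run past the buffer. An `assert(sector_in_block + n_sectors <= s->block_sectors);` ahead of the first memset would pin the invariant the arithmetic relies on, and the comment on the new line could say so: `/* Zero the parts of the new block before and after the data; the buffer is no longer pre-zeroed. */`. Whether the caller already guarantees that bound is not visible here; vdi_aio_write_cb() starts outside the hunk.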
diff --git a/qemu-fix-systemtap.patch b/qemu-fix-systemtap.patch
new file mode 100644
index 0000000..3191eec
--- /dev/null
+++ b/qemu-fix-systemtap.patch
@@ -0,0 +1,19 @@
+diff -rup qemu-kvm-1.0.1/scripts/tracetool z/scripts/tracetool
+--- qemu-kvm-1.0.1/scripts/tracetool	2012-04-16 22:15:17.000000000 -0400
++++ z/scripts/tracetool	2012-07-29 21:10:51.326868987 -0400
+@@ -500,6 +500,15 @@ EOF
+         if [ "$arg" = "limit" ]; then
+           arg="_limit"
+         fi
++        if [ "$arg" = "in" ]; then
++          arg="_in"
++        fi
++        if [ "$arg" = "next" ]; then
++          arg="_next"
++        fi
++        if [ "$arg" = "self" ]; then
++          arg="_self"
++        fi
+         cat <<EOF
+   $arg = \$arg$i;
+ EOF
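Review bot: The three added `if [ "$arg" = ... ]` blocks copy the existing `limit` test verbatim, so the remapping now spans twelve lines of identical structure; a single `case "$arg" in limit|in|next|self) arg="_$arg" ;; esac` replaces all four tests and shows the whole list of avoided names in one place. A one-line comment above it, such as `# prefix trace args that collide with SystemTap reserved words`, would record why the underscore is added, since the hunk itself does not say and the names presumably come from the tapset grammar. The enclosing loop and heredoc start outside the hunk.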
diff --git a/qemu-fix-text-mode-screendumps.patch b/qemu-fix-text-mode-screendumps.patch
new file mode 100644
index 0000000..ae517c2
--- /dev/null
+++ b/qemu-fix-text-mode-screendumps.patch
@@ -0,0 +1,31 @@
+diff -rup qemu-kvm-0.15.1/hw/vga.c frob/hw/vga.c
+--- qemu-kvm-0.15.1/hw/vga.c	2011-10-19 09:54:48.000000000 -0400
++++ frob/hw/vga.c	2012-07-29 21:00:27.389677588 -0400
+@@ -149,7 +149,7 @@ static uint16_t expand2[256];
+ static uint8_t expand4to8[16];
+ 
+ static void vga_screen_dump(void *opaque, const char *filename);
+-static char *screen_dump_filename;
++static const char *screen_dump_filename;
+ static DisplayChangeListener *screen_dump_dcl;
+ 
+ static void vga_dumb_update_retrace_info(VGACommonState *s)
+@@ -2330,7 +2330,6 @@ static void vga_save_dpy_update(DisplayS
+ {
+     if (screen_dump_filename) {
+         ppm_save(screen_dump_filename, ds->surface);
+-        screen_dump_filename = NULL;
+     }
+ }
+ 
+@@ -2408,8 +2407,8 @@ static void vga_screen_dump(void *opaque
+     if (!screen_dump_dcl)
+         screen_dump_dcl = vga_screen_dump_init(s->ds);
+ 
+-    screen_dump_filename = (char *)filename;
++    screen_dump_filename = filename;
+     vga_invalidate_display(s);
+     vga_hw_update();
++    screen_dump_filename = NULL;
+ }
+-
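Review bot: With the `screen_dump_filename = NULL` reset removed from vga_save_dpy_update() and placed after `vga_hw_update()` in vga_screen_dump(), every dpy_update callback issued during that one refresh now calls ppm_save() on the same file, where previously only the first one did. If that is the intent (the last, fully rendered surface wins, which looks like what text mode needs), a comment at the new reset line such as `/* keep dumping for the whole refresh; the last update wins */` would stop the next reader from reinstating the early reset. Whether vga_hw_update() can deliver more than one update per call is not visible from the hunk, so this may be moot in practice. Both touched functions have their signatures outside their hunks.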
diff --git a/qemu-snapshot-symlink-attack.patch b/qemu-snapshot-symlink-attack.patch
new file mode 100644
index 0000000..e6b1ae6
--- /dev/null
+++ b/qemu-snapshot-symlink-attack.patch
@@ -0,0 +1,93 @@
+diff -rup qemu-kvm-0.15.1/block/vvfat.c frob/block/vvfat.c
+--- qemu-kvm-0.15.1/block/vvfat.c	2012-07-29 20:56:28.318227757 -0400
++++ frob/block/vvfat.c	2012-07-29 20:59:15.537859208 -0400
+@@ -2795,7 +2795,12 @@ static int enable_write_target(BDRVVVFAT
+     array_init(&(s->commits), sizeof(commit_t));
+ 
+     s->qcow_filename = qemu_malloc(1024);
+-    get_tmp_filename(s->qcow_filename, 1024);
++    ret = get_tmp_filename(s->qcow_filename, 1024);
++    if (ret < 0) {
++        free(s->qcow_filename);
++        s->qcow_filename = NULL;
++        return ret;
++    }
+ 
+     bdrv_qcow = bdrv_find_format("qcow");
+     options = parse_option_parameters("", bdrv_qcow->create_options, NULL);
+diff -rup qemu-kvm-0.15.1/block.c frob/block.c
+--- qemu-kvm-0.15.1/block.c	2012-07-29 20:56:28.367221495 -0400
++++ frob/block.c	2012-07-29 20:58:24.931326050 -0400
+@@ -254,28 +254,36 @@ int bdrv_create_file(const char* filenam
+     return bdrv_create(drv, filename, options);
+ }
+ 
+-#ifdef _WIN32
+-void get_tmp_filename(char *filename, int size)
++/*
++ * Create a uniquely-named empty temporary file.
++ * Return 0 upon success, otherwise a negative errno value.
++ */
++int get_tmp_filename(char *filename, int size)
+ {
++#ifdef _WIN32
+     char temp_dir[MAX_PATH];
+-
+-    GetTempPath(MAX_PATH, temp_dir);
+-    GetTempFileName(temp_dir, "qem", 0, filename);
+-}
++    /* GetTempFileName requires that its output buffer (4th param)
++       have length MAX_PATH or greater.  */
++    assert(size >= MAX_PATH);
++    return (GetTempPath(MAX_PATH, temp_dir)
++            && GetTempFileName(temp_dir, "qem", 0, filename)
++            ? 0 : -GetLastError());
+ #else
+-void get_tmp_filename(char *filename, int size)
+-{
+     int fd;
+     const char *tmpdir;
+-    /* XXX: race condition possible */
+     tmpdir = getenv("TMPDIR");
+     if (!tmpdir)
+         tmpdir = "/tmp";
+-    snprintf(filename, size, "%s/vl.XXXXXX", tmpdir);
++    if (snprintf(filename, size, "%s/vl.XXXXXX", tmpdir) >= size) {
++        return -EOVERFLOW;
++    }
+     fd = mkstemp(filename);
+-    close(fd);
+-}
++    if (fd < 0 || close(fd)) {
++        return -errno;
++    }
++    return 0;
+ #endif
++}
+ 
+ /*
+  * Detect host devices. By convention, /dev/cdrom[N] is always
+@@ -555,7 +563,10 @@ int bdrv_open(BlockDriverState *bs, cons
+ 
+         bdrv_delete(bs1);
+ 
+-        get_tmp_filename(tmp_filename, sizeof(tmp_filename));
++        ret = get_tmp_filename(tmp_filename, sizeof(tmp_filename));
++        if (ret < 0) {
++            return ret;
++        }
+ 
+         /* Real path is meaningless for protocols */
+         if (is_protocol)
+diff -rup qemu-kvm-0.15.1/block_int.h frob/block_int.h
+--- qemu-kvm-0.15.1/block_int.h	2011-10-19 09:54:48.000000000 -0400
++++ frob/block_int.h	2012-07-29 20:58:24.932325925 -0400
+@@ -216,7 +216,7 @@ struct BlockDriverAIOCB {
+     BlockDriverAIOCB *next;
+ };
+ 
+-void get_tmp_filename(char *filename, int size);
++int get_tmp_filename(char *filename, int size);
+ 
+ void *qemu_aio_get(AIOPool *pool, BlockDriverState *bs,
+                    BlockDriverCompletionFunc *cb, void *opaque);
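Review bot: In the vvfat.c hunk the new error path releases `s->qcow_filename` with `free()` although it was obtained from `qemu_malloc()` two lines above; the paired call is `qemu_free(s->qcow_filename);`, so allocator and deallocator match. In block.c the new header comment promises "a negative errno value", but the `_WIN32` branch returns `-GetLastError()`, which is a Win32 error code from a different numbering space; either document that (`/* Windows: returns a negated Win32 error code, not errno */`) or map it before returning. The bdrv_open() hunk propagates the new return value correctly; enable_write_target() starts outside its hunk.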
diff --git a/qemu-spice-server-threading.patch b/qemu-spice-server-threading.patch
new file mode 100644
index 0000000..c8ba0a3
--- /dev/null
+++ b/qemu-spice-server-threading.patch
@@ -0,0 +1,73 @@
+commit 22b626e28e9895cc65c1e2023323bda5138716dc
+Author: Gerd Hoffmann <kraxel at redhat.com>
+Date:   Fri Sep 2 15:03:28 2011 +0200
+
+    spice: workaround a spice server bug.
+    
+    spice server might call the channel_event callback from spice server
+    thread context.  Detect that and aquire iothread lock if needed,
+
+diff --git a/ui/spice-core.c b/ui/spice-core.c
+index dba11f0..3cbc721 100644
+--- a/ui/spice-core.c
++++ b/ui/spice-core.c
+@@ -19,6 +19,7 @@
+ #include <spice-experimental.h>
+ 
+ #include <netdb.h>
++#include <pthread.h>
+ 
+ #include "qemu-common.h"
+ #include "qemu-spice.h"
+@@ -44,6 +45,8 @@ static char *auth_passwd;
+ static time_t auth_expires = TIME_MAX;
+ int using_spice = 0;
+ 
++static pthread_t me;
++
+ struct SpiceTimer {
+     QEMUTimer *timer;
+     QTAILQ_ENTRY(SpiceTimer) next;
+@@ -217,6 +220,20 @@ static void channel_event(int event, SpiceChannelEventInfo *info)
+     QDict *server, *client;
+     QObject *data;
+ 
++    /*
++     * Spice server might have called us from spice worker thread
++     * context (happens on display channel disconnects).  Spice should
++     * not do that.  It isn't that easy to fix it in spice and even
++     * when it is fixed we still should cover the already released
++     * spice versions.  So detect that we've been called from another
++     * thread and grab the iothread lock if so before calling qemu
++     * functions.
++     */
++    bool need_lock = !pthread_equal(me, pthread_self());
++    if (need_lock) {
++        qemu_mutex_lock_iothread();
++    }
++
+     client = qdict_new();
+     add_addr_info(client, &info->paddr, info->plen);
+ 
+@@ -236,6 +253,10 @@ static void channel_event(int event, SpiceChannelEventInfo *info)
+                               QOBJECT(client), QOBJECT(server));
+     monitor_protocol_event(qevent[event], data);
+     qobject_decref(data);
++
++    if (need_lock) {
++        qemu_mutex_unlock_iothread();
++    }
+ }
+ 
+ #else /* SPICE_INTERFACE_CORE_MINOR >= 3 */
+@@ -482,7 +503,9 @@ void qemu_spice_init(void)
+     spice_image_compression_t compression;
+     spice_wan_compression_t wan_compr;
+ 
+-    if (!opts) {
++    me = pthread_self();
++
++   if (!opts) {
+         return;
+     }
+     port = qemu_opt_get_number(opts, "port", 0);
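Review bot: The re-indented line `+   if (!opts) {` in the qemu_spice_init() hunk has three leading spaces where the surrounding block uses four, so the change adds a whitespace regression next to the `me = pthread_self();` assignment; it should stay `    if (!opts) {`. Separately, `me` is a file-scope `pthread_t` assigned only in qemu_spice_init(); if channel_event() could run before that assignment (not determinable from the hunk), `pthread_equal(me, pthread_self())` would compare against a zero-initialized handle and the iothread lock could be taken from the main thread, so a comment on `static pthread_t me;` such as `/* thread that ran qemu_spice_init(); valid only after it */` would make the ordering explicit. The channel_event() hunk also depends on there being no early return between the lock and unlock; none is visible in the context shown.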
diff --git a/qemu.spec b/qemu.spec
index 1cb916c..86918a3 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -1,8 +1,8 @@
 Summary: QEMU is a FAST! processor emulator
 Name: qemu
 Version: 0.15.1
-Release: 6%{?dist}
-# Epoch because we pushed a qemu-1.0 package
+Release: 7%{?dist}
+# Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
 Epoch: 2
 License: GPLv2+ and LGPLv2+ and BSD
 Group: Development/Tools
@@ -89,6 +89,51 @@ Patch103: %{name}-virtio-blk_refuse_SG_IO_requests_with_scsi_off.patch
 # Fix fedora guest hang with virtio console (bz 837925)
 Patch104: %{name}-virtio-console-unconnected-pty.patch
 
+# Patches from 0.15 stable
+Patch200: 0200-ccid-Fix-buffer-overrun-in-handling-of-VSC_ATR-messa.patch
+Patch201: 0201-qdev-Reset-hot-plugged-devices.patch
+Patch202: 0202-e1000-use-MII-status-register-for-link-up-down.patch
+Patch203: 0203-e1000-Don-t-set-the-Capabilities-List-bit.patch
+Patch205: 0205-compatfd.c-Don-t-pass-NULL-pointer-to-SYS_signalfd.patch
+Patch206: 0206-kvm-avoid-reentring-kvm_flush_coalesced_mmio_buffer.patch
+Patch207: 0207-vmdk-vmdk_read_cid-returns-garbage-if-p_name-is-NULL.patch
+Patch208: 0208-block-Fix-bdrv_open-use-after-free.patch
+Patch209: 0209-ide-Fix-off-by-one-error-in-array-index-check.patch
+Patch210: 0210-acl-Fix-use-after-free-in-qemu_acl_reset.patch
+Patch211: 0211-migration-flush-migration-data-to-disk.patch
+Patch212: 0212-Fix-X86-CPU-topology-in-KVM-mode.patch
+Patch213: 0213-hw-lan9118.c-Add-missing-break-to-fix-buffer-overrun.patch
+Patch214: 0214-ac97-don-t-override-the-pci-subsystem-id.patch
+Patch215: 0215-vvfat-Fix-potential-buffer-overflow.patch
+Patch216: 0216-vns-tls-don-t-use-depricated-gnutls-functions.patch
+Patch217: 0217-block-curl-Implement-a-flush-function-on-the-fd-hand.patch
+Patch218: 0218-hda-do-not-mix-output-and-input-streams-RHBZ-740493.patch
+Patch219: 0219-hda-do-not-mix-output-and-input-stream-states-RHBZ-7.patch
+Patch220: 0220-Teach-block-vdi-about-discarded-no-longer-allocated-.patch
+Patch221: 0221-vmdk-Improve-error-handling.patch
+Patch222: 0222-block-set-bs-read_only-before-.bdrv_open.patch
+Patch223: 0223-console-Fix-rendering-of-VGA-underline.patch
+Patch224: 0224-block-Fix-vpc-initialization-of-the-Dynamic-Disk-Hea.patch
+Patch225: 0225-qcow-Fix-bdrv_write_compressed-error-handling.patch
+Patch226: 0226-block-reinitialize-across-bdrv_close-bdrv_open.patch
+Patch227: 0227-qxl-stride-fixup.patch
+Patch228: 0228-vmdk-Fix-possible-segfaults.patch
+Patch230: 0230-cpu-common-Have-a-ram_addr_t-of-uint64-with-Xen.patch
+Patch231: 0231-Error-check-find_ram_offset.patch
+Patch236: 0236-block-vpc-write-checksum-back-to-footer-after-check.patch
+Patch237: 0237-bt-host-add-missing-break-statement.patch
+Patch238: 0238-ds1338-Add-missing-break-statement.patch
+Patch239: 0239-block-vdi-Zero-unused-parts-when-allocating-a-new-bl.patch
+# CVE-2012-2652: Possible symlink attacks with -snapshot (bz 825697, bz
+# 824919)
+Patch240: %{name}-snapshot-symlink-attack.patch
+# Fix systemtap tapsets (bz 831763)
+Patch241: %{name}-fix-systemtap.patch
+# Fix qmp response race caused by spice server bug (bz 744015)
+Patch242: %{name}-spice-server-threading.patch
+# Fix text mode screendumps (bz 819155)
+Patch243: %{name}-fix-text-mode-screendumps.patch
+
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: SDL-devel zlib-devel which texi2html gnutls-devel cyrus-sasl-devel
 BuildRequires: libaio-devel
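Review bot: The Patch2xx list jumps from Patch231 to Patch236, yet this commit also adds 0232-pc-add-pc-0.15.patch, 0233-pc-fix-event_idx-compatibility-for-virtio-devices.patch, 0234-Add-missing-trace-call-to-oslib-posix.c-qemu_vmalloc.patch and 0235-qemu_vmalloc-align-properly-for-transparent-hugepage.patch, none of which is declared here or applied in the %prep hunk below (the `%patch230`/`%patch231`/`%patch236` run). If leaving them out is deliberate, a comment in the gap such as `# 0232-0235 shipped but intentionally not applied` would stop the next update from guessing; if not, each needs both a `PatchNNN:` line here and a `%patchNNN -p1` in %prep.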
@@ -122,6 +167,13 @@ Requires: %{name}-img = %{epoch}:%{version}-%{release}
 Obsoletes: %{name}-system-ppc
 Obsoletes: %{name}-system-sparc
 
+# Needed for F14->F16+ upgrade
+# https://bugzilla.redhat.com/show_bug.cgi?id=694802
+Obsoletes: openbios-common
+Obsoletes: openbios-ppc
+Obsoletes: openbios-sparc32
+Obsoletes: openbios-sparc64
+
 %define qemudocdir %{_docdir}/%{name}-%{version}
 
 %description
@@ -161,9 +213,9 @@ Group: Development/Tools
 Requires(post): /usr/bin/getent
 Requires(post): /usr/sbin/groupadd
 Requires(post): /usr/sbin/useradd
-Requires(post): /sbin/chkconfig
-Requires(preun): /sbin/service /sbin/chkconfig
-Requires(postun): /sbin/service
+Requires(post): systemd-units
+Requires(preun): systemd-units
+Requires(postun): systemd-units
 %description common
 QEMU is a generic and open source processor emulator which achieves a good
 emulation speed by using dynamic translation.
@@ -211,9 +263,8 @@ fi
 Summary: QEMU user mode emulation of qemu targets
 Group: Development/Tools
 Requires: %{name}-common = %{epoch}:%{version}-%{release}
-Requires(post): /sbin/chkconfig
-Requires(preun): /sbin/service /sbin/chkconfig
-Requires(postun): /sbin/service
+Requires(post): systemd-units
+Requires(postun): systemd-units
 %description user
 QEMU is a generic and open source processor emulator which achieves a good
 emulation speed by using dynamic translation.
@@ -228,6 +279,7 @@ Provides: kvm = 85
 Obsoletes: kvm < 85
 Requires: vgabios >= 0.6c-2
 Requires: seabios-bin >= 0.6.0-2
+Requires: sgabios-bin
 Requires: /usr/share/gpxe/8086100e.rom
 Requires: /usr/share/gpxe/rtl8029.rom
 Requires: /usr/share/gpxe/pcnet32.rom
@@ -345,6 +397,45 @@ such as kvm_stat.
 %patch103 -p1
 %patch104 -p1
 
+%patch200 -p1
+%patch201 -p1
+%patch202 -p1
+%patch203 -p1
+%patch205 -p1
+%patch206 -p1
+%patch207 -p1
+%patch208 -p1
+%patch209 -p1
+%patch210 -p1
+%patch211 -p1
+%patch212 -p1
+%patch213 -p1
+%patch214 -p1
+%patch215 -p1
+%patch216 -p1
+%patch217 -p1
+%patch218 -p1
+%patch219 -p1
+%patch220 -p1
+%patch221 -p1
+%patch222 -p1
+%patch223 -p1
+%patch224 -p1
+%patch225 -p1
+%patch226 -p1
+%patch227 -p1
+%patch228 -p1
+%patch230 -p1
+%patch231 -p1
+%patch236 -p1
+%patch237 -p1
+%patch238 -p1
+%patch239 -p1
+%patch240 -p1
+%patch241 -p1
+%patch242 -p1
+%patch243 -p1
+
 %build
 # By default we build everything, but allow x86 to build a minimal version
 # with only similar arch target support
@@ -498,6 +589,7 @@ ln -s ../vgabios/VGABIOS-lgpl-latest.cirrus.bin %{buildroot}/%{_datadir}/%{name}
 ln -s ../vgabios/VGABIOS-lgpl-latest.qxl.bin %{buildroot}/%{_datadir}/%{name}/vgabios-qxl.bin
 ln -s ../vgabios/VGABIOS-lgpl-latest.stdvga.bin %{buildroot}/%{_datadir}/%{name}/vgabios-stdvga.bin
 ln -s ../vgabios/VGABIOS-lgpl-latest.vmware.bin %{buildroot}/%{_datadir}/%{name}/vgabios-vmware.bin
+ln -s ../sgabios/sgabios.bin %{buildroot}/%{_datadir}/%{name}/sgabios.bin
 ln -s ../seabios/bios.bin %{buildroot}/%{_datadir}/%{name}/bios.bin
 
 mkdir -p $RPM_BUILD_ROOT%{_exec_prefix}/lib/binfmt.d
@@ -540,41 +632,47 @@ rm -rf $RPM_BUILD_ROOT
 %ifarch %{ix86} x86_64
 # load kvm modules now, so we can make sure no reboot is needed.
 # If there's already a kvm module installed, we don't mess with it
-sh %{_sysconfdir}/sysconfig/modules/kvm.modules
+sh %{_sysconfdir}/sysconfig/modules/kvm.modules || :
 %endif
 
 %post common
 if [ $1 -eq 1 ] ; then
-    getent group kvm >/dev/null || groupadd -g 36 -r kvm
-    getent group qemu >/dev/null || groupadd -g 107 -r qemu
-    getent passwd qemu >/dev/null || \
-        useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
-        -c "qemu user" qemu
-
-    /bin/systemctl enable ksm.service
-    /bin/systemctl enable ksmtuned.service
+    # Initial installation
+    /bin/systemctl enable ksm.service >/dev/null 2>&1 || :
+    /bin/systemctl enable ksmtuned.service >/dev/null 2>&1 || :
 fi
 
+getent group kvm >/dev/null || groupadd -g 36 -r kvm
+getent group qemu >/dev/null || groupadd -g 107 -r qemu
+getent passwd qemu >/dev/null || \
+    useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
+    -c "qemu user" qemu
+
 %preun common
-if [ $1 -eq 0 ]; then
-    /bin/systemctl --system stop ksmtuned.service &>/dev/null || :
-    /bin/systemctl --system stop ksm.service &>/dev/null || :
-    /bin/systemctl disable ksmtuned.service
-    /bin/systemctl disable ksm.service
+if [ $1 -eq 0 ] ; then
+    # Package removal, not upgrade
+    /bin/systemctl --no-reload disable ksmtuned.service > /dev/null 2>&1 || :
+    /bin/systemctl --no-reload disable ksm.service > /dev/null 2>&1 || :
+    /bin/systemctl stop ksmtuned.service > /dev/null 2>&1 || :
+    /bin/systemctl stop ksm.service > /dev/null 2>&1 || :
 fi
 
 %postun common
-if [ $1 -ge 1 ]; then
-    /bin/systemctl --system try-restart ksm.service &>/dev/null || :
-    /bin/systemctl --system try-restart ksmtuned.service &>/dev/null || :
+/bin/systemctl daemon-reload >/dev/null 2>&1 || :
+if [ $1 -ge 1 ] ; then
+    # Package upgrade, not uninstall
+    /bin/systemctl try-restart ksmtuned.service >/dev/null 2>&1 || :
+    /bin/systemctl try-restart ksm.service >/dev/null 2>&1 || :
 fi
 
+
 %post user
 /bin/systemctl --system try-restart systemd-binfmt.service &>/dev/null || :
 
 %postun user
 /bin/systemctl --system try-restart systemd-binfmt.service &>/dev/null || :
 
+
 %files
 %defattr(-,root,root)
 
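Review bot: The group/user creation now runs unconditionally at the end of `%post common` and is the scriptlet's last command, so a failure of `groupadd -g 36` or `useradd -u 107` (a pre-existing group or user already holding that id, which is a real possibility with hard-coded ids) returns non-zero from the whole scriptlet and makes every upgrade, not just the first install, fail. Guard the chain the same way the systemctl calls are guarded, e.g. `useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin -c "qemu user" qemu 2>/dev/null || :`, or end the scriptlet with `exit 0`. Presumably some packaged files are owned by the qemu user; if so, creating the account in `%pre` rather than `%post` is the usual convention so the ids exist when the files are laid down — worth confirming against the %files sections.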
@@ -648,6 +746,7 @@ fi
 %{_bindir}/qemu
 %{_bindir}/qemu-system-x86_64
 %{_datadir}/%{name}/bios.bin
+%{_datadir}/%{name}/sgabios.bin
 %{_datadir}/%{name}/linuxboot.bin
 %{_datadir}/%{name}/multiboot.bin
 %{_datadir}/%{name}/mpc8544ds.dtb
@@ -724,6 +823,18 @@ fi
 %{_mandir}/man1/qemu-img.1*
 
 %changelog
+* Sun Jul 29 2012 Cole Robinson <crobinso at redhat.com> - 0.15.1-7
+- Pull patches from 0.15 stable
+- CVE-2012-2652: Possible symlink attacks with -snapshot (bz 825697, bz
+  824919)
+- Fix systemtap tapsets (bz 831763)
+- Fix qmp response race caused by spice server bug (bz 744015)
+- Fix text mode screendumps (bz 819155)
+- Don't renable ksm on update (bz 815156)
+- Fix RPM install error on non-virt machines (bz 660629)
+- Obsolete openbios to fix upgrade dependency issues (bz 694802)
+- Fix sgabios integration (bz 791344)
+
 * Wed Jul 18 2012 Cole Robinson <crobinso at redhat.com> - 0.15.1-6
 - Fix fedora guest hang with virtio console (bz 837925)
 
@@ -734,7 +845,7 @@ fi
 * Mon Jan 30 2012 Justin M. Forbes <jforbes at redhat.com> - 2:0.15.1-4
 - Add vhost-net to kvm.modules
 - Fix USB passthrough assert on packet completion (#769625)
-- 
+
 * Thu Jan  5 2012 Christophe Fergeau <cfergeau at redhat.com> - 2:0.15.1-3.1
 - Backport patches from qemu 1.0 to fix floppy drives (#753863)
 
@@ -749,7 +860,7 @@ fi
 - Require seabios-bin >= 0.6.0-2 (#741992)
 - Replace init scripts with systemd units (#741920)
 - Update to 0.15.1 stable upstream
-  
+
 * Fri Oct 21 2011 Paul Moore <pmoore at redhat.com>
 - Enable full relro and PIE (rhbz #738812)
 

