Merge ~paelzer/ubuntu/+source/qemu:lp-1867519-stabilize-4.2 into ubuntu/+source/qemu:ubuntu/focal-devel

Proposed by Christian Ehrhardt 
Status: Merged
Merge reported by: Christian Ehrhardt 
Merged at revision: 9f5874b0fa11c6738c4629273527d8b216f297e3
Proposed branch: ~paelzer/ubuntu/+source/qemu:lp-1867519-stabilize-4.2
Merge into: ubuntu/+source/qemu:ubuntu/focal-devel
Diff against target: 3765 lines (+3470/-0)
43 files modified
debian/changelog (+21/-0)
debian/patches/lp-1867519-block-nbd-extract-the-common-cleanup-code.patch (+78/-0)
debian/patches/series (+38/-0)
debian/patches/stable/lp-1867519-arm-arm-powerctl-rebuild-hflags-after-setting-CP15-b.patch (+48/-0)
debian/patches/stable/lp-1867519-arm-arm-powerctl-set-NSACR.-CP11-CP10-bits-in-arm_se.patch (+49/-0)
debian/patches/stable/lp-1867519-backup-top-Begin-drain-earlier.patch (+46/-0)
debian/patches/stable/lp-1867519-block-Activate-recursively-even-for-already-active-n.patch (+108/-0)
debian/patches/stable/lp-1867519-block-backup-top-fix-failure-path.patch (+97/-0)
debian/patches/stable/lp-1867519-block-block-copy-fix-progress-calculation.patch (+201/-0)
debian/patches/stable/lp-1867519-block-fix-crash-on-zero-length-unaligned-write-and-r.patch (+107/-0)
debian/patches/stable/lp-1867519-block-io-fix-bdrv_co_do_copy_on_readv.patch (+44/-0)
debian/patches/stable/lp-1867519-block-nbd-fix-memory-leak-in-nbd_open.patch (+76/-0)
debian/patches/stable/lp-1867519-block-qcow2-threads-fix-qcow2_decompress.patch (+79/-0)
debian/patches/stable/lp-1867519-hw-i386-pc-fix-regression-in-parsing-vga-cmdline-par.patch (+58/-0)
debian/patches/stable/lp-1867519-intel_iommu-a-fix-to-vtd_find_as_from_bus_num.patch (+44/-0)
debian/patches/stable/lp-1867519-intel_iommu-add-present-bit-check-for-pasid-table-en.patch (+202/-0)
debian/patches/stable/lp-1867519-iotests-add-test-for-backup-top-failure-on-permissio.patch (+138/-0)
debian/patches/stable/lp-1867519-job-refactor-progress-to-separate-object.patch (+230/-0)
debian/patches/stable/lp-1867519-plugins-core-add-missing-break-in-cb_to_tcg_flags.patch (+41/-0)
debian/patches/stable/lp-1867519-qcow2-Fix-alloc_cluster_abort-for-pre-existing-clust.patch (+39/-0)
debian/patches/stable/lp-1867519-qcow2-Fix-qcow2_alloc_cluster_abort-for-external-dat.patch (+44/-0)
debian/patches/stable/lp-1867519-qcow2-bitmaps-fix-qcow2_can_store_new_dirty_bitmap.patch (+102/-0)
debian/patches/stable/lp-1867519-qemu-img-Fix-convert-n-B-for-backing-less-targets.patch (+54/-0)
debian/patches/stable/lp-1867519-s390-sclp-improve-special-wait-psw-logic.patch (+40/-0)
debian/patches/stable/lp-1867519-target-arm-Return-correct-IL-bit-in-merge_syn_data_a.patch (+46/-0)
debian/patches/stable/lp-1867519-target-arm-Set-ISSIs16Bit-in-make_issinfo.patch (+42/-0)
debian/patches/stable/lp-1867519-target-arm-arm-semi-fix-SYS_OPEN-to-return-nonzero-f.patch (+79/-0)
debian/patches/stable/lp-1867519-target-arm-ensure-we-use-current-exception-state-aft.patch (+127/-0)
debian/patches/stable/lp-1867519-target-i386-kvm-initialize-feature-MSRs-very-early.patch (+169/-0)
debian/patches/stable/lp-1867519-tcg-save-vaddr-temp-for-plugin-usage.patch (+98/-0)
debian/patches/stable/lp-1867519-tpm-ppi-page-align-PPI-RAM.patch (+47/-0)
debian/patches/stable/lp-1867519-vfio-pci-Don-t-remove-irqchip-notifier-if-not-regist.patch (+50/-0)
debian/patches/stable/lp-1867519-virtio-gracefully-handle-invalid-region-caches.patch (+331/-0)
debian/patches/stable/lp-1867519-virtio-mmio-update-queue-size-on-guest-write.patch (+40/-0)
debian/patches/stable/lp-1867519-virtio-net-delete-also-control-queue-when-TX-RX-dele.patch (+41/-0)
debian/patches/stable/lp-1867519-virtio-update-queue-size-on-guest-write.patch (+40/-0)
debian/patches/ubuntu/lp-1847361-modules-load-upgrade.patch (+125/-0)
debian/patches/ubuntu/lp-1847361-vhost-correctly-turn-on-VIRTIO_F_IOMMU_PLATFORM.patch (+61/-0)
debian/qemu-block-extra.postrm.in (+43/-0)
debian/qemu-block-extra.prerm.in (+45/-0)
debian/qemu-system-gui.postrm.in (+44/-0)
debian/qemu-system-gui.prerm.in (+46/-0)
debian/rules (+12/-0)
Reviewer Review Type Date Requested Status
Andreas Hasenack Approve
Canonical Server Pending
git-ubuntu developers Pending
Review via email: mp+380874@code.launchpad.net
Christian Ehrhardt  (paelzer) wrote :

We know qemu had git-ubuntu import errors recently.
Probably it is best to just look at my proposed branch - that has a proper upload/1%4.2-3ubuntu2 in history and this MP is only for the coming upload/1%4.2-3ubuntu3.

Andreas Hasenack (ahasenack) wrote :

Holy 33 patches, batman :)

I wonder if qemu shouldn't do more point releases, more often :)

+1 from a packaging viewpoint, and I don't think this warrants an FFe.

review: Approve
Christian Ehrhardt  (paelzer) wrote :

Thanks I did some quick checks (given it is only minor fixes).
But we accrued enough changes that after the next known big qemu change I'll do a full virt-regression-test again ...

To ssh://git.launchpad.net/~usd-import-team/ubuntu/+source/qemu
 * [new tag] upload/1%4.2-3ubuntu3 -> upload/1%4.2-3ubuntu3

Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading qemu_4.2-3ubuntu3.dsc: done.
  Uploading qemu_4.2-3ubuntu3.debian.tar.xz: done.
  Uploading qemu_4.2-3ubuntu3_source.buildinfo: done.
  Uploading qemu_4.2-3ubuntu3_source.changes: done.
Successfully uploaded packages.

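--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,24 @@
+qemu (1:4.2-3ubuntu3) focal; urgency=medium
+
+ * d/p/stable/lp-1867519-*: Stabilize qemu 4.2 with upstream
+ patches @qemu-stable (LP: #1867519)
+
+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Wed, 18 Mar 2020 13:57:57 +0100
+
+qemu (1:4.2-3ubuntu2) focal; urgency=medium
+
+ * allow qemu to load old modules post upgrade (LP: #1847361)
+ - d/p/ubuntu/lp-1847361-modules-load-upgrade.patch: to fallback module
+ load to a versioned path
+ - d/qemu-block-extra.*.in, d/qemu-system-gui.*.in: save shared objects on
+ upgrade
+ - d/rules: generate maintainer scripts matching package version on build
+ - d/rules: enable --enable-module-upgrades where --enable-modules is set
+ * d/p/ubuntu/lp-1847361-vhost-correctly-turn-on-VIRTIO_F_IOMMU_PLATFORM.patch:
+ avoid unnecessary IOTLB transactions (LP: #1866207)
+
+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 02 Mar 2020 15:21:27 +0100
+
 qemu (1:4.2-3ubuntu1) focal; urgency=medium
 
 * Merge with Debian testing, remaining changes: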
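--- /dev/null
+++ b/debian/patches/lp-1867519-block-nbd-extract-the-common-cleanup-code.patch
@@ -0,0 +1,78 @@
+From 7f493662be4045146a8f45119d8834c9088a0ad6 Mon Sep 17 00:00:00 2001
+From: Pan Nengyuan <pannengyuan@huawei.com>
+Date: Thu, 5 Dec 2019 11:45:27 +0800
+Subject: [PATCH] block/nbd: extract the common cleanup code
+
+The BDRVNBDState cleanup code is common in two places, add
+nbd_clear_bdrvstate() function to do these cleanups.
+
+Suggested-by: Stefano Garzarella <sgarzare@redhat.com>
+Signed-off-by: Pan Nengyuan <pannengyuan@huawei.com>
+Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+Message-Id: <1575517528-44312-2-git-send-email-pannengyuan@huawei.com>
+Reviewed-by: Eric Blake <eblake@redhat.com>
+[eblake: fix compilation error and commit message]
+Signed-off-by: Eric Blake <eblake@redhat.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=7f493662be4045146a8f45119d8834c9088a0ad6
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1867519
+Last-Update: 2020-03-18
+
+---
+ block/nbd.c | 26 +++++++++++++++-----------
+ 1 file changed, 15 insertions(+), 11 deletions(-)
+
+diff --git a/block/nbd.c b/block/nbd.c
+index f69e61e68a..ed0f93ab27 100644
+--- a/block/nbd.c
++++ b/block/nbd.c
+@@ -95,6 +95,19 @@ typedef struct BDRVNBDState {
+
+ static int nbd_client_connect(BlockDriverState *bs, Error **errp);
+
++static void nbd_clear_bdrvstate(BDRVNBDState *s)
++{
++ object_unref(OBJECT(s->tlscreds));
++ qapi_free_SocketAddress(s->saddr);
++ s->saddr = NULL;
++ g_free(s->export);
++ s->export = NULL;
++ g_free(s->tlscredsid);
++ s->tlscredsid = NULL;
++ g_free(s->x_dirty_bitmap);
++ s->x_dirty_bitmap = NULL;
++}
++
+ static void nbd_channel_error(BDRVNBDState *s, int ret)
+ {
+ if (ret == -EIO) {
+@@ -1879,11 +1892,7 @@ static int nbd_process_options(BlockDriverState *bs, QDict *options,
+
+ error:
+ if (ret < 0) {
+- object_unref(OBJECT(s->tlscreds));
+- qapi_free_SocketAddress(s->saddr);
+- g_free(s->export);
+- g_free(s->tlscredsid);
+- g_free(s->x_dirty_bitmap);
++ nbd_clear_bdrvstate(s);
+ }
+ qemu_opts_del(opts);
+ return ret;
+@@ -1962,12 +1971,7 @@ static void nbd_close(BlockDriverState *bs)
+ BDRVNBDState *s = bs->opaque;
+
+ nbd_client_close(bs);
+-
+- object_unref(OBJECT(s->tlscreds));
+- qapi_free_SocketAddress(s->saddr);
+- g_free(s->export);
+- g_free(s->tlscredsid);
+- g_free(s->x_dirty_bitmap);
++ nbd_clear_bdrvstate(s);
+ }
+
+ static int64_t nbd_getlength(BlockDriverState *bs)
+--
+2.25.1
+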
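Review bot: nbd_clear_bdrvstate() releases s->tlscreds with object_unref() but leaves the pointer set, whereas every other field it frees is reset to NULL on the following line; the helper is therefore not safe to call twice on the same BDRVNBDState, and both the nbd_process_options() error path and the nbd_open() leak fix carried later in this series (not visible here) are candidates to call it. A second call would unreference an already-released object through a dangling pointer. Adding `s->tlscreds = NULL;` after the object_unref() would make the helper idempotent like the rest of its body. Since this file is an upstream backport, that adjustment would have to be carried as a separate follow-up patch rather than edited into this one.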
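--- a/debian/patches/series
+++ b/debian/patches/series
@@ -13,3 +13,41 @@ ubuntu/lp-1857033-i386-Add-macro-for-stibp.patch
 ubuntu/lp-1857033-i386-Add-new-CPU-model-Cooperlake.patch
 lp-1859527-virtio-blk-fix-out-of-bounds-access-to-bitmap-in-not.patch
 ubuntu/vhost-user-gpu-Drop-trailing-json-comma.patch
+ubuntu/lp-1847361-modules-load-upgrade.patch
+ubuntu/lp-1847361-vhost-correctly-turn-on-VIRTIO_F_IOMMU_PLATFORM.patch
+
+# stabilize 4.2 with patches sent to qemu-stable since 4.2 released
+stable/lp-1867519-arm-arm-powerctl-set-NSACR.-CP11-CP10-bits-in-arm_se.patch
+stable/lp-1867519-target-arm-ensure-we-use-current-exception-state-aft.patch
+stable/lp-1867519-block-Activate-recursively-even-for-already-active-n.patch
+stable/lp-1867519-arm-arm-powerctl-rebuild-hflags-after-setting-CP15-b.patch
+stable/lp-1867519-virtio-update-queue-size-on-guest-write.patch
+stable/lp-1867519-qcow2-bitmaps-fix-qcow2_can_store_new_dirty_bitmap.patch
+stable/lp-1867519-backup-top-Begin-drain-earlier.patch
+stable/lp-1867519-virtio-mmio-update-queue-size-on-guest-write.patch
+stable/lp-1867519-virtio-net-delete-also-control-queue-when-TX-RX-dele.patch
+stable/lp-1867519-intel_iommu-a-fix-to-vtd_find_as_from_bus_num.patch
+stable/lp-1867519-intel_iommu-add-present-bit-check-for-pasid-table-en.patch
+stable/lp-1867519-vfio-pci-Don-t-remove-irqchip-notifier-if-not-regist.patch
+stable/lp-1867519-hw-i386-pc-fix-regression-in-parsing-vga-cmdline-par.patch
+stable/lp-1867519-target-arm-arm-semi-fix-SYS_OPEN-to-return-nonzero-f.patch
+stable/lp-1867519-target-arm-Return-correct-IL-bit-in-merge_syn_data_a.patch
+stable/lp-1867519-target-arm-Set-ISSIs16Bit-in-make_issinfo.patch
+stable/lp-1867519-target-i386-kvm-initialize-feature-MSRs-very-early.patch
+stable/lp-1867519-tpm-ppi-page-align-PPI-RAM.patch
+stable/lp-1867519-block-backup-top-fix-failure-path.patch
+stable/lp-1867519-iotests-add-test-for-backup-top-failure-on-permissio.patch
+stable/lp-1867519-block-fix-crash-on-zero-length-unaligned-write-and-r.patch
+stable/lp-1867519-qemu-img-Fix-convert-n-B-for-backing-less-targets.patch
+stable/lp-1867519-plugins-core-add-missing-break-in-cb_to_tcg_flags.patch
+stable/lp-1867519-tcg-save-vaddr-temp-for-plugin-usage.patch
+stable/lp-1867519-s390-sclp-improve-special-wait-psw-logic.patch
+stable/lp-1867519-block-nbd-fix-memory-leak-in-nbd_open.patch
+stable/lp-1867519-virtio-gracefully-handle-invalid-region-caches.patch
+stable/lp-1867519-qcow2-Fix-qcow2_alloc_cluster_abort-for-external-dat.patch
+stable/lp-1867519-qcow2-Fix-alloc_cluster_abort-for-pre-existing-clust.patch
+stable/lp-1867519-block-qcow2-threads-fix-qcow2_decompress.patch
+stable/lp-1867519-job-refactor-progress-to-separate-object.patch
+stable/lp-1867519-block-block-copy-fix-progress-calculation.patch
+stable/lp-1867519-block-io-fix-bdrv_co_do_copy_on_readv.patch
+lp-1867519-block-nbd-extract-the-common-cleanup-code.patch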
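Review bot: The last entry, `lp-1867519-block-nbd-extract-the-common-cleanup-code.patch`, is the only lp-1867519 backport placed at the root of debian/patches and appended after the `stable/` run, while the changelog entry for this upload describes the whole set as `d/p/stable/lp-1867519-*`, so that entry no longer accounts for every file added. Moving the patch under `stable/` and listing it alongside the others would keep the changelog accurate and the layout consistent. It also introduces nbd_clear_bdrvstate(), which `stable/lp-1867519-block-nbd-fix-memory-leak-in-nbd_open.patch` (listed eight entries earlier; its contents are not visible here) presumably builds on; if so, the extract patch belongs before the leak fix so the series applies and reads in dependency order.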
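--- /dev/null
+++ b/debian/patches/stable/lp-1867519-arm-arm-powerctl-rebuild-hflags-after-setting-CP15-b.patch
@@ -0,0 +1,48 @@
+From c8fa6079eb35888587f1be27c1590da4edcc5098 Mon Sep 17 00:00:00 2001
+From: Niek Linnenbank <nieklinnenbank@gmail.com>
+Date: Fri, 20 Dec 2019 14:03:00 +0000
+Subject: [PATCH] arm/arm-powerctl: rebuild hflags after setting CP15 bits in
+ arm_set_cpu_on()
+
+After setting CP15 bits in arm_set_cpu_on() the cached hflags must
+be rebuild to reflect the changed processor state. Without rebuilding,
+the cached hflags would be inconsistent until the next call to
+arm_rebuild_hflags(). When QEMU is compiled with debugging enabled
+(--enable-debug), this problem is captured shortly after the first
+call to arm_set_cpu_on() for CPUs running in ARM 32-bit non-secure mode:
+
+ qemu-system-arm: target/arm/helper.c:11359: cpu_get_tb_cpu_state:
+ Assertion `flags == rebuild_hflags_internal(env)' failed.
+ Aborted (core dumped)
+
+Fixes: 0c7f8c43daf65
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Niek Linnenbank <nieklinnenbank@gmail.com>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=c8fa6079eb35888587f1be27c1590da4edcc5098
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1867519
+Last-Update: 2020-03-18
+
+---
+ target/arm/arm-powerctl.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/target/arm/arm-powerctl.c b/target/arm/arm-powerctl.c
+index b064513d44..b75f813b40 100644
+--- a/target/arm/arm-powerctl.c
++++ b/target/arm/arm-powerctl.c
+@@ -127,6 +127,9 @@ static void arm_set_cpu_on_async_work(CPUState *target_cpu_state,
+ target_cpu->env.regs[0] = info->context_id;
+ }
+
++ /* CP15 update requires rebuilding hflags */
++ arm_rebuild_hflags(&target_cpu->env);
++
+ /* Start the new CPU at the requested address */
+ cpu_set_pc(target_cpu_state, info->entry);
+
+--
+2.25.1
+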
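--- /dev/null
+++ b/debian/patches/stable/lp-1867519-arm-arm-powerctl-set-NSACR.-CP11-CP10-bits-in-arm_se.patch
@@ -0,0 +1,49 @@
+From 0c7f8c43daf6556078e51de98aa13f069e505985 Mon Sep 17 00:00:00 2001
+From: Niek Linnenbank <nieklinnenbank@gmail.com>
+Date: Mon, 2 Dec 2019 22:09:43 +0100
+Subject: [PATCH] arm/arm-powerctl: set NSACR.{CP11, CP10} bits in
+ arm_set_cpu_on()
+
+This change ensures that the FPU can be accessed in Non-Secure mode
+when the CPU core is reset using the arm_set_cpu_on() function call.
+The NSACR.{CP11,CP10} bits define the exception level required to
+access the FPU in Non-Secure mode. Without these bits set, the CPU
+will give an undefined exception trap on the first FPU access for the
+secondary cores under Linux.
+
+This is necessary because in this power-control codepath QEMU
+is effectively emulating a bit of EL3 firmware, and has to set
+the CPU up as the EL3 firmware would.
+
+Fixes: fc1120a7f5
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Niek Linnenbank <nieklinnenbank@gmail.com>
+[PMM: added clarifying para to commit message]
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=0c7f8c43daf6556078e51de98aa13f069e505985
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1867519
+Last-Update: 2020-03-18
+
+---
+ target/arm/arm-powerctl.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/target/arm/arm-powerctl.c b/target/arm/arm-powerctl.c
+index f77a950db6..b064513d44 100644
+--- a/target/arm/arm-powerctl.c
++++ b/target/arm/arm-powerctl.c
+@@ -104,6 +104,9 @@ static void arm_set_cpu_on_async_work(CPUState *target_cpu_state,
+ /* Processor is not in secure mode */
+ target_cpu->env.cp15.scr_el3 |= SCR_NS;
+
++ /* Set NSACR.{CP11,CP10} so NS can access the FPU */
++ target_cpu->env.cp15.nsacr |= 3 << 10;
++
+ /*
+ * If QEMU is providing the equivalent of EL3 firmware, then we need
+ * to make sure a CPU targeting EL2 comes out of reset with a
+--
+2.25.1
+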
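--- /dev/null
+++ b/debian/patches/stable/lp-1867519-backup-top-Begin-drain-earlier.patch
@@ -0,0 +1,46 @@
+From 503ca1262bab2c11c533a4816d1ff4297d4f58a6 Mon Sep 17 00:00:00 2001
+From: Max Reitz <mreitz@redhat.com>
+Date: Thu, 19 Dec 2019 19:26:38 +0100
+Subject: [PATCH] backup-top: Begin drain earlier
+
+When dropping backup-top, we need to drain the node before freeing the
+BlockCopyState. Otherwise, requests may still be in flight and then the
+assertion in shres_destroy() will fail.
+
+(This becomes visible in intermittent failure of 056.)
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+Message-id: 20191219182638.104621-1-mreitz@redhat.com
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=503ca1262bab2c11c533a4816d1ff4297d4f58a6
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1867519
+Last-Update: 2020-03-18
+
+---
+ block/backup-top.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/block/backup-top.c b/block/backup-top.c
+index 7cdb1f8eba..818d3f26b4 100644
+--- a/block/backup-top.c
++++ b/block/backup-top.c
+@@ -257,12 +257,12 @@ void bdrv_backup_top_drop(BlockDriverState *bs)
+ BDRVBackupTopState *s = bs->opaque;
+ AioContext *aio_context = bdrv_get_aio_context(bs);
+
+- block_copy_state_free(s->bcs);
+-
+ aio_context_acquire(aio_context);
+
+ bdrv_drained_begin(bs);
+
++ block_copy_state_free(s->bcs);
++
+ s->active = false;
+ bdrv_child_refresh_perms(bs, bs->backing, &error_abort);
+ bdrv_replace_node(bs, backing_bs(bs), &error_abort);
+--
+2.25.1
+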
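--- /dev/null
+++ b/debian/patches/stable/lp-1867519-block-Activate-recursively-even-for-already-active-n.patch
@@ -0,0 +1,108 @@
+From 7bb4941ace471fc7dd6ded4749b95b9622baa6ed Mon Sep 17 00:00:00 2001
+From: Kevin Wolf <kwolf@redhat.com>
+Date: Tue, 17 Dec 2019 15:06:38 +0100
+Subject: [PATCH] block: Activate recursively even for already active nodes
+
+bdrv_invalidate_cache_all() assumes that all nodes in a given subtree
+are either active or inactive when it starts. Therefore, as soon as it
+arrives at an already active node, it stops.
+
+However, this assumption is wrong. For example, it's possible to take a
+snapshot of an inactive node, which results in an active overlay over an
+inactive backing file. The active overlay is probably also the root node
+of an inactive BlockBackend (blk->disable_perm == true).
+
+In this case, bdrv_invalidate_cache_all() does not need to do anything
+to activate the overlay node, but it still needs to recurse into the
+children and the parents to make sure that after returning success,
+really everything is activated.
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+Reviewed-by: Max Reitz <mreitz@redhat.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=7bb4941ace471fc7dd6ded4749b95b9622baa6ed
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1867519
+Last-Update: 2020-03-18
+
+---
+ block.c | 50 ++++++++++++++++++++++++--------------------------
+ 1 file changed, 24 insertions(+), 26 deletions(-)
+
+diff --git a/block.c b/block.c
+index 73029fad64..1b6f7c86e8 100644
+--- a/block.c
++++ b/block.c
+@@ -5335,10 +5335,6 @@ static void coroutine_fn bdrv_co_invalidate_cache(BlockDriverState *bs,
+ return;
+ }
+
+- if (!(bs->open_flags & BDRV_O_INACTIVE)) {
+- return;
+- }
+-
+ QLIST_FOREACH(child, &bs->children, next) {
+ bdrv_co_invalidate_cache(child->bs, &local_err);
+ if (local_err) {
+@@ -5360,34 +5356,36 @@ static void coroutine_fn bdrv_co_invalidate_cache(BlockDriverState *bs,
+ * just keep the extended permissions for the next time that an activation
+ * of the image is tried.
+ */
+- bs->open_flags &= ~BDRV_O_INACTIVE;
+- bdrv_get_cumulative_perm(bs, &perm, &shared_perm);
+- ret = bdrv_check_perm(bs, NULL, perm, shared_perm, NULL, NULL, &local_err);
+- if (ret < 0) {
+- bs->open_flags |= BDRV_O_INACTIVE;
+- error_propagate(errp, local_err);
+- return;
+- }
+- bdrv_set_perm(bs, perm, shared_perm);
+-
+- if (bs->drv->bdrv_co_invalidate_cache) {
+- bs->drv->bdrv_co_invalidate_cache(bs, &local_err);
+- if (local_err) {
++ if (bs->open_flags & BDRV_O_INACTIVE) {
++ bs->open_flags &= ~BDRV_O_INACTIVE;
++ bdrv_get_cumulative_perm(bs, &perm, &shared_perm);
++ ret = bdrv_check_perm(bs, NULL, perm, shared_perm, NULL, NULL, &local_err);
++ if (ret < 0) {
+ bs->open_flags |= BDRV_O_INACTIVE;
+ error_propagate(errp, local_err);
+ return;
+ }
+- }
++ bdrv_set_perm(bs, perm, shared_perm);
+
+- FOR_EACH_DIRTY_BITMAP(bs, bm) {
+- bdrv_dirty_bitmap_skip_store(bm, false);
+- }
++ if (bs->drv->bdrv_co_invalidate_cache) {
++ bs->drv->bdrv_co_invalidate_cache(bs, &local_err);
++ if (local_err) {
++ bs->open_flags |= BDRV_O_INACTIVE;
++ error_propagate(errp, local_err);
++ return;
++ }
++ }
+
+- ret = refresh_total_sectors(bs, bs->total_sectors);
+- if (ret < 0) {
+- bs->open_flags |= BDRV_O_INACTIVE;
+- error_setg_errno(errp, -ret, "Could not refresh total sector count");
+- return;
++ FOR_EACH_DIRTY_BITMAP(bs, bm) {
++ bdrv_dirty_bitmap_skip_store(bm, false);
++ }
++
++ ret = refresh_total_sectors(bs, bs->total_sectors);
++ if (ret < 0) {
++ bs->open_flags |= BDRV_O_INACTIVE;
++ error_setg_errno(errp, -ret, "Could not refresh total sector count");
++ return;
++ }
+ }
+
+ QLIST_FOREACH(parent, &bs->parents, next_parent) {
+--
+2.25.1
+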
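--- /dev/null
+++ b/debian/patches/stable/lp-1867519-block-backup-top-fix-failure-path.patch
@@ -0,0 +1,97 @@
+From 0df62f45c1de6c020f1e6fba4eeafd248209b003 Mon Sep 17 00:00:00 2001
+From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+Date: Tue, 21 Jan 2020 17:28:01 +0300
+Subject: [PATCH] block/backup-top: fix failure path
+
+We can't access top after call bdrv_backup_top_drop, as it is already
+freed at this time.
+
+Also, no needs to unref target child by hand, it will be unrefed on
+bdrv_close() automatically.
+
+So, just do bdrv_backup_top_drop if append succeed and one bdrv_unref
+otherwise.
+
+Note, that in !appended case bdrv_unref(top) moved into drained section
+on source. It doesn't really matter, but just for code simplicity.
+
+Fixes: 7df7868b96404
+Cc: qemu-stable@nongnu.org # v4.2.0
+Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+Reviewed-by: Max Reitz <mreitz@redhat.com>
+Message-id: 20200121142802.21467-2-vsementsov@virtuozzo.com
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=0df62f45c1de6c020f1e6fba4eeafd248209b003
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1867519
+Last-Update: 2020-03-18
+
+---
+ block/backup-top.c | 21 ++++++++++++---------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+diff --git a/block/backup-top.c b/block/backup-top.c
+index 9aed2eb4c0..fa78f3256d 100644
+--- a/block/backup-top.c
++++ b/block/backup-top.c
+@@ -190,6 +190,7 @@ BlockDriverState *bdrv_backup_top_append(BlockDriverState *source,
+ BlockDriverState *top = bdrv_new_open_driver(&bdrv_backup_top_filter,
+ filter_node_name,
+ BDRV_O_RDWR, errp);
++ bool appended = false;
+
+ if (!top) {
+ return NULL;
+@@ -212,8 +213,9 @@ BlockDriverState *bdrv_backup_top_append(BlockDriverState *source,
+ bdrv_append(top, source, &local_err);
+ if (local_err) {
+ error_prepend(&local_err, "Cannot append backup-top filter: ");
+- goto append_failed;
++ goto fail;
+ }
++ appended = true;
+
+ /*
+ * bdrv_append() finished successfully, now we can require permissions
+@@ -224,14 +226,14 @@ BlockDriverState *bdrv_backup_top_append(BlockDriverState *source,
+ if (local_err) {
+ error_prepend(&local_err,
+ "Cannot set permissions for backup-top filter: ");
+- goto failed_after_append;
++ goto fail;
+ }
+
+ state->bcs = block_copy_state_new(top->backing, state->target,
+ cluster_size, write_flags, &local_err);
+ if (local_err) {
+ error_prepend(&local_err, "Cannot create block-copy-state: ");
+- goto failed_after_append;
++ goto fail;
+ }
+ *bcs = state->bcs;
+
+@@ -239,14 +241,15 @@ BlockDriverState *bdrv_backup_top_append(BlockDriverState *source,
+
+ return top;
+
+-failed_after_append:
+- state->active = false;
+- bdrv_backup_top_drop(top);
++fail:
++ if (appended) {
++ state->active = false;
++ bdrv_backup_top_drop(top);
++ } else {
++ bdrv_unref(top);
++ }
+
+-append_failed:
+ bdrv_drained_end(source);
+- bdrv_unref_child(top, state->target);
+- bdrv_unref(top);
+ error_propagate(errp, local_err);
+
+ return NULL;
+--
+2.25.1
+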
538diff --git a/debian/patches/stable/lp-1867519-block-block-copy-fix-progress-calculation.patch b/debian/patches/stable/lp-1867519-block-block-copy-fix-progress-calculation.patch
539new file mode 100644
540index 0000000..6eb7652
541--- /dev/null
542+++ b/debian/patches/stable/lp-1867519-block-block-copy-fix-progress-calculation.patch
543@@ -0,0 +1,201 @@
544+From d0ebeca14a585f352938062ef8ddde47fe4d39f9 Mon Sep 17 00:00:00 2001
545+From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
546+Date: Wed, 11 Mar 2020 13:29:57 +0300
547+Subject: [PATCH] block/block-copy: fix progress calculation
548+
549+Assume we have two regions, A and B, and region B is in-flight now,
550+region A is not yet touched, but it is unallocated and should be
551+skipped.
552+
553+Correspondingly, as progress we have
554+
555+ total = A + B
556+ current = 0
557+
558+If we reset unallocated region A and call progress_reset_callback,
559+it will calculate 0 bytes dirty in the bitmap and call
560+job_progress_set_remaining, which will set
561+
562+ total = current + 0 = 0 + 0 = 0
563+
564+So, B bytes are actually removed from total accounting. When job
565+finishes we'll have
566+
567+ total = 0
568+ current = B
569+
570+, which doesn't sound good.
571+
572+This is because we didn't considered in-flight bytes, actually when
573+calculating remaining, we should have set (in_flight + dirty_bytes)
574+as remaining, not only dirty_bytes.
575+
576+To fix it, let's refactor progress calculation, moving it to block-copy
577+itself instead of fixing callback. And, of course, track in_flight
578+bytes count.
579+
580+We still have to keep one callback, to maintain backup job bytes_read
581+calculation, but it will go on soon, when we turn the whole backup
582+process into one block_copy call.
583+
584+Cc: qemu-stable@nongnu.org
585+Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
586+Reviewed-by: Andrey Shinkevich <andrey.shinkevich@virtuozzo.com>
587+Message-Id: <20200311103004.7649-3-vsementsov@virtuozzo.com>
588+Signed-off-by: Max Reitz <mreitz@redhat.com>
589+
590+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=d0ebeca14a585f352938062ef8ddde47fe4d39f9
591+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1867519
592+Last-Update: 2020-03-18
593+
594+---
595+ block/backup.c | 13 ++-----------
596+ block/block-copy.c | 16 ++++++++++++----
597+ include/block/block-copy.h | 15 +++++----------
598+ 3 files changed, 19 insertions(+), 25 deletions(-)
599+
600+diff --git a/block/backup.c b/block/backup.c
601+index 1383e219f5..8694e0394b 100644
602+--- a/block/backup.c
603++++ b/block/backup.c
604+@@ -57,15 +57,6 @@ static void backup_progress_bytes_callback(int64_t bytes, void *opaque)
605+ BackupBlockJob *s = opaque;
606+
607+ s->bytes_read += bytes;
608+- job_progress_update(&s->common.job, bytes);
609+-}
610+-
611+-static void backup_progress_reset_callback(void *opaque)
612+-{
613+- BackupBlockJob *s = opaque;
614+- uint64_t estimate = bdrv_get_dirty_count(s->bcs->copy_bitmap);
615+-
616+- job_progress_set_remaining(&s->common.job, estimate);
617+ }
618+
619+ static int coroutine_fn backup_do_cow(BackupBlockJob *job,
620+@@ -464,8 +455,8 @@ BlockJob *backup_job_create(const char *job_id, BlockDriverState *bs,
621+ job->cluster_size = cluster_size;
622+ job->len = len;
623+
624+- block_copy_set_callbacks(bcs, backup_progress_bytes_callback,
625+- backup_progress_reset_callback, job);
626++ block_copy_set_progress_callback(bcs, backup_progress_bytes_callback, job);
627++ block_copy_set_progress_meter(bcs, &job->common.job.progress);
628+
629+ /* Required permissions are already taken by backup-top target */
630+ block_job_add_bdrv(&job->common, "target", target, 0, BLK_PERM_ALL,
631+diff --git a/block/block-copy.c b/block/block-copy.c
632+index 79798a1567..e2d7b3b887 100644
633+--- a/block/block-copy.c
634++++ b/block/block-copy.c
635+@@ -127,17 +127,20 @@ BlockCopyState *block_copy_state_new(BdrvChild *source, BdrvChild *target,
636+ return s;
637+ }
638+
639+-void block_copy_set_callbacks(
640++void block_copy_set_progress_callback(
641+ BlockCopyState *s,
642+ ProgressBytesCallbackFunc progress_bytes_callback,
643+- ProgressResetCallbackFunc progress_reset_callback,
644+ void *progress_opaque)
645+ {
646+ s->progress_bytes_callback = progress_bytes_callback;
647+- s->progress_reset_callback = progress_reset_callback;
648+ s->progress_opaque = progress_opaque;
649+ }
650+
651++void block_copy_set_progress_meter(BlockCopyState *s, ProgressMeter *pm)
652++{
653++ s->progress = pm;
654++}
655++
656+ /*
657+ * block_copy_do_copy
658+ *
659+@@ -269,7 +272,9 @@ int64_t block_copy_reset_unallocated(BlockCopyState *s,
660+
661+ if (!ret) {
662+ bdrv_reset_dirty_bitmap(s->copy_bitmap, offset, bytes);
663+- s->progress_reset_callback(s->progress_opaque);
664++ progress_set_remaining(s->progress,
665++ bdrv_get_dirty_count(s->copy_bitmap) +
666++ s->in_flight_bytes);
667+ }
668+
669+ *count = bytes;
670+@@ -331,15 +336,18 @@ int coroutine_fn block_copy(BlockCopyState *s,
671+ trace_block_copy_process(s, start);
672+
673+ bdrv_reset_dirty_bitmap(s->copy_bitmap, start, chunk_end - start);
674++ s->in_flight_bytes += chunk_end - start;
675+
676+ co_get_from_shres(s->mem, chunk_end - start);
677+ ret = block_copy_do_copy(s, start, chunk_end, error_is_read);
678+ co_put_to_shres(s->mem, chunk_end - start);
679++ s->in_flight_bytes -= chunk_end - start;
680+ if (ret < 0) {
681+ bdrv_set_dirty_bitmap(s->copy_bitmap, start, chunk_end - start);
682+ break;
683+ }
684+
685++ progress_work_done(s->progress, chunk_end - start);
686+ s->progress_bytes_callback(chunk_end - start, s->progress_opaque);
687+ start = chunk_end;
688+ ret = 0;
689+diff --git a/include/block/block-copy.h b/include/block/block-copy.h
690+index 0a161724d7..9def00068c 100644
691+--- a/include/block/block-copy.h
692++++ b/include/block/block-copy.h
693+@@ -26,7 +26,6 @@ typedef struct BlockCopyInFlightReq {
694+ } BlockCopyInFlightReq;
695+
696+ typedef void (*ProgressBytesCallbackFunc)(int64_t bytes, void *opaque);
697+-typedef void (*ProgressResetCallbackFunc)(void *opaque);
698+ typedef struct BlockCopyState {
699+ /*
700+ * BdrvChild objects are not owned or managed by block-copy. They are
701+@@ -36,6 +35,7 @@ typedef struct BlockCopyState {
702+ BdrvChild *source;
703+ BdrvChild *target;
704+ BdrvDirtyBitmap *copy_bitmap;
705++ int64_t in_flight_bytes;
706+ int64_t cluster_size;
707+ bool use_copy_range;
708+ int64_t copy_size;
709+@@ -60,15 +60,9 @@ typedef struct BlockCopyState {
710+ */
711+ bool skip_unallocated;
712+
713++ ProgressMeter *progress;
714+ /* progress_bytes_callback: called when some copying progress is done. */
715+ ProgressBytesCallbackFunc progress_bytes_callback;
716+-
717+- /*
718+- * progress_reset_callback: called when some bytes reset from copy_bitmap
719+- * (see @skip_unallocated above). The callee is assumed to recalculate how
720+- * many bytes remain based on the dirty bit count of copy_bitmap.
721+- */
722+- ProgressResetCallbackFunc progress_reset_callback;
723+ void *progress_opaque;
724+
725+ SharedResource *mem;
726+@@ -79,12 +73,13 @@ BlockCopyState *block_copy_state_new(BdrvChild *source, BdrvChild *target,
727+ BdrvRequestFlags write_flags,
728+ Error **errp);
729+
730+-void block_copy_set_callbacks(
731++void block_copy_set_progress_callback(
732+ BlockCopyState *s,
733+ ProgressBytesCallbackFunc progress_bytes_callback,
734+- ProgressResetCallbackFunc progress_reset_callback,
735+ void *progress_opaque);
736+
737++void block_copy_set_progress_meter(BlockCopyState *s, ProgressMeter *pm);
738++
739+ void block_copy_state_free(BlockCopyState *s);
740+
741+ int64_t block_copy_reset_unallocated(BlockCopyState *s,
742+--
743+2.25.1
744+
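diff --git a/debian/patches/stable/lp-1867519-block-fix-crash-on-zero-length-unaligned-write-and-r.patch b/debian/patches/stable/lp-1867519-block-fix-crash-on-zero-length-unaligned-write-and-r.patch
new file mode 100644
index 0000000..a84fdd7
--- /dev/null
+++ b/debian/patches/stable/lp-1867519-block-fix-crash-on-zero-length-unaligned-write-and-r.patch
@@ -0,0 +1,107 @@
+From ac9d00bf7b47acae6b0e42910d9ed55fef3af5b8 Mon Sep 17 00:00:00 2001
+From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+Date: Thu, 6 Feb 2020 19:42:45 +0300
+Subject: [PATCH] block: fix crash on zero-length unaligned write and read
+
+Commit 7a3f542fbd "block/io: refactor padding" occasionally dropped
+aligning for zero-length request: bdrv_init_padding() blindly return
+false if bytes == 0, like there is nothing to align.
+
+This leads the following command to crash:
+
+./qemu-io --image-opts -c 'write 1 0' \
+ driver=blkdebug,align=512,image.driver=null-co,image.size=512
+
+>> qemu-io: block/io.c:1955: bdrv_aligned_pwritev: Assertion
+ `(offset & (align - 1)) == 0' failed.
+>> Aborted (core dumped)
+
+Prior to 7a3f542fbd we does aligning of such zero requests. Instead of
+recovering this behavior let's just do nothing on such requests as it
+is useless.
+
+Note that driver may have special meaning of zero-length reqeusts, like
+qcow2_co_pwritev_compressed_part, so we can't skip any zero-length
+operation. But for unaligned ones, we can't pass it to driver anyway.
+
+This commit also fixes crash in iotest 80 running with -nocache:
+
+./check -nocache -qcow2 80
+
+which crashes on same assertion due to trying to read empty extra data
+in qcow2_do_read_snapshots().
+
+Cc: qemu-stable@nongnu.org # v4.2
+Fixes: 7a3f542fbd
+Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+Reviewed-by: Max Reitz <mreitz@redhat.com>
+Message-id: 20200206164245.17781-1-vsementsov@virtuozzo.com
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=ac9d00bf7b47acae6b0e42910d9ed55fef3af5b8
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1867519
+Last-Update: 2020-03-18
+
+---
+ block/io.c | 28 +++++++++++++++++++++++++++-
+ 1 file changed, 27 insertions(+), 1 deletion(-)
+
+diff --git a/block/io.c b/block/io.c
+index 1eb2b2bddc..7e4cb74cf4 100644
+--- a/block/io.c
++++ b/block/io.c
+@@ -1565,10 +1565,12 @@ static bool bdrv_init_padding(BlockDriverState *bs,
+ pad->tail = align - pad->tail;
+ }
+
+- if ((!pad->head && !pad->tail) || !bytes) {
++ if (!pad->head && !pad->tail) {
+ return false;
+ }
+
++ assert(bytes); /* Nothing good in aligning zero-length requests */
++
+ sum = pad->head + bytes + pad->tail;
+ pad->buf_len = (sum > align && pad->head && pad->tail) ? 2 * align : align;
+ pad->buf = qemu_blockalign(bs, pad->buf_len);
+@@ -1706,6 +1708,18 @@ int coroutine_fn bdrv_co_preadv_part(BdrvChild *child,
+ return ret;
+ }
+
++ if (bytes == 0 && !QEMU_IS_ALIGNED(offset, bs->bl.request_alignment)) {
++ /*
++ * Aligning zero request is nonsense. Even if driver has special meaning
++ * of zero-length (like qcow2_co_pwritev_compressed_part), we can't pass
++ * it to driver due to request_alignment.
++ *
++ * Still, no reason to return an error if someone do unaligned
++ * zero-length read occasionally.
++ */
++ return 0;
++ }
++
+ bdrv_inc_in_flight(bs);
+
+ /* Don't do copy-on-read if we read data before write operation */
+@@ -2116,6 +2130,18 @@ int coroutine_fn bdrv_co_pwritev_part(BdrvChild *child,
+ return -ENOTSUP;
+ }
+
++ if (bytes == 0 && !QEMU_IS_ALIGNED(offset, bs->bl.request_alignment)) {
++ /*
++ * Aligning zero request is nonsense. Even if driver has special meaning
++ * of zero-length (like qcow2_co_pwritev_compressed_part), we can't pass
++ * it to driver due to request_alignment.
++ *
++ * Still, no reason to return an error if someone do unaligned
++ * zero-length write occasionally.
++ */
++ return 0;
++ }
++
+ bdrv_inc_in_flight(bs);
+ /*
+ * Align write if necessary by performing a read-modify-write cycle.
+--
+2.25.1
+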
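Review bot: The new `assert(bytes)` in bdrv_init_padding turns any remaining zero-length caller that still has head or tail padding into an abort instead of the previous `return false`, so it is only safe if the two early returns added to bdrv_co_preadv_part and bdrv_co_pwritev_part cover every path into it. If another caller in the 4.2 tree can reach bdrv_init_padding with bytes == 0 and an unaligned offset (none is visible in this hunk), such a request would now terminate the process rather than being ignored; worth confirming before the backport lands. All three enclosing functions start and end outside the hunk.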
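diff --git a/debian/patches/stable/lp-1867519-block-io-fix-bdrv_co_do_copy_on_readv.patch b/debian/patches/stable/lp-1867519-block-io-fix-bdrv_co_do_copy_on_readv.patch
new file mode 100644
index 0000000..84335eb
--- /dev/null
+++ b/debian/patches/stable/lp-1867519-block-io-fix-bdrv_co_do_copy_on_readv.patch
@@ -0,0 +1,44 @@
+From 4ab78b19189a81038e744728ed949d09aa477550 Mon Sep 17 00:00:00 2001
+From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+Date: Thu, 12 Mar 2020 11:19:49 +0300
+Subject: [PATCH] block/io: fix bdrv_co_do_copy_on_readv
+
+Prior to 1143ec5ebf4 it was OK to qemu_iovec_from_buf() from aligned-up
+buffer to original qiov, as qemu_iovec_from_buf() will stop at qiov end
+anyway.
+
+But after 1143ec5ebf4 we assume that bdrv_co_do_copy_on_readv works on
+part of original qiov, defined by qiov_offset and bytes. So we must not
+touch qiov behind qiov_offset+bytes bound. Fix it.
+
+Cc: qemu-stable@nongnu.org # v4.2
+Fixes: 1143ec5ebf4
+Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+Reviewed-by: John Snow <jsnow@redhat.com>
+Message-id: 20200312081949.5350-1-vsementsov@virtuozzo.com
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=4ab78b19189a81038e744728ed949d09aa477550
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1867519
+Last-Update: 2020-03-18
+
+---
+ block/io.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/block/io.c b/block/io.c
+index 7e4cb74cf4..aba67f66b9 100644
+--- a/block/io.c
++++ b/block/io.c
+@@ -1399,7 +1399,7 @@ static int coroutine_fn bdrv_co_do_copy_on_readv(BdrvChild *child,
+ if (!(flags & BDRV_REQ_PREFETCH)) {
+ qemu_iovec_from_buf(qiov, qiov_offset + progress,
+ bounce_buffer + skip_bytes,
+- pnum - skip_bytes);
++ MIN(pnum - skip_bytes, bytes - progress));
+ }
+ } else if (!(flags & BDRV_REQ_PREFETCH)) {
+ /* Read directly into the destination */
+--
+2.25.1
+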
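diff --git a/debian/patches/stable/lp-1867519-block-nbd-fix-memory-leak-in-nbd_open.patch b/debian/patches/stable/lp-1867519-block-nbd-fix-memory-leak-in-nbd_open.patch
new file mode 100644
index 0000000..dde008d
--- /dev/null
+++ b/debian/patches/stable/lp-1867519-block-nbd-fix-memory-leak-in-nbd_open.patch
@@ -0,0 +1,76 @@
+From 8198cf5ef0ef98118b4176970d1cd998d93ec849 Mon Sep 17 00:00:00 2001
+From: Pan Nengyuan <pannengyuan@huawei.com>
+Date: Thu, 5 Dec 2019 11:45:28 +0800
+Subject: [PATCH] block/nbd: fix memory leak in nbd_open()
+
+In currently implementation there will be a memory leak when
+nbd_client_connect() returns error status. Here is an easy way to
+reproduce:
+
+1. run qemu-iotests as follow and check the result with asan:
+ ./check -raw 143
+
+Following is the asan output backtrack:
+Direct leak of 40 byte(s) in 1 object(s) allocated from:
+ #0 0x7f629688a560 in calloc (/usr/lib64/libasan.so.3+0xc7560)
+ #1 0x7f6295e7e015 in g_malloc0 (/usr/lib64/libglib-2.0.so.0+0x50015)
+ #2 0x56281dab4642 in qobject_input_start_struct /mnt/sdb/qemu-4.2.0-rc0/qapi/qobject-input-visitor.c:295
+ #3 0x56281dab1a04 in visit_start_struct /mnt/sdb/qemu-4.2.0-rc0/qapi/qapi-visit-core.c:49
+ #4 0x56281dad1827 in visit_type_SocketAddress qapi/qapi-visit-sockets.c:386
+ #5 0x56281da8062f in nbd_config /mnt/sdb/qemu-4.2.0-rc0/block/nbd.c:1716
+ #6 0x56281da8062f in nbd_process_options /mnt/sdb/qemu-4.2.0-rc0/block/nbd.c:1829
+ #7 0x56281da8062f in nbd_open /mnt/sdb/qemu-4.2.0-rc0/block/nbd.c:1873
+
+Direct leak of 15 byte(s) in 1 object(s) allocated from:
+ #0 0x7f629688a3a0 in malloc (/usr/lib64/libasan.so.3+0xc73a0)
+ #1 0x7f6295e7dfbd in g_malloc (/usr/lib64/libglib-2.0.so.0+0x4ffbd)
+ #2 0x7f6295e96ace in g_strdup (/usr/lib64/libglib-2.0.so.0+0x68ace)
+ #3 0x56281da804ac in nbd_process_options /mnt/sdb/qemu-4.2.0-rc0/block/nbd.c:1834
+ #4 0x56281da804ac in nbd_open /mnt/sdb/qemu-4.2.0-rc0/block/nbd.c:1873
+
+Indirect leak of 24 byte(s) in 1 object(s) allocated from:
+ #0 0x7f629688a3a0 in malloc (/usr/lib64/libasan.so.3+0xc73a0)
+ #1 0x7f6295e7dfbd in g_malloc (/usr/lib64/libglib-2.0.so.0+0x4ffbd)
+ #2 0x7f6295e96ace in g_strdup (/usr/lib64/libglib-2.0.so.0+0x68ace)
+ #3 0x56281dab41a3 in qobject_input_type_str_keyval /mnt/sdb/qemu-4.2.0-rc0/qapi/qobject-input-visitor.c:536
+ #4 0x56281dab2ee9 in visit_type_str /mnt/sdb/qemu-4.2.0-rc0/qapi/qapi-visit-core.c:297
+ #5 0x56281dad0fa1 in visit_type_UnixSocketAddress_members qapi/qapi-visit-sockets.c:141
+ #6 0x56281dad17b6 in visit_type_SocketAddress_members qapi/qapi-visit-sockets.c:366
+ #7 0x56281dad186a in visit_type_SocketAddress qapi/qapi-visit-sockets.c:393
+ #8 0x56281da8062f in nbd_config /mnt/sdb/qemu-4.2.0-rc0/block/nbd.c:1716
+ #9 0x56281da8062f in nbd_process_options /mnt/sdb/qemu-4.2.0-rc0/block/nbd.c:1829
+ #10 0x56281da8062f in nbd_open /mnt/sdb/qemu-4.2.0-rc0/block/nbd.c:1873
+
+Fixes: 8f071c9db506e03ab
+Reported-by: Euler Robot <euler.robot@huawei.com>
+Signed-off-by: Pan Nengyuan <pannengyuan@huawei.com>
+Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+Cc: qemu-stable <qemu-stable@nongnu.org>
+Cc: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+Message-Id: <1575517528-44312-3-git-send-email-pannengyuan@huawei.com>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Signed-off-by: Eric Blake <eblake@redhat.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=8198cf5ef0ef98118b4176970d1cd998d93ec849
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1867519
+Last-Update: 2020-03-18
+
+---
+ block/nbd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/block/nbd.c b/block/nbd.c
+index ed0f93ab27..976be76647 100644
+--- a/block/nbd.c
++++ b/block/nbd.c
+@@ -1915,6 +1915,7 @@ static int nbd_open(BlockDriverState *bs, QDict *options, int flags,
+
+ ret = nbd_client_connect(bs, errp);
+ if (ret < 0) {
++ nbd_clear_bdrvstate(s);
+ return ret;
+ }
+ /* successfully connected */
+--
+2.25.1
+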
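Review bot: The added `nbd_clear_bdrvstate(s);` call depends on that helper already being present in block/nbd.c, which in this series presumably comes from debian/patches/lp-1867519-block-nbd-extract-the-common-cleanup-code.patch; the series file has to list that patch before this one, otherwise the backport fails to build rather than merely leaking. The `index ed0f93ab27..976be76647` line suggests the upstream base this was taken from already had it, so the ordering should be checked in debian/patches/series rather than assumed. nbd_open continues outside the hunk, so whether the other error returns in it release the same state is not visible here.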
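diff --git a/debian/patches/stable/lp-1867519-block-qcow2-threads-fix-qcow2_decompress.patch b/debian/patches/stable/lp-1867519-block-qcow2-threads-fix-qcow2_decompress.patch
new file mode 100644
index 0000000..bf4169e
--- /dev/null
+++ b/debian/patches/stable/lp-1867519-block-qcow2-threads-fix-qcow2_decompress.patch
@@ -0,0 +1,79 @@
+From e7266570f2cf7b3ca2a156c677ee0a59d563458b Mon Sep 17 00:00:00 2001
+From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+Date: Mon, 2 Mar 2020 18:09:30 +0300
+Subject: [PATCH] block/qcow2-threads: fix qcow2_decompress
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+On success path we return what inflate() returns instead of 0. And it
+most probably works for Z_STREAM_END as it is positive, but is
+definitely broken for Z_BUF_ERROR.
+
+While being here, switch to errno return code, to be closer to
+qcow2_compress API (and usual expectations).
+
+Revert condition in if to be more positive. Drop dead initialization of
+ret.
+
+Cc: qemu-stable@nongnu.org # v4.0
+Fixes: 341926ab83e2b
+Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+Message-Id: <20200302150930.16218-1-vsementsov@virtuozzo.com>
+Reviewed-by: Alberto Garcia <berto@igalia.com>
+Reviewed-by: Ján Tomko <jtomko@redhat.com>
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=e7266570f2cf7b3ca2a156c677ee0a59d563458b
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1867519
+Last-Update: 2020-03-18
+
+---
+ block/qcow2-threads.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/block/qcow2-threads.c b/block/qcow2-threads.c
+index 77bb578cdf..a68126f291 100644
+--- a/block/qcow2-threads.c
++++ b/block/qcow2-threads.c
+@@ -128,12 +128,12 @@ static ssize_t qcow2_compress(void *dest, size_t dest_size,
+ * @src - source buffer, @src_size bytes
+ *
+ * Returns: 0 on success
+- * -1 on fail
++ * -EIO on fail
+ */
+ static ssize_t qcow2_decompress(void *dest, size_t dest_size,
+ const void *src, size_t src_size)
+ {
+- int ret = 0;
++ int ret;
+ z_stream strm;
+
+ memset(&strm, 0, sizeof(strm));
+@@ -144,17 +144,19 @@ static ssize_t qcow2_decompress(void *dest, size_t dest_size,
+
+ ret = inflateInit2(&strm, -12);
+ if (ret != Z_OK) {
+- return -1;
++ return -EIO;
+ }
+
+ ret = inflate(&strm, Z_FINISH);
+- if ((ret != Z_STREAM_END && ret != Z_BUF_ERROR) || strm.avail_out != 0) {
++ if ((ret == Z_STREAM_END || ret == Z_BUF_ERROR) && strm.avail_out == 0) {
+ /*
+ * We approve Z_BUF_ERROR because we need @dest buffer to be filled, but
+ * @src buffer may be processed partly (because in qcow2 we know size of
+ * compressed data with precision of one sector)
+ */
+- ret = -1;
++ ret = 0;
++ } else {
++ ret = -EIO;
+ }
+
+ inflateEnd(&strm);
+--
+2.25.1
+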
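diff --git a/debian/patches/stable/lp-1867519-hw-i386-pc-fix-regression-in-parsing-vga-cmdline-par.patch b/debian/patches/stable/lp-1867519-hw-i386-pc-fix-regression-in-parsing-vga-cmdline-par.patch
new file mode 100644
index 0000000..c6aa3a3
--- /dev/null
+++ b/debian/patches/stable/lp-1867519-hw-i386-pc-fix-regression-in-parsing-vga-cmdline-par.patch
@@ -0,0 +1,58 @@
+From a88c40f02ace88f09b2a85a64831b277b2ebc88c Mon Sep 17 00:00:00 2001
+From: Peter Wu <peter@lekensteyn.nl>
+Date: Sat, 21 Dec 2019 17:21:24 +0100
+Subject: [PATCH] hw/i386/pc: fix regression in parsing vga cmdline parameter
+
+When the 'vga=' parameter is succeeded by another parameter, QEMU 4.2.0
+would refuse to start with a rather cryptic message:
+
+ $ qemu-system-x86_64 -kernel /boot/vmlinuz-linux -append 'vga=792 quiet'
+ qemu: can't parse 'vga' parameter: Invalid argument
+
+It was not clear whether this applied to the '-vga std' parameter or the
+'-append' one. Fix the parsing regression and clarify the error.
+
+Fixes: 133ef074bd ("hw/i386/pc: replace use of strtol with qemu_strtoui in x86_load_linux()")
+Cc: Sergio Lopez <slp@redhat.com>
+Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+Message-Id: <20191221162124.1159291-1-peter@lekensteyn.nl>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=a88c40f02ace88f09b2a85a64831b277b2ebc88c
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1867519
+Last-Update: 2020-03-18
+
+---
+ hw/i386/x86.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/hw/i386/x86.c b/hw/i386/x86.c
+index d8bb5c2a96..9b9a4d5837 100644
+--- a/hw/i386/x86.c
++++ b/hw/i386/x86.c
+@@ -612,6 +612,7 @@ void x86_load_linux(X86MachineState *x86ms,
+ vmode = strstr(kernel_cmdline, "vga=");
+ if (vmode) {
+ unsigned int video_mode;
++ const char *end;
+ int ret;
+ /* skip "vga=" */
+ vmode += 4;
+@@ -622,10 +623,9 @@ void x86_load_linux(X86MachineState *x86ms,
+ } else if (!strncmp(vmode, "ask", 3)) {
+ video_mode = 0xfffd;
+ } else {
+- ret = qemu_strtoui(vmode, NULL, 0, &video_mode);
+- if (ret != 0) {
+- fprintf(stderr, "qemu: can't parse 'vga' parameter: %s\n",
+- strerror(-ret));
++ ret = qemu_strtoui(vmode, &end, 0, &video_mode);
++ if (ret != 0 || (*end && *end != ' ')) {
++ fprintf(stderr, "qemu: invalid 'vga=' kernel parameter.\n");
+ exit(1);
+ }
+ }
+--
+2.25.1
+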
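Review bot: The new terminator test `(*end && *end != ' ')` accepts only a single space after the number, so a `vga=` value followed by a tab or other whitespace in the kernel command line is now rejected with the new error; if that is intended a short comment would help, otherwise `if (ret != 0 || (*end && !qemu_isspace(*end))) {` is the more tolerant form. Dropping `strerror(-ret)` from the message also loses the distinction between a numeric overflow and a junk suffix, which is probably acceptable now that the message names the parameter, but the commit does not say so. x86_load_linux starts and ends outside the hunk.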
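diff --git a/debian/patches/stable/lp-1867519-intel_iommu-a-fix-to-vtd_find_as_from_bus_num.patch b/debian/patches/stable/lp-1867519-intel_iommu-a-fix-to-vtd_find_as_from_bus_num.patch
new file mode 100644
index 0000000..4d13d20
--- /dev/null
+++ b/debian/patches/stable/lp-1867519-intel_iommu-a-fix-to-vtd_find_as_from_bus_num.patch
@@ -0,0 +1,44 @@
+From a2e1cd41ccfe796529abfd1b6aeb1dd4393762a2 Mon Sep 17 00:00:00 2001
+From: Liu Yi L <yi.l.liu@intel.com>
+Date: Fri, 3 Jan 2020 21:28:05 +0800
+Subject: [PATCH] intel_iommu: a fix to vtd_find_as_from_bus_num()
+
+Ensure the return value of vtd_find_as_from_bus_num() is NULL by
+enforcing vtd_bus=NULL. This would help caller of vtd_find_as_from_bus_num()
+to decide if any further operation on the returned vtd_bus.
+
+Cc: qemu-stable@nongnu.org
+Cc: Kevin Tian <kevin.tian@intel.com>
+Cc: Jacob Pan <jacob.jun.pan@linux.intel.com>
+Cc: Peter Xu <peterx@redhat.com>
+Cc: Yi Sun <yi.y.sun@linux.intel.com>
+Signed-off-by: Liu Yi L <yi.l.liu@intel.com>
+Signed-off-by: Yi Sun <yi.y.sun@linux.intel.com>
+Message-Id: <1578058086-4288-2-git-send-email-yi.l.liu@intel.com>
+Reviewed-by: Peter Xu <peterx@redhat.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=a2e1cd41ccfe796529abfd1b6aeb1dd4393762a2
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1867519
+Last-Update: 2020-03-18
+
+---
+ hw/i386/intel_iommu.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/i386/intel_iommu.c b/hw/i386/intel_iommu.c
+index ee06993675..609b80750a 100644
+--- a/hw/i386/intel_iommu.c
++++ b/hw/i386/intel_iommu.c
+@@ -948,6 +948,7 @@ static VTDBus *vtd_find_as_from_bus_num(IntelIOMMUState *s, uint8_t bus_num)
+ return vtd_bus;
+ }
+ }
++ vtd_bus = NULL;
+ }
+ return vtd_bus;
+ }
+--
+2.25.1
+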
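diff --git a/debian/patches/stable/lp-1867519-intel_iommu-add-present-bit-check-for-pasid-table-en.patch b/debian/patches/stable/lp-1867519-intel_iommu-add-present-bit-check-for-pasid-table-en.patch
new file mode 100644
index 0000000..02548a2
--- /dev/null
+++ b/debian/patches/stable/lp-1867519-intel_iommu-add-present-bit-check-for-pasid-table-en.patch
@@ -0,0 +1,202 @@
+From 56fc1e6ac6bde95bc0369d358587f2234d4dddad Mon Sep 17 00:00:00 2001
+From: Liu Yi L <yi.l.liu@intel.com>
+Date: Fri, 3 Jan 2020 21:28:06 +0800
+Subject: [PATCH] intel_iommu: add present bit check for pasid table entries
+
+The present bit check for pasid entry (pe) and pasid directory
+entry (pdire) were missed in previous commits as fpd bit check
+doesn't require present bit as "Set". This patch adds the present
+bit check for callers which wants to get a valid pe/pdire.
+
+Cc: qemu-stable@nongnu.org
+Cc: Kevin Tian <kevin.tian@intel.com>
+Cc: Jacob Pan <jacob.jun.pan@linux.intel.com>
+Cc: Peter Xu <peterx@redhat.com>
+Cc: Yi Sun <yi.y.sun@linux.intel.com>
+Reviewed-by: Peter Xu <peterx@redhat.com>
+Signed-off-by: Liu Yi L <yi.l.liu@intel.com>
+Message-Id: <1578058086-4288-3-git-send-email-yi.l.liu@intel.com>
+Reviewed-by: Peter Xu <peterx@redhat.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=56fc1e6ac6bde95bc0369d358587f2234d4dddad
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1867519
+Last-Update: 2020-03-18
+
+---
+ hw/i386/intel_iommu.c | 92 +++++++++++++++++++++++++++-------
+ hw/i386/intel_iommu_internal.h | 1 +
+ 2 files changed, 74 insertions(+), 19 deletions(-)
+
+diff --git a/hw/i386/intel_iommu.c b/hw/i386/intel_iommu.c
+index 609b80750a..a523ef0e65 100644
+--- a/hw/i386/intel_iommu.c
++++ b/hw/i386/intel_iommu.c
+@@ -686,9 +686,18 @@ static inline bool vtd_pe_type_check(X86IOMMUState *x86_iommu,
+ return true;
+ }
+
+-static int vtd_get_pasid_dire(dma_addr_t pasid_dir_base,
+- uint32_t pasid,
+- VTDPASIDDirEntry *pdire)
++static inline bool vtd_pdire_present(VTDPASIDDirEntry *pdire)
++{
++ return pdire->val & 1;
++}
++
++/**
++ * Caller of this function should check present bit if wants
++ * to use pdir entry for futher usage except for fpd bit check.
++ */
++static int vtd_get_pdire_from_pdir_table(dma_addr_t pasid_dir_base,
++ uint32_t pasid,
++ VTDPASIDDirEntry *pdire)
+ {
+ uint32_t index;
+ dma_addr_t addr, entry_size;
+@@ -703,18 +712,22 @@ static int vtd_get_pasid_dire(dma_addr_t pasid_dir_base,
+ return 0;
+ }
+
+-static int vtd_get_pasid_entry(IntelIOMMUState *s,
+- uint32_t pasid,
+- VTDPASIDDirEntry *pdire,
+- VTDPASIDEntry *pe)
++static inline bool vtd_pe_present(VTDPASIDEntry *pe)
++{
++ return pe->val[0] & VTD_PASID_ENTRY_P;
++}
++
++static int vtd_get_pe_in_pasid_leaf_table(IntelIOMMUState *s,
++ uint32_t pasid,
++ dma_addr_t addr,
++ VTDPASIDEntry *pe)
+ {
+ uint32_t index;
+- dma_addr_t addr, entry_size;
++ dma_addr_t entry_size;
+ X86IOMMUState *x86_iommu = X86_IOMMU_DEVICE(s);
+
+ index = VTD_PASID_TABLE_INDEX(pasid);
+ entry_size = VTD_PASID_ENTRY_SIZE;
+- addr = pdire->val & VTD_PASID_TABLE_BASE_ADDR_MASK;
+ addr = addr + index * entry_size;
+ if (dma_memory_read(&address_space_memory, addr, pe, entry_size)) {
+ return -VTD_FR_PASID_TABLE_INV;
+@@ -732,25 +745,54 @@ static int vtd_get_pasid_entry(IntelIOMMUState *s,
+ return 0;
+ }
+
+-static int vtd_get_pasid_entry_from_pasid(IntelIOMMUState *s,
+- dma_addr_t pasid_dir_base,
+- uint32_t pasid,
+- VTDPASIDEntry *pe)
++/**
++ * Caller of this function should check present bit if wants
++ * to use pasid entry for futher usage except for fpd bit check.
++ */
++static int vtd_get_pe_from_pdire(IntelIOMMUState *s,
++ uint32_t pasid,
++ VTDPASIDDirEntry *pdire,
++ VTDPASIDEntry *pe)
++{
++ dma_addr_t addr = pdire->val & VTD_PASID_TABLE_BASE_ADDR_MASK;
++
++ return vtd_get_pe_in_pasid_leaf_table(s, pasid, addr, pe);
++}
++
++/**
++ * This function gets a pasid entry from a specified pasid
++ * table (includes dir and leaf table) with a specified pasid.
++ * Sanity check should be done to ensure return a present
++ * pasid entry to caller.
++ */
++static int vtd_get_pe_from_pasid_table(IntelIOMMUState *s,
++ dma_addr_t pasid_dir_base,
++ uint32_t pasid,
++ VTDPASIDEntry *pe)
+ {
+ int ret;
+ VTDPASIDDirEntry pdire;
+
+- ret = vtd_get_pasid_dire(pasid_dir_base, pasid, &pdire);
++ ret = vtd_get_pdire_from_pdir_table(pasid_dir_base,
++ pasid, &pdire);
+ if (ret) {
+ return ret;
+ }
+
+- ret = vtd_get_pasid_entry(s, pasid, &pdire, pe);
++ if (!vtd_pdire_present(&pdire)) {
++ return -VTD_FR_PASID_TABLE_INV;
++ }
++
++ ret = vtd_get_pe_from_pdire(s, pasid, &pdire, pe);
+ if (ret) {
+ return ret;
+ }
+
+- return ret;
++ if (!vtd_pe_present(pe)) {
++ return -VTD_FR_PASID_TABLE_INV;
++ }
++
++ return 0;
+ }
+
+ static int vtd_ce_get_rid2pasid_entry(IntelIOMMUState *s,
+@@ -763,7 +805,7 @@ static int vtd_ce_get_rid2pasid_entry(IntelIOMMUState *s,
+
+ pasid = VTD_CE_GET_RID2PASID(ce);
+ pasid_dir_base = VTD_CE_GET_PASID_DIR_TABLE(ce);
+- ret = vtd_get_pasid_entry_from_pasid(s, pasid_dir_base, pasid, pe);
++ ret = vtd_get_pe_from_pasid_table(s, pasid_dir_base, pasid, pe);
+
+ return ret;
+ }
+@@ -781,7 +823,11 @@ static int vtd_ce_get_pasid_fpd(IntelIOMMUState *s,
+ pasid = VTD_CE_GET_RID2PASID(ce);
+ pasid_dir_base = VTD_CE_GET_PASID_DIR_TABLE(ce);
+
+- ret = vtd_get_pasid_dire(pasid_dir_base, pasid, &pdire);
++ /*
++ * No present bit check since fpd is meaningful even
++ * if the present bit is clear.
++ */
++ ret = vtd_get_pdire_from_pdir_table(pasid_dir_base, pasid, &pdire);
+ if (ret) {
+ return ret;
+ }
+@@ -791,7 +837,15 @@ static int vtd_ce_get_pasid_fpd(IntelIOMMUState *s,
+ return 0;
+ }
+
+- ret = vtd_get_pasid_entry(s, pasid, &pdire, &pe);
++ if (!vtd_pdire_present(&pdire)) {
++ return -VTD_FR_PASID_TABLE_INV;
++ }
++
++ /*
++ * No present bit check since fpd is meaningful even
++ * if the present bit is clear.
++ */
++ ret = vtd_get_pe_from_pdire(s, pasid, &pdire, &pe);
+ if (ret) {
+ return ret;
+ }
+diff --git a/hw/i386/intel_iommu_internal.h b/hw/i386/intel_iommu_internal.h
+index edcf9fc9bb..862033ebe6 100644
+--- a/hw/i386/intel_iommu_internal.h
++++ b/hw/i386/intel_iommu_internal.h
+@@ -479,6 +479,7 @@ typedef struct VTDRootEntry VTDRootEntry;
+ #define VTD_PASID_ENTRY_FPD (1ULL << 1) /* Fault Processing Disable */
+
+ /* PASID Granular Translation Type Mask */
++#define VTD_PASID_ENTRY_P 1ULL
+ #define VTD_SM_PASID_ENTRY_PGTT (7ULL << 6)
+ #define VTD_SM_PASID_ENTRY_FLT (1ULL << 6)
+ #define VTD_SM_PASID_ENTRY_SLT (2ULL << 6)
+--
+2.25.1
+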
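Review bot: `VTD_PASID_ENTRY_P` is added as a bare `1ULL` directly under the `/* PASID Granular Translation Type Mask */` comment in intel_iommu_internal.h, which files a present bit among the PGTT masks; it belongs next to `VTD_PASID_ENTRY_FPD` with its own comment, e.g. `#define VTD_PASID_ENTRY_P (1ULL << 0) /* Present */`. The new `vtd_pdire_present` helper tests its bit with a literal `pdire->val & 1` while `vtd_pe_present` uses the macro, so a named constant for the directory-entry present bit would keep the two consistent and make the guest-controlled table layout explicit. The second `No present bit check` comment in vtd_ce_get_pasid_fpd sits immediately after a present check on the pdire and reads as contradicting it; saying that the pasid entry's own present bit is deliberately not checked there would be clearer, and the doc comments on both getters spell "further" as "futher".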
1397diff --git a/debian/patches/stable/lp-1867519-iotests-add-test-for-backup-top-failure-on-permissio.patch b/debian/patches/stable/lp-1867519-iotests-add-test-for-backup-top-failure-on-permissio.patch
1398new file mode 100644
1399index 0000000..790c5d4
1400--- /dev/null
1401+++ b/debian/patches/stable/lp-1867519-iotests-add-test-for-backup-top-failure-on-permissio.patch
1402@@ -0,0 +1,138 @@
1403+From a541fcc27c98b96da187c7d4573f3270f3ddd283 Mon Sep 17 00:00:00 2001
1404+From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
1405+Date: Tue, 21 Jan 2020 17:28:02 +0300
1406+Subject: [PATCH] iotests: add test for backup-top failure on permission
1407+ activation
1408+
1409+This test checks that bug is really fixed by previous commit.
1410+
1411+Cc: qemu-stable@nongnu.org # v4.2.0
1412+Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
1413+Message-id: 20200121142802.21467-3-vsementsov@virtuozzo.com
1414+Signed-off-by: Max Reitz <mreitz@redhat.com>
1415+
1416+Origin: backport, https://git.qemu.org/?p=qemu.git;a=commit;h=a541fcc27c98b96da187c7d4573f3270f3ddd283
1417+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1867519
1418+Last-Update: 2020-03-18
1419+
1420+---
1421+ tests/qemu-iotests/283 | 92 ++++++++++++++++++++++++++++++++++++++
1422+ tests/qemu-iotests/283.out | 8 ++++
1423+ tests/qemu-iotests/group | 1 +
1424+ 3 files changed, 101 insertions(+)
1425+ create mode 100644 tests/qemu-iotests/283
1426+ create mode 100644 tests/qemu-iotests/283.out
1427+
1428+--- /dev/null
1429++++ b/tests/qemu-iotests/283
1430+@@ -0,0 +1,92 @@
1431++#!/usr/bin/env python
1432++#
1433++# Test for backup-top filter permission activation failure
1434++#
1435++# Copyright (c) 2019 Virtuozzo International GmbH.
1436++#
1437++# This program is free software; you can redistribute it and/or modify
1438++# it under the terms of the GNU General Public License as published by
1439++# the Free Software Foundation; either version 2 of the License, or
1440++# (at your option) any later version.
1441++#
1442++# This program is distributed in the hope that it will be useful,
1443++# but WITHOUT ANY WARRANTY; without even the implied warranty of
1444++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
1445++# GNU General Public License for more details.
1446++#
1447++# You should have received a copy of the GNU General Public License
1448++# along with this program. If not, see <http://www.gnu.org/licenses/>.
1449++#
1450++
1451++import iotests
1452++
1453++# The test is unrelated to formats, restrict it to qcow2 to avoid extra runs
1454++iotests.verify_image_format(supported_fmts=['qcow2'])
1455++
1456++size = 1024 * 1024
1457++
1458++""" Test description
1459++
1460++When performing a backup, all writes on the source subtree must go through the
1461++backup-top filter so it can copy all data to the target before it is changed.
1462++backup-top filter is appended above source node, to achieve this thing, so all
1463++parents of source node are handled. A configuration with side parents of source
1464++sub-tree with write permission is unsupported (we'd have append several
1465++backup-top filter like nodes to handle such parents). The test create an
1466++example of such configuration and checks that a backup is then not allowed
1467++(blockdev-backup command should fail).
1468++
1469++The configuration:
1470++
1471++ ┌────────┐ target ┌─────────────┐
1472++ │ target │ ◀─────── │ backup_top │
1473++ └────────┘ └─────────────┘
1474++ │
1475++ │ backing
1476++ ▼
1477++ ┌─────────────┐
1478++ │ source │
1479++ └─────────────┘
1480++ │
1481++ │ file
1482++ ▼
1483++ ┌─────────────┐ write perm ┌───────┐
1484++ │ base │ ◀──────────── │ other │
1485++ └─────────────┘ └───────┘
1486++
1487++On activation (see .active field of backup-top state in block/backup-top.c),
1488++backup-top is going to unshare write permission on its source child. Write
1489++unsharing will be propagated to the "source->base" link and will conflict with
1490++other node write permission. So permission update will fail and backup job will
1491++not be started.
1492++
1493++Note, that the only thing which prevents backup of running on such
1494++configuration is default permission propagation scheme. It may be altered by
1495++different block drivers, so backup will run in invalid configuration. But
1496++something is better than nothing. Also, before the previous commit (commit
1497++preceding this test creation), starting backup on such configuration led to
1498++crash, so current "something" is a lot better, and this test actual goal is
1499++to check that crash is fixed :)
1500++"""
1501++
1502++vm = iotests.VM()
1503++vm.launch()
1504++
1505++vm.qmp_log('blockdev-add', **{'node-name': 'target', 'driver': 'null-co'})
1506++
1507++vm.qmp_log('blockdev-add', **{
1508++ 'node-name': 'source',
1509++ 'driver': 'blkdebug',
1510++ 'image': {'node-name': 'base', 'driver': 'null-co', 'size': size}
1511++})
1512++
1513++vm.qmp_log('blockdev-add', **{
1514++ 'node-name': 'other',
1515++ 'driver': 'blkdebug',
1516++ 'image': 'base',
1517++ 'take-child-perms': ['write']
1518++})
1519++
1520++vm.qmp_log('blockdev-backup', sync='full', device='source', target='target')
1521++
1522++vm.shutdown()
1523+--- /dev/null
1524++++ b/tests/qemu-iotests/283.out
1525+@@ -0,0 +1,8 @@
1526++{"execute": "blockdev-add", "arguments": {"driver": "null-co", "node-name": "target"}}
1527++{"return": {}}
1528++{"execute": "blockdev-add", "arguments": {"driver": "blkdebug", "image": {"driver": "null-co", "node-name": "base", "size": 1048576}, "node-name": "source"}}
1529++{"return": {}}
1530++{"execute": "blockdev-add", "arguments": {"driver": "blkdebug", "image": "base", "node-name": "other", "take-child-perms": ["write"]}}
1531++{"return": {}}
1532++{"execute": "blockdev-backup", "arguments": {"device": "source", "sync": "full", "target": "target"}}
1533++{"error": {"class": "GenericError", "desc": "Cannot set permissions for backup-top filter: Conflicts with use by other as 'image', which uses 'write' on base"}}
1534+--- a/tests/qemu-iotests/group
1535++++ b/tests/qemu-iotests/group
1536+@@ -286,3 +286,4 @@
1537+ 272 rw
1538+ 273 backing quick
1539+ 277 rw quick
1540++283 auto quick
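--- /dev/null
+++ b/debian/patches/stable/lp-1867519-job-refactor-progress-to-separate-object.patch
@@ -0,0 +1,230 @@
+From 01fe1ca945345d3dc420d70c69488143dc0451b1 Mon Sep 17 00:00:00 2001
+From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+Date: Wed, 11 Mar 2020 13:29:56 +0300
+Subject: [PATCH] job: refactor progress to separate object
+
+We need it in separate to pass to the block-copy object in the next
+commit.
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+Reviewed-by: Andrey Shinkevich <andrey.shinkevich@virtuozzo.com>
+Reviewed-by: Max Reitz <mreitz@redhat.com>
+Message-Id: <20200311103004.7649-2-vsementsov@virtuozzo.com>
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=01fe1ca945345d3dc420d70c69488143dc0451b1
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1867519
+Last-Update: 2020-03-18
+
+---
+ blockjob.c | 16 +++++-----
+ include/qemu/job.h | 11 ++-----
+ include/qemu/progress_meter.h | 58 +++++++++++++++++++++++++++++++++++
+ job-qmp.c | 4 +--
+ job.c | 6 ++--
+ qemu-img.c | 6 ++--
+ 6 files changed, 76 insertions(+), 25 deletions(-)
+ create mode 100644 include/qemu/progress_meter.h
+
+diff --git a/blockjob.c b/blockjob.c
+index 5d63b1e89d..fc850312c1 100644
+--- a/blockjob.c
++++ b/blockjob.c
+@@ -299,8 +299,8 @@ BlockJobInfo *block_job_query(BlockJob *job, Error **errp)
+ info->device = g_strdup(job->job.id);
+ info->busy = atomic_read(&job->job.busy);
+ info->paused = job->job.pause_count > 0;
+- info->offset = job->job.progress_current;
+- info->len = job->job.progress_total;
++ info->offset = job->job.progress.current;
++ info->len = job->job.progress.total;
+ info->speed = job->speed;
+ info->io_status = job->iostatus;
+ info->ready = job_is_ready(&job->job),
+@@ -330,8 +330,8 @@ static void block_job_event_cancelled(Notifier *n, void *opaque)
+
+ qapi_event_send_block_job_cancelled(job_type(&job->job),
+ job->job.id,
+- job->job.progress_total,
+- job->job.progress_current,
++ job->job.progress.total,
++ job->job.progress.current,
+ job->speed);
+ }
+
+@@ -350,8 +350,8 @@ static void block_job_event_completed(Notifier *n, void *opaque)
+
+ qapi_event_send_block_job_completed(job_type(&job->job),
+ job->job.id,
+- job->job.progress_total,
+- job->job.progress_current,
++ job->job.progress.total,
++ job->job.progress.current,
+ job->speed,
+ !!msg,
+ msg);
+@@ -379,8 +379,8 @@ static void block_job_event_ready(Notifier *n, void *opaque)
+
+ qapi_event_send_block_job_ready(job_type(&job->job),
+ job->job.id,
+- job->job.progress_total,
+- job->job.progress_current,
++ job->job.progress.total,
++ job->job.progress.current,
+ job->speed);
+ }
+
+diff --git a/include/qemu/job.h b/include/qemu/job.h
+index bd59cd8944..32aabb1c60 100644
+--- a/include/qemu/job.h
++++ b/include/qemu/job.h
+@@ -28,6 +28,7 @@
+
+ #include "qapi/qapi-types-job.h"
+ #include "qemu/queue.h"
++#include "qemu/progress_meter.h"
+ #include "qemu/coroutine.h"
+ #include "block/aio.h"
+
+@@ -117,15 +118,7 @@ typedef struct Job {
+ /** True if this job should automatically dismiss itself */
+ bool auto_dismiss;
+
+- /**
+- * Current progress. The unit is arbitrary as long as the ratio between
+- * progress_current and progress_total represents the estimated percentage
+- * of work already done.
+- */
+- int64_t progress_current;
+-
+- /** Estimated progress_current value at the completion of the job */
+- int64_t progress_total;
++ ProgressMeter progress;
+
+ /**
+ * Return code from @run and/or @prepare callback(s).
+diff --git a/include/qemu/progress_meter.h b/include/qemu/progress_meter.h
+new file mode 100644
+index 0000000000..9a23ff071c
+--- /dev/null
++++ b/include/qemu/progress_meter.h
+@@ -0,0 +1,58 @@
++/*
++ * Helper functionality for some process progress tracking.
++ *
++ * Copyright (c) 2011 IBM Corp.
++ * Copyright (c) 2012, 2018 Red Hat, Inc.
++ * Copyright (c) 2020 Virtuozzo International GmbH
++ *
++ * Permission is hereby granted, free of charge, to any person obtaining a copy
++ * of this software and associated documentation files (the "Software"), to deal
++ * in the Software without restriction, including without limitation the rights
++ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
++ * copies of the Software, and to permit persons to whom the Software is
++ * furnished to do so, subject to the following conditions:
++ *
++ * The above copyright notice and this permission notice shall be included in
++ * all copies or substantial portions of the Software.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
++ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
++ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
++ * THE SOFTWARE.
++ */
++
++#ifndef QEMU_PROGRESS_METER_H
++#define QEMU_PROGRESS_METER_H
++
++typedef struct ProgressMeter {
++ /**
++ * Current progress. The unit is arbitrary as long as the ratio between
++ * current and total represents the estimated percentage
++ * of work already done.
++ */
++ uint64_t current;
++
++ /** Estimated current value at the completion of the process */
++ uint64_t total;
++} ProgressMeter;
++
++static inline void progress_work_done(ProgressMeter *pm, uint64_t done)
++{
++ pm->current += done;
++}
++
++static inline void progress_set_remaining(ProgressMeter *pm, uint64_t remaining)
++{
++ pm->total = pm->current + remaining;
++}
++
++static inline void progress_increase_remaining(ProgressMeter *pm,
++ uint64_t delta)
++{
++ pm->total += delta;
++}
++
++#endif /* QEMU_PROGRESS_METER_H */
+diff --git a/job-qmp.c b/job-qmp.c
+index fbfed25a00..fecc939ebd 100644
+--- a/job-qmp.c
++++ b/job-qmp.c
+@@ -143,8 +143,8 @@ static JobInfo *job_query_single(Job *job, Error **errp)
+ .id = g_strdup(job->id),
+ .type = job_type(job),
+ .status = job->status,
+- .current_progress = job->progress_current,
+- .total_progress = job->progress_total,
++ .current_progress = job->progress.current,
++ .total_progress = job->progress.total,
+ .has_error = !!job->err,
+ .error = job->err ? \
+ g_strdup(error_get_pretty(job->err)) : NULL,
+diff --git a/job.c b/job.c
+index 04409b40aa..134a07b92e 100644
+--- a/job.c
++++ b/job.c
+@@ -369,17 +369,17 @@ void job_unref(Job *job)
+
+ void job_progress_update(Job *job, uint64_t done)
+ {
+- job->progress_current += done;
++ progress_work_done(&job->progress, done);
+ }
+
+ void job_progress_set_remaining(Job *job, uint64_t remaining)
+ {
+- job->progress_total = job->progress_current + remaining;
++ progress_set_remaining(&job->progress, remaining);
+ }
+
+ void job_progress_increase_remaining(Job *job, uint64_t delta)
+ {
+- job->progress_total += delta;
++ progress_increase_remaining(&job->progress, delta);
+ }
+
+ void job_event_cancelled(Job *job)
+diff --git a/qemu-img.c b/qemu-img.c
+index 7b7087dd60..afddf33f08 100644
+--- a/qemu-img.c
++++ b/qemu-img.c
+@@ -884,9 +884,9 @@ static void run_block_job(BlockJob *job, Error **errp)
+ do {
+ float progress = 0.0f;
+ aio_poll(aio_context, true);
+- if (job->job.progress_total) {
+- progress = (float)job->job.progress_current /
+- job->job.progress_total * 100.f;
++ if (job->job.progress.total) {
++ progress = (float)job->job.progress.current /
++ job->job.progress.total * 100.f;
+ }
+ qemu_progress_print(progress, 0);
+ } while (!job_is_ready(&job->job) && !job_is_completed(&job->job));
+--
+2.25.1
+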
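Review bot: The ProgressMeter fields in the new include/qemu/progress_meter.h are declared `uint64_t` where Job previously used `int64_t`, and the consumers in the blockjob.c and job-qmp.c hunks store them into the signed QAPI fields (info->offset/info->len, current_progress/total_progress) without a cast, so the signedness change is absorbed silently at every assignment. That is harmless for values below 2^63, but the struct comment should state it, e.g. `/* Unsigned on purpose: progress only ever accumulates; QAPI consumers narrow to int64_t. */` above `uint64_t current;`. Whether any caller relied on a negative progress value cannot be seen from these hunks; the qemu-img.c ratio `(float)job->job.progress.current / job->job.progress.total` remains well-defined with the unsigned type.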
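--- /dev/null
+++ b/debian/patches/stable/lp-1867519-plugins-core-add-missing-break-in-cb_to_tcg_flags.patch
@@ -0,0 +1,41 @@
+From dcc474c69e6a59044b9bb54624bd636cbfd98aa9 Mon Sep 17 00:00:00 2001
+From: "Emilio G. Cota" <cota@braap.org>
+Date: Tue, 25 Feb 2020 12:47:02 +0000
+Subject: [PATCH] plugins/core: add missing break in cb_to_tcg_flags
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes: 54cb65d8588
+Reported-by: Robert Henry <robhenry@microsoft.com>
+Signed-off-by: Emilio G. Cota <cota@braap.org>
+Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Message-Id: <20200105072940.32204-1-cota@braap.org>
+Cc: qemu-stable@nongnu.org
+Message-Id: <20200225124710.14152-12-alex.bennee@linaro.org>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=dcc474c69e6a59044b9bb54624bd636cbfd98aa9
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1867519
+Last-Update: 2020-03-18
+
+---
+ plugins/core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/plugins/core.c b/plugins/core.c
+index 9e1b9e7a91..ed863011ba 100644
+--- a/plugins/core.c
++++ b/plugins/core.c
+@@ -286,6 +286,7 @@ static inline uint32_t cb_to_tcg_flags(enum qemu_plugin_cb_flags flags)
+ switch (flags) {
+ case QEMU_PLUGIN_CB_RW_REGS:
+ ret = 0;
++ break;
+ case QEMU_PLUGIN_CB_R_REGS:
+ ret = TCG_CALL_NO_WG;
+ break;
+--
+2.25.1
+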
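Review bot: Nothing in this switch guards against the same omission recurring once the `break;` is placed after `ret = 0;` — the earlier fall-through silently replaced the RW_REGS result with `TCG_CALL_NO_WG`, and a future case added above it would fail the same way. Building plugins/core.c with `-Wimplicit-fallthrough` and marking any intended fall-through with an explicit `/* fall through */` comment would let the compiler flag it; whether the tree already enables that warning cannot be seen from this hunk. The rest of cb_to_tcg_flags(), including any default case, is outside the hunk.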
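--- /dev/null
+++ b/debian/patches/stable/lp-1867519-qcow2-Fix-alloc_cluster_abort-for-pre-existing-clust.patch
@@ -0,0 +1,39 @@
+From 3ede935fdbbd5f7b24b4724bbfb8938acb5956d8 Mon Sep 17 00:00:00 2001
+From: Max Reitz <mreitz@redhat.com>
+Date: Tue, 25 Feb 2020 15:31:28 +0100
+Subject: [PATCH] qcow2: Fix alloc_cluster_abort() for pre-existing clusters
+
+handle_alloc() reuses preallocated zero clusters. If anything goes
+wrong during the data write, we do not change their L2 entry, so we
+must not let qcow2_alloc_cluster_abort() free them.
+
+Fixes: 8b24cd141549b5b264baeddd4e72902cfb5de23b
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+Message-Id: <20200225143130.111267-2-mreitz@redhat.com>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=3ede935fdbbd5f7b24b4724bbfb8938acb5956d8
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1867519
+Last-Update: 2020-03-18
+
+---
+ block/qcow2-cluster.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/block/qcow2-cluster.c b/block/qcow2-cluster.c
+index 78c95dfa16..17f1363279 100644
+--- a/block/qcow2-cluster.c
++++ b/block/qcow2-cluster.c
+@@ -1026,7 +1026,7 @@ err:
+ void qcow2_alloc_cluster_abort(BlockDriverState *bs, QCowL2Meta *m)
+ {
+ BDRVQcow2State *s = bs->opaque;
+- if (!has_data_file(bs)) {
++ if (!has_data_file(bs) && !m->keep_old_clusters) {
+ qcow2_free_clusters(bs, m->alloc_offset,
+ m->nb_clusters << s->cluster_bits,
+ QCOW2_DISCARD_NEVER);
+--
+2.25.1
+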
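Review bot: The added `!m->keep_old_clusters` condition carries its rationale only in the commit message; a reader of qcow2_alloc_cluster_abort() cannot tell from the code why clusters flagged keep_old_clusters must survive an aborted write. Suggest a comment above the if: `/* Reused pre-existing clusters keep their L2 entry on failure, so freeing them would release live data; see handle_alloc() */`. The remainder of the function body is outside the hunk.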
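--- /dev/null
+++ b/debian/patches/stable/lp-1867519-qcow2-Fix-qcow2_alloc_cluster_abort-for-external-dat.patch
@@ -0,0 +1,44 @@
+From c3b6658c1a5a3fb24d6c27b2594cf86146f75b22 Mon Sep 17 00:00:00 2001
+From: Kevin Wolf <kwolf@redhat.com>
+Date: Tue, 11 Feb 2020 10:48:59 +0100
+Subject: [PATCH] qcow2: Fix qcow2_alloc_cluster_abort() for external data file
+
+For external data file, cluster allocations return an offset in the data
+file and are not refcounted. In this case, there is nothing to do for
+qcow2_alloc_cluster_abort(). Freeing the same offset in the qcow2 file
+is wrong and causes crashes in the better case or image corruption in
+the worse case.
+
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+Message-Id: <20200211094900.17315-3-kwolf@redhat.com>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=c3b6658c1a5a3fb24d6c27b2594cf86146f75b22
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1867519
+Last-Update: 2020-03-18
+
+---
+ block/qcow2-cluster.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/block/qcow2-cluster.c b/block/qcow2-cluster.c
+index 1947f13a2d..78c95dfa16 100644
+--- a/block/qcow2-cluster.c
++++ b/block/qcow2-cluster.c
+@@ -1026,8 +1026,11 @@ err:
+ void qcow2_alloc_cluster_abort(BlockDriverState *bs, QCowL2Meta *m)
+ {
+ BDRVQcow2State *s = bs->opaque;
+- qcow2_free_clusters(bs, m->alloc_offset, m->nb_clusters << s->cluster_bits,
+- QCOW2_DISCARD_NEVER);
++ if (!has_data_file(bs)) {
++ qcow2_free_clusters(bs, m->alloc_offset,
++ m->nb_clusters << s->cluster_bits,
++ QCOW2_DISCARD_NEVER);
++ }
+ }
+
+ /*
+--
+2.25.1
+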
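Review bot: The new `if (!has_data_file(bs))` guard in qcow2_alloc_cluster_abort() is uncommented, and the reason it exists — that with an external data file m->alloc_offset is an offset into that file and not a refcounted qcow2 cluster, so releasing it in the qcow2 file frees someone else's clusters — lives only in the commit message. Suggest `/* With an external data file the allocation is not refcounted in the qcow2 file; nothing to undo here */` above the if. Note that the pre-existing-clusters patch in this same series later extends this condition, so the comment should be placed where both readers will find it.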
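--- /dev/null
+++ b/debian/patches/stable/lp-1867519-qcow2-bitmaps-fix-qcow2_can_store_new_dirty_bitmap.patch
@@ -0,0 +1,102 @@
+From a1db8733d28d615bc0daeada6c406a6dd5c5d5ef Mon Sep 17 00:00:00 2001
+From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+Date: Mon, 14 Oct 2019 14:51:25 +0300
+Subject: [PATCH] qcow2-bitmaps: fix qcow2_can_store_new_dirty_bitmap
+
+qcow2_can_store_new_dirty_bitmap works wrong, as it considers only
+bitmaps already stored in the qcow2 image and ignores persistent
+BdrvDirtyBitmap objects.
+
+So, let's instead count persistent BdrvDirtyBitmaps. We load all qcow2
+bitmaps on open, so there should not be any bitmap in the image for
+which we don't have BdrvDirtyBitmaps version. If it is - it's a kind of
+corruption, and no reason to check for corruptions here (open() and
+close() are better places for it).
+
+Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+Message-id: 20191014115126.15360-2-vsementsov@virtuozzo.com
+Reviewed-by: Max Reitz <mreitz@redhat.com>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=a1db8733d28d615bc0daeada6c406a6dd5c5d5ef
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1867519
+Last-Update: 2020-03-18
+
+---
+ block/qcow2-bitmap.c | 41 ++++++++++++++++++-----------------------
+ 1 file changed, 18 insertions(+), 23 deletions(-)
+
+diff --git a/block/qcow2-bitmap.c b/block/qcow2-bitmap.c
+index c6c8ebbe89..d41f5d049b 100644
+--- a/block/qcow2-bitmap.c
++++ b/block/qcow2-bitmap.c
+@@ -1703,8 +1703,14 @@ bool coroutine_fn qcow2_co_can_store_new_dirty_bitmap(BlockDriverState *bs,
+ Error **errp)
+ {
+ BDRVQcow2State *s = bs->opaque;
+- bool found;
+- Qcow2BitmapList *bm_list;
++ BdrvDirtyBitmap *bitmap;
++ uint64_t bitmap_directory_size = 0;
++ uint32_t nb_bitmaps = 0;
++
++ if (bdrv_find_dirty_bitmap(bs, name)) {
++ error_setg(errp, "Bitmap already exists: %s", name);
++ return false;
++ }
+
+ if (s->qcow_version < 3) {
+ /* Without autoclear_features, we would always have to assume
+@@ -1720,38 +1726,27 @@ bool coroutine_fn qcow2_co_can_store_new_dirty_bitmap(BlockDriverState *bs,
+ goto fail;
+ }
+
+- if (s->nb_bitmaps == 0) {
+- return true;
++ FOR_EACH_DIRTY_BITMAP(bs, bitmap) {
++ if (bdrv_dirty_bitmap_get_persistence(bitmap)) {
++ nb_bitmaps++;
++ bitmap_directory_size +=
++ calc_dir_entry_size(strlen(bdrv_dirty_bitmap_name(bitmap)), 0);
++ }
+ }
++ nb_bitmaps++;
++ bitmap_directory_size += calc_dir_entry_size(strlen(name), 0);
+
+- if (s->nb_bitmaps >= QCOW2_MAX_BITMAPS) {
++ if (nb_bitmaps > QCOW2_MAX_BITMAPS) {
+ error_setg(errp,
+ "Maximum number of persistent bitmaps is already reached");
+ goto fail;
+ }
+
+- if (s->bitmap_directory_size + calc_dir_entry_size(strlen(name), 0) >
+- QCOW2_MAX_BITMAP_DIRECTORY_SIZE)
+- {
++ if (bitmap_directory_size > QCOW2_MAX_BITMAP_DIRECTORY_SIZE) {
+ error_setg(errp, "Not enough space in the bitmap directory");
+ goto fail;
+ }
+
+- qemu_co_mutex_lock(&s->lock);
+- bm_list = bitmap_list_load(bs, s->bitmap_directory_offset,
+- s->bitmap_directory_size, errp);
+- qemu_co_mutex_unlock(&s->lock);
+- if (bm_list == NULL) {
+- goto fail;
+- }
+-
+- found = find_bitmap_by_name(bm_list, name);
+- bitmap_list_free(bm_list);
+- if (found) {
+- error_setg(errp, "Bitmap with the same name is already stored");
+- goto fail;
+- }
+-
+ return true;
+
+ fail:
+--
+2.25.1
+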
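Review bot: The new early `return false` after `bdrv_find_dirty_bitmap()` bypasses the `fail:` label that every other error path in qcow2_co_can_store_new_dirty_bitmap() reaches via goto; what `fail:` does is outside the hunk, so if it prepends context to errp or performs cleanup, this one path will behave differently. Using `error_setg(errp, "Bitmap already exists: %s", name); goto fail;` keeps a single exit path. The check also now rejects any BdrvDirtyBitmap with that name, persistent or transient, whereas the removed bitmap_list_load() lookup only saw bitmaps stored in the image — a deliberate widening per the description, but worth a one-line comment since the error text no longer mentions storage. The function signature begins before the first hunk.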
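--- /dev/null
+++ b/debian/patches/stable/lp-1867519-qemu-img-Fix-convert-n-B-for-backing-less-targets.patch
@@ -0,0 +1,54 @@
+From c69291e712ae4ef95f628424db6586473da61d43 Mon Sep 17 00:00:00 2001
+From: Max Reitz <mreitz@redhat.com>
+Date: Tue, 21 Jan 2020 16:59:14 +0100
+Subject: [PATCH] qemu-img: Fix convert -n -B for backing-less targets
+
+s.target_has_backing does not reflect whether the target BDS has a
+backing file; it only tells whether we should use a backing file during
+conversion (specified by -B).
+
+As such, if you use convert -n, the target does not necessarily actually
+have a backing file, and then dereferencing out_bs->backing fails here.
+
+When converting to an existing file, we should set
+target_backing_sectors to a negative value, because first, as the
+comment explains, this value is only used for optimization, so it is
+always fine to do that.
+
+Second, we use this value to determine where the target must be
+initialized to zeroes (overlays are initialized to zero after the end of
+their backing file). When converting to an existing file, we cannot
+assume that to be true.
+
+Cc: qemu-stable@nongnu.org
+Fixes: 351c8efff9ad809c822d55620df54d575d536f68
+ ("qemu-img: Special post-backing convert handling")
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+Message-Id: <20200121155915.98232-2-mreitz@redhat.com>
+Reviewed-by: John Snow <jsnow@redhat.com>
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=c69291e712ae4ef95f628424db6586473da61d43
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1867519
+Last-Update: 2020-03-18
+
+---
+ qemu-img.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/qemu-img.c b/qemu-img.c
+index 0faf2cd2f5..804630a368 100644
+--- a/qemu-img.c
++++ b/qemu-img.c
+@@ -2523,7 +2523,7 @@ static int img_convert(int argc, char **argv)
+ }
+ }
+
+- if (s.target_has_backing) {
++ if (s.target_has_backing && s.target_is_new) {
+ /* Errors are treated as "backing length unknown" (which means
+ * s.target_backing_sectors has to be negative, which it will
+ * be automatically). The backing file length is used only
+--
+2.25.1
+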
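Review bot: The added `s.target_is_new` condition is not reflected in the comment block that follows it, which still only explains the backing-length fallback; a reader will not see why an existing target (`convert -n`) is excluded, nor that the flag name target_has_backing really means "-B was given", as the description points out. Suggest extending that comment with a line such as `* Only for a newly created target: with -n the target need not have a backing file at all (out_bs->backing may be NULL) and cannot be assumed zero past its backing file's end.` The enclosing img_convert() body continues outside the hunk.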
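--- /dev/null
+++ b/debian/patches/stable/lp-1867519-s390-sclp-improve-special-wait-psw-logic.patch
@@ -0,0 +1,40 @@
+From 8b51c0961cc13e55b26bb6665ec3a341abdc7658 Mon Sep 17 00:00:00 2001
+From: Christian Borntraeger <borntraeger@de.ibm.com>
+Date: Thu, 20 Feb 2020 14:16:22 +0100
+Subject: [PATCH] s390/sclp: improve special wait psw logic
+
+There is a special quiesce PSW that we check for "shutdown". Otherwise disabled
+wait is detected as "crashed". Architecturally we must only check PSW bits
+116-127. Fix this.
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Message-Id: <1582204582-22995-1-git-send-email-borntraeger@de.ibm.com>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Acked-by: Janosch Frank <frankja@linux.ibm.com>
+Signed-off-by: Cornelia Huck <cohuck@redhat.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=8b51c0961cc13e55b26bb6665ec3a341abdc7658
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1867519
+Last-Update: 2020-03-18
+
+---
+ target/s390x/helper.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/target/s390x/helper.c b/target/s390x/helper.c
+index b810ad431e..ed72684911 100644
+--- a/target/s390x/helper.c
++++ b/target/s390x/helper.c
+@@ -89,7 +89,7 @@ hwaddr s390_cpu_get_phys_addr_debug(CPUState *cs, vaddr vaddr)
+ static inline bool is_special_wait_psw(uint64_t psw_addr)
+ {
+ /* signal quiesce */
+- return psw_addr == 0xfffUL;
++ return (psw_addr & 0xfffUL) == 0xfffUL;
+ }
+
+ void s390_handle_wait(S390CPU *cpu)
+--
+2.25.1
+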
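Review bot: The `/* signal quiesce */` comment above the new masked comparison in is_special_wait_psw() does not say why only the low 12 bits of psw_addr are compared, so the change reads like a loosening of the shutdown-vs-crash decision rather than an architectural requirement. The justification from the description belongs in the code: `/* signal quiesce: only PSW bits 116-127 (the low 12 bits of the address) are architected; the rest must be ignored */`. A named constant for `0xfffUL` would also avoid repeating the literal as both mask and expected value.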
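--- /dev/null
+++ b/debian/patches/stable/lp-1867519-target-arm-Return-correct-IL-bit-in-merge_syn_data_a.patch
@@ -0,0 +1,46 @@
+From 30d544839e278dc76017b9a42990c41e84a34377 Mon Sep 17 00:00:00 2001
+From: Jeff Kubascik <jeff.kubascik@dornerworks.com>
+Date: Fri, 17 Jan 2020 14:09:31 +0000
+Subject: [PATCH] target/arm: Return correct IL bit in merge_syn_data_abort
+
+The IL bit is set for 32-bit instructions, thus passing false
+with the is_16bit parameter to syn_data_abort_with_iss() makes
+a syn mask that always has the IL bit set.
+
+Pass is_16bit as true to make the initial syn mask have IL=0,
+so that the final IL value comes from or'ing template_syn.
+
+Cc: qemu-stable@nongnu.org
+Fixes: aaa1f954d4ca ("target-arm: A64: Create Instruction Syndromes for Data Aborts")
+Signed-off-by: Jeff Kubascik <jeff.kubascik@dornerworks.com>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20200117004618.2742-2-richard.henderson@linaro.org
+[rth: Extracted this as a self-contained bug fix from a larger patch]
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=30d544839e278dc76017b9a42990c41e84a34377
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1867519
+Last-Update: 2020-03-18
+
+---
+ target/arm/tlb_helper.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/target/arm/tlb_helper.c b/target/arm/tlb_helper.c
+index 5feb312941..e63f8bda29 100644
+--- a/target/arm/tlb_helper.c
++++ b/target/arm/tlb_helper.c
+@@ -44,7 +44,7 @@ static inline uint32_t merge_syn_data_abort(uint32_t template_syn,
+ syn = syn_data_abort_with_iss(same_el,
+ 0, 0, 0, 0, 0,
+ ea, 0, s1ptw, is_write, fsc,
+- false);
++ true);
+ /* Merge the runtime syndrome with the template syndrome. */
+ syn |= template_syn;
+ }
+--
+2.25.1
+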
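Review bot: Passing `true` for is_16bit in the syn_data_abort_with_iss() call inside merge_syn_data_abort() is correct only because of the `syn |= template_syn` merge two lines later, and nothing at the call site says so; a reader will assume every data abort is now reported as a 16-bit instruction. Suggest annotating the argument, e.g. `true); /* is_16bit: keep IL clear in the mask so template_syn supplies the real IL bit */`. This pairs with the ISSIs16Bit patch in the same series, which is what makes the template carry that bit; the rest of merge_syn_data_abort() is outside the hunk.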
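--- /dev/null
+++ b/debian/patches/stable/lp-1867519-target-arm-Set-ISSIs16Bit-in-make_issinfo.patch
@@ -0,0 +1,42 @@
+From 1a1fbc6cbb34c26d43d8360c66c1d21681af14a9 Mon Sep 17 00:00:00 2001
+From: Richard Henderson <richard.henderson@linaro.org>
+Date: Fri, 17 Jan 2020 14:09:31 +0000
+Subject: [PATCH] target/arm: Set ISSIs16Bit in make_issinfo
+
+During the conversion to decodetree, the setting of
+ISSIs16Bit got lost. This causes the guest os to
+incorrectly adjust trapping memory operations.
+
+Cc: qemu-stable@nongnu.org
+Fixes: 46beb58efbb8a2a32 ("target/arm: Convert T16, load (literal)")
+Reported-by: Jeff Kubascik <jeff.kubascik@dornerworks.com>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20200117004618.2742-3-richard.henderson@linaro.org
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=1a1fbc6cbb34c26d43d8360c66c1d21681af14a9
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1867519
+Last-Update: 2020-03-18
+
+---
+ target/arm/translate.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/target/arm/translate.c b/target/arm/translate.c
+index 0c8624fb42..2f4aea927f 100644
+--- a/target/arm/translate.c
++++ b/target/arm/translate.c
+@@ -8556,6 +8556,9 @@ static ISSInfo make_issinfo(DisasContext *s, int rd, bool p, bool w)
+ /* ISS not valid if writeback */
+ if (p && !w) {
+ ret = rd;
++ if (s->base.pc_next - s->pc_curr == 2) {
++ ret |= ISSIs16Bit;
++ }
+ } else {
+ ret = ISSInvalid;
+ }
+--
+2.25.1
+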
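Review bot: The new `s->base.pc_next - s->pc_curr == 2` test in make_issinfo() infers the instruction width from the PC advance with no comment, and nothing in the hunk ties the literal 2 to the 16-bit Thumb encoding it stands for. Suggest `/* A 2-byte advance means this insn used a 16-bit Thumb encoding */` above the if, or a small inline helper naming the width so the same idiom is not re-derived elsewhere. The surrounding function body is outside the hunk.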
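diff --git a/debian/patches/stable/lp-1867519-target-arm-arm-semi-fix-SYS_OPEN-to-return-nonzero-f.patch b/debian/patches/stable/lp-1867519-target-arm-arm-semi-fix-SYS_OPEN-to-return-nonzero-f.patch
new file mode 100644
index 0000000..4f7a731
--- /dev/null
+++ b/debian/patches/stable/lp-1867519-target-arm-arm-semi-fix-SYS_OPEN-to-return-nonzero-f.patch
@@ -0,0 +1,79 @@
+From 21bf9b06cb6d07c6cc437dfd47b47b28c2bb79db Mon Sep 17 00:00:00 2001
+From: Masahiro Yamada <masahiroy@kernel.org>
+Date: Fri, 17 Jan 2020 14:09:30 +0000
+Subject: [PATCH] target/arm/arm-semi: fix SYS_OPEN to return nonzero
+ filehandle
+
+According to the specification "Semihosting for AArch32 and Aarch64",
+the SYS_OPEN operation should return:
+
+ - A nonzero handle if the call is successful
+ - -1 if the call is not successful
+
+So, it should never return 0.
+
+Prior to commit 35e9a0a8ce4b ("target/arm/arm-semi: Make semihosting
+code hand out its own file descriptors"), the guest fd matched to the
+host fd. It returned a nonzero handle on success since the fd 0 is
+already used for stdin.
+
+Now that the guest fd is the index of guestfd_array, it starts from 0.
+
+I noticed this issue particularly because Trusted Firmware-A built with
+PLAT=qemu is no longer working. Its io_semihosting driver only handles
+a positive return value as a valid filehandle.
+
+Basically, there are two ways to fix this:
+
+ - Use (guestfd - 1) as the index of guestfs_arrary. We need to insert
+ increment/decrement to convert the guestfd and the array index back
+ and forth.
+
+ - Keep using guestfd as the index of guestfs_array. The first entry
+ of guestfs_array is left unused.
+
+I thought the latter is simpler. We end up with wasting a small piece
+of memory for the unused first entry of guestfd_array, but this is
+probably not a big deal.
+
+Fixes: 35e9a0a8ce4b ("target/arm/arm-semi: Make semihosting code hand out its own file descriptors")
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20200109041228.10131-1-masahiroy@kernel.org
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=21bf9b06cb6d07c6cc437dfd47b47b28c2bb79db
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1867519
+Last-Update: 2020-03-18
+
+---
+ target/arm/arm-semi.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/target/arm/arm-semi.c b/target/arm/arm-semi.c
+index 47d61f6fe1..788fe61b51 100644
+--- a/target/arm/arm-semi.c
++++ b/target/arm/arm-semi.c
+@@ -144,7 +144,8 @@ static int alloc_guestfd(void)
+ guestfd_array = g_array_new(FALSE, TRUE, sizeof(GuestFD));
+ }
+
+- for (i = 0; i < guestfd_array->len; i++) {
++ /* SYS_OPEN should return nonzero handle on success. Start guestfd from 1 */
++ for (i = 1; i < guestfd_array->len; i++) {
+ GuestFD *gf = &g_array_index(guestfd_array, GuestFD, i);
+
+ if (gf->type == GuestFDUnused) {
+@@ -168,7 +169,7 @@ static GuestFD *do_get_guestfd(int guestfd)
+ return NULL;
+ }
+
+- if (guestfd < 0 || guestfd >= guestfd_array->len) {
++ if (guestfd <= 0 || guestfd >= guestfd_array->len) {
+ return NULL;
+ }
+
+--
+2.25.1
+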
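diff --git a/debian/patches/stable/lp-1867519-target-arm-ensure-we-use-current-exception-state-aft.patch b/debian/patches/stable/lp-1867519-target-arm-ensure-we-use-current-exception-state-aft.patch
new file mode 100644
index 0000000..896de43
--- /dev/null
+++ b/debian/patches/stable/lp-1867519-target-arm-ensure-we-use-current-exception-state-aft.patch
@@ -0,0 +1,127 @@
+From f80741d107673f162e3b097fc76a1590036cc9d1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Alex=20Benn=C3=A9e?= <alex.bennee@linaro.org>
+Date: Thu, 12 Dec 2019 11:47:34 +0000
+Subject: [PATCH] target/arm: ensure we use current exception state after SCR
+ update
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+A write to the SCR can change the effective EL by droppping the system
+from secure to non-secure mode. However if we use a cached current_el
+from before the change we'll rebuild the flags incorrectly. To fix
+this we introduce the ARM_CP_NEWEL CP flag to indicate the new EL
+should be used when recomputing the flags.
+
+Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
+Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20191212114734.6962-1-alex.bennee@linaro.org
+Cc: Richard Henderson <richard.henderson@linaro.org>
+Message-Id: <20191209143723.6368-1-alex.bennee@linaro.org>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=f80741d107673f162e3b097fc76a1590036cc9d1
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1867519
+Last-Update: 2020-03-18
+
+---
+ target/arm/cpu.h | 8 ++++++--
+ target/arm/helper.c | 14 +++++++++++++-
+ target/arm/helper.h | 1 +
+ target/arm/translate.c | 6 +++++-
+ 4 files changed, 25 insertions(+), 4 deletions(-)
+
+diff --git a/target/arm/cpu.h b/target/arm/cpu.h
+index 4106e4ae59..5f70e9e043 100644
+--- a/target/arm/cpu.h
++++ b/target/arm/cpu.h
+@@ -2238,6 +2238,9 @@ static inline uint64_t cpreg_to_kvm_id(uint32_t cpregid)
+ * RAISES_EXC is for when the read or write hook might raise an exception;
+ * the generated code will synchronize the CPU state before calling the hook
+ * so that it is safe for the hook to call raise_exception().
++ * NEWEL is for writes to registers that might change the exception
++ * level - typically on older ARM chips. For those cases we need to
++ * re-read the new el when recomputing the translation flags.
+ */
+ #define ARM_CP_SPECIAL 0x0001
+ #define ARM_CP_CONST 0x0002
+@@ -2257,10 +2260,11 @@ static inline uint64_t cpreg_to_kvm_id(uint32_t cpregid)
+ #define ARM_CP_SVE 0x2000
+ #define ARM_CP_NO_GDB 0x4000
+ #define ARM_CP_RAISES_EXC 0x8000
++#define ARM_CP_NEWEL 0x10000
+ /* Used only as a terminator for ARMCPRegInfo lists */
+-#define ARM_CP_SENTINEL 0xffff
++#define ARM_CP_SENTINEL 0xfffff
+ /* Mask of only the flag bits in a type field */
+-#define ARM_CP_FLAG_MASK 0xf0ff
++#define ARM_CP_FLAG_MASK 0x1f0ff
+
+ /* Valid values for ARMCPRegInfo state field, indicating which of
+ * the AArch32 and AArch64 execution states this register is visible in.
+diff --git a/target/arm/helper.c b/target/arm/helper.c
+index 3a93844a3b..5074b5f69c 100644
+--- a/target/arm/helper.c
++++ b/target/arm/helper.c
+@@ -5133,7 +5133,7 @@ static const ARMCPRegInfo el3_cp_reginfo[] = {
+ .opc0 = 3, .opc1 = 6, .crn = 1, .crm = 1, .opc2 = 0,
+ .access = PL3_RW, .fieldoffset = offsetof(CPUARMState, cp15.scr_el3),
+ .resetvalue = 0, .writefn = scr_write },
+- { .name = "SCR", .type = ARM_CP_ALIAS,
++ { .name = "SCR", .type = ARM_CP_ALIAS | ARM_CP_NEWEL,
+ .cp = 15, .opc1 = 0, .crn = 1, .crm = 1, .opc2 = 0,
+ .access = PL1_RW, .accessfn = access_trap_aa32s_el1,
+ .fieldoffset = offsetoflow32(CPUARMState, cp15.scr_el3),
+@@ -11472,6 +11472,18 @@ void HELPER(rebuild_hflags_m32)(CPUARMState *env, int el)
+ env->hflags = rebuild_hflags_m32(env, fp_el, mmu_idx);
+ }
+
++/*
++ * If we have triggered a EL state change we can't rely on the
++ * translator having passed it too us, we need to recompute.
++ */
++void HELPER(rebuild_hflags_a32_newel)(CPUARMState *env)
++{
++ int el = arm_current_el(env);
++ int fp_el = fp_exception_el(env, el);
++ ARMMMUIdx mmu_idx = arm_mmu_idx_el(env, el);
++ env->hflags = rebuild_hflags_a32(env, fp_el, mmu_idx);
++}
++
+ void HELPER(rebuild_hflags_a32)(CPUARMState *env, int el)
+ {
+ int fp_el = fp_exception_el(env, el);
+diff --git a/target/arm/helper.h b/target/arm/helper.h
+index 7ce5169afb..aa3d8cd08f 100644
+--- a/target/arm/helper.h
++++ b/target/arm/helper.h
+@@ -91,6 +91,7 @@ DEF_HELPER_2(get_user_reg, i32, env, i32)
+ DEF_HELPER_3(set_user_reg, void, env, i32, i32)
+
+ DEF_HELPER_FLAGS_2(rebuild_hflags_m32, TCG_CALL_NO_RWG, void, env, int)
++DEF_HELPER_FLAGS_1(rebuild_hflags_a32_newel, TCG_CALL_NO_RWG, void, env)
+ DEF_HELPER_FLAGS_2(rebuild_hflags_a32, TCG_CALL_NO_RWG, void, env, int)
+ DEF_HELPER_FLAGS_2(rebuild_hflags_a64, TCG_CALL_NO_RWG, void, env, int)
+
+diff --git a/target/arm/translate.c b/target/arm/translate.c
+index f162be8434..2b6c1f91bf 100644
+--- a/target/arm/translate.c
++++ b/target/arm/translate.c
+@@ -7083,7 +7083,11 @@ static int disas_coproc_insn(DisasContext *s, uint32_t insn)
+ if (arm_dc_feature(s, ARM_FEATURE_M)) {
+ gen_helper_rebuild_hflags_m32(cpu_env, tcg_el);
+ } else {
+- gen_helper_rebuild_hflags_a32(cpu_env, tcg_el);
++ if (ri->type & ARM_CP_NEWEL) {
++ gen_helper_rebuild_hflags_a32_newel(cpu_env);
++ } else {
++ gen_helper_rebuild_hflags_a32(cpu_env, tcg_el);
++ }
+ }
+ tcg_temp_free_i32(tcg_el);
+ /*
+--
+2.25.1
+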
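diff --git a/debian/patches/stable/lp-1867519-target-i386-kvm-initialize-feature-MSRs-very-early.patch b/debian/patches/stable/lp-1867519-target-i386-kvm-initialize-feature-MSRs-very-early.patch
new file mode 100644
index 0000000..9316575
--- /dev/null
+++ b/debian/patches/stable/lp-1867519-target-i386-kvm-initialize-feature-MSRs-very-early.patch
@@ -0,0 +1,169 @@
+From 420ae1fc51c99abfd03b1c590f55617edd2a2bed Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Mon, 20 Jan 2020 19:21:42 +0100
+Subject: [PATCH] target/i386: kvm: initialize feature MSRs very early
+
+Some read-only MSRs affect the behavior of ioctls such as
+KVM_SET_NESTED_STATE. We can initialize them once and for all
+right after the CPU is realized, since they will never be modified
+by the guest.
+
+Reported-by: Qingua Cheng <qcheng@redhat.com>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Message-Id: <1579544504-3616-2-git-send-email-pbonzini@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=420ae1fc51c99abfd03b1c590f55617edd2a2bed
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1867519
+Last-Update: 2020-03-18
+
+---
+ target/i386/kvm.c | 81 +++++++++++++++++++++++++-----------------
+ target/i386/kvm_i386.h | 1 +
+ 2 files changed, 49 insertions(+), 33 deletions(-)
+
+diff --git a/target/i386/kvm.c b/target/i386/kvm.c
+index 7ee3202634..f6dd6b790e 100644
+--- a/target/i386/kvm.c
++++ b/target/i386/kvm.c
+@@ -67,6 +67,8 @@
+ * 255 kvm_msr_entry structs */
+ #define MSR_BUF_SIZE 4096
+
++static void kvm_init_msrs(X86CPU *cpu);
++
+ const KVMCapabilityInfo kvm_arch_required_capabilities[] = {
+ KVM_CAP_INFO(SET_TSS_ADDR),
+ KVM_CAP_INFO(EXT_CPUID),
+@@ -1842,6 +1844,8 @@ int kvm_arch_init_vcpu(CPUState *cs)
+ has_msr_tsc_aux = false;
+ }
+
++ kvm_init_msrs(cpu);
++
+ r = hyperv_init_vcpu(cpu);
+ if (r) {
+ goto fail;
+@@ -2660,11 +2664,53 @@ static void kvm_msr_entry_add_vmx(X86CPU *cpu, FeatureWordArray f)
+ VMCS12_MAX_FIELD_INDEX << 1);
+ }
+
++static int kvm_buf_set_msrs(X86CPU *cpu)
++{
++ int ret = kvm_vcpu_ioctl(CPU(cpu), KVM_SET_MSRS, cpu->kvm_msr_buf);
++ if (ret < 0) {
++ return ret;
++ }
++
++ if (ret < cpu->kvm_msr_buf->nmsrs) {
++ struct kvm_msr_entry *e = &cpu->kvm_msr_buf->entries[ret];
++ error_report("error: failed to set MSR 0x%" PRIx32 " to 0x%" PRIx64,
++ (uint32_t)e->index, (uint64_t)e->data);
++ }
++
++ assert(ret == cpu->kvm_msr_buf->nmsrs);
++ return 0;
++}
++
++static void kvm_init_msrs(X86CPU *cpu)
++{
++ CPUX86State *env = &cpu->env;
++
++ kvm_msr_buf_reset(cpu);
++ if (has_msr_arch_capabs) {
++ kvm_msr_entry_add(cpu, MSR_IA32_ARCH_CAPABILITIES,
++ env->features[FEAT_ARCH_CAPABILITIES]);
++ }
++
++ if (has_msr_core_capabs) {
++ kvm_msr_entry_add(cpu, MSR_IA32_CORE_CAPABILITY,
++ env->features[FEAT_CORE_CAPABILITY]);
++ }
++
++ /*
++ * Older kernels do not include VMX MSRs in KVM_GET_MSR_INDEX_LIST, but
++ * all kernels with MSR features should have them.
++ */
++ if (kvm_feature_msrs && cpu_has_vmx(env)) {
++ kvm_msr_entry_add_vmx(cpu, env->features);
++ }
++
++ assert(kvm_buf_set_msrs(cpu) == 0);
++}
++
+ static int kvm_put_msrs(X86CPU *cpu, int level)
+ {
+ CPUX86State *env = &cpu->env;
+ int i;
+- int ret;
+
+ kvm_msr_buf_reset(cpu);
+
+@@ -2722,17 +2768,6 @@ static int kvm_put_msrs(X86CPU *cpu, int level)
+ }
+ #endif
+
+- /* If host supports feature MSR, write down. */
+- if (has_msr_arch_capabs) {
+- kvm_msr_entry_add(cpu, MSR_IA32_ARCH_CAPABILITIES,
+- env->features[FEAT_ARCH_CAPABILITIES]);
+- }
+-
+- if (has_msr_core_capabs) {
+- kvm_msr_entry_add(cpu, MSR_IA32_CORE_CAPABILITY,
+- env->features[FEAT_CORE_CAPABILITY]);
+- }
+-
+ /*
+ * The following MSRs have side effects on the guest or are too heavy
+ * for normal writeback. Limit them to reset or full state updates.
+@@ -2910,14 +2945,6 @@ static int kvm_put_msrs(X86CPU *cpu, int level)
+
+ /* Note: MSR_IA32_FEATURE_CONTROL is written separately, see
+ * kvm_put_msr_feature_control. */
+-
+- /*
+- * Older kernels do not include VMX MSRs in KVM_GET_MSR_INDEX_LIST, but
+- * all kernels with MSR features should have them.
+- */
+- if (kvm_feature_msrs && cpu_has_vmx(env)) {
+- kvm_msr_entry_add_vmx(cpu, env->features);
+- }
+ }
+
+ if (env->mcg_cap) {
+@@ -2933,19 +2960,7 @@ static int kvm_put_msrs(X86CPU *cpu, int level)
+ }
+ }
+
+- ret = kvm_vcpu_ioctl(CPU(cpu), KVM_SET_MSRS, cpu->kvm_msr_buf);
+- if (ret < 0) {
+- return ret;
+- }
+-
+- if (ret < cpu->kvm_msr_buf->nmsrs) {
+- struct kvm_msr_entry *e = &cpu->kvm_msr_buf->entries[ret];
+- error_report("error: failed to set MSR 0x%" PRIx32 " to 0x%" PRIx64,
+- (uint32_t)e->index, (uint64_t)e->data);
+- }
+-
+- assert(ret == cpu->kvm_msr_buf->nmsrs);
+- return 0;
++ return kvm_buf_set_msrs(cpu);
+ }
+
+
+diff --git a/target/i386/kvm_i386.h b/target/i386/kvm_i386.h
+index 7d0242f5fb..00bde7acaf 100644
+--- a/target/i386/kvm_i386.h
++++ b/target/i386/kvm_i386.h
+@@ -46,4 +46,5 @@ bool kvm_enable_x2apic(void);
+ bool kvm_has_x2apic_api(void);
+
+ bool kvm_hv_vpindex_settable(void);
++
+ #endif
+--
+2.25.1
+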
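diff --git a/debian/patches/stable/lp-1867519-tcg-save-vaddr-temp-for-plugin-usage.patch b/debian/patches/stable/lp-1867519-tcg-save-vaddr-temp-for-plugin-usage.patch
new file mode 100644
index 0000000..5d0bbf2
--- /dev/null
+++ b/debian/patches/stable/lp-1867519-tcg-save-vaddr-temp-for-plugin-usage.patch
@@ -0,0 +1,98 @@
+From fcc54ab5c7ca84ae72e8bf3781c33c9193a911aa Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Alex=20Benn=C3=A9e?= <alex.bennee@linaro.org>
+Date: Tue, 25 Feb 2020 17:49:08 +0000
+Subject: [PATCH] tcg: save vaddr temp for plugin usage
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+While do_gen_mem_cb does copy (via extu_tl_i64) vaddr into a new temp
+this won't help if the vaddr temp gets clobbered by the actual
+load/store op. To avoid this clobbering we explicitly copy vaddr
+before the op to ensure it is live my the time we do the
+instrumentation.
+
+Suggested-by: Richard Henderson <richard.henderson@linaro.org>
+Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Emilio G. Cota <cota@braap.org>
+Cc: qemu-stable@nongnu.org
+Message-Id: <20200225124710.14152-18-alex.bennee@linaro.org>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=fcc54ab5c7ca84ae72e8bf3781c33c9193a911aa
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1867519
+Last-Update: 2020-03-18
+
+---
+ tcg/tcg-op.c | 23 ++++++++++++++++++++---
+ 1 file changed, 20 insertions(+), 3 deletions(-)
+
+diff --git a/tcg/tcg-op.c b/tcg/tcg-op.c
+index 7d782002e3..e2e25ebf7d 100644
+--- a/tcg/tcg-op.c
++++ b/tcg/tcg-op.c
+@@ -2794,13 +2794,26 @@ static void tcg_gen_req_mo(TCGBar type)
+ }
+ }
+
++static inline TCGv plugin_prep_mem_callbacks(TCGv vaddr)
++{
++#ifdef CONFIG_PLUGIN
++ if (tcg_ctx->plugin_insn != NULL) {
++ /* Save a copy of the vaddr for use after a load. */
++ TCGv temp = tcg_temp_new();
++ tcg_gen_mov_tl(temp, vaddr);
++ return temp;
++ }
++#endif
++ return vaddr;
++}
++
+ static inline void plugin_gen_mem_callbacks(TCGv vaddr, uint16_t info)
+ {
+ #ifdef CONFIG_PLUGIN
+- if (tcg_ctx->plugin_insn == NULL) {
+- return;
++ if (tcg_ctx->plugin_insn != NULL) {
++ plugin_gen_empty_mem_callback(vaddr, info);
++ tcg_temp_free(vaddr);
+ }
+- plugin_gen_empty_mem_callback(vaddr, info);
+ #endif
+ }
+
+@@ -2822,6 +2835,7 @@ void tcg_gen_qemu_ld_i32(TCGv_i32 val, TCGv addr, TCGArg idx, MemOp memop)
+ }
+ }
+
++ addr = plugin_prep_mem_callbacks(addr);
+ gen_ldst_i32(INDEX_op_qemu_ld_i32, val, addr, memop, idx);
+ plugin_gen_mem_callbacks(addr, info);
+
+@@ -2868,6 +2882,7 @@ void tcg_gen_qemu_st_i32(TCGv_i32 val, TCGv addr, TCGArg idx, MemOp memop)
+ memop &= ~MO_BSWAP;
+ }
+
++ addr = plugin_prep_mem_callbacks(addr);
+ gen_ldst_i32(INDEX_op_qemu_st_i32, val, addr, memop, idx);
+ plugin_gen_mem_callbacks(addr, info);
+
+@@ -2905,6 +2920,7 @@ void tcg_gen_qemu_ld_i64(TCGv_i64 val, TCGv addr, TCGArg idx, MemOp memop)
+ }
+ }
+
++ addr = plugin_prep_mem_callbacks(addr);
+ gen_ldst_i64(INDEX_op_qemu_ld_i64, val, addr, memop, idx);
+ plugin_gen_mem_callbacks(addr, info);
+
+@@ -2967,6 +2983,7 @@ void tcg_gen_qemu_st_i64(TCGv_i64 val, TCGv addr, TCGArg idx, MemOp memop)
+ memop &= ~MO_BSWAP;
+ }
+
++ addr = plugin_prep_mem_callbacks(addr);
+ gen_ldst_i64(INDEX_op_qemu_st_i64, val, addr, memop, idx);
+ plugin_gen_mem_callbacks(addr, info);
+
+--
+2.25.1
+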
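diff --git a/debian/patches/stable/lp-1867519-tpm-ppi-page-align-PPI-RAM.patch b/debian/patches/stable/lp-1867519-tpm-ppi-page-align-PPI-RAM.patch
new file mode 100644
index 0000000..209bd3e
--- /dev/null
+++ b/debian/patches/stable/lp-1867519-tpm-ppi-page-align-PPI-RAM.patch
@@ -0,0 +1,47 @@
+From 71e415c8a75c130875f14d6b2136825789feb297 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
+Date: Fri, 3 Jan 2020 11:39:59 +0400
+Subject: [PATCH] tpm-ppi: page-align PPI RAM
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+post-copy migration fails on destination with error such as:
+2019-12-26T10:22:44.714644Z qemu-kvm: ram_block_discard_range:
+Unaligned start address: 0x559d2afae9a0
+
+Use qemu_memalign() to constrain the PPI RAM memory alignment.
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
+Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
+Message-id: 20200103074000.1006389-3-marcandre.lureau@redhat.com
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=71e415c8a75c130875f14d6b2136825789feb297
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1867519
+Last-Update: 2020-03-18
+
+---
+ hw/tpm/tpm_ppi.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/hw/tpm/tpm_ppi.c b/hw/tpm/tpm_ppi.c
+index ff314592b4..6d9c1a3e40 100644
+--- a/hw/tpm/tpm_ppi.c
++++ b/hw/tpm/tpm_ppi.c
+@@ -43,7 +43,8 @@ void tpm_ppi_reset(TPMPPI *tpmppi)
+ void tpm_ppi_init(TPMPPI *tpmppi, struct MemoryRegion *m,
+ hwaddr addr, Object *obj)
+ {
+- tpmppi->buf = g_malloc0(HOST_PAGE_ALIGN(TPM_PPI_ADDR_SIZE));
++ tpmppi->buf = qemu_memalign(qemu_real_host_page_size,
++ HOST_PAGE_ALIGN(TPM_PPI_ADDR_SIZE));
+ memory_region_init_ram_device_ptr(&tpmppi->ram, obj, "tpm-ppi",
+ TPM_PPI_ADDR_SIZE, tpmppi->buf);
+ vmstate_register_ram(&tpmppi->ram, DEVICE(obj));
+--
+2.25.1
+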
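Review bot: Replacing g_malloc0() with qemu_memalign() in tpm_ppi_init drops the zero-initialisation the old call provided, so the buffer that memory_region_init_ram_device_ptr() hands to the guest now starts as uninitialised host heap unless something else clears it. That is a functional risk if tpm_ppi_reset() or the ACPI side reads the buffer before the guest has written it, and an information-exposure concern because the region is presumably guest-visible. The fix is one line after the allocation, `memset(tpmppi->buf, 0, HOST_PAGE_ALIGN(TPM_PPI_ADDR_SIZE));`, but since this is a verbatim stable backport it should be confirmed against or taken from upstream rather than patched locally. Any release path for this buffer (none is visible in the hunk) must now pair with qemu_vfree() rather than g_free().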
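diff --git a/debian/patches/stable/lp-1867519-vfio-pci-Don-t-remove-irqchip-notifier-if-not-regist.patch b/debian/patches/stable/lp-1867519-vfio-pci-Don-t-remove-irqchip-notifier-if-not-regist.patch
new file mode 100644
index 0000000..f52b1bd
--- /dev/null
+++ b/debian/patches/stable/lp-1867519-vfio-pci-Don-t-remove-irqchip-notifier-if-not-regist.patch
@@ -0,0 +1,50 @@
+From 0446f8121723b134ca1d1ed0b73e96d4a0a8689d Mon Sep 17 00:00:00 2001
+From: Peter Xu <peterx@redhat.com>
+Date: Mon, 6 Jan 2020 13:34:45 -0700
+Subject: [PATCH] vfio/pci: Don't remove irqchip notifier if not registered
+
+The kvm irqchip notifier is only registered if the device supports
+INTx, however it's unconditionally removed. If the assigned device
+does not support INTx, this will cause QEMU to crash when unplugging
+the device from the system. Change it to conditionally remove the
+notifier only if the notify hook is setup.
+
+CC: Eduardo Habkost <ehabkost@redhat.com>
+CC: David Gibson <david@gibson.dropbear.id.au>
+CC: Alex Williamson <alex.williamson@redhat.com>
+Cc: qemu-stable@nongnu.org # v4.2
+Reported-by: yanghliu@redhat.com
+Debugged-by: Eduardo Habkost <ehabkost@redhat.com>
+Fixes: c5478fea27ac ("vfio/pci: Respond to KVM irqchip change notifier")
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1782678
+Signed-off-by: Peter Xu <peterx@redhat.com>
+Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
+Reviewed-by: Greg Kurz <groug@kaod.org>
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=0446f8121723b134ca1d1ed0b73e96d4a0a8689d
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1867519
+Last-Update: 2020-03-18
+
+---
+ hw/vfio/pci.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/hw/vfio/pci.c b/hw/vfio/pci.c
+index 2d40b396f2..337a173ce7 100644
+--- a/hw/vfio/pci.c
++++ b/hw/vfio/pci.c
+@@ -3076,7 +3076,9 @@ static void vfio_exitfn(PCIDevice *pdev)
+ vfio_unregister_req_notifier(vdev);
+ vfio_unregister_err_notifier(vdev);
+ pci_device_set_intx_routing_notifier(&vdev->pdev, NULL);
+- kvm_irqchip_remove_change_notifier(&vdev->irqchip_change_notifier);
++ if (vdev->irqchip_change_notifier.notify) {
++ kvm_irqchip_remove_change_notifier(&vdev->irqchip_change_notifier);
++ }
+ vfio_disable_interrupts(vdev);
+ if (vdev->intx.mmap_timer) {
+ timer_free(vdev->intx.mmap_timer);
+--
+2.25.1
+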
2839diff --git a/debian/patches/stable/lp-1867519-virtio-gracefully-handle-invalid-region-caches.patch b/debian/patches/stable/lp-1867519-virtio-gracefully-handle-invalid-region-caches.patch
2840new file mode 100644
2841index 0000000..177cafe
2842--- /dev/null
2843+++ b/debian/patches/stable/lp-1867519-virtio-gracefully-handle-invalid-region-caches.patch
2844@@ -0,0 +1,331 @@
2845+From abdd16f4681cc4d6bf84990227b5c9b98e869ccd Mon Sep 17 00:00:00 2001
2846+From: Stefan Hajnoczi <stefanha@redhat.com>
2847+Date: Fri, 7 Feb 2020 10:46:19 +0000
2848+Subject: [PATCH] virtio: gracefully handle invalid region caches
2849+
2850+The virtqueue code sets up MemoryRegionCaches to access the virtqueue
2851+guest RAM data structures. The code currently assumes that
2852+VRingMemoryRegionCaches is initialized before device emulation code
2853+accesses the virtqueue. An assertion will fail in
2854+vring_get_region_caches() when this is not true. Device fuzzing found a
2855+case where this assumption is false (see below).
2856+
2857+Virtqueue guest RAM addresses can also be changed from a vCPU thread
2858+while an IOThread is accessing the virtqueue. This breaks the same
2859+assumption but this time the caches could become invalid partway through
2860+the virtqueue code. The code fetches the caches RCU pointer multiple
2861+times so we will need to validate the pointer every time it is fetched.
2862+
2863+Add checks each time we call vring_get_region_caches() and treat invalid
2864+caches as a nop: memory stores are ignored and memory reads return 0.
2865+
2866+The fuzz test failure is as follows:
2867+
2868+ $ qemu -M pc -device virtio-blk-pci,id=drv0,drive=drive0,addr=4.0 \
2869+ -drive if=none,id=drive0,file=null-co://,format=raw,auto-read-only=off \
2870+ -drive if=none,id=drive1,file=null-co://,file.read-zeroes=on,format=raw \
2871+ -display none \
2872+ -qtest stdio
2873+ endianness
2874+ outl 0xcf8 0x80002020
2875+ outl 0xcfc 0xe0000000
2876+ outl 0xcf8 0x80002004
2877+ outw 0xcfc 0x7
2878+ write 0xe0000000 0x24 0x00ffffffabffffffabffffffabffffffabffffffabffffffabffffffabffffffabffffffabffffffabffffffabffffffabffffffabffffffab5cffffffabffffffabffffffabffffffabffffffabffffffabffffffabffffffabffffffabffffffabffffffabffffffabffffffabffffffabffffffab0000000001
2879+ inb 0x4
2880+ writew 0xe000001c 0x1
2881+ write 0xe0000014 0x1 0x0d
2882+
2883+The following error message is produced:
2884+
2885+ qemu-system-x86_64: /home/stefanha/qemu/hw/virtio/virtio.c:286: vring_get_region_caches: Assertion `caches != NULL' failed.
2886+
2887+The backtrace looks like this:
2888+
2889+ #0 0x00007ffff5520625 in raise () at /lib64/libc.so.6
2890+ #1 0x00007ffff55098d9 in abort () at /lib64/libc.so.6
2891+ #2 0x00007ffff55097a9 in _nl_load_domain.cold () at /lib64/libc.so.6
2892+ #3 0x00007ffff5518a66 in annobin_assert.c_end () at /lib64/libc.so.6
2893+ #4 0x00005555559073da in vring_get_region_caches (vq=<optimized out>) at qemu/hw/virtio/virtio.c:286
2894+ #5 vring_get_region_caches (vq=<optimized out>) at qemu/hw/virtio/virtio.c:283
2895+ #6 0x000055555590818d in vring_used_flags_set_bit (mask=1, vq=0x5555575ceea0) at qemu/hw/virtio/virtio.c:398
2896+ #7 virtio_queue_split_set_notification (enable=0, vq=0x5555575ceea0) at qemu/hw/virtio/virtio.c:398
2897+ #8 virtio_queue_set_notification (vq=vq@entry=0x5555575ceea0, enable=enable@entry=0) at qemu/hw/virtio/virtio.c:451
2898+ #9 0x0000555555908512 in virtio_queue_set_notification (vq=vq@entry=0x5555575ceea0, enable=enable@entry=0) at qemu/hw/virtio/virtio.c:444
2899+ #10 0x00005555558c697a in virtio_blk_handle_vq (s=0x5555575c57e0, vq=0x5555575ceea0) at qemu/hw/block/virtio-blk.c:775
2900+ #11 0x0000555555907836 in virtio_queue_notify_aio_vq (vq=0x5555575ceea0) at qemu/hw/virtio/virtio.c:2244
2901+ #12 0x0000555555cb5dd7 in aio_dispatch_handlers (ctx=ctx@entry=0x55555671a420) at util/aio-posix.c:429
2902+ #13 0x0000555555cb67a8 in aio_dispatch (ctx=0x55555671a420) at util/aio-posix.c:460
2903+ #14 0x0000555555cb307e in aio_ctx_dispatch (source=<optimized out>, callback=<optimized out>, user_data=<optimized out>) at util/async.c:260
2904+ #15 0x00007ffff7bbc510 in g_main_context_dispatch () at /lib64/libglib-2.0.so.0
2905+ #16 0x0000555555cb5848 in glib_pollfds_poll () at util/main-loop.c:219
2906+ #17 os_host_main_loop_wait (timeout=<optimized out>) at util/main-loop.c:242
2907+ #18 main_loop_wait (nonblocking=<optimized out>) at util/main-loop.c:518
2908+ #19 0x00005555559b20c9 in main_loop () at vl.c:1683
2909+ #20 0x0000555555838115 in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at vl.c:4441
2910+
2911+Reported-by: Alexander Bulekov <alxndr@bu.edu>
2912+Cc: Michael Tsirkin <mst@redhat.com>
2913+Cc: Cornelia Huck <cohuck@redhat.com>
2914+Cc: Paolo Bonzini <pbonzini@redhat.com>
2915+Cc: qemu-stable@nongnu.org
2916+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2917+Message-Id: <20200207104619.164892-1-stefanha@redhat.com>
2918+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
2919+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2920+
2921+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=abdd16f4681cc4d6bf84990227b5c9b98e869ccd
2922+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1867519
2923+Last-Update: 2020-03-18
2924+
2925+---
2926+ hw/virtio/virtio.c | 99 ++++++++++++++++++++++++++++++++++++++++++----
2927+ 1 file changed, 91 insertions(+), 8 deletions(-)
2928+
2929+diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
2930+index 2c5410e981..00d444699d 100644
2931+--- a/hw/virtio/virtio.c
2932++++ b/hw/virtio/virtio.c
2933+@@ -282,15 +282,19 @@ static void vring_packed_flags_write(VirtIODevice *vdev,
2934+ /* Called within rcu_read_lock(). */
2935+ static VRingMemoryRegionCaches *vring_get_region_caches(struct VirtQueue *vq)
2936+ {
2937+- VRingMemoryRegionCaches *caches = atomic_rcu_read(&vq->vring.caches);
2938+- assert(caches != NULL);
2939+- return caches;
2940++ return atomic_rcu_read(&vq->vring.caches);
2941+ }
2942++
2943+ /* Called within rcu_read_lock(). */
2944+ static inline uint16_t vring_avail_flags(VirtQueue *vq)
2945+ {
2946+ VRingMemoryRegionCaches *caches = vring_get_region_caches(vq);
2947+ hwaddr pa = offsetof(VRingAvail, flags);
2948++
2949++ if (!caches) {
2950++ return 0;
2951++ }
2952++
2953+ return virtio_lduw_phys_cached(vq->vdev, &caches->avail, pa);
2954+ }
2955+
2956+@@ -299,6 +303,11 @@ static inline uint16_t vring_avail_idx(VirtQueue *vq)
2957+ {
2958+ VRingMemoryRegionCaches *caches = vring_get_region_caches(vq);
2959+ hwaddr pa = offsetof(VRingAvail, idx);
2960++
2961++ if (!caches) {
2962++ return 0;
2963++ }
2964++
2965+ vq->shadow_avail_idx = virtio_lduw_phys_cached(vq->vdev, &caches->avail, pa);
2966+ return vq->shadow_avail_idx;
2967+ }
2968+@@ -308,6 +317,11 @@ static inline uint16_t vring_avail_ring(VirtQueue *vq, int i)
2969+ {
2970+ VRingMemoryRegionCaches *caches = vring_get_region_caches(vq);
2971+ hwaddr pa = offsetof(VRingAvail, ring[i]);
2972++
2973++ if (!caches) {
2974++ return 0;
2975++ }
2976++
2977+ return virtio_lduw_phys_cached(vq->vdev, &caches->avail, pa);
2978+ }
2979+
2980+@@ -323,6 +337,11 @@ static inline void vring_used_write(VirtQueue *vq, VRingUsedElem *uelem,
2981+ {
2982+ VRingMemoryRegionCaches *caches = vring_get_region_caches(vq);
2983+ hwaddr pa = offsetof(VRingUsed, ring[i]);
2984++
2985++ if (!caches) {
2986++ return;
2987++ }
2988++
2989+ virtio_tswap32s(vq->vdev, &uelem->id);
2990+ virtio_tswap32s(vq->vdev, &uelem->len);
2991+ address_space_write_cached(&caches->used, pa, uelem, sizeof(VRingUsedElem));
2992+@@ -334,6 +353,11 @@ static uint16_t vring_used_idx(VirtQueue *vq)
2993+ {
2994+ VRingMemoryRegionCaches *caches = vring_get_region_caches(vq);
2995+ hwaddr pa = offsetof(VRingUsed, idx);
2996++
2997++ if (!caches) {
2998++ return 0;
2999++ }
3000++
3001+ return virtio_lduw_phys_cached(vq->vdev, &caches->used, pa);
3002+ }
3003+
3004+@@ -342,8 +366,12 @@ static inline void vring_used_idx_set(VirtQueue *vq, uint16_t val)
3005+ {
3006+ VRingMemoryRegionCaches *caches = vring_get_region_caches(vq);
3007+ hwaddr pa = offsetof(VRingUsed, idx);
3008+- virtio_stw_phys_cached(vq->vdev, &caches->used, pa, val);
3009+- address_space_cache_invalidate(&caches->used, pa, sizeof(val));
3010++
3011++ if (caches) {
3012++ virtio_stw_phys_cached(vq->vdev, &caches->used, pa, val);
3013++ address_space_cache_invalidate(&caches->used, pa, sizeof(val));
3014++ }
3015++
3016+ vq->used_idx = val;
3017+ }
3018+
3019+@@ -353,8 +381,13 @@ static inline void vring_used_flags_set_bit(VirtQueue *vq, int mask)
3020+ VRingMemoryRegionCaches *caches = vring_get_region_caches(vq);
3021+ VirtIODevice *vdev = vq->vdev;
3022+ hwaddr pa = offsetof(VRingUsed, flags);
3023+- uint16_t flags = virtio_lduw_phys_cached(vq->vdev, &caches->used, pa);
3024++ uint16_t flags;
3025+
3026++ if (!caches) {
3027++ return;
3028++ }
3029++
3030++ flags = virtio_lduw_phys_cached(vq->vdev, &caches->used, pa);
3031+ virtio_stw_phys_cached(vdev, &caches->used, pa, flags | mask);
3032+ address_space_cache_invalidate(&caches->used, pa, sizeof(flags));
3033+ }
3034+@@ -365,8 +398,13 @@ static inline void vring_used_flags_unset_bit(VirtQueue *vq, int mask)
3035+ VRingMemoryRegionCaches *caches = vring_get_region_caches(vq);
3036+ VirtIODevice *vdev = vq->vdev;
3037+ hwaddr pa = offsetof(VRingUsed, flags);
3038+- uint16_t flags = virtio_lduw_phys_cached(vq->vdev, &caches->used, pa);
3039++ uint16_t flags;
3040+
3041++ if (!caches) {
3042++ return;
3043++ }
3044++
3045++ flags = virtio_lduw_phys_cached(vq->vdev, &caches->used, pa);
3046+ virtio_stw_phys_cached(vdev, &caches->used, pa, flags & ~mask);
3047+ address_space_cache_invalidate(&caches->used, pa, sizeof(flags));
3048+ }
3049+@@ -381,6 +419,10 @@ static inline void vring_set_avail_event(VirtQueue *vq, uint16_t val)
3050+ }
3051+
3052+ caches = vring_get_region_caches(vq);
3053++ if (!caches) {
3054++ return;
3055++ }
3056++
3057+ pa = offsetof(VRingUsed, ring[vq->vring.num]);
3058+ virtio_stw_phys_cached(vq->vdev, &caches->used, pa, val);
3059+ address_space_cache_invalidate(&caches->used, pa, sizeof(val));
3060+@@ -410,7 +452,11 @@ static void virtio_queue_packed_set_notification(VirtQueue *vq, int enable)
3061+ VRingMemoryRegionCaches *caches;
3062+
3063+ RCU_READ_LOCK_GUARD();
3064+- caches = vring_get_region_caches(vq);
3065++ caches = vring_get_region_caches(vq);
3066++ if (!caches) {
3067++ return;
3068++ }
3069++
3070+ vring_packed_event_read(vq->vdev, &caches->used, &e);
3071+
3072+ if (!enable) {
3073+@@ -597,6 +643,10 @@ static int virtio_queue_packed_empty_rcu(VirtQueue *vq)
3074+ }
3075+
3076+ cache = vring_get_region_caches(vq);
3077++ if (!cache) {
3078++ return 1;
3079++ }
3080++
3081+ vring_packed_desc_read_flags(vq->vdev, &desc.flags, &cache->desc,
3082+ vq->last_avail_idx);
3083+
3084+@@ -777,6 +827,10 @@ static void virtqueue_packed_fill_desc(VirtQueue *vq,
3085+ }
3086+
3087+ caches = vring_get_region_caches(vq);
3088++ if (!caches) {
3089++ return;
3090++ }
3091++
3092+ vring_packed_desc_write(vq->vdev, &desc, &caches->desc, head, strict_order);
3093+ }
3094+
3095+@@ -949,6 +1003,10 @@ static void virtqueue_split_get_avail_bytes(VirtQueue *vq,
3096+
3097+ max = vq->vring.num;
3098+ caches = vring_get_region_caches(vq);
3099++ if (!caches) {
3100++ goto err;
3101++ }
3102++
3103+ while ((rc = virtqueue_num_heads(vq, idx)) > 0) {
3104+ MemoryRegionCache *desc_cache = &caches->desc;
3105+ unsigned int num_bufs;
3106+@@ -1089,6 +1147,9 @@ static void virtqueue_packed_get_avail_bytes(VirtQueue *vq,
3107+
3108+ max = vq->vring.num;
3109+ caches = vring_get_region_caches(vq);
3110++ if (!caches) {
3111++ goto err;
3112++ }
3113+
3114+ for (;;) {
3115+ unsigned int num_bufs = total_bufs;
3116+@@ -1194,6 +1255,10 @@ void virtqueue_get_avail_bytes(VirtQueue *vq, unsigned int *in_bytes,
3117+ }
3118+
3119+ caches = vring_get_region_caches(vq);
3120++ if (!caches) {
3121++ goto err;
3122++ }
3123++
3124+ desc_size = virtio_vdev_has_feature(vq->vdev, VIRTIO_F_RING_PACKED) ?
3125+ sizeof(VRingPackedDesc) : sizeof(VRingDesc);
3126+ if (caches->desc.len < vq->vring.num * desc_size) {
3127+@@ -1387,6 +1452,11 @@ static void *virtqueue_split_pop(VirtQueue *vq, size_t sz)
3128+ i = head;
3129+
3130+ caches = vring_get_region_caches(vq);
3131++ if (!caches) {
3132++ virtio_error(vdev, "Region caches not initialized");
3133++ goto done;
3134++ }
3135++
3136+ if (caches->desc.len < max * sizeof(VRingDesc)) {
3137+ virtio_error(vdev, "Cannot map descriptor ring");
3138+ goto done;
3139+@@ -1509,6 +1579,11 @@ static void *virtqueue_packed_pop(VirtQueue *vq, size_t sz)
3140+ i = vq->last_avail_idx;
3141+
3142+ caches = vring_get_region_caches(vq);
3143++ if (!caches) {
3144++ virtio_error(vdev, "Region caches not initialized");
3145++ goto done;
3146++ }
3147++
3148+ if (caches->desc.len < max * sizeof(VRingDesc)) {
3149+ virtio_error(vdev, "Cannot map descriptor ring");
3150+ goto done;
3151+@@ -1628,6 +1703,10 @@ static unsigned int virtqueue_packed_drop_all(VirtQueue *vq)
3152+ VRingPackedDesc desc;
3153+
3154+ caches = vring_get_region_caches(vq);
3155++ if (!caches) {
3156++ return 0;
3157++ }
3158++
3159+ desc_cache = &caches->desc;
3160+
3161+ virtio_queue_set_notification(vq, 0);
3162+@@ -2412,6 +2491,10 @@ static bool virtio_packed_should_notify(VirtIODevice *vdev, VirtQueue *vq)
3163+ VRingMemoryRegionCaches *caches;
3164+
3165+ caches = vring_get_region_caches(vq);
3166++ if (!caches) {
3167++ return false;
3168++ }
3169++
3170+ vring_packed_event_read(vdev, &caches->avail, &e);
3171+
3172+ old = vq->signalled_used;
3173+--
3174+2.25.1
3175+
3176diff --git a/debian/patches/stable/lp-1867519-virtio-mmio-update-queue-size-on-guest-write.patch b/debian/patches/stable/lp-1867519-virtio-mmio-update-queue-size-on-guest-write.patch
3177new file mode 100644
3178index 0000000..d18b0ee
3179--- /dev/null
3180+++ b/debian/patches/stable/lp-1867519-virtio-mmio-update-queue-size-on-guest-write.patch
3181@@ -0,0 +1,40 @@
3182+From 1049f4c62c4070618cc5defc9963c6a17ae7a5ae Mon Sep 17 00:00:00 2001
3183+From: Denis Plotnikov <dplotnikov@virtuozzo.com>
3184+Date: Tue, 24 Dec 2019 11:14:46 +0300
3185+Subject: [PATCH] virtio-mmio: update queue size on guest write
3186+
3187+Some guests read back queue size after writing it.
3188+Always update the on size write otherwise they might be confused.
3189+
3190+Cc: qemu-stable@nongnu.org
3191+Signed-off-by: Denis Plotnikov <dplotnikov@virtuozzo.com>
3192+Message-Id: <20191224081446.17003-1-dplotnikov@virtuozzo.com>
3193+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
3194+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
3195+
3196+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=1049f4c62c4070618cc5defc9963c6a17ae7a5ae
3197+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1867519
3198+Last-Update: 2020-03-18
3199+
3200+---
3201+ hw/virtio/virtio-mmio.c | 3 ++-
3202+ 1 file changed, 2 insertions(+), 1 deletion(-)
3203+
3204+diff --git a/hw/virtio/virtio-mmio.c b/hw/virtio/virtio-mmio.c
3205+index ef40b7a9b2..872f2cd237 100644
3206+--- a/hw/virtio/virtio-mmio.c
3207++++ b/hw/virtio/virtio-mmio.c
3208+@@ -308,8 +308,9 @@ static void virtio_mmio_write(void *opaque, hwaddr offset, uint64_t value,
3209+ break;
3210+ case VIRTIO_MMIO_QUEUE_NUM:
3211+ trace_virtio_mmio_queue_write(value, VIRTQUEUE_MAX_SIZE);
3212++ virtio_queue_set_num(vdev, vdev->queue_sel, value);
3213++
3214+ if (proxy->legacy) {
3215+- virtio_queue_set_num(vdev, vdev->queue_sel, value);
3216+ virtio_queue_update_rings(vdev, vdev->queue_sel);
3217+ } else {
3218+ proxy->vqs[vdev->queue_sel].num = value;
3219+--
3220+2.25.1
3221+
3222diff --git a/debian/patches/stable/lp-1867519-virtio-net-delete-also-control-queue-when-TX-RX-dele.patch b/debian/patches/stable/lp-1867519-virtio-net-delete-also-control-queue-when-TX-RX-dele.patch
3223new file mode 100644
3224index 0000000..1db89ff
3225--- /dev/null
3226+++ b/debian/patches/stable/lp-1867519-virtio-net-delete-also-control-queue-when-TX-RX-dele.patch
3227@@ -0,0 +1,41 @@
3228+From d945d9f1731244ef341f74ede93120fc9de35913 Mon Sep 17 00:00:00 2001
3229+From: Yuri Benditovich <yuri.benditovich@daynix.com>
3230+Date: Thu, 26 Dec 2019 06:36:49 +0200
3231+Subject: [PATCH] virtio-net: delete also control queue when TX/RX deleted
3232+
3233+https://bugzilla.redhat.com/show_bug.cgi?id=1708480
3234+If the control queue is not deleted together with TX/RX, it
3235+later will be ignored in freeing cache resources and hot
3236+unplug will not be completed.
3237+
3238+Cc: qemu-stable@nongnu.org
3239+Signed-off-by: Yuri Benditovich <yuri.benditovich@daynix.com>
3240+Message-Id: <20191226043649.14481-3-yuri.benditovich@daynix.com>
3241+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
3242+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
3243+
3244+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=d945d9f1731244ef341f74ede93120fc9de35913
3245+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1867519
3246+Last-Update: 2020-03-18
3247+
3248+---
3249+ hw/net/virtio-net.c | 3 ++-
3250+ 1 file changed, 2 insertions(+), 1 deletion(-)
3251+
3252+diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
3253+index db3d7c38e6..f325440d01 100644
3254+--- a/hw/net/virtio-net.c
3255++++ b/hw/net/virtio-net.c
3256+@@ -3101,7 +3101,8 @@ static void virtio_net_device_unrealize(DeviceState *dev, Error **errp)
3257+ for (i = 0; i < max_queues; i++) {
3258+ virtio_net_del_queue(n, i);
3259+ }
3260+-
3261++ /* delete also control vq */
3262++ virtio_del_queue(vdev, max_queues * 2);
3263+ qemu_announce_timer_del(&n->announce_timer, false);
3264+ g_free(n->vqs);
3265+ qemu_del_nic(n->nic);
3266+--
3267+2.25.1
3268+
3269diff --git a/debian/patches/stable/lp-1867519-virtio-update-queue-size-on-guest-write.patch b/debian/patches/stable/lp-1867519-virtio-update-queue-size-on-guest-write.patch
3270new file mode 100644
3271index 0000000..da81c2c
3272--- /dev/null
3273+++ b/debian/patches/stable/lp-1867519-virtio-update-queue-size-on-guest-write.patch
3274@@ -0,0 +1,40 @@
3275+From d0c5f643383b9e84316f148affff368ac33d75b9 Mon Sep 17 00:00:00 2001
3276+From: "Michael S. Tsirkin" <mst@redhat.com>
3277+Date: Fri, 13 Dec 2019 09:22:48 -0500
3278+Subject: [PATCH] virtio: update queue size on guest write
3279+
3280+Some guests read back queue size after writing it.
3281+Update the size immediatly upon write otherwise
3282+they get confused.
3283+
3284+In particular this is the case for seabios.
3285+
3286+Reported-by: Roman Kagan <rkagan@virtuozzo.com>
3287+Suggested-by: Denis Plotnikov <dplotnikov@virtuozzo.com>
3288+Cc: qemu-stable@nongnu.org
3289+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
3290+
3291+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=d0c5f643383b9e84316f148affff368ac33d75b9
3292+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1867519
3293+Last-Update: 2020-03-18
3294+
3295+---
3296+ hw/virtio/virtio-pci.c | 2 ++
3297+ 1 file changed, 2 insertions(+)
3298+
3299+diff --git a/hw/virtio/virtio-pci.c b/hw/virtio/virtio-pci.c
3300+index c6b47a9c73..e5c759e19e 100644
3301+--- a/hw/virtio/virtio-pci.c
3302++++ b/hw/virtio/virtio-pci.c
3303+@@ -1256,6 +1256,8 @@ static void virtio_pci_common_write(void *opaque, hwaddr addr,
3304+ break;
3305+ case VIRTIO_PCI_COMMON_Q_SIZE:
3306+ proxy->vqs[vdev->queue_sel].num = val;
3307++ virtio_queue_set_num(vdev, vdev->queue_sel,
3308++ proxy->vqs[vdev->queue_sel].num);
3309+ break;
3310+ case VIRTIO_PCI_COMMON_Q_MSIX:
3311+ msix_vector_unuse(&proxy->pci_dev,
3312+--
3313+2.25.1
3314+
3315diff --git a/debian/patches/ubuntu/lp-1847361-modules-load-upgrade.patch b/debian/patches/ubuntu/lp-1847361-modules-load-upgrade.patch
3316new file mode 100644
3317index 0000000..056f2e0
3318--- /dev/null
3319+++ b/debian/patches/ubuntu/lp-1847361-modules-load-upgrade.patch
3320@@ -0,0 +1,125 @@
3321+From ab7e28b0905b1e2daeb5d582cf0f0ce33ea47317 Mon Sep 17 00:00:00 2001
3322+From: Christian Ehrhardt <christian.ehrhardt@canonical.com>
3323+Date: Mon, 2 Mar 2020 15:12:53 +0100
3324+Subject: [PATCH] modules: load modules from versioned /var/run dir
3325+
3326+On upgrades the old .so files usually are replaced. But on the other
3327+hand since a qemu process represents a guest instance it is usually kept
3328+around.
3329+
3330+That makes late addition of dynamic features e.g. 'hot-attach of a ceph
3331+disk' fail by trying to load a new version of e.f. block-rbd.so into an
3332+old still running qemu binary.
3333+
3334+This adds a fallback to also load modules from a versioned directory in the
3335+temporary /var/run path. That way qemu is providing a way for packaging
3336+to store modules of an upgraded qemu package as needed until the next reboot.
3337+
3338+Fixes: https://bugs.launchpad.net/ubuntu/+source/qemu/+bug/1847361
3339+Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
3340+
3341+Forwarded: yes, https://lists.nongnu.org/archive/html/qemu-devel/2020-03/msg01593.html
3342+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1847361
3343+Last-Update: 2020-03-02
3344+
3345+---
3346+ configure | 15 +++++++++++++++
3347+ util/module.c | 14 ++++++++++++++
3348+ 2 files changed, 29 insertions(+)
3349+
3350+--- a/configure
3351++++ b/configure
3352+@@ -404,6 +404,7 @@ EXESUF=""
3353+ DSOSUF=".so"
3354+ LDFLAGS_SHARED="-shared"
3355+ modules="no"
3356++module_upgrades="no"
3357+ prefix="/usr/local"
3358+ mandir="\${prefix}/share/man"
3359+ datadir="\${prefix}/share"
3360+@@ -995,6 +996,10 @@ for opt do
3361+ --disable-modules)
3362+ modules="no"
3363+ ;;
3364++ --disable-module-upgrades) module_upgrades="no"
3365++ ;;
3366++ --enable-module-upgrades) module_upgrades="yes"
3367++ ;;
3368+ --cpu=*)
3369+ ;;
3370+ --target-list=*) target_list="$optarg"
3371+@@ -1735,6 +1740,7 @@ disabled with --disable-FEATURE, default
3372+ guest-agent-msi build guest agent Windows MSI installation package
3373+ pie Position Independent Executables
3374+ modules modules support (non-Windows)
3375++ module-upgrades try to load modules from alternate paths for upgrades
3376+ debug-tcg TCG debugging (default is disabled)
3377+ debug-info debugging information
3378+ sparse sparse checker
3379+@@ -1995,6 +2001,11 @@ if test "$modules" = "yes" && test "$min
3380+ error_exit "Modules are not available for Windows"
3381+ fi
3382+
3383++# module_upgrades is only reasonable if modules are enabled
3384++if test "$modules" = "no" && test "$module_upgrades" = "yes" ; then
3385++ error_exit "Can't enable module-upgrades as Modules are not enabled"
3386++fi
3387++
3388+ # Static linking is not possible with modules or PIE
3389+ if test "$static" = "yes" ; then
3390+ if test "$modules" = "yes" ; then
3391+@@ -6457,6 +6468,7 @@ if test "$slirp" != "no" ; then
3392+ echo "smbd $smbd"
3393+ fi
3394+ echo "module support $modules"
3395++echo "alt path mod load $module_upgrades"
3396+ echo "host CPU $cpu"
3397+ echo "host big endian $bigendian"
3398+ echo "target list $target_list"
3399+@@ -6814,6 +6826,9 @@ if test "$modules" = "yes"; then
3400+ echo "CONFIG_STAMP=_$( (echo $qemu_version; echo $pkgversion; cat $0) | $shacmd - | cut -f1 -d\ )" >> $config_host_mak
3401+ echo "CONFIG_MODULES=y" >> $config_host_mak
3402+ fi
3403++if test "$module_upgrades" = "yes"; then
3404++ echo "CONFIG_MODULE_UPGRADES=y" >> $config_host_mak
3405++fi
3406+ if test "$have_x11" = "yes" && test "$need_x11" = "yes"; then
3407+ echo "CONFIG_X11=y" >> $config_host_mak
3408+ echo "X11_CFLAGS=$x11_cflags" >> $config_host_mak
3409+--- a/util/module.c
3410++++ b/util/module.c
3411+@@ -19,6 +19,9 @@
3412+ #endif
3413+ #include "qemu/queue.h"
3414+ #include "qemu/module.h"
3415++#ifdef CONFIG_MODULE_UPGRADES
3416++#include "qemu-version.h"
3417++#endif
3418+
3419+ typedef struct ModuleEntry
3420+ {
3421+@@ -163,6 +166,9 @@ bool module_load_one(const char *prefix,
3422+ #ifdef CONFIG_MODULES
3423+ char *fname = NULL;
3424+ char *exec_dir;
3425++#ifdef CONFIG_MODULE_UPGRADES
3426++ char *version_dir;
3427++#endif
3428+ const char *search_dir;
3429+ char *dirs[4];
3430+ char *module_name;
3431+@@ -194,6 +200,14 @@ bool module_load_one(const char *prefix,
3432+ dirs[n_dirs++] = g_strdup_printf("%s", CONFIG_QEMU_MODDIR);
3433+ dirs[n_dirs++] = g_strdup_printf("%s/..", exec_dir ? : "");
3434+ dirs[n_dirs++] = g_strdup_printf("%s", exec_dir ? : "");
3435++
3436++#ifdef CONFIG_MODULE_UPGRADES
3437++ version_dir = g_strcanon(g_strdup(QEMU_PKGVERSION),
3438++ G_CSET_A_2_Z G_CSET_a_2_z G_CSET_DIGITS "+-.~",
3439++ '_');
3440++ dirs[n_dirs++] = g_strdup_printf("/var/run/qemu/%s", version_dir);
3441++#endif
3442++
3443+ assert(n_dirs <= ARRAY_SIZE(dirs));
3444+
3445+ g_free(exec_dir);
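Review bot: `version_dir` is allocated with g_strdup()/g_strcanon() but no `g_free(version_dir)` appears in the hunk; only `g_free(exec_dir)` is visible and module_load_one() continues past the hunk, so unless the tail frees it every module load leaks the string — `g_free(version_dir);` directly after the `g_strdup_printf()` that consumes it fixes that. Separately, this adds a dlopen() search path outside the package-managed tree; the scheme is only safe because /var/run (/run) is root-owned and not writable by the user qemu runs as, and that assumption is neither checked nor documented. I would add `/* fallback for upgraded packages; relies on /var/run/qemu being root-owned and not writable by the qemu user */` above the `#ifdef CONFIG_MODULE_UPGRADES` block, and consider skipping the directory if it is not root-owned with mode 0755.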
3446diff --git a/debian/patches/ubuntu/lp-1847361-vhost-correctly-turn-on-VIRTIO_F_IOMMU_PLATFORM.patch b/debian/patches/ubuntu/lp-1847361-vhost-correctly-turn-on-VIRTIO_F_IOMMU_PLATFORM.patch
3447new file mode 100644
3448index 0000000..6ef5d49
3449--- /dev/null
3450+++ b/debian/patches/ubuntu/lp-1847361-vhost-correctly-turn-on-VIRTIO_F_IOMMU_PLATFORM.patch
3451@@ -0,0 +1,61 @@
3452+From f7ef7e6e3ba6e994e070cc609eb154339d1c4a11 Mon Sep 17 00:00:00 2001
3453+From: Jason Wang <jasowang@redhat.com>
3454+Date: Mon, 2 Mar 2020 12:24:54 +0800
3455+Subject: [PATCH] vhost: correctly turn on VIRTIO_F_IOMMU_PLATFORM
3456+
3457+We turn on device IOTLB via VIRTIO_F_IOMMU_PLATFORM unconditionally on
3458+platform without IOMMU support. This can lead unnecessary IOTLB
3459+transactions which will damage the performance.
3460+
3461+Fixing this by check whether the device is backed by IOMMU and disable
3462+device IOTLB.
3463+
3464+Reported-by: Halil Pasic <pasic@linux.ibm.com>
3465+Tested-by: Halil Pasic <pasic@linux.ibm.com>
3466+Reviewed-by: Halil Pasic <pasic@linux.ibm.com>
3467+Signed-off-by: Jason Wang <jasowang@redhat.com>
3468+Message-Id: <20200302042454.24814-1-jasowang@redhat.com>
3469+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
3470+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
3471+
3472+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=f7ef7e6e3ba6e994e070cc609eb154339d1c4a11
3473+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1847361
3474+Last-Update: 2020-03-13
3475+
3476+---
3477+ hw/virtio/vhost.c | 12 +++++++++++-
3478+ 1 file changed, 11 insertions(+), 1 deletion(-)
3479+
3480+diff --git a/hw/virtio/vhost.c b/hw/virtio/vhost.c
3481+index 0d226dae10..01ebe12f28 100644
3482+--- a/hw/virtio/vhost.c
3483++++ b/hw/virtio/vhost.c
3484+@@ -290,7 +290,14 @@ static int vhost_dev_has_iommu(struct vhost_dev *dev)
3485+ {
3486+ VirtIODevice *vdev = dev->vdev;
3487+
3488+- return virtio_host_has_feature(vdev, VIRTIO_F_IOMMU_PLATFORM);
3489++ /*
3490++ * For vhost, VIRTIO_F_IOMMU_PLATFORM means the backend support
3491++ * incremental memory mapping API via IOTLB API. For platform that
3492++ * does not have IOMMU, there's no need to enable this feature
3493++ * which may cause unnecessary IOTLB miss/update trnasactions.
3494++ */
3495++ return vdev->dma_as != &address_space_memory &&
3496++ virtio_host_has_feature(vdev, VIRTIO_F_IOMMU_PLATFORM);
3497+ }
3498+
3499+ static void *vhost_memory_map(struct vhost_dev *dev, hwaddr addr,
3500+@@ -765,6 +772,9 @@ static int vhost_dev_set_features(struct vhost_dev *dev,
3501+ if (enable_log) {
3502+ features |= 0x1ULL << VHOST_F_LOG_ALL;
3503+ }
3504++ if (!vhost_dev_has_iommu(dev)) {
3505++ features &= ~(0x1ULL << VIRTIO_F_IOMMU_PLATFORM);
3506++ }
3507+ r = dev->vhost_ops->vhost_set_features(dev, features);
3508+ if (r < 0) {
3509+ VHOST_OPS_DEBUG("vhost_set_features failed");
3510+--
3511+2.25.1
3512+
3513diff --git a/debian/qemu-block-extra.postrm.in b/debian/qemu-block-extra.postrm.in
3514new file mode 100644
3515index 0000000..ef2126a
3516--- /dev/null
3517+++ b/debian/qemu-block-extra.postrm.in
3518@@ -0,0 +1,43 @@
3519+#!/bin/sh
3520+# postrm script for brrr
3521+#
3522+# see: dh_installdeb(1)
3523+
3524+set -e
3525+
3526+# summary of how this script can be called:
3527+# * <postrm> `remove'
3528+# * <postrm> `purge'
3529+# * <old-postrm> `upgrade' <new-version>
3530+# * <new-postrm> `failed-upgrade' <old-version>
3531+# * <new-postrm> `abort-install'
3532+# * <new-postrm> `abort-install' <old-version>
3533+# * <new-postrm> `abort-upgrade' <old-version>
3534+# * <disappearer's-postrm> `disappear' <overwriter>
3535+# <overwriter-version>
3536+# for details, see https://www.debian.org/doc/debian-policy/ or
3537+# the debian-policy package
3538+
3539+
3540+case "$1" in
3541+ purge|remove)
3542+ # remove .so files for still running qemu instances in /var/run
3543+ # for details see bug LP: #1847361
3544+ rm -f /var/run/qemu/@PKGVERSION@/block-*.so
3545+ ;;
3546+
3547+ upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
3548+ ;;
3549+
3550+ *)
3551+ echo "postrm called with unknown argument \`$1'" >&2
3552+ exit 1
3553+ ;;
3554+esac
3555+
3556+# dh_installdeb will replace this with shell code automatically
3557+# generated by other debhelper scripts.
3558+
3559+#DEBHELPER#
3560+
3561+exit 0
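Review bot: The `purge|remove` branch deletes only `block-*.so` and never removes `/var/run/qemu/@PKGVERSION@` itself, so an empty per-version directory stays behind until reboot; `rmdir --ignore-fail-on-non-empty /var/run/qemu/@PKGVERSION@ 2>/dev/null || true` after the rm would tidy that without clobbering files another package keeps there. The header comment `# postrm script for brrr` is a leftover template placeholder and should read `# postrm script for qemu-block-extra`. The `upgrade` case being a no-op means copies made by earlier prerm runs for older versions accumulate under /var/run/qemu across repeated upgrades until the next reboot — intended for still-running guests, but worth stating in the comment so nobody "fixes" it.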
3562diff --git a/debian/qemu-block-extra.prerm.in b/debian/qemu-block-extra.prerm.in
3563new file mode 100644
3564index 0000000..dee25a8
3565--- /dev/null
3566+++ b/debian/qemu-block-extra.prerm.in
3567@@ -0,0 +1,45 @@
3568+#!/bin/sh
3569+# prerm script for qemu-block-extra
3570+#
3571+# see: dh_installdeb(1)
3572+
3573+set -e
3574+
3575+# summary of how this script can be called:
3576+# * <prerm> `remove'
3577+# * <old-prerm> `upgrade' <new-version>
3578+# * <new-prerm> `failed-upgrade' <old-version>
3579+# * <conflictor's-prerm> `remove' `in-favour' <package> <new-version>
3580+# * <deconfigured's-prerm> `deconfigure' `in-favour'
3581+# <package-being-installed> <version> `removing'
3582+# <conflicting-package> <version>
3583+# for details, see https://www.debian.org/doc/debian-policy/ or
3584+# the debian-policy package
3585+
3586+
3587+case "$1" in
3588+ remove)
3589+ ;;
3590+
3591+ upgrade|deconfigure)
3592+ # retain .so files for still running qemu instances in /var/run
3593+ # for details see bug LP: #1847361
3594+ mkdir -p /var/run/qemu/@PKGVERSION@
3595+ cp /usr/lib/@ARCH@/qemu/block-*.so /var/run/qemu/@PKGVERSION@/
3596+ ;;
3597+
3598+ failed-upgrade)
3599+ ;;
3600+
3601+ *)
3602+ echo "prerm called with unknown argument \`$1'" >&2
3603+ exit 1
3604+ ;;
3605+esac
3606+
3607+# dh_installdeb will replace this with shell code automatically
3608+# generated by other debhelper scripts.
3609+
3610+#DEBHELPER#
3611+
3612+exit 0
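Review bot: With `set -e`, the `cp /usr/lib/@ARCH@/qemu/block-*.so /var/run/qemu/@PKGVERSION@/` line aborts the whole upgrade if the glob matches nothing or /run (tmpfs) has no space, although retaining modules for already-running guests is best-effort and should not block installing the new version. I would write it as `cp ... || echo "warning: could not retain qemu block modules for running instances" >&2`. The copy also relies on `mkdir -p` producing a root-owned 0755 directory under /var/run, which is what makes loading from there safe for the qemu process; that holds under the policy umask but deserves a comment, or an explicit `chmod 0755 /var/run/qemu/@PKGVERSION@` after the mkdir.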
3613diff --git a/debian/qemu-system-gui.postrm.in b/debian/qemu-system-gui.postrm.in
3614new file mode 100644
3615index 0000000..48c740a
3616--- /dev/null
3617+++ b/debian/qemu-system-gui.postrm.in
3618@@ -0,0 +1,44 @@
3619+#!/bin/sh
3620+# postrm script for brrr
3621+#
3622+# see: dh_installdeb(1)
3623+
3624+set -e
3625+
3626+# summary of how this script can be called:
3627+# * <postrm> `remove'
3628+# * <postrm> `purge'
3629+# * <old-postrm> `upgrade' <new-version>
3630+# * <new-postrm> `failed-upgrade' <old-version>
3631+# * <new-postrm> `abort-install'
3632+# * <new-postrm> `abort-install' <old-version>
3633+# * <new-postrm> `abort-upgrade' <old-version>
3634+# * <disappearer's-postrm> `disappear' <overwriter>
3635+# <overwriter-version>
3636+# for details, see https://www.debian.org/doc/debian-policy/ or
3637+# the debian-policy package
3638+
3639+
3640+case "$1" in
3641+ purge|remove)
3642+ # remove .so files for still running qemu instances in /var/run
3643+ # for details see bug LP: #1847361
3644+ rm -f /var/run/qemu/@PKGVERSION@/ui-gtk.so
3645+ rm -f /var/run/qemu/@PKGVERSION@/audio-*.so
3646+ ;;
3647+
3648+ upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
3649+ ;;
3650+
3651+ *)
3652+ echo "postrm called with unknown argument \`$1'" >&2
3653+ exit 1
3654+ ;;
3655+esac
3656+
3657+# dh_installdeb will replace this with shell code automatically
3658+# generated by other debhelper scripts.
3659+
3660+#DEBHELPER#
3661+
3662+exit 0
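Review bot: `# postrm script for brrr` is a placeholder left from the template; the sibling prerm names the package, so this should be `# postrm script for qemu-system-gui`. The two `rm -f` lines remove the retained modules but leave `/var/run/qemu/@PKGVERSION@` behind, and because qemu-block-extra shares that directory neither package can rmdir it unconditionally — `rmdir --ignore-fail-on-non-empty /var/run/qemu/@PKGVERSION@ 2>/dev/null || true` is safe in either removal order. The no-op `upgrade` case intentionally keeps older versions' copies for running guests; a one-line comment saying so would prevent a future cleanup from breaking hot-plug on those instances.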
3663diff --git a/debian/qemu-system-gui.prerm.in b/debian/qemu-system-gui.prerm.in
3664new file mode 100644
3665index 0000000..3624362
3666--- /dev/null
3667+++ b/debian/qemu-system-gui.prerm.in
3668@@ -0,0 +1,46 @@
3669+#!/bin/sh
3670+# prerm script for qemu-system-gui
3671+#
3672+# see: dh_installdeb(1)
3673+
3674+set -e
3675+
3676+# summary of how this script can be called:
3677+# * <prerm> `remove'
3678+# * <old-prerm> `upgrade' <new-version>
3679+# * <new-prerm> `failed-upgrade' <old-version>
3680+# * <conflictor's-prerm> `remove' `in-favour' <package> <new-version>
3681+# * <deconfigured's-prerm> `deconfigure' `in-favour'
3682+# <package-being-installed> <version> `removing'
3683+# <conflicting-package> <version>
3684+# for details, see https://www.debian.org/doc/debian-policy/ or
3685+# the debian-policy package
3686+
3687+
3688+case "$1" in
3689+ remove)
3690+ ;;
3691+
3692+ upgrade|deconfigure)
3693+ # retain .so files for still running qemu instances in /var/run
3694+ # for details see bug LP: #1847361
3695+ mkdir -p /var/run/qemu/@PKGVERSION@
3696+ cp /usr/lib/@ARCH@/qemu/ui-gtk.so /var/run/qemu/@PKGVERSION@/
3697+ cp /usr/lib/@ARCH@/qemu/audio-*.so /var/run/qemu/@PKGVERSION@/
3698+ ;;
3699+
3700+ failed-upgrade)
3701+ ;;
3702+
3703+ *)
3704+ echo "prerm called with unknown argument \`$1'" >&2
3705+ exit 1
3706+ ;;
3707+esac
3708+
3709+# dh_installdeb will replace this with shell code automatically
3710+# generated by other debhelper scripts.
3711+
3712+#DEBHELPER#
3713+
3714+exit 0
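Review bot: Under `set -e`, if `cp /usr/lib/@ARCH@/qemu/ui-gtk.so ...` fails (file absent on a build without GTK, or /run out of space) the script exits before the `audio-*.so` copy and the upgrade aborts, even though retaining modules for running guests is best-effort. Making each copy tolerant, e.g. `cp /usr/lib/@ARCH@/qemu/ui-gtk.so /var/run/qemu/@PKGVERSION@/ || true`, keeps the upgrade going; the same applies to the audio line. Whether ui-gtk.so is guaranteed to exist on every architecture this package builds for is not visible from here.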
3715diff --git a/debian/rules b/debian/rules
3716index 1604d33..58ed6ea 100755
3717--- a/debian/rules
3718+++ b/debian/rules
3719@@ -15,6 +15,9 @@ else
3720 VENDOR := DEBIAN
3721 endif
3722
3723+AUTOGENERATED:= qemu-block-extra.prerm qemu-block-extra.postrm qemu-system-gui.prerm qemu-system-gui.postrm
3724+PKGVERSION := $(shell printf "Debian ${DEB_VERSION}" | tr --complement '[:alnum:]+-.~' '_')
3725+
3726 # support parallel build using DEB_BUILD_OPTIONS=parallel=N
3727 ifneq (,$(filter parallel=%,$(DEB_BUILD_OPTIONS)))
3728 MAKEFLAGS += -j$(patsubst parallel=%,%,$(filter parallel=%,$(DEB_BUILD_OPTIONS)))
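Review bot: `PKGVERSION` must reproduce, byte for byte, what util/module.c derives from QEMU_PKGVERSION with g_strcanon() (A-Z, a-z, 0-9 and `+-.~`, everything else to `_`), otherwise the prerm copies land in a directory that running binaries never search; nothing here ties the two together, and `[:alnum:]` under a non-C locale can in principle classify more bytes than g_strcanon does. I would add `# must match g_strcanon() in util/module.c and the --with-pkgversion string passed to configure` above the assignment and prefix the tr call with `LC_ALL=C`. Whether the build actually passes `Debian ${DEB_VERSION}` as --with-pkgversion, and where DEB_VERSION is defined, lies outside this hunk.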
3729@@ -103,6 +106,12 @@ endif # enable_linux_user
3730 b/configure-stamp: configure
3731 dh_testdir
3732
3733+ for f in ${AUTOGENERATED} ; do \
3734+ sed -e 's%@ARCH@%${DEB_HOST_MULTIARCH}%g' \
3735+ -e 's%@PKGVERSION@%${PKGVERSION}%g' \
3736+ < debian/$$f.in > debian/$$f ; \
3737+ done
3738+
3739 # system build
3740 rm -rf b/qemu; mkdir -p b/qemu
3741 cd b/qemu && \
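Review bot: The substitution `s%@PKGVERSION@%${PKGVERSION}%g` is only safe because PKGVERSION has been restricted to `[:alnum:]+-.~_`; a `%`, `&` or `\` in either replacement value would alter the sed expression, and the result is then used unquoted in maintainer scripts run as root. A comment on the loop, e.g. `# @PKGVERSION@/@ARCH@ are safe unquoted in the generated scripts only because PKGVERSION is sanitised above`, records that dependency for whoever next widens the character set. Generating the scripts as a side effect of `b/configure-stamp` rather than from a `debian/%: debian/%.in` rule also means an edited `.in` alone never regenerates them, though in a clean package build that is harmless.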
3742@@ -111,6 +120,7 @@ b/configure-stamp: configure
3743 --${enable_linux_user}-linux-user \
3744 --disable-xen \
3745 --enable-modules \
3746+ --enable-module-upgrades \
3747 $(shell sh debian/extract-config-opts \
3748 $(DEB_HOST_ARCH_OS)-$(DEB_HOST_ARCH) debian/control) \
3749 $(QEMU_CONFIGURE_OPTIONS) || \
3750@@ -137,6 +147,7 @@ ifneq ($(filter $(DEB_HOST_ARCH),amd64 i386),)
3751 --enable-xen \
3752 --target-list="aarch64-softmmu arm-softmmu i386-softmmu x86_64-softmmu"
3753 --enable-modules \
3754+ --enable-module-upgrades \
3755 $(shell sh debian/extract-config-opts \
3756 $(DEB_HOST_ARCH_OS)-$(DEB_HOST_ARCH) debian/control) \
3757 $(QEMU_CONFIGURE_OPTIONS) || \
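Review bot: The context line `--target-list="aarch64-softmmu arm-softmmu i386-softmmu x86_64-softmmu"` carries no trailing `\`, unlike every other option in this configure call, so if that is not a rendering artefact the new `--enable-module-upgrades` (and the `--enable-modules` before it) are parsed as a separate shell command rather than as configure options; please verify in the tree. The line predates this change, but the new option only takes effect if the continuation is intact, and configure refuses module-upgrades without modules. The recipe starts and ends outside the hunk.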
3758@@ -489,6 +500,7 @@ clean: debian/control
3759 rm -rf b
3760 find scripts/ -name '*.pyc' -delete || :
3761 rm -f debian/qemu-user.1
3762+ rm -f $(patsubst %, debian/%, ${AUTOGENERATED})
3763 dh_clean
3764
3765 .PHONY: build clean binary-arch binary-indep binary build-arch build-indep build
