Merge ~paelzer/ubuntu/+source/qemu:lp-1835546-s390x-protvirt-final into ubuntu/+source/qemu:ubuntu/focal-devel

Proposed by Christian Ehrhardt 
Status: Merged
Approved by: Christian Ehrhardt 
Approved revision: 36d2633e22db8e585e2e8f2099144f4bb6d64121
Merge reported by: Christian Ehrhardt 
Merged at revision: 8173c35832629eff7c983b284f34f86f3c0c9ce9
Proposed branch: ~paelzer/ubuntu/+source/qemu:lp-1835546-s390x-protvirt-final
Merge into: ubuntu/+source/qemu:ubuntu/focal-devel
Diff against target: 7167 lines (+6697/-18)
68 files modified
debian/changelog (+29/-0)
debian/patches/series (+64/-1)
debian/patches/stable/lp-1867519-arm-arm-powerctl-rebuild-hflags-after-setting-CP15-b.patch (+48/-0)
debian/patches/stable/lp-1867519-arm-arm-powerctl-set-NSACR.-CP11-CP10-bits-in-arm_se.patch (+49/-0)
debian/patches/stable/lp-1867519-backup-top-Begin-drain-earlier.patch (+46/-0)
debian/patches/stable/lp-1867519-block-Activate-recursively-even-for-already-active-n.patch (+108/-0)
debian/patches/stable/lp-1867519-block-backup-top-fix-failure-path.patch (+97/-0)
debian/patches/stable/lp-1867519-block-block-copy-fix-progress-calculation.patch (+201/-0)
debian/patches/stable/lp-1867519-block-fix-crash-on-zero-length-unaligned-write-and-r.patch (+107/-0)
debian/patches/stable/lp-1867519-block-io-fix-bdrv_co_do_copy_on_readv.patch (+44/-0)
debian/patches/stable/lp-1867519-block-nbd-extract-the-common-cleanup-code.patch (+78/-0)
debian/patches/stable/lp-1867519-block-nbd-fix-memory-leak-in-nbd_open.patch (+76/-0)
debian/patches/stable/lp-1867519-block-qcow2-threads-fix-qcow2_decompress.patch (+79/-0)
debian/patches/stable/lp-1867519-hw-i386-pc-fix-regression-in-parsing-vga-cmdline-par.patch (+58/-0)
debian/patches/stable/lp-1867519-intel_iommu-a-fix-to-vtd_find_as_from_bus_num.patch (+44/-0)
debian/patches/stable/lp-1867519-intel_iommu-add-present-bit-check-for-pasid-table-en.patch (+202/-0)
debian/patches/stable/lp-1867519-iotests-add-test-for-backup-top-failure-on-permissio.patch (+138/-0)
debian/patches/stable/lp-1867519-job-refactor-progress-to-separate-object.patch (+230/-0)
debian/patches/stable/lp-1867519-plugins-core-add-missing-break-in-cb_to_tcg_flags.patch (+41/-0)
debian/patches/stable/lp-1867519-qcow2-Fix-alloc_cluster_abort-for-pre-existing-clust.patch (+39/-0)
debian/patches/stable/lp-1867519-qcow2-Fix-qcow2_alloc_cluster_abort-for-external-dat.patch (+44/-0)
debian/patches/stable/lp-1867519-qcow2-bitmaps-fix-qcow2_can_store_new_dirty_bitmap.patch (+102/-0)
debian/patches/stable/lp-1867519-qemu-img-Fix-convert-n-B-for-backing-less-targets.patch (+54/-0)
debian/patches/stable/lp-1867519-s390-sclp-improve-special-wait-psw-logic.patch (+40/-0)
debian/patches/stable/lp-1867519-target-arm-Return-correct-IL-bit-in-merge_syn_data_a.patch (+46/-0)
debian/patches/stable/lp-1867519-target-arm-Set-ISSIs16Bit-in-make_issinfo.patch (+42/-0)
debian/patches/stable/lp-1867519-target-arm-arm-semi-fix-SYS_OPEN-to-return-nonzero-f.patch (+79/-0)
debian/patches/stable/lp-1867519-target-arm-ensure-we-use-current-exception-state-aft.patch (+127/-0)
debian/patches/stable/lp-1867519-target-i386-kvm-initialize-feature-MSRs-very-early.patch (+169/-0)
debian/patches/stable/lp-1867519-tcg-save-vaddr-temp-for-plugin-usage.patch (+98/-0)
debian/patches/stable/lp-1867519-tpm-ppi-page-align-PPI-RAM.patch (+47/-0)
debian/patches/stable/lp-1867519-vfio-pci-Don-t-remove-irqchip-notifier-if-not-regist.patch (+50/-0)
debian/patches/stable/lp-1867519-virtio-gracefully-handle-invalid-region-caches.patch (+331/-0)
debian/patches/stable/lp-1867519-virtio-mmio-update-queue-size-on-guest-write.patch (+40/-0)
debian/patches/stable/lp-1867519-virtio-net-delete-also-control-queue-when-TX-RX-dele.patch (+41/-0)
debian/patches/stable/lp-1867519-virtio-update-queue-size-on-guest-write.patch (+40/-0)
debian/patches/ubuntu/lp-1835546-Sync-pv.patch (+98/-0)
debian/patches/ubuntu/lp-1835546-pc-bios-s390x-Save-iplb-location-in-lowcore.patch (+138/-0)
debian/patches/ubuntu/lp-1835546-s390x-Add-SIDA-memory-ops.patch (+141/-0)
debian/patches/ubuntu/lp-1835546-s390x-Add-missing-vcpu-reset-functions.patch (+165/-0)
debian/patches/ubuntu/lp-1835546-s390x-Add-unpack-facility-feature-to-GA1.patch (+67/-0)
debian/patches/ubuntu/lp-1835546-s390x-Beautify-diag308-handling.patch (+119/-0)
debian/patches/ubuntu/lp-1835546-s390x-Don-t-do-a-normal-reset-on-the-initial-cpu.patch (+41/-0)
debian/patches/ubuntu/lp-1835546-s390x-Move-clear-reset.patch (+135/-0)
debian/patches/ubuntu/lp-1835546-s390x-Move-diagnose-308-subcodes-and-rcs-into-ipl.h.patch (+67/-0)
debian/patches/ubuntu/lp-1835546-s390x-Move-initial-reset.patch (+148/-0)
debian/patches/ubuntu/lp-1835546-s390x-Move-reset-normal-to-shared-reset-handler.patch (+134/-0)
debian/patches/ubuntu/lp-1835546-s390x-ipl-Consolidate-iplb-validity-check-into-one-f.patch (+70/-0)
debian/patches/ubuntu/lp-1835546-s390x-kvm-Make-kvm_sclp_service_call-void.patch (+72/-0)
debian/patches/ubuntu/lp-1835546-s390x-protvirt-Add-migration-blocker.patch (+70/-0)
debian/patches/ubuntu/lp-1835546-s390x-protvirt-Disable-address-checks-for-PV-guest-I.patch (+126/-0)
debian/patches/ubuntu/lp-1835546-s390x-protvirt-Handle-SIGP-store-status-correctly.patch (+50/-0)
debian/patches/ubuntu/lp-1835546-s390x-protvirt-Inhibit-balloon-when-switching-to-pro.patch (+91/-0)
debian/patches/ubuntu/lp-1835546-s390x-protvirt-KVM-intercept-changes.patch (+66/-0)
debian/patches/ubuntu/lp-1835546-s390x-protvirt-Move-IO-control-structures-over-SIDA.patch (+162/-0)
debian/patches/ubuntu/lp-1835546-s390x-protvirt-Move-STSI-data-over-SIDAD.patch (+61/-0)
debian/patches/ubuntu/lp-1835546-s390x-protvirt-Move-diag-308-data-over-SIDA.patch (+84/-0)
debian/patches/ubuntu/lp-1835546-s390x-protvirt-SCLP-interpretation.patch (+162/-0)
debian/patches/ubuntu/lp-1835546-s390x-protvirt-Set-guest-IPL-PSW.patch (+51/-0)
debian/patches/ubuntu/lp-1835546-s390x-protvirt-Support-unpack-facility.patch (+875/-0)
debian/patches/ubuntu/lp-1847361-modules-load-upgrade.patch (+125/-0)
debian/patches/ubuntu/lp-1847361-vhost-correctly-turn-on-VIRTIO_F_IOMMU_PLATFORM.patch (+61/-0)
debian/qemu-block-extra.postrm.in (+43/-0)
debian/qemu-block-extra.prerm.in (+45/-0)
debian/qemu-system-gui.postrm.in (+44/-0)
debian/qemu-system-gui.prerm.in (+46/-0)
debian/rules (+12/-0)
dev/null (+0/-17)
Reviewer Review Type Date Requested Status
Rafael David Tinoco (community) Approve
Canonical Server Pending
git-ubuntu developers Pending
Review via email: mp+381033@code.launchpad.net
Christian Ehrhardt  (paelzer) wrote :

Notes:
- qemu recently has import issues, so ignore the LP diff - check out the branch itself and compare what changed since the last version there
- once upstream accepted I'll update the origin links, until then it is already pointing to a git that reflects the changes as backported by IBM

FFE still ongoing in bug 1866866

PPA: https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3985/+packages
Bug: 1835546

Rafael David Tinoco (rafaeldtinoco) wrote :

I'll review this one.

947abf0... by Christian Ehrhardt 

d/p/ubuntu/expose-vmx_qemu64cpu.patch: Stop adding VMX to qemu64 to avoid broken nesting (LP: #1868692)

Signed-off-by: Christian Ehrhardt <email address hidden>

8173c35... by Christian Ehrhardt 

changelog: Stop adding VMX to qemu64 to avoid broken nesting (LP: #1868692)

Signed-off-by: Christian Ehrhardt <email address hidden>

Christian Ehrhardt  (paelzer) wrote :

Added a fix for bug 1868692 to the MP

Rafael David Tinoco (rafaeldtinoco) wrote :

TL;DR => Jump to my last commits for conclusions.

1:1 mapping with IBM repo:

 patches/ubuntu/expose-vmx_qemu64cpu.patch - ok
        upstream - 0723cc8a5558c94388db75ae1f4991314914edd3 target/i386: add VMX features to named CPU models

 patches/ubuntu/lp-1835546-Sync-pv.patch
        ibm - 5081c651c9e12d519597fc2ee6e6162e52051122 Sync pv

 patches/ubuntu/lp-1835546-pc-bios-s390x-Save-iplb-location-in-lowcore.patch
        ibm - 6c657fba3b138ad43b72e54a3c43a87e170ce615 pc-bios: s390x: Save iplb location in lowcore

 patches/ubuntu/lp-1835546-s390x-Add-SIDA-memory-ops.patch
        ibm - 7d1c3eddae6fa68ba72d869adf4c37ff0b4bf031 s390x: Add SIDA memory ops

 patches/ubuntu/lp-1835546-s390x-Add-missing-vcpu-reset-functions.patch
        ibm - cdb7c92623442b8a4052011d20ac46dbc17ab064 s390x: Add missing vcpu reset functions

 patches/ubuntu/lp-1835546-s390x-Add-unpack-facility-feature-to-GA1.patch
        6ddcd74b5c6158c0a389f8588616884518d86f2c (borntraeger/pv42_v12) s390x: Add unpack facility feature to GA1

 patches/ubuntu/lp-1835546-s390x-Beautify-diag308-handling.patch
        4fb238b4b0ba7ba6d42d5d7e1f3da27e619e872c s390x: Beautify diag308 handling

 patches/ubuntu/lp-1835546-s390x-Don-t-do-a-normal-reset-on-the-initial-cpu.patch
        c300ee105ad5458eb9f8d302e54d8f3cc70963fd s390x: Don't do a normal reset on the initial cpu

 patches/ubuntu/lp-1835546-s390x-Move-clear-reset.patch
        af3f6e479284aa297ad2a85bb3eab305376d138a s390x: Move clear reset

 patches/ubuntu/lp-1835546-s390x-Move-diagnose-308-subcodes-and-rcs-into-ipl.h.patch
        f0869bee7c19767fff70794d64f400bb201e82e3 s390x: Move diagnose 308 subcodes and rcs into ipl.h

 patches/ubuntu/lp-1835546-s390x-Move-initial-reset.patch
        57b68b74dcb355eee7b1543c70a427d26e04700f s390x: Move initial reset

 patches/ubuntu/lp-1835546-s390x-Move-reset-normal-to-shared-reset-handler.patch
        bae87d827e0f158900ef25fb6015fa8d535a6c94 s390x: Move reset normal to shared reset handler

 patches/ubuntu/lp-1835546-s390x-ipl-Consolidate-iplb-validity-check-into-one-f.patch
        2321dddc5f92eea17caed784c960d3c57088fd41 s390x: ipl: Consolidate iplb validity check into one function

 patches/ubuntu/lp-1835546-s390x-kvm-Make-kvm_sclp_service_call-void.patch
        3915257d71c9e64fd4dcd4406996650a7b29baba s390x: kvm: Make kvm_sclp_service_call void

 patches/ubuntu/lp-1835546-s390x-protvirt-Add-migration-blocker.patch
        cdfe6c35aaa15192338c2da88eeaff169070f8ce s390x: protvirt: Add migration blocker

 patches/ubuntu/lp-1835546-s390x-protvirt-Disable-address-checks-for-PV-guest-I.patch
        73e4feac9b6892a441a7564a6ed8a8e3ec4e9277 s390x: protvirt: Disable address checks for PV guest IO emulation

 patches/ubuntu/lp-1835546-s390x-protvirt-Handle-SIGP-store-status-correctly.patch
        7dfa61e878ff1c743f6828898c7012d8e00dfb13 s390x: protvirt: Handle SIGP store status correctly

 patches/ubuntu/lp-1835546-s390x-protvirt-Inhibit-balloon-when-switching-to-pro.patch
        c4f98ebc0d691578fd19ef291b33920bcc27d64e s390x: protvirt: Inhibit balloon when switching to protected mode

 patches/ubuntu/lp-1835546-s390x-protvirt-KVM-intercept-changes.patch
        1b822af8262a06442c6e04dc...


Rafael David Tinoco (rafaeldtinoco) wrote :

STATUS: +1 (after information on topics 1-4 as they're not blockers)

# checklist for fixes
----------------------------

 [.] changelog entry correct, targeted to correct codename
 [.] update-maintainer has been run previously
 ----
 [x] changes forwarded upstream/debian (if appropriate)
 [.] patches match what was proposed upstream
 ----
 [.] patches correctly included in debian/patches/series?
 [?] patches have correct DEP3 metadata
 ----
 [-] verified dpkg-buildpackage -S and -b
 [-] autopkgtest against PPA or built package passes
 ----
 [-] testcase provided
 [-] was able to reproduce
 [-] fix solved provided testcase

----------------------------
 [.] = ok
 [x] = not ok
 [?] = question
 [!] = note
 [-] = n/a

----------------------------

Observations:

(1)
- For all commits coming from borntraeger/pv42_v12 I would add "Forwarded" flag
and point where each of those were forwarded to. Based on DEP3 guidelines, when
patch is vendor specific DEP3 Forwarded flag becomes obligatory => this will
help me out when reducing the delta.

(2)
- For the same set of commits, I'm afraid the "cherry-picked from commit XXXX",
from both Cornelia and Christian, means nothing to external - to s390x -
repositories and confuses whoever is trying to find origin. Can/Should we just
get rid of those ?

(3)
- What about these patches coming from the same IBM s390 patchset:

3c664ea0a6d4196fbc2912e4c8a4ecd1764ac862 vhost: correctly turn on VIRTIO_F_IOMMU_PLATFORM
ae150759a9de200eb261c06502bc8e3276ff8344 s390/sclp: improve special wait psw logic
9da000ea0ae75fbdf14f6e7dc49ad324ba3fe190 rebuild bios

just checking you saw those and are ignoring them deliberately... is that so ?

(4)
- Your debian/patches/series has, at the end:

...
# LP 1867519 s390x protvirt
lp-1867519-block-nbd-extract-the-common-cleanup-code.patch
ubuntu/lp-1835546-s390x-Don-t-do-a-normal-reset-on-the-initial-cpu.patch
ubuntu/lp-1835546-s390x-Move-reset-normal-to-shared-reset-handler.patch
ubuntu/lp-1835546-s390x-Move-initial-reset.patch
ubuntu/lp-1835546-s390x-Move-clear-reset.patch
...

protvirt feature is being added in LP: #1835546 and FFe is in LP: #1866866. LP:
#1867519 is about seg faults on VFIO detach as it looks like.

Putting things the way I understand:

LP: #1868692 - qemu64 cpu type VMX feature advertise fix
LP: #1835546 - s390x protvirt feature

and that seems correctly informed in changelog for 1:4.2-3ubuntu4.

It seems you should put line:

lp-1867519-block-nbd-extract-the-common-cleanup-code.patch

in the previous block of patches.

review: Needs Information
Rafael David Tinoco (rafaeldtinoco) wrote :

After information on previous comment, consider this a +1.

review: Approve
a1641f6... by Christian Ehrhardt 

Fixup protvirt patches

Signed-off-by: Christian Ehrhardt <email address hidden>

e86627e... by Christian Ehrhardt 

fix stable patch file names for 1867519

Signed-off-by: Christian Ehrhardt <email address hidden>

57d22cf... by Christian Ehrhardt 

d/p/ubuntu/lp-1835546-*: backport the s390x protvirt feature (LP: #1835546)

Signed-off-by: Christian Ehrhardt <email address hidden>

Christian Ehrhardt  (paelzer) wrote :

>
> (1)
> - For all commits coming from borntraeger/pv42_v12 I would add "Forwarded"
> flag
> and point where each of those were forwarded to. Based on DEP3 guidelines,
> when
> patch is vendor specific DEP3 Forwarded flag becomes obligatory => this
> will
> help me out when reducing the delta.
>

Agreed, that will be better - I added this to all of them.
v12 exists only internally atm.
Forwarded:
https://lists.gnu.org/archive/html/qemu-devel/2020-03/msg06247.html

> (2)
> - For the same set of commits, I'm afraid the "cherry-picked from commit
> XXXX",
> from both Cornelia and Christian, means nothing to external - to s390x -
> repositories and confuses whoever is trying to find origin. Can/Should we
> just
> get rid of those ?
>

While the "cherry picked" isn't confusing to me I can see what you mean,
removed.
The important bit is the Origin tag and in those I have correct entries
already in all headers, like

 Origin: backport, https://github.com/borntraeger/qemu/commit/6c657fba3b

(3)
> - What about these patches coming from the same IBM s390 patchset:
>
> 3c664ea0a6d4196fbc2912e4c8a4ecd1764ac862 vhost: correctly turn on
> VIRTIO_F_IOMMU_PLATFORM
> ae150759a9de200eb261c06502bc8e3276ff8344 s390/sclp: improve special wait
> psw logic
> 9da000ea0ae75fbdf14f6e7dc49ad324ba3fe190 rebuild bios
>
> just checking you saw those and are ignoring them deliberately... is that
> so ?
>

Yes it is intentional and ok, I explained to IBM why on:
https://bugs.launchpad.net/ubuntu/+source/qemu/+bug/1835546/comments/15

> (4)
> - Your debian/patches/series has, at the end:
>
> ...
> # LP 1867519 s390x protvirt
> lp-1867519-block-nbd-extract-the-common-cleanup-code.patch
> ubuntu/lp-1835546-s390x-Don-t-do-a-normal-reset-on-the-initial-cpu.patch
> ubuntu/lp-1835546-s390x-Move-reset-normal-to-shared-reset-handler.patch
> ubuntu/lp-1835546-s390x-Move-initial-reset.patch
> ubuntu/lp-1835546-s390x-Move-clear-reset.patch
> ...
>
> protvirt feature is being added in LP: #1835546 and FFe is in LP:
> #1866866. LP:
> #1867519 is about seg faults on VFIO detach as it looks like.
>
> Putting things the way I understand:
>
> LP: #1868692 - qemu64 cpu type VMX feature adverstise fix
> LP: #1835546 - s390x protvirt feature
>
> and that seems correctly informed in changelog for 1:4.2-3ubuntu4.
>
> It seems you should put line:
>
> lp-1867519-block-nbd-extract-the-common-cleanup-code.patch
>
> in the previous block of patches.
>

Agreed, it also needs a rename to have the stable prefix dir.
Done

Thanks for the review!

Christian Ehrhardt  (paelzer) wrote :

Replied via email to the review, thanks.

I pushed the updated branch and consider this approved.
Just waiting for the FFe now (and maybe that upstream accepts it as I'd prefer that before upload).

Christian Ehrhardt  (paelzer) wrote :

I have re-pushed the branch and asked Rafael to re-review the bits for bug 1868692.
Comment #4 and later in that bug will explain why and the pro/cons.

Rafael David Tinoco (rafaeldtinoco) wrote :

+1 again on my side.

Christian Ehrhardt  (paelzer) wrote :

Thank you, tests are good as well and the FFe is in.
I think we did as much as we can upfront, can upload before the Beta freeze happens and worst case fix hopefully minor things later.

Christian Ehrhardt  (paelzer) wrote :

To ssh://git.launchpad.net/~usd-import-team/ubuntu/+source/qemu
 * [new tag] upload/1%4.2-3ubuntu4 -> upload/1%4.2-3ubuntu4

Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading qemu_4.2-3ubuntu4.dsc: done.
  Uploading qemu_4.2-3ubuntu4.debian.tar.xz: done.
  Uploading qemu_4.2-3ubuntu4_source.buildinfo: done.
  Uploading qemu_4.2-3ubuntu4_source.changes: done.
Successfully uploaded packages.

Preview Diff

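--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,32 @@
+qemu (1:4.2-3ubuntu4) focal; urgency=medium
+
+ * d/p/ubuntu/lp-1835546-*: backport the s390x protvirt feature (LP: #1835546)
+ * remove d/p/ubuntu/expose-vmx_qemu64cpu.patch: Stop adding VMX to qemu64
+ to avoid broken nesting (LP: #1868692)
+
+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Fri, 20 Mar 2020 08:02:16 +0100
+
+qemu (1:4.2-3ubuntu3) focal; urgency=medium
+
+ * d/p/stable/lp-1867519-*: Stabilize qemu 4.2 with upstream
+ patches @qemu-stable (LP: #1867519)
+
+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Wed, 18 Mar 2020 13:57:57 +0100
+
+qemu (1:4.2-3ubuntu2) focal; urgency=medium
+
+ * allow qemu to load old modules post upgrade (LP: #1847361)
+ - d/p/ubuntu/lp-1847361-modules-load-upgrade.patch: to fallback module
+ load to a versioned path
+ - d/qemu-block-extra.*.in, d/qemu-system-gui.*.in: save shared objects on
+ upgrade
+ - d/rules: generate maintainer scripts matching package version on build
+ - d/rules: enable --enable-module-upgrades where --enable-modules is set
+ * d/p/ubuntu/lp-1847361-vhost-correctly-turn-on-VIRTIO_F_IOMMU_PLATFORM.patch:
+ avoid unnecessary IOTLB transactions (LP: #1866207)
+
+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 02 Mar 2020 15:21:27 +0100
+
 qemu (1:4.2-3ubuntu1) focal; urgency=medium
 
 * Merge with Debian testing, remaining changes: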
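--- a/debian/patches/series
+++ b/debian/patches/series
@@ -4,7 +4,6 @@ qboot-no-jump-tables.diff
 iscsi-cap-block-count-from-GET-LBA-STATUS-CVE-2020-1711.patch
 
 # ubuntu patches
-ubuntu/expose-vmx_qemu64cpu.patch
 ubuntu/enable-svm-by-default.patch
 ubuntu/define-ubuntu-machine-types.patch
 ubuntu/pre-bionic-256k-ipxe-efi-roms.patch
@@ -13,3 +12,67 @@ ubuntu/lp-1857033-i386-Add-macro-for-stibp.patch
 ubuntu/lp-1857033-i386-Add-new-CPU-model-Cooperlake.patch
 lp-1859527-virtio-blk-fix-out-of-bounds-access-to-bitmap-in-not.patch
 ubuntu/vhost-user-gpu-Drop-trailing-json-comma.patch
+ubuntu/lp-1847361-modules-load-upgrade.patch
+ubuntu/lp-1847361-vhost-correctly-turn-on-VIRTIO_F_IOMMU_PLATFORM.patch
+
+# stabilize 4.2 with patches sent to qemu-stable since 4.2 released
+stable/lp-1867519-arm-arm-powerctl-set-NSACR.-CP11-CP10-bits-in-arm_se.patch
+stable/lp-1867519-target-arm-ensure-we-use-current-exception-state-aft.patch
+stable/lp-1867519-block-Activate-recursively-even-for-already-active-n.patch
+stable/lp-1867519-arm-arm-powerctl-rebuild-hflags-after-setting-CP15-b.patch
+stable/lp-1867519-virtio-update-queue-size-on-guest-write.patch
+stable/lp-1867519-qcow2-bitmaps-fix-qcow2_can_store_new_dirty_bitmap.patch
+stable/lp-1867519-backup-top-Begin-drain-earlier.patch
+stable/lp-1867519-virtio-mmio-update-queue-size-on-guest-write.patch
+stable/lp-1867519-virtio-net-delete-also-control-queue-when-TX-RX-dele.patch
+stable/lp-1867519-intel_iommu-a-fix-to-vtd_find_as_from_bus_num.patch
+stable/lp-1867519-intel_iommu-add-present-bit-check-for-pasid-table-en.patch
+stable/lp-1867519-vfio-pci-Don-t-remove-irqchip-notifier-if-not-regist.patch
+stable/lp-1867519-hw-i386-pc-fix-regression-in-parsing-vga-cmdline-par.patch
+stable/lp-1867519-target-arm-arm-semi-fix-SYS_OPEN-to-return-nonzero-f.patch
+stable/lp-1867519-target-arm-Return-correct-IL-bit-in-merge_syn_data_a.patch
+stable/lp-1867519-target-arm-Set-ISSIs16Bit-in-make_issinfo.patch
+stable/lp-1867519-target-i386-kvm-initialize-feature-MSRs-very-early.patch
+stable/lp-1867519-tpm-ppi-page-align-PPI-RAM.patch
+stable/lp-1867519-block-backup-top-fix-failure-path.patch
+stable/lp-1867519-iotests-add-test-for-backup-top-failure-on-permissio.patch
+stable/lp-1867519-block-fix-crash-on-zero-length-unaligned-write-and-r.patch
+stable/lp-1867519-qemu-img-Fix-convert-n-B-for-backing-less-targets.patch
+stable/lp-1867519-plugins-core-add-missing-break-in-cb_to_tcg_flags.patch
+stable/lp-1867519-tcg-save-vaddr-temp-for-plugin-usage.patch
+stable/lp-1867519-s390-sclp-improve-special-wait-psw-logic.patch
+stable/lp-1867519-block-nbd-fix-memory-leak-in-nbd_open.patch
+stable/lp-1867519-virtio-gracefully-handle-invalid-region-caches.patch
+stable/lp-1867519-qcow2-Fix-qcow2_alloc_cluster_abort-for-external-dat.patch
+stable/lp-1867519-qcow2-Fix-alloc_cluster_abort-for-pre-existing-clust.patch
+stable/lp-1867519-block-qcow2-threads-fix-qcow2_decompress.patch
+stable/lp-1867519-job-refactor-progress-to-separate-object.patch
+stable/lp-1867519-block-block-copy-fix-progress-calculation.patch
+stable/lp-1867519-block-io-fix-bdrv_co_do_copy_on_readv.patch
+stable/lp-1867519-block-nbd-extract-the-common-cleanup-code.patch
+
+# LP 1867519 s390x protvirt
+ubuntu/lp-1835546-s390x-Don-t-do-a-normal-reset-on-the-initial-cpu.patch
+ubuntu/lp-1835546-s390x-Move-reset-normal-to-shared-reset-handler.patch
+ubuntu/lp-1835546-s390x-Move-initial-reset.patch
+ubuntu/lp-1835546-s390x-Move-clear-reset.patch
+ubuntu/lp-1835546-s390x-kvm-Make-kvm_sclp_service_call-void.patch
+ubuntu/lp-1835546-s390x-ipl-Consolidate-iplb-validity-check-into-one-f.patch
+ubuntu/lp-1835546-s390x-Beautify-diag308-handling.patch
+ubuntu/lp-1835546-s390x-Add-missing-vcpu-reset-functions.patch
+ubuntu/lp-1835546-pc-bios-s390x-Save-iplb-location-in-lowcore.patch
+ubuntu/lp-1835546-s390x-Move-diagnose-308-subcodes-and-rcs-into-ipl.h.patch
+ubuntu/lp-1835546-Sync-pv.patch
+ubuntu/lp-1835546-s390x-protvirt-Support-unpack-facility.patch
+ubuntu/lp-1835546-s390x-protvirt-Add-migration-blocker.patch
+ubuntu/lp-1835546-s390x-protvirt-Inhibit-balloon-when-switching-to-pro.patch
+ubuntu/lp-1835546-s390x-protvirt-KVM-intercept-changes.patch
+ubuntu/lp-1835546-s390x-Add-SIDA-memory-ops.patch
+ubuntu/lp-1835546-s390x-protvirt-Move-STSI-data-over-SIDAD.patch
+ubuntu/lp-1835546-s390x-protvirt-SCLP-interpretation.patch
+ubuntu/lp-1835546-s390x-protvirt-Set-guest-IPL-PSW.patch
+ubuntu/lp-1835546-s390x-protvirt-Move-diag-308-data-over-SIDA.patch
+ubuntu/lp-1835546-s390x-protvirt-Disable-address-checks-for-PV-guest-I.patch
+ubuntu/lp-1835546-s390x-protvirt-Move-IO-control-structures-over-SIDA.patch
+ubuntu/lp-1835546-s390x-protvirt-Handle-SIGP-store-status-correctly.patch
+ubuntu/lp-1835546-s390x-Add-unpack-facility-feature-to-GA1.patch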
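Review bot: The section header added at the bottom of the series file, `# LP 1867519 s390x protvirt`, names the wrong bug: every patch listed under it is an lp-1835546-* file and the changelog in this same diff credits the protvirt backport to LP: #1835546, while 1867519 is the bug of the stable block directly above. Anyone reducing the delta later will cross-check series comments against patch names and changelog entries, so the mismatch costs them a detour. `# LP 1835546 s390x protvirt` would keep the three in agreement.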
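--- /dev/null
+++ b/debian/patches/stable/lp-1867519-arm-arm-powerctl-rebuild-hflags-after-setting-CP15-b.patch
@@ -0,0 +1,48 @@
+From c8fa6079eb35888587f1be27c1590da4edcc5098 Mon Sep 17 00:00:00 2001
+From: Niek Linnenbank <nieklinnenbank@gmail.com>
+Date: Fri, 20 Dec 2019 14:03:00 +0000
+Subject: [PATCH] arm/arm-powerctl: rebuild hflags after setting CP15 bits in
+ arm_set_cpu_on()
+
+After setting CP15 bits in arm_set_cpu_on() the cached hflags must
+be rebuild to reflect the changed processor state. Without rebuilding,
+the cached hflags would be inconsistent until the next call to
+arm_rebuild_hflags(). When QEMU is compiled with debugging enabled
+(--enable-debug), this problem is captured shortly after the first
+call to arm_set_cpu_on() for CPUs running in ARM 32-bit non-secure mode:
+
+ qemu-system-arm: target/arm/helper.c:11359: cpu_get_tb_cpu_state:
+ Assertion `flags == rebuild_hflags_internal(env)' failed.
+ Aborted (core dumped)
+
+Fixes: 0c7f8c43daf65
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Niek Linnenbank <nieklinnenbank@gmail.com>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=c8fa6079eb35888587f1be27c1590da4edcc5098
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1867519
+Last-Update: 2020-03-18
+
+---
+ target/arm/arm-powerctl.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/target/arm/arm-powerctl.c b/target/arm/arm-powerctl.c
+index b064513d44..b75f813b40 100644
+--- a/target/arm/arm-powerctl.c
++++ b/target/arm/arm-powerctl.c
+@@ -127,6 +127,9 @@ static void arm_set_cpu_on_async_work(CPUState *target_cpu_state,
+ target_cpu->env.regs[0] = info->context_id;
+ }
+
++ /* CP15 update requires rebuilding hflags */
++ arm_rebuild_hflags(&target_cpu->env);
++
+ /* Start the new CPU at the requested address */
+ cpu_set_pc(target_cpu_state, info->entry);
+
+--
+2.25.1
+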
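--- /dev/null
+++ b/debian/patches/stable/lp-1867519-arm-arm-powerctl-set-NSACR.-CP11-CP10-bits-in-arm_se.patch
@@ -0,0 +1,49 @@
+From 0c7f8c43daf6556078e51de98aa13f069e505985 Mon Sep 17 00:00:00 2001
+From: Niek Linnenbank <nieklinnenbank@gmail.com>
+Date: Mon, 2 Dec 2019 22:09:43 +0100
+Subject: [PATCH] arm/arm-powerctl: set NSACR.{CP11, CP10} bits in
+ arm_set_cpu_on()
+
+This change ensures that the FPU can be accessed in Non-Secure mode
+when the CPU core is reset using the arm_set_cpu_on() function call.
+The NSACR.{CP11,CP10} bits define the exception level required to
+access the FPU in Non-Secure mode. Without these bits set, the CPU
+will give an undefined exception trap on the first FPU access for the
+secondary cores under Linux.
+
+This is necessary because in this power-control codepath QEMU
+is effectively emulating a bit of EL3 firmware, and has to set
+the CPU up as the EL3 firmware would.
+
+Fixes: fc1120a7f5
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Niek Linnenbank <nieklinnenbank@gmail.com>
+[PMM: added clarifying para to commit message]
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=0c7f8c43daf6556078e51de98aa13f069e505985
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1867519
+Last-Update: 2020-03-18
+
+---
+ target/arm/arm-powerctl.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/target/arm/arm-powerctl.c b/target/arm/arm-powerctl.c
+index f77a950db6..b064513d44 100644
+--- a/target/arm/arm-powerctl.c
++++ b/target/arm/arm-powerctl.c
+@@ -104,6 +104,9 @@ static void arm_set_cpu_on_async_work(CPUState *target_cpu_state,
+ /* Processor is not in secure mode */
+ target_cpu->env.cp15.scr_el3 |= SCR_NS;
+
++ /* Set NSACR.{CP11,CP10} so NS can access the FPU */
++ target_cpu->env.cp15.nsacr |= 3 << 10;
++
+ /*
+ * If QEMU is providing the equivalent of EL3 firmware, then we need
+ * to make sure a CPU targeting EL2 comes out of reset with a
+--
+2.25.1
+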
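--- /dev/null
+++ b/debian/patches/stable/lp-1867519-backup-top-Begin-drain-earlier.patch
@@ -0,0 +1,46 @@
+From 503ca1262bab2c11c533a4816d1ff4297d4f58a6 Mon Sep 17 00:00:00 2001
+From: Max Reitz <mreitz@redhat.com>
+Date: Thu, 19 Dec 2019 19:26:38 +0100
+Subject: [PATCH] backup-top: Begin drain earlier
+
+When dropping backup-top, we need to drain the node before freeing the
+BlockCopyState. Otherwise, requests may still be in flight and then the
+assertion in shres_destroy() will fail.
+
+(This becomes visible in intermittent failure of 056.)
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+Message-id: 20191219182638.104621-1-mreitz@redhat.com
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=503ca1262bab2c11c533a4816d1ff4297d4f58a6
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1867519
+Last-Update: 2020-03-18
+
+---
+ block/backup-top.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/block/backup-top.c b/block/backup-top.c
+index 7cdb1f8eba..818d3f26b4 100644
+--- a/block/backup-top.c
++++ b/block/backup-top.c
+@@ -257,12 +257,12 @@ void bdrv_backup_top_drop(BlockDriverState *bs)
+ BDRVBackupTopState *s = bs->opaque;
+ AioContext *aio_context = bdrv_get_aio_context(bs);
+
+- block_copy_state_free(s->bcs);
+-
+ aio_context_acquire(aio_context);
+
+ bdrv_drained_begin(bs);
+
++ block_copy_state_free(s->bcs);
++
+ s->active = false;
+ bdrv_child_refresh_perms(bs, bs->backing, &error_abort);
+ bdrv_replace_node(bs, backing_bs(bs), &error_abort);
+--
+2.25.1
+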
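--- /dev/null
+++ b/debian/patches/stable/lp-1867519-block-Activate-recursively-even-for-already-active-n.patch
@@ -0,0 +1,108 @@
+From 7bb4941ace471fc7dd6ded4749b95b9622baa6ed Mon Sep 17 00:00:00 2001
+From: Kevin Wolf <kwolf@redhat.com>
+Date: Tue, 17 Dec 2019 15:06:38 +0100
+Subject: [PATCH] block: Activate recursively even for already active nodes
+
+bdrv_invalidate_cache_all() assumes that all nodes in a given subtree
+are either active or inactive when it starts. Therefore, as soon as it
+arrives at an already active node, it stops.
+
+However, this assumption is wrong. For example, it's possible to take a
+snapshot of an inactive node, which results in an active overlay over an
+inactive backing file. The active overlay is probably also the root node
+of an inactive BlockBackend (blk->disable_perm == true).
+
+In this case, bdrv_invalidate_cache_all() does not need to do anything
+to activate the overlay node, but it still needs to recurse into the
+children and the parents to make sure that after returning success,
+really everything is activated.
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+Reviewed-by: Max Reitz <mreitz@redhat.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=7bb4941ace471fc7dd6ded4749b95b9622baa6ed
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1867519
+Last-Update: 2020-03-18
+
+---
+ block.c | 50 ++++++++++++++++++++++++--------------------------
+ 1 file changed, 24 insertions(+), 26 deletions(-)
+
+diff --git a/block.c b/block.c
+index 73029fad64..1b6f7c86e8 100644
+--- a/block.c
++++ b/block.c
+@@ -5335,10 +5335,6 @@ static void coroutine_fn bdrv_co_invalidate_cache(BlockDriverState *bs,
+ return;
+ }
+
+- if (!(bs->open_flags & BDRV_O_INACTIVE)) {
+- return;
+- }
+-
+ QLIST_FOREACH(child, &bs->children, next) {
+ bdrv_co_invalidate_cache(child->bs, &local_err);
+ if (local_err) {
+@@ -5360,34 +5356,36 @@ static void coroutine_fn bdrv_co_invalidate_cache(BlockDriverState *bs,
+ * just keep the extended permissions for the next time that an activation
+ * of the image is tried.
+ */
+- bs->open_flags &= ~BDRV_O_INACTIVE;
+- bdrv_get_cumulative_perm(bs, &perm, &shared_perm);
+- ret = bdrv_check_perm(bs, NULL, perm, shared_perm, NULL, NULL, &local_err);
+- if (ret < 0) {
+- bs->open_flags |= BDRV_O_INACTIVE;
+- error_propagate(errp, local_err);
+- return;
+- }
+- bdrv_set_perm(bs, perm, shared_perm);
+-
+- if (bs->drv->bdrv_co_invalidate_cache) {
+- bs->drv->bdrv_co_invalidate_cache(bs, &local_err);
+- if (local_err) {
++ if (bs->open_flags & BDRV_O_INACTIVE) {
++ bs->open_flags &= ~BDRV_O_INACTIVE;
++ bdrv_get_cumulative_perm(bs, &perm, &shared_perm);
++ ret = bdrv_check_perm(bs, NULL, perm, shared_perm, NULL, NULL, &local_err);
++ if (ret < 0) {
+ bs->open_flags |= BDRV_O_INACTIVE;
+ error_propagate(errp, local_err);
+ return;
+ }
+- }
++ bdrv_set_perm(bs, perm, shared_perm);
+
+- FOR_EACH_DIRTY_BITMAP(bs, bm) {
+- bdrv_dirty_bitmap_skip_store(bm, false);
+- }
++ if (bs->drv->bdrv_co_invalidate_cache) {
++ bs->drv->bdrv_co_invalidate_cache(bs, &local_err);
++ if (local_err) {
++ bs->open_flags |= BDRV_O_INACTIVE;
++ error_propagate(errp, local_err);
++ return;
++ }
++ }
+
+- ret = refresh_total_sectors(bs, bs->total_sectors);
+- if (ret < 0) {
+- bs->open_flags |= BDRV_O_INACTIVE;
+- error_setg_errno(errp, -ret, "Could not refresh total sector count");
+- return;
++ FOR_EACH_DIRTY_BITMAP(bs, bm) {
++ bdrv_dirty_bitmap_skip_store(bm, false);
++ }
++
++ ret = refresh_total_sectors(bs, bs->total_sectors);
++ if (ret < 0) {
++ bs->open_flags |= BDRV_O_INACTIVE;
++ error_setg_errno(errp, -ret, "Could not refresh total sector count");
++ return;
++ }
+ }
+
+ QLIST_FOREACH(parent, &bs->parents, next_parent) {
+--
+2.25.1
+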
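Review bot: The new `if (bs->open_flags & BDRV_O_INACTIVE)` guard changes the contract of bdrv_co_invalidate_cache() — already-active nodes now recurse into children and parents instead of returning early — but nothing in the code records why, and the enclosing function starts and ends outside the hunk. A comment above the guard would keep the next reader from reinstating the early return: `/* Do not stop at an already active node: an active overlay can sit on an inactive backing file (e.g. after a snapshot), so children and parents still need to be visited. */`. Note that the parent loop at the end of the hunk now also runs for active nodes, so a parent shared by several children is visited more than once; that is harmless only if the parent activation callbacks are idempotent, which is not visible here.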
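--- /dev/null
+++ b/debian/patches/stable/lp-1867519-block-backup-top-fix-failure-path.patch
@@ -0,0 +1,97 @@
+From 0df62f45c1de6c020f1e6fba4eeafd248209b003 Mon Sep 17 00:00:00 2001
+From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+Date: Tue, 21 Jan 2020 17:28:01 +0300
+Subject: [PATCH] block/backup-top: fix failure path
+
+We can't access top after call bdrv_backup_top_drop, as it is already
+freed at this time.
+
+Also, no needs to unref target child by hand, it will be unrefed on
+bdrv_close() automatically.
+
+So, just do bdrv_backup_top_drop if append succeed and one bdrv_unref
+otherwise.
+
+Note, that in !appended case bdrv_unref(top) moved into drained section
+on source. It doesn't really matter, but just for code simplicity.
+
+Fixes: 7df7868b96404
+Cc: qemu-stable@nongnu.org # v4.2.0
+Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+Reviewed-by: Max Reitz <mreitz@redhat.com>
+Message-id: 20200121142802.21467-2-vsementsov@virtuozzo.com
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=0df62f45c1de6c020f1e6fba4eeafd248209b003
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1867519
+Last-Update: 2020-03-18
+
+---
+ block/backup-top.c | 21 ++++++++++++---------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+diff --git a/block/backup-top.c b/block/backup-top.c
+index 9aed2eb4c0..fa78f3256d 100644
+--- a/block/backup-top.c
++++ b/block/backup-top.c
+@@ -190,6 +190,7 @@ BlockDriverState *bdrv_backup_top_append(BlockDriverState *source,
+ BlockDriverState *top = bdrv_new_open_driver(&bdrv_backup_top_filter,
+ filter_node_name,
+ BDRV_O_RDWR, errp);
++ bool appended = false;
+
+ if (!top) {
+ return NULL;
+@@ -212,8 +213,9 @@ BlockDriverState *bdrv_backup_top_append(BlockDriverState *source,
+ bdrv_append(top, source, &local_err);
+ if (local_err) {
+ error_prepend(&local_err, "Cannot append backup-top filter: ");
+- goto append_failed;
++ goto fail;
+ }
++ appended = true;
+
+ /*
+ * bdrv_append() finished successfully, now we can require permissions
+@@ -224,14 +226,14 @@ BlockDriverState *bdrv_backup_top_append(BlockDriverState *source,
+ if (local_err) {
+ error_prepend(&local_err,
+ "Cannot set permissions for backup-top filter: ");
+- goto failed_after_append;
++ goto fail;
+ }
+
+ state->bcs = block_copy_state_new(top->backing, state->target,
+ cluster_size, write_flags, &local_err);
+ if (local_err) {
+ error_prepend(&local_err, "Cannot create block-copy-state: ");
+- goto failed_after_append;
++ goto fail;
+ }
+ *bcs = state->bcs;
+
+@@ -239,14 +241,15 @@ BlockDriverState *bdrv_backup_top_append(BlockDriverState *source,
+
+ return top;
+
+-failed_after_append:
+- state->active = false;
+- bdrv_backup_top_drop(top);
++fail:
++ if (appended) {
++ state->active = false;
++ bdrv_backup_top_drop(top);
++ } else {
++ bdrv_unref(top);
++ }
+
+-append_failed:
+ bdrv_drained_end(source);
+- bdrv_unref_child(top, state->target);
+- bdrv_unref(top);
+ error_propagate(errp, local_err);
+
+ return NULL;
+--
+2.25.1
+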
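Review bot: On the `appended` branch of the new `fail:` label, `bdrv_backup_top_drop(top)` also runs when the jump came from the "Cannot create block-copy-state" path, where `state->bcs` has not been assigned (presumably still NULL); bdrv_backup_top_drop() as shown in the backup-top drain patch earlier in this series calls `block_copy_state_free(s->bcs)` unconditionally, so this is only safe if block_copy_state_free() tolerates a NULL argument, which is not visible in this diff. If it does not, guard it in the drop path with `if (s->bcs) { block_copy_state_free(s->bcs); }` or document the NULL contract on block_copy_state_free(). The enclosing bdrv_backup_top_append() starts outside the hunk.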
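--- /dev/null
+++ b/debian/patches/stable/lp-1867519-block-block-copy-fix-progress-calculation.patch
@@ -0,0 +1,201 @@
+From d0ebeca14a585f352938062ef8ddde47fe4d39f9 Mon Sep 17 00:00:00 2001
+From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+Date: Wed, 11 Mar 2020 13:29:57 +0300
+Subject: [PATCH] block/block-copy: fix progress calculation
+
+Assume we have two regions, A and B, and region B is in-flight now,
+region A is not yet touched, but it is unallocated and should be
+skipped.
+
+Correspondingly, as progress we have
+
+ total = A + B
+ current = 0
+
+If we reset unallocated region A and call progress_reset_callback,
+it will calculate 0 bytes dirty in the bitmap and call
+job_progress_set_remaining, which will set
+
+ total = current + 0 = 0 + 0 = 0
+
+So, B bytes are actually removed from total accounting. When job
+finishes we'll have
+
+ total = 0
+ current = B
+
+, which doesn't sound good.
+
+This is because we didn't considered in-flight bytes, actually when
+calculating remaining, we should have set (in_flight + dirty_bytes)
+as remaining, not only dirty_bytes.
+
+To fix it, let's refactor progress calculation, moving it to block-copy
+itself instead of fixing callback. And, of course, track in_flight
+bytes count.
+
+We still have to keep one callback, to maintain backup job bytes_read
+calculation, but it will go on soon, when we turn the whole backup
+process into one block_copy call.
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+Reviewed-by: Andrey Shinkevich <andrey.shinkevich@virtuozzo.com>
+Message-Id: <20200311103004.7649-3-vsementsov@virtuozzo.com>
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=d0ebeca14a585f352938062ef8ddde47fe4d39f9
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1867519
+Last-Update: 2020-03-18
+
+---
+ block/backup.c | 13 ++-----------
+ block/block-copy.c | 16 ++++++++++++----
+ include/block/block-copy.h | 15 +++++----------
+ 3 files changed, 19 insertions(+), 25 deletions(-)
+
+diff --git a/block/backup.c b/block/backup.c
+index 1383e219f5..8694e0394b 100644
+--- a/block/backup.c
++++ b/block/backup.c
+@@ -57,15 +57,6 @@ static void backup_progress_bytes_callback(int64_t bytes, void *opaque)
+ BackupBlockJob *s = opaque;
+
+ s->bytes_read += bytes;
+- job_progress_update(&s->common.job, bytes);
+-}
+-
+-static void backup_progress_reset_callback(void *opaque)
+-{
+- BackupBlockJob *s = opaque;
+- uint64_t estimate = bdrv_get_dirty_count(s->bcs->copy_bitmap);
+-
+- job_progress_set_remaining(&s->common.job, estimate);
+ }
+
+ static int coroutine_fn backup_do_cow(BackupBlockJob *job,
+@@ -464,8 +455,8 @@ BlockJob *backup_job_create(const char *job_id, BlockDriverState *bs,
+ job->cluster_size = cluster_size;
+ job->len = len;
+
+- block_copy_set_callbacks(bcs, backup_progress_bytes_callback,
+- backup_progress_reset_callback, job);
++ block_copy_set_progress_callback(bcs, backup_progress_bytes_callback, job);
++ block_copy_set_progress_meter(bcs, &job->common.job.progress);
+
+ /* Required permissions are already taken by backup-top target */
+ block_job_add_bdrv(&job->common, "target", target, 0, BLK_PERM_ALL,
+diff --git a/block/block-copy.c b/block/block-copy.c
+index 79798a1567..e2d7b3b887 100644
+--- a/block/block-copy.c
++++ b/block/block-copy.c
+@@ -127,17 +127,20 @@ BlockCopyState *block_copy_state_new(BdrvChild *source, BdrvChild *target,
+ return s;
+ }
+
+-void block_copy_set_callbacks(
++void block_copy_set_progress_callback(
+ BlockCopyState *s,
+ ProgressBytesCallbackFunc progress_bytes_callback,
+- ProgressResetCallbackFunc progress_reset_callback,
+ void *progress_opaque)
+ {
+ s->progress_bytes_callback = progress_bytes_callback;
+- s->progress_reset_callback = progress_reset_callback;
+ s->progress_opaque = progress_opaque;
+ }
+
++void block_copy_set_progress_meter(BlockCopyState *s, ProgressMeter *pm)
++{
++ s->progress = pm;
++}
++
+ /*
+ * block_copy_do_copy
+ *
+@@ -269,7 +272,9 @@ int64_t block_copy_reset_unallocated(BlockCopyState *s,
+
+ if (!ret) {
+ bdrv_reset_dirty_bitmap(s->copy_bitmap, offset, bytes);
+- s->progress_reset_callback(s->progress_opaque);
++ progress_set_remaining(s->progress,
++ bdrv_get_dirty_count(s->copy_bitmap) +
++ s->in_flight_bytes);
+ }
+
+ *count = bytes;
+@@ -331,15 +336,18 @@ int coroutine_fn block_copy(BlockCopyState *s,
+ trace_block_copy_process(s, start);
+
+ bdrv_reset_dirty_bitmap(s->copy_bitmap, start, chunk_end - start);
++ s->in_flight_bytes += chunk_end - start;
+
+ co_get_from_shres(s->mem, chunk_end - start);
+ ret = block_copy_do_copy(s, start, chunk_end, error_is_read);
+ co_put_to_shres(s->mem, chunk_end - start);
++ s->in_flight_bytes -= chunk_end - start;
+ if (ret < 0) {
+ bdrv_set_dirty_bitmap(s->copy_bitmap, start, chunk_end - start);
+ break;
+ }
+
++ progress_work_done(s->progress, chunk_end - start);
+ s->progress_bytes_callback(chunk_end - start, s->progress_opaque);
+ start = chunk_end;
+ ret = 0;
+diff --git a/include/block/block-copy.h b/include/block/block-copy.h
+index 0a161724d7..9def00068c 100644
+--- a/include/block/block-copy.h
++++ b/include/block/block-copy.h
+@@ -26,7 +26,6 @@ typedef struct BlockCopyInFlightReq {
+ } BlockCopyInFlightReq;
+
+ typedef void (*ProgressBytesCallbackFunc)(int64_t bytes, void *opaque);
+-typedef void (*ProgressResetCallbackFunc)(void *opaque);
+ typedef struct BlockCopyState {
+ /*
+ * BdrvChild objects are not owned or managed by block-copy. They are
+@@ -36,6 +35,7 @@ typedef struct BlockCopyState {
+ BdrvChild *source;
+ BdrvChild *target;
+ BdrvDirtyBitmap *copy_bitmap;
++ int64_t in_flight_bytes;
+ int64_t cluster_size;
+ bool use_copy_range;
+ int64_t copy_size;
+@@ -60,15 +60,9 @@ typedef struct BlockCopyState {
+ */
+ bool skip_unallocated;
+
++ ProgressMeter *progress;
+ /* progress_bytes_callback: called when some copying progress is done. */
+ ProgressBytesCallbackFunc progress_bytes_callback;
+-
+- /*
+- * progress_reset_callback: called when some bytes reset from copy_bitmap
+- * (see @skip_unallocated above). The callee is assumed to recalculate how
+- * many bytes remain based on the dirty bit count of copy_bitmap.
+- */
+- ProgressResetCallbackFunc progress_reset_callback;
+ void *progress_opaque;
+
+ SharedResource *mem;
+@@ -79,12 +73,13 @@ BlockCopyState *block_copy_state_new(BdrvChild *source, BdrvChild *target,
+ BdrvRequestFlags write_flags,
+ Error **errp);
+
+-void block_copy_set_callbacks(
++void block_copy_set_progress_callback(
+ BlockCopyState *s,
+ ProgressBytesCallbackFunc progress_bytes_callback,
+- ProgressResetCallbackFunc progress_reset_callback,
+ void *progress_opaque);
+
++void block_copy_set_progress_meter(BlockCopyState *s, ProgressMeter *pm);
++
+ void block_copy_state_free(BlockCopyState *s);
+
+ int64_t block_copy_reset_unallocated(BlockCopyState *s,
+--
+2.25.1
+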
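Review bot: The new `ProgressMeter *progress` and `int64_t in_flight_bytes` fields in include/block/block-copy.h are added without a comment, although the neighbouring `progress_bytes_callback` has one, and `s->progress` is then dereferenced unconditionally in block_copy_reset_unallocated() and block_copy(); a BlockCopyState user that never calls the new block_copy_set_progress_meter() would pass a NULL meter unless block_copy_state_new() (outside the hunk) installs a default, which is not visible here. Suggested header comments: `/* progress: meter fed with done and remaining bytes; must be set via block_copy_set_progress_meter() before block_copy() runs. */` and `/* in_flight_bytes: bytes cleared from copy_bitmap but not yet copied; counted as remaining. */`. Either state that the meter is mandatory or make the two call sites NULL-tolerant. Both block_copy_reset_unallocated() and block_copy() start and end outside their hunks.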
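--- /dev/null
+++ b/debian/patches/stable/lp-1867519-block-fix-crash-on-zero-length-unaligned-write-and-r.patch
@@ -0,0 +1,107 @@
+From ac9d00bf7b47acae6b0e42910d9ed55fef3af5b8 Mon Sep 17 00:00:00 2001
+From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+Date: Thu, 6 Feb 2020 19:42:45 +0300
+Subject: [PATCH] block: fix crash on zero-length unaligned write and read
+
+Commit 7a3f542fbd "block/io: refactor padding" occasionally dropped
+aligning for zero-length request: bdrv_init_padding() blindly return
+false if bytes == 0, like there is nothing to align.
+
+This leads the following command to crash:
+
+./qemu-io --image-opts -c 'write 1 0' \
+ driver=blkdebug,align=512,image.driver=null-co,image.size=512
+
+>> qemu-io: block/io.c:1955: bdrv_aligned_pwritev: Assertion
+ `(offset & (align - 1)) == 0' failed.
+>> Aborted (core dumped)
+
+Prior to 7a3f542fbd we does aligning of such zero requests. Instead of
+recovering this behavior let's just do nothing on such requests as it
+is useless.
+
+Note that driver may have special meaning of zero-length reqeusts, like
+qcow2_co_pwritev_compressed_part, so we can't skip any zero-length
+operation. But for unaligned ones, we can't pass it to driver anyway.
+
+This commit also fixes crash in iotest 80 running with -nocache:
+
+./check -nocache -qcow2 80
+
+which crashes on same assertion due to trying to read empty extra data
+in qcow2_do_read_snapshots().
+
+Cc: qemu-stable@nongnu.org # v4.2
+Fixes: 7a3f542fbd
+Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+Reviewed-by: Max Reitz <mreitz@redhat.com>
+Message-id: 20200206164245.17781-1-vsementsov@virtuozzo.com
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=ac9d00bf7b47acae6b0e42910d9ed55fef3af5b8
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1867519
+Last-Update: 2020-03-18
+
+---
+ block/io.c | 28 +++++++++++++++++++++++++++-
+ 1 file changed, 27 insertions(+), 1 deletion(-)
+
+diff --git a/block/io.c b/block/io.c
+index 1eb2b2bddc..7e4cb74cf4 100644
+--- a/block/io.c
++++ b/block/io.c
+@@ -1565,10 +1565,12 @@ static bool bdrv_init_padding(BlockDriverState *bs,
+ pad->tail = align - pad->tail;
+ }
+
+- if ((!pad->head && !pad->tail) || !bytes) {
++ if (!pad->head && !pad->tail) {
+ return false;
+ }
+
++ assert(bytes); /* Nothing good in aligning zero-length requests */
++
+ sum = pad->head + bytes + pad->tail;
+ pad->buf_len = (sum > align && pad->head && pad->tail) ? 2 * align : align;
+ pad->buf = qemu_blockalign(bs, pad->buf_len);
+@@ -1706,6 +1708,18 @@ int coroutine_fn bdrv_co_preadv_part(BdrvChild *child,
+ return ret;
+ }
+
++ if (bytes == 0 && !QEMU_IS_ALIGNED(offset, bs->bl.request_alignment)) {
++ /*
++ * Aligning zero request is nonsense. Even if driver has special meaning
++ * of zero-length (like qcow2_co_pwritev_compressed_part), we can't pass
++ * it to driver due to request_alignment.
++ *
++ * Still, no reason to return an error if someone do unaligned
++ * zero-length read occasionally.
++ */
++ return 0;
++ }
++
+ bdrv_inc_in_flight(bs);
+
+ /* Don't do copy-on-read if we read data before write operation */
+@@ -2116,6 +2130,18 @@ int coroutine_fn bdrv_co_pwritev_part(BdrvChild *child,
+ return -ENOTSUP;
+ }
+
++ if (bytes == 0 && !QEMU_IS_ALIGNED(offset, bs->bl.request_alignment)) {
++ /*
++ * Aligning zero request is nonsense. Even if driver has special meaning
++ * of zero-length (like qcow2_co_pwritev_compressed_part), we can't pass
++ * it to driver due to request_alignment.
++ *
++ * Still, no reason to return an error if someone do unaligned
++ * zero-length write occasionally.
++ */
++ return 0;
++ }
++
+ bdrv_inc_in_flight(bs);
+ /*
+ * Align write if necessary by performing a read-modify-write cycle.
+--
+2.25.1
+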
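Review bot: The new early-return block in bdrv_co_preadv_part() and bdrv_co_pwritev_part() is the same twelve lines pasted twice, differing only in the word read/write inside the comment; a small static helper that evaluates `bytes == 0 && !QEMU_IS_ALIGNED(offset, bs->bl.request_alignment)` with the explanatory comment attached once would keep the two paths from drifting apart. Separately, `assert(bytes);` in bdrv_init_padding() turns what used to be a silent `return false` into an abort, so every caller that can reach padding with a zero-length unaligned request must now be covered by the two new checks; the padding helper's other callers are outside this hunk and should be confirmed. The comment wording `someone do unaligned` reads better as `someone does an unaligned`. All three enclosing functions start and end outside their hunks.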
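--- /dev/null
+++ b/debian/patches/stable/lp-1867519-block-io-fix-bdrv_co_do_copy_on_readv.patch
@@ -0,0 +1,44 @@
+From 4ab78b19189a81038e744728ed949d09aa477550 Mon Sep 17 00:00:00 2001
+From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+Date: Thu, 12 Mar 2020 11:19:49 +0300
+Subject: [PATCH] block/io: fix bdrv_co_do_copy_on_readv
+
+Prior to 1143ec5ebf4 it was OK to qemu_iovec_from_buf() from aligned-up
+buffer to original qiov, as qemu_iovec_from_buf() will stop at qiov end
+anyway.
+
+But after 1143ec5ebf4 we assume that bdrv_co_do_copy_on_readv works on
+part of original qiov, defined by qiov_offset and bytes. So we must not
+touch qiov behind qiov_offset+bytes bound. Fix it.
+
+Cc: qemu-stable@nongnu.org # v4.2
+Fixes: 1143ec5ebf4
+Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+Reviewed-by: John Snow <jsnow@redhat.com>
+Message-id: 20200312081949.5350-1-vsementsov@virtuozzo.com
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=4ab78b19189a81038e744728ed949d09aa477550
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1867519
+Last-Update: 2020-03-18
+
+---
+ block/io.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/block/io.c b/block/io.c
+index 7e4cb74cf4..aba67f66b9 100644
+--- a/block/io.c
++++ b/block/io.c
+@@ -1399,7 +1399,7 @@ static int coroutine_fn bdrv_co_do_copy_on_readv(BdrvChild *child,
+ if (!(flags & BDRV_REQ_PREFETCH)) {
+ qemu_iovec_from_buf(qiov, qiov_offset + progress,
+ bounce_buffer + skip_bytes,
+- pnum - skip_bytes);
++ MIN(pnum - skip_bytes, bytes - progress));
+ }
+ } else if (!(flags & BDRV_REQ_PREFETCH)) {
+ /* Read directly into the destination */
+--
+2.25.1
+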
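Review bot: The new `MIN(pnum - skip_bytes, bytes - progress)` bound is the whole fix but carries no comment, and bdrv_co_do_copy_on_readv() starts and ends outside the hunk, so a reader meets a bare MIN with no hint that `pnum` can extend past the caller's request. Suggested comment above the qemu_iovec_from_buf() call: `/* pnum covers the aligned region read into bounce_buffer and may extend past offset + bytes; never write beyond the [qiov_offset, qiov_offset + bytes) window of the caller's qiov. */`. The declared types of `pnum`, `skip_bytes`, `bytes` and `progress` are not visible here; if they mix signed and unsigned widths, the comparison inside MIN deserves a check.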
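--- /dev/null
+++ b/debian/patches/stable/lp-1867519-block-nbd-extract-the-common-cleanup-code.patch
@@ -0,0 +1,78 @@
+From 7f493662be4045146a8f45119d8834c9088a0ad6 Mon Sep 17 00:00:00 2001
+From: Pan Nengyuan <pannengyuan@huawei.com>
+Date: Thu, 5 Dec 2019 11:45:27 +0800
+Subject: [PATCH] block/nbd: extract the common cleanup code
+
+The BDRVNBDState cleanup code is common in two places, add
+nbd_clear_bdrvstate() function to do these cleanups.
+
+Suggested-by: Stefano Garzarella <sgarzare@redhat.com>
+Signed-off-by: Pan Nengyuan <pannengyuan@huawei.com>
+Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+Message-Id: <1575517528-44312-2-git-send-email-pannengyuan@huawei.com>
+Reviewed-by: Eric Blake <eblake@redhat.com>
+[eblake: fix compilation error and commit message]
+Signed-off-by: Eric Blake <eblake@redhat.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=7f493662be4045146a8f45119d8834c9088a0ad6
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1867519
+Last-Update: 2020-03-18
+
+---
+ block/nbd.c | 26 +++++++++++++++-----------
+ 1 file changed, 15 insertions(+), 11 deletions(-)
+
+diff --git a/block/nbd.c b/block/nbd.c
+index f69e61e68a..ed0f93ab27 100644
+--- a/block/nbd.c
++++ b/block/nbd.c
+@@ -95,6 +95,19 @@ typedef struct BDRVNBDState {
+
+ static int nbd_client_connect(BlockDriverState *bs, Error **errp);
+
++static void nbd_clear_bdrvstate(BDRVNBDState *s)
++{
++ object_unref(OBJECT(s->tlscreds));
++ qapi_free_SocketAddress(s->saddr);
++ s->saddr = NULL;
++ g_free(s->export);
++ s->export = NULL;
++ g_free(s->tlscredsid);
++ s->tlscredsid = NULL;
++ g_free(s->x_dirty_bitmap);
++ s->x_dirty_bitmap = NULL;
++}
++
+ static void nbd_channel_error(BDRVNBDState *s, int ret)
+ {
+ if (ret == -EIO) {
+@@ -1879,11 +1892,7 @@ static int nbd_process_options(BlockDriverState *bs, QDict *options,
+
+ error:
+ if (ret < 0) {
+- object_unref(OBJECT(s->tlscreds));
+- qapi_free_SocketAddress(s->saddr);
+- g_free(s->export);
+- g_free(s->tlscredsid);
+- g_free(s->x_dirty_bitmap);
++ nbd_clear_bdrvstate(s);
+ }
+ qemu_opts_del(opts);
+ return ret;
+@@ -1962,12 +1971,7 @@ static void nbd_close(BlockDriverState *bs)
+ BDRVNBDState *s = bs->opaque;
+
+ nbd_client_close(bs);
+-
+- object_unref(OBJECT(s->tlscreds));
+- qapi_free_SocketAddress(s->saddr);
+- g_free(s->export);
+- g_free(s->tlscredsid);
+- g_free(s->x_dirty_bitmap);
++ nbd_clear_bdrvstate(s);
+ }
+
+ static int64_t nbd_getlength(BlockDriverState *bs)
+--
+2.25.1
+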
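Review bot: nbd_clear_bdrvstate() resets every freed pointer to NULL except `s->tlscreds`, which is only passed to object_unref(); since the helper is now reachable from both the nbd_process_options() error path and nbd_close(), and the following "fix memory leak in nbd_open()" patch adds a third call site, a second call on the same state would drop a reference on the credentials object twice. Add `s->tlscreds = NULL;` directly after `object_unref(OBJECT(s->tlscreds));` so the helper is idempotent like the rest of its body. Whether a double call can actually happen depends on the open/close sequencing outside this hunk, but making the cleanup idempotent costs one line and removes the question.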
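--- /dev/null
+++ b/debian/patches/stable/lp-1867519-block-nbd-fix-memory-leak-in-nbd_open.patch
@@ -0,0 +1,76 @@
+From 8198cf5ef0ef98118b4176970d1cd998d93ec849 Mon Sep 17 00:00:00 2001
+From: Pan Nengyuan <pannengyuan@huawei.com>
+Date: Thu, 5 Dec 2019 11:45:28 +0800
+Subject: [PATCH] block/nbd: fix memory leak in nbd_open()
+
+In currently implementation there will be a memory leak when
+nbd_client_connect() returns error status. Here is an easy way to
+reproduce:
+
+1. run qemu-iotests as follow and check the result with asan:
+ ./check -raw 143
+
+Following is the asan output backtrack:
+Direct leak of 40 byte(s) in 1 object(s) allocated from:
+ #0 0x7f629688a560 in calloc (/usr/lib64/libasan.so.3+0xc7560)
+ #1 0x7f6295e7e015 in g_malloc0 (/usr/lib64/libglib-2.0.so.0+0x50015)
+ #2 0x56281dab4642 in qobject_input_start_struct /mnt/sdb/qemu-4.2.0-rc0/qapi/qobject-input-visitor.c:295
+ #3 0x56281dab1a04 in visit_start_struct /mnt/sdb/qemu-4.2.0-rc0/qapi/qapi-visit-core.c:49
+ #4 0x56281dad1827 in visit_type_SocketAddress qapi/qapi-visit-sockets.c:386
+ #5 0x56281da8062f in nbd_config /mnt/sdb/qemu-4.2.0-rc0/block/nbd.c:1716
+ #6 0x56281da8062f in nbd_process_options /mnt/sdb/qemu-4.2.0-rc0/block/nbd.c:1829
+ #7 0x56281da8062f in nbd_open /mnt/sdb/qemu-4.2.0-rc0/block/nbd.c:1873
+
+Direct leak of 15 byte(s) in 1 object(s) allocated from:
+ #0 0x7f629688a3a0 in malloc (/usr/lib64/libasan.so.3+0xc73a0)
+ #1 0x7f6295e7dfbd in g_malloc (/usr/lib64/libglib-2.0.so.0+0x4ffbd)
+ #2 0x7f6295e96ace in g_strdup (/usr/lib64/libglib-2.0.so.0+0x68ace)
+ #3 0x56281da804ac in nbd_process_options /mnt/sdb/qemu-4.2.0-rc0/block/nbd.c:1834
+ #4 0x56281da804ac in nbd_open /mnt/sdb/qemu-4.2.0-rc0/block/nbd.c:1873
+
+Indirect leak of 24 byte(s) in 1 object(s) allocated from:
+ #0 0x7f629688a3a0 in malloc (/usr/lib64/libasan.so.3+0xc73a0)
+ #1 0x7f6295e7dfbd in g_malloc (/usr/lib64/libglib-2.0.so.0+0x4ffbd)
+ #2 0x7f6295e96ace in g_strdup (/usr/lib64/libglib-2.0.so.0+0x68ace)
+ #3 0x56281dab41a3 in qobject_input_type_str_keyval /mnt/sdb/qemu-4.2.0-rc0/qapi/qobject-input-visitor.c:536
+ #4 0x56281dab2ee9 in visit_type_str /mnt/sdb/qemu-4.2.0-rc0/qapi/qapi-visit-core.c:297
+ #5 0x56281dad0fa1 in visit_type_UnixSocketAddress_members qapi/qapi-visit-sockets.c:141
+ #6 0x56281dad17b6 in visit_type_SocketAddress_members qapi/qapi-visit-sockets.c:366
+ #7 0x56281dad186a in visit_type_SocketAddress qapi/qapi-visit-sockets.c:393
+ #8 0x56281da8062f in nbd_config /mnt/sdb/qemu-4.2.0-rc0/block/nbd.c:1716
+ #9 0x56281da8062f in nbd_process_options /mnt/sdb/qemu-4.2.0-rc0/block/nbd.c:1829
+ #10 0x56281da8062f in nbd_open /mnt/sdb/qemu-4.2.0-rc0/block/nbd.c:1873
+
+Fixes: 8f071c9db506e03ab
+Reported-by: Euler Robot <euler.robot@huawei.com>
+Signed-off-by: Pan Nengyuan <pannengyuan@huawei.com>
+Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+Cc: qemu-stable <qemu-stable@nongnu.org>
+Cc: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+Message-Id: <1575517528-44312-3-git-send-email-pannengyuan@huawei.com>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Signed-off-by: Eric Blake <eblake@redhat.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=8198cf5ef0ef98118b4176970d1cd998d93ec849
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1867519
+Last-Update: 2020-03-18
+
+---
+ block/nbd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/block/nbd.c b/block/nbd.c
+index ed0f93ab27..976be76647 100644
+--- a/block/nbd.c
++++ b/block/nbd.c
+@@ -1915,6 +1915,7 @@ static int nbd_open(BlockDriverState *bs, QDict *options, int flags,
+
+ ret = nbd_client_connect(bs, errp);
+ if (ret < 0) {
++ nbd_clear_bdrvstate(s);
+ return ret;
+ }
+ /* successfully connected */
+--
+2.25.1
+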
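--- /dev/null
+++ b/debian/patches/stable/lp-1867519-block-qcow2-threads-fix-qcow2_decompress.patch
@@ -0,0 +1,79 @@
+From e7266570f2cf7b3ca2a156c677ee0a59d563458b Mon Sep 17 00:00:00 2001
+From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+Date: Mon, 2 Mar 2020 18:09:30 +0300
+Subject: [PATCH] block/qcow2-threads: fix qcow2_decompress
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+On success path we return what inflate() returns instead of 0. And it
+most probably works for Z_STREAM_END as it is positive, but is
+definitely broken for Z_BUF_ERROR.
+
+While being here, switch to errno return code, to be closer to
+qcow2_compress API (and usual expectations).
+
+Revert condition in if to be more positive. Drop dead initialization of
+ret.
+
+Cc: qemu-stable@nongnu.org # v4.0
+Fixes: 341926ab83e2b
+Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+Message-Id: <20200302150930.16218-1-vsementsov@virtuozzo.com>
+Reviewed-by: Alberto Garcia <berto@igalia.com>
+Reviewed-by: Ján Tomko <jtomko@redhat.com>
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=e7266570f2cf7b3ca2a156c677ee0a59d563458b
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1867519
+Last-Update: 2020-03-18
+
+---
+ block/qcow2-threads.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/block/qcow2-threads.c b/block/qcow2-threads.c
+index 77bb578cdf..a68126f291 100644
+--- a/block/qcow2-threads.c
++++ b/block/qcow2-threads.c
+@@ -128,12 +128,12 @@ static ssize_t qcow2_compress(void *dest, size_t dest_size,
+ * @src - source buffer, @src_size bytes
+ *
+ * Returns: 0 on success
+- * -1 on fail
++ * -EIO on fail
+ */
+ static ssize_t qcow2_decompress(void *dest, size_t dest_size,
+ const void *src, size_t src_size)
+ {
+- int ret = 0;
++ int ret;
+ z_stream strm;
+
+ memset(&strm, 0, sizeof(strm));
+@@ -144,17 +144,19 @@ static ssize_t qcow2_decompress(void *dest, size_t dest_size,
+
+ ret = inflateInit2(&strm, -12);
+ if (ret != Z_OK) {
+- return -1;
++ return -EIO;
+ }
+
+ ret = inflate(&strm, Z_FINISH);
+- if ((ret != Z_STREAM_END && ret != Z_BUF_ERROR) || strm.avail_out != 0) {
++ if ((ret == Z_STREAM_END || ret == Z_BUF_ERROR) && strm.avail_out == 0) {
+ /*
+ * We approve Z_BUF_ERROR because we need @dest buffer to be filled, but
+ * @src buffer may be processed partly (because in qcow2 we know size of
+ * compressed data with precision of one sector)
+ */
+- ret = -1;
++ ret = 0;
++ } else {
++ ret = -EIO;
+ }
+
+ inflateEnd(&strm);
+--
+2.25.1
+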
1117diff --git a/debian/patches/stable/lp-1867519-hw-i386-pc-fix-regression-in-parsing-vga-cmdline-par.patch b/debian/patches/stable/lp-1867519-hw-i386-pc-fix-regression-in-parsing-vga-cmdline-par.patch
1118new file mode 100644
1119index 0000000..c6aa3a3
1120--- /dev/null
1121+++ b/debian/patches/stable/lp-1867519-hw-i386-pc-fix-regression-in-parsing-vga-cmdline-par.patch
1122@@ -0,0 +1,58 @@
1123+From a88c40f02ace88f09b2a85a64831b277b2ebc88c Mon Sep 17 00:00:00 2001
1124+From: Peter Wu <peter@lekensteyn.nl>
1125+Date: Sat, 21 Dec 2019 17:21:24 +0100
1126+Subject: [PATCH] hw/i386/pc: fix regression in parsing vga cmdline parameter
1127+
1128+When the 'vga=' parameter is succeeded by another parameter, QEMU 4.2.0
1129+would refuse to start with a rather cryptic message:
1130+
1131+ $ qemu-system-x86_64 -kernel /boot/vmlinuz-linux -append 'vga=792 quiet'
1132+ qemu: can't parse 'vga' parameter: Invalid argument
1133+
1134+It was not clear whether this applied to the '-vga std' parameter or the
1135+'-append' one. Fix the parsing regression and clarify the error.
1136+
1137+Fixes: 133ef074bd ("hw/i386/pc: replace use of strtol with qemu_strtoui in x86_load_linux()")
1138+Cc: Sergio Lopez <slp@redhat.com>
1139+Signed-off-by: Peter Wu <peter@lekensteyn.nl>
1140+Message-Id: <20191221162124.1159291-1-peter@lekensteyn.nl>
1141+Cc: qemu-stable@nongnu.org
1142+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
1143+
1144+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=a88c40f02ace88f09b2a85a64831b277b2ebc88c
1145+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1867519
1146+Last-Update: 2020-03-18
1147+
1148+---
1149+ hw/i386/x86.c | 8 ++++----
1150+ 1 file changed, 4 insertions(+), 4 deletions(-)
1151+
1152+diff --git a/hw/i386/x86.c b/hw/i386/x86.c
1153+index d8bb5c2a96..9b9a4d5837 100644
1154+--- a/hw/i386/x86.c
1155++++ b/hw/i386/x86.c
1156+@@ -612,6 +612,7 @@ void x86_load_linux(X86MachineState *x86ms,
1157+ vmode = strstr(kernel_cmdline, "vga=");
1158+ if (vmode) {
1159+ unsigned int video_mode;
1160++ const char *end;
1161+ int ret;
1162+ /* skip "vga=" */
1163+ vmode += 4;
1164+@@ -622,10 +623,9 @@ void x86_load_linux(X86MachineState *x86ms,
1165+ } else if (!strncmp(vmode, "ask", 3)) {
1166+ video_mode = 0xfffd;
1167+ } else {
1168+- ret = qemu_strtoui(vmode, NULL, 0, &video_mode);
1169+- if (ret != 0) {
1170+- fprintf(stderr, "qemu: can't parse 'vga' parameter: %s\n",
1171+- strerror(-ret));
1172++ ret = qemu_strtoui(vmode, &end, 0, &video_mode);
1173++ if (ret != 0 || (*end && *end != ' ')) {
1174++ fprintf(stderr, "qemu: invalid 'vga=' kernel parameter.\n");
1175+ exit(1);
1176+ }
1177+ }
1178+--
1179+2.25.1
1180+
1181diff --git a/debian/patches/stable/lp-1867519-intel_iommu-a-fix-to-vtd_find_as_from_bus_num.patch b/debian/patches/stable/lp-1867519-intel_iommu-a-fix-to-vtd_find_as_from_bus_num.patch
1182new file mode 100644
1183index 0000000..4d13d20
1184--- /dev/null
1185+++ b/debian/patches/stable/lp-1867519-intel_iommu-a-fix-to-vtd_find_as_from_bus_num.patch
1186@@ -0,0 +1,44 @@
1187+From a2e1cd41ccfe796529abfd1b6aeb1dd4393762a2 Mon Sep 17 00:00:00 2001
1188+From: Liu Yi L <yi.l.liu@intel.com>
1189+Date: Fri, 3 Jan 2020 21:28:05 +0800
1190+Subject: [PATCH] intel_iommu: a fix to vtd_find_as_from_bus_num()
1191+
1192+Ensure the return value of vtd_find_as_from_bus_num() is NULL by
1193+enforcing vtd_bus=NULL. This would help caller of vtd_find_as_from_bus_num()
1194+to decide if any further operation on the returned vtd_bus.
1195+
1196+Cc: qemu-stable@nongnu.org
1197+Cc: Kevin Tian <kevin.tian@intel.com>
1198+Cc: Jacob Pan <jacob.jun.pan@linux.intel.com>
1199+Cc: Peter Xu <peterx@redhat.com>
1200+Cc: Yi Sun <yi.y.sun@linux.intel.com>
1201+Signed-off-by: Liu Yi L <yi.l.liu@intel.com>
1202+Signed-off-by: Yi Sun <yi.y.sun@linux.intel.com>
1203+Message-Id: <1578058086-4288-2-git-send-email-yi.l.liu@intel.com>
1204+Reviewed-by: Peter Xu <peterx@redhat.com>
1205+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
1206+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
1207+
1208+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=a2e1cd41ccfe796529abfd1b6aeb1dd4393762a2
1209+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1867519
1210+Last-Update: 2020-03-18
1211+
1212+---
1213+ hw/i386/intel_iommu.c | 1 +
1214+ 1 file changed, 1 insertion(+)
1215+
1216+diff --git a/hw/i386/intel_iommu.c b/hw/i386/intel_iommu.c
1217+index ee06993675..609b80750a 100644
1218+--- a/hw/i386/intel_iommu.c
1219++++ b/hw/i386/intel_iommu.c
1220+@@ -948,6 +948,7 @@ static VTDBus *vtd_find_as_from_bus_num(IntelIOMMUState *s, uint8_t bus_num)
1221+ return vtd_bus;
1222+ }
1223+ }
1224++ vtd_bus = NULL;
1225+ }
1226+ return vtd_bus;
1227+ }
1228+--
1229+2.25.1
1230+
1231diff --git a/debian/patches/stable/lp-1867519-intel_iommu-add-present-bit-check-for-pasid-table-en.patch b/debian/patches/stable/lp-1867519-intel_iommu-add-present-bit-check-for-pasid-table-en.patch
1232new file mode 100644
1233index 0000000..02548a2
1234--- /dev/null
1235+++ b/debian/patches/stable/lp-1867519-intel_iommu-add-present-bit-check-for-pasid-table-en.patch
1236@@ -0,0 +1,202 @@
1237+From 56fc1e6ac6bde95bc0369d358587f2234d4dddad Mon Sep 17 00:00:00 2001
1238+From: Liu Yi L <yi.l.liu@intel.com>
1239+Date: Fri, 3 Jan 2020 21:28:06 +0800
1240+Subject: [PATCH] intel_iommu: add present bit check for pasid table entries
1241+
1242+The present bit check for pasid entry (pe) and pasid directory
1243+entry (pdire) were missed in previous commits as fpd bit check
1244+doesn't require present bit as "Set". This patch adds the present
1245+bit check for callers which wants to get a valid pe/pdire.
1246+
1247+Cc: qemu-stable@nongnu.org
1248+Cc: Kevin Tian <kevin.tian@intel.com>
1249+Cc: Jacob Pan <jacob.jun.pan@linux.intel.com>
1250+Cc: Peter Xu <peterx@redhat.com>
1251+Cc: Yi Sun <yi.y.sun@linux.intel.com>
1252+Reviewed-by: Peter Xu <peterx@redhat.com>
1253+Signed-off-by: Liu Yi L <yi.l.liu@intel.com>
1254+Message-Id: <1578058086-4288-3-git-send-email-yi.l.liu@intel.com>
1255+Reviewed-by: Peter Xu <peterx@redhat.com>
1256+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
1257+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
1258+
1259+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=56fc1e6ac6bde95bc0369d358587f2234d4dddad
1260+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1867519
1261+Last-Update: 2020-03-18
1262+
1263+---
1264+ hw/i386/intel_iommu.c | 92 +++++++++++++++++++++++++++-------
1265+ hw/i386/intel_iommu_internal.h | 1 +
1266+ 2 files changed, 74 insertions(+), 19 deletions(-)
1267+
1268+diff --git a/hw/i386/intel_iommu.c b/hw/i386/intel_iommu.c
1269+index 609b80750a..a523ef0e65 100644
1270+--- a/hw/i386/intel_iommu.c
1271++++ b/hw/i386/intel_iommu.c
1272+@@ -686,9 +686,18 @@ static inline bool vtd_pe_type_check(X86IOMMUState *x86_iommu,
1273+ return true;
1274+ }
1275+
1276+-static int vtd_get_pasid_dire(dma_addr_t pasid_dir_base,
1277+- uint32_t pasid,
1278+- VTDPASIDDirEntry *pdire)
1279++static inline bool vtd_pdire_present(VTDPASIDDirEntry *pdire)
1280++{
1281++ return pdire->val & 1;
1282++}
1283++
1284++/**
1285++ * Caller of this function should check present bit if wants
1286++ * to use pdir entry for futher usage except for fpd bit check.
1287++ */
1288++static int vtd_get_pdire_from_pdir_table(dma_addr_t pasid_dir_base,
1289++ uint32_t pasid,
1290++ VTDPASIDDirEntry *pdire)
1291+ {
1292+ uint32_t index;
1293+ dma_addr_t addr, entry_size;
1294+@@ -703,18 +712,22 @@ static int vtd_get_pasid_dire(dma_addr_t pasid_dir_base,
1295+ return 0;
1296+ }
1297+
1298+-static int vtd_get_pasid_entry(IntelIOMMUState *s,
1299+- uint32_t pasid,
1300+- VTDPASIDDirEntry *pdire,
1301+- VTDPASIDEntry *pe)
1302++static inline bool vtd_pe_present(VTDPASIDEntry *pe)
1303++{
1304++ return pe->val[0] & VTD_PASID_ENTRY_P;
1305++}
1306++
1307++static int vtd_get_pe_in_pasid_leaf_table(IntelIOMMUState *s,
1308++ uint32_t pasid,
1309++ dma_addr_t addr,
1310++ VTDPASIDEntry *pe)
1311+ {
1312+ uint32_t index;
1313+- dma_addr_t addr, entry_size;
1314++ dma_addr_t entry_size;
1315+ X86IOMMUState *x86_iommu = X86_IOMMU_DEVICE(s);
1316+
1317+ index = VTD_PASID_TABLE_INDEX(pasid);
1318+ entry_size = VTD_PASID_ENTRY_SIZE;
1319+- addr = pdire->val & VTD_PASID_TABLE_BASE_ADDR_MASK;
1320+ addr = addr + index * entry_size;
1321+ if (dma_memory_read(&address_space_memory, addr, pe, entry_size)) {
1322+ return -VTD_FR_PASID_TABLE_INV;
1323+@@ -732,25 +745,54 @@ static int vtd_get_pasid_entry(IntelIOMMUState *s,
1324+ return 0;
1325+ }
1326+
1327+-static int vtd_get_pasid_entry_from_pasid(IntelIOMMUState *s,
1328+- dma_addr_t pasid_dir_base,
1329+- uint32_t pasid,
1330+- VTDPASIDEntry *pe)
1331++/**
1332++ * Caller of this function should check present bit if wants
1333++ * to use pasid entry for futher usage except for fpd bit check.
1334++ */
1335++static int vtd_get_pe_from_pdire(IntelIOMMUState *s,
1336++ uint32_t pasid,
1337++ VTDPASIDDirEntry *pdire,
1338++ VTDPASIDEntry *pe)
1339++{
1340++ dma_addr_t addr = pdire->val & VTD_PASID_TABLE_BASE_ADDR_MASK;
1341++
1342++ return vtd_get_pe_in_pasid_leaf_table(s, pasid, addr, pe);
1343++}
1344++
1345++/**
1346++ * This function gets a pasid entry from a specified pasid
1347++ * table (includes dir and leaf table) with a specified pasid.
1348++ * Sanity check should be done to ensure return a present
1349++ * pasid entry to caller.
1350++ */
1351++static int vtd_get_pe_from_pasid_table(IntelIOMMUState *s,
1352++ dma_addr_t pasid_dir_base,
1353++ uint32_t pasid,
1354++ VTDPASIDEntry *pe)
1355+ {
1356+ int ret;
1357+ VTDPASIDDirEntry pdire;
1358+
1359+- ret = vtd_get_pasid_dire(pasid_dir_base, pasid, &pdire);
1360++ ret = vtd_get_pdire_from_pdir_table(pasid_dir_base,
1361++ pasid, &pdire);
1362+ if (ret) {
1363+ return ret;
1364+ }
1365+
1366+- ret = vtd_get_pasid_entry(s, pasid, &pdire, pe);
1367++ if (!vtd_pdire_present(&pdire)) {
1368++ return -VTD_FR_PASID_TABLE_INV;
1369++ }
1370++
1371++ ret = vtd_get_pe_from_pdire(s, pasid, &pdire, pe);
1372+ if (ret) {
1373+ return ret;
1374+ }
1375+
1376+- return ret;
1377++ if (!vtd_pe_present(pe)) {
1378++ return -VTD_FR_PASID_TABLE_INV;
1379++ }
1380++
1381++ return 0;
1382+ }
1383+
1384+ static int vtd_ce_get_rid2pasid_entry(IntelIOMMUState *s,
1385+@@ -763,7 +805,7 @@ static int vtd_ce_get_rid2pasid_entry(IntelIOMMUState *s,
1386+
1387+ pasid = VTD_CE_GET_RID2PASID(ce);
1388+ pasid_dir_base = VTD_CE_GET_PASID_DIR_TABLE(ce);
1389+- ret = vtd_get_pasid_entry_from_pasid(s, pasid_dir_base, pasid, pe);
1390++ ret = vtd_get_pe_from_pasid_table(s, pasid_dir_base, pasid, pe);
1391+
1392+ return ret;
1393+ }
1394+@@ -781,7 +823,11 @@ static int vtd_ce_get_pasid_fpd(IntelIOMMUState *s,
1395+ pasid = VTD_CE_GET_RID2PASID(ce);
1396+ pasid_dir_base = VTD_CE_GET_PASID_DIR_TABLE(ce);
1397+
1398+- ret = vtd_get_pasid_dire(pasid_dir_base, pasid, &pdire);
1399++ /*
1400++ * No present bit check since fpd is meaningful even
1401++ * if the present bit is clear.
1402++ */
1403++ ret = vtd_get_pdire_from_pdir_table(pasid_dir_base, pasid, &pdire);
1404+ if (ret) {
1405+ return ret;
1406+ }
1407+@@ -791,7 +837,15 @@ static int vtd_ce_get_pasid_fpd(IntelIOMMUState *s,
1408+ return 0;
1409+ }
1410+
1411+- ret = vtd_get_pasid_entry(s, pasid, &pdire, &pe);
1412++ if (!vtd_pdire_present(&pdire)) {
1413++ return -VTD_FR_PASID_TABLE_INV;
1414++ }
1415++
1416++ /*
1417++ * No present bit check since fpd is meaningful even
1418++ * if the present bit is clear.
1419++ */
1420++ ret = vtd_get_pe_from_pdire(s, pasid, &pdire, &pe);
1421+ if (ret) {
1422+ return ret;
1423+ }
1424+diff --git a/hw/i386/intel_iommu_internal.h b/hw/i386/intel_iommu_internal.h
1425+index edcf9fc9bb..862033ebe6 100644
1426+--- a/hw/i386/intel_iommu_internal.h
1427++++ b/hw/i386/intel_iommu_internal.h
1428+@@ -479,6 +479,7 @@ typedef struct VTDRootEntry VTDRootEntry;
1429+ #define VTD_PASID_ENTRY_FPD (1ULL << 1) /* Fault Processing Disable */
1430+
1431+ /* PASID Granular Translation Type Mask */
1432++#define VTD_PASID_ENTRY_P 1ULL
1433+ #define VTD_SM_PASID_ENTRY_PGTT (7ULL << 6)
1434+ #define VTD_SM_PASID_ENTRY_FLT (1ULL << 6)
1435+ #define VTD_SM_PASID_ENTRY_SLT (2ULL << 6)
1436+--
1437+2.25.1
1438+
1439diff --git a/debian/patches/stable/lp-1867519-iotests-add-test-for-backup-top-failure-on-permissio.patch b/debian/patches/stable/lp-1867519-iotests-add-test-for-backup-top-failure-on-permissio.patch
1440new file mode 100644
1441index 0000000..790c5d4
1442--- /dev/null
1443+++ b/debian/patches/stable/lp-1867519-iotests-add-test-for-backup-top-failure-on-permissio.patch
1444@@ -0,0 +1,138 @@
1445+From a541fcc27c98b96da187c7d4573f3270f3ddd283 Mon Sep 17 00:00:00 2001
1446+From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
1447+Date: Tue, 21 Jan 2020 17:28:02 +0300
1448+Subject: [PATCH] iotests: add test for backup-top failure on permission
1449+ activation
1450+
1451+This test checks that bug is really fixed by previous commit.
1452+
1453+Cc: qemu-stable@nongnu.org # v4.2.0
1454+Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
1455+Message-id: 20200121142802.21467-3-vsementsov@virtuozzo.com
1456+Signed-off-by: Max Reitz <mreitz@redhat.com>
1457+
1458+Origin: backport, https://git.qemu.org/?p=qemu.git;a=commit;h=a541fcc27c98b96da187c7d4573f3270f3ddd283
1459+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1867519
1460+Last-Update: 2020-03-18
1461+
1462+---
1463+ tests/qemu-iotests/283 | 92 ++++++++++++++++++++++++++++++++++++++
1464+ tests/qemu-iotests/283.out | 8 ++++
1465+ tests/qemu-iotests/group | 1 +
1466+ 3 files changed, 101 insertions(+)
1467+ create mode 100644 tests/qemu-iotests/283
1468+ create mode 100644 tests/qemu-iotests/283.out
1469+
1470+--- /dev/null
1471++++ b/tests/qemu-iotests/283
1472+@@ -0,0 +1,92 @@
1473++#!/usr/bin/env python
1474++#
1475++# Test for backup-top filter permission activation failure
1476++#
1477++# Copyright (c) 2019 Virtuozzo International GmbH.
1478++#
1479++# This program is free software; you can redistribute it and/or modify
1480++# it under the terms of the GNU General Public License as published by
1481++# the Free Software Foundation; either version 2 of the License, or
1482++# (at your option) any later version.
1483++#
1484++# This program is distributed in the hope that it will be useful,
1485++# but WITHOUT ANY WARRANTY; without even the implied warranty of
1486++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
1487++# GNU General Public License for more details.
1488++#
1489++# You should have received a copy of the GNU General Public License
1490++# along with this program. If not, see <http://www.gnu.org/licenses/>.
1491++#
1492++
1493++import iotests
1494++
1495++# The test is unrelated to formats, restrict it to qcow2 to avoid extra runs
1496++iotests.verify_image_format(supported_fmts=['qcow2'])
1497++
1498++size = 1024 * 1024
1499++
1500++""" Test description
1501++
1502++When performing a backup, all writes on the source subtree must go through the
1503++backup-top filter so it can copy all data to the target before it is changed.
1504++backup-top filter is appended above source node, to achieve this thing, so all
1505++parents of source node are handled. A configuration with side parents of source
1506++sub-tree with write permission is unsupported (we'd have append several
1507++backup-top filter like nodes to handle such parents). The test create an
1508++example of such configuration and checks that a backup is then not allowed
1509++(blockdev-backup command should fail).
1510++
1511++The configuration:
1512++
1513++ ┌────────┐ target ┌─────────────┐
1514++ │ target │ ◀─────── │ backup_top │
1515++ └────────┘ └─────────────┘
1516++ │
1517++ │ backing
1518++ ▼
1519++ ┌─────────────┐
1520++ │ source │
1521++ └─────────────┘
1522++ │
1523++ │ file
1524++ ▼
1525++ ┌─────────────┐ write perm ┌───────┐
1526++ │ base │ ◀──────────── │ other │
1527++ └─────────────┘ └───────┘
1528++
1529++On activation (see .active field of backup-top state in block/backup-top.c),
1530++backup-top is going to unshare write permission on its source child. Write
1531++unsharing will be propagated to the "source->base" link and will conflict with
1532++other node write permission. So permission update will fail and backup job will
1533++not be started.
1534++
1535++Note, that the only thing which prevents backup of running on such
1536++configuration is default permission propagation scheme. It may be altered by
1537++different block drivers, so backup will run in invalid configuration. But
1538++something is better than nothing. Also, before the previous commit (commit
1539++preceding this test creation), starting backup on such configuration led to
1540++crash, so current "something" is a lot better, and this test actual goal is
1541++to check that crash is fixed :)
1542++"""
1543++
1544++vm = iotests.VM()
1545++vm.launch()
1546++
1547++vm.qmp_log('blockdev-add', **{'node-name': 'target', 'driver': 'null-co'})
1548++
1549++vm.qmp_log('blockdev-add', **{
1550++ 'node-name': 'source',
1551++ 'driver': 'blkdebug',
1552++ 'image': {'node-name': 'base', 'driver': 'null-co', 'size': size}
1553++})
1554++
1555++vm.qmp_log('blockdev-add', **{
1556++ 'node-name': 'other',
1557++ 'driver': 'blkdebug',
1558++ 'image': 'base',
1559++ 'take-child-perms': ['write']
1560++})
1561++
1562++vm.qmp_log('blockdev-backup', sync='full', device='source', target='target')
1563++
1564++vm.shutdown()
1565+--- /dev/null
1566++++ b/tests/qemu-iotests/283.out
1567+@@ -0,0 +1,8 @@
1568++{"execute": "blockdev-add", "arguments": {"driver": "null-co", "node-name": "target"}}
1569++{"return": {}}
1570++{"execute": "blockdev-add", "arguments": {"driver": "blkdebug", "image": {"driver": "null-co", "node-name": "base", "size": 1048576}, "node-name": "source"}}
1571++{"return": {}}
1572++{"execute": "blockdev-add", "arguments": {"driver": "blkdebug", "image": "base", "node-name": "other", "take-child-perms": ["write"]}}
1573++{"return": {}}
1574++{"execute": "blockdev-backup", "arguments": {"device": "source", "sync": "full", "target": "target"}}
1575++{"error": {"class": "GenericError", "desc": "Cannot set permissions for backup-top filter: Conflicts with use by other as 'image', which uses 'write' on base"}}
1576+--- a/tests/qemu-iotests/group
1577++++ b/tests/qemu-iotests/group
1578+@@ -286,3 +286,4 @@
1579+ 272 rw
1580+ 273 backing quick
1581+ 277 rw quick
1582++283 auto quick
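Review bot: `vm.shutdown()` at the end of the new test only runs if every preceding `qmp_log()` call returns; an exception from `launch()` or from a QMP call leaves the QEMU process and its sockets behind for the harness to clean up. Wrap the body in `try:`/`finally: vm.shutdown()` or, if `iotests.VM` supports the context-manager protocol in this tree, use `with iotests.VM() as vm:`. Note also that 283.out pins the exact permission-conflict message text, so any rewording of that error in the permission code will fail this test rather than the feature it checks; that is normal for iotests but worth knowing when the message next changes.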
1583diff --git a/debian/patches/stable/lp-1867519-job-refactor-progress-to-separate-object.patch b/debian/patches/stable/lp-1867519-job-refactor-progress-to-separate-object.patch
1584new file mode 100644
1585index 0000000..a31cf9f
1586--- /dev/null
1587+++ b/debian/patches/stable/lp-1867519-job-refactor-progress-to-separate-object.patch
1588@@ -0,0 +1,230 @@
1589+From 01fe1ca945345d3dc420d70c69488143dc0451b1 Mon Sep 17 00:00:00 2001
1590+From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
1591+Date: Wed, 11 Mar 2020 13:29:56 +0300
1592+Subject: [PATCH] job: refactor progress to separate object
1593+
1594+We need it in separate to pass to the block-copy object in the next
1595+commit.
1596+
1597+Cc: qemu-stable@nongnu.org
1598+Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
1599+Reviewed-by: Andrey Shinkevich <andrey.shinkevich@virtuozzo.com>
1600+Reviewed-by: Max Reitz <mreitz@redhat.com>
1601+Message-Id: <20200311103004.7649-2-vsementsov@virtuozzo.com>
1602+Signed-off-by: Max Reitz <mreitz@redhat.com>
1603+
1604+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=01fe1ca945345d3dc420d70c69488143dc0451b1
1605+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1867519
1606+Last-Update: 2020-03-18
1607+
1608+---
1609+ blockjob.c | 16 +++++-----
1610+ include/qemu/job.h | 11 ++-----
1611+ include/qemu/progress_meter.h | 58 +++++++++++++++++++++++++++++++++++
1612+ job-qmp.c | 4 +--
1613+ job.c | 6 ++--
1614+ qemu-img.c | 6 ++--
1615+ 6 files changed, 76 insertions(+), 25 deletions(-)
1616+ create mode 100644 include/qemu/progress_meter.h
1617+
1618+diff --git a/blockjob.c b/blockjob.c
1619+index 5d63b1e89d..fc850312c1 100644
1620+--- a/blockjob.c
1621++++ b/blockjob.c
1622+@@ -299,8 +299,8 @@ BlockJobInfo *block_job_query(BlockJob *job, Error **errp)
1623+ info->device = g_strdup(job->job.id);
1624+ info->busy = atomic_read(&job->job.busy);
1625+ info->paused = job->job.pause_count > 0;
1626+- info->offset = job->job.progress_current;
1627+- info->len = job->job.progress_total;
1628++ info->offset = job->job.progress.current;
1629++ info->len = job->job.progress.total;
1630+ info->speed = job->speed;
1631+ info->io_status = job->iostatus;
1632+ info->ready = job_is_ready(&job->job),
1633+@@ -330,8 +330,8 @@ static void block_job_event_cancelled(Notifier *n, void *opaque)
1634+
1635+ qapi_event_send_block_job_cancelled(job_type(&job->job),
1636+ job->job.id,
1637+- job->job.progress_total,
1638+- job->job.progress_current,
1639++ job->job.progress.total,
1640++ job->job.progress.current,
1641+ job->speed);
1642+ }
1643+
1644+@@ -350,8 +350,8 @@ static void block_job_event_completed(Notifier *n, void *opaque)
1645+
1646+ qapi_event_send_block_job_completed(job_type(&job->job),
1647+ job->job.id,
1648+- job->job.progress_total,
1649+- job->job.progress_current,
1650++ job->job.progress.total,
1651++ job->job.progress.current,
1652+ job->speed,
1653+ !!msg,
1654+ msg);
1655+@@ -379,8 +379,8 @@ static void block_job_event_ready(Notifier *n, void *opaque)
1656+
1657+ qapi_event_send_block_job_ready(job_type(&job->job),
1658+ job->job.id,
1659+- job->job.progress_total,
1660+- job->job.progress_current,
1661++ job->job.progress.total,
1662++ job->job.progress.current,
1663+ job->speed);
1664+ }
1665+
1666+diff --git a/include/qemu/job.h b/include/qemu/job.h
1667+index bd59cd8944..32aabb1c60 100644
1668+--- a/include/qemu/job.h
1669++++ b/include/qemu/job.h
1670+@@ -28,6 +28,7 @@
1671+
1672+ #include "qapi/qapi-types-job.h"
1673+ #include "qemu/queue.h"
1674++#include "qemu/progress_meter.h"
1675+ #include "qemu/coroutine.h"
1676+ #include "block/aio.h"
1677+
1678+@@ -117,15 +118,7 @@ typedef struct Job {
1679+ /** True if this job should automatically dismiss itself */
1680+ bool auto_dismiss;
1681+
1682+- /**
1683+- * Current progress. The unit is arbitrary as long as the ratio between
1684+- * progress_current and progress_total represents the estimated percentage
1685+- * of work already done.
1686+- */
1687+- int64_t progress_current;
1688+-
1689+- /** Estimated progress_current value at the completion of the job */
1690+- int64_t progress_total;
1691++ ProgressMeter progress;
1692+
1693+ /**
1694+ * Return code from @run and/or @prepare callback(s).
1695+diff --git a/include/qemu/progress_meter.h b/include/qemu/progress_meter.h
1696+new file mode 100644
1697+index 0000000000..9a23ff071c
1698+--- /dev/null
1699++++ b/include/qemu/progress_meter.h
1700+@@ -0,0 +1,58 @@
1701++/*
1702++ * Helper functionality for some process progress tracking.
1703++ *
1704++ * Copyright (c) 2011 IBM Corp.
1705++ * Copyright (c) 2012, 2018 Red Hat, Inc.
1706++ * Copyright (c) 2020 Virtuozzo International GmbH
1707++ *
1708++ * Permission is hereby granted, free of charge, to any person obtaining a copy
1709++ * of this software and associated documentation files (the "Software"), to deal
1710++ * in the Software without restriction, including without limitation the rights
1711++ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
1712++ * copies of the Software, and to permit persons to whom the Software is
1713++ * furnished to do so, subject to the following conditions:
1714++ *
1715++ * The above copyright notice and this permission notice shall be included in
1716++ * all copies or substantial portions of the Software.
1717++ *
1718++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
1719++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
1720++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
1721++ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
1722++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
1723++ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
1724++ * THE SOFTWARE.
1725++ */
1726++
1727++#ifndef QEMU_PROGRESS_METER_H
1728++#define QEMU_PROGRESS_METER_H
1729++
1730++typedef struct ProgressMeter {
1731++ /**
1732++ * Current progress. The unit is arbitrary as long as the ratio between
1733++ * current and total represents the estimated percentage
1734++ * of work already done.
1735++ */
1736++ uint64_t current;
1737++
1738++ /** Estimated current value at the completion of the process */
1739++ uint64_t total;
1740++} ProgressMeter;
1741++
1742++static inline void progress_work_done(ProgressMeter *pm, uint64_t done)
1743++{
1744++ pm->current += done;
1745++}
1746++
1747++static inline void progress_set_remaining(ProgressMeter *pm, uint64_t remaining)
1748++{
1749++ pm->total = pm->current + remaining;
1750++}
1751++
1752++static inline void progress_increase_remaining(ProgressMeter *pm,
1753++ uint64_t delta)
1754++{
1755++ pm->total += delta;
1756++}
1757++
1758++#endif /* QEMU_PROGRESS_METER_H */
1759+diff --git a/job-qmp.c b/job-qmp.c
1760+index fbfed25a00..fecc939ebd 100644
1761+--- a/job-qmp.c
1762++++ b/job-qmp.c
1763+@@ -143,8 +143,8 @@ static JobInfo *job_query_single(Job *job, Error **errp)
1764+ .id = g_strdup(job->id),
1765+ .type = job_type(job),
1766+ .status = job->status,
1767+- .current_progress = job->progress_current,
1768+- .total_progress = job->progress_total,
1769++ .current_progress = job->progress.current,
1770++ .total_progress = job->progress.total,
1771+ .has_error = !!job->err,
1772+ .error = job->err ? \
1773+ g_strdup(error_get_pretty(job->err)) : NULL,
1774+diff --git a/job.c b/job.c
1775+index 04409b40aa..134a07b92e 100644
1776+--- a/job.c
1777++++ b/job.c
1778+@@ -369,17 +369,17 @@ void job_unref(Job *job)
1779+
1780+ void job_progress_update(Job *job, uint64_t done)
1781+ {
1782+- job->progress_current += done;
1783++ progress_work_done(&job->progress, done);
1784+ }
1785+
1786+ void job_progress_set_remaining(Job *job, uint64_t remaining)
1787+ {
1788+- job->progress_total = job->progress_current + remaining;
1789++ progress_set_remaining(&job->progress, remaining);
1790+ }
1791+
1792+ void job_progress_increase_remaining(Job *job, uint64_t delta)
1793+ {
1794+- job->progress_total += delta;
1795++ progress_increase_remaining(&job->progress, delta);
1796+ }
1797+
1798+ void job_event_cancelled(Job *job)
1799+diff --git a/qemu-img.c b/qemu-img.c
1800+index 7b7087dd60..afddf33f08 100644
1801+--- a/qemu-img.c
1802++++ b/qemu-img.c
1803+@@ -884,9 +884,9 @@ static void run_block_job(BlockJob *job, Error **errp)
1804+ do {
1805+ float progress = 0.0f;
1806+ aio_poll(aio_context, true);
1807+- if (job->job.progress_total) {
1808+- progress = (float)job->job.progress_current /
1809+- job->job.progress_total * 100.f;
1810++ if (job->job.progress.total) {
1811++ progress = (float)job->job.progress.current /
1812++ job->job.progress.total * 100.f;
1813+ }
1814+ qemu_progress_print(progress, 0);
1815+ } while (!job_is_ready(&job->job) && !job_is_completed(&job->job));
1816+--
1817+2.25.1
1818+
1819diff --git a/debian/patches/stable/lp-1867519-plugins-core-add-missing-break-in-cb_to_tcg_flags.patch b/debian/patches/stable/lp-1867519-plugins-core-add-missing-break-in-cb_to_tcg_flags.patch
1820new file mode 100644
1821index 0000000..5047c62
1822--- /dev/null
1823+++ b/debian/patches/stable/lp-1867519-plugins-core-add-missing-break-in-cb_to_tcg_flags.patch
1824@@ -0,0 +1,41 @@
1825+From dcc474c69e6a59044b9bb54624bd636cbfd98aa9 Mon Sep 17 00:00:00 2001
1826+From: "Emilio G. Cota" <cota@braap.org>
1827+Date: Tue, 25 Feb 2020 12:47:02 +0000
1828+Subject: [PATCH] plugins/core: add missing break in cb_to_tcg_flags
1829+MIME-Version: 1.0
1830+Content-Type: text/plain; charset=UTF-8
1831+Content-Transfer-Encoding: 8bit
1832+
1833+Fixes: 54cb65d8588
1834+Reported-by: Robert Henry <robhenry@microsoft.com>
1835+Signed-off-by: Emilio G. Cota <cota@braap.org>
1836+Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
1837+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
1838+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
1839+Message-Id: <20200105072940.32204-1-cota@braap.org>
1840+Cc: qemu-stable@nongnu.org
1841+Message-Id: <20200225124710.14152-12-alex.bennee@linaro.org>
1842+
1843+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=dcc474c69e6a59044b9bb54624bd636cbfd98aa9
1844+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1867519
1845+Last-Update: 2020-03-18
1846+
1847+---
1848+ plugins/core.c | 1 +
1849+ 1 file changed, 1 insertion(+)
1850+
1851+diff --git a/plugins/core.c b/plugins/core.c
1852+index 9e1b9e7a91..ed863011ba 100644
1853+--- a/plugins/core.c
1854++++ b/plugins/core.c
1855+@@ -286,6 +286,7 @@ static inline uint32_t cb_to_tcg_flags(enum qemu_plugin_cb_flags flags)
1856+ switch (flags) {
1857+ case QEMU_PLUGIN_CB_RW_REGS:
1858+ ret = 0;
1859++ break;
1860+ case QEMU_PLUGIN_CB_R_REGS:
1861+ ret = TCG_CALL_NO_WG;
1862+ break;
1863+--
1864+2.25.1
1865+
1866diff --git a/debian/patches/stable/lp-1867519-qcow2-Fix-alloc_cluster_abort-for-pre-existing-clust.patch b/debian/patches/stable/lp-1867519-qcow2-Fix-alloc_cluster_abort-for-pre-existing-clust.patch
1867new file mode 100644
1868index 0000000..ed7560a
1869--- /dev/null
1870+++ b/debian/patches/stable/lp-1867519-qcow2-Fix-alloc_cluster_abort-for-pre-existing-clust.patch
1871@@ -0,0 +1,39 @@
1872+From 3ede935fdbbd5f7b24b4724bbfb8938acb5956d8 Mon Sep 17 00:00:00 2001
1873+From: Max Reitz <mreitz@redhat.com>
1874+Date: Tue, 25 Feb 2020 15:31:28 +0100
1875+Subject: [PATCH] qcow2: Fix alloc_cluster_abort() for pre-existing clusters
1876+
1877+handle_alloc() reuses preallocated zero clusters. If anything goes
1878+wrong during the data write, we do not change their L2 entry, so we
1879+must not let qcow2_alloc_cluster_abort() free them.
1880+
1881+Fixes: 8b24cd141549b5b264baeddd4e72902cfb5de23b
1882+Cc: qemu-stable@nongnu.org
1883+Signed-off-by: Max Reitz <mreitz@redhat.com>
1884+Message-Id: <20200225143130.111267-2-mreitz@redhat.com>
1885+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
1886+
1887+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=3ede935fdbbd5f7b24b4724bbfb8938acb5956d8
1888+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1867519
1889+Last-Update: 2020-03-18
1890+
1891+---
1892+ block/qcow2-cluster.c | 2 +-
1893+ 1 file changed, 1 insertion(+), 1 deletion(-)
1894+
1895+diff --git a/block/qcow2-cluster.c b/block/qcow2-cluster.c
1896+index 78c95dfa16..17f1363279 100644
1897+--- a/block/qcow2-cluster.c
1898++++ b/block/qcow2-cluster.c
1899+@@ -1026,7 +1026,7 @@ err:
1900+ void qcow2_alloc_cluster_abort(BlockDriverState *bs, QCowL2Meta *m)
1901+ {
1902+ BDRVQcow2State *s = bs->opaque;
1903+- if (!has_data_file(bs)) {
1904++ if (!has_data_file(bs) && !m->keep_old_clusters) {
1905+ qcow2_free_clusters(bs, m->alloc_offset,
1906+ m->nb_clusters << s->cluster_bits,
1907+ QCOW2_DISCARD_NEVER);
1908+--
1909+2.25.1
1910+
1911diff --git a/debian/patches/stable/lp-1867519-qcow2-Fix-qcow2_alloc_cluster_abort-for-external-dat.patch b/debian/patches/stable/lp-1867519-qcow2-Fix-qcow2_alloc_cluster_abort-for-external-dat.patch
1912new file mode 100644
1913index 0000000..b7acd5b
1914--- /dev/null
1915+++ b/debian/patches/stable/lp-1867519-qcow2-Fix-qcow2_alloc_cluster_abort-for-external-dat.patch
1916@@ -0,0 +1,44 @@
1917+From c3b6658c1a5a3fb24d6c27b2594cf86146f75b22 Mon Sep 17 00:00:00 2001
1918+From: Kevin Wolf <kwolf@redhat.com>
1919+Date: Tue, 11 Feb 2020 10:48:59 +0100
1920+Subject: [PATCH] qcow2: Fix qcow2_alloc_cluster_abort() for external data file
1921+
1922+For external data file, cluster allocations return an offset in the data
1923+file and are not refcounted. In this case, there is nothing to do for
1924+qcow2_alloc_cluster_abort(). Freeing the same offset in the qcow2 file
1925+is wrong and causes crashes in the better case or image corruption in
1926+the worse case.
1927+
1928+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
1929+Message-Id: <20200211094900.17315-3-kwolf@redhat.com>
1930+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
1931+
1932+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=c3b6658c1a5a3fb24d6c27b2594cf86146f75b22
1933+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1867519
1934+Last-Update: 2020-03-18
1935+
1936+---
1937+ block/qcow2-cluster.c | 7 +++++--
1938+ 1 file changed, 5 insertions(+), 2 deletions(-)
1939+
1940+diff --git a/block/qcow2-cluster.c b/block/qcow2-cluster.c
1941+index 1947f13a2d..78c95dfa16 100644
1942+--- a/block/qcow2-cluster.c
1943++++ b/block/qcow2-cluster.c
1944+@@ -1026,8 +1026,11 @@ err:
1945+ void qcow2_alloc_cluster_abort(BlockDriverState *bs, QCowL2Meta *m)
1946+ {
1947+ BDRVQcow2State *s = bs->opaque;
1948+- qcow2_free_clusters(bs, m->alloc_offset, m->nb_clusters << s->cluster_bits,
1949+- QCOW2_DISCARD_NEVER);
1950++ if (!has_data_file(bs)) {
1951++ qcow2_free_clusters(bs, m->alloc_offset,
1952++ m->nb_clusters << s->cluster_bits,
1953++ QCOW2_DISCARD_NEVER);
1954++ }
1955+ }
1956+
1957+ /*
1958+--
1959+2.25.1
1960+
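Review bot: This patch's post-image blob 78c95dfa16 (its `index` line) is the pre-image of the "alloc_cluster_abort() for pre-existing clusters" patch that precedes it in this MR, so debian/patches/series must apply this one first or the later hunk's `- if (!has_data_file(bs)) {` context line will not match; the series file is outside this view, so please confirm the order. The new guard is also silent about why skipping the free is correct — I would add above it `/* With an external data file, alloc_offset is an offset into that file and is not refcounted in the qcow2 image: nothing to free here. */`, which is what the commit message explains.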
1961diff --git a/debian/patches/stable/lp-1867519-qcow2-bitmaps-fix-qcow2_can_store_new_dirty_bitmap.patch b/debian/patches/stable/lp-1867519-qcow2-bitmaps-fix-qcow2_can_store_new_dirty_bitmap.patch
1962new file mode 100644
1963index 0000000..b1b1869
1964--- /dev/null
1965+++ b/debian/patches/stable/lp-1867519-qcow2-bitmaps-fix-qcow2_can_store_new_dirty_bitmap.patch
1966@@ -0,0 +1,102 @@
1967+From a1db8733d28d615bc0daeada6c406a6dd5c5d5ef Mon Sep 17 00:00:00 2001
1968+From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
1969+Date: Mon, 14 Oct 2019 14:51:25 +0300
1970+Subject: [PATCH] qcow2-bitmaps: fix qcow2_can_store_new_dirty_bitmap
1971+
1972+qcow2_can_store_new_dirty_bitmap works wrong, as it considers only
1973+bitmaps already stored in the qcow2 image and ignores persistent
1974+BdrvDirtyBitmap objects.
1975+
1976+So, let's instead count persistent BdrvDirtyBitmaps. We load all qcow2
1977+bitmaps on open, so there should not be any bitmap in the image for
1978+which we don't have BdrvDirtyBitmaps version. If it is - it's a kind of
1979+corruption, and no reason to check for corruptions here (open() and
1980+close() are better places for it).
1981+
1982+Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
1983+Message-id: 20191014115126.15360-2-vsementsov@virtuozzo.com
1984+Reviewed-by: Max Reitz <mreitz@redhat.com>
1985+Cc: qemu-stable@nongnu.org
1986+Signed-off-by: Max Reitz <mreitz@redhat.com>
1987+
1988+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=a1db8733d28d615bc0daeada6c406a6dd5c5d5ef
1989+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1867519
1990+Last-Update: 2020-03-18
1991+
1992+---
1993+ block/qcow2-bitmap.c | 41 ++++++++++++++++++-----------------------
1994+ 1 file changed, 18 insertions(+), 23 deletions(-)
1995+
1996+diff --git a/block/qcow2-bitmap.c b/block/qcow2-bitmap.c
1997+index c6c8ebbe89..d41f5d049b 100644
1998+--- a/block/qcow2-bitmap.c
1999++++ b/block/qcow2-bitmap.c
2000+@@ -1703,8 +1703,14 @@ bool coroutine_fn qcow2_co_can_store_new_dirty_bitmap(BlockDriverState *bs,
2001+ Error **errp)
2002+ {
2003+ BDRVQcow2State *s = bs->opaque;
2004+- bool found;
2005+- Qcow2BitmapList *bm_list;
2006++ BdrvDirtyBitmap *bitmap;
2007++ uint64_t bitmap_directory_size = 0;
2008++ uint32_t nb_bitmaps = 0;
2009++
2010++ if (bdrv_find_dirty_bitmap(bs, name)) {
2011++ error_setg(errp, "Bitmap already exists: %s", name);
2012++ return false;
2013++ }
2014+
2015+ if (s->qcow_version < 3) {
2016+ /* Without autoclear_features, we would always have to assume
2017+@@ -1720,38 +1726,27 @@ bool coroutine_fn qcow2_co_can_store_new_dirty_bitmap(BlockDriverState *bs,
2018+ goto fail;
2019+ }
2020+
2021+- if (s->nb_bitmaps == 0) {
2022+- return true;
2023++ FOR_EACH_DIRTY_BITMAP(bs, bitmap) {
2024++ if (bdrv_dirty_bitmap_get_persistence(bitmap)) {
2025++ nb_bitmaps++;
2026++ bitmap_directory_size +=
2027++ calc_dir_entry_size(strlen(bdrv_dirty_bitmap_name(bitmap)), 0);
2028++ }
2029+ }
2030++ nb_bitmaps++;
2031++ bitmap_directory_size += calc_dir_entry_size(strlen(name), 0);
2032+
2033+- if (s->nb_bitmaps >= QCOW2_MAX_BITMAPS) {
2034++ if (nb_bitmaps > QCOW2_MAX_BITMAPS) {
2035+ error_setg(errp,
2036+ "Maximum number of persistent bitmaps is already reached");
2037+ goto fail;
2038+ }
2039+
2040+- if (s->bitmap_directory_size + calc_dir_entry_size(strlen(name), 0) >
2041+- QCOW2_MAX_BITMAP_DIRECTORY_SIZE)
2042+- {
2043++ if (bitmap_directory_size > QCOW2_MAX_BITMAP_DIRECTORY_SIZE) {
2044+ error_setg(errp, "Not enough space in the bitmap directory");
2045+ goto fail;
2046+ }
2047+
2048+- qemu_co_mutex_lock(&s->lock);
2049+- bm_list = bitmap_list_load(bs, s->bitmap_directory_offset,
2050+- s->bitmap_directory_size, errp);
2051+- qemu_co_mutex_unlock(&s->lock);
2052+- if (bm_list == NULL) {
2053+- goto fail;
2054+- }
2055+-
2056+- found = find_bitmap_by_name(bm_list, name);
2057+- bitmap_list_free(bm_list);
2058+- if (found) {
2059+- error_setg(errp, "Bitmap with the same name is already stored");
2060+- goto fail;
2061+- }
2062+-
2063+ return true;
2064+
2065+ fail:
2066+--
2067+2.25.1
2068+
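Review bot: `strlen(bdrv_dirty_bitmap_name(bitmap))` in the new loop assumes every persistent bitmap has a non-NULL name; if an anonymous bitmap can ever be flagged persistent this dereferences NULL, so please confirm against block/dirty-bitmap.c or guard the call. The early `bdrv_find_dirty_bitmap(bs, name)` check also widens the old behaviour: the removed code only rejected names already stored in the image, the new code rejects any in-memory bitmap of that name, persistent or not, which is reasonable but deserves a comment such as `/* Reject any in-memory bitmap with this name, not only those already stored in the image. */`. Note the error text changed from "Bitmap with the same name is already stored" to "Bitmap already exists", which anything matching on the message will notice.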
2069diff --git a/debian/patches/stable/lp-1867519-qemu-img-Fix-convert-n-B-for-backing-less-targets.patch b/debian/patches/stable/lp-1867519-qemu-img-Fix-convert-n-B-for-backing-less-targets.patch
2070new file mode 100644
2071index 0000000..ed8ab96
2072--- /dev/null
2073+++ b/debian/patches/stable/lp-1867519-qemu-img-Fix-convert-n-B-for-backing-less-targets.patch
2074@@ -0,0 +1,54 @@
2075+From c69291e712ae4ef95f628424db6586473da61d43 Mon Sep 17 00:00:00 2001
2076+From: Max Reitz <mreitz@redhat.com>
2077+Date: Tue, 21 Jan 2020 16:59:14 +0100
2078+Subject: [PATCH] qemu-img: Fix convert -n -B for backing-less targets
2079+
2080+s.target_has_backing does not reflect whether the target BDS has a
2081+backing file; it only tells whether we should use a backing file during
2082+conversion (specified by -B).
2083+
2084+As such, if you use convert -n, the target does not necessarily actually
2085+have a backing file, and then dereferencing out_bs->backing fails here.
2086+
2087+When converting to an existing file, we should set
2088+target_backing_sectors to a negative value, because first, as the
2089+comment explains, this value is only used for optimization, so it is
2090+always fine to do that.
2091+
2092+Second, we use this value to determine where the target must be
2093+initialized to zeroes (overlays are initialized to zero after the end of
2094+their backing file). When converting to an existing file, we cannot
2095+assume that to be true.
2096+
2097+Cc: qemu-stable@nongnu.org
2098+Fixes: 351c8efff9ad809c822d55620df54d575d536f68
2099+ ("qemu-img: Special post-backing convert handling")
2100+Signed-off-by: Max Reitz <mreitz@redhat.com>
2101+Message-Id: <20200121155915.98232-2-mreitz@redhat.com>
2102+Reviewed-by: John Snow <jsnow@redhat.com>
2103+Signed-off-by: Max Reitz <mreitz@redhat.com>
2104+
2105+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=c69291e712ae4ef95f628424db6586473da61d43
2106+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1867519
2107+Last-Update: 2020-03-18
2108+
2109+---
2110+ qemu-img.c | 2 +-
2111+ 1 file changed, 1 insertion(+), 1 deletion(-)
2112+
2113+diff --git a/qemu-img.c b/qemu-img.c
2114+index 0faf2cd2f5..804630a368 100644
2115+--- a/qemu-img.c
2116++++ b/qemu-img.c
2117+@@ -2523,7 +2523,7 @@ static int img_convert(int argc, char **argv)
2118+ }
2119+ }
2120+
2121+- if (s.target_has_backing) {
2122++ if (s.target_has_backing && s.target_is_new) {
2123+ /* Errors are treated as "backing length unknown" (which means
2124+ * s.target_backing_sectors has to be negative, which it will
2125+ * be automatically). The backing file length is used only
2126+--
2127+2.25.1
2128+
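Review bot: The reason for the added `s.target_is_new` condition is only in the commit message; I would extend the comment above the block with `/* Only for a freshly created target: with -n the existing file need not have a backing file (out_bs->backing may be NULL) and cannot be assumed zero past the backing length. */`. The skipped branch relies on `s.target_backing_sectors` already holding a negative value, which is initialised outside this hunk in img_convert(); worth confirming nothing between that initialisation and this point assigns it. img_convert()'s body begins and ends outside the hunk.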
2129diff --git a/debian/patches/stable/lp-1867519-s390-sclp-improve-special-wait-psw-logic.patch b/debian/patches/stable/lp-1867519-s390-sclp-improve-special-wait-psw-logic.patch
2130new file mode 100644
2131index 0000000..fb21432
2132--- /dev/null
2133+++ b/debian/patches/stable/lp-1867519-s390-sclp-improve-special-wait-psw-logic.patch
2134@@ -0,0 +1,40 @@
2135+From 8b51c0961cc13e55b26bb6665ec3a341abdc7658 Mon Sep 17 00:00:00 2001
2136+From: Christian Borntraeger <borntraeger@de.ibm.com>
2137+Date: Thu, 20 Feb 2020 14:16:22 +0100
2138+Subject: [PATCH] s390/sclp: improve special wait psw logic
2139+
2140+There is a special quiesce PSW that we check for "shutdown". Otherwise disabled
2141+wait is detected as "crashed". Architecturally we must only check PSW bits
2142+116-127. Fix this.
2143+
2144+Cc: qemu-stable@nongnu.org
2145+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
2146+Message-Id: <1582204582-22995-1-git-send-email-borntraeger@de.ibm.com>
2147+Reviewed-by: David Hildenbrand <david@redhat.com>
2148+Acked-by: Janosch Frank <frankja@linux.ibm.com>
2149+Signed-off-by: Cornelia Huck <cohuck@redhat.com>
2150+
2151+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=8b51c0961cc13e55b26bb6665ec3a341abdc7658
2152+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1867519
2153+Last-Update: 2020-03-18
2154+
2155+---
2156+ target/s390x/helper.c | 2 +-
2157+ 1 file changed, 1 insertion(+), 1 deletion(-)
2158+
2159+diff --git a/target/s390x/helper.c b/target/s390x/helper.c
2160+index b810ad431e..ed72684911 100644
2161+--- a/target/s390x/helper.c
2162++++ b/target/s390x/helper.c
2163+@@ -89,7 +89,7 @@ hwaddr s390_cpu_get_phys_addr_debug(CPUState *cs, vaddr vaddr)
2164+ static inline bool is_special_wait_psw(uint64_t psw_addr)
2165+ {
2166+ /* signal quiesce */
2167+- return psw_addr == 0xfffUL;
2168++ return (psw_addr & 0xfffUL) == 0xfffUL;
2169+ }
2170+
2171+ void s390_handle_wait(S390CPU *cpu)
2172+--
2173+2.25.1
2174+
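Review bot: `0xfffUL` now serves as both mask and value and the comment `/* signal quiesce */` does not say why only the low 12 bits are compared; I would expand it to `/* signal quiesce: only PSW address bits 116-127 (the low 12 bits) are architected, the rest is ignored */`, which is what the commit message states. Since any disabled-wait PSW whose low 12 bits are 0xfff is now reported as a shutdown rather than a crash, that broadening is worth a word in the same comment so nobody "tightens" the check back later.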
2175diff --git a/debian/patches/stable/lp-1867519-target-arm-Return-correct-IL-bit-in-merge_syn_data_a.patch b/debian/patches/stable/lp-1867519-target-arm-Return-correct-IL-bit-in-merge_syn_data_a.patch
2176new file mode 100644
2177index 0000000..6c4bce9
2178--- /dev/null
2179+++ b/debian/patches/stable/lp-1867519-target-arm-Return-correct-IL-bit-in-merge_syn_data_a.patch
2180@@ -0,0 +1,46 @@
2181+From 30d544839e278dc76017b9a42990c41e84a34377 Mon Sep 17 00:00:00 2001
2182+From: Jeff Kubascik <jeff.kubascik@dornerworks.com>
2183+Date: Fri, 17 Jan 2020 14:09:31 +0000
2184+Subject: [PATCH] target/arm: Return correct IL bit in merge_syn_data_abort
2185+
2186+The IL bit is set for 32-bit instructions, thus passing false
2187+with the is_16bit parameter to syn_data_abort_with_iss() makes
2188+a syn mask that always has the IL bit set.
2189+
2190+Pass is_16bit as true to make the initial syn mask have IL=0,
2191+so that the final IL value comes from or'ing template_syn.
2192+
2193+Cc: qemu-stable@nongnu.org
2194+Fixes: aaa1f954d4ca ("target-arm: A64: Create Instruction Syndromes for Data Aborts")
2195+Signed-off-by: Jeff Kubascik <jeff.kubascik@dornerworks.com>
2196+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2197+Message-id: 20200117004618.2742-2-richard.henderson@linaro.org
2198+[rth: Extracted this as a self-contained bug fix from a larger patch]
2199+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2200+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
2201+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2202+
2203+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=30d544839e278dc76017b9a42990c41e84a34377
2204+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1867519
2205+Last-Update: 2020-03-18
2206+
2207+---
2208+ target/arm/tlb_helper.c | 2 +-
2209+ 1 file changed, 1 insertion(+), 1 deletion(-)
2210+
2211+diff --git a/target/arm/tlb_helper.c b/target/arm/tlb_helper.c
2212+index 5feb312941..e63f8bda29 100644
2213+--- a/target/arm/tlb_helper.c
2214++++ b/target/arm/tlb_helper.c
2215+@@ -44,7 +44,7 @@ static inline uint32_t merge_syn_data_abort(uint32_t template_syn,
2216+ syn = syn_data_abort_with_iss(same_el,
2217+ 0, 0, 0, 0, 0,
2218+ ea, 0, s1ptw, is_write, fsc,
2219+- false);
2220++ true);
2221+ /* Merge the runtime syndrome with the template syndrome. */
2222+ syn |= template_syn;
2223+ }
2224+--
2225+2.25.1
2226+
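Review bot: The bare `true` at the end of the `syn_data_abort_with_iss()` call is opaque next to seven positional zeros, and the reasoning for it lives only in the commit message; I would annotate it inline as `true /* is_16bit: start with IL=0, the real IL comes from template_syn below */`. merge_syn_data_abort() starts and ends outside the hunk, so I cannot see whether template_syn is guaranteed to carry IL for every caller — worth a glance.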
2227diff --git a/debian/patches/stable/lp-1867519-target-arm-Set-ISSIs16Bit-in-make_issinfo.patch b/debian/patches/stable/lp-1867519-target-arm-Set-ISSIs16Bit-in-make_issinfo.patch
2228new file mode 100644
2229index 0000000..46f0f6d
2230--- /dev/null
2231+++ b/debian/patches/stable/lp-1867519-target-arm-Set-ISSIs16Bit-in-make_issinfo.patch
2232@@ -0,0 +1,42 @@
2233+From 1a1fbc6cbb34c26d43d8360c66c1d21681af14a9 Mon Sep 17 00:00:00 2001
2234+From: Richard Henderson <richard.henderson@linaro.org>
2235+Date: Fri, 17 Jan 2020 14:09:31 +0000
2236+Subject: [PATCH] target/arm: Set ISSIs16Bit in make_issinfo
2237+
2238+During the conversion to decodetree, the setting of
2239+ISSIs16Bit got lost. This causes the guest os to
2240+incorrectly adjust trapping memory operations.
2241+
2242+Cc: qemu-stable@nongnu.org
2243+Fixes: 46beb58efbb8a2a32 ("target/arm: Convert T16, load (literal)")
2244+Reported-by: Jeff Kubascik <jeff.kubascik@dornerworks.com>
2245+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2246+Message-id: 20200117004618.2742-3-richard.henderson@linaro.org
2247+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
2248+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2249+
2250+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=1a1fbc6cbb34c26d43d8360c66c1d21681af14a9
2251+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1867519
2252+Last-Update: 2020-03-18
2253+
2254+---
2255+ target/arm/translate.c | 3 +++
2256+ 1 file changed, 3 insertions(+)
2257+
2258+diff --git a/target/arm/translate.c b/target/arm/translate.c
2259+index 0c8624fb42..2f4aea927f 100644
2260+--- a/target/arm/translate.c
2261++++ b/target/arm/translate.c
2262+@@ -8556,6 +8556,9 @@ static ISSInfo make_issinfo(DisasContext *s, int rd, bool p, bool w)
2263+ /* ISS not valid if writeback */
2264+ if (p && !w) {
2265+ ret = rd;
2266++ if (s->base.pc_next - s->pc_curr == 2) {
2267++ ret |= ISSIs16Bit;
2268++ }
2269+ } else {
2270+ ret = ISSInvalid;
2271+ }
2272+--
2273+2.25.1
2274+
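Review bot: `s->base.pc_next - s->pc_curr == 2` encodes the instruction length as a magic number with no explanation; I would put `/* A 2-byte (Thumb-16) encoding must report ISSIs16Bit so the guest can step over the trapping load/store correctly. */` above the check. The test also assumes pc_next has already been advanced past the current insn when make_issinfo() is called, which is not visible in this hunk — please confirm it holds for every caller. make_issinfo()'s body ends outside the hunk.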
2275diff --git a/debian/patches/stable/lp-1867519-target-arm-arm-semi-fix-SYS_OPEN-to-return-nonzero-f.patch b/debian/patches/stable/lp-1867519-target-arm-arm-semi-fix-SYS_OPEN-to-return-nonzero-f.patch
2276new file mode 100644
2277index 0000000..4f7a731
2278--- /dev/null
2279+++ b/debian/patches/stable/lp-1867519-target-arm-arm-semi-fix-SYS_OPEN-to-return-nonzero-f.patch
2280@@ -0,0 +1,79 @@
2281+From 21bf9b06cb6d07c6cc437dfd47b47b28c2bb79db Mon Sep 17 00:00:00 2001
2282+From: Masahiro Yamada <masahiroy@kernel.org>
2283+Date: Fri, 17 Jan 2020 14:09:30 +0000
2284+Subject: [PATCH] target/arm/arm-semi: fix SYS_OPEN to return nonzero
2285+ filehandle
2286+
2287+According to the specification "Semihosting for AArch32 and Aarch64",
2288+the SYS_OPEN operation should return:
2289+
2290+ - A nonzero handle if the call is successful
2291+ - -1 if the call is not successful
2292+
2293+So, it should never return 0.
2294+
2295+Prior to commit 35e9a0a8ce4b ("target/arm/arm-semi: Make semihosting
2296+code hand out its own file descriptors"), the guest fd matched to the
2297+host fd. It returned a nonzero handle on success since the fd 0 is
2298+already used for stdin.
2299+
2300+Now that the guest fd is the index of guestfd_array, it starts from 0.
2301+
2302+I noticed this issue particularly because Trusted Firmware-A built with
2303+PLAT=qemu is no longer working. Its io_semihosting driver only handles
2304+a positive return value as a valid filehandle.
2305+
2306+Basically, there are two ways to fix this:
2307+
2308+ - Use (guestfd - 1) as the index of guestfs_arrary. We need to insert
2309+ increment/decrement to convert the guestfd and the array index back
2310+ and forth.
2311+
2312+ - Keep using guestfd as the index of guestfs_array. The first entry
2313+ of guestfs_array is left unused.
2314+
2315+I thought the latter is simpler. We end up with wasting a small piece
2316+of memory for the unused first entry of guestfd_array, but this is
2317+probably not a big deal.
2318+
2319+Fixes: 35e9a0a8ce4b ("target/arm/arm-semi: Make semihosting code hand out its own file descriptors")
2320+Cc: qemu-stable@nongnu.org
2321+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
2322+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
2323+Message-id: 20200109041228.10131-1-masahiroy@kernel.org
2324+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2325+
2326+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=21bf9b06cb6d07c6cc437dfd47b47b28c2bb79db
2327+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1867519
2328+Last-Update: 2020-03-18
2329+
2330+---
2331+ target/arm/arm-semi.c | 5 +++--
2332+ 1 file changed, 3 insertions(+), 2 deletions(-)
2333+
2334+diff --git a/target/arm/arm-semi.c b/target/arm/arm-semi.c
2335+index 47d61f6fe1..788fe61b51 100644
2336+--- a/target/arm/arm-semi.c
2337++++ b/target/arm/arm-semi.c
2338+@@ -144,7 +144,8 @@ static int alloc_guestfd(void)
2339+ guestfd_array = g_array_new(FALSE, TRUE, sizeof(GuestFD));
2340+ }
2341+
2342+- for (i = 0; i < guestfd_array->len; i++) {
2343++ /* SYS_OPEN should return nonzero handle on success. Start guestfd from 1 */
2344++ for (i = 1; i < guestfd_array->len; i++) {
2345+ GuestFD *gf = &g_array_index(guestfd_array, GuestFD, i);
2346+
2347+ if (gf->type == GuestFDUnused) {
2348+@@ -168,7 +169,7 @@ static GuestFD *do_get_guestfd(int guestfd)
2349+ return NULL;
2350+ }
2351+
2352+- if (guestfd < 0 || guestfd >= guestfd_array->len) {
2353++ if (guestfd <= 0 || guestfd >= guestfd_array->len) {
2354+ return NULL;
2355+ }
2356+
2357+--
2358+2.25.1
2359+
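Review bot: Leaving slot 0 of guestfd_array unused depends on the expand path after the loop (outside this hunk) growing the array from the loop variable rather than from `guestfd_array->len`: with an empty array the loop body never runs, `i` stays 1, and the first handle is 1 only if that tail still does something like `g_array_set_size(guestfd_array, i + 1); return i;`. I would say so in the new comment, e.g. `/* SYS_OPEN must return a nonzero handle: slot 0 is never handed out, and the expand path below relies on i starting at 1. */`. The `guestfd <= 0` change in do_get_guestfd() correctly rejects the reserved slot; the dealloc path is outside this view.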
2360diff --git a/debian/patches/stable/lp-1867519-target-arm-ensure-we-use-current-exception-state-aft.patch b/debian/patches/stable/lp-1867519-target-arm-ensure-we-use-current-exception-state-aft.patch
2361new file mode 100644
2362index 0000000..896de43
2363--- /dev/null
2364+++ b/debian/patches/stable/lp-1867519-target-arm-ensure-we-use-current-exception-state-aft.patch
2365@@ -0,0 +1,127 @@
2366+From f80741d107673f162e3b097fc76a1590036cc9d1 Mon Sep 17 00:00:00 2001
2367+From: =?UTF-8?q?Alex=20Benn=C3=A9e?= <alex.bennee@linaro.org>
2368+Date: Thu, 12 Dec 2019 11:47:34 +0000
2369+Subject: [PATCH] target/arm: ensure we use current exception state after SCR
2370+ update
2371+MIME-Version: 1.0
2372+Content-Type: text/plain; charset=UTF-8
2373+Content-Transfer-Encoding: 8bit
2374+
2375+A write to the SCR can change the effective EL by droppping the system
2376+from secure to non-secure mode. However if we use a cached current_el
2377+from before the change we'll rebuild the flags incorrectly. To fix
2378+this we introduce the ARM_CP_NEWEL CP flag to indicate the new EL
2379+should be used when recomputing the flags.
2380+
2381+Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
2382+Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
2383+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
2384+Message-id: 20191212114734.6962-1-alex.bennee@linaro.org
2385+Cc: Richard Henderson <richard.henderson@linaro.org>
2386+Message-Id: <20191209143723.6368-1-alex.bennee@linaro.org>
2387+Cc: qemu-stable@nongnu.org
2388+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2389+
2390+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=f80741d107673f162e3b097fc76a1590036cc9d1
2391+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1867519
2392+Last-Update: 2020-03-18
2393+
2394+---
2395+ target/arm/cpu.h | 8 ++++++--
2396+ target/arm/helper.c | 14 +++++++++++++-
2397+ target/arm/helper.h | 1 +
2398+ target/arm/translate.c | 6 +++++-
2399+ 4 files changed, 25 insertions(+), 4 deletions(-)
2400+
2401+diff --git a/target/arm/cpu.h b/target/arm/cpu.h
2402+index 4106e4ae59..5f70e9e043 100644
2403+--- a/target/arm/cpu.h
2404++++ b/target/arm/cpu.h
2405+@@ -2238,6 +2238,9 @@ static inline uint64_t cpreg_to_kvm_id(uint32_t cpregid)
2406+ * RAISES_EXC is for when the read or write hook might raise an exception;
2407+ * the generated code will synchronize the CPU state before calling the hook
2408+ * so that it is safe for the hook to call raise_exception().
2409++ * NEWEL is for writes to registers that might change the exception
2410++ * level - typically on older ARM chips. For those cases we need to
2411++ * re-read the new el when recomputing the translation flags.
2412+ */
2413+ #define ARM_CP_SPECIAL 0x0001
2414+ #define ARM_CP_CONST 0x0002
2415+@@ -2257,10 +2260,11 @@ static inline uint64_t cpreg_to_kvm_id(uint32_t cpregid)
2416+ #define ARM_CP_SVE 0x2000
2417+ #define ARM_CP_NO_GDB 0x4000
2418+ #define ARM_CP_RAISES_EXC 0x8000
2419++#define ARM_CP_NEWEL 0x10000
2420+ /* Used only as a terminator for ARMCPRegInfo lists */
2421+-#define ARM_CP_SENTINEL 0xffff
2422++#define ARM_CP_SENTINEL 0xfffff
2423+ /* Mask of only the flag bits in a type field */
2424+-#define ARM_CP_FLAG_MASK 0xf0ff
2425++#define ARM_CP_FLAG_MASK 0x1f0ff
2426+
2427+ /* Valid values for ARMCPRegInfo state field, indicating which of
2428+ * the AArch32 and AArch64 execution states this register is visible in.
2429+diff --git a/target/arm/helper.c b/target/arm/helper.c
2430+index 3a93844a3b..5074b5f69c 100644
2431+--- a/target/arm/helper.c
2432++++ b/target/arm/helper.c
2433+@@ -5133,7 +5133,7 @@ static const ARMCPRegInfo el3_cp_reginfo[] = {
2434+ .opc0 = 3, .opc1 = 6, .crn = 1, .crm = 1, .opc2 = 0,
2435+ .access = PL3_RW, .fieldoffset = offsetof(CPUARMState, cp15.scr_el3),
2436+ .resetvalue = 0, .writefn = scr_write },
2437+- { .name = "SCR", .type = ARM_CP_ALIAS,
2438++ { .name = "SCR", .type = ARM_CP_ALIAS | ARM_CP_NEWEL,
2439+ .cp = 15, .opc1 = 0, .crn = 1, .crm = 1, .opc2 = 0,
2440+ .access = PL1_RW, .accessfn = access_trap_aa32s_el1,
2441+ .fieldoffset = offsetoflow32(CPUARMState, cp15.scr_el3),
2442+@@ -11472,6 +11472,18 @@ void HELPER(rebuild_hflags_m32)(CPUARMState *env, int el)
2443+ env->hflags = rebuild_hflags_m32(env, fp_el, mmu_idx);
2444+ }
2445+
2446++/*
2447++ * If we have triggered a EL state change we can't rely on the
2448++ * translator having passed it too us, we need to recompute.
2449++ */
2450++void HELPER(rebuild_hflags_a32_newel)(CPUARMState *env)
2451++{
2452++ int el = arm_current_el(env);
2453++ int fp_el = fp_exception_el(env, el);
2454++ ARMMMUIdx mmu_idx = arm_mmu_idx_el(env, el);
2455++ env->hflags = rebuild_hflags_a32(env, fp_el, mmu_idx);
2456++}
2457++
2458+ void HELPER(rebuild_hflags_a32)(CPUARMState *env, int el)
2459+ {
2460+ int fp_el = fp_exception_el(env, el);
2461+diff --git a/target/arm/helper.h b/target/arm/helper.h
2462+index 7ce5169afb..aa3d8cd08f 100644
2463+--- a/target/arm/helper.h
2464++++ b/target/arm/helper.h
2465+@@ -91,6 +91,7 @@ DEF_HELPER_2(get_user_reg, i32, env, i32)
2466+ DEF_HELPER_3(set_user_reg, void, env, i32, i32)
2467+
2468+ DEF_HELPER_FLAGS_2(rebuild_hflags_m32, TCG_CALL_NO_RWG, void, env, int)
2469++DEF_HELPER_FLAGS_1(rebuild_hflags_a32_newel, TCG_CALL_NO_RWG, void, env)
2470+ DEF_HELPER_FLAGS_2(rebuild_hflags_a32, TCG_CALL_NO_RWG, void, env, int)
2471+ DEF_HELPER_FLAGS_2(rebuild_hflags_a64, TCG_CALL_NO_RWG, void, env, int)
2472+
2473+diff --git a/target/arm/translate.c b/target/arm/translate.c
2474+index f162be8434..2b6c1f91bf 100644
2475+--- a/target/arm/translate.c
2476++++ b/target/arm/translate.c
2477+@@ -7083,7 +7083,11 @@ static int disas_coproc_insn(DisasContext *s, uint32_t insn)
2478+ if (arm_dc_feature(s, ARM_FEATURE_M)) {
2479+ gen_helper_rebuild_hflags_m32(cpu_env, tcg_el);
2480+ } else {
2481+- gen_helper_rebuild_hflags_a32(cpu_env, tcg_el);
2482++ if (ri->type & ARM_CP_NEWEL) {
2483++ gen_helper_rebuild_hflags_a32_newel(cpu_env);
2484++ } else {
2485++ gen_helper_rebuild_hflags_a32(cpu_env, tcg_el);
2486++ }
2487+ }
2488+ tcg_temp_free_i32(tcg_el);
2489+ /*
2490+--
2491+2.25.1
2492+
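Review bot: On the `ARM_CP_NEWEL` branch in disas_coproc_insn(), `tcg_el` is still materialised and freed although the new helper ignores it; a short `/* el is recomputed inside the helper */` next to the call would stop a reader thinking the value is lost. The cpu.h comment "typically on older ARM chips" is vague about when the flag is needed; I would write `/* e.g. an AArch32 write to SCR.NS from a Secure PL1 mode, which changes the EL without taking an exception */` and note that the AArch64 SCR_EL3 entry deliberately lacks the flag because the CPU stays at EL3 there — please confirm that reading against arm_current_el(). The comment on the new helper has two typos ("a EL", "passed it too us") worth fixing while touching it.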
2493diff --git a/debian/patches/stable/lp-1867519-target-i386-kvm-initialize-feature-MSRs-very-early.patch b/debian/patches/stable/lp-1867519-target-i386-kvm-initialize-feature-MSRs-very-early.patch
2494new file mode 100644
2495index 0000000..9316575
2496--- /dev/null
2497+++ b/debian/patches/stable/lp-1867519-target-i386-kvm-initialize-feature-MSRs-very-early.patch
2498@@ -0,0 +1,169 @@
2499+From 420ae1fc51c99abfd03b1c590f55617edd2a2bed Mon Sep 17 00:00:00 2001
2500+From: Paolo Bonzini <pbonzini@redhat.com>
2501+Date: Mon, 20 Jan 2020 19:21:42 +0100
2502+Subject: [PATCH] target/i386: kvm: initialize feature MSRs very early
2503+
2504+Some read-only MSRs affect the behavior of ioctls such as
2505+KVM_SET_NESTED_STATE. We can initialize them once and for all
2506+right after the CPU is realized, since they will never be modified
2507+by the guest.
2508+
2509+Reported-by: Qingua Cheng <qcheng@redhat.com>
2510+Cc: qemu-stable@nongnu.org
2511+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2512+Message-Id: <1579544504-3616-2-git-send-email-pbonzini@redhat.com>
2513+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2514+
2515+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=420ae1fc51c99abfd03b1c590f55617edd2a2bed
2516+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1867519
2517+Last-Update: 2020-03-18
2518+
2519+---
2520+ target/i386/kvm.c | 81 +++++++++++++++++++++++++-----------------
2521+ target/i386/kvm_i386.h | 1 +
2522+ 2 files changed, 49 insertions(+), 33 deletions(-)
2523+
2524+diff --git a/target/i386/kvm.c b/target/i386/kvm.c
2525+index 7ee3202634..f6dd6b790e 100644
2526+--- a/target/i386/kvm.c
2527++++ b/target/i386/kvm.c
2528+@@ -67,6 +67,8 @@
2529+ * 255 kvm_msr_entry structs */
2530+ #define MSR_BUF_SIZE 4096
2531+
2532++static void kvm_init_msrs(X86CPU *cpu);
2533++
2534+ const KVMCapabilityInfo kvm_arch_required_capabilities[] = {
2535+ KVM_CAP_INFO(SET_TSS_ADDR),
2536+ KVM_CAP_INFO(EXT_CPUID),
2537+@@ -1842,6 +1844,8 @@ int kvm_arch_init_vcpu(CPUState *cs)
2538+ has_msr_tsc_aux = false;
2539+ }
2540+
2541++ kvm_init_msrs(cpu);
2542++
2543+ r = hyperv_init_vcpu(cpu);
2544+ if (r) {
2545+ goto fail;
2546+@@ -2660,11 +2664,53 @@ static void kvm_msr_entry_add_vmx(X86CPU *cpu, FeatureWordArray f)
2547+ VMCS12_MAX_FIELD_INDEX << 1);
2548+ }
2549+
2550++static int kvm_buf_set_msrs(X86CPU *cpu)
2551++{
2552++ int ret = kvm_vcpu_ioctl(CPU(cpu), KVM_SET_MSRS, cpu->kvm_msr_buf);
2553++ if (ret < 0) {
2554++ return ret;
2555++ }
2556++
2557++ if (ret < cpu->kvm_msr_buf->nmsrs) {
2558++ struct kvm_msr_entry *e = &cpu->kvm_msr_buf->entries[ret];
2559++ error_report("error: failed to set MSR 0x%" PRIx32 " to 0x%" PRIx64,
2560++ (uint32_t)e->index, (uint64_t)e->data);
2561++ }
2562++
2563++ assert(ret == cpu->kvm_msr_buf->nmsrs);
2564++ return 0;
2565++}
2566++
2567++static void kvm_init_msrs(X86CPU *cpu)
2568++{
2569++ CPUX86State *env = &cpu->env;
2570++
2571++ kvm_msr_buf_reset(cpu);
2572++ if (has_msr_arch_capabs) {
2573++ kvm_msr_entry_add(cpu, MSR_IA32_ARCH_CAPABILITIES,
2574++ env->features[FEAT_ARCH_CAPABILITIES]);
2575++ }
2576++
2577++ if (has_msr_core_capabs) {
2578++ kvm_msr_entry_add(cpu, MSR_IA32_CORE_CAPABILITY,
2579++ env->features[FEAT_CORE_CAPABILITY]);
2580++ }
2581++
2582++ /*
2583++ * Older kernels do not include VMX MSRs in KVM_GET_MSR_INDEX_LIST, but
2584++ * all kernels with MSR features should have them.
2585++ */
2586++ if (kvm_feature_msrs && cpu_has_vmx(env)) {
2587++ kvm_msr_entry_add_vmx(cpu, env->features);
2588++ }
2589++
2590++ assert(kvm_buf_set_msrs(cpu) == 0);
2591++}
2592++
2593+ static int kvm_put_msrs(X86CPU *cpu, int level)
2594+ {
2595+ CPUX86State *env = &cpu->env;
2596+ int i;
2597+- int ret;
2598+
2599+ kvm_msr_buf_reset(cpu);
2600+
2601+@@ -2722,17 +2768,6 @@ static int kvm_put_msrs(X86CPU *cpu, int level)
2602+ }
2603+ #endif
2604+
2605+- /* If host supports feature MSR, write down. */
2606+- if (has_msr_arch_capabs) {
2607+- kvm_msr_entry_add(cpu, MSR_IA32_ARCH_CAPABILITIES,
2608+- env->features[FEAT_ARCH_CAPABILITIES]);
2609+- }
2610+-
2611+- if (has_msr_core_capabs) {
2612+- kvm_msr_entry_add(cpu, MSR_IA32_CORE_CAPABILITY,
2613+- env->features[FEAT_CORE_CAPABILITY]);
2614+- }
2615+-
2616+ /*
2617+ * The following MSRs have side effects on the guest or are too heavy
2618+ * for normal writeback. Limit them to reset or full state updates.
2619+@@ -2910,14 +2945,6 @@ static int kvm_put_msrs(X86CPU *cpu, int level)
2620+
2621+ /* Note: MSR_IA32_FEATURE_CONTROL is written separately, see
2622+ * kvm_put_msr_feature_control. */
2623+-
2624+- /*
2625+- * Older kernels do not include VMX MSRs in KVM_GET_MSR_INDEX_LIST, but
2626+- * all kernels with MSR features should have them.
2627+- */
2628+- if (kvm_feature_msrs && cpu_has_vmx(env)) {
2629+- kvm_msr_entry_add_vmx(cpu, env->features);
2630+- }
2631+ }
2632+
2633+ if (env->mcg_cap) {
2634+@@ -2933,19 +2960,7 @@ static int kvm_put_msrs(X86CPU *cpu, int level)
2635+ }
2636+ }
2637+
2638+- ret = kvm_vcpu_ioctl(CPU(cpu), KVM_SET_MSRS, cpu->kvm_msr_buf);
2639+- if (ret < 0) {
2640+- return ret;
2641+- }
2642+-
2643+- if (ret < cpu->kvm_msr_buf->nmsrs) {
2644+- struct kvm_msr_entry *e = &cpu->kvm_msr_buf->entries[ret];
2645+- error_report("error: failed to set MSR 0x%" PRIx32 " to 0x%" PRIx64,
2646+- (uint32_t)e->index, (uint64_t)e->data);
2647+- }
2648+-
2649+- assert(ret == cpu->kvm_msr_buf->nmsrs);
2650+- return 0;
2651++ return kvm_buf_set_msrs(cpu);
2652+ }
2653+
2654+
2655+diff --git a/target/i386/kvm_i386.h b/target/i386/kvm_i386.h
2656+index 7d0242f5fb..00bde7acaf 100644
2657+--- a/target/i386/kvm_i386.h
2658++++ b/target/i386/kvm_i386.h
2659+@@ -46,4 +46,5 @@ bool kvm_enable_x2apic(void);
2660+ bool kvm_has_x2apic_api(void);
2661+
2662+ bool kvm_hv_vpindex_settable(void);
2663++
2664+ #endif
2665+--
2666+2.25.1
2667+
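Review bot: `assert(kvm_buf_set_msrs(cpu) == 0);` in kvm_init_msrs() puts the KVM_SET_MSRS ioctl inside the assert expression, so a build with NDEBUG would silently skip programming the feature MSRs; QEMU's osdep.h rejects NDEBUG builds as far as I recall, but `int ret = kvm_buf_set_msrs(cpu); assert(ret == 0);` costs nothing and does not depend on that. Because these MSRs are now written once from kvm_arch_init_vcpu() and no longer on every kvm_put_msrs(), kvm_init_msrs() should carry a comment saying so: `/* Read-only feature MSRs: written once after realize because KVM consults them in ioctls such as KVM_SET_NESTED_STATE and the guest can never modify them. */`. The kvm_i386.h hunk only adds a blank line and could be dropped from the backport.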
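diff --git a/debian/patches/stable/lp-1867519-tcg-save-vaddr-temp-for-plugin-usage.patch b/debian/patches/stable/lp-1867519-tcg-save-vaddr-temp-for-plugin-usage.patch
new file mode 100644
index 0000000..5d0bbf2
--- /dev/null
+++ b/debian/patches/stable/lp-1867519-tcg-save-vaddr-temp-for-plugin-usage.patch
@@ -0,0 +1,98 @@
+From fcc54ab5c7ca84ae72e8bf3781c33c9193a911aa Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Alex=20Benn=C3=A9e?= <alex.bennee@linaro.org>
+Date: Tue, 25 Feb 2020 17:49:08 +0000
+Subject: [PATCH] tcg: save vaddr temp for plugin usage
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+While do_gen_mem_cb does copy (via extu_tl_i64) vaddr into a new temp
+this won't help if the vaddr temp gets clobbered by the actual
+load/store op. To avoid this clobbering we explicitly copy vaddr
+before the op to ensure it is live my the time we do the
+instrumentation.
+
+Suggested-by: Richard Henderson <richard.henderson@linaro.org>
+Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Emilio G. Cota <cota@braap.org>
+Cc: qemu-stable@nongnu.org
+Message-Id: <20200225124710.14152-18-alex.bennee@linaro.org>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=fcc54ab5c7ca84ae72e8bf3781c33c9193a911aa
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1867519
+Last-Update: 2020-03-18
+
+---
+ tcg/tcg-op.c | 23 ++++++++++++++++++++---
+ 1 file changed, 20 insertions(+), 3 deletions(-)
+
+diff --git a/tcg/tcg-op.c b/tcg/tcg-op.c
+index 7d782002e3..e2e25ebf7d 100644
+--- a/tcg/tcg-op.c
++++ b/tcg/tcg-op.c
+@@ -2794,13 +2794,26 @@ static void tcg_gen_req_mo(TCGBar type)
+ }
+ }
+
++static inline TCGv plugin_prep_mem_callbacks(TCGv vaddr)
++{
++#ifdef CONFIG_PLUGIN
++ if (tcg_ctx->plugin_insn != NULL) {
++ /* Save a copy of the vaddr for use after a load. */
++ TCGv temp = tcg_temp_new();
++ tcg_gen_mov_tl(temp, vaddr);
++ return temp;
++ }
++#endif
++ return vaddr;
++}
++
+ static inline void plugin_gen_mem_callbacks(TCGv vaddr, uint16_t info)
+ {
+ #ifdef CONFIG_PLUGIN
+- if (tcg_ctx->plugin_insn == NULL) {
+- return;
++ if (tcg_ctx->plugin_insn != NULL) {
++ plugin_gen_empty_mem_callback(vaddr, info);
++ tcg_temp_free(vaddr);
+ }
+- plugin_gen_empty_mem_callback(vaddr, info);
+ #endif
+ }
+
+@@ -2822,6 +2835,7 @@ void tcg_gen_qemu_ld_i32(TCGv_i32 val, TCGv addr, TCGArg idx, MemOp memop)
+ }
+ }
+
++ addr = plugin_prep_mem_callbacks(addr);
+ gen_ldst_i32(INDEX_op_qemu_ld_i32, val, addr, memop, idx);
+ plugin_gen_mem_callbacks(addr, info);
+
+@@ -2868,6 +2882,7 @@ void tcg_gen_qemu_st_i32(TCGv_i32 val, TCGv addr, TCGArg idx, MemOp memop)
+ memop &= ~MO_BSWAP;
+ }
+
++ addr = plugin_prep_mem_callbacks(addr);
+ gen_ldst_i32(INDEX_op_qemu_st_i32, val, addr, memop, idx);
+ plugin_gen_mem_callbacks(addr, info);
+
+@@ -2905,6 +2920,7 @@ void tcg_gen_qemu_ld_i64(TCGv_i64 val, TCGv addr, TCGArg idx, MemOp memop)
+ }
+ }
+
++ addr = plugin_prep_mem_callbacks(addr);
+ gen_ldst_i64(INDEX_op_qemu_ld_i64, val, addr, memop, idx);
+ plugin_gen_mem_callbacks(addr, info);
+
+@@ -2967,6 +2983,7 @@ void tcg_gen_qemu_st_i64(TCGv_i64 val, TCGv addr, TCGArg idx, MemOp memop)
+ memop &= ~MO_BSWAP;
+ }
+
++ addr = plugin_prep_mem_callbacks(addr);
+ gen_ldst_i64(INDEX_op_qemu_st_i64, val, addr, memop, idx);
+ plugin_gen_mem_callbacks(addr, info);
+
+--
+2.25.1
+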
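Review bot: plugin_prep_mem_callbacks() hands back a temp that only plugin_gen_mem_callbacks() frees, but neither function's comment states that pairing, and the four callers depend on it by reassigning `addr` before gen_ldst_*. A header comment on plugin_prep_mem_callbacks such as `/* With a plugin active, returns a fresh temp holding vaddr; the caller must pass it to plugin_gen_mem_callbacks(), which frees it. Without a plugin, vaddr is returned unchanged and nothing is freed. */` would make the ownership explicit. The inline comment `Save a copy of the vaddr for use after a load.` also covers the two store paths, so `load/store` would be more accurate. The callers' bodies (tcg_gen_qemu_ld_i32 and the three siblings) start outside their hunks.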
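diff --git a/debian/patches/stable/lp-1867519-tpm-ppi-page-align-PPI-RAM.patch b/debian/patches/stable/lp-1867519-tpm-ppi-page-align-PPI-RAM.patch
new file mode 100644
index 0000000..209bd3e
--- /dev/null
+++ b/debian/patches/stable/lp-1867519-tpm-ppi-page-align-PPI-RAM.patch
@@ -0,0 +1,47 @@
+From 71e415c8a75c130875f14d6b2136825789feb297 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
+Date: Fri, 3 Jan 2020 11:39:59 +0400
+Subject: [PATCH] tpm-ppi: page-align PPI RAM
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+post-copy migration fails on destination with error such as:
+2019-12-26T10:22:44.714644Z qemu-kvm: ram_block_discard_range:
+Unaligned start address: 0x559d2afae9a0
+
+Use qemu_memalign() to constrain the PPI RAM memory alignment.
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
+Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
+Message-id: 20200103074000.1006389-3-marcandre.lureau@redhat.com
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=71e415c8a75c130875f14d6b2136825789feb297
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1867519
+Last-Update: 2020-03-18
+
+---
+ hw/tpm/tpm_ppi.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/hw/tpm/tpm_ppi.c b/hw/tpm/tpm_ppi.c
+index ff314592b4..6d9c1a3e40 100644
+--- a/hw/tpm/tpm_ppi.c
++++ b/hw/tpm/tpm_ppi.c
+@@ -43,7 +43,8 @@ void tpm_ppi_reset(TPMPPI *tpmppi)
+ void tpm_ppi_init(TPMPPI *tpmppi, struct MemoryRegion *m,
+ hwaddr addr, Object *obj)
+ {
+- tpmppi->buf = g_malloc0(HOST_PAGE_ALIGN(TPM_PPI_ADDR_SIZE));
++ tpmppi->buf = qemu_memalign(qemu_real_host_page_size,
++ HOST_PAGE_ALIGN(TPM_PPI_ADDR_SIZE));
+ memory_region_init_ram_device_ptr(&tpmppi->ram, obj, "tpm-ppi",
+ TPM_PPI_ADDR_SIZE, tpmppi->buf);
+ vmstate_register_ram(&tpmppi->ram, DEVICE(obj));
+--
+2.25.1
+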
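Review bot: Replacing g_malloc0() with qemu_memalign() in tpm_ppi_init drops the zero-initialisation the old call provided, and the very next statement exposes the buffer to the guest through memory_region_init_ram_device_ptr(), so stale host heap contents become guest-readable unless something else clears the buffer first. qemu_memalign() does not zero memory; adding `memset(tpmppi->buf, 0, HOST_PAGE_ALIGN(TPM_PPI_ADDR_SIZE));` directly after the allocation restores the previous contract at no cost. If tpm_ppi_reset(), which is outside the hunk, already clears the buffer before the guest can run, a one-line comment at the allocation saying so would be enough.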
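diff --git a/debian/patches/stable/lp-1867519-vfio-pci-Don-t-remove-irqchip-notifier-if-not-regist.patch b/debian/patches/stable/lp-1867519-vfio-pci-Don-t-remove-irqchip-notifier-if-not-regist.patch
new file mode 100644
index 0000000..f52b1bd
--- /dev/null
+++ b/debian/patches/stable/lp-1867519-vfio-pci-Don-t-remove-irqchip-notifier-if-not-regist.patch
@@ -0,0 +1,50 @@
+From 0446f8121723b134ca1d1ed0b73e96d4a0a8689d Mon Sep 17 00:00:00 2001
+From: Peter Xu <peterx@redhat.com>
+Date: Mon, 6 Jan 2020 13:34:45 -0700
+Subject: [PATCH] vfio/pci: Don't remove irqchip notifier if not registered
+
+The kvm irqchip notifier is only registered if the device supports
+INTx, however it's unconditionally removed. If the assigned device
+does not support INTx, this will cause QEMU to crash when unplugging
+the device from the system. Change it to conditionally remove the
+notifier only if the notify hook is setup.
+
+CC: Eduardo Habkost <ehabkost@redhat.com>
+CC: David Gibson <david@gibson.dropbear.id.au>
+CC: Alex Williamson <alex.williamson@redhat.com>
+Cc: qemu-stable@nongnu.org # v4.2
+Reported-by: yanghliu@redhat.com
+Debugged-by: Eduardo Habkost <ehabkost@redhat.com>
+Fixes: c5478fea27ac ("vfio/pci: Respond to KVM irqchip change notifier")
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1782678
+Signed-off-by: Peter Xu <peterx@redhat.com>
+Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
+Reviewed-by: Greg Kurz <groug@kaod.org>
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=0446f8121723b134ca1d1ed0b73e96d4a0a8689d
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1867519
+Last-Update: 2020-03-18
+
+---
+ hw/vfio/pci.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/hw/vfio/pci.c b/hw/vfio/pci.c
+index 2d40b396f2..337a173ce7 100644
+--- a/hw/vfio/pci.c
++++ b/hw/vfio/pci.c
+@@ -3076,7 +3076,9 @@ static void vfio_exitfn(PCIDevice *pdev)
+ vfio_unregister_req_notifier(vdev);
+ vfio_unregister_err_notifier(vdev);
+ pci_device_set_intx_routing_notifier(&vdev->pdev, NULL);
+- kvm_irqchip_remove_change_notifier(&vdev->irqchip_change_notifier);
++ if (vdev->irqchip_change_notifier.notify) {
++ kvm_irqchip_remove_change_notifier(&vdev->irqchip_change_notifier);
++ }
+ vfio_disable_interrupts(vdev);
+ if (vdev->intx.mmap_timer) {
+ timer_free(vdev->intx.mmap_timer);
+--
+2.25.1
+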
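Review bot: The new guard in vfio_exitfn uses `vdev->irqchip_change_notifier.notify` as the marker for "the notifier was registered", which only holds if the embedded struct starts zeroed and `.notify` is assigned nowhere but at the registration site; nothing in the hunk records that dependency. A comment at the check, e.g. `/* Registered only for INTx-capable devices; .notify is set only then. */`, would tie the condition to the registration site so a later change there does not silently reintroduce the unplug crash. The enclosing function starts outside the hunk.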
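diff --git a/debian/patches/stable/lp-1867519-virtio-gracefully-handle-invalid-region-caches.patch b/debian/patches/stable/lp-1867519-virtio-gracefully-handle-invalid-region-caches.patch
new file mode 100644
index 0000000..177cafe
--- /dev/null
+++ b/debian/patches/stable/lp-1867519-virtio-gracefully-handle-invalid-region-caches.patch
@@ -0,0 +1,331 @@
+From abdd16f4681cc4d6bf84990227b5c9b98e869ccd Mon Sep 17 00:00:00 2001
+From: Stefan Hajnoczi <stefanha@redhat.com>
+Date: Fri, 7 Feb 2020 10:46:19 +0000
+Subject: [PATCH] virtio: gracefully handle invalid region caches
+
+The virtqueue code sets up MemoryRegionCaches to access the virtqueue
+guest RAM data structures. The code currently assumes that
+VRingMemoryRegionCaches is initialized before device emulation code
+accesses the virtqueue. An assertion will fail in
+vring_get_region_caches() when this is not true. Device fuzzing found a
+case where this assumption is false (see below).
+
+Virtqueue guest RAM addresses can also be changed from a vCPU thread
+while an IOThread is accessing the virtqueue. This breaks the same
+assumption but this time the caches could become invalid partway through
+the virtqueue code. The code fetches the caches RCU pointer multiple
+times so we will need to validate the pointer every time it is fetched.
+
+Add checks each time we call vring_get_region_caches() and treat invalid
+caches as a nop: memory stores are ignored and memory reads return 0.
+
+The fuzz test failure is as follows:
+
+ $ qemu -M pc -device virtio-blk-pci,id=drv0,drive=drive0,addr=4.0 \
+ -drive if=none,id=drive0,file=null-co://,format=raw,auto-read-only=off \
+ -drive if=none,id=drive1,file=null-co://,file.read-zeroes=on,format=raw \
+ -display none \
+ -qtest stdio
+ endianness
+ outl 0xcf8 0x80002020
+ outl 0xcfc 0xe0000000
+ outl 0xcf8 0x80002004
+ outw 0xcfc 0x7
+ write 0xe0000000 0x24 0x00ffffffabffffffabffffffabffffffabffffffabffffffabffffffabffffffabffffffabffffffabffffffabffffffabffffffabffffffab5cffffffabffffffabffffffabffffffabffffffabffffffabffffffabffffffabffffffabffffffabffffffabffffffabffffffabffffffabffffffab0000000001
+ inb 0x4
+ writew 0xe000001c 0x1
+ write 0xe0000014 0x1 0x0d
+
+The following error message is produced:
+
+ qemu-system-x86_64: /home/stefanha/qemu/hw/virtio/virtio.c:286: vring_get_region_caches: Assertion `caches != NULL' failed.
+
+The backtrace looks like this:
+
+ #0 0x00007ffff5520625 in raise () at /lib64/libc.so.6
+ #1 0x00007ffff55098d9 in abort () at /lib64/libc.so.6
+ #2 0x00007ffff55097a9 in _nl_load_domain.cold () at /lib64/libc.so.6
+ #3 0x00007ffff5518a66 in annobin_assert.c_end () at /lib64/libc.so.6
+ #4 0x00005555559073da in vring_get_region_caches (vq=<optimized out>) at qemu/hw/virtio/virtio.c:286
+ #5 vring_get_region_caches (vq=<optimized out>) at qemu/hw/virtio/virtio.c:283
+ #6 0x000055555590818d in vring_used_flags_set_bit (mask=1, vq=0x5555575ceea0) at qemu/hw/virtio/virtio.c:398
+ #7 virtio_queue_split_set_notification (enable=0, vq=0x5555575ceea0) at qemu/hw/virtio/virtio.c:398
+ #8 virtio_queue_set_notification (vq=vq@entry=0x5555575ceea0, enable=enable@entry=0) at qemu/hw/virtio/virtio.c:451
+ #9 0x0000555555908512 in virtio_queue_set_notification (vq=vq@entry=0x5555575ceea0, enable=enable@entry=0) at qemu/hw/virtio/virtio.c:444
+ #10 0x00005555558c697a in virtio_blk_handle_vq (s=0x5555575c57e0, vq=0x5555575ceea0) at qemu/hw/block/virtio-blk.c:775
+ #11 0x0000555555907836 in virtio_queue_notify_aio_vq (vq=0x5555575ceea0) at qemu/hw/virtio/virtio.c:2244
+ #12 0x0000555555cb5dd7 in aio_dispatch_handlers (ctx=ctx@entry=0x55555671a420) at util/aio-posix.c:429
+ #13 0x0000555555cb67a8 in aio_dispatch (ctx=0x55555671a420) at util/aio-posix.c:460
+ #14 0x0000555555cb307e in aio_ctx_dispatch (source=<optimized out>, callback=<optimized out>, user_data=<optimized out>) at util/async.c:260
+ #15 0x00007ffff7bbc510 in g_main_context_dispatch () at /lib64/libglib-2.0.so.0
+ #16 0x0000555555cb5848 in glib_pollfds_poll () at util/main-loop.c:219
+ #17 os_host_main_loop_wait (timeout=<optimized out>) at util/main-loop.c:242
+ #18 main_loop_wait (nonblocking=<optimized out>) at util/main-loop.c:518
+ #19 0x00005555559b20c9 in main_loop () at vl.c:1683
+ #20 0x0000555555838115 in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at vl.c:4441
+
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Cc: Michael Tsirkin <mst@redhat.com>
+Cc: Cornelia Huck <cohuck@redhat.com>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+Message-Id: <20200207104619.164892-1-stefanha@redhat.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=abdd16f4681cc4d6bf84990227b5c9b98e869ccd
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1867519
+Last-Update: 2020-03-18
+
+---
+ hw/virtio/virtio.c | 99 ++++++++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 91 insertions(+), 8 deletions(-)
+
+diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
+index 2c5410e981..00d444699d 100644
+--- a/hw/virtio/virtio.c
++++ b/hw/virtio/virtio.c
+@@ -282,15 +282,19 @@ static void vring_packed_flags_write(VirtIODevice *vdev,
+ /* Called within rcu_read_lock(). */
+ static VRingMemoryRegionCaches *vring_get_region_caches(struct VirtQueue *vq)
+ {
+- VRingMemoryRegionCaches *caches = atomic_rcu_read(&vq->vring.caches);
+- assert(caches != NULL);
+- return caches;
++ return atomic_rcu_read(&vq->vring.caches);
+ }
++
+ /* Called within rcu_read_lock(). */
+ static inline uint16_t vring_avail_flags(VirtQueue *vq)
+ {
+ VRingMemoryRegionCaches *caches = vring_get_region_caches(vq);
+ hwaddr pa = offsetof(VRingAvail, flags);
++
++ if (!caches) {
++ return 0;
++ }
++
+ return virtio_lduw_phys_cached(vq->vdev, &caches->avail, pa);
+ }
+
+@@ -299,6 +303,11 @@ static inline uint16_t vring_avail_idx(VirtQueue *vq)
+ {
+ VRingMemoryRegionCaches *caches = vring_get_region_caches(vq);
+ hwaddr pa = offsetof(VRingAvail, idx);
++
++ if (!caches) {
++ return 0;
++ }
++
+ vq->shadow_avail_idx = virtio_lduw_phys_cached(vq->vdev, &caches->avail, pa);
+ return vq->shadow_avail_idx;
+ }
+@@ -308,6 +317,11 @@ static inline uint16_t vring_avail_ring(VirtQueue *vq, int i)
+ {
+ VRingMemoryRegionCaches *caches = vring_get_region_caches(vq);
+ hwaddr pa = offsetof(VRingAvail, ring[i]);
++
++ if (!caches) {
++ return 0;
++ }
++
+ return virtio_lduw_phys_cached(vq->vdev, &caches->avail, pa);
+ }
+
+@@ -323,6 +337,11 @@ static inline void vring_used_write(VirtQueue *vq, VRingUsedElem *uelem,
+ {
+ VRingMemoryRegionCaches *caches = vring_get_region_caches(vq);
+ hwaddr pa = offsetof(VRingUsed, ring[i]);
++
++ if (!caches) {
++ return;
++ }
++
+ virtio_tswap32s(vq->vdev, &uelem->id);
+ virtio_tswap32s(vq->vdev, &uelem->len);
+ address_space_write_cached(&caches->used, pa, uelem, sizeof(VRingUsedElem));
+@@ -334,6 +353,11 @@ static uint16_t vring_used_idx(VirtQueue *vq)
+ {
+ VRingMemoryRegionCaches *caches = vring_get_region_caches(vq);
+ hwaddr pa = offsetof(VRingUsed, idx);
++
++ if (!caches) {
++ return 0;
++ }
++
+ return virtio_lduw_phys_cached(vq->vdev, &caches->used, pa);
+ }
+
+@@ -342,8 +366,12 @@ static inline void vring_used_idx_set(VirtQueue *vq, uint16_t val)
+ {
+ VRingMemoryRegionCaches *caches = vring_get_region_caches(vq);
+ hwaddr pa = offsetof(VRingUsed, idx);
+- virtio_stw_phys_cached(vq->vdev, &caches->used, pa, val);
+- address_space_cache_invalidate(&caches->used, pa, sizeof(val));
++
++ if (caches) {
++ virtio_stw_phys_cached(vq->vdev, &caches->used, pa, val);
++ address_space_cache_invalidate(&caches->used, pa, sizeof(val));
++ }
++
+ vq->used_idx = val;
+ }
+
+@@ -353,8 +381,13 @@ static inline void vring_used_flags_set_bit(VirtQueue *vq, int mask)
+ VRingMemoryRegionCaches *caches = vring_get_region_caches(vq);
+ VirtIODevice *vdev = vq->vdev;
+ hwaddr pa = offsetof(VRingUsed, flags);
+- uint16_t flags = virtio_lduw_phys_cached(vq->vdev, &caches->used, pa);
++ uint16_t flags;
+
++ if (!caches) {
++ return;
++ }
++
++ flags = virtio_lduw_phys_cached(vq->vdev, &caches->used, pa);
+ virtio_stw_phys_cached(vdev, &caches->used, pa, flags | mask);
+ address_space_cache_invalidate(&caches->used, pa, sizeof(flags));
+ }
+@@ -365,8 +398,13 @@ static inline void vring_used_flags_unset_bit(VirtQueue *vq, int mask)
+ VRingMemoryRegionCaches *caches = vring_get_region_caches(vq);
+ VirtIODevice *vdev = vq->vdev;
+ hwaddr pa = offsetof(VRingUsed, flags);
+- uint16_t flags = virtio_lduw_phys_cached(vq->vdev, &caches->used, pa);
++ uint16_t flags;
+
++ if (!caches) {
++ return;
++ }
++
++ flags = virtio_lduw_phys_cached(vq->vdev, &caches->used, pa);
+ virtio_stw_phys_cached(vdev, &caches->used, pa, flags & ~mask);
+ address_space_cache_invalidate(&caches->used, pa, sizeof(flags));
+ }
+@@ -381,6 +419,10 @@ static inline void vring_set_avail_event(VirtQueue *vq, uint16_t val)
+ }
+
+ caches = vring_get_region_caches(vq);
++ if (!caches) {
++ return;
++ }
++
+ pa = offsetof(VRingUsed, ring[vq->vring.num]);
+ virtio_stw_phys_cached(vq->vdev, &caches->used, pa, val);
+ address_space_cache_invalidate(&caches->used, pa, sizeof(val));
+@@ -410,7 +452,11 @@ static void virtio_queue_packed_set_notification(VirtQueue *vq, int enable)
+ VRingMemoryRegionCaches *caches;
+
+ RCU_READ_LOCK_GUARD();
+- caches = vring_get_region_caches(vq);
++ caches = vring_get_region_caches(vq);
++ if (!caches) {
++ return;
++ }
++
+ vring_packed_event_read(vq->vdev, &caches->used, &e);
+
+ if (!enable) {
+@@ -597,6 +643,10 @@ static int virtio_queue_packed_empty_rcu(VirtQueue *vq)
+ }
+
+ cache = vring_get_region_caches(vq);
++ if (!cache) {
++ return 1;
++ }
++
+ vring_packed_desc_read_flags(vq->vdev, &desc.flags, &cache->desc,
+ vq->last_avail_idx);
+
+@@ -777,6 +827,10 @@ static void virtqueue_packed_fill_desc(VirtQueue *vq,
+ }
+
+ caches = vring_get_region_caches(vq);
++ if (!caches) {
++ return;
++ }
++
+ vring_packed_desc_write(vq->vdev, &desc, &caches->desc, head, strict_order);
+ }
+
+@@ -949,6 +1003,10 @@ static void virtqueue_split_get_avail_bytes(VirtQueue *vq,
+
+ max = vq->vring.num;
+ caches = vring_get_region_caches(vq);
++ if (!caches) {
++ goto err;
++ }
++
+ while ((rc = virtqueue_num_heads(vq, idx)) > 0) {
+ MemoryRegionCache *desc_cache = &caches->desc;
+ unsigned int num_bufs;
+@@ -1089,6 +1147,9 @@ static void virtqueue_packed_get_avail_bytes(VirtQueue *vq,
+
+ max = vq->vring.num;
+ caches = vring_get_region_caches(vq);
++ if (!caches) {
++ goto err;
++ }
+
+ for (;;) {
+ unsigned int num_bufs = total_bufs;
+@@ -1194,6 +1255,10 @@ void virtqueue_get_avail_bytes(VirtQueue *vq, unsigned int *in_bytes,
+ }
+
+ caches = vring_get_region_caches(vq);
++ if (!caches) {
++ goto err;
++ }
++
+ desc_size = virtio_vdev_has_feature(vq->vdev, VIRTIO_F_RING_PACKED) ?
+ sizeof(VRingPackedDesc) : sizeof(VRingDesc);
+ if (caches->desc.len < vq->vring.num * desc_size) {
+@@ -1387,6 +1452,11 @@ static void *virtqueue_split_pop(VirtQueue *vq, size_t sz)
+ i = head;
+
+ caches = vring_get_region_caches(vq);
++ if (!caches) {
++ virtio_error(vdev, "Region caches not initialized");
++ goto done;
++ }
++
+ if (caches->desc.len < max * sizeof(VRingDesc)) {
+ virtio_error(vdev, "Cannot map descriptor ring");
+ goto done;
+@@ -1509,6 +1579,11 @@ static void *virtqueue_packed_pop(VirtQueue *vq, size_t sz)
+ i = vq->last_avail_idx;
+
+ caches = vring_get_region_caches(vq);
++ if (!caches) {
++ virtio_error(vdev, "Region caches not initialized");
++ goto done;
++ }
++
+ if (caches->desc.len < max * sizeof(VRingDesc)) {
+ virtio_error(vdev, "Cannot map descriptor ring");
+ goto done;
+@@ -1628,6 +1703,10 @@ static unsigned int virtqueue_packed_drop_all(VirtQueue *vq)
+ VRingPackedDesc desc;
+
+ caches = vring_get_region_caches(vq);
++ if (!caches) {
++ return 0;
++ }
++
+ desc_cache = &caches->desc;
+
+ virtio_queue_set_notification(vq, 0);
+@@ -2412,6 +2491,10 @@ static bool virtio_packed_should_notify(VirtIODevice *vdev, VirtQueue *vq)
+ VRingMemoryRegionCaches *caches;
+
+ caches = vring_get_region_caches(vq);
++ if (!caches) {
++ return false;
++ }
++
+ vring_packed_event_read(vdev, &caches->avail, &e);
+
+ old = vq->signalled_used;
+--
+2.25.1
+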
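Review bot: In vring_avail_idx the new early return yields 0 without touching `vq->shadow_avail_idx`, whereas the normal path stores the value there before returning it, so a caller that later reads the shadow field sees a stale index when the caches are gone; either mirror the normal path (`vq->shadow_avail_idx = 0;` before the return) or state in a comment that the shadow is deliberately left untouched. The same state-versus-ring split exists in vring_used_idx_set, which still executes `vq->used_idx = val;` when `caches` is NULL, so device-side bookkeeping advances while the guest ring does not. Reporting is also uneven: virtqueue_split_pop and virtqueue_packed_pop raise `virtio_error(vdev, "Region caches not initialized")`, while every other new check silently nops; since the description says the condition can be reached from a vCPU re-pointing the vring while an IOThread is mid-operation, a trace point in vring_get_region_caches' NULL case, or a comment that silence is intentional, would let an operator tell a misbehaving guest from a device bug. The functions named above start outside their hunks.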
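diff --git a/debian/patches/stable/lp-1867519-virtio-mmio-update-queue-size-on-guest-write.patch b/debian/patches/stable/lp-1867519-virtio-mmio-update-queue-size-on-guest-write.patch
new file mode 100644
index 0000000..d18b0ee
--- /dev/null
+++ b/debian/patches/stable/lp-1867519-virtio-mmio-update-queue-size-on-guest-write.patch
@@ -0,0 +1,40 @@
+From 1049f4c62c4070618cc5defc9963c6a17ae7a5ae Mon Sep 17 00:00:00 2001
+From: Denis Plotnikov <dplotnikov@virtuozzo.com>
+Date: Tue, 24 Dec 2019 11:14:46 +0300
+Subject: [PATCH] virtio-mmio: update queue size on guest write
+
+Some guests read back queue size after writing it.
+Always update the on size write otherwise they might be confused.
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Denis Plotnikov <dplotnikov@virtuozzo.com>
+Message-Id: <20191224081446.17003-1-dplotnikov@virtuozzo.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=1049f4c62c4070618cc5defc9963c6a17ae7a5ae
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1867519
+Last-Update: 2020-03-18
+
+---
+ hw/virtio/virtio-mmio.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/hw/virtio/virtio-mmio.c b/hw/virtio/virtio-mmio.c
+index ef40b7a9b2..872f2cd237 100644
+--- a/hw/virtio/virtio-mmio.c
++++ b/hw/virtio/virtio-mmio.c
+@@ -308,8 +308,9 @@ static void virtio_mmio_write(void *opaque, hwaddr offset, uint64_t value,
+ break;
+ case VIRTIO_MMIO_QUEUE_NUM:
+ trace_virtio_mmio_queue_write(value, VIRTQUEUE_MAX_SIZE);
++ virtio_queue_set_num(vdev, vdev->queue_sel, value);
++
+ if (proxy->legacy) {
+- virtio_queue_set_num(vdev, vdev->queue_sel, value);
+ virtio_queue_update_rings(vdev, vdev->queue_sel);
+ } else {
+ proxy->vqs[vdev->queue_sel].num = value;
+--
+2.25.1
+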
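Review bot: virtio_queue_set_num() is now called on every VIRTIO_MMIO_QUEUE_NUM write with `value`, the raw 64-bit register value the guest wrote, before the legacy/modern split; whether oversized or non-power-of-two sizes are rejected is decided inside virtio_queue_set_num(), which is outside the hunk, so the reader has to go and check. If that is where the range check lives, a comment at the call would record it, e.g. `/* Guest-supplied size; virtio_queue_set_num() is responsible for range-checking it. */`, and the non-legacy branch then keeps `proxy->vqs[].num` as a second, unchecked copy of the same value that is worth mentioning in the same comment. The virtio-pci hunk in debian/patches/stable/lp-1867519-virtio-update-queue-size-on-guest-write.patch stores `val` into `proxy->vqs[].num` and passes it on in the same way, so the note applies there too. The enclosing switch in virtio_mmio_write starts outside the hunk.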
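diff --git a/debian/patches/stable/lp-1867519-virtio-net-delete-also-control-queue-when-TX-RX-dele.patch b/debian/patches/stable/lp-1867519-virtio-net-delete-also-control-queue-when-TX-RX-dele.patch
new file mode 100644
index 0000000..1db89ff
--- /dev/null
+++ b/debian/patches/stable/lp-1867519-virtio-net-delete-also-control-queue-when-TX-RX-dele.patch
@@ -0,0 +1,41 @@
+From d945d9f1731244ef341f74ede93120fc9de35913 Mon Sep 17 00:00:00 2001
+From: Yuri Benditovich <yuri.benditovich@daynix.com>
+Date: Thu, 26 Dec 2019 06:36:49 +0200
+Subject: [PATCH] virtio-net: delete also control queue when TX/RX deleted
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1708480
+If the control queue is not deleted together with TX/RX, it
+later will be ignored in freeing cache resources and hot
+unplug will not be completed.
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Yuri Benditovich <yuri.benditovich@daynix.com>
+Message-Id: <20191226043649.14481-3-yuri.benditovich@daynix.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=d945d9f1731244ef341f74ede93120fc9de35913
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1867519
+Last-Update: 2020-03-18
+
+---
+ hw/net/virtio-net.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
+index db3d7c38e6..f325440d01 100644
+--- a/hw/net/virtio-net.c
++++ b/hw/net/virtio-net.c
+@@ -3101,7 +3101,8 @@ static void virtio_net_device_unrealize(DeviceState *dev, Error **errp)
+ for (i = 0; i < max_queues; i++) {
+ virtio_net_del_queue(n, i);
+ }
+-
++ /* delete also control vq */
++ virtio_del_queue(vdev, max_queues * 2);
+ qemu_announce_timer_del(&n->announce_timer, false);
+ g_free(n->vqs);
+ qemu_del_nic(n->nic);
+--
+2.25.1
+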
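Review bot: The control queue index handed to virtio_del_queue(), `max_queues * 2`, hard-codes the queue layout (rx/tx pairs first, control queue last) and must match the index used where the control queue is created, which is outside the hunk; nothing ties the two sites together, so a later change to the layout would leave this teardown deleting the wrong queue. Expanding the comment to state the invariant, e.g. `/* Queues are laid out as max_queues rx/tx pairs followed by the control vq at index max_queues * 2; keep in sync with the creation site. */`, or computing the index through one shared helper, would prevent that drift. The enclosing function virtio_net_device_unrealize starts outside the hunk.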
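diff --git a/debian/patches/stable/lp-1867519-virtio-update-queue-size-on-guest-write.patch b/debian/patches/stable/lp-1867519-virtio-update-queue-size-on-guest-write.patch
new file mode 100644
index 0000000..da81c2c
--- /dev/null
+++ b/debian/patches/stable/lp-1867519-virtio-update-queue-size-on-guest-write.patch
@@ -0,0 +1,40 @@
+From d0c5f643383b9e84316f148affff368ac33d75b9 Mon Sep 17 00:00:00 2001
+From: "Michael S. Tsirkin" <mst@redhat.com>
+Date: Fri, 13 Dec 2019 09:22:48 -0500
+Subject: [PATCH] virtio: update queue size on guest write
+
+Some guests read back queue size after writing it.
+Update the size immediatly upon write otherwise
+they get confused.
+
+In particular this is the case for seabios.
+
+Reported-by: Roman Kagan <rkagan@virtuozzo.com>
+Suggested-by: Denis Plotnikov <dplotnikov@virtuozzo.com>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=d0c5f643383b9e84316f148affff368ac33d75b9
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1867519
+Last-Update: 2020-03-18
+
+---
+ hw/virtio/virtio-pci.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/hw/virtio/virtio-pci.c b/hw/virtio/virtio-pci.c
+index c6b47a9c73..e5c759e19e 100644
+--- a/hw/virtio/virtio-pci.c
++++ b/hw/virtio/virtio-pci.c
+@@ -1256,6 +1256,8 @@ static void virtio_pci_common_write(void *opaque, hwaddr addr,
+ break;
+ case VIRTIO_PCI_COMMON_Q_SIZE:
+ proxy->vqs[vdev->queue_sel].num = val;
++ virtio_queue_set_num(vdev, vdev->queue_sel,
++ proxy->vqs[vdev->queue_sel].num);
+ break;
+ case VIRTIO_PCI_COMMON_Q_MSIX:
+ msix_vector_unuse(&proxy->pci_dev,
+--
+2.25.1
+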
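diff --git a/debian/patches/ubuntu/expose-vmx_qemu64cpu.patch b/debian/patches/ubuntu/expose-vmx_qemu64cpu.patch
deleted file mode 100644
index 5694cd4..0000000
--- a/debian/patches/ubuntu/expose-vmx_qemu64cpu.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-Description: Expose VMX cpuid feature to the default "qemu64" CPU type,
- supporting Intel compatible VMX nested virtualization.
-Author: Dave Walker (Daviey) <DaveWalker@ubuntu.com>
-
-Index: qemu/target/i386/cpu.c
-===================================================================
---- qemu.orig/target/i386/cpu.c
-+++ qemu/target/i386/cpu.c
-@@ -673,7 +673,7 @@ static X86CPUDefinition builtin_x86_defs
- CPUID_MTRR | CPUID_CLFLUSH | CPUID_MCA |
- CPUID_PSE36,
- .features[FEAT_1_ECX] =
-- CPUID_EXT_SSE3 | CPUID_EXT_CX16,
-+ CPUID_EXT_SSE3 | CPUID_EXT_CX16 | CPUID_EXT_VMX,
- .features[FEAT_8000_0001_EDX] =
- CPUID_EXT2_LM | CPUID_EXT2_SYSCALL | CPUID_EXT2_NX,
- .features[FEAT_8000_0001_ECX] =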
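diff --git a/debian/patches/ubuntu/lp-1835546-Sync-pv.patch b/debian/patches/ubuntu/lp-1835546-Sync-pv.patch
new file mode 100644
index 0000000..0324a8c
--- /dev/null
+++ b/debian/patches/ubuntu/lp-1835546-Sync-pv.patch
@@ -0,0 +1,98 @@
+From 5081c651c9e12d519597fc2ee6e6162e52051122 Mon Sep 17 00:00:00 2001
+From: Janosch Frank <frankja@linux.ibm.com>
+Date: Tue, 25 Feb 2020 06:09:23 -0500
+Subject: [PATCH] Sync pv
+
+Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
+
+Forwarded: https://lists.gnu.org/archive/html/qemu-devel/2020-03/msg06247.html
+Origin: backport, https://github.com/borntraeger/qemu/commit/5081c651c9
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1835546
+Last-Update: 2020-03-20
+
+---
+ linux-headers/linux/kvm.h | 50 +++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 48 insertions(+), 2 deletions(-)
+
+diff --git a/linux-headers/linux/kvm.h b/linux-headers/linux/kvm.h
+index 3d9b18f7f8..18c636070e 100644
+--- a/linux-headers/linux/kvm.h
++++ b/linux-headers/linux/kvm.h
+@@ -468,12 +468,17 @@ struct kvm_s390_mem_op {
+ __u32 size; /* amount of bytes */
+ __u32 op; /* type of operation */
+ __u64 buf; /* buffer in userspace */
+- __u8 ar; /* the access register number */
+- __u8 reserved[31]; /* should be set to 0 */
++ union {
++ __u8 ar; /* the access register number */
++ __u32 sida_offset; /* offset into the sida */
++ __u8 reserved[32]; /* should be set to 0 */
++ };
+ };
+ /* types for kvm_s390_mem_op->op */
+ #define KVM_S390_MEMOP_LOGICAL_READ 0
+ #define KVM_S390_MEMOP_LOGICAL_WRITE 1
++#define KVM_S390_MEMOP_SIDA_READ 2
++#define KVM_S390_MEMOP_SIDA_WRITE 3
+ /* flags for kvm_s390_mem_op->flags */
+ #define KVM_S390_MEMOP_F_CHECK_ONLY (1ULL << 0)
+ #define KVM_S390_MEMOP_F_INJECT_EXCEPTION (1ULL << 1)
+@@ -1000,6 +1005,8 @@ struct kvm_ppc_resize_hpt {
+ #define KVM_CAP_PMU_EVENT_FILTER 173
+ #define KVM_CAP_ARM_IRQ_LINE_LAYOUT_2 174
+ #define KVM_CAP_HYPERV_DIRECT_TLBFLUSH 175
++#define KVM_CAP_S390_VCPU_RESETS 179
++#define KVM_CAP_S390_PROTECTED 180
+
+ #ifdef KVM_CAP_IRQ_ROUTING
+
+@@ -1461,6 +1468,45 @@ struct kvm_enc_region {
+ /* Available with KVM_CAP_ARM_SVE */
+ #define KVM_ARM_VCPU_FINALIZE _IOW(KVMIO, 0xc2, int)
+
++/* Available with KVM_CAP_S390_VCPU_RESETS */
++#define KVM_S390_NORMAL_RESET _IO(KVMIO, 0xc3)
++#define KVM_S390_CLEAR_RESET _IO(KVMIO, 0xc4)
++
++struct kvm_s390_pv_sec_parm {
++ __u64 origin;
++ __u64 length;
++};
++
++struct kvm_s390_pv_unp {
++ __u64 addr;
++ __u64 size;
++ __u64 tweak;
++};
++
++enum pv_cmd_id {
++ KVM_PV_ENABLE,
++ KVM_PV_DISABLE,
++ KVM_PV_VM_SET_SEC_PARMS,
++ KVM_PV_VM_UNPACK,
++ KVM_PV_VM_VERIFY,
++ KVM_PV_VM_PREP_RESET,
++ KVM_PV_VM_UNSHARE_ALL,
++ KVM_PV_VCPU_CREATE,
++ KVM_PV_VCPU_DESTROY,
++};
++
++struct kvm_pv_cmd {
++ __u32 cmd; /* Command to be executed */
++ __u16 rc; /* Ultravisor return code */
++ __u16 rrc; /* Ultravisor return reason code */
++ __u64 data; /* Data or address */
++ __u32 flags; /* flags for future extensions. Must be 0 for now */
++ __u32 reserved[3];
++};
++
++/* Available with KVM_CAP_S390_PROTECTED */
++#define KVM_S390_PV_COMMAND _IOWR(KVMIO, 0xc5, struct kvm_pv_cmd)
++
+ /* Secure Encrypted Virtualization command */
+ enum sev_cmd_id {
+ /* Guest initialization commands */
+--
+2.25.1
+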
3484diff --git a/debian/patches/ubuntu/lp-1835546-pc-bios-s390x-Save-iplb-location-in-lowcore.patch b/debian/patches/ubuntu/lp-1835546-pc-bios-s390x-Save-iplb-location-in-lowcore.patch
3485new file mode 100644
3486index 0000000..d95587f
3487--- /dev/null
3488+++ b/debian/patches/ubuntu/lp-1835546-pc-bios-s390x-Save-iplb-location-in-lowcore.patch
3489@@ -0,0 +1,138 @@
3490+From 6c657fba3b138ad43b72e54a3c43a87e170ce615 Mon Sep 17 00:00:00 2001
3491+From: Janosch Frank <frankja@linux.ibm.com>
3492+Date: Wed, 4 Mar 2020 06:42:31 -0500
3493+Subject: [PATCH] pc-bios: s390x: Save iplb location in lowcore
3494+
3495+The POP states that for a list directed IPL the IPLB is stored into
3496+memory by the machine loader and its address is stored at offset 0x14
3497+of the lowcore.
3498+
3499+ZIPL currently uses the address in offset 0x14 to access the IPLB and
3500+acquire flags about secure boot. If the IPLB address points into
3501+memory which has an unsupported mix of flags set, ZIPL will panic
3502+instead of booting the OS.
3503+
3504+As the lowcore can have quite a high entropy for a guest that did drop
3505+out of protected mode (i.e. rebooted) we encountered the ZIPL panic
3506+quite often.
3507+
3508+Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
3509+Tested-by: Marc Hartmayer <mhartmay@linux.ibm.com>
3510+Message-Id: <20200304114231.23493-19-frankja@linux.ibm.com>
3511+Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com>
3512+Reviewed-by: David Hildenbrand <david@redhat.com>
3513+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
3514+
3515+Forwarded: https://lists.gnu.org/archive/html/qemu-devel/2020-03/msg06247.html
3516+Origin: backport, https://github.com/borntraeger/qemu/commit/6c657fba3b
3517+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1835546
3518+Last-Update: 2020-03-20
3519+
3520+---
3521+ pc-bios/s390-ccw/jump2ipl.c | 1 +
3522+ pc-bios/s390-ccw/main.c | 8 +++++++-
3523+ pc-bios/s390-ccw/netmain.c | 1 +
3524+ pc-bios/s390-ccw/s390-arch.h | 10 ++++++++--
3525+ pc-bios/s390-ccw/s390-ccw.h | 1 +
3526+ 5 files changed, 18 insertions(+), 3 deletions(-)
3527+
3528+diff --git a/pc-bios/s390-ccw/jump2ipl.c b/pc-bios/s390-ccw/jump2ipl.c
3529+index 266f1502b9..1489e5043c 100644
3530+--- a/pc-bios/s390-ccw/jump2ipl.c
3531++++ b/pc-bios/s390-ccw/jump2ipl.c
3532+@@ -35,6 +35,7 @@ void jump_to_IPL_code(uint64_t address)
3533+ {
3534+ /* store the subsystem information _after_ the bootmap was loaded */
3535+ write_subsystem_identification();
3536++ write_iplb_location();
3537+
3538+ /* prevent unknown IPL types in the guest */
3539+ if (iplb.pbt == S390_IPL_TYPE_QEMU_SCSI) {
3540+diff --git a/pc-bios/s390-ccw/main.c b/pc-bios/s390-ccw/main.c
3541+index a21b386280..4e65b411e1 100644
3542+--- a/pc-bios/s390-ccw/main.c
3543++++ b/pc-bios/s390-ccw/main.c
3544+@@ -9,6 +9,7 @@
3545+ */
3546+
3547+ #include "libc.h"
3548++#include "helper.h"
3549+ #include "s390-arch.h"
3550+ #include "s390-ccw.h"
3551+ #include "cio.h"
3552+@@ -22,7 +23,7 @@ QemuIplParameters qipl;
3553+ IplParameterBlock iplb __attribute__((__aligned__(PAGE_SIZE)));
3554+ static bool have_iplb;
3555+ static uint16_t cutype;
3556+-LowCore const *lowcore; /* Yes, this *is* a pointer to address 0 */
3557++LowCore *lowcore; /* Yes, this *is* a pointer to address 0 */
3558+
3559+ #define LOADPARM_PROMPT "PROMPT "
3560+ #define LOADPARM_EMPTY " "
3561+@@ -42,6 +43,11 @@ void write_subsystem_identification(void)
3562+ *zeroes = 0;
3563+ }
3564+
3565++void write_iplb_location(void)
3566++{
3567++ lowcore->ptr_iplb = ptr2u32(&iplb);
3568++}
3569++
3570+ void panic(const char *string)
3571+ {
3572+ sclp_print(string);
3573+diff --git a/pc-bios/s390-ccw/netmain.c b/pc-bios/s390-ccw/netmain.c
3574+index f2dcc01e27..309ffa30d9 100644
3575+--- a/pc-bios/s390-ccw/netmain.c
3576++++ b/pc-bios/s390-ccw/netmain.c
3577+@@ -40,6 +40,7 @@
3578+ #define DEFAULT_TFTP_RETRIES 20
3579+
3580+ extern char _start[];
3581++void write_iplb_location(void) {}
3582+
3583+ #define KERNEL_ADDR ((void *)0L)
3584+ #define KERNEL_MAX_SIZE ((long)_start)
3585+diff --git a/pc-bios/s390-ccw/s390-arch.h b/pc-bios/s390-ccw/s390-arch.h
3586+index 504fc7c2f0..5f36361c02 100644
3587+--- a/pc-bios/s390-ccw/s390-arch.h
3588++++ b/pc-bios/s390-ccw/s390-arch.h
3589+@@ -36,7 +36,13 @@ typedef struct LowCore {
3590+ /* prefix area: defined by architecture */
3591+ PSWLegacy ipl_psw; /* 0x000 */
3592+ uint32_t ccw1[2]; /* 0x008 */
3593+- uint32_t ccw2[2]; /* 0x010 */
3594++ union {
3595++ uint32_t ccw2[2]; /* 0x010 */
3596++ struct {
3597++ uint32_t reserved10;
3598++ uint32_t ptr_iplb;
3599++ };
3600++ };
3601+ uint8_t pad1[0x80 - 0x18]; /* 0x018 */
3602+ uint32_t ext_params; /* 0x080 */
3603+ uint16_t cpu_addr; /* 0x084 */
3604+@@ -85,7 +91,7 @@ typedef struct LowCore {
3605+ PSW io_new_psw; /* 0x1f0 */
3606+ } __attribute__((packed, aligned(8192))) LowCore;
3607+
3608+-extern LowCore const *lowcore;
3609++extern LowCore *lowcore;
3610+
3611+ static inline void set_prefix(uint32_t address)
3612+ {
3613+diff --git a/pc-bios/s390-ccw/s390-ccw.h b/pc-bios/s390-ccw/s390-ccw.h
3614+index 11bce7d73c..21f27e7990 100644
3615+--- a/pc-bios/s390-ccw/s390-ccw.h
3616++++ b/pc-bios/s390-ccw/s390-ccw.h
3617+@@ -57,6 +57,7 @@ void consume_io_int(void);
3618+ /* main.c */
3619+ void panic(const char *string);
3620+ void write_subsystem_identification(void);
3621++void write_iplb_location(void);
3622+ extern char stack[PAGE_SIZE * 8] __attribute__((__aligned__(PAGE_SIZE)));
3623+ unsigned int get_loadparm_index(void);
3624+
3625+--
3626+2.25.1
3627+
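Review bot: `write_iplb_location()` stores `ptr2u32(&iplb)` through `lowcore`, a pointer to absolute address 0 whose `const` the patch drops, but neither the function nor the header union says why offset 0x14 is written; suggest `/* POP: for list-directed IPL the IPLB address is stored at lowcore 0x14; zipl reads it for its secure-boot flags */` above the definition. `ptr2u32()` assumes `iplb` lives below 4 GiB, which cannot be confirmed from the visible lines and deserves a comment at the call. The empty stub `void write_iplb_location(void) {}` in netmain.c means the network loader leaves offset 0x14 untouched, so a guest that dropped out of protected mode and re-IPLs via network would presumably still see the stale value the commit message describes; a one-line comment on the stub stating whether that path is affected would help.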
3628diff --git a/debian/patches/ubuntu/lp-1835546-s390x-Add-SIDA-memory-ops.patch b/debian/patches/ubuntu/lp-1835546-s390x-Add-SIDA-memory-ops.patch
3629new file mode 100644
3630index 0000000..ba58e8a
3631--- /dev/null
3632+++ b/debian/patches/ubuntu/lp-1835546-s390x-Add-SIDA-memory-ops.patch
3633@@ -0,0 +1,141 @@
3634+From f3673a4cba21dae20c2a87bd6639a2e03ef7ff39 Mon Sep 17 00:00:00 2001
3635+From: Janosch Frank <frankja@linux.ibm.com>
3636+Date: Wed, 5 Feb 2020 06:57:35 -0500
3637+Subject: [PATCH] s390x: Add SIDA memory ops
3638+
3639+Protected guests save the instruction control blocks in the SIDA
3640+instead of QEMU/KVM directly accessing the guest's memory.
3641+
3642+Let's introduce new functions to access the SIDA.
3643+
3644+The memops for doing so are available with KVM_CAP_S390_PROTECTED, so
3645+let's check for that.
3646+
3647+Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
3648+Reviewed-by: David Hildenbrand <david@redhat.com>
3649+Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com>
3650+Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
3651+Reviewed-by: Cornelia Huck <cohuck@redhat.com>
3652+
3653+Forwarded: https://lists.gnu.org/archive/html/qemu-devel/2020-03/msg06247.html
3654+Origin: backport, https://github.com/borntraeger/qemu/commit/f3673a4cba
3655+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1835546
3656+Last-Update: 2020-03-20
3657+
3658+---
3659+ target/s390x/cpu.h | 7 ++++++-
3660+ target/s390x/kvm.c | 26 ++++++++++++++++++++++++++
3661+ target/s390x/kvm_s390x.h | 2 ++
3662+ target/s390x/mmu_helper.c | 14 ++++++++++++++
3663+ 4 files changed, 48 insertions(+), 1 deletion(-)
3664+
3665+diff --git a/target/s390x/cpu.h b/target/s390x/cpu.h
3666+index d2af13b345..2ec0f78b48 100644
3667+--- a/target/s390x/cpu.h
3668++++ b/target/s390x/cpu.h
3669+@@ -821,7 +821,12 @@ int s390_cpu_virt_mem_rw(S390CPU *cpu, vaddr laddr, uint8_t ar, void *hostbuf,
3670+ #define s390_cpu_virt_mem_check_write(cpu, laddr, ar, len) \
3671+ s390_cpu_virt_mem_rw(cpu, laddr, ar, NULL, len, true)
3672+ void s390_cpu_virt_mem_handle_exc(S390CPU *cpu, uintptr_t ra);
3673+-
3674++int s390_cpu_pv_mem_rw(S390CPU *cpu, unsigned int offset, void *hostbuf,
3675++ int len, bool is_write);
3676++#define s390_cpu_pv_mem_read(cpu, offset, dest, len) \
3677++ s390_cpu_pv_mem_rw(cpu, offset, dest, len, false)
3678++#define s390_cpu_pv_mem_write(cpu, offset, dest, len) \
3679++ s390_cpu_pv_mem_rw(cpu, offset, dest, len, true)
3680+
3681+ /* sigp.c */
3682+ int s390_cpu_restart(S390CPU *cpu);
3683+diff --git a/target/s390x/kvm.c b/target/s390x/kvm.c
3684+index abeeaaa674..941e4df630 100644
3685+--- a/target/s390x/kvm.c
3686++++ b/target/s390x/kvm.c
3687+@@ -154,6 +154,7 @@ static int cap_ri;
3688+ static int cap_gs;
3689+ static int cap_hpage_1m;
3690+ static int cap_vcpu_resets;
3691++static int cap_protected;
3692+
3693+ static int active_cmma;
3694+
3695+@@ -351,6 +352,7 @@ int kvm_arch_init(MachineState *ms, KVMState *s)
3696+ cap_mem_op = kvm_check_extension(s, KVM_CAP_S390_MEM_OP);
3697+ cap_s390_irq = kvm_check_extension(s, KVM_CAP_S390_INJECT_IRQ);
3698+ cap_vcpu_resets = kvm_check_extension(s, KVM_CAP_S390_VCPU_RESETS);
3699++ cap_protected = kvm_check_extension(s, KVM_CAP_S390_PROTECTED);
3700+
3701+ if (!kvm_check_extension(s, KVM_CAP_S390_GMAP)
3702+ || !kvm_check_extension(s, KVM_CAP_S390_COW)) {
3703+@@ -848,6 +850,30 @@ int kvm_s390_mem_op(S390CPU *cpu, vaddr addr, uint8_t ar, void *hostbuf,
3704+ return ret;
3705+ }
3706+
3707++int kvm_s390_mem_op_pv(S390CPU *cpu, uint64_t offset, void *hostbuf,
3708++ int len, bool is_write)
3709++{
3710++ struct kvm_s390_mem_op mem_op = {
3711++ .sida_offset = offset,
3712++ .size = len,
3713++ .op = is_write ? KVM_S390_MEMOP_SIDA_WRITE
3714++ : KVM_S390_MEMOP_SIDA_READ,
3715++ .buf = (uint64_t)hostbuf,
3716++ };
3717++ int ret;
3718++
3719++ if (!cap_mem_op || !cap_protected) {
3720++ return -ENOSYS;
3721++ }
3722++
3723++ ret = kvm_vcpu_ioctl(CPU(cpu), KVM_S390_MEM_OP, &mem_op);
3724++ if (ret < 0) {
3725++ error_report("KVM_S390_MEM_OP failed: %s", strerror(-ret));
3726++ abort();
3727++ }
3728++ return ret;
3729++}
3730++
3731+ /*
3732+ * Legacy layout for s390:
3733+ * Older S390 KVM requires the topmost vma of the RAM to be
3734+diff --git a/target/s390x/kvm_s390x.h b/target/s390x/kvm_s390x.h
3735+index dea813f450..6ab17c81b7 100644
3736+--- a/target/s390x/kvm_s390x.h
3737++++ b/target/s390x/kvm_s390x.h
3738+@@ -19,6 +19,8 @@ void kvm_s390_vcpu_interrupt(S390CPU *cpu, struct kvm_s390_irq *irq);
3739+ void kvm_s390_access_exception(S390CPU *cpu, uint16_t code, uint64_t te_code);
3740+ int kvm_s390_mem_op(S390CPU *cpu, vaddr addr, uint8_t ar, void *hostbuf,
3741+ int len, bool is_write);
3742++int kvm_s390_mem_op_pv(S390CPU *cpu, vaddr addr, void *hostbuf, int len,
3743++ bool is_write);
3744+ void kvm_s390_program_interrupt(S390CPU *cpu, uint16_t code);
3745+ int kvm_s390_set_cpu_state(S390CPU *cpu, uint8_t cpu_state);
3746+ void kvm_s390_vcpu_interrupt_pre_save(S390CPU *cpu);
3747+diff --git a/target/s390x/mmu_helper.c b/target/s390x/mmu_helper.c
3748+index c9f3f34750..ec8befbdc8 100644
3749+--- a/target/s390x/mmu_helper.c
3750++++ b/target/s390x/mmu_helper.c
3751+@@ -474,6 +474,20 @@ static int translate_pages(S390CPU *cpu, vaddr addr, int nr_pages,
3752+ return 0;
3753+ }
3754+
3755++int s390_cpu_pv_mem_rw(S390CPU *cpu, unsigned int offset, void *hostbuf,
3756++ int len, bool is_write)
3757++{
3758++ int ret;
3759++
3760++ if (kvm_enabled()) {
3761++ ret = kvm_s390_mem_op_pv(cpu, offset, hostbuf, len, is_write);
3762++ } else {
3763++ /* Protected Virtualization is a KVM/Hardware only feature */
3764++ g_assert_not_reached();
3765++ }
3766++ return ret;
3767++}
3768++
3769+ /**
3770+ * s390_cpu_virt_mem_rw:
3771+ * @laddr: the logical start address
3772+--
3773+2.25.1
3774+
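Review bot: The prototype of `kvm_s390_mem_op_pv()` in kvm_s390x.h names its second parameter `vaddr addr` while the definition in kvm.c uses `uint64_t offset`, and the `s390_cpu_pv_mem_rw()` wrapper in cpu.h narrows it to `unsigned int offset`; the value is a SIDA offset, not a guest address, so the three declarations should agree: `int kvm_s390_mem_op_pv(S390CPU *cpu, uint64_t offset, void *hostbuf, int len, bool is_write);`. `len` is a signed `int` copied into the `__u32 size` field of `struct kvm_s390_mem_op`; callers are not visible here, so whether a negative length can reach the ioctl cannot be judged, but a `g_assert(len >= 0);` before the ioctl would make the assumption explicit. Any failing KVM_S390_MEM_OP aborts the whole QEMU process; whether that matches the policy of the non-PV `kvm_s390_mem_op()` cannot be checked since only its tail is in the hunk, so a comment stating that a SIDA access failure is treated as unrecoverable would document the choice.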
3775diff --git a/debian/patches/ubuntu/lp-1835546-s390x-Add-missing-vcpu-reset-functions.patch b/debian/patches/ubuntu/lp-1835546-s390x-Add-missing-vcpu-reset-functions.patch
3776new file mode 100644
3777index 0000000..41595f0
3778--- /dev/null
3779+++ b/debian/patches/ubuntu/lp-1835546-s390x-Add-missing-vcpu-reset-functions.patch
3780@@ -0,0 +1,165 @@
3781+From cdb7c92623442b8a4052011d20ac46dbc17ab064 Mon Sep 17 00:00:00 2001
3782+From: Janosch Frank <frankja@linux.ibm.com>
3783+Date: Fri, 14 Feb 2020 10:16:21 -0500
3784+Subject: [PATCH] s390x: Add missing vcpu reset functions
3785+
3786+Up to now we only had an ioctl to reset vcpu data QEMU couldn't reach
3787+for the initial reset, which was also called for the clear reset. To
3788+be architecture compliant, we also need to clear local interrupts on a
3789+normal reset.
3790+
3791+Because of this and the upcoming protvirt support we need to add
3792+ioctls for the missing clear and normal resets.
3793+
3794+Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
3795+Reviewed-by: Thomas Huth <thuth@redhat.com>
3796+Acked-by: David Hildenbrand <david@redhat.com>
3797+Message-Id: <20200214151636.8764-3-frankja@linux.ibm.com>
3798+Signed-off-by: Cornelia Huck <cohuck@redhat.com>
3799+
3800+Forwarded: https://lists.gnu.org/archive/html/qemu-devel/2020-03/msg06247.html
3801+Origin: backport, https://github.com/borntraeger/qemu/commit/cdb7c92623
3802+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1835546
3803+Last-Update: 2020-03-20
3804+
3805+---
3806+ target/s390x/cpu.c | 14 ++++++++++++--
3807+ target/s390x/kvm-stub.c | 10 +++++++++-
3808+ target/s390x/kvm.c | 42 ++++++++++++++++++++++++++++++++--------
3809+ target/s390x/kvm_s390x.h | 4 +++-
3810+ 4 files changed, 58 insertions(+), 12 deletions(-)
3811+
3812+diff --git a/target/s390x/cpu.c b/target/s390x/cpu.c
3813+index bd39cb54b7..52fefa1586 100644
3814+--- a/target/s390x/cpu.c
3815++++ b/target/s390x/cpu.c
3816+@@ -131,8 +131,18 @@ static void s390_cpu_reset(CPUState *s, cpu_reset_type type)
3817+ }
3818+
3819+ /* Reset state inside the kernel that we cannot access yet from QEMU. */
3820+- if (kvm_enabled() && type != S390_CPU_RESET_NORMAL) {
3821+- kvm_s390_reset_vcpu(cpu);
3822++ if (kvm_enabled()) {
3823++ switch (type) {
3824++ case S390_CPU_RESET_CLEAR:
3825++ kvm_s390_reset_vcpu_clear(cpu);
3826++ break;
3827++ case S390_CPU_RESET_INITIAL:
3828++ kvm_s390_reset_vcpu_initial(cpu);
3829++ break;
3830++ case S390_CPU_RESET_NORMAL:
3831++ kvm_s390_reset_vcpu_normal(cpu);
3832++ break;
3833++ }
3834+ }
3835+ }
3836+
3837+diff --git a/target/s390x/kvm-stub.c b/target/s390x/kvm-stub.c
3838+index 5152e2bdf1..c4cd497f85 100644
3839+--- a/target/s390x/kvm-stub.c
3840++++ b/target/s390x/kvm-stub.c
3841+@@ -83,7 +83,15 @@ void kvm_s390_cmma_reset(void)
3842+ {
3843+ }
3844+
3845+-void kvm_s390_reset_vcpu(S390CPU *cpu)
3846++void kvm_s390_reset_vcpu_initial(S390CPU *cpu)
3847++{
3848++}
3849++
3850++void kvm_s390_reset_vcpu_clear(S390CPU *cpu)
3851++{
3852++}
3853++
3854++void kvm_s390_reset_vcpu_normal(S390CPU *cpu)
3855+ {
3856+ }
3857+
3858+diff --git a/target/s390x/kvm.c b/target/s390x/kvm.c
3859+index ad6e38c876..f633472980 100644
3860+--- a/target/s390x/kvm.c
3861++++ b/target/s390x/kvm.c
3862+@@ -151,6 +151,7 @@ static int cap_s390_irq;
3863+ static int cap_ri;
3864+ static int cap_gs;
3865+ static int cap_hpage_1m;
3866++static int cap_vcpu_resets;
3867+
3868+ static int active_cmma;
3869+
3870+@@ -342,6 +343,7 @@ int kvm_arch_init(MachineState *ms, KVMState *s)
3871+ cap_async_pf = kvm_check_extension(s, KVM_CAP_ASYNC_PF);
3872+ cap_mem_op = kvm_check_extension(s, KVM_CAP_S390_MEM_OP);
3873+ cap_s390_irq = kvm_check_extension(s, KVM_CAP_S390_INJECT_IRQ);
3874++ cap_vcpu_resets = kvm_check_extension(s, KVM_CAP_S390_VCPU_RESETS);
3875+
3876+ if (!kvm_check_extension(s, KVM_CAP_S390_GMAP)
3877+ || !kvm_check_extension(s, KVM_CAP_S390_COW)) {
3878+@@ -403,17 +405,41 @@ int kvm_arch_destroy_vcpu(CPUState *cs)
3879+ return 0;
3880+ }
3881+
3882+-void kvm_s390_reset_vcpu(S390CPU *cpu)
3883++static void kvm_s390_reset_vcpu(S390CPU *cpu, unsigned long type)
3884+ {
3885+ CPUState *cs = CPU(cpu);
3886+
3887+- /* The initial reset call is needed here to reset in-kernel
3888+- * vcpu data that we can't access directly from QEMU
3889+- * (i.e. with older kernels which don't support sync_regs/ONE_REG).
3890+- * Before this ioctl cpu_synchronize_state() is called in common kvm
3891+- * code (kvm-all) */
3892+- if (kvm_vcpu_ioctl(cs, KVM_S390_INITIAL_RESET, NULL)) {
3893+- error_report("Initial CPU reset failed on CPU %i", cs->cpu_index);
3894++ /*
3895++ * The reset call is needed here to reset in-kernel vcpu data that
3896++ * we can't access directly from QEMU (i.e. with older kernels
3897++ * which don't support sync_regs/ONE_REG). Before this ioctl
3898++ * cpu_synchronize_state() is called in common kvm code
3899++ * (kvm-all).
3900++ */
3901++ if (kvm_vcpu_ioctl(cs, type)) {
3902++ error_report("CPU reset failed on CPU %i type %lx",
3903++ cs->cpu_index, type);
3904++ }
3905++}
3906++
3907++void kvm_s390_reset_vcpu_initial(S390CPU *cpu)
3908++{
3909++ kvm_s390_reset_vcpu(cpu, KVM_S390_INITIAL_RESET);
3910++}
3911++
3912++void kvm_s390_reset_vcpu_clear(S390CPU *cpu)
3913++{
3914++ if (cap_vcpu_resets) {
3915++ kvm_s390_reset_vcpu(cpu, KVM_S390_CLEAR_RESET);
3916++ } else {
3917++ kvm_s390_reset_vcpu(cpu, KVM_S390_INITIAL_RESET);
3918++ }
3919++}
3920++
3921++void kvm_s390_reset_vcpu_normal(S390CPU *cpu)
3922++{
3923++ if (cap_vcpu_resets) {
3924++ kvm_s390_reset_vcpu(cpu, KVM_S390_NORMAL_RESET);
3925+ }
3926+ }
3927+
3928+diff --git a/target/s390x/kvm_s390x.h b/target/s390x/kvm_s390x.h
3929+index caf985955b..0b21789796 100644
3930+--- a/target/s390x/kvm_s390x.h
3931++++ b/target/s390x/kvm_s390x.h
3932+@@ -34,7 +34,9 @@ int kvm_s390_assign_subch_ioeventfd(EventNotifier *notifier, uint32_t sch,
3933+ int vq, bool assign);
3934+ int kvm_s390_cmma_active(void);
3935+ void kvm_s390_cmma_reset(void);
3936+-void kvm_s390_reset_vcpu(S390CPU *cpu);
3937++void kvm_s390_reset_vcpu_clear(S390CPU *cpu);
3938++void kvm_s390_reset_vcpu_normal(S390CPU *cpu);
3939++void kvm_s390_reset_vcpu_initial(S390CPU *cpu);
3940+ int kvm_s390_set_mem_limit(uint64_t new_limit, uint64_t *hw_limit);
3941+ void kvm_s390_set_max_pagesize(uint64_t pagesize, Error **errp);
3942+ void kvm_s390_crypto_reset(void);
3943+--
3944+2.25.1
3945+
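Review bot: `kvm_s390_reset_vcpu_normal()` silently does nothing when `cap_vcpu_resets` is 0, so on kernels without KVM_CAP_S390_VCPU_RESETS the local-interrupt clearing the commit message calls architecture-required is skipped without any trace; a comment would make the fallback visible: `/* Older kernels have no normal-reset ioctl: in-kernel local interrupts stay pending (not architecture compliant) */`. The failure path of `kvm_s390_reset_vcpu()` only logs `type %lx` (the raw ioctl number) and continues, so a failed clear reset leaves the vCPU in an unknown state with one log line; since the wrappers return void this matches the previous policy, but the message should name the reset kind rather than the encoded ioctl value. The new `switch (type)` in `s390_cpu_reset()` has no `default`, which is acceptable for the enum, though `default: g_assert_not_reached();` would catch a future type being added without a KVM counterpart.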
3946diff --git a/debian/patches/ubuntu/lp-1835546-s390x-Add-unpack-facility-feature-to-GA1.patch b/debian/patches/ubuntu/lp-1835546-s390x-Add-unpack-facility-feature-to-GA1.patch
3947new file mode 100644
3948index 0000000..d77477d
3949--- /dev/null
3950+++ b/debian/patches/ubuntu/lp-1835546-s390x-Add-unpack-facility-feature-to-GA1.patch
3951@@ -0,0 +1,67 @@
3952+From 8c284a11c5dd980fd2cea00306c18ea644c0754d Mon Sep 17 00:00:00 2001
3953+From: Christian Borntraeger <borntraeger@de.ibm.com>
3954+Date: Tue, 25 Feb 2020 06:28:51 -0500
3955+Subject: [PATCH] s390x: Add unpack facility feature to GA1
3956+
3957+The unpack facility is an indication that diagnose 308 subcodes 8-10
3958+are available to the guest. That means, that the guest can put itself
3959+into protected mode.
3960+
3961+Once it is in protected mode, the hardware stops any attempt of VM
3962+introspection by the hypervisor.
3963+
3964+Some features are currently not supported in protected mode:
3965+ * vfio devices
3966+ * Migration
3967+ * Huge page backings
3968+
3969+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
3970+Reviewed-by: David Hildenbrand <david@redhat.com>
3971+Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
3972+Reviewed-by: Cornelia Huck <cohuck@redhat.com>
3973+Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
3974+
3975+Forwarded: https://lists.gnu.org/archive/html/qemu-devel/2020-03/msg06247.html
3976+Origin: backport, https://github.com/borntraeger/qemu/commit/8c284a11c5
3977+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1835546
3978+Last-Update: 2020-03-20
3979+
3980+---
3981+ target/s390x/gen-features.c | 1 +
3982+ target/s390x/kvm.c | 8 ++++++++
3983+ 2 files changed, 9 insertions(+)
3984+
3985+diff --git a/target/s390x/gen-features.c b/target/s390x/gen-features.c
3986+index 6278845b12..8ddeebc544 100644
3987+--- a/target/s390x/gen-features.c
3988++++ b/target/s390x/gen-features.c
3989+@@ -562,6 +562,7 @@ static uint16_t full_GEN15_GA1[] = {
3990+ S390_FEAT_GROUP_MSA_EXT_9,
3991+ S390_FEAT_GROUP_MSA_EXT_9_PCKMO,
3992+ S390_FEAT_ETOKEN,
3993++ S390_FEAT_UNPACK,
3994+ };
3995+
3996+ /* Default features (in order of release)
3997+diff --git a/target/s390x/kvm.c b/target/s390x/kvm.c
3998+index d94b915da4..8b82e4c93d 100644
3999+--- a/target/s390x/kvm.c
4000++++ b/target/s390x/kvm.c
4001+@@ -2407,6 +2407,14 @@ void kvm_s390_get_host_cpu_model(S390CPUModel *model, Error **errp)
4002+ clear_bit(S390_FEAT_BPB, model->features);
4003+ }
4004+
4005++ /*
4006++ * If we have support for protected virtualization, indicate
4007++ * the protected virtualization IPL unpack facility.
4008++ */
4009++ if (cap_protected) {
4010++ set_bit(S390_FEAT_UNPACK, model->features);
4011++ }
4012++
4013+ /* We emulate a zPCI bus and AEN, therefore we don't need HW support */
4014+ set_bit(S390_FEAT_ZPCI, model->features);
4015+ set_bit(S390_FEAT_ADAPTER_EVENT_NOTIFICATION, model->features);
4016+--
4017+2.25.1
4018+
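Review bot: `S390_FEAT_UNPACK` is set in the host CPU model purely from `cap_protected`, while the commit message lists vfio devices, migration and huge-page backings as unsupported in protected mode, and nothing in this hunk ties the advertised facility to those constraints; presumably later patches in the series reject such configurations when the guest transitions into protected mode, but the comment here should say so, e.g. `/* Advertising UNPACK lets the guest enter protected mode via diag308 subcodes 8-10; configuration restrictions (vfio, migration, huge pages) are enforced at that transition, not here */`. Adding the feature to `full_GEN15_GA1` only affects the full model, so as far as the visible lines show the default gen15a model is unchanged.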
4019diff --git a/debian/patches/ubuntu/lp-1835546-s390x-Beautify-diag308-handling.patch b/debian/patches/ubuntu/lp-1835546-s390x-Beautify-diag308-handling.patch
4020new file mode 100644
4021index 0000000..ab401a1
4022--- /dev/null
4023+++ b/debian/patches/ubuntu/lp-1835546-s390x-Beautify-diag308-handling.patch
4024@@ -0,0 +1,119 @@
4025+From 4fb238b4b0ba7ba6d42d5d7e1f3da27e619e872c Mon Sep 17 00:00:00 2001
4026+From: Janosch Frank <frankja@linux.ibm.com>
4027+Date: Wed, 27 Nov 2019 12:50:45 -0500
4028+Subject: [PATCH] s390x: Beautify diag308 handling
4029+
4030+Let's improve readability by:
4031+* Using constants for the subcodes
4032+* Moving parameter checking into a function
4033+* Removing subcode > 6 check as the default case catches that
4034+
4035+Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
4036+Reviewed-by: Cornelia Huck <cohuck@redhat.com>
4037+Reviewed-by: Thomas Huth <thuth@redhat.com>
4038+Reviewed-by: David Hildenbrand <david@redhat.com>
4039+Message-Id: <20191127175046.4911-6-frankja@linux.ibm.com>
4040+Signed-off-by: Cornelia Huck <cohuck@redhat.com>
4041+
4042+Forwarded: https://lists.gnu.org/archive/html/qemu-devel/2020-03/msg06247.html
4043+Origin: backport, https://github.com/borntraeger/qemu/commit/4fb238b4b0
4044+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1835546
4045+Last-Update: 2020-03-20
4046+
4047+---
4048+ target/s390x/diag.c | 54 +++++++++++++++++++++++++++------------------
4049+ 1 file changed, 32 insertions(+), 22 deletions(-)
4050+
4051+diff --git a/target/s390x/diag.c b/target/s390x/diag.c
4052+index 0c81d8e1ef..54e5670b3f 100644
4053+--- a/target/s390x/diag.c
4054++++ b/target/s390x/diag.c
4055+@@ -53,6 +53,29 @@ int handle_diag_288(CPUS390XState *env, uint64_t r1, uint64_t r3)
4056+ #define DIAG_308_RC_NO_CONF 0x0102
4057+ #define DIAG_308_RC_INVALID 0x0402
4058+
4059++#define DIAG308_RESET_MOD_CLR 0
4060++#define DIAG308_RESET_LOAD_NORM 1
4061++#define DIAG308_LOAD_CLEAR 3
4062++#define DIAG308_LOAD_NORMAL_DUMP 4
4063++#define DIAG308_SET 5
4064++#define DIAG308_STORE 6
4065++
4066++static int diag308_parm_check(CPUS390XState *env, uint64_t r1, uint64_t addr,
4067++ uintptr_t ra, bool write)
4068++{
4069++ if ((r1 & 1) || (addr & ~TARGET_PAGE_MASK)) {
4070++ s390_program_interrupt(env, PGM_SPECIFICATION, ra);
4071++ return -1;
4072++ }
4073++ if (!address_space_access_valid(&address_space_memory, addr,
4074++ sizeof(IplParameterBlock), write,
4075++ MEMTXATTRS_UNSPECIFIED)) {
4076++ s390_program_interrupt(env, PGM_ADDRESSING, ra);
4077++ return -1;
4078++ }
4079++ return 0;
4080++}
4081++
4082+ void handle_diag_308(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra)
4083+ {
4084+ CPUState *cs = env_cpu(env);
4085+@@ -65,30 +88,24 @@ void handle_diag_308(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra)
4086+ return;
4087+ }
4088+
4089+- if ((subcode & ~0x0ffffULL) || (subcode > 6)) {
4090++ if (subcode & ~0x0ffffULL) {
4091+ s390_program_interrupt(env, PGM_SPECIFICATION, ra);
4092+ return;
4093+ }
4094+
4095+ switch (subcode) {
4096+- case 0:
4097++ case DIAG308_RESET_MOD_CLR:
4098+ s390_ipl_reset_request(cs, S390_RESET_MODIFIED_CLEAR);
4099+ break;
4100+- case 1:
4101++ case DIAG308_RESET_LOAD_NORM:
4102+ s390_ipl_reset_request(cs, S390_RESET_LOAD_NORMAL);
4103+ break;
4104+- case 3:
4105++ case DIAG308_LOAD_CLEAR:
4106++ /* Well we still lack the clearing bit... */
4107+ s390_ipl_reset_request(cs, S390_RESET_REIPL);
4108+ break;
4109+- case 5:
4110+- if ((r1 & 1) || (addr & 0x0fffULL)) {
4111+- s390_program_interrupt(env, PGM_SPECIFICATION, ra);
4112+- return;
4113+- }
4114+- if (!address_space_access_valid(&address_space_memory, addr,
4115+- sizeof(IplParameterBlock), false,
4116+- MEMTXATTRS_UNSPECIFIED)) {
4117+- s390_program_interrupt(env, PGM_ADDRESSING, ra);
4118++ case DIAG308_SET:
4119++ if (diag308_parm_check(env, r1, addr, ra, false)) {
4120+ return;
4121+ }
4122+ iplb = g_new0(IplParameterBlock, 1);
4123+@@ -110,15 +127,8 @@ void handle_diag_308(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra)
4124+ out:
4125+ g_free(iplb);
4126+ return;
4127+- case 6:
4128+- if ((r1 & 1) || (addr & 0x0fffULL)) {
4129+- s390_program_interrupt(env, PGM_SPECIFICATION, ra);
4130+- return;
4131+- }
4132+- if (!address_space_access_valid(&address_space_memory, addr,
4133+- sizeof(IplParameterBlock), true,
4134+- MEMTXATTRS_UNSPECIFIED)) {
4135+- s390_program_interrupt(env, PGM_ADDRESSING, ra);
4136++ case DIAG308_STORE:
4137++ if (diag308_parm_check(env, r1, addr, ra, true)) {
4138+ return;
4139+ }
4140+ iplb = s390_ipl_get_iplb();
4141+--
4142+2.25.1
4143+
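Review bot: `diag308_parm_check()` injects the program interrupt itself and returns -1, but nothing documents that the caller must then simply return, and the `write` parameter describes the direction of QEMU's access to guest memory (`false` for SET, where QEMU reads the block; `true` for STORE), which reads backwards from the guest's point of view; suggest a header comment: `/* Validate r1/addr for DIAG308 SET/STORE. Injects PGM_SPECIFICATION or PGM_ADDRESSING and returns -1 on failure, 0 otherwise; @write is true when QEMU will write the IPLB into guest memory. */`. Dropping the `subcode > 6` test relies on the switch's `default` case, which starts outside the hunk, so `DIAG308_LOAD_NORMAL_DUMP` (4) is defined here but only handled by that default. `addr & ~TARGET_PAGE_MASK` is equivalent to the old `addr & 0x0fffULL` only while TARGET_PAGE_BITS is 12, so the 4 KiB alignment requirement the literal made explicit is worth a short comment.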
4144diff --git a/debian/patches/ubuntu/lp-1835546-s390x-Don-t-do-a-normal-reset-on-the-initial-cpu.patch b/debian/patches/ubuntu/lp-1835546-s390x-Don-t-do-a-normal-reset-on-the-initial-cpu.patch
4145new file mode 100644
4146index 0000000..0f0d987
4147--- /dev/null
4148+++ b/debian/patches/ubuntu/lp-1835546-s390x-Don-t-do-a-normal-reset-on-the-initial-cpu.patch
4149@@ -0,0 +1,41 @@
4150+From c300ee105ad5458eb9f8d302e54d8f3cc70963fd Mon Sep 17 00:00:00 2001
4151+From: Janosch Frank <frankja@linux.ibm.com>
4152+Date: Wed, 27 Nov 2019 12:50:41 -0500
4153+Subject: [PATCH] s390x: Don't do a normal reset on the initial cpu
4154+
4155+The initiating cpu needs to be reset with an initial reset. While
4156+doing a normal reset followed by a initial reset is not wrong per se,
4157+the Ultravisor will only allow the correct reset to be performed.
4158+
4159+Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
4160+Reviewed-by: David Hildenbrand <david@redhat.com>
4161+Reviewed-by: Cornelia Huck <cohuck@redhat.com>
4162+Message-Id: <20191127175046.4911-2-frankja@linux.ibm.com>
4163+Signed-off-by: Cornelia Huck <cohuck@redhat.com>
4164+
4165+Forwarded: https://lists.gnu.org/archive/html/qemu-devel/2020-03/msg06247.html
4166+Origin: backport, https://github.com/borntraeger/qemu/commit/c300ee105a
4167+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1835546
4168+Last-Update: 2020-03-20
4169+
4170+---
4171+ hw/s390x/s390-virtio-ccw.c | 3 +++
4172+ 1 file changed, 3 insertions(+)
4173+
4174+diff --git a/hw/s390x/s390-virtio-ccw.c b/hw/s390x/s390-virtio-ccw.c
4175+index d3edeef0ad..c1d1440272 100644
4176+--- a/hw/s390x/s390-virtio-ccw.c
4177++++ b/hw/s390x/s390-virtio-ccw.c
4178+@@ -348,6 +348,9 @@ static void s390_machine_reset(MachineState *machine)
4179+ break;
4180+ case S390_RESET_LOAD_NORMAL:
4181+ CPU_FOREACH(t) {
4182++ if (t == cs) {
4183++ continue;
4184++ }
4185+ run_on_cpu(t, s390_do_cpu_reset, RUN_ON_CPU_NULL);
4186+ }
4187+ subsystem_reset();
4188+--
4189+2.25.1
4190+
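Review bot: The `continue` for the initiating CPU has no comment explaining why it is skipped; the commit message says the Ultravisor only permits the correct reset, so `/* the initiating cpu gets an initial reset instead; the Ultravisor rejects a normal reset preceding it */` at the `if (t == cs)` would preserve the rationale. The rest of `s390_machine_reset()`, including where `cs` itself is reset, is outside the hunk, so that the initial reset actually follows for this CPU cannot be confirmed from the visible lines and should be checked by the backporter.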
4191diff --git a/debian/patches/ubuntu/lp-1835546-s390x-Move-clear-reset.patch b/debian/patches/ubuntu/lp-1835546-s390x-Move-clear-reset.patch
4192new file mode 100644
4193index 0000000..ac56ad5
4194--- /dev/null
4195+++ b/debian/patches/ubuntu/lp-1835546-s390x-Move-clear-reset.patch
4196@@ -0,0 +1,135 @@
4197+From af3f6e479284aa297ad2a85bb3eab305376d138a Mon Sep 17 00:00:00 2001
4198+From: Janosch Frank <frankja@linux.ibm.com>
4199+Date: Wed, 27 Nov 2019 12:50:44 -0500
4200+Subject: [PATCH] s390x: Move clear reset
4201+
4202+Let's also move the clear reset function into the reset handler.
4203+
4204+Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
4205+Message-Id: <20191127175046.4911-5-frankja@linux.ibm.com>
4206+Reviewed-by: David Hildenbrand <david@redhat.com>
4207+Reviewed-by: Thomas Huth <thuth@redhat.com>
4208+Signed-off-by: Cornelia Huck <cohuck@redhat.com>
4209+
4210+Forwarded: https://lists.gnu.org/archive/html/qemu-devel/2020-03/msg06247.html
4211+Origin: backport, https://github.com/borntraeger/qemu/commit/af3f6e4792
4212+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1835546
4213+Last-Update: 2020-03-20
4214+
4215+---
4216+ target/s390x/cpu-qom.h | 1 +
4217+ target/s390x/cpu.c | 58 +++++++++++++-----------------------------
4218+ 2 files changed, 18 insertions(+), 41 deletions(-)
4219+
4220+diff --git a/target/s390x/cpu-qom.h b/target/s390x/cpu-qom.h
4221+index 6f0a12042e..dbe5346ec9 100644
4222+--- a/target/s390x/cpu-qom.h
4223++++ b/target/s390x/cpu-qom.h
4224+@@ -37,6 +37,7 @@ typedef struct S390CPUDef S390CPUDef;
4225+ typedef enum cpu_reset_type {
4226+ S390_CPU_RESET_NORMAL,
4227+ S390_CPU_RESET_INITIAL,
4228++ S390_CPU_RESET_CLEAR,
4229+ } cpu_reset_type;
4230+
4231+ /**
4232+diff --git a/target/s390x/cpu.c b/target/s390x/cpu.c
4233+index ca62fe7685..bd39cb54b7 100644
4234+--- a/target/s390x/cpu.c
4235++++ b/target/s390x/cpu.c
4236+@@ -94,6 +94,9 @@ static void s390_cpu_reset(CPUState *s, cpu_reset_type type)
4237+ s390_cpu_set_state(S390_CPU_STATE_STOPPED, cpu);
4238+
4239+ switch (type) {
4240++ case S390_CPU_RESET_CLEAR:
4241++ memset(env, 0, offsetof(CPUS390XState, start_initial_reset_fields));
4242++ /* fall through */
4243+ case S390_CPU_RESET_INITIAL:
4244+ /* initial reset does not clear everything! */
4245+ memset(&env->start_initial_reset_fields, 0,
4246+@@ -107,6 +110,14 @@ static void s390_cpu_reset(CPUState *s, cpu_reset_type type)
4247+ env->cregs[0] = CR0_RESET;
4248+ env->cregs[14] = CR14_RESET;
4249+
4250++#if defined(CONFIG_USER_ONLY)
4251++ /* user mode should always be allowed to use the full FPU */
4252++ env->cregs[0] |= CR0_AFP;
4253++ if (s390_has_feat(S390_FEAT_VECTOR)) {
4254++ env->cregs[0] |= CR0_VECTOR;
4255++ }
4256++#endif
4257++
4258+ /* tininess for underflow is detected before rounding */
4259+ set_float_detect_tininess(float_tininess_before_rounding,
4260+ &env->fpu_status);
4261+@@ -125,46 +136,6 @@ static void s390_cpu_reset(CPUState *s, cpu_reset_type type)
4262+ }
4263+ }
4264+
4265+-/* CPUClass:reset() */
4266+-static void s390_cpu_full_reset(CPUState *s)
4267+-{
4268+- S390CPU *cpu = S390_CPU(s);
4269+- S390CPUClass *scc = S390_CPU_GET_CLASS(cpu);
4270+- CPUS390XState *env = &cpu->env;
4271+-
4272+- scc->parent_reset(s);
4273+- cpu->env.sigp_order = 0;
4274+- s390_cpu_set_state(S390_CPU_STATE_STOPPED, cpu);
4275+-
4276+- memset(env, 0, offsetof(CPUS390XState, end_reset_fields));
4277+-
4278+- /* architectured initial values for CR 0 and 14 */
4279+- env->cregs[0] = CR0_RESET;
4280+- env->cregs[14] = CR14_RESET;
4281+-
4282+-#if defined(CONFIG_USER_ONLY)
4283+- /* user mode should always be allowed to use the full FPU */
4284+- env->cregs[0] |= CR0_AFP;
4285+- if (s390_has_feat(S390_FEAT_VECTOR)) {
4286+- env->cregs[0] |= CR0_VECTOR;
4287+- }
4288+-#endif
4289+-
4290+- /* architectured initial value for Breaking-Event-Address register */
4291+- env->gbea = 1;
4292+-
4293+- env->pfault_token = -1UL;
4294+-
4295+- /* tininess for underflow is detected before rounding */
4296+- set_float_detect_tininess(float_tininess_before_rounding,
4297+- &env->fpu_status);
4298+-
4299+- /* Reset state inside the kernel that we cannot access yet from QEMU. */
4300+- if (kvm_enabled()) {
4301+- kvm_s390_reset_vcpu(cpu);
4302+- }
4303+-}
4304+-
4305+ #if !defined(CONFIG_USER_ONLY)
4306+ static void s390_cpu_machine_reset_cb(void *opaque)
4307+ {
4308+@@ -456,6 +427,11 @@ static Property s390x_cpu_properties[] = {
4309+ DEFINE_PROP_END_OF_LIST()
4310+ };
4311+
4312++static void s390_cpu_reset_full(CPUState *s)
4313++{
4314++ return s390_cpu_reset(s, S390_CPU_RESET_CLEAR);
4315++}
4316++
4317+ static void s390_cpu_class_init(ObjectClass *oc, void *data)
4318+ {
4319+ S390CPUClass *scc = S390_CPU_CLASS(oc);
4320+@@ -472,7 +448,7 @@ static void s390_cpu_class_init(ObjectClass *oc, void *data)
4321+ scc->load_normal = s390_cpu_load_normal;
4322+ #endif
4323+ scc->reset = s390_cpu_reset;
4324+- cc->reset = s390_cpu_full_reset;
4325++ cc->reset = s390_cpu_reset_full;
4326+ cc->class_by_name = s390_cpu_class_by_name,
4327+ cc->has_work = s390_cpu_has_work;
4328+ #ifdef CONFIG_TCG
4329+--
4330+2.25.1
4331+
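Review bot: `s390_cpu_reset_full()` uses `return s390_cpu_reset(s, S390_CPU_RESET_CLEAR);` in a function declared `void`; ISO C forbids a `return` with an expression in a void function (GCC only warns under -Wpedantic), so write `s390_cpu_reset(s, S390_CPU_RESET_CLEAR);`. The removed full-reset body also set `env->gbea = 1` and `env->pfault_token = -1UL`; the new clear path falls through into the initial-reset case whose remaining lines are outside the hunk, so whether those two values are still re-established after a clear reset cannot be confirmed here and should be verified against the rest of `s390_cpu_reset()`. The `CONFIG_USER_ONLY` block now runs for every reset type rather than only the full reset, which is presumably intended since user mode has no other reset path, but a comment saying so would avoid a future reader re-moving it.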
4332diff --git a/debian/patches/ubuntu/lp-1835546-s390x-Move-diagnose-308-subcodes-and-rcs-into-ipl.h.patch b/debian/patches/ubuntu/lp-1835546-s390x-Move-diagnose-308-subcodes-and-rcs-into-ipl.h.patch
4333new file mode 100644
4334index 0000000..0bee0cb
4335--- /dev/null
4336+++ b/debian/patches/ubuntu/lp-1835546-s390x-Move-diagnose-308-subcodes-and-rcs-into-ipl.h.patch
4337@@ -0,0 +1,67 @@
4338+From f0869bee7c19767fff70794d64f400bb201e82e3 Mon Sep 17 00:00:00 2001
4339+From: Janosch Frank <frankja@linux.ibm.com>
4340+Date: Fri, 13 Mar 2020 10:35:02 -0400
4341+Subject: [PATCH] s390x: Move diagnose 308 subcodes and rcs into ipl.h
4342+
4343+They are part of the IPL process, so let's put them into the ipl
4344+header.
4345+
4346+Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
4347+
4348+Forwarded: https://lists.gnu.org/archive/html/qemu-devel/2020-03/msg06247.html
4349+Origin: backport, https://github.com/borntraeger/qemu/commit/f0869bee7c
4350+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1835546
4351+Last-Update: 2020-03-20
4352+
4353+---
4354+ hw/s390x/ipl.h | 11 +++++++++++
4355+ target/s390x/diag.c | 11 -----------
4356+ 2 files changed, 11 insertions(+), 11 deletions(-)
4357+
4358+diff --git a/hw/s390x/ipl.h b/hw/s390x/ipl.h
4359+index 3e44abe1c6..a5665e6bfd 100644
4360+--- a/hw/s390x/ipl.h
4361++++ b/hw/s390x/ipl.h
4362+@@ -159,6 +159,17 @@ struct S390IPLState {
4363+ typedef struct S390IPLState S390IPLState;
4364+ QEMU_BUILD_BUG_MSG(offsetof(S390IPLState, iplb) & 3, "alignment of iplb wrong");
4365+
4366++#define DIAG_308_RC_OK 0x0001
4367++#define DIAG_308_RC_NO_CONF 0x0102
4368++#define DIAG_308_RC_INVALID 0x0402
4369++
4370++#define DIAG308_RESET_MOD_CLR 0
4371++#define DIAG308_RESET_LOAD_NORM 1
4372++#define DIAG308_LOAD_CLEAR 3
4373++#define DIAG308_LOAD_NORMAL_DUMP 4
4374++#define DIAG308_SET 5
4375++#define DIAG308_STORE 6
4376++
4377+ #define S390_IPL_TYPE_FCP 0x00
4378+ #define S390_IPL_TYPE_CCW 0x02
4379+ #define S390_IPL_TYPE_QEMU_SCSI 0xff
4380+diff --git a/target/s390x/diag.c b/target/s390x/diag.c
4381+index 54e5670b3f..8aba6341f9 100644
4382+--- a/target/s390x/diag.c
4383++++ b/target/s390x/diag.c
4384+@@ -49,17 +49,6 @@ int handle_diag_288(CPUS390XState *env, uint64_t r1, uint64_t r3)
4385+ return diag288_class->handle_timer(diag288, func, timeout);
4386+ }
4387+
4388+-#define DIAG_308_RC_OK 0x0001
4389+-#define DIAG_308_RC_NO_CONF 0x0102
4390+-#define DIAG_308_RC_INVALID 0x0402
4391+-
4392+-#define DIAG308_RESET_MOD_CLR 0
4393+-#define DIAG308_RESET_LOAD_NORM 1
4394+-#define DIAG308_LOAD_CLEAR 3
4395+-#define DIAG308_LOAD_NORMAL_DUMP 4
4396+-#define DIAG308_SET 5
4397+-#define DIAG308_STORE 6
4398+-
4399+ static int diag308_parm_check(CPUS390XState *env, uint64_t r1, uint64_t addr,
4400+ uintptr_t ra, bool write)
4401+ {
4402+--
4403+2.25.1
4404+
4405diff --git a/debian/patches/ubuntu/lp-1835546-s390x-Move-initial-reset.patch b/debian/patches/ubuntu/lp-1835546-s390x-Move-initial-reset.patch
4406new file mode 100644
4407index 0000000..05da572
4408--- /dev/null
4409+++ b/debian/patches/ubuntu/lp-1835546-s390x-Move-initial-reset.patch
4410@@ -0,0 +1,148 @@
4411+From 57b68b74dcb355eee7b1543c70a427d26e04700f Mon Sep 17 00:00:00 2001
4412+From: Janosch Frank <frankja@linux.ibm.com>
4413+Date: Thu, 28 Nov 2019 03:37:23 -0500
4414+Subject: [PATCH] s390x: Move initial reset
4415+
4416+Let's move the intial reset into the reset handler and cleanup
4417+afterwards.
4418+
4419+Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
4420+Reviewed-by: David Hildenbrand <david@redhat.com>
4421+Message-Id: <20191128083723.11937-1-frankja@linux.ibm.com>
4422+Reviewed-by: Thomas Huth <thuth@redhat.com>
4423+Signed-off-by: Cornelia Huck <cohuck@redhat.com>
4424+
4425+Forwarded: https://lists.gnu.org/archive/html/qemu-devel/2020-03/msg06247.html
4426+Origin: backport, https://github.com/borntraeger/qemu/commit/57b68b74dc
4427+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1835546
4428+Last-Update: 2020-03-20
4429+
4430+---
4431+ target/s390x/cpu-qom.h | 2 +-
4432+ target/s390x/cpu.c | 46 +++++++++++++++++-------------------------
4433+ target/s390x/cpu.h | 2 +-
4434+ target/s390x/sigp.c | 2 +-
4435+ 4 files changed, 21 insertions(+), 31 deletions(-)
4436+
4437+diff --git a/target/s390x/cpu-qom.h b/target/s390x/cpu-qom.h
4438+index f3b71bac67..6f0a12042e 100644
4439+--- a/target/s390x/cpu-qom.h
4440++++ b/target/s390x/cpu-qom.h
4441+@@ -36,6 +36,7 @@ typedef struct S390CPUDef S390CPUDef;
4442+
4443+ typedef enum cpu_reset_type {
4444+ S390_CPU_RESET_NORMAL,
4445++ S390_CPU_RESET_INITIAL,
4446+ } cpu_reset_type;
4447+
4448+ /**
4449+@@ -62,7 +63,6 @@ typedef struct S390CPUClass {
4450+ void (*parent_reset)(CPUState *cpu);
4451+ void (*load_normal)(CPUState *cpu);
4452+ void (*reset)(CPUState *cpu, cpu_reset_type type);
4453+- void (*initial_cpu_reset)(CPUState *cpu);
4454+ } S390CPUClass;
4455+
4456+ typedef struct S390CPU S390CPU;
4457+diff --git a/target/s390x/cpu.c b/target/s390x/cpu.c
4458+index 67d6fbfa44..ca62fe7685 100644
4459+--- a/target/s390x/cpu.c
4460++++ b/target/s390x/cpu.c
4461+@@ -94,6 +94,23 @@ static void s390_cpu_reset(CPUState *s, cpu_reset_type type)
4462+ s390_cpu_set_state(S390_CPU_STATE_STOPPED, cpu);
4463+
4464+ switch (type) {
4465++ case S390_CPU_RESET_INITIAL:
4466++ /* initial reset does not clear everything! */
4467++ memset(&env->start_initial_reset_fields, 0,
4468++ offsetof(CPUS390XState, end_reset_fields) -
4469++ offsetof(CPUS390XState, start_initial_reset_fields));
4470++
4471++ /* architectured initial value for Breaking-Event-Address register */
4472++ env->gbea = 1;
4473++
4474++ /* architectured initial values for CR 0 and 14 */
4475++ env->cregs[0] = CR0_RESET;
4476++ env->cregs[14] = CR14_RESET;
4477++
4478++ /* tininess for underflow is detected before rounding */
4479++ set_float_detect_tininess(float_tininess_before_rounding,
4480++ &env->fpu_status);
4481++ /* fall through */
4482+ case S390_CPU_RESET_NORMAL:
4483+ env->pfault_token = -1UL;
4484+ env->bpbc = false;
4485+@@ -101,35 +118,9 @@ static void s390_cpu_reset(CPUState *s, cpu_reset_type type)
4486+ default:
4487+ g_assert_not_reached();
4488+ }
4489+-}
4490+-
4491+-/* S390CPUClass::initial_reset() */
4492+-static void s390_cpu_initial_reset(CPUState *s)
4493+-{
4494+- S390CPU *cpu = S390_CPU(s);
4495+- CPUS390XState *env = &cpu->env;
4496+-
4497+- s390_cpu_reset(s, S390_CPU_RESET_NORMAL);
4498+- /* initial reset does not clear everything! */
4499+- memset(&env->start_initial_reset_fields, 0,
4500+- offsetof(CPUS390XState, end_reset_fields) -
4501+- offsetof(CPUS390XState, start_initial_reset_fields));
4502+-
4503+- /* architectured initial values for CR 0 and 14 */
4504+- env->cregs[0] = CR0_RESET;
4505+- env->cregs[14] = CR14_RESET;
4506+-
4507+- /* architectured initial value for Breaking-Event-Address register */
4508+- env->gbea = 1;
4509+-
4510+- env->pfault_token = -1UL;
4511+-
4512+- /* tininess for underflow is detected before rounding */
4513+- set_float_detect_tininess(float_tininess_before_rounding,
4514+- &env->fpu_status);
4515+
4516+ /* Reset state inside the kernel that we cannot access yet from QEMU. */
4517+- if (kvm_enabled()) {
4518++ if (kvm_enabled() && type != S390_CPU_RESET_NORMAL) {
4519+ kvm_s390_reset_vcpu(cpu);
4520+ }
4521+ }
4522+@@ -481,7 +472,6 @@ static void s390_cpu_class_init(ObjectClass *oc, void *data)
4523+ scc->load_normal = s390_cpu_load_normal;
4524+ #endif
4525+ scc->reset = s390_cpu_reset;
4526+- scc->initial_cpu_reset = s390_cpu_initial_reset;
4527+ cc->reset = s390_cpu_full_reset;
4528+ cc->class_by_name = s390_cpu_class_by_name,
4529+ cc->has_work = s390_cpu_has_work;
4530+diff --git a/target/s390x/cpu.h b/target/s390x/cpu.h
4531+index 18123dfd5b..d2af13b345 100644
4532+--- a/target/s390x/cpu.h
4533++++ b/target/s390x/cpu.h
4534+@@ -748,7 +748,7 @@ static inline void s390_do_cpu_initial_reset(CPUState *cs, run_on_cpu_data arg)
4535+ {
4536+ S390CPUClass *scc = S390_CPU_GET_CLASS(cs);
4537+
4538+- scc->initial_cpu_reset(cs);
4539++ scc->reset(cs, S390_CPU_RESET_INITIAL);
4540+ }
4541+
4542+ static inline void s390_do_cpu_load_normal(CPUState *cs, run_on_cpu_data arg)
4543+diff --git a/target/s390x/sigp.c b/target/s390x/sigp.c
4544+index 850139b9cd..727875bb4a 100644
4545+--- a/target/s390x/sigp.c
4546++++ b/target/s390x/sigp.c
4547+@@ -254,7 +254,7 @@ static void sigp_initial_cpu_reset(CPUState *cs, run_on_cpu_data arg)
4548+ SigpInfo *si = arg.host_ptr;
4549+
4550+ cpu_synchronize_state(cs);
4551+- scc->initial_cpu_reset(cs);
4552++ scc->reset(cs, S390_CPU_RESET_INITIAL);
4553+ cpu_synchronize_post_reset(cs);
4554+ si->cc = SIGP_CC_ORDER_CODE_ACCEPTED;
4555+ }
4556+--
4557+2.25.1
4558+
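Review bot: The memset in the new S390_CPU_RESET_INITIAL case sizes its span as `offsetof(CPUS390XState, end_reset_fields) - offsetof(CPUS390XState, start_initial_reset_fields)`; that is an unsigned difference, so if the two marker fields are ever reordered it becomes a huge length and the memset runs off the end of env with no diagnostic. This series already pins a layout assumption with QEMU_BUILD_BUG_MSG in ipl.h, so a matching `QEMU_BUILD_BUG_ON(offsetof(CPUS390XState, start_initial_reset_fields) > offsetof(CPUS390XState, end_reset_fields));` next to the memset would catch that at compile time. The statement is moved rather than new, but s390_cpu_reset is now the only owner of it; the function's opening lies outside this hunk.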
4559diff --git a/debian/patches/ubuntu/lp-1835546-s390x-Move-reset-normal-to-shared-reset-handler.patch b/debian/patches/ubuntu/lp-1835546-s390x-Move-reset-normal-to-shared-reset-handler.patch
4560new file mode 100644
4561index 0000000..daed72a
4562--- /dev/null
4563+++ b/debian/patches/ubuntu/lp-1835546-s390x-Move-reset-normal-to-shared-reset-handler.patch
4564@@ -0,0 +1,134 @@
4565+From bae87d827e0f158900ef25fb6015fa8d535a6c94 Mon Sep 17 00:00:00 2001
4566+From: Janosch Frank <frankja@linux.ibm.com>
4567+Date: Wed, 27 Nov 2019 12:50:42 -0500
4568+Subject: [PATCH] s390x: Move reset normal to shared reset handler
4569+
4570+Let's start moving the cpu reset functions into a single function with
4571+a switch/case, so we can later use fallthroughs and share more code
4572+between resets.
4573+
4574+This patch introduces the reset function by renaming cpu_reset().
4575+
4576+Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
4577+Reviewed-by: David Hildenbrand <david@redhat.com>
4578+Message-Id: <20191127175046.4911-3-frankja@linux.ibm.com>
4579+Reviewed-by: Thomas Huth <thuth@redhat.com>
4580+Signed-off-by: Cornelia Huck <cohuck@redhat.com>
4581+
4582+Forwarded: https://lists.gnu.org/archive/html/qemu-devel/2020-03/msg06247.html
4583+Origin: backport, https://github.com/borntraeger/qemu/commit/bae87d827e
4584+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1835546
4585+Last-Update: 2020-03-20
4586+
4587+---
4588+ target/s390x/cpu-qom.h | 6 +++++-
4589+ target/s390x/cpu.c | 19 +++++++++++++------
4590+ target/s390x/cpu.h | 2 +-
4591+ target/s390x/sigp.c | 2 +-
4592+ 4 files changed, 20 insertions(+), 9 deletions(-)
4593+
4594+diff --git a/target/s390x/cpu-qom.h b/target/s390x/cpu-qom.h
4595+index b809ec8418..f3b71bac67 100644
4596+--- a/target/s390x/cpu-qom.h
4597++++ b/target/s390x/cpu-qom.h
4598+@@ -34,6 +34,10 @@
4599+ typedef struct S390CPUModel S390CPUModel;
4600+ typedef struct S390CPUDef S390CPUDef;
4601+
4602++typedef enum cpu_reset_type {
4603++ S390_CPU_RESET_NORMAL,
4604++} cpu_reset_type;
4605++
4606+ /**
4607+ * S390CPUClass:
4608+ * @parent_realize: The parent class' realize handler.
4609+@@ -57,7 +61,7 @@ typedef struct S390CPUClass {
4610+ DeviceRealize parent_realize;
4611+ void (*parent_reset)(CPUState *cpu);
4612+ void (*load_normal)(CPUState *cpu);
4613+- void (*cpu_reset)(CPUState *cpu);
4614++ void (*reset)(CPUState *cpu, cpu_reset_type type);
4615+ void (*initial_cpu_reset)(CPUState *cpu);
4616+ } S390CPUClass;
4617+
4618+diff --git a/target/s390x/cpu.c b/target/s390x/cpu.c
4619+index 3abe7e80fd..67d6fbfa44 100644
4620+--- a/target/s390x/cpu.c
4621++++ b/target/s390x/cpu.c
4622+@@ -82,18 +82,25 @@ static void s390_cpu_load_normal(CPUState *s)
4623+ }
4624+ #endif
4625+
4626+-/* S390CPUClass::cpu_reset() */
4627+-static void s390_cpu_reset(CPUState *s)
4628++/* S390CPUClass::reset() */
4629++static void s390_cpu_reset(CPUState *s, cpu_reset_type type)
4630+ {
4631+ S390CPU *cpu = S390_CPU(s);
4632+ S390CPUClass *scc = S390_CPU_GET_CLASS(cpu);
4633+ CPUS390XState *env = &cpu->env;
4634+
4635+- env->pfault_token = -1UL;
4636+- env->bpbc = false;
4637+ scc->parent_reset(s);
4638+ cpu->env.sigp_order = 0;
4639+ s390_cpu_set_state(S390_CPU_STATE_STOPPED, cpu);
4640++
4641++ switch (type) {
4642++ case S390_CPU_RESET_NORMAL:
4643++ env->pfault_token = -1UL;
4644++ env->bpbc = false;
4645++ break;
4646++ default:
4647++ g_assert_not_reached();
4648++ }
4649+ }
4650+
4651+ /* S390CPUClass::initial_reset() */
4652+@@ -102,7 +109,7 @@ static void s390_cpu_initial_reset(CPUState *s)
4653+ S390CPU *cpu = S390_CPU(s);
4654+ CPUS390XState *env = &cpu->env;
4655+
4656+- s390_cpu_reset(s);
4657++ s390_cpu_reset(s, S390_CPU_RESET_NORMAL);
4658+ /* initial reset does not clear everything! */
4659+ memset(&env->start_initial_reset_fields, 0,
4660+ offsetof(CPUS390XState, end_reset_fields) -
4661+@@ -473,7 +480,7 @@ static void s390_cpu_class_init(ObjectClass *oc, void *data)
4662+ #if !defined(CONFIG_USER_ONLY)
4663+ scc->load_normal = s390_cpu_load_normal;
4664+ #endif
4665+- scc->cpu_reset = s390_cpu_reset;
4666++ scc->reset = s390_cpu_reset;
4667+ scc->initial_cpu_reset = s390_cpu_initial_reset;
4668+ cc->reset = s390_cpu_full_reset;
4669+ cc->class_by_name = s390_cpu_class_by_name,
4670+diff --git a/target/s390x/cpu.h b/target/s390x/cpu.h
4671+index 17460ed7b3..18123dfd5b 100644
4672+--- a/target/s390x/cpu.h
4673++++ b/target/s390x/cpu.h
4674+@@ -741,7 +741,7 @@ static inline void s390_do_cpu_reset(CPUState *cs, run_on_cpu_data arg)
4675+ {
4676+ S390CPUClass *scc = S390_CPU_GET_CLASS(cs);
4677+
4678+- scc->cpu_reset(cs);
4679++ scc->reset(cs, S390_CPU_RESET_NORMAL);
4680+ }
4681+
4682+ static inline void s390_do_cpu_initial_reset(CPUState *cs, run_on_cpu_data arg)
4683+diff --git a/target/s390x/sigp.c b/target/s390x/sigp.c
4684+index 2ce22d4dc1..850139b9cd 100644
4685+--- a/target/s390x/sigp.c
4686++++ b/target/s390x/sigp.c
4687+@@ -266,7 +266,7 @@ static void sigp_cpu_reset(CPUState *cs, run_on_cpu_data arg)
4688+ SigpInfo *si = arg.host_ptr;
4689+
4690+ cpu_synchronize_state(cs);
4691+- scc->cpu_reset(cs);
4692++ scc->reset(cs, S390_CPU_RESET_NORMAL);
4693+ cpu_synchronize_post_reset(cs);
4694+ si->cc = SIGP_CC_ORDER_CODE_ACCEPTED;
4695+ }
4696+--
4697+2.25.1
4698+
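Review bot: The two env writes `env->pfault_token = -1UL;` and `env->bpbc = false;` move from before `scc->parent_reset(s)` to after it and after s390_cpu_set_state(), while the commit message describes the patch as a rename. That reordering is only behaviour-neutral if neither parent_reset nor the state change reads or writes those fields, which nothing in the hunk shows; it presumably holds for the common CPU reset, but it deserves a sentence in the commit message or a short comment above the switch so a later reader does not treat the old order as significant. The `default: g_assert_not_reached();` arm is a good addition and should stay as the enum grows.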
4699diff --git a/debian/patches/ubuntu/lp-1835546-s390x-ipl-Consolidate-iplb-validity-check-into-one-f.patch b/debian/patches/ubuntu/lp-1835546-s390x-ipl-Consolidate-iplb-validity-check-into-one-f.patch
4700new file mode 100644
4701index 0000000..59ee3d6
4702--- /dev/null
4703+++ b/debian/patches/ubuntu/lp-1835546-s390x-ipl-Consolidate-iplb-validity-check-into-one-f.patch
4704@@ -0,0 +1,70 @@
4705+From 2321dddc5f92eea17caed784c960d3c57088fd41 Mon Sep 17 00:00:00 2001
4706+From: Janosch Frank <frankja@linux.ibm.com>
4707+Date: Tue, 10 Mar 2020 05:09:50 -0400
4708+Subject: [PATCH] s390x: ipl: Consolidate iplb validity check into one function
4709+
4710+It's nicer to just call one function than calling a function for each
4711+possible iplb type.
4712+
4713+Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
4714+Reviewed-by: David Hildenbrand <david@redhat.com>
4715+Message-Id: <20200310090950.61172-1-frankja@linux.ibm.com>
4716+Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com>
4717+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
4718+
4719+Forwarded: https://lists.gnu.org/archive/html/qemu-devel/2020-03/msg06247.html
4720+Origin: backport, https://github.com/borntraeger/qemu/commit/2321dddc5f
4721+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1835546
4722+Last-Update: 2020-03-20
4723+
4724+---
4725+ hw/s390x/ipl.h | 18 +++++++++---------
4726+ target/s390x/diag.c | 2 +-
4727+ 2 files changed, 10 insertions(+), 10 deletions(-)
4728+
4729+diff --git a/hw/s390x/ipl.h b/hw/s390x/ipl.h
4730+index d4813105db..3e44abe1c6 100644
4731+--- a/hw/s390x/ipl.h
4732++++ b/hw/s390x/ipl.h
4733+@@ -173,16 +173,16 @@ static inline bool iplb_valid_len(IplParameterBlock *iplb)
4734+ return be32_to_cpu(iplb->len) <= sizeof(IplParameterBlock);
4735+ }
4736+
4737+-static inline bool iplb_valid_ccw(IplParameterBlock *iplb)
4738++static inline bool iplb_valid(IplParameterBlock *iplb)
4739+ {
4740+- return be32_to_cpu(iplb->len) >= S390_IPLB_MIN_CCW_LEN &&
4741+- iplb->pbt == S390_IPL_TYPE_CCW;
4742+-}
4743+-
4744+-static inline bool iplb_valid_fcp(IplParameterBlock *iplb)
4745+-{
4746+- return be32_to_cpu(iplb->len) >= S390_IPLB_MIN_FCP_LEN &&
4747+- iplb->pbt == S390_IPL_TYPE_FCP;
4748++ switch (iplb->pbt) {
4749++ case S390_IPL_TYPE_FCP:
4750++ return be32_to_cpu(iplb->len) >= S390_IPLB_MIN_FCP_LEN;
4751++ case S390_IPL_TYPE_CCW:
4752++ return be32_to_cpu(iplb->len) >= S390_IPLB_MIN_CCW_LEN;
4753++ default:
4754++ return false;
4755++ }
4756+ }
4757+
4758+ #endif
4759+diff --git a/target/s390x/diag.c b/target/s390x/diag.c
4760+index 53c2f81f2a..0c81d8e1ef 100644
4761+--- a/target/s390x/diag.c
4762++++ b/target/s390x/diag.c
4763+@@ -100,7 +100,7 @@ void handle_diag_308(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra)
4764+
4765+ cpu_physical_memory_read(addr, iplb, be32_to_cpu(iplb->len));
4766+
4767+- if (!iplb_valid_ccw(iplb) && !iplb_valid_fcp(iplb)) {
4768++ if (!iplb_valid(iplb)) {
4769+ env->regs[r1 + 1] = DIAG_308_RC_INVALID;
4770+ goto out;
4771+ }
4772+--
4773+2.25.1
4774+
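Review bot: iplb_valid() switches on `iplb->pbt` before it has established that the guest-supplied `len` covers that field: the only upper bound is iplb_valid_len() (context above, `len <= sizeof(IplParameterBlock)`), and the copy in handle_diag_308 is `cpu_physical_memory_read(addr, iplb, be32_to_cpu(iplb->len))`, so for a short len the pbt byte is whatever the caller's allocation already held. That is safe only if handle_diag_308 zero-initialises the block before the read and the default arm then rejects it via the minimum-length checks; the function's opening is outside this hunk so I cannot confirm it here. A precondition comment on the new helper would make the dependency explicit, e.g. `/* Caller must zero-init the block and check len with iplb_valid_len() first. */`.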
4775diff --git a/debian/patches/ubuntu/lp-1835546-s390x-kvm-Make-kvm_sclp_service_call-void.patch b/debian/patches/ubuntu/lp-1835546-s390x-kvm-Make-kvm_sclp_service_call-void.patch
4776new file mode 100644
4777index 0000000..55c2974
4778--- /dev/null
4779+++ b/debian/patches/ubuntu/lp-1835546-s390x-kvm-Make-kvm_sclp_service_call-void.patch
4780@@ -0,0 +1,72 @@
4781+From 3915257d71c9e64fd4dcd4406996650a7b29baba Mon Sep 17 00:00:00 2001
4782+From: Janosch Frank <frankja@linux.ibm.com>
4783+Date: Fri, 29 Nov 2019 04:17:13 -0500
4784+Subject: [PATCH] s390x: kvm: Make kvm_sclp_service_call void
4785+
4786+It defaults to returning 0 anyway and that return value is not
4787+necessary, as 0 is also the default rc that the caller would return.
4788+
4789+While doing that we can simplify the logic a bit and return early if
4790+we inject a PGM exception.
4791+
4792+Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
4793+Reviewed-by: Thomas Huth <thuth@redhat.com>
4794+Message-Id: <20191129091713.4582-1-frankja@linux.ibm.com>
4795+Reviewed-by: David Hildenbrand <david@redhat.com>
4796+Signed-off-by: Cornelia Huck <cohuck@redhat.com>
4797+
4798+Forwarded: https://lists.gnu.org/archive/html/qemu-devel/2020-03/msg06247.html
4799+Origin: backport, https://github.com/borntraeger/qemu/commit/3915257d71
4800+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1835546
4801+Last-Update: 2020-03-20
4802+
4803+---
4804+ target/s390x/kvm.c | 12 +++++-------
4805+ 1 file changed, 5 insertions(+), 7 deletions(-)
4806+
4807+diff --git a/target/s390x/kvm.c b/target/s390x/kvm.c
4808+index 0c9d14b4b1..ad6e38c876 100644
4809+--- a/target/s390x/kvm.c
4810++++ b/target/s390x/kvm.c
4811+@@ -1159,13 +1159,13 @@ void kvm_s390_access_exception(S390CPU *cpu, uint16_t code, uint64_t te_code)
4812+ kvm_s390_vcpu_interrupt(cpu, &irq);
4813+ }
4814+
4815+-static int kvm_sclp_service_call(S390CPU *cpu, struct kvm_run *run,
4816++static void kvm_sclp_service_call(S390CPU *cpu, struct kvm_run *run,
4817+ uint16_t ipbh0)
4818+ {
4819+ CPUS390XState *env = &cpu->env;
4820+ uint64_t sccb;
4821+ uint32_t code;
4822+- int r = 0;
4823++ int r;
4824+
4825+ sccb = env->regs[ipbh0 & 0xf];
4826+ code = env->regs[(ipbh0 & 0xf0) >> 4];
4827+@@ -1173,11 +1173,9 @@ static int kvm_sclp_service_call(S390CPU *cpu, struct kvm_run *run,
4828+ r = sclp_service_call(env, sccb, code);
4829+ if (r < 0) {
4830+ kvm_s390_program_interrupt(cpu, -r);
4831+- } else {
4832+- setcc(cpu, r);
4833++ return;
4834+ }
4835+-
4836+- return 0;
4837++ setcc(cpu, r);
4838+ }
4839+
4840+ static int handle_b2(S390CPU *cpu, struct kvm_run *run, uint8_t ipa1)
4841+@@ -1240,7 +1238,7 @@ static int handle_b2(S390CPU *cpu, struct kvm_run *run, uint8_t ipa1)
4842+ setcc(cpu, 3);
4843+ break;
4844+ case PRIV_B2_SCLP_CALL:
4845+- rc = kvm_sclp_service_call(cpu, run, ipbh0);
4846++ kvm_sclp_service_call(cpu, run, ipbh0);
4847+ break;
4848+ default:
4849+ rc = -1;
4850+--
4851+2.25.1
4852+
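Review bot: In handle_b2 the PRIV_B2_SCLP_CALL case no longer assigns `rc`, so the value returned for an SCLP call now depends on rc's initialiser at the top of handle_b2, which is outside this hunk; if that is `int rc = 0;` behaviour is unchanged, otherwise the case returns an indeterminate value. A one-line comment in the case, `/* rc stays 0: failures are reported via PGM interrupt or cc */`, would pin that intent for the next reader. Separately, `run` is not referenced in the body of kvm_sclp_service_call as shown, so if it was already unused the parameter could be dropped while touching the signature anyway.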
4853diff --git a/debian/patches/ubuntu/lp-1835546-s390x-protvirt-Add-migration-blocker.patch b/debian/patches/ubuntu/lp-1835546-s390x-protvirt-Add-migration-blocker.patch
4854new file mode 100644
4855index 0000000..9909233
4856--- /dev/null
4857+++ b/debian/patches/ubuntu/lp-1835546-s390x-protvirt-Add-migration-blocker.patch
4858@@ -0,0 +1,70 @@
4859+From 617d3f7be6434962614dc5ee381f3d67aca85578 Mon Sep 17 00:00:00 2001
4860+From: Janosch Frank <frankja@linux.ibm.com>
4861+Date: Fri, 6 Mar 2020 06:40:13 -0500
4862+Subject: [PATCH] s390x: protvirt: Add migration blocker
4863+
4864+Migration is not yet supported.
4865+
4866+Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
4867+Reviewed-by: David Hildenbrand <david@redhat.com>
4868+Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com>
4869+Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
4870+Reviewed-by: Cornelia Huck <cohuck@redhat.com>
4871+
4872+Forwarded: https://lists.gnu.org/archive/html/qemu-devel/2020-03/msg06247.html
4873+Origin: backport, https://github.com/borntraeger/qemu/commit/617d3f7be6
4874+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1835546
4875+Last-Update: 2020-03-20
4876+
4877+---
4878+ hw/s390x/s390-virtio-ccw.c | 18 ++++++++++++++++++
4879+ 1 file changed, 18 insertions(+)
4880+
4881+diff --git a/hw/s390x/s390-virtio-ccw.c b/hw/s390x/s390-virtio-ccw.c
4882+index 5149030d22..ed910a0996 100644
4883+--- a/hw/s390x/s390-virtio-ccw.c
4884++++ b/hw/s390x/s390-virtio-ccw.c
4885+@@ -44,6 +44,9 @@
4886+ #include "sysemu/sysemu.h"
4887+ #include "hw/s390x/pv.h"
4888+ #include <linux/kvm.h>
4889++#include "migration/blocker.h"
4890++
4891++static Error *pv_mig_blocker;
4892+
4893+ S390CPU *s390_cpu_addr2state(uint16_t cpu_addr)
4894+ {
4895+@@ -325,15 +328,30 @@ static void s390_machine_unprotect(S390CcwMachineState *ms)
4896+ {
4897+ s390_pv_vm_disable();
4898+ ms->pv = false;
4899++ migrate_del_blocker(pv_mig_blocker);
4900++ error_free_or_abort(&pv_mig_blocker);
4901+ }
4902+
4903+ static int s390_machine_protect(S390CcwMachineState *ms)
4904+ {
4905++ Error *local_err = NULL;
4906+ int rc;
4907+
4908++ error_setg(&pv_mig_blocker,
4909++ "protected VMs are currently not migrateable.");
4910++ rc = migrate_add_blocker(pv_mig_blocker, &local_err);
4911++ if (rc) {
4912++ error_report_err(local_err);
4913++ error_free_or_abort(&pv_mig_blocker);
4914++ return rc;
4915++ }
4916++
4917+ /* Create SE VM */
4918+ rc = s390_pv_vm_enable();
4919+ if (rc) {
4920++ error_report_err(local_err);
4921++ migrate_del_blocker(pv_mig_blocker);
4922++ error_free_or_abort(&pv_mig_blocker);
4923+ return rc;
4924+ }
4925+
4926+--
4927+2.25.1
4928+
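Review bot: In s390_machine_protect's s390_pv_vm_enable() failure path, `error_report_err(local_err);` is called with local_err still NULL: the only writer of local_err is migrate_add_blocker(), and this branch is reached only after that call returned 0. error_report_err() fetches the message from the Error it is given, so a failing PV enable would crash QEMU instead of reporting the error, and the blocker cleanup that follows would never run. Replace that line with a message that does not depend on local_err, e.g. `error_report("failed to enable protected virtualization (rc=%d)", rc);`, and keep the migrate_del_blocker()/error_free_or_abort() pair. The rest of s390_machine_protect continues outside the hunk.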
4929diff --git a/debian/patches/ubuntu/lp-1835546-s390x-protvirt-Disable-address-checks-for-PV-guest-I.patch b/debian/patches/ubuntu/lp-1835546-s390x-protvirt-Disable-address-checks-for-PV-guest-I.patch
4930new file mode 100644
4931index 0000000..99b5c6f
4932--- /dev/null
4933+++ b/debian/patches/ubuntu/lp-1835546-s390x-protvirt-Disable-address-checks-for-PV-guest-I.patch
4934@@ -0,0 +1,126 @@
4935+From ec052c4f954d5a33d06c94d46058c623f65883bb Mon Sep 17 00:00:00 2001
4936+From: Janosch Frank <frankja@linux.ibm.com>
4937+Date: Fri, 29 Nov 2019 04:22:41 -0500
4938+Subject: [PATCH] s390x: protvirt: Disable address checks for PV guest IO
4939+ emulation
4940+
4941+IO instruction data is routed through SIDAD for protected guests, so
4942+adresses do not need to be checked, as this is kernel memory which is
4943+always available.
4944+
4945+Also the instruction data always starts at offset 0 of the SIDAD.
4946+
4947+Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
4948+Reviewed-by: Thomas Huth <thuth@redhat.com>
4949+Reviewed-by: David Hildenbrand <david@redhat.com>
4950+Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com>
4951+Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
4952+Reviewed-by: Cornelia Huck <cohuck@redhat.com>
4953+
4954+Forwarded: https://lists.gnu.org/archive/html/qemu-devel/2020-03/msg06247.html
4955+Origin: backport, https://github.com/borntraeger/qemu/commit/ec052c4f95
4956+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1835546
4957+Last-Update: 2020-03-20
4958+
4959+---
4960+ target/s390x/ioinst.c | 35 ++++++++++++++++++++++++++++-------
4961+ 1 file changed, 28 insertions(+), 7 deletions(-)
4962+
4963+diff --git a/target/s390x/ioinst.c b/target/s390x/ioinst.c
4964+index c437a1d8c6..bbcccf6be2 100644
4965+--- a/target/s390x/ioinst.c
4966++++ b/target/s390x/ioinst.c
4967+@@ -16,6 +16,25 @@
4968+ #include "hw/s390x/ioinst.h"
4969+ #include "trace.h"
4970+ #include "hw/s390x/s390-pci-bus.h"
4971++#include "hw/s390x/pv.h"
4972++
4973++/* All I/O instructions but chsc use the s format */
4974++static uint64_t get_address_from_regs(CPUS390XState *env, uint32_t ipb,
4975++ uint8_t *ar)
4976++{
4977++ /*
4978++ * Addresses for protected guests are all offsets into the
4979++ * satellite block which holds the IO control structures. Those
4980++ * control structures are always starting at offset 0 and are
4981++ * always aligned and accessible. So we can return 0 here which
4982++ * will pass the following address checks.
4983++ */
4984++ if (s390_is_pv()) {
4985++ *ar = 0;
4986++ return 0;
4987++ }
4988++ return decode_basedisp_s(env, ipb, ar);
4989++}
4990+
4991+ int ioinst_disassemble_sch_ident(uint32_t value, int *m, int *cssid, int *ssid,
4992+ int *schid)
4993+@@ -114,7 +133,7 @@ void ioinst_handle_msch(S390CPU *cpu, uint64_t reg1, uint32_t ipb, uintptr_t ra)
4994+ CPUS390XState *env = &cpu->env;
4995+ uint8_t ar;
4996+
4997+- addr = decode_basedisp_s(env, ipb, &ar);
4998++ addr = get_address_from_regs(env, ipb, &ar);
4999+ if (addr & 3) {
5000+ s390_program_interrupt(env, PGM_SPECIFICATION, ra);