Merge ~paelzer/ubuntu/+source/qemu:focal-SRU-august2020-1890154-1883984-1891203-1891877 into ubuntu/+source/qemu:ubuntu/focal-devel

Proposed by Christian Ehrhardt 
Status: Merged
Approved by: Christian Ehrhardt 
Approved revision: 74968e83c5c627c29f7a6cb802086ae93622aeca
Merge reported by: Christian Ehrhardt 
Merged at revision: 74968e83c5c627c29f7a6cb802086ae93622aeca
Proposed branch: ~paelzer/ubuntu/+source/qemu:focal-SRU-august2020-1890154-1883984-1891203-1891877
Merge into: ubuntu/+source/qemu:ubuntu/focal-devel
Diff against target: 10691 lines (+9839/-7)
133 files modified
debian/changelog (+86/-0)
debian/patches/series (+131/-1)
debian/patches/stable/lp-1891877-9p-Lock-directory-streams-with-a-CoMutex.patch (+74/-0)
debian/patches/stable/lp-1891877-9p-local-always-return-1-on-error-in-local_unlinkat_.patch (+91/-0)
debian/patches/stable/lp-1891877-9p-proxy-Fix-export_flags.patch (+49/-0)
debian/patches/stable/lp-1891877-9pfs-include-linux-limits.h-for-XATTR_SIZE_MAX.patch (+43/-0)
debian/patches/stable/lp-1891877-9pfs-local-Fix-possible-memory-leak-in-local_link.patch (+44/-0)
debian/patches/stable/lp-1891877-9pfs-local-ignore-O_NOATIME-if-we-don-t-have-permiss.patch (+67/-0)
debian/patches/stable/lp-1891877-Fix-double-free-issue-in-qemu_set_log_filename.patch (+41/-0)
debian/patches/stable/lp-1891877-Fix-tulip-breakage.patch (+65/-0)
debian/patches/stable/lp-1891877-Revert-qemu-options.hx-Update-for-reboot-timeout-par.patch (+43/-0)
debian/patches/stable/lp-1891877-Revert-vnc-allow-fall-back-to-RAW-encoding.patch (+77/-0)
debian/patches/stable/lp-1891877-Update-version-for-4.2.1-release.patch (+24/-0)
debian/patches/stable/lp-1891877-blkdebug-Allow-taking-unsharing-permissions.patch (+209/-0)
debian/patches/stable/lp-1891877-block-Add-bdrv_qapi_perm_to_blk_perm.patch (+87/-0)
debian/patches/stable/lp-1891877-block-Avoid-memleak-on-qcow2-image-info-failure.patch (+41/-0)
debian/patches/stable/lp-1891877-block-Call-attention-to-truncation-of-long-NBD-expor.patch (+100/-0)
debian/patches/stable/lp-1891877-block-Fix-VM-size-field-width-in-snapshot-dump.patch (+58/-0)
debian/patches/stable/lp-1891877-block-backup-fix-memory-leak-in-bdrv_backup_top_appe.patch (+55/-0)
debian/patches/stable/lp-1891877-block-bdrv_set_backing_bs-fix-use-after-free.patch (+122/-0)
debian/patches/stable/lp-1891877-block-fix-memleaks-in-bdrv_refresh_filename.patch (+68/-0)
debian/patches/stable/lp-1891877-compat-disable-edid-on-correct-virtio-gpu-device.patch (+49/-0)
debian/patches/stable/lp-1891877-display-bochs-display-fix-memory-leak.patch (+42/-0)
debian/patches/stable/lp-1891877-dp8393x-Always-update-RRA-pointers-and-sequence-numb.patch (+52/-0)
debian/patches/stable/lp-1891877-dp8393x-Always-use-32-bit-accesses.patch (+167/-0)
debian/patches/stable/lp-1891877-dp8393x-Clean-up-endianness-hacks.patch (+71/-0)
debian/patches/stable/lp-1891877-dp8393x-Clear-RRRA-command-register-bit-only-when-ap.patch (+56/-0)
debian/patches/stable/lp-1891877-dp8393x-Clear-descriptor-in_use-field-to-release-pac.patch (+55/-0)
debian/patches/stable/lp-1891877-dp8393x-Don-t-clobber-packet-checksum.patch (+45/-0)
debian/patches/stable/lp-1891877-dp8393x-Don-t-reset-Silicon-Revision-register.patch (+51/-0)
debian/patches/stable/lp-1891877-dp8393x-Don-t-stop-reception-upon-RBE-interrupt-asse.patch (+137/-0)
debian/patches/stable/lp-1891877-dp8393x-Have-dp8393x_receive-return-the-packet-size.patch (+68/-0)
debian/patches/stable/lp-1891877-dp8393x-Implement-packet-size-limit-and-RBAE-interru.patch (+57/-0)
debian/patches/stable/lp-1891877-dp8393x-Mask-EOL-bit-from-descriptor-addresses.patch (+98/-0)
debian/patches/stable/lp-1891877-dp8393x-Pad-frames-to-word-or-long-word-boundary.patch (+113/-0)
debian/patches/stable/lp-1891877-dp8393x-Update-LLFA-and-CRDA-registers-from-rx-descr.patch (+75/-0)
debian/patches/stable/lp-1891877-dp8393x-Use-long-word-aligned-RRA-pointers-in-32-bit.patch (+60/-0)
debian/patches/stable/lp-1891877-dump-Fix-writing-of-ELF-section.patch (+51/-0)
debian/patches/stable/lp-1891877-hmp-vnc-Fix-info-vnc-list-leak.patch (+54/-0)
debian/patches/stable/lp-1891877-hostmem-don-t-use-mbind-if-host-nodes-is-empty.patch (+61/-0)
debian/patches/stable/lp-1891877-hw-arm-cubieboard-use-ARM-Cortex-A8-as-the-default-C.patch (+59/-0)
debian/patches/stable/lp-1891877-hw-arm-smmuv3-Align-stream-table-base-address-to-tab.patch (+83/-0)
debian/patches/stable/lp-1891877-hw-arm-smmuv3-Apply-address-mask-to-linear-strtab-ba.patch (+59/-0)
debian/patches/stable/lp-1891877-hw-arm-smmuv3-Check-stream-IDs-against-actual-table-.patch (+63/-0)
debian/patches/stable/lp-1891877-hw-arm-smmuv3-Correct-SMMU_BASE_ADDR_MASK-value.patch (+52/-0)
debian/patches/stable/lp-1891877-hw-arm-smmuv3-Report-F_STE_FETCH-fault-address-in-co.patch (+55/-0)
debian/patches/stable/lp-1891877-hw-arm-smmuv3-Use-correct-bit-positions-in-EVT_SET_A.patch (+58/-0)
debian/patches/stable/lp-1891877-hw-i386-amd_iommu.c-Fix-corruption-of-log-events-pas.patch (+49/-0)
debian/patches/stable/lp-1891877-hw-intc-arm_gicv3_kvm-Stop-wrongly-programming-GICR_.patch (+66/-0)
debian/patches/stable/lp-1891877-i386-Resolve-CPU-models-to-v1-by-default.patch (+91/-0)
debian/patches/stable/lp-1891877-ide-Fix-incorrect-handling-of-some-PRDTs-in-ide_dma_.patch (+99/-0)
debian/patches/stable/lp-1891877-iotests-026-Move-v3-exclusive-test-to-new-file.patch (+232/-0)
debian/patches/stable/lp-1891877-iotests-026-Test-EIO-on-allocation-in-a-data-file.patch (+107/-0)
debian/patches/stable/lp-1891877-iotests-026-Test-EIO-on-preallocated-zero-cluster.patch (+97/-0)
debian/patches/stable/lp-1891877-iotests-283-Use-consistent-size-for-source-and-targe.patch (+57/-0)
debian/patches/stable/lp-1891877-iotests-Fix-IMGOPTSSYNTAX-for-nbd.patch (+42/-0)
debian/patches/stable/lp-1891877-iotests-Fix-nonportable-use-of-od-endian.patch (+69/-0)
debian/patches/stable/lp-1891877-iotests-Test-copy-offloading-with-external-data-file.patch (+71/-0)
debian/patches/stable/lp-1891877-iotests-add-test-for-backup-top-failure-on-permissio.patch (+19/-6)
debian/patches/stable/lp-1891877-m68k-Fix-regression-causing-Single-Step-via-GDB-RSP-.patch (+108/-0)
debian/patches/stable/lp-1891877-migration-Rate-limit-inside-host-pages.patch (+157/-0)
debian/patches/stable/lp-1891877-migration-colo-fix-use-after-free-of-local_err.patch (+39/-0)
debian/patches/stable/lp-1891877-migration-ram-fix-use-after-free-of-local_err.patch (+39/-0)
debian/patches/stable/lp-1891877-migration-test-ppc64-fix-FORTH-test-program.patch (+67/-0)
debian/patches/stable/lp-1891877-net-Do-not-include-a-newline-in-the-id-of-nic-device.patch (+43/-0)
debian/patches/stable/lp-1891877-numa-properly-check-if-numa-is-supported.patch (+75/-0)
debian/patches/stable/lp-1891877-numa-remove-not-needed-check.patch (+52/-0)
debian/patches/stable/lp-1891877-ppc-ppc405_boards-Remove-unnecessary-NULL-check.patch (+63/-0)
debian/patches/stable/lp-1891877-qapi-better-document-NVMe-blockdev-device-parameter.patch (+49/-0)
debian/patches/stable/lp-1891877-qcow2-List-autoclear-bit-names-in-header.patch (+208/-0)
debian/patches/stable/lp-1891877-qcow2-update_refcount-Reset-old_table_index-after-qc.patch (+43/-0)
debian/patches/stable/lp-1891877-qemu-ga-document-vsock-listen-in-the-man-page.patch (+70/-0)
debian/patches/stable/lp-1891877-qemu-nbd-Close-inherited-stderr.patch (+46/-0)
debian/patches/stable/lp-1891877-qga-Fix-undefined-C-behavior.patch (+53/-0)
debian/patches/stable/lp-1891877-qga-Installer-Wait-for-installation-to-finish.patch (+42/-0)
debian/patches/stable/lp-1891877-qga-win-Handle-VSS_E_PROVIDER_ALREADY_REGISTERED-err.patch (+47/-0)
debian/patches/stable/lp-1891877-qga-win-prevent-crash-when-executing-guest-file-read.patch (+55/-0)
debian/patches/stable/lp-1891877-runstate-ignore-finishmigrate-prelaunch-transition.patch (+69/-0)
debian/patches/stable/lp-1891877-s390x-adapter-routes-error-handling.patch (+84/-0)
debian/patches/stable/lp-1891877-scsi-qemu-pr-helper-Fix-out-of-bounds-access-to-trnp.patch (+102/-0)
debian/patches/stable/lp-1891877-sheepdog-Consistently-set-bdrv_has_zero_init_truncat.patch (+54/-0)
debian/patches/stable/lp-1891877-spapr-Fix-failure-path-for-attempting-to-hot-unplug-.patch (+42/-0)
debian/patches/stable/lp-1891877-target-arm-Clear-tail-in-gvec_fmul_idx_-gvec_fmla_id.patch (+47/-0)
debian/patches/stable/lp-1891877-target-arm-Correct-definition-of-PMCRDP.patch (+47/-0)
debian/patches/stable/lp-1891877-target-arm-fix-TCG-leak-for-fcvt-half-double.patch (+54/-0)
debian/patches/stable/lp-1891877-target-arm-monitor-query-cpu-model-expansion-crashed.patch (+66/-0)
debian/patches/stable/lp-1891877-target-ppc-Fix-mtmsr-d-L-1-variant-that-loses-interr.patch (+163/-0)
debian/patches/stable/lp-1891877-target-ppc-Fix-rlwinm-on-ppc64.patch (+67/-0)
debian/patches/stable/lp-1891877-target-xtensa-fix-pasto-in-pfwait.r-opcode-name.patch (+36/-0)
debian/patches/stable/lp-1891877-tcg-i386-Fix-INDEX_op_dup2_vec.patch (+45/-0)
debian/patches/stable/lp-1891877-tcg-mips-mips-sync-encode-error.patch (+57/-0)
debian/patches/stable/lp-1891877-tests-fix-modules-test-duplicate-test-case-error.patch (+54/-0)
debian/patches/stable/lp-1891877-tests-ide-test-Create-a-single-unit-test-covering-mo.patch (+228/-0)
debian/patches/stable/lp-1891877-vhost-user-blk-delete-virtioqueues-in-unrealize-to-f.patch (+75/-0)
debian/patches/stable/lp-1891877-vhost-user-gpu-Release-memory-returned-by-vu_queue_p.patch (+67/-0)
debian/patches/stable/lp-1891877-virtio-9p-device-fix-memleak-in-virtio_9p_device_unr.patch (+49/-0)
debian/patches/stable/lp-1891877-virtio-add-ability-to-delete-vq-through-a-pointer.patch (+71/-0)
debian/patches/stable/lp-1891877-virtio-balloon-fix-free-page-hinting-check-on-unreal.patch (+51/-0)
debian/patches/stable/lp-1891877-virtio-balloon-fix-free-page-hinting-without-an-ioth.patch (+116/-0)
debian/patches/stable/lp-1891877-virtio-balloon-unref-the-iothread-when-unrealizing.patch (+49/-0)
debian/patches/stable/lp-1891877-virtio-crypto-do-delete-ctrl_vq-in-virtio_crypto_dev.patch (+61/-0)
debian/patches/stable/lp-1891877-virtio-make-virtio_delete_queue-idempotent.patch (+37/-0)
debian/patches/stable/lp-1891877-virtio-pmem-do-delete-rq_vq-in-virtio_pmem_unrealize.patch (+45/-0)
debian/patches/stable/lp-1891877-virtio-reset-region-cache-when-on-queue-deletion.patch (+40/-0)
debian/patches/stable/lp-1891877-vpc-Don-t-round-up-already-aligned-BAT-sizes.patch (+55/-0)
debian/patches/stable/lp-1891877-xen-9pfs-yield-when-there-isn-t-enough-room-on-the-r.patch (+96/-0)
debian/patches/stable/lp-1891877-xen-block-Fix-double-qlist-remove-and-request-leak.patch (+163/-0)
debian/patches/ubuntu/CVE-2020-10761.patch (+149/-0)
debian/patches/ubuntu/CVE-2020-12829-2.patch (+55/-0)
debian/patches/ubuntu/CVE-2020-12829-3.patch (+41/-0)
debian/patches/ubuntu/CVE-2020-12829-4.patch (+42/-0)
debian/patches/ubuntu/CVE-2020-12829-5.patch (+28/-0)
debian/patches/ubuntu/CVE-2020-12829-6.patch (+129/-0)
debian/patches/ubuntu/CVE-2020-12829-7.patch (+61/-0)
debian/patches/ubuntu/CVE-2020-12829-pre1.patch (+159/-0)
debian/patches/ubuntu/CVE-2020-12829-pre2.patch (+134/-0)
debian/patches/ubuntu/CVE-2020-12829-pre3.patch (+42/-0)
debian/patches/ubuntu/CVE-2020-12829-pre4.patch (+95/-0)
debian/patches/ubuntu/CVE-2020-12829.patch (+261/-0)
debian/patches/ubuntu/CVE-2020-13253.patch (+122/-0)
debian/patches/ubuntu/CVE-2020-13361.patch (+60/-0)
debian/patches/ubuntu/CVE-2020-13362-1.patch (+51/-0)
debian/patches/ubuntu/CVE-2020-13362-2.patch (+36/-0)
debian/patches/ubuntu/CVE-2020-13362-3.patch (+97/-0)
debian/patches/ubuntu/CVE-2020-13659.patch (+47/-0)
debian/patches/ubuntu/CVE-2020-13754-1.patch (+81/-0)
debian/patches/ubuntu/CVE-2020-13754-2.patch (+59/-0)
debian/patches/ubuntu/CVE-2020-13800.patch (+59/-0)
debian/patches/ubuntu/CVE-2020-14415.patch (+33/-0)
debian/patches/ubuntu/CVE-2020-15863.patch (+58/-0)
debian/patches/ubuntu/CVE-2020-16092.patch (+40/-0)
debian/patches/ubuntu/lp-1883984-target-s390x-Fix-SQXBR.patch (+37/-0)
debian/patches/ubuntu/lp-1890154-s390x-protvirt-allow-to-IPL-secure-guests-with-no-re.patch (+52/-0)
Reviewer Review Type Date Requested Status
Rafael David Tinoco (community) Approve
Canonical Server Pending
git-ubuntu developers Pending
Christian Ehrhardt  (paelzer) wrote :

PPA: https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/4215/+packages

PPA that contains version 6.4 https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa
I'll rebase it once 6.4 is released and got imported - but the content won't change.

SRU templates have been added to the bug, and other than review + regression test this is good to go IMHO.

Rafael David Tinoco (rafaeldtinoco) wrote :

From the beginning

c33d65deb29 - security update 4.2-3ubuntu6.4 (to be released)

----

5c4fe018c0 nbd/server: Avoid long error message assertions CVE-2020-10761
fa70c2871f sm501: Optimize small overlapping blits
84ec3f9402 sm501: Fix bounds checks
4decaad9d2 sm501: Drop unneded variable
f018edc358 sm501: Do not allow guest to set invalid format
299778d5af sm501: Introduce variable for commonly used value for better readability
9982c605a7 sm501: Fix and optimize overlap check
e29da77e5f sm501: Convert printf + abort to qemu_log_mask
6f8183b5dc sm501: Shorten long variable names in sm501_2d_operation
2824809b7f sm501: Use BIT(x) macro to shorten constant
3d0b096298 sm501: Clean up local variables in sm501_2d_operation
b15a22bbcb sm501: Replace hand written implementation with pixman where possible
790762e548 hw/sd/sdcard: Do not switch to ReceivingData if address is invalid
369ff955a8 es1370: check total frame count against current frame
f50ab86a26 megasas: use unsigned type for reply_queue_head and check index
fd69185567 megasas: avoid NULL pointer dereference
2b151297e4 megasas: use unsigned type for positive numeric fields
77f55eac6c exec: set map length to zero when returning NULL
5d971f9e67 memory: Revert "memory: accept mismatching sizes in memory_region_access_valid"
dba04c3488 acpi: accept byte and word access to core ACPI registers
a98610c429 ati-vga: check mm_index before recursive call (CVE-2020-13800)
7a4ede0047 audio/oss: fix buffer pos calculation
5519724a13 hw/net/xgmac: Fix buffer overflow in xgmac_enet_send()
035e69b063 hw/net/net_tx_pkt: fix assertion failure in net_tx_pkt_add_raw_fragment()

----

So, all the CVE fixes look ok, but I think we might be missing a fix for a regression caused by:

5d971f9e67 memory: Revert "memory: accept mismatching sizes in memory_region_access_valid"

which is:

commit 70b78d4e71 (MISSING)
Author: Alistair Francis <email address hidden>
Date: Tue Jun 30 17:12:11 2020

    hw/riscv: Allow 64 bit access to SiFive CLINT

    Commit 5d971f9e672507210e77d020d89e0e89165c8fc9
    "memory: Revert "memory: accept mismatching sizes in
    memory_region_access_valid"" broke most RISC-V boards as they do 64 bit
    accesses to the CLINT and QEMU would trigger a fault. Fix this failure
    by allowing 8 byte accesses.

    Signed-off-by: Alistair Francis <email address hidden>
    Reviewed-by: LIU Zhiwei<email address hidden>
    Message-Id: <122b78825b077e4dfd39b444d3a46fe894a7804c<email address hidden>>

Rafael David Tinoco (rafaeldtinoco) wrote :

For...

ab9f0cb1d27 further stabilize by importing patches of qemu v4.2.1

----
stable/lp-1891877-9p-Lock-directory-streams-with-a-CoMutex.patch
stable/lp-1891877-9p-local-always-return-1-on-error-in-local_unlinkat_.patch
stable/lp-1891877-9p-proxy-Fix-export_flags.patch
stable/lp-1891877-9pfs-include-linux-limits.h-for-XATTR_SIZE_MAX.patch
stable/lp-1891877-9pfs-local-Fix-possible-memory-leak-in-local_link.patch
stable/lp-1891877-9pfs-local-ignore-O_NOATIME-if-we-don-t-have-permiss.patch
stable/lp-1891877-Fix-double-free-issue-in-qemu_set_log_filename.patch
stable/lp-1891877-Fix-tulip-breakage.patch
stable/lp-1891877-Revert-qemu-options.hx-Update-for-reboot-timeout-par.patch
stable/lp-1891877-Revert-vnc-allow-fall-back-to-RAW-encoding.patch
stable/lp-1891877-Update-version-for-4.2.1-release.patch
stable/lp-1891877-blkdebug-Allow-taking-unsharing-permissions.patch
stable/lp-1891877-block-Add-bdrv_qapi_perm_to_blk_perm.patch
stable/lp-1891877-block-Avoid-memleak-on-qcow2-image-info-failure.patch
stable/lp-1891877-block-Call-attention-to-truncation-of-long-NBD-expor.patch
stable/lp-1891877-block-Fix-VM-size-field-width-in-snapshot-dump.patch
stable/lp-1891877-block-backup-fix-memory-leak-in-bdrv_backup_top_appe.patch
stable/lp-1891877-block-bdrv_set_backing_bs-fix-use-after-free.patch
stable/lp-1891877-block-fix-memleaks-in-bdrv_refresh_filename.patch
stable/lp-1891877-compat-disable-edid-on-correct-virtio-gpu-device.patch
stable/lp-1891877-display-bochs-display-fix-memory-leak.patch
stable/lp-1891877-dp8393x-Always-update-RRA-pointers-and-sequence-numb.patch
stable/lp-1891877-dp8393x-Always-use-32-bit-accesses.patch
stable/lp-1891877-dp8393x-Clean-up-endianness-hacks.patch
stable/lp-1891877-dp8393x-Clear-RRRA-command-register-bit-only-when-ap.patch
stable/lp-1891877-dp8393x-Clear-descriptor-in_use-field-to-release-pac.patch
stable/lp-1891877-dp8393x-Don-t-clobber-packet-checksum.patch
stable/lp-1891877-dp8393x-Don-t-reset-Silicon-Revision-register.patch
stable/lp-1891877-dp8393x-Don-t-stop-reception-upon-RBE-interrupt-asse.patch
stable/lp-1891877-dp8393x-Have-dp8393x_receive-return-the-packet-size.patch
stable/lp-1891877-dp8393x-Implement-packet-size-limit-and-RBAE-interru.patch
stable/lp-1891877-dp8393x-Mask-EOL-bit-from-descriptor-addresses.patch
stable/lp-1891877-dp8393x-Pad-frames-to-word-or-long-word-boundary.patch
stable/lp-1891877-dp8393x-Update-LLFA-and-CRDA-registers-from-rx-descr.patch
stable/lp-1891877-dp8393x-Use-long-word-aligned-RRA-pointers-in-32-bit.patch
stable/lp-1891877-dump-Fix-writing-of-ELF-section.patch
stable/lp-1891877-hmp-vnc-Fix-info-vnc-list-leak.patch
stable/lp-1891877-hostmem-don-t-use-mbind-if-host-nodes-is-empty.patch
stable/lp-1891877-hw-arm-cubieboard-use-ARM-Cortex-A8-as-the-default-C.patch
stable/lp-1891877-hw-arm-smmuv3-Align-stream-table-base-address-to-tab.patch
stable/lp-1891877-hw-arm-smmuv3-Apply-address-mask-to-linear-strtab-ba.patch
stable/lp-1891877-hw-arm-smmuv3-Check-stream-IDs-against-actual-table-.patch
stable/lp-1891877-hw-arm-smmuv3-Correct-SMMU_BASE_ADDR_MASK-value.patch
stable/lp-1891877-hw-arm-smmuv3-Report-F_STE_FETCH-fault-address-in-co.patch
stable/lp-1891877-hw-arm-smmuv3-Use-correct-b...

Rafael David Tinoco (rafaeldtinoco) wrote :

All other patches (single SRUs) look okay to me.

I'm +1 on this (and already approving) as long as you check:

commit 70b78d4e71 (MISSING)
Author: Alistair Francis <email address hidden>
Date: Tue Jun 30 17:12:11 2020

    hw/riscv: Allow 64 bit access to SiFive CLINT

as being a fix (or not) to the regression caused by:

5d971f9e67 memory: Revert "memory: accept mismatching sizes in memory_region_access_valid"

All the rest look good SRUs, cases have templates, patches apply cleanly, etc.

review: Approve
Christian Ehrhardt  (paelzer) wrote :

commit 5d971f9e672507210e77d020d89e0e89165c8fc9
Author: Michael S. Tsirkin <email address hidden>
Date: Wed Jun 10 09:47:49 2020 -0400

    memory: Revert "memory: accept mismatching sizes in memory_region_access_valid"

Was added by/in
  debian/patches/ubuntu/CVE-2020-13754-1.patch:

As part of the former security upload.

And I agree this patch should be added as well.

Ok so it was not missing from my stable patches but actually broken in the security release before it. Great catch and great that you are ok with the rest.

Also the security update got released tonight so I can rebase onto the new import and upload.

Note: this fix you identified also needs to go on top of groovy (there added by security upload in 1:5.0-5ubuntu3) which I'll do right away.

Christian Ehrhardt  (paelzer) wrote :

Hmm no, despite being a 5.1 patch in groovy
  debian/patches/riscv-allow-64-bit-access-to-SiFive-CLINT.patch
was added by me when doing the security fixes in 1:5.0-5ubuntu3

So groovy is good already, adding the patch to Focal as discussed.

Christian Ehrhardt  (paelzer) wrote :

I have pinged security as they backported this to X&B as well - not sure how reasonable riscv emu was these days, but I thought they should know.

The Focal upload is prepared as reviewed plus the fix that was identified.

To ssh://git.launchpad.net/~usd-import-team/ubuntu/+source/qemu
 * [new tag] upload/1%4.2-3ubuntu6.5 -> upload/1%4.2-3ubuntu6.5

Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading qemu_4.2-3ubuntu6.5.dsc: done.
  Uploading qemu_4.2-3ubuntu6.5.debian.tar.xz: done.
  Uploading qemu_4.2-3ubuntu6.5_source.buildinfo: done.
  Uploading qemu_4.2-3ubuntu6.5_source.changes: done.
Successfully uploaded packages.

Christian Ehrhardt  (paelzer) wrote :

SRU released

Preview Diff

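--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,89 @@
+qemu (1:4.2-3ubuntu6.5) focal; urgency=medium
+
+ * further stabilize qemu by importing patches of qemu v4.2.1
+ Fixes (LP: #1891203) and (LP: #1891877)
+ - d/p/stable/lp-1891877-*
+ * fix s390x SQXBR emulation (LP: #1883984)
+ - d/p/ubuntu/lp-1883984-target-s390x-Fix-SQXBR.patch
+ * fix -no-reboot for s390x protvirt guests (LP: #1890154)
+ - d/p/ubuntu/lp-1890154-s390x-protvirt-allow-to-IPL-secure-guests-with-*
+
+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Wed, 19 Aug 2020 13:40:49 +0200
+
+qemu (1:4.2-3ubuntu6.4) focal-security; urgency=medium
+
+ * SECURITY UPDATE: assert failure in nbd
+ - debian/patches/ubuntu/CVE-2020-10761.patch: avoid long error message
+ assertions in nbd/server.c, tests/qemu-iotests/143,
+ tests/qemu-iotests/143.out.
+ - CVE-2020-10761
+ * SECURITY UPDATE: out-of-bounds read and write in sm501
+ - debian/patches/ubuntu/CVE-2020-12829-pre1.patch: convert printf +
+ abort to qemu_log_mask.
+ - debian/patches/ubuntu/CVE-2020-12829-pre2.patch: shorten long
+ variable names in sm501_2d_operation.
+ - debian/patches/ubuntu/CVE-2020-12829-pre3.patch: use BIT(x) macro to
+ shorten constant.
+ - debian/patches/ubuntu/CVE-2020-12829-pre4.patch: clean up local
+ variables in sm501_2d_operation.
+ - debian/patches/ubuntu/CVE-2020-12829.patch: replace hand written
+ implementation with pixman where possible.
+ - debian/patches/ubuntu/CVE-2020-12829-2.patch: optimize small
+ overlapping blits.
+ - debian/patches/ubuntu/CVE-2020-12829-3.patch: fix bounds checks.
+ - debian/patches/ubuntu/CVE-2020-12829-4.patch: drop unneded variable.
+ - debian/patches/ubuntu/CVE-2020-12829-5.patch: do not allow guest to
+ set invalid format.
+ - debian/patches/ubuntu/CVE-2020-12829-6.patch: introduce variable for
+ commonly used value for better readability.
+ - debian/patches/ubuntu/CVE-2020-12829-7.patch: fix and optimize
+ overlap check.
+ - CVE-2020-12829
+ * SECURITY UPDATE: out-of-bounds read during sdhci_write() operations
+ - debian/patches/ubuntu/CVE-2020-13253.patch: do not switch to
+ ReceivingData if address is invalid in hw/sd/sd.c.
+ - CVE-2020-13253
+ * SECURITY UPDATE: out-of-bounds access during es1370_write() operation
+ - debian/patches/ubuntu/CVE-2020-13361.patch: check total frame count
+ against current frame in hw/audio/es1370.c.
+ - CVE-2020-13361
+ * SECURITY UPDATE: out-of-bounds read via crafted reply_queue_head
+ - debian/patches/ubuntu/CVE-2020-13362-1.patch: use unsigned type for
+ reply_queue_head and check index in hw/scsi/megasas.c.
+ - debian/patches/ubuntu/CVE-2020-13362-2.patch: avoid NULL pointer
+ dereference in hw/scsi/megasas.c.
+ - debian/patches/ubuntu/CVE-2020-13362-3.patch: use unsigned type for
+ positive numeric fields in hw/scsi/megasas.c.
+ - CVE-2020-13362
+ * SECURITY UPDATE: NULL pointer dereference related to BounceBuffer
+ - debian/patches/ubuntu/CVE-2020-13659.patch: set map length to zero
+ when returning NULL in exec.c, include/exec/memory.h.
+ - CVE-2020-13659
+ * SECURITY UPDATE: out-of-bounds access via msi-x mmio operation
+ - debian/patches/ubuntu/CVE-2020-13754-1.patch: revert accepting
+ mismatching sizes in memory_region_access_valid in memory.c.
+ - debian/patches/ubuntu/CVE-2020-13754-2.patch: accept byte and word
+ access to core ACPI registers in hw/acpi/core.c.
+ - CVE-2020-13754
+ * SECURITY UPDATE: infinite recursion in ati-vga
+ - debian/patches/ubuntu/CVE-2020-13800.patch: check mm_index before
+ recursive call in hw/display/ati.c.
+ - CVE-2020-13800
+ * SECURITY UPDATE: division by zero in oss_write()
+ - debian/patches/ubuntu/CVE-2020-14415.patch: fix buffer pos
+ calculation in audio/ossaudio.c.
+ - CVE-2020-14415
+ * SECURITY UPDATE: buffer overflow in XGMAC Ethernet controller
+ - debian/patches/ubuntu/CVE-2020-15863.patch: check bounds in
+ hw/net/xgmac.c.
+ - CVE-2020-15863
+ * SECURITY UPDATE: reachable assertion failure
+ - debian/patches/ubuntu/CVE-2020-16092.patch: fix assertion failure in
+ hw/net/net_tx_pkt.c.
+ - CVE-2020-16092
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 11 Aug 2020 12:30:06 -0400
+
 qemu (1:4.2-3ubuntu6.3) focal; urgency=medium
 
 * debian/patches/ubuntu/lp-1878973-*: fix assert in qemu-guest-agent that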
95diff --git a/debian/patches/series b/debian/patches/series
96index dd6cb95..b9c1506 100644
97--- a/debian/patches/series
98+++ b/debian/patches/series
99@@ -39,7 +39,6 @@ stable/lp-1867519-target-arm-Set-ISSIs16Bit-in-make_issinfo.patch
100 stable/lp-1867519-target-i386-kvm-initialize-feature-MSRs-very-early.patch
101 stable/lp-1867519-tpm-ppi-page-align-PPI-RAM.patch
102 stable/lp-1867519-block-backup-top-fix-failure-path.patch
103-stable/lp-1867519-iotests-add-test-for-backup-top-failure-on-permissio.patch
104 stable/lp-1867519-block-fix-crash-on-zero-length-unaligned-write-and-r.patch
105 stable/lp-1867519-qemu-img-Fix-convert-n-B-for-backing-less-targets.patch
106 stable/lp-1867519-plugins-core-add-missing-break-in-cb_to_tcg_flags.patch
107@@ -93,3 +92,134 @@ ubuntu/lp-1872945-target-openrisc-Fix-FPCSR-mask-to-allow-setting-DZF.patch
108 ubuntu/CVE-2020-11869.patch
109 ubuntu/lp-1878973-fix-assert-regression.patch
110 lp-1882774-target-i386-do-not-set-unsupported-VMX-secondary-exe.patch
111+ubuntu/CVE-2020-10761.patch
112+ubuntu/CVE-2020-12829-pre1.patch
113+ubuntu/CVE-2020-12829-pre2.patch
114+ubuntu/CVE-2020-12829-pre3.patch
115+ubuntu/CVE-2020-12829-pre4.patch
116+ubuntu/CVE-2020-12829.patch
117+ubuntu/CVE-2020-12829-2.patch
118+ubuntu/CVE-2020-12829-3.patch
119+ubuntu/CVE-2020-12829-4.patch
120+ubuntu/CVE-2020-12829-5.patch
121+ubuntu/CVE-2020-12829-6.patch
122+ubuntu/CVE-2020-12829-7.patch
123+ubuntu/CVE-2020-13253.patch
124+ubuntu/CVE-2020-13361.patch
125+ubuntu/CVE-2020-13362-1.patch
126+ubuntu/CVE-2020-13362-2.patch
127+ubuntu/CVE-2020-13362-3.patch
128+ubuntu/CVE-2020-13659.patch
129+ubuntu/CVE-2020-13754-1.patch
130+ubuntu/CVE-2020-13754-2.patch
131+ubuntu/CVE-2020-13800.patch
132+ubuntu/CVE-2020-14415.patch
133+ubuntu/CVE-2020-15863.patch
134+ubuntu/CVE-2020-16092.patch
135+stable/lp-1891877-i386-Resolve-CPU-models-to-v1-by-default.patch
136+stable/lp-1891877-qapi-better-document-NVMe-blockdev-device-parameter.patch
137+stable/lp-1891877-numa-remove-not-needed-check.patch
138+stable/lp-1891877-numa-properly-check-if-numa-is-supported.patch
139+stable/lp-1891877-tests-ide-test-Create-a-single-unit-test-covering-mo.patch
140+stable/lp-1891877-ide-Fix-incorrect-handling-of-some-PRDTs-in-ide_dma_.patch
141+stable/lp-1891877-virtio-add-ability-to-delete-vq-through-a-pointer.patch
142+stable/lp-1891877-virtio-make-virtio_delete_queue-idempotent.patch
143+stable/lp-1891877-virtio-reset-region-cache-when-on-queue-deletion.patch
144+stable/lp-1891877-dp8393x-Mask-EOL-bit-from-descriptor-addresses.patch
145+stable/lp-1891877-dp8393x-Always-use-32-bit-accesses.patch
146+stable/lp-1891877-dp8393x-Clean-up-endianness-hacks.patch
147+stable/lp-1891877-dp8393x-Have-dp8393x_receive-return-the-packet-size.patch
148+stable/lp-1891877-dp8393x-Update-LLFA-and-CRDA-registers-from-rx-descr.patch
149+stable/lp-1891877-dp8393x-Clear-RRRA-command-register-bit-only-when-ap.patch
150+stable/lp-1891877-dp8393x-Implement-packet-size-limit-and-RBAE-interru.patch
151+stable/lp-1891877-dp8393x-Don-t-clobber-packet-checksum.patch
152+stable/lp-1891877-dp8393x-Use-long-word-aligned-RRA-pointers-in-32-bit.patch
153+stable/lp-1891877-dp8393x-Pad-frames-to-word-or-long-word-boundary.patch
154+stable/lp-1891877-dp8393x-Clear-descriptor-in_use-field-to-release-pac.patch
155+stable/lp-1891877-dp8393x-Always-update-RRA-pointers-and-sequence-numb.patch
156+stable/lp-1891877-dp8393x-Don-t-reset-Silicon-Revision-register.patch
157+stable/lp-1891877-dp8393x-Don-t-stop-reception-upon-RBE-interrupt-asse.patch
158+stable/lp-1891877-qcow2-update_refcount-Reset-old_table_index-after-qc.patch
159+stable/lp-1891877-iotests-Test-copy-offloading-with-external-data-file.patch
160+stable/lp-1891877-iotests-026-Test-EIO-on-preallocated-zero-cluster.patch
161+stable/lp-1891877-iotests-026-Test-EIO-on-allocation-in-a-data-file.patch
162+stable/lp-1891877-scsi-qemu-pr-helper-Fix-out-of-bounds-access-to-trnp.patch
163+stable/lp-1891877-target-ppc-Fix-rlwinm-on-ppc64.patch
164+stable/lp-1891877-compat-disable-edid-on-correct-virtio-gpu-device.patch
165+stable/lp-1891877-qga-Installer-Wait-for-installation-to-finish.patch
166+stable/lp-1891877-qga-win-Handle-VSS_E_PROVIDER_ALREADY_REGISTERED-err.patch
167+stable/lp-1891877-qga-win-prevent-crash-when-executing-guest-file-read.patch
168+stable/lp-1891877-qga-Fix-undefined-C-behavior.patch
169+stable/lp-1891877-qemu-ga-document-vsock-listen-in-the-man-page.patch
170+stable/lp-1891877-hw-i386-amd_iommu.c-Fix-corruption-of-log-events-pas.patch
171+stable/lp-1891877-tcg-i386-Fix-INDEX_op_dup2_vec.patch
172+stable/lp-1891877-dump-Fix-writing-of-ELF-section.patch
173+stable/lp-1891877-xen-block-Fix-double-qlist-remove-and-request-leak.patch
174+stable/lp-1891877-vhost-user-gpu-Release-memory-returned-by-vu_queue_p.patch
175+stable/lp-1891877-target-ppc-Fix-mtmsr-d-L-1-variant-that-loses-interr.patch
176+stable/lp-1891877-hostmem-don-t-use-mbind-if-host-nodes-is-empty.patch
177+stable/lp-1891877-target-arm-Clear-tail-in-gvec_fmul_idx_-gvec_fmla_id.patch
178+stable/lp-1891877-qemu-nbd-Close-inherited-stderr.patch
179+stable/lp-1891877-9p-Lock-directory-streams-with-a-CoMutex.patch
180+stable/lp-1891877-net-Do-not-include-a-newline-in-the-id-of-nic-device.patch
181+stable/lp-1891877-virtio-balloon-fix-free-page-hinting-without-an-ioth.patch
182+stable/lp-1891877-virtio-balloon-fix-free-page-hinting-check-on-unreal.patch
183+stable/lp-1891877-virtio-balloon-unref-the-iothread-when-unrealizing.patch
184+stable/lp-1891877-block-Call-attention-to-truncation-of-long-NBD-expor.patch
185+stable/lp-1891877-9pfs-local-Fix-possible-memory-leak-in-local_link.patch
186+stable/lp-1891877-9p-local-always-return-1-on-error-in-local_unlinkat_.patch
187+stable/lp-1891877-virtio-9p-device-fix-memleak-in-virtio_9p_device_unr.patch
188+stable/lp-1891877-9p-proxy-Fix-export_flags.patch
189+stable/lp-1891877-9pfs-local-ignore-O_NOATIME-if-we-don-t-have-permiss.patch
190+stable/lp-1891877-9pfs-include-linux-limits.h-for-XATTR_SIZE_MAX.patch
191+stable/lp-1891877-xen-9pfs-yield-when-there-isn-t-enough-room-on-the-r.patch
192+stable/lp-1891877-tests-fix-modules-test-duplicate-test-case-error.patch
193+stable/lp-1891877-iotests-026-Move-v3-exclusive-test-to-new-file.patch
194+stable/lp-1891877-Revert-qemu-options.hx-Update-for-reboot-timeout-par.patch
195+stable/lp-1891877-Fix-double-free-issue-in-qemu_set_log_filename.patch
196+stable/lp-1891877-iotests-Fix-IMGOPTSSYNTAX-for-nbd.patch
197+stable/lp-1891877-display-bochs-display-fix-memory-leak.patch
198+stable/lp-1891877-hw-arm-smmuv3-Apply-address-mask-to-linear-strtab-ba.patch
199+stable/lp-1891877-hw-arm-smmuv3-Correct-SMMU_BASE_ADDR_MASK-value.patch
200+stable/lp-1891877-hw-arm-smmuv3-Check-stream-IDs-against-actual-table-.patch
201+stable/lp-1891877-hw-arm-smmuv3-Align-stream-table-base-address-to-tab.patch
202+stable/lp-1891877-hw-arm-smmuv3-Use-correct-bit-positions-in-EVT_SET_A.patch
203+stable/lp-1891877-hw-arm-smmuv3-Report-F_STE_FETCH-fault-address-in-co.patch
204+stable/lp-1891877-block-Add-bdrv_qapi_perm_to_blk_perm.patch
205+stable/lp-1891877-blkdebug-Allow-taking-unsharing-permissions.patch
206+stable/lp-1891877-migration-test-ppc64-fix-FORTH-test-program.patch
207+stable/lp-1891877-runstate-ignore-finishmigrate-prelaunch-transition.patch
208+stable/lp-1891877-migration-Rate-limit-inside-host-pages.patch
209+stable/lp-1891877-Revert-vnc-allow-fall-back-to-RAW-encoding.patch
210+stable/lp-1891877-m68k-Fix-regression-causing-Single-Step-via-GDB-RSP-.patch
211+stable/lp-1891877-s390x-adapter-routes-error-handling.patch
212+stable/lp-1891877-block-backup-fix-memory-leak-in-bdrv_backup_top_appe.patch
213+stable/lp-1891877-hw-intc-arm_gicv3_kvm-Stop-wrongly-programming-GICR_.patch
214+stable/lp-1891877-target-arm-fix-TCG-leak-for-fcvt-half-double.patch
215+stable/lp-1891877-block-fix-memleaks-in-bdrv_refresh_filename.patch
216+stable/lp-1891877-iotests-add-test-for-backup-top-failure-on-permissio.patch
217+stable/lp-1891877-target-arm-monitor-query-cpu-model-expansion-crashed.patch
218+stable/lp-1891877-block-Fix-VM-size-field-width-in-snapshot-dump.patch
219+stable/lp-1891877-target-arm-Correct-definition-of-PMCRDP.patch
220+stable/lp-1891877-virtio-pmem-do-delete-rq_vq-in-virtio_pmem_unrealize.patch
221+stable/lp-1891877-virtio-crypto-do-delete-ctrl_vq-in-virtio_crypto_dev.patch
222+stable/lp-1891877-vhost-user-blk-delete-virtioqueues-in-unrealize-to-f.patch
223+stable/lp-1891877-hw-arm-cubieboard-use-ARM-Cortex-A8-as-the-default-C.patch
224+stable/lp-1891877-iotests-Fix-nonportable-use-of-od-endian.patch
225+stable/lp-1891877-ppc-ppc405_boards-Remove-unnecessary-NULL-check.patch
226+stable/lp-1891877-block-Avoid-memleak-on-qcow2-image-info-failure.patch
227+stable/lp-1891877-block-bdrv_set_backing_bs-fix-use-after-free.patch
228+stable/lp-1891877-hmp-vnc-Fix-info-vnc-list-leak.patch
229+stable/lp-1891877-migration-colo-fix-use-after-free-of-local_err.patch
230+stable/lp-1891877-migration-ram-fix-use-after-free-of-local_err.patch
231+stable/lp-1891877-qcow2-List-autoclear-bit-names-in-header.patch
232+stable/lp-1891877-sheepdog-Consistently-set-bdrv_has_zero_init_truncat.patch
233+stable/lp-1891877-spapr-Fix-failure-path-for-attempting-to-hot-unplug-.patch
234+stable/lp-1891877-vpc-Don-t-round-up-already-aligned-BAT-sizes.patch
235+stable/lp-1891877-target-xtensa-fix-pasto-in-pfwait.r-opcode-name.patch
236+stable/lp-1891877-tcg-mips-mips-sync-encode-error.patch
237+stable/lp-1891877-Fix-tulip-breakage.patch
238+stable/lp-1891877-iotests-283-Use-consistent-size-for-source-and-targe.patch
239+stable/lp-1891877-Update-version-for-4.2.1-release.patch
240+ubuntu/lp-1883984-target-s390x-Fix-SQXBR.patch
241+ubuntu/lp-1890154-s390x-protvirt-allow-to-IPL-secure-guests-with-no-re.patch
242diff --git a/debian/patches/stable/lp-1891877-9p-Lock-directory-streams-with-a-CoMutex.patch b/debian/patches/stable/lp-1891877-9p-Lock-directory-streams-with-a-CoMutex.patch
243new file mode 100644
244index 0000000..f32c223
245--- /dev/null
246+++ b/debian/patches/stable/lp-1891877-9p-Lock-directory-streams-with-a-CoMutex.patch
247@@ -0,0 +1,74 @@
248+From dad6d5e7e613e51b2584c447378a044ccc2fdc81 Mon Sep 17 00:00:00 2001
249+From: Greg Kurz <groug@kaod.org>
250+Date: Mon, 25 May 2020 10:38:03 +0200
251+Subject: [PATCH] 9p: Lock directory streams with a CoMutex
252+
253+Locking was introduced in QEMU 2.7 to address the deprecation of
254+readdir_r(3) in glibc 2.24. It turns out that the frontend code is
255+the worst place to handle a critical section with a pthread mutex:
256+the code runs in a coroutine on behalf of the QEMU mainloop and then
257+yields control, waiting for the fsdev backend to process the request
258+in a worker thread. If the client resends another readdir request for
259+the same fid before the previous one finally unlocked the mutex, we're
260+deadlocked.
261+
262+This never bit us because the linux client serializes readdir requests
263+for the same fid, but it is quite easy to demonstrate with a custom
264+client.
265+
266+A good solution could be to narrow the critical section in the worker
267+thread code and to return a copy of the dirent to the frontend, but
268+this causes quite some changes in both 9p.c and codir.c. So, instead
269+of that, in order for people to easily backport the fix to older QEMU
270+versions, let's simply use a CoMutex since all the users for this
271+sit in coroutines.
272+
273+Fixes: 7cde47d4a89d ("9p: add locking to V9fsDir")
274+Reviewed-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
275+Message-Id: <158981894794.109297.3530035833368944254.stgit@bahia.lan>
276+Signed-off-by: Greg Kurz <groug@kaod.org>
277+(cherry picked from commit ed463454efd0ac3042ff772bfe1b1d846dc281a5)
278+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
279+
280+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=dad6d5e7e6
281+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
282+Last-Update: 2020-08-19
283+
284+---
285+ hw/9pfs/9p.h | 8 ++++----
286+ 1 file changed, 4 insertions(+), 4 deletions(-)
287+
288+diff --git a/hw/9pfs/9p.h b/hw/9pfs/9p.h
289+index 3904f82901..069c86333f 100644
290+--- a/hw/9pfs/9p.h
291++++ b/hw/9pfs/9p.h
292+@@ -186,22 +186,22 @@ typedef struct V9fsXattr
293+
294+ typedef struct V9fsDir {
295+ DIR *stream;
296+- QemuMutex readdir_mutex;
297++ CoMutex readdir_mutex;
298+ } V9fsDir;
299+
300+ static inline void v9fs_readdir_lock(V9fsDir *dir)
301+ {
302+- qemu_mutex_lock(&dir->readdir_mutex);
303++ qemu_co_mutex_lock(&dir->readdir_mutex);
304+ }
305+
306+ static inline void v9fs_readdir_unlock(V9fsDir *dir)
307+ {
308+- qemu_mutex_unlock(&dir->readdir_mutex);
309++ qemu_co_mutex_unlock(&dir->readdir_mutex);
310+ }
311+
312+ static inline void v9fs_readdir_init(V9fsDir *dir)
313+ {
314+- qemu_mutex_init(&dir->readdir_mutex);
315++ qemu_co_mutex_init(&dir->readdir_mutex);
316+ }
317+
318+ /*
319+--
320+2.28.0
321+
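Review bot: The inline helpers `v9fs_readdir_lock()`/`v9fs_readdir_unlock()` now wrap a CoMutex, which is only valid from coroutine context, yet nothing in the hunk says so. I'd annotate them `static inline void coroutine_fn v9fs_readdir_lock(V9fsDir *dir)` (and the unlock twin) if `coroutine_fn` is visible in 9p.h, or at minimum add `/* Must be called from coroutine context: readdir_mutex is a CoMutex. */` above them. The commit message's claim that every caller sits in a coroutine cannot be checked from this hunk; the callers in 9p.c and codir.c are outside it.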
322diff --git a/debian/patches/stable/lp-1891877-9p-local-always-return-1-on-error-in-local_unlinkat_.patch b/debian/patches/stable/lp-1891877-9p-local-always-return-1-on-error-in-local_unlinkat_.patch
323new file mode 100644
324index 0000000..f2efe0b
325--- /dev/null
326+++ b/debian/patches/stable/lp-1891877-9p-local-always-return-1-on-error-in-local_unlinkat_.patch
327@@ -0,0 +1,91 @@
328+From 03afe9c035884c5901258967cf906de64eff25de Mon Sep 17 00:00:00 2001
329+From: Daniel Henrique Barboza <danielhb413@gmail.com>
330+Date: Mon, 20 Jan 2020 15:11:39 +0100
331+Subject: [PATCH] 9p: local: always return -1 on error in local_unlinkat_common
332+
333+local_unlinkat_common() is supposed to always return -1 on error.
334+This is being done by jumps to the 'err_out' label, which is
335+a 'return ret' call, and 'ret' is initialized with -1.
336+
337+Unfortunately there is a condition in which the function will
338+return 0 on error: in a case where flags == AT_REMOVEDIR, 'ret'
339+will be 0 when reaching
340+
341+map_dirfd = openat_dir(...)
342+
343+And, if map_dirfd == -1 and errno != ENOENT, the existing 'err_out'
344+jump will execute 'return ret', when ret is still set to zero
345+at that point.
346+
347+This patch fixes it by changing all 'err_out' labels by
348+'return -1' calls, ensuring that the function will always
349+return -1 on error conditions. 'ret' can be left unintialized
350+since it's now being used just to store the result of 'unlinkat'
351+calls.
352+
353+CC: Greg Kurz <groug@kaod.org>
354+Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
355+[groug: changed prefix in title to be "9p: local:"]
356+Signed-off-by: Greg Kurz <groug@kaod.org>
357+(cherry picked from commit 846cf408a4c8055063f4a5a71ccf7ed030cdad30)
358+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
359+
360+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=03afe9c035
361+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
362+Last-Update: 2020-08-19
363+
364+---
365+ hw/9pfs/9p-local.c | 14 ++++++--------
366+ 1 file changed, 6 insertions(+), 8 deletions(-)
367+
368+diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c
369+index 491b08aee8..b3b826b01f 100644
370+--- a/hw/9pfs/9p-local.c
371++++ b/hw/9pfs/9p-local.c
372+@@ -1076,7 +1076,7 @@ out:
373+ static int local_unlinkat_common(FsContext *ctx, int dirfd, const char *name,
374+ int flags)
375+ {
376+- int ret = -1;
377++ int ret;
378+
379+ if (ctx->export_flags & V9FS_SM_MAPPED_FILE) {
380+ int map_dirfd;
381+@@ -1094,12 +1094,12 @@ static int local_unlinkat_common(FsContext *ctx, int dirfd, const char *name,
382+
383+ fd = openat_dir(dirfd, name);
384+ if (fd == -1) {
385+- goto err_out;
386++ return -1;
387+ }
388+ ret = unlinkat(fd, VIRTFS_META_DIR, AT_REMOVEDIR);
389+ close_preserve_errno(fd);
390+ if (ret < 0 && errno != ENOENT) {
391+- goto err_out;
392++ return -1;
393+ }
394+ }
395+ map_dirfd = openat_dir(dirfd, VIRTFS_META_DIR);
396+@@ -1107,16 +1107,14 @@ static int local_unlinkat_common(FsContext *ctx, int dirfd, const char *name,
397+ ret = unlinkat(map_dirfd, name, 0);
398+ close_preserve_errno(map_dirfd);
399+ if (ret < 0 && errno != ENOENT) {
400+- goto err_out;
401++ return -1;
402+ }
403+ } else if (errno != ENOENT) {
404+- goto err_out;
405++ return -1;
406+ }
407+ }
408+
409+- ret = unlinkat(dirfd, name, flags);
410+-err_out:
411+- return ret;
412++ return unlinkat(dirfd, name, flags);
413+ }
414+
415+ static int local_remove(FsContext *ctx, const char *path)
416+--
417+2.28.0
418+
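Review bot: `ret` is now declared uninitialised at function scope (`int ret;`) but is only assigned and read inside the `V9FS_SM_MAPPED_FILE` branch; moving the declaration next to `int map_dirfd;` inside that branch keeps any future read of `ret` on the non-mapped path from being undefined behaviour. The behavioural fix itself looks right: before this change, in the AT_REMOVEDIR case a failure of `openat_dir(dirfd, VIRTFS_META_DIR)` with an errno other than ENOENT fell through to `return ret` with `ret` still 0, reporting a successful unlink to the 9p client while the directory was untouched. The lines between the two hunks (roughly 1083–1093) are not shown.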
419diff --git a/debian/patches/stable/lp-1891877-9p-proxy-Fix-export_flags.patch b/debian/patches/stable/lp-1891877-9p-proxy-Fix-export_flags.patch
420new file mode 100644
421index 0000000..8784844
422--- /dev/null
423+++ b/debian/patches/stable/lp-1891877-9p-proxy-Fix-export_flags.patch
424@@ -0,0 +1,49 @@
425+From 410252fc5b2aaef65b793edd37289284c1a4eb91 Mon Sep 17 00:00:00 2001
426+From: Greg Kurz <groug@kaod.org>
427+Date: Tue, 10 Mar 2020 16:12:49 +0100
428+Subject: [PATCH] 9p/proxy: Fix export_flags
429+MIME-Version: 1.0
430+Content-Type: text/plain; charset=UTF-8
431+Content-Transfer-Encoding: 8bit
432+
433+The common fsdev options are set by qemu_fsdev_add() before it calls
434+the backend specific option parsing code. In the case of "proxy" this
435+means "writeout" or "readonly" were simply ignored. This has been
436+broken from the beginning.
437+
438+Reported-by: Stéphane Graber <stgraber@ubuntu.com>
439+Signed-off-by: Greg Kurz <groug@kaod.org>
440+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
441+Reviewed-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
442+Message-Id: <158349633705.1237488.8895481990204796135.stgit@bahia.lan>
443+(cherry picked from commit 659f1953281bcfa5ac217e42877d7d3c32eeea38)
444+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
445+
446+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=410252fc5b
447+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
448+Last-Update: 2020-08-19
449+
450+---
451+ hw/9pfs/9p-proxy.c | 4 ++--
452+ 1 file changed, 2 insertions(+), 2 deletions(-)
453+
454+diff --git a/hw/9pfs/9p-proxy.c b/hw/9pfs/9p-proxy.c
455+index 97ab9c58a5..3b885b96b5 100644
456+--- a/hw/9pfs/9p-proxy.c
457++++ b/hw/9pfs/9p-proxy.c
458+@@ -1139,10 +1139,10 @@ static int proxy_parse_opts(QemuOpts *opts, FsDriverEntry *fs, Error **errp)
459+ }
460+ if (socket) {
461+ fs->path = g_strdup(socket);
462+- fs->export_flags = V9FS_PROXY_SOCK_NAME;
463++ fs->export_flags |= V9FS_PROXY_SOCK_NAME;
464+ } else {
465+ fs->path = g_strdup(sock_fd);
466+- fs->export_flags = V9FS_PROXY_SOCK_FD;
467++ fs->export_flags |= V9FS_PROXY_SOCK_FD;
468+ }
469+ return 0;
470+ }
471+--
472+2.28.0
473+
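Review bot: The change to `|=` is correct, but nothing at the site explains it, and the next person who "simplifies" it back to `=` silently re-drops `readonly`/`writeout` for proxy fsdevs — a read-only export becoming writable is a security regression, not a cosmetic one. I'd add above the `if (socket)` block: `/* Common fsdev flags (readonly, writeout) were already set by qemu_fsdev_add(); OR ours in, never overwrite. */`. No test exercising `-fsdev proxy,...,readonly=on` is added here, and how `fs->export_flags` is initialised before proxy_parse_opts runs is not visible in the hunk.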
474diff --git a/debian/patches/stable/lp-1891877-9pfs-include-linux-limits.h-for-XATTR_SIZE_MAX.patch b/debian/patches/stable/lp-1891877-9pfs-include-linux-limits.h-for-XATTR_SIZE_MAX.patch
475new file mode 100644
476index 0000000..8f0bcb5
477--- /dev/null
478+++ b/debian/patches/stable/lp-1891877-9pfs-include-linux-limits.h-for-XATTR_SIZE_MAX.patch
479@@ -0,0 +1,43 @@
480+From 0c6499ff2b1f9614195f31a24f1cf3888ce5d079 Mon Sep 17 00:00:00 2001
481+From: Dan Robertson <dan@dlrobertson.com>
482+Date: Mon, 25 May 2020 10:38:03 +0200
483+Subject: [PATCH] 9pfs: include linux/limits.h for XATTR_SIZE_MAX
484+MIME-Version: 1.0
485+Content-Type: text/plain; charset=UTF-8
486+Content-Transfer-Encoding: 8bit
487+
488+linux/limits.h should be included for the XATTR_SIZE_MAX definition used
489+by v9fs_xattrcreate.
490+
491+Fixes: 3b79ef2cf488 ("9pfs: limit xattr size in xattrcreate")
492+Signed-off-by: Dan Robertson <dan@dlrobertson.com>
493+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
494+Reviewed-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
495+Message-Id: <20200515203015.7090-2-dan@dlrobertson.com>
496+Signed-off-by: Greg Kurz <groug@kaod.org>
497+(cherry picked from commit 03556ea920b23c466ce7c1283199033de33ee671)
498+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
499+
500+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=0c6499ff2b
501+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
502+Last-Update: 2020-08-19
503+
504+---
505+ hw/9pfs/9p.c | 1 +
506+ 1 file changed, 1 insertion(+)
507+
508+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
509+index 520177f40c..37e43d3f85 100644
510+--- a/hw/9pfs/9p.c
511++++ b/hw/9pfs/9p.c
512+@@ -28,6 +28,7 @@
513+ #include "sysemu/qtest.h"
514+ #include "qemu/xxhash.h"
515+ #include <math.h>
516++#include <linux/limits.h>
517+
518+ int open_fd_hw;
519+ int total_open_fd;
520+--
521+2.28.0
522+
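Review bot: `<linux/limits.h>` is a Linux-only header, so this unconditional include makes 9p.c fail to build on any non-Linux host that compiles the 9p frontend; whether such a configuration exists for this tree is not visible here. If portability matters, guard it with `#ifdef CONFIG_LINUX` / `#include <linux/limits.h>` / `#endif` and provide a fallback `XATTR_SIZE_MAX` so the size limit in v9fs_xattrcreate (the bound introduced by the Fixes: commit) stays enforced rather than becoming undefined. Losing that bound silently would be worse than a build error.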
523diff --git a/debian/patches/stable/lp-1891877-9pfs-local-Fix-possible-memory-leak-in-local_link.patch b/debian/patches/stable/lp-1891877-9pfs-local-Fix-possible-memory-leak-in-local_link.patch
524new file mode 100644
525index 0000000..3e0996b
526--- /dev/null
527+++ b/debian/patches/stable/lp-1891877-9pfs-local-Fix-possible-memory-leak-in-local_link.patch
528@@ -0,0 +1,44 @@
529+From 18f6b13e085fdb81f5385bffce35364ab8535303 Mon Sep 17 00:00:00 2001
530+From: Jiajun Chen <chenjiajun8@huawei.com>
531+Date: Mon, 20 Jan 2020 15:11:39 +0100
532+Subject: [PATCH] 9pfs: local: Fix possible memory leak in local_link()
533+MIME-Version: 1.0
534+Content-Type: text/plain; charset=UTF-8
535+Content-Transfer-Encoding: 8bit
536+
537+There is a possible memory leak while local_link return -1 without free
538+odirpath and oname.
539+
540+Reported-by: Euler Robot <euler.robot@huawei.com>
541+Signed-off-by: Jaijun Chen <chenjiajun8@huawei.com>
542+Signed-off-by: Xiang Zheng <zhengxiang9@huawei.com>
543+Reviewed-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
544+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
545+Signed-off-by: Greg Kurz <groug@kaod.org>
546+(cherry picked from commit 841b8d099c462cd4282c4ced8c2a6512899fd8d9)
547+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
548+
549+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=18f6b13e08
550+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
551+Last-Update: 2020-08-19
552+
553+---
554+ hw/9pfs/9p-local.c | 2 +-
555+ 1 file changed, 1 insertion(+), 1 deletion(-)
556+
557+diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c
558+index 4708c0bd89..491b08aee8 100644
559+--- a/hw/9pfs/9p-local.c
560++++ b/hw/9pfs/9p-local.c
561+@@ -947,7 +947,7 @@ static int local_link(FsContext *ctx, V9fsPath *oldpath,
562+ if (ctx->export_flags & V9FS_SM_MAPPED_FILE &&
563+ local_is_mapped_file_metadata(ctx, name)) {
564+ errno = EINVAL;
565+- return -1;
566++ goto out;
567+ }
568+
569+ odirfd = local_opendir_nofollow(ctx, odirpath);
570+--
571+2.28.0
572+
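Review bot: The jump to `out:` relies on two things the hunk does not show: that `ret` still holds -1 at that point, and that the cleanup under `out:` does not disturb the `errno = EINVAL` set on the line before the jump. The label, the initialisation of `ret` and the g_free() calls are all outside the hunk; g_free() is not guaranteed to preserve errno on every libc, so if the caller forwards errno to the guest it may be worth wrapping the frees in `int serrno = errno;` ... `errno = serrno;`, or at least stating at `out:` that errno is preserved. Callers of local_link are not visible either.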
573diff --git a/debian/patches/stable/lp-1891877-9pfs-local-ignore-O_NOATIME-if-we-don-t-have-permiss.patch b/debian/patches/stable/lp-1891877-9pfs-local-ignore-O_NOATIME-if-we-don-t-have-permiss.patch
574new file mode 100644
575index 0000000..59acbb2
576--- /dev/null
577+++ b/debian/patches/stable/lp-1891877-9pfs-local-ignore-O_NOATIME-if-we-don-t-have-permiss.patch
578@@ -0,0 +1,67 @@
579+From 17216bc04494825600b58ebb8a3a6fe0d8052125 Mon Sep 17 00:00:00 2001
580+From: Omar Sandoval <osandov@fb.com>
581+Date: Thu, 14 May 2020 08:06:43 +0200
582+Subject: [PATCH] 9pfs: local: ignore O_NOATIME if we don't have permissions
583+
584+QEMU's local 9pfs server passes through O_NOATIME from the client. If
585+the QEMU process doesn't have permissions to use O_NOATIME (namely, it
586+does not own the file nor have the CAP_FOWNER capability), the open will
587+fail. This causes issues when from the client's point of view, it
588+believes it has permissions to use O_NOATIME (e.g., a process running as
589+root in the virtual machine). Additionally, overlayfs on Linux opens
590+files on the lower layer using O_NOATIME, so in this case a 9pfs mount
591+can't be used as a lower layer for overlayfs (cf.
592+https://github.com/osandov/drgn/blob/dabfe1971951701da13863dbe6d8a1d172ad9650/vmtest/onoatimehack.c
593+and https://github.com/NixOS/nixpkgs/issues/54509).
594+
595+Luckily, O_NOATIME is effectively a hint, and is often ignored by, e.g.,
596+network filesystems. open(2) notes that O_NOATIME "may not be effective
597+on all filesystems. One example is NFS, where the server maintains the
598+access time." This means that we can honor it when possible but fall
599+back to ignoring it.
600+
601+Acked-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
602+Signed-off-by: Omar Sandoval <osandov@fb.com>
603+Message-Id: <e9bee604e8df528584693a4ec474ded6295ce8ad.1587149256.git.osandov@fb.com>
604+Signed-off-by: Greg Kurz <groug@kaod.org>
605+(cherry picked from commit a5804fcf7b22fc7d1f9ec794dd284c7d504bd16b)
606+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
607+
608+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=17216bc044
609+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
610+Last-Update: 2020-08-19
611+
612+---
613+ hw/9pfs/9p-util.h | 13 +++++++++++++
614+ 1 file changed, 13 insertions(+)
615+
616+diff --git a/hw/9pfs/9p-util.h b/hw/9pfs/9p-util.h
617+index 79ed6b233e..546f46dc7d 100644
618+--- a/hw/9pfs/9p-util.h
619++++ b/hw/9pfs/9p-util.h
620+@@ -37,9 +37,22 @@ static inline int openat_file(int dirfd, const char *name, int flags,
621+ {
622+ int fd, serrno, ret;
623+
624++again:
625+ fd = openat(dirfd, name, flags | O_NOFOLLOW | O_NOCTTY | O_NONBLOCK,
626+ mode);
627+ if (fd == -1) {
628++ if (errno == EPERM && (flags & O_NOATIME)) {
629++ /*
630++ * The client passed O_NOATIME but we lack permissions to honor it.
631++ * Rather than failing the open, fall back without O_NOATIME. This
632++ * doesn't break the semantics on the client side, as the Linux
633++ * open(2) man page notes that O_NOATIME "may not be effective on
634++ * all filesystems". In particular, NFS and other network
635++ * filesystems ignore it entirely.
636++ */
637++ flags &= ~O_NOATIME;
638++ goto again;
639++ }
640+ return -1;
641+ }
642+
643+--
644+2.28.0
645+
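Review bot: The retry is bounded only because `flags &= ~O_NOATIME` guarantees the `(flags & O_NOATIME)` test is false on the second pass; that is correct but not obvious with a backward `goto again`, so I'd state it in the comment: `/* Retry at most once: O_NOATIME is cleared, so this branch cannot be taken again. */`. An EPERM unrelated to O_NOATIME (an immutable file, say) now costs one extra openat() that fails the same way, which is harmless. The client's O_NOATIME request is dropped silently rather than reported; openat_file's body (serrno/ret handling) continues past the hunk.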
646diff --git a/debian/patches/stable/lp-1891877-Fix-double-free-issue-in-qemu_set_log_filename.patch b/debian/patches/stable/lp-1891877-Fix-double-free-issue-in-qemu_set_log_filename.patch
647new file mode 100644
648index 0000000..c6c78e1
649--- /dev/null
650+++ b/debian/patches/stable/lp-1891877-Fix-double-free-issue-in-qemu_set_log_filename.patch
651@@ -0,0 +1,41 @@
652+From 45b65bf8dfb46a03ff67c36424986e2450c5203e Mon Sep 17 00:00:00 2001
653+From: Robert Foley <robert.foley@linaro.org>
654+Date: Mon, 18 Nov 2019 16:15:23 -0500
655+Subject: [PATCH] Fix double free issue in qemu_set_log_filename().
656+MIME-Version: 1.0
657+Content-Type: text/plain; charset=UTF-8
658+Content-Transfer-Encoding: 8bit
659+
660+After freeing the logfilename, we set logfilename to NULL, in case of an
661+error which returns without setting logfilename.
662+
663+Signed-off-by: Robert Foley <robert.foley@linaro.org>
664+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
665+Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
666+Message-Id: <20191118211528.3221-2-robert.foley@linaro.org>
667+(cherry picked from commit 0f516ca4767042aec8716369d6d62436fa10593a)
668+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
669+
670+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=45b65bf8df
671+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
672+Last-Update: 2020-08-19
673+
674+---
675+ util/log.c | 1 +
676+ 1 file changed, 1 insertion(+)
677+
678+diff --git a/util/log.c b/util/log.c
679+index 1ca13059ee..4316fe74ee 100644
680+--- a/util/log.c
681++++ b/util/log.c
682+@@ -113,6 +113,7 @@ void qemu_set_log_filename(const char *filename, Error **errp)
683+ {
684+ char *pidstr;
685+ g_free(logfilename);
686++ logfilename = NULL;
687+
688+ pidstr = strstr(filename, "%");
689+ if (pidstr) {
690+--
691+2.28.0
692+
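Review bot: The reset to NULL deserves a one-line reason at the site, since next to g_free() it reads as redundant: `/* Clear so an early return below, before the new name is assigned, cannot leave a dangling pointer for the next call's g_free(). */`. The early-return error path that produced the double free and the later assignment of `logfilename` are both outside the hunk, so I cannot confirm from here that no other path leaves a stale pointer.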
693diff --git a/debian/patches/stable/lp-1891877-Fix-tulip-breakage.patch b/debian/patches/stable/lp-1891877-Fix-tulip-breakage.patch
694new file mode 100644
695index 0000000..ed4a09c
696--- /dev/null
697+++ b/debian/patches/stable/lp-1891877-Fix-tulip-breakage.patch
698@@ -0,0 +1,65 @@
699+From 0664ffac4be2673c1c962bb9d010dc964d080ee7 Mon Sep 17 00:00:00 2001
700+From: Helge Deller <deller@gmx.de>
701+Date: Sun, 26 Apr 2020 12:55:39 +0200
702+Subject: [PATCH] Fix tulip breakage
703+
704+The tulip network driver in a qemu-system-hppa emulation is broken in
705+the sense that bigger network packages aren't received any longer and
706+thus even running e.g. "apt update" inside the VM fails.
707+
708+The breakage was introduced by commit 8ffb7265af ("check frame size and
709+r/w data length") which added checks to prevent accesses outside of the
710+rx/tx buffers.
711+
712+But the new checks were implemented wrong. The variable rx_frame_len
713+counts backwards, from rx_frame_size down to zero, and the variable len
714+is never bigger than rx_frame_len, so accesses just can't happen and the
715+checks are unnecessary.
716+On the contrary the checks now prevented bigger packages to be moved
717+into the rx buffers.
718+
719+This patch reverts the wrong checks and were sucessfully tested with a
720+qemu-system-hppa emulation.
721+
722+Fixes: 8ffb7265af ("check frame size and r/w data length")
723+Buglink: https://bugs.launchpad.net/bugs/1874539
724+Signed-off-by: Helge Deller <deller@gmx.de>
725+Signed-off-by: Jason Wang <jasowang@redhat.com>
726+(cherry picked from commit d9b69640391618045949f7c500b87fc129f862ed)
727+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
728+
729+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=0664ffac4b
730+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
731+Last-Update: 2020-08-19
732+
733+---
734+ hw/net/tulip.c | 6 ------
735+ 1 file changed, 6 deletions(-)
736+
737+diff --git a/hw/net/tulip.c b/hw/net/tulip.c
738+index 1167c1bb07..c6654a98a9 100644
739+--- a/hw/net/tulip.c
740++++ b/hw/net/tulip.c
741+@@ -171,9 +171,6 @@ static void tulip_copy_rx_bytes(TULIPState *s, struct tulip_descriptor *desc)
742+ len = s->rx_frame_len;
743+ }
744+
745+- if (s->rx_frame_len + len > sizeof(s->rx_frame)) {
746+- return;
747+- }
748+ pci_dma_write(&s->dev, desc->buf_addr1, s->rx_frame +
749+ (s->rx_frame_size - s->rx_frame_len), len);
750+ s->rx_frame_len -= len;
751+@@ -186,9 +183,6 @@ static void tulip_copy_rx_bytes(TULIPState *s, struct tulip_descriptor *desc)
752+ len = s->rx_frame_len;
753+ }
754+
755+- if (s->rx_frame_len + len > sizeof(s->rx_frame)) {
756+- return;
757+- }
758+ pci_dma_write(&s->dev, desc->buf_addr2, s->rx_frame +
759+ (s->rx_frame_size - s->rx_frame_len), len);
760+ s->rx_frame_len -= len;
761+--
762+2.28.0
763+
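Review bot: Deleting the two guards leaves tulip_copy_rx_bytes with no bound of its own on the pci_dma_write() source range; its safety now rests entirely on `s->rx_frame_size` having been capped at `sizeof(s->rx_frame)` where the frame was stored (the receive-side check from the same hardening commit 8ffb7265af, outside this hunk) plus the `len = s->rx_frame_len` clamp visible just above each write. The original guards were wrong rather than pointless: the write spans `rx_frame + (rx_frame_size - rx_frame_len)` for `len` bytes, so the condition that matters is `if (s->rx_frame_size - s->rx_frame_len + len > sizeof(s->rx_frame)) { return; }` at both sites, which rejects nothing for legitimate frames and keeps a local bound if the receive-side cap is ever loosened. Since 8ffb7265af fixed a guest-triggerable buffer overflow (I believe CVE-2020-11102; verify), I'd correct the guard rather than drop it.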
764diff --git a/debian/patches/stable/lp-1891877-Revert-qemu-options.hx-Update-for-reboot-timeout-par.patch b/debian/patches/stable/lp-1891877-Revert-qemu-options.hx-Update-for-reboot-timeout-par.patch
765new file mode 100644
766index 0000000..a667e04
767--- /dev/null
768+++ b/debian/patches/stable/lp-1891877-Revert-qemu-options.hx-Update-for-reboot-timeout-par.patch
769@@ -0,0 +1,43 @@
770+From aea7a50fb5e38ccfda741848286a548b72877dfa Mon Sep 17 00:00:00 2001
771+From: Han Han <hhan@redhat.com>
772+Date: Thu, 5 Dec 2019 10:48:21 +0800
773+Subject: [PATCH] Revert "qemu-options.hx: Update for reboot-timeout parameter"
774+
775+This reverts commit bbd9e6985ff342cbe15b9cb7eb30e842796fbbe8.
776+
777+In 20a1922032 we allowed reboot-timeout=-1 again, so update the doc
778+accordingly.
779+
780+Signed-off-by: Han Han <hhan@redhat.com>
781+Reviewed-by: Markus Armbruster <armbru@redhat.com>
782+Message-Id: <20191205024821.245435-1-hhan@redhat.com>
783+Signed-off-by: Laurent Vivier <laurent@vivier.eu>
784+(cherry picked from commit 8937a39da22e5d5689c516a2d4ce4f2bb6a378fc)
785+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
786+
787+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=aea7a50fb5
788+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
789+Last-Update: 2020-08-19
790+
791+---
792+ qemu-options.hx | 4 ++--
793+ 1 file changed, 2 insertions(+), 2 deletions(-)
794+
795+diff --git a/qemu-options.hx b/qemu-options.hx
796+index 65c9473b73..e14d88e9b2 100644
797+--- a/qemu-options.hx
798++++ b/qemu-options.hx
799+@@ -327,8 +327,8 @@ format(true color). The resolution should be supported by the SVGA mode, so
800+ the recommended is 320x240, 640x480, 800x640.
801+
802+ A timeout could be passed to bios, guest will pause for @var{rb_timeout} ms
803+-when boot failed, then reboot. If @option{reboot-timeout} is not set,
804+-guest will not reboot by default. Currently Seabios for X86
805++when boot failed, then reboot. If @var{rb_timeout} is '-1', guest will not
806++reboot, qemu passes '-1' to bios by default. Currently Seabios for X86
807+ system support it.
808+
809+ Do strict boot via @option{strict=on} as far as firmware/BIOS
810+--
811+2.28.0
812+
813diff --git a/debian/patches/stable/lp-1891877-Revert-vnc-allow-fall-back-to-RAW-encoding.patch b/debian/patches/stable/lp-1891877-Revert-vnc-allow-fall-back-to-RAW-encoding.patch
814new file mode 100644
815index 0000000..8319291
816--- /dev/null
817+++ b/debian/patches/stable/lp-1891877-Revert-vnc-allow-fall-back-to-RAW-encoding.patch
818@@ -0,0 +1,77 @@
819+From b5ba361d8f8908ab37a104b0110910926d94d57f Mon Sep 17 00:00:00 2001
820+From: Gerd Hoffmann <kraxel@redhat.com>
821+Date: Tue, 21 Jan 2020 07:02:10 +0100
822+Subject: [PATCH] Revert "vnc: allow fall back to RAW encoding"
823+
824+This reverts commit de3f7de7f4e257ce44cdabb90f5f17ee99624557.
825+
826+Remove VNC optimization to reencode framebuffer update as raw if it's
827+smaller than the default encoding.
828+
829+QEMU's implementation was naive and didn't account for the ZLIB z_stream
830+mutating with each compression. Because of the mutation, simply
831+resetting the output buffer's offset wasn't sufficient to "rewind" the
832+operation. The mutated z_stream would generate future zlib blocks which
833+referred to symbols in past blocks which weren't sent. This would lead
834+to artifacting.
835+
836+Considering that ZRLE is never larger than raw and even though ZLIB can
837+occasionally be fractionally larger than raw, the overhead of
838+implementing this optimization correctly isn't worth it.
839+
840+Signed-off-by: Cameron Esfahani <dirty@apple.com>
841+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
842+(cherry picked from commit 0780ec7be82dd4781e9fd216b5d99a125882ff5a)
843+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
844+
845+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=b5ba361d8f
846+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
847+Last-Update: 2020-08-19
848+
849+---
850+ ui/vnc.c | 20 ++------------------
851+ 1 file changed, 2 insertions(+), 18 deletions(-)
852+
853+diff --git a/ui/vnc.c b/ui/vnc.c
854+index 87b8045afe..f94b3a257e 100644
855+--- a/ui/vnc.c
856++++ b/ui/vnc.c
857+@@ -898,8 +898,6 @@ int vnc_raw_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
858+ int vnc_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
859+ {
860+ int n = 0;
861+- bool encode_raw = false;
862+- size_t saved_offs = vs->output.offset;
863+
864+ switch(vs->vnc_encoding) {
865+ case VNC_ENCODING_ZLIB:
866+@@ -922,24 +920,10 @@ int vnc_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
867+ n = vnc_zywrle_send_framebuffer_update(vs, x, y, w, h);
868+ break;
869+ default:
870+- encode_raw = true;
871++ vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_RAW);
872++ n = vnc_raw_send_framebuffer_update(vs, x, y, w, h);
873+ break;
874+ }
875+-
876+- /* If the client has the same pixel format as our internal buffer and
877+- * a RAW encoding would need less space fall back to RAW encoding to
878+- * save bandwidth and processing power in the client. */
879+- if (!encode_raw && vs->write_pixels == vnc_write_pixels_copy &&
880+- 12 + h * w * VNC_SERVER_FB_BYTES <= (vs->output.offset - saved_offs)) {
881+- vs->output.offset = saved_offs;
882+- encode_raw = true;
883+- }
884+-
885+- if (encode_raw) {
886+- vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_RAW);
887+- n = vnc_raw_send_framebuffer_update(vs, x, y, w, h);
888+- }
889+-
890+ return n;
891+ }
892+
893+--
894+2.28.0
895+
896diff --git a/debian/patches/stable/lp-1891877-Update-version-for-4.2.1-release.patch b/debian/patches/stable/lp-1891877-Update-version-for-4.2.1-release.patch
897new file mode 100644
898index 0000000..15a9277
899--- /dev/null
900+++ b/debian/patches/stable/lp-1891877-Update-version-for-4.2.1-release.patch
901@@ -0,0 +1,24 @@
902+From 6cdf8c4efa073eac7d5f9894329e2d07743c2955 Mon Sep 17 00:00:00 2001
903+From: Michael Roth <mdroth@linux.vnet.ibm.com>
904+Date: Thu, 25 Jun 2020 13:08:54 -0500
905+Subject: [PATCH] Update version for 4.2.1 release
906+
907+
908+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=6cdf8c4efa
909+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
910+Last-Update: 2020-08-19
911+
912+---
913+ VERSION | 2 +-
914+ 1 file changed, 1 insertion(+), 1 deletion(-)
915+
916+diff --git a/VERSION b/VERSION
917+index 6aba2b245a..fae6e3d04b 100644
918+--- a/VERSION
919++++ b/VERSION
920+@@ -1 +1 @@
921+-4.2.0
922++4.2.1
923+--
924+2.28.0
925+
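diff --git a/debian/patches/stable/lp-1891877-blkdebug-Allow-taking-unsharing-permissions.patch b/debian/patches/stable/lp-1891877-blkdebug-Allow-taking-unsharing-permissions.patch
new file mode 100644
index 0000000..108b9bf
--- /dev/null
+++ b/debian/patches/stable/lp-1891877-blkdebug-Allow-taking-unsharing-permissions.patch
@@ -0,0 +1,209 @@
+From 9a30621d3d5de76f865dc804a1dd16cc517461b6 Mon Sep 17 00:00:00 2001
+From: Max Reitz <mreitz@redhat.com>
+Date: Fri, 8 Nov 2019 13:34:53 +0100
+Subject: [PATCH] blkdebug: Allow taking/unsharing permissions
+
+Sometimes it is useful to be able to add a node to the block graph that
+takes or unshare a certain set of permissions for debugging purposes.
+This patch adds this capability to blkdebug.
+
+(Note that you cannot make blkdebug release or share permissions that it
+needs to take or cannot share, because this might result in assertion
+failures in the block layer. But if the blkdebug node has no parents,
+it will not take any permissions and share everything by default, so you
+can then freely choose what permissions to take and share.)
+
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+Message-id: 20191108123455.39445-4-mreitz@redhat.com
+Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+(cherry picked from commit 69c6449ff10fe4e3219e960549307096d5366bd0)
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=9a30621d3d
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
+Last-Update: 2020-08-19
+
+---
+ block/blkdebug.c | 93 +++++++++++++++++++++++++++++++++++++++++++-
+ qapi/block-core.json | 14 ++++++-
+ 2 files changed, 105 insertions(+), 2 deletions(-)
+
+diff --git a/block/blkdebug.c b/block/blkdebug.c
+index 5ae96c52b0..af44aa973f 100644
+--- a/block/blkdebug.c
++++ b/block/blkdebug.c
+@@ -28,10 +28,14 @@
+ #include "qemu/cutils.h"
+ #include "qemu/config-file.h"
+ #include "block/block_int.h"
++#include "block/qdict.h"
+ #include "qemu/module.h"
+ #include "qemu/option.h"
++#include "qapi/qapi-visit-block-core.h"
+ #include "qapi/qmp/qdict.h"
++#include "qapi/qmp/qlist.h"
+ #include "qapi/qmp/qstring.h"
++#include "qapi/qobject-input-visitor.h"
+ #include "sysemu/qtest.h"
+
+ typedef struct BDRVBlkdebugState {
+@@ -44,6 +48,9 @@ typedef struct BDRVBlkdebugState {
+ uint64_t opt_discard;
+ uint64_t max_discard;
+
++ uint64_t take_child_perms;
++ uint64_t unshare_child_perms;
++
+ /* For blkdebug_refresh_filename() */
+ char *config_file;
+
+@@ -344,6 +351,69 @@ static void blkdebug_parse_filename(const char *filename, QDict *options,
+ qdict_put_str(options, "x-image", filename);
+ }
+
++static int blkdebug_parse_perm_list(uint64_t *dest, QDict *options,
++ const char *prefix, Error **errp)
++{
++ int ret = 0;
++ QDict *subqdict = NULL;
++ QObject *crumpled_subqdict = NULL;
++ Visitor *v = NULL;
++ BlockPermissionList *perm_list = NULL, *element;
++ Error *local_err = NULL;
++
++ *dest = 0;
++
++ qdict_extract_subqdict(options, &subqdict, prefix);
++ if (!qdict_size(subqdict)) {
++ goto out;
++ }
++
++ crumpled_subqdict = qdict_crumple(subqdict, errp);
++ if (!crumpled_subqdict) {
++ ret = -EINVAL;
++ goto out;
++ }
++
++ v = qobject_input_visitor_new(crumpled_subqdict);
++ visit_type_BlockPermissionList(v, NULL, &perm_list, &local_err);
++ if (local_err) {
++ error_propagate(errp, local_err);
++ ret = -EINVAL;
++ goto out;
++ }
++
++ for (element = perm_list; element; element = element->next) {
++ *dest |= bdrv_qapi_perm_to_blk_perm(element->value);
++ }
++
++out:
++ qapi_free_BlockPermissionList(perm_list);
++ visit_free(v);
++ qobject_unref(subqdict);
++ qobject_unref(crumpled_subqdict);
++ return ret;
++}
++
++static int blkdebug_parse_perms(BDRVBlkdebugState *s, QDict *options,
++ Error **errp)
++{
++ int ret;
++
++ ret = blkdebug_parse_perm_list(&s->take_child_perms, options,
++ "take-child-perms.", errp);
++ if (ret < 0) {
++ return ret;
++ }
++
++ ret = blkdebug_parse_perm_list(&s->unshare_child_perms, options,
++ "unshare-child-perms.", errp);
++ if (ret < 0) {
++ return ret;
++ }
++
++ return 0;
++}
++
+ static QemuOptsList runtime_opts = {
+ .name = "blkdebug",
+ .head = QTAILQ_HEAD_INITIALIZER(runtime_opts.head),
+@@ -419,6 +489,12 @@ static int blkdebug_open(BlockDriverState *bs, QDict *options, int flags,
+ /* Set initial state */
+ s->state = 1;
+
++ /* Parse permissions modifiers before opening the image file */
++ ret = blkdebug_parse_perms(s, options, errp);
++ if (ret < 0) {
++ goto out;
++ }
++
+ /* Open the image file */
+ bs->file = bdrv_open_child(qemu_opt_get(opts, "x-image"), options, "image",
+ bs, &child_file, false, &local_err);
+@@ -916,6 +992,21 @@ static int blkdebug_reopen_prepare(BDRVReopenState *reopen_state,
+ return 0;
+ }
+
++static void blkdebug_child_perm(BlockDriverState *bs, BdrvChild *c,
++ const BdrvChildRole *role,
++ BlockReopenQueue *reopen_queue,
++ uint64_t perm, uint64_t shared,
++ uint64_t *nperm, uint64_t *nshared)
++{
++ BDRVBlkdebugState *s = bs->opaque;
++
++ bdrv_filter_default_perms(bs, c, role, reopen_queue, perm, shared,
++ nperm, nshared);
++
++ *nperm |= s->take_child_perms;
++ *nshared &= ~s->unshare_child_perms;
++}
++
+ static const char *const blkdebug_strong_runtime_opts[] = {
+ "config",
+ "inject-error.",
+@@ -940,7 +1031,7 @@ static BlockDriver bdrv_blkdebug = {
+ .bdrv_file_open = blkdebug_open,
+ .bdrv_close = blkdebug_close,
+ .bdrv_reopen_prepare = blkdebug_reopen_prepare,
+- .bdrv_child_perm = bdrv_filter_default_perms,
++ .bdrv_child_perm = blkdebug_child_perm,
+
+ .bdrv_getlength = blkdebug_getlength,
+ .bdrv_refresh_filename = blkdebug_refresh_filename,
+diff --git a/qapi/block-core.json b/qapi/block-core.json
+index fcb52ec24f..839b10b3f0 100644
+--- a/qapi/block-core.json
++++ b/qapi/block-core.json
+@@ -3454,6 +3454,16 @@
+ #
+ # @set-state: array of state-change descriptions
+ #
++# @take-child-perms: Permissions to take on @image in addition to what
++# is necessary anyway (which depends on how the
++# blkdebug node is used). Defaults to none.
++# (since 5.0)
++#
++# @unshare-child-perms: Permissions not to share on @image in addition
++# to what cannot be shared anyway (which depends
++# on how the blkdebug node is used). Defaults
++# to none. (since 5.0)
++#
+ # Since: 2.9
+ ##
+ { 'struct': 'BlockdevOptionsBlkdebug',
+@@ -3463,7 +3473,9 @@
+ '*opt-write-zero': 'int32', '*max-write-zero': 'int32',
+ '*opt-discard': 'int32', '*max-discard': 'int32',
+ '*inject-error': ['BlkdebugInjectErrorOptions'],
+- '*set-state': ['BlkdebugSetStateOptions'] } }
++ '*set-state': ['BlkdebugSetStateOptions'],
++ '*take-child-perms': ['BlockPermission'],
++ '*unshare-child-perms': ['BlockPermission'] } }
+
+ ##
+ # @BlockdevOptionsBlklogwrites:
+--
+2.28.0
+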
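Review bot: blkdebug_child_perm carries no comment explaining why the user-supplied modifiers are only OR'd into *nperm and AND'd out of *nshared, even though the commit message says that this one-way direction is what keeps the block layer's permission assertions intact. I would add above the two assignments `/* Modifiers can only tighten what bdrv_filter_default_perms() computed: take more, share less. Releasing a needed permission or sharing one that must stay exclusive would trip block-layer assertions. */`. blkdebug_parse_perm_list could likewise note that *dest is reset to 0 first so an absent option adds no permissions; both points are documentation only.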
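diff --git a/debian/patches/stable/lp-1891877-block-Add-bdrv_qapi_perm_to_blk_perm.patch b/debian/patches/stable/lp-1891877-block-Add-bdrv_qapi_perm_to_blk_perm.patch
new file mode 100644
index 0000000..0faa557
--- /dev/null
+++ b/debian/patches/stable/lp-1891877-block-Add-bdrv_qapi_perm_to_blk_perm.patch
@@ -0,0 +1,87 @@
+From 0972fbf353e436088bbc4180bc13e93245cd7add Mon Sep 17 00:00:00 2001
+From: Max Reitz <mreitz@redhat.com>
+Date: Fri, 8 Nov 2019 13:34:51 +0100
+Subject: [PATCH] block: Add bdrv_qapi_perm_to_blk_perm()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+We need some way to correlate QAPI BlockPermission values with
+BLK_PERM_* flags. We could:
+
+(1) have the same order in the QAPI definition as the the BLK_PERM_*
+ flags are in LSb-first order. However, then there is no guarantee
+ that they actually match (e.g. when someone modifies the QAPI schema
+ without thinking of the BLK_PERM_* definitions).
+ We could add static assertions, but these would break what’s good
+ about this solution, namely its simplicity.
+
+(2) define the BLK_PERM_* flags based on the BlockPermission values.
+ But this way whenever someone were to modify the QAPI order
+ (perfectly sensible in theory), the BLK_PERM_* values would change.
+ Because these values are used for file locking, this might break
+ file locking between different qemu versions.
+
+Therefore, go the slightly more cumbersome way: Add a function to
+translate from the QAPI constants to the BLK_PERM_* flags.
+
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+Message-id: 20191108123455.39445-2-mreitz@redhat.com
+Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+(cherry picked from commit 7b1d9c4df0603fbc526226a9c5ef91118aa6c957)
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=0972fbf353
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
+Last-Update: 2020-08-19
+
+---
+ block.c | 18 ++++++++++++++++++
+ include/block/block.h | 1 +
+ 2 files changed, 19 insertions(+)
+
+diff --git a/block.c b/block.c
+index 19c25da305..863cf34d45 100644
+--- a/block.c
++++ b/block.c
+@@ -2227,6 +2227,24 @@ void bdrv_format_default_perms(BlockDriverState *bs, BdrvChild *c,
+ *nshared = shared;
+ }
+
++uint64_t bdrv_qapi_perm_to_blk_perm(BlockPermission qapi_perm)
++{
++ static const uint64_t permissions[] = {
++ [BLOCK_PERMISSION_CONSISTENT_READ] = BLK_PERM_CONSISTENT_READ,
++ [BLOCK_PERMISSION_WRITE] = BLK_PERM_WRITE,
++ [BLOCK_PERMISSION_WRITE_UNCHANGED] = BLK_PERM_WRITE_UNCHANGED,
++ [BLOCK_PERMISSION_RESIZE] = BLK_PERM_RESIZE,
++ [BLOCK_PERMISSION_GRAPH_MOD] = BLK_PERM_GRAPH_MOD,
++ };
++
++ QEMU_BUILD_BUG_ON(ARRAY_SIZE(permissions) != BLOCK_PERMISSION__MAX);
++ QEMU_BUILD_BUG_ON(1UL << ARRAY_SIZE(permissions) != BLK_PERM_ALL + 1);
++
++ assert(qapi_perm < BLOCK_PERMISSION__MAX);
++
++ return permissions[qapi_perm];
++}
++
+ static void bdrv_replace_child_noperm(BdrvChild *child,
+ BlockDriverState *new_bs)
+ {
+diff --git a/include/block/block.h b/include/block/block.h
+index 1df9848e74..e9dcfef7fa 100644
+--- a/include/block/block.h
++++ b/include/block/block.h
+@@ -280,6 +280,7 @@ enum {
+ };
+
+ char *bdrv_perm_names(uint64_t perm);
++uint64_t bdrv_qapi_perm_to_blk_perm(BlockPermission qapi_perm);
+
+ /* disk I/O throttling */
+ void bdrv_init(void);
+--
+2.28.0
+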
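diff --git a/debian/patches/stable/lp-1891877-block-Avoid-memleak-on-qcow2-image-info-failure.patch b/debian/patches/stable/lp-1891877-block-Avoid-memleak-on-qcow2-image-info-failure.patch
new file mode 100644
index 0000000..3a3a104
--- /dev/null
+++ b/debian/patches/stable/lp-1891877-block-Avoid-memleak-on-qcow2-image-info-failure.patch
@@ -0,0 +1,41 @@
+From 47e0fa74799c23dc29ff0adb356d82425b166231 Mon Sep 17 00:00:00 2001
+From: Eric Blake <eblake@redhat.com>
+Date: Fri, 20 Mar 2020 13:36:20 -0500
+Subject: [PATCH] block: Avoid memleak on qcow2 image info failure
+
+If we fail to get bitmap info, we must not leak the encryption info.
+
+Fixes: b8968c875f403
+Fixes: Coverity CID 1421894
+Signed-off-by: Eric Blake <eblake@redhat.com>
+Message-Id: <20200320183620.1112123-1-eblake@redhat.com>
+Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+Reviewed-by: Andrey Shinkevich <andrey.shinkevich@virtuozzo.com>
+Tested-by: Andrey Shinkevich <andrey.shinkevich@virtuozzo.com>
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+(cherry picked from commit 71eaec2e8c7c8d266137b5c5f42da0bd6d6b5eb7)
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=47e0fa7479
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
+Last-Update: 2020-08-19
+
+---
+ block/qcow2.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/block/qcow2.c b/block/qcow2.c
+index 7c18721741..13e118e16f 100644
+--- a/block/qcow2.c
++++ b/block/qcow2.c
+@@ -4800,6 +4800,7 @@ static ImageInfoSpecific *qcow2_get_specific_info(BlockDriverState *bs,
+ if (local_err) {
+ error_propagate(errp, local_err);
+ qapi_free_ImageInfoSpecific(spec_info);
++ qapi_free_QCryptoBlockInfo(encrypt_info);
+ return NULL;
+ }
+ *spec_info->u.qcow2.data = (ImageInfoSpecificQCow2){
+--
+2.28.0
+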
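diff --git a/debian/patches/stable/lp-1891877-block-Call-attention-to-truncation-of-long-NBD-expor.patch b/debian/patches/stable/lp-1891877-block-Call-attention-to-truncation-of-long-NBD-expor.patch
new file mode 100644
index 0000000..008a0c3
--- /dev/null
+++ b/debian/patches/stable/lp-1891877-block-Call-attention-to-truncation-of-long-NBD-expor.patch
@@ -0,0 +1,100 @@
+From 6c75ddf4a9f317f038a4d94da1b2989fef5dd93b Mon Sep 17 00:00:00 2001
+From: Eric Blake <eblake@redhat.com>
+Date: Mon, 8 Jun 2020 13:26:38 -0500
+Subject: [PATCH] block: Call attention to truncation of long NBD exports
+
+Commit 93676c88 relaxed our NBD client code to request export names up
+to the NBD protocol maximum of 4096 bytes without NUL terminator, even
+though the block layer can't store anything longer than 4096 bytes
+including NUL terminator for display to the user. Since this means
+there are some export names where we have to truncate things, we can
+at least try to make the truncation a bit more obvious for the user.
+Note that in spite of the truncated display name, we can still
+communicate with an NBD server using such a long export name; this was
+deemed nicer than refusing to even connect to such a server (since the
+server may not be under our control, and since determining our actual
+length limits gets tricky when nbd://host:port/export and
+nbd+unix:///export?socket=/path are themselves variable-length
+expansions beyond the export name but count towards the block layer
+name length).
+
+Reported-by: Xueqiang Wei <xuwei@redhat.com>
+Fixes: https://bugzilla.redhat.com/1843684
+Signed-off-by: Eric Blake <eblake@redhat.com>
+Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+Message-Id: <20200610163741.3745251-3-eblake@redhat.com>
+(cherry picked from commit 5c86bdf1208916ece0b87e1151c9b48ee54faa3e)
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=6c75ddf4a9
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
+Last-Update: 2020-08-19
+
+---
+ block.c | 7 +++++--
+ block/nbd.c | 21 +++++++++++++--------
+ 2 files changed, 18 insertions(+), 10 deletions(-)
+
+diff --git a/block.c b/block.c
+index 2e5e8b639a..19c25da305 100644
+--- a/block.c
++++ b/block.c
+@@ -6486,8 +6486,11 @@ void bdrv_refresh_filename(BlockDriverState *bs)
+ pstrcpy(bs->filename, sizeof(bs->filename), bs->exact_filename);
+ } else {
+ QString *json = qobject_to_json(QOBJECT(bs->full_open_options));
+- snprintf(bs->filename, sizeof(bs->filename), "json:%s",
+- qstring_get_str(json));
++ if (snprintf(bs->filename, sizeof(bs->filename), "json:%s",
++ qstring_get_str(json)) >= sizeof(bs->filename)) {
++ /* Give user a hint if we truncated things. */
++ strcpy(bs->filename + sizeof(bs->filename) - 4, "...");
++ }
+ qobject_unref(json);
+ }
+ }
+diff --git a/block/nbd.c b/block/nbd.c
+index 3d369fc8eb..eb380102c0 100644
+--- a/block/nbd.c
++++ b/block/nbd.c
+@@ -1971,6 +1971,7 @@ static void nbd_refresh_filename(BlockDriverState *bs)
+ {
+ BDRVNBDState *s = bs->opaque;
+ const char *host = NULL, *port = NULL, *path = NULL;
++ size_t len = 0;
+
+ if (s->saddr->type == SOCKET_ADDRESS_TYPE_INET) {
+ const InetSocketAddress *inet = &s->saddr->u.inet;
+@@ -1983,17 +1984,21 @@ static void nbd_refresh_filename(BlockDriverState *bs)
+ } /* else can't represent as pseudo-filename */
+
+ if (path && s->export) {
+- snprintf(bs->exact_filename, sizeof(bs->exact_filename),
+- "nbd+unix:///%s?socket=%s", s->export, path);
++ len = snprintf(bs->exact_filename, sizeof(bs->exact_filename),
++ "nbd+unix:///%s?socket=%s", s->export, path);
+ } else if (path && !s->export) {
+- snprintf(bs->exact_filename, sizeof(bs->exact_filename),
+- "nbd+unix://?socket=%s", path);
++ len = snprintf(bs->exact_filename, sizeof(bs->exact_filename),
++ "nbd+unix://?socket=%s", path);
+ } else if (host && s->export) {
+- snprintf(bs->exact_filename, sizeof(bs->exact_filename),
+- "nbd://%s:%s/%s", host, port, s->export);
++ len = snprintf(bs->exact_filename, sizeof(bs->exact_filename),
++ "nbd://%s:%s/%s", host, port, s->export);
+ } else if (host && !s->export) {
+- snprintf(bs->exact_filename, sizeof(bs->exact_filename),
+- "nbd://%s:%s", host, port);
++ len = snprintf(bs->exact_filename, sizeof(bs->exact_filename),
++ "nbd://%s:%s", host, port);
++ }
++ if (len > sizeof(bs->exact_filename)) {
++ /* Name is too long to represent exactly, so leave it empty. */
++ bs->exact_filename[0] = '\0';
+ }
+ }
+
+--
+2.28.0
+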
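Review bot: The truncation check added at the end of the nbd_refresh_filename hunk is off by one: snprintf returns the length the full string would have had, excluding the terminator, so a return value equal to sizeof(bs->exact_filename) already means the last character was dropped, yet `if (len > sizeof(bs->exact_filename))` treats that case as an exact name. The block.c hunk of the same patch uses `>=` for the equivalent test; the nbd.c line should read `if (len >= sizeof(bs->exact_filename)) {`. Because len is size_t, a negative snprintf return (encoding error) converts to a huge value and clears the name, which is harmless here; in block.c the same int-to-size_t comparison appends `...` on an snprintf error as well as on truncation, which deserves a comment. nbd_refresh_filename's address-parsing branches between the two hunks are outside the shown context.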
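diff --git a/debian/patches/stable/lp-1891877-block-Fix-VM-size-field-width-in-snapshot-dump.patch b/debian/patches/stable/lp-1891877-block-Fix-VM-size-field-width-in-snapshot-dump.patch
new file mode 100644
index 0000000..dadc759
--- /dev/null
+++ b/debian/patches/stable/lp-1891877-block-Fix-VM-size-field-width-in-snapshot-dump.patch
@@ -0,0 +1,58 @@
+From 0b487ea66409be1984ed55d3de71000ac363644f Mon Sep 17 00:00:00 2001
+From: Max Reitz <mreitz@redhat.com>
+Date: Fri, 17 Jan 2020 11:58:58 +0100
+Subject: [PATCH] block: Fix VM size field width in snapshot dump
+
+When printing the snapshot list (e.g. with qemu-img snapshot -l), the VM
+size field is only seven characters wide. As of de38b5005e9, this is
+not necessarily sufficient: We generally print three digits, and this
+may require a decimal point. Also, the unit field grew from something
+as plain as "M" to " MiB". This means that number and unit may take up
+eight characters in total; but we also want spaces in front.
+
+Considering previously the maximum width was four characters and the
+field width was chosen to be three characters wider, let us adjust the
+field width to be eleven now.
+
+Fixes: de38b5005e946aa3714963ea4c501e279e7d3666
+Buglink: https://bugs.launchpad.net/qemu/+bug/1859989
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+Message-Id: <20200117105859.241818-2-mreitz@redhat.com>
+Reviewed-by: Eric Blake <eblake@redhat.com>
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+(cherry picked from commit 804359b8b90f76d9d8fbe8d85a6544b68f107f10)
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=0b487ea664
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
+Last-Update: 2020-08-19
+
+---
+ block/qapi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/block/qapi.c b/block/qapi.c
+index 9a5d0c9b27..ffa539250d 100644
+--- a/block/qapi.c
++++ b/block/qapi.c
+@@ -657,7 +657,7 @@ void bdrv_snapshot_dump(QEMUSnapshotInfo *sn)
+ char *sizing = NULL;
+
+ if (!sn) {
+- qemu_printf("%-10s%-20s%7s%20s%15s",
++ qemu_printf("%-10s%-20s%11s%20s%15s",
+ "ID", "TAG", "VM SIZE", "DATE", "VM CLOCK");
+ } else {
+ ti = sn->date_sec;
+@@ -672,7 +672,7 @@ void bdrv_snapshot_dump(QEMUSnapshotInfo *sn)
+ (int)(secs % 60),
+ (int)((sn->vm_clock_nsec / 1000000) % 1000));
+ sizing = size_to_str(sn->vm_state_size);
+- qemu_printf("%-10s%-20s%7s%20s%15s",
++ qemu_printf("%-10s%-20s%11s%20s%15s",
+ sn->id_str, sn->name,
+ sizing,
+ date_buf,
+--
+2.28.0
+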
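diff --git a/debian/patches/stable/lp-1891877-block-backup-fix-memory-leak-in-bdrv_backup_top_appe.patch b/debian/patches/stable/lp-1891877-block-backup-fix-memory-leak-in-bdrv_backup_top_appe.patch
new file mode 100644
index 0000000..31648ce
--- /dev/null
+++ b/debian/patches/stable/lp-1891877-block-backup-fix-memory-leak-in-bdrv_backup_top_appe.patch
@@ -0,0 +1,55 @@
+From dc6bdba433246e55c930fad38c1267242fae888c Mon Sep 17 00:00:00 2001
+From: Eiichi Tsukata <devel@etsukata.com>
+Date: Mon, 23 Dec 2019 18:06:32 +0900
+Subject: [PATCH] block/backup: fix memory leak in bdrv_backup_top_append()
+
+bdrv_open_driver() allocates bs->opaque according to drv->instance_size.
+There is no need to allocate it and overwrite opaque in
+bdrv_backup_top_append().
+
+Reproducer:
+
+ $ QTEST_QEMU_BINARY=./x86_64-softmmu/qemu-system-x86_64 valgrind -q --leak-check=full tests/test-replication -p /replication/secondary/start
+ ==29792== 24 bytes in 1 blocks are definitely lost in loss record 52 of 226
+ ==29792== at 0x483AB1A: calloc (vg_replace_malloc.c:762)
+ ==29792== by 0x4B07CE0: g_malloc0 (in /usr/lib64/libglib-2.0.so.0.6000.7)
+ ==29792== by 0x12BAB9: bdrv_open_driver (block.c:1289)
+ ==29792== by 0x12BEA9: bdrv_new_open_driver (block.c:1359)
+ ==29792== by 0x1D15CB: bdrv_backup_top_append (backup-top.c:190)
+ ==29792== by 0x1CC11A: backup_job_create (backup.c:439)
+ ==29792== by 0x1CD542: replication_start (replication.c:544)
+ ==29792== by 0x1401B9: replication_start_all (replication.c:52)
+ ==29792== by 0x128B50: test_secondary_start (test-replication.c:427)
+ ...
+
+Fixes: 7df7868b9640 ("block: introduce backup-top filter driver")
+Signed-off-by: Eiichi Tsukata <devel@etsukata.com>
+Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+(cherry picked from commit fb574de81bfdd71fdb0315105a3a7761efb68395)
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=dc6bdba433
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
+Last-Update: 2020-08-19
+
+---
+ block/backup-top.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/block/backup-top.c b/block/backup-top.c
+index 818d3f26b4..64e9e4f576 100644
+--- a/block/backup-top.c
++++ b/block/backup-top.c
+@@ -196,7 +196,7 @@ BlockDriverState *bdrv_backup_top_append(BlockDriverState *source,
+ }
+
+ top->total_sectors = source->total_sectors;
+- top->opaque = state = g_new0(BDRVBackupTopState, 1);
++ state = top->opaque;
+
+ bdrv_ref(target);
+ state->target = bdrv_attach_child(top, target, "target", &child_file, errp);
+--
+2.28.0
+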
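diff --git a/debian/patches/stable/lp-1891877-block-bdrv_set_backing_bs-fix-use-after-free.patch b/debian/patches/stable/lp-1891877-block-bdrv_set_backing_bs-fix-use-after-free.patch
new file mode 100644
index 0000000..4ca9cb9
--- /dev/null
+++ b/debian/patches/stable/lp-1891877-block-bdrv_set_backing_bs-fix-use-after-free.patch
@@ -0,0 +1,122 @@
+From 5ff78dc9bcf2a81f097f1137e58f9a0759347d91 Mon Sep 17 00:00:00 2001
+From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+Date: Mon, 16 Mar 2020 09:06:30 +0300
+Subject: [PATCH] block: bdrv_set_backing_bs: fix use-after-free
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+There is a use-after-free possible: bdrv_unref_child() leaves
+bs->backing freed but not NULL. bdrv_attach_child may produce nested
+polling loop due to drain, than access of freed pointer is possible.
+
+I've produced the following crash on 30 iotest with modified code. It
+does not reproduce on master, but still seems possible:
+
+ #0 __strcmp_avx2 () at /lib64/libc.so.6
+ #1 bdrv_backing_overridden (bs=0x55c9d3cc2060) at block.c:6350
+ #2 bdrv_refresh_filename (bs=0x55c9d3cc2060) at block.c:6404
+ #3 bdrv_backing_attach (c=0x55c9d48e5520) at block.c:1063
+ #4 bdrv_replace_child_noperm
+ (child=child@entry=0x55c9d48e5520,
+ new_bs=new_bs@entry=0x55c9d3cc2060) at block.c:2290
+ #5 bdrv_replace_child
+ (child=child@entry=0x55c9d48e5520,
+ new_bs=new_bs@entry=0x55c9d3cc2060) at block.c:2320
+ #6 bdrv_root_attach_child
+ (child_bs=child_bs@entry=0x55c9d3cc2060,
+ child_name=child_name@entry=0x55c9d241d478 "backing",
+ child_role=child_role@entry=0x55c9d26ecee0 <child_backing>,
+ ctx=<optimized out>, perm=<optimized out>, shared_perm=21,
+ opaque=0x55c9d3c5a3d0, errp=0x7ffd117108e0) at block.c:2424
+ #7 bdrv_attach_child
+ (parent_bs=parent_bs@entry=0x55c9d3c5a3d0,
+ child_bs=child_bs@entry=0x55c9d3cc2060,
+ child_name=child_name@entry=0x55c9d241d478 "backing",
+ child_role=child_role@entry=0x55c9d26ecee0 <child_backing>,
+ errp=errp@entry=0x7ffd117108e0) at block.c:5876
+ #8 in bdrv_set_backing_hd
+ (bs=bs@entry=0x55c9d3c5a3d0,
+ backing_hd=backing_hd@entry=0x55c9d3cc2060,
+ errp=errp@entry=0x7ffd117108e0)
+ at block.c:2576
+ #9 stream_prepare (job=0x55c9d49d84a0) at block/stream.c:150
+ #10 job_prepare (job=0x55c9d49d84a0) at job.c:761
+ #11 job_txn_apply (txn=<optimized out>, fn=<optimized out>) at
+ job.c:145
+ #12 job_do_finalize (job=0x55c9d49d84a0) at job.c:778
+ #13 job_completed_txn_success (job=0x55c9d49d84a0) at job.c:832
+ #14 job_completed (job=0x55c9d49d84a0) at job.c:845
+ #15 job_completed (job=0x55c9d49d84a0) at job.c:836
+ #16 job_exit (opaque=0x55c9d49d84a0) at job.c:864
+ #17 aio_bh_call (bh=0x55c9d471a160) at util/async.c:117
+ #18 aio_bh_poll (ctx=ctx@entry=0x55c9d3c46720) at util/async.c:117
+ #19 aio_poll (ctx=ctx@entry=0x55c9d3c46720,
+ blocking=blocking@entry=true)
+ at util/aio-posix.c:728
+ #20 bdrv_parent_drained_begin_single (poll=true, c=0x55c9d3d558f0)
+ at block/io.c:121
+ #21 bdrv_parent_drained_begin_single (c=c@entry=0x55c9d3d558f0,
+ poll=poll@entry=true)
+ at block/io.c:114
+ #22 bdrv_replace_child_noperm
+ (child=child@entry=0x55c9d3d558f0,
+ new_bs=new_bs@entry=0x55c9d3d27300) at block.c:2258
+ #23 bdrv_replace_child
+ (child=child@entry=0x55c9d3d558f0,
+ new_bs=new_bs@entry=0x55c9d3d27300) at block.c:2320
+ #24 bdrv_root_attach_child
+ (child_bs=child_bs@entry=0x55c9d3d27300,
+ child_name=child_name@entry=0x55c9d241d478 "backing",
+ child_role=child_role@entry=0x55c9d26ecee0 <child_backing>,
+ ctx=<optimized out>, perm=<optimized out>, shared_perm=21,
+ opaque=0x55c9d3cc2060, errp=0x7ffd11710c60) at block.c:2424
+ #25 bdrv_attach_child
+ (parent_bs=parent_bs@entry=0x55c9d3cc2060,
+ child_bs=child_bs@entry=0x55c9d3d27300,
+ child_name=child_name@entry=0x55c9d241d478 "backing",
+ child_role=child_role@entry=0x55c9d26ecee0 <child_backing>,
+ errp=errp@entry=0x7ffd11710c60) at block.c:5876
+ #26 bdrv_set_backing_hd
+ (bs=bs@entry=0x55c9d3cc2060,
+ backing_hd=backing_hd@entry=0x55c9d3d27300,
+ errp=errp@entry=0x7ffd11710c60)
+ at block.c:2576
+ #27 stream_prepare (job=0x55c9d495ead0) at block/stream.c:150
+ ...
+
+Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+Message-Id: <20200316060631.30052-2-vsementsov@virtuozzo.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: John Snow <jsnow@redhat.com>
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+(cherry picked from commit 6e57963a77df1e275a73dab4c6a7ec9a9d3468d4)
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=5ff78dc9bc
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
+Last-Update: 2020-08-19
+
+---
+ block.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/block.c b/block.c
+index 4916252444..1cb1cd7a37 100644
+--- a/block.c
++++ b/block.c
+@@ -2577,10 +2577,10 @@ void bdrv_set_backing_hd(BlockDriverState *bs, BlockDriverState *backing_hd,
+
+ if (bs->backing) {
+ bdrv_unref_child(bs, bs->backing);
++ bs->backing = NULL;
+ }
+
+ if (!backing_hd) {
+- bs->backing = NULL;
+ goto out;
+ }
+
+--
+2.28.0
+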
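diff --git a/debian/patches/stable/lp-1891877-block-fix-memleaks-in-bdrv_refresh_filename.patch b/debian/patches/stable/lp-1891877-block-fix-memleaks-in-bdrv_refresh_filename.patch
new file mode 100644
index 0000000..8b916a8
--- /dev/null
+++ b/debian/patches/stable/lp-1891877-block-fix-memleaks-in-bdrv_refresh_filename.patch
@@ -0,0 +1,68 @@
+From a967e75f3a65ccfca3e793e4cb8223449f20a9c5 Mon Sep 17 00:00:00 2001
+From: Pan Nengyuan <pannengyuan@huawei.com>
+Date: Thu, 16 Jan 2020 16:56:00 +0800
+Subject: [PATCH] block: fix memleaks in bdrv_refresh_filename
+
+If we call the qmp 'query-block' while qemu is working on
+'block-commit', it will cause memleaks, the memory leak stack is as
+follow:
+
+Indirect leak of 12360 byte(s) in 3 object(s) allocated from:
+ #0 0x7f80f0b6d970 in __interceptor_calloc (/lib64/libasan.so.5+0xef970)
+ #1 0x7f80ee86049d in g_malloc0 (/lib64/libglib-2.0.so.0+0x5249d)
+ #2 0x55ea95b5bb67 in qdict_new /mnt/sdb/qemu-4.2.0-rc0/qobject/qdict.c:29
+ #3 0x55ea956cd043 in bdrv_refresh_filename /mnt/sdb/qemu-4.2.0-rc0/block.c:6427
+ #4 0x55ea956cc950 in bdrv_refresh_filename /mnt/sdb/qemu-4.2.0-rc0/block.c:6399
+ #5 0x55ea956cc950 in bdrv_refresh_filename /mnt/sdb/qemu-4.2.0-rc0/block.c:6399
+ #6 0x55ea956cc950 in bdrv_refresh_filename /mnt/sdb/qemu-4.2.0-rc0/block.c:6399
+ #7 0x55ea958818ea in bdrv_block_device_info /mnt/sdb/qemu-4.2.0-rc0/block/qapi.c:56
+ #8 0x55ea958879de in bdrv_query_info /mnt/sdb/qemu-4.2.0-rc0/block/qapi.c:392
+ #9 0x55ea9588b58f in qmp_query_block /mnt/sdb/qemu-4.2.0-rc0/block/qapi.c:578
+ #10 0x55ea95567392 in qmp_marshal_query_block qapi/qapi-commands-block-core.c:95
+
+Indirect leak of 4120 byte(s) in 1 object(s) allocated from:
+ #0 0x7f80f0b6d970 in __interceptor_calloc (/lib64/libasan.so.5+0xef970)
+ #1 0x7f80ee86049d in g_malloc0 (/lib64/libglib-2.0.so.0+0x5249d)
+ #2 0x55ea95b5bb67 in qdict_new /mnt/sdb/qemu-4.2.0-rc0/qobject/qdict.c:29
+ #3 0x55ea956cd043 in bdrv_refresh_filename /mnt/sdb/qemu-4.2.0-rc0/block.c:6427
+ #4 0x55ea956cc950 in bdrv_refresh_filename /mnt/sdb/qemu-4.2.0-rc0/block.c:6399
+ #5 0x55ea956cc950 in bdrv_refresh_filename /mnt/sdb/qemu-4.2.0-rc0/block.c:6399
+ #6 0x55ea9569f301 in bdrv_backing_attach /mnt/sdb/qemu-4.2.0-rc0/block.c:1064
+ #7 0x55ea956a99dd in bdrv_replace_child_noperm /mnt/sdb/qemu-4.2.0-rc0/block.c:2283
+ #8 0x55ea956b9b53 in bdrv_replace_node /mnt/sdb/qemu-4.2.0-rc0/block.c:4196
+ #9 0x55ea956b9e49 in bdrv_append /mnt/sdb/qemu-4.2.0-rc0/block.c:4236
+ #10 0x55ea958c3472 in commit_start /mnt/sdb/qemu-4.2.0-rc0/block/commit.c:306
+ #11 0x55ea94b68ab0 in qmp_block_commit /mnt/sdb/qemu-4.2.0-rc0/blockdev.c:3459
+ #12 0x55ea9556a7a7 in qmp_marshal_block_commit qapi/qapi-commands-block-core.c:407
+
+Fixes: bb808d5f5c0978828a974d547e6032402c339555
+Reported-by: Euler Robot <euler.robot@huawei.com>
+Signed-off-by: Pan Nengyuan <pannengyuan@huawei.com>
+Message-id: 20200116085600.24056-1-pannengyuan@huawei.com
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+(cherry picked from commit cb8956144ccaccf23d5cc4167677e2c84fa5a9f8)
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=a967e75f3a
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
+Last-Update: 2020-08-19
+
+---
+ block.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/block.c b/block.c
+index 863cf34d45..4916252444 100644
+--- a/block.c
++++ b/block.c
+@@ -6426,6 +6426,7 @@ void bdrv_refresh_filename(BlockDriverState *bs)
+ child->bs->exact_filename);
+ pstrcpy(bs->filename, sizeof(bs->filename), child->bs->filename);
+
++ qobject_unref(bs->full_open_options);
+ bs->full_open_options = qobject_ref(child->bs->full_open_options);
+
+ return;
+--
+2.28.0
+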
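--- /dev/null
+++ b/debian/patches/stable/lp-1891877-compat-disable-edid-on-correct-virtio-gpu-device.patch
@@ -0,0 +1,49 @@
+From 219362f9655859056e8f15cf96fc3169d4dc80de Mon Sep 17 00:00:00 2001
+From: Cornelia Huck <cohuck@redhat.com>
+Date: Wed, 18 Mar 2020 10:39:19 +0100
+Subject: [PATCH] compat: disable edid on correct virtio-gpu device
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Commit bb15791166c1 ("compat: disable edid on virtio-gpu base
+device") tried to disable 'edid' on the virtio-gpu base device.
+However, that device is not 'virtio-gpu', but 'virtio-gpu-device'.
+Fix it.
+
+Fixes: bb15791166c1 ("compat: disable edid on virtio-gpu base device")
+Reported-by: Lukáš Doktor <ldoktor@redhat.com>
+Tested-by: Lukáš Doktor <ldoktor@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Cornelia Huck <cohuck@redhat.com>
+Message-id: 20200318093919.24942-1-cohuck@redhat.com
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Cornelia Huck <cohuck@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit 02501fc39381c4dabaf6becdd12c2a4754c3847c)
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=219362f965
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
+Last-Update: 2020-08-19
+
+---
+ hw/core/machine.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/core/machine.c b/hw/core/machine.c
+index aa63231f31..1872263bf0 100644
+--- a/hw/core/machine.c
++++ b/hw/core/machine.c
+@@ -37,7 +37,7 @@ GlobalProperty hw_compat_4_0[] = {
+ { "secondary-vga", "edid", "false" },
+ { "bochs-display", "edid", "false" },
+ { "virtio-vga", "edid", "false" },
+- { "virtio-gpu", "edid", "false" },
++ { "virtio-gpu-device", "edid", "false" },
+ { "virtio-device", "use-started", "false" },
+ { "virtio-balloon-device", "qemu-4-0-config-size", "true" },
+ { "pl031", "migrate-tick-offset", "false" },
+--
+2.28.0
+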
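--- /dev/null
+++ b/debian/patches/stable/lp-1891877-display-bochs-display-fix-memory-leak.patch
@@ -0,0 +1,42 @@
+From 7e1bc51f3f606e758b2600555ddc99f643a3697d Mon Sep 17 00:00:00 2001
+From: Cameron Esfahani <dirty@apple.com>
+Date: Tue, 10 Dec 2019 13:27:54 -0800
+Subject: [PATCH] display/bochs-display: fix memory leak
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fix memory leak in bochs_display_update(). Leaks 304 bytes per frame.
+
+Fixes: 33ebad54056
+Signed-off-by: Cameron Esfahani <dirty@apple.com>
+Message-Id: <d6c26e68db134c7b0c7ce8b61596ca2e65e01e12.1576013209.git.dirty@apple.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit 0d82411d0e38a0de7829f97d04406765c8d2210d)
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=7e1bc51f3f
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
+Last-Update: 2020-08-19
+
+---
+ hw/display/bochs-display.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/hw/display/bochs-display.c b/hw/display/bochs-display.c
+index dc1bd1641d..215db9a231 100644
+--- a/hw/display/bochs-display.c
++++ b/hw/display/bochs-display.c
+@@ -252,6 +252,8 @@ static void bochs_display_update(void *opaque)
+ dpy_gfx_update(s->con, 0, ys,
+ mode.width, y - ys);
+ }
++
++ g_free(snap);
+ }
+ }
+
+--
+2.28.0
+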
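Review bot: The added `g_free(snap);` releases the snapshot only on the path that falls through the end of the update loop; the allocation of `snap` and any earlier `return` in bochs_display_update are outside the hunk, so if the function bails out between the allocation and this point (for example when no display mode is active) those paths still leak. Worth confirming against the full function, or funnelling all exits through a single cleanup label so the free cannot be bypassed. bochs_display_update's body starts before the hunk.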
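--- /dev/null
+++ b/debian/patches/stable/lp-1891877-dp8393x-Always-update-RRA-pointers-and-sequence-numb.patch
@@ -0,0 +1,52 @@
+From 1190026fe415ce29605bdadbb68956a3315714e8 Mon Sep 17 00:00:00 2001
+From: Finn Thain <fthain@telegraphics.com.au>
+Date: Wed, 29 Jan 2020 20:27:49 +1100
+Subject: [PATCH] dp8393x: Always update RRA pointers and sequence numbers
+
+These operations need to take place regardless of whether or not
+rx descriptors have been used up (that is, EOL flag was observed).
+
+The algorithm is now the same for a packet that was withheld as for
+a packet that was not.
+
+Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
+Tested-by: Laurent Vivier <laurent@vivier.eu>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+(cherry picked from commit 80b60673ea598869050c66d95d8339480e4cefd0)
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=1190026fe4
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
+Last-Update: 2020-08-19
+
+---
+ hw/net/dp8393x.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
+index 4ce2ef818b..aa7bd785f3 100644
+--- a/hw/net/dp8393x.c
++++ b/hw/net/dp8393x.c
+@@ -897,12 +897,14 @@ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf,
+ /* Move to next descriptor */
+ s->regs[SONIC_CRDA] = s->regs[SONIC_LLFA];
+ s->regs[SONIC_ISR] |= SONIC_ISR_PKTRX;
+- s->regs[SONIC_RSC] = (s->regs[SONIC_RSC] & 0xff00) | (((s->regs[SONIC_RSC] & 0x00ff) + 1) & 0x00ff);
++ }
+
+- if (s->regs[SONIC_RCR] & SONIC_RCR_LPKT) {
+- /* Read next RRA */
+- dp8393x_do_read_rra(s);
+- }
++ s->regs[SONIC_RSC] = (s->regs[SONIC_RSC] & 0xff00) |
++ ((s->regs[SONIC_RSC] + 1) & 0x00ff);
++
++ if (s->regs[SONIC_RCR] & SONIC_RCR_LPKT) {
++ /* Read next RRA */
++ dp8393x_do_read_rra(s);
+ }
+
+ /* Done */
+--
+2.28.0
+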
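--- /dev/null
+++ b/debian/patches/stable/lp-1891877-dp8393x-Always-use-32-bit-accesses.patch
@@ -0,0 +1,167 @@
+From 956e1b2d977f8743d58c97994c27d6c848ae3b7d Mon Sep 17 00:00:00 2001
+From: Finn Thain <fthain@telegraphics.com.au>
+Date: Wed, 29 Jan 2020 20:27:49 +1100
+Subject: [PATCH] dp8393x: Always use 32-bit accesses
+
+The DP83932 and DP83934 have 32 data lines. The datasheet says,
+
+ Data Bus: These bidirectional lines are used to transfer data on the
+ system bus. When the SONIC is a bus master, 16-bit data is transferred
+ on D15-D0 and 32-bit data is transferred on D31-D0. When the SONIC is
+ accessed as a slave, register data is driven onto lines D15-D0.
+ D31-D16 are held TRI-STATE if SONIC is in 16-bit mode. If SONIC is in
+ 32-bit mode, they are driven, but invalid.
+
+Always use 32-bit accesses both as bus master and bus slave.
+
+Force the MSW to zero in bus master mode.
+
+This gets the Linux 'jazzsonic' driver working, and avoids the need for
+prior hacks to make the NetBSD 'sn' driver work.
+
+Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
+Tested-by: Laurent Vivier <laurent@vivier.eu>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+(cherry picked from commit 3fe9a838ec3eae1374ced16b63bf56894b2ffbe6)
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=956e1b2d97
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
+Last-Update: 2020-08-19
+
+---
+ hw/net/dp8393x.c | 47 +++++++++++++++++++++++++++++------------------
+ 1 file changed, 29 insertions(+), 18 deletions(-)
+
+diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
+index 7ca6a6dd46..49c304ee20 100644
+--- a/hw/net/dp8393x.c
++++ b/hw/net/dp8393x.c
+@@ -246,9 +246,19 @@ static void dp8393x_put(dp8393xState *s, int width, int offset,
+ uint16_t val)
+ {
+ if (s->big_endian) {
+- s->data[offset * width + width - 1] = cpu_to_be16(val);
++ if (width == 2) {
++ s->data[offset * 2] = 0;
++ s->data[offset * 2 + 1] = cpu_to_be16(val);
++ } else {
++ s->data[offset] = cpu_to_be16(val);
++ }
+ } else {
+- s->data[offset * width] = cpu_to_le16(val);
++ if (width == 2) {
++ s->data[offset * 2] = cpu_to_le16(val);
++ s->data[offset * 2 + 1] = 0;
++ } else {
++ s->data[offset] = cpu_to_le16(val);
++ }
+ }
+ }
+
+@@ -588,7 +598,7 @@ static uint64_t dp8393x_read(void *opaque, hwaddr addr, unsigned int size)
+
+ DPRINTF("read 0x%04x from reg %s\n", val, reg_names[reg]);
+
+- return val;
++ return s->big_endian ? val << 16 : val;
+ }
+
+ static void dp8393x_write(void *opaque, hwaddr addr, uint64_t data,
+@@ -596,13 +606,14 @@ static void dp8393x_write(void *opaque, hwaddr addr, uint64_t data,
+ {
+ dp8393xState *s = opaque;
+ int reg = addr >> s->it_shift;
++ uint32_t val = s->big_endian ? data >> 16 : data;
+
+- DPRINTF("write 0x%04x to reg %s\n", (uint16_t)data, reg_names[reg]);
++ DPRINTF("write 0x%04x to reg %s\n", (uint16_t)val, reg_names[reg]);
+
+ switch (reg) {
+ /* Command register */
+ case SONIC_CR:
+- dp8393x_do_command(s, data);
++ dp8393x_do_command(s, val);
+ break;
+ /* Prevent write to read-only registers */
+ case SONIC_CAP2:
+@@ -615,36 +626,36 @@ static void dp8393x_write(void *opaque, hwaddr addr, uint64_t data,
+ /* Accept write to some registers only when in reset mode */
+ case SONIC_DCR:
+ if (s->regs[SONIC_CR] & SONIC_CR_RST) {
+- s->regs[reg] = data & 0xbfff;
++ s->regs[reg] = val & 0xbfff;
+ } else {
+ DPRINTF("writing to DCR invalid\n");
+ }
+ break;
+ case SONIC_DCR2:
+ if (s->regs[SONIC_CR] & SONIC_CR_RST) {
+- s->regs[reg] = data & 0xf017;
++ s->regs[reg] = val & 0xf017;
+ } else {
+ DPRINTF("writing to DCR2 invalid\n");
+ }
+ break;
+ /* 12 lower bytes are Read Only */
+ case SONIC_TCR:
+- s->regs[reg] = data & 0xf000;
++ s->regs[reg] = val & 0xf000;
+ break;
+ /* 9 lower bytes are Read Only */
+ case SONIC_RCR:
+- s->regs[reg] = data & 0xffe0;
++ s->regs[reg] = val & 0xffe0;
+ break;
+ /* Ignore most significant bit */
+ case SONIC_IMR:
+- s->regs[reg] = data & 0x7fff;
++ s->regs[reg] = val & 0x7fff;
+ dp8393x_update_irq(s);
+ break;
+ /* Clear bits by writing 1 to them */
+ case SONIC_ISR:
+- data &= s->regs[reg];
+- s->regs[reg] &= ~data;
+- if (data & SONIC_ISR_RBE) {
++ val &= s->regs[reg];
++ s->regs[reg] &= ~val;
++ if (val & SONIC_ISR_RBE) {
+ dp8393x_do_read_rra(s);
+ }
+ dp8393x_update_irq(s);
+@@ -657,17 +668,17 @@ static void dp8393x_write(void *opaque, hwaddr addr, uint64_t data,
+ case SONIC_REA:
+ case SONIC_RRP:
+ case SONIC_RWP:
+- s->regs[reg] = data & 0xfffe;
++ s->regs[reg] = val & 0xfffe;
+ break;
+ /* Invert written value for some registers */
+ case SONIC_CRCT:
+ case SONIC_FAET:
+ case SONIC_MPT:
+- s->regs[reg] = data ^ 0xffff;
++ s->regs[reg] = val ^ 0xffff;
+ break;
+ /* All other registers have no special contrainst */
+ default:
+- s->regs[reg] = data;
++ s->regs[reg] = val;
+ }
+
+ if (reg == SONIC_WT0 || reg == SONIC_WT1) {
+@@ -678,8 +689,8 @@ static void dp8393x_write(void *opaque, hwaddr addr, uint64_t data,
+ static const MemoryRegionOps dp8393x_ops = {
+ .read = dp8393x_read,
+ .write = dp8393x_write,
+- .impl.min_access_size = 2,
+- .impl.max_access_size = 2,
++ .impl.min_access_size = 4,
++ .impl.max_access_size = 4,
+ .endianness = DEVICE_NATIVE_ENDIAN,
+ };
+
+--
+2.28.0
+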
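Review bot: In dp8393x_read the new `return s->big_endian ? val << 16 : val;` shifts `val` before it is widened to the function's uint64_t return type; `val`'s declaration is outside the hunk, but if it is a 16-bit or int-sized register value it is promoted to int, and any value with bit 15 set makes `val << 16` a shift whose result does not fit in int, which is undefined behaviour in C. Casting first, `return s->big_endian ? (uint64_t)val << 16 : val;`, places the word in the upper half as intended without depending on integer promotion. The mirror in dp8393x_write, `uint32_t val = s->big_endian ? data >> 16 : data;`, is fine because `data` is already uint64_t; dp8393x_read's body starts outside the hunk.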
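--- /dev/null
+++ b/debian/patches/stable/lp-1891877-dp8393x-Clean-up-endianness-hacks.patch
@@ -0,0 +1,71 @@
+From bf3f12ac8c34e4856f48c5f7ee7d23c042097797 Mon Sep 17 00:00:00 2001
+From: Finn Thain <fthain@telegraphics.com.au>
+Date: Wed, 29 Jan 2020 20:27:49 +1100
+Subject: [PATCH] dp8393x: Clean up endianness hacks
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+According to the datasheet, section 3.4.4, "in 32-bit mode ... the SONIC
+always writes long words".
+
+Therefore, use the same technique for the 'in_use' field that is used
+everywhere else, and write the full long word.
+
+Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
+Tested-by: Laurent Vivier <laurent@vivier.eu>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+(cherry picked from commit 46ffee9ad43185cbee4182c208bbd534814086ca)
+ Conflicts:
+ hw/net/dp8393x.c
+*roll in local dependencies on b7cbebf2b9d
+*drop functional dep. on 19f70347731
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=bf3f12ac8c
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
+Last-Update: 2020-08-19
+
+---
+ hw/net/dp8393x.c | 17 ++++++-----------
+ 1 file changed, 6 insertions(+), 11 deletions(-)
+
+diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
+index 49c304ee20..f89f4c7ba3 100644
+--- a/hw/net/dp8393x.c
++++ b/hw/net/dp8393x.c
+@@ -776,8 +776,6 @@ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf,
+ return -1;
+ }
+
+- /* XXX: Check byte ordering */
+-
+ /* Check for EOL */
+ if (s->regs[SONIC_LLFA] & SONIC_DESC_EOL) {
+ /* Are we still in resource exhaustion? */
+@@ -847,15 +845,12 @@ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf,
+ /* EOL detected */
+ s->regs[SONIC_ISR] |= SONIC_ISR_RDE;
+ } else {
+- /* Clear in_use, but it is always 16bit wide */
+- int offset = dp8393x_crda(s) + sizeof(uint16_t) * 6 * width;
+- if (s->big_endian && width == 2) {
+- /* we need to adjust the offset of the 16bit field */
+- offset += sizeof(uint16_t);
+- }
+- s->data[0] = 0;
+- address_space_rw(&s->as, offset, MEMTXATTRS_UNSPECIFIED,
+- (uint8_t *)s->data, sizeof(uint16_t), 1);
++ /* Clear in_use */
++ size = sizeof(uint16_t) * width;
++ address = dp8393x_crda(s) + sizeof(uint16_t) * 6 * width;
++ dp8393x_put(s, width, 0, 0);
++ address_space_rw(&s->as, address, MEMTXATTRS_UNSPECIFIED,
++ (uint8_t *)s->data, size, true);
+ s->regs[SONIC_CRDA] = s->regs[SONIC_LLFA];
+ s->regs[SONIC_ISR] |= SONIC_ISR_PKTRX;
+ s->regs[SONIC_RSC] = (s->regs[SONIC_RSC] & 0xff00) | (((s->regs[SONIC_RSC] & 0x00ff) + 1) & 0x00ff);
+--
+2.28.0
+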
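Review bot: The new `size = sizeof(uint16_t) * width;` in the in_use-clearing block assigns to `size`, which at this point in the series is still dp8393x_receive's `size_t size` parameter; the later patch lp-1891877-dp8393x-Have-dp8393x_receive-return-the-packet-size.patch renames that parameter to `pkt_size` and adds a separate `int size` local precisely because, per its own description, re-using the argument as scratch messes up the function result. The same assignment appears in lp-1891877-dp8393x-Clear-descriptor-in_use-field-to-release-pac.patch, which is earlier in the index chain and first introduces it. Once the whole series is applied in order the final code is correct, but a bisection or partial backport that stops between these patches would have dp8393x_receive reporting a 2- or 4-byte result instead of the packet length; a one-line note in the patch header recording that ordering dependency would help the next SRU. dp8393x_receive starts and ends outside the hunk.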
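--- /dev/null
+++ b/debian/patches/stable/lp-1891877-dp8393x-Clear-RRRA-command-register-bit-only-when-ap.patch
@@ -0,0 +1,56 @@
+From 5f08c382caee86109585111b240c36371738b00d Mon Sep 17 00:00:00 2001
+From: Finn Thain <fthain@telegraphics.com.au>
+Date: Wed, 29 Jan 2020 20:27:49 +1100
+Subject: [PATCH] dp8393x: Clear RRRA command register bit only when
+ appropriate
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+It doesn't make sense to clear the command register bit unless the
+command was actually issued.
+
+Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Tested-by: Laurent Vivier <laurent@vivier.eu>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+(cherry picked from commit a3cce2825a0b12bb717a5106daaca245557cc9ae)
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=5f08c382ca
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
+Last-Update: 2020-08-19
+
+---
+ hw/net/dp8393x.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
+index 8dd6bf032c..04f58ee4e1 100644
+--- a/hw/net/dp8393x.c
++++ b/hw/net/dp8393x.c
+@@ -352,9 +352,6 @@ static void dp8393x_do_read_rra(dp8393xState *s)
+ s->regs[SONIC_ISR] |= SONIC_ISR_RBE;
+ dp8393x_update_irq(s);
+ }
+-
+- /* Done */
+- s->regs[SONIC_CR] &= ~SONIC_CR_RRRA;
+ }
+
+ static void dp8393x_do_software_reset(dp8393xState *s)
+@@ -563,8 +560,10 @@ static void dp8393x_do_command(dp8393xState *s, uint16_t command)
+ dp8393x_do_start_timer(s);
+ if (command & SONIC_CR_RST)
+ dp8393x_do_software_reset(s);
+- if (command & SONIC_CR_RRRA)
++ if (command & SONIC_CR_RRRA) {
+ dp8393x_do_read_rra(s);
++ s->regs[SONIC_CR] &= ~SONIC_CR_RRRA;
++ }
+ if (command & SONIC_CR_LCAM)
+ dp8393x_do_load_cam(s);
+ }
+--
+2.28.0
+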
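--- /dev/null
+++ b/debian/patches/stable/lp-1891877-dp8393x-Clear-descriptor-in_use-field-to-release-pac.patch
@@ -0,0 +1,55 @@
+From 8d61b1e2c4e2ad8310ca957decf26b0b82d37148 Mon Sep 17 00:00:00 2001
+From: Finn Thain <fthain@telegraphics.com.au>
+Date: Wed, 29 Jan 2020 20:27:49 +1100
+Subject: [PATCH] dp8393x: Clear descriptor in_use field to release packet
+
+When the SONIC receives a packet into the last available descriptor, it
+retains ownership of that descriptor for as long as necessary.
+
+Section 3.4.7 of the datasheet says,
+
+ When the system appends more descriptors, the SONIC releases ownership
+ of the descriptor after writing 0000h to the RXpkt.in_use field.
+
+The packet can now be processed by the host, so raise a PKTRX interrupt,
+just like the normal case.
+
+Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
+Tested-by: Laurent Vivier <laurent@vivier.eu>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+(cherry picked from commit d9fae13196a31716f45dcddcdd958fbb8e59b35a)
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=8d61b1e2c4
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
+Last-Update: 2020-08-19
+
+---
+ hw/net/dp8393x.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
+index 0e9061d831..4ce2ef818b 100644
+--- a/hw/net/dp8393x.c
++++ b/hw/net/dp8393x.c
+@@ -809,7 +809,17 @@ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf,
+ return -1;
+ }
+ /* Link has been updated by host */
++
++ /* Clear in_use */
++ size = sizeof(uint16_t) * width;
++ address = dp8393x_crda(s) + sizeof(uint16_t) * 6 * width;
++ dp8393x_put(s, width, 0, 0);
++ address_space_rw(&s->as, address, MEMTXATTRS_UNSPECIFIED,
++ (uint8_t *)s->data, size, 1);
++
++ /* Move to next descriptor */
+ s->regs[SONIC_CRDA] = s->regs[SONIC_LLFA];
++ s->regs[SONIC_ISR] |= SONIC_ISR_PKTRX;
+ }
+
+ /* Save current position */
+--
+2.28.0
+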
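--- /dev/null
+++ b/debian/patches/stable/lp-1891877-dp8393x-Don-t-clobber-packet-checksum.patch
@@ -0,0 +1,45 @@
+From d50aa8acbc6f4bd83d0d0b5958d49ac6baf254a5 Mon Sep 17 00:00:00 2001
+From: Finn Thain <fthain@telegraphics.com.au>
+Date: Wed, 29 Jan 2020 20:27:49 +1100
+Subject: [PATCH] dp8393x: Don't clobber packet checksum
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+A received packet consumes pkt_size bytes in the buffer and the frame
+checksum that's appended to it consumes another 4 bytes. The Receive
+Buffer Address register takes the former quantity into account but
+not the latter. So the next packet written to the buffer overwrites
+the frame checksum. Fix this.
+
+Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Tested-by: Laurent Vivier <laurent@vivier.eu>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+(cherry picked from commit bae112b80c9c42cea21ee7623c283668c3451c2e)
+*drop context dep. on 19f70347731
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=d50aa8acbc
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
+Last-Update: 2020-08-19
+
+---
+ hw/net/dp8393x.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
+index ca8088c839..315b4ad844 100644
+--- a/hw/net/dp8393x.c
++++ b/hw/net/dp8393x.c
+@@ -816,6 +816,7 @@ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf,
+ address += rx_len;
+ address_space_rw(&s->as, address,
+ MEMTXATTRS_UNSPECIFIED, (uint8_t *)&checksum, 4, 1);
++ address += 4;
+ rx_len += 4;
+ s->regs[SONIC_CRBA1] = address >> 16;
+ s->regs[SONIC_CRBA0] = address & 0xffff;
+--
+2.28.0
+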
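Review bot: The new `address += 4;` hard-codes the checksum length as a literal, matching the neighbouring `4` in the address_space_rw call and `rx_len += 4;`, while the same quantity is written as `sizeof(checksum)` elsewhere in this series (`rx_len = pkt_size + sizeof(checksum);` in lp-1891877-dp8393x-Don-t-stop-reception-upon-RBE-interrupt-asse.patch). `address += sizeof(checksum);` keeps the buffer advance tied to the object actually written and reads as the intent rather than a magic number. The fix itself, advancing the receive buffer address past the appended frame checksum so the next packet does not overwrite it, looks right as far as the hunk shows; dp8393x_receive starts and ends outside it.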
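--- /dev/null
+++ b/debian/patches/stable/lp-1891877-dp8393x-Don-t-reset-Silicon-Revision-register.patch
@@ -0,0 +1,51 @@
+From 735cd8ddab7d2e8b3cb693295067d2c8a9098f86 Mon Sep 17 00:00:00 2001
+From: Finn Thain <fthain@telegraphics.com.au>
+Date: Wed, 29 Jan 2020 20:27:49 +1100
+Subject: [PATCH] dp8393x: Don't reset Silicon Revision register
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The jazzsonic driver in Linux uses the Silicon Revision register value
+to probe the chip. The driver fails unless the SR register contains 4.
+Unfortunately, reading this register in QEMU usually returns 0 because
+the s->regs[] array gets wiped after a software reset.
+
+Fixes: bd8f1ebce4 ("net/dp8393x: fix hardware reset")
+Suggested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+(cherry picked from commit 083e21bbdde7dbd326baf29d21f49fc3f5614496)
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=735cd8ddab
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
+Last-Update: 2020-08-19
+
+---
+ hw/net/dp8393x.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
+index aa7bd785f3..d33f21bd0b 100644
+--- a/hw/net/dp8393x.c
++++ b/hw/net/dp8393x.c
+@@ -919,6 +919,7 @@ static void dp8393x_reset(DeviceState *dev)
+ timer_del(s->watchdog);
+
+ memset(s->regs, 0, sizeof(s->regs));
++ s->regs[SONIC_SR] = 0x0004; /* only revision recognized by Linux/mips */
+ s->regs[SONIC_CR] = SONIC_CR_RST | SONIC_CR_STP | SONIC_CR_RXDIS;
+ s->regs[SONIC_DCR] &= ~(SONIC_DCR_EXBUS | SONIC_DCR_LBR);
+ s->regs[SONIC_RCR] &= ~(SONIC_RCR_LB0 | SONIC_RCR_LB1 | SONIC_RCR_BRD | SONIC_RCR_RNT);
+@@ -971,7 +972,6 @@ static void dp8393x_realize(DeviceState *dev, Error **errp)
+ qemu_format_nic_info_str(qemu_get_queue(s->nic), s->conf.macaddr.a);
+
+ s->watchdog = timer_new_ns(QEMU_CLOCK_VIRTUAL, dp8393x_watchdog, s);
+- s->regs[SONIC_SR] = 0x0004; /* only revision recognized by Linux */
+
+ memory_region_init_ram(&s->prom, OBJECT(dev),
+ "dp8393x-prom", SONIC_PROM_SIZE, &local_err);
+--
+2.28.0
+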
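--- /dev/null
+++ b/debian/patches/stable/lp-1891877-dp8393x-Don-t-stop-reception-upon-RBE-interrupt-asse.patch
@@ -0,0 +1,137 @@
+From 3e1d95301e8c00d8a8a2ec03ed941f019c8fd2b3 Mon Sep 17 00:00:00 2001
+From: Finn Thain <fthain@telegraphics.com.au>
+Date: Wed, 29 Jan 2020 20:27:49 +1100
+Subject: [PATCH] dp8393x: Don't stop reception upon RBE interrupt assertion
+
+Section 3.4.7 of the datasheet explains that,
+
+ The RBE bit in the Interrupt Status register is set when the
+ SONIC finishes using the second to last receive buffer and reads
+ the last RRA descriptor. Actually, the SONIC is not truly out of
+ resources, but gives the system an early warning of an impending
+ out of resources condition.
+
+RBE does not mean actual receive buffer exhaustion, and reception should
+not be stopped. This is important because Linux will not check and clear
+the RBE interrupt until it receives another packet. But that won't
+happen if can_receive returns false. This bug causes the SONIC to become
+deaf (until reset).
+
+Fix this with a new flag to indicate actual receive buffer exhaustion.
+
+Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
+Tested-by: Laurent Vivier <laurent@vivier.eu>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+(cherry picked from commit c2279bd0a19b35057f2e4c3b4df9a915717d1142)
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=3e1d95301e
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
+Last-Update: 2020-08-19
+
+---
+ hw/net/dp8393x.c | 35 ++++++++++++++++++++++-------------
+ 1 file changed, 22 insertions(+), 13 deletions(-)
+
+diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
+index d33f21bd0b..44f77c5d3c 100644
+--- a/hw/net/dp8393x.c
++++ b/hw/net/dp8393x.c
+@@ -158,6 +158,7 @@ typedef struct dp8393xState {
+ /* Hardware */
+ uint8_t it_shift;
+ bool big_endian;
++ bool last_rba_is_full;
+ qemu_irq irq;
+ #ifdef DEBUG_SONIC
+ int irq_level;
+@@ -347,12 +348,15 @@ static void dp8393x_do_read_rra(dp8393xState *s)
+ s->regs[SONIC_RRP] = s->regs[SONIC_RSA];
+ }
+
+- /* Check resource exhaustion */
++ /* Warn the host if CRBA now has the last available resource */
+ if (s->regs[SONIC_RRP] == s->regs[SONIC_RWP])
+ {
+ s->regs[SONIC_ISR] |= SONIC_ISR_RBE;
+ dp8393x_update_irq(s);
+ }
++
++ /* Allow packet reception */
++ s->last_rba_is_full = false;
+ }
+
+ static void dp8393x_do_software_reset(dp8393xState *s)
+@@ -659,9 +663,6 @@ static void dp8393x_write(void *opaque, hwaddr addr, uint64_t data,
+ dp8393x_do_read_rra(s);
+ }
+ dp8393x_update_irq(s);
+- if (dp8393x_can_receive(s->nic->ncs)) {
+- qemu_flush_queued_packets(qemu_get_queue(s->nic));
+- }
+ break;
+ /* The guest is required to store aligned pointers here */
+ case SONIC_RSA:
+@@ -721,8 +722,6 @@ static int dp8393x_can_receive(NetClientState *nc)
+
+ if (!(s->regs[SONIC_CR] & SONIC_CR_RXEN))
+ return 0;
+- if (s->regs[SONIC_ISR] & SONIC_ISR_RBE)
+- return 0;
+ return 1;
+ }
+
+@@ -773,6 +772,10 @@ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf,
+ s->regs[SONIC_RCR] &= ~(SONIC_RCR_PRX | SONIC_RCR_LBK | SONIC_RCR_FAER |
+ SONIC_RCR_CRCR | SONIC_RCR_LPKT | SONIC_RCR_BC | SONIC_RCR_MC);
+
++ if (s->last_rba_is_full) {
++ return pkt_size;
++ }
++
+ rx_len = pkt_size + sizeof(checksum);
+ if (s->regs[SONIC_DCR] & SONIC_DCR_DW) {
+ width = 2;
+@@ -786,8 +789,8 @@ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf,
+ DPRINTF("oversize packet, pkt_size is %d\n", pkt_size);
+ s->regs[SONIC_ISR] |= SONIC_ISR_RBAE;
+ dp8393x_update_irq(s);
+- dp8393x_do_read_rra(s);
+- return pkt_size;
++ s->regs[SONIC_RCR] |= SONIC_RCR_LPKT;
++ goto done;
+ }
+
+ packet_type = dp8393x_receive_filter(s, buf, pkt_size);
+@@ -899,17 +902,23 @@ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf,
+ s->regs[SONIC_ISR] |= SONIC_ISR_PKTRX;
+ }
+
++ dp8393x_update_irq(s);
++
+ s->regs[SONIC_RSC] = (s->regs[SONIC_RSC] & 0xff00) |
+ ((s->regs[SONIC_RSC] + 1) & 0x00ff);
+
++done:
++
+ if (s->regs[SONIC_RCR] & SONIC_RCR_LPKT) {
+- /* Read next RRA */
+- dp8393x_do_read_rra(s);
++ if (s->regs[SONIC_RRP] == s->regs[SONIC_RWP]) {
++ /* Stop packet reception */
++ s->last_rba_is_full = true;
++ } else {
++ /* Read next resource */
++ dp8393x_do_read_rra(s);
++ }
+ }
+
+- /* Done */
+- dp8393x_update_irq(s);
+-
+ return pkt_size;
+ }
+
+--
+2.28.0
+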
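Review bot: The new `bool last_rba_is_full` in dp8393xState is set to true in dp8393x_receive's done path and cleared only in dp8393x_do_read_rra; no hunk here touches dp8393x_reset or a VMState description for the device, so the flag survives a device reset and, if a vmstate for dp8393xState exists (not visible in this patch), is not migrated. After a reset taken while the flag is true, the new early `return pkt_size;` in dp8393x_receive silently drops every incoming packet until something calls dp8393x_do_read_rra again, which is the same "deaf until reset" symptom the patch sets out to fix, only now keyed on a flag that reset does not clear. Adding `s->last_rba_is_full = false;` next to the `memset(s->regs, 0, sizeof(s->regs));` in dp8393x_reset closes that window; the migration side would need the field in the vmstate (with a version bump or subsection) if one is present. dp8393x_receive and dp8393x_reset both start and end outside the hunks.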
2499diff --git a/debian/patches/stable/lp-1891877-dp8393x-Have-dp8393x_receive-return-the-packet-size.patch b/debian/patches/stable/lp-1891877-dp8393x-Have-dp8393x_receive-return-the-packet-size.patch
2500new file mode 100644
2501index 0000000..8a4e085
2502--- /dev/null
2503+++ b/debian/patches/stable/lp-1891877-dp8393x-Have-dp8393x_receive-return-the-packet-size.patch
2504@@ -0,0 +1,68 @@
2505+From 153c3320e77cfcafc5a44d01d6fb7905121a8fd7 Mon Sep 17 00:00:00 2001
2506+From: Finn Thain <fthain@telegraphics.com.au>
2507+Date: Wed, 29 Jan 2020 20:27:49 +1100
2508+Subject: [PATCH] dp8393x: Have dp8393x_receive() return the packet size
2509+MIME-Version: 1.0
2510+Content-Type: text/plain; charset=UTF-8
2511+Content-Transfer-Encoding: 8bit
2512+
2513+This function re-uses its 'size' argument as a scratch variable.
2514+Instead, declare a local 'size' variable for that purpose so that the
2515+function result doesn't get messed up.
2516+
2517+Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
2518+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
2519+Tested-by: Laurent Vivier <laurent@vivier.eu>
2520+Signed-off-by: Jason Wang <jasowang@redhat.com>
2521+(cherry picked from commit 9e3cd456d85ad45e72bdba99203302342ce29b3b)
2522+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2523+
2524+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=153c3320e7
2525+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
2526+Last-Update: 2020-08-19
2527+
2528+---
2529+ hw/net/dp8393x.c | 9 +++++----
2530+ 1 file changed, 5 insertions(+), 4 deletions(-)
2531+
2532+diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
2533+index f89f4c7ba3..a696485a55 100644
2534+--- a/hw/net/dp8393x.c
2535++++ b/hw/net/dp8393x.c
2536+@@ -757,20 +757,21 @@ static int dp8393x_receive_filter(dp8393xState *s, const uint8_t * buf,
2537+ }
2538+
2539+ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf,
2540+- size_t size)
2541++ size_t pkt_size)
2542+ {
2543+ dp8393xState *s = qemu_get_nic_opaque(nc);
2544+ int packet_type;
2545+ uint32_t available, address;
2546+- int width, rx_len = size;
2547++ int width, rx_len = pkt_size;
2548+ uint32_t checksum;
2549++ int size;
2550+
2551+ width = (s->regs[SONIC_DCR] & SONIC_DCR_DW) ? 2 : 1;
2552+
2553+ s->regs[SONIC_RCR] &= ~(SONIC_RCR_PRX | SONIC_RCR_LBK | SONIC_RCR_FAER |
2554+ SONIC_RCR_CRCR | SONIC_RCR_LPKT | SONIC_RCR_BC | SONIC_RCR_MC);
2555+
2556+- packet_type = dp8393x_receive_filter(s, buf, size);
2557++ packet_type = dp8393x_receive_filter(s, buf, pkt_size);
2558+ if (packet_type < 0) {
2559+ DPRINTF("packet not for netcard\n");
2560+ return -1;
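Review bot: `int width, rx_len = pkt_size;` silently narrows the size_t frame length to a signed int, and within this patch nothing bounds pkt_size before use; the RBWC limit only arrives in the later "Implement packet size limit" patch of this series, so the narrowing deserves an explicit cast or a comment stating that the net layer caps frame length. The new scratch variable also warrants a word, e.g. `int size; /* byte count of the current address_space_rw() transfer */`, since it replaces the parameter the old code overwrote. dp8393x_receive() continues beyond this hunk.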
2561+@@ -864,7 +865,7 @@ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf,
2562+ /* Done */
2563+ dp8393x_update_irq(s);
2564+
2565+- return size;
2566++ return pkt_size;
2567+ }
2568+
2569+ static void dp8393x_reset(DeviceState *dev)
2570+--
2571+2.28.0
2572+
2573diff --git a/debian/patches/stable/lp-1891877-dp8393x-Implement-packet-size-limit-and-RBAE-interru.patch b/debian/patches/stable/lp-1891877-dp8393x-Implement-packet-size-limit-and-RBAE-interru.patch
2574new file mode 100644
2575index 0000000..fcdb4ca
2576--- /dev/null
2577+++ b/debian/patches/stable/lp-1891877-dp8393x-Implement-packet-size-limit-and-RBAE-interru.patch
2578@@ -0,0 +1,57 @@
2579+From 3a8068f4ebb9f9500cf3d1805f5cfbd42e15ab12 Mon Sep 17 00:00:00 2001
2580+From: Finn Thain <fthain@telegraphics.com.au>
2581+Date: Wed, 29 Jan 2020 20:27:49 +1100
2582+Subject: [PATCH] dp8393x: Implement packet size limit and RBAE interrupt
2583+
2584+Add a bounds check to prevent a large packet from causing a buffer
2585+overflow. This is defensive programming -- I haven't actually tried
2586+sending an oversized packet or a jumbo ethernet frame.
2587+
2588+The SONIC handles packets that are too big for the buffer by raising
2589+the RBAE interrupt and dropping them. Linux uses that interrupt to
2590+count dropped packets.
2591+
2592+Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
2593+Tested-by: Laurent Vivier <laurent@vivier.eu>
2594+Signed-off-by: Jason Wang <jasowang@redhat.com>
2595+(cherry picked from commit ada74315270d1dcabf4c9d4fece19df7ef5b9577)
2596+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2597+
2598+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=3a8068f4eb
2599+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
2600+Last-Update: 2020-08-19
2601+
2602+---
2603+ hw/net/dp8393x.c | 9 +++++++++
2604+ 1 file changed, 9 insertions(+)
2605+
2606+diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
2607+index 04f58ee4e1..ca8088c839 100644
2608+--- a/hw/net/dp8393x.c
2609++++ b/hw/net/dp8393x.c
2610+@@ -137,6 +137,7 @@ do { printf("sonic ERROR: %s: " fmt, __func__ , ## __VA_ARGS__); } while (0)
2611+ #define SONIC_TCR_CRCI 0x2000
2612+ #define SONIC_TCR_PINT 0x8000
2613+
2614++#define SONIC_ISR_RBAE 0x0010
2615+ #define SONIC_ISR_RBE 0x0020
2616+ #define SONIC_ISR_RDE 0x0040
2617+ #define SONIC_ISR_TC 0x0080
2618+@@ -770,6 +771,14 @@ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf,
2619+ s->regs[SONIC_RCR] &= ~(SONIC_RCR_PRX | SONIC_RCR_LBK | SONIC_RCR_FAER |
2620+ SONIC_RCR_CRCR | SONIC_RCR_LPKT | SONIC_RCR_BC | SONIC_RCR_MC);
2621+
2622++ if (pkt_size + 4 > dp8393x_rbwc(s) * 2) {
2623++ DPRINTF("oversize packet, pkt_size is %d\n", pkt_size);
2624++ s->regs[SONIC_ISR] |= SONIC_ISR_RBAE;
2625++ dp8393x_update_irq(s);
2626++ dp8393x_do_read_rra(s);
2627++ return pkt_size;
2628++ }
2629++
2630+ packet_type = dp8393x_receive_filter(s, buf, pkt_size);
2631+ if (packet_type < 0) {
2632+ DPRINTF("packet not for netcard\n");
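Review bot: `DPRINTF("oversize packet, pkt_size is %d\n", pkt_size)` passes a size_t to `%d`; it is compiled out unless DEBUG_SONIC is enabled, but when it is this is a format/argument mismatch that -Wformat flags, so use `%zu`. The check is also placed before dp8393x_receive_filter(), so any over-long frame on the segment — including ones not addressed to this NIC — raises RBAE and, through dp8393x_do_read_rra(), consumes one of the guest's receive buffers; placing it after the filter would limit that to frames the card would actually DMA, or a comment should say the pre-filter ordering models the chip. The function continues past this hunk.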
2633+--
2634+2.28.0
2635+
2636diff --git a/debian/patches/stable/lp-1891877-dp8393x-Mask-EOL-bit-from-descriptor-addresses.patch b/debian/patches/stable/lp-1891877-dp8393x-Mask-EOL-bit-from-descriptor-addresses.patch
2637new file mode 100644
2638index 0000000..9514b07
2639--- /dev/null
2640+++ b/debian/patches/stable/lp-1891877-dp8393x-Mask-EOL-bit-from-descriptor-addresses.patch
2641@@ -0,0 +1,98 @@
2642+From eb54a2f9cee10cf1c7832a3536a8d5980ec313e9 Mon Sep 17 00:00:00 2001
2643+From: Finn Thain <fthain@telegraphics.com.au>
2644+Date: Mon, 20 Jan 2020 09:59:21 +1100
2645+Subject: [PATCH] dp8393x: Mask EOL bit from descriptor addresses
2646+
2647+The Least Significant bit of a descriptor address register is used as
2648+an EOL flag. It has to be masked when the register value is to be used
2649+as an actual address for copying memory around. But when the registers
2650+are to be updated the EOL bit should not be masked.
2651+
2652+Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
2653+Tested-by: Laurent Vivier <laurent@vivier.eu>
2654+Signed-off-by: Jason Wang <jasowang@redhat.com>
2655+(cherry picked from commit 88f632fbb1b3d31d5b6978d28f8735a6ed18b8f5)
2656+ Conflicts:
2657+ hw/net/dp8393x.c
2658+*drop context dep. on 19f70347731
2659+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2660+
2661+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=eb54a2f9ce
2662+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
2663+Last-Update: 2020-08-19
2664+
2665+---
2666+ hw/net/dp8393x.c | 17 +++++++++++------
2667+ 1 file changed, 11 insertions(+), 6 deletions(-)
2668+
2669+diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
2670+index 3d991af163..7ca6a6dd46 100644
2671+--- a/hw/net/dp8393x.c
2672++++ b/hw/net/dp8393x.c
2673+@@ -145,6 +145,9 @@ do { printf("sonic ERROR: %s: " fmt, __func__ , ## __VA_ARGS__); } while (0)
2674+ #define SONIC_ISR_PINT 0x0800
2675+ #define SONIC_ISR_LCD 0x1000
2676+
2677++#define SONIC_DESC_EOL 0x0001
2678++#define SONIC_DESC_ADDR 0xFFFE
2679++
2680+ #define TYPE_DP8393X "dp8393x"
2681+ #define DP8393X(obj) OBJECT_CHECK(dp8393xState, (obj), TYPE_DP8393X)
2682+
2683+@@ -197,7 +200,8 @@ static uint32_t dp8393x_crba(dp8393xState *s)
2684+
2685+ static uint32_t dp8393x_crda(dp8393xState *s)
2686+ {
2687+- return (s->regs[SONIC_URDA] << 16) | s->regs[SONIC_CRDA];
2688++ return (s->regs[SONIC_URDA] << 16) |
2689++ (s->regs[SONIC_CRDA] & SONIC_DESC_ADDR);
2690+ }
2691+
2692+ static uint32_t dp8393x_rbwc(dp8393xState *s)
2693+@@ -217,7 +221,8 @@ static uint32_t dp8393x_tsa(dp8393xState *s)
2694+
2695+ static uint32_t dp8393x_ttda(dp8393xState *s)
2696+ {
2697+- return (s->regs[SONIC_UTDA] << 16) | s->regs[SONIC_TTDA];
2698++ return (s->regs[SONIC_UTDA] << 16) |
2699++ (s->regs[SONIC_TTDA] & SONIC_DESC_ADDR);
2700+ }
2701+
2702+ static uint32_t dp8393x_wt(dp8393xState *s)
2703+@@ -507,7 +512,7 @@ static void dp8393x_do_transmit_packets(dp8393xState *s)
2704+ (4 + 3 * s->regs[SONIC_TFC]) * width,
2705+ MEMTXATTRS_UNSPECIFIED, (uint8_t *)s->data, size, 0);
2706+ s->regs[SONIC_CTDA] = dp8393x_get(s, width, 0) & ~0x1;
2707+- if (dp8393x_get(s, width, 0) & 0x1) {
2708++ if (dp8393x_get(s, width, 0) & SONIC_DESC_EOL) {
2709+ /* EOL detected */
2710+ break;
2711+ }
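Review bot: The CTDA store two lines above the changed line still spells the bit as the literal `& ~0x1` while the test right after it now uses SONIC_DESC_EOL, so the same flag is named in one place and a magic number in the other; `s->regs[SONIC_CTDA] = dp8393x_get(s, width, 0) & SONIC_DESC_ADDR;` keeps both in the new vocabulary. The commit message says registers should retain the EOL bit when updated, yet CTDA is stored with it stripped here; if that is deliberate for CTDA a short comment should say why. dp8393x_do_transmit_packets() extends beyond this hunk.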
2712+@@ -763,13 +768,13 @@ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf,
2713+ /* XXX: Check byte ordering */
2714+
2715+ /* Check for EOL */
2716+- if (s->regs[SONIC_LLFA] & 0x1) {
2717++ if (s->regs[SONIC_LLFA] & SONIC_DESC_EOL) {
2718+ /* Are we still in resource exhaustion? */
2719+ size = sizeof(uint16_t) * 1 * width;
2720+ address = dp8393x_crda(s) + sizeof(uint16_t) * 5 * width;
2721+ address_space_rw(&s->as, address, MEMTXATTRS_UNSPECIFIED,
2722+ (uint8_t *)s->data, size, 0);
2723+- if (dp8393x_get(s, width, 0) & 0x1) {
2724++ if (dp8393x_get(s, width, 0) & SONIC_DESC_EOL) {
2725+ /* Still EOL ; stop reception */
2726+ return -1;
2727+ } else {
2728+@@ -827,7 +832,7 @@ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf,
2729+ address_space_rw(&s->as, dp8393x_crda(s) + sizeof(uint16_t) * 5 * width,
2730+ MEMTXATTRS_UNSPECIFIED, (uint8_t *)s->data, size, 0);
2731+ s->regs[SONIC_LLFA] = dp8393x_get(s, width, 0);
2732+- if (s->regs[SONIC_LLFA] & 0x1) {
2733++ if (s->regs[SONIC_LLFA] & SONIC_DESC_EOL) {
2734+ /* EOL detected */
2735+ s->regs[SONIC_ISR] |= SONIC_ISR_RDE;
2736+ } else {
2737+--
2738+2.28.0
2739+
2740diff --git a/debian/patches/stable/lp-1891877-dp8393x-Pad-frames-to-word-or-long-word-boundary.patch b/debian/patches/stable/lp-1891877-dp8393x-Pad-frames-to-word-or-long-word-boundary.patch
2741new file mode 100644
2742index 0000000..9eea6ff
2743--- /dev/null
2744+++ b/debian/patches/stable/lp-1891877-dp8393x-Pad-frames-to-word-or-long-word-boundary.patch
2745@@ -0,0 +1,113 @@
2746+From cbc8277051f76f8131f5d4c787862a16a5fa1707 Mon Sep 17 00:00:00 2001
2747+From: Finn Thain <fthain@telegraphics.com.au>
2748+Date: Wed, 29 Jan 2020 20:27:49 +1100
2749+Subject: [PATCH] dp8393x: Pad frames to word or long word boundary
2750+MIME-Version: 1.0
2751+Content-Type: text/plain; charset=UTF-8
2752+Content-Transfer-Encoding: 8bit
2753+
2754+The existing code has a bug where the Remaining Buffer Word Count (RBWC)
2755+is calculated with a truncating division, which gives the wrong result
2756+for odd-sized packets.
2757+
2758+Section 1.4.1 of the datasheet says,
2759+
2760+ Once the end of the packet has been reached, the serializer will
2761+ fill out the last word (16-bit mode) or long word (32-bit mode)
2762+ if the last byte did not end on a word or long word boundary
2763+ respectively. The fill byte will be 0FFh.
2764+
2765+Implement buffer padding so that buffer limits are correctly enforced.
2766+
2767+Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
2768+Tested-by: Laurent Vivier <laurent@vivier.eu>
2769+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
2770+Signed-off-by: Jason Wang <jasowang@redhat.com>
2771+(cherry picked from commit 350e7d9a77d3b9ac74d240e4b232db1ebe5c05bc)
2772+*drop context dependencies from b7cbebf2b9d, 1ccda935d4f, and
2773+ 19f70347731
2774+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2775+
2776+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=cbc8277051
2777+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
2778+Last-Update: 2020-08-19
2779+
2780+---
2781+ hw/net/dp8393x.c | 39 ++++++++++++++++++++++++++++-----------
2782+ 1 file changed, 28 insertions(+), 11 deletions(-)
2783+
2784+diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
2785+index 40e3a029b6..0e9061d831 100644
2786+--- a/hw/net/dp8393x.c
2787++++ b/hw/net/dp8393x.c
2788+@@ -766,16 +766,23 @@ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf,
2789+ dp8393xState *s = qemu_get_nic_opaque(nc);
2790+ int packet_type;
2791+ uint32_t available, address;
2792+- int width, rx_len = pkt_size;
2793++ int width, rx_len, padded_len;
2794+ uint32_t checksum;
2795+ int size;
2796+
2797+- width = (s->regs[SONIC_DCR] & SONIC_DCR_DW) ? 2 : 1;
2798+-
2799+ s->regs[SONIC_RCR] &= ~(SONIC_RCR_PRX | SONIC_RCR_LBK | SONIC_RCR_FAER |
2800+ SONIC_RCR_CRCR | SONIC_RCR_LPKT | SONIC_RCR_BC | SONIC_RCR_MC);
2801+
2802+- if (pkt_size + 4 > dp8393x_rbwc(s) * 2) {
2803++ rx_len = pkt_size + sizeof(checksum);
2804++ if (s->regs[SONIC_DCR] & SONIC_DCR_DW) {
2805++ width = 2;
2806++ padded_len = ((rx_len - 1) | 3) + 1;
2807++ } else {
2808++ width = 1;
2809++ padded_len = ((rx_len - 1) | 1) + 1;
2810++ }
2811++
2812++ if (padded_len > dp8393x_rbwc(s) * 2) {
2813+ DPRINTF("oversize packet, pkt_size is %d\n", pkt_size);
2814+ s->regs[SONIC_ISR] |= SONIC_ISR_RBAE;
2815+ dp8393x_update_irq(s);
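Review bot: `padded_len = ((rx_len - 1) | 3) + 1` (and the `| 1` variant) rounds up to the bus width but reads as bit trickery; a comment such as `/* round rx_len up to 2 bytes (16-bit mode) or 4 bytes (32-bit mode) */`, or QEMU_ALIGN_UP(rx_len, 2 * width) if that helper is available in this tree, would make the intent obvious. The expression relies on rx_len being at least sizeof(checksum) so that `rx_len - 1` cannot go negative, which holds because rx_len is assigned `pkt_size + sizeof(checksum)` just above, and the subsequent comparison against `dp8393x_rbwc(s) * 2` mixes int with uint32_t so a negative padded_len would read as huge; both facts merit a line. dp8393x_receive() continues below this hunk.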
2816+@@ -810,22 +817,32 @@ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf,
2817+ s->regs[SONIC_TRBA0] = s->regs[SONIC_CRBA0];
2818+
2819+ /* Calculate the ethernet checksum */
2820+- checksum = cpu_to_le32(crc32(0, buf, rx_len));
2821++ checksum = cpu_to_le32(crc32(0, buf, pkt_size));
2822+
2823+ /* Put packet into RBA */
2824+ DPRINTF("Receive packet at %08x\n", dp8393x_crba(s));
2825+ address = dp8393x_crba(s);
2826+ address_space_rw(&s->as, address,
2827+- MEMTXATTRS_UNSPECIFIED, (uint8_t *)buf, rx_len, 1);
2828+- address += rx_len;
2829++ MEMTXATTRS_UNSPECIFIED, (uint8_t *)buf, pkt_size, 1);
2830++ address += pkt_size;
2831++
2832++ /* Put frame checksum into RBA */
2833+ address_space_rw(&s->as, address,
2834+- MEMTXATTRS_UNSPECIFIED, (uint8_t *)&checksum, 4, 1);
2835+- address += 4;
2836+- rx_len += 4;
2837++ MEMTXATTRS_UNSPECIFIED, (uint8_t *)&checksum, sizeof(checksum), 1);
2838++ address += sizeof(checksum);
2839++
2840++ /* Pad short packets to keep pointers aligned */
2841++ if (rx_len < padded_len) {
2842++ size = padded_len - rx_len;
2843++ address_space_rw(&s->as, address, MEMTXATTRS_UNSPECIFIED,
2844++ (uint8_t *)"\xFF\xFF\xFF", size, 1);
2845++ address += size;
2846++ }
2847++
2848+ s->regs[SONIC_CRBA1] = address >> 16;
2849+ s->regs[SONIC_CRBA0] = address & 0xffff;
2850+ available = dp8393x_rbwc(s);
2851+- available -= rx_len / 2;
2852++ available -= padded_len >> 1;
2853+ s->regs[SONIC_RBWC1] = available >> 16;
2854+ s->regs[SONIC_RBWC0] = available & 0xffff;
2855+
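Review bot: The padding write sources `size` bytes from the literal `"\xFF\xFF\xFF"`, which holds only three 0xFF bytes, so correctness depends on padded_len - rx_len never exceeding 3; that follows from the alignment computed earlier (at most 1 pad byte in 16-bit mode, 3 in 32-bit mode) but should be stated at the call, e.g. `/* at most 3 pad bytes (long-word mode), so the 3-byte literal suffices */`. The `(uint8_t *)` cast also discards the literal's const-ness; the write direction (last argument 1) means address_space_rw() only reads from it, so this is safe, though a `static const uint8_t pad[3]` would make the read-only source explicit even if the prototype still needs the cast. The enclosing function continues past the hunk.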
2856+--
2857+2.28.0
2858+
2859diff --git a/debian/patches/stable/lp-1891877-dp8393x-Update-LLFA-and-CRDA-registers-from-rx-descr.patch b/debian/patches/stable/lp-1891877-dp8393x-Update-LLFA-and-CRDA-registers-from-rx-descr.patch
2860new file mode 100644
2861index 0000000..d150124
2862--- /dev/null
2863+++ b/debian/patches/stable/lp-1891877-dp8393x-Update-LLFA-and-CRDA-registers-from-rx-descr.patch
2864@@ -0,0 +1,75 @@
2865+From edd67a61f499982bcc2098962c8e04c5210f2f80 Mon Sep 17 00:00:00 2001
2866+From: Finn Thain <fthain@telegraphics.com.au>
2867+Date: Wed, 29 Jan 2020 20:27:49 +1100
2868+Subject: [PATCH] dp8393x: Update LLFA and CRDA registers from rx descriptor
2869+MIME-Version: 1.0
2870+Content-Type: text/plain; charset=UTF-8
2871+Content-Transfer-Encoding: 8bit
2872+
2873+Follow the algorithm given in the National Semiconductor DP83932C
2874+datasheet in section 3.4.7:
2875+
2876+ At the next reception, the SONIC re-reads the last RXpkt.link field,
2877+ and updates its CRDA register to point to the next descriptor.
2878+
2879+The chip is designed to allow the host to provide a new list of
2880+descriptors in this way.
2881+
2882+Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
2883+Tested-by: Laurent Vivier <laurent@vivier.eu>
2884+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
2885+Signed-off-by: Jason Wang <jasowang@redhat.com>
2886+(cherry picked from commit 5b0c98fcb7ac006bd8efe0e0fecba52c43a9d028)
2887+*drop context dep on 19f70347731
2888+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2889+
2890+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=edd67a61f4
2891+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
2892+Last-Update: 2020-08-19
2893+
2894+---
2895+ hw/net/dp8393x.c | 11 +++++++----
2896+ 1 file changed, 7 insertions(+), 4 deletions(-)
2897+
2898+diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
2899+index a696485a55..8dd6bf032c 100644
2900+--- a/hw/net/dp8393x.c
2901++++ b/hw/net/dp8393x.c
2902+@@ -784,12 +784,13 @@ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf,
2903+ address = dp8393x_crda(s) + sizeof(uint16_t) * 5 * width;
2904+ address_space_rw(&s->as, address, MEMTXATTRS_UNSPECIFIED,
2905+ (uint8_t *)s->data, size, 0);
2906+- if (dp8393x_get(s, width, 0) & SONIC_DESC_EOL) {
2907++ s->regs[SONIC_LLFA] = dp8393x_get(s, width, 0);
2908++ if (s->regs[SONIC_LLFA] & SONIC_DESC_EOL) {
2909+ /* Still EOL ; stop reception */
2910+ return -1;
2911+- } else {
2912+- s->regs[SONIC_CRDA] = s->regs[SONIC_LLFA];
2913+ }
2914++ /* Link has been updated by host */
2915++ s->regs[SONIC_CRDA] = s->regs[SONIC_LLFA];
2916+ }
2917+
2918+ /* Save current position */
2919+@@ -837,7 +838,7 @@ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf,
2920+ address_space_rw(&s->as, dp8393x_crda(s),
2921+ MEMTXATTRS_UNSPECIFIED, (uint8_t *)s->data, size, 1);
2922+
2923+- /* Move to next descriptor */
2924++ /* Check link field */
2925+ size = sizeof(uint16_t) * width;
2926+ address_space_rw(&s->as, dp8393x_crda(s) + sizeof(uint16_t) * 5 * width,
2927+ MEMTXATTRS_UNSPECIFIED, (uint8_t *)s->data, size, 0);
2928+@@ -852,6 +853,8 @@ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf,
2929+ dp8393x_put(s, width, 0, 0);
2930+ address_space_rw(&s->as, address, MEMTXATTRS_UNSPECIFIED,
2931+ (uint8_t *)s->data, size, true);
2932++
2933++ /* Move to next descriptor */
2934+ s->regs[SONIC_CRDA] = s->regs[SONIC_LLFA];
2935+ s->regs[SONIC_ISR] |= SONIC_ISR_PKTRX;
2936+ s->regs[SONIC_RSC] = (s->regs[SONIC_RSC] & 0xff00) | (((s->regs[SONIC_RSC] & 0x00ff) + 1) & 0x00ff);
2937+--
2938+2.28.0
2939+
2940diff --git a/debian/patches/stable/lp-1891877-dp8393x-Use-long-word-aligned-RRA-pointers-in-32-bit.patch b/debian/patches/stable/lp-1891877-dp8393x-Use-long-word-aligned-RRA-pointers-in-32-bit.patch
2941new file mode 100644
2942index 0000000..6026297
2943--- /dev/null
2944+++ b/debian/patches/stable/lp-1891877-dp8393x-Use-long-word-aligned-RRA-pointers-in-32-bit.patch
2945@@ -0,0 +1,60 @@
2946+From e7cad754fd0bf00c671a1509acc2981f11736ee8 Mon Sep 17 00:00:00 2001
2947+From: Finn Thain <fthain@telegraphics.com.au>
2948+Date: Wed, 29 Jan 2020 20:27:49 +1100
2949+Subject: [PATCH] dp8393x: Use long-word-aligned RRA pointers in 32-bit mode
2950+MIME-Version: 1.0
2951+Content-Type: text/plain; charset=UTF-8
2952+Content-Transfer-Encoding: 8bit
2953+
2954+Section 3.4.1 of the datasheet says,
2955+
2956+ The alignment of the RRA is confined to either word or long word
2957+ boundaries, depending upon the data width mode. In 16-bit mode,
2958+ the RRA must be aligned to a word boundary (A0 is always zero)
2959+ and in 32-bit mode, the RRA is aligned to a long word boundary
2960+ (A0 and A1 are always zero).
2961+
2962+This constraint has been implemented for 16-bit mode; implement it
2963+for 32-bit mode too.
2964+
2965+Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
2966+Tested-by: Laurent Vivier <laurent@vivier.eu>
2967+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
2968+Signed-off-by: Jason Wang <jasowang@redhat.com>
2969+(cherry picked from commit ea2270279bc2e1635cb6e909e22e17e630198773)
2970+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2971+
2972+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=e7cad754fd
2973+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
2974+Last-Update: 2020-08-19
2975+
2976+---
2977+ hw/net/dp8393x.c | 8 ++++++--
2978+ 1 file changed, 6 insertions(+), 2 deletions(-)
2979+
2980+diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
2981+index 315b4ad844..40e3a029b6 100644
2982+--- a/hw/net/dp8393x.c
2983++++ b/hw/net/dp8393x.c
2984+@@ -663,12 +663,16 @@ static void dp8393x_write(void *opaque, hwaddr addr, uint64_t data,
2985+ qemu_flush_queued_packets(qemu_get_queue(s->nic));
2986+ }
2987+ break;
2988+- /* Ignore least significant bit */
2989++ /* The guest is required to store aligned pointers here */
2990+ case SONIC_RSA:
2991+ case SONIC_REA:
2992+ case SONIC_RRP:
2993+ case SONIC_RWP:
2994+- s->regs[reg] = val & 0xfffe;
2995++ if (s->regs[SONIC_DCR] & SONIC_DCR_DW) {
2996++ s->regs[reg] = val & 0xfffc;
2997++ } else {
2998++ s->regs[reg] = val & 0xfffe;
2999++ }
3000+ break;
3001+ /* Invert written value for some registers */
3002+ case SONIC_CRCT:
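Review bot: The extra masking is applied only at the moment RSA/REA/RRP/RWP are written and is chosen from the DCR_DW bit at that time, so a guest that stores the four RRA pointers first and switches DCR to 32-bit mode afterwards keeps word-aligned rather than long-word-aligned values, and the datasheet invariant quoted in the commit message no longer holds. Either re-mask these registers in the SONIC_DCR write case (outside this hunk) or mask at the point of use in dp8393x_do_read_rra(), which is robust to write ordering. The new comment could also say what happens to the discarded bits, e.g. `/* The guest is required to store aligned pointers here; A0 (and A1 in 32-bit mode) are dropped */`. dp8393x_write() continues beyond this hunk.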
3003+--
3004+2.28.0
3005+
3006diff --git a/debian/patches/stable/lp-1891877-dump-Fix-writing-of-ELF-section.patch b/debian/patches/stable/lp-1891877-dump-Fix-writing-of-ELF-section.patch
3007new file mode 100644
3008index 0000000..41bf056
3009--- /dev/null
3010+++ b/debian/patches/stable/lp-1891877-dump-Fix-writing-of-ELF-section.patch
3011@@ -0,0 +1,51 @@
3012+From 25fcaed9a366314c21793e14624c89db75224b50 Mon Sep 17 00:00:00 2001
3013+From: Peter Maydell <peter.maydell@linaro.org>
3014+Date: Tue, 24 Mar 2020 17:36:30 +0000
3015+Subject: [PATCH] dump: Fix writing of ELF section
3016+MIME-Version: 1.0
3017+Content-Type: text/plain; charset=UTF-8
3018+Content-Transfer-Encoding: 8bit
3019+
3020+In write_elf_section() we set the 'shdr' pointer to point to local
3021+structures shdr32 or shdr64, which we fill in to be written out to
3022+the ELF dump. Unfortunately the address we pass to fd_write_vmcore()
3023+has a spurious '&' operator, so instead of writing out the section
3024+header we write out the literal pointer value followed by whatever is
3025+on the stack after the 'shdr' local variable.
3026+
3027+Pass the correct address into fd_write_vmcore().
3028+
3029+Spotted by Coverity: CID 1421970.
3030+
3031+Cc: qemu-stable@nongnu.org
3032+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
3033+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
3034+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
3035+Message-id: 20200324173630.12221-1-peter.maydell@linaro.org
3036+(cherry picked from commit 174d2d6856bf435f4f58e9303ba30dd0e1279d3f)
3037+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
3038+
3039+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=25fcaed9a3
3040+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
3041+Last-Update: 2020-08-19
3042+
3043+---
3044+ dump/dump.c | 2 +-
3045+ 1 file changed, 1 insertion(+), 1 deletion(-)
3046+
3047+diff --git a/dump/dump.c b/dump/dump.c
3048+index 6fb6e1245a..22ed1d3b0d 100644
3049+--- a/dump/dump.c
3050++++ b/dump/dump.c
3051+@@ -364,7 +364,7 @@ static void write_elf_section(DumpState *s, int type, Error **errp)
3052+ shdr = &shdr64;
3053+ }
3054+
3055+- ret = fd_write_vmcore(&shdr, shdr_size, s);
3056++ ret = fd_write_vmcore(shdr, shdr_size, s);
3057+ if (ret < 0) {
3058+ error_setg_errno(errp, -ret,
3059+ "dump: failed to write section header table");
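Review bot: The fix is right, but because shdr presumably aliases shdr32/shdr64 through a `void *` (its declaration is above this hunk) the old `&shdr` compiled without any warning, and the same slip can recur; a one-line comment at the call guards against it: `/* shdr points at shdr32 or shdr64: write the header, not the pointer's address */`. For triage it is worth noting that the old code wrote shdr_size bytes starting at the address of a local pointer, i.e. host stack contents landed in the vmcore, so dumps produced by unfixed builds should be treated as containing leaked host memory. write_elf_section() starts before this hunk.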
3060+--
3061+2.28.0
3062+
3063diff --git a/debian/patches/stable/lp-1891877-hmp-vnc-Fix-info-vnc-list-leak.patch b/debian/patches/stable/lp-1891877-hmp-vnc-Fix-info-vnc-list-leak.patch
3064new file mode 100644
3065index 0000000..1193bf2
3066--- /dev/null
3067+++ b/debian/patches/stable/lp-1891877-hmp-vnc-Fix-info-vnc-list-leak.patch
3068@@ -0,0 +1,54 @@
3069+From 674d3822250a8830fb8e9720ce499f2e8cef6a88 Mon Sep 17 00:00:00 2001
3070+From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
3071+Date: Mon, 23 Mar 2020 12:08:22 +0000
3072+Subject: [PATCH] hmp/vnc: Fix info vnc list leak
3073+
3074+We're iterating the list, and then freeing the iteration pointer rather
3075+than the list head.
3076+
3077+Fixes: 0a9667ecdb6d ("hmp: Update info vnc")
3078+Reported-by: Coverity (CID 1421932)
3079+Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
3080+Message-Id: <20200323120822.51266-1-dgilbert@redhat.com>
3081+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
3082+Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
3083+(cherry picked from commit d4ff109373ce871928c7e9ef648973eba642b484)
3084+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
3085+
3086+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=674d382225
3087+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
3088+Last-Update: 2020-08-19
3089+
3090+---
3091+ monitor/hmp-cmds.c | 5 +++--
3092+ 1 file changed, 3 insertions(+), 2 deletions(-)
3093+
3094+diff --git a/monitor/hmp-cmds.c b/monitor/hmp-cmds.c
3095+index b2551c16d1..2fdc84ec99 100644
3096+--- a/monitor/hmp-cmds.c
3097++++ b/monitor/hmp-cmds.c
3098+@@ -729,10 +729,11 @@ static void hmp_info_vnc_servers(Monitor *mon, VncServerInfo2List *server)
3099+
3100+ void hmp_info_vnc(Monitor *mon, const QDict *qdict)
3101+ {
3102+- VncInfo2List *info2l;
3103++ VncInfo2List *info2l, *info2l_head;
3104+ Error *err = NULL;
3105+
3106+ info2l = qmp_query_vnc_servers(&err);
3107++ info2l_head = info2l;
3108+ if (err) {
3109+ hmp_handle_error(mon, &err);
3110+ return;
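Review bot: The fix introduces a second pointer to the list head, but the more conventional shape is to leave the owning variable untouched and walk with a cursor, which avoids the class of bug being fixed: declare `VncInfo2List *info2l, *info;`, iterate with `for (info = info2l; info; info = info->next)`, and free `info2l` at the end. As written, `info2l_head = info2l;` is also assigned before the error check; by QAPI convention the returned list is NULL when err is set, so nothing leaks there, but assigning after the check would make that reliance explicit. The loop body between the two hunks is not visible here.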
3111+@@ -761,7 +762,7 @@ void hmp_info_vnc(Monitor *mon, const QDict *qdict)
3112+ info2l = info2l->next;
3113+ }
3114+
3115+- qapi_free_VncInfo2List(info2l);
3116++ qapi_free_VncInfo2List(info2l_head);
3117+
3118+ }
3119+ #endif
3120+--
3121+2.28.0
3122+
3123diff --git a/debian/patches/stable/lp-1891877-hostmem-don-t-use-mbind-if-host-nodes-is-empty.patch b/debian/patches/stable/lp-1891877-hostmem-don-t-use-mbind-if-host-nodes-is-empty.patch
3124new file mode 100644
3125index 0000000..27298fa
3126--- /dev/null
3127+++ b/debian/patches/stable/lp-1891877-hostmem-don-t-use-mbind-if-host-nodes-is-empty.patch
3128@@ -0,0 +1,61 @@
3129+From 34c78a4100c967cc385fcfd4c2295b2b0ebd8786 Mon Sep 17 00:00:00 2001
3130+From: Igor Mammedov <imammedo@redhat.com>
3131+Date: Thu, 30 Apr 2020 11:46:06 -0400
3132+Subject: [PATCH] hostmem: don't use mbind() if host-nodes is empty
3133+MIME-Version: 1.0
3134+Content-Type: text/plain; charset=UTF-8
3135+Content-Transfer-Encoding: 8bit
3136+
3137+Since 5.0 QEMU uses hostmem backend for allocating main guest RAM.
3138+The backend however calls mbind() which is typically NOP
3139+in case of default policy/absent host-nodes bitmap.
3140+However when runing in container with black-listed mbind()
3141+syscall, QEMU fails to start with error
3142+ "cannot bind memory to host NUMA nodes: Operation not permitted"
3143+even when user hasn't provided host-nodes to pin to explictly
3144+(which is the case with -m option)
3145+
3146+To fix issue, call mbind() only in case when user has provided
3147+host-nodes explicitly (i.e. host_nodes bitmap is not empty).
3148+That should allow to run QEMU in containers with black-listed
3149+mbind() without memory pinning. If QEMU provided memory-pinning
3150+is required user still has to white-list mbind() in container
3151+configuration.
3152+
3153+Reported-by: Manuel Hohmann <mhohmann@physnet.uni-hamburg.de>
3154+Signed-off-by: Igor Mammedov <imammedo@redhat.com>
3155+Message-Id: <20200430154606.6421-1-imammedo@redhat.com>
3156+Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
3157+Cc: qemu-stable@nongnu.org
3158+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
3159+(cherry picked from commit 70b6d525dfb51d5e523d568d1139fc051bc223c5)
3160+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
3161+
3162+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=34c78a4100
3163+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
3164+Last-Update: 2020-08-19
3165+
3166+---
3167+ backends/hostmem.c | 6 ++++--
3168+ 1 file changed, 4 insertions(+), 2 deletions(-)
3169+
3170+diff --git a/backends/hostmem.c b/backends/hostmem.c
3171+index e773bdfa6e..21b1993e49 100644
3172+--- a/backends/hostmem.c
3173++++ b/backends/hostmem.c
3174+@@ -363,8 +363,10 @@ host_memory_backend_memory_complete(UserCreatable *uc, Error **errp)
3175+ assert(sizeof(backend->host_nodes) >=
3176+ BITS_TO_LONGS(MAX_NODES + 1) * sizeof(unsigned long));
3177+ assert(maxnode <= MAX_NODES);
3178+- if (mbind(ptr, sz, backend->policy,
3179+- maxnode ? backend->host_nodes : NULL, maxnode + 1, flags)) {
3180++
3181++ if (maxnode &&
3182++ mbind(ptr, sz, backend->policy, backend->host_nodes, maxnode + 1,
3183++ flags)) {
3184+ if (backend->policy != MPOL_DEFAULT || errno != ENOSYS) {
3185+ error_setg_errno(errp, errno,
3186+ "cannot bind memory to host NUMA nodes");
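Review bot: Skipping mbind() whenever maxnode is 0 also skips it when the user asked for a non-default policy (bind or interleave) but gave no host-nodes, so that configuration is now accepted and silently ignored rather than failing; before this change mbind() itself would, as far as I can tell, have rejected an empty node mask for MPOL_BIND with EINVAL and surfaced the mistake through the error path kept below. Guard the combination explicitly before the call, e.g. `if (!maxnode && backend->policy != MPOL_DEFAULT) { error_setg(errp, "host-nodes must be set for a non-default policy"); return; }`, keeping the `maxnode &&` short-circuit for the default-policy case the commit targets. host_memory_backend_memory_complete() begins before and ends after this hunk, so the exact return path should be checked against its cleanup.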
3187+--
3188+2.28.0
3189+
3190diff --git a/debian/patches/stable/lp-1891877-hw-arm-cubieboard-use-ARM-Cortex-A8-as-the-default-C.patch b/debian/patches/stable/lp-1891877-hw-arm-cubieboard-use-ARM-Cortex-A8-as-the-default-C.patch
3191new file mode 100644
3192index 0000000..7690bd7
3193--- /dev/null
3194+++ b/debian/patches/stable/lp-1891877-hw-arm-cubieboard-use-ARM-Cortex-A8-as-the-default-C.patch
3195@@ -0,0 +1,59 @@
3196+From 9dd68ac26b5a413dc948efe9bbf414702bc200da Mon Sep 17 00:00:00 2001
3197+From: Niek Linnenbank <nieklinnenbank@gmail.com>
3198+Date: Thu, 5 Mar 2020 16:09:19 +0000
3199+Subject: [PATCH] hw/arm/cubieboard: use ARM Cortex-A8 as the default CPU in
3200+ machine definition
3201+MIME-Version: 1.0
3202+Content-Type: text/plain; charset=UTF-8
3203+Content-Transfer-Encoding: 8bit
3204+
3205+The Cubieboard is a singleboard computer with an Allwinner A10 System-on-Chip [1].
3206+As documented in the Allwinner A10 User Manual V1.5 [2], the SoC has an ARM
3207+Cortex-A8 processor. Currently the Cubieboard machine definition specifies the
3208+ARM Cortex-A9 in its description and as the default CPU.
3209+
3210+This patch corrects the Cubieboard machine definition to use the ARM Cortex-A8.
3211+
3212+The only user-visible effect is that our textual description of the
3213+machine was wrong, because hw/arm/allwinner-a10.c always creates a
3214+Cortex-A8 CPU regardless of the default value in the MachineClass struct.
3215+
3216+ [1] http://docs.cubieboard.org/products/start#cubieboard1
3217+ [2] https://linux-sunxi.org/File:Allwinner_A10_User_manual_V1.5.pdf
3218+
3219+Fixes: 8a863c8120994981a099
3220+Signed-off-by: Niek Linnenbank <nieklinnenbank@gmail.com>
3221+Message-id: 20200227220149.6845-2-nieklinnenbank@gmail.com
3222+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
3223+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
3224+[note in commit message that the bug didn't have much visible effect]
3225+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
3226+(cherry picked from commit 2104df2a1fbf44b2564427aa72fd58d66ce290a7)
3227+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
3228+
3229+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=9dd68ac26b
3230+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
3231+Last-Update: 2020-08-19
3232+
3233+---
3234+ hw/arm/cubieboard.c | 4 ++--
3235+ 1 file changed, 2 insertions(+), 2 deletions(-)
3236+
3237+diff --git a/hw/arm/cubieboard.c b/hw/arm/cubieboard.c
3238+index 6dc2f1d6b6..d8e8919e79 100644
3239+--- a/hw/arm/cubieboard.c
3240++++ b/hw/arm/cubieboard.c
3241+@@ -78,8 +78,8 @@ static void cubieboard_init(MachineState *machine)
3242+
3243+ static void cubieboard_machine_init(MachineClass *mc)
3244+ {
3245+- mc->desc = "cubietech cubieboard (Cortex-A9)";
3246+- mc->default_cpu_type = ARM_CPU_TYPE_NAME("cortex-a9");
3247++ mc->desc = "cubietech cubieboard (Cortex-A8)";
3248++ mc->default_cpu_type = ARM_CPU_TYPE_NAME("cortex-a8");
3249+ mc->init = cubieboard_init;
3250+ mc->block_default_type = IF_IDE;
3251+ mc->units_per_default_bus = 1;
3252+--
3253+2.28.0
3254+
3255diff --git a/debian/patches/stable/lp-1891877-hw-arm-smmuv3-Align-stream-table-base-address-to-tab.patch b/debian/patches/stable/lp-1891877-hw-arm-smmuv3-Align-stream-table-base-address-to-tab.patch
3256new file mode 100644
3257index 0000000..eb50555
3258--- /dev/null
3259+++ b/debian/patches/stable/lp-1891877-hw-arm-smmuv3-Align-stream-table-base-address-to-tab.patch
3260@@ -0,0 +1,83 @@
3261+From 65fad28d85f137edd895ac90a83b42bb36aad481 Mon Sep 17 00:00:00 2001
3262+From: Simon Veith <sveith@amazon.de>
3263+Date: Fri, 20 Dec 2019 14:03:00 +0000
3264+Subject: [PATCH] hw/arm/smmuv3: Align stream table base address to table size
3265+
3266+Per the specification, and as observed in hardware, the SMMUv3 aligns
3267+the SMMU_STRTAB_BASE address to the size of the table by masking out the
3268+respective least significant bits in the ADDR field.
3269+
3270+Apply this masking logic to our smmu_find_ste() lookup function per the
3271+specification.
3272+
3273+ref. ARM IHI 0070C, section 6.3.23.
3274+
3275+Signed-off-by: Simon Veith <sveith@amazon.de>
3276+Acked-by: Eric Auger <eric.auger@redhat.com>
3277+Tested-by: Eric Auger <eric.auger@redhat.com>
3278+Message-id: 1576509312-13083-5-git-send-email-sveith@amazon.de
3279+Cc: Eric Auger <eric.auger@redhat.com>
3280+Cc: qemu-devel@nongnu.org
3281+Cc: qemu-arm@nongnu.org
3282+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
3283+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
3284+(cherry picked from commit 41678c33aac61261522b74f08595ccf2221a430a)
3285+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
3286+
3287+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=65fad28d85
3288+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
3289+Last-Update: 2020-08-19
3290+
3291+---
3292+ hw/arm/smmuv3.c | 18 ++++++++++++++----
3293+ 1 file changed, 14 insertions(+), 4 deletions(-)
3294+
3295+diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
3296+index 727558bcfa..31ac3ca32e 100644
3297+--- a/hw/arm/smmuv3.c
3298++++ b/hw/arm/smmuv3.c
3299+@@ -376,8 +376,9 @@ bad_ste:
3300+ static int smmu_find_ste(SMMUv3State *s, uint32_t sid, STE *ste,
3301+ SMMUEventInfo *event)
3302+ {
3303+- dma_addr_t addr;
3304++ dma_addr_t addr, strtab_base;
3305+ uint32_t log2size;
3306++ int strtab_size_shift;
3307+ int ret;
3308+
3309+ trace_smmuv3_find_ste(sid, s->features, s->sid_split);
3310+@@ -391,10 +392,16 @@ static int smmu_find_ste(SMMUv3State *s, uint32_t sid, STE *ste,
3311+ }
3312+ if (s->features & SMMU_FEATURE_2LVL_STE) {
3313+ int l1_ste_offset, l2_ste_offset, max_l2_ste, span;
3314+- dma_addr_t strtab_base, l1ptr, l2ptr;
3315++ dma_addr_t l1ptr, l2ptr;
3316+ STEDesc l1std;
3317+
3318+- strtab_base = s->strtab_base & SMMU_BASE_ADDR_MASK;
3319++ /*
3320++ * Align strtab base address to table size. For this purpose, assume it
3321++ * is not bounded by SMMU_IDR1_SIDSIZE.
3322++ */
3323++ strtab_size_shift = MAX(5, (int)log2size - s->sid_split - 1 + 3);
3324++ strtab_base = s->strtab_base & SMMU_BASE_ADDR_MASK &
3325++ ~MAKE_64BIT_MASK(0, strtab_size_shift);
3326+ l1_ste_offset = sid >> s->sid_split;
3327+ l2_ste_offset = sid & ((1 << s->sid_split) - 1);
3328+ l1ptr = (dma_addr_t)(strtab_base + l1_ste_offset * sizeof(l1std));
3329+@@ -433,7 +440,10 @@ static int smmu_find_ste(SMMUv3State *s, uint32_t sid, STE *ste,
3330+ }
3331+ addr = l2ptr + l2_ste_offset * sizeof(*ste);
3332+ } else {
3333+- addr = (s->strtab_base & SMMU_BASE_ADDR_MASK) + sid * sizeof(*ste);
3334++ strtab_size_shift = log2size + 5;
3335++ strtab_base = s->strtab_base & SMMU_BASE_ADDR_MASK &
3336++ ~MAKE_64BIT_MASK(0, strtab_size_shift);
3337++ addr = strtab_base + sid * sizeof(*ste);
3338+ }
3339+
3340+ if (smmu_get_ste(s, addr, ste, event)) {
3341+--
3342+2.28.0
3343+
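Review bot: The shift constants `5` and `3` in the two `strtab_size_shift` computations are unexplained magic numbers; they appear to be log2 of `sizeof(*ste)` and `sizeof(l1std)` respectively, but nothing in the hunk says so. A comment above the first computation such as `/* 5 == log2(sizeof(STE)), 3 == log2(sizeof(STEDesc)): table size is entries * entry size */` would let a reader check the mask width against the spec. `log2size` is read from the guest-programmable STRTAB_BASE_CFG register (see the companion lp-1891877-hw-arm-smmuv3-Check-stream-IDs patch), so the comment should also state why the mask cannot overflow — presumably because LOG2SIZE is a narrow field and `log2size + 5` stays far below 64; confirm against the FIELD() width. smmu_find_ste's body continues outside the hunks.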
3344diff --git a/debian/patches/stable/lp-1891877-hw-arm-smmuv3-Apply-address-mask-to-linear-strtab-ba.patch b/debian/patches/stable/lp-1891877-hw-arm-smmuv3-Apply-address-mask-to-linear-strtab-ba.patch
3345new file mode 100644
3346index 0000000..c88cb54
3347--- /dev/null
3348+++ b/debian/patches/stable/lp-1891877-hw-arm-smmuv3-Apply-address-mask-to-linear-strtab-ba.patch
3349@@ -0,0 +1,59 @@
3350+From e8ae3a4e2bb72ae636ecbf201b0f74d4bf7d5aeb Mon Sep 17 00:00:00 2001
3351+From: Simon Veith <sveith@amazon.de>
3352+Date: Fri, 20 Dec 2019 14:03:00 +0000
3353+Subject: [PATCH] hw/arm/smmuv3: Apply address mask to linear strtab base
3354+ address
3355+
3356+In the SMMU_STRTAB_BASE register, the stream table base address only
3357+occupies bits [51:6]. Other bits, such as RA (bit [62]), must be masked
3358+out to obtain the base address.
3359+
3360+The branch for 2-level stream tables correctly applies this mask by way
3361+of SMMU_BASE_ADDR_MASK, but the one for linear stream tables does not.
3362+
3363+Apply the missing mask in that case as well so that the correct stream
3364+base address is used by guests which configure a linear stream table.
3365+
3366+Linux guests are unaffected by this change because they choose a 2-level
3367+stream table layout for the QEMU SMMUv3, based on the size of its stream
3368+ID space.
3369+
3370+ref. ARM IHI 0070C, section 6.3.23.
3371+
3372+Signed-off-by: Simon Veith <sveith@amazon.de>
3373+Acked-by: Eric Auger <eric.auger@redhat.com>
3374+Tested-by: Eric Auger <eric.auger@redhat.com>
3375+Message-id: 1576509312-13083-2-git-send-email-sveith@amazon.de
3376+Cc: Eric Auger <eric.auger@redhat.com>
3377+Cc: qemu-devel@nongnu.org
3378+Cc: qemu-arm@nongnu.org
3379+Acked-by: Eric Auger <eric.auger@redhat.com>
3380+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
3381+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
3382+(cherry picked from commit 3d44c60500785f18bb469c9de0aeba7415c0f28f)
3383+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
3384+
3385+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=e8ae3a4e2b
3386+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
3387+Last-Update: 2020-08-19
3388+
3389+---
3390+ hw/arm/smmuv3.c | 2 +-
3391+ 1 file changed, 1 insertion(+), 1 deletion(-)
3392+
3393+diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
3394+index e2fbb8357e..eef9a18d70 100644
3395+--- a/hw/arm/smmuv3.c
3396++++ b/hw/arm/smmuv3.c
3397+@@ -429,7 +429,7 @@ static int smmu_find_ste(SMMUv3State *s, uint32_t sid, STE *ste,
3398+ }
3399+ addr = l2ptr + l2_ste_offset * sizeof(*ste);
3400+ } else {
3401+- addr = s->strtab_base + sid * sizeof(*ste);
3402++ addr = (s->strtab_base & SMMU_BASE_ADDR_MASK) + sid * sizeof(*ste);
3403+ }
3404+
3405+ if (smmu_get_ste(s, addr, ste, event)) {
3406+--
3407+2.28.0
3408+
3409diff --git a/debian/patches/stable/lp-1891877-hw-arm-smmuv3-Check-stream-IDs-against-actual-table-.patch b/debian/patches/stable/lp-1891877-hw-arm-smmuv3-Check-stream-IDs-against-actual-table-.patch
3410new file mode 100644
3411index 0000000..90f85c4
3412--- /dev/null
3413+++ b/debian/patches/stable/lp-1891877-hw-arm-smmuv3-Check-stream-IDs-against-actual-table-.patch
3414@@ -0,0 +1,63 @@
3415+From 256ecc06eb534e7d851fcdf667132a8721b5ad61 Mon Sep 17 00:00:00 2001
3416+From: Simon Veith <sveith@amazon.de>
3417+Date: Fri, 20 Dec 2019 14:03:00 +0000
3418+Subject: [PATCH] hw/arm/smmuv3: Check stream IDs against actual table LOG2SIZE
3419+
3420+When checking whether a stream ID is in range of the stream table, we
3421+have so far been only checking it against our implementation limit
3422+(SMMU_IDR1_SIDSIZE). However, the guest can program the
3423+STRTAB_BASE_CFG.LOG2SIZE field to a size that is smaller than this
3424+limit.
3425+
3426+Check the stream ID against this limit as well to match the hardware
3427+behavior of raising C_BAD_STREAMID events in case the limit is exceeded.
3428+Also, ensure that we do not go one entry beyond the end of the table by
3429+checking that its index is strictly smaller than the table size.
3430+
3431+ref. ARM IHI 0070C, section 6.3.24.
3432+
3433+Signed-off-by: Simon Veith <sveith@amazon.de>
3434+Acked-by: Eric Auger <eric.auger@redhat.com>
3435+Tested-by: Eric Auger <eric.auger@redhat.com>
3436+Message-id: 1576509312-13083-4-git-send-email-sveith@amazon.de
3437+Cc: Eric Auger <eric.auger@redhat.com>
3438+Cc: qemu-devel@nongnu.org
3439+Cc: qemu-arm@nongnu.org
3440+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
3441+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
3442+(cherry picked from commit 05ff2fb80ce4ca85d8a39d48ff8156de739b4f51)
3443+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
3444+
3445+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=256ecc06eb
3446+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
3447+Last-Update: 2020-08-19
3448+
3449+---
3450+ hw/arm/smmuv3.c | 8 ++++++--
3451+ 1 file changed, 6 insertions(+), 2 deletions(-)
3452+
3453+diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
3454+index eef9a18d70..727558bcfa 100644
3455+--- a/hw/arm/smmuv3.c
3456++++ b/hw/arm/smmuv3.c
3457+@@ -377,11 +377,15 @@ static int smmu_find_ste(SMMUv3State *s, uint32_t sid, STE *ste,
3458+ SMMUEventInfo *event)
3459+ {
3460+ dma_addr_t addr;
3461++ uint32_t log2size;
3462+ int ret;
3463+
3464+ trace_smmuv3_find_ste(sid, s->features, s->sid_split);
3465+- /* Check SID range */
3466+- if (sid > (1 << SMMU_IDR1_SIDSIZE)) {
3467++ log2size = FIELD_EX32(s->strtab_base_cfg, STRTAB_BASE_CFG, LOG2SIZE);
3468++ /*
3469++ * Check SID range against both guest-configured and implementation limits
3470++ */
3471++ if (sid >= (1 << MIN(log2size, SMMU_IDR1_SIDSIZE))) {
3472+ event->type = SMMU_EVT_C_BAD_STREAMID;
3473+ return -EINVAL;
3474+ }
3475+--
3476+2.28.0
3477+
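Review bot: The bound `(1 << MIN(log2size, SMMU_IDR1_SIDSIZE))` is an `int` compared against the `uint32_t` `sid`, so it is promoted to unsigned for the comparison; that is only correct while the shift result is non-negative, which holds for the current `SMMU_IDR1_SIDSIZE` but is not evident from the line itself. Writing `if (sid >= (1U << MIN(log2size, SMMU_IDR1_SIDSIZE))) {` keeps the expression unsigned throughout and avoids the -Wsign-compare concern. Since `log2size` now comes straight from a guest-programmable register, this check is what keeps an out-of-table stream ID from being used as an index further down, and the added comment could say so, e.g. `/* LOG2SIZE is guest-controlled; MIN() keeps sid within both the guest-configured table and our implementation limit */`. The rest of smmu_find_ste lies outside the hunk.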
3478diff --git a/debian/patches/stable/lp-1891877-hw-arm-smmuv3-Correct-SMMU_BASE_ADDR_MASK-value.patch b/debian/patches/stable/lp-1891877-hw-arm-smmuv3-Correct-SMMU_BASE_ADDR_MASK-value.patch
3479new file mode 100644
3480index 0000000..11865de
3481--- /dev/null
3482+++ b/debian/patches/stable/lp-1891877-hw-arm-smmuv3-Correct-SMMU_BASE_ADDR_MASK-value.patch
3483@@ -0,0 +1,52 @@
3484+From 606a6bf788d37a524c89e2627a44693afb5cb6a1 Mon Sep 17 00:00:00 2001
3485+From: Simon Veith <sveith@amazon.de>
3486+Date: Fri, 20 Dec 2019 14:03:00 +0000
3487+Subject: [PATCH] hw/arm/smmuv3: Correct SMMU_BASE_ADDR_MASK value
3488+
3489+There are two issues with the current value of SMMU_BASE_ADDR_MASK:
3490+
3491+- At the lower end, we are clearing bits [4:0]. Per the SMMUv3 spec,
3492+ we should also be treating bit 5 as zero in the base address.
3493+- At the upper end, we are clearing bits [63:48]. Per the SMMUv3 spec,
3494+ only bits [63:52] must be explicitly treated as zero.
3495+
3496+Update the SMMU_BASE_ADDR_MASK value to mask out bits [63:52] and [5:0].
3497+
3498+ref. ARM IHI 0070C, section 6.3.23.
3499+
3500+Signed-off-by: Simon Veith <sveith@amazon.de>
3501+Acked-by: Eric Auger <eric.auger@redhat.com>
3502+Tested-by: Eric Auger <eric.auger@redhat.com>
3503+Message-id: 1576509312-13083-3-git-send-email-sveith@amazon.de
3504+Cc: Eric Auger <eric.auger@redhat.com>
3505+Cc: qemu-devel@nongnu.org
3506+Cc: qemu-arm@nongnu.org
3507+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
3508+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
3509+(cherry picked from commit 3293b9f514a413e019b7dbc9d543458075b4849e)
3510+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
3511+
3512+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=606a6bf788
3513+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
3514+Last-Update: 2020-08-19
3515+
3516+---
3517+ hw/arm/smmuv3-internal.h | 2 +-
3518+ 1 file changed, 1 insertion(+), 1 deletion(-)
3519+
3520+diff --git a/hw/arm/smmuv3-internal.h b/hw/arm/smmuv3-internal.h
3521+index d190181ef1..042b435808 100644
3522+--- a/hw/arm/smmuv3-internal.h
3523++++ b/hw/arm/smmuv3-internal.h
3524+@@ -99,7 +99,7 @@ REG32(GERROR_IRQ_CFG2, 0x74)
3525+
3526+ #define A_STRTAB_BASE 0x80 /* 64b */
3527+
3528+-#define SMMU_BASE_ADDR_MASK 0xffffffffffe0
3529++#define SMMU_BASE_ADDR_MASK 0xfffffffffffc0
3530+
3531+ REG32(STRTAB_BASE_CFG, 0x88)
3532+ FIELD(STRTAB_BASE_CFG, FMT, 16, 2)
3533+--
3534+2.28.0
3535+
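Review bot: The new mask literal `0xfffffffffffc0` has to be counted digit by digit to confirm it covers bits [51:6], and it carries no width suffix. Expressing it with the helper this series already uses elsewhere, `#define SMMU_BASE_ADDR_MASK MAKE_64BIT_MASK(6, 46)`, encodes the spec's bit range directly and is trivially checkable against section 6.3.23. If the literal is kept, a trailing comment `/* bits [51:6] of SMMU_STRTAB_BASE */` serves the same purpose.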
3536diff --git a/debian/patches/stable/lp-1891877-hw-arm-smmuv3-Report-F_STE_FETCH-fault-address-in-co.patch b/debian/patches/stable/lp-1891877-hw-arm-smmuv3-Report-F_STE_FETCH-fault-address-in-co.patch
3537new file mode 100644
3538index 0000000..b7cc26c
3539--- /dev/null
3540+++ b/debian/patches/stable/lp-1891877-hw-arm-smmuv3-Report-F_STE_FETCH-fault-address-in-co.patch
3541@@ -0,0 +1,55 @@
3542+From 9b59fdf47822acb6f2f6be5629829f27ffb08d41 Mon Sep 17 00:00:00 2001
3543+From: Simon Veith <sveith@amazon.de>
3544+Date: Fri, 20 Dec 2019 14:03:00 +0000
3545+Subject: [PATCH] hw/arm/smmuv3: Report F_STE_FETCH fault address in correct
3546+ word position
3547+
3548+The smmuv3_record_event() function that generates the F_STE_FETCH error
3549+uses the EVT_SET_ADDR macro to record the fetch address, placing it in
3550+32-bit words 4 and 5.
3551+
3552+The correct position for this address is in words 6 and 7, per the
3553+SMMUv3 Architecture Specification.
3554+
3555+Update the function to use the EVT_SET_ADDR2 macro instead, which is the
3556+macro intended for writing to these words.
3557+
3558+ref. ARM IHI 0070C, section 7.3.4.
3559+
3560+Signed-off-by: Simon Veith <sveith@amazon.de>
3561+Acked-by: Eric Auger <eric.auger@redhat.com>
3562+Tested-by: Eric Auger <eric.auger@redhat.com>
3563+Message-id: 1576509312-13083-7-git-send-email-sveith@amazon.de
3564+Cc: Eric Auger <eric.auger@redhat.com>
3565+Cc: qemu-devel@nongnu.org
3566+Cc: qemu-arm@nongnu.org
3567+Acked-by: Eric Auger <eric.auger@redhat.com>
3568+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
3569+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
3570+(cherry picked from commit b255cafb59578d16716186ed955717bc8f87bdb7)
3571+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
3572+
3573+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=9b59fdf478
3574+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
3575+Last-Update: 2020-08-19
3576+
3577+---
3578+ hw/arm/smmuv3.c | 2 +-
3579+ 1 file changed, 1 insertion(+), 1 deletion(-)
3580+
3581+diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
3582+index 31ac3ca32e..8b5f157dc7 100644
3583+--- a/hw/arm/smmuv3.c
3584++++ b/hw/arm/smmuv3.c
3585+@@ -172,7 +172,7 @@ void smmuv3_record_event(SMMUv3State *s, SMMUEventInfo *info)
3586+ case SMMU_EVT_F_STE_FETCH:
3587+ EVT_SET_SSID(&evt, info->u.f_ste_fetch.ssid);
3588+ EVT_SET_SSV(&evt, info->u.f_ste_fetch.ssv);
3589+- EVT_SET_ADDR(&evt, info->u.f_ste_fetch.addr);
3590++ EVT_SET_ADDR2(&evt, info->u.f_ste_fetch.addr);
3591+ break;
3592+ case SMMU_EVT_C_BAD_STE:
3593+ EVT_SET_SSID(&evt, info->u.c_bad_ste.ssid);
3594+--
3595+2.28.0
3596+
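Review bot: This one-line switch to `EVT_SET_ADDR2` is only correct once `EVT_SET_ADDR2` itself writes words 6 and 7, which in this tree happens in the companion patch lp-1891877-hw-arm-smmuv3-Use-correct-bit-positions-in-EVT_SET_A.patch; applied on its own it would place the fetch address in the wrong bit positions of word 7. The relative order of the two patches is decided in debian/patches/series, which is outside this view, so please confirm the macro fix is listed first (upstream message-ids 6 and 7 suggest that order). smmuv3_record_event's body begins and ends outside the hunk.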
3597diff --git a/debian/patches/stable/lp-1891877-hw-arm-smmuv3-Use-correct-bit-positions-in-EVT_SET_A.patch b/debian/patches/stable/lp-1891877-hw-arm-smmuv3-Use-correct-bit-positions-in-EVT_SET_A.patch
3598new file mode 100644
3599index 0000000..5a9a3b0
3600--- /dev/null
3601+++ b/debian/patches/stable/lp-1891877-hw-arm-smmuv3-Use-correct-bit-positions-in-EVT_SET_A.patch
3602@@ -0,0 +1,58 @@
3603+From ec3bd881e2e5942f835094b2da06ca415f7b27b3 Mon Sep 17 00:00:00 2001
3604+From: Simon Veith <sveith@amazon.de>
3605+Date: Fri, 20 Dec 2019 14:03:00 +0000
3606+Subject: [PATCH] hw/arm/smmuv3: Use correct bit positions in EVT_SET_ADDR2
3607+ macro
3608+
3609+The bit offsets in the EVT_SET_ADDR2 macro do not match those specified
3610+in the ARM SMMUv3 Architecture Specification. In all events that use
3611+this macro, e.g. F_WALK_EABT, the faulting fetch address or IPA actually
3612+occupies the 32-bit words 6 and 7 in the event record contiguously, with
3613+the upper and lower unused bits clear due to alignment or maximum
3614+supported address bits. How many bits are clear depends on the
3615+individual event type.
3616+
3617+Update the macro to write to the correct words in the event record so
3618+that guest drivers can obtain accurate address information on events.
3619+
3620+ref. ARM IHI 0070C, sections 7.3.12 through 7.3.16.
3621+
3622+Signed-off-by: Simon Veith <sveith@amazon.de>
3623+Acked-by: Eric Auger <eric.auger@redhat.com>
3624+Tested-by: Eric Auger <eric.auger@redhat.com>
3625+Message-id: 1576509312-13083-6-git-send-email-sveith@amazon.de
3626+Cc: Eric Auger <eric.auger@redhat.com>
3627+Cc: qemu-devel@nongnu.org
3628+Cc: qemu-arm@nongnu.org
3629+Acked-by: Eric Auger <eric.auger@redhat.com>
3630+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
3631+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
3632+(cherry picked from commit a7f65ceb851af5a5b639c6e30801076d848db2c2)
3633+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
3634+
3635+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=ec3bd881e2
3636+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
3637+Last-Update: 2020-08-19
3638+
3639+---
3640+ hw/arm/smmuv3-internal.h | 4 ++--
3641+ 1 file changed, 2 insertions(+), 2 deletions(-)
3642+
3643+diff --git a/hw/arm/smmuv3-internal.h b/hw/arm/smmuv3-internal.h
3644+index 042b435808..4112394129 100644
3645+--- a/hw/arm/smmuv3-internal.h
3646++++ b/hw/arm/smmuv3-internal.h
3647+@@ -461,8 +461,8 @@ typedef struct SMMUEventInfo {
3648+ } while (0)
3649+ #define EVT_SET_ADDR2(x, addr) \
3650+ do { \
3651+- (x)->word[7] = deposit32((x)->word[7], 3, 29, addr >> 16); \
3652+- (x)->word[7] = deposit32((x)->word[7], 0, 16, addr & 0xffff);\
3653++ (x)->word[7] = (uint32_t)(addr >> 32); \
3654++ (x)->word[6] = (uint32_t)(addr & 0xffffffff); \
3655+ } while (0)
3656+
3657+ void smmuv3_record_event(SMMUv3State *s, SMMUEventInfo *event);
3658+--
3659+2.28.0
3660+
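Review bot: The new `EVT_SET_ADDR2` body uses the macro argument `addr` unparenthesized in `addr >> 32` and `addr & 0xffffffff`, so an argument containing a lower-precedence operator (for example `base + off`) would be split incorrectly. Writing `(x)->word[7] = (uint32_t)((addr) >> 32);` and `(x)->word[6] = (uint32_t)((addr) & 0xffffffff);` is the usual fix; every caller visible in this series passes a plain struct member, so this is a robustness point rather than an observed bug. The argument is also evaluated twice and the `>> 32` presumes a 64-bit `addr` (a narrower type would make the shift undefined), so a short comment on the macro stating `/* addr must be a 64-bit value; it is evaluated twice */` would document both constraints.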
3661diff --git a/debian/patches/stable/lp-1891877-hw-i386-amd_iommu.c-Fix-corruption-of-log-events-pas.patch b/debian/patches/stable/lp-1891877-hw-i386-amd_iommu.c-Fix-corruption-of-log-events-pas.patch
3662new file mode 100644
3663index 0000000..ef32c14
3664--- /dev/null
3665+++ b/debian/patches/stable/lp-1891877-hw-i386-amd_iommu.c-Fix-corruption-of-log-events-pas.patch
3666@@ -0,0 +1,49 @@
3667+From 33be7aa9b6bea692e7ba615db1c97820051dc435 Mon Sep 17 00:00:00 2001
3668+From: Peter Maydell <peter.maydell@linaro.org>
3669+Date: Thu, 26 Mar 2020 10:53:49 +0000
3670+Subject: [PATCH] hw/i386/amd_iommu.c: Fix corruption of log events passed to
3671+ guest
3672+
3673+In the function amdvi_log_event(), we write an event log buffer
3674+entry into guest ram, whose contents are passed to the function
3675+via the "uint64_t *evt" argument. Unfortunately, a spurious
3676+'&' in the call to dma_memory_write() meant that instead of
3677+writing the event to the guest we would write the literal value
3678+of the pointer, plus whatever was in the following 8 bytes
3679+on the stack. This error was spotted by Coverity.
3680+
3681+Fix the bug by removing the '&'.
3682+
3683+Fixes: CID 1421945
3684+Cc: qemu-stable@nongnu.org
3685+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
3686+Message-Id: <20200326105349.24588-1-peter.maydell@linaro.org>
3687+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
3688+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
3689+(cherry picked from commit 32a2d6b1f6b4405f0fc20c031e61d5d48e3d9cd1)
3690+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
3691+
3692+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=33be7aa9b6
3693+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
3694+Last-Update: 2020-08-19
3695+
3696+---
3697+ hw/i386/amd_iommu.c | 2 +-
3698+ 1 file changed, 1 insertion(+), 1 deletion(-)
3699+
3700+diff --git a/hw/i386/amd_iommu.c b/hw/i386/amd_iommu.c
3701+index d55dbf07fc..ac5f2fddc5 100644
3702+--- a/hw/i386/amd_iommu.c
3703++++ b/hw/i386/amd_iommu.c
3704+@@ -181,7 +181,7 @@ static void amdvi_log_event(AMDVIState *s, uint64_t *evt)
3705+ }
3706+
3707+ if (dma_memory_write(&address_space_memory, s->evtlog + s->evtlog_tail,
3708+- &evt, AMDVI_EVENT_LEN)) {
3709++ evt, AMDVI_EVENT_LEN)) {
3710+ trace_amdvi_evntlog_fail(s->evtlog, s->evtlog_tail);
3711+ }
3712+
3713+--
3714+2.28.0
3715+
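Review bot: With the spurious `&` gone, `dma_memory_write()` now reads `AMDVI_EVENT_LEN` bytes through `evt`, but the parameter type `uint64_t *evt` says nothing about how many elements the caller must provide, which is exactly how the original bug escaped type checking. A comment on the function, for instance `/* evt must point to at least AMDVI_EVENT_LEN bytes: the event record copied into the guest's event log */`, makes the length contract explicit; declaring the parameter as an array of `AMDVI_EVENT_LEN / sizeof(uint64_t)` elements would be a stronger follow-up if all callers pass a fixed-size buffer, which I cannot see from here. amdvi_log_event's signature and remaining body are outside this hunk.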
3716diff --git a/debian/patches/stable/lp-1891877-hw-intc-arm_gicv3_kvm-Stop-wrongly-programming-GICR_.patch b/debian/patches/stable/lp-1891877-hw-intc-arm_gicv3_kvm-Stop-wrongly-programming-GICR_.patch
3717new file mode 100644
3718index 0000000..9c219c9
3719--- /dev/null
3720+++ b/debian/patches/stable/lp-1891877-hw-intc-arm_gicv3_kvm-Stop-wrongly-programming-GICR_.patch
3721@@ -0,0 +1,66 @@
3722+From 9adb6569bf71808e76a7b71766e73a6da103741e Mon Sep 17 00:00:00 2001
3723+From: Zenghui Yu <yuzenghui@huawei.com>
3724+Date: Thu, 30 Jan 2020 16:02:05 +0000
3725+Subject: [PATCH] hw/intc/arm_gicv3_kvm: Stop wrongly programming
3726+ GICR_PENDBASER.PTZ bit
3727+
3728+If LPIs are disabled, KVM will just ignore the GICR_PENDBASER.PTZ bit when
3729+restoring GICR_CTLR. Setting PTZ here makes littlt sense in "reduce GIC
3730+initialization time".
3731+
3732+And what's worse, PTZ is generally programmed by guest to indicate to the
3733+Redistributor whether the LPI Pending table is zero when enabling LPIs.
3734+If migration is triggered when the PTZ has just been cleared by guest (and
3735+before enabling LPIs), we will see PTZ==1 on the destination side, which
3736+is not as expected. Let's just drop this hackish userspace behavior.
3737+
3738+Also take this chance to refine the comment a bit.
3739+
3740+Fixes: 367b9f527bec ("hw/intc/arm_gicv3_kvm: Implement get/put functions")
3741+Signed-off-by: Zenghui Yu <yuzenghui@huawei.com>
3742+Message-id: 20200119133051.642-1-yuzenghui@huawei.com
3743+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
3744+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
3745+(cherry picked from commit 618bacabd3c8c3360be795cd8763bacdf5bec101)
3746+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
3747+
3748+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=9adb6569bf
3749+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
3750+Last-Update: 2020-08-19
3751+
3752+---
3753+ hw/intc/arm_gicv3_kvm.c | 11 ++++-------
3754+ 1 file changed, 4 insertions(+), 7 deletions(-)
3755+
3756+diff --git a/hw/intc/arm_gicv3_kvm.c b/hw/intc/arm_gicv3_kvm.c
3757+index 9c7f4ab871..49304ca589 100644
3758+--- a/hw/intc/arm_gicv3_kvm.c
3759++++ b/hw/intc/arm_gicv3_kvm.c
3760+@@ -336,7 +336,10 @@ static void kvm_arm_gicv3_put(GICv3State *s)
3761+ kvm_gicd_access(s, GICD_CTLR, &reg, true);
3762+
3763+ if (redist_typer & GICR_TYPER_PLPIS) {
3764+- /* Set base addresses before LPIs are enabled by GICR_CTLR write */
3765++ /*
3766++ * Restore base addresses before LPIs are potentially enabled by
3767++ * GICR_CTLR write
3768++ */
3769+ for (ncpu = 0; ncpu < s->num_cpu; ncpu++) {
3770+ GICv3CPUState *c = &s->cpu[ncpu];
3771+
3772+@@ -347,12 +350,6 @@ static void kvm_arm_gicv3_put(GICv3State *s)
3773+ kvm_gicr_access(s, GICR_PROPBASER + 4, ncpu, &regh, true);
3774+
3775+ reg64 = c->gicr_pendbaser;
3776+- if (!(c->gicr_ctlr & GICR_CTLR_ENABLE_LPIS)) {
3777+- /* Setting PTZ is advised if LPIs are disabled, to reduce
3778+- * GIC initialization time.
3779+- */
3780+- reg64 |= GICR_PENDBASER_PTZ;
3781+- }
3782+ regl = (uint32_t)reg64;
3783+ kvm_gicr_access(s, GICR_PENDBASER, ncpu, &regl, true);
3784+ regh = (uint32_t)(reg64 >> 32);
3785+--
3786+2.28.0
3787+
3788diff --git a/debian/patches/stable/lp-1891877-i386-Resolve-CPU-models-to-v1-by-default.patch b/debian/patches/stable/lp-1891877-i386-Resolve-CPU-models-to-v1-by-default.patch
3789new file mode 100644
3790index 0000000..4bccfa5
3791--- /dev/null
3792+++ b/debian/patches/stable/lp-1891877-i386-Resolve-CPU-models-to-v1-by-default.patch
3793@@ -0,0 +1,91 @@
3794+From bed590f2b849ad548d659942771d824c288c6a50 Mon Sep 17 00:00:00 2001
3795+From: Eduardo Habkost <ehabkost@redhat.com>
3796+Date: Thu, 5 Dec 2019 19:33:39 -0300
3797+Subject: [PATCH] i386: Resolve CPU models to v1 by default
3798+
3799+When using `query-cpu-definitions` using `-machine none`,
3800+QEMU is resolving all CPU models to their latest versions. The
3801+actual CPU model version being used by another machine type (e.g.
3802+`pc-q35-4.0`) might be different.
3803+
3804+In theory, this was OK because the correct CPU model
3805+version is returned when using the correct `-machine` argument.
3806+
3807+Except that in practice, this breaks libvirt expectations:
3808+libvirt always use `-machine none` when checking if a CPU model
3809+is runnable, because runnability is not expected to be affected
3810+when the machine type is changed.
3811+
3812+For example, when running on a Haswell host without TSX,
3813+Haswell-v4 is runnable, but Haswell-v1 is not. On those hosts,
3814+`query-cpu-definitions` says Haswell is runnable if using
3815+`-machine none`, but Haswell is actually not runnable using any
3816+of the `pc-*` machine types (because they resolve Haswell to
3817+Haswell-v1). In other words, we're breaking the "runnability
3818+guarantee" we promised to not break for a few releases (see
3819+qemu-deprecated.texi).
3820+
3821+To address this issue, change the default CPU model version to v1
3822+on all machine types, so we make `query-cpu-definitions` output
3823+when using `-machine none` match the results when using `pc-*`.
3824+This will change in the future (the plan is to always return the
3825+latest CPU model version if using `-machine none`), but only
3826+after giving libvirt the opportunity to adapt.
3827+
3828+Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1779078
3829+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
3830+Message-Id: <20191205223339.764534-1-ehabkost@redhat.com>
3831+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
3832+(cherry picked from commit ad18392892c04637fb56956d997f4bc600224356)
3833+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
3834+
3835+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=bed590f2b8
3836+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
3837+Last-Update: 2020-08-19
3838+
3839+---
3840+ qemu-deprecated.texi | 8 ++++++++
3841+ target/i386/cpu.c | 8 +++++++-
3842+ 2 files changed, 15 insertions(+), 1 deletion(-)
3843+
3844+diff --git a/qemu-deprecated.texi b/qemu-deprecated.texi
3845+index 4b4b7425ac..b42d8b3c5f 100644
3846+--- a/qemu-deprecated.texi
3847++++ b/qemu-deprecated.texi
3848+@@ -374,6 +374,14 @@ guarantees must resolve the CPU model aliases using te
3849+ ``alias-of'' field returned by the ``query-cpu-definitions'' QMP
3850+ command.
3851+
3852++While those guarantees are kept, the return value of
3853++``query-cpu-definitions'' will have existing CPU model aliases
3854++point to a version that doesn't break runnability guarantees
3855++(specifically, version 1 of those CPU models). In future QEMU
3856++versions, aliases will point to newer CPU model versions
3857++depending on the machine type, so management software must
3858++resolve CPU model aliases before starting a virtual machine.
3859++
3860+
3861+ @node Recently removed features
3862+ @appendix Recently removed features
3863+diff --git a/target/i386/cpu.c b/target/i386/cpu.c
3864+index 69f518a21a..54e7f18a09 100644
3865+--- a/target/i386/cpu.c
3866++++ b/target/i386/cpu.c
3867+@@ -3924,7 +3924,13 @@ static PropValue tcg_default_props[] = {
3868+ };
3869+
3870+
3871+-X86CPUVersion default_cpu_version = CPU_VERSION_LATEST;
3872++/*
3873++ * We resolve CPU model aliases using -v1 when using "-machine
3874++ * none", but this is just for compatibility while libvirt isn't
3875++ * adapted to resolve CPU model versions before creating VMs.
3876++ * See "Runnability guarantee of CPU models" at * qemu-deprecated.texi.
3877++ */
3878++X86CPUVersion default_cpu_version = 1;
3879+
3880+ void x86_cpu_set_default_version(X86CPUVersion version)
3881+ {
3882+--
3883+2.28.0
3884+
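Review bot: The new comment above `default_cpu_version` contains a stray asterisk in `at * qemu-deprecated.texi`, which reads as a typo; the line should be ` * See "Runnability guarantee of CPU models" at qemu-deprecated.texi.`. Since this is a verbatim cherry-pick the wording fix belongs in a follow-up rather than in the backport itself, but it is worth tracking so the comment does not mislead readers about where the guarantee is documented.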
3885diff --git a/debian/patches/stable/lp-1891877-ide-Fix-incorrect-handling-of-some-PRDTs-in-ide_dma_.patch b/debian/patches/stable/lp-1891877-ide-Fix-incorrect-handling-of-some-PRDTs-in-ide_dma_.patch
3886new file mode 100644
3887index 0000000..c42f271
3888--- /dev/null
3889+++ b/debian/patches/stable/lp-1891877-ide-Fix-incorrect-handling-of-some-PRDTs-in-ide_dma_.patch
3890@@ -0,0 +1,99 @@
3891+From 4412cb3bcaf5b0cccf88f881c18be5dfd395e934 Mon Sep 17 00:00:00 2001
3892+From: Alexander Popov <alex.popov@linux.com>
3893+Date: Mon, 23 Dec 2019 20:51:16 +0300
3894+Subject: [PATCH] ide: Fix incorrect handling of some PRDTs in ide_dma_cb()
3895+
3896+The commit a718978ed58a from July 2015 introduced the assertion which
3897+implies that the size of successful DMA transfers handled in ide_dma_cb()
3898+should be multiple of 512 (the size of a sector). But guest systems can
3899+initiate DMA transfers that don't fit this requirement.
3900+
3901+For fixing that let's check the number of bytes prepared for the transfer
3902+by the prepare_buf() handler. The code in ide_dma_cb() must behave
3903+according to the Programming Interface for Bus Master IDE Controller
3904+(Revision 1.0 5/16/94):
3905+1. If PRDs specified a smaller size than the IDE transfer
3906+ size, then the Interrupt and Active bits in the Controller
3907+ status register are not set (Error Condition).
3908+2. If the size of the physical memory regions was equal to
3909+ the IDE device transfer size, the Interrupt bit in the
3910+ Controller status register is set to 1, Active bit is set to 0.
3911+3. If PRDs specified a larger size than the IDE transfer size,
3912+ the Interrupt and Active bits in the Controller status register
3913+ are both set to 1.
3914+
3915+Signed-off-by: Alexander Popov <alex.popov@linux.com>
3916+Reviewed-by: Kevin Wolf <kwolf@redhat.com>
3917+Message-id: 20191223175117.508990-2-alex.popov@linux.com
3918+Signed-off-by: John Snow <jsnow@redhat.com>
3919+(cherry picked from commit ed78352a59ea7acf7520d4d47a96b9911bae7fc3)
3920+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
3921+
3922+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=4412cb3bca
3923+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
3924+Last-Update: 2020-08-19
3925+
3926+---
3927+ hw/ide/core.c | 30 ++++++++++++++++++++++--------
3928+ 1 file changed, 22 insertions(+), 8 deletions(-)
3929+
3930+diff --git a/hw/ide/core.c b/hw/ide/core.c
3931+index 754ff4dc34..80000eb766 100644
3932+--- a/hw/ide/core.c
3933++++ b/hw/ide/core.c
3934+@@ -849,6 +849,7 @@ static void ide_dma_cb(void *opaque, int ret)
3935+ int64_t sector_num;
3936+ uint64_t offset;
3937+ bool stay_active = false;
3938++ int32_t prep_size = 0;
3939+
3940+ if (ret == -EINVAL) {
3941+ ide_dma_error(s);
3942+@@ -863,13 +864,15 @@ static void ide_dma_cb(void *opaque, int ret)
3943+ }
3944+ }
3945+
3946+- n = s->io_buffer_size >> 9;
3947+- if (n > s->nsector) {
3948+- /* The PRDs were longer than needed for this request. Shorten them so
3949+- * we don't get a negative remainder. The Active bit must remain set
3950+- * after the request completes. */
3951++ if (s->io_buffer_size > s->nsector * 512) {
3952++ /*
3953++ * The PRDs were longer than needed for this request.
3954++ * The Active bit must remain set after the request completes.
3955++ */
3956+ n = s->nsector;
3957+ stay_active = true;
3958++ } else {
3959++ n = s->io_buffer_size >> 9;
3960+ }
3961+
3962+ sector_num = ide_get_sector(s);
3963+@@ -892,9 +895,20 @@ static void ide_dma_cb(void *opaque, int ret)
3964+ n = s->nsector;
3965+ s->io_buffer_index = 0;
3966+ s->io_buffer_size = n * 512;
3967+- if (s->bus->dma->ops->prepare_buf(s->bus->dma, s->io_buffer_size) < 512) {
3968+- /* The PRDs were too short. Reset the Active bit, but don't raise an
3969+- * interrupt. */
3970++ prep_size = s->bus->dma->ops->prepare_buf(s->bus->dma, s->io_buffer_size);
3971++ /* prepare_buf() must succeed and respect the limit */
3972++ assert(prep_size >= 0 && prep_size <= n * 512);
3973++
3974++ /*
3975++ * Now prep_size stores the number of bytes in the sglist, and
3976++ * s->io_buffer_size stores the number of bytes described by the PRDs.
3977++ */
3978++
3979++ if (prep_size < n * 512) {
3980++ /*
3981++ * The PRDs are too short for this request. Error condition!
3982++ * Reset the Active bit and don't raise the interrupt.
3983++ */
3984+ s->status = READY_STAT | SEEK_STAT;
3985+ dma_buf_commit(s, 0);
3986+ goto eot;
3987+--
3988+2.28.0
3989+
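Review bot: The new `assert(prep_size >= 0 && prep_size <= n * 512)` turns a misbehaving `prepare_buf()` backend into an abort of the whole VM; that is defensible only because the limit passed on the previous line is what bounds the result, and the comment `/* prepare_buf() must succeed and respect the limit */` should say so, e.g. `/* prepare_buf() is bounded by the limit we pass (s->io_buffer_size == n * 512); a larger or negative value is a backend bug, not guest input */`. In the second hunk, `n = s->io_buffer_size >> 9` silently rounds a trailing partial sector away; the `prep_size < n * 512` path in the third hunk appears to be what reports the shortfall when the next transfer is prepared, and a one-line comment on the `else` branch pointing there would make the relationship visible. ide_dma_cb starts before the first hunk and continues after the last.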
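--- /dev/null
+++ b/debian/patches/stable/lp-1891877-iotests-026-Move-v3-exclusive-test-to-new-file.patch
@@ -0,0 +1,232 @@
+From 2f7597fbc2727eeb4f16c579c9dc0b115a8e5e93 Mon Sep 17 00:00:00 2001
+From: Max Reitz <mreitz@redhat.com>
+Date: Wed, 11 Mar 2020 15:07:07 +0100
+Subject: [PATCH] iotests/026: Move v3-exclusive test to new file
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+data_file does not work with v2, and we probably want 026 to keep
+working for v2 images. Thus, open a new file for v3-exclusive error
+path test cases.
+
+Fixes: 81311255f217859413c94f2cd9cebf2684bbda94
+ (“iotests/026: Test EIO on allocation in a data-file”)
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+Message-Id: <20200311140707.1243218-1-mreitz@redhat.com>
+Reviewed-by: John Snow <jsnow@redhat.com>
+Tested-by: John Snow <jsnow@redhat.com>
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+(cherry picked from commit c264e5d2f9f5d73977eac8e5d084f727b3d07ea9)
+ Conflicts:
+ tests/qemu-iotests/group
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=2f7597fbc2
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
+Last-Update: 2020-08-19
+
+---
+ tests/qemu-iotests/026 | 31 -----------
+ tests/qemu-iotests/026.out | 6 --
+ tests/qemu-iotests/026.out.nocache | 6 --
+ tests/qemu-iotests/289 | 89 ++++++++++++++++++++++++++++++
+ tests/qemu-iotests/289.out | 8 +++
+ tests/qemu-iotests/group | 1 +
+ 6 files changed, 98 insertions(+), 43 deletions(-)
+ create mode 100755 tests/qemu-iotests/289
+ create mode 100644 tests/qemu-iotests/289.out
+
+diff --git a/tests/qemu-iotests/026 b/tests/qemu-iotests/026
+index c1c96a41d9..3afd708863 100755
+--- a/tests/qemu-iotests/026
++++ b/tests/qemu-iotests/026
+@@ -237,37 +237,6 @@ $QEMU_IO -c "write 0 $CLUSTER_SIZE" "$BLKDBG_TEST_IMG" | _filter_qemu_io
+
+ _check_test_img
+
+-echo
+-echo === Avoid freeing external data clusters on failure ===
+-echo
+-
+-# Similar test as the last one, except we test what happens when there
+-# is an error when writing to an external data file instead of when
+-# writing to a preallocated zero cluster
+-_make_test_img -o "data_file=$TEST_IMG.data_file" $CLUSTER_SIZE
+-
+-# Put blkdebug above the data-file, and a raw node on top of that so
+-# that blkdebug will see a write_aio event and emit an error
+-$QEMU_IO -c "write 0 $CLUSTER_SIZE" \
+- "json:{
+- 'driver': 'qcow2',
+- 'file': { 'driver': 'file', 'filename': '$TEST_IMG' },
+- 'data-file': {
+- 'driver': 'raw',
+- 'file': {
+- 'driver': 'blkdebug',
+- 'config': '$TEST_DIR/blkdebug.conf',
+- 'image': {
+- 'driver': 'file',
+- 'filename': '$TEST_IMG.data_file'
+- }
+- }
+- }
+- }" \
+- | _filter_qemu_io
+-
+-_check_test_img
+-
+ # success, all done
+ echo "*** done"
+ rm -f $seq.full
+diff --git a/tests/qemu-iotests/026.out b/tests/qemu-iotests/026.out
+index c1b3b58482..83989996ff 100644
+--- a/tests/qemu-iotests/026.out
++++ b/tests/qemu-iotests/026.out
+@@ -653,10 +653,4 @@ wrote 1024/1024 bytes at offset 0
+ 1 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
+ write failed: Input/output error
+ No errors were found on the image.
+-
+-=== Avoid freeing external data clusters on failure ===
+-
+-Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1024 data_file=TEST_DIR/t.IMGFMT.data_file
+-write failed: Input/output error
+-No errors were found on the image.
+ *** done
+diff --git a/tests/qemu-iotests/026.out.nocache b/tests/qemu-iotests/026.out.nocache
+index 8d5001648a..9359d26d7e 100644
+--- a/tests/qemu-iotests/026.out.nocache
++++ b/tests/qemu-iotests/026.out.nocache
+@@ -661,10 +661,4 @@ wrote 1024/1024 bytes at offset 0
+ 1 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
+ write failed: Input/output error
+ No errors were found on the image.
+-
+-=== Avoid freeing external data clusters on failure ===
+-
+-Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1024 data_file=TEST_DIR/t.IMGFMT.data_file
+-write failed: Input/output error
+-No errors were found on the image.
+ *** done
+diff --git a/tests/qemu-iotests/289 b/tests/qemu-iotests/289
+new file mode 100755
+index 0000000000..1c11d4030e
+--- /dev/null
++++ b/tests/qemu-iotests/289
+@@ -0,0 +1,89 @@
++#!/usr/bin/env bash
++#
++# qcow2 v3-exclusive error path testing
++# (026 tests paths common to v2 and v3)
++#
++# Copyright (C) 2020 Red Hat, Inc.
++#
++# This program is free software; you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation; either version 2 of the License, or
++# (at your option) any later version.
++#
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++# GNU General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with this program. If not, see <http://www.gnu.org/licenses/>.
++#
++
++seq=$(basename $0)
++echo "QA output created by $seq"
++
++status=1 # failure is the default!
++
++_cleanup()
++{
++ _cleanup_test_img
++ rm "$TEST_DIR/blkdebug.conf"
++ rm -f "$TEST_IMG.data_file"
++}
++trap "_cleanup; exit \$status" 0 1 2 3 15
++
++# get standard environment, filters and checks
++. ./common.rc
++. ./common.filter
++. ./common.pattern
++
++_supported_fmt qcow2
++_supported_proto file
++# This is a v3-exclusive test;
++# As for data_file, error paths often very much depend on whether
++# there is an external data file or not; so we create one exactly when
++# we want to test it
++_unsupported_imgopts 'compat=0.10' data_file
++
++echo
++echo === Avoid freeing external data clusters on failure ===
++echo
++
++cat > "$TEST_DIR/blkdebug.conf" <<EOF
++[inject-error]
++event = "write_aio"
++errno = "5"
++once = "on"
++EOF
++
++# Test what happens when there is an error when writing to an external
++# data file instead of when writing to a preallocated zero cluster
++_make_test_img -o "data_file=$TEST_IMG.data_file" 64k
++
++# Put blkdebug above the data-file, and a raw node on top of that so
++# that blkdebug will see a write_aio event and emit an error. This
++# will then trigger the alloc abort code, which we want to test here.
++$QEMU_IO -c "write 0 64k" \
++ "json:{
++ 'driver': 'qcow2',
++ 'file': { 'driver': 'file', 'filename': '$TEST_IMG' },
++ 'data-file': {
++ 'driver': 'raw',
++ 'file': {
++ 'driver': 'blkdebug',
++ 'config': '$TEST_DIR/blkdebug.conf',
++ 'image': {
++ 'driver': 'file',
++ 'filename': '$TEST_IMG.data_file'
++ }
++ }
++ }
++ }" \
++ | _filter_qemu_io
++
++_check_test_img
++
++# success, all done
++echo "*** done"
++rm -f $seq.full
++status=0
+diff --git a/tests/qemu-iotests/289.out b/tests/qemu-iotests/289.out
+new file mode 100644
+index 0000000000..e54e2629d4
+--- /dev/null
++++ b/tests/qemu-iotests/289.out
+@@ -0,0 +1,8 @@
++QA output created by 289
++
++=== Avoid freeing external data clusters on failure ===
++
++Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=65536 data_file=TEST_DIR/t.IMGFMT.data_file
++write failed: Input/output error
++No errors were found on the image.
++*** done
+diff --git a/tests/qemu-iotests/group b/tests/qemu-iotests/group
+index 6b10a6a762..2dc8a6e572 100644
+--- a/tests/qemu-iotests/group
++++ b/tests/qemu-iotests/group
+@@ -286,3 +286,4 @@
+ 272 rw
+ 273 backing quick
+ 277 rw quick
++289 rw quick
+--
+2.28.0
+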
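Review bot: `_cleanup` in the new test 289 removes `"$TEST_DIR/blkdebug.conf"` without `-f`, while the very next line uses `rm -f` for the data file; if the script leaves through the trap before the heredoc has created the config (for example when `_supported_fmt` or `_unsupported_imgopts` decides the test does not run), rm reports the missing file on stderr. The existing 026 script has the same `rm "$TEST_DIR/blkdebug.conf"` pattern, so this is upstream style rather than a cherry-pick error, but `rm -f "$TEST_DIR/blkdebug.conf"` would keep the cleanup path quiet. Whether that stderr noise reaches compared output depends on the harness, which is not visible in this chunk.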
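--- /dev/null
+++ b/debian/patches/stable/lp-1891877-iotests-026-Test-EIO-on-allocation-in-a-data-file.patch
@@ -0,0 +1,107 @@
+From 4540aa4a8d2c59ec42af0ea58ca1794124ce47dd Mon Sep 17 00:00:00 2001
+From: Max Reitz <mreitz@redhat.com>
+Date: Tue, 25 Feb 2020 15:31:30 +0100
+Subject: [PATCH] iotests/026: Test EIO on allocation in a data-file
+
+Test what happens when writing data to an external data file, where the
+write requires an L2 entry to be allocated, but the data write fails.
+
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+Message-Id: <20200225143130.111267-4-mreitz@redhat.com>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+(cherry picked from commit 81311255f217859413c94f2cd9cebf2684bbda94)
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=4540aa4a8d
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
+Last-Update: 2020-08-19
+
+---
+ tests/qemu-iotests/026 | 32 ++++++++++++++++++++++++++++++
+ tests/qemu-iotests/026.out | 6 ++++++
+ tests/qemu-iotests/026.out.nocache | 6 ++++++
+ 3 files changed, 44 insertions(+)
+
+diff --git a/tests/qemu-iotests/026 b/tests/qemu-iotests/026
+index d89729697f..c1c96a41d9 100755
+--- a/tests/qemu-iotests/026
++++ b/tests/qemu-iotests/026
+@@ -30,6 +30,7 @@ _cleanup()
+ {
+ _cleanup_test_img
+ rm "$TEST_DIR/blkdebug.conf"
++ rm -f "$TEST_IMG.data_file"
+ }
+ trap "_cleanup; exit \$status" 0 1 2 3 15
+
+@@ -236,6 +237,37 @@ $QEMU_IO -c "write 0 $CLUSTER_SIZE" "$BLKDBG_TEST_IMG" | _filter_qemu_io
+
+ _check_test_img
+
++echo
++echo === Avoid freeing external data clusters on failure ===
++echo
++
++# Similar test as the last one, except we test what happens when there
++# is an error when writing to an external data file instead of when
++# writing to a preallocated zero cluster
++_make_test_img -o "data_file=$TEST_IMG.data_file" $CLUSTER_SIZE
++
++# Put blkdebug above the data-file, and a raw node on top of that so
++# that blkdebug will see a write_aio event and emit an error
++$QEMU_IO -c "write 0 $CLUSTER_SIZE" \
++ "json:{
++ 'driver': 'qcow2',
++ 'file': { 'driver': 'file', 'filename': '$TEST_IMG' },
++ 'data-file': {
++ 'driver': 'raw',
++ 'file': {
++ 'driver': 'blkdebug',
++ 'config': '$TEST_DIR/blkdebug.conf',
++ 'image': {
++ 'driver': 'file',
++ 'filename': '$TEST_IMG.data_file'
++ }
++ }
++ }
++ }" \
++ | _filter_qemu_io
++
++_check_test_img
++
+ # success, all done
+ echo "*** done"
+ rm -f $seq.full
+diff --git a/tests/qemu-iotests/026.out b/tests/qemu-iotests/026.out
+index 83989996ff..c1b3b58482 100644
+--- a/tests/qemu-iotests/026.out
++++ b/tests/qemu-iotests/026.out
+@@ -653,4 +653,10 @@ wrote 1024/1024 bytes at offset 0
+ 1 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
+ write failed: Input/output error
+ No errors were found on the image.
++
++=== Avoid freeing external data clusters on failure ===
++
++Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1024 data_file=TEST_DIR/t.IMGFMT.data_file
++write failed: Input/output error
++No errors were found on the image.
+ *** done
+diff --git a/tests/qemu-iotests/026.out.nocache b/tests/qemu-iotests/026.out.nocache
+index 9359d26d7e..8d5001648a 100644
+--- a/tests/qemu-iotests/026.out.nocache
++++ b/tests/qemu-iotests/026.out.nocache
+@@ -661,4 +661,10 @@ wrote 1024/1024 bytes at offset 0
+ 1 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
+ write failed: Input/output error
+ No errors were found on the image.
++
++=== Avoid freeing external data clusters on failure ===
++
++Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1024 data_file=TEST_DIR/t.IMGFMT.data_file
++write failed: Input/output error
++No errors were found on the image.
+ *** done
+--
+2.28.0
+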
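--- /dev/null
+++ b/debian/patches/stable/lp-1891877-iotests-026-Test-EIO-on-preallocated-zero-cluster.patch
@@ -0,0 +1,97 @@
+From 30aa0ea6c578b51a71d8cbb9578cc7f7bfeb56aa Mon Sep 17 00:00:00 2001
+From: Max Reitz <mreitz@redhat.com>
+Date: Tue, 25 Feb 2020 15:31:29 +0100
+Subject: [PATCH] iotests/026: Test EIO on preallocated zero cluster
+
+Test what happens when writing data to a preallocated zero cluster, but
+the data write fails.
+
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+Message-Id: <20200225143130.111267-3-mreitz@redhat.com>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+(cherry picked from commit 31ab00f3747c00fdbb9027cea644b40dd1405480)
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=30aa0ea6c5
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
+Last-Update: 2020-08-19
+
+---
+ tests/qemu-iotests/026 | 21 +++++++++++++++++++++
+ tests/qemu-iotests/026.out | 10 ++++++++++
+ tests/qemu-iotests/026.out.nocache | 10 ++++++++++
+ 3 files changed, 41 insertions(+)
+
+diff --git a/tests/qemu-iotests/026 b/tests/qemu-iotests/026
+index 3430029ed6..d89729697f 100755
+--- a/tests/qemu-iotests/026
++++ b/tests/qemu-iotests/026
+@@ -215,6 +215,27 @@ _make_test_img 64M
+ $QEMU_IO -c "write 0 1M" -c "write 0 1M" "$BLKDBG_TEST_IMG" | _filter_qemu_io
+ _check_test_img
+
++echo
++echo === Avoid freeing preallocated zero clusters on failure ===
++echo
++
++cat > "$TEST_DIR/blkdebug.conf" <<EOF
++[inject-error]
++event = "write_aio"
++errno = "5"
++once = "on"
++EOF
++
++_make_test_img $CLUSTER_SIZE
++# Create a preallocated zero cluster
++$QEMU_IO -c "write 0 $CLUSTER_SIZE" -c "write -z 0 $CLUSTER_SIZE" "$TEST_IMG" \
++ | _filter_qemu_io
++# Try to overwrite it (prompting an I/O error from blkdebug), thus
++# triggering the alloc abort code
++$QEMU_IO -c "write 0 $CLUSTER_SIZE" "$BLKDBG_TEST_IMG" | _filter_qemu_io
++
++_check_test_img
++
+ # success, all done
+ echo "*** done"
+ rm -f $seq.full
+diff --git a/tests/qemu-iotests/026.out b/tests/qemu-iotests/026.out
+index ff0817b6f2..83989996ff 100644
+--- a/tests/qemu-iotests/026.out
++++ b/tests/qemu-iotests/026.out
+@@ -643,4 +643,14 @@ write failed: Input/output error
+ wrote 1048576/1048576 bytes at offset 0
+ 1 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
+ No errors were found on the image.
++
++=== Avoid freeing preallocated zero clusters on failure ===
++
++Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1024
++wrote 1024/1024 bytes at offset 0
++1 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
++wrote 1024/1024 bytes at offset 0
++1 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
++write failed: Input/output error
++No errors were found on the image.
+ *** done
+diff --git a/tests/qemu-iotests/026.out.nocache b/tests/qemu-iotests/026.out.nocache
+index 495d013007..9359d26d7e 100644
+--- a/tests/qemu-iotests/026.out.nocache
++++ b/tests/qemu-iotests/026.out.nocache
+@@ -651,4 +651,14 @@ write failed: Input/output error
+ wrote 1048576/1048576 bytes at offset 0
+ 1 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
+ No errors were found on the image.
++
++=== Avoid freeing preallocated zero clusters on failure ===
++
++Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1024
++wrote 1024/1024 bytes at offset 0
++1 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
++wrote 1024/1024 bytes at offset 0
++1 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
++write failed: Input/output error
++No errors were found on the image.
+ *** done
+--
+2.28.0
+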
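--- /dev/null
+++ b/debian/patches/stable/lp-1891877-iotests-283-Use-consistent-size-for-source-and-targe.patch
@@ -0,0 +1,57 @@
+From 4a0db6ba7d5c524cbbcc684d7448e01e11eacbbd Mon Sep 17 00:00:00 2001
+From: Kevin Wolf <kwolf@redhat.com>
+Date: Thu, 30 Apr 2020 16:27:52 +0200
+Subject: [PATCH] iotests/283: Use consistent size for source and target
+
+The test case forgot to specify the null-co size for the target node.
+When adding a check to backup that both sizes match, this would fail
+because of the size mismatch and not the behaviour that the test really
+wanted to test.
+
+Fixes: a541fcc27c98b96da187c7d4573f3270f3ddd283
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+Message-Id: <20200430142755.315494-2-kwolf@redhat.com>
+Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+(cherry picked from commit 813cc2545b82409fd504509f0ba2e96fab6edb9e)
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=4a0db6ba7d
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
+Last-Update: 2020-08-19
+
+---
+ tests/qemu-iotests/283 | 6 +++++-
+ tests/qemu-iotests/283.out | 2 +-
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/tests/qemu-iotests/283 b/tests/qemu-iotests/283
+index 293e557bd9..a82e3c8164 100644
+--- a/tests/qemu-iotests/283
++++ b/tests/qemu-iotests/283
+@@ -72,7 +72,11 @@ to check that crash is fixed :)
+ vm = iotests.VM()
+ vm.launch()
+
+-vm.qmp_log('blockdev-add', **{'node-name': 'target', 'driver': 'null-co'})
++vm.qmp_log('blockdev-add', **{
++ 'node-name': 'target',
++ 'driver': 'null-co',
++ 'size': size,
++})
+
+ vm.qmp_log('blockdev-add', **{
+ 'node-name': 'source',
+diff --git a/tests/qemu-iotests/283.out b/tests/qemu-iotests/283.out
+index daaf5828c1..d8cff22cc1 100644
+--- a/tests/qemu-iotests/283.out
++++ b/tests/qemu-iotests/283.out
+@@ -1,4 +1,4 @@
+-{"execute": "blockdev-add", "arguments": {"driver": "null-co", "node-name": "target"}}
++{"execute": "blockdev-add", "arguments": {"driver": "null-co", "node-name": "target", "size": 1048576}}
+ {"return": {}}
+ {"execute": "blockdev-add", "arguments": {"driver": "blkdebug", "image": {"driver": "null-co", "node-name": "base", "size": 1048576}, "node-name": "source"}}
+ {"return": {}}
+--
+2.28.0
+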
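--- /dev/null
+++ b/debian/patches/stable/lp-1891877-iotests-Fix-IMGOPTSSYNTAX-for-nbd.patch
@@ -0,0 +1,42 @@
+From 6772bba8a45cda8ab96f124bb148c3ec1f7a4234 Mon Sep 17 00:00:00 2001
+From: Max Reitz <mreitz@redhat.com>
+Date: Wed, 18 Dec 2019 11:48:55 +0100
+Subject: [PATCH] iotests: Fix IMGOPTSSYNTAX for nbd
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+There is no $SOCKDIR, only $SOCK_DIR.
+
+Fixes: f3923a72f199b2c63747a7032db74730546f55c6
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+(cherry picked from commit eb4ea9aaa0051054b3c148ad8631be7510851681)
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=6772bba8a4
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
+Last-Update: 2020-08-19
+
+---
+ tests/qemu-iotests/common.rc | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/tests/qemu-iotests/common.rc b/tests/qemu-iotests/common.rc
+index 0cc8acc9ed..d3bf92031f 100644
+--- a/tests/qemu-iotests/common.rc
++++ b/tests/qemu-iotests/common.rc
+@@ -217,7 +217,8 @@ if [ "$IMGOPTSSYNTAX" = "true" ]; then
+ TEST_IMG="$DRIVER,file.filename=$TEST_DIR/t.$IMGFMT"
+ elif [ "$IMGPROTO" = "nbd" ]; then
+ TEST_IMG_FILE=$TEST_DIR/t.$IMGFMT
+- TEST_IMG="$DRIVER,file.driver=nbd,file.type=unix,file.path=$SOCKDIR/nbd"
++ TEST_IMG="$DRIVER,file.driver=nbd,file.type=unix"
++ TEST_IMG="$TEST_IMG,file.path=$SOCK_DIR/nbd"
+ elif [ "$IMGPROTO" = "ssh" ]; then
+ TEST_IMG_FILE=$TEST_DIR/t.$IMGFMT
+ TEST_IMG="$DRIVER,file.driver=ssh,file.host=127.0.0.1,file.path=$TEST_IMG_FILE"
+--
+2.28.0
+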
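--- /dev/null
+++ b/debian/patches/stable/lp-1891877-iotests-Fix-nonportable-use-of-od-endian.patch
@@ -0,0 +1,69 @@
+From c6decabc4a30b841e031a838206286db6ad343bc Mon Sep 17 00:00:00 2001
+From: Eric Blake <eblake@redhat.com>
+Date: Wed, 26 Feb 2020 06:54:24 -0600
+Subject: [PATCH] iotests: Fix nonportable use of od --endian
+
+Tests 261 and 272 fail on RHEL 7 with coreutils 8.22, since od
+--endian was not added until coreutils 8.23. Fix this by manually
+constructing the final value one byte at a time.
+
+Fixes: fc8ba423
+Reported-by: Andrey Shinkevich <andrey.shinkevich@virtuozzo.com>
+Signed-off-by: Eric Blake <eblake@redhat.com>
+Reviewed-by: Max Reitz <mreitz@redhat.com>
+Message-Id: <20200226125424.481840-1-eblake@redhat.com>
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+(cherry picked from commit 69135eb30b9c3fca583737a96df015174dc8e6dd)
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=c6decabc4a
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
+Last-Update: 2020-08-19
+
+---
+ tests/qemu-iotests/common.rc | 22 +++++++++++++++++-----
+ 1 file changed, 17 insertions(+), 5 deletions(-)
+
+diff --git a/tests/qemu-iotests/common.rc b/tests/qemu-iotests/common.rc
+index d3bf92031f..538eb349e6 100644
+--- a/tests/qemu-iotests/common.rc
++++ b/tests/qemu-iotests/common.rc
+@@ -56,18 +56,30 @@ poke_file()
+ # peek_file_le 'test.img' 512 2 => 65534
+ peek_file_le()
+ {
+- # Wrap in echo $() to strip spaces
+- echo $(od -j"$2" -N"$3" --endian=little -An -vtu"$3" "$1")
++ local val=0 shift=0 byte
++
++ # coreutils' od --endian is not portable, so manually assemble bytes.
++ for byte in $(od -j"$2" -N"$3" -An -v -tu1 "$1"); do
++ val=$(( val | (byte << shift) ))
++ shift=$((shift + 8))
++ done
++ printf %llu $val
+ }
+
+ # peek_file_be 'test.img' 512 2 => 65279
+ peek_file_be()
+ {
+- # Wrap in echo $() to strip spaces
+- echo $(od -j"$2" -N"$3" --endian=big -An -vtu"$3" "$1")
++ local val=0 byte
++
++ # coreutils' od --endian is not portable, so manually assemble bytes.
++ for byte in $(od -j"$2" -N"$3" -An -v -tu1 "$1"); do
++ val=$(( (val << 8) | byte ))
++ done
++ printf %llu $val
+ }
+
+-# peek_file_raw 'test.img' 512 2 => '\xff\xfe'
++# peek_file_raw 'test.img' 512 2 => '\xff\xfe'. Do not use if the raw data
++# is likely to contain \0 or trailing \n.
+ peek_file_raw()
+ {
+ dd if="$1" bs=1 skip="$2" count="$3" status=none
+--
+2.28.0
+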
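--- /dev/null
+++ b/debian/patches/stable/lp-1891877-iotests-Test-copy-offloading-with-external-data-file.patch
@@ -0,0 +1,71 @@
+From 373fd948ab33b6e74b227cd62d4ccc4c17417473 Mon Sep 17 00:00:00 2001
+From: Kevin Wolf <kwolf@redhat.com>
+Date: Tue, 11 Feb 2020 10:49:00 +0100
+Subject: [PATCH] iotests: Test copy offloading with external data file
+
+This adds a test for 'qemu-img convert' with copy offloading where the
+target image has an external data file. If the test hosts supports it,
+it tests both the case where copy offloading is supported and the case
+where it isn't (otherwise we just test unsupported twice).
+
+More specifically, the case with unsupported copy offloading tests
+qcow2_alloc_cluster_abort() with external data files.
+
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+Message-Id: <20200211094900.17315-4-kwolf@redhat.com>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+(cherry picked from commit a0cf8daf77548786ced84d773f06fc70571c5d38)
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=373fd948ab
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
+Last-Update: 2020-08-19
+
+---
+ tests/qemu-iotests/244 | 14 ++++++++++++++
+ tests/qemu-iotests/244.out | 6 ++++++
+ 2 files changed, 20 insertions(+)
+
+diff --git a/tests/qemu-iotests/244 b/tests/qemu-iotests/244
+index 13978f93d2..2f5dfb9edd 100755
+--- a/tests/qemu-iotests/244
++++ b/tests/qemu-iotests/244
+@@ -194,6 +194,20 @@ $QEMU_IO -c 'read -P 0x11 0 1M' -f $IMGFMT "$TEST_IMG" | _filter_qemu_io
+ $QEMU_IMG map --output=human "$TEST_IMG" | _filter_testdir
+ $QEMU_IMG map --output=json "$TEST_IMG"
+
++echo
++echo "=== Copy offloading ==="
++echo
++
++# Make use of copy offloading if the test host can provide it
++_make_test_img -o "data_file=$TEST_IMG.data" 64M
++$QEMU_IMG convert -f $IMGFMT -O $IMGFMT -n -C "$TEST_IMG.src" "$TEST_IMG"
++$QEMU_IMG compare -f $IMGFMT -F $IMGFMT "$TEST_IMG.src" "$TEST_IMG"
++
++# blkdebug doesn't support copy offloading, so this tests the error path
++$QEMU_IMG amend -f $IMGFMT -o "data_file=blkdebug::$TEST_IMG.data" "$TEST_IMG"
++$QEMU_IMG convert -f $IMGFMT -O $IMGFMT -n -C "$TEST_IMG.src" "$TEST_IMG"
++$QEMU_IMG compare -f $IMGFMT -F $IMGFMT "$TEST_IMG.src" "$TEST_IMG"
++
+ # success, all done
+ echo "*** done"
+ rm -f $seq.full
+diff --git a/tests/qemu-iotests/244.out b/tests/qemu-iotests/244.out
+index 6a3d0067cc..e6f4dc7993 100644
+--- a/tests/qemu-iotests/244.out
++++ b/tests/qemu-iotests/244.out
+@@ -122,4 +122,10 @@ Offset Length Mapped to File
+ 0 0x100000 0 TEST_DIR/t.qcow2.data
+ [{ "start": 0, "length": 1048576, "depth": 0, "zero": false, "data": true, "offset": 0},
+ { "start": 1048576, "length": 66060288, "depth": 0, "zero": true, "data": false}]
++
++=== Copy offloading ===
++
++Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 data_file=TEST_DIR/t.IMGFMT.data
++Images are identical.
++Images are identical.
+ *** done
+--
+2.28.0
+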
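--- a/debian/patches/stable/lp-1867519-iotests-add-test-for-backup-top-failure-on-permissio.patch
+++ b/debian/patches/stable/lp-1891877-iotests-add-test-for-backup-top-failure-on-permissio.patch
@@ -1,4 +1,4 @@
-From a541fcc27c98b96da187c7d4573f3270f3ddd283 Mon Sep 17 00:00:00 2001
+From 8952da32c36b8d457d0ebe28c252a7eeab68f127 Mon Sep 17 00:00:00 2001
 From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
 Date: Tue, 21 Jan 2020 17:28:02 +0300
 Subject: [PATCH] iotests: add test for backup-top failure on permission
@@ -10,10 +10,12 @@ Cc: qemu-stable@nongnu.org # v4.2.0
 Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
 Message-id: 20200121142802.21467-3-vsementsov@virtuozzo.com
 Signed-off-by: Max Reitz <mreitz@redhat.com>
+(cherry picked from commit a541fcc27c98b96da187c7d4573f3270f3ddd283)
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
 
-Origin: backport, https://git.qemu.org/?p=qemu.git;a=commit;h=a541fcc27c98b96da187c7d4573f3270f3ddd283
-Bug-Ubuntu: https://bugs.launchpad.net/bugs/1867519
-Last-Update: 2020-03-18
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=8952da32c3
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
+Last-Update: 2020-08-19
 
 ---
 tests/qemu-iotests/283 | 92 ++++++++++++++++++++++++++++++++++++++
@@ -23,6 +25,9 @@ Last-Update: 2020-03-18
 create mode 100644 tests/qemu-iotests/283
 create mode 100644 tests/qemu-iotests/283.out
 
+diff --git a/tests/qemu-iotests/283 b/tests/qemu-iotests/283
+new file mode 100644
+index 0000000000..293e557bd9
 --- /dev/null
 +++ b/tests/qemu-iotests/283
 @@ -0,0 +1,92 @@
@@ -118,6 +123,9 @@ Last-Update: 2020-03-18
 +vm.qmp_log('blockdev-backup', sync='full', device='source', target='target')
 +
 +vm.shutdown()
+diff --git a/tests/qemu-iotests/283.out b/tests/qemu-iotests/283.out
+new file mode 100644
+index 0000000000..daaf5828c1
 --- /dev/null
 +++ b/tests/qemu-iotests/283.out
 @@ -0,0 +1,8 @@
@@ -129,10 +137,15 @@ Last-Update: 2020-03-18
 +{"return": {}}
 +{"execute": "blockdev-backup", "arguments": {"device": "source", "sync": "full", "target": "target"}}
 +{"error": {"class": "GenericError", "desc": "Cannot set permissions for backup-top filter: Conflicts with use by other as 'image', which uses 'write' on base"}}
+diff --git a/tests/qemu-iotests/group b/tests/qemu-iotests/group
+index 2dc8a6e572..f5e0bf86ce 100644
 --- a/tests/qemu-iotests/group
 +++ b/tests/qemu-iotests/group
-@@ -286,3 +286,4 @@
- 272 rw
+@@ -287,3 +287,4 @@
 273 backing quick
 277 rw quick
+ 289 rw quick
 +283 auto quick
+--
+2.28.0
+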
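Review bot: The regenerated `group` hunk at the end of this renamed patch now uses `289 rw quick` as its context line before `+283 auto quick`, so the patch only applies cleanly if lp-1891877-iotests-026-Move-v3-exclusive-test-to-new-file.patch precedes it in the series; the series file is not in this chunk, so I cannot confirm the order, but the dependency is worth a line in the packaging notes. The resulting `tests/qemu-iotests/group` also lists 283 after 289 rather than in numeric order, which presumably only affects readability since the file is consumed as a flat list. The patch header's `Origin:` was switched from `backport` to `upstream` with the stable-branch hash, which matches the added `(cherry picked from commit ...)` trailer.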
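diff --git a/debian/patches/stable/lp-1891877-m68k-Fix-regression-causing-Single-Step-via-GDB-RSP-.patch b/debian/patches/stable/lp-1891877-m68k-Fix-regression-causing-Single-Step-via-GDB-RSP-.patch
new file mode 100644
index 0000000..1fa7179
--- /dev/null
+++ b/debian/patches/stable/lp-1891877-m68k-Fix-regression-causing-Single-Step-via-GDB-RSP-.patch
@@ -0,0 +1,108 @@
+From c44015c50c741ebc267e022542fc110ea97197a0 Mon Sep 17 00:00:00 2001
+From: Laurent Vivier <laurent@vivier.eu>
+Date: Thu, 16 Jan 2020 17:54:54 +0100
+Subject: [PATCH] m68k: Fix regression causing Single-Step via GDB/RSP to not
+ single step
+
+A regression that was introduced, with the refactor to TranslatorOps,
+drops two lines that update the PC when single-stepping is being performed.
+
+Fixes: 11ab74b01e0a ("target/m68k: Convert to TranslatorOps")
+Reported-by: Lucien Murray-Pitts <lucienmp_antispam@yahoo.com>
+Suggested-by: Lucien Murray-Pitts <lucienmp_antispam@yahoo.com>
+Suggested-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Signed-off-by: Laurent Vivier <laurent@vivier.eu>
+Message-Id: <20200116165454.2076265-1-laurent@vivier.eu>
+(cherry picked from commit 322f244aaa80a5208090d41481c1c09c6face66b)
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=c44015c50c
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
+Last-Update: 2020-08-19
+
+---
+ target/m68k/translate.c | 42 ++++++++++++++++++++++++++---------------
+ 1 file changed, 27 insertions(+), 15 deletions(-)
+
+diff --git a/target/m68k/translate.c b/target/m68k/translate.c
+index fcdb7bc8e4..16fae5ac9e 100644
+--- a/target/m68k/translate.c
++++ b/target/m68k/translate.c
+@@ -289,16 +289,21 @@ static void gen_jmp(DisasContext *s, TCGv dest)
+ s->base.is_jmp = DISAS_JUMP;
+ }
+
+-static void gen_exception(DisasContext *s, uint32_t dest, int nr)
++static void gen_raise_exception(int nr)
+ {
+ TCGv_i32 tmp;
+
+- update_cc_op(s);
+- tcg_gen_movi_i32(QREG_PC, dest);
+-
+ tmp = tcg_const_i32(nr);
+ gen_helper_raise_exception(cpu_env, tmp);
+ tcg_temp_free_i32(tmp);
++}
++
++static void gen_exception(DisasContext *s, uint32_t dest, int nr)
++{
++ update_cc_op(s);
++ tcg_gen_movi_i32(QREG_PC, dest);
++
++ gen_raise_exception(nr);
+
+ s->base.is_jmp = DISAS_NORETURN;
+ }
+@@ -6198,29 +6203,36 @@ static void m68k_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
+ {
+ DisasContext *dc = container_of(dcbase, DisasContext, base);
+
+- if (dc->base.is_jmp == DISAS_NORETURN) {
+- return;
+- }
+- if (dc->base.singlestep_enabled) {
+- gen_helper_raise_exception(cpu_env, tcg_const_i32(EXCP_DEBUG));
+- return;
+- }
+-
+ switch (dc->base.is_jmp) {
++ case DISAS_NORETURN:
++ break;
+ case DISAS_TOO_MANY:
+ update_cc_op(dc);
+- gen_jmp_tb(dc, 0, dc->pc);
++ if (dc->base.singlestep_enabled) {
++ tcg_gen_movi_i32(QREG_PC, dc->pc);
++ gen_raise_exception(EXCP_DEBUG);
++ } else {
++ gen_jmp_tb(dc, 0, dc->pc);
++ }
+ break;
+ case DISAS_JUMP:
+ /* We updated CC_OP and PC in gen_jmp/gen_jmp_im. */
+- tcg_gen_lookup_and_goto_ptr();
++ if (dc->base.singlestep_enabled) {
++ gen_raise_exception(EXCP_DEBUG);
++ } else {
++ tcg_gen_lookup_and_goto_ptr();
++ }
+ break;
+ case DISAS_EXIT:
+ /*
+ * We updated CC_OP and PC in gen_exit_tb, but also modified
+ * other state that may require returning to the main loop.
+ */
+- tcg_gen_exit_tb(NULL, 0);
++ if (dc->base.singlestep_enabled) {
++ gen_raise_exception(EXCP_DEBUG);
++ } else {
++ tcg_gen_exit_tb(NULL, 0);
++ }
+ break;
+ default:
+ g_assert_not_reached();
+--
+2.28.0
+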
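Review bot: The new `gen_raise_exception(int nr)` helper in the inner target/m68k/translate.c hunk at line 289 has no comment stating that, unlike `gen_exception`, it leaves CC_OP and QREG_PC untouched, yet that is precisely the contract the three singlestep branches in `m68k_tr_tb_stop` rely on — DISAS_TOO_MANY writes QREG_PC itself before calling it, while DISAS_JUMP and DISAS_EXIT depend on PC having already been set, as their surviving comments say. A one-line header such as `/* Raise exception NR; CC_OP and PC must already have been set by the caller. */` would make that split explicit for the next person touching the single-step path. Since this file is a cherry-pick of upstream c44015c50c, that wording belongs upstream rather than as a local delta in the Ubuntu patch. The end of `m68k_tr_tb_stop` (the closing of the switch and the function) lies outside the hunk.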
4888diff --git a/debian/patches/stable/lp-1891877-migration-Rate-limit-inside-host-pages.patch b/debian/patches/stable/lp-1891877-migration-Rate-limit-inside-host-pages.patch
4889new file mode 100644
4890index 0000000..06e962f
4891--- /dev/null
4892+++ b/debian/patches/stable/lp-1891877-migration-Rate-limit-inside-host-pages.patch
4893@@ -0,0 +1,157 @@
4894+From 52771abbfa6775db8843f2ee365d45be169887cd Mon Sep 17 00:00:00 2001
4895+From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
4896+Date: Thu, 5 Dec 2019 10:29:18 +0000
4897+Subject: [PATCH] migration: Rate limit inside host pages
4898+
4899+When using hugepages, rate limiting is necessary within each huge
4900+page, since a 1G huge page can take a significant time to send, so
4901+you end up with bursty behaviour.
4902+
4903+Fixes: 4c011c37ecb3 ("postcopy: Send whole huge pages")
4904+Reported-by: Lin Ma <LMa@suse.com>
4905+Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
4906+Reviewed-by: Juan Quintela <quintela@redhat.com>
4907+Reviewed-by: Peter Xu <peterx@redhat.com>
4908+Signed-off-by: Juan Quintela <quintela@redhat.com>
4909+(cherry picked from commit 97e1e06780e70f6e98a0d2df881e0c0927d3aeb6)
4910+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4911+
4912+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=52771abbfa
4913+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
4914+Last-Update: 2020-08-19
4915+
4916+---
4917+ migration/migration.c | 57 ++++++++++++++++++++++++------------------
4918+ migration/migration.h | 1 +
4919+ migration/ram.c | 2 ++
4920+ migration/trace-events | 4 +--
4921+ 4 files changed, 37 insertions(+), 27 deletions(-)
4922+
4923+diff --git a/migration/migration.c b/migration/migration.c
4924+index 354ad072fa..27500d09a9 100644
4925+--- a/migration/migration.c
4926++++ b/migration/migration.c
4927+@@ -3224,6 +3224,37 @@ void migration_consume_urgent_request(void)
4928+ qemu_sem_wait(&migrate_get_current()->rate_limit_sem);
4929+ }
4930+
4931++/* Returns true if the rate limiting was broken by an urgent request */
4932++bool migration_rate_limit(void)
4933++{
4934++ int64_t now = qemu_clock_get_ms(QEMU_CLOCK_REALTIME);
4935++ MigrationState *s = migrate_get_current();
4936++
4937++ bool urgent = false;
4938++ migration_update_counters(s, now);
4939++ if (qemu_file_rate_limit(s->to_dst_file)) {
4940++ /*
4941++ * Wait for a delay to do rate limiting OR
4942++ * something urgent to post the semaphore.
4943++ */
4944++ int ms = s->iteration_start_time + BUFFER_DELAY - now;
4945++ trace_migration_rate_limit_pre(ms);
4946++ if (qemu_sem_timedwait(&s->rate_limit_sem, ms) == 0) {
4947++ /*
4948++ * We were woken by one or more urgent things but
4949++ * the timedwait will have consumed one of them.
4950++ * The service routine for the urgent wake will dec
4951++ * the semaphore itself for each item it consumes,
4952++ * so add this one we just eat back.
4953++ */
4954++ qemu_sem_post(&s->rate_limit_sem);
4955++ urgent = true;
4956++ }
4957++ trace_migration_rate_limit_post(urgent);
4958++ }
4959++ return urgent;
4960++}
4961++
4962+ /*
4963+ * Master migration thread on the source VM.
4964+ * It drives the migration and pumps the data down the outgoing channel.
4965+@@ -3290,8 +3321,6 @@ static void *migration_thread(void *opaque)
4966+ trace_migration_thread_setup_complete();
4967+
4968+ while (migration_is_active(s)) {
4969+- int64_t current_time;
4970+-
4971+ if (urgent || !qemu_file_rate_limit(s->to_dst_file)) {
4972+ MigIterateState iter_state = migration_iteration_run(s);
4973+ if (iter_state == MIG_ITERATE_SKIP) {
4974+@@ -3318,29 +3347,7 @@ static void *migration_thread(void *opaque)
4975+ update_iteration_initial_status(s);
4976+ }
4977+
4978+- current_time = qemu_clock_get_ms(QEMU_CLOCK_REALTIME);
4979+-
4980+- migration_update_counters(s, current_time);
4981+-
4982+- urgent = false;
4983+- if (qemu_file_rate_limit(s->to_dst_file)) {
4984+- /* Wait for a delay to do rate limiting OR
4985+- * something urgent to post the semaphore.
4986+- */
4987+- int ms = s->iteration_start_time + BUFFER_DELAY - current_time;
4988+- trace_migration_thread_ratelimit_pre(ms);
4989+- if (qemu_sem_timedwait(&s->rate_limit_sem, ms) == 0) {
4990+- /* We were worken by one or more urgent things but
4991+- * the timedwait will have consumed one of them.
4992+- * The service routine for the urgent wake will dec
4993+- * the semaphore itself for each item it consumes,
4994+- * so add this one we just eat back.
4995+- */
4996+- qemu_sem_post(&s->rate_limit_sem);
4997+- urgent = true;
4998+- }
4999+- trace_migration_thread_ratelimit_post(urgent);
5000+- }