Accepting request 664460 from Virtualization

OBS-URL: https://build.opensuse.org/request/show/664460
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/qemu?expand=0&rev=149

0001-XXX-dont-dump-core-on-sigabort.patch

@@ -1,7 +1,6 @@
-From 832434a783511ecfd30db4d718dcf15210da866e Mon Sep 17 00:00:00 2001
 From: Alexander Graf <agraf@suse.de>
 Date: Mon, 21 Nov 2011 23:50:36 +0100
-Subject: [PATCH] XXX dont dump core on sigabort
+Subject: XXX dont dump core on sigabort
 
 Signed-off-by: Bruce Rogers <brogers@suse.com>
 ---

0002-qemu-binfmt-conf-Modify-default-pat.patch

@@ -1,7 +1,6 @@
-From ecb8f5651091fb6538366fefc43ecd095328194a Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Andreas=20F=C3=A4rber?= <afaerber@suse.de>
 Date: Wed, 10 Aug 2016 19:00:24 +0200
-Subject: [PATCH] qemu-binfmt-conf: Modify default path
+Subject: qemu-binfmt-conf: Modify default path
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit

0003-qemu-cvs-gettimeofday.patch

@@ -1,7 +1,6 @@
-From 540d7a5df50656e9ec56cc78c909c36382814e54 Mon Sep 17 00:00:00 2001
 From: Ulrich Hecht <uli@suse.de>
 Date: Tue, 14 Apr 2009 16:25:41 +0200
-Subject: [PATCH] qemu-cvs-gettimeofday
+Subject: qemu-cvs-gettimeofday
 
 No clue what this is for.
 

0004-qemu-cvs-ioctl_debug.patch

@@ -1,7 +1,6 @@
-From 4b8064e9cf51af12d6c57a56fc795774eaf84ade Mon Sep 17 00:00:00 2001
 From: Alexander Graf <agraf@suse.de>
 Date: Tue, 14 Apr 2009 16:26:33 +0200
-Subject: [PATCH] qemu-cvs-ioctl_debug
+Subject: qemu-cvs-ioctl_debug
 
 Extends unsupported ioctl debug output.
 

0005-qemu-cvs-ioctl_nodirection.patch

@@ -1,7 +1,6 @@
-From ae20a979f7196eca1934f963b52a657374f1ac10 Mon Sep 17 00:00:00 2001
 From: Alexander Graf <agraf@suse.de>
 Date: Tue, 14 Apr 2009 16:27:36 +0200
-Subject: [PATCH] qemu-cvs-ioctl_nodirection
+Subject: qemu-cvs-ioctl_nodirection
 
 the direction given in the ioctl should be correct so we can assume the
 communication is uni-directional. The alsa developers did not like this

0006-linux-user-add-binfmt-wrapper-for-a.patch

@@ -1,7 +1,6 @@
-From 677597f3df31a00bfdfc515744a5acf20a20d204 Mon Sep 17 00:00:00 2001
 From: Alexander Graf <agraf@suse.de>
 Date: Fri, 30 Sep 2011 19:40:36 +0200
-Subject: [PATCH] linux-user: add binfmt wrapper for argv[0] handling
+Subject: linux-user: add binfmt wrapper for argv[0] handling
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit

0007-PPC-KVM-Disable-mmu-notifier-check.patch

@@ -1,7 +1,6 @@
-From 698f8163ca702dd9b7c5e456907178579b7bf4a0 Mon Sep 17 00:00:00 2001
 From: Alexander Graf <agraf@suse.de>
 Date: Fri, 6 Jan 2012 01:05:55 +0100
-Subject: [PATCH] PPC: KVM: Disable mmu notifier check
+Subject: PPC: KVM: Disable mmu notifier check
 
 When using hugetlbfs (which is required for HV mode KVM on 970), we
 check for MMU notifiers that on 970 can not be implemented properly.

0008-linux-user-binfmt-support-host-bina.patch

@@ -1,7 +1,6 @@
-From 73f6e4c049e433b4f492916e7366aedd3a970edb Mon Sep 17 00:00:00 2001
 From: Alexander Graf <agraf@suse.de>
 Date: Thu, 2 Feb 2012 18:02:33 +0100
-Subject: [PATCH] linux-user: binfmt: support host binaries
+Subject: linux-user: binfmt: support host binaries
 
 When we have a working host binary equivalent for the guest binary we're
 trying to run, let's just use that instead as it will be a lot faster.

0009-linux-user-Fake-proc-cpuinfo.patch

@@ -1,7 +1,6 @@
-From 650ba31a809fe4d89bf3a0625c07729bbf5af035 Mon Sep 17 00:00:00 2001
 From: Alexander Graf <agraf@suse.de>
 Date: Mon, 23 Jul 2012 10:24:14 +0200
-Subject: [PATCH] linux-user: Fake /proc/cpuinfo
+Subject: linux-user: Fake /proc/cpuinfo
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit

0010-Remove-problematic-evdev-86-key-fro.patch

@@ -1,7 +1,6 @@
-From 1e6c62c45c22da52f13ab2c1aefd0544c0307549 Mon Sep 17 00:00:00 2001
 From: Adam Williamson <awilliam@redhat.com>
 Date: Wed, 20 Dec 2017 15:43:07 -0800
-Subject: [PATCH] Remove problematic 'evdev 86' key from en-us keymap
+Subject: Remove problematic 'evdev 86' key from en-us keymap
 
 This causes LP#1738283. Gerd will have to come up with a better
 fix, but just hacking out the problematic key definition should

0011-linux-user-use-target_ulong.patch

@@ -1,7 +1,6 @@
-From a4464c46f03789eae3abf93281f1addcbdb53da0 Mon Sep 17 00:00:00 2001
 From: Alexander Graf <agraf@suse.de>
 Date: Tue, 9 Oct 2012 09:06:49 +0200
-Subject: [PATCH] linux-user: use target_ulong
+Subject: linux-user: use target_ulong
 
 Linux syscalls pass pointers or data length or other information of that sort
 to the kernel. This is all stuff you don't want to have sign extended.

0012-Make-char-muxer-more-robust-wrt-sma.patch

@@ -1,7 +1,6 @@
-From 35506374079e31a526a7206813ef8f89aecaa04c Mon Sep 17 00:00:00 2001
 From: Alexander Graf <agraf@suse.de>
 Date: Thu, 1 Apr 2010 17:36:23 +0200
-Subject: [PATCH] Make char muxer more robust wrt small FIFOs
+Subject: Make char muxer more robust wrt small FIFOs
 
 Virtio-Console can only process one character at a time. Using it on S390
 gave me strage "lags" where I got the character I pressed before when

0013-linux-user-lseek-explicitly-cast-no.patch

@@ -1,7 +1,6 @@
-From 02ce2ef5ff260d7ef395aa31dabd757776a6b67f Mon Sep 17 00:00:00 2001
 From: Alexander Graf <agraf@suse.de>
 Date: Thu, 13 Dec 2012 14:29:22 +0100
-Subject: [PATCH] linux-user: lseek: explicitly cast non-set offsets to signed
+Subject: linux-user: lseek: explicitly cast non-set offsets to signed
 
 When doing lseek, SEEK_SET indicates that the offset is an unsigned variable.
 Other seek types have parameters that can be negative.

0014-AIO-Reduce-number-of-threads-for-32.patch

@@ -1,7 +1,6 @@
-From a2de9e871de89fe1b188dfdb13cc6701eb302b00 Mon Sep 17 00:00:00 2001
 From: Alexander Graf <agraf@suse.de>
 Date: Wed, 14 Jan 2015 01:32:11 +0100
-Subject: [PATCH] AIO: Reduce number of threads for 32bit hosts
+Subject: AIO: Reduce number of threads for 32bit hosts
 
 On hosts with limited virtual address space (32bit pointers), we can very
 easily run out of virtual memory with big thread pools.

0015-xen_disk-Add-suse-specific-flush-di.patch

@@ -1,8 +1,7 @@
-From 59d91f48a4a839456fcff66ba375f5c01dd6c42c Mon Sep 17 00:00:00 2001
 From: Bruce Rogers <brogers@suse.com>
 Date: Wed, 9 Mar 2016 15:18:11 -0700
-Subject: [PATCH] xen_disk: Add suse specific flush disable handling and map to
- QEMU equiv
+Subject: xen_disk: Add suse specific flush disable handling and map to QEMU
+ equiv
 
 Add code to read the suse specific suse-diskcache-disable-flush flag out
 of xenstore, and set the equivalent flag within QEMU.

0016-qemu-bridge-helper-reduce-security-.patch

@@ -1,7 +1,6 @@
-From 12e80a565b210d70bc2a230e808ed6102ec3b123 Mon Sep 17 00:00:00 2001
 From: Bruce Rogers <brogers@suse.com>
 Date: Tue, 2 Aug 2016 11:36:02 -0600
-Subject: [PATCH] qemu-bridge-helper: reduce security profile
+Subject: qemu-bridge-helper: reduce security profile
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit

0017-qemu-binfmt-conf-use-qemu-ARCH-binf.patch

@@ -1,7 +1,6 @@
-From 8d32cd58427d7207c1ab44b666a7faf09e270c1b Mon Sep 17 00:00:00 2001
 From: Andreas Schwab <schwab@suse.de>
 Date: Fri, 12 Aug 2016 18:20:49 +0200
-Subject: [PATCH] qemu-binfmt-conf: use qemu-ARCH-binfmt
+Subject: qemu-binfmt-conf: use qemu-ARCH-binfmt
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit

0018-linux-user-properly-test-for-infini.patch

@@ -1,7 +1,6 @@
-From 28321798381384bff19f886b167e25dc15e9fcdf Mon Sep 17 00:00:00 2001
 From: Andreas Schwab <schwab@linux-m68k.org>
 Date: Thu, 8 Sep 2016 11:21:05 +0200
-Subject: [PATCH] linux-user: properly test for infinite timeout in poll (#8)
+Subject: linux-user: properly test for infinite timeout in poll (#8)
 
 After "linux-user: use target_ulong" the poll syscall was no longer
 handling infinite timeout.

0019-roms-Makefile-pass-a-packaging-time.patch

@@ -1,8 +1,7 @@
-From 2df2bfd0ca9aabad27114bb778863cfeb76ca111 Mon Sep 17 00:00:00 2001
 From: Bruce Rogers <brogers@suse.com>
 Date: Sat, 19 Nov 2016 08:06:30 -0700
-Subject: [PATCH] roms/Makefile: pass a packaging timestamp to subpackages with
- date info
+Subject: roms/Makefile: pass a packaging timestamp to subpackages with date
+ info
 
 Certain rom subpackages build from qemu git-submodules call the date
 program to include date information in the packaged binaries. This

0020-Raise-soft-address-space-limit-to-h.patch

@@ -1,7 +1,6 @@
-From 544752d713e0a6a8a00cae1cbd902d95944d68a2 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Andreas=20F=C3=A4rber?= <afaerber@suse.de>
 Date: Sun, 15 Jan 2012 19:53:49 +0100
-Subject: [PATCH] Raise soft address space limit to hard limit
+Subject: Raise soft address space limit to hard limit
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit

0021-increase-x86_64-physical-bits-to-42.patch

@@ -1,7 +1,6 @@
-From da91336daba1034e76118bb089beb312124f0e90 Mon Sep 17 00:00:00 2001
 From: Bruce Rogers <brogers@suse.com>
 Date: Fri, 17 May 2013 16:49:58 -0600
-Subject: [PATCH] increase x86_64 physical bits to 42
+Subject: increase x86_64 physical bits to 42
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit

0022-vga-Raise-VRAM-to-16-MiB-for-pc-0.1.patch

@@ -1,7 +1,6 @@
-From 3643b477312298e50ad42cc9ee4b0e047521c1cb Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Andreas=20F=C3=A4rber?= <afaerber@suse.de>
 Date: Wed, 12 Jun 2013 19:26:37 +0200
-Subject: [PATCH] vga: Raise VRAM to 16 MiB for pc-0.15 and below
+Subject: vga: Raise VRAM to 16 MiB for pc-0.15 and below
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit

0023-i8254-Fix-migration-from-SLE11-SP2.patch

@@ -1,7 +1,6 @@
-From 52eec29e3edc64659edd2911aae28d82a8893528 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Andreas=20F=C3=A4rber?= <afaerber@suse.de>
 Date: Wed, 31 Jul 2013 17:05:29 +0200
-Subject: [PATCH] i8254: Fix migration from SLE11 SP2
+Subject: i8254: Fix migration from SLE11 SP2
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit

0024-acpi_piix4-Fix-migration-from-SLE11.patch

@@ -1,7 +1,6 @@
-From 292bd3fb22d5487b3deecd660d2ab8d0d24d0c82 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Andreas=20F=C3=A4rber?= <afaerber@suse.de>
 Date: Wed, 31 Jul 2013 17:32:35 +0200
-Subject: [PATCH] acpi_piix4: Fix migration from SLE11 SP2
+Subject: acpi_piix4: Fix migration from SLE11 SP2
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit

0025-Fix-tigervnc-long-press-issue.patch

@@ -1,7 +1,6 @@
-From 8616cd9931328170f8a4a3ecae6dda9d180601b8 Mon Sep 17 00:00:00 2001
 From: Chunyan Liu <cyliu@suse.com>
 Date: Thu, 3 Mar 2016 16:48:17 +0800
-Subject: [PATCH] Fix tigervnc long press issue
+Subject: Fix tigervnc long press issue
 
 Using xen tools 'xl vncviewer' with tigervnc (default on SLE-12),
 found that: the display of the guest is unexpected while keep

0026-string-input-visitor-Fix-uint64-par.patch

@@ -1,7 +1,6 @@
-From 259d16f0a869f9d2371036a20fb5ff19980e61b8 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Andreas=20F=C3=A4rber?= <afaerber@suse.de>
 Date: Thu, 24 Sep 2015 19:21:11 +0200
-Subject: [PATCH] string-input-visitor: Fix uint64 parsing
+Subject: string-input-visitor: Fix uint64 parsing
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit

0027-test-string-input-visitor-Add-int-t.patch

@@ -1,7 +1,6 @@
-From 1729f9280988abd42f94d5f9a4bae20febac90cb Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Andreas=20F=C3=A4rber?= <afaerber@suse.de>
 Date: Thu, 24 Sep 2015 19:23:50 +0200
-Subject: [PATCH] test-string-input-visitor: Add int test case
+Subject: test-string-input-visitor: Add int test case
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit

0028-test-string-input-visitor-Add-uint6.patch

@@ -1,7 +1,6 @@
-From 327e8a8a3e53dd39c6966dac5428e440ec376514 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Andreas=20F=C3=A4rber?= <afaerber@suse.de>
 Date: Thu, 24 Sep 2015 19:24:23 +0200
-Subject: [PATCH] test-string-input-visitor: Add uint64 test
+Subject: test-string-input-visitor: Add uint64 test
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit

0029-tests-Add-QOM-property-unit-tests.patch

@@ -1,7 +1,6 @@
-From 310ea98c034bd4c957375b3ebb02b6d43e8d8c09 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Andreas=20F=C3=A4rber?= <afaerber@suse.de>
 Date: Sun, 6 Sep 2015 20:12:42 +0200
-Subject: [PATCH] tests: Add QOM property unit tests
+Subject: tests: Add QOM property unit tests
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit

0030-tests-Add-scsi-disk-test.patch

@@ -1,7 +1,6 @@
-From 3c695b87e039baa1539d8855aeda4ee072bc6a42 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Andreas=20F=C3=A4rber?= <afaerber@suse.de>
 Date: Fri, 25 Sep 2015 12:31:11 +0200
-Subject: [PATCH] tests: Add scsi-disk test
+Subject: tests: Add scsi-disk test
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit

0031-Switch-order-of-libraries-for-mpath.patch

@@ -1,7 +1,6 @@
-From bd18c7118a50c88b572a0df2f7cc24562ea20767 Mon Sep 17 00:00:00 2001
 From: Bruce Rogers <brogers@suse.com>
 Date: Fri, 3 Nov 2017 11:12:40 -0600
-Subject: [PATCH] Switch order of libraries for mpath support
+Subject: Switch order of libraries for mpath support
 
 Signed-off-by: Bruce Rogers <brogers@suse.com>
 ---

0032-Make-installed-scripts-explicitly-p.patch

@@ -1,7 +1,6 @@
-From fac5e1c088d083876e9a707e0f7e9d6d05d092c0 Mon Sep 17 00:00:00 2001
 From: Bruce Rogers <brogers@suse.com>
 Date: Thu, 25 Jan 2018 14:16:10 -0700
-Subject: [PATCH] Make installed scripts explicitly python3
+Subject: Make installed scripts explicitly python3
 
 We want to expliitly reference python3 in the scripts we install.
 

0033-smbios-Add-1-terminator-if-any-stri.patch

@@ -1,8 +1,6 @@
-From f6b18bb5a86c6bcff0589078e156c116fb3a95af Mon Sep 17 00:00:00 2001
 From: Lin Ma <lma@suse.com>
 Date: Wed, 14 Mar 2018 14:31:26 +0800
-Subject: [PATCH] smbios: Add 1 terminator if any string fields defined in
- given table.
+Subject: smbios: Add 1 terminator if any string fields defined in given table.
 
 If user specifies smbios table files through qemu command line, Then will
 get error messages while decoding those table content in guest.

0034-qemu-io-tests-comment-out-problemat.patch

@@ -1,7 +1,6 @@
-From 9684904be240ac18d63e9b1e8f3293d80a028abe Mon Sep 17 00:00:00 2001
 From: Bruce Rogers <brogers@suse.com>
 Date: Fri, 6 Apr 2018 13:33:31 -0600
-Subject: [PATCH] qemu-io tests: comment out problematic block io tests issues
+Subject: qemu-io tests: comment out problematic block io tests issues
 
 The following issues are seen:
 153 - error resulting from failed to get "write" lock

0035-tests-test-thread-pool-is-racy-add-.patch

@@ -1,7 +1,6 @@
-From d58238438527d65192caa54feac77221880b3ba2 Mon Sep 17 00:00:00 2001
 From: Bruce Rogers <brogers@suse.com>
 Date: Fri, 13 Apr 2018 11:46:47 -0600
-Subject: [PATCH] tests: test-thread-pool is racy - add some barriers
+Subject: tests: test-thread-pool is racy - add some barriers
 
 I imagine there is more to be done to fix the memory consistency
 races here, but these added barriers at least let it pass on ppc64le,

0036-xen-add-block-resize-support-for-xe.patch

@@ -1,7 +1,6 @@
-From 197d3a02669dce7d0ac0207cea5c989cc12b391d Mon Sep 17 00:00:00 2001
 From: Bruce Rogers <brogers@suse.com>
 Date: Fri, 8 Jun 2018 11:04:36 -0600
-Subject: [PATCH] xen: add block resize support for xen disks
+Subject: xen: add block resize support for xen disks
 
 Provide monitor naming of xen disks, and plumb guest driver
 notification through xenstore of resizing instigated via the

0037-tests-qemu-iotests-Triple-timeout-o.patch

@@ -1,7 +1,6 @@
-From ea96fb81295d2c6e5ed20201dc3c9583d2b8bb4c Mon Sep 17 00:00:00 2001
 From: Bruce Rogers <brogers@suse.com>
 Date: Tue, 20 Nov 2018 15:46:41 -0700
-Subject: [PATCH] tests/qemu-iotests: Triple timeout of i/o tests due to obs
+Subject: tests/qemu-iotests: Triple timeout of i/o tests due to obs
  environment
 
 Executing tests in obs is very fickle, since you aren't guaranteed

0038-tests-block-io-test-130-needs-some-.patch

@@ -1,7 +1,6 @@
-From 20ab0810e2eab9dc47fab57bb1949e1a84c8cba5 Mon Sep 17 00:00:00 2001
 From: Bruce Rogers <brogers@suse.com>
 Date: Sun, 25 Nov 2018 18:01:36 -0700
-Subject: [PATCH] tests: block-io test 130 needs some delays
+Subject: tests: block-io test 130 needs some delays
 
 I haven't figured out exactly the best solution, but we need some delays
 in this test.

0039-xen_disk-Avoid-repeated-memory-allo.patch

@@ -1,7 +1,6 @@
-From f88c2f1b54da7a92420724189a6df37e6b3faed3 Mon Sep 17 00:00:00 2001
 From: Tim Smith <tim.smith@citrix.com>
 Date: Fri, 2 Nov 2018 10:01:09 +0000
-Subject: [PATCH] xen_disk: Avoid repeated memory allocation
+Subject: xen_disk: Avoid repeated memory allocation
 
 xen_disk currently allocates memory to hold the data for each ioreq
 as that ioreq is used, and frees it afterwards. Because it requires
@@ -15,14 +14,14 @@ Since the ioreqs themselves are re-used via a free list, this
 should actually improve memory usage.
 
 Signed-off-by: Tim Smith <tim.smith@citrix.com>
-[BSC#1100408]
+[BR: BSC#1100408]
 Signed-off-by: Bruce Rogers <brogers@suse.com>
 ---
- hw/block/xen_disk.c | 7 ++-----
- 1 file changed, 2 insertions(+), 5 deletions(-)
+ hw/block/xen_disk.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
 
 diff --git a/hw/block/xen_disk.c b/hw/block/xen_disk.c
-index d9a55faf27..e9501ee34c 100644
+index d9a55faf27..df99162520 100644
 --- a/hw/block/xen_disk.c
 +++ b/hw/block/xen_disk.c
 @@ -110,7 +110,6 @@ static void ioreq_reset(struct ioreq *ioreq)
@@ -33,15 +32,17 @@ index d9a55faf27..e9501ee34c 100644
      ioreq->size = 0;
      ioreq->presync = 0;
  
-@@ -135,6 +134,7 @@ static struct ioreq *ioreq_start(struct XenBlkDev *blkdev)
+@@ -135,6 +134,9 @@ static struct ioreq *ioreq_start(struct XenBlkDev *blkdev)
          /* allocate new struct */
          ioreq = g_malloc0(sizeof(*ioreq));
          ioreq->blkdev = blkdev;
-+        ioreq->buf = qemu_memalign(XC_PAGE_SIZE, BLKIF_MAX_SEGMENTS_PER_REQUEST * XC_PAGE_SIZE);
++        ioreq->buf = qemu_memalign(XC_PAGE_SIZE,
++                                   BLKIF_MAX_SEGMENTS_PER_REQUEST *
++                                   XC_PAGE_SIZE);
          blkdev->requests_total++;
          qemu_iovec_init(&ioreq->v, 1);
      } else {
-@@ -317,14 +317,12 @@ static void qemu_aio_complete(void *opaque, int ret)
+@@ -317,14 +319,12 @@ static void qemu_aio_complete(void *opaque, int ret)
          if (ret == 0) {
              ioreq_grant_copy(ioreq);
          }
@@ -56,7 +57,7 @@ index d9a55faf27..e9501ee34c 100644
          break;
      default:
          break;
-@@ -392,12 +390,10 @@ static int ioreq_runio_qemu_aio(struct ioreq *ioreq)
+@@ -392,12 +392,10 @@ static int ioreq_runio_qemu_aio(struct ioreq *ioreq)
  {
      struct XenBlkDev *blkdev = ioreq->blkdev;
  
@@ -69,7 +70,7 @@ index d9a55faf27..e9501ee34c 100644
          goto err;
      }
  
-@@ -1007,6 +1003,7 @@ static int blk_free(struct XenDevice *xendev)
+@@ -1007,6 +1005,7 @@ static int blk_free(struct XenDevice *xendev)
          ioreq = QLIST_FIRST(&blkdev->freelist);
          QLIST_REMOVE(ioreq, list);
          qemu_iovec_destroy(&ioreq->v);

0040-xen-ignore-live-parameter-from-xen-.patch

@@ -0,0 +1,39 @@
+From: Olaf Hering <olaf@aepfle.de>
+Date: Tue, 8 Jan 2019 14:20:08 +0100
+Subject: xen: ignore live parameter from xen-save-devices-state
+
+The final step of xl migrate|save for an HVM domU is saving the state of
+qemu. This also involves releasing all block devices. While releasing
+backends ought to be a separate step, such functionality is not
+implemented.
+
+Unfortunately, releasing the block devices depends on the optional
+'live' option. This breaks offline migration with 'virsh migrate domU
+dom0' because the sending side does not release the disks, as a result
+the receiving side can not properly claim write access to the disks.
+
+As a minimal fix, remove the dependency on the 'live' option. Upstream
+may fix this in a different way, like removing the newly added 'live'
+parameter entirely.
+
+Fixes: 5d6c599fe1 ("migration, xen: Fix block image lock issue on live migration")
+
+Signed-off-by: Olaf Hering <olaf@aepfle.de>
+[BSC#1079730, BSC#1101982, BSC#1063993]
+---
+ migration/savevm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/migration/savevm.c b/migration/savevm.c
+index 9e45fb4f3f..47d4c51186 100644
+--- a/migration/savevm.c
++++ b/migration/savevm.c
+@@ -2602,7 +2602,7 @@ void qmp_xen_save_devices_state(const char *filename, bool has_live, bool live,
+          * So call bdrv_inactivate_all (release locks) here to let the other
+          * side of the migration take controle of the images.
+          */
+-        if (live && !saved_vm_running) {
++        if (!saved_vm_running) {
+             ret = bdrv_inactivate_all();
+             if (ret) {
+                 error_setg(errp, "%s: bdrv_inactivate_all() failed (%d)",

0041-vfio-ap-flag-as-compatible-with-bal.patch

@@ -0,0 +1,40 @@
+From: Cornelia Huck <cohuck@redhat.com>
+Date: Wed, 5 Dec 2018 15:35:03 +0100
+Subject: vfio-ap: flag as compatible with balloon
+
+vfio-ap devices do not pin any pages in the host. Therefore, they
+are compatible with memory ballooning.
+
+Flag them as compatible, so both vfio-ap and a balloon can be
+used simultaneously.
+
+Cc: qemu-stable@nongnu.org
+Acked-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Tested-by: Tony Krowiak <akrowiak@linux.ibm.com>
+Reviewed-by: Halil Pasic <pasic@linux.ibm.com>
+Signed-off-by: Cornelia Huck <cohuck@redhat.com>
+(cherry picked from commit 1883e8fc8005e9ef452890a075bae98e8c432968)
+Signed-off-by: Bruce Rogers <brogers@suse.com>
+---
+ hw/vfio/ap.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/hw/vfio/ap.c b/hw/vfio/ap.c
+index 65de952f44..0a25f5e096 100644
+--- a/hw/vfio/ap.c
++++ b/hw/vfio/ap.c
+@@ -104,6 +104,14 @@ static void vfio_ap_realize(DeviceState *dev, Error **errp)
+     vapdev->vdev.name = g_strdup_printf("%s", mdevid);
+     vapdev->vdev.dev = dev;
+ 
++    /*
++     * vfio-ap devices operate in a way compatible with
++     * memory ballooning, as no pages are pinned in the host.
++     * This needs to be set before vfio_get_device() for vfio common to
++     * handle the balloon inhibitor.
++     */
++    vapdev->vdev.balloon_allowed = true;
++
+     ret = vfio_get_device(vfio_group, mdevid, &vapdev->vdev, &local_err);
+     if (ret) {
+         goto out_get_dev_err;

0042-hw-s390x-Fix-bad-mask-in-time2tod.patch

@@ -0,0 +1,35 @@
+From: Thomas Huth <thuth@redhat.com>
+Date: Fri, 14 Dec 2018 14:08:07 +0100
+Subject: hw/s390x: Fix bad mask in time2tod()
+
+Since "s390x/tcg: avoid overflows in time2tod/tod2time", the
+time2tod() function tries to deal with the 9 uppermost bits in the
+time value, but uses the wrong mask for this: 0xff80000000000000 should
+be used instead of 0xff10000000000000 here.
+
+Fixes: 14055ce53c2d901d826ffad7fb7d6bb8ab46bdfd
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+Message-Id: <1544792887-14575-1-git-send-email-thuth@redhat.com>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+[CH: tweaked commit message]
+(cherry picked from commit aba7a5a2de3dba5917024df25441f715b9249e31)
+Signed-off-by: Cornelia Huck <cohuck@redhat.com>
+Signed-off-by: Bruce Rogers <brogers@suse.com>
+---
+ include/hw/s390x/tod.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/hw/s390x/tod.h b/include/hw/s390x/tod.h
+index 413c0d7c02..442f45b2f5 100644
+--- a/include/hw/s390x/tod.h
++++ b/include/hw/s390x/tod.h
+@@ -50,7 +50,7 @@ typedef struct S390TODClass {
+ /* Converts ns to s390's clock format */
+ static inline uint64_t time2tod(uint64_t ns)
+ {
+-    return (ns << 9) / 125 + (((ns & 0xff10000000000000ull) / 125) << 9);
++    return (ns << 9) / 125 + (((ns & 0xff80000000000000ull) / 125) << 9);
+ }
+ 
+ /* Converts s390's clock format to ns */

0043-pcie-set-link-state-inactive-active.patch

@@ -0,0 +1,102 @@
+From: Zheng Xiang <zhengxiang9@huawei.com>
+Date: Mon, 3 Dec 2018 15:05:17 +0800
+Subject: pcie: set link state inactive/active after hot unplug/plug
+
+When VM boots from the latest version of linux kernel, after
+hot-unpluging virtio-blk disks which are hotplugged into
+pcie-root-port, the VM's dmesg log shows:
+
+[  151.046242] pciehp 0000:00:05.0:pcie004: pending interrupts 0x0001 from Slot Status
+[  151.046365] pciehp 0000:00:05.0:pcie004: Slot(0-3): Attention button pressed
+[  151.046369] pciehp 0000:00:05.0:pcie004: Slot(0-3): Powering off due to button press
+[  151.046420] pciehp 0000:00:05.0:pcie004: pending interrupts 0x0010 from Slot Status
+[  151.046425] pciehp 0000:00:05.0:pcie004: pciehp_green_led_blink: SLOTCTRL a8 write cmd 200
+[  151.046464] pciehp 0000:00:05.0:pcie004: pending interrupts 0x0010 from Slot Status
+[  151.046468] pciehp 0000:00:05.0:pcie004: pciehp_set_attention_status: SLOTCTRL a8 write cmd c0
+[  156.163421] pciehp 0000:00:05.0:pcie004: pciehp_get_power_status: SLOTCTRL a8 value read 2f1
+[  156.163427] pciehp 0000:00:05.0:pcie004: pciehp_unconfigure_device: domain:bus:dev = 0000:06:00
+[  156.198736] pciehp 0000:00:05.0:pcie004: pending interrupts 0x0010 from Slot Status
+[  156.198772] pciehp 0000:00:05.0:pcie004: pciehp_power_off_slot: SLOTCTRL a8 write cmd 400
+[  157.224124] pciehp 0000:00:05.0:pcie004: pending interrupts 0x0018 from Slot Status
+[  157.224194] pciehp 0000:00:05.0:pcie004: pciehp_green_led_off: SLOTCTRL a8 write cmd 300
+[  157.224220] pciehp 0000:00:05.0:pcie004: pciehp_check_link_active: lnk_status = 2011
+[  157.224223] pciehp 0000:00:05.0:pcie004: Slot(0-3): Link Up
+[  157.224233] pciehp 0000:00:05.0:pcie004: pciehp_get_power_status: SLOTCTRL a8 value read 7f1
+[  157.224281] pciehp 0000:00:05.0:pcie004: pending interrupts 0x0010 from Slot Status
+[  157.224285] pciehp 0000:00:05.0:pcie004: pciehp_power_on_slot: SLOTCTRL a8 write cmd 0
+[  157.224300] pciehp 0000:00:05.0:pcie004: __pciehp_link_set: lnk_ctrl = 0
+[  157.224336] pciehp 0000:00:05.0:pcie004: pending interrupts 0x0010 from Slot Status
+[  157.224339] pciehp 0000:00:05.0:pcie004: pciehp_green_led_blink: SLOTCTRL a8 write cmd 200
+[  159.739294] pci 0000:06:00.0 id reading try 50 times with interval 20 ms to get ffffffff
+[  159.739315] pciehp 0000:00:05.0:pcie004: pciehp_check_link_status: lnk_status = 2011
+[  159.739318] pciehp 0000:00:05.0:pcie004: Failed to check link status
+[  159.739371] pciehp 0000:00:05.0:pcie004: pending interrupts 0x0010 from Slot Status
+[  159.739394] pciehp 0000:00:05.0:pcie004: pciehp_power_off_slot: SLOTCTRL a8 write cmd 400
+[  160.771426] pciehp 0000:00:05.0:pcie004: pending interrupts 0x0010 from Slot Status
+[  160.771452] pciehp 0000:00:05.0:pcie004: pciehp_green_led_off: SLOTCTRL a8 write cmd 300
+[  160.771495] pciehp 0000:00:05.0:pcie004: pending interrupts 0x0010 from Slot Status
+[  160.771499] pciehp 0000:00:05.0:pcie004: pciehp_set_attention_status: SLOTCTRL a8 write cmd 40
+[  160.771535] pciehp 0000:00:05.0:pcie004: pending interrupts 0x0010 from Slot Status
+[  160.771539] pciehp 0000:00:05.0:pcie004: pciehp_green_led_off: SLOTCTRL a8 write cmd 300
+
+After analyzing the log information, it seems that qemu doesn't
+change the Link Status from active to inactive after hot-unplug.
+This results in the abnormal log after the linux kernel commit
+d331710ea78fea merged.
+
+Furthermore, If I hotplug the same virtio-blk disk after hot-unplug,
+the virtio-blk would turn on and then back off.
+
+So this patch set the Link Status inactive after hot-unplug and
+active after hot-plug.
+
+Signed-off-by: Zheng Xiang <zhengxiang9@huawei.com>
+Signed-off-by: Zheng Xiang <xiang.zheng@linaro.org>
+Cc: Wang Haibin <wanghaibin.wang@huawei.com>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+(cherry picked from commit 2f2b18f60bf17453b4c01197a9316615a3c1f1de)
+Signed-off-by: Bruce Rogers <brogers@suse.com>
+---
+ hw/pci/pcie.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/hw/pci/pcie.c b/hw/pci/pcie.c
+index 6c91bd44a0..66b73b87c8 100644
+--- a/hw/pci/pcie.c
++++ b/hw/pci/pcie.c
+@@ -345,6 +345,10 @@ void pcie_cap_slot_hotplug_cb(HotplugHandler *hotplug_dev, DeviceState *dev,
+     if (!dev->hotplugged) {
+         pci_word_test_and_set_mask(exp_cap + PCI_EXP_SLTSTA,
+                                    PCI_EXP_SLTSTA_PDS);
++        if (pci_dev->cap_present & QEMU_PCIE_LNKSTA_DLLLA) {
++            pci_word_test_and_set_mask(exp_cap + PCI_EXP_LNKSTA,
++                                       PCI_EXP_LNKSTA_DLLLA);
++        }
+         return;
+     }
+ 
+@@ -355,6 +359,10 @@ void pcie_cap_slot_hotplug_cb(HotplugHandler *hotplug_dev, DeviceState *dev,
+     if (pci_get_function_0(pci_dev)) {
+         pci_word_test_and_set_mask(exp_cap + PCI_EXP_SLTSTA,
+                                    PCI_EXP_SLTSTA_PDS);
++        if (pci_dev->cap_present & QEMU_PCIE_LNKSTA_DLLLA) {
++            pci_word_test_and_set_mask(exp_cap + PCI_EXP_LNKSTA,
++                                       PCI_EXP_LNKSTA_DLLLA);
++        }
+         pcie_cap_slot_event(PCI_DEVICE(hotplug_dev),
+                             PCI_EXP_HP_EV_PDC | PCI_EXP_HP_EV_ABP);
+     }
+@@ -531,6 +539,10 @@ void pcie_cap_slot_write_config(PCIDevice *dev,
+ 
+         pci_word_test_and_clear_mask(exp_cap + PCI_EXP_SLTSTA,
+                                      PCI_EXP_SLTSTA_PDS);
++        if (dev->cap_present & QEMU_PCIE_LNKSTA_DLLLA) {
++            pci_word_test_and_clear_mask(exp_cap + PCI_EXP_LNKSTA,
++                                         PCI_EXP_LNKSTA_DLLLA);
++        }
+         pci_word_test_and_set_mask(exp_cap + PCI_EXP_SLTSTA,
+                                        PCI_EXP_SLTSTA_PDC);
+     }

0044-pc-piix4-Update-smbus-I-O-space-aft.patch

@@ -0,0 +1,30 @@
+From: Corey Minyard <cminyard@mvista.com>
+Date: Mon, 26 Nov 2018 12:28:44 -0600
+Subject: pc:piix4: Update smbus I/O space after a migration
+
+Otherwise it won't be set up correctly and won't work after
+miigration.
+
+Signed-off-by: Corey Minyard <cminyard@mvista.com>
+Cc: Igor Mammedov <imammedo@redhat.com>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+(cherry picked from commit 2b4e573c7c7b9a698ba6931ba456bbd8d3d8c84c)
+Signed-off-by: Bruce Rogers <brogers@suse.com>
+---
+ hw/acpi/piix4.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/acpi/piix4.c b/hw/acpi/piix4.c
+index b0bd10b3f9..fb3620e6c0 100644
+--- a/hw/acpi/piix4.c
++++ b/hw/acpi/piix4.c
+@@ -173,6 +173,7 @@ static int vmstate_acpi_post_load(void *opaque, int version_id)
+     PIIX4PMState *s = opaque;
+ 
+     pm_io_space_update(s);
++    smbus_io_space_update(s);
+     return 0;
+ }
+ 

0045-hw-usb-fix-mistaken-de-initializati.patch

@@ -0,0 +1,54 @@
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Wed, 9 Jan 2019 11:07:15 -0700
+Subject: hw/usb: fix mistaken de-initialization of CCID state
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Daniel P. Berrangé <berrange@redhat.com>
+
+In previous commit:
+
+  commit 7dea29e4af17fc1d27478de9f8ea38144deac54a
+  Author: Li Qiang <liq3ea@gmail.com>
+  Date:   Fri Oct 19 03:50:36 2018 -0700
+
+    hw: ccid-card-emulated: cleanup resource when realize in error path
+
+The emulated_realize method was changed so that it jumps to a cleanup
+label to de-initialize state upon error. This change failed to ensure
+the success path exited the method before this point though. So the
+mutexes are always destroyed even in normal operation. The result is
+as crashtastic as expected:
+
+$ qemu-system-x86_64 -usb -device usb-ccid,id=ccid0 -device ccid-card-emulated,backend=nss-emulated,id=smartcard0,bus=ccid0.0
+qemu-system-x86_64: util/qemu-thread-posix.c:64: qemu_mutex_lock_impl: Assertion `mutex->initialized' failed.
+Aborted (core dumped)
+
+Fixes: 7dea29e4af1
+Reported-by: Michael Tokarev <mjt@tls.msk.ru>
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: 20181221134115.27973-1-berrange@redhat.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit 3fd2092fd11b9e4220a08eca0663cc59178a6c3f)
+Signed-off-by: Bruce Rogers <brogers@suse.com>
+---
+ hw/usb/ccid-card-emulated.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/hw/usb/ccid-card-emulated.c b/hw/usb/ccid-card-emulated.c
+index 25976ed84f..e0457d305b 100644
+--- a/hw/usb/ccid-card-emulated.c
++++ b/hw/usb/ccid-card-emulated.c
+@@ -549,6 +549,8 @@ static void emulated_realize(CCIDCardState *base, Error **errp)
+     qemu_thread_create(&card->apdu_thread_id, "ccid/apdu", handle_apdu_thread,
+                        card, QEMU_THREAD_JOINABLE);
+ 
++    return;
++
+ out2:
+     clean_event_notifier(card);
+ out1:

0046-usb-mtp-use-O_NOFOLLOW-and-O_CLOEXE.patch

@@ -0,0 +1,79 @@
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Thu, 13 Dec 2018 13:25:11 +0100
+Subject: usb-mtp: use O_NOFOLLOW and O_CLOEXEC.
+
+Open files and directories with O_NOFOLLOW to avoid symlinks attacks.
+While being at it also add O_CLOEXEC.
+
+usb-mtp only handles regular files and directories and ignores
+everything else, so users should not see a difference.
+
+Because qemu ignores symlinks, carrying out a successful symlink attack
+requires swapping an existing file or directory below rootdir for a
+symlink and winning the race against the inotify notification to qemu.
+
+Fixes: CVE-2018-16872
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: Bandan Das <bsd@redhat.com>
+Reported-by: Michael Hanselmann <public@hansmi.ch>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Michael Hanselmann <public@hansmi.ch>
+Message-id: 20181213122511.13853-1-kraxel@redhat.com
+(cherry picked from commit bab9df35ce73d1c8e19a37e2737717ea1c984dc1)
+[BR: BSC#1119493]
+Signed-off-by: Bruce Rogers <brogers@suse.com>
+---
+ hw/usb/dev-mtp.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c
+index 100b7171f4..36c43b8c20 100644
+--- a/hw/usb/dev-mtp.c
++++ b/hw/usb/dev-mtp.c
+@@ -653,13 +653,18 @@ static void usb_mtp_object_readdir(MTPState *s, MTPObject *o)
+ {
+     struct dirent *entry;
+     DIR *dir;
++    int fd;
+ 
+     if (o->have_children) {
+         return;
+     }
+     o->have_children = true;
+ 
+-    dir = opendir(o->path);
++    fd = open(o->path, O_DIRECTORY | O_CLOEXEC | O_NOFOLLOW);
++    if (fd < 0) {
++        return;
++    }
++    dir = fdopendir(fd);
+     if (!dir) {
+         return;
+     }
+@@ -1007,7 +1012,7 @@ static MTPData *usb_mtp_get_object(MTPState *s, MTPControl *c,
+ 
+     trace_usb_mtp_op_get_object(s->dev.addr, o->handle, o->path);
+ 
+-    d->fd = open(o->path, O_RDONLY);
++    d->fd = open(o->path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW);
+     if (d->fd == -1) {
+         usb_mtp_data_free(d);
+         return NULL;
+@@ -1031,7 +1036,7 @@ static MTPData *usb_mtp_get_partial_object(MTPState *s, MTPControl *c,
+                                         c->argv[1], c->argv[2]);
+ 
+     d = usb_mtp_data_alloc(c);
+-    d->fd = open(o->path, O_RDONLY);
++    d->fd = open(o->path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW);
+     if (d->fd == -1) {
+         usb_mtp_data_free(d);
+         return NULL;
+@@ -1658,7 +1663,7 @@ static void usb_mtp_write_data(MTPState *s)
+                                  0, 0, 0, 0);
+             goto done;
+         }
+-        d->fd = open(path, O_CREAT | O_WRONLY, mask);
++        d->fd = open(path, O_CREAT | O_WRONLY | O_CLOEXEC | O_NOFOLLOW, mask);
+         if (d->fd == -1) {
+             usb_mtp_queue_result(s, RES_STORE_FULL, d->trans,
+                                  0, 0, 0, 0);

0047-pvrdma-release-device-resources-in-.patch

@@ -0,0 +1,41 @@
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Wed, 12 Dec 2018 23:28:17 +0530
+Subject: pvrdma: release device resources in case of an error
+
+If during pvrdma device initialisation an error occurs,
+pvrdma_realize() does not release memory resources, leading
+to memory leakage.
+
+Reported-by: Li Qiang <liq3ea@163.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-Id: <20181212175817.815-1-ppandit@redhat.com>
+Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
+Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
+(cherry picked from commit cce648613bc802be1b894227f7fd94d88476ea07)
+[BR: BSC#1119437]
+Signed-off-by: Bruce Rogers <brogers@suse.com>
+---
+ hw/rdma/vmw/pvrdma_main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c
+index ca5fa8d981..34d8cc4694 100644
+--- a/hw/rdma/vmw/pvrdma_main.c
++++ b/hw/rdma/vmw/pvrdma_main.c
+@@ -572,7 +572,7 @@ static int pvrdma_check_ram_shared(Object *obj, void *opaque)
+ 
+ static void pvrdma_realize(PCIDevice *pdev, Error **errp)
+ {
+-    int rc;
++    int rc = 0;
+     PVRDMADev *dev = PVRDMA_DEV(pdev);
+     Object *memdev_root;
+     bool ram_shared = false;
+@@ -632,6 +632,7 @@ static void pvrdma_realize(PCIDevice *pdev, Error **errp)
+ 
+ out:
+     if (rc) {
++        pvrdma_fini(pdev);
+         error_append_hint(errp, "Device fail to load\n");
+     }
+ }

0048-rdma-check-num_sge-does-not-exceed-.patch

@@ -0,0 +1,46 @@
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Thu, 13 Dec 2018 01:00:34 +0530
+Subject: rdma: check num_sge does not exceed MAX_SGE
+
+rdma back-end has scatter/gather array ibv_sge[MAX_SGE=4] set
+to have 4 elements. A guest could send a 'PvrdmaSqWqe' ring element
+with 'num_sge' set to > MAX_SGE, which may lead to OOB access issue.
+Add check to avoid it.
+
+Reported-by: Saar Amar <saaramar5@gmail.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
+Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
+(cherry picked from commit 0e68373cc2b3a063ce067bc0cc3edaf370752890)
+[BR: BSC#1119840, modified complete_work() calls to be comp_handler()]
+Signed-off-by: Bruce Rogers <brogers@suse.com>
+---
+ hw/rdma/rdma_backend.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/hw/rdma/rdma_backend.c b/hw/rdma/rdma_backend.c
+index d7a4bbd91f..0b3b98a94c 100644
+--- a/hw/rdma/rdma_backend.c
++++ b/hw/rdma/rdma_backend.c
+@@ -311,8 +311,8 @@ void rdma_backend_post_send(RdmaBackendDev *backend_dev,
+     }
+ 
+     pr_dbg("num_sge=%d\n", num_sge);
+-    if (!num_sge) {
+-        pr_dbg("num_sge=0\n");
++    if (!num_sge || num_sge > MAX_SGE) {
++        pr_dbg("invalid num_sge=%d\n", num_sge);
+         comp_handler(IBV_WC_GENERAL_ERR, VENDOR_ERR_NO_SGE, ctx);
+         return;
+     }
+@@ -390,8 +390,8 @@ void rdma_backend_post_recv(RdmaBackendDev *backend_dev,
+     }
+ 
+     pr_dbg("num_sge=%d\n", num_sge);
+-    if (!num_sge) {
+-        pr_dbg("num_sge=0\n");
++    if (!num_sge || num_sge > MAX_SGE) {
++        pr_dbg("invalid num_sge=%d\n", num_sge);
+         comp_handler(IBV_WC_GENERAL_ERR, VENDOR_ERR_NO_SGE, ctx);
+         return;
+     }

0049-pvrdma-add-uar_read-routine.patch

@@ -0,0 +1,41 @@
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Thu, 13 Dec 2018 01:00:35 +0530
+Subject: pvrdma: add uar_read routine
+
+Define skeleton 'uar_read' routine. Avoid NULL dereference.
+
+Reported-by: Li Qiang <liq3ea@163.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Reviewed-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
+Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
+(cherry picked from commit 2aa86456fb938a11f2b7bd57c8643c213218681c)
+[BR: BSC#1119979 CVE-2018-20191]
+Signed-off-by: Bruce Rogers <brogers@suse.com>
+---
+ hw/rdma/vmw/pvrdma_main.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c
+index 34d8cc4694..c9d9631769 100644
+--- a/hw/rdma/vmw/pvrdma_main.c
++++ b/hw/rdma/vmw/pvrdma_main.c
+@@ -455,6 +455,11 @@ static const MemoryRegionOps regs_ops = {
+     },
+ };
+ 
++static uint64_t uar_read(void *opaque, hwaddr addr, unsigned size)
++{
++    return 0xffffffff;
++}
++
+ static void uar_write(void *opaque, hwaddr addr, uint64_t val, unsigned size)
+ {
+     PVRDMADev *dev = opaque;
+@@ -496,6 +501,7 @@ static void uar_write(void *opaque, hwaddr addr, uint64_t val, unsigned size)
+ }
+ 
+ static const MemoryRegionOps uar_ops = {
++    .read = uar_read,
+     .write = uar_write,
+     .endianness = DEVICE_LITTLE_ENDIAN,
+     .impl = {

0050-pvrdma-check-number-of-pages-when-c.patch

@@ -0,0 +1,48 @@
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Thu, 13 Dec 2018 01:00:36 +0530
+Subject: pvrdma: check number of pages when creating rings
+
+When creating CQ/QP rings, an object can have up to
+PVRDMA_MAX_FAST_REG_PAGES 8 pages. Check 'npages' parameter
+to avoid excessive memory allocation or a null dereference.
+
+Reported-by: Li Qiang <liq3ea@163.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
+Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
+(cherry picked from commit 2c858ce5da8ae6689c75182b73bc455a291cad41)
+[BR: BSC#1119989 CVE-2018-20125]
+Signed-off-by: Bruce Rogers <brogers@suse.com>
+---
+ hw/rdma/vmw/pvrdma_cmd.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
+index 4faeb21631..ce2514aacb 100644
+--- a/hw/rdma/vmw/pvrdma_cmd.c
++++ b/hw/rdma/vmw/pvrdma_cmd.c
+@@ -261,6 +261,11 @@ static int create_cq_ring(PCIDevice *pci_dev , PvrdmaRing **ring,
+     int rc = -EINVAL;
+     char ring_name[MAX_RING_NAME_SZ];
+ 
++    if (!nchunks || nchunks > PVRDMA_MAX_FAST_REG_PAGES) {
++        pr_dbg("invalid nchunks: %d\n", nchunks);
++        return rc;
++    }
++
+     pr_dbg("pdir_dma=0x%llx\n", (long long unsigned int)pdir_dma);
+     dir = rdma_pci_dma_map(pci_dev, pdir_dma, TARGET_PAGE_SIZE);
+     if (!dir) {
+@@ -377,6 +382,12 @@ static int create_qp_rings(PCIDevice *pci_dev, uint64_t pdir_dma,
+     char ring_name[MAX_RING_NAME_SZ];
+     uint32_t wqe_sz;
+ 
++    if (!spages || spages > PVRDMA_MAX_FAST_REG_PAGES
++        || !rpages || rpages > PVRDMA_MAX_FAST_REG_PAGES) {
++        pr_dbg("invalid pages: %d, %d\n", spages, rpages);
++        return rc;
++    }
++
+     pr_dbg("pdir_dma=0x%llx\n", (long long unsigned int)pdir_dma);
+     dir = rdma_pci_dma_map(pci_dev, pdir_dma, TARGET_PAGE_SIZE);
+     if (!dir) {

0051-pvrdma-check-return-value-from-pvrd.patch

@@ -0,0 +1,79 @@
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Thu, 13 Dec 2018 01:00:39 +0530
+Subject: pvrdma: check return value from pvrdma_idx_ring_has_ routines
+
+pvrdma_idx_ring_has_[data/space] routines also return invalid
+index PVRDMA_INVALID_IDX[=-1], if ring has no data/space. Check
+return value from these routines to avoid plausible infinite loops.
+
+Reported-by: Li Qiang <liq3ea@163.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
+Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
+(cherry picked from commit f1e2e38ee0136b7710a2caa347049818afd57a1b)
+[BR: BSC#1119984 CVE-2018-20216]
+Signed-off-by: Bruce Rogers <brogers@suse.com>
+---
+ hw/rdma/vmw/pvrdma_dev_ring.c | 29 +++++++++++------------------
+ 1 file changed, 11 insertions(+), 18 deletions(-)
+
+diff --git a/hw/rdma/vmw/pvrdma_dev_ring.c b/hw/rdma/vmw/pvrdma_dev_ring.c
+index 01247fc041..e8e5b502f6 100644
+--- a/hw/rdma/vmw/pvrdma_dev_ring.c
++++ b/hw/rdma/vmw/pvrdma_dev_ring.c
+@@ -73,23 +73,16 @@ out:
+ 
+ void *pvrdma_ring_next_elem_read(PvrdmaRing *ring)
+ {
++    int e;
+     unsigned int idx = 0, offset;
+ 
+-    /*
+-    pr_dbg("%s: t=%d, h=%d\n", ring->name, ring->ring_state->prod_tail,
+-           ring->ring_state->cons_head);
+-    */
+-
+-    if (!pvrdma_idx_ring_has_data(ring->ring_state, ring->max_elems, &idx)) {
++    e = pvrdma_idx_ring_has_data(ring->ring_state, ring->max_elems, &idx);
++    if (e <= 0) {
+         pr_dbg("No more data in ring\n");
+         return NULL;
+     }
+ 
+     offset = idx * ring->elem_sz;
+-    /*
+-    pr_dbg("idx=%d\n", idx);
+-    pr_dbg("offset=%d\n", offset);
+-    */
+     return ring->pages[offset / TARGET_PAGE_SIZE] + (offset % TARGET_PAGE_SIZE);
+ }
+ 
+@@ -105,20 +98,20 @@ void pvrdma_ring_read_inc(PvrdmaRing *ring)
+ 
+ void *pvrdma_ring_next_elem_write(PvrdmaRing *ring)
+ {
+-    unsigned int idx, offset, tail;
++    int idx;
++    unsigned int offset, tail;
+ 
+-    /*
+-    pr_dbg("%s: t=%d, h=%d\n", ring->name, ring->ring_state->prod_tail,
+-           ring->ring_state->cons_head);
+-    */
+-
+-    if (!pvrdma_idx_ring_has_space(ring->ring_state, ring->max_elems, &tail)) {
++    idx = pvrdma_idx_ring_has_space(ring->ring_state, ring->max_elems, &tail);
++    if (idx <= 0) {
+         pr_dbg("CQ is full\n");
+         return NULL;
+     }
+ 
+     idx = pvrdma_idx(&ring->ring_state->prod_tail, ring->max_elems);
+-    /* TODO: tail == idx */
++    if (idx < 0 || tail != idx) {
++        pr_dbg("invalid idx\n");
++        return NULL;
++    }
+ 
+     offset = idx * ring->elem_sz;
+     return ring->pages[offset / TARGET_PAGE_SIZE] + (offset % TARGET_PAGE_SIZE);

0052-pvrdma-release-ring-object-in-case-.patch

@@ -0,0 +1,103 @@
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Thu, 13 Dec 2018 01:00:37 +0530
+Subject: pvrdma: release ring object in case of an error
+
+create_cq and create_qp routines allocate ring object, but it's
+not released in case of an error, leading to memory leakage.
+
+Reported-by: Li Qiang <liq3ea@163.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
+Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
+(cherry picked from commit 509f57c98e7536905bb4902363d0cba66ce7e089)
+[BR: BSC#1119991 CVE-2018-20126]
+Signed-off-by: Bruce Rogers <brogers@suse.com>
+---
+ hw/rdma/vmw/pvrdma_cmd.c | 39 ++++++++++++++++++++++++++++-----------
+ 1 file changed, 28 insertions(+), 11 deletions(-)
+
+diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
+index ce2514aacb..51da4a1c40 100644
+--- a/hw/rdma/vmw/pvrdma_cmd.c
++++ b/hw/rdma/vmw/pvrdma_cmd.c
+@@ -315,6 +315,14 @@ out:
+     return rc;
+ }
+ 
++static void destroy_cq_ring(PvrdmaRing *ring)
++{
++    pvrdma_ring_free(ring);
++    /* ring_state was in slot 1, not 0 so need to jump back */
++    rdma_pci_dma_unmap(ring->dev, --ring->ring_state, TARGET_PAGE_SIZE);
++    g_free(ring);
++}
++
+ static int create_cq(PVRDMADev *dev, union pvrdma_cmd_req *req,
+                      union pvrdma_cmd_resp *rsp)
+ {
+@@ -338,6 +346,9 @@ static int create_cq(PVRDMADev *dev, union pvrdma_cmd_req *req,
+ 
+     resp->hdr.err = rdma_rm_alloc_cq(&dev->rdma_dev_res, &dev->backend_dev,
+                                      cmd->cqe, &resp->cq_handle, ring);
++    if (resp->hdr.err) {
++        destroy_cq_ring(ring);
++    }
+     resp->cqe = cmd->cqe;
+ 
+ out:
+@@ -361,10 +372,7 @@ static int destroy_cq(PVRDMADev *dev, union pvrdma_cmd_req *req,
+     }
+ 
+     ring = (PvrdmaRing *)cq->opaque;
+-    pvrdma_ring_free(ring);
+-    /* ring_state was in slot 1, not 0 so need to jump back */
+-    rdma_pci_dma_unmap(PCI_DEVICE(dev), --ring->ring_state, TARGET_PAGE_SIZE);
+-    g_free(ring);
++    destroy_cq_ring(ring);
+ 
+     rdma_rm_dealloc_cq(&dev->rdma_dev_res, cmd->cq_handle);
+ 
+@@ -462,6 +470,17 @@ out:
+     return rc;
+ }
+ 
++static void destroy_qp_rings(PvrdmaRing *ring)
++{
++    pr_dbg("sring=%p\n", &ring[0]);
++    pvrdma_ring_free(&ring[0]);
++    pr_dbg("rring=%p\n", &ring[1]);
++    pvrdma_ring_free(&ring[1]);
++
++    rdma_pci_dma_unmap(ring->dev, ring->ring_state, TARGET_PAGE_SIZE);
++    g_free(ring);
++}
++
+ static int create_qp(PVRDMADev *dev, union pvrdma_cmd_req *req,
+                      union pvrdma_cmd_resp *rsp)
+ {
+@@ -492,6 +511,10 @@ static int create_qp(PVRDMADev *dev, union pvrdma_cmd_req *req,
+                                      cmd->max_send_sge, cmd->send_cq_handle,
+                                      cmd->max_recv_wr, cmd->max_recv_sge,
+                                      cmd->recv_cq_handle, rings, &resp->qpn);
++    if (resp->hdr.err) {
++        destroy_qp_rings(rings);
++        return resp->hdr.err;
++    }
+ 
+     resp->max_send_wr = cmd->max_send_wr;
+     resp->max_recv_wr = cmd->max_recv_wr;
+@@ -566,13 +589,7 @@ static int destroy_qp(PVRDMADev *dev, union pvrdma_cmd_req *req,
+     rdma_rm_dealloc_qp(&dev->rdma_dev_res, cmd->qp_handle);
+ 
+     ring = (PvrdmaRing *)qp->opaque;
+-    pr_dbg("sring=%p\n", &ring[0]);
+-    pvrdma_ring_free(&ring[0]);
+-    pr_dbg("rring=%p\n", &ring[1]);
+-    pvrdma_ring_free(&ring[1]);
+-
+-    rdma_pci_dma_unmap(PCI_DEVICE(dev), ring->ring_state, TARGET_PAGE_SIZE);
+-    g_free(ring);
++    destroy_qp_rings(ring);
+ 
+     return 0;
+ }

0053-block-Fix-hangs-in-synchronous-APIs.patch

@@ -0,0 +1,637 @@
+From: Kevin Wolf <kwolf@redhat.com>
+Date: Wed, 9 Jan 2019 11:10:07 -0700
+Subject: block: Fix hangs in synchronous APIs with iothreads
+
+In the block layer, synchronous APIs are often implemented by creating a
+coroutine that calls the asynchronous coroutine-based implementation and
+then waiting for completion with BDRV_POLL_WHILE().
+
+For this to work with iothreads (more specifically, when the synchronous
+API is called in a thread that is not the home thread of the block
+device, so that the coroutine will run in a different thread), we must
+make sure to call aio_wait_kick() at the end of the operation. Many
+places are missing this, so that BDRV_POLL_WHILE() keeps hanging even if
+the condition has long become false.
+
+Note that bdrv_dec_in_flight() involves an aio_wait_kick() call. This
+corresponds to the BDRV_POLL_WHILE() in the drain functions, but it is
+generally not enough for most other operations because they haven't set
+the return value in the coroutine entry stub yet. To avoid race
+conditions there, we need to kick after setting the return value.
+
+The race window is small enough that the problem doesn't usually surface
+in the common path. However, it does surface and causes easily
+reproducible hangs if the operation can return early before even calling
+bdrv_inc/dec_in_flight, which many of them do (trivial error or no-op
+success paths).
+
+The bug in bdrv_truncate(), bdrv_check() and bdrv_invalidate_cache() is
+slightly different: These functions even neglected to schedule the
+coroutine in the home thread of the node. This avoids the hang, but is
+obviously wrong, too. Fix those to schedule the coroutine in the right
+AioContext in addition to adding aio_wait_kick() calls.
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+Signed-off-by: Bruce Rogers <brogers@suse.com>
+---
+ block.c                     |   6 +-
+ block/block-backend.c       |   5 +
+ block/io.c                  |   8 +-
+ block/nbd-client.c          |   1 +
+ block/nvme.c                |   1 +
+ block/qcow2.c               |   1 +
+ block/qed.c                 |   1 +
+ tests/Makefile.include      |   2 +
+ tests/test-block-iothread.c | 372 ++++++++++++++++++++++++++++++++++++
+ 9 files changed, 394 insertions(+), 3 deletions(-)
+
+diff --git a/block.c b/block.c
+index 811239ca23..79d48d7d78 100644
+--- a/block.c
++++ b/block.c
+@@ -3736,6 +3736,7 @@ static void bdrv_check_co_entry(void *opaque)
+ {
+     CheckCo *cco = opaque;
+     cco->ret = bdrv_co_check(cco->bs, cco->res, cco->fix);
++    aio_wait_kick();
+ }
+ 
+ int bdrv_check(BlockDriverState *bs,
+@@ -3754,7 +3755,7 @@ int bdrv_check(BlockDriverState *bs,
+         bdrv_check_co_entry(&cco);
+     } else {
+         co = qemu_coroutine_create(bdrv_check_co_entry, &cco);
+-        qemu_coroutine_enter(co);
++        bdrv_coroutine_enter(bs, co);
+         BDRV_POLL_WHILE(bs, cco.ret == -EINPROGRESS);
+     }
+ 
+@@ -4571,6 +4572,7 @@ static void coroutine_fn bdrv_invalidate_cache_co_entry(void *opaque)
+     InvalidateCacheCo *ico = opaque;
+     bdrv_co_invalidate_cache(ico->bs, ico->errp);
+     ico->done = true;
++    aio_wait_kick();
+ }
+ 
+ void bdrv_invalidate_cache(BlockDriverState *bs, Error **errp)
+@@ -4587,7 +4589,7 @@ void bdrv_invalidate_cache(BlockDriverState *bs, Error **errp)
+         bdrv_invalidate_cache_co_entry(&ico);
+     } else {
+         co = qemu_coroutine_create(bdrv_invalidate_cache_co_entry, &ico);
+-        qemu_coroutine_enter(co);
++        bdrv_coroutine_enter(bs, co);
+         BDRV_POLL_WHILE(bs, !ico.done);
+     }
+ }
+diff --git a/block/block-backend.c b/block/block-backend.c
+index 1d41622942..35e3edb861 100644
+--- a/block/block-backend.c
++++ b/block/block-backend.c
+@@ -1223,6 +1223,7 @@ static void blk_read_entry(void *opaque)
+ 
+     rwco->ret = blk_co_preadv(rwco->blk, rwco->offset, qiov->size,
+                               qiov, rwco->flags);
++    aio_wait_kick();
+ }
+ 
+ static void blk_write_entry(void *opaque)
+@@ -1232,6 +1233,7 @@ static void blk_write_entry(void *opaque)
+ 
+     rwco->ret = blk_co_pwritev(rwco->blk, rwco->offset, qiov->size,
+                                qiov, rwco->flags);
++    aio_wait_kick();
+ }
+ 
+ static int blk_prw(BlockBackend *blk, int64_t offset, uint8_t *buf,
+@@ -1543,6 +1545,7 @@ static void blk_ioctl_entry(void *opaque)
+ 
+     rwco->ret = blk_co_ioctl(rwco->blk, rwco->offset,
+                              qiov->iov[0].iov_base);
++    aio_wait_kick();
+ }
+ 
+ int blk_ioctl(BlockBackend *blk, unsigned long int req, void *buf)
+@@ -1589,6 +1592,7 @@ static void blk_flush_entry(void *opaque)
+ {
+     BlkRwCo *rwco = opaque;
+     rwco->ret = blk_co_flush(rwco->blk);
++    aio_wait_kick();
+ }
+ 
+ int blk_flush(BlockBackend *blk)
+@@ -2028,6 +2032,7 @@ static void blk_pdiscard_entry(void *opaque)
+     QEMUIOVector *qiov = rwco->iobuf;
+ 
+     rwco->ret = blk_co_pdiscard(rwco->blk, rwco->offset, qiov->size);
++    aio_wait_kick();
+ }
+ 
+ int blk_pdiscard(BlockBackend *blk, int64_t offset, int bytes)
+diff --git a/block/io.c b/block/io.c
+index bd9d688f8b..213ca03d8d 100644
+--- a/block/io.c
++++ b/block/io.c
+@@ -806,6 +806,7 @@ static void coroutine_fn bdrv_rw_co_entry(void *opaque)
+                                     rwco->qiov->size, rwco->qiov,
+                                     rwco->flags);
+     }
++    aio_wait_kick();
+ }
+ 
+ /*
+@@ -2279,6 +2280,7 @@ static void coroutine_fn bdrv_block_status_above_co_entry(void *opaque)
+                                            data->offset, data->bytes,
+                                            data->pnum, data->map, data->file);
+     data->done = true;
++    aio_wait_kick();
+ }
+ 
+ /*
+@@ -2438,6 +2440,7 @@ static void coroutine_fn bdrv_co_rw_vmstate_entry(void *opaque)
+ {
+     BdrvVmstateCo *co = opaque;
+     co->ret = bdrv_co_rw_vmstate(co->bs, co->qiov, co->pos, co->is_read);
++    aio_wait_kick();
+ }
+ 
+ static inline int
+@@ -2559,6 +2562,7 @@ static void coroutine_fn bdrv_flush_co_entry(void *opaque)
+     FlushCo *rwco = opaque;
+ 
+     rwco->ret = bdrv_co_flush(rwco->bs);
++    aio_wait_kick();
+ }
+ 
+ int coroutine_fn bdrv_co_flush(BlockDriverState *bs)
+@@ -2704,6 +2708,7 @@ static void coroutine_fn bdrv_pdiscard_co_entry(void *opaque)
+     DiscardCo *rwco = opaque;
+ 
+     rwco->ret = bdrv_co_pdiscard(rwco->child, rwco->offset, rwco->bytes);
++    aio_wait_kick();
+ }
+ 
+ int coroutine_fn bdrv_co_pdiscard(BdrvChild *child, int64_t offset, int bytes)
+@@ -3217,6 +3222,7 @@ static void coroutine_fn bdrv_truncate_co_entry(void *opaque)
+     TruncateCo *tco = opaque;
+     tco->ret = bdrv_co_truncate(tco->child, tco->offset, tco->prealloc,
+                                 tco->errp);
++    aio_wait_kick();
+ }
+ 
+ int bdrv_truncate(BdrvChild *child, int64_t offset, PreallocMode prealloc,
+@@ -3236,7 +3242,7 @@ int bdrv_truncate(BdrvChild *child, int64_t offset, PreallocMode prealloc,
+         bdrv_truncate_co_entry(&tco);
+     } else {
+         co = qemu_coroutine_create(bdrv_truncate_co_entry, &tco);
+-        qemu_coroutine_enter(co);
++        bdrv_coroutine_enter(child->bs, co);
+         BDRV_POLL_WHILE(child->bs, tco.ret == NOT_DONE);
+     }
+ 
+diff --git a/block/nbd-client.c b/block/nbd-client.c
+index fc5b7eda8e..a6b5605c0b 100644
+--- a/block/nbd-client.c
++++ b/block/nbd-client.c
+@@ -116,6 +116,7 @@ static coroutine_fn void nbd_read_reply_entry(void *opaque)
+     s->quit = true;
+     nbd_recv_coroutines_wake_all(s);
+     s->read_reply_co = NULL;
++    aio_wait_kick();
+ }
+ 
+ static int nbd_co_send_request(BlockDriverState *bs,
+diff --git a/block/nvme.c b/block/nvme.c
+index 29294038fc..36779fdd3d 100644
+--- a/block/nvme.c
++++ b/block/nvme.c
+@@ -390,6 +390,7 @@ static void nvme_cmd_sync_cb(void *opaque, int ret)
+ {
+     int *pret = opaque;
+     *pret = ret;
++    aio_wait_kick();
+ }
+ 
+ static int nvme_cmd_sync(BlockDriverState *bs, NVMeQueuePair *q,
+diff --git a/block/qcow2.c b/block/qcow2.c
+index 991d6ac91b..9334414513 100644
+--- a/block/qcow2.c
++++ b/block/qcow2.c
+@@ -1665,6 +1665,7 @@ static int qcow2_open(BlockDriverState *bs, QDict *options, int flags,
+         /* From bdrv_co_create.  */
+         qcow2_open_entry(&qoc);
+     } else {
++        assert(qemu_get_current_aio_context() == qemu_get_aio_context());
+         qemu_coroutine_enter(qemu_coroutine_create(qcow2_open_entry, &qoc));
+         BDRV_POLL_WHILE(bs, qoc.ret == -EINPROGRESS);
+     }
+diff --git a/block/qed.c b/block/qed.c
+index 9377c0b7ad..1280870024 100644
+--- a/block/qed.c
++++ b/block/qed.c
+@@ -559,6 +559,7 @@ static int bdrv_qed_open(BlockDriverState *bs, QDict *options, int flags,
+     if (qemu_in_coroutine()) {
+         bdrv_qed_open_entry(&qoc);
+     } else {
++        assert(qemu_get_current_aio_context() == qemu_get_aio_context());
+         qemu_coroutine_enter(qemu_coroutine_create(bdrv_qed_open_entry, &qoc));
+         BDRV_POLL_WHILE(bs, qoc.ret == -EINPROGRESS);
+     }
+diff --git a/tests/Makefile.include b/tests/Makefile.include
+index d6f67eed85..5682e41384 100644
+--- a/tests/Makefile.include
++++ b/tests/Makefile.include
+@@ -70,6 +70,7 @@ check-unit-y += tests/test-bdrv-drain$(EXESUF)
+ check-unit-y += tests/test-blockjob$(EXESUF)
+ check-unit-y += tests/test-blockjob-txn$(EXESUF)
+ check-unit-y += tests/test-block-backend$(EXESUF)
++check-unit-y += tests/test-block-iothread$(EXESUF)
+ check-unit-y += tests/test-image-locking$(EXESUF)
+ check-unit-y += tests/test-x86-cpuid$(EXESUF)
+ # all code tested by test-x86-cpuid is inside topology.h
+@@ -541,6 +542,7 @@ tests/test-bdrv-drain$(EXESUF): tests/test-bdrv-drain.o $(test-block-obj-y) $(te
+ tests/test-blockjob$(EXESUF): tests/test-blockjob.o $(test-block-obj-y) $(test-util-obj-y)
+ tests/test-blockjob-txn$(EXESUF): tests/test-blockjob-txn.o $(test-block-obj-y) $(test-util-obj-y)
+ tests/test-block-backend$(EXESUF): tests/test-block-backend.o $(test-block-obj-y) $(test-util-obj-y)
++tests/test-block-iothread$(EXESUF): tests/test-block-iothread.o $(test-block-obj-y) $(test-util-obj-y)
+ tests/test-image-locking$(EXESUF): tests/test-image-locking.o $(test-block-obj-y) $(test-util-obj-y)
+ tests/test-thread-pool$(EXESUF): tests/test-thread-pool.o $(test-block-obj-y)
+ tests/test-iov$(EXESUF): tests/test-iov.o $(test-util-obj-y)
+diff --git a/tests/test-block-iothread.c b/tests/test-block-iothread.c
+new file mode 100644
+index 0000000000..97ac0b159d
+--- /dev/null
++++ b/tests/test-block-iothread.c
+@@ -0,0 +1,372 @@
++/*
++ * Block tests for iothreads
++ *
++ * Copyright (c) 2018 Kevin Wolf <kwolf@redhat.com>
++ *
++ * Permission is hereby granted, free of charge, to any person obtaining a copy
++ * of this software and associated documentation files (the "Software"), to deal
++ * in the Software without restriction, including without limitation the rights
++ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
++ * copies of the Software, and to permit persons to whom the Software is
++ * furnished to do so, subject to the following conditions:
++ *
++ * The above copyright notice and this permission notice shall be included in
++ * all copies or substantial portions of the Software.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
++ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
++ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
++ * THE SOFTWARE.
++ */
++
++#include "qemu/osdep.h"
++#include "block/block.h"
++#include "block/blockjob_int.h"
++#include "sysemu/block-backend.h"
++#include "qapi/error.h"
++#include "iothread.h"
++
++static int coroutine_fn bdrv_test_co_prwv(BlockDriverState *bs,
++                                          uint64_t offset, uint64_t bytes,
++                                          QEMUIOVector *qiov, int flags)
++{
++    return 0;
++}
++
++static int coroutine_fn bdrv_test_co_pdiscard(BlockDriverState *bs,
++                                              int64_t offset, int bytes)
++{
++    return 0;
++}
++
++static int coroutine_fn
++bdrv_test_co_truncate(BlockDriverState *bs, int64_t offset,
++                      PreallocMode prealloc, Error **errp)
++{
++    return 0;
++}
++
++static int coroutine_fn bdrv_test_co_block_status(BlockDriverState *bs,
++                                                  bool want_zero,
++                                                  int64_t offset, int64_t count,
++                                                  int64_t *pnum, int64_t *map,
++                                                  BlockDriverState **file)
++{
++    *pnum = count;
++    return 0;
++}
++
++static BlockDriver bdrv_test = {
++    .format_name            = "test",
++    .instance_size          = 1,
++
++    .bdrv_co_preadv         = bdrv_test_co_prwv,
++    .bdrv_co_pwritev        = bdrv_test_co_prwv,
++    .bdrv_co_pdiscard       = bdrv_test_co_pdiscard,
++    .bdrv_co_truncate       = bdrv_test_co_truncate,
++    .bdrv_co_block_status   = bdrv_test_co_block_status,
++};
++
++static void test_sync_op_pread(BdrvChild *c)
++{
++    uint8_t buf[512];
++    int ret;
++
++    /* Success */
++    ret = bdrv_pread(c, 0, buf, sizeof(buf));
++    g_assert_cmpint(ret, ==, 512);
++
++    /* Early error: Negative offset */
++    ret = bdrv_pread(c, -2, buf, sizeof(buf));
++    g_assert_cmpint(ret, ==, -EIO);
++}
++
++static void test_sync_op_pwrite(BdrvChild *c)
++{
++    uint8_t buf[512];
++    int ret;
++
++    /* Success */
++    ret = bdrv_pwrite(c, 0, buf, sizeof(buf));
++    g_assert_cmpint(ret, ==, 512);
++
++    /* Early error: Negative offset */
++    ret = bdrv_pwrite(c, -2, buf, sizeof(buf));
++    g_assert_cmpint(ret, ==, -EIO);
++}
++
++static void test_sync_op_blk_pread(BlockBackend *blk)
++{
++    uint8_t buf[512];
++    int ret;
++
++    /* Success */
++    ret = blk_pread(blk, 0, buf, sizeof(buf));
++    g_assert_cmpint(ret, ==, 512);
++
++    /* Early error: Negative offset */
++    ret = blk_pread(blk, -2, buf, sizeof(buf));
++    g_assert_cmpint(ret, ==, -EIO);
++}
++
++static void test_sync_op_blk_pwrite(BlockBackend *blk)
++{
++    uint8_t buf[512];
++    int ret;
++
++    /* Success */
++    ret = blk_pwrite(blk, 0, buf, sizeof(buf), 0);
++    g_assert_cmpint(ret, ==, 512);
++
++    /* Early error: Negative offset */
++    ret = blk_pwrite(blk, -2, buf, sizeof(buf), 0);
++    g_assert_cmpint(ret, ==, -EIO);
++}
++
++static void test_sync_op_load_vmstate(BdrvChild *c)
++{
++    uint8_t buf[512];
++    int ret;
++
++    /* Error: Driver does not support snapshots */
++    ret = bdrv_load_vmstate(c->bs, buf, 0, sizeof(buf));
++    g_assert_cmpint(ret, ==, -ENOTSUP);
++}
++
++static void test_sync_op_save_vmstate(BdrvChild *c)
++{
++    uint8_t buf[512];
++    int ret;
++
++    /* Error: Driver does not support snapshots */
++    ret = bdrv_save_vmstate(c->bs, buf, 0, sizeof(buf));
++    g_assert_cmpint(ret, ==, -ENOTSUP);
++}
++
++static void test_sync_op_pdiscard(BdrvChild *c)
++{
++    int ret;
++
++    /* Normal success path */
++    c->bs->open_flags |= BDRV_O_UNMAP;
++    ret = bdrv_pdiscard(c, 0, 512);
++    g_assert_cmpint(ret, ==, 0);
++
++    /* Early success: UNMAP not supported */
++    c->bs->open_flags &= ~BDRV_O_UNMAP;
++    ret = bdrv_pdiscard(c, 0, 512);
++    g_assert_cmpint(ret, ==, 0);
++
++    /* Early error: Negative offset */
++    ret = bdrv_pdiscard(c, -2, 512);
++    g_assert_cmpint(ret, ==, -EIO);
++}
++
++static void test_sync_op_blk_pdiscard(BlockBackend *blk)
++{
++    int ret;
++
++    /* Early success: UNMAP not supported */
++    ret = blk_pdiscard(blk, 0, 512);
++    g_assert_cmpint(ret, ==, 0);
++
++    /* Early error: Negative offset */
++    ret = blk_pdiscard(blk, -2, 512);
++    g_assert_cmpint(ret, ==, -EIO);
++}
++
++static void test_sync_op_truncate(BdrvChild *c)
++{
++    int ret;
++
++    /* Normal success path */
++    ret = bdrv_truncate(c, 65536, PREALLOC_MODE_OFF, NULL);
++    g_assert_cmpint(ret, ==, 0);
++
++    /* Early error: Negative offset */
++    ret = bdrv_truncate(c, -2, PREALLOC_MODE_OFF, NULL);
++    g_assert_cmpint(ret, ==, -EINVAL);
++
++    /* Error: Read-only image */
++    c->bs->read_only = true;
++    c->bs->open_flags &= ~BDRV_O_RDWR;
++
++    ret = bdrv_truncate(c, 65536, PREALLOC_MODE_OFF, NULL);
++    g_assert_cmpint(ret, ==, -EACCES);
++
++    c->bs->read_only = false;
++    c->bs->open_flags |= BDRV_O_RDWR;
++}
++
++static void test_sync_op_block_status(BdrvChild *c)
++{
++    int ret;
++    int64_t n;
++
++    /* Normal success path */
++    ret = bdrv_is_allocated(c->bs, 0, 65536, &n);
++    g_assert_cmpint(ret, ==, 0);
++
++    /* Early success: No driver support */
++    bdrv_test.bdrv_co_block_status = NULL;
++    ret = bdrv_is_allocated(c->bs, 0, 65536, &n);
++    g_assert_cmpint(ret, ==, 1);
++
++    /* Early success: bytes = 0 */
++    ret = bdrv_is_allocated(c->bs, 0, 0, &n);
++    g_assert_cmpint(ret, ==, 0);
++
++    /* Early success: Offset > image size*/
++    ret = bdrv_is_allocated(c->bs, 0x1000000, 0x1000000, &n);
++    g_assert_cmpint(ret, ==, 0);
++}
++
++static void test_sync_op_flush(BdrvChild *c)
++{
++    int ret;
++
++    /* Normal success path */
++    ret = bdrv_flush(c->bs);
++    g_assert_cmpint(ret, ==, 0);
++
++    /* Early success: Read-only image */
++    c->bs->read_only = true;
++    c->bs->open_flags &= ~BDRV_O_RDWR;
++
++    ret = bdrv_flush(c->bs);
++    g_assert_cmpint(ret, ==, 0);
++
++    c->bs->read_only = false;
++    c->bs->open_flags |= BDRV_O_RDWR;
++}
++
++static void test_sync_op_blk_flush(BlockBackend *blk)
++{
++    BlockDriverState *bs = blk_bs(blk);
++    int ret;
++
++    /* Normal success path */
++    ret = blk_flush(blk);
++    g_assert_cmpint(ret, ==, 0);
++
++    /* Early success: Read-only image */
++    bs->read_only = true;
++    bs->open_flags &= ~BDRV_O_RDWR;
++
++    ret = blk_flush(blk);
++    g_assert_cmpint(ret, ==, 0);
++
++    bs->read_only = false;
++    bs->open_flags |= BDRV_O_RDWR;
++}
++
++static void test_sync_op_check(BdrvChild *c)
++{
++    BdrvCheckResult result;
++    int ret;
++
++    /* Error: Driver does not implement check */
++    ret = bdrv_check(c->bs, &result, 0);
++    g_assert_cmpint(ret, ==, -ENOTSUP);
++}
++
++static void test_sync_op_invalidate_cache(BdrvChild *c)
++{
++    /* Early success: Image is not inactive */
++    bdrv_invalidate_cache(c->bs, NULL);
++}
++
++
++typedef struct SyncOpTest {
++    const char *name;
++    void (*fn)(BdrvChild *c);
++    void (*blkfn)(BlockBackend *blk);
++} SyncOpTest;
++
++const SyncOpTest sync_op_tests[] = {
++    {
++        .name   = "/sync-op/pread",
++        .fn     = test_sync_op_pread,
++        .blkfn  = test_sync_op_blk_pread,
++    }, {
++        .name   = "/sync-op/pwrite",
++        .fn     = test_sync_op_pwrite,
++        .blkfn  = test_sync_op_blk_pwrite,
++    }, {
++        .name   = "/sync-op/load_vmstate",
++        .fn     = test_sync_op_load_vmstate,
++    }, {
++        .name   = "/sync-op/save_vmstate",
++        .fn     = test_sync_op_save_vmstate,
++    }, {
++        .name   = "/sync-op/pdiscard",
++        .fn     = test_sync_op_pdiscard,
++        .blkfn  = test_sync_op_blk_pdiscard,
++    }, {
++        .name   = "/sync-op/truncate",
++        .fn     = test_sync_op_truncate,
++    }, {
++        .name   = "/sync-op/block_status",
++        .fn     = test_sync_op_block_status,
++    }, {
++        .name   = "/sync-op/flush",
++        .fn     = test_sync_op_flush,
++        .blkfn  = test_sync_op_blk_flush,
++    }, {
++        .name   = "/sync-op/check",
++        .fn     = test_sync_op_check,
++    }, {
++        .name   = "/sync-op/invalidate_cache",
++        .fn     = test_sync_op_invalidate_cache,
++    },
++};
++
++/* Test synchronous operations that run in a different iothread, so we have to
++ * poll for the coroutine there to return. */
++static void test_sync_op(const void *opaque)
++{
++    const SyncOpTest *t = opaque;
++    IOThread *iothread = iothread_new();
++    AioContext *ctx = iothread_get_aio_context(iothread);
++    BlockBackend *blk;
++    BlockDriverState *bs;
++    BdrvChild *c;
++
++    blk = blk_new(BLK_PERM_ALL, BLK_PERM_ALL);
++    bs = bdrv_new_open_driver(&bdrv_test, "base", BDRV_O_RDWR, &error_abort);
++    bs->total_sectors = 65536 / BDRV_SECTOR_SIZE;
++    blk_insert_bs(blk, bs, &error_abort);
++    c = QLIST_FIRST(&bs->parents);
++
++    blk_set_aio_context(blk, ctx);
++    aio_context_acquire(ctx);
++    t->fn(c);
++    if (t->blkfn) {
++        t->blkfn(blk);
++    }
++    aio_context_release(ctx);
++    blk_set_aio_context(blk, qemu_get_aio_context());
++
++    bdrv_unref(bs);
++    blk_unref(blk);
++}
++
++int main(int argc, char **argv)
++{
++    int i;
++
++    bdrv_init();
++    qemu_init_main_loop(&error_abort);
++
++    g_test_init(&argc, &argv, NULL);
++
++    for (i = 0; i < ARRAY_SIZE(sync_op_tests); i++) {
++        const SyncOpTest *t = &sync_op_tests[i];
++        g_test_add_data_func(t->name, t, test_sync_op);
++    }
++
++    return g_test_run();
++}

qemu-linux-user.changes

@@ -1,3 +1,48 @@
+-------------------------------------------------------------------
+Thu Jan 10 18:03:30 UTC 2019 - Bruce Rogers <brogers@suse.com>
+
+- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.1
+* Patches added:
+  0041-vfio-ap-flag-as-compatible-with-bal.patch
+  0042-hw-s390x-Fix-bad-mask-in-time2tod.patch
+  0043-pcie-set-link-state-inactive-active.patch
+  0044-pc-piix4-Update-smbus-I-O-space-aft.patch
+  0045-hw-usb-fix-mistaken-de-initializati.patch
+  0046-usb-mtp-use-O_NOFOLLOW-and-O_CLOEXE.patch
+  0047-pvrdma-release-device-resources-in-.patch
+  0048-rdma-check-num_sge-does-not-exceed-.patch
+  0049-pvrdma-add-uar_read-routine.patch
+  0050-pvrdma-check-number-of-pages-when-c.patch
+  0051-pvrdma-check-return-value-from-pvrd.patch
+  0052-pvrdma-release-ring-object-in-case-.patch
+  0053-block-Fix-hangs-in-synchronous-APIs.patch
+
+-------------------------------------------------------------------
+Tue Jan  8 13:41:35 UTC 2019 - olaf@aepfle.de
+
+- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.1
+* Patches added:
+  0040-xen-ignore-live-parameter-from-xen-.patch
+  (bsc#1079730, bsc#1101982, bsc#1063993)
+
+-------------------------------------------------------------------
+Fri Jan  4 19:53:55 UTC 2019 - Bruce Rogers <brogers@suse.com>
+
+- Follow up on ideas prompted by last change: clean up the patches
+  generated by git workflow. There is no value to the first line
+  (mbox From line), or [PATCH] on subject line. Get rid of those
+- Other minor fixes and improvements to update_git.sh
+
+-------------------------------------------------------------------
+Thu Jan  3 14:12:56 UTC 2019 - olaf@aepfle.de
+
+- Modify update_git.sh script:
+  pass --zero-commit to format-patch
+  This removes needless noise in the buildservice when the same set
+  of patches is imported/exported at different times by different users.
+  pass --no-signature to format-patch
+  Remove sed call which used to remove the signature, use mv instead
+
 -------------------------------------------------------------------
 Wed Dec 12 21:33:15 UTC 2018 - Bruce Rogers <brogers@suse.com>
 

qemu-linux-user.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package qemu-linux-user
 #
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -71,6 +71,20 @@ Patch0036:      0036-xen-add-block-resize-support-for-xe.patch
 Patch0037:      0037-tests-qemu-iotests-Triple-timeout-o.patch
 Patch0038:      0038-tests-block-io-test-130-needs-some-.patch
 Patch0039:      0039-xen_disk-Avoid-repeated-memory-allo.patch
+Patch0040:      0040-xen-ignore-live-parameter-from-xen-.patch
+Patch0041:      0041-vfio-ap-flag-as-compatible-with-bal.patch
+Patch0042:      0042-hw-s390x-Fix-bad-mask-in-time2tod.patch
+Patch0043:      0043-pcie-set-link-state-inactive-active.patch
+Patch0044:      0044-pc-piix4-Update-smbus-I-O-space-aft.patch
+Patch0045:      0045-hw-usb-fix-mistaken-de-initializati.patch
+Patch0046:      0046-usb-mtp-use-O_NOFOLLOW-and-O_CLOEXE.patch
+Patch0047:      0047-pvrdma-release-device-resources-in-.patch
+Patch0048:      0048-rdma-check-num_sge-does-not-exceed-.patch
+Patch0049:      0049-pvrdma-add-uar_read-routine.patch
+Patch0050:      0050-pvrdma-check-number-of-pages-when-c.patch
+Patch0051:      0051-pvrdma-check-return-value-from-pvrd.patch
+Patch0052:      0052-pvrdma-release-ring-object-in-case-.patch
+Patch0053:      0053-block-Fix-hangs-in-synchronous-APIs.patch
 # Please do not add QEMU patches manually here.
 # Run update_git.sh to regenerate this queue.
 ExcludeArch:    s390
@@ -141,6 +155,20 @@ syscall layer occurs on the native hardware and operating system.
 %patch0037 -p1
 %patch0038 -p1
 %patch0039 -p1
+%patch0040 -p1
+%patch0041 -p1
+%patch0042 -p1
+%patch0043 -p1
+%patch0044 -p1
+%patch0045 -p1
+%patch0046 -p1
+%patch0047 -p1
+%patch0048 -p1
+%patch0049 -p1
+%patch0050 -p1
+%patch0051 -p1
+%patch0052 -p1
+%patch0053 -p1
 
 %build
 ./configure \

qemu-linux-user.spec.in

@@ -1,7 +1,7 @@
 #
 # spec file for package qemu-linux-user
 #
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed

qemu-testsuite.changes

@@ -1,3 +1,59 @@
+-------------------------------------------------------------------
+Thu Jan 10 18:03:29 UTC 2019 - Bruce Rogers <brogers@suse.com>
+
+- include post v3.1.0 patches marked for next stable release:
+  0041-vfio-ap-flag-as-compatible-with-bal.patch
+  0042-hw-s390x-Fix-bad-mask-in-time2tod.patch
+  0043-pcie-set-link-state-inactive-active.patch
+  0044-pc-piix4-Update-smbus-I-O-space-aft.patch
+  0045-hw-usb-fix-mistaken-de-initializati.patch
+- Address various security/stability issues
+* Fix host access vulnerability in usb-mtp infrastructure
+  (CVE-2018-16872 bsc#1119493)
+  0046-usb-mtp-use-O_NOFOLLOW-and-O_CLOEXE.patch
+* Fix DoS in pvrdma interface (CVE-2018-20123 bsc#1119437)
+  0047-pvrdma-release-device-resources-in-.patch
+* Fix OOB access issue in rdma backend (CVE-2018-20124 bsc#1119840)
+  0048-rdma-check-num_sge-does-not-exceed-.patch
+* Fix NULL pointer reference in pvrdma emulation (CVE-2018-20191
+  bsc#1119979)
+  0049-pvrdma-add-uar_read-routine.patch
+* Fix DoS in pvrdma interface (CVE-2018-20125 bsc#1119989)
+  0050-pvrdma-check-number-of-pages-when-c.patch
+* Fix DoS in pvrdma interface (CVE-2018-20216 bsc#1119984)
+  0051-pvrdma-check-return-value-from-pvrd.patch
+* Fix DoS in pvrdma interface (CVE-2018-20126 bsc#1119991)
+  0052-pvrdma-release-ring-object-in-case-.patch
+- one more post v3.1.0 patches marked for next stable release:
+  0053-block-Fix-hangs-in-synchronous-APIs.patch
+- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.1
+
+-------------------------------------------------------------------
+Tue Jan  8 13:41:35 UTC 2019 - olaf@aepfle.de
+
+- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.1
+* Patches added:
+  0040-xen-ignore-live-parameter-from-xen-.patch
+  (bsc#1079730, bsc#1101982, bsc#1063993)
+
+-------------------------------------------------------------------
+Fri Jan  4 19:53:55 UTC 2019 - Bruce Rogers <brogers@suse.com>
+
+- Follow up on ideas prompted by last change: clean up the patches
+  generated by git workflow. There is no value to the first line
+  (mbox From line), or [PATCH] on subject line. Get rid of those
+- Other minor fixes and improvements to update_git.sh
+
+-------------------------------------------------------------------
+Thu Jan  3 14:12:56 UTC 2019 - olaf@aepfle.de
+
+- Modify update_git.sh script:
+  pass --zero-commit to format-patch
+  This removes needless noise in the buildservice when the same set
+  of patches is imported/exported at different times by different users.
+  pass --no-signature to format-patch
+  Remove sed call which used to remove the signature, use mv instead
+
 -------------------------------------------------------------------
 Fri Dec 14 06:24:53 UTC 2018 - lma@suse.com
 

qemu-testsuite.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package qemu-testsuite
 #
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -176,6 +176,20 @@ Patch0036:      0036-xen-add-block-resize-support-for-xe.patch
 Patch0037:      0037-tests-qemu-iotests-Triple-timeout-o.patch
 Patch0038:      0038-tests-block-io-test-130-needs-some-.patch
 Patch0039:      0039-xen_disk-Avoid-repeated-memory-allo.patch
+Patch0040:      0040-xen-ignore-live-parameter-from-xen-.patch
+Patch0041:      0041-vfio-ap-flag-as-compatible-with-bal.patch
+Patch0042:      0042-hw-s390x-Fix-bad-mask-in-time2tod.patch
+Patch0043:      0043-pcie-set-link-state-inactive-active.patch
+Patch0044:      0044-pc-piix4-Update-smbus-I-O-space-aft.patch
+Patch0045:      0045-hw-usb-fix-mistaken-de-initializati.patch
+Patch0046:      0046-usb-mtp-use-O_NOFOLLOW-and-O_CLOEXE.patch
+Patch0047:      0047-pvrdma-release-device-resources-in-.patch
+Patch0048:      0048-rdma-check-num_sge-does-not-exceed-.patch
+Patch0049:      0049-pvrdma-add-uar_read-routine.patch
+Patch0050:      0050-pvrdma-check-number-of-pages-when-c.patch
+Patch0051:      0051-pvrdma-check-return-value-from-pvrd.patch
+Patch0052:      0052-pvrdma-release-ring-object-in-case-.patch
+Patch0053:      0053-block-Fix-hangs-in-synchronous-APIs.patch
 # Please do not add QEMU patches manually here.
 # Run update_git.sh to regenerate this queue.
 
@@ -943,6 +957,20 @@ This package provides a service file for starting and stopping KSM.
 %patch0037 -p1
 %patch0038 -p1
 %patch0039 -p1
+%patch0040 -p1
+%patch0041 -p1
+%patch0042 -p1
+%patch0043 -p1
+%patch0044 -p1
+%patch0045 -p1
+%patch0046 -p1
+%patch0047 -p1
+%patch0048 -p1
+%patch0049 -p1
+%patch0050 -p1
+%patch0051 -p1
+%patch0052 -p1
+%patch0053 -p1
 
 pushd roms/seabios
 %patch1100 -p1

qemu.changes

@@ -1,3 +1,59 @@
+-------------------------------------------------------------------
+Thu Jan 10 18:03:29 UTC 2019 - Bruce Rogers <brogers@suse.com>
+
+- include post v3.1.0 patches marked for next stable release:
+  0041-vfio-ap-flag-as-compatible-with-bal.patch
+  0042-hw-s390x-Fix-bad-mask-in-time2tod.patch
+  0043-pcie-set-link-state-inactive-active.patch
+  0044-pc-piix4-Update-smbus-I-O-space-aft.patch
+  0045-hw-usb-fix-mistaken-de-initializati.patch
+- Address various security/stability issues
+* Fix host access vulnerability in usb-mtp infrastructure
+  (CVE-2018-16872 bsc#1119493)
+  0046-usb-mtp-use-O_NOFOLLOW-and-O_CLOEXE.patch
+* Fix DoS in pvrdma interface (CVE-2018-20123 bsc#1119437)
+  0047-pvrdma-release-device-resources-in-.patch
+* Fix OOB access issue in rdma backend (CVE-2018-20124 bsc#1119840)
+  0048-rdma-check-num_sge-does-not-exceed-.patch
+* Fix NULL pointer reference in pvrdma emulation (CVE-2018-20191
+  bsc#1119979)
+  0049-pvrdma-add-uar_read-routine.patch
+* Fix DoS in pvrdma interface (CVE-2018-20125 bsc#1119989)
+  0050-pvrdma-check-number-of-pages-when-c.patch
+* Fix DoS in pvrdma interface (CVE-2018-20216 bsc#1119984)
+  0051-pvrdma-check-return-value-from-pvrd.patch
+* Fix DoS in pvrdma interface (CVE-2018-20126 bsc#1119991)
+  0052-pvrdma-release-ring-object-in-case-.patch
+- one more post v3.1.0 patches marked for next stable release:
+  0053-block-Fix-hangs-in-synchronous-APIs.patch
+- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.1
+
+-------------------------------------------------------------------
+Tue Jan  8 13:41:35 UTC 2019 - olaf@aepfle.de
+
+- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.1
+* Patches added:
+  0040-xen-ignore-live-parameter-from-xen-.patch
+  (bsc#1079730, bsc#1101982, bsc#1063993)
+
+-------------------------------------------------------------------
+Fri Jan  4 19:53:55 UTC 2019 - Bruce Rogers <brogers@suse.com>
+
+- Follow up on ideas prompted by last change: clean up the patches
+  generated by git workflow. There is no value to the first line
+  (mbox From line), or [PATCH] on subject line. Get rid of those
+- Other minor fixes and improvements to update_git.sh
+
+-------------------------------------------------------------------
+Thu Jan  3 14:12:56 UTC 2019 - olaf@aepfle.de
+
+- Modify update_git.sh script:
+  pass --zero-commit to format-patch
+  This removes needless noise in the buildservice when the same set
+  of patches is imported/exported at different times by different users.
+  pass --no-signature to format-patch
+  Remove sed call which used to remove the signature, use mv instead
+
 -------------------------------------------------------------------
 Fri Dec 14 06:24:53 UTC 2018 - lma@suse.com
 

qemu.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package qemu
 #
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -176,6 +176,20 @@ Patch0036:      0036-xen-add-block-resize-support-for-xe.patch
 Patch0037:      0037-tests-qemu-iotests-Triple-timeout-o.patch
 Patch0038:      0038-tests-block-io-test-130-needs-some-.patch
 Patch0039:      0039-xen_disk-Avoid-repeated-memory-allo.patch
+Patch0040:      0040-xen-ignore-live-parameter-from-xen-.patch
+Patch0041:      0041-vfio-ap-flag-as-compatible-with-bal.patch
+Patch0042:      0042-hw-s390x-Fix-bad-mask-in-time2tod.patch
+Patch0043:      0043-pcie-set-link-state-inactive-active.patch
+Patch0044:      0044-pc-piix4-Update-smbus-I-O-space-aft.patch
+Patch0045:      0045-hw-usb-fix-mistaken-de-initializati.patch
+Patch0046:      0046-usb-mtp-use-O_NOFOLLOW-and-O_CLOEXE.patch
+Patch0047:      0047-pvrdma-release-device-resources-in-.patch
+Patch0048:      0048-rdma-check-num_sge-does-not-exceed-.patch
+Patch0049:      0049-pvrdma-add-uar_read-routine.patch
+Patch0050:      0050-pvrdma-check-number-of-pages-when-c.patch
+Patch0051:      0051-pvrdma-check-return-value-from-pvrd.patch
+Patch0052:      0052-pvrdma-release-ring-object-in-case-.patch
+Patch0053:      0053-block-Fix-hangs-in-synchronous-APIs.patch
 # Please do not add QEMU patches manually here.
 # Run update_git.sh to regenerate this queue.
 
@@ -943,6 +957,20 @@ This package provides a service file for starting and stopping KSM.
 %patch0037 -p1
 %patch0038 -p1
 %patch0039 -p1
+%patch0040 -p1
+%patch0041 -p1
+%patch0042 -p1
+%patch0043 -p1
+%patch0044 -p1
+%patch0045 -p1
+%patch0046 -p1
+%patch0047 -p1
+%patch0048 -p1
+%patch0049 -p1
+%patch0050 -p1
+%patch0051 -p1
+%patch0052 -p1
+%patch0053 -p1
 
 pushd roms/seabios
 %patch1100 -p1

qemu.spec.in

@@ -1,7 +1,7 @@
 #
 # spec file for package qemu
 #
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed

update_git.sh

@@ -76,15 +76,14 @@ if [ "$OLD_SOURCE_VERSION_AND_EXTRA" = "" ]; then
     echo "Warning: No tarball found"
 fi
 
-if [[ $QEMU_TARBALL =~ $BASE_RE$EXTRA_RE$SUFFIX_RE ]]; then
-    OLD_COMMIT_ISH=${BASH_REMATCH[3]}
-else
-    #Assume release (or release candidate) tarball with equivalent tag:
-    OLD_COMMIT_ISH=$(cd $GIT_LOCAL_TREE && git rev-list --abbrev-commit \
-        --abbrev=9 -1 v$OLD_SOURCE_VERSION_AND_EXTRA)
-fi
-
 if [ "$GIT_UPSTREAM_COMMIT_ISH" = "LATEST" ]; then
+    if [[ $QEMU_TARBALL =~ $BASE_RE$EXTRA_RE$SUFFIX_RE ]]; then
+        OLD_COMMIT_ISH=${BASH_REMATCH[3]}
+    else
+        #Assume release (or release candidate) tarball with equivalent tag:
+        OLD_COMMIT_ISH=$(cd $GIT_LOCAL_TREE && git rev-list --abbrev-commit \
+            --abbrev=9 -1 v$OLD_SOURCE_VERSION_AND_EXTRA)
+    fi
     if [ ${#QEMU_TARBALL_SIG[@]} -ne 0 ]; then
         echo "INFO: Ignoring signature file: $QEMU_TARBALL_SIG"
         QEMU_TARBALL_SIG=
@@ -213,8 +212,9 @@ else # not based on LATEST upstream master, rather any upstream commitish
     WRITE_LOG=1
 fi
 
-(cd $GIT_DIR && git format-patch -N --stat=72 --indent-heuristic \
-    $GIT_UPSTREAM_COMMIT_ISH --suffix= -o $CMP_DIR --no-renames >/dev/null)
+(cd $GIT_DIR && git format-patch -N --suffix= --no-renames -o $CMP_DIR -k \
+    --stat=72 --indent-heuristic --zero-commit --no-signature \
+    $GIT_UPSTREAM_COMMIT_ISH >/dev/null)
 
 check_patch()
 {
@@ -237,14 +237,10 @@ rm -rf $GIT_DIR
 
     shopt -s nullglob
 
-    # Process patches to eliminate useless differences: limit file names to 40
-    # chars before extension and remove git signature. ('30' below gets us past
-    # dir prefix)
+    # limit patch base file name to 40 chars ('30' is for path length)
     for i in $CMP_DIR/*; do
-        # format-patch may append a signature, which per default contains the
-        # git version. wipe everything starting from the signature tag
-        sed '/^-- $/Q' $i > $CMP_DIR/${i:30:40}.patch
-        rm $i
+        tail -n +2 $i > $CMP_DIR/${i:30:40}.patch
+	rm $i
     done
 
     for i in 0???-*.patch; do
@@ -277,7 +273,7 @@ rm -rf $GIT_DIR
     rm -f checkpatch.pl
     if [ -s checkpatch.log ]; then
         echo "WARNING: Issues reported by qemu patch checker. Please handle" \
-            "ERRORS now:"
+            "ERROR items now:"
         cat checkpatch.log
     fi
     rm -f checkpatch.log
@@ -316,8 +312,8 @@ rm -rf $GIT_DIR
             elif [[ "$line" =~ ^Source: ]]; then
                 echo "$line"
                 if [ ${#QEMU_TARBALL_SIG[@]} -eq 1 ]; then
-                    # We assume the signature file is right
-                    echo "$(echo $line|sed 's/^Source*/&99/').sig"
+                    # We assume the signature file corresponds - just add .sig
+                    echo "$line.sig"|sed 's/^Source:  /Source99:/'
                 fi
             elif [ "$line" = "SEABIOS_VERSION" ]; then
                 echo "Version:        $SEABIOS_VERSION"
@@ -372,8 +368,12 @@ sed -e 's|^\(Name:.*qemu\)|\1-testsuite|' < qemu.spec > qemu-testsuite.spec
 sed -i 's/^# spec file for package qemu/&-testsuite/' qemu-testsuite.spec
 
 if [ "$1" = "-f" ]; then
-    echo "running osc service to format spec file"
-    osc service localrun format_spec_file
+    if [ "$(rpm -q --queryformat '%{VERSION}' obs-service-format_spec_file)" -lt "20180820" ]; then
+        echo "WARNING! Not running osc format-spec-file service - recent obs package needed"
+    else
+        echo "running osc service to format spec file"
+        osc service localrun format_spec_file
+    fi
 else
     echo "note: not running osc format_spec_file service. If desired, pass -f"
 fi