Accepting request 419833 from home:bfrogers:branches:Virtualization

Update to v2.6.1 stable release. OBS-URL: https://build.opensuse.org/request/show/419833 OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=311
2016-08-18 02:33:12 +00:00 · 2016-08-18 02:33:12 +00:00 · 07d2889ef8
commit 07d2889ef8
parent 0e620dde42
89 changed files with 321 additions and 1478 deletions
--- a/0001-XXX-dont-dump-core-on-sigabort.patch
+++ b/0001-XXX-dont-dump-core-on-sigabort.patch
@ -1,4 +1,4 @@
-From d1591b68524b12fa4c9cb7d2fd6fcdf021137ede Mon Sep 17 00:00:00 2001
+From 652983299b4b18cdf26414b0ba468c5dd166adc7 Mon Sep 17 00:00:00 2001
 From: Alexander Graf <agraf@suse.de>
 Date: Mon, 21 Nov 2011 23:50:36 +0100
 Subject: [PATCH] XXX dont dump core on sigabort
--- a/0002-qemu-0.9.0.cvs-binfmt.patch
+++ b/0002-qemu-0.9.0.cvs-binfmt.patch
@ -1,4 +1,4 @@
-From 25da05b51950cf639c26ca5f1e47fcfdfb588ab2 Mon Sep 17 00:00:00 2001
+From 611fe6b38bf118be59326f35fd3a066250328311 Mon Sep 17 00:00:00 2001
 From: Ulrich Hecht <uli@suse.de>
 Date: Tue, 14 Apr 2009 16:18:44 +0200
 Subject: [PATCH] qemu-0.9.0.cvs-binfmt
--- a/0003-qemu-cvs-alsa_bitfield.patch
+++ b/0003-qemu-cvs-alsa_bitfield.patch
@ -1,4 +1,4 @@
-From 307dc6c6bde4ec04b9efd6f27db0295e349bf573 Mon Sep 17 00:00:00 2001
+From 6171d82516b151c7d2bac6484c801c45d8de796e Mon Sep 17 00:00:00 2001
 From: Alexander Graf <agraf@suse.de>
 Date: Tue, 14 Apr 2009 16:20:50 +0200
 Subject: [PATCH] qemu-cvs-alsa_bitfield
--- a/0004-qemu-cvs-alsa_ioctl.patch
+++ b/0004-qemu-cvs-alsa_ioctl.patch
@ -1,4 +1,4 @@
-From 42ec5aa5b6abb395b894311702cec8c09ec44263 Mon Sep 17 00:00:00 2001
+From b89afe9048994b21e361d9eebe96825d80d1ef56 Mon Sep 17 00:00:00 2001
 From: Alexander Graf <agraf@suse.de>
 Date: Tue, 14 Apr 2009 16:23:27 +0200
 Subject: [PATCH] qemu-cvs-alsa_ioctl
--- a/0005-qemu-cvs-alsa_mmap.patch
+++ b/0005-qemu-cvs-alsa_mmap.patch
@ -1,4 +1,4 @@
-From d899ab90ddfcf5c6efe45f9008cd2c498d368ac9 Mon Sep 17 00:00:00 2001
+From 9c9cfb248223f4da2ea2333164ea7e6a6091c03a Mon Sep 17 00:00:00 2001
 From: Alexander Graf <agraf@suse.de>
 Date: Tue, 14 Apr 2009 16:24:15 +0200
 Subject: [PATCH] qemu-cvs-alsa_mmap
--- a/0006-qemu-cvs-gettimeofday.patch
+++ b/0006-qemu-cvs-gettimeofday.patch
@ -1,4 +1,4 @@
-From eaa8f697ccd1320f9ce432588beef2d341bc5a18 Mon Sep 17 00:00:00 2001
+From 2dc4a9d135ce472a59da891af09ba9529c57b61b Mon Sep 17 00:00:00 2001
 From: Ulrich Hecht <uli@suse.de>
 Date: Tue, 14 Apr 2009 16:25:41 +0200
 Subject: [PATCH] qemu-cvs-gettimeofday
--- a/0007-qemu-cvs-ioctl_debug.patch
+++ b/0007-qemu-cvs-ioctl_debug.patch
@ -1,4 +1,4 @@
-From 5fabc9a72b03eca20cda87e0bb35a92aaa3d4dbf Mon Sep 17 00:00:00 2001
+From d2a4cedd351ff7e09843bb5cbb76038af2303df7 Mon Sep 17 00:00:00 2001
 From: Alexander Graf <agraf@suse.de>
 Date: Tue, 14 Apr 2009 16:26:33 +0200
 Subject: [PATCH] qemu-cvs-ioctl_debug
--- a/0008-qemu-cvs-ioctl_nodirection.patch
+++ b/0008-qemu-cvs-ioctl_nodirection.patch
@ -1,4 +1,4 @@
-From 31a5e0ab101e1549d534a63fb5e9e94007e812f8 Mon Sep 17 00:00:00 2001
+From 43f2593e07e0de12dddf72c3205e6a0fb851dc2d Mon Sep 17 00:00:00 2001
 From: Alexander Graf <agraf@suse.de>
 Date: Tue, 14 Apr 2009 16:27:36 +0200
 Subject: [PATCH] qemu-cvs-ioctl_nodirection
--- a/0009-block-vmdk-Support-creation-of-SCSI.patch
+++ b/0009-block-vmdk-Support-creation-of-SCSI.patch
@ -1,4 +1,4 @@
-From 7164cadf6a1f23d2b931f34c78d3707207306cfb Mon Sep 17 00:00:00 2001
+From d367bff9f8b514a0beacac3d21426d787dcef77f Mon Sep 17 00:00:00 2001
 From: Ulrich Hecht <uli@suse.de>
 Date: Tue, 14 Apr 2009 16:37:42 +0200
 Subject: [PATCH] block/vmdk: Support creation of SCSI VMDK images in qemu-img
--- a/0010-linux-user-add-binfmt-wrapper-for-a.patch
+++ b/0010-linux-user-add-binfmt-wrapper-for-a.patch
@ -1,4 +1,4 @@
-From a7697f0442c3cb97a5ab4ee60ffe721de6dc791e Mon Sep 17 00:00:00 2001
+From 4234d2b99790fd33e82bee633f48d773e0c7c43e Mon Sep 17 00:00:00 2001
 From: Alexander Graf <agraf@suse.de>
 Date: Fri, 30 Sep 2011 19:40:36 +0200
 Subject: [PATCH] linux-user: add binfmt wrapper for argv[0] handling
--- a/0011-PPC-KVM-Disable-mmu-notifier-check.patch
+++ b/0011-PPC-KVM-Disable-mmu-notifier-check.patch
@ -1,4 +1,4 @@
-From c1602f324287481df7aef85c417e143fa47bcea4 Mon Sep 17 00:00:00 2001
+From 312bb9ff5f1448e2aebcccc4f124cf8f7fa1e0a0 Mon Sep 17 00:00:00 2001
 From: Alexander Graf <agraf@suse.de>
 Date: Fri, 6 Jan 2012 01:05:55 +0100
 Subject: [PATCH] PPC: KVM: Disable mmu notifier check
@ -13,7 +13,7 @@ KVM guests work there, even if possibly racy in some odd circumstances.
 1 file changed, 2 insertions(+)

 diff --git a/exec.c b/exec.c
-index c4f9036..52232dc 100644
+index fc75266..a50e148 100644
 --- a/exec.c
 +++ b/exec.c
@@ -1242,11 +1242,13 @@ static void *file_ram_alloc(RAMBlock *block,
--- a/0012-linux-user-fix-segfault-deadlock.patch
+++ b/0012-linux-user-fix-segfault-deadlock.patch
@ -1,4 +1,4 @@
-From 6b4338150763e8241cec19846a48a132d60fe75f Mon Sep 17 00:00:00 2001
+From 48e23620ccc1efef237996fcc102215619a5ba7d Mon Sep 17 00:00:00 2001
 From: Alexander Graf <agraf@suse.de>
 Date: Fri, 13 Jan 2012 17:05:41 +0100
 Subject: [PATCH] linux-user: fix segfault deadlock
--- a/0013-linux-user-binfmt-support-host-bina.patch
+++ b/0013-linux-user-binfmt-support-host-bina.patch
@ -1,4 +1,4 @@
-From 02e298aafcb7bb11036cabec82da958f7d860ac8 Mon Sep 17 00:00:00 2001
+From 7ada3e29b37a639129e36a7ed2f2f07a0efc3334 Mon Sep 17 00:00:00 2001
 From: Alexander Graf <agraf@suse.de>
 Date: Thu, 2 Feb 2012 18:02:33 +0100
 Subject: [PATCH] linux-user: binfmt: support host binaries
--- a/0014-linux-user-Ignore-broken-loop-ioctl.patch
+++ b/0014-linux-user-Ignore-broken-loop-ioctl.patch
@ -1,4 +1,4 @@
-From 64acfd49e9721a17c610cc54a92efe8ec3170698 Mon Sep 17 00:00:00 2001
+From f3041527d08d4547ca88843c3be991569bca5152 Mon Sep 17 00:00:00 2001
 From: Alexander Graf <agraf@suse.de>
 Date: Tue, 12 Jun 2012 04:41:10 +0200
 Subject: [PATCH] linux-user: Ignore broken loop ioctl
--- a/0015-linux-user-lock-tcg.patch
+++ b/0015-linux-user-lock-tcg.patch
@ -1,4 +1,4 @@
-From f34632424427a2387a9275133c3cb4a8ad4f9d31 Mon Sep 17 00:00:00 2001
+From 3c784b6969e0379542cf4661847effa17eacd27f Mon Sep 17 00:00:00 2001
 From: Alexander Graf <agraf@suse.de>
 Date: Thu, 5 Jul 2012 17:31:39 +0200
 Subject: [PATCH] linux-user: lock tcg
--- a/0016-linux-user-Run-multi-threaded-code-.patch
+++ b/0016-linux-user-Run-multi-threaded-code-.patch
@ -1,4 +1,4 @@
-From a2f095e01371ff9d00524fb4c0e7d3bd941227da Mon Sep 17 00:00:00 2001
+From 0922a98683629c491b15b282d35cba46c225549f Mon Sep 17 00:00:00 2001
 From: Alexander Graf <agraf@suse.de>
 Date: Tue, 10 Jul 2012 20:40:55 +0200
 Subject: [PATCH] linux-user: Run multi-threaded code on a single core
--- a/0017-linux-user-lock-tb-flushing-too.patch
+++ b/0017-linux-user-lock-tb-flushing-too.patch
@ -1,4 +1,4 @@
-From 80465393b0e7a888125378567cc69a6cc190b8ff Mon Sep 17 00:00:00 2001
+From 598cc6f427821cbaf6b6a8eeadf90176ecf9b9d5 Mon Sep 17 00:00:00 2001
 From: Alexander Graf <agraf@suse.de>
 Date: Wed, 11 Jul 2012 16:47:42 +0200
 Subject: [PATCH] linux-user: lock tb flushing too
--- a/0018-linux-user-Fake-proc-cpuinfo.patch
+++ b/0018-linux-user-Fake-proc-cpuinfo.patch
@ -1,4 +1,4 @@
-From cac0ebd114044343f3d0e6a1ae0b455949db0a5d Mon Sep 17 00:00:00 2001
+From 39ce1e900aba8b93e2296b3d4c613fd7af58f347 Mon Sep 17 00:00:00 2001
 From: Alexander Graf <agraf@suse.de>
 Date: Mon, 23 Jul 2012 10:24:14 +0200
 Subject: [PATCH] linux-user: Fake /proc/cpuinfo
--- a/0019-linux-user-implement-FS_IOC_GETFLAG.patch
+++ b/0019-linux-user-implement-FS_IOC_GETFLAG.patch
@ -1,4 +1,4 @@
-From a61e366827ca2b159b515e760742bc6dee26169f Mon Sep 17 00:00:00 2001
+From 2783b7f3c20040aaa53b59a9a716364f04562126 Mon Sep 17 00:00:00 2001
 From: Alexander Graf <agraf@suse.de>
 Date: Mon, 20 Aug 2012 00:02:52 +0200
 Subject: [PATCH] linux-user: implement FS_IOC_GETFLAGS ioctl
--- a/0020-linux-user-implement-FS_IOC_SETFLAG.patch
+++ b/0020-linux-user-implement-FS_IOC_SETFLAG.patch
@ -1,4 +1,4 @@
-From 39e6dbd24f5a872c5c37b0c1ddd31fe00b74c3ca Mon Sep 17 00:00:00 2001
+From fe937a73ac633b34380ac53c9057a0664c3b77cc Mon Sep 17 00:00:00 2001
 From: Alexander Graf <agraf@suse.de>
 Date: Mon, 20 Aug 2012 00:07:13 +0200
 Subject: [PATCH] linux-user: implement FS_IOC_SETFLAGS ioctl
--- a/0021-linux-user-XXX-disable-fiemap.patch
+++ b/0021-linux-user-XXX-disable-fiemap.patch
@ -1,4 +1,4 @@
-From fb0a1cd7b3e0ab5908607da0b704f749a3f9cd36 Mon Sep 17 00:00:00 2001
+From 11b56fbe40bf880945a0563044b58b03d9d0baa7 Mon Sep 17 00:00:00 2001
 From: Alexander Graf <agraf@suse.de>
 Date: Tue, 21 Aug 2012 14:20:40 +0200
 Subject: [PATCH] linux-user: XXX disable fiemap
--- a/0022-slirp-nooutgoing.patch
+++ b/0022-slirp-nooutgoing.patch
@ -1,4 +1,4 @@
-From d839baef69733ff67df56abd52bf01b13c2adc80 Mon Sep 17 00:00:00 2001
+From bd75d0195aef3af7392ce38952e018936da303ff Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Andreas=20F=C3=A4rber?= <afaerber@suse.de>
 Date: Wed, 29 Aug 2012 18:42:56 +0200
 Subject: [PATCH] slirp: -nooutgoing
@ -33,7 +33,7 @@ index 6106520..32b25a5 100644
     "-singlestep     always run in singlestep mode\n", QEMU_ARCH_ALL)
 STEXI
 diff --git a/slirp/socket.c b/slirp/socket.c
-index a10eff1..fec954e 100644
+index b336586..8e5bdc3 100644
 --- a/slirp/socket.c
 +++ b/slirp/socket.c
@@ -608,6 +608,8 @@ sorecvfrom(struct socket *so)
@ -96,7 +96,7 @@ index 6b9fef2..e712e21 100644
     socket_set_fast_reuse(s);
     opt = 1;
 diff --git a/vl.c b/vl.c
-index 5fd22cb..18c88ff 100644
+index 5db5dc2..c082789 100644
 --- a/vl.c
 +++ b/vl.c
@@ -162,6 +162,7 @@ int smp_threads = 1;
@ -107,7 +107,7 @@ index 5fd22cb..18c88ff 100644
 static int no_reboot;
 int no_shutdown = 0;
 int cursor_hide = 1;
-@@ -3382,6 +3383,14 @@ int main(int argc, char **argv, char **envp)
+@@ -3386,6 +3387,14 @@ int main(int argc, char **argv, char **envp)
             case QEMU_OPTION_singlestep:
                 singlestep = 1;
                 break;
--- a/0023-vnc-password-file-and-incoming-conn.patch
+++ b/0023-vnc-password-file-and-incoming-conn.patch
@ -1,4 +1,4 @@
-From c15dcea01fb9d84e583abe7d558d7a31a937ddc3 Mon Sep 17 00:00:00 2001
+From aa0933c1b541cc1b7efae51d7a0cc3978e127c86 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Andreas=20F=C3=A4rber?= <afaerber@suse.de>
 Date: Wed, 29 Aug 2012 20:06:01 +0200
 Subject: [PATCH] vnc: password-file= and incoming-connections=
@ -9,7 +9,7 @@ TBD (from SUSE Studio team)
 1 file changed, 55 insertions(+)

 diff --git a/ui/vnc.c b/ui/vnc.c
-index d2ebf1f..ab65db9 100644
+index 3e89dad..e7946ba 100644
 --- a/ui/vnc.c
 +++ b/ui/vnc.c
@@ -58,6 +58,8 @@ static const struct timeval VNC_REFRESH_LOSSY = { 2, 0 };
--- a/0024-linux-user-add-more-blk-ioctls.patch
+++ b/0024-linux-user-add-more-blk-ioctls.patch
@ -1,4 +1,4 @@
-From 5ab7c0967d239f3cab043461952f9d0b9015a617 Mon Sep 17 00:00:00 2001
+From 32cee35bd3c2f98dc645350021de3d9e23be731d Mon Sep 17 00:00:00 2001
 From: Alexander Graf <agraf@suse.de>
 Date: Wed, 10 Oct 2012 10:21:20 +0200
 Subject: [PATCH] linux-user: add more blk ioctls
--- a/0025-linux-user-use-target_ulong.patch
+++ b/0025-linux-user-use-target_ulong.patch
@ -1,4 +1,4 @@
-From 616807e473c21cdf231eed07b87ec287cfdfb528 Mon Sep 17 00:00:00 2001
+From 232612b32aa306574282a98dafdef5772c99ea24 Mon Sep 17 00:00:00 2001
 From: Alexander Graf <agraf@suse.de>
 Date: Tue, 9 Oct 2012 09:06:49 +0200
 Subject: [PATCH] linux-user: use target_ulong
--- a/0026-block-Add-support-for-DictZip-enabl.patch
+++ b/0026-block-Add-support-for-DictZip-enabl.patch
@ -1,4 +1,4 @@
-From 04eba9254338949db56a01bed42bc3ef187a1f04 Mon Sep 17 00:00:00 2001
+From 171c8acfae279756c43f0265e1cfc7d984ab5464 Mon Sep 17 00:00:00 2001
 From: Alexander Graf <agraf@suse.de>
 Date: Wed, 5 Aug 2009 09:49:37 +0200
 Subject: [PATCH] block: Add support for DictZip enabled gzip files
--- a/0027-block-Add-tar-container-format.patch
+++ b/0027-block-Add-tar-container-format.patch
@ -1,4 +1,4 @@
-From 0c107d353084a3a15c1281c7e1385ee5ccd5da5f Mon Sep 17 00:00:00 2001
+From e05a6cfd83e972bf46ca8e8ce7a00d83c882e2d8 Mon Sep 17 00:00:00 2001
 From: Alexander Graf <agraf@suse.de>
 Date: Wed, 5 Aug 2009 17:28:38 +0200
 Subject: [PATCH] block: Add tar container format
--- a/0028-Legacy-Patch-kvm-qemu-preXX-dictzip.patch
+++ b/0028-Legacy-Patch-kvm-qemu-preXX-dictzip.patch
@ -1,4 +1,4 @@
-From 5c25d47e2378efdbd72c49827252741b46ebacff Mon Sep 17 00:00:00 2001
+From e04e97093af3fc593a7db57be40e7334f9776330 Mon Sep 17 00:00:00 2001
 From: Alexander Graf <agraf@suse.de>
 Date: Wed, 12 Dec 2012 19:11:30 +0100
 Subject: [PATCH] Legacy Patch kvm-qemu-preXX-dictzip3.patch
--- a/0029-console-add-question-mark-escape-op.patch
+++ b/0029-console-add-question-mark-escape-op.patch
@ -1,4 +1,4 @@
-From ea20aa50570a68fd2ccda17adfea0f32c71694dc Mon Sep 17 00:00:00 2001
+From 36f007f4de748aff064604637383a23cbebe813e Mon Sep 17 00:00:00 2001
 From: Alexander Graf <agraf@suse.de>
 Date: Mon, 6 Jun 2011 06:53:52 +0200
 Subject: [PATCH] console: add question-mark escape operator
--- a/0030-Make-char-muxer-more-robust-wrt-sma.patch
+++ b/0030-Make-char-muxer-more-robust-wrt-sma.patch
@ -1,4 +1,4 @@
-From 5b001dfb49c85d9934f0ac09bd24a7aecac55956 Mon Sep 17 00:00:00 2001
+From f745251506bedd96fb153b838dbf8a399eb8e275 Mon Sep 17 00:00:00 2001
 From: Alexander Graf <agraf@suse.de>
 Date: Thu, 1 Apr 2010 17:36:23 +0200
 Subject: [PATCH] Make char muxer more robust wrt small FIFOs
--- a/0031-linux-user-lseek-explicitly-cast-no.patch
+++ b/0031-linux-user-lseek-explicitly-cast-no.patch
@ -1,4 +1,4 @@
-From 1e5020a27bf52c24abb9272f9ba605959e8771e8 Mon Sep 17 00:00:00 2001
+From e7c736a9bfa10f1acb5e6b02c73fd8662d5c6a6c Mon Sep 17 00:00:00 2001
 From: Alexander Graf <agraf@suse.de>
 Date: Thu, 13 Dec 2012 14:29:22 +0100
 Subject: [PATCH] linux-user: lseek: explicitly cast non-set offsets to signed
--- a/0032-virtfs-proxy-helper-Provide-__u64-f.patch
+++ b/0032-virtfs-proxy-helper-Provide-__u64-f.patch
@ -1,4 +1,4 @@
-From 01aa7df9b3b82e8d16b3dda2e092dff89c15fa82 Mon Sep 17 00:00:00 2001
+From 96ff92eb1a6402f0b90e4394990eda7f5e457d13 Mon Sep 17 00:00:00 2001
 From: Bruce Rogers <brogers@suse.com>
 Date: Thu, 16 May 2013 12:39:10 +0200
 Subject: [PATCH] virtfs-proxy-helper: Provide __u64 for broken
--- a/0033-configure-Enable-PIE-for-ppc-and-pp.patch
+++ b/0033-configure-Enable-PIE-for-ppc-and-pp.patch
@ -1,4 +1,4 @@
-From 71bb8109caee6f4192237b2fad7db748ac50760d Mon Sep 17 00:00:00 2001
+From 2181064a8a8f7a22285ae767affb23dc684d7d10 Mon Sep 17 00:00:00 2001
 From: Dinar Valeev <k0da@opensuse.org>
 Date: Wed, 2 Oct 2013 17:56:03 +0200
 Subject: [PATCH] configure: Enable PIE for ppc and ppc64 hosts
@ -14,7 +14,7 @@ Signed-off-by: Andreas Färber <afaerber@suse.de>
 1 file changed, 1 insertion(+), 1 deletion(-)

 diff --git a/configure b/configure
-index c37fc5f..94035eb 100755
+index 60e3c0d..65232af 100755
 --- a/configure
 +++ b/configure
@@ -1537,7 +1537,7 @@ fi
--- a/0034-qtest-Increase-socket-timeout.patch
+++ b/0034-qtest-Increase-socket-timeout.patch
@ -1,4 +1,4 @@
-From 287306233f77a3774df2d5c9ed7f301ebc21f89c Mon Sep 17 00:00:00 2001
+From bc88332e8bf07bf413f32131cd20f4e2ba9aeb6a Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Andreas=20F=C3=A4rber?= <afaerber@suse.de>
 Date: Thu, 17 Apr 2014 18:39:10 +0200
 Subject: [PATCH] qtest: Increase socket timeout
--- a/0035-AIO-Reduce-number-of-threads-for-32.patch
+++ b/0035-AIO-Reduce-number-of-threads-for-32.patch
@ -1,4 +1,4 @@
-From 7f1e160917ebff1a756d08c9b07b88452a68387f Mon Sep 17 00:00:00 2001
+From e69780e5f390f491fae554f1a0b0649c9187869e Mon Sep 17 00:00:00 2001
 From: Alexander Graf <agraf@suse.de>
 Date: Wed, 14 Jan 2015 01:32:11 +0100
 Subject: [PATCH] AIO: Reduce number of threads for 32bit hosts
--- a/0036-configure-Enable-libseccomp-for-ppc.patch
+++ b/0036-configure-Enable-libseccomp-for-ppc.patch
@ -1,4 +1,4 @@
-From 88508c66e9403bb708a1ef186e66f5d45801cdd8 Mon Sep 17 00:00:00 2001
+From 6bfa8a2b720bb6cc36a933870a2a1c0a239b3e9d Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Andreas=20F=C3=A4rber?= <afaerber@suse.de>
 Date: Tue, 14 Apr 2015 18:42:06 +0200
 Subject: [PATCH] configure: Enable libseccomp for ppc
@ -14,7 +14,7 @@ Signed-off-by: Andreas Färber <afaerber@suse.de>
 1 file changed, 3 insertions(+)

 diff --git a/configure b/configure
-index 94035eb..4efabe3 100755
+index 65232af..bf74354 100755
 --- a/configure
 +++ b/configure
@@ -1879,6 +1879,9 @@ if test "$seccomp" != "no" ; then
--- a/0037-dictzip-Fix-on-big-endian-systems.patch
+++ b/0037-dictzip-Fix-on-big-endian-systems.patch
@ -1,4 +1,4 @@
-From 3fafdf24acf45df69523e266a38f3c0ca220e9a9 Mon Sep 17 00:00:00 2001
+From bd33e933cbde5f822a0db069e7d368d0cb406249 Mon Sep 17 00:00:00 2001
 From: Alexander Graf <agraf@suse.de>
 Date: Mon, 15 Jun 2015 17:36:32 +0200
 Subject: [PATCH] dictzip: Fix on big endian systems
--- a/0038-block-split-large-discard-requests-.patch
+++ b/0038-block-split-large-discard-requests-.patch
@ -1,4 +1,4 @@
-From adc543748b20def826281f9e6fda52f026dc099d Mon Sep 17 00:00:00 2001
+From 2cee6af27f7e7579c8690edfda4159a66406d2cd Mon Sep 17 00:00:00 2001
 From: Olaf Hering <olaf@aepfle.de>
 Date: Thu, 24 Mar 2016 14:32:39 +0100
 Subject: [PATCH] block: split large discard requests from block frontend
@ -15,7 +15,7 @@ Signed-off-by: Olaf Hering <olaf@aepfle.de>
 1 file changed, 21 insertions(+), 1 deletion(-)

 diff --git a/block/io.c b/block/io.c
-index a7dbf85..560fa4c 100644
+index d02e0d5..511bc75 100644
 --- a/block/io.c
 +++ b/block/io.c
@@ -2487,7 +2487,7 @@ static void coroutine_fn bdrv_discard_co_entry(void *opaque)
--- a/0039-xen_disk-Add-suse-specific-flush-di.patch
+++ b/0039-xen_disk-Add-suse-specific-flush-di.patch
@ -1,4 +1,4 @@
-From 43fdf04d426f4738aec0d349662a780906268590 Mon Sep 17 00:00:00 2001
+From 2d38805131dee693fd9bd931239793514e36d3e0 Mon Sep 17 00:00:00 2001
 From: Bruce Rogers <brogers@suse.com>
 Date: Wed, 9 Mar 2016 15:18:11 -0700
 Subject: [PATCH] xen_disk: Add suse specific flush disable handling and map to
--- a/0040-build-link-with-libatomic-on-powerp.patch
+++ b/0040-build-link-with-libatomic-on-powerp.patch
@ -1,4 +1,4 @@
-From 936efd7b1f317b574dbedf08e69e4206f16ac39f Mon Sep 17 00:00:00 2001
+From f210e8f540cb261c11bffa4ed8e9918ad1731a9b Mon Sep 17 00:00:00 2001
 From: Olaf Hering <olaf@aepfle.de>
 Date: Fri, 1 Apr 2016 12:27:16 +0200
 Subject: [PATCH] build: link with libatomic on powerpc-linux
@ -14,10 +14,10 @@ Signed-off-by: Olaf Hering <olaf@aepfle.de>
 1 file changed, 27 insertions(+)

 diff --git a/configure b/configure
-index 4efabe3..b455035 100755
+index bf74354..8892b36 100755
 --- a/configure
 +++ b/configure
-@@ -4032,6 +4032,33 @@ if test "$usb_redir" != "no" ; then
+@@ -4033,6 +4033,33 @@ if test "$usb_redir" != "no" ; then
     fi
 fi
 
--- a/0041-net-mipsnet-check-packet-length-aga.patch
+++ b/0041-net-mipsnet-check-packet-length-aga.patch
@ -1,33 +0,0 @@
-From a4cae4158cc271ed4d55bc2e237030022f8edc16 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Thu, 7 Apr 2016 04:27:00 -0600
-Subject: [PATCH] net: mipsnet: check packet length against buffer
-
-When receiving packets over MIPSnet network device, it uses
- receive buffer of size 1514 bytes. In case the controller
-accepts large(MTU) packets, it could lead to memory corruption.
-Add check to avoid it.
-
-Reported by: Oleksandr Bazhaniuk <oleksandr.bazhaniuk@intel.com>
-
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-[BR: BSC#975136 CVE-2016-4002]
-Signed-off-by: Bruce Rogers <brogers@suse.com>
---
- hw/net/mipsnet.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/hw/net/mipsnet.c b/hw/net/mipsnet.c
-index 740cd98..cf8b823 100644
--- a/hw/net/mipsnet.c
-+++ b/hw/net/mipsnet.c
-@@ -83,6 +83,9 @@ static ssize_t mipsnet_receive(NetClientState *nc, const uint8_t *buf, size_t si
-     if (!mipsnet_can_receive(nc))
-         return 0;
- 
-+    if (size >= sizeof(s->rx_buffer)) {
-+        return 0;
-+    }
-     s->busy = 1;
- 
-     /* Just accept everything. */
--- a/0041-xen-introduce-dummy-system-device.patch
+++ b/0041-xen-introduce-dummy-system-device.patch
@ -1,4 +1,4 @@
-From d7476f32d84a256e683d20db0cdd0d3676fa2a62 Mon Sep 17 00:00:00 2001
+From 24b0afe9e7869a5a398cb5d04f6e7c5efbac65da Mon Sep 17 00:00:00 2001
 From: Juergen Gross <jgross@suse.com>
 Date: Thu, 12 May 2016 16:13:39 +0200
 Subject: [PATCH] xen: introduce dummy system device
--- a/0042-i386-kvmvapic-initialise-imm32-vari.patch
+++ b/0042-i386-kvmvapic-initialise-imm32-vari.patch
@ -1,35 +0,0 @@
-From 481b43bcc3e920bbe48801a7ad2489260747e8b9 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Thu, 7 Apr 2016 12:50:08 +0530
-Subject: [PATCH] i386: kvmvapic: initialise imm32 variable
-
-When processing Task Priorty Register(TPR) access, it could leak
-automatic stack variable 'imm32' in patch_instruction().
-Initialise the variable to avoid it.
-
-Reported by: Donghai Zdh <donghai.zdh@alibaba-inc.com>
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Message-Id: <1460013608-16670-1-git-send-email-ppandit@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-
-(cherry picked from commit 691a02e2ce0c413236a78dee6f2651c937b09fb0)
-[BR: BSC#975700 CVE-2016-4020]
-Signed-off-by: Bruce Rogers <brogers@suse.com>
---
- hw/i386/kvmvapic.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/i386/kvmvapic.c b/hw/i386/kvmvapic.c
-index c69f374..ff1e31a 100644
--- a/hw/i386/kvmvapic.c
-+++ b/hw/i386/kvmvapic.c
-@@ -394,7 +394,7 @@ static void patch_instruction(VAPICROMState *s, X86CPU *cpu, target_ulong ip)
-     CPUX86State *env = &cpu->env;
-     VAPICHandlers *handlers;
-     uint8_t opcode[2];
-    uint32_t imm32;
-+    uint32_t imm32 = 0;
-     target_ulong current_pc = 0;
-     target_ulong current_cs_base = 0;
-     int current_flags = 0;
--- a/0042-xen-write-information-about-support.patch
+++ b/0042-xen-write-information-about-support.patch
@ -1,4 +1,4 @@
-From 7647bc34d77f7e67a88e88a7f09c314a3a5c7da8 Mon Sep 17 00:00:00 2001
+From 06bc1cf8722a7a5ad5cf7e0ad3adf9279516d77d Mon Sep 17 00:00:00 2001
 From: Juergen Gross <jgross@suse.com>
 Date: Thu, 12 May 2016 16:13:40 +0200
 Subject: [PATCH] xen: write information about supported backends
--- a/0043-esp-check-command-buffer-length-bef.patch
+++ b/0043-esp-check-command-buffer-length-bef.patch
@ -1,42 +0,0 @@
-From 26e782bead654b0415a46c9a019c54b56488519b Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Thu, 19 May 2016 16:09:30 +0530
-Subject: [PATCH] esp: check command buffer length before write(CVE-2016-4439)
-
-The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte
-FIFO buffer. It is used to handle command and data transfer. While
-writing to this command buffer 's->cmdbuf[TI_BUFSZ=16]', a check
-was missing to validate input length. Add check to avoid OOB write
-access.
-
-Fixes CVE-2016-4439.
-
-Reported-by: Li Qiang <liqiang6-s@360.cn>
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Message-Id: <1463654371-11169-2-git-send-email-ppandit@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit c98c6c105f66f05aa0b7c1d2a4a3f716450907ef)
-[BR: CVE-2016-4439 BSC#980711]
-Signed-off-by: Bruce Rogers <brogers@suse.com>
---
- hw/scsi/esp.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
-index 8961be2..01497e6 100644
--- a/hw/scsi/esp.c
-+++ b/hw/scsi/esp.c
-@@ -448,7 +448,11 @@ void esp_reg_write(ESPState *s, uint32_t saddr, uint64_t val)
-         break;
-     case ESP_FIFO:
-         if (s->do_cmd) {
-            s->cmdbuf[s->cmdlen++] = val & 0xff;
-+            if (s->cmdlen < TI_BUFSZ) {
-+                s->cmdbuf[s->cmdlen++] = val & 0xff;
-+            } else {
-+                trace_esp_error_fifo_overrun();
-+            }
-         } else if (s->ti_size == TI_BUFSZ - 1) {
-             trace_esp_error_fifo_overrun();
-         } else {
--- a/0043-xen-add-pvUSB-backend.patch
+++ b/0043-xen-add-pvUSB-backend.patch
@ -1,4 +1,4 @@
-From 9c573c905a6cc3b4dbf931c64e554a20683807b9 Mon Sep 17 00:00:00 2001
+From 013c67849bbe9688491b85483bce6e8fc81fa90f Mon Sep 17 00:00:00 2001
 From: Juergen Gross <jgross@suse.com>
 Date: Thu, 12 May 2016 16:13:41 +0200
 Subject: [PATCH] xen: add pvUSB backend
@ -1151,7 +1151,7 @@ index 63364f7..6e18a46 100644
 void xen_init_display(int domid);
 
 diff --git a/include/hw/xen/xen_common.h b/include/hw/xen/xen_common.h
-index bd65e67..d010cee 100644
+index 7b52e8f..5eabf37 100644
 --- a/include/hw/xen/xen_common.h
 +++ b/include/hw/xen/xen_common.h
@@ -49,6 +49,8 @@ typedef xc_gnttab xengnttab_handle;
--- a/0044-esp-check-dma-length-before-reading.patch
+++ b/0044-esp-check-dma-length-before-reading.patch
@ -1,76 +0,0 @@
-From ff65fa87b6d7d4e7dbda895181c9afc80b07c5e3 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Thu, 19 May 2016 16:09:31 +0530
-Subject: [PATCH] esp: check dma length before reading scsi
- command(CVE-2016-4441)
-
-The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte
-FIFO buffer. It is used to handle command and data transfer.
-Routine get_cmd() uses DMA to read scsi commands into this buffer.
-Add check to validate DMA length against buffer size to avoid any
-overrun.
-
-Fixes CVE-2016-4441.
-
-Reported-by: Li Qiang <liqiang6-s@360.cn>
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Message-Id: <1463654371-11169-3-git-send-email-ppandit@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit 6c1fef6b59563cc415f21e03f81539ed4b33ad90)
-[BR: CVE-2016-4441 BSC#980723]
-Signed-off-by: Bruce Rogers <brogers@suse.com>
---
- hw/scsi/esp.c | 11 +++++++----
- 1 file changed, 7 insertions(+), 4 deletions(-)
-
-diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
-index 01497e6..591c817 100644
--- a/hw/scsi/esp.c
-+++ b/hw/scsi/esp.c
-@@ -82,7 +82,7 @@ void esp_request_cancelled(SCSIRequest *req)
-     }
- }
- 
-static uint32_t get_cmd(ESPState *s, uint8_t *buf)
-+static uint32_t get_cmd(ESPState *s, uint8_t *buf, uint8_t buflen)
- {
-     uint32_t dmalen;
-     int target;
-@@ -92,6 +92,9 @@ static uint32_t get_cmd(ESPState *s, uint8_t *buf)
-         dmalen = s->rregs[ESP_TCLO];
-         dmalen |= s->rregs[ESP_TCMID] << 8;
-         dmalen |= s->rregs[ESP_TCHI] << 16;
-+        if (dmalen > buflen) {
-+            return 0;
-+        }
-         s->dma_memory_read(s->dma_opaque, buf, dmalen);
-     } else {
-         dmalen = s->ti_size;
-@@ -166,7 +169,7 @@ static void handle_satn(ESPState *s)
-         s->dma_cb = handle_satn;
-         return;
-     }
-    len = get_cmd(s, buf);
-+    len = get_cmd(s, buf, sizeof(buf));
-     if (len)
-         do_cmd(s, buf);
- }
-@@ -180,7 +183,7 @@ static void handle_s_without_atn(ESPState *s)
-         s->dma_cb = handle_s_without_atn;
-         return;
-     }
-    len = get_cmd(s, buf);
-+    len = get_cmd(s, buf, sizeof(buf));
-     if (len) {
-         do_busid_cmd(s, buf, 0);
-     }
-@@ -192,7 +195,7 @@ static void handle_satn_stop(ESPState *s)
-         s->dma_cb = handle_satn_stop;
-         return;
-     }
-    s->cmdlen = get_cmd(s, s->cmdbuf);
-+    s->cmdlen = get_cmd(s, s->cmdbuf, sizeof(s->cmdbuf));
-     if (s->cmdlen) {
-         trace_esp_handle_satn_stop(s->cmdlen);
-         s->do_cmd = 1;
--- a/0044-xen-move-xen_sysdev-to-xen_backend..patch
+++ b/0044-xen-move-xen_sysdev-to-xen_backend..patch
@ -1,4 +1,4 @@
-From ee2225e5f531d965aed352bf99ba339969216144 Mon Sep 17 00:00:00 2001
+From 87e73bcc23fedcaa89776810dfcf4c6ef8ad39b1 Mon Sep 17 00:00:00 2001
 From: Juergen Gross <jgross@suse.com>
 Date: Mon, 13 Jun 2016 11:12:21 +0200
 Subject: [PATCH] xen: move xen_sysdev to xen_backend.c
--- a/0045-scsi-pvscsi-check-command-descripto.patch
+++ b/0045-scsi-pvscsi-check-command-descripto.patch
@ -1,96 +0,0 @@
-From 8c2fc88049f351c67bd82c6f61c54111eb088e69 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Mon, 23 May 2016 04:49:00 -0600
-Subject: [PATCH] scsi: pvscsi: check command descriptor ring buffer size
-
-Vmware Paravirtual SCSI emulation uses command descriptors to
-process SCSI commands. These descriptors come with their ring
-buffers. A guest could set the ring buffer size to an arbitrary
-value leading to OOB access issue. Add check to avoid it.
-
-Reported-by: Li Qiang <liqiang6-s@360.cn>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-[BR: CVE-2016-4952 BSC#981266]
-Signed-off-by: Bruce Rogers <brogers@suse.com>
---
- hw/scsi/vmw_pvscsi.c | 24 ++++++++++++++++++++----
- 1 file changed, 20 insertions(+), 4 deletions(-)
-
-diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
-index e690b4e..e1d6d06 100644
--- a/hw/scsi/vmw_pvscsi.c
-+++ b/hw/scsi/vmw_pvscsi.c
-@@ -153,7 +153,7 @@ pvscsi_log2(uint32_t input)
-     return log;
- }
- 
-static void
-+static int
- pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
- {
-     int i;
-@@ -161,6 +161,10 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
-     uint32_t req_ring_size, cmp_ring_size;
-     m->rs_pa = ri->ringsStatePPN << VMW_PAGE_SHIFT;
- 
-+    if ((ri->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)
-+        || (ri->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)) {
-+        return -1;
-+    }
-     req_ring_size = ri->reqRingNumPages * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE;
-     cmp_ring_size = ri->cmpRingNumPages * PVSCSI_MAX_NUM_CMP_ENTRIES_PER_PAGE;
-     txr_len_log2 = pvscsi_log2(req_ring_size - 1);
-@@ -192,15 +196,20 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
- 
-     /* Flush ring state page changes */
-     smp_wmb();
-+
-+    return 0;
- }
- 
-static void
-+static int
- pvscsi_ring_init_msg(PVSCSIRingInfo *m, PVSCSICmdDescSetupMsgRing *ri)
- {
-     int i;
-     uint32_t len_log2;
-     uint32_t ring_size;
- 
-+    if (ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) {
-+        return -1;
-+    }
-     ring_size = ri->numPages * PVSCSI_MAX_NUM_MSG_ENTRIES_PER_PAGE;
-     len_log2 = pvscsi_log2(ring_size - 1);
- 
-@@ -220,6 +229,8 @@ pvscsi_ring_init_msg(PVSCSIRingInfo *m, PVSCSICmdDescSetupMsgRing *ri)
- 
-     /* Flush ring state page changes */
-     smp_wmb();
-+
-+    return 0;
- }
- 
- static void
-@@ -770,7 +781,10 @@ pvscsi_on_cmd_setup_rings(PVSCSIState *s)
-     trace_pvscsi_on_cmd_arrived("PVSCSI_CMD_SETUP_RINGS");
- 
-     pvscsi_dbg_dump_tx_rings_config(rc);
-    pvscsi_ring_init_data(&s->rings, rc);
-+    if (pvscsi_ring_init_data(&s->rings, rc) < 0) {
-+        return PVSCSI_COMMAND_PROCESSING_FAILED;
-+    }
-+
-     s->rings_info_valid = TRUE;
-     return PVSCSI_COMMAND_PROCESSING_SUCCEEDED;
- }
-@@ -850,7 +864,9 @@ pvscsi_on_cmd_setup_msg_ring(PVSCSIState *s)
-     }
- 
-     if (s->rings_info_valid) {
-        pvscsi_ring_init_msg(&s->rings, rc);
-+        if (pvscsi_ring_init_msg(&s->rings, rc) < 0) {
-+            return PVSCSI_COMMAND_PROCESSING_FAILED;
-+        }
-         s->msg_ring_info_valid = TRUE;
-     }
-     return sizeof(PVSCSICmdDescSetupMsgRing) / sizeof(uint32_t);
--- a/0045-vnc-add-configurable-keyboard-delay.patch
+++ b/0045-vnc-add-configurable-keyboard-delay.patch
@ -1,4 +1,4 @@
-From 6a788961dd16f558d78ab7313f0b297409f37af7 Mon Sep 17 00:00:00 2001
+From a77aa218a1ae490d8b4594a77492353c4ebf235f Mon Sep 17 00:00:00 2001
 From: Gerd Hoffmann <kraxel@redhat.com>
 Date: Wed, 1 Jun 2016 08:22:30 +0200
 Subject: [PATCH] vnc: add configurable keyboard delay
@ -42,7 +42,7 @@ index 32b25a5..3bcd98f 100644
 ETEXI
 
 diff --git a/ui/vnc.c b/ui/vnc.c
-index ab65db9..1bee07f 100644
+index e7946ba..f78c8c3 100644
 --- a/ui/vnc.c
 +++ b/ui/vnc.c
@@ -1639,6 +1639,7 @@ static void reset_keys(VncState *vs)
--- a/0046-configure-add-echo_version-helper.patch
+++ b/0046-configure-add-echo_version-helper.patch
@ -1,4 +1,4 @@
-From 83775fe297c7cc8dae0d46c22accc2d7eb78c4a0 Mon Sep 17 00:00:00 2001
+From c4fc507e8d321e3ad3df335b6c4ab84d8fd6bae7 Mon Sep 17 00:00:00 2001
 From: Cole Robinson <crobinso@redhat.com>
 Date: Fri, 6 May 2016 14:03:09 -0400
 Subject: [PATCH] configure: add echo_version helper
@ -17,10 +17,10 @@ Signed-off-by: Bruce Rogers <brogers@suse.com>
 1 file changed, 8 insertions(+), 10 deletions(-)

 diff --git a/configure b/configure
-index b455035..767658e 100755
+index 8892b36..51dc704 100755
 --- a/configure
 +++ b/configure
-@@ -4748,6 +4748,12 @@ EOF
+@@ -4749,6 +4749,12 @@ EOF
   fi
 fi
 
@ -33,7 +33,7 @@ index b455035..767658e 100755
 # prepend pixman and ftd flags after all config tests are done
 QEMU_CFLAGS="$pixman_cflags $fdt_cflags $QEMU_CFLAGS"
 libs_softmmu="$pixman_libs $libs_softmmu"
-@@ -4805,11 +4811,7 @@ echo "GNUTLS hash       $gnutls_hash"
+@@ -4806,11 +4812,7 @@ echo "GNUTLS hash       $gnutls_hash"
 echo "GNUTLS rnd        $gnutls_rnd"
 echo "libgcrypt         $gcrypt"
 echo "libgcrypt kdf     $gcrypt_kdf"
@ -46,7 +46,7 @@ index b455035..767658e 100755
 echo "nettle kdf        $nettle_kdf"
 echo "libtasn1          $tasn1"
 echo "VTE support       $vte"
-@@ -4861,11 +4863,7 @@ echo "Trace backends    $trace_backends"
+@@ -4862,11 +4864,7 @@ echo "Trace backends    $trace_backends"
 if have_backend "simple"; then
 echo "Trace output file $trace_file-<pid>"
 fi
--- a/0046-scsi-mptsas-infinite-loop-while-fet.patch
+++ b/0046-scsi-mptsas-infinite-loop-while-fet.patch
@ -1,45 +0,0 @@
-From 9e91782f3582e12f5c41e64f70e5c53f0e7b9f2a Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Tue, 24 May 2016 02:10:00 -0600
-Subject: [PATCH] scsi: mptsas: infinite loop while fetching requests
-
-The LSI SAS1068 Host Bus Adapter emulator in Qemu, periodically
-looks for requests and fetches them. A loop doing that in
-mptsas_fetch_requests() could run infinitely if 's->state' was
-not operational. Move check to avoid such a loop.
-
-Reported-by: Li Qiang <liqiang6-s@360.cn>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-[BR: CVE-2016-4964 BSC#981399]
-Signed-off-by: Bruce Rogers <brogers@suse.com>
---
- hw/scsi/mptsas.c | 9 ++++-----
- 1 file changed, 4 insertions(+), 5 deletions(-)
-
-diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c
-index 499c146..be88e16 100644
--- a/hw/scsi/mptsas.c
-+++ b/hw/scsi/mptsas.c
-@@ -754,11 +754,6 @@ static void mptsas_fetch_request(MPTSASState *s)
-     hwaddr addr;
-     int size;
- 
-    if (s->state != MPI_IOC_STATE_OPERATIONAL) {
-        mptsas_set_fault(s, MPI_IOCSTATUS_INVALID_STATE);
-        return;
-    }
-
-     /* Read the message header from the guest first. */
-     addr = s->host_mfa_high_addr | MPTSAS_FIFO_GET(s, request_post);
-     pci_dma_read(pci, addr, req, sizeof(hdr));
-@@ -789,6 +784,10 @@ static void mptsas_fetch_requests(void *opaque)
- {
-     MPTSASState *s = opaque;
- 
-+    if (s->state != MPI_IOC_STATE_OPERATIONAL) {
-+        mptsas_set_fault(s, MPI_IOCSTATUS_INVALID_STATE);
-+        return;
-+    }
-     while (!MPTSAS_FIFO_EMPTY(s, request_post)) {
-         mptsas_fetch_request(s);
-     }
--- a/0047-configure-support-vte-2.91.patch
+++ b/0047-configure-support-vte-2.91.patch
@ -1,4 +1,4 @@
-From b673055ec7e4eda0454aacc2d042bd53405f85e6 Mon Sep 17 00:00:00 2001
+From eeb106a711b51266bf05f3895e01575357414ec6 Mon Sep 17 00:00:00 2001
 From: Cole Robinson <crobinso@redhat.com>
 Date: Fri, 6 May 2016 14:03:12 -0400
 Subject: [PATCH] configure: support vte-2.91
@ -18,10 +18,10 @@ Signed-off-by: Bruce Rogers <brogers@suse.com>
 1 file changed, 11 insertions(+), 6 deletions(-)

 diff --git a/configure b/configure
-index 767658e..f32cff5 100755
+index 51dc704..8f1948c 100755
 --- a/configure
 +++ b/configure
-@@ -2395,20 +2395,25 @@ fi
+@@ -2396,20 +2396,25 @@ fi
 
 if test "$vte" != "no"; then
     if test "$gtkabi" = "3.0"; then
@ -52,7 +52,7 @@ index 767658e..f32cff5 100755
         else
             feature_not_found "vte" "Install libvte devel"
         fi
-@@ -4806,6 +4811,7 @@ echo "pixman            $pixman"
+@@ -4807,6 +4812,7 @@ echo "pixman            $pixman"
 echo "SDL support       $sdl"
 echo "GTK support       $gtk"
 echo "GTK GL support    $gtk_gl"
@ -60,7 +60,7 @@ index 767658e..f32cff5 100755
 echo "GNUTLS support    $gnutls"
 echo "GNUTLS hash       $gnutls_hash"
 echo "GNUTLS rnd        $gnutls_rnd"
-@@ -4814,7 +4820,6 @@ echo "libgcrypt kdf     $gcrypt_kdf"
+@@ -4815,7 +4821,6 @@ echo "libgcrypt kdf     $gcrypt_kdf"
 echo "nettle            $nettle `echo_version $nettle $nettle_version`"
 echo "nettle kdf        $nettle_kdf"
 echo "libtasn1          $tasn1"
--- a/0047-vga-add-sr_vbe-register-set.patch
+++ b/0047-vga-add-sr_vbe-register-set.patch
@ -1,235 +0,0 @@
-From d8d0d22b88ceaf7f9ce8e01eb2842b8daf2aa34e Mon Sep 17 00:00:00 2001
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Tue, 17 May 2016 10:54:54 +0200
-Subject: [PATCH] vga: add sr_vbe register set
-
-Commit "fd3c136 vga: make sure vga register setup for vbe stays intact
-(CVE-2016-3712)." causes a regression.  The win7 installer is unhappy
-because it can't freely modify vga registers any more while in vbe mode.
-
-This patch introduces a new sr_vbe register set.  The vbe_update_vgaregs
-will fill sr_vbe[] instead of sr[].  Normal vga register reads and
-writes go to sr[].  Any sr register read access happens through a new
-sr() helper function which will read from sr_vbe[] with vbe active and
-from sr[] otherwise.
-
-This way we can allow guests update sr[] registers as they want, without
-allowing them disrupt vbe video modes that way.
-
-Cc: qemu-stable@nongnu.org
-Reported-by: Thomas Lamprecht <thomas@lamprecht.org>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Message-id: 1463475294-14119-1-git-send-email-kraxel@redhat.com
-(cherry picked from commit 94ef4f337fb614f18b765a8e0e878a4c23cdedcd)
-Signed-off-by: Bruce Rogers <brogers@suse.com>
---
- hw/display/vga.c     | 50 ++++++++++++++++++++++++++++----------------------
- hw/display/vga_int.h |  1 +
- 2 files changed, 29 insertions(+), 22 deletions(-)
-
-diff --git a/hw/display/vga.c b/hw/display/vga.c
-index 4a55ec6..9ebc54f 100644
--- a/hw/display/vga.c
-+++ b/hw/display/vga.c
-@@ -149,6 +149,11 @@ static inline bool vbe_enabled(VGACommonState *s)
-     return s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED;
- }
- 
-+static inline uint8_t sr(VGACommonState *s, int idx)
-+{
-+    return vbe_enabled(s) ? s->sr_vbe[idx] : s->sr[idx];
-+}
-+
- static void vga_update_memory_access(VGACommonState *s)
- {
-     hwaddr base, offset, size;
-@@ -163,8 +168,8 @@ static void vga_update_memory_access(VGACommonState *s)
-         s->has_chain4_alias = false;
-         s->plane_updated = 0xf;
-     }
-    if ((s->sr[VGA_SEQ_PLANE_WRITE] & VGA_SR02_ALL_PLANES) ==
-        VGA_SR02_ALL_PLANES && s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) {
-+    if ((sr(s, VGA_SEQ_PLANE_WRITE) & VGA_SR02_ALL_PLANES) ==
-+        VGA_SR02_ALL_PLANES && sr(s, VGA_SEQ_MEMORY_MODE) & VGA_SR04_CHN_4M) {
-         offset = 0;
-         switch ((s->gr[VGA_GFX_MISC] >> 2) & 3) {
-         case 0:
-@@ -234,7 +239,7 @@ static void vga_precise_update_retrace_info(VGACommonState *s)
-           ((s->cr[VGA_CRTC_OVERFLOW] >> 6) & 2)) << 8);
-     vretr_end_line = s->cr[VGA_CRTC_V_SYNC_END] & 0xf;
- 
-    clocking_mode = (s->sr[VGA_SEQ_CLOCK_MODE] >> 3) & 1;
-+    clocking_mode = (sr(s, VGA_SEQ_CLOCK_MODE) >> 3) & 1;
-     clock_sel = (s->msr >> 2) & 3;
-     dots = (s->msr & 1) ? 8 : 9;
- 
-@@ -486,7 +491,6 @@ void vga_ioport_write(void *opaque, uint32_t addr, uint32_t val)
-         printf("vga: write SR%x = 0x%02x\n", s->sr_index, val);
- #endif
-         s->sr[s->sr_index] = val & sr_mask[s->sr_index];
-        vbe_update_vgaregs(s);
-         if (s->sr_index == VGA_SEQ_CLOCK_MODE) {
-             s->update_retrace_info(s);
-         }
-@@ -680,13 +684,13 @@ static void vbe_update_vgaregs(VGACommonState *s)
- 
-     if (s->vbe_regs[VBE_DISPI_INDEX_BPP] == 4) {
-         shift_control = 0;
-        s->sr[VGA_SEQ_CLOCK_MODE] &= ~8; /* no double line */
-+        s->sr_vbe[VGA_SEQ_CLOCK_MODE] &= ~8; /* no double line */
-     } else {
-         shift_control = 2;
-         /* set chain 4 mode */
-        s->sr[VGA_SEQ_MEMORY_MODE] |= VGA_SR04_CHN_4M;
-+        s->sr_vbe[VGA_SEQ_MEMORY_MODE] |= VGA_SR04_CHN_4M;
-         /* activate all planes */
-        s->sr[VGA_SEQ_PLANE_WRITE] |= VGA_SR02_ALL_PLANES;
-+        s->sr_vbe[VGA_SEQ_PLANE_WRITE] |= VGA_SR02_ALL_PLANES;
-     }
-     s->gr[VGA_GFX_MODE] = (s->gr[VGA_GFX_MODE] & ~0x60) |
-         (shift_control << 5);
-@@ -836,7 +840,7 @@ uint32_t vga_mem_readb(VGACommonState *s, hwaddr addr)
-         break;
-     }
- 
-    if (s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) {
-+    if (sr(s, VGA_SEQ_MEMORY_MODE) & VGA_SR04_CHN_4M) {
-         /* chain 4 mode : simplest access */
-         assert(addr < s->vram_size);
-         ret = s->vram_ptr[addr];
-@@ -904,11 +908,11 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val)
-         break;
-     }
- 
-    if (s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) {
-+    if (sr(s, VGA_SEQ_MEMORY_MODE) & VGA_SR04_CHN_4M) {
-         /* chain 4 mode : simplest access */
-         plane = addr & 3;
-         mask = (1 << plane);
-        if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) {
-+        if (sr(s, VGA_SEQ_PLANE_WRITE) & mask) {
-             assert(addr < s->vram_size);
-             s->vram_ptr[addr] = val;
- #ifdef DEBUG_VGA_MEM
-@@ -921,7 +925,7 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val)
-         /* odd/even mode (aka text mode mapping) */
-         plane = (s->gr[VGA_GFX_PLANE_READ] & 2) | (addr & 1);
-         mask = (1 << plane);
-        if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) {
-+        if (sr(s, VGA_SEQ_PLANE_WRITE) & mask) {
-             addr = ((addr & ~1) << 1) | plane;
-             if (addr >= s->vram_size) {
-                 return;
-@@ -996,7 +1000,7 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val)
- 
-     do_write:
-         /* mask data according to sr[2] */
-        mask = s->sr[VGA_SEQ_PLANE_WRITE];
-+        mask = sr(s, VGA_SEQ_PLANE_WRITE);
-         s->plane_updated |= mask; /* only used to detect font change */
-         write_mask = mask16[mask];
-         if (addr * sizeof(uint32_t) >= s->vram_size) {
-@@ -1152,10 +1156,10 @@ static void vga_get_text_resolution(VGACommonState *s, int *pwidth, int *pheight
-     /* total width & height */
-     cheight = (s->cr[VGA_CRTC_MAX_SCAN] & 0x1f) + 1;
-     cwidth = 8;
-    if (!(s->sr[VGA_SEQ_CLOCK_MODE] & VGA_SR01_CHAR_CLK_8DOTS)) {
-+    if (!(sr(s, VGA_SEQ_CLOCK_MODE) & VGA_SR01_CHAR_CLK_8DOTS)) {
-         cwidth = 9;
-     }
-    if (s->sr[VGA_SEQ_CLOCK_MODE] & 0x08) {
-+    if (sr(s, VGA_SEQ_CLOCK_MODE) & 0x08) {
-         cwidth = 16; /* NOTE: no 18 pixel wide */
-     }
-     width = (s->cr[VGA_CRTC_H_DISP] + 1);
-@@ -1197,7 +1201,7 @@ static void vga_draw_text(VGACommonState *s, int full_update)
-     int64_t now = qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL);
- 
-     /* compute font data address (in plane 2) */
-    v = s->sr[VGA_SEQ_CHARACTER_MAP];
-+    v = sr(s, VGA_SEQ_CHARACTER_MAP);
-     offset = (((v >> 4) & 1) | ((v << 1) & 6)) * 8192 * 4 + 2;
-     if (offset != s->font_offsets[0]) {
-         s->font_offsets[0] = offset;
-@@ -1506,11 +1510,11 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
-     }
- 
-     if (shift_control == 0) {
-        if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) {
-+        if (sr(s, VGA_SEQ_CLOCK_MODE) & 8) {
-             disp_width <<= 1;
-         }
-     } else if (shift_control == 1) {
-        if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) {
-+        if (sr(s, VGA_SEQ_CLOCK_MODE) & 8) {
-             disp_width <<= 1;
-         }
-     }
-@@ -1574,7 +1578,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
- 
-     if (shift_control == 0) {
-         full_update |= update_palette16(s);
-        if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) {
-+        if (sr(s, VGA_SEQ_CLOCK_MODE) & 8) {
-             v = VGA_DRAW_LINE4D2;
-         } else {
-             v = VGA_DRAW_LINE4;
-@@ -1582,7 +1586,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
-         bits = 4;
-     } else if (shift_control == 1) {
-         full_update |= update_palette16(s);
-        if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) {
-+        if (sr(s, VGA_SEQ_CLOCK_MODE) & 8) {
-             v = VGA_DRAW_LINE2D2;
-         } else {
-             v = VGA_DRAW_LINE2;
-@@ -1629,7 +1633,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
- #if 0
-     printf("w=%d h=%d v=%d line_offset=%d cr[0x09]=0x%02x cr[0x17]=0x%02x linecmp=%d sr[0x01]=0x%02x\n",
-            width, height, v, line_offset, s->cr[9], s->cr[VGA_CRTC_MODE],
-           s->line_compare, s->sr[VGA_SEQ_CLOCK_MODE]);
-+           s->line_compare, sr(s, VGA_SEQ_CLOCK_MODE));
- #endif
-     addr1 = (s->start_addr * 4);
-     bwidth = (width * bits + 7) / 8;
-@@ -1781,6 +1785,7 @@ void vga_common_reset(VGACommonState *s)
- {
-     s->sr_index = 0;
-     memset(s->sr, '\0', sizeof(s->sr));
-+    memset(s->sr_vbe, '\0', sizeof(s->sr_vbe));
-     s->gr_index = 0;
-     memset(s->gr, '\0', sizeof(s->gr));
-     s->ar_index = 0;
-@@ -1883,10 +1888,10 @@ static void vga_update_text(void *opaque, console_ch_t *chardata)
-         /* total width & height */
-         cheight = (s->cr[VGA_CRTC_MAX_SCAN] & 0x1f) + 1;
-         cw = 8;
-        if (!(s->sr[VGA_SEQ_CLOCK_MODE] & VGA_SR01_CHAR_CLK_8DOTS)) {
-+        if (!(sr(s, VGA_SEQ_CLOCK_MODE) & VGA_SR01_CHAR_CLK_8DOTS)) {
-             cw = 9;
-         }
-        if (s->sr[VGA_SEQ_CLOCK_MODE] & 0x08) {
-+        if (sr(s, VGA_SEQ_CLOCK_MODE) & 0x08) {
-             cw = 16; /* NOTE: no 18 pixel wide */
-         }
-         width = (s->cr[VGA_CRTC_H_DISP] + 1);
-@@ -2053,6 +2058,7 @@ static int vga_common_post_load(void *opaque, int version_id)
- 
-     /* force refresh */
-     s->graphic_mode = -1;
-+    vbe_update_vgaregs(s);
-     return 0;
- }
- 
-diff --git a/hw/display/vga_int.h b/hw/display/vga_int.h
-index bdb43a5..3ce5544 100644
--- a/hw/display/vga_int.h
-+++ b/hw/display/vga_int.h
-@@ -98,6 +98,7 @@ typedef struct VGACommonState {
-     MemoryRegion chain4_alias;
-     uint8_t sr_index;
-     uint8_t sr[256];
-+    uint8_t sr_vbe[256];
-     uint8_t gr_index;
-     uint8_t gr[256];
-     uint8_t ar_index;
--- a/0048-hw-arm-virt-mark-the-PCIe-host-cont.patch
+++ b/0048-hw-arm-virt-mark-the-PCIe-host-cont.patch
@ -1,4 +1,4 @@
-From ced63da3c840792292a6ee8201c3f7789b80b7eb Mon Sep 17 00:00:00 2001
+From 8b1a852589b2693dd384680d761e617a34ba2f9e Mon Sep 17 00:00:00 2001
 From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
 Date: Mon, 4 Jul 2016 13:06:36 +0100
 Subject: [PATCH] hw/arm/virt: mark the PCIe host controller as DMA coherent in
@ -25,7 +25,7 @@ Signed-off-by: Alexander Graf <agraf@suse.de>
 1 file changed, 1 insertion(+)

 diff --git a/hw/arm/virt.c b/hw/arm/virt.c
-index 56d35c7..9d015d5 100644
+index a535285..30841de 100644
 --- a/hw/arm/virt.c
 +++ b/hw/arm/virt.c
@@ -950,6 +950,7 @@ static void create_pcie(const VirtBoardInfo *vbi, qemu_irq *pic,
--- a/0048-scsi-megasas-use-appropriate-proper.patch
+++ b/0048-scsi-megasas-use-appropriate-proper.patch
@ -1,34 +0,0 @@
-From f7901e3ec072d45629284c91300bf5ad21b36908 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Wed, 25 May 2016 16:01:29 +0530
-Subject: [PATCH] scsi: megasas: use appropriate property buffer size
-
-When setting MegaRAID SAS controller properties via MegaRAID
-Firmware Interface(MFI) commands, a user supplied size parameter
-is used to set property value. Use appropriate size value to avoid
-OOB access issues.
-
-Reported-by: Li Qiang <liqiang6-s@360.cn>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Message-Id: <1464172291-2856-2-git-send-email-ppandit@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit 1b85898025c4cd95dce673d15e67e60e98e91731)
-[BR:CVE-2016-5106 BSC#982018]
-Signed-off-by: Bruce Rogers <brogers@suse.com>
---
- hw/scsi/megasas.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
-index a63a581..dcbd3e1 100644
--- a/hw/scsi/megasas.c
-+++ b/hw/scsi/megasas.c
-@@ -1446,7 +1446,7 @@ static int megasas_dcmd_set_properties(MegasasState *s, MegasasCmd *cmd)
-                                             dcmd_size);
-         return MFI_STAT_INVALID_PARAMETER;
-     }
-    dma_buf_write((uint8_t *)&info, cmd->iov_size, &cmd->qsg);
-+    dma_buf_write((uint8_t *)&info, dcmd_size, &cmd->qsg);
-     trace_megasas_dcmd_unsupported(cmd->index, cmd->iov_size);
-     return MFI_STAT_OK;
- }
--- a/0049-scsi-megasas-check-read_queue_head-.patch
+++ b/0049-scsi-megasas-check-read_queue_head-.patch
@ -1,36 +0,0 @@
-From e9910b20f94d3683d4d8895136583529cf7c313f Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Wed, 25 May 2016 17:55:10 +0530
-Subject: [PATCH] scsi: megasas: check 'read_queue_head' index value
-
-While doing MegaRAID SAS controller command frame lookup, routine
-'megasas_lookup_frame' uses 'read_queue_head' value as an index
-into 'frames[MEGASAS_MAX_FRAMES=2048]' array. Limit its value
-within array bounds to avoid any OOB access.
-
-Reported-by: Li Qiang <liqiang6-s@360.cn>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Message-Id: <1464179110-18593-1-git-send-email-ppandit@redhat.com>
-Reviewed-by: Alexander Graf <agraf@suse.de>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit b60bdd1f1ee1616b7a9aeeffb4088e1ce2710fb2)
-[BR: CVE-2016-5107 BSC#982019]
-Signed-off-by: Bruce Rogers <brogers@suse.com>
---
- hw/scsi/megasas.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
-index dcbd3e1..96aee1c 100644
--- a/hw/scsi/megasas.c
-+++ b/hw/scsi/megasas.c
-@@ -650,7 +650,9 @@ static int megasas_init_firmware(MegasasState *s, MegasasCmd *cmd)
-     pa_hi = le32_to_cpu(initq->pi_addr_hi);
-     s->producer_pa = ((uint64_t) pa_hi << 32) | pa_lo;
-     s->reply_queue_head = ldl_le_pci_dma(pcid, s->producer_pa);
-+    s->reply_queue_head %= MEGASAS_MAX_FRAMES;
-     s->reply_queue_tail = ldl_le_pci_dma(pcid, s->consumer_pa);
-+    s->reply_queue_tail %= MEGASAS_MAX_FRAMES;
-     flags = le32_to_cpu(initq->flags);
-     if (flags & MFI_QUEUE_FLAG_CONTEXT64) {
-         s->flags |= MEGASAS_MASK_USE_QUEUE64;
--- a/0049-xen-SUSE-xenlinux-unplug-for-emulat.patch
+++ b/0049-xen-SUSE-xenlinux-unplug-for-emulat.patch
@ -1,4 +1,4 @@
-From 1caba48fc19de7cdceda7577ccf6970d4eb7ed75 Mon Sep 17 00:00:00 2001
+From 6fc72ceb37357fb66b43b17a84b4b6fe128c5f4f Mon Sep 17 00:00:00 2001
 From: Olaf Hering <ohering@suse.de>
 Date: Tue, 21 Jun 2016 18:42:45 +0200
 Subject: [PATCH] xen: SUSE xenlinux unplug for emulated PCI
--- a/0050-scsi-esp-fix-migration.patch
+++ b/0050-scsi-esp-fix-migration.patch
@ -1,4 +1,4 @@
-From a4c62237f33857750850ef30066a5ae5d4d1194e Mon Sep 17 00:00:00 2001
+From ef7fe72329d837ac78895a6b287bc6d7cb2a6889 Mon Sep 17 00:00:00 2001
 From: Paolo Bonzini <pbonzini@redhat.com>
 Date: Mon, 20 Jun 2016 16:32:39 +0200
 Subject: [PATCH] scsi: esp: fix migration
@ -17,10 +17,10 @@ Signed-off-by: Bruce Rogers <brogers@suse.com>
 2 files changed, 7 insertions(+), 3 deletions(-)

 diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
-index 9e318fd..25c547c 100644
+index baa0a2c..1f2f2d3 100644
 --- a/hw/scsi/esp.c
 +++ b/hw/scsi/esp.c
-@@ -577,7 +577,7 @@ static bool esp_mem_accepts(void *opaque, hwaddr addr,
+@@ -574,7 +574,7 @@ static bool esp_mem_accepts(void *opaque, hwaddr addr,
 
 const VMStateDescription vmstate_esp = {
     .name ="esp",
@ -29,7 +29,7 @@ index 9e318fd..25c547c 100644
     .minimum_version_id = 3,
     .fields = (VMStateField[]) {
         VMSTATE_BUFFER(rregs, ESPState),
-@@ -588,7 +588,8 @@ const VMStateDescription vmstate_esp = {
+@@ -585,7 +585,8 @@ const VMStateDescription vmstate_esp = {
         VMSTATE_BUFFER(ti_buf, ESPState),
         VMSTATE_UINT32(status, ESPState),
         VMSTATE_UINT32(dma, ESPState),
--- a/0050-scsi-megasas-null-terminate-bios-ve.patch
+++ b/0050-scsi-megasas-null-terminate-bios-ve.patch
@ -1,32 +0,0 @@
-From e7b653272e0242843f39b9b8d65694c29028fdf5 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Tue, 7 Jun 2016 16:44:03 +0530
-Subject: [PATCH] scsi: megasas: null terminate bios version buffer
-
-While reading information via 'megasas_ctrl_get_info' routine,
-a local bios version buffer isn't null terminated. Add the
-terminating null byte to avoid any OOB access.
-
-Reported-by: Li Qiang <liqiang6-s@360.cn>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit 844864fbae66935951529408831c2f22367a57b6)
-[BR: CVE-2016-5337 BSC#983961]
-Signed-off-by: Bruce Rogers <brogers@suse.com>
---
- hw/scsi/megasas.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
-index 96aee1c..893448b 100644
--- a/hw/scsi/megasas.c
-+++ b/hw/scsi/megasas.c
-@@ -773,6 +773,7 @@ static int megasas_ctrl_get_info(MegasasState *s, MegasasCmd *cmd)
- 
-         ptr = memory_region_get_ram_ptr(&pci_dev->rom);
-         memcpy(biosver, ptr + 0x41, 31);
-+        biosver[31] = 0;
-         memcpy(info.image_component[1].name, "BIOS", 4);
-         memcpy(info.image_component[1].version, biosver,
-                strlen((const char *)biosver));
--- a/0051-vmsvga-move-fifo-sanity-checks-to-v.patch
+++ b/0051-vmsvga-move-fifo-sanity-checks-to-v.patch
@ -1,73 +0,0 @@
-From 74a7469799521413262d7571b7092f859ed32121 Mon Sep 17 00:00:00 2001
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Mon, 30 May 2016 09:09:18 +0200
-Subject: [PATCH] vmsvga: move fifo sanity checks to vmsvga_fifo_length
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Sanity checks are applied when the fifo is enabled by the guest
-(SVGA_REG_CONFIG_DONE write).  Which doesn't help much if the guest
-changes the fifo registers afterwards.  Move the checks to
-vmsvga_fifo_length so they are done each time qemu is about to read
-from the fifo.
-
-Fixes: CVE-2016-4454
-Cc: qemu-stable@nongnu.org
-Cc: P J P <ppandit@redhat.com>
-Reported-by: 李强 <liqiang6-s@360.cn>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Message-id: 1464592161-18348-2-git-send-email-kraxel@redhat.com
-(cherry picked from commit 521360267876d3b6518b328051a2e56bca55bef8)
-[BR: CVE-2016-4454 BSC#982222]
-Signed-off-by: Bruce Rogers <brogers@suse.com>
---
- hw/display/vmware_vga.c | 28 +++++++++++++++-------------
- 1 file changed, 15 insertions(+), 13 deletions(-)
-
-diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
-index 0c63fa8..63a7c05 100644
--- a/hw/display/vmware_vga.c
-+++ b/hw/display/vmware_vga.c
-@@ -555,6 +555,21 @@ static inline int vmsvga_fifo_length(struct vmsvga_state_s *s)
-     if (!s->config || !s->enable) {
-         return 0;
-     }
-+
-+    /* Check range and alignment.  */
-+    if ((CMD(min) | CMD(max) | CMD(next_cmd) | CMD(stop)) & 3) {
-+        return 0;
-+    }
-+    if (CMD(min) < (uint8_t *) s->cmd->fifo - (uint8_t *) s->fifo) {
-+        return 0;
-+    }
-+    if (CMD(max) > SVGA_FIFO_SIZE) {
-+        return 0;
-+    }
-+    if (CMD(max) < CMD(min) + 10 * 1024) {
-+        return 0;
-+    }
-+
-     num = CMD(next_cmd) - CMD(stop);
-     if (num < 0) {
-         num += CMD(max) - CMD(min);
-@@ -1005,19 +1020,6 @@ static void vmsvga_value_write(void *opaque, uint32_t address, uint32_t value)
-     case SVGA_REG_CONFIG_DONE:
-         if (value) {
-             s->fifo = (uint32_t *) s->fifo_ptr;
-            /* Check range and alignment.  */
-            if ((CMD(min) | CMD(max) | CMD(next_cmd) | CMD(stop)) & 3) {
-                break;
-            }
-            if (CMD(min) < (uint8_t *) s->cmd->fifo - (uint8_t *) s->fifo) {
-                break;
-            }
-            if (CMD(max) > SVGA_FIFO_SIZE) {
-                break;
-            }
-            if (CMD(max) < CMD(min) + 10 * 1024) {
-                break;
-            }
-             vga_dirty_log_stop(&s->vga);
-         }
-         s->config = !!value;
--- a/0051-xen-when-removing-a-backend-don-t-r.patch
+++ b/0051-xen-when-removing-a-backend-don-t-r.patch
@ -1,4 +1,4 @@
-From 0d4ea8a7847a76415ed0d0db0392be5b7d1b71a6 Mon Sep 17 00:00:00 2001
+From 57e6b7c9e33686c070e6b5bce203e1a4a01b821d Mon Sep 17 00:00:00 2001
 From: Juergen Gross <jgross@suse.com>
 Date: Fri, 29 Jul 2016 12:51:53 +0200
 Subject: [PATCH] xen: when removing a backend don't remove many of them
--- a/0052-vmsvga-don-t-process-more-than-1024.patch
+++ b/0052-vmsvga-don-t-process-more-than-1024.patch
@ -1,45 +0,0 @@
-From 51a212ea5bb9d958e0fd59d9e975685a8b9e62d0 Mon Sep 17 00:00:00 2001
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Mon, 30 May 2016 09:09:21 +0200
-Subject: [PATCH] vmsvga: don't process more than 1024 fifo commands at once
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-vmsvga_fifo_run is called in regular intervals (on each display update)
-and will resume where it left off.  So we can simply exit the loop,
-without having to worry about how processing will continue.
-
-Fixes: CVE-2016-4453
-Cc: qemu-stable@nongnu.org
-Cc: P J P <ppandit@redhat.com>
-Reported-by: 李强 <liqiang6-s@360.cn>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Message-id: 1464592161-18348-5-git-send-email-kraxel@redhat.com
-(cherry picked from commit 4e68a0ee17dad7b8d870df0081d4ab2e079016c2)
-[BR: CVE-2016-4453 BSC#982223]
-Signed-off-by: Bruce Rogers <brogers@suse.com>
---
- hw/display/vmware_vga.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
-index 63a7c05..3bd4c52 100644
--- a/hw/display/vmware_vga.c
-+++ b/hw/display/vmware_vga.c
-@@ -596,13 +596,13 @@ static inline uint32_t vmsvga_fifo_read(struct vmsvga_state_s *s)
- static void vmsvga_fifo_run(struct vmsvga_state_s *s)
- {
-     uint32_t cmd, colour;
-    int args, len;
-+    int args, len, maxloop = 1024;
-     int x, y, dx, dy, width, height;
-     struct vmsvga_cursor_definition_s cursor;
-     uint32_t cmd_start;
- 
-     len = vmsvga_fifo_length(s);
-    while (len > 0) {
-+    while (len > 0 && --maxloop > 0) {
-         /* May need to go back to the start of the command if incomplete */
-         cmd_start = s->cmd->stop;
- 
--- a/0052-xen-drain-submit-queue-in-xen-usb-b.patch
+++ b/0052-xen-drain-submit-queue-in-xen-usb-b.patch
@ -1,4 +1,4 @@
-From afb94bcc5bbb8b58f8c96821caaab268f96cabdb Mon Sep 17 00:00:00 2001
+From 559d8ccdb0a5e92b6a0a42f2850caa7a8c57ae76 Mon Sep 17 00:00:00 2001
 From: Juergen Gross <jgross@suse.com>
 Date: Wed, 27 Jul 2016 08:17:41 +0200
 Subject: [PATCH] xen: drain submit queue in xen-usb before removing device
--- a/0053-block-iscsi-avoid-potential-overflo.patch
+++ b/0053-block-iscsi-avoid-potential-overflo.patch
@ -1,37 +0,0 @@
-From 75e2bbd9eb1645c7acb1929ca700913a6e2f54d6 Mon Sep 17 00:00:00 2001
-From: Peter Lieven <pl@kamp.de>
-Date: Tue, 24 May 2016 10:59:28 +0200
-Subject: [PATCH] block/iscsi: avoid potential overflow of acb->task->cdb
-
-at least in the path via virtio-blk the maximum size is not
-restricted.
-
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Peter Lieven <pl@kamp.de>
-Message-Id: <1464080368-29584-1-git-send-email-pl@kamp.de>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit a6b3167fa0e825aebb5a7cd8b437b6d41584a196)
-[BR: CVE-2016-5126 BSC#982285]
-Signed-off-by: Bruce Rogers <brogers@suse.com>
---
- block/iscsi.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/block/iscsi.c b/block/iscsi.c
-index 302baf8..172e6cf 100644
--- a/block/iscsi.c
-+++ b/block/iscsi.c
-@@ -837,6 +837,13 @@ static BlockAIOCB *iscsi_aio_ioctl(BlockDriverState *bs,
-         return &acb->common;
-     }
- 
-+    if (acb->ioh->cmd_len > SCSI_CDB_MAX_SIZE) {
-+        error_report("iSCSI: ioctl error CDB exceeds max size (%d > %d)",
-+                     acb->ioh->cmd_len, SCSI_CDB_MAX_SIZE);
-+        qemu_aio_unref(acb);
-+        return NULL;
-+    }
-+
-     acb->task = malloc(sizeof(struct scsi_task));
-     if (acb->task == NULL) {
-         error_report("iSCSI: Failed to allocate task for scsi command. %s",
--- a/0053-qcow2-avoid-extra-flushes-in-qcow2.patch
+++ b/0053-qcow2-avoid-extra-flushes-in-qcow2.patch
@ -1,4 +1,4 @@
-From 197d526012602fbac75392a86e991539e4400bf0 Mon Sep 17 00:00:00 2001
+From c9f5c5004b9fb97398c8dc0003303493904c986c Mon Sep 17 00:00:00 2001
 From: "Denis V. Lunev" <den@openvz.org>
 Date: Thu, 2 Jun 2016 18:58:15 +0300
 Subject: [PATCH] qcow2: avoid extra flushes in qcow2
--- a/0054-qemu-bridge-helper-reduce-security-.patch
+++ b/0054-qemu-bridge-helper-reduce-security-.patch
@ -1,4 +1,4 @@
-From 4bbd77b07de2f0df2e8a0dba9c4ca51299ee2518 Mon Sep 17 00:00:00 2001
+From 66d8c1e91cb8b11fad0ddc68c7398c5ff202525e Mon Sep 17 00:00:00 2001
 From: Bruce Rogers <brogers@suse.com>
 Date: Tue, 2 Aug 2016 11:36:02 -0600
 Subject: [PATCH] qemu-bridge-helper: reduce security profile
--- a/0054-scsi-esp-check-TI-buffer-index-befo.patch
+++ b/0054-scsi-esp-check-TI-buffer-index-befo.patch
@ -1,71 +0,0 @@
-From 40b9ce117b5a3aced6e1b88ea0e2619170b202f6 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Mon, 6 Jun 2016 22:04:43 +0530
-Subject: [PATCH] scsi: esp: check TI buffer index before read/write
-
-The 53C9X Fast SCSI Controller(FSC) comes with internal 16-byte
-FIFO buffers. One is used to handle commands and other is for
-information transfer. Three control variables 'ti_rptr',
-'ti_wptr' and 'ti_size' are used to control r/w access to the
-information transfer buffer ti_buf[TI_BUFSZ=16]. In that,
-
-'ti_rptr' is used as read index, where read occurs.
-'ti_wptr' is a write index, where write would occur.
-'ti_size' indicates total bytes to be read from the buffer.
-
-While reading/writing to this buffer, index could exceed its
-size. Add check to avoid OOB r/w access.
-
-Reported-by: Huawei PSIRT <psirt@huawei.com>
-Reported-by: Li Qiang <liqiang6-s@360.cn>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Message-Id: <1465230883-22303-1-git-send-email-ppandit@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit ff589551c8e8e9e95e211b9d8daafb4ed39f1aec)
-[BR: CVE-2016-5338 BSC#983982]
-Signed-off-by: Bruce Rogers <brogers@suse.com>
---
- hw/scsi/esp.c | 20 +++++++++-----------
- 1 file changed, 9 insertions(+), 11 deletions(-)
-
-diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
-index 591c817..3adb685 100644
--- a/hw/scsi/esp.c
-+++ b/hw/scsi/esp.c
-@@ -400,19 +400,17 @@ uint64_t esp_reg_read(ESPState *s, uint32_t saddr)
-     trace_esp_mem_readb(saddr, s->rregs[saddr]);
-     switch (saddr) {
-     case ESP_FIFO:
-        if (s->ti_size > 0) {
-+        if ((s->rregs[ESP_RSTAT] & STAT_PIO_MASK) == 0) {
-+            /* Data out.  */
-+            qemu_log_mask(LOG_UNIMP, "esp: PIO data read not implemented\n");
-+            s->rregs[ESP_FIFO] = 0;
-+            esp_raise_irq(s);
-+        } else if (s->ti_rptr < s->ti_wptr) {
-             s->ti_size--;
-            if ((s->rregs[ESP_RSTAT] & STAT_PIO_MASK) == 0) {
-                /* Data out.  */
-                qemu_log_mask(LOG_UNIMP,
-                              "esp: PIO data read not implemented\n");
-                s->rregs[ESP_FIFO] = 0;
-            } else {
-                s->rregs[ESP_FIFO] = s->ti_buf[s->ti_rptr++];
-            }
-+            s->rregs[ESP_FIFO] = s->ti_buf[s->ti_rptr++];
-             esp_raise_irq(s);
-         }
-        if (s->ti_size == 0) {
-+        if (s->ti_rptr == s->ti_wptr) {
-             s->ti_rptr = 0;
-             s->ti_wptr = 0;
-         }
-@@ -456,7 +454,7 @@ void esp_reg_write(ESPState *s, uint32_t saddr, uint64_t val)
-             } else {
-                 trace_esp_error_fifo_overrun();
-             }
-        } else if (s->ti_size == TI_BUFSZ - 1) {
-+        } else if (s->ti_wptr == TI_BUFSZ - 1) {
-             trace_esp_error_fifo_overrun();
-         } else {
-             s->ti_size++;
--- a/0055-xen-use-a-common-function-for-pv-an.patch
+++ b/0055-xen-use-a-common-function-for-pv-an.patch
@ -1,4 +1,4 @@
-From ddbfdd2c5396aa810a789f5cb681879f78cb693f Mon Sep 17 00:00:00 2001
+From fceaaa771845a1fa7379539e77390b833dc9de3b Mon Sep 17 00:00:00 2001
 From: Juergen Gross <jgross@suse.com>
 Date: Tue, 2 Aug 2016 08:32:32 +0200
 Subject: [PATCH] xen: use a common function for pv and hvm guest backend
--- a/0060-scsi-megasas-initialise-local-confi.patch
+++ b/0060-scsi-megasas-initialise-local-confi.patch
@ -1,34 +0,0 @@
-From 702d446c9378b6d8415599780cf9f8bfb4c7cb9a Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Wed, 25 May 2016 17:41:44 +0530
-Subject: [PATCH] scsi: megasas: initialise local configuration data buffer
-
-When reading MegaRAID SAS controller configuration via MegaRAID
-Firmware Interface(MFI) commands, routine megasas_dcmd_cfg_read
-uses an uninitialised local data buffer. Initialise this buffer
-to avoid stack information leakage.
-
-Reported-by: Li Qiang <liqiang6-s@360.cn>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Message-Id: <1464178304-12831-1-git-send-email-ppandit@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit d37af740730dbbb93960cd318e040372d04d6dcf)
-[BR: CVE-2016-5105 982017]
-Signed-off-by: Bruce Rogers <brogers@suse.com>
---
- hw/scsi/megasas.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
-index 893448b..a9ffc32 100644
--- a/hw/scsi/megasas.c
-+++ b/hw/scsi/megasas.c
-@@ -1296,7 +1296,7 @@ static int megasas_dcmd_ld_get_info(MegasasState *s, MegasasCmd *cmd)
- 
- static int megasas_dcmd_cfg_read(MegasasState *s, MegasasCmd *cmd)
- {
-    uint8_t data[4096];
-+    uint8_t data[4096] = { 0 };
-     struct mfi_config_data *info;
-     int num_pd_disks = 0, array_offset, ld_offset;
-     BusChild *kid;
--- a/0065-scsi-esp-check-buffer-length-before.patch
+++ b/0065-scsi-esp-check-buffer-length-before.patch
@ -1,36 +0,0 @@
-From 440a840f30f2439aece31ae59a5ee91675a78bb1 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Tue, 31 May 2016 23:23:27 +0530
-Subject: [PATCH] scsi: esp: check buffer length before reading scsi command
-
-The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte
-FIFO buffer. It is used to handle command and data transfer.
-Routine get_cmd() in non-DMA mode, uses 'ti_size' to read scsi
-command into a buffer. Add check to validate command length against
-buffer size to avoid any overrun.
-
-Reported-by: Li Qiang <liqiang6-s@360.cn>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Message-Id: <1464717207-7549-1-git-send-email-ppandit@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit d3cdc49138c30be1d3c2f83d18f85d9fdee95f1a)
-[BR: CVE-2016-5238 BSC#982959]
-Signed-off-by: Bruce Rogers <brogers@suse.com>
---
- hw/scsi/esp.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
-index 3adb685..4b94bbc 100644
--- a/hw/scsi/esp.c
-+++ b/hw/scsi/esp.c
-@@ -98,6 +98,9 @@ static uint32_t get_cmd(ESPState *s, uint8_t *buf, uint8_t buflen)
-         s->dma_memory_read(s->dma_opaque, buf, dmalen);
-     } else {
-         dmalen = s->ti_size;
-+        if (dmalen > TI_BUFSZ) {
-+            return 0;
-+        }
-         memcpy(buf, s->ti_buf, dmalen);
-         buf[0] = buf[2] >> 5;
-     }
--- a/0066-scsi-esp-respect-FIFO-invariant-aft.patch
+++ b/0066-scsi-esp-respect-FIFO-invariant-aft.patch
@ -1,29 +0,0 @@
-From 9b2c1b6e771f01757b93cc92625ef48903786291 Mon Sep 17 00:00:00 2001
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Tue, 14 Jun 2016 15:10:24 +0200
-Subject: [PATCH] scsi: esp: respect FIFO invariant after message phase
-
-The FIFO contains two bytes; hence the write ptr should be two bytes ahead
-of the read pointer.
-
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit d020aa504cec8f525b55ba2ef982c09dc847c72e)
-[BR: CVE-2016-5238 BSC#982959]
-Signed-off-by: Bruce Rogers <brogers@suse.com>
---
- hw/scsi/esp.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
-index 4b94bbc..3f08598 100644
--- a/hw/scsi/esp.c
-+++ b/hw/scsi/esp.c
-@@ -222,7 +222,7 @@ static void write_response(ESPState *s)
-     } else {
-         s->ti_size = 2;
-         s->ti_rptr = 0;
-        s->ti_wptr = 0;
-+        s->ti_wptr = 2;
-         s->rregs[ESP_RFLAGS] = 2;
-     }
-     esp_raise_irq(s);
--- a/0067-pci-assign-Move-Invalid-ROM-error-m.patch
+++ b/0067-pci-assign-Move-Invalid-ROM-error-m.patch
@ -1,52 +0,0 @@
-From f4fe76597dccb9017be71983c4204f21877fc69f Mon Sep 17 00:00:00 2001
-From: Lin Ma <lma@suse.com>
-Date: Thu, 16 Jun 2016 01:05:27 +0800
-Subject: [PATCH] pci-assign: Move "Invalid ROM" error message to
- pci-assign-load-rom.c
-
-In function pci_assign_dev_load_option_rom, For those pci devices don't
-have 'rom' file under sysfs or if loading ROM from external file, The
-function returns NULL, and won't set the passed 'size' variable.
-
-In these 2 cases, qemu still reports "Invalid ROM" error message, Users
-may be confused by it.
-
-Signed-off-by: Lin Ma <lma@suse.com>
-Message-Id: <1466010327-22368-1-git-send-email-lma@suse.com>
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit be968c721ee9df49708691ab58f0e66b394dea82)
-[BR: BSC#982927]
-Signed-off-by: Bruce Rogers <brogers@suse.com>
---
- hw/i386/kvm/pci-assign.c      | 4 ----
- hw/i386/pci-assign-load-rom.c | 3 +++
- 2 files changed, 3 insertions(+), 4 deletions(-)
-
-diff --git a/hw/i386/kvm/pci-assign.c b/hw/i386/kvm/pci-assign.c
-index bf425a2..8abce52 100644
--- a/hw/i386/kvm/pci-assign.c
-+++ b/hw/i386/kvm/pci-assign.c
-@@ -1891,8 +1891,4 @@ static void assigned_dev_load_option_rom(AssignedDevice *dev)
-     pci_assign_dev_load_option_rom(&dev->dev, OBJECT(dev), &size,
-                                    dev->host.domain, dev->host.bus,
-                                    dev->host.slot, dev->host.function);
-
-    if (!size) {
-        error_report("pci-assign: Invalid ROM.");
-    }
- }
-diff --git a/hw/i386/pci-assign-load-rom.c b/hw/i386/pci-assign-load-rom.c
-index 4bbb08c..0d8e4b2 100644
--- a/hw/i386/pci-assign-load-rom.c
-+++ b/hw/i386/pci-assign-load-rom.c
-@@ -40,6 +40,9 @@ void *pci_assign_dev_load_option_rom(PCIDevice *dev, struct Object *owner,
-              domain, bus, slot, function);
- 
-     if (stat(rom_file, &st)) {
-+        if (errno != ENOENT) {
-+            error_report("pci-assign: Invalid ROM.");
-+        }
-         return NULL;
-     }
- 
--- a/0068-Xen-PCI-passthrough-fix-passthrough.patch
+++ b/0068-Xen-PCI-passthrough-fix-passthrough.patch
@ -1,29 +0,0 @@
-From a4b6bbf1139ebc70375c48afe99fccdd9dcaa501 Mon Sep 17 00:00:00 2001
-From: Bruce Rogers <brogers@suse.com>
-Date: Tue, 26 Jul 2016 16:42:45 -0600
-Subject: [PATCH] Xen PCI passthrough: fix passthrough failure when no
- interrupt pin
-
-Commit 5a11d0f7 mistakenly converted a log message into an error
-condition when no pin interrupt is found for the pci device being
-passed through. Revert that part of the commit.
-
-[BR: BSC#981925, BSC#989250]
-Signed-off-by: Bruce Rogers <brogers@suse.com>
---
- hw/xen/xen_pt.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/xen/xen_pt.c b/hw/xen/xen_pt.c
-index f593b04..b6d71bb 100644
--- a/hw/xen/xen_pt.c
-+++ b/hw/xen/xen_pt.c
-@@ -842,7 +842,7 @@ static void xen_pt_realize(PCIDevice *d, Error **errp)
-         goto err_out;
-     }
-     if (!scratch) {
-        error_setg(errp, "no pin interrupt");
-+        XEN_PT_LOG(d, "no pin interrupt\n");
-         goto out;
-     }
- 
--- a/0069-scsi-esp-make-cmdbuf-big-enough-for.patch
+++ b/0069-scsi-esp-make-cmdbuf-big-enough-for.patch
@ -1,73 +0,0 @@
-From 20a82db8677dfb40288953ba296c372b66146f4d Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Thu, 16 Jun 2016 00:22:35 +0200
-Subject: [PATCH] scsi: esp: make cmdbuf big enough for maximum CDB size
-
-While doing DMA read into ESP command buffer 's->cmdbuf', it could
-write past the 's->cmdbuf' area, if it was transferring more than 16
-bytes.  Increase the command buffer size to 32, which is maximum when
-'s->do_cmd' is set, and add a check on 'len' to avoid OOB access.
-
-Reported-by: Li Qiang <liqiang6-s@360.cn>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit 926cde5f3e4d2504ed161ed0cb771ac7cad6fd11)
-[BR: CVE-2016-6351 BSC#990835]
-Signed-off-by: Bruce Rogers <brogers@suse.com>
---
- hw/scsi/esp.c         | 6 ++++--
- include/hw/scsi/esp.h | 3 ++-
- 2 files changed, 6 insertions(+), 3 deletions(-)
-
-diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
-index 3f08598..9e318fd 100644
--- a/hw/scsi/esp.c
-+++ b/hw/scsi/esp.c
-@@ -249,6 +249,8 @@ static void esp_do_dma(ESPState *s)
-     len = s->dma_left;
-     if (s->do_cmd) {
-         trace_esp_do_dma(s->cmdlen, len);
-+        assert (s->cmdlen <= sizeof(s->cmdbuf) &&
-+                len <= sizeof(s->cmdbuf) - s->cmdlen);
-         s->dma_memory_read(s->dma_opaque, &s->cmdbuf[s->cmdlen], len);
-         s->ti_size = 0;
-         s->cmdlen = 0;
-@@ -348,7 +350,7 @@ static void handle_ti(ESPState *s)
-     s->dma_counter = dmalen;
- 
-     if (s->do_cmd)
-        minlen = (dmalen < 32) ? dmalen : 32;
-+        minlen = (dmalen < ESP_CMDBUF_SZ) ? dmalen : ESP_CMDBUF_SZ;
-     else if (s->ti_size < 0)
-         minlen = (dmalen < -s->ti_size) ? dmalen : -s->ti_size;
-     else
-@@ -452,7 +454,7 @@ void esp_reg_write(ESPState *s, uint32_t saddr, uint64_t val)
-         break;
-     case ESP_FIFO:
-         if (s->do_cmd) {
-            if (s->cmdlen < TI_BUFSZ) {
-+            if (s->cmdlen < ESP_CMDBUF_SZ) {
-                 s->cmdbuf[s->cmdlen++] = val & 0xff;
-             } else {
-                 trace_esp_error_fifo_overrun();
-diff --git a/include/hw/scsi/esp.h b/include/hw/scsi/esp.h
-index 6c79527..d2c4886 100644
--- a/include/hw/scsi/esp.h
-+++ b/include/hw/scsi/esp.h
-@@ -14,6 +14,7 @@ void esp_init(hwaddr espaddr, int it_shift,
- 
- #define ESP_REGS 16
- #define TI_BUFSZ 16
-+#define ESP_CMDBUF_SZ 32
- 
- typedef struct ESPState ESPState;
- 
-@@ -31,7 +32,7 @@ struct ESPState {
-     SCSIBus bus;
-     SCSIDevice *current_dev;
-     SCSIRequest *current_req;
-    uint8_t cmdbuf[TI_BUFSZ];
-+    uint8_t cmdbuf[ESP_CMDBUF_SZ];
-     uint32_t cmdlen;
-     uint32_t do_cmd;
- 
--- a/0071-virtio-error-out-if-guest-exceeds-v.patch
+++ b/0071-virtio-error-out-if-guest-exceeds-v.patch
@ -1,65 +0,0 @@
-From d9c626e4ede58130f64f24f4f9ca1140e4102a70 Mon Sep 17 00:00:00 2001
-From: Stefan Hajnoczi <stefanha@redhat.com>
-Date: Tue, 19 Jul 2016 13:07:13 +0100
-Subject: [PATCH] virtio: error out if guest exceeds virtqueue size
-
-A broken or malicious guest can submit more requests than the virtqueue
-size permits, causing unbounded memory allocation in QEMU.
-
-The guest can submit requests without bothering to wait for completion
-and is therefore not bound by virtqueue size.  This requires reusing
-vring descriptors in more than one request, which is not allowed by the
-VIRTIO 1.0 specification.
-
-In "3.2.1 Supplying Buffers to The Device", the VIRTIO 1.0 specification
-says:
-
-  1. The driver places the buffer into free descriptor(s) in the
-     descriptor table, chaining as necessary
-
-and
-
-  Note that the above code does not take precautions against the
-  available ring buffer wrapping around: this is not possible since the
-  ring buffer is the same size as the descriptor table, so step (1) will
-  prevent such a condition.
-
-This implies that placing more buffers into the virtqueue than the
-descriptor table size is not allowed.
-
-QEMU is missing the check to prevent this case.  Processing a request
-allocates a VirtQueueElement leading to unbounded memory allocation
-controlled by the guest.
-
-Exit with an error if the guest provides more requests than the
-virtqueue size permits.  This bounds memory allocation and makes the
-buggy guest visible to the user.
-
-This patch fixes CVE-2016-5403 and was reported by Zhenhao Hong from 360
-Marvel Team, China.
-
-Reported-by: Zhenhao Hong <hongzhenhao@360.cn>
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
-(cherry picked from commit afd9096eb1882f23929f5b5c177898ed231bac66)
-[BR: CVE-2016-5403 BSC#991080]
-Signed-off-by: Bruce Rogers <brogers@suse.com>
---
- hw/virtio/virtio.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
-index 30ede3d..e5ead0d 100644
--- a/hw/virtio/virtio.c
-+++ b/hw/virtio/virtio.c
-@@ -561,6 +561,11 @@ void *virtqueue_pop(VirtQueue *vq, size_t sz)
- 
-     max = vq->vring.num;
- 
-+    if (vq->inuse >= vq->vring.num) {
-+        error_report("Virtqueue size exceeded");
-+        exit(1);
-+    }
-+
-     i = head = virtqueue_get_head(vq, vq->last_avail_idx++);
-     if (virtio_vdev_has_feature(vdev, VIRTIO_RING_F_EVENT_IDX)) {
-         vring_set_avail_event(vq, vq->last_avail_idx);
--- a/qemu-2.6.0.tar.bz2
+++ b/qemu-2.6.0.tar.bz2
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:c9ac4a651b273233d21b8bec32e30507cb9cce7900841febc330956a1a8434ec
-size 25755267
--- a/qemu-2.6.0.tar.bz2.sig
+++ b/qemu-2.6.0.tar.bz2.sig
--- a/qemu-2.6.1.tar.bz2
+++ b/qemu-2.6.1.tar.bz2
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4942fd1b6ee31f2f55ffc2201dd7397e6b9c55a2ef332e6d660c730d268e08d1
+size 25762855
--- a/qemu-2.6.1.tar.bz2.sig
+++ b/qemu-2.6.1.tar.bz2.sig
--- a/qemu-linux-user.changes
+++ b/qemu-linux-user.changes
@ -1,3 +1,62 @@
+-------------------------------------------------------------------
+Wed Aug 17 20:25:13 UTC 2016 - brogers@suse.com
+
+- Update to v2.6.1 a stable, bug-fix-only release (fate#316228)
+- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.6
+* Patches dropped (upstreamed):
+  0041-net-mipsnet-check-packet-length-aga.patch
+  0042-i386-kvmvapic-initialise-imm32-vari.patch
+  0043-esp-check-command-buffer-length-bef.patch
+  0044-esp-check-dma-length-before-reading.patch
+  0045-scsi-pvscsi-check-command-descripto.patch
+  0046-scsi-mptsas-infinite-loop-while-fet.patch
+  0047-vga-add-sr_vbe-register-set.patch
+  0048-scsi-megasas-use-appropriate-proper.patch
+  0049-scsi-megasas-check-read_queue_head-.patch
+  0050-scsi-megasas-null-terminate-bios-ve.patch
+  0051-vmsvga-move-fifo-sanity-checks-to-v.patch
+  0052-vmsvga-don-t-process-more-than-1024.patch
+  0053-block-iscsi-avoid-potential-overflo.patch
+  0054-scsi-esp-check-TI-buffer-index-befo.patch
+  0060-scsi-megasas-initialise-local-confi.patch
+  0065-scsi-esp-check-buffer-length-before.patch
+  0066-scsi-esp-respect-FIFO-invariant-aft.patch
+  0067-pci-assign-Move-Invalid-ROM-error-m.patch
+  0068-Xen-PCI-passthrough-fix-passthrough.patch
+  0069-scsi-esp-make-cmdbuf-big-enough-for.patch
+  0071-virtio-error-out-if-guest-exceeds-v.patch
+* Patches renamed:
+  0055-xen-introduce-dummy-system-device.patch
+  -> 0041-xen-introduce-dummy-system-device.patch
+  0056-xen-write-information-about-support.patch
+  -> 0042-xen-write-information-about-support.patch
+  0057-xen-add-pvUSB-backend.patch
+  -> 0043-xen-add-pvUSB-backend.patch
+  0058-xen-move-xen_sysdev-to-xen_backend..patch
+  -> 0044-xen-move-xen_sysdev-to-xen_backend..patch
+  0059-vnc-add-configurable-keyboard-delay.patch
+  -> 0045-vnc-add-configurable-keyboard-delay.patch
+  0061-configure-add-echo_version-helper.patch
+  -> 0046-configure-add-echo_version-helper.patch
+  0062-configure-support-vte-2.91.patch
+  -> 0047-configure-support-vte-2.91.patch
+  0063-hw-arm-virt-mark-the-PCIe-host-cont.patch
+  -> 0048-hw-arm-virt-mark-the-PCIe-host-cont.patch
+  0064-xen-SUSE-xenlinux-unplug-for-emulat.patch
+  -> 0049-xen-SUSE-xenlinux-unplug-for-emulat.patch
+  0070-scsi-esp-fix-migration.patch
+  -> 0050-scsi-esp-fix-migration.patch
+  0072-xen-when-removing-a-backend-don-t-r.patch
+  -> 0051-xen-when-removing-a-backend-don-t-r.patch
+  0073-xen-drain-submit-queue-in-xen-usb-b.patch
+  -> 0052-xen-drain-submit-queue-in-xen-usb-b.patch
+  0074-qcow2-avoid-extra-flushes-in-qcow2.patch
+  -> 0053-qcow2-avoid-extra-flushes-in-qcow2.patch
+  0075-qemu-bridge-helper-reduce-security-.patch
+  -> 0054-qemu-bridge-helper-reduce-security-.patch
+  0076-xen-use-a-common-function-for-pv-an.patch
+  -> 0055-xen-use-a-common-function-for-pv-an.patch
+
 -------------------------------------------------------------------
 Wed Aug  3 17:09:11 UTC 2016 - brogers@suse.com

--- a/qemu-linux-user.spec
+++ b/qemu-linux-user.spec
@ -21,9 +21,9 @@ Url:            http://www.qemu.org/
 Summary:        Universal CPU emulator
 License:        BSD-3-Clause and GPL-2.0 and GPL-2.0+ and LGPL-2.1+ and MIT
 Group:          System/Emulators/PC
-Version:        2.6.0
+Version:        2.6.1
 Release:        0
-Source:         http://wiki.qemu.org/download/qemu-2.6.0.tar.bz2
+Source:         http://wiki.qemu.org/download/qemu-2.6.1.tar.bz2
 # This patch queue is auto-generated from https://github.com/openSUSE/qemu
 Patch0001:      0001-XXX-dont-dump-core-on-sigabort.patch
 Patch0002:      0002-qemu-0.9.0.cvs-binfmt.patch
@ -65,42 +65,21 @@ Patch0037:      0037-dictzip-Fix-on-big-endian-systems.patch
 Patch0038:      0038-block-split-large-discard-requests-.patch
 Patch0039:      0039-xen_disk-Add-suse-specific-flush-di.patch
 Patch0040:      0040-build-link-with-libatomic-on-powerp.patch
-Patch0041:      0041-net-mipsnet-check-packet-length-aga.patch
-Patch0042:      0042-i386-kvmvapic-initialise-imm32-vari.patch
-Patch0043:      0043-esp-check-command-buffer-length-bef.patch
-Patch0044:      0044-esp-check-dma-length-before-reading.patch
-Patch0045:      0045-scsi-pvscsi-check-command-descripto.patch
-Patch0046:      0046-scsi-mptsas-infinite-loop-while-fet.patch
-Patch0047:      0047-vga-add-sr_vbe-register-set.patch
-Patch0048:      0048-scsi-megasas-use-appropriate-proper.patch
-Patch0049:      0049-scsi-megasas-check-read_queue_head-.patch
-Patch0050:      0050-scsi-megasas-null-terminate-bios-ve.patch
-Patch0051:      0051-vmsvga-move-fifo-sanity-checks-to-v.patch
-Patch0052:      0052-vmsvga-don-t-process-more-than-1024.patch
-Patch0053:      0053-block-iscsi-avoid-potential-overflo.patch
-Patch0054:      0054-scsi-esp-check-TI-buffer-index-befo.patch
-Patch0055:      0055-xen-introduce-dummy-system-device.patch
-Patch0056:      0056-xen-write-information-about-support.patch
-Patch0057:      0057-xen-add-pvUSB-backend.patch
-Patch0058:      0058-xen-move-xen_sysdev-to-xen_backend..patch
-Patch0059:      0059-vnc-add-configurable-keyboard-delay.patch
-Patch0060:      0060-scsi-megasas-initialise-local-confi.patch
-Patch0061:      0061-configure-add-echo_version-helper.patch
-Patch0062:      0062-configure-support-vte-2.91.patch
-Patch0063:      0063-hw-arm-virt-mark-the-PCIe-host-cont.patch
-Patch0064:      0064-xen-SUSE-xenlinux-unplug-for-emulat.patch
-Patch0065:      0065-scsi-esp-check-buffer-length-before.patch
-Patch0066:      0066-scsi-esp-respect-FIFO-invariant-aft.patch
-Patch0067:      0067-pci-assign-Move-Invalid-ROM-error-m.patch
-Patch0068:      0068-Xen-PCI-passthrough-fix-passthrough.patch
-Patch0069:      0069-scsi-esp-make-cmdbuf-big-enough-for.patch
-Patch0070:      0070-scsi-esp-fix-migration.patch
-Patch0071:      0071-virtio-error-out-if-guest-exceeds-v.patch
-Patch0072:      0072-xen-when-removing-a-backend-don-t-r.patch
-Patch0073:      0073-xen-drain-submit-queue-in-xen-usb-b.patch
-Patch0074:      0074-qcow2-avoid-extra-flushes-in-qcow2.patch
-Patch0075:      0075-qemu-bridge-helper-reduce-security-.patch
-Patch0076:      0076-xen-use-a-common-function-for-pv-an.patch
+Patch0041:      0041-xen-introduce-dummy-system-device.patch
+Patch0042:      0042-xen-write-information-about-support.patch
+Patch0043:      0043-xen-add-pvUSB-backend.patch
+Patch0044:      0044-xen-move-xen_sysdev-to-xen_backend..patch
+Patch0045:      0045-vnc-add-configurable-keyboard-delay.patch
+Patch0046:      0046-configure-add-echo_version-helper.patch
+Patch0047:      0047-configure-support-vte-2.91.patch
+Patch0048:      0048-hw-arm-virt-mark-the-PCIe-host-cont.patch
+Patch0049:      0049-xen-SUSE-xenlinux-unplug-for-emulat.patch
+Patch0050:      0050-scsi-esp-fix-migration.patch
+Patch0051:      0051-xen-when-removing-a-backend-don-t-r.patch
+Patch0052:      0052-xen-drain-submit-queue-in-xen-usb-b.patch
+Patch0053:      0053-qcow2-avoid-extra-flushes-in-qcow2.patch
+Patch0054:      0054-qemu-bridge-helper-reduce-security-.patch
+Patch0055:      0055-xen-use-a-common-function-for-pv-an.patch
 # Please do not add patches manually here, run update_git.sh.
 # this is to make lint happy
 Source300:      qemu-rpmlintrc
@ -153,7 +132,7 @@ emulations. This can be used together with the OBS build script to
 run cross-architecture builds.

 %prep
-%setup -q -n qemu-2.6.0
+%setup -q -n qemu-2.6.1
 %patch0001 -p1
 %patch0002 -p1
 %patch0003 -p1
@ -209,27 +188,6 @@ run cross-architecture builds.
 %patch0053 -p1
 %patch0054 -p1
 %patch0055 -p1
-%patch0056 -p1
-%patch0057 -p1
-%patch0058 -p1
-%patch0059 -p1
-%patch0060 -p1
-%patch0061 -p1
-%patch0062 -p1
-%patch0063 -p1
-%patch0064 -p1
-%patch0065 -p1
-%patch0066 -p1
-%patch0067 -p1
-%patch0068 -p1
-%patch0069 -p1
-%patch0070 -p1
-%patch0071 -p1
-%patch0072 -p1
-%patch0073 -p1
-%patch0074 -p1
-%patch0075 -p1
-%patch0076 -p1

 %build
 ./configure --prefix=%_prefix --sysconfdir=%_sysconfdir \
--- a/qemu-linux-user.spec.in
+++ b/qemu-linux-user.spec.in
@ -23,7 +23,7 @@ License:        BSD-3-Clause and GPL-2.0 and GPL-2.0+ and LGPL-2.1+ and MIT
 Group:          System/Emulators/PC
 QEMU_VERSION
 Release:        0
-Source:         http://wiki.qemu.org/download/qemu-2.6.0.tar.bz2
+Source:         http://wiki.qemu.org/download/qemu-2.6.1.tar.bz2
 # This patch queue is auto-generated from https://github.com/openSUSE/qemu
 PATCH_FILES
 # Please do not add patches manually here, run update_git.sh.
@ -78,7 +78,7 @@ emulations. This can be used together with the OBS build script to
 run cross-architecture builds.

 %prep
-%setup -q -n qemu-2.6.0
+%setup -q -n qemu-2.6.1
 PATCH_EXEC

 %build
--- a/qemu-testsuite.changes
+++ b/qemu-testsuite.changes
@ -1,3 +1,62 @@
+-------------------------------------------------------------------
+Wed Aug 17 20:25:13 UTC 2016 - brogers@suse.com
+
+- Update to v2.6.1 a stable, bug-fix-only release (fate#316228)
+- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.6
+* Patches dropped (upstreamed):
+  0041-net-mipsnet-check-packet-length-aga.patch
+  0042-i386-kvmvapic-initialise-imm32-vari.patch
+  0043-esp-check-command-buffer-length-bef.patch
+  0044-esp-check-dma-length-before-reading.patch
+  0045-scsi-pvscsi-check-command-descripto.patch
+  0046-scsi-mptsas-infinite-loop-while-fet.patch
+  0047-vga-add-sr_vbe-register-set.patch
+  0048-scsi-megasas-use-appropriate-proper.patch
+  0049-scsi-megasas-check-read_queue_head-.patch
+  0050-scsi-megasas-null-terminate-bios-ve.patch
+  0051-vmsvga-move-fifo-sanity-checks-to-v.patch
+  0052-vmsvga-don-t-process-more-than-1024.patch
+  0053-block-iscsi-avoid-potential-overflo.patch
+  0054-scsi-esp-check-TI-buffer-index-befo.patch
+  0060-scsi-megasas-initialise-local-confi.patch
+  0065-scsi-esp-check-buffer-length-before.patch
+  0066-scsi-esp-respect-FIFO-invariant-aft.patch
+  0067-pci-assign-Move-Invalid-ROM-error-m.patch
+  0068-Xen-PCI-passthrough-fix-passthrough.patch
+  0069-scsi-esp-make-cmdbuf-big-enough-for.patch
+  0071-virtio-error-out-if-guest-exceeds-v.patch
+* Patches renamed:
+  0055-xen-introduce-dummy-system-device.patch
+  -> 0041-xen-introduce-dummy-system-device.patch
+  0056-xen-write-information-about-support.patch
+  -> 0042-xen-write-information-about-support.patch
+  0057-xen-add-pvUSB-backend.patch
+  -> 0043-xen-add-pvUSB-backend.patch
+  0058-xen-move-xen_sysdev-to-xen_backend..patch
+  -> 0044-xen-move-xen_sysdev-to-xen_backend..patch
+  0059-vnc-add-configurable-keyboard-delay.patch
+  -> 0045-vnc-add-configurable-keyboard-delay.patch
+  0061-configure-add-echo_version-helper.patch
+  -> 0046-configure-add-echo_version-helper.patch
+  0062-configure-support-vte-2.91.patch
+  -> 0047-configure-support-vte-2.91.patch
+  0063-hw-arm-virt-mark-the-PCIe-host-cont.patch
+  -> 0048-hw-arm-virt-mark-the-PCIe-host-cont.patch
+  0064-xen-SUSE-xenlinux-unplug-for-emulat.patch
+  -> 0049-xen-SUSE-xenlinux-unplug-for-emulat.patch
+  0070-scsi-esp-fix-migration.patch
+  -> 0050-scsi-esp-fix-migration.patch
+  0072-xen-when-removing-a-backend-don-t-r.patch
+  -> 0051-xen-when-removing-a-backend-don-t-r.patch
+  0073-xen-drain-submit-queue-in-xen-usb-b.patch
+  -> 0052-xen-drain-submit-queue-in-xen-usb-b.patch
+  0074-qcow2-avoid-extra-flushes-in-qcow2.patch
+  -> 0053-qcow2-avoid-extra-flushes-in-qcow2.patch
+  0075-qemu-bridge-helper-reduce-security-.patch
+  -> 0054-qemu-bridge-helper-reduce-security-.patch
+  0076-xen-use-a-common-function-for-pv-an.patch
+  -> 0055-xen-use-a-common-function-for-pv-an.patch
+
 -------------------------------------------------------------------
 Wed Aug  3 21:36:14 UTC 2016 - brogers@suse.com

--- a/qemu-testsuite.spec
+++ b/qemu-testsuite.spec
@ -71,10 +71,10 @@ Url:            http://www.qemu.org/
 Summary:        Universal CPU emulator
 License:        BSD-3-Clause and GPL-2.0 and GPL-2.0+ and LGPL-2.1+ and MIT
 Group:          System/Emulators/PC
-Version:        2.6.0
+Version:        2.6.1
 Release:        0
-Source:         http://wiki.qemu.org/download/qemu-2.6.0.tar.bz2
-Source99:       http://wiki.qemu.org/download/qemu-2.6.0.tar.bz2.sig
+Source:         http://wiki.qemu.org/download/qemu-2.6.1.tar.bz2
+Source99:       http://wiki.qemu.org/download/qemu-2.6.1.tar.bz2.sig
 Source1:        80-kvm.rules
 Source2:        qemu-ifup
 Source3:        kvm_stat
@ -127,42 +127,21 @@ Patch0037:      0037-dictzip-Fix-on-big-endian-systems.patch
 Patch0038:      0038-block-split-large-discard-requests-.patch
 Patch0039:      0039-xen_disk-Add-suse-specific-flush-di.patch
 Patch0040:      0040-build-link-with-libatomic-on-powerp.patch
-Patch0041:      0041-net-mipsnet-check-packet-length-aga.patch
-Patch0042:      0042-i386-kvmvapic-initialise-imm32-vari.patch
-Patch0043:      0043-esp-check-command-buffer-length-bef.patch
-Patch0044:      0044-esp-check-dma-length-before-reading.patch
-Patch0045:      0045-scsi-pvscsi-check-command-descripto.patch
-Patch0046:      0046-scsi-mptsas-infinite-loop-while-fet.patch
-Patch0047:      0047-vga-add-sr_vbe-register-set.patch
-Patch0048:      0048-scsi-megasas-use-appropriate-proper.patch
-Patch0049:      0049-scsi-megasas-check-read_queue_head-.patch
-Patch0050:      0050-scsi-megasas-null-terminate-bios-ve.patch
-Patch0051:      0051-vmsvga-move-fifo-sanity-checks-to-v.patch
-Patch0052:      0052-vmsvga-don-t-process-more-than-1024.patch
-Patch0053:      0053-block-iscsi-avoid-potential-overflo.patch
-Patch0054:      0054-scsi-esp-check-TI-buffer-index-befo.patch
-Patch0055:      0055-xen-introduce-dummy-system-device.patch
-Patch0056:      0056-xen-write-information-about-support.patch
-Patch0057:      0057-xen-add-pvUSB-backend.patch
-Patch0058:      0058-xen-move-xen_sysdev-to-xen_backend..patch
-Patch0059:      0059-vnc-add-configurable-keyboard-delay.patch
-Patch0060:      0060-scsi-megasas-initialise-local-confi.patch
-Patch0061:      0061-configure-add-echo_version-helper.patch
-Patch0062:      0062-configure-support-vte-2.91.patch
-Patch0063:      0063-hw-arm-virt-mark-the-PCIe-host-cont.patch
-Patch0064:      0064-xen-SUSE-xenlinux-unplug-for-emulat.patch
-Patch0065:      0065-scsi-esp-check-buffer-length-before.patch
-Patch0066:      0066-scsi-esp-respect-FIFO-invariant-aft.patch
-Patch0067:      0067-pci-assign-Move-Invalid-ROM-error-m.patch
-Patch0068:      0068-Xen-PCI-passthrough-fix-passthrough.patch
-Patch0069:      0069-scsi-esp-make-cmdbuf-big-enough-for.patch
-Patch0070:      0070-scsi-esp-fix-migration.patch
-Patch0071:      0071-virtio-error-out-if-guest-exceeds-v.patch
-Patch0072:      0072-xen-when-removing-a-backend-don-t-r.patch
-Patch0073:      0073-xen-drain-submit-queue-in-xen-usb-b.patch
-Patch0074:      0074-qcow2-avoid-extra-flushes-in-qcow2.patch
-Patch0075:      0075-qemu-bridge-helper-reduce-security-.patch
-Patch0076:      0076-xen-use-a-common-function-for-pv-an.patch
+Patch0041:      0041-xen-introduce-dummy-system-device.patch
+Patch0042:      0042-xen-write-information-about-support.patch
+Patch0043:      0043-xen-add-pvUSB-backend.patch
+Patch0044:      0044-xen-move-xen_sysdev-to-xen_backend..patch
+Patch0045:      0045-vnc-add-configurable-keyboard-delay.patch
+Patch0046:      0046-configure-add-echo_version-helper.patch
+Patch0047:      0047-configure-support-vte-2.91.patch
+Patch0048:      0048-hw-arm-virt-mark-the-PCIe-host-cont.patch
+Patch0049:      0049-xen-SUSE-xenlinux-unplug-for-emulat.patch
+Patch0050:      0050-scsi-esp-fix-migration.patch
+Patch0051:      0051-xen-when-removing-a-backend-don-t-r.patch
+Patch0052:      0052-xen-drain-submit-queue-in-xen-usb-b.patch
+Patch0053:      0053-qcow2-avoid-extra-flushes-in-qcow2.patch
+Patch0054:      0054-qemu-bridge-helper-reduce-security-.patch
+Patch0055:      0055-xen-use-a-common-function-for-pv-an.patch
 # Please do not add QEMU patches manually here.
 # Run update_git.sh to regenerate this queue.

@ -742,7 +721,7 @@ This package provides a service file for starting and stopping KSM.
 %endif # !qemu-testsuite

 %prep
-%setup -q -n qemu-2.6.0
+%setup -q -n qemu-2.6.1
 %patch0001 -p1
 %patch0002 -p1
 %patch0003 -p1
@ -798,27 +777,6 @@ This package provides a service file for starting and stopping KSM.
 %patch0053 -p1
 %patch0054 -p1
 %patch0055 -p1
-%patch0056 -p1
-%patch0057 -p1
-%patch0058 -p1
-%patch0059 -p1
-%patch0060 -p1
-%patch0061 -p1
-%patch0062 -p1
-%patch0063 -p1
-%patch0064 -p1
-%patch0065 -p1
-%patch0066 -p1
-%patch0067 -p1
-%patch0068 -p1
-%patch0069 -p1
-%patch0070 -p1
-%patch0071 -p1
-%patch0072 -p1
-%patch0073 -p1
-%patch0074 -p1
-%patch0075 -p1
-%patch0076 -p1

 %if %{build_x86_fw_from_source}
 pushd roms/seabios
--- a/qemu.changes
+++ b/qemu.changes
@ -1,3 +1,62 @@
+-------------------------------------------------------------------
+Wed Aug 17 20:25:13 UTC 2016 - brogers@suse.com
+
+- Update to v2.6.1 a stable, bug-fix-only release (fate#316228)
+- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.6
+* Patches dropped (upstreamed):
+  0041-net-mipsnet-check-packet-length-aga.patch
+  0042-i386-kvmvapic-initialise-imm32-vari.patch
+  0043-esp-check-command-buffer-length-bef.patch
+  0044-esp-check-dma-length-before-reading.patch
+  0045-scsi-pvscsi-check-command-descripto.patch
+  0046-scsi-mptsas-infinite-loop-while-fet.patch
+  0047-vga-add-sr_vbe-register-set.patch
+  0048-scsi-megasas-use-appropriate-proper.patch
+  0049-scsi-megasas-check-read_queue_head-.patch
+  0050-scsi-megasas-null-terminate-bios-ve.patch
+  0051-vmsvga-move-fifo-sanity-checks-to-v.patch
+  0052-vmsvga-don-t-process-more-than-1024.patch
+  0053-block-iscsi-avoid-potential-overflo.patch
+  0054-scsi-esp-check-TI-buffer-index-befo.patch
+  0060-scsi-megasas-initialise-local-confi.patch
+  0065-scsi-esp-check-buffer-length-before.patch
+  0066-scsi-esp-respect-FIFO-invariant-aft.patch
+  0067-pci-assign-Move-Invalid-ROM-error-m.patch
+  0068-Xen-PCI-passthrough-fix-passthrough.patch
+  0069-scsi-esp-make-cmdbuf-big-enough-for.patch
+  0071-virtio-error-out-if-guest-exceeds-v.patch
+* Patches renamed:
+  0055-xen-introduce-dummy-system-device.patch
+  -> 0041-xen-introduce-dummy-system-device.patch
+  0056-xen-write-information-about-support.patch
+  -> 0042-xen-write-information-about-support.patch
+  0057-xen-add-pvUSB-backend.patch
+  -> 0043-xen-add-pvUSB-backend.patch
+  0058-xen-move-xen_sysdev-to-xen_backend..patch
+  -> 0044-xen-move-xen_sysdev-to-xen_backend..patch
+  0059-vnc-add-configurable-keyboard-delay.patch
+  -> 0045-vnc-add-configurable-keyboard-delay.patch
+  0061-configure-add-echo_version-helper.patch
+  -> 0046-configure-add-echo_version-helper.patch
+  0062-configure-support-vte-2.91.patch
+  -> 0047-configure-support-vte-2.91.patch
+  0063-hw-arm-virt-mark-the-PCIe-host-cont.patch
+  -> 0048-hw-arm-virt-mark-the-PCIe-host-cont.patch
+  0064-xen-SUSE-xenlinux-unplug-for-emulat.patch
+  -> 0049-xen-SUSE-xenlinux-unplug-for-emulat.patch
+  0070-scsi-esp-fix-migration.patch
+  -> 0050-scsi-esp-fix-migration.patch
+  0072-xen-when-removing-a-backend-don-t-r.patch
+  -> 0051-xen-when-removing-a-backend-don-t-r.patch
+  0073-xen-drain-submit-queue-in-xen-usb-b.patch
+  -> 0052-xen-drain-submit-queue-in-xen-usb-b.patch
+  0074-qcow2-avoid-extra-flushes-in-qcow2.patch
+  -> 0053-qcow2-avoid-extra-flushes-in-qcow2.patch
+  0075-qemu-bridge-helper-reduce-security-.patch
+  -> 0054-qemu-bridge-helper-reduce-security-.patch
+  0076-xen-use-a-common-function-for-pv-an.patch
+  -> 0055-xen-use-a-common-function-for-pv-an.patch
+
 -------------------------------------------------------------------
 Wed Aug  3 21:36:14 UTC 2016 - brogers@suse.com

--- a/qemu.spec
+++ b/qemu.spec
@ -71,10 +71,10 @@ Url:            http://www.qemu.org/
 Summary:        Universal CPU emulator
 License:        BSD-3-Clause and GPL-2.0 and GPL-2.0+ and LGPL-2.1+ and MIT
 Group:          System/Emulators/PC
-Version:        2.6.0
+Version:        2.6.1
 Release:        0
-Source:         http://wiki.qemu.org/download/qemu-2.6.0.tar.bz2
-Source99:       http://wiki.qemu.org/download/qemu-2.6.0.tar.bz2.sig
+Source:         http://wiki.qemu.org/download/qemu-2.6.1.tar.bz2
+Source99:       http://wiki.qemu.org/download/qemu-2.6.1.tar.bz2.sig
 Source1:        80-kvm.rules
 Source2:        qemu-ifup
 Source3:        kvm_stat
@ -127,42 +127,21 @@ Patch0037:      0037-dictzip-Fix-on-big-endian-systems.patch
 Patch0038:      0038-block-split-large-discard-requests-.patch
 Patch0039:      0039-xen_disk-Add-suse-specific-flush-di.patch
 Patch0040:      0040-build-link-with-libatomic-on-powerp.patch
-Patch0041:      0041-net-mipsnet-check-packet-length-aga.patch
-Patch0042:      0042-i386-kvmvapic-initialise-imm32-vari.patch
-Patch0043:      0043-esp-check-command-buffer-length-bef.patch
-Patch0044:      0044-esp-check-dma-length-before-reading.patch
-Patch0045:      0045-scsi-pvscsi-check-command-descripto.patch
-Patch0046:      0046-scsi-mptsas-infinite-loop-while-fet.patch
-Patch0047:      0047-vga-add-sr_vbe-register-set.patch
-Patch0048:      0048-scsi-megasas-use-appropriate-proper.patch
-Patch0049:      0049-scsi-megasas-check-read_queue_head-.patch
-Patch0050:      0050-scsi-megasas-null-terminate-bios-ve.patch
-Patch0051:      0051-vmsvga-move-fifo-sanity-checks-to-v.patch
-Patch0052:      0052-vmsvga-don-t-process-more-than-1024.patch
-Patch0053:      0053-block-iscsi-avoid-potential-overflo.patch
-Patch0054:      0054-scsi-esp-check-TI-buffer-index-befo.patch
-Patch0055:      0055-xen-introduce-dummy-system-device.patch
-Patch0056:      0056-xen-write-information-about-support.patch
-Patch0057:      0057-xen-add-pvUSB-backend.patch
-Patch0058:      0058-xen-move-xen_sysdev-to-xen_backend..patch
-Patch0059:      0059-vnc-add-configurable-keyboard-delay.patch
-Patch0060:      0060-scsi-megasas-initialise-local-confi.patch
-Patch0061:      0061-configure-add-echo_version-helper.patch
-Patch0062:      0062-configure-support-vte-2.91.patch
-Patch0063:      0063-hw-arm-virt-mark-the-PCIe-host-cont.patch
-Patch0064:      0064-xen-SUSE-xenlinux-unplug-for-emulat.patch
-Patch0065:      0065-scsi-esp-check-buffer-length-before.patch
-Patch0066:      0066-scsi-esp-respect-FIFO-invariant-aft.patch
-Patch0067:      0067-pci-assign-Move-Invalid-ROM-error-m.patch
-Patch0068:      0068-Xen-PCI-passthrough-fix-passthrough.patch
-Patch0069:      0069-scsi-esp-make-cmdbuf-big-enough-for.patch
-Patch0070:      0070-scsi-esp-fix-migration.patch
-Patch0071:      0071-virtio-error-out-if-guest-exceeds-v.patch
-Patch0072:      0072-xen-when-removing-a-backend-don-t-r.patch
-Patch0073:      0073-xen-drain-submit-queue-in-xen-usb-b.patch
-Patch0074:      0074-qcow2-avoid-extra-flushes-in-qcow2.patch
-Patch0075:      0075-qemu-bridge-helper-reduce-security-.patch
-Patch0076:      0076-xen-use-a-common-function-for-pv-an.patch
+Patch0041:      0041-xen-introduce-dummy-system-device.patch
+Patch0042:      0042-xen-write-information-about-support.patch
+Patch0043:      0043-xen-add-pvUSB-backend.patch
+Patch0044:      0044-xen-move-xen_sysdev-to-xen_backend..patch
+Patch0045:      0045-vnc-add-configurable-keyboard-delay.patch
+Patch0046:      0046-configure-add-echo_version-helper.patch
+Patch0047:      0047-configure-support-vte-2.91.patch
+Patch0048:      0048-hw-arm-virt-mark-the-PCIe-host-cont.patch
+Patch0049:      0049-xen-SUSE-xenlinux-unplug-for-emulat.patch
+Patch0050:      0050-scsi-esp-fix-migration.patch
+Patch0051:      0051-xen-when-removing-a-backend-don-t-r.patch
+Patch0052:      0052-xen-drain-submit-queue-in-xen-usb-b.patch
+Patch0053:      0053-qcow2-avoid-extra-flushes-in-qcow2.patch
+Patch0054:      0054-qemu-bridge-helper-reduce-security-.patch
+Patch0055:      0055-xen-use-a-common-function-for-pv-an.patch
 # Please do not add QEMU patches manually here.
 # Run update_git.sh to regenerate this queue.

@ -742,7 +721,7 @@ This package provides a service file for starting and stopping KSM.
 %endif # !qemu-testsuite

 %prep
-%setup -q -n qemu-2.6.0
+%setup -q -n qemu-2.6.1
 %patch0001 -p1
 %patch0002 -p1
 %patch0003 -p1
@ -798,27 +777,6 @@ This package provides a service file for starting and stopping KSM.
 %patch0053 -p1
 %patch0054 -p1
 %patch0055 -p1
-%patch0056 -p1
-%patch0057 -p1
-%patch0058 -p1
-%patch0059 -p1
-%patch0060 -p1
-%patch0061 -p1
-%patch0062 -p1
-%patch0063 -p1
-%patch0064 -p1
-%patch0065 -p1
-%patch0066 -p1
-%patch0067 -p1
-%patch0068 -p1
-%patch0069 -p1
-%patch0070 -p1
-%patch0071 -p1
-%patch0072 -p1
-%patch0073 -p1
-%patch0074 -p1
-%patch0075 -p1
-%patch0076 -p1

 %if %{build_x86_fw_from_source}
 pushd roms/seabios
--- a/qemu.spec.in
+++ b/qemu.spec.in
@ -73,8 +73,8 @@ License:        BSD-3-Clause and GPL-2.0 and GPL-2.0+ and LGPL-2.1+ and MIT
 Group:          System/Emulators/PC
 QEMU_VERSION
 Release:        0
-Source:         http://wiki.qemu.org/download/qemu-2.6.0.tar.bz2
-Source99:       http://wiki.qemu.org/download/qemu-2.6.0.tar.bz2.sig
+Source:         http://wiki.qemu.org/download/qemu-2.6.1.tar.bz2
+Source99:       http://wiki.qemu.org/download/qemu-2.6.1.tar.bz2.sig
 Source1:        80-kvm.rules
 Source2:        qemu-ifup
 Source3:        kvm_stat
@ -667,7 +667,7 @@ This package provides a service file for starting and stopping KSM.
 %endif # !qemu-testsuite

 %prep
-%setup -q -n qemu-2.6.0
+%setup -q -n qemu-2.6.1
 PATCH_EXEC

 %if %{build_x86_fw_from_source}
--- a/update_git.sh
+++ b/update_git.sh
@ -14,7 +14,7 @@ set -e
 GIT_TREE=git://github.com/openSUSE/qemu.git
 GIT_LOCAL_TREE=~/git/qemu-opensuse
 GIT_BRANCH=opensuse-2.6
-GIT_UPSTREAM_TAG=v2.6.0
+GIT_UPSTREAM_TAG=v2.6.1
 GIT_DIR=/dev/shm/qemu-factory-git-dir
 CMP_DIR=/dev/shm/qemu-factory-cmp-dir