public inbox for pve-devel@lists.proxmox.com
* [pve-devel] [PATCH stable-7 qemu 1/2] update patches and submodule to QEMU stable 7.2.10
@ 2024-04-10 13:13 Fiona Ebner
  2024-04-10 13:13 ` [pve-devel] [PATCH stable-7 qemu 2/2] pick up some extra fixes from upcoming 7.2.11 Fiona Ebner
  2024-04-10 16:13 ` [pve-devel] applied-series: [PATCH stable-7 qemu 1/2] update patches and submodule to QEMU stable 7.2.10 Thomas Lamprecht
  0 siblings, 2 replies; 3+ messages in thread
From: Fiona Ebner @ 2024-04-10 13:13 UTC (permalink / raw)
  To: pve-devel

Many stable fixes came in since the last bump, a few of which were
actually already present. Notable ones not yet present include a few
guest-triggerable assert fixes, some AHCI/IDE fixes (including the fix
for bug #2784), TCG fixes for i386 and ARM, VirtIO fixes, and a fix to
avoid VNC clipboard denial-of-service.

The reentrancy patches that landed upstream/stable were a newer
version than the ones backported initially here, so it was necessary
to explicitly drop them before rebase (which then picked up the
upstream version).

There were no other conflicts.

Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
 ...d-support-for-sync-bitmap-mode-never.patch |  16 +-
 ...check-for-bitmap-mode-without-bitmap.patch |   4 +-
 .../0006-mirror-move-some-checks-to-qmp.patch |   4 +-
 ...race-with-clients-disconnecting-earl.patch |  10 +-
 ...monize-defuse-PID-file-resolve-error.patch |   4 +-
 ...s-Internal-cdbs-have-16-byte-length.patch} |   0
 ...he-bitmap-index-of-the-section-offse.patch |  44 ---
 ...al-deadlock-when-draining-during-tr.patch} |  10 +-
 ...he-iterator-variable-in-a-vmem-rdl_l.patch |  36 ---
 ...ty-bitmap-syncing-when-vIOMMU-is-ena.patch | 141 ---------
 ...pci-fix-migration-compat-for-vectors.patch |  42 ---
 ...-zeroes-with-BDRV_REQ_REGISTERED_BUF.patch |  36 ---
 ...-memory-prevent-dma-reentracy-issues.patch | 118 --------
 ...double-free-on-BUSY-or-similar-statu.patch |  32 --
 ...ing-endian-conversions-for-doorbell-.patch |  67 ----
 ...fix-field-corruption-in-type-4-table.patch |  50 ---
 ...ix-transitional-migration-compat-for.patch |  35 ---
 ...er-hpet-Fix-expiration-time-overflow.patch |  80 -----
 ...vdpa-stop-all-svq-on-device-deletion.patch |  71 -----
 ...tential-use-of-an-uninitialized-vari.patch | 132 --------
 ...ket-set-s-listener-NULL-in-char_sock.patch |  70 -----
 ...il-MAP-notifier-without-caching-mode.patch |  41 ---
 ...-fail-DEVIOTLB_UNMAP-without-dt-mode.patch |  50 ---
 ...isabling-re-entrancy-checking-per-MR.patch |  38 ---
 ...le-reentrancy-detection-for-script-R.patch |  33 --
 ...uest-visible-maximum-access-size-to-.patch | 166 ----------
 ...Introduce-and-use-reg_t-consistently.patch | 286 ------------------
 ...25-target-i386-Fix-BEXTR-instruction.patch |  97 ------
 ...i386-Fix-C-flag-for-BLSI-BLSMSK-BLSR.patch |  47 ---
 ...arget-i386-fix-ADOX-followed-by-ADCX.patch | 192 ------------
 ...028-target-i386-Fix-BZHI-instruction.patch |  64 ----
 ...djust-network-script-path-to-etc-kvm.patch |   4 +-
 ...he-CPU-model-to-kvm64-32-instead-of-.patch |   2 +-
 .../0007-PVE-Up-qmp-add-get_link_status.patch |   4 +-
 ...return-success-on-info-without-snaps.patch |   2 +-
 ...dd-add-osize-and-read-from-to-stdin-.patch |  12 +-
 ...E-Up-qemu-img-dd-add-isize-parameter.patch |  14 +-
 ...PVE-Up-qemu-img-dd-add-n-skip_create.patch |  10 +-
 ...virtio-balloon-improve-query-balloon.patch |   2 +-
 ...async-for-background-state-snapshots.patch |  10 +-
 ...-Add-dummy-id-command-line-parameter.patch |  10 +-
 ...3-PVE-monitor-disable-oob-capability.patch |   4 +-
 ...sed-balloon-qemu-4-0-config-size-fal.patch |   4 +-
 ...E-Allow-version-code-in-machine-type.patch |  12 +-
 ...VE-Backup-add-vma-backup-format-code.patch |   4 +-
 ...ckup-proxmox-backup-patches-for-qemu.patch |   8 +-
 ...estore-new-command-to-restore-from-p.patch |   4 +-
 ...irty-bitmap-tracking-for-incremental.patch |   6 +-
 .../pve/0032-PVE-various-PBS-fixes.patch      |   6 +-
 ...k-driver-to-map-backup-archives-into.patch |   6 +-
 ...dd-query_proxmox_support-QMP-command.patch |   2 +-
 ...E-add-query-pbs-bitmap-info-QMP-call.patch |   2 +-
 ...ct-stderr-to-journal-when-daemonized.patch |   4 +-
 ...-transaction-to-synchronize-job-stat.patch |   2 +-
 ...-block-on-finishing-and-cleanup-crea.patch |   2 +-
 ...igrate-dirty-bitmap-state-via-savevm.patch |   4 +-
 ...all-back-to-open-iscsi-initiatorname.patch |   4 +-
 ...routine-QMP-for-backup-cancel_backup.patch |   6 +-
 .../pve/0044-PBS-add-master-key-support.patch |   6 +-
 ...accept-NULL-qiov-in-bdrv_pad_request.patch |   2 +-
 ...-add-l-option-for-loading-a-snapshot.patch |  14 +-
 .../pve/0052-pbs-namespace-support.patch      |   6 +-
 ...e-jobs-correctly-cancel-in-error-sce.patch |   2 +-
 ...nsure-jobs-in-di_list-are-referenced.patch |   2 +-
 ...d-segfault-issues-upon-backup-cancel.patch |   2 +-
 ...-passing-max-workers-performance-set.patch |   6 +-
 debian/patches/series                         |  28 +-
 qemu                                          |   2 +-
 68 files changed, 122 insertions(+), 2114 deletions(-)
 rename debian/patches/extra/{0010-scsi-megasas-Internal-cdbs-have-16-byte-length.patch => 0003-scsi-megasas-Internal-cdbs-have-16-byte-length.patch} (100%)
 delete mode 100644 debian/patches/extra/0003-virtio-mem-Fix-the-bitmap-index-of-the-section-offse.patch
 rename debian/patches/extra/{0011-ide-avoid-potential-deadlock-when-draining-during-tr.patch => 0004-ide-avoid-potential-deadlock-when-draining-during-tr.patch} (93%)
 delete mode 100644 debian/patches/extra/0004-virtio-mem-Fix-the-iterator-variable-in-a-vmem-rdl_l.patch
 delete mode 100644 debian/patches/extra/0005-vhost-fix-vq-dirty-bitmap-syncing-when-vIOMMU-is-ena.patch
 delete mode 100644 debian/patches/extra/0006-virtio-rng-pci-fix-migration-compat-for-vectors.patch
 delete mode 100644 debian/patches/extra/0007-block-fix-detect-zeroes-with-BDRV_REQ_REGISTERED_BUF.patch
 delete mode 100644 debian/patches/extra/0008-memory-prevent-dma-reentracy-issues.patch
 delete mode 100644 debian/patches/extra/0009-block-iscsi-fix-double-free-on-BUSY-or-similar-statu.patch
 delete mode 100644 debian/patches/extra/0012-hw-nvme-fix-missing-endian-conversions-for-doorbell-.patch
 delete mode 100644 debian/patches/extra/0013-hw-smbios-fix-field-corruption-in-type-4-table.patch
 delete mode 100644 debian/patches/extra/0014-virtio-rng-pci-fix-transitional-migration-compat-for.patch
 delete mode 100644 debian/patches/extra/0015-hw-timer-hpet-Fix-expiration-time-overflow.patch
 delete mode 100644 debian/patches/extra/0016-vdpa-stop-all-svq-on-device-deletion.patch
 delete mode 100644 debian/patches/extra/0017-vhost-avoid-a-potential-use-of-an-uninitialized-vari.patch
 delete mode 100644 debian/patches/extra/0018-chardev-char-socket-set-s-listener-NULL-in-char_sock.patch
 delete mode 100644 debian/patches/extra/0019-intel-iommu-fail-MAP-notifier-without-caching-mode.patch
 delete mode 100644 debian/patches/extra/0020-intel-iommu-fail-DEVIOTLB_UNMAP-without-dt-mode.patch
 delete mode 100644 debian/patches/extra/0021-memory-Allow-disabling-re-entrancy-checking-per-MR.patch
 delete mode 100644 debian/patches/extra/0022-lsi53c895a-disable-reentrancy-detection-for-script-R.patch
 delete mode 100644 debian/patches/extra/0023-acpi-cpuhp-fix-guest-visible-maximum-access-size-to-.patch
 delete mode 100644 debian/patches/extra/0024-tests-tcg-i386-Introduce-and-use-reg_t-consistently.patch
 delete mode 100644 debian/patches/extra/0025-target-i386-Fix-BEXTR-instruction.patch
 delete mode 100644 debian/patches/extra/0026-target-i386-Fix-C-flag-for-BLSI-BLSMSK-BLSR.patch
 delete mode 100644 debian/patches/extra/0027-target-i386-fix-ADOX-followed-by-ADCX.patch
 delete mode 100644 debian/patches/extra/0028-target-i386-Fix-BZHI-instruction.patch

diff --git a/debian/patches/bitmap-mirror/0001-drive-mirror-add-support-for-sync-bitmap-mode-never.patch b/debian/patches/bitmap-mirror/0001-drive-mirror-add-support-for-sync-bitmap-mode-never.patch
index fcc2353..2f6a013 100644
--- a/debian/patches/bitmap-mirror/0001-drive-mirror-add-support-for-sync-bitmap-mode-never.patch
+++ b/debian/patches/bitmap-mirror/0001-drive-mirror-add-support-for-sync-bitmap-mode-never.patch
@@ -252,10 +252,10 @@ index 251adc5ae0..8ead5f77a0 100644
                       errp);
      if (!job) {
 diff --git a/blockdev.c b/blockdev.c
-index 3f1dec6242..2ee30323cb 100644
+index ae27a41efa..a0c7e0c13b 100644
 --- a/blockdev.c
 +++ b/blockdev.c
-@@ -2946,6 +2946,10 @@ static void blockdev_mirror_common(const char *job_id, BlockDriverState *bs,
+@@ -2956,6 +2956,10 @@ static void blockdev_mirror_common(const char *job_id, BlockDriverState *bs,
                                     BlockDriverState *target,
                                     bool has_replaces, const char *replaces,
                                     enum MirrorSyncMode sync,
@@ -266,7 +266,7 @@ index 3f1dec6242..2ee30323cb 100644
                                     BlockMirrorBackingMode backing_mode,
                                     bool zero_target,
                                     bool has_speed, int64_t speed,
-@@ -2965,6 +2969,7 @@ static void blockdev_mirror_common(const char *job_id, BlockDriverState *bs,
+@@ -2975,6 +2979,7 @@ static void blockdev_mirror_common(const char *job_id, BlockDriverState *bs,
  {
      BlockDriverState *unfiltered_bs;
      int job_flags = JOB_DEFAULT;
@@ -274,7 +274,7 @@ index 3f1dec6242..2ee30323cb 100644
  
      if (!has_speed) {
          speed = 0;
-@@ -3019,6 +3024,29 @@ static void blockdev_mirror_common(const char *job_id, BlockDriverState *bs,
+@@ -3029,6 +3034,29 @@ static void blockdev_mirror_common(const char *job_id, BlockDriverState *bs,
          sync = MIRROR_SYNC_MODE_FULL;
      }
  
@@ -304,7 +304,7 @@ index 3f1dec6242..2ee30323cb 100644
      if (!has_replaces) {
          /* We want to mirror from @bs, but keep implicit filters on top */
          unfiltered_bs = bdrv_skip_implicit_filters(bs);
-@@ -3065,8 +3093,8 @@ static void blockdev_mirror_common(const char *job_id, BlockDriverState *bs,
+@@ -3075,8 +3103,8 @@ static void blockdev_mirror_common(const char *job_id, BlockDriverState *bs,
       * and will allow to check whether the node still exist at mirror completion
       */
      mirror_start(job_id, bs, target,
@@ -315,7 +315,7 @@ index 3f1dec6242..2ee30323cb 100644
                   on_source_error, on_target_error, unmap, filter_node_name,
                   copy_mode, errp);
  }
-@@ -3211,6 +3239,8 @@ void qmp_drive_mirror(DriveMirror *arg, Error **errp)
+@@ -3221,6 +3249,8 @@ void qmp_drive_mirror(DriveMirror *arg, Error **errp)
  
      blockdev_mirror_common(arg->has_job_id ? arg->job_id : NULL, bs, target_bs,
                             arg->has_replaces, arg->replaces, arg->sync,
@@ -324,7 +324,7 @@ index 3f1dec6242..2ee30323cb 100644
                             backing_mode, zero_target,
                             arg->has_speed, arg->speed,
                             arg->has_granularity, arg->granularity,
-@@ -3232,6 +3262,8 @@ void qmp_blockdev_mirror(bool has_job_id, const char *job_id,
+@@ -3242,6 +3272,8 @@ void qmp_blockdev_mirror(bool has_job_id, const char *job_id,
                           const char *device, const char *target,
                           bool has_replaces, const char *replaces,
                           MirrorSyncMode sync,
@@ -333,7 +333,7 @@ index 3f1dec6242..2ee30323cb 100644
                           bool has_speed, int64_t speed,
                           bool has_granularity, uint32_t granularity,
                           bool has_buf_size, int64_t buf_size,
-@@ -3281,7 +3313,8 @@ void qmp_blockdev_mirror(bool has_job_id, const char *job_id,
+@@ -3291,7 +3323,8 @@ void qmp_blockdev_mirror(bool has_job_id, const char *job_id,
      }
  
      blockdev_mirror_common(has_job_id ? job_id : NULL, bs, target_bs,
diff --git a/debian/patches/bitmap-mirror/0003-mirror-add-check-for-bitmap-mode-without-bitmap.patch b/debian/patches/bitmap-mirror/0003-mirror-add-check-for-bitmap-mode-without-bitmap.patch
index c6a0710..fed0702 100644
--- a/debian/patches/bitmap-mirror/0003-mirror-add-check-for-bitmap-mode-without-bitmap.patch
+++ b/debian/patches/bitmap-mirror/0003-mirror-add-check-for-bitmap-mode-without-bitmap.patch
@@ -16,10 +16,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  1 file changed, 3 insertions(+)
 
 diff --git a/blockdev.c b/blockdev.c
-index 2ee30323cb..dd1c2cdef7 100644
+index a0c7e0c13b..98b9dff154 100644
 --- a/blockdev.c
 +++ b/blockdev.c
-@@ -3045,6 +3045,9 @@ static void blockdev_mirror_common(const char *job_id, BlockDriverState *bs,
+@@ -3055,6 +3055,9 @@ static void blockdev_mirror_common(const char *job_id, BlockDriverState *bs,
          if (bdrv_dirty_bitmap_check(bitmap, BDRV_BITMAP_ALLOW_RO, errp)) {
              return;
          }
diff --git a/debian/patches/bitmap-mirror/0006-mirror-move-some-checks-to-qmp.patch b/debian/patches/bitmap-mirror/0006-mirror-move-some-checks-to-qmp.patch
index 4771a2d..d517204 100644
--- a/debian/patches/bitmap-mirror/0006-mirror-move-some-checks-to-qmp.patch
+++ b/debian/patches/bitmap-mirror/0006-mirror-move-some-checks-to-qmp.patch
@@ -60,10 +60,10 @@ index 4969c6833c..cf85ae1074 100644
  
          if (bitmap_mode != BITMAP_SYNC_MODE_NEVER) {
 diff --git a/blockdev.c b/blockdev.c
-index dd1c2cdef7..756e980889 100644
+index 98b9dff154..5b15a86bfa 100644
 --- a/blockdev.c
 +++ b/blockdev.c
-@@ -3024,7 +3024,36 @@ static void blockdev_mirror_common(const char *job_id, BlockDriverState *bs,
+@@ -3034,7 +3034,36 @@ static void blockdev_mirror_common(const char *job_id, BlockDriverState *bs,
          sync = MIRROR_SYNC_MODE_FULL;
      }
  
diff --git a/debian/patches/extra/0001-monitor-qmp-fix-race-with-clients-disconnecting-earl.patch b/debian/patches/extra/0001-monitor-qmp-fix-race-with-clients-disconnecting-earl.patch
index 4796631..17057f0 100644
--- a/debian/patches/extra/0001-monitor-qmp-fix-race-with-clients-disconnecting-earl.patch
+++ b/debian/patches/extra/0001-monitor-qmp-fix-race-with-clients-disconnecting-earl.patch
@@ -104,7 +104,7 @@ index 86949024f6..c306cadcf4 100644
   * Is @mon is using readline?
   * Note: not all HMP monitors use readline, e.g., gdbserver has a
 diff --git a/monitor/qmp.c b/monitor/qmp.c
-index 092c527b6f..6b8cfcf6d8 100644
+index acd0a350c2..cc1407e4ac 100644
 --- a/monitor/qmp.c
 +++ b/monitor/qmp.c
 @@ -141,6 +141,8 @@ static void monitor_qmp_dispatch(MonitorQMP *mon, QObject *req)
@@ -135,7 +135,7 @@ index 092c527b6f..6b8cfcf6d8 100644
      qobject_unref(rsp);
  }
  
-@@ -444,6 +456,7 @@ static void monitor_qmp_event(void *opaque, QEMUChrEvent event)
+@@ -427,6 +439,7 @@ static void monitor_qmp_event(void *opaque, QEMUChrEvent event)
  
      switch (event) {
      case CHR_EVENT_OPENED:
@@ -144,7 +144,7 @@ index 092c527b6f..6b8cfcf6d8 100644
          monitor_qmp_caps_reset(mon);
          data = qmp_greeting(mon);
 diff --git a/qapi/qmp-dispatch.c b/qapi/qmp-dispatch.c
-index 0990873ec8..e605003771 100644
+index 5d000fae87..404d428824 100644
 --- a/qapi/qmp-dispatch.c
 +++ b/qapi/qmp-dispatch.c
 @@ -117,16 +117,28 @@ typedef struct QmpDispatchBH {
@@ -180,13 +180,13 @@ index 0990873ec8..e605003771 100644
      aio_co_wake(data->co);
  }
  
-@@ -231,6 +243,7 @@ QDict *qmp_dispatch(const QmpCommandList *cmds, QObject *request,
+@@ -253,6 +265,7 @@ QDict *qmp_dispatch(const QmpCommandList *cmds, QObject *request,
              .ret        = &ret,
              .errp       = &err,
              .co         = qemu_coroutine_self(),
 +            .conn_nr    = monitor_get_connection_nr(cur_mon),
          };
-         aio_bh_schedule_oneshot(qemu_get_aio_context(), do_qmp_dispatch_bh,
+         aio_bh_schedule_oneshot(iohandler_get_aio_context(), do_qmp_dispatch_bh,
                                  &data);
 diff --git a/stubs/monitor-core.c b/stubs/monitor-core.c
 index afa477aae6..d3ff124bf3 100644
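Review bot: In the qapi/qmp-dispatch.c part of this hunk, the context line after the added `.conn_nr` field changes from `aio_bh_schedule_oneshot(qemu_get_aio_context(), do_qmp_dispatch_bh,` to `aio_bh_schedule_oneshot(iohandler_get_aio_context(), do_qmp_dispatch_bh,`, so the bottom half that this downstream race fix extends is now scheduled on a different AioContext than when the patch was written. The rebase applying cleanly does not show that the fix for clients disconnecting early still holds there; please note in the commit message that this patch was re-checked against the new scheduling context, or add a sentence to the patch's own description.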
diff --git a/debian/patches/extra/0002-init-daemonize-defuse-PID-file-resolve-error.patch b/debian/patches/extra/0002-init-daemonize-defuse-PID-file-resolve-error.patch
index 155d065..ed4fd7c 100644
--- a/debian/patches/extra/0002-init-daemonize-defuse-PID-file-resolve-error.patch
+++ b/debian/patches/extra/0002-init-daemonize-defuse-PID-file-resolve-error.patch
@@ -21,10 +21,10 @@ Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
  1 file changed, 5 insertions(+), 4 deletions(-)
 
 diff --git a/softmmu/vl.c b/softmmu/vl.c
-index 5115221efe..5f7f6ca981 100644
+index 38d76d6e51..7aa3eb5cf9 100644
 --- a/softmmu/vl.c
 +++ b/softmmu/vl.c
-@@ -2460,10 +2460,11 @@ static void qemu_maybe_daemonize(const char *pid_file)
+@@ -2468,10 +2468,11 @@ static void qemu_maybe_daemonize(const char *pid_file)
  
          pid_file_realpath = g_malloc0(PATH_MAX);
          if (!realpath(pid_file, pid_file_realpath)) {
diff --git a/debian/patches/extra/0010-scsi-megasas-Internal-cdbs-have-16-byte-length.patch b/debian/patches/extra/0003-scsi-megasas-Internal-cdbs-have-16-byte-length.patch
similarity index 100%
rename from debian/patches/extra/0010-scsi-megasas-Internal-cdbs-have-16-byte-length.patch
rename to debian/patches/extra/0003-scsi-megasas-Internal-cdbs-have-16-byte-length.patch
diff --git a/debian/patches/extra/0003-virtio-mem-Fix-the-bitmap-index-of-the-section-offse.patch b/debian/patches/extra/0003-virtio-mem-Fix-the-bitmap-index-of-the-section-offse.patch
deleted file mode 100644
index b54c0cc..0000000
--- a/debian/patches/extra/0003-virtio-mem-Fix-the-bitmap-index-of-the-section-offse.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Chenyi Qiang <chenyi.qiang@intel.com>
-Date: Fri, 16 Dec 2022 14:22:31 +0800
-Subject: [PATCH] virtio-mem: Fix the bitmap index of the section offset
-
-vmem->bitmap indexes the memory region of the virtio-mem backend at a
-granularity of block_size. To calculate the index of target section offset,
-the block_size should be divided instead of the bitmap_size.
-
-Fixes: 2044969f0b ("virtio-mem: Implement RamDiscardManager interface")
-Signed-off-by: Chenyi Qiang <chenyi.qiang@intel.com>
-Message-Id: <20221216062231.11181-1-chenyi.qiang@intel.com>
-Reviewed-by: David Hildenbrand <david@redhat.com>
-Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
-Cc: qemu-stable@nongnu.org
-Signed-off-by: David Hildenbrand <david@redhat.com>
-(cherry-picked from commit b11cf32e07a2f7ff0d171b89497381a04c9d07e0)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- hw/virtio/virtio-mem.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/hw/virtio/virtio-mem.c b/hw/virtio/virtio-mem.c
-index ed170def48..e19ee817fe 100644
---- a/hw/virtio/virtio-mem.c
-+++ b/hw/virtio/virtio-mem.c
-@@ -235,7 +235,7 @@ static int virtio_mem_for_each_plugged_section(const VirtIOMEM *vmem,
-     uint64_t offset, size;
-     int ret = 0;
- 
--    first_bit = s->offset_within_region / vmem->bitmap_size;
-+    first_bit = s->offset_within_region / vmem->block_size;
-     first_bit = find_next_bit(vmem->bitmap, vmem->bitmap_size, first_bit);
-     while (first_bit < vmem->bitmap_size) {
-         MemoryRegionSection tmp = *s;
-@@ -267,7 +267,7 @@ static int virtio_mem_for_each_unplugged_section(const VirtIOMEM *vmem,
-     uint64_t offset, size;
-     int ret = 0;
- 
--    first_bit = s->offset_within_region / vmem->bitmap_size;
-+    first_bit = s->offset_within_region / vmem->block_size;
-     first_bit = find_next_zero_bit(vmem->bitmap, vmem->bitmap_size, first_bit);
-     while (first_bit < vmem->bitmap_size) {
-         MemoryRegionSection tmp = *s;
diff --git a/debian/patches/extra/0011-ide-avoid-potential-deadlock-when-draining-during-tr.patch b/debian/patches/extra/0004-ide-avoid-potential-deadlock-when-draining-during-tr.patch
similarity index 93%
rename from debian/patches/extra/0011-ide-avoid-potential-deadlock-when-draining-during-tr.patch
rename to debian/patches/extra/0004-ide-avoid-potential-deadlock-when-draining-during-tr.patch
index 8ce9c79..4f93a0b 100644
--- a/debian/patches/extra/0011-ide-avoid-potential-deadlock-when-draining-during-tr.patch
+++ b/debian/patches/extra/0004-ide-avoid-potential-deadlock-when-draining-during-tr.patch
@@ -55,7 +55,7 @@ Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
  1 file changed, 6 insertions(+), 6 deletions(-)
 
 diff --git a/hw/ide/core.c b/hw/ide/core.c
-index 39afdc0006..b67c1885a8 100644
+index 3e97d665d9..a0f6801bce 100644
 --- a/hw/ide/core.c
 +++ b/hw/ide/core.c
 @@ -443,7 +443,7 @@ static void ide_trim_bh_cb(void *opaque)
@@ -76,8 +76,8 @@ index 39afdc0006..b67c1885a8 100644
          replay_bh_schedule_event(iocb->bh);
      }
  }
-@@ -514,9 +516,6 @@ BlockAIOCB *ide_issue_trim(
-     IDEState *s = opaque;
+@@ -515,9 +517,6 @@ BlockAIOCB *ide_issue_trim(
+     IDEDevice *dev = s->unit ? s->bus->slave : s->bus->master;
      TrimAIOCB *iocb;
  
 -    /* Paired with a decrement in ide_trim_bh_cb() */
@@ -85,8 +85,8 @@ index 39afdc0006..b67c1885a8 100644
 -
      iocb = blk_aio_get(&trim_aiocb_info, s->blk, cb, cb_opaque);
      iocb->s = s;
-     iocb->bh = qemu_bh_new(ide_trim_bh_cb, iocb);
-@@ -739,8 +738,9 @@ void ide_cancel_dma_sync(IDEState *s)
+     iocb->bh = qemu_bh_new_guarded(ide_trim_bh_cb, iocb,
+@@ -741,8 +740,9 @@ void ide_cancel_dma_sync(IDEState *s)
       */
      if (s->bus->dma->aiocb) {
          trace_ide_cancel_dma_sync_remaining();
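Review bot: The context around the removed in-flight comment in ide_issue_trim() is no longer the code this patch was written against: `IDEState *s = opaque;` became `IDEDevice *dev = s->unit ? s->bus->slave : s->bus->master;` and `qemu_bh_new(ide_trim_bh_cb, iocb);` became `qemu_bh_new_guarded(ide_trim_bh_cb, iocb,`. Because the file is recorded as a 93% rename, this is easy to miss; the cover text says there were no other conflicts, but it would help to state that the deadlock fix was re-tested with the guarded bottom half, since that is the reentrancy code the commit message says changed version upstream.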
diff --git a/debian/patches/extra/0004-virtio-mem-Fix-the-iterator-variable-in-a-vmem-rdl_l.patch b/debian/patches/extra/0004-virtio-mem-Fix-the-iterator-variable-in-a-vmem-rdl_l.patch
deleted file mode 100644
index c303094..0000000
--- a/debian/patches/extra/0004-virtio-mem-Fix-the-iterator-variable-in-a-vmem-rdl_l.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Chenyi Qiang <chenyi.qiang@intel.com>
-Date: Wed, 28 Dec 2022 17:03:12 +0800
-Subject: [PATCH] virtio-mem: Fix the iterator variable in a vmem->rdl_list
- loop
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-It should be the variable rdl2 to revert the already-notified listeners.
-
-Fixes: 2044969f0b ("virtio-mem: Implement RamDiscardManager interface")
-Signed-off-by: Chenyi Qiang <chenyi.qiang@intel.com>
-Message-Id: <20221228090312.17276-1-chenyi.qiang@intel.com>
-Cc: qemu-stable@nongnu.org
-Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
-Signed-off-by: David Hildenbrand <david@redhat.com>
-(cherry-picked from commit 29f1b328e3b767cba2661920a8470738469b9e36)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- hw/virtio/virtio-mem.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/virtio/virtio-mem.c b/hw/virtio/virtio-mem.c
-index e19ee817fe..56db586c89 100644
---- a/hw/virtio/virtio-mem.c
-+++ b/hw/virtio/virtio-mem.c
-@@ -341,7 +341,7 @@ static int virtio_mem_notify_plug(VirtIOMEM *vmem, uint64_t offset,
-     if (ret) {
-         /* Notify all already-notified listeners. */
-         QLIST_FOREACH(rdl2, &vmem->rdl_list, next) {
--            MemoryRegionSection tmp = *rdl->section;
-+            MemoryRegionSection tmp = *rdl2->section;
- 
-             if (rdl2 == rdl) {
-                 break;
diff --git a/debian/patches/extra/0005-vhost-fix-vq-dirty-bitmap-syncing-when-vIOMMU-is-ena.patch b/debian/patches/extra/0005-vhost-fix-vq-dirty-bitmap-syncing-when-vIOMMU-is-ena.patch
deleted file mode 100644
index b72b3da..0000000
--- a/debian/patches/extra/0005-vhost-fix-vq-dirty-bitmap-syncing-when-vIOMMU-is-ena.patch
+++ /dev/null
@@ -1,141 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Jason Wang <jasowang@redhat.com>
-Date: Fri, 16 Dec 2022 11:35:52 +0800
-Subject: [PATCH] vhost: fix vq dirty bitmap syncing when vIOMMU is enabled
-
-When vIOMMU is enabled, the vq->used_phys is actually the IOVA not
-GPA. So we need to translate it to GPA before the syncing otherwise we
-may hit the following crash since IOVA could be out of the scope of
-the GPA log size. This could be noted when using virtio-IOMMU with
-vhost using 1G memory.
-
-Fixes: c471ad0e9bd46 ("vhost_net: device IOTLB support")
-Cc: qemu-stable@nongnu.org
-Tested-by: Lei Yang <leiyang@redhat.com>
-Reported-by: Yalan Zhang <yalzhang@redhat.com>
-Signed-off-by: Jason Wang <jasowang@redhat.com>
-Message-Id: <20221216033552.77087-1-jasowang@redhat.com>
-Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-(cherry-picked from commit 345cc1cbcbce2bab00abc2b88338d7d89c702d6b)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- hw/virtio/vhost.c | 84 ++++++++++++++++++++++++++++++++++++-----------
- 1 file changed, 64 insertions(+), 20 deletions(-)
-
-diff --git a/hw/virtio/vhost.c b/hw/virtio/vhost.c
-index 7fb008bc9e..fdcd1a8fdf 100644
---- a/hw/virtio/vhost.c
-+++ b/hw/virtio/vhost.c
-@@ -20,6 +20,7 @@
- #include "qemu/range.h"
- #include "qemu/error-report.h"
- #include "qemu/memfd.h"
-+#include "qemu/log.h"
- #include "standard-headers/linux/vhost_types.h"
- #include "hw/virtio/virtio-bus.h"
- #include "hw/virtio/virtio-access.h"
-@@ -106,6 +107,24 @@ static void vhost_dev_sync_region(struct vhost_dev *dev,
-     }
- }
- 
-+static bool vhost_dev_has_iommu(struct vhost_dev *dev)
-+{
-+    VirtIODevice *vdev = dev->vdev;
-+
-+    /*
-+     * For vhost, VIRTIO_F_IOMMU_PLATFORM means the backend support
-+     * incremental memory mapping API via IOTLB API. For platform that
-+     * does not have IOMMU, there's no need to enable this feature
-+     * which may cause unnecessary IOTLB miss/update transactions.
-+     */
-+    if (vdev) {
-+        return virtio_bus_device_iommu_enabled(vdev) &&
-+            virtio_host_has_feature(vdev, VIRTIO_F_IOMMU_PLATFORM);
-+    } else {
-+        return false;
-+    }
-+}
-+
- static int vhost_sync_dirty_bitmap(struct vhost_dev *dev,
-                                    MemoryRegionSection *section,
-                                    hwaddr first,
-@@ -137,8 +156,51 @@ static int vhost_sync_dirty_bitmap(struct vhost_dev *dev,
-             continue;
-         }
- 
--        vhost_dev_sync_region(dev, section, start_addr, end_addr, vq->used_phys,
--                              range_get_last(vq->used_phys, vq->used_size));
-+        if (vhost_dev_has_iommu(dev)) {
-+            IOMMUTLBEntry iotlb;
-+            hwaddr used_phys = vq->used_phys, used_size = vq->used_size;
-+            hwaddr phys, s, offset;
-+
-+            while (used_size) {
-+                rcu_read_lock();
-+                iotlb = address_space_get_iotlb_entry(dev->vdev->dma_as,
-+                                                      used_phys,
-+                                                      true,
-+                                                      MEMTXATTRS_UNSPECIFIED);
-+                rcu_read_unlock();
-+
-+                if (!iotlb.target_as) {
-+                    qemu_log_mask(LOG_GUEST_ERROR, "translation "
-+                                  "failure for used_iova %"PRIx64"\n",
-+                                  used_phys);
-+                    return -EINVAL;
-+                }
-+
-+                offset = used_phys & iotlb.addr_mask;
-+                phys = iotlb.translated_addr + offset;
-+
-+                /*
-+                 * Distance from start of used ring until last byte of
-+                 * IOMMU page.
-+                 */
-+                s = iotlb.addr_mask - offset;
-+                /*
-+                 * Size of used ring, or of the part of it until end
-+                 * of IOMMU page. To avoid zero result, do the adding
-+                 * outside of MIN().
-+                 */
-+                s = MIN(s, used_size - 1) + 1;
-+
-+                vhost_dev_sync_region(dev, section, start_addr, end_addr, phys,
-+                                      range_get_last(phys, s));
-+                used_size -= s;
-+                used_phys += s;
-+            }
-+        } else {
-+            vhost_dev_sync_region(dev, section, start_addr,
-+                                  end_addr, vq->used_phys,
-+                                  range_get_last(vq->used_phys, vq->used_size));
-+        }
-     }
-     return 0;
- }
-@@ -306,24 +368,6 @@ static inline void vhost_dev_log_resize(struct vhost_dev *dev, uint64_t size)
-     dev->log_size = size;
- }
- 
--static bool vhost_dev_has_iommu(struct vhost_dev *dev)
--{
--    VirtIODevice *vdev = dev->vdev;
--
--    /*
--     * For vhost, VIRTIO_F_IOMMU_PLATFORM means the backend support
--     * incremental memory mapping API via IOTLB API. For platform that
--     * does not have IOMMU, there's no need to enable this feature
--     * which may cause unnecessary IOTLB miss/update transactions.
--     */
--    if (vdev) {
--        return virtio_bus_device_iommu_enabled(vdev) &&
--            virtio_host_has_feature(vdev, VIRTIO_F_IOMMU_PLATFORM);
--    } else {
--        return false;
--    }
--}
--
- static void *vhost_memory_map(struct vhost_dev *dev, hwaddr addr,
-                               hwaddr *plen, bool is_write)
- {
diff --git a/debian/patches/extra/0006-virtio-rng-pci-fix-migration-compat-for-vectors.patch b/debian/patches/extra/0006-virtio-rng-pci-fix-migration-compat-for-vectors.patch
deleted file mode 100644
index 2673dd7..0000000
--- a/debian/patches/extra/0006-virtio-rng-pci-fix-migration-compat-for-vectors.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
-Date: Mon, 9 Jan 2023 10:58:09 +0000
-Subject: [PATCH] virtio-rng-pci: fix migration compat for vectors
-
-Fixup the migration compatibility for existing machine types
-so that they do not enable msi-x.
-
-Symptom:
-
-(qemu) qemu: get_pci_config_device: Bad config data: i=0x34 read: 84 device: 98 cmask: ff wmask: 0 w1cmask:0
-qemu: Failed to load PCIDevice:config
-qemu: Failed to load virtio-rng:virtio
-qemu: error while loading state for instance 0x0 of device '0000:00:03.0/virtio-rng'
-qemu: load of migration failed: Invalid argument
-
-Note: This fix will break migration from 7.2->7.2-fixed with this patch
-
-bz: https://bugzilla.redhat.com/show_bug.cgi?id=2155749
-Fixes: 9ea02e8f1 ("virtio-rng-pci: Allow setting nvectors, so we can use MSI-X")
-
-Reviewed-by: Thomas Huth <thuth@redhat.com>
-Acked-by: David Daney <david.daney@fungible.com>
-Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
-(picked-up from https://lists.nongnu.org/archive/html/qemu-devel/2023-01/msg01319.html)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- hw/core/machine.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/hw/core/machine.c b/hw/core/machine.c
-index 8d34caa31d..77a0a131d1 100644
---- a/hw/core/machine.c
-+++ b/hw/core/machine.c
-@@ -42,6 +42,7 @@
- 
- GlobalProperty hw_compat_7_1[] = {
-     { "virtio-device", "queue_reset", "false" },
-+    { "virtio-rng-pci", "vectors", "0" },
- };
- const size_t hw_compat_7_1_len = G_N_ELEMENTS(hw_compat_7_1);
- 
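Review bot: This dropped patch says in its own description "This fix will break migration from 7.2->7.2-fixed with this patch" and was picked up from a list posting rather than from a commit, so removing it is only neutral if the stable branch carries the same `{ "virtio-rng-pci", "vectors", "0" }` entry in hw_compat_7_1. Please confirm that in the commit message; a difference here would show up as the "Failed to load virtio-rng:virtio" migration error quoted above when moving guests between the previous package build and this one.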
diff --git a/debian/patches/extra/0007-block-fix-detect-zeroes-with-BDRV_REQ_REGISTERED_BUF.patch b/debian/patches/extra/0007-block-fix-detect-zeroes-with-BDRV_REQ_REGISTERED_BUF.patch
deleted file mode 100644
index 7b7ea1e..0000000
--- a/debian/patches/extra/0007-block-fix-detect-zeroes-with-BDRV_REQ_REGISTERED_BUF.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Stefan Hajnoczi <stefanha@redhat.com>
-Date: Thu, 26 Jan 2023 15:13:58 -0500
-Subject: [PATCH] block: fix detect-zeroes= with BDRV_REQ_REGISTERED_BUF
-
-When a write request is converted into a write zeroes request by the
-detect-zeroes= feature, it is no longer associated with an I/O buffer.
-The BDRV_REQ_REGISTERED_BUF flag doesn't make sense without an I/O
-buffer and must be cleared because bdrv_co_do_pwrite_zeroes() fails with
--EINVAL when it's set.
-
-Fiona Ebner <f.ebner@proxmox.com> bisected and diagnosed this QEMU 7.2
-regression where writes containing zeroes to a blockdev with
-discard=unmap,detect-zeroes=unmap fail.
-
-Buglink: https://gitlab.com/qemu-project/qemu/-/issues/1404
-Fixes: e8b6535533be ("block: add BDRV_REQ_REGISTERED_BUF request flag")
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
----
- block/io.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/block/io.c b/block/io.c
-index b9424024f9..bbaa0d1b2d 100644
---- a/block/io.c
-+++ b/block/io.c
-@@ -2087,6 +2087,9 @@ static int coroutine_fn bdrv_aligned_pwritev(BdrvChild *child,
-         if (bs->detect_zeroes == BLOCKDEV_DETECT_ZEROES_OPTIONS_UNMAP) {
-             flags |= BDRV_REQ_MAY_UNMAP;
-         }
-+
-+        /* Can't use optimization hint with bufferless zero write */
-+        flags &= ~BDRV_REQ_REGISTERED_BUF;
-     }
- 
-     if (ret < 0) {
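Review bot: this dropped file has no upstream reference at all, neither a "cherry-picked from commit" nor a "picked-up from" line, only the author's Signed-off-by, so the diff gives no way to check that 7.2.10 contains the `flags &= ~BDRV_REQ_REGISTERED_BUF;` change. Please list the matching stable commit in the commit message. The case from the dropped message, a write containing zeroes to a blockdev with discard=unmap,detect-zeroes=unmap, makes a cheap regression check after the bump.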
diff --git a/debian/patches/extra/0008-memory-prevent-dma-reentracy-issues.patch b/debian/patches/extra/0008-memory-prevent-dma-reentracy-issues.patch
deleted file mode 100644
index 4f3af9a..0000000
--- a/debian/patches/extra/0008-memory-prevent-dma-reentracy-issues.patch
+++ /dev/null
@@ -1,118 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Alexander Bulekov <alxndr@bu.edu>
-Date: Sat, 4 Feb 2023 23:07:34 -0500
-Subject: [PATCH] memory: prevent dma-reentracy issues
-
-Add a flag to the DeviceState, when a device is engaged in PIO/MMIO/DMA.
-This flag is set/checked prior to calling a device's MemoryRegion
-handlers, and set when device code initiates DMA.  The purpose of this
-flag is to prevent two types of DMA-based reentrancy issues:
-
-1.) mmio -> dma -> mmio case
-2.) bh -> dma write -> mmio case
-
-These issues have led to problems such as stack-exhaustion and
-use-after-frees.
-
-Summary of the problem from Peter Maydell:
-https://lore.kernel.org/qemu-devel/CAFEAcA_23vc7hE3iaM-JVA6W38LK4hJoWae5KcknhPRD5fPBZA@mail.gmail.com
-
-Resolves: https://gitlab.com/qemu-project/qemu/-/issues/62
-Resolves: https://gitlab.com/qemu-project/qemu/-/issues/540
-Resolves: https://gitlab.com/qemu-project/qemu/-/issues/541
-Resolves: https://gitlab.com/qemu-project/qemu/-/issues/556
-Resolves: https://gitlab.com/qemu-project/qemu/-/issues/557
-Resolves: https://gitlab.com/qemu-project/qemu/-/issues/827
-Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1282
-
-Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
-Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
-Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
-Acked-by: Peter Xu <peterx@redhat.com>
-(picked-up from https://lists.nongnu.org/archive/html/qemu-devel/2023-02/msg01142.html)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- include/hw/qdev-core.h |  7 +++++++
- softmmu/memory.c       | 17 +++++++++++++++++
- softmmu/trace-events   |  1 +
- 3 files changed, 25 insertions(+)
-
-diff --git a/include/hw/qdev-core.h b/include/hw/qdev-core.h
-index 785dd5a56e..886f6bb79e 100644
---- a/include/hw/qdev-core.h
-+++ b/include/hw/qdev-core.h
-@@ -162,6 +162,10 @@ struct NamedClockList {
-     QLIST_ENTRY(NamedClockList) node;
- };
- 
-+typedef struct {
-+    bool engaged_in_io;
-+} MemReentrancyGuard;
-+
- /**
-  * DeviceState:
-  * @realized: Indicates whether the device has been fully constructed.
-@@ -194,6 +198,9 @@ struct DeviceState {
-     int alias_required_for_version;
-     ResettableState reset;
-     GSList *unplug_blockers;
-+
-+    /* Is the device currently in mmio/pio/dma? Used to prevent re-entrancy */
-+    MemReentrancyGuard mem_reentrancy_guard;
- };
- 
- struct DeviceListener {
-diff --git a/softmmu/memory.c b/softmmu/memory.c
-index bc0be3f62c..7dcb3347aa 100644
---- a/softmmu/memory.c
-+++ b/softmmu/memory.c
-@@ -533,6 +533,7 @@ static MemTxResult access_with_adjusted_size(hwaddr addr,
-     uint64_t access_mask;
-     unsigned access_size;
-     unsigned i;
-+    DeviceState *dev = NULL;
-     MemTxResult r = MEMTX_OK;
- 
-     if (!access_size_min) {
-@@ -542,6 +543,19 @@ static MemTxResult access_with_adjusted_size(hwaddr addr,
-         access_size_max = 4;
-     }
- 
-+    /* Do not allow more than one simultanous access to a device's IO Regions */
-+    if (mr->owner &&
-+        !mr->ram_device && !mr->ram && !mr->rom_device && !mr->readonly) {
-+        dev = (DeviceState *) object_dynamic_cast(mr->owner, TYPE_DEVICE);
-+        if (dev) {
-+            if (dev->mem_reentrancy_guard.engaged_in_io) {
-+                trace_memory_region_reentrant_io(get_cpu_index(), mr, addr, size);
-+                return MEMTX_ERROR;
-+            }
-+            dev->mem_reentrancy_guard.engaged_in_io = true;
-+        }
-+    }
-+
-     /* FIXME: support unaligned access? */
-     access_size = MAX(MIN(size, access_size_max), access_size_min);
-     access_mask = MAKE_64BIT_MASK(0, access_size * 8);
-@@ -556,6 +570,9 @@ static MemTxResult access_with_adjusted_size(hwaddr addr,
-                         access_mask, attrs);
-         }
-     }
-+    if (dev) {
-+        dev->mem_reentrancy_guard.engaged_in_io = false;
-+    }
-     return r;
- }
- 
-diff --git a/softmmu/trace-events b/softmmu/trace-events
-index 22606dc27b..62d04ea9a7 100644
---- a/softmmu/trace-events
-+++ b/softmmu/trace-events
-@@ -13,6 +13,7 @@ memory_region_ops_read(int cpu_index, void *mr, uint64_t addr, uint64_t value, u
- memory_region_ops_write(int cpu_index, void *mr, uint64_t addr, uint64_t value, unsigned size, const char *name) "cpu %d mr %p addr 0x%"PRIx64" value 0x%"PRIx64" size %u name '%s'"
- memory_region_subpage_read(int cpu_index, void *mr, uint64_t offset, uint64_t value, unsigned size) "cpu %d mr %p offset 0x%"PRIx64" value 0x%"PRIx64" size %u"
- memory_region_subpage_write(int cpu_index, void *mr, uint64_t offset, uint64_t value, unsigned size) "cpu %d mr %p offset 0x%"PRIx64" value 0x%"PRIx64" size %u"
-+memory_region_reentrant_io(int cpu_index, void *mr, uint64_t offset, unsigned size) "cpu %d mr %p offset 0x%"PRIx64" size %u"
- memory_region_ram_device_read(int cpu_index, void *mr, uint64_t addr, uint64_t value, unsigned size) "cpu %d mr %p addr 0x%"PRIx64" value 0x%"PRIx64" size %u"
- memory_region_ram_device_write(int cpu_index, void *mr, uint64_t addr, uint64_t value, unsigned size) "cpu %d mr %p addr 0x%"PRIx64" value 0x%"PRIx64" size %u"
- memory_region_sync_dirty(const char *mr, const char *listener, int global) "mr '%s' listener '%s' synced (global=%d)"
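Review bot: the commit message says the upstream reentrancy patches are a newer version than this backport, but not how they differ. The version dropped here guards, in access_with_adjusted_size(), every MemoryRegion whose owner is a device (ram, ram_device, rom_device and readonly regions excluded) and fails a nested access with MEMTX_ERROR. If the stable version draws that line differently, guests can see different I/O behaviour after the update. Please reference the stable commits that replace this file and note any behavioural difference for existing guests.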
diff --git a/debian/patches/extra/0009-block-iscsi-fix-double-free-on-BUSY-or-similar-statu.patch b/debian/patches/extra/0009-block-iscsi-fix-double-free-on-BUSY-or-similar-statu.patch
deleted file mode 100644
index fe57e02..0000000
--- a/debian/patches/extra/0009-block-iscsi-fix-double-free-on-BUSY-or-similar-statu.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Tue, 10 Jan 2023 17:36:33 +0100
-Subject: [PATCH] block/iscsi: fix double-free on BUSY or similar statuses
-
-Commit 8c460269aa77 ("iscsi: base all handling of check condition on
-scsi_sense_to_errno", 2019-07-15) removed a "goto out" so that the
-same coroutine is re-entered twice; once from iscsi_co_generic_cb,
-once from the timer callback iscsi_retry_timer_expired.  This can
-cause a crash.
-
-Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1378
-Reported-by: Grzegorz Zdanowski <https://gitlab.com/kiler129>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry-picked from commit 5080152e2ef6cde7aa692e29880c62bd54acb750)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- block/iscsi.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/block/iscsi.c b/block/iscsi.c
-index 3ed4a50c0d..89cd032c3a 100644
---- a/block/iscsi.c
-+++ b/block/iscsi.c
-@@ -268,6 +268,7 @@ iscsi_co_generic_cb(struct iscsi_context *iscsi, int status,
-                 timer_mod(&iTask->retry_timer,
-                           qemu_clock_get_ms(QEMU_CLOCK_REALTIME) + retry_time);
-                 iTask->do_retry = 1;
-+                return;
-             } else if (status == SCSI_STATUS_CHECK_CONDITION) {
-                 int error = iscsi_translate_sense(&task->sense);
-                 if (error == EAGAIN) {
diff --git a/debian/patches/extra/0012-hw-nvme-fix-missing-endian-conversions-for-doorbell-.patch b/debian/patches/extra/0012-hw-nvme-fix-missing-endian-conversions-for-doorbell-.patch
deleted file mode 100644
index aa9d0b0..0000000
--- a/debian/patches/extra/0012-hw-nvme-fix-missing-endian-conversions-for-doorbell-.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Klaus Jensen <k.jensen@samsung.com>
-Date: Wed, 8 Mar 2023 19:57:12 +0300
-Subject: [PATCH] hw/nvme: fix missing endian conversions for doorbell buffers
-
-The eventidx and doorbell value are not handling endianness correctly.
-Fix this.
-
-Fixes: 3f7fe8de3d49 ("hw/nvme: Implement shadow doorbell buffer support")
-Cc: qemu-stable@nongnu.org
-Reported-by: Guenter Roeck <linux@roeck-us.net>
-Reviewed-by: Keith Busch <kbusch@kernel.org>
-Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
-(cherry picked from commit 2fda0726e5149e032acfa5fe442db56cd6433c4c)
-Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
-Conflicts: hw/nvme/ctrl.c
-(picked up from qemu-stable mailing list)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- hw/nvme/ctrl.c | 22 ++++++++++++++++------
- 1 file changed, 16 insertions(+), 6 deletions(-)
-
-diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c
-index e54276dc1d..98d8e34109 100644
---- a/hw/nvme/ctrl.c
-+++ b/hw/nvme/ctrl.c
-@@ -1333,8 +1333,12 @@ static inline void nvme_blk_write(BlockBackend *blk, int64_t offset,
- 
- static void nvme_update_cq_head(NvmeCQueue *cq)
- {
--    pci_dma_read(&cq->ctrl->parent_obj, cq->db_addr, &cq->head,
--            sizeof(cq->head));
-+    uint32_t v;
-+
-+    pci_dma_read(&cq->ctrl->parent_obj, cq->db_addr, &v, sizeof(v));
-+
-+    cq->head = le32_to_cpu(v);
-+
-     trace_pci_nvme_shadow_doorbell_cq(cq->cqid, cq->head);
- }
- 
-@@ -6141,15 +6145,21 @@ static uint16_t nvme_admin_cmd(NvmeCtrl *n, NvmeRequest *req)
- 
- static void nvme_update_sq_eventidx(const NvmeSQueue *sq)
- {
--    pci_dma_write(&sq->ctrl->parent_obj, sq->ei_addr, &sq->tail,
--                  sizeof(sq->tail));
-+    uint32_t v = cpu_to_le32(sq->tail);
-+
-+    pci_dma_write(&sq->ctrl->parent_obj, sq->ei_addr, &v, sizeof(v));
-+
-     trace_pci_nvme_eventidx_sq(sq->sqid, sq->tail);
- }
- 
- static void nvme_update_sq_tail(NvmeSQueue *sq)
- {
--    pci_dma_read(&sq->ctrl->parent_obj, sq->db_addr, &sq->tail,
--                 sizeof(sq->tail));
-+    uint32_t v;
-+
-+    pci_dma_read(&sq->ctrl->parent_obj, sq->db_addr, &v, sizeof(v));
-+
-+    sq->tail = le32_to_cpu(v);
-+
-     trace_pci_nvme_shadow_doorbell_sq(sq->sqid, sq->tail);
- }
- 
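Review bot: this file was a conflict-resolved backport ("Conflicts: hw/nvme/ctrl.c", "picked up from qemu-stable mailing list"), so it need not be identical to what landed in stable. Worth checking that the submodule does the endian conversion at all three sites touched here: nvme_update_cq_head(), nvme_update_sq_eventidx() and nvme_update_sq_tail().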
diff --git a/debian/patches/extra/0013-hw-smbios-fix-field-corruption-in-type-4-table.patch b/debian/patches/extra/0013-hw-smbios-fix-field-corruption-in-type-4-table.patch
deleted file mode 100644
index 901dbfe..0000000
--- a/debian/patches/extra/0013-hw-smbios-fix-field-corruption-in-type-4-table.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Julia Suvorova <jusual@redhat.com>
-Date: Thu, 23 Feb 2023 13:57:47 +0100
-Subject: [PATCH] hw/smbios: fix field corruption in type 4 table
-
-Since table type 4 of SMBIOS version 2.6 is shorter than 3.0, the
-strings which follow immediately after the struct fields have been
-overwritten by unconditional filling of later fields such as core_count2.
-Make these fields dependent on the SMBIOS version.
-
-Fixes: 05e27d74c7 ("hw/smbios: add core_count2 to smbios table type 4")
-Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2169904
-
-Signed-off-by: Julia Suvorova <jusual@redhat.com>
-Message-Id: <20230223125747.254914-1-jusual@redhat.com>
-Reviewed-by: Igor Mammedov <imammedo@redhat.com>
-Reviewed-by: Ani Sinha <ani@anisinha.ca>
-Reviewed-by: Igor Mammedov <imammedo@redhat.com>
-Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-(cherry-picked from commit 60d09b8dc7dd4256d664ad680795cb1327805b2b)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- hw/smbios/smbios.c | 8 +++++---
- 1 file changed, 5 insertions(+), 3 deletions(-)
-
-diff --git a/hw/smbios/smbios.c b/hw/smbios/smbios.c
-index b4243de735..66a020999b 100644
---- a/hw/smbios/smbios.c
-+++ b/hw/smbios/smbios.c
-@@ -749,14 +749,16 @@ static void smbios_build_type_4_table(MachineState *ms, unsigned instance)
-     t->core_count = (ms->smp.cores > 255) ? 0xFF : ms->smp.cores;
-     t->core_enabled = t->core_count;
- 
--    t->core_count2 = t->core_enabled2 = cpu_to_le16(ms->smp.cores);
--
-     t->thread_count = (ms->smp.threads > 255) ? 0xFF : ms->smp.threads;
--    t->thread_count2 = cpu_to_le16(ms->smp.threads);
- 
-     t->processor_characteristics = cpu_to_le16(0x02); /* Unknown */
-     t->processor_family2 = cpu_to_le16(0x01); /* Other */
- 
-+    if (tbl_len == SMBIOS_TYPE_4_LEN_V30) {
-+        t->core_count2 = t->core_enabled2 = cpu_to_le16(ms->smp.cores);
-+        t->thread_count2 = cpu_to_le16(ms->smp.threads);
-+    }
-+
-     SMBIOS_BUILD_TABLE_POST;
-     smbios_type4_count++;
- }
diff --git a/debian/patches/extra/0014-virtio-rng-pci-fix-transitional-migration-compat-for.patch b/debian/patches/extra/0014-virtio-rng-pci-fix-transitional-migration-compat-for.patch
deleted file mode 100644
index d44da6b..0000000
--- a/debian/patches/extra/0014-virtio-rng-pci-fix-transitional-migration-compat-for.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
-Date: Tue, 7 Feb 2023 17:49:44 +0000
-Subject: [PATCH] virtio-rng-pci: fix transitional migration compat for vectors
-
-In bad9c5a516 ("virtio-rng-pci: fix migration compat for vectors") I
-fixed the virtio-rng-pci migration compatibility, but it was discovered
-that we also need to fix the other aliases of the device for the
-transitional cases.
-
-Fixes: 9ea02e8f1 ('virtio-rng-pci: Allow setting nvectors, so we can use MSI-X')
-bz: https://bugzilla.redhat.com/show_bug.cgi?id=2162569
-Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
-Message-Id: <20230207174944.138255-1-dgilbert@redhat.com>
-Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-(cherry-picked from commit 62bdb8871512076841f4464f7e26efdc7783f78d)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- hw/core/machine.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/hw/core/machine.c b/hw/core/machine.c
-index cd84579591..4297315984 100644
---- a/hw/core/machine.c
-+++ b/hw/core/machine.c
-@@ -43,6 +43,8 @@
- GlobalProperty hw_compat_7_1[] = {
-     { "virtio-device", "queue_reset", "false" },
-     { "virtio-rng-pci", "vectors", "0" },
-+    { "virtio-rng-pci-transitional", "vectors", "0" },
-+    { "virtio-rng-pci-non-transitional", "vectors", "0" },
- };
- const size_t hw_compat_7_1_len = G_N_ELEMENTS(hw_compat_7_1);
- 
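Review bot: together with 0006, this file gave hw_compat_7_1 three "vectors" entries (virtio-rng-pci, virtio-rng-pci-transitional, virtio-rng-pci-non-transitional). After the bump all three have to come from the submodule. A migration test of a virtio-rng guest from the previous package build to the new one, on a machine type that uses hw_compat_7_1, would confirm that dropping both files changes nothing for running guests.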
diff --git a/debian/patches/extra/0015-hw-timer-hpet-Fix-expiration-time-overflow.patch b/debian/patches/extra/0015-hw-timer-hpet-Fix-expiration-time-overflow.patch
deleted file mode 100644
index 3c30764..0000000
--- a/debian/patches/extra/0015-hw-timer-hpet-Fix-expiration-time-overflow.patch
+++ /dev/null
@@ -1,80 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Akihiko Odaki <akihiko.odaki@daynix.com>
-Date: Tue, 31 Jan 2023 12:00:37 +0900
-Subject: [PATCH] hw/timer/hpet: Fix expiration time overflow
-
-The expiration time provided for timer_mod() can overflow if a
-ridiculously large value is set to the comparator register. The
-resulting value can represent a past time after rounded, forcing the
-timer to fire immediately. If the timer is configured as periodic, it
-will rearm the timer again, and form an endless loop.
-
-Check if the expiration value will overflow, and if it will, stop the
-timer instead of rearming the timer with the overflowed time.
-
-This bug was found by Alexander Bulekov when fuzzing igb, a new
-network device emulation:
-https://patchew.org/QEMU/20230129053316.1071513-1-alxndr@bu.edu/
-
-The fixed test case is:
-fuzz/crash_2d7036941dcda1ad4380bb8a9174ed0c949bcefd
-
-Fixes: 16b29ae180 ("Add HPET emulation to qemu (Beth Kon)")
-Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
-Acked-by: Michael S. Tsirkin <mst@redhat.com>
-Message-Id: <20230131030037.18856-1-akihiko.odaki@daynix.com>
-Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-(cherry-picked from commit 37d2bcbc2a4e9c2e9061bec72a32c7e49b9f81ec)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- hw/timer/hpet.c | 19 +++++++++++++------
- 1 file changed, 13 insertions(+), 6 deletions(-)
-
-diff --git a/hw/timer/hpet.c b/hw/timer/hpet.c
-index 9520471be2..5f88ffdef8 100644
---- a/hw/timer/hpet.c
-+++ b/hw/timer/hpet.c
-@@ -352,6 +352,16 @@ static const VMStateDescription vmstate_hpet = {
-     }
- };
- 
-+static void hpet_arm(HPETTimer *t, uint64_t ticks)
-+{
-+    if (ticks < ns_to_ticks(INT64_MAX / 2)) {
-+        timer_mod(t->qemu_timer,
-+                  qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) + ticks_to_ns(ticks));
-+    } else {
-+        timer_del(t->qemu_timer);
-+    }
-+}
-+
- /*
-  * timer expiration callback
-  */
-@@ -374,13 +384,11 @@ static void hpet_timer(void *opaque)
-             }
-         }
-         diff = hpet_calculate_diff(t, cur_tick);
--        timer_mod(t->qemu_timer,
--                       qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) + (int64_t)ticks_to_ns(diff));
-+        hpet_arm(t, diff);
-     } else if (t->config & HPET_TN_32BIT && !timer_is_periodic(t)) {
-         if (t->wrap_flag) {
-             diff = hpet_calculate_diff(t, cur_tick);
--            timer_mod(t->qemu_timer, qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) +
--                           (int64_t)ticks_to_ns(diff));
-+            hpet_arm(t, diff);
-             t->wrap_flag = 0;
-         }
-     }
-@@ -407,8 +415,7 @@ static void hpet_set_timer(HPETTimer *t)
-             t->wrap_flag = 1;
-         }
-     }
--    timer_mod(t->qemu_timer,
--                   qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) + (int64_t)ticks_to_ns(diff));
-+    hpet_arm(t, diff);
- }
- 
- static void hpet_del_timer(HPETTimer *t)
diff --git a/debian/patches/extra/0016-vdpa-stop-all-svq-on-device-deletion.patch b/debian/patches/extra/0016-vdpa-stop-all-svq-on-device-deletion.patch
deleted file mode 100644
index 07166db..0000000
--- a/debian/patches/extra/0016-vdpa-stop-all-svq-on-device-deletion.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Eugenio=20P=C3=A9rez?= <eperezma@redhat.com>
-Date: Thu, 9 Feb 2023 18:00:04 +0100
-Subject: [PATCH] vdpa: stop all svq on device deletion
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Not stopping them leave the device in a bad state when virtio-net
-fronted device is unplugged with device_del monitor command.
-
-This is not triggable in regular poweroff or qemu forces shutdown
-because cleanup is called right after vhost_vdpa_dev_start(false).  But
-devices hot unplug does not call vdpa device cleanups.  This lead to all
-the vhost_vdpa devices without stop the SVQ but the last.
-
-Fix it and clean the code, making it symmetric with
-vhost_vdpa_svqs_start.
-
-Fixes: dff4426fa656 ("vhost: Add Shadow VirtQueue kick forwarding capabilities")
-Reported-by: Lei Yang <leiyang@redhat.com>
-Signed-off-by: Eugenio Pérez <eperezma@redhat.com>
-Message-Id: <20230209170004.899472-1-eperezma@redhat.com>
-Tested-by: Laurent Vivier <lvivier@redhat.com>
-Acked-by: Jason Wang <jasowang@redhat.com>
-(cherry-picked from commit 2e1a9de96b487cf818a22d681cad8d3f5d18dcca)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- hw/virtio/vhost-vdpa.c | 17 ++---------------
- 1 file changed, 2 insertions(+), 15 deletions(-)
-
-diff --git a/hw/virtio/vhost-vdpa.c b/hw/virtio/vhost-vdpa.c
-index 7468e44b87..03c78d25d8 100644
---- a/hw/virtio/vhost-vdpa.c
-+++ b/hw/virtio/vhost-vdpa.c
-@@ -707,26 +707,11 @@ static int vhost_vdpa_get_device_id(struct vhost_dev *dev,
-     return ret;
- }
- 
--static void vhost_vdpa_reset_svq(struct vhost_vdpa *v)
--{
--    if (!v->shadow_vqs_enabled) {
--        return;
--    }
--
--    for (unsigned i = 0; i < v->shadow_vqs->len; ++i) {
--        VhostShadowVirtqueue *svq = g_ptr_array_index(v->shadow_vqs, i);
--        vhost_svq_stop(svq);
--    }
--}
--
- static int vhost_vdpa_reset_device(struct vhost_dev *dev)
- {
--    struct vhost_vdpa *v = dev->opaque;
-     int ret;
-     uint8_t status = 0;
- 
--    vhost_vdpa_reset_svq(v);
--
-     ret = vhost_vdpa_call(dev, VHOST_VDPA_SET_STATUS, &status);
-     trace_vhost_vdpa_reset_device(dev, status);
-     return ret;
-@@ -1088,6 +1073,8 @@ static void vhost_vdpa_svqs_stop(struct vhost_dev *dev)
- 
-     for (unsigned i = 0; i < v->shadow_vqs->len; ++i) {
-         VhostShadowVirtqueue *svq = g_ptr_array_index(v->shadow_vqs, i);
-+
-+        vhost_svq_stop(svq);
-         vhost_vdpa_svq_unmap_rings(dev, svq);
-     }
- }
diff --git a/debian/patches/extra/0017-vhost-avoid-a-potential-use-of-an-uninitialized-vari.patch b/debian/patches/extra/0017-vhost-avoid-a-potential-use-of-an-uninitialized-vari.patch
deleted file mode 100644
index 8ce1973..0000000
--- a/debian/patches/extra/0017-vhost-avoid-a-potential-use-of-an-uninitialized-vari.patch
+++ /dev/null
@@ -1,132 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Carlos=20L=C3=B3pez?= <clopez@suse.de>
-Date: Mon, 13 Feb 2023 09:57:47 +0100
-Subject: [PATCH] vhost: avoid a potential use of an uninitialized variable in
- vhost_svq_poll()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-In vhost_svq_poll(), if vhost_svq_get_buf() fails due to a device
-providing invalid descriptors, len is left uninitialized and returned
-to the caller, potentally leaking stack data or causing undefined
-behavior.
-
-Fix this by initializing len to 0.
-
-Found with GCC 13 and -fanalyzer (abridged):
-
-../hw/virtio/vhost-shadow-virtqueue.c: In function ‘vhost_svq_poll’:
-../hw/virtio/vhost-shadow-virtqueue.c:538:12: warning: use of uninitialized value ‘len’ [CWE-457] [-Wanalyzer-use-of-uninitialized-value]
-  538 |     return len;
-      |            ^~~
-  ‘vhost_svq_poll’: events 1-4
-    |
-    |  522 | size_t vhost_svq_poll(VhostShadowVirtqueue *svq)
-    |      |        ^~~~~~~~~~~~~~
-    |      |        |
-    |      |        (1) entry to ‘vhost_svq_poll’
-    |......
-    |  525 |     uint32_t len;
-    |      |              ~~~
-    |      |              |
-    |      |              (2) region created on stack here
-    |      |              (3) capacity: 4 bytes
-    |......
-    |  528 |         if (vhost_svq_more_used(svq)) {
-    |      |             ~
-    |      |             |
-    |      |             (4) inlined call to ‘vhost_svq_more_used’ from ‘vhost_svq_poll’
-
-    (...)
-
-    |  528 |         if (vhost_svq_more_used(svq)) {
-    |      |            ^~~~~~~~~~~~~~~~~~~~~~~~~
-    |      |            ||
-    |      |            |(8) ...to here
-    |      |            (7) following ‘true’ branch...
-    |......
-    |  537 |     vhost_svq_get_buf(svq, &len);
-    |      |     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-    |      |     |
-    |      |     (9) calling ‘vhost_svq_get_buf’ from ‘vhost_svq_poll’
-    |
-    +--> ‘vhost_svq_get_buf’: events 10-11
-           |
-           |  416 | static VirtQueueElement *vhost_svq_get_buf(VhostShadowVirtqueue *svq,
-           |      |                          ^~~~~~~~~~~~~~~~~
-           |      |                          |
-           |      |                          (10) entry to ‘vhost_svq_get_buf’
-           |......
-           |  423 |     if (!vhost_svq_more_used(svq)) {
-           |      |          ~
-           |      |          |
-           |      |          (11) inlined call to ‘vhost_svq_more_used’ from ‘vhost_svq_get_buf’
-           |
-
-           (...)
-
-           |
-         ‘vhost_svq_get_buf’: event 14
-           |
-           |  423 |     if (!vhost_svq_more_used(svq)) {
-           |      |        ^
-           |      |        |
-           |      |        (14) following ‘false’ branch...
-           |
-         ‘vhost_svq_get_buf’: event 15
-           |
-           |cc1:
-           | (15): ...to here
-           |
-    <------+
-    |
-  ‘vhost_svq_poll’: events 16-17
-    |
-    |  537 |     vhost_svq_get_buf(svq, &len);
-    |      |     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
-    |      |     |
-    |      |     (16) returning to ‘vhost_svq_poll’ from ‘vhost_svq_get_buf’
-    |  538 |     return len;
-    |      |            ~~~
-    |      |            |
-    |      |            (17) use of uninitialized value ‘len’ here
-
-Note by  Laurent Vivier <lvivier@redhat.com>:
-
-    The return value is only used to detect an error:
-
-    vhost_svq_poll
-        vhost_vdpa_net_cvq_add
-            vhost_vdpa_net_load_cmd
-                vhost_vdpa_net_load_mac
-                  -> a negative return is only used to detect error
-                vhost_vdpa_net_load_mq
-                  -> a negative return is only used to detect error
-            vhost_vdpa_net_handle_ctrl_avail
-              -> a negative return is only used to detect error
-
-Fixes: d368c0b052ad ("vhost: Do not depend on !NULL VirtQueueElement on vhost_svq_flush")
-Signed-off-by: Carlos López <clopez@suse.de>
-Message-Id: <20230213085747.19956-1-clopez@suse.de>
-Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-(cherry-picked from commit e4dd39c699b7d63a06f686ec06ded8adbee989c1)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- hw/virtio/vhost-shadow-virtqueue.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/virtio/vhost-shadow-virtqueue.c b/hw/virtio/vhost-shadow-virtqueue.c
-index 5bd14cad96..a723073747 100644
---- a/hw/virtio/vhost-shadow-virtqueue.c
-+++ b/hw/virtio/vhost-shadow-virtqueue.c
-@@ -522,7 +522,7 @@ static void vhost_svq_flush(VhostShadowVirtqueue *svq,
- size_t vhost_svq_poll(VhostShadowVirtqueue *svq)
- {
-     int64_t start_us = g_get_monotonic_time();
--    uint32_t len;
-+    uint32_t len = 0;
- 
-     do {
-         if (vhost_svq_more_used(svq)) {
diff --git a/debian/patches/extra/0018-chardev-char-socket-set-s-listener-NULL-in-char_sock.patch b/debian/patches/extra/0018-chardev-char-socket-set-s-listener-NULL-in-char_sock.patch
deleted file mode 100644
index 449bca8..0000000
--- a/debian/patches/extra/0018-chardev-char-socket-set-s-listener-NULL-in-char_sock.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Yajun Wu <yajunw@nvidia.com>
-Date: Tue, 14 Feb 2023 10:14:30 +0800
-Subject: [PATCH] chardev/char-socket: set s->listener = NULL in
- char_socket_finalize
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-After live migration with virtio block device, qemu crash at:
-
-	#0  0x000055914f46f795 in object_dynamic_cast_assert (obj=0x559151b7b090, typename=0x55914f80fbc4 "qio-channel", file=0x55914f80fb90 "/images/testvfe/sw/qemu.gerrit/include/io/channel.h", line=30, func=0x55914f80fcb8 <__func__.17257> "QIO_CHANNEL") at ../qom/object.c:872
-	#1  0x000055914f480d68 in QIO_CHANNEL (obj=0x559151b7b090) at /images/testvfe/sw/qemu.gerrit/include/io/channel.h:29
-	#2  0x000055914f4812f8 in qio_net_listener_set_client_func_full (listener=0x559151b7a720, func=0x55914f580b97 <tcp_chr_accept>, data=0x5591519f4ea0, notify=0x0, context=0x0) at ../io/net-listener.c:166
-	#3  0x000055914f580059 in tcp_chr_update_read_handler (chr=0x5591519f4ea0) at ../chardev/char-socket.c:637
-	#4  0x000055914f583dca in qemu_chr_be_update_read_handlers (s=0x5591519f4ea0, context=0x0) at ../chardev/char.c:226
-	#5  0x000055914f57b7c9 in qemu_chr_fe_set_handlers_full (b=0x559152bf23a0, fd_can_read=0x0, fd_read=0x0, fd_event=0x0, be_change=0x0, opaque=0x0, context=0x0, set_open=false, sync_state=true) at ../chardev/char-fe.c:279
-	#6  0x000055914f57b86d in qemu_chr_fe_set_handlers (b=0x559152bf23a0, fd_can_read=0x0, fd_read=0x0, fd_event=0x0, be_change=0x0, opaque=0x0, context=0x0, set_open=false) at ../chardev/char-fe.c:304
-	#7  0x000055914f378caf in vhost_user_async_close (d=0x559152bf21a0, chardev=0x559152bf23a0, vhost=0x559152bf2420, cb=0x55914f2fb8c1 <vhost_user_blk_disconnect>) at ../hw/virtio/vhost-user.c:2725
-	#8  0x000055914f2fba40 in vhost_user_blk_event (opaque=0x559152bf21a0, event=CHR_EVENT_CLOSED) at ../hw/block/vhost-user-blk.c:395
-	#9  0x000055914f58388c in chr_be_event (s=0x5591519f4ea0, event=CHR_EVENT_CLOSED) at ../chardev/char.c:61
-	#10 0x000055914f583905 in qemu_chr_be_event (s=0x5591519f4ea0, event=CHR_EVENT_CLOSED) at ../chardev/char.c:81
-	#11 0x000055914f581275 in char_socket_finalize (obj=0x5591519f4ea0) at ../chardev/char-socket.c:1083
-	#12 0x000055914f46f073 in object_deinit (obj=0x5591519f4ea0, type=0x5591519055c0) at ../qom/object.c:680
-	#13 0x000055914f46f0e5 in object_finalize (data=0x5591519f4ea0) at ../qom/object.c:694
-	#14 0x000055914f46ff06 in object_unref (objptr=0x5591519f4ea0) at ../qom/object.c:1202
-	#15 0x000055914f4715a4 in object_finalize_child_property (obj=0x559151b76c50, name=0x559151b7b250 "char3", opaque=0x5591519f4ea0) at ../qom/object.c:1747
-	#16 0x000055914f46ee86 in object_property_del_all (obj=0x559151b76c50) at ../qom/object.c:632
-	#17 0x000055914f46f0d2 in object_finalize (data=0x559151b76c50) at ../qom/object.c:693
-	#18 0x000055914f46ff06 in object_unref (objptr=0x559151b76c50) at ../qom/object.c:1202
-	#19 0x000055914f4715a4 in object_finalize_child_property (obj=0x559151b6b560, name=0x559151b76630 "chardevs", opaque=0x559151b76c50) at ../qom/object.c:1747
-	#20 0x000055914f46ef67 in object_property_del_child (obj=0x559151b6b560, child=0x559151b76c50) at ../qom/object.c:654
-	#21 0x000055914f46f042 in object_unparent (obj=0x559151b76c50) at ../qom/object.c:673
-	#22 0x000055914f58632a in qemu_chr_cleanup () at ../chardev/char.c:1189
-	#23 0x000055914f16c66c in qemu_cleanup () at ../softmmu/runstate.c:830
-	#24 0x000055914eee7b9e in qemu_default_main () at ../softmmu/main.c:38
-	#25 0x000055914eee7bcc in main (argc=86, argv=0x7ffc97cb8d88) at ../softmmu/main.c:48
-
-In char_socket_finalize after s->listener freed, event callback function
-vhost_user_blk_event will be called to handle CHR_EVENT_CLOSED.
-vhost_user_blk_event is calling qio_net_listener_set_client_func_full which
-is still using s->listener.
-
-Setting s->listener = NULL after object_unref(OBJECT(s->listener)) can
-solve this issue.
-
-Signed-off-by: Yajun Wu <yajunw@nvidia.com>
-Acked-by: Jiri Pirko <jiri@nvidia.com>
-Message-Id: <20230214021430.3638579-1-yajunw@nvidia.com>
-Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-(cherry-picked from commit b8a7f51f59e28d5a8e0c07ed3919cc9695560ed2)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- chardev/char-socket.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/chardev/char-socket.c b/chardev/char-socket.c
-index 879564aa8a..b00efb1482 100644
---- a/chardev/char-socket.c
-+++ b/chardev/char-socket.c
-@@ -1065,6 +1065,7 @@ static void char_socket_finalize(Object *obj)
-         qio_net_listener_set_client_func_full(s->listener, NULL, NULL,
-                                               NULL, chr->gcontext);
-         object_unref(OBJECT(s->listener));
-+        s->listener = NULL;
-     }
-     if (s->tls_creds) {
-         object_unref(OBJECT(s->tls_creds));
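Review bot: this file is dropped on the assumption that the new submodule already has the one-line `s->listener = NULL;` after object_unref() in char_socket_finalize(), and the commit message does not say how that was checked. The trailer names upstream commit b8a7f51f59e28d5a8e0c07ed3919cc9695560ed2, so the message could state that each dropped file was matched against its "(cherry-picked from commit ...)" trailer in the 7.2.10 history. Without that line, the CHR_EVENT_CLOSED callback reaches qio_net_listener_set_client_func_full() with a listener that was already freed, which is the shutdown crash in the backtrace quoted in this file.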
diff --git a/debian/patches/extra/0019-intel-iommu-fail-MAP-notifier-without-caching-mode.patch b/debian/patches/extra/0019-intel-iommu-fail-MAP-notifier-without-caching-mode.patch
deleted file mode 100644
index f0f2d21..0000000
--- a/debian/patches/extra/0019-intel-iommu-fail-MAP-notifier-without-caching-mode.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Jason Wang <jasowang@redhat.com>
-Date: Thu, 23 Feb 2023 14:59:20 +0800
-Subject: [PATCH] intel-iommu: fail MAP notifier without caching mode
-
-Without caching mode, MAP notifier won't work correctly since guest
-won't send IOTLB update event when it establishes new mappings in the
-I/O page tables. Let's fail the IOMMU notifiers early instead of
-misbehaving silently.
-
-Reviewed-by: Eric Auger <eric.auger@redhat.com>
-Tested-by: Viktor Prutyanov <viktor@daynix.com>
-Signed-off-by: Jason Wang <jasowang@redhat.com>
-Message-Id: <20230223065924.42503-2-jasowang@redhat.com>
-Reviewed-by: Peter Xu <peterx@redhat.com>
-Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-(cherry-picked from commit b8d78277c091f26fdd64f239bc8bb7e55d74cecf)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- hw/i386/intel_iommu.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/hw/i386/intel_iommu.c b/hw/i386/intel_iommu.c
-index a08ee85edf..9143376677 100644
---- a/hw/i386/intel_iommu.c
-+++ b/hw/i386/intel_iommu.c
-@@ -3186,6 +3186,13 @@ static int vtd_iommu_notify_flag_changed(IOMMUMemoryRegion *iommu,
-                          "Snoop Control with vhost or VFIO is not supported");
-         return -ENOTSUP;
-     }
-+    if (!s->caching_mode && (new & IOMMU_NOTIFIER_MAP)) {
-+        error_setg_errno(errp, ENOTSUP,
-+                         "device %02x.%02x.%x requires caching mode",
-+                         pci_bus_num(vtd_as->bus), PCI_SLOT(vtd_as->devfn),
-+                         PCI_FUNC(vtd_as->devfn));
-+        return -ENOTSUP;
-+    }
- 
-     /* Update per-address-space notifier flags */
-     vtd_as->notifier_flags = new;
diff --git a/debian/patches/extra/0020-intel-iommu-fail-DEVIOTLB_UNMAP-without-dt-mode.patch b/debian/patches/extra/0020-intel-iommu-fail-DEVIOTLB_UNMAP-without-dt-mode.patch
deleted file mode 100644
index ce87ea5..0000000
--- a/debian/patches/extra/0020-intel-iommu-fail-DEVIOTLB_UNMAP-without-dt-mode.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Jason Wang <jasowang@redhat.com>
-Date: Thu, 23 Feb 2023 14:59:21 +0800
-Subject: [PATCH] intel-iommu: fail DEVIOTLB_UNMAP without dt mode
-
-Without dt mode, device IOTLB notifier won't work since guest won't
-send device IOTLB invalidation descriptor in this case. Let's fail
-early instead of misbehaving silently.
-
-Reviewed-by: Laurent Vivier <lvivier@redhat.com>
-Tested-by: Laurent Vivier <lvivier@redhat.com>
-Tested-by: Viktor Prutyanov <viktor@daynix.com>
-Buglink: https://bugzilla.redhat.com/2156876
-Signed-off-by: Jason Wang <jasowang@redhat.com>
-Message-Id: <20230223065924.42503-3-jasowang@redhat.com>
-Reviewed-by: Peter Xu <peterx@redhat.com>
-Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-(cherry-picked from commit 09adb0e021207b60a0c51a68939b4539d98d3ef3)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- hw/i386/intel_iommu.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/hw/i386/intel_iommu.c b/hw/i386/intel_iommu.c
-index 9143376677..d025ef2873 100644
---- a/hw/i386/intel_iommu.c
-+++ b/hw/i386/intel_iommu.c
-@@ -3179,6 +3179,7 @@ static int vtd_iommu_notify_flag_changed(IOMMUMemoryRegion *iommu,
- {
-     VTDAddressSpace *vtd_as = container_of(iommu, VTDAddressSpace, iommu);
-     IntelIOMMUState *s = vtd_as->iommu_state;
-+    X86IOMMUState *x86_iommu = X86_IOMMU_DEVICE(s);
- 
-     /* TODO: add support for VFIO and vhost users */
-     if (s->snoop_control) {
-@@ -3193,6 +3194,13 @@ static int vtd_iommu_notify_flag_changed(IOMMUMemoryRegion *iommu,
-                          PCI_FUNC(vtd_as->devfn));
-         return -ENOTSUP;
-     }
-+    if (!x86_iommu->dt_supported && (new & IOMMU_NOTIFIER_DEVIOTLB_UNMAP)) {
-+        error_setg_errno(errp, ENOTSUP,
-+                         "device %02x.%02x.%x requires device IOTLB mode",
-+                         pci_bus_num(vtd_as->bus), PCI_SLOT(vtd_as->devfn),
-+                         PCI_FUNC(vtd_as->devfn));
-+        return -ENOTSUP;
-+    }
- 
-     /* Update per-address-space notifier flags */
-     vtd_as->notifier_flags = new;
diff --git a/debian/patches/extra/0021-memory-Allow-disabling-re-entrancy-checking-per-MR.patch b/debian/patches/extra/0021-memory-Allow-disabling-re-entrancy-checking-per-MR.patch
deleted file mode 100644
index 3d5c267..0000000
--- a/debian/patches/extra/0021-memory-Allow-disabling-re-entrancy-checking-per-MR.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Alexander Bulekov <alxndr@bu.edu>
-Date: Mon, 13 Mar 2023 04:24:16 -0400
-Subject: [PATCH] memory: Allow disabling re-entrancy checking per-MR
-
-Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
----
- include/exec/memory.h | 3 +++
- softmmu/memory.c      | 2 +-
- 2 files changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/include/exec/memory.h b/include/exec/memory.h
-index 91f8a2395a..d7268d9f39 100644
---- a/include/exec/memory.h
-+++ b/include/exec/memory.h
-@@ -765,6 +765,9 @@ struct MemoryRegion {
-     unsigned ioeventfd_nb;
-     MemoryRegionIoeventfd *ioeventfds;
-     RamDiscardManager *rdm; /* Only for RAM */
-+
-+    /* For devices designed to perform re-entrant IO into their own IO MRs */
-+    bool disable_reentrancy_guard;
- };
- 
- struct IOMMUMemoryRegion {
-diff --git a/softmmu/memory.c b/softmmu/memory.c
-index 7dcb3347aa..2b46714191 100644
---- a/softmmu/memory.c
-+++ b/softmmu/memory.c
-@@ -544,7 +544,7 @@ static MemTxResult access_with_adjusted_size(hwaddr addr,
-     }
- 
-     /* Do not allow more than one simultanous access to a device's IO Regions */
--    if (mr->owner &&
-+    if (mr->owner && !mr->disable_reentrancy_guard &&
-         !mr->ram_device && !mr->ram && !mr->rom_device && !mr->readonly) {
-         dev = (DeviceState *) object_dynamic_cast(mr->owner, TYPE_DEVICE);
-         if (dev) {
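Review bot: unlike the neighbouring dropped files, this one carries no "(cherry-picked from commit ...)" trailer and no description, so nothing in the hunk identifies the upstream commit that replaces it. The commit message says the upstream reentrancy patches are a newer version than this backport; naming those commits there would let a reader confirm that the per-MemoryRegion opt-out, here the `!mr->disable_reentrancy_guard` term in access_with_adjusted_size(), still exists after the rebase.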
diff --git a/debian/patches/extra/0022-lsi53c895a-disable-reentrancy-detection-for-script-R.patch b/debian/patches/extra/0022-lsi53c895a-disable-reentrancy-detection-for-script-R.patch
deleted file mode 100644
index a4ed0ee..0000000
--- a/debian/patches/extra/0022-lsi53c895a-disable-reentrancy-detection-for-script-R.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Alexander Bulekov <alxndr@bu.edu>
-Date: Mon, 13 Mar 2023 04:24:17 -0400
-Subject: [PATCH] lsi53c895a: disable reentrancy detection for script RAM
-
-As the code is designed to use the memory APIs to access the script ram,
-disable reentrancy checks for the pseudo-RAM ram_io MemoryRegion.
-
-In the future, ram_io may be converted from an IO to a proper RAM MemoryRegion.
-
-Reported-by: Fiona Ebner <f.ebner@proxmox.com>
-Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
----
- hw/scsi/lsi53c895a.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
-index 50979640c3..894b9311ac 100644
---- a/hw/scsi/lsi53c895a.c
-+++ b/hw/scsi/lsi53c895a.c
-@@ -2302,6 +2302,12 @@ static void lsi_scsi_realize(PCIDevice *dev, Error **errp)
-     memory_region_init_io(&s->io_io, OBJECT(s), &lsi_io_ops, s,
-                           "lsi-io", 256);
- 
-+    /*
-+     * Since we use the address-space API to interact with ram_io, disable the
-+     * re-entrancy guard.
-+     */
-+    s->ram_io.disable_reentrancy_guard = true;
-+
-     address_space_init(&s->pci_io_as, pci_address_space_io(dev), "lsi-pci-io");
-     qdev_init_gpio_out(d, &s->ext_irq, 1);
- 
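Review bot: dropping this file needs a check that the upstream version still exempts `ram_io` in lsi_scsi_realize(), and the series does not mention a test for it. The exemption exists because the device reaches its script RAM through the address-space API, so the guard against more than one simultaneous access to a device's IO regions would otherwise apply to the device's own accesses. Booting a guest with an lsi53c895a controller on the rebased build would cover this.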
diff --git a/debian/patches/extra/0023-acpi-cpuhp-fix-guest-visible-maximum-access-size-to-.patch b/debian/patches/extra/0023-acpi-cpuhp-fix-guest-visible-maximum-access-size-to-.patch
deleted file mode 100644
index 345fc4e..0000000
--- a/debian/patches/extra/0023-acpi-cpuhp-fix-guest-visible-maximum-access-size-to-.patch
+++ /dev/null
@@ -1,166 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Laszlo Ersek <lersek@redhat.com>
-Date: Thu, 5 Jan 2023 17:18:04 +0100
-Subject: [PATCH] acpi: cpuhp: fix guest-visible maximum access size to the
- legacy reg block
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The modern ACPI CPU hotplug interface was introduced in the following
-series (aa1dd39ca307..679dd1a957df), released in v2.7.0:
-
-  1  abd49bc2ed2f docs: update ACPI CPU hotplug spec with new protocol
-  2  16bcab97eb9f pc: piix4/ich9: add 'cpu-hotplug-legacy' property
-  3  5e1b5d93887b acpi: cpuhp: add CPU devices AML with _STA method
-  4  ac35f13ba8f8 pc: acpi: introduce AcpiDeviceIfClass.madt_cpu hook
-  5  d2238cb6781d acpi: cpuhp: implement hot-add parts of CPU hotplug
-                  interface
-  6  8872c25a26cc acpi: cpuhp: implement hot-remove parts of CPU hotplug
-                  interface
-  7  76623d00ae57 acpi: cpuhp: add cpu._OST handling
-  8  679dd1a957df pc: use new CPU hotplug interface since 2.7 machine type
-
-Before patch#1, "docs/specs/acpi_cpu_hotplug.txt" only specified 1-byte
-accesses for the hotplug register block.  Patch#1 preserved the same
-restriction for the legacy register block, but:
-
-- it specified DWORD accesses for some of the modern registers,
-
-- in particular, the switch from the legacy block to the modern block
-  would require a DWORD write to the *legacy* block.
-
-The latter functionality was then implemented in cpu_status_write()
-[hw/acpi/cpu_hotplug.c], in patch#8.
-
-Unfortunately, all DWORD accesses depended on a dormant bug: the one
-introduced in earlier commit a014ed07bd5a ("memory: accept mismatching
-sizes in memory_region_access_valid", 2013-05-29); first released in
-v1.6.0.  Due to commit a014ed07bd5a, the DWORD accesses to the *legacy*
-CPU hotplug register block would work in spite of the above series *not*
-relaxing "valid.max_access_size = 1" in "hw/acpi/cpu_hotplug.c":
-
-> static const MemoryRegionOps AcpiCpuHotplug_ops = {
->     .read = cpu_status_read,
->     .write = cpu_status_write,
->     .endianness = DEVICE_LITTLE_ENDIAN,
->     .valid = {
->         .min_access_size = 1,
->         .max_access_size = 1,
->     },
-> };
-
-Later, in commits e6d0c3ce6895 ("acpi: cpuhp: introduce 'Command data 2'
-field", 2020-01-22) and ae340aa3d256 ("acpi: cpuhp: spec: add typical
-usecases", 2020-01-22), first released in v5.0.0, the modern CPU hotplug
-interface (including the documentation) was extended with another DWORD
-*read* access, namely to the "Command data 2" register, which would be
-important for the guest to confirm whether it managed to switch the
-register block from legacy to modern.
-
-This functionality too silently depended on the bug from commit
-a014ed07bd5a.
-
-In commit 5d971f9e6725 ('memory: Revert "memory: accept mismatching sizes
-in memory_region_access_valid"', 2020-06-26), first released in v5.1.0,
-the bug from commit a014ed07bd5a was fixed (the commit was reverted).
-That swiftly exposed the bug in "AcpiCpuHotplug_ops", still present from
-the v2.7.0 series quoted at the top -- namely the fact that
-"valid.max_access_size = 1" didn't match what the guest was supposed to
-do, according to the spec ("docs/specs/acpi_cpu_hotplug.txt").
-
-The symptom is that the "modern interface negotiation protocol"
-described in commit ae340aa3d256:
-
-> +      Use following steps to detect and enable modern CPU hotplug interface:
-> +        1. Store 0x0 to the 'CPU selector' register,
-> +           attempting to switch to modern mode
-> +        2. Store 0x0 to the 'CPU selector' register,
-> +           to ensure valid selector value
-> +        3. Store 0x0 to the 'Command field' register,
-> +        4. Read the 'Command data 2' register.
-> +           If read value is 0x0, the modern interface is enabled.
-> +           Otherwise legacy or no CPU hotplug interface available
-
-falls apart for the guest: steps 1 and 2 are lost, because they are DWORD
-writes; so no switching happens.  Step 3 (a single-byte write) is not
-lost, but it has no effect; see the condition in cpu_status_write() in
-patch#8.  And step 4 *misleads* the guest into thinking that the switch
-worked: the DWORD read is lost again -- it returns zero to the guest
-without ever reaching the device model, so the guest never learns the
-switch didn't work.
-
-This means that guest behavior centered on the "Command data 2" register
-worked *only* in the v5.0.0 release; it got effectively regressed in
-v5.1.0.
-
-To make things *even more* complicated, the breakage was (and remains, as
-of today) visible with TCG acceleration only.  Commit 5d971f9e6725 makes
-no difference with KVM acceleration -- the DWORD accesses still work,
-despite "valid.max_access_size = 1".
-
-As commit 5d971f9e6725 suggests, fix the problem by raising
-"valid.max_access_size" to 4 -- the spec now clearly instructs the guest
-to perform DWORD accesses to the legacy register block too, for enabling
-(and verifying!) the modern block.  In order to keep compatibility for the
-device model implementation though, set "impl.max_access_size = 1", so
-that wide accesses be split before they reach the legacy read/write
-handlers, like they always have been on KVM, and like they were on TCG
-before 5d971f9e6725 (v5.1.0).
-
-Tested with:
-
-- OVMF IA32 + qemu-system-i386, CPU hotplug/hot-unplug with SMM,
-  intermixed with ACPI S3 suspend/resume, using KVM accel
-  (regression-test);
-
-- OVMF IA32X64 + qemu-system-x86_64, CPU hotplug/hot-unplug with SMM,
-  intermixed with ACPI S3 suspend/resume, using KVM accel
-  (regression-test);
-
-- OVMF IA32 + qemu-system-i386, SMM enabled, using TCG accel; verified the
-  register block switch and the present/possible CPU counting through the
-  modern hotplug interface, during OVMF boot (bugfix test);
-
-- I do not have any testcase (guest payload) for regression-testing CPU
-  hotplug through the *legacy* CPU hotplug register block.
-
-Cc: "Michael S. Tsirkin" <mst@redhat.com>
-Cc: Ani Sinha <ani@anisinha.ca>
-Cc: Ard Biesheuvel <ardb@kernel.org>
-Cc: Igor Mammedov <imammedo@redhat.com>
-Cc: Paolo Bonzini <pbonzini@redhat.com>
-Cc: Peter Maydell <peter.maydell@linaro.org>
-Cc: Philippe Mathieu-Daudé <philmd@linaro.org>
-Cc: qemu-stable@nongnu.org
-Ref: "IO port write width clamping differs between TCG and KVM"
-Link: http://mid.mail-archive.com/aaedee84-d3ed-a4f9-21e7-d221a28d1683@redhat.com
-Link: https://lists.gnu.org/archive/html/qemu-devel/2023-01/msg00199.html
-Reported-by: Ard Biesheuvel <ardb@kernel.org>
-Signed-off-by: Laszlo Ersek <lersek@redhat.com>
-Tested-by: Ard Biesheuvel <ardb@kernel.org>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
-Tested-by: Igor Mammedov <imammedo@redhat.com>
-Message-Id: <20230105161804.82486-1-lersek@redhat.com>
-Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-(cherry-picked from commit dab30fbef3896bb652a09d46c37d3f55657cbcbb)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- hw/acpi/cpu_hotplug.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/hw/acpi/cpu_hotplug.c b/hw/acpi/cpu_hotplug.c
-index 53654f8638..ff14c3f410 100644
---- a/hw/acpi/cpu_hotplug.c
-+++ b/hw/acpi/cpu_hotplug.c
-@@ -52,6 +52,9 @@ static const MemoryRegionOps AcpiCpuHotplug_ops = {
-     .endianness = DEVICE_LITTLE_ENDIAN,
-     .valid = {
-         .min_access_size = 1,
-+        .max_access_size = 4,
-+    },
-+    .impl = {
-         .max_access_size = 1,
-     },
- };
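Review bot: the description of this dropped fix ends with the caveat that the legacy CPU hotplug register block had no regression test, and nothing in this series adds or mentions one. The same description says the breakage shows with TCG acceleration only and that DWORD accesses keep working under KVM, so a TCG boot that runs the "Command data 2" negotiation quoted above is the test that would show the stable copy of the `.valid.max_access_size = 4` / `.impl.max_access_size = 1` split is in effect.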
diff --git a/debian/patches/extra/0024-tests-tcg-i386-Introduce-and-use-reg_t-consistently.patch b/debian/patches/extra/0024-tests-tcg-i386-Introduce-and-use-reg_t-consistently.patch
deleted file mode 100644
index a4bcb71..0000000
--- a/debian/patches/extra/0024-tests-tcg-i386-Introduce-and-use-reg_t-consistently.patch
+++ /dev/null
@@ -1,286 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Richard Henderson <richard.henderson@linaro.org>
-Date: Sat, 14 Jan 2023 13:05:41 -1000
-Subject: [PATCH] tests/tcg/i386: Introduce and use reg_t consistently
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Define reg_t based on the actual register width.
-Define the inlines using that type.  This will allow
-input registers to 32-bit insns to be set to 64-bit
-values on x86-64, which allows testing various edge cases.
-
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
-Message-Id: <20230114230542.3116013-2-richard.henderson@linaro.org>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry-picked from commit 5d62d6649cd367b5b4a3676e7514d2f9ca86cb03)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- tests/tcg/i386/test-i386-bmi2.c | 182 ++++++++++++++++----------------
- 1 file changed, 93 insertions(+), 89 deletions(-)
-
-diff --git a/tests/tcg/i386/test-i386-bmi2.c b/tests/tcg/i386/test-i386-bmi2.c
-index 5fadf47510..3c3ef85513 100644
---- a/tests/tcg/i386/test-i386-bmi2.c
-+++ b/tests/tcg/i386/test-i386-bmi2.c
-@@ -3,34 +3,40 @@
- #include <stdint.h>
- #include <stdio.h>
- 
-+#ifdef __x86_64
-+typedef uint64_t reg_t;
-+#else
-+typedef uint32_t reg_t;
-+#endif
-+
- #define insn1q(name, arg0)                                                           \
--static inline uint64_t name##q(uint64_t arg0)                                        \
-+static inline reg_t name##q(reg_t arg0)                                              \
- {                                                                                    \
--    uint64_t result64;                                                               \
-+    reg_t result64;                                                                  \
-     asm volatile (#name "q   %1, %0" : "=r"(result64) : "rm"(arg0));                 \
-     return result64;                                                                 \
- }
- 
- #define insn1l(name, arg0)                                                           \
--static inline uint32_t name##l(uint32_t arg0)                                        \
-+static inline reg_t name##l(reg_t arg0)                                              \
- {                                                                                    \
--    uint32_t result32;                                                               \
-+    reg_t result32;                                                                  \
-     asm volatile (#name "l   %k1, %k0" : "=r"(result32) : "rm"(arg0));               \
-     return result32;                                                                 \
- }
- 
- #define insn2q(name, arg0, c0, arg1, c1)                                             \
--static inline uint64_t name##q(uint64_t arg0, uint64_t arg1)                         \
-+static inline reg_t name##q(reg_t arg0, reg_t arg1)                                  \
- {                                                                                    \
--    uint64_t result64;                                                               \
-+    reg_t result64;                                                                  \
-     asm volatile (#name "q   %2, %1, %0" : "=r"(result64) : c0(arg0), c1(arg1));     \
-     return result64;                                                                 \
- }
- 
- #define insn2l(name, arg0, c0, arg1, c1)                                             \
--static inline uint32_t name##l(uint32_t arg0, uint32_t arg1)                         \
-+static inline reg_t name##l(reg_t arg0, reg_t arg1)                                  \
- {                                                                                    \
--    uint32_t result32;                                                               \
-+    reg_t result32;                                                                  \
-     asm volatile (#name "l   %k2, %k1, %k0" : "=r"(result32) : c0(arg0), c1(arg1));  \
-     return result32;                                                                 \
- }
-@@ -65,130 +71,128 @@ insn1l(blsr, src)
- int main(int argc, char *argv[]) {
-     uint64_t ehlo = 0x202020204f4c4845ull;
-     uint64_t mask = 0xa080800302020001ull;
--    uint32_t result32;
-+    reg_t result;
- 
- #ifdef __x86_64
--    uint64_t result64;
--
-     /* 64 bits */
--    result64 = andnq(mask, ehlo);
--    assert(result64 == 0x002020204d4c4844);
-+    result = andnq(mask, ehlo);
-+    assert(result == 0x002020204d4c4844);
- 
--    result64 = pextq(ehlo, mask);
--    assert(result64 == 133);
-+    result = pextq(ehlo, mask);
-+    assert(result == 133);
- 
--    result64 = pdepq(result64, mask);
--    assert(result64 == (ehlo & mask));
-+    result = pdepq(result, mask);
-+    assert(result == (ehlo & mask));
- 
--    result64 = pextq(-1ull, mask);
--    assert(result64 == 511); /* mask has 9 bits set */
-+    result = pextq(-1ull, mask);
-+    assert(result == 511); /* mask has 9 bits set */
- 
--    result64 = pdepq(-1ull, mask);
--    assert(result64 == mask);
-+    result = pdepq(-1ull, mask);
-+    assert(result == mask);
- 
--    result64 = bextrq(mask, 0x3f00);
--    assert(result64 == (mask & ~INT64_MIN));
-+    result = bextrq(mask, 0x3f00);
-+    assert(result == (mask & ~INT64_MIN));
- 
--    result64 = bextrq(mask, 0x1038);
--    assert(result64 == 0xa0);
-+    result = bextrq(mask, 0x1038);
-+    assert(result == 0xa0);
- 
--    result64 = bextrq(mask, 0x10f8);
--    assert(result64 == 0);
-+    result = bextrq(mask, 0x10f8);
-+    assert(result == 0);
- 
--    result64 = blsiq(0x30);
--    assert(result64 == 0x10);
-+    result = blsiq(0x30);
-+    assert(result == 0x10);
- 
--    result64 = blsiq(0x30ull << 32);
--    assert(result64 == 0x10ull << 32);
-+    result = blsiq(0x30ull << 32);
-+    assert(result == 0x10ull << 32);
- 
--    result64 = blsmskq(0x30);
--    assert(result64 == 0x1f);
-+    result = blsmskq(0x30);
-+    assert(result == 0x1f);
- 
--    result64 = blsrq(0x30);
--    assert(result64 == 0x20);
-+    result = blsrq(0x30);
-+    assert(result == 0x20);
- 
--    result64 = blsrq(0x30ull << 32);
--    assert(result64 == 0x20ull << 32);
-+    result = blsrq(0x30ull << 32);
-+    assert(result == 0x20ull << 32);
- 
--    result64 = bzhiq(mask, 0x3f);
--    assert(result64 == (mask & ~INT64_MIN));
-+    result = bzhiq(mask, 0x3f);
-+    assert(result == (mask & ~INT64_MIN));
- 
--    result64 = bzhiq(mask, 0x1f);
--    assert(result64 == (mask & ~(-1 << 30)));
-+    result = bzhiq(mask, 0x1f);
-+    assert(result == (mask & ~(-1 << 30)));
- 
--    result64 = rorxq(0x2132435465768798, 8);
--    assert(result64 == 0x9821324354657687);
-+    result = rorxq(0x2132435465768798, 8);
-+    assert(result == 0x9821324354657687);
- 
--    result64 = sarxq(0xffeeddccbbaa9988, 8);
--    assert(result64 == 0xffffeeddccbbaa99);
-+    result = sarxq(0xffeeddccbbaa9988, 8);
-+    assert(result == 0xffffeeddccbbaa99);
- 
--    result64 = sarxq(0x77eeddccbbaa9988, 8 | 64);
--    assert(result64 == 0x0077eeddccbbaa99);
-+    result = sarxq(0x77eeddccbbaa9988, 8 | 64);
-+    assert(result == 0x0077eeddccbbaa99);
- 
--    result64 = shrxq(0xffeeddccbbaa9988, 8);
--    assert(result64 == 0x00ffeeddccbbaa99);
-+    result = shrxq(0xffeeddccbbaa9988, 8);
-+    assert(result == 0x00ffeeddccbbaa99);
- 
--    result64 = shrxq(0x77eeddccbbaa9988, 8 | 192);
--    assert(result64 == 0x0077eeddccbbaa99);
-+    result = shrxq(0x77eeddccbbaa9988, 8 | 192);
-+    assert(result == 0x0077eeddccbbaa99);
- 
--    result64 = shlxq(0xffeeddccbbaa9988, 8);
--    assert(result64 == 0xeeddccbbaa998800);
-+    result = shlxq(0xffeeddccbbaa9988, 8);
-+    assert(result == 0xeeddccbbaa998800);
- #endif
- 
-     /* 32 bits */
--    result32 = andnl(mask, ehlo);
--    assert(result32 == 0x04d4c4844);
-+    result = andnl(mask, ehlo);
-+    assert(result == 0x04d4c4844);
- 
--    result32 = pextl((uint32_t) ehlo, mask);
--    assert(result32 == 5);
-+    result = pextl((uint32_t) ehlo, mask);
-+    assert(result == 5);
- 
--    result32 = pdepl(result32, mask);
--    assert(result32 == (uint32_t)(ehlo & mask));
-+    result = pdepl(result, mask);
-+    assert(result == (uint32_t)(ehlo & mask));
- 
--    result32 = pextl(-1u, mask);
--    assert(result32 == 7); /* mask has 3 bits set */
-+    result = pextl(-1u, mask);
-+    assert(result == 7); /* mask has 3 bits set */
- 
--    result32 = pdepl(-1u, mask);
--    assert(result32 == (uint32_t)mask);
-+    result = pdepl(-1u, mask);
-+    assert(result == (uint32_t)mask);
- 
--    result32 = bextrl(mask, 0x1f00);
--    assert(result32 == (mask & ~INT32_MIN));
-+    result = bextrl(mask, 0x1f00);
-+    assert(result == (mask & ~INT32_MIN));
- 
--    result32 = bextrl(ehlo, 0x1018);
--    assert(result32 == 0x4f);
-+    result = bextrl(ehlo, 0x1018);
-+    assert(result == 0x4f);
- 
--    result32 = bextrl(mask, 0x1038);
--    assert(result32 == 0);
-+    result = bextrl(mask, 0x1038);
-+    assert(result == 0);
- 
--    result32 = blsil(0xffff);
--    assert(result32 == 1);
-+    result = blsil(0xffff);
-+    assert(result == 1);
- 
--    result32 = blsmskl(0x300);
--    assert(result32 == 0x1ff);
-+    result = blsmskl(0x300);
-+    assert(result == 0x1ff);
- 
--    result32 = blsrl(0xffc);
--    assert(result32 == 0xff8);
-+    result = blsrl(0xffc);
-+    assert(result == 0xff8);
- 
--    result32 = bzhil(mask, 0xf);
--    assert(result32 == 1);
-+    result = bzhil(mask, 0xf);
-+    assert(result == 1);
- 
--    result32 = rorxl(0x65768798, 8);
--    assert(result32 == 0x98657687);
-+    result = rorxl(0x65768798, 8);
-+    assert(result == 0x98657687);
- 
--    result32 = sarxl(0xffeeddcc, 8);
--    assert(result32 == 0xffffeedd);
-+    result = sarxl(0xffeeddcc, 8);
-+    assert(result == 0xffffeedd);
- 
--    result32 = sarxl(0x77eeddcc, 8 | 32);
--    assert(result32 == 0x0077eedd);
-+    result = sarxl(0x77eeddcc, 8 | 32);
-+    assert(result == 0x0077eedd);
- 
--    result32 = shrxl(0xffeeddcc, 8);
--    assert(result32 == 0x00ffeedd);
-+    result = shrxl(0xffeeddcc, 8);
-+    assert(result == 0x00ffeedd);
- 
--    result32 = shrxl(0x77eeddcc, 8 | 128);
--    assert(result32 == 0x0077eedd);
-+    result = shrxl(0x77eeddcc, 8 | 128);
-+    assert(result == 0x0077eedd);
- 
--    result32 = shlxl(0xffeeddcc, 8);
--    assert(result32 == 0xeeddcc00);
-+    result = shlxl(0xffeeddcc, 8);
-+    assert(result == 0xeeddcc00);
- 
-     return 0;
- }
diff --git a/debian/patches/extra/0025-target-i386-Fix-BEXTR-instruction.patch b/debian/patches/extra/0025-target-i386-Fix-BEXTR-instruction.patch
deleted file mode 100644
index 38282b2..0000000
--- a/debian/patches/extra/0025-target-i386-Fix-BEXTR-instruction.patch
+++ /dev/null
@@ -1,97 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Richard Henderson <richard.henderson@linaro.org>
-Date: Sat, 14 Jan 2023 13:05:42 -1000
-Subject: [PATCH] target/i386: Fix BEXTR instruction
-
-There were two problems here: not limiting the input to operand bits,
-and not correctly handling large extraction length.
-
-Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1372
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-Id: <20230114230542.3116013-3-richard.henderson@linaro.org>
-Cc: qemu-stable@nongnu.org
-Fixes: 1d0b926150e5 ("target/i386: move scalar 0F 38 and 0F 3A instruction to new decoder", 2022-10-18)
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry-picked from commit b14c0098975264ed03144f145bca0179a6763a07)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- target/i386/tcg/emit.c.inc      | 22 +++++++++++-----------
- tests/tcg/i386/test-i386-bmi2.c | 12 ++++++++++++
- 2 files changed, 23 insertions(+), 11 deletions(-)
-
-diff --git a/target/i386/tcg/emit.c.inc b/target/i386/tcg/emit.c.inc
-index 7037ff91c6..99f6ba6e19 100644
---- a/target/i386/tcg/emit.c.inc
-+++ b/target/i386/tcg/emit.c.inc
-@@ -1078,30 +1078,30 @@ static void gen_ANDN(DisasContext *s, CPUX86State *env, X86DecodedInsn *decode)
- static void gen_BEXTR(DisasContext *s, CPUX86State *env, X86DecodedInsn *decode)
- {
-     MemOp ot = decode->op[0].ot;
--    TCGv bound, zero;
-+    TCGv bound = tcg_constant_tl(ot == MO_64 ? 63 : 31);
-+    TCGv zero = tcg_constant_tl(0);
-+    TCGv mone = tcg_constant_tl(-1);
- 
-     /*
-      * Extract START, and shift the operand.
-      * Shifts larger than operand size get zeros.
-      */
-     tcg_gen_ext8u_tl(s->A0, s->T1);
-+    if (TARGET_LONG_BITS == 64 && ot == MO_32) {
-+        tcg_gen_ext32u_tl(s->T0, s->T0);
-+    }
-     tcg_gen_shr_tl(s->T0, s->T0, s->A0);
- 
--    bound = tcg_constant_tl(ot == MO_64 ? 63 : 31);
--    zero = tcg_constant_tl(0);
-     tcg_gen_movcond_tl(TCG_COND_LEU, s->T0, s->A0, bound, s->T0, zero);
- 
-     /*
--     * Extract the LEN into a mask.  Lengths larger than
--     * operand size get all ones.
-+     * Extract the LEN into an inverse mask.  Lengths larger than
-+     * operand size get all zeros, length 0 gets all ones.
-      */
-     tcg_gen_extract_tl(s->A0, s->T1, 8, 8);
--    tcg_gen_movcond_tl(TCG_COND_LEU, s->A0, s->A0, bound, s->A0, bound);
--
--    tcg_gen_movi_tl(s->T1, 1);
--    tcg_gen_shl_tl(s->T1, s->T1, s->A0);
--    tcg_gen_subi_tl(s->T1, s->T1, 1);
--    tcg_gen_and_tl(s->T0, s->T0, s->T1);
-+    tcg_gen_shl_tl(s->T1, mone, s->A0);
-+    tcg_gen_movcond_tl(TCG_COND_LEU, s->T1, s->A0, bound, s->T1, zero);
-+    tcg_gen_andc_tl(s->T0, s->T0, s->T1);
- 
-     gen_op_update1_cc(s);
-     set_cc_op(s, CC_OP_LOGICB + ot);
-diff --git a/tests/tcg/i386/test-i386-bmi2.c b/tests/tcg/i386/test-i386-bmi2.c
-index 3c3ef85513..982d4abda4 100644
---- a/tests/tcg/i386/test-i386-bmi2.c
-+++ b/tests/tcg/i386/test-i386-bmi2.c
-@@ -99,6 +99,9 @@ int main(int argc, char *argv[]) {
-     result = bextrq(mask, 0x10f8);
-     assert(result == 0);
- 
-+    result = bextrq(0xfedcba9876543210ull, 0x7f00);
-+    assert(result == 0xfedcba9876543210ull);
-+
-     result = blsiq(0x30);
-     assert(result == 0x10);
- 
-@@ -164,6 +167,15 @@ int main(int argc, char *argv[]) {
-     result = bextrl(mask, 0x1038);
-     assert(result == 0);
- 
-+    result = bextrl((reg_t)0x8f635a775ad3b9b4ull, 0x3018);
-+    assert(result == 0x5a);
-+
-+    result = bextrl((reg_t)0xfedcba9876543210ull, 0x7f00);
-+    assert(result == 0x76543210u);
-+
-+    result = bextrl(-1, 0);
-+    assert(result == 0);
-+
-     result = blsil(0xffff);
-     assert(result == 1);
- 
diff --git a/debian/patches/extra/0026-target-i386-Fix-C-flag-for-BLSI-BLSMSK-BLSR.patch b/debian/patches/extra/0026-target-i386-Fix-C-flag-for-BLSI-BLSMSK-BLSR.patch
deleted file mode 100644
index c743d55..0000000
--- a/debian/patches/extra/0026-target-i386-Fix-C-flag-for-BLSI-BLSMSK-BLSR.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Richard Henderson <richard.henderson@linaro.org>
-Date: Sat, 14 Jan 2023 08:06:01 -1000
-Subject: [PATCH] target/i386: Fix C flag for BLSI, BLSMSK, BLSR
-
-We forgot to set cc_src, which is used for computing C.
-
-Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1370
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-Id: <20230114180601.2993644-1-richard.henderson@linaro.org>
-Cc: qemu-stable@nongnu.org
-Fixes: 1d0b926150e5 ("target/i386: move scalar 0F 38 and 0F 3A instruction to new decoder", 2022-10-18)
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry-picked from commit 99282098dc74c2055bde5652bde6cf0067d0c370)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- target/i386/tcg/emit.c.inc | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/target/i386/tcg/emit.c.inc b/target/i386/tcg/emit.c.inc
-index 99f6ba6e19..4d7702c106 100644
---- a/target/i386/tcg/emit.c.inc
-+++ b/target/i386/tcg/emit.c.inc
-@@ -1111,6 +1111,7 @@ static void gen_BLSI(DisasContext *s, CPUX86State *env, X86DecodedInsn *decode)
- {
-     MemOp ot = decode->op[0].ot;
- 
-+    tcg_gen_mov_tl(cpu_cc_src, s->T0);
-     tcg_gen_neg_tl(s->T1, s->T0);
-     tcg_gen_and_tl(s->T0, s->T0, s->T1);
-     tcg_gen_mov_tl(cpu_cc_dst, s->T0);
-@@ -1121,6 +1122,7 @@ static void gen_BLSMSK(DisasContext *s, CPUX86State *env, X86DecodedInsn *decode
- {
-     MemOp ot = decode->op[0].ot;
- 
-+    tcg_gen_mov_tl(cpu_cc_src, s->T0);
-     tcg_gen_subi_tl(s->T1, s->T0, 1);
-     tcg_gen_xor_tl(s->T0, s->T0, s->T1);
-     tcg_gen_mov_tl(cpu_cc_dst, s->T0);
-@@ -1131,6 +1133,7 @@ static void gen_BLSR(DisasContext *s, CPUX86State *env, X86DecodedInsn *decode)
- {
-     MemOp ot = decode->op[0].ot;
- 
-+    tcg_gen_mov_tl(cpu_cc_src, s->T0);
-     tcg_gen_subi_tl(s->T1, s->T0, 1);
-     tcg_gen_and_tl(s->T0, s->T0, s->T1);
-     tcg_gen_mov_tl(cpu_cc_dst, s->T0);
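Review bot: the dropped 0026 patch touches only target/i386/tcg/emit.c.inc (1 file changed, 3 insertions) and carries no tests/tcg case, so no test will flag it if the rebased tree lacks the fix. Before relying on the drop, confirm that gen_BLSI, gen_BLSMSK and gen_BLSR in the 7.2.10 submodule each have "tcg_gen_mov_tl(cpu_cc_src, s->T0);" ahead of the neg/subi and and/xor lines, because the copy has to capture the source operand before s->T0 is overwritten.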
diff --git a/debian/patches/extra/0027-target-i386-fix-ADOX-followed-by-ADCX.patch b/debian/patches/extra/0027-target-i386-fix-ADOX-followed-by-ADCX.patch
deleted file mode 100644
index bb108e5..0000000
--- a/debian/patches/extra/0027-target-i386-fix-ADOX-followed-by-ADCX.patch
+++ /dev/null
@@ -1,192 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Tue, 31 Jan 2023 09:48:03 +0100
-Subject: [PATCH] target/i386: fix ADOX followed by ADCX
-
-When ADCX is followed by ADOX or vice versa, the second instruction's
-carry comes from EFLAGS and the condition codes use the CC_OP_ADCOX
-operation.  Retrieving the carry from EFLAGS is handled by this bit
-of gen_ADCOX:
-
-        tcg_gen_extract_tl(carry_in, cpu_cc_src,
-            ctz32(cc_op == CC_OP_ADCX ? CC_C : CC_O), 1);
-
-Unfortunately, in this case cc_op has been overwritten by the previous
-"if" statement to CC_OP_ADCOX.  This works by chance when the first
-instruction is ADCX; however, if the first instruction is ADOX,
-ADCX will incorrectly take its carry from OF instead of CF.
-
-Fix by moving the computation of the new cc_op at the end of the function.
-The included exhaustive test case fails without this patch and passes
-afterwards.
-
-Because ADCX/ADOX need not be invoked through the VEX prefix, this
-regression bisects to commit 16fc5726a6e2 ("target/i386: reimplement
-0x0f 0x38, add AVX", 2022-10-18).  However, the mistake happened a
-little earlier, when BMI instructions were rewritten using the new
-decoder framework.
-
-Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1471
-Reported-by: Paul Jolly <https://gitlab.com/myitcv>
-Fixes: 1d0b926150e5 ("target/i386: move scalar 0F 38 and 0F 3A instruction to new decoder", 2022-10-18)
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry-picked from commit 60c7dd22e1383754d5f150bc9f7c2785c662a7b6)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- target/i386/tcg/emit.c.inc       | 20 +++++----
- tests/tcg/i386/Makefile.target   |  6 ++-
- tests/tcg/i386/test-i386-adcox.c | 75 ++++++++++++++++++++++++++++++++
- 3 files changed, 91 insertions(+), 10 deletions(-)
- create mode 100644 tests/tcg/i386/test-i386-adcox.c
-
-diff --git a/target/i386/tcg/emit.c.inc b/target/i386/tcg/emit.c.inc
-index 4d7702c106..0d7c6e80ae 100644
---- a/target/i386/tcg/emit.c.inc
-+++ b/target/i386/tcg/emit.c.inc
-@@ -1015,6 +1015,7 @@ VSIB_AVX(VPGATHERQ, vpgatherq)
- 
- static void gen_ADCOX(DisasContext *s, CPUX86State *env, MemOp ot, int cc_op)
- {
-+    int opposite_cc_op;
-     TCGv carry_in = NULL;
-     TCGv carry_out = (cc_op == CC_OP_ADCX ? cpu_cc_dst : cpu_cc_src2);
-     TCGv zero;
-@@ -1022,14 +1023,8 @@ static void gen_ADCOX(DisasContext *s, CPUX86State *env, MemOp ot, int cc_op)
-     if (cc_op == s->cc_op || s->cc_op == CC_OP_ADCOX) {
-         /* Re-use the carry-out from a previous round.  */
-         carry_in = carry_out;
--        cc_op = s->cc_op;
--    } else if (s->cc_op == CC_OP_ADCX || s->cc_op == CC_OP_ADOX) {
--        /* Merge with the carry-out from the opposite instruction.  */
--        cc_op = CC_OP_ADCOX;
--    }
--
--    /* If we don't have a carry-in, get it out of EFLAGS.  */
--    if (!carry_in) {
-+    } else {
-+        /* We don't have a carry-in, get it out of EFLAGS.  */
-         if (s->cc_op != CC_OP_ADCX && s->cc_op != CC_OP_ADOX) {
-             gen_compute_eflags(s);
-         }
-@@ -1053,7 +1048,14 @@ static void gen_ADCOX(DisasContext *s, CPUX86State *env, MemOp ot, int cc_op)
-         tcg_gen_add2_tl(s->T0, carry_out, s->T0, carry_out, s->T1, zero);
-         break;
-     }
--    set_cc_op(s, cc_op);
-+
-+    opposite_cc_op = cc_op == CC_OP_ADCX ? CC_OP_ADOX : CC_OP_ADCX;
-+    if (s->cc_op == CC_OP_ADCOX || s->cc_op == opposite_cc_op) {
-+        /* Merge with the carry-out from the opposite instruction.  */
-+        set_cc_op(s, CC_OP_ADCOX);
-+    } else {
-+        set_cc_op(s, cc_op);
-+    }
- }
- 
- static void gen_ADCX(DisasContext *s, CPUX86State *env, X86DecodedInsn *decode)
-diff --git a/tests/tcg/i386/Makefile.target b/tests/tcg/i386/Makefile.target
-index 81831cafbc..bafd8c2180 100644
---- a/tests/tcg/i386/Makefile.target
-+++ b/tests/tcg/i386/Makefile.target
-@@ -14,7 +14,7 @@ config-cc.mak: Makefile
- I386_SRCS=$(notdir $(wildcard $(I386_SRC)/*.c))
- ALL_X86_TESTS=$(I386_SRCS:.c=)
- SKIP_I386_TESTS=test-i386-ssse3 test-avx test-3dnow test-mmx
--X86_64_TESTS:=$(filter test-i386-bmi2 $(SKIP_I386_TESTS), $(ALL_X86_TESTS))
-+X86_64_TESTS:=$(filter test-i386-adcox test-i386-bmi2 $(SKIP_I386_TESTS), $(ALL_X86_TESTS))
- 
- test-i386-sse-exceptions: CFLAGS += -msse4.1 -mfpmath=sse
- run-test-i386-sse-exceptions: QEMU_OPTS += -cpu max
-@@ -28,6 +28,10 @@ test-i386-bmi2: CFLAGS=-O2
- run-test-i386-bmi2: QEMU_OPTS += -cpu max
- run-plugin-test-i386-bmi2-%: QEMU_OPTS += -cpu max
- 
-+test-i386-adcox: CFLAGS=-O2
-+run-test-i386-adcox: QEMU_OPTS += -cpu max
-+run-plugin-test-i386-adcox-%: QEMU_OPTS += -cpu max
-+
- #
- # hello-i386 is a barebones app
- #
-diff --git a/tests/tcg/i386/test-i386-adcox.c b/tests/tcg/i386/test-i386-adcox.c
-new file mode 100644
-index 0000000000..16169efff8
---- /dev/null
-+++ b/tests/tcg/i386/test-i386-adcox.c
-@@ -0,0 +1,75 @@
-+/* See if various BMI2 instructions give expected results */
-+#include <assert.h>
-+#include <stdint.h>
-+#include <stdio.h>
-+
-+#define CC_C 1
-+#define CC_O (1 << 11)
-+
-+#ifdef __x86_64__
-+#define REG uint64_t
-+#else
-+#define REG uint32_t
-+#endif
-+
-+void test_adox_adcx(uint32_t in_c, uint32_t in_o, REG adcx_operand, REG adox_operand)
-+{
-+    REG flags;
-+    REG out_adcx, out_adox;
-+
-+    asm("pushf; pop %0" : "=r"(flags));
-+    flags &= ~(CC_C | CC_O);
-+    flags |= (in_c ? CC_C : 0);
-+    flags |= (in_o ? CC_O : 0);
-+
-+    out_adcx = adcx_operand;
-+    out_adox = adox_operand;
-+    asm("push %0; popf;"
-+        "adox %3, %2;"
-+        "adcx %3, %1;"
-+        "pushf; pop %0"
-+        : "+r" (flags), "+r" (out_adcx), "+r" (out_adox)
-+        : "r" ((REG)-1), "0" (flags), "1" (out_adcx), "2" (out_adox));
-+
-+    assert(out_adcx == in_c + adcx_operand - 1);
-+    assert(out_adox == in_o + adox_operand - 1);
-+    assert(!!(flags & CC_C) == (in_c || adcx_operand));
-+    assert(!!(flags & CC_O) == (in_o || adox_operand));
-+}
-+
-+void test_adcx_adox(uint32_t in_c, uint32_t in_o, REG adcx_operand, REG adox_operand)
-+{
-+    REG flags;
-+    REG out_adcx, out_adox;
-+
-+    asm("pushf; pop %0" : "=r"(flags));
-+    flags &= ~(CC_C | CC_O);
-+    flags |= (in_c ? CC_C : 0);
-+    flags |= (in_o ? CC_O : 0);
-+
-+    out_adcx = adcx_operand;
-+    out_adox = adox_operand;
-+    asm("push %0; popf;"
-+        "adcx %3, %1;"
-+        "adox %3, %2;"
-+        "pushf; pop %0"
-+        : "+r" (flags), "+r" (out_adcx), "+r" (out_adox)
-+        : "r" ((REG)-1), "0" (flags), "1" (out_adcx), "2" (out_adox));
-+
-+    assert(out_adcx == in_c + adcx_operand - 1);
-+    assert(out_adox == in_o + adox_operand - 1);
-+    assert(!!(flags & CC_C) == (in_c || adcx_operand));
-+    assert(!!(flags & CC_O) == (in_o || adox_operand));
-+}
-+
-+int main(int argc, char *argv[]) {
-+    /* try all combinations of input CF, input OF, CF from op1+op2,  OF from op2+op1 */
-+    int i;
-+    for (i = 0; i <= 15; i++) {
-+        printf("%d\n", i);
-+        test_adcx_adox(!!(i & 1), !!(i & 2), !!(i & 4), !!(i & 8));
-+        test_adox_adcx(!!(i & 1), !!(i & 2), !!(i & 4), !!(i & 8));
-+    }
-+    return 0;
-+}
-+
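Review bot: the drop of 0027 should be named in the commit message together with the id from its "(cherry-picked from commit 60c7dd22e1383754d5f150bc9f7c2785c662a7b6)" trailer, so the removal of this 192-line patch can be checked against the stable branch. The patch created tests/tcg/i386/test-i386-adcox.c and added test-i386-adcox to X86_64_TESTS in tests/tcg/i386/Makefile.target, so the presence of both in the 7.2.10 submodule is a quick check that the upstream commit landed, and running that test exercises the ADOX-then-ADCX order that the message says was broken.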
diff --git a/debian/patches/extra/0028-target-i386-Fix-BZHI-instruction.patch b/debian/patches/extra/0028-target-i386-Fix-BZHI-instruction.patch
deleted file mode 100644
index 391817c..0000000
--- a/debian/patches/extra/0028-target-i386-Fix-BZHI-instruction.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Richard Henderson <richard.henderson@linaro.org>
-Date: Sat, 14 Jan 2023 13:32:06 -1000
-Subject: [PATCH] target/i386: Fix BZHI instruction
-
-We did not correctly handle N >= operand size.
-
-Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1374
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-Id: <20230114233206.3118472-1-richard.henderson@linaro.org>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry-picked from commit 9ad2ba6e8e7fc195d0dd0b76ab38bd2fceb1bdd4)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- target/i386/tcg/emit.c.inc      | 14 +++++++-------
- tests/tcg/i386/test-i386-bmi2.c |  3 +++
- 2 files changed, 10 insertions(+), 7 deletions(-)
-
-diff --git a/target/i386/tcg/emit.c.inc b/target/i386/tcg/emit.c.inc
-index 0d7c6e80ae..7296f3952c 100644
---- a/target/i386/tcg/emit.c.inc
-+++ b/target/i386/tcg/emit.c.inc
-@@ -1145,20 +1145,20 @@ static void gen_BLSR(DisasContext *s, CPUX86State *env, X86DecodedInsn *decode)
- static void gen_BZHI(DisasContext *s, CPUX86State *env, X86DecodedInsn *decode)
- {
-     MemOp ot = decode->op[0].ot;
--    TCGv bound;
-+    TCGv bound = tcg_constant_tl(ot == MO_64 ? 63 : 31);
-+    TCGv zero = tcg_constant_tl(0);
-+    TCGv mone = tcg_constant_tl(-1);
- 
--    tcg_gen_ext8u_tl(s->T1, cpu_regs[s->vex_v]);
--    bound = tcg_constant_tl(ot == MO_64 ? 63 : 31);
-+    tcg_gen_ext8u_tl(s->T1, s->T1);
- 
-     /*
-      * Note that since we're using BMILG (in order to get O
-      * cleared) we need to store the inverse into C.
-      */
--    tcg_gen_setcond_tl(TCG_COND_LT, cpu_cc_src, s->T1, bound);
--    tcg_gen_movcond_tl(TCG_COND_GT, s->T1, s->T1, bound, bound, s->T1);
-+    tcg_gen_setcond_tl(TCG_COND_LEU, cpu_cc_src, s->T1, bound);
- 
--    tcg_gen_movi_tl(s->A0, -1);
--    tcg_gen_shl_tl(s->A0, s->A0, s->T1);
-+    tcg_gen_shl_tl(s->A0, mone, s->T1);
-+    tcg_gen_movcond_tl(TCG_COND_LEU, s->A0, s->T1, bound, s->A0, zero);
-     tcg_gen_andc_tl(s->T0, s->T0, s->A0);
- 
-     gen_op_update1_cc(s);
-diff --git a/tests/tcg/i386/test-i386-bmi2.c b/tests/tcg/i386/test-i386-bmi2.c
-index 982d4abda4..0244df7987 100644
---- a/tests/tcg/i386/test-i386-bmi2.c
-+++ b/tests/tcg/i386/test-i386-bmi2.c
-@@ -123,6 +123,9 @@ int main(int argc, char *argv[]) {
-     result = bzhiq(mask, 0x1f);
-     assert(result == (mask & ~(-1 << 30)));
- 
-+    result = bzhiq(mask, 0x40);
-+    assert(result == mask);
-+
-     result = rorxq(0x2132435465768798, 8);
-     assert(result == 0x9821324354657687);
- 
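Review bot: the commit message of the dropped 0028 patch has no "Cc: qemu-stable@nongnu.org" line, unlike the 0026 and 0027 patches removed above, so this is the drop most worth checking by hand against the 7.2.10 submodule. The assert pair added in tests/tcg/i386/test-i386-bmi2.c ("result = bzhiq(mask, 0x40);" followed by "assert(result == mask);") is an easy marker to grep for. Note that it covers only the 64-bit case with N equal to the operand size; this hunk has no 32-bit counterpart.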
diff --git a/debian/patches/pve/0002-PVE-Config-Adjust-network-script-path-to-etc-kvm.patch b/debian/patches/pve/0002-PVE-Config-Adjust-network-script-path-to-etc-kvm.patch
index d43d40a..c4e3e18 100644
--- a/debian/patches/pve/0002-PVE-Config-Adjust-network-script-path-to-etc-kvm.patch
+++ b/debian/patches/pve/0002-PVE-Config-Adjust-network-script-path-to-etc-kvm.patch
@@ -9,10 +9,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  1 file changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/include/net/net.h b/include/net/net.h
-index dc20b31e9f..5ae04a8693 100644
+index 5a7c0e9ebf..59dde996f9 100644
 --- a/include/net/net.h
 +++ b/include/net/net.h
-@@ -236,8 +236,8 @@ void netdev_add(QemuOpts *opts, Error **errp);
+@@ -238,8 +238,8 @@ void netdev_add(QemuOpts *opts, Error **errp);
  int net_hub_id_for_client(NetClientState *nc, int *id);
  NetClientState *net_hub_port_find(int hub_id);
  
diff --git a/debian/patches/pve/0003-PVE-Config-set-the-CPU-model-to-kvm64-32-instead-of-.patch b/debian/patches/pve/0003-PVE-Config-set-the-CPU-model-to-kvm64-32-instead-of-.patch
index 0871fc7..07ce8dd 100644
--- a/debian/patches/pve/0003-PVE-Config-set-the-CPU-model-to-kvm64-32-instead-of-.patch
+++ b/debian/patches/pve/0003-PVE-Config-set-the-CPU-model-to-kvm64-32-instead-of-.patch
@@ -10,7 +10,7 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  1 file changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/target/i386/cpu.h b/target/i386/cpu.h
-index d4bc19577a..be7da64f38 100644
+index 7be047ce33..a443d66439 100644
 --- a/target/i386/cpu.h
 +++ b/target/i386/cpu.h
 @@ -2174,9 +2174,9 @@ uint64_t cpu_get_tsc(CPUX86State *env);
diff --git a/debian/patches/pve/0007-PVE-Up-qmp-add-get_link_status.patch b/debian/patches/pve/0007-PVE-Up-qmp-add-get_link_status.patch
index 22ffc63..33f13ee 100644
--- a/debian/patches/pve/0007-PVE-Up-qmp-add-get_link_status.patch
+++ b/debian/patches/pve/0007-PVE-Up-qmp-add-get_link_status.patch
@@ -13,10 +13,10 @@ Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
  3 files changed, 44 insertions(+)
 
 diff --git a/net/net.c b/net/net.c
-index 840ad9dca5..28e97c5d85 100644
+index c3391168f6..f7d984f6f5 100644
 --- a/net/net.c
 +++ b/net/net.c
-@@ -1372,6 +1372,33 @@ void hmp_info_network(Monitor *mon, const QDict *qdict)
+@@ -1387,6 +1387,33 @@ void hmp_info_network(Monitor *mon, const QDict *qdict)
      }
  }
  
diff --git a/debian/patches/pve/0009-PVE-Up-qemu-img-return-success-on-info-without-snaps.patch b/debian/patches/pve/0009-PVE-Up-qemu-img-return-success-on-info-without-snaps.patch
index 7c2e8ba..b701d51 100644
--- a/debian/patches/pve/0009-PVE-Up-qemu-img-return-success-on-info-without-snaps.patch
+++ b/debian/patches/pve/0009-PVE-Up-qemu-img-return-success-on-info-without-snaps.patch
@@ -9,7 +9,7 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  1 file changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/qemu-img.c b/qemu-img.c
-index a9b3a8103c..0bc9f1af59 100644
+index 2c32d9da4e..b9636714f6 100644
 --- a/qemu-img.c
 +++ b/qemu-img.c
 @@ -3013,7 +3013,8 @@ static int img_info(int argc, char **argv)
diff --git a/debian/patches/pve/0010-PVE-Up-qemu-img-dd-add-osize-and-read-from-to-stdin-.patch b/debian/patches/pve/0010-PVE-Up-qemu-img-dd-add-osize-and-read-from-to-stdin-.patch
index fb6581b..77f9052 100644
--- a/debian/patches/pve/0010-PVE-Up-qemu-img-dd-add-osize-and-read-from-to-stdin-.patch
+++ b/debian/patches/pve/0010-PVE-Up-qemu-img-dd-add-osize-and-read-from-to-stdin-.patch
@@ -54,10 +54,10 @@ index 1b1dab5b17..d1616c045a 100644
  
  DEF("info", img_info,
 diff --git a/qemu-img.c b/qemu-img.c
-index 0bc9f1af59..221b9d6a16 100644
+index b9636714f6..0f6a4e4e57 100644
 --- a/qemu-img.c
 +++ b/qemu-img.c
-@@ -4829,10 +4829,12 @@ static int img_bitmap(int argc, char **argv)
+@@ -4840,10 +4840,12 @@ static int img_bitmap(int argc, char **argv)
  #define C_IF      04
  #define C_OF      010
  #define C_SKIP    020
@@ -70,7 +70,7 @@ index 0bc9f1af59..221b9d6a16 100644
  };
  
  struct DdIo {
-@@ -4908,6 +4910,19 @@ static int img_dd_skip(const char *arg,
+@@ -4919,6 +4921,19 @@ static int img_dd_skip(const char *arg,
      return 0;
  }
  
@@ -90,7 +90,7 @@ index 0bc9f1af59..221b9d6a16 100644
  static int img_dd(int argc, char **argv)
  {
      int ret = 0;
-@@ -4948,6 +4963,7 @@ static int img_dd(int argc, char **argv)
+@@ -4959,6 +4974,7 @@ static int img_dd(int argc, char **argv)
          { "if", img_dd_if, C_IF },
          { "of", img_dd_of, C_OF },
          { "skip", img_dd_skip, C_SKIP },
@@ -98,7 +98,7 @@ index 0bc9f1af59..221b9d6a16 100644
          { NULL, NULL, 0 }
      };
      const struct option long_options[] = {
-@@ -5023,91 +5039,112 @@ static int img_dd(int argc, char **argv)
+@@ -5034,91 +5050,112 @@ static int img_dd(int argc, char **argv)
          arg = NULL;
      }
  
@@ -275,7 +275,7 @@ index 0bc9f1af59..221b9d6a16 100644
      }
  
      if (dd.flags & C_SKIP && (in.offset > INT64_MAX / in.bsz ||
-@@ -5124,20 +5161,43 @@ static int img_dd(int argc, char **argv)
+@@ -5135,20 +5172,43 @@ static int img_dd(int argc, char **argv)
      in.buf = g_new(uint8_t, in.bsz);
  
      for (out_pos = 0; in_pos < size; ) {
diff --git a/debian/patches/pve/0011-PVE-Up-qemu-img-dd-add-isize-parameter.patch b/debian/patches/pve/0011-PVE-Up-qemu-img-dd-add-isize-parameter.patch
index 217b83b..b83d3b4 100644
--- a/debian/patches/pve/0011-PVE-Up-qemu-img-dd-add-isize-parameter.patch
+++ b/debian/patches/pve/0011-PVE-Up-qemu-img-dd-add-isize-parameter.patch
@@ -16,10 +16,10 @@ Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
  1 file changed, 25 insertions(+), 3 deletions(-)
 
 diff --git a/qemu-img.c b/qemu-img.c
-index 221b9d6a16..c1306385a8 100644
+index 0f6a4e4e57..a3cd66e56c 100644
 --- a/qemu-img.c
 +++ b/qemu-img.c
-@@ -4830,11 +4830,13 @@ static int img_bitmap(int argc, char **argv)
+@@ -4841,11 +4841,13 @@ static int img_bitmap(int argc, char **argv)
  #define C_OF      010
  #define C_SKIP    020
  #define C_OSIZE   040
@@ -33,7 +33,7 @@ index 221b9d6a16..c1306385a8 100644
  };
  
  struct DdIo {
-@@ -4923,6 +4925,19 @@ static int img_dd_osize(const char *arg,
+@@ -4934,6 +4936,19 @@ static int img_dd_osize(const char *arg,
      return 0;
  }
  
@@ -53,7 +53,7 @@ index 221b9d6a16..c1306385a8 100644
  static int img_dd(int argc, char **argv)
  {
      int ret = 0;
-@@ -4937,12 +4952,14 @@ static int img_dd(int argc, char **argv)
+@@ -4948,12 +4963,14 @@ static int img_dd(int argc, char **argv)
      int c, i;
      const char *out_fmt = "raw";
      const char *fmt = NULL;
@@ -69,7 +69,7 @@ index 221b9d6a16..c1306385a8 100644
      };
      struct DdIo in = {
          .bsz = 512, /* Block size is by default 512 bytes */
-@@ -4964,6 +4981,7 @@ static int img_dd(int argc, char **argv)
+@@ -4975,6 +4992,7 @@ static int img_dd(int argc, char **argv)
          { "of", img_dd_of, C_OF },
          { "skip", img_dd_skip, C_SKIP },
          { "osize", img_dd_osize, C_OSIZE },
@@ -77,7 +77,7 @@ index 221b9d6a16..c1306385a8 100644
          { NULL, NULL, 0 }
      };
      const struct option long_options[] = {
-@@ -5160,9 +5178,10 @@ static int img_dd(int argc, char **argv)
+@@ -5171,9 +5189,10 @@ static int img_dd(int argc, char **argv)
  
      in.buf = g_new(uint8_t, in.bsz);
  
@@ -90,7 +90,7 @@ index 221b9d6a16..c1306385a8 100644
          if (blk1) {
              in_ret = blk_pread(blk1, in_pos, bytes, in.buf, 0);
              if (in_ret == 0) {
-@@ -5171,6 +5190,9 @@ static int img_dd(int argc, char **argv)
+@@ -5182,6 +5201,9 @@ static int img_dd(int argc, char **argv)
          } else {
              in_ret = read(STDIN_FILENO, in.buf, bytes);
              if (in_ret == 0) {
diff --git a/debian/patches/pve/0012-PVE-Up-qemu-img-dd-add-n-skip_create.patch b/debian/patches/pve/0012-PVE-Up-qemu-img-dd-add-n-skip_create.patch
index db8a5c5..686e23d 100644
--- a/debian/patches/pve/0012-PVE-Up-qemu-img-dd-add-n-skip_create.patch
+++ b/debian/patches/pve/0012-PVE-Up-qemu-img-dd-add-n-skip_create.patch
@@ -65,10 +65,10 @@ index d1616c045a..b5b0bb4467 100644
  
  DEF("info", img_info,
 diff --git a/qemu-img.c b/qemu-img.c
-index c1306385a8..59c403373b 100644
+index a3cd66e56c..4f5ef5b887 100644
 --- a/qemu-img.c
 +++ b/qemu-img.c
-@@ -4954,7 +4954,7 @@ static int img_dd(int argc, char **argv)
+@@ -4965,7 +4965,7 @@ static int img_dd(int argc, char **argv)
      const char *fmt = NULL;
      int64_t size = 0, readsize = 0;
      int64_t out_pos, in_pos;
@@ -77,7 +77,7 @@ index c1306385a8..59c403373b 100644
      struct DdInfo dd = {
          .flags = 0,
          .count = 0,
-@@ -4992,7 +4992,7 @@ static int img_dd(int argc, char **argv)
+@@ -5003,7 +5003,7 @@ static int img_dd(int argc, char **argv)
          { 0, 0, 0, 0 }
      };
  
@@ -86,7 +86,7 @@ index c1306385a8..59c403373b 100644
          if (c == EOF) {
              break;
          }
-@@ -5012,6 +5012,9 @@ static int img_dd(int argc, char **argv)
+@@ -5023,6 +5023,9 @@ static int img_dd(int argc, char **argv)
          case 'h':
              help();
              break;
@@ -96,7 +96,7 @@ index c1306385a8..59c403373b 100644
          case 'U':
              force_share = true;
              break;
-@@ -5142,13 +5145,15 @@ static int img_dd(int argc, char **argv)
+@@ -5153,13 +5156,15 @@ static int img_dd(int argc, char **argv)
                                  size - in.bsz * in.offset, &error_abort);
          }
  
diff --git a/debian/patches/pve/0013-PVE-virtio-balloon-improve-query-balloon.patch b/debian/patches/pve/0013-PVE-virtio-balloon-improve-query-balloon.patch
index ad3eb76..7d48bcd 100644
--- a/debian/patches/pve/0013-PVE-virtio-balloon-improve-query-balloon.patch
+++ b/debian/patches/pve/0013-PVE-virtio-balloon-improve-query-balloon.patch
@@ -17,7 +17,7 @@ Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
  4 files changed, 82 insertions(+), 4 deletions(-)
 
 diff --git a/hw/virtio/virtio-balloon.c b/hw/virtio/virtio-balloon.c
-index 73ac5eb675..bbfe7eca62 100644
+index e4c4c2d3c8..49874569b1 100644
 --- a/hw/virtio/virtio-balloon.c
 +++ b/hw/virtio/virtio-balloon.c
 @@ -806,8 +806,37 @@ static uint64_t virtio_balloon_get_features(VirtIODevice *vdev, uint64_t f,
diff --git a/debian/patches/pve/0017-PVE-add-savevm-async-for-background-state-snapshots.patch b/debian/patches/pve/0017-PVE-add-savevm-async-for-background-state-snapshots.patch
index 3898bd4..830a2ee 100644
--- a/debian/patches/pve/0017-PVE-add-savevm-async-for-background-state-snapshots.patch
+++ b/debian/patches/pve/0017-PVE-add-savevm-async-for-background-state-snapshots.patch
@@ -854,10 +854,10 @@ index 27ef5a2b20..b3ce75dcae 100644
  # @CommandLineParameterType:
  #
 diff --git a/qemu-options.hx b/qemu-options.hx
-index 7f99d15b23..54efb127c4 100644
+index 7f798ce47e..9e3de34143 100644
 --- a/qemu-options.hx
 +++ b/qemu-options.hx
-@@ -4391,6 +4391,18 @@ SRST
+@@ -4423,6 +4423,18 @@ SRST
      Start right away with a saved state (``loadvm`` in monitor)
  ERST
  
@@ -877,7 +877,7 @@ index 7f99d15b23..54efb127c4 100644
  DEF("daemonize", 0, QEMU_OPTION_daemonize, \
      "-daemonize      daemonize QEMU after initializing\n", QEMU_ARCH_ALL)
 diff --git a/softmmu/vl.c b/softmmu/vl.c
-index 5f7f6ca981..21f067d115 100644
+index 7aa3eb5cf9..c94fe3d778 100644
 --- a/softmmu/vl.c
 +++ b/softmmu/vl.c
 @@ -164,6 +164,7 @@ static const char *accelerators;
@@ -888,7 +888,7 @@ index 5f7f6ca981..21f067d115 100644
  static QTAILQ_HEAD(, ObjectOption) object_opts = QTAILQ_HEAD_INITIALIZER(object_opts);
  static QTAILQ_HEAD(, DeviceOption) device_opts = QTAILQ_HEAD_INITIALIZER(device_opts);
  static int display_remote;
-@@ -2607,6 +2608,12 @@ void qmp_x_exit_preconfig(Error **errp)
+@@ -2615,6 +2616,12 @@ void qmp_x_exit_preconfig(Error **errp)
  
      if (loadvm) {
          load_snapshot(loadvm, NULL, false, NULL, &error_fatal);
@@ -901,7 +901,7 @@ index 5f7f6ca981..21f067d115 100644
      }
      if (replay_mode != REPLAY_MODE_NONE) {
          replay_vmstate_init();
-@@ -3151,6 +3158,9 @@ void qemu_init(int argc, char **argv)
+@@ -3159,6 +3166,9 @@ void qemu_init(int argc, char **argv)
              case QEMU_OPTION_loadvm:
                  loadvm = optarg;
                  break;
diff --git a/debian/patches/pve/0020-PVE-Add-dummy-id-command-line-parameter.patch b/debian/patches/pve/0020-PVE-Add-dummy-id-command-line-parameter.patch
index a3f3e04..6acb1d5 100644
--- a/debian/patches/pve/0020-PVE-Add-dummy-id-command-line-parameter.patch
+++ b/debian/patches/pve/0020-PVE-Add-dummy-id-command-line-parameter.patch
@@ -14,10 +14,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  2 files changed, 11 insertions(+)
 
 diff --git a/qemu-options.hx b/qemu-options.hx
-index 54efb127c4..ef456d03ec 100644
+index 9e3de34143..1ff8905127 100644
 --- a/qemu-options.hx
 +++ b/qemu-options.hx
-@@ -1147,6 +1147,9 @@ backend describes how QEMU handles the data.
+@@ -1159,6 +1159,9 @@ legacy PC, they are not recommended for modern configurations.
  
  ERST
  
@@ -28,10 +28,10 @@ index 54efb127c4..ef456d03ec 100644
      "-fda/-fdb file  use 'file' as floppy disk 0/1 image\n", QEMU_ARCH_ALL)
  DEF("fdb", HAS_ARG, QEMU_OPTION_fdb, "", QEMU_ARCH_ALL)
 diff --git a/softmmu/vl.c b/softmmu/vl.c
-index 21f067d115..9d737e7914 100644
+index c94fe3d778..a6f7a422ec 100644
 --- a/softmmu/vl.c
 +++ b/softmmu/vl.c
-@@ -2643,6 +2643,7 @@ void qemu_init(int argc, char **argv)
+@@ -2651,6 +2651,7 @@ void qemu_init(int argc, char **argv)
      MachineClass *machine_class;
      bool userconfig = true;
      FILE *vmstate_dump_file = NULL;
@@ -39,7 +39,7 @@ index 21f067d115..9d737e7914 100644
  
      qemu_add_opts(&qemu_drive_opts);
      qemu_add_drive_opts(&qemu_legacy_drive_opts);
-@@ -3263,6 +3264,13 @@ void qemu_init(int argc, char **argv)
+@@ -3271,6 +3272,13 @@ void qemu_init(int argc, char **argv)
                  machine_parse_property_opt(qemu_find_opts("smp-opts"),
                                             "smp", optarg);
                  break;
diff --git a/debian/patches/pve/0023-PVE-monitor-disable-oob-capability.patch b/debian/patches/pve/0023-PVE-monitor-disable-oob-capability.patch
index 9abde33..bdcfd8b 100644
--- a/debian/patches/pve/0023-PVE-monitor-disable-oob-capability.patch
+++ b/debian/patches/pve/0023-PVE-monitor-disable-oob-capability.patch
@@ -18,10 +18,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  1 file changed, 1 insertion(+), 2 deletions(-)
 
 diff --git a/monitor/qmp.c b/monitor/qmp.c
-index 6b8cfcf6d8..3ec67e32d3 100644
+index cc1407e4ac..c34fa2e0e3 100644
 --- a/monitor/qmp.c
 +++ b/monitor/qmp.c
-@@ -519,8 +519,7 @@ void monitor_init_qmp(Chardev *chr, bool pretty, Error **errp)
+@@ -502,8 +502,7 @@ void monitor_init_qmp(Chardev *chr, bool pretty, Error **errp)
      qemu_chr_fe_set_echo(&mon->common.chr, true);
  
      /* Note: we run QMP monitor in I/O thread when @chr supports that */
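Review bot: this is the only refreshed hunk in this part of the series whose target offset moves backwards ("@@ -519,8 +519,7 @@" becomes "@@ -502,8 +502,7 @@" for monitor/qmp.c), so upstream removed lines ahead of monitor_init_qmp() instead of adding them. Since this patch disables the OOB capability (1 insertion, 2 deletions), it is worth confirming in the refreshed patch body that the two removed lines still match the upstream code following the "Note: we run QMP monitor in I/O thread" comment.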
diff --git a/debian/patches/pve/0024-PVE-Compat-4.0-used-balloon-qemu-4-0-config-size-fal.patch b/debian/patches/pve/0024-PVE-Compat-4.0-used-balloon-qemu-4-0-config-size-fal.patch
index c7905be..4d9fcc9 100644
--- a/debian/patches/pve/0024-PVE-Compat-4.0-used-balloon-qemu-4-0-config-size-fal.patch
+++ b/debian/patches/pve/0024-PVE-Compat-4.0-used-balloon-qemu-4-0-config-size-fal.patch
@@ -26,10 +26,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  1 file changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/hw/core/machine.c b/hw/core/machine.c
-index 8d34caa31d..2df9037c4e 100644
+index 19f42450f5..39ef2b6fe6 100644
 --- a/hw/core/machine.c
 +++ b/hw/core/machine.c
-@@ -132,7 +132,8 @@ GlobalProperty hw_compat_4_0[] = {
+@@ -135,7 +135,8 @@ GlobalProperty hw_compat_4_0[] = {
      { "virtio-vga",     "edid", "false" },
      { "virtio-gpu-device", "edid", "false" },
      { "virtio-device", "use-started", "false" },
diff --git a/debian/patches/pve/0025-PVE-Allow-version-code-in-machine-type.patch b/debian/patches/pve/0025-PVE-Allow-version-code-in-machine-type.patch
index 2d814da..b5c86c5 100644
--- a/debian/patches/pve/0025-PVE-Allow-version-code-in-machine-type.patch
+++ b/debian/patches/pve/0025-PVE-Allow-version-code-in-machine-type.patch
@@ -36,10 +36,10 @@ index 76fff60a6b..ec9201fb9a 100644
  
          if (mc->default_cpu_type) {
 diff --git a/include/hw/boards.h b/include/hw/boards.h
-index 90f1dd3aeb..14d60520d9 100644
+index ca2f0d3592..acc3b62b6e 100644
 --- a/include/hw/boards.h
 +++ b/include/hw/boards.h
-@@ -230,6 +230,8 @@ struct MachineClass {
+@@ -232,6 +232,8 @@ struct MachineClass {
      const char *desc;
      const char *deprecation_reason;
  
@@ -71,10 +71,10 @@ index 9156103c8f..f4fb1b2c9c 100644
  ##
  # @query-machines:
 diff --git a/softmmu/vl.c b/softmmu/vl.c
-index 9d737e7914..a64eee2fad 100644
+index a6f7a422ec..8b0b35b6b4 100644
 --- a/softmmu/vl.c
 +++ b/softmmu/vl.c
-@@ -1578,6 +1578,7 @@ static const QEMUOption *lookup_opt(int argc, char **argv,
+@@ -1582,6 +1582,7 @@ static const QEMUOption *lookup_opt(int argc, char **argv,
  static MachineClass *select_machine(QDict *qdict, Error **errp)
  {
      const char *optarg = qdict_get_try_str(qdict, "type");
@@ -82,7 +82,7 @@ index 9d737e7914..a64eee2fad 100644
      GSList *machines = object_class_get_list(TYPE_MACHINE, false);
      MachineClass *machine_class;
      Error *local_err = NULL;
-@@ -1595,6 +1596,11 @@ static MachineClass *select_machine(QDict *qdict, Error **errp)
+@@ -1599,6 +1600,11 @@ static MachineClass *select_machine(QDict *qdict, Error **errp)
          }
      }
  
@@ -94,7 +94,7 @@ index 9d737e7914..a64eee2fad 100644
      g_slist_free(machines);
      if (local_err) {
          error_append_hint(&local_err, "Use -machine help to list supported machines\n");
-@@ -3205,12 +3211,31 @@ void qemu_init(int argc, char **argv)
+@@ -3213,12 +3219,31 @@ void qemu_init(int argc, char **argv)
              case QEMU_OPTION_machine:
                  {
                      bool help;
diff --git a/debian/patches/pve/0027-PVE-Backup-add-vma-backup-format-code.patch b/debian/patches/pve/0027-PVE-Backup-add-vma-backup-format-code.patch
index 7735ab9..0741098 100644
--- a/debian/patches/pve/0027-PVE-Backup-add-vma-backup-format-code.patch
+++ b/debian/patches/pve/0027-PVE-Backup-add-vma-backup-format-code.patch
@@ -33,7 +33,7 @@ index 020a89ae07..4feae20e37 100644
  softmmu_ss.add(files('block-ram-registrar.c'))
  
 diff --git a/meson.build b/meson.build
-index 5c6b5a1c75..e8cf7e3d78 100644
+index 787f91855e..a496f6fe10 100644
 --- a/meson.build
 +++ b/meson.build
 @@ -1525,6 +1525,8 @@ keyutils = dependency('libkeyutils', required: false,
@@ -45,7 +45,7 @@ index 5c6b5a1c75..e8cf7e3d78 100644
  # libselinux
  selinux = dependency('libselinux',
                       required: get_option('selinux'),
-@@ -3596,6 +3598,9 @@ if have_tools
+@@ -3598,6 +3600,9 @@ if have_tools
                 dependencies: [blockdev, qemuutil, gnutls, selinux],
                 install: true)
  
diff --git a/debian/patches/pve/0029-PVE-Backup-proxmox-backup-patches-for-qemu.patch b/debian/patches/pve/0029-PVE-Backup-proxmox-backup-patches-for-qemu.patch
index 36ca351..ffd1ab0 100644
--- a/debian/patches/pve/0029-PVE-Backup-proxmox-backup-patches-for-qemu.patch
+++ b/debian/patches/pve/0029-PVE-Backup-proxmox-backup-patches-for-qemu.patch
@@ -47,10 +47,10 @@ index 0d7023fc82..e995ae72b9 100644
  softmmu_ss.add(when: 'CONFIG_TCG', if_true: files('blkreplay.c'))
  softmmu_ss.add(files('block-ram-registrar.c'))
 diff --git a/block/monitor/block-hmp-cmds.c b/block/monitor/block-hmp-cmds.c
-index b6135e9bfe..477044c54a 100644
+index cf21b5e40a..60fa93c85e 100644
 --- a/block/monitor/block-hmp-cmds.c
 +++ b/block/monitor/block-hmp-cmds.c
-@@ -1015,3 +1015,36 @@ void hmp_info_snapshots(Monitor *mon, const QDict *qdict)
+@@ -1017,3 +1017,36 @@ void hmp_info_snapshots(Monitor *mon, const QDict *qdict)
      g_free(sn_tab);
      g_free(global_snapshots);
  }
@@ -88,7 +88,7 @@ index b6135e9bfe..477044c54a 100644
 +    hmp_handle_error(mon, error);
 +}
 diff --git a/blockdev.c b/blockdev.c
-index 756e980889..bc8d67b290 100644
+index 5b15a86bfa..cba1078815 100644
 --- a/blockdev.c
 +++ b/blockdev.c
 @@ -36,6 +36,7 @@
@@ -186,7 +186,7 @@ index 440f86aba8..350527e599 100644
  void hmp_device_add(Monitor *mon, const QDict *qdict);
  void hmp_device_del(Monitor *mon, const QDict *qdict);
 diff --git a/meson.build b/meson.build
-index e8cf7e3d78..782756162c 100644
+index a496f6fe10..406112d96f 100644
 --- a/meson.build
 +++ b/meson.build
 @@ -1526,6 +1526,7 @@ keyutils = dependency('libkeyutils', required: false,
diff --git a/debian/patches/pve/0030-PVE-Backup-pbs-restore-new-command-to-restore-from-p.patch b/debian/patches/pve/0030-PVE-Backup-pbs-restore-new-command-to-restore-from-p.patch
index 422f840..e9cf062 100644
--- a/debian/patches/pve/0030-PVE-Backup-pbs-restore-new-command-to-restore-from-p.patch
+++ b/debian/patches/pve/0030-PVE-Backup-pbs-restore-new-command-to-restore-from-p.patch
@@ -12,10 +12,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  create mode 100644 pbs-restore.c
 
 diff --git a/meson.build b/meson.build
-index 782756162c..63ea813a9a 100644
+index 406112d96f..9c46881eb7 100644
 --- a/meson.build
 +++ b/meson.build
-@@ -3602,6 +3602,10 @@ if have_tools
+@@ -3604,6 +3604,10 @@ if have_tools
    vma = executable('vma', files('vma.c', 'vma-reader.c') + genh,
                     dependencies: [authz, block, crypto, io, qom], install: true)
  
diff --git a/debian/patches/pve/0031-PVE-Backup-Add-dirty-bitmap-tracking-for-incremental.patch b/debian/patches/pve/0031-PVE-Backup-Add-dirty-bitmap-tracking-for-incremental.patch
index 6d225ba..1e39dcf 100644
--- a/debian/patches/pve/0031-PVE-Backup-Add-dirty-bitmap-tracking-for-incremental.patch
+++ b/debian/patches/pve/0031-PVE-Backup-Add-dirty-bitmap-tracking-for-incremental.patch
@@ -29,10 +29,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  6 files changed, 142 insertions(+), 23 deletions(-)
 
 diff --git a/block/monitor/block-hmp-cmds.c b/block/monitor/block-hmp-cmds.c
-index 477044c54a..556af25861 100644
+index 60fa93c85e..8b23bdedac 100644
 --- a/block/monitor/block-hmp-cmds.c
 +++ b/block/monitor/block-hmp-cmds.c
-@@ -1042,6 +1042,7 @@ void hmp_backup(Monitor *mon, const QDict *qdict)
+@@ -1044,6 +1044,7 @@ void hmp_backup(Monitor *mon, const QDict *qdict)
          false, NULL, // PBS fingerprint
          false, NULL, // PBS backup-id
          false, 0, // PBS backup-time
@@ -132,7 +132,7 @@ index 1dda8b7d8f..8cbf645b2c 100644
  
  
 diff --git a/pve-backup.c b/pve-backup.c
-index 3d28975eaa..abd7062afe 100644
+index 6af212b9b4..3f97cf6532 100644
 --- a/pve-backup.c
 +++ b/pve-backup.c
 @@ -28,6 +28,8 @@
diff --git a/debian/patches/pve/0032-PVE-various-PBS-fixes.patch b/debian/patches/pve/0032-PVE-various-PBS-fixes.patch
index 104e42d..c4d2112 100644
--- a/debian/patches/pve/0032-PVE-various-PBS-fixes.patch
+++ b/debian/patches/pve/0032-PVE-various-PBS-fixes.patch
@@ -19,10 +19,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  3 files changed, 54 insertions(+), 13 deletions(-)
 
 diff --git a/block/monitor/block-hmp-cmds.c b/block/monitor/block-hmp-cmds.c
-index 556af25861..a09f722fea 100644
+index 8b23bdedac..f59b02592e 100644
 --- a/block/monitor/block-hmp-cmds.c
 +++ b/block/monitor/block-hmp-cmds.c
-@@ -1042,7 +1042,9 @@ void hmp_backup(Monitor *mon, const QDict *qdict)
+@@ -1044,7 +1044,9 @@ void hmp_backup(Monitor *mon, const QDict *qdict)
          false, NULL, // PBS fingerprint
          false, NULL, // PBS backup-id
          false, 0, // PBS backup-time
@@ -34,7 +34,7 @@ index 556af25861..a09f722fea 100644
          false, NULL, false, NULL, !!devlist,
          devlist, qdict_haskey(qdict, "speed"), speed, &error);
 diff --git a/pve-backup.c b/pve-backup.c
-index abd7062afe..e113ab61b9 100644
+index 3f97cf6532..a275a1d4e1 100644
 --- a/pve-backup.c
 +++ b/pve-backup.c
 @@ -8,6 +8,7 @@
diff --git a/debian/patches/pve/0033-PVE-Add-PBS-block-driver-to-map-backup-archives-into.patch b/debian/patches/pve/0033-PVE-Add-PBS-block-driver-to-map-backup-archives-into.patch
index ab28112..68c658d 100644
--- a/debian/patches/pve/0033-PVE-Add-PBS-block-driver-to-map-backup-archives-into.patch
+++ b/debian/patches/pve/0033-PVE-Add-PBS-block-driver-to-map-backup-archives-into.patch
@@ -317,7 +317,7 @@ index 0000000000..9d1f1f39d4
 +
 +block_init(bdrv_pbs_init);
 diff --git a/configure b/configure
-index 26c7bc5154..c587e986c7 100755
+index 5f1828f1ec..c9b70b5e9a 100755
 --- a/configure
 +++ b/configure
 @@ -285,6 +285,7 @@ linux_user=""
@@ -358,10 +358,10 @@ index 26c7bc5154..c587e986c7 100755
  # XXX: suppress that
  if [ "$bsd" = "yes" ] ; then
 diff --git a/meson.build b/meson.build
-index 63ea813a9a..f7f5b3f253 100644
+index 9c46881eb7..93ebda47af 100644
 --- a/meson.build
 +++ b/meson.build
-@@ -3978,7 +3978,7 @@ summary_info += {'bzip2 support':     libbzip2}
+@@ -3980,7 +3980,7 @@ summary_info += {'bzip2 support':     libbzip2}
  summary_info += {'lzfse support':     liblzfse}
  summary_info += {'zstd support':      zstd}
  summary_info += {'NUMA host support': numa}
diff --git a/debian/patches/pve/0034-PVE-add-query_proxmox_support-QMP-command.patch b/debian/patches/pve/0034-PVE-add-query_proxmox_support-QMP-command.patch
index 22ff9a6..8ff8b32 100644
--- a/debian/patches/pve/0034-PVE-add-query_proxmox_support-QMP-command.patch
+++ b/debian/patches/pve/0034-PVE-add-query_proxmox_support-QMP-command.patch
@@ -16,7 +16,7 @@ Signed-off-by: Stefan Reiter <s.reiter@proxmox.com>
  2 files changed, 38 insertions(+)
 
 diff --git a/pve-backup.c b/pve-backup.c
-index e113ab61b9..9318ca4f0c 100644
+index a275a1d4e1..b10373cd8a 100644
 --- a/pve-backup.c
 +++ b/pve-backup.c
 @@ -1072,3 +1072,12 @@ BackupStatus *qmp_query_backup(Error **errp)
diff --git a/debian/patches/pve/0035-PVE-add-query-pbs-bitmap-info-QMP-call.patch b/debian/patches/pve/0035-PVE-add-query-pbs-bitmap-info-QMP-call.patch
index 92a19c5..1e7685e 100644
--- a/debian/patches/pve/0035-PVE-add-query-pbs-bitmap-info-QMP-call.patch
+++ b/debian/patches/pve/0035-PVE-add-query-pbs-bitmap-info-QMP-call.patch
@@ -69,7 +69,7 @@ index 670f783515..d819e5fc36 100644
                             info->zero_bytes, zero_per);
  
 diff --git a/pve-backup.c b/pve-backup.c
-index 9318ca4f0c..c85b2ecd83 100644
+index b10373cd8a..8ae50e06c3 100644
 --- a/pve-backup.c
 +++ b/pve-backup.c
 @@ -46,6 +46,7 @@ static struct PVEBackupState {
diff --git a/debian/patches/pve/0036-PVE-redirect-stderr-to-journal-when-daemonized.patch b/debian/patches/pve/0036-PVE-redirect-stderr-to-journal-when-daemonized.patch
index 4a00163..cdceb24 100644
--- a/debian/patches/pve/0036-PVE-redirect-stderr-to-journal-when-daemonized.patch
+++ b/debian/patches/pve/0036-PVE-redirect-stderr-to-journal-when-daemonized.patch
@@ -14,7 +14,7 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  2 files changed, 7 insertions(+), 2 deletions(-)
 
 diff --git a/meson.build b/meson.build
-index f7f5b3f253..283b0e356e 100644
+index 93ebda47af..d47ce5fe64 100644
 --- a/meson.build
 +++ b/meson.build
 @@ -1526,6 +1526,7 @@ keyutils = dependency('libkeyutils', required: false,
@@ -25,7 +25,7 @@ index f7f5b3f253..283b0e356e 100644
  libproxmox_backup_qemu = cc.find_library('proxmox_backup_qemu', required: true)
  
  # libselinux
-@@ -3096,6 +3097,7 @@ if have_block
+@@ -3094,6 +3095,7 @@ if have_block
    # os-posix.c contains POSIX-specific functions used by qemu-storage-daemon,
    # os-win32.c does not
    blockdev_ss.add(when: 'CONFIG_POSIX', if_true: files('os-posix.c'))
diff --git a/debian/patches/pve/0038-PVE-Backup-Use-a-transaction-to-synchronize-job-stat.patch b/debian/patches/pve/0038-PVE-Backup-Use-a-transaction-to-synchronize-job-stat.patch
index abda21b..d867326 100644
--- a/debian/patches/pve/0038-PVE-Backup-Use-a-transaction-to-synchronize-job-stat.patch
+++ b/debian/patches/pve/0038-PVE-Backup-Use-a-transaction-to-synchronize-job-stat.patch
@@ -20,7 +20,7 @@ Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
  1 file changed, 50 insertions(+), 113 deletions(-)
 
 diff --git a/pve-backup.c b/pve-backup.c
-index c85b2ecd83..b5fb844434 100644
+index 8ae50e06c3..eedac335ec 100644
 --- a/pve-backup.c
 +++ b/pve-backup.c
 @@ -52,6 +52,7 @@ static struct PVEBackupState {
diff --git a/debian/patches/pve/0039-PVE-Backup-Don-t-block-on-finishing-and-cleanup-crea.patch b/debian/patches/pve/0039-PVE-Backup-Don-t-block-on-finishing-and-cleanup-crea.patch
index e13b2d2..695e6cb 100644
--- a/debian/patches/pve/0039-PVE-Backup-Don-t-block-on-finishing-and-cleanup-crea.patch
+++ b/debian/patches/pve/0039-PVE-Backup-Don-t-block-on-finishing-and-cleanup-crea.patch
@@ -57,7 +57,7 @@ Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
  2 files changed, 138 insertions(+), 79 deletions(-)
 
 diff --git a/pve-backup.c b/pve-backup.c
-index b5fb844434..88268bb586 100644
+index eedac335ec..7bd9d06346 100644
 --- a/pve-backup.c
 +++ b/pve-backup.c
 @@ -33,7 +33,9 @@ const char *PBS_BITMAP_NAME = "pbs-incremental-dirty-bitmap";
diff --git a/debian/patches/pve/0040-PVE-Migrate-dirty-bitmap-state-via-savevm.patch b/debian/patches/pve/0040-PVE-Migrate-dirty-bitmap-state-via-savevm.patch
index fd338a5..5253076 100644
--- a/debian/patches/pve/0040-PVE-Migrate-dirty-bitmap-state-via-savevm.patch
+++ b/debian/patches/pve/0040-PVE-Migrate-dirty-bitmap-state-via-savevm.patch
@@ -51,7 +51,7 @@ index 0842d00cd2..d012f4d8d3 100644
  softmmu_ss.add(files(
    'block-dirty-bitmap.c',
 diff --git a/migration/migration.c b/migration/migration.c
-index f485eea5fb..89b287180f 100644
+index 9b496cce1d..421b4ee225 100644
 --- a/migration/migration.c
 +++ b/migration/migration.c
 @@ -229,6 +229,7 @@ void migration_object_init(void)
@@ -175,7 +175,7 @@ index 0000000000..29f2b3860d
 +                         NULL);
 +}
 diff --git a/pve-backup.c b/pve-backup.c
-index 88268bb586..fa9c6c4493 100644
+index 7bd9d06346..5662f48b72 100644
 --- a/pve-backup.c
 +++ b/pve-backup.c
 @@ -1128,6 +1128,7 @@ ProxmoxSupportStatus *qmp_query_proxmox_support(Error **errp)
diff --git a/debian/patches/pve/0042-PVE-fall-back-to-open-iscsi-initiatorname.patch b/debian/patches/pve/0042-PVE-fall-back-to-open-iscsi-initiatorname.patch
index afaddcf..d9108a6 100644
--- a/debian/patches/pve/0042-PVE-fall-back-to-open-iscsi-initiatorname.patch
+++ b/debian/patches/pve/0042-PVE-fall-back-to-open-iscsi-initiatorname.patch
@@ -21,10 +21,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  1 file changed, 30 insertions(+)
 
 diff --git a/block/iscsi.c b/block/iscsi.c
-index a316d46d96..3ed4a50c0d 100644
+index 1bba42a71b..89cd032c3a 100644
 --- a/block/iscsi.c
 +++ b/block/iscsi.c
-@@ -1387,12 +1387,42 @@ static char *get_initiator_name(QemuOpts *opts)
+@@ -1388,12 +1388,42 @@ static char *get_initiator_name(QemuOpts *opts)
      const char *name;
      char *iscsi_name;
      UuidInfo *uuid_info;
diff --git a/debian/patches/pve/0043-PVE-Use-coroutine-QMP-for-backup-cancel_backup.patch b/debian/patches/pve/0043-PVE-Use-coroutine-QMP-for-backup-cancel_backup.patch
index 18675b2..6ad487d 100644
--- a/debian/patches/pve/0043-PVE-Use-coroutine-QMP-for-backup-cancel_backup.patch
+++ b/debian/patches/pve/0043-PVE-Use-coroutine-QMP-for-backup-cancel_backup.patch
@@ -32,10 +32,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  5 files changed, 77 insertions(+), 196 deletions(-)
 
 diff --git a/block/monitor/block-hmp-cmds.c b/block/monitor/block-hmp-cmds.c
-index a09f722fea..71ed202491 100644
+index f59b02592e..2e53cb65df 100644
 --- a/block/monitor/block-hmp-cmds.c
 +++ b/block/monitor/block-hmp-cmds.c
-@@ -1016,7 +1016,7 @@ void hmp_info_snapshots(Monitor *mon, const QDict *qdict)
+@@ -1018,7 +1018,7 @@ void hmp_info_snapshots(Monitor *mon, const QDict *qdict)
      g_free(global_snapshots);
  }
  
@@ -44,7 +44,7 @@ index a09f722fea..71ed202491 100644
  {
      Error *error = NULL;
  
-@@ -1025,7 +1025,7 @@ void hmp_backup_cancel(Monitor *mon, const QDict *qdict)
+@@ -1027,7 +1027,7 @@ void hmp_backup_cancel(Monitor *mon, const QDict *qdict)
      hmp_handle_error(mon, error);
  }
  
diff --git a/debian/patches/pve/0044-PBS-add-master-key-support.patch b/debian/patches/pve/0044-PBS-add-master-key-support.patch
index 7c708d7..c3acf3d 100644
--- a/debian/patches/pve/0044-PBS-add-master-key-support.patch
+++ b/debian/patches/pve/0044-PBS-add-master-key-support.patch
@@ -19,10 +19,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  3 files changed, 11 insertions(+)
 
 diff --git a/block/monitor/block-hmp-cmds.c b/block/monitor/block-hmp-cmds.c
-index 71ed202491..c7468e5d3b 100644
+index 2e53cb65df..f98f4cf7e6 100644
 --- a/block/monitor/block-hmp-cmds.c
 +++ b/block/monitor/block-hmp-cmds.c
-@@ -1039,6 +1039,7 @@ void coroutine_fn hmp_backup(Monitor *mon, const QDict *qdict)
+@@ -1041,6 +1041,7 @@ void coroutine_fn hmp_backup(Monitor *mon, const QDict *qdict)
          false, NULL, // PBS password
          false, NULL, // PBS keyfile
          false, NULL, // PBS key_password
@@ -31,7 +31,7 @@ index 71ed202491..c7468e5d3b 100644
          false, NULL, // PBS backup-id
          false, 0, // PBS backup-time
 diff --git a/pve-backup.c b/pve-backup.c
-index 109498eaf9..4b5134ed27 100644
+index e4fe1b601d..41e8effa01 100644
 --- a/pve-backup.c
 +++ b/pve-backup.c
 @@ -529,6 +529,7 @@ UuidInfo coroutine_fn *qmp_backup(
diff --git a/debian/patches/pve/0047-block-io-accept-NULL-qiov-in-bdrv_pad_request.patch b/debian/patches/pve/0047-block-io-accept-NULL-qiov-in-bdrv_pad_request.patch
index 269d392..c565550 100644
--- a/debian/patches/pve/0047-block-io-accept-NULL-qiov-in-bdrv_pad_request.patch
+++ b/debian/patches/pve/0047-block-io-accept-NULL-qiov-in-bdrv_pad_request.patch
@@ -17,7 +17,7 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  1 file changed, 4 insertions(+)
 
 diff --git a/block/io.c b/block/io.c
-index b9424024f9..01f50d28c8 100644
+index 4589a58917..20167d61b7 100644
 --- a/block/io.c
 +++ b/block/io.c
 @@ -1730,6 +1730,10 @@ static int bdrv_pad_request(BlockDriverState *bs,
diff --git a/debian/patches/pve/0050-qemu-img-dd-add-l-option-for-loading-a-snapshot.patch b/debian/patches/pve/0050-qemu-img-dd-add-l-option-for-loading-a-snapshot.patch
index ed75a35..ff93e85 100644
--- a/debian/patches/pve/0050-qemu-img-dd-add-l-option-for-loading-a-snapshot.patch
+++ b/debian/patches/pve/0050-qemu-img-dd-add-l-option-for-loading-a-snapshot.patch
@@ -46,10 +46,10 @@ index b5b0bb4467..36f97e1f19 100644
  
  DEF("info", img_info,
 diff --git a/qemu-img.c b/qemu-img.c
-index 59c403373b..065a54cc42 100644
+index 4f5ef5b887..4894016ad2 100644
 --- a/qemu-img.c
 +++ b/qemu-img.c
-@@ -4946,6 +4946,7 @@ static int img_dd(int argc, char **argv)
+@@ -4957,6 +4957,7 @@ static int img_dd(int argc, char **argv)
      BlockDriver *drv = NULL, *proto_drv = NULL;
      BlockBackend *blk1 = NULL, *blk2 = NULL;
      QemuOpts *opts = NULL;
@@ -57,7 +57,7 @@ index 59c403373b..065a54cc42 100644
      QemuOptsList *create_opts = NULL;
      Error *local_err = NULL;
      bool image_opts = false;
-@@ -4955,6 +4956,7 @@ static int img_dd(int argc, char **argv)
+@@ -4966,6 +4967,7 @@ static int img_dd(int argc, char **argv)
      int64_t size = 0, readsize = 0;
      int64_t out_pos, in_pos;
      bool force_share = false, skip_create = false;
@@ -65,7 +65,7 @@ index 59c403373b..065a54cc42 100644
      struct DdInfo dd = {
          .flags = 0,
          .count = 0,
-@@ -4992,7 +4994,7 @@ static int img_dd(int argc, char **argv)
+@@ -5003,7 +5005,7 @@ static int img_dd(int argc, char **argv)
          { 0, 0, 0, 0 }
      };
  
@@ -74,7 +74,7 @@ index 59c403373b..065a54cc42 100644
          if (c == EOF) {
              break;
          }
-@@ -5015,6 +5017,19 @@ static int img_dd(int argc, char **argv)
+@@ -5026,6 +5028,19 @@ static int img_dd(int argc, char **argv)
          case 'n':
              skip_create = true;
              break;
@@ -94,7 +94,7 @@ index 59c403373b..065a54cc42 100644
          case 'U':
              force_share = true;
              break;
-@@ -5074,11 +5089,24 @@ static int img_dd(int argc, char **argv)
+@@ -5085,11 +5100,24 @@ static int img_dd(int argc, char **argv)
      if (dd.flags & C_IF) {
          blk1 = img_open(image_opts, in.filename, fmt, 0, false, false,
                          force_share);
@@ -120,7 +120,7 @@ index 59c403373b..065a54cc42 100644
      }
  
      if (dd.flags & C_OSIZE) {
-@@ -5233,6 +5261,7 @@ static int img_dd(int argc, char **argv)
+@@ -5244,6 +5272,7 @@ static int img_dd(int argc, char **argv)
  out:
      g_free(arg);
      qemu_opts_del(opts);
diff --git a/debian/patches/pve/0052-pbs-namespace-support.patch b/debian/patches/pve/0052-pbs-namespace-support.patch
index 2640b95..5cbf672 100644
--- a/debian/patches/pve/0052-pbs-namespace-support.patch
+++ b/debian/patches/pve/0052-pbs-namespace-support.patch
@@ -13,10 +13,10 @@ Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
  5 files changed, 47 insertions(+), 9 deletions(-)
 
 diff --git a/block/monitor/block-hmp-cmds.c b/block/monitor/block-hmp-cmds.c
-index c7468e5d3b..57b2457f1e 100644
+index f98f4cf7e6..55ef4f5965 100644
 --- a/block/monitor/block-hmp-cmds.c
 +++ b/block/monitor/block-hmp-cmds.c
-@@ -1041,6 +1041,7 @@ void coroutine_fn hmp_backup(Monitor *mon, const QDict *qdict)
+@@ -1043,6 +1043,7 @@ void coroutine_fn hmp_backup(Monitor *mon, const QDict *qdict)
          false, NULL, // PBS key_password
          false, NULL, // PBS master_keyfile
          false, NULL, // PBS fingerprint
@@ -170,7 +170,7 @@ index 2f834cf42e..f03d9bab8d 100644
          fprintf(stderr, "restore failed: %s\n", pbs_error);
          return -1;
 diff --git a/pve-backup.c b/pve-backup.c
-index 4b5134ed27..262e7d3894 100644
+index 41e8effa01..1c25ae98bd 100644
 --- a/pve-backup.c
 +++ b/pve-backup.c
 @@ -10,6 +10,8 @@
diff --git a/debian/patches/pve/0056-PVE-Backup-create-jobs-correctly-cancel-in-error-sce.patch b/debian/patches/pve/0056-PVE-Backup-create-jobs-correctly-cancel-in-error-sce.patch
index 3598205..67cdc44 100644
--- a/debian/patches/pve/0056-PVE-Backup-create-jobs-correctly-cancel-in-error-sce.patch
+++ b/debian/patches/pve/0056-PVE-Backup-create-jobs-correctly-cancel-in-error-sce.patch
@@ -21,7 +21,7 @@ Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
  1 file changed, 8 insertions(+), 2 deletions(-)
 
 diff --git a/pve-backup.c b/pve-backup.c
-index 262e7d3894..fde3554133 100644
+index 1c25ae98bd..1b466eee3a 100644
 --- a/pve-backup.c
 +++ b/pve-backup.c
 @@ -503,6 +503,11 @@ static void create_backup_jobs_bh(void *opaque) {
diff --git a/debian/patches/pve/0057-PVE-Backup-ensure-jobs-in-di_list-are-referenced.patch b/debian/patches/pve/0057-PVE-Backup-ensure-jobs-in-di_list-are-referenced.patch
index 1446569..2713f14 100644
--- a/debian/patches/pve/0057-PVE-Backup-ensure-jobs-in-di_list-are-referenced.patch
+++ b/debian/patches/pve/0057-PVE-Backup-ensure-jobs-in-di_list-are-referenced.patch
@@ -23,7 +23,7 @@ Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
  1 file changed, 19 insertions(+), 3 deletions(-)
 
 diff --git a/pve-backup.c b/pve-backup.c
-index fde3554133..0cf30e1ced 100644
+index 1b466eee3a..5aecf06af7 100644
 --- a/pve-backup.c
 +++ b/pve-backup.c
 @@ -316,6 +316,13 @@ static void coroutine_fn pvebackup_co_complete_stream(void *opaque)
diff --git a/debian/patches/pve/0058-PVE-Backup-avoid-segfault-issues-upon-backup-cancel.patch b/debian/patches/pve/0058-PVE-Backup-avoid-segfault-issues-upon-backup-cancel.patch
index 1fbf04a..4bfede4 100644
--- a/debian/patches/pve/0058-PVE-Backup-avoid-segfault-issues-upon-backup-cancel.patch
+++ b/debian/patches/pve/0058-PVE-Backup-avoid-segfault-issues-upon-backup-cancel.patch
@@ -39,7 +39,7 @@ Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
  1 file changed, 38 insertions(+), 19 deletions(-)
 
 diff --git a/pve-backup.c b/pve-backup.c
-index 0cf30e1ced..4067018dbe 100644
+index 5aecf06af7..a921cbcb2d 100644
 --- a/pve-backup.c
 +++ b/pve-backup.c
 @@ -354,12 +354,41 @@ static void pvebackup_complete_cb(void *opaque, int ret)
diff --git a/debian/patches/pve/0062-PVE-Backup-allow-passing-max-workers-performance-set.patch b/debian/patches/pve/0062-PVE-Backup-allow-passing-max-workers-performance-set.patch
index c22b380..a73d9e7 100644
--- a/debian/patches/pve/0062-PVE-Backup-allow-passing-max-workers-performance-set.patch
+++ b/debian/patches/pve/0062-PVE-Backup-allow-passing-max-workers-performance-set.patch
@@ -31,10 +31,10 @@ Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
  3 files changed, 23 insertions(+), 8 deletions(-)
 
 diff --git a/block/monitor/block-hmp-cmds.c b/block/monitor/block-hmp-cmds.c
-index 57b2457f1e..ab0c988ae9 100644
+index 55ef4f5965..62e962227b 100644
 --- a/block/monitor/block-hmp-cmds.c
 +++ b/block/monitor/block-hmp-cmds.c
-@@ -1049,7 +1049,9 @@ void coroutine_fn hmp_backup(Monitor *mon, const QDict *qdict)
+@@ -1051,7 +1051,9 @@ void coroutine_fn hmp_backup(Monitor *mon, const QDict *qdict)
          false, false, // PBS encrypt
          true, dir ? BACKUP_FORMAT_DIR : BACKUP_FORMAT_VMA,
          false, NULL, false, NULL, !!devlist,
@@ -46,7 +46,7 @@ index 57b2457f1e..ab0c988ae9 100644
      hmp_handle_error(mon, error);
  }
 diff --git a/pve-backup.c b/pve-backup.c
-index 4067018dbe..3ca4f74cb8 100644
+index a921cbcb2d..4e66f09927 100644
 --- a/pve-backup.c
 +++ b/pve-backup.c
 @@ -55,6 +55,7 @@ static struct PVEBackupState {
diff --git a/debian/patches/series b/debian/patches/series
index 4e8ddd6..f67a67b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,31 +1,7 @@
 extra/0001-monitor-qmp-fix-race-with-clients-disconnecting-earl.patch
 extra/0002-init-daemonize-defuse-PID-file-resolve-error.patch
-extra/0003-virtio-mem-Fix-the-bitmap-index-of-the-section-offse.patch
-extra/0004-virtio-mem-Fix-the-iterator-variable-in-a-vmem-rdl_l.patch
-extra/0005-vhost-fix-vq-dirty-bitmap-syncing-when-vIOMMU-is-ena.patch
-extra/0006-virtio-rng-pci-fix-migration-compat-for-vectors.patch
-extra/0007-block-fix-detect-zeroes-with-BDRV_REQ_REGISTERED_BUF.patch
-extra/0008-memory-prevent-dma-reentracy-issues.patch
-extra/0009-block-iscsi-fix-double-free-on-BUSY-or-similar-statu.patch
-extra/0010-scsi-megasas-Internal-cdbs-have-16-byte-length.patch
-extra/0011-ide-avoid-potential-deadlock-when-draining-during-tr.patch
-extra/0012-hw-nvme-fix-missing-endian-conversions-for-doorbell-.patch
-extra/0013-hw-smbios-fix-field-corruption-in-type-4-table.patch
-extra/0014-virtio-rng-pci-fix-transitional-migration-compat-for.patch
-extra/0015-hw-timer-hpet-Fix-expiration-time-overflow.patch
-extra/0016-vdpa-stop-all-svq-on-device-deletion.patch
-extra/0017-vhost-avoid-a-potential-use-of-an-uninitialized-vari.patch
-extra/0018-chardev-char-socket-set-s-listener-NULL-in-char_sock.patch
-extra/0019-intel-iommu-fail-MAP-notifier-without-caching-mode.patch
-extra/0020-intel-iommu-fail-DEVIOTLB_UNMAP-without-dt-mode.patch
-extra/0021-memory-Allow-disabling-re-entrancy-checking-per-MR.patch
-extra/0022-lsi53c895a-disable-reentrancy-detection-for-script-R.patch
-extra/0023-acpi-cpuhp-fix-guest-visible-maximum-access-size-to-.patch
-extra/0024-tests-tcg-i386-Introduce-and-use-reg_t-consistently.patch
-extra/0025-target-i386-Fix-BEXTR-instruction.patch
-extra/0026-target-i386-Fix-C-flag-for-BLSI-BLSMSK-BLSR.patch
-extra/0027-target-i386-fix-ADOX-followed-by-ADCX.patch
-extra/0028-target-i386-Fix-BZHI-instruction.patch
+extra/0003-scsi-megasas-Internal-cdbs-have-16-byte-length.patch
+extra/0004-ide-avoid-potential-deadlock-when-draining-during-tr.patch
 bitmap-mirror/0001-drive-mirror-add-support-for-sync-bitmap-mode-never.patch
 bitmap-mirror/0002-drive-mirror-add-support-for-conditional-and-always-.patch
 bitmap-mirror/0003-mirror-add-check-for-bitmap-mode-without-bitmap.patch
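Review bot: the removed `extra/` entries here (old 0003 through 0028, apart from the megasas and ide patches that stay as new 0003 and 0004) are dropped without any record of which upstream stable commit replaces each one. The commit message only accounts for the reentrancy patches (old 0008, 0021, 0022) by name. Listing the matching stable commits for the others, or stating that each was checked against the submodule range `b67b00e..eee83fa`, would let a reviewer confirm that fixes such as `0013-hw-smbios-fix-field-corruption-in-type-4-table` and `0015-hw-timer-hpet-Fix-expiration-time-overflow` are still carried after the bump.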
diff --git a/qemu b/qemu
index b67b00e..eee83fa 160000
--- a/qemu
+++ b/qemu
@@ -1 +1 @@
-Subproject commit b67b00e6b4c7831a3f5bc684bc0df7a9bfd1bd56
+Subproject commit eee83fae9d31efb4e1698c07c6de6bf564f363f6
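Review bot: the `+Subproject commit` line pins a bare hash, and nothing in this hunk or the commit message ties it to the 7.2.10 stable release named in the subject. Naming the upstream tag that this hash corresponds to in the commit message would let a reviewer check the submodule pointer against the upstream release tag, rather than trusting the hash as given.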
-- 
2.30.2






* [pve-devel] [PATCH stable-7 qemu 2/2] pick up some extra fixes from upcoming 7.2.11
  2024-04-10 13:13 [pve-devel] [PATCH stable-7 qemu 1/2] update patches and submodule to QEMU stable 7.2.10 Fiona Ebner
@ 2024-04-10 13:13 ` Fiona Ebner
  2024-04-10 16:13 ` [pve-devel] applied-series: [PATCH stable-7 qemu 1/2] update patches and submodule to QEMU stable 7.2.10 Thomas Lamprecht
  1 sibling, 0 replies; 3+ messages in thread
From: Fiona Ebner @ 2024-04-10 13:13 UTC (permalink / raw)
  To: pve-devel

In particular, the i386 patches fix an issue that was newly introduced
in 7.2.10 and the LSI patches improve the reentrancy fix. The others
also sounded relevant and nice to have.

Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
 ...lign-exposed-ID-registers-with-Linux.patch | 273 ++++++++++++++++++
 ...4-sysregs.c-Use-S-syntax-for-id_aa64.patch |  91 ++++++
 ...arget-arm-Fix-SME-full-tile-indexing.patch | 199 +++++++++++++
 ...tor-move-drain_call_rcu-call-under-i.patch |  61 ++++
 ...3c895a-stop-script-on-phase-mismatch.patch |  85 ++++++
 ...5a-add-missing-decrement-of-reentran.patch |  38 +++
 ...895a-add-timer-to-scripts-processing.patch | 173 +++++++++++
 ...0012-e1000e-fix-link-state-on-resume.patch | 161 +++++++++++
 ...roduce-function-to-query-MMU-indices.patch |  61 ++++
 ...separate-MMU-indexes-for-32-bit-acce.patch | 130 +++++++++
 ...386-fix-direction-of-32-bit-MMU-test.patch |  46 +++
 ...rt-monitor_puts-in-do_inject_x86_mce.patch |  35 +++
 ...ix-sign_mask-for-logical-right-shift.patch |  86 ++++++
 ...-Fix-packed-virtqueue-flush-used_idx.patch |  66 +++++
 ...he-CPU-model-to-kvm64-32-instead-of-.patch |   2 +-
 debian/patches/series                         |  14 +
 16 files changed, 1520 insertions(+), 1 deletion(-)
 create mode 100644 debian/patches/extra/0005-target-arm-align-exposed-ID-registers-with-Linux.patch
 create mode 100644 debian/patches/extra/0006-tests-tcg-aarch64-sysregs.c-Use-S-syntax-for-id_aa64.patch
 create mode 100644 debian/patches/extra/0007-target-arm-Fix-SME-full-tile-indexing.patch
 create mode 100644 debian/patches/extra/0008-system-qdev-monitor-move-drain_call_rcu-call-under-i.patch
 create mode 100644 debian/patches/extra/0009-hw-scsi-lsi53c895a-stop-script-on-phase-mismatch.patch
 create mode 100644 debian/patches/extra/0010-hw-scsi-lsi53c895a-add-missing-decrement-of-reentran.patch
 create mode 100644 debian/patches/extra/0011-hw-scsi-lsi53c895a-add-timer-to-scripts-processing.patch
 create mode 100644 debian/patches/extra/0012-e1000e-fix-link-state-on-resume.patch
 create mode 100644 debian/patches/extra/0013-target-i386-introduce-function-to-query-MMU-indices.patch
 create mode 100644 debian/patches/extra/0014-target-i386-use-separate-MMU-indexes-for-32-bit-acce.patch
 create mode 100644 debian/patches/extra/0015-target-i386-fix-direction-of-32-bit-MMU-test.patch
 create mode 100644 debian/patches/extra/0016-target-i386-Revert-monitor_puts-in-do_inject_x86_mce.patch
 create mode 100644 debian/patches/extra/0017-tcg-optimize-Fix-sign_mask-for-logical-right-shift.patch
 create mode 100644 debian/patches/extra/0018-hw-virtio-Fix-packed-virtqueue-flush-used_idx.patch

diff --git a/debian/patches/extra/0005-target-arm-align-exposed-ID-registers-with-Linux.patch b/debian/patches/extra/0005-target-arm-align-exposed-ID-registers-with-Linux.patch
new file mode 100644
index 0000000..bf17182
--- /dev/null
+++ b/debian/patches/extra/0005-target-arm-align-exposed-ID-registers-with-Linux.patch
@@ -0,0 +1,273 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Zhuojia Shen <chaosdefinition@hotmail.com>
+Date: Wed, 10 Apr 2024 08:43:24 +0300
+Subject: [PATCH] target/arm: align exposed ID registers with Linux
+
+In CPUID registers exposed to userspace, some registers were missing
+and some fields were not exposed.  This patch aligns exposed ID
+registers and their fields with what the upstream kernel currently
+exposes.
+
+Specifically, the following new ID registers/fields are exposed to
+userspace:
+
+ID_AA64PFR1_EL1.BT:       bits 3-0
+ID_AA64PFR1_EL1.MTE:      bits 11-8
+ID_AA64PFR1_EL1.SME:      bits 27-24
+
+ID_AA64ZFR0_EL1.SVEver:   bits 3-0
+ID_AA64ZFR0_EL1.AES:      bits 7-4
+ID_AA64ZFR0_EL1.BitPerm:  bits 19-16
+ID_AA64ZFR0_EL1.BF16:     bits 23-20
+ID_AA64ZFR0_EL1.SHA3:     bits 35-32
+ID_AA64ZFR0_EL1.SM4:      bits 43-40
+ID_AA64ZFR0_EL1.I8MM:     bits 47-44
+ID_AA64ZFR0_EL1.F32MM:    bits 55-52
+ID_AA64ZFR0_EL1.F64MM:    bits 59-56
+
+ID_AA64SMFR0_EL1.F32F32:  bit 32
+ID_AA64SMFR0_EL1.B16F32:  bit 34
+ID_AA64SMFR0_EL1.F16F32:  bit 35
+ID_AA64SMFR0_EL1.I8I32:   bits 39-36
+ID_AA64SMFR0_EL1.F64F64:  bit 48
+ID_AA64SMFR0_EL1.I16I64:  bits 55-52
+ID_AA64SMFR0_EL1.FA64:    bit 63
+
+ID_AA64MMFR0_EL1.ECV:     bits 63-60
+
+ID_AA64MMFR1_EL1.AFP:     bits 47-44
+
+ID_AA64MMFR2_EL1.AT:      bits 35-32
+
+ID_AA64ISAR0_EL1.RNDR:    bits 63-60
+
+ID_AA64ISAR1_EL1.FRINTTS: bits 35-32
+ID_AA64ISAR1_EL1.BF16:    bits 47-44
+ID_AA64ISAR1_EL1.DGH:     bits 51-48
+ID_AA64ISAR1_EL1.I8MM:    bits 55-52
+
+ID_AA64ISAR2_EL1.WFxT:    bits 3-0
+ID_AA64ISAR2_EL1.RPRES:   bits 7-4
+ID_AA64ISAR2_EL1.GPA3:    bits 11-8
+ID_AA64ISAR2_EL1.APA3:    bits 15-12
+
+The code is also refactored to use symbolic names for ID register fields
+for better readability and maintainability.
+
+The test case in tests/tcg/aarch64/sysregs.c is also updated to match
+the intended behavior.
+
+Signed-off-by: Zhuojia Shen <chaosdefinition@hotmail.com>
+Message-id: DS7PR12MB6309FB585E10772928F14271ACE79@DS7PR12MB6309.namprd12.prod.outlook.com
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+[PMM: use Sn_n_Cn_Cn_n syntax to work with older assemblers
+that don't recognize id_aa64isar2_el1 and id_aa64mmfr2_el1]
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+(cherry picked from commit bc6bd20ee3538347afb750c4bd06edca4a922897)
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+(Mjt: pick this for v8.0.0-2361-g1f51573f79
+ "target/arm: Fix SME full tile indexing")
+---
+ target/arm/helper.c               | 96 +++++++++++++++++++++++++------
+ tests/tcg/aarch64/Makefile.target |  7 ++-
+ tests/tcg/aarch64/sysregs.c       | 24 ++++++--
+ 3 files changed, 103 insertions(+), 24 deletions(-)
+
+diff --git a/target/arm/helper.c b/target/arm/helper.c
+index 2e284e048c..acc0470e86 100644
+--- a/target/arm/helper.c
++++ b/target/arm/helper.c
+@@ -7852,31 +7852,89 @@ void register_cp_regs_for_features(ARMCPU *cpu)
+ #ifdef CONFIG_USER_ONLY
+         static const ARMCPRegUserSpaceInfo v8_user_idregs[] = {
+             { .name = "ID_AA64PFR0_EL1",
+-              .exported_bits = 0x000f000f00ff0000,
+-              .fixed_bits    = 0x0000000000000011 },
++              .exported_bits = R_ID_AA64PFR0_FP_MASK |
++                               R_ID_AA64PFR0_ADVSIMD_MASK |
++                               R_ID_AA64PFR0_SVE_MASK |
++                               R_ID_AA64PFR0_DIT_MASK,
++              .fixed_bits = (0x1u << R_ID_AA64PFR0_EL0_SHIFT) |
++                            (0x1u << R_ID_AA64PFR0_EL1_SHIFT) },
+             { .name = "ID_AA64PFR1_EL1",
+-              .exported_bits = 0x00000000000000f0 },
++              .exported_bits = R_ID_AA64PFR1_BT_MASK |
++                               R_ID_AA64PFR1_SSBS_MASK |
++                               R_ID_AA64PFR1_MTE_MASK |
++                               R_ID_AA64PFR1_SME_MASK },
+             { .name = "ID_AA64PFR*_EL1_RESERVED",
+-              .is_glob = true                     },
+-            { .name = "ID_AA64ZFR0_EL1"           },
++              .is_glob = true },
++            { .name = "ID_AA64ZFR0_EL1",
++              .exported_bits = R_ID_AA64ZFR0_SVEVER_MASK |
++                               R_ID_AA64ZFR0_AES_MASK |
++                               R_ID_AA64ZFR0_BITPERM_MASK |
++                               R_ID_AA64ZFR0_BFLOAT16_MASK |
++                               R_ID_AA64ZFR0_SHA3_MASK |
++                               R_ID_AA64ZFR0_SM4_MASK |
++                               R_ID_AA64ZFR0_I8MM_MASK |
++                               R_ID_AA64ZFR0_F32MM_MASK |
++                               R_ID_AA64ZFR0_F64MM_MASK },
++            { .name = "ID_AA64SMFR0_EL1",
++              .exported_bits = R_ID_AA64SMFR0_F32F32_MASK |
++                               R_ID_AA64SMFR0_B16F32_MASK |
++                               R_ID_AA64SMFR0_F16F32_MASK |
++                               R_ID_AA64SMFR0_I8I32_MASK |
++                               R_ID_AA64SMFR0_F64F64_MASK |
++                               R_ID_AA64SMFR0_I16I64_MASK |
++                               R_ID_AA64SMFR0_FA64_MASK },
+             { .name = "ID_AA64MMFR0_EL1",
+-              .fixed_bits    = 0x00000000ff000000 },
+-            { .name = "ID_AA64MMFR1_EL1"          },
++              .exported_bits = R_ID_AA64MMFR0_ECV_MASK,
++              .fixed_bits = (0xfu << R_ID_AA64MMFR0_TGRAN64_SHIFT) |
++                            (0xfu << R_ID_AA64MMFR0_TGRAN4_SHIFT) },
++            { .name = "ID_AA64MMFR1_EL1",
++              .exported_bits = R_ID_AA64MMFR1_AFP_MASK },
++            { .name = "ID_AA64MMFR2_EL1",
++              .exported_bits = R_ID_AA64MMFR2_AT_MASK },
+             { .name = "ID_AA64MMFR*_EL1_RESERVED",
+-              .is_glob = true                     },
++              .is_glob = true },
+             { .name = "ID_AA64DFR0_EL1",
+-              .fixed_bits    = 0x0000000000000006 },
+-            { .name = "ID_AA64DFR1_EL1"           },
++              .fixed_bits = (0x6u << R_ID_AA64DFR0_DEBUGVER_SHIFT) },
++            { .name = "ID_AA64DFR1_EL1" },
+             { .name = "ID_AA64DFR*_EL1_RESERVED",
+-              .is_glob = true                     },
++              .is_glob = true },
+             { .name = "ID_AA64AFR*",
+-              .is_glob = true                     },
++              .is_glob = true },
+             { .name = "ID_AA64ISAR0_EL1",
+-              .exported_bits = 0x00fffffff0fffff0 },
++              .exported_bits = R_ID_AA64ISAR0_AES_MASK |
++                               R_ID_AA64ISAR0_SHA1_MASK |
++                               R_ID_AA64ISAR0_SHA2_MASK |
++                               R_ID_AA64ISAR0_CRC32_MASK |
++                               R_ID_AA64ISAR0_ATOMIC_MASK |
++                               R_ID_AA64ISAR0_RDM_MASK |
++                               R_ID_AA64ISAR0_SHA3_MASK |
++                               R_ID_AA64ISAR0_SM3_MASK |
++                               R_ID_AA64ISAR0_SM4_MASK |
++                               R_ID_AA64ISAR0_DP_MASK |
++                               R_ID_AA64ISAR0_FHM_MASK |
++                               R_ID_AA64ISAR0_TS_MASK |
++                               R_ID_AA64ISAR0_RNDR_MASK },
+             { .name = "ID_AA64ISAR1_EL1",
+-              .exported_bits = 0x000000f0ffffffff },
++              .exported_bits = R_ID_AA64ISAR1_DPB_MASK |
++                               R_ID_AA64ISAR1_APA_MASK |
++                               R_ID_AA64ISAR1_API_MASK |
++                               R_ID_AA64ISAR1_JSCVT_MASK |
++                               R_ID_AA64ISAR1_FCMA_MASK |
++                               R_ID_AA64ISAR1_LRCPC_MASK |
++                               R_ID_AA64ISAR1_GPA_MASK |
++                               R_ID_AA64ISAR1_GPI_MASK |
++                               R_ID_AA64ISAR1_FRINTTS_MASK |
++                               R_ID_AA64ISAR1_SB_MASK |
++                               R_ID_AA64ISAR1_BF16_MASK |
++                               R_ID_AA64ISAR1_DGH_MASK |
++                               R_ID_AA64ISAR1_I8MM_MASK },
++            { .name = "ID_AA64ISAR2_EL1",
++              .exported_bits = R_ID_AA64ISAR2_WFXT_MASK |
++                               R_ID_AA64ISAR2_RPRES_MASK |
++                               R_ID_AA64ISAR2_GPA3_MASK |
++                               R_ID_AA64ISAR2_APA3_MASK },
+             { .name = "ID_AA64ISAR*_EL1_RESERVED",
+-              .is_glob = true                     },
++              .is_glob = true },
+         };
+         modify_arm_cp_regs(v8_idregs, v8_user_idregs);
+ #endif
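Review bot: the new `.fixed_bits` initializers for ID_AA64PFR0_EL1 and ID_AA64MMFR0_EL1 shift 32-bit literals (`0x1u << R_ID_AA64PFR0_EL1_SHIFT`, `0xfu << R_ID_AA64MMFR0_TGRAN4_SHIFT`) into a field that the removed lines initialised with 64-bit constants such as `0x000f000f00ff0000`. That is only correct while every fixed field sits below bit 32; a field with a larger shift would be an out-of-range shift on an unsigned int, with no compiler diagnostic guaranteed. Suggest `ULL` suffixes on these literals so the pattern stays safe when it is copied for a higher field.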
+@@ -8194,8 +8252,12 @@ void register_cp_regs_for_features(ARMCPU *cpu)
+ #ifdef CONFIG_USER_ONLY
+         static const ARMCPRegUserSpaceInfo id_v8_user_midr_cp_reginfo[] = {
+             { .name = "MIDR_EL1",
+-              .exported_bits = 0x00000000ffffffff },
+-            { .name = "REVIDR_EL1"                },
++              .exported_bits = R_MIDR_EL1_REVISION_MASK |
++                               R_MIDR_EL1_PARTNUM_MASK |
++                               R_MIDR_EL1_ARCHITECTURE_MASK |
++                               R_MIDR_EL1_VARIANT_MASK |
++                               R_MIDR_EL1_IMPLEMENTER_MASK },
++            { .name = "REVIDR_EL1" },
+         };
+         modify_arm_cp_regs(id_v8_midr_cp_reginfo, id_v8_user_midr_cp_reginfo);
+ #endif
+diff --git a/tests/tcg/aarch64/Makefile.target b/tests/tcg/aarch64/Makefile.target
+index a72578fccb..fc6d5d824d 100644
+--- a/tests/tcg/aarch64/Makefile.target
++++ b/tests/tcg/aarch64/Makefile.target
+@@ -23,7 +23,8 @@ config-cc.mak: Makefile
+ 	    $(call cc-option,-march=armv8.1-a+sve2,         CROSS_CC_HAS_SVE2); \
+ 	    $(call cc-option,-march=armv8.3-a,              CROSS_CC_HAS_ARMV8_3); \
+ 	    $(call cc-option,-mbranch-protection=standard,  CROSS_CC_HAS_ARMV8_BTI); \
+-	    $(call cc-option,-march=armv8.5-a+memtag,       CROSS_CC_HAS_ARMV8_MTE)) 3> config-cc.mak
++	    $(call cc-option,-march=armv8.5-a+memtag,       CROSS_CC_HAS_ARMV8_MTE); \
++	    $(call cc-option,-march=armv9-a+sme,            CROSS_CC_HAS_ARMV9_SME)) 3> config-cc.mak
+ -include config-cc.mak
+ 
+ # Pauth Tests
+@@ -53,7 +54,11 @@ endif
+ ifneq ($(CROSS_CC_HAS_SVE),)
+ # System Registers Tests
+ AARCH64_TESTS += sysregs
++ifneq ($(CROSS_CC_HAS_ARMV9_SME),)
++sysregs: CFLAGS+=-march=armv9-a+sme -DHAS_ARMV9_SME
++else
+ sysregs: CFLAGS+=-march=armv8.1-a+sve
++endif
+ 
+ # SVE ioctl test
+ AARCH64_TESTS += sve-ioctls
+diff --git a/tests/tcg/aarch64/sysregs.c b/tests/tcg/aarch64/sysregs.c
+index 40cf8d2877..46b931f781 100644
+--- a/tests/tcg/aarch64/sysregs.c
++++ b/tests/tcg/aarch64/sysregs.c
+@@ -22,6 +22,13 @@
+ #define HWCAP_CPUID (1 << 11)
+ #endif
+ 
++/*
++ * Older assemblers don't recognize newer system register names,
++ * but we can still access them by the Sn_n_Cn_Cn_n syntax.
++ */
++#define SYS_ID_AA64ISAR2_EL1 S3_0_C0_C6_2
++#define SYS_ID_AA64MMFR2_EL1 S3_0_C0_C7_2
++
+ int failed_bit_count;
+ 
+ /* Read and print system register `id' value */
+@@ -112,18 +119,23 @@ int main(void)
+      * minimum valid fields - for the purposes of this check allowed
+      * to have non-zero values.
+      */
+-    get_cpu_reg_check_mask(id_aa64isar0_el1, _m(00ff,ffff,f0ff,fff0));
+-    get_cpu_reg_check_mask(id_aa64isar1_el1, _m(0000,00f0,ffff,ffff));
++    get_cpu_reg_check_mask(id_aa64isar0_el1, _m(f0ff,ffff,f0ff,fff0));
++    get_cpu_reg_check_mask(id_aa64isar1_el1, _m(00ff,f0ff,ffff,ffff));
++    get_cpu_reg_check_mask(SYS_ID_AA64ISAR2_EL1, _m(0000,0000,0000,ffff));
+     /* TGran4 & TGran64 as pegged to -1 */
+-    get_cpu_reg_check_mask(id_aa64mmfr0_el1, _m(0000,0000,ff00,0000));
+-    get_cpu_reg_check_zero(id_aa64mmfr1_el1);
++    get_cpu_reg_check_mask(id_aa64mmfr0_el1, _m(f000,0000,ff00,0000));
++    get_cpu_reg_check_mask(id_aa64mmfr1_el1, _m(0000,f000,0000,0000));
++    get_cpu_reg_check_mask(SYS_ID_AA64MMFR2_EL1, _m(0000,000f,0000,0000));
+     /* EL1/EL0 reported as AA64 only */
+     get_cpu_reg_check_mask(id_aa64pfr0_el1,  _m(000f,000f,00ff,0011));
+-    get_cpu_reg_check_mask(id_aa64pfr1_el1,  _m(0000,0000,0000,00f0));
++    get_cpu_reg_check_mask(id_aa64pfr1_el1,  _m(0000,0000,0f00,0fff));
+     /* all hidden, DebugVer fixed to 0x6 (ARMv8 debug architecture) */
+     get_cpu_reg_check_mask(id_aa64dfr0_el1,  _m(0000,0000,0000,0006));
+     get_cpu_reg_check_zero(id_aa64dfr1_el1);
+-    get_cpu_reg_check_zero(id_aa64zfr0_el1);
++    get_cpu_reg_check_mask(id_aa64zfr0_el1,  _m(0ff0,ff0f,00ff,00ff));
++#ifdef HAS_ARMV9_SME
++    get_cpu_reg_check_mask(id_aa64smfr0_el1, _m(80f1,00fd,0000,0000));
++#endif
+ 
+     get_cpu_reg_check_zero(id_aa64afr0_el1);
+     get_cpu_reg_check_zero(id_aa64afr1_el1);
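Review bot: the expected masks in this main() hunk are still hand-written hex (`_m(0000,0000,0f00,0fff)` for id_aa64pfr1_el1, `_m(0ff0,ff0f,00ff,00ff)` for id_aa64zfr0_el1) while the helper.c side of the same patch moved to named R_*_MASK constants, so nothing ties a test mask to the fields it is meant to cover. A short comment per line naming the exported fields would let the two lists be checked against each other the next time the exported set changes. Also, the id_aa64smfr0_el1 check is compiled only under HAS_ARMV9_SME, so with a compiler that rejects -march=armv9-a+sme the newly exported register is not tested at all.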
diff --git a/debian/patches/extra/0006-tests-tcg-aarch64-sysregs.c-Use-S-syntax-for-id_aa64.patch b/debian/patches/extra/0006-tests-tcg-aarch64-sysregs.c-Use-S-syntax-for-id_aa64.patch
new file mode 100644
index 0000000..b7b82bd
--- /dev/null
+++ b/debian/patches/extra/0006-tests-tcg-aarch64-sysregs.c-Use-S-syntax-for-id_aa64.patch
@@ -0,0 +1,91 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Peter Maydell <peter.maydell@linaro.org>
+Date: Wed, 10 Apr 2024 08:43:25 +0300
+Subject: [PATCH] tests/tcg/aarch64/sysregs.c: Use S syntax for id_aa64zfr0_el1
+ and id_aa64smfr0_el1
+
+Some assemblers will complain about attempts to access
+id_aa64zfr0_el1 and id_aa64smfr0_el1 by name if the test
+binary isn't built for the right processor type:
+
+ /tmp/ccASXpLo.s:782: Error: selected processor does not support system register name 'id_aa64zfr0_el1'
+ /tmp/ccASXpLo.s:829: Error: selected processor does not support system register name 'id_aa64smfr0_el1'
+
+However, these registers are in the ID space and are guaranteed to
+read-as-zero on older CPUs, so the access is both safe and sensible.
+Switch to using the S syntax, as we already do for ID_AA64ISAR2_EL1
+and ID_AA64MMFR2_EL1.  This allows us to drop the HAS_ARMV9_SME check
+and the makefile machinery to adjust the CFLAGS for this test, so we
+don't rely on having a sufficiently new compiler to be able to check
+these registers.
+
+This means we're actually testing the SME ID register: no released
+GCC yet recognizes -march=armv9-a+sme, so that was always skipped.
+It also avoids a future problem if we try to switch the "do we have
+SME support in the toolchain" check from "in the compiler" to "in the
+assembler" (at which point we would otherwise run into the above
+errors).
+
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+(cherry picked from commit 3dc2afeab2964b54848715b913b6c605f36be3e1)
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+(Mjt: pick this for v8.0.0-2361-g1f51573f79
+ "target/arm: Fix SME full tile indexing")
+---
+ tests/tcg/aarch64/Makefile.target |  7 +------
+ tests/tcg/aarch64/sysregs.c       | 11 +++++++----
+ 2 files changed, 8 insertions(+), 10 deletions(-)
+
+diff --git a/tests/tcg/aarch64/Makefile.target b/tests/tcg/aarch64/Makefile.target
+index fc6d5d824d..118d069073 100644
+--- a/tests/tcg/aarch64/Makefile.target
++++ b/tests/tcg/aarch64/Makefile.target
+@@ -51,15 +51,10 @@ AARCH64_TESTS += mte-1 mte-2 mte-3 mte-4 mte-5 mte-6 mte-7
+ mte-%: CFLAGS += -march=armv8.5-a+memtag
+ endif
+ 
+-ifneq ($(CROSS_CC_HAS_SVE),)
+ # System Registers Tests
+ AARCH64_TESTS += sysregs
+-ifneq ($(CROSS_CC_HAS_ARMV9_SME),)
+-sysregs: CFLAGS+=-march=armv9-a+sme -DHAS_ARMV9_SME
+-else
+-sysregs: CFLAGS+=-march=armv8.1-a+sve
+-endif
+ 
++ifneq ($(CROSS_CC_HAS_SVE),)
+ # SVE ioctl test
+ AARCH64_TESTS += sve-ioctls
+ sve-ioctls: CFLAGS+=-march=armv8.1-a+sve
+diff --git a/tests/tcg/aarch64/sysregs.c b/tests/tcg/aarch64/sysregs.c
+index 46b931f781..d8eb06abcf 100644
+--- a/tests/tcg/aarch64/sysregs.c
++++ b/tests/tcg/aarch64/sysregs.c
+@@ -25,9 +25,14 @@
+ /*
+  * Older assemblers don't recognize newer system register names,
+  * but we can still access them by the Sn_n_Cn_Cn_n syntax.
++ * This also means we don't need to specifically request that the
++ * assembler enables whatever architectural features the ID registers
++ * syntax might be gated behind.
+  */
+ #define SYS_ID_AA64ISAR2_EL1 S3_0_C0_C6_2
+ #define SYS_ID_AA64MMFR2_EL1 S3_0_C0_C7_2
++#define SYS_ID_AA64ZFR0_EL1 S3_0_C0_C4_4
++#define SYS_ID_AA64SMFR0_EL1 S3_0_C0_C4_5
+ 
+ int failed_bit_count;
+ 
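Review bot: the sentence added to the comment, ending "whatever architectural features the ID registers syntax might be gated behind", is hard to parse. Something like "the named form of these ID registers may be gated behind an architecture feature that the assembler was not asked to enable" says it directly. It would also help to spell out which position in Sn_n_Cn_Cn_n is op0, op1, CRn, CRm and op2, so the two new encodings (S3_0_C0_C4_4 and S3_0_C0_C4_5) can be checked against the register descriptions.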
+@@ -132,10 +137,8 @@ int main(void)
+     /* all hidden, DebugVer fixed to 0x6 (ARMv8 debug architecture) */
+     get_cpu_reg_check_mask(id_aa64dfr0_el1,  _m(0000,0000,0000,0006));
+     get_cpu_reg_check_zero(id_aa64dfr1_el1);
+-    get_cpu_reg_check_mask(id_aa64zfr0_el1,  _m(0ff0,ff0f,00ff,00ff));
+-#ifdef HAS_ARMV9_SME
+-    get_cpu_reg_check_mask(id_aa64smfr0_el1, _m(80f1,00fd,0000,0000));
+-#endif
++    get_cpu_reg_check_mask(SYS_ID_AA64ZFR0_EL1,  _m(0ff0,ff0f,00ff,00ff));
++    get_cpu_reg_check_mask(SYS_ID_AA64SMFR0_EL1, _m(80f1,00fd,0000,0000));
+ 
+     get_cpu_reg_check_zero(id_aa64afr0_el1);
+     get_cpu_reg_check_zero(id_aa64afr1_el1);
diff --git a/debian/patches/extra/0007-target-arm-Fix-SME-full-tile-indexing.patch b/debian/patches/extra/0007-target-arm-Fix-SME-full-tile-indexing.patch
new file mode 100644
index 0000000..228d794
--- /dev/null
+++ b/debian/patches/extra/0007-target-arm-Fix-SME-full-tile-indexing.patch
@@ -0,0 +1,199 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Richard Henderson <richard.henderson@linaro.org>
+Date: Wed, 10 Apr 2024 08:43:26 +0300
+Subject: [PATCH] target/arm: Fix SME full tile indexing
+
+For the outer product set of insns, which take an entire matrix
+tile as output, the argument is not a combined tile+column.
+Therefore using get_tile_rowcol was incorrect, as we extracted
+the tile number from itself.
+
+The test case relies only on assembler support for SME, since
+no release of GCC recognizes -march=armv9-a+sme yet.
+
+Cc: qemu-stable@nongnu.org
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1620
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20230622151201.1578522-5-richard.henderson@linaro.org
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+[PMM: dropped now-unneeded changes to sysregs CFLAGS]
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+(cherry picked from commit 1f51573f7925b80e79a29f87c7d9d6ead60960c0)
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+---
+ target/arm/translate-sme.c        | 24 ++++++---
+ tests/tcg/aarch64/Makefile.target |  7 ++-
+ tests/tcg/aarch64/sme-outprod1.c  | 83 +++++++++++++++++++++++++++++++
+ 3 files changed, 107 insertions(+), 7 deletions(-)
+ create mode 100644 tests/tcg/aarch64/sme-outprod1.c
+
+diff --git a/target/arm/translate-sme.c b/target/arm/translate-sme.c
+index 7b87a9df63..65f8495bdd 100644
+--- a/target/arm/translate-sme.c
++++ b/target/arm/translate-sme.c
+@@ -103,6 +103,21 @@ static TCGv_ptr get_tile_rowcol(DisasContext *s, int esz, int rs,
+     return addr;
+ }
+ 
++/*
++ * Resolve tile.size[0] to a host pointer.
++ * Used by e.g. outer product insns where we require the entire tile.
++ */
++static TCGv_ptr get_tile(DisasContext *s, int esz, int tile)
++{
++    TCGv_ptr addr = tcg_temp_new_ptr();
++    int offset;
++
++    offset = tile * sizeof(ARMVectorReg) + offsetof(CPUARMState, zarray);
++
++    tcg_gen_addi_ptr(addr, cpu_env, offset);
++    return addr;
++}
++
+ static bool trans_ZERO(DisasContext *s, arg_ZERO *a)
+ {
+     if (!dc_isar_feature(aa64_sme, s)) {
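Review bot: get_tile() takes `esz` but never uses it, and `tile` goes straight into `tile * sizeof(ARMVectorReg) + offsetof(CPUARMState, zarray)` with no range check. If the element size is irrelevant for a whole-tile pointer, drop the parameter; if it is kept, consider an assert that ties the valid tile numbers to `esz`, so a bad decode cannot produce an offset outside zarray. The header comment could also say in plain words that the result is the address of the tile's first row.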
+@@ -279,8 +294,7 @@ static bool do_adda(DisasContext *s, arg_adda *a, MemOp esz,
+         return true;
+     }
+ 
+-    /* Sum XZR+zad to find ZAd. */
+-    za = get_tile_rowcol(s, esz, 31, a->zad, false);
++    za = get_tile(s, esz, a->zad);
+     zn = vec_full_reg_ptr(s, a->zn);
+     pn = pred_full_reg_ptr(s, a->pn);
+     pm = pred_full_reg_ptr(s, a->pm);
+@@ -310,8 +324,7 @@ static bool do_outprod(DisasContext *s, arg_op *a, MemOp esz,
+         return true;
+     }
+ 
+-    /* Sum XZR+zad to find ZAd. */
+-    za = get_tile_rowcol(s, esz, 31, a->zad, false);
++    za = get_tile(s, esz, a->zad);
+     zn = vec_full_reg_ptr(s, a->zn);
+     zm = vec_full_reg_ptr(s, a->zm);
+     pn = pred_full_reg_ptr(s, a->pn);
+@@ -337,8 +350,7 @@ static bool do_outprod_fpst(DisasContext *s, arg_op *a, MemOp esz,
+         return true;
+     }
+ 
+-    /* Sum XZR+zad to find ZAd. */
+-    za = get_tile_rowcol(s, esz, 31, a->zad, false);
++    za = get_tile(s, esz, a->zad);
+     zn = vec_full_reg_ptr(s, a->zn);
+     zm = vec_full_reg_ptr(s, a->zm);
+     pn = pred_full_reg_ptr(s, a->pn);
+diff --git a/tests/tcg/aarch64/Makefile.target b/tests/tcg/aarch64/Makefile.target
+index 118d069073..5e4ea7c998 100644
+--- a/tests/tcg/aarch64/Makefile.target
++++ b/tests/tcg/aarch64/Makefile.target
+@@ -24,7 +24,7 @@ config-cc.mak: Makefile
+ 	    $(call cc-option,-march=armv8.3-a,              CROSS_CC_HAS_ARMV8_3); \
+ 	    $(call cc-option,-mbranch-protection=standard,  CROSS_CC_HAS_ARMV8_BTI); \
+ 	    $(call cc-option,-march=armv8.5-a+memtag,       CROSS_CC_HAS_ARMV8_MTE); \
+-	    $(call cc-option,-march=armv9-a+sme,            CROSS_CC_HAS_ARMV9_SME)) 3> config-cc.mak
++	    $(call cc-option,-Wa$(COMMA)-march=armv9-a+sme, CROSS_AS_HAS_ARMV9_SME)) 3> config-cc.mak
+ -include config-cc.mak
+ 
+ # Pauth Tests
+@@ -51,6 +51,11 @@ AARCH64_TESTS += mte-1 mte-2 mte-3 mte-4 mte-5 mte-6 mte-7
+ mte-%: CFLAGS += -march=armv8.5-a+memtag
+ endif
+ 
++# SME Tests
++ifneq ($(CROSS_AS_HAS_ARMV9_SME),)
++AARCH64_TESTS += sme-outprod1
++endif
++
+ # System Registers Tests
+ AARCH64_TESTS += sysregs
+ 
+diff --git a/tests/tcg/aarch64/sme-outprod1.c b/tests/tcg/aarch64/sme-outprod1.c
+new file mode 100644
+index 0000000000..6e5972d75e
+--- /dev/null
++++ b/tests/tcg/aarch64/sme-outprod1.c
+@@ -0,0 +1,83 @@
++/*
++ * SME outer product, 1 x 1.
++ * SPDX-License-Identifier: GPL-2.0-or-later
++ */
++
++#include <stdio.h>
++
++extern void foo(float *dst);
++
++asm(
++"	.arch_extension sme\n"
++"	.type foo, @function\n"
++"foo:\n"
++"	stp x29, x30, [sp, -80]!\n"
++"	mov x29, sp\n"
++"	stp d8, d9, [sp, 16]\n"
++"	stp d10, d11, [sp, 32]\n"
++"	stp d12, d13, [sp, 48]\n"
++"	stp d14, d15, [sp, 64]\n"
++"	smstart\n"
++"	ptrue p0.s, vl4\n"
++"	fmov z0.s, #1.0\n"
++/*
++ * An outer product of a vector of 1.0 by itself should be a matrix of 1.0.
++ * Note that we are using tile 1 here (za1.s) rather than tile 0.
++ */
++"	zero {za}\n"
++"	fmopa za1.s, p0/m, p0/m, z0.s, z0.s\n"
++/*
++ * Read the first 4x4 sub-matrix of elements from tile 1:
++ * Note that za1h should be interchangable here.
++ */
++"	mov w12, #0\n"
++"	mova z0.s, p0/m, za1v.s[w12, #0]\n"
++"	mova z1.s, p0/m, za1v.s[w12, #1]\n"
++"	mova z2.s, p0/m, za1v.s[w12, #2]\n"
++"	mova z3.s, p0/m, za1v.s[w12, #3]\n"
++/*
++ * And store them to the input pointer (dst in the C code):
++ */
++"	st1w {z0.s}, p0, [x0]\n"
++"	add x0, x0, #16\n"
++"	st1w {z1.s}, p0, [x0]\n"
++"	add x0, x0, #16\n"
++"	st1w {z2.s}, p0, [x0]\n"
++"	add x0, x0, #16\n"
++"	st1w {z3.s}, p0, [x0]\n"
++"	smstop\n"
++"	ldp d8, d9, [sp, 16]\n"
++"	ldp d10, d11, [sp, 32]\n"
++"	ldp d12, d13, [sp, 48]\n"
++"	ldp d14, d15, [sp, 64]\n"
++"	ldp x29, x30, [sp], 80\n"
++"	ret\n"
++"	.size foo, . - foo"
++);
++
++int main()
++{
++    float dst[16];
++    int i, j;
++
++    foo(dst);
++
++    for (i = 0; i < 16; i++) {
++        if (dst[i] != 1.0f) {
++            break;
++        }
++    }
++
++    if (i == 16) {
++        return 0; /* success */
++    }
++
++    /* failure */
++    for (i = 0; i < 4; ++i) {
++        for (j = 0; j < 4; ++j) {
++            printf("%f ", (double)dst[i * 4 + j]);
++        }
++        printf("\n");
++    }
++    return 1;
++}
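Review bot: the test only checks that the 4x4 block read from za1 is all 1.0; after `zero {za}` it never reads tile 0 back, so an implementation that writes the outer product to the requested tile and also to a wrong one would still pass. Reading one row of za0.s and checking that it is still zero would cover the mis-indexing this patch fixes from both sides. Minor: "interchangable" in the comment should be "interchangeable", and `int main()` should be `int main(void)`.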
diff --git a/debian/patches/extra/0008-system-qdev-monitor-move-drain_call_rcu-call-under-i.patch b/debian/patches/extra/0008-system-qdev-monitor-move-drain_call_rcu-call-under-i.patch
new file mode 100644
index 0000000..7c15a00
--- /dev/null
+++ b/debian/patches/extra/0008-system-qdev-monitor-move-drain_call_rcu-call-under-i.patch
@@ -0,0 +1,61 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Dmitrii Gavrilov <ds-gavr@yandex-team.ru>
+Date: Wed, 10 Apr 2024 08:43:28 +0300
+Subject: [PATCH] system/qdev-monitor: move drain_call_rcu call under if (!dev)
+ in qmp_device_add()
+
+Original goal of addition of drain_call_rcu to qmp_device_add was to cover
+the failure case of qdev_device_add. It seems call of drain_call_rcu was
+misplaced in 7bed89958bfbf40df what led to waiting for pending RCU callbacks
+under happy path too. What led to overall performance degradation of
+qmp_device_add.
+
+In this patch call of drain_call_rcu moved under handling of failure of
+qdev_device_add.
+
+Signed-off-by: Dmitrii Gavrilov <ds-gavr@yandex-team.ru>
+Message-ID: <20231103105602.90475-1-ds-gavr@yandex-team.ru>
+Fixes: 7bed89958bf ("device_core: use drain_call_rcu in in qmp_device_add", 2020-10-12)
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 012b170173bcaa14b9bc26209e0813311ac78489)
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+---
+ softmmu/qdev-monitor.c | 23 +++++++++++------------
+ 1 file changed, 11 insertions(+), 12 deletions(-)
+
+diff --git a/softmmu/qdev-monitor.c b/softmmu/qdev-monitor.c
+index 4b0ef65780..f4348443b0 100644
+--- a/softmmu/qdev-monitor.c
++++ b/softmmu/qdev-monitor.c
+@@ -853,19 +853,18 @@ void qmp_device_add(QDict *qdict, QObject **ret_data, Error **errp)
+         return;
+     }
+     dev = qdev_device_add(opts, errp);
+-
+-    /*
+-     * Drain all pending RCU callbacks. This is done because
+-     * some bus related operations can delay a device removal
+-     * (in this case this can happen if device is added and then
+-     * removed due to a configuration error)
+-     * to a RCU callback, but user might expect that this interface
+-     * will finish its job completely once qmp command returns result
+-     * to the user
+-     */
+-    drain_call_rcu();
+-
+     if (!dev) {
++        /*
++         * Drain all pending RCU callbacks. This is done because
++         * some bus related operations can delay a device removal
++         * (in this case this can happen if device is added and then
++         * removed due to a configuration error)
++         * to a RCU callback, but user might expect that this interface
++         * will finish its job completely once qmp command returns result
++         * to the user
++         */
++        drain_call_rcu();
++
+         qemu_opts_del(opts);
+         return;
+     }
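Review bot: drain_call_rcu() now runs only inside `if (!dev)`, but the comment that moved with it still reads as a general statement ("user might expect that this interface will finish its job completely once qmp command returns result"). Please reword it to say that the drain is needed only on this failure path, where a device that was added and then removed is torn down through an RCU callback. Without that, the call looks like it could be hoisted back out, which would bring the wait on the success path back.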
diff --git a/debian/patches/extra/0009-hw-scsi-lsi53c895a-stop-script-on-phase-mismatch.patch b/debian/patches/extra/0009-hw-scsi-lsi53c895a-stop-script-on-phase-mismatch.patch
new file mode 100644
index 0000000..fc1900f
--- /dev/null
+++ b/debian/patches/extra/0009-hw-scsi-lsi53c895a-stop-script-on-phase-mismatch.patch
@@ -0,0 +1,85 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Sven Schnelle <svens@stackframe.org>
+Date: Wed, 10 Apr 2024 08:43:29 +0300
+Subject: [PATCH] hw/scsi/lsi53c895a: stop script on phase mismatch
+
+Netbsd isn't happy with qemu lsi53c895a emulation:
+
+cd0(esiop0:0:2:0): command with tag id 0 reset
+esiop0: autoconfiguration error: phase mismatch without command
+esiop0: autoconfiguration error: unhandled scsi interrupt, sist=0x80 sstat1=0x0 DSA=0x23a64b1 DSP=0x50
+
+This is because lsi_bad_phase() triggers a phase mismatch, which
+stops SCRIPT processing. However, after returning to
+lsi_command_complete(), SCRIPT is restarted with lsi_resume_script().
+Fix this by adding a return value to lsi_bad_phase(), and only resume
+script processing when lsi_bad_phase() didn't trigger a host interrupt.
+
+Signed-off-by: Sven Schnelle <svens@stackframe.org>
+Tested-by: Helge Deller <deller@gmx.de>
+Message-ID: <20240302214453.2071388-1-svens@stackframe.org>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit a9198b3132d81a6bfc9fdbf6f3d3a514c2864674)
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+---
+ hw/scsi/lsi53c895a.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
+index ca619ed564..905f5ef237 100644
+--- a/hw/scsi/lsi53c895a.c
++++ b/hw/scsi/lsi53c895a.c
+@@ -570,8 +570,9 @@ static inline void lsi_set_phase(LSIState *s, int phase)
+     s->sstat1 = (s->sstat1 & ~PHASE_MASK) | phase;
+ }
+ 
+-static void lsi_bad_phase(LSIState *s, int out, int new_phase)
++static int lsi_bad_phase(LSIState *s, int out, int new_phase)
+ {
++    int ret = 0;
+     /* Trigger a phase mismatch.  */
+     if (s->ccntl0 & LSI_CCNTL0_ENPMJ) {
+         if ((s->ccntl0 & LSI_CCNTL0_PMJCTL)) {
+@@ -584,8 +585,10 @@ static void lsi_bad_phase(LSIState *s, int out, int new_phase)
+         trace_lsi_bad_phase_interrupt();
+         lsi_script_scsi_interrupt(s, LSI_SIST0_MA, 0);
+         lsi_stop_script(s);
++        ret = 1;
+     }
+     lsi_set_phase(s, new_phase);
++    return ret;
+ }
+ 
+ 
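Review bot: lsi_bad_phase() now returns an int that is only ever 0 or 1, and nothing at the function says what the value means. A `bool` return with a one-line comment (for example "true if a phase mismatch interrupt was raised and the script was stopped") would make the contract clear to callers.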
+@@ -789,7 +792,7 @@ static int lsi_queue_req(LSIState *s, SCSIRequest *req, uint32_t len)
+ static void lsi_command_complete(SCSIRequest *req, size_t resid)
+ {
+     LSIState *s = LSI53C895A(req->bus->qbus.parent);
+-    int out;
++    int out, stop = 0;
+ 
+     out = (s->sstat1 & PHASE_MASK) == PHASE_DO;
+     trace_lsi_command_complete(req->status);
+@@ -797,7 +800,10 @@ static void lsi_command_complete(SCSIRequest *req, size_t resid)
+     s->command_complete = 2;
+     if (s->waiting && s->dbc != 0) {
+         /* Raise phase mismatch for short transfers.  */
+-        lsi_bad_phase(s, out, PHASE_ST);
++        stop = lsi_bad_phase(s, out, PHASE_ST);
++        if (stop) {
++            s->waiting = 0;
++        }
+     } else {
+         lsi_set_phase(s, PHASE_ST);
+     }
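Review bot: `s->waiting = 0;` in the new `if (stop)` block uses a bare literal and has no comment saying why the wait state has to be cleared when the script was stopped. The later lsi53c895a patch in this series writes the same state as `s->waiting = LSI_NOWAIT;`, so use the enum name here too and add one line explaining that a stopped script must not be left marked as waiting for a transfer.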
+@@ -807,7 +813,9 @@ static void lsi_command_complete(SCSIRequest *req, size_t resid)
+         lsi_request_free(s, s->current);
+         scsi_req_unref(req);
+     }
+-    lsi_resume_script(s);
++    if (!stop) {
++        lsi_resume_script(s);
++    }
+ }
+ 
+  /* Callback to indicate that the SCSI layer has completed a transfer.  */
diff --git a/debian/patches/extra/0010-hw-scsi-lsi53c895a-add-missing-decrement-of-reentran.patch b/debian/patches/extra/0010-hw-scsi-lsi53c895a-add-missing-decrement-of-reentran.patch
new file mode 100644
index 0000000..35771e2
--- /dev/null
+++ b/debian/patches/extra/0010-hw-scsi-lsi53c895a-add-missing-decrement-of-reentran.patch
@@ -0,0 +1,38 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Sven Schnelle <svens@stackframe.org>
+Date: Wed, 10 Apr 2024 08:43:30 +0300
+Subject: [PATCH] hw/scsi/lsi53c895a: add missing decrement of reentrancy
+ counter
+
+When the maximum count of SCRIPTS instructions is reached, the code
+stops execution and returns, but fails to decrement the reentrancy
+counter. This effectively renders the SCSI controller unusable
+because on next entry the reentrancy counter is still above the limit.
+
+This bug was seen on HP-UX 10.20 which seems to trigger SCRIPTS
+loops.
+
+Fixes: b987718bbb ("hw/scsi/lsi53c895a: Fix reentrancy issues in the LSI controller (CVE-2023-0330)")
+Signed-off-by: Sven Schnelle <svens@stackframe.org>
+Message-ID: <20240128202214.2644768-1-svens@stackframe.org>
+Reviewed-by: Thomas Huth <thuth@redhat.com>
+Tested-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+(cherry picked from commit 8b09b7fe47082c69295a0fc0cc01b041b6385025)
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+---
+ hw/scsi/lsi53c895a.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
+index 905f5ef237..c7a3964b5f 100644
+--- a/hw/scsi/lsi53c895a.c
++++ b/hw/scsi/lsi53c895a.c
+@@ -1167,6 +1167,7 @@ again:
+         lsi_script_scsi_interrupt(s, LSI_SIST0_UDC, 0);
+         lsi_disconnect(s);
+         trace_lsi_execute_script_stop();
++        reentrancy_level--;
+         return;
+     }
+     insn = read_dword(s, s->dsp);
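Review bot: the added `reentrancy_level--;` fixes this early return, but the counter still has to be decremented by hand at each exit, which is how this path was missed in the first place. A single exit label that does the decrement, reached from every return site in the function, would keep the next early return from leaving the counter stuck above the limit and the controller unusable again.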
diff --git a/debian/patches/extra/0011-hw-scsi-lsi53c895a-add-timer-to-scripts-processing.patch b/debian/patches/extra/0011-hw-scsi-lsi53c895a-add-timer-to-scripts-processing.patch
new file mode 100644
index 0000000..32b7fe8
--- /dev/null
+++ b/debian/patches/extra/0011-hw-scsi-lsi53c895a-add-timer-to-scripts-processing.patch
@@ -0,0 +1,173 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Sven Schnelle <svens@stackframe.org>
+Date: Wed, 10 Apr 2024 08:43:31 +0300
+Subject: [PATCH] hw/scsi/lsi53c895a: add timer to scripts processing
+
+HP-UX 10.20 seems to make the lsi53c895a spinning on a memory location
+under certain circumstances. As the SCSI controller and CPU are not
+running at the same time this loop will never finish. After some
+time, the check loop interrupts with a unexpected device disconnect.
+This works, but is slow because the kernel resets the scsi controller.
+Instead of signaling UDC, start a timer and exit the loop. Until the
+timer fires, the CPU can process instructions which might changes the
+memory location.
+
+The limit of instructions is also reduced because scripts running on
+the SCSI processor are usually very short. This keeps the time until
+the loop is exit short.
+
+Suggested-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Sven Schnelle <svens@stackframe.org>
+Message-ID: <20240229204407.1699260-1-svens@stackframe.org>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 9876359990dd4c8a48de65cf5e1c3d13e96a7f4e)
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+---
+ hw/scsi/lsi53c895a.c | 43 +++++++++++++++++++++++++++++++++----------
+ hw/scsi/trace-events |  2 ++
+ 2 files changed, 35 insertions(+), 10 deletions(-)
+
+diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
+index c7a3964b5f..48c85d479c 100644
+--- a/hw/scsi/lsi53c895a.c
++++ b/hw/scsi/lsi53c895a.c
+@@ -188,7 +188,7 @@ static const char *names[] = {
+ #define LSI_TAG_VALID     (1 << 16)
+ 
+ /* Maximum instructions to process. */
+-#define LSI_MAX_INSN    10000
++#define LSI_MAX_INSN    100
+ 
+ typedef struct lsi_request {
+     SCSIRequest *req;
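Review bot: `LSI_MAX_INSN` drops from 10000 to 100, but the comment above it still says only "Maximum instructions to process." With this patch the limit is no longer a hard stop; it is the slice that runs before the script is parked on a timer. Say that in the comment, so the value is not read as a cap on script length.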
+@@ -205,6 +205,7 @@ enum {
+     LSI_WAIT_RESELECT, /* Wait Reselect instruction has been issued */
+     LSI_DMA_SCRIPTS, /* processing DMA from lsi_execute_script */
+     LSI_DMA_IN_PROGRESS, /* DMA operation is in progress */
++    LSI_WAIT_SCRIPTS, /* SCRIPTS stopped because of instruction count limit */
+ };
+ 
+ enum {
+@@ -224,6 +225,7 @@ struct LSIState {
+     MemoryRegion ram_io;
+     MemoryRegion io_io;
+     AddressSpace pci_io_as;
++    QEMUTimer *scripts_timer;
+ 
+     int carry; /* ??? Should this be an a visible register somewhere?  */
+     int status;
+@@ -415,6 +417,7 @@ static void lsi_soft_reset(LSIState *s)
+     s->sbr = 0;
+     assert(QTAILQ_EMPTY(&s->queue));
+     assert(!s->current);
++    timer_del(s->scripts_timer);
+ }
+ 
+ static int lsi_dma_40bit(LSIState *s)
+@@ -1135,6 +1138,12 @@ static void lsi_wait_reselect(LSIState *s)
+     }
+ }
+ 
++static void lsi_scripts_timer_start(LSIState *s)
++{
++    trace_lsi_scripts_timer_start();
++    timer_mod(s->scripts_timer, qemu_clock_get_us(QEMU_CLOCK_VIRTUAL) + 500);
++}
++
+ static void lsi_execute_script(LSIState *s)
+ {
+     PCIDevice *pci_dev = PCI_DEVICE(s);
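Review bot: the `+ 500` in lsi_scripts_timer_start() is an unnamed delay in microseconds of virtual time. Give it a named constant next to LSI_MAX_INSN, with a comment on how it was chosen, since the two values together decide how much time a spinning script leaves to the guest CPU.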
+@@ -1144,6 +1153,11 @@ static void lsi_execute_script(LSIState *s)
+     int insn_processed = 0;
+     static int reentrancy_level;
+ 
++    if (s->waiting == LSI_WAIT_SCRIPTS) {
++        timer_del(s->scripts_timer);
++        s->waiting = LSI_NOWAIT;
++    }
++
+     reentrancy_level++;
+ 
+     s->istat1 |= LSI_ISTAT1_SRUN;
+@@ -1151,8 +1165,8 @@ again:
+     /*
+      * Some windows drivers make the device spin waiting for a memory location
+      * to change. If we have executed more than LSI_MAX_INSN instructions then
+-     * assume this is the case and force an unexpected device disconnect. This
+-     * is apparently sufficient to beat the drivers into submission.
++     * assume this is the case and start a timer. Until the timer fires, the
++     * host CPU has a chance to run and change the memory location.
+      *
+      * Another issue (CVE-2023-0330) can occur if the script is programmed to
+      * trigger itself again and again. Avoid this problem by stopping after
+@@ -1160,13 +1174,8 @@ again:
+      * which should be enough for all valid use cases).
+      */
+     if (++insn_processed > LSI_MAX_INSN || reentrancy_level > 8) {
+-        if (!(s->sien0 & LSI_SIST0_UDC)) {
+-            qemu_log_mask(LOG_GUEST_ERROR,
+-                          "lsi_scsi: inf. loop with UDC masked");
+-        }
+-        lsi_script_scsi_interrupt(s, LSI_SIST0_UDC, 0);
+-        lsi_disconnect(s);
+-        trace_lsi_execute_script_stop();
++        s->waiting = LSI_WAIT_SCRIPTS;
++        lsi_scripts_timer_start(s);
+         reentrancy_level--;
+         return;
+     }
+@@ -2205,6 +2214,9 @@ static int lsi_post_load(void *opaque, int version_id)
+         return -EINVAL;
+     }
+ 
++    if (s->waiting == LSI_WAIT_SCRIPTS) {
++        lsi_scripts_timer_start(s);
++    }
+     return 0;
+ }
+ 
+@@ -2302,6 +2314,15 @@ static const struct SCSIBusInfo lsi_scsi_info = {
+     .cancel = lsi_request_cancelled
+ };
+ 
++static void scripts_timer_cb(void *opaque)
++{
++    LSIState *s = opaque;
++
++    trace_lsi_scripts_timer_triggered();
++    s->waiting = LSI_NOWAIT;
++    lsi_execute_script(s);
++}
++
+ static void lsi_scsi_realize(PCIDevice *dev, Error **errp)
+ {
+     LSIState *s = LSI53C895A(dev);
+@@ -2321,6 +2342,7 @@ static void lsi_scsi_realize(PCIDevice *dev, Error **errp)
+                           "lsi-ram", 0x2000);
+     memory_region_init_io(&s->io_io, OBJECT(s), &lsi_io_ops, s,
+                           "lsi-io", 256);
++    s->scripts_timer = timer_new_us(QEMU_CLOCK_VIRTUAL, scripts_timer_cb, s);
+ 
+     /*
+      * Since we use the address-space API to interact with ram_io, disable the
+@@ -2345,6 +2367,7 @@ static void lsi_scsi_exit(PCIDevice *dev)
+     LSIState *s = LSI53C895A(dev);
+ 
+     address_space_destroy(&s->pci_io_as);
++    timer_del(s->scripts_timer);
+ }
+ 
+ static void lsi_class_init(ObjectClass *klass, void *data)
+diff --git a/hw/scsi/trace-events b/hw/scsi/trace-events
+index ab238293f0..131af99d91 100644
+--- a/hw/scsi/trace-events
++++ b/hw/scsi/trace-events
+@@ -299,6 +299,8 @@ lsi_execute_script_stop(void) "SCRIPTS execution stopped"
+ lsi_awoken(void) "Woken by SIGP"
+ lsi_reg_read(const char *name, int offset, uint8_t ret) "Read reg %s 0x%x = 0x%02x"
+ lsi_reg_write(const char *name, int offset, uint8_t val) "Write reg %s 0x%x = 0x%02x"
++lsi_scripts_timer_triggered(void) "SCRIPTS timer triggered"
++lsi_scripts_timer_start(void) "SCRIPTS timer started"
+ 
+ # virtio-scsi.c
+ virtio_scsi_cmd_req(int lun, uint32_t tag, uint8_t cmd) "virtio_scsi_cmd_req lun=%u tag=0x%x cmd=0x%x"
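Review bot: lsi_scsi_exit() only calls timer_del(s->scripts_timer), and nothing visible here frees the QEMUTimer that lsi_scsi_realize() allocates with timer_new_us(); adding timer_free(s->scripts_timer) in the exit path would release it on unplug. In lsi_scripts_timer_start() the 500 in `qemu_clock_get_us(QEMU_CLOCK_VIRTUAL) + 500` is an unexplained magic number; a named constant with a comment on why 500 us was chosen would help. The limit branch now re-arms the timer for both halves of `++insn_processed > LSI_MAX_INSN || reentrancy_level > 8`, so the CVE-2023-0330 case is retried after the timer fires instead of ending in lsi_disconnect(); the comment above that branch should say whether this is intended.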
diff --git a/debian/patches/extra/0012-e1000e-fix-link-state-on-resume.patch b/debian/patches/extra/0012-e1000e-fix-link-state-on-resume.patch
new file mode 100644
index 0000000..b313718
--- /dev/null
+++ b/debian/patches/extra/0012-e1000e-fix-link-state-on-resume.patch
@@ -0,0 +1,161 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Laurent Vivier <lvivier@redhat.com>
+Date: Wed, 10 Apr 2024 08:43:33 +0300
+Subject: [PATCH] e1000e: fix link state on resume
+
+On resume e1000e_vm_state_change() always calls e1000e_autoneg_resume()
+that sets link_down to false, and thus activates the link even
+if we have disabled it.
+
+The problem can be reproduced starting qemu in paused state (-S) and
+then set the link to down. When we resume the machine the link appears
+to be up.
+
+Reproducer:
+
+   # qemu-system-x86_64 ... -device e1000e,netdev=netdev0,id=net0 -S
+
+   {"execute": "qmp_capabilities" }
+   {"execute": "set_link", "arguments": {"name": "net0", "up": false}}
+   {"execute": "cont" }
+
+To fix the problem, merge the content of e1000e_vm_state_change()
+into e1000e_core_post_load() as e1000 does.
+
+Buglink: https://issues.redhat.com/browse/RHEL-21867
+Fixes: 6f3fbe4ed06a ("net: Introduce e1000e device emulation")
+Suggested-by: Akihiko Odaki <akihiko.odaki@daynix.com>
+Signed-off-by: Laurent Vivier <lvivier@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+(cherry picked from commit 4cadf10234989861398e19f3bb441d3861f3bb7c)
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+---
+ hw/net/e1000e_core.c | 60 ++++++--------------------------------------
+ hw/net/e1000e_core.h |  2 --
+ 2 files changed, 7 insertions(+), 55 deletions(-)
+
+diff --git a/hw/net/e1000e_core.c b/hw/net/e1000e_core.c
+index c71d82ce1d..742f5ec800 100644
+--- a/hw/net/e1000e_core.c
++++ b/hw/net/e1000e_core.c
+@@ -108,14 +108,6 @@ e1000e_intmgr_timer_resume(E1000IntrDelayTimer *timer)
+     }
+ }
+ 
+-static void
+-e1000e_intmgr_timer_pause(E1000IntrDelayTimer *timer)
+-{
+-    if (timer->running) {
+-        timer_del(timer->timer);
+-    }
+-}
+-
+ static inline void
+ e1000e_intrmgr_stop_timer(E1000IntrDelayTimer *timer)
+ {
+@@ -397,24 +389,6 @@ e1000e_intrmgr_resume(E1000ECore *core)
+     }
+ }
+ 
+-static void
+-e1000e_intrmgr_pause(E1000ECore *core)
+-{
+-    int i;
+-
+-    e1000e_intmgr_timer_pause(&core->radv);
+-    e1000e_intmgr_timer_pause(&core->rdtr);
+-    e1000e_intmgr_timer_pause(&core->raid);
+-    e1000e_intmgr_timer_pause(&core->tidv);
+-    e1000e_intmgr_timer_pause(&core->tadv);
+-
+-    e1000e_intmgr_timer_pause(&core->itr);
+-
+-    for (i = 0; i < E1000E_MSIX_VEC_NUM; i++) {
+-        e1000e_intmgr_timer_pause(&core->eitr[i]);
+-    }
+-}
+-
+ static void
+ e1000e_intrmgr_reset(E1000ECore *core)
+ {
+@@ -3336,12 +3310,6 @@ e1000e_core_read(E1000ECore *core, hwaddr addr, unsigned size)
+     return 0;
+ }
+ 
+-static inline void
+-e1000e_autoneg_pause(E1000ECore *core)
+-{
+-    timer_del(core->autoneg_timer);
+-}
+-
+ static void
+ e1000e_autoneg_resume(E1000ECore *core)
+ {
+@@ -3353,22 +3321,6 @@ e1000e_autoneg_resume(E1000ECore *core)
+     }
+ }
+ 
+-static void
+-e1000e_vm_state_change(void *opaque, bool running, RunState state)
+-{
+-    E1000ECore *core = opaque;
+-
+-    if (running) {
+-        trace_e1000e_vm_state_running();
+-        e1000e_intrmgr_resume(core);
+-        e1000e_autoneg_resume(core);
+-    } else {
+-        trace_e1000e_vm_state_stopped();
+-        e1000e_autoneg_pause(core);
+-        e1000e_intrmgr_pause(core);
+-    }
+-}
+-
+ void
+ e1000e_core_pci_realize(E1000ECore     *core,
+                         const uint16_t *eeprom_templ,
+@@ -3381,9 +3333,6 @@ e1000e_core_pci_realize(E1000ECore     *core,
+                                        e1000e_autoneg_timer, core);
+     e1000e_intrmgr_pci_realize(core);
+ 
+-    core->vmstate =
+-        qemu_add_vm_change_state_handler(e1000e_vm_state_change, core);
+-
+     for (i = 0; i < E1000E_NUM_QUEUES; i++) {
+         net_tx_pkt_init(&core->tx[i].tx_pkt, core->owner,
+                         E1000E_MAX_TX_FRAGS, core->has_vnet);
+@@ -3408,8 +3357,6 @@ e1000e_core_pci_uninit(E1000ECore *core)
+ 
+     e1000e_intrmgr_pci_unint(core);
+ 
+-    qemu_del_vm_change_state_handler(core->vmstate);
+-
+     for (i = 0; i < E1000E_NUM_QUEUES; i++) {
+         net_tx_pkt_reset(core->tx[i].tx_pkt);
+         net_tx_pkt_uninit(core->tx[i].tx_pkt);
+@@ -3561,5 +3508,12 @@ e1000e_core_post_load(E1000ECore *core)
+      */
+     nc->link_down = (core->mac[STATUS] & E1000_STATUS_LU) == 0;
+ 
++    /*
++     * we need to restart intrmgr timers, as an older version of
++     * QEMU can have stopped them before migration
++     */
++    e1000e_intrmgr_resume(core);
++    e1000e_autoneg_resume(core);
++
+     return 0;
+ }
+diff --git a/hw/net/e1000e_core.h b/hw/net/e1000e_core.h
+index 4ddb4d2c39..f2a8ff4a33 100644
+--- a/hw/net/e1000e_core.h
++++ b/hw/net/e1000e_core.h
+@@ -100,8 +100,6 @@ struct E1000Core {
+     E1000IntrDelayTimer eitr[E1000E_MSIX_VEC_NUM];
+     bool eitr_intr_pending[E1000E_MSIX_VEC_NUM];
+ 
+-    VMChangeStateEntry *vmstate;
+-
+     uint32_t itr_guest_value;
+     uint32_t eitr_guest_value[E1000E_MSIX_VEC_NUM];
+ 
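Review bot: The commit message says e1000e_vm_state_change() is merged into e1000e_core_post_load(), but only the running branch survives; the pause half (e1000e_autoneg_pause(), e1000e_intrmgr_pause() and e1000e_intmgr_timer_pause()) is deleted with no explanation of why leaving the timers armed while the VM is stopped is safe. Please state that in the commit message or in the new comment in e1000e_core_post_load(). Since the message also says e1000e_autoneg_resume() sets link_down to false, and the call now sits directly after `nc->link_down = (core->mac[STATUS] & E1000_STATUS_LU) == 0;`, a sentence on why it cannot override the restored link state on load would help.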
diff --git a/debian/patches/extra/0013-target-i386-introduce-function-to-query-MMU-indices.patch b/debian/patches/extra/0013-target-i386-introduce-function-to-query-MMU-indices.patch
new file mode 100644
index 0000000..c97cd07
--- /dev/null
+++ b/debian/patches/extra/0013-target-i386-introduce-function-to-query-MMU-indices.patch
@@ -0,0 +1,61 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Wed, 10 Apr 2024 08:43:49 +0300
+Subject: [PATCH] target/i386: introduce function to query MMU indices
+
+Remove knowledge of specific MMU indexes (other than MMU_NESTED_IDX and
+MMU_PHYS_IDX) from mmu_translate().  This will make it possible to split
+32-bit and 64-bit MMU indexes.
+
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 5f97afe2543f09160a8d123ab6e2e8c6d98fa9ce)
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+(Mjt: context fixup in target/i386/cpu.h due to other changes in that area)
+---
+ target/i386/cpu.h                    | 10 ++++++++++
+ target/i386/tcg/sysemu/excp_helper.c |  4 ++--
+ 2 files changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/target/i386/cpu.h b/target/i386/cpu.h
+index 7be047ce33..f175e18768 100644
+--- a/target/i386/cpu.h
++++ b/target/i386/cpu.h
+@@ -2195,6 +2195,16 @@ static inline int cpu_mmu_index(CPUX86State *env, bool ifetch)
+         ? MMU_KNOSMAP_IDX : MMU_KSMAP_IDX;
+ }
+ 
++static inline bool is_mmu_index_smap(int mmu_index)
++{
++    return mmu_index == MMU_KSMAP_IDX;
++}
++
++static inline bool is_mmu_index_user(int mmu_index)
++{
++    return mmu_index == MMU_USER_IDX;
++}
++
+ static inline bool is_mmu_index_32(int mmu_index)
+ {
+     assert(mmu_index < MMU_PHYS_IDX);
+diff --git a/target/i386/tcg/sysemu/excp_helper.c b/target/i386/tcg/sysemu/excp_helper.c
+index 5999cdedf5..553a60d976 100644
+--- a/target/i386/tcg/sysemu/excp_helper.c
++++ b/target/i386/tcg/sysemu/excp_helper.c
+@@ -135,7 +135,7 @@ static bool mmu_translate(CPUX86State *env, const TranslateParams *in,
+ {
+     const target_ulong addr = in->addr;
+     const int pg_mode = in->pg_mode;
+-    const bool is_user = (in->mmu_idx == MMU_USER_IDX);
++    const bool is_user = is_mmu_index_user(in->mmu_idx);
+     const MMUAccessType access_type = in->access_type;
+     uint64_t ptep, pte, rsvd_mask;
+     PTETranslate pte_trans = {
+@@ -355,7 +355,7 @@ do_check_protect_pse36:
+     }
+ 
+     int prot = 0;
+-    if (in->mmu_idx != MMU_KSMAP_IDX || !(ptep & PG_USER_MASK)) {
++    if (!is_mmu_index_smap(in->mmu_idx) || !(ptep & PG_USER_MASK)) {
+         prot |= PAGE_READ;
+         if ((ptep & PG_RW_MASK) || !(is_user || (pg_mode & PG_MODE_WP))) {
+             prot |= PAGE_WRITE;
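Review bot: is_mmu_index_smap() and is_mmu_index_user() in target/i386/cpu.h have no comment, yet is_mmu_index_smap() now gates the `prot |= PAGE_READ` decision in mmu_translate(); a one-line description of what each predicate means would make later index changes easier to review. Unlike is_mmu_index_32() just below them, neither helper asserts on the range of mmu_index, so it is worth saying whether MMU_NESTED_IDX and MMU_PHYS_IDX are valid inputs.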
diff --git a/debian/patches/extra/0014-target-i386-use-separate-MMU-indexes-for-32-bit-acce.patch b/debian/patches/extra/0014-target-i386-use-separate-MMU-indexes-for-32-bit-acce.patch
new file mode 100644
index 0000000..64c042d
--- /dev/null
+++ b/debian/patches/extra/0014-target-i386-use-separate-MMU-indexes-for-32-bit-acce.patch
@@ -0,0 +1,130 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Wed, 10 Apr 2024 08:43:50 +0300
+Subject: [PATCH] target/i386: use separate MMU indexes for 32-bit accesses
+
+Accesses from a 32-bit environment (32-bit code segment for instruction
+accesses, EFER.LMA==0 for processor accesses) have to mask away the
+upper 32 bits of the address.  While a bit wasteful, the easiest way
+to do so is to use separate MMU indexes.  These days, QEMU anyway is
+compiled with a fixed value for NB_MMU_MODES.  Split MMU_USER_IDX,
+MMU_KSMAP_IDX and MMU_KNOSMAP_IDX in two.
+
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 90f641531c782c873a05895f411c05fbbbef3c49)
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+(Mjt: move changes for x86_cpu_mmu_index() to cpu_mmu_index() due to missing
+ v8.2.0-1030-gace0c5fe5950 "target/i386: Populate CPUClass.mmu_index"
+ Increase NB_MMU_MODES from 5 to 8 in target/i386/cpu-param.h due to missing
+ v7.2.0-2640-gffd824f3f32d "include/exec: Set default NB_MMU_MODES to 16"
+ v7.2.0-2647-g6787318a5d86 "target/i386: Remove NB_MMU_MODES define"
+ which relaxed upper limit of MMU index for i386, since this commit starts
+ using MMU_NESTED_IDX=7.
+ Thanks Zhao Liu and Paolo Bonzini for the analisys and suggestions.
+)
+---
+ target/i386/cpu-param.h              |  2 +-
+ target/i386/cpu.h                    | 44 ++++++++++++++++++++--------
+ target/i386/tcg/sysemu/excp_helper.c |  3 +-
+ 3 files changed, 34 insertions(+), 15 deletions(-)
+
+diff --git a/target/i386/cpu-param.h b/target/i386/cpu-param.h
+index f579b16bd2..e21e472e1e 100644
+--- a/target/i386/cpu-param.h
++++ b/target/i386/cpu-param.h
+@@ -23,7 +23,7 @@
+ # define TARGET_VIRT_ADDR_SPACE_BITS  32
+ #endif
+ #define TARGET_PAGE_BITS 12
+-#define NB_MMU_MODES 5
++#define NB_MMU_MODES 8
+ 
+ #ifndef CONFIG_USER_ONLY
+ # define TARGET_TB_PCREL 1
+diff --git a/target/i386/cpu.h b/target/i386/cpu.h
+index f175e18768..73eee08f3f 100644
+--- a/target/i386/cpu.h
++++ b/target/i386/cpu.h
+@@ -2182,27 +2182,42 @@ uint64_t cpu_get_tsc(CPUX86State *env);
+ #define cpu_list x86_cpu_list
+ 
+ /* MMU modes definitions */
+-#define MMU_KSMAP_IDX   0
+-#define MMU_USER_IDX    1
+-#define MMU_KNOSMAP_IDX 2
+-#define MMU_NESTED_IDX  3
+-#define MMU_PHYS_IDX    4
++#define MMU_KSMAP64_IDX    0
++#define MMU_KSMAP32_IDX    1
++#define MMU_USER64_IDX     2
++#define MMU_USER32_IDX     3
++#define MMU_KNOSMAP64_IDX  4
++#define MMU_KNOSMAP32_IDX  5
++#define MMU_PHYS_IDX       6
++#define MMU_NESTED_IDX     7
++
++#ifdef CONFIG_USER_ONLY
++#ifdef TARGET_X86_64
++#define MMU_USER_IDX MMU_USER64_IDX
++#else
++#define MMU_USER_IDX MMU_USER32_IDX
++#endif
++#endif
+ 
+ static inline int cpu_mmu_index(CPUX86State *env, bool ifetch)
+ {
+-    return (env->hflags & HF_CPL_MASK) == 3 ? MMU_USER_IDX :
+-        (!(env->hflags & HF_SMAP_MASK) || (env->eflags & AC_MASK))
+-        ? MMU_KNOSMAP_IDX : MMU_KSMAP_IDX;
++    int mmu_index_32 = (env->hflags & HF_CS64_MASK) ? 1 : 0;
++    int mmu_index_base =
++        (env->hflags & HF_CPL_MASK) == 3 ? MMU_USER64_IDX :
++        !(env->hflags & HF_SMAP_MASK) ? MMU_KNOSMAP64_IDX :
++        (env->eflags & AC_MASK) ? MMU_KNOSMAP64_IDX : MMU_KSMAP64_IDX;
++
++    return mmu_index_base + mmu_index_32;
+ }
+ 
+ static inline bool is_mmu_index_smap(int mmu_index)
+ {
+-    return mmu_index == MMU_KSMAP_IDX;
++    return (mmu_index & ~1) == MMU_KSMAP64_IDX;
+ }
+ 
+ static inline bool is_mmu_index_user(int mmu_index)
+ {
+-    return mmu_index == MMU_USER_IDX;
++    return (mmu_index & ~1) == MMU_USER64_IDX;
+ }
+ 
+ static inline bool is_mmu_index_32(int mmu_index)
+@@ -2213,9 +2228,12 @@ static inline bool is_mmu_index_32(int mmu_index)
+ 
+ static inline int cpu_mmu_index_kernel(CPUX86State *env)
+ {
+-    return !(env->hflags & HF_SMAP_MASK) ? MMU_KNOSMAP_IDX :
+-        ((env->hflags & HF_CPL_MASK) < 3 && (env->eflags & AC_MASK))
+-        ? MMU_KNOSMAP_IDX : MMU_KSMAP_IDX;
++    int mmu_index_32 = (env->hflags & HF_LMA_MASK) ? 1 : 0;
++    int mmu_index_base =
++        !(env->hflags & HF_SMAP_MASK) ? MMU_KNOSMAP64_IDX :
++        ((env->hflags & HF_CPL_MASK) < 3 && (env->eflags & AC_MASK)) ? MMU_KNOSMAP64_IDX : MMU_KSMAP64_IDX;
++
++    return mmu_index_base + mmu_index_32;
+ }
+ 
+ #define CC_DST  (env->cc_dst)
+diff --git a/target/i386/tcg/sysemu/excp_helper.c b/target/i386/tcg/sysemu/excp_helper.c
+index 553a60d976..5f13252d68 100644
+--- a/target/i386/tcg/sysemu/excp_helper.c
++++ b/target/i386/tcg/sysemu/excp_helper.c
+@@ -541,7 +541,8 @@ static bool get_physical_address(CPUX86State *env, vaddr addr,
+         if (likely(use_stage2)) {
+             in.cr3 = env->nested_cr3;
+             in.pg_mode = env->nested_pg_mode;
+-            in.mmu_idx = MMU_USER_IDX;
++            in.mmu_idx =
++                env->nested_pg_mode & PG_MODE_LMA ? MMU_USER64_IDX : MMU_USER32_IDX;
+             in.ptw_idx = MMU_PHYS_IDX;
+ 
+             if (!mmu_translate(env, &in, out, err)) {
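Review bot: In cpu_mmu_index(), `int mmu_index_32 = (env->hflags & HF_CS64_MASK) ? 1 : 0;` adds 1 when the 64-bit code segment flag is set, which selects the odd *32_IDX slot for 64-bit code and the even *64_IDX slot for 32-bit code, the opposite of the new defines; cpu_mmu_index_kernel() has the same inversion with HF_LMA_MASK. Patch 0015 in this series flips both tests, so the two patches must not be applied or reverted separately. is_mmu_index_smap() and is_mmu_index_user() now depend on each 64/32 pair differing only in the lowest bit via `(mmu_index & ~1)`; a comment next to the defines stating that layout requirement would protect it. The last line of the conditional in cpu_mmu_index_kernel() also runs well past 80 columns and should be wrapped.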
diff --git a/debian/patches/extra/0015-target-i386-fix-direction-of-32-bit-MMU-test.patch b/debian/patches/extra/0015-target-i386-fix-direction-of-32-bit-MMU-test.patch
new file mode 100644
index 0000000..667da4f
--- /dev/null
+++ b/debian/patches/extra/0015-target-i386-fix-direction-of-32-bit-MMU-test.patch
@@ -0,0 +1,46 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Wed, 10 Apr 2024 08:43:51 +0300
+Subject: [PATCH] target/i386: fix direction of "32-bit MMU" test
+
+The low bit of MMU indices for x86 TCG indicates whether the processor is
+in 32-bit mode and therefore linear addresses have to be masked to 32 bits.
+However, the index was computed incorrectly, leading to possible conflicts
+in the TLB for any address above 4G.
+
+Analyzed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
+Fixes: b1661801c18 ("target/i386: Fix physical address truncation", 2024-02-28)
+Fixes: 1c15f97b4f1 ("target/i386: Fix physical address truncation" in stable-7.2)
+Cc: qemu-stable@nongnu.org
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2206
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 2cc68629a6fc198f4a972698bdd6477f883aedfb)
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+(Mjt: move changes for x86_cpu_mmu_index() to cpu_mmu_index() due to missing
+ v8.2.0-1030-gace0c5fe59 "target/i386: Populate CPUClass.mmu_index")
+---
+ target/i386/cpu.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/target/i386/cpu.h b/target/i386/cpu.h
+index 73eee08f3f..326649ca99 100644
+--- a/target/i386/cpu.h
++++ b/target/i386/cpu.h
+@@ -2201,7 +2201,7 @@ uint64_t cpu_get_tsc(CPUX86State *env);
+ 
+ static inline int cpu_mmu_index(CPUX86State *env, bool ifetch)
+ {
+-    int mmu_index_32 = (env->hflags & HF_CS64_MASK) ? 1 : 0;
++    int mmu_index_32 = (env->hflags & HF_CS64_MASK) ? 0 : 1;
+     int mmu_index_base =
+         (env->hflags & HF_CPL_MASK) == 3 ? MMU_USER64_IDX :
+         !(env->hflags & HF_SMAP_MASK) ? MMU_KNOSMAP64_IDX :
+@@ -2228,7 +2228,7 @@ static inline bool is_mmu_index_32(int mmu_index)
+ 
+ static inline int cpu_mmu_index_kernel(CPUX86State *env)
+ {
+-    int mmu_index_32 = (env->hflags & HF_LMA_MASK) ? 1 : 0;
++    int mmu_index_32 = (env->hflags & HF_LMA_MASK) ? 0 : 1;
+     int mmu_index_base =
+         !(env->hflags & HF_SMAP_MASK) ? MMU_KNOSMAP64_IDX :
+         ((env->hflags & HF_CPL_MASK) < 3 && (env->eflags & AC_MASK)) ? MMU_KNOSMAP64_IDX : MMU_KSMAP64_IDX;
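Review bot: The corrected `? 0 : 1` in cpu_mmu_index() and cpu_mmu_index_kernel() is easy to invert again, because the variable is named mmu_index_32 while the tested flags (HF_CS64_MASK, HF_LMA_MASK) indicate 64-bit state; a short comment on each line, or writing the test as a negation of the flag, would make the direction obvious. It would also help to record in the code why one function keys on HF_CS64_MASK and the other on HF_LMA_MASK, since that reasoning currently lives only in the commit message of 0014.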
diff --git a/debian/patches/extra/0016-target-i386-Revert-monitor_puts-in-do_inject_x86_mce.patch b/debian/patches/extra/0016-target-i386-Revert-monitor_puts-in-do_inject_x86_mce.patch
new file mode 100644
index 0000000..be14c2e
--- /dev/null
+++ b/debian/patches/extra/0016-target-i386-Revert-monitor_puts-in-do_inject_x86_mce.patch
@@ -0,0 +1,35 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Tao Su <tao1.su@linux.intel.com>
+Date: Wed, 10 Apr 2024 08:43:52 +0300
+Subject: [PATCH] target/i386: Revert monitor_puts() in do_inject_x86_mce()
+
+monitor_puts() doesn't check the monitor pointer, but do_inject_x86_mce()
+may have a parameter with NULL monitor pointer. Revert monitor_puts() in
+do_inject_x86_mce() to fix, then the fact that we send the same message to
+monitor and log is again more obvious.
+
+Fixes: bf0c50d4aa85 (monitor: expose monitor_puts to rest of code)
+Reviwed-by: Xiaoyao Li <xiaoyao.li@intel.com>
+Reviewed-by: Markus Armbruster <armbru@redhat.com>
+Signed-off-by: Tao Su <tao1.su@linux.intel.com>
+Message-ID: <20240320083640.523287-1-tao1.su@linux.intel.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 7fd226b04746f0be0b636de5097f1b42338951a0)
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+---
+ target/i386/helper.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/target/i386/helper.c b/target/i386/helper.c
+index 0ac2da066d..290d9d309c 100644
+--- a/target/i386/helper.c
++++ b/target/i386/helper.c
+@@ -427,7 +427,7 @@ static void do_inject_x86_mce(CPUState *cs, run_on_cpu_data data)
+         if (need_reset) {
+             emit_guest_memory_failure(MEMORY_FAILURE_ACTION_RESET, ar,
+                                       recursive);
+-            monitor_puts(params->mon, msg);
++            monitor_printf(params->mon, "%s", msg);
+             qemu_log_mask(CPU_LOG_RESET, "%s\n", msg);
+             qemu_system_reset_request(SHUTDOWN_CAUSE_GUEST_RESET);
+             return;
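Review bot: The replacement `monitor_printf(params->mon, "%s", msg);` in do_inject_x86_mce() relies on monitor_printf() tolerating a NULL monitor, which the commit message implies but nothing at the call site records. A comment there that params->mon may be NULL would keep the call from being converted back to monitor_puts() in a later cleanup.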
diff --git a/debian/patches/extra/0017-tcg-optimize-Fix-sign_mask-for-logical-right-shift.patch b/debian/patches/extra/0017-tcg-optimize-Fix-sign_mask-for-logical-right-shift.patch
new file mode 100644
index 0000000..53ca97b
--- /dev/null
+++ b/debian/patches/extra/0017-tcg-optimize-Fix-sign_mask-for-logical-right-shift.patch
@@ -0,0 +1,86 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Richard Henderson <richard.henderson@linaro.org>
+Date: Wed, 10 Apr 2024 08:43:57 +0300
+Subject: [PATCH] tcg/optimize: Fix sign_mask for logical right-shift
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The 'sign' computation is attempting to locate the sign bit that has
+been repeated, so that we can test if that bit is known zero.  That
+computation can be zero if there are no known sign repetitions.
+
+Cc: qemu-stable@nongnu.org
+Fixes: 93a967fbb57 ("tcg/optimize: Propagate sign info for shifting")
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2248
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
+(cherry picked from commit 2911e9b95f3bb03783ae5ca3e2494dc3b44a9161)
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+(Mjt: trivial context fixup in tests/tcg/aarch64/Makefile.target)
+---
+ tcg/optimize.c                    |  2 +-
+ tests/tcg/aarch64/Makefile.target |  1 +
+ tests/tcg/aarch64/test-2248.c     | 28 ++++++++++++++++++++++++++++
+ 3 files changed, 30 insertions(+), 1 deletion(-)
+ create mode 100644 tests/tcg/aarch64/test-2248.c
+
+diff --git a/tcg/optimize.c b/tcg/optimize.c
+index ae081ab29c..b6f6436c74 100644
+--- a/tcg/optimize.c
++++ b/tcg/optimize.c
+@@ -1907,7 +1907,7 @@ static bool fold_shift(OptContext *ctx, TCGOp *op)
+          * will not reduced the number of input sign repetitions.
+          */
+         sign = (s_mask & -s_mask) >> 1;
+-        if (!(z_mask & sign)) {
++        if (sign && !(z_mask & sign)) {
+             ctx->s_mask = s_mask;
+         }
+         break;
+diff --git a/tests/tcg/aarch64/Makefile.target b/tests/tcg/aarch64/Makefile.target
+index 5e4ea7c998..474f61bc30 100644
+--- a/tests/tcg/aarch64/Makefile.target
++++ b/tests/tcg/aarch64/Makefile.target
+@@ -10,6 +10,7 @@ VPATH 		+= $(AARCH64_SRC)
+ 
+ # Base architecture tests
+ AARCH64_TESTS=fcvt pcalign-a64
++AARCH64_TESTS += test-2248
+ 
+ fcvt: LDFLAGS+=-lm
+ 
+diff --git a/tests/tcg/aarch64/test-2248.c b/tests/tcg/aarch64/test-2248.c
+new file mode 100644
+index 0000000000..aac2e17836
+--- /dev/null
++++ b/tests/tcg/aarch64/test-2248.c
+@@ -0,0 +1,28 @@
++/* SPDX-License-Identifier: GPL-2.0-or-later */
++/* See https://gitlab.com/qemu-project/qemu/-/issues/2248 */
++
++#include <assert.h>
++
++__attribute__((noinline))
++long test(long x, long y, long sh)
++{
++    long r;
++    asm("cmp   %1, %2\n\t"
++        "cset  x12, lt\n\t"
++        "and   w11, w12, #0xff\n\t"
++        "cmp   w11, #0\n\t"
++        "csetm x14, ne\n\t"
++        "lsr   x13, x14, %3\n\t"
++        "sxtb  %0, w13"
++        : "=r"(r)
++        : "r"(x), "r"(y), "r"(sh)
++        : "x11", "x12", "x13", "x14");
++    return r;
++}
++
++int main()
++{
++    long r = test(0, 1, 2);
++    assert(r == -1);
++    return 0;
++}
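Review bot: The new `sign &&` guard in fold_shift() is not reflected in the comment above it, which still describes only the case where a repeated sign bit exists; add a sentence that `(s_mask & -s_mask) >> 1` is 0 when there are no known sign repetitions and that s_mask must then not be propagated. In tests/tcg/aarch64/test-2248.c, `int main()` should be `int main(void)`, and the test covers a single call, test(0, 1, 2); a second call with a different shift count would make the regression test less dependent on one constant.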
diff --git a/debian/patches/extra/0018-hw-virtio-Fix-packed-virtqueue-flush-used_idx.patch b/debian/patches/extra/0018-hw-virtio-Fix-packed-virtqueue-flush-used_idx.patch
new file mode 100644
index 0000000..dc4c2be
--- /dev/null
+++ b/debian/patches/extra/0018-hw-virtio-Fix-packed-virtqueue-flush-used_idx.patch
@@ -0,0 +1,66 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Wafer <wafer@jaguarmicro.com>
+Date: Wed, 10 Apr 2024 08:44:02 +0300
+Subject: [PATCH] hw/virtio: Fix packed virtqueue flush used_idx
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+In the event of writing many chains of descriptors, the device must
+write just the id of the last buffer in the descriptor chain, skip
+forward the number of descriptors in the chain, and then repeat the
+operations for the rest of chains.
+
+Current QEMU code writes all the buffer ids consecutively, and then
+skips all the buffers altogether. This is a bug, and can be reproduced
+with a VirtIONet device with _F_MRG_RXBUB and without
+_F_INDIRECT_DESC:
+
+If a virtio-net device has the VIRTIO_NET_F_MRG_RXBUF feature
+but not the VIRTIO_RING_F_INDIRECT_DESC feature,
+'VirtIONetQueue->rx_vq' will use the merge feature
+to store data in multiple 'elems'.
+The 'num_buffers' in the virtio header indicates how many elements are merged.
+If the value of 'num_buffers' is greater than 1,
+all the merged elements will be filled into the descriptor ring.
+The 'idx' of the elements should be the value of 'vq->used_idx' plus 'ndescs'.
+
+Fixes: 86044b24e8 ("virtio: basic packed virtqueue support")
+Acked-by: Eugenio Pérez <eperezma@redhat.com>
+Signed-off-by: Wafer <wafer@jaguarmicro.com>
+Message-Id: <20240407015451.5228-2-wafer@jaguarmicro.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+(cherry picked from commit 2d9a31b3c27311eca1682cb2c076d7a300441960)
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+---
+ hw/virtio/virtio.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
+index b7da7f074d..e4f8ed1e63 100644
+--- a/hw/virtio/virtio.c
++++ b/hw/virtio/virtio.c
+@@ -1367,12 +1367,20 @@ static void virtqueue_packed_flush(VirtQueue *vq, unsigned int count)
+         return;
+     }
+ 
++    /*
++     * For indirect element's 'ndescs' is 1.
++     * For all other elemment's 'ndescs' is the
++     * number of descriptors chained by NEXT (as set in virtqueue_packed_pop).
++     * So When the 'elem' be filled into the descriptor ring,
++     * The 'idx' of this 'elem' shall be
++     * the value of 'vq->used_idx' plus the 'ndescs'.
++     */
++    ndescs += vq->used_elems[0].ndescs;
+     for (i = 1; i < count; i++) {
+-        virtqueue_packed_fill_desc(vq, &vq->used_elems[i], i, false);
++        virtqueue_packed_fill_desc(vq, &vq->used_elems[i], ndescs, false);
+         ndescs += vq->used_elems[i].ndescs;
+     }
+     virtqueue_packed_fill_desc(vq, &vq->used_elems[0], 0, true);
+-    ndescs += vq->used_elems[0].ndescs;
+ 
+     vq->inuse -= ndescs;
+     vq->used_idx += ndescs;
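Review bot: The third argument of virtqueue_packed_fill_desc() changes meaning in virtqueue_packed_flush() from the element index `i` to a running descriptor offset, and the new `ndescs += vq->used_elems[0].ndescs;` before the loop depends on ndescs starting at 0, which this hunk does not show; please confirm the initialisation and that the callee handles an offset that runs past the end of the ring. The added comment needs a cleanup ("elemment's", "So When", "be filled"); something like "An indirect element has ndescs == 1; otherwise ndescs is the number of descriptors chained by NEXT. Each element is written at used_idx plus the ndescs of the elements before it." reads more clearly.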
diff --git a/debian/patches/pve/0003-PVE-Config-set-the-CPU-model-to-kvm64-32-instead-of-.patch b/debian/patches/pve/0003-PVE-Config-set-the-CPU-model-to-kvm64-32-instead-of-.patch
index 07ce8dd..5b58350 100644
--- a/debian/patches/pve/0003-PVE-Config-set-the-CPU-model-to-kvm64-32-instead-of-.patch
+++ b/debian/patches/pve/0003-PVE-Config-set-the-CPU-model-to-kvm64-32-instead-of-.patch
@@ -10,7 +10,7 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  1 file changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/target/i386/cpu.h b/target/i386/cpu.h
-index 7be047ce33..a443d66439 100644
+index 326649ca99..24d21486bc 100644
 --- a/target/i386/cpu.h
 +++ b/target/i386/cpu.h
 @@ -2174,9 +2174,9 @@ uint64_t cpu_get_tsc(CPUX86State *env);
diff --git a/debian/patches/series b/debian/patches/series
index f67a67b..f12a651 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,6 +2,20 @@ extra/0001-monitor-qmp-fix-race-with-clients-disconnecting-earl.patch
 extra/0002-init-daemonize-defuse-PID-file-resolve-error.patch
 extra/0003-scsi-megasas-Internal-cdbs-have-16-byte-length.patch
 extra/0004-ide-avoid-potential-deadlock-when-draining-during-tr.patch
+extra/0005-target-arm-align-exposed-ID-registers-with-Linux.patch
+extra/0006-tests-tcg-aarch64-sysregs.c-Use-S-syntax-for-id_aa64.patch
+extra/0007-target-arm-Fix-SME-full-tile-indexing.patch
+extra/0008-system-qdev-monitor-move-drain_call_rcu-call-under-i.patch
+extra/0009-hw-scsi-lsi53c895a-stop-script-on-phase-mismatch.patch
+extra/0010-hw-scsi-lsi53c895a-add-missing-decrement-of-reentran.patch
+extra/0011-hw-scsi-lsi53c895a-add-timer-to-scripts-processing.patch
+extra/0012-e1000e-fix-link-state-on-resume.patch
+extra/0013-target-i386-introduce-function-to-query-MMU-indices.patch
+extra/0014-target-i386-use-separate-MMU-indexes-for-32-bit-acce.patch
+extra/0015-target-i386-fix-direction-of-32-bit-MMU-test.patch
+extra/0016-target-i386-Revert-monitor_puts-in-do_inject_x86_mce.patch
+extra/0017-tcg-optimize-Fix-sign_mask-for-logical-right-shift.patch
+extra/0018-hw-virtio-Fix-packed-virtqueue-flush-used_idx.patch
 bitmap-mirror/0001-drive-mirror-add-support-for-sync-bitmap-mode-never.patch
 bitmap-mirror/0002-drive-mirror-add-support-for-conditional-and-always-.patch
 bitmap-mirror/0003-mirror-add-check-for-bitmap-mode-without-bitmap.patch
-- 
2.30.2






* [pve-devel] applied-series: [PATCH stable-7 qemu 1/2] update patches and submodule to QEMU stable 7.2.10
  2024-04-10 13:13 [pve-devel] [PATCH stable-7 qemu 1/2] update patches and submodule to QEMU stable 7.2.10 Fiona Ebner
  2024-04-10 13:13 ` [pve-devel] [PATCH stable-7 qemu 2/2] pick up some extra fixes from upcoming 7.2.11 Fiona Ebner
@ 2024-04-10 16:13 ` Thomas Lamprecht
  1 sibling, 0 replies; 3+ messages in thread
From: Thomas Lamprecht @ 2024-04-10 16:13 UTC (permalink / raw)
  To: Proxmox VE development discussion, Fiona Ebner

On 10/04/2024 at 15:13, Fiona Ebner wrote:
> Many stable fixes came in since the last bump, a few of which were
> actually already present. Notable ones not yet present include a few
> guest-triggerable assert fixes, some AHCI/IDE fixes (including the fix
> for bug #2784), TGC fixes for i386 and ARM, VirtIO fixes, fix to avoid
> VNC clipboard denial-of-service.
> 
> The reentrancy patches that landed upstream/stable were a newer
> version than the ones backported initially here, so it was necessary
> to explicitly drop them before rebase (which then picked up the
> upstream version).
> 
> There were no other conflicts.
> 
> Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
> ---
>  ...d-support-for-sync-bitmap-mode-never.patch |  16 +-
>  ...check-for-bitmap-mode-without-bitmap.patch |   4 +-
>  .../0006-mirror-move-some-checks-to-qmp.patch |   4 +-
>  ...race-with-clients-disconnecting-earl.patch |  10 +-
>  ...monize-defuse-PID-file-resolve-error.patch |   4 +-
>  ...s-Internal-cdbs-have-16-byte-length.patch} |   0
>  ...he-bitmap-index-of-the-section-offse.patch |  44 ---
>  ...al-deadlock-when-draining-during-tr.patch} |  10 +-
>  ...he-iterator-variable-in-a-vmem-rdl_l.patch |  36 ---
>  ...ty-bitmap-syncing-when-vIOMMU-is-ena.patch | 141 ---------
>  ...pci-fix-migration-compat-for-vectors.patch |  42 ---
>  ...-zeroes-with-BDRV_REQ_REGISTERED_BUF.patch |  36 ---
>  ...-memory-prevent-dma-reentracy-issues.patch | 118 --------
>  ...double-free-on-BUSY-or-similar-statu.patch |  32 --
>  ...ing-endian-conversions-for-doorbell-.patch |  67 ----
>  ...fix-field-corruption-in-type-4-table.patch |  50 ---
>  ...ix-transitional-migration-compat-for.patch |  35 ---
>  ...er-hpet-Fix-expiration-time-overflow.patch |  80 -----
>  ...vdpa-stop-all-svq-on-device-deletion.patch |  71 -----
>  ...tential-use-of-an-uninitialized-vari.patch | 132 --------
>  ...ket-set-s-listener-NULL-in-char_sock.patch |  70 -----
>  ...il-MAP-notifier-without-caching-mode.patch |  41 ---
>  ...-fail-DEVIOTLB_UNMAP-without-dt-mode.patch |  50 ---
>  ...isabling-re-entrancy-checking-per-MR.patch |  38 ---
>  ...le-reentrancy-detection-for-script-R.patch |  33 --
>  ...uest-visible-maximum-access-size-to-.patch | 166 ----------
>  ...Introduce-and-use-reg_t-consistently.patch | 286 ------------------
>  ...25-target-i386-Fix-BEXTR-instruction.patch |  97 ------
>  ...i386-Fix-C-flag-for-BLSI-BLSMSK-BLSR.patch |  47 ---
>  ...arget-i386-fix-ADOX-followed-by-ADCX.patch | 192 ------------
>  ...028-target-i386-Fix-BZHI-instruction.patch |  64 ----
>  ...djust-network-script-path-to-etc-kvm.patch |   4 +-
>  ...he-CPU-model-to-kvm64-32-instead-of-.patch |   2 +-
>  .../0007-PVE-Up-qmp-add-get_link_status.patch |   4 +-
>  ...return-success-on-info-without-snaps.patch |   2 +-
>  ...dd-add-osize-and-read-from-to-stdin-.patch |  12 +-
>  ...E-Up-qemu-img-dd-add-isize-parameter.patch |  14 +-
>  ...PVE-Up-qemu-img-dd-add-n-skip_create.patch |  10 +-
>  ...virtio-balloon-improve-query-balloon.patch |   2 +-
>  ...async-for-background-state-snapshots.patch |  10 +-
>  ...-Add-dummy-id-command-line-parameter.patch |  10 +-
>  ...3-PVE-monitor-disable-oob-capability.patch |   4 +-
>  ...sed-balloon-qemu-4-0-config-size-fal.patch |   4 +-
>  ...E-Allow-version-code-in-machine-type.patch |  12 +-
>  ...VE-Backup-add-vma-backup-format-code.patch |   4 +-
>  ...ckup-proxmox-backup-patches-for-qemu.patch |   8 +-
>  ...estore-new-command-to-restore-from-p.patch |   4 +-
>  ...irty-bitmap-tracking-for-incremental.patch |   6 +-
>  .../pve/0032-PVE-various-PBS-fixes.patch      |   6 +-
>  ...k-driver-to-map-backup-archives-into.patch |   6 +-
>  ...dd-query_proxmox_support-QMP-command.patch |   2 +-
>  ...E-add-query-pbs-bitmap-info-QMP-call.patch |   2 +-
>  ...ct-stderr-to-journal-when-daemonized.patch |   4 +-
>  ...-transaction-to-synchronize-job-stat.patch |   2 +-
>  ...-block-on-finishing-and-cleanup-crea.patch |   2 +-
>  ...igrate-dirty-bitmap-state-via-savevm.patch |   4 +-
>  ...all-back-to-open-iscsi-initiatorname.patch |   4 +-
>  ...routine-QMP-for-backup-cancel_backup.patch |   6 +-
>  .../pve/0044-PBS-add-master-key-support.patch |   6 +-
>  ...accept-NULL-qiov-in-bdrv_pad_request.patch |   2 +-
>  ...-add-l-option-for-loading-a-snapshot.patch |  14 +-
>  .../pve/0052-pbs-namespace-support.patch      |   6 +-
>  ...e-jobs-correctly-cancel-in-error-sce.patch |   2 +-
>  ...nsure-jobs-in-di_list-are-referenced.patch |   2 +-
>  ...d-segfault-issues-upon-backup-cancel.patch |   2 +-
>  ...-passing-max-workers-performance-set.patch |   6 +-
>  debian/patches/series                         |  28 +-
>  qemu                                          |   2 +-
>  68 files changed, 122 insertions(+), 2114 deletions(-)
>  rename debian/patches/extra/{0010-scsi-megasas-Internal-cdbs-have-16-byte-length.patch => 0003-scsi-megasas-Internal-cdbs-have-16-byte-length.patch} (100%)
>  delete mode 100644 debian/patches/extra/0003-virtio-mem-Fix-the-bitmap-index-of-the-section-offse.patch
>  rename debian/patches/extra/{0011-ide-avoid-potential-deadlock-when-draining-during-tr.patch => 0004-ide-avoid-potential-deadlock-when-draining-during-tr.patch} (93%)
>  delete mode 100644 debian/patches/extra/0004-virtio-mem-Fix-the-iterator-variable-in-a-vmem-rdl_l.patch
>  delete mode 100644 debian/patches/extra/0005-vhost-fix-vq-dirty-bitmap-syncing-when-vIOMMU-is-ena.patch
>  delete mode 100644 debian/patches/extra/0006-virtio-rng-pci-fix-migration-compat-for-vectors.patch
>  delete mode 100644 debian/patches/extra/0007-block-fix-detect-zeroes-with-BDRV_REQ_REGISTERED_BUF.patch
>  delete mode 100644 debian/patches/extra/0008-memory-prevent-dma-reentracy-issues.patch
>  delete mode 100644 debian/patches/extra/0009-block-iscsi-fix-double-free-on-BUSY-or-similar-statu.patch
>  delete mode 100644 debian/patches/extra/0012-hw-nvme-fix-missing-endian-conversions-for-doorbell-.patch
>  delete mode 100644 debian/patches/extra/0013-hw-smbios-fix-field-corruption-in-type-4-table.patch
>  delete mode 100644 debian/patches/extra/0014-virtio-rng-pci-fix-transitional-migration-compat-for.patch
>  delete mode 100644 debian/patches/extra/0015-hw-timer-hpet-Fix-expiration-time-overflow.patch
>  delete mode 100644 debian/patches/extra/0016-vdpa-stop-all-svq-on-device-deletion.patch
>  delete mode 100644 debian/patches/extra/0017-vhost-avoid-a-potential-use-of-an-uninitialized-vari.patch
>  delete mode 100644 debian/patches/extra/0018-chardev-char-socket-set-s-listener-NULL-in-char_sock.patch
>  delete mode 100644 debian/patches/extra/0019-intel-iommu-fail-MAP-notifier-without-caching-mode.patch
>  delete mode 100644 debian/patches/extra/0020-intel-iommu-fail-DEVIOTLB_UNMAP-without-dt-mode.patch
>  delete mode 100644 debian/patches/extra/0021-memory-Allow-disabling-re-entrancy-checking-per-MR.patch
>  delete mode 100644 debian/patches/extra/0022-lsi53c895a-disable-reentrancy-detection-for-script-R.patch
>  delete mode 100644 debian/patches/extra/0023-acpi-cpuhp-fix-guest-visible-maximum-access-size-to-.patch
>  delete mode 100644 debian/patches/extra/0024-tests-tcg-i386-Introduce-and-use-reg_t-consistently.patch
>  delete mode 100644 debian/patches/extra/0025-target-i386-Fix-BEXTR-instruction.patch
>  delete mode 100644 debian/patches/extra/0026-target-i386-Fix-C-flag-for-BLSI-BLSMSK-BLSR.patch
>  delete mode 100644 debian/patches/extra/0027-target-i386-fix-ADOX-followed-by-ADCX.patch
>  delete mode 100644 debian/patches/extra/0028-target-i386-Fix-BZHI-instruction.patch
> 
>
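
Review bot: the commit message does not account for the 24 "delete mode" entries under debian/patches/extra/ in this summary; it says only that "a few" stable fixes were already present and that the reentrancy backports were dropped by hand. Please list which removed patches are now carried by the 7.2.10 submodule and name the ones dropped manually before the rebase (by subject these look like 0008-memory-prevent-dma-reentracy-issues, 0021-memory-Allow-disabling-re-entrancy-checking-per-MR and 0022-lsi53c895a-disable-reentrancy-detection-for-script-R), so that each removed fix can be checked against upstream stable. The 0011 to 0004 ide rename is at 93% rather than 100%, so a short note on what changed in that patch would help as well.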

applied series, thanks!



