QEMU update to version 6.2.0-78(master)

- sw_64: Added sw64 architecture related updates
- virtio-crypto: verify src&dst buffer length for sym request
- vhost-vdpa: do not cleanup the vdpa/vhost-net structures if peer nic is present
- qga: Fix suspend on Linux guests without systemd
- tests: vhost-user-test: release mutex on protocol violation
- qapi: support updating expected test output via make
- block: Fix misleading hexadecimal format
- block/rbd: fix write zeroes with growing images
- block/nbd.c: Fixed IO request coroutine not being wakeup when kill NBD server
- block/nfs: Fix 32-bit Windows build
- qapi/qdev: Tidy up device_add documentation
- hw/xen/xen_pt: fix uninitialized variable
- migration/ram: Fix error handling in ram_write_tracking_start()
- docs/about/build-platforms: Refine the distro support policy
- xen-block: Avoid leaks on new error path
- QGA VSS: Add wrapper to send log to debugger and stderr
- chardev/char-socket: set s->listener = NULL in char_socket_finalize
- qapi/block: Tidy up block-latency-histogram-set documentation
- disas/riscv Fix ctzw disassemble
- vfio: Fix vfio_get_dev_region() trace event
- migration/ram: Fix populate_read_range()
- Check and report for incomplete 'global' option  format

Signed-off-by: Jiabo Feng <fengjiabo1@huawei.com>

Check-and-report-for-incomplete-global-option-format.patch

@@ -0,0 +1,49 @@
+From c24b649580f7eeb656124fabe255760829d01408 Mon Sep 17 00:00:00 2001
+From: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
+Date: Wed, 26 Jul 2023 13:37:41 +0000
+Subject: [PATCH] Check and report for incomplete 'global' option  format
+ mainline inclusion commit 818e1636080768749dc826acd4825e71828ec7e6 category:
+ bugfix
+
+---------------------------------------------------------------
+
+Qemu might crash when provided incomplete '-global' option.
+For example:
+     qemu-system-x86_64 -global driver=isa-fdc
+     qemu-system-x86_64: ../../devel/qemu/qapi/string-input-visitor.c:394:
+     string_input_visitor_new: Assertion `str' failed.
+     Aborted (core dumped)
+
+Fixes: 3751d7c43f795b ("vl: allow full-blown QemuOpts syntax for -global")
+Signed-off-by: Rohit Kumar <rohit.kumar3@nutanix.com>
+Reviewed-by: Markus Armbruster <armbru@redhat.com>
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/604
+Message-Id: <20220216071508.412974-1-rohit.kumar3@nutanix.com>
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+
+Signed-off-by: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
+---
+ softmmu/qdev-monitor.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/softmmu/qdev-monitor.c b/softmmu/qdev-monitor.c
+index 4ca4e92ce2..14efb37014 100644
+--- a/softmmu/qdev-monitor.c
++++ b/softmmu/qdev-monitor.c
+@@ -1041,6 +1041,13 @@ int qemu_global_option(const char *str)
+     if (!opts) {
+         return -1;
+     }
++    if (!qemu_opt_get(opts, "driver")
++        || !qemu_opt_get(opts, "property")
++        || !qemu_opt_get(opts, "value")) {
++        error_report("options 'driver', 'property', and 'value'"
++                     " are required");
++        return -1;
++    }
+ 
+     return 0;
+ }
+-- 
+2.41.0.windows.1
+

QGA-VSS-Add-wrapper-to-send-log-to-debugger-and-stde.patch

@@ -0,0 +1,110 @@
+From a7d32227e6a7b3eff114135f68f980ac686f6b80 Mon Sep 17 00:00:00 2001
+From: zhujun2 <zhujun2_yewu@cmss.chinamobile.com>
+Date: Sun, 30 Jul 2023 23:14:18 -0700
+Subject: [PATCH] QGA VSS: Add wrapper to send log to debugger and stderr
+ mainline inclusion commit 925d05d38a2bc76b5a49359370650a820bc891da category:
+ bugfix
+
+Reviewed-by: Thomas Huth <thuth@redhat.com>
+Signed-off-by: Konstantin Kostiuk <kkostiuk@redhat.com>
+Signed-off-by: zhujun2 <zhujun2_yewu@cmss.chinamobile.com>
+---
+ qga/vss-win32/meson.build   |  2 +-
+ qga/vss-win32/vss-debug.cpp | 39 +++++++++++++++++++++++++++++++++++++
+ qga/vss-win32/vss-debug.h   | 25 ++++++++++++++++++++++++
+ 3 files changed, 65 insertions(+), 1 deletion(-)
+ create mode 100644 qga/vss-win32/vss-debug.cpp
+ create mode 100644 qga/vss-win32/vss-debug.h
+
+diff --git a/qga/vss-win32/meson.build b/qga/vss-win32/meson.build
+index 90825edef3..290796556c 100644
+--- a/qga/vss-win32/meson.build
++++ b/qga/vss-win32/meson.build
+@@ -3,7 +3,7 @@ if add_languages('cpp', required: false)
+   link_args = cc.get_supported_link_arguments(['-fstack-protector-all', '-fstack-protector-strong',
+                                                '-Wl,--add-stdcall-alias', '-Wl,--enable-stdcall-fixup'])
+ 
+-  qga_vss = shared_module('qga-vss', ['requester.cpp', 'provider.cpp', 'install.cpp'],
++  qga_vss = shared_module('qga-vss', ['requester.cpp', 'provider.cpp', 'install.cpp', 'vss-debug.cpp'],
+                 name_prefix: '',
+                 cpp_args: ['-Wno-unknown-pragmas', '-Wno-delete-non-virtual-dtor', '-Wno-non-virtual-dtor'],
+                 link_args: link_args,
+diff --git a/qga/vss-win32/vss-debug.cpp b/qga/vss-win32/vss-debug.cpp
+new file mode 100644
+index 0000000000..820b1c6667
+--- /dev/null
++++ b/qga/vss-win32/vss-debug.cpp
+@@ -0,0 +1,39 @@
++/*
++ * QEMU Guest Agent VSS debug declarations
++ *
++ * Copyright (C) 2023 Red Hat Inc
++ *
++ * Authors:
++ *  Konstantin Kostiuk <kkostiuk@redhat.com>
++ *
++ * This work is licensed under the terms of the GNU GPL, version 2 or later.
++ * See the COPYING file in the top-level directory.
++ */
++
++#include "qemu/osdep.h"
++#include "vss-debug.h"
++#include "vss-common.h"
++
++void qga_debug_internal(const char *funcname, const char *fmt, ...)
++{
++    char user_string[512] = {0};
++    char full_string[640] = {0};
++
++    va_list args;
++    va_start(args, fmt);
++    if (vsnprintf(user_string, _countof(user_string), fmt, args) <= 0) {
++        va_end(args);
++        return;
++    }
++
++    va_end(args);
++
++    if (snprintf(full_string, _countof(full_string),
++                 QGA_PROVIDER_NAME "[%lu]: %s %s\n",
++                 GetCurrentThreadId(), funcname, user_string) <= 0) {
++        return;
++    }
++
++    OutputDebugString(full_string);
++    fputs(full_string, stderr);
++}
+diff --git a/qga/vss-win32/vss-debug.h b/qga/vss-win32/vss-debug.h
+new file mode 100644
+index 0000000000..7800457392
+--- /dev/null
++++ b/qga/vss-win32/vss-debug.h
+@@ -0,0 +1,25 @@
++/*
++ * QEMU Guest Agent VSS debug declarations
++ *
++ * Copyright (C) 2023 Red Hat Inc
++ *
++ * Authors:
++ *  Konstantin Kostiuk <kkostiuk@redhat.com>
++ *
++ * This work is licensed under the terms of the GNU GPL, version 2 or later.
++ * See the COPYING file in the top-level directory.
++ */
++
++#include "qemu/osdep.h"
++#include <vss-handles.h>
++
++#ifndef VSS_DEBUG_H
++#define VSS_DEBUG_H
++
++void qga_debug_internal(const char *funcname, const char *fmt, ...) G_GNUC_PRINTF(2, 3);
++
++#define qga_debug(fmt, ...) qga_debug_internal(__func__, fmt, ## __VA_ARGS__)
++#define qga_debug_begin qga_debug("begin")
++#define qga_debug_end qga_debug("end")
++
++#endif
+-- 
+2.41.0.windows.1
+

block-Fix-misleading-hexadecimal-format.patch

@@ -0,0 +1,46 @@
+From 23ba08631691242000e60f85a9d0a67a42dcca3b Mon Sep 17 00:00:00 2001
+From: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
+Date: Fri, 4 Aug 2023 08:26:16 +0000
+Subject: [PATCH] block: Fix misleading hexadecimal format mainline inclusion
+ commit 3f1db95917bf0b4accaf8f56d43f795fed1fb733 category: bugfix
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+---------------------------------------------------------------
+
+"0x%u" format is very misleading, replace by "0x%x".
+
+Found running:
+
+  $ git grep -E '0x%[0-9]*([lL]*|" ?PRI)[dDuU]' block/
+
+Inspired-by: Richard Henderson <richard.henderson@linaro.org>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Hanna Reitz <hreitz@redhat.com>
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+Reviewed-by: Denis V. Lunev <den@openvz.org>
+Message-id: 20220323114718.58714-2-philippe.mathieu.daude@gmail.com
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+
+Signed-off-by: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
+---
+ block/parallels-ext.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/block/parallels-ext.c b/block/parallels-ext.c
+index e0dd0975c6..b0e1c1aa47 100644
+--- a/block/parallels-ext.c
++++ b/block/parallels-ext.c
+@@ -260,7 +260,7 @@ static int parallels_parse_format_extension(BlockDriverState *bs,
+             break;
+ 
+         default:
+-            error_setg(errp, "Unknown feature: 0x%" PRIu64, fh.magic);
++            error_setg(errp, "Unknown feature: 0x%" PRIx64, fh.magic);
+             goto fail;
+         }
+ 
+-- 
+2.41.0.windows.1
+

block-nbd.c-Fixed-IO-request-coroutine-not-being-wak.patch

@@ -0,0 +1,100 @@
+From 09f03d6bd8842b58e6a1e50cf9c44a788b8d2693 Mon Sep 17 00:00:00 2001
+From: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
+Date: Fri, 4 Aug 2023 07:40:46 +0000
+Subject: [PATCH] block/nbd.c: Fixed IO request coroutine not being  wakeup
+ when kill NBD server mainline inclusion commit
+ 6690302b848e5b55e3e3da34f0ee7fd9f8602e23 category: bugfix
+
+---------------------------------------------------------------
+
+During the IO stress test, the IO request coroutine has a probability that is
+can't be awakened when the NBD server is killed.
+
+The GDB stack is as follows:
+(gdb) bt
+0  0x00007f2ff990cbf6 in __ppoll (fds=0x55575de85000, nfds=1, timeout=<optimized out>, sigmask=0x0) at ../sysdeps/unix/sysv/linux/ppoll.c:44
+1  0x000055575c302e7c in qemu_poll_ns (fds=0x55575de85000, nfds=1, timeout=599999603140) at ../util/qemu-timer.c:348
+2  0x000055575c2d3c34 in fdmon_poll_wait (ctx=0x55575dc480f0, ready_list=0x7ffd9dd1dae0, timeout=599999603140) at ../util/fdmon-poll.c:80
+3  0x000055575c2d350d in aio_poll (ctx=0x55575dc480f0, blocking=true) at ../util/aio-posix.c:655
+4  0x000055575c16eabd in bdrv_do_drained_begin(bs=0x55575dee7fe0, recursive=false, parent=0x0, ignore_bds_parents=false, poll=true)at ../block/io.c:474
+5  0x000055575c16eba6 in bdrv_drained_begin (bs=0x55575dee7fe0) at ../block/io.c:480
+6  0x000055575c1aff33 in quorum_del_child (bs=0x55575dee7fe0, child=0x55575dcea690, errp=0x7ffd9dd1dd08) at ../block/quorum.c:1130
+7  0x000055575c14239b in bdrv_del_child (parent_bs=0x55575dee7fe0, child=0x55575dcea690, errp=0x7ffd9dd1dd08) at ../block.c:7705
+8  0x000055575c12da28 in qmp_x_blockdev_change(parent=0x55575df404c0 "colo-disk0", has_child=true, child=0x55575de867f0 "children.1", has_node=false, no   de=0x0, errp=0x7ffd9dd1dd08) at ../blockdev.c:3676
+9  0x000055575c258435 in qmp_marshal_x_blockdev_change (args=0x7f2fec008190, ret=0x7f2ff7b0bd98, errp=0x7f2ff7b0bd90) at qapi/qapi-commands-block-core.c   :1675
+10 0x000055575c2c6201 in do_qmp_dispatch_bh (opaque=0x7f2ff7b0be30) at ../qapi/qmp-dispatch.c:129
+11 0x000055575c2ebb1c in aio_bh_call (bh=0x55575dc429c0) at ../util/async.c:141
+12 0x000055575c2ebc2a in aio_bh_poll (ctx=0x55575dc480f0) at ../util/async.c:169
+13 0x000055575c2d2d96 in aio_dispatch (ctx=0x55575dc480f0) at ../util/aio-posix.c:415
+14 0x000055575c2ec07f in aio_ctx_dispatch (source=0x55575dc480f0, callback=0x0, user_data=0x0) at ../util/async.c:311
+15 0x00007f2ff9e7cfbd in g_main_context_dispatch () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
+16 0x000055575c2fd581 in glib_pollfds_poll () at ../util/main-loop.c:232
+17 0x000055575c2fd5ff in os_host_main_loop_wait (timeout=0) at ../util/main-loop.c:255
+18 0x000055575c2fd710 in main_loop_wait (nonblocking=0) at ../util/main-loop.c:531
+19 0x000055575bfa7588 in qemu_main_loop () at ../softmmu/runstate.c:726
+20 0x000055575bbee57a in main (argc=60, argv=0x7ffd9dd1e0e8, envp=0x7ffd9dd1e2d0) at ../softmmu/main.c:50
+
+(gdb) qemu coroutine 0x55575e16aac0
+0  0x000055575c2ee7dc in qemu_coroutine_switch (from_=0x55575e16aac0, to_=0x7f2ff830fba0, action=COROUTINE_YIELD) at ../util/coroutine-ucontext.c:302
+1  0x000055575c2fe2a9 in qemu_coroutine_yield () at ../util/qemu-coroutine.c:195
+2  0x000055575c2fe93c in qemu_co_queue_wait_impl (queue=0x55575dc46170, lock=0x7f2b32ad9850) at ../util/qemu-coroutine-lock.c:56
+3  0x000055575c17ddfb in nbd_co_send_request (bs=0x55575ebfaf20, request=0x7f2b32ad9920, qiov=0x55575dfc15d8) at ../block/nbd.c:478
+4  0x000055575c17f931 in nbd_co_request (bs=0x55575ebfaf20, request=0x7f2b32ad9920, write_qiov=0x55575dfc15d8) at ../block/nbd.c:1182
+5  0x000055575c17fe14 in nbd_client_co_pwritev (bs=0x55575ebfaf20, offset=403487858688, bytes=4538368, qiov=0x55575dfc15d8, flags=0) at ../block/nbd.c:1284
+6  0x000055575c170d25 in bdrv_driver_pwritev (bs=0x55575ebfaf20, offset=403487858688, bytes=4538368, qiov=0x55575dfc15d8, qiov_offset=0, flags=0)
+    at ../block/io.c:1264
+7  0x000055575c1733b4 in bdrv_aligned_pwritev
+    (child=0x55575dff6890, req=0x7f2b32ad9ad0, offset=403487858688, bytes=4538368, align=1, qiov=0x55575dfc15d8, qiov_offset=0, flags=0) at ../block/io.c:2126
+8  0x000055575c173c67 in bdrv_co_pwritev_part (child=0x55575dff6890, offset=403487858688, bytes=4538368, qiov=0x55575dfc15d8, qiov_offset=0, flags=0)
+    at ../block/io.c:2314
+9  0x000055575c17391b in bdrv_co_pwritev (child=0x55575dff6890, offset=403487858688, bytes=4538368, qiov=0x55575dfc15d8, flags=0) at ../block/io.c:2233
+10 0x000055575c1ee506 in replication_co_writev (bs=0x55575e9824f0, sector_num=788062224, remaining_sectors=8864, qiov=0x55575dfc15d8, flags=0)
+    at ../block/replication.c:270
+11 0x000055575c170eed in bdrv_driver_pwritev (bs=0x55575e9824f0, offset=403487858688, bytes=4538368, qiov=0x55575dfc15d8, qiov_offset=0, flags=0)
+    at ../block/io.c:1297
+12 0x000055575c1733b4 in bdrv_aligned_pwritev
+    (child=0x55575dcea690, req=0x7f2b32ad9e00, offset=403487858688, bytes=4538368, align=512, qiov=0x55575dfc15d8, qiov_offset=0, flags=0)
+    at ../block/io.c:2126
+13 0x000055575c173c67 in bdrv_co_pwritev_part (child=0x55575dcea690, offset=403487858688, bytes=4538368, qiov=0x55575dfc15d8, qiov_offset=0, flags=0)
+    at ../block/io.c:2314
+14 0x000055575c17391b in bdrv_co_pwritev (child=0x55575dcea690, offset=403487858688, bytes=4538368, qiov=0x55575dfc15d8, flags=0) at ../block/io.c:2233
+15 0x000055575c1aeffa in write_quorum_entry (opaque=0x7f2fddaf8c50) at ../block/quorum.c:699
+16 0x000055575c2ee4db in coroutine_trampoline (i0=1578543808, i1=21847) at ../util/coroutine-ucontext.c:173
+17 0x00007f2ff9855660 in __start_context () at ../sysdeps/unix/sysv/linux/x86_64/__start_context.S:91
+
+When we do failover in COLO mode, QEMU will hang while it is waiting for
+the in-flight IO. From the call trace, we can see the IO request coroutine
+has yielded in nbd_co_send_request(). When we kill the NBD server, it will never
+be wake up. Actually, when we do IO stress test, it will have a lot of
+requests in free_sema queue. When the NBD server is killed, current
+MAX_NBD_REQUESTS finishes with errors but they wake up at most
+MAX_NBD_REQEUSTS from the queue. So, let's move qemu_co_queue_next out
+to fix this issue.
+
+Signed-off-by: Lei Rao <lei.rao@intel.com>
+Message-Id: <20220309074844.275450-1-lei.rao@intel.com>
+Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+Signed-off-by: Eric Blake <eblake@redhat.com>
+
+Signed-off-by: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
+---
+ block/nbd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/block/nbd.c b/block/nbd.c
+index 5853d85d60..33adfddc41 100644
+--- a/block/nbd.c
++++ b/block/nbd.c
+@@ -529,8 +529,8 @@ err:
+         if (i != -1) {
+             s->requests[i].coroutine = NULL;
+             s->in_flight--;
+-            qemu_co_queue_next(&s->free_sema);
+         }
++        qemu_co_queue_next(&s->free_sema);
+     }
+     qemu_co_mutex_unlock(&s->send_mutex);
+     return rc;
+-- 
+2.41.0.windows.1
+

block-nfs-Fix-32-bit-Windows-build.patch

@@ -0,0 +1,58 @@
+From 5969f357385914e29a847c030d195cb8476f38c4 Mon Sep 17 00:00:00 2001
+From: qihao <qihao_yewu@cmss.chinamobile.com>
+Date: Thu, 3 Aug 2023 19:19:26 +0800
+Subject: [PATCH] block/nfs: Fix 32-bit Windows build
+
+cheery-pick from 588fec8a4c3fe9e0d1cb3f7ea6fdd46221e42814
+
+libnfs.h declares nfs_fstat() as the following for win32:
+
+int nfs_fstat(struct nfs_context *nfs, struct nfsfh *nfsfh,
+struct __stat64 *st);
+
+The 'st' parameter should be of type 'struct __stat64'. The
+codes happen to build successfully for 64-bit Windows, but it
+does not build for 32-bit Windows.
+
+Fixes: 6542aa9c75bc ("block: add native support for NFS")
+Fixes: 18a8056e0bc7 ("block/nfs: cache allocated filesize for read-only files")
+Signed-off-by: Bin Meng <bin.meng@windriver.com>
+Message-Id: <20220908132817.1831008-6-bmeng.cn@gmail.com>
+Reviewed-by: Stefan Weil <sw@weilnetz.de>
+Signed-off-by: Stefan Weil <sw@weilnetz.de>
+Signed-off-by: qihao_yewu <qihao_yewu@cmss.chinamobile.com>
+---
+ block/nfs.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/block/nfs.c b/block/nfs.c
+index 577aea1d22..56b25829cf 100644
+--- a/block/nfs.c
++++ b/block/nfs.c
+@@ -418,7 +418,11 @@ static int64_t nfs_client_open(NFSClient *client, BlockdevOptionsNfs *opts,
+                                int flags, int open_flags, Error **errp)
+ {
+     int64_t ret = -EINVAL;
++#ifdef _WIN32
++    struct __stat64 st;
++#else
+     struct stat st;
++#endif
+     char *file = NULL, *strp = NULL;
+ 
+     qemu_mutex_init(&client->mutex);
+@@ -781,7 +785,11 @@ static int nfs_reopen_prepare(BDRVReopenState *state,
+                               BlockReopenQueue *queue, Error **errp)
+ {
+     NFSClient *client = state->bs->opaque;
++#ifdef _WIN32
++    struct __stat64 st;
++#else
+     struct stat st;
++#endif
+     int ret = 0;
+ 
+     if (state->flags & BDRV_O_RDWR && bdrv_is_read_only(state->bs)) {
+-- 
+2.41.0.windows.1
+

block-rbd-fix-write-zeroes-with-growing-images.patch

@@ -0,0 +1,76 @@
+From c0caaf3367912df00107e6cd49809a48ccc566fb Mon Sep 17 00:00:00 2001
+From: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
+Date: Fri, 4 Aug 2023 08:03:35 +0000
+Subject: [PATCH] block/rbd: fix write zeroes with growing images mainline
+ inclusion commit cc5387a544325c26dcf124ac7d3999389c24e5c6 category: bugfix
+
+---------------------------------------------------------------
+
+Commit d24f80234b ("block/rbd: increase dynamically the image size")
+added a workaround to support growing images (eg. qcow2), resizing
+the image before write operations that exceed the current size.
+
+We recently added support for write zeroes and without the
+workaround we can have problems with qcow2.
+
+So let's move the resize into qemu_rbd_start_co() and do it when
+the command is RBD_AIO_WRITE or RBD_AIO_WRITE_ZEROES.
+
+Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=2020993
+Fixes: c56ac27d2a ("block/rbd: add write zeroes support")
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+Message-Id: <20220317162638.41192-1-sgarzare@redhat.com>
+Signed-off-by: Hanna Reitz <hreitz@redhat.com>
+
+Signed-off-by: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
+---
+ block/rbd.c | 26 ++++++++++++++------------
+ 1 file changed, 14 insertions(+), 12 deletions(-)
+
+diff --git a/block/rbd.c b/block/rbd.c
+index 92dfb6083b..ccb14efd55 100644
+--- a/block/rbd.c
++++ b/block/rbd.c
+@@ -1107,6 +1107,20 @@ static int coroutine_fn qemu_rbd_start_co(BlockDriverState *bs,
+ 
+     assert(!qiov || qiov->size == bytes);
+ 
++    if (cmd == RBD_AIO_WRITE || cmd == RBD_AIO_WRITE_ZEROES) {
++        /*
++         * RBD APIs don't allow us to write more than actual size, so in order
++         * to support growing images, we resize the image before write
++         * operations that exceed the current size.
++         */
++        if (offset + bytes > s->image_size) {
++            int r = qemu_rbd_resize(bs, offset + bytes);
++            if (r < 0) {
++                return r;
++            }
++        }
++    }
++
+     r = rbd_aio_create_completion(&task,
+                                   (rbd_callback_t) qemu_rbd_completion_cb, &c);
+     if (r < 0) {
+@@ -1182,18 +1196,6 @@ coroutine_fn qemu_rbd_co_pwritev(BlockDriverState *bs, int64_t offset,
+                                  int64_t bytes, QEMUIOVector *qiov,
+                                  BdrvRequestFlags flags)
+ {
+-    BDRVRBDState *s = bs->opaque;
+-    /*
+-     * RBD APIs don't allow us to write more than actual size, so in order
+-     * to support growing images, we resize the image before write
+-     * operations that exceed the current size.
+-     */
+-    if (offset + bytes > s->image_size) {
+-        int r = qemu_rbd_resize(bs, offset + bytes);
+-        if (r < 0) {
+-            return r;
+-        }
+-    }
+     return qemu_rbd_start_co(bs, offset, bytes, qiov, flags, RBD_AIO_WRITE);
+ }
+ 
+-- 
+2.41.0.windows.1
+

chardev-char-socket-set-s-listener-NULL-in-char_sock.patch

@@ -0,0 +1,75 @@
+From 936bf87a5acca3414625768c351fcc4e378fa30d Mon Sep 17 00:00:00 2001
+From: xiaowanghe <xiaowanghe_yewu@cmss.chinamobile.com>
+Date: Mon, 8 May 2023 00:24:18 -0700
+Subject: [PATCH] chardev/char-socket: set s->listener = NULL in
+ char_socket_finalize
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+cherry picked from commit b8a7f51f59e28d5a8e0c07ed3919cc9695560ed2
+
+After live migration with virtio block device, qemu crash at:
+
+	#0  0x000055914f46f795 in object_dynamic_cast_assert (obj=0x559151b7b090, typename=0x55914f80fbc4 "qio-channel", file=0x55914f80fb90 "/images/testvfe/sw/qemu.gerrit/include/io/channel.h", line=30, func=0x55914f80fcb8 <__func__.17257> "QIO_CHANNEL") at ../qom/object.c:872
+	#1  0x000055914f480d68 in QIO_CHANNEL (obj=0x559151b7b090) at /images/testvfe/sw/qemu.gerrit/include/io/channel.h:29
+	#2  0x000055914f4812f8 in qio_net_listener_set_client_func_full (listener=0x559151b7a720, func=0x55914f580b97 <tcp_chr_accept>, data=0x5591519f4ea0, notify=0x0, context=0x0) at ../io/net-listener.c:166
+	#3  0x000055914f580059 in tcp_chr_update_read_handler (chr=0x5591519f4ea0) at ../chardev/char-socket.c:637
+	#4  0x000055914f583dca in qemu_chr_be_update_read_handlers (s=0x5591519f4ea0, context=0x0) at ../chardev/char.c:226
+	#5  0x000055914f57b7c9 in qemu_chr_fe_set_handlers_full (b=0x559152bf23a0, fd_can_read=0x0, fd_read=0x0, fd_event=0x0, be_change=0x0, opaque=0x0, context=0x0, set_open=false, sync_state=true) at ../chardev/char-fe.c:279
+	#6  0x000055914f57b86d in qemu_chr_fe_set_handlers (b=0x559152bf23a0, fd_can_read=0x0, fd_read=0x0, fd_event=0x0, be_change=0x0, opaque=0x0, context=0x0, set_open=false) at ../chardev/char-fe.c:304
+	#7  0x000055914f378caf in vhost_user_async_close (d=0x559152bf21a0, chardev=0x559152bf23a0, vhost=0x559152bf2420, cb=0x55914f2fb8c1 <vhost_user_blk_disconnect>) at ../hw/virtio/vhost-user.c:2725
+	#8  0x000055914f2fba40 in vhost_user_blk_event (opaque=0x559152bf21a0, event=CHR_EVENT_CLOSED) at ../hw/block/vhost-user-blk.c:395
+	#9  0x000055914f58388c in chr_be_event (s=0x5591519f4ea0, event=CHR_EVENT_CLOSED) at ../chardev/char.c:61
+	#10 0x000055914f583905 in qemu_chr_be_event (s=0x5591519f4ea0, event=CHR_EVENT_CLOSED) at ../chardev/char.c:81
+	#11 0x000055914f581275 in char_socket_finalize (obj=0x5591519f4ea0) at ../chardev/char-socket.c:1083
+	#12 0x000055914f46f073 in object_deinit (obj=0x5591519f4ea0, type=0x5591519055c0) at ../qom/object.c:680
+	#13 0x000055914f46f0e5 in object_finalize (data=0x5591519f4ea0) at ../qom/object.c:694
+	#14 0x000055914f46ff06 in object_unref (objptr=0x5591519f4ea0) at ../qom/object.c:1202
+	#15 0x000055914f4715a4 in object_finalize_child_property (obj=0x559151b76c50, name=0x559151b7b250 "char3", opaque=0x5591519f4ea0) at ../qom/object.c:1747
+	#16 0x000055914f46ee86 in object_property_del_all (obj=0x559151b76c50) at ../qom/object.c:632
+	#17 0x000055914f46f0d2 in object_finalize (data=0x559151b76c50) at ../qom/object.c:693
+	#18 0x000055914f46ff06 in object_unref (objptr=0x559151b76c50) at ../qom/object.c:1202
+	#19 0x000055914f4715a4 in object_finalize_child_property (obj=0x559151b6b560, name=0x559151b76630 "chardevs", opaque=0x559151b76c50) at ../qom/object.c:1747
+	#20 0x000055914f46ef67 in object_property_del_child (obj=0x559151b6b560, child=0x559151b76c50) at ../qom/object.c:654
+	#21 0x000055914f46f042 in object_unparent (obj=0x559151b76c50) at ../qom/object.c:673
+	#22 0x000055914f58632a in qemu_chr_cleanup () at ../chardev/char.c:1189
+	#23 0x000055914f16c66c in qemu_cleanup () at ../softmmu/runstate.c:830
+	#24 0x000055914eee7b9e in qemu_default_main () at ../softmmu/main.c:38
+	#25 0x000055914eee7bcc in main (argc=86, argv=0x7ffc97cb8d88) at ../softmmu/main.c:48
+
+In char_socket_finalize after s->listener freed, event callback function
+vhost_user_blk_event will be called to handle CHR_EVENT_CLOSED.
+vhost_user_blk_event is calling qio_net_listener_set_client_func_full which
+is still using s->listener.
+
+Setting s->listener = NULL after object_unref(OBJECT(s->listener)) can
+solve this issue.
+
+Signed-off-by: Yajun Wu <yajunw@nvidia.com>
+Acked-by: Jiri Pirko <jiri@nvidia.com>
+Message-Id: <20230214021430.3638579-1-yajunw@nvidia.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+
+Signed-off-by: Wanghe Xiao <xiaowanghe_yewu@cmss.chinamobile.com>
+---
+ chardev/char-socket.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/chardev/char-socket.c b/chardev/char-socket.c
+index 57ae53304a..459b9b72bd 100644
+--- a/chardev/char-socket.c
++++ b/chardev/char-socket.c
+@@ -1142,6 +1142,7 @@ static void char_socket_finalize(Object *obj)
+         qio_net_listener_set_client_func_full(s->listener, NULL, NULL,
+                                               NULL, chr->gcontext);
+         object_unref(OBJECT(s->listener));
++        s->listener = NULL;
+     }
+     if (s->tls_creds) {
+         object_unref(OBJECT(s->tls_creds));
+-- 
+2.41.0.windows.1
+

disas-riscv-Fix-ctzw-disassemble.patch

@@ -0,0 +1,37 @@
+From 6872e7bf919dd5f2852c07850899cdb510eccfdf Mon Sep 17 00:00:00 2001
+From: xiaowanghe <xiaowanghe_yewu@cmss.chinamobile.com>
+Date: Tue, 1 Aug 2023 23:46:43 -0700
+Subject: [PATCH] disas/riscv Fix ctzw disassemble
+
+cherry picked from commit 270629024df1f9f4e704ce8325f958858c5cbff7
+
+Due to typo in opcode list, ctzw is disassembled as clzw instruction.
+
+Signed-off-by: Ivan Klokov <ivan.klokov@syntacore.com>
+Fixes: 02c1b569a15b ("disas/riscv: Add Zb[abcs] instructions")
+Reviewed-by: Weiwei Li <liweiwei@iscas.ac.cn>
+Reviewed-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>
+Message-ID: <20230217151459.54649-1-ivan.klokov@syntacore.com>
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+
+Signed-off-by: Wanghe Xiao <xiaowanghe_yewu@cmss.chinamobile.com>
+---
+ disas/riscv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/disas/riscv.c b/disas/riscv.c
+index 793ad14c27..6768ec8188 100644
+--- a/disas/riscv.c
++++ b/disas/riscv.c
+@@ -1189,7 +1189,7 @@ const rv_opcode_data opcode_data[] = {
+     { "max", rv_codec_r, rv_fmt_rd_rs1_rs2, NULL, 0, 0, 0 },
+     { "maxu", rv_codec_r, rv_fmt_rd_rs1_rs2, NULL, 0, 0, 0 },
+     { "clzw", rv_codec_r, rv_fmt_rd_rs1, NULL, 0, 0, 0 },
+-    { "clzw", rv_codec_r, rv_fmt_rd_rs1, NULL, 0, 0, 0 },
++    { "ctzw", rv_codec_r, rv_fmt_rd_rs1, NULL, 0, 0, 0 },
+     { "cpopw", rv_codec_r, rv_fmt_rd_rs1, NULL, 0, 0, 0 },
+     { "slli.uw", rv_codec_r, rv_fmt_rd_rs1_rs2, NULL, 0, 0, 0 },
+     { "add.uw", rv_codec_r, rv_fmt_rd_rs1_rs2, NULL, 0, 0, 0 },
+-- 
+2.41.0.windows.1
+

docs-about-build-platforms-Refine-the-distro-support.patch

@@ -0,0 +1,40 @@
+From 97db7448bb28e42fae5acb3eb556cfa03a11e0a8 Mon Sep 17 00:00:00 2001
+From: xiaowanghe <xiaowanghe_yewu@cmss.chinamobile.com>
+Date: Wed, 2 Aug 2023 00:02:08 -0700
+Subject: [PATCH] docs/about/build-platforms: Refine the distro support policy
+
+cherry picked from commit 270629024df1f9f4e704ce8325f958858c5cbff7
+
+For long-term distributions that release a new version only very
+seldom, we limit the support to five years after the initial release.
+Otherwise, we might need to support distros like openSUSE 15 for
+up to 7 or even more years in total due to our "two more years
+after the next major release" rule, which is just way too much to
+handle in a project like QEMU that only has limited human resources.
+
+Message-Id: <20230223193257.1068205-1-thuth@redhat.com>
+Reviewed-by: Markus Armbruster <armbru@redhat.com>
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+
+Signed-off-by: Wanghe Xiao <xiaowanghe_yewu@cmss.chinamobile.com>
+---
+ docs/about/build-platforms.rst | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/docs/about/build-platforms.rst b/docs/about/build-platforms.rst
+index c29a4b8fe6..d893a2be1c 100644
+--- a/docs/about/build-platforms.rst
++++ b/docs/about/build-platforms.rst
+@@ -67,7 +67,8 @@ Non-supported architectures may be removed in the future following the
+ Linux OS, macOS, FreeBSD, NetBSD, OpenBSD
+ -----------------------------------------
+ 
+-The project aims to support the most recent major version at all times. Support
++The project aims to support the most recent major version at all times for
++up to five years after its initial release. Support
+ for the previous major version will be dropped 2 years after the new major
+ version is released or when the vendor itself drops support, whichever comes
+ first. In this context, third-party efforts to extend the lifetime of a distro
+-- 
+2.41.0.windows.1
+

hw-xen-xen_pt-fix-uninitialized-variable.patch

@@ -0,0 +1,45 @@
+From 26bc780b9357bc50131242915175cf1db8c82b0e Mon Sep 17 00:00:00 2001
+From: xiaowanghe <xiaowanghe_yewu@cmss.chinamobile.com>
+Date: Tue, 1 Aug 2023 23:30:04 -0700
+Subject: [PATCH] hw/xen/xen_pt: fix uninitialized variable
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+cherry picked from commit 3856734d80fbf46683e4080117ed961f5ab1300b
+
+xen_pt_config_reg_init() reads only that many bytes as the size of the
+register that is being initialized. It uses
+xen_host_pci_get_{byte,word,long} and casts its last argument to
+expected pointer type. This means for smaller registers higher bits of
+'val' are not initialized. Then, the function fails if any of those
+higher bits are set.
+
+Fix this by initializing 'val' with zero.
+
+Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
+Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
+Message-Id: <20230127050815.4155276-1-marmarek@invisiblethingslab.com>
+Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
+
+Signed-off-by: Wanghe Xiao <xiaowanghe_yewu@cmss.chinamobile.com>
+---
+ hw/xen/xen_pt_config_init.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/xen/xen_pt_config_init.c b/hw/xen/xen_pt_config_init.c
+index c5c4e943a8..e7bcbe4c4f 100644
+--- a/hw/xen/xen_pt_config_init.c
++++ b/hw/xen/xen_pt_config_init.c
+@@ -1924,7 +1924,7 @@ static void xen_pt_config_reg_init(XenPCIPassthroughState *s,
+     if (reg->init) {
+         uint32_t host_mask, size_mask;
+         unsigned int offset;
+-        uint32_t val;
++        uint32_t val = 0;
+ 
+         /* initialize emulate register */
+         rc = reg->init(s, reg_entry->reg,
+-- 
+2.41.0.windows.1
+

migration-ram-Fix-error-handling-in-ram_write_tracki.patch

@@ -0,0 +1,50 @@
+From 93fc70a80b9734301472bb827cf3685366bfeb19 Mon Sep 17 00:00:00 2001
+From: qihao <qihao_yewu@cmss.chinamobile.com>
+Date: Fri, 28 Jul 2023 10:39:55 +0800
+Subject: [PATCH] migration/ram: Fix error handling in
+ ram_write_tracking_start()
+
+cherry picked from commit 72ef3a370836aa07261ad7aaeea27ed5cbcee342
+
+If something goes wrong during uffd_change_protection(), we would miss
+to unregister uffd-wp and not release our reference. Fix it by
+performing the uffd_change_protection(true) last.
+
+Note that a uffd_change_protection(false) on the recovery path without a
+prior uffd_change_protection(false) is fine.
+
+Fixes: 278e2f551a09 ("migration: support UFFD write fault processing in ram_save_iterate()")
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Peter Xu <peterx@redhat.com>
+Reviewed-by: Juan Quintela <quintela@redhat.com>
+Signed-off-by: David Hildenbrand <david@redhat.com>
+Signed-off-by: Juan Quintela <quintela@redhat.com>
+Signed-off-by: qihao_yewu <qihao_yewu@cmss.chinamobile.com>
+---
+ migration/ram.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/migration/ram.c b/migration/ram.c
+index 12b8c653d8..f422fd0bc2 100644
+--- a/migration/ram.c
++++ b/migration/ram.c
+@@ -2140,13 +2140,14 @@ int ram_write_tracking_start(void)
+                 block->max_length, UFFDIO_REGISTER_MODE_WP, NULL)) {
+             goto fail;
+         }
++        block->flags |= RAM_UF_WRITEPROTECT;
++        memory_region_ref(block->mr);
++
+         /* Apply UFFD write protection to the block memory range */
+         if (uffd_change_protection(rs->uffdio_fd, block->host,
+                 block->max_length, true, false)) {
+             goto fail;
+         }
+-        block->flags |= RAM_UF_WRITEPROTECT;
+-        memory_region_ref(block->mr);
+ 
+         trace_ram_write_tracking_ramblock_start(block->idstr, block->page_size,
+                 block->host, block->max_length);
+-- 
+2.41.0.windows.1
+

migration-ram-Fix-populate_read_range.patch

@@ -0,0 +1,46 @@
+From 069ad2e6d5ce48c96519ff55ace2ca2bcdac94d5 Mon Sep 17 00:00:00 2001
+From: qihao <qihao_yewu@cmss.chinamobile.com>
+Date: Thu, 27 Jul 2023 13:26:21 +0800
+Subject: [PATCH] migration/ram: Fix populate_read_range()
+
+cheery-pick from 5f19a4491941fdc5c5b50ce4ade6ffffe0f591b4
+
+Unfortunately, commit f7b9dcfbcf44 broke populate_read_range(): the loop
+end condition is very wrong, resulting in that function not populating the
+full range. Lets' fix that.
+
+Fixes: f7b9dcfbcf44 ("migration/ram: Factor out populating pages readable in ram_block_populate_pages()")
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Peter Xu <peterx@redhat.com>
+Reviewed-by: Juan Quintela <quintela@redhat.com>
+Signed-off-by: David Hildenbrand <david@redhat.com>
+Signed-off-by: Juan Quintela <quintela@redhat.com>
+Signed-off-by: qihao_yewu <qihao_yewu@cmss.chinamobile.com>
+---
+ migration/ram.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/migration/ram.c b/migration/ram.c
+index 12b8c653d8..444b6a7aa2 100644
+--- a/migration/ram.c
++++ b/migration/ram.c
+@@ -2020,13 +2020,15 @@ out:
+ static inline void populate_read_range(RAMBlock *block, ram_addr_t offset,
+                                        ram_addr_t size)
+ {
++    const ram_addr_t end = offset + size;
++
+     /*
+      * We read one byte of each page; this will preallocate page tables if
+      * required and populate the shared zeropage on MAP_PRIVATE anonymous memory
+      * where no page was populated yet. This might require adaption when
+      * supporting other mappings, like shmem.
+      */
+-    for (; offset < size; offset += block->page_size) {
++    for (; offset < end; offset += block->page_size) {
+         char tmp = *((char *)block->host + offset);
+ 
+         /* Don't optimize the read out */
+-- 
+2.41.0.windows.1
+

qapi-block-Tidy-up-block-latency-histogram-set-docum.patch

@@ -0,0 +1,77 @@
+From 880364a83e4c7a7e379136056d63346cbdd7c2f0 Mon Sep 17 00:00:00 2001
+From: zhujun2 <zhujun2_yewu@cmss.chinamobile.com>
+Date: Sun, 30 Jul 2023 18:58:08 -0700
+Subject: [PATCH] qapi/block: Tidy up block-latency-histogram-set documentation
+ mainline inclusion commit e893b9e3b3a6029384253f768cdc06969732e517 category:
+ bugfix
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+---------------------------------------------------------------
+
+Examples come out like
+
+Example
+
+set new histograms for all io types with intervals [0, 10), [10,
+    50), [50, 100), [100, +inf):
+
+The sentence "set new histograms ..." starts with a lower case letter.
+Capitalize it.  Same for the other examples.
+
+Signed-off-by: Markus Armbruster <armbru@redhat.com>
+Message-ID: <20230720071610.1096458-3-armbru@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
+Signed-off-by: zhujun2 <zhujun2_yewu@cmss.chinamobile.com>
+---
+ qapi/block.json | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/qapi/block.json b/qapi/block.json
+index 82fcf2c914..71136db777 100644
+--- a/qapi/block.json
++++ b/qapi/block.json
+@@ -529,7 +529,8 @@
+ # Since: 4.0
+ #
+ # Example:
+-# set new histograms for all io types with intervals
++
++# Set new histograms for all io types with intervals
+ # [0, 10), [10, 50), [50, 100), [100, +inf):
+ #
+ # -> { "execute": "block-latency-histogram-set",
+@@ -538,7 +539,8 @@
+ # <- { "return": {} }
+ #
+ # Example:
+-# set new histogram only for write, other histograms will remain
++
++# Set new histogram only for write, other histograms will remain
+ # not changed (or not created):
+ #
+ # -> { "execute": "block-latency-histogram-set",
+@@ -547,7 +549,8 @@
+ # <- { "return": {} }
+ #
+ # Example:
+-# set new histograms with the following intervals:
++
++# Set new histograms with the following intervals:
+ #   read, flush: [0, 10), [10, 50), [50, 100), [100, +inf)
+ #   write: [0, 1000), [1000, 5000), [5000, +inf)
+ #
+@@ -558,7 +561,8 @@
+ # <- { "return": {} }
+ #
+ # Example:
+-# remove all latency histograms:
++
++# Remove all latency histograms:
+ #
+ # -> { "execute": "block-latency-histogram-set",
+ #      "arguments": { "id": "drive0" } }
+-- 
+2.41.0.windows.1
+

qapi-qdev-Tidy-up-device_add-documentation.patch

@@ -0,0 +1,66 @@
+From 32b601ed22d154e9423911b27541b35aa12d18bb Mon Sep 17 00:00:00 2001
+From: Markus Armbruster <armbru@redhat.com>
+Date: Thu, 20 Jul 2023 09:16:06 +0200
+Subject: [PATCH] qapi/qdev: Tidy up device_add documentation mainline
+ inclusion commit a9c72efd6d6d62ac84ae57ca55606747e04e8ba7 category: bugfix
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+-------------------------------------------------------------------
+
+The notes section comes out like this:
+
+    Notes
+
+    Additional arguments depend on the type.
+
+    1. For detailed information about this command, please refer to the
+       ‘docs/qdev-device-use.txt’ file.
+
+    2. It’s possible to list device properties by running QEMU with the
+       “-device DEVICE,help” command-line argument, where DEVICE is the
+       device’s name
+
+The first item isn't numbered.  Fix that:
+
+    1. Additional arguments depend on the type.
+
+    2. For detailed information about this command, please refer to the
+       ‘docs/qdev-device-use.txt’ file.
+
+    3. It’s possible to list device properties by running QEMU with the
+       “-device DEVICE,help” command-line argument, where DEVICE is the
+       device’s name
+
+Signed-off-by: Markus Armbruster <armbru@redhat.com>
+Message-ID: <20230720071610.1096458-4-armbru@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
+Signed-off-by: zhujun2 <zhujun2_yewu@cmss.chinamobile.com>
+---
+ qapi/qdev.json | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/qapi/qdev.json b/qapi/qdev.json
+index 69656b14df..ca96a0c6eb 100644
+--- a/qapi/qdev.json
++++ b/qapi/qdev.json
+@@ -47,12 +47,12 @@
+ #
+ # Notes:
+ #
+-# Additional arguments depend on the type.
++# 1. Additional arguments depend on the type.
+ #
+-# 1. For detailed information about this command, please refer to the
++# 2. For detailed information about this command, please refer to the
+ #    'docs/qdev-device-use.txt' file.
+ #
+-# 2. It's possible to list device properties by running QEMU with the
++# 3. It's possible to list device properties by running QEMU with the
+ #    "-device DEVICE,help" command-line argument, where DEVICE is the
+ #    device's name
+ #
+-- 
+2.41.0.windows.1
+

qapi-support-updating-expected-test-output-via-make.patch

@@ -0,0 +1,43 @@
+From fb63e3343eaaf1d5aaf0a28e2f3ed2248a11e86a Mon Sep 17 00:00:00 2001
+From: xiaowanghe <xiaowanghe_yewu@cmss.chinamobile.com>
+Date: Mon, 7 Aug 2023 00:28:14 -0700
+Subject: [PATCH] qapi: support updating expected test output via make
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+cherry picked from commit 7ce54db23048bfcc3ea6821525bf333b715c7655
+
+It is possible to pass --update to tests/qapi-schema/test-qapi.py
+to make it update the output files on error. This is inconvenient
+to achieve though when test-qapi.py is run indirectly by make/meson.
+
+Instead simply allow for an env variable to be set:
+
+ $ QAPI_TEST_UPDATE= make check-qapi-schema
+
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+Message-Id: <20230420102619.348173-2-berrange@redhat.com>
+Reviewed-by: Markus Armbruster <armbru@redhat.com>
+Signed-off-by: Markus Armbruster <armbru@redhat.com>
+
+Signed-off-by: Wanghe Xiao <xiaowanghe_yewu@cmss.chinamobile.com>
+---
+ tests/qapi-schema/test-qapi.py | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tests/qapi-schema/test-qapi.py b/tests/qapi-schema/test-qapi.py
+index 2160cef082..d58c31f539 100755
+--- a/tests/qapi-schema/test-qapi.py
++++ b/tests/qapi-schema/test-qapi.py
+@@ -206,6 +206,7 @@ def main(argv):
+     parser.add_argument('-d', '--dir', action='store', default='',
+                         help="directory containing tests")
+     parser.add_argument('-u', '--update', action='store_true',
++                        default='QAPI_TEST_UPDATE' in os.environ,
+                         help="update expected test results")
+     parser.add_argument('tests', nargs='*', metavar='TEST', action='store')
+     args = parser.parse_args()
+-- 
+2.41.0.windows.1
+

qemu.spec

@@ -3,7 +3,7 @@
 
 Name: qemu
 Version: 6.2.0
-Release: 77
+Release: 78
 Epoch: 10
 Summary: QEMU is a generic and open source machine emulator and virtualizer
 License: GPLv2 and BSD and MIT and CC-BY-SA-4.0
@@ -531,6 +531,28 @@ Patch0516: ide-Increment-BB-in-flight-counter-for-TRIM-BH.patch
 Patch0517: qga-win32-Remove-change-action-from-MSI-installer.patch
 Patch0518: qga-win32-Use-rundll-for-VSS-installation.patch
 Patch0519: test-vmstate-fix-bad-GTree-usage-use-after-free.patch
+Patch0520: Check-and-report-for-incomplete-global-option-format.patch
+Patch0521: migration-ram-Fix-populate_read_range.patch
+Patch0522: vfio-Fix-vfio_get_dev_region-trace-event.patch
+Patch0523: disas-riscv-Fix-ctzw-disassemble.patch
+Patch0524: qapi-block-Tidy-up-block-latency-histogram-set-docum.patch
+Patch0525: chardev-char-socket-set-s-listener-NULL-in-char_sock.patch
+Patch0526: QGA-VSS-Add-wrapper-to-send-log-to-debugger-and-stde.patch
+Patch0527: xen-block-Avoid-leaks-on-new-error-path.patch
+Patch0528: docs-about-build-platforms-Refine-the-distro-support.patch
+Patch0529: migration-ram-Fix-error-handling-in-ram_write_tracki.patch
+Patch0530: hw-xen-xen_pt-fix-uninitialized-variable.patch
+Patch0531: qapi-qdev-Tidy-up-device_add-documentation.patch
+Patch0532: block-nfs-Fix-32-bit-Windows-build.patch
+Patch0533: block-nbd.c-Fixed-IO-request-coroutine-not-being-wak.patch
+Patch0534: block-rbd-fix-write-zeroes-with-growing-images.patch
+Patch0535: block-Fix-misleading-hexadecimal-format.patch
+Patch0536: qapi-support-updating-expected-test-output-via-make.patch
+Patch0537: tests-vhost-user-test-release-mutex-on-protocol-viol.patch
+Patch0538: qga-Fix-suspend-on-Linux-guests-without-systemd.patch
+Patch0539: vhost-vdpa-do-not-cleanup-the-vdpa-vhost-net-structu.patch
+Patch0540: virtio-crypto-verify-src-dst-buffer-length-for-sym-r.patch
+Patch0541: sw_64-Added-sw64-architecture-related-updates.patch
 
 BuildRequires: flex
 BuildRequires: gcc
@@ -1104,6 +1126,30 @@ getent passwd qemu >/dev/null || \
 %endif
 
 %changelog
+* Tue Aug 15 2023 <fengjiabo1@huawei.com> - 10:6.2.0-78
+- sw_64: Added sw64 architecture related updates
+- virtio-crypto: verify src&dst buffer length for sym request
+- vhost-vdpa: do not cleanup the vdpa/vhost-net structures if peer nic is present
+- qga: Fix suspend on Linux guests without systemd
+- tests: vhost-user-test: release mutex on protocol violation
+- qapi: support updating expected test output via make
+- block: Fix misleading hexadecimal format
+- block/rbd: fix write zeroes with growing images
+- block/nbd.c: Fixed IO request coroutine not being wakeup when kill NBD server
+- block/nfs: Fix 32-bit Windows build
+- qapi/qdev: Tidy up device_add documentation
+- hw/xen/xen_pt: fix uninitialized variable
+- migration/ram: Fix error handling in ram_write_tracking_start()
+- docs/about/build-platforms: Refine the distro support policy
+- xen-block: Avoid leaks on new error path
+- QGA VSS: Add wrapper to send log to debugger and stderr
+- chardev/char-socket: set s->listener = NULL in char_socket_finalize
+- qapi/block: Tidy up block-latency-histogram-set documentation
+- disas/riscv Fix ctzw disassemble
+- vfio: Fix vfio_get_dev_region() trace event
+- migration/ram: Fix populate_read_range()
+- Check and report for incomplete 'global' option  format
+
 * Mon Aug 7 2023 <fengjiabo1@huawei.com> - 10:6.2.0-77
 - test-vmstate: fix bad GTree usage, use-after-free
 

qga-Fix-suspend-on-Linux-guests-without-systemd.patch

@@ -0,0 +1,57 @@
+From 9f4819201fb35b419ea21d37755c4cb62454a270 Mon Sep 17 00:00:00 2001
+From: qihao <qihao_yewu@cmss.chinamobile.com>
+Date: Thu, 10 Aug 2023 13:59:53 +0800
+Subject: [PATCH] qga: Fix suspend on Linux guests without systemd
+
+cheery-pick from 86dcb6ab9b603450eb6d896cdc95286de2c7d561
+
+Allow the Linux guest agent to attempt each of the suspend methods
+(systemctl, pm-* and writing to /sys) in turn.
+
+Prior to this guests without systemd failed to suspend due to
+`guest_suspend` returning early regardless of the return value of
+`systemd_supports_mode`.
+
+Signed-off-by: Mark Somerville <mark@qpok.net>
+Reviewed-by: Konstantin Kostiuk <kkostiuk@redhat.com>
+Signed-off-by: Konstantin Kostiuk <kkostiuk@redhat.com>
+Signed-off-by: qihao_yewu <qihao_yewu@cmss.chinamobile.com>
+---
+ qga/commands-posix.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/qga/commands-posix.c b/qga/commands-posix.c
+index 75dbaab68e..4e06271889 100644
+--- a/qga/commands-posix.c
++++ b/qga/commands-posix.c
+@@ -2104,10 +2104,10 @@ static void guest_suspend(SuspendMode mode, Error **errp)
+     if (systemd_supports_mode(mode, &local_err)) {
+         mode_supported = true;
+         systemd_suspend(mode, &local_err);
+-    }
+ 
+-    if (!local_err) {
+-        return;
++        if (!local_err) {
++            return;
++        }
+     }
+ 
+     error_free(local_err);
+@@ -2116,10 +2116,10 @@ static void guest_suspend(SuspendMode mode, Error **errp)
+     if (pmutils_supports_mode(mode, &local_err)) {
+         mode_supported = true;
+         pmutils_suspend(mode, &local_err);
+-    }
+ 
+-    if (!local_err) {
+-        return;
++        if (!local_err) {
++            return;
++        }
+     }
+ 
+     error_free(local_err);
+-- 
+2.41.0.windows.1
+

tests-vhost-user-test-release-mutex-on-protocol-viol.patch

@@ -0,0 +1,40 @@
+From b09ffbe7b85f891a8f5d425e5a98298a55c8400b Mon Sep 17 00:00:00 2001
+From: xiaowanghe <xiaowanghe_yewu@cmss.chinamobile.com>
+Date: Sun, 6 Aug 2023 23:48:47 -0700
+Subject: [PATCH] tests: vhost-user-test: release mutex on protocol violation
+
+cherry picked from commit 9260993e27cdbbd2e829d405cc63b1faefec6088
+
+chr_read() is printing an error message and returning with s->data_mutex taken.
+This can potentially cause a hang.  Reported by Coverity.
+
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Wanghe Xiao <xiaowanghe_yewu@cmss.chinamobile.com>
+---
+ tests/qtest/vhost-user-test.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/tests/qtest/vhost-user-test.c b/tests/qtest/vhost-user-test.c
+index 3d6337fb5c..d07babc06d 100644
+--- a/tests/qtest/vhost-user-test.c
++++ b/tests/qtest/vhost-user-test.c
+@@ -328,7 +328,7 @@ static void chr_read(void *opaque, const uint8_t *buf, int size)
+         if (size != msg.size) {
+             g_test_message("Wrong message size received %d != %d",
+                            size, msg.size);
+-            return;
++            goto out;
+         }
+     }
+ 
+@@ -429,6 +429,7 @@ static void chr_read(void *opaque, const uint8_t *buf, int size)
+         break;
+     }
+ 
++out:
+     g_mutex_unlock(&s->data_mutex);
+ }
+ 
+-- 
+2.41.0.windows.1
+

vfio-Fix-vfio_get_dev_region-trace-event.patch

@@ -0,0 +1,41 @@
+From e2ceb2def76cc917d3165a804025e630c3bedad1 Mon Sep 17 00:00:00 2001
+From: xiaowanghe <xiaowanghe_yewu@cmss.chinamobile.com>
+Date: Wed, 2 Aug 2023 19:08:05 -0700
+Subject: [PATCH] vfio: Fix vfio_get_dev_region() trace event
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+cherry picked from commit 969dae5448eaa2914be5b974f9e0311b3f95ee2c
+
+Simply transpose 'x8' to fix the typo and remove the ending '8'
+
+Fixes: e61a424f05 ("vfio: Create device specific region info helper")
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1526
+Signed-off-by: Cédric Le Goater <clg@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
+Link: https://lore.kernel.org/r/20230303074330.2609377-1-clg@kaod.org
+[aw: commit log s/revert/transpose/]
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+
+Signed-off-by: Wanghe Xiao <xiaowanghe_yewu@cmss.chinamobile.com>
+---
+ hw/vfio/trace-events | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/vfio/trace-events b/hw/vfio/trace-events
+index 0ef1b5f4a6..f4b74a3e81 100644
+--- a/hw/vfio/trace-events
++++ b/hw/vfio/trace-events
+@@ -116,7 +116,7 @@ vfio_region_mmaps_set_enabled(const char *name, bool enabled) "Region %s mmaps e
+ vfio_region_unmap(const char *name, unsigned long offset, unsigned long end) "Region %s unmap [0x%lx - 0x%lx]"
+ vfio_region_sparse_mmap_header(const char *name, int index, int nr_areas) "Device %s region %d: %d sparse mmap entries"
+ vfio_region_sparse_mmap_entry(int i, unsigned long start, unsigned long end) "sparse entry %d [0x%lx - 0x%lx]"
+-vfio_get_dev_region(const char *name, int index, uint32_t type, uint32_t subtype) "%s index %d, %08x/%0x8"
++vfio_get_dev_region(const char *name, int index, uint32_t type, uint32_t subtype) "%s index %d, %08x/%08x"
+ vfio_dma_unmap_overflow_workaround(void) ""
+ 
+ # platform.c
+-- 
+2.41.0.windows.1
+

vhost-vdpa-do-not-cleanup-the-vdpa-vhost-net-structu.patch

@@ -0,0 +1,59 @@
+From b6e32ca6cb92d6b1c5414206a262fd72cedd56bc Mon Sep 17 00:00:00 2001
+From: Ani Sinha <anisinha@redhat.com>
+Date: Mon, 19 Jun 2023 12:22:09 +0530
+Subject: [PATCH] vhost-vdpa: do not cleanup the vdpa/vhost-net structures if
+ peer nic is present
+
+When a peer nic is still attached to the vdpa backend, it is too early to free
+up the vhost-net and vdpa structures. If these structures are freed here, then
+QEMU crashes when the guest is being shut down. The following call chain
+would result in an assertion failure since the pointer returned from
+vhost_vdpa_get_vhost_net() would be NULL:
+
+do_vm_stop() -> vm_state_notify() -> virtio_set_status() ->
+virtio_net_vhost_status() -> get_vhost_net().
+
+Therefore, we defer freeing up the structures until at guest shutdown
+time when qemu_cleanup() calls net_cleanup() which then calls
+qemu_del_net_client() which would eventually call vhost_vdpa_cleanup()
+again to free up the structures. This time, the loop in net_cleanup()
+ensures that vhost_vdpa_cleanup() will be called one last time when
+all the peer nics are detached and freed.
+
+All unit tests pass with this change.
+
+CC: imammedo@redhat.com
+CC: jusual@redhat.com
+CC: mst@redhat.com
+Fixes: CVE-2023-3301
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2128929
+Signed-off-by: Ani Sinha <anisinha@redhat.com>
+Message-Id: <20230619065209.442185-1-anisinha@redhat.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+---
+ net/vhost-vdpa.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/net/vhost-vdpa.c b/net/vhost-vdpa.c
+index 25dd6dd975..60b715aef1 100644
+--- a/net/vhost-vdpa.c
++++ b/net/vhost-vdpa.c
+@@ -128,6 +128,14 @@ static void vhost_vdpa_cleanup(NetClientState *nc)
+ {
+     VhostVDPAState *s = DO_UPCAST(VhostVDPAState, nc, nc);
+ 
++    /*
++     * If a peer NIC is attached, do not cleanup anything.
++     * Cleanup will happen as a part of qemu_cleanup() -> net_cleanup()
++     * when the guest is shutting down.
++     */
++    if (nc->peer && nc->peer->info->type == NET_CLIENT_DRIVER_NIC) {
++        return;
++    }
+     if (s->vhost_net) {
+         vhost_net_cleanup(s->vhost_net);
+         g_free(s->vhost_net);
+-- 
+2.41.0.windows.1
+

virtio-crypto-verify-src-dst-buffer-length-for-sym-r.patch

@@ -0,0 +1,47 @@
+From 017c7af0d5b928c6af60f8262c62d4c570b2e55e Mon Sep 17 00:00:00 2001
+From: zhenwei pi <pizhenwei@bytedance.com>
+Date: Thu, 3 Aug 2023 10:43:13 +0800
+Subject: [PATCH] virtio-crypto: verify src&dst buffer length for sym request
+
+For symmetric algorithms, the length of ciphertext must be as same
+as the plaintext.
+The missing verification of the src_len and the dst_len in
+virtio_crypto_sym_op_helper() may lead buffer overflow/divulged.
+
+This patch is originally written by Yiming Tao for QEMU-SECURITY,
+resend it(a few changes of error message) in qemu-devel.
+
+Fixes: CVE-2023-3180
+Fixes: 04b9b37edda("virtio-crypto: add data queue processing handler")
+Cc: Gonglei <arei.gonglei@huawei.com>
+Cc: Mauro Matteo Cascella <mcascell@redhat.com>
+Cc: Yiming Tao <taoym@zju.edu.cn>
+Signed-off-by: zhenwei pi <pizhenwei@bytedance.com>
+Message-Id: <20230803024314.29962-2-pizhenwei@bytedance.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+(cherry picked from commit 9d38a8434721a6479fe03fb5afb150ca793d3980)
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+---
+ hw/virtio/virtio-crypto.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c
+index 54f9bbb789..274c7b4dea 100644
+--- a/hw/virtio/virtio-crypto.c
++++ b/hw/virtio/virtio-crypto.c
+@@ -461,6 +461,11 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev,
+         return NULL;
+     }
+ 
++    if (unlikely(src_len != dst_len)) {
++        virtio_error(vdev, "sym request src len is different from dst len");
++        return NULL;
++    }
++
+     max_len = (uint64_t)iv_len + aad_len + src_len + dst_len + hash_result_len;
+     if (unlikely(max_len > vcrypto->conf.max_size)) {
+         virtio_error(vdev, "virtio-crypto too big length");
+-- 
+2.41.0.windows.1
+

xen-block-Avoid-leaks-on-new-error-path.patch

@@ -0,0 +1,80 @@
+From 67577f8a8310b1233bddfdaa1099bf6371b79d51 Mon Sep 17 00:00:00 2001
+From: tangzhongrui <tangzhongrui@cmss.chinamobile.com>
+Date: Thu, 3 Aug 2023 11:01:42 +0800
+Subject: [PATCH] xen-block: Avoid leaks on new error path
+
+Commit 189829399070 ("xen-block: Use specific blockdev driver")
+introduced a new error path, without taking care of allocated
+resources.
+
+So only allocate the qdicts after the error check, and free both
+`filename` and `driver` when we are about to return and thus taking
+care of both success and error path.
+
+Coverity only spotted the leak of qdicts (*_layer variables).
+
+Reported-by: Peter Maydell <peter.maydell@linaro.org>
+Fixes: Coverity CID 1508722, 1398649
+Fixes: 189829399070 ("xen-block: Use specific blockdev driver")
+Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
+Reviewed-by: Paul Durrant <paul@xen.org>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Message-Id: <20230704171819.42564-1-anthony.perard@citrix.com>
+Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
+
+Signed-off-by: Zhongrui Tang <tangzhongrui_yewu@cmss.chinamobile.com>
+---
+ hw/block/xen-block.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/hw/block/xen-block.c b/hw/block/xen-block.c
+index 674953f1ad..6d90621e02 100644
+--- a/hw/block/xen-block.c
++++ b/hw/block/xen-block.c
+@@ -760,14 +760,15 @@ static XenBlockDrive *xen_block_drive_create(const char *id,
+     drive = g_new0(XenBlockDrive, 1);
+     drive->id = g_strdup(id);
+ 
+-    file_layer = qdict_new();
+-    driver_layer = qdict_new();
+-
+     rc = stat(filename, &st);
+     if (rc) {
+         error_setg_errno(errp, errno, "Could not stat file '%s'", filename);
+         goto done;
+     }
++
++    file_layer = qdict_new();
++    driver_layer = qdict_new();
++
+     if (S_ISBLK(st.st_mode)) {
+         qdict_put_str(file_layer, "driver", "host_device");
+     } else {
+@@ -775,7 +776,6 @@ static XenBlockDrive *xen_block_drive_create(const char *id,
+     }
+ 
+     qdict_put_str(file_layer, "filename", filename);
+-    g_free(filename);
+ 
+     if (mode && *mode != 'w') {
+         qdict_put_bool(file_layer, "read-only", true);
+@@ -810,7 +810,6 @@ static XenBlockDrive *xen_block_drive_create(const char *id,
+     qdict_put_str(file_layer, "locking", "off");
+ 
+     qdict_put_str(driver_layer, "driver", driver);
+-    g_free(driver);
+ 
+     qdict_put(driver_layer, "file", file_layer);
+ 
+@@ -821,6 +820,8 @@ static XenBlockDrive *xen_block_drive_create(const char *id,
+     qobject_unref(driver_layer);
+ 
+ done:
++    g_free(filename);
++    g_free(driver);
+     if (*errp) {
+         xen_block_drive_destroy(drive, NULL);
+         return NULL;
+-- 
+2.41.0.windows.1
+