Rebase qemu to 4.1.0 version

Signed-off-by: Ying Fang <fangying1@huawei.com>
2020-05-12 10:31:40 +08:00 · 2020-05-12 10:31:40 +08:00 · cbfda6760e
commit cbfda6760e
parent 9750247ab0
27 changed files with 755 additions and 951 deletions
--- a/ARM-KVM-Check-KVM_CAP_ARM_IRQ_LINE_LAYOUT_2-for-smp.patch
+++ b/ARM-KVM-Check-KVM_CAP_ARM_IRQ_LINE_LAYOUT_2-for-smp.patch
@ -0,0 +1,64 @@
 From e3a7ec839fa4f823666d726989c375dcf73348a4 Mon Sep 17 00:00:00 2001
 From: Ying Fang <fangying1@huawei.com>
 Date: Wed, 15 Apr 2020 16:14:50 +0800
 Subject: [PATCH] ARM: KVM: Check KVM_CAP_ARM_IRQ_LINE_LAYOUT_2 for smp_cpus >
 256
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 Host kernel within [4.18, 5.3] report an erroneous KVM_MAX_VCPUS=512
 for ARM. The actual capability to instantiate more than 256 vcpus
 was fixed in 5.4 with the upgrade of the KVM_IRQ_LINE ABI to support
 vcpu id encoded on 12 bits instead of 8 and a redistributor consuming
 a single KVM IO device instead of 2.
 So let's check this capability when attempting to use more than 256
 vcpus within any ARM kvm accelerated machine.
 Signed-off-by: Eric Auger <eric.auger@redhat.com>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Reviewed-by: Andrew Jones <drjones@redhat.com>
 Acked-by: Marc Zyngier <maz@kernel.org>
 Message-id: 20191003154640.22451-4-eric.auger@redhat.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 (cherry-picked from commit fff9f5558d0e0813d4f80bfe1602acf225eca4fd)
 [yu: Use the legacy smp_cpus instead of ms->smp.cpus, as we don't have
    ¦struct CpuTopology in MachineState at that time. See commit
    ¦edeeec911702 for details.]
 Signed-off-by: Zenghui Yu <yuzenghui@huawei.com>
 ---
 target/arm/kvm.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
 diff --git a/target/arm/kvm.c b/target/arm/kvm.c
 index 50e86f8b..cc7a46df 100644
 --- a/target/arm/kvm.c
 +++ b/target/arm/kvm.c
@@ -173,6 +173,8 @@ int kvm_arm_get_max_vm_ipa_size(MachineState *ms)
 int kvm_arch_init(MachineState *ms, KVMState *s)
 {
 +    int ret = 0;
 +    unsigned int smp_cpus = ms->smp.cpus;
     /* For ARM interrupt delivery is always asynchronous,
      * whether we are using an in-kernel VGIC or not.
      */
@@ -186,7 +188,14 @@ int kvm_arch_init(MachineState *ms, KVMState *s)
     cap_has_mp_state = kvm_check_extension(s, KVM_CAP_MP_STATE);
 -    return 0;
 +    if (smp_cpus > 256 &&
 +        !kvm_check_extension(s, KVM_CAP_ARM_IRQ_LINE_LAYOUT_2)) {
 +        error_report("Using more than 256 vcpus requires a host kernel "
 +                     "with KVM_CAP_ARM_IRQ_LINE_LAYOUT_2");
 +        ret = -EINVAL;
 +    }
 +
 +    return ret;
 }
 unsigned long kvm_arch_vcpu_id(CPUState *cpu)
 --
 2.23.0
--- a/ARM64-record-vtimer-tick-when-cpu-is-stopped.patch
+++ b/ARM64-record-vtimer-tick-when-cpu-is-stopped.patch
@ -1,134 +0,0 @@
 From d2fd6d1a5200b9a58863839d21d291cd4f76ac31 Mon Sep 17 00:00:00 2001
 From: Ying Fang <fangying1@huawei.com>
 Date: Mon, 29 Jul 2019 15:47:27 +0800
 Subject: [PATCH] ARM64: record vtimer tick when cpu is stopped
 The vtimer kick still increases even if the vcpu is stopped when VM has
 save/restore or suspend/resume operation. This will cause guest watchdog
 soft-lockup if the VM has lots of memory in use.
 Signed-off-by: Hao Hong <honghao5@huawei.com>
 Signed-off-by: Haibin Wang <wanghaibin.wang@huawei.com>
 Signed-off-by: Ying Fang <fangying1@huawei.com>
 ---
 cpus.c               | 58 ++++++++++++++++++++++++++++++++++++++++++++
 target/arm/cpu.h     |  2 ++
 target/arm/machine.c |  1 +
 3 files changed, 61 insertions(+)
 diff --git a/cpus.c b/cpus.c
 index e83f72b4..f6ec48a2 100644
 --- a/cpus.c
 +++ b/cpus.c
@@ -1063,6 +1063,28 @@ void cpu_synchronize_all_pre_loadvm(void)
     }
 }
 +#ifdef __aarch64__
 +static void get_vcpu_timer_tick(CPUState *cs)
 +{
 +    CPUARMState *env = &ARM_CPU(cs)->env;
 +    int err;
 +    struct kvm_one_reg reg;
 +    uint64_t timer_tick;
 +
 +    reg.id = KVM_REG_ARM_TIMER_CNT;
 +    reg.addr = (uintptr_t) &timer_tick;
 +
 +    err = kvm_vcpu_ioctl(cs, KVM_GET_ONE_REG, &reg);
 +    if (err < 0) {
 +        error_report("get vcpu tick failed, ret = %d", err);
 +        env->vtimer = 0;
 +        return;
 +    }
 +    env->vtimer = timer_tick;
 +    return;
 +}
 +#endif
 +
 static int do_vm_stop(RunState state, bool send_stop)
 {
     int ret = 0;
@@ -1070,6 +1092,11 @@ static int do_vm_stop(RunState state, bool send_stop)
     if (runstate_is_running()) {
         cpu_disable_ticks();
         pause_all_vcpus();
 +#ifdef __aarch64__
 +        if (first_cpu) {
 +            get_vcpu_timer_tick(first_cpu);
 +        }
 +#endif
         runstate_set(state);
         vm_state_notify(0, state);
         if (send_stop) {
@@ -1909,11 +1936,42 @@ void cpu_resume(CPUState *cpu)
     qemu_cpu_kick(cpu);
 }
 +#ifdef __aarch64__
 +static void set_vcpu_timer_tick(CPUState *cs)
 +{
 +    CPUARMState *env = &ARM_CPU(cs)->env;
 +
 +    if (env->vtimer == 0) {
 +        return;
 +    }
 +
 +    int err;
 +    struct kvm_one_reg reg;
 +    uint64_t timer_tick = env->vtimer;
 +    env->vtimer = 0;
 +
 +    reg.id = KVM_REG_ARM_TIMER_CNT;
 +    reg.addr = (uintptr_t) &timer_tick;
 +
 +    err = kvm_vcpu_ioctl(cs, KVM_SET_ONE_REG, &reg);
 +    if (err < 0) {
 +        error_report("Set vcpu tick failed, ret = %d", err);
 +        return;
 +    }
 +    return;
 +}
 +#endif
 +
 void resume_all_vcpus(void)
 {
     CPUState *cpu;
     qemu_clock_enable(QEMU_CLOCK_VIRTUAL, true);
 +#ifdef __aarch64__
 +    if (first_cpu) {
 +        set_vcpu_timer_tick(first_cpu);
 +    }
 +#endif
     CPU_FOREACH(cpu) {
         cpu_resume(cpu);
     }
 diff --git a/target/arm/cpu.h b/target/arm/cpu.h
 index d4d28369..e107e395 100644
 --- a/target/arm/cpu.h
 +++ b/target/arm/cpu.h
@@ -270,6 +270,8 @@ typedef struct CPUARMState {
     uint64_t elr_el[4]; /* AArch64 exception link regs  */
     uint64_t sp_el[4]; /* AArch64 banked stack pointers */
 +    uint64_t vtimer; /* Timer tick when vcpu stop */
 +
     /* System control coprocessor (cp15) */
     struct {
         uint32_t c0_cpuid;
 diff --git a/target/arm/machine.c b/target/arm/machine.c
 index b2925496..d64a0057 100644
 --- a/target/arm/machine.c
 +++ b/target/arm/machine.c
@@ -792,6 +792,7 @@ const VMStateDescription vmstate_arm_cpu = {
         VMSTATE_UINT32(env.exception.syndrome, ARMCPU),
         VMSTATE_UINT32(env.exception.fsr, ARMCPU),
         VMSTATE_UINT64(env.exception.vaddress, ARMCPU),
 +        VMSTATE_UINT64(env.vtimer, ARMCPU),
         VMSTATE_TIMER_PTR(gt_timer[GTIMER_PHYS], ARMCPU),
         VMSTATE_TIMER_PTR(gt_timer[GTIMER_VIRT], ARMCPU),
         {
 -- 
 2.23.0
--- a/Fix-use-afte-free-in-ip_reass-CVE-2020-1983.patch
+++ b/Fix-use-afte-free-in-ip_reass-CVE-2020-1983.patch
@ -1,44 +0,0 @@
 From 477c7aea5f2f9090c016c0a9813dc5901bd1b66a Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
 Date: Fri, 24 Apr 2020 11:36:41 +0800
 Subject: [PATCH] Fix use-afte-free in ip_reass() (CVE-2020-1983)
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 The q pointer is updated when the mbuf data is moved from m_dat to
 m_ext.
 m_ext buffer may also be realloc()'ed and moved during m_cat():
 q should also be updated in this case.
 Reported-by: Aviv Sasson <asasson@paloaltonetworks.com>
 Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
 Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
 diff --git a/slirp/src/ip_input.c b/slirp/src/ip_input.c
 index 89ae04e0..7fdde631 100644
 --- a/slirp/src/ip_input.c
 +++ b/slirp/src/ip_input.c
@@ -333,7 +333,7 @@ insert:
     q = fp->frag_link.next;
 	m = dtom(slirp, q);
 -	int was_ext = m->m_flags & M_EXT;
 +	int delta = (char *)q - (m->m_flags & M_EXT ? m->m_ext : m->m_dat);
 	q = (struct ipasfrag *) q->ipf_next;
 	while (q != (struct ipasfrag*)&fp->frag_link) {
@@ -356,8 +356,7 @@ insert:
 	 * then an m_ext buffer was alloced. But fp->ipq_next points to the old
 	 * buffer (in the mbuf), so we must point ip into the new buffer.
 	 */
 -	if (!was_ext && m->m_flags & M_EXT) {
 -	  int delta = (char *)q - m->m_dat;
 +	if (m->m_flags & M_EXT) {
 	  q = (struct ipasfrag *)(m->m_ext + delta);
 	}
 -- 
 2.23.0
--- a/aio-wait-delegate-polling-of-main-AioContext-if-BQL-not-held.patch
+++ b/aio-wait-delegate-polling-of-main-AioContext-if-BQL-not-held.patch
@ -1,8 +1,7 @@
-From a2bae876b7f694b12073bac8ad6668e4d975ad88 Mon Sep 17 00:00:00 2001
+From 929d29ec7bf9dd6ec3802bea2148a041ff30d59b Mon Sep 17 00:00:00 2001
-From: Ying Fang <fangying1@huawei.com>
+From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Fri, 10 Apr 2020 16:08:19 +0000
+Date: Tue, 14 Apr 2020 21:17:09 +0800
-Subject: [PATCH 1/2] aio-wait: delegate polling of main AioContext if BQL not
+Subject: [PATCH] aio-wait: delegate polling of main AioContext if BQL not held
 held
 Any thread that is not a iothread returns NULL for qemu_get_current_aio_context().
 As a result, it would also return true for
@ -20,8 +19,6 @@ The function is moved to aio-wait.h because it is mostly used
 there and to avoid a circular reference between main-loop.h
 and block/aio.h.
 upstream_url: https://patchwork.kernel.org/patch/11482099/
 Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
 Message-Id: <20200407140746.8041-5-pbonzini@redhat.com>
 Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
@ -31,21 +28,21 @@ Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
 2 files changed, 32 insertions(+), 19 deletions(-)
 diff --git a/include/block/aio-wait.h b/include/block/aio-wait.h
-index afd0ff7e..d349e7e3 100644
+index afeeb18f..716d2639 100644
 --- a/include/block/aio-wait.h
 +++ b/include/block/aio-wait.h
@@ -26,6 +26,7 @@
 #define QEMU_AIO_WAIT_H
- 
+
 #include "block/aio.h"
 +#include "qemu/main-loop.h"
- 
+
 /**
  * AioWait:
@@ -124,4 +125,25 @@ void aio_wait_kick(void);
  */
 void aio_wait_bh_oneshot(AioContext *ctx, QEMUBHFunc *cb, void *opaque);
- 
+
 +/**
 + * in_aio_context_home_thread:
 + * @ctx: the aio context
@ -67,14 +64,14 @@ index afd0ff7e..d349e7e3 100644
 +    }
 +}
 +
- #endif /* QEMU_AIO_WAIT */
+ #endif /* QEMU_AIO_WAIT_H */
 diff --git a/include/block/aio.h b/include/block/aio.h
-index 0ca25dfe..c527893b 100644
+index 6b0d52f7..9d28e247 100644
 --- a/include/block/aio.h
 +++ b/include/block/aio.h
-@@ -61,12 +61,16 @@ struct AioContext {
+@@ -60,12 +60,16 @@ struct AioContext {
     QLIST_HEAD(, AioHandler) aio_handlers;
- 
+
     /* Used to avoid unnecessary event_notifier_set calls in aio_notify;
 -     * accessed with atomic primitives.  If this field is 0, everything
 -     * (file descriptors, bottom halves, timers) will be re-evaluated
@ -95,10 +92,10 @@ index 0ca25dfe..c527893b 100644
      *
      * Bit 0 is reserved for GSource usage of the AioContext, and is 1
      * between a call to aio_ctx_prepare and the next call to aio_ctx_check.
-@@ -581,19 +585,6 @@ void aio_co_enter(AioContext *ctx, struct Coroutine *co);
+@@ -580,19 +584,6 @@ void aio_co_enter(AioContext *ctx, struct Coroutine *co);
  */
 AioContext *qemu_get_current_aio_context(void);
- 
+
 -/**
 - * in_aio_context_home_thread:
 - * @ctx: the aio context
@ -115,6 +112,5 @@ index 0ca25dfe..c527893b 100644
 /**
  * aio_context_setup:
  * @ctx: the aio context
-- 
+--
-2.25.2
+2.23.0
--- a/bios-tables-test-prepare-to-change-ARM-virt-ACPI-DSDT.patch
+++ b/bios-tables-test-prepare-to-change-ARM-virt-ACPI-DSDT.patch
@ -0,0 +1,24 @@
 From 2892a4b1f7dfc75e06d0ce770d44a062b6334eb0 Mon Sep 17 00:00:00 2001
 From: Ying Fang <fangying1@huawei.com>
 Date: Wed, 15 Apr 2020 17:03:54 +0800
 Subject: [PATCH] bios-tables-test: prepare to change ARM virt ACPI DSDT
 We will change ARM virt ACPI DSDT table in order to add the cpufreq device,
 which use ACPI CPPC to show CPU frequency info to guest.
 Signed-off-by: Ying Fang <fangying1@huawei.com>
 ---
 tests/bios-tables-test-allowed-diff.h | 3 +++
 1 file changed, 3 insertions(+)
 diff --git a/tests/bios-tables-test-allowed-diff.h b/tests/bios-tables-test-allowed-diff.h
 index dfb8523c..32a401ae 100644
 --- a/tests/bios-tables-test-allowed-diff.h
 +++ b/tests/bios-tables-test-allowed-diff.h
@@ -1 +1,4 @@
 /* List of comma-separated changed AML files to ignore */
 +"tests/data/acpi/virt/DSDT",
 +"tests/data/acpi/virt/DSDT.memhp",
 +"tests/data/acpi/virt/DSDT.numamem",
 --
 2.23.0
--- a/cpu-add-Kunpeng-920-cpu-support.patch
+++ b/cpu-add-Kunpeng-920-cpu-support.patch
@ -3,6 +3,8 @@ From: Xu Yandong <xuyandong2@huawei.com>
 Date: Wed, 28 Aug 2019 01:36:21 -0400
 Subject: [PATCH] cpu: add Kunpeng-920 cpu support
 Add the Kunpeng-920 CPU model.
 Signed-off-by: Xu Yandong <xuyandong2@huawei.com>
 ---
 hw/arm/virt.c      |  1 +
@ -28,7 +30,7 @@ index 228906f2..5581d5e1 100644
@@ -258,6 +258,26 @@ static void aarch64_a72_initfn(Object *obj)
     define_arm_cp_regs(cpu, cortex_a72_a57_a53_cp_reginfo);
 }
- 
+
 +static void aarch64_kunpeng_920_initfn(Object *obj)
 +{
 +    ARMCPU *cpu = ARM_CPU(obj);
@ -60,6 +62,5 @@ index 228906f2..5581d5e1 100644
     { .name = "max",                .initfn = aarch64_max_initfn },
     { .name = NULL }
 };
-- 
+--
 2.19.1
--- a/cpu-parse-feature-to-avoid-failure.patch
+++ b/cpu-parse-feature-to-avoid-failure.patch
@ -1,8 +1,11 @@
 From ba1ca232cfa2ca273c610beda40bee2143f11964 Mon Sep 17 00:00:00 2001
-From: rpm-build <rpm-build>
+From: Xu Yandong <xuyandong2@huawei.com>
 Date: Tue, 3 Sep 2019 16:27:39 +0800
 Subject: [PATCH] cpu: parse +/- feature to avoid failure
 To avoid cpu feature parse failuer, +/- feature is added.
 Signed-off-by: Xu Yandong <xuyandong2@huawei.com>
 ---
 target/arm/cpu64.c | 38 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)
--- a/hw-arm-expose-host-CPU-frequency-info-to-guest.patch
+++ b/hw-arm-expose-host-CPU-frequency-info-to-guest.patch
@ -1,57 +1,60 @@
-From 773b25c55c7428b64d21b23a6b08fc629a665ca5 Mon Sep 17 00:00:00 2001
+From b70d020dba72283d7b16a77c377512c84aab5f81 Mon Sep 17 00:00:00 2001
-From: zhanghailiang <zhang.zhanghailiang@huawei.com>
+From: Ying Fang <fangying1@huawei.com>
-Date: Mon, 29 Jul 2019 09:54:43 +0800
+Date: Mon, 20 Apr 2020 10:38:12 +0800
-Subject: [PATCH] hw/arm: expose host CPU frequency info to guest
+Subject: [PATCH] arm64: Add the cpufreq device to show cpufreq info to guest
-On ARM64, CPU frequency is fetched by ACPI CPPC, so we add virtual
+On ARM64 platform, cpu frequency is retrieved via ACPI CPPC.
-CPPC registers and ACPI _CPC objects.
+A virtual cpufreq device based on ACPI CPPC is created to
 present cpu frequency info to the guest.
-The default frequency is set to the nominal frequency of Hi1616, which
+The default frequency is set to host cpu nominal frequency,
-will not support CPPC in future. On Hi1620 we are fetching the value
+which is obtained from the host CPPC sysfs. Other performance
-from Host CPPC sys file.
+data are set to the same value, since we don't support guest
 performance scaling here.
-All performance data are set to the same value for we don't support
+Performance counters are also not emulated and they simply
-guest initiating performance scaling.
+return 1 if read, and guest should fallback to use desired
 We don't emulate performance counters and simply return 1 for all
 counter readings, and guest Linux should fall back to use the desired
 performance value as the current performance.
-Signed-off-by: Heyi Guo <guoheyi@huawei.com>
+Guest kernel version above 4.18 is required to make it work.
-Signed-off-by: zhanghailiang <zhang.zhanghailiang@huawei.com>
+
 This series is backported from:
 https://patchwork.kernel.org/cover/11379943/
 Signed-off-by: Ying Fang <fangying1@huawei.com>
 ---
 default-configs/aarch64-softmmu.mak |   1 +
 hw/acpi/Makefile.objs               |   1 +
 hw/acpi/aml-build.c                 |  22 +++
- hw/acpi/cpufreq.c                   | 278 ++++++++++++++++++++++++++++
+ hw/acpi/cpufreq.c                   | 287 ++++++++++++++++++++++++++++
 hw/arm/virt-acpi-build.c            |  78 +++++++-
 hw/arm/virt.c                       |  13 ++
 hw/char/Kconfig                     |   4 +
 include/hw/acpi/acpi-defs.h         |  38 ++++
 include/hw/acpi/aml-build.h         |   3 +
 include/hw/arm/virt.h               |   1 +
- 10 files changed, 437 insertions(+), 2 deletions(-)
+ 10 files changed, 446 insertions(+), 2 deletions(-)
 create mode 100644 hw/acpi/cpufreq.c
 diff --git a/default-configs/aarch64-softmmu.mak b/default-configs/aarch64-softmmu.mak
-index 4ea9add0..37399c14 100644
+index 958b1e08..0a030e85 100644
 --- a/default-configs/aarch64-softmmu.mak
 +++ b/default-configs/aarch64-softmmu.mak
-@@ -10,3 +10,4 @@ CONFIG_XLNX_ZYNQMP=y
+@@ -6,3 +6,4 @@ include arm-softmmu.mak
 CONFIG_XLNX_ZYNQMP_ARM=y
 CONFIG_XLNX_VERSAL=y
- CONFIG_ARM_SMMUV3=y
+ CONFIG_SBSA_REF=y
 +CONFIG_CPUFREQ=y
 diff --git a/hw/acpi/Makefile.objs b/hw/acpi/Makefile.objs
-index 2d46e378..60979db9 100644
+index 9bb2101e..1a720c38 100644
 --- a/hw/acpi/Makefile.objs
 +++ b/hw/acpi/Makefile.objs
-@@ -12,6 +12,7 @@ common-obj-y += acpi_interface.o
+@@ -13,6 +13,7 @@ common-obj-y += bios-linker-loader.o
- common-obj-y += bios-linker-loader.o
+ common-obj-y += aml-build.o utils.o
- common-obj-y += aml-build.o
+ common-obj-$(CONFIG_ACPI_PCI) += pci.o
 common-obj-$(CONFIG_TPM) += tpm.o
 +common-obj-$(CONFIG_CPUFREQ) += cpufreq.o
- 
+
 common-obj-$(CONFIG_IPMI) += ipmi.o
 common-obj-$(call lnot,$(CONFIG_IPMI)) += ipmi-stub.o
 diff --git a/hw/acpi/aml-build.c b/hw/acpi/aml-build.c
@ -61,7 +64,7 @@ index 555c24f2..73f97751 100644
@@ -1369,6 +1369,28 @@ Aml *aml_sleep(uint64_t msec)
     return var;
 }
- 
+
 +/* ACPI 5.0b: 6.4.3.7 Generic Register Descriptor */
 +Aml *aml_generic_register(AmlRegionSpace rs, uint8_t reg_width,
 +                          uint8_t reg_offset, AmlAccessType type, uint64_t addr)
@ -89,10 +92,10 @@ index 555c24f2..73f97751 100644
     int hi, lo;
 diff --git a/hw/acpi/cpufreq.c b/hw/acpi/cpufreq.c
 new file mode 100644
-index 00000000..c123a22b
+index 00000000..d02a25a6
 --- /dev/null
 +++ b/hw/acpi/cpufreq.c
-@@ -0,0 +1,278 @@
+@@ -0,0 +1,287 @@
 +/*
 + * ACPI CPPC register device
 + *
@ -124,6 +127,7 @@ index 00000000..c123a22b
 +#include "hw/acpi/acpi-defs.h"
 +#include "qemu/cutils.h"
 +#include "qemu/error-report.h"
 +#include "hw/boards.h"
 +
 +#define TYPE_CPUFREQ "cpufreq"
 +#define CPUFREQ(obj) OBJECT_CHECK(CpuhzState, (obj), TYPE_CPUFREQ)
@ -189,6 +193,9 @@ index 00000000..c123a22b
 +    uint64_t r;
 +    uint64_t n;
 +
 +    MachineState *ms = MACHINE(qdev_get_machine());
 +    unsigned int smp_cpus = ms->smp.cpus;
 +
 +    if (offset >= smp_cpus * CPPC_REG_PER_CPU_STRIDE) {
 +        warn_report("cpufreq_read: offset 0x%lx out of range", offset);
 +        return 0;
@ -258,6 +265,8 @@ index 00000000..c123a22b
 +                           uint64_t value, unsigned size)
 +{
 +    uint64_t n;
 +    MachineState *ms = MACHINE(qdev_get_machine());
 +    unsigned int smp_cpus = ms->smp.cpus;
 +
 +    if (offset >= smp_cpus * CPPC_REG_PER_CPU_STRIDE) {
 +        error_printf("cpufreq_write: offset 0x%lx out of range", offset);
@ -339,6 +348,9 @@ index 00000000..c123a22b
 +    SysBusDevice *sbd = SYS_BUS_DEVICE(obj);
 +    CpuhzState *s = CPUFREQ(obj);
 +
 +    MachineState *ms = MACHINE(qdev_get_machine());
 +    unsigned int smp_cpus = ms->smp.cpus;
 +
 +    s->reg_size = smp_cpus * CPPC_REG_PER_CPU_STRIDE;
 +    if (s->reg_size > MAX_SUPPORT_SPACE) {
 +        error_report("Required space 0x%x excesses the max support 0x%x",
@ -372,7 +384,7 @@ index 00000000..c123a22b
 +type_init(cpufreq_register_types)
 +
 diff --git a/hw/arm/virt-acpi-build.c b/hw/arm/virt-acpi-build.c
-index bf9c0bc2..33a8e2e3 100644
+index 0afb3727..29494ebd 100644
 --- a/hw/arm/virt-acpi-build.c
 +++ b/hw/arm/virt-acpi-build.c
@@ -45,11 +45,73 @@
@ -380,10 +392,10 @@ index bf9c0bc2..33a8e2e3 100644
 #include "sysemu/numa.h"
 #include "kvm_arm.h"
 +#include "hw/acpi/acpi-defs.h"
- 
+
 #define ARM_SPI_BASE 32
 #define ACPI_POWER_BUTTON_DEVICE "PWRB"
- 
+
 -static void acpi_dsdt_add_cpus(Aml *scope, int smp_cpus)
 +static void acpi_dsdt_add_psd(Aml *dev, int cpus)
 +{
@ -449,7 +461,7 @@ index bf9c0bc2..33a8e2e3 100644
 +                               const MemMapEntry *cppc_memmap)
 {
     uint16_t i;
- 
+
@@ -57,6 +119,18 @@ static void acpi_dsdt_add_cpus(Aml *scope, int smp_cpus)
         Aml *dev = aml_device("C%.03X", i);
         aml_append(dev, aml_name_decl("_HID", aml_string("ACPI0007")));
@ -469,7 +481,7 @@ index bf9c0bc2..33a8e2e3 100644
         aml_append(scope, dev);
     }
 }
-@@ -740,7 +814,7 @@ build_dsdt(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms)
+@@ -718,7 +792,7 @@ build_dsdt(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms)
      * the RTC ACPI device at all when using UEFI.
      */
     scope = aml_scope("\\_SB");
@ -479,10 +491,10 @@ index bf9c0bc2..33a8e2e3 100644
                        (irqmap[VIRT_UART] + ARM_SPI_BASE));
     acpi_dsdt_add_flash(scope, &memmap[VIRT_FLASH]);
 diff --git a/hw/arm/virt.c b/hw/arm/virt.c
-index ce2664a3..ec6f00ab 100644
+index d9496c93..0fa355ba 100644
 --- a/hw/arm/virt.c
 +++ b/hw/arm/virt.c
-@@ -132,6 +132,7 @@ static const MemMapEntry base_memmap[] = {
+@@ -135,6 +135,7 @@ static const MemMapEntry base_memmap[] = {
     [VIRT_SECURE_UART] =        { 0x09040000, 0x00001000 },
     [VIRT_SMMU] =               { 0x09050000, 0x00020000 },
     [VIRT_MMIO] =               { 0x0a000000, 0x00000200 },
@ -490,10 +502,10 @@ index ce2664a3..ec6f00ab 100644
     /* ...repeating for a total of NUM_VIRTIO_TRANSPORTS, each of that size */
     [VIRT_PLATFORM_BUS] =       { 0x0c000000, 0x02000000 },
     [VIRT_SECURE_MEM] =         { 0x0e000000, 0x01000000 },
-@@ -725,6 +726,16 @@ static void create_uart(const VirtMachineState *vms, qemu_irq *pic, int uart,
+@@ -731,6 +732,16 @@ static void create_uart(const VirtMachineState *vms, qemu_irq *pic, int uart,
     g_free(nodename);
 }
- 
+
 +static void create_cpufreq(const VirtMachineState *vms, MemoryRegion *mem)
 +{
 +    hwaddr base = vms->memmap[VIRT_CPUFREQ].base;
@ -507,21 +519,21 @@ index ce2664a3..ec6f00ab 100644
 static void create_rtc(const VirtMachineState *vms, qemu_irq *pic)
 {
     char *nodename;
-@@ -1618,6 +1629,8 @@ static void machvirt_init(MachineState *machine)
+@@ -1682,6 +1693,8 @@ static void machvirt_init(MachineState *machine)
- 
+
     create_uart(vms, pic, VIRT_UART, sysmem, serial_hd(0));
- 
+
 +    create_cpufreq(vms, sysmem);
 +
     if (vms->secure) {
         create_secure_ram(vms, secure_sysmem);
         create_uart(vms, pic, VIRT_SECURE_UART, secure_sysmem, serial_hd(1));
 diff --git a/hw/char/Kconfig b/hw/char/Kconfig
-index 6360c9ff..8cc3ae2a 100644
+index 40e7a8b8..2f61bf53 100644
 --- a/hw/char/Kconfig
 +++ b/hw/char/Kconfig
-@@ -40,3 +40,7 @@ config SCLPCONSOLE
+@@ -46,3 +46,7 @@ config SCLPCONSOLE
- 
+
 config TERMINAL3270
     bool
 +
@ -529,13 +541,13 @@ index 6360c9ff..8cc3ae2a 100644
 +   bool
 +   default y
 diff --git a/include/hw/acpi/acpi-defs.h b/include/hw/acpi/acpi-defs.h
-index f9aa4bd3..b4899a32 100644
+index 57a3f58b..39ae91d3 100644
 --- a/include/hw/acpi/acpi-defs.h
 +++ b/include/hw/acpi/acpi-defs.h
-@@ -652,4 +652,42 @@ struct AcpiIortRC {
+@@ -634,4 +634,42 @@ struct AcpiIortRC {
 } QEMU_PACKED;
 typedef struct AcpiIortRC AcpiIortRC;
- 
+
 +/*
 + * CPPC register definition from kernel header
 + * include/acpi/cppc_acpi.h
@ -586,11 +598,11 @@ index 1a563ad7..375335ab 100644
 +Aml *aml_generic_register(AmlRegionSpace rs, uint8_t reg_width,
 +                          uint8_t reg_offset, AmlAccessType type,
 +                          uint64_t addr);
- 
+
 /* Block AML object primitives */
 Aml *aml_scope(const char *name_format, ...) GCC_FMT_ATTR(1, 2);
 diff --git a/include/hw/arm/virt.h b/include/hw/arm/virt.h
-index 507517c6..8465f9bd 100644
+index a7209420..43a6ce91 100644
 --- a/include/hw/arm/virt.h
 +++ b/include/hw/arm/virt.h
@@ -66,6 +66,7 @@ enum {
@ -601,6 +613,5 @@ index 507517c6..8465f9bd 100644
     VIRT_MMIO,
     VIRT_RTC,
     VIRT_FW_CFG,
-- 
+--
 2.19.1
--- a/hw-arm-virt-Introduce-cpu-topology-support.patch
+++ b/hw-arm-virt-Introduce-cpu-topology-support.patch
@ -1,6 +1,6 @@
-From 123b4eb3cb7b9b4e3e0705a9b5f974b37d3b8431 Mon Sep 17 00:00:00 2001
+From 73fc4af05ebe12d77915e6b3c85c48f5e0c432f3 Mon Sep 17 00:00:00 2001
-From: zhanghailiang <zhang.zhanghailiang@huawei.com>
+From: Ying Fang <fangying1@huawei.com>
-Date: Mon, 5 Aug 2019 15:04:31 +0800
+Date: Wed, 22 Apr 2020 19:23:27 +0800
 Subject: [PATCH] hw/arm/virt: Introduce cpu topology support
 Add topology support for guest vcpu by cpu-map in dtb when the guest is booted
@ -11,13 +11,13 @@ Signed-off-by: zhanghailiang <zhang.zhanghailiang@huawei.com>
 (picked-from https://patchwork.ozlabs.org/cover/939301/ which is pushed by
 Andrew Jones <drjones@redhat.com>)
 ---
- device_tree.c                | 32 +++++++++++++++++++++++
+ device_tree.c                | 32 ++++++++++++++++++++++
- hw/acpi/aml-build.c          | 50 ++++++++++++++++++++++++++++++++++++
+ hw/acpi/aml-build.c          | 53 ++++++++++++++++++++++++++++++++++++
 hw/arm/virt-acpi-build.c     |  4 +++
- hw/arm/virt.c                | 29 +++++++++++++++++++++
+ hw/arm/virt.c                | 32 +++++++++++++++++++++-
 include/hw/acpi/aml-build.h  |  2 ++
 include/sysemu/device_tree.h |  1 +
- 6 files changed, 118 insertions(+)
+ 6 files changed, 123 insertions(+), 1 deletion(-)
 diff --git a/device_tree.c b/device_tree.c
 index f8b46b3c..03906a14 100644
@ -26,7 +26,7 @@ index f8b46b3c..03906a14 100644
@@ -524,6 +524,38 @@ int qemu_fdt_add_subnode(void *fdt, const char *name)
     return retval;
 }
- 
+
 +/**
 + * qemu_fdt_add_path
 + * @fdt: Flattened Device Tree
@ -63,7 +63,7 @@ index f8b46b3c..03906a14 100644
 {
     const char *dumpdtb = qemu_opt_get(qemu_get_machine_opts(), "dumpdtb");
 diff --git a/hw/acpi/aml-build.c b/hw/acpi/aml-build.c
-index 73f97751..9d39ad10 100644
+index 73f97751..f2c8c28f 100644
 --- a/hw/acpi/aml-build.c
 +++ b/hw/acpi/aml-build.c
@@ -25,6 +25,7 @@
@ -71,13 +71,13 @@ index 73f97751..9d39ad10 100644
 #include "qemu/bitops.h"
 #include "sysemu/numa.h"
 +#include "sysemu/cpus.h"
- 
+
 static GArray *build_alloc_array(void)
 {
-@@ -51,6 +52,55 @@ static void build_append_array(GArray *array, GArray *val)
+@@ -51,6 +52,58 @@ static void build_append_array(GArray *array, GArray *val)
     g_array_append_vals(array, val->data, val->len);
 }
- 
+
 +/*
 + * ACPI 6.2 Processor Properties Topology Table (PPTT)
 + */
@ -97,6 +97,9 @@ index 73f97751..9d39ad10 100644
 +{
 +    int pptt_start = table_data->len;
 +    int uid = 0, cpus = 0, socket;
 +    MachineState *ms = MACHINE(qdev_get_machine());
 +    unsigned int smp_cores = ms->smp.cores;
 +    unsigned int smp_threads = ms->smp.threads;
 +
 +    acpi_data_push(table_data, sizeof(AcpiTableHeader));
 +
@ -128,28 +131,28 @@ index 73f97751..9d39ad10 100644
 +}
 +
 #define ACPI_NAMESEG_LEN 4
- 
+
 static void
 diff --git a/hw/arm/virt-acpi-build.c b/hw/arm/virt-acpi-build.c
-index 33a8e2e3..18653e6d 100644
+index 29494ebd..fe54411f 100644
 --- a/hw/arm/virt-acpi-build.c
 +++ b/hw/arm/virt-acpi-build.c
-@@ -870,6 +870,10 @@ void virt_acpi_build(VirtMachineState *vms, AcpiBuildTables *tables)
+@@ -848,6 +848,10 @@ void virt_acpi_build(VirtMachineState *vms, AcpiBuildTables *tables)
     acpi_add_table(table_offsets, tables_blob);
     build_fadt_rev5(tables_blob, tables->linker, vms, dsdt);
- 
+
 +    acpi_add_table(table_offsets, tables_blob);
 +
 +    build_pptt(tables_blob, tables->linker, vms->smp_cpus);
 +
     acpi_add_table(table_offsets, tables_blob);
     build_madt(tables_blob, tables->linker, vms);
- 
+
 diff --git a/hw/arm/virt.c b/hw/arm/virt.c
-index 57a78b16..16700a2e 100644
+index 0fa355ba..272455bc 100644
 --- a/hw/arm/virt.c
 +++ b/hw/arm/virt.c
-@@ -42,6 +42,7 @@
+@@ -44,6 +44,7 @@
 #include "net/net.h"
 #include "sysemu/device_tree.h"
 #include "sysemu/numa.h"
@ -157,10 +160,20 @@ index 57a78b16..16700a2e 100644
 #include "sysemu/sysemu.h"
 #include "sysemu/kvm.h"
 #include "hw/loader.h"
-@@ -364,8 +365,36 @@ static void fdt_add_cpu_nodes(const VirtMachineState *vms)
+@@ -312,7 +313,8 @@ static void fdt_add_cpu_nodes(const VirtMachineState *vms)
     int cpu;
     int addr_cells = 1;
     const MachineState *ms = MACHINE(vms);
 -
 +    unsigned int smp_cores = ms->smp.cores;
 +    unsigned int smp_threads = ms->smp.threads;
     /*
      * From Documentation/devicetree/bindings/arm/cpus.txt
      *  On ARM v8 64-bit systems value should be set to 2,
@@ -368,8 +370,36 @@ static void fdt_add_cpu_nodes(const VirtMachineState *vms)
                 ms->possible_cpus->cpus[cs->cpu_index].props.node_id);
         }
- 
+
 +        qemu_fdt_setprop_cell(vms->fdt, nodename, "phandle",
 +                              qemu_fdt_alloc_phandle(vms->fdt));
 +
@ -192,7 +205,7 @@ index 57a78b16..16700a2e 100644
 +        g_free(cpu_path);
 +    }
 }
- 
+
 static void fdt_add_its_gic_node(VirtMachineState *vms)
 diff --git a/include/hw/acpi/aml-build.h b/include/hw/acpi/aml-build.h
 index 375335ab..bfb0b100 100644
@ -201,11 +214,11 @@ index 375335ab..bfb0b100 100644
@@ -417,6 +417,8 @@ build_append_gas_from_struct(GArray *table, const struct AcpiGenericAddress *s)
 void build_srat_memory(AcpiSratMemoryAffinity *numamem, uint64_t base,
                        uint64_t len, int node, MemoryAffinityFlags flags);
- 
+
 +void build_pptt(GArray *table_data, BIOSLinker *linker, int possible_cpus);
 +
 void build_slit(GArray *table_data, BIOSLinker *linker);
- 
+
 void build_fadt(GArray *tbl, BIOSLinker *linker, const AcpiFadtData *f,
 diff --git a/include/sysemu/device_tree.h b/include/sysemu/device_tree.h
 index c16fd69b..d62fc873 100644
@ -216,9 +229,8 @@ index c16fd69b..d62fc873 100644
 int qemu_fdt_nop_node(void *fdt, const char *node_path);
 int qemu_fdt_add_subnode(void *fdt, const char *name);
 +int qemu_fdt_add_path(void *fdt, const char *path);
- 
+
 #define qemu_fdt_setprop_cells(fdt, node_path, property, ...)                 \
     do {                                                                      \
-- 
+--
-2.19.1
+2.23.0
--- a/hw-arm64-add-vcpu-cache-info-support.patch
+++ b/hw-arm64-add-vcpu-cache-info-support.patch
@ -1,6 +1,6 @@
-From 8db6d888e3eb131900111506b93f6101413df5b4 Mon Sep 17 00:00:00 2001
+From 5a0ed254f99ca37498bd81994b906b6984b5ffa9 Mon Sep 17 00:00:00 2001
-From: zhanghailiang <zhang.zhanghailiang@huawei.com>
+From: Ying Fang <fangying1@huawei.com>
-Date: Mon, 5 Aug 2019 15:30:05 +0800
+Date: Wed, 22 Apr 2020 19:25:00 +0800
 Subject: [PATCH] hw/arm64: add vcpu cache info support
 Support VCPU Cache info by dtb and PPTT table, including L1, L2 and L3 Cache.
@ -8,16 +8,16 @@ Support VCPU Cache info by dtb and PPTT table, including L1, L2 and L3 Cache.
 Signed-off-by: zhanghailiang <zhang.zhanghailiang@huawei.com>
 Signed-off-by: Honghao <honghao5@huawei.com>
 ---
- hw/acpi/aml-build.c         | 124 ++++++++++++++++++++++++++++++++++++
+ hw/acpi/aml-build.c         | 126 ++++++++++++++++++++++++++++++++++++
- hw/arm/virt.c               |  76 +++++++++++++++++++++-
+ hw/arm/virt.c               |  80 ++++++++++++++++++++++-
 include/hw/acpi/aml-build.h |  46 +++++++++++++
- 3 files changed, 245 insertions(+), 1 deletion(-)
+ 3 files changed, 251 insertions(+), 1 deletion(-)
 diff --git a/hw/acpi/aml-build.c b/hw/acpi/aml-build.c
-index 9d39ad10..99209c0a 100644
+index f2c8c28f..74e95005 100644
 --- a/hw/acpi/aml-build.c
 +++ b/hw/acpi/aml-build.c
-@@ -55,6 +55,129 @@ static void build_append_array(GArray *array, GArray *val)
+@@ -55,6 +55,131 @@ static void build_append_array(GArray *array, GArray *val)
 /*
  * ACPI 6.2 Processor Properties Topology Table (PPTT)
  */
@ -115,6 +115,8 @@ index 9d39ad10..99209c0a 100644
 +    int pptt_start = table_data->len;
 +    int uid = 0, cpus = 0, socket;
 +    struct offset_status offset;
 +    const MachineState *ms = MACHINE(qdev_get_machine());
 +    unsigned int smp_cores = ms->smp.cores;
 +
 +    acpi_data_push(table_data, sizeof(AcpiTableHeader));
 +
@ -147,25 +149,27 @@ index 9d39ad10..99209c0a 100644
 static void build_cpu_hierarchy(GArray *tbl, uint32_t flags,
                                 uint32_t parent, uint32_t id)
 {
-@@ -100,6 +223,7 @@ void build_pptt(GArray *table_data, BIOSLinker *linker, int possible_cpus)
+@@ -103,6 +228,7 @@ void build_pptt(GArray *table_data, BIOSLinker *linker, int possible_cpus)
                  (void *)(table_data->data + pptt_start), "PPTT",
                  table_data->len - pptt_start, 1, NULL, NULL);
 }
 +#endif
- 
+
 #define ACPI_NAMESEG_LEN 4
- 
+
 diff --git a/hw/arm/virt.c b/hw/arm/virt.c
-index 16700a2e..96f56e2e 100644
+index 272455bc..9669c70b 100644
 --- a/hw/arm/virt.c
 +++ b/hw/arm/virt.c
-@@ -304,6 +304,77 @@ static void fdt_add_timer_nodes(const VirtMachineState *vms)
+@@ -308,6 +308,81 @@ static void fdt_add_timer_nodes(const VirtMachineState *vms)
                        GIC_FDT_IRQ_TYPE_PPI, ARCH_TIMER_NS_EL2_IRQ, irqflags);
 }
- 
+
 +static void fdt_add_l3cache_nodes(const VirtMachineState *vms)
 +{
 +    int i;
 +    const MachineState *ms = MACHINE(qdev_get_machine());
 +    unsigned int smp_cores = ms->smp.cores;
 +    unsigned int sockets = vms->smp_cpus / smp_cores;
 +
 +    /* If current is not equal to max */
@ -191,6 +195,8 @@ index 16700a2e..96f56e2e 100644
 +static void fdt_add_l2cache_nodes(const VirtMachineState *vms)
 +{
 +    int i, j;
 +    const MachineState *ms = MACHINE(qdev_get_machine());
 +    unsigned int smp_cores = ms->smp.cores;
 +    signed int sockets = vms->smp_cpus / smp_cores;
 +
 +    /* If current is not equal to max */
@ -237,17 +243,17 @@ index 16700a2e..96f56e2e 100644
 static void fdt_add_cpu_nodes(const VirtMachineState *vms)
 {
     int cpu;
-@@ -336,6 +407,9 @@ static void fdt_add_cpu_nodes(const VirtMachineState *vms)
+@@ -341,6 +416,9 @@ static void fdt_add_cpu_nodes(const VirtMachineState *vms)
     qemu_fdt_setprop_cell(vms->fdt, "/cpus", "#address-cells", addr_cells);
     qemu_fdt_setprop_cell(vms->fdt, "/cpus", "#size-cells", 0x0);
- 
+
 +    fdt_add_l3cache_nodes(vms);
 +    fdt_add_l2cache_nodes(vms);
 +
     for (cpu = vms->smp_cpus - 1; cpu >= 0; cpu--) {
         char *nodename = g_strdup_printf("/cpus/cpu@%d", cpu);
         ARMCPU *armcpu = ARM_CPU(qemu_get_cpu(cpu));
-@@ -364,7 +438,7 @@ static void fdt_add_cpu_nodes(const VirtMachineState *vms)
+@@ -369,7 +447,7 @@ static void fdt_add_cpu_nodes(const VirtMachineState *vms)
             qemu_fdt_setprop_cell(vms->fdt, nodename, "numa-node-id",
                 ms->possible_cpus->cpus[cs->cpu_index].props.node_id);
         }
@ -255,7 +261,7 @@ index 16700a2e..96f56e2e 100644
 +        fdt_add_l1cache_prop(vms, nodename, cpu);
         qemu_fdt_setprop_cell(vms->fdt, nodename, "phandle",
                               qemu_fdt_alloc_phandle(vms->fdt));
- 
+
 diff --git a/include/hw/acpi/aml-build.h b/include/hw/acpi/aml-build.h
 index bfb0b100..0be3453a 100644
 --- a/include/hw/acpi/aml-build.h
@ -263,7 +269,7 @@ index bfb0b100..0be3453a 100644
@@ -223,6 +223,52 @@ struct AcpiBuildTables {
     BIOSLinker *linker;
 } AcpiBuildTables;
- 
+
 +#ifdef __aarch64__
 +/* Definitions of the hardcoded cache info*/
 +
@ -313,6 +319,5 @@ index bfb0b100..0be3453a 100644
 /**
  * init_aml_allocator:
  *
-- 
+--
 2.23.0
--- a/linux-headers-update-against-KVM-ARM-Fix-256-vcpus.patch
+++ b/linux-headers-update-against-KVM-ARM-Fix-256-vcpus.patch
@ -1,7 +1,7 @@
-From 896b9892d4df316b85836daa973e442c0c64cec6 Mon Sep 17 00:00:00 2001
+From 27a9f40b308efd8ddcb81e286441865b5a0cb541 Mon Sep 17 00:00:00 2001
 From: Zenghui Yu <yuzenghui@huawei.com>
-Date: Fri, 3 Jan 2020 17:16:55 +0800
+Date: Tue, 14 Apr 2020 21:52:42 +0800
-Subject: [PATCH 1/3] linux headers: update against "KVM/ARM: Fix >256 vcpus"
+Subject: [PATCH] linux headers: update against "KVM/ARM: Fix >256 vcpus"
 This is part of upstream commit f363d039e883 ("linux headers: update
 against v5.4-rc1"), authored by Eric Auger <eric.auger@redhat.com>.
@ -19,7 +19,7 @@ index e1f8b745..137a2730 100644
 +++ b/linux-headers/asm-arm/kvm.h
@@ -254,8 +254,10 @@ struct kvm_vcpu_events {
 #define   KVM_DEV_ARM_ITS_CTRL_RESET		4
- 
+
 /* KVM_IRQ_LINE irq field index values */
 +#define KVM_ARM_IRQ_VCPU2_SHIFT		28
 +#define KVM_ARM_IRQ_VCPU2_MASK		0xf
@ -30,12 +30,12 @@ index e1f8b745..137a2730 100644
 #define KVM_ARM_IRQ_VCPU_MASK		0xff
 #define KVM_ARM_IRQ_NUM_SHIFT		0
 diff --git a/linux-headers/asm-arm64/kvm.h b/linux-headers/asm-arm64/kvm.h
-index e6a98c14..dfd3a028 100644
+index 2431ec35..cdfd5f33 100644
 --- a/linux-headers/asm-arm64/kvm.h
 +++ b/linux-headers/asm-arm64/kvm.h
-@@ -265,8 +265,10 @@ struct kvm_vcpu_events {
+@@ -308,8 +308,10 @@ struct kvm_vcpu_events {
 #define   KVM_ARM_VCPU_TIMER_IRQ_PTIMER		1
- 
+
 /* KVM_IRQ_LINE irq field index values */
 +#define KVM_ARM_IRQ_VCPU2_SHIFT		28
 +#define KVM_ARM_IRQ_VCPU2_MASK		0xf
@ -46,17 +46,16 @@ index e6a98c14..dfd3a028 100644
 #define KVM_ARM_IRQ_VCPU_MASK		0xff
 #define KVM_ARM_IRQ_NUM_SHIFT		0
 diff --git a/linux-headers/linux/kvm.h b/linux-headers/linux/kvm.h
-index b53ee597..086cea4d 100644
+index c8423e76..744e888e 100644
 --- a/linux-headers/linux/kvm.h
 +++ b/linux-headers/linux/kvm.h
@@ -988,6 +988,7 @@ struct kvm_ppc_resize_hpt {
 #define KVM_CAP_ARM_VM_IPA_SIZE 165
- #define KVM_CAP_MANUAL_DIRTY_LOG_PROTECT 166
+ #define KVM_CAP_MANUAL_DIRTY_LOG_PROTECT 166 /* Obsolete */
 #define KVM_CAP_HYPERV_CPUID 167
 +#define KVM_CAP_ARM_IRQ_LINE_LAYOUT_2 174
- 
+ #define KVM_CAP_MANUAL_DIRTY_LOG_PROTECT2 168
- #ifdef KVM_CAP_IRQ_ROUTING
+ #define KVM_CAP_PPC_IRQ_XIVE 169
- 
+ #define KVM_CAP_ARM_SVE 170
-- 
+--
-2.19.1
+2.23.0
--- a/memory-unref-the-memory-region-in-simplify-flatview.patch
+++ b/memory-unref-the-memory-region-in-simplify-flatview.patch
@ -1,85 +0,0 @@
 From b9f43f0cca03586a31b53e47ade72e77db01cb4c Mon Sep 17 00:00:00 2001
 From: King Wang <king.wang@huawei.com>
 Date: Fri, 12 Jul 2019 14:52:41 +0800
 Subject: [PATCH 2/5] memory: unref the memory region in simplify flatview
 The memory region reference is increased when insert a range
 into flatview range array, then decreased by destroy flatview.
 If some flat range merged by flatview_simplify, the memory region
 reference can not be decreased by destroy flatview any more.
 In this case, start virtual machine by the command line:
 qemu-system-x86_64
 -name guest=ubuntu,debug-threads=on
 -machine pc,accel=kvm,usb=off,dump-guest-core=off
 -cpu host
 -m 16384
 -realtime mlock=off
 -smp 8,sockets=2,cores=4,threads=1
 -object memory-backend-file,id=ram-node0,prealloc=yes,mem-path=/dev/hugepages,share=yes,size=8589934592
 -numa node,nodeid=0,cpus=0-3,memdev=ram-node0
 -object memory-backend-file,id=ram-node1,prealloc=yes,mem-path=/dev/hugepages,share=yes,size=8589934592
 -numa node,nodeid=1,cpus=4-7,memdev=ram-node1
 -no-user-config
 -nodefaults
 -rtc base=utc
 -no-shutdown
 -boot strict=on
 -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2
 -device virtio-scsi-pci,id=scsi0,bus=pci.0,addr=0x2
 -device virtio-serial-pci,id=virtio-serial0,bus=pci.0,addr=0x3
 -drive file=ubuntu.qcow2,format=qcow2,if=none,id=drive-virtio-disk0,cache=none,aio=native
 -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1
 -chardev pty,id=charserial0
 -device isa-serial,chardev=charserial0,id=serial0
 -device usb-tablet,id=input0,bus=usb.0,port=1
 -vnc 0.0.0.0:0
 -device VGA,id=video0,vgamem_mb=16,bus=pci.0,addr=0x5
 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x6
 -msg timestamp=on
 And run the script in guest OS:
 while true
 do
    setpci -s 00:06.0 04.b=03
 	setpci -s 00:06.0 04.b=07
 done
 I found the reference of node0 HostMemoryBackendFile is a big one.
 (gdb) p numa_info[0]->node_memdev->parent.ref
 $6 = 1636278
 (gdb)
 Signed-off-by: King Wang<king.wang@huawei.com>
 Message-Id: <20190712065241.11784-1-king.wang@huawei.com>
 Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
 ---
 memory.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
 diff --git a/memory.c b/memory.c
 index 9fbca52..0b49281 100644
 --- a/memory.c
 +++ b/memory.c
@@ -320,7 +320,7 @@ static bool can_merge(FlatRange *r1, FlatRange *r2)
 /* Attempt to simplify a view by merging adjacent ranges */
 static void flatview_simplify(FlatView *view)
 {
 -    unsigned i, j;
 +    unsigned i, j, k;
     i = 0;
     while (i < view->nr) {
@@ -331,6 +331,9 @@ static void flatview_simplify(FlatView *view)
             ++j;
         }
         ++i;
 +        for (k = i; k < j; k++) {
 +            memory_region_unref(view->ranges[k].mr);
 +        }
         memmove(&view->ranges[i], &view->ranges[j],
                 (view->nr - j) * sizeof(view->ranges[j]));
         view->nr -= j - i;
 -- 
 1.8.3.1
--- a/monitor-fix-memory-leak-in-monitor_fdset_dup_fd_find.patch
+++ b/monitor-fix-memory-leak-in-monitor_fdset_dup_fd_find.patch
@ -1,6 +1,6 @@
-From 6f7a7f18f4460b0891eabbe1ca69e599216427b7 Mon Sep 17 00:00:00 2001
+From 117082ef493e62e6e2cd972b309e0cd72682ab02 Mon Sep 17 00:00:00 2001
 From: Chen Qun <kuhn.chenqun@huawei.com>
-Date: Mon, 16 Mar 2020 14:26:06 +0800
+Date: Tue, 14 Apr 2020 19:50:59 +0800
 Subject: [PATCH] moniter: fix memleak in monitor_fdset_dup_fd_find_remove
 When remove dup_fd in monitor_fdset_dup_fd_find_remove function,
@ -25,14 +25,14 @@ Reported-by: Euler Robot <euler.robot@huawei.com>
 Signed-off-by: Chen Qun <kuhn.chenqun@huawei.com>
 (cherry picked from commit a661614de18c89f58cad3fc1bb8aab44e820183a)
 ---
- monitor.c | 1 +
+ monitor/misc.c | 1 +
 1 file changed, 1 insertion(+)
-diff --git a/monitor.c b/monitor.c
+diff --git a/monitor/misc.c b/monitor/misc.c
-index 4807bbe..b5b15b5 100644
+index 00338c00..0d6369ba 100644
--- a/monitor.c
+--- a/monitor/misc.c
-+++ b/monitor.c
+++ b/monitor/misc.c
-@@ -2596,6 +2596,7 @@ static int monitor_fdset_dup_fd_find_remove(int dup_fd, bool remove)
+@@ -1746,6 +1746,7 @@ static int64_t monitor_fdset_dup_fd_find_remove(int dup_fd, bool remove)
             if (mon_fdset_fd_dup->fd == dup_fd) {
                 if (remove) {
                     QLIST_REMOVE(mon_fdset_fd_dup, next);
@ -40,6 +40,5 @@ index 4807bbe..b5b15b5 100644
                     if (QLIST_EMPTY(&mon_fdset->dup_fds)) {
                         monitor_fdset_cleanup(mon_fdset);
                     }
-- 
+--
-1.8.3.1
+2.23.0
--- a/nbd-Fix-regression-with-multiple-meta-contexts.patch
+++ b/nbd-Fix-regression-with-multiple-meta-contexts.patch
@ -1,60 +0,0 @@
 From 32c6cb39cbadd6fc2026ff6311fcf58549f71d49 Mon Sep 17 00:00:00 2001
 From: Pan Nengyuan <pannengyuan@huawei.com>
 Date: Wed, 15 Apr 2020 14:29:04 +0800
 Subject: [PATCH] nbd: Fix regression with multiple meta contexts
 Detected by a hang in the libnbd testsuite.  If a client requests
 multiple meta contexts (both base:allocation and qemu:dirty-bitmap:x)
 at the same time, our attempt to silence a false-positive warning
 about a potential uninitialized variable introduced botched logic: we
 were short-circuiting the second context, and never sending the
 NBD_REPLY_FLAG_DONE.  Combining two 'if' into one 'if/else' in
 bdf200a55 was wrong (I'm a bit embarrassed that such a change was my
 initial suggestion after the v1 patch, then I did not review the v2
 patch that actually got committed). Revert that, and instead silence
 the false positive warning by replacing 'return ret' with 'return 0'
 (the value it always has at that point in the code, even though it
 eluded the deduction abilities of the robot that reported the false
 positive).
 Fixes: bdf200a5535
 Signed-off-by: Eric Blake <eblake@redhat.com>
 Message-Id: <20200206173832.130004-1-eblake@redhat.com>
 Reviewed-by: Laurent Vivier <laurent@vivier.eu>
 (cherry picked from commit 73e064ccf09d908febc83761addcc6e76feabf78)
 ---
 nbd/server.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
 diff --git a/nbd/server.c b/nbd/server.c
 index aefb07d..3630352 100644
 --- a/nbd/server.c
 +++ b/nbd/server.c
@@ -2304,15 +2304,22 @@ static coroutine_fn int nbd_handle_request(NBDClient *client,
                                                !client->export_meta.bitmap,
                                                NBD_META_ID_BASE_ALLOCATION,
                                                errp);
 -            } else {                     /* client->export_meta.bitmap */
 +                if (ret < 0) {
 +                    return ret;
 +                }
 +            } 
 +            if (client->export_meta.bitmap) {
                 ret = nbd_co_send_bitmap(client, request->handle,
                                          client->exp->export_bitmap,
                                          request->from, request->len,
                                          dont_fragment,
                                          true, NBD_META_ID_DIRTY_BITMAP, errp);
 +                if (ret < 0) {
 +                    return ret;
 +                }
             }
 -            return ret;
 +            return 0;
         } else {
             return nbd_send_generic_reply(client, request->handle, -EINVAL,
                                           "CMD_BLOCK_STATUS not negotiated",
 -- 
 1.8.3.1
--- a/qemu-4.1.0.tar.xz
+++ b/qemu-4.1.0.tar.xz
--- a/qemu-bridge-helper-move-repeating-code-in-parse_acl.patch
+++ b/qemu-bridge-helper-move-repeating-code-in-parse_acl.patch
@ -1,75 +0,0 @@
 From 3283dde4b5b5cce0f96f48d536bebff66d97ce0b Mon Sep 17 00:00:00 2001
 From: Prasad J Pandit <pjp@fedoraproject.org>
 Date: Tue, 23 Jul 2019 16:17:53 +0530
 Subject: [PATCH 2/2] qemu-bridge-helper: move repeating code in parse_acl_file
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 Move repeating error handling sequence in parse_acl_file routine
 to an 'err' label.
 This patch fixes CVE-2019-13164.
 Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
 Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
 Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
 Reviewed-by: Li Qiang <liq3ea@gmail.com>
 Signed-off-by: Jason Wang <jasowang@redhat.com>
 (cherry-picked from commit 3283dde4b5b5cce0f96f48d536bebff66d97ce0b)
 ---
 qemu-bridge-helper.c | 19 +++++++++----------
 1 file changed, 9 insertions(+), 10 deletions(-)
 diff --git a/qemu-bridge-helper.c b/qemu-bridge-helper.c
 index 2058e10454..3d50ec094c 100644
 --- a/qemu-bridge-helper.c
 +++ b/qemu-bridge-helper.c
@@ -102,9 +102,7 @@ static int parse_acl_file(const char *filename, ACLList *acl_list)
         if (arg == NULL) {
             fprintf(stderr, "Invalid config line:\n  %s\n", line);
 -            fclose(f);
 -            errno = EINVAL;
 -            return -1;
 +            goto err;
         }
         *arg = 0;
@@ -121,9 +119,7 @@ static int parse_acl_file(const char *filename, ACLList *acl_list)
         if (!g_str_equal(cmd, "include") && strlen(arg) >= IFNAMSIZ) {
             fprintf(stderr, "name `%s' too long: %zu\n", arg, strlen(arg));
 -            fclose(f);
 -            errno = EINVAL;
 -            return -1;
 +            goto err;
         }
         if (strcmp(cmd, "deny") == 0) {
@@ -149,15 +145,18 @@ static int parse_acl_file(const char *filename, ACLList *acl_list)
             parse_acl_file(arg, acl_list);
         } else {
             fprintf(stderr, "Unknown command `%s'\n", cmd);
 -            fclose(f);
 -            errno = EINVAL;
 -            return -1;
 +            goto err;
         }
     }
     fclose(f);
 -
     return 0;
 +
 +err:
 +    fclose(f);
 +    errno = EINVAL;
 +    return -1;
 +
 }
 static bool has_vnet_hdr(int fd)
 -- 
 2.19.1
--- a/qemu-bridge-helper-restrict-interface-name-to-IFNAMS.patch
+++ b/qemu-bridge-helper-restrict-interface-name-to-IFNAMS.patch
@ -1,60 +0,0 @@
 From 6f5d8671225dc77190647f18a27a0d156d4ca97a Mon Sep 17 00:00:00 2001
 From: Prasad J Pandit <pjp@fedoraproject.org>
 Date: Tue, 23 Jul 2019 16:17:52 +0530
 Subject: [PATCH 1/2] qemu-bridge-helper: restrict interface name to IFNAMSIZ
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 The network interface name in Linux is defined to be of size
 IFNAMSIZ(=16), including the terminating null('\0') byte.
 The same is applied to interface names read from 'bridge.conf'
 file to form ACL rules. If user supplied '--br=bridge' name
 is not restricted to the same length, it could lead to ACL bypass
 issue. Restrict interface name to IFNAMSIZ, including null byte.
 This patch fixes CVE-2019-13164.
 Reported-by: Riccardo Schirone <rschiron@redhat.com>
 Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
 Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
 Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
 Reviewed-by: Li Qiang <liq3ea@gmail.com>
 Signed-off-by: Jason Wang <jasowang@redhat.com>
 (cherry-picked from commit 6f5d8671225dc77190647f18a27a0d156d4ca97a)
 ---
 qemu-bridge-helper.c | 11 +++++++++++
 1 file changed, 11 insertions(+)
 diff --git a/qemu-bridge-helper.c b/qemu-bridge-helper.c
 index 95624bc300..2058e10454 100644
 --- a/qemu-bridge-helper.c
 +++ b/qemu-bridge-helper.c
@@ -119,6 +119,13 @@ static int parse_acl_file(const char *filename, ACLList *acl_list)
         }
         *argend = 0;
 +        if (!g_str_equal(cmd, "include") && strlen(arg) >= IFNAMSIZ) {
 +            fprintf(stderr, "name `%s' too long: %zu\n", arg, strlen(arg));
 +            fclose(f);
 +            errno = EINVAL;
 +            return -1;
 +        }
 +
         if (strcmp(cmd, "deny") == 0) {
             acl_rule = g_malloc(sizeof(*acl_rule));
             if (strcmp(arg, "all") == 0) {
@@ -269,6 +276,10 @@ int main(int argc, char **argv)
         usage();
         return EXIT_FAILURE;
     }
 +    if (strlen(bridge) >= IFNAMSIZ) {
 +        fprintf(stderr, "name `%s' too long: %zu\n", bridge, strlen(bridge));
 +        return EXIT_FAILURE;
 +    }
     /* parse default acl file */
     QSIMPLEQ_INIT(&acl_list);
 -- 
 2.19.1
--- a/qemu.spec
+++ b/qemu.spec
@ -1,6 +1,6 @@
 Name: qemu
-Version: 4.0.1
+Version: 4.1.0
-Release: 11
+Release: 1
 Epoch: 2
 Summary: QEMU is a generic and open source machine emulator and virtualizer
 License: GPLv2 and BSD and MIT and CC-BY
@ -10,61 +10,58 @@ Source1: 80-kvm.rules
 Source2: 99-qemu-guest-agent.rules
 Source3: bridge.conf
-Patch0001: qxl-check-release-info-object.patch
+Patch0001: pl011-reset-read-FIFO-when-UARTTIMSC-0-UARTICR-0xfff.patch
-Patch0002: ARM64-record-vtimer-tick-when-cpu-is-stopped.patch
+Patch0002: pl031-support-rtc-timer-property-for-pl031.patch
-Patch0003: pl011-reset-read-FIFO-when-UARTTIMSC-0-UARTICR-0xfff.patch
+Patch0003: vhost-cancel-migration-when-vhost-user-restarted.patch
-Patch0004: pl031-support-rtc-timer-property-for-pl031.patch
+Patch0004: qcow2-fix-memory-leak-in-qcow2_read_extensions.patch
-Patch0005: vhost-cancel-migration-when-vhost-user-restarted.patch
+Patch0005: bios-tables-test-prepare-to-change-ARM-virt-ACPI-DSDT.patch
-Patch0006: qcow2-fix-memory-leak-in-qcow2_read_extensions.patch
+Patch0006: hw-arm-expose-host-CPU-frequency-info-to-guest.patch
-Patch0007: hw-arm-expose-host-CPU-frequency-info-to-guest.patch
+Patch0007: smbios-Add-missing-member-of-type-4-for-smbios-3.0.patch
-Patch0008: qemu-bridge-helper-restrict-interface-name-to-IFNAMS.patch
+Patch0008: tests-bios-tables-test-disable-this-testcase.patch
-Patch0009: qemu-bridge-helper-move-repeating-code-in-parse_acl.patch
+Patch0009: hw-arm-virt-Introduce-cpu-topology-support.patch
-Patch0010: smbios-Add-missing-member-of-type-4-for-smbios-3.0.patch
+Patch0010: hw-arm64-add-vcpu-cache-info-support.patch
-Patch0011: hw-arm-virt-Introduce-cpu-topology-support.patch
+Patch0011: xhci-Fix-memory-leak-in-xhci_address_slot.patch
-Patch0012: hw-arm64-add-vcpu-cache-info-support.patch
+Patch0012: xhci-Fix-memory-leak-in-xhci_kick_epctx.patch
-Patch0013: xhci-Fix-memory-leak-in-xhci_address_slot.patch
+Patch0013: ehci-fix-queue-dev-null-ptr-dereference.patch
-Patch0014: xhci-Fix-memory-leak-in-xhci_kick_epctx.patch
+Patch0014: util-async-hold-AioContext-ref-to-prevent-use-after-free.patch
-Patch0015: ehci-fix-queue-dev-null-ptr-dereference.patch
+Patch0015: vhost-user-scsi-prevent-using-uninitialized-vqs.patch
-Patch0016: memory-unref-the-memory-region-in-simplify-flatview.patch
+Patch0016: cpu-add-Kunpeng-920-cpu-support.patch
-Patch0017: util-async-hold-AioContext-ref-to-prevent-use-after-free.patch
+Patch0017: cpu-parse-feature-to-avoid-failure.patch
-Patch0018: vhost-user-scsi-prevent-using-uninitialized-vqs.patch
+Patch0018: cpu-add-Cortex-A72-processor-kvm-target-support.patch
-Patch0019: cpu-add-Kunpeng-920-cpu-support.patch
+Patch0019: pcie-disable-the-PCI_EXP_LINKSTA_DLLA-cap.patch
-Patch0020: cpu-parse-feature-to-avoid-failure.patch
+Patch0020: vnc-fix-memory-leak-when-vnc-disconnect.patch
-Patch0021: cpu-add-Cortex-A72-processor-kvm-target-support.patch
+Patch0021: linux-headers-update-against-KVM-ARM-Fix-256-vcpus.patch
-Patch0022: vnc-fix-memory-leak-when-vnc-disconnect.patch
+Patch0022: intc-arm_gic-Support-IRQ-injection-for-more-than-256.patch
-Patch0023: pcie-disable-the-PCI_EXP_LINKSTA_DLLA-cap.patch
+Patch0023: ARM-KVM-Check-KVM_CAP_ARM_IRQ_LINE_LAYOUT_2-for-smp.patch
-Patch0024: linux-headers-update-against-KVM-ARM-Fix-256-vcpus.patch
+Patch0024: 9pfs-local-Fix-possible-memory-leak-in-local_link.patch
-Patch0025: intc-arm_gic-Support-IRQ-injection-for-more-than-256.patch
+Patch0025: scsi-disk-define-props-in-scsi_block_disk-to-avoid-memleaks.patch
-Patch0026: ARM-KVM-Check-KVM_CAP_ARM_IRQ_LINE_LAYOUT_2-for-smp_.patch
+Patch0026: arm-translate-a64-fix-uninitialized-variable-warning.patch
-Patch0027: 9pfs-local-Fix-possible-memory-leak-in-local_link.patch
+Patch0027: nbd-fix-uninitialized-variable-warning.patch
-Patch0028: scsi-disk-define-props-in-scsi_block_disk-to-avoid-memleaks.patch
+Patch0028: xhci-Fix-memory-leak-in-xhci_kick_epctx-when-poweroff.patch
-Patch0029: arm-translate-a64-fix-uninitialized-variable-warning.patch
+Patch0029: block-fix-memleaks-in-bdrv_refresh_filename.patch
-Patch0030: nbd-fix-uninitialized-variable-warning.patch
+Patch0030: iscsi-Cap-block-count-from-GET-LBA-STATUS-CVE-2020-1.patch
-Patch0031: xhci-Fix-memory-leak-in-xhci_kick_epctx-when-poweroff.patch
+Patch0031: tcp_emu-Fix-oob-access.patch
-Patch0032: block-fix-memleaks-in-bdrv_refresh_filename.patch
+Patch0032: slirp-use-correct-size-while-emulating-IRC-commands.patch
-Patch0033: iscsi-Cap-block-count-from-GET-LBA-STATUS-CVE-2020-1.patch
+Patch0033: slirp-use-correct-size-while-emulating-commands.patch
-Patch0034: tcp_emu-Fix-oob-access.patch
+Patch0034: util-add-slirp_fmt-helpers.patch
-Patch0035: slirp-use-correct-size-while-emulating-IRC-commands.patch
+Patch0035: tcp_emu-fix-unsafe-snprintf-usages.patch
-Patch0036: slirp-use-correct-size-while-emulating-commands.patch
+Patch0036: block-iscsi-use-MIN-between-mx_sb_len-and-sb_len_wr.patch
-Patch0037: tcp_emu-fix-unsafe-snprintf-usages.patch
+Patch0037: monitor-fix-memory-leak-in-monitor_fdset_dup_fd_find.patch
-Patch0038: block-iscsi-use-MIN-between-mx_sb_len-and-sb_len_wr.patch
+Patch0038: memory-Align-MemoryRegionSections-fields.patch
-Patch0039: monitor-fix-memory-leak-in-monitor_fdset_dup_fd_find.patch
+Patch0039: memory-Provide-an-equality-function-for-MemoryRegion.patch
 Patch0040: vhost-Fix-memory-region-section-comparison.patch
-Patch0041: memory-Align-MemoryRegionSections-fields.patch
+Patch0041: file-posix-Handle-undetectable-alignment.patch
-Patch0042: memory-Provide-an-equality-function-for-MemoryRegion.patch
+Patch0042: block-backup-fix-max_transfer-handling-for-copy_rang.patch
-Patch0043: file-posix-Handle-undetectable-alignment.patch
+Patch0043: block-backup-fix-backup_cow_with_offload-for-last-cl.patch
-Patch0044: block-backup-fix-max_transfer-handling-for-copy_rang.patch
+Patch0044: qcow2-Limit-total-allocation-range-to-INT_MAX.patch
-Patch0045: block-backup-fix-backup_cow_with_offload-for-last-cl.patch
+Patch0045: mirror-Do-not-dereference-invalid-pointers.patch
-Patch0046: qcow2-Limit-total-allocation-range-to-INT_MAX.patch
+Patch0046: COLO-compare-Fix-incorrect-if-logic.patch
-Patch0047: mirror-Do-not-dereference-invalid-pointers.patch
+Patch0047: qcow2-bitmap-Fix-uint64_t-left-shift-overflow.patch
-Patch0048: COLO-compare-Fix-incorrect-if-logic.patch
+Patch0048: pcie-Add-pcie-root-port-fast-plug-unplug-feature.patch
-Patch0049: qcow2-bitmap-Fix-uint64_t-left-shift-overflow.patch
+Patch0049: pcie-Compat-with-devices-which-do-not-support-Link-W.patch
-Patch0050: pcie-Add-pcie-root-port-fast-plug-unplug-feature.patch
+Patch0050: aio-wait-delegate-polling-of-main-AioContext-if-BQL-not-held.patch
-Patch0051: pcie-Compat-with-devices-which-do-not-support-Link-W.patch
+Patch0051: async-use-explicit-memory-barriers.patch
-Patch0052: aio-wait-delegate-polling-of-main-AioContext-if-BQL-not-held.patch
+
 Patch0053: async-use-explicit-memory-barriers.patch
 Patch0054: Fix-use-afte-free-in-ip_reass-CVE-2020-1983.patch
 Patch0055: nbd-Fix-regression-with-multiple-meta-contexts.patch
 BuildRequires: flex
 BuildRequires: bison
@ -251,7 +248,9 @@ install -D -m 0644 %{_sourcedir}/99-qemu-guest-agent.rules %{buildroot}%{_udevdi
 mkdir -p %{buildroot}%{_localstatedir}/log
 touch %{buildroot}%{_localstatedir}/log/qga-fsfreeze-hook.log
 # For qemu docs package
 %global qemudocdir %{_docdir}/%{name}
 rm -rf %{buildroot}%{qemudocdir}/specs
 install -D -p -m 0644 -t %{buildroot}%{qemudocdir} Changelog README COPYING COPYING.LIB LICENSE
 chmod -x %{buildroot}%{_mandir}/man1/*
@ -266,6 +265,9 @@ rm -rf %{buildroot}%{_datadir}/%{name}/multiboot.bin
 rm -rf %{buildroot}%{_datadir}/%{name}/linuxboot_dma.bin
 rm -rf %{buildroot}%{_datadir}/%{name}/pvh.bin
 %endif
 %ifarch x86_64
 rm -rf %{buildroot}%{_datadir}/%{name}/vgabios-ati.bin
 %endif
 rm -rf %{buildroot}%{_datadir}/%{name}/openbios-*
 rm -rf %{buildroot}%{_datadir}/%{name}/slof.bin
 rm -rf %{buildroot}%{_datadir}/%{name}/QEMU,*.bin
@ -281,6 +283,11 @@ rm -rf %{buildroot}%{_datadir}/%{name}/skiboot.lid
 rm -rf %{buildroot}%{_datadir}/%{name}/spapr-*
 rm -rf %{buildroot}%{_datadir}/%{name}/u-boot*
 rm -rf %{buildroot}%{_bindir}/ivshmem*
 rm -f %{buildroot}%{_datadir}/%{name}/edk2*
 rm -rf %{buildroot}%{_datadir}/%{name}/firmware
 rm -rf %{buildroot}%{_datadir}/%{name}/opensbi*
 rm -rf %{buildroot}%{_datadir}/%{name}/qemu-nsis.bmp
 for f in %{buildroot}%{_bindir}/* %{buildroot}%{_libdir}/* \
         %{buildroot}%{_libexecdir}/*; do
@ -400,99 +407,100 @@ getent passwd qemu >/dev/null || \
 %endif
 %changelog
-* Fri Apr 24 2020 backport nbd fix from qemu upstream
+* Thu Apr 16 2020 Huawei Technologies Co., Ltd. <fangying1@huawei.com>
 - nbd: Fix regression with multiple meta contexts
 * Fri Apr 24 2020 Huawei Technologies Co., Ltd. <fangying1@huawei.com>
 - Fix use-afte-free in ip_reass() (CVE-2020-1983)
 * Sat Apr 11 2020 Huawei Technologies Co., Ltd. <fangying1@huawei.com>
 - aio-wait: delegate polling of main AioContext if BQL not held
 - async: use explicit memory barriers
-* Wed Mar 18 2020 Huawei Technologies Co., Ltd. <fangying1@huawei.com>
+* Thu Apr 16 2020 Huawei Technologies Co., Ltd. <fangying1@huawei.com>
 - pcie: Add pcie-root-port fast plug/unplug feature
- pcie: Compat with devices which do not support Link Width
+- pcie: Compat with devices which do not support Link Width, such as ioh3420
-* Tue Mar 17 2020 Huawei Technologies Co., Ltd. <zhang.zhanghailiang@huawei.com>
+* Thu Apr 16 2020 Huawei Technologies Co., Ltd. <fangying1@huawei.com>
- Put linuxboot_dma.bin and pvh.bin in x86 package
+- qcow2-bitmap: Fix uint64_t left-shift overflow
-* Mon Mar 16 2020 backport some bug fix patches from upstream
+* Thu Apr 16 2020 Huawei Technologies Co., Ltd. <fangying1@huawei.com>
- Patch from number 0040 to 0049 are picked from stable-4.1.1
+- COLO-compare: Fix incorrect `if` logic
-* Mon Mar 16 2020 Huawei Technologies Co., Ltd. <kuhn.chenqun@huawei.com>
+* Thu Apr 16 2020 Huawei Technologies Co., Ltd. <fangying1@huawei.com>
- moniter: fix memleak in monitor_fdset_dup_fd_find_remove
+- block/backup: fix max_transfer handling for copy_range
 - block/backup: fix backup_cow_with_offload for last cluster
 - qcow2: Limit total allocation range to INT_MAX
 - mirror: Do not dereference invalid pointers
 * Thu Apr 16 2020 Huawei Technologies Co., Ltd. <fangying1@huawei.com>
 - file-posix: Handle undetectable alignment
 * Thu Apr 16 2020 Huawei Technologies Co., Ltd. <fangying1@huawei.com>
 - vhost: Fix memory region section comparison
 - memory: Provide an equality function for MemoryRegionSections
 - memory: Align MemoryRegionSections fields
 * Thu Apr 16 2020 Huawei Technologies Co., Ltd. <fangying1@huawei.com>
 - block/iscsi: use MIN() between mx_sb_len and sb_len_wr
 - moniter: fix memleak in monitor_fdset_dup_fd_find_remove
-* Wed Mar 11 2020 backport from qemu upstream
+* Thu Apr 16 2020 Huawei Technologies Co., Ltd. <fangying1@huawei.com>
 - tcp_emu: Fix oob access
 - slirp: use correct size while emulating IRC commands
 - slirp: use correct size while emulating commands
 - tcp_emu: fix unsafe snprintf() usages
-
+- util: add slirp_fmt() helpers
-* Mon Mar 9 2020 backport from qemu upstream
+- slirp: use correct size while emulating commands
 - slirp: use correct size while emulating IRC commands
 - tcp_emu: Fix oob access
 - iscsi: Cap block count from GET LBA STATUS (CVE-2020-1711)
-* Thu Feb  6 2020 Huawei Technologies Co., Ltd. <zhang.zhanghailiang@huawei.com>
+* Thu Apr 16 2020 Huawei Technologies Co., Ltd. <fangying1@huawei.com>
- spec: remove fno-inline option for configure
+- 9pfs: local: Fix possible memory leak in local_link()
-
+- scsi-disk: define props in scsi_block_disk to avoid memleaks
-* Thu Jan 16 2020 Huawei Technologies Co., Ltd. <pannengyuan@huawei.com>
+- arm/translate-a64: fix uninitialized variable warning
 - block: fix memleaks in bdrv_refresh_filename
 - vnc: fix memory leak when vnc disconnect
 - block: fix memleaks in bdrv_refresh_filename
-* Mon Jan 13 2020 Huawei Technologies Co., Ltd. <fangying1@huawei.com>
+* Thu Apr 16 2020 Huawei Technologies Co., Ltd. <fangying1@huawei.com>
- 9pfs: Fix a possible memory leak in local_link
+- linux headers: update against "KVM/ARM: Fix >256 vcpus"
- scsi-disk: disk define props in scsi_block to avoid memleaks
+- intc/arm_gic: Support IRQ injection for more than 256 vcpus
- arm/translate-a64: fix uninitialized variable warning
+- ARM: KVM: Check KVM_CAP_ARM_IRQ_LINE_LAYOUT_2 for smp_cpus >
 - nbd: fix uninitialized variable warning
 - xhci: Fix memory leak in xhci_kick_epctx when poweroff
-* Mon Jan  6 2020 backport from qemu upstream
+* Thu Apr 16 2020 Huawei Technologies Co., Ltd. <fangying1@huawei.com>
- linux headers: update against "KVM/ARM: Fix >256 vcp
+- vnc: fix memory leak when vnc disconnect
 - intc/arm_gic: Support IRQ injection for more than 256 vpus
 - ARM: KVM: Check KVM_CAP_ARM_IRQ_LINE_LAYOUT_2 for smp_cpus > 256
-* Thu Dec 12 2019 backport from qemu upstream v4.0.1 release
+* Thu Apr 16 2020 Huawei Technologies Co., Ltd. <fangying1@huawei.com>
- tpm: Exit in reset when backend indicates failure
+- pcie: disable the PCI_EXP_LINKSTA_DLLA cap for pcie-root-port by default
 - tpm_emulator: Translate TPM error codes to strings
-* Thu Oct 17 2019 backport from qemu upstream
+* Thu Apr 16 2020 Huawei Technologies Co., Ltd. <fangying1@huawei.com>
- vnc-fix-memory-leak-when-vnc-disconnect.patch
+- cpu: add Kunpeng-920 cpu support
 - cpu: parse +/- feature to avoid failure
 - cpu: add Cortex-A72 processor kvm target support
-* Mon Sep  9 2019 backport from qemu upstream
+* Thu Apr 16 2020 Huawei Technologies Co., Ltd. <fangying1@huawei.com>
- ehci-fix-queue-dev-null-ptr-dereference.patch
+- vhost-user-scsi: prevent using uninitialized vqs
 - memory-unref-the-memory-region-in-simplify-flatview.patch
 - util-async-hold-AioContext-ref-to-prevent-use-after-.patch
 - vhost-user-scsi-prevent-using-uninitialized-vqs.patch
-* Fri Aug 30 2019 Huawei Technologies Co., Ltd. <fangying1@huawei.com>
+* Thu Apr 16 2020 Huawei Technologies Co., Ltd. <fangying1@huawei.com>
 - util/async: hold AioContext ref to prevent use-after-free
 * Thu Apr 16 2020 Huawei Technologies Co., Ltd. <fangying1@huawei.com>
 - xhci: Fix memory leak in xhci_address_slot
 - xhci: Fix memory leak in xhci_kick_epctx
 - ehci: fix queue->dev null ptr dereference
-* Wed Aug 7 2019 Huawei Technologies Co., Ltd. <zhang.zhanghailiang@huawei.com>
+* Thu Apr 16 2020 Huawei Technologies Co., Ltd. <fangying1@huawei.com>
 - tests/bios-tables-test: disable this testcase
 - hw/arm/virt: Introduce cpu topology support
 - hw/arm64: add vcpu cache info support
-* Tue Aug 6 2019 Huawei Technologies Co., Ltd. <zhang.zhanghailiang@huawei.com>
+* Wed Apr 15 2020 Huawei Technologies Co., Ltd. <fangying1@huawei.com>
 - Update release version to 4.0.0-2
 * Mon Aug 5 2019 Huawei Technologies Co., Ltd. <zhang.zhanghailiang@huawei.com>
 - enable make check
 - smbios: Add missing member of type 4 for smbios 3.0
-* Mon Aug 5 2019 fix CVE-2019-13164
+* Wed Apr 15 2020 Huawei Technologies Co., Ltd. <fangying1@huawei.com>
- qemu-bridge-helper: restrict interface name to IFNAMSIZ
+- bios-tables-test: prepare to change ARM virt ACPI DSDT
- qemu-bridge-helper: move repeating code in parse_acl_file
+- arm64: Add the cpufreq device to show cpufreq info to guest
-* Tue Jul 30 2019 Huawei Technologies Co., Ltd. <zhang.zhanghailiang@huawei.com
+* Wed Apr 15 2020 Huawei Technologies Co., Ltd. <fangying1@huawei.com>
 - qcow2: fix memory leak in qcow2_read_extensions
 - hw/arm: expose host CPU frequency info to guest
-* Fri Jul 26 2019 Huawei Technologies Co., Ltd. <fangying1@huawei.com>
+* Wed Apr 15 2020 Huawei Technologies Co., Ltd. <fangying1@huawei.com>
- vhost: cancel migration when vhost-user restarted
+- pl011: reset read FIFIO when UARTTIMSC=0 & UARTICR=0xff
 - pl031: support rtc-timer property for pl031
- pl011: reset read FIFO when UARTTIMSC=0 & UARTICR=0xffff
+- vhost: cancel migration when vhost-user restarted
 - ARM64: record vtimer tick when cpu is stopped
-* Tue Jul 23 2019 openEuler Buildteam <buildteam@openeuler.org> - version-release
+* Mon Apr 13 2020 openEuler Buildteam <buildteam@openeuler.org> - version-release
 - Package init
--- a/qxl-check-release-info-object.patch
+++ b/qxl-check-release-info-object.patch
@ -1,36 +0,0 @@
 From cbed4e0108ca1403f1f47cde292330b87a0d8bf2 Mon Sep 17 00:00:00 2001
 From: Prasad J Pandit <pjp@fedoraproject.org>
 Date: Thu, 25 Apr 2019 12:05:34 +0530
 Subject: [PATCH] qxl: check release info object
 When releasing spice resources in release_resource() routine,
 if release info object 'ext.info' is null, it leads to null
 pointer dereference. Add check to avoid it.
 (This is cherry-pick d52680fc932efb8a2f334cc6993e705ed1e31e99)
 Reported-by: Bugs SysSec <bugs-syssec@rub.de>
 Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
 Message-id: 20190425063534.32747-1-ppandit@redhat.com
 Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
 ---
 hw/display/qxl.c | 3 +++
 1 file changed, 3 insertions(+)
 diff --git a/hw/display/qxl.c b/hw/display/qxl.c
 index c8ce578..632923a 100644
 --- a/hw/display/qxl.c
 +++ b/hw/display/qxl.c
@@ -777,6 +777,9 @@ static void interface_release_resource(QXLInstance *sin,
     QXLReleaseRing *ring;
     uint64_t *item, id;
 +    if (!ext.info) {
 +        return;
 +    }
     if (ext.group_id == MEMSLOT_GROUP_HOST) {
         /* host group -> vga mode update request */
         QXLCommandExt *cmdext = (void *)(intptr_t)(ext.info->id);
 -- 
 1.8.3.1
--- a/slirp-use-correct-size-while-emulating-IRC-commands.patch
+++ b/slirp-use-correct-size-while-emulating-IRC-commands.patch
@ -1,6 +1,6 @@
-From 882149fd8401f8ff667ea384bb68008354fd110f Mon Sep 17 00:00:00 2001
+From 011880f527ff317a40769ea8673a6353e5db53ac Mon Sep 17 00:00:00 2001
 From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Wed, 11 Mar 2020 18:19:36 +0800
+Date: Tue, 14 Apr 2020 18:23:23 +0800
 Subject: [PATCH] slirp: use correct size while emulating IRC commands
 While emulating IRC DCC commands, tcp_emu() uses 'mbuf' size
@ -13,40 +13,42 @@ Signed-off-by: default avatarPrasad J Pandit <pjp@fedoraproject.org>
 Reviewed-by: Samuel Thibault's avatarSamuel Thibault <samuel.thibault@ens-lyon.org>
 Message-Id: <20200109094228.79764-2-ppandit@redhat.com>
 ---
- slirp/src/tcp_subr.c | 6 +++---
+ slirp/src/tcp_subr.c | 9 ++++++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
+ 1 file changed, 6 insertions(+), 3 deletions(-)
 diff --git a/slirp/src/tcp_subr.c b/slirp/src/tcp_subr.c
-index 4608942f..2053b11b 100644
+index 9c94c03a..2a15b16a 100644
 --- a/slirp/src/tcp_subr.c
 +++ b/slirp/src/tcp_subr.c
-@@ -786,7 +786,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
+@@ -778,7 +778,8 @@ int tcp_emu(struct socket *so, struct mbuf *m)
- 				return 1;
+                 return 1;
- 			}
+             }
- 			m->m_len = bptr - m->m_data; /* Adjust length */
+             m->m_len = bptr - m->m_data; /* Adjust length */
-                        m->m_len += snprintf(bptr, m->m_size,
+-            m->m_len += snprintf(bptr, m->m_size, "DCC CHAT chat %lu %u%c\n",
-+                        m->m_len += snprintf(bptr, M_FREEROOM(m),
+            m->m_len += snprintf(bptr, M_FREEROOM(m),
-                                              "DCC CHAT chat %lu %u%c\n",
+                                 "DCC CHAT chat %lu %u%c\n",
-                                              (unsigned long)ntohl(so->so_faddr.s_addr),
+                                  (unsigned long)ntohl(so->so_faddr.s_addr),
-                                              ntohs(so->so_fport), 1);
+                                  ntohs(so->so_fport), 1);
-@@ -797,7 +797,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
+         } else if (sscanf(bptr, "DCC SEND %256s %u %u %u", buff, &laddr, &lport,
- 				return 1;
+@@ -789,7 +790,8 @@ int tcp_emu(struct socket *so, struct mbuf *m)
- 			}
+             }
- 			m->m_len = bptr - m->m_data; /* Adjust length */
+             m->m_len = bptr - m->m_data; /* Adjust length */
-                        m->m_len += snprintf(bptr, m->m_size,
+             m->m_len +=
-+                        m->m_len += snprintf(bptr, M_FREEROOM(m),
+-                snprintf(bptr, m->m_size, "DCC SEND %s %lu %u %u%c\n", buff,
-                                              "DCC SEND %s %lu %u %u%c\n", buff,
+                snprintf(bptr, M_FREEROOM(m),
-                                              (unsigned long)ntohl(so->so_faddr.s_addr),
+                         "DCC SEND %s %lu %u %u%c\n", buff,
-                                              ntohs(so->so_fport), n1, 1);
+                          (unsigned long)ntohl(so->so_faddr.s_addr),
-@@ -808,7 +808,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
+                          ntohs(so->so_fport), n1, 1);
- 				return 1;
+         } else if (sscanf(bptr, "DCC MOVE %256s %u %u %u", buff, &laddr, &lport,
- 			}
+@@ -800,7 +802,8 @@ int tcp_emu(struct socket *so, struct mbuf *m)
- 			m->m_len = bptr - m->m_data; /* Adjust length */
+             }
-                        m->m_len += snprintf(bptr, m->m_size,
+             m->m_len = bptr - m->m_data; /* Adjust length */
-+                        m->m_len += snprintf(bptr, M_FREEROOM(m),
+             m->m_len +=
-                                              "DCC MOVE %s %lu %u %u%c\n", buff,
+-                snprintf(bptr, m->m_size, "DCC MOVE %s %lu %u %u%c\n", buff,
-                                              (unsigned long)ntohl(so->so_faddr.s_addr),
+                snprintf(bptr, M_FREEROOM(m),
-                                              ntohs(so->so_fport), n1, 1);
+                         "DCC MOVE %s %lu %u %u%c\n", buff,
-- 
+                          (unsigned long)ntohl(so->so_faddr.s_addr),
-2.21.1 (Apple Git-122.3)
+                          ntohs(so->so_fport), n1, 1);
-
+         }
 --
 2.23.0
--- a/slirp-use-correct-size-while-emulating-commands.patch
+++ b/slirp-use-correct-size-while-emulating-commands.patch
@ -1,6 +1,6 @@
-From 66e2f47a01ffcaafe11acae0a191efd1805f86c6 Mon Sep 17 00:00:00 2001
+From 662aa4f1d168b32335a4dc40782e816329afcac0 Mon Sep 17 00:00:00 2001
 From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Wed, 11 Mar 2020 18:27:22 +0800
+Date: Tue, 14 Apr 2020 18:36:12 +0800
 Subject: [PATCH] slirp: use correct size while emulating commands
 While emulating services in tcp_emu(), it uses 'mbuf' size
@ -10,42 +10,40 @@ Signed-off-by: default avatarPrasad J Pandit <pjp@fedoraproject.org>
 Signed-off-by: Samuel Thibault's avatarSamuel Thibault <samuel.thibault@ens-lyon.org>
 Message-Id: <20200109094228.79764-3-ppandit@redhat.com>
 ---
- slirp/src/tcp_subr.c | 8 ++++----
+ slirp/src/tcp_subr.c | 7 ++++---
- 1 file changed, 4 insertions(+), 4 deletions(-)
+ 1 file changed, 4 insertions(+), 3 deletions(-)
 diff --git a/slirp/src/tcp_subr.c b/slirp/src/tcp_subr.c
-index 2053b11b..e898fd03 100644
+index 2a15b16a..019b637a 100644
 --- a/slirp/src/tcp_subr.c
 +++ b/slirp/src/tcp_subr.c
-@@ -707,7 +707,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
+@@ -696,7 +696,7 @@ int tcp_emu(struct socket *so, struct mbuf *m)
- 			n4 =  (laddr & 0xff);
+             n4 = (laddr & 0xff);
 			m->m_len = bptr - m->m_data; /* Adjust length */
 -                        m->m_len += snprintf(bptr, m->m_size - m->m_len,
 +                        m->m_len += snprintf(bptr, M_FREEROOM(m),
                                              "ORT %d,%d,%d,%d,%d,%d\r\n%s",
                                              n1, n2, n3, n4, n5, n6, x==7?buff:"");
 			return 1;
@@ -740,7 +740,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
 			n4 =  (laddr & 0xff);
 			m->m_len = bptr - m->m_data; /* Adjust length */
 -			m->m_len += snprintf(bptr, m->m_size - m->m_len,
 +			m->m_len += snprintf(bptr, M_FREEROOM(m),
                                              "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s",
                                              n1, n2, n3, n4, n5, n6, x==7?buff:"");
@@ -766,8 +766,8 @@ tcp_emu(struct socket *so, struct mbuf *m)
 		if (m->m_data[m->m_len-1] == '\0' && lport != 0 &&
 		    (so = tcp_listen(slirp, INADDR_ANY, 0, so->so_laddr.s_addr,
 		                     htons(lport), SS_FACCEPTONCE)) != NULL)
 -                    m->m_len = snprintf(m->m_data, m->m_size, "%d",
 -                                        ntohs(so->so_fport)) + 1;
 +                    m->m_len = snprintf(m->m_data, M_ROOM(m),
 +					"%d", ntohs(so->so_fport)) + 1;
 		return 1;
 	 case EMU_IRC:
 -- 
 2.21.1 (Apple Git-122.3)
             m->m_len = bptr - m->m_data; /* Adjust length */
 -            m->m_len += snprintf(bptr, m->m_size - m->m_len,
 +            m->m_len += snprintf(bptr, M_FREEROOM(m),
                                  "ORT %d,%d,%d,%d,%d,%d\r\n%s", n1, n2, n3, n4,
                                  n5, n6, x == 7 ? buff : "");
             return 1;
@@ -732,7 +732,7 @@ int tcp_emu(struct socket *so, struct mbuf *m)
             m->m_len = bptr - m->m_data; /* Adjust length */
             m->m_len +=
 -                snprintf(bptr, m->m_size - m->m_len,
 +                snprintf(bptr, M_FREEROOM(m),
                          "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s",
                          n1, n2, n3, n4, n5, n6, x == 7 ? buff : "");
@@ -759,7 +759,8 @@ int tcp_emu(struct socket *so, struct mbuf *m)
             (so = tcp_listen(slirp, INADDR_ANY, 0, so->so_laddr.s_addr,
                              htons(lport), SS_FACCEPTONCE)) != NULL)
             m->m_len =
 -                snprintf(m->m_data, m->m_size, "%d", ntohs(so->so_fport)) + 1;
 +                snprintf(m->m_data, M_ROOM(m),
 +                            "%d", ntohs(so->so_fport)) + 1;
         return 1;
     case EMU_IRC:
 --
 2.23.0
--- a/smbios-Add-missing-member-of-type-4-for-smbios-3.0.patch
+++ b/smbios-Add-missing-member-of-type-4-for-smbios-3.0.patch
@ -1,21 +1,19 @@
-From e52fdbd850b49304c5bbd5f19c9f518b80efef42 Mon Sep 17 00:00:00 2001
+From 2b8ad77678da175cb92c902955cb85827e661de3 Mon Sep 17 00:00:00 2001
-From: zhanghailiang <zhang.zhanghailiang@huawei.com>
+From: Ying Fang <fangying1@huawei.com>
-Date: Wed, 31 Jul 2019 15:40:55 +0800
+Date: Tue, 14 Apr 2020 14:53:44 +0800
 Subject: [PATCH] smbios: Add missing member of type 4 for smbios 3.0
 According to smbios 3.0 spec, for processor information (type 4),
-it adds three new members (Core Count 2, Core enabled 2, thread count 2) for 3.0,
+it adds three new members (Core Count 2, Core enabled 2, thread count 2) for 3.0, Without this three members, we can not get correct cpu frequency from dmi,
 Without this three members, we can not get correct cpu frequency from dmi,
 Because it will failed to check the length of Processor Infomation in DMI.
 The corresponding codes in kernel is like:
-	if (dm->type == DMI_ENTRY_PROCESSOR &&
+    if (dm->type == DMI_ENTRY_PROCESSOR &&
-	    dm->length >= DMI_ENTRY_PROCESSOR_MIN_LENGTH) {
+        dm->length >= DMI_ENTRY_PROCESSOR_MIN_LENGTH) {
-		u16 val = (u16)get_unaligned((const u16 *)
+        u16 val = (u16)get_unaligned((const u16 *)
-				(dmi_data + DMI_PROCESSOR_MAX_SPEED));
+                (dmi_data + DMI_PROCESSOR_MAX_SPEED));
-		*mhz = val > *mhz ? val : *mhz;
+        *mhz = val > *mhz ? val : *mhz;
-	}
+    }
 Signed-off-by: zhanghailiang <zhang.zhanghailiang@huawei.com>
 ---
@ -24,11 +22,11 @@ Signed-off-by: zhanghailiang <zhang.zhanghailiang@huawei.com>
 2 files changed, 6 insertions(+), 1 deletion(-)
 diff --git a/hw/smbios/smbios.c b/hw/smbios/smbios.c
-index 47be9071..b11ec6e3 100644
+index 7bcd67b0..51b00d44 100644
 --- a/hw/smbios/smbios.c
 +++ b/hw/smbios/smbios.c
-@@ -600,7 +600,9 @@ static void smbios_build_type_4_table(unsigned instance)
+@@ -603,7 +603,9 @@ static void smbios_build_type_4_table(MachineState *ms, unsigned instance)
-     t->thread_count = smp_threads;
+     t->thread_count = ms->smp.threads;
     t->processor_characteristics = cpu_to_le16(0x02); /* Unknown */
     t->processor_family2 = cpu_to_le16(0x01); /* Other */
 -
@ -39,7 +37,7 @@ index 47be9071..b11ec6e3 100644
     smbios_type4_count++;
 }
 diff --git a/include/hw/firmware/smbios.h b/include/hw/firmware/smbios.h
-index 6fef32a3..70eb7304 100644
+index 02a0ced0..6887bca4 100644
 --- a/include/hw/firmware/smbios.h
 +++ b/include/hw/firmware/smbios.h
@@ -193,6 +193,9 @@ struct smbios_type_4 {
@ -50,8 +48,7 @@ index 6fef32a3..70eb7304 100644
 +    uint16_t enabledcorecount2;
 +    uint16_t threadcount2;
 } QEMU_PACKED;
 /* SMBIOS type 11 - OEM strings */
 -- 
 2.19.1
 /* SMBIOS type 11 - OEM strings */
 --
 2.23.0
--- a/tcp_emu-Fix-oob-access.patch
+++ b/tcp_emu-Fix-oob-access.patch
@ -1,6 +1,6 @@
-From 0f7224535cdfec549cd43a5ae4ccde936f50ee95 Mon Sep 17 00:00:00 2001
+From 585634894f511bc1821cef54494bf2d9abc109c9 Mon Sep 17 00:00:00 2001
 From: Samuel Thibault <samuel.thibault@ens-lyon.org>
-Date: Wed, 11 Mar 2020 17:33:46 +0800
+Date: Tue, 14 Apr 2020 18:04:33 +0800
 Subject: [PATCH] tcp_emu: Fix oob access
 The main loop only checks for one available byte, while we sometimes
@ -10,29 +10,28 @@ need two bytes.
 1 file changed, 6 insertions(+)
 diff --git a/slirp/src/tcp_subr.c b/slirp/src/tcp_subr.c
-index fde9207b..4608942f 100644
+index d6dd133a..9c94c03a 100644
 --- a/slirp/src/tcp_subr.c
 +++ b/slirp/src/tcp_subr.c
-@@ -895,6 +895,9 @@ tcp_emu(struct socket *so, struct mbuf *m)
+@@ -886,6 +886,9 @@ int tcp_emu(struct socket *so, struct mbuf *m)
- 				break;
+                 break;
 			 case 5:
 +				if (bptr == m->m_data + m->m_len - 1)
 +					return 1; /* We need two bytes */
 +
 				/*
 				 * The difference between versions 1.0 and
 				 * 2.0 is here. For future versions of
@@ -910,6 +913,9 @@ tcp_emu(struct socket *so, struct mbuf *m)
 				/* This is the field containing the port
 				 * number that RA-player is listening to.
 				 */
 +				if (bptr == m->m_data + m->m_len - 1)
 +					return 1; /* We need two bytes */
 +
 				lport = (((uint8_t*)bptr)[0] << 8)
 				+ ((uint8_t *)bptr)[1];
 				if (lport < 6970)
 -- 
 2.21.1 (Apple Git-122.3)
             case 5:
 +                if (bptr == m->m_data + m->m_len - 1)
 +                    return 1; /* We need two bytes */
 +
                 /*
                  * The difference between versions 1.0 and
                  * 2.0 is here. For future versions of
@@ -901,6 +904,9 @@ int tcp_emu(struct socket *so, struct mbuf *m)
                 /* This is the field containing the port
                  * number that RA-player is listening to.
                  */
 +                if (bptr == m->m_data + m->m_len - 1)
 +                    return 1; /* We need two bytes */
 +
                 lport = (((uint8_t *)bptr)[0] << 8) + ((uint8_t *)bptr)[1];
                 if (lport < 6970)
                     lport += 256; /* don't know why */
 --
 2.23.0
--- a/tcp_emu-fix-unsafe-snprintf-usages.patch
+++ b/tcp_emu-fix-unsafe-snprintf-usages.patch
@ -1,6 +1,6 @@
-From 1db8bcc0ec91bb4374b3ffdd03da3c4ede381fb5 Mon Sep 17 00:00:00 2001
+From 220a52fda279038d46c25d39a372154ff9b024d2 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureauls?= <marcandre.lureau@redhat.com>
-Date: Wed, 11 Mar 2020 18:52:07 +0800
+Date: Tue, 14 Apr 2020 19:06:35 +0800
 Subject: [PATCH] tcp_emu: fix unsafe snprintf() usages
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
@ -28,67 +28,76 @@ Signed-off-by: default avatarMarc-André Lureau <marcandre.lureau@redhat.com>
 Reviewed-by: Samuel Thibault's avatarSamuel Thibault <samuel.thibault@ens-lyon.org>
 Message-Id: <20200127092414.169796-7-marcandre.lureau@redhat.com>
 ---
- slirp/src/tcp_subr.c | 12 ++++++------
+ slirp/src/tcp_subr.c | 15 +++++++--------
- 1 file changed, 6 insertions(+), 6 deletions(-)
+ 1 file changed, 7 insertions(+), 8 deletions(-)
 diff --git a/slirp/src/tcp_subr.c b/slirp/src/tcp_subr.c
-index e898fd03..88dadc76 100644
+index 019b637a..6c1b17bd 100644
 --- a/slirp/src/tcp_subr.c
 +++ b/slirp/src/tcp_subr.c
-@@ -707,7 +707,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
+@@ -655,8 +655,7 @@ int tcp_emu(struct socket *so, struct mbuf *m)
- 			n4 =  (laddr & 0xff);
+                 NTOHS(n1);
- 
+                 NTOHS(n2);
- 			m->m_len = bptr - m->m_data; /* Adjust length */
+                 m_inc(m, snprintf(NULL, 0, "%d,%d\r\n", n1, n2) + 1);
-                        m->m_len += snprintf(bptr, M_FREEROOM(m),
+-                m->m_len = snprintf(m->m_data, M_ROOM(m), "%d,%d\r\n", n1, n2);
-+                        m->m_len += slirp_fmt(bptr, M_FREEROOM(m),
+-                assert(m->m_len < M_ROOM(m));
-                                              "ORT %d,%d,%d,%d,%d,%d\r\n%s",
+                m->m_len = slirp_fmt(m->m_data, M_ROOM(m), "%d,%d\r\n", n1, n2);
-                                              n1, n2, n3, n4, n5, n6, x==7?buff:"");
+             } else {
- 			return 1;
+                 *eol = '\r';
-@@ -740,7 +740,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
+             }
- 			n4 =  (laddr & 0xff);
+@@ -696,7 +695,7 @@ int tcp_emu(struct socket *so, struct mbuf *m)
- 
+             n4 = (laddr & 0xff);
 			m->m_len = bptr - m->m_data; /* Adjust length */
 -			m->m_len += snprintf(bptr, M_FREEROOM(m),
 +			m->m_len += slirp_fmt(bptr, M_FREEROOM(m),
                                              "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s",
                                              n1, n2, n3, n4, n5, n6, x==7?buff:"");
@@ -766,7 +766,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
 		if (m->m_data[m->m_len-1] == '\0' && lport != 0 &&
 		    (so = tcp_listen(slirp, INADDR_ANY, 0, so->so_laddr.s_addr,
 		                     htons(lport), SS_FACCEPTONCE)) != NULL)
 -                    m->m_len = snprintf(m->m_data, M_ROOM(m),
 +                    m->m_len = slirp_fmt0(m->m_data, M_ROOM(m),
 					"%d", ntohs(so->so_fport)) + 1;
 		return 1;
@@ -786,7 +786,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
 				return 1;
 			}
 			m->m_len = bptr - m->m_data; /* Adjust length */
 -                        m->m_len += snprintf(bptr, M_FREEROOM(m),
 +                        m->m_len += slirp_fmt(bptr, M_FREEROOM(m),
                                              "DCC CHAT chat %lu %u%c\n",
                                              (unsigned long)ntohl(so->so_faddr.s_addr),
                                              ntohs(so->so_fport), 1);
@@ -797,7 +797,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
 				return 1;
 			}
 			m->m_len = bptr - m->m_data; /* Adjust length */
 -                        m->m_len += snprintf(bptr, M_FREEROOM(m),
 +                        m->m_len += slirp_fmt(bptr, M_FREEROOM(m),
                                              "DCC SEND %s %lu %u %u%c\n", buff,
                                              (unsigned long)ntohl(so->so_faddr.s_addr),
                                              ntohs(so->so_fport), n1, 1);
@@ -808,7 +808,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
 				return 1;
 			}
 			m->m_len = bptr - m->m_data; /* Adjust length */
 -                        m->m_len += snprintf(bptr, M_FREEROOM(m),
 +                        m->m_len += slirp_fmt(bptr, M_FREEROOM(m),
                                              "DCC MOVE %s %lu %u %u%c\n", buff,
                                              (unsigned long)ntohl(so->so_faddr.s_addr),
                                              ntohs(so->so_fport), n1, 1);
 -- 
 2.21.1 (Apple Git-122.3)
             m->m_len = bptr - m->m_data; /* Adjust length */
 -            m->m_len += snprintf(bptr, M_FREEROOM(m),
 +            m->m_len += slirp_fmt(bptr, M_FREEROOM(m),
                                  "ORT %d,%d,%d,%d,%d,%d\r\n%s", n1, n2, n3, n4,
                                  n5, n6, x == 7 ? buff : "");
             return 1;
@@ -732,7 +731,7 @@ int tcp_emu(struct socket *so, struct mbuf *m)
             m->m_len = bptr - m->m_data; /* Adjust length */
             m->m_len +=
 -                snprintf(bptr, M_FREEROOM(m),
 +                slirp_fmt(bptr, M_FREEROOM(m),
                          "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s",
                          n1, n2, n3, n4, n5, n6, x == 7 ? buff : "");
@@ -759,7 +758,7 @@ int tcp_emu(struct socket *so, struct mbuf *m)
             (so = tcp_listen(slirp, INADDR_ANY, 0, so->so_laddr.s_addr,
                              htons(lport), SS_FACCEPTONCE)) != NULL)
             m->m_len =
 -                snprintf(m->m_data, M_ROOM(m),
 +                slirp_fmt0(m->m_data, M_ROOM(m),
                             "%d", ntohs(so->so_fport)) + 1;
         return 1;
@@ -779,7 +778,7 @@ int tcp_emu(struct socket *so, struct mbuf *m)
                 return 1;
             }
             m->m_len = bptr - m->m_data; /* Adjust length */
 -            m->m_len += snprintf(bptr, M_FREEROOM(m),
 +            m->m_len += slirp_fmt(bptr, M_FREEROOM(m),
                                  "DCC CHAT chat %lu %u%c\n",
                                  (unsigned long)ntohl(so->so_faddr.s_addr),
                                  ntohs(so->so_fport), 1);
@@ -791,7 +790,7 @@ int tcp_emu(struct socket *so, struct mbuf *m)
             }
             m->m_len = bptr - m->m_data; /* Adjust length */
             m->m_len +=
 -                snprintf(bptr, M_FREEROOM(m),
 +                slirp_fmt(bptr, M_FREEROOM(m),
                          "DCC SEND %s %lu %u %u%c\n", buff,
                          (unsigned long)ntohl(so->so_faddr.s_addr),
                          ntohs(so->so_fport), n1, 1);
@@ -803,7 +802,7 @@ int tcp_emu(struct socket *so, struct mbuf *m)
             }
             m->m_len = bptr - m->m_data; /* Adjust length */
             m->m_len +=
 -                snprintf(bptr, M_FREEROOM(m),
 +                slirp_fmt(bptr, M_FREEROOM(m),
                          "DCC MOVE %s %lu %u %u%c\n", buff,
                          (unsigned long)ntohl(so->so_faddr.s_addr),
                          ntohs(so->so_fport), n1, 1);
 --
 2.23.0
--- a/tests-bios-tables-test-disable-this-testcase.patch
+++ b/tests-bios-tables-test-disable-this-testcase.patch
@ -0,0 +1,48 @@
 From 0814ef80cdf212c68b73fc1fbad4eeece3560ef9 Mon Sep 17 00:00:00 2001
 From: Ying Fang <fangying1@huawei.com>
 Date: Wed, 15 Apr 2020 19:52:09 +0800
 Subject: [PATCH] tests/bios-tables-test: disable this testcase
 We will change ARM virt ACPI FACP and PPTT table in order to
 support CPU topology information presentation. However our
 change make this testcase fail since we changed the table
 totally and we cannot apply patch with rpmbuild system.
 Signed-off-by: Ying Fang <fangying1@huawei.com>
 ---
 tests/Makefile.include | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
 diff --git a/tests/Makefile.include b/tests/Makefile.include
 index fd7fdb86..d8cf00c1 100644
 --- a/tests/Makefile.include
 +++ b/tests/Makefile.include
@@ -164,7 +164,7 @@ check-qtest-i386-y += tests/ide-test$(EXESUF)
 check-qtest-i386-y += tests/ahci-test$(EXESUF)
 check-qtest-i386-y += tests/hd-geo-test$(EXESUF)
 check-qtest-i386-y += tests/boot-order-test$(EXESUF)
 -check-qtest-i386-y += tests/bios-tables-test$(EXESUF)
 +# check-qtest-i386-y += tests/bios-tables-test$(EXESUF)
 check-qtest-i386-$(CONFIG_SGA) += tests/boot-serial-test$(EXESUF)
 check-qtest-i386-$(CONFIG_SLIRP) += tests/pxe-test$(EXESUF)
 check-qtest-i386-y += tests/rtc-test$(EXESUF)
@@ -269,7 +269,7 @@ check-qtest-aarch64-y += tests/boot-serial-test$(EXESUF)
 check-qtest-aarch64-y += tests/migration-test$(EXESUF)
 # TODO: once aarch64 TCG is fixed on ARM 32 bit host, make test unconditional
 ifneq ($(ARCH),arm)
 -check-qtest-aarch64-y += tests/bios-tables-test$(EXESUF)
 +#check-qtest-aarch64-y += tests/bios-tables-test$(EXESUF)
 endif
 check-qtest-microblazeel-y += $(check-qtest-microblaze-y)
@@ -783,7 +783,7 @@ tests/ipmi-bt-test$(EXESUF): tests/ipmi-bt-test.o
 tests/hd-geo-test$(EXESUF): tests/hd-geo-test.o
 tests/boot-order-test$(EXESUF): tests/boot-order-test.o $(libqos-obj-y)
 tests/boot-serial-test$(EXESUF): tests/boot-serial-test.o $(libqos-obj-y)
 -tests/bios-tables-test$(EXESUF): tests/bios-tables-test.o \
 +#tests/bios-tables-test$(EXESUF): tests/bios-tables-test.o \
 	tests/boot-sector.o tests/acpi-utils.o $(libqos-obj-y)
 tests/pxe-test$(EXESUF): tests/pxe-test.o tests/boot-sector.o $(libqos-obj-y)
 tests/microbit-test$(EXESUF): tests/microbit-test.o
 --
 2.23.0
--- a/util-add-slirp_fmt-helpers.patch
+++ b/util-add-slirp_fmt-helpers.patch
@ -0,0 +1,124 @@
 From f3475a4a22dd84be0d2d7daa11676ac861da64bc Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureauls?= <marcandre.lureau@redhat.com>
 Date: Tue, 14 Apr 2020 18:51:39 +0800
 Subject: [PATCH] util: add slirp_fmt() helpers
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 Various calls to snprintf() in libslirp assume that snprintf() returns
 "only" the number of bytes written (excluding terminating NUL).
 https://pubs.opengroup.org/onlinepubs/9699919799/functions/snprintf.html#tag_16_159_04
 "Upon successful completion, the snprintf() function shall return the
 number of bytes that would be written to s had n been sufficiently
 large excluding the terminating null byte."
 Introduce slirp_fmt() that handles several pathological cases the
 way libslirp usually expect:
 - treat error as fatal (instead of silently returning -1)
 - fmt0() will always \0 end
 - return the number of bytes actually written (instead of what would
 have been written, which would usually result in OOB later), including
 the ending \0 for fmt0()
 - warn if truncation happened (instead of ignoring)
 Other less common cases can still be handled with strcpy/snprintf() etc.
 Signed-off-by: default avatarMarc-André Lureau <marcandre.lureau@redhat.com>
 Reviewed-by: Samuel Thibault's avatarSamuel Thibault <samuel.thibault@ens-lyon.org>
 Message-Id: <20200127092414.169796-2-marcandre.lureau@redhat.com>
 ---
 slirp/src/util.c | 63 ++++++++++++++++++++++++++++++++++++++++++++++++
 slirp/src/util.h |  3 +++
 2 files changed, 66 insertions(+)
 diff --git a/slirp/src/util.c b/slirp/src/util.c
 index e5960871..dcae899e 100644
 --- a/slirp/src/util.c
 +++ b/slirp/src/util.c
@@ -364,3 +364,66 @@ void slirp_pstrcpy(char *buf, int buf_size, const char *str)
     }
     *q = '\0';
 }
 +
 +static int slirp_vsnprintf(char *str, size_t size,
 +                           const char *format, va_list args)
 +{
 +    int rv = vsnprintf(str, size, format, args);
 +
 +    if (rv < 0) {
 +        g_error("vsnprintf() failed: %s", g_strerror(errno));
 +    }
 +
 +    return rv;
 +}
 +
 +/*
 + * A snprintf()-like function that:
 + * - returns the number of bytes written (excluding optional \0-ending)
 + * - dies on error
 + * - warn on truncation
 + */
 +int slirp_fmt(char *str, size_t size, const char *format, ...)
 +{
 +    va_list args;
 +    int rv;
 +
 +    va_start(args, format);
 +    rv = slirp_vsnprintf(str, size, format, args);
 +    va_end(args);
 +
 +    if (rv > size) {
 +        g_critical("vsnprintf() truncation");
 +    }
 +
 +    return MIN(rv, size);
 +}
 +
 +/*
 + * A snprintf()-like function that:
 + * - always \0-end (unless size == 0)
 + * - returns the number of bytes actually written, including \0 ending
 + * - dies on error
 + * - warn on truncation
 + */
 +int slirp_fmt0(char *str, size_t size, const char *format, ...)
 +{
 +    va_list args;
 +    int rv;
 +
 +    va_start(args, format);
 +    rv = slirp_vsnprintf(str, size, format, args);
 +    va_end(args);
 +
 +    if (rv >= size) {
 +        g_critical("vsnprintf() truncation");
 +        if (size > 0)
 +            str[size - 1] = '\0';
 +        rv = size;
 +    } else {
 +        rv += 1; /* include \0 */
 +    }
 +
 +    return rv;
 +}
 +
 diff --git a/slirp/src/util.h b/slirp/src/util.h
 index 3c6223ce..0558dfc2 100644
 --- a/slirp/src/util.h
 +++ b/slirp/src/util.h
@@ -177,4 +177,7 @@ static inline int slirp_socket_set_fast_reuse(int fd)
 void slirp_pstrcpy(char *buf, int buf_size, const char *str);
 +int slirp_fmt(char *str, size_t size, const char *format, ...);
 +int slirp_fmt0(char *str, size_t size, const char *format, ...);
 +
 #endif
 --
 2.23.0
--- a/vhost-user-scsi-prevent-using-uninitialized-vqs.patch
+++ b/vhost-user-scsi-prevent-using-uninitialized-vqs.patch
@ -1,7 +1,7 @@
-From 19d56f560879081de411f359417eaaa2998c9e3a Mon Sep 17 00:00:00 2001
+From 4d8f2885b3f1219c3df2cf1a00dc0c55b23ee715 Mon Sep 17 00:00:00 2001
 From: Raphael Norwitz <raphael.norwitz@nutanix.com>
-Date: Tue, 11 Jun 2019 17:35:17 -0700
+Date: Tue, 14 Apr 2020 21:39:05 +0800
-Subject: [PATCH 5/5] vhost-user-scsi: prevent using uninitialized vqs
+Subject: [PATCH] vhost-user-scsi: prevent using uninitialized vqs
 Of the 3 virtqueues, seabios only sets cmd, leaving ctrl
 and event without a physical address. This can cause
@ -26,18 +26,17 @@ Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/hw/scsi/vhost-user-scsi.c b/hw/scsi/vhost-user-scsi.c
-index 8b1e687..241631f 100644
+index fcee67d5..affc2431 100644
 --- a/hw/scsi/vhost-user-scsi.c
 +++ b/hw/scsi/vhost-user-scsi.c
-@@ -90,7 +90,7 @@ static void vhost_user_scsi_realize(DeviceState *dev, Error **errp)
+@@ -91,7 +91,7 @@ static void vhost_user_scsi_realize(DeviceState *dev, Error **errp)
     }
- 
+
     vsc->dev.nvqs = 2 + vs->conf.num_queues;
 -    vsc->dev.vqs = g_new(struct vhost_virtqueue, vsc->dev.nvqs);
 +    vsc->dev.vqs = g_new0(struct vhost_virtqueue, vsc->dev.nvqs);
     vsc->dev.vq_index = 0;
     vsc->dev.backend_features = 0;
- 
+     vqs = vsc->dev.vqs;
-- 
+--
-1.8.3.1
+2.23.0