!802 QEMU update to version 6.2.0-77(master)

From: @JiaboFeng 
Reviewed-by: @aven6 
Signed-off-by: @aven6

9pfs-prevent-opening-special-files-CVE-2023-2861.patch

@@ -0,0 +1,172 @@
+From beed3295acf786cec520a8a0aec5efcd2ca12b23 Mon Sep 17 00:00:00 2001
+From: liuxiangdong <liuxiangdong5@huawei.com>
+Date: Fri, 14 Jul 2023 05:11:57 +0800
+Subject: [PATCH] 9pfs: prevent opening special files (CVE-2023-2861) The 9p
+ protocol does not specifically define how server shall behave when client
+ tries to open a special file, however from security POV it does make sense
+ for 9p server to prohibit opening any special file on host side in general. A
+ sane Linux 9p client for instance would never attempt to open a special file
+ on host side, it would always handle those exclusively on its guest side. A
+ malicious client however could potentially escape from the exported 9p tree
+ by creating and opening a device file on host side.
+
+With QEMU this could only be exploited in the following unsafe setups:
+
+  - Running QEMU binary as root AND 9p 'local' fs driver AND 'passthrough'
+    security model.
+
+or
+
+  - Using 9p 'proxy' fs driver (which is running its helper daemon as
+    root).
+
+These setups were already discouraged for safety reasons before,
+however for obvious reasons we are now tightening behaviour on this.
+
+Fixes: CVE-2023-2861
+Reported-by: Yanwu Shen <ywsPlz@gmail.com>
+Reported-by: Jietao Xiao <shawtao1125@gmail.com>
+Reported-by: Jinku Li <jkli@xidian.edu.cn>
+Reported-by: Wenbo Shen <shenwenbo@zju.edu.cn>
+Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
+Reviewed-by: Greg Kurz <groug@kaod.org>
+Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
+Message-Id: <E1q6w7r-0000Q0-NM@lizzy.crudebyte.com>
+---
+ fsdev/virtfs-proxy-helper.c | 27 +++++++++++++++++++++++--
+ hw/9pfs/9p-util.h           | 40 +++++++++++++++++++++++++++++++++++++
+ 2 files changed, 65 insertions(+), 2 deletions(-)
+
+diff --git a/fsdev/virtfs-proxy-helper.c b/fsdev/virtfs-proxy-helper.c
+index 15c0e79b06..f9e4669a5b 100644
+--- a/fsdev/virtfs-proxy-helper.c
++++ b/fsdev/virtfs-proxy-helper.c
+@@ -26,6 +26,7 @@
+ #include "qemu/xattr.h"
+ #include "9p-iov-marshal.h"
+ #include "hw/9pfs/9p-proxy.h"
++#include "hw/9pfs/9p-util.h"
+ #include "fsdev/9p-iov-marshal.h"
+ 
+ #define PROGNAME "virtfs-proxy-helper"
+@@ -338,6 +339,28 @@ static void resetugid(int suid, int sgid)
+     }
+ }
+ 
++/*
++ * Open regular file or directory. Attempts to open any special file are
++ * rejected.
++ *
++ * returns file descriptor or -1 on error
++ */
++static int open_regular(const char *pathname, int flags, mode_t mode)
++{
++    int fd;
++
++    fd = open(pathname, flags, mode);
++    if (fd < 0) {
++        return fd;
++    }
++
++    if (close_if_special_file(fd) < 0) {
++        return -1;
++    }
++
++    return fd;
++}
++
+ /*
+  * send response in two parts
+  * 1) ProxyHeader
+@@ -682,7 +705,7 @@ static int do_create(struct iovec *iovec)
+     if (ret < 0) {
+         goto unmarshal_err_out;
+     }
+-    ret = open(path.data, flags, mode);
++    ret = open_regular(path.data, flags, mode);
+     if (ret < 0) {
+         ret = -errno;
+     }
+@@ -707,7 +730,7 @@ static int do_open(struct iovec *iovec)
+     if (ret < 0) {
+         goto err_out;
+     }
+-    ret = open(path.data, flags);
++    ret = open_regular(path.data, flags, 0);
+     if (ret < 0) {
+         ret = -errno;
+     }
+diff --git a/hw/9pfs/9p-util.h b/hw/9pfs/9p-util.h
+index 546f46dc7d..23000e917f 100644
+--- a/hw/9pfs/9p-util.h
++++ b/hw/9pfs/9p-util.h
+@@ -13,12 +13,16 @@
+ #ifndef QEMU_9P_UTIL_H
+ #define QEMU_9P_UTIL_H
+ 
++#include "qemu/error-report.h"
++
+ #ifdef O_PATH
+ #define O_PATH_9P_UTIL O_PATH
+ #else
+ #define O_PATH_9P_UTIL 0
+ #endif
+ 
++#define qemu_fstat      fstat
++
+ static inline void close_preserve_errno(int fd)
+ {
+     int serrno = errno;
+@@ -26,6 +30,38 @@ static inline void close_preserve_errno(int fd)
+     errno = serrno;
+ }
+ 
++/**
++ * close_if_special_file() - Close @fd if neither regular file nor directory.
++ *
++ * @fd: file descriptor of open file
++ * Return: 0 on regular file or directory, -1 otherwise
++ *
++ * CVE-2023-2861: Prohibit opening any special file directly on host
++ * (especially device files), as a compromised client could potentially gain
++ * access outside exported tree under certain, unsafe setups. We expect
++ * client to handle I/O on special files exclusively on guest side.
++ */
++static inline int close_if_special_file(int fd)
++{
++    struct stat stbuf;
++
++    if (qemu_fstat(fd, &stbuf) < 0) {
++        close_preserve_errno(fd);
++        return -1;
++    }
++    if (!S_ISREG(stbuf.st_mode) && !S_ISDIR(stbuf.st_mode)) {
++        error_report_once(
++            "9p: broken or compromised client detected; attempt to open "
++            "special file (i.e. neither regular file, nor directory)"
++        );
++        close(fd);
++        errno = ENXIO;
++        return -1;
++    }
++
++    return 0;
++}
++
+ static inline int openat_dir(int dirfd, const char *name)
+ {
+     return openat(dirfd, name,
+@@ -56,6 +92,10 @@ again:
+         return -1;
+     }
+ 
++    if (close_if_special_file(fd) < 0) {
++        return -1;
++    }
++
+     serrno = errno;
+     /* O_NONBLOCK was only needed to open the file. Let's drop it. We don't
+      * do that with O_PATH since fcntl(F_SETFL) isn't supported, and openat()
+-- 
+2.41.0.windows.1
+

Allow-setting-up-to-8-bytes-with-the-generic-loader.patch

@@ -0,0 +1,48 @@
+From baf464ea0c35f9b235e8385b0771392ce362a6ec Mon Sep 17 00:00:00 2001
+From: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
+Date: Fri, 21 Jul 2023 06:14:37 +0000
+Subject: [PATCH] Allow setting up to 8 bytes with the generic loader mainline
+ inclusion commit f42483d776bce29a9925ed61cc10eb27a5b2446c category: bugfix
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+---------------------------------------------------------------
+
+The documentation for the generic loader says that "the maximum size of
+the data is 8 bytes". However, attempts to set data-len=8 trigger the
+following assertion failure:
+
+../hw/core/generic-loader.c:59: generic_loader_reset: Assertion `s->data_len < sizeof(s->data)' failed.
+
+The type of s->data is uint64_t (i.e. 8 bytes long), so I believe this
+assert should use <= instead of <.
+
+Fixes: e481a1f63c93 ("generic-loader: Add a generic loader")
+Signed-off-by: Petr Tesarik <ptesarik@suse.com>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Message-id: 20220120092715.7805-1-ptesarik@suse.com
+Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
+
+Signed-off-by: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
+---
+ hw/core/generic-loader.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/core/generic-loader.c b/hw/core/generic-loader.c
+index 9a24ffb880..504ed7ca72 100644
+--- a/hw/core/generic-loader.c
++++ b/hw/core/generic-loader.c
+@@ -56,7 +56,7 @@ static void generic_loader_reset(void *opaque)
+     }
+ 
+     if (s->data_len) {
+-        assert(s->data_len < sizeof(s->data));
++        assert(s->data_len <= sizeof(s->data));
+         dma_memory_write(s->cpu->as, s->addr, &s->data, s->data_len,
+                          MEMTXATTRS_UNSPECIFIED);
+     }
+-- 
+2.41.0.windows.1
+

accel-tcg-Optimize-jump-cache-flush-during-tlb-range.patch

@@ -0,0 +1,49 @@
+From 28ca488c585c556ce04419f927d13d46771e1ea4 Mon Sep 17 00:00:00 2001
+From: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
+Date: Tue, 18 Jul 2023 06:29:51 +0000
+Subject: [PATCH] accel/tcg: Optimize jump cache flush during tlb  range flush
+ mainline inclusion commit cfc2a2d69d59f02b32df3098ce17e10ab86d43c6 category:
+ bugfix
+
+---------------------------------------------------------------
+
+When the length of the range is large enough, clearing the whole cache is
+faster than iterating over the (possibly extremely large) set of pages
+contained in the range.
+
+This mimics the pre-existing similar optimization done on the flush of the
+tlb itself.
+
+Signed-off-by: Idan Horowitz <idan.horowitz@gmail.com>
+Message-Id: <20220110164754.1066025-1-idan.horowitz@gmail.com>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+
+Signed-off-by: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
+---
+ accel/tcg/cputlb.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
+index b69a953447..03526fa1ab 100644
+--- a/accel/tcg/cputlb.c
++++ b/accel/tcg/cputlb.c
+@@ -783,6 +783,15 @@ static void tlb_flush_range_by_mmuidx_async_0(CPUState *cpu,
+     }
+     qemu_spin_unlock(&env_tlb(env)->c.lock);
+ 
++    /*
++     * If the length is larger than the jump cache size, then it will take
++     * longer to clear each entry individually than it will to clear it all.
++     */
++    if (d.len >= (TARGET_PAGE_SIZE * TB_JMP_CACHE_SIZE)) {
++        cpu_tb_jmp_cache_clear(cpu);
++        return;
++    }
++
+     for (target_ulong i = 0; i < d.len; i += TARGET_PAGE_SIZE) {
+         tb_flush_jmp_cache(cpu, d.addr + i);
+     }
+-- 
+2.41.0.windows.1
+

accel-tcg-cpu-exec-Fix-precise-single-stepping-after.patch

@@ -0,0 +1,48 @@
+From ddca9c0cba8e3c858b7998c67ae2739f58b5b681 Mon Sep 17 00:00:00 2001
+From: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
+Date: Fri, 21 Jul 2023 06:41:38 +0000
+Subject: [PATCH] accel/tcg/cpu-exec: Fix precise single-stepping  after
+ interrupt mainline inclusion commit 5b7b197c87cefbd24bd1936614fd4e00ccc279ab
+ category: bugfix
+
+---------------------------------------------------------------
+
+In some cases, cpu->exit_request can be false after handling the
+interrupt, leading to another TB being executed instead of returning
+to the main loop.
+
+Fix this by returning true unconditionally when in single-step mode.
+
+Fixes: ba3c35d9c402 ("tcg/cpu-exec: precise single-stepping after an interrupt")
+Signed-off-by: Luc Michel <lmichel@kalray.eu>
+Message-Id: <20220214132656.11397-1-lmichel@kalray.eu>
+[rth: Unlock iothread mutex; simplify indentation]
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+
+Signed-off-by: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
+---
+ accel/tcg/cpu-exec.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/accel/tcg/cpu-exec.c b/accel/tcg/cpu-exec.c
+index 409ec8c38c..7fb87afedc 100644
+--- a/accel/tcg/cpu-exec.c
++++ b/accel/tcg/cpu-exec.c
+@@ -798,8 +798,12 @@ static inline bool cpu_handle_interrupt(CPUState *cpu,
+                  * raised when single-stepping so that GDB doesn't miss the
+                  * next instruction.
+                  */
+-                cpu->exception_index =
+-                    (cpu->singlestep_enabled ? EXCP_DEBUG : -1);
++                if (unlikely(cpu->singlestep_enabled)) {
++                    cpu->exception_index = EXCP_DEBUG;
++                    qemu_mutex_unlock_iothread();
++                    return true;
++                }
++                cpu->exception_index = -1;   
+                 *last_tb = NULL;
+             }
+             /* The target hook may have updated the 'cpu->interrupt_request';
+-- 
+2.41.0.windows.1
+

block-iscsi-fix-double-free-on-BUSY-or-similar-statu.patch

@@ -0,0 +1,36 @@
+From 2d37c08cc6f274c48a4a65a446788e946f0363c0 Mon Sep 17 00:00:00 2001
+From: qihao <qihao_yewu@cmss.chinamobile.com>
+Date: Wed, 28 Jun 2023 10:58:55 +0800
+Subject: [PATCH] block/iscsi: fix double-free on BUSY or similar statuses
+
+cheery-pick from 5080152e2ef6cde7aa692e29880c62bd54acb750
+
+Commit 8c460269aa77 ("iscsi: base all handling of check condition on
+scsi_sense_to_errno", 2019-07-15) removed a "goto out" so that the
+same coroutine is re-entered twice; once from iscsi_co_generic_cb,
+once from the timer callback iscsi_retry_timer_expired.  This can
+cause a crash.
+
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1378
+Reported-by: Grzegorz Zdanowski <https://gitlab.com/kiler129>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: qihao_yewu <qihao_yewu@cmss.chinamobile.com>
+---
+ block/iscsi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/block/iscsi.c b/block/iscsi.c
+index 57aa07a40d..61ccb58fc8 100644
+--- a/block/iscsi.c
++++ b/block/iscsi.c
+@@ -268,6 +268,7 @@ iscsi_co_generic_cb(struct iscsi_context *iscsi, int status,
+                 timer_mod(&iTask->retry_timer,
+                           qemu_clock_get_ms(QEMU_CLOCK_REALTIME) + retry_time);
+                 iTask->do_retry = 1;
++                return;
+             } else if (status == SCSI_STATUS_CHECK_CONDITION) {
+                 int error = iscsi_translate_sense(&task->sense);
+                 if (error == EAGAIN) {
+-- 
+2.41.0.windows.1
+

block-monitor-Fix-crash-when-executing-HMP-commit.patch

@@ -0,0 +1,54 @@
+From 33dfb9d81a8cfe17aaa3f0804cbd491b06d38cd6 Mon Sep 17 00:00:00 2001
+From: qihao <qihao_yewu@cmss.chinamobile.com>
+Date: Tue, 27 Jun 2023 14:40:13 +0800
+Subject: [PATCH] block/monitor: Fix crash when executing HMP commit
+
+cheery-pick from b7b814cd87a5fbe9f0fb5732dd28932699317bda
+
+hmp_commit() calls blk_is_available() from a non-coroutine context (and
+in the main loop). blk_is_available() is a co_wrapper_mixed_bdrv_rdlock
+function, and in the non-coroutine context it calls AIO_WAIT_WHILE(),
+which crashes if the aio_context lock is not taken before.
+
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1615
+Signed-off-by: Wang Liang <wangliangzz@inspur.com>
+Message-Id: <20230424103902.45265-1-wangliangzz@126.com>
+Reviewed-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
+Reviewed-by: Kevin Wolf <kwolf@redhat.com>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+(cherry picked from commit 8c1e8fb2e7fc2cbeb57703e143965a4cd3ad301a)
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+Signed-off-by: qihao_yewu <qihao_yewu@cmss.chinamobile.com>
+---
+ block/monitor/block-hmp-cmds.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/block/monitor/block-hmp-cmds.c b/block/monitor/block-hmp-cmds.c
+index 2ac4aedfff..44f0af3430 100644
+--- a/block/monitor/block-hmp-cmds.c
++++ b/block/monitor/block-hmp-cmds.c
+@@ -213,15 +213,17 @@ void hmp_commit(Monitor *mon, const QDict *qdict)
+             error_report("Device '%s' not found", device);
+             return;
+         }
+-        if (!blk_is_available(blk)) {
+-            error_report("Device '%s' has no medium", device);
+-            return;
+-        }
+ 
+         bs = bdrv_skip_implicit_filters(blk_bs(blk));
+         aio_context = bdrv_get_aio_context(bs);
+         aio_context_acquire(aio_context);
+ 
++        if (!blk_is_available(blk)) {
++            error_report("Device '%s' has no medium", device);
++            aio_context_release(aio_context);
++            return;
++        }
++
+         ret = bdrv_commit(bs);
+ 
+         aio_context_release(aio_context);
+-- 
+2.41.0.windows.1
+

gitlab-Disable-plugins-for-cross-i386-tci.patch

@@ -0,0 +1,34 @@
+From d301917340f0d0196fb8e346a5d489e9be329a0a Mon Sep 17 00:00:00 2001
+From: jipengfei <jipengfei_yewu@cmss.chinamobile.com>
+Date: Fri, 30 Jun 2023 21:33:34 +0800
+Subject: [PATCH] gitlab: Disable plugins for cross-i386-tci
+
+There are timeouts in the cross-i386-tci job that are related to plugins.
+Restrict this job to basic TCI testing.
+
+cheery-pick from 0cc889c8826cefa5b80110d31a62273b56aa1832
+
+Signed-off-by: jipengfei_yewu <jipengfei_yewu@cmss.chinamobile.com>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Acked-by: Thomas Huth <thuth@redhat.com>
+Message-Id: <20230629130844.151453-1-richard.henderson@linaro.org>
+---
+ .gitlab-ci.d/crossbuilds.yml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/.gitlab-ci.d/crossbuilds.yml b/.gitlab-ci.d/crossbuilds.yml
+index 17d6cb3e45..d06bf5f57d 100644
+--- a/.gitlab-ci.d/crossbuilds.yml
++++ b/.gitlab-ci.d/crossbuilds.yml
+@@ -65,7 +65,7 @@ cross-i386-tci:
+   variables:
+     IMAGE: fedora-i386-cross
+     ACCEL: tcg-interpreter
+-    EXTRA_CONFIGURE_OPTS: --target-list=i386-softmmu,i386-linux-user,aarch64-softmmu,aarch64-linux-user,ppc-softmmu,ppc-linux-user
++    EXTRA_CONFIGURE_OPTS: --target-list=i386-softmmu,i386-linux-user,aarch64-softmmu,aarch64-linux-user,ppc-softmmu,ppc-linux-user --disable-plugins
+     MAKE_CHECK_ARGS: check check-tcg
+ 
+ cross-mips-system:
+-- 
+2.41.0.windows.1
+

host-vdpa-make-notifiers-_init-_uninit-symmetric.patch

@@ -0,0 +1,79 @@
+From 8bba9208da0aa994b91d9568b58241e94b5d46fc Mon Sep 17 00:00:00 2001
+From: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
+Date: Wed, 26 Jul 2023 02:21:47 +0000
+Subject: [PATCH] host-vdpa: make notifiers _init()/_uninit()  symmetric
+ mainline inclusion commit b1f030a0a2e281193b09350c0281c0084e84bcf4 category:
+ bugfix
+
+---------------------------------------------------------------
+
+vhost_vdpa_host_notifiers_init() initializes queue notifiers
+for queues "dev->vq_index" to queue "dev->vq_index + dev->nvqs",
+whereas vhost_vdpa_host_notifiers_uninit() uninitializes the
+same notifiers for queue "0" to queue "dev->nvqs".
+
+This asymmetry seems buggy, fix that by using dev->vq_index
+as the base for both.
+
+Fixes: d0416d487bd5 ("vhost-vdpa: map virtqueue notification area if possible")
+Cc: jasowang@redhat.com
+Signed-off-by: Laurent Vivier <lvivier@redhat.com>
+Message-Id: <20220211161309.1385839-1-lvivier@redhat.com>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+
+Signed-off-by: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
+---
+ hw/virtio/vhost-vdpa.c | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/hw/virtio/vhost-vdpa.c b/hw/virtio/vhost-vdpa.c
+index 225c9b1730..287025ef93 100644
+--- a/hw/virtio/vhost-vdpa.c
++++ b/hw/virtio/vhost-vdpa.c
+@@ -381,15 +381,6 @@ static void vhost_vdpa_host_notifier_uninit(struct vhost_dev *dev,
+     }
+ }
+ 
+-static void vhost_vdpa_host_notifiers_uninit(struct vhost_dev *dev, int n)
+-{
+-    int i;
+-
+-    for (i = 0; i < n; i++) {
+-        vhost_vdpa_host_notifier_uninit(dev, i);
+-    }
+-}
+-
+ static int vhost_vdpa_host_notifier_init(struct vhost_dev *dev, int queue_index)
+ {
+     size_t page_size = qemu_real_host_page_size;
+@@ -429,6 +420,15 @@ err:
+     return -1;
+ }
+ 
++static void vhost_vdpa_host_notifiers_uninit(struct vhost_dev *dev, int n)
++{
++    int i;
++
++    for (i = dev->vq_index; i < dev->vq_index + n; i++) {
++        vhost_vdpa_host_notifier_uninit(dev, i);
++    }
++}
++
+ static void vhost_vdpa_host_notifiers_init(struct vhost_dev *dev)
+ {
+     int i;
+@@ -442,7 +442,7 @@ static void vhost_vdpa_host_notifiers_init(struct vhost_dev *dev)
+     return;
+ 
+ err:
+-    vhost_vdpa_host_notifiers_uninit(dev, i);
++    vhost_vdpa_host_notifiers_uninit(dev, i - dev->vq_index);
+     return;
+ }
+ 
+-- 
+2.41.0.windows.1
+

hw-net-virtio-net-make-some-VirtIONet-const.patch

@@ -0,0 +1,44 @@
+From f6e12a7c892c5e823157f6b84955544ff659e980 Mon Sep 17 00:00:00 2001
+From: jipengfei <jipengfei_yewu@cmss.chinamobile.com>
+Date: Fri, 30 Jun 2023 22:19:22 +0800
+Subject: [PATCH] hw/net/virtio-net: make some VirtIONet const
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The VirtIONet structure is not modified in
+virtio_net_supported_guest_offloads().
+Therefore, make it const to allow this function to
+accept const variables.
+
+cheery-pick from 705e89cfaafc54491482742a756cf661b48608d2
+
+Signed-off-by: jipengfei_yewu <jipengfei_yewu@cmss.chinamobile.com>
+Signed-off-by: Hawkins Jiawei <yin31149@gmail.com>
+Reviewed-by: Eugenio Pérez <eperezma@redhat.com>
+Message-Id: <489b09c3998ac09b9135e57a7dd8c56a4be8cdf9.1685704856.git.yin31149@gmail.com>
+Tested-by: Lei Yang <leiyang@redhat.com>
+Reviewed-by: Eugenio Pérez <eperezma@redhat.com>
+Tested-by: Eugenio Pérez <eperezma@redhat.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+---
+ hw/net/virtio-net.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
+index 4946b65e22..3bd786cc22 100644
+--- a/hw/net/virtio-net.c
++++ b/hw/net/virtio-net.c
+@@ -811,7 +811,7 @@ static uint64_t virtio_net_guest_offloads_by_features(uint32_t features)
+     return guest_offloads_mask & features;
+ }
+ 
+-static inline uint64_t virtio_net_supported_guest_offloads(VirtIONet *n)
++static inline uint64_t virtio_net_supported_guest_offloads(const VirtIONet *n)
+ {
+     VirtIODevice *vdev = VIRTIO_DEVICE(n);
+     return virtio_net_guest_offloads_by_features(vdev->guest_features);
+-- 
+2.41.0.windows.1
+

hw-net-vmxnet3-allow-VMXNET3_MAX_MTU-itself-as-a-val.patch

@@ -0,0 +1,47 @@
+From 2d7c5ea10b443c33ffe2c21de5a495bd6d2a67bd Mon Sep 17 00:00:00 2001
+From: qihao <qihao_yewu@cmss.chinamobile.com>
+Date: Wed, 28 Jun 2023 09:37:04 +0800
+Subject: [PATCH] hw/net/vmxnet3: allow VMXNET3_MAX_MTU itself as a value
+
+cheery-pick from b209cc4556d56938fa8a933670b8fb98c036af37
+
+Currently, VMXNET3_MAX_MTU itself (being 9000) is not considered a
+valid value for the MTU, but a guest running ESXi 7.0 might try to
+set it and fail the assert [0].
+
+In the Linux kernel, dev->max_mtu itself is a valid value for the MTU
+and for the vmxnet3 driver it's 9000, so a guest running Linux will
+also fail the assert when trying to set an MTU of 9000.
+
+VMXNET3_MAX_MTU and s->mtu don't seem to be used in relation to buffer
+allocations/accesses, so allowing the upper limit itself as a value
+should be fine.
+
+[0]: https://forum.proxmox.com/threads/114011/
+
+Fixes: d05dcd94ae ("net: vmxnet3: validate configuration values during activate (CVE-2021-20203)")
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+(cherry picked from commit 099a63828130843741d317cb28e936f468b2b53b)
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+Signed-off-by: qihao_yewu <qihao_yewu@cmss.chinamobile.com>
+---
+ hw/net/vmxnet3.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
+index 0b7acf7f89..a2037583bf 100644
+--- a/hw/net/vmxnet3.c
++++ b/hw/net/vmxnet3.c
+@@ -1441,7 +1441,7 @@ static void vmxnet3_activate_device(VMXNET3State *s)
+     vmxnet3_setup_rx_filtering(s);
+     /* Cache fields from shared memory */
+     s->mtu = VMXNET3_READ_DRV_SHARED32(d, s->drv_shmem, devRead.misc.mtu);
+-    assert(VMXNET3_MIN_MTU <= s->mtu && s->mtu < VMXNET3_MAX_MTU);
++    assert(VMXNET3_MIN_MTU <= s->mtu && s->mtu <= VMXNET3_MAX_MTU);
+     VMW_CFPRN("MTU is %u", s->mtu);
+ 
+     s->max_rx_frags =
+-- 
+2.41.0.windows.1
+

hw-pci-bridge-pxb-Fix-missing-swizzle.patch

@@ -0,0 +1,52 @@
+From bf6161d03c1d6a8cb378a2f84743aa45b0ddf84b Mon Sep 17 00:00:00 2001
+From: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
+Date: Wed, 26 Jul 2023 02:34:48 +0000
+Subject: [PATCH] hw/pci-bridge/pxb: Fix missing swizzle mainline inclusion
+ commit e609301b458bf6daba478299dc5aea5d1fbaea39 category: bugfix
+
+---------------------------------------------------------------
+
+pxb_map_irq_fn() handled the necessary removal of the swizzle
+applied to the PXB interrupts by the bus to which it was attached
+but neglected to apply the normal swizzle for PCI root ports
+on the expander bridge.
+
+Result of this was on ARM virt, the PME interrupts for a second
+RP on a PXB instance were miss-routed to #45 rather than #46.
+
+Tested with a selection of different configurations with 1 to 5
+RP per PXB instance.  Note on my x86 test setup the PME interrupts
+are not triggered so I haven't been able to test this.
+
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Cc: Michael S. Tsirkin <mst@redhat.com>
+Cc: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
+Message-Id: <20220118174855.19325-1-Jonathan.Cameron@huawei.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+
+Signed-off-by: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
+---
+ hw/pci-bridge/pci_expander_bridge.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/hw/pci-bridge/pci_expander_bridge.c b/hw/pci-bridge/pci_expander_bridge.c
+index 10e6e7c2ab..de932286b5 100644
+--- a/hw/pci-bridge/pci_expander_bridge.c
++++ b/hw/pci-bridge/pci_expander_bridge.c
+@@ -192,6 +192,12 @@ static int pxb_map_irq_fn(PCIDevice *pci_dev, int pin)
+ {
+     PCIDevice *pxb = pci_get_bus(pci_dev)->parent_dev;
+ 
++    /*
++     * First carry out normal swizzle to handle
++     * multple root ports on a pxb instance.
++     */
++    pin = pci_swizzle_map_irq_fn(pci_dev, pin);
++
+     /*
+      * The bios does not index the pxb slot number when
+      * it computes the IRQ because it resides on bus 0
+-- 
+2.41.0.windows.1
+

hw-ppc-Kconfig-MAC_NEWWORLD-should-always-select-USB.patch

@@ -0,0 +1,43 @@
+From f2ee3b11fc10dd5353beb8efca7d919668dd332c Mon Sep 17 00:00:00 2001
+From: qihao <qihao@cmss.chinamobile.com>
+Date: Mon, 26 Jun 2023 11:04:33 +0800
+Subject: [PATCH] hw/ppc/Kconfig: MAC_NEWWORLD should always select
+ USB_OHCI_PCI
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+cheery-pick 9ec08f3569be3bc8bfd4d9b8b0445b9136910661
+
+The PowerMacs have an OHCI controller soldered on the motherboard,
+so this should always be enabled for the "mac99" machine.
+This fixes the problem that QEMU aborts when the user tries to run
+the "mac99" machine with a build that has been compiled with the
+"--without-default-devices" configure switch.
+
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
+Message-Id: <20230530102041.55527-1-thuth@redhat.com>
+Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
+Signed-off-by: qihao_yewu <qihao_yewu@cmss.chinamobile.com>
+---
+ hw/ppc/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/ppc/Kconfig b/hw/ppc/Kconfig
+index 400511c6b7..9e0b7184e3 100644
+--- a/hw/ppc/Kconfig
++++ b/hw/ppc/Kconfig
+@@ -119,6 +119,7 @@ config MAC_NEWWORLD
+     select MAC_PMU
+     select UNIN_PCI
+     select FW_CFG_PPC
++    select USB_OHCI_PCI
+ 
+ config E500
+     bool
+-- 
+2.41.0.windows.1
+

hw-virtio-vdpa-Fix-leak-of-host-notifier-memory-regi.patch

@@ -0,0 +1,50 @@
+From 862a150140b95bbd23d174307aacd06f65d36f1c Mon Sep 17 00:00:00 2001
+From: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
+Date: Fri, 21 Jul 2023 07:26:44 +0000
+Subject: [PATCH] hw/virtio: vdpa: Fix leak of host-notifier  memory-region
+ mainline inclusion commit 98f7607ecda00dea3cbb2ed7b4427c96846efb83 category:
+ bugfix
+
+---------------------------------------------------------------
+
+If call virtio_queue_set_host_notifier_mr fails, should free
+host-notifier memory-region.
+
+This problem can trigger a coredump with some vDPA drivers (mlx5,
+but not with the vdpasim), if we unplug the virtio-net card from
+the guest after a stop/start.
+
+The same fix has been done for vhost-user:
+  1f89d3b91e3e ("hw/virtio: Fix leak of host-notifier memory-region")
+
+Fixes: d0416d487bd5 ("vhost-vdpa: map virtqueue notification area if possible")
+Cc: jasowang@redhat.com
+Resolves: https://bugzilla.redhat.com/2027208
+Signed-off-by: Laurent Vivier <lvivier@redhat.com>
+Message-Id: <20220211170259.1388734-1-lvivier@redhat.com>
+Cc: qemu-stable@nongnu.org
+Acked-by: Jason Wang <jasowang@redhat.com>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+
+Signed-off-by: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
+---
+ hw/virtio/vhost-vdpa.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/virtio/vhost-vdpa.c b/hw/virtio/vhost-vdpa.c
+index f285edb786..225c9b1730 100644
+--- a/hw/virtio/vhost-vdpa.c
++++ b/hw/virtio/vhost-vdpa.c
+@@ -417,6 +417,7 @@ static int vhost_vdpa_host_notifier_init(struct vhost_dev *dev, int queue_index)
+     g_free(name);
+ 
+     if (virtio_queue_set_host_notifier_mr(vdev, queue_index, &n->mr, true)) {
++        object_unparent(OBJECT(&n->mr));
+         munmap(addr, page_size);
+         goto err;
+     }
+-- 
+2.41.0.windows.1
+

ide-Increment-BB-in-flight-counter-for-TRIM-BH.patch

@@ -0,0 +1,87 @@
+From 31ae365f6c13d1bdad9d4eefe6e9f00928e5dd64 Mon Sep 17 00:00:00 2001
+From: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
+Date: Wed, 26 Jul 2023 02:50:59 +0000
+Subject: [PATCH] ide: Increment BB in-flight counter for TRIM BH mainline
+ inclusion commit 7e5cdb345f77d76cb4877fe6230c4e17a7d0d0ca category: bugfix
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+---------------------------------------------------------------
+
+When we still have an AIOCB registered for DMA operations, we try to
+settle the respective operation by draining the BlockBackend associated
+with the IDE device.
+
+However, this assumes that every DMA operation is associated with an
+increment of the BlockBackend’s in-flight counter (e.g. through some
+ongoing I/O operation), so that draining the BB until its in-flight
+counter reaches 0 will settle all DMA operations.  That is not the case:
+For TRIM, the guest can issue a zero-length operation that will not
+result in any I/O operation forwarded to the BlockBackend, and also not
+increment the in-flight counter in any other way.  In such a case,
+blk_drain() will be a no-op if no other operations are in flight.
+
+It is clear that if blk_drain() is a no-op, the value of
+s->bus->dma->aiocb will not change between checking it in the `if`
+condition and asserting that it is NULL after blk_drain().
+
+The particular problem is that ide_issue_trim() creates a BH
+(ide_trim_bh_cb()) to settle the TRIM request: iocb->common.cb() is
+ide_dma_cb(), which will either create a new request, or find the
+transfer to be done and call ide_set_inactive(), which clears
+s->bus->dma->aiocb.  Therefore, the blk_drain() must wait for
+ide_trim_bh_cb() to run, which currently it will not always do.
+
+To fix this issue, we increment the BlockBackend's in-flight counter
+when the TRIM operation begins (in ide_issue_trim(), when the
+ide_trim_bh_cb() BH is created) and decrement it when ide_trim_bh_cb()
+is done.
+
+Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=2029980
+Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Hanna Reitz <hreitz@redhat.com>
+Message-Id: <20220120142259.120189-1-hreitz@redhat.com>
+Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
+Reviewed-by: John Snow <jsnow@redhat.com>
+Tested-by: John Snow <jsnow@redhat.com>
+
+Signed-off-by: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
+---
+ hw/ide/core.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/hw/ide/core.c b/hw/ide/core.c
+index e28f8aad61..15138225be 100644
+--- a/hw/ide/core.c
++++ b/hw/ide/core.c
+@@ -433,12 +433,16 @@ static const AIOCBInfo trim_aiocb_info = {
+ static void ide_trim_bh_cb(void *opaque)
+ {
+     TrimAIOCB *iocb = opaque;
++    BlockBackend *blk = iocb->s->blk;
+ 
+     iocb->common.cb(iocb->common.opaque, iocb->ret);
+ 
+     qemu_bh_delete(iocb->bh);
+     iocb->bh = NULL;
+     qemu_aio_unref(iocb);
++
++    /* Paired with an increment in ide_issue_trim() */
++    blk_dec_in_flight(blk);
+ }
+ 
+ static void ide_issue_trim_cb(void *opaque, int ret)
+@@ -508,6 +512,9 @@ BlockAIOCB *ide_issue_trim(
+     IDEState *s = opaque;
+     TrimAIOCB *iocb;
+ 
++    /* Paired with a decrement in ide_trim_bh_cb() */
++    blk_inc_in_flight(s->blk);
++
+     iocb = blk_aio_get(&trim_aiocb_info, s->blk, cb, cb_opaque);
+     iocb->s = s;
+     iocb->bh = qemu_bh_new(ide_trim_bh_cb, iocb);
+-- 
+2.41.0.windows.1
+

migration-report-compress-thread-pid-to-libvirt.patch

@@ -0,0 +1,54 @@
+From 16c188d246f8d74f3d25098effdb836cdeb17e16 Mon Sep 17 00:00:00 2001
+From: jipengfei <jipengfei_yewu@cmss.chinamobile.com>
+Date: Sat, 1 Jul 2023 13:08:53 +0800
+Subject: [PATCH] migration: report compress thread pid to libvirt
+
+Supports migrating compressed threads bound to physical cores,qemu need to tell libvirt the compress thread pids.
+
+Signed-off-by:jipengfei <jipengfei_yewu@cmss.chinamobile.com>
+---
+ migration/ram.c     |  3 +++
+ qapi/migration.json | 13 +++++++++++++
+ 2 files changed, 16 insertions(+)
+
+diff --git a/migration/ram.c b/migration/ram.c
+index c3484ee1a9..c6c59b54d9 100644
+--- a/migration/ram.c
++++ b/migration/ram.c
+@@ -755,6 +755,9 @@ static void *do_data_compress(void *opaque)
+     RAMBlock *block;
+     bool zero_page;
+ 
++    /* report compress thread pids to libvirt */
++    qapi_event_send_migration_compress_pid(qemu_get_thread_id());
++
+     qemu_mutex_lock(&param->mutex);
+     while (!param->quit) {
+         if (param->block) {
+diff --git a/qapi/migration.json b/qapi/migration.json
+index 8e18fd30e4..e965f4329b 100644
+--- a/qapi/migration.json
++++ b/qapi/migration.json
+@@ -1308,6 +1308,19 @@
+ { 'event': 'MIGRATION_PID',
+   'data': { 'pid': 'int' } }
+ 
++##
++# @MIGRATION_COMPRESS_PID:
++#
++# Emitted when compress thread appear
++#
++# @pid: pid of compress thread
++#
++# Since: 6.2
++##
++{ 'event': 'MIGRATION_COMPRESS_PID',
++  'data': { 'pid': 'int' } }
++
++
+ ##
+ # @COLOMessage:
+ #
+-- 
+2.41.0.windows.1
+

qemu.spec

@@ -3,7 +3,7 @@
 
 Name: qemu
 Version: 6.2.0
-Release: 75
+Release: 77
 Epoch: 10
 Summary: QEMU is a generic and open source machine emulator and virtualizer
 License: GPLv2 and BSD and MIT and CC-BY-SA-4.0
@@ -507,6 +507,30 @@ Patch0492: virtio-fix-reachable-assertion-due-to-stale-value-of.patch
 Patch0493: hw-nvme-Change-alignment-in-dma-functions-for-nvme_b.patch
 Patch0494: Fix-smp.cores-value-and-Fix-divide-0-error.patch
 Patch0495: Add-lbt-support-for-kvm.patch
+Patch0496: migration-report-compress-thread-pid-to-libvirt.patch
+Patch0497: hw-ppc-Kconfig-MAC_NEWWORLD-should-always-select-USB.patch
+Patch0498: virtio-gpu-add-a-FIXME-for-virtio_gpu_load.patch
+Patch0499: block-monitor-Fix-crash-when-executing-HMP-commit.patch
+Patch0500: vnc-avoid-underflow-when-accessing-user-provided-add.patch
+Patch0501: qga-vss-win32-fix-warning-for-clang-15.patch
+Patch0502: hw-net-vmxnet3-allow-VMXNET3_MAX_MTU-itself-as-a-val.patch
+Patch0503: tests-tcg-fix-unused-variable-in-linux-test.patch
+Patch0504: block-iscsi-fix-double-free-on-BUSY-or-similar-statu.patch
+Patch0505: vfio-pci-Fix-a-segfault-in-vfio_realize.patch
+Patch0506: gitlab-Disable-plugins-for-cross-i386-tci.patch
+Patch0507: tcg-Reduce-tcg_assert_listed_vecop-scope.patch
+Patch0508: 9pfs-prevent-opening-special-files-CVE-2023-2861.patch
+Patch0509: accel-tcg-Optimize-jump-cache-flush-during-tlb-range.patch
+Patch0510: hw-net-virtio-net-make-some-VirtIONet-const.patch
+Patch0511: Allow-setting-up-to-8-bytes-with-the-generic-loader.patch
+Patch0512: accel-tcg-cpu-exec-Fix-precise-single-stepping-after.patch
+Patch0513: hw-virtio-vdpa-Fix-leak-of-host-notifier-memory-regi.patch
+Patch0514: host-vdpa-make-notifiers-_init-_uninit-symmetric.patch
+Patch0515: hw-pci-bridge-pxb-Fix-missing-swizzle.patch
+Patch0516: ide-Increment-BB-in-flight-counter-for-TRIM-BH.patch
+Patch0517: qga-win32-Remove-change-action-from-MSI-installer.patch
+Patch0518: qga-win32-Use-rundll-for-VSS-installation.patch
+Patch0519: test-vmstate-fix-bad-GTree-usage-use-after-free.patch
 
 BuildRequires: flex
 BuildRequires: gcc
@@ -1080,6 +1104,34 @@ getent passwd qemu >/dev/null || \
 %endif
 
 %changelog
+* Mon Aug 7 2023 <fengjiabo1@huawei.com> - 10:6.2.0-77
+- test-vmstate: fix bad GTree usage, use-after-free
+
+* Fri Jul 28 2023 <fengjiabo1@huawei.com> - 10:6.2.0-76
+- qga/win32: Use rundll for VSS installation
+- qga/win32: Remove change action from MSI installer
+- ide: Increment BB in-flight counter for TRIM BH
+- hw/pci-bridge/pxb: Fix missing swizzle
+- host-vdpa: make notifiers _init()/_uninit() symmetric
+- hw/virtio: vdpa: Fix leak of host-notifier memory-region
+- accel/tcg/cpu-exec: Fix precise single-stepping after interrupt
+- Allow setting up to 8 bytes with the generic loader
+- hw/net/virtio-net: make some VirtIONet const
+- accel/tcg: Optimize jump cache flush during tlb range flush
+- 9pfs: prevent opening special files (CVE-2023-2861)
+- tcg: Reduce tcg_assert_listed_vecop() scope
+- gitlab: Disable plugins for cross-i386-tci
+- vfio/pci: Fix a segfault in vfio_realize
+- block/iscsi: fix double-free on BUSY or similar statuses
+- tests/tcg: fix unused variable in linux-test
+- hw/net/vmxnet3: allow VMXNET3_MAX_MTU itself as a value
+- qga/vss-win32: fix warning for clang++-15
+- vnc: avoid underflow when accessing user-provided address
+- block/monitor: Fix crash when executing HMP commit
+- virtio-gpu: add a FIXME for virtio_gpu_load()
+- hw/ppc/Kconfig: MAC_NEWWORLD should always select USB_OHCI_PCI
+- migration: report compress thread pid to libvirt
+
 * Thu Jun 29 2023 <fengjiabo1@huawei.com> - 10:6.2.0-75
 - Add lbt support for kvm.
 - Fix smp.cores value and Fix divide 0 error

qga-vss-win32-fix-warning-for-clang-15.patch

@@ -0,0 +1,47 @@
+From b9212c3d72363f67d621dd4e16e507e4a677158e Mon Sep 17 00:00:00 2001
+From: qihao <qihao_yewu@cmss.chinamobile.com>
+Date: Tue, 27 Jun 2023 22:45:24 +0800
+Subject: [PATCH] qga/vss-win32: fix warning for clang++-15
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+cheery-pick from a3f531cee66b12041098f7a809c2a7d6ecb6ad7d
+
+Reported when compiling with clang-windows-arm64.
+
+../qga/vss-win32/install.cpp:537:9: error: variable 'hr' is used uninitialized whenever 'if' condition is false [-Werror,-Wsometimes-uninitialized]
+    if (!(ControlService(service, SERVICE_CONTROL_STOP, NULL))) {
+        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+../qga/vss-win32/install.cpp:545:12: note: uninitialized use occurs here
+    return hr;
+           ^~
+
+Signed-off-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
+Fixes: 917ebcb170 ("qga-win: Fix QGA VSS Provider service stop failure")
+Reviewed-by: Konstantin Kostiuk <kkostiuk@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
+Signed-off-by: Kostiantyn Kostiuk <kostyanf14@live.com>
+(cherry picked from commit 0fcd574b025fccdf14d5140687cafe2bc30b634f)
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+Signed-off-by: qihao_yewu <qihao_yewu@cmss.chinamobile.com>
+---
+ qga/vss-win32/install.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/qga/vss-win32/install.cpp b/qga/vss-win32/install.cpp
+index 40de133774..e90a03c1cf 100644
+--- a/qga/vss-win32/install.cpp
++++ b/qga/vss-win32/install.cpp
+@@ -513,7 +513,7 @@ namespace _com_util
+ /* Stop QGA VSS provider service using Winsvc API  */
+ STDAPI StopService(void)
+ {
+-    HRESULT hr;
++    HRESULT hr = S_OK;
+     SC_HANDLE manager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
+     SC_HANDLE service = NULL;
+ 
+-- 
+2.41.0.windows.1
+

qga-win32-Remove-change-action-from-MSI-installer.patch

@@ -0,0 +1,35 @@
+From 38a72d2fbaf732d0804fefca034c24b2ad068ad1 Mon Sep 17 00:00:00 2001
+From: Konstantin Kostiuk <kkostiuk@redhat.com>
+Date: Fri, 3 Mar 2023 21:20:07 +0200
+Subject: [PATCH] qga/win32: Remove change action from MSI installer
+
+Remove the 'change' button from "Programs and Features" because it does
+not checks if a user is an admin or not. The installer has no components
+to choose from and always installs everything. So the 'change' button is
+not obviously needed but can create a security issue.
+
+resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2167423
+fixes: CVE-2023-0664 (part 1 of 2)
+
+Signed-off-by: Konstantin Kostiuk <kkostiuk@redhat.com>
+Reviewed-by: Yan Vugenfirer <yvugenfi@redhat.com>
+Reported-by: Brian Wiltse <brian.wiltse@live.com>
+---
+ qga/installer/qemu-ga.wxs | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/qga/installer/qemu-ga.wxs b/qga/installer/qemu-ga.wxs
+index 0950e8c6be..b62e709a4c 100644
+--- a/qga/installer/qemu-ga.wxs
++++ b/qga/installer/qemu-ga.wxs
+@@ -58,6 +58,7 @@
+       />
+     <Media Id="1" Cabinet="qemu_ga.$(env.QEMU_GA_VERSION).cab" EmbedCab="yes" />
+     <Property Id="WHSLogo">1</Property>
++    <Property Id="ARPNOMODIFY" Value="yes" Secure="yes" />
+     <MajorUpgrade
+       DowngradeErrorMessage="Error: A newer version of QEMU guest agent is already installed."
+       />
+-- 
+2.41.0.windows.1
+

qga-win32-Use-rundll-for-VSS-installation.patch

@@ -0,0 +1,99 @@
+From bc472314a51895f67112e3ac35439df63292f101 Mon Sep 17 00:00:00 2001
+From: Konstantin Kostiuk <kkostiuk@redhat.com>
+Date: Fri, 3 Mar 2023 21:20:08 +0200
+Subject: [PATCH] qga/win32: Use rundll for VSS installation
+
+The custom action uses cmd.exe to run VSS Service installation
+and removal which causes an interactive command shell to spawn.
+This shell can be used to execute any commands as a SYSTEM user.
+Even if call qemu-ga.exe directly the interactive command shell
+will be spawned as qemu-ga.exe is a console application and used
+by users from the console as well as a service.
+
+As VSS Service runs from DLL which contains the installer and
+uninstaller code, it can be run directly by rundll32.exe without
+any interactive command shell.
+
+Add specific entry points for rundll which is just a wrapper
+for COMRegister/COMUnregister functions with proper arguments.
+
+resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2167423
+fixes: CVE-2023-0664 (part 2 of 2)
+
+Signed-off-by: Konstantin Kostiuk <kkostiuk@redhat.com>
+Reviewed-by: Yan Vugenfirer <yvugenfi@redhat.com>
+Reported-by: Brian Wiltse <brian.wiltse@live.com>
+---
+ qga/installer/qemu-ga.wxs | 10 +++++-----
+ qga/vss-win32/install.cpp |  9 +++++++++
+ qga/vss-win32/qga-vss.def |  2 ++
+ 3 files changed, 16 insertions(+), 5 deletions(-)
+
+diff --git a/qga/installer/qemu-ga.wxs b/qga/installer/qemu-ga.wxs
+index b62e709a4c..11b66a22e6 100644
+--- a/qga/installer/qemu-ga.wxs
++++ b/qga/installer/qemu-ga.wxs
+@@ -143,22 +143,22 @@
+       </Directory>
+     </Directory>
+ 
+-    <Property Id="cmd" Value="cmd.exe"/>
++    <Property Id="rundll" Value="rundll32.exe"/>
+     <Property Id="REINSTALLMODE" Value="amus"/>
+ 
+     <?ifdef var.InstallVss?>
+     <CustomAction Id="RegisterCom"
+-              ExeCommand='/c "[qemu_ga_directory]qemu-ga.exe" -s vss-install'
++              ExeCommand='"[qemu_ga_directory]qga-vss.dll",DLLCOMRegister'
+               Execute="deferred"
+-              Property="cmd"
++              Property="rundll"
+               Impersonate="no"
+               Return="check"
+               >
+     </CustomAction>
+     <CustomAction Id="UnRegisterCom"
+-              ExeCommand='/c "[qemu_ga_directory]qemu-ga.exe" -s vss-uninstall'
++              ExeCommand='"[qemu_ga_directory]qga-vss.dll",DLLCOMUnregister'
+               Execute="deferred"
+-              Property="cmd"
++              Property="rundll"
+               Impersonate="no"
+               Return="check"
+               >
+diff --git a/qga/vss-win32/install.cpp b/qga/vss-win32/install.cpp
+index e90a03c1cf..8b7400e4e5 100644
+--- a/qga/vss-win32/install.cpp
++++ b/qga/vss-win32/install.cpp
+@@ -352,6 +352,15 @@ out:
+     return hr;
+ }
+ 
++STDAPI_(void) CALLBACK DLLCOMRegister(HWND, HINSTANCE, LPSTR, int)
++{
++    COMRegister();
++}
++
++STDAPI_(void) CALLBACK DLLCOMUnregister(HWND, HINSTANCE, LPSTR, int)
++{
++    COMUnregister();
++}
+ 
+ static BOOL CreateRegistryKey(LPCTSTR key, LPCTSTR value, LPCTSTR data)
+ {
+diff --git a/qga/vss-win32/qga-vss.def b/qga/vss-win32/qga-vss.def
+index 927782c31b..ee97a81427 100644
+--- a/qga/vss-win32/qga-vss.def
++++ b/qga/vss-win32/qga-vss.def
+@@ -1,6 +1,8 @@
+ LIBRARY      "QGA-PROVIDER.DLL"
+ 
+ EXPORTS
++	DLLCOMRegister
++	DLLCOMUnregister
+ 	COMRegister		PRIVATE
+ 	COMUnregister		PRIVATE
+ 	DllCanUnloadNow		PRIVATE
+-- 
+2.41.0.windows.1
+

tcg-Reduce-tcg_assert_listed_vecop-scope.patch

@@ -0,0 +1,64 @@
+From 61af18384a150a2c7d1f54521692a93c0e4ebacc Mon Sep 17 00:00:00 2001
+From: tangzhongrui <tangzhongrui@cmss.chinamobile.com>
+Date: Sun, 2 Jul 2023 23:37:42 +0800
+Subject: [PATCH]     tcg: Reduce tcg_assert_listed_vecop() scope
+
+    tcg_assert_listed_vecop() is only used in tcg-op-vec.c.
+
+    Signed-off-by: Philippe Mathieu-Daud<C3><A9> <philmd@linaro.org>
+    Message-Id: <20230629091107.74384-1-philmd@linaro.org>
+    Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+    Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+
+    Signed-off-by: Zhongrui Tang <tangzhongrui_yewu@cmss.chinamobile.com>
+---
+ include/tcg/tcg.h | 6 ------
+ tcg/tcg-op-vec.c  | 6 +++---
+ 2 files changed, 3 insertions(+), 9 deletions(-)
+
+diff --git a/include/tcg/tcg.h b/include/tcg/tcg.h
+index 42f5b500ed..0ab8e4e735 100644
+--- a/include/tcg/tcg.h
++++ b/include/tcg/tcg.h
+@@ -1240,12 +1240,6 @@ uint64_t dup_const(unsigned vece, uint64_t c);
+      :  (target_long)dup_const(VECE, C))
+ #endif
+ 
+-#ifdef CONFIG_DEBUG_TCG
+-void tcg_assert_listed_vecop(TCGOpcode);
+-#else
+-static inline void tcg_assert_listed_vecop(TCGOpcode op) { }
+-#endif
+-
+ static inline const TCGOpcode *tcg_swap_vecop_list(const TCGOpcode *n)
+ {
+ #ifdef CONFIG_DEBUG_TCG
+diff --git a/tcg/tcg-op-vec.c b/tcg/tcg-op-vec.c
+index faf30f9cdd..7c027099c4 100644
+--- a/tcg/tcg-op-vec.c
++++ b/tcg/tcg-op-vec.c
+@@ -50,9 +50,9 @@ extern TCGv_i32 TCGV_HIGH_link_error(TCGv_i64);
+  * tcg_ctx->vec_opt_opc is non-NULL, the tcg_gen_*_vec expanders
+  * will validate that their opcode is present in the list.
+  */
+-#ifdef CONFIG_DEBUG_TCG
+-void tcg_assert_listed_vecop(TCGOpcode op)
++static void tcg_assert_listed_vecop(TCGOpcode op)
+ {
++#ifdef CONFIG_DEBUG_TCG
+     const TCGOpcode *p = tcg_ctx->vecop_list;
+     if (p) {
+         for (; *p; ++p) {
+@@ -62,8 +62,8 @@ void tcg_assert_listed_vecop(TCGOpcode op)
+         }
+         g_assert_not_reached();
+     }
+-}
+ #endif
++}
+ 
+ bool tcg_can_emit_vecop_list(const TCGOpcode *list,
+                              TCGType type, unsigned vece)
+-- 
+2.41.0.windows.1
+

test-vmstate-fix-bad-GTree-usage-use-after-free.patch

@@ -0,0 +1,64 @@
+From 974fcc3a97148b1af3bebfaa6a72645837233489 Mon Sep 17 00:00:00 2001
+From: Eric Auger <eric.auger@redhat.com>
+Date: Tue, 28 Feb 2023 10:29:44 +0100
+Subject: [PATCH] test-vmstate: fix bad GTree usage, use-after-free
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+According to g_tree_foreach() documentation:
+"The tree may not be modified while iterating over it (you can't
+add/remove items)."
+
+compare_trees()/diff_tree() fail to respect this rule.
+Historically GLib2 used a slice allocator for the GTree APIs
+which did not immediately release the memory back to the system
+allocator. As a result QEMU's use-after-free bug was not visible.
+With GLib > 2.75.3 however, GLib2 has switched to using malloc
+and now a SIGSEGV can be observed while running test-vmstate.
+
+Get rid of the node removal within the tree traversal. Also
+check the trees have the same number of nodes before the actual
+diff.
+
+Fixes: 9a85e4b8f6 ("migration: Support gtree migration")
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1518
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Signed-off-by: Eric Auger <eric.auger@redhat.com>
+Reported-by: Richard W.M. Jones <rjones@redhat.com>
+Tested-by: Richard W.M. Jones <rjones@redhat.com>
+Reviewed-by: Richard W.M. Jones <rjones@redhat.com>
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+Reviewed-by: Juan Quintela <quintela@redhat.com>
+Signed-off-by: Juan Quintela <quintela@redhat.com>
+---
+ tests/unit/test-vmstate.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/tests/unit/test-vmstate.c b/tests/unit/test-vmstate.c
+index 4688c03ea7..ac47f0a44b 100644
+--- a/tests/unit/test-vmstate.c
++++ b/tests/unit/test-vmstate.c
+@@ -1076,7 +1076,6 @@ static gboolean diff_tree(gpointer key, gpointer value, gpointer data)
+     struct match_node_data d = {tp->tree2, key, value};
+ 
+     g_tree_foreach(tp->tree2, tp->match_node, &d);
+-    g_tree_remove(tp->tree1, key);
+     return false;
+ }
+ 
+@@ -1085,9 +1084,9 @@ static void compare_trees(GTree *tree1, GTree *tree2,
+ {
+     struct tree_cmp_data tp = {tree1, tree2, function};
+ 
++    assert(g_tree_nnodes(tree1) == g_tree_nnodes(tree2));
+     g_tree_foreach(tree1, diff_tree, &tp);
+-    assert(g_tree_nnodes(tree1) == 0);
+-    assert(g_tree_nnodes(tree2) == 0);
++    g_tree_destroy(g_tree_ref(tree1));
+ }
+ 
+ static void diff_domain(TestGTreeDomain *d1, TestGTreeDomain *d2)
+-- 
+2.41.0.windows.1
+

tests-tcg-fix-unused-variable-in-linux-test.patch

@@ -0,0 +1,48 @@
+From 050aa274447899ecb000aa8d62d95b6c6192fc56 Mon Sep 17 00:00:00 2001
+From: qihao <qihao_yewu@cmss.chinamobile.com>
+Date: Wed, 28 Jun 2023 10:08:22 +0800
+Subject: [PATCH] tests/tcg: fix unused variable in linux-test
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+cheery-pick from 2bc6c79417b89c3306b724577e775f03fe61fb2e
+
+The latest hexagon compiler picks up that we never consume wcount.
+Given the name of the #define that rcount checks against is WCOUNT_MAX
+I figured the check just got missed.
+
+Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
+Message-Id: <20221221090411.1995037-5-alex.bennee@linaro.org>
+Signed-off-by: qihao_yewu <qihao_yewu@cmss.chinamobile.com>
+---
+ tests/tcg/multiarch/linux/linux-test.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/tests/tcg/multiarch/linux/linux-test.c b/tests/tcg/multiarch/linux/linux-test.c
+index 019d8175ca..78c68540ef 100644
+--- a/tests/tcg/multiarch/linux/linux-test.c
++++ b/tests/tcg/multiarch/linux/linux-test.c
+@@ -354,13 +354,17 @@ static void test_pipe(void)
+             if (FD_ISSET(fds[0], &rfds)) {
+                 chk_error(read(fds[0], &ch, 1));
+                 rcount++;
+-                if (rcount >= WCOUNT_MAX)
++                if (rcount >= WCOUNT_MAX) {
+                     break;
++                }
+             }
+             if (FD_ISSET(fds[1], &wfds)) {
+                 ch = 'a';
+                 chk_error(write(fds[1], &ch, 1));
+                 wcount++;
++                if (wcount >= WCOUNT_MAX) {
++                    break;
++                }
+             }
+         }
+     }
+-- 
+2.41.0.windows.1
+

vfio-pci-Fix-a-segfault-in-vfio_realize.patch

@@ -0,0 +1,54 @@
+From 22e8d7076800d7c62e41e8c69fc01444cf00d451 Mon Sep 17 00:00:00 2001
+From: jipengfei <jipengfei_yewu@cmss.chinamobile.com>
+Date: Fri, 30 Jun 2023 21:05:23 +0800
+Subject: [PATCH] vfio/pci: Fix a segfault in vfio_realize
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The kvm irqchip notifier is only registered if the device supports
+INTx, however it's unconditionally removed in vfio realize error
+path. If the assigned device does not support INTx, this will cause
+QEMU to crash when vfio realize fails. Change it to conditionally
+remove the notifier only if the notify hook is setup.
+
+Before fix:
+(qemu) device_add vfio-pci,host=81:11.1,id=vfio1,bus=root1,xres=1
+Connection closed by foreign host.
+
+After fix:
+(qemu) device_add vfio-pci,host=81:11.1,id=vfio1,bus=root1,xres=1
+Error: vfio 0000:81:11.1: xres and yres properties require display=on
+(qemu)
+
+Fixes: c5478fea27ac ("vfio/pci: Respond to KVM irqchip change notifier")
+
+cheery-pick from 357bd7932a136613d700ee8bc83e9165f059d1f7
+
+Signed-off-by: jipengfei_yewu <jipengfei_yewu@cmss.chinamobile.com>
+Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
+Reviewed-by: Cédric Le Goater <clg@redhat.com>
+Reviewed-by: Joao Martins <joao.m.martins@oracle.com>
+Signed-off-by: Cédric Le Goater <clg@redhat.com>
+---
+ hw/vfio/pci.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/hw/vfio/pci.c b/hw/vfio/pci.c
+index 7b45353ce2..b085389ff8 100644
+--- a/hw/vfio/pci.c
++++ b/hw/vfio/pci.c
+@@ -3112,7 +3112,9 @@ static void vfio_realize(PCIDevice *pdev, Error **errp)
+ 
+ out_deregister:
+     pci_device_set_intx_routing_notifier(&vdev->pdev, NULL);
+-    kvm_irqchip_remove_change_notifier(&vdev->irqchip_change_notifier);
++    if (vdev->irqchip_change_notifier.notify) {
++       kvm_irqchip_remove_change_notifier(&vdev->irqchip_change_notifier);
++    }
+ out_teardown:
+     vfio_teardown_msi(vdev);
+     vfio_bars_exit(vdev);
+-- 
+2.41.0.windows.1
+

virtio-gpu-add-a-FIXME-for-virtio_gpu_load.patch

@@ -0,0 +1,37 @@
+From 5a69ce95a920377f1c4f0c34c6cb8073dc5dbf8d Mon Sep 17 00:00:00 2001
+From: qihao <qihao_yewu@cmss.chinamobile.com>
+Date: Mon, 26 Jun 2023 14:29:40 +0800
+Subject: [PATCH] virtio-gpu: add a FIXME for virtio_gpu_load()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+cheery-pick from 529969b8d03970bae5feef8c69ebf5e0f521131c
+
+It looks like the virtio_gpu_load() does not compute and set the offset,
+the same way virtio_gpu_set_scanout() does. This probably results in
+incorrect display until the scanout/framebuffer is updated again, I
+guess we should fix it, although I haven't checked this yet.
+
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20230515132518.1025853-1-marcandre.lureau@redhat.com>
+Signed-off-by: qihao_yewu <qihao_yewu@cmss.chinamobile.com>
+---
+ hw/display/virtio-gpu.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
+index c6dc818988..9ccc0575e3 100644
+--- a/hw/display/virtio-gpu.c
++++ b/hw/display/virtio-gpu.c
+@@ -1284,6 +1284,7 @@ static int virtio_gpu_load(QEMUFile *f, void *opaque, size_t size,
+     /* load & apply scanout state */
+     vmstate_load_state(f, &vmstate_virtio_gpu_scanouts, g, 1);
+     for (i = 0; i < g->parent_obj.conf.max_outputs; i++) {
++        /* FIXME: should take scanout.r.{x,y} into account */
+         scanout = &g->parent_obj.scanout[i];
+         if (!scanout->resource_id) {
+             continue;
+-- 
+2.41.0.windows.1
+

vnc-avoid-underflow-when-accessing-user-provided-add.patch

@@ -0,0 +1,41 @@
+From 3d6a5be54f59b86db1d9513cff24ca6f7d002400 Mon Sep 17 00:00:00 2001
+From: qihao <qihao_yewu@cmss.chinamobile.com>
+Date: Tue, 27 Jun 2023 17:39:56 +0800
+Subject: [PATCH] vnc: avoid underflow when accessing user-provided address
+
+cheery-pick from bfc532703f3c4f8d2744748c440ca36ce9798ccb
+
+If hostlen is zero, there is a possibility that addrstr[hostlen - 1]
+underflows and, if a closing bracked is there, hostlen - 2 is passed
+to g_strndup() on the next line.  If websocket==false then
+addrstr[0] would be a colon, but if websocket==true this could in
+principle happen.
+
+Fix it by checking hostlen.
+
+Reported by Coverity.
+
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 3f9c41c5df9617510d8533cf6588172efb3df34b)
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+Signed-off-by: qihao_yewu <qihao_yewu@cmss.chinamobile.com>
+---
+ ui/vnc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ui/vnc.c b/ui/vnc.c
+index 91e067ba7c..f4322a9065 100644
+--- a/ui/vnc.c
++++ b/ui/vnc.c
+@@ -3761,7 +3761,7 @@ static int vnc_display_get_address(const char *addrstr,
+ 
+         addr->type = SOCKET_ADDRESS_TYPE_INET;
+         inet = &addr->u.inet;
+-        if (addrstr[0] == '[' && addrstr[hostlen - 1] == ']') {
++        if (hostlen && addrstr[0] == '[' && addrstr[hostlen - 1] == ']') {
+             inet->host = g_strndup(addrstr + 1, hostlen - 2);
+         } else {
+             inet->host = g_strndup(addrstr, hostlen);
+-- 
+2.41.0.windows.1
+